{
  "version": "1",
  "package": [
    {
      "name": "linux-xlnx",
      "layer": "meta-xilinx-core",
      "version": "6.18.10+git+v2026.1",
      "products": [
        {
          "product": "linux_kernel",
          "cvesInRecord": "Yes"
        }
      ],
      "issue": [
        {
          "id": "CVE-1999-0061",
          "summary": "File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).",
          "scorev2": "5.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0061"
        },
        {
          "id": "CVE-1999-0074",
          "summary": "Listening TCP ports are sequentially allocated, allowing spoofing attacks.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0074"
        },
        {
          "id": "CVE-1999-0128",
          "summary": "Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0128"
        },
        {
          "id": "CVE-1999-0138",
          "summary": "The suidperl and sperl program do not give up root privileges when changing UIDs back to the original users, allowing root access.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0138"
        },
        {
          "id": "CVE-1999-0165",
          "summary": "NFS cache poisoning.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0165"
        },
        {
          "id": "CVE-1999-0171",
          "summary": "Denial of service in syslog by sending it a large number of superfluous messages.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0171"
        },
        {
          "id": "CVE-1999-0183",
          "summary": "Linux implementations of TFTP would allow access to files outside the restricted directory.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0183"
        },
        {
          "id": "CVE-1999-0195",
          "summary": "Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0195"
        },
        {
          "id": "CVE-1999-0216",
          "summary": "Denial of service of inetd on Linux through SYN and RST packets.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0216"
        },
        {
          "id": "CVE-1999-0245",
          "summary": "Some configurations of NIS+ in Linux allowed attackers to log in as the user \"+\".",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0245"
        },
        {
          "id": "CVE-1999-0257",
          "summary": "Nestea variation of teardrop IP fragmentation denial of service.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0257"
        },
        {
          "id": "CVE-1999-0317",
          "summary": "Buffer overflow in Linux su command gives root access to local users.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0317"
        },
        {
          "id": "CVE-1999-0330",
          "summary": "Linux bdash game has a buffer overflow that allows local users to gain root access.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0330"
        },
        {
          "id": "CVE-1999-0381",
          "summary": "super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0381"
        },
        {
          "id": "CVE-1999-0400",
          "summary": "Denial of service in Linux 2.2.0 running the ldd command on a core file.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0400"
        },
        {
          "id": "CVE-1999-0401",
          "summary": "A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.",
          "scorev2": "3.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0401"
        },
        {
          "id": "CVE-1999-0414",
          "summary": "In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0414"
        },
        {
          "id": "CVE-1999-0431",
          "summary": "Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0431"
        },
        {
          "id": "CVE-1999-0451",
          "summary": "Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0451"
        },
        {
          "id": "CVE-1999-0460",
          "summary": "Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0460"
        },
        {
          "id": "CVE-1999-0461",
          "summary": "Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0461"
        },
        {
          "id": "CVE-1999-0513",
          "summary": "ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0513"
        },
        {
          "id": "CVE-1999-0524",
          "summary": "ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0524",
          "detail": "ignored",
          "description": "issue is that ICMP exists, can be filewalled if required"
        },
        {
          "id": "CVE-1999-0590",
          "summary": "A system does not present an appropriate legal message or warning to a user who is accessing it.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0590"
        },
        {
          "id": "CVE-1999-0628",
          "summary": "The rwho/rwhod service is running, which exposes machine status and user information.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0628"
        },
        {
          "id": "CVE-1999-0656",
          "summary": "The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0656",
          "detail": "not-applicable-config",
          "description": "specific to ugidd, part of the old user-mode NFS server"
        },
        {
          "id": "CVE-1999-0720",
          "summary": "The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0720"
        },
        {
          "id": "CVE-1999-0780",
          "summary": "KDE klock allows local users to kill arbitrary processes by specifying an arbitrary PID in the .kss.pid file.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0780"
        },
        {
          "id": "CVE-1999-0781",
          "summary": "KDE allows local users to execute arbitrary commands by setting the KDEDIR environmental variable to modify the search path that KDE uses to locate its executables.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0781"
        },
        {
          "id": "CVE-1999-0782",
          "summary": "KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0782"
        },
        {
          "id": "CVE-1999-0804",
          "summary": "Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0804"
        },
        {
          "id": "CVE-1999-0986",
          "summary": "The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-0986"
        },
        {
          "id": "CVE-1999-1018",
          "summary": "IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1018"
        },
        {
          "id": "CVE-1999-1166",
          "summary": "Linux 2.0.37 does not properly encode the Custom segment limit, which allows local users to gain root privileges by accessing and modifying kernel memory.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1166"
        },
        {
          "id": "CVE-1999-1225",
          "summary": "rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1225"
        },
        {
          "id": "CVE-1999-1276",
          "summary": "fte-console in the fte package before 0.46b-4.1 does not drop root privileges, which allows local users to gain root access via the virtual console device.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1276"
        },
        {
          "id": "CVE-1999-1285",
          "summary": "Linux 2.1.132 and earlier allows local users to cause a denial of service (resource exhaustion) by reading a large buffer from a random device (e.g. /dev/urandom), which cannot be interrupted until the read has completed.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1285"
        },
        {
          "id": "CVE-1999-1339",
          "summary": "Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1339"
        },
        {
          "id": "CVE-1999-1341",
          "summary": "Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, allows local unprivileged users to forge IP packets via the TIOCSETD option on tty devices.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1341"
        },
        {
          "id": "CVE-1999-1352",
          "summary": "mknod in Linux 2.2 follows symbolic links, which could allow local users to overwrite files or gain privileges.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1352"
        },
        {
          "id": "CVE-1999-1441",
          "summary": "Linux 2.0.34 does not properly prevent users from sending SIGIO signals to arbitrary processes, which allows local users to cause a denial of service by sending SIGIO to processes that do not catch it.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1441"
        },
        {
          "id": "CVE-1999-1442",
          "summary": "Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local users to cause a denial of service (crash) via a particular sequence of instructions, possibly related to accessing addresses outside of segments.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-1999-1442"
        },
        {
          "id": "CVE-2000-0006",
          "summary": "strace allows local users to read arbitrary files via memory mapped file names.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0006",
          "detail": "upstream-wontfix",
          "description": "CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
        },
        {
          "id": "CVE-2000-0227",
          "summary": "The Linux 2.2.x kernel does not restrict the number of Unix domain sockets as defined by the wmem_max parameter, which allows local users to cause a denial of service by requesting a large number of sockets.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0227"
        },
        {
          "id": "CVE-2000-0289",
          "summary": "IP masquerading in Linux 2.2.x allows remote attackers to route UDP packets through the internal interface by modifying the external source IP address and port number to match those of an established connection.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0289"
        },
        {
          "id": "CVE-2000-0344",
          "summary": "The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to cause a denial of service via a negative size value.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0344"
        },
        {
          "id": "CVE-2000-0506",
          "summary": "The \"capabilities\" feature in Linux before 2.2.16 allows local users to cause a denial of service or gain privileges by setting the capabilities to prevent a setuid program from dropping privileges, aka the \"Linux kernel setuid/setcap vulnerability.\"",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2000-0506"
        },
        {
          "id": "CVE-2001-0316",
          "summary": "Linux kernel 2.4 and 2.2 allows local users to read kernel memory and possibly gain privileges via a negative argument to the sysctl call.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0316"
        },
        {
          "id": "CVE-2001-0317",
          "summary": "Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local users to gain privileges by using ptrace to track and modify a running setuid process.",
          "scorev2": "3.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0317"
        },
        {
          "id": "CVE-2001-0405",
          "summary": "ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote attackers to bypass access restrictions for an FTP server via a PORT command that lists an arbitrary IP address and port number, which is added to the RELATED table and allowed by the firewall.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0405"
        },
        {
          "id": "CVE-2001-0851",
          "summary": "Linux kernel 2.0, 2.2 and 2.4 with syncookies enabled allows remote attackers to bypass firewall rules by brute force guessing the cookie.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0851"
        },
        {
          "id": "CVE-2001-0907",
          "summary": "Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows local users to cause a denial of service via a series of deeply nested symlinks, which causes the kernel to spend extra time when trying to access the link.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0907"
        },
        {
          "id": "CVE-2001-0914",
          "summary": "Linux kernel before 2.4.11pre3 in multiple Linux distributions allows local users to cause a denial of service (crash) by starting the core vmlinux kernel, possibly related to poor error checking during ELF loading.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0914"
        },
        {
          "id": "CVE-2001-1056",
          "summary": "IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows remote attackers to bypass intended firewall restrictions by causing the target system to send a \"DCC SEND\" request to a malicious server which listens on port 6667, which may cause the module to believe that the traffic is a valid request and allow the connection to the port specified in the DCC SEND request.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1056"
        },
        {
          "id": "CVE-2001-1244",
          "summary": "Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1244"
        },
        {
          "id": "CVE-2001-1273",
          "summary": "The \"mxcsr P4\" vulnerability in the Linux kernel before 2.2.17-14, when running on certain Intel CPUs, allows local users to cause a denial of service (system halt).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1273"
        },
        {
          "id": "CVE-2001-1384",
          "summary": "ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows local users to gain root privileges by running ptrace on a setuid or setgid program that itself calls an unprivileged program, such as newgrp.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1384"
        },
        {
          "id": "CVE-2001-1390",
          "summary": "Unknown vulnerability in binfmt_misc in the Linux kernel before 2.2.19, related to user pages.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1390"
        },
        {
          "id": "CVE-2001-1391",
          "summary": "Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 allows users to modify kernel memory.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1391"
        },
        {
          "id": "CVE-2001-1392",
          "summary": "The Linux kernel before 2.2.19 does not have unregister calls for (1) CPUID and (2) MSR drivers, which could cause a DoS (crash) by unloading and reloading the drivers.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1392"
        },
        {
          "id": "CVE-2001-1393",
          "summary": "Unknown vulnerability in classifier code for Linux kernel before 2.2.19 could result in denial of service (hang).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1393"
        },
        {
          "id": "CVE-2001-1394",
          "summary": "Signedness error in (1) getsockopt and (2) setsockopt for Linux kernel before 2.2.19 allows local users to cause a denial of service.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1394"
        },
        {
          "id": "CVE-2001-1395",
          "summary": "Unknown vulnerability in sockfilter for Linux kernel before 2.2.19 related to \"boundary cases,\" with unknown impact.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1395"
        },
        {
          "id": "CVE-2001-1396",
          "summary": "Unknown vulnerabilities in strnlen_user for Linux kernel before 2.2.19, with unknown impact.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1396"
        },
        {
          "id": "CVE-2001-1397",
          "summary": "The System V (SYS5) shared memory implementation for Linux kernel before 2.2.19 could allow attackers to modify recently freed memory.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1397"
        },
        {
          "id": "CVE-2001-1398",
          "summary": "Masquerading code for Linux kernel before 2.2.19 does not fully check packet lengths in certain cases, which may lead to a vulnerability.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1398"
        },
        {
          "id": "CVE-2001-1399",
          "summary": "Certain operations in Linux kernel before 2.2.19 on the x86 architecture copy the wrong number of bytes, which might allow attackers to modify memory, aka \"User access asm bug on x86.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1399"
        },
        {
          "id": "CVE-2001-1400",
          "summary": "Unknown vulnerabilities in the UDP port allocation for Linux kernel before 2.2.19 could allow local users to cause a denial of service (deadlock).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1400"
        },
        {
          "id": "CVE-2001-1551",
          "summary": "Linux kernel 2.2.19 enables CAP_SYS_RESOURCE for setuid processes, which allows local users to exceed disk quota restrictions during execution of setuid programs.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1551"
        },
        {
          "id": "CVE-2001-1572",
          "summary": "The MAC module in Netfilter in Linux kernel 2.4.1 through 2.4.11, when configured to filter based on MAC addresses, allows remote attackers to bypass packet filters via small packets.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1572"
        },
        {
          "id": "CVE-2002-0046",
          "summary": "Linux kernel, and possibly other operating systems, allows remote attackers to read portions of memory via a series of fragmented ICMP packets that generate an ICMP TTL Exceeded response, which includes portions of the memory in the response packet.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0046"
        },
        {
          "id": "CVE-2002-0060",
          "summary": "IRC connection tracking helper module in the netfilter subsystem for Linux 2.4.18-pre9 and earlier does not properly set the mask for conntrack expectations for incoming DCC connections, which could allow remote attackers to bypass intended firewall restrictions.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0060"
        },
        {
          "id": "CVE-2002-0429",
          "summary": "The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0429"
        },
        {
          "id": "CVE-2002-0499",
          "summary": "The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0499"
        },
        {
          "id": "CVE-2002-0510",
          "summary": "The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0510"
        },
        {
          "id": "CVE-2002-0570",
          "summary": "The encrypted loop device in Linux kernel 2.4.10 and earlier does not authenticate the entity that is encrypting data, which allows local users to modify encrypted data without knowing the key.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0570"
        },
        {
          "id": "CVE-2002-0704",
          "summary": "The Network Address Translation (NAT) capability for Netfilter (\"iptables\") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0704"
        },
        {
          "id": "CVE-2002-1319",
          "summary": "The Linux kernel 2.4.20 and earlier, and 2.5.x, when running on x86 systems, allows local users to cause a denial of service (hang) via the emulation mode, which does not properly clear TF and NT EFLAGs.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1319"
        },
        {
          "id": "CVE-2002-1380",
          "summary": "Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1380"
        },
        {
          "id": "CVE-2002-1571",
          "summary": "The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction clears all registers, which could lead to an information leak on processors that do not clear all relevant SSE registers.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1571"
        },
        {
          "id": "CVE-2002-1572",
          "summary": "Signed integer overflow in the bttv_read function in the bttv driver (bttv-driver.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1572"
        },
        {
          "id": "CVE-2002-1573",
          "summary": "Unspecified vulnerability in the pcilynx ieee1394 firewire driver (pcilynx.c) in Linux kernel before 2.4.20 has unknown impact and attack vectors, related to \"wrap handling.\"",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1573"
        },
        {
          "id": "CVE-2002-1574",
          "summary": "Buffer overflow in the ixj telephony card driver in Linux before 2.4.20 has unknown impact and attack vectors.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1574"
        },
        {
          "id": "CVE-2002-1963",
          "summary": "Linux kernel 2.4.1 through 2.4.19 sets root's NR_RESERVED_FILES limit to 10 files, which allows local users to cause a denial of service (resource exhaustion) by opening 10 setuid binaries.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1963"
        },
        {
          "id": "CVE-2002-1976",
          "summary": "ifconfig, when used on the Linux kernel 2.2 and later, does not report when the network interface is in promiscuous mode if it was put in promiscuous mode using PACKET_MR_PROMISC, which could allow attackers to sniff the network without detection, as demonstrated using libpcap.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1976"
        },
        {
          "id": "CVE-2002-2254",
          "summary": "The experimental IP packet queuing feature in Netfilter / IPTables in Linux kernel 2.4 up to 2.4.19 and 2.5 up to 2.5.31, when a privileged process exits and network traffic is not being queued, may allow a later process with the same Process ID (PID) to access certain network traffic that would otherwise be restricted.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2254"
        },
        {
          "id": "CVE-2002-2438",
          "summary": "TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-2438"
        },
        {
          "id": "CVE-2003-0001",
          "summary": "Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0001"
        },
        {
          "id": "CVE-2003-0018",
          "summary": "Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0018"
        },
        {
          "id": "CVE-2003-0127",
          "summary": "The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0127"
        },
        {
          "id": "CVE-2003-0187",
          "summary": "The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0187"
        },
        {
          "id": "CVE-2003-0244",
          "summary": "The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0244"
        },
        {
          "id": "CVE-2003-0246",
          "summary": "The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0246"
        },
        {
          "id": "CVE-2003-0418",
          "summary": "The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0418"
        },
        {
          "id": "CVE-2003-0462",
          "summary": "A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0462"
        },
        {
          "id": "CVE-2003-0465",
          "summary": "The kernel strncpy function in Linux 2.4 and 2.5 does not NUL-pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0465"
        },
        {
          "id": "CVE-2003-0467",
          "summary": "Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0467"
        },
        {
          "id": "CVE-2003-0476",
          "summary": "The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0476"
        },
        {
          "id": "CVE-2003-0501",
          "summary": "The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0501"
        },
        {
          "id": "CVE-2003-0619",
          "summary": "Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0619"
        },
        {
          "id": "CVE-2003-0643",
          "summary": "Integer signedness error in the Linux Socket Filter implementation (filter.c) in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of service (crash).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0643"
        },
        {
          "id": "CVE-2003-0956",
          "summary": "Multiple race conditions in the handling of O_DIRECT in Linux kernel prior to version 2.4.22 could cause stale data to be returned from the disk when handling sparse files, or cause incorrect data to be returned when a file is truncated as it is being read, which might allow local users to obtain sensitive data that was originally owned by other users, a different vulnerability than CVE-2003-0018.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0956"
        },
        {
          "id": "CVE-2003-0961",
          "summary": "Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0961"
        },
        {
          "id": "CVE-2003-0984",
          "summary": "Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0984"
        },
        {
          "id": "CVE-2003-0985",
          "summary": "The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0985"
        },
        {
          "id": "CVE-2003-0986",
          "summary": "Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service.",
          "scorev2": "1.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0986"
        },
        {
          "id": "CVE-2003-1040",
          "summary": "kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which allows local users to cause a denial of service (crash) by sending certain signals to kmod.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1040"
        },
        {
          "id": "CVE-2003-1161",
          "summary": "exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, was modified to contain a backdoor, which could allow local users to elevate their privileges by passing __WCLONE|__WALL to the sys_wait4 function.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1161"
        },
        {
          "id": "CVE-2003-1604",
          "summary": "The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-1604"
        },
        {
          "id": "CVE-2004-0001",
          "summary": "Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0001"
        },
        {
          "id": "CVE-2004-0003",
          "summary": "Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to \"R128 DRI limits checking.\"",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0003"
        },
        {
          "id": "CVE-2004-0010",
          "summary": "Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0010"
        },
        {
          "id": "CVE-2004-0058",
          "summary": "Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0058"
        },
        {
          "id": "CVE-2004-0075",
          "summary": "The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0075"
        },
        {
          "id": "CVE-2004-0077",
          "summary": "The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0077"
        },
        {
          "id": "CVE-2004-0109",
          "summary": "Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0109"
        },
        {
          "id": "CVE-2004-0133",
          "summary": "The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0133"
        },
        {
          "id": "CVE-2004-0138",
          "summary": "The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0138"
        },
        {
          "id": "CVE-2004-0177",
          "summary": "The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0177"
        },
        {
          "id": "CVE-2004-0178",
          "summary": "The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0178"
        },
        {
          "id": "CVE-2004-0181",
          "summary": "The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0181"
        },
        {
          "id": "CVE-2004-0186",
          "summary": "smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0186"
        },
        {
          "id": "CVE-2004-0228",
          "summary": "Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0228"
        },
        {
          "id": "CVE-2004-0229",
          "summary": "The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0229"
        },
        {
          "id": "CVE-2004-0394",
          "summary": "A \"potential\" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0394"
        },
        {
          "id": "CVE-2004-0415",
          "summary": "Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0415"
        },
        {
          "id": "CVE-2004-0424",
          "summary": "Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0424"
        },
        {
          "id": "CVE-2004-0427",
          "summary": "The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0427"
        },
        {
          "id": "CVE-2004-0447",
          "summary": "Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact.  NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477.  This is the proper candidate to use for the Linux local DoS.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0447"
        },
        {
          "id": "CVE-2004-0495",
          "summary": "Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0495"
        },
        {
          "id": "CVE-2004-0496",
          "summary": "Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0496"
        },
        {
          "id": "CVE-2004-0497",
          "summary": "Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0497"
        },
        {
          "id": "CVE-2004-0535",
          "summary": "The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory.  NOTE: this issue was originally incorrectly reported as a \"buffer overflow\" by some sources.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0535"
        },
        {
          "id": "CVE-2004-0554",
          "summary": "Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a \"crash.c\" program.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0554"
        },
        {
          "id": "CVE-2004-0565",
          "summary": "Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0565"
        },
        {
          "id": "CVE-2004-0596",
          "summary": "The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0596"
        },
        {
          "id": "CVE-2004-0626",
          "summary": "The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0626"
        },
        {
          "id": "CVE-2004-0658",
          "summary": "Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0658"
        },
        {
          "id": "CVE-2004-0685",
          "summary": "Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0685"
        },
        {
          "id": "CVE-2004-0812",
          "summary": "Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with \"setting up TSS limits,\" allows local users to cause a denial of service (crash) and possibly execute arbitrary code.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0812"
        },
        {
          "id": "CVE-2004-0814",
          "summary": "Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0814"
        },
        {
          "id": "CVE-2004-0816",
          "summary": "Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0816"
        },
        {
          "id": "CVE-2004-0883",
          "summary": "Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0883"
        },
        {
          "id": "CVE-2004-0887",
          "summary": "SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0887"
        },
        {
          "id": "CVE-2004-0949",
          "summary": "The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0949"
        },
        {
          "id": "CVE-2004-0986",
          "summary": "Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0986"
        },
        {
          "id": "CVE-2004-0997",
          "summary": "Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0997"
        },
        {
          "id": "CVE-2004-1016",
          "summary": "The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1016"
        },
        {
          "id": "CVE-2004-1017",
          "summary": "Multiple \"overflows\" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1017"
        },
        {
          "id": "CVE-2004-1056",
          "summary": "Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1056"
        },
        {
          "id": "CVE-2004-1057",
          "summary": "Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1057"
        },
        {
          "id": "CVE-2004-1058",
          "summary": "Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1058"
        },
        {
          "id": "CVE-2004-1068",
          "summary": "A \"missing serialization\" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1068"
        },
        {
          "id": "CVE-2004-1069",
          "summary": "Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1069"
        },
        {
          "id": "CVE-2004-1070",
          "summary": "The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1070"
        },
        {
          "id": "CVE-2004-1071",
          "summary": "The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1071"
        },
        {
          "id": "CVE-2004-1072",
          "summary": "The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1072"
        },
        {
          "id": "CVE-2004-1073",
          "summary": "The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1073"
        },
        {
          "id": "CVE-2004-1137",
          "summary": "Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1137"
        },
        {
          "id": "CVE-2004-1144",
          "summary": "Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1144"
        },
        {
          "id": "CVE-2004-1151",
          "summary": "Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1151"
        },
        {
          "id": "CVE-2004-1234",
          "summary": "load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1234"
        },
        {
          "id": "CVE-2004-1235",
          "summary": "Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1235"
        },
        {
          "id": "CVE-2004-1237",
          "summary": "Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1237"
        },
        {
          "id": "CVE-2004-1333",
          "summary": "Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1333"
        },
        {
          "id": "CVE-2004-1335",
          "summary": "Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1335"
        },
        {
          "id": "CVE-2004-2013",
          "summary": "Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2013"
        },
        {
          "id": "CVE-2004-2135",
          "summary": "cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain \"IV computation\" weaknesses that allow watermarked files to be detected without decryption.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2135"
        },
        {
          "id": "CVE-2004-2136",
          "summary": "dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain \"IV computation\" weaknesses that allow watermarked files to be detected without decryption.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2136"
        },
        {
          "id": "CVE-2004-2302",
          "summary": "Race condition in the sysfs_read_file and sysfs_write_file functions in Linux kernel before 2.6.10 allows local users to read kernel memory and cause a denial of service (crash) via large offsets in sysfs files.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2302"
        },
        {
          "id": "CVE-2004-2536",
          "summary": "The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2536"
        },
        {
          "id": "CVE-2004-2607",
          "summary": "A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of kernel memory via a large len argument, which is received as an int but cast to a short, which prevents a read loop from filling a buffer.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2607"
        },
        {
          "id": "CVE-2004-2660",
          "summary": "Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local users to cause a denial of service (memory consumption) via certain O_DIRECT (direct IO) write requests.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2660"
        },
        {
          "id": "CVE-2004-2731",
          "summary": "Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer size to the copyin function.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2731"
        },
        {
          "id": "CVE-2005-0001",
          "summary": "Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0001"
        },
        {
          "id": "CVE-2005-0003",
          "summary": "The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0003"
        },
        {
          "id": "CVE-2005-0124",
          "summary": "The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0124"
        },
        {
          "id": "CVE-2005-0135",
          "summary": "The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0135"
        },
        {
          "id": "CVE-2005-0136",
          "summary": "The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain \"ptrace corner cases\" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0136"
        },
        {
          "id": "CVE-2005-0137",
          "summary": "Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a \"missing Itanium syscall table entry.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0137"
        },
        {
          "id": "CVE-2005-0176",
          "summary": "The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0176"
        },
        {
          "id": "CVE-2005-0177",
          "summary": "nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0177"
        },
        {
          "id": "CVE-2005-0178",
          "summary": "Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0178"
        },
        {
          "id": "CVE-2005-0179",
          "summary": "Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0179"
        },
        {
          "id": "CVE-2005-0180",
          "summary": "Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0180"
        },
        {
          "id": "CVE-2005-0204",
          "summary": "Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0204"
        },
        {
          "id": "CVE-2005-0207",
          "summary": "Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0207"
        },
        {
          "id": "CVE-2005-0209",
          "summary": "Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0209"
        },
        {
          "id": "CVE-2005-0210",
          "summary": "Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0210"
        },
        {
          "id": "CVE-2005-0400",
          "summary": "The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0400"
        },
        {
          "id": "CVE-2005-0449",
          "summary": "The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0449"
        },
        {
          "id": "CVE-2005-0489",
          "summary": "The /proc handling (proc/base.c) in the Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0489"
        },
        {
          "id": "CVE-2005-0504",
          "summary": "Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0504"
        },
        {
          "id": "CVE-2005-0529",
          "summary": "Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0529"
        },
        {
          "id": "CVE-2005-0530",
          "summary": "Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0530"
        },
        {
          "id": "CVE-2005-0531",
          "summary": "The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0531"
        },
        {
          "id": "CVE-2005-0532",
          "summary": "The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0532"
        },
        {
          "id": "CVE-2005-0736",
          "summary": "Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0736"
        },
        {
          "id": "CVE-2005-0749",
          "summary": "The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0749"
        },
        {
          "id": "CVE-2005-0750",
          "summary": "The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0750"
        },
        {
          "id": "CVE-2005-0756",
          "summary": "ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0756"
        },
        {
          "id": "CVE-2005-0767",
          "summary": "Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0767"
        },
        {
          "id": "CVE-2005-0815",
          "summary": "Multiple \"range checking flaws\" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0815"
        },
        {
          "id": "CVE-2005-0839",
          "summary": "Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0839"
        },
        {
          "id": "CVE-2005-0867",
          "summary": "Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0867"
        },
        {
          "id": "CVE-2005-0916",
          "summary": "AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0916"
        },
        {
          "id": "CVE-2005-0937",
          "summary": "Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0937"
        },
        {
          "id": "CVE-2005-0977",
          "summary": "The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0977"
        },
        {
          "id": "CVE-2005-1041",
          "summary": "The fib_seq_start function in fib_hash.c in the Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1041"
        },
        {
          "id": "CVE-2005-1263",
          "summary": "The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1263"
        },
        {
          "id": "CVE-2005-1264",
          "summary": "Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1264"
        },
        {
          "id": "CVE-2005-1265",
          "summary": "The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1265"
        },
        {
          "id": "CVE-2005-1368",
          "summary": "The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1368"
        },
        {
          "id": "CVE-2005-1369",
          "summary": "The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs \"alarms\" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associated store function.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1369"
        },
        {
          "id": "CVE-2005-1589",
          "summary": "The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1589"
        },
        {
          "id": "CVE-2005-1762",
          "summary": "The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a \"non-canonical\" address.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1762"
        },
        {
          "id": "CVE-2005-1764",
          "summary": "Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1764"
        },
        {
          "id": "CVE-2005-1765",
          "summary": "syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1765"
        },
        {
          "id": "CVE-2005-1768",
          "summary": "Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow.",
          "scorev2": "3.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1768"
        },
        {
          "id": "CVE-2005-1913",
          "summary": "The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-1913"
        },
        {
          "id": "CVE-2005-2098",
          "summary": "The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2098"
        },
        {
          "id": "CVE-2005-2099",
          "summary": "The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null dereference in the keyring destructor.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2099"
        },
        {
          "id": "CVE-2005-2456",
          "summary": "Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2456"
        },
        {
          "id": "CVE-2005-2457",
          "summary": "The driver for compressed ISO file systems (zisofs) in the Linux kernel before 2.6.12.5 allows local users and remote attackers to cause a denial of service (kernel crash) via a crafted compressed ISO file system.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2457"
        },
        {
          "id": "CVE-2005-2458",
          "summary": "inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows remote attackers to cause a denial of service (kernel crash) via a compressed file with \"improper tables\".",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2458"
        },
        {
          "id": "CVE-2005-2459",
          "summary": "The huft_build function in inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 returns the wrong value, which allows remote attackers to cause a denial of service (kernel crash) via a certain compressed file that leads to a null pointer dereference, a different vulnerability than CVE-2005-2458.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2459"
        },
        {
          "id": "CVE-2005-2490",
          "summary": "Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2490"
        },
        {
          "id": "CVE-2005-2492",
          "summary": "The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2492"
        },
        {
          "id": "CVE-2005-2500",
          "summary": "Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux kernel 2.6.12, as used in SuSE Linux Enterprise Server 9, might allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted XDR data for the nfsacl protocol.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2500"
        },
        {
          "id": "CVE-2005-2548",
          "summary": "vlan_dev.c in the VLAN code for Linux kernel 2.6.8 allows remote attackers to cause a denial of service (kernel oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument, as demonstrated using snmpwalk on snmpd.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2548"
        },
        {
          "id": "CVE-2005-2553",
          "summary": "The find_target function in ptrace32.c in the Linux kernel 2.4.x before 2.4.29 does not properly handle a NULL return value from another function, which allows local users to cause a denial of service (kernel crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit executable program.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2553"
        },
        {
          "id": "CVE-2005-2555",
          "summary": "Linux kernel 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2) ipv6/ipv6_sockglue.c.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2555"
        },
        {
          "id": "CVE-2005-2617",
          "summary": "The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12 and later, on the 64-bit x86 platform, does not check the return value of the insert_vm_struct function, which allows local users to trigger a memory leak via a 32-bit application with crafted ELF headers.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2617"
        },
        {
          "id": "CVE-2005-2708",
          "summary": "The search_binary_handler function in exec.c in Linux 2.4 kernel on 64-bit x86 architectures does not check a return code for a particular function call when virtual memory is low, which allows local users to cause a denial of service (panic), as demonstrated by running a process using the bash ulimit -v command.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2708"
        },
        {
          "id": "CVE-2005-2709",
          "summary": "The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2709"
        },
        {
          "id": "CVE-2005-2800",
          "summary": "Memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a denial of service (memory consumption) via certain repeated reads from the /proc/scsi/sg/devices file, which is not properly handled when the next() iterator returns NULL or an error.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2800"
        },
        {
          "id": "CVE-2005-2801",
          "summary": "xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2801"
        },
        {
          "id": "CVE-2005-2872",
          "summary": "The ipt_recent kernel module (ipt_recent.c) in Linux kernel before 2.6.12, when running on 64-bit processors such as AMD64, allows remote attackers to cause a denial of service (kernel panic) via certain attacks such as SSH brute force, which leads to memset calls using a length based on the u_int32_t type, acting on an array of unsigned long elements, a different vulnerability than CVE-2005-2873.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2872"
        },
        {
          "id": "CVE-2005-2873",
          "summary": "The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and earlier does not properly perform certain time tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early, a different vulnerability than CVE-2005-2872.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2873"
        },
        {
          "id": "CVE-2005-2973",
          "summary": "The udp_v6_get_port function in udp.c in Linux 2.6 before 2.6.14-rc5, when running IPv6, allows local users to cause a denial of service (infinite loop and crash).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2973"
        },
        {
          "id": "CVE-2005-3044",
          "summary": "Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow local users to cause a denial of service (kernel OOPS from null dereference) via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put in the 32-bit routing_ioctl function on 64-bit systems.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3044"
        },
        {
          "id": "CVE-2005-3053",
          "summary": "The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x allows local users to cause a denial of service (kernel BUG()) via a negative first argument.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3053"
        },
        {
          "id": "CVE-2005-3055",
          "summary": "Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial of service (kernel OOPS) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3055"
        },
        {
          "id": "CVE-2005-3105",
          "summary": "The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito processors does not properly maintain cache coherency as required by the architecture, which allows local users to cause a denial of service and possibly corrupt data by modifying PTE protections.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3105"
        },
        {
          "id": "CVE-2005-3106",
          "summary": "Race condition in Linux 2.6, when threads are sharing memory mapping via CLONE_VM (such as linuxthreads and vfork), might allow local users to cause a denial of service (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.",
          "scorev2": "1.2",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3106"
        },
        {
          "id": "CVE-2005-3107",
          "summary": "fs/exec.c in Linux 2.6, when one thread is tracing another thread that shares the same memory map, might allow local users to cause a denial of service (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3107"
        },
        {
          "id": "CVE-2005-3108",
          "summary": "mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to cause a denial of service or an information leak via an ioremap on a certain memory map that causes the iounmap to perform a lookup of a page that does not exist.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3108"
        },
        {
          "id": "CVE-2005-3109",
          "summary": "The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to cause a denial of service (oops) by using hfsplus to mount a filesystem that is not hfsplus.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3109"
        },
        {
          "id": "CVE-2005-3110",
          "summary": "Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, when running on an SMP system that is operating under a heavy load, might allow remote attackers to cause a denial of service (crash) via a series of packets that cause a value to be modified after it has been read but before it has been locked.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3110"
        },
        {
          "id": "CVE-2005-3119",
          "summary": "Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3119"
        },
        {
          "id": "CVE-2005-3179",
          "summary": "drm.c in Linux kernel 2.6.10 to 2.6.13 creates a debug file in sysfs with world-readable and world-writable permissions, which allows local users to enable DRM debugging and obtain sensitive information.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3179"
        },
        {
          "id": "CVE-2005-3180",
          "summary": "The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, which allows remote attackers to obtain sensitive information.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3180"
        },
        {
          "id": "CVE-2005-3181",
          "summary": "The audit system in Linux kernel 2.6.6, and other versions before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an incorrect function to free names_cache memory, which prevents the memory from being tracked by AUDITSYSCALL code and leads to a memory leak that allows attackers to cause a denial of service (memory consumption).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3181"
        },
        {
          "id": "CVE-2005-3257",
          "summary": "The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibly other versions including 2.6.14.4, allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3257"
        },
        {
          "id": "CVE-2005-3271",
          "summary": "Exec in Linux kernel 2.6 does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of multiple local users to cause a denial of service by using more posix-timers than specified by the quota for a single user.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3271"
        },
        {
          "id": "CVE-2005-3272",
          "summary": "Linux kernel before 2.6.12 allows remote attackers to poison the bridge forwarding table using frames that have already been dropped by filtering, which can cause the bridge to forward spoofed packets.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3272"
        },
        {
          "id": "CVE-2005-3273",
          "summary": "The rose_rt_ioctl function in rose_route.c for Radionet Open Source Environment (ROSE) in Linux 2.6 kernels before 2.6.12, and 2.4 before 2.4.29, does not properly verify the ndigis argument for a new route, which allows attackers to trigger array out-of-bounds errors with a large number of digipeats.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3273"
        },
        {
          "id": "CVE-2005-3274",
          "summary": "Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.",
          "scorev2": "1.2",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3274"
        },
        {
          "id": "CVE-2005-3275",
          "summary": "The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly declares a variable to be static, which allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time, which leads to memory corruption.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3275"
        },
        {
          "id": "CVE-2005-3276",
          "summary": "The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3276"
        },
        {
          "id": "CVE-2005-3356",
          "summary": "The mq_open system call in Linux kernel 2.6.9, in certain situations, can decrement a counter twice (\"double decrement\") as a result of multiple calls to the mntput function when the dentry_open function call fails, which allows local users to cause a denial of service (panic) via unspecified attack vectors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3356"
        },
        {
          "id": "CVE-2005-3358",
          "summary": "Linux kernel before 2.6.15 allows local users to cause a denial of service (panic) via a set_mempolicy call with a 0 bitmask, which causes a panic when a page fault occurs.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3358"
        },
        {
          "id": "CVE-2005-3359",
          "summary": "The atm module in Linux kernel 2.6 before 2.6.14 allows local users to cause a denial of service (panic) via certain socket calls that produce inconsistent reference counts for loadable protocol modules.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3359"
        },
        {
          "id": "CVE-2005-3527",
          "summary": "Race condition in do_coredump in signal.c in Linux kernel 2.6 allows local users to cause a denial of service by triggering a core dump in one thread while another thread has a pending SIGSTOP.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3527"
        },
        {
          "id": "CVE-2005-3623",
          "summary": "nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3623"
        },
        {
          "id": "CVE-2005-3660",
          "summary": "Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service (memory exhaustion and panic) by creating a large number of connected file descriptors or socketpairs and setting a large data transfer buffer, then preventing Linux from being able to finish the transfer by causing the process to become a zombie, or closing the file descriptor without closing an associated reference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3660"
        },
        {
          "id": "CVE-2005-3753",
          "summary": "Linux kernel after 2.6.12 and before 2.6.13.1 might allow attackers to cause a denial of service (Oops) via certain IPSec packets that cause alignment problems in standard multi-block cipher processors.  NOTE: it is not clear whether this issue can be triggered by an attacker.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3753"
        },
        {
          "id": "CVE-2005-3783",
          "summary": "The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which allows local users to cause a denial of service (crash).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3783"
        },
        {
          "id": "CVE-2005-3784",
          "summary": "The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a denial of service (crash) and gain root privileges.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3784"
        },
        {
          "id": "CVE-2005-3805",
          "summary": "A locking problem in POSIX timer cleanup handling on exit in Linux kernel 2.6.10 to 2.6.14, when running on SMP systems, allows local users to cause a denial of service (deadlock) involving process CPU timers.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3805"
        },
        {
          "id": "CVE-2005-3806",
          "summary": "The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a denial of service (crash) by triggering a free of non-allocated memory.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3806"
        },
        {
          "id": "CVE-2005-3807",
          "summary": "Memory leak in the VFS file lease handling in locks.c in Linux kernels 2.6.10 to 2.6.15 allows local users to cause a denial of service (memory exhaustion) via certain Samba activities that cause an fasync entry to be re-allocated by the fcntl_setlease function after the fasync queue has already been cleaned by the locks_delete_lock function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3807"
        },
        {
          "id": "CVE-2005-3808",
          "summary": "Integer overflow in the invalidate_inode_pages2_range function in mm/truncate.c in Linux kernel 2.6.11 to 2.6.14 allows local users to cause a denial of service (hang) via 64-bit mmap calls that are not properly handled on a 32-bit system.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3808"
        },
        {
          "id": "CVE-2005-3809",
          "summary": "The nfattr_to_tcp function in ip_conntrack_proto_tcp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via an update message without private protocol information, which triggers a null dereference.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3809"
        },
        {
          "id": "CVE-2005-3810",
          "summary": "ip_conntrack_proto_icmp.c in ctnetlink in Linux kernel 2.6.14 up to 2.6.14.3 allows attackers to cause a denial of service (kernel oops) via a message without ICMP ID (ICMP_ID) information, which leads to a null dereference.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3810"
        },
        {
          "id": "CVE-2005-3847",
          "summary": "The handle_stop_signal function in signal.c in Linux kernel 2.6.11 up to other versions before 2.6.13 and 2.6.12.6 allows local users to cause a denial of service (deadlock) by sending a SIGKILL to a real-time threaded process while it is performing a core dump.",
          "scorev2": "4.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3847"
        },
        {
          "id": "CVE-2005-3848",
          "summary": "Memory leak in the icmp_push_reply function in Linux 2.6 before 2.6.12.6 and 2.6.13 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted packets that cause the ip_append_data function to fail, aka \"DST leak in icmp_push_reply.\"",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3848"
        },
        {
          "id": "CVE-2005-3857",
          "summary": "The time_out_leases function in locks.c for Linux kernel before 2.6.15-rc3 allows local users to cause a denial of service (kernel log message consumption) by causing a large number of broken leases, which is recorded to the log using the printk function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3857"
        },
        {
          "id": "CVE-2005-3858",
          "summary": "Memory leak in the ip6_input_finish function in ip6_input.c in Linux kernel 2.6.12 and earlier might allow attackers to cause a denial of service via malformed IPv6 packets with unspecified parameter problems, which prevents the SKB from being freed.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3858"
        },
        {
          "id": "CVE-2005-4351",
          "summary": "The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass immutable settings for files by mounting another filesystem that masks the immutable files while the system is running.",
          "scorev2": "4.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4351"
        },
        {
          "id": "CVE-2005-4352",
          "summary": "The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2.6.15 and earlier, allows local users to bypass time setting restrictions and set the clock backwards by setting the clock ahead to the maximum unixtime value (19 Jan 2038), which then wraps around to the minimum value (13 Dec 1901), which can then be set ahead to the desired time, aka \"settimeofday() time wrap.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4352"
        },
        {
          "id": "CVE-2005-4605",
          "summary": "The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4605"
        },
        {
          "id": "CVE-2005-4618",
          "summary": "Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local users to corrupt user memory and possibly cause a denial of service via a long string, which causes sysctl to write a zero byte outside the buffer.  NOTE: since the sysctl is called from a userland program that provides the argument, this might not be a vulnerability, unless a legitimate user-assisted or setuid scenario can be identified.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4618"
        },
        {
          "id": "CVE-2005-4635",
          "summary": "The nl_fib_input function in fib_frontend.c in the Linux kernel before 2.6.15 does not check for valid lengths of the header and payload, which allows remote attackers to cause a denial of service (invalid memory reference) via malformed fib_lookup netlink messages.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4635"
        },
        {
          "id": "CVE-2005-4639",
          "summary": "Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/Card in Linux kernel 2.6.12 and other versions before 2.6.15 allows local users to cause a denial of service (crash) and possibly execute arbitrary code by \"reading more than 8 bytes into an 8 byte long array\".",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4639"
        },
        {
          "id": "CVE-2005-4798",
          "summary": "Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31 allows remote NFS servers to cause a denial of service (crash) via a long symlink, which is not properly handled in (1) nfs2xdr.c or (2) nfs3xdr.c and causes a crash in the NFS client.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4798"
        },
        {
          "id": "CVE-2005-4811",
          "summary": "The hugepage code (hugetlb.c) in Linux kernel 2.6, possibly 2.6.12 and 2.6.13, in certain configurations, allows local users to cause a denial of service (crash) by triggering an mmap error before a prefault, which causes an error in the unmap_hugepage_area function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4811"
        },
        {
          "id": "CVE-2005-4881",
          "summary": "The netlink subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.13-rc1 does not initialize certain padding fields in structures, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors, related to the (1) tc_fill_qdisc, (2) tcf_fill_node, (3) neightbl_fill_info, (4) neightbl_fill_param_info, (5) neigh_fill_info, (6) rtnetlink_fill_ifinfo, (7) rtnetlink_fill_iwinfo, (8) vif_delete, (9) ipmr_destroy_unres, (10) ipmr_cache_alloc_unres, (11) ipmr_cache_resolve, (12) inet6_fill_ifinfo, (13) tca_get_fill, (14) tca_action_flush, (15) tcf_add_notify, (16) tc_dump_action, (17) cbq_dump_police, (18) __nlmsg_put, (19) __rta_fill, (20) __rta_reserve, (21) inet6_fill_prefix, (22) rsvp_dump, and (23) cbq_dump_ovl functions.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4881"
        },
        {
          "id": "CVE-2005-4886",
          "summary": "The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the Linux kernel before 2.6.12-rc4 allows remote attackers to cause a denial of service (OOPS) via vectors associated with an incorrect call to the ipv6_skip_exthdr function.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4886"
        },
        {
          "id": "CVE-2006-0035",
          "summary": "The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0035"
        },
        {
          "id": "CVE-2006-0036",
          "summary": "ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0036"
        },
        {
          "id": "CVE-2006-0037",
          "summary": "ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0037"
        },
        {
          "id": "CVE-2006-0038",
          "summary": "Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using \"virtualization solutions\" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0038"
        },
        {
          "id": "CVE-2006-0039",
          "summary": "Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0039"
        },
        {
          "id": "CVE-2006-0095",
          "summary": "dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0095"
        },
        {
          "id": "CVE-2006-0096",
          "summary": "wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors.  NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0096"
        },
        {
          "id": "CVE-2006-0454",
          "summary": "Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICMP response in icmp_send, does not properly handle when the ip_options_echo function in icmp.c fails, which allows remote attackers to cause a denial of service (crash) via vectors such as (1) record-route and (2) timestamp IP options with the needaddr bit set and a truncated value.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0454"
        },
        {
          "id": "CVE-2006-0456",
          "summary": "The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 can return an incorrect value, which allows local users to cause a denial of service via unknown vectors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0456"
        },
        {
          "id": "CVE-2006-0457",
          "summary": "Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions in Linux kernel 2.6.x allows local users to cause a denial of service (crash) or read sensitive kernel memory by modifying the length of a string argument between the time that the kernel calculates the length and when it copies the data into kernel memory.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0457"
        },
        {
          "id": "CVE-2006-0482",
          "summary": "Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a \"date -s\" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0482"
        },
        {
          "id": "CVE-2006-0554",
          "summary": "Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive information via a crafted XFS ftruncate call, which may return stale data.",
          "scorev2": "1.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0554"
        },
        {
          "id": "CVE-2006-0555",
          "summary": "The Linux Kernel before 2.6.15.5 allows local users to cause a denial of service (NFS client panic) via unknown attack vectors related to the use of O_DIRECT (direct I/O).",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0555"
        },
        {
          "id": "CVE-2006-0557",
          "summary": "sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0557"
        },
        {
          "id": "CVE-2006-0558",
          "summary": "perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users to cause a denial of service (crash) by interrupting a task while another process is accessing the mm_struct, which triggers a BUG_ON action in the put_page_testzero function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0558"
        },
        {
          "id": "CVE-2006-0741",
          "summary": "Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service (\"endless recursive fault\") via unknown attack vectors related to a \"bad elf entry address.\"",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0741"
        },
        {
          "id": "CVE-2006-0742",
          "summary": "The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, has the \"noreturn\" attribute set, which allows local users to cause a denial of service by causing user faults on Itanium systems.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0742"
        },
        {
          "id": "CVE-2006-0744",
          "summary": "Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0744"
        },
        {
          "id": "CVE-2006-1052",
          "summary": "The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local users with ptrace permissions to change the tracer SID to an SID of another process.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1052"
        },
        {
          "id": "CVE-2006-1055",
          "summary": "The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1055"
        },
        {
          "id": "CVE-2006-1056",
          "summary": "The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1056"
        },
        {
          "id": "CVE-2006-1066",
          "summary": "Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems with preemption enabled, allows local users to cause a denial of service (oops) via multiple ptrace tasks that perform single steps, which can cause corruption of the DEBUG_STACK stack during the do_debug function call.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1066"
        },
        {
          "id": "CVE-2006-1242",
          "summary": "The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to conduct an Idle Scan (nmap -sI) attack, which bypasses intended protections against such attacks.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1242"
        },
        {
          "id": "CVE-2006-1342",
          "summary": "net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the (1) getsockname, (2) getpeername, and (3) accept functions, which allows local users to obtain portions of potentially sensitive memory.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1342"
        },
        {
          "id": "CVE-2006-1343",
          "summary": "net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which allows local users to obtain portions of potentially sensitive memory.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1343"
        },
        {
          "id": "CVE-2006-1368",
          "summary": "Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes memory to be allocated for the reply data but not the reply structure.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1368"
        },
        {
          "id": "CVE-2006-1522",
          "summary": "The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 and 2.6.17-rc1, and possibly earlier versions, allows local users to cause a denial of service (OOPS) via keyctl requests that add a key to a user key instead of a keyring key, which causes an invalid dereference in the __keyring_search_one function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1522"
        },
        {
          "id": "CVE-2006-1523",
          "summary": "The __group_complete_signal function in the RCU signal handling (signal.c) in Linux kernel 2.6.16, and possibly other versions, has unknown impact and attack vectors related to improper use of BUG_ON.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1523"
        },
        {
          "id": "CVE-2006-1524",
          "summary": "madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow file and mmap restrictions, which allows local users to bypass IPC permissions and replace portions of readonly tmpfs files with zeroes, aka the MADV_REMOVE vulnerability.  NOTE: this description was originally written in a way that combined two separate issues.  The mprotect issue now has a separate name, CVE-2006-2071.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1524"
        },
        {
          "id": "CVE-2006-1525",
          "summary": "ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1525"
        },
        {
          "id": "CVE-2006-1527",
          "summary": "The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the for_each_sctp_chunk function.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1527"
        },
        {
          "id": "CVE-2006-1528",
          "summary": "Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1528"
        },
        {
          "id": "CVE-2006-1624",
          "summary": "The default configuration of syslogd in the Linux sysklogd package does not enable the -x (disable name lookups) option, which allows remote attackers to cause a denial of service (traffic amplification) via messages with spoofed source IP addresses.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1624"
        },
        {
          "id": "CVE-2006-1855",
          "summary": "choose_new_parent in Linux kernel before 2.6.11.12 includes certain debugging code, which allows local users to cause a denial of service (panic) by causing certain circumstances involving termination of a parent process.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1855"
        },
        {
          "id": "CVE-2006-1856",
          "summary": "Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1856"
        },
        {
          "id": "CVE-2006-1857",
          "summary": "Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk.",
          "scorev2": "9.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1857"
        },
        {
          "id": "CVE-2006-1858",
          "summary": "SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1858"
        },
        {
          "id": "CVE-2006-1859",
          "summary": "Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an \"uninitialised return value,\" aka \"slab leak.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1859"
        },
        {
          "id": "CVE-2006-1860",
          "summary": "lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1860"
        },
        {
          "id": "CVE-2006-1862",
          "summary": "The virtual memory implementation in Linux kernel 2.6.x allows local users to cause a denial of service (panic) by running lsof a large number of times in a way that produces a heavy system load.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1862"
        },
        {
          "id": "CVE-2006-1863",
          "summary": "Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via \"..\\\\\" sequences, a similar vulnerability to CVE-2006-1864.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1863"
        },
        {
          "id": "CVE-2006-1864",
          "summary": "Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via \"..\\\\\" sequences, a similar vulnerability to CVE-2006-1863.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-1864"
        },
        {
          "id": "CVE-2006-2071",
          "summary": "Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment.  NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2071"
        },
        {
          "id": "CVE-2006-2444",
          "summary": "The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2444"
        },
        {
          "id": "CVE-2006-2445",
          "summary": "Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21 allows local users to cause a denial of service (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2445"
        },
        {
          "id": "CVE-2006-2446",
          "summary": "Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2446"
        },
        {
          "id": "CVE-2006-2448",
          "summary": "Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c).",
          "scorev2": "5.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2448"
        },
        {
          "id": "CVE-2006-2451",
          "summary": "The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2451"
        },
        {
          "id": "CVE-2006-2629",
          "summary": "Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP platforms, allows local users to cause a denial of service (crash) by creating and exiting a large number of tasks, then accessing the /proc entry of a task that is exiting, which causes memory corruption that leads to a failure in the prune_dcache function or a BUG_ON error in include/linux/list.h.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2629"
        },
        {
          "id": "CVE-2006-2932",
          "summary": "A regression error in the restore_all code path of the 4/4GB split support for non-hugemem Linux kernels on Red Hat Linux Desktop and Enterprise Linux 4 allows local users to cause a denial of service (panic) via unspecified vectors.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2932",
          "detail": "not-applicable-platform",
          "description": "specific to RHEL"
        },
        {
          "id": "CVE-2006-2934",
          "summary": "SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2934"
        },
        {
          "id": "CVE-2006-2935",
          "summary": "The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2935"
        },
        {
          "id": "CVE-2006-2936",
          "summary": "The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-2936"
        },
        {
          "id": "CVE-2006-3085",
          "summary": "xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3085"
        },
        {
          "id": "CVE-2006-3468",
          "summary": "Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3468"
        },
        {
          "id": "CVE-2006-3626",
          "summary": "Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3626"
        },
        {
          "id": "CVE-2006-3634",
          "summary": "The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in Linux kernel 2.6.17-rc4 to 2.6.18-rc2 perform the atomic futex operation in the kernel address space instead of the user address space, which allows local users to cause a denial of service (crash).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3634"
        },
        {
          "id": "CVE-2006-3635",
          "summary": "The ia64 subsystem in the Linux kernel before 2.6.26 allows local users to cause a denial of service (stack consumption and system crash) via a crafted application that leverages the mishandling of invalid Register Stack Engine (RSE) state.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3635"
        },
        {
          "id": "CVE-2006-3741",
          "summary": "The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and 2.6 before 2.6.18, when running on Itanium systems, does not properly track the reference count for file descriptors, which allows local users to cause a denial of service (file descriptor consumption).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3741"
        },
        {
          "id": "CVE-2006-3745",
          "summary": "Unspecified vulnerability in the sctp_make_abort_user function in the SCTP implementation in Linux 2.6.x before 2.6.17.10 and 2.4.23 up to 2.4.33 allows local users to cause a denial of service (panic) and possibly gain root privileges via unknown attack vectors.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-3745"
        },
        {
          "id": "CVE-2006-4093",
          "summary": "Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerPC PPC970 systems allows local users to cause a denial of service (crash) related to the \"HID0 attention enable on PPC970 at boot time.\"",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4093"
        },
        {
          "id": "CVE-2006-4145",
          "summary": "The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4145"
        },
        {
          "id": "CVE-2006-4535",
          "summary": "The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745.  NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4535"
        },
        {
          "id": "CVE-2006-4538",
          "summary": "Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC platforms, allows local users to cause a denial of service (crash) via a malformed ELF file that triggers memory maps that cross region boundaries.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4538"
        },
        {
          "id": "CVE-2006-4572",
          "summary": "ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows remote attackers to (1) bypass a rule that disallows a protocol, via a packet with the protocol header not located immediately after the fragment header, aka \"ip6_tables protocol bypass bug;\" and (2) bypass a rule that looks for a certain extension header, via a packet with an extension header outside the first fragment, aka \"ip6_tables extension header bypass bug.\"",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4572"
        },
        {
          "id": "CVE-2006-4623",
          "summary": "The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in dvb-core/dvb_net.c in the dvb driver in the Linux kernel 2.6.17.8 allows remote attackers to cause a denial of service (crash) via an SNDU length of 0 in a ULE packet.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4623"
        },
        {
          "id": "CVE-2006-4663",
          "summary": "The source code tar archive of the Linux kernel 2.6.16, 2.6.17.11, and possibly other versions specifies weak permissions (0666 and 0777) for certain files and directories, which might allow local users to insert Trojan horse source code that would be used during the next kernel compilation.  NOTE: another researcher disputes the vulnerability, stating that he finds \"Not a single world-writable file or directory.\" CVE analysis as of 20060908 indicates that permissions will only be weak under certain unusual or insecure scenarios",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4663"
        },
        {
          "id": "CVE-2006-4813",
          "summary": "The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 does not properly clear buffers during certain error conditions, which allows local users to read portions of files that have been unlinked.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4813"
        },
        {
          "id": "CVE-2006-4814",
          "summary": "The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4814"
        },
        {
          "id": "CVE-2006-4997",
          "summary": "The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference).",
          "scorev2": "7.1",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-4997"
        },
        {
          "id": "CVE-2006-5158",
          "summary": "The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock.",
          "scorev2": "3.3",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5158"
        },
        {
          "id": "CVE-2006-5173",
          "summary": "Linux kernel does not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allows local users to cause a denial of service (process crash), as demonstrated using a process that sets the Alignment Check flag (EFLAGS 0x40000), which triggers a SIGBUS in other processes that have an unaligned access.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5173"
        },
        {
          "id": "CVE-2006-5174",
          "summary": "The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by \"appending to a file from a bad address,\" which triggers a fault that prevents the unused memory from being cleared in the kernel buffer.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5174"
        },
        {
          "id": "CVE-2006-5331",
          "summary": "The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5331"
        },
        {
          "id": "CVE-2006-5619",
          "summary": "The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5619"
        },
        {
          "id": "CVE-2006-5701",
          "summary": "Double free vulnerability in squashfs module in the Linux kernel 2.6.x, as used in Fedora Core 5 and possibly other distributions, allows local users to cause a denial of service by mounting a crafted squashfs filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5701"
        },
        {
          "id": "CVE-2006-5749",
          "summary": "The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.",
          "scorev2": "1.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5749"
        },
        {
          "id": "CVE-2006-5751",
          "summary": "Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5751"
        },
        {
          "id": "CVE-2006-5753",
          "summary": "Unspecified vulnerability in the listxattr system call in Linux kernel, when a \"bad inode\" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges via unknown vectors.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5753"
        },
        {
          "id": "CVE-2006-5754",
          "summary": "The aio_setup_ring function in Linux kernel does not properly initialize a variable, which allows local users to cause a denial of service (crash) via an unspecified error path that causes an incorrect free operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5754"
        },
        {
          "id": "CVE-2006-5755",
          "summary": "Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5755"
        },
        {
          "id": "CVE-2006-5757",
          "summary": "Race condition in the __find_get_block_slow function in the ISO9660 filesystem in Linux 2.6.18 and possibly other versions allows local users to cause a denial of service (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5757"
        },
        {
          "id": "CVE-2006-5823",
          "summary": "The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via a malformed filesystem that uses zlib compression that triggers memory corruption, as demonstrated using cramfs.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5823"
        },
        {
          "id": "CVE-2006-5871",
          "summary": "smbfs in Linux kernel 2.6.8 and other versions, and 2.4.x before 2.4.34, when UNIX extensions are enabled, ignores certain mount options, which could cause clients to use server-specified uid, gid and mode settings.",
          "scorev2": "4.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-5871"
        },
        {
          "id": "CVE-2006-6053",
          "summary": "The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6053"
        },
        {
          "id": "CVE-2006-6054",
          "summary": "The ext2 file system code in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext2 stream with malformed data structures that triggers an error in the ext2_check_page due to a length that is smaller than the minimum.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6054"
        },
        {
          "id": "CVE-2006-6056",
          "summary": "Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux hooks are enabled, allows local users to cause a denial of service (crash) via a malformed file stream that triggers a NULL pointer dereference in the superblock_doinit function, as demonstrated using an HFS filesystem image.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6056"
        },
        {
          "id": "CVE-2006-6057",
          "summary": "The Linux kernel 2.6.x up to 2.6.18, and possibly other versions, on Fedora Core 6 and possibly other operating systems, allows local users to cause a denial of service (crash) via a malformed gfs2 file stream that triggers a NULL pointer dereference in the init_journal function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6057"
        },
        {
          "id": "CVE-2006-6058",
          "summary": "The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function.  NOTE: this issue might be due to an integer overflow or signedness error.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6058"
        },
        {
          "id": "CVE-2006-6060",
          "summary": "The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly other versions, allows local users to cause a denial of service (CPU consumption) via a malformed NTFS file stream that triggers an infinite loop in the __find_get_block_slow function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6060"
        },
        {
          "id": "CVE-2006-6106",
          "summary": "Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6106"
        },
        {
          "id": "CVE-2006-6128",
          "summary": "The ReiserFS functionality in Linux kernel 2.6.18, and possibly other versions, allows local users to cause a denial of service via a malformed ReiserFS file system that triggers memory corruption when a sync is performed.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6128"
        },
        {
          "id": "CVE-2006-6304",
          "summary": "The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6304"
        },
        {
          "id": "CVE-2006-6333",
          "summary": "The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wrong flag to the ip_summed field, which allows remote attackers to cause a denial of service (memory corruption) via crafted packets that cause the kernel to interpret another field as an offset.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6333"
        },
        {
          "id": "CVE-2006-6535",
          "summary": "The dev_queue_xmit function in Linux kernel 2.6 can fail before calling the local_bh_disable function, which could lead to data corruption and \"node lockups.\"  NOTE: it is not clear whether this issue is exploitable.",
          "scorev2": "9.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6535"
        },
        {
          "id": "CVE-2006-6921",
          "summary": "Unspecified versions of the Linux kernel allow local users to cause a denial of service (unrecoverable zombie process) via a program with certain instructions that prevent init from properly reaping a child whose parent has died.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-6921"
        },
        {
          "id": "CVE-2006-7051",
          "summary": "The sys_timer_create function in posix-timers.c for Linux kernel 2.6.x allows local users to cause a denial of service (memory consumption) and possibly bypass memory limits or cause other processes to be killed by creating a large number of posix timers, which are allocated in kernel memory but are not treated as part of the process' memory.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7051"
        },
        {
          "id": "CVE-2006-7203",
          "summary": "The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (\"mount -t smbfs\").",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7203"
        },
        {
          "id": "CVE-2006-7229",
          "summary": "The skge driver 1.5 in Linux kernel 2.6.15 on Ubuntu does not properly use the spin_lock and spin_unlock functions, which allows remote attackers to cause a denial of service (machine crash) via a flood of network traffic.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-7229"
        },
        {
          "id": "CVE-2007-0006",
          "summary": "The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as \"spinlock CPU recursion.\"",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0006"
        },
        {
          "id": "CVE-2007-0771",
          "summary": "The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to \"MT exec + utrace_attach spin failure mode,\" as demonstrated by ptrace-thrash.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0771"
        },
        {
          "id": "CVE-2007-0772",
          "summary": "The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0772"
        },
        {
          "id": "CVE-2007-0822",
          "summary": "umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0822"
        },
        {
          "id": "CVE-2007-0958",
          "summary": "Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0958"
        },
        {
          "id": "CVE-2007-0997",
          "summary": "Race condition in the tee (sys_tee) system call in the Linux kernel 2.6.17 through 2.6.17.6 might allow local users to cause a denial of service (system crash), obtain sensitive information (kernel memory contents), or gain privileges via unspecified vectors related to a potentially dropped ipipe lock during a race between two pipe readers.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0997"
        },
        {
          "id": "CVE-2007-1000",
          "summary": "The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1000"
        },
        {
          "id": "CVE-2007-1217",
          "summary": "Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1217"
        },
        {
          "id": "CVE-2007-1353",
          "summary": "The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1353"
        },
        {
          "id": "CVE-2007-1357",
          "summary": "The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1357"
        },
        {
          "id": "CVE-2007-1388",
          "summary": "The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1388"
        },
        {
          "id": "CVE-2007-1496",
          "summary": "nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using \"multiple packets per netlink message\", and (3) bridged packets, which trigger a NULL pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1496"
        },
        {
          "id": "CVE-2007-1497",
          "summary": "nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1497"
        },
        {
          "id": "CVE-2007-1592",
          "summary": "net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1592"
        },
        {
          "id": "CVE-2007-1730",
          "summary": "Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1730"
        },
        {
          "id": "CVE-2007-1734",
          "summary": "The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1734"
        },
        {
          "id": "CVE-2007-1861",
          "summary": "The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-1861"
        },
        {
          "id": "CVE-2007-2172",
          "summary": "A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an \"out of bound access\" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2172"
        },
        {
          "id": "CVE-2007-2451",
          "summary": "Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES in the Linux kernel before 2.6.21.3 allows attackers to obtain sensitive information via unspecified vectors.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2451"
        },
        {
          "id": "CVE-2007-2453",
          "summary": "The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, (1) does not properly seed pools when there is no entropy, or (2) uses an incorrect cast when extracting entropy, which might cause the random number generator to provide the same values after reboots on systems without an entropy source.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2453"
        },
        {
          "id": "CVE-2007-2480",
          "summary": "The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.21 and earlier does not prevent a bind to a port with a local address when there is already a bind to that port with a wildcard local address, which might allow local users to intercept local traffic for daemons or other applications.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2480"
        },
        {
          "id": "CVE-2007-2525",
          "summary": "Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the Linux kernel before 2.6.21-git8 allows local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2525"
        },
        {
          "id": "CVE-2007-2764",
          "summary": "The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2764",
          "detail": "not-applicable-platform",
          "description": "specific to Sun/Brocade SilkWorm switches"
        },
        {
          "id": "CVE-2007-2875",
          "summary": "Integer underflow in the cpuset_tasks_read function in the Linux kernel before 2.6.20.13, and 2.6.21.x before 2.6.21.4, when the cpuset filesystem is mounted, allows local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2875"
        },
        {
          "id": "CVE-2007-2876",
          "summary": "The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of service by causing certain invalid states that trigger a NULL pointer dereference.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2876"
        },
        {
          "id": "CVE-2007-2878",
          "summary": "The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-2878"
        },
        {
          "id": "CVE-2007-3104",
          "summary": "The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3104"
        },
        {
          "id": "CVE-2007-3105",
          "summary": "Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving \"bound check ordering\". NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3105"
        },
        {
          "id": "CVE-2007-3107",
          "summary": "The signal handling in the Linux kernel before 2.6.22, including 2.6.2, when running on PowerPC systems using HTX, allows local users to cause a denial of service via unspecified vectors involving floating point corruption and concurrency, related to clearing of MSR bits.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3107"
        },
        {
          "id": "CVE-2007-3380",
          "summary": "The Distributed Lock Manager (DLM) in the cluster manager for Linux kernel 2.6.15 allows remote attackers to cause a denial of service (loss of lock services) by connecting to the DLM port, which probably prevents other processes from accessing the service.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3380"
        },
        {
          "id": "CVE-2007-3513",
          "summary": "The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel before 2.6.22-rc7 does not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3513"
        },
        {
          "id": "CVE-2007-3642",
          "summary": "The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and before 2.6.22 allows remote attackers to cause a denial of service (crash) via an encoded, out-of-range index value for a choice field, which triggers a NULL pointer dereference.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3642"
        },
        {
          "id": "CVE-2007-3719",
          "summary": "The process scheduler in the Linux kernel 2.6.16 gives preference to \"interactive\" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3719"
        },
        {
          "id": "CVE-2007-3720",
          "summary": "The process scheduler in the Linux kernel 2.4 performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3720"
        },
        {
          "id": "CVE-2007-3731",
          "summary": "The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3731"
        },
        {
          "id": "CVE-2007-3732",
          "summary": "In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. The kernel's %fs needs to be restored before the call in TRACE_IRQS_ON and before enabling interrupts, so that \"current\" references work. Without this, \"current\" used in the window between iret_exc and the middle of error_code where %fs is reset, would crash.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3732"
        },
        {
          "id": "CVE-2007-3740",
          "summary": "The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3740"
        },
        {
          "id": "CVE-2007-3843",
          "summary": "The Linux kernel before 2.6.23-rc1 checks the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request.",
          "scorev2": "4.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3843"
        },
        {
          "id": "CVE-2007-3848",
          "summary": "Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG).",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3848"
        },
        {
          "id": "CVE-2007-3850",
          "summary": "The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on PowerPC, does not properly map userspace resources, which allows local users to read portions of physical address space.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3850"
        },
        {
          "id": "CVE-2007-3851",
          "summary": "The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.",
          "scorev2": "6.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3851"
        },
        {
          "id": "CVE-2007-4133",
          "summary": "The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4133"
        },
        {
          "id": "CVE-2007-4311",
          "summary": "The xfer_secondary_pool function in drivers/char/random.c in the Linux kernel 2.4 before 2.4.35 performs reseed operations on only the first few bytes of a buffer, which might make it easier for attackers to predict the output of the random number generator, related to incorrect use of the sizeof operator.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4311"
        },
        {
          "id": "CVE-2007-4567",
          "summary": "The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4567"
        },
        {
          "id": "CVE-2007-4571",
          "summary": "The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4571"
        },
        {
          "id": "CVE-2007-4573",
          "summary": "The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4573"
        },
        {
          "id": "CVE-2007-4774",
          "summary": "The Linux kernel before 2.4.36-rc1 has a race condition. It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can wake up a PTRACED process.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4774"
        },
        {
          "id": "CVE-2007-4997",
          "summary": "Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an \"off-by-two error.\"",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4997"
        },
        {
          "id": "CVE-2007-4998",
          "summary": "cp, when running with an option to preserve symlinks on multiple OSes, allows local, user-assisted attackers to overwrite arbitrary files via a symlink attack using crafted directories containing multiple source files that are copied to the same destination.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4998",
          "detail": "cpe-incorrect",
          "description": "a historic cp bug, no longer an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=356471#c5"
        },
        {
          "id": "CVE-2007-5087",
          "summary": "The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5087"
        },
        {
          "id": "CVE-2007-5093",
          "summary": "The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 \"relies on user space to close the device,\" which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked.  NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5093"
        },
        {
          "id": "CVE-2007-5498",
          "summary": "The Xen hypervisor block backend driver for Linux kernel 2.6.18, when running on a 64-bit host with a 32-bit paravirtualized guest, allows local privileged users in the guest OS to cause a denial of service (host OS crash) via a request that specifies a large number of blocks.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5498"
        },
        {
          "id": "CVE-2007-5500",
          "summary": "The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.  NOTE: some of these details are obtained from third party information.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5500"
        },
        {
          "id": "CVE-2007-5501",
          "summary": "The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5501"
        },
        {
          "id": "CVE-2007-5904",
          "summary": "Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5904"
        },
        {
          "id": "CVE-2007-5966",
          "summary": "Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value.  NOTE: some of these details are obtained from third party information.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5966"
        },
        {
          "id": "CVE-2007-6063",
          "summary": "Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6063"
        },
        {
          "id": "CVE-2007-6151",
          "summary": "The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6151"
        },
        {
          "id": "CVE-2007-6206",
          "summary": "The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6206"
        },
        {
          "id": "CVE-2007-6417",
          "summary": "The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6417"
        },
        {
          "id": "CVE-2007-6434",
          "summary": "Linux kernel 2.6.23 allows local users to create low pages in virtual userspace memory and bypass mmap_min_addr protection via a crafted executable file that calls the do_brk function.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6434"
        },
        {
          "id": "CVE-2007-6694",
          "summary": "The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 through 2.6.18-53, when running on PowerPC, might allow local users to cause a denial of service (crash) via unknown vectors that cause the of_get_property function to fail, which triggers a NULL pointer dereference.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6694"
        },
        {
          "id": "CVE-2007-6712",
          "summary": "Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6712"
        },
        {
          "id": "CVE-2007-6716",
          "summary": "fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 does not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6716"
        },
        {
          "id": "CVE-2007-6733",
          "summary": "The nfs_lock function in fs/nfs/file.c in the Linux kernel 2.6.9 does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on an NFS filesystem and then changing this file's permissions, a related issue to CVE-2010-0727.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6733"
        },
        {
          "id": "CVE-2007-6761",
          "summary": "drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6761"
        },
        {
          "id": "CVE-2007-6762",
          "summary": "In the Linux kernel before 2.6.20, there is an off-by-one bug in net/netlabel/netlabel_cipso_v4.c where it is possible to overflow the doi_def->tags[] array.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6762"
        },
        {
          "id": "CVE-2008-0001",
          "summary": "VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0001"
        },
        {
          "id": "CVE-2008-0007",
          "summary": "Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0007"
        },
        {
          "id": "CVE-2008-0009",
          "summary": "The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0009"
        },
        {
          "id": "CVE-2008-0010",
          "summary": "The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0010"
        },
        {
          "id": "CVE-2008-0163",
          "summary": "Linux kernel 2.6, when using vservers, allows local users to access resources of other vservers via a symlink attack in /proc.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0163"
        },
        {
          "id": "CVE-2008-0352",
          "summary": "The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram).",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0352"
        },
        {
          "id": "CVE-2008-0598",
          "summary": "Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0598"
        },
        {
          "id": "CVE-2008-0600",
          "summary": "The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0600"
        },
        {
          "id": "CVE-2008-1294",
          "summary": "Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1294"
        },
        {
          "id": "CVE-2008-1375",
          "summary": "Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1375"
        },
        {
          "id": "CVE-2008-1514",
          "summary": "arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions before 2.6.27-rc6, on s390 platforms allows local users to cause a denial of service (kernel panic) via the user-area-padding test from the ptrace testsuite in 31-bit mode, which triggers an invalid dereference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1514"
        },
        {
          "id": "CVE-2008-1669",
          "summary": "Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain \"re-ordered access to the descriptor table.\"",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1669"
        },
        {
          "id": "CVE-2008-1673",
          "summary": "The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1673"
        },
        {
          "id": "CVE-2008-1675",
          "summary": "The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1675"
        },
        {
          "id": "CVE-2008-2136",
          "summary": "Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2136"
        },
        {
          "id": "CVE-2008-2137",
          "summary": "The (1) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c and the (2) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3, omit some virtual-address range (aka span) checks when the mmap MAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mmap calls.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2137"
        },
        {
          "id": "CVE-2008-2148",
          "summary": "The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2148"
        },
        {
          "id": "CVE-2008-2358",
          "summary": "Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2358"
        },
        {
          "id": "CVE-2008-2365",
          "summary": "Race condition in the ptrace and utrace support in the Linux kernel 2.6.9 through 2.6.25, as used in Red Hat Enterprise Linux (RHEL) 4, allows local users to cause a denial of service (oops) via a long series of PTRACE_ATTACH ptrace calls to another user's process that trigger a conflict between utrace_detach and report_quiescent, related to \"late ptrace_may_attach() check\" and \"race around &dead_engine_ops setting,\" a different vulnerability than CVE-2007-0771 and CVE-2008-1514.  NOTE: this issue might only affect kernel versions before 2.6.16.x.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2365"
        },
        {
          "id": "CVE-2008-2372",
          "summary": "The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of \"useless newly zeroed pages.\"",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2372"
        },
        {
          "id": "CVE-2008-2544",
          "summary": "Mounting /proc filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2544",
          "detail": "disputed",
          "description": "not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22"
        },
        {
          "id": "CVE-2008-2729",
          "summary": "arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2729"
        },
        {
          "id": "CVE-2008-2750",
          "summary": "The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2750"
        },
        {
          "id": "CVE-2008-2812",
          "summary": "The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2812"
        },
        {
          "id": "CVE-2008-2826",
          "summary": "Integer overflow in the sctp_getsockopt_local_addrs_old function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) functionality in the Linux kernel before 2.6.25.9 allows local users to cause a denial of service (resource consumption and system outage) via vectors involving a large addr_num field in an sctp_getaddrs_old data structure.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2826"
        },
        {
          "id": "CVE-2008-2931",
          "summary": "The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2931"
        },
        {
          "id": "CVE-2008-2944",
          "summary": "Double free vulnerability in the utrace support in the Linux kernel, probably 2.6.18, in Red Hat Enterprise Linux (RHEL) 5 and Fedora Core 6 (FC6) allows local users to cause a denial of service (oops), as demonstrated by a crash when running the GNU GDB testsuite, a different vulnerability than CVE-2008-2365.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-2944"
        },
        {
          "id": "CVE-2008-3077",
          "summary": "arch/x86/kernel/ptrace.c in the Linux kernel before 2.6.25.10 on the x86_64 platform leaks task_struct references into the sys32_ptrace function, which allows local users to cause a denial of service (system crash) or have unspecified other impact via unknown vectors, possibly a use-after-free vulnerability.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3077"
        },
        {
          "id": "CVE-2008-3247",
          "summary": "The LDT implementation in the Linux kernel 2.6.25.x before 2.6.25.11 on x86_64 platforms uses an incorrect size for ldt_desc, which allows local users to cause a denial of service (system crash) or possibly gain privileges via unspecified vectors.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3247"
        },
        {
          "id": "CVE-2008-3272",
          "summary": "The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3272"
        },
        {
          "id": "CVE-2008-3275",
          "summary": "The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel before 2.6.25.15 do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service (\"overflow\" of the UBIFS orphan area) via a series of attempted file creations within deleted directories.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3275"
        },
        {
          "id": "CVE-2008-3276",
          "summary": "Integer overflow in the dccp_setsockopt_change function in net/dccp/proto.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.17-rc1 through 2.6.26.2 allows remote attackers to cause a denial of service (panic) via a crafted integer value, related to Change L and Change R options without at least one byte in the dccpsf_val field.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3276"
        },
        {
          "id": "CVE-2008-3496",
          "summary": "Buffer overflow in format descriptor parsing in the uvc_parse_format function in drivers/media/video/uvc/uvc_driver.c in uvcvideo in the video4linux (V4L) implementation in the Linux kernel before 2.6.26.1 has unknown impact and attack vectors.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3496"
        },
        {
          "id": "CVE-2008-3525",
          "summary": "The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem in the Linux kernel 2.6.26.3 does not check for the CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS, (2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE ioctl request, which allows local users to bypass intended capability restrictions.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3525"
        },
        {
          "id": "CVE-2008-3526",
          "summary": "Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3526"
        },
        {
          "id": "CVE-2008-3527",
          "summary": "arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3527"
        },
        {
          "id": "CVE-2008-3528",
          "summary": "The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations.  NOTE: there are limited scenarios in which this crosses privilege boundaries.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3528"
        },
        {
          "id": "CVE-2008-3534",
          "summary": "The shmem_delete_inode function in mm/shmem.c in the tmpfs implementation in the Linux kernel before 2.6.26.1 allows local users to cause a denial of service (system crash) via a certain sequence of file create, remove, and overwrite operations, as demonstrated by the insserv program, related to allocation of \"useless pages\" and improper maintenance of the i_blocks count.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3534"
        },
        {
          "id": "CVE-2008-3535",
          "summary": "Off-by-one error in the iov_iter_advance function in mm/filemap.c in the Linux kernel before 2.6.27-rc2 allows local users to cause a denial of service (system crash) via a certain sequence of file I/O operations with readv and writev, as demonstrated by testcases/kernel/fs/ftest/ftest03 from the Linux Test Project.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3535"
        },
        {
          "id": "CVE-2008-3686",
          "summary": "The rt6_fill_node function in net/ipv6/route.c in Linux kernel 2.6.26-rc4, 2.6.26.2, and possibly other 2.6.26 versions, allows local users to cause a denial of service (kernel OOPS) via IPv6 requests when no IPv6 input device is in use, which triggers a NULL pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3686"
        },
        {
          "id": "CVE-2008-3792",
          "summary": "net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4 does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to cause a denial of service (NULL pointer dereference and panic) via vectors that result in calls to (1) sctp_setsockopt_auth_chunk, (2) sctp_setsockopt_hmac_ident, (3) sctp_setsockopt_auth_key, (4) sctp_setsockopt_active_key, (5) sctp_setsockopt_del_key, (6) sctp_getsockopt_maxburst, (7) sctp_getsockopt_active_key, (8) sctp_getsockopt_peer_auth_chunks, or (9) sctp_getsockopt_local_auth_chunks.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3792"
        },
        {
          "id": "CVE-2008-3831",
          "summary": "The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3831"
        },
        {
          "id": "CVE-2008-3833",
          "summary": "The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3833"
        },
        {
          "id": "CVE-2008-3911",
          "summary": "The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from userspace, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3911"
        },
        {
          "id": "CVE-2008-3915",
          "summary": "Buffer overflow in nfsd in the Linux kernel before 2.6.26.4, when NFSv4 is enabled, allows remote attackers to have an unknown impact via vectors related to decoding an NFSv4 acl.",
          "scorev2": "9.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3915"
        },
        {
          "id": "CVE-2008-4113",
          "summary": "The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4113"
        },
        {
          "id": "CVE-2008-4210",
          "summary": "fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4210"
        },
        {
          "id": "CVE-2008-4302",
          "summary": "fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4302"
        },
        {
          "id": "CVE-2008-4307",
          "summary": "Race condition in the do_setlk function in fs/nfs/file.c in the Linux kernel before 2.6.26 allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4307"
        },
        {
          "id": "CVE-2008-4395",
          "summary": "Multiple buffer overflows in the ndiswrapper module 1.53 for the Linux kernel 2.6 allow remote attackers to execute arbitrary code by sending packets over a local wireless network that specify long ESSIDs.",
          "scorev2": "8.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4395"
        },
        {
          "id": "CVE-2008-4410",
          "summary": "The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4410"
        },
        {
          "id": "CVE-2008-4445",
          "summary": "The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4445"
        },
        {
          "id": "CVE-2008-4554",
          "summary": "The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4554"
        },
        {
          "id": "CVE-2008-4576",
          "summary": "sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4576"
        },
        {
          "id": "CVE-2008-4609",
          "summary": "The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4609",
          "detail": "ignored",
          "description": "describes design flaws in TCP"
        },
        {
          "id": "CVE-2008-4618",
          "summary": "The Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length, which allows attackers to cause a denial of service (panic) via unspecified vectors, related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4618"
        },
        {
          "id": "CVE-2008-4933",
          "summary": "Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4933"
        },
        {
          "id": "CVE-2008-4934",
          "summary": "The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-4934"
        },
        {
          "id": "CVE-2008-5025",
          "summary": "Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5025"
        },
        {
          "id": "CVE-2008-5029",
          "summary": "The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5029"
        },
        {
          "id": "CVE-2008-5033",
          "summary": "The chip_command function in drivers/media/video/tvaudio.c in the Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7, and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of service (NULL function pointer dereference and OOPS) via unknown vectors.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5033"
        },
        {
          "id": "CVE-2008-5079",
          "summary": "net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5079"
        },
        {
          "id": "CVE-2008-5134",
          "summary": "Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an \"invalid beacon/probe response.\"",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5134"
        },
        {
          "id": "CVE-2008-5182",
          "summary": "The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5182"
        },
        {
          "id": "CVE-2008-5300",
          "summary": "Linux kernel 2.6.28 allows local users to cause a denial of service (\"soft lockup\" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5300"
        },
        {
          "id": "CVE-2008-5395",
          "summary": "The parisc_show_stack function in arch/parisc/kernel/traps.c in the Linux kernel before 2.6.28-rc7 on PA-RISC allows local users to cause a denial of service (system crash) via vectors associated with an attempt to unwind a stack that contains userspace addresses.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5395"
        },
        {
          "id": "CVE-2008-5700",
          "summary": "libata in the Linux kernel before 2.6.27.9 does not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5700"
        },
        {
          "id": "CVE-2008-5701",
          "summary": "Array index error in arch/mips/kernel/scall64-o32.S in the Linux kernel before 2.6.28-rc8 on 64-bit MIPS platforms allows local users to cause a denial of service (system crash) via an o32 syscall with a small syscall number, which leads to an attempted read operation outside the bounds of the syscall table.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5701"
        },
        {
          "id": "CVE-2008-5702",
          "summary": "Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5702"
        },
        {
          "id": "CVE-2008-5713",
          "summary": "The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in UDP_STREAM mode.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5713"
        },
        {
          "id": "CVE-2008-6107",
          "summary": "The (1) sys32_mremap function in arch/sparc64/kernel/sys_sparc32.c, the (2) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c, and the (3) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel before 2.6.25.4, omit some virtual-address range (aka span) checks when the mremap MREMAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mremap calls, a related issue to CVE-2008-2137.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-6107"
        },
        {
          "id": "CVE-2008-7256",
          "summary": "mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7256"
        },
        {
          "id": "CVE-2008-7316",
          "summary": "mm/filemap.c in the Linux kernel before 2.6.25 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers an iovec of zero length, followed by a page fault for an iovec of nonzero length.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-7316"
        },
        {
          "id": "CVE-2009-0024",
          "summary": "The sys_remap_file_pages function in mm/fremap.c in the Linux kernel before 2.6.24.1 allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm_file structure member, and the mmap_region and do_munmap functions.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0024"
        },
        {
          "id": "CVE-2009-0028",
          "summary": "The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0028"
        },
        {
          "id": "CVE-2009-0029",
          "summary": "The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0029"
        },
        {
          "id": "CVE-2009-0031",
          "summary": "Memory leak in the keyctl_join_session_keyring function (security/keys/keyctl.c) in Linux kernel 2.6.29-rc2 and earlier allows local users to cause a denial of service (kernel memory consumption) via unknown vectors related to a \"missing kfree.\"",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0031"
        },
        {
          "id": "CVE-2009-0065",
          "summary": "Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0065"
        },
        {
          "id": "CVE-2009-0269",
          "summary": "fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0269"
        },
        {
          "id": "CVE-2009-0322",
          "summary": "drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and 2.6.28.x before 2.6.28.2, allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0322"
        },
        {
          "id": "CVE-2009-0605",
          "summary": "Stack consumption vulnerability in the do_page_fault function in arch/x86/mm/fault.c in the Linux kernel before 2.6.28.5 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via unspecified vectors that trigger page faults on a machine that has a registered Kprobes probe.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0605"
        },
        {
          "id": "CVE-2009-0675",
          "summary": "The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel before 2.6.28.6 permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an \"inverted logic\" issue.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0675"
        },
        {
          "id": "CVE-2009-0676",
          "summary": "The sock_getsockopt function in net/core/sock.c in the Linux kernel before 2.6.28.6 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0676"
        },
        {
          "id": "CVE-2009-0745",
          "summary": "The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not properly initialize the group descriptor during a resize (aka resize2fs) operation, which might allow local users to cause a denial of service (OOPS) by arranging for crafted values to be present in available memory.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0745"
        },
        {
          "id": "CVE-2009-0746",
          "summary": "The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate a certain rec_len field, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0746"
        },
        {
          "id": "CVE-2009-0747",
          "summary": "The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0747"
        },
        {
          "id": "CVE-2009-0748",
          "summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 does not validate the superblock configuration, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) by attempting to mount a crafted ext4 filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0748"
        },
        {
          "id": "CVE-2009-0778",
          "summary": "The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an \"rt_cache leak.\"",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0778"
        },
        {
          "id": "CVE-2009-0787",
          "summary": "The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0787"
        },
        {
          "id": "CVE-2009-0834",
          "summary": "The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0834"
        },
        {
          "id": "CVE-2009-0835",
          "summary": "The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0835"
        },
        {
          "id": "CVE-2009-0859",
          "summary": "The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel before 2.6.28.5, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0859"
        },
        {
          "id": "CVE-2009-0935",
          "summary": "The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6.28 to 2.6.28.2, and 2.6.29-rc3 allows local users to cause a denial of service (OOPS) via a read with an invalid address to an inotify instance, which causes the device's event list mutex to be unlocked twice and prevents proper synchronization of a data structure for the inotify instance.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0935"
        },
        {
          "id": "CVE-2009-1046",
          "summary": "The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an \"off-by-two memory error.\" NOTE: it is not clear whether this issue crosses privilege boundaries.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1046"
        },
        {
          "id": "CVE-2009-1072",
          "summary": "nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1072"
        },
        {
          "id": "CVE-2009-1184",
          "summary": "The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic.  NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1184"
        },
        {
          "id": "CVE-2009-1192",
          "summary": "The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1192"
        },
        {
          "id": "CVE-2009-1242",
          "summary": "The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel before 2.6.29.1 on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka \"Long mode enable\") bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1242"
        },
        {
          "id": "CVE-2009-1243",
          "summary": "net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocking step in certain incorrect circumstances, which allows local users to cause a denial of service (panic) by reading zero bytes from the /proc/net/udp file and unspecified other files, related to the \"udp seq_file infrastructure.\"",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1243"
        },
        {
          "id": "CVE-2009-1265",
          "summary": "Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes \"garbage\" memory to be sent.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1265"
        },
        {
          "id": "CVE-2009-1298",
          "summary": "The ip_frag_reasm function in net/ipv4/ip_fragment.c in the Linux kernel 2.6.32-rc8, and 2.6.29 and later versions before 2.6.32, calls IP_INC_STATS_BH with an incorrect argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and hang) via long IP packets, possibly related to the ip_defrag function.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1298"
        },
        {
          "id": "CVE-2009-1336",
          "summary": "fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly initialize a certain structure member that stores the maximum NFS filename length, which allows local users to cause a denial of service (OOPS) via a long filename, related to the encode_lookup function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1336"
        },
        {
          "id": "CVE-2009-1337",
          "summary": "The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1337"
        },
        {
          "id": "CVE-2009-1338",
          "summary": "The kill_something_info function in kernel/signal.c in the Linux kernel before 2.6.28 does not consider PID namespaces when processing signals directed to PID -1, which allows local users to bypass the intended namespace isolation, and send arbitrary signals to all processes in all namespaces, via a kill command.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1338"
        },
        {
          "id": "CVE-2009-1360",
          "summary": "The __inet6_check_established function in net/ipv6/inet6_hashtables.c in the Linux kernel before 2.6.29, when Network Namespace Support (aka NET_NS) is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via vectors involving IPv6 packets.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1360"
        },
        {
          "id": "CVE-2009-1385",
          "summary": "Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1385"
        },
        {
          "id": "CVE-2009-1388",
          "summary": "The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1388"
        },
        {
          "id": "CVE-2009-1389",
          "summary": "Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1389"
        },
        {
          "id": "CVE-2009-1439",
          "summary": "Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1439"
        },
        {
          "id": "CVE-2009-1527",
          "summary": "Race condition in the ptrace_attach function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 allows local users to gain privileges via a PTRACE_ATTACH ptrace call during an exec system call that is launching a setuid application, related to locking an incorrect cred_exec_mutex object.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1527"
        },
        {
          "id": "CVE-2009-1630",
          "summary": "The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1630"
        },
        {
          "id": "CVE-2009-1633",
          "summary": "Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1633"
        },
        {
          "id": "CVE-2009-1883",
          "summary": "The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1883"
        },
        {
          "id": "CVE-2009-1895",
          "summary": "The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1895"
        },
        {
          "id": "CVE-2009-1897",
          "summary": "The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1897"
        },
        {
          "id": "CVE-2009-1914",
          "summary": "The pci_register_iommu_region function in arch/sparc/kernel/pci_common.c in the Linux kernel before 2.6.29 on the sparc64 platform allows local users to cause a denial of service (system crash) by reading the /proc/iomem file, related to uninitialized pointers and the request_resource function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1914"
        },
        {
          "id": "CVE-2009-1961",
          "summary": "The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1961"
        },
        {
          "id": "CVE-2009-2287",
          "summary": "The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2287"
        },
        {
          "id": "CVE-2009-2406",
          "summary": "Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2406"
        },
        {
          "id": "CVE-2009-2407",
          "summary": "Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2407"
        },
        {
          "id": "CVE-2009-2584",
          "summary": "Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which triggers a stack-based buffer overflow.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2584"
        },
        {
          "id": "CVE-2009-2691",
          "summary": "The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30.4 and earlier allows local users to read (1) maps and (2) smaps files under proc/ via vectors related to ELF loading, a setuid process, and a race condition.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2691"
        },
        {
          "id": "CVE-2009-2692",
          "summary": "The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2692"
        },
        {
          "id": "CVE-2009-2695",
          "summary": "The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2695"
        },
        {
          "id": "CVE-2009-2698",
          "summary": "The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2698"
        },
        {
          "id": "CVE-2009-2767",
          "summary": "The init_posix_timers function in kernel/posix-timers.c in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (OOPS) or possibly gain privileges via a CLOCK_MONOTONIC_RAW clock_nanosleep call that triggers a NULL pointer dereference.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2767"
        },
        {
          "id": "CVE-2009-2768",
          "summary": "The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an \"uninitialized cred pointer.\"",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2768"
        },
        {
          "id": "CVE-2009-2844",
          "summary": "cfg80211 in net/wireless/scan.c in the Linux kernel 2.6.30-rc1 and other versions before 2.6.31-rc6 allows remote attackers to cause a denial of service (crash) via a sequence of beacon frames in which one frame omits an SSID Information Element (IE) and the subsequent frame contains an SSID IE, which triggers a NULL pointer dereference in the cmp_ies function.  NOTE: a potential weakness in the is_mesh function was also addressed, but the relevant condition did not exist in the code, so it is not a vulnerability.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2844"
        },
        {
          "id": "CVE-2009-2846",
          "summary": "The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2846"
        },
        {
          "id": "CVE-2009-2847",
          "summary": "The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 through 2.4.37 and 2.6 before 2.6.31-rc5, when running on 64-bit systems, does not clear certain padding bytes from a structure, which allows local users to obtain sensitive information from the kernel stack via the sigaltstack function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2847"
        },
        {
          "id": "CVE-2009-2848",
          "summary": "The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.",
          "scorev2": "5.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2848"
        },
        {
          "id": "CVE-2009-2849",
          "summary": "The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to \"suspend_* sysfs attributes\" and the (1) suspend_lo_store or (2) suspend_hi_store functions.  NOTE: this is only a vulnerability when sysfs is writable by an attacker.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2849"
        },
        {
          "id": "CVE-2009-2903",
          "summary": "Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddp\"N\" device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2903"
        },
        {
          "id": "CVE-2009-2908",
          "summary": "The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a \"negative dentry\" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2908"
        },
        {
          "id": "CVE-2009-2909",
          "summary": "Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2909"
        },
        {
          "id": "CVE-2009-2910",
          "summary": "arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-2910"
        },
        {
          "id": "CVE-2009-3001",
          "summary": "The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3001"
        },
        {
          "id": "CVE-2009-3002",
          "summary": "The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3002"
        },
        {
          "id": "CVE-2009-3043",
          "summary": "The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3043"
        },
        {
          "id": "CVE-2009-3080",
          "summary": "Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3080"
        },
        {
          "id": "CVE-2009-3228",
          "summary": "The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3228"
        },
        {
          "id": "CVE-2009-3234",
          "summary": "Buffer overflow in the perf_copy_attr function in kernel/perf_counter.c in the Linux kernel 2.6.31-rc1 allows local users to cause a denial of service (crash) and execute arbitrary code via a \"big size data\" to the perf_counter_open system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3234"
        },
        {
          "id": "CVE-2009-3238",
          "summary": "The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to \"return the same value over and over again for long stretches of time.\"",
          "scorev2": "7.8",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3238"
        },
        {
          "id": "CVE-2009-3280",
          "summary": "Integer signedness error in the find_ie function in net/wireless/scan.c in the cfg80211 subsystem in the Linux kernel before 2.6.31.1-rc1 allows remote attackers to cause a denial of service (soft lockup) via malformed packets.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3280"
        },
        {
          "id": "CVE-2009-3286",
          "summary": "NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3286"
        },
        {
          "id": "CVE-2009-3288",
          "summary": "The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD.  NOTE: this is only exploitable by users who can open the cdrom device.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3288"
        },
        {
          "id": "CVE-2009-3290",
          "summary": "The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified \"random addresses.\"",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3290"
        },
        {
          "id": "CVE-2009-3547",
          "summary": "Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3547"
        },
        {
          "id": "CVE-2009-3556",
          "summary": "A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows local users to make arbitrary changes to SCSI host attributes by modifying these files.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3556"
        },
        {
          "id": "CVE-2009-3612",
          "summary": "The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.  NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3612"
        },
        {
          "id": "CVE-2009-3613",
          "summary": "The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3613"
        },
        {
          "id": "CVE-2009-3620",
          "summary": "The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.",
          "scorev2": "4.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3620"
        },
        {
          "id": "CVE-2009-3621",
          "summary": "net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3621"
        },
        {
          "id": "CVE-2009-3623",
          "summary": "The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an NFSv4 mount request.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3623"
        },
        {
          "id": "CVE-2009-3624",
          "summary": "The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3624"
        },
        {
          "id": "CVE-2009-3638",
          "summary": "Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3638"
        },
        {
          "id": "CVE-2009-3640",
          "summary": "The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc1 does not properly handle the absence of an Advanced Programmable Interrupt Controller (APIC), which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via a call to the kvm_vcpu_ioctl function.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3640"
        },
        {
          "id": "CVE-2009-3722",
          "summary": "The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3722"
        },
        {
          "id": "CVE-2009-3725",
          "summary": "The connector layer in the Linux kernel before 2.6.31.5 does not require the CAP_SYS_ADMIN capability for certain interaction with the (1) uvesafb, (2) pohmelfs, (3) dst, or (4) dm subsystem, which allows local users to bypass intended access restrictions and gain privileges via calls to functions in these subsystems.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3725"
        },
        {
          "id": "CVE-2009-3726",
          "summary": "The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3726"
        },
        {
          "id": "CVE-2009-3888",
          "summary": "The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3888"
        },
        {
          "id": "CVE-2009-3889",
          "summary": "The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3889"
        },
        {
          "id": "CVE-2009-3939",
          "summary": "The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.",
          "scorev2": "6.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3939"
        },
        {
          "id": "CVE-2009-4004",
          "summary": "Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4004"
        },
        {
          "id": "CVE-2009-4005",
          "summary": "The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4005"
        },
        {
          "id": "CVE-2009-4020",
          "summary": "Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4020"
        },
        {
          "id": "CVE-2009-4021",
          "summary": "The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4021"
        },
        {
          "id": "CVE-2009-4026",
          "summary": "The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous \"code shuffling patch.\"",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4026"
        },
        {
          "id": "CVE-2009-4027",
          "summary": "Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4027"
        },
        {
          "id": "CVE-2009-4031",
          "summary": "The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4031"
        },
        {
          "id": "CVE-2009-4067",
          "summary": "Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.",
          "scorev2": "7.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4067"
        },
        {
          "id": "CVE-2009-4131",
          "summary": "The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4131"
        },
        {
          "id": "CVE-2009-4138",
          "summary": "drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4138"
        },
        {
          "id": "CVE-2009-4141",
          "summary": "Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4141"
        },
        {
          "id": "CVE-2009-4271",
          "summary": "The Linux kernel 2.6.9 through 2.6.17 on the x86_64 and amd64 platforms allows local users to cause a denial of service (panic) via a 32-bit application that calls mprotect on its Virtual Dynamic Shared Object (VDSO) page and then triggers a segmentation fault.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4271"
        },
        {
          "id": "CVE-2009-4272",
          "summary": "A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (deadlock) via crafted packets that force collisions in the IPv4 routing hash table, and trigger a routing \"emergency\" in which a hash chain is too long.  NOTE: this is related to an issue in the Linux kernel before 2.6.31, when the kernel routing cache is disabled, involving an uninitialized pointer and a panic.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4272"
        },
        {
          "id": "CVE-2009-4306",
          "summary": "Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel 2.6.32-git6 and earlier allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4306"
        },
        {
          "id": "CVE-2009-4307",
          "summary": "The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4307"
        },
        {
          "id": "CVE-2009-4308",
          "summary": "The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4308"
        },
        {
          "id": "CVE-2009-4410",
          "summary": "The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file.c in the Linux kernel 2.6.29-rc1 through 2.6.30.y uses the wrong variable in an argument to the kunmap function, which allows local users to cause a denial of service (panic) via unknown vectors.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4410"
        },
        {
          "id": "CVE-2009-4536",
          "summary": "drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4536"
        },
        {
          "id": "CVE-2009-4537",
          "summary": "drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4537"
        },
        {
          "id": "CVE-2009-4538",
          "summary": "drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4538"
        },
        {
          "id": "CVE-2009-4895",
          "summary": "Race condition in the tty_fasync function in drivers/char/tty_io.c in the Linux kernel before 2.6.32.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via unknown vectors, related to the put_tty_queue and __f_setown functions.  NOTE: the vulnerability was addressed in a different way in 2.6.32.9.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-4895"
        },
        {
          "id": "CVE-2010-0003",
          "summary": "The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0003"
        },
        {
          "id": "CVE-2010-0006",
          "summary": "The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0006"
        },
        {
          "id": "CVE-2010-0007",
          "summary": "net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0007"
        },
        {
          "id": "CVE-2010-0008",
          "summary": "The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0008"
        },
        {
          "id": "CVE-2010-0291",
          "summary": "The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the \"do_mremap() mess\" or \"mremap/mmap mess.\"",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0291"
        },
        {
          "id": "CVE-2010-0298",
          "summary": "The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.",
          "scorev2": "6.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0298",
          "detail": "fixed-version",
          "description": "2.6.34 (1871c6)"
        },
        {
          "id": "CVE-2010-0307",
          "summary": "The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0307"
        },
        {
          "id": "CVE-2010-0410",
          "summary": "drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0410"
        },
        {
          "id": "CVE-2010-0415",
          "summary": "The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0415"
        },
        {
          "id": "CVE-2010-0437",
          "summary": "The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0437"
        },
        {
          "id": "CVE-2010-0622",
          "summary": "The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0622"
        },
        {
          "id": "CVE-2010-0623",
          "summary": "The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0623"
        },
        {
          "id": "CVE-2010-0727",
          "summary": "The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0727"
        },
        {
          "id": "CVE-2010-0741",
          "summary": "The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0741"
        },
        {
          "id": "CVE-2010-1083",
          "summary": "The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory).",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1083"
        },
        {
          "id": "CVE-2010-1084",
          "summary": "Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1084"
        },
        {
          "id": "CVE-2010-1085",
          "summary": "The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1085"
        },
        {
          "id": "CVE-2010-1086",
          "summary": "The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1086"
        },
        {
          "id": "CVE-2010-1087",
          "summary": "The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1087"
        },
        {
          "id": "CVE-2010-1088",
          "summary": "fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount \"symlinks,\" which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1088"
        },
        {
          "id": "CVE-2010-1146",
          "summary": "The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1146"
        },
        {
          "id": "CVE-2010-1148",
          "summary": "The cifs_create function in fs/cifs/dir.c in the Linux kernel 2.6.33.2 and earlier allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1148"
        },
        {
          "id": "CVE-2010-1162",
          "summary": "The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1162"
        },
        {
          "id": "CVE-2010-1173",
          "summary": "The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1173"
        },
        {
          "id": "CVE-2010-1187",
          "summary": "The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1187"
        },
        {
          "id": "CVE-2010-1188",
          "summary": "Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1188"
        },
        {
          "id": "CVE-2010-1436",
          "summary": "gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1436"
        },
        {
          "id": "CVE-2010-1437",
          "summary": "Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1437"
        },
        {
          "id": "CVE-2010-1446",
          "summary": "arch/powerpc/mm/fsl_booke_mmu.c in KGDB in the Linux kernel 2.6.30 and other versions before 2.6.33, when running on PowerPC, does not properly perform a security check for access to a kernel page, which allows local users to overwrite arbitrary kernel memory, related to Fsl booke.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1446"
        },
        {
          "id": "CVE-2010-1451",
          "summary": "The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the Linux kernel before 2.6.33 on the SPARC platform does not properly obtain the value of a certain _PAGE_EXEC_4U bit and consequently does not properly implement a non-executable stack, which makes it easier for context-dependent attackers to exploit stack-based buffer overflows via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1451"
        },
        {
          "id": "CVE-2010-1488",
          "summary": "The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1488"
        },
        {
          "id": "CVE-2010-1636",
          "summary": "The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel 2.6.29 through 2.6.32, and possibly other versions, does not ensure that a cloned file descriptor has been opened for reading, which allows local users to read sensitive information from a write-only file descriptor.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1636"
        },
        {
          "id": "CVE-2010-1641",
          "summary": "The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1641"
        },
        {
          "id": "CVE-2010-1643",
          "summary": "mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1643"
        },
        {
          "id": "CVE-2010-2066",
          "summary": "The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2066"
        },
        {
          "id": "CVE-2010-2071",
          "summary": "The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2071"
        },
        {
          "id": "CVE-2010-2226",
          "summary": "The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2226"
        },
        {
          "id": "CVE-2010-2240",
          "summary": "The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2240"
        },
        {
          "id": "CVE-2010-2243",
          "summary": "A vulnerability exists in kernel/time/clocksource.c in the Linux kernel before 2.6.34 where on non-GENERIC_TIME systems (GENERIC_TIME=n), accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an OOPS.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2243"
        },
        {
          "id": "CVE-2010-2248",
          "summary": "fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2248"
        },
        {
          "id": "CVE-2010-2478",
          "summary": "Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2478"
        },
        {
          "id": "CVE-2010-2492",
          "summary": "Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2492"
        },
        {
          "id": "CVE-2010-2495",
          "summary": "The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2495"
        },
        {
          "id": "CVE-2010-2521",
          "summary": "Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2521"
        },
        {
          "id": "CVE-2010-2524",
          "summary": "The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a \"cache stuffing\" issue and MS-DFS referrals.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2524"
        },
        {
          "id": "CVE-2010-2525",
          "summary": "A flaw was discovered in gfs2 file system\u2019s handling of acls (access control lists). An unprivileged local attacker could exploit this flaw to gain access or execute any file stored in the gfs2 file system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2525"
        },
        {
          "id": "CVE-2010-2537",
          "summary": "The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.",
          "scorev2": "6.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2537"
        },
        {
          "id": "CVE-2010-2538",
          "summary": "Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE ioctl call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2538"
        },
        {
          "id": "CVE-2010-2653",
          "summary": "Race condition in the hvc_close function in drivers/char/hvc_console.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service or possibly have unspecified other impact by closing a Hypervisor Virtual Console device, related to the hvc_open and hvc_remove functions.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2653"
        },
        {
          "id": "CVE-2010-2798",
          "summary": "The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2798"
        },
        {
          "id": "CVE-2010-2803",
          "summary": "The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2803"
        },
        {
          "id": "CVE-2010-2938",
          "summary": "arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when an Intel platform without Extended Page Tables (EPT) functionality is used, accesses VMCS fields without verifying hardware support for these fields, which allows local users to cause a denial of service (host OS crash) by requesting a VMCS dump for a fully virtualized Xen guest.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2938"
        },
        {
          "id": "CVE-2010-2942",
          "summary": "The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2942"
        },
        {
          "id": "CVE-2010-2943",
          "summary": "The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.",
          "scorev2": "6.4",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2943"
        },
        {
          "id": "CVE-2010-2946",
          "summary": "fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users to bypass intended xattr namespace restrictions via an \"os2.\" substring at the beginning of a name.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2946"
        },
        {
          "id": "CVE-2010-2954",
          "summary": "The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2954"
        },
        {
          "id": "CVE-2010-2955",
          "summary": "The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2955"
        },
        {
          "id": "CVE-2010-2959",
          "summary": "Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2959"
        },
        {
          "id": "CVE-2010-2960",
          "summary": "The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2960"
        },
        {
          "id": "CVE-2010-2962",
          "summary": "drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2962"
        },
        {
          "id": "CVE-2010-2963",
          "summary": "drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2963"
        },
        {
          "id": "CVE-2010-3015",
          "summary": "Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3015"
        },
        {
          "id": "CVE-2010-3066",
          "summary": "The io_submit_one function in fs/aio.c in the Linux kernel before 2.6.23 allows local users to cause a denial of service (NULL pointer dereference) via a crafted io_submit system call with an IOCB_FLAG_RESFD flag.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3066"
        },
        {
          "id": "CVE-2010-3067",
          "summary": "Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3067"
        },
        {
          "id": "CVE-2010-3078",
          "summary": "The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3078"
        },
        {
          "id": "CVE-2010-3079",
          "summary": "kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3079"
        },
        {
          "id": "CVE-2010-3080",
          "summary": "Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3080"
        },
        {
          "id": "CVE-2010-3081",
          "summary": "The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a \"stack pointer underflow\" issue, as exploited in the wild in September 2010.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3081"
        },
        {
          "id": "CVE-2010-3084",
          "summary": "Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3084"
        },
        {
          "id": "CVE-2010-3086",
          "summary": "include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3086"
        },
        {
          "id": "CVE-2010-3296",
          "summary": "The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3296"
        },
        {
          "id": "CVE-2010-3297",
          "summary": "The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3297"
        },
        {
          "id": "CVE-2010-3298",
          "summary": "The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3298"
        },
        {
          "id": "CVE-2010-3301",
          "summary": "The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register.  NOTE: this vulnerability exists because of a CVE-2007-4573 regression.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3301"
        },
        {
          "id": "CVE-2010-3310",
          "summary": "Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3310"
        },
        {
          "id": "CVE-2010-3432",
          "summary": "The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3432"
        },
        {
          "id": "CVE-2010-3437",
          "summary": "Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3437"
        },
        {
          "id": "CVE-2010-3442",
          "summary": "Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3442"
        },
        {
          "id": "CVE-2010-3448",
          "summary": "drivers/platform/x86/thinkpad_acpi.c in the Linux kernel before 2.6.34 on ThinkPad devices, when the X.Org X server is used, does not properly restrict access to the video output control state, which allows local users to cause a denial of service (system hang) via a (1) read or (2) write operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3448"
        },
        {
          "id": "CVE-2010-3477",
          "summary": "The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3477"
        },
        {
          "id": "CVE-2010-3698",
          "summary": "The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3698"
        },
        {
          "id": "CVE-2010-3705",
          "summary": "The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.",
          "scorev2": "8.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3705"
        },
        {
          "id": "CVE-2010-3848",
          "summary": "Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to gain privileges by providing a large number of iovec structures.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3848"
        },
        {
          "id": "CVE-2010-3849",
          "summary": "The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an econet address is configured, allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3849"
        },
        {
          "id": "CVE-2010-3850",
          "summary": "The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3850"
        },
        {
          "id": "CVE-2010-3858",
          "summary": "The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3858"
        },
        {
          "id": "CVE-2010-3859",
          "summary": "Multiple integer signedness errors in the TIPC implementation in the Linux kernel before 2.6.36.2 allow local users to gain privileges via a crafted sendmsg call that triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3859"
        },
        {
          "id": "CVE-2010-3861",
          "summary": "The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3861"
        },
        {
          "id": "CVE-2010-3865",
          "summary": "Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3865"
        },
        {
          "id": "CVE-2010-3873",
          "summary": "The X.25 implementation in the Linux kernel before 2.6.36.2 does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed (1) X25_FAC_CALLING_AE or (2) X25_FAC_CALLED_AE data, related to net/x25/x25_facilities.c and net/x25/x25_in.c, a different vulnerability than CVE-2010-4164.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3873"
        },
        {
          "id": "CVE-2010-3874",
          "summary": "Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3874"
        },
        {
          "id": "CVE-2010-3875",
          "summary": "The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3875"
        },
        {
          "id": "CVE-2010-3876",
          "summary": "net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3876"
        },
        {
          "id": "CVE-2010-3877",
          "summary": "The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3877"
        },
        {
          "id": "CVE-2010-3880",
          "summary": "net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3880"
        },
        {
          "id": "CVE-2010-3881",
          "summary": "arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3881"
        },
        {
          "id": "CVE-2010-3904",
          "summary": "The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3904"
        },
        {
          "id": "CVE-2010-4072",
          "summary": "The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the \"old shm interface.\"",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4072"
        },
        {
          "id": "CVE-2010-4073",
          "summary": "The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4073"
        },
        {
          "id": "CVE-2010-4074",
          "summary": "The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4074"
        },
        {
          "id": "CVE-2010-4075",
          "summary": "The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4075"
        },
        {
          "id": "CVE-2010-4076",
          "summary": "The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4076"
        },
        {
          "id": "CVE-2010-4077",
          "summary": "The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4077"
        },
        {
          "id": "CVE-2010-4078",
          "summary": "The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4078"
        },
        {
          "id": "CVE-2010-4079",
          "summary": "The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4079"
        },
        {
          "id": "CVE-2010-4080",
          "summary": "The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4080"
        },
        {
          "id": "CVE-2010-4081",
          "summary": "The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4081"
        },
        {
          "id": "CVE-2010-4082",
          "summary": "The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4082"
        },
        {
          "id": "CVE-2010-4083",
          "summary": "The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4083"
        },
        {
          "id": "CVE-2010-4157",
          "summary": "Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4157"
        },
        {
          "id": "CVE-2010-4158",
          "summary": "The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4158"
        },
        {
          "id": "CVE-2010-4160",
          "summary": "Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic) or possibly gain privileges via a crafted sendto call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4160"
        },
        {
          "id": "CVE-2010-4161",
          "summary": "The udp_queue_rcv_skb function in net/ipv4/udp.c in a certain Red Hat build of the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows attackers to cause a denial of service (deadlock and system hang) by sending UDP traffic to a socket that has a crafted socket filter, a related issue to CVE-2010-4158.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4161"
        },
        {
          "id": "CVE-2010-4162",
          "summary": "Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4162"
        },
        {
          "id": "CVE-2010-4163",
          "summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4163"
        },
        {
          "id": "CVE-2010-4164",
          "summary": "Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4164"
        },
        {
          "id": "CVE-2010-4165",
          "summary": "The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4165"
        },
        {
          "id": "CVE-2010-4169",
          "summary": "Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors involving an mprotect system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4169"
        },
        {
          "id": "CVE-2010-4175",
          "summary": "Integer overflow in the rds_cmsg_rdma_args function (net/rds/rdma.c) in Linux kernel 2.6.35 allows local users to cause a denial of service (crash) and possibly trigger memory corruption via a crafted Reliable Datagram Sockets (RDS) request, a different vulnerability than CVE-2010-3865.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4175"
        },
        {
          "id": "CVE-2010-4242",
          "summary": "The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel 2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4242"
        },
        {
          "id": "CVE-2010-4243",
          "summary": "fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an \"OOM dodging issue,\" a related issue to CVE-2010-3858.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4243"
        },
        {
          "id": "CVE-2010-4248",
          "summary": "Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4248"
        },
        {
          "id": "CVE-2010-4249",
          "summary": "The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4249"
        },
        {
          "id": "CVE-2010-4250",
          "summary": "Memory leak in the inotify_init1 function in fs/notify/inotify/inotify_user.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory consumption) via vectors involving failed attempts to create files.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4250"
        },
        {
          "id": "CVE-2010-4251",
          "summary": "The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4251"
        },
        {
          "id": "CVE-2010-4256",
          "summary": "The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4256"
        },
        {
          "id": "CVE-2010-4258",
          "summary": "The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4258"
        },
        {
          "id": "CVE-2010-4263",
          "summary": "The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb) subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.",
          "scorev2": "7.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4263"
        },
        {
          "id": "CVE-2010-4342",
          "summary": "The aun_incoming function in net/econet/af_econet.c in the Linux kernel before 2.6.37-rc6, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4342"
        },
        {
          "id": "CVE-2010-4343",
          "summary": "drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4343"
        },
        {
          "id": "CVE-2010-4346",
          "summary": "The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4346"
        },
        {
          "id": "CVE-2010-4347",
          "summary": "The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4347"
        },
        {
          "id": "CVE-2010-4525",
          "summary": "Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_events->interrupt.pad structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via unspecified vectors.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4525"
        },
        {
          "id": "CVE-2010-4526",
          "summary": "Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4526"
        },
        {
          "id": "CVE-2010-4527",
          "summary": "The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel before 2.6.37 incorrectly expects that a certain name field ends with a '\\0' character, which allows local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4527"
        },
        {
          "id": "CVE-2010-4529",
          "summary": "Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel before 2.6.37 on platforms other than x86 allows local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4529"
        },
        {
          "id": "CVE-2010-4563",
          "summary": "The Linux kernel, when using IPv6, allows remote attackers to determine whether a host is sniffing the network by sending an ICMPv6 Echo Request to a multicast address and determining whether an Echo Reply is sent, as demonstrated by thcping.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4563",
          "detail": "ignored",
          "description": "low impact, only enables detection of hosts which are sniffing network traffic"
        },
        {
          "id": "CVE-2010-4565",
          "summary": "The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4565"
        },
        {
          "id": "CVE-2010-4648",
          "summary": "The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/wext.c in the Linux kernel before 2.6.37 does not properly implement a TKIP protection mechanism, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading Wi-Fi frames.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4648"
        },
        {
          "id": "CVE-2010-4649",
          "summary": "Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4649"
        },
        {
          "id": "CVE-2010-4650",
          "summary": "Buffer overflow in the fuse_do_ioctl function in fs/fuse/file.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging the ability to operate a CUSE server.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4650"
        },
        {
          "id": "CVE-2010-4655",
          "summary": "net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability for an ethtool ioctl call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4655"
        },
        {
          "id": "CVE-2010-4656",
          "summary": "The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and consequently cause a denial of service or gain privileges, via a long report.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4656"
        },
        {
          "id": "CVE-2010-4668",
          "summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4668"
        },
        {
          "id": "CVE-2010-4805",
          "summary": "The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4251.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4805"
        },
        {
          "id": "CVE-2010-5313",
          "summary": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5313"
        },
        {
          "id": "CVE-2010-5321",
          "summary": "Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761.  NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.",
          "scorev2": "4.9",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5321"
        },
        {
          "id": "CVE-2010-5328",
          "summary": "include/linux/init_task.h in the Linux kernel before 2.6.35 does not prevent signals with a process group ID of zero from reaching the swapper process, which allows local users to cause a denial of service (system crash) by leveraging access to this process group.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5328"
        },
        {
          "id": "CVE-2010-5329",
          "summary": "The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5329"
        },
        {
          "id": "CVE-2010-5331",
          "summary": "In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem. NOTE: At least one Linux maintainer believes that this CVE is incorrectly assigned and should be rejected because the value is hard coded and are not user-controllable where it is used",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5331"
        },
        {
          "id": "CVE-2010-5332",
          "summary": "In the Linux kernel before 2.6.37, an out of bounds array access happened in drivers/net/mlx4/port.c. When searching for a free entry in either mlx4_register_vlan() or mlx4_register_mac(), and there is no free entry, the loop terminates without updating the local variable free thus causing out of array bounds access.",
          "scorev2": "4.6",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-5332"
        },
        {
          "id": "CVE-2011-0006",
          "summary": "The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0006"
        },
        {
          "id": "CVE-2011-0463",
          "summary": "The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle Cluster File System 2 (OCFS2) subsystem in the Linux kernel before 2.6.39-rc1 does not properly handle holes that cross page boundaries, which allows local users to obtain potentially sensitive information from uninitialized disk locations by reading a file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0463"
        },
        {
          "id": "CVE-2011-0521",
          "summary": "The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0521"
        },
        {
          "id": "CVE-2011-0695",
          "summary": "Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0695"
        },
        {
          "id": "CVE-2011-0699",
          "summary": "Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0699"
        },
        {
          "id": "CVE-2011-0709",
          "summary": "The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0709"
        },
        {
          "id": "CVE-2011-0710",
          "summary": "The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0710"
        },
        {
          "id": "CVE-2011-0711",
          "summary": "The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0711"
        },
        {
          "id": "CVE-2011-0712",
          "summary": "Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0712"
        },
        {
          "id": "CVE-2011-0714",
          "summary": "Use-after-free vulnerability in a certain Red Hat patch for the RPC server sockets functionality in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 might allow remote attackers to cause a denial of service (crash) via malformed data in a packet, related to lockd and the svc_xprt_received function.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0714"
        },
        {
          "id": "CVE-2011-0716",
          "summary": "The br_multicast_add_group function in net/bridge/br_multicast.c in the Linux kernel before 2.6.38, when a certain Ethernet bridge configuration is used, allows local users to cause a denial of service (memory corruption and system crash) by sending IGMP packets to a local interface.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0716"
        },
        {
          "id": "CVE-2011-0726",
          "summary": "The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0726"
        },
        {
          "id": "CVE-2011-0999",
          "summary": "mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-0999"
        },
        {
          "id": "CVE-2011-1010",
          "summary": "Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1010"
        },
        {
          "id": "CVE-2011-1012",
          "summary": "The ldm_parse_vmdb function in fs/partitions/ldm.c in the Linux kernel before 2.6.38-rc6-git6 does not validate the VBLK size value in the VMDB structure in an LDM partition table, which allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted partition table.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1012"
        },
        {
          "id": "CVE-2011-1013",
          "summary": "Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1013"
        },
        {
          "id": "CVE-2011-1016",
          "summary": "The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1016"
        },
        {
          "id": "CVE-2011-1017",
          "summary": "Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1017"
        },
        {
          "id": "CVE-2011-1019",
          "summary": "The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1019"
        },
        {
          "id": "CVE-2011-1020",
          "summary": "The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1020"
        },
        {
          "id": "CVE-2011-1021",
          "summary": "drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1021"
        },
        {
          "id": "CVE-2011-1023",
          "summary": "The Reliable Datagram Sockets (RDS) subsystem in the Linux kernel before 2.6.38 does not properly handle congestion map updates, which allows local users to cause a denial of service (BUG_ON and system crash) via vectors involving (1) a loopback (aka loop) transmit operation or (2) an InfiniBand (aka ib) transmit operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1023"
        },
        {
          "id": "CVE-2011-1044",
          "summary": "The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1044"
        },
        {
          "id": "CVE-2011-1076",
          "summary": "net/dns_resolver/dns_key.c in the Linux kernel before 2.6.38 allows remote DNS servers to cause a denial of service (NULL pointer dereference and OOPS) by not providing a valid response to a DNS query, as demonstrated by an erroneous grand.centrall.org query, which triggers improper handling of error data within a DNS resolver key.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1076"
        },
        {
          "id": "CVE-2011-1078",
          "summary": "The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1078"
        },
        {
          "id": "CVE-2011-1079",
          "summary": "The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1079"
        },
        {
          "id": "CVE-2011-1080",
          "summary": "The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1080"
        },
        {
          "id": "CVE-2011-1082",
          "summary": "fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1082"
        },
        {
          "id": "CVE-2011-1083",
          "summary": "The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1083"
        },
        {
          "id": "CVE-2011-1090",
          "summary": "The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1090"
        },
        {
          "id": "CVE-2011-1093",
          "summary": "The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1093"
        },
        {
          "id": "CVE-2011-1160",
          "summary": "The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1160"
        },
        {
          "id": "CVE-2011-1162",
          "summary": "The tpm_read function in the Linux kernel 2.6 does not properly clear memory, which might allow local users to read the results of the previous TPM command.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1162"
        },
        {
          "id": "CVE-2011-1163",
          "summary": "The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1163"
        },
        {
          "id": "CVE-2011-1169",
          "summary": "Array index error in the asihpi_hpi_ioctl function in sound/pci/asihpi/hpioctl.c in the AudioScience HPI driver in the Linux kernel before 2.6.38.1 might allow local users to cause a denial of service (memory corruption) or possibly gain privileges via a crafted adapter index value that triggers access to an invalid kernel pointer.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1169"
        },
        {
          "id": "CVE-2011-1170",
          "summary": "net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1170"
        },
        {
          "id": "CVE-2011-1171",
          "summary": "net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1171"
        },
        {
          "id": "CVE-2011-1172",
          "summary": "net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1172"
        },
        {
          "id": "CVE-2011-1173",
          "summary": "The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1173"
        },
        {
          "id": "CVE-2011-1180",
          "summary": "Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1180"
        },
        {
          "id": "CVE-2011-1182",
          "summary": "kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1182"
        },
        {
          "id": "CVE-2011-1474",
          "summary": "A locally exploitable DOS vulnerability was found in pax-linux versions 2.6.32.33-test79.patch, 2.6.38-test3.patch, and 2.6.37.4-test14.patch. A bad bounds check in arch_get_unmapped_area_topdown triggered by programs doing an mmap after a MAP_GROWSDOWN mmap will create an infinite loop condition without releasing the VM semaphore eventually leading to a system crash.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1474"
        },
        {
          "id": "CVE-2011-1476",
          "summary": "Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel before 2.6.39 on unspecified non-x86 platforms allows local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1476"
        },
        {
          "id": "CVE-2011-1477",
          "summary": "Multiple array index errors in sound/oss/opl3.c in the Linux kernel before 2.6.39 allow local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1477"
        },
        {
          "id": "CVE-2011-1478",
          "summary": "The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1478"
        },
        {
          "id": "CVE-2011-1479",
          "summary": "Double free vulnerability in the inotify subsystem in the Linux kernel before 2.6.39 allows local users to cause a denial of service (system crash) via vectors involving failed attempts to create files.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-4250.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1479"
        },
        {
          "id": "CVE-2011-1493",
          "summary": "Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1493"
        },
        {
          "id": "CVE-2011-1494",
          "summary": "Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1494"
        },
        {
          "id": "CVE-2011-1495",
          "summary": "drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1495"
        },
        {
          "id": "CVE-2011-1573",
          "summary": "net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1573"
        },
        {
          "id": "CVE-2011-1576",
          "summary": "The Generic Receive Offload (GRO) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux 5 and 2.6.32 on Red Hat Enterprise Linux 6, as used in Red Hat Enterprise Virtualization (RHEV) Hypervisor and other products, allows remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1576"
        },
        {
          "id": "CVE-2011-1577",
          "summary": "Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1577"
        },
        {
          "id": "CVE-2011-1581",
          "summary": "The bond_select_queue function in drivers/net/bonding/bond_main.c in the Linux kernel before 2.6.39, when a network device with a large number of receive queues is installed but the default tx_queues setting is used, does not properly restrict queue indexes, which allows remote attackers to cause a denial of service (BUG and system crash) or possibly have unspecified other impact by sending network traffic.",
          "scorev2": "9.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1581"
        },
        {
          "id": "CVE-2011-1585",
          "summary": "The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly determine the associations between users and sessions, which allows local users to bypass CIFS share authentication by leveraging a mount of a share by a different user.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1585"
        },
        {
          "id": "CVE-2011-1593",
          "summary": "Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1593"
        },
        {
          "id": "CVE-2011-1598",
          "summary": "The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1598"
        },
        {
          "id": "CVE-2011-1745",
          "summary": "Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1745"
        },
        {
          "id": "CVE-2011-1746",
          "summary": "Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1746"
        },
        {
          "id": "CVE-2011-1747",
          "summary": "The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not properly restrict memory allocation by the (1) AGPIOC_RESERVE and (2) AGPIOC_ALLOCATE ioctls, which allows local users to cause a denial of service (memory consumption) by making many calls to these ioctls.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1747"
        },
        {
          "id": "CVE-2011-1748",
          "summary": "The raw_release function in net/can/raw.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1748"
        },
        {
          "id": "CVE-2011-1759",
          "summary": "Integer overflow in the sys_oabi_semtimedop function in arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 2.6.39 on the ARM platform, when CONFIG_OABI_COMPAT is enabled, allows local users to gain privileges or cause a denial of service (heap memory corruption) by providing a crafted argument and leveraging a race condition.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1759"
        },
        {
          "id": "CVE-2011-1767",
          "summary": "net/ipv4/ip_gre.c in the Linux kernel before 2.6.34, when ip_gre is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1767"
        },
        {
          "id": "CVE-2011-1768",
          "summary": "The tunnels implementation in the Linux kernel before 2.6.34, when tunnel functionality is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1768"
        },
        {
          "id": "CVE-2011-1770",
          "summary": "Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggers a buffer over-read.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1770"
        },
        {
          "id": "CVE-2011-1771",
          "summary": "The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.",
          "scorev2": "4.4",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1771"
        },
        {
          "id": "CVE-2011-1776",
          "summary": "The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.",
          "scorev2": "5.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1776"
        },
        {
          "id": "CVE-2011-1833",
          "summary": "Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1833"
        },
        {
          "id": "CVE-2011-1927",
          "summary": "The ip_expire function in net/ipv4/ip_fragment.c in the Linux kernel before 2.6.39 does not properly construct ICMP_TIME_EXCEEDED packets after a timeout, which allows remote attackers to cause a denial of service (invalid pointer dereference) via crafted fragmented packets.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-1927"
        },
        {
          "id": "CVE-2011-2022",
          "summary": "The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2022"
        },
        {
          "id": "CVE-2011-2182",
          "summary": "The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel before 2.6.39.1 does not properly handle memory allocation for non-initial fragments, which might allow local users to conduct buffer overflow attacks, and gain privileges or obtain sensitive information, via a crafted LDM partition table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1017.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2182"
        },
        {
          "id": "CVE-2011-2183",
          "summary": "Race condition in the scan_get_next_rmap_item function in mm/ksm.c in the Linux kernel before 2.6.39.3, when Kernel SamePage Merging (KSM) is enabled, allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted application.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2183"
        },
        {
          "id": "CVE-2011-2184",
          "summary": "The key_replace_session_keyring function in security/keys/process_keys.c in the Linux kernel before 2.6.39.1 does not initialize a certain structure member, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function, a different vulnerability than CVE-2010-2960.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2184"
        },
        {
          "id": "CVE-2011-2189",
          "summary": "net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) via requests to a daemon that requires a separate namespace per connection, as demonstrated by vsftpd.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2189"
        },
        {
          "id": "CVE-2011-2203",
          "summary": "The hfs_find_init function in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2203"
        },
        {
          "id": "CVE-2011-2208",
          "summary": "Integer signedness error in the osf_getdomainname function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2208"
        },
        {
          "id": "CVE-2011-2209",
          "summary": "Integer signedness error in the osf_sysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform allows local users to obtain sensitive information from kernel memory via a crafted call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2209"
        },
        {
          "id": "CVE-2011-2210",
          "summary": "The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform does not properly restrict the data size for GSI_GET_HWRPB operations, which allows local users to obtain sensitive information from kernel memory via a crafted call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2210"
        },
        {
          "id": "CVE-2011-2211",
          "summary": "The osf_wait4 function in arch/alpha/kernel/osf_sys.c in the Linux kernel before 2.6.39.4 on the Alpha platform uses an incorrect pointer, which allows local users to gain privileges by writing a certain integer value to kernel memory.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2211"
        },
        {
          "id": "CVE-2011-2213",
          "summary": "The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2213"
        },
        {
          "id": "CVE-2011-2479",
          "summary": "The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2479"
        },
        {
          "id": "CVE-2011-2482",
          "summary": "A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/socket.c in the Linux kernel before 2.6.21, as used in Red Hat Enterprise Linux (RHEL) 5, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted SCTP packet.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2482"
        },
        {
          "id": "CVE-2011-2484",
          "summary": "The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2484"
        },
        {
          "id": "CVE-2011-2491",
          "summary": "The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2491"
        },
        {
          "id": "CVE-2011-2492",
          "summary": "The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2492"
        },
        {
          "id": "CVE-2011-2493",
          "summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel before 2.6.39 does not properly initialize a certain error-report data structure, which allows local users to cause a denial of service (OOPS) by attempting to mount a crafted ext4 filesystem.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2493"
        },
        {
          "id": "CVE-2011-2494",
          "summary": "kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2494"
        },
        {
          "id": "CVE-2011-2495",
          "summary": "fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2495"
        },
        {
          "id": "CVE-2011-2496",
          "summary": "Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that expands a memory mapping.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2496"
        },
        {
          "id": "CVE-2011-2497",
          "summary": "Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow.",
          "scorev2": "8.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2497"
        },
        {
          "id": "CVE-2011-2498",
          "summary": "The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2498"
        },
        {
          "id": "CVE-2011-2517",
          "summary": "Multiple buffer overflows in net/wireless/nl80211.c in the Linux kernel before 2.6.39.2 allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability during scan operations with a long SSID value.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2517"
        },
        {
          "id": "CVE-2011-2518",
          "summary": "The tomoyo_mount_acl function in security/tomoyo/mount.c in the Linux kernel before 2.6.39.2 calls the kern_path function with arguments taken directly from a mount system call, which allows local users to cause a denial of service (OOPS) or possibly have unspecified other impact via a NULL value for the device name.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2518"
        },
        {
          "id": "CVE-2011-2521",
          "summary": "The x86_assign_hw_event function in arch/x86/kernel/cpu/perf_event.c in the Performance Events subsystem in the Linux kernel before 2.6.39 does not properly calculate counter values, which allows local users to cause a denial of service (panic) via the perf program.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2521"
        },
        {
          "id": "CVE-2011-2525",
          "summary": "The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2525"
        },
        {
          "id": "CVE-2011-2534",
          "summary": "Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39 might allow local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\\0' character.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2534"
        },
        {
          "id": "CVE-2011-2689",
          "summary": "The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2689"
        },
        {
          "id": "CVE-2011-2695",
          "summary": "Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2695"
        },
        {
          "id": "CVE-2011-2699",
          "summary": "The IPv6 implementation in the Linux kernel before 3.1 does not generate Fragment Identification values separately for each destination, which makes it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2699"
        },
        {
          "id": "CVE-2011-2700",
          "summary": "Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2700"
        },
        {
          "id": "CVE-2011-2707",
          "summary": "The ptrace_setxregs function in arch/xtensa/kernel/ptrace.c in the Linux kernel before 3.1 does not validate user-space pointers, which allows local users to obtain sensitive information from kernel memory locations via a crafted PTRACE_SETXTREGS request.",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2707"
        },
        {
          "id": "CVE-2011-2723",
          "summary": "The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2723"
        },
        {
          "id": "CVE-2011-2898",
          "summary": "net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not properly restrict user-space access to certain packet data structures associated with VLAN Tag Control Information, which allows local users to obtain potentially sensitive information via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2898"
        },
        {
          "id": "CVE-2011-2905",
          "summary": "Untrusted search path vulnerability in the perf_config function in tools/perf/util/config.c in perf, as distributed in the Linux kernel before 3.1, allows local users to overwrite arbitrary files via a crafted config file in the current working directory.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2905"
        },
        {
          "id": "CVE-2011-2906",
          "summary": "Integer signedness error in the pmcraid_ioctl_passthrough function in drivers/scsi/pmcraid.c in the Linux kernel before 3.1 might allow local users to cause a denial of service (memory consumption or memory corruption) via a negative size value in an ioctl call. NOTE: this may be a vulnerability only in unusual environments that provide a privileged program for obtaining the required file descriptor.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2906"
        },
        {
          "id": "CVE-2011-2909",
          "summary": "The do_devinfo_ioctl function in drivers/staging/comedi/comedi_fops.c in the Linux kernel before 3.1 allows local users to obtain sensitive information from kernel memory via a copy of a short string.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2909"
        },
        {
          "id": "CVE-2011-2918",
          "summary": "The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service (system hang) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2918"
        },
        {
          "id": "CVE-2011-2928",
          "summary": "The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel before 3.1-rc3 does not validate the length attribute of long symlinks, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2928"
        },
        {
          "id": "CVE-2011-2942",
          "summary": "A certain Red Hat patch to the __br_deliver function in net/bridge/br_forward.c in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging connectivity to a network interface that uses an Ethernet bridge device.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2942"
        },
        {
          "id": "CVE-2011-3188",
          "summary": "The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.",
          "scorev2": "6.4",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3188"
        },
        {
          "id": "CVE-2011-3191",
          "summary": "Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory.",
          "scorev2": "8.3",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3191"
        },
        {
          "id": "CVE-2011-3209",
          "summary": "The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel before 2.6.26 on the x86 platform allows local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3209"
        },
        {
          "id": "CVE-2011-3353",
          "summary": "Buffer overflow in the fuse_notify_inval_entry function in fs/fuse/dev.c in the Linux kernel before 3.1 allows local users to cause a denial of service (BUG_ON and system crash) by leveraging the ability to mount a FUSE filesystem.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3353"
        },
        {
          "id": "CVE-2011-3359",
          "summary": "The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3359"
        },
        {
          "id": "CVE-2011-3363",
          "summary": "The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel before 2.6.39 does not properly handle DFS referrals, which allows remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.",
          "scorev2": "6.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3363"
        },
        {
          "id": "CVE-2011-3593",
          "summary": "A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3593"
        },
        {
          "id": "CVE-2011-3619",
          "summary": "The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 3.0 does not properly handle invalid parameters, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by writing to a /proc/#####/attr/current file.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3619"
        },
        {
          "id": "CVE-2011-3637",
          "summary": "The m_stop function in fs/proc/task_mmu.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (OOPS) via vectors that trigger an m_start error.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3637"
        },
        {
          "id": "CVE-2011-3638",
          "summary": "fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3638"
        },
        {
          "id": "CVE-2011-4077",
          "summary": "Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel 2.6, when CONFIG_XFS_DEBUG is disabled, allows local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4077"
        },
        {
          "id": "CVE-2011-4080",
          "summary": "The sysrq_sysctl_handler function in kernel/sysctl.c in the Linux kernel before 2.6.39 does not require the CAP_SYS_ADMIN capability to modify the dmesg_restrict value, which allows local users to bypass intended access restrictions and read the kernel ring buffer by leveraging root privileges, as demonstrated by a root user in a Linux Containers (aka LXC) environment.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4080"
        },
        {
          "id": "CVE-2011-4081",
          "summary": "crypto/ghash-generic.c in the Linux kernel before 3.1 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by triggering a failed or missing ghash_setkey function call, followed by a (1) ghash_update function call or (2) ghash_final function call, as demonstrated by a write operation on an AF_ALG socket.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4081"
        },
        {
          "id": "CVE-2011-4086",
          "summary": "The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4086"
        },
        {
          "id": "CVE-2011-4087",
          "summary": "The br_parse_ip_options function in net/bridge/br_netfilter.c in the Linux kernel before 2.6.39 does not properly initialize a certain data structure, which allows remote attackers to cause a denial of service by leveraging connectivity to a network interface that uses an Ethernet bridge device.",
          "scorev2": "4.3",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4087"
        },
        {
          "id": "CVE-2011-4097",
          "summary": "Integer overflow in the oom_badness function in mm/oom_kill.c in the Linux kernel before 3.1.8 on 64-bit platforms allows local users to cause a denial of service (memory consumption or process termination) by using a certain large amount of memory.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4097"
        },
        {
          "id": "CVE-2011-4098",
          "summary": "The fallocate implementation in the GFS2 filesystem in the Linux kernel before 3.2 relies on the page cache, which might allow local users to cause a denial of service by preallocating blocks in certain situations involving insufficient memory.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4098"
        },
        {
          "id": "CVE-2011-4110",
          "summary": "The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and \"updating a negative key into a fully instantiated key.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4110"
        },
        {
          "id": "CVE-2011-4112",
          "summary": "The net subsystem in the Linux kernel before 3.1 does not properly restrict use of the IFF_TX_SKB_SHARING flag, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability to access /proc/net/pktgen/pgctrl, and then using the pktgen package in conjunction with a bridge device for a VLAN interface.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4112"
        },
        {
          "id": "CVE-2011-4127",
          "summary": "The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4127"
        },
        {
          "id": "CVE-2011-4131",
          "summary": "The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4131"
        },
        {
          "id": "CVE-2011-4132",
          "summary": "The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allows local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an \"invalid log first block value.\"",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4132"
        },
        {
          "id": "CVE-2011-4324",
          "summary": "The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel before 2.6.29 allows local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4324"
        },
        {
          "id": "CVE-2011-4325",
          "summary": "The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain functions without properly initializing certain data, which allows local users to cause a denial of service (NULL pointer dereference and O_DIRECT oops), as demonstrated using diotest4 from LTP.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4325"
        },
        {
          "id": "CVE-2011-4326",
          "summary": "The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4326"
        },
        {
          "id": "CVE-2011-4330",
          "summary": "Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4330"
        },
        {
          "id": "CVE-2011-4347",
          "summary": "The kvm_vm_ioctl_assign_device function in virt/kvm/assigned-dev.c in the KVM subsystem in the Linux kernel before 3.1.10 does not verify permission to access PCI configuration space and BAR resources, which allows host OS users to assign PCI devices and cause a denial of service (host OS crash) via a KVM_ASSIGN_PCI_DEVICE operation.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4347"
        },
        {
          "id": "CVE-2011-4348",
          "summary": "Race condition in the sctp_rcv function in net/sctp/input.c in the Linux kernel before 2.6.29 allows remote attackers to cause a denial of service (system hang) via SCTP packets.  NOTE: in some environments, this issue exists because of an incomplete fix for CVE-2011-2482.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4348"
        },
        {
          "id": "CVE-2011-4594",
          "summary": "The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4594"
        },
        {
          "id": "CVE-2011-4604",
          "summary": "The bat_socket_read function in net/batman-adv/icmp_socket.c in the Linux kernel before 3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted batman-adv ICMP packet.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4604"
        },
        {
          "id": "CVE-2011-4611",
          "summary": "Integer overflow in the perf_event_interrupt function in arch/powerpc/kernel/perf_event.c in the Linux kernel before 2.6.39 on powerpc platforms allows local users to cause a denial of service (unhandled performance monitor exception) via vectors that trigger certain outcomes of performance events.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4611"
        },
        {
          "id": "CVE-2011-4621",
          "summary": "The Linux kernel before 2.6.37 does not properly implement a certain clock-update optimization, which allows local users to cause a denial of service (system hang) via an application that executes code in a loop.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4621"
        },
        {
          "id": "CVE-2011-4913",
          "summary": "The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4913"
        },
        {
          "id": "CVE-2011-4914",
          "summary": "The ROSE protocol implementation in the Linux kernel before 2.6.39 does not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4914"
        },
        {
          "id": "CVE-2011-4915",
          "summary": "fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4915"
        },
        {
          "id": "CVE-2011-4916",
          "summary": "Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /dev/pts/ and /dev/tty*.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4916"
        },
        {
          "id": "CVE-2011-4917",
          "summary": "In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-4917"
        },
        {
          "id": "CVE-2011-5321",
          "summary": "The tty_open function in drivers/tty/tty_io.c in the Linux kernel before 3.1.1 mishandles a driver-lookup failure, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted access to a device file under the /dev/pts directory.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5321"
        },
        {
          "id": "CVE-2011-5327",
          "summary": "In the Linux kernel before 3.1, an off by one in the drivers/target/loopback/tcm_loop.c tcm_loop_make_naa_tpg() function could result in at least memory corruption.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-5327"
        },
        {
          "id": "CVE-2012-0028",
          "summary": "The robust futex implementation in the Linux kernel before 2.6.28 does not properly handle processes that make exec system calls, which allows local users to cause a denial of service or possibly gain privileges by writing to a memory location in a child process.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0028"
        },
        {
          "id": "CVE-2012-0038",
          "summary": "Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0038"
        },
        {
          "id": "CVE-2012-0044",
          "summary": "Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0044"
        },
        {
          "id": "CVE-2012-0045",
          "summary": "The em_syscall function in arch/x86/kvm/emulate.c in the KVM implementation in the Linux kernel before 3.2.14 does not properly handle the 0f05 (aka syscall) opcode, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application, as demonstrated by an NASM file.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0045"
        },
        {
          "id": "CVE-2012-0055",
          "summary": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0055"
        },
        {
          "id": "CVE-2012-0056",
          "summary": "The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0056"
        },
        {
          "id": "CVE-2012-0058",
          "summary": "The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0058"
        },
        {
          "id": "CVE-2012-0207",
          "summary": "The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0207"
        },
        {
          "id": "CVE-2012-0810",
          "summary": "The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0810"
        },
        {
          "id": "CVE-2012-0879",
          "summary": "The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0879"
        },
        {
          "id": "CVE-2012-0957",
          "summary": "The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-0957"
        },
        {
          "id": "CVE-2012-1090",
          "summary": "The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3.2.10 allows local users to cause a denial of service (OOPS) via attempted access to a special file, as demonstrated by a FIFO.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1090"
        },
        {
          "id": "CVE-2012-1097",
          "summary": "The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get and .set methods, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a (1) PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1097"
        },
        {
          "id": "CVE-2012-1146",
          "summary": "The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1146"
        },
        {
          "id": "CVE-2012-1179",
          "summary": "The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1179"
        },
        {
          "id": "CVE-2012-1583",
          "summary": "Double free vulnerability in the xfrm6_tunnel_rcv function in net/ipv6/xfrm6_tunnel.c in the Linux kernel before 2.6.22, when the xfrm6_tunnel module is enabled, allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1583"
        },
        {
          "id": "CVE-2012-1601",
          "summary": "The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-1601"
        },
        {
          "id": "CVE-2012-2100",
          "summary": "The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).  NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4307.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2100"
        },
        {
          "id": "CVE-2012-2119",
          "summary": "Buffer overflow in the macvtap device driver in the Linux kernel before 3.4.5, when running in certain configurations, allows privileged KVM guest users to cause a denial of service (crash) via a long descriptor with a long vector length.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2119"
        },
        {
          "id": "CVE-2012-2121",
          "summary": "The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2121"
        },
        {
          "id": "CVE-2012-2123",
          "summary": "The cap_bprm_set_creds function in security/commoncap.c in the Linux kernel before 3.3.3 does not properly handle the use of file system capabilities (aka fcaps) for implementing a privileged executable file, which allows local users to bypass intended personality restrictions via a crafted application, as demonstrated by an attack that uses a parent process to disable ASLR.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2123"
        },
        {
          "id": "CVE-2012-2127",
          "summary": "fs/proc/root.c in the procfs implementation in the Linux kernel before 3.2 does not properly interact with CLONE_NEWPID clone system calls, which allows remote attackers to cause a denial of service (reference leak and memory consumption) by making many connections to a daemon that uses PID namespaces to isolate clients, as demonstrated by vsftpd.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2127"
        },
        {
          "id": "CVE-2012-2133",
          "summary": "Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2133"
        },
        {
          "id": "CVE-2012-2136",
          "summary": "The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2136"
        },
        {
          "id": "CVE-2012-2137",
          "summary": "Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2137"
        },
        {
          "id": "CVE-2012-2313",
          "summary": "The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.",
          "scorev2": "1.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2313"
        },
        {
          "id": "CVE-2012-2319",
          "summary": "Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel before 3.3.5 allow local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2319"
        },
        {
          "id": "CVE-2012-2372",
          "summary": "The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2372"
        },
        {
          "id": "CVE-2012-2373",
          "summary": "The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial of service (panic) via a crafted application that triggers a race condition.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2373"
        },
        {
          "id": "CVE-2012-2375",
          "summary": "The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2375"
        },
        {
          "id": "CVE-2012-2383",
          "summary": "Integer overflow in the i915_gem_execbuffer2 function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2383"
        },
        {
          "id": "CVE-2012-2384",
          "summary": "Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2384"
        },
        {
          "id": "CVE-2012-2390",
          "summary": "Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2390"
        },
        {
          "id": "CVE-2012-2669",
          "summary": "The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2669"
        },
        {
          "id": "CVE-2012-2744",
          "summary": "net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2744"
        },
        {
          "id": "CVE-2012-2745",
          "summary": "The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2745"
        },
        {
          "id": "CVE-2012-3364",
          "summary": "Multiple stack-based buffer overflows in the Near Field Communication Controller Interface (NCI) in the Linux kernel before 3.4.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via incoming frames with crafted length fields.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3364"
        },
        {
          "id": "CVE-2012-3375",
          "summary": "The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3375"
        },
        {
          "id": "CVE-2012-3400",
          "summary": "Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.",
          "scorev2": "7.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3400"
        },
        {
          "id": "CVE-2012-3412",
          "summary": "The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3412"
        },
        {
          "id": "CVE-2012-3430",
          "summary": "The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3430"
        },
        {
          "id": "CVE-2012-3510",
          "summary": "Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel before 2.6.19 allows local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.",
          "scorev2": "5.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3510"
        },
        {
          "id": "CVE-2012-3511",
          "summary": "Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3511"
        },
        {
          "id": "CVE-2012-3520",
          "summary": "The Netlink implementation in the Linux kernel before 3.2.30 does not properly handle messages that lack SCM_CREDENTIALS data, which might allow local users to spoof Netlink communication via a crafted message, as demonstrated by a message to (1) Avahi or (2) NetworkManager.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3520"
        },
        {
          "id": "CVE-2012-3552",
          "summary": "Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-3552"
        },
        {
          "id": "CVE-2012-4398",
          "summary": "The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4398"
        },
        {
          "id": "CVE-2012-4444",
          "summary": "The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4444"
        },
        {
          "id": "CVE-2012-4461",
          "summary": "The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4461"
        },
        {
          "id": "CVE-2012-4467",
          "summary": "The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket.c in the Linux kernel before 3.5.4 use an incorrect argument order, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a crafted ioctl call.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4467"
        },
        {
          "id": "CVE-2012-4508",
          "summary": "Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4508"
        },
        {
          "id": "CVE-2012-4530",
          "summary": "The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4530"
        },
        {
          "id": "CVE-2012-4542",
          "summary": "block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4542"
        },
        {
          "id": "CVE-2012-4565",
          "summary": "The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-4565"
        },
        {
          "id": "CVE-2012-5374",
          "summary": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5374"
        },
        {
          "id": "CVE-2012-5375",
          "summary": "The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5375"
        },
        {
          "id": "CVE-2012-5517",
          "summary": "The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5517"
        },
        {
          "id": "CVE-2012-5532",
          "summary": "The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5532"
        },
        {
          "id": "CVE-2012-6536",
          "summary": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify that the actual Netlink message length is consistent with a certain header field, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability and providing a (1) new or (2) updated state.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6536"
        },
        {
          "id": "CVE-2012-6537",
          "summary": "net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6537"
        },
        {
          "id": "CVE-2012-6538",
          "summary": "The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6538"
        },
        {
          "id": "CVE-2012-6539",
          "summary": "The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6539"
        },
        {
          "id": "CVE-2012-6540",
          "summary": "The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6540"
        },
        {
          "id": "CVE-2012-6541",
          "summary": "The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6541"
        },
        {
          "id": "CVE-2012-6542",
          "summary": "The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6542"
        },
        {
          "id": "CVE-2012-6543",
          "summary": "The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6543"
        },
        {
          "id": "CVE-2012-6544",
          "summary": "The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6544"
        },
        {
          "id": "CVE-2012-6545",
          "summary": "The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6545"
        },
        {
          "id": "CVE-2012-6546",
          "summary": "The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6546"
        },
        {
          "id": "CVE-2012-6547",
          "summary": "The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6547"
        },
        {
          "id": "CVE-2012-6548",
          "summary": "The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6548"
        },
        {
          "id": "CVE-2012-6549",
          "summary": "The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6549"
        },
        {
          "id": "CVE-2012-6638",
          "summary": "The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6638"
        },
        {
          "id": "CVE-2012-6647",
          "summary": "The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6647"
        },
        {
          "id": "CVE-2012-6657",
          "summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5.7 does not ensure that a keepalive action is associated with a stream socket, which allows local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6657"
        },
        {
          "id": "CVE-2012-6689",
          "summary": "The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6689"
        },
        {
          "id": "CVE-2012-6701",
          "summary": "Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6701"
        },
        {
          "id": "CVE-2012-6703",
          "summary": "Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6703"
        },
        {
          "id": "CVE-2012-6704",
          "summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6704"
        },
        {
          "id": "CVE-2012-6712",
          "summary": "In the Linux kernel before 3.4, a buffer overflow occurs in drivers/net/wireless/iwlwifi/iwl-agn-sta.c, which will cause at least memory corruption.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6712"
        },
        {
          "id": "CVE-2013-0160",
          "summary": "The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0160"
        },
        {
          "id": "CVE-2013-0190",
          "summary": "The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0190"
        },
        {
          "id": "CVE-2013-0216",
          "summary": "The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0216"
        },
        {
          "id": "CVE-2013-0217",
          "summary": "Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0217"
        },
        {
          "id": "CVE-2013-0228",
          "summary": "The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0228"
        },
        {
          "id": "CVE-2013-0231",
          "summary": "The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0231"
        },
        {
          "id": "CVE-2013-0268",
          "summary": "The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0268"
        },
        {
          "id": "CVE-2013-0290",
          "summary": "The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0290"
        },
        {
          "id": "CVE-2013-0309",
          "summary": "arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0309"
        },
        {
          "id": "CVE-2013-0310",
          "summary": "The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call.",
          "scorev2": "6.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0310"
        },
        {
          "id": "CVE-2013-0311",
          "summary": "The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.",
          "scorev2": "6.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0311"
        },
        {
          "id": "CVE-2013-0313",
          "summary": "The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0313"
        },
        {
          "id": "CVE-2013-0343",
          "summary": "The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.",
          "scorev2": "3.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0343"
        },
        {
          "id": "CVE-2013-0349",
          "summary": "The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0349"
        },
        {
          "id": "CVE-2013-0871",
          "summary": "Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0871"
        },
        {
          "id": "CVE-2013-0913",
          "summary": "Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0913"
        },
        {
          "id": "CVE-2013-0914",
          "summary": "The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-0914"
        },
        {
          "id": "CVE-2013-1059",
          "summary": "net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1059"
        },
        {
          "id": "CVE-2013-1763",
          "summary": "Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1763"
        },
        {
          "id": "CVE-2013-1767",
          "summary": "Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1767"
        },
        {
          "id": "CVE-2013-1772",
          "summary": "The log_prefix function in kernel/printk.c in the Linux kernel 3.x before 3.4.33 does not properly remove a prefix string from a syslog header, which allows local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1772"
        },
        {
          "id": "CVE-2013-1773",
          "summary": "Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1773"
        },
        {
          "id": "CVE-2013-1774",
          "summary": "The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1774"
        },
        {
          "id": "CVE-2013-1792",
          "summary": "Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1792"
        },
        {
          "id": "CVE-2013-1796",
          "summary": "The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1796"
        },
        {
          "id": "CVE-2013-1797",
          "summary": "Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.",
          "scorev2": "6.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1797"
        },
        {
          "id": "CVE-2013-1798",
          "summary": "The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1798"
        },
        {
          "id": "CVE-2013-1819",
          "summary": "The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel before 3.7.6 does not validate block numbers, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1819"
        },
        {
          "id": "CVE-2013-1826",
          "summary": "The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux kernel before 3.5.7 does not properly handle error conditions in dump_one_state function calls, which allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1826"
        },
        {
          "id": "CVE-2013-1827",
          "summary": "net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1827"
        },
        {
          "id": "CVE-2013-1828",
          "summary": "The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the Linux kernel before 3.8.4 does not validate a size value before proceeding to a copy_from_user operation, which allows local users to gain privileges via a crafted application that contains an SCTP_GET_ASSOC_STATS getsockopt system call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1828"
        },
        {
          "id": "CVE-2013-1848",
          "summary": "fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1848"
        },
        {
          "id": "CVE-2013-1858",
          "summary": "The clone system-call implementation in the Linux kernel before 3.8.3 does not properly handle a combination of the CLONE_NEWUSER and CLONE_FS flags, which allows local users to gain privileges by calling chroot and leveraging the sharing of the / directory between a parent process and a child process.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1858"
        },
        {
          "id": "CVE-2013-1860",
          "summary": "Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1860"
        },
        {
          "id": "CVE-2013-1928",
          "summary": "The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1928"
        },
        {
          "id": "CVE-2013-1929",
          "summary": "Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1929"
        },
        {
          "id": "CVE-2013-1943",
          "summary": "The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c.",
          "scorev2": "4.4",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1943"
        },
        {
          "id": "CVE-2013-1956",
          "summary": "The create_user_ns function in kernel/user_namespace.c in the Linux kernel before 3.8.6 does not check whether a chroot directory exists that differs from the namespace root directory, which allows local users to bypass intended filesystem restrictions via a crafted clone system call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1956"
        },
        {
          "id": "CVE-2013-1957",
          "summary": "The clone_mnt function in fs/namespace.c in the Linux kernel before 3.8.6 does not properly restrict changes to the MNT_READONLY flag, which allows local users to bypass an intended read-only property of a filesystem by leveraging a separate mount namespace.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1957"
        },
        {
          "id": "CVE-2013-1958",
          "summary": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1958"
        },
        {
          "id": "CVE-2013-1959",
          "summary": "kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.",
          "scorev2": "3.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1959"
        },
        {
          "id": "CVE-2013-1979",
          "summary": "The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-1979"
        },
        {
          "id": "CVE-2013-2015",
          "summary": "The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2015"
        },
        {
          "id": "CVE-2013-2017",
          "summary": "The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs during congestion, which allows remote attackers to cause a denial of service (system crash) by leveraging lack of skb consumption in conjunction with a double-free error.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2017"
        },
        {
          "id": "CVE-2013-2058",
          "summary": "The host_start function in drivers/usb/chipidea/host.c in the Linux kernel before 3.7.4 does not properly support a certain non-streaming option, which allows local users to cause a denial of service (system crash) by sending a large amount of network traffic through a USB/Ethernet adapter.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2058"
        },
        {
          "id": "CVE-2013-2094",
          "summary": "The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.",
          "scorev2": "7.2",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2094"
        },
        {
          "id": "CVE-2013-2128",
          "summary": "The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2128"
        },
        {
          "id": "CVE-2013-2140",
          "summary": "The dispatch_discard_io function in drivers/block/xen-blkback/blkback.c in the Xen blkback implementation in the Linux kernel before 3.10.5 allows guest OS users to cause a denial of service (data loss) via filesystem write operations on a read-only disk that supports the (1) BLKIF_OP_DISCARD (aka discard or TRIM) or (2) SCSI UNMAP feature.",
          "scorev2": "3.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2140"
        },
        {
          "id": "CVE-2013-2141",
          "summary": "The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2141"
        },
        {
          "id": "CVE-2013-2146",
          "summary": "arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2146"
        },
        {
          "id": "CVE-2013-2147",
          "summary": "The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2147"
        },
        {
          "id": "CVE-2013-2148",
          "summary": "The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2148"
        },
        {
          "id": "CVE-2013-2164",
          "summary": "The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2164"
        },
        {
          "id": "CVE-2013-2206",
          "summary": "The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2206"
        },
        {
          "id": "CVE-2013-2232",
          "summary": "The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2232"
        },
        {
          "id": "CVE-2013-2234",
          "summary": "The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2234"
        },
        {
          "id": "CVE-2013-2237",
          "summary": "The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2237"
        },
        {
          "id": "CVE-2013-2546",
          "summary": "The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2546"
        },
        {
          "id": "CVE-2013-2547",
          "summary": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2547"
        },
        {
          "id": "CVE-2013-2548",
          "summary": "The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect length value during a copy operation, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2548"
        },
        {
          "id": "CVE-2013-2596",
          "summary": "Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2596"
        },
        {
          "id": "CVE-2013-2634",
          "summary": "net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2634"
        },
        {
          "id": "CVE-2013-2635",
          "summary": "The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2635"
        },
        {
          "id": "CVE-2013-2636",
          "summary": "net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2636"
        },
        {
          "id": "CVE-2013-2850",
          "summary": "Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet.",
          "scorev2": "7.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2850"
        },
        {
          "id": "CVE-2013-2851",
          "summary": "Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.",
          "scorev2": "6.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2851"
        },
        {
          "id": "CVE-2013-2852",
          "summary": "Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2852"
        },
        {
          "id": "CVE-2013-2888",
          "summary": "Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2888"
        },
        {
          "id": "CVE-2013-2889",
          "summary": "drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2889"
        },
        {
          "id": "CVE-2013-2890",
          "summary": "drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SONY is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2890"
        },
        {
          "id": "CVE-2013-2891",
          "summary": "drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_STEELSERIES is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2891"
        },
        {
          "id": "CVE-2013-2892",
          "summary": "drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2892"
        },
        {
          "id": "CVE-2013-2893",
          "summary": "The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2893"
        },
        {
          "id": "CVE-2013-2894",
          "summary": "drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2894"
        },
        {
          "id": "CVE-2013-2895",
          "summary": "drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or obtain sensitive information from kernel memory via a crafted device.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2895"
        },
        {
          "id": "CVE-2013-2896",
          "summary": "drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2896"
        },
        {
          "id": "CVE-2013-2897",
          "summary": "Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2897"
        },
        {
          "id": "CVE-2013-2898",
          "summary": "drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2898"
        },
        {
          "id": "CVE-2013-2899",
          "summary": "drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2899"
        },
        {
          "id": "CVE-2013-2929",
          "summary": "The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2929"
        },
        {
          "id": "CVE-2013-2930",
          "summary": "The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-2930"
        },
        {
          "id": "CVE-2013-3076",
          "summary": "The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3076"
        },
        {
          "id": "CVE-2013-3222",
          "summary": "The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3222"
        },
        {
          "id": "CVE-2013-3223",
          "summary": "The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3223"
        },
        {
          "id": "CVE-2013-3224",
          "summary": "The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3224"
        },
        {
          "id": "CVE-2013-3225",
          "summary": "The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3225"
        },
        {
          "id": "CVE-2013-3226",
          "summary": "The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3226"
        },
        {
          "id": "CVE-2013-3227",
          "summary": "The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3227"
        },
        {
          "id": "CVE-2013-3228",
          "summary": "The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3228"
        },
        {
          "id": "CVE-2013-3229",
          "summary": "The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3229"
        },
        {
          "id": "CVE-2013-3230",
          "summary": "The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.9-rc7 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3230"
        },
        {
          "id": "CVE-2013-3231",
          "summary": "The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3231"
        },
        {
          "id": "CVE-2013-3232",
          "summary": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3232"
        },
        {
          "id": "CVE-2013-3233",
          "summary": "The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable and a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3233"
        },
        {
          "id": "CVE-2013-3234",
          "summary": "The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3234"
        },
        {
          "id": "CVE-2013-3235",
          "summary": "net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3235"
        },
        {
          "id": "CVE-2013-3236",
          "summary": "The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3236"
        },
        {
          "id": "CVE-2013-3237",
          "summary": "The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3237"
        },
        {
          "id": "CVE-2013-3301",
          "summary": "The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3301"
        },
        {
          "id": "CVE-2013-3302",
          "summary": "Race condition in the smb_send_rqst function in fs/cifs/transport.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors involving a reconnection event.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-3302"
        },
        {
          "id": "CVE-2013-4125",
          "summary": "The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages.",
          "scorev2": "5.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4125"
        },
        {
          "id": "CVE-2013-4127",
          "summary": "Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4127"
        },
        {
          "id": "CVE-2013-4129",
          "summary": "The bridge multicast implementation in the Linux kernel through 3.10.3 does not check whether a certain timer is armed before modifying the timeout value of that timer, which allows local users to cause a denial of service (BUG and system crash) via vectors involving the shutdown of a KVM virtual machine, related to net/bridge/br_mdb.c and net/bridge/br_multicast.c.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4129"
        },
        {
          "id": "CVE-2013-4162",
          "summary": "The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4162"
        },
        {
          "id": "CVE-2013-4163",
          "summary": "The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4163"
        },
        {
          "id": "CVE-2013-4205",
          "summary": "Memory leak in the unshare_userns function in kernel/user_namespace.c in the Linux kernel before 3.10.6 allows local users to cause a denial of service (memory consumption) via an invalid CLONE_NEWUSER unshare call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4205"
        },
        {
          "id": "CVE-2013-4220",
          "summary": "The bad_mode function in arch/arm64/kernel/traps.c in the Linux kernel before 3.9.5 on the ARM64 platform allows local users to cause a denial of service (system crash) via vectors involving an attempted register access that triggers an unexpected value in the Exception Syndrome Register (ESR).",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4220"
        },
        {
          "id": "CVE-2013-4247",
          "summary": "Off-by-one error in the build_unc_path_to_root function in fs/cifs/connect.c in the Linux kernel before 3.9.6 allows remote attackers to cause a denial of service (memory corruption and system crash) via a DFS share mount operation that triggers use of an unexpected DFS referral name length.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4247"
        },
        {
          "id": "CVE-2013-4254",
          "summary": "The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4254"
        },
        {
          "id": "CVE-2013-4270",
          "summary": "The net_ctl_permissions function in net/sysctl_net.c in the Linux kernel before 3.11.5 does not properly determine uid and gid values, which allows local users to bypass intended /proc/sys/net restrictions via a crafted application.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4270"
        },
        {
          "id": "CVE-2013-4299",
          "summary": "Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.",
          "scorev2": "6.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4299"
        },
        {
          "id": "CVE-2013-4300",
          "summary": "The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.11 performs a capability check in an incorrect namespace, which allows local users to gain privileges via PID spoofing.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4300"
        },
        {
          "id": "CVE-2013-4312",
          "summary": "The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4312"
        },
        {
          "id": "CVE-2013-4343",
          "summary": "Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4343"
        },
        {
          "id": "CVE-2013-4345",
          "summary": "Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.",
          "scorev2": "5.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4345"
        },
        {
          "id": "CVE-2013-4348",
          "summary": "The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4348"
        },
        {
          "id": "CVE-2013-4350",
          "summary": "The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4350"
        },
        {
          "id": "CVE-2013-4387",
          "summary": "net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4387"
        },
        {
          "id": "CVE-2013-4470",
          "summary": "The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4470"
        },
        {
          "id": "CVE-2013-4483",
          "summary": "The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4483"
        },
        {
          "id": "CVE-2013-4511",
          "summary": "Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4511"
        },
        {
          "id": "CVE-2013-4512",
          "summary": "Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4512"
        },
        {
          "id": "CVE-2013-4513",
          "summary": "Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4513"
        },
        {
          "id": "CVE-2013-4514",
          "summary": "Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4514"
        },
        {
          "id": "CVE-2013-4515",
          "summary": "The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4515"
        },
        {
          "id": "CVE-2013-4516",
          "summary": "The mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4516"
        },
        {
          "id": "CVE-2013-4563",
          "summary": "The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4563"
        },
        {
          "id": "CVE-2013-4579",
          "summary": "The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.",
          "scorev2": "4.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4579"
        },
        {
          "id": "CVE-2013-4587",
          "summary": "Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4587"
        },
        {
          "id": "CVE-2013-4588",
          "summary": "Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4588"
        },
        {
          "id": "CVE-2013-4591",
          "summary": "Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4591"
        },
        {
          "id": "CVE-2013-4592",
          "summary": "Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-4592"
        },
        {
          "id": "CVE-2013-5634",
          "summary": "arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform, when KVM is used, allows host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call.",
          "scorev2": "4.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-5634"
        },
        {
          "id": "CVE-2013-6282",
          "summary": "The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6282"
        },
        {
          "id": "CVE-2013-6367",
          "summary": "The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value.",
          "scorev2": "5.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6367"
        },
        {
          "id": "CVE-2013-6368",
          "summary": "The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6368"
        },
        {
          "id": "CVE-2013-6376",
          "summary": "The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6376"
        },
        {
          "id": "CVE-2013-6378",
          "summary": "The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6378"
        },
        {
          "id": "CVE-2013-6380",
          "summary": "The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6380"
        },
        {
          "id": "CVE-2013-6381",
          "summary": "Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6381"
        },
        {
          "id": "CVE-2013-6382",
          "summary": "Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6382"
        },
        {
          "id": "CVE-2013-6383",
          "summary": "The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6383"
        },
        {
          "id": "CVE-2013-6431",
          "summary": "The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before 3.11.5 does not properly implement error-code encoding, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for an IPv6 SIOCADDRT ioctl call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6431"
        },
        {
          "id": "CVE-2013-6432",
          "summary": "The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6432"
        },
        {
          "id": "CVE-2013-6763",
          "summary": "The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6763"
        },
        {
          "id": "CVE-2013-7026",
          "summary": "Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7026"
        },
        {
          "id": "CVE-2013-7027",
          "summary": "The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7027"
        },
        {
          "id": "CVE-2013-7263",
          "summary": "The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7263"
        },
        {
          "id": "CVE-2013-7264",
          "summary": "The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7264"
        },
        {
          "id": "CVE-2013-7265",
          "summary": "The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7265"
        },
        {
          "id": "CVE-2013-7266",
          "summary": "The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7266"
        },
        {
          "id": "CVE-2013-7267",
          "summary": "The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7267"
        },
        {
          "id": "CVE-2013-7268",
          "summary": "The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7268"
        },
        {
          "id": "CVE-2013-7269",
          "summary": "The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7269"
        },
        {
          "id": "CVE-2013-7270",
          "summary": "The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7270"
        },
        {
          "id": "CVE-2013-7271",
          "summary": "The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7271"
        },
        {
          "id": "CVE-2013-7281",
          "summary": "The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7281"
        },
        {
          "id": "CVE-2013-7339",
          "summary": "The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7339"
        },
        {
          "id": "CVE-2013-7348",
          "summary": "Double free vulnerability in the ioctx_alloc function in fs/aio.c in the Linux kernel before 3.12.4 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via vectors involving an error condition in the aio_setup_ring function.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7348"
        },
        {
          "id": "CVE-2013-7421",
          "summary": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7421"
        },
        {
          "id": "CVE-2013-7445",
          "summary": "The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7445"
        },
        {
          "id": "CVE-2013-7446",
          "summary": "Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls.",
          "scorev2": "5.4",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7446"
        },
        {
          "id": "CVE-2013-7470",
          "summary": "cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-7470"
        },
        {
          "id": "CVE-2014-0038",
          "summary": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0038"
        },
        {
          "id": "CVE-2014-0049",
          "summary": "Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.",
          "scorev2": "7.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0049"
        },
        {
          "id": "CVE-2014-0069",
          "summary": "The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0069"
        },
        {
          "id": "CVE-2014-0077",
          "summary": "drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.",
          "scorev2": "5.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:S/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0077"
        },
        {
          "id": "CVE-2014-0100",
          "summary": "Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load.",
          "scorev2": "9.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0100"
        },
        {
          "id": "CVE-2014-0101",
          "summary": "The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0101"
        },
        {
          "id": "CVE-2014-0102",
          "summary": "The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands.",
          "scorev2": "5.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0102"
        },
        {
          "id": "CVE-2014-0131",
          "summary": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.",
          "scorev2": "2.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0131"
        },
        {
          "id": "CVE-2014-0155",
          "summary": "The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC.  NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.",
          "scorev2": "5.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0155"
        },
        {
          "id": "CVE-2014-0181",
          "summary": "The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0181"
        },
        {
          "id": "CVE-2014-0196",
          "summary": "The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the \"LECHO & !OPOST\" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.",
          "scorev2": "6.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0196"
        },
        {
          "id": "CVE-2014-0203",
          "summary": "The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0203"
        },
        {
          "id": "CVE-2014-0205",
          "summary": "The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a certain reference count during requeue operations, which allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a zero count.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0205"
        },
        {
          "id": "CVE-2014-0206",
          "summary": "Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-0206"
        },
        {
          "id": "CVE-2014-1438",
          "summary": "The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1438"
        },
        {
          "id": "CVE-2014-1444",
          "summary": "The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call.",
          "scorev2": "1.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1444"
        },
        {
          "id": "CVE-2014-1445",
          "summary": "The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1445"
        },
        {
          "id": "CVE-2014-1446",
          "summary": "The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1446"
        },
        {
          "id": "CVE-2014-1690",
          "summary": "The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature.",
          "scorev2": "2.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1690"
        },
        {
          "id": "CVE-2014-1737",
          "summary": "The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1737"
        },
        {
          "id": "CVE-2014-1738",
          "summary": "The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1738"
        },
        {
          "id": "CVE-2014-1739",
          "summary": "The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1739"
        },
        {
          "id": "CVE-2014-1874",
          "summary": "The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-1874"
        },
        {
          "id": "CVE-2014-2038",
          "summary": "The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2038"
        },
        {
          "id": "CVE-2014-2039",
          "summary": "arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2039"
        },
        {
          "id": "CVE-2014-2309",
          "summary": "The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2309"
        },
        {
          "id": "CVE-2014-2523",
          "summary": "net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2523"
        },
        {
          "id": "CVE-2014-2568",
          "summary": "Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced.",
          "scorev2": "2.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2568"
        },
        {
          "id": "CVE-2014-2672",
          "summary": "Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large amount of network traffic that triggers certain list deletions.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2672"
        },
        {
          "id": "CVE-2014-2673",
          "summary": "The arch_dup_task_struct function in the Transactional Memory (TM) implementation in arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly interact with the clone and fork system calls, which allows local users to cause a denial of service (Program Check and system crash) via certain instructions that are executed with the processor in the Transactional state.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2673"
        },
        {
          "id": "CVE-2014-2678",
          "summary": "The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2678"
        },
        {
          "id": "CVE-2014-2706",
          "summary": "Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2706"
        },
        {
          "id": "CVE-2014-2739",
          "summary": "The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2739"
        },
        {
          "id": "CVE-2014-2851",
          "summary": "Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2851"
        },
        {
          "id": "CVE-2014-2889",
          "summary": "Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 3.1.8, when BPF JIT is enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges via a long jump after a conditional jump.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2889"
        },
        {
          "id": "CVE-2014-3122",
          "summary": "The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3122"
        },
        {
          "id": "CVE-2014-3144",
          "summary": "The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions.  NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3144"
        },
        {
          "id": "CVE-2014-3145",
          "summary": "The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions.  NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3145"
        },
        {
          "id": "CVE-2014-3153",
          "summary": "The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3153"
        },
        {
          "id": "CVE-2014-3180",
          "summary": "In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable",
          "scorev2": "6.4",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3180"
        },
        {
          "id": "CVE-2014-3181",
          "summary": "Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3181"
        },
        {
          "id": "CVE-2014-3182",
          "summary": "Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3182"
        },
        {
          "id": "CVE-2014-3183",
          "summary": "Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED report.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3183"
        },
        {
          "id": "CVE-2014-3184",
          "summary": "The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3184"
        },
        {
          "id": "CVE-2014-3185",
          "summary": "Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3185"
        },
        {
          "id": "CVE-2014-3186",
          "summary": "Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3186"
        },
        {
          "id": "CVE-2014-3534",
          "summary": "arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3534"
        },
        {
          "id": "CVE-2014-3535",
          "summary": "include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3535"
        },
        {
          "id": "CVE-2014-3601",
          "summary": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages.",
          "scorev2": "4.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3601"
        },
        {
          "id": "CVE-2014-3610",
          "summary": "The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3610"
        },
        {
          "id": "CVE-2014-3611",
          "summary": "Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3611"
        },
        {
          "id": "CVE-2014-3631",
          "summary": "The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple \"keyctl newring\" operations followed by a \"keyctl timeout\" operation.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3631"
        },
        {
          "id": "CVE-2014-3645",
          "summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3645"
        },
        {
          "id": "CVE-2014-3646",
          "summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3646"
        },
        {
          "id": "CVE-2014-3647",
          "summary": "arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3647"
        },
        {
          "id": "CVE-2014-3673",
          "summary": "The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3673"
        },
        {
          "id": "CVE-2014-3687",
          "summary": "The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3687"
        },
        {
          "id": "CVE-2014-3688",
          "summary": "The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3688"
        },
        {
          "id": "CVE-2014-3690",
          "summary": "arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3690"
        },
        {
          "id": "CVE-2014-3917",
          "summary": "kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3917"
        },
        {
          "id": "CVE-2014-3940",
          "summary": "The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3940"
        },
        {
          "id": "CVE-2014-4014",
          "summary": "The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4014"
        },
        {
          "id": "CVE-2014-4027",
          "summary": "The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator.",
          "scorev2": "2.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4027"
        },
        {
          "id": "CVE-2014-4157",
          "summary": "arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure _TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4157"
        },
        {
          "id": "CVE-2014-4171",
          "summary": "mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4171"
        },
        {
          "id": "CVE-2014-4322",
          "summary": "drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4322"
        },
        {
          "id": "CVE-2014-4323",
          "summary": "The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.",
          "scorev2": "7.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4323"
        },
        {
          "id": "CVE-2014-4508",
          "summary": "arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4508"
        },
        {
          "id": "CVE-2014-4608",
          "summary": "Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says \"the Linux kernel is *not* affected; media hype.\"",
          "scorev2": "7.5",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4608"
        },
        {
          "id": "CVE-2014-4611",
          "summary": "Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4611"
        },
        {
          "id": "CVE-2014-4652",
          "summary": "Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4652"
        },
        {
          "id": "CVE-2014-4653",
          "summary": "sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4653"
        },
        {
          "id": "CVE-2014-4654",
          "summary": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4654"
        },
        {
          "id": "CVE-2014-4655",
          "summary": "The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4655"
        },
        {
          "id": "CVE-2014-4656",
          "summary": "Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4656"
        },
        {
          "id": "CVE-2014-4667",
          "summary": "The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4667"
        },
        {
          "id": "CVE-2014-4699",
          "summary": "The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4699"
        },
        {
          "id": "CVE-2014-4943",
          "summary": "The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-4943"
        },
        {
          "id": "CVE-2014-5045",
          "summary": "The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5045"
        },
        {
          "id": "CVE-2014-5077",
          "summary": "The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5077"
        },
        {
          "id": "CVE-2014-5206",
          "summary": "The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a \"mount -o remount\" command within a user namespace.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5206"
        },
        {
          "id": "CVE-2014-5207",
          "summary": "fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a \"mount -o remount\" command within a user namespace.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5207"
        },
        {
          "id": "CVE-2014-5332",
          "summary": "Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5332"
        },
        {
          "id": "CVE-2014-5471",
          "summary": "Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5471"
        },
        {
          "id": "CVE-2014-5472",
          "summary": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.",
          "scorev2": "4.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5472"
        },
        {
          "id": "CVE-2014-6410",
          "summary": "The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the amount of ICB indirection, which allows physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6410"
        },
        {
          "id": "CVE-2014-6416",
          "summary": "Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6416"
        },
        {
          "id": "CVE-2014-6417",
          "summary": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly consider the possibility of kmalloc failure, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a long unencrypted auth ticket.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6417"
        },
        {
          "id": "CVE-2014-6418",
          "summary": "net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly validate auth replies, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via crafted data from the IP address of a Ceph Monitor.",
          "scorev2": "7.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-6418"
        },
        {
          "id": "CVE-2014-7145",
          "summary": "The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7145"
        },
        {
          "id": "CVE-2014-7207",
          "summary": "A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging (1) tun or (2) macvtap device access.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7207"
        },
        {
          "id": "CVE-2014-7283",
          "summary": "The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on directories that have hash collisions, as demonstrated by rmdir operations.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7283"
        },
        {
          "id": "CVE-2014-7284",
          "summary": "The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values.",
          "scorev2": "6.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7284"
        },
        {
          "id": "CVE-2014-7822",
          "summary": "The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7822"
        },
        {
          "id": "CVE-2014-7825",
          "summary": "kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7825"
        },
        {
          "id": "CVE-2014-7826",
          "summary": "kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7826"
        },
        {
          "id": "CVE-2014-7841",
          "summary": "The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7841"
        },
        {
          "id": "CVE-2014-7842",
          "summary": "Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7842"
        },
        {
          "id": "CVE-2014-7843",
          "summary": "The __clear_user function in arch/arm64/lib/clear_user.S in the Linux kernel before 3.17.4 on the ARM64 platform allows local users to cause a denial of service (system crash) by reading one byte beyond a /dev/zero page boundary.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7843"
        },
        {
          "id": "CVE-2014-7970",
          "summary": "The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7970"
        },
        {
          "id": "CVE-2014-7975",
          "summary": "The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-7975"
        },
        {
          "id": "CVE-2014-8086",
          "summary": "Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8086"
        },
        {
          "id": "CVE-2014-8133",
          "summary": "arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8133"
        },
        {
          "id": "CVE-2014-8134",
          "summary": "The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value.",
          "scorev2": "1.9",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8134"
        },
        {
          "id": "CVE-2014-8159",
          "summary": "The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8159"
        },
        {
          "id": "CVE-2014-8160",
          "summary": "net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8160"
        },
        {
          "id": "CVE-2014-8171",
          "summary": "The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8171",
          "detail": "fixed-version",
          "description": "Fixed from version 3.12rc1"
        },
        {
          "id": "CVE-2014-8172",
          "summary": "The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows local users to cause a denial of service (soft lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8172"
        },
        {
          "id": "CVE-2014-8173",
          "summary": "The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8173"
        },
        {
          "id": "CVE-2014-8369",
          "summary": "The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8369"
        },
        {
          "id": "CVE-2014-8480",
          "summary": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 lacks intended decoder-table flags for certain RIP-relative instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8480"
        },
        {
          "id": "CVE-2014-8481",
          "summary": "The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel before 3.18-rc2 does not properly handle invalid instructions, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a crafted application that triggers (1) an improperly fetched instruction or (2) an instruction that occupies too many bytes.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8480.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8481"
        },
        {
          "id": "CVE-2014-8559",
          "summary": "The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8559"
        },
        {
          "id": "CVE-2014-8709",
          "summary": "The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8709"
        },
        {
          "id": "CVE-2014-8884",
          "summary": "Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8884"
        },
        {
          "id": "CVE-2014-8989",
          "summary": "The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a \"negative groups\" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8989"
        },
        {
          "id": "CVE-2014-9090",
          "summary": "The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9090"
        },
        {
          "id": "CVE-2014-9322",
          "summary": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9322"
        },
        {
          "id": "CVE-2014-9410",
          "summary": "The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.",
          "scorev2": "7.2",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9410"
        },
        {
          "id": "CVE-2014-9419",
          "summary": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9419"
        },
        {
          "id": "CVE-2014-9420",
          "summary": "The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9420"
        },
        {
          "id": "CVE-2014-9428",
          "summary": "The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9428"
        },
        {
          "id": "CVE-2014-9529",
          "summary": "Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9529"
        },
        {
          "id": "CVE-2014-9584",
          "summary": "The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9584"
        },
        {
          "id": "CVE-2014-9585",
          "summary": "The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9585"
        },
        {
          "id": "CVE-2014-9644",
          "summary": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9644"
        },
        {
          "id": "CVE-2014-9683",
          "summary": "Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.",
          "scorev2": "3.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9683"
        },
        {
          "id": "CVE-2014-9710",
          "summary": "The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9710"
        },
        {
          "id": "CVE-2014-9715",
          "summary": "include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9715"
        },
        {
          "id": "CVE-2014-9717",
          "summary": "fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.",
          "scorev2": "3.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9717"
        },
        {
          "id": "CVE-2014-9728",
          "summary": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9728"
        },
        {
          "id": "CVE-2014-9729",
          "summary": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9729"
        },
        {
          "id": "CVE-2014-9730",
          "summary": "The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9730"
        },
        {
          "id": "CVE-2014-9731",
          "summary": "The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \\0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9731"
        },
        {
          "id": "CVE-2014-9803",
          "summary": "arch/arm64/include/asm/pgtable.h in the Linux kernel before 3.15-rc5-next-20140519, as used in Android before 2016-07-05 on Nexus 5X and 6P devices, mishandles execute-only pages, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28557020.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9803"
        },
        {
          "id": "CVE-2014-9870",
          "summary": "The Linux kernel before 3.11 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly consider user-space access to the TPIDRURW register, which allows local users to gain privileges via a crafted application, aka Android internal bug 28749743 and Qualcomm internal bug CR561044.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9870"
        },
        {
          "id": "CVE-2014-9888",
          "summary": "arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9888"
        },
        {
          "id": "CVE-2014-9892",
          "summary": "The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9892"
        },
        {
          "id": "CVE-2014-9895",
          "summary": "drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9895"
        },
        {
          "id": "CVE-2014-9900",
          "summary": "The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9900"
        },
        {
          "id": "CVE-2014-9903",
          "summary": "The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from kernel stack memory via a crafted sched_getattr system call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9903"
        },
        {
          "id": "CVE-2014-9904",
          "summary": "The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9904"
        },
        {
          "id": "CVE-2014-9914",
          "summary": "Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures for IPv4 UDP sockets.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9914"
        },
        {
          "id": "CVE-2014-9922",
          "summary": "The eCryptfs subsystem in the Linux kernel before 3.18 allows local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9922"
        },
        {
          "id": "CVE-2014-9940",
          "summary": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9940"
        },
        {
          "id": "CVE-2015-0239",
          "summary": "The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0239"
        },
        {
          "id": "CVE-2015-0274",
          "summary": "The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote attribute replacement, which allows local users to cause a denial of service (transaction overrun and data corruption) or possibly gain privileges by leveraging XFS filesystem access.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0274"
        },
        {
          "id": "CVE-2015-0275",
          "summary": "The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel before 4.1 allows local users to cause a denial of service (BUG) via a crafted fallocate zero-range request.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0275"
        },
        {
          "id": "CVE-2015-0568",
          "summary": "Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0568"
        },
        {
          "id": "CVE-2015-0569",
          "summary": "Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0569"
        },
        {
          "id": "CVE-2015-0570",
          "summary": "Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in wlan_hdd_hostapd.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that uses a long WPS IE element.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0570"
        },
        {
          "id": "CVE-2015-0571",
          "summary": "The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0571"
        },
        {
          "id": "CVE-2015-0572",
          "summary": "Multiple race conditions in drivers/char/adsprpc.c and drivers/char/adsprpc_compat.c in the ADSPRPC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (zero-value write) or possibly have unspecified other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl call.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0572"
        },
        {
          "id": "CVE-2015-0573",
          "summary": "drivers/media/platform/msm/broadcast/tsc.c in the TSC driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via a crafted application that makes a TSC_GET_CARD_STATUS ioctl call.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0573"
        },
        {
          "id": "CVE-2015-1328",
          "summary": "The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1328"
        },
        {
          "id": "CVE-2015-1333",
          "summary": "Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1333"
        },
        {
          "id": "CVE-2015-1339",
          "summary": "Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in the Linux kernel before 4.4 allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1339"
        },
        {
          "id": "CVE-2015-1350",
          "summary": "The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1350"
        },
        {
          "id": "CVE-2015-1420",
          "summary": "Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1420"
        },
        {
          "id": "CVE-2015-1421",
          "summary": "Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1421"
        },
        {
          "id": "CVE-2015-1465",
          "summary": "The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1465"
        },
        {
          "id": "CVE-2015-1573",
          "summary": "The nft_flush_table function in net/netfilter/nf_tables_api.c in the Linux kernel before 3.18.5 mishandles the interaction between cross-chain jumps and ruleset flushes, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1573"
        },
        {
          "id": "CVE-2015-1593",
          "summary": "The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1593"
        },
        {
          "id": "CVE-2015-1805",
          "summary": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\"",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1805"
        },
        {
          "id": "CVE-2015-2041",
          "summary": "net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2041"
        },
        {
          "id": "CVE-2015-2042",
          "summary": "net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2042"
        },
        {
          "id": "CVE-2015-2150",
          "summary": "Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2150"
        },
        {
          "id": "CVE-2015-2666",
          "summary": "Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2666"
        },
        {
          "id": "CVE-2015-2672",
          "summary": "The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the Linux kernel before 3.19.2 creates certain .altinstr_replacement pointers and consequently does not provide any protection against instruction faulting, which allows local users to cause a denial of service (panic) by triggering a fault, as demonstrated by an unaligned memory operand or a non-canonical address memory operand.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2672"
        },
        {
          "id": "CVE-2015-2686",
          "summary": "net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2686"
        },
        {
          "id": "CVE-2015-2830",
          "summary": "arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.",
          "scorev2": "1.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2830"
        },
        {
          "id": "CVE-2015-2877",
          "summary": "Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack.  NOTE: the vendor states \"Basically if you care about this attack vector, disable deduplication.\" Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2877"
        },
        {
          "id": "CVE-2015-2922",
          "summary": "The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.",
          "scorev2": "3.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2922"
        },
        {
          "id": "CVE-2015-2925",
          "summary": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\"",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-2925"
        },
        {
          "id": "CVE-2015-3212",
          "summary": "Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3212"
        },
        {
          "id": "CVE-2015-3214",
          "summary": "The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3214"
        },
        {
          "id": "CVE-2015-3288",
          "summary": "mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3288"
        },
        {
          "id": "CVE-2015-3290",
          "summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3290"
        },
        {
          "id": "CVE-2015-3291",
          "summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform does not properly determine when nested NMI processing is occurring, which allows local users to cause a denial of service (skipped NMI) by modifying the rsp register, issuing a syscall instruction, and triggering an NMI.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3291"
        },
        {
          "id": "CVE-2015-3331",
          "summary": "The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.",
          "scorev2": "9.3",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3331"
        },
        {
          "id": "CVE-2015-3332",
          "summary": "A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allows local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3332"
        },
        {
          "id": "CVE-2015-3339",
          "summary": "Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.",
          "scorev2": "6.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3339"
        },
        {
          "id": "CVE-2015-3636",
          "summary": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-3636"
        },
        {
          "id": "CVE-2015-4001",
          "summary": "Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.",
          "scorev2": "9.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4001"
        },
        {
          "id": "CVE-2015-4002",
          "summary": "drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions.",
          "scorev2": "9.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4002"
        },
        {
          "id": "CVE-2015-4003",
          "summary": "The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4003"
        },
        {
          "id": "CVE-2015-4004",
          "summary": "The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.",
          "scorev2": "8.5",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4004"
        },
        {
          "id": "CVE-2015-4036",
          "summary": "Array index error in the tcm_vhost_make_tpg function in drivers/vhost/scsi.c in the Linux kernel before 4.0 might allow guest OS users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl call.  NOTE: the affected function was renamed to vhost_scsi_make_tpg before the vulnerability was announced.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4036"
        },
        {
          "id": "CVE-2015-4167",
          "summary": "The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4167"
        },
        {
          "id": "CVE-2015-4170",
          "summary": "Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a previous tty thread.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4170"
        },
        {
          "id": "CVE-2015-4176",
          "summary": "fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4176"
        },
        {
          "id": "CVE-2015-4177",
          "summary": "The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4177"
        },
        {
          "id": "CVE-2015-4178",
          "summary": "The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4178"
        },
        {
          "id": "CVE-2015-4692",
          "summary": "The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4692"
        },
        {
          "id": "CVE-2015-4700",
          "summary": "The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4700"
        },
        {
          "id": "CVE-2015-5156",
          "summary": "The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.",
          "scorev2": "6.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5156"
        },
        {
          "id": "CVE-2015-5157",
          "summary": "arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI.",
          "scorev2": "7.2",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5157"
        },
        {
          "id": "CVE-2015-5257",
          "summary": "drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device.  NOTE: this ID was incorrectly used for an Apache Cordova issue that has the correct ID of CVE-2015-8320.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5257"
        },
        {
          "id": "CVE-2015-5283",
          "summary": "The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished.",
          "scorev2": "4.7",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5283"
        },
        {
          "id": "CVE-2015-5307",
          "summary": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5307"
        },
        {
          "id": "CVE-2015-5327",
          "summary": "Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.",
          "scorev2": "4.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5327"
        },
        {
          "id": "CVE-2015-5364",
          "summary": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.",
          "scorev2": "7.8",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5364"
        },
        {
          "id": "CVE-2015-5366",
          "summary": "The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5366"
        },
        {
          "id": "CVE-2015-5697",
          "summary": "The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5697"
        },
        {
          "id": "CVE-2015-5706",
          "summary": "Use-after-free vulnerability in the path_openat function in fs/namei.c in the Linux kernel 3.x and 4.x before 4.0.4 allows local users to cause a denial of service or possibly have unspecified other impact via O_TMPFILE filesystem operations that leverage a duplicate cleanup operation.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5706"
        },
        {
          "id": "CVE-2015-5707",
          "summary": "Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.",
          "scorev2": "4.6",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-5707"
        },
        {
          "id": "CVE-2015-6252",
          "summary": "The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6252"
        },
        {
          "id": "CVE-2015-6526",
          "summary": "The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on ppc64 platforms allows local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6526"
        },
        {
          "id": "CVE-2015-6937",
          "summary": "The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-6937"
        },
        {
          "id": "CVE-2015-7312",
          "summary": "Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise or (2) msync system call, related to mm/madvise.c and mm/msync.c.",
          "scorev2": "4.4",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7312"
        },
        {
          "id": "CVE-2015-7509",
          "summary": "fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7509"
        },
        {
          "id": "CVE-2015-7513",
          "summary": "arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7513"
        },
        {
          "id": "CVE-2015-7515",
          "summary": "The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7515"
        },
        {
          "id": "CVE-2015-7550",
          "summary": "The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7550"
        },
        {
          "id": "CVE-2015-7566",
          "summary": "The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7566"
        },
        {
          "id": "CVE-2015-7613",
          "summary": "Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.",
          "scorev2": "6.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7613"
        },
        {
          "id": "CVE-2015-7799",
          "summary": "The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call.",
          "scorev2": "4.9",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7799"
        },
        {
          "id": "CVE-2015-7872",
          "summary": "The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.",
          "scorev2": "2.1",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7872"
        },
        {
          "id": "CVE-2015-7884",
          "summary": "The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7884"
        },
        {
          "id": "CVE-2015-7885",
          "summary": "The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7885"
        },
        {
          "id": "CVE-2015-7990",
          "summary": "Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937.",
          "scorev2": "5.9",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-7990"
        },
        {
          "id": "CVE-2015-8019",
          "summary": "The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel 3.14.54 and 3.18.22 does not accept a length argument, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8019"
        },
        {
          "id": "CVE-2015-8104",
          "summary": "The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.",
          "scorev2": "4.7",
          "scorev3": "10.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8104"
        },
        {
          "id": "CVE-2015-8215",
          "summary": "net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272.  NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product.",
          "scorev2": "5.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8215"
        },
        {
          "id": "CVE-2015-8324",
          "summary": "The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of certain data structures, which allows physically proximate attackers to cause a denial of service (NULL pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8324"
        },
        {
          "id": "CVE-2015-8374",
          "summary": "fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8374"
        },
        {
          "id": "CVE-2015-8539",
          "summary": "The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8539"
        },
        {
          "id": "CVE-2015-8543",
          "summary": "The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8543"
        },
        {
          "id": "CVE-2015-8551",
          "summary": "The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka \"Linux pciback missing sanity checks.\"",
          "scorev2": "4.7",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8551"
        },
        {
          "id": "CVE-2015-8569",
          "summary": "The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.",
          "scorev2": "1.9",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8569"
        },
        {
          "id": "CVE-2015-8575",
          "summary": "The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8575"
        },
        {
          "id": "CVE-2015-8660",
          "summary": "The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8660"
        },
        {
          "id": "CVE-2015-8709",
          "summary": "kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call.  NOTE: the vendor states \"there is no kernel bug here.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8709"
        },
        {
          "id": "CVE-2015-8746",
          "summary": "fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8746"
        },
        {
          "id": "CVE-2015-8767",
          "summary": "net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8767"
        },
        {
          "id": "CVE-2015-8785",
          "summary": "The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8785"
        },
        {
          "id": "CVE-2015-8787",
          "summary": "The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8787"
        },
        {
          "id": "CVE-2015-8812",
          "summary": "drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8812"
        },
        {
          "id": "CVE-2015-8816",
          "summary": "The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.",
          "scorev2": "7.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8816"
        },
        {
          "id": "CVE-2015-8830",
          "summary": "Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.  NOTE: this vulnerability exists because of a CVE-2012-6701 regression.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8830"
        },
        {
          "id": "CVE-2015-8839",
          "summary": "Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling.",
          "scorev2": "1.9",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8839"
        },
        {
          "id": "CVE-2015-8844",
          "summary": "The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8844"
        },
        {
          "id": "CVE-2015-8845",
          "summary": "The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8845"
        },
        {
          "id": "CVE-2015-8944",
          "summary": "The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8944"
        },
        {
          "id": "CVE-2015-8950",
          "summary": "arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8950"
        },
        {
          "id": "CVE-2015-8952",
          "summary": "The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8952"
        },
        {
          "id": "CVE-2015-8953",
          "summary": "fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8953"
        },
        {
          "id": "CVE-2015-8955",
          "summary": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.",
          "scorev2": "6.9",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8955"
        },
        {
          "id": "CVE-2015-8956",
          "summary": "The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.",
          "scorev2": "3.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8956"
        },
        {
          "id": "CVE-2015-8961",
          "summary": "The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8961"
        },
        {
          "id": "CVE-2015-8962",
          "summary": "Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.",
          "scorev2": "9.3",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8962"
        },
        {
          "id": "CVE-2015-8963",
          "summary": "Race condition in kernel/events/core.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect handling of an swevent data structure during a CPU unplug operation.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8963"
        },
        {
          "id": "CVE-2015-8964",
          "summary": "The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8964"
        },
        {
          "id": "CVE-2015-8966",
          "summary": "arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8966"
        },
        {
          "id": "CVE-2015-8967",
          "summary": "arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the \"strict page permissions\" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8967"
        },
        {
          "id": "CVE-2015-8970",
          "summary": "crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-8970"
        },
        {
          "id": "CVE-2015-9004",
          "summary": "kernel/events/core.c in the Linux kernel before 3.19 mishandles counter grouping, which allows local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9004"
        },
        {
          "id": "CVE-2015-9289",
          "summary": "In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-9289"
        },
        {
          "id": "CVE-2016-0723",
          "summary": "Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.",
          "scorev2": "5.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0723"
        },
        {
          "id": "CVE-2016-0728",
          "summary": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0728"
        },
        {
          "id": "CVE-2016-0758",
          "summary": "Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0758"
        },
        {
          "id": "CVE-2016-0774",
          "summary": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.",
          "scorev2": "5.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0774",
          "detail": "ignored",
          "description": "result of incomplete backport"
        },
        {
          "id": "CVE-2016-0821",
          "summary": "The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0821"
        },
        {
          "id": "CVE-2016-0823",
          "summary": "The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-0823"
        },
        {
          "id": "CVE-2016-10044",
          "summary": "The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10044"
        },
        {
          "id": "CVE-2016-10088",
          "summary": "The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10088"
        },
        {
          "id": "CVE-2016-10147",
          "summary": "crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10147"
        },
        {
          "id": "CVE-2016-10150",
          "summary": "Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10150"
        },
        {
          "id": "CVE-2016-10153",
          "summary": "The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10153"
        },
        {
          "id": "CVE-2016-10154",
          "summary": "The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10154"
        },
        {
          "id": "CVE-2016-10200",
          "summary": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10200"
        },
        {
          "id": "CVE-2016-10208",
          "summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.",
          "scorev2": "4.9",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10208"
        },
        {
          "id": "CVE-2016-10229",
          "summary": "udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10229"
        },
        {
          "id": "CVE-2016-10277",
          "summary": "An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10277"
        },
        {
          "id": "CVE-2016-10283",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32094986. References: QC-CR#2002052.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10283"
        },
        {
          "id": "CVE-2016-10284",
          "summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402303. References: QC-CR#2000664.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10284"
        },
        {
          "id": "CVE-2016-10285",
          "summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33752702. References: QC-CR#1104899.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10285"
        },
        {
          "id": "CVE-2016-10286",
          "summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400904. References: QC-CR#1090237.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10286"
        },
        {
          "id": "CVE-2016-10287",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33784446. References: QC-CR#1112751.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10287"
        },
        {
          "id": "CVE-2016-10288",
          "summary": "An elevation of privilege vulnerability in the Qualcomm LED driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33863909. References: QC-CR#1109763.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10288"
        },
        {
          "id": "CVE-2016-10289",
          "summary": "An elevation of privilege vulnerability in the Qualcomm crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899710. References: QC-CR#1116295.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10289"
        },
        {
          "id": "CVE-2016-10290",
          "summary": "An elevation of privilege vulnerability in the Qualcomm shared memory driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33898330. References: QC-CR#1109782.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10290"
        },
        {
          "id": "CVE-2016-10291",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Slimbus driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34030871. References: QC-CR#986837.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10291"
        },
        {
          "id": "CVE-2016-10292",
          "summary": "A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34514463. References: QC-CR#1065466.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10292"
        },
        {
          "id": "CVE-2016-10293",
          "summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33352393. References: QC-CR#1101943.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10293"
        },
        {
          "id": "CVE-2016-10294",
          "summary": "An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33621829. References: QC-CR#1105481.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10294"
        },
        {
          "id": "CVE-2016-10295",
          "summary": "An information disclosure vulnerability in the Qualcomm LED driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33781694. References: QC-CR#1109326.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10295"
        },
        {
          "id": "CVE-2016-10296",
          "summary": "An information disclosure vulnerability in the Qualcomm shared memory driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33845464. References: QC-CR#1109782.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10296"
        },
        {
          "id": "CVE-2016-10318",
          "summary": "A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.",
          "scorev2": "4.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10318"
        },
        {
          "id": "CVE-2016-10723",
          "summary": "An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that \"the underlying problem is non-trivial to handle.\"",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10723"
        },
        {
          "id": "CVE-2016-10741",
          "summary": "In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10741"
        },
        {
          "id": "CVE-2016-10764",
          "summary": "In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so the \">\" should be \">=\" instead.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10764"
        },
        {
          "id": "CVE-2016-10905",
          "summary": "An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry.",
          "scorev2": "6.1",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10905"
        },
        {
          "id": "CVE-2016-10906",
          "summary": "An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10906"
        },
        {
          "id": "CVE-2016-10907",
          "summary": "An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kernel before 4.8.6. There is an out of bounds write in the function ad5755_parse_dt.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10907"
        },
        {
          "id": "CVE-2016-1237",
          "summary": "nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1237"
        },
        {
          "id": "CVE-2016-1575",
          "summary": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1575"
        },
        {
          "id": "CVE-2016-1576",
          "summary": "The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1576"
        },
        {
          "id": "CVE-2016-1583",
          "summary": "The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-1583"
        },
        {
          "id": "CVE-2016-2053",
          "summary": "The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2053"
        },
        {
          "id": "CVE-2016-2059",
          "summary": "The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2059"
        },
        {
          "id": "CVE-2016-2061",
          "summary": "Integer signedness error in the MSM V4L2 video driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (array overflow and memory corruption) via a crafted application that triggers an msm_isp_axi_create_stream call.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2061"
        },
        {
          "id": "CVE-2016-2062",
          "summary": "The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, uses an incorrect integer data type, which allows attackers to cause a denial of service (integer overflow, heap-based buffer overflow, and incorrect memory allocation) or possibly have unspecified other impact via a crafted IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2062"
        },
        {
          "id": "CVE-2016-2063",
          "summary": "Stack-based buffer overflow in the supply_lm_input_write function in drivers/thermal/supply_lm_core.c in the MSM Thermal driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted application that sends a large amount of data through the debugfs interface.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2063"
        },
        {
          "id": "CVE-2016-2064",
          "summary": "sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted application that makes an ioctl call specifying many commands.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2064"
        },
        {
          "id": "CVE-2016-2065",
          "summary": "sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (out-of-bounds write and memory corruption) or possibly have unspecified other impact via a crafted application that makes an ioctl call triggering incorrect use of a parameters pointer.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2065"
        },
        {
          "id": "CVE-2016-2066",
          "summary": "Integer signedness error in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application that makes an ioctl call.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2066"
        },
        {
          "id": "CVE-2016-2067",
          "summary": "drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2067"
        },
        {
          "id": "CVE-2016-2068",
          "summary": "The MSM QDSP6 audio driver (aka sound driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (integer overflow, and buffer overflow or buffer over-read) via a crafted application that performs a (1) AUDIO_EFFECTS_WRITE or (2) AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug CR1006609.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2068"
        },
        {
          "id": "CVE-2016-2069",
          "summary": "Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU.",
          "scorev2": "4.4",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2069"
        },
        {
          "id": "CVE-2016-2070",
          "summary": "The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2070"
        },
        {
          "id": "CVE-2016-2085",
          "summary": "The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2085"
        },
        {
          "id": "CVE-2016-2117",
          "summary": "The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2117"
        },
        {
          "id": "CVE-2016-2143",
          "summary": "The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2143"
        },
        {
          "id": "CVE-2016-2184",
          "summary": "The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2184"
        },
        {
          "id": "CVE-2016-2185",
          "summary": "The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2185"
        },
        {
          "id": "CVE-2016-2186",
          "summary": "The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2186"
        },
        {
          "id": "CVE-2016-2187",
          "summary": "The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2187"
        },
        {
          "id": "CVE-2016-2188",
          "summary": "The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2188"
        },
        {
          "id": "CVE-2016-2383",
          "summary": "The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2383"
        },
        {
          "id": "CVE-2016-2384",
          "summary": "Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2384"
        },
        {
          "id": "CVE-2016-2543",
          "summary": "The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2543"
        },
        {
          "id": "CVE-2016-2544",
          "summary": "Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.",
          "scorev2": "4.7",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2544"
        },
        {
          "id": "CVE-2016-2545",
          "summary": "The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.",
          "scorev2": "4.7",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2545"
        },
        {
          "id": "CVE-2016-2546",
          "summary": "sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.",
          "scorev2": "4.7",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2546"
        },
        {
          "id": "CVE-2016-2547",
          "summary": "sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call.",
          "scorev2": "4.7",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2547"
        },
        {
          "id": "CVE-2016-2548",
          "summary": "sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2548"
        },
        {
          "id": "CVE-2016-2549",
          "summary": "sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call.",
          "scorev2": "2.1",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2549"
        },
        {
          "id": "CVE-2016-2550",
          "summary": "The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2550"
        },
        {
          "id": "CVE-2016-2782",
          "summary": "The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2782"
        },
        {
          "id": "CVE-2016-2847",
          "summary": "fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2847"
        },
        {
          "id": "CVE-2016-2853",
          "summary": "The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.",
          "scorev2": "4.4",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2853"
        },
        {
          "id": "CVE-2016-2854",
          "summary": "The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-2854"
        },
        {
          "id": "CVE-2016-3070",
          "summary": "The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3070"
        },
        {
          "id": "CVE-2016-3134",
          "summary": "The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.",
          "scorev2": "7.2",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3134"
        },
        {
          "id": "CVE-2016-3135",
          "summary": "Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3135"
        },
        {
          "id": "CVE-2016-3136",
          "summary": "The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3136"
        },
        {
          "id": "CVE-2016-3137",
          "summary": "drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3137"
        },
        {
          "id": "CVE-2016-3138",
          "summary": "The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3138"
        },
        {
          "id": "CVE-2016-3139",
          "summary": "The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3139"
        },
        {
          "id": "CVE-2016-3140",
          "summary": "The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3140"
        },
        {
          "id": "CVE-2016-3156",
          "summary": "The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3156"
        },
        {
          "id": "CVE-2016-3672",
          "summary": "The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3672"
        },
        {
          "id": "CVE-2016-3689",
          "summary": "The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3689"
        },
        {
          "id": "CVE-2016-3695",
          "summary": "The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3695",
          "detail": "not-applicable-platform",
          "description": "specific to RHEL with securelevel patches"
        },
        {
          "id": "CVE-2016-3699",
          "summary": "The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.",
          "scorev2": "6.9",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3699",
          "detail": "not-applicable-platform",
          "description": "specific to RHEL with securelevel patches"
        },
        {
          "id": "CVE-2016-3713",
          "summary": "The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.",
          "scorev2": "5.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3713"
        },
        {
          "id": "CVE-2016-3841",
          "summary": "The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.",
          "scorev2": "7.2",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3841"
        },
        {
          "id": "CVE-2016-3951",
          "summary": "Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3951"
        },
        {
          "id": "CVE-2016-3955",
          "summary": "The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-3955"
        },
        {
          "id": "CVE-2016-4440",
          "summary": "arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the APICv on/off state, which allows guest OS users to obtain direct APIC MSR access on the host OS, and consequently cause a denial of service (host OS crash) or possibly execute arbitrary code on the host OS, via x2APIC mode.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4440"
        },
        {
          "id": "CVE-2016-4470",
          "summary": "The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4470"
        },
        {
          "id": "CVE-2016-4482",
          "summary": "The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call.",
          "scorev2": "2.1",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4482"
        },
        {
          "id": "CVE-2016-4485",
          "summary": "The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4485"
        },
        {
          "id": "CVE-2016-4486",
          "summary": "The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4486"
        },
        {
          "id": "CVE-2016-4557",
          "summary": "The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4557"
        },
        {
          "id": "CVE-2016-4558",
          "summary": "The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4558"
        },
        {
          "id": "CVE-2016-4565",
          "summary": "The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4565"
        },
        {
          "id": "CVE-2016-4568",
          "summary": "drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4568"
        },
        {
          "id": "CVE-2016-4569",
          "summary": "The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4569"
        },
        {
          "id": "CVE-2016-4578",
          "summary": "sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4578"
        },
        {
          "id": "CVE-2016-4580",
          "summary": "The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4580"
        },
        {
          "id": "CVE-2016-4581",
          "summary": "fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4581"
        },
        {
          "id": "CVE-2016-4794",
          "summary": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4794"
        },
        {
          "id": "CVE-2016-4805",
          "summary": "Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4805"
        },
        {
          "id": "CVE-2016-4913",
          "summary": "The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \\0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4913"
        },
        {
          "id": "CVE-2016-4951",
          "summary": "The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4951"
        },
        {
          "id": "CVE-2016-4997",
          "summary": "The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4997"
        },
        {
          "id": "CVE-2016-4998",
          "summary": "The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.",
          "scorev2": "5.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-4998"
        },
        {
          "id": "CVE-2016-5195",
          "summary": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"",
          "scorev2": "7.2",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5195"
        },
        {
          "id": "CVE-2016-5243",
          "summary": "The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5243"
        },
        {
          "id": "CVE-2016-5244",
          "summary": "The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5244"
        },
        {
          "id": "CVE-2016-5340",
          "summary": "The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5340"
        },
        {
          "id": "CVE-2016-5342",
          "summary": "Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5342"
        },
        {
          "id": "CVE-2016-5343",
          "summary": "drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5343"
        },
        {
          "id": "CVE-2016-5344",
          "summary": "Multiple integer overflows in the MDSS driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service or possibly have unspecified other impact via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and mdss_rotator.c.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5344"
        },
        {
          "id": "CVE-2016-5400",
          "summary": "Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations.",
          "scorev2": "4.9",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5400"
        },
        {
          "id": "CVE-2016-5412",
          "summary": "arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction.",
          "scorev2": "4.6",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5412"
        },
        {
          "id": "CVE-2016-5696",
          "summary": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.",
          "scorev2": "5.8",
          "scorev3": "4.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5696"
        },
        {
          "id": "CVE-2016-5728",
          "summary": "Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a \"double fetch\" vulnerability.",
          "scorev2": "5.4",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5728"
        },
        {
          "id": "CVE-2016-5828",
          "summary": "The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5828"
        },
        {
          "id": "CVE-2016-5829",
          "summary": "Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5829"
        },
        {
          "id": "CVE-2016-5856",
          "summary": "Drivers/soc/qcom/spcom.c in the Qualcomm SPCom driver in the Android kernel 2017-03-05 allows local users to gain privileges, a different vulnerability than CVE-2016-5857.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5856"
        },
        {
          "id": "CVE-2016-5870",
          "summary": "The msm_ipc_router_close function in net/ipc_router/ipc_router_socket.c in the ipc_router component for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact by triggering failure of an accept system call for an AF_MSM_IPC socket.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-5870"
        },
        {
          "id": "CVE-2016-6130",
          "summary": "Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a \"double fetch\" vulnerability.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6130"
        },
        {
          "id": "CVE-2016-6136",
          "summary": "Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a \"double fetch\" vulnerability.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6136"
        },
        {
          "id": "CVE-2016-6156",
          "summary": "Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a \"double fetch\" vulnerability.",
          "scorev2": "1.9",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6156"
        },
        {
          "id": "CVE-2016-6162",
          "summary": "net/core/skbuff.c in the Linux kernel 4.7-rc6 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via certain IPv6 socket operations.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6162"
        },
        {
          "id": "CVE-2016-6187",
          "summary": "The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6187"
        },
        {
          "id": "CVE-2016-6197",
          "summary": "fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6197"
        },
        {
          "id": "CVE-2016-6198",
          "summary": "The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6198"
        },
        {
          "id": "CVE-2016-6213",
          "summary": "fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6213"
        },
        {
          "id": "CVE-2016-6327",
          "summary": "drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6327"
        },
        {
          "id": "CVE-2016-6480",
          "summary": "Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a \"double fetch\" vulnerability.",
          "scorev2": "4.7",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6480"
        },
        {
          "id": "CVE-2016-6516",
          "summary": "Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a \"double fetch\" vulnerability.",
          "scorev2": "4.4",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6516"
        },
        {
          "id": "CVE-2016-6755",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30740545. References: QC-CR#1065916.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6755"
        },
        {
          "id": "CVE-2016-6756",
          "summary": "An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29464815. References: QC-CR#1042068.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6756"
        },
        {
          "id": "CVE-2016-6757",
          "summary": "An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148242. References: QC-CR#1052821.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6757"
        },
        {
          "id": "CVE-2016-6758",
          "summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30148882. References: QC-CR#1071731.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6758"
        },
        {
          "id": "CVE-2016-6759",
          "summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29982686. References: QC-CR#1055766.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6759"
        },
        {
          "id": "CVE-2016-6760",
          "summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29617572. References: QC-CR#1055783.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6760"
        },
        {
          "id": "CVE-2016-6761",
          "summary": "An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29421682. References: QC-CR#1055792.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6761"
        },
        {
          "id": "CVE-2016-6775",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31222873. References: N-CVE-2016-6775.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6775"
        },
        {
          "id": "CVE-2016-6776",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31680980. References: N-CVE-2016-6776.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6776"
        },
        {
          "id": "CVE-2016-6777",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31910462. References: N-CVE-2016-6777.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6777"
        },
        {
          "id": "CVE-2016-6778",
          "summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31384646.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6778"
        },
        {
          "id": "CVE-2016-6779",
          "summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31386004.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6779"
        },
        {
          "id": "CVE-2016-6780",
          "summary": "An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31251496.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6780"
        },
        {
          "id": "CVE-2016-6781",
          "summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31095175. References: MT-ALPS02943455.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6781"
        },
        {
          "id": "CVE-2016-6782",
          "summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31224389. References: MT-ALPS02943506.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6782"
        },
        {
          "id": "CVE-2016-6785",
          "summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31748056. References: MT-ALPS02961400.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6785"
        },
        {
          "id": "CVE-2016-6786",
          "summary": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6786"
        },
        {
          "id": "CVE-2016-6787",
          "summary": "kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6787"
        },
        {
          "id": "CVE-2016-6789",
          "summary": "An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251973. References: N-CVE-2016-6789.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6789"
        },
        {
          "id": "CVE-2016-6790",
          "summary": "An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: Kernel-3.18. Android ID: A-31251628. References: N-CVE-2016-6790.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6790"
        },
        {
          "id": "CVE-2016-6791",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252384. References: QC-CR#1071809.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6791"
        },
        {
          "id": "CVE-2016-6828",
          "summary": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6828"
        },
        {
          "id": "CVE-2016-7039",
          "summary": "The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7039"
        },
        {
          "id": "CVE-2016-7042",
          "summary": "The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file.",
          "scorev2": "4.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7042"
        },
        {
          "id": "CVE-2016-7097",
          "summary": "The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7097"
        },
        {
          "id": "CVE-2016-7117",
          "summary": "Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7117"
        },
        {
          "id": "CVE-2016-7425",
          "summary": "The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7425"
        },
        {
          "id": "CVE-2016-7910",
          "summary": "Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7910"
        },
        {
          "id": "CVE-2016-7911",
          "summary": "Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7911"
        },
        {
          "id": "CVE-2016-7912",
          "summary": "Use-after-free vulnerability in the ffs_user_copy_worker function in drivers/usb/gadget/function/f_fs.c in the Linux kernel before 4.5.3 allows local users to gain privileges by accessing an I/O data structure after a certain callback call.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7912"
        },
        {
          "id": "CVE-2016-7913",
          "summary": "The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7913"
        },
        {
          "id": "CVE-2016-7914",
          "summary": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures, as demonstrated by the keyutils test suite.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7914"
        },
        {
          "id": "CVE-2016-7915",
          "summary": "The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7915"
        },
        {
          "id": "CVE-2016-7916",
          "summary": "Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7916"
        },
        {
          "id": "CVE-2016-7917",
          "summary": "The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "4.3",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7917"
        },
        {
          "id": "CVE-2016-8391",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31253255. References: QC-CR#1072166.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8391"
        },
        {
          "id": "CVE-2016-8392",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31385862. References: QC-CR#1073136.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8392"
        },
        {
          "id": "CVE-2016-8393",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31911920.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8393"
        },
        {
          "id": "CVE-2016-8394",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913197.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8394"
        },
        {
          "id": "CVE-2016-8395",
          "summary": "A denial of service vulnerability in the NVIDIA camera driver could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device. This issue is rated as High due to the possibility of local permanent denial of service. Product: Android. Versions: Kernel-3.10. Android ID: A-31403040. References: N-CVE-2016-8395.",
          "scorev2": "7.1",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8395"
        },
        {
          "id": "CVE-2016-8397",
          "summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31385953. References: N-CVE-2016-8397.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8397"
        },
        {
          "id": "CVE-2016-8398",
          "summary": "Unauthenticated messages processed by the UE. Certain NAS messages are processed when no EPS security context exists in the UE. Product: Android. Versions: Kernel 3.18. Android ID: A-31548486. References: QC-CR#877705.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8398"
        },
        {
          "id": "CVE-2016-8399",
          "summary": "An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8399"
        },
        {
          "id": "CVE-2016-8400",
          "summary": "An information disclosure vulnerability in the NVIDIA librm library (libnvrm) could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Product: Android. Versions: Kernel-3.18. Android ID: A-31251599. References: N-CVE-2016-8400.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8400"
        },
        {
          "id": "CVE-2016-8401",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31494725.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8401"
        },
        {
          "id": "CVE-2016-8402",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495231.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8402"
        },
        {
          "id": "CVE-2016-8403",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495348.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8403"
        },
        {
          "id": "CVE-2016-8404",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496950.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8404"
        },
        {
          "id": "CVE-2016-8405",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8405"
        },
        {
          "id": "CVE-2016-8406",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796940.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8406"
        },
        {
          "id": "CVE-2016-8407",
          "summary": "An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31802656.",
          "scorev2": "4.3",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8407"
        },
        {
          "id": "CVE-2016-8408",
          "summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31496571. References: N-CVE-2016-8408.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8408"
        },
        {
          "id": "CVE-2016-8409",
          "summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31495687. References: N-CVE-2016-8409.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8409"
        },
        {
          "id": "CVE-2016-8410",
          "summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31498403. References: QC-CR#987010.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8410"
        },
        {
          "id": "CVE-2016-8412",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31225246. References: QC-CR#1071891.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8412"
        },
        {
          "id": "CVE-2016-8413",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32709702. References: QC-CR#518731.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8413"
        },
        {
          "id": "CVE-2016-8414",
          "summary": "An information disclosure vulnerability in the Qualcomm Secure Execution Environment Communicator could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31704078. References: QC-CR#1076407.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8414"
        },
        {
          "id": "CVE-2016-8415",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750554. References: QC-CR#1079596.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8415"
        },
        {
          "id": "CVE-2016-8416",
          "summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32510746. References: QC-CR#1088206.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8416"
        },
        {
          "id": "CVE-2016-8417",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32342399. References: QC-CR#1088824.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8417"
        },
        {
          "id": "CVE-2016-8419",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32454494. References: QC-CR#1087209.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8419"
        },
        {
          "id": "CVE-2016-8420",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451171. References: QC-CR#1087807.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8420"
        },
        {
          "id": "CVE-2016-8421",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32451104. References: QC-CR#1087797.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8421"
        },
        {
          "id": "CVE-2016-8424",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31606947. References: N-CVE-2016-8424.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8424"
        },
        {
          "id": "CVE-2016-8425",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31797770. References: N-CVE-2016-8425.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8425"
        },
        {
          "id": "CVE-2016-8426",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799206. References: N-CVE-2016-8426.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8426"
        },
        {
          "id": "CVE-2016-8427",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31799885. References: N-CVE-2016-8427.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8427"
        },
        {
          "id": "CVE-2016-8428",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-31993456. References: N-CVE-2016-8428.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8428"
        },
        {
          "id": "CVE-2016-8429",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32160775. References: N-CVE-2016-8429.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8429"
        },
        {
          "id": "CVE-2016-8430",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32225180. References: N-CVE-2016-8430.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8430"
        },
        {
          "id": "CVE-2016-8431",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32402179. References: N-CVE-2016-8431.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8431"
        },
        {
          "id": "CVE-2016-8432",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32447738. References: N-CVE-2016-8432.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8432"
        },
        {
          "id": "CVE-2016-8434",
          "summary": "An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32125137. References: QC-CR#1081855.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8434"
        },
        {
          "id": "CVE-2016-8435",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32700935. References: N-CVE-2016-8435.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8435"
        },
        {
          "id": "CVE-2016-8436",
          "summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-32450261. References: QC-CR#1007860.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8436"
        },
        {
          "id": "CVE-2016-8437",
          "summary": "Improper input validation in Access Control APIs. Access control API may return memory range checking incorrectly. Product: Android. Versions: Kernel 3.18. Android ID: A-31623057. References: QC-CR#1009695.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8437"
        },
        {
          "id": "CVE-2016-8438",
          "summary": "Integer overflow leading to a TOCTOU condition in hypervisor PIL. An integer overflow exposes a race condition that may be used to bypass (Peripheral Image Loader) PIL authentication. Product: Android. Versions: Kernel 3.18. Android ID: A-31624565. References: QC-CR#1023638.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8438"
        },
        {
          "id": "CVE-2016-8439",
          "summary": "Possible buffer overflow in trust zone access control API. Buffer overflow may occur due to lack of buffer size checking. Product: Android. Versions: Kernel 3.18. Android ID: A-31625204. References: QC-CR#1027804.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8439"
        },
        {
          "id": "CVE-2016-8440",
          "summary": "Possible buffer overflow in SMMU system call. Improper input validation in ADSP SID2CB system call may result in hypervisor memory overwrite. Product: Android. Versions: Kernel 3.18. Android ID: A-31625306. References: QC-CR#1036747.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8440"
        },
        {
          "id": "CVE-2016-8441",
          "summary": "Possible buffer overflow in the hypervisor. Inappropriate usage of a static array could lead to a buffer overrun. Product: Android. Versions: Kernel 3.18. Android ID: A-31625904. References: QC-CR#1027769.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8441"
        },
        {
          "id": "CVE-2016-8442",
          "summary": "Possible unauthorized memory access in the hypervisor. Lack of input validation could allow hypervisor memory to be accessed by the HLOS. Product: Android. Versions: Kernel 3.18. Android ID: A-31625910. QC-CR#1038173.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8442"
        },
        {
          "id": "CVE-2016-8443",
          "summary": "Possible unauthorized memory access in the hypervisor. Incorrect configuration provides access to subsystem page tables. Product: Android. Versions: Kernel 3.18. Android ID: A-32576499. References: QC-CR#964185.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8443"
        },
        {
          "id": "CVE-2016-8444",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31243641. References: QC-CR#1074310.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8444"
        },
        {
          "id": "CVE-2016-8449",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31798848. References: N-CVE-2016-8449.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8449"
        },
        {
          "id": "CVE-2016-8450",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32450563. References: QC-CR#880388.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8450"
        },
        {
          "id": "CVE-2016-8451",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.4. Android ID: A-32178033.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8451"
        },
        {
          "id": "CVE-2016-8452",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32506396. References: QC-CR#1050323.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8452"
        },
        {
          "id": "CVE-2016-8453",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-24739315. References: B-RB#73392.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8453"
        },
        {
          "id": "CVE-2016-8454",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32174590. References: B-RB#107142.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8454"
        },
        {
          "id": "CVE-2016-8455",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32219121. References: B-RB#106311.",
          "scorev2": "9.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8455"
        },
        {
          "id": "CVE-2016-8456",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219255. References: B-RB#105580.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8456"
        },
        {
          "id": "CVE-2016-8457",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32219453. References: B-RB#106116.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8457"
        },
        {
          "id": "CVE-2016-8458",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31968442.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8458"
        },
        {
          "id": "CVE-2016-8459",
          "summary": "Possible buffer overflow in storage subsystem. Bad parameters as part of listener responses to RPMB commands could lead to buffer overflow. Product: Android. Versions: Kernel 3.18. Android ID: A-32577972. References: QC-CR#988462.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8459"
        },
        {
          "id": "CVE-2016-8460",
          "summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-31668540. References: N-CVE-2016-8460.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8460"
        },
        {
          "id": "CVE-2016-8461",
          "summary": "An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level. This issue is rated as High because it could be used to access sensitive data. Product: Android. Versions: Kernel-3.18. Android ID: A-32369621.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8461"
        },
        {
          "id": "CVE-2016-8463",
          "summary": "A denial of service vulnerability in the Qualcomm FUSE file system could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-30786860. References: QC-CR#586855.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8463"
        },
        {
          "id": "CVE-2016-8464",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-29000183. References: B-RB#106314.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8464"
        },
        {
          "id": "CVE-2016-8465",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32474971. References: B-RB#106053.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8465"
        },
        {
          "id": "CVE-2016-8466",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31822524. References: B-RB#105268.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8466"
        },
        {
          "id": "CVE-2016-8468",
          "summary": "An elevation of privilege vulnerability in Binder could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.18. Android ID: A-32394425.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8468"
        },
        {
          "id": "CVE-2016-8469",
          "summary": "An information disclosure vulnerability in the camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31351206. References: N-CVE-2016-8469.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8469"
        },
        {
          "id": "CVE-2016-8473",
          "summary": "An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31795790.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8473"
        },
        {
          "id": "CVE-2016-8474",
          "summary": "An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31799972.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8474"
        },
        {
          "id": "CVE-2016-8475",
          "summary": "An information disclosure vulnerability in the HTC input driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32591129.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8475"
        },
        {
          "id": "CVE-2016-8476",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32879283. References: QC-CR#1091940.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8476"
        },
        {
          "id": "CVE-2016-8477",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32720522. References: QC-CR#1090007.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8477"
        },
        {
          "id": "CVE-2016-8478",
          "summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511270. References: QC-CR#1088206.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8478"
        },
        {
          "id": "CVE-2016-8479",
          "summary": "An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31824853. References: QC-CR#1093687.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8479"
        },
        {
          "id": "CVE-2016-8480",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31804432. References: QC-CR#1086186.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8480"
        },
        {
          "id": "CVE-2016-8481",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906415. References: QC-CR#1078000.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8481"
        },
        {
          "id": "CVE-2016-8483",
          "summary": "An information disclosure vulnerability in the Qualcomm power driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-33745862. References: QC-CR#1035099.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8483"
        },
        {
          "id": "CVE-2016-8630",
          "summary": "The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8630"
        },
        {
          "id": "CVE-2016-8632",
          "summary": "The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8632"
        },
        {
          "id": "CVE-2016-8633",
          "summary": "drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.",
          "scorev2": "6.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8633"
        },
        {
          "id": "CVE-2016-8636",
          "summary": "Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the \"RDMA protocol over infiniband\" (aka Soft RoCE) technology.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8636"
        },
        {
          "id": "CVE-2016-8645",
          "summary": "The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8645"
        },
        {
          "id": "CVE-2016-8646",
          "summary": "The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8646"
        },
        {
          "id": "CVE-2016-8650",
          "summary": "The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8650"
        },
        {
          "id": "CVE-2016-8655",
          "summary": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8655"
        },
        {
          "id": "CVE-2016-8658",
          "summary": "Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.7.5 allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket.",
          "scorev2": "5.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8658"
        },
        {
          "id": "CVE-2016-8660",
          "summary": "The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a \"page lock order bug in the XFS seek hole/data implementation.\"",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8660"
        },
        {
          "id": "CVE-2016-8666",
          "summary": "The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-8666"
        },
        {
          "id": "CVE-2016-9083",
          "summary": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9083"
        },
        {
          "id": "CVE-2016-9084",
          "summary": "drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9084"
        },
        {
          "id": "CVE-2016-9120",
          "summary": "Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9120"
        },
        {
          "id": "CVE-2016-9178",
          "summary": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9178"
        },
        {
          "id": "CVE-2016-9191",
          "summary": "The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9191"
        },
        {
          "id": "CVE-2016-9313",
          "summary": "security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9313"
        },
        {
          "id": "CVE-2016-9555",
          "summary": "The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9555"
        },
        {
          "id": "CVE-2016-9576",
          "summary": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9576"
        },
        {
          "id": "CVE-2016-9588",
          "summary": "arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9588"
        },
        {
          "id": "CVE-2016-9604",
          "summary": "It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9604"
        },
        {
          "id": "CVE-2016-9644",
          "summary": "The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel 4.4.22 through 4.4.28 contains extended asm statements that are incompatible with the exception table, which allows local users to obtain root access on non-SMEP platforms via a crafted application.  NOTE: this vulnerability exists because of incorrect backporting of the CVE-2016-9178 patch to older kernels.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9644"
        },
        {
          "id": "CVE-2016-9685",
          "summary": "Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9685"
        },
        {
          "id": "CVE-2016-9754",
          "summary": "The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9754"
        },
        {
          "id": "CVE-2016-9755",
          "summary": "The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9755"
        },
        {
          "id": "CVE-2016-9756",
          "summary": "arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9756"
        },
        {
          "id": "CVE-2016-9777",
          "summary": "KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9777"
        },
        {
          "id": "CVE-2016-9793",
          "summary": "The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9793"
        },
        {
          "id": "CVE-2016-9794",
          "summary": "Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9794"
        },
        {
          "id": "CVE-2016-9806",
          "summary": "Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9806"
        },
        {
          "id": "CVE-2016-9919",
          "summary": "The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-9919"
        },
        {
          "id": "CVE-2017-0306",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-34132950. References: N-CVE-2017-0306.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0306"
        },
        {
          "id": "CVE-2017-0307",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33177895. References: N-CVE-2017-0307.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0307"
        },
        {
          "id": "CVE-2017-0325",
          "summary": "An elevation of privilege vulnerability in the NVIDIA I2C HID driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10 and Kernel 3.18. Android ID: A-33040280. References: N-CVE-2017-0325.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0325"
        },
        {
          "id": "CVE-2017-0327",
          "summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33893669. References: N-CVE-2017-0327.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0327"
        },
        {
          "id": "CVE-2017-0328",
          "summary": "An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33898322. References: N-CVE-2017-0328.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0328"
        },
        {
          "id": "CVE-2017-0329",
          "summary": "An elevation of privilege vulnerability in the NVIDIA boot and power management processor driver could enable a local malicious application to execute arbitrary code within the context of the boot and power management processor. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.18. Android ID: A-34115304. References: N-CVE-2017-0329.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0329"
        },
        {
          "id": "CVE-2017-0330",
          "summary": "An information disclosure vulnerability in the NVIDIA crypto driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33899858. References: N-CVE-2017-0330.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0330"
        },
        {
          "id": "CVE-2017-0331",
          "summary": "An elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel 3.10. Android ID: A-34113000. References: N-CVE-2017-0331.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0331"
        },
        {
          "id": "CVE-2017-0332",
          "summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-33812508. References: N-CVE-2017-0332.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0332"
        },
        {
          "id": "CVE-2017-0333",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33899363. References: N-CVE-2017-0333.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0333"
        },
        {
          "id": "CVE-2017-0334",
          "summary": "An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33245849. References: N-CVE-2017-0334.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0334"
        },
        {
          "id": "CVE-2017-0335",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33043375. References: N-CVE-2017-0335.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0335"
        },
        {
          "id": "CVE-2017-0336",
          "summary": "An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.18. Android ID: A-33042679. References: N-CVE-2017-0336.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0336"
        },
        {
          "id": "CVE-2017-0337",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-31992762. References: N-CVE-2017-0337.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0337"
        },
        {
          "id": "CVE-2017-0338",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33057977. References: N-CVE-2017-0338.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0338"
        },
        {
          "id": "CVE-2017-0339",
          "summary": "An elevation of privilege vulnerability in the NVIDIA crypto driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel 3.10. Android ID: A-27930566. References: N-CVE-2017-0339.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0339"
        },
        {
          "id": "CVE-2017-0403",
          "summary": "An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402548.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0403"
        },
        {
          "id": "CVE-2017-0404",
          "summary": "An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32510733.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0404"
        },
        {
          "id": "CVE-2017-0427",
          "summary": "An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31495866.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0427"
        },
        {
          "id": "CVE-2017-0428",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0428"
        },
        {
          "id": "CVE-2017-0429",
          "summary": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32636619. References: N-CVE-2017-0429.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0429"
        },
        {
          "id": "CVE-2017-0430",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32838767. References: B-RB#107459.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0430"
        },
        {
          "id": "CVE-2017-0432",
          "summary": "An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-28332719.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0432"
        },
        {
          "id": "CVE-2017-0433",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913571.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0433"
        },
        {
          "id": "CVE-2017-0434",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33001936.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0434"
        },
        {
          "id": "CVE-2017-0435",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31906657. References: QC-CR#1078000.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0435"
        },
        {
          "id": "CVE-2017-0436",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32624661. References: QC-CR#1078000.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0436"
        },
        {
          "id": "CVE-2017-0437",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402310. References: QC-CR#1092497.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0437"
        },
        {
          "id": "CVE-2017-0438",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402604. References: QC-CR#1092497.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0438"
        },
        {
          "id": "CVE-2017-0439",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32450647. References: QC-CR#1092059.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0439"
        },
        {
          "id": "CVE-2017-0440",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33252788. References: QC-CR#1095770.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0440"
        },
        {
          "id": "CVE-2017-0441",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32872662. References: QC-CR#1095009.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0441"
        },
        {
          "id": "CVE-2017-0442",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32871330. References: QC-CR#1092497.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0442"
        },
        {
          "id": "CVE-2017-0443",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877494. References: QC-CR#1092497.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0443"
        },
        {
          "id": "CVE-2017-0444",
          "summary": "An elevation of privilege vulnerability in the Realtek sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32705232.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0444"
        },
        {
          "id": "CVE-2017-0445",
          "summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32769717.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0445"
        },
        {
          "id": "CVE-2017-0446",
          "summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32917445.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0446"
        },
        {
          "id": "CVE-2017-0447",
          "summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32919560.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0447"
        },
        {
          "id": "CVE-2017-0448",
          "summary": "An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10. Android ID: A-32721029. References: N-CVE-2017-0448.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0448"
        },
        {
          "id": "CVE-2017-0449",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: Kernel-3.10. Android ID: A-31707909. References: B-RB#32094.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0449"
        },
        {
          "id": "CVE-2017-0451",
          "summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31796345. References: QC-CR#1073129.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0451"
        },
        {
          "id": "CVE-2017-0452",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32873615. References: QC-CR#1093693.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0452"
        },
        {
          "id": "CVE-2017-0453",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33979145. References: QC-CR#1105085.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0453"
        },
        {
          "id": "CVE-2017-0454",
          "summary": "An elevation of privilege vulnerability in the Qualcomm audio driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33353700. References: QC-CR#1104067.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0454"
        },
        {
          "id": "CVE-2017-0455",
          "summary": "An information disclosure vulnerability in the Qualcomm bootloader could help to enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as High because it is a general bypass for a bootloader level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-32370952. References: QC-CR#1082755.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0455"
        },
        {
          "id": "CVE-2017-0456",
          "summary": "An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33106520. References: QC-CR#1099598.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0456"
        },
        {
          "id": "CVE-2017-0457",
          "summary": "An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31695439. References: QC-CR#1086123, QC-CR#1100695.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0457"
        },
        {
          "id": "CVE-2017-0458",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32588962. References: QC-CR#1089433.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0458"
        },
        {
          "id": "CVE-2017-0459",
          "summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32644895. References: QC-CR#1091939.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0459"
        },
        {
          "id": "CVE-2017-0460",
          "summary": "An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31252965. References: QC-CR#1098801.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0460"
        },
        {
          "id": "CVE-2017-0461",
          "summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32073794. References: QC-CR#1100132.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0461"
        },
        {
          "id": "CVE-2017-0462",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33353601. References: QC-CR#1102288.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0462"
        },
        {
          "id": "CVE-2017-0463",
          "summary": "An elevation of privilege vulnerability in the Qualcomm networking driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33277611. References: QC-CR#1101792.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0463"
        },
        {
          "id": "CVE-2017-0464",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32940193. References: QC-CR#1102593.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0464"
        },
        {
          "id": "CVE-2017-0465",
          "summary": "An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34112914. References: QC-CR#1110747.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0465"
        },
        {
          "id": "CVE-2017-0507",
          "summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31992382.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0507"
        },
        {
          "id": "CVE-2017-0508",
          "summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.18. Android ID: A-33940449.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0508"
        },
        {
          "id": "CVE-2017-0510",
          "summary": "An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32402555.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0510"
        },
        {
          "id": "CVE-2017-0516",
          "summary": "An elevation of privilege vulnerability in the Qualcomm input hardware driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32341680. References: QC-CR#1096301.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0516"
        },
        {
          "id": "CVE-2017-0518",
          "summary": "An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32370896. References: QC-CR#1086530.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0518"
        },
        {
          "id": "CVE-2017-0519",
          "summary": "An elevation of privilege vulnerability in the Qualcomm fingerprint sensor driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32372915. References: QC-CR#1086530.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0519"
        },
        {
          "id": "CVE-2017-0520",
          "summary": "An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31750232. References: QC-CR#1082636.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0520"
        },
        {
          "id": "CVE-2017-0521",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32919951. References: QC-CR#1097709.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0521"
        },
        {
          "id": "CVE-2017-0523",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-32835279. References: QC-CR#1096945.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0523"
        },
        {
          "id": "CVE-2017-0524",
          "summary": "An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33002026.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0524"
        },
        {
          "id": "CVE-2017-0525",
          "summary": "An elevation of privilege vulnerability in the Qualcomm IPA driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33139056. References: QC-CR#1097714.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0525"
        },
        {
          "id": "CVE-2017-0526",
          "summary": "An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33897738.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0526"
        },
        {
          "id": "CVE-2017-0527",
          "summary": "An elevation of privilege vulnerability in the HTC Sensor Hub Driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33899318.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0527"
        },
        {
          "id": "CVE-2017-0528",
          "summary": "An elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to execute code in the context of a privileged process. This issue is rated as High because it is a general bypass for a kernel level defense in depth or exploit mitigation technology. Product: Android. Versions: Kernel-3.18. Android ID: A-33351919.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0528"
        },
        {
          "id": "CVE-2017-0531",
          "summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32877245. References: QC-CR#1087469.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0531"
        },
        {
          "id": "CVE-2017-0533",
          "summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32509422. References: QC-CR#1088206.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0533"
        },
        {
          "id": "CVE-2017-0534",
          "summary": "An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32508732. References: QC-CR#1088206.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0534"
        },
        {
          "id": "CVE-2017-0535",
          "summary": "An information disclosure vulnerability in the HTC sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33547247.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0535"
        },
        {
          "id": "CVE-2017-0536",
          "summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33555878.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0536"
        },
        {
          "id": "CVE-2017-0537",
          "summary": "An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0537"
        },
        {
          "id": "CVE-2017-0561",
          "summary": "A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0561"
        },
        {
          "id": "CVE-2017-0563",
          "summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32089409.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0563"
        },
        {
          "id": "CVE-2017-0564",
          "summary": "An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34276203.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0564"
        },
        {
          "id": "CVE-2017-0567",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32125310. References: B-RB#112575.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0567"
        },
        {
          "id": "CVE-2017-0568",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34197514. References: B-RB#112600.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0568"
        },
        {
          "id": "CVE-2017-0569",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0569"
        },
        {
          "id": "CVE-2017-0570",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199963. References: B-RB#110688.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0570"
        },
        {
          "id": "CVE-2017-0571",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34203305. References: B-RB#111541.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0571"
        },
        {
          "id": "CVE-2017-0572",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-34198931. References: B-RB#112597.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0572"
        },
        {
          "id": "CVE-2017-0573",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34469904. References: B-RB#91539.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0573"
        },
        {
          "id": "CVE-2017-0574",
          "summary": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34624457. References: B-RB#113189.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0574"
        },
        {
          "id": "CVE-2017-0575",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32658595. References: QC-CR#1103099.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0575"
        },
        {
          "id": "CVE-2017-0576",
          "summary": "An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33544431. References: QC-CR#1103089.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0576"
        },
        {
          "id": "CVE-2017-0577",
          "summary": "An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33842951.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0577"
        },
        {
          "id": "CVE-2017-0579",
          "summary": "An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34125463. References: QC-CR#1115406.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0579"
        },
        {
          "id": "CVE-2017-0580",
          "summary": "An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34325986.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0580"
        },
        {
          "id": "CVE-2017-0581",
          "summary": "An elevation of privilege vulnerability in the Synaptics Touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34614485.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0581"
        },
        {
          "id": "CVE-2017-0582",
          "summary": "An elevation of privilege vulnerability in the HTC OEM fastboot command could enable a local malicious application to execute arbitrary code within the context of the sensor hub. This issue is rated as Moderate because it first requires exploitation of separate vulnerabilities. Product: Android. Versions: Kernel-3.10. Android ID: A-33178836.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0582"
        },
        {
          "id": "CVE-2017-0583",
          "summary": "An elevation of privilege vulnerability in the Qualcomm CP access driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and because of vulnerability specific details which limit the impact of the issue. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32068683. References: QC-CR#1103788.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0583"
        },
        {
          "id": "CVE-2017-0584",
          "summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32074353. References: QC-CR#1104731.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0584"
        },
        {
          "id": "CVE-2017-0585",
          "summary": "An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32475556. References: B-RB#112953.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0585"
        },
        {
          "id": "CVE-2017-0586",
          "summary": "An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33649808. References: QC-CR#1097569.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0586"
        },
        {
          "id": "CVE-2017-0606",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34088848. References: QC-CR#1116015.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0606"
        },
        {
          "id": "CVE-2017-0607",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400551. References: QC-CR#1085928.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0607"
        },
        {
          "id": "CVE-2017-0608",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400458. References: QC-CR#1098363.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0608"
        },
        {
          "id": "CVE-2017-0609",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399801. References: QC-CR#1090482.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0609"
        },
        {
          "id": "CVE-2017-0610",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399404. References: QC-CR#1094852.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0610"
        },
        {
          "id": "CVE-2017-0611",
          "summary": "An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393841. References: QC-CR#1084210.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0611"
        },
        {
          "id": "CVE-2017-0612",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-34389303. References: QC-CR#1061845.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0612"
        },
        {
          "id": "CVE-2017-0613",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35400457. References: QC-CR#1086140.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0613"
        },
        {
          "id": "CVE-2017-0614",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399405. References: QC-CR#1080290.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0614"
        },
        {
          "id": "CVE-2017-0619",
          "summary": "An elevation of privilege vulnerability in the Qualcomm pin controller driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35401152. References: QC-CR#826566.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0619"
        },
        {
          "id": "CVE-2017-0620",
          "summary": "An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35401052. References: QC-CR#1081711.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0620"
        },
        {
          "id": "CVE-2017-0621",
          "summary": "An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35399703. References: QC-CR#831322.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0621"
        },
        {
          "id": "CVE-2017-0622",
          "summary": "An elevation of privilege vulnerability in the Goodix touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32749036. References: QC-CR#1098602.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0622"
        },
        {
          "id": "CVE-2017-0623",
          "summary": "An elevation of privilege vulnerability in the HTC bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32512358.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0623"
        },
        {
          "id": "CVE-2017-0624",
          "summary": "An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34327795. References: QC-CR#2005832.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0624"
        },
        {
          "id": "CVE-2017-0626",
          "summary": "An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35393124. References: QC-CR#1088050.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0626"
        },
        {
          "id": "CVE-2017-0627",
          "summary": "An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33300353.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0627"
        },
        {
          "id": "CVE-2017-0628",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34230377. References: QC-CR#1086833.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0628"
        },
        {
          "id": "CVE-2017-0629",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35214296. References: QC-CR#1086833.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0629"
        },
        {
          "id": "CVE-2017-0630",
          "summary": "An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34277115.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0630"
        },
        {
          "id": "CVE-2017-0631",
          "summary": "An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399756. References: QC-CR#1093232.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0631"
        },
        {
          "id": "CVE-2017-0632",
          "summary": "An information disclosure vulnerability in the Qualcomm sound codec driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-35392586. References: QC-CR#832915.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0632"
        },
        {
          "id": "CVE-2017-0633",
          "summary": "An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-36000515. References: B-RB#117131.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0633"
        },
        {
          "id": "CVE-2017-0634",
          "summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32511682.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0634"
        },
        {
          "id": "CVE-2017-0648",
          "summary": "An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-36101220.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0648"
        },
        {
          "id": "CVE-2017-0650",
          "summary": "An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35472278.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0650"
        },
        {
          "id": "CVE-2017-0651",
          "summary": "An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35644815.",
          "scorev2": "2.6",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-0651"
        },
        {
          "id": "CVE-2017-1000111",
          "summary": "Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000111"
        },
        {
          "id": "CVE-2017-1000112",
          "summary": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000112"
        },
        {
          "id": "CVE-2017-1000251",
          "summary": "The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.",
          "scorev2": "7.7",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000251"
        },
        {
          "id": "CVE-2017-1000252",
          "summary": "The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000252"
        },
        {
          "id": "CVE-2017-1000253",
          "summary": "Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the \"gap\" between the stack and the binary.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000253"
        },
        {
          "id": "CVE-2017-1000255",
          "summary": "On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: \"5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)\" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable.",
          "scorev2": "6.6",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000255",
          "detail": "fixed-version",
          "description": "Fixed from version 4.14rc5"
        },
        {
          "id": "CVE-2017-1000363",
          "summary": "Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000363"
        },
        {
          "id": "CVE-2017-1000364",
          "summary": "An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be \"jumped\" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).",
          "scorev2": "6.2",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000364"
        },
        {
          "id": "CVE-2017-1000365",
          "summary": "The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000365"
        },
        {
          "id": "CVE-2017-1000370",
          "summary": "The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000370"
        },
        {
          "id": "CVE-2017-1000371",
          "summary": "The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000371"
        },
        {
          "id": "CVE-2017-1000377",
          "summary": "An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors), specifically the default stack guard page is not sufficiently large and can be \"jumped\" over (the stack guard page is bypassed), this affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time).",
          "scorev2": "4.6",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000377",
          "detail": "not-applicable-platform",
          "description": "GRSecurity specific"
        },
        {
          "id": "CVE-2017-1000379",
          "summary": "The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000379"
        },
        {
          "id": "CVE-2017-1000380",
          "summary": "sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000380"
        },
        {
          "id": "CVE-2017-1000405",
          "summary": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000405"
        },
        {
          "id": "CVE-2017-1000407",
          "summary": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.",
          "scorev2": "6.1",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000407"
        },
        {
          "id": "CVE-2017-1000410",
          "summary": "The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes).",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000410"
        },
        {
          "id": "CVE-2017-10661",
          "summary": "Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10661"
        },
        {
          "id": "CVE-2017-10662",
          "summary": "The sanity_check_raw_super function in fs/f2fs/super.c in the Linux kernel before 4.11.1 does not validate the segment count, which allows local users to gain privileges via unspecified vectors.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10662"
        },
        {
          "id": "CVE-2017-10663",
          "summary": "The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel before 4.12.4 does not validate the blkoff and segno arrays, which allows local users to gain privileges via unspecified vectors.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10663"
        },
        {
          "id": "CVE-2017-10810",
          "summary": "Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10810"
        },
        {
          "id": "CVE-2017-10911",
          "summary": "The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-10911"
        },
        {
          "id": "CVE-2017-11176",
          "summary": "The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11176"
        },
        {
          "id": "CVE-2017-11472",
          "summary": "The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11472"
        },
        {
          "id": "CVE-2017-11473",
          "summary": "Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11473"
        },
        {
          "id": "CVE-2017-11600",
          "summary": "net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-11600"
        },
        {
          "id": "CVE-2017-12146",
          "summary": "The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation that involve different overrides.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12146"
        },
        {
          "id": "CVE-2017-12153",
          "summary": "A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12153"
        },
        {
          "id": "CVE-2017-12154",
          "summary": "The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the \"CR8-load exiting\" and \"CR8-store exiting\" L0 vmcs02 controls exist in cases where L1 omits the \"use TPR shadow\" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12154"
        },
        {
          "id": "CVE-2017-12168",
          "summary": "The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).",
          "scorev2": "4.9",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12168"
        },
        {
          "id": "CVE-2017-12188",
          "summary": "arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun.\"",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12188"
        },
        {
          "id": "CVE-2017-12190",
          "summary": "The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12190"
        },
        {
          "id": "CVE-2017-12192",
          "summary": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12192"
        },
        {
          "id": "CVE-2017-12193",
          "summary": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12193"
        },
        {
          "id": "CVE-2017-12762",
          "summary": "In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12762"
        },
        {
          "id": "CVE-2017-13686",
          "summary": "net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too late to check for a NULL fi field when RTM_F_FIB_MATCH is set, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via crafted system calls. NOTE: this does not affect any stable release.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13686"
        },
        {
          "id": "CVE-2017-13693",
          "summary": "The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13693"
        },
        {
          "id": "CVE-2017-13694",
          "summary": "The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13694"
        },
        {
          "id": "CVE-2017-13695",
          "summary": "The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13695"
        },
        {
          "id": "CVE-2017-13715",
          "summary": "The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-13715"
        },
        {
          "id": "CVE-2017-14051",
          "summary": "An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14051"
        },
        {
          "id": "CVE-2017-14106",
          "summary": "The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14106"
        },
        {
          "id": "CVE-2017-14140",
          "summary": "The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14140"
        },
        {
          "id": "CVE-2017-14156",
          "summary": "The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14156"
        },
        {
          "id": "CVE-2017-14340",
          "summary": "The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14340"
        },
        {
          "id": "CVE-2017-14489",
          "summary": "The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14489"
        },
        {
          "id": "CVE-2017-14497",
          "summary": "The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14497"
        },
        {
          "id": "CVE-2017-14954",
          "summary": "The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14954"
        },
        {
          "id": "CVE-2017-14991",
          "summary": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-14991"
        },
        {
          "id": "CVE-2017-15102",
          "summary": "The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.",
          "scorev2": "6.9",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15102"
        },
        {
          "id": "CVE-2017-15115",
          "summary": "The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15115"
        },
        {
          "id": "CVE-2017-15116",
          "summary": "The rngapi_reset function in crypto/rng.c in the Linux kernel before 4.2 allows attackers to cause a denial of service (NULL pointer dereference).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15116"
        },
        {
          "id": "CVE-2017-15126",
          "summary": "A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is related to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put().",
          "scorev2": "9.3",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15126"
        },
        {
          "id": "CVE-2017-15127",
          "summary": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15127"
        },
        {
          "id": "CVE-2017-15128",
          "summary": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. A lack of size check could cause a denial of service (BUG).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15128"
        },
        {
          "id": "CVE-2017-15129",
          "summary": "A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.",
          "scorev2": "4.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15129"
        },
        {
          "id": "CVE-2017-15265",
          "summary": "Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15265"
        },
        {
          "id": "CVE-2017-15274",
          "summary": "security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15274"
        },
        {
          "id": "CVE-2017-15299",
          "summary": "The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of add_key for a key that already exists but is uninstantiated, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15299"
        },
        {
          "id": "CVE-2017-15306",
          "summary": "The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) via a KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to /dev/kvm.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15306"
        },
        {
          "id": "CVE-2017-15537",
          "summary": "The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15537"
        },
        {
          "id": "CVE-2017-15649",
          "summary": "net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15649"
        },
        {
          "id": "CVE-2017-15868",
          "summary": "The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15868"
        },
        {
          "id": "CVE-2017-15951",
          "summary": "The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the \"negative\" state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15951"
        },
        {
          "id": "CVE-2017-16525",
          "summary": "The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16525"
        },
        {
          "id": "CVE-2017-16526",
          "summary": "drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16526"
        },
        {
          "id": "CVE-2017-16527",
          "summary": "sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16527"
        },
        {
          "id": "CVE-2017-16528",
          "summary": "sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16528"
        },
        {
          "id": "CVE-2017-16529",
          "summary": "The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16529"
        },
        {
          "id": "CVE-2017-16530",
          "summary": "The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16530"
        },
        {
          "id": "CVE-2017-16531",
          "summary": "drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16531"
        },
        {
          "id": "CVE-2017-16532",
          "summary": "The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16532"
        },
        {
          "id": "CVE-2017-16533",
          "summary": "The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16533"
        },
        {
          "id": "CVE-2017-16534",
          "summary": "The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16534"
        },
        {
          "id": "CVE-2017-16535",
          "summary": "The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16535"
        },
        {
          "id": "CVE-2017-16536",
          "summary": "The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16536"
        },
        {
          "id": "CVE-2017-16537",
          "summary": "The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16537"
        },
        {
          "id": "CVE-2017-16538",
          "summary": "drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16538"
        },
        {
          "id": "CVE-2017-16643",
          "summary": "The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16643"
        },
        {
          "id": "CVE-2017-16644",
          "summary": "The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16644"
        },
        {
          "id": "CVE-2017-16645",
          "summary": "The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16645"
        },
        {
          "id": "CVE-2017-16646",
          "summary": "drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16646"
        },
        {
          "id": "CVE-2017-16647",
          "summary": "drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16647"
        },
        {
          "id": "CVE-2017-16648",
          "summary": "The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16648"
        },
        {
          "id": "CVE-2017-16649",
          "summary": "The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16649"
        },
        {
          "id": "CVE-2017-16650",
          "summary": "The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16650"
        },
        {
          "id": "CVE-2017-16911",
          "summary": "The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16911"
        },
        {
          "id": "CVE-2017-16912",
          "summary": "The \"get_pipe()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16912"
        },
        {
          "id": "CVE-2017-16913",
          "summary": "The \"stub_recv_cmd_submit()\" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16913"
        },
        {
          "id": "CVE-2017-16914",
          "summary": "The \"stub_send_ret_submit()\" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16914"
        },
        {
          "id": "CVE-2017-16939",
          "summary": "The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16939"
        },
        {
          "id": "CVE-2017-16994",
          "summary": "The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16994"
        },
        {
          "id": "CVE-2017-16995",
          "summary": "The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16995"
        },
        {
          "id": "CVE-2017-16996",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16996"
        },
        {
          "id": "CVE-2017-17052",
          "summary": "The mm_init function in kernel/fork.c in the Linux kernel before 4.12.10 does not clear the ->exe_file member of a new process's mm_struct, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17052"
        },
        {
          "id": "CVE-2017-17053",
          "summary": "The init_new_context function in arch/x86/include/asm/mmu_context.h in the Linux kernel before 4.12.10 does not correctly handle errors from LDT table allocation when forking a new process, allowing a local attacker to achieve a use-after-free or possibly have unspecified other impact by running a specially crafted program. This vulnerability only affected kernels built with CONFIG_MODIFY_LDT_SYSCALL=y.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17053"
        },
        {
          "id": "CVE-2017-17448",
          "summary": "net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17448"
        },
        {
          "id": "CVE-2017-17449",
          "summary": "The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17449"
        },
        {
          "id": "CVE-2017-17450",
          "summary": "net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17450"
        },
        {
          "id": "CVE-2017-17558",
          "summary": "The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17558"
        },
        {
          "id": "CVE-2017-17712",
          "summary": "The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17712"
        },
        {
          "id": "CVE-2017-17741",
          "summary": "The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17741"
        },
        {
          "id": "CVE-2017-17805",
          "summary": "The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17805"
        },
        {
          "id": "CVE-2017-17806",
          "summary": "The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17806"
        },
        {
          "id": "CVE-2017-17807",
          "summary": "The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's \"default request-key keyring\" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17807"
        },
        {
          "id": "CVE-2017-17852",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17852"
        },
        {
          "id": "CVE-2017-17853",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17853"
        },
        {
          "id": "CVE-2017-17854",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17854"
        },
        {
          "id": "CVE-2017-17855",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17855"
        },
        {
          "id": "CVE-2017-17856",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17856"
        },
        {
          "id": "CVE-2017-17857",
          "summary": "The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17857"
        },
        {
          "id": "CVE-2017-17862",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17862"
        },
        {
          "id": "CVE-2017-17863",
          "summary": "kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17863"
        },
        {
          "id": "CVE-2017-17864",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17864"
        },
        {
          "id": "CVE-2017-17975",
          "summary": "Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17975"
        },
        {
          "id": "CVE-2017-18017",
          "summary": "The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18017"
        },
        {
          "id": "CVE-2017-18075",
          "summary": "crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18075"
        },
        {
          "id": "CVE-2017-18079",
          "summary": "drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18079"
        },
        {
          "id": "CVE-2017-18174",
          "summary": "In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18174"
        },
        {
          "id": "CVE-2017-18193",
          "summary": "fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18193"
        },
        {
          "id": "CVE-2017-18200",
          "summary": "The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18200"
        },
        {
          "id": "CVE-2017-18202",
          "summary": "The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18202"
        },
        {
          "id": "CVE-2017-18203",
          "summary": "The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18203"
        },
        {
          "id": "CVE-2017-18204",
          "summary": "The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18204"
        },
        {
          "id": "CVE-2017-18208",
          "summary": "The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18208"
        },
        {
          "id": "CVE-2017-18216",
          "summary": "In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18216"
        },
        {
          "id": "CVE-2017-18218",
          "summary": "In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18218"
        },
        {
          "id": "CVE-2017-18221",
          "summary": "The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18221"
        },
        {
          "id": "CVE-2017-18222",
          "summary": "In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18222"
        },
        {
          "id": "CVE-2017-18224",
          "summary": "In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18224"
        },
        {
          "id": "CVE-2017-18232",
          "summary": "The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18232"
        },
        {
          "id": "CVE-2017-18241",
          "summary": "fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18241"
        },
        {
          "id": "CVE-2017-18249",
          "summary": "The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18249"
        },
        {
          "id": "CVE-2017-18255",
          "summary": "The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18255"
        },
        {
          "id": "CVE-2017-18257",
          "summary": "The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18257"
        },
        {
          "id": "CVE-2017-18261",
          "summary": "The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_timer.h in the Linux kernel before 4.13 allows local users to cause a denial of service (infinite recursion) by writing to a file under /sys/kernel/debug in certain circumstances, as demonstrated by a scenario involving debugfs, ftrace, PREEMPT_TRACER, and FUNCTION_GRAPH_TRACER.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18261"
        },
        {
          "id": "CVE-2017-18270",
          "summary": "In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18270"
        },
        {
          "id": "CVE-2017-18344",
          "summary": "The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18344"
        },
        {
          "id": "CVE-2017-18360",
          "summary": "In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18360"
        },
        {
          "id": "CVE-2017-18379",
          "summary": "In the Linux kernel before 4.14, an out of boundary access happened in drivers/nvme/target/fc.c.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18379"
        },
        {
          "id": "CVE-2017-18509",
          "summary": "An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18509"
        },
        {
          "id": "CVE-2017-18549",
          "summary": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18549"
        },
        {
          "id": "CVE-2017-18550",
          "summary": "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18550"
        },
        {
          "id": "CVE-2017-18551",
          "summary": "An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18551"
        },
        {
          "id": "CVE-2017-18552",
          "summary": "An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18552"
        },
        {
          "id": "CVE-2017-18595",
          "summary": "An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18595"
        },
        {
          "id": "CVE-2017-2583",
          "summary": "The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a \"MOV SS, NULL selector\" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application.",
          "scorev2": "4.6",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2583"
        },
        {
          "id": "CVE-2017-2584",
          "summary": "arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2584"
        },
        {
          "id": "CVE-2017-2596",
          "summary": "The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2596"
        },
        {
          "id": "CVE-2017-2618",
          "summary": "A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2618"
        },
        {
          "id": "CVE-2017-2634",
          "summary": "It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation before 2.6.22.17 used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2634"
        },
        {
          "id": "CVE-2017-2636",
          "summary": "Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2636"
        },
        {
          "id": "CVE-2017-2647",
          "summary": "The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2647"
        },
        {
          "id": "CVE-2017-2671",
          "summary": "The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-2671"
        },
        {
          "id": "CVE-2017-5123",
          "summary": "Insufficient data validation in waitid allowed a user to escape sandboxes on Linux.",
          "scorev2": "4.6",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5123"
        },
        {
          "id": "CVE-2017-5546",
          "summary": "The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5546"
        },
        {
          "id": "CVE-2017-5547",
          "summary": "drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5547"
        },
        {
          "id": "CVE-2017-5548",
          "summary": "drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5548"
        },
        {
          "id": "CVE-2017-5549",
          "summary": "The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5549"
        },
        {
          "id": "CVE-2017-5550",
          "summary": "Off-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before 4.9.5 allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5550"
        },
        {
          "id": "CVE-2017-5551",
          "summary": "The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5551"
        },
        {
          "id": "CVE-2017-5576",
          "summary": "Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5576"
        },
        {
          "id": "CVE-2017-5577",
          "summary": "The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5577"
        },
        {
          "id": "CVE-2017-5669",
          "summary": "The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5669"
        },
        {
          "id": "CVE-2017-5897",
          "summary": "The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5897"
        },
        {
          "id": "CVE-2017-5967",
          "summary": "The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5967"
        },
        {
          "id": "CVE-2017-5970",
          "summary": "The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5970"
        },
        {
          "id": "CVE-2017-5972",
          "summary": "The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7. NOTE: third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5972"
        },
        {
          "id": "CVE-2017-5986",
          "summary": "Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-5986"
        },
        {
          "id": "CVE-2017-6001",
          "summary": "Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.",
          "scorev2": "7.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6001"
        },
        {
          "id": "CVE-2017-6074",
          "summary": "The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6074"
        },
        {
          "id": "CVE-2017-6214",
          "summary": "The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6214"
        },
        {
          "id": "CVE-2017-6264",
          "summary": "An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out-of-bounds memory read used as a function pointer could lead to code execution in the kernel. This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6264",
          "detail": "not-applicable-platform",
          "description": "Android specific"
        },
        {
          "id": "CVE-2017-6345",
          "summary": "The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6345"
        },
        {
          "id": "CVE-2017-6346",
          "summary": "Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6346"
        },
        {
          "id": "CVE-2017-6347",
          "summary": "The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6347"
        },
        {
          "id": "CVE-2017-6348",
          "summary": "The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6348"
        },
        {
          "id": "CVE-2017-6353",
          "summary": "net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6353"
        },
        {
          "id": "CVE-2017-6874",
          "summary": "Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6874"
        },
        {
          "id": "CVE-2017-6951",
          "summary": "The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the \"dead\" type.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-6951"
        },
        {
          "id": "CVE-2017-7184",
          "summary": "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7184"
        },
        {
          "id": "CVE-2017-7187",
          "summary": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7187"
        },
        {
          "id": "CVE-2017-7261",
          "summary": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7261"
        },
        {
          "id": "CVE-2017-7273",
          "summary": "The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report.",
          "scorev2": "4.6",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7273"
        },
        {
          "id": "CVE-2017-7277",
          "summary": "The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.",
          "scorev2": "6.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7277"
        },
        {
          "id": "CVE-2017-7294",
          "summary": "The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7294"
        },
        {
          "id": "CVE-2017-7308",
          "summary": "The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7308"
        },
        {
          "id": "CVE-2017-7346",
          "summary": "The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7346"
        },
        {
          "id": "CVE-2017-7374",
          "summary": "Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7374"
        },
        {
          "id": "CVE-2017-7472",
          "summary": "The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7472"
        },
        {
          "id": "CVE-2017-7477",
          "summary": "Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7477"
        },
        {
          "id": "CVE-2017-7482",
          "summary": "In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.",
          "scorev2": "7.2",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7482"
        },
        {
          "id": "CVE-2017-7487",
          "summary": "The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7487"
        },
        {
          "id": "CVE-2017-7495",
          "summary": "fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write system calls, and reading this file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7495"
        },
        {
          "id": "CVE-2017-7518",
          "summary": "A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.",
          "scorev2": "4.6",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7518"
        },
        {
          "id": "CVE-2017-7533",
          "summary": "Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7533"
        },
        {
          "id": "CVE-2017-7541",
          "summary": "The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7541"
        },
        {
          "id": "CVE-2017-7542",
          "summary": "The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7542"
        },
        {
          "id": "CVE-2017-7558",
          "summary": "A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.",
          "scorev2": "5.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7558"
        },
        {
          "id": "CVE-2017-7616",
          "summary": "Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7616"
        },
        {
          "id": "CVE-2017-7618",
          "summary": "crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7618"
        },
        {
          "id": "CVE-2017-7645",
          "summary": "The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7645"
        },
        {
          "id": "CVE-2017-7889",
          "summary": "The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7889"
        },
        {
          "id": "CVE-2017-7895",
          "summary": "The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7895"
        },
        {
          "id": "CVE-2017-7979",
          "summary": "The cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel 4.11.x through 4.11-rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, and system hang or crash) or possibly have unspecified other impact via \"tc filter add\" commands in certain contexts. NOTE: this does not affect stable kernels, such as 4.10.x, from kernel.org.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7979"
        },
        {
          "id": "CVE-2017-8061",
          "summary": "drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8061"
        },
        {
          "id": "CVE-2017-8062",
          "summary": "drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8062"
        },
        {
          "id": "CVE-2017-8063",
          "summary": "drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8063"
        },
        {
          "id": "CVE-2017-8064",
          "summary": "drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8064"
        },
        {
          "id": "CVE-2017-8065",
          "summary": "crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8065"
        },
        {
          "id": "CVE-2017-8066",
          "summary": "drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8066"
        },
        {
          "id": "CVE-2017-8067",
          "summary": "drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8067"
        },
        {
          "id": "CVE-2017-8068",
          "summary": "drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8068"
        },
        {
          "id": "CVE-2017-8069",
          "summary": "drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8069"
        },
        {
          "id": "CVE-2017-8070",
          "summary": "drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8070"
        },
        {
          "id": "CVE-2017-8071",
          "summary": "drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8071"
        },
        {
          "id": "CVE-2017-8072",
          "summary": "The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8072"
        },
        {
          "id": "CVE-2017-8106",
          "summary": "The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8106"
        },
        {
          "id": "CVE-2017-8797",
          "summary": "The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8797"
        },
        {
          "id": "CVE-2017-8824",
          "summary": "The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8824"
        },
        {
          "id": "CVE-2017-8831",
          "summary": "The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a \"double fetch\" vulnerability.",
          "scorev2": "6.9",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8831"
        },
        {
          "id": "CVE-2017-8890",
          "summary": "The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8890"
        },
        {
          "id": "CVE-2017-8924",
          "summary": "The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8924"
        },
        {
          "id": "CVE-2017-8925",
          "summary": "The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-8925"
        },
        {
          "id": "CVE-2017-9059",
          "summary": "The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a \"module reference and kernel daemon\" leak.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9059"
        },
        {
          "id": "CVE-2017-9074",
          "summary": "The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9074"
        },
        {
          "id": "CVE-2017-9075",
          "summary": "The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9075"
        },
        {
          "id": "CVE-2017-9076",
          "summary": "The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9076"
        },
        {
          "id": "CVE-2017-9077",
          "summary": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9077"
        },
        {
          "id": "CVE-2017-9150",
          "summary": "The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9150"
        },
        {
          "id": "CVE-2017-9211",
          "summary": "The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9211"
        },
        {
          "id": "CVE-2017-9242",
          "summary": "The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9242"
        },
        {
          "id": "CVE-2017-9605",
          "summary": "The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9605"
        },
        {
          "id": "CVE-2017-9984",
          "summary": "The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9984"
        },
        {
          "id": "CVE-2017-9985",
          "summary": "The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9985"
        },
        {
          "id": "CVE-2017-9986",
          "summary": "The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a \"double fetch\" vulnerability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9986"
        },
        {
          "id": "CVE-2018-1000004",
          "summary": "In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions, a race condition vulnerability exists in the sound system; this can lead to a deadlock and denial of service condition.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000004"
        },
        {
          "id": "CVE-2018-1000026",
          "summary": "The Linux kernel, version at least v4.8 onwards and probably well before, contains an insufficient input validation vulnerability in the bnx2x network card driver that can result in DoS: a network card firmware assertion takes the card off-line. This attack appears to be exploitable via an attacker who must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM.",
          "scorev2": "6.8",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000026"
        },
        {
          "id": "CVE-2018-1000028",
          "summary": "Linux kernel versions after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contain an Incorrect Access Control vulnerability in the NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appears to be exploitable when the NFS server exports a filesystem with the \"rootsquash\" option enabled. This vulnerability appears to have been fixed after commit 1995266727fa.",
          "scorev2": "5.8",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000028"
        },
        {
          "id": "CVE-2018-1000199",
          "summary": "The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in a crash and possibly memory corruption. This attack appears to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000199"
        },
        {
          "id": "CVE-2018-1000200",
          "summary": "The Linux Kernel versions 4.14, 4.15, and 4.16 have a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas. This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000200"
        },
        {
          "id": "CVE-2018-1000204",
          "summary": "Linux Kernel versions 3.18 to 4.16 incorrectly handle an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it \"virtually impossible to exploit.\"",
          "scorev2": "6.3",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000204"
        },
        {
          "id": "CVE-2018-10021",
          "summary": "drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10021"
        },
        {
          "id": "CVE-2018-10074",
          "summary": "The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10074"
        },
        {
          "id": "CVE-2018-10087",
          "summary": "The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10087"
        },
        {
          "id": "CVE-2018-10124",
          "summary": "The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10124"
        },
        {
          "id": "CVE-2018-10322",
          "summary": "The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10322"
        },
        {
          "id": "CVE-2018-10323",
          "summary": "The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10323"
        },
        {
          "id": "CVE-2018-1065",
          "summary": "The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1065"
        },
        {
          "id": "CVE-2018-1066",
          "summary": "The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.",
          "scorev2": "7.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1066"
        },
        {
          "id": "CVE-2018-10675",
          "summary": "The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10675"
        },
        {
          "id": "CVE-2018-1068",
          "summary": "A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1068"
        },
        {
          "id": "CVE-2018-10840",
          "summary": "Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.",
          "scorev2": "7.2",
          "scorev3": "5.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10840",
          "detail": "fixed-version",
          "description": "Fixed from version 4.18rc1"
        },
        {
          "id": "CVE-2018-10853",
          "summary": "A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check the current privilege level (CPL) while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside the guest.",
          "scorev2": "4.6",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10853"
        },
        {
          "id": "CVE-2018-1087",
          "summary": "kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.",
          "scorev2": "4.6",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1087"
        },
        {
          "id": "CVE-2018-10876",
          "summary": "A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image.",
          "scorev2": "4.9",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10876",
          "detail": "fixed-version",
          "description": "Fixed from version 4.18rc4"
        },
        {
          "id": "CVE-2018-10877",
          "summary": "Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.",
          "scorev2": "6.8",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10877"
        },
        {
          "id": "CVE-2018-10878",
          "summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.",
          "scorev2": "6.1",
          "scorev3": "4.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10878"
        },
        {
          "id": "CVE-2018-10879",
          "summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.",
          "scorev2": "6.1",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10879"
        },
        {
          "id": "CVE-2018-10880",
          "summary": "Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10880"
        },
        {
          "id": "CVE-2018-10881",
          "summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.",
          "scorev2": "4.9",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10881"
        },
        {
          "id": "CVE-2018-10882",
          "summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.",
          "scorev2": "4.9",
          "scorev3": "4.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10882",
          "detail": "fixed-version",
          "description": "Fixed from version 4.18rc4"
        },
        {
          "id": "CVE-2018-10883",
          "summary": "A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.",
          "scorev2": "4.9",
          "scorev3": "4.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10883"
        },
        {
          "id": "CVE-2018-10901",
          "summary": "A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10901"
        },
        {
          "id": "CVE-2018-10902",
          "summary": "It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10902",
          "detail": "fixed-version",
          "description": "Fixed from version 4.18rc6"
        },
        {
          "id": "CVE-2018-1091",
          "summary": "In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1091"
        },
        {
          "id": "CVE-2018-1092",
          "summary": "The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1092"
        },
        {
          "id": "CVE-2018-1093",
          "summary": "The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1093"
        },
        {
          "id": "CVE-2018-10938",
          "summary": "A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10938"
        },
        {
          "id": "CVE-2018-1094",
          "summary": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1094"
        },
        {
          "id": "CVE-2018-10940",
          "summary": "The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-10940"
        },
        {
          "id": "CVE-2018-1095",
          "summary": "The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel through 4.15.15 does not properly validate xattr sizes, which causes misinterpretation of a size as an error code, and consequently allows attackers to cause a denial of service (get_acl NULL pointer dereference and system crash) via a crafted ext4 image.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1095"
        },
        {
          "id": "CVE-2018-1108",
          "summary": "kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1108"
        },
        {
          "id": "CVE-2018-1118",
          "summary": "Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.",
          "scorev2": "2.1",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1118"
        },
        {
          "id": "CVE-2018-1120",
          "summary": "A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).",
          "scorev2": "3.5",
          "scorev3": "2.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1120"
        },
        {
          "id": "CVE-2018-11232",
          "summary": "The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11232"
        },
        {
          "id": "CVE-2018-1130",
          "summary": "Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1130"
        },
        {
          "id": "CVE-2018-11412",
          "summary": "In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11412"
        },
        {
          "id": "CVE-2018-11506",
          "summary": "The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11506"
        },
        {
          "id": "CVE-2018-11508",
          "summary": "The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-11508"
        },
        {
          "id": "CVE-2018-12232",
          "summary": "In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12232"
        },
        {
          "id": "CVE-2018-12233",
          "summary": "In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12233"
        },
        {
          "id": "CVE-2018-12633",
          "summary": "An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage.",
          "scorev2": "6.3",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12633"
        },
        {
          "id": "CVE-2018-12714",
          "summary": "An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12714"
        },
        {
          "id": "CVE-2018-12896",
          "summary": "An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12896"
        },
        {
          "id": "CVE-2018-12904",
          "summary": "In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.",
          "scorev2": "4.4",
          "scorev3": "4.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12904"
        },
        {
          "id": "CVE-2018-12928",
          "summary": "In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12928"
        },
        {
          "id": "CVE-2018-12929",
          "summary": "ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12929"
        },
        {
          "id": "CVE-2018-12930",
          "summary": "ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12930"
        },
        {
          "id": "CVE-2018-12931",
          "summary": "ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-12931"
        },
        {
          "id": "CVE-2018-13053",
          "summary": "The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13053"
        },
        {
          "id": "CVE-2018-13093",
          "summary": "An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13093"
        },
        {
          "id": "CVE-2018-13094",
          "summary": "An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13094"
        },
        {
          "id": "CVE-2018-13095",
          "summary": "An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13095"
        },
        {
          "id": "CVE-2018-13096",
          "summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13096"
        },
        {
          "id": "CVE-2018-13097",
          "summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG).",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13097"
        },
        {
          "id": "CVE-2018-13098",
          "summary": "An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13098"
        },
        {
          "id": "CVE-2018-13099",
          "summary": "An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13099"
        },
        {
          "id": "CVE-2018-13100",
          "summary": "An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13100"
        },
        {
          "id": "CVE-2018-13405",
          "summary": "The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13405"
        },
        {
          "id": "CVE-2018-13406",
          "summary": "An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-13406"
        },
        {
          "id": "CVE-2018-14609",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14609"
        },
        {
          "id": "CVE-2018-14610",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14610"
        },
        {
          "id": "CVE-2018-14611",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14611"
        },
        {
          "id": "CVE-2018-14612",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14612"
        },
        {
          "id": "CVE-2018-14613",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14613"
        },
        {
          "id": "CVE-2018-14614",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14614"
        },
        {
          "id": "CVE-2018-14615",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14615"
        },
        {
          "id": "CVE-2018-14616",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14616"
        },
        {
          "id": "CVE-2018-14617",
          "summary": "An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14617"
        },
        {
          "id": "CVE-2018-14619",
          "summary": "A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The \"null skcipher\" was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges.",
          "scorev2": "7.2",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14619"
        },
        {
          "id": "CVE-2018-14625",
          "summary": "A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.",
          "scorev2": "4.4",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14625",
          "detail": "fixed-version",
          "description": "Fixed from version 4.20rc6"
        },
        {
          "id": "CVE-2018-14633",
          "summary": "A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.",
          "scorev2": "8.3",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14633"
        },
        {
          "id": "CVE-2018-14634",
          "summary": "An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14634"
        },
        {
          "id": "CVE-2018-14641",
          "summary": "A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.",
          "scorev2": "7.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14641"
        },
        {
          "id": "CVE-2018-14646",
          "summary": "The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14646"
        },
        {
          "id": "CVE-2018-14656",
          "summary": "A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log.",
          "scorev2": "2.1",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14656"
        },
        {
          "id": "CVE-2018-14678",
          "summary": "An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14678"
        },
        {
          "id": "CVE-2018-14734",
          "summary": "drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free).",
          "scorev2": "6.1",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-14734"
        },
        {
          "id": "CVE-2018-15471",
          "summary": "An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15471"
        },
        {
          "id": "CVE-2018-15572",
          "summary": "The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15572"
        },
        {
          "id": "CVE-2018-15594",
          "summary": "arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-15594"
        },
        {
          "id": "CVE-2018-16276",
          "summary": "An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16276"
        },
        {
          "id": "CVE-2018-16597",
          "summary": "An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16597"
        },
        {
          "id": "CVE-2018-16658",
          "summary": "An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940.",
          "scorev2": "3.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16658"
        },
        {
          "id": "CVE-2018-16862",
          "summary": "A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.",
          "scorev2": "2.1",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16862"
        },
        {
          "id": "CVE-2018-16871",
          "summary": "A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16871"
        },
        {
          "id": "CVE-2018-16880",
          "summary": "A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Versions from v4.16 and newer are vulnerable.",
          "scorev2": "6.9",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16880"
        },
        {
          "id": "CVE-2018-16882",
          "summary": "A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable.",
          "scorev2": "7.2",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16882"
        },
        {
          "id": "CVE-2018-16884",
          "summary": "A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.",
          "scorev2": "6.7",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16884"
        },
        {
          "id": "CVE-2018-16885",
          "summary": "A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7.",
          "scorev2": "4.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-16885"
        },
        {
          "id": "CVE-2018-17182",
          "summary": "An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17182"
        },
        {
          "id": "CVE-2018-17972",
          "summary": "An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17972"
        },
        {
          "id": "CVE-2018-17977",
          "summary": "The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-17977"
        },
        {
          "id": "CVE-2018-18021",
          "summary": "arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18021"
        },
        {
          "id": "CVE-2018-18281",
          "summary": "Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18281"
        },
        {
          "id": "CVE-2018-18386",
          "summary": "drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18386"
        },
        {
          "id": "CVE-2018-18397",
          "summary": "The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18397"
        },
        {
          "id": "CVE-2018-18445",
          "summary": "In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18445"
        },
        {
          "id": "CVE-2018-18559",
          "summary": "In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.",
          "scorev2": "6.8",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18559"
        },
        {
          "id": "CVE-2018-18690",
          "summary": "In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18690"
        },
        {
          "id": "CVE-2018-18710",
          "summary": "An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18710"
        },
        {
          "id": "CVE-2018-18955",
          "summary": "In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-18955"
        },
        {
          "id": "CVE-2018-19406",
          "summary": "kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19406"
        },
        {
          "id": "CVE-2018-19407",
          "summary": "The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19407"
        },
        {
          "id": "CVE-2018-19824",
          "summary": "In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19824"
        },
        {
          "id": "CVE-2018-19854",
          "summary": "An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option).",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19854"
        },
        {
          "id": "CVE-2018-19985",
          "summary": "The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19985"
        },
        {
          "id": "CVE-2018-20169",
          "summary": "An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.",
          "scorev2": "7.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20169"
        },
        {
          "id": "CVE-2018-20449",
          "summary": "The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"callback=\" lines in a debugfs file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20449"
        },
        {
          "id": "CVE-2018-20509",
          "summary": "The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \" ref *desc *node\" lines in a debugfs file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20509"
        },
        {
          "id": "CVE-2018-20510",
          "summary": "The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading \"*from *code *flags\" lines in a debugfs file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20510"
        },
        {
          "id": "CVE-2018-20511",
          "summary": "An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20511"
        },
        {
          "id": "CVE-2018-20669",
          "summary": "An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20669"
        },
        {
          "id": "CVE-2018-20784",
          "summary": "In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20784"
        },
        {
          "id": "CVE-2018-20836",
          "summary": "An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.",
          "scorev2": "9.3",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20836"
        },
        {
          "id": "CVE-2018-20854",
          "summary": "An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20854"
        },
        {
          "id": "CVE-2018-20855",
          "summary": "An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20855"
        },
        {
          "id": "CVE-2018-20856",
          "summary": "An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20856"
        },
        {
          "id": "CVE-2018-20961",
          "summary": "In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20961"
        },
        {
          "id": "CVE-2018-20976",
          "summary": "An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-20976"
        },
        {
          "id": "CVE-2018-21008",
          "summary": "An issue was discovered in the Linux kernel before 4.16.7. A use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-21008"
        },
        {
          "id": "CVE-2018-25015",
          "summary": "An issue was discovered in the Linux kernel before 4.14.16. There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25015"
        },
        {
          "id": "CVE-2018-25020",
          "summary": "The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-25020"
        },
        {
          "id": "CVE-2018-5332",
          "summary": "In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c).",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5332"
        },
        {
          "id": "CVE-2018-5333",
          "summary": "In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5333"
        },
        {
          "id": "CVE-2018-5344",
          "summary": "In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5344"
        },
        {
          "id": "CVE-2018-5390",
          "summary": "Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5390"
        },
        {
          "id": "CVE-2018-5391",
          "summary": "The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5391"
        },
        {
          "id": "CVE-2018-5703",
          "summary": "The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5703"
        },
        {
          "id": "CVE-2018-5750",
          "summary": "The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5750"
        },
        {
          "id": "CVE-2018-5803",
          "summary": "In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the \"_sctp_make_chunk()\" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5803"
        },
        {
          "id": "CVE-2018-5814",
          "summary": "In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5814"
        },
        {
          "id": "CVE-2018-5873",
          "summary": "An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5873"
        },
        {
          "id": "CVE-2018-5953",
          "summary": "The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"software IO TLB\" printk call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5953"
        },
        {
          "id": "CVE-2018-5995",
          "summary": "The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a \"pages/cpu\" printk call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-5995"
        },
        {
          "id": "CVE-2018-6412",
          "summary": "In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6412"
        },
        {
          "id": "CVE-2018-6554",
          "summary": "Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6554"
        },
        {
          "id": "CVE-2018-6555",
          "summary": "The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6555"
        },
        {
          "id": "CVE-2018-6559",
          "summary": "The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6559",
          "detail": "not-applicable-platform",
          "description": "Issue only affects Ubuntu"
        },
        {
          "id": "CVE-2018-6927",
          "summary": "The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6927"
        },
        {
          "id": "CVE-2018-7191",
          "summary": "In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7191"
        },
        {
          "id": "CVE-2018-7273",
          "summary": "In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7273"
        },
        {
          "id": "CVE-2018-7480",
          "summary": "The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7480"
        },
        {
          "id": "CVE-2018-7492",
          "summary": "A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7492"
        },
        {
          "id": "CVE-2018-7566",
          "summary": "The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7566"
        },
        {
          "id": "CVE-2018-7740",
          "summary": "The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7740"
        },
        {
          "id": "CVE-2018-7754",
          "summary": "The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading \"ffree: \" lines in a debugfs file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7754"
        },
        {
          "id": "CVE-2018-7755",
          "summary": "An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7755"
        },
        {
          "id": "CVE-2018-7757",
          "summary": "Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7757"
        },
        {
          "id": "CVE-2018-7995",
          "summary": "Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory. NOTE: a third party has indicated that this report is not security relevant",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-7995"
        },
        {
          "id": "CVE-2018-8043",
          "summary": "The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference).",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8043"
        },
        {
          "id": "CVE-2018-8087",
          "summary": "Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8087"
        },
        {
          "id": "CVE-2018-8781",
          "summary": "The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8781"
        },
        {
          "id": "CVE-2018-8822",
          "summary": "Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-8822"
        },
        {
          "id": "CVE-2018-9363",
          "summary": "In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.",
          "scorev2": "7.2",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9363"
        },
        {
          "id": "CVE-2018-9568",
          "summary": "In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-9568"
        },
        {
          "id": "CVE-2019-0145",
          "summary": "Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-0145"
        },
        {
          "id": "CVE-2019-10125",
          "summary": "An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10125"
        },
        {
          "id": "CVE-2019-10126",
          "summary": "A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.",
          "scorev2": "7.5",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10126"
        },
        {
          "id": "CVE-2019-10140",
          "summary": "A vulnerability was found in the Linux kernel's implementation of overlayfs, versions up to 3.10. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DoS).",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10140"
        },
        {
          "id": "CVE-2019-10142",
          "summary": "A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security effects.",
          "scorev2": "4.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10142"
        },
        {
          "id": "CVE-2019-10207",
          "summary": "A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.",
          "scorev2": "2.1",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10207"
        },
        {
          "id": "CVE-2019-10220",
          "summary": "The Linux kernel CIFS implementation, version 4.9.0, is vulnerable to relative path injection in directory entry lists.",
          "scorev2": "9.3",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10220"
        },
        {
          "id": "CVE-2019-10638",
          "summary": "In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.",
          "scorev2": "4.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10638"
        },
        {
          "id": "CVE-2019-10639",
          "summary": "The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-10639"
        },
        {
          "id": "CVE-2019-11190",
          "summary": "The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11190"
        },
        {
          "id": "CVE-2019-11191",
          "summary": "The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.",
          "scorev2": "1.9",
          "scorev3": "2.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11191"
        },
        {
          "id": "CVE-2019-11477",
          "summary": "Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11477"
        },
        {
          "id": "CVE-2019-11478",
          "summary": "Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.",
          "scorev2": "5.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11478"
        },
        {
          "id": "CVE-2019-11479",
          "summary": "Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.",
          "scorev2": "5.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11479"
        },
        {
          "id": "CVE-2019-11486",
          "summary": "The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11486"
        },
        {
          "id": "CVE-2019-11487",
          "summary": "The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11487"
        },
        {
          "id": "CVE-2019-11599",
          "summary": "The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11599"
        },
        {
          "id": "CVE-2019-11683",
          "summary": "udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the \"GRO packet of death\" issue.",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11683"
        },
        {
          "id": "CVE-2019-11810",
          "summary": "An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11810"
        },
        {
          "id": "CVE-2019-11811",
          "summary": "An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11811"
        },
        {
          "id": "CVE-2019-11815",
          "summary": "An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.",
          "scorev2": "9.3",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11815"
        },
        {
          "id": "CVE-2019-11833",
          "summary": "fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11833"
        },
        {
          "id": "CVE-2019-11884",
          "summary": "The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\\0' character.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-11884"
        },
        {
          "id": "CVE-2019-12378",
          "summary": "An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12378"
        },
        {
          "id": "CVE-2019-12379",
          "summary": "An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through 5.1.5. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12379"
        },
        {
          "id": "CVE-2019-12380",
          "summary": "**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because \u201cAll the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.\u201d.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12380"
        },
        {
          "id": "CVE-2019-12381",
          "summary": "An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12381"
        },
        {
          "id": "CVE-2019-12382",
          "summary": "An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issue as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12382"
        },
        {
          "id": "CVE-2019-12454",
          "summary": "An issue was discovered in wcd9335_codec_enable_dec in sound/soc/codecs/wcd9335.c in the Linux kernel through 5.1.5. It uses kstrndup instead of kmemdup_nul, which allows attackers to have an unspecified impact via unknown vectors. NOTE: The vendor disputes this issue as not being a vulnerability because switching to kmemdup_nul() would only fix a security issue if the source string wasn't NUL-terminated, which is not the case.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12454"
        },
        {
          "id": "CVE-2019-12455",
          "summary": "An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because \u201cThe memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.\u201d",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12455"
        },
        {
          "id": "CVE-2019-12456",
          "summary": "An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a \"double fetch\" vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12456"
        },
        {
          "id": "CVE-2019-12614",
          "summary": "An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12614"
        },
        {
          "id": "CVE-2019-12615",
          "summary": "An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12615"
        },
        {
          "id": "CVE-2019-12817",
          "summary": "arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1.15 for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above 512 TB. Only a subset of powerpc systems are affected.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12817"
        },
        {
          "id": "CVE-2019-12818",
          "summary": "An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in net/nfc/llcp_core.c.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12818"
        },
        {
          "id": "CVE-2019-12819",
          "summary": "An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free. This will cause a denial of service.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12819"
        },
        {
          "id": "CVE-2019-12881",
          "summary": "i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12881"
        },
        {
          "id": "CVE-2019-12984",
          "summary": "A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of service.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-12984"
        },
        {
          "id": "CVE-2019-13233",
          "summary": "In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13233"
        },
        {
          "id": "CVE-2019-13272",
          "summary": "In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13272"
        },
        {
          "id": "CVE-2019-13631",
          "summary": "In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.",
          "scorev2": "4.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13631"
        },
        {
          "id": "CVE-2019-13648",
          "summary": "In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-13648"
        },
        {
          "id": "CVE-2019-14283",
          "summary": "In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default.",
          "scorev2": "4.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14283"
        },
        {
          "id": "CVE-2019-14284",
          "summary": "In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default.",
          "scorev2": "2.1",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14284"
        },
        {
          "id": "CVE-2019-14763",
          "summary": "In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14763"
        },
        {
          "id": "CVE-2019-14814",
          "summary": "There is a heap-based buffer overflow in the Linux kernel, all versions up to, excluding 5.3, in the Marvell WiFi chip driver, that allows local users to cause a denial of service (system crash) or possibly execute arbitrary code.",
          "scorev2": "7.2",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14814"
        },
        {
          "id": "CVE-2019-14815",
          "summary": "A vulnerability was found in the Linux kernel, where a heap overflow was found in the mwifiex_set_wmm_params() function of the Marvell WiFi driver.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14815"
        },
        {
          "id": "CVE-2019-14816",
          "summary": "There is a heap-based buffer overflow in the Linux kernel, all versions up to, excluding 5.3, in the Marvell WiFi chip driver, that allows local users to cause a denial of service (system crash) or possibly execute arbitrary code.",
          "scorev2": "7.2",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14816"
        },
        {
          "id": "CVE-2019-14821",
          "summary": "An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14821"
        },
        {
          "id": "CVE-2019-14835",
          "summary": "A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.",
          "scorev2": "7.2",
          "scorev3": "7.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14835"
        },
        {
          "id": "CVE-2019-14895",
          "summary": "A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.",
          "scorev2": "7.5",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14895"
        },
        {
          "id": "CVE-2019-14896",
          "summary": "A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.",
          "scorev2": "10.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14896"
        },
        {
          "id": "CVE-2019-14897",
          "summary": "A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.",
          "scorev2": "7.5",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14897"
        },
        {
          "id": "CVE-2019-14898",
          "summary": "The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14898"
        },
        {
          "id": "CVE-2019-14899",
          "summary": "A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.",
          "scorev2": "4.9",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14899"
        },
        {
          "id": "CVE-2019-14901",
          "summary": "A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.",
          "scorev2": "10.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-14901"
        },
        {
          "id": "CVE-2019-15030",
          "summary": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15030"
        },
        {
          "id": "CVE-2019-15031",
          "summary": "In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15031"
        },
        {
          "id": "CVE-2019-15090",
          "summary": "An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15090"
        },
        {
          "id": "CVE-2019-15098",
          "summary": "drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15098"
        },
        {
          "id": "CVE-2019-15099",
          "summary": "drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15099"
        },
        {
          "id": "CVE-2019-15117",
          "summary": "parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15117"
        },
        {
          "id": "CVE-2019-15118",
          "summary": "check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15118"
        },
        {
          "id": "CVE-2019-15211",
          "summary": "An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15211"
        },
        {
          "id": "CVE-2019-15212",
          "summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15212"
        },
        {
          "id": "CVE-2019-15213",
          "summary": "An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15213"
        },
        {
          "id": "CVE-2019-15214",
          "summary": "An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.",
          "scorev2": "6.9",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15214"
        },
        {
          "id": "CVE-2019-15215",
          "summary": "An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15215"
        },
        {
          "id": "CVE-2019-15216",
          "summary": "An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15216"
        },
        {
          "id": "CVE-2019-15217",
          "summary": "An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15217"
        },
        {
          "id": "CVE-2019-15218",
          "summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15218"
        },
        {
          "id": "CVE-2019-15219",
          "summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15219"
        },
        {
          "id": "CVE-2019-15220",
          "summary": "An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15220"
        },
        {
          "id": "CVE-2019-15221",
          "summary": "An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15221"
        },
        {
          "id": "CVE-2019-15222",
          "summary": "An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15222"
        },
        {
          "id": "CVE-2019-15223",
          "summary": "An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15223"
        },
        {
          "id": "CVE-2019-15239",
          "summary": "In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15239"
        },
        {
          "id": "CVE-2019-15291",
          "summary": "An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15291"
        },
        {
          "id": "CVE-2019-15292",
          "summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.",
          "scorev2": "10.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15292"
        },
        {
          "id": "CVE-2019-15504",
          "summary": "drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traffic (which may be remote via usbip or usbredir).",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15504"
        },
        {
          "id": "CVE-2019-15505",
          "summary": "drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).",
          "scorev2": "10.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15505"
        },
        {
          "id": "CVE-2019-15538",
          "summary": "An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15538"
        },
        {
          "id": "CVE-2019-15666",
          "summary": "An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15666"
        },
        {
          "id": "CVE-2019-15791",
          "summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.",
          "scorev2": "4.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15791"
        },
        {
          "id": "CVE-2019-15792",
          "summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a \"struct shiftfs_file_info *\". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.",
          "scorev2": "4.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15792"
        },
        {
          "id": "CVE-2019-15793",
          "summary": "In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.",
          "scorev2": "4.6",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15793"
        },
        {
          "id": "CVE-2019-15794",
          "summary": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file after call_mmap() returns an error. However, the aufs patches change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.",
          "scorev2": "7.2",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15794"
        },
        {
          "id": "CVE-2019-15807",
          "summary": "In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15807"
        },
        {
          "id": "CVE-2019-15902",
          "summary": "A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream \"x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()\" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.",
          "scorev2": "4.7",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15902"
        },
        {
          "id": "CVE-2019-15916",
          "summary": "An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15916"
        },
        {
          "id": "CVE-2019-15917",
          "summary": "An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15917"
        },
        {
          "id": "CVE-2019-15918",
          "summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to smb21.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15918"
        },
        {
          "id": "CVE-2019-15919",
          "summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_write in fs/cifs/smb2pdu.c has a use-after-free.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15919"
        },
        {
          "id": "CVE-2019-15920",
          "summary": "An issue was discovered in the Linux kernel before 5.0.10. SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was not fixed correctly in 5.0.10; see the 5.0.11 ChangeLog, which documents a memory leak.",
          "scorev2": "4.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15920"
        },
        {
          "id": "CVE-2019-15921",
          "summary": "An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15921"
        },
        {
          "id": "CVE-2019-15922",
          "summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a pf data structure if alloc_disk fails in drivers/block/paride/pf.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15922"
        },
        {
          "id": "CVE-2019-15923",
          "summary": "An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a cd data structure if alloc_disk fails in drivers/block/paride/pf.c.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15923"
        },
        {
          "id": "CVE-2019-15924",
          "summary": "An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15924"
        },
        {
          "id": "CVE-2019-15925",
          "summary": "An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15925"
        },
        {
          "id": "CVE-2019-15926",
          "summary": "An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c.",
          "scorev2": "9.4",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15926"
        },
        {
          "id": "CVE-2019-15927",
          "summary": "An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15927"
        },
        {
          "id": "CVE-2019-16089",
          "summary": "An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16089"
        },
        {
          "id": "CVE-2019-16229",
          "summary": "drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16229"
        },
        {
          "id": "CVE-2019-16230",
          "summary": "drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16230"
        },
        {
          "id": "CVE-2019-16231",
          "summary": "drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16231"
        },
        {
          "id": "CVE-2019-16232",
          "summary": "drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16232"
        },
        {
          "id": "CVE-2019-16233",
          "summary": "drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16233"
        },
        {
          "id": "CVE-2019-16234",
          "summary": "drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16234"
        },
        {
          "id": "CVE-2019-16413",
          "summary": "An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16413"
        },
        {
          "id": "CVE-2019-16714",
          "summary": "In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16714"
        },
        {
          "id": "CVE-2019-16746",
          "summary": "An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16746"
        },
        {
          "id": "CVE-2019-16921",
          "summary": "In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16921"
        },
        {
          "id": "CVE-2019-16994",
          "summary": "In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16994"
        },
        {
          "id": "CVE-2019-16995",
          "summary": "In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16995"
        },
        {
          "id": "CVE-2019-17052",
          "summary": "ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel 3.16 through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17052"
        },
        {
          "id": "CVE-2019-17053",
          "summary": "ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17053"
        },
        {
          "id": "CVE-2019-17054",
          "summary": "atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17054"
        },
        {
          "id": "CVE-2019-17055",
          "summary": "base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17055"
        },
        {
          "id": "CVE-2019-17056",
          "summary": "llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17056"
        },
        {
          "id": "CVE-2019-17075",
          "summary": "An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable. This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an architecture for which this stack/DMA interaction has security relevance.",
          "scorev2": "7.1",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17075"
        },
        {
          "id": "CVE-2019-17133",
          "summary": "In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17133"
        },
        {
          "id": "CVE-2019-17351",
          "summary": "An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17351"
        },
        {
          "id": "CVE-2019-17666",
          "summary": "rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.",
          "scorev2": "8.3",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-17666"
        },
        {
          "id": "CVE-2019-18198",
          "summary": "In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18198"
        },
        {
          "id": "CVE-2019-18282",
          "summary": "The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.",
          "scorev2": "5.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18282"
        },
        {
          "id": "CVE-2019-18660",
          "summary": "The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18660"
        },
        {
          "id": "CVE-2019-18675",
          "summary": "The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18675"
        },
        {
          "id": "CVE-2019-18680",
          "summary": "An issue was discovered in the Linux kernel 4.4.x before 4.4.195. There is a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18680"
        },
        {
          "id": "CVE-2019-18683",
          "summary": "An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18683"
        },
        {
          "id": "CVE-2019-18786",
          "summary": "In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18786"
        },
        {
          "id": "CVE-2019-18805",
          "summary": "An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18805"
        },
        {
          "id": "CVE-2019-18806",
          "summary": "A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18806"
        },
        {
          "id": "CVE-2019-18807",
          "summary": "Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18807"
        },
        {
          "id": "CVE-2019-18808",
          "summary": "A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18808"
        },
        {
          "id": "CVE-2019-18809",
          "summary": "A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18809"
        },
        {
          "id": "CVE-2019-18810",
          "summary": "A memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18810"
        },
        {
          "id": "CVE-2019-18811",
          "summary": "A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CID-45c1380358b1.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18811"
        },
        {
          "id": "CVE-2019-18812",
          "summary": "A memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-c0a333d842ef.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18812"
        },
        {
          "id": "CVE-2019-18813",
          "summary": "A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18813"
        },
        {
          "id": "CVE-2019-18814",
          "summary": "An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18814"
        },
        {
          "id": "CVE-2019-18885",
          "summary": "fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-18885"
        },
        {
          "id": "CVE-2019-19036",
          "summary": "btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19036"
        },
        {
          "id": "CVE-2019-19037",
          "summary": "ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19037"
        },
        {
          "id": "CVE-2019-19039",
          "summary": "__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because \u201c1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19039"
        },
        {
          "id": "CVE-2019-19043",
          "summary": "A memory leak in the i40e_setup_macvlans() function in drivers/net/ethernet/intel/i40e/i40e_main.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering i40e_setup_channel() failures, aka CID-27d461333459.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19043"
        },
        {
          "id": "CVE-2019-19044",
          "summary": "Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19044"
        },
        {
          "id": "CVE-2019-19045",
          "summary": "A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19045"
        },
        {
          "id": "CVE-2019-19046",
          "summary": "A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time",
          "scorev2": "6.8",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19046"
        },
        {
          "id": "CVE-2019-19047",
          "summary": "A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19047"
        },
        {
          "id": "CVE-2019-19048",
          "summary": "A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19048"
        },
        {
          "id": "CVE-2019-19049",
          "summary": "A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before 5.3.10 allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19049"
        },
        {
          "id": "CVE-2019-19050",
          "summary": "A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19050"
        },
        {
          "id": "CVE-2019-19051",
          "summary": "A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19051"
        },
        {
          "id": "CVE-2019-19052",
          "summary": "A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b486.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19052"
        },
        {
          "id": "CVE-2019-19053",
          "summary": "A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19053"
        },
        {
          "id": "CVE-2019-19054",
          "summary": "A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19054"
        },
        {
          "id": "CVE-2019-19055",
          "summary": "A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19055"
        },
        {
          "id": "CVE-2019-19056",
          "summary": "A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19056"
        },
        {
          "id": "CVE-2019-19057",
          "summary": "Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19057"
        },
        {
          "id": "CVE-2019-19058",
          "summary": "A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19058"
        },
        {
          "id": "CVE-2019-19059",
          "summary": "Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19059"
        },
        {
          "id": "CVE-2019-19060",
          "summary": "A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19060"
        },
        {
          "id": "CVE-2019-19061",
          "summary": "A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19061"
        },
        {
          "id": "CVE-2019-19062",
          "summary": "A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19062"
        },
        {
          "id": "CVE-2019-19063",
          "summary": "Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19063"
        },
        {
          "id": "CVE-2019-19064",
          "summary": "A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering pm_runtime_get_sync() failures, aka CID-057b8945f78f. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control these failures at probe time",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19064"
        },
        {
          "id": "CVE-2019-19065",
          "summary": "A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability because \"rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger failure if they could corrupt kernel memory (in which case a small memory leak is not a significant problem).",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19065"
        },
        {
          "id": "CVE-2019-19066",
          "summary": "A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19066"
        },
        {
          "id": "CVE-2019-19067",
          "summary": "Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19067"
        },
        {
          "id": "CVE-2019-19068",
          "summary": "A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19068"
        },
        {
          "id": "CVE-2019-19069",
          "summary": "A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19069"
        },
        {
          "id": "CVE-2019-19070",
          "summary": "A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19070"
        },
        {
          "id": "CVE-2019-19071",
          "summary": "A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19071"
        },
        {
          "id": "CVE-2019-19072",
          "summary": "A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19072"
        },
        {
          "id": "CVE-2019-19073",
          "summary": "Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19073"
        },
        {
          "id": "CVE-2019-19074",
          "summary": "A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19074"
        },
        {
          "id": "CVE-2019-19075",
          "summary": "A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19075"
        },
        {
          "id": "CVE-2019-19076",
          "summary": "A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before 5.3.6 allows attackers to cause a denial of service (memory consumption), aka CID-78beef629fd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beef629fd9 was reverted",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19076"
        },
        {
          "id": "CVE-2019-19077",
          "summary": "A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe14.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19077"
        },
        {
          "id": "CVE-2019-19078",
          "summary": "A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19078"
        },
        {
          "id": "CVE-2019-19079",
          "summary": "A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c in the Linux kernel before 5.3 allows attackers to cause a denial of service (memory consumption), aka CID-a21b7f0cff19.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19079"
        },
        {
          "id": "CVE-2019-19080",
          "summary": "Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allow attackers to cause a denial of service (memory consumption), aka CID-8572cea1461a.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19080"
        },
        {
          "id": "CVE-2019-19081",
          "summary": "A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before 5.3.4 allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a.",
          "scorev2": "7.1",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19081"
        },
        {
          "id": "CVE-2019-19082",
          "summary": "Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption). This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, aka CID-104c307147ad.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19082"
        },
        {
          "id": "CVE-2019-19083",
          "summary": "Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CID-055e547478a1.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19083"
        },
        {
          "id": "CVE-2019-19227",
          "summary": "In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19227"
        },
        {
          "id": "CVE-2019-19241",
          "summary": "In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19241"
        },
        {
          "id": "CVE-2019-19252",
          "summary": "vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19252"
        },
        {
          "id": "CVE-2019-19318",
          "summary": "In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer,",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19318"
        },
        {
          "id": "CVE-2019-19319",
          "summary": "In the Linux kernel before 5.2, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call, aka CID-345c0dbf3a30.",
          "scorev2": "4.4",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19319"
        },
        {
          "id": "CVE-2019-19332",
          "summary": "An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.",
          "scorev2": "5.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19332"
        },
        {
          "id": "CVE-2019-19338",
          "summary": "A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19338"
        },
        {
          "id": "CVE-2019-19377",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19377"
        },
        {
          "id": "CVE-2019-19378",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19378"
        },
        {
          "id": "CVE-2019-19447",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19447"
        },
        {
          "id": "CVE-2019-19448",
          "summary": "In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19448"
        },
        {
          "id": "CVE-2019-19449",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can lead to slab-out-of-bounds read access in f2fs_build_segment_manager in fs/f2fs/segment.c, related to init_min_max_mtime in fs/f2fs/segment.c (because the second argument to get_seg_entry is not validated).",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19449"
        },
        {
          "id": "CVE-2019-19462",
          "summary": "relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19462"
        },
        {
          "id": "CVE-2019-19523",
          "summary": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19523"
        },
        {
          "id": "CVE-2019-19524",
          "summary": "In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19524"
        },
        {
          "id": "CVE-2019-19525",
          "summary": "In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19525"
        },
        {
          "id": "CVE-2019-19526",
          "summary": "In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19526"
        },
        {
          "id": "CVE-2019-19527",
          "summary": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.",
          "scorev2": "7.2",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19527"
        },
        {
          "id": "CVE-2019-19528",
          "summary": "In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.",
          "scorev2": "5.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19528"
        },
        {
          "id": "CVE-2019-19529",
          "summary": "In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.",
          "scorev2": "6.9",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19529"
        },
        {
          "id": "CVE-2019-19530",
          "summary": "In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19530"
        },
        {
          "id": "CVE-2019-19531",
          "summary": "In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.",
          "scorev2": "4.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19531"
        },
        {
          "id": "CVE-2019-19532",
          "summary": "In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.",
          "scorev2": "4.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19532"
        },
        {
          "id": "CVE-2019-19533",
          "summary": "In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.",
          "scorev2": "2.1",
          "scorev3": "2.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19533"
        },
        {
          "id": "CVE-2019-19534",
          "summary": "In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.",
          "scorev2": "2.1",
          "scorev3": "2.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19534"
        },
        {
          "id": "CVE-2019-19535",
          "summary": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19535"
        },
        {
          "id": "CVE-2019-19536",
          "summary": "In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19536"
        },
        {
          "id": "CVE-2019-19537",
          "summary": "In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.",
          "scorev2": "4.7",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19537"
        },
        {
          "id": "CVE-2019-19543",
          "summary": "In the Linux kernel before 5.1.6, there is a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19543"
        },
        {
          "id": "CVE-2019-19602",
          "summary": "fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on amd64, aka CID-59c4bd853abc.",
          "scorev2": "5.4",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19602"
        },
        {
          "id": "CVE-2019-19767",
          "summary": "The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19767"
        },
        {
          "id": "CVE-2019-19768",
          "summary": "In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19768"
        },
        {
          "id": "CVE-2019-19769",
          "summary": "In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function (related to include/trace/events/lock.h).",
          "scorev2": "6.5",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19769"
        },
        {
          "id": "CVE-2019-19770",
          "summary": "In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs; instead this is an issue with misuse of debugfs within blktrace.",
          "scorev2": "6.4",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19770"
        },
        {
          "id": "CVE-2019-19807",
          "summary": "In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19807"
        },
        {
          "id": "CVE-2019-19813",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19813"
        },
        {
          "id": "CVE-2019-19814",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19814"
        },
        {
          "id": "CVE-2019-19815",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause a NULL pointer dereference in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This is related to F2FS_P_SB in fs/f2fs/f2fs.h.",
          "scorev2": "7.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19815"
        },
        {
          "id": "CVE-2019-19816",
          "summary": "In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for the number of data stripes is mishandled.",
          "scorev2": "9.3",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19816"
        },
        {
          "id": "CVE-2019-19922",
          "summary": "kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19922"
        },
        {
          "id": "CVE-2019-19927",
          "summary": "In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19927"
        },
        {
          "id": "CVE-2019-19947",
          "summary": "In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19947"
        },
        {
          "id": "CVE-2019-19965",
          "summary": "In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19965"
        },
        {
          "id": "CVE-2019-19966",
          "summary": "In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19966"
        },
        {
          "id": "CVE-2019-20054",
          "summary": "In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20054"
        },
        {
          "id": "CVE-2019-20095",
          "summary": "mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20095"
        },
        {
          "id": "CVE-2019-20096",
          "summary": "In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20096"
        },
        {
          "id": "CVE-2019-20422",
          "summary": "In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20422"
        },
        {
          "id": "CVE-2019-20636",
          "summary": "In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20636"
        },
        {
          "id": "CVE-2019-20794",
          "summary": "An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20794"
        },
        {
          "id": "CVE-2019-20806",
          "summary": "An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20806"
        },
        {
          "id": "CVE-2019-20810",
          "summary": "go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20810"
        },
        {
          "id": "CVE-2019-20811",
          "summary": "An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20811"
        },
        {
          "id": "CVE-2019-20812",
          "summary": "An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20812"
        },
        {
          "id": "CVE-2019-20908",
          "summary": "An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.",
          "scorev2": "6.9",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20908"
        },
        {
          "id": "CVE-2019-20934",
          "summary": "An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.",
          "scorev2": "5.4",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-20934"
        },
        {
          "id": "CVE-2019-25044",
          "summary": "The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25044"
        },
        {
          "id": "CVE-2019-25045",
          "summary": "An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25045"
        },
        {
          "id": "CVE-2019-25160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: fix out-of-bounds memory accesses\n\nThere are two array out-of-bounds memory accesses, one in\ncipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both\nerrors are embarrassingly simple, and the fixes are straightforward.\n\nAs a FYI for anyone backporting this patch to kernels prior to v4.8,\nyou'll want to apply the netlbl_bitmap_walk() patch to\ncipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before\nLinux v4.8.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25160",
          "detail": "fixed-version",
          "description": "Fixed from version 5.0"
        },
        {
          "id": "CVE-2019-25162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: Fix a potential use after free\n\nFree the adap structure only after we are done using it.\nThis patch just moves the put_device() down a bit to avoid the\nuse after free.\n\n[wsa: added comment to the code, added Fixes tag]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-25162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2019-3016",
          "summary": "In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limited to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.",
          "scorev2": "1.9",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3016",
          "detail": "fixed-version",
          "description": "Fixed from version 5.6rc1"
        },
        {
          "id": "CVE-2019-3459",
          "summary": "A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1.",
          "scorev2": "3.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3459"
        },
        {
          "id": "CVE-2019-3460",
          "summary": "A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1.",
          "scorev2": "3.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3460"
        },
        {
          "id": "CVE-2019-3701",
          "summary": "An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user \"root\" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3701"
        },
        {
          "id": "CVE-2019-3819",
          "summary": "A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user (\"root\") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.",
          "scorev2": "4.9",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3819",
          "detail": "fixed-version",
          "description": "Fixed from version 5.0rc6"
        },
        {
          "id": "CVE-2019-3837",
          "summary": "It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-unsafe. So an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a denial-of-service or cause a random memory corruption.",
          "scorev2": "4.9",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3837"
        },
        {
          "id": "CVE-2019-3846",
          "summary": "A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.",
          "scorev2": "8.3",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3846"
        },
        {
          "id": "CVE-2019-3874",
          "summary": "The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.",
          "scorev2": "3.3",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3874"
        },
        {
          "id": "CVE-2019-3882",
          "summary": "A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.",
          "scorev2": "4.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3882"
        },
        {
          "id": "CVE-2019-3887",
          "summary": "A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Register (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue.",
          "scorev2": "4.7",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3887",
          "detail": "fixed-version",
          "description": "Fixed from version 5.1rc4"
        },
        {
          "id": "CVE-2019-3896",
          "summary": "A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).",
          "scorev2": "7.2",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3896"
        },
        {
          "id": "CVE-2019-3900",
          "summary": "An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.",
          "scorev2": "6.8",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3900"
        },
        {
          "id": "CVE-2019-3901",
          "summary": "A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.",
          "scorev2": "1.9",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-3901"
        },
        {
          "id": "CVE-2019-5108",
          "summary": "An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.",
          "scorev2": "3.3",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5108"
        },
        {
          "id": "CVE-2019-5489",
          "summary": "The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-5489"
        },
        {
          "id": "CVE-2019-6974",
          "summary": "In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.",
          "scorev2": "6.8",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6974"
        },
        {
          "id": "CVE-2019-7221",
          "summary": "The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7221"
        },
        {
          "id": "CVE-2019-7222",
          "summary": "The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7222"
        },
        {
          "id": "CVE-2019-7308",
          "summary": "kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.",
          "scorev2": "4.7",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-7308"
        },
        {
          "id": "CVE-2019-8912",
          "summary": "In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8912"
        },
        {
          "id": "CVE-2019-8956",
          "summary": "In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the \"sctp_sendmsg()\" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8956"
        },
        {
          "id": "CVE-2019-8980",
          "summary": "A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-8980"
        },
        {
          "id": "CVE-2019-9003",
          "summary": "In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a \"service ipmievd restart\" loop.",
          "scorev2": "7.8",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9003"
        },
        {
          "id": "CVE-2019-9162",
          "summary": "In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9162"
        },
        {
          "id": "CVE-2019-9213",
          "summary": "In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9213"
        },
        {
          "id": "CVE-2019-9500",
          "summary": "The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.",
          "scorev2": "7.9",
          "scorev3": "7.9",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9500"
        },
        {
          "id": "CVE-2019-9857",
          "summary": "In the Linux kernel through 5.0.2, the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-9857"
        },
        {
          "id": "CVE-2020-10690",
          "summary": "There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.",
          "scorev2": "4.4",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10690"
        },
        {
          "id": "CVE-2020-10711",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10711"
        },
        {
          "id": "CVE-2020-10720",
          "summary": "A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10720"
        },
        {
          "id": "CVE-2020-10732",
          "summary": "A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.",
          "scorev2": "3.6",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10732"
        },
        {
          "id": "CVE-2020-10742",
          "summary": "A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability.",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10742",
          "detail": "fixed-version",
          "description": "Fixed from version 3.16rc1"
        },
        {
          "id": "CVE-2020-10757",
          "summary": "A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10757"
        },
        {
          "id": "CVE-2020-10766",
          "summary": "A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10766"
        },
        {
          "id": "CVE-2020-10767",
          "summary": "A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10767"
        },
        {
          "id": "CVE-2020-10768",
          "summary": "A flaw was found in the Linux Kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10768"
        },
        {
          "id": "CVE-2020-10773",
          "summary": "A stack information leak flaw was found in s390/s390x in the Linux kernel\u2019s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10773"
        },
        {
          "id": "CVE-2020-10774",
          "summary": "A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10774"
        },
        {
          "id": "CVE-2020-10781",
          "summary": "A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10781"
        },
        {
          "id": "CVE-2020-10942",
          "summary": "In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.",
          "scorev2": "5.4",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-10942"
        },
        {
          "id": "CVE-2020-11494",
          "summary": "An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel 3.16 through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11494"
        },
        {
          "id": "CVE-2020-11565",
          "summary": "An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue \u201cis a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.\u201d",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11565"
        },
        {
          "id": "CVE-2020-11608",
          "summary": "An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.",
          "scorev2": "4.9",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11608"
        },
        {
          "id": "CVE-2020-11609",
          "summary": "An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.",
          "scorev2": "4.9",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11609"
        },
        {
          "id": "CVE-2020-11668",
          "summary": "In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.",
          "scorev2": "5.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11668"
        },
        {
          "id": "CVE-2020-11669",
          "summary": "An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11669"
        },
        {
          "id": "CVE-2020-11725",
          "summary": "snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified \"interesting side effects.\" NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the \"owner\" concept. The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, have been designed to misuse the info->owner field in a safe way",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11725"
        },
        {
          "id": "CVE-2020-11884",
          "summary": "In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-11884"
        },
        {
          "id": "CVE-2020-12114",
          "summary": "A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12114"
        },
        {
          "id": "CVE-2020-12351",
          "summary": "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.",
          "scorev2": "5.8",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12351"
        },
        {
          "id": "CVE-2020-12352",
          "summary": "Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.",
          "scorev2": "3.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12352"
        },
        {
          "id": "CVE-2020-12464",
          "summary": "usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12464"
        },
        {
          "id": "CVE-2020-12465",
          "summary": "An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12465"
        },
        {
          "id": "CVE-2020-12652",
          "summary": "The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a \"double fetch\" vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states \"The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power.\"",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12652"
        },
        {
          "id": "CVE-2020-12653",
          "summary": "An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12653"
        },
        {
          "id": "CVE-2020-12654",
          "summary": "An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.",
          "scorev2": "4.3",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12654"
        },
        {
          "id": "CVE-2020-12655",
          "summary": "An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12655"
        },
        {
          "id": "CVE-2020-12656",
          "summary": "gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12656"
        },
        {
          "id": "CVE-2020-12657",
          "summary": "An issue was discovered in the Linux kernel before 5.6.5. There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12657"
        },
        {
          "id": "CVE-2020-12659",
          "summary": "An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12659"
        },
        {
          "id": "CVE-2020-12768",
          "summary": "An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at boot, the size is negligible, and it can't be triggered at will.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12768"
        },
        {
          "id": "CVE-2020-12769",
          "summary": "An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12769"
        },
        {
          "id": "CVE-2020-12770",
          "summary": "An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12770"
        },
        {
          "id": "CVE-2020-12771",
          "summary": "An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12771"
        },
        {
          "id": "CVE-2020-12826",
          "summary": "A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.",
          "scorev2": "4.4",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12826"
        },
        {
          "id": "CVE-2020-12888",
          "summary": "The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.",
          "scorev2": "4.7",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-12888"
        },
        {
          "id": "CVE-2020-13143",
          "summary": "gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.",
          "scorev2": "4.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13143"
        },
        {
          "id": "CVE-2020-13974",
          "summary": "An issue was discovered in the Linux kernel 4.4 through 5.7.1. drivers/tty/vt/keyboard.c has an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. NOTE: Members in the community argue that the integer overflow does not lead to a security issue in this case.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-13974"
        },
        {
          "id": "CVE-2020-14304",
          "summary": "A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304"
        },
        {
          "id": "CVE-2020-14305",
          "summary": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "8.3",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14305"
        },
        {
          "id": "CVE-2020-14314",
          "summary": "A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14314"
        },
        {
          "id": "CVE-2020-14331",
          "summary": "A flaw was found in the Linux kernel\u2019s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14331"
        },
        {
          "id": "CVE-2020-14351",
          "summary": "A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14351"
        },
        {
          "id": "CVE-2020-14356",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 in the way the system is rebooted. A local user could use this flaw to crash the system or escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14356"
        },
        {
          "id": "CVE-2020-14381",
          "summary": "A flaw was found in the Linux kernel\u2019s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14381"
        },
        {
          "id": "CVE-2020-14385",
          "summary": "A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14385"
        },
        {
          "id": "CVE-2020-14386",
          "summary": "A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14386"
        },
        {
          "id": "CVE-2020-14390",
          "summary": "A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.",
          "scorev2": "4.6",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14390"
        },
        {
          "id": "CVE-2020-14416",
          "summary": "In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.",
          "scorev2": "4.7",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14416"
        },
        {
          "id": "CVE-2020-15393",
          "summary": "In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15393"
        },
        {
          "id": "CVE-2020-15436",
          "summary": "Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15436"
        },
        {
          "id": "CVE-2020-15437",
          "summary": "The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer, which is uninitialized.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15437"
        },
        {
          "id": "CVE-2020-15780",
          "summary": "An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15780"
        },
        {
          "id": "CVE-2020-15852",
          "summary": "An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-15852"
        },
        {
          "id": "CVE-2020-16119",
          "summary": "Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196.",
          "scorev2": "4.6",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16119",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15rc2"
        },
        {
          "id": "CVE-2020-16120",
          "summary": "Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11.",
          "scorev2": "2.1",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16120"
        },
        {
          "id": "CVE-2020-16166",
          "summary": "The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.",
          "scorev2": "4.3",
          "scorev3": "3.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16166"
        },
        {
          "id": "CVE-2020-1749",
          "summary": "A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-1749",
          "detail": "fixed-version",
          "description": "Fixed from version 5.5rc1"
        },
        {
          "id": "CVE-2020-24394",
          "summary": "In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24394"
        },
        {
          "id": "CVE-2020-24586",
          "summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.",
          "scorev2": "2.9",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24586"
        },
        {
          "id": "CVE-2020-24587",
          "summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.",
          "scorev2": "1.8",
          "scorev3": "2.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24587"
        },
        {
          "id": "CVE-2020-24588",
          "summary": "The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.",
          "scorev2": "2.9",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-24588"
        },
        {
          "id": "CVE-2020-25211",
          "summary": "In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25211"
        },
        {
          "id": "CVE-2020-25212",
          "summary": "A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25212"
        },
        {
          "id": "CVE-2020-25220",
          "summary": "The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25220"
        },
        {
          "id": "CVE-2020-25221",
          "summary": "get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25221"
        },
        {
          "id": "CVE-2020-25284",
          "summary": "The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.",
          "scorev2": "1.9",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25284"
        },
        {
          "id": "CVE-2020-25285",
          "summary": "A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.",
          "scorev2": "4.4",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25285"
        },
        {
          "id": "CVE-2020-25639",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25639"
        },
        {
          "id": "CVE-2020-25641",
          "summary": "A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25641"
        },
        {
          "id": "CVE-2020-25643",
          "summary": "A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "scorev2": "7.5",
          "scorev3": "7.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25643"
        },
        {
          "id": "CVE-2020-25645",
          "summary": "A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25645"
        },
        {
          "id": "CVE-2020-25656",
          "summary": "A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.",
          "scorev2": "1.9",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25656"
        },
        {
          "id": "CVE-2020-25668",
          "summary": "A flaw was found in the Linux kernel because access to the global variable fg_console is not properly synchronized, leading to a use-after-free in con_font_op.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25668"
        },
        {
          "id": "CVE-2020-25669",
          "summary": "A vulnerability was found in the Linux kernel where the function sunkbd_reinit has been scheduled by sunkbd_interrupt before sunkbd is freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit, causing a use-after-free.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25669"
        },
        {
          "id": "CVE-2020-25670",
          "summary": "A vulnerability was found in the Linux kernel where a refcount leak in llcp_sock_bind() causes a use-after-free which might lead to privilege escalation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25670"
        },
        {
          "id": "CVE-2020-25671",
          "summary": "A vulnerability was found in the Linux kernel where a refcount leak in llcp_sock_connect() causes a use-after-free which might lead to privilege escalation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25671"
        },
        {
          "id": "CVE-2020-25672",
          "summary": "A memory leak vulnerability was found in Linux kernel in llcp_sock_connect",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25672",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12rc7"
        },
        {
          "id": "CVE-2020-25673",
          "summary": "A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25673"
        },
        {
          "id": "CVE-2020-25704",
          "summary": "A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25704"
        },
        {
          "id": "CVE-2020-25705",
          "summary": "A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version",
          "scorev2": "5.8",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-25705"
        },
        {
          "id": "CVE-2020-26088",
          "summary": "A missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c in the Linux kernel before 5.8.2 could be used by local attackers to create raw sockets, bypassing security mechanisms, aka CID-26896f01467a.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26088"
        },
        {
          "id": "CVE-2020-26147",
          "summary": "An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.",
          "scorev2": "3.2",
          "scorev3": "5.4",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26147"
        },
        {
          "id": "CVE-2020-26541",
          "summary": "The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.",
          "scorev2": "6.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26541"
        },
        {
          "id": "CVE-2020-26558",
          "summary": "Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.",
          "scorev2": "4.3",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26558"
        },
        {
          "id": "CVE-2020-27152",
          "summary": "An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering, aka CID-77377064c3a9.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27152"
        },
        {
          "id": "CVE-2020-27170",
          "summary": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27170"
        },
        {
          "id": "CVE-2020-27171",
          "summary": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.",
          "scorev2": "3.6",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27171"
        },
        {
          "id": "CVE-2020-27194",
          "summary": "An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27194"
        },
        {
          "id": "CVE-2020-27673",
          "summary": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27673"
        },
        {
          "id": "CVE-2020-27675",
          "summary": "An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27675"
        },
        {
          "id": "CVE-2020-27777",
          "summary": "A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27777"
        },
        {
          "id": "CVE-2020-27784",
          "summary": "A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27784"
        },
        {
          "id": "CVE-2020-27786",
          "summary": "A flaw was found in the Linux kernel\u2019s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27786"
        },
        {
          "id": "CVE-2020-27815",
          "summary": "A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "6.1",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27815",
          "detail": "fixed-version",
          "description": "Fixed from version 5.11rc1"
        },
        {
          "id": "CVE-2020-27820",
          "summary": "A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if \"unbind\" the driver).",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27820"
        },
        {
          "id": "CVE-2020-27825",
          "summary": "A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.",
          "scorev2": "5.4",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27825"
        },
        {
          "id": "CVE-2020-27830",
          "summary": "A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-27830"
        },
        {
          "id": "CVE-2020-28097",
          "summary": "The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.",
          "scorev2": "3.6",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28097"
        },
        {
          "id": "CVE-2020-28374",
          "summary": "In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.",
          "scorev2": "5.5",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28374"
        },
        {
          "id": "CVE-2020-28588",
          "summary": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28588"
        },
        {
          "id": "CVE-2020-28915",
          "summary": "A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.",
          "scorev2": "6.1",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28915"
        },
        {
          "id": "CVE-2020-28941",
          "summary": "An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28941"
        },
        {
          "id": "CVE-2020-28974",
          "summary": "A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.",
          "scorev2": "6.1",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28974"
        },
        {
          "id": "CVE-2020-29368",
          "summary": "An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29368"
        },
        {
          "id": "CVE-2020-29369",
          "summary": "An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29369"
        },
        {
          "id": "CVE-2020-29370",
          "summary": "An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29370"
        },
        {
          "id": "CVE-2020-29371",
          "summary": "An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29371"
        },
        {
          "id": "CVE-2020-29372",
          "summary": "An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29372"
        },
        {
          "id": "CVE-2020-29373",
          "summary": "An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29373"
        },
        {
          "id": "CVE-2020-29374",
          "summary": "An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.",
          "scorev2": "3.3",
          "scorev3": "3.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29374"
        },
        {
          "id": "CVE-2020-29534",
          "summary": "An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29534"
        },
        {
          "id": "CVE-2020-29569",
          "summary": "An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29569"
        },
        {
          "id": "CVE-2020-29660",
          "summary": "A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29660"
        },
        {
          "id": "CVE-2020-29661",
          "summary": "A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29661"
        },
        {
          "id": "CVE-2020-35499",
          "summary": "A NULL pointer dereference flaw in Linux kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35499"
        },
        {
          "id": "CVE-2020-35501",
          "summary": "A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem",
          "scorev2": "3.6",
          "scorev3": "3.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35501"
        },
        {
          "id": "CVE-2020-35508",
          "summary": "A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.",
          "scorev2": "4.4",
          "scorev3": "4.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35508"
        },
        {
          "id": "CVE-2020-35513",
          "summary": "A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if both simultaneously accessing the NFS by the other process that is not using new NFSv4.2. A user with access to the NFS could use this flaw to starve the resources causing denial of service.",
          "scorev2": "4.0",
          "scorev3": "4.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35513"
        },
        {
          "id": "CVE-2020-35519",
          "summary": "An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-35519"
        },
        {
          "id": "CVE-2020-36158",
          "summary": "mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36158"
        },
        {
          "id": "CVE-2020-36310",
          "summary": "An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36310"
        },
        {
          "id": "CVE-2020-36311",
          "summary": "An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36311"
        },
        {
          "id": "CVE-2020-36312",
          "summary": "An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36312"
        },
        {
          "id": "CVE-2020-36313",
          "summary": "An issue was discovered in the Linux kernel before 5.7. The KVM subsystem allows out-of-range access to memslots after a deletion, aka CID-0774a964ef56. This affects arch/s390/kvm/kvm-s390.c, include/linux/kvm_host.h, and virt/kvm/kvm_main.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36313"
        },
        {
          "id": "CVE-2020-36322",
          "summary": "An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36322"
        },
        {
          "id": "CVE-2020-36385",
          "summary": "An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.",
          "scorev2": "6.8",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36385"
        },
        {
          "id": "CVE-2020-36386",
          "summary": "An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.",
          "scorev2": "5.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36386"
        },
        {
          "id": "CVE-2020-36387",
          "summary": "An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36387"
        },
        {
          "id": "CVE-2020-36516",
          "summary": "An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.",
          "scorev2": "4.9",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36516"
        },
        {
          "id": "CVE-2020-36557",
          "summary": "A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36557"
        },
        {
          "id": "CVE-2020-36558",
          "summary": "A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36558"
        },
        {
          "id": "CVE-2020-36691",
          "summary": "An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36691"
        },
        {
          "id": "CVE-2020-36694",
          "summary": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694"
        },
        {
          "id": "CVE-2020-36766",
          "summary": "An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36766"
        },
        {
          "id": "CVE-2020-36775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nUsing f2fs_trylock_op() in f2fs_write_compressed_pages() to avoid potential\ndeadlock like we did in f2fs_write_single_data_page().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36775",
          "detail": "fixed-version",
          "description": "Fixed from version 5.7"
        },
        {
          "id": "CVE-2020-36776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/cpufreq_cooling: Fix slab OOB issue\n\nSlab OOB issue is scanned by KASAN in cpu_power_to_freq().\nIf power is limited below the power of OPP0 in EM table,\nit will cause slab out-of-bound issue with negative array\nindex.\n\nReturn the lowest frequency if limited power cannot found\na suitable OPP in EM table to fix this issue.\n\nBacktrace:\n[<ffffffd02d2a37f0>] die+0x104/0x5ac\n[<ffffffd02d2a5630>] bug_handler+0x64/0xd0\n[<ffffffd02d288ce4>] brk_handler+0x160/0x258\n[<ffffffd02d281e5c>] do_debug_exception+0x248/0x3f0\n[<ffffffd02d284488>] el1_dbg+0x14/0xbc\n[<ffffffd02d75d1d4>] __kasan_report+0x1dc/0x1e0\n[<ffffffd02d75c2e0>] kasan_report+0x10/0x20\n[<ffffffd02d75def8>] __asan_report_load8_noabort+0x18/0x28\n[<ffffffd02e6fce5c>] cpufreq_power2state+0x180/0x43c\n[<ffffffd02e6ead80>] power_actor_set_power+0x114/0x1d4\n[<ffffffd02e6fac24>] allocate_power+0xaec/0xde0\n[<ffffffd02e6f9f80>] power_allocator_throttle+0x3ec/0x5a4\n[<ffffffd02e6ea888>] handle_thermal_trip+0x160/0x294\n[<ffffffd02e6edd08>] thermal_zone_device_check+0xe4/0x154\n[<ffffffd02d351cb4>] process_one_work+0x5e4/0xe28\n[<ffffffd02d352f44>] worker_thread+0xa4c/0xfac\n[<ffffffd02d360124>] kthread+0x33c/0x358\n[<ffffffd02d289940>] ret_from_fork+0xc/0x18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36776",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: Fix memory leak in dvb_media_device_free()\n\ndvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`\nbefore setting it to NULL, as documented in include/media/media-device.h:\n\"The media_entity instance itself must be freed explicitly by the driver\nif required.\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36777",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: xiic: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in xiic_xfer and xiic_i2c_remove.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36778",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: stm32f7: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in these stm32f7_i2c_xx serious functions.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36779",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: sprd: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in sprd_i2c_master_xfer() and sprd_i2c_remove().\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36780",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: fix reference leak when pm_runtime_get_sync fails\n\nIn i2c_imx_xfer() and i2c_imx_remove(), the pm reference count\nis not expected to be incremented on return.\n\nHowever, pm_runtime_get_sync will increment pm reference count\neven failed. Forgetting to putting operation will result in a\nreference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36781",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in lpi2c_imx_master_enable.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36782",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: img-scb: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in functions img_i2c_xfer and img_i2c_init.\n\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36783",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cadence: fix reference leak when pm_runtime_get_sync fails\n\nThe PM reference count is not expected to be incremented on\nreturn in functions cdns_i2c_master_xfer and cdns_reg_slave.\n\nHowever, pm_runtime_get_sync will increment pm usage counter\neven failed. Forgetting to putting operation will result in a\nreference leak here.\n\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36784",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs()\n\nThe \"s3a_buf\" is freed along with all the other items on the\n\"asd->s3a_stats\" list.  It leads to a double free and a use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36785",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: [next] staging: media: atomisp: fix memory leak of object flash\n\nIn the case where the call to lm3554_platform_data_func returns an\nerror there is a memory leak on the error return path of object\nflash.  Fix this by adding an error return path that will free\nflash and rename labels fail2 to fail3 and fail1 to fail2.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36786",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: aspeed: fix clock handling logic\n\nVideo engine uses eclk and vclk for its clock sources and its reset\ncontrol is coupled with eclk so the current clock enabling sequence works\nlike below.\n\n Enable eclk\n De-assert Video Engine reset\n 10ms delay\n Enable vclk\n\nIt introduces improper reset on the Video Engine hardware and eventually\nthe hardware generates unexpected DMA memory transfers that can corrupt\nmemory region in random and sporadic patterns. This issue is observed\nvery rarely on some specific AST2500 SoCs but it causes a critical\nkernel panic with making a various shape of signature so it's extremely\nhard to debug. Moreover, the issue is observed even when the video\nengine is not actively used because udevd turns on the video engine\nhardware for a short time to make a query in every boot.\n\nTo fix this issue, this commit changes the clock handling logic to make\nthe reset de-assertion triggered after enabling both eclk and vclk. Also,\nit adds clk_unprepare call for a case when probe fails.\n\nclk: ast2600: fix reset settings for eclk and vclk\nVideo engine reset setting should be coupled with eclk to match it\nwith the setting for previous Aspeed SoCs which is defined in\nclk-aspeed.c since all Aspeed SoCs are sharing a single video engine\ndriver. Also, reset bit 6 is defined as 'Video Engine' reset in\ndatasheet so it should be de-asserted when eclk is enabled. This\ncommit fixes the setting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36787",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2020-36788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: avoid a use-after-free when BO init fails\n\nnouveau_bo_init() is backed by ttm_bo_init() and ferries its return code\nback to the caller. On failures, ttm_bo_init() invokes the provided\ndestructor which should de-initialize and free the memory.\n\nThus, when nouveau_bo_init() returns an error the gem object has already\nbeen released and the memory freed by nouveau_bo_del_ttm().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36788",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2020-36789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context\n\nIf a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but\nnot always, the case), the 'WARN_ON(in_irq)' in\nnet/core/skbuff.c#skb_release_head_state() might be triggered, under network\ncongestion circumstances, together with the potential risk of a NULL pointer\ndereference.\n\nThe root cause of this issue is the call to kfree_skb() instead of\ndev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().\n\nThis patch prevents the skb to be freed within the call to netif_rx() by\nincrementing its reference count with skb_get(). The skb is finally freed by\none of the in-irq-context safe functions: dev_consume_skb_any() or\ndev_kfree_skb_any(). The \"any\" version is used because some drivers might call\ncan_get_echo_skb() in a normal context.\n\nThe reason for this issue to occur is that initially, in the core network\nstack, loopback skb were not supposed to be received in hardware IRQ context.\nThe CAN stack is an exeption.\n\nThis bug was previously reported back in 2017 in [1] but the proposed patch\nnever got accepted.\n\nWhile [1] directly modifies net/core/dev.c, we try to propose here a\nsmoother modification local to CAN network stack (the assumption\nbehind is that only CAN devices are affected by this issue).\n\n[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36789",
          "detail": "fixed-version",
          "description": "Fixed from version 5.10"
        },
        {
          "id": "CVE-2020-36790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a memory leak\n\nWe forgot to free new_model_number",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36790",
          "detail": "fixed-version",
          "description": "Fixed from version 5.9"
        },
        {
          "id": "CVE-2020-36791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: keep alloc_hash updated after hash allocation\n\nIn commit 599be01ee567 (\"net_sched: fix an OOB access in cls_tcindex\")\nI moved cp->hash calculation before the first\ntcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.\nThis difference could lead to another out of bound access.\n\ncp->alloc_hash should always be the size allocated, we should\nupdate it after this tcindex_alloc_perfect_hash().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-36791",
          "detail": "fixed-version",
          "description": "Fixed from version 5.5.14"
        },
        {
          "id": "CVE-2020-7053",
          "summary": "In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-7053"
        },
        {
          "id": "CVE-2020-8428",
          "summary": "fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8428"
        },
        {
          "id": "CVE-2020-8647",
          "summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.",
          "scorev2": "3.6",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8647"
        },
        {
          "id": "CVE-2020-8648",
          "summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8648"
        },
        {
          "id": "CVE-2020-8649",
          "summary": "There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.",
          "scorev2": "3.6",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8649"
        },
        {
          "id": "CVE-2020-8834",
          "summary": "KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 (\"KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\") 87a11bb6a7f7 (\"KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode\") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\") 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\") 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8834",
          "detail": "fixed-version",
          "description": "Fixed from version 4.18rc1"
        },
        {
          "id": "CVE-2020-8835",
          "summary": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8835"
        },
        {
          "id": "CVE-2020-8992",
          "summary": "ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-8992"
        },
        {
          "id": "CVE-2020-9383",
          "summary": "An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9383"
        },
        {
          "id": "CVE-2020-9391",
          "summary": "An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-9391"
        },
        {
          "id": "CVE-2021-0920",
          "summary": "In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References: Upstream kernel",
          "scorev2": "6.9",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0920"
        },
        {
          "id": "CVE-2021-20177",
          "summary": "A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system. Kernel before kernel 5.5-rc1 is affected.",
          "scorev2": "2.1",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20177"
        },
        {
          "id": "CVE-2021-20194",
          "summary": "There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20194",
          "detail": "fixed-version",
          "description": "Fixed from version 5.10rc1"
        },
        {
          "id": "CVE-2021-20219",
          "summary": "A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20219"
        },
        {
          "id": "CVE-2021-20226",
          "summary": "A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.",
          "scorev2": "6.1",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20226"
        },
        {
          "id": "CVE-2021-20239",
          "summary": "A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20239"
        },
        {
          "id": "CVE-2021-20261",
          "summary": "A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.",
          "scorev2": "4.4",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20261"
        },
        {
          "id": "CVE-2021-20265",
          "summary": "A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20265",
          "detail": "fixed-version",
          "description": "Fixed from version 4.5rc3"
        },
        {
          "id": "CVE-2021-20268",
          "summary": "An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20268"
        },
        {
          "id": "CVE-2021-20292",
          "summary": "There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20292"
        },
        {
          "id": "CVE-2021-20317",
          "summary": "A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20317"
        },
        {
          "id": "CVE-2021-20320",
          "summary": "A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20320"
        },
        {
          "id": "CVE-2021-20321",
          "summary": "A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20321"
        },
        {
          "id": "CVE-2021-20322",
          "summary": "A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.",
          "scorev2": "5.8",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-20322"
        },
        {
          "id": "CVE-2021-21781",
          "summary": "An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process\u2019s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11",
          "scorev2": "2.1",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-21781"
        },
        {
          "id": "CVE-2021-22543",
          "summary": "An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "8.7",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22543"
        },
        {
          "id": "CVE-2021-22555",
          "summary": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space",
          "scorev2": "4.6",
          "scorev3": "8.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22555"
        },
        {
          "id": "CVE-2021-22600",
          "summary": "A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755",
          "scorev2": "7.2",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-22600"
        },
        {
          "id": "CVE-2021-23133",
          "summary": "A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.",
          "scorev2": "6.9",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23133"
        },
        {
          "id": "CVE-2021-23134",
          "summary": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23134"
        },
        {
          "id": "CVE-2021-26708",
          "summary": "A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26708"
        },
        {
          "id": "CVE-2021-26930",
          "summary": "An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26930"
        },
        {
          "id": "CVE-2021-26931",
          "summary": "An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26931"
        },
        {
          "id": "CVE-2021-26932",
          "summary": "An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26932"
        },
        {
          "id": "CVE-2021-26934",
          "summary": "An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26934"
        },
        {
          "id": "CVE-2021-27363",
          "summary": "An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27363"
        },
        {
          "id": "CVE-2021-27364",
          "summary": "An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27364"
        },
        {
          "id": "CVE-2021-27365",
          "summary": "An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365"
        },
        {
          "id": "CVE-2021-28038",
          "summary": "An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.",
          "scorev2": "4.9",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28038"
        },
        {
          "id": "CVE-2021-28039",
          "summary": "An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28039"
        },
        {
          "id": "CVE-2021-28375",
          "summary": "An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28375"
        },
        {
          "id": "CVE-2021-28660",
          "summary": "rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.",
          "scorev2": "8.3",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28660"
        },
        {
          "id": "CVE-2021-28688",
          "summary": "The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28688"
        },
        {
          "id": "CVE-2021-28691",
          "summary": "Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28691"
        },
        {
          "id": "CVE-2021-28714",
          "summary": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28714"
        },
        {
          "id": "CVE-2021-28715",
          "summary": "Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)",
          "scorev2": "2.1",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28715"
        },
        {
          "id": "CVE-2021-28950",
          "summary": "An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A \"stall on CPU\" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28950"
        },
        {
          "id": "CVE-2021-28951",
          "summary": "An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28951"
        },
        {
          "id": "CVE-2021-28952",
          "summary": "An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This has been fixed in 5.12-rc4.)",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28952"
        },
        {
          "id": "CVE-2021-28964",
          "summary": "A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28964"
        },
        {
          "id": "CVE-2021-28971",
          "summary": "In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28971"
        },
        {
          "id": "CVE-2021-28972",
          "summary": "In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.",
          "scorev2": "7.2",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-28972"
        },
        {
          "id": "CVE-2021-29154",
          "summary": "BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29154"
        },
        {
          "id": "CVE-2021-29155",
          "summary": "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29155"
        },
        {
          "id": "CVE-2021-29264",
          "summary": "An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29264"
        },
        {
          "id": "CVE-2021-29265",
          "summary": "An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29265"
        },
        {
          "id": "CVE-2021-29266",
          "summary": "An issue was discovered in the Linux kernel before 5.11.9. drivers/vhost/vdpa.c has a use-after-free because v->config_ctx has an invalid value upon re-opening a character device, aka CID-f6bbf0010ba0.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29266"
        },
        {
          "id": "CVE-2021-29646",
          "summary": "An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29646"
        },
        {
          "id": "CVE-2021-29647",
          "summary": "An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29647"
        },
        {
          "id": "CVE-2021-29648",
          "summary": "An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system crash upon an unexpected access attempt (in map_create in kernel/bpf/syscall.c or check_btf_info in kernel/bpf/verifier.c), aka CID-350a5c4dd245.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29648"
        },
        {
          "id": "CVE-2021-29649",
          "summary": "An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c, aka CID-f60a85cad677.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29649"
        },
        {
          "id": "CVE-2021-29650",
          "summary": "An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29650"
        },
        {
          "id": "CVE-2021-29657",
          "summary": "arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.",
          "scorev2": "6.9",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29657"
        },
        {
          "id": "CVE-2021-30002",
          "summary": "An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.",
          "scorev2": "2.1",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30002"
        },
        {
          "id": "CVE-2021-30178",
          "summary": "An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-30178"
        },
        {
          "id": "CVE-2021-31440",
          "summary": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.",
          "scorev2": "6.9",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31440"
        },
        {
          "id": "CVE-2021-3178",
          "summary": "fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior",
          "scorev2": "5.5",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178"
        },
        {
          "id": "CVE-2021-31829",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31829"
        },
        {
          "id": "CVE-2021-31916",
          "summary": "An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
          "scorev2": "6.1",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-31916"
        },
        {
          "id": "CVE-2021-32078",
          "summary": "An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access to element -2 of an array, aka CID-298a58e165e4.",
          "scorev2": "6.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32078"
        },
        {
          "id": "CVE-2021-32399",
          "summary": "net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32399"
        },
        {
          "id": "CVE-2021-32606",
          "summary": "In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-32606"
        },
        {
          "id": "CVE-2021-33033",
          "summary": "The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33033"
        },
        {
          "id": "CVE-2021-33034",
          "summary": "In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33034"
        },
        {
          "id": "CVE-2021-33200",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33200"
        },
        {
          "id": "CVE-2021-3347",
          "summary": "An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3347"
        },
        {
          "id": "CVE-2021-3348",
          "summary": "nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3348"
        },
        {
          "id": "CVE-2021-33624",
          "summary": "In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.",
          "scorev2": "4.7",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33624"
        },
        {
          "id": "CVE-2021-33655",
          "summary": "When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33655"
        },
        {
          "id": "CVE-2021-33656",
          "summary": "When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656"
        },
        {
          "id": "CVE-2021-33909",
          "summary": "fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33909"
        },
        {
          "id": "CVE-2021-3411",
          "summary": "A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3411"
        },
        {
          "id": "CVE-2021-3428",
          "summary": "A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an integer overflow, A local attacker with a special user privilege may cause a system crash problem which can lead to an availability threat.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3428"
        },
        {
          "id": "CVE-2021-3444",
          "summary": "The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (\"bpf: Fix truncation handling for mod32 dst reg wrt zero\") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3444"
        },
        {
          "id": "CVE-2021-34556",
          "summary": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34556"
        },
        {
          "id": "CVE-2021-34693",
          "summary": "net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34693"
        },
        {
          "id": "CVE-2021-3483",
          "summary": "A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3483"
        },
        {
          "id": "CVE-2021-34866",
          "summary": "This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34866"
        },
        {
          "id": "CVE-2021-3489",
          "summary": "The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (\"bpf, ringbuf: Deny reserve of buffers larger than ringbuf\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (\"bpf: Implement BPF ring buffer and verifier support for it\") (v5.8-rc1).",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3489"
        },
        {
          "id": "CVE-2021-3490",
          "summary": "The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (\"bpf: Fix alu32 const subreg bound tracking on bitwise operations\") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (\"bpf: Verifier, do explicit ALU32 bounds tracking\") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (\"bpf:Fix a verifier failure with xor\") ( 5.10-rc1).",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3490"
        },
        {
          "id": "CVE-2021-3491",
          "summary": "The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1).",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3491"
        },
        {
          "id": "CVE-2021-34981",
          "summary": "Linux Kernel Bluetooth CMTP Module Double Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the CMTP module. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-11977.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-34981"
        },
        {
          "id": "CVE-2021-3501",
          "summary": "A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3501"
        },
        {
          "id": "CVE-2021-35039",
          "summary": "kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35039"
        },
        {
          "id": "CVE-2021-3506",
          "summary": "An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
          "scorev2": "5.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3506"
        },
        {
          "id": "CVE-2021-35477",
          "summary": "In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-35477"
        },
        {
          "id": "CVE-2021-3564",
          "summary": "A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3564",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13rc5"
        },
        {
          "id": "CVE-2021-3573",
          "summary": "A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5.",
          "scorev2": "6.9",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3573"
        },
        {
          "id": "CVE-2021-3600",
          "summary": "It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3600"
        },
        {
          "id": "CVE-2021-3609",
          "summary": ".A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3609"
        },
        {
          "id": "CVE-2021-3612",
          "summary": "An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3612"
        },
        {
          "id": "CVE-2021-3635",
          "summary": "A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3635"
        },
        {
          "id": "CVE-2021-3640",
          "summary": "A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640"
        },
        {
          "id": "CVE-2021-3653",
          "summary": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"int_ctl\" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.",
          "scorev2": "6.1",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3653"
        },
        {
          "id": "CVE-2021-3655",
          "summary": "A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3655"
        },
        {
          "id": "CVE-2021-3656",
          "summary": "A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"virt_ext\" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3656"
        },
        {
          "id": "CVE-2021-3659",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3659"
        },
        {
          "id": "CVE-2021-3669",
          "summary": "A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3669",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15rc1"
        },
        {
          "id": "CVE-2021-3679",
          "summary": "A lack of CPU resources in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing a denial of service.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3679"
        },
        {
          "id": "CVE-2021-3714",
          "summary": "A flaw was found in the Linux kernel's memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page-sized files and detect the change in access time from a networked service to determine if the page has been merged.",
          "scorev2": "0.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3714"
        },
        {
          "id": "CVE-2021-3715",
          "summary": "A flaw was found in the \"Routing decision\" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3715"
        },
        {
          "id": "CVE-2021-37159",
          "summary": "hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.",
          "scorev2": "4.4",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37159"
        },
        {
          "id": "CVE-2021-3732",
          "summary": "A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3732"
        },
        {
          "id": "CVE-2021-3736",
          "summary": "A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. This flaw could allow a local attacker to leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3736"
        },
        {
          "id": "CVE-2021-3739",
          "summary": "A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires \u2018CAP_SYS_ADMIN\u2019. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3739"
        },
        {
          "id": "CVE-2021-3743",
          "summary": "An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3743"
        },
        {
          "id": "CVE-2021-3744",
          "summary": "A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar to the older CVE-2019-18808.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3744"
        },
        {
          "id": "CVE-2021-3752",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
          "scorev2": "7.9",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3752"
        },
        {
          "id": "CVE-2021-3753",
          "summary": "A race problem was seen in vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out-of-bounds read in vt, as the write access to vc_mode is not protected by a lock in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3753"
        },
        {
          "id": "CVE-2021-37576",
          "summary": "arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-37576"
        },
        {
          "id": "CVE-2021-3759",
          "summary": "A memory overflow vulnerability was found in the Linux kernel\u2019s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3759",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15rc1"
        },
        {
          "id": "CVE-2021-3760",
          "summary": "A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3760"
        },
        {
          "id": "CVE-2021-3764",
          "summary": "A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3764"
        },
        {
          "id": "CVE-2021-3772",
          "summary": "A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.",
          "scorev2": "5.8",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3772"
        },
        {
          "id": "CVE-2021-3773",
          "summary": "A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3773"
        },
        {
          "id": "CVE-2021-38160",
          "summary": "In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38160"
        },
        {
          "id": "CVE-2021-38166",
          "summary": "In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impractical without the CAP_SYS_ADMIN capability.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38166"
        },
        {
          "id": "CVE-2021-38198",
          "summary": "arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38198"
        },
        {
          "id": "CVE-2021-38199",
          "summary": "fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.",
          "scorev2": "3.3",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38199"
        },
        {
          "id": "CVE-2021-38200",
          "summary": "arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12.13, on systems with perf_event_paranoid=-1 and no specific PMU driver support registered, allows local users to cause a denial of service (perf_instruction_pointer NULL pointer dereference and OOPS) via a \"perf record\" command.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38200"
        },
        {
          "id": "CVE-2021-38201",
          "summary": "net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38201"
        },
        {
          "id": "CVE-2021-38202",
          "summary": "fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38202"
        },
        {
          "id": "CVE-2021-38203",
          "summary": "btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38203"
        },
        {
          "id": "CVE-2021-38204",
          "summary": "drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.",
          "scorev2": "4.6",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38204"
        },
        {
          "id": "CVE-2021-38205",
          "summary": "drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38205"
        },
        {
          "id": "CVE-2021-38206",
          "summary": "The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38206"
        },
        {
          "id": "CVE-2021-38207",
          "summary": "drivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38207"
        },
        {
          "id": "CVE-2021-38208",
          "summary": "net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38208"
        },
        {
          "id": "CVE-2021-38209",
          "summary": "net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38209"
        },
        {
          "id": "CVE-2021-38300",
          "summary": "arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38300"
        },
        {
          "id": "CVE-2021-3847",
          "summary": "A flaw allowing unauthorized execution of a setuid file with capabilities was found in the Linux kernel OverlayFS subsystem, in the way a user copies a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847"
        },
        {
          "id": "CVE-2021-3864",
          "summary": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864"
        },
        {
          "id": "CVE-2021-3923",
          "summary": "A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.",
          "scorev2": "0.0",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-3923"
        },
        {
          "id": "CVE-2021-4001",
          "summary": "A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped address space. This flaw affects kernel versions prior to 5.16 rc2.",
          "scorev2": "4.7",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4001"
        },
        {
          "id": "CVE-2021-4002",
          "summary": "A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way a user maps some regions of memory twice using shmget(), with the regions aligned to PUD alignment and some of the memory pages faulting. A local user could use this flaw to get unauthorized access to some data.",
          "scorev2": "3.6",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4002"
        },
        {
          "id": "CVE-2021-4023",
          "summary": "A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1. The kernel can panic when an improper cancellation operation triggers the submission of new io-uring operations during a shortage of free space. This flaw allows a local user with permissions to execute io-uring requests to possibly crash the system.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4023"
        },
        {
          "id": "CVE-2021-4028",
          "summary": "A flaw in the Linux kernel's implementation of the RDMA communications manager listener code allowed an attacker with local access to set up a socket listening on a high port, allowing a list element to be used after free. Given the ability to execute code, a local attacker could leverage this use-after-free to crash the system or possibly escalate privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4028"
        },
        {
          "id": "CVE-2021-4032",
          "summary": "A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when an allocation failure was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happen during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4032"
        },
        {
          "id": "CVE-2021-4037",
          "summary": "A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases where they should not be. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for XFS.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4037"
        },
        {
          "id": "CVE-2021-40490",
          "summary": "A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-40490"
        },
        {
          "id": "CVE-2021-4083",
          "summary": "A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4083"
        },
        {
          "id": "CVE-2021-4090",
          "summary": "An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. A missing sanity check may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.",
          "scorev2": "6.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4090"
        },
        {
          "id": "CVE-2021-4093",
          "summary": "A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4093"
        },
        {
          "id": "CVE-2021-4095",
          "summary": "A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1.",
          "scorev2": "1.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4095"
        },
        {
          "id": "CVE-2021-41073",
          "summary": "loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41073"
        },
        {
          "id": "CVE-2021-4135",
          "summary": "A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way a user uses BPF for the device such that the function nsim_map_alloc_elem is called. A local user could use this flaw to get unauthorized access to some data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4135"
        },
        {
          "id": "CVE-2021-4148",
          "summary": "A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4148"
        },
        {
          "id": "CVE-2021-4149",
          "summary": "A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4149"
        },
        {
          "id": "CVE-2021-4150",
          "summary": "A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4150"
        },
        {
          "id": "CVE-2021-4154",
          "summary": "A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.",
          "scorev2": "7.2",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4154"
        },
        {
          "id": "CVE-2021-4155",
          "summary": "A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4155"
        },
        {
          "id": "CVE-2021-4157",
          "summary": "An out-of-bounds memory write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.",
          "scorev2": "7.4",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:M/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4157"
        },
        {
          "id": "CVE-2021-4159",
          "summary": "A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4159"
        },
        {
          "id": "CVE-2021-41864",
          "summary": "prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41864"
        },
        {
          "id": "CVE-2021-4197",
          "summary": "An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged processes that are controlled by cgroups and have a higher privileged parent process. It affects both the cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4197"
        },
        {
          "id": "CVE-2021-42008",
          "summary": "The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42008"
        },
        {
          "id": "CVE-2021-4202",
          "summary": "A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4202"
        },
        {
          "id": "CVE-2021-4203",
          "summary": "A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with user privileges may crash the system or leak internal kernel information.",
          "scorev2": "4.9",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4203"
        },
        {
          "id": "CVE-2021-4204",
          "summary": "An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4204"
        },
        {
          "id": "CVE-2021-4218",
          "summary": "A flaw was found in the Linux kernel\u2019s implementation of reading the SVC RDMA counters. Reading the counter sysctl panics the system. This flaw allows a local attacker with local access to cause a denial of service while the system reboots. The issue is specific to CentOS/RHEL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4218",
          "detail": "fixed-version",
          "description": "Fixed from version 5.8rc1"
        },
        {
          "id": "CVE-2021-42252",
          "summary": "An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42252"
        },
        {
          "id": "CVE-2021-42327",
          "summary": "dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42327"
        },
        {
          "id": "CVE-2021-42739",
          "summary": "The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42739"
        },
        {
          "id": "CVE-2021-43056",
          "summary": "An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43056"
        },
        {
          "id": "CVE-2021-43057",
          "summary": "An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs because of an attempt to access the subjective credentials of another task.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43057"
        },
        {
          "id": "CVE-2021-43267",
          "summary": "An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.",
          "scorev2": "7.5",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43267"
        },
        {
          "id": "CVE-2021-43389",
          "summary": "An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43389"
        },
        {
          "id": "CVE-2021-43975",
          "summary": "In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43975"
        },
        {
          "id": "CVE-2021-43976",
          "summary": "In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).",
          "scorev2": "2.1",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-43976"
        },
        {
          "id": "CVE-2021-4439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: cpai: check ctr->cnr to avoid array index out of bound\n\nThe cmtp_add_connection() would add a cmtp session to a controller\nand run a kernel thread to process cmtp.\n\n\t__module_get(THIS_MODULE);\n\tsession->task = kthread_run(cmtp_session, session, \"kcmtpd_ctr_%d\",\n\t\t\t\t\t\t\t\tsession->num);\n\nDuring this process, the kernel thread would call detach_capi_ctr()\nto detach a register controller. if the controller\nwas not attached yet, detach_capi_ctr() would\ntrigger an array-index-out-bounds bug.\n\n[   46.866069][ T6479] UBSAN: array-index-out-of-bounds in\ndrivers/isdn/capi/kcapi.c:483:21\n[   46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'\n[   46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted\n5.15.0-rc2+ #8\n[   46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,\n1996), BIOS 1.14.0-2 04/01/2014\n[   46.870107][ T6479] Call Trace:\n[   46.870473][ T6479]  dump_stack_lvl+0x57/0x7d\n[   46.870974][ T6479]  ubsan_epilogue+0x5/0x40\n[   46.871458][ T6479]  __ubsan_handle_out_of_bounds.cold+0x43/0x48\n[   46.872135][ T6479]  detach_capi_ctr+0x64/0xc0\n[   46.872639][ T6479]  cmtp_session+0x5c8/0x5d0\n[   46.873131][ T6479]  ? __init_waitqueue_head+0x60/0x60\n[   46.873712][ T6479]  ? cmtp_add_msgpart+0x120/0x120\n[   46.874256][ T6479]  kthread+0x147/0x170\n[   46.874709][ T6479]  ? set_kthread_struct+0x40/0x40\n[   46.875248][ T6479]  ret_from_fork+0x1f/0x30\n[   46.875773][ T6479]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4439",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-4440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: Drop USERGS_SYSRET64 paravirt call\n\ncommit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.\n\nUSERGS_SYSRET64 is used to return from a syscall via SYSRET, but\na Xen PV guest will nevertheless use the IRET hypercall, as there\nis no sysret PV hypercall defined.\n\nSo instead of testing all the prerequisites for doing a sysret and\nthen mangling the stack for Xen PV again for doing an iret just use\nthe iret exit from the beginning.\n\nThis can easily be done via an ALTERNATIVE like it is done for the\nsysenter compat case already.\n\nIt should be noted that this drops the optimization in Xen for not\nrestoring a few registers when returning to user mode, but it seems\nas if the saved instructions in the kernel more than compensate for\nthis drop (a kernel build in a Xen PV guest was slightly faster with\nthis patch applied).\n\nWhile at it remove the stale sysret32 remnants.\n\n  [ pawan: Brad Spengler and Salvatore Bonaccorso <carnil@debian.org>\n\t   reported a problem with the 5.10 backport commit edc702b4a820\n\t   (\"x86/entry_64: Add VERW just before userspace transition\").\n\n\t   When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in\n\t   syscall_return_via_sysret path as USERGS_SYSRET64 is runtime\n\t   patched to:\n\n\t.cpu_usergs_sysret64    = { 0x0f, 0x01, 0xf8,\n\t\t\t\t    0x48, 0x0f, 0x07 }, // swapgs; sysretq\n\n\t   which is missing CLEAR_CPU_BUFFERS. It turns out dropping\n\t   USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS\n\t   to be explicitly added to syscall_return_via_sysret path. Below\n\t   is with CONFIG_PARAVIRT_XXL=y and this patch applied:\n\n\t   syscall_return_via_sysret:\n\t   ...\n\t   <+342>:   swapgs\n\t   <+345>:   xchg   %ax,%ax\n\t   <+347>:   verw   -0x1a2(%rip)  <------\n\t   <+354>:   sysretq\n  ]",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4440",
          "detail": "fixed-version",
          "description": "Fixed from version 5.10.218"
        },
        {
          "id": "CVE-2021-4441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()\n\nIn zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),\nwhich could lead to a NULL pointer dereference on failure of\nkzalloc().\n\nFix this bug by adding a check of tmpbuf.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,\nand our static analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4441",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-4442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity tests to TCP_QUEUE_SEQ\n\nQingyu Li reported a syzkaller bug where the repro\nchanges RCV SEQ _after_ restoring data in the receive queue.\n\nmprotect(0x4aa000, 12288, PROT_READ)    = 0\nmmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000\nmmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000\nmmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000\nsocket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3\nsetsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0\nconnect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, \"::1\", &sin6_addr), sin6_scope_id=0}, 28) = 0\nsetsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0\nsendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"0x0000000000000003\\0\\0\", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20\nsetsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0\nsetsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0\nrecvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)\n\nsyslog shows:\n[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0\n[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0\n\nThis should not be allowed. TCP_QUEUE_SEQ should only be used\nwhen queues are empty.\n\nThis patch fixes this case, and the tx path as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4442",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-4453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a potential gpu_metrics_table memory leak\n\nMemory is allocated for gpu_metrics_table in renoir_init_smc_tables(),\nbut not freed in int smu_v12_0_fini_smc_tables(). Free it!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4453",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-4454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate\n\nThe conclusion \"j1939_session_deactivate() should be called with a\nsession ref-count of at least 2\" is incorrect. In some concurrent\nscenarios, j1939_session_deactivate can be called with the session\nref-count less than 2. But there is not any problem because it\nwill check the session active state before session putting in\nj1939_session_deactivate_locked().\n\nHere is the concurrent scenario of the problem reported by syzbot\nand my reproduction log.\n\n        cpu0                            cpu1\n                                j1939_xtp_rx_eoma\nj1939_xtp_rx_abort_one\n                                j1939_session_get_by_addr [kref == 2]\nj1939_session_get_by_addr [kref == 3]\nj1939_session_deactivate [kref == 2]\nj1939_session_put [kref == 1]\n\t\t\t\tj1939_session_completed\n\t\t\t\tj1939_session_deactivate\n\t\t\t\tWARN_ON_ONCE(kref < 2)\n\n=====================================================\nWARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70\nCPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:j1939_session_deactivate+0x5f/0x70\nCall Trace:\n j1939_session_deactivate_activate_next+0x11/0x28\n j1939_xtp_rx_eoma+0x12a/0x180\n j1939_tp_recv+0x4a2/0x510\n j1939_can_recv+0x226/0x380\n can_rcv_filter+0xf8/0x220\n can_receive+0x102/0x220\n ? process_backlog+0xf0/0x2c0\n can_rcv+0x53/0xf0\n __netif_receive_skb_one_core+0x67/0x90\n ? process_backlog+0x97/0x2c0\n __netif_receive_skb+0x22/0x80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4454",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2021-4460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix UBSAN shift-out-of-bounds warning\n\nIf get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up\ndoing a shift operation where the number of bits shifted equals\nnumber of bits in the operand. This behaviour is undefined.\n\nSet num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the\ncount is >= number of bits in the operand.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-4460",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-44733",
          "summary": "A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44733"
        },
        {
          "id": "CVE-2021-44879",
          "summary": "In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-44879"
        },
        {
          "id": "CVE-2021-45095",
          "summary": "pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45095"
        },
        {
          "id": "CVE-2021-45402",
          "summary": "The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a \"pointer leak.\"",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45402"
        },
        {
          "id": "CVE-2021-45469",
          "summary": "In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45469"
        },
        {
          "id": "CVE-2021-45480",
          "summary": "An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.",
          "scorev2": "4.7",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45480"
        },
        {
          "id": "CVE-2021-45485",
          "summary": "In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45485"
        },
        {
          "id": "CVE-2021-45486",
          "summary": "In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.",
          "scorev2": "2.7",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45486"
        },
        {
          "id": "CVE-2021-45868",
          "summary": "In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.",
          "scorev2": "4.3",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-45868"
        },
        {
          "id": "CVE-2021-46283",
          "summary": "nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expression in their own namespace.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46283"
        },
        {
          "id": "CVE-2021-46904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix null-ptr-deref during tty device unregistration\n\nMultiple ttys try to claim the same the minor number causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\n\nThe get_free_serial_index() function returns an available minor number\nbut doesn't assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\n\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found to be and rename it to obtain_minor()\nto better reflect what it does. Similary, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. Every obtain_minor() should have corresponding\nrelease_minor() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46904",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix NULL-deref on disconnect regression\n\nCommit 8a12f8836145 (\"net: hso: fix null-ptr-deref during tty device\nunregistration\") fixed the racy minor allocation reported by syzbot, but\nintroduced an unconditional NULL-pointer dereference on every disconnect\ninstead.\n\nSpecifically, the serial device table must no longer be accessed after\nthe minor has been released by hso_serial_tty_unregister().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46905",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: fix info leak in hid_submit_ctrl\n\nIn hid_submit_ctrl(), the way of calculating the report length doesn't\ntake into account that report->size can be zero. When running the\nsyzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to\ncalculate transfer_buffer_length as 16384. When this urb is passed to\nthe usb core layer, KMSAN reports an info leak of 16384 bytes.\n\nTo fix this, first modify hid_report_len() to account for the zero\nreport size case by using DIV_ROUND_UP for the division. Then, call it\nfrom hid_submit_ctrl().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46906",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use correct permission flag for mixed signed bounds arithmetic\n\nWe forbid adding unknown scalars with mixed signed bounds due to the\nspectre v1 masking mitigation. Hence this also needs bypass_spec_v1\nflag instead of allow_ptr_leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46908",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: footbridge: fix PCI interrupt mapping\n\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46909",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled\n\nThe debugging code for kmap_local() doubles the number of per-CPU fixmap\nslots allocated for kmap_local(), in order to use half of them as guard\nregions. This causes the fixmap region to grow downwards beyond the start\nof its reserved window if the supported number of CPUs is large, and collide\nwith the newly added virtual DT mapping right below it, which is obviously\nnot good.\n\nOne manifestation of this is EFI boot on a kernel built with NR_CPUS=32\nand CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting\nin block entries below the fixmap region that the fixmap code misidentifies\nas fixmap table entries, and subsequently tries to dereference using a\nphys-to-virt translation that is only valid for lowmem. This results in a\ncryptic splat such as the one below.\n\n  ftrace: allocating 45548 entries in 89 pages\n  8<--- cut here ---\n  Unable to handle kernel paging request at virtual address fc6006f0\n  pgd = (ptrval)\n  [fc6006f0] *pgd=80000040207003, *pmd=00000000\n  Internal error: Oops: a06 [#1] SMP ARM\n  Modules linked in:\n  CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382\n  Hardware name: Generic DT based system\n  PC is at cpu_ca15_set_pte_ext+0x24/0x30\n  LR is at __set_fixmap+0xe4/0x118\n  pc : [<c041ac9c>]    lr : [<c04189d8>]    psr: 400000d3\n  sp : c1601ed8  ip : 00400000  fp : 00800000\n  r10: 0000071f  r9 : 00421000  r8 : 00c00000\n  r7 : 00c00000  r6 : 0000071f  r5 : ffade000  r4 : 4040171f\n  r3 : 00c00000  r2 : 4040171f  r1 : c041ac78  r0 : fc6006f0\n  Flags: nZcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none\n  Control: 30c5387d  Table: 40203000  DAC: 00000001\n  Process swapper (pid: 0, stack limit = 0x(ptrval))\n\nSo let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,\nfix the BUILD_BUG_ON() check that was supposed to catch this, by checking\nwhether the region grows below the start address rather than above the end\naddress.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46910",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nch_ktls: Fix kernel panic\n\nTaking page refcount is not ideal and causes kernel panic\nsometimes. It's better to take tx_ctx lock for the complete\nskb transmit, to avoid page cleanup if ACK received in middle.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46911",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Make tcp_allowed_congestion_control readonly in non-init netns\n\nCurrently, tcp_allowed_congestion_control is global and writable;\nwriting to it in any net namespace will leak into all other net\nnamespaces.\n\ntcp_available_congestion_control and tcp_allowed_congestion_control are\nthe only sysctls in ipv4_net_table (the per-netns sysctl table) with a\nNULL data pointer; their handlers (proc_tcp_available_congestion_control\nand proc_allowed_congestion_control) have no other way of referencing a\nstruct net. Thus, they operate globally.\n\nBecause ipv4_net_table does not use designated initializers, there is no\neasy way to fix up this one \"bad\" table entry. However, the data pointer\nupdating logic shouldn't be applied to NULL pointers anyway, so we\ninstead force these entries to be read-only.\n\nThese sysctls used to exist in ipv4_table (init-net only), but they were\nmoved to the per-net ipv4_net_table, presumably without realizing that\ntcp_allowed_congestion_control was writable and thus introduced a leak.\n\nBecause the intent of that commit was only to know (i.e. read) \"which\ncongestion algorithms are available or allowed\", this read-only solution\nshould be sufficient.\n\nThe logic added in recent commit\n31c4d2f160eb: (\"net: Ensure net namespace isolation of sysctls\")\ndoes not and cannot check for NULL data pointers, because\nother table entries (e.g. /proc/sys/net/netfilter/nf_log/) have\n.data=NULL but use other methods (.extra2) to access the struct net.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46912",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: clone set element expression template\n\nmemcpy() breaks when using connlimit in set elements. Use\nnft_expr_clone() to initialize the connlimit expression list, otherwise\nconnlimit garbage collector crashes when walking on the list head copy.\n\n[  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]\n[  493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83\n[  493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297\n[  493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000\n[  493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0\n[  493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c\n[  493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001\n[  493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000\n[  493.064721] FS:  0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000\n[  493.064725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0\n[  493.064733] Call Trace:\n[  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]\n[  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46913",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix unbalanced device enable/disable in suspend/resume\n\npci_disable_device() called in __ixgbe_shutdown() decreases\ndev->enable_cnt by 1. pci_enable_device_mem() which increases\ndev->enable_cnt by 1, was removed from ixgbe_resume() in commit\n6f82b2558735 (\"ixgbe: use generic power management\"). This caused\nunbalanced increase/decrease. So add pci_enable_device_mem() back.\n\nFix the following call trace.\n\n  ixgbe 0000:17:00.1: disabling already-disabled device\n  Call Trace:\n   __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]\n   ixgbe_suspend+0x32/0x70 [ixgbe]\n   pci_pm_suspend+0x87/0x160\n   ? pci_pm_freeze+0xd0/0xd0\n   dpm_run_callback+0x42/0x170\n   __device_suspend+0x114/0x460\n   async_suspend+0x1f/0xa0\n   async_run_entry_fn+0x3c/0xf0\n   process_one_work+0x1dd/0x410\n   worker_thread+0x34/0x3f0\n   ? cancel_delayed_work+0x90/0x90\n   kthread+0x14c/0x170\n   ? kthread_park+0x90/0x90\n   ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46914",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_limit: avoid possible divide error in nft_limit_init\n\ndiv_u64() divides u64 by u32.\n\nnft_limit_init() wants to divide u64 by u64, use the appropriate\nmath function (div64_u64)\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]\nRIP: 0010:div_u64 include/linux/math64.h:127 [inline]\nRIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85\nCode: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00\nRSP: 0018:ffffc90009447198 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003\nRBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000\nR10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]\n nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713\n nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160\n nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321\n nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46915",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ethtool loopback test\n\nThe ixgbe driver currently generates a NULL pointer dereference when\nperforming the ethtool loopback test. This is due to the fact that there\nisn't a q_vector associated with the test ring when it is setup as\ninterrupts are not normally added to the test rings.\n\nTo address this I have added code that will check for a q_vector before\nreturning a napi_id value. If a q_vector is not present it will return a\nvalue of 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46916",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq cleanup of WQCFG registers\n\nA pre-release silicon erratum workaround where wq reset does not clear\nWQCFG registers was leaked into upstream code. Use wq reset command\ninstead of blasting the MMIO region. This also address an issue where\nwe clobber registers in future devices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46917",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: clear MSIX permission entry on shutdown\n\nAdd disabling/clearing of MSIX permission entries on device shutdown to\nmirror the enabling of the MSIX entries on probe. Current code left the\nMSIX enabled and the pasid entries still programmed at device shutdown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46918",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix wq size store permission state\n\nWQ size can only be changed when the device is disabled. Current code\nallows change when device is enabled but wq is disabled. Change the check\nto detect device state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46919",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback\n\nCurrent code blindly writes over the SWERR and the OVERFLOW bits. Write\nback the bits actually read instead so the driver avoids clobbering the\nOVERFLOW bit that comes after the register is read.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46920",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed with the wait_lock held, a reader can\nacquire the lock without holding wait_lock.  The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn\u2019t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe've seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n  Writer                                | Reader\n  --------------------------------------------------------------------------------\n  ep_scan_ready_list()                  |\n  |- write_lock_irq()                   |\n      |- queued_write_lock_slowpath()   |\n\t|- atomic_cond_read_acquire()   |\n\t\t\t\t        | read_lock_irqsave(&ep->lock, flags);\n     --> (observes value before unlock) |  chain_epi_lockless()\n     |                                  |    epi->next = xchg(&ep->ovflist, epi);\n     |                                  | read_unlock_irqrestore(&ep->lock, flags);\n     |                                  |\n     |     atomic_cmpxchg_relaxed()     |\n     |-- READ_ONCE(ep->ovflist);        |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46921",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12"
        },
        {
          "id": "CVE-2021-46922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix TPM reservation for seal/unseal\n\nThe original patch 8c657a0590de (\"KEYS: trusted: Reserve TPM for seal\nand unseal operations\") was correct on the mailing list:\n\nhttps://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/\n\nBut somehow got rebased so that the tpm_try_get_ops() in\ntpm2_seal_trusted() got lost.  This causes an imbalanced put of the\nTPM ops and causes oopses on TIS based hardware.\n\nThis fix puts back the lost tpm_try_get_ops()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46922",
          "detail": "fixed-version",
          "description": "Fixed from version 5.11.17"
        },
        {
          "id": "CVE-2021-46923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mount_setattr: always cleanup mount_kattr\n\nMake sure that finish_mount_kattr() is called after mount_kattr was\nsuccesfully built in both the success and failure case to prevent\nleaking any references we took when we built it.  We returned early if\npath lookup failed thereby risking to leak an additional reference we\ntook when building mount_kattr when an idmapped mount was requested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46923",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: st21nfca: Fix memory leak in device probe and remove\n\n'phy->pending_skb' is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\n\nunreferenced object 0xffff88800bc06800 (size 512):\n  comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450\n    [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0\n    [<000000005fea522c>] __alloc_skb+0x124/0x380\n    [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2\n\nFix it by freeing 'pending_skb' in error and remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46924",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix kernel panic caused by race of smc_sock\n\nA crash occurs when smc_cdc_tx_handler() tries to access smc_sock\nbut smc_release() has already freed it.\n\n[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88\n[ 4570.696048] #PF: supervisor write access in kernel mode\n[ 4570.696728] #PF: error_code(0x0002) - not-present page\n[ 4570.697401] PGD 0 P4D 0\n[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111\n[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0\n[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30\n<...>\n[ 4570.711446] Call Trace:\n[ 4570.711746]  <IRQ>\n[ 4570.711992]  smc_cdc_tx_handler+0x41/0xc0\n[ 4570.712470]  smc_wr_tx_tasklet_fn+0x213/0x560\n[ 4570.712981]  ? smc_cdc_tx_dismisser+0x10/0x10\n[ 4570.713489]  tasklet_action_common.isra.17+0x66/0x140\n[ 4570.714083]  __do_softirq+0x123/0x2f4\n[ 4570.714521]  irq_exit_rcu+0xc4/0xf0\n[ 4570.714934]  common_interrupt+0xba/0xe0\n\nThough smc_cdc_tx_handler() checked the existence of smc connection,\nsmc_release() may have already dismissed and released the smc socket\nbefore smc_cdc_tx_handler() further visits it.\n\nsmc_cdc_tx_handler()           |smc_release()\nif (!conn)                     |\n                               |\n                               |smc_cdc_tx_dismiss_slots()\n                               |      smc_cdc_tx_dismisser()\n                               |\n                               |sock_put(&smc->sk) <- last sock_put,\n                               |                      smc_sock freed\nbh_lock_sock(&smc->sk) (panic) |\n\nTo make sure we won't receive any CDC messages after we free the\nsmc_sock, add a refcount on the smc_connection for inflight CDC\nmessage(posted to the QP but haven't received related CQE), and\ndon't release the smc_connection until all the inflight CDC messages\nhaven been done, for both success or failed ones.\n\nUsing refcount on CDC messages brings another problem: when the link\nis going to be destroyed, smcr_link_clear() will reset the QP, which\nthen remove all the pending CQEs related to the QP in the CQ. To make\nsure all the CQEs will always come back so the refcount on the\nsmc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced\nby smc_ib_modify_qp_error().\nAnd remove the timeout in smc_wr_tx_wait_no_pending_sends() since we\nneed to wait for all pending WQEs done, or we may encounter use-after-\nfree when handling CQEs.\n\nFor IB device removal routine, we need to wait for all the QPs on that\ndevice been destroyed before we can destroy CQs on the device, or\nthe refcount on smc_connection won't reach 0 and smc_sock cannot be\nreleased.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46925",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: harden detection of controller\n\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\n\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46926",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert\n\nAfter commit 5b78ed24e8ec (\"mm/pagemap: add mmap_assert_locked()\nannotations to find_vma*()\"), the call to get_user_pages() will trigger\nthe mmap assert.\n\nstatic inline void mmap_assert_locked(struct mm_struct *mm)\n{\n\tlockdep_assert_held(&mm->mmap_lock);\n\tVM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);\n}\n\n[   62.521410] kernel BUG at include/linux/mmap_lock.h:156!\n...........................................................\n[   62.538938] RIP: 0010:find_vma+0x32/0x80\n...........................................................\n[   62.605889] Call Trace:\n[   62.608502]  <TASK>\n[   62.610956]  ? lock_timer_base+0x61/0x80\n[   62.614106]  find_extend_vma+0x19/0x80\n[   62.617195]  __get_user_pages+0x9b/0x6a0\n[   62.620356]  __gup_longterm_locked+0x42d/0x450\n[   62.623721]  ? finish_wait+0x41/0x80\n[   62.626748]  ? __kmalloc+0x178/0x2f0\n[   62.629768]  ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]\n[   62.635776]  ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]\n[   62.639541]  __x64_sys_ioctl+0x82/0xb0\n[   62.642620]  do_syscall_64+0x3b/0x90\n[   62.645642]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUse get_user_pages_unlocked() when setting the enclave memory regions.\nThat's a similar pattern as mmap_read_lock() used together with\nget_user_pages().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46927",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Clear stale IIR value on instruction access rights trap\n\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region.  In this case it seems the CPU didn't even fetch\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\n\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46928",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: use call_rcu to free endpoint\n\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\n\n  BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n  Call Trace:\n    __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n    lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n    _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n    spin_lock_bh include/linux/spinlock.h:334 [inline]\n    __lock_sock+0x203/0x350 net/core/sock.c:2253\n    lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n    lock_sock include/net/sock.h:1492 [inline]\n    sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n    sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n    sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n    __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n    inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n    netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n    __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n    netlink_dump_start include/linux/netlink.h:216 [inline]\n    inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n    __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n    sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n    netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n    sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\n\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc->base.sk and before calling lock_sock(sk).\n\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\n\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\n\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp->asoc->ep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same as tsp->asoc->ep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\n\nNote that delaying endpoint free won't delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().\n\nThanks to Jones for bringing this issue up.\n\nv1->v2:\n  - improve the changelog.\n  - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46929",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix list_head check warning\n\nThis is caused by uninitialization of list_head.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4\n\nCall trace:\ndump_backtrace+0x0/0x298\nshow_stack+0x24/0x34\ndump_stack+0x130/0x1a8\nprint_address_description+0x88/0x56c\n__kasan_report+0x1b8/0x2a0\nkasan_report+0x14/0x20\n__asan_load8+0x9c/0xa0\n__list_del_entry_valid+0x34/0xe4\nmtu3_req_complete+0x4c/0x300 [mtu3]\nmtu3_gadget_stop+0x168/0x448 [mtu3]\nusb_gadget_unregister_driver+0x204/0x3a0\nunregister_gadget_item+0x44/0xa4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46930",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Wrap the tx reporter dump callback to extract the sq\n\nFunction mlx5e_tx_reporter_dump_sq() casts its void * argument to struct\nmlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually\nof type struct mlx5e_tx_timeout_ctx *.\n\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected\n mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000\n BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)\n kernel stack overflow (page fault): 0000 [#1] SMP NOPTI\n CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n [mlx5_core]\n Call Trace:\n mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]\n devlink_health_do_dump.part.91+0x71/0xd0\n devlink_health_report+0x157/0x1b0\n mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]\n ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0\n [mlx5_core]\n ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]\n ? update_load_avg+0x19b/0x550\n ? set_next_entity+0x72/0x80\n ? pick_next_task_fair+0x227/0x340\n ? finish_task_switch+0xa2/0x280\n   mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]\n   process_one_work+0x1de/0x3a0\n   worker_thread+0x2d/0x3c0\n ? process_one_work+0x3a0/0x3a0\n   kthread+0x115/0x130\n ? kthread_park+0x90/0x90\n   ret_from_fork+0x1f/0x30\n --[ end trace 51ccabea504edaff ]---\n RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: disabled\n end Kernel panic - not syncing: Fatal exception\n\nTo fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which\nextracts the sq from struct mlx5e_tx_timeout_ctx and set it as the\nTX-timeout-recovery flow dump callback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46931",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: appletouch - initialize work before device registration\n\nSyzbot has reported warning in __flush_work(). This warning is caused by\nwork->func == NULL, which means missing work initialization.\n\nThis may happen, since input_dev->close() calls\ncancel_work_sync(&dev->work), but dev->work initialization happens _after_\ninput_register_device() call.\n\nSo this patch moves dev->work initialization before registering input\ndevice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46932",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\n\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\nffs_ep0_release, so it ends up being called twice when userland closes ep0\nand then unmounts f_fs.\nIf userland provided an eventfd along with function's USB descriptors, it\nends up calling eventfd_ctx_put as many times, causing a refcount\nunderflow.\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\n\nAlso, set epfiles to NULL right after de-allocating it, for readability.\n\nFor completeness, ffs_data_clear actually ends up being called thrice, the\nlast call being before the whole ffs structure gets freed, so when this\nspecific sequence happens there is a second underflow happening (but not\nbeing reported):\n\n/sys/kernel/debug/tracing# modprobe usb_f_fs\n/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter\n/sys/kernel/debug/tracing# echo function > current_tracer\n/sys/kernel/debug/tracing# echo 1 > tracing_on\n(setup gadget, run and kill function userland process, teardown gadget)\n/sys/kernel/debug/tracing# echo 0 > tracing_on\n/sys/kernel/debug/tracing# cat trace\n smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed\n smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put\n\nWarning output corresponding to above trace:\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\n[ 1946.293094] refcount_t: underflow; use-after-free.\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1\n[ 1946.417950] Hardware name: BCM2835\n[ 1946.425442] Backtrace:\n[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)\n[ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\n[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)\n[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)\n[ 1946.482067]  r5:c04a948c r4:c0a71dc8\n[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)\n[ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\n[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)\n[ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\n[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)\n[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\n[ 1946.582664]  r5:c3b84c00 r4:c2695b00\n[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\n[ 1946.609608]  r5:bf54d014 r4:c2695b00\n[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\n[ 1946.636217]  r7:c0dfcb\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46933",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: validate user data in compat ioctl\n\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compat ioctl to prevent reported\nwarnings.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46934",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix async_free_space accounting for empty parcels\n\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\n\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless.  These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\n\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46935",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix use-after-free in tw_timer_handler\n\nA real world panic issue was found as follows in Linux 5.4.\n\n    BUG: unable to handle page fault for address: ffffde49a863de28\n    PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0\n    RIP: 0010:tw_timer_handler+0x20/0x40\n    Call Trace:\n     <IRQ>\n     call_timer_fn+0x2b/0x120\n     run_timer_softirq+0x1ef/0x450\n     __do_softirq+0x10d/0x2b8\n     irq_exit+0xc7/0xd0\n     smp_apic_timer_interrupt+0x68/0x120\n     apic_timer_interrupt+0xf/0x20\n\nThis issue has also been reported since 2017 in the thread [1];\nunfortunately, the issue could still be reproduced after fixing\nDCCP.\n\nThe ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net\nnamespace is destroyed since tcp_sk_ops is registered before\nipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops\nin the list of pernet_list. There will be a use-after-free on\nnet->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net\nif there are some inflight time-wait timers.\n\nThis bug is not introduced by commit f2bf415cfed7 (\"mib: add net to\nNET_ADD_STATS_BH\") since the net_statistics is a global variable\ninstead of dynamic allocation and freeing. Actually, commit\n61a7e26028b9 (\"mib: put net statistics on struct net\") introduces\nthe bug since it put net statistics on struct net and free it when\nnet namespace is destroyed.\n\nMove init_ipv4_mibs() to the front of tcp_init() to fix this bug\nand replace pr_crit() with panic() since continuing is meaningless\nwhen init_ipv4_mibs() fails.\n\n[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46936",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'\n\nDAMON debugfs interface increases the reference counts of 'struct pid's\nfor targets from the 'target_ids' file write callback\n('dbgfs_target_ids_write()'), but decreases the counts only in DAMON\nmonitoring termination callback ('dbgfs_before_terminate()').\n\nTherefore, when 'target_ids' file is repeatedly written without DAMON\nmonitoring start/termination, the reference count is not decreased and\ntherefore memory for the 'struct pid' cannot be freed.  This commit\nfixes this issue by decreasing the reference counts when 'target_ids' is\nwritten.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46937",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-46938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm rq: fix double free of blk_mq_tag_set in dev remove after table load fails\n\nWhen loading a device-mapper table for a request-based mapped device,\nand the allocation/initialization of the blk_mq_tag_set for the device\nfails, a following device remove will cause a double free.\n\nE.g. (dmesg):\n  device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device\n  device-mapper: ioctl: unable to set up device queue for new table.\n  Unable to handle kernel pointer dereference in virtual kernel address space\n  Failing address: 0305e098835de000 TEID: 0305e098835de803\n  Fault in home space mode while using kernel ASCE.\n  AS:000000025efe0007 R3:0000000000000024\n  Oops: 0038 ilc:3 [#1] SMP\n  Modules linked in: ... lots of modules ...\n  Supported: Yes, External\n  CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G        W      X    5.3.18-53-default #1 SLE15-SP3\n  Hardware name: IBM 8561 T01 7I2 (LPAR)\n  Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)\n             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000\n             000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000\n             000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640\n             00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8\n  Krnl Code: 000000025e368eb8: c4180041e100       lgrl    %r1,25eba50b8\n             000000025e368ebe: ecba06b93a55       risbg   %r11,%r10,6,185,58\n            #000000025e368ec4: e3b010000008       ag      %r11,0(%r1)\n            >000000025e368eca: e310b0080004       lg      %r1,8(%r11)\n             000000025e368ed0: a7110001           tmll    %r1,1\n             000000025e368ed4: a7740129           brc     7,25e369126\n             000000025e368ed8: e320b0080004       lg      %r2,8(%r11)\n             000000025e368ede: b904001b           lgr     %r1,%r11\n  Call Trace:\n   [<000000025e368eca>] kfree+0x42/0x330\n   [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8\n   [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]\n   [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]\n   [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]\n   [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]\n   [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]\n   [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]\n   [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0\n   [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40\n   [<000000025e8c15ac>] system_call+0xd8/0x2c8\n  Last Breaking-Event-Address:\n   [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\n\nWhen allocation/initialization of the blk_mq_tag_set fails in\ndm_mq_init_request_queue(), it is uninitialized/freed, but the pointer\nis not reset to NULL; so when dev_remove() later gets into\ndm_mq_cleanup_mapped_device() it sees the pointer and tries to\nuninitialize and free it again.\n\nFix this by setting the pointer to NULL in dm_mq_init_request_queue()\nerror-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46938",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Restructure trace_clock_global() to never block\n\nIt was reported that a fix to the ring buffer recursion detection would\ncause a hung machine when performing suspend / resume testing. The\nfollowing backtrace was extracted from debugging that case:\n\nCall Trace:\n trace_clock_global+0x91/0xa0\n __rb_reserve_next+0x237/0x460\n ring_buffer_lock_reserve+0x12a/0x3f0\n trace_buffer_lock_reserve+0x10/0x50\n __trace_graph_return+0x1f/0x80\n trace_graph_return+0xb7/0xf0\n ? trace_clock_global+0x91/0xa0\n ftrace_return_to_handler+0x8b/0xf0\n ? pv_hash+0xa0/0xa0\n return_to_handler+0x15/0x30\n ? ftrace_graph_caller+0xa0/0xa0\n ? trace_clock_global+0x91/0xa0\n ? __rb_reserve_next+0x237/0x460\n ? ring_buffer_lock_reserve+0x12a/0x3f0\n ? trace_event_buffer_lock_reserve+0x3c/0x120\n ? trace_event_buffer_reserve+0x6b/0xc0\n ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0\n ? dpm_run_callback+0x3b/0xc0\n ? pm_ops_is_empty+0x50/0x50\n ? platform_get_irq_byname_optional+0x90/0x90\n ? trace_device_pm_callback_start+0x82/0xd0\n ? dpm_run_callback+0x49/0xc0\n\nWith the following RIP:\n\nRIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200\n\nSince the fix to the recursion detection would allow a single recursion to\nhappen while tracing, this led to the trace_clock_global() taking a spin\nlock and then trying to take it again:\n\nring_buffer_lock_reserve() {\n  trace_clock_global() {\n    arch_spin_lock() {\n      queued_spin_lock_slowpath() {\n        /* lock taken */\n        (something else gets traced by function graph tracer)\n          ring_buffer_lock_reserve() {\n            trace_clock_global() {\n              arch_spin_lock() {\n                queued_spin_lock_slowpath() {\n                /* DEAD LOCK! */\n\nTracing should *never* block, as it can lead to strange lockups like the\nabove.\n\nRestructure the trace_clock_global() code to instead of simply taking a\nlock to update the recorded \"prev_time\" simply use it, as for two events\nhappening on two different CPUs that call this at the same time, it really\ndoesn't matter which one goes first. Use a trylock to grab the lock for\nupdating the prev_time, and if it fails, simply try again the next time.\nIf it failed to be taken, that means something else is already updating\nit.\n\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46939",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/power turbostat: Fix offset overflow issue in index converting\n\nThe idx_to_offset() function returns type int (32-bit signed), but\nMSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number.\nThe end result is that it hits the if (offset < 0) check in update_msr_sum()\nwhich prevents the timer callback from updating the stat in the background when\nlong durations are used. The similar issue exists in offset_to_idx() and\nupdate_msr_sum(). Fix this issue by converting the 'int' to 'off_t' accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46940",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Do core softreset when switch mode\n\n\nAccording to the programming guide, to switch mode for DRD controller,\nthe driver needs to do the following.\n\nTo switch from device to host:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(host mode)\n3. Reset the host with USBCMD.HCRESET\n4. Then follow up with the initializing host registers sequence\n\nTo switch from host to device:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(device mode)\n3. Reset the device with DCTL.CSftRst\n4. Then follow up with the initializing registers sequence\n\nCurrently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of\nswitching from host to device. John Stult reported a lockup issue seen\nwith HiKey960 platform without these steps[1]. Similar issue is observed\nwith Ferry's testing platform[2].\n\nSo, apply the required steps along with some fixes to Yu Chen's and John\nStultz's version. The main fixes to their versions are the missing wait\nfor clocks synchronization before clearing GCTL.CoreSoftReset and only\napply DCTL.CSftRst when switching from host to device.\n\n[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/\n[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46941",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix shared sqpoll cancellation hangs\n\n[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.\n[  736.982897] Call Trace:\n[  736.982901]  schedule+0x68/0xe0\n[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110\n[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30\n[  736.982911]  io_run_task_work_head+0x28/0x50\n[  736.982913]  io_sq_thread+0x4e3/0x720\n\nWe call io_uring_cancel_sqpoll() one by one for each ctx either in\nsq_thread() itself or via task works, and it's intended to cancel all\nrequests of a specified context. However the function uses per-task\ncounters to track the number of inflight requests, so it counts more\nrequests than available via the current io_uring ctx and goes to sleep for\nthem to appear (e.g. from IRQ), which will never happen.\n\nCancel a bit more than before, i.e. all ctxs that share sqpoll\nand continue to use shared counters. Don't forget that we should not\nremove ctx from the list before running that task_work sqpoll-cancel,\notherwise the function wouldn't be able to find the context and will\nhang.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46942",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix set_fmt error handling\n\nIf there is an error during a set_fmt, do not overwrite the previous\nsizes with the invalid config.\n\nWithout this patch, v4l2-compliance ends up allocating 4GiB of RAM and\ncausing the following OOPs\n\n[   38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)\n[   38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0\n[   38.663010] general protection fault: 0000 [#1] PREEMPT SMP",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46943",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix memory leak in imu_fmt\n\nWe are losing the reference to an allocated memory if try. Change the\norder of the check to avoid that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46944",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: always panic when errors=panic is specified\n\nBefore commit 014c9caa29d3 (\"ext4: make ext4_abort() use\n__ext4_error()\"), the following series of commands would trigger a\npanic:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. mount /dev/sda -o remount,abort test\n\nAfter commit 014c9caa29d3, remounting a file system using the test\nmount option \"abort\" will no longer trigger a panic.  This commit will\nrestore the behaviour immediately before commit 014c9caa29d3.\n(However, note that the Linux kernel's behavior has not been\nconsistent; some previous kernel versions, including 5.4 and 4.19\nsimilarly did not panic after using the mount option \"abort\".)\n\nThis also makes a change to long-standing behaviour; namely, the\nfollowing series commands will now cause a panic, when previously it\ndid not:\n\n1. mount /dev/sda -o ro,errors=panic test\n2. echo test > /sys/fs/ext4/sda/trigger_fs_error\n\nHowever, this makes ext4's behaviour much more consistent, so this is\na good thing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46945",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues\n\nefx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is\nlater used to allocate and traverse efx->xdp_tx_queues lookup array. However,\nwe may end up not initializing all the array slots with real queues during\nprobing. This results, for example, in a NULL pointer dereference, when running\n\"# ethtool -S <iface>\", similar to below\n\n[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[2570283.681283][T4126959] #PF: supervisor read access in kernel mode\n[2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page\n[2570283.710013][T4126959] PGD 0 P4D 0\n[2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI\n[2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G           O      5.10.20-cloudflare-2021.3.1 #1\n[2570283.752641][T4126959] Hardware name: <redacted>\n[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]\n[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b\n[2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202\n[2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018\n[2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005\n[2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f\n[2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8\n[2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c\n[2570283.922705][T4126959] FS:  00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000\n[2570283.938848][T4126959] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0\n[2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[2570283.997308][T4126959] PKRU: 55555554\n[2570284.007649][T4126959] Call Trace:\n[2570284.017598][T4126959]  dev_ethtool+0x1832/0x2830\n\nFix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true\nvalue of initialized slots in efx->xdp_tx_queues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46947",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX event handling\n\nWe're starting from a TXQ label, not a TXQ type, so\n efx_channel_get_tx_queue() is inappropriate (and could return NULL,\n leading to panics).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46948",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX flush done handling\n\nWe're starting from a TXQ instance number ('qid'), not a TXQ type, so\n efx_get_tx_queue() is inappropriate (and could return NULL, leading\n to panics).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46949",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: properly indicate failure when ending a failed write request\n\nThis patch addresses a data corruption bug in raid1 arrays using bitmaps.\nWithout this fix, the bitmap bits for the failed I/O end up being cleared.\n\nSince we are in the failure leg of raid1_end_write_request, the request\neither needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46950",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: efi: Use local variable for calculating final log size\n\nWhen tpm_read_log_efi is called multiple times, which happens when\none loads and unloads a TPM2 driver multiple times, then the global\nvariable efi_tpm_final_log_size will at some point become a negative\nnumber due to the subtraction of final_events_preboot_size occurring\neach time. Use a local variable to avoid this integer underflow.\n\nThe following issue is now resolved:\n\nMar  8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\nMar  8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]\nMar  8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20\nMar  8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4\nMar  8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206\nMar  8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f\nMar  8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d\nMar  8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073\nMar  8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5\nMar  8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018\nMar  8 15:35:12 hibinst kernel: FS:  0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000\nMar  8 15:35:12 hibinst kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nMar  8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0\nMar  8 15:35:12 hibinst kernel: Call Trace:\nMar  8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7\nMar  8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0\nMar  8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260\nMar  8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]\nMar  8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370\nMar  8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0\nMar  8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46951",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fs_context: validate UDP retrans to prevent shift out-of-bounds\n\nFix shift out-of-bounds in xprt_calc_majortimeo(). This is caused\nby a garbage timeout (retrans) mount option being passed to nfs mount,\nin this case from syzkaller.\n\nIf the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift\nvalue for a 64-bit long integer, so 'retrans' cannot be >= 64.\nIf it is >= 64, fail the mount and return an error.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46952",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: GTDT: Don't corrupt interrupt mappings on watchdog probe failure\n\nWhen failing the driver probe because of invalid firmware properties,\nthe GTDT driver unmaps the interrupt that it mapped earlier.\n\nHowever, it never checks whether the mapping of the interrupt actually\nsucceeded. Even more, should the firmware report an illegal interrupt\nnumber that overlaps with the GIC SGI range, this can result in an\nIPI being unmapped, and subsequent fireworks (as reported by Dann\nFrazier).\n\nRework the driver to have a slightly saner behaviour and actually\ncheck whether the interrupt has been mapped before unmapping things.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46953",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets\n\nwhen 'act_mirred' tries to fragment IPv4 packets that had been previously\nre-assembled using 'act_ct', splats like the following can be observed on\nkernels built with KASAN:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888147009574 by task ping/947\n\n CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  <IRQ>\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  sch_fragment+0x4bf/0xe40\n  tcf_mirred_act+0xc3d/0x11a0 [act_mirred]\n  tcf_action_exec+0x104/0x3e0\n  fl_classify+0x49a/0x5e0 [cls_flower]\n  tcf_classify_ingress+0x18a/0x820\n  __netif_receive_skb_core+0xae7/0x3340\n  __netif_receive_skb_one_core+0xb6/0x1b0\n  process_backlog+0x1ef/0x6c0\n  __napi_poll+0xaa/0x500\n  net_rx_action+0x702/0xac0\n  __do_softirq+0x1e4/0x97f\n  do_softirq+0x71/0x90\n  </IRQ>\n  __local_bh_enable_ip+0xdb/0xf0\n  ip_finish_output2+0x760/0x2120\n  ip_do_fragment+0x15a5/0x1f60\n  __ip_finish_output+0x4c2/0xea0\n  ip_output+0x1ca/0x4d0\n  ip_send_skb+0x37/0xa0\n  raw_sendmsg+0x1c4b/0x2d00\n  sock_sendmsg+0xdb/0x110\n  __sys_sendto+0x1d7/0x2b0\n  __x64_sys_sendto+0xdd/0x1b0\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f82e13853eb\n Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89\n RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb\n RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003\n RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0\n R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0\n\n The buggy address belongs to the page:\n page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009\n flags: 0x17ffffc0001000(reserved)\n raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000\n raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00\n >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2\n                                                              ^\n  ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2\n\nfor IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin sch_fragment(), similarly to what is done for IPv6 few lines below.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46954",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\n\nrunning openvswitch on kernels built with KASAN, it's possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\n\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  ovs_fragment+0x5bf/0x840 [openvswitch]\n  do_execute_actions+0x1bd5/0x2400 [openvswitch]\n  ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n  genl_rcv_msg+0x287/0x490\n  netlink_rcv_skb+0x120/0x380\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\n\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n  ovs_fragment+0x0/0x840 [openvswitch]\n\n this frame has 2 objects:\n  [32, 144) 'ovs_dst'\n  [192, 424) 'ovs_rt'\n\n Memory state around the buggy address:\n  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n                                         ^\n  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\n\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46955",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: fix memory leak in virtio_fs_probe()\n\nWhen accidentally passing twice the same tag to qemu, kmemleak ended up\nreporting a memory leak in virtiofs.  Also, looking at the log I saw the\nfollowing error (that's when I realised the duplicated tag):\n\n  virtiofs: probe of virtio5 failed with error -17\n\nHere's the kmemleak log for reference:\n\nunreferenced object 0xffff888103d47800 (size 1024):\n  comm \"systemd-udevd\", pid 118, jiffies 4294893780 (age 18.340s)\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff  ................\n  backtrace:\n    [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs]\n    [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210\n    [<000000004d6baf3c>] really_probe+0xea/0x430\n    [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0\n    [<00000000196f47a7>] __driver_attach+0x98/0x140\n    [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0\n    [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0\n    [<0000000032b09ba7>] driver_register+0x8f/0xe0\n    [<00000000cdd55998>] 0xffffffffa002c013\n    [<000000000ea196a2>] do_one_initcall+0x64/0x2e0\n    [<0000000008f727ce>] do_init_module+0x5c/0x260\n    [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120\n    [<00000000ad2f48c6>] do_syscall_64+0x33/0x40\n    [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46956",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe\n\nThe execution of sys_read ends up hitting a BUG_ON() in __find_get_block\nafter installing kprobe at sys_read, the BUG message like the following:\n\n[   65.708663] ------------[ cut here ]------------\n[   65.709987] kernel BUG at fs/buffer.c:1251!\n[   65.711283] Kernel BUG [#1]\n[   65.712032] Modules linked in:\n[   65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1\n[   65.714407] Hardware name: riscv-virtio,qemu (DT)\n[   65.715696] epc : __find_get_block+0x218/0x2c8\n[   65.716835]  ra : __getblk_gfp+0x1c/0x4a\n[   65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930\n[   65.719553]  gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038\n[   65.721290]  t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960\n[   65.723051]  s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a\n[   65.724772]  a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040\n[   65.726545]  a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000\n[   65.728308]  s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008\n[   65.730049]  s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8\n[   65.731802]  s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008\n[   65.733516]  s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f\n[   65.734434]  t5 : 00000000000003ff t6 : 0000000000040000\n[   65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003\n[   65.734901] Call Trace:\n[   65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8\n[   65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6\n[   65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a\n[   65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c\n[   65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e\n[   65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66\n[   65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da\n[   65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150\n[   65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246\n[   65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114\n[   65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea\n[   65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a\n[   65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2\n[   65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8\n[   65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16\n[   65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2\n[   65.738858] ---[ end trace fe93f985456c935d ]---\n\nA simple reproducer looks like:\n\techo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events\n\techo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable\n\tcat /sys/kernel/debug/tracing/trace\n\nHere's what happens to hit that BUG_ON():\n\n1) After installing kprobe at entry of sys_read, the first instruction\n   is replaced by 'ebreak' instruction on riscv64 platform.\n\n2) Once kernel reach the 'ebreak' instruction at the entry of sys_read,\n   it traps into the riscv breakpoint handler, where it does something to\n   setup for coming single-step of origin instruction, including backup\n   the 'sstatus' in pt_regs, followed by disable interrupt during single\n   stepping via clear 'SIE' bit of 'sstatus' in pt_regs.\n\n3) Then kernel restores to the instruction slot contains two instructions,\n   one is original instruction at entry of sys_read, the other is 'ebreak'.\n   Here it triggers an 'Instruction page fault' exception (value at 'scause'\n   is '0xc'), if PF is not filled into PageTable for that slot yet.\n\n4) Again kernel traps into page fault exception handler, where it chooses\n   different policy according to the state of running kprobe. Because\n   after 2) the state is KPROBE_HIT_SS, so kernel reset the current kp\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46957",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\n\nThere is a race between a task aborting a transaction during a commit,\na task doing an fsync and the transaction kthread, which leads to an\nuse-after-free of the log root tree. When this happens, it results in a\nstack trace like the following:\n\n  BTRFS info (device dm-0): forced readonly\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\n  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\n  BTRFS error (device dm-0): error writing primary super block to device 1\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\n  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\n  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\n  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__mutex_lock+0x139/0xa40\n  Code: c0 74 19 (...)\n  RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\n  RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\n  RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\n  R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\n  FS:  00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_file+0x40c/0x580 [btrfs]\n   do_fsync+0x38/0x70\n   __x64_sys_fsync+0x10/0x20\n   do_syscall_64+0x33/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fa9142a55c3\n  Code: 8b 15 09 (...)\n  RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\n  RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\n  RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\n  RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\n  R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\n  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\n  ---[ end trace ee2f1b19327d791d ]---\n\nThe steps that lead to this crash are the following:\n\n1) We are at transaction N;\n\n2) We have two tasks with a transaction handle attached to transaction N.\n   Task A and Task B. Task B is doing an fsync;\n\n3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree\n   into a local variable named 'log_root_tree' at the top of\n   btrfs_sync_log(). Task B is about to call write_all_supers(), but\n   before that...\n\n4) Task A calls btrfs_commit_transaction(), and after it sets the\n   transaction state to TRANS_STATE_COMMIT_START, an error happens before\n   it w\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46958",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix use-after-free with devm_spi_alloc_*\n\nWe can't rely on the contents of the devres list during\nspi_unregister_controller(), as the list is already torn down at the\ntime we perform devres_find() for devm_spi_release_controller. This\ncauses devices registered with devm_spi_alloc_{master,slave}() to be\nmistakenly identified as legacy, non-devm managed devices and have their\nreference counters decremented below 0.\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174\n[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)\n[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)\n r4:b6700140\n[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)\n[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)\n r5:b6700180 r4:b6700100\n[<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60)\n r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10\n[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)\n r5:b117ad94 r4:b163dc10\n[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0)\n r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10\n[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)\n\nInstead, determine the devm allocation state as a flag on the\ncontroller which is guaranteed to be stable during cleanup.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46959",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Return correct error code from smb2_get_enc_key\n\nAvoid a warning if the error percolates back up:\n\n[440700.376476] CIFS VFS: \\\\otters.example.com crypt_message: Could not get encryption key\n[440700.386947] ------------[ cut here ]------------\n[440700.386948] err = 1\n[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70\n...\n[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G           OE     5.4.0-70-generic #78~18.04.1-Ubuntu\n...\n[440700.397334] Call Trace:\n[440700.397346]  __filemap_set_wb_err+0x1a/0x70\n[440700.397419]  cifs_writepages+0x9c7/0xb30 [cifs]\n[440700.397426]  do_writepages+0x4b/0xe0\n[440700.397444]  __filemap_fdatawrite_range+0xcb/0x100\n[440700.397455]  filemap_write_and_wait+0x42/0xa0\n[440700.397486]  cifs_setattr+0x68b/0xf30 [cifs]\n[440700.397493]  notify_change+0x358/0x4a0\n[440700.397500]  utimes_common+0xe9/0x1c0\n[440700.397510]  do_utimes+0xc5/0x150\n[440700.397520]  __x64_sys_utimensat+0x88/0xd0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46960",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Do not enable irqs when handling spurious interrups\n\nWe triggered the following error while running our 4.19 kernel\nwith the pseudo-NMI patches backported to it:\n\n[   14.816231] ------------[ cut here ]------------\n[   14.816231] kernel BUG at irq.c:99!\n[   14.816232] Internal error: Oops - BUG: 0 [#1] SMP\n[   14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))\n[   14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O      4.19.95.aarch64 #14\n[   14.816233] Hardware name: evb (DT)\n[   14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[   14.816234] pc : asm_nmi_enter+0x94/0x98\n[   14.816235] lr : asm_nmi_enter+0x18/0x98\n[   14.816235] sp : ffff000008003c50\n[   14.816235] pmr_save: 00000070\n[   14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0\n[   14.816238] x27: 0000000000000000 x26: ffff000008004000\n[   14.816239] x25: 00000000015e0000 x24: ffff8008fb916000\n[   14.816240] x23: 0000000020400005 x22: ffff0000080817cc\n[   14.816241] x21: ffff000008003da0 x20: 0000000000000060\n[   14.816242] x19: 00000000000003ff x18: ffffffffffffffff\n[   14.816243] x17: 0000000000000008 x16: 003d090000000000\n[   14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40\n[   14.816244] x13: ffff8008fff58b9d x12: 0000000000000000\n[   14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5\n[   14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f\n[   14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e\n[   14.816248] x5 : 0000000000000000 x4 : 0000000080000000\n[   14.816249] x3 : 0000000000000000 x2 : 0000000080000000\n[   14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0\n[   14.816251] Call trace:\n[   14.816251]  asm_nmi_enter+0x94/0x98\n[   14.816251]  el1_irq+0x8c/0x180                    (IRQ C)\n[   14.816252]  gic_handle_irq+0xbc/0x2e4\n[   14.816252]  el1_irq+0xcc/0x180                    (IRQ B)\n[   
14.816253]  arch_timer_handler_virt+0x38/0x58\n[   14.816253]  handle_percpu_devid_irq+0x90/0x240\n[   14.816253]  generic_handle_irq+0x34/0x50\n[   14.816254]  __handle_domain_irq+0x68/0xc0\n[   14.816254]  gic_handle_irq+0xf8/0x2e4\n[   14.816255]  el1_irq+0xcc/0x180                    (IRQ A)\n[   14.816255]  arch_cpu_idle+0x34/0x1c8\n[   14.816255]  default_idle_call+0x24/0x44\n[   14.816256]  do_idle+0x1d0/0x2c8\n[   14.816256]  cpu_startup_entry+0x28/0x30\n[   14.816256]  rest_init+0xb8/0xc8\n[   14.816257]  start_kernel+0x4c8/0x4f4\n[   14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)\n[   14.816258] Modules linked in: start_dp(O) smeth(O)\n[   15.103092] ---[ end trace 701753956cb14aa8 ]---\n[   15.103093] Kernel panic - not syncing: Fatal exception in interrupt\n[   15.103099] SMP: stopping secondary CPUs\n[   15.103100] Kernel Offset: disabled\n[   15.103100] CPU features: 0x36,a2400218\n[   15.103100] Memory Limit: none\n\nwhich is cause by a 'BUG_ON(in_nmi())' in nmi_enter().\n\nFrom the call trace, we can find three interrupts (noted A, B, C above):\ninterrupt (A) is preempted by (B), which is further interrupted by (C).\n\nSubsequent investigations show that (B) results in nmi_enter() being\ncalled, but that it actually is a spurious interrupt. Furthermore,\ninterrupts are reenabled in the context of (B), and (C) fires with\nNMI priority. We end-up with a nested NMI situation, something\nwe definitely do not want to (and cannot) handle.\n\nThe bug here is that spurious interrupts should never result in any\nstate change, and we should just return to the interrupted context.\nMoving the handling of spurious interrupts as early as possible in\nthe GICv3 handler fixes this issue.\n\n[maz: rewrote commit message, corrected Fixes: tag]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46961",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: uniphier-sd: Fix a resource leak in the remove function\n\nA 'tmio_mmc_host_free()' call is missing in the remove function, in order\nto balance a 'tmio_mmc_host_alloc()' call in the probe.\nThis is done in the error handling path of the probe, but not in the remove\nfunction.\n\nAdd the missing call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46962",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()\n\n    RIP: 0010:kmem_cache_free+0xfa/0x1b0\n    Call Trace:\n       qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]\n       scsi_queue_rq+0x5e2/0xa40\n       __blk_mq_try_issue_directly+0x128/0x1d0\n       blk_mq_request_issue_directly+0x4e/0xb0\n\nFix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now\nallocated by upper layers. This fixes smatch warning of srb unintended\nfree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46963",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Reserve extra IRQ vectors\n\nCommit a6dcfe08487e (\"scsi: qla2xxx: Limit interrupt vectors to number of\nCPUs\") lowers the number of allocated MSI-X vectors to the number of CPUs.\n\nThat breaks vector allocation assumptions in qla83xx_iospace_config(),\nqla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions\ncomputes maximum number of qpairs as:\n\n  ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default\n                   response queue) - 1 (ATIO, in dual or pure target mode)\n\nmax_qpairs is set to zero in case of two CPUs and initiator mode. The\nnumber is then used to allocate ha->queue_pair_map inside\nqla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is\nleft NULL but the driver thinks there are queue pairs available.\n\nqla2xxx_queuecommand() tries to find a qpair in the map and crashes:\n\n  if (ha->mqenable) {\n          uint32_t tag;\n          uint16_t hwq;\n          struct qla_qpair *qpair = NULL;\n\n          tag = blk_mq_unique_tag(cmd->request);\n          hwq = blk_mq_unique_tag_to_hwq(tag);\n          qpair = ha->queue_pair_map[hwq]; # <- HERE\n\n          if (qpair)\n                  return qla2xxx_mqueuecommand(host, cmd, qpair);\n  }\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP PTI\n  CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G        W         5.10.0-rc1+ #25\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014\n  Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]\n  RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]\n  Call Trace:\n   scsi_queue_rq+0x58c/0xa60\n   blk_mq_dispatch_rq_list+0x2b7/0x6f0\n   ? 
__sbitmap_get_word+0x2a/0x80\n   __blk_mq_sched_dispatch_requests+0xb8/0x170\n   blk_mq_sched_dispatch_requests+0x2b/0x50\n   __blk_mq_run_hw_queue+0x49/0xb0\n   __blk_mq_delay_run_hw_queue+0xfb/0x150\n   blk_mq_sched_insert_request+0xbe/0x110\n   blk_execute_rq+0x45/0x70\n   __scsi_execute+0x10e/0x250\n   scsi_probe_and_add_lun+0x228/0xda0\n   __scsi_scan_target+0xf4/0x620\n   ? __pm_runtime_resume+0x4f/0x70\n   scsi_scan_target+0x100/0x110\n   fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]\n   process_one_work+0x1ea/0x3b0\n   worker_thread+0x28/0x3b0\n   ? process_one_work+0x3b0/0x3b0\n   kthread+0x112/0x130\n   ? kthread_park+0x80/0x80\n   ret_from_fork+0x22/0x30\n\nThe driver should allocate enough vectors to provide every CPU it's own HW\nqueue and still handle reserved (MB, RSP, ATIO) interrupts.\n\nThe change fixes the crash on dual core VM and prevents unbalanced QP\nallocation where nr_hw_queues is two less than the number of CPUs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46964",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: physmap: physmap-bt1-rom: Fix unintentional stack access\n\nCast &data to (char *) in order to avoid unintentionally accessing\nthe stack.\n\nNotice that data is of type u32, so any increment to &data\nwill be in the order of 4-byte chunks, and this piece of code\nis actually intended to be a byte offset.\n\nAddresses-Coverity-ID: 1497765 (\"Out-of-bounds access\")",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46965",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: custom_method: fix potential use-after-free issue\n\nIn cm_write(), buf is always freed when reaching the end of the\nfunction.  If the requested count is less than table.length, the\nallocated buffer will be freed but subsequent calls to cm_write() will\nstill try to access it.\n\nRemove the unconditional kfree(buf) at the end of the function and\nset the buf to NULL in the -EINVAL error path to match the rest of\nfunction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46966",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-vdpa: fix vm_flags for virtqueue doorbell mapping\n\nThe virtqueue doorbell is usually implemented via registers but we\ndon't provide the necessary vma->flags like VM_PFNMAP. This may cause\nseveral issues, e.g. when userspace tries to map the doorbell via vhost\nIOTLB, the kernel may panic because the page is not backed by a page\nstructure. This patch fixes this by setting the necessary\nvm_flags. With this patch, trying to map the doorbell via IOTLB will fail\nwith bad address.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46967",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix zcard and zqueue hot-unplug memleak\n\nTests with kvm and a kmemdebug kernel showed, that on hot unplug the\nzcard and zqueue structs for the unplugged card or queue are not\nproperly freed because of a mismatch with get/put for the embedded\nkref counter.\n\nThis fix now adjusts the handling of the kref counters. With init the\nkref counter starts with 1. This initial value needs to drop to zero\nwith the unregister of the card or queue to trigger the release and\nfree the object.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46968",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: core: Fix invalid error returning in mhi_queue\n\nmhi_queue returns an error when the doorbell is not accessible in\nthe current state. This can happen when the device is in a non-M0\nstate, like M3, and needs to be woken up prior to ringing the DB. This\ncase is managed earlier by triggering an asynchronous M3 exit via\ncontroller resume/suspend callbacks, which in turn will cause the M0\ntransition and DB update.\n\nSo, since it's not an error but just a delay of the doorbell update, there\nis no reason to return an error.\n\nThis also fixes a use after free error for the skb case: indeed a caller\nqueuing an skb will try to free the skb if the queueing fails, but in\nthat case queueing has been done.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46969",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue\n\nA recent change created a dedicated workqueue for the state-change work\nwith WQ_HIGHPRI (no strong reason for that) and WQ_MEM_RECLAIM flags,\nbut the state-change work (mhi_pm_st_worker) does not guarantee forward\nprogress under memory pressure, and will even wait on various memory\nallocations when e.g. creating devices, loading firmware, etc... The\nwork is then not part of a memory reclaim path...\n\nMoreover, this causes a warning in check_flush_dependency() since we end\nup in code that flushes a non-reclaim workqueue:\n\n[   40.969601] workqueue: WQ_MEM_RECLAIM mhi_hiprio_wq:mhi_pm_st_worker [mhi] is flushing !WQ_MEM_RECLAIM events_highpri:flush_backlog\n[   40.969612] WARNING: CPU: 4 PID: 158 at kernel/workqueue.c:2607 check_flush_dependency+0x11c/0x140\n[   40.969733] Call Trace:\n[   40.969740]  __flush_work+0x97/0x1d0\n[   40.969745]  ? wake_up_process+0x15/0x20\n[   40.969749]  ? insert_work+0x70/0x80\n[   40.969750]  ? __queue_work+0x14a/0x3e0\n[   40.969753]  flush_work+0x10/0x20\n[   40.969756]  rollback_registered_many+0x1c9/0x510\n[   40.969759]  unregister_netdevice_queue+0x94/0x120\n[   40.969761]  unregister_netdev+0x1d/0x30\n[   40.969765]  mhi_net_remove+0x1a/0x40 [mhi_net]\n[   40.969770]  mhi_driver_remove+0x124/0x250 [mhi]\n[   40.969776]  device_release_driver_internal+0xf0/0x1d0\n[   40.969778]  device_release_driver+0x12/0x20\n[   40.969782]  bus_remove_device+0xe1/0x150\n[   40.969786]  device_del+0x17b/0x3e0\n[   40.969791]  mhi_destroy_device+0x9a/0x100 [mhi]\n[   40.969796]  ? mhi_unmap_single_use_bb+0x50/0x50 [mhi]\n[   40.969799]  device_for_each_child+0x5e/0xa0\n[   40.969804]  mhi_pm_st_worker+0x921/0xf50 [mhi]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46970",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn't matter in case of the Lockdown LSM,\nit causes trouble with the SELinux's lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask's type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46971",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix leaked dentry\n\nSince commit 6815f479ca90 (\"ovl: use only uppermetacopy state in\novl_lookup()\"), overlayfs doesn't put temporary dentry when there is a\nmetacopy error, which leads to dentry leaks when shutting down the related\nsuperblock:\n\n  overlayfs: refusing to follow metacopy origin for (/file0)\n  ...\n  BUG: Dentry (____ptrval____){i=3f33,n=file3}  still in use (1) [unmount of overlay overlay]\n  ...\n  WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d\n  CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1\n  ...\n  RIP: 0010:umount_check.cold+0x107/0x14d\n  ...\n  Call Trace:\n   d_walk+0x28c/0x950\n   ? dentry_lru_isolate+0x2b0/0x2b0\n   ? __kasan_slab_free+0x12/0x20\n   do_one_tree+0x33/0x60\n   shrink_dcache_for_umount+0x78/0x1d0\n   generic_shutdown_super+0x70/0x440\n   kill_anon_super+0x3e/0x70\n   deactivate_locked_super+0xc4/0x160\n   deactivate_super+0xfa/0x140\n   cleanup_mnt+0x22e/0x370\n   __cleanup_mnt+0x1a/0x30\n   task_work_run+0x139/0x210\n   do_exit+0xb0c/0x2820\n   ? __kasan_check_read+0x1d/0x30\n   ? find_held_lock+0x35/0x160\n   ? lock_release+0x1b6/0x660\n   ? mm_update_next_owner+0xa20/0xa20\n   ? reacquire_held_locks+0x3f0/0x3f0\n   ? __sanitizer_cov_trace_const_cmp4+0x22/0x30\n   do_group_exit+0x135/0x380\n   __do_sys_exit_group.isra.0+0x20/0x20\n   __x64_sys_exit_group+0x3c/0x50\n   do_syscall_64+0x45/0x70\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  ...\n  VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds.  Have a nice day...\n\nThis fix has been tested with a syzkaller reproducer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46972",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Avoid potential use after free in MHI send\n\nIt is possible that the MHI ul_callback will be invoked immediately\nfollowing the queueing of the skb for transmission, leading to the\ncallback decrementing the refcount of the associated sk and freeing the\nskb.\n\nAs such the dereference of skb and the increment of the sk refcount must\nhappen before the skb is queued, to avoid the skb being used after free\nand potentially the sk dropping its last refcount.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46973",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46974",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix crash in auto_retire\n\nThe retire logic uses the 2 lower bits of the pointer to the retire\nfunction to store flags. However, the auto_retire function is not\nguaranteed to be aligned to a multiple of 4, which causes crashes as\nwe jump to the wrong address, for example like this:\n\n2021-04-24T18:03:53.804300Z WARNING kernel: [  516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n2021-04-24T18:03:53.804310Z WARNING kernel: [  516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G     U            5.4.105-13595-g3cd84167b2df #1\n2021-04-24T18:03:53.804311Z WARNING kernel: [  516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021\n2021-04-24T18:03:53.804312Z WARNING kernel: [  516.876911] Workqueue: events_unbound active_work\n2021-04-24T18:03:53.804313Z WARNING kernel: [  516.876914] RIP: 0010:auto_retire+0x1/0x20\n2021-04-24T18:03:53.804314Z WARNING kernel: [  516.876916] Code: e8 01 f2 ff ff eb 02 31 db 48 89 d8 5b 5d c3 0f 1f 44 00 00 55 48 89 e5 f0 ff 87 c8 00 00 00 0f 88 ab 47 4a 00 31 c0 5d c3 0f <1f> 44 00 00 55 48 89 e5 f0 ff 8f c8 00 00 00 0f 88 9a 47 4a 00 74\n2021-04-24T18:03:53.804319Z WARNING kernel: [  516.876918] RSP: 0018:ffff9b4d809fbe38 EFLAGS: 00010286\n2021-04-24T18:03:53.804320Z WARNING kernel: [  516.876919] RAX: 0000000000000007 RBX: ffff927915079600 RCX: 0000000000000007\n2021-04-24T18:03:53.804320Z WARNING kernel: [  516.876921] RDX: ffff9b4d809fbe40 RSI: 0000000000000286 RDI: ffff927915079600\n2021-04-24T18:03:53.804321Z WARNING kernel: [  516.876922] RBP: ffff9b4d809fbe68 R08: 8080808080808080 R09: fefefefefefefeff\n2021-04-24T18:03:53.804321Z WARNING kernel: [  516.876924] R10: 0000000000000010 R11: ffffffff92e44bd8 R12: ffff9279150796a0\n2021-04-24T18:03:53.804322Z WARNING kernel: [  516.876925] R13: ffff92791c368180 R14: ffff927915079640 R15: 
000000001c867605\n2021-04-24T18:03:53.804323Z WARNING kernel: [  516.876926] FS:  0000000000000000(0000) GS:ffff92791ffc0000(0000) knlGS:0000000000000000\n2021-04-24T18:03:53.804323Z WARNING kernel: [  516.876928] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n2021-04-24T18:03:53.804324Z WARNING kernel: [  516.876929] CR2: 0000239514955000 CR3: 00000007f82da001 CR4: 0000000000760ee0\n2021-04-24T18:03:53.804325Z WARNING kernel: [  516.876930] PKRU: 55555554\n2021-04-24T18:03:53.804325Z WARNING kernel: [  516.876931] Call Trace:\n2021-04-24T18:03:53.804326Z WARNING kernel: [  516.876935]  __active_retire+0x77/0xcf\n2021-04-24T18:03:53.804326Z WARNING kernel: [  516.876939]  process_one_work+0x1da/0x394\n2021-04-24T18:03:53.804327Z WARNING kernel: [  516.876941]  worker_thread+0x216/0x375\n2021-04-24T18:03:53.804327Z WARNING kernel: [  516.876944]  kthread+0x147/0x156\n2021-04-24T18:03:53.804335Z WARNING kernel: [  516.876946]  ? pr_cont_work+0x58/0x58\n2021-04-24T18:03:53.804335Z WARNING kernel: [  516.876948]  ? 
kthread_blkcg+0x2e/0x2e\n2021-04-24T18:03:53.804336Z WARNING kernel: [  516.876950]  ret_from_fork+0x1f/0x40\n2021-04-24T18:03:53.804336Z WARNING kernel: [  516.876952] Modules linked in: cdc_mbim cdc_ncm cdc_wdm xt_cgroup rfcomm cmac algif_hash algif_skcipher af_alg xt_MASQUERADE uinput snd_soc_rt5682_sdw snd_soc_rt5682 snd_soc_max98373_sdw snd_soc_max98373 snd_soc_rl6231 regmap_sdw snd_soc_sof_sdw snd_soc_hdac_hdmi snd_soc_dmic snd_hda_codec_hdmi snd_sof_pci snd_sof_intel_hda_common intel_ipu6_psys snd_sof_xtensa_dsp soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core soundwire_bus snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core intel_ipu6_isys videobuf2_dma_contig videobuf2_v4l2 videobuf2_common videobuf2_memops mei_hdcp intel_ipu6 ov2740 ov8856 at24 sx9310 dw9768 v4l2_fwnode cros_ec_typec intel_pmc_mux roles acpi_als typec fuse iio_trig_sysfs cros_ec_light_prox cros_ec_lid_angle cros_ec_sensors cros\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46976",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Disable preemption when probing user return MSRs\n\nDisable preemption when probing a user return MSR via RDSMR/WRMSR.  If\nthe MSR holds a different value per logical CPU, the WRMSR could corrupt\nthe host's value if KVM is preempted between the RDMSR and WRMSR, and\nthen rescheduled on a different CPU.\n\nOpportunistically land the helper in common x86, SVM will use the helper\nin a future commit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46977",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nVMX: Always make an attempt to map eVMCS after migration\n\nWhen enlightened VMCS is in use and nested state is migrated with\nvmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs\npage right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr'\nand we can't read it from VP assist page because userspace may decide\nto restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state\n(and QEMU, for example, does exactly that). To make sure eVMCS is\nmapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES\nrequest.\n\nCommit f2c7ef3ba955 (\"KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES\non nested vmexit\") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to\nnested_vmx_vmexit() to make sure MSR permission bitmap is not switched\nwhen an immediate exit from L2 to L1 happens right after migration (caused\nby a pending event, for example). Unfortunately, in the exact same\nsituation we still need to have eVMCS mapped so\nnested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS.\n\nAs a band-aid, restore nested_get_evmcs_page() when clearing\nKVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far\nfrom being ideal as we can't easily propagate possible failures and even if\nwe could, this is most likely already too late to do so. The whole\n'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration\nseems to be fragile as we diverge too much from the 'native' path when\nvmptr loading happens on vmx_set_nested_state().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46978",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix ioctl handlers removal\n\nCurrently ioctl handlers are removed twice. For the first time during\niio_device_unregister() then later on inside\niio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().\nDouble free leads to kernel panic.\n\nFix this by not touching ioctl handlers list directly but rather\nletting code responsible for registration call the matching cleanup\nroutine itself.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46979",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[  151.545106][   T70] Unexpected kernel BRK exception at EL1\n[  151.545112][   T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[  151.545499][   T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[  151.545507][   T70] lr : power_supply_show_property+0xc0/0x328\n...\n[  151.545542][   T70] Call trace:\n[  151.545544][   T70]  ucsi_psy_get_prop+0x208/0x20c\n[  151.545546][   T70]  power_supply_uevent+0x1a4/0x2f0\n[  151.545550][   T70]  dev_uevent+0x200/0x384\n[  151.545555][   T70]  kobject_uevent_env+0x1d4/0x7e8\n[  151.545557][   T70]  power_supply_changed_work+0x174/0x31c\n[  151.545562][   T70]  process_one_work+0x244/0x6f0\n[  151.545564][   T70]  worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46980",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: Fix NULL pointer in flush_workqueue\n\nOpen /dev/nbdX first, the config_refs will be 1 and\nthe pointers in nbd_device are still null. Disconnect\n/dev/nbdX, then reference a null recv_workq. The\nprotection by config_refs in nbd_genl_disconnect is useless.\n\n[  656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[  656.368943] #PF: supervisor write access in kernel mode\n[  656.369844] #PF: error_code(0x0002) - not-present page\n[  656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0\n[  656.371693] Oops: 0002 [#1] SMP\n[  656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1\n[  656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014\n[  656.375904] RIP: 0010:mutex_lock+0x29/0x60\n[  656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d\n[  656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246\n[  656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[  656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020\n[  656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318\n[  656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40\n[  656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00\n[  656.382166] FS:  00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000\n[  656.382806] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0\n[  656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  656.384927] Call Trace:\n[  656.385111]  flush_workqueue+0x92/0x6c0\n[  656.385395]  nbd_disconnect_and_put+0x81/0xd0\n[  656.385716]  nbd_genl_disconnect+0x125/0x2a0\n[  656.386034]  genl_family_rcv_msg_doit.isra.0+0x102/0x1b0\n[  656.386422]  genl_rcv_msg+0xfc/0x2b0\n[  656.386685]  ? nbd_ioctl+0x490/0x490\n[  656.386954]  ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0\n[  656.387354]  netlink_rcv_skb+0x62/0x180\n[  656.387638]  genl_rcv+0x34/0x60\n[  656.387874]  netlink_unicast+0x26d/0x590\n[  656.388162]  netlink_sendmsg+0x398/0x6c0\n[  656.388451]  ? netlink_rcv_skb+0x180/0x180\n[  656.388750]  ____sys_sendmsg+0x1da/0x320\n[  656.389038]  ? ____sys_recvmsg+0x130/0x220\n[  656.389334]  ___sys_sendmsg+0x8e/0xf0\n[  656.389605]  ? ___sys_recvmsg+0xa2/0xf0\n[  656.389889]  ? handle_mm_fault+0x1671/0x21d0\n[  656.390201]  __sys_sendmsg+0x6d/0xe0\n[  656.390464]  __x64_sys_sendmsg+0x23/0x30\n[  656.390751]  do_syscall_64+0x45/0x70\n[  656.391017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTo fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46981",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix race condition of overwrite vs truncate\n\npos_fsstress testcase complains a panic as belew:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/compress.c:1082!\ninvalid opcode: 0000 [#1] SMP PTI\nCPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G           OE     5.12.0-rc1-custom #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nWorkqueue: writeback wb_workfn (flush-252:16)\nRIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs]\nCall Trace:\n f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]\n f2fs_write_cache_pages+0x468/0x8a0 [f2fs]\n f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]\n do_writepages+0x38/0xc0\n __writeback_single_inode+0x44/0x2a0\n writeback_sb_inodes+0x223/0x4d0\n __writeback_inodes_wb+0x56/0xf0\n wb_writeback+0x1dd/0x290\n wb_workfn+0x309/0x500\n process_one_work+0x220/0x3c0\n worker_thread+0x53/0x420\n kthread+0x12f/0x150\n ret_from_fork+0x22/0x30\n\nThe root cause is truncate() may race with overwrite as below,\nso that one reference count left in page can not guarantee the\npage attaching in mapping tree all the time, after truncation,\nlater find_lock_page() may return NULL pointer.\n\n- prepare_compress_overwrite\n - f2fs_pagecache_get_page\n - unlock_page\n\t\t\t\t\t- f2fs_setattr\n\t\t\t\t\t - truncate_setsize\n\t\t\t\t\t  - truncate_inode_page\n\t\t\t\t\t   - delete_from_page_cache\n - find_lock_page\n\nFix this by avoiding referencing updated page.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46982",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-rdma: Fix NULL deref when SEND is completed with error\n\nWhen running some traffic and taking down the link on peer, a\nretry counter exceeded error is received. This leads to\nnvmet_rdma_error_comp which tried accessing the cq_context to\nobtain the queue. The cq_context is no longer valid after the\nfix to use shared CQ mechanism and should be obtained similar\nto how it is obtained in other functions from the wc->qp.\n\n[ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12).\n[ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048\n[ 905.839919] PGD 0 P4D 0\n[ 905.842464] Oops: 0000 1 SMP NOPTI\n[ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1\n[ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma]\n[ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff\n[ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246\n[ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000\n[ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000\n[ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074\n[ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010\n[ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400\n[ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000\n[ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12).\n[ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0\n[ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 905.961857] PKRU: 55555554\n[ 906.010315] Call Trace:\n[ 906.012778] __ib_process_cq+0x89/0x170 [ib_core]\n[ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core]\n[ 906.022152] process_one_work+0x1a7/0x360\n[ 906.026182] ? create_worker+0x1a0/0x1a0\n[ 906.030123] worker_thread+0x30/0x390\n[ 906.033802] ? create_worker+0x1a0/0x1a0\n[ 906.037744] kthread+0x116/0x130\n[ 906.040988] ? kthread_flush_work_fn+0x10/0x10\n[ 906.045456] ret_from_fork+0x1f/0x40",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46983",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkyber: fix out of bounds access when preempted\n\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\n\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\n\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\n\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46984",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: scan: Fix a memory leak in an error handling path\n\nIf 'acpi_device_set_name()' fails, we must free\n'acpi_device_bus_id->bus_id' or there is a (potential) memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46985",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Free gadget structure only after freeing endpoints\n\nAs part of commit e81a7018d93a (\"usb: dwc3: allocate gadget structure\ndynamically\") the dwc3_gadget_release() was added which will free\nthe dwc->gadget structure upon the device's removal when\nusb_del_gadget_udc() is called in dwc3_gadget_exit().\n\nHowever, simply freeing the gadget results a dangling pointer\nsituation: the endpoints created in dwc3_gadget_init_endpoints()\nhave their dep->endpoint.ep_list members chained off the list_head\nanchored at dwc->gadget->ep_list.  Thus when dwc->gadget is freed,\nthe first dwc3_ep in the list now has a dangling prev pointer and\nlikewise for the next pointer of the dwc3_ep at the tail of the list.\nThe dwc3_gadget_free_endpoints() that follows will result in a\nuse-after-free when it calls list_del().\n\nThis was caught by enabling KASAN and performing a driver unbind.\nThe recent commit 568262bf5492 (\"usb: dwc3: core: Add shutdown\ncallback for dwc3\") also exposes this as a panic during shutdown.\n\nThere are a few possibilities to fix this.  One could be to perform\na list_del() of the gadget->ep_list itself which removes it from\nthe rest of the dwc3_ep chain.\n\nAnother approach is what this patch does, by splitting up the\nusb_del_gadget_udc() call into its separate \"del\" and \"put\"\ncomponents.  This allows dwc3_gadget_free_endpoints() to be\ncalled before the gadget is finally freed with usb_put_gadget().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46986",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock when cloning inline extents and using qgroups\n\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\n\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\n\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\n\nWhen this issue happens, stack traces like the following are reported:\n\n  [72747.556262] task:kworker/u81:9   state:D stack:    0 pid:  225 ppid:     2 flags:0x00004000\n  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n  [72747.556271] Call Trace:\n  [72747.556273]  __schedule+0x296/0x760\n  [72747.556277]  schedule+0x3c/0xa0\n  [72747.556279]  io_schedule+0x12/0x40\n  [72747.556284]  __lock_page+0x13c/0x280\n  [72747.556287]  ? generic_file_readonly_mmap+0x70/0x70\n  [72747.556325]  extent_write_cache_pages+0x22a/0x440 [btrfs]\n  [72747.556331]  ? __set_page_dirty_nobuffers+0xe7/0x160\n  [72747.556358]  ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n  [72747.556362]  ? update_group_capacity+0x25/0x210\n  [72747.556366]  ? cpumask_next_and+0x1a/0x20\n  [72747.556391]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.556394]  do_writepages+0x41/0xd0\n  [72747.556398]  __writeback_single_inode+0x39/0x2a0\n  [72747.556403]  writeback_sb_inodes+0x1ea/0x440\n  [72747.556407]  __writeback_inodes_wb+0x5f/0xc0\n  [72747.556410]  wb_writeback+0x235/0x2b0\n  [72747.556414]  ? get_nr_inodes+0x35/0x50\n  [72747.556417]  wb_workfn+0x354/0x490\n  [72747.556420]  ? newidle_balance+0x2c5/0x3e0\n  [72747.556424]  process_one_work+0x1aa/0x340\n  [72747.556426]  worker_thread+0x30/0x390\n  [72747.556429]  ? create_worker+0x1a0/0x1a0\n  [72747.556432]  kthread+0x116/0x130\n  [72747.556435]  ? kthread_park+0x80/0x80\n  [72747.556438]  ret_from_fork+0x1f/0x30\n\n  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n  [72747.566961] Call Trace:\n  [72747.566964]  __schedule+0x296/0x760\n  [72747.566968]  ? finish_wait+0x80/0x80\n  [72747.566970]  schedule+0x3c/0xa0\n  [72747.566995]  wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n  [72747.566999]  ? finish_wait+0x80/0x80\n  [72747.567024]  lock_extent_bits+0x37/0x90 [btrfs]\n  [72747.567047]  btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n  [72747.567051]  ? find_get_pages_range_tag+0x2cd/0x380\n  [72747.567076]  __extent_writepage+0x203/0x320 [btrfs]\n  [72747.567102]  extent_write_cache_pages+0x2bb/0x440 [btrfs]\n  [72747.567106]  ? update_load_avg+0x7e/0x5f0\n  [72747.567109]  ? enqueue_entity+0xf4/0x6f0\n  [72747.567134]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.567137]  ? enqueue_task_fair+0x93/0x6f0\n  [72747.567140]  do_writepages+0x41/0xd0\n  [72747.567144]  __filemap_fdatawrite_range+0xc7/0x100\n  [72747.567167]  btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n  [72747.567195]  btrfs_work_helper+0xc2/0x300 [btrfs]\n  [72747.567200]  process_one_work+0x1aa/0x340\n  [72747.567202]  worker_thread+0x30/0x390\n  [72747.567205]  ? create_worker+0x1a0/0x1a0\n  [72747.567208]  kthread+0x116/0x130\n  [72747.567211]  ? kthread_park+0x80/0x80\n  [72747.567214]  ret_from_fork+0x1f/0x30\n\n  [72747.569686] task:fsstress        state:D stack:    \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46987",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: release page in error path to avoid BUG_ON\n\nConsider the following sequence of events:\n\n1. Userspace issues a UFFD ioctl, which ends up calling into\n   shmem_mfill_atomic_pte(). We successfully account the blocks, we\n   shmem_alloc_page(), but then the copy_from_user() fails. We return\n   -ENOENT. We don't release the page we allocated.\n2. Our caller detects this error code, tries the copy_from_user() after\n   dropping the mmap_lock, and retries, calling back into\n   shmem_mfill_atomic_pte().\n3. Meanwhile, let's say another process filled up the tmpfs being used.\n4. So shmem_mfill_atomic_pte() fails to account blocks this time, and\n   immediately returns - without releasing the page.\n\nThis triggers a BUG_ON in our caller, which asserts that the page\nshould always be consumed, unless -ENOENT is returned.\n\nTo fix this, detect if we have such a \"dangling\" page when accounting\nfails, and if so, release it before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46988",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: prevent corruption in shrinking truncate\n\nI believe there are some issues introduced by commit 31651c607151\n(\"hfsplus: avoid deadlock on file truncation\")\n\nHFS+ has extent records which always contains 8 extents.  In case the\nfirst extent record in catalog file gets full, new ones are allocated from\nextents overflow file.\n\nIn case shrinking truncate happens to middle of an extent record which\nlocates in extents overflow file, the logic in hfsplus_file_truncate() was\nchanged so that call to hfs_brec_remove() is not guarded any more.\n\nRight action would be just freeing the extents that exceed the new size\ninside extent record by calling hfsplus_free_extents(), and then check if\nthe whole extent record should be removed.  However since the guard\n(blk_cnt > start) is now after the call to hfs_brec_remove(), this has\nunfortunate effect that the last matching extent record is removed\nunconditionally.\n\nTo reproduce this issue, create a file which has at least 10 extents, and\nthen perform shrinking truncate into middle of the last extent record, so\nthat the number of remaining extents is not under or divisible by 8.  This\ncauses the last extent record (8 extents) to be removed totally instead of\ntruncating into middle of it.  Thus this causes corruption, and lost data.\n\nFix for this is simply checking if the new truncated end is below the\nstart of this extent record, making it safe to remove the full extent\nrecord.  However call to hfs_brec_remove() can't be moved to it's previous\nplace since we're dropping ->tree_lock and it can cause a race condition\nand the cached info being invalidated possibly corrupting the node data.\n\nAnother issue is related to this one.  When entering into the block\n(blk_cnt > start) we are not holding the ->tree_lock.  We break out from\nthe loop not holding the lock, but hfs_find_exit() does unlock it.  Not\nsure if it's possible for someone else to take the lock under our feet,\nbut it can cause hard to debug errors and premature unlocking.  Even if\nthere's no real risk of it, the locking should still always be kept in\nbalance.  Thus taking the lock now just before the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46989",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix crashes when toggling entry flush barrier\n\nThe entry flush mitigation can be enabled/disabled at runtime via a\ndebugfs file (entry_flush), which causes the kernel to patch itself to\nenable/disable the relevant mitigations.\n\nHowever depending on which mitigation we're using, it may not be safe to\ndo that patching while other CPUs are active. For example the following\ncrash:\n\n  sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20\n\nShows that we returned to userspace with a corrupted LR that points into\nthe kernel, due to executing the partially patched call to the fallback\nentry flush (ie. we missed the LR restore).\n\nFix it by doing the patching under stop machine. The CPUs that aren't\ndoing the patching will be spinning in the core of the stop machine\nlogic. That is currently sufficient for our purposes, because none of\nthe patching we do is to that code or anywhere in the vicinity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46990",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix use-after-free in i40e_client_subtask()\n\nCurrently the call to i40e_client_del_instance frees the object\npf->cinst, however pf->cinst->lan_info is being accessed after\nthe free. Fix this by adding the missing return.\n\nAddresses-Coverity: (\"Read from pointer after free\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46991",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: avoid overflows in nft_hash_buckets()\n\nNumber of buckets being stored in 32bit variables, we have to\nensure that no overflows occur in nft_hash_buckets()\n\nsyzbot injected a size == 0x40000000 and reported:\n\nUBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\nshift exponent 64 is too large for 64-bit type 'long unsigned int'\nCPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x141/0x1d7 lib/dump_stack.c:120\n ubsan_epilogue+0xb/0x5a lib/ubsan.c:148\n __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327\n __roundup_pow_of_two include/linux/log2.h:57 [inline]\n nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]\n nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652\n nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]\n nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322\n nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n sock_sendmsg_nosec net/socket.c:654 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:674\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46992",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix out-of-bound access in uclamp\n\nUtil-clamp places tasks in different buckets based on their clamp values\nfor performance reasons. However, the size of buckets is currently\ncomputed using a rounding division, which can lead to an off-by-one\nerror in some configurations.\n\nFor instance, with 20 buckets, the bucket size will be 1024/20=51. A\ntask with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly,\ncorrect indexes are in range [0,19], hence leading to an out of bound\nmemory access.\n\nClamp the bucket id to fix the issue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46993",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix resume from sleep before interface was brought up\n\nSince 8ce8c0abcba3 the driver queues work via priv->restart_work when\nresuming after suspend, even when the interface was not previously\nenabled. This causes a null dereference error as the workqueue is only\nallocated and initialized in mcp251x_open().\n\nTo fix this we move the workqueue init to mcp251x_can_probe() as there\nis no reason to do it later and repeat it whenever mcp251x_open() is\ncalled.\n\n[mkl: fix error handling in mcp251x_stop()]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46994",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe\n\nWhen we converted this code to use dev_err_probe() we accidentally\nremoved a return. It means that if devm_clk_get() it will lead to an\nOops when we call clk_get_rate() on the next line.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46995",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: Fix a memleak from userdata error path in new objects\n\nRelease object name if userdata allocation fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46996",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: always set GIC_PRIO_PSR_I_SET during entry\n\nZenghui reports that booting a kernel with \"irqchip.gicv3_pseudo_nmi=1\"\non the command line hits a warning during kernel entry, due to the way\nwe manipulate the PMR.\n\nEarly in the entry sequence, we call lockdep_hardirqs_off() to inform\nlockdep that interrupts have been masked (as the HW sets DAIF wqhen\nentering an exception). Architecturally PMR_EL1 is not affected by\nexception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in\nthe exception entry sequence, so early in exception entry the PMR can\nindicate that interrupts are unmasked even though they are masked by\nDAIF.\n\nIf DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that\ninterrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the\nexception entry paths, and hence lockdep_hardirqs_off() will WARN() that\nsomething is amiss.\n\nWe can avoid this by consistently setting GIC_PRIO_PSR_I_SET during\nexception entry so that kernel code sees a consistent environment. We\nmust also update local_daif_inherit() to undo this, as currently only\ntouches DAIF. For other paths, local_daif_restore() will update both\nDAIF and the PMR. With this done, we can remove the existing special\ncases which set this later in the entry code.\n\nWe always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with\nlocal_daif_save(), as this will warn if it ever encounters\n(GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This\nmatches the gic_prio_kentry_setup that we have to retain for\nret_to_user.\n\nThe original splat from Zenghui's report was:\n\n| DEBUG_LOCKS_WARN_ON(!irqs_disabled())\n| WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8\n| Modules linked in:\n| CPU: 3 PID: 125 Comm: modprobe Tainted: G        W         5.12.0-rc8+ #463\n| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--)\n| pc : lockdep_hardirqs_off+0xd4/0xe8\n| lr : lockdep_hardirqs_off+0xd4/0xe8\n| sp : ffff80002a39bad0\n| pmr_save: 000000e0\n| x29: ffff80002a39bad0 x28: ffff0000de214bc0\n| x27: ffff0000de1c0400 x26: 000000000049b328\n| x25: 0000000000406f30 x24: ffff0000de1c00a0\n| x23: 0000000020400005 x22: ffff8000105f747c\n| x21: 0000000096000044 x20: 0000000000498ef9\n| x19: ffff80002a39bc88 x18: ffffffffffffffff\n| x17: 0000000000000000 x16: ffff800011c61eb0\n| x15: ffff800011700a88 x14: 0720072007200720\n| x13: 0720072007200720 x12: 0720072007200720\n| x11: 0720072007200720 x10: 0720072007200720\n| x9 : ffff80002a39bad0 x8 : ffff80002a39bad0\n| x7 : ffff8000119f0800 x6 : c0000000ffff7fff\n| x5 : ffff8000119f07a8 x4 : 0000000000000001\n| x3 : 9bcdab23f2432800 x2 : ffff800011730538\n| x1 : 9bcdab23f2432800 x0 : 0000000000000000\n| Call trace:\n|  lockdep_hardirqs_off+0xd4/0xe8\n|  enter_from_kernel_mode.isra.5+0x7c/0xa8\n|  el1_abort+0x24/0x100\n|  el1_sync_handler+0x80/0xd0\n|  el1_sync+0x6c/0x100\n|  __arch_clear_user+0xc/0x90\n|  load_elf_binary+0x9fc/0x1450\n|  bprm_execve+0x404/0x880\n|  kernel_execve+0x180/0x188\n|  call_usermodehelper_exec_async+0xdc/0x158\n|  ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46997",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet:enic: Fix a use after free bug in enic_hard_start_xmit\n\nIn enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside\nenic_queue_wq_skb, if some error happens, the skb will be freed\nby dev_kfree_skb(skb). But the freed skb is still used in\nskb_tx_timestamp(skb).\n\nMy patch makes enic_queue_wq_skb() return error and goto spin_unlock()\nincase of error. The solution is provided by Govind.\nSee https://lkml.org/lkml/2021/4/30/961.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46998",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-46999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: do asoc update earlier in sctp_sf_do_dupcook_a\n\nThere's a panic that occurs in a few of envs, the call trace is as below:\n\n  [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI\n  [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]\n  []  sctp_assoc_control_transport+0x1b9/0x210 [sctp]\n  []  sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]\n  []  sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]\n  []  sctp_do_sm+0xc3/0x2a0 [sctp]\n  []  sctp_generate_timeout_event+0x81/0xf0 [sctp]\n\nThis is caused by a transport use-after-free issue. When processing a\nduplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK\nand SHUTDOWN chunks are allocated with the transort from the new asoc.\nHowever, later in the sideeffect machine, the old asoc is used to send\nthem out and old asoc's shutdown_last_sent_to is set to the transport\nthat SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually\nbelongs to the new asoc. After the new_asoc is freed and the old asoc\nT2 timeout, the old asoc's shutdown_last_sent_to that is already freed\nwould be accessed in sctp_sf_t2_timer_expire().\n\nThanks Alexander and Jere for helping dig into this issue.\n\nTo fix it, this patch is to do the asoc update first, then allocate\nthe COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This\nwould make more sense, as a chunk from an asoc shouldn't be sent out\nwith another asoc. We had fixed quite a few issues caused by this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-46999",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix inode leak on getattr error in __fh_to_dentry",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47000",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Fix cwnd update ordering\n\nAfter a reconnect, the reply handler is opening the cwnd (and thus\nenabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs()\ncan post enough Receive WRs to receive their replies. This causes an\nRNR and the new connection is lost immediately.\n\nThe race is most clearly exposed when KASAN and disconnect injection\nare enabled. This slows down rpcrdma_rep_create() enough to allow\nthe send side to post a bunch of RPC Calls before the Receive\ncompletion handler can invoke ib_post_recv().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47001",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix null pointer dereference in svc_rqst_free()\n\nWhen alloc_pages_node() returns null in svc_rqst_alloc(), the\nnull rq_scratch_page pointer will be dereferenced when calling\nput_page() in svc_rqst_free(). Fix it by adding a null check.\n\nAddresses-Coverity: (\"Dereference after null check\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47002",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix potential null dereference on pointer status\n\nThere are calls to idxd_cmd_exec that pass a null status pointer however\na recent commit has added an assignment to *status that can end up\nwith a null pointer dereference.  The function expects a null status\npointer sometimes as there is a later assignment to *status where\nstatus is first null checked.  Fix the issue by null checking status\nbefore making the assignment.\n\nAddresses-Coverity: (\"Explicit null dereferenced\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47003",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid touching checkpointed data in get_victim()\n\nIn CP disabling mode, there are two issues when using LFS or SSR | AT_SSR\nmode to select victim:\n\n1. LFS is set to find source section during GC, the victim should have\nno checkpointed data, since after GC, section could not be set free for\nreuse.\n\nPreviously, we only check valid chpt blocks in current segment rather\nthan section, fix it.\n\n2. SSR | AT_SSR are set to find target segment for writes which can be\nfully filled by checkpointed and newly written blocks, we should never\nselect such segment, otherwise it can cause panic or data corruption\nduring allocation, potential case is described as below:\n\n a) target segment has 'n' (n < 512) ckpt valid blocks\n b) GC migrates 'n' valid blocks to other segment (segment is still\n    in dirty list)\n c) GC migrates '512 - n' blocks to target segment (segment has 'n'\n    cp_vblocks and '512 - n' vblocks)\n d) If GC selects target segment via {AT,}SSR allocator, however there\n    is no free space in targe segment.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47004",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix NULL pointer dereference for ->get_features()\n\nget_features ops of pci_epc_ops may return NULL, causing NULL pointer\ndereference in pci_epf_test_alloc_space function. Let us add a check for\npci_epc_feature pointer in pci_epf_test_bind before we access it to avoid\nany such NULL pointer dereference and return -ENOTSUPP in case\npci_epc_feature is not found.\n\nWhen the patch is not applied and EPC features is not implemented in the\nplatform driver, we see the following dump due to kernel NULL pointer\ndereference.\n\nCall trace:\n pci_epf_test_bind+0xf4/0x388\n pci_epf_bind+0x3c/0x80\n pci_epc_epf_link+0xa8/0xcc\n configfs_symlink+0x1a4/0x48c\n vfs_symlink+0x104/0x184\n do_symlinkat+0x80/0xd4\n __arm64_sys_symlinkat+0x1c/0x24\n el0_svc_common.constprop.3+0xb8/0x170\n el0_svc_handler+0x70/0x88\n el0_svc+0x8/0x640\nCode: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400)\n---[ end trace a438e3c5a24f9df0 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47005",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook\n\nThe commit 1879445dfa7b (\"perf/core: Set event's default\n::overflow_handler()\") set a default event->overflow_handler in\nperf_event_alloc(), and replace the check event->overflow_handler with\nis_default_overflow_handler(), but one is missing.\n\nCurrently, the bp->overflow_handler can not be NULL. As a result,\nenable_single_step() is always not invoked.\n\nComments from Zhen Lei:\n\n https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47006",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix panic during f2fs_resize_fs()\n\nf2fs_resize_fs() hangs in below callstack with testcase:\n- mkfs 16GB image & mount image\n- dd 8GB fileA\n- dd 8GB fileB\n- sync\n- rm fileA\n- sync\n- resize filesystem to 8GB\n\nkernel BUG at segment.c:2484!\nCall Trace:\n allocate_segment_by_default+0x92/0xf0 [f2fs]\n f2fs_allocate_data_block+0x44b/0x7e0 [f2fs]\n do_write_page+0x5a/0x110 [f2fs]\n f2fs_outplace_write_data+0x55/0x100 [f2fs]\n f2fs_do_write_data_page+0x392/0x850 [f2fs]\n move_data_page+0x233/0x320 [f2fs]\n do_garbage_collect+0x14d9/0x1660 [f2fs]\n free_segment_range+0x1f7/0x310 [f2fs]\n f2fs_resize_fs+0x118/0x330 [f2fs]\n __f2fs_ioctl+0x487/0x3680 [f2fs]\n __x64_sys_ioctl+0x8e/0xd0\n do_syscall_64+0x33/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe root cause is we forgot to check that whether we have enough space\nin resized filesystem to store all valid blocks in before-resizing\nfilesystem, then allocator will run out-of-space during block migration\nin free_segment_range().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47007",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Make sure GHCB is mapped before updating\n\nAccess to the GHCB is mainly in the VMGEXIT path and it is known that the\nGHCB will be mapped. But there are two paths where it is possible the GHCB\nmight not be mapped.\n\nThe sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform\nthe caller of the AP Reset Hold NAE event that a SIPI has been delivered.\nHowever, if a SIPI is performed without a corresponding AP Reset Hold,\nthen the GHCB might not be mapped (depending on the previous VMEXIT),\nwhich will result in a NULL pointer dereference.\n\nThe svm_complete_emulated_msr() routine will update the GHCB to inform\nthe caller of a RDMSR/WRMSR operation about any errors. While it is likely\nthat the GHCB will be mapped in this situation, add a safe guard\nin this path to be certain a NULL pointer dereference is not encountered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47008",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak on object td\n\nTwo error return paths are neglecting to free allocated object td,\ncausing a memory leak. Fix this by returning via the error return\npath that securely kfree's td.\n\nFixes clang scan-build warning:\nsecurity/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential\nmemory leak [unix.Malloc]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47009",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Only allow init netns to set default tcp cong to a restricted algo\n\ntcp_set_default_congestion_control() is netns-safe in that it writes\nto &net->ipv4.tcp_congestion_control, but it also sets\nca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced.\nThis has the unintended side-effect of changing the global\nnet.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it\nis read-only: 97684f0970f6 (\"net: Make tcp_allowed_congestion_control\nreadonly in non-init netns\")\n\nResolve this netns \"leak\" by only allowing the init netns to set the\ndefault algorithm to one that is restricted. This restriction could be\nremoved if tcp_allowed_congestion_control were namespace-ified in the\nfuture.\n\nThis bug was uncovered with\nhttps://github.com/JonathonReinhart/linux-netns-sysctl-verify",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47010",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcontrol: slab: fix obtain a reference to a freeing memcg\n\nPatch series \"Use obj_cgroup APIs to charge kmem pages\", v5.\n\nSince Roman's series \"The new cgroup slab memory controller\" applied.\nAll slab objects are charged with the new APIs of obj_cgroup.  The new\nAPIs introduce a struct obj_cgroup to charge slab objects.  It prevents\nlong-living objects from pinning the original memory cgroup in the\nmemory.  But there are still some corner objects (e.g.  allocations\nlarger than order-1 page on SLUB) which are not charged with the new\nAPIs.  Those objects (include the pages which are allocated from buddy\nallocator directly) are charged as kmem pages which still hold a\nreference to the memory cgroup.\n\nE.g.  We know that the kernel stack is charged as kmem pages because the\nsize of the kernel stack can be greater than 2 pages (e.g.  16KB on\nx86_64 or arm64).  If we create a thread (suppose the thread stack is\ncharged to memory cgroup A) and then move it from memory cgroup A to\nmemory cgroup B.  Because the kernel stack of the thread hold a\nreference to the memory cgroup A.  The thread can pin the memory cgroup\nA in the memory even if we remove the cgroup A.  If we want to see this\nscenario by using the following script.  We can see that the system has\nadded 500 dying cgroups (This is not a real world issue, just a script\nto show that the large kmallocs are charged as kmem pages which can pin\nthe memory cgroup in the memory).\n\n\t#!/bin/bash\n\n\tcat /proc/cgroups | grep memory\n\n\tcd /sys/fs/cgroup/memory\n\techo 1 > memory.move_charge_at_immigrate\n\n\tfor i in range{1..500}\n\tdo\n\t\tmkdir kmem_test\n\t\techo $$ > kmem_test/cgroup.procs\n\t\tsleep 3600 &\n\t\techo $$ > cgroup.procs\n\t\techo `cat kmem_test/cgroup.procs` > cgroup.procs\n\t\trmdir kmem_test\n\tdone\n\n\tcat /proc/cgroups | grep memory\n\nThis patchset aims to make those kmem pages to drop the reference to\nmemory cgroup by using the APIs of obj_cgroup.  Finally, we can see that\nthe number of the dying cgroups will not increase if we run the above test\nscript.\n\nThis patch (of 7):\n\nThe rcu_read_lock/unlock only can guarantee that the memcg will not be\nfreed, but it cannot guarantee the success of css_get (which is in the\nrefill_stock when cached memcg changed) to memcg.\n\n  rcu_read_lock()\n  memcg = obj_cgroup_memcg(old)\n  __memcg_kmem_uncharge(memcg)\n      refill_stock(memcg)\n          if (stock->cached != memcg)\n              // css_get can change the ref counter from 0 back to 1.\n              css_get(&memcg->css)\n  rcu_read_unlock()\n\nThis fix is very like the commit:\n\n  eefbfa7fd678 (\"mm: memcg/slab: fix use after free in obj_cgroup_charge\")\n\nFix this by holding a reference to the memcg which is passed to the\n__memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47011",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47012",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send\n\nIn emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).\nIf some error happens in emac_tx_fill_tpd(), the skb will be freed via\ndev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().\nBut the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).\n\nAs i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,\nthus my patch assigns skb->len to 'len' before the possible free and\nuse 'len' instead of skb->len later.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47013",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix wild memory access when clearing fragments\n\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\n\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  inet_frag_destroy+0xa9/0x150\n  call_timer_fn+0x2d/0x180\n  run_timer_softirq+0x4fe/0xe70\n  __do_softirq+0x197/0x5a0\n  irq_exit_rcu+0x1de/0x200\n  sysvec_apic_timer_interrupt+0x6b/0x80\n  </IRQ>\n\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47014",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RX consumer index logic in the error path.\n\nIn bnxt_rx_pkt(), the RX buffers are expected to complete in order.\nIf the RX consumer index indicates an out of order buffer completion,\nit means we are hitting a hardware bug and the driver will abort all\nremaining RX packets and reset the RX ring.  The RX consumer index\nthat we pass to bnxt_discard_rx() is not correct.  We should be\npassing the current index (tmp_raw_cons) instead of the old index\n(raw_cons).  This bug can cause us to be at the wrong index when\ntrying to abort the next RX packet.  It can crash like this:\n\n #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007\n #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232\n #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e\n #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978\n #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0\n #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e\n #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24\n #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e\n #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12\n #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5\n    [exception RIP: bnxt_rx_pkt+237]\n    RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213\n    RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000\n    RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000\n    RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d\n    R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0\n    R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47015",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: mvme147,mvme16x: Don't wipe PCC timer config bits\n\nDon't clear the timer 1 configuration bits when clearing the interrupt flag\nand counter overflow. As Michael reported, \"This results in no timer\ninterrupts being delivered after the first. Initialization then hangs\nin calibrate_delay as the jiffies counter is not updated.\"\n\nOn mvme16x, enable the timer after requesting the irq, consistent with\nmvme147.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47016",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix a use after free in ath10k_htc_send_bundle\n\nIn ath10k_htc_send_bundle, the bundle_skb could be freed by\ndev_kfree_skb_any(bundle_skb). But the bundle_skb is used later\nby bundle_skb->len.\n\nAs skb_len = bundle_skb->len, my patch replaces bundle_skb->len to\nskb_len after the bundle_skb was freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47017",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64: Fix the definition of the fixmap area\n\nAt the time being, the fixmap area is defined at the top of\nthe address space or just below KASAN.\n\nThis definition is not valid for PPC64.\n\nFor PPC64, use the top of the I/O space.\n\nBecause of circular dependencies, it is not possible to include\nasm/fixmap.h in asm/book3s/64/pgtable.h , so define a fixed size\nAREA at the top of the I/O space for fixmap and ensure during\nbuild that the size is big enough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47018",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix possible invalid register access\n\nDisable the interrupt and synchronze for the pending irq handlers to ensure\nthe irq tasklet is not being scheduled after the suspend to avoid the\npossible invalid register access acts when the host pcie controller is\nsuspended.\n\n[17932.910534] mt7921e 0000:01:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 21375 usecs\n[17932.910590] pcieport 0000:00:00.0: calling pci_pm_suspend+0x0/0x22c @ 18565, parent: pci0000:00\n[17932.910602] pcieport 0000:00:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 8 usecs\n[17932.910671] mtk-pcie 11230000.pcie: calling platform_pm_suspend+0x0/0x60 @ 22783, parent: soc\n[17932.910674] mtk-pcie 11230000.pcie: platform_pm_suspend+0x0/0x60 returned 0 after 0 usecs\n\n...\n\n17933.615352] x1 : 00000000000d4200 x0 : ffffff8269ca2300\n[17933.620666] Call trace:\n[17933.623127]  mt76_mmio_rr+0x28/0xf0 [mt76]\n[17933.627234]  mt7921_rr+0x38/0x44 [mt7921e]\n[17933.631339]  mt7921_irq_tasklet+0x54/0x1d8 [mt7921e]\n[17933.636309]  tasklet_action_common+0x12c/0x16c\n[17933.640754]  tasklet_action+0x24/0x2c\n[17933.644418]  __do_softirq+0x16c/0x344\n[17933.648082]  irq_exit+0xa8/0xac\n[17933.651224]  scheduler_ipi+0xd4/0x148\n[17933.654890]  handle_IPI+0x164/0x2d4\n[17933.658379]  gic_handle_irq+0x140/0x178\n[17933.662216]  el1_irq+0xb8/0x180\n[17933.665361]  cpuidle_enter_state+0xf8/0x204\n[17933.669544]  cpuidle_enter+0x38/0x4c\n[17933.673122]  do_idle+0x1a4/0x2a8\n[17933.676352]  cpu_startup_entry+0x24/0x28\n[17933.680276]  rest_init+0xd4/0xe0\n[17933.683508]  arch_call_rest_init+0x10/0x18\n[17933.687606]  start_kernel+0x340/0x3b4\n[17933.691279] Code: aa0003f5 d503201f f953eaa8 8b344108 (b9400113)\n[17933.697373] ---[ end trace a24b8e26ffbda3c5 ]---\n[17933.767846] Kernel panic - not syncing: Fatal exception in interrupt",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47019",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: stream: fix memory leak in stream config error path\n\nWhen stream config is failed, master runtime will release all\nslave runtime in the slave_rt_list, but slave runtime is not\nadded to the list at this time. This patch frees slave runtime\nin the config error path to fix the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47020",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix memleak when mt7915_unregister_device()\n\nmt7915_tx_token_put() should get call before mt76_free_pending_txwi().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47021",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix memleak when mt7615_unregister_device()\n\nmt7615_tx_token_put() should get call before mt76_free_pending_txwi().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47022",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix port event handling on init\n\nFor some reason there might be a crash during ports creation if port\nevents are handling at the same time  because fw may send initial\nport event with down state.\n\nThe crash points to cancel_delayed_work() which is called when port went\nis down.  Currently I did not find out the real cause of the issue, so\nfixed it by cancel port stats work only if previous port's state was up\n& runnig.\n\nThe following is the crash which can be triggered:\n\n[   28.311104] Unable to handle kernel paging request at virtual address\n000071775f776600\n[   28.319097] Mem abort info:\n[   28.321914]   ESR = 0x96000004\n[   28.324996]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   28.330350]   SET = 0, FnV = 0\n[   28.333430]   EA = 0, S1PTW = 0\n[   28.336597] Data abort info:\n[   28.339499]   ISV = 0, ISS = 0x00000004\n[   28.343362]   CM = 0, WnR = 0\n[   28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000\n[   28.352842] [000071775f776600] pgd=0000000000000000,\np4d=0000000000000000\n[   28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[   28.365310] Modules linked in: prestera_pci(+) prestera\nuio_pdrv_genirq\n[   28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted\n5.11.0-rc4 #1\n[   28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[   28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn\n[prestera_pci]\n[   28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)\n[   28.397468] pc : get_work_pool+0x48/0x60\n[   28.401442] lr : try_to_grab_pending+0x6c/0x1b0\n[   28.406018] sp : ffff80001391bc60\n[   28.409358] x29: ffff80001391bc60 x28: 0000000000000000\n[   28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88\n[   28.420089] x25: 0000000000000000 x24: ffff000106119760\n[   28.425452] x23: ffff00010775dd60 x22: ffff00010567e000\n[   28.430814] x21: 0000000000000000 x20: ffff80001391bcb0\n[   28.436175] x19: ffff00010775deb8 x18: 00000000000000c0\n[   28.441537] x17: 0000000000000000 x16: 000000008d9b0e88\n[   28.446898] x15: 0000000000000001 x14: 00000000000002ba\n[   28.452261] x13: 80a3002c00000002 x12: 00000000000005f4\n[   28.457622] x11: 0000000000000030 x10: 000000000000000c\n[   28.462985] x9 : 000000000000000c x8 : 0000000000000030\n[   28.468346] x7 : ffff800014400000 x6 : ffff000106119758\n[   28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60\n[   28.479068] x3 : 0000000000000000 x2 : 0000000000000060\n[   28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8\n[   28.489791] Call trace:\n[   28.492259]  get_work_pool+0x48/0x60\n[   28.495874]  cancel_delayed_work+0x38/0xb0\n[   28.500011]  prestera_port_handle_event+0x90/0xa0 [prestera]\n[   28.505743]  prestera_evt_recv+0x98/0xe0 [prestera]\n[   28.510683]  prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci]\n[   28.516660]  process_one_work+0x1e8/0x360\n[   28.520710]  worker_thread+0x44/0x480\n[   28.524412]  kthread+0x154/0x160\n[   28.527670]  ret_from_fork+0x10/0x38\n[   28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020)\n[   28.537429] ---[ end trace 5eced933df3a080b ]---",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47023",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: free queued packets when closing socket\n\nAs reported by syzbot [1], there is a memory leak while closing the\nsocket. We partially solved this issue with commit ac03046ece2b\n(\"vsock/virtio: free packets during the socket release\"), but we\nforgot to drain the RX queue when the socket is definitely closed by\nthe scheduled work.\n\nTo avoid future issues, let's use the new virtio_transport_remove_sock()\nto drain the RX queue before removing the socket from the af_vsock lists\ncalling vsock_remove_sock().\n\n[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47024",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Always enable the clk on resume\n\nIn mtk_iommu_runtime_resume always enable the clk, even\nif m4u_dom is null. Otherwise the 'suspend' cb might\ndisable the clk which is already disabled causing the warning:\n\n[    1.586104] infra_m4u already disabled\n[    1.586133] WARNING: CPU: 0 PID: 121 at drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8\n[    1.594391] mtk-iommu 10205000.iommu: bound 18001000.larb (ops mtk_smi_larb_component_ops)\n[    1.598108] Modules linked in:\n[    1.598114] CPU: 0 PID: 121 Comm: kworker/0:2 Not tainted 5.12.0-rc5 #69\n[    1.609246] mtk-iommu 10205000.iommu: bound 14027000.larb (ops mtk_smi_larb_component_ops)\n[    1.617487] Hardware name: Google Elm (DT)\n[    1.617491] Workqueue: pm pm_runtime_work\n[    1.620545] mtk-iommu 10205000.iommu: bound 19001000.larb (ops mtk_smi_larb_component_ops)\n\n[    1.627229] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)\n[    1.659297] pc : clk_core_disable+0xb0/0xb8\n[    1.663475] lr : clk_core_disable+0xb0/0xb8\n[    1.667652] sp : ffff800011b9bbe0\n[    1.670959] x29: ffff800011b9bbe0 x28: 0000000000000000\n[    1.676267] x27: ffff800011448000 x26: ffff8000100cfd98\n[    1.681574] x25: ffff800011b9bd48 x24: 0000000000000000\n[    1.686882] x23: 0000000000000000 x22: ffff8000106fad90\n[    1.692189] x21: 000000000000000a x20: ffff0000c0048500\n[    1.697496] x19: ffff0000c0048500 x18: ffffffffffffffff\n[    1.702804] x17: 0000000000000000 x16: 0000000000000000\n[    1.708112] x15: ffff800011460300 x14: fffffffffffe0000\n[    1.713420] x13: ffff8000114602d8 x12: 0720072007200720\n[    1.718727] x11: 0720072007200720 x10: 0720072007200720\n[    1.724035] x9 : ffff800011b9bbe0 x8 : ffff800011b9bbe0\n[    1.729342] x7 : 0000000000000009 x6 : ffff8000114b8328\n[    1.734649] x5 : 0000000000000000 x4 : 0000000000000000\n[    1.739956] x3 : 00000000ffffffff x2 : ffff800011460298\n[    1.745263] x1 : 1af1d7de276f4500 x0 : 0000000000000000\n[    1.750572] Call trace:\n[    1.753010]  clk_core_disable+0xb0/0xb8\n[    1.756840]  clk_core_disable_lock+0x24/0x40\n[    1.761105]  clk_disable+0x20/0x30\n[    1.764501]  mtk_iommu_runtime_suspend+0x88/0xa8\n[    1.769114]  pm_generic_runtime_suspend+0x2c/0x48\n[    1.773815]  __rpm_callback+0xe0/0x178\n[    1.777559]  rpm_callback+0x24/0x88\n[    1.781041]  rpm_suspend+0xdc/0x470\n[    1.784523]  rpm_idle+0x12c/0x170\n[    1.787831]  pm_runtime_work+0xa8/0xc0\n[    1.791573]  process_one_work+0x1e8/0x360\n[    1.795580]  worker_thread+0x44/0x478\n[    1.799237]  kthread+0x150/0x158\n[    1.802460]  ret_from_fork+0x10/0x30\n[    1.806034] ---[ end trace 82402920ef64573b ]---\n[    1.810728] ------------[ cut here ]------------\n\nIn addition, we now don't need to enable the clock from the\nfunction mtk_iommu_hw_init since it is already enabled by the resume.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47025",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-clt: destroy sysfs after removing session from active list\n\nA session can be removed dynamically by sysfs interface \"remove_path\" that\neventually calls rtrs_clt_remove_path_from_sysfs function.  The current\nrtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and\nfrees sess->stats object. Second it removes the session from the active\nlist.\n\nTherefore some functions could access non-connected session and access the\nfreed sess->stats object even-if they check the session status before\naccessing the session.\n\nFor instance rtrs_clt_request and get_next_path_min_inflight check the\nsession status and try to send IO to the session.  The session status\ncould be changed when they are trying to send IO but they could not catch\nthe change and update the statistics information in sess->stats object,\nand generate use-after-free problem.\n(see: \"RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its\nstats\")\n\nThis patch changes the rtrs_clt_remove_path_from_sysfs to remove the\nsession from the active session list and then destroy the sysfs\ninterfaces.\n\nEach function still should check the session status because closing or\nerror recovery paths can change the status.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47026",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix kernel crash when the firmware fails to download\n\nFix kernel crash when the firmware is missing or fails to download.\n\n[    9.444758] kernel BUG at drivers/pci/msi.c:375!\n[    9.449363] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[    9.501033] pstate: a0400009 (NzCv daif +PAN -UAO)\n[    9.505814] pc : free_msi_irqs+0x180/0x184\n[    9.509897] lr : free_msi_irqs+0x40/0x184\n[    9.513893] sp : ffffffc015193870\n[    9.517194] x29: ffffffc015193870 x28: 00000000f0e94fa2\n[    9.522492] x27: 0000000000000acd x26: 000000000000009a\n[    9.527790] x25: ffffffc0152cee58 x24: ffffffdbb383e0d8\n[    9.533087] x23: ffffffdbb38628d0 x22: 0000000000040200\n[    9.538384] x21: ffffff8cf7de7318 x20: ffffff8cd65a2480\n[    9.543681] x19: ffffff8cf7de7000 x18: 0000000000000000\n[    9.548979] x17: ffffff8cf9ca03b4 x16: ffffffdc13ad9a34\n[    9.554277] x15: 0000000000000000 x14: 0000000000080800\n[    9.559575] x13: ffffff8cd65a2980 x12: 0000000000000000\n[    9.564873] x11: ffffff8cfa45d820 x10: ffffff8cfa45d6d0\n[    9.570171] x9 : 0000000000000040 x8 : ffffff8ccef1b780\n[    9.575469] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000\n[    9.580766] x5 : ffffffdc13824900 x4 : ffffff8ccefe0000\n[    9.586063] x3 : 0000000000000000 x2 : 0000000000000000\n[    9.591362] x1 : 0000000000000125 x0 : ffffff8ccefe0000\n[    9.596660] Call trace:\n[    9.599095]  free_msi_irqs+0x180/0x184\n[    9.602831]  pci_disable_msi+0x100/0x130\n[    9.606740]  pci_free_irq_vectors+0x24/0x30\n[    9.610915]  mt7921_pci_probe+0xbc/0x250 [mt7921e]\n[    9.615693]  pci_device_probe+0xd4/0x14c\n[    9.619604]  really_probe+0x134/0x2ec\n[    9.623252]  driver_probe_device+0x64/0xfc\n[    9.627335]  device_driver_attach+0x4c/0x6c\n[    9.631506]  __driver_attach+0xac/0xc0\n[    9.635243]  bus_for_each_dev+0x8c/0xd4\n[    9.639066]  driver_attach+0x2c/0x38\n[    9.642628]  bus_add_driver+0xfc/0x1d0\n[    9.646365]  driver_register+0x64/0xf8\n[    9.650101]  __pci_register_driver+0x6c/0x7c\n[    9.654360]  init_module+0x28/0xfdc [mt7921e]\n[    9.658704]  do_one_initcall+0x13c/0x2d0\n[    9.662615]  do_init_module+0x58/0x1e8\n[    9.666351]  load_module+0xd80/0xeb4\n[    9.669912]  __arm64_sys_finit_module+0xa8/0xe0\n[    9.674430]  el0_svc_common+0xa4/0x16c\n[    9.678168]  el0_svc_compat_handler+0x2c/0x40\n[    9.682511]  el0_svc_compat+0x8/0x10\n[    9.686076] Code: a94257f6 f9400bf7 a8c47bfd d65f03c0 (d4210000)\n[    9.692155] ---[ end trace 7621f966afbf0a29 ]---\n[    9.697385] Kernel panic - not syncing: Fatal exception\n[    9.702599] SMP: stopping secondary CPUs\n[    9.706549] Kernel Offset: 0x1c03600000 from 0xffffffc010000000\n[    9.712456] PHYS_OFFSET: 0xfffffff440000000\n[    9.716625] CPU features: 0x080026,2a80aa18\n[    9.720795] Memory Limit: none",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47027",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix txrate reporting\n\nProperly check rate_info to fix unexpected reporting.\n\n[ 1215.161863] Call trace:\n[ 1215.164307]  cfg80211_calculate_bitrate+0x124/0x200 [cfg80211]\n[ 1215.170139]  ieee80211s_update_metric+0x80/0xc0 [mac80211]\n[ 1215.175624]  ieee80211_tx_status_ext+0x508/0x838 [mac80211]\n[ 1215.181190]  mt7915_mcu_get_rx_rate+0x28c/0x8d0 [mt7915e]\n[ 1215.186580]  mt7915_mac_tx_free+0x324/0x7c0 [mt7915e]\n[ 1215.191623]  mt7915_queue_rx_skb+0xa8/0xd0 [mt7915e]\n[ 1215.196582]  mt76_dma_cleanup+0x7b0/0x11d0 [mt76]\n[ 1215.201276]  __napi_poll+0x38/0xf8\n[ 1215.204668]  napi_workfn+0x40/0x80\n[ 1215.208062]  process_one_work+0x1fc/0x390\n[ 1215.212062]  worker_thread+0x48/0x4d0\n[ 1215.215715]  kthread+0x120/0x128\n[ 1215.218935]  ret_from_fork+0x10/0x1c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47028",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: connac: fix kernel warning adding monitor interface\n\nFix the following kernel warning adding a monitor interface in\nmt76_connac_mcu_uni_add_dev routine.\n\n[  507.984882] ------------[ cut here ]------------\n[  507.989515] WARNING: CPU: 1 PID: 3017 at mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[  508.059379] CPU: 1 PID: 3017 Comm: ifconfig Not tainted 5.4.98 #0\n[  508.065461] Hardware name: MT7622_MT7531 RFB (DT)\n[  508.070156] pstate: 80000005 (Nzcv daif -PAN -UAO)\n[  508.074939] pc : mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[  508.081806] lr : mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e]\n[  508.087367] sp : ffffffc013a33930\n[  508.090671] x29: ffffffc013a33930 x28: ffffff801e628ac0\n[  508.095973] x27: ffffff801c7f1200 x26: ffffff801c7eb008\n[  508.101275] x25: ffffff801c7eaef0 x24: ffffff801d025610\n[  508.106577] x23: ffffff801d022990 x22: ffffff801d024de8\n[  508.111879] x21: ffffff801d0226a0 x20: ffffff801c7eaee8\n[  508.117181] x19: ffffff801d0226a0 x18: 000000005d00b000\n[  508.122482] x17: 00000000ffffffff x16: 0000000000000000\n[  508.127785] x15: 0000000000000080 x14: ffffff801d704000\n[  508.133087] x13: 0000000000000040 x12: 0000000000000002\n[  508.138389] x11: 000000000000000c x10: 0000000000000000\n[  508.143691] x9 : 0000000000000020 x8 : 0000000000000001\n[  508.148992] x7 : 0000000000000000 x6 : 0000000000000000\n[  508.154294] x5 : ffffff801c7eaee8 x4 : 0000000000000006\n[  508.159596] x3 : 0000000000000001 x2 : 0000000000000000\n[  508.164898] x1 : ffffff801c7eac08 x0 : ffffff801d0226a0\n[  508.170200] Call trace:\n[  508.172640]  mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib]\n[  508.179159]  mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e]\n[  508.184394]  drv_add_interface+0x34/0x88 [mac80211]\n[  508.189271]  ieee80211_add_virtual_monitor+0xe0/0xb48 [mac80211]\n[  508.195277]  ieee80211_do_open+0x86c/0x918 [mac80211]\n[  508.200328]  ieee80211_do_open+0x900/0x918 [mac80211]\n[  508.205372]  __dev_open+0xcc/0x150\n[  508.208763]  __dev_change_flags+0x134/0x198\n[  508.212937]  dev_change_flags+0x20/0x60\n[  508.216764]  devinet_ioctl+0x3e8/0x748\n[  508.220503]  inet_ioctl+0x1e4/0x350\n[  508.223983]  sock_do_ioctl+0x48/0x2a0\n[  508.227635]  sock_ioctl+0x310/0x4f8\n[  508.231116]  do_vfs_ioctl+0xa4/0xac0\n[  508.234681]  ksys_ioctl+0x44/0x90\n[  508.237985]  __arm64_sys_ioctl+0x1c/0x48\n[  508.241901]  el0_svc_common.constprop.1+0x7c/0x100\n[  508.246681]  el0_svc_handler+0x18/0x20\n[  508.250421]  el0_svc+0x8/0x1c8\n[  508.253465] ---[ end trace c7b90fee13d72c39 ]---\n[  508.261278] ------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47029",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix memory leak in mt7615_coredump_work\n\nSimilar to the issue fixed in mt7921_coredump_work, fix a possible memory\nleak in mt7615_coredump_work routine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47030",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix memory leak in mt7921_coredump_work\n\nFix possible memory leak in mt7921_coredump_work.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47031",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix tx skb dma unmap\n\nThe first pointer in the txp needs to be unmapped as well, otherwise it will\nleak DMA mapping entries",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47032",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix tx skb dma unmap\n\nThe first pointer in the txp needs to be unmapped as well, otherwise it will\nleak DMA mapping entries",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47033",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix pte update for kernel memory on radix\n\nWhen adding a PTE a ptesync is needed to order the update of the PTE\nwith subsequent accesses otherwise a spurious fault may be raised.\n\nradix__set_pte_at() does not do this for performance gains. For\nnon-kernel memory this is not an issue as any faults of this kind are\ncorrected by the page fault handler. For kernel memory these faults\nare not handled. The current solution is that there is a ptesync in\nflush_cache_vmap() which should be called when mapping from the\nvmalloc region.\n\nHowever, map_kernel_page() does not call flush_cache_vmap(). This is\ntroublesome in particular for code patching with Strict RWX on radix.\nIn do_patch_instruction() the page frame that contains the instruction\nto be patched is mapped and then immediately patched. With no ordering\nor synchronization between setting up the PTE and writing to the page\nit is possible for faults.\n\nAs the code patching is done using __put_user_asm_goto() the resulting\nfault is obscured - but using a normal store instead it can be seen:\n\n  BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c\n  Faulting instruction address: 0xc00000000008bd74\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n  Modules linked in: nop_module(PO+) [last unloaded: nop_module]\n  CPU: 4 PID: 757 Comm: sh Tainted: P           O      5.10.0-rc5-01361-ge3c1b78c8440-dirty #43\n  NIP:  c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810\n  REGS: c000000016f634a0 TRAP: 0300   Tainted: P           O       (5.10.0-rc5-01361-ge3c1b78c8440-dirty)\n  MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 44002884  XER: 00000000\n  CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1\n\nThis results in the kind of issue reported here:\n  https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/\n\nChris Riedl suggested a reliable way to reproduce the issue:\n  $ mount -t debugfs none /sys/kernel/debug\n  $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) &\n\nTurning ftrace on and off does a large amount of code patching which\nin usually less then 5min will crash giving a trace like:\n\n   ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)\n   ------------[ ftrace bug ]------------\n   ftrace failed to modify\n   [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390\n    actual:   11:3b:47:4b\n   Setting ftrace call site to call ftrace function\n   ftrace record flags: 80000001\n    (1)\n    expected tramp: c00000000006c96c\n   ------------[ cut here ]------------\n   WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8\n   Modules linked in: nop_module(PO-) [last unloaded: nop_module]\n   CPU: 4 PID: 809 Comm: sh Tainted: P           O      5.10.0-rc5-01360-gf878ccaf250a #1\n   NIP:  c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0\n   REGS: c000000004c8b760 TRAP: 0700   Tainted: P           O       (5.10.0-rc5-01360-gf878ccaf250a)\n   MSR:  900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 28008848  XER: 20040000\n   CFAR: c0000000001a9c98 IRQMASK: 0\n   GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022\n   GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8\n   GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118\n   GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000\n   GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008\n   GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8\n   GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020\n   GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0\n   NIP ftrace_bug+0x28c/0x2e8\n   LR  ftrace_bug+0x288/0x2e8\n   Call T\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47034",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Remove WO permissions on second-level paging entries\n\nWhen the first level page table is used for IOVA translation, it only\nsupports Read-Only and Read-Write permissions. The Write-Only permission\nis not supported as the PRESENT bit (implying Read permission) should\nalways set. When using second level, we still give separate permissions\nthat allows WriteOnly which seems inconsistent and awkward. We want to\nhave consistent behavior. After moving to 1st level, we don't want things\nto work sometimes, and break if we use 2nd level for the same mappings.\nHence remove this configuration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47035",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: skip L4 aggregation for UDP tunnel packets\n\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\n\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\n\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\n\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\n\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\n\nv1 -> v2:\n - hopefully clarify the commit message",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47036",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: q6afe-clocks: fix reprobing of the driver\n\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47037",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: avoid deadlock between hci_dev->lock and socket lock\n\nCommit eab2404ba798 (\"Bluetooth: Add BT_PHY socket option\") added a\ndependency between socket lock and hci_dev->lock that could lead to\ndeadlock.\n\nIt turns out that hci_conn_get_phy() is not in any way relying on hdev\nbeing immutable during the runtime of this function, neither does it even\nlook at any of the members of hdev, and as such there is no need to hold\nthat lock.\n\nThis fixes the lockdep splat below:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 5.12.0-rc1-00026-g73d464503354 #10 Not tainted\n ------------------------------------------------------\n bluetoothd/1118 is trying to acquire lock:\n ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth]\n\n but task is already holding lock:\n ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}:\n        lock_sock_nested+0x72/0xa0\n        l2cap_sock_ready_cb+0x18/0x70 [bluetooth]\n        l2cap_config_rsp+0x27a/0x520 [bluetooth]\n        l2cap_sig_channel+0x658/0x1330 [bluetooth]\n        l2cap_recv_frame+0x1ba/0x310 [bluetooth]\n        hci_rx_work+0x1cc/0x640 [bluetooth]\n        process_one_work+0x244/0x5f0\n        worker_thread+0x3c/0x380\n        kthread+0x13e/0x160\n        ret_from_fork+0x22/0x30\n\n -> #2 (&chan->lock#2/1){+.+.}-{3:3}:\n        __mutex_lock+0xa3/0xa10\n        l2cap_chan_connect+0x33a/0x940 [bluetooth]\n        l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n        __sys_connect+0x9b/0xc0\n        __x64_sys_connect+0x16/0x20\n        do_syscall_64+0x33/0x80\n        
entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #1 (&conn->chan_lock){+.+.}-{3:3}:\n        __mutex_lock+0xa3/0xa10\n        l2cap_chan_connect+0x322/0x940 [bluetooth]\n        l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n        __sys_connect+0x9b/0xc0\n        __x64_sys_connect+0x16/0x20\n        do_syscall_64+0x33/0x80\n        entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #0 (&hdev->lock){+.+.}-{3:3}:\n        __lock_acquire+0x147a/0x1a50\n        lock_acquire+0x277/0x3d0\n        __mutex_lock+0xa3/0xa10\n        hci_conn_get_phy+0x1c/0x150 [bluetooth]\n        l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth]\n        __sys_getsockopt+0xcc/0x200\n        __x64_sys_getsockopt+0x20/0x30\n        do_syscall_64+0x33/0x80\n        entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n other info that might help us debug this:\n\n Chain exists of:\n   &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n                                lock(&chan->lock#2/1);\n                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n   lock(&hdev->lock);\n\n  *** DEADLOCK ***\n\n 1 lock held by bluetoothd/1118:\n  #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth]\n\n stack backtrace:\n CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10\n Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017\n Call Trace:\n  dump_stack+0x7f/0xa1\n  check_noncircular+0x105/0x120\n  ? __lock_acquire+0x147a/0x1a50\n  __lock_acquire+0x147a/0x1a50\n  lock_acquire+0x277/0x3d0\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  ? __lock_acquire+0x2e1/0x1a50\n  ? lock_is_held_type+0xb4/0x120\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  __mutex_lock+0xa3/0xa10\n  ? 
hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  ? lock_acquire+0x277/0x3d0\n  ? mark_held_locks+0x49/0x70\n  ? mark_held_locks+0x49/0x70\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  hci_conn_get_phy+0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47038",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nataflop: potential out of bounds in do_format()\n\nThe function uses \"type\" as an array index:\n\n\tq = unit[drive].disk[type]->queue;\n\nUnfortunately the bounds check on \"type\" isn't done until later in the\nfunction.  Fix this by moving the bounds check to the start.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47039",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix overflows checks in provide buffers\n\nColin reported before possible overflow and sign extension problems in\nio_provide_buffers_prep(). As Linus pointed out previous attempt did nothing\nuseful, see d81269fecb8ce (\"io_uring: fix provide_buffers sign extension\").\n\nDo that with help of check_<op>_overflow helpers. And fix struct\nio_provide_buf::len type, as it doesn't make much sense to keep it\nsigned.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47040",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix incorrect locking in state_change sk callback\n\nWe are not changing anything in the TCP connection state so\nwe should not take a write_lock but rather a read lock.\n\nThis caused a deadlock when running nvmet-tcp and nvme-tcp\non the same system, where state_change callbacks on the\nhost and on the controller side have causal relationship\nand made lockdep report on this with blktests:\n\n================================\nWARNING: inconsistent lock state\n5.12.0-rc3 #1 Tainted: G          I\n--------------------------------\ninconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage.\nnvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:\nffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n{IN-SOFTIRQ-W} state was registered at:\n  __lock_acquire+0x79b/0x18d0\n  lock_acquire+0x1ca/0x480\n  _raw_write_lock_bh+0x39/0x80\n  nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]\n  tcp_fin+0x2a8/0x780\n  tcp_data_queue+0xf94/0x1f20\n  tcp_rcv_established+0x6ba/0x1f00\n  tcp_v4_do_rcv+0x502/0x760\n  tcp_v4_rcv+0x257e/0x3430\n  ip_protocol_deliver_rcu+0x69/0x6a0\n  ip_local_deliver_finish+0x1e2/0x2f0\n  ip_local_deliver+0x1a2/0x420\n  ip_rcv+0x4fb/0x6b0\n  __netif_receive_skb_one_core+0x162/0x1b0\n  process_backlog+0x1ff/0x770\n  __napi_poll.constprop.0+0xa9/0x5c0\n  net_rx_action+0x7b3/0xb30\n  __do_softirq+0x1f0/0x940\n  do_softirq+0xa1/0xd0\n  __local_bh_enable_ip+0xd8/0x100\n  ip_finish_output2+0x6b7/0x18a0\n  __ip_queue_xmit+0x706/0x1aa0\n  __tcp_transmit_skb+0x2068/0x2e20\n  tcp_write_xmit+0xc9e/0x2bb0\n  __tcp_push_pending_frames+0x92/0x310\n  inet_shutdown+0x158/0x300\n  __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]\n  nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]\n  nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]\n  nvme_do_delete_ctrl+0x100/0x10c [nvme_core]\n  nvme_sysfs_delete.cold+0x8/0xd [nvme_core]\n  kernfs_fop_write_iter+0x2c7/0x460\n  
new_sync_write+0x36c/0x610\n  vfs_write+0x5c0/0x870\n  ksys_write+0xf9/0x1d0\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\nirq event stamp: 10687\nhardirqs last  enabled at (10687): [<ffffffff9ec376bd>] _raw_spin_unlock_irqrestore+0x2d/0x40\nhardirqs last disabled at (10686): [<ffffffff9ec374d8>] _raw_spin_lock_irqsave+0x68/0x90\nsoftirqs last  enabled at (10684): [<ffffffff9f000608>] __do_softirq+0x608/0x940\nsoftirqs last disabled at (10649): [<ffffffff9cdedd31>] do_softirq+0xa1/0xd0\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(clock-AF_INET);\n  <Interrupt>\n    lock(clock-AF_INET);\n\n *** DEADLOCK ***\n\n5 locks held by nvme/1324:\n #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0\n #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460\n #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330\n #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]\n #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300\n\nstack backtrace:\nCPU: 26 PID: 1324 Comm: nvme Tainted: G          I       5.12.0-rc3 #1\nHardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020\nCall Trace:\n dump_stack+0x93/0xc2\n mark_lock_irq.cold+0x2c/0xb3\n ? verify_lock_unused+0x390/0x390\n ? stack_trace_consume_entry+0x160/0x160\n ? lock_downgrade+0x100/0x100\n ? save_trace+0x88/0x5e0\n ? _raw_spin_unlock_irqrestore+0x2d/0x40\n mark_lock+0x530/0x1470\n ? mark_lock_irq+0x1d10/0x1d10\n ? enqueue_timer+0x660/0x660\n mark_usage+0x215/0x2a0\n __lock_acquire+0x79b/0x18d0\n ? tcp_schedule_loss_probe.part.0+0x38c/0x520\n lock_acquire+0x1ca/0x480\n ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n ? rcu_read_unlock+0x40/0x40\n ? tcp_mtu_probe+0x1ae0/0x1ae0\n ? kmalloc_reserve+0xa0/0xa0\n ? 
sysfs_file_ops+0x170/0x170\n _raw_read_lock+0x3d/0xa0\n ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n nvme_tcp_state_change+0x21/0x150 [nvme_tcp]\n ? sysfs_file_ops\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47041",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Free local data after use\n\nFixes the following memory leak in dc_link_construct():\n\nunreferenced object 0xffffa03e81471400 (size 1024):\ncomm \"amd_module_load\", pid 2486, jiffies 4294946026 (age 10.544s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<000000000bdf5c4a>] kmem_cache_alloc_trace+0x30a/0x4a0\n[<00000000e7c59f0e>] link_create+0xce/0xac0 [amdgpu]\n[<000000002fb6c072>] dc_create+0x370/0x720 [amdgpu]\n[<000000000094d1f3>] amdgpu_dm_init+0x18e/0x17a0 [amdgpu]\n[<00000000bec048fd>] dm_hw_init+0x12/0x20 [amdgpu]\n[<00000000a2bb7cf6>] amdgpu_device_init+0x1463/0x1e60 [amdgpu]\n[<0000000032d3bb13>] amdgpu_driver_load_kms+0x5b/0x330 [amdgpu]\n[<00000000a27834f9>] amdgpu_pci_probe+0x192/0x280 [amdgpu]\n[<00000000fec7d291>] local_pci_probe+0x47/0xa0\n[<0000000055dbbfa7>] pci_device_probe+0xe3/0x180\n[<00000000815da970>] really_probe+0x1c4/0x4e0\n[<00000000b4b6974b>] driver_probe_device+0x62/0x150\n[<000000000f9ecc61>] device_driver_attach+0x58/0x60\n[<000000000f65c843>] __driver_attach+0xd6/0x150\n[<000000002f5e3683>] bus_for_each_dev+0x6a/0xc0\n[<00000000a1cfc897>] driver_attach+0x1e/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47042",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: core: Fix some resource leaks in the error path of 'venus_probe()'\n\nIf an error occurs after a successful 'of_icc_get()' call, it must be\nundone.\n\nUse 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak.\nUpdate the remove function accordingly and axe the now unneeded\n'icc_put()' calls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47043",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix shift-out-of-bounds in load_balance()\n\nSyzbot reported a handful of occurrences where an sd->nr_balance_failed can\ngrow to much higher values than one would expect.\n\nA successful load_balance() resets it to 0; a failed one increments\nit. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an\nactive balance, which will either set it to sd->cache_nice_tries+1 or reset\nit to 0. However, in case the to-be-active-balanced task is not allowed to\nrun on env->dst_cpu, then the increment is done without any further\nmodification.\n\nThis could then be repeated ad nauseam, and would explain the absurdly high\nvalues reported by syzbot (86, 149). VincentG noted there is value in\nletting sd->cache_nice_tries grow, so the shift itself should be\nfixed. That means preventing:\n\n  \"\"\"\n  If the value of the right operand is negative or is greater than or equal\n  to the width of the promoted left operand, the behavior is undefined.\n  \"\"\"\n\nThus we need to cap the shift exponent to\n  BITS_PER_TYPE(typeof(lefthand)) - 1.\n\nI had a look around for other similar cases via coccinelle:\n\n  @expr@\n  position pos;\n  expression E1;\n  expression E2;\n  @@\n  (\n  E1 >> E2@pos\n  |\n  E1 >> E2@pos\n  )\n\n  @cst depends on expr@\n  position pos;\n  expression expr.E1;\n  constant cst;\n  @@\n  (\n  E1 >> cst@pos\n  |\n  E1 << cst@pos\n  )\n\n  @script:python depends on !cst@\n  pos << expr.pos;\n  exp << expr.E2;\n  @@\n  # Dirty hack to ignore constexpr\n  if exp.upper() != exp:\n     coccilib.report.print_report(pos[0], \"Possible UB shift here\")\n\nThe only other match in kernel/sched is rq_clock_thermal() which employs\nsched_thermal_decay_shift, and that exponent is already capped to 10, so\nthat one is fine.",
          "scorev2": "0.0",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47044",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()\n\nIt is possible to call lpfc_issue_els_plogi() passing a did for which no\nmatching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a\nnull pointer to a lpfc_nodelist structure resulting in a null pointer\ndereference.\n\nFix by returning an error status if no valid ndlp is found. Fix up comments\nregarding ndlp reference counting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47045",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix off by one in hdmi_14_process_transaction()\n\nThe hdcp_i2c_offsets[] array did not have an entry for\nHDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one\nread overflow.  I added an entry and copied the 0x0 value for the offset\nfrom similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.\n\nI also declared several of these arrays as having HDCP_MESSAGE_ID_MAX\nentries.  This doesn't change the code, but it's just a belt and\nsuspenders approach to try future proof the code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47046",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails\n\nThe spi controller supports 44-bit address space on AXI in DMA mode,\nso set dma_addr_t width to 44-bit to avoid using a swiotlb mapping.\nIn addition, if dma_map_single fails, it should return immediately\ninstead of continuing doing the DMA operation which bases on invalid\naddress.\n\nThis fixes the following crash which occurs in reading a big block\nfrom flash:\n\n[  123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots)\n[  123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped\n[  123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0\n[  123.792536] Mem abort info:\n[  123.795313]   ESR = 0x96000145\n[  123.798351]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  123.803655]   SET = 0, FnV = 0\n[  123.806693]   EA = 0, S1PTW = 0\n[  123.809818] Data abort info:\n[  123.812683]   ISV = 0, ISS = 0x00000145\n[  123.816503]   CM = 1, WnR = 1\n[  123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000\n[  123.825887] [00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000\n[  123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47047",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op\n\nWhen handling op->addr, it is using the buffer \"tmpbuf\" which has been\nfreed. This will trigger a use-after-free KASAN warning. Let's use\ntemporary variables to store op->addr.val and op->cmd.opcode to fix\nthis issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47048",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Use after free in __vmbus_open()\n\nThe \"open_info\" variable is added to the &vmbus_connection.chn_msg_list,\nbut the error handling frees \"open_info\" without removing it from the\nlist.  This will result in a use after free.  First remove it from the\nlist, and then free it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47049",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: renesas-rpc-if: fix possible NULL pointer dereference of resource\n\nThe platform_get_resource_byname() can return NULL which would be\nimmediately dereferenced by resource_size().  Instead dereference it\nafter validating the resource.\n\nAddresses-Coverity: Dereference null return value",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47050",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()\n\npm_runtime_get_sync will increment pm usage counter even it failed.\nForgetting to putting operation will result in reference leak here.\nFix it by replacing it with pm_runtime_resume_and_get to keep usage\ncounter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47051",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sa2ul - Fix memory leak of rxd\n\nThere are two error return paths that are not freeing rxd and causing\nmemory leaks.  Fix these.\n\nAddresses-Coverity: (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47052",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - Fix memory leak of pad\n\nIt appears there are several failure return paths that don't seem\nto be free'ing pad. Fix these.\n\nAddresses-Coverity: (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47053",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: qcom: Put child node before return\n\nPut child node before return to fix potential reference count leak.\nGenerally, the reference count of child is incremented and decremented\nautomatically in the macro for_each_available_child_of_node() and should\nbe decremented manually if the loop is broken in loop body.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47054",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: require write permissions for locking and badblock ioctls\n\nMEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require\nwrite permission. Depending on the hardware MEMLOCK might even be\nwrite-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK\nis always write-once.\n\nMEMSETBADBLOCK modifies the bad block table.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47055",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init\n\nADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()\nbefore calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the\nvf2pf_lock is initialized in adf_dev_init(), which can fail and when it\nfail, the vf2pf_lock is either not initialized or destroyed, a subsequent\nuse of vf2pf_lock will cause issue.\nTo fix this issue, only set this flag if adf_dev_init() returns 0.\n\n[    7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0\n[    7.180345] Call Trace:\n[    7.182576]  mutex_lock+0xc9/0xd0\n[    7.183257]  adf_iov_putmsg+0x118/0x1a0 [intel_qat]\n[    7.183541]  adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]\n[    7.183834]  adf_dev_shutdown+0x172/0x2b0 [intel_qat]\n[    7.184127]  adf_probe+0x5e9/0x600 [qat_dh895xccvf]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47056",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - Fix memory leak of object d when dma_iv fails to map\n\nIn the case where the dma_iv mapping fails, the return error path leaks\nthe memory allocated to object d.  Fix this by adding a new error return\nlabel and jumping to this to ensure d is free'd before the return.\n\nAddresses-Coverity: (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47057",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: set debugfs_name to NULL after it is freed\n\nThere is a upstream commit cffa4b2122f5(\"regmap:debugfs:\nFix a memory leak when calling regmap_attach_dev\") that\nadds a if condition when create name for debugfs_name.\nWith below function invoking logical, debugfs_name is\nfreed in regmap_debugfs_exit(), but it is not created again\nbecause of the if condition introduced by above commit.\nregmap_reinit_cache()\n\tregmap_debugfs_exit()\n\t...\n\tregmap_debugfs_init()\nSo, set debugfs_name to NULL after it is freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47058",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ss - fix result memory leak on error path\n\nThis patch fixes a memory leak on an error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47059",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Stop looking for coalesced MMIO zones if the bus is destroyed\n\nAbort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev()\nfails to allocate memory for the new instance of the bus.  If it can't\ninstantiate a new bus, unregister_dev() destroys all devices _except_ the\ntarget device.   But, it doesn't tell the caller that it obliterated the\nbus and invoked the destructor for all devices that were on the bus.  In\nthe coalesced MMIO case, this can result in a deleted list entry\ndereference due to attempting to continue iterating on coalesced_zones\nafter future entries (in the walk) have been deleted.\n\nOpportunistically add curly braces to the for-loop, which encompasses\nmany lines but sneaks by without braces due to the guts being a single\nif statement.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47060",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU\n\nIf allocating a new instance of an I/O bus fails when unregistering a\ndevice, wait to destroy the device until after all readers are guaranteed\nto see the new null bus.  Destroying devices before the bus is nullified\ncould lead to use-after-free since readers expect the devices on their\nreference of the bus to remain valid.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47061",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs\n\nUse the kvm_for_each_vcpu() helper to iterate over vCPUs when encrypting\nVMSAs for SEV, which effectively switches to use online_vcpus instead of\ncreated_vcpus.  This fixes a possible null-pointer dereference as\ncreated_vcpus does not guarantee a vCPU exists, since it is updated at\nthe very beginning of KVM_CREATE_VCPU.  created_vcpus exists to allow the\nbulk of vCPU creation to run in parallel, while still correctly\nrestricting the max number of max vCPUs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47062",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge/panel: Cleanup connector on bridge detach\n\nIf we don't call drm_connector_cleanup() manually in\npanel_bridge_detach(), the connector will be cleaned up with the other\nDRM objects in the call to drm_mode_config_cleanup(). However, since our\ndrm_connector is devm-allocated, by the time drm_mode_config_cleanup()\nwill be called, our connector will be long gone. Therefore, the\nconnector must be cleaned up when the bridge is detached to avoid\nuse-after-free conditions.\n\nv2: Cleanup connector only if it was created\n\nv3: Add FIXME\n\nv4: (Use connector->dev) directly in if() block",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47063",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix potential DMA mapping leak\n\nWith buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap\ncould potentially inherit a non-zero value from stack garbage.\nIf this happens, it will cause DMA mappings for MCU command frames to not be\nunmapped after completion",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47064",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: Fix array overrun in rtw_get_tx_power_params()\n\nUsing a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the\nfollowing array overrun is logged:\n\n================================================================================\nUBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34\nindex 5 is out of range for type 'u8 [5]'\nCPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G           O      5.12.0-rc5-00086-gd88bba47038e-dirty #651\nHardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50   09/29/2014\nWorkqueue: phy0 ieee80211_scan_work [mac80211]\nCall Trace:\n dump_stack+0x64/0x7c\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold+0x43/0x48\n rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]\n ? rtw_pci_read16+0x20/0x20 [rtw_pci]\n ? check_hw_ready+0x50/0x90 [rtw_core]\n rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]\n rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]\n rtw_set_channel+0xab/0x110 [rtw_core]\n rtw_ops_config+0x87/0xc0 [rtw_core]\n ieee80211_hw_config+0x9d/0x130 [mac80211]\n ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]\n ieee80211_scan_work+0x19f/0x2a0 [mac80211]\n process_one_work+0x1dd/0x3a0\n worker_thread+0x49/0x330\n ? rescuer_thread+0x3a0/0x3a0\n kthread+0x134/0x150\n ? kthread_create_worker_on_cpu+0x70/0x70\n ret_from_fork+0x22/0x30\n================================================================================\n\nThe statement where an array is being overrun is shown in the following snippet:\n\n\tif (rate <= DESC_RATE11M)\n\t\ttx_power = pwr_idx_2g->cck_base[group];\n\telse\n====>\t\ttx_power = pwr_idx_2g->bw40_base[group];\n\nThe associated arrays are defined in main.h as follows:\n\nstruct rtw_2g_txpwr_idx {\n\tu8 cck_base[6];\n\tu8 bw40_base[5];\n\tstruct rtw_2g_1s_pwr_idx_diff ht_1s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_2s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_3s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_4s_diff;\n};\n\nThe problem arises because the value of group is 5 for channel 14. The trivial\nincrease in the dimension of bw40_base fails as this struct must match the layout of\nefuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set\nthe group for channel 14 to 4 if rate <= DESC_RATE11M.\n\nThis patch fixes commit fa6dfe6bff24 (\"rtw88: resolve order of tx power setting routines\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47065",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nasync_xor: increase src_offs when dropping destination page\n\nNow we support sharing one page if PAGE_SIZE is not equal stripe size. To\nsupport this, it needs to support calculating xor value with different\noffsets for each r5dev. One offset array is used to record those offsets.\n\nIn RMW mode, parity page is used as a source page. It sets\nASYNC_TX_XOR_DROP_DST before calculating xor value in ops_run_prexor5.\nSo it needs to add src_list and src_offs at the same time. Now it only\nneeds src_list. So the xor value which is calculated is wrong. It can\ncause data corruption problem.\n\nI can reproduce this problem 100% on a POWER8 machine. The steps are:\n\n  mdadm -CR /dev/md0 -l5 -n3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --size=3G\n  mkfs.xfs /dev/md0\n  mount /dev/md0 /mnt/test\n  mount: /mnt/test: mount(2) system call failed: Structure needs cleaning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47066",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc/tegra: regulators: Fix locking up when voltage-spread is out of range\n\nFix voltage coupler lockup which happens when voltage-spread is out\nof range due to a bug in the code. The max-spread requirement shall be\naccounted when CPU regulator doesn't have consumers. This problem is\nobserved on Tegra30 Ouya game console once system-wide DVFS is enabled\nin a device-tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47067",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/nfc: fix use-after-free llcp_sock_bind/connect\n\nCommits 8a4cd82d (\"nfc: fix refcount leak in llcp_sock_connect()\")\nand c33b1cc62 (\"nfc: fix refcount leak in llcp_sock_bind()\")\nfixed a refcount leak bug in bind/connect but introduced a\nuse-after-free if the same local is assigned to 2 different sockets.\n\nThis can be triggered by the following simple program:\n    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );\n    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );\n    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );\n    addr.sa_family = AF_NFC;\n    addr.nfc_protocol = NFC_PROTO_NFC_DEP;\n    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )\n    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )\n    close(sock1);\n    close(sock2);\n\nFix this by assigning NULL to llcp_sock->local after calling\nnfc_llcp_local_put.\n\nThis addresses CVE-2021-23134.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47068",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry\n\ndo_mq_timedreceive calls wq_sleep with a stack local address.  The\nsender (do_mq_timedsend) uses this address to later call pipelined_send.\n\nThis leads to a very hard to trigger race where a do_mq_timedreceive\ncall might return and leave do_mq_timedsend to rely on an invalid\naddress, causing the following crash:\n\n  RIP: 0010:wake_q_add_safe+0x13/0x60\n  Call Trace:\n   __x64_sys_mq_timedsend+0x2a9/0x490\n   do_syscall_64+0x80/0x680\n   entry_SYSCALL_64_after_hwframe+0x44/0xa9\n  RIP: 0033:0x7f5928e40343\n\nThe race occurs as:\n\n1. do_mq_timedreceive calls wq_sleep with the address of `struct\n   ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it\n   holds a valid `struct ext_wait_queue *` as long as the stack has not\n   been overwritten.\n\n2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and\n   do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call\n   __pipelined_op.\n\n3. Sender calls __pipelined_op::smp_store_release(&this->state,\n   STATE_READY).  Here is where the race window begins.  (`this` is\n   `ewq_addr`.)\n\n4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it\n   will see `state == STATE_READY` and break.\n\n5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed\n   to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's\n   stack.  (Although the address may not get overwritten until another\n   function happens to touch it, which means it can persist around for an\n   indefinite time.)\n\n6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a\n   `struct ext_wait_queue *`, and uses it to find a task_struct to pass to\n   the wake_q_add_safe call.  In the lucky case where nothing has\n   overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct.\n   In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a\n   bogus address as the receiver's task_struct causing the crash.\n\ndo_mq_timedsend::__pipelined_op() should not dereference `this` after\nsetting STATE_READY, as the receiver counterpart is now free to return.\nChange __pipelined_op to call wake_q_add_safe on the receiver's\ntask_struct returned by get_task_struct, instead of dereferencing `this`\nwhich sits on the receiver's stack.\n\nAs Manfred pointed out, the race potentially also exists in\nipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare.  Fix\nthose in the same way.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47069",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix another memory leak in error handling paths\n\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\n\nAdd the missing 'vmbus_free_ring()' call.\n\nNote that it is already freed in the .remove function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47070",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix a memory leak in error handling paths\n\nIf 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be\nupdated and 'hv_uio_cleanup()' in the error handling path will not be\nable to free the corresponding buffer.\n\nIn such a case, we need to free the buffer explicitly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47071",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix removed dentries still existing after log is synced\n\nWhen we move one inode from one directory to another and both the inode\nand its previous parent directory were logged before, we are not supposed\nto have the dentry for the old parent if we have a power failure after the\nlog is synced. Only the new dentry is supposed to exist.\n\nGenerally this works correctly, however there is a scenario where this is\nnot currently working, because the old parent of the file/directory that\nwas moved is not authoritative for a range that includes the dir index and\ndir item keys of the old dentry. This case is better explained with the\nfollowing example and reproducer:\n\n  # The test requires a very specific layout of keys and items in the\n  # fs/subvolume btree to trigger the bug. So we want to make sure that\n  # on whatever platform we are, we have the same leaf/node size.\n  #\n  # Currently in btrfs the node/leaf size can not be smaller than the page\n  # size (but it can be greater than the page size). So use the largest\n  # supported node/leaf size (64K).\n\n  $ mkfs.btrfs -f -n 65536 /dev/sdc\n  $ mount /dev/sdc /mnt\n\n  # \"testdir\" is inode 257.\n  $ mkdir /mnt/testdir\n  $ chmod 755 /mnt/testdir\n\n  # Create several empty files to have the directory \"testdir\" with its\n  # items spread over several leaves (7 in this case).\n  $ for ((i = 1; i <= 1200; i++)); do\n       echo -n > /mnt/testdir/file$i\n    done\n\n  # Create our test directory \"dira\", inode number 1458, which gets all\n  # its items in leaf 7.\n  #\n  # The BTRFS_DIR_ITEM_KEY item for inode 257 (\"testdir\") that points to\n  # the entry named \"dira\" is in leaf 2, while the BTRFS_DIR_INDEX_KEY\n  # item that points to that entry is in leaf 3.\n  #\n  # For this particular filesystem node size (64K), file count and file\n  # names, we endup with the directory entry items from inode 257 in\n  # leaves 2 and 3, as previously mentioned - what matters for triggering\n  # the bug exercised by this test case is that those items are not placed\n  # in leaf 1, they must be placed in a leaf different from the one\n  # containing the inode item for inode 257.\n  #\n  # The corresponding BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items for\n  # the parent inode (257) are the following:\n  #\n  #    item 460 key (257 DIR_ITEM 3724298081) itemoff 48344 itemsize 34\n  #         location key (1458 INODE_ITEM 0) type DIR\n  #         transid 6 data_len 0 name_len 4\n  #         name: dira\n  #\n  # and:\n  #\n  #    item 771 key (257 DIR_INDEX 1202) itemoff 36673 itemsize 34\n  #         location key (1458 INODE_ITEM 0) type DIR\n  #         transid 6 data_len 0 name_len 4\n  #         name: dira\n\n  $ mkdir /mnt/testdir/dira\n\n  # Make sure everything done so far is durably persisted.\n  $ sync\n\n  # Now do a change to inode 257 (\"testdir\") that does not result in\n  # COWing leaves 2 and 3 - the leaves that contain the directory items\n  # pointing to inode 1458 (directory \"dira\").\n  #\n  # Changing permissions, the owner/group, updating or adding a xattr,\n  # etc, will not change (COW) leaves 2 and 3. So for the sake of\n  # simplicity change the permissions of inode 257, which results in\n  # updating its inode item and therefore change (COW) only leaf 1.\n\n  $ chmod 700 /mnt/testdir\n\n  # Now fsync directory inode 257.\n  #\n  # Since only the first leaf was changed/COWed, we log the inode item of\n  # inode 257 and only the dentries found in the first leaf, all have a\n  # key type of BTRFS_DIR_ITEM_KEY, and no keys of type\n  # BTRFS_DIR_INDEX_KEY, because they sort after the former type and none\n  # exist in the first leaf.\n  #\n  # We also log 3 items that represent ranges for dir items and dir\n  # indexes for which the log is authoritative:\n  #\n  # 1) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is\n  #    authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset\n  #    in the range [0, 2285968570] (the offset here is th\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47072",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios\n\ninit_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems\nwhere the Dell WMI interface is supported. While exit_dell_smbios_wmi()\nunregisters it unconditionally, this leads to the following oops:\n\n[  175.722921] ------------[ cut here ]------------\n[  175.722925] Unexpected driver unregister!\n[  175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40\n...\n[  175.723089] Call Trace:\n[  175.723094]  cleanup_module+0x5/0xedd [dell_smbios]\n...\n[  175.723148] ---[ end trace 064c34e1ad49509d ]---\n\nMake the unregister happen on the same condition the register happens\nto fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47073",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-loop: fix memory leak in nvme_loop_create_ctrl()\n\nWhen creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()\nfails, the loop ctrl should be freed before jumping to the \"out\" label.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47074",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix memory leak in nvmet_alloc_ctrl()\n\nWhen creating ctrl in nvmet_alloc_ctrl(), if the cntlid_min is larger\nthan cntlid_max of the subsystem, and jumps to the\n\"out_free_changed_ns_list\" label, but the ctrl->sqs lack of be freed.\nFix this by jumping to the \"out_free_sqs\" label.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47075",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Return CQE error if invalid lkey was supplied\n\nRXE is missing update of WQE status in LOCAL_WRITE failures.  This caused\nthe following kernel panic if someone sent an atomic operation with an\nexplicitly wrong lkey.\n\n[leonro@vm ~]$ mkt test\ntest_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...\n WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core\n CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]\n Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff\n RSP: 0018:ffff8880158af090 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652\n RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210\n RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b\n R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8\n R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c\n FS:  00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  rxe_do_task+0x130/0x230 [rdma_rxe]\n  rxe_rcv+0xb11/0x1df0 [rdma_rxe]\n  rxe_loopback+0x157/0x1e0 [rdma_rxe]\n  rxe_responder+0x5532/0x7620 [rdma_rxe]\n  rxe_do_task+0x130/0x230 [rdma_rxe]\n  rxe_rcv+0x9c8/0x1df0 [rdma_rxe]\n  rxe_loopback+0x157/0x1e0 [rdma_rxe]\n  rxe_requester+0x1efd/0x58c0 [rdma_rxe]\n  rxe_do_task+0x130/0x230 [rdma_rxe]\n  rxe_post_send+0x998/0x1860 [rdma_rxe]\n  ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]\n  ib_uverbs_write+0x847/0xc80 [ib_uverbs]\n  vfs_write+0x1c5/0x840\n  ksys_write+0x176/0x1d0\n  do_syscall_64+0x3f/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47076",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Add pointer checks in qedf_update_link_speed()\n\nThe following trace was observed:\n\n [   14.042059] Call Trace:\n [   14.042061]  <IRQ>\n [   14.042068]  qedf_link_update+0x144/0x1f0 [qedf]\n [   14.042117]  qed_link_update+0x5c/0x80 [qed]\n [   14.042135]  qed_mcp_handle_link_change+0x2d2/0x410 [qed]\n [   14.042155]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042170]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042186]  ? qed_rd+0x13/0x40 [qed]\n [   14.042205]  qed_mcp_handle_events+0x437/0x690 [qed]\n [   14.042221]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042239]  qed_int_sp_dpc+0x3a6/0x3e0 [qed]\n [   14.042245]  tasklet_action_common.isra.14+0x5a/0x100\n [   14.042250]  __do_softirq+0xe4/0x2f8\n [   14.042253]  irq_exit+0xf7/0x100\n [   14.042255]  do_IRQ+0x7f/0xd0\n [   14.042257]  common_interrupt+0xf/0xf\n [   14.042259]  </IRQ>\n\nAPI qedf_link_update() is getting called from QED but by that time\nshost_data is not initialised. This results in a NULL pointer dereference\nwhen we try to dereference shost_data while updating supported_speeds.\n\nAdd a NULL pointer check before dereferencing shost_data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47077",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Clear all QP fields if creation failed\n\nrxe_qp_do_cleanup() relies on valid pointer values in QP for the properly\ncreated ones, but in case rxe_qp_from_init() failed it was filled with\ngarbage and caused the following error.\n\n  refcount_t: underflow; use-after-free.\n  WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Modules linked in:\n  CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55\n  RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800\n  R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000\n  FS:  00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n   __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n   refcount_dec_and_test include/linux/refcount.h:333 [inline]\n   kref_put include/linux/kref.h:64 [inline]\n   rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805\n   execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327\n   rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391\n   kref_put include/linux/kref.h:65 [inline]\n   rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425\n   _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]\n   ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231\n   ib_create_qp include/rdma/ib_verbs.h:3644 [inline]\n   create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920\n   ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]\n   ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092\n   add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717\n   enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331\n   ib_register_device drivers/infiniband/core/device.c:1413 [inline]\n   ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365\n   rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147\n   rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247\n   rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503\n   rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]\n   rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250\n   nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555\n   rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195\n   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n   rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259\n   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n   sock_sendmsg_nosec net/socket.c:654 [inline]\n   sock_sendmsg+0xcf/0x120 net/socket.c:674\n   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n   do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47\n   entry_SYSCALL_64_after_hwframe+0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47078",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ideapad-laptop: fix a NULL pointer dereference\n\nThe third parameter of dytc_cql_command should not be NULL since it will\nbe dereferenced immediately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47079",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Prevent divide-by-zero error triggered by the user\n\nThe user_entry_size is supplied by the user and later used as a\ndenominator to calculate number of entries. The zero supplied by the user\nwill trigger the following divide-by-zero error:\n\n divide error: 0000 [#1] SMP KASAN PTI\n CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510\n Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b\n RSP: 0018:ffff88810416f828 EFLAGS: 00010246\n RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d\n RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000\n RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f\n R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0\n FS:  00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0\n  ib_uverbs_cmd_verbs+0x1546/0x1940\n  ib_uverbs_ioctl+0x186/0x240\n  __x64_sys_ioctl+0x38a/0x1220\n  do_syscall_64+0x3f/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47080",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory\n\nOur code analyzer reported a uaf.\n\nIn gaudi_memset_device_memory, cb is obtained via hl_cb_kernel_create()\nwith a refcount of 2.\nIf hl_cs_allocate_job() failed, the execution runs into the release_cb\nbranch. One ref of cb is dropped by hl_cb_put(cb) and could be freed\nif another thread also drops one ref. Then cb is used by cb->id later,\nwhich is a potential uaf.\n\nMy patch adds a variable 'id' to accept the value of cb->id before the\nhl_cb_put(cb) is called, to avoid the potential uaf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47081",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev->tstats and tun->security allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the destructor (tun_free_netdev()),\nso if there's an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47082",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mediatek: fix global-out-of-bounds issue\n\nWhen the eint virtual eint number is greater than the gpio number,\nit may produce a 'desc[eint_n]' size global-out-of-bounds issue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47083",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: refuse to enable an unbound pipe\n\nThis ioctl() implicitly assumed that the socket was already bound to\na valid local socket name, i.e. Phonet object. If the socket was not\nbound, two separate problems would occur:\n\n1) We'd send a pipe enablement request with an invalid source object.\n2) Later socket calls could BUG on the socket unexpectedly being\n   connected yet not bound to a valid object.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47086",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix incorrect page free bug\n\nPointer to the allocated pages (struct page *page) has already\nprogressed towards the end of allocation. It is incorrect to perform\n__free_pages(page, order) using this pointer as we would free any\narbitrary pages. Fix this by not modifying the page pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47087",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: protect targets destructions with kdamond_lock\n\nDAMON debugfs interface iterates current monitoring targets in\n'dbgfs_target_ids_read()' while holding the corresponding\n'kdamond_lock'.  However, it also destructs the monitoring targets in\n'dbgfs_before_terminate()' without holding the lock.  This can result in\na use_after_free bug.  This commit avoids the race by protecting the\ndestruction with the corresponding 'kdamond_lock'.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47088",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkfence: fix memory leak when cat kfence objects\n\nHulk robot reported a kmemleak problem:\n\n    unreferenced object 0xffff93d1d8cc02e8 (size 248):\n      comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n      hex dump (first 32 bytes):\n        00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00  .@..............\n        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      backtrace:\n         seq_open+0x2a/0x80\n         full_proxy_open+0x167/0x1e0\n         do_dentry_open+0x1e1/0x3a0\n         path_openat+0x961/0xa20\n         do_filp_open+0xae/0x120\n         do_sys_openat2+0x216/0x2f0\n         do_sys_open+0x57/0x80\n         do_syscall_64+0x33/0x40\n         entry_SYSCALL_64_after_hwframe+0x44/0xa9\n    unreferenced object 0xffff93d419854000 (size 4096):\n      comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n      hex dump (first 32 bytes):\n        6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30  kfence-#250: 0x0\n        30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d  0000000754bda12-\n      backtrace:\n         seq_read_iter+0x313/0x440\n         seq_read+0x14b/0x1a0\n         full_proxy_read+0x56/0x80\n         vfs_read+0xa5/0x1b0\n         ksys_read+0xa0/0xf0\n         do_syscall_64+0x33/0x40\n         entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nI find that we can easily reproduce this problem with the following\ncommands:\n\n\tcat /sys/kernel/debug/kfence/objects\n\techo scan > /sys/kernel/debug/kmemleak\n\tcat /sys/kernel/debug/kmemleak\n\nThe leaked memory is allocated in the stack below:\n\n    do_syscall_64\n      do_sys_open\n        do_dentry_open\n          full_proxy_open\n            seq_open            ---> alloc seq_file\n      vfs_read\n        full_proxy_read\n          seq_read\n            seq_read_iter\n              traverse          ---> alloc seq_buf\n\nAnd it should have been released in the following process:\n\n    do_syscall_64\n      syscall_exit_to_user_mode\n        exit_to_user_mode_prepare\n          task_work_run\n            ____fput\n              __fput\n                full_proxy_release  ---> free here\n\nHowever, the release function corresponding to file_operations is not\nimplemented in kfence.  As a result, a memory leak occurs.  Therefore,\nthe solution to this problem is to implement the corresponding release\nfunction.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47089",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()\n\nHulk Robot reported a panic in put_page_testzero() when testing\nmadvise() with MADV_SOFT_OFFLINE.  The BUG() is triggered when retrying\nget_any_page().  This is because we keep MF_COUNT_INCREASED flag in\nsecond try but the refcnt is not increased.\n\n    page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\n    ------------[ cut here ]------------\n    kernel BUG at include/linux/mm.h:737!\n    invalid opcode: 0000 [#1] PREEMPT SMP\n    CPU: 5 PID: 2135 Comm: sshd Tainted: G    B             5.16.0-rc6-dirty #373\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    RIP: release_pages+0x53f/0x840\n    Call Trace:\n      free_pages_and_swap_cache+0x64/0x80\n      tlb_flush_mmu+0x6f/0x220\n      unmap_page_range+0xe6c/0x12c0\n      unmap_single_vma+0x90/0x170\n      unmap_vmas+0xc4/0x180\n      exit_mmap+0xde/0x3a0\n      mmput+0xa3/0x250\n      do_exit+0x564/0x1470\n      do_group_exit+0x3b/0x100\n      __do_sys_exit_group+0x13/0x20\n      __x64_sys_exit_group+0x16/0x20\n      do_syscall_64+0x34/0x80\n      entry_SYSCALL_64_after_hwframe+0x44/0xae\n    Modules linked in:\n    ---[ end trace e99579b570fe0649 ]---\n    RIP: 0010:release_pages+0x53f/0x840",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47090",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix locking in ieee80211_start_ap error path\n\nWe need to hold the local->mtx to release the channel context,\nas even encoded by the lockdep_assert_held() there. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47091",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Always clear vmx->fail on emulation_required\n\nRevert a relatively recent change that set vmx->fail if the vCPU is in L2\nand emulation_required is true, as that behavior is completely bogus.\nSetting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:\n\n  (a) it's impossible to have both a VM-Fail and VM-Exit\n  (b) vmcs.EXIT_REASON is not modified on VM-Fail\n  (c) emulation_required refers to guest state and guest state checks are\n      always VM-Exits, not VM-Fails.\n\nFor KVM specifically, emulation_required is handled before nested exits\nin __vmx_handle_exit(), thus setting vmx->fail has no immediate effect,\ni.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.\nSetting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()\nfiring when tearing down the VM as KVM never expects vmx->fail to be set\nwhen L2 is active, KVM always reflects those errors into L1.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548\n                                nested_vmx_vmexit+0x16bd/0x17e0\n                                arch/x86/kvm/vmx/nested.c:4547\n  Modules linked in:\n  CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547\n  Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80\n  Call Trace:\n   vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]\n   nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330\n   vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799\n   kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989\n   kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441\n   kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]\n   kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545\n   kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]\n   kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220\n   kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489\n   __fput+0x3fc/0x870 fs/file_table.c:280\n   task_work_run+0x146/0x1c0 kernel/task_work.c:164\n   exit_task_work include/linux/task_work.h:32 [inline]\n   do_exit+0x705/0x24f0 kernel/exit.c:832\n   do_group_exit+0x168/0x2d0 kernel/exit.c:929\n   get_signal+0x1740/0x2120 kernel/signal.c:2852\n   arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868\n   handle_signal_work kernel/entry/common.c:148 [inline]\n   exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n   exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n   syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300\n   do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47092",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel_pmc_core: fix memleak on registration failure\n\nIn case device registration fails during module initialisation, the\nplatform device structure needs to be freed using platform_device_put()\nto properly free all resources (e.g. the device name).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47093",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\n\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator.  Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\n\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\n\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probability of improper usage.\n\nFailing to zap a top-level SPTE manifests in one of two ways.  If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\n\n  WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n  RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n   kvm_destroy_vm+0x162/0x2a0 [kvm]\n   kvm_vcpu_release+0x34/0x60 [kvm]\n   __fput+0x82/0x240\n   task_work_run+0x5c/0x90\n   do_exit+0x364/0xa10\n   ? futex_unqueue+0x38/0x60\n   do_group_exit+0x33/0xa0\n   get_signal+0x155/0x850\n   arch_do_signal_or_restart+0xed/0x750\n   exit_to_user_mode_prepare+0xc5/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list.  This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\n\n  WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n  RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n   __handle_changed_spte+0x92e/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   zap_gfn_range+0x549/0x620 [kvm]\n   kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n   mmu_free_root_page+0x219/0x2c0 [kvm]\n   kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n   kvm_mmu_unload+0x1c/0xa0 [kvm]\n   kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n   kvm_put_kvm+0x3b1/0x8b0 [kvm]\n   kvm_vcpu_release+0x4e/0x70 [kvm]\n   __fput+0x1f7/0x8c0\n   task_work_run+0xf8/0x1a0\n   do_exit+0x97b/0x2230\n   do_group_exit+0xda/0x2a0\n   get_signal+0x3be/0x1e50\n   arch_do_signal_or_restart+0x244/0x17f0\n   exit_to_user_mode_prepare+0xcb/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x4d/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry.  But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\n\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label.  The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enforce that requirement.\n\nIdeally, KVM would handle the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47094",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ssif: initialize ssif_info->client early\n\nDuring probe ssif_info->client is dereferenced in error path. However,\nit is set when some of the error checking has already been done. This\ncauses the following kernel crash if an error path is taken:\n\n[   30.645593][  T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present\n[   30.657616][  T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088\n...\n[   30.657723][  T674] pc : __dev_printk+0x28/0xa0\n[   30.657732][  T674] lr : _dev_err+0x7c/0xa0\n...\n[   30.657772][  T674] Call trace:\n[   30.657775][  T674]  __dev_printk+0x28/0xa0\n[   30.657778][  T674]  _dev_err+0x7c/0xa0\n[   30.657781][  T674]  ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]\n[   30.657791][  T674]  i2c_device_probe+0x37c/0x3c0\n...\n\nInitialize ssif_info->client before any error path can be taken. Clear\ni2c_client data in the error path to prevent the dangling pointer from\nleaking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47095",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: rawmidi - fix the uninitialized user_pversion\n\nThe user_pversion was uninitialized for the user space file structure\nin the open function, because the file private structure uses\nkmalloc for the allocation.\n\nThe kernel ALSA sequencer code clears the file structure, so no additional\nfixes are required.\n\nBugLink: https://github.com/alsa-project/alsa-lib/issues/178",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47096",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: elantech - fix stack out of bound access in elantech_change_report_id()\n\nThe array param[] in elantech_change_report_id() must be at least 3\nbytes, because elantech_read_reg_params() is calling ps2_command() with\nPSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but\nit's defined in the stack as an array of 2 bytes, therefore we have a\npotential stack out-of-bounds access here, also confirmed by KASAN:\n\n[    6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0\n[    6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118\n\n[    6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110\n[    6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020\n[    6.512436] Workqueue: events_long serio_handle_event\n[    6.512453] Call Trace:\n[    6.512462]  show_stack+0x52/0x58\n[    6.512474]  dump_stack+0xa1/0xd3\n[    6.512487]  print_address_description.constprop.0+0x1d/0x140\n[    6.512502]  ? __ps2_command+0x372/0x7e0\n[    6.512516]  __kasan_report.cold+0x7d/0x112\n[    6.512527]  ? _raw_write_lock_irq+0x20/0xd0\n[    6.512539]  ? __ps2_command+0x372/0x7e0\n[    6.512552]  kasan_report+0x3c/0x50\n[    6.512564]  __asan_load1+0x6a/0x70\n[    6.512575]  __ps2_command+0x372/0x7e0\n[    6.512589]  ? ps2_drain+0x240/0x240\n[    6.512601]  ? dev_printk_emit+0xa2/0xd3\n[    6.512612]  ? dev_vprintk_emit+0xc5/0xc5\n[    6.512621]  ? __kasan_check_write+0x14/0x20\n[    6.512634]  ? mutex_lock+0x8f/0xe0\n[    6.512643]  ? __mutex_lock_slowpath+0x20/0x20\n[    6.512655]  ps2_command+0x52/0x90\n[    6.512670]  elantech_ps2_command+0x4f/0xc0 [psmouse]\n[    6.512734]  elantech_change_report_id+0x1e6/0x256 [psmouse]\n[    6.512799]  ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]\n[    6.512863]  ? ps2_command+0x7f/0x90\n[    6.512877]  elantech_query_info.cold+0x6bd/0x9ed [psmouse]\n[    6.512943]  ? elantech_setup_ps2+0x460/0x460 [psmouse]\n[    6.513005]  ? psmouse_reset+0x69/0xb0 [psmouse]\n[    6.513064]  ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]\n[    6.513122]  ? phys_pmd_init+0x30e/0x521\n[    6.513137]  elantech_init+0x8a/0x200 [psmouse]\n[    6.513200]  ? elantech_init_ps2+0xf0/0xf0 [psmouse]\n[    6.513249]  ? elantech_query_info+0x440/0x440 [psmouse]\n[    6.513296]  ? synaptics_send_cmd+0x60/0x60 [psmouse]\n[    6.513342]  ? elantech_query_info+0x440/0x440 [psmouse]\n[    6.513388]  ? psmouse_try_protocol+0x11e/0x170 [psmouse]\n[    6.513432]  psmouse_extensions+0x65d/0x6e0 [psmouse]\n[    6.513476]  ? psmouse_try_protocol+0x170/0x170 [psmouse]\n[    6.513519]  ? mutex_unlock+0x22/0x40\n[    6.513526]  ? ps2_command+0x7f/0x90\n[    6.513536]  ? psmouse_probe+0xa3/0xf0 [psmouse]\n[    6.513580]  psmouse_switch_protocol+0x27d/0x2e0 [psmouse]\n[    6.513624]  psmouse_connect+0x272/0x530 [psmouse]\n[    6.513669]  serio_driver_probe+0x55/0x70\n[    6.513679]  really_probe+0x190/0x720\n[    6.513689]  driver_probe_device+0x160/0x1f0\n[    6.513697]  device_driver_attach+0x119/0x130\n[    6.513705]  ? device_driver_attach+0x130/0x130\n[    6.513713]  __driver_attach+0xe7/0x1a0\n[    6.513720]  ? device_driver_attach+0x130/0x130\n[    6.513728]  bus_for_each_dev+0xfb/0x150\n[    6.513738]  ? subsys_dev_iter_exit+0x10/0x10\n[    6.513748]  ? _raw_write_unlock_bh+0x30/0x30\n[    6.513757]  driver_attach+0x2d/0x40\n[    6.513764]  serio_handle_event+0x199/0x3d0\n[    6.513775]  process_one_work+0x471/0x740\n[    6.513785]  worker_thread+0x2d2/0x790\n[    6.513794]  ? process_one_work+0x740/0x740\n[    6.513802]  kthread+0x1b4/0x1e0\n[    6.513809]  ? set_kthread_struct+0x80/0x80\n[    6.513816]  ret_from_fork+0x22/0x30\n\n[    6.513832] The buggy address belongs to the page:\n[    6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7\n[    6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n[    6.513860] raw: 0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47097",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations\n\nCommit b50aa49638c7 (\"hwmon: (lm90) Prevent integer underflows of\ntemperature calculations\") addressed a number of underflow situations\nwhen writing temperature limits. However, it missed one situation, seen\nwhen an attempt is made to set the hysteresis value to MAX_LONG and the\ncritical temperature limit is negative.\n\nUse clamp_val() when setting the hysteresis temperature to ensure that\nthe provided value can never overflow or underflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47098",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: ensure skb entering GRO are not cloned.\n\nAfter commit d3256efd8e8b (\"veth: allow enabling NAPI even without XDP\"),\nif GRO is enabled on a veth device and TSO is disabled on the peer\ndevice, TCP skbs will go through the NAPI callback. If there is no XDP\nprogram attached, the veth code does not perform any share check, and\nshared/cloned skbs could enter the GRO engine.\n\nIgnat reported a BUG triggered later-on due to the above condition:\n\n[   53.970529][    C1] kernel BUG at net/core/skbuff.c:3574!\n[   53.981755][    C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n[   53.982634][    C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25\n[   53.982634][    C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n[   53.982634][    C1] RIP: 0010:skb_shift+0x13ef/0x23b0\n[   53.982634][    C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0\n7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f\n85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89\nf7 4c 89 8c\n[   53.982634][    C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246\n[   53.982634][    C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000\n[   53.982634][    C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2\n[   53.982634][    C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0\n[   53.982634][    C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590\n[   53.982634][    C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0\n[   53.982634][    C1] FS:  0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000\n[   53.982634][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   53.982634][    C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0\n[   53.982634][    C1] Call Trace:\n[   53.982634][    C1]  
<TASK>\n[   53.982634][    C1]  tcp_sacktag_walk+0xaba/0x18e0\n[   53.982634][    C1]  tcp_sacktag_write_queue+0xe7b/0x3460\n[   53.982634][    C1]  tcp_ack+0x2666/0x54b0\n[   53.982634][    C1]  tcp_rcv_established+0x4d9/0x20f0\n[   53.982634][    C1]  tcp_v4_do_rcv+0x551/0x810\n[   53.982634][    C1]  tcp_v4_rcv+0x22ed/0x2ed0\n[   53.982634][    C1]  ip_protocol_deliver_rcu+0x96/0xaf0\n[   53.982634][    C1]  ip_local_deliver_finish+0x1e0/0x2f0\n[   53.982634][    C1]  ip_sublist_rcv_finish+0x211/0x440\n[   53.982634][    C1]  ip_list_rcv_finish.constprop.0+0x424/0x660\n[   53.982634][    C1]  ip_list_rcv+0x2c8/0x410\n[   53.982634][    C1]  __netif_receive_skb_list_core+0x65c/0x910\n[   53.982634][    C1]  netif_receive_skb_list_internal+0x5f9/0xcb0\n[   53.982634][    C1]  napi_complete_done+0x188/0x6e0\n[   53.982634][    C1]  gro_cell_poll+0x10c/0x1d0\n[   53.982634][    C1]  __napi_poll+0xa1/0x530\n[   53.982634][    C1]  net_rx_action+0x567/0x1270\n[   53.982634][    C1]  __do_softirq+0x28a/0x9ba\n[   53.982634][    C1]  run_ksoftirqd+0x32/0x60\n[   53.982634][    C1]  smpboot_thread_fn+0x559/0x8c0\n[   53.982634][    C1]  kthread+0x3b9/0x490\n[   53.982634][    C1]  ret_from_fork+0x22/0x30\n[   53.982634][    C1]  </TASK>\n\nAddress the issue by skipping the GRO stage for shared or cloned skbs.\nTo reduce the chance of OoO, try to unclone the skbs before giving up.\n\nv1 -> v2:\n - use avoid skb_copy and fallback to netif_receive_skb  - Eric",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47099",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module\n\nHi,\n\nWhen testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,\nthe system crashed.\n\nThe log as follows:\n[  141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a\n[  141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0\n[  141.087464] Oops: 0010 [#1] SMP NOPTI\n[  141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47\n[  141.088009] Workqueue: events 0xffffffffc09b3a40\n[  141.088009] RIP: 0010:0xffffffffc09b3a5a\n[  141.088009] Code: Bad RIP value.\n[  141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246\n[  141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000\n[  141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1\n[  141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700\n[  141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8\n[  141.088009] FS:  0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000\n[  141.088009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0\n[  141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  141.088009] PKRU: 55555554\n[  141.088009] Call Trace:\n[  141.088009]  ? process_one_work+0x195/0x390\n[  141.088009]  ? worker_thread+0x30/0x390\n[  141.088009]  ? process_one_work+0x390/0x390\n[  141.088009]  ? kthread+0x10d/0x130\n[  141.088009]  ? kthread_flush_work_fn+0x10/0x10\n[  141.088009]  ? 
ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a\n[  200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0\n[  200.223464] Oops: 0010 [#1] SMP NOPTI\n[  200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46\n[  200.224008] Workqueue: events 0xffffffffc0b28a40\n[  200.224008] RIP: 0010:0xffffffffc0b28a5a\n[  200.224008] Code: Bad RIP value.\n[  200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246\n[  200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000\n[  200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5\n[  200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700\n[  200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8\n[  200.224008] FS:  0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000\n[  200.224008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0\n[  200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  200.224008] PKRU: 55555554\n[  200.224008] Call Trace:\n[  200.224008]  ? process_one_work+0x195/0x390\n[  200.224008]  ? worker_thread+0x30/0x390\n[  200.224008]  ? process_one_work+0x390/0x390\n[  200.224008]  ? kthread+0x10d/0x130\n[  200.224008]  ? kthread_flush_work_fn+0x10/0x10\n[  200.224008]  ? 
ret_from_fork+0x35/0x40\n[  200.224008] kernel fault(0x1) notification starting on CPU 63\n[  200.224008] kernel fault(0x1) notification finished on CPU 63\n[  200.224008] CR2: ffffffffc0b28a5a\n[  200.224008] ---[ end trace c82a412d93f57412 ]---\n\nThe reason is as follows:\nT1: rmmod ipmi_si.\n    ->ipmi_unregister_smi()\n        -> ipmi_bmc_unregister()\n            -> __ipmi_bmc_unregister()\n                -> kref_put(&bmc->usecount, cleanup_bmc_device);\n                    -> schedule_work(&bmc->remove_work);\n\nT2: rmmod ipmi_msghandl\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47100",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nasix: fix uninit-value in asix_mdio_read()\n\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\n\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47101",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix incorrect structure access\n\nIn line:\n\tupper = info->upper_dev;\nWe access upper_dev field, which is related only for particular events\n(e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memory\naccess for another events,\nwhen ptr is not netdev_notifier_changeupper_info.\n\nThe KASAN logs are as follows:\n\n[   30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]\n[   30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778\n[   30.139866]\n[   30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6\n[   30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[   30.153056] Call trace:\n[   30.155547]  dump_backtrace+0x0/0x2c0\n[   30.159320]  show_stack+0x18/0x30\n[   30.162729]  dump_stack_lvl+0x68/0x84\n[   30.166491]  print_address_description.constprop.0+0x74/0x2b8\n[   30.172346]  kasan_report+0x1e8/0x250\n[   30.176102]  __asan_load8+0x98/0xe0\n[   30.179682]  prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]\n[   30.186847]  prestera_netdev_event_handler+0x1b4/0x1c0 [prestera]\n[   30.193313]  raw_notifier_call_chain+0x74/0xa0\n[   30.197860]  call_netdevice_notifiers_info+0x68/0xc0\n[   30.202924]  register_netdevice+0x3cc/0x760\n[   30.207190]  register_netdev+0x24/0x50\n[   30.211015]  prestera_device_register+0x8a0/0xba0 [prestera]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47102",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: fully convert sk->sk_rx_dst to RCU rules\n\nsyzbot reported various issues around early demux,\none being included in this changelog [1]\n\nsk->sk_rx_dst is using RCU protection without clearly\ndocumenting it.\n\nAnd following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv()\nare not following standard RCU rules.\n\n[a]    dst_release(dst);\n[b]    sk->sk_rx_dst = NULL;\n\nThey look wrong because a delete operation of RCU protected\npointer is supposed to clear the pointer before\nthe call_rcu()/synchronize_rcu() guarding actual memory freeing.\n\nIn some cases indeed, dst could be freed before [b] is done.\n\nWe could cheat by clearing sk_rx_dst before calling\ndst_release(), but this seems the right time to stick\nto standard RCU annotations and debugging facilities.\n\n[1]\nBUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline]\nBUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792\nRead of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204\n\nCPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n dst_check include/net/dst.h:470 [inline]\n tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792\n ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340\n ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583\n ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]\n ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644\n __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]\n 
__netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556\n __netif_receive_skb_list net/core/dev.c:5608 [inline]\n netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699\n gro_normal_list net/core/dev.c:5853 [inline]\n gro_normal_list net/core/dev.c:5849 [inline]\n napi_complete_done+0x1f1/0x880 net/core/dev.c:6590\n virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]\n virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557\n __napi_poll+0xaf/0x440 net/core/dev.c:7023\n napi_poll net/core/dev.c:7090 [inline]\n net_rx_action+0x801/0xb40 net/core/dev.c:7177\n __do_softirq+0x29b/0x9c2 kernel/softirq.c:558\n invoke_softirq kernel/softirq.c:432 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:649\n common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240\n asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629\nRIP: 0033:0x7f5e972bfd57\nCode: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73\nRSP: 002b:00007fff8a413210 EFLAGS: 00000283\nRAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45\nRDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45\nRBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9\nR10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0\nR13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019\n </TASK>\n\nAllocated by task 13:\n kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467\n kasan_slab_alloc include/linux/kasan.h:259 [inline]\n slab_post_alloc_hook mm/slab.h:519 [inline]\n slab_alloc_node mm/slub.c:3234 [inline]\n slab_alloc mm/slub.c:3242 [inline]\n kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247\n dst_alloc+0x146/0x1f0 
net/core/dst.c:92\n rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613\n ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47103",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/qib: Fix memory leak in qib_user_sdma_queue_pkts()\n\nThe wrong goto label was used for the error case and missed cleanup of the\npkt allocation.\n\nAddresses-Coverity-ID: 1493352 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47104",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: xsk: return xsk buffers back to pool when cleaning the ring\n\nCurrently we only NULL the xdp_buff pointer in the internal SW ring but\nwe never give it back to the xsk buffer pool. This means that buffers\ncan be leaked out of the buff pool and never be used again.\n\nAdd missing xsk_buff_free() call to the routine that is supposed to\nclean the entries that are left in the ring so that these buffers in the\numem can be used by other sockets.\n\nAlso, only go through the space that is actually left to be cleaned\ninstead of a whole ring.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47105",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()\n\nWe need to use list_for_each_entry_safe() iterator\nbecause we can not access @catchall after kfree_rcu() call.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\nBUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\nRead of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871\n\nCPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]\n nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]\n nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493\n __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626\n nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688\n notifier_call_chain+0xb5/0x200 kernel/notifier.c:83\n blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306\n netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788\n __sock_release+0xcd/0x280 net/socket.c:649\n sock_close+0x18/0x20 net/socket.c:1314\n __fput+0x286/0x9f0 fs/file_table.c:280\n task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n tracehook_notify_resume include/linux/tracehook.h:189 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:175 [inline]\n 
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207\n __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f75fbf28adb\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb\nRDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003\nRBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830\nR10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3\nR13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032\n </TASK>\n\nAllocated by task 8886:\n kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n ____kasan_kmalloc mm/kasan/common.c:513 [inline]\n ____kasan_kmalloc mm/kasan/common.c:472 [inline]\n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522\n kasan_kmalloc include/linux/kasan.h:269 [inline]\n kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575\n kmalloc include/linux/slab.h:590 [inline]\n nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline]\n nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline]\n nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936\n nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032\n nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 
net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47106",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47107",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf\n\nIn commit 41ca9caaae0b\n(\"drm/mediatek: hdmi: Add check for CEA modes only\") a check\nfor CEA modes was added to function mtk_hdmi_bridge_mode_valid()\nin order to address possible issues on MT8167;\nmoreover, with commit c91026a938c2\n(\"drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock\")\nanother similar check was introduced.\n\nUnfortunately though, at the time of writing, MT8173 does not provide\nany mtk_hdmi_conf structure and this is crashing the kernel with NULL\npointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as\nsoon as a HDMI cable gets plugged in.\n\nTo fix this regression, add a NULL pointer check for hdmi->conf in the\nsaid function, restoring HDMI functionality and avoiding NULL pointer\nkernel panics.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47108",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: allow NUD_NOARP entries to be forced GCed\n\nIFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to\nfill up the neighbour table with enough entries that it will overflow for\nvalid connections after that.\n\nThis behaviour is more prevalent after commit 58956317c8de (\"neighbor:\nImprove garbage collection\") is applied, as it prevents removal from\nentries that are not NUD_FAILED, unless they are more than 5s old.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47109",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Disable kvmclock on all CPUs on shutdown\n\nCurrenly, we disable kvmclock from machine_shutdown() hook and this\nonly happens for boot CPU. We need to disable it for all CPUs to\nguard against memory corruption e.g. on restore from hibernate.\n\nNote, writing '0' to kvmclock MSR doesn't clear memory location, it\njust prevents hypervisor from updating the location so for the short\nwhile after write and while CPU is still alive, the clock remains usable\nand correct so we don't need to switch to some other clocksource.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47110",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netback: take a reference to the RX task thread\n\nDo this in order to prevent the task from being freed if the thread\nreturns (which can be triggered by the frontend) before the call to\nkthread_stop done as part of the backend tear down. Not taking the\nreference will lead to a use-after-free in that scenario. Such\nreference was taken before but dropped as part of the rework done in\n2ac061ce97f4.\n\nReintroduce the reference taking and add a comment this time\nexplaining why it's needed.\n\nThis is XSA-374 / CVE-2021-28691.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47111",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Teardown PV features on boot CPU as well\n\nVarious PV features (Async PF, PV EOI, steal time) work through memory\nshared with hypervisor and when we restore from hibernation we must\nproperly teardown all these features to make sure hypervisor doesn't\nwrite to stale locations after we jump to the previously hibernated kernel\n(which can try to place anything there). For secondary CPUs the job is\nalready done by kvm_cpu_down_prepare(), register syscore ops to do\nthe same for boot CPU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47112",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort in rename_exchange if we fail to insert the second ref\n\nError injection stress uncovered a problem where we'd leave a dangling\ninode ref if we failed during a rename_exchange.  This happens because\nwe insert the inode ref for one side of the rename, and then for the\nother side.  If this second inode ref insert fails we'll leave the first\none dangling and leave a corrupt file system behind.  Fix this by\naborting if we did the insert for the first inode ref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47113",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix data corruption by fallocate\n\nWhen fallocate punches holes out of inode size, if original isize is in\nthe middle of last cluster, then the part from isize to the end of the\ncluster will be zeroed with buffer write, at that time isize is not yet\nupdated to match the new size, if writeback is kicked in, it will invoke\nocfs2_writepage()->block_write_full_page() where the pages out of inode\nsize will be dropped.  That will cause file corruption.  Fix this by\nzeroing out eof blocks when extending the inode size.\n\nRunning the following command with qemu-image 4.2.1 can get a corrupted\nconverted image file easily.\n\n    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \\\n             -O qcow2 -o compat=1.1 $qcow_image.conv\n\nThe usage of fallocate in qemu is like this, it first punches holes out\nof inode size, then extends the inode size.\n\n    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0\n    fallocate(11, 0, 2276196352, 65536) = 0\n\nv1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html\nv2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47114",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in ext4_mb_init_backend on error path.\n\nFix a memory leak discovered by syzbot when a file system is corrupted\nwith an illegally large s_log_groups_per_flex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47116",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed\n\nWe got the following bug_on when running fsstress with injected IO faults:\n[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!\n[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP\n......\n[130747.334329] Call trace:\n[130747.334553]  ext4_es_cache_extent+0x150/0x168 [ext4]\n[130747.334975]  ext4_cache_extents+0x64/0xe8 [ext4]\n[130747.335368]  ext4_find_extent+0x300/0x330 [ext4]\n[130747.335759]  ext4_ext_map_blocks+0x74/0x1178 [ext4]\n[130747.336179]  ext4_map_blocks+0x2f4/0x5f0 [ext4]\n[130747.336567]  ext4_mpage_readpages+0x4a8/0x7a8 [ext4]\n[130747.336995]  ext4_readpage+0x54/0x100 [ext4]\n[130747.337359]  generic_file_buffered_read+0x410/0xae8\n[130747.337767]  generic_file_read_iter+0x114/0x190\n[130747.338152]  ext4_file_read_iter+0x5c/0x140 [ext4]\n[130747.338556]  __vfs_read+0x11c/0x188\n[130747.338851]  vfs_read+0x94/0x150\n[130747.339110]  ksys_read+0x74/0xf0\n\nThis patch's modification follows Jan Kara's suggestion in:\nhttps://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/\n\"I see. Now I understand your patch. Honestly, seeing how fragile is trying\nto fix extent tree after split has failed in the middle, I would probably\ngo even further and make sure we fix the tree properly in case of ENOSPC\nand EDQUOT (those are easily user triggerable).  Anything else indicates a\nHW problem or fs corruption so I'd rather leave the extent tree as is and\ndon't try to fix it (which also means we will not create overlapping\nextents).\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47117",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: take a reference when initializing `cad_pid`\n\nDuring boot, kernel_init_freeable() initializes `cad_pid` to the init\ntask's struct pid.  Later on, we may change `cad_pid` via a sysctl, and\nwhen this happens proc_do_cad_pid() will increment the refcount on the\nnew pid via get_pid(), and will decrement the refcount on the old pid\nvia put_pid().  As we never called get_pid() when we initialized\n`cad_pid`, we decrement a reference we never incremented, can therefore\nfree the init task's struct pid early.  As there can be dangling\nreferences to the struct pid, we can later encounter a use-after-free\n(e.g.  when delivering signals).\n\nThis was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to\nhave been around since the conversion of `cad_pid` to struct pid in\ncommit 9ec52099e4b8 (\"[PATCH] replace cad_pid by a struct pid\") from the\npre-KASAN stone age of v2.6.19.\n\nFix this by getting a reference to the init task's struct pid when we\nassign it to `cad_pid`.\n\nFull KASAN splat below.\n\n   ==================================================================\n   BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]\n   BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n   Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273\n\n   CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1\n   Hardware name: linux,dummy-virt (DT)\n   Call trace:\n    ns_of_pid include/linux/pid.h:153 [inline]\n    task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n    do_notify_parent+0x308/0xe60 kernel/signal.c:1950\n    exit_notify kernel/exit.c:682 [inline]\n    do_exit+0x2334/0x2bd0 kernel/exit.c:845\n    do_group_exit+0x108/0x2c8 kernel/exit.c:922\n    get_signal+0x4e4/0x2a88 kernel/signal.c:2781\n    do_signal arch/arm64/kernel/signal.c:882 [inline]\n    do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936\n    work_pending+0xc/0x2dc\n\n   Allocated by task 0:\n    slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516\n    slab_alloc_node mm/slub.c:2907 [inline]\n    slab_alloc mm/slub.c:2915 [inline]\n    kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920\n    alloc_pid+0xdc/0xc00 kernel/pid.c:180\n    copy_process+0x2794/0x5e18 kernel/fork.c:2129\n    kernel_clone+0x194/0x13c8 kernel/fork.c:2500\n    kernel_thread+0xd4/0x110 kernel/fork.c:2552\n    rest_init+0x44/0x4a0 init/main.c:687\n    arch_call_rest_init+0x1c/0x28\n    start_kernel+0x520/0x554 init/main.c:1064\n    0x0\n\n   Freed by task 270:\n    slab_free_hook mm/slub.c:1562 [inline]\n    slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600\n    slab_free mm/slub.c:3161 [inline]\n    kmem_cache_free+0x224/0x8e0 mm/slub.c:3177\n    put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114\n    put_pid+0x30/0x48 kernel/pid.c:109\n    proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401\n    proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591\n    proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617\n    call_write_iter include/linux/fs.h:1977 [inline]\n    new_sync_write+0x3ac/0x510 fs/read_write.c:518\n    vfs_write fs/read_write.c:605 [inline]\n    vfs_write+0x9c4/0x1018 fs/read_write.c:585\n    ksys_write+0x124/0x240 fs/read_write.c:658\n    __do_sys_write fs/read_write.c:670 [inline]\n    __se_sys_write fs/read_write.c:667 [inline]\n    __arm64_sys_write+0x78/0xb0 fs/read_write.c:667\n    __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n    invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]\n    el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129\n    do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168\n    el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416\n    el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432\n    el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701\n\n   The buggy address belongs to the object at ffff23794dda0000\n    which belongs to the cache pid of size 224\n   The buggy address is located 4 bytes inside of\n    224-byte region [ff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47118",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in ext4_fill_super\n\nBuffer head references must be released before calling kill_bdev();\notherwise the buffer head (and its page referenced by b_data) will not\nbe freed by kill_bdev, and subsequently that bh will be leaked.\n\nIf blocksizes differ, sb_set_blocksize() will kill current buffers and\npage cache by using kill_bdev(). And then super block will be reread\nagain but using correct blocksize this time. sb_set_blocksize() didn't\nfully free superblock page and buffer head, and being busy, they were\nnot freed and instead leaked.\n\nThis can easily be reproduced by calling an infinite loop of:\n\n  systemctl start <ext4_on_lvm>.mount, and\n  systemctl stop <ext4_on_lvm>.mount\n\n... since systemd creates a cgroup for each slice which it mounts, and\nthe bh leak gets amplified by a dying memory cgroup that also never\ngets freed, and memory consumption is much more easily noticed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47119",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: fix NULL-deref on disconnect\n\nCommit 9d7b18668956 (\"HID: magicmouse: add support for Apple Magic\nTrackpad 2\") added a sanity check for an Apple trackpad but returned\nsuccess instead of -ENODEV when the check failed. This means that the\nremove callback will dereference the never-initialised driver data\npointer when the driver is later unbound (e.g. on USB disconnect).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47120",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in cfusbl_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47121",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in caif_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47122",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix ltout double free on completion race\n\nAlways remove linked timeout on io_link_timeout_fn() from the master\nrequest link list, otherwise we may get use-after-free when first\nio_link_timeout_fn() puts linked timeout in the fail path, and then\nwill be found and put on master's free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47123",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix link timeout refs\n\nWARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nRIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nCall Trace:\n __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n io_put_req fs/io_uring.c:2140 [inline]\n io_queue_linked_timeout fs/io_uring.c:6300 [inline]\n __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354\n io_submit_sqe fs/io_uring.c:6534 [inline]\n io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660\n __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]\n __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182\n\nio_link_timeout_fn() should put only one reference of the linked timeout\nrequest, however in case of racing with the master request's completion\nfirst io_req_complete() puts one and then io_put_req_deferred() is\ncalled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47124",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: fix refcount leak in htb_parent_to_leaf_offload\n\nThe commit ae81feb7338c (\"sch_htb: fix null pointer dereference\non a null new_q\") fixes a NULL pointer dereference bug, but it\nis not correct.\n\nBecause htb_graft_helper properly handles the case when new_q\nis NULL, and after the previous patch by skipping this call\nwhich creates an inconsistency : dev_queue->qdisc will still\npoint to the old qdisc, but cl->parent->leaf.q will point to\nthe new one (which will be noop_qdisc, because new_q was NULL).\nThe code is based on an assumption that these two pointers are\nthe same, so it can lead to refcount leaks.\n\nThe correct fix is to add a NULL pointer check to protect\nqdisc_refcount_inc inside htb_parent_to_leaf_offload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47125",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions\n\nReported by syzbot:\nHEAD commit:    90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..\ngit tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master\ndashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7\ncompiler:       Debian clang version 11.0.1-2\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\nBUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\nRead of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760\n\nCPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x202/0x31e lib/dump_stack.c:120\n print_address_description+0x5f/0x3b0 mm/kasan/report.c:232\n __kasan_report mm/kasan/report.c:399 [inline]\n kasan_report+0x15c/0x200 mm/kasan/report.c:416\n fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\n fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\n fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536\n fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174\n rcu_do_batch kernel/rcu/tree.c:2559 [inline]\n rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794\n __do_softirq+0x372/0x7a6 kernel/softirq.c:345\n invoke_softirq kernel/softirq.c:221 [inline]\n __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:434\n sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100\n </IRQ>\n asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632\nRIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515\nCode: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d\nRSP: 0018:ffffc90009e06560 EFLAGS: 00000206\nRAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1\nR10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4\n rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267\n rcu_read_lock include/linux/rcupdate.h:656 [inline]\n ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231\n ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212\n ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379\n ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982\n ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238\n ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638\n ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848\n ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900\n ext4_append+0x1a4/0x360 fs/ext4/namei.c:67\n ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768\n ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814\n vfs_mkdir+0x45b/0x640 fs/namei.c:3819\n ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]\n ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146\n ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193\n ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788\n ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355\n ovl_get_workdir fs/overlayfs/super.c:1492 [inline]\n ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035\n mount_nodev+0x52/0xe0 fs/super.c:1413\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2903 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3233\n do_mount fs/namespace.c:3246 [inline]\n __do_sys_mount fs/namespace.c:3454 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47126",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: track AF_XDP ZC enabled queues in bitmap\n\nCommit c7a219048e45 (\"ice: Remove xsk_buff_pool from VSI structure\")\nsilently introduced a regression and broke the Tx side of AF_XDP in copy\nmode. xsk_pool on ice_ring is set only based on the existence of the XDP\nprog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.\nThat is not something that should happen for copy mode as it should use\nthe regular data path ice_clean_tx_irq.\n\nThis results in the following splat when xdpsock is run in txonly or l2fwd\nscenarios in copy mode:\n\n<snip>\n[  106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[  106.057269] #PF: supervisor read access in kernel mode\n[  106.062493] #PF: error_code(0x0000) - not-present page\n[  106.067709] PGD 0 P4D 0\n[  106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45\n[  106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50\n[  106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00\n[  106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206\n[  106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800\n[  106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800\n[  106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800\n[  106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff\n[  106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018\n[  106.157117] FS:  0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000\n[  106.165332] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0\n[  106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  106.192898] PKRU: 55555554\n[  106.195653] Call Trace:\n[  106.198143]  <IRQ>\n[  106.200196]  ice_clean_tx_irq_zc+0x183/0x2a0 [ice]\n[  106.205087]  ice_napi_poll+0x3e/0x590 [ice]\n[  106.209356]  __napi_poll+0x2a/0x160\n[  106.212911]  net_rx_action+0xd6/0x200\n[  106.216634]  __do_softirq+0xbf/0x29b\n[  106.220274]  irq_exit_rcu+0x88/0xc0\n[  106.223819]  common_interrupt+0x7b/0xa0\n[  106.227719]  </IRQ>\n[  106.229857]  asm_common_interrupt+0x1e/0x40\n</snip>\n\nFix this by introducing the bitmap of queues that are zero-copy enabled,\nwhere each bit, corresponding to a queue id that xsk pool is being\nconfigured on, will be set/cleared within ice_xsk_pool_{en,dis}able and\nchecked within ice_xsk_pool(). The latter is a function used for\ndeciding which napi poll routine is executed.\nIdea is being taken from our other drivers such as i40e and ixgbe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47127",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lockdown, audit: Fix buggy SELinux lockdown permission checks\n\nCommit 59438b46471a (\"security,lockdown,selinux: implement SELinux lockdown\")\nadded an implementation of the locked_down LSM hook to SELinux, with the aim\nto restrict which domains are allowed to perform operations that would breach\nlockdown. This is indirectly also getting audit subsystem involved to report\nevents. The latter is problematic, as reported by Ondrej and Serhei, since it\ncan bring down the whole system via audit:\n\n  1) The audit events that are triggered due to calls to security_locked_down()\n     can OOM kill a machine, see below details [0].\n\n  2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()\n     when trying to wake up kauditd, for example, when using trace_sched_switch()\n     tracepoint, see details in [1]. Triggering this was not via some hypothetical\n     corner case, but with existing tools like runqlat & runqslower from bcc, for\n     example, which make use of this tracepoint. Rough call sequence goes like:\n\n     rq_lock(rq) -> -------------------------+\n       trace_sched_switch() ->               |\n         bpf_prog_xyz() ->                   +-> deadlock\n           selinux_lockdown() ->             |\n             audit_log_end() ->              |\n               wake_up_interruptible() ->    |\n                 try_to_wake_up() ->         |\n                   rq_lock(rq) --------------+\n\nWhat's worse is that the intention of 59438b46471a to further restrict lockdown\nsettings for specific applications in respect to the global lockdown policy is\ncompletely broken for BPF. The SELinux policy rule for the current lockdown check\nlooks something like this:\n\n  allow <who> <who> : lockdown { <reason> };\n\nHowever, this doesn't match with the 'current' task where the security_locked_down()\nis executed, example: httpd does a syscall. There is a tracing program attached\nto the syscall which triggers a BPF program to run, which ends up doing a\nbpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does\nthe permission check against 'current', that is, httpd in this example. httpd\nhas literally zero relation to this tracing program, and it would be nonsensical\nhaving to write an SELinux policy rule against httpd to let the tracing helper\npass. The policy in this case needs to be against the entity that is installing\nthe BPF program. For example, if bpftrace would generate a histogram of syscall\ncounts by user space application:\n\n  bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'\n\nbpftrace would then go and generate a BPF program from this internally. One way\nof doing it [for the sake of the example] could be to call bpf_get_current_task()\nhelper and then access current->comm via one of bpf_probe_read_kernel{,_str}()\nhelpers. So the program itself has nothing to do with httpd or any other random\napp doing a syscall here. The BPF program _explicitly initiated_ the lockdown\ncheck. The allow/deny policy belongs in the context of bpftrace: meaning, you\nwant to grant bpftrace access to use these helpers, but other tracers on the\nsystem like my_random_tracer _not_.\n\nTherefore fix all three issues at the same time by taking a completely different\napproach for the security_locked_down() hook, that is, move the check into the\nprogram verification phase where we actually retrieve the BPF func proto. This\nalso reliably gets the task (current) that is trying to install the BPF tracing\nprogram, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since\nwe're moving this out of the BPF helper's fast-path which can be called several\nmillions of times per second.\n\nThe check is then also in line with other security_locked_down() hooks in the\nsystem where the enforcement is performed at open/load time, for example,\nopen_kcore() for /proc/kcore access or module_sig_check() for module signatures\njust to pick f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47128",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: skip expectations for confirmed conntrack\n\nnft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed\nconntrack entry. However, nf_ct_ext_add() can only be called for\n!nf_ct_is_confirmed().\n\n[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00\n[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202\n[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887\n[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440\n[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447\n[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440\n[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20\n[ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000\n[ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0\n[ 1825.352508] Call Trace:\n[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]\n[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]\n[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]\n\nAdd the ct helper extension only for unconfirmed conntrack. Skip rule\nevaluation if the ct helper extension does not exist. Thus, you can\nonly create expectations from the first packet.\n\nIt should be possible to remove this limitation by adding a new action\nto attach a generic ct helper to the first packet. Then, use this ct\nhelper extension from follow up packets to create the ct expectation.\n\nWhile at it, add a missing check to skip the template conntrack too\nand remove check for IPCT_UNTRACK which is implicit to !ct.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47129",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix freeing unallocated p2pmem\n\nIn case p2p device was found but the p2p pool is empty, the nvme target\nis still trying to free the sgl from the p2p pool instead of the\nregular sgl pool and causing a crash (BUG() is called). Instead, assign\nthe p2p_dev for the request only if it was allocated from p2p pool.\n\nThis is the crash that was caused:\n\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI\n...\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n...\n[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0\n...\n[Sun May 30 19:13:53 2021] Call Trace:\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021]  pci_free_p2pmem+0x2b/0x70\n[Sun May 30 19:13:53 2021]  pci_p2pmem_free_sgl+0x4f/0x80\n[Sun May 30 19:13:53 2021]  nvmet_req_free_sgls+0x1e/0x80 [nvmet]\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021]  nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]\n[Sun May 30 19:13:53 2021]  nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47130",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix use-after-free after the TLS device goes down and up\n\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\n\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\n\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\n\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\n\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. It's used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47131",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue by providing and using a new variant of the blamed function\nwhich explicitly acquires the msk spin lock.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47132",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix memory leak in amd_sfh_work\n\nKmemleak tool detected a memory leak in the amd_sfh driver.\n\n====================\nunreferenced object 0xffff88810228ada0 (size 32):\n  comm \"insmod\", pid 3968, jiffies 4295056001 (age 775.792s)\n  hex dump (first 32 bytes):\n    00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de  . s.............\n    22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00  \"...............\n  backtrace:\n    [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0\n    [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]\n    [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh]\n    [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]\n    [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]\n    [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]\n    [<00000000915760ce>] platform_probe+0x6a/0xd0\n    [<0000000060258a1f>] really_probe+0x192/0x620\n    [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0\n    [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110\n    [<0000000070d15018>] bus_for_each_drv+0xfd/0x160\n    [<0000000013a3c312>] __device_attach+0x18b/0x220\n    [<000000008c7b4afc>] device_initial_probe+0x13/0x20\n    [<00000000e6e99665>] bus_probe_device+0xfe/0x120\n    [<00000000833fa90b>] device_add+0x6a6/0xe00\n    [<00000000fa901078>] platform_device_add+0x180/0x380\n====================\n\nThe fix is to free the request_list entry once the processed entry is\nremoved from the request_list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47133",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/fdt: fix panic when no valid fdt found\n\nsetup_arch() would invoke efi_init()->efi_get_fdt_params(). If no\nvalid fdt is found then initial_boot_params will be null. So we\nshould stop further fdt processing here. I encountered this\nissue on risc-v.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47134",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report\n\nFix possible array out of bound access in mt7921_mcu_tx_rate_report.\nRemove unnecessary variable in mt7921_mcu_tx_rate_report",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47135",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: zero-initialize tc skb extension on allocation\n\nFunction skb_ext_add() doesn't initialize created skb extension with any\nvalue and leaves it up to the user. However, since extension of type\nTC_SKB_EXT originally contained only single value tc_skb_ext->chain its\nusers used to just assign the chain value without setting whole extension\nmemory to zero first. This assumption changed when TC_SKB_EXT extension was\nextended with additional fields but not all users were updated to\ninitialize the new fields which leads to use of uninitialized memory\nafterwards. UBSAN log:\n\n[  778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28\n[  778.301495] load of value 107 is not a valid value for type '_Bool'\n[  778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2\n[  778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  778.307901] Call Trace:\n[  778.308680]  <IRQ>\n[  778.309358]  dump_stack+0xbb/0x107\n[  778.310307]  ubsan_epilogue+0x5/0x40\n[  778.311167]  __ubsan_handle_load_invalid_value.cold+0x43/0x48\n[  778.312454]  ? memset+0x20/0x40\n[  778.313230]  ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]\n[  778.314532]  ovs_vport_receive+0x19e/0x2e0 [openvswitch]\n[  778.315749]  ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]\n[  778.317188]  ? create_prof_cpu_mask+0x20/0x20\n[  778.318220]  ? arch_stack_walk+0x82/0xf0\n[  778.319153]  ? secondary_startup_64_no_verify+0xb0/0xbb\n[  778.320399]  ? stack_trace_save+0x91/0xc0\n[  778.321362]  ? stack_trace_consume_entry+0x160/0x160\n[  778.322517]  ? lock_release+0x52e/0x760\n[  778.323444]  netdev_frame_hook+0x323/0x610 [openvswitch]\n[  778.324668]  ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]\n[  778.325950]  __netif_receive_skb_core+0x771/0x2db0\n[  778.327067]  ? lock_downgrade+0x6e0/0x6f0\n[  778.328021]  ? lock_acquire+0x565/0x720\n[  778.328940]  ? generic_xdp_tx+0x4f0/0x4f0\n[  778.329902]  ? inet_gro_receive+0x2a7/0x10a0\n[  778.330914]  ? lock_downgrade+0x6f0/0x6f0\n[  778.331867]  ? udp4_gro_receive+0x4c4/0x13e0\n[  778.332876]  ? lock_release+0x52e/0x760\n[  778.333808]  ? dev_gro_receive+0xcc8/0x2380\n[  778.334810]  ? lock_downgrade+0x6f0/0x6f0\n[  778.335769]  __netif_receive_skb_list_core+0x295/0x820\n[  778.336955]  ? process_backlog+0x780/0x780\n[  778.337941]  ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]\n[  778.339613]  ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0\n[  778.341033]  ? kvm_clock_get_cycles+0x14/0x20\n[  778.342072]  netif_receive_skb_list_internal+0x5f5/0xcb0\n[  778.343288]  ? __kasan_kmalloc+0x7a/0x90\n[  778.344234]  ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]\n[  778.345676]  ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]\n[  778.347140]  ? __netif_receive_skb_list_core+0x820/0x820\n[  778.348351]  ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]\n[  778.349688]  ? napi_gro_flush+0x26c/0x3c0\n[  778.350641]  napi_complete_done+0x188/0x6b0\n[  778.351627]  mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]\n[  778.352853]  __napi_poll+0x9f/0x510\n[  778.353704]  ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]\n[  778.355158]  net_rx_action+0x34c/0xa40\n[  778.356060]  ? napi_threaded_poll+0x3d0/0x3d0\n[  778.357083]  ? sched_clock_cpu+0x18/0x190\n[  778.358041]  ? __common_interrupt+0x8e/0x1a0\n[  778.359045]  __do_softirq+0x1ce/0x984\n[  778.359938]  __irq_exit_rcu+0x137/0x1d0\n[  778.360865]  irq_exit_rcu+0xa/0x20\n[  778.361708]  common_interrupt+0x80/0xa0\n[  778.362640]  </IRQ>\n[  778.363212]  asm_common_interrupt+0x1e/0x40\n[  778.364204] RIP: 0010:native_safe_halt+0xe/0x10\n[  778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00\n[  778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246\n[  778.370570] RAX\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47136",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lantiq: fix memory corruption in RX ring\n\nIn a situation where memory allocation or dma mapping fails, an\ninvalid address is programmed into the descriptor. This can lead\nto memory corruption. If the memory allocation fails, DMA should\nreuse the previous skb and mapping and drop the packet. This patch\nalso increments rx drop counter.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47137",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: avoid accessing registers when clearing filters\n\nThe hardware register holding the server TID base can contain\ninvalid values when the adapter is in a bad state (for example,\ndue to AER fatal error). Reading these invalid values in the\nregister can lead to out-of-bound memory access. So, fix\nby using the saved server TID base when clearing filters.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47138",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initialization\ncompletes. So there is a time window between the netdevice being available\nand usable. In this case, if the user tries to change the channel number\nor ring param, it may cause hns3_set_rx_cpu_rmap() to be called\ntwice, and report a bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G           O      5.11.0-rc3+ #1\n[47200.215601] Hardware name:  , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324]  cpu_rmap_add+0x38/0x40\n[47200.354300]  hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294]  hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049]  hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770]  hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353]  ethtool_set_channels+0x140/0x250\n[47200.389772]  dev_ethtool+0x714/0x23d0\n[47200.394440]  dev_ioctl+0x4cc/0x640\n[47200.399277]  sock_do_ioctl+0x100/0x2a0\n[47200.404574]  sock_ioctl+0x28c/0x470\n[47200.409079]  __arm64_sys_ioctl+0xb4/0x100\n[47200.415217]  el0_svc_common.constprop.0+0x84/0x210\n[47200.422088]  do_el0_svc+0x28/0x34\n[47200.426387]  el0_svc+0x28/0x70\n[47200.431308]  el0_sync_handler+0x1a4/0x1b0\n[47200.436477]  el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexecuting hns3_client_init\n|\nregister_netdev()\n|                           hns3_set_channels()\n|                           |\nhns3_set_rx_cpu_rmap()      hns3_reset_notify_uninit_enet()\n|                               |\n|                            quit without calling function\n|                            hns3_free_rx_cpu_rmap for flag\n|                            HNS3_NIC_STATE_INITED is unset.\n|                           |\n|                           hns3_reset_notify_init_enet()\n|                               |\nset HNS3_NIC_STATE_INITED    call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47139",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Clear DMA ops when switching domain\n\nSince commit 08a27c1c3ecf (\"iommu: Add support to change default domain\nof an iommu group\") a user can switch a device between IOMMU and direct\nDMA through sysfs. This doesn't work for AMD IOMMU at the moment because\ndev->dma_ops is not cleared when switching from a DMA to an identity\nIOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an\nidentity domain, causing an oops:\n\n  # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind\n  # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type\n  # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind\n   ...\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n   ...\n   Call Trace:\n    iommu_dma_alloc\n    e1000e_setup_tx_resources\n    e1000e_open\n\nSince iommu_change_dev_def_domain() calls probe_finalize() again, clear\nthe dma_ops there like Vt-d does.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47140",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Add NULL pointer checks when freeing irqs.\n\nWhen freeing notification blocks, we index priv->msix_vectors.\nIf we failed to allocate priv->msix_vectors (see abort_with_msix_vectors)\nthis could lead to a NULL pointer dereference if the driver is unloaded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47141",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a use-after-free\n\nLooks like we forgot to set ttm->sg to NULL.\nHit the panic below\n\n[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 1235.989074] Call Trace:\n[ 1235.991751]  sg_free_table+0x17/0x20\n[ 1235.995667]  amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]\n[ 1236.002288]  amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]\n[ 1236.008464]  ttm_tt_destroy+0x1e/0x30 [ttm]\n[ 1236.013066]  ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]\n[ 1236.018783]  ttm_bo_release+0x262/0xa50 [ttm]\n[ 1236.023547]  ttm_bo_put+0x82/0xd0 [ttm]\n[ 1236.027766]  amdgpu_bo_unref+0x26/0x50 [amdgpu]\n[ 1236.032809]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]\n[ 1236.040400]  kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]\n[ 1236.046912]  kfd_ioctl+0x463/0x690 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47142",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: remove device from smcd_dev_list after failed device_add()\n\nIf the device_add() for a smcd_dev fails, there's no cleanup step that\nrolls back the earlier list_add(). The device subsequently gets freed,\nand we end up with a corrupted list.\n\nAdd some error handling that removes the device from the list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47143",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON in link_to_fixup_dir\n\nWhile doing error injection testing I got the following panic\n\n  kernel BUG at fs/btrfs/tree-log.c:1862!\n  invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n  RIP: 0010:link_to_fixup_dir+0xd5/0xe0\n  RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216\n  RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0\n  RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000\n  RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001\n  R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800\n  R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065\n  FS:  00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0\n  Call Trace:\n   replay_one_buffer+0x409/0x470\n   ? btree_read_extent_buffer_pages+0xd0/0x110\n   walk_up_log_tree+0x157/0x1e0\n   walk_log_tree+0xa6/0x1d0\n   btrfs_recover_log_trees+0x1da/0x360\n   ? replay_one_extent+0x7b0/0x7b0\n   open_ctree+0x1486/0x1720\n   btrfs_mount_root.cold+0x12/0xea\n   ? __kmalloc_track_caller+0x12f/0x240\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   vfs_kern_mount.part.0+0x71/0xb0\n   btrfs_mount+0x10d/0x380\n   ? vfs_parse_fs_string+0x4d/0x90\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   path_mount+0x433/0xa10\n   __x64_sys_mount+0xe3/0x120\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nWe can get -EIO or any number of legitimate errors from\nbtrfs_search_slot(), panicking here is not the appropriate response.  The\nerror path for this code handles errors properly, simply return the\nerror.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47145",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmld: fix panic in mld_newpack()\n\nmld_newpack() doesn't allow to allocate high order page,\nonly order-0 allocation is allowed.\nIf headroom size is too large, a kernel panic could occur in skb_put().\n\nTest commands:\n    ip netns del A\n    ip netns del B\n    ip netns add A\n    ip netns add B\n    ip link add veth0 type veth peer name veth1\n    ip link set veth0 netns A\n    ip link set veth1 netns B\n\n    ip netns exec A ip link set lo up\n    ip netns exec A ip link set veth0 up\n    ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0\n    ip netns exec B ip link set lo up\n    ip netns exec B ip link set veth1 up\n    ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1\n    for i in {1..99}\n    do\n        let A=$i-1\n        ip netns exec A ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100\n        ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i\n        ip netns exec A ip link set ip6gre$i up\n\n        ip netns exec B ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100\n        ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i\n        ip netns exec B ip link set ip6gre$i up\n    done\n\nSplat looks like:\nkernel BUG at net/core/skbuff.c:110!\ninvalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:skb_panic+0x15d/0x15f\nCode: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83\n41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89\n34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20\nRSP: 0018:ffff88810091f820 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000\nRDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb\nRBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031\nR10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028\nR13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0\nFS:  0000000000000000(0000) GS:ffff888117c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n skb_put.cold.104+0x22/0x22\n ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? rcu_read_lock_sched_held+0x91/0xc0\n mld_newpack+0x398/0x8f0\n ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600\n ? lock_contended+0xc40/0xc40\n add_grhead.isra.33+0x280/0x380\n add_grec+0x5ca/0xff0\n ? mld_sendpack+0xf40/0xf40\n ? lock_downgrade+0x690/0x690\n mld_send_initial_cr.part.34+0xb9/0x180\n ipv6_mc_dad_complete+0x15d/0x1b0\n addrconf_dad_completed+0x8d2/0xbb0\n ? lock_downgrade+0x690/0x690\n ? addrconf_rs_timer+0x660/0x660\n ? addrconf_dad_work+0x73c/0x10e0\n addrconf_dad_work+0x73c/0x10e0\n\nAllowing high order page allocation could fix this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47146",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Fix a resource leak in an error handling path\n\nIf an error occurs after a successful 'pci_ioremap_bar()' call, it must be\nundone by a corresponding 'pci_iounmap()' call, as already done in the\nremove function.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47147",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix a buffer overflow in otx2_set_rxfh_context()\n\nThis function is called from ethtool_set_rxfh() and \"*rss_context\"\ncomes from the user.  Add some bounds checking to prevent memory\ncorruption.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47148",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fujitsu: fix potential null-ptr-deref\n\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. To fix this, check the return value of ioremap and return -1\nto the caller in case of failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47149",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: fix the potential memory leak in fec_enet_init()\n\nIf the memory allocation for cbd_base fails, it should\nfree the memory allocated for the queues, otherwise it causes a\nmemory leak.\n\nAnd if the memory allocation for the queues fails, it can\nreturn an error directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47150",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: bcm-voter: add a missing of_node_put()\n\nAdd a missing of_node_put() in of_bcm_voter_get() to avoid the\nreference leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47151",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data stream corruption\n\nMaxim reported several issues when forcing a TCP transparent proxy\nto use the MPTCP protocol for the inbound connections. He also\nprovided a clean reproducer.\n\nThe problem boils down to 'mptcp_frag_can_collapse_to()' assuming\nthat only MPTCP will use the given page_frag.\n\nIf others - e.g. the plain TCP protocol - allocate page fragments,\nwe can end-up re-using already allocated memory for mptcp_data_frag.\n\nFix the issue ensuring that the to-be-expanded data fragment is\nlocated at the current page frag end.\n\nv1 -> v2:\n - added missing fixes tag (Mat)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47152",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Don't generate an interrupt on bus reset\n\nNow that the i2c-i801 driver supports interrupts, setting the KILL bit\nin an attempt to recover from a timed out transaction triggers an\ninterrupt. Unfortunately, the interrupt handler (i801_isr) is not\nprepared for this situation and will try to process the interrupt as\nif it was signaling the end of a successful transaction. In the case\nof a block transaction, this can result in an out-of-range memory\naccess.\n\nThis condition was reproduced several times by syzbot:\nhttps://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e\nhttps://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e\nhttps://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e\nhttps://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb\nhttps://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a\nhttps://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79\n\nSo disable interrupts while trying to reset the bus. Interrupts will\nbe enabled again for the following transaction.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47153",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: add error handling in sja1105_setup()\n\nIf any of sja1105_static_config_load(), sja1105_clocking_setup() or\nsja1105_devlink_setup() fails, we can't just return in the middle of\nsja1105_setup() or memory will leak. Add a cleanup path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47158",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix a crash if ->get_sset_count() fails\n\nIf ds->ops->get_sset_count() fails then \"count\" is a negative error\ncode such as -EOPNOTSUPP.  Because \"i\" is an unsigned int, the negative\nerror code is type promoted to a very high value and the loop will\ncorrupt memory until the system crashes.\n\nFix this by checking for error codes and changing the type of \"i\" to\njust int.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47159",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mt7530: fix VLAN traffic leaks\n\nPCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but\nwas not reset when it is disabled, which may cause traffic leaks:\n\n\tip link add br0 type bridge vlan_filtering 1\n\tip link add br1 type bridge vlan_filtering 1\n\tip link set swp0 master br0\n\tip link set swp1 master br1\n\tip link set br0 type bridge vlan_filtering 0\n\tip link set br1 type bridge vlan_filtering 0\n\t# traffic in br0 and br1 will start leaking to each other\n\nAs port_bridge_{add,del} have set up PCR_MATRIX properly, remove the\nPCR_MATRIX write from mt7530_port_set_vlan_aware.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47160",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-dspi: Fix a resource leak in an error handling path\n\n'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the\nerror handling path of the probe function, as already done in the remove\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47161",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: skb_linearize the head skb when reassembling msgs\n\nIt's not a good idea to append the frag skb to a skb's frag_list if\nthe frag_list already has skbs from elsewhere, such as this skb was\ncreated by pskb_copy() where the frag_list was cloned (all the skbs\nin it were skb_get'ed) and shared by multiple skbs.\n\nHowever, the new appended frag skb should have been only seen by the\ncurrent skb. Otherwise, it will cause use after free crashes as this\nappended frag skb is seen by multiple skbs but it only got skb_get\ncalled once.\n\nThe same thing happens with a skb updated by pskb_may_pull() with a\nskb_cloned skb. Li Shuang has reported quite a few crashes caused\nby this when doing testing over macvlan devices:\n\n  [] kernel BUG at net/core/skbuff.c:1970!\n  [] Call Trace:\n  []  skb_clone+0x4d/0xb0\n  []  macvlan_broadcast+0xd8/0x160 [macvlan]\n  []  macvlan_process_broadcast+0x148/0x150 [macvlan]\n  []  process_one_work+0x1a7/0x360\n  []  worker_thread+0x30/0x390\n\n  [] kernel BUG at mm/usercopy.c:102!\n  [] Call Trace:\n  []  __check_heap_object+0xd3/0x100\n  []  __check_object_size+0xff/0x16b\n  []  simple_copy_to_iter+0x1c/0x30\n  []  __skb_datagram_iter+0x7d/0x310\n  []  __skb_datagram_iter+0x2a5/0x310\n  []  skb_copy_datagram_iter+0x3b/0x90\n  []  tipc_recvmsg+0x14a/0x3a0 [tipc]\n  []  ____sys_recvmsg+0x91/0x150\n  []  ___sys_recvmsg+0x7b/0xc0\n\n  [] kernel BUG at mm/slub.c:305!\n  [] Call Trace:\n  []  <IRQ>\n  []  kmem_cache_free+0x3ff/0x400\n  []  __netif_receive_skb_core+0x12c/0xc40\n  []  ? kmem_cache_alloc+0x12e/0x270\n  []  netif_receive_skb_internal+0x3d/0xb0\n  []  ? get_rx_page_info+0x8e/0xa0 [be2net]\n  []  be_poll+0x6ef/0xd00 [be2net]\n  []  ? irq_exit+0x4f/0x100\n  []  net_rx_action+0x149/0x3b0\n\n  ...\n\nThis patch is to fix it by linearizing the head skb if it has frag_list\nset in tipc_buf_append(). Note that we choose to do this before calling\nskb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can\nnot just drop the frag_list either as the early time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47162",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: wait and exit until all work queues are done\n\nOn some host, a crash could be triggered simply by repeating these\ncommands several times:\n\n  # modprobe tipc\n  # tipc bearer enable media udp name UDP1 localip 127.0.0.1\n  # rmmod tipc\n\n  [] BUG: unable to handle kernel paging request at ffffffffc096bb00\n  [] Workqueue: events 0xffffffffc096bb00\n  [] Call Trace:\n  []  ? process_one_work+0x1a7/0x360\n  []  ? worker_thread+0x30/0x390\n  []  ? create_worker+0x1a0/0x1a0\n  []  ? kthread+0x116/0x130\n  []  ? kthread_flush_work_fn+0x10/0x10\n  []  ? ret_from_fork+0x35/0x40\n\nWhen removing the TIPC module, the UDP tunnel sock will be delayed to\nrelease in a work queue as sock_release() can't be done in rtnl_lock().\nIf the work queue is scheduled to run after the TIPC module is removed,\nthe kernel will crash as the work queue function cleanup_beareri() code no\nlonger exists when trying to invoke it.\n\nTo fix it, this patch introduces a member wq_count in tipc_net to track\nthe number of work queues scheduled, and wait and exit until all\nwork queues are done in tipc_exit_net().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47163",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix null deref accessing lag dev\n\nIt could be the lag dev is null so stop processing the event.\nIn bond_enslave() the active/backup slave is set before setting the\nupper dev, so the first event is without an upper dev.\nAfter setting the upper dev with bond_master_upper_dev_link() there is\na second event and in that event we have an upper dev.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47164",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: fix shutdown crash when component not probed\n\nWhen main component is not probed, for example when the dw-hdmi module is\nnot loaded yet or in probe defer, the following crash appears on shutdown:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000038\n...\npc : meson_drv_shutdown+0x24/0x50\nlr : platform_drv_shutdown+0x20/0x30\n...\nCall trace:\nmeson_drv_shutdown+0x24/0x50\nplatform_drv_shutdown+0x20/0x30\ndevice_shutdown+0x158/0x360\nkernel_restart_prepare+0x38/0x48\nkernel_restart+0x18/0x68\n__do_sys_reboot+0x224/0x250\n__arm64_sys_reboot+0x24/0x30\n...\n\nSimply check if the priv struct has been allocated before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47165",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()\n\nThe value of mirror->pg_bytes_written should only be updated after a\nsuccessful attempt to flush out the requests on the list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47166",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix an Oopsable condition in __nfs_pageio_add_request()\n\nEnsure that nfs_pageio_error_cleanup() resets the mirror array contents,\nso that the structure reflects the fact that it is now empty.\nAlso change the test in nfs_pageio_do_add_request() to be more robust by\nchecking whether or not the list is empty rather than relying on the\nvalue of pg_count.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47167",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fix an incorrect limit in filelayout_decode_layout()\n\nThe \"sizeof(struct nfs_fh)\" is two bytes too large and could lead to\nmemory corruption.  It should be NFS_MAXFHSIZE because that's the size\nof the ->data[] buffer.\n\nI reversed the size of the arguments to put the variable on the left.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47168",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'\n\nIn 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls\n'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the\nfirmware doesn't exist, the function just returns without initializing ports\nof 'rp2_card'. But now the interrupt handler function has been\nregistered, and when an interrupt comes, 'rp2_uart_interrupt' may access\nthose ports, causing NULL pointer dereference or other bugs.\n\nBecause the driver does some initialization work in 'rp2_fw_cb', in\norder to make the driver ready to handle interrupts, 'request_firmware'\nshould be used instead of asynchronous 'request_firmware_nowait'.\n\nThis report reveals it:\n\nINFO: trying to register non-static key.\nthe code is fine but needs lockdep annotation.\nturning off the locking correctness validator.\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-\ngc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xec/0x156 lib/dump_stack.c:118\n assign_lock_key kernel/locking/lockdep.c:727 [inline]\n register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753\n __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303\n lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907\n __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]\n _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144\n spin_lock include/linux/spinlock.h:329 [inline]\n rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]\n rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493\n rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504\n __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149\n handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189\n handle_irq_event+0xac/0x140 kernel/irq/handle.c:206\n handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725\n generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]\n handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87\n do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247\n common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670\n </IRQ>\nRIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61\nCode: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8\n8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90\n90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41\nRSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde\nRAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200\nRBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840\nR10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002\nR13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000\n arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]\n default_idle+0x6f/0x360 arch/x86/kernel/process.c:557\n arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548\n default_idle_call+0x3b/0x60 kernel/sched/idle.c:93\n cpuidle_idle_call kernel/sched/idle.c:153 [inline]\n do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263\n cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369\n start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271\n secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nPGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0\nOops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-\ngc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]\nRIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]\nRIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:\n493\nCo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47169",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbfs: Don't WARN about excessively large memory allocations\n\nSyzbot found that the kernel generates a WARNing if the user tries to\nsubmit a bulk transfer through usbfs with a buffer that is way too\nlarge.  This isn't a bug in the kernel; it's merely an invalid request\nfrom the user and the usbfs code does handle it correctly.\n\nIn theory the same thing can happen with async transfers, or with the\npacket descriptor table for isochronous transfers.\n\nTo prevent the MM subsystem from complaining about these bad\nallocation requests, add the __GFP_NOWARN flag to the kmalloc calls\nfor these buffers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47170",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix memory leak in smsc75xx_bind\n\nSyzbot reported memory leak in smsc75xx_bind().\nThe problem was non-freed memory in case of\nerrors after memory allocation.\n\nbacktrace:\n  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]\n  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]\n  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460\n  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47171",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7124: Fix potential overflow due to non sequential channel numbers\n\nChannel numbering must start at 0 and then not have any holes, or\nit is possible to overflow the available storage.  Note this bug was\nintroduced as part of a fix to ensure we didn't rely on the ordering\nof child nodes.  So we need to support arbitrary ordering but they all\nneed to be there somewhere.\n\nNote I hit this when using qemu to test the rest of this series.\nArguably this isn't the best fix, but it is probably the most minimal\noption for backporting etc.\n\nAlexandru's sign-off is here because he carried this patch in a larger\nset that Jonathan then applied.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47172",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/uss720: fix memory leak in uss720_probe\n\nuss720_probe forgets to decrease the refcount of usbdev in uss720_probe.\nFix this by decreasing the refcount of usbdev by usb_put_dev.\n\nBUG: memory leak\nunreferenced object 0xffff888101113800 (size 2048):\n  comm \"kworker/0:1\", pid 7, jiffies 4294956777 (age 28.870s)\n  hex dump (first 32 bytes):\n    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........\n    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00  ................\n  backtrace:\n    [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline]\n    [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline]\n    [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582\n    [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]\n    [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]\n    [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline]\n    [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591\n    [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275\n    [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421\n    [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292\n    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47173",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version\n\nArturo reported this backtrace:\n\n[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0\n[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod\n[709732.358941]  pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common\n[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1\n[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020\n[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0\n[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb\n[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202\n[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001\n[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003\n[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462\n[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960\n[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660\n[709732.358990] FS:  0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000\n[709732.358993] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0\n[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[709732.359003] PKRU: 55555554\n[709732.359005] Call Trace:\n[709732.359009]  <IRQ>\n[709732.359035]  nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]\n[709732.359046]  ? sched_clock+0x5/0x10\n[709732.359054]  ? sched_clock_cpu+0xc/0xb0\n[709732.359061]  ? record_times+0x16/0x80\n[709732.359068]  ? plist_add+0xc1/0x100\n[709732.359073]  ? psi_group_change+0x47/0x230\n[709732.359079]  ? skb_clone+0x4d/0xb0\n[709732.359085]  ? enqueue_task_rt+0x22b/0x310\n[709732.359098]  ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]\n[709732.359102]  ? packet_rcv+0x40/0x4a0\n[709732.359121]  nft_lookup_eval+0x59/0x160 [nf_tables]\n[709732.359133]  nft_do_chain+0x350/0x500 [nf_tables]\n[709732.359152]  ? nft_lookup_eval+0x59/0x160 [nf_tables]\n[709732.359163]  ? nft_do_chain+0x364/0x500 [nf_tables]\n[709732.359172]  ? fib4_rule_action+0x6d/0x80\n[709732.359178]  ? fib_rules_lookup+0x107/0x250\n[709732.359184]  nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]\n[709732.359193]  nf_nat_inet_fn+0xea/0x210 [nf_nat]\n[709732.359202]  nf_nat_ipv4_out+0x14/0xa0 [nf_nat]\n[709732.359207]  nf_hook_slow+0x44/0xc0\n[709732.359214]  ip_output+0xd2/0x100\n[709732.359221]  ? __ip_finish_output+0x210/0x210\n[709732.359226]  ip_forward+0x37d/0x4a0\n[709732.359232]  ? ip4_key_hashfn+0xb0/0xb0\n[709732.359238]  ip_subli\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47174",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: fix OOB access in the traffic path\n\nthe following script:\n\n  # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2\n  # tc qdisc add dev eth0 clsact\n  # tc filter add dev eth0 egress matchall action skbedit priority 0x10002\n  # ping 192.0.2.2 -I eth0 -c2 -w1 -q\n\nproduces the following splat:\n\n BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]\n Read of size 4 at addr ffff888171306924 by task ping/942\n\n CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]\n  __dev_queue_xmit+0x1034/0x2b10\n  ip_finish_output2+0xc62/0x2120\n  __ip_finish_output+0x553/0xea0\n  ip_output+0x1ca/0x4d0\n  ip_send_skb+0x37/0xa0\n  raw_sendmsg+0x1c4b/0x2d00\n  sock_sendmsg+0xdb/0x110\n  __sys_sendto+0x1d7/0x2b0\n  __x64_sys_sendto+0xdd/0x1b0\n  do_syscall_64+0x3c/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fe69735c3eb\n Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89\n RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb\n RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003\n RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260\n R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0\n\n Allocated by task 917:\n  kasan_save_stack+0x19/0x40\n  __kasan_kmalloc+0x7f/0xa0\n  __kmalloc_node+0x139/0x280\n  fq_pie_init+0x555/0x8e8 [sch_fq_pie]\n  qdisc_create+0x407/0x11b0\n  tc_modify_qdisc+0x3c2/0x17e0\n  rtnetlink_rcv_msg+0x346/0x8e0\n  netlink_rcv_skb+0x120/0x380\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x3c/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff888171306800\n  which belongs to the cache kmalloc-256 of size 256\n The buggy address is located 36 bytes to the right of\n  256-byte region [ffff888171306800, ffff888171306900)\n The buggy address belongs to the page:\n page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306\n head:00000000bcfb624e order:1 compound_mapcount:0\n flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                                ^\n  ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n  ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nfix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a\nvalid flow: it's an address beyond the allocated memory.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47175",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: add missing discipline function\n\nFix crash with illegal operation exception in dasd_device_tasklet.\nCommit b72949328869 (\"s390/dasd: Prepare for additional path event handling\")\nrenamed the verify_path function for ECKD but not for FBA and DIAG.\nThis leads to a panic when the path verification function is called for a\nFBA or DIAG device.\n\nFix by defining a wrapper function for dasd_generic_verify_path().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47176",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix sysfs leak in alloc_iommu()\n\niommu_device_sysfs_add() is called before, so it has to be cleaned on subsequent\nerrors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47177",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Avoid smp_processor_id() in preemptible code\n\nThe BUG message \"BUG: using smp_processor_id() in preemptible [00000000]\ncode\" was observed for TCMU devices with kernel config DEBUG_PREEMPT.\n\nThe message was observed when blktests block/005 was run on TCMU devices\nwith fileio backend or user:zbc backend [1]. The commit 1130b499b4a7\n(\"scsi: target: tcm_loop: Use LIO wq cmd submission helper\") triggered the\nsymptom. The commit modified work queue to handle commands and changed\n'current->nr_cpu_allowed' at smp_processor_id() call.\n\nThe message was also observed at system shutdown when TCMU devices were not\ncleaned up [2]. The function smp_processor_id() was called in SCSI host\nwork queue for abort handling, and triggered the BUG message. This symptom\nwas observed regardless of the commit 1130b499b4a7 (\"scsi: target:\ntcm_loop: Use LIO wq cmd submission helper\").\n\nTo avoid the preemptible code check at smp_processor_id(), get CPU ID with\nraw_smp_processor_id() instead. The CPU ID is used for performance\nimprovement then thread move to other CPU will not affect the code.\n\n[1]\n\n[   56.468103] run blktests block/005 at 2021-05-12 14:16:38\n[   57.369473] check_preemption_disabled: 85 callbacks suppressed\n[   57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511\n[   57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510\n[   57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506\n[   57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34\n[   57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[   57.369617] Call Trace:\n[   57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507\n[   57.369628]  dump_stack+0x6d/0x89\n[   57.369642]  check_preemption_disabled+0xc8/0xd0\n[   57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369655]  __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369695]  target_init_cmd+0x76/0x90 [target_core_mod]\n[   57.369732]  tcm_loop_queuecommand+0x109/0x210 [tcm_loop]\n[   57.369744]  scsi_queue_rq+0x38e/0xc40\n[   57.369761]  __blk_mq_try_issue_directly+0x109/0x1c0\n[   57.369779]  blk_mq_try_issue_directly+0x43/0x90\n[   57.369790]  blk_mq_submit_bio+0x4e5/0x5d0\n[   57.369812]  submit_bio_noacct+0x46e/0x4e0\n[   57.369830]  __blkdev_direct_IO_simple+0x1a3/0x2d0\n[   57.369859]  ? set_init_blocksize.isra.0+0x60/0x60\n[   57.369880]  generic_file_read_iter+0x89/0x160\n[   57.369898]  blkdev_read_iter+0x44/0x60\n[   57.369906]  new_sync_read+0x102/0x170\n[   57.369929]  vfs_read+0xd4/0x160\n[   57.369941]  __x64_sys_pread64+0x6e/0xa0\n[   57.369946]  ? lockdep_hardirqs_on+0x79/0x100\n[   57.369958]  do_syscall_64+0x3a/0x70\n[   57.369965]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   57.369973] RIP: 0033:0x7f7ed4c1399f\n[   57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b\n[   57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[   57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f\n[   57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009\n[   57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001\n[   57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70\n[   57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568\n[   57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34\n[   57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[   57.370039] Call Trace:\n[   57.370045]  dump_stack+0x6d/0x89\n[   57.370056]  ch\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47178",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()\n\nCommit de144ff4234f changes _pnfs_return_layout() to call\npnfs_mark_matching_lsegs_return() passing NULL as the struct\npnfs_layout_range argument. Unfortunately,\npnfs_mark_matching_lsegs_return() doesn't check if we have a value here\nbefore dereferencing it, causing an oops.\n\nI'm able to hit this crash consistently when running connectathon basic\ntests on NFS v4.1/v4.2 against Ontap.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47179",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12.9"
        },
        {
          "id": "CVE-2021-47180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: fix memory leak in nci_allocate_device\n\nnfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.\nFix this by freeing hci_dev in nci_free_device.\n\nBUG: memory leak\nunreferenced object 0xffff888111ea6800 (size 1024):\n  comm \"kworker/1:0\", pid 19, jiffies 4294942308 (age 13.580s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff  .........`......\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline]\n    [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline]\n    [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784\n    [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline]\n    [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132\n    [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153\n    [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345\n    [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554\n    [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740\n    [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846\n    [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431\n    [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914\n    [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491\n    [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109\n    [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164\n    [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47180",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: tusb6010: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need to check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47181",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the following:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47182",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\n\nIf an FC link down transition occurs while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\n\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\n\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47183",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix NULL ptr dereference on VSI filter sync\n\nRemove the reason of null pointer dereference in sync VSI filters.\nAdded new I40E_VSI_RELEASING flag to signalize deleting and releasing\nof VSI resources to sync this thread with sync filters subtask.\nWithout this patch it is possible to start updating the VSI filter list\nafter VSI is removed, that's causing a kernel oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47184",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: tty_buffer: Fix the softlockup issue in flush_to_ldisc\n\nWhen running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,\nwhich looks like this one:\n\n  Workqueue: events_unbound flush_to_ldisc\n  Call trace:\n   dump_backtrace+0x0/0x1ec\n   show_stack+0x24/0x30\n   dump_stack+0xd0/0x128\n   panic+0x15c/0x374\n   watchdog_timer_fn+0x2b8/0x304\n   __run_hrtimer+0x88/0x2c0\n   __hrtimer_run_queues+0xa4/0x120\n   hrtimer_interrupt+0xfc/0x270\n   arch_timer_handler_phys+0x40/0x50\n   handle_percpu_devid_irq+0x94/0x220\n   __handle_domain_irq+0x88/0xf0\n   gic_handle_irq+0x84/0xfc\n   el1_irq+0xc8/0x180\n   slip_unesc+0x80/0x214 [slip]\n   tty_ldisc_receive_buf+0x64/0x80\n   tty_port_default_receive_buf+0x50/0x90\n   flush_to_ldisc+0xbc/0x110\n   process_one_work+0x1d4/0x4b0\n   worker_thread+0x180/0x430\n   kthread+0x11c/0x120\n\nIn the testcase pty04, The first process calls the write syscall to send\ndata to the pty master. At the same time, the workqueue will do the\nflush_to_ldisc to pop data in a loop until there is no more data left.\nWhen the sender and workqueue running in different core, the sender sends\ndata fastly in full time which will result in workqueue doing work in loop\nfor a long time and occurring softlockup in flush_to_ldisc with kernel\nconfigured without preempt. So I add need_resched check and cond_resched\nin the flush_to_ldisc loop to avoid it.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47185",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: check for null after calling kmemdup\n\nkmemdup can return a null pointer so need to check for it, otherwise\nthe null key will be dereferenced later in tipc_crypto_key_xmit as\ncan be seen in the trace [1].\n\n\n[1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47186",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency\n\nThe entry/exit latency and minimum residency in state for the idle\nstates of MSM8998 were ..bad: first of all, for all of them the\ntimings were written for CPU sleep but the min-residency-us param\nwas miscalculated (supposedly, while porting this from downstream);\nThen, the power collapse states are setting PC on both the CPU\ncluster *and* the L2 cache, which have different timings: in the\nspecific case of L2 the times are higher so these ones should be\ntaken into account instead of the CPU ones.\n\nThis parameter misconfiguration was not giving particular issues\nbecause on MSM8998 there was no CPU scaling at all, so cluster/L2\npower collapse was rarely (if ever) hit.\nWhen CPU scaling is enabled, though, the wrong timings will produce\nSoC instability shown to the user as random, apparently error-less,\nsudden reboots and/or lockups.\n\nThis set of parameters are stabilizing the SoC when CPU scaling is\nON and when power collapse is frequently hit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47187",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Improve SCSI abort handling\n\nThe following has been observed on a test setup:\n\nWARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c\nCall trace:\n ufshcd_queuecommand+0x468/0x65c\n scsi_send_eh_cmnd+0x224/0x6a0\n scsi_eh_test_devices+0x248/0x418\n scsi_eh_ready_devs+0xc34/0xe58\n scsi_error_handler+0x204/0x80c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nThat warning is triggered by the following statement:\n\n\tWARN_ON(lrbp->cmd);\n\nFix this warning by clearing lrbp->cmd from the abort handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47188",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory ordering between normal and ordered work functions\n\nOrdered work functions aren't guaranteed to be handled by the same thread\nwhich executed the normal work functions. The only way execution between\nnormal/ordered functions is synchronized is via the WORK_DONE_BIT,\nunfortunately the used bitops don't guarantee any ordering whatsoever.\n\nThis manifested as seemingly inexplicable crashes on ARM64, where\nasync_chunk::inode is seen as non-null in async_cow_submit which causes\nsubmit_compressed_extents to be called and crash occurs because\nasync_chunk::inode suddenly became NULL. The call trace was similar to:\n\n    pc : submit_compressed_extents+0x38/0x3d0\n    lr : async_cow_submit+0x50/0xd0\n    sp : ffff800015d4bc20\n\n    <registers omitted for brevity>\n\n    Call trace:\n     submit_compressed_extents+0x38/0x3d0\n     async_cow_submit+0x50/0xd0\n     run_ordered_work+0xc8/0x280\n     btrfs_work_helper+0x98/0x250\n     process_one_work+0x1f0/0x4ac\n     worker_thread+0x188/0x504\n     kthread+0x110/0x114\n     ret_from_fork+0x10/0x18\n\nFix this by adding respective barrier calls which ensure that all\naccesses preceding setting of WORK_DONE_BIT are strictly ordered before\nsetting the flag. At the same time add a read barrier after reading of\nWORK_DONE_BIT in run_ordered_work which ensures all subsequent loads\nwould be strictly ordered after reading the bit. This in turn ensures\nthat all accesses before WORK_DONE_BIT are going to be strictly ordered\nbefore any access that can occur in ordered_func.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47189",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf bpf: Avoid memory leak from perf_env__insert_btf()\n\nperf_env__insert_btf() doesn't insert if a duplicate BTF id is\nencountered and this causes a memory leak. Modify the function to return\na success/error value and then free the memory if insertion didn't\nhappen.\n\nv2. Adds a return -1 when the insertion error occurs in\n    perf_env__fetch_btf. This doesn't affect anything as the result is\n    never checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47190",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_readcap16()\n\nThe following warning was observed running syzkaller:\n\n[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;\n[ 3813.830724]    program syz-executor not setting count and/or reply_len properly\n[ 3813.836956] ==================================================================\n[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0\n[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549\n[ 3813.846612] Call Trace:\n[ 3813.846995]  dump_stack+0x108/0x15f\n[ 3813.847524]  print_address_description+0xa5/0x372\n[ 3813.848243]  kasan_report.cold+0x236/0x2a8\n[ 3813.849439]  check_memory_region+0x240/0x270\n[ 3813.850094]  memcpy+0x30/0x80\n[ 3813.850553]  sg_copy_buffer+0x157/0x1e0\n[ 3813.853032]  sg_copy_from_buffer+0x13/0x20\n[ 3813.853660]  fill_from_dev_buffer+0x135/0x370\n[ 3813.854329]  resp_readcap16+0x1ac/0x280\n[ 3813.856917]  schedule_resp+0x41f/0x1630\n[ 3813.858203]  scsi_debug_queuecommand+0xb32/0x17e0\n[ 3813.862699]  scsi_dispatch_cmd+0x330/0x950\n[ 3813.863329]  scsi_request_fn+0xd8e/0x1710\n[ 3813.863946]  __blk_run_queue+0x10b/0x230\n[ 3813.864544]  blk_execute_rq_nowait+0x1d8/0x400\n[ 3813.865220]  sg_common_write.isra.0+0xe61/0x2420\n[ 3813.871637]  sg_write+0x6c8/0xef0\n[ 3813.878853]  __vfs_write+0xe4/0x800\n[ 3813.883487]  vfs_write+0x17b/0x530\n[ 3813.884008]  ksys_write+0x103/0x270\n[ 3813.886268]  __x64_sys_write+0x77/0xc0\n[ 3813.886841]  do_syscall_64+0x106/0x360\n[ 3813.887415]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThis issue can be reproduced with the following syzkaller log:\n\nr0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x26e1, 0x0)\nr1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\\x00')\nopen_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)\nr2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)\nwrite$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB=\"00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d\"], 0x126)\n\nIn resp_readcap16() we get \"int alloc_len\" value -1104926854, and then pass\nthe huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This\nleads to OOB in sg_copy_buffer().\n\nTo solve this issue, define alloc_len as u32.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47191",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: sysfs: Fix hang when device state is set via sysfs\n\nThis fixes a regression added with:\n\ncommit f0f82e2476f6 (\"scsi: core: Fix capacity set to zero after\nofflinining device\")\n\nThe problem is that after iSCSI recovery, iscsid will call into the kernel\nto set the dev's state to running, and with that patch we now call\nscsi_rescan_device() with the state_mutex held. If the SCSI error handler\nthread is just starting to test the device in scsi_send_eh_cmnd() then it's\ngoing to try to grab the state_mutex.\n\nWe are then stuck, because when scsi_rescan_device() tries to send its I/O\nscsi_queue_rq() calls -> scsi_host_queue_ready() -> scsi_host_in_recovery()\nwhich will return true (the host state is still in recovery) and I/O will\njust be requeued. scsi_send_eh_cmnd() will then never be able to grab the\nstate_mutex to finish error handling.\n\nTo prevent the deadlock move the rescan-related code to after we drop the\nstate_mutex.\n\nThis also adds a check for if we are already in the running state. This\nprevents extra scans and helps the iscsid case where if the transport class\nhas already onlined the device during its recovery process then we don't\nneed userspace to do it again plus possibly block that daemon.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47192",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix memory leak during rmmod\n\nDriver failed to release all memory allocated. This would lead to memory\nleak during driver removal.\n\nProperly free memory when the module is removed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47193",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\n\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata->assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47194",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free of the add_lock mutex\n\nCommit 6098475d4cb4 (\"spi: Fix deadlock when adding SPI controllers on\nSPI buses\") introduced a per-controller mutex. But mutex_unlock() of\nsaid lock is called after the controller is already freed:\n\n  spi_unregister_controller(ctlr)\n  -> put_device(&ctlr->dev)\n    -> spi_controller_release(dev)\n  -> mutex_unlock(&ctrl->add_lock)\n\nMove the put_device() after the mutex_unlock().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47195",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n  dump_stack_lvl+0x45/0x59\n  print_address_description.constprop.0+0x1f/0x140\n  kasan_report.cold+0x83/0xdf\n  create_qp.cold+0x164/0x16e [mlx5_ib]\n  mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n  create_qp.part.0+0x45b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n  kasan_save_stack+0x1b/0x40\n  __kasan_kmalloc+0xa4/0xd0\n  create_qp.part.0+0x92/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n  kasan_save_stack+0x1b/0x40\n  kasan_set_track+0x1c/0x30\n  kasan_set_free_info+0x20/0x30\n  __kasan_slab_free+0x10c/0x150\n  slab_free_freelist_hook+0xb4/0x1b0\n  kfree+0xe7/0x2a0\n  create_qp.part.0+0x52b/0x6a0 [ib_core]\n  ib_create_qp_user+0x97/0x150 [ib_core]\n  ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n  ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n  __x64_sys_ioctl+0x866/0x14d0\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47196",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()\n\nPrior to this patch, in case mlx5_core_destroy_cq() failed it proceeded\nto the rest of the destroy operations. mlx5_core_destroy_cq() could be called again\nby user and cause an additional call of mlx5_debug_cq_remove().\ncq->dbg was not nullified in the previous call and caused the crash.\n\nFix it by nullifying the cq->dbg pointer after removal.\n\nAlso proceed to destroy operations only if FW returns 0\nfor MLX5_CMD_OP_DESTROY_CQ command.\n\ngeneral protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI\nCPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:lockref_get+0x1/0x60\nCode: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02\n00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17\n48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48\nRSP: 0018:ffff888137dd7a38 EFLAGS: 00010206\nRAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe\nRDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058\nRBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000\nR13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0\nFS:  00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0\nCall Trace:\n  simple_recursive_removal+0x33/0x2e0\n  ? debugfs_remove+0x60/0x60\n  debugfs_remove+0x40/0x60\n  mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]\n  mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]\n  devx_obj_cleanup+0x151/0x330 [mlx5_ib]\n  ? __pollwait+0xd0/0xd0\n  ? xas_load+0x5/0x70\n  ? xa_load+0x62/0xa0\n  destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]\n  uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]\n  uobj_destroy+0x54/0xa0 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]\n  ? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]\n  ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]\n  __x64_sys_ioctl+0x3e4/0x8e0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47197",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine\n\nAn error is detected with the following report when unloading the driver:\n  \"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b\"\n\nThe NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the\nflag is not cleared upon completion of the login.\n\nThis allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set\nto LPFC_RPI_ALLOW_ERROR.  This results in a use after free access when used\nas an rpi_ids array index.\n\nFix by clearing the NLP_REG_LOGIN_SEND nlp_flag in\nlpfc_mbx_cmpl_fc_reg_login().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47198",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT, Fix multiple allocations and memleak of mod acts\n\nCT clear action offload adds additional mod hdr actions to the\nflow's original mod actions in order to clear the registers which\nhold ct_state.\nWhen such flow also includes encap action, a neigh update event\ncan cause the driver to unoffload the flow and then reoffload it.\n\nEach time this happens, the ct clear handling adds that same set\nof mod hdr actions to reset ct_state until the max of mod hdr\nactions is reached.\n\nAlso the driver never releases the allocated mod hdr actions,\ncausing a memleak.\n\nFix above two issues by moving CT clear mod acts allocation\ninto the parsing actions phase and only use it when offloading the rule.\nThe release of mod acts will be done in the normal flow_put().\n\n backtrace:\n    [<000000007316e2f3>] krealloc+0x83/0xd0\n    [<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]\n    [<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]\n    [<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]\n    [<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]\n    [<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]\n    [<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]\n    [<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]\n    [<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]\n    [<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47199",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was foreseen when the reference dropping was added in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n  \"For that to work properly the drm_gem_object_get() call in\n  drm_gem_ttm_mmap() must be moved so it happens before calling\n  obj->funcs->mmap(), otherwise the gem refcount would go down\n  to zero.\"",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47200",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: free q_vectors before queues in iavf_disable_vf\n\niavf_free_queues() clears adapter->num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47201",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: Fix NULL pointer dereferences in of_thermal_ functions\n\nof_parse_thermal_zones() parses the thermal-zones node and registers a\nthermal_zone device for each subnode. However, if a thermal zone is\nconsuming a thermal sensor and that thermal sensor device hasn't probed\nyet, an attempt to set trip_point_*_temp for that thermal zone device\ncan cause a NULL pointer dereference. Fix it.\n\n console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp\n ...\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n ...\n Call trace:\n  of_thermal_set_trip_temp+0x40/0xc4\n  trip_point_temp_store+0xc0/0x1dc\n  dev_attr_store+0x38/0x88\n  sysfs_kf_write+0x64/0xc0\n  kernfs_fop_write_iter+0x108/0x1d0\n  vfs_write+0x2f4/0x368\n  ksys_write+0x7c/0xec\n  __arm64_sys_write+0x20/0x30\n  el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc\n  do_el0_svc+0x28/0xa0\n  el0_svc+0x14/0x24\n  el0_sync_handler+0x88/0xec\n  el0_sync+0x1c0/0x200\n\nWhile at it, fix the possible NULL pointer dereference in other\nfunctions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),\nof_thermal_get_trend().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47202",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\n\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \"fail_msg\"\nstring is set and a log message output.  The job is then added to a\ncompletions list for cancellation.\n\nProcessing of any further jobs from the txq list continues, but since\n\"fail_msg\" remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter.  If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\n\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47203",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dpaa2-eth: fix use-after-free in dpaa2_eth_remove\n\nAccess to netdev after free_netdev() will cause use-after-free bug.\nMove debug log before free_netdev() call to avoid it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47204",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: Unregister clocks/resets when unbinding\n\nCurrently, unbinding a CCU driver unmaps the device's MMIO region, while\nleaving its clocks/resets and their providers registered. This can cause\na page fault later when some clock operation tries to perform MMIO. Fix\nthis by separating the CCU initialization from the memory allocation,\nand then using a devres callback to unregister the clocks and resets.\n\nThis also fixes a memory leak of the `struct ccu_reset`, and uses the\ncorrect owner (the specific platform driver) for the clocks and resets.\n\nEarly OF clock providers are never unregistered, and limited error\nhandling is possible, so they are mostly unchanged. The error reporting\nis made more consistent by moving the message inside of_sunxi_ccu_probe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47205",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: ohci-tmio: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nso we need to check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47206",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: gus: fix null pointer dereference on pointer block\n\nThe pointer block returned from snd_gf1_dma_next_block could be\nnull, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47207",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. 
These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n    CPU1:                                      CPU2:\n      :                                        timer IRQ:\n      :                                          do_sched_cfs_period_timer():\n      :                                            :\n      :                                            distribute_cfs_runtime():\n      :                                              rcu_read_lock();\n      :                                              :\n      :                                              unthrottle_cfs_rq():\n    sched_offline_group():                             :\n      :                                                walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\n      list_del_rcu(&tg->list);                           :\n (1)  :                                                  list_for_each_entry_rcu(child, &parent->children, siblings)\n      :                                                    :\n (2)  list_del_rcu(&tg->siblings);                         :\n      :                                                    tg_unthrottle_up():\n      unregister_fair_sched_group():                         struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n        :                                                    :\n        list_del_leaf_cfs_rq(tg->cfs_rq[cpu]);               :\n        :                                                    :\n        :                                                    if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3)    :                                                        list_add_leaf_cfs_rq(cfs_rq);\n      :                
                                      :\n      :                                                    :\n      :                                                  :\n      :                                                :\n      :                           \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47209",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\n\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There's no need to crash systems\nwith panic-on-warn enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47210",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\n\nThe pointer cs_desc returned from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47211",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Update error handler for UCTX and UMEM\n\nIn the fast unload flow, the device state is set to internal error,\nwhich indicates that the driver started the destroy process.\nIn this case, when a destroy command is being executed, it should return\nMLX5_CMD_STAT_OK.\nFix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK\ninstead of EIO.\n\nThis fixes a call trace in the umem release process -\n[ 2633.536695] Call Trace:\n[ 2633.537518]  ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n[ 2633.538596]  remove_client_context+0x8b/0xd0 [ib_core]\n[ 2633.539641]  disable_device+0x8c/0x130 [ib_core]\n[ 2633.540615]  __ib_unregister_device+0x35/0xa0 [ib_core]\n[ 2633.541640]  ib_unregister_device+0x21/0x30 [ib_core]\n[ 2633.542663]  __mlx5_ib_remove+0x38/0x90 [mlx5_ib]\n[ 2633.543640]  auxiliary_bus_remove+0x1e/0x30 [auxiliary]\n[ 2633.544661]  device_release_driver_internal+0x103/0x1f0\n[ 2633.545679]  bus_remove_device+0xf7/0x170\n[ 2633.546640]  device_del+0x181/0x410\n[ 2633.547606]  mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]\n[ 2633.548777]  mlx5_unregister_device+0x27/0x40 [mlx5_core]\n[ 2633.549841]  mlx5_uninit_one+0x21/0xc0 [mlx5_core]\n[ 2633.550864]  remove_one+0x69/0xe0 [mlx5_core]\n[ 2633.551819]  pci_device_remove+0x3b/0xc0\n[ 2633.552731]  device_release_driver_internal+0x103/0x1f0\n[ 2633.553746]  unbind_store+0xf6/0x130\n[ 2633.554657]  kernfs_fop_write+0x116/0x190\n[ 2633.555567]  vfs_write+0xa5/0x1a0\n[ 2633.556407]  ksys_write+0x4f/0xb0\n[ 2633.557233]  do_syscall_64+0x5b/0x1a0\n[ 2633.558071]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 2633.559018] RIP: 0033:0x7f9977132648\n[ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55\n[ 2633.562332] RSP: 
002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648\n[ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001\n[ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740\n[ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0\n[ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c\n[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47212",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error().  In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error().  Rename new_pagecache_page to\npage_in_pagecache to make that clear.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47214",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: kTLS, Fix crash in RX resync flow\n\nFor the TLS RX resync flow, we maintain a list of TLS contexts\nthat require some attention, to communicate their resync information\nto the HW.\nHere we fix list corruptions, by protecting the entries against\nmovements coming from resync_handle_seq_match(), until their resync\nhandling in napi is fully completed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47215",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: advansys: Fix kernel pointer leak\n\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong' and printed with %lx.\n\nChange %lx to %p to print the hashed pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47216",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\n\nCheck for a valid hv_vp_index array prior to dereferencing hv_vp_index when\nsetting Hyper-V's TSC change callback.  If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it's running under\nHyper-V, but will have silently disabled nearly all functionality.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n  Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n  ...\n  Call Trace:\n   kvm_arch_init+0x17c/0x280\n   kvm_init+0x31/0x330\n   vmx_init+0xba/0x13a\n   do_one_initcall+0x41/0x1c0\n   kernel_init_freeable+0x1f2/0x23b\n   kernel_init+0x16/0x120\n   ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47217",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix NULL-pointer dereference when hashtab allocation fails\n\nWhen the hash table slot array allocation fails in hashtab_init(),\nh->size is left initialized with a non-zero value, but the h->htable\npointer is NULL. This may then cause a NULL pointer dereference, since\nthe policydb code relies on the assumption that even after a failed\nhashtab_init(), hashtab_map() and hashtab_destroy() can be safely called\non it. Yet, these detect an empty hashtab only by looking at the size.\n\nFix this by making sure that hashtab_init() always leaves behind a valid\nempty hashtab when the allocation fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47218",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()\n\nThe following issue was observed running syzkaller:\n\nBUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]\nBUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\nRead of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815\n\nCPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xe4/0x14a lib/dump_stack.c:118\n print_address_description+0x73/0x280 mm/kasan/report.c:253\n kasan_report_error mm/kasan/report.c:352 [inline]\n kasan_report+0x272/0x370 mm/kasan/report.c:410\n memcpy+0x1f/0x50 mm/kasan/kasan.c:302\n memcpy include/linux/string.h:377 [inline]\n sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\n fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021\n resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772\n schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429\n scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835\n scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896\n scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034\n __blk_run_queue_uncond block/blk-core.c:464 [inline]\n __blk_run_queue+0x1a4/0x380 block/blk-core.c:484\n blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78\n sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847\n sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716\n sg_write+0x64/0xa0 drivers/scsi/sg.c:622\n __vfs_write+0xed/0x690 fs/read_write.c:485\nkill_bdev:block_device:00000000e138492c\n vfs_write+0x184/0x4c0 fs/read_write.c:549\n ksys_write+0x107/0x240 fs/read_write.c:599\n do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nWe get 'alen' from the command; its type is int. If userspace passes a large\nlength we will get a negative 'alen'.\n\nSwitch n, alen, and rlen to u32.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47219",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: actually fix freelist pointer vs redzoning\n\nIt turns out that SLUB redzoning (\"slub_debug=Z\") checks from\ns->object_size rather than from s->inuse (which is normally bumped to\nmake room for the freelist pointer), so a cache created with an object\nsize less than 24 would have the freelist pointer written beyond\ns->object_size, causing the redzone to be corrupted by the freelist\npointer.  This was very visible with \"slub_debug=ZF\":\n\n  BUG test (Tainted: G    B            ): Right Redzone overwritten\n  -----------------------------------------------------------------------------\n\n  INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb\n  INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200\n  INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620\n\n  Redzone  (____ptrval____): bb bb bb bb bb bb bb bb               ........\n  Object   (____ptrval____): 00 00 00 00 00 f6 f4 a5               ........\n  Redzone  (____ptrval____): 40 1d e8 1a aa                        @....\n  Padding  (____ptrval____): 00 00 00 00 00 00 00 00               ........\n\nAdjust the offset to stay within s->object_size.\n\n(Note that no caches of in this size range are known to exist in the\nkernel currently.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47221",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix vlan tunnel dst refcnt when egressing\n\nThe egress tunnel code uses dst_clone() and directly sets the result\nwhich is wrong because the entry might have 0 refcnt or be already deleted,\ncausing number of problems. It also triggers the WARN_ON() in dst_hold()[1]\nwhen a refcnt couldn't be taken. Fix it by using dst_hold_safe() and\nchecking if a reference was actually taken before setting the dst.\n\n[1] dmesg WARN_ON log and following refcnt errors\n WARNING: CPU: 5 PID: 38 at include/net/dst.h:230 br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]\n Modules linked in: 8021q garp mrp bridge stp llc bonding ipv6 virtio_net\n CPU: 5 PID: 38 Comm: ksoftirqd/5 Kdump: loaded Tainted: G        W         5.13.0-rc3+ #360\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\n RIP: 0010:br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]\n Code: e8 85 bc 01 e1 45 84 f6 74 90 45 31 f6 85 db 48 c7 c7 a0 02 19 a0 41 0f 94 c6 31 c9 31 d2 44 89 f6 e8 64 bc 01 e1 85 db 75 02 <0f> 0b 31 c9 31 d2 44 89 f6 48 c7 c7 70 02 19 a0 e8 4b bc 01 e1 49\n RSP: 0018:ffff8881003d39e8 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffa01902a0\n RBP: ffff8881040c6700 R08: 0000000000000000 R09: 0000000000000001\n R10: 2ce93d0054fe0d00 R11: 54fe0d00000e0000 R12: ffff888109515000\n R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000401\n FS:  0000000000000000(0000) GS:ffff88822bf40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f42ba70f030 CR3: 0000000109926000 CR4: 00000000000006e0\n Call Trace:\n  br_handle_vlan+0xbc/0xca [bridge]\n  __br_forward+0x23/0x164 [bridge]\n  deliver_clone+0x41/0x48 [bridge]\n  br_handle_frame_finish+0x36f/0x3aa [bridge]\n  ? skb_dst+0x2e/0x38 [bridge]\n  ? 
br_handle_ingress_vlan_tunnel+0x3e/0x1c8 [bridge]\n  ? br_handle_frame_finish+0x3aa/0x3aa [bridge]\n  br_handle_frame+0x2c3/0x377 [bridge]\n  ? __skb_pull+0x33/0x51\n  ? vlan_do_receive+0x4f/0x36a\n  ? br_handle_frame_finish+0x3aa/0x3aa [bridge]\n  __netif_receive_skb_core+0x539/0x7c6\n  ? __list_del_entry_valid+0x16e/0x1c2\n  __netif_receive_skb_list_core+0x6d/0xd6\n  netif_receive_skb_list_internal+0x1d9/0x1fa\n  gro_normal_list+0x22/0x3e\n  dev_gro_receive+0x55b/0x600\n  ? detach_buf_split+0x58/0x140\n  napi_gro_receive+0x94/0x12e\n  virtnet_poll+0x15d/0x315 [virtio_net]\n  __napi_poll+0x2c/0x1c9\n  net_rx_action+0xe6/0x1fb\n  __do_softirq+0x115/0x2d8\n  run_ksoftirqd+0x18/0x20\n  smpboot_thread_fn+0x183/0x19c\n  ? smpboot_unregister_percpu_thread+0x66/0x66\n  kthread+0x10a/0x10f\n  ? kthread_mod_delayed_work+0xb6/0xb6\n  ret_from_fork+0x22/0x30\n ---[ end trace 49f61b07f775fd2b ]---\n dst_release: dst:00000000c02d677a refcnt:-1\n dst_release underflow",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47222",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix vlan tunnel dst null pointer dereference\n\nThis patch fixes a tunnel_dst null pointer dereference due to lockless\naccess in the tunnel egress path. When deleting a vlan tunnel the\ntunnel_dst pointer is set to NULL without waiting a grace period (i.e.\nwhile it's still usable) and packets egressing are dereferencing it\nwithout checking. Use READ/WRITE_ONCE to annotate the lockless use of\ntunnel_id, use RCU for accessing tunnel_dst and make sure it is read\nonly once and checked in the egress path. The dst is already properly RCU\nprotected so we don't need to do anything fancy than to make sure\ntunnel_id and tunnel_dst are read only once and checked in the egress path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47223",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: Make sure to free skb when it is completely used\n\nWith the skb pointer piggy-backed on the TX BD, we have a simple and\nefficient way to free the skb buffer when the frame has been transmitted.\nBut in order to avoid freeing the skb while there are still fragments from\nthe skb in use, we need to piggy-back on the TX BD of the skb, not the\nfirst.\n\nWithout this, we are doing use-after-free on the DMA side, when the first\nBD of a multi TX BD packet is seen as completed in xmit_done, and the\nremaining BDs are still being processed.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47224",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix deadlock in AP/VLAN handling\n\nSyzbot reports that when you have AP_VLAN interfaces that are up\nand close the AP interface they belong to, we get a deadlock. No\nsurprise - since we dev_close() them with the wiphy mutex held,\nwhich goes back into the netdev notifier in cfg80211 and tries to\nacquire the wiphy mutex there.\n\nTo fix this, we need to do two things:\n 1) prevent changing iftype while AP_VLANs are up, we can't\n    easily fix this case since cfg80211 already calls us with\n    the wiphy mutex held, but change_interface() is relatively\n    rare in drivers anyway, so changing iftype isn't used much\n    (and userspace has to fall back to down/change/up anyway)\n 2) pull the dev_close() loop over VLANs out of the wiphy mutex\n    section in the normal stop case",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47225",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer\n\nBoth Intel and AMD consider it to be architecturally valid for XRSTOR to\nfail with #PF but nonetheless change the register state.  The actual\nconditions under which this might occur are unclear [1], but it seems\nplausible that this might be triggered if one sibling thread unmaps a page\nand invalidates the shared TLB while another sibling thread is executing\nXRSTOR on the page in question.\n\n__fpu__restore_sig() can execute XRSTOR while the hardware registers\nare preserved on behalf of a different victim task (using the\nfpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but\nmodify the registers.\n\nIf this happens, then there is a window in which __fpu__restore_sig()\ncould schedule out and the victim task could schedule back in without\nreloading its own FPU registers. This would result in part of the FPU\nstate that __fpu__restore_sig() was attempting to load leaking into the\nvictim task's user-visible state.\n\nInvalidate preserved FPU registers on XRSTOR failure to prevent this\nsituation from corrupting any state.\n\n[1] Frequent readers of the errata lists might imagine \"complex\n    microarchitectural conditions\".",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47226",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Prevent state corruption in __fpu__restore_sig()\n\nThe non-compacted slowpath uses __copy_from_user() and copies the entire\nuser buffer into the kernel buffer, verbatim.  This means that the kernel\nbuffer may now contain entirely invalid state on which XRSTOR will #GP.\nvalidate_user_xstate_header() can detect some of that corruption, but that\nleaves the onus on callers to clear the buffer.\n\nPrior to XSAVES support, it was possible just to reinitialize the buffer,\ncompletely, but with supervisor states that is not longer possible as the\nbuffer clearing code split got it backwards. Fixing that is possible but\nnot corrupting the state in the first place is more robust.\n\nAvoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate()\nwhich validates the XSAVE header contents before copying the actual states\nto the kernel. copy_user_to_xstate() was previously only called for\ncompacted-format kernel buffers, but it works for both compacted and\nnon-compacted forms.\n\nUsing it for the non-compacted form is slower because of multiple\n__copy_from_user() operations, but that cost is less important than robust\ncode in an already slow path.\n\n[ Changelog polished by Dave Hansen ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47227",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/ioremap: Map EFI-reserved memory as encrypted for SEV\n\nSome drivers require memory that is marked as EFI boot services\ndata. In order for this memory to not be re-used by the kernel\nafter ExitBootServices(), efi_mem_reserve() is used to preserve it\nby inserting a new EFI memory descriptor and marking it with the\nEFI_MEMORY_RUNTIME attribute.\n\nUnder SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to\nbe mapped encrypted by Linux, otherwise the kernel might crash at boot\nlike below:\n\n  EFI Variables Facility v0.08 2004-May-17\n  general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI\n  CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:efi_mokvar_entry_next\n  [...]\n  Call Trace:\n   efi_mokvar_sysfs_init\n   ? efi_mokvar_table_init\n   do_one_initcall\n   ? __kmalloc\n   kernel_init_freeable\n   ? rest_init\n   kernel_init\n   ret_from_fork\n\nExpand the __ioremap_check_other() function to additionally check for\nthis other type of boot data reserved at runtime and indicate that it\nshould be mapped encrypted for an SEV guest.\n\n [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47228",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: aardvark: Fix kernel panic during PIO transfer\n\nTrying to start a new PIO transfer by writing value 0 in PIO_START register\nwhen previous transfer has not yet completed (which is indicated by value 1\nin PIO_START) causes an External Abort on CPU, which results in kernel\npanic:\n\n    SError Interrupt on CPU0, code 0xbf000002 -- SError\n    Kernel panic - not syncing: Asynchronous SError Interrupt\n\nTo prevent kernel panic, it is required to reject a new PIO transfer when\nprevious one has not finished yet.\n\nIf previous PIO transfer is not finished yet, the kernel may issue a new\nPIO request only if the previous PIO transfer timed out.\n\nIn the past the root cause of this issue was incorrectly identified (as it\noften happens during link retraining or after link down event) and special\nhack was implemented in Trusted Firmware to catch all SError events in EL3,\nto ignore errors with code 0xbf000002 and not forwarding any other errors\nto kernel and instead throw panic from EL3 Trusted Firmware handler.\n\nLinks to discussion and patches about this issue:\nhttps://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50\nhttps://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/\nhttps://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/\nhttps://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541\n\nBut the real cause was the fact that during link retraining or after link\ndown event the PIO transfer may take longer time, up to the 1.44s until it\ntimes out. This increased probability that a new PIO transfer would be\nissued by kernel while previous one has not finished yet.\n\nAfter applying this change into the kernel, it is possible to revert the\nmentioned TF-A hack and SError events do not have to be caught in TF-A EL3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47229",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Immediately reset the MMU context when the SMM flag is cleared\n\nImmediately reset the MMU context when the vCPU's SMM flag is cleared so\nthat the SMM flag in the MMU role is always synchronized with the vCPU's\nflag.  If RSM fails (which isn't correctly emulated), KVM will bail\nwithout calling post_leave_smm() and leave the MMU in a bad state.\n\nThe bad MMU role can lead to a NULL pointer dereference when grabbing a\nshadow page's rmap for a page fault as the initial lookups for the gfn\nwill happen with the vCPU's SMM flag (=0), whereas the rmap lookup will\nuse the shadow page's SMM flag, which comes from the MMU (=1).  SMM has\nan entirely different set of memslots, and so the initial lookup can find\na memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]\n  RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947\n  Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44\n  RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n  RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002\n  R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000\n  R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000\n  FS:  000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 
0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]\n   mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604\n   __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]\n   direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769\n   kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]\n   kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065\n   vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122\n   vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428\n   vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494\n   kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722\n   kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:1069 [inline]\n   __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055\n   do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x440ce9",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47230",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: fix memory leak in mcba_usb\n\nSyzbot reported memory leak in SocketCAN driver for Microchip CAN BUS\nAnalyzer Tool. The problem was in unfreed usb_coherent.\n\nIn mcba_usb_start() 20 coherent buffers are allocated and there is\nnothing, that frees them:\n\n1) In callback function the urb is resubmitted and that's all\n2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER\n   is not set (see mcba_usb_start) and this flag cannot be used with\n   coherent buffers.\n\nFail log:\n| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected\n| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)\n\nSo, all allocated buffers should be freed with usb_free_coherent()\nexplicitly\n\nNOTE:\nThe same pattern for allocating and freeing coherent buffers\nis used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47231",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix Use-after-Free, hold skb ref while in use\n\nThis patch fixes a Use-after-Free found by the syzbot.\n\nThe problem is that a skb is taken from the per-session skb queue,\nwithout incrementing the ref count. This leads to a Use-after-Free if\nthe skb is taken concurrently from the session queue due to a CTS.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47232",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: rt4801: Fix NULL pointer dereference if priv->enable_gpios is NULL\n\ndevm_gpiod_get_array_optional may return NULL if no GPIO was assigned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47233",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()\n\nUse clk_disable_unprepare() in the error path of mtk_phy_init() to fix\nsome resource leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47234",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: fix potential use-after-free in ec_bhf_remove\n\nstatic void ec_bhf_remove(struct pci_dev *dev)\n{\n...\n\tstruct ec_bhf_priv *priv = netdev_priv(net_dev);\n\n\tunregister_netdev(net_dev);\n\tfree_netdev(net_dev);\n\n\tpci_iounmap(dev, priv->dma_io);\n\tpci_iounmap(dev, priv->io);\n...\n}\n\npriv is netdev private data, but it is used\nafter free_netdev(). It can cause use-after-free when accessing priv\npointer. So, fix it by moving free_netdev() after pci_iounmap()\ncalls.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47235",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_eem: fix tx fixup skb leak\n\nwhen usbnet transmit a skb, eem fixup it in eem_tx_fixup(),\nif skb_copy_expand() failed, it return NULL,\nusbnet_start_xmit() will have no chance to free original skb.\n\nfix it by free orginal skb in eem_tx_fixup() first,\nthen check skb clone status, if failed, return NULL to usbnet.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47236",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: fix memory leak in mkiss_close\n\nMy local syzbot instance hit memory leak in\nmkiss_open()[1]. The problem was in missing\nfree_netdev() in mkiss_close().\n\nIn mkiss_open() netdevice is allocated and then\nregistered, but in mkiss_close() netdevice was\nonly unregistered, but not freed.\n\nFail log:\n\nBUG: memory leak\nunreferenced object 0xffff8880281ba000 (size 4096):\n  comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n  hex dump (first 32 bytes):\n    61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00  ax0.............\n    00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00  .'.*............\n  backtrace:\n    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n    [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80\n    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880141a9a00 (size 96):\n  comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n  hex dump (first 32 bytes):\n    e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff  ...(.......(....\n    98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00  .....@..........\n  backtrace:\n    [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310\n    [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0\n    [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0\n    [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80\n    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n    
[<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880219bfc00 (size 512):\n  comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n  hex dump (first 32 bytes):\n    00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff  ...(............\n    80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n    [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80\n    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff888029b2b200 (size 256):\n  comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n    [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80\n    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47237",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in ip_mc_add1_src\n\nBUG: memory leak\nunreferenced object 0xffff888101bc4c00 (size 32):\n  comm \"syz-executor527\", pid 360, jiffies 4294807421 (age 19.329s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n    01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................\n  backtrace:\n    [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]\n    [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]\n    [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]\n    [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095\n    [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416\n    [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]\n    [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423\n    [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857\n    [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117\n    [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]\n    [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]\n    [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125\n    [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47\n    [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn commit 24803f38a5c0 (\"igmp: do not remove igmp souce list info when set\nlink down\"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,\nbecause it was also called in igmpv3_clear_delrec().\n\nRough callgraph:\n\ninetdev_destroy\n-> ip_mc_destroy_dev\n     -> igmpv3_clear_delrec\n        -> ip_mc_clear_src\n-> RCU_INIT_POINTER(dev->ip_ptr, NULL)\n\nHowever, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't\nrelease in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the\nNULL to dev->ip_ptr. As a result, in_dev cannot be obtained through\ninetdev_by_index() and then in_dev->mc_list->sources cannot be released\nby ip_mc_del1_src() in the sock_close. Rough call sequence goes like:\n\nsock_close\n-> __sock_release\n   -> inet_release\n      -> ip_mc_drop_socket\n         -> inetdev_by_index\n         -> ip_mc_leave_src\n            -> ip_mc_del_src\n               -> ip_mc_del1_src\n\nSo we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free\nin_dev->mc_list->sources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47238",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix possible use-after-free in smsc75xx_bind\n\nThe commit 46a8b29c6306 (\"net: usb: fix memory leak in smsc75xx_bind\")\nfails to clean up the work scheduled in smsc75xx_reset->\nsmsc75xx_set_multicast, which leads to use-after-free if the work is\nscheduled to start after the deallocation. In addition, this patch\nalso removes a dangling pointer - dev->data[0].\n\nThis patch calls cancel_work_sync to cancel the scheduled work and set\nthe dangling pointer to NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47239",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12.13"
        },
        {
          "id": "CVE-2021-47240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: fix OOB Read in qrtr_endpoint_post\n\nSyzbot reported slab-out-of-bounds Read in\nqrtr_endpoint_post. The problem was in wrong\n_size_ type:\n\n\tif (len != ALIGN(size, 4) + hdrlen)\n\t\tgoto err;\n\nIf size from qrtr_hdr is 4294967293 (0xfffffffd), the result of\nALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293\nin header this check won't fail and\n\n\tskb_put_data(skb, data + hdrlen, size);\n\nwill read out of bound from data, which is hdrlen allocated block.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47240",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: strset: fix message length calculation\n\nOuter nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for.\nThis may result in ETHTOOL_MSG_STRSET_GET producing a warning like:\n\n    calculated message payload length (684) not sufficient\n    WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20\n\nand a splat.\n\nAs usual with such warnings three conditions must be met for the warning\nto trigger:\n - there must be no skb size rounding up (e.g. reply_size of 684);\n - string set must be per-device (so that the header gets populated);\n - the device name must be at least 12 characters long.\n\nall in all with current user space it looks like reading priv flags\nis the only place this could potentially happen. Or with syzbot :)",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47241",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix soft lookup in subflow_error_report()\n\nMaxim reported a soft lookup in subflow_error_report():\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:0]\n RIP: 0010:native_queued_spin_lock_slowpath\n RSP: 0018:ffffa859c0003bc0 EFLAGS: 00000202\n RAX: 0000000000000101 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: ffff9195c2772d88 RSI: 0000000000000000 RDI: ffff9195c2772d88\n RBP: ffff9195c2772d00 R08: 00000000000067b0 R09: c6e31da9eb1e44f4\n R10: ffff9195ef379700 R11: ffff9195edb50710 R12: ffff9195c2772d88\n R13: ffff9195f500e3d0 R14: ffff9195ef379700 R15: ffff9195ef379700\n FS:  0000000000000000(0000) GS:ffff91961f400000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000c000407000 CR3: 0000000002988000 CR4: 00000000000006f0\n Call Trace:\n  <IRQ>\n _raw_spin_lock_bh\n subflow_error_report\n mptcp_subflow_data_available\n __mptcp_move_skbs_from_subflow\n mptcp_data_ready\n tcp_data_queue\n tcp_rcv_established\n tcp_v4_do_rcv\n tcp_v4_rcv\n ip_protocol_deliver_rcu\n ip_local_deliver_finish\n __netif_receive_skb_one_core\n netif_receive_skb\n rtl8139_poll 8139too\n __napi_poll\n net_rx_action\n __do_softirq\n __irq_exit_rcu\n common_interrupt\n  </IRQ>\n\nThe calling function - mptcp_subflow_data_available() - can be invoked\nfrom different contexts:\n- plain ssk socket lock\n- ssk socket lock + mptcp_data_lock\n- ssk socket lock + mptcp_data_lock + msk socket lock.\n\nSince subflow_error_report() tries to acquire the mptcp_data_lock, the\nlatter two call chains will cause soft lookup.\n\nThis change addresses the issue moving the error reporting call to\nouter functions, where the held locks list is known and we can\nacquire only the needed one.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47242",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: Fix out of bounds when parsing TCP options and header\n\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\ncake_tcph_may_drop) could read one byte out of bounds. When the length\nis 1, the execution flow gets into the loop, reads one byte of the\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\none more byte, which exceeds the length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\nheader. Although it wasn't strictly an out-of-bounds access (memory was\nallocated), garbage values could be read where CAKE expected the TCP\nheader if doff was smaller than 5.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47243",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix out of bounds when parsing TCP options\n\nThe TCP option parser in mptcp (mptcp_get_options) could read one byte\nout of bounds. When the length is 1, the execution flow gets into the\nloop, reads one byte of the opcode, and if the opcode is neither\nTCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the\nlength of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47244",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: synproxy: Fix out of bounds when parsing TCP options\n\nThe TCP option parser in synproxy (synproxy_parse_options) could read\none byte out of bounds. When the length is 1, the execution flow gets\ninto the loop, reads one byte of the opcode, and if the opcode is\nneither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds\nthe length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded an early return when length < 0 to avoid calling\nskb_header_pointer with negative length.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47245",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix page reclaim for dead peer hairpin\n\nWhen adding a hairpin flow, a firmware-side send queue is created for\nthe peer net device, which claims some host memory pages for its\ninternal ring buffer. If the peer net device is removed/unbound before\nthe hairpin flow is deleted, then the send queue is not destroyed which\nleads to a stack trace on pci device remove:\n\n[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource\n[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110\n[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0\n[ 748.002171] ------------[ cut here ]------------\n[ 748.001177] FW pages counter is 4 after reclaiming all pages\n[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]                      [  +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]\n[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1\n[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]\n[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9\n[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286\n[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000\n[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51\n[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8\n[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30\n[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000\n[ 748.001429] FS:  00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000\n[ 748.001695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0\n[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 748.001654] Call Trace:\n[ 748.000576]  ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]\n[ 748.001416]  ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]\n[ 748.001354]  ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]\n[ 748.001203]  mlx5_function_teardown+0x30/0x60 [mlx5_core]\n[ 748.001275]  mlx5_uninit_one+0xa7/0xc0 [mlx5_core]\n[ 748.001200]  remove_one+0x5f/0xc0 [mlx5_core]\n[ 748.001075]  pci_device_remove+0x9f/0x1d0\n[ 748.000833]  device_release_driver_internal+0x1e0/0x490\n[ 748.001207]  unbind_store+0x19f/0x200\n[ 748.000942]  ? sysfs_file_ops+0x170/0x170\n[ 748.001000]  kernfs_fop_write_iter+0x2bc/0x450\n[ 748.000970]  new_sync_write+0x373/0x610\n[ 748.001124]  ? new_sync_read+0x600/0x600\n[ 748.001057]  ? lock_acquire+0x4d6/0x700\n[ 748.000908]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n[ 748.001126]  ? fd_install+0x1c9/0x4d0\n[ 748.000951]  vfs_write+0x4d0/0x800\n[ 748.000804]  ksys_write+0xf9/0x1d0\n[ 748.000868]  ? __x64_sys_read+0xb0/0xb0\n[ 748.000811]  ? filp_open+0x50/0x50\n[ 748.000919]  ? syscall_enter_from_user_mode+0x1d/0x50\n[ 748.001223]  do_syscall_64+0x3f/0x80\n[ 748.000892]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 748.00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47246",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\n\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\n\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260]  dump_stack+0xbb/0x107\n [23827.477906]  print_address_description.constprop.0+0x18/0x140\n [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905]  kasan_report.cold+0x7c/0xd8\n [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744]  kasan_check_range+0x145/0x1a0\n [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486]  ? read_word_at_a_time+0xe/0x20\n [23827.498250]  ? strscpy+0xa0/0x2a0\n [23827.498889]  process_one_work+0x8ac/0x14e0\n [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359]  ? rwlock_bug.part.0+0x90/0x90\n [23827.502116]  worker_thread+0x53b/0x1220\n [23827.502831]  ? process_one_work+0x14e0/0x14e0\n [23827.503627]  kthread+0x328/0x3f0\n [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065]  ? __kthread_bind_mask+0x90/0x90\n [23827.505912]  ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694]  kasan_save_stack+0x1b/0x40\n [23827.508476]  __kasan_kmalloc+0x7c/0x90\n [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298]  tc_setup_cb_add+0x1d5/0x420\n [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821]  tc_new_tfilter+0x89a/0x2070\n [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300]  netlink_rcv_skb+0x11d/0x340\n [23827.518021]  netlink_unicast+0x42b/0x700\n [23827.518742]  netlink_sendmsg+0x743/0xc20\n [23827.519467]  sock_sendmsg+0xb2/0xe0\n [23827.520131]  ____sys_sendmsg+0x590/0x770\n [23827.520851]  ___sys_sendmsg+0xd8/0x160\n [23827.521552]  __sys_sendmsg+0xb7/0x140\n [23827.522238]  do_syscall_64+0x3a/0x70\n [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780]  kasan_save_stack+0x1b/0x40\n [23827.525488]  kasan_set_track+0x1c/0x30\n [23827.526187]  kasan_set_free_info+0x20/0x30\n [23827.526968]  __kasan_slab_free+0xed/0x130\n [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317]  kfree_rcu_work+0x55f/0xb70\n [23827.530024]  process_one_work+0x8ac/0x14e0\n [23827.530770]  worker_thread+0x53b/0x1220\n [23827.531480]  kthread+0x328/0x3f0\n [23827.532114]  ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007]  kasan_save_stack+0x1b/0x40\n [23827.534710]  kasan_record_aux_stack+0xab/0xc0\n [23827.535492]  kvfree_call_rcu+0x31/0x7b0\n [23827.536206]  mlx5e_tc_del\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47247",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47248",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: fix memory leak in rds_recvmsg\n\nSyzbot reported memory leak in rds. The problem\nwas in unputted refcount in case of error.\n\nint rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,\n\t\tint msg_flags)\n{\n...\n\n\tif (!rds_next_incoming(rs, &inc)) {\n\t\t...\n\t}\n\nAfter this \"if\" inc refcount incremented and\n\n\tif (rds_cmsg_recv(inc, msg, rs)) {\n\t\tret = -EFAULT;\n\t\tgoto out;\n\t}\n...\nout:\n\treturn ret;\n}\n\nin case of rds_cmsg_recv() fail the refcount won't be\ndecremented. And it's easy to see from ftrace log, that\nrds_inc_addref() don't have rds_inc_put() pair in\nrds_recvmsg() after rds_cmsg_recv()\n\n 1)               |  rds_recvmsg() {\n 1)   3.721 us    |    rds_inc_addref();\n 1)   3.853 us    |    rds_message_inc_copy_to_user();\n 1) + 10.395 us   |    rds_cmsg_recv();\n 1) + 34.260 us   |  }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47249",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in netlbl_cipsov4_add_std\n\nReported by syzkaller:\nBUG: memory leak\nunreferenced object 0xffff888105df7000 (size 64):\ncomm \"syz-executor842\", pid 360, jiffies 4294824824 (age 22.546s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]\n[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]\n[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]\n[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416\n[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739\n[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800\n[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504\n[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811\n[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340\n[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929\n[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]\n[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674\n[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350\n[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404\n[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433\n[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47\n[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe memory of doi_def->map.std pointing is allocated in\nnetlbl_cipsov4_add_std, but no place has freed it. It should be\nfreed in cipso_v4_doi_free which frees the cipso DOI resource.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47250",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix skb length check in ieee80211_scan_rx()\n\nReplace hard-coded compile-time constants for header length check\nwith dynamic determination based on the frame type. Otherwise, we\nhit a validation WARN_ON in cfg80211 later.\n\n[style fixes, reword commit message]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47251",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid WARN_ON timing related checks\n\nThe soft/batadv interface for a queued OGM can be changed during the time\nthe OGM was queued for transmission and when the OGM is actually\ntransmitted by the worker.\n\nBut WARN_ON must be used to denote kernel bugs and not to print simple\nwarnings. A warning can simply be printed using pr_warn.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47252",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential memory leak in DMUB hw_init\n\n[Why]\nOn resume we perform DMUB hw_init which allocates memory:\ndm_resume->dm_dmub_hw_init->dc_dmub_srv_create->kzalloc\nThat results in memory leak in suspend/resume scenarios.\n\n[How]\nAllocate memory for the DC wrapper to DMUB only if it was not\nallocated before.\nNo need to reallocate it on suspend/resume.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47253",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in gfs2_glock_shrink_scan\n\nThe GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to\nremove the glock from the lru list in __gfs2_glock_put().\n\nOn the shrink scan path, the same flag is cleared under lru_lock but because\nof cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the\nput side can be made without deleting the glock from the lru list.\n\nKeep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to\nensure correct behavior on both sides - clear GLF_LRU after list_del under\nlru_lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47254",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: LAPIC: Restore guard to prevent illegal APIC register access\n\nPer the SDM, \"any access that touches bytes 4 through 15 of an APIC\nregister may cause undefined behavior and must not be executed.\"\nWorse, such an access in kvm_lapic_reg_read can result in a leak of\nkernel stack contents. Prior to commit 01402cf81051 (\"kvm: LAPIC:\nwrite down valid APIC registers\"), such an access was explicitly\ndisallowed. Restore the guard that was removed in that commit.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47255",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: make sure wait for page writeback in memory_failure\n\nOur syzkaller trigger the \"BUG_ON(!list_empty(&inode->i_wb_list))\" in\nclear_inode:\n\n  kernel BUG at fs/inode.c:519!\n  Internal error: Oops - BUG: 0 [#1] SMP\n  Modules linked in:\n  Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)\n  CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 80000005 (Nzcv daif -PAN -UAO)\n  pc : clear_inode+0x280/0x2a8\n  lr : clear_inode+0x280/0x2a8\n  Call trace:\n    clear_inode+0x280/0x2a8\n    ext4_clear_inode+0x38/0xe8\n    ext4_free_inode+0x130/0xc68\n    ext4_evict_inode+0xb20/0xcb8\n    evict+0x1a8/0x3c0\n    iput+0x344/0x460\n    do_unlinkat+0x260/0x410\n    __arm64_sys_unlinkat+0x6c/0xc0\n    el0_svc_common+0xdc/0x3b0\n    el0_svc_handler+0xf8/0x160\n    el0_svc+0x10/0x218\n  Kernel panic - not syncing: Fatal exception\n\nA crash dump of this problem show that someone called __munlock_pagevec\nto clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap\n-> munlock_vma_pages_range -> __munlock_pagevec.\n\nAs a result memory_failure will call identify_page_state without\nwait_on_page_writeback.  And after truncate_error_page clear the mapping\nof this page.  end_page_writeback won't call sb_clear_inode_writeback to\nclear inode->i_wb_list.  That will trigger BUG_ON in clear_inode!\n\nFix it by checking PageWriteback too to help determine should we skip\nwait_on_page_writeback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47256",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: fix null deref in parse dev addr\n\nFix a logic error that could result in a null deref if the user sets\nthe mode incorrectly for the given addr type.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47257",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix error handling of scsi_host_alloc()\n\nAfter device is initialized via device_initialize(), or its name is set via\ndev_set_name(), the device has to be freed via put_device().  Otherwise\ndevice name will be leaked because it is allocated dynamically in\ndev_set_name().\n\nFix the leak by replacing kfree() with put_device(). Since\nscsi_host_dev_release() properly handles IDA and kthread removal, remove\nspecial-casing these from the error handling as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47258",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix use-after-free in nfs4_init_client()\n\nKASAN reports a use-after-free when attempting to mount two different\nexports through two different NICs that belong to the same server.\n\nOlga was able to hit this with kernels starting somewhere between 5.7\nand 5.10, but I traced the patch that introduced the clear_bit() call to\n4.13. So something must have changed in the refcounting of the clp\npointer to make this call to nfs_put_client() the very last one.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47259",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a potential NULL dereference in nfs_get_client()\n\nNone of the callers are expecting NULL returns from nfs_get_client() so\nthis code will lead to an Oops.  It's better to return an error\npointer.  I expect that this is dead code so hopefully no one is\naffected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47260",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix initializing CQ fragments buffer\n\nThe function init_cq_frag_buf() can be called to initialize the current CQ\nfragments buffer cq->buf, or the temporary cq->resize_buf that is filled\nduring CQ resize operation.\n\nHowever, the offending commit started to use function get_cqe() for\ngetting the CQEs, the issue with this change is that get_cqe() always\nreturns CQEs from cq->buf, which leads us to initialize the wrong buffer,\nand in case of enlarging the CQ we try to access elements beyond the size\nof the current cq->buf and eventually hit a kernel panic.\n\n [exception RIP: init_cq_frag_buf+103]\n  [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]\n  [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]\n  [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]\n  [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]\n  [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]\n  [ffff9f799ddcbec8] kthread at ffffffffa66c5da1\n  [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd\n\nFix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that\ntakes the correct source buffer as a parameter.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47261",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message\n\nUse the __string() machinery provided by the tracing subystem to make a\ncopy of the string literals consumed by the \"nested VM-Enter failed\"\ntracepoint.  A complete copy is necessary to ensure that the tracepoint\ncan't outlive the data/memory it consumes and deference stale memory.\n\nBecause the tracepoint itself is defined by kvm, if kvm-intel and/or\nkvm-amd are built as modules, the memory holding the string literals\ndefined by the vendor modules will be freed when the module is unloaded,\nwhereas the tracepoint and its data in the ring buffer will live until\nkvm is unloaded (or \"indefinitely\" if kvm is built-in).\n\nThis bug has existed since the tracepoint was added, but was recently\nexposed by a new check in tracing to detect exactly this type of bug.\n\n  fmt: '%s%s\n  ' current_buffer: ' vmx_dirty_log_t-140127  [003] ....  kvm_nested_vmenter_failed: '\n  WARNING: CPU: 3 PID: 140134 at kernel/trace/trace.c:3759 trace_check_vprintf+0x3be/0x3e0\n  CPU: 3 PID: 140134 Comm: less Not tainted 5.13.0-rc1-ce2e73ce600a-req #184\n  Hardware name: ASUS Q87M-E/Q87M-E, BIOS 1102 03/03/2014\n  RIP: 0010:trace_check_vprintf+0x3be/0x3e0\n  Code: <0f> 0b 44 8b 4c 24 1c e9 a9 fe ff ff c6 44 02 ff 00 49 8b 97 b0 20\n  RSP: 0018:ffffa895cc37bcb0 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffffa895cc37bd08 RCX: 0000000000000027\n  RDX: 0000000000000027 RSI: 00000000ffffdfff RDI: ffff9766cfad74f8\n  RBP: ffffffffc0a041d4 R08: ffff9766cfad74f0 R09: ffffa895cc37bad8\n  R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffc0a041d4\n  R13: ffffffffc0f4dba8 R14: 0000000000000000 R15: ffff976409f2c000\n  FS:  00007f92fa200740(0000) GS:ffff9766cfac0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559bd11b0000 CR3: 000000019fbaa002 CR4: 00000000001726e0\n  Call Trace:\n   trace_event_printf+0x5e/0x80\n   trace_raw_output_kvm_nested_vmenter_failed+0x3a/0x60 [kvm]\n   print_trace_line+0x1dd/0x4e0\n   s_show+0x45/0x150\n   seq_read_iter+0x2d5/0x4c0\n   seq_read+0x106/0x150\n   vfs_read+0x98/0x180\n   ksys_read+0x5f/0xe0\n   do_syscall_64+0x40/0xb0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47262",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: wcd934x: Fix shift-out-of-bounds error\n\nbit-mask for pins 0 to 4 is BIT(0) to BIT(4) however we ended up with BIT(n - 1)\nwhich is not right, and this was caught by below usban check\n\nUBSAN: shift-out-of-bounds in drivers/gpio/gpio-wcd934x.c:34:14",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47263",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Fix Null-point-dereference in fmt_single_name()\n\nCheck the return value of devm_kstrdup() in case of\nNull-point-dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47264",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: Verify port when creating flow rule\n\nValidate port value provided by the user and with that remove no longer\nneeded validation by the driver.  The missing check in the mlx5_ib driver\ncould cause to the below oops.\n\nCall trace:\n  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]\n  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]\n  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]\n  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]\n  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]\n  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]\n  do_vfs_ioctl+0xd0/0xaf0\n  ksys_ioctl+0x84/0xb4\n  __arm64_sys_ioctl+0x28/0xc4\n  el0_svc_common.constprop.3+0xa4/0x254\n  el0_svc_handler+0x84/0xa0\n  el0_svc+0x10/0x26c\n Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47265",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ipoib: Fix warning caused by destroying non-initial netns\n\nAfter the commit 5ce2dced8e95 (\"RDMA/ipoib: Set rtnl_link_ops for ipoib\ninterfaces\"), if the IPoIB device is moved to non-initial netns,\ndestroying that netns lets the device vanish instead of moving it back to\nthe initial netns, This is happening because default_device_exit() skips\nthe interfaces due to having rtnl_link_ops set.\n\nSteps to reporoduce:\n  ip netns add foo\n  ip link set mlx5_ib0 netns foo\n  ip netns delete foo\n\nWARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50\nModules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT\nnf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack\nnf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d\n fuse\nCPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S      W  5.13.0-rc1+ #1\nHardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016\nWorkqueue: netns cleanup_net\nRIP: 0010:netdev_exit+0x3f/0x50\nCode: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48\n8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b\nc3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00\nRSP: 0018:ffffb297079d7e08 EFLAGS: 00010206\nRAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d\nRDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00\nRBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00\nR10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620\nR13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20\nFS:  0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ops_exit_list.isra.9+0x36/0x70\n cleanup_net+0x234/0x390\n process_one_work+0x1cb/0x360\n ? process_one_work+0x360/0x360\n worker_thread+0x30/0x370\n ? process_one_work+0x360/0x360\n kthread+0x116/0x130\n ? kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nTo avoid the above warning and later on the kernel panic that could happen\non shutdown due to a NULL pointer dereference, make sure to set the\nnetns_refund flag that was introduced by commit 3a5ca857079e (\"can: dev:\nMove device back to init netns on owning netns delete\") to properly\nrestore the IPoIB interfaces to the initial netns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47266",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\n\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47267",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port\n\nA pending hrtimer may expire after the kthread_worker of tcpm port\nis destroyed, see below kernel dump when do module unload, fix it\nby cancel the 2 hrtimers.\n\n[  111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880\n[  111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0\n[  111.526594] Mem abort info:\n[  111.526597]   ESR = 0x96000047\n[  111.526600]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  111.526604]   SET = 0, FnV = 0\n[  111.526607]   EA = 0, S1PTW = 0\n[  111.526610] Data abort info:\n[  111.526612]   ISV = 0, ISS = 0x00000047\n[  111.526615]   CM = 0, WnR = 1\n[  111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000\n[  111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000\n[  111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP\n[  111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]\n[  111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36\n[  111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)\n[  111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)\n[  111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390\n[  111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4\n[  111.526703] sp : ffff800010003e20\n[  111.526706] x29: ffff800010003e20 x28: ffff00017f380180\n[  111.537156] buffer_io_error: 6 callbacks suppressed\n[  111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read\n[  111.539932]  x27: ffff00017f3801c0\n[  111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001\n[  111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0\n[  111.548304]\n[  111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180\n[  111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read\n[  111.554499]\n[  111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000\n[  111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read\n[  111.561218]\n[  111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read\n[  111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040\n[  111.570902] x11: ffff0000c05ac6d8\n[  111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read\n[  111.588978]  x10: 0000000000000000 x9 : 0000000000040000\n[  111.588988] x8 : 0000000000000000\n[  111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read\n[  111.605766]  x7 : ffff00017f384880 x6 : ffff8000118cb880\n[  111.605777] x5 : ffff00017f384880\n[  111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read\n[  111.617086]  x4 : 0000000000000000 x3 : ffff0000c2a9f184\n[  111.617096] x2 : ffff8000118cb880\n[  111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read\n[  111.626927]  x1 : ffff8000118cb880 x0 : ffff00017f384888\n[  111.626938] Call trace:\n[  111.626942]  queued_spin_lock_slowpath+0x1a0/0x390\n[  111.795809]  kthread_queue_work+0x30/0xc0\n[  111.799828]  state_machine_timer_handler+0x20/0x30\n[  111.804624]  __hrtimer_run_queues+0x140/0x1e0\n[  111.808990]  hrtimer_interrupt+0xec/0x2c0\n[  111.813004]  arch_timer_handler_phys+0x38/0x50\n[  111.817456]  handle_percpu_devid_irq+0x88/0x150\n[  111.821991]  __handle_domain_irq+0x80/0xe0\n[  111.826093]  gic_handle_irq+0xc0/0x140\n[  111.829848]  el1_irq+0xbc/0x154\n[  111.832991]  arch_cpu_idle+0x1c/0x2c\n[  111.836572]  default_idle_call+0x24/0x6c\n[  111.840497]  do_idle+0x238/0x2ac\n[  1\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47268",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: ep0: fix NULL pointer exception\n\nThere is no validation of the index from dwc3_wIndex_to_dep() and we might\nbe referring a non-existing ep and trigger a NULL pointer exception. In\ncertain configurations we might use fewer eps and the index might wrongly\nindicate a larger ep index than existing.\n\nBy adding this validation from the patch we can actually report a wrong\nindex back to the caller.\n\nIn our usecase we are using a composite device on an older kernel, but\nupstream might use this fix also. Unfortunately, I cannot describe the\nhardware for others to reproduce the issue as it is a proprietary\nimplementation.\n\n[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4\n[   82.966891] Mem abort info:\n[   82.969663]   ESR = 0x96000006\n[   82.972703]   Exception class = DABT (current EL), IL = 32 bits\n[   82.978603]   SET = 0, FnV = 0\n[   82.981642]   EA = 0, S1PTW = 0\n[   82.984765] Data abort info:\n[   82.987631]   ISV = 0, ISS = 0x00000006\n[   82.991449]   CM = 0, WnR = 0\n[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc\n[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000\n[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP\n[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)\n[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1\n[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)\n[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c\n[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94\n\n...\n\n[   83.141788] Call trace:\n[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c\n[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94\n[   83.181546] ---[ end trace aac6b5267d84c32f ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47269",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadgets null ptr deref on 10gbps cabling.\n\nThis avoids a null pointer dereference in\nf_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}\nby simply reusing the 5gbps config for 10gbps.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47270",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler\n\nPatch fixes the following critical issue caused by deadlock which has been\ndetected during testing NCM class:\n\nsmp: csd: Detected non-responsive CSD lock (#1) on CPU#0\nsmp:     csd: CSD lock (#1) unresponsive.\n....\nRIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0\nRSP: 0018:ffffbc494011cde0 EFLAGS: 00000002\nRAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658\nRBP: ffffbc494011cde0 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658\nR13: ffff9ee8116b4670 R14: 0000000000000246 R15: ffff9ee8116b4658\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0\nCall Trace:\n <IRQ>\n do_raw_spin_lock+0xc0/0xd0\n _raw_spin_lock_irqsave+0x95/0xa0\n cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci]\n usb_ep_queue+0x35/0x110\n eth_start_xmit+0x220/0x3d0 [u_ether]\n ncm_tx_timeout+0x34/0x40 [usb_f_ncm]\n ? ncm_free_inst+0x50/0x50 [usb_f_ncm]\n __hrtimer_run_queues+0xac/0x440\n hrtimer_run_softirq+0x8c/0xb0\n __do_softirq+0xcf/0x428\n asm_call_irq_on_stack+0x12/0x20\n </IRQ>\n do_softirq_own_stack+0x61/0x70\n irq_exit_rcu+0xc1/0xd0\n sysvec_apic_timer_interrupt+0x52/0xb0\n asm_sysvec_apic_timer_interrupt+0x12/0x20\nRIP: 0010:do_raw_spin_trylock+0x18/0x40\nRSP: 0018:ffffbc494138bda8 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9ee8116b4658\nRBP: ffffbc494138bda8 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658\nR13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000\n _raw_spin_lock+0x3d/0x70\n ? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]\n cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]\n ? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci]\n ? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci]\n ? irq_thread+0xa0/0x1c0\n irq_thread_fn+0x28/0x60\n irq_thread+0x105/0x1c0\n ? __kthread_parkme+0x42/0x90\n ? irq_forced_thread_fn+0x90/0x90\n ? wake_threads_waitq+0x30/0x30\n ? irq_thread_check_affinity+0xe0/0xe0\n kthread+0x12a/0x160\n ? kthread_park+0x90/0x90\n ret_from_fork+0x22/0x30\n\nThe root cause of issue is spin_lock/spin_unlock instruction instead\nspin_lock_irqsave/spin_lock_irqrestore in cdnsp_thread_irq_handler\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47271",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL\n\nThere exists a possible scenario in which dwc3_gadget_init() can fail:\nduring during host -> peripheral mode switch in dwc3_set_mode(), and\na pending gadget driver fails to bind.  Then, if the DRD undergoes\nanother mode switch from peripheral->host the resulting\ndwc3_gadget_exit() will attempt to reference an invalid and dangling\ndwc->gadget pointer as well as call dma_free_coherent() on unmapped\nDMA pointers.\n\nThe exact scenario can be reproduced as follows:\n - Start DWC3 in peripheral mode\n - Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)\n - Run FunctionFS userspace application (open EPs, write descriptors, etc)\n - Bind gadget driver to DWC3's UDC\n - Switch DWC3 to host mode\n   => dwc3_gadget_exit() is called. usb_del_gadget() will put the\n\tConfigFS driver instance on the gadget_driver_pending_list\n - Stop FunctionFS application (closes the ep files)\n - Switch DWC3 to peripheral mode\n   => dwc3_gadget_init() fails as usb_add_gadget() calls\n\tcheck_pending_gadget_drivers() and attempts to rebind the UDC\n\tto the ConfigFS gadget but fails with -19 (-ENODEV) because the\n\tFFS instance is not in FFS_ACTIVE state (userspace has not\n\tre-opened and written the descriptors yet, i.e. desc_ready!=0).\n - Switch DWC3 back to host mode\n   => dwc3_gadget_exit() is called again, but this time dwc->gadget\n\tis invalid.\n\nAlthough it can be argued that userspace should take responsibility\nfor ensuring that the FunctionFS application be ready prior to\nallowing the composite driver bind to the UDC, failure to do so\nshould not result in a panic from the kernel driver.\n\nFix this by setting dwc->gadget to NULL in the failure path of\ndwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out\nunless the gadget pointer is valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47272",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled\n\nWhen only PHY1 is used (for example on Odroid-HC4), the regmap init code\nuses the usb2 ports when doesn't initialize the PHY1 regmap entry.\n\nThis fixes:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n...\npc : regmap_update_bits_base+0x40/0xa0\nlr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\n...\nCall trace:\nregmap_update_bits_base+0x40/0xa0\ndwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\ndwc3_meson_g12a_usb2_init+0x7c/0xc8\ndwc3_meson_g12a_usb_init+0x28/0x48\ndwc3_meson_g12a_probe+0x298/0x540\nplatform_probe+0x70/0xe0\nreally_probe+0xf0/0x4d8\ndriver_probe_device+0xfc/0x168\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47273",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Correct the length check which causes memory corruption\n\nWe've suffered from severe kernel crashes due to memory corruption on\nour production environment, like,\n\nCall Trace:\n[1640542.554277] general protection fault: 0000 [#1] SMP PTI\n[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G\n[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190\n[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286\n[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:\n0000000006e931bf\n[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:\nffff9a45ff004300\n[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:\n0000000000000000\n[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:\nffffffff9a20608d\n[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:\n696c662f65636976\n[1640542.563128] FS:  00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)\nknlGS:0000000000000000\n[1640542.563937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:\n00000000003606e0\n[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1640542.566742] Call Trace:\n[1640542.567009]  anon_vma_clone+0x5d/0x170\n[1640542.567417]  __split_vma+0x91/0x1a0\n[1640542.567777]  do_munmap+0x2c6/0x320\n[1640542.568128]  vm_munmap+0x54/0x70\n[1640542.569990]  __x64_sys_munmap+0x22/0x30\n[1640542.572005]  do_syscall_64+0x5b/0x1b0\n[1640542.573724]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[1640542.575642] RIP: 0033:0x7f45d6e61e27\n\nJames Wang has reproduced it stably on the latest 4.19 LTS.\nAfter some debugging, we finally proved that it's due to ftrace\nbuffer out-of-bound access using a debug tool as follows:\n[   86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000\n[   86.780806]  no_context+0xdf/0x3c0\n[   86.784327]  __do_page_fault+0x252/0x470\n[   86.788367]  do_page_fault+0x32/0x140\n[   86.792145]  page_fault+0x1e/0x30\n[   86.795576]  strncpy_from_unsafe+0x66/0xb0\n[   86.799789]  fetch_memory_string+0x25/0x40\n[   86.804002]  fetch_deref_string+0x51/0x60\n[   86.808134]  kprobe_trace_func+0x32d/0x3a0\n[   86.812347]  kprobe_dispatcher+0x45/0x50\n[   86.816385]  kprobe_ftrace_handler+0x90/0xf0\n[   86.820779]  ftrace_ops_assist_func+0xa1/0x140\n[   86.825340]  0xffffffffc00750bf\n[   86.828603]  do_sys_open+0x5/0x1f0\n[   86.832124]  do_syscall_64+0x5b/0x1b0\n[   86.835900]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\ncommit b220c049d519 (\"tracing: Check length before giving out\nthe filter buffer\") adds length check to protect trace data\noverflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent\noverflow entirely, the length check should also take the sizeof\nentry->array[0] into account, since this array[0] is filled the\nlength of trace data and occupy addtional space and risk overflow.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47274",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: avoid oversized read request in cache missing code path\n\nIn the cache missing code path of cached device, if a proper location\nfrom the internal B+ tree is matched for a cache miss range, function\ncached_dev_cache_miss() will be called in cache_lookup_fn() in the\nfollowing code block,\n[code block 1]\n  526         unsigned int sectors = KEY_INODE(k) == s->iop.inode\n  527                 ? min_t(uint64_t, INT_MAX,\n  528                         KEY_START(k) - bio->bi_iter.bi_sector)\n  529                 : INT_MAX;\n  530         int ret = s->d->cache_miss(b, s, bio, sectors);\n\nHere s->d->cache_miss() is the callback function pointer initialized as\ncached_dev_cache_miss(), the last parameter 'sectors' is an important\nhint to calculate the size of read request to backing device of the\nmissing cache data.\n\nCurrent calculation in above code block may generate oversized value of\n'sectors', which consequently may trigger 2 different potential kernel\npanics by BUG() or BUG_ON() as listed below,\n\n1) BUG_ON() inside bch_btree_insert_key(),\n[code block 2]\n   886         BUG_ON(b->ops->is_extents && !KEY_SIZE(k));\n2) BUG() inside biovec_slab(),\n[code block 3]\n   51         default:\n   52                 BUG();\n   53                 return NULL;\n\nAll the above panics are original from cached_dev_cache_miss() by the\noversized parameter 'sectors'.\n\nInside cached_dev_cache_miss(), parameter 'sectors' is used to calculate\nthe size of data read from backing device for the cache missing. This\nsize is stored in s->insert_bio_sectors by the following lines of code,\n[code block 4]\n  909    s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);\n\nThen the actual key inserting to the internal B+ tree is generated and\nstored in s->iop.replace_key by the following lines of code,\n[code block 5]\n  911   s->iop.replace_key = KEY(s->iop.inode,\n  912                    bio->bi_iter.bi_sector + s->insert_bio_sectors,\n  913                    s->insert_bio_sectors);\nThe oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from\nthe above code block.\n\nAnd the bio sending to backing device for the missing data is allocated\nwith hint from s->insert_bio_sectors by the following lines of code,\n[code block 6]\n  926    cache_bio = bio_alloc_bioset(GFP_NOWAIT,\n  927                 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS),\n  928                 &dc->disk.bio_split);\nThe oversized parameter 'sectors' may trigger panic 2) by BUG() from the\nabove code block.\n\nNow let me explain how the panics happen with the oversized 'sectors'.\nIn code block 5, replace_key is generated by macro KEY(). From the\ndefinition of macro KEY(),\n[code block 7]\n  71 #define KEY(inode, offset, size)                                  \\\n  72 ((struct bkey) {                                                  \\\n  73      .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode),     \\\n  74      .low = (offset)                                              \\\n  75 })\n\nHere 'size' is 16bits width embedded in 64bits member 'high' of struct\nbkey. But in code block 1, if \"KEY_START(k) - bio->bi_iter.bi_sector\" is\nvery probably to be larger than (1<<16) - 1, which makes the bkey size\ncalculation in code block 5 is overflowed. In one bug report the value\nof parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors'\nresults in the overflowed s->insert_bio_sectors in code block 4, then makes\nsize field of s->iop.replace_key to be 0 in code block 5. Then the 0-\nsized s->iop.replace_key is inserted into the internal B+ tree as cache\nmissing check key (a special key to detect and avoid a racing between\nnormal write request and cache missing read request) as,\n[code block 8]\n  915   ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key);\n\nThen the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey\nsize check BUG_ON() in code block 2, and causes the kernel panic 1).\n\nAnother ke\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47275",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Do not blindly read the ip address in ftrace_bug()\n\nIt was reported that a bug on arm64 caused a bad ip address to be used for\nupdating into a nop in ftrace_init(), but the error path (rightfully)\nreturned -EINVAL and not -EFAULT, as the bug caused more than one error to\noccur. But because -EINVAL was returned, the ftrace_bug() tried to report\nwhat was at the location of the ip address, and read it directly. This\ncaused the machine to panic, as the ip was not pointing to a valid memory\naddress.\n\nInstead, read the ip address with copy_from_kernel_nofault() to safely\naccess the memory, and if it faults, report that the address faulted,\notherwise report what was in that location.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47276",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot.  The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory.  However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva.  If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable.  One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86.  Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier.  However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space.  Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets.  Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached.  This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47277",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()\n\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47278",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47279",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix use-after-free read in drm_getunique()\n\nThere is a time-of-check-to-time-of-use error in drm_getunique() due\nto retrieving file_priv->master prior to locking the device's master\nmutex.\n\nAn example can be seen in the crash report of the use-after-free error\nfound by Syzbot:\nhttps://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803\n\nIn the report, the master pointer was used after being freed. This is\nbecause another process had acquired the device's master mutex in\ndrm_setmaster_ioctl(), then overwrote fpriv->master in\ndrm_new_set_master(). The old value of fpriv->master was subsequently\nfreed before the mutex was unlocked.\n\nTo fix this, we lock the device's master mutex before retrieving the\npointer from fpriv->master. This patch passes the Syzbot\nreproducer test.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47280",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses.  It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily.  This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47281",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm2835: Fix out-of-bounds access with more than 4 slaves\n\nCommit 571e31fa60b3 (\"spi: bcm2835: Cache CS register value for\n->prepare_message()\") limited the number of slaves to 3 at compile-time.\nThe limitation was necessitated by a statically-sized array prepare_cs[]\nin the driver private data which contains a per-slave register value.\n\nThe commit sought to enforce the limitation at run-time by setting the\ncontroller's num_chipselect to 3:  Slaves with a higher chipselect are\nrejected by spi_add_device().\n\nHowever the commit neglected that num_chipselect only limits the number\nof *native* chipselects.  If GPIO chipselects are specified in the\ndevice tree for more than 3 slaves, num_chipselect is silently raised by\nof_spi_get_gpio_numbers() and the result are out-of-bounds accesses to\nthe statically-sized array prepare_cs[].\n\nAs a bandaid fix which is backportable to stable, raise the number of\nallowed slaves to 24 (which \"ought to be enough for anybody\"), enforce\nthe limitation on slave ->setup and revert num_chipselect to 3 (which is\nthe number of native chipselects supported by the controller).\nAn upcoming for-next commit will allow an arbitrary number of slaves.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47282",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet:sfc: fix non-freed irq in legacy irq mode\n\nSFC driver can be configured via modparam to work using MSI-X, MSI or\nlegacy IRQ interrupts. In the last one, the interrupt was not properly\nreleased on module remove.\n\nIt was not freed because the flag irqs_hooked was not set during\ninitialization in the case of using legacy IRQ.\n\nExample of (trimmed) trace during module remove without this fix:\n\nremove_proc_entry: removing non-empty directory 'irq/125', leaking at least '0000:3b:00.1'\nWARNING: CPU: 39 PID: 3658 at fs/proc/generic.c:715 remove_proc_entry+0x15c/0x170\n...trimmed...\nCall Trace:\n unregister_irq_proc+0xe3/0x100\n free_desc+0x29/0x70\n irq_free_descs+0x47/0x70\n mp_unmap_irq+0x58/0x60\n acpi_unregister_gsi_ioapic+0x2a/0x40\n acpi_pci_irq_disable+0x78/0xb0\n pci_disable_device+0xd1/0x100\n efx_pci_remove+0xa1/0x1e0 [sfc]\n pci_device_remove+0x38/0xa0\n __device_release_driver+0x177/0x230\n driver_detach+0xcb/0x110\n bus_remove_driver+0x58/0xd0\n pci_unregister_driver+0x2a/0xb0\n efx_exit_module+0x24/0xf40 [sfc]\n __do_sys_delete_module.constprop.0+0x171/0x280\n ? exit_to_user_mode_prepare+0x83/0x1d0\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f9f9385800b\n...trimmed...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47283",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: netjet: Fix crash in nj_probe:\n\n'nj_setup' in netjet.c might fail with -EIO and in this case\n'card->irq' is initialized and is bigger than zero. A subsequent call to\n'nj_release' will free the irq that has not been requested.\n\nFix this bug by deleting the previous assignment to 'card->irq' and just\nkeep the assignment before 'request_irq'.\n\nThe KASAN's log reveals it:\n\n[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826\nfree_irq+0x100/0x480\n[    3.355112 ] Modules linked in:\n[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.356552 ] RIP: 0010:free_irq+0x100/0x480\n[    3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18\n4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5\nff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80\n[    3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082\n[    3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:\n0000000000000000\n[    3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:\n00000000ffffffff\n[    3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:\n0000000000000000\n[    3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:\n0000000000000000\n[    3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:\nffff888104dc80a8\n[    3.360652 ] FS:  0000000000000000(0000) GS:ffff88817bc00000(0000)\nknlGS:0000000000000000\n[    3.361170 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:\n00000000000006f0\n[    3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[    3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[    3.362175 ] Call Trace:\n[    3.362175 ]  nj_release+0x51/0x1e0\n[    3.362175 ]  nj_probe+0x450/0x950\n[    3.362175 ]  ? pci_device_remove+0x110/0x110\n[    3.362175 ]  local_pci_probe+0x45/0xa0\n[    3.362175 ]  pci_device_probe+0x12b/0x1d0\n[    3.362175 ]  really_probe+0x2a9/0x610\n[    3.362175 ]  driver_probe_device+0x90/0x1d0\n[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20\n[    3.362175 ]  device_driver_attach+0x68/0x70\n[    3.362175 ]  __driver_attach+0x124/0x1b0\n[    3.362175 ]  ? device_driver_attach+0x70/0x70\n[    3.362175 ]  bus_for_each_dev+0xbb/0x110\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  driver_attach+0x27/0x30\n[    3.362175 ]  bus_add_driver+0x1eb/0x2a0\n[    3.362175 ]  driver_register+0xa9/0x180\n[    3.362175 ]  __pci_register_driver+0x82/0x90\n[    3.362175 ]  ? w6692_init+0x38/0x38\n[    3.362175 ]  nj_init+0x36/0x38\n[    3.362175 ]  do_one_initcall+0x7f/0x3d0\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80\n[    3.362175 ]  kernel_init_freeable+0x2aa/0x301\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  kernel_init+0x18/0x190\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ret_from_fork+0x1f/0x30\n[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...\n[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.362175 ] Call Trace:\n[    3.362175 ]  dump_stack+0xba/0xf5\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  panic+0x15a/0x3f2\n[    3.362175 ]  ? __warn+0xf2/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  __warn+0x108/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  report_bug+0x119/0x1c0\n[    3.362175 ]  handle_bug+0x3b/0x80\n[    3.362175 ]  exc_invalid_op+0x18/0x70\n[    3.362175 ]  asm_exc_invalid_op+0x12/0x20\n[    3.362175 ] RIP: 0010:free_irq+0x100\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47284",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13"
        },
        {
          "id": "CVE-2021-47286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: core: Validate channel ID when processing command completions\n\nMHI reads the channel ID from the event ring element sent by the\ndevice which can be any value between 0 and 255. In order to\nprevent any out of bound accesses, add a check against the maximum\nnumber of channels supported by the controller and those channels\nnot configured yet so as to skip processing of that event ring\nelement.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47286",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: auxiliary bus: Fix memory leak when driver_register() fail\n\nIf driver_register() returns with error we need to free the memory\nallocated for auxdrv->driver.name before returning from\n__auxiliary_driver_register()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47287",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\n\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\n\narch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\n\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structure\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof &com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\n\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use &com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of &com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\n\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47288",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: fix NULL pointer dereference\n\nCommit 71f642833284 (\"ACPI: utils: Fix reference counting in\nfor_each_acpi_dev_match()\") started doing \"acpi_dev_put()\" on a pointer\nthat was possibly NULL.  That fails miserably, because that helper\ninline function is not set up to handle that case.\n\nJust make acpi_dev_put() silently accept a NULL pointer, rather than\ncalling down to put_device() with an invalid offset off that NULL\npointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47289",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL dereference on XCOPY completion\n\nCPU affinity control added with commit 39ae3edda325 (\"scsi: target: core:\nMake completion affinity configurable\") makes target_complete_cmd() queue\nwork on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state.\n\nLIO's EXTENDED COPY worker is a special case in that read/write cmds are\ndispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn\npointer following initialization in target_xcopy_setup_pt().\n\nThe NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of\nany EXTENDED COPY initiated read/write cmds. E.g using the libiscsi\nSCSI.ExtendedCopy.Simple test:\n\n  BUG: kernel NULL pointer dereference, address: 00000000000001a8\n  RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod]\n  Call Trace:\n   fd_execute_rw+0x148/0x42a [target_core_file]\n   ? __dynamic_pr_debug+0xa7/0xe0\n   ? target_check_reservation+0x5b/0x940 [target_core_mod]\n   __target_execute_cmd+0x1e/0x90 [target_core_mod]\n   transport_generic_new_cmd+0x17c/0x330 [target_core_mod]\n   target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod]\n   target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod]\n   ? target_check_fua+0x40/0x40 [target_core_mod]\n   ? transport_complete_task_attr+0x130/0x130 [target_core_mod]\n   target_xcopy_do_work+0x61f/0xc00 [target_core_mod]\n\nThis fix makes target_complete_cmd() queue work on se_cmd->cpuid if\nse_tpg_wwn is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47290",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions\n\nWhile running the self-tests on a KASAN enabled kernel, I observed a\nslab-out-of-bounds splat very similar to the one reported in\ncommit 821bbf79fe46 (\"ipv6: Fix KASAN: slab-out-of-bounds Read in\n fib6_nh_flush_exceptions\").\n\nWe additionally need to take care of fib6_metrics initialization\nfailure when the caller provides an nh.\n\nThe fix is similar, explicitly free the route instead of calling\nfib6_info_release on a half-initialized object.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47291",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memleak in io_init_wq_offload()\n\nI got memory leak report when doing fuzz test:\n\nBUG: memory leak\nunreferenced object 0xffff888107310a80 (size 96):\ncomm \"syz-executor.6\", pid 4610, jiffies 4295140240 (age 20.135s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nbacktrace:\n[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]\n[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]\n[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]\n[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955\n[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016\n[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]\n[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]\n[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]\n[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301\n[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCPU0                          CPU1\nio_uring_enter                io_uring_enter\nio_uring_add_tctx_node        io_uring_add_tctx_node\n__io_uring_add_tctx_node      __io_uring_add_tctx_node\nio_uring_alloc_task_context   io_uring_alloc_task_context\nio_init_wq_offload            io_init_wq_offload\nhash = kzalloc                hash = kzalloc\nctx->hash_map = hash          ctx->hash_map = hash <- one of the hash is leaked\n\nWhen calling io_uring_enter() in parallel, the 'hash_map' will be leaked,\nadd uring_lock to protect 'hash_map'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47292",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: Skip non-Ethernet packets\n\nCurrently tcf_skbmod_act() assumes that packets use Ethernet as their L2\nprotocol, which is not always the case.  As an example, for CAN devices:\n\n\t$ ip link add dev vcan0 type vcan\n\t$ ip link set up vcan0\n\t$ tc qdisc add dev vcan0 root handle 1: htb\n\t$ tc filter add dev vcan0 parent 1: protocol ip prio 10 \\\n\t\tmatchall action skbmod swap mac\n\nDoing the above silently corrupts all the packets.  Do not perform skbmod\nactions for non-Ethernet packets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47293",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Decrease sock refcount when sock timers expire\n\nCommit 63346650c1a9 (\"netrom: switch to sock timer API\") switched to use\nsock timer API. It replaces mod_timer() by sk_reset_timer(), and\ndel_timer() by sk_stop_timer().\n\nFunction sk_reset_timer() will increase the refcount of sock if it is\ncalled on an inactive timer, hence, in case the timer expires, we need to\ndecrease the refcount ourselves in the handler, otherwise, the sock\nrefcount will be unbalanced and the sock will never be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47294",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix memory leak in tcindex_partial_destroy_work\n\nSyzbot reported memory leak in tcindex_set_parms(). The problem was in\nnon-freed perfect hash in tcindex_partial_destroy_work().\n\nIn tcindex_set_parms() new tcindex_data is allocated and some fields from\nold one are copied to new one, but not the perfect hash. Since\ntcindex_partial_destroy_work() is the destroy function for old\ntcindex_data, we need to free perfect hash to avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47295",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak\n\nvcpu_put is not called if the user copy fails. This can result in preempt\nnotifier corruption and crashes, among other issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47296",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix uninit-value in caif_seqpkt_sendmsg\n\nWhen nr_segs equals zero in iovec_from_user, the object\nmsg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg\nwhich is defined in ___sys_sendmsg. So we can't just judge\nmsg->msg_iter.iov->base directly. We can use nr_segs to judge\nwhether msg in caif_seqpkt_sendmsg has data buffers.\n\n=====================================================\nBUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1c9/0x220 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343\n ___sys_sendmsg net/socket.c:2397 [inline]\n __sys_sendmmsg+0x808/0xc90 net/socket.c:2480\n __compat_sys_sendmmsg net/compat.c:656 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47297",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix potential memory leak on unlikely error case\n\nIf skb_linearize is needed and fails we could leak a msg on the error\nhandling. To fix ensure we kfree the msg block before returning error.\nFound during code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47298",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link->dev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index()        |\nlink->dev = dev           |\n                          |      rtnl_lock()\n                          |      unregister_netdevice_many()\n                          |          dev_xdp_uninstall()\n                          |      rtnl_unlock()\nrtnl_lock();              |\ndev_xdp_attach_link()     |\nrtnl_unlock();            |\n                          |      netdev_run_todo() // dev released\nbpf_xdp_link_release()    |\n    /* access dev.        |\n       use-after-free */  |\n\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[   45.968297]\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[   45.969222] Hardware name: linux,dummy-virt (DT)\n[   45.969795] Call trace:\n[   45.970106]  dump_backtrace+0x0/0x4c8\n[   45.970564]  show_stack+0x30/0x40\n[   45.970981]  dump_stack_lvl+0x120/0x18c\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\n[   45.972182]  kasan_report+0x1e8/0x200\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.973834]  bpf_link_free+0xd0/0x188\n[   45.974315]  bpf_link_put+0x1d0/0x218\n[   45.974790]  bpf_link_release+0x3c/0x58\n[   45.975291]  __fput+0x20c/0x7e8\n[   45.975706]  ____fput+0x24/0x30\n[   45.976117]  task_work_run+0x104/0x258\n[   45.976609]  do_notify_resume+0x894/0xaf8\n[   45.977121]  work_pending+0xc/0x328\n[   45.977575]\n[   45.977775] The buggy address belongs to the page:\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[   45.982259] page dumped because: kasan: bad access detected\n[   45.982948]\n[   45.983153] Memory state around the buggy address:\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.986419]                                               ^\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988895] ==================================================================\n[   45.989773] Disabling lock debugging due to kernel taint\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\n[   45.991929] Hardware name: linux,dummy-virt (DT)\n[   45.992448] Call trace:\n[   45.992753]  dump_backtrace+0x0/0x4c8\n[   45.993208]  show_stack+0x30/0x40\n[   45.993627]  dump_stack_lvl+0x120/0x18c\n[   45.994113]  dump_stack+0x1c/0x34\n[   45.994530]  panic+0x3a4/0x7d8\n[   45.994930]  end_report+0x194/0x198\n[   45.995380]  kasan_report+0x134/0x200\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.997007]  bpf_link_free+0xd0/0x188\n[   45.997474]  bpf_link_put+0x1d0/0x218\n[   45.997942]  bpf_link_release+0x3c/0x58\n[   45.998429]  __fput+0x20c/0x7e8\n[   45.998833]  ____fput+0x24/0x30\n[   45.999247]  task_work_run+0x104/0x258\n[   45.999731]  do_notify_resume+0x894/0xaf8\n[   46.000236]  work_pending\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47299",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix tail_call_reachable rejection for interpreter when jit failed\n\nDuring testing of f263a81451c1 (\"bpf: Track subprog poke descriptors correctly\nand fix use-after-free\") under various failure conditions, for example, when\njit_subprogs() fails and tries to clean up the program to be run under the\ninterpreter, we ran into the following freeze:\n\n  [...]\n  #127/8 tailcall_bpf2bpf_3:FAIL\n  [...]\n  [   92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20\n  [   92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682\n  [   92.043707]\n  [   92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G   O   5.13.0-53301-ge6c08cb33a30-dirty #87\n  [   92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\n  [   92.046785] Call Trace:\n  [   92.047171]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.047773]  ? __bpf_prog_run_args32+0x8b/0xb0\n  [   92.048389]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.049019]  ? ktime_get+0x117/0x130\n  [...] // few hundred [similar] lines more\n  [   92.659025]  ? ktime_get+0x117/0x130\n  [   92.659845]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.660738]  ? __bpf_prog_run_args32+0x8b/0xb0\n  [   92.661528]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.662378]  ? print_usage_bug+0x50/0x50\n  [   92.663221]  ? print_usage_bug+0x50/0x50\n  [   92.664077]  ? bpf_ksym_find+0x9c/0xe0\n  [   92.664887]  ? ktime_get+0x117/0x130\n  [   92.665624]  ? kernel_text_address+0xf5/0x100\n  [   92.666529]  ? __kernel_text_address+0xe/0x30\n  [   92.667725]  ? unwind_get_return_address+0x2f/0x50\n  [   92.668854]  ? ___bpf_prog_run+0x15d4/0x2e20\n  [   92.670185]  ? ktime_get+0x117/0x130\n  [   92.671130]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.672020]  ? __bpf_prog_run_args32+0x8b/0xb0\n  [   92.672860]  ? __bpf_prog_run_args64+0xc0/0xc0\n  [   92.675159]  ? ktime_get+0x117/0x130\n  [   92.677074]  ? lock_is_held_type+0xd5/0x130\n  [   92.678662]  ? ___bpf_prog_run+0x15d4/0x2e20\n  [   92.680046]  ? ktime_get+0x117/0x130\n  [   92.681285]  ? __bpf_prog_run32+0x6b/0x90\n  [   92.682601]  ? __bpf_prog_run64+0x90/0x90\n  [   92.683636]  ? lock_downgrade+0x370/0x370\n  [   92.684647]  ? mark_held_locks+0x44/0x90\n  [   92.685652]  ? ktime_get+0x117/0x130\n  [   92.686752]  ? lockdep_hardirqs_on+0x79/0x100\n  [   92.688004]  ? ktime_get+0x117/0x130\n  [   92.688573]  ? __cant_migrate+0x2b/0x80\n  [   92.689192]  ? bpf_test_run+0x2f4/0x510\n  [   92.689869]  ? bpf_test_timer_continue+0x1c0/0x1c0\n  [   92.690856]  ? rcu_read_lock_bh_held+0x90/0x90\n  [   92.691506]  ? __kasan_slab_alloc+0x61/0x80\n  [   92.692128]  ? eth_type_trans+0x128/0x240\n  [   92.692737]  ? __build_skb+0x46/0x50\n  [   92.693252]  ? bpf_prog_test_run_skb+0x65e/0xc50\n  [   92.693954]  ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0\n  [   92.694639]  ? __fget_light+0xa1/0x100\n  [   92.695162]  ? bpf_prog_inc+0x23/0x30\n  [   92.695685]  ? __sys_bpf+0xb40/0x2c80\n  [   92.696324]  ? bpf_link_get_from_fd+0x90/0x90\n  [   92.697150]  ? mark_held_locks+0x24/0x90\n  [   92.698007]  ? lockdep_hardirqs_on_prepare+0x124/0x220\n  [   92.699045]  ? finish_task_switch+0xe6/0x370\n  [   92.700072]  ? lockdep_hardirqs_on+0x79/0x100\n  [   92.701233]  ? finish_task_switch+0x11d/0x370\n  [   92.702264]  ? __switch_to+0x2c0/0x740\n  [   92.703148]  ? mark_held_locks+0x24/0x90\n  [   92.704155]  ? __x64_sys_bpf+0x45/0x50\n  [   92.705146]  ? do_syscall_64+0x35/0x80\n  [   92.706953]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [...]\n\nTurns out that the program rejection from e411901c0b77 (\"bpf: allow for tailcalls\nin BPF subprograms for x64 JIT\") is buggy since env->prog->aux->tail_call_reachable\nis never true. Commit ebf7d1f508a7 (\"bpf, x64: rework pro/epilogue and tailcall\nhandling in JIT\") added a tracker into check_max_stack_depth() which propagates\nthe tail_call_reachable condition throughout the subprograms. This info is then\nassigned to the subprogram's \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47300",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igb_poll() runs\nwhile the controller is reset this can lead to the driver trying to free\na skb that was already freed.\n\n(The crash is harder to reproduce with the igb driver, but the same\npotential problem exists as the code is identical to igc)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47301",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igc_poll() runs\nwhile the controller is being reset this can lead to the driver trying to\nfree a skb that was already freed.\n\nLog message:\n\n [  101.525242] refcount_t: underflow; use-after-free.\n [  101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0\n [  101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)\n x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)\n ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)\n rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)\n soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)\n iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)\n soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)\n autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)\n i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)\n [  101.525303]  drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)\n e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)\n usbcore(E) drm(E) button(E) video(E)\n [  101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G            E     5.10.30-rt37-tsn1-rt-ipipe #ipipe\n [  101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017\n [  101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0\n [  101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48\n 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3\n [  101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286\n [  101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001\n [  101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff\n [  101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50\n [  101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00\n [  101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40\n [  101.525337] FS:  0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000\n [  101.525339] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [  101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0\n [  101.525343] Call Trace:\n [  101.525346]  sock_wfree+0x9c/0xa0\n [  101.525353]  unix_destruct_scm+0x7b/0xa0\n [  101.525358]  skb_release_head_state+0x40/0x90\n [  101.525362]  skb_release_all+0xe/0x30\n [  101.525364]  napi_consume_skb+0x57/0x160\n [  101.525367]  igc_poll+0xb7/0xc80 [igc]\n [  101.525376]  ? sched_clock+0x5/0x10\n [  101.525381]  ? sched_clock_cpu+0xe/0x100\n [  101.525385]  net_rx_action+0x14c/0x410\n [  101.525388]  __do_softirq+0xe9/0x2f4\n [  101.525391]  __local_bh_enable_ip+0xe3/0x110\n [  101.525395]  ? irq_finalize_oneshot.part.47+0xe0/0xe0\n [  101.525398]  irq_forced_thread_fn+0x6a/0x80\n [  101.525401]  irq_thread+0xe8/0x180\n [  101.525403]  ? wake_threads_waitq+0x30/0x30\n [  101.525406]  ? irq_thread_check_affinity+0xd0/0xd0\n [  101.525408]  kthread+0x183/0x1a0\n [  101.525412]  ? kthread_park+0x80/0x80\n [  101.525415]  ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47302",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Track subprog poke descriptors correctly and fix use-after-free\n\nSubprograms are calling map_poke_track(), but on program release there is no\nhook to call map_poke_untrack(). However, on program release, the aux memory\n(and poke descriptor table) is freed even though we still have a reference to\nit in the element list of the map aux data. When we run map_poke_run(), we then\nend up accessing free'd memory, triggering KASAN in prog_array_map_poke_run():\n\n  [...]\n  [  402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e\n  [  402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337\n  [  402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G          I       5.12.0+ #399\n  [  402.824715] Call Trace:\n  [  402.824719]  dump_stack+0x93/0xc2\n  [  402.824727]  print_address_description.constprop.0+0x1a/0x140\n  [  402.824736]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824740]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824744]  kasan_report.cold+0x7c/0xd8\n  [  402.824752]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824757]  prog_array_map_poke_run+0xc2/0x34e\n  [  402.824765]  bpf_fd_array_map_update_elem+0x124/0x1a0\n  [...]\n\nThe elements concerned are walked as follows:\n\n    for (i = 0; i < elem->aux->size_poke_tab; i++) {\n           poke = &elem->aux->poke_tab[i];\n    [...]\n\nThe access to size_poke_tab is a 4 byte read, verified by checking offsets\nin the KASAN dump:\n\n  [  402.825004] The buggy address belongs to the object at ffff8881905a7800\n                 which belongs to the cache kmalloc-1k of size 1024\n  [  402.825008] The buggy address is located 320 bytes inside of\n                 1024-byte region [ffff8881905a7800, ffff8881905a7c00)\n\nThe pahole output of bpf_prog_aux:\n\n  struct bpf_prog_aux {\n    [...]\n    /* --- cacheline 5 boundary (320 bytes) --- */\n    u32                        size_poke_tab;        /*   320     4 */\n    [...]\n\nIn general, subprograms do not necessarily manage their own data structures.\nFor example, BTF func_info and linfo are just pointers to the main program\nstructure. This allows reference counting and cleanup to be done on the latter\nwhich simplifies their management a bit. The aux->poke_tab struct, however,\ndid not follow this logic. The initial proposed fix for this use-after-free\nbug further embedded poke data tracking into the subprogram with proper\nreference counting. However, Daniel and Alexei questioned why we were treating\nthese objects special; I agree, it's unnecessary. The fix here removes the per\nsubprogram poke table allocation and map tracking and instead simply points\nthe aux->poke_tab pointer at the main program's poke table. This way, map\ntracking is simplified to the main program and we do not need to manage them\nper subprogram.\n\nThis also means, bpf_prog_free_deferred(), which unwinds the program reference\ncounting and kfrees objects, needs to ensure that we don't try to double free\nthe poke_tab when free'ing the subprog structures. This is easily solved by\nNULL'ing the poke_tab pointer. The second detail is to ensure that per\nsubprogram JIT logic only does fixups on poke_tab[] entries it owns. To do\nthis, we add a pointer in the poke structure to point at the subprogram value\nso JITs can easily check while walking the poke_tab structure if the current\nentry belongs to the current program. The aux pointer is stable and therefore\nsuitable for such comparison. On the jit_subprogs() error path, we omit\ncleaning up the poke->aux field because these are only ever referenced from\nthe JIT side, but on error we will never make it to the JIT, so it's fine to\nleave them dangling. Removing these pointers would complicate the error path\nfor no reason. However, we do need to untrack all poke descriptors from the\nmain program as otherwise they could race with the freeing of JIT memory from\nthe subprograms. Lastly, a748c6975dea3 (\"bpf: propagate poke des\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47303",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n    which calls:\n       tcp_set_congestion_control() ->\n         tcp_reinit_congestion_control() ->\n           tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n    set icsk_ca_initialized=0 (without first calling cc->release()),\n    call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc->release() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g., CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47304",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sync_file: Don't leak fences on merge failure\n\nEach add_fence() call does a dma_fence_get() on the relevant fence.  In\nthe error path, we weren't calling dma_fence_put() so all those fences\ngot leaked.  Also, in the krealloc_array failure case, we weren't\nfreeing the fences array.  Instead, ensure that i and fences are always\nzero-initialized and dma_fence_put() all the fences and kfree(fences) on\nevery error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47305",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fddi: fix UAF in fza_probe\n\nfp is netdev private data and it cannot be\nused after free_netdev() call. Using fp after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() after error message.\n\nTURBOchannel adapter\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47306",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL deref in cifs_compose_mount_options()\n\nThe optional @ref parameter might contain a NULL node_name, so\nprevent dereferencing it in cifs_compose_mount_options().\n\nAddresses-Coverity: 1476408 (\"Explicit null dereferenced\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47307",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix array index out of bound exception\n\nFix array index out of bound exception in fc_rport_prli_resp().",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47308",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: validate lwtstate->data before returning from skb_tunnel_info()\n\nskb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info\ntype without validation. lwtstate->data can have various types such as\nmpls_iptunnel_encap, etc and these are not compatible.\nSo skb_tunnel_info() should validate before returning that pointer.\n\nSplat looks like:\nBUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]\nRead of size 2 at addr ffff888106ec2698 by task ping/811\n\nCPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195\nCall Trace:\n dump_stack_lvl+0x56/0x7b\n print_address_description.constprop.8.cold.13+0x13/0x2ee\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n kasan_report.cold.14+0x83/0xdf\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n vxlan_get_route+0x418/0x4b0 [vxlan]\n [ ... ]\n vxlan_xmit_one+0x148b/0x32b0 [vxlan]\n [ ... ]\n vxlan_xmit+0x25c5/0x4780 [vxlan]\n [ ... ]\n dev_hard_start_xmit+0x1ae/0x6e0\n __dev_queue_xmit+0x1f39/0x31a0\n [ ... ]\n neigh_xmit+0x2f9/0x940\n mpls_xmit+0x911/0x1600 [mpls_iptunnel]\n lwtunnel_xmit+0x18f/0x450\n ip_finish_output2+0x867/0x2040\n [ ... ]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47309",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: fix UAF in tlan_remove_one\n\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47310",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qcom/emac: fix UAF in emac_remove\n\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47311",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix dereference of null pointer flow\n\nIn the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then\nnft_flow_rule_create is not called and flow is NULL. The subsequent\nerror handling execution via label err_destroy_flow_rule will lead\nto a null pointer dereference on flow when calling nft_flow_rule_destroy.\nSince the error path to err_destroy_flow_rule has to cater for null\nand non-null flows, only call nft_flow_rule_destroy if flow is non-null\nto fix this issue.\n\nAddresses-Coverity: (\"Explicity null dereference\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47312",
          "detail": "fixed-version",
          "description": "Fixed from version 5.13.5"
        },
        {
          "id": "CVE-2021-47313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Fix potential memleak in cppc_cpufreq_cpu_init\n\nIt's a classic example of memleak, we allocate something, we fail and\nnever free the resources.\n\nMake sure we free all resources on policy ->init() failures.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47313",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: fsl_ifc: fix leak of private memory on probe failure\n\nOn probe error the driver should free the memory allocated for private\nstructure.  Fix this by using resource-managed allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47314",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: fsl_ifc: fix leak of IO mapping on probe failure\n\nOn probe error the driver should unmap the IO memory.  Smatch reports:\n\n  drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47315",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix NULL dereference in nfs3svc_encode_getaclres\n\nIn error cases the dentry may be NULL.\n\nBefore 20798dfe249a, the encoder also checked dentry and\nd_really_is_positive(dentry), but that looks like overkill to me--zero\nstatus should be enough to guarantee a positive dentry.\n\nThis isn't the first time we've seen an error-case NULL dereference\nhidden in the initialization of a local variable in an xdr encoder.  But\nI went back through the other recent rewrites and didn't spot any\nsimilar bugs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47316",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf: Fix detecting BPF atomic instructions\n\nCommit 91c960b0056672 (\"bpf: Rename BPF_XADD and prepare to encode other\natomics in .imm\") converted BPF_XADD to BPF_ATOMIC and added a way to\ndistinguish instructions based on the immediate field. Existing JIT\nimplementations were updated to check for the immediate field and to\nreject programs utilizing anything more than BPF_ADD (such as BPF_FETCH)\nin the immediate field.\n\nHowever, the check added to powerpc64 JIT did not look at the correct\nBPF instruction. Due to this, such programs would be accepted and\nincorrectly JIT'ed resulting in soft lockups, as seen with the atomic\nbounds test. Fix this by looking at the correct immediate value.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47317",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Avoid use-after-free for scale_freq_data\n\nCurrently topology_scale_freq_tick() (which gets called from\nscheduler_tick()) may end up using a pointer to \"struct\nscale_freq_data\", which was previously cleared by\ntopology_clear_scale_freq_source(), as there is no protection in place\nhere. The users of topology_clear_scale_freq_source() though needs a\nguarantee that the previously cleared scale_freq_data isn't used\nanymore, so they can free the related resources.\n\nSince topology_scale_freq_tick() is called from scheduler tick, we don't\nwant to add locking in there. Use the RCU update mechanism instead\n(which is already used by the scheduler's utilization update path) to\nguarantee race free updates here.\n\nsynchronize_rcu() makes sure that all RCU critical sections that started\nbefore it is called, will finish before it returns. And so the callers\nof topology_clear_scale_freq_source() don't need to worry about their\ncallback getting called anymore.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47318",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Fix memory leak among suspend/resume procedure\n\nThe vblk->vqs should be freed before we call init_vqs()\nin virtblk_restore().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47319",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix acl memory leak of posix_acl_create()\n\nWhen looking into another nfs xfstests report, I found acl and\ndefault_acl in nfs3_proc_create() and nfs3_proc_mknod() error\npaths are possibly leaked. Fix them in advance.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47320",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: Fix possible use-after-free by calling del_timer_sync()\n\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47321",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix an Oops in pnfs_mark_request_commit() when doing O_DIRECT\n\nFix an Oopsable condition in pnfs_mark_request_commit() when we're\nputting a set of writes on the commit list to reschedule them after a\nfailed pNFS attempt.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47322",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47323",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: Fix possible use-after-free in wdt_startup()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47324",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Fix arm_smmu_device refcount leak in address translation\n\nThe reference counting issue happens in several exception handling paths\nof arm_smmu_iova_to_phys_hard(). When those error scenarios occur, the\nfunction forgets to decrease the refcount of \"smmu\" increased by\narm_smmu_rpm_get(), causing a refcount leak.\n\nFix this issue by jumping to \"out\" label when those error scenarios\noccur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47325",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails\n\narm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the\nrefcount of the \"smmu\" even though the return value is less than 0.\n\nThe reference counting issue happens in some error handling paths of\narm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get()\nfails, the caller functions forget to decrease the refcount of \"smmu\"\nincreased by arm_smmu_rpm_get(), causing a refcount leak.\n\nFix this issue by calling pm_runtime_resume_and_get() instead of\npm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount\nbalanced in case of failure.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47327",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: Fix conn use after free during resets\n\nIf we haven't done a unbind target call we can race where\niscsi_conn_teardown wakes up the EH thread and then frees the conn while\nthose threads are still accessing the conn ehwait.\n\nWe can only do one TMF per session so this just moves the TMF fields from\nthe conn to the session. We can then rely on the\niscsi_session_teardown->iscsi_remove_session->__iscsi_unbind_session call\nto remove the target and it's devices, and know after that point there is\nno device or scsi-ml callout trying to access the session.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47328",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix resource leak in case of probe failure\n\nThe driver doesn't clean up all the allocated resources properly when\nscsi_add_host(), megasas_start_aen() function fails during the PCI device\nprobe.\n\nClean up all those resources.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47329",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: 8250: serial_cs: Fix a memory leak in error handling path\n\nIn the probe function, if the final 'serial_config()' fails, 'info' is\nleaking.\n\nAdd a resource handling path to free this memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47330",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: common: usb-conn-gpio: fix NULL pointer dereference of charger\n\nWhen power on system with OTG cable, IDDIG's interrupt arises before\nthe charger registration, it will cause a NULL pointer dereference,\nfix the issue by registering the power supply before requesting\nIDDIG/VBUS irq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47331",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usx2y: Don't call free_pages_exact() with NULL address\n\nUnlike some other functions, we can't pass NULL pointer to\nfree_pages_exact().  Add a proper NULL check for avoiding possible\nOops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47332",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: alcor_pci: fix null-ptr-deref when there is no PCI bridge\n\nThere is an issue with the ASPM(optional) capability checking function.\nA device might be attached to root complex directly, in this case,\nbus->self(bridge) will be NULL, thus priv->parent_pdev is NULL.\nSince alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's\nASPM capability and populate parent_cap_off, which will be used later by\nalcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do\nhere is to avoid checking the capability if we are on the root complex.\nThis will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply\nreturn when bring called, effectively disable ASPM for the device.\n\n[    1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[    1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40\n[    1.253998] Call Trace:\n[    1.254131]  ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]\n[    1.254476]  alcor_pci_probe+0x169/0x2d5 [alcor_pci]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47333",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/libmasm/module: Fix two use after free in ibmasm_init_one\n\nIn ibmasm_init_one, it calls ibmasm_init_remote_input_dev().\nInside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are\nallocated by input_allocate_device(), and assigned to\nsp->remote.mouse_dev and sp->remote.keybd_dev respectively.\n\nIn the err_free_devices error branch of ibmasm_init_one,\nmouse_dev and keybd_dev are freed by input_free_device(), and return\nerror. Then the execution runs into error_send_message error branch\nof ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called\nto unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.\n\nMy patch add a \"error_init_remote\" label to handle the error of\nibmasm_init_remote_input_dev(), to avoid the uaf bugs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47334",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances\n\nAs syzbot reported, there is an use-after-free issue during f2fs recovery:\n\nUse-after-free write at 0xffff88823bc16040 (in kfence-#10):\n kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486\n f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869\n f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945\n mount_bdev+0x26c/0x3a0 fs/super.c:1367\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2905 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3235\n do_mount fs/namespace.c:3248 [inline]\n __do_sys_mount fs/namespace.c:3456 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433\n do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is multi f2fs filesystem instances can race on accessing\nglobal fsync_entry_slab pointer, result in use-after-free issue of slab\ncache, fixes to init/destroy this slab cache only once during module\ninit/destroy procedure to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47335",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmackfs: restrict bytes count in smk_set_cipso()\n\nOops, I failed to update subject line.\n\nFrom 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001\nDate: Mon, 12 Apr 2021 22:25:06 +0900\nSubject: [PATCH] smackfs: restrict bytes count in smk_set_cipso()\n\nCommit 7ef4c19d245f3dc2 (\"smackfs: restrict bytes count in smackfs write\nfunctions\") missed that count > SMK_CIPSOMAX check applies to only\nformat == SMK_FIXED24_FMT case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47336",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix bad pointer dereference when ehandler kthread is invalid\n\nCommit 66a834d09293 (\"scsi: core: Fix error handling of scsi_host_alloc()\")\nchanged the allocation logic to call put_device() to perform host cleanup\nwith the assumption that IDA removal and stopping the kthread would\nproperly be performed in scsi_host_dev_release(). However, in the unlikely\ncase that the error handler thread fails to spawn, shost->ehandler is set\nto ERR_PTR(-ENOMEM).\n\nThe error handler cleanup code in scsi_host_dev_release() will call\nkthread_stop() if shost->ehandler != NULL which will always be the case\nwhether the kthread was successfully spawned or not. In the case that it\nfailed to spawn this has the nasty side effect of trying to dereference an\ninvalid pointer when kthread_stop() is called. The following splat provides\nan example of this behavior in the wild:\n\nscsi host11: error handler thread failed to spawn, error = -4\nKernel attempted to read user page (10c) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x0000010c\nFaulting instruction address: 0xc00000000818e9a8\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region\n hash dm_log dm_mod fuse overlay squashfs loop\nCPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1\nNIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8\nREGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)\nMSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 28228228\nXER: 20040001\nCFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0\nGPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc\nGPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000\nGPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff\nGPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0\nGPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288\nGPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898\nGPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000\nGPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc\nNIP [c00000000818e9a8] kthread_stop+0x38/0x230\nLR [c0000000089846e8] scsi_host_dev_release+0x98/0x160\nCall Trace:\n[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)\n[c0000000089846e8] scsi_host_dev_release+0x98/0x160\n[c00000000891e960] device_release+0x60/0x100\n[c0000000087e55c4] kobject_release+0x84/0x210\n[c00000000891ec78] put_device+0x28/0x40\n[c000000008984ea4] scsi_host_alloc+0x314/0x430\n[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]\n[c000000008110104] vio_bus_probe+0xa4/0x4b0\n[c00000000892a860] really_probe+0x140/0x680\n[c00000000892aefc] driver_probe_device+0x15c/0x200\n[c00000000892b63c] device_driver_attach+0xcc/0xe0\n[c00000000892b740] __driver_attach+0xf0/0x200\n[c000000008926f28] bus_for_each_dev+0xa8/0x130\n[c000000008929ce4] driver_attach+0x34/0x50\n[c000000008928fc0] bus_add_driver+0x1b0/0x300\n[c00000000892c798] driver_register+0x98/0x1a0\n[c00000000810eb60] __vio_register_driver+0x80/0xe0\n[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]\n[c0000000080121d0] do_one_initcall+0x60/0x2d0\n[c000000008261abc] do_init_module+0x7c/0x320\n[c000000008265700] load_module+0x2350/0x25b0\n[c000000008265cb4] __do_sys_finit_module+0xd4/0x160\n[c000000008031110] system_call_exception+0x150/0x2d0\n[c00000000800d35c] system_call_common+0xec/0x278\n\nFix this be nulling shost->ehandler when the kthread fails to spawn.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47337",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmem: Do not delete the mode that is still in use\n\nThe execution of fb_delete_videomode() is not based on the result of the\nprevious fbcon_mode_deleted(). As a result, the mode is directly deleted,\nregardless of whether it is still in use, which may cause UAF.\n\n==================================================================\nBUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \\\ndrivers/video/fbdev/core/modedb.c:924\nRead of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962\n\nCPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x137/0x1be lib/dump_stack.c:118\n print_address_description+0x6c/0x640 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x13d/0x1e0 mm/kasan/report.c:562\n fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924\n fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746\n fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975\n do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 18960:\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x3d/0x70 mm/kasan/common.c:56\n kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355\n __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422\n slab_free_hook mm/slub.c:1541 [inline]\n slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574\n slab_free mm/slub.c:3139 [inline]\n kfree+0xca/0x3d0 mm/slub.c:4121\n fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104\n fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978\n do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xa9",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47338",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-core: explicitly clear ioctl input data\n\nAs seen from a recent syzbot bug report, mistakes in the compat ioctl\nimplementation can lead to uninitialized kernel stack data getting used\nas input for driver ioctl handlers.\n\nThe reported bug is now fixed, but it's possible that other related\nbugs are still present or get added in the future. As the drivers need\nto check user input already, the possible impact is fairly low, but it\nmight still cause an information leak.\n\nTo be on the safe side, always clear the entire ioctl buffer before\ncalling the conversion handler functions that are meant to initialize\nthem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47339",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix GPF in diFree\n\nAvoid passing inode with\nJFS_SBI(inode->i_sb)->ipimap == NULL to\ndiFree()[1]. GPF will appear:\n\n\tstruct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;\n\tstruct inomap *imap = JFS_IP(ipimap)->i_imap;\n\nJFS_IP() will return an invalid pointer when ipimap == NULL\n\nCall Trace:\n diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]\n jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154\n evict+0x2ed/0x750 fs/inode.c:578\n iput_final fs/inode.c:1654 [inline]\n iput.part.0+0x3fe/0x820 fs/inode.c:1680\n iput+0x58/0x70 fs/inode.c:1670",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47340",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 
mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c 
fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47341",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix possible UAF when remounting r/o a mmp-protected file system\n\nAfter commit 618f003199c6 (\"ext4: fix memory leak in\next4_fill_super\"), after the file system is remounted read-only, there\nis a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to\npoint at freed memory, which the call to ext4_stop_mmpd() can trip\nover.\n\nFix this by only allowing kmmpd() to exit when it is stopped via\next4_stop_mmpd().\n\nBug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47342",
          "detail": "fixed-version",
          "description": "Fixed from version 5.10.77"
        },
        {
          "id": "CVE-2021-47343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm btree remove: assign new_root only when removal succeeds\n\nremove_raw() in dm_btree_remove() may fail due to IO read error\n(e.g. read the content of origin block fails during shadowing),\nand the value of shadow_spine::root is uninitialized, but\nthe uninitialized value is still assigned to new_root at the\nend of dm_btree_remove().\n\nFor dm-thin, the value of pmd->details_root or pmd->root will become\nan uninitialized value, so if trying to read details_info tree again\nan out-of-bounds memory access may occur as shown below:\n\n  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520\n  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6\n  Hardware name: QEMU Standard PC\n  RIP: 0010:metadata_ll_load_ie+0x14/0x30\n  Call Trace:\n   sm_metadata_count_is_more_than_one+0xb9/0xe0\n   dm_tm_shadow_block+0x52/0x1c0\n   shadow_step+0x59/0xf0\n   remove_raw+0xb2/0x170\n   dm_btree_remove+0xf4/0x1c0\n   dm_pool_delete_thin_device+0xc3/0x140\n   pool_message+0x218/0x2b0\n   target_message+0x251/0x290\n   ctl_ioctl+0x1c4/0x4d0\n   dm_ctl_ioctl+0xe/0x20\n   __x64_sys_ioctl+0x7b/0xb0\n   do_syscall_64+0x40/0xb0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix it by only assigning new_root when removal succeeds",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47343",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: zr364xx: fix memory leak in zr364xx_start_readpipe\n\nsyzbot reported memory leak in zr364xx driver.\nThe problem was in non-freed urb in case of\nusb_submit_urb() fail.\n\nbacktrace:\n  [<ffffffff82baedf6>] kmalloc include/linux/slab.h:561 [inline]\n  [<ffffffff82baedf6>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74\n  [<ffffffff82f7cce8>] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022\n  [<ffffffff84251dfc>] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]\n  [<ffffffff84251dfc>] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516\n  [<ffffffff82bb6507>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n  [<ffffffff826018a9>] really_probe+0x159/0x500 drivers/base/dd.c:576",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47344",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix rdma_resolve_route() memory leak\n\nFix a memory leak when \"rdma_resolve_route()\" is called more than once on\nthe same \"rdma_cm_id\".\n\nThis is possible if cma_query_handler() triggers the\nRDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and\nallows rdma_resolve_route() to be called again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47345",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()\n\ncommit 6f755e85c332 (\"coresight: Add helper for inserting synchronization\npackets\") removed trailing '\\0' from barrier_pkt array and updated the\ncall sites like etb_update_buffer() to have proper checks for barrier_pkt\nsize before read but missed updating tmc_update_etf_buffer() which still\nreads barrier_pkt past the array size resulting in KASAN out-of-bounds\nbug. Fix this by adding a check for barrier_pkt size before accessing\nlike it is done in etb_update_buffer().\n\n BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698\n Read of size 4 at addr ffffffd05b7d1030 by task perf/2629\n\n Call trace:\n  dump_backtrace+0x0/0x27c\n  show_stack+0x20/0x2c\n  dump_stack+0x11c/0x188\n  print_address_description+0x3c/0x4a4\n  __kasan_report+0x140/0x164\n  kasan_report+0x10/0x18\n  __asan_report_load4_noabort+0x1c/0x24\n  tmc_update_etf_buffer+0x4b8/0x698\n  etm_event_stop+0x248/0x2d8\n  etm_event_del+0x20/0x2c\n  event_sched_out+0x214/0x6f0\n  group_sched_out+0xd0/0x270\n  ctx_sched_out+0x2ec/0x518\n  __perf_event_task_sched_out+0x4fc/0xe6c\n  __schedule+0x1094/0x16a0\n  preempt_schedule_irq+0x88/0x170\n  arm64_preempt_schedule_irq+0xf0/0x18c\n  el1_irq+0xe8/0x180\n  perf_event_exec+0x4d8/0x56c\n  setup_new_exec+0x204/0x400\n  load_elf_binary+0x72c/0x18c0\n  search_binary_handler+0x13c/0x420\n  load_script+0x500/0x6c4\n  search_binary_handler+0x13c/0x420\n  exec_binprm+0x118/0x654\n  __do_execve_file+0x77c/0xba4\n  __arm64_compat_sys_execve+0x98/0xac\n  el0_svc_common+0x1f8/0x5e0\n  el0_svc_compat_handler+0x84/0xb0\n  el0_svc_compat+0x10/0x50\n\n The buggy address belongs to the variable:\n  barrier_pkt+0x10/0x40\n\n Memory state around the buggy address:\n  ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00\n  ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00\n >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03\n                                      ^\n  ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa\n  ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47346",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwl1251: Fix possible buffer overflow in wl1251_cmd_scan\n\nFunction wl1251_cmd_scan calls memcpy without checking the length.\nHarden by checking the length is within the maximum allowed size.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47347",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid HDCP over-read and corruption\n\nInstead of reading the desired 5 bytes of the actual target field,\nthe code was reading 8. This could result in a corrupted value if the\ntrailing 3 bytes were non-zero, so instead use an appropriately sized\nand zero-initialized bounce buffer, and read only 5 bytes before casting\nto u64.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47348",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmwifiex: bring down link before deleting interface\n\nWe can deadlock when rmmod'ing the driver or going through firmware\nreset, because the cfg80211_unregister_wdev() has to bring down the link\nfor us, ... which then grab the same wiphy lock.\n\nnl80211_del_interface() already handles a very similar case, with a nice\ndescription:\n\n        /*\n         * We hold RTNL, so this is safe, without RTNL opencount cannot\n         * reach 0, and thus the rdev cannot be deleted.\n         *\n         * We need to do it for the dev_close(), since that will call\n         * the netdev notifiers, and we need to acquire the mutex there\n         * but don't know if we get there from here or from some other\n         * place (e.g. \"ip link set ... down\").\n         */\n        mutex_unlock(&rdev->wiphy.mtx);\n...\n\nDo similarly for mwifiex teardown, by ensuring we bring the link down\nfirst.\n\nSample deadlock trace:\n\n[  247.103516] INFO: task rmmod:2119 blocked for more than 123 seconds.\n[  247.110630]       Not tainted 5.12.4 #5\n[  247.115796] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  247.124557] task:rmmod           state:D stack:    0 pid: 2119 ppid:  2114 flags:0x00400208\n[  247.133905] Call trace:\n[  247.136644]  __switch_to+0x130/0x170\n[  247.140643]  __schedule+0x714/0xa0c\n[  247.144548]  schedule_preempt_disabled+0x88/0xf4\n[  247.149714]  __mutex_lock_common+0x43c/0x750\n[  247.154496]  mutex_lock_nested+0x5c/0x68\n[  247.158884]  cfg80211_netdev_notifier_call+0x280/0x4e0 [cfg80211]\n[  247.165769]  raw_notifier_call_chain+0x4c/0x78\n[  247.170742]  call_netdevice_notifiers_info+0x68/0xa4\n[  247.176305]  __dev_close_many+0x7c/0x138\n[  247.180693]  dev_close_many+0x7c/0x10c\n[  247.184893]  unregister_netdevice_many+0xfc/0x654\n[  247.190158]  unregister_netdevice_queue+0xb4/0xe0\n[  247.195424]  
_cfg80211_unregister_wdev+0xa4/0x204 [cfg80211]\n[  247.201816]  cfg80211_unregister_wdev+0x20/0x2c [cfg80211]\n[  247.208016]  mwifiex_del_virtual_intf+0xc8/0x188 [mwifiex]\n[  247.214174]  mwifiex_uninit_sw+0x158/0x1b0 [mwifiex]\n[  247.219747]  mwifiex_remove_card+0x38/0xa0 [mwifiex]\n[  247.225316]  mwifiex_pcie_remove+0xd0/0xe0 [mwifiex_pcie]\n[  247.231451]  pci_device_remove+0x50/0xe0\n[  247.235849]  device_release_driver_internal+0x110/0x1b0\n[  247.241701]  driver_detach+0x5c/0x9c\n[  247.245704]  bus_remove_driver+0x84/0xb8\n[  247.250095]  driver_unregister+0x3c/0x60\n[  247.254486]  pci_unregister_driver+0x2c/0x90\n[  247.259267]  cleanup_module+0x18/0xcdc [mwifiex_pcie]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47349",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix lockup on kernel exec fault\n\nThe powerpc kernel is not prepared to handle exec faults from kernel.\nEspecially, the function is_exec_fault() will return 'false' when an\nexec fault is taken by kernel, because the check is based on reading\ncurrent->thread.regs->trap which contains the trap from user.\n\nFor instance, when provoking a LKDTM EXEC_USERSPACE test,\ncurrent->thread.regs->trap is set to SYSCALL trap (0xc00), and\nthe fault taken by the kernel is not seen as an exec fault by\nset_access_flags_filter().\n\nCommit d7df2443cd5f (\"powerpc/mm: Fix spurious segfaults on radix\nwith autonuma\") made it clear and handled it properly. But later on\ncommit d3ca587404b3 (\"powerpc/mm: Fix reporting of kernel execute\nfaults\") removed that handling, introducing test based on error_code.\nAnd here is the problem, because on the 603 all upper bits of SRR1\nget cleared when the TLB instruction miss handler bails out to ISI.\n\nUntil commit cbd7e6ca0210 (\"powerpc/fault: Avoid heavy\nsearch_exception_tables() verification\"), an exec fault from kernel\nat a userspace address was indirectly caught by the lack of entry for\nthat address in the exception tables. But after that commit the\nkernel mainly relies on KUAP or on core mm handling to catch wrong\nuser accesses. Here the access is not wrong, so mm handles it.\nIt is a minor fault because PAGE_EXEC is not set,\nset_access_flags_filter() should set PAGE_EXEC and voila.\nBut as is_exec_fault() returns false as explained in the beginning,\nset_access_flags_filter() bails out without setting PAGE_EXEC flag,\nwhich leads to a forever minor exec fault.\n\nAs the kernel is not prepared to handle such exec faults, the thing to\ndo is to fire in bad_kernel_fault() for any exec fault taken by the\nkernel, as it was prior to commit d3ca587404b3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47350",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix races between xattr_{set|get} and listxattr operations\n\nUBIFS may run into some problems with concurrent xattr_{set|get} and\nlistxattr operations, such as assertion failure, memory corruption,\nstale xattr value[1].\n\nFix it by importing a new rw-lock in @ubifs_inode to serialize write\noperations on xattr; concurrent read operations are still effective,\njust like ext4.\n\n[1] https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47351",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: Add validation for used length\n\nThis adds validation for used length (might come\nfrom an untrusted device) to avoid data corruption\nor loss.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47352",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix NULL pointer dereference in udf_symlink function\n\nIn function udf_symlink, epos.bh is assigned with the value returned\nby udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c\nand returns the value of sb_getblk function that could be NULL.\nThen, epos.bh is used without any check, causing a possible\nNULL pointer dereference when sb_getblk fails.\n\nThis fix adds a check to validate the value of epos.bh.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47353",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Avoid data corruptions\n\nWait for all dependencies of a job to complete before\nkilling it to avoid data corruptions.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47354",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: nicstar: Fix possible use-after-free in nicstar_cleanup()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished and is unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47355",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix possible use-after-free in HFC_cleanup()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished and is unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47356",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: iphase: fix possible use-after-free in ia_module_exit()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished and is unable to re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47357",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14"
        },
        {
          "id": "CVE-2021-47358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: greybus: uart: fix tty use after free\n\nUser space can hold a tty open indefinitely and tty drivers must not\nrelease the underlying structures until the last user is gone.\n\nSwitch to using the tty-port reference counter to manage the life time\nof the greybus tty state to avoid use after free after a disconnect.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47358",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix soft lockup during fsstress\n\nBelow traces are observed during fsstress and system got hung.\n[  130.698396] watchdog: BUG: soft lockup - CPU#6 stuck for 26s!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47359",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: make sure fd closes complete\n\nDuring BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object\ncleanup may close 1 or more fds. The close operations are\ncompleted using the task work mechanism -- which means the thread\nneeds to return to userspace or the file object may never be\ndereferenced -- which can lead to hung processes.\n\nForce the binder thread back to userspace if an fd is closed during\nBC_FREE_BUFFER handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47360",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: fix error handling in mcb_alloc_bus()\n\nThere are two bugs:\n1) If ida_simple_get() fails then this code calls put_device(carrier)\n   but we haven't yet called get_device(carrier) and probably that\n   leads to a use after free.\n2) After device_initialize() then we need to use put_device() to\n   release the bus.  This will free the internal resources tied to the\n   device and call mcb_free_bus() which will free the rest.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47361",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Update intermediate power state for SI\n\nUpdate the current state as boot state during dpm initialization.\nDuring the subsequent initialization, set_power_state gets called to\ntransition to the final power state. set_power_state refers to values\nfrom the current state and without current state populated, it could\nresult in NULL pointer dereference.\n\nFor ex: on platforms where PCI speed change is supported through ACPI\nATCS method, the link speed of current state needs to be queried before\ndeciding on changing to final power state's link speed. The logic to query\nATCS-support was broken on certain platforms. The issue became visible\nwhen broken ATCS-support logic got fixed with commit\nf9b7f3703ff9 (\"drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)\").\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47362",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix division by zero while replacing a resilient group\n\nThe resilient nexthop group torture tests in fib_nexthop.sh exposed a\npossible division by zero while replacing a resilient group [1]. The\ndivision by zero occurs when the data path sees a resilient nexthop\ngroup with zero buckets.\n\nThe tests replace a resilient nexthop group in a loop while traffic is\nforwarded through it. The tests do not specify the number of buckets\nwhile performing the replacement, resulting in the kernel allocating a\nstub resilient table (i.e, 'struct nh_res_table') with zero buckets.\n\nThis table should never be visible to the data path, but the old nexthop\ngroup (i.e., 'oldg') might still be used by the data path when the stub\ntable is assigned to it.\n\nFix this by only assigning the stub table to the old nexthop group after\nmaking sure the group is no longer used by the data path.\n\nTested with fib_nexthops.sh:\n\nTests passed: 222\nTests failed:   0\n\n[1]\n divide error: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\n RIP: 0010:nexthop_select_path+0x2d2/0x1a80\n[...]\n Call Trace:\n  fib_select_multipath+0x79b/0x1530\n  fib_select_path+0x8fb/0x1c10\n  ip_route_output_key_hash_rcu+0x1198/0x2da0\n  ip_route_output_key_hash+0x190/0x340\n  ip_route_output_flow+0x21/0x120\n  raw_sendmsg+0x91d/0x2e10\n  inet_sendmsg+0x9e/0xe0\n  __sys_sendto+0x23d/0x360\n  __x64_sys_sendto+0xe1/0x1b0\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47363",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix memory leak in compat_insnlist()\n\n`compat_insnlist()` handles the 32-bit version of the `COMEDI_INSNLIST`\nioctl (whenwhen `CONFIG_COMPAT` is enabled).  It allocates memory to\ntemporarily hold an array of `struct comedi_insn` converted from the\n32-bit version in user space.  This memory is only being freed if there\nis a fault while filling the array, otherwise it is leaked.\n\nAdd a call to `kfree()` to fix the leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47364",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix page leak\n\nThere's a loop in afs_extend_writeback() that adds extra pages to a write\nwe want to make to improve the efficiency of the writeback by making it\nlarger.  This loop stops, however, if we hit a page we can't write back\nfrom immediately, but it doesn't get rid of the page ref we speculatively\nacquired.\n\nThis was caused by the removal of the cleanup loop when the code switched\nfrom using find_get_pages_contig() to xarray scanning as the latter only\ngets a single page at a time, not a batch.\n\nFix this by putting the page on a ref on an early break from the loop.\nUnfortunately, we can't just add that page to the pagevec we're employing\nas we'll go through that and add those pages to the RPC call.\n\nThis was found by the generic/074 test.  It leaks ~4GiB of RAM each time it\nis run - which can be observed with \"top\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47365",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\n\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\n\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are *signed* 32-bit values.\n\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag.  This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\n\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\n\nNote that the issue does not exist with FS.StoreData - that uses *unsigned*\n32-bit values.  It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\n\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing \"git status\" on it from a Linux afs\nclient[1].  
Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\n\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\n\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\n\nNote the file position of 18446744071815340032.  This is the requested file\nposition sign-extended.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47366",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix pages leaking when building skb in big mode\n\nWe try to use build_skb() if we had sufficient tailroom. But we forget\nto release the unused pages chained via private in big mode which will\nleak pages. Fixing this by release the pages after building the skb in\nbig mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47367",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nenetc: Fix illegal access when reading affinity_hint\n\nirq_set_affinity_hit() stores a reference to the cpumask_t\nparameter in the irq descriptor, and that reference can be\naccessed later from irq_affinity_hint_proc_show(). Since\nthe cpu_mask parameter passed to irq_set_affinity_hit() has\nonly temporary storage (it's on the stack memory), later\naccesses to it are illegal. Thus reads from the corresponding\nprocfs affinity_hint file can result in paging request oops.\n\nThe issue is fixed by the get_cpu_mask() helper, which provides\na permanent storage for the cpumask_t parameter.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47368",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: fix NULL deref in qeth_clear_working_pool_list()\n\nWhen qeth_set_online() calls qeth_clear_working_pool_list() to roll\nback after an error exit from qeth_hardsetup_card(), we are at risk of\naccessing card->qdio.in_q before it was allocated by\nqeth_alloc_qdio_queues() via qeth_mpc_initialize().\n\nqeth_clear_working_pool_list() then dereferences NULL, and by writing to\nqueue->bufs[i].pool_entry scribbles all over the CPU's lowcore.\nResulting in a crash when those lowcore areas are used next (eg. on\nthe next machine-check interrupt).\n\nSuch a scenario would typically happen when the device is first set\nonline and its queues aren't allocated yet. An early IO error or certain\nmisconfigs (eg. mismatched transport mode, bad portno) then cause us to\nerror out from qeth_hardsetup_card() with card->qdio.in_q still being\nNULL.\n\nFix it by checking the pointer for NULL before accessing it.\n\nNote that we also have (rare) paths inside qeth_mpc_initialize() where\na configuration change can cause us to free the existing queues,\nexpecting that subsequent code will allocate them again. If we then\nerror out before that re-allocation happens, the same bug occurs.\n\nRoot-caused-by: Heiko Carstens <hca@linux.ibm.com>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47369",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure tx skbs always have the MPTCP ext\n\nDue to signed/unsigned comparison, the expression:\n\n\tinfo->size_goal - skb->len > 0\n\nevaluates to true when the size goal is smaller than the\nskb size. That results in lack of tx cache refill, so that\nthe skb allocated by the core TCP code lacks the required\nMPTCP skb extensions.\n\nDue to the above, syzbot is able to trigger the following WARN_ON():\n\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nModules linked in:\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\n sk_stream_wait_memory+0x604/0xed0 
net/core/stream.c:145\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\n call_write_iter include/linux/fs.h:2163 [inline]\n new_sync_write+0x40b/0x640 fs/read_write.c:507\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\n ksys_write+0x1ee/0x250 fs/read_write.c:647\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\n\nFix the issue rewriting the relevant expression to avoid\nsign-related problems - note: size_goal is always >= 0.\n\nAdditionally, ensure that the skb in the tx cache always carries\nthe relevant extension.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47370",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14.9"
        },
        {
          "id": "CVE-2021-47371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix memory leaks in nexthop notification chain listeners\n\nsyzkaller discovered memory leaks [1] that can be reduced to the\nfollowing commands:\n\n # ip nexthop add id 1 blackhole\n # devlink dev reload pci/0000:06:00.0\n\nAs part of the reload flow, mlxsw will unregister its netdevs and then\nunregister from the nexthop notification chain. Before unregistering\nfrom the notification chain, mlxsw will receive delete notifications for\nnexthop objects using netdevs registered by mlxsw or their uppers. mlxsw\nwill not receive notifications for nexthops using netdevs that are not\ndismantled as part of the reload flow. For example, the blackhole\nnexthop above that internally uses the loopback netdev as its nexthop\ndevice.\n\nOne way to fix this problem is to have listeners flush their nexthop\ntables after unregistering from the notification chain. This is\nerror-prone as evident by this patch and also not symmetric with the\nregistration path where a listener receives a dump of all the existing\nnexthops.\n\nTherefore, fix this problem by replaying delete notifications for the\nlistener being unregistered. This is symmetric to the registration path\nand also consistent with the netdev notification chain.\n\nThe above means that unregister_nexthop_notifier(), like\nregister_nexthop_notifier(), will have to take RTNL in order to iterate\nover the existing nexthops and that any callers of the function cannot\nhold RTNL. This is true for mlxsw and netdevsim, but not for the VXLAN\ndriver. 
To avoid a deadlock, change the latter to unregister its nexthop\nlistener without holding RTNL, making it symmetric to the registration\npath.\n\n[1]\nunreferenced object 0xffff88806173d600 (size 512):\n  comm \"syz-executor.0\", pid 1290, jiffies 4295583142 (age 143.507s)\n  hex dump (first 32 bytes):\n    41 9d 1e 60 80 88 ff ff 08 d6 73 61 80 88 ff ff  A..`......sa....\n    08 d6 73 61 80 88 ff ff 01 00 00 00 00 00 00 00  ..sa............\n  backtrace:\n    [<ffffffff81a6b576>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]\n    [<ffffffff81a6b576>] slab_post_alloc_hook+0x96/0x490 mm/slab.h:522\n    [<ffffffff81a716d3>] slab_alloc_node mm/slub.c:3206 [inline]\n    [<ffffffff81a716d3>] slab_alloc mm/slub.c:3214 [inline]\n    [<ffffffff81a716d3>] kmem_cache_alloc_trace+0x163/0x370 mm/slub.c:3231\n    [<ffffffff82e8681a>] kmalloc include/linux/slab.h:591 [inline]\n    [<ffffffff82e8681a>] kzalloc include/linux/slab.h:721 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_group_create drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:4918 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_new drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5054 [inline]\n    [<ffffffff82e8681a>] mlxsw_sp_nexthop_obj_event+0x59a/0x2910 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:5239\n    [<ffffffff813ef67d>] notifier_call_chain+0xbd/0x210 kernel/notifier.c:83\n    [<ffffffff813f0662>] blocking_notifier_call_chain kernel/notifier.c:318 [inline]\n    [<ffffffff813f0662>] blocking_notifier_call_chain+0x72/0xa0 kernel/notifier.c:306\n    [<ffffffff8384b9c6>] call_nexthop_notifiers+0x156/0x310 net/ipv4/nexthop.c:244\n    [<ffffffff83852bd8>] insert_nexthop net/ipv4/nexthop.c:2336 [inline]\n    [<ffffffff83852bd8>] nexthop_add net/ipv4/nexthop.c:2644 [inline]\n    [<ffffffff83852bd8>] rtm_new_nexthop+0x14e8/0x4d10 net/ipv4/nexthop.c:2913\n    [<ffffffff833e9a78>] rtnetlink_rcv_msg+0x448/0xbf0 net/core/rtnetlink.c:5572\n    [<ffffffff83608703>] 
netlink_rcv_skb+0x173/0x480 net/netlink/af_netlink.c:2504\n    [<ffffffff833de032>] rtnetlink_rcv+0x22/0x30 net/core/rtnetlink.c:5590\n    [<ffffffff836069de>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n    [<ffffffff836069de>] netlink_unicast+0x5ae/0x7f0 net/netlink/af_netlink.c:1340\n    [<ffffffff83607501>] netlink_sendmsg+0x8e1/0xe30 net/netlink/af_netlink.c:1929\n    [<ffffffff832fde84>] sock_sendmsg_nosec net/socket.c:704 [inline\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47371",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix use after free on rmmod\n\nplat_dev->dev->platform_data is released by platform_device_unregister(),\nuse of pclk and hclk is a use-after-free. Since device unregister won't\nneed a clk device we adjust the function call sequence to fix this issue.\n\n[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]\n[   31.275563] Freed by task 306:\n[   30.276782]  platform_device_release+0x25/0x80",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47372",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Fix potential VPE leak on error\n\nIn its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,\nthere is an off-by-one in the number of VPEs to be freed.\n\nFix it by simply passing the number of VPEs allocated, which is the\nindex of the loop iterating over the VPEs.\n\n[maz: fixed commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47373",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: prevent an error message from causing runtime problems\n\nFor some drivers, that use the DMA API. This error message can be reached\nseveral millions of times per second, causing spam to the kernel's printk\nbuffer and bringing the CPU usage up to 100% (so, it should be rate\nlimited). However, since there is at least one driver that is in the\nmainline and suffers from the error condition, it is more useful to\nerr_printk() here instead of just rate limiting the error message (in hopes\nthat it will make it easier for other drivers that suffer from this issue\nto be spotted).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47374",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: Fix uaf in blk_trace access after removing by sysfs\n\nThere is an use-after-free problem triggered by following process:\n\n      P1(sda)\t\t\t\tP2(sdb)\n\t\t\techo 0 > /sys/block/sdb/trace/enable\n\t\t\t  blk_trace_remove_queue\n\t\t\t    synchronize_rcu\n\t\t\t    blk_trace_free\n\t\t\t      relay_close\nrcu_read_lock\n__blk_add_trace\n  trace_note_tsk\n  (Iterate running_trace_list)\n\t\t\t        relay_close_buf\n\t\t\t\t  relay_destroy_buf\n\t\t\t\t    kfree(buf)\n    trace_note(sdb's bt)\n      relay_reserve\n        buf->offset <- nullptr deference (use-after-free) !!!\nrcu_read_unlock\n\n[  502.714379] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n[  502.715260] #PF: supervisor read access in kernel mode\n[  502.715903] #PF: error_code(0x0000) - not-present page\n[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0\n[  502.717252] Oops: 0000 [#1] SMP\n[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360\n[  502.732872] Call Trace:\n[  502.733193]  __blk_add_trace.cold+0x137/0x1a3\n[  502.733734]  blk_add_trace_rq+0x7b/0xd0\n[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0\n[  502.734755]  blk_mq_start_request+0xde/0x1b0\n[  502.735287]  scsi_queue_rq+0x528/0x1140\n...\n[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0\n[  502.747501]  sg_ioctl+0x466/0x1100\n\nReproduce method:\n  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n  ioctl(/dev/sda, BLKTRACESTART)\n  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n  ioctl(/dev/sdb, BLKTRACESTART)\n\n  echo 0 > /sys/block/sdb/trace/enable &\n  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()\n\n  ioctl$SG_IO(/dev/sda, SG_IO, ...)\n  // Enters trace_note_tsk() after blk_trace_free() returned\n  // Use mdelay in rcu region rather than msleep(which may schedule out)\n\nRemove blk_trace from running_list before calling 
blk_trace_free() by\nsysfs if blk_trace is at Blktrace_running state.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47375",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add oversize check before call kvcalloc()\n\nCommit 7661809d493b (\"mm: don't allow oversized kvmalloc() calls\") add the\noversize check. When the allocation is larger than what kmalloc() supports,\nthe following warning triggered:\n\nWARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597\nModules linked in:\nCPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597\nCall Trace:\n kvmalloc include/linux/mm.h:806 [inline]\n kvmalloc_array include/linux/mm.h:824 [inline]\n kvcalloc include/linux/mm.h:829 [inline]\n check_btf_line kernel/bpf/verifier.c:9925 [inline]\n check_btf_info kernel/bpf/verifier.c:10049 [inline]\n bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759\n bpf_prog_load kernel/bpf/syscall.c:2301 [inline]\n __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587\n __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]\n __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47376",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-rdma: destroy cm id before destroy qp to avoid use after free\n\nWe should always destroy cm_id before destroy qp to avoid to get cma\nevent after qp was destroyed, which may lead to use after free.\nIn RDMA connection establishment error flow, don't destroy qp in cm\nevent handler.Just report cm_error to upper level, qp will be destroy\nin nvme_rdma_alloc_queue() after destroy cm id.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47378",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd\n\nKASAN reports a use-after-free report when doing fuzz test:\n\n[693354.104835] ==================================================================\n[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338\n\n[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147\n[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018\n[693354.105612] Call Trace:\n[693354.105621]  dump_stack+0xf1/0x19b\n[693354.105626]  ? show_regs_print_info+0x5/0x5\n[693354.105634]  ? printk+0x9c/0xc3\n[693354.105638]  ? cpumask_weight+0x1f/0x1f\n[693354.105648]  print_address_description+0x70/0x360\n[693354.105654]  kasan_report+0x1b2/0x330\n[693354.105659]  ? bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105665]  ? bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105670]  bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105675]  ? bfq_cpd_init+0x20/0x20\n[693354.105683]  cgroup_file_write+0x3aa/0x510\n[693354.105693]  ? ___slab_alloc+0x507/0x540\n[693354.105698]  ? cgroup_file_poll+0x60/0x60\n[693354.105702]  ? 0xffffffff89600000\n[693354.105708]  ? usercopy_abort+0x90/0x90\n[693354.105716]  ? mutex_lock+0xef/0x180\n[693354.105726]  kernfs_fop_write+0x1ab/0x280\n[693354.105732]  ? cgroup_file_poll+0x60/0x60\n[693354.105738]  vfs_write+0xe7/0x230\n[693354.105744]  ksys_write+0xb0/0x140\n[693354.105749]  ? __ia32_sys_read+0x50/0x50\n[693354.105760]  do_syscall_64+0x112/0x370\n[693354.105766]  ? syscall_return_slowpath+0x260/0x260\n[693354.105772]  ? do_page_fault+0x9b/0x270\n[693354.105779]  ? prepare_exit_to_usermode+0xf9/0x1a0\n[693354.105784]  ? 
enter_from_user_mode+0x30/0x30\n[693354.105793]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.105875] Allocated by task 1453337:\n[693354.106001]  kasan_kmalloc+0xa0/0xd0\n[693354.106006]  kmem_cache_alloc_node_trace+0x108/0x220\n[693354.106010]  bfq_pd_alloc+0x96/0x120\n[693354.106015]  blkcg_activate_policy+0x1b7/0x2b0\n[693354.106020]  bfq_create_group_hierarchy+0x1e/0x80\n[693354.106026]  bfq_init_queue+0x678/0x8c0\n[693354.106031]  blk_mq_init_sched+0x1f8/0x460\n[693354.106037]  elevator_switch_mq+0xe1/0x240\n[693354.106041]  elevator_switch+0x25/0x40\n[693354.106045]  elv_iosched_store+0x1a1/0x230\n[693354.106049]  queue_attr_store+0x78/0xb0\n[693354.106053]  kernfs_fop_write+0x1ab/0x280\n[693354.106056]  vfs_write+0xe7/0x230\n[693354.106060]  ksys_write+0xb0/0x140\n[693354.106064]  do_syscall_64+0x112/0x370\n[693354.106069]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.106114] Freed by task 1453336:\n[693354.106225]  __kasan_slab_free+0x130/0x180\n[693354.106229]  kfree+0x90/0x1b0\n[693354.106233]  blkcg_deactivate_policy+0x12c/0x220\n[693354.106238]  bfq_exit_queue+0xf5/0x110\n[693354.106241]  blk_mq_exit_sched+0x104/0x130\n[693354.106245]  __elevator_exit+0x45/0x60\n[693354.106249]  elevator_switch_mq+0xd6/0x240\n[693354.106253]  elevator_switch+0x25/0x40\n[693354.106257]  elv_iosched_store+0x1a1/0x230\n[693354.106261]  queue_attr_store+0x78/0xb0\n[693354.106264]  kernfs_fop_write+0x1ab/0x280\n[693354.106268]  vfs_write+0xe7/0x230\n[693354.106271]  ksys_write+0xb0/0x140\n[693354.106275]  do_syscall_64+0x112/0x370\n[693354.106280]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.106329] The buggy address belongs to the object at ffff888be0a35580\n                 which belongs to the cache kmalloc-1k of size 1024\n[693354.106736] The buggy address is located 228 bytes inside of\n                 1024-byte region [ffff888be0a35580, ffff888be0a35980)\n[693354.107114] The buggy address belongs to the page:\n[693354.107273] 
page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0\n[693354.107606] flags: 0x17ffffc0008100(slab|head)\n[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080\n[693354.108020] r\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47379",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix potential NULL pointer dereference\n\ndevm_add_action_or_reset() can suddenly invoke amd_mp2_pci_remove() at\nregistration that will cause NULL pointer dereference since\ncorresponding data is not initialized yet. The patch moves\ninitialization of data before devm_add_action_or_reset().\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\n[jkosina@suse.cz: rebase]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47380",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Fix DSP oops stack dump output contents\n\nFix @buf arg given to hex_dump_to_buffer() and stack address used\nin dump error output.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47381",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: fix deadlock during failing recovery\n\nCommit 0b9902c1fcc5 (\"s390/qeth: fix deadlock during recovery\") removed\ntaking discipline_mutex inside qeth_do_reset(), fixing potential\ndeadlocks. An error path was missed though, that still takes\ndiscipline_mutex and thus has the original deadlock potential.\n\nIntermittent deadlocks were seen when a qeth channel path is configured\noffline, causing a race between qeth_do_reset and ccwgroup_remove.\nCall qeth_set_offline() directly in the qeth_do_reset() error case and\nthen a new variant of ccwgroup_set_offline(), without taking\ndiscipline_mutex.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47382",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix out-of-bound vmalloc access in imageblit\n\nThis issue happens when a userspace program does an ioctl\nFBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct\ncontaining only the fields xres, yres, and bits_per_pixel\nwith values.\n\nIf this struct is the same as the previous ioctl, the\nvc_resize() detects it and doesn't call the resize_screen(),\nleaving the fb_var_screeninfo incomplete. And this leads to\nthe updatescrollmode() calculates a wrong value to\nfbcon_display->vrows, which makes the real_y() return a\nwrong value of y, and that value, eventually, causes\nthe imageblit to access an out-of-bound address value.\n\nTo solve this issue I made the resize_screen() be called\neven if the screen does not need any resizing, so it will\n\"fix and fill\" the fb_var_screeninfo independently.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47383",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field\n\nIf driver read tmp value sufficient for\n(tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))\nfrom device then Null pointer dereference occurs.\n(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)\nAlso lm75[] does not serve a purpose anymore after switching to\ndevm_i2c_new_dummy_device() in w83791d_detect_subclients().\n\nThe patch fixes possible NULL pointer dereference by removing lm75[].\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\n[groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47384",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field\n\nIf driver read val value sufficient for\n(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))\nfrom device then Null pointer dereference occurs.\n(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)\nAlso lm75[] does not serve a purpose anymore after switching to\ndevm_i2c_new_dummy_device() in w83791d_detect_subclients().\n\nThe patch fixes possible NULL pointer dereference by removing lm75[].\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\n[groeck: Dropped unnecessary continuation lines, fixed multipline alignment]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47385",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field\n\nIf driver read val value sufficient for\n(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))\nfrom device then Null pointer dereference occurs.\n(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)\nAlso lm75[] does not serve a purpose anymore after switching to\ndevm_i2c_new_dummy_device() in w83791d_detect_subclients().\n\nThe patch fixes possible NULL pointer dereference by removing lm75[].\n\nFound by Linux Driver Verification project (linuxtesting.org).\n\n[groeck: Dropped unnecessary continuation lines, fixed multi-line alignment]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47386",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: schedutil: Use kobject release() method to free sugov_tunables\n\nThe struct sugov_tunables is protected by the kobject, so we can't free\nit directly. Otherwise we would get a call trace like this:\n  ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30\n  WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100\n  Modules linked in:\n  CPU: 3 PID: 720 Comm: a.sh Tainted: G        W         5.14.0-rc1-next-20210715-yocto-standard+ #507\n  Hardware name: Marvell OcteonTX CN96XX board (DT)\n  pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)\n  pc : debug_print_object+0xb8/0x100\n  lr : debug_print_object+0xb8/0x100\n  sp : ffff80001ecaf910\n  x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80\n  x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000\n  x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20\n  x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010\n  x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365\n  x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69\n  x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0\n  x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001\n  x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000\n  x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000\n  Call trace:\n   debug_print_object+0xb8/0x100\n   __debug_check_no_obj_freed+0x1c0/0x230\n   debug_check_no_obj_freed+0x20/0x88\n   slab_free_freelist_hook+0x154/0x1c8\n   kfree+0x114/0x5d0\n   sugov_exit+0xbc/0xc0\n   cpufreq_exit_governor+0x44/0x90\n   cpufreq_set_policy+0x268/0x4a8\n   store_scaling_governor+0xe0/0x128\n   store+0xc0/0xf0\n   sysfs_kf_write+0x54/0x80\n   kernfs_fop_write_iter+0x128/0x1c0\n   new_sync_write+0xf0/0x190\n   vfs_write+0x2d4/0x478\n   ksys_write+0x74/0x100\n   __arm64_sys_write+0x24/0x30\n   invoke_syscall.constprop.0+0x54/0xe0\n   do_el0_svc+0x64/0x158\n   el0_svc+0x2c/0xb0\n   el0t_64_sync_handler+0xb0/0xb8\n   el0t_64_sync+0x198/0x19c\n  irq event stamp: 5518\n  hardirqs last  enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8\n  hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0\n  softirqs last  enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0\n  softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8\n\nSo split the original sugov_tunables_free() into two functions,\nsugov_clear_global_tunables() is just used to clear the global_tunables\nand the new sugov_tunables_free() is used as kobj_type::release to\nrelease the sugov_tunables safely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47387",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix use-after-free in CCMP/GCMP RX\n\nWhen PN checking is done in mac80211, for fragmentation we need\nto copy the PN to the RX struct so we can later use it to do a\ncomparison, since commit bf30ca922a0c (\"mac80211: check defrag\nPN against current frame\").\n\nUnfortunately, in that commit I used the 'hdr' variable without\nit being necessarily valid, so use-after-free could occur if it\nwas necessary to reallocate (parts of) the frame.\n\nFix this by reloading the variable after the code that results\nin the reallocations, if any.\n\nThis fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47388",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: fix missing sev_decommission in sev_receive_start\n\nDECOMMISSION the current SEV context if binding an ASID fails after\nRECEIVE_START.  Per AMD's SEV API, RECEIVE_START generates a new guest\ncontext and thus needs to be paired with DECOMMISSION:\n\n     The RECEIVE_START command is the only command other than the LAUNCH_START\n     command that generates a new guest context and guest handle.\n\nThe missing DECOMMISSION can result in subsequent SEV launch failures,\nas the firmware leaks memory and might not able to allocate more SEV\nguest contexts in the future.\n\nNote, LAUNCH_START suffered the same bug, but was previously fixed by\ncommit 934002cd660b (\"KVM: SVM: Call SEV Guest Decommission if ASID\nbinding fails\").",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47389",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()\n\nKASAN reports the following issue:\n\n BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798\n\n CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G               X --------- ---\n Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020\n Call Trace:\n  dump_stack+0xa5/0xe6\n  print_address_description.constprop.0+0x18/0x130\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  __kasan_report.cold+0x7f/0x114\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kasan_report+0x38/0x50\n  kasan_check_range+0xf5/0x1d0\n  kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]\n  ? kvm_arch_exit+0x110/0x110 [kvm]\n  ? sched_clock+0x5/0x10\n  ioapic_write_indirect+0x59f/0x9e0 [kvm]\n  ? static_obj+0xc0/0xc0\n  ? __lock_acquired+0x1d2/0x8c0\n  ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]\n\nThe problem appears to be that 'vcpu_bitmap' is allocated as a single long\non stack and it should really be KVM_MAX_VCPUS long. We also seem to clear\nthe lower 16 bits of it with bitmap_zero() for no particular reason (my\nguess would be that 'bitmap' and 'vcpu_bitmap' variables in\nkvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed\n16-bit long, the later should accommodate all possible vCPUs).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47390",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n       CPU 1                                  CPU 2\n\nrdma_resolve_addr():\n  RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)  #1\n\n\t\t\t process_one_req(): for #1\n                          addr_handler():\n                            RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n                            mutex_unlock(&id_priv->handler_mutex);\n                            [.. handler still running ..]\n\nrdma_resolve_addr():\n  RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)\n    !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n  _destroy_id():\n   cma_cancel_operation():\n    rdma_addr_cancel()\n\n                          // process_one_req() self removes it\n\t\t          spin_lock_bh(&lock);\n                           cancel_delayed_work(&req->work);\n\t                   if (!list_empty(&req->list)) == true\n\n      ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n   kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n                          addr_handler():\n\t                    mutex_lock(&id_priv->handler_mutex);\n                            !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47391",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure\n\nIf cma_listen_on_all() fails it leaves the per-device ID still on the\nlisten_list but the state is not set to RDMA_CM_ADDR_BOUND.\n\nWhen the cmid is eventually destroyed cma_cancel_listens() is not called\ndue to the wrong state, however the per-device IDs are still holding the\nrefcount preventing the ID from being destroyed, thus deadlocking:\n\n task:rping state:D stack:   0 pid:19605 ppid: 47036 flags:0x00000084\n Call Trace:\n  __schedule+0x29a/0x780\n  ? free_unref_page_commit+0x9b/0x110\n  schedule+0x3c/0xa0\n  schedule_timeout+0x215/0x2b0\n  ? __flush_work+0x19e/0x1e0\n  wait_for_completion+0x8d/0xf0\n  _destroy_id+0x144/0x210 [rdma_cm]\n  ucma_close_id+0x2b/0x40 [rdma_ucm]\n  __destroy_id+0x93/0x2c0 [rdma_ucm]\n  ? __xa_erase+0x4a/0xa0\n  ucma_destroy_id+0x9a/0x120 [rdma_ucm]\n  ucma_write+0xb8/0x130 [rdma_ucm]\n  vfs_write+0xb4/0x250\n  ksys_write+0xb5/0xd0\n  ? syscall_trace_enter.isra.19+0x123/0x190\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nEnsure that cma_listen_on_all() atomically unwinds its action under the\nlock during error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47392",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs\n\nFan speed minimum can be enforced from sysfs. For example, setting\ncurrent fan speed to 20 is used to enforce fan speed to be at 100%\nspeed, 19 - to be not below 90% speed, etcetera. This feature provides\nability to limit fan speed according to some system wise\nconsiderations, like absence of some replaceable units or high system\nambient temperature.\n\nRequest for changing fan minimum speed is configuration request and can\nbe set only through 'sysfs' write procedure. In this situation value of\nargument 'state' is above nominal fan speed maximum.\n\nReturn non-zero code in this case to avoid\nthermal_cooling_device_stats_update() call, because in this case\nstatistics update violates thermal statistics table range.\nThe issues is observed in case kernel is configured with option\nCONFIG_THERMAL_STATISTICS.\n\nHere is the trace from KASAN:\n[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444\n[  159.545625] Call Trace:\n[  159.548366]  dump_stack+0x92/0xc1\n[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.635869]  thermal_zone_device_update+0x345/0x780\n[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0\n[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]\n[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]\n[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]\n[  160.070233] RIP: 0033:0x7fd995909970\n[  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..\n[  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970\n[  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001\n[  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700\n[  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013\n[  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013\n[  160.143671]\n[  160.145338] Allocated by task 2924:\n[  160.149242]  kasan_save_stack+0x19/0x40\n[  160.153541]  __kasan_kmalloc+0x7f/0xa0\n[  160.157743]  __kmalloc+0x1a2/0x2b0\n[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0\n[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500\n[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0\n[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]\n[  160.248140]\n[  160.249807] The buggy address belongs to the object at ffff888116163400\n[  160.249807]  which belongs to the cache kmalloc-1k of size 1024\n[  160.263814] The buggy address is located 64 bytes to the right of\n[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)\n[  160.277536] The buggy address belongs to the page:\n[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160\n[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0\n[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)\n[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0\n[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000\n[  160.327033] page dumped because: kasan: bad access detected\n[  160.333270]\n[  160.334937] Memory state around the buggy address:\n[  160.356469] >ffff888116163800: fc ..",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47393",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unlink table before deleting it\n\nsyzbot reports following UAF:\nBUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955\n nla_strcmp+0xf2/0x130 lib/nlattr.c:836\n nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570\n nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]\n nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064\n nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n\nProblem is that all get operations are lockless, so the commit_mutex\nheld by nft_rcv_nl_event() isn't enough to stop a parallel GET request\nfrom doing read-accesses to the table object even after synchronize_rcu().\n\nTo avoid this, unlink the table first and store the table objects in\non-stack scratch space.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47394",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap\n\nLimit max values for vht mcs and nss in ieee80211_parse_tx_radiotap\nroutine in order to fix the following warning reported by syzbot:\n\nWARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]\nWARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244\nModules linked in:\nCPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]\nRIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244\nRSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216\nRAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000\nRDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003\nRBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100\nR10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8\nR13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004\nFS:  00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740\n netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089\n __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165\n __bpf_tx_skb net/core/filter.c:2114 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2139 [inline]\n __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162\n ____bpf_clone_redirect net/core/filter.c:2429 [inline]\n bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401\n bpf_prog_eeb6f53a69e5c6a2+0x59/0x234\n bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]\n __bpf_prog_run include/linux/filter.h:624 [inline]\n bpf_prog_run include/linux/filter.h:631 [inline]\n bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119\n bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663\n bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]\n __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605\n __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47395",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211-hwsim: fix late beacon hrtimer handling\n\nThomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx\nthat our handling of the hrtimer here is wrong: If the timer fires\nlate (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot)\nthen it tries to actually rearm the timer at the next deadline,\nwhich might be in the past already:\n\n 1          2          3          N          N+1\n |          |          |   ...    |          |\n\n ^ intended to fire here (1)\n            ^ next deadline here (2)\n                                      ^ actually fired here\n\nThe next time it fires, it's later, but will still try to schedule\nfor the next deadline (now 3), etc. until it catches up with N,\nbut that might take a long time, causing stalls etc.\n\nNow, all of this is simulation, so we just have to fix it, but\nnote that the behaviour is wrong even per spec, since there's no\nvalue then in sending all those beacons unaligned - they should be\naligned to the TBTT (1, 2, 3, ... in the picture), and if we're a\nbit (or a lot) late, then just resume at that point.\n\nTherefore, change the code to use hrtimer_forward_now() which will\nensure that the next firing of the timer would be at N+1 (in the\npicture), i.e. the next interval point after the current time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47396",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb\n\nWe should always check if skb_header_pointer's return is NULL before\nusing it, otherwise it may cause null-ptr-deref, as syzbot reported:\n\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]\n  RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196\n  Call Trace:\n  <IRQ>\n   sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109\n   ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422\n   ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463\n   NF_HOOK include/linux/netfilter.h:307 [inline]\n   NF_HOOK include/linux/netfilter.h:301 [inline]\n   ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472\n   dst_input include/net/dst.h:460 [inline]\n   ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]\n   NF_HOOK include/linux/netfilter.h:307 [inline]\n   NF_HOOK include/linux/netfilter.h:301 [inline]\n   ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47397",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Fix kernel pointer leak\n\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong long' and printed with %llx.  Change %llx to %p to print the secured\npointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47398",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup\n\nThe ixgbe driver currently generates a NULL pointer dereference with\nsome machine (online cpus < 63). This is due to the fact that the\nmaximum value of num_xdp_queues is nr_cpu_ids. Code is in\n\"ixgbe_set_rss_queues\".\n\nHere's how the problem repeats itself:\nSome machine (online cpus < 63), and user set num_queues to 63 through\nethtool. Code is in the \"ixgbe_set_channels\",\n\tadapter->ring_feature[RING_F_FDIR].limit = count;\n\nIt becomes 63.\n\nWhen the user uses xdp, \"ixgbe_set_rss_queues\" will set queues num.\n\tadapter->num_rx_queues = rss_i;\n\tadapter->num_tx_queues = rss_i;\n\tadapter->num_xdp_queues = ixgbe_xdp_queues(adapter);\n\nAnd rss_i's value is from\n\tf = &adapter->ring_feature[RING_F_FDIR];\n\trss_i = f->indices = f->limit;\n\nSo \"num_rx_queues\" > \"num_xdp_queues\", when run to \"ixgbe_xdp_setup\",\n\tfor (i = 0; i < adapter->num_rx_queues; i++)\n\t\tif (adapter->xdp_ring[i]->xsk_umem)\n\nIt leads to panic.\n\nCall trace:\n[exception RIP: ixgbe_xdp+368]\nRIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297\nRAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000\nRDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90\nRBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000\nR10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000\nR13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530\nORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc\n 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808\n 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235\n10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384\n11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd\n12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb\n13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88\n14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319\n15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290\n16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8\n17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64\n18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9\n19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c\n\nSo I fix ixgbe_max_channels so that it will not allow a setting of queues\nto be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,\ntake the smaller value of num_rx_queues and num_xdp_queues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47399",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: do not allow call hns3_nic_net_open repeatedly\n\nhns3_nic_net_open() is not allowed to be called repeatedly, but there\nis no checking for this. When doing device reset and setup tc\nconcurrently, there is a small opportunity to call hns3_nic_net_open\nrepeatedly, and cause kernel bug by calling napi_enable twice.\n\nThe calltrace information is like below:\n[ 3078.222780] ------------[ cut here ]------------\n[ 3078.230255] kernel BUG at net/core/dev.c:6991!\n[ 3078.236224] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[ 3078.243431] Modules linked in: hns3 hclgevf hclge hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O)\n[ 3078.258880] CPU: 0 PID: 295 Comm: kworker/u8:5 Tainted: G           O      5.14.0-rc4+ #1\n[ 3078.269102] Hardware name:  , BIOS KpxxxFPGA 1P B600 V181 08/12/2021\n[ 3078.276801] Workqueue: hclge hclge_service_task [hclge]\n[ 3078.288774] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[ 3078.296168] pc : napi_enable+0x80/0x84\ntc qdisc sho[w  3d0e7v8 .e3t0h218 79] lr : hns3_nic_net_open+0x138/0x510 [hns3]\n\n[ 3078.314771] sp : ffff8000108abb20\n[ 3078.319099] x29: ffff8000108abb20 x28: 0000000000000000 x27: ffff0820a8490300\n[ 3078.329121] x26: 0000000000000001 x25: ffff08209cfc6200 x24: 0000000000000000\n[ 3078.339044] x23: ffff0820a8490300 x22: ffff08209cd76000 x21: ffff0820abfe3880\n[ 3078.349018] x20: 0000000000000000 x19: ffff08209cd76900 x18: 0000000000000000\n[ 3078.358620] x17: 0000000000000000 x16: ffffc816e1727a50 x15: 0000ffff8f4ff930\n[ 3078.368895] x14: 0000000000000000 x13: 0000000000000000 x12: 0000259e9dbeb6b4\n[ 3078.377987] x11: 0096a8f7e764eb40 x10: 634615ad28d3eab5 x9 : ffffc816ad8885b8\n[ 3078.387091] x8 : ffff08209cfc6fb8 x7 : ffff0820ac0da058 x6 : ffff0820a8490344\n[ 3078.396356] x5 : 0000000000000140 x4 : 0000000000000003 x3 : ffff08209cd76938\n[ 3078.405365] x2 : 0000000000000000 x1 : 0000000000000010 x0 : ffff0820abfe38a0\n[ 3078.414657] Call trace:\n[ 3078.418517]  napi_enable+0x80/0x84\n[ 3078.424626]  hns3_reset_notify_up_enet+0x78/0xd0 [hns3]\n[ 3078.433469]  hns3_reset_notify+0x64/0x80 [hns3]\n[ 3078.441430]  hclge_notify_client+0x68/0xb0 [hclge]\n[ 3078.450511]  hclge_reset_rebuild+0x524/0x884 [hclge]\n[ 3078.458879]  hclge_reset_service_task+0x3c4/0x680 [hclge]\n[ 3078.467470]  hclge_service_task+0xb0/0xb54 [hclge]\n[ 3078.475675]  process_one_work+0x1dc/0x48c\n[ 3078.481888]  worker_thread+0x15c/0x464\n[ 3078.487104]  kthread+0x160/0x170\n[ 3078.492479]  ret_from_fork+0x10/0x18\n[ 3078.498785] Code: c8027c81 35ffffa2 d50323bf d65f03c0 (d4210000)\n[ 3078.506889] ---[ end trace 8ebe0340a1b0fb44 ]---\n\nOnce hns3_nic_net_open() is executed successfully, the flag\nHNS3_NIC_STATE_DOWN will be cleared. So add checking for this\nflag, directly return when HNS3_NIC_STATE_DOWN is not set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47400",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipack: ipoctal: fix stack information leak\n\nThe tty driver name is used also after registering the driver and must\nspecifically not be allocated on the stack to avoid leaking information\nto user space (or triggering an oops).\n\nDrivers should not try to encode topology information in the tty device\nname but this one snuck in through staging without anyone noticing and\nanother driver has since copied this malpractice.\n\nFixing the ABI is a separate issue, but this at least plugs the security\nhole.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47401",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: flower: protect fl_walk() with rcu\n\nPatch that refactored fl_walk() to use idr_for_each_entry_continue_ul()\nalso removed rcu protection of individual filters which causes following\nuse-after-free when filter is deleted concurrently. Fix fl_walk() to obtain\nrcu read lock while iterating and taking the filter reference and temporary\nrelease the lock while calling arg->fn() callback that can sleep.\n\nKASAN trace:\n\n[  352.773640] ==================================================================\n[  352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]\n[  352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987\n\n[  352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2\n[  352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  352.781022] Call Trace:\n[  352.781573]  dump_stack_lvl+0x46/0x5a\n[  352.782332]  print_address_description.constprop.0+0x1f/0x140\n[  352.783400]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.784292]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.785138]  kasan_report.cold+0x83/0xdf\n[  352.785851]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.786587]  kasan_check_range+0x145/0x1a0\n[  352.787337]  fl_walk+0x159/0x240 [cls_flower]\n[  352.788163]  ? fl_put+0x10/0x10 [cls_flower]\n[  352.789007]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.790102]  tcf_chain_dump+0x231/0x450\n[  352.790878]  ? tcf_chain_tp_delete_empty+0x170/0x170\n[  352.791833]  ? __might_sleep+0x2e/0xc0\n[  352.792594]  ? tfilter_notify+0x170/0x170\n[  352.793400]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.794477]  tc_dump_tfilter+0x385/0x4b0\n[  352.795262]  ? tc_new_tfilter+0x1180/0x1180\n[  352.796103]  ? __mod_node_page_state+0x1f/0xc0\n[  352.796974]  ? __build_skb_around+0x10e/0x130\n[  352.797826]  netlink_dump+0x2c0/0x560\n[  352.798563]  ? netlink_getsockopt+0x430/0x430\n[  352.799433]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.800542]  __netlink_dump_start+0x356/0x440\n[  352.801397]  rtnetlink_rcv_msg+0x3ff/0x550\n[  352.802190]  ? tc_new_tfilter+0x1180/0x1180\n[  352.802872]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  352.803668]  ? tc_new_tfilter+0x1180/0x1180\n[  352.804344]  ? _copy_from_iter_nocache+0x800/0x800\n[  352.805202]  ? kasan_set_track+0x1c/0x30\n[  352.805900]  netlink_rcv_skb+0xc6/0x1f0\n[  352.806587]  ? rht_deferred_worker+0x6b0/0x6b0\n[  352.807455]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  352.808324]  ? netlink_ack+0x4d0/0x4d0\n[  352.809086]  ? netlink_deliver_tap+0x62/0x3d0\n[  352.809951]  netlink_unicast+0x353/0x480\n[  352.810744]  ? netlink_attachskb+0x430/0x430\n[  352.811586]  ? __alloc_skb+0xd7/0x200\n[  352.812349]  netlink_sendmsg+0x396/0x680\n[  352.813132]  ? netlink_unicast+0x480/0x480\n[  352.813952]  ? __import_iovec+0x192/0x210\n[  352.814759]  ? netlink_unicast+0x480/0x480\n[  352.815580]  sock_sendmsg+0x6c/0x80\n[  352.816299]  ____sys_sendmsg+0x3a5/0x3c0\n[  352.817096]  ? kernel_sendmsg+0x30/0x30\n[  352.817873]  ? __ia32_sys_recvmmsg+0x150/0x150\n[  352.818753]  ___sys_sendmsg+0xd8/0x140\n[  352.819518]  ? sendmsg_copy_msghdr+0x110/0x110\n[  352.820402]  ? ___sys_recvmsg+0xf4/0x1a0\n[  352.821110]  ? __copy_msghdr_from_user+0x260/0x260\n[  352.821934]  ? _raw_spin_lock+0x81/0xd0\n[  352.822680]  ? __handle_mm_fault+0xef3/0x1b20\n[  352.823549]  ? rb_insert_color+0x2a/0x270\n[  352.824373]  ? copy_page_range+0x16b0/0x16b0\n[  352.825209]  ? perf_event_update_userpage+0x2d0/0x2d0\n[  352.826190]  ? __fget_light+0xd9/0xf0\n[  352.826941]  __sys_sendmsg+0xb3/0x130\n[  352.827613]  ? __sys_sendmsg_sock+0x20/0x20\n[  352.828377]  ? do_user_addr_fault+0x2c5/0x8a0\n[  352.829184]  ? fpregs_assert_state_consistent+0x52/0x60\n[  352.830001]  ? exit_to_user_mode_prepare+0x32/0x160\n[  352.830845]  do_syscall_64+0x35/0x80\n[  352.831445]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  352.832331] RIP: 0033:0x7f7bee973c17\n[ \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47402",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipack: ipoctal: fix module reference leak\n\nA reference to the carrier module was taken on every open but was only\nreleased once when the final reference to the tty struct was dropped.\n\nFix this by taking the module reference and initialising the tty driver\ndata when installing the tty.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47403",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: fix slab-out-of-bounds Write in betop_probe\n\nSyzbot reported slab-out-of-bounds Write bug in hid-betopff driver.\nThe problem is the driver assumes the device must have an input report but\nsome malicious devices violate this assumption.\n\nSo this patch checks hid_device's input is non empty before it's been used.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47404",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: free raw_report buffers in usbhid_stop\n\nFree the unsent raw_report buffers when the device is removed.\n\nFixes a memory leak reported by syzbot at:\nhttps://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47405",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add error checking to ext4_ext_replay_set_iblocks()\n\nIf the call to ext4_map_blocks() fails due to a corrupted file\nsystem, ext4_ext_replay_set_iblocks() can get stuck in an infinite\nloop.  This could be reproduced by running generic/526 with a file\nsystem that has inline_data and fast_commit enabled.  The system will\nrepeatedly log to the console:\n\nEXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076\n\nand the stack that it gets stuck in is:\n\n   ext4_block_to_path+0xe3/0x130\n   ext4_ind_map_blocks+0x93/0x690\n   ext4_map_blocks+0x100/0x660\n   skip_hole+0x47/0x70\n   ext4_ext_replay_set_iblocks+0x223/0x440\n   ext4_fc_replay_inode+0x29e/0x3b0\n   ext4_fc_replay+0x278/0x550\n   do_one_pass+0x646/0xc10\n   jbd2_journal_recover+0x14a/0x270\n   jbd2_journal_load+0xc4/0x150\n   ext4_load_journal+0x1f3/0x490\n   ext4_fill_super+0x22d4/0x2c00\n\nWith this patch, generic/526 still fails, but the system is no longer\nlocking up in a tight loop.  It's likely the root cause is that\nfast_commit replay is corrupting file systems with inline_data, and we\nprobably need to add better error handling in the fast commit replay\ncode path beyond what is done here, which essentially just breaks the\ninfinite loop without reporting it to the higher levels of the code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47406",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Handle SRCU initialization failure during page track init\n\nCheck the return of init_srcu_struct(), which can fail due to OOM, when\ninitializing the page track mechanism.  Lack of checking leads to a NULL\npointer deref found by a modified syzkaller.\n\n[Move the call towards the beginning of kvm_arch_init_vm. - Paolo]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47407",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: serialize hash resizes and cleanups\n\nSyzbot was able to trigger the following warning [1]\n\nNo repro found by syzbot yet but I was able to trigger similar issue\nby having 2 scripts running in parallel, changing conntrack hash sizes,\nand:\n\nfor j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done\n\nIt would take more than 5 minutes for net_namespace structures\nto be cleaned up.\n\nThis is because nf_ct_iterate_cleanup() has to restart every time\na resize happened.\n\nBy adding a mutex, we can serialize hash resizes and cleanups\nand also make get_next_corpse() faster by skipping over empty\nbuckets.\n\nEven without resizes in the picture, this patch considerably\nspeeds up network namespace dismantles.\n\n[1]\nINFO: task syz-executor.0:8312 can't die for more than 144 seconds.\ntask:syz-executor.0  state:R  running task     stack:25672 pid: 8312 ppid:  6573 flags:0x00004006\nCall Trace:\n context_switch kernel/sched/core.c:4955 [inline]\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\n preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408\n preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35\n __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390\n local_bh_enable include/linux/bottom_half.h:32 [inline]\n get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]\n nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275\n nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469\n ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171\n setup_net+0x639/0xa30 net/core/net_namespace.c:349\n copy_net_ns+0x319/0x760 net/core/net_namespace.c:470\n create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226\n ksys_unshare+0x445/0x920 kernel/fork.c:3128\n __do_sys_unshare kernel/fork.c:3202 [inline]\n __se_sys_unshare kernel/fork.c:3200 [inline]\n __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f63da68e739\nRSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000\nRBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80\nR13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000\n\nShowing all locks held in the system:\n1 lock held by khungtaskd/27:\n #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446\n2 locks held by kworker/u4:2/153:\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268\n #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272\n1 lock held by systemd-udevd/2970:\n1 lock held by in:imklog/6258:\n #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990\n3 locks held by kworker/1:6/8158:\n1 lock held by syz-executor.0/8312:\n2 locks held by kworker/u4:13/9320:\n1 lock held by\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47408",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need to check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47409",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: fix svm_migrate_fini warning\n\nDevice manager releases device-specific resources when a driver\ndisconnects from a device, devm_memunmap_pages and\ndevm_release_mem_region calls in svm_migrate_fini are redundant.\n\nIt causes below warning trace after patch \"drm/amdgpu: Split\namdgpu_device_fini into early and late\", so remove function\nsvm_migrate_fini.\n\nBUG: https://gitlab.freedesktop.org/drm/amd/-/issues/1718\n\nWARNING: CPU: 1 PID: 3646 at drivers/base/devres.c:795\ndevm_release_action+0x51/0x60\nCall Trace:\n    ? memunmap_pages+0x360/0x360\n    svm_migrate_fini+0x2d/0x60 [amdgpu]\n    kgd2kfd_device_exit+0x23/0xa0 [amdgpu]\n    amdgpu_amdkfd_device_fini_sw+0x1d/0x30 [amdgpu]\n    amdgpu_device_fini_sw+0x45/0x290 [amdgpu]\n    amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n    drm_dev_release+0x20/0x40 [drm]\n    release_nodes+0x196/0x1e0\n    device_release_driver_internal+0x104/0x1d0\n    driver_detach+0x47/0x90\n    bus_remove_driver+0x7a/0xd0\n    pci_unregister_driver+0x3d/0x90\n    amdgpu_exit+0x11/0x20 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47410",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked\n\nrq_qos framework is only applied on request based driver, so:\n\n1) rq_qos_done_bio() needn't be called for bio based driver\n\n2) rq_qos_done_bio() needn't be called for bio which isn't tracked,\nsuch as bios ended from error handling code.\n\nEspecially in bio_endio():\n\n1) request queue is referred via bio->bi_bdev->bd_disk->queue, which\nmay be gone since request queue refcount may not be held in above two\ncases\n\n2) q->rq_qos may be freed in blk_cleanup_queue() when calling into\n__rq_qos_done_bio()\n\nFix the potential kernel panic by not calling rq_qos_ops->done_bio if\nthe bio isn't tracked. This way is safe because both ioc_rqos_done_bio()\nand blkcg_iolatency_done_bio() are nop if the bio isn't tracked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47412",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle\n\nWhen passing 'phys' in the devicetree to describe the USB PHY phandle\n(which is the recommended way according to\nDocumentation/devicetree/bindings/usb/ci-hdrc-usb2.txt) the\nfollowing NULL pointer dereference is observed on i.MX7 and i.MX8MM:\n\n[    1.489344] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n[    1.498170] Mem abort info:\n[    1.500966]   ESR = 0x96000044\n[    1.504030]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    1.509356]   SET = 0, FnV = 0\n[    1.512416]   EA = 0, S1PTW = 0\n[    1.515569]   FSC = 0x04: level 0 translation fault\n[    1.520458] Data abort info:\n[    1.523349]   ISV = 0, ISS = 0x00000044\n[    1.527196]   CM = 0, WnR = 1\n[    1.530176] [0000000000000098] user address but active_mm is swapper\n[    1.536544] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[    1.542125] Modules linked in:\n[    1.545190] CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.14.0-dirty #3\n[    1.551901] Hardware name: Kontron i.MX8MM N801X S (DT)\n[    1.557133] Workqueue: events_unbound deferred_probe_work_func\n[    1.562984] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n[    1.568998] pc : imx7d_charger_detection+0x3f0/0x510\n[    1.573973] lr : imx7d_charger_detection+0x22c/0x510\n\nThis happens because the charger functions check for the phy presence\ninside the imx_usbmisc_data structure (data->usb_phy), but the chipidea\ncore populates the usb_phy passed via 'phys' inside 'struct ci_hdrc'\n(ci->usb_phy) instead.\n\nThis causes the NULL pointer dereference inside imx7d_charger_detection().\n\nFix it by also searching for 'phys' in case 'fsl,usbphy' is not found.\n\nTested on an imx7s-warp board.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47413",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Flush current cpu icache before other cpus\n\nOn SiFive Unmatched, I recently fell onto the following BUG when booting:\n\n[    0.000000] ftrace: allocating 36610 entries in 144 pages\n[    0.000000] Oops - illegal instruction [#1]\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.13.1+ #5\n[    0.000000] Hardware name: SiFive HiFive Unmatched A00 (DT)\n[    0.000000] epc : riscv_cpuid_to_hartid_mask+0x6/0xae\n[    0.000000]  ra : __sbi_rfence_v02+0xc8/0x10a\n[    0.000000] epc : ffffffff80007240 ra : ffffffff80009964 sp : ffffffff81803e10\n[    0.000000]  gp : ffffffff81a1ea70 tp : ffffffff8180f500 t0 : ffffffe07fe30000\n[    0.000000]  t1 : 0000000000000004 t2 : 0000000000000000 s0 : ffffffff81803e60\n[    0.000000]  s1 : 0000000000000000 a0 : ffffffff81a22238 a1 : ffffffff81803e10\n[    0.000000]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.000000]  a5 : 0000000000000000 a6 : ffffffff8000989c a7 : 0000000052464e43\n[    0.000000]  s2 : ffffffff81a220c8 s3 : 0000000000000000 s4 : 0000000000000000\n[    0.000000]  s5 : 0000000000000000 s6 : 0000000200000100 s7 : 0000000000000001\n[    0.000000]  s8 : ffffffe07fe04040 s9 : ffffffff81a22c80 s10: 0000000000001000\n[    0.000000]  s11: 0000000000000004 t3 : 0000000000000001 t4 : 0000000000000008\n[    0.000000]  t5 : ffffffcf04000808 t6 : ffffffe3ffddf188\n[    0.000000] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000002\n[    0.000000] [<ffffffff80007240>] riscv_cpuid_to_hartid_mask+0x6/0xae\n[    0.000000] [<ffffffff80009474>] sbi_remote_fence_i+0x1e/0x26\n[    0.000000] [<ffffffff8000b8f4>] flush_icache_all+0x12/0x1a\n[    0.000000] [<ffffffff8000666c>] patch_text_nosync+0x26/0x32\n[    0.000000] [<ffffffff8000884e>] ftrace_init_nop+0x52/0x8c\n[    0.000000] [<ffffffff800f051e>] ftrace_process_locs.isra.0+0x29c/0x360\n[    0.000000] [<ffffffff80a0e3c6>] ftrace_init+0x80/0x130\n[    0.000000] [<ffffffff80a00f8c>] start_kernel+0x5c4/0x8f6\n[    0.000000] ---[ end trace f67eb9af4d8d492b ]---\n[    0.000000] Kernel panic - not syncing: Attempted to kill the idle task!\n[    0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---\n\nWhile ftrace is looping over a list of addresses to patch, it always failed\nwhen patching the same function: riscv_cpuid_to_hartid_mask. Looking at the\nbacktrace, the illegal instruction is encountered in this same function.\nHowever, patch_text_nosync, after patching the instructions, calls\nflush_icache_range. But looking at what happens in this function:\n\nflush_icache_range -> flush_icache_all\n                   -> sbi_remote_fence_i\n                   -> __sbi_rfence_v02\n                   -> riscv_cpuid_to_hartid_mask\n\nThe icache and dcache of the current cpu are never synchronized between the\npatching of riscv_cpuid_to_hartid_mask and calling this same function.\n\nSo fix this by flushing the current cpu's icache before asking for the other\ncpus to do the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47414",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mvm: Fix possible NULL dereference\n\nIn __iwl_mvm_remove_time_event() check that 'te_data->vif' is NULL\nbefore dereferencing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47415",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: mdio: fix memory leak\n\nSyzbot reported a memory leak in the MDIO bus interface; the problem was in\nwrong state logic.\n\nMDIOBUS_ALLOCATED indicates 2 states:\n\t1. Bus is only allocated\n\t2. Bus allocated and __mdiobus_register() fails, but\n\t   device_register() was called\n\nIn case device_register() has been called, we should call put_device()\nto correctly free the memory allocated for this device, but mdiobus_free()\ncalls just kfree(dev) in case of MDIOBUS_ALLOCATED state.\n\nTo avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED\n_before_ calling device_register(), because put_device() should be\ncalled even in case of device_register() failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47416",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Fix memory leak in strset\n\nFree struct strset itself, not just its internal parts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47417",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: fix NULL deref in fifo_set_limit()\n\nsyzbot reported another NULL deref in fifo_set_limit() [1]\n\nI could repro the issue with :\n\nunshare -n\ntc qd add dev lo root handle 1:0 tbf limit 200000 burst 70000 rate 100Mbit\ntc qd replace dev lo parent 1:0 pfifo_fast\ntc qd change dev lo root handle 1:0 tbf limit 300000 burst 70000 rate 100Mbit\n\npfifo_fast does not have a change() operation.\nMake fifo_set_limit() more robust about this.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 1cf99067 P4D 1cf99067 PUD 7ca49067 PMD 0\nOops: 0010 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 14443 Comm: syz-executor959 Not tainted 5.15.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\nRSP: 0018:ffffc9000e2f7310 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffffff8d6ecc00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff888024c27910 RDI: ffff888071e34000\nRBP: ffff888071e34000 R08: 0000000000000001 R09: ffffffff8fcfb947\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888024c27910\nR13: ffff888071e34018 R14: 0000000000000000 R15: ffff88801ef74800\nFS:  00007f321d897700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 00000000722c3000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n fifo_set_limit net/sched/sch_fifo.c:242 [inline]\n fifo_set_limit+0x198/0x210 net/sched/sch_fifo.c:227\n tbf_change+0x6ec/0x16d0 net/sched/sch_tbf.c:418\n qdisc_change net/sched/sch_api.c:1332 [inline]\n tc_modify_qdisc+0xd9a/0x1a60 net/sched/sch_api.c:1634\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572\n 
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340\n netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47418",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: properly cancel timer from taprio_destroy()\n\nThere is a comment in qdisc_create() about us not calling ops->reset()\nin some cases.\n\nerr_out4:\n\t/*\n\t * Any broken qdiscs that would require a ops->reset() here?\n\t * The qdisc was never in action so it shouldn't be necessary.\n\t */\n\nAs taprio sets a timer before actually receiving a packet, we need\nto cancel it from ops->destroy, just in case ops->reset has not\nbeen called.\n\nsyzbot reported:\n\nODEBUG: free active (active state 0) object type: hrtimer hint: advance_sched+0x0/0x9a0 arch/x86/include/asm/atomic64_64.h:22\nWARNING: CPU: 0 PID: 8441 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505\nModules linked in:\nCPU: 0 PID: 8441 Comm: syz-executor813 Not tainted 5.14.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505\nCode: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd e0 d3 e3 89 4c 89 ee 48 c7 c7 e0 c7 e3 89 e8 5b 86 11 05 <0f> 0b 83 05 85 03 92 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3\nRSP: 0018:ffffc9000130f330 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000\nRDX: ffff88802baeb880 RSI: ffffffff815d87b5 RDI: fffff52000261e58\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815d25ee R11: 0000000000000000 R12: ffffffff898dd020\nR13: ffffffff89e3ce20 R14: ffffffff81653630 R15: dffffc0000000000\nFS:  0000000000f0d300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffb64b3e000 CR3: 0000000036557000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n 
__debug_check_no_obj_freed lib/debugobjects.c:987 [inline]\n debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1018\n slab_free_hook mm/slub.c:1603 [inline]\n slab_free_freelist_hook+0x171/0x240 mm/slub.c:1653\n slab_free mm/slub.c:3213 [inline]\n kfree+0xe4/0x540 mm/slub.c:4267\n qdisc_create+0xbcf/0x1320 net/sched/sch_api.c:1299\n tc_modify_qdisc+0x4c8/0x1a60 net/sched/sch_api.c:1663\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340\n netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2403\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2457\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2486\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47419",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: fix a potential ttm->sg memory leak\n\nMemory is allocated for ttm->sg by kmalloc in kfd_mem_dmamap_userptr,\nbut isn't freed by kfree in kfd_mem_dmaunmap_userptr. Free it!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47420",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume\n\nIn current code, when a PCI error state pci_channel_io_normal is detected,\nit will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI\ndriver will continue the execution of PCI resume callback report_resume by\npci_walk_bridge, and the callback will go into amdgpu_pci_resume\nfinally, where write lock is released unconditionally without acquiring\nsuch lock first. In this case, a deadlock will happen when other threads\nstart to acquire the read lock.\n\nTo fix this, add a member in amdgpu_device structure to cache\npci_channel_state, and only continue the execution in amdgpu_pci_resume\nwhen it's pci_channel_io_frozen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47421",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/kms/nv50-: fix file release memory leak\n\nWhen using single_open() for opening, single_release() should be\ncalled, otherwise the 'op' allocated in single_open() will be leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47422",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/debugfs: fix file release memory leak\n\nWhen using single_open() for opening, single_release() should be\ncalled, otherwise the 'op' allocated in single_open() will be leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47423",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix freeing of uninitialized misc IRQ vector\n\nWhen VSI set up failed in i40e_probe() as part of PF switch set up\ndriver was trying to free misc IRQ vectors in\ni40e_clear_interrupt_scheme and produced a kernel Oops:\n\n   Trying to free already-free IRQ 266\n   WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300\n   Workqueue: events work_for_cpu_fn\n   RIP: 0010:__free_irq+0x9a/0x300\n   Call Trace:\n   ? synchronize_irq+0x3a/0xa0\n   free_irq+0x2e/0x60\n   i40e_clear_interrupt_scheme+0x53/0x190 [i40e]\n   i40e_probe.part.108+0x134b/0x1a40 [i40e]\n   ? kmem_cache_alloc+0x158/0x1c0\n   ? acpi_ut_update_ref_count.part.1+0x8e/0x345\n   ? acpi_ut_update_object_reference+0x15e/0x1e2\n   ? strstr+0x21/0x70\n   ? irq_get_irq_data+0xa/0x20\n   ? mp_check_pin_attr+0x13/0xc0\n   ? irq_get_irq_data+0xa/0x20\n   ? mp_map_pin_to_irq+0xd3/0x2f0\n   ? acpi_register_gsi_ioapic+0x93/0x170\n   ? pci_conf1_read+0xa4/0x100\n   ? pci_bus_read_config_word+0x49/0x70\n   ? do_pci_enable_device+0xcc/0x100\n   local_pci_probe+0x41/0x90\n   work_for_cpu_fn+0x16/0x20\n   process_one_work+0x1a7/0x360\n   worker_thread+0x1cf/0x390\n   ? create_worker+0x1a0/0x1a0\n   kthread+0x112/0x130\n   ? kthread_flush_work_fn+0x10/0x10\n   ret_from_fork+0x1f/0x40\n\nThe problem is that at that point misc IRQ vectors\nwere not allocated yet and we get a call trace\nthat driver is trying to free already free IRQ vectors.\n\nAdd a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED\nPF state before calling i40e_free_misc_vector. This state is set only if\nmisc IRQ vectors were properly initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47424",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: acpi: fix resource leak in reconfiguration device addition\n\nacpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a\nreference on the adapter which is never released which will result in a\nreference count leak and render the adapter unremovable.  Make sure to\nput the adapter after creating the client in the same manner that we do\nfor OF.\n\n[wsa: fixed title]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47425",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, s390: Fix potential memory leak about jit_data\n\nMake sure to free jit_data through kfree() in the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47426",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: Fix iscsi_task use after free\n\nCommit d39df158518c (\"scsi: iscsi: Have abort handler get ref to conn\")\nadded iscsi_get_conn()/iscsi_put_conn() calls during abort handling but\nthen also changed the handling of the case where we detect an already\ncompleted task where we now end up doing a goto to the common put/cleanup\ncode. This results in an iscsi_task use after free, because the common\ncleanup code will do a put on the iscsi_task.\n\nThis reverts the goto and moves the iscsi_get_conn() to after we've checked\nif the iscsi_task is valid.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47427",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: fix program check interrupt emergency stack path\n\nEmergency stack path was jumping into a 3: label inside the\n__GEN_COMMON_BODY macro for the normal path after it had finished,\nrather than jumping over it. By a small miracle this is the correct\nplace to build up a new interrupt frame with the existing stack\npointer, so things basically worked okay with an added weird looking\n700 trap frame on top (which had the wrong ->nip so it didn't decode\nbug messages either).\n\nFix this by avoiding using numeric labels when jumping over non-trivial\nmacros.\n\nBefore:\n\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637\n NIP:  7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0\n REGS: c0000000fffb3a50 TRAP: 0700   Not tainted\n MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 00000700  XER: 20040000\n CFAR: c0000000000098b0 IRQMASK: 0\n GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000\n GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299\n GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8\n GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001\n GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8\n GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158\n GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300\n GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80\n NIP [7265677368657265] 0x7265677368657265\n LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10\n Call Trace:\n [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)\n --- interrupt: 700 at decrementer_common_virt+0xb8/0x230\n NIP:  c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0\n 
REGS: c0000000fffb3d60 TRAP: 0700   Not tainted\n MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 22424282  XER: 20040000\n CFAR: c0000000000098b0 IRQMASK: 0\n GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000\n GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299\n GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8\n GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001\n GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8\n GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158\n GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300\n GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80\n NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230\n LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10\n --- interrupt: 700\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 6d28218e0cc3c949 ]---\n\nAfter:\n\n ------------[ cut here ]------------\n kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638\n NIP:  c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0\n REGS: c0000000fffb3d60 TRAP: 0700   Not tainted\n MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 24482227  XER: 00040000\n CFAR: c0000000000098b0 IRQMASK: 0\n GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868\n GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009\n GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c\n GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00\n GPR16: 00000000ffff0000 
0000000000000001 0000000000000009 00000000100eed90\n GPR20: 00000000100eed90 00000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47428",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix unrecoverable MCE calling async handler from NMI\n\nThe machine check handler is not considered NMI on 64s. The early\nhandler is the true NMI handler, and then it schedules the\nmachine_check_exception handler to run when interrupts are enabled.\n\nThis works fine except the case of an unrecoverable MCE, where the true\nNMI is taken when MSR[RI] is clear, it can not recover, so it calls\nmachine_check_exception directly so something might be done about it.\n\nCalling an async handler from NMI context can result in irq state and\nother things getting corrupted. This can also trigger the BUG at\n  arch/powerpc/include/asm/interrupt.h:168\n  BUG_ON(!arch_irq_disabled_regs(regs) && !(regs->msr & MSR_EE));\n\nFix this by making an _async version of the handler which is called\nin the normal case, and a NMI version that is called for unrecoverable\ninterrupts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47429",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n\n\nCommit\n\n  3c73b81a9164 (\"x86/entry, selftests: Further improve user entry sanity checks\")\n\nadded a warning if AC is set when in the kernel.\n\nCommit\n\n  662a0221893a3d (\"x86/entry: Fix AC assertion\")\n\nchanged the warning to only fire if the CPU supports SMAP.\n\nHowever, the warning can still trigger on a machine that supports SMAP\nbut where it's disabled in the kernel config and when running the\nsyscall_nt selftest, for example:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 49 at irqentry_enter_from_user_mode\n  CPU: 0 PID: 49 Comm: init Tainted: G                T 5.15.0-rc4+ #98 e6202628ee053b4f310759978284bd8bb0ce6905\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\n  RIP: 0010:irqentry_enter_from_user_mode\n  ...\n  Call Trace:\n   ? irqentry_enter\n   ? exc_general_protection\n   ? asm_exc_general_protection\n   ? asm_exc_general_protectio\n\nIS_ENABLED(CONFIG_X86_SMAP) could be added to the warning condition, but\neven this would not be enough in case SMAP is disabled at boot time with\nthe \"nosmap\" parameter.\n\nTo be consistent with \"nosmap\" behaviour, clear X86_FEATURE_SMAP when\n!CONFIG_X86_SMAP.\n\nFound using entry-fuzz + satrandconfig.\n\n [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47430",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix gart.bo pin_count leak\n\ngmc_v{9,10}_0_gart_disable() isn't called matched with\ncorresponding gart_enable function in SRIOV case. This will\nlead to gart.bo pin_count leak on driver unload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47431",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Don't overflow in peek()\n\nWhen we started spreading new inode numbers throughout most of the 64\nbit inode space, that triggered some corner case bugs, in particular\nsome integer overflows related to the radix tree code. Oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47432",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2021-47433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix abort logic in btrfs_replace_file_extents\n\nError injection testing uncovered a case where we'd end up with a\ncorrupt file system with a missing extent in the middle of a file.  This\noccurs because the if statement to decide if we should abort is wrong.\n\nThe only way we would abort in this case is if we got a ret !=\n-EOPNOTSUPP and we called from the file clone code.  However the\nprealloc code uses this path too.  Instead we need to abort if there is\nan error, and the only error we _don't_ abort on is -EOPNOTSUPP and only\nif we came from the clone file code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47433",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix command ring pointer corruption while aborting a command\n\nThe command ring pointer is located at [6:63] bits of the command\nring control register (CRCR). All the control bits like command stop,\nabort are located at [0:3] bits. While aborting a command, we read the\nCRCR and set the abort bit and write to the CRCR. The read will always\ngive command ring pointer as all zeros. So we essentially write only\nthe control bits. Since we split the 64 bit write into two 32 bit writes,\nthere is a possibility of xHC command ring stopped before the upper\ndword (all zeros) is written. If that happens, xHC updates the upper\ndword of its internal command ring pointer with all zeros. Next time,\nwhen the command ring is restarted, we see xHC memory access failures.\nFix this issue by only writing to the lower dword of CRCR where all\ncontrol bits are located.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47434",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix mempool NULL pointer race when completing IO\n\ndm_io_dec_pending() calls end_io_acct() first and will then dec md\nin-flight pending count. But if a task is swapping DM table at same\ntime this can result in a crash due to mempool->elements being NULL:\n\ntask1                             task2\ndo_resume\n ->do_suspend\n  ->dm_wait_for_completion\n                                  bio_endio\n\t\t\t\t   ->clone_endio\n\t\t\t\t    ->dm_io_dec_pending\n\t\t\t\t     ->end_io_acct\n\t\t\t\t      ->wakeup task1\n ->dm_swap_table\n  ->__bind\n   ->__bind_mempools\n    ->bioset_exit\n     ->mempool_exit\n                                     ->free_io\n\n[ 67.330330] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n......\n[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 67.330510] pc : mempool_free+0x70/0xa0\n[ 67.330515] lr : mempool_free+0x4c/0xa0\n[ 67.330520] sp : ffffff8008013b20\n[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004\n[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8\n[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800\n[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800\n[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80\n[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c\n[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd\n[ 67.330563] x15: 000000000093b41e x14: 0000000000000010\n[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555\n[ 67.330574] x11: 0000000000000001 x10: 0000000000000001\n[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000\n[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a\n[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001\n[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8\n[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970\n[ 67.330609] Call trace:\n[ 67.330616] mempool_free+0x70/0xa0\n[ 67.330627] 
bio_put+0xf8/0x110\n[ 67.330638] dec_pending+0x13c/0x230\n[ 67.330644] clone_endio+0x90/0x180\n[ 67.330649] bio_endio+0x198/0x1b8\n[ 67.330655] dec_pending+0x190/0x230\n[ 67.330660] clone_endio+0x90/0x180\n[ 67.330665] bio_endio+0x198/0x1b8\n[ 67.330673] blk_update_request+0x214/0x428\n[ 67.330683] scsi_end_request+0x2c/0x300\n[ 67.330688] scsi_io_completion+0xa0/0x710\n[ 67.330695] scsi_finish_command+0xd8/0x110\n[ 67.330700] scsi_softirq_done+0x114/0x148\n[ 67.330708] blk_done_softirq+0x74/0xd0\n[ 67.330716] __do_softirq+0x18c/0x374\n[ 67.330724] irq_exit+0xb4/0xb8\n[ 67.330732] __handle_domain_irq+0x84/0xc0\n[ 67.330737] gic_handle_irq+0x148/0x1b0\n[ 67.330744] el1_irq+0xe8/0x190\n[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538\n[ 67.330759] cpuidle_enter_state+0x1fc/0x398\n[ 67.330764] cpuidle_enter+0x18/0x20\n[ 67.330772] do_idle+0x1b4/0x290\n[ 67.330778] cpu_startup_entry+0x20/0x28\n[ 67.330786] secondary_start_kernel+0x160/0x170\n\nFix this by:\n1) Establishing pointers to 'struct dm_io' members in\ndm_io_dec_pending() so that they may be passed into end_io_acct()\n_after_ free_io() is called.\n2) Moving end_io_acct() after free_io().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47435",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: dsps: Fix the probe error path\n\nCommit 7c75bde329d7 (\"usb: musb: musb_dsps: request_irq() after\ninitializing musb\") has inverted the calls to\ndsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without\nupdating correctly the error path. dsps_create_musb_pdev() allocates and\nregisters a new platform device which must be unregistered and freed\nwith platform_device_unregister(), and this is missing upon\ndsps_setup_optional_vbus_irq() error.\n\nWhile on the master branch it seems not to trigger any issue, I observed\na kernel crash because of a NULL pointer dereference with a v5.10.70\nstable kernel where the patch mentioned above was backported. With this\nkernel version, -EPROBE_DEFER is returned the first time\ndsps_setup_optional_vbus_irq() is called which triggers the probe to\nerror out without unregistering the platform device. Unfortunately, on\nthe Beagle Bone Black Wireless, the platform device still living in the\nsystem is being used by the USB Ethernet gadget driver, which during the\nboot phase triggers the crash.\n\nMy limited knowledge of the musb world prevents me from reverting this commit\nwhich was sent to silence a robot warning which, as far as I understand,\ndoes not make sense. The goal of this patch was to prevent an IRQ from\nfiring before the platform device is registered. I think this cannot\never happen due to the fact that enabling the interrupts is done by the\n->enable() callback of the platform musb device, and this platform\ndevice must be already registered in order for the core or any other\nuser to use this callback.\n\nHence, I decided to fix the error path, which might prevent future\nerrors on mainline kernels while also fixing older ones.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47436",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14.14"
        },
        {
          "id": "CVE-2021-47437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adis16475: fix deadlock on frequency set\n\nWith commit 39c024b51b560\n(\"iio: adis16475: improve sync scale mode handling\"), two deadlocks were\nintroduced:\n 1) The call to 'adis_write_reg_16()' was not changed to its unlocked\n    version.\n 2) The lock was not being released on the success path of the function.\n\nThis change fixes both these issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47437",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path\n\nPrior to this patch in case mlx5_core_destroy_cq() failed it returns\nwithout completing all destroy operations and that leads to memory leak.\nInstead, complete the destroy flow before return error.\n\nAlso move mlx5_debug_cq_remove() to the beginning of mlx5_core_destroy_cq()\nto be symmetrical with mlx5_core_create_cq().\n\nkmemleak complains on:\n\nunreferenced object 0xc000000038625100 (size 64):\n  comm \"ethtool\", pid 28301, jiffies 4298062946 (age 785.380s)\n  hex dump (first 32 bytes):\n    60 01 48 94 00 00 00 c0 b8 05 34 c3 00 00 00 c0  `.H.......4.....\n    02 00 00 00 00 00 00 00 00 db 7d c1 00 00 00 c0  ..........}.....\n  backtrace:\n    [<000000009e8643cb>] add_res_tree+0xd0/0x270 [mlx5_core]\n    [<00000000e7cb8e6c>] mlx5_debug_cq_add+0x5c/0xc0 [mlx5_core]\n    [<000000002a12918f>] mlx5_core_create_cq+0x1d0/0x2d0 [mlx5_core]\n    [<00000000cef0a696>] mlx5e_create_cq+0x210/0x3f0 [mlx5_core]\n    [<000000009c642c26>] mlx5e_open_cq+0xb4/0x130 [mlx5_core]\n    [<0000000058dfa578>] mlx5e_ptp_open+0x7f4/0xe10 [mlx5_core]\n    [<0000000081839561>] mlx5e_open_channels+0x9cc/0x13e0 [mlx5_core]\n    [<0000000009cf05d4>] mlx5e_switch_priv_channels+0xa4/0x230\n[mlx5_core]\n    [<0000000042bbedd8>] mlx5e_safe_switch_params+0x14c/0x300\n[mlx5_core]\n    [<0000000004bc9db8>] set_pflag_tx_port_ts+0x9c/0x160 [mlx5_core]\n    [<00000000a0553443>] mlx5e_set_priv_flags+0xd0/0x1b0 [mlx5_core]\n    [<00000000a8f3d84b>] ethnl_set_privflags+0x234/0x2d0\n    [<00000000fd27f27c>] genl_family_rcv_msg_doit+0x108/0x1d0\n    [<00000000f495e2bb>] genl_family_rcv_msg+0xe4/0x1f0\n    [<00000000646c5c2c>] genl_rcv_msg+0x78/0x120\n    [<00000000d53e384e>] netlink_rcv_skb+0x74/0x1a0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47438",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Added the condition for scheduling ksz_mib_read_work\n\nWhen the ksz module is installed and removed using rmmod, kernel crashes\nwith null pointer dereference error. During rmmod, ksz_switch_remove\nfunction tries to cancel the mib_read_workqueue using\ncancel_delayed_work_sync routine and unregister switch from dsa.\n\nDuring dsa_unregister_switch it calls ksz_mac_link_down, which in turn\nreschedules the workqueue since mib_interval is non-zero.\nDue to which queue executed after mib_interval and it tries to access\ndp->slave. But the slave is unregistered in the ksz_switch_remove\nfunction. Hence kernel crashes.\n\nTo avoid this crash, before canceling the workqueue, reset the\nmib_interval to 0.\n\nv1 -> v2:\n-Removed the if condition in ksz_mib_read_work",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47439",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: encx24j600: check error in devm_regmap_init_encx24j600\n\ndevm_regmap_init may return error which caused by like out of memory,\nthis will results in null pointer dereference later when reading\nor writing register:\n\ngeneral protection fault in encx24j600_spi_probe\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 286 Comm: spi-encx24j600- Not tainted 5.15.0-rc2-00142-g9978db750e31-dirty #11 9c53a778c1306b1b02359f3c2bbedc0222cba652\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:regcache_cache_bypass drivers/base/regmap/regcache.c:540\nCode: 54 41 89 f4 55 53 48 89 fb 48 83 ec 08 e8 26 94 a8 fe 48 8d bb a0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 03 00 00 4c 8d ab b0 00 00 00 48 8b ab a0 00\nRSP: 0018:ffffc900010476b8 EFLAGS: 00010207\nRAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: 0000000000000000\nRDX: 0000000000000012 RSI: ffff888002de0000 RDI: 0000000000000094\nRBP: ffff888013c9a000 R08: 0000000000000000 R09: fffffbfff3f9cc6a\nR10: ffffc900010476e8 R11: fffffbfff3f9cc69 R12: 0000000000000001\nR13: 000000000000000a R14: ffff888013c9af54 R15: ffff888013c9ad08\nFS:  00007ffa984ab580(0000) GS:ffff88801fe00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055a6384136c8 CR3: 000000003bbe6003 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n encx24j600_spi_probe drivers/net/ethernet/microchip/encx24j600.c:459\n spi_probe drivers/spi/spi.c:397\n really_probe drivers/base/dd.c:517\n __driver_probe_device drivers/base/dd.c:751\n driver_probe_device drivers/base/dd.c:782\n __device_attach_driver drivers/base/dd.c:899\n bus_for_each_drv drivers/base/bus.c:427\n __device_attach drivers/base/dd.c:971\n bus_probe_device drivers/base/bus.c:487\n device_add drivers/base/core.c:3364\n __spi_add_device drivers/spi/spi.c:599\n spi_add_device drivers/spi/spi.c:641\n spi_new_device drivers/spi/spi.c:717\n new_device_store+0x18c/0x1f1 [spi_stub 4e02719357f1ff33f5a43d00630982840568e85e]\n dev_attr_store drivers/base/core.c:2074\n sysfs_kf_write fs/sysfs/file.c:139\n kernfs_fop_write_iter fs/kernfs/file.c:300\n new_sync_write fs/read_write.c:508 (discriminator 4)\n vfs_write fs/read_write.c:594\n ksys_write fs/read_write.c:648\n do_syscall_64 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:113\n\nAdd error check in devm_regmap_init_encx24j600 to avoid this situation.",
          "scorev2": "0.0",
          "scorev3": "2.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47440",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: thermal: Fix out-of-bounds memory accesses\n\nCurrently, mlxsw allows cooling states to be set above the maximum\ncooling state supported by the driver:\n\n # cat /sys/class/thermal/thermal_zone2/cdev0/type\n mlxsw_fan\n # cat /sys/class/thermal/thermal_zone2/cdev0/max_state\n 10\n # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state\n # echo $?\n 0\n\nThis results in out-of-bounds memory accesses when thermal state\ntransition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the\ntransition table is accessed with a too large index (state) [1].\n\nAccording to the thermal maintainer, it is the responsibility of the\ndriver to reject such operations [2].\n\nTherefore, return an error when the state to be set exceeds the maximum\ncooling state supported by the driver.\n\nTo avoid dead code, as suggested by the thermal maintainer [3],\npartially revert commit a421ce088ac8 (\"mlxsw: core: Extend cooling\ndevice with cooling levels\") that tried to interpret these invalid\ncooling states (above the maximum) in a special way. The cooling levels\narray is not removed in order to prevent the fans going below 20% PWM,\nwhich would cause them to get stuck at 0% PWM.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290\nRead of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5\n\nCPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122\nHardware name: Mellanox Technologies Ltd. \"MSN2410-CB2FO\"/\"SA000874\", BIOS 4.6.5 03/08/2016\nWorkqueue: events_freezable_power_ thermal_zone_device_check\nCall Trace:\n dump_stack_lvl+0x8b/0xb3\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x7f/0x11b\n thermal_cooling_device_stats_update+0x271/0x290\n __thermal_cdev_update+0x15e/0x4e0\n thermal_cdev_update+0x9f/0xe0\n step_wise_throttle+0x770/0xee0\n thermal_zone_device_update+0x3f6/0xdf0\n process_one_work+0xa42/0x1770\n worker_thread+0x62f/0x13e0\n kthread+0x3ee/0x4e0\n ret_from_fork+0x1f/0x30\n\nAllocated by task 1:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0x7c/0x90\n thermal_cooling_device_setup_sysfs+0x153/0x2c0\n __thermal_cooling_device_register.part.0+0x25b/0x9c0\n thermal_cooling_device_register+0xb3/0x100\n mlxsw_thermal_init+0x5c5/0x7e0\n __mlxsw_core_bus_device_register+0xcb3/0x19c0\n mlxsw_core_bus_device_register+0x56/0xb0\n mlxsw_pci_probe+0x54f/0x710\n local_pci_probe+0xc6/0x170\n pci_device_probe+0x2b2/0x4d0\n really_probe+0x293/0xd10\n __driver_probe_device+0x2af/0x440\n driver_probe_device+0x51/0x1e0\n __driver_attach+0x21b/0x530\n bus_for_each_dev+0x14c/0x1d0\n bus_add_driver+0x3ac/0x650\n driver_register+0x241/0x3d0\n mlxsw_sp_module_init+0xa2/0x174\n do_one_initcall+0xee/0x5f0\n kernel_init_freeable+0x45a/0x4de\n kernel_init+0x1f/0x210\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the object at ffff8881052f7800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 1016 bytes inside of\n 1024-byte region [ffff8881052f7800, ffff8881052f7c00)\nThe buggy address belongs to the page:\npage:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0\nhead:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x200000000010200(slab|head|node=0|zone=2)\nraw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                                                                ^\n ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\n[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47441",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: fix possible memory leak in digital_in_send_sdd_req()\n\n'skb' is allocated in digital_in_send_sdd_req(), but not freed when\ndigital_in_send_cmd() fails, which will cause a memory leak. Fix it\nby freeing 'skb' if digital_in_send_cmd() returns failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47442",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: fix possible memory leak in digital_tg_listen_mdaa()\n\n'params' is allocated in digital_tg_listen_mdaa(), but not freed when\ndigital_send_cmd() fails, which will cause a memory leak. Fix it by\nfreeing 'params' if digital_send_cmd() returns failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47443",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read\n\nIn commit e11f5bd8228f (\"drm: Add support for DP 1.4 Compliance edid\ncorruption test\") the function connector_bad_edid() started assuming\nthat the memory for the EDID passed to it was big enough to hold\n`edid[0x7e] + 1` blocks of data (1 extra for the base block). It\ncompletely ignored the fact that the function was passed `num_blocks`\nwhich indicated how much memory had been allocated for the EDID.\n\nLet's fix this by adding a bounds check.\n\nThis is important for handling the case where there's an error in the\nfirst block of the EDID. In that case we will call\nconnector_bad_edid() without having re-allocated memory based on\n`edid[0x7e]`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47444",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix null pointer dereference on pointer edp\n\nThe initialization of pointer dev dereferences pointer edp before\nedp is null checked, so there is a potential null pointer dereference\nissue. Fix this by only dereferencing edp after edp has been null\nchecked.\n\nAddresses-Coverity: (\"Dereference before null check\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47445",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a4xx: fix error handling in a4xx_gpu_init()\n\nThis code returns 1 on error instead of a negative error.  It leads to\nan Oops in the caller.  A second problem is that the check for\n\"if (ret != -ENODATA)\" cannot be true because \"ret\" is set to 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47446",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a3xx: fix error handling in a3xx_gpu_init()\n\nThese error paths returned 1 on failure, instead of a negative error\ncode.  This would lead to an Oops in the caller.  A second problem is\nthat the check for \"if (ret != -ENODATA)\" did not work because \"ret\" was\nset to 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47447",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible stall on recvmsg()\n\nrecvmsg() can enter an infinite loop if the caller provides the\nMSG_WAITALL, the data present in the receive queue is not sufficient to\nfulfill the request, and no more data is received by the peer.\n\nWhen the above happens, mptcp_wait_data() will always return with\nno wait, as the MPTCP_DATA_READY flag checked by such function is\nset and never cleared in such code path.\n\nLeveraging the above syzbot was able to trigger an RCU stall:\n\nrcu: INFO: rcu_preempt self-detected stall on CPU\nrcu:    0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1\n        (t=10500 jiffies g=13089 q=109)\nrcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1\nrcu:    Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.\nrcu: RCU grace-period kthread stack dump:\ntask:rcu_preempt     state:R  running task     stack:28696 pid:   14 ppid:     2 flags:0x00004000\nCall Trace:\n context_switch kernel/sched/core.c:4955 [inline]\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\n schedule+0xd3/0x270 kernel/sched/core.c:6315\n schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881\n rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955\n rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128\n kthread+0x405/0x4f0 kernel/kthread.c:327\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\nrcu: Stack dump where RCU GP kthread last ran:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]\nRIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]\nRIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]\nRIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]\nRIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\nRIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189\nCode: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00\nRSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283\nRAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870\nRBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877\nR10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000\nR13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000\nFS:  0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n instrument_atomic_read_write include/linux/instrumented.h:101 [inline]\n test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]\n mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016\n release_sock+0xb4/0x1b0 net/core/sock.c:3204\n mptcp_wait_data net/mptcp/protocol.c:1770 [inline]\n mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080\n inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659\n sock_recvmsg_nosec net/socket.c:944 [inline]\n ____sys_recvmsg+0x527/0x600 net/socket.c:2626\n ___sys_recvmsg+0x127/0x200 net/socket.c:2670\n do_recvmmsg+0x24d/0x6d0 net/socket.c:2764\n __sys_recvmmsg net/socket.c:2843 [inline]\n __do_sys_recvmmsg net/socket.c:2866 [inline]\n __se_sys_recvmmsg net/socket.c:2859 [inline]\n __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc200d2\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47448",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix locking for Tx timestamp tracking flush\n\nCommit 4dd0d5c33c3e (\"ice: add lock around Tx timestamp tracker flush\")\nadded a lock around the Tx timestamp tracker flow which is used to\ncleanup any left over SKBs and prepare for device removal.\n\nThis lock is problematic because it is being held around a call to\nice_clear_phy_tstamp. The clear function takes a mutex to send a PHY\nwrite command to firmware. This could lead to a deadlock if the mutex\nactually sleeps, and causes the following warning on a kernel with\npreemption debugging enabled:\n\n[  715.419426] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573\n[  715.427900] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3100, name: rmmod\n[  715.435652] INFO: lockdep is turned off.\n[  715.439591] Preemption disabled at:\n[  715.439594] [<0000000000000000>] 0x0\n[  715.446678] CPU: 52 PID: 3100 Comm: rmmod Tainted: G        W  OE     5.15.0-rc4+ #42 bdd7ec3018e725f159ca0d372ce8c2c0e784891c\n[  715.458058] Hardware name: Intel Corporation S2600STQ/S2600STQ, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[  715.468483] Call Trace:\n[  715.470940]  dump_stack_lvl+0x6a/0x9a\n[  715.474613]  ___might_sleep.cold+0x224/0x26a\n[  715.478895]  __mutex_lock+0xb3/0x1440\n[  715.482569]  ? stack_depot_save+0x378/0x500\n[  715.486763]  ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.494979]  ? kfree+0xc1/0x520\n[  715.498128]  ? mutex_lock_io_nested+0x12a0/0x12a0\n[  715.502837]  ? kasan_set_free_info+0x20/0x30\n[  715.507110]  ? __kasan_slab_free+0x10b/0x140\n[  715.511385]  ? slab_free_freelist_hook+0xc7/0x220\n[  715.516092]  ? kfree+0xc1/0x520\n[  715.519235]  ? ice_deinit_lag+0x16c/0x220 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.527359]  ? ice_remove+0x1cf/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.535133]  ? pci_device_remove+0xab/0x1d0\n[  715.539318]  ? __device_release_driver+0x35b/0x690\n[  715.544110]  ? driver_detach+0x214/0x2f0\n[  715.548035]  ? bus_remove_driver+0x11d/0x2f0\n[  715.552309]  ? pci_unregister_driver+0x26/0x250\n[  715.556840]  ? ice_module_exit+0xc/0x2f [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.564799]  ? __do_sys_delete_module.constprop.0+0x2d8/0x4e0\n[  715.570554]  ? do_syscall_64+0x3b/0x90\n[  715.574303]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  715.579529]  ? start_flush_work+0x542/0x8f0\n[  715.583719]  ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.591923]  ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.599960]  ? wait_for_completion_io+0x250/0x250\n[  715.604662]  ? lock_acquire+0x196/0x200\n[  715.608504]  ? do_raw_spin_trylock+0xa5/0x160\n[  715.612864]  ice_sbq_rw_reg+0x1e6/0x2f0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.620813]  ? ice_reset+0x130/0x130 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.628497]  ? __debug_check_no_obj_freed+0x1e8/0x3c0\n[  715.633550]  ? trace_hardirqs_on+0x1c/0x130\n[  715.637748]  ice_write_phy_reg_e810+0x70/0xf0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.646220]  ? do_raw_spin_trylock+0xa5/0x160\n[  715.650581]  ? ice_ptp_release+0x910/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.658797]  ? ice_ptp_release+0x255/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.667013]  ice_clear_phy_tstamp+0x2c/0x110 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.675403]  ice_ptp_release+0x408/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.683440]  ice_remove+0x560/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]\n[  715.691037]  ? _raw_spin_unlock_irqrestore+0x46/0x73\n[  715.696005]  pci_device_remove+0xab/0x1d0\n[  715.700018]  __device_release_driver+0x35b/0x690\n[  715.704637]  driver_detach+0x214/0x2f0\n[  715.708389]  bus_remove_driver+0x11d/0x2f0\n[  715.712489]  pci_unregister_driver+0x26/0x250\n[  71\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47449",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14.14"
        },
        {
          "id": "CVE-2021-47450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix host stage-2 PGD refcount\n\nThe KVM page-table library refcounts the pages of concatenated stage-2\nPGDs individually. However, when running KVM in protected mode, the\nhost's stage-2 PGD is currently managed by EL2 as a single high-order\ncompound page, which can cause the refcount of the tail pages to reach 0\nwhen they shouldn't, hence corrupting the page-table.\n\nFix this by introducing a new hyp_split_page() helper in the EL2 page\nallocator (matching the kernel's split_page() function), and make use of\nit from host_s2_zalloc_pages_exact().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47450",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\n\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\nstructure is initialized by kmalloc on executing idletimer_tg_create\nfunction. However, in this process timer->timer_type is not defined to\na specific value. Thus, timer->timer_type has garbage value and it occurs\nkernel panic. So, this commit fixes the panic by initializing\ntimer->timer_type using kzalloc instead of kmalloc.\n\nTest commands:\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\n    $ cat /sys/class/xt_idletimer/timers/test\n      Killed\n\nSplat looks like:\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    Call Trace:\n     dump_stack_lvl+0x6e/0x9c\n     kasan_report.cold+0x112/0x117\n     ? alarm_expires_remaining+0x49/0x70\n     __asan_load8+0x86/0xb0\n     alarm_expires_remaining+0x49/0x70\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\n     dev_attr_show+0x3c/0x60\n     sysfs_kf_seq_show+0x11d/0x1f0\n     ? device_remove_bin_file+0x20/0x20\n     kernfs_seq_show+0xa4/0xb0\n     seq_read_iter+0x29c/0x750\n     kernfs_fop_read_iter+0x25a/0x2c0\n     ? __fsnotify_parent+0x3d1/0x570\n     ? iov_iter_init+0x70/0x90\n     new_sync_read+0x2a7/0x3d0\n     ? __x64_sys_llseek+0x230/0x230\n     ? rw_verify_area+0x81/0x150\n     vfs_read+0x17b/0x240\n     ksys_read+0xd9/0x180\n     ? vfs_write+0x460/0x460\n     ? do_syscall_64+0x16/0xc0\n     ? lockdep_hardirqs_on+0x79/0x120\n     __x64_sys_read+0x43/0x50\n     do_syscall_64+0x3b/0xc0\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RIP: 0033:0x7f0cdc819142\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47451",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: skip netdev events generated on netns removal\n\nsyzbot reported following (harmless) WARN:\n\n WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468\n  nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline]\n  nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline]\n  __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524\n  nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline]\n  nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382\n\nreproducer:\nunshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ; \\\n nft add chain netdev t ingress \\{ type filter hook ingress device \"br0\" \\\n priority 0\\; policy drop\\; \\}'\n\nProblem is that when netns device exit hooks create the UNREGISTER\nevent, the .pre_exit hook for nf_tables core has already removed the\nbase hook.  Notifier attempts to do this again.\n\nThe need to do base hook unregister unconditionally was needed in the past,\nbecause notifier was last stage where reg->dev dereference was safe.\n\nNow that nf_tables does the hook removal in .pre_exit, this isn't\nneeded anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47452",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Avoid crash from unnecessary IDA free\n\nIn the remove path, there is an attempt to free the aux_idx IDA whether\nit was allocated or not.  This can potentially cause a crash when\nunloading the driver on systems that do not initialize support for RDMA.\nBut, this free cannot be gated by the status bit for RDMA, since it is\nallocated if the driver detects support for RDMA at probe time, but the\ndriver can enter into a state where RDMA is not supported after the IDA\nhas been allocated at probe time and this would lead to a memory leak.\n\nInitialize aux_idx to an invalid value and check for a valid value when\nunloading to determine if an IDA free is necessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47453",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/smp: do not decrement idle task preempt count in CPU offline\n\nWith PREEMPT_COUNT=y, when a CPU is offlined and then onlined again, we\nget:\n\nBUG: scheduling while atomic: swapper/1/0/0x00000000\nno locks held by swapper/1/0.\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.0-rc2+ #100\nCall Trace:\n dump_stack_lvl+0xac/0x108\n __schedule_bug+0xac/0xe0\n __schedule+0xcf8/0x10d0\n schedule_idle+0x3c/0x70\n do_idle+0x2d8/0x4a0\n cpu_startup_entry+0x38/0x40\n start_secondary+0x2ec/0x3a0\n start_secondary_prolog+0x10/0x14\n\nThis is because powerpc's arch_cpu_idle_dead() decrements the idle task's\npreempt count, for reasons explained in commit a7c2bb8279d2 (\"powerpc:\nRe-enable preemption before cpu_die()\"), specifically \"start_secondary()\nexpects a preempt_count() of 0.\"\n\nHowever, since commit 2c669ef6979c (\"powerpc/preempt: Don't touch the idle\ntask's preempt_count during hotplug\") and commit f1a0a376ca0c (\"sched/core:\nInitialize the idle task with preemption disabled\"), that justification no\nlonger holds.\n\nThe idle task isn't supposed to re-enable preemption, so remove the\nvestigial preempt_enable() from the CPU offline path.\n\nTested with pseries and powernv in qemu, and pseries on PowerVM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47454",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Fix possible memory leak in ptp_clock_register()\n\nI got memory leak as follows when doing fault injection test:\n\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\n\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47455",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_pci: peak_pci_remove(): fix UAF\n\nWhen removing the module peak_pci, referencing 'chan' again after\nreleasing 'dev' will cause UAF.\n\nFix this by releasing 'dev' later.\n\nThe following log reveals it:\n\n[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537\n[   35.965513 ] Call Trace:\n[   35.965718 ]  dump_stack_lvl+0xa8/0xd1\n[   35.966028 ]  print_address_description+0x87/0x3b0\n[   35.966420 ]  kasan_report+0x172/0x1c0\n[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170\n[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20\n[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.968752 ]  pci_device_remove+0xa9/0x250",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47456",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()\n\nUsing wait_event_interruptible() to wait for complete transmission,\nbut do not check the result of wait_event_interruptible() which can be\ninterrupted. It will result in TX buffer has multiple accessors and\nthe later process interferes with the previous process.\n\nFollowing is one of the problems reported by syzbot.\n\n=============================================================\nWARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:isotp_tx_timer_handler+0x2e0/0x4c0\nCall Trace:\n <IRQ>\n ? isotp_setsockopt+0x390/0x390\n __hrtimer_run_queues+0xb8/0x610\n hrtimer_run_softirq+0x91/0xd0\n ? rcu_read_lock_sched_held+0x4d/0x80\n __do_softirq+0xe8/0x553\n irq_exit_rcu+0xf8/0x100\n sysvec_apic_timer_interrupt+0x9e/0xc0\n </IRQ>\n asm_sysvec_apic_timer_interrupt+0x12/0x20\n\nAdd result check for wait_event_interruptible() in isotp_sendmsg()\nto avoid multiple accessors for tx buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47457",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: mount fails with buffer overflow in strlen\n\nStarting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mounting an\nocfs2 filesystem with either o2cb or pcmk cluster stack fails with the\ntrace below.  Problem seems to be that strings for cluster stack and\ncluster name are not guaranteed to be null terminated in the disk\nrepresentation, while strlcpy assumes that the source string is always\nnull terminated.  This causes a read outside of the source string\ntriggering the buffer overflow detection.\n\n  detected buffer overflow in strlen\n  ------------[ cut here ]------------\n  kernel BUG at lib/string.c:1149!\n  invalid opcode: 0000 [#1] SMP PTI\n  CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1\n    Debian 5.14.6-2\n  RIP: 0010:fortify_panic+0xf/0x11\n  ...\n  Call Trace:\n   ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]\n   ocfs2_fill_super+0x359/0x19b0 [ocfs2]\n   mount_bdev+0x185/0x1b0\n   legacy_get_tree+0x27/0x40\n   vfs_get_tree+0x25/0xb0\n   path_mount+0x454/0xa20\n   __x64_sys_mount+0x103/0x140\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47458",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv\n\nIt will trigger UAF for rx_kref of j1939_priv as following.\n\n        cpu0                                    cpu1\nj1939_sk_bind(socket0, ndev0, ...)\nj1939_netdev_start\n                                        j1939_sk_bind(socket1, ndev0, ...)\n                                        j1939_netdev_start\nj1939_priv_set\n                                        j1939_priv_get_by_ndev_locked\nj1939_jsk_add\n.....\nj1939_netdev_stop\nkref_put_lock(&priv->rx_kref, ...)\n                                        kref_get(&priv->rx_kref, ...)\n                                        REFCOUNT_WARN(\"addition on 0;...\")\n\n====================================================\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0\nRIP: 0010:refcount_warn_saturate+0x169/0x1e0\nCall Trace:\n j1939_netdev_start+0x68b/0x920\n j1939_sk_bind+0x426/0xeb0\n ? security_socket_bind+0x83/0xb0\n\nThe rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to\nprotect.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47459",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix data corruption after conversion from inline format\n\nCommit 6dbf7bb55598 (\"fs: Don't invalidate page buffers in\nblock_write_full_page()\") uncovered a latent bug in ocfs2 conversion\nfrom inline inode format to a normal inode format.\n\nThe code in ocfs2_convert_inline_data_to_extents() attempts to zero out\nthe whole cluster allocated for file data by grabbing, zeroing, and\ndirtying all pages covering this cluster.  However these pages are\nbeyond i_size, thus writeback code generally ignores these dirty pages\nand no blocks were ever actually zeroed on the disk.\n\nThis oversight was fixed by commit 693c241a5f6a (\"ocfs2: No need to zero\npages past i_size.\") for standard ocfs2 write path, inline conversion\npath was apparently forgotten; the commit log also has a reasoning why\nthe zeroing actually is not needed.\n\nAfter commit 6dbf7bb55598, things became worse as writeback code stopped\ninvalidating buffers on pages beyond i_size and thus these pages end up\nwith clean PageDirty bit but with buffers attached to these pages being\nstill dirty.  So when a file is converted from inline format, then\nwriteback triggers, and then the file is grown so that these pages\nbecome valid, the invalid dirtiness state is preserved,\nmark_buffer_dirty() does nothing on these pages (buffers are already\ndirty) but page is never written back because it is clean.  So data\nwritten to these pages is lost once pages are reclaimed.\n\nSimple reproducer for the problem is:\n\n  xfs_io -f -c \"pwrite 0 2000\" -c \"pwrite 2000 2000\" -c \"fsync\" \\\n    -c \"pwrite 4000 2000\" ocfs2_file\n\nAfter unmounting and mounting the fs again, you can observe that end of\n'ocfs2_file' has lost its contents.\n\nFix the problem by not doing the pointless zeroing during conversion\nfrom inline format similarly as in the standard write path.\n\n[akpm@linux-foundation.org: fix whitespace, per Joseph]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47460",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: fix a race between writeprotect and exit_mmap()\n\nA race is possible when a process exits, its VMAs are removed by\nexit_mmap() and at the same time userfaultfd_writeprotect() is called.\n\nThe race was detected by KASAN on a development kernel, but it appears\nto be possible on vanilla kernels as well.\n\nUse mmget_not_zero() to prevent the race as done in other userfaultfd\noperations.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47461",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()\n\nsyzbot reported access to uninitialized memory in mbind() [1]\n\nIssue came with commit bda420b98505 (\"numa balancing: migrate on fault\namong multiple bound nodes\")\n\nThis commit added a new bit in MPOL_MODE_FLAGS, but only checked valid\ncombination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in\ndo_set_mempolicy()\n\nThis patch moves the check in sanitize_mpol_flags() so that it is also\nused by mbind()\n\n  [1]\n  BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260\n   __mpol_equal+0x567/0x590 mm/mempolicy.c:2260\n   mpol_equal include/linux/mempolicy.h:105 [inline]\n   vma_merge+0x4a1/0x1e60 mm/mmap.c:1190\n   mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811\n   do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333\n   kernel_mbind mm/mempolicy.c:1483 [inline]\n   __do_sys_mbind mm/mempolicy.c:1490 [inline]\n   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486\n   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486\n   do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n  Uninit was created at:\n   slab_alloc_node mm/slub.c:3221 [inline]\n   slab_alloc mm/slub.c:3230 [inline]\n   kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235\n   mpol_new mm/mempolicy.c:293 [inline]\n   do_mbind+0x912/0x15f0 mm/mempolicy.c:1289\n   kernel_mbind mm/mempolicy.c:1483 [inline]\n   __do_sys_mbind mm/mempolicy.c:1490 [inline]\n   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486\n   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486\n   do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  =====================================================\n  Kernel panic - not syncing: panic_on_kmsan set ...\n  CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G    B             5.15.0-rc2-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  Call Trace:\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106\n   dump_stack+0x25/0x28 lib/dump_stack.c:113\n   panic+0x44f/0xdeb kernel/panic.c:232\n   kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186\n   __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208\n   __mpol_equal+0x567/0x590 mm/mempolicy.c:2260\n   mpol_equal include/linux/mempolicy.h:105 [inline]\n   vma_merge+0x4a1/0x1e60 mm/mmap.c:1190\n   mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811\n   do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333\n   kernel_mbind mm/mempolicy.c:1483 [inline]\n   __do_sys_mbind mm/mempolicy.c:1490 [inline]\n   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486\n   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486\n   do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47462",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix NULL page->mapping dereference in page_is_secretmem()\n\nCheck for a NULL page->mapping before dereferencing the mapping in\npage_is_secretmem(), as the page's mapping can be nullified while gup()\nis running, e.g.  by reclaim or truncation.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000068\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G        W\n  RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0\n  Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be\n  RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046\n  RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900\n  ...\n  CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0\n  Call Trace:\n   get_user_pages_fast_only+0x13/0x20\n   hva_to_pfn+0xa9/0x3e0\n   try_async_pf+0xa1/0x270\n   direct_page_fault+0x113/0xad0\n   kvm_mmu_page_fault+0x69/0x680\n   vmx_handle_exit+0xe1/0x5d0\n   kvm_arch_vcpu_ioctl_run+0xd81/0x1c70\n   kvm_vcpu_ioctl+0x267/0x670\n   __x64_sys_ioctl+0x83/0xa0\n   do_syscall_64+0x56/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47463",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix possible null-pointer dereference in audit_filter_rules\n\nFix possible null-pointer dereference in audit_filter_rules.\n\naudit_filter_rules() error: we previously assumed 'ctx' could be null",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47464",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest()\n\nIn commit 10d91611f426 (\"powerpc/64s: Reimplement book3s idle code in\nC\") kvm_start_guest() became idle_kvm_start_guest(). The old code\nallocated a stack frame on the emergency stack, but didn't use the\nframe to store anything, and also didn't store anything in its caller's\nframe.\n\nidle_kvm_start_guest() on the other hand is written more like a normal C\nfunction, it creates a frame on entry, and also stores CR/LR into its\ncallers frame (per the ABI). The problem is that there is no caller\nframe on the emergency stack.\n\nThe emergency stack for a given CPU is allocated with:\n\n  paca_ptrs[i]->emergency_sp = alloc_stack(limit, i) + THREAD_SIZE;\n\nSo emergency_sp actually points to the first address above the emergency\nstack allocation for a given CPU, we must not store above it without\nfirst decrementing it to create a frame. This is different to the\nregular kernel stack, paca->kstack, which is initialised to point at an\ninitial frame that is ready to use.\n\nidle_kvm_start_guest() stores the backchain, CR and LR all of which\nwrite outside the allocation for the emergency stack. It then creates a\nstack frame and saves the non-volatile registers. Unfortunately the\nframe it creates is not large enough to fit the non-volatiles, and so\nthe saving of the non-volatile registers also writes outside the\nemergency stack allocation.\n\nThe end result is that we corrupt whatever is at 0-24 bytes, and 112-248\nbytes above the emergency stack allocation.\n\nIn practice this has gone unnoticed because the memory immediately above\nthe emergency stack happens to be used for other stack allocations,\neither another CPUs mc_emergency_sp or an IRQ stack. See the order of\ncalls to irqstack_early_init() and emergency_stack_init().\n\nThe low addresses of another stack are the top of that stack, and so are\nonly used if that stack is under extreme pressure, which essentially\nnever happens in practice - and if it did there's a high likelihood we'd\ncrash due to that stack overflowing.\n\nStill, we shouldn't be corrupting someone else's stack, and it is purely\nluck that we aren't corrupting something else.\n\nTo fix it we save CR/LR into the caller's frame using the existing r1 on\nentry, we then create a SWITCH_FRAME_SIZE frame (which has space for\npt_regs) on the emergency stack with the backchain pointing to the\nexisting stack, and then finally we switch to the new frame on the\nemergency stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47465",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slub: fix potential memoryleak in kmem_cache_open()\n\nIn error path, the random_seq of slub cache might be leaked.  Fix this\nby using __kmem_cache_release() to release all the relevant resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47466",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: fix reference count leak in kfree_at_end\n\nThe reference counting issue happens in the normal path of\nkfree_at_end(). When kunit_alloc_and_get_resource() is invoked, the\nfunction forgets to handle the returned resource object, whose refcount\nincreased inside, causing a refcount leak.\n\nFix this issue by calling kunit_alloc_resource() instead of\nkunit_alloc_and_get_resource().\n\nFixed the following when applying:\nShuah Khan <skhan@linuxfoundation.org>\n\nCHECK: Alignment should match open parenthesis\n+\tkunit_alloc_resource(test, NULL, kfree_res_free, GFP_KERNEL,\n \t\t\t\t     (void *)to_free);",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47467",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: Fix sleeping function called from invalid context\n\nThe driver can call card->isac.release() function from an atomic\ncontext.\n\nFix this by calling this function after releasing the lock.\n\nThe following log reveals it:\n\n[   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018\n[   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe\n[   44.169574 ] INFO: lockdep is turned off.\n[   44.169899 ] irq event stamp: 0\n[   44.170160 ] hardirqs last  enabled at (0): [<0000000000000000>] 0x0\n[   44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00\n[   44.171240 ] softirqs last  enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00\n[   44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[   44.172318 ] Preemption disabled at:\n[   44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet]\n[   44.174441 ] Call Trace:\n[   44.174630 ]  dump_stack_lvl+0xa8/0xd1\n[   44.174912 ]  dump_stack+0x15/0x17\n[   44.175166 ]  ___might_sleep+0x3a2/0x510\n[   44.175459 ]  ? nj_release+0x69/0x500 [netjet]\n[   44.175791 ]  __might_sleep+0x82/0xe0\n[   44.176063 ]  ? start_flush_work+0x20/0x7b0\n[   44.176375 ]  start_flush_work+0x33/0x7b0\n[   44.176672 ]  ? trace_irq_enable_rcuidle+0x85/0x170\n[   44.177034 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177372 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177711 ]  __flush_work+0x11a/0x1a0\n[   44.177991 ]  ? flush_work+0x20/0x20\n[   44.178257 ]  ? lock_release+0x13c/0x8f0\n[   44.178550 ]  ? __kasan_check_write+0x14/0x20\n[   44.178872 ]  ? do_raw_spin_lock+0x148/0x360\n[   44.179187 ]  ? read_lock_is_recursive+0x20/0x20\n[   44.179530 ]  ? __kasan_check_read+0x11/0x20\n[   44.179846 ]  ? do_raw_spin_unlock+0x55/0x900\n[   44.180168 ]  ? ____kasan_slab_free+0x116/0x140\n[   44.180505 ]  ? _raw_spin_unlock_irqrestore+0x41/0x60\n[   44.180878 ]  ? skb_queue_purge+0x1a3/0x1c0\n[   44.181189 ]  ? kfree+0x13e/0x290\n[   44.181438 ]  flush_work+0x17/0x20\n[   44.181695 ]  mISDN_freedchannel+0xe8/0x100\n[   44.182006 ]  isac_release+0x210/0x260 [mISDNipac]\n[   44.182366 ]  nj_release+0xf6/0x500 [netjet]\n[   44.182685 ]  nj_remove+0x48/0x70 [netjet]\n[   44.182989 ]  pci_device_remove+0xa9/0x250",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47468",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slub: fix potential use-after-free in slab_debugfs_fops\n\nWhen sysfs_slab_add failed, we shouldn't call debugfs_slab_add() for s\nbecause s will be freed soon.  And slab_debugfs_fops will use s later\nleading to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47470",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: mxsfb: Fix NULL pointer dereference crash on unload\n\nThe mxsfb->crtc.funcs may already be NULL when unloading the driver,\nin which case calling mxsfb_irq_disable() via drm_irq_uninstall() from\nmxsfb_unload() leads to NULL pointer dereference.\n\nSince all we care about is masking the IRQ and mxsfb->base is still\nvalid, just use that to clear and mask the IRQ.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47471",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()\n\nCommit 8c0eb596baa5 (\"[SCSI] qla2xxx: Fix a memory leak in an error path of\nqla2x00_process_els()\"), intended to change:\n\n        bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN\n\n\n        bsg_job->request->msgcode != FC_BSG_RPT_ELS\n\nbut changed it to:\n\n        bsg_job->request->msgcode == FC_BSG_RPT_ELS\n\ninstead.\n\nChange the == to a != to avoid leaking the fcport structure or freeing\nunallocated memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47473",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix bulk-buffer overflow\n\nThe driver is using endpoint-sized buffers but must not assume that the\ntx and rx buffers are of equal size or a malicious device could overflow\nthe slab-allocated receive buffer when doing bulk transfers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47474",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix transfer-buffer overflows\n\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\n\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\n\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\n\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47475",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: ni_usb6501: fix NULL-deref in command paths\n\nThe driver uses endpoint-sized USB transfer buffers but had no sanity\nchecks on the sizes. This can lead to zero-size-pointer dereferences or\noverflowed transfer buffers in ni6501_port_command() and\nni6501_counter_command() if a (malicious) device has smaller max-packet\nsizes than expected (or when doing descriptor fuzz testing).\n\nAdd the missing sanity checks to probe().",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47476",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: dt9812: fix DMA buffers on stack\n\nUSB transfer buffers are typically mapped for DMA and must not be\nallocated on the stack or transfers will fail.\n\nAllocate proper transfer buffers in the various command helpers and\nreturn an error on short transfers instead of acting on random stack\ndata.\n\nNote that this also fixes a stack info leak on systems where DMA is not\nused as 32 bytes are always sent to the device regardless of how short\nthe command is.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47477",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: Fix out of bound access for corrupted isofs image\n\nWhen isofs image is suitably corrupted isofs_read_inode() can read data\nbeyond the end of buffer. Sanity-check the directory entry length before\nusing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47478",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix use-after-free in rtl8712_dl_fw\n\nSyzbot reported use-after-free in rtl8712_dl_fw(). The problem was in\nrace condition between r871xu_dev_remove() ->ndo_open() callback.\n\nIt's easy to see from crash log, that driver accesses released firmware\nin ->ndo_open() callback. It may happen, since driver was releasing\nfirmware _before_ unregistering netdev. Fix it by moving\nunregister_netdev() before cleaning up resources.\n\nCall Trace:\n...\n rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]\n rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170\n rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]\n rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394\n netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380\n __dev_open+0x2bc/0x4d0 net/core/dev.c:1484\n\nFreed by task 1306:\n...\n release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053\n r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599\n usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47479",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Put LLD module refcnt after SCSI device is released\n\nSCSI host release is triggered when SCSI device is freed. We have to make\nsure that the low-level device driver module won't be unloaded before SCSI\nhost instance is released because shost->hostt is required in the release\nhandler.\n\nMake sure to put LLD module refcnt after SCSI device is released.\n\nFixes a kernel panic of 'BUG: unable to handle page fault for address'\nreported by Changhui and Yi.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47480",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Initialize the ODP xarray when creating an ODP MR\n\nNormally the zero fill would hide the missing initialization, but an\nerrant set to desc_size in reg_create() causes a crash:\n\n  BUG: unable to handle page fault for address: 0000000800000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP PTI\n  CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]\n  Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8\n  RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286\n  RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000\n  RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff\n  R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0\n  R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00\n  FS:  00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]\n   mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]\n   ib_dereg_mr_user+0x45/0xb0 [ib_core]\n   ? xas_load+0x8/0x80\n   destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]\n   uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]\n   uobj_destroy+0x3c/0x70 [ib_uverbs]\n   ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]\n   ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\n   ? ttwu_queue_wakelist+0xa9/0xe0\n   ? pty_write+0x85/0x90\n   ? file_tty_write.isra.33+0x214/0x330\n   ? process_echoes+0x60/0x60\n   ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]\n   __x64_sys_ioctl+0x10d/0x8e0\n   ? vfs_write+0x17f/0x260\n   do_syscall_64+0x3c/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nAdd the missing xarray initialization and remove the desc_size set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47481",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: batman-adv: fix error handling\n\nSyzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was\nin wrong error handling in batadv_mesh_init().\n\nBefore this patch batadv_mesh_init() was calling batadv_mesh_free() in case\nof any batadv_*_init() calls failure. This approach may work well, when\nthere is some kind of indicator, which can tell which parts of batadv are\ninitialized; but there isn't any.\n\nAll written above lead to cleaning up uninitialized fields. Even if we hide\nODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit\nGPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]\n\nTo fix these bugs we can unwind batadv_*_init() calls one by one.\nIt is good approach for 2 reasons: 1) It fixes bugs on error handling\npath 2) It improves the performance, since we won't call unneeded\nbatadv_*_free() functions.\n\nSo, this patch makes all batadv_*_init() clean up all allocated memory\nbefore returning with an error to no call correspoing batadv_*_free()\nand open-codes batadv_mesh_free() with proper order to avoid touching\nuninitialized fields.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47482",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: Fix possible double-free in regcache_rbtree_exit()\n\nIn regcache_rbtree_insert_to_block(), when 'present' realloc failed,\nthe 'blk' which is supposed to assign to 'rbnode->block' will be freed,\nso 'rbnode->block' points a freed memory, in the error handling path of\nregcache_rbtree_init(), 'rbnode->block' will be freed again in\nregcache_rbtree_exit(), KASAN will report double-free as follows:\n\nBUG: KASAN: double-free or invalid-free in kfree+0xce/0x390\nCall Trace:\n slab_free_freelist_hook+0x10d/0x240\n kfree+0xce/0x390\n regcache_rbtree_exit+0x15d/0x1a0\n regcache_rbtree_init+0x224/0x2c0\n regcache_init+0x88d/0x1310\n __regmap_init+0x3151/0x4a80\n __devm_regmap_init+0x7d/0x100\n madera_spi_probe+0x10f/0x333 [madera_spi]\n spi_probe+0x183/0x210\n really_probe+0x285/0xc30\n\nTo fix this, moving up the assignment of rbnode->block to immediately after\nthe reallocation has succeeded so that the data structure stays valid even\nif the second reallocation fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47483",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Fix possible null pointer dereference.\n\nThis patch fixes possible null pointer dereference in files\n\"rvu_debugfs.c\" and \"rvu_nix.c\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47484",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields\n\nOverflowing either addrlimit or bytes_togo can allow userspace to trigger\na buffer overflow of kernel memory. Check for overflows in all the places\ndoing math on user controlled buffers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47485",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Fix potential NULL dereference\n\nThe bpf_jit_binary_free() function requires a non-NULL argument. When\nthe RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps,\njit_data->header will be NULL, which triggers a NULL\ndereference. Avoid this by checking the argument, prior calling the\nfunction.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47486",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix even more out of bound writes from debugfs\n\nCVE-2021-42327 was fixed by:\n\ncommit f23750b5b3d98653b31d4469592935ef6364ad67\nAuthor: Thelford Williams <tdwilliamsiv@gmail.com>\nDate:   Wed Oct 13 16:04:13 2021 -0400\n\n    drm/amdgpu: fix out of bounds write\n\nbut amdgpu_dm_debugfs.c contains more of the same issue so fix the\nremaining ones.\n\nv2:\n\t* Add missing fix in dp_max_bpc_write (Harry Wentland)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47489",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix memleak in ttm_transfered_destroy\n\nWe need to cleanup the fences for ghost objects as well.\n\nBug: https://bugzilla.kernel.org/show_bug.cgi?id=214029\nBug: https://bugzilla.kernel.org/show_bug.cgi?id=214447",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47490",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: khugepaged: skip huge page collapse for special files\n\nThe read-only THP for filesystems will collapse THP for files opened\nreadonly and mapped with VM_EXEC.  The intended usecase is to avoid TLB\nmisses for large text segments.  But it doesn't restrict the file types\nso a THP could be collapsed for a non-regular file, for example, block\ndevice, if it is opened readonly and mapped with EXEC permission.  This\nmay cause bugs, like [1] and [2].\n\nThis is definitely not the intended usecase, so just collapse THP for\nregular files in order to close the attack surface.\n\n[shy828301@gmail.com: fix vm_file check [3]]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47491",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, thp: bail out early in collapse_file for writeback page\n\nCurrently collapse_file does not explicitly check PG_writeback, instead,\npage_has_private and try_to_release_page are used to filter writeback\npages.  This does not work for xfs with blocksize equal to or larger\nthan pagesize, because in such case xfs has no page->private.\n\nThis makes collapse_file bail out early for writeback page.  Otherwise,\nxfs end_page_writeback will panic as follows.\n\n  page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32\n  aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:\"libtest.so\"\n  flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)\n  raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8\n  raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000\n  page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))\n  page->mem_cgroup:ffff0000c3e9a000\n  ------------[ cut here ]------------\n  kernel BUG at include/linux/mm.h:1212!\n  Internal error: Oops - BUG: 0 [#1] SMP\n  Modules linked in:\n  BUG: Bad page state in process khugepaged  pfn:84ef32\n   xfs(E)\n  page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32\n   libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n  Call trace:\n    end_page_writeback+0x1c0/0x214\n    iomap_finish_page_writeback+0x13c/0x204\n    iomap_finish_ioend+0xe8/0x19c\n    iomap_writepage_end_bio+0x38/0x50\n    bio_endio+0x168/0x1ec\n    blk_update_request+0x278/0x3f0\n    blk_mq_end_request+0x34/0x15c\n    virtblk_request_done+0x38/0x74 [virtio_blk]\n    blk_done_softirq+0xc4/0x110\n    __do_softirq+0x128/0x38c\n    __irq_exit_rcu+0x118/0x150\n    irq_exit+0x1c/0x30\n    __handle_domain_irq+0x8c/0xf0\n    gic_handle_irq+0x84/0x108\n    el1_irq+0xcc/0x180\n    arch_cpu_idle+0x18/0x40\n    default_idle_call+0x4c/0x1a0\n    cpuidle_idle_call+0x168/0x1e0\n    do_idle+0xb4/0x104\n    cpu_startup_entry+0x30/0x9c\n    secondary_start_kernel+0x104/0x180\n  Code: d4210000 b0006161 910c8021 94013f4d (d4210000)\n  ---[ end trace 4a88c6a074082f8c ]---\n  Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47492",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix race between searching chunks and release journal_head from buffer_head\n\nEncountered a race between ocfs2_test_bg_bit_allocatable() and\njbd2_journal_put_journal_head() resulting in the below vmcore.\n\n  PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: \"loop3\"\n  Call trace:\n    panic\n    oops_end\n    no_context\n    __bad_area_nosemaphore\n    bad_area_nosemaphore\n    __do_page_fault\n    do_page_fault\n    page_fault\n      [exception RIP: ocfs2_block_group_find_clear_bits+316]\n    ocfs2_block_group_find_clear_bits [ocfs2]\n    ocfs2_cluster_group_search [ocfs2]\n    ocfs2_search_chain [ocfs2]\n    ocfs2_claim_suballoc_bits [ocfs2]\n    __ocfs2_claim_clusters [ocfs2]\n    ocfs2_claim_clusters [ocfs2]\n    ocfs2_local_alloc_slide_window [ocfs2]\n    ocfs2_reserve_local_alloc_bits [ocfs2]\n    ocfs2_reserve_clusters_with_limit [ocfs2]\n    ocfs2_reserve_clusters [ocfs2]\n    ocfs2_lock_refcount_allocators [ocfs2]\n    ocfs2_make_clusters_writable [ocfs2]\n    ocfs2_replace_cow [ocfs2]\n    ocfs2_refcount_cow [ocfs2]\n    ocfs2_file_write_iter [ocfs2]\n    lo_rw_aio\n    loop_queue_work\n    kthread_worker_fn\n    kthread\n    ret_from_fork\n\nWhen ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the\nbg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and\nreleased the jounal head from the buffer head.  Needed to take bit lock\nfor the bit 'BH_JournalHead' to fix this race.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47493",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: fix management registrations locking\n\nThe management registrations locking was broken, the list was\nlocked for each wdev, but cfg80211_mgmt_registrations_update()\niterated it without holding all the correct spinlocks, causing\nlist corruption.\n\nRather than trying to fix it with fine-grained locking, just\nmove the lock to the wiphy/rdev (still need the list on each\nwdev), we already need to hold the wdev lock to change it, so\nthere's no contention on the lock in any case. This trivially\nfixes the bug since we hold one wdev's lock already, and now\nwill hold the lock that protects all lists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47494",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: sanity check for maxpacket\n\nmaxpacket of 0 makes no sense and oopses as we need to divide\nby it. Give up.\n\nV2: fixed typo in log and stylistic issues",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47495",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix flipped sign in tls_err_abort() calls\n\nsk->sk_err appears to expect a positive value, a convention that ktls\ndoesn't always follow and that leads to memory corruption in other code.\nFor instance,\n\n    [kworker]\n    tls_encrypt_done(..., err=<negative error from crypto request>)\n      tls_err_abort(.., err)\n        sk->sk_err = err;\n\n    [task]\n    splice_from_pipe_feed\n      ...\n        tls_sw_do_sendpage\n          if (sk->sk_err) {\n            ret = -sk->sk_err;  // ret is positive\n\n    splice_from_pipe_feed (continued)\n      ret = actor(...)  // ret is still positive and interpreted as bytes\n                        // written, resulting in underflow of buf->len and\n                        // sd->len, leading to huge buf->offset and bogus\n                        // addresses computed in later calls to actor()\n\nFix all tls_err_abort() callers to pass a negative error code\nconsistently and centralize the error-prone sign flip there, throwing in\na warning to catch future misuse and uninlining the function so it\nreally does only warn once.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47496",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: Fix shift-out-of-bound (UBSAN) with byte size cells\n\nIf a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic\n\n *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);\n\nwill become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we\nsubtract one from that making a large number that is then shifted more than the\nnumber of bits that fit into an unsigned long.\n\nUBSAN reports this problem:\n\n UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8\n shift exponent 64 is too large for 64-bit type 'unsigned long'\n CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9\n Hardware name: Google Lazor (rev3+) with KB Backlight (DT)\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n  dump_backtrace+0x0/0x170\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x64/0x7c\n  dump_stack+0x18/0x38\n  ubsan_epilogue+0x10/0x54\n  __ubsan_handle_shift_out_of_bounds+0x180/0x194\n  __nvmem_cell_read+0x1ec/0x21c\n  nvmem_cell_read+0x58/0x94\n  nvmem_cell_read_variable_common+0x4c/0xb0\n  nvmem_cell_read_variable_le_u32+0x40/0x100\n  a6xx_gpu_init+0x170/0x2f4\n  adreno_bind+0x174/0x284\n  component_bind_all+0xf0/0x264\n  msm_drm_bind+0x1d8/0x7a0\n  try_to_bring_up_master+0x164/0x1ac\n  __component_add+0xbc/0x13c\n  component_add+0x20/0x2c\n  dp_display_probe+0x340/0x384\n  platform_probe+0xc0/0x100\n  really_probe+0x110/0x304\n  __driver_probe_device+0xb8/0x120\n  driver_probe_device+0x4c/0xfc\n  __device_attach_driver+0xb0/0x128\n  bus_for_each_drv+0x90/0xdc\n  __device_attach+0xc8/0x174\n  device_initial_probe+0x20/0x2c\n  bus_probe_device+0x40/0xa4\n  deferred_probe_work_func+0x7c/0xb8\n  process_one_work+0x128/0x21c\n  process_scheduled_works+0x40/0x54\n  worker_thread+0x1ec/0x2a8\n  kthread+0x138/0x158\n  ret_from_fork+0x10/0x20\n\nFix it by making sure there are any bits to mask out.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47497",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm rq: don't queue request to blk-mq during DM suspend\n\nDM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue.\n\nBut blk-mq's unquiesce may come from outside events, such as elevator\nswitch, updating nr_requests or others, and request may come during\nsuspend, so simply ask for blk-mq to requeue it.\n\nFixes one kernel panic issue when running updating nr_requests and\ndm-mpath suspend/resume stress test.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47498",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15"
        },
        {
          "id": "CVE-2021-47499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: kxcjk-1013: Fix possible memory leak in probe and remove\n\nWhen ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the\nmemory allocated by iio_triggered_buffer_setup() will not be freed, and cause\nmemory leak as follows:\n\nunreferenced object 0xffff888009551400 (size 512):\n  comm \"i2c-SMO8500-125\", pid 911, jiffies 4294911787 (age 83.852s)\n  hex dump (first 32 bytes):\n    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff  ........ .......\n  backtrace:\n    [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360\n    [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]\n    [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]\n    [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]\n\nFix it by remove data->dready_trig condition in probe and remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47499",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: mma8452: Fix trigger reference counting\n\nThe mma8452 driver directly assigns a trigger to the struct iio_dev. The\nIIO core when done using this trigger will call `iio_trigger_put()` to drop\nthe reference count by 1.\n\nWithout the matching `iio_trigger_get()` in the driver the reference count\ncan reach 0 too early, the trigger gets freed while still in use and a\nuse-after-free occurs.\n\nFix this by getting a reference to the trigger before assigning it to the\nIIO device.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47500",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix NULL pointer dereference in i40e_dbg_dump_desc\n\nWhen trying to dump VFs VSI RX/TX descriptors\nusing debugfs there was a crash\ndue to NULL pointer dereference in i40e_dbg_dump_desc.\nAdded a check to i40e_dbg_dump_desc that checks if\nVSI type is correct for dumping RX/TX descriptors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47501",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd934x: handle channel mapping list correctly\n\nCurrently each channel is added as list to dai channel list, however\nthere is danger of adding the same channel to multiple dai channel list\nwhich ends up corrupting the other list where its already added.\n\nThis patch ensures that the channel is actually free before adding to\nthe dai channel list and also ensures that the channel is on the list\nbefore deleting it.\n\nThis check was missing previously, and we did not hit this issue as\nwe were testing very simple usecases with sequence of amixer commands.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47502",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()\n\nCalling scsi_remove_host() before scsi_add_host() results in a crash:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000108\n RIP: 0010:device_del+0x63/0x440\n Call Trace:\n  device_unregister+0x17/0x60\n  scsi_remove_host+0xee/0x2a0\n  pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]\n  local_pci_probe+0x3f/0x90\n\nWe cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host()\nhas not been called yet at that point in time.\n\nFunction call tree:\n\n  pm8001_pci_probe()\n  |\n  `- pm8001_pci_alloc()\n  |  |\n  |  `- pm8001_alloc()\n  |     |\n  |     `- scsi_remove_host()\n  |\n  `- scsi_add_host()",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47503",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure task_work gets run as part of cancelations\n\nIf we successfully cancel a work item but that work item needs to be\nprocessed through task_work, then we can be sleeping uninterruptibly\nin io_uring_cancel_generic() and never process it. Hence we don't\nmake forward progress and we end up with an uninterruptible sleep\nwarning.\n\nWhile in there, correct a comment that should be IFF, not IIF.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47504",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix use-after-free due to missing POLLFREE handling\n\nsignalfd_poll() and binder_poll() are special in that they use a\nwaitqueue whose lifetime is the current task, rather than the struct\nfile as is normally the case.  This is okay for blocking polls, since a\nblocking poll occurs within one task; however, non-blocking polls\nrequire another solution.  This solution is for the queue to be cleared\nbefore it is freed, by sending a POLLFREE notification to all waiters.\n\nUnfortunately, only eventpoll handles POLLFREE.  A second type of\nnon-blocking poll, aio poll, was added in kernel v4.18, and it doesn't\nhandle POLLFREE.  This allows a use-after-free to occur if a signalfd or\nbinder fd is polled with aio poll, and the waitqueue gets freed.\n\nFix this by making aio poll handle POLLFREE.\n\nA patch by Ramji Jiyani <ramjiyani@google.com>\n(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)\ntried to do this by making aio_poll_wake() always complete the request\ninline if POLLFREE is seen.  However, that solution had two bugs.\nFirst, it introduced a deadlock, as it unconditionally locked the aio\ncontext while holding the waitqueue lock, which inverts the normal\nlocking order.  Second, it didn't consider that POLLFREE notifications\nare missed while the request has been temporarily de-queued.\n\nThe second problem was solved by my previous patch.  This patch then\nproperly fixes the use-after-free by handling POLLFREE in a\ndeadlock-free way.  It does this by taking advantage of the fact that\nfreeing of the waitqueue is RCU-delayed, similar to what eventpoll does.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47505",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix use-after-free due to delegation race\n\nA delegation break could arrive as soon as we've called vfs_setlease.  A\ndelegation break runs a callback which immediately (in\nnfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we\nthen exit nfs4_set_delegation without hashing the delegation, it will be\nfreed as soon as the callback is done with it, without ever being\nremoved from del_recall_lru.\n\nSymptoms show up later as use-after-free or list corruption warnings,\nusually in the laundromat thread.\n\nI suspect aba2072f4523 \"nfsd: grant read delegations to clients holding\nwrites\" made this bug easier to hit, but I looked as far back as v3.0\nand it looks to me it already had the same problem.  So I'm not sure\nwhere the bug was introduced; it may have been there from the beginning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47506",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix nsfd startup race (again)\n\nCommit bd5ae9288d64 (\"nfsd: register pernet ops last, unregister first\")\nhas re-opened rpc_pipefs_event() race against nfsd_net_id registration\n(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76\n(\"nfsd: fix nsfd startup race triggering BUG_ON\").\n\nRestore the order of register_pernet_subsys() vs register_cld_notifier().\nAdd WARN_ON() to prevent a future regression.\n\nCrash info:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000012\nCPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1\npc : rpc_pipefs_event+0x54/0x120 [nfsd]\nlr : rpc_pipefs_event+0x48/0x120 [nfsd]\nCall trace:\n rpc_pipefs_event+0x54/0x120 [nfsd]\n blocking_notifier_call_chain\n rpc_fill_super\n get_tree_keyed\n rpc_fs_get_tree\n vfs_get_tree\n do_mount\n ksys_mount\n __arm64_sys_mount\n el0_svc_handler\n el0_svc",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47507",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: free exchange changeset on failures\n\nFstests runs on my VMs have shown several kmemleak reports like the following.\n\n  unreferenced object 0xffff88811ae59080 (size 64):\n    comm \"xfs_io\", pid 12124, jiffies 4294987392 (age 6.368s)\n    hex dump (first 32 bytes):\n      00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00  ................\n      90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff  ................\n    backtrace:\n      [<00000000ac0176d2>] ulist_add_merge+0x60/0x150 [btrfs]\n      [<0000000076e9f312>] set_state_bits+0x86/0xc0 [btrfs]\n      [<0000000014fe73d6>] set_extent_bit+0x270/0x690 [btrfs]\n      [<000000004f675208>] set_record_extent_bits+0x19/0x20 [btrfs]\n      [<00000000b96137b1>] qgroup_reserve_data+0x274/0x310 [btrfs]\n      [<0000000057e9dcbb>] btrfs_check_data_free_space+0x5c/0xa0 [btrfs]\n      [<0000000019c4511d>] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs]\n      [<000000006d37e007>] btrfs_dio_iomap_begin+0x415/0x970 [btrfs]\n      [<00000000fb8a74b8>] iomap_iter+0x161/0x1e0\n      [<0000000071dff6ff>] __iomap_dio_rw+0x1df/0x700\n      [<000000002567ba53>] iomap_dio_rw+0x5/0x20\n      [<0000000072e555f8>] btrfs_file_write_iter+0x290/0x530 [btrfs]\n      [<000000005eb3d845>] new_sync_write+0x106/0x180\n      [<000000003fb505bf>] vfs_write+0x24d/0x2f0\n      [<000000009bb57d37>] __x64_sys_pwrite64+0x69/0xa0\n      [<000000003eba3fdf>] do_syscall_64+0x43/0x90\n\nIn case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata()\nfail the allocated extent_changeset will not be freed.\n\nSo in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space()\nfree the allocated extent_changeset to get rid of the allocated memory.\n\nThe issue currently only happens in the direct IO write path, but only\nafter 65b3c08606e5 (\"btrfs: fix ENOSPC failure when attempting direct IO\nwrite into NOCOW range\"), and also at defrag_one_locked_target(). Every\nother place is always calling extent_changeset_free() even if its call\nto btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has\nfailed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47508",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Limit the period size to 16MB\n\nSet the practical limit to the period size (the fragment shift in OSS)\ninstead of a full 31bit; a too large value could lead to the exhaustion\nof memory as we allocate temporary buffers of the period size, too.\n\nAs of this patch, we set to 16MB limit, which should cover all use\ncases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47509",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix re-dirty process of tree-log nodes\n\nThere is a report of a transaction abort of -EAGAIN with the following\nscript.\n\n  #!/bin/sh\n\n  for d in sda sdb; do\n          mkfs.btrfs -d single -m single -f /dev/\\${d}\n  done\n\n  mount /dev/sda /mnt/test\n  mount /dev/sdb /mnt/scratch\n\n  for dir in test scratch; do\n          echo 3 >/proc/sys/vm/drop_caches\n          fio --directory=/mnt/\\${dir} --name=fio.\\${dir} --rw=read --size=50G --bs=64m \\\n                  --numjobs=$(nproc) --time_based --ramp_time=5 --runtime=480 \\\n                  --group_reporting |& tee /dev/shm/fio.\\${dir}\n          echo 3 >/proc/sys/vm/drop_caches\n  done\n\n  for d in sda sdb; do\n          umount /dev/\\${d}\n  done\n\nThe stack trace is shown in below.\n\n  [3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction)\n  [3310.968060] BTRFS info (device sda): forced readonly\n  [3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction.\n  [3310.968065] ------------[ cut here ]------------\n  [3310.968066] BTRFS: Transaction aborted (error -11)\n  [3310.968074] WARNING: CPU: 14 PID: 1684 at fs/btrfs/transaction.c:1946 btrfs_commit_transaction.cold+0x209/0x2c8\n  [3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1\n  [3310.968135] Hardware name: DIAWAY Tartu/Tartu, BIOS V2.01.B10 04/08/2021\n  [3310.968137] RIP: 0010:btrfs_commit_transaction.cold+0x209/0x2c8\n  [3310.968144] RSP: 0018:ffffb284ce393e10 EFLAGS: 00010282\n  [3310.968147] RAX: 0000000000000026 RBX: ffff973f147b0f60 RCX: 0000000000000027\n  [3310.968149] RDX: ffff974ecf098a08 RSI: 0000000000000001 RDI: ffff974ecf098a00\n  [3310.968150] RBP: ffff973f147b0f08 R08: 0000000000000000 R09: ffffb284ce393c48\n  [3310.968151] R10: ffffb284ce393c40 R11: ffffffff84f47468 R12: ffff973f101bfc00\n  [3310.968153] R13: ffff971f20cf2000 R14: 00000000fffffff5 R15: ffff973f147b0e58\n  [3310.968154] FS:  00007efe65468740(0000) GS:ffff974ecf080000(0000) knlGS:0000000000000000\n  [3310.968157] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [3310.968158] CR2: 000055691bcbe260 CR3: 000000105cfa4001 CR4: 0000000000770ee0\n  [3310.968160] PKRU: 55555554\n  [3310.968161] Call Trace:\n  [3310.968167]  ? dput+0xd4/0x300\n  [3310.968174]  btrfs_sync_file+0x3f1/0x490\n  [3310.968180]  __x64_sys_fsync+0x33/0x60\n  [3310.968185]  do_syscall_64+0x3b/0x90\n  [3310.968190]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [3310.968194] RIP: 0033:0x7efe6557329b\n  [3310.968200] RSP: 002b:00007ffe0236ebc0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a\n  [3310.968203] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe6557329b\n  [3310.968204] RDX: 0000000000000000 RSI: 00007efe58d77010 RDI: 0000000000000006\n  [3310.968205] RBP: 0000000004000000 R08: 0000000000000000 R09: 00007efe58d77010\n  [3310.968207] R10: 0000000016cacc0c R11: 0000000000000293 R12: 00007efe5ce95980\n  [3310.968208] R13: 0000000000000000 R14: 00007efe6447c790 R15: 0000000c80000000\n  [3310.968212] ---[ end trace 1a346f4d3c0d96ba ]---\n  [3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown\n\nThe abort occurs because of a write hole while writing out freeing tree\nnodes of a tree-log tree. For zoned btrfs, we re-dirty a freed tree\nnode to ensure btrfs can write the region and does not leave a hole on\nwrite on a zoned device. The current code fails to re-dirty a node\nwhen the tree-log tree's depth is greater or equal to 2. That leads to\na transaction abort with -EAGAIN.\n\nFix the issue by properly re-dirtying a node on walking up the tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47510",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Fix negative period/buffer sizes\n\nThe period size calculation in OSS layer may receive a negative value\nas an error, but the code there assumes only the positive values and\nhandle them with size_t.  Due to that, a too big value may be passed\nto the lower layers.\n\nThis patch changes the code to handle with ssize_t and adds the proper\nerror checks appropriately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47511",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: prevent dismantle issue\n\nFor some reason, fq_pie_destroy() did not copy\nworking code from pie_destroy() and other qdiscs,\nthus causing an elusive bug.\n\nBefore calling del_timer_sync(&q->adapt_timer),\nwe need to ensure timer will not rearm itself.\n\nrcu: INFO: rcu_preempt self-detected stall on CPU\nrcu:    0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579\n        (t=10501 jiffies g=13085 q=3989)\nNMI backtrace for cpu 0\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111\n nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62\n trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]\n rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343\n print_cpu_stall kernel/rcu/tree_stall.h:627 [inline]\n check_cpu_stall kernel/rcu/tree_stall.h:711 [inline]\n rcu_pending kernel/rcu/tree.c:3878 [inline]\n rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597\n update_process_times+0x16d/0x200 kernel/time/timer.c:1785\n tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226\n tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428\n __run_hrtimer kernel/time/hrtimer.c:1685 [inline]\n __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749\n hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811\n local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]\n __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103\n sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638\nRIP: 0010:write_comp_data kernel/kcov.c:221 [inline]\nRIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273\nCode: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00\nRSP: 0018:ffffc90000d27b28 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000\nRDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003\nRBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000\n pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418\n fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383\n call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421\n expire_timers kernel/time/timer.c:1466 [inline]\n __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734\n __run_timers kernel/time/timer.c:1715 [inline]\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747\n __do_softirq+0x29b/0x9c2 kernel/softirq.c:558\n run_ksoftirqd kernel/softirq.c:921 [inline]\n run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913\n smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164\n kthread+0x405/0x4f0 kernel/kthread.c:327\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47512",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: Fix memory leak in felix_setup_mmio_filtering\n\nAvoid a memory leak if there is not a CPU port defined.\n\nAddresses-Coverity-ID: 1492897 (\"Resource leak\")\nAddresses-Coverity-ID: 1492899 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47513",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix netns refcount leak in devlink_nl_cmd_reload()\n\nWhile preparing my patch series adding netns refcount tracking,\nI spotted bugs in devlink_nl_cmd_reload()\n\nSome error paths forgot to release a refcount on a netns.\n\nTo fix this, we can reduce the scope of get_net()/put_net()\nsection around the call to devlink_reload().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47514",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n    IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47515",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: Fix memory leak in nfp_cpp_area_cache_add()\n\nIn line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a\nCPP area structure. But in line 807 (#2), when the cache allocation\nfails, this CPP area structure is not freed, which will result in a\nmemory leak.\n\nWe can fix it by freeing the CPP area when the cache allocation\nfails (#2).\n\n792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)\n793 {\n794 \tstruct nfp_cpp_area_cache *cache;\n795 \tstruct nfp_cpp_area *area;\n\n800\tarea = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),\n801 \t\t\t\t  0, size);\n\t// #1: allocates and initializes\n\n802 \tif (!area)\n803 \t\treturn -ENOMEM;\n\n805 \tcache = kzalloc(sizeof(*cache), GFP_KERNEL);\n806 \tif (!cache)\n807 \t\treturn -ENOMEM; // #2: missing free\n\n817\treturn 0;\n818 }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47516",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: do not perform operations on net devices being unregistered\n\nThere is a short period between a net device starts to be unregistered\nand when it is actually gone. In that time frame ethtool operations\ncould still be performed, which might end up in unwanted or undefined\nbehaviours[1].\n\nDo not allow ethtool operations after a net device starts its\nunregistration. This patch targets the netlink part as the ioctl one\nisn't affected: the reference to the net device is taken and the\noperation is executed within an rtnl lock section and the net device\nwon't be found after unregister.\n\n[1] For example adding Tx queues after unregister ends up in NULL\n    pointer exceptions and UaFs, such as:\n\n      BUG: KASAN: use-after-free in kobject_get+0x14/0x90\n      Read of size 1 at addr ffff88801961248c by task ethtool/755\n\n      CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778\n      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014\n      Call Trace:\n       dump_stack_lvl+0x57/0x72\n       print_address_description.constprop.0+0x1f/0x140\n       kasan_report.cold+0x7f/0x11b\n       kobject_get+0x14/0x90\n       kobject_add_internal+0x3d1/0x450\n       kobject_init_and_add+0xba/0xf0\n       netdev_queue_update_kobjects+0xcf/0x200\n       netif_set_real_num_tx_queues+0xb4/0x310\n       veth_set_channels+0x1c3/0x550\n       ethnl_set_channels+0x524/0x610",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47517",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done\n\nThe done() netlink callback nfc_genl_dump_ses_done() should check if\nreceived argument is non-NULL, because its allocation could fail earlier\nin dumpit() (nfc_genl_dump_ses()).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47518",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_read_fifo: fix memory leak in error branch\n\nIn m_can_read_fifo(), if the second call to m_can_fifo_read() fails,\nthe function jumps to the out_fail label and returns without calling\nm_can_receive_skb(). This means that the skb previously allocated by\nalloc_can_skb() is not freed. In other terms, this is a memory leak.\n\nThis patch adds a goto label to destroy the skb if an error occurs.\n\nIssue was found with GCC -fanalyzer, please follow the link below for\ndetails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47519",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: pch_can: pch_can_rx_normal: fix use after free\n\nAfter calling netif_receive_skb(skb), dereferencing skb is unsafe.\nEspecially, the can_frame cf which aliases skb memory is dereferenced\njust after the call netif_receive_skb(skb).\n\nReordering the lines solves the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47520",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sja1000: fix use after free in ems_pcmcia_add_card()\n\nIf the last channel is not available then \"dev\" is freed.  Fortunately,\nwe can just use \"pdev->irq\" instead.\n\nAlso we should check if at least one channel was set up.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47521",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bigbenff: prevent null pointer dereference\n\nWhen emulating the device through uhid, there is a chance we don't have\noutput reports and so report_field is null.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47522",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr\n\nThis buffer is currently allocated in hfi1_init():\n\n\tif (reinit)\n\t\tret = init_after_reset(dd);\n\telse\n\t\tret = loadtime_init(dd);\n\tif (ret)\n\t\tgoto done;\n\n\t/* allocate dummy tail memory for all receive contexts */\n\tdd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev,\n\t\t\t\t\t\t\t sizeof(u64),\n\t\t\t\t\t\t\t &dd->rcvhdrtail_dummy_dma,\n\t\t\t\t\t\t\t GFP_KERNEL);\n\n\tif (!dd->rcvhdrtail_dummy_kvaddr) {\n\t\tdd_dev_err(dd, \"cannot allocate dummy tail memory\\n\");\n\t\tret = -ENOMEM;\n\t\tgoto done;\n\t}\n\nThe reinit triggered path will overwrite the old allocation and leak it.\n\nFix by moving the allocation to hfi1_alloc_devdata() and the deallocation\nto hfi1_free_devdata().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47523",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: liteuart: fix minor-number leak on probe errors\n\nMake sure to release the allocated minor number before returning on\nprobe errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47524",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: liteuart: fix use-after-free and memleak on unbind\n\nDeregister the port when unbinding the driver to prevent it from being\nused after releasing the driver data and leaking memory allocated by\nserial core.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47525",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: liteuart: Fix NULL pointer dereference in ->remove()\n\ndrvdata has to be set in _probe() - otherwise platform_get_drvdata()\ncauses null pointer dereference BUG in _remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47526",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix transmit-buffer reset and memleak\n\nCommit 761ed4a94582 (\"tty: serial_core: convert uart_close to use\ntty_port_close\") converted serial core to use tty_port_close() but\nfailed to notice that the transmit buffer still needs to be freed on\nfinal close.\n\nNot freeing the transmit buffer means that the buffer is no longer\ncleared on next open so that any ioctl() waiting for the buffer to drain\nmight wait indefinitely (e.g. on termios changes) or that stale data can\nend up being transmitted in case tx is restarted.\n\nFurthermore, the buffer of any port that has been opened would leak on\ndriver unbind.\n\nNote that the port lock is held when clearing the buffer pointer due to\nthe ldisc race worked around by commit a5ba1d95e46e (\"uart: fix race\nbetween uart_put_char() and uart_shutdown()\").\n\nAlso note that the tty-port shutdown() callback is not called for\nconsole ports so it is not strictly necessary to free the buffer page\nafter releasing the lock (cf. d72402145ace (\"tty/serial: do not free\ntrasnmit buffer page under port lock\")).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47527",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()\n\nIn cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring\nand there is a dereference of it in cdnsp_endpoint_init(), which could\nlead to a NULL pointer dereference on failure of cdnsp_ring_alloc().\n\nFix this bug by adding a check of pep->ring.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,\nand our static analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47528",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Fix memory leaks in error handling path\n\nShould an error occur (invalid TLV len or memory allocation failure), the\nmemory already allocated in 'reduce_power_data' should be freed before\nreturning, otherwise it is leaking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47529",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix wait_fence submitqueue leak\n\nWe weren't dropping the submitqueue reference in all paths.  In\nparticular, when the fence has already been signalled. Split out\na helper to simplify handling this in the various different return\npaths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47530",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix mmap to include VM_IO and VM_DONTDUMP\n\nIn commit 510410bfc034 (\"drm/msm: Implement mmap as GEM object\nfunction\") we switched to a new/cleaner method of doing things. That's\ngood, but we missed a little bit.\n\nBefore that commit, we used to _first_ run through the\ndrm_gem_mmap_obj() case where `obj->funcs->mmap()` was NULL. That meant\nthat we ran:\n\n  vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;\n  vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags));\n  vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);\n\n...and _then_ we modified those mappings with our own. Now that\n`obj->funcs->mmap()` is no longer NULL we don't run the default\ncode. It looks like the fact that the vm_flags got VM_IO / VM_DONTDUMP\nwas important because we're now getting crashes on Chromebooks that\nuse ARC++ while logging out. Specifically a crash that looks like this\n(this is on a 5.10 kernel w/ relevant backports but also seen on a\n5.15 kernel):\n\n  Unable to handle kernel paging request at virtual address ffffffc008000000\n  Mem abort info:\n    ESR = 0x96000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n  Data abort info:\n    ISV = 0, ISS = 0x00000006\n    CM = 0, WnR = 0\n  swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000008293d000\n  [ffffffc008000000] pgd=00000001002b3003, p4d=00000001002b3003,\n                     pud=00000001002b3003, pmd=0000000000000000\n  Internal error: Oops: 96000006 [#1] PREEMPT SMP\n  [...]\n  CPU: 7 PID: 15734 Comm: crash_dump64 Tainted: G W 5.10.67 #1 [...]\n  Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT)\n  pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n  pc : __arch_copy_to_user+0xc0/0x30c\n  lr : copyout+0xac/0x14c\n  [...]\n  Call trace:\n   __arch_copy_to_user+0xc0/0x30c\n   copy_page_to_iter+0x1a0/0x294\n   process_vm_rw_core+0x240/0x408\n   process_vm_rw+0x110/0x16c\n   __arm64_sys_process_vm_readv+0x30/0x3c\n   el0_svc_common+0xf8/0x250\n   do_el0_svc+0x30/0x80\n   el0_svc+0x10/0x1c\n   el0_sync_handler+0x78/0x108\n   el0_sync+0x184/0x1c0\n  Code: f8408423 f80008c3 910020c6 36100082 (b8404423)\n\nLet's add the two flags back in.\n\nWhile we're at it, the fact that we aren't running the default means\nthat we _don't_ need to clear out VM_PFNMAP, so remove that and save\nan instruction.\n\nNOTE: it was confirmed that VM_IO was the important flag to fix the\nproblem I was seeing, but adding back VM_DONTDUMP seems like a sane\nthing to do so I'm doing that too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47531",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/devfreq: Fix OPP refcnt leak",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47532",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: kms: Clear the HVS FIFO commit pointer once done\n\nCommit 9ec03d7f1ed3 (\"drm/vc4: kms: Wait on previous FIFO users before a\ncommit\") introduced a wait on the previous commit done on a given HVS\nFIFO.\n\nHowever, we never cleared that pointer once done. Since\ndrm_crtc_commit_put can free the drm_crtc_commit structure directly if\nwe were the last user, this means that it can lead to a use-after free\nif we were to duplicate the state, and that stale pointer would even be\ncopied to the new state.\n\nSet the pointer to NULL once we're done with the wait so that we don't\ncarry over a pointer to a free'd structure.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47533",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: kms: Add missing drm_crtc_commit_put\n\nCommit 9ec03d7f1ed3 (\"drm/vc4: kms: Wait on previous FIFO users before a\ncommit\") introduced a global state for the HVS, with each FIFO storing\nthe current CRTC commit so that we can properly synchronize commits.\n\nHowever, the refcounting was off and we thus ended up leaking the\ndrm_crtc_commit structure every commit. Add a drm_crtc_commit_put to\nprevent the leakage.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47534",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Allocate enough space for GMU registers\n\nIn commit 142639a52a01 (\"drm/msm/a6xx: fix crashstate capture for\nA650\") we changed a6xx_get_gmu_registers() to read 3 sets of\nregisters. Unfortunately, we didn't change the memory allocation for\nthe array. That leads to a KASAN warning (this was on the chromeos-5.4\nkernel, which has the problematic commit backported to it):\n\n  BUG: KASAN: slab-out-of-bounds in _a6xx_get_gmu_registers+0x144/0x430\n  Write of size 8 at addr ffffff80c89432b0 by task A618-worker/209\n  CPU: 5 PID: 209 Comm: A618-worker Tainted: G        W         5.4.156-lockdep #22\n  Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT)\n  Call trace:\n   dump_backtrace+0x0/0x248\n   show_stack+0x20/0x2c\n   dump_stack+0x128/0x1ec\n   print_address_description+0x88/0x4a0\n   __kasan_report+0xfc/0x120\n   kasan_report+0x10/0x18\n   __asan_report_store8_noabort+0x1c/0x24\n   _a6xx_get_gmu_registers+0x144/0x430\n   a6xx_gpu_state_get+0x330/0x25d4\n   msm_gpu_crashstate_capture+0xa0/0x84c\n   recover_worker+0x328/0x838\n   kthread_worker_fn+0x32c/0x574\n   kthread+0x2dc/0x39c\n   ret_from_fork+0x10/0x18\n\n  Allocated by task 209:\n   __kasan_kmalloc+0xfc/0x1c4\n   kasan_kmalloc+0xc/0x14\n   kmem_cache_alloc_trace+0x1f0/0x2a0\n   a6xx_gpu_state_get+0x164/0x25d4\n   msm_gpu_crashstate_capture+0xa0/0x84c\n   recover_worker+0x328/0x838\n   kthread_worker_fn+0x32c/0x574\n   kthread+0x2dc/0x39c\n   ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47535",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix wrong list_del in smc_lgr_cleanup_early\n\nsmc_lgr_cleanup_early() meant to delete the link\ngroup from the link group list, but it deleted\nthe list head by mistake.\n\nThis may cause memory corruption since we didn't\nremove the real link group from the list and later\nmemseted the link group structure.\nWe got a list corruption panic when testing:\n\n[ \u00a0231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000\n[ \u00a0231.278222] ------------[ cut here ]------------\n[ \u00a0231.278726] kernel BUG at lib/list_debug.c:53!\n[ \u00a0231.279326] invalid opcode: 0000 [#1] SMP NOPTI\n[ \u00a0231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435\n[ \u00a0231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014\n[ \u00a0231.281248] Workqueue: events smc_link_down_work\n[ \u00a0231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90\n[ \u00a0231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c\n60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f>\n0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc\n[ \u00a0231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292\n[ \u00a0231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000\n[ \u00a0231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040\n[ \u00a0231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001\n[ \u00a0231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001\n[ \u00a0231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003\n[ \u00a0231.288337] FS: \u00a00000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n[ \u00a0231.289160] CS: \u00a00010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ \u00a0231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0\n[ \u00a0231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ \u00a0231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ \u00a0231.291940] Call Trace:\n[ \u00a0231.292211] \u00a0smc_lgr_terminate_sched+0x53/0xa0\n[ \u00a0231.292677] \u00a0smc_switch_conns+0x75/0x6b0\n[ \u00a0231.293085] \u00a0? update_load_avg+0x1a6/0x590\n[ \u00a0231.293517] \u00a0? ttwu_do_wakeup+0x17/0x150\n[ \u00a0231.293907] \u00a0? update_load_avg+0x1a6/0x590\n[ \u00a0231.294317] \u00a0? newidle_balance+0xca/0x3d0\n[ \u00a0231.294716] \u00a0smcr_link_down+0x50/0x1a0\n[ \u00a0231.295090] \u00a0? __wake_up_common_lock+0x77/0x90\n[ \u00a0231.295534] \u00a0smc_link_down_work+0x46/0x60\n[ \u00a0231.295933] \u00a0process_one_work+0x18b/0x350",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47536",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Fix a memleak bug in rvu_mbox_init()\n\nIn rvu_mbox_init(), mbox_regions is not freed or passed out\nunder the switch-default region, which could lead to a memory leak.\n\nFix this bug by changing 'return err' to 'goto free_regions'.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_OCTEONTX2_AF=y show no new warnings,\nand our static analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47537",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()\n\nNeed to call rxrpc_put_local() for peer candidate before kfree() as it\nholds a ref to rxrpc_local.\n\n[DH: v2: Changed to abstract the peer freeing code out into a function]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47538",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()\n\nNeed to call rxrpc_put_peer() for bundle candidate before kfree() as it\nholds a ref to rxrpc_peer.\n\n[DH: v2: Changed to abstract out the bundle freeing code into a function]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47539",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode\n\nFix the following NULL pointer dereference in mt7915_get_phy_mode\nroutine adding an ibss interface to the mt7915 driver.\n\n[  101.137097] wlan0: Trigger new scan to find an IBSS to join\n[  102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69\n[  103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  103.073670] Mem abort info:\n[  103.076520]   ESR = 0x96000005\n[  103.079614]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  103.084934]   SET = 0, FnV = 0\n[  103.088042]   EA = 0, S1PTW = 0\n[  103.091215] Data abort info:\n[  103.094104]   ISV = 0, ISS = 0x00000005\n[  103.098041]   CM = 0, WnR = 0\n[  103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000\n[  103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  103.116590] Internal error: Oops: 96000005 [#1] SMP\n[  103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0\n[  103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT)\n[  103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211]\n[  103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--)\n[  103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e]\n[  103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e]\n[  103.223927] sp : ffffffc011cdb9e0\n[  103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098\n[  103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40\n[  103.237855] x25: 0000000000000001 x24: 000000000000011f\n[  103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918\n[  103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58\n[  103.253785] x19: ffffff8006744400 x18: 0000000000000000\n[  103.259094] x17: 0000000000000000 x16: 0000000000000001\n[  103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8\n[  103.269713] x13: 0000000000000000 x12: 0000000000000000\n[  103.275024] x11: ffffffc010e30c20 x10: 0000000000000000\n[  103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88\n[  103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44\n[  103.290952] x5 : 0000000000000002 x4 : 0000000000000001\n[  103.296262] x3 : 0000000000000001 x2 : 0000000000000001\n[  103.301572] x1 : 0000000000000000 x0 : 0000000000000011\n[  103.306882] Call trace:\n[  103.309328]  mt7915_get_phy_mode+0x68/0x120 [mt7915e]\n[  103.314378]  mt7915_bss_info_changed+0x198/0x200 [mt7915e]\n[  103.319941]  ieee80211_bss_info_change_notify+0x128/0x290 [mac80211]\n[  103.326360]  __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211]\n[  103.332171]  ieee80211_sta_create_ibss+0x8c/0x10c [mac80211]\n[  103.337895]  ieee80211_ibss_work+0x3dc/0x614 [mac80211]\n[  103.343185]  ieee80211_iface_work+0x388/0x3f0 [mac80211]\n[  103.348495]  process_one_work+0x288/0x690\n[  103.352499]  worker_thread+0x70/0x464\n[  103.356157]  kthread+0x144/0x150\n[  103.359380]  ret_from_fork+0x10/0x18\n[  103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47540",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()\n\nIn mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and\ntmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().\nAfter that mlx4_en_alloc_resources() is called and there is a dereference\nof &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to\na use after free problem on failure of mlx4_en_copy_priv().\n\nFix this bug by adding a check of mlx4_en_copy_priv()\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_MLX4_EN=m show no new warnings,\nand our static analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47541",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()\n\nIn qlcnic_83xx_add_rings(), the indirect function of\nahw->hw_ops->alloc_mbx_args will be called to allocate memory for\ncmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),\nwhich could lead to a NULL pointer dereference on failure of the\nindirect function like qlcnic_83xx_alloc_mbx_args().\n\nFix this bug by adding a check of alloc_mbx_args(), this patch\nimitates the logic of mbx_cmd()'s failure handling.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_QLCNIC=m show no new warnings, and our\nstatic analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47542",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix page frag corruption on page fault\n\nSteffen reported a TCP stream corruption for HTTP requests\nserved by the apache web-server using a cifs mount-point\nand memory mapping the relevant file.\n\nThe root cause is quite similar to the one addressed by\ncommit 20eb4f29b602 (\"net: fix sk_page_frag() recursion from\nmemory reclaim\"). Here the nested access to the task page frag\nis caused by a page fault on the (mmapped) user-space memory\nbuffer coming from the cifs file.\n\nThe page fault handler performs an smb transaction on a different\nsocket, inside the same process context. Since sk->sk_allaction\nfor such socket does not prevent the usage for the task_frag,\nthe nested allocation modify \"under the hood\" the page frag\nin use by the outer sendmsg call, corrupting the stream.\n\nThe overall relevant stack trace looks like the following:\n\nhttpd 78268 [001] 3461630.850950:      probe:tcp_sendmsg_locked:\n        ffffffff91461d91 tcp_sendmsg_locked+0x1\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139814e sock_sendmsg+0x3e\n        ffffffffc06dfe1d smb_send_kvec+0x28\n        [...]\n        ffffffffc06cfaf8 cifs_readpages+0x213\n        ffffffff90e83c4b read_pages+0x6b\n        ffffffff90e83f31 __do_page_cache_readahead+0x1c1\n        ffffffff90e79e98 filemap_fault+0x788\n        ffffffff90eb0458 __do_fault+0x38\n        ffffffff90eb5280 do_fault+0x1a0\n        ffffffff90eb7c84 __handle_mm_fault+0x4d4\n        ffffffff90eb8093 handle_mm_fault+0xc3\n        ffffffff90c74f6d __do_page_fault+0x1ed\n        ffffffff90c75277 do_page_fault+0x37\n        ffffffff9160111e page_fault+0x1e\n        ffffffff9109e7b5 copyin+0x25\n        ffffffff9109eb40 _copy_from_iter_full+0xe0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139815c sock_sendmsg+0x4c\n        ffffffff913981f7 sock_write_iter+0x97\n        ffffffff90f2cc56 do_iter_readv_writev+0x156\n        ffffffff90f2dff0 do_iter_write+0x80\n        ffffffff90f2e1c3 vfs_writev+0xa3\n        ffffffff90f2e27c do_writev+0x5c\n        ffffffff90c042bb do_syscall_64+0x5b\n        ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\n\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\nwe can avoid the nesting using the sk page frag for allocation\nlacking the __GFP_FS flag. Do not define an additional mm-helper\nfor that, as this is strictly tied to the sk page frag usage.\n\nv1 -> v2:\n - use a stricted sk_page_frag() check instead of reordering the\n   code (Eric)",
          "scorev2": "0.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47544",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix memory leak in fib6_rule_suppress\n\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\nrules (used by certain tools such as wg-quick). In such scenarios, every\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\n\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\ndown the issue to ca7a03c41753 (\"ipv6: do not free rt if\nFIB_LOOKUP_NOREF is set on suppress rule\").\n\nThe problem with that change is that the generic `args->flags` always have\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\ndecreasing the refcount when needed.\n\nHow to reproduce:\n - Add the following nftables rule to a prerouting chain:\n     meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n   This can be done with:\n     sudo nft create table inet test\n     sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'\n     sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n - Run:\n     sudo ip -6 rule add table main suppress_prefixlength 0\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\n   with every incoming ipv6 packet.\n\nThis patch exposes the protocol-specific flags to the protocol\nspecific `suppress` function, and check the protocol-specific `flags`\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\n\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47546",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound\n\nIn line 5001, if all id in the array 'lp->phy[8]' is not 0, when the\n'for' end, the 'k' is 8.\n\nAt this time, the array 'lp->phy[8]' may be out of bound.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47547",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()\n\nThe if statement:\n  if (port >= DSAF_GE_NUM)\n        return;\n\nlimits the value of port less than DSAF_GE_NUM (i.e., 8).\nHowever, if the value of port is 6 or 7, an array overflow could occur:\n  port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;\n\nbecause the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).\n\nTo fix this possible array overflow, we first check port and if it is\ngreater than or equal to DSAF_MAX_PORT_NUM, the function returns.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47548",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl\n\nWhen the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,\na bug is reported:\n ==================================================================\n BUG: Unable to handle kernel data access on read at 0x80000800805b502c\n Oops: Kernel access of bad area, sig: 11 [#1]\n NIP [c0000000000388a4] .ioread32+0x4/0x20\n LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]\n Call Trace:\n  .free_irq+0x1c/0x4e0 (unreliable)\n  .ata_host_stop+0x74/0xd0 [libata]\n  .release_nodes+0x330/0x3f0\n  .device_release_driver_internal+0x178/0x2c0\n  .driver_detach+0x64/0xd0\n  .bus_remove_driver+0x70/0xf0\n  .driver_unregister+0x38/0x80\n  .platform_driver_unregister+0x14/0x30\n  .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]\n  .__se_sys_delete_module+0x1ec/0x2d0\n  .system_call_exception+0xfc/0x1f0\n  system_call_common+0xf8/0x200\n ==================================================================\n\nThe triggering of the BUG is shown in the following stack:\n\ndriver_detach\n  device_release_driver_internal\n    __device_release_driver\n      drv->remove(dev) --> platform_drv_remove/platform_remove\n        drv->remove(dev) --> sata_fsl_remove\n          iounmap(host_priv->hcr_base);\t\t\t<---- unmap\n          kfree(host_priv);                             <---- free\n      devres_release_all\n        release_nodes\n          dr->node.release(dev, dr->data) --> ata_host_stop\n            ap->ops->port_stop(ap) --> sata_fsl_port_stop\n                ioread32(hcr_base + HCONTROL)           <---- UAF\n            host->ops->host_stop(host)\n\nThe iounmap(host_priv->hcr_base) and kfree(host_priv) functions should\nnot be executed in drv->remove. These functions should be executed in\nhost_stop after port_stop. Therefore, we move these functions to the\nnew function sata_fsl_host_stop and bind the new function to host_stop.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47549",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: fix potential memleak\n\nIn function amdgpu_get_xgmi_hive, when kobject_init_and_add failed\nThere is a potential memleak if not call kobject_put.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47550",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again\n\nIn SRIOV configuration, the reset may failed to bring asic back to normal but stop cpsch\nalready been called, the start_cpsch will not be called since there is no resume in this\ncase.  When reset been triggered again, driver should avoid to do uninitialization again.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47551",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()\n\nFor avoiding to slow down queue destroy, we don't call\nblk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying to\ncancel dispatch work in blk_release_queue().\n\nHowever, this way has caused kernel oops[1], reported by Changhui. The log\nshows that scsi_device can be freed before running blk_release_queue(),\nwhich is expected too since scsi_device is released after the scsi disk\nis closed and the scsi_device is removed.\n\nFixes the issue by canceling blk-mq dispatch work in both blk_cleanup_queue()\nand disk_release():\n\n1) when disk_release() is run, the disk has been closed, and any sync\ndispatch activities have been done, so canceling dispatch work is enough to\nquiesce filesystem I/O dispatch activity.\n\n2) in blk_cleanup_queue(), we only focus on passthrough request, and\npassthrough request is always explicitly allocated & freed by\nits caller, so once queue is frozen, all sync dispatch activity\nfor passthrough request has been done, then it is enough to just cancel\ndispatch work for avoiding any dispatch activity.\n\n[1] kernel panic log\n[12622.769416] BUG: kernel NULL pointer dereference, address: 0000000000000300\n[12622.777186] #PF: supervisor read access in kernel mode\n[12622.782918] #PF: error_code(0x0000) - not-present page\n[12622.788649] PGD 0 P4D 0\n[12622.791474] Oops: 0000 [#1] PREEMPT SMP PTI\n[12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: loaded Not tainted 5.15.0+ #1\n[12622.804877] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015\n[12622.813321] Workqueue: kblockd blk_mq_run_work_fn\n[12622.818572] RIP: 0010:sbitmap_get+0x75/0x190\n[12622.823336] Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 <48> 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 fa f3 ff ff 83 f8 ff 75 58\n[12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202\n[12622.850120] RAX: 0000000000000001 RBX: 0000000000000300 RCX: 0000000000000004\n[12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030\n[12622.866042] RBP: 0000000000000004 R08: 0000000000000001 R09: ffffa0b742721334\n[12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000\n[12622.881964] R13: 0000000000000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030\n[12622.889926] FS:  0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:0000000000000000\n[12622.898956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[12622.905367] CR2: 0000000000000300 CR3: 0000000641210001 CR4: 00000000001706e0\n[12622.913328] Call Trace:\n[12622.916055]  <TASK>\n[12622.918394]  scsi_mq_get_budget+0x1a/0x110\n[12622.922969]  __blk_mq_do_dispatch_sched+0x1d4/0x320\n[12622.928404]  ? pick_next_task_fair+0x39/0x390\n[12622.933268]  __blk_mq_sched_dispatch_requests+0xf4/0x140\n[12622.939194]  blk_mq_sched_dispatch_requests+0x30/0x60\n[12622.944829]  __blk_mq_run_hw_queue+0x30/0xa0\n[12622.949593]  process_one_work+0x1e8/0x3c0\n[12622.954059]  worker_thread+0x50/0x3b0\n[12622.958144]  ? rescuer_thread+0x370/0x370\n[12622.962616]  kthread+0x158/0x180\n[12622.966218]  ? set_kthread_struct+0x40/0x40\n[12622.970884]  ret_from_fork+0x22/0x30\n[12622.974875]  </TASK>\n[12622.977309] Modules linked in: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea sysfillrect sysimgblt fb_sys_fops pcspkr cec mei_me lpc_ich mei ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter drm fuse xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg ixgbe ahci libahci crct10dif_pclmul crc32_pclmul crc32c_intel libata megaraid_sas ghash_clmulni_intel tg3 wdat_w\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47552",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/scs: Reset task stack state in bringup_cpu()\n\nTo hot unplug a CPU, the idle task on that CPU calls a few layers of C\ncode before finally leaving the kernel. When KASAN is in use, poisoned\nshadow is left around for each of the active stack frames, and when\nshadow call stacks are in use. When shadow call stacks (SCS) are in use\nthe task's saved SCS SP is left pointing at an arbitrary point within\nthe task's shadow call stack.\n\nWhen a CPU is offlined than onlined back into the kernel, this stale\nstate can adversely affect execution. Stale KASAN shadow can alias new\nstackframes and result in bogus KASAN warnings. A stale SCS SP is\neffectively a memory leak, and prevents a portion of the shadow call\nstack being used. Across a number of hotplug cycles the idle task's\nentire shadow call stack can become unusable.\n\nWe previously fixed the KASAN issue in commit:\n\n  e1b77c92981a5222 (\"sched/kasan: remove stale KASAN poison after hotplug\")\n\n... by removing any stale KASAN stack poison immediately prior to\nonlining a CPU.\n\nSubsequently in commit:\n\n  f1a0a376ca0c4ef1 (\"sched/core: Initialize the idle task with preemption disabled\")\n\n... the refactoring left the KASAN and SCS cleanup in one-time idle\nthread initialization code rather than something invoked prior to each\nCPU being onlined, breaking both as above.\n\nWe fixed SCS (but not KASAN) in commit:\n\n  63acd42c0d4942f7 (\"sched/scs: Reset the shadow stack when idle_task_exit\")\n\n... but as this runs in the context of the idle task being offlined it's\npotentially fragile.\n\nTo fix these consistently and more robustly, reset the SCS SP and KASAN\nshadow of a CPU's idle task immediately before we online that CPU in\nbringup_cpu(). This ensures the idle task always has a consistent state\nwhen it is running, and removes the need to so so when exiting an idle\ntask.\n\nWhenever any thread is created, dup_task_struct() will give the task a\nstack which is free of KASAN shadow, and initialize the task's SCS SP,\nso there's no need to specially initialize either for idle thread within\ninit_idle(), as this was only necessary to handle hotplug cycles.\n\nI've tested this on arm64 with:\n\n* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK\n* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK\n\n... offlining and onlining CPUS with:\n\n| while true; do\n|   for C in /sys/devices/system/cpu/cpu*/online; do\n|     echo 0 > $C;\n|     echo 1 > $C;\n|   done\n| done",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47553",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: avoid putting an uninitialized iova_domain\n\nThe system will crash if we put an uninitialized iova_domain, this\ncould happen when an error occurs before initializing the iova_domain\nin vdpasim_create().\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:__cpuhp_state_remove_instance+0x96/0x1c0\n...\nCall Trace:\n <TASK>\n put_iova_domain+0x29/0x220\n vdpasim_free+0xd1/0x120 [vdpa_sim]\n vdpa_release_dev+0x21/0x40 [vdpa]\n device_release+0x33/0x90\n kobject_release+0x63/0x160\n vdpasim_create+0x127/0x2a0 [vdpa_sim]\n vdpasim_net_dev_add+0x7d/0xfe [vdpa_sim_net]\n vdpa_nl_cmd_dev_add_set_doit+0xe1/0x1a0 [vdpa]\n genl_family_rcv_msg_doit+0x112/0x140\n genl_rcv_msg+0xdf/0x1d0\n ...\n\nSo we must make sure the iova_domain is already initialized before\nput it.\n\nIn addition, we may get the following warning in this case:\nWARNING: ... drivers/iommu/iova.c:344 iova_cache_put+0x58/0x70\n\nSo we must make sure the iova_cache_put() is invoked only if the\niova_cache_get() is already invoked. Let's fix it together.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47554",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix underflow for the real_dev refcnt\n\nInject error before dev_hold(real_dev) in register_vlan_dev(),\nand execute the following testcase:\n\nip link add dev dummy1 type dummy\nip link add name dummy1.100 link dummy1 type vlan id 100\nip link del dev dummy1\n\nWhen the dummy netdevice is removed, we will get a WARNING as following:\n\n=======================================================================\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0\n\nand an endless loop of:\n\n=======================================================================\nunregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824\n\nThat is because dev_put(real_dev) in vlan_dev_free() be called without\ndev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev\nunderflow.\n\nMove the dev_hold(real_dev) to vlan_dev_init() which is the call-back of\nndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev\nsymmetrical.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47555",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15.6"
        },
        {
          "id": "CVE-2021-47556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()\n\nethtool_set_coalesce() now uses both the .get_coalesce() and\n.set_coalesce() callbacks. But the check for their availability is\nbuggy, so changing the coalesce settings on a device where the driver\nprovides only _one_ of the callbacks results in a NULL pointer\ndereference instead of an -EOPNOTSUPP.\n\nFix the condition so that the availability of both callbacks is\nensured. This also matches the netlink code.\n\nNote that reproducing this requires some effort - it only affects the\nlegacy ioctl path, and needs a specific combination of driver options:\n- have .get_coalesce() and .coalesce_supported but no\n .set_coalesce(), or\n- have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn't\n  cause the crash as it first attempts to call ethtool_get_coalesce()\n  and bails out on error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47556",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_ets: don't peek at classes beyond 'nbands'\n\nwhen the number of DRR classes decreases, the round-robin active list can\ncontain elements that have already been freed in ets_qdisc_change(). As a\nconsequence, it's possible to see a NULL dereference crash, caused by the\nattempt to call cl->qdisc->ops->peek(cl->qdisc) when cl->qdisc is NULL:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets]\n Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 <48> 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d\n RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287\n RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000\n RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0\n R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100\n FS:  00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0\n Call Trace:\n  <TASK>\n  qdisc_peek_dequeued+0x29/0x70 [sch_ets]\n  tbf_dequeue+0x22/0x260 [sch_tbf]\n  __qdisc_run+0x7f/0x630\n  net_tx_action+0x290/0x4c0\n  __do_softirq+0xee/0x4f8\n  irq_exit_rcu+0xf4/0x130\n  sysvec_apic_timer_interrupt+0x52/0xc0\n  asm_sysvec_apic_timer_interrupt+0x12/0x20\n RIP: 0033:0x7f2aa7fc9ad4\n Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa <53> 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00\n RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202\n RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720\n RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720\n RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460\n  </TASK>\n Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod\n CR2: 0000000000000018\n\nEnsuring that 'alist' was never zeroed [1] was not sufficient, we need to\nremove from the active list those elements that are no more SP nor DRR.\n\n[1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/\n\nv3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting\n    DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock\n    acquired, thanks to Cong Wang.\n\nv2: when a NULL qdisc is found in the DRR active list, try to dequeue skb\n    from the next list item.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47557",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Disable Tx queues when reconfiguring the interface\n\nThe Tx queues were not disabled in situations where the driver needed to\nstop the interface to apply a new configuration. This could result in a\nkernel panic when doing any of the 3 following actions:\n* reconfiguring the number of queues (ethtool -L)\n* reconfiguring the size of the ring buffers (ethtool -G)\n* installing/removing an XDP program (ip l set dev ethX xdp)\n\nPrevent the panic by making sure netif_tx_disable is called when stopping\nan interface.\n\nWithout this patch, the following kernel panic can be observed when doing\nany of the actions above:\n\nUnable to handle kernel paging request at virtual address ffff80001238d040\n[....]\n Call trace:\n  dwmac4_set_addr+0x8/0x10\n  dev_hard_start_xmit+0xe4/0x1ac\n  sch_direct_xmit+0xe8/0x39c\n  __dev_queue_xmit+0x3ec/0xaf0\n  dev_queue_xmit+0x14/0x20\n[...]\n[ end trace 0000000000000002 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47558",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()\n\nCoverity reports a possible NULL dereferencing problem:\n\nin smc_vlan_by_tcpsk():\n6. returned_null: netdev_lower_get_next returns NULL (checked 29 out of 30 times).\n7. var_assigned: Assigning: ndev = NULL return value from netdev_lower_get_next.\n1623                ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower);\nCID 1468509 (#1 of 1): Dereference null return value (NULL_RETURNS)\n8. dereference: Dereferencing a pointer that might be NULL ndev when calling is_vlan_dev.\n1624                if (is_vlan_dev(ndev)) {\n\nRemove the manual implementation and use netdev_walk_all_lower_dev() to\niterate over the lower devices. While on it remove an obsolete function\nparameter comment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47559",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum: Protect driver from buggy firmware\n\nWhen processing port up/down events generated by the device's firmware,\nthe driver protects itself from events reported for non-existent local\nports, but not the CPU port (local port 0), which exists, but lacks a\nnetdev.\n\nThis can result in a NULL pointer dereference when calling\nnetif_carrier_{on,off}().\n\nFix this by bailing early when processing an event reported for the CPU\nport. Problem was only observed when running on top of a buggy emulator.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47560",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: disable timeout handling\n\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\n\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\n\n BUG kmalloc-1k (Not tainted): Poison overwritten\n First byte 0x1 instead of 0x6b\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n \t__kmalloc+0xc2/0x1c9\n \tvirtio_i2c_xfer+0x65/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\n \tkfree+0x1bd/0x1cc\n \tvirtio_i2c_xfer+0x32e/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47561",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix vsi->txq_map sizing\n\nThe approach of having XDP queue per CPU regardless of user's setting\nexposed a hidden bug that could occur in case when Rx queue count differ\nfrom Tx queue count. Currently vsi->txq_map's size is equal to the\ndoubled vsi->alloc_txq, which is not correct due to the fact that XDP\nrings were previously based on the Rx queue count. Below splat can be\nseen when ethtool -L is used and XDP rings are configured:\n\n[  682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f\n[  682.883403] #PF: supervisor read access in kernel mode\n[  682.889345] #PF: error_code(0x0000) - not-present page\n[  682.895289] PGD 0 P4D 0\n[  682.898218] Oops: 0000 [#1] PREEMPT SMP PTI\n[  682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G           OE     5.15.0-rc5+ #1\n[  682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[  682.923380] RIP: 0010:devres_remove+0x44/0x130\n[  682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8\n[  682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002\n[  682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370\n[  682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000\n[  682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000\n[  682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60\n[  682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c\n[  682.997535] FS:  00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000\n[  683.006910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0\n[  683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  683.038336] Call Trace:\n[  683.041167]  devm_kfree+0x33/0x50\n[  683.045004]  ice_vsi_free_arrays+0x5e/0xc0 [ice]\n[  683.050380]  ice_vsi_rebuild+0x4c8/0x750 [ice]\n[  683.055543]  ice_vsi_recfg_qs+0x9a/0x110 [ice]\n[  683.060697]  ice_set_channels+0x14f/0x290 [ice]\n[  683.065962]  ethnl_set_channels+0x333/0x3f0\n[  683.070807]  genl_family_rcv_msg_doit+0xea/0x150\n[  683.076152]  genl_rcv_msg+0xde/0x1d0\n[  683.080289]  ? channels_prepare_data+0x60/0x60\n[  683.085432]  ? genl_get_cmd+0xd0/0xd0\n[  683.089667]  netlink_rcv_skb+0x50/0xf0\n[  683.094006]  genl_rcv+0x24/0x40\n[  683.097638]  netlink_unicast+0x239/0x340\n[  683.102177]  netlink_sendmsg+0x22e/0x470\n[  683.106717]  sock_sendmsg+0x5e/0x60\n[  683.110756]  __sys_sendto+0xee/0x150\n[  683.114894]  ? handle_mm_fault+0xd0/0x2a0\n[  683.119535]  ? do_user_addr_fault+0x1f3/0x690\n[  683.134173]  __x64_sys_sendto+0x25/0x30\n[  683.148231]  do_syscall_64+0x3b/0xc0\n[  683.161992]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix this by taking into account the value that num_possible_cpus()\nyields in addition to vsi->alloc_txq instead of doubling the latter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47562",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: avoid bpf_prog refcount underflow\n\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\n\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\n\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n\n[  481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[  481.077390] #PF: supervisor read access in kernel mode\n[  481.083335] #PF: error_code(0x0000) - not-present page\n[  481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[  481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[  481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G           OE     5.15.0-rc5+ #1\n[  481.110840] Hardware name: Intel Corp. 
GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[  481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[  481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[  481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[  481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[  481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[  481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[  481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[  481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  481.196276] FS:  00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[  481.205633] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[  481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  481.237029] Call Trace:\n[  481.239856]  rtnl_fill_ifinfo+0x768/0x12e0\n[  481.244602]  rtnl_dump_ifinfo+0x525/0x650\n[  481.249246]  ? __alloc_skb+0xa5/0x280\n[  481.253484]  netlink_dump+0x168/0x3c0\n[  481.257725]  netlink_recvmsg+0x21e/0x3e0\n[  481.262263]  ____sys_recvmsg+0x87/0x170\n[  481.266707]  ? __might_fault+0x20/0x30\n[  481.271046]  ? _copy_from_user+0x66/0xa0\n[  481.275591]  ? iovec_from_user+0xf6/0x1c0\n[  481.280226]  ___sys_recvmsg+0x82/0x100\n[  481.284566]  ? sock_sendmsg+0x5e/0x60\n[  481.288791]  ? 
__sys_sendto+0xee/0x150\n[  481.293129]  __sys_recvmsg+0x56/0xa0\n[  481.297267]  do_syscall_64+0x3b/0xc0\n[  481.301395]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  481.307238] RIP: 0033:0x7f5466f39617\n[  481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[  481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[  481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[  481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[  481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[  481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[  481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[  481.451520] Modules linked in: ice\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47563",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix double free issue on err path\n\nFix error path handling in prestera_bridge_port_join() that\ncauses prestera driver to crash (see below).\n\n Trace:\n   Internal error: Oops: 96000044 [#1] SMP\n   Modules linked in: prestera_pci prestera uio_pdrv_genirq\n   CPU: 1 PID: 881 Comm: ip Not tainted 5.15.0 #1\n   pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : prestera_bridge_destroy+0x2c/0xb0 [prestera]\n   lr : prestera_bridge_port_join+0x2cc/0x350 [prestera]\n   sp : ffff800011a1b0f0\n   ...\n   x2 : ffff000109ca6c80 x1 : dead000000000100 x0 : dead000000000122\n    Call trace:\n   prestera_bridge_destroy+0x2c/0xb0 [prestera]\n   prestera_bridge_port_join+0x2cc/0x350 [prestera]\n   prestera_netdev_port_event.constprop.0+0x3c4/0x450 [prestera]\n   prestera_netdev_event_handler+0xf4/0x110 [prestera]\n   raw_notifier_call_chain+0x54/0x80\n   call_netdevice_notifiers_info+0x54/0xa0\n   __netdev_upper_dev_link+0x19c/0x380",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47564",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix kernel panic during drive powercycle test\n\nWhile looping over shost's sdev list it is possible that one\nof the drives is getting removed and its sas_target object is\nfreed but its sdev object remains intact.\n\nConsequently, a kernel panic can occur while the driver is trying to access\nthe sas_address field of sas_target object without also checking the\nsas_target object for NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47565",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc/vmcore: fix clearing user buffer by properly using clear_user()\n\nTo clear a user buffer we cannot simply use memset, we have to use\nclear_user().  With a virtio-mem device that registers a vmcore_cb and\nhas some logically unplugged memory inside an added Linux memory block,\nI can easily trigger a BUG by copying the vmcore via \"cp\":\n\n  systemd[1]: Starting Kdump Vmcore Save Service...\n  kdump[420]: Kdump is using the default log level(3).\n  kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/\n  kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/\n  kdump[465]: saving vmcore-dmesg.txt complete\n  kdump[467]: saving vmcore\n  BUG: unable to handle page fault for address: 00007f2374e01000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0003) - permissions violation\n  PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867\n  Oops: 0003 [#1] PREEMPT SMP NOPTI\n  CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86\n  Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81\n  RSP: 0018:ffffc9000073be08 EFLAGS: 00010212\n  RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000\n  RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008\n  RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50\n  R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000\n  R13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8\n  FS:  00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n  CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0\n  Call Trace:\n   read_vmcore+0x236/0x2c0\n   proc_reg_read+0x55/0xa0\n   vfs_read+0x95/0x190\n   ksys_read+0x4f/0xc0\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nSome x86-64 CPUs have a CPU feature called \"Supervisor Mode Access\nPrevention (SMAP)\", which is used to detect wrong access from the kernel\nto user buffers like this: SMAP triggers a permissions violation on\nwrong access.  In the x86-64 variant of clear_user(), SMAP is properly\nhandled via clac()+stac().\n\nTo fix, properly use clear_user() when we're dealing with a user buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47566",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/32: Fix hardlockup on vmap stack overflow\n\nSince the commit c118c7303ad5 (\"powerpc/32: Fix vmap stack - Do not\nactivate MMU before reading task struct\") a vmap stack overflow\nresults in a hard lockup. This is because emergency_ctx is still\naddressed with its virtual address although data MMU is not active\nanymore at that time.\n\nFix it by using a physical address instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47567",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memleak in get_file_stream_info()\n\nFix memleak in get_file_stream_info()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47568",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fail cancellation for EXITING tasks\n\nWARNING: CPU: 1 PID: 20 at fs/io_uring.c:6269 io_try_cancel_userdata+0x3c5/0x640 fs/io_uring.c:6269\nCPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.16.0-rc1-syzkaller #0\nWorkqueue: events io_fallback_req_func\nRIP: 0010:io_try_cancel_userdata+0x3c5/0x640 fs/io_uring.c:6269\nCall Trace:\n <TASK>\n io_req_task_link_timeout+0x6b/0x1e0 fs/io_uring.c:6886\n io_fallback_req_func+0xf9/0x1ae fs/io_uring.c:1334\n process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298\n worker_thread+0x658/0x11f0 kernel/workqueue.c:2445\n kthread+0x405/0x4f0 kernel/kthread.c:327\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n\nWe need original task's context to do cancellations, so if it's dying\nand the callback is executed in a fallback mode, fail the cancellation\nattempt.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47569",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8188eu: fix a memory leak in rtw_wx_read32()\n\nFree \"ptmp\" before returning -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47570",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()\n\nThe free_rtllib() function frees the \"dev\" pointer so there is use\nafter free on the next line.  Re-arrange things to avoid that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47571",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: fix null pointer dereference when IPv6 is not enabled\n\nWhen we try to add an IPv6 nexthop and IPv6 is not enabled\n(!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path\nof nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug\nhas been present since the beginning of IPv6 nexthop gateway support.\nCommit 1aefd3de7bc6 (\"ipv6: Add fib6_nh_init and release to stubs\") tells\nus that only fib6_nh_init has a dummy stub because fib6_nh_release should\nnot be called if fib6_nh_init returns an error, but the commit below added\na call to ipv6_stub->fib6_nh_release in its error path. To fix it return\nthe dummy stub's -EAFNOSUPPORT error directly without calling\nipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.\n\n[1]\n Output is a bit truncated, but it clearly shows the error.\n BUG: kernel NULL pointer dereference, address: 000000000000000000\n #PF: supervisor instruction fetch in kernel modede\n #PF: error_code(0x0010) - not-present pagege\n PGD 0 P4D 0\n Oops: 0010 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\n RIP: 0010:0x0\n Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac\n RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860\n RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f\n R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840\n FS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0\n Call Trace:\n  
<TASK>\n  nh_create_ipv6+0xed/0x10c\n  rtm_new_nexthop+0x6d7/0x13f3\n  ? check_preemption_disabled+0x3d/0xf2\n  ? lock_is_held_type+0xbe/0xfd\n  rtnetlink_rcv_msg+0x23f/0x26a\n  ? check_preemption_disabled+0x3d/0xf2\n  ? rtnl_calcit.isra.0+0x147/0x147\n  netlink_rcv_skb+0x61/0xb2\n  netlink_unicast+0x100/0x187\n  netlink_sendmsg+0x37f/0x3a0\n  ? netlink_unicast+0x187/0x187\n  sock_sendmsg_nosec+0x67/0x9b\n  ____sys_sendmsg+0x19d/0x1f9\n  ? copy_msghdr_from_user+0x4c/0x5e\n  ? rcu_read_lock_any_held+0x2a/0x78\n  ___sys_sendmsg+0x6c/0x8c\n  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n  ? lockdep_hardirqs_on+0xd9/0x102\n  ? sockfd_lookup_light+0x69/0x99\n  __sys_sendmsg+0x50/0x6e\n  do_syscall_64+0xcb/0xf2\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f98dea28914\n Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53\n RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e\n RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914\n RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008\n R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001\n R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0\n </TASK>\n Modules linked in: bridge stp llc bonding virtio_net",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47572",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()\n\nIn resp_mode_select() sanity check the block descriptor len to avoid UAF.\n\nBUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\nRead of size 1 at addr ffff888026670f50 by task scsicmd/15032\n\nCPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nCall Trace:\n <TASK>\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107\n print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257\n kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443\n __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306\n resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\n schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483\n scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537\n scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63\n sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837\n sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775\n sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47576",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check for wq exit after adding new worker task_work\n\nWe check IO_WQ_BIT_EXIT before attempting to create a new worker, and\nwq exit cancels pending work if we have any. But it's possible to have\na race between the two, where creation checks exit finding it not set,\nbut we're in the process of exiting. The exit side will cancel pending\ncreation task_work, but there's a gap where we add task_work after we've\ncanceled existing creations at exit time.\n\nFix this by checking the EXIT bit post adding the creation task_work.\nIf it's set, run the same cancelation that exit does.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47577",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Don't call kcalloc() if size arg is zero\n\nIf the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR.  Because of\nthat, for a following NULL pointer check to work on the returned pointer,\nkcalloc() must not be called with the size arg equal to zero. Return early\nwithout error before the kcalloc() call if size arg is zero.\n\nBUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\nWrite of size 4 at addr 0000000000000010 by task syz-executor.1/22789\n\nCPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\n memcpy+0x3b/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:191 [inline]\n sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\n do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]\n do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]\n resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\n 
blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\n blk_execute_rq+0xdb/0x360 block/blk-exec.c:102\n sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]\n scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930\n sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47578",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix warning in ovl_create_real()\n\nSyzbot triggered the following warning in ovl_workdir_create() ->\novl_create_real():\n\n\tif (!err && WARN_ON(!newdentry->d_inode)) {\n\nThe reason is that the cgroup2 filesystem returns from mkdir without\ninstantiating the new dentry.\n\nWeird filesystems such as this will be rejected by overlayfs at a later\nstage during setup, but to prevent such a warning, call ovl_mkdir_real()\ndirectly from ovl_workdir_create() and reject this case early.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47579",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix type in min_t to avoid stack OOB\n\nChange min_t() to use type \"u32\" instead of type \"int\" to avoid stack out\nof bounds. With min_t() type \"int\" the values get sign extended and the\nlarger value gets used causing stack out of bounds.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\nRead of size 127 at addr ffff888072607128 by task syz-executor.7/18707\n\nCPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\n print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\n memcpy+0x23/0x60 mm/kasan/shadow.c:65\n memcpy include/linux/fortify-string.h:191 [inline]\n sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\n sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000\n fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162\n fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]\n resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 
block/blk-mq.c:1761\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\n sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836\n sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774\n sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47580",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Make do_proc_control() and do_proc_bulk() killable\n\nThe USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke\nusb_start_wait_urb(), which contains an uninterruptible wait with a\nuser-specified timeout value.  If timeout value is very large and the\ndevice being accessed does not respond in a reasonable amount of time,\nthe kernel will complain about \"Task X blocked for more than N\nseconds\", as found in testing by syzbot:\n\nINFO: task syz-executor.0:8700 blocked for more than 143 seconds.\n      Not tainted 5.14.0-rc7-syzkaller #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor.0  state:D stack:23192 pid: 8700 ppid:  8455 flags:0x00004004\nCall Trace:\n context_switch kernel/sched/core.c:4681 [inline]\n __schedule+0xc07/0x11f0 kernel/sched/core.c:5938\n schedule+0x14b/0x210 kernel/sched/core.c:6017\n schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857\n do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85\n __wait_for_common kernel/sched/completion.c:106 [inline]\n wait_for_common kernel/sched/completion.c:117 [inline]\n wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157\n usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63\n do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236\n proc_bulk drivers/usb/core/devio.c:1273 [inline]\n usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]\n usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713\n...\n\nTo fix this problem, this patch replaces usbfs's calls to\nusb_control_msg() and usb_bulk_msg() with special-purpose code that\ndoes essentially the same thing (as recommended in the comment for\nusb_start_wait_urb()), except that it always uses a killable wait and\nit uses GFP_KERNEL rather than GFP_NOIO.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47582",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mxl111sf: change mutex_init() location\n\nSyzbot reported that mxl111sf_ctrl_msg() uses an uninitialized\nmutex. The problem was in wrong mutex_init() location.\n\nPrevious mutex_init(&state->msg_lock) call was in ->init() function, but\ndvb_usbv2_init() has this order of calls:\n\n\tdvb_usbv2_init()\n\t  dvb_usbv2_adapter_init()\n\t    dvb_usbv2_adapter_frontend_init()\n\t      props->frontend_attach()\n\n\t  props->init()\n\nSince mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()\ninternally we need to initialize state->msg_lock before\nfrontend_attach(). To achieve it, a ->probe() call was added to all mxl111sf_*\ndevices, which will simply initialize the mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47583",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niocost: Fix divide-by-zero on donation from low hweight cgroup\n\nThe donation calculation logic assumes that the donor has non-zero\nafter-donation hweight, so the lowest active hweight a donating cgroup can\nhave is 2 so that it can donate 1 while keeping the other 1 for itself.\nEarlier, we only donated from cgroups with sizable surpluses so this\ncondition was always true. However, with the precise donation algorithm\nimplemented, f1de2439ec43 (\"blk-iocost: revamp donation amount\ndetermination\") made the donation amount calculation exact enabling even low\nhweight cgroups to donate.\n\nThis means that in rare occasions, a cgroup with active hweight of 1 can\nenter donation calculation triggering the following warning and then a\ndivide-by-zero oops.\n\n WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]\n ...\n RIP: 0010:transfer_surpluses.cold+0x0/0x53\n Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0\n4\n ...\n Call Trace:\n  <IRQ>\n  ioc_timer_fn+0x1043/0x1390\n  call_timer_fn+0xa1/0x2c0\n  __run_timers.part.0+0x1ec/0x2e0\n  run_timer_softirq+0x35/0x70\n ...\n iocg: invalid donation weights in /a/b: active=1 donating=1 after=0\n\nFix it by excluding cgroups w/ active hweight < 2 from donating. Excluding\nthese extreme low hweight donations shouldn't affect work conservation in\nany meaningful way.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47584",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leak in __add_inode_ref()\n\nLine 1169 (#3) allocates a memory chunk for victim_name by kmalloc(),\nbut  when the function returns in line 1184 (#4) victim_name allocated\nby line 1169 (#3) is not freed, which will lead to a memory leak.\nThere is a similar snippet of code in this function as allocating a memory\nchunk for victim_name in line 1104 (#1) as well as releasing the memory\nin line 1116 (#2).\n\nWe should kfree() victim_name when the return value of backref_in_log()\nis less than zero and before the function returns in line 1184 (#4).\n\n1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans,\n1058 \t\t\t\t  struct btrfs_root *root,\n1059 \t\t\t\t  struct btrfs_path *path,\n1060 \t\t\t\t  struct btrfs_root *log_root,\n1061 \t\t\t\t  struct btrfs_inode *dir,\n1062 \t\t\t\t  struct btrfs_inode *inode,\n1063 \t\t\t\t  u64 inode_objectid, u64 parent_objectid,\n1064 \t\t\t\t  u64 ref_index, char *name, int namelen,\n1065 \t\t\t\t  int *search_done)\n1066 {\n\n1104 \tvictim_name = kmalloc(victim_name_len, GFP_NOFS);\n\t// #1: kmalloc (victim_name-1)\n1105 \tif (!victim_name)\n1106 \t\treturn -ENOMEM;\n\n1112\tret = backref_in_log(log_root, &search_key,\n1113\t\t\tparent_objectid, victim_name,\n1114\t\t\tvictim_name_len);\n1115\tif (ret < 0) {\n1116\t\tkfree(victim_name); // #2: kfree (victim_name-1)\n1117\t\treturn ret;\n1118\t} else if (!ret) {\n\n1169 \tvictim_name = kmalloc(victim_name_len, GFP_NOFS);\n\t// #3: kmalloc (victim_name-2)\n1170 \tif (!victim_name)\n1171 \t\treturn -ENOMEM;\n\n1180 \tret = backref_in_log(log_root, &search_key,\n1181 \t\t\tparent_objectid, victim_name,\n1182 \t\t\tvictim_name_len);\n1183 \tif (ret < 0) {\n1184 \t\treturn ret; // #4: missing kfree (victim_name-2)\n1185 \t} else if (!ret) {\n\n1241 \treturn 0;\n1242 }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47585",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwmac-rk: fix oob read in rk_gmac_setup\n\nKASAN reports an out-of-bounds read in rk_gmac_setup on the line:\n\n\twhile (ops->regs[i]) {\n\nThis happens for most platforms since the regs flexible array member is\nempty, so the memory after the ops structure is being read here.  It\nseems that mostly this happens to contain zero anyway, so we get lucky\nand everything still works.\n\nTo avoid adding redundant data to nearly all the ops structures, add a\nnew flag to indicate whether the regs field is valid and avoid this loop\nwhen it is not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47586",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: systemport: Add global locking for descriptor lifecycle\n\nThe descriptor list is a shared resource across all of the transmit queues, and\nthe locking mechanism used today only protects concurrency across a given\ntransmit queue between the transmit and reclaiming. This creates an opportunity\nfor the SYSTEMPORT hardware to work on corrupted descriptors if we have\nmultiple producers at once which is the case when using multiple transmit\nqueues.\n\nThis was particularly noticeable when using multiple flows/transmit queues and\nit showed up in interesting ways in that UDP packets would get a correct UDP\nheader checksum being calculated over an incorrect packet length. Similarly TCP\npackets would get an equally correct checksum computed by the hardware over an\nincorrect packet length.\n\nThe SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges\nwhen the driver produces a new descriptor anytime it writes to the\nWRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to\nre-organize its descriptors and it is possible that concurrent TX queues\neventually break this internal allocation scheme to the point where the\nlength/status part of the descriptor gets used for an incorrect data buffer.\n\nThe fix is to impose a global serialization for all TX queues in the short\nsection where we are writing to the WRITE_PORT_{HI,LO} registers which solves\nthe corruption even with multiple concurrent TX queues being used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47587",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsit: do not call ipip6_dev_free() from sit_init_net()\n\nipip6_dev_free is sit dev->priv_destructor, already called\nby register_netdevice() if something goes wrong.\n\nAlternative would be to make ipip6_dev_free() robust against\nmultiple invocations, but other drivers do not implement this\nstrategy.\n\nsyzbot reported:\n\ndst_release underflow\nWARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173\nModules linked in:\nCPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173\nCode: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48\nRSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246\nRAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000\nRDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000\nRBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c\nR10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358\nR13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000\nFS:  00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160\n ipip6_dev_free net/ipv6/sit.c:1414 [inline]\n sit_init_net+0x229/0x550 net/ipv6/sit.c:1936\n ops_init+0x313/0x430 net/core/net_namespace.c:140\n setup_net+0x35b/0x9d0 net/core/net_namespace.c:326\n copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470\n create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226\n ksys_unshare+0x57d/0xb50 kernel/fork.c:3075\n __do_sys_unshare kernel/fork.c:3146 [inline]\n __se_sys_unshare kernel/fork.c:3144 [inline]\n __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f66c882ce99\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200\nRBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47588",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigbvf: fix double free in `igbvf_probe`\n\nIn `igbvf_probe`, if register_netdev() fails, the program will go to\nlabel err_hw_init, and then to label err_ioremap. In free_netdev() which\nis just below label err_ioremap, there is `list_for_each_entry_safe` and\n`netif_napi_del` which aim to delete all entries in `dev->napi_list`.\nThe program has added an entry `adapter->rx_ring->napi` which is added by\n`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has\nbeen freed below label err_hw_init. So this is a UAF.\n\nIn terms of how to patch the problem, we can refer to igbvf_remove() and\ndelete the entry before `adapter->rx_ring`.\n\nThe KASAN logs are as follows:\n\n[   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450\n[   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366\n[   35.128360]\n[   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14\n[   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[   35.131749] Call Trace:\n[   35.132199]  dump_stack_lvl+0x59/0x7b\n[   35.132865]  print_address_description+0x7c/0x3b0\n[   35.133707]  ? free_netdev+0x1fd/0x450\n[   35.134378]  __kasan_report+0x160/0x1c0\n[   35.135063]  ? free_netdev+0x1fd/0x450\n[   35.135738]  kasan_report+0x4b/0x70\n[   35.136367]  free_netdev+0x1fd/0x450\n[   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]\n[   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]\n[   35.138751]  local_pci_probe+0x13c/0x1f0\n[   35.139461]  pci_device_probe+0x37e/0x6c0\n[   35.165526]\n[   35.165806] Allocated by task 366:\n[   35.166414]  ____kasan_kmalloc+0xc4/0xf0\n[   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]\n[   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]\n[   35.168866]  local_pci_probe+0x13c/0x1f0\n[   35.169565]  pci_device_probe+0x37e/0x6c0\n[   35.179713]\n[   35.179993] Freed by task 366:\n[   35.180539]  kasan_set_track+0x4c/0x80\n[   35.181211]  kasan_set_free_info+0x1f/0x40\n[   35.181942]  ____kasan_slab_free+0x103/0x140\n[   35.182703]  kfree+0xe3/0x250\n[   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]\n[   35.184040]  local_pci_probe+0x13c/0x1f0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47589",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix deadlock in __mptcp_push_pending()\n\n__mptcp_push_pending() may call mptcp_flush_join_list() with subflow\nsocket lock held. If such call hits mptcp_sockopt_sync_all() then\nsubsequently __mptcp_sockopt_sync() could try to lock the subflow\nsocket for itself, causing a deadlock.\n\nsysrq: Show Blocked State\ntask:ss-server       state:D stack:    0 pid:  938 ppid:     1 flags:0x00000000\nCall Trace:\n <TASK>\n __schedule+0x2d6/0x10c0\n ? __mod_memcg_state+0x4d/0x70\n ? csum_partial+0xd/0x20\n ? _raw_spin_lock_irqsave+0x26/0x50\n schedule+0x4e/0xc0\n __lock_sock+0x69/0x90\n ? do_wait_intr_irq+0xa0/0xa0\n __lock_sock_fast+0x35/0x50\n mptcp_sockopt_sync_all+0x38/0xc0\n __mptcp_push_pending+0x105/0x200\n mptcp_sendmsg+0x466/0x490\n sock_sendmsg+0x57/0x60\n __sys_sendto+0xf0/0x160\n ? do_wait_intr_irq+0xa0/0xa0\n ? fpregs_restore_userregs+0x12/0xd0\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f9ba546c2d0\nRSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0\nRDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234\nRBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060\nR13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8\n </TASK>\n\nFix the issue by using __mptcp_flush_join_list() instead of plain\nmptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by\nFlorian. The sockopt sync will be deferred to the workqueue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47590",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: remove tcp ulp setsockopt support\n\nTCP_ULP setsockopt cannot be used for mptcp because it's already\nused internally to plumb subflow (tcp) sockets to the mptcp layer.\n\nsyzbot managed to trigger a crash for mptcp connections that are\nin fallback mode:\n\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0\nRIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]\n[..]\n __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]\n tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160\n do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391\n mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638\n\nRemove support for TCP_ULP setsockopt.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47591",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\n\nTo replicate the issue:-\n\n1) Add 1 flower filter for VLAN Priority based frame steering:-\n$ IFDEVNAME=eth0\n$ tc qdisc add dev $IFDEVNAME ingress\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\n   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\n   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\n   flower vlan_prio 0 hw_tc 0\n\n2) Get the 'pref' id\n$ tc filter show dev $IFDEVNAME ingress\n\n3) Delete a specific tc flower record (say pref 49151)\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\n\nFrom dmesg, we will observe a kernel NULL pointer oops\n\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  197.171367] #PF: supervisor read access in kernel mode\n[  197.171367] #PF: error_code(0x0000) - not-present page\n[  197.171367] PGD 0 P4D 0\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\n\n<snip>\n\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\n\n<snip>\n\n[  197.171367] Call Trace:\n[  197.171367]  <TASK>\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n\nThe above issue is due to the previous incorrect implementation of\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\nto get struct flow_rule *rule which is no longer valid for the tc filter\ndelete operation.\n\n  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\n  struct flow_dissector *dissector = rule->match.dissector;\n\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\nthe earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\nthis patch introduces stmmac_rfs_entry as the driver-side flow_cls_offload\nrecord for 'RX frame steering' tc flower, currently used for VLAN\npriority. The implementation has taken into consideration future extension\nto include other types of RX frame steering such as EtherType based.\n\nv2:\n - Clean up overly extensive backtrace and rewrite git message to better\n   explain the kernel NULL pointer issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47592",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: clear 'kern' flag from fallback sockets\n\nThe mptcp ULP extension relies on sk->sk_sock_kern being set correctly:\nIt prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, \"mptcp\", 6); from\nworking for plain tcp sockets (any userspace-exposed socket).\n\nBut in case of fallback, accept() can return a plain tcp sk.\nIn such case, sk is still tagged as 'kernel' and setsockopt will work.\n\nThis will crash the kernel. The subflow extension has a NULL ctx->conn\nmptcp socket:\n\nBUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0\nCall Trace:\n tcp_data_ready+0xf8/0x370\n [..]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47593",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: never allow the PM to close a listener subflow\n\nCurrently, when deleting an endpoint the netlink PM traverses\nall the local MPTCP sockets, regardless of their status.\n\nIf an MPTCP listener socket is bound to the IP matching the\ndeleted endpoint, the listener TCP socket will be closed.\nThat is unexpected, the PM should only affect data subflows.\n\nAdditionally, syzbot was able to trigger a NULL ptr dereference\ndue to the above:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nCPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897\nCode: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff\nRSP: 0018:ffffc90001f2f818 EFLAGS: 00010016\nRAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000\nRDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000\nR13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001\nFS:  00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0\nCall Trace:\n <TASK>\n lock_acquire kernel/locking/lockdep.c:5637 [inline]\n lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162\n finish_wait+0xc0/0x270 kernel/sched/wait.c:400\n inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]\n inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497\n mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865\n inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739\n mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345\n do_accept+0x382/0x510 net/socket.c:1773\n __sys_accept4_file+0x7e/0xe0 net/socket.c:1816\n __sys_accept4+0xb0/0x100 net/socket.c:1846\n __do_sys_accept net/socket.c:1864 [inline]\n __se_sys_accept net/socket.c:1861 [inline]\n __x64_sys_accept+0x71/0xb0 net/socket.c:1861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f177cd8b8e9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c\nR13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000\n </TASK>\n\nFix the issue by explicitly skipping MPTCP sockets in TCP_LISTEN\nstatus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47594",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_ets: don't remove idle classes from the round-robin list\n\nShuang reported that the following script:\n\n 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7\n 2) mausezahn ddd0  -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &\n 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3\n\ncrashes systematically when line 2) is commented:\n\n list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100)\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:47!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47\n Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe\n RSP: 0018:ffffae46807a3888 EFLAGS: 00010246\n RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202\n RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff\n RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff\n R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800\n R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400\n FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0\n Call Trace:\n  <TASK>\n  ets_qdisc_change+0x58b/0xa70 [sch_ets]\n  tc_modify_qdisc+0x323/0x880\n  rtnetlink_rcv_msg+0x169/0x4a0\n  netlink_rcv_skb+0x50/0x100\n  netlink_unicast+0x1a5/0x280\n  netlink_sendmsg+0x257/0x4d0\n  sock_sendmsg+0x5b/0x60\n  ____sys_sendmsg+0x1f2/0x260\n  ___sys_sendmsg+0x7c/0xc0\n  __sys_sendmsg+0x57/0xa0\n  do_syscall_64+0x3a/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7efdc8031338\n Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55\n RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338\n RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940\n R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001\n R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000\n  </TASK>\n Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]\n ---[ end trace f35878d1912655c2 ]---\n RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47\n Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe\n RSP: 0018:ffffae46807a3888 EFLAGS: 00010246\n RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202\n RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff\n RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff\n R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800\n R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400\n FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47595",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15.11"
        },
        {
          "id": "CVE-2021-47596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix use-after-free bug in hclgevf_send_mbx_msg\n\nCurrently, the hns3_remove function first uninstalls the client instance,\nand then uninstalls the acceleration engine device. The netdevice is freed in\nthe client instance uninstall process, but the acceleration engine device uninstall\nprocess still uses it to trace runtime information. This causes a use after\nfree problem.\n\nSo fix it by checking the instance register state to avoid the use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47596",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: fix kernel-infoleak for UDP sockets\n\nKMSAN reported a kernel-infoleak [1], that can be exploited\nby unprivileged users.\n\nAfter analysis it turned out UDP was not initializing\nr->idiag_expires. Other users of inet_sk_diag_fill()\nmight make the same mistake in the future, so fix this\nin inet_sk_diag_fill().\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:156 [inline]\n _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n copy_to_iter include/linux/uio.h:155 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]\n netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974\n sock_recvmsg_nosec net/socket.c:944 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n sock_read_iter+0x5a9/0x630 net/socket.c:1035\n call_read_iter include/linux/fs.h:2156 [inline]\n new_sync_read fs/read_write.c:400 [inline]\n vfs_read+0x1631/0x1980 fs/read_write.c:481\n ksys_read+0x28c/0x520 fs/read_write.c:619\n __do_sys_read fs/read_write.c:629 [inline]\n __se_sys_read fs/read_write.c:627 [inline]\n __x64_sys_read+0xdb/0x120 fs/read_write.c:627\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245\n __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg net/socket.c:724 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1057\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x63f/0xe30 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBytes 68-71 of 312 are uninitialized\nMemory access of size 312 starts at ffff88812ab54000\nData copied to user address 0000000020001440\n\nCPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47597",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: do not call cake_destroy() from cake_init()\n\nqdiscs are not supposed to call their own destroy() method\nfrom init(), because core stack already does that.\n\nsyzbot was able to trigger use after free:\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nModules linked in:\nCPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]\nRIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nCode: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8\nRSP: 0018:ffffc9000627f290 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44\nRBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000\nFS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810\n tcf_block_put_ext net/sched/cls_api.c:1381 [inline]\n tcf_block_put_ext net/sched/cls_api.c:1376 [inline]\n tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394\n cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695\n qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293\n tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f1bb06badb9\nCode: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.\nRSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688\nR13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47598",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G        W  O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n   btrfs_show_devname+0x108/0x1b4 [btrfs]\n   show_mountinfo+0x234/0x2c4\n   m_show+0x28/0x34\n   seq_read_iter+0x12c/0x3c4\n   vfs_read+0x29c/0x2c8\n   ksys_read+0x80/0xec\n   __arm64_sys_read+0x28/0x34\n   invoke_syscall+0x50/0xf8\n   do_el0_svc+0x88/0x138\n   el0_svc+0x2c/0x8c\n   el0t_64_sync_handler+0x84/0xe4\n   el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand finds none, leading to the warning as above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts; the pointer will always be valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47599",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm btree remove: fix use after free in rebalance_children()\n\nMove dm_tm_unlock() after dm_tm_dec().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47600",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix an IS_ERR() vs NULL bug\n\nThe __get_free_pages() function does not return error pointers; it returns\nNULL, so fix this condition to avoid a NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47601",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: track only QoS data frames for admission control\n\nFor admission control, obviously all of that only works for\nQoS data frames, otherwise we cannot even access the QoS\nfield in the header.\n\nSyzbot reported (see below) an uninitialized value here due\nto a status of a non-QoS nullfunc packet, which isn't even\nlong enough to contain the QoS header.\n\nFix this to only do anything for QoS data packets.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47602",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: improve robustness of the audit queue handling\n\nIf the audit daemon were ever to get stuck in a stopped state the\nkernel's kauditd_thread() could get blocked attempting to send audit\nrecords to the userspace audit daemon.  With the kernel thread\nblocked it is possible that the audit queue could grow unbounded as\ncertain audit record generating events must be exempt from the queue\nlimits else the system enters a deadlock state.\n\nThis patch resolves this problem by lowering the kernel thread's\nsocket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks\nthe kauditd_send_queue() function to better manage the various audit\nqueues when connection problems occur between the kernel and the\naudit daemon.  With this patch, the backlog may temporarily grow\nbeyond the defined limits when the audit daemon is stopped and the\nsystem is under heavy audit pressure, but kauditd_thread() will\ncontinue to make progress and drain the queues as it would for other\nconnection problems.  For example, with the audit daemon put into a\nstopped state and the system configured to audit every syscall it\nwas still possible to shut down the system without a kernel panic,\ndeadlock, etc.; granted, the system was slow to shut down but that is\nto be expected given the extreme pressure of recording every syscall.\n\nThe timeout value of HZ/10 was chosen primarily through\nexperimentation and this developer's \"gut feeling\".  There is likely\nno one perfect value, but as this scenario is limited in scope (root\nprivileges would be needed to send SIGSTOP to the audit daemon), it\nis likely not worth exposing this as a tunable at present.  This can\nalways be done at a later date if it proves necessary.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47603",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: check that offset is within bounds in get_config()\n\nThis condition checks \"len\" but it does not check \"offset\" and that\ncould result in an out of bounds read if \"offset > dev->config_size\".\nThe problem is that since both variables are unsigned the\n\"dev->config_size - offset\" subtraction would result in a very high\nunsigned value.\n\nI think these checks might not be necessary because \"len\" and \"offset\"\nare supposed to already have been validated using the\nvhost_vdpa_config_validate() function.  But I do not know the code\nperfectly, and I like to be safe.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47604",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: fix memory corruption in vduse_dev_ioctl()\n\nThe \"config.offset\" comes from the user.  There needs to be a check to\nprevent it being out of bounds.  The \"config.offset\" and\n\"dev->config_size\" variables are both type u32.  So if the offset is\nout of bounds then the \"dev->config_size - config.offset\" subtraction\nresults in a very high u32 value.  The out of bounds offset can result\nin memory corruption.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47605",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netlink: af_netlink: Prevent empty skb by adding a check on len.\n\nAdding a check on the len parameter to avoid an empty skb. This prevents a\ndivision error in the netem_enqueue function which is caused when skb->len=0\nand skb->data_len=0 in the randomized corruption step as shown below.\n\nskb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8);\n\nCrash Report:\n[  343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family\n0 port 6081 - 0\n[  343.216110] netem: version 1.3\n[  343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[  343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+\n[  343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS 1.11.0-2.el7 04/01/2014\n[  343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem]\n[  343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff\nff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f\n74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03\n[  343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246\n[  343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX:\n0000000000000000\n[  343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI:\nffff88800f8eda40\n[  343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09:\nffffffff94fb8445\n[  343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12:\n0000000000000000\n[  343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15:\n0000000000000020\n[  343.247291] FS:  00007fdde2bd7700(0000) GS:ffff888109780000(0000)\nknlGS:0000000000000000\n[  343.248350] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4:\n00000000000006e0\n[  343.250076] Call Trace:\n[  343.250423]  <TASK>\n[  343.250713]  ? memcpy+0x4d/0x60\n[  343.251162]  ? netem_init+0xa0/0xa0 [sch_netem]\n[  343.251795]  ? __sanitizer_cov_trace_pc+0x21/0x60\n[  343.252443]  netem_enqueue+0xe28/0x33c0 [sch_netem]\n[  343.253102]  ? stack_trace_save+0x87/0xb0\n[  343.253655]  ? filter_irq_stacks+0xb0/0xb0\n[  343.254220]  ? netem_init+0xa0/0xa0 [sch_netem]\n[  343.254837]  ? __kasan_check_write+0x14/0x20\n[  343.255418]  ? _raw_spin_lock+0x88/0xd6\n[  343.255953]  dev_qdisc_enqueue+0x50/0x180\n[  343.256508]  __dev_queue_xmit+0x1a7e/0x3090\n[  343.257083]  ? netdev_core_pick_tx+0x300/0x300\n[  343.257690]  ? check_kcov_mode+0x10/0x40\n[  343.258219]  ? _raw_spin_unlock_irqrestore+0x29/0x40\n[  343.258899]  ? __kasan_init_slab_obj+0x24/0x30\n[  343.259529]  ? setup_object.isra.71+0x23/0x90\n[  343.260121]  ? new_slab+0x26e/0x4b0\n[  343.260609]  ? kasan_poison+0x3a/0x50\n[  343.261118]  ? kasan_unpoison+0x28/0x50\n[  343.261637]  ? __kasan_slab_alloc+0x71/0x90\n[  343.262214]  ? memcpy+0x4d/0x60\n[  343.262674]  ? write_comp_data+0x2f/0x90\n[  343.263209]  ? __kasan_check_write+0x14/0x20\n[  343.263802]  ? __skb_clone+0x5d6/0x840\n[  343.264329]  ? __sanitizer_cov_trace_pc+0x21/0x60\n[  343.264958]  dev_queue_xmit+0x1c/0x20\n[  343.265470]  netlink_deliver_tap+0x652/0x9c0\n[  343.266067]  netlink_unicast+0x5a0/0x7f0\n[  343.266608]  ? netlink_attachskb+0x860/0x860\n[  343.267183]  ? __sanitizer_cov_trace_pc+0x21/0x60\n[  343.267820]  ? write_comp_data+0x2f/0x90\n[  343.268367]  netlink_sendmsg+0x922/0xe80\n[  343.268899]  ? netlink_unicast+0x7f0/0x7f0\n[  343.269472]  ? __sanitizer_cov_trace_pc+0x21/0x60\n[  343.270099]  ? write_comp_data+0x2f/0x90\n[  343.270644]  ? netlink_unicast+0x7f0/0x7f0\n[  343.271210]  sock_sendmsg+0x155/0x190\n[  343.271721]  ____sys_sendmsg+0x75f/0x8f0\n[  343.272262]  ? kernel_sendmsg+0x60/0x60\n[  343.272788]  ? write_comp_data+0x2f/0x90\n[  343.273332]  ? write_comp_data+0x2f/0x90\n[  343.273869]  ___sys_sendmsg+0x10f/0x190\n[  343.274405]  ? sendmsg_copy_msghdr+0x80/0x80\n[  343.274984]  ? slab_post_alloc_hook+0x70/0x230\n[  343.275597]  ? futex_wait_setup+0x240/0x240\n[  343.276175]  ? security_file_alloc+0x3e/0x170\n[  343.276779]  ? write_comp_d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47606",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg\n\nThe implementation of BPF_CMPXCHG on a high level has the following parameters:\n\n  .-[old-val]                                          .-[new-val]\n  BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)\n                          `-[mem-loc]          `-[old-val]\n\nGiven a BPF insn can only have two registers (dst, src), the R0 is fixed and\nused as an auxiliary register for input (old value) as well as output (returning\nold value from memory location). While the verifier performs a number of safety\nchecks, it fails to reject unprivileged programs where R0 contains a pointer as\nold value.\n\nThrough brute-forcing it takes about ~16sec on my machine to leak a kernel pointer\nwith BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the\nguessed address into the map slot as a scalar, and using the map value pointer as\nR0 while SRC_REG has a canary value to detect a matching address.\n\nFix it by checking R0 for pointers, and reject if that's the case for unprivileged\nprograms.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47607",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kernel address leakage in atomic fetch\n\nThe change in commit 37086bfdc737 (\"bpf: Propagate stack bounds to registers\nin atomics w/ BPF_FETCH\") around check_mem_access() handling is buggy since\nthis would allow for unprivileged users to leak kernel pointers. For example,\nan atomic fetch/and with -1 on a stack destination which holds a spilled\npointer will migrate the spilled register type into a scalar, which can then\nbe exported out of the program (since scalar != pointer) by dumping it into\na map value.\n\nThe original implementation of XADD was preventing this situation by using\na double call to check_mem_access(), one with BPF_READ and a subsequent one\nwith BPF_WRITE, in both cases passing -1 as a placeholder value instead of a\nregister as per XADD semantics since it didn't contain a value fetch. The\nBPF_READ also included a check in check_stack_read_fixed_off() which rejects\nthe program if the stack slot is of __is_pointer_value() if dst_regno < 0.\nThe latter is to distinguish whether we're dealing with a regular stack spill/\nfill or some arithmetical operation which is disallowed on non-scalars, see\nalso 6e7e63cbb023 (\"bpf: Forbid XADD on spilled pointers for unprivileged\nusers\") for more context on check_mem_access() and its handling of placeholder\nvalue -1.\n\nOne minimally intrusive option to fix the leak is for the BPF_FETCH case to\ninitially check the BPF_READ case via check_mem_access() with -1 as register,\nfollowed by the actual load case with non-negative load_reg to propagate\nstack bounds to registers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47608",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scpi: Fix string overflow in SCPI genpd driver\n\nWithout bounds checks for scpi_pd->name, it could result in a buffer\noverflow when copying the SCPI device name from the corresponding device\ntree node, as the name string is set at a maximum size of 30.\n\nLet us fix it by using devm_kasprintf so that the string buffer is\nallocated dynamically.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47609",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix null ptr access msm_ioctl_gem_submit()\n\nFix the below null pointer dereference in msm_ioctl_gem_submit():\n\n 26545.260705:   Call trace:\n 26545.263223:    kref_put+0x1c/0x60\n 26545.266452:    msm_ioctl_gem_submit+0x254/0x744\n 26545.270937:    drm_ioctl_kernel+0xa8/0x124\n 26545.274976:    drm_ioctl+0x21c/0x33c\n 26545.278478:    drm_compat_ioctl+0xdc/0xf0\n 26545.282428:    __arm64_compat_sys_ioctl+0xc8/0x100\n 26545.287169:    el0_svc_common+0xf8/0x250\n 26545.291025:    do_el0_svc_compat+0x28/0x54\n 26545.295066:    el0_svc_compat+0x10/0x1c\n 26545.298838:    el0_sync_compat_handler+0xa8/0xcc\n 26545.303403:    el0_sync_compat+0x188/0x1c0\n 26545.307445:   Code: d503201f d503201f 52800028 4b0803e8 (b8680008)\n 26545.318799:   Kernel panic - not syncing: Oops: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47610",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: validate extended element ID is present\n\nBefore attempting to parse an extended element, verify that\nthe extended element ID is present.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47611",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix segfault in nfc_genl_dump_devices_done\n\nWhen kmalloc in nfc_genl_dump_devices() fails then\nnfc_genl_dump_devices_done() segfaults as below\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:klist_iter_exit+0x26/0x80\nCall Trace:\n<TASK>\nclass_dev_iter_exit+0x15/0x20\nnfc_genl_dump_devices_done+0x3b/0x50\ngenl_lock_done+0x84/0xd0\nnetlink_sock_destruct+0x8f/0x270\n__sk_destruct+0x64/0x3b0\nsk_destruct+0xa8/0xd0\n__sk_free+0x2e8/0x3d0\nsk_free+0x51/0x90\nnetlink_sock_destruct_work+0x1c/0x20\nprocess_one_work+0x411/0x710\nworker_thread+0x6fd/0xa80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47612",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: fix completion handling\n\nThe driver currently assumes that the notify callback is only received\nwhen the device is done with all the queued buffers.\n\nHowever, this is not true, since the notify callback could be called\nwithout any of the queued buffers being completed (for example, with\nvirtio-pci and shared interrupts) or with only some of the buffers being\ncompleted (since the driver makes them available to the device in\nmultiple separate virtqueue_add_sgs() calls).\n\nThis can lead to incorrect data on the I2C bus or memory corruption in\nthe guest if the device operates on buffers which have been freed by\nthe driver.  (The WARN_ON in the driver is also triggered.)\n\n BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten\n First byte 0x0 instead of 0x6b\n Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28\n \tmemdup_user+0x2e/0xbd\n \ti2cdev_ioctl_rdwr+0x9d/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28\n \tkfree+0x1bd/0x1cc\n \ti2cdev_ioctl_rdwr+0x1bb/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nFix this by calling virtio_get_buf() from the notify handler like other\nvirtio drivers and by actually waiting for all the buffers to be\ncompleted.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47613",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix a use-after-free in add_pble_prm\n\nWhen irdma_hmc_sd_one fails, 'chunk' is freed while it's still on the PBLE\ninfo list.\n\nAdd the chunk entry to the PBLE info list only after successful setting of\nthe SD in irdma_hmc_sd_one.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47614",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: Fix use-after-free in rxe_queue_cleanup\n\nOn the error handling path in rxe_qp_from_init() qp->sq.queue is freed and\nthen rxe_create_qp() will drop the last reference to this object. The qp cleanup\nfunction will then try to free this queue one more time, which causes a UAF bug.\n\nFix it by zeroing the queue pointer after freeing the queue in rxe_qp_from_init().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47616",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2021-47617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pciehp: Fix infinite loop in IRQ handler upon power fault\n\nThe Power Fault Detected bit in the Slot Status register differs from\nall other hotplug events in that it is sticky:  It can only be cleared\nafter turning off slot power.  Per PCIe r5.0, sec. 6.7.1.8:\n\n  If a power controller detects a main power fault on the hot-plug slot,\n  it must automatically set its internal main power fault latch [...].\n  The main power fault latch is cleared when software turns off power to\n  the hot-plug slot.\n\nThe stickiness used to cause interrupt storms and infinite loops which\nwere fixed in 2009 by commits 5651c48cfafe (\"PCI pciehp: fix power fault\ninterrupt storm problem\") and 99f0169c17f3 (\"PCI: pciehp: enable\nsoftware notification on empty slots\").\n\nUnfortunately in 2020 the infinite loop issue was inadvertently\nreintroduced by commit 8edf5332c393 (\"PCI: pciehp: Fix MSI interrupt\nrace\"):  The hardirq handler pciehp_isr() clears the PFD bit until\npciehp's power_fault_detected flag is set.  That happens in the IRQ\nthread pciehp_ist(), which never learns of the event because the hardirq\nhandler is stuck in an infinite loop.  Fix by setting the\npower_fault_detected flag already in the hardirq handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47617",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. Some instructions may be simulated by constructing\nassembly functions. Therefore, before executing instruction\nsimulation, it is necessary to construct the assembly function\nexecution environment in C language through binding registers.\nAfter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing a kernel panic.\n\nThe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nFor example, use kprobe insert on cap_capable+20 after kasan is\nenabled; the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108    ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144]  ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108]  ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60     ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcmp\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64     ; 0x40\n......\n\nWhen running in emulate_ldr to simulate the ldr instruction, a panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47618",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix queues reservation for XDP\n\nWhen XDP was configured on a system with a large number of CPUs\nand an X722 NIC there was a call trace with a NULL pointer dereference.\n\ni40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12\ni40e 0000:87:00.0: setup of MAIN VSI failed\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]\nCall Trace:\n? i40e_reconfig_rss_queues+0x130/0x130 [i40e]\ndev_xdp_install+0x61/0xe0\ndev_xdp_attach+0x18a/0x4c0\ndev_change_xdp_fd+0x1e6/0x220\ndo_setlink+0x616/0x1030\n? ahci_port_stop+0x80/0x80\n? ata_qc_issue+0x107/0x1e0\n? lock_timer_base+0x61/0x80\n? __mod_timer+0x202/0x380\nrtnl_setlink+0xe5/0x170\n? bpf_lsm_binder_transaction+0x10/0x10\n? security_capable+0x36/0x50\nrtnetlink_rcv_msg+0x121/0x350\n? rtnl_calcit.isra.0+0x100/0x100\nnetlink_rcv_skb+0x50/0xf0\nnetlink_unicast+0x1d3/0x2a0\nnetlink_sendmsg+0x22a/0x440\nsock_sendmsg+0x5e/0x60\n__sys_sendto+0xf0/0x160\n? __sys_getsockname+0x7e/0xc0\n? _copy_from_user+0x3c/0x80\n? __sys_setsockopt+0xc8/0x1a0\n__x64_sys_sendto+0x20/0x30\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f83fa7a39e0\n\nThis was caused by PF queue pile fragmentation due to the\nflow director VSI queue being placed right after the main VSI.\nBecause of this, the main VSI was not able to resize its\nqueue allocation for XDP, resulting in no queues allocated\nfor the main VSI when XDP was turned on.\n\nFix this by always allocating the last queue in the PF queue pile\nfor a flow director VSI.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47619",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: refactor malicious adv data check\n\nThe check for out-of-bounds reads was being performed at the end of the while\nnum_reports loop, and would fill the journal with false positives. Added the\ncheck to the beginning of loop processing so that it doesn't get checked\nafter ptr has been advanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47620",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.5"
        },
        {
          "id": "CVE-2021-47622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: Fix a deadlock in the error handler\n\nThe following deadlock has been observed on a test setup:\n\n - All tags allocated\n\n - The SCSI error handler calls ufshcd_eh_host_reset_handler()\n\n - ufshcd_eh_host_reset_handler() queues work that calls\n   ufshcd_err_handler()\n\n - ufshcd_err_handler() locks up as follows:\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt\nCall trace:\n __switch_to+0x298/0x5d8\n __schedule+0x6cc/0xa94\n schedule+0x12c/0x298\n blk_mq_get_tag+0x210/0x480\n __blk_mq_alloc_request+0x1c8/0x284\n blk_get_request+0x74/0x134\n ufshcd_exec_dev_cmd+0x68/0x640\n ufshcd_verify_dev_init+0x68/0x35c\n ufshcd_probe_hba+0x12c/0x1cb8\n ufshcd_host_reset_and_restore+0x88/0x254\n ufshcd_reset_and_restore+0xd0/0x354\n ufshcd_err_handler+0x408/0xc58\n process_one_work+0x24c/0x66c\n worker_thread+0x3e8/0xa4c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nFix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved\nrequest.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47622",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fixmap: Fix VM debug warning on unmap\n\nUnmapping a fixmap entry is done by calling __set_fixmap()\nwith FIXMAP_PAGE_CLEAR as flags.\n\nToday, powerpc __set_fixmap() calls map_kernel_page().\n\nmap_kernel_page() is not happy when called a second time\nfor the same page.\n\n\tWARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8\n\tCPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682\n\tNIP:  c0017cd4 LR: c00187f0 CTR: 00000010\n\tREGS: e1011d50 TRAP: 0700   Not tainted  (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty)\n\tMSR:  00029032 <EE,ME,IR,DR,RI>  CR: 42000208  XER: 00000000\n\n\tGPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c\n\tGPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000\n\tGPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n\tGPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000\n\tNIP [c0017cd4] set_pte_at+0xc/0x1e8\n\tLR [c00187f0] map_kernel_page+0x9c/0x100\n\tCall Trace:\n\t[e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable)\n\t[e1011e30] [c0165fec] __set_fixmap+0x30/0x44\n\t[e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170\n\t[e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0\n\t[e1011e90] [c0c03634] do_one_initcall+0x80/0x178\n\t[e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250\n\t[e1011f20] [c0007e34] kernel_init+0x24/0x140\n\t[e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64\n\tInstruction dump:\n\t7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010\n\t4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030\n\nImplement unmap_kernel_page() which clears an existing pte.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47623",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change\n\nThe refcount leak issues take place in an error handling path. When the\n3rd argument buf doesn't match with \"offline\", \"online\" or \"remove\", the\nfunction simply returns -EINVAL and forgets to decrease the reference\ncount of a rpc_xprt object and a rpc_xprt_switch object increased by\nrpc_sysfs_xprt_kobj_get_xprt() and\nrpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of\nboth unused objects.\n\nFix this issue by jumping to the error handling path labelled with\nout_put when buf matches none of \"offline\", \"online\" or \"remove\".",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47624",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: davinci: da850-evm: Avoid NULL pointer dereference\n\nWith newer versions of GCC, there is a panic in da850_evm_config_emac()\nwhen booting multi_v5_defconfig in QEMU under the palmetto-bmc machine:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000020\npgd = (ptrval)\n[00000020] *pgd=00000000\nInternal error: Oops: 5 [#1] PREEMPT ARM\nModules linked in:\nCPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1\nHardware name: Generic DT based system\nPC is at da850_evm_config_emac+0x1c/0x120\nLR is at do_one_initcall+0x50/0x1e0\n\nThe emac_pdata pointer in soc_info is NULL because davinci_soc_info only\ngets populated on davinci machines but da850_evm_config_emac() is called\non all machines via device_initcall().\n\nMove the rmii_en assignment below the machine check so that it is only\ndereferenced when running on a supported SoC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47631",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/set_memory: Avoid spinlock recursion in change_page_attr()\n\nCommit 1f9ad21c3b38 (\"powerpc/mm: Implement set_memory() routines\")\nincluded a spin_lock() to change_page_attr() in order to\nsafely perform the three step operations. But then\ncommit 9f7853d7609d (\"powerpc/mm: Fix set_memory_*() against\nconcurrent accesses\") modified it to use pte_update() and do\nthe operation safely against concurrent access.\n\nIn the meantime, Maxime reported some spinlock recursion.\n\n[   15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217\n[   15.357540]  lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0\n[   15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523\n[   15.373350] Workqueue: events do_free_init\n[   15.377615] Call Trace:\n[   15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable)\n[   15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4\n[   15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310\n[   15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0\n[   15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8\n[   15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94\n[   15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310\n[   15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134\n[   15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8\n[   15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c\n[   15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8\n[   15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94\n[   15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8\n[   15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8\n[   15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210\n[   15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c\n\nRemove the read / modify / write sequence to make the operation atomic\nand remove the spin_lock() in change_page_attr().\n\nTo do the operation atomically, we can't use pte modification helpers\nanymore. Because all platforms have different combinations of bits, it\nis not easy to use those bits directly. But all have the\n_PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need is to compare\ntwo sets to know which bits are set or cleared.\n\nFor instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you\nknow which bit gets cleared and which bit gets set when changing exec\npermission.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47632",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111\n\nThe bug was found during fuzzing. The stacktrace locates it in\nath5k_eeprom_convert_pcal_info_5111.\nWhen none of the curves is selected in the loop, idx can go\nup to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bounds.\npd = &chinfo[pier].pd_curves[idx];\n\nThere are many OOB writes using pd later in the code. So I\nadded a sanity check for idx. Checks for other loops involving\nAR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not\nused outside the loops.\n\nThe patch is NOT tested with a real device.\n\nThe following is the fuzzing report\n\nBUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\nWrite of size 1 at addr ffff8880174a4d60 by task modprobe/214\n\nCPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1\nCall Trace:\n dump_stack+0x76/0xa0\n print_address_description.constprop.0+0x16/0x200\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n __kasan_report.cold+0x37/0x7c\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n kasan_report+0xe/0x20\n ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]\n ath5k_eeprom_init+0x2513/0x6290 [ath5k]\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? usleep_range+0xb8/0x100\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]\n ath5k_hw_init+0xb60/0x1970 [ath5k]\n ath5k_init_ah+0x6fe/0x2530 [ath5k]\n ? kasprintf+0xa6/0xe0\n ? ath5k_stop+0x140/0x140 [ath5k]\n ? _dev_notice+0xf6/0xf6\n ? apic_timer_interrupt+0xa/0x20\n ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n ? mutex_lock+0x89/0xd0\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n local_pci_probe+0xd3/0x160\n pci_device_probe+0x23f/0x3e0\n ? pci_device_remove+0x280/0x280\n ? pci_device_remove+0x280/0x280\n really_probe+0x209/0x5d0",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47633",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n  klist_dec_and_del+0xa7/0x4a0\n  klist_put+0xc7/0x1a0\n  device_del+0x4d4/0xed0\n  cdev_device_del+0x1a/0x80\n  ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n  ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n  device_add+0x60a/0x18b0\n  cdev_device_add+0x103/0x170\n  ubi_create_volume+0x1118/0x1a10 [ubi]\n  ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n  cdev_device_del+0x1a/0x80\n  ubi_remove_volume+0x438/0x6c0 [ubi]\n  ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n   ubi_add_volume\n   // sysfs exist\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n     cdev_del\n     // double free\n   cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n  ubi_debugfs_init_dev\n  //error goto out_uif;\n  uif_close\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n    // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 makes the device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show. This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counts are released.\nThe key process is shown in the following stack.\n\ndevice_del\n  device_remove_attrs\n    device_remove_groups\n      sysfs_remove_groups\n        sysfs_remove_group\n          remove_files\n            kernfs_remove_by_name\n              kernfs_remove_by_name_ns\n                __kernfs_remove\n                  kernfs_drain",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47634",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix to add refcount once page is set private\n\nMM defined the rule [1] very clearly that once a page was set with the PG_private\nflag, we should increment the refcount of that page; also main flows like\npageout(), migrate_page() will assume there is one additional page\nreference count if page_has_private() returns true. Otherwise, we may\nget a BUG in page migration:\n\n  page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8\n  index:0xe2 pfn:0x14c12\n  aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:\"f30e\"\n  flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|\n  zone=1|lastcpupid=0x1fffff)\n  page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)\n  ------------[ cut here ]------------\n  kernel BUG at include/linux/page_ref.h:184!\n  invalid opcode: 0000 [#1] SMP\n  CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5\n  RIP: 0010:migrate_page_move_mapping+0xac3/0xe70\n  Call Trace:\n    ubifs_migrate_page+0x22/0xc0 [ubifs]\n    move_to_new_page+0xb4/0x600\n    migrate_pages+0x1523/0x1cc0\n    compact_zone+0x8c5/0x14b0\n    kcompactd+0x2bc/0x560\n    kthread+0x18c/0x1e0\n    ret_from_fork+0x1f/0x30\n\nBefore that, we should make clear a concept: what refcount means\nin a page gotten from grab_cache_page_write_begin(). There are 2 situations:\nSituation 1: refcount is 3, page is created by __page_cache_alloc.\n  TYPE_A - the write process is using this page\n  TYPE_B - page is assigned to one certain mapping by calling\n\t   __add_to_page_cache_locked()\n  TYPE_C - page is added into the pagevec list corresponding to the current cpu by\n\t   calling lru_cache_add()\nSituation 2: refcount is 2, page is gotten from the mapping's tree\n  TYPE_B - page has been assigned to one certain mapping\n  TYPE_A - the write process is using this page (by calling\n\t   page_cache_get_speculative())\nThe filesystem releases one refcount by calling put_page() in xxx_write_end();\nthe released refcount corresponds to TYPE_A (write task is using it). If\nthere are any processes using a page, the page migration process will skip the\npage by judging whether expected_page_refs() equals the page refcount.\n\nThe BUG is caused by the following process:\n    PA(cpu 0)                           kcompactd(cpu 1)\n\t\t\t\tcompact_zone\nubifs_write_begin\n  page_a = grab_cache_page_write_begin\n    add_to_page_cache_lru\n      lru_cache_add\n        pagevec_add // put page into cpu 0's pagevec\n  (refcnt = 3, for page creation process)\nubifs_write_end\n  SetPagePrivate(page_a) // doesn't increase page count !\n  unlock_page(page_a)\n  put_page(page_a)  // refcnt = 2\n\t\t\t\t[...]\n\n    PB(cpu 0)\nfilemap_read\n  filemap_get_pages\n    add_to_page_cache_lru\n      lru_cache_add\n        __pagevec_lru_add // traverse all pages in cpu 0's pagevec\n\t  __pagevec_lru_add_fn\n\t    SetPageLRU(page_a)\n\t\t\t\tisolate_migratepages\n                                  isolate_migratepages_block\n\t\t\t\t    get_page_unless_zero(page_a)\n\t\t\t\t    // refcnt = 3\n                                      list_add(page_a, from_list)\n\t\t\t\tmigrate_pages(from_list)\n\t\t\t\t  __unmap_and_move\n\t\t\t\t    move_to_new_page\n\t\t\t\t      ubifs_migrate_page(page_a)\n\t\t\t\t        migrate_page_move_mapping\n\t\t\t\t\t  expected_page_refs get 3\n                                  (migration[1] + mapping[1] + private[1])\n\t release_pages\n\t   put_page_testzero(page_a) // refcnt = 3\n                                          page_ref_freeze  // refcnt = 0\n\t     page_ref_dec_and_test(0 - 1 = -1)\n                                          page_ref_unfreeze\n                                            VM_BUG_ON_PAGE(-1 != 0, page)\n\nUBIFS doesn't increase the page refcount after setting the private flag, which\nleads the page migration task to believe the page is not used by any other\nprocesses, so the page is migrated. This causes concurrent access to the\npage refcount between put_page() called by another process (e.g. a read process\ncalling lru_cache_add) and page_ref_unfreeze() called by mi\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47635",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in the\nfollowing process:\n\nubifs_wbuf_write_nolock():\n  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096\n  if (aligned_len <= wbuf->avail) ... // Not satisfied\n  if (wbuf->used) {\n    ubifs_leb_write()  // Fill some data in avail wbuf\n    len -= wbuf->avail;   // len is still not 8-bytes aligned\n    aligned_len -= wbuf->avail;\n  }\n  n = aligned_len >> c->max_write_shift;\n  if (n) {\n    n <<= c->max_write_shift;\n    err = ubifs_leb_write(c, wbuf->lnum, buf + written,\n                          wbuf->offs, n);\n    // n > len, read out of bounds less than 8(n-len) bytes\n  }\n\n, which can be caught by KASAN:\n  =========================================================\n  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n  Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n  Call Trace:\n    kasan_report.cold+0x81/0x165\n    nand_write_page_swecc+0xa9/0x160\n    ubifs_leb_write+0xf2/0x1b0 [ubifs]\n    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n    write_head+0xdc/0x1c0 [ubifs]\n    ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n    wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned; the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', e.g. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write the leb safely.\n\nFetch a reproducer in [Link].",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47636",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix deadlock in concurrent rename whiteout and inode writeback\n\nThe following hung tasks:\n[   77.028764] task:kworker/u8:4    state:D stack:    0 pid:  132\n[   77.028820] Call Trace:\n[   77.029027]  schedule+0x8c/0x1b0\n[   77.029067]  mutex_lock+0x50/0x60\n[   77.029074]  ubifs_write_inode+0x68/0x1f0 [ubifs]\n[   77.029117]  __writeback_single_inode+0x43c/0x570\n[   77.029128]  writeback_sb_inodes+0x259/0x740\n[   77.029148]  wb_writeback+0x107/0x4d0\n[   77.029163]  wb_workfn+0x162/0x7b0\n\n[   92.390442] task:aa              state:D stack:    0 pid: 1506\n[   92.390448] Call Trace:\n[   92.390458]  schedule+0x8c/0x1b0\n[   92.390461]  wb_wait_for_completion+0x82/0xd0\n[   92.390469]  __writeback_inodes_sb_nr+0xb2/0x110\n[   92.390472]  writeback_inodes_sb_nr+0x14/0x20\n[   92.390476]  ubifs_budget_space+0x705/0xdd0 [ubifs]\n[   92.390503]  do_rename.cold+0x7f/0x187 [ubifs]\n[   92.390549]  ubifs_rename+0x8b/0x180 [ubifs]\n[   92.390571]  vfs_rename+0xdb2/0x1170\n[   92.390580]  do_renameat2+0x554/0x770\n\n, are caused by concurrent rename whiteout and inode writeback processes:\n\trename_whiteout(Thread 1)\t        wb_workfn(Thread2)\nubifs_rename\n  do_rename\n    lock_4_inodes (Hold ui_mutex)\n    ubifs_budget_space\n      make_free_space\n        shrink_liability\n\t  __writeback_inodes_sb_nr\n\t    bdi_split_work_to_wbs (Queue new wb work)\n\t\t\t\t\t      wb_do_writeback(wb work)\n\t\t\t\t\t\t__writeback_single_inode\n\t\t\t\t\t          ubifs_write_inode\n\t\t\t\t\t            LOCK(ui_mutex)\n\t\t\t\t\t\t\t   \u2191\n\t      wb_wait_for_completion (Wait wb work) <-- deadlock!\n\nReproducer (Detail program in [Link]):\n  1. SYS_renameat2(\"/mp/dir/file\", \"/mp/dir/whiteout\", RENAME_WHITEOUT)\n  2. Consume all free space before the kernel (mdelay) does the budget for the whiteout\n\nFix it by doing the whiteout space budget before locking ubifs inodes.\nBTW, it also fixes the wrong goto tag 'out_release' in the whiteout budget\nerror handling path (it should at least recover dir i_size and unlock\n4 ubifs inodes).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47637",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: rename_whiteout: Fix double free for whiteout_ui->data\n\n'whiteout_ui->data' will be freed twice if space budget fails for\nrename whiteout operation as following process:\n\nrename_whiteout\n  dev = kmalloc\n  whiteout_ui->data = dev\n  kfree(whiteout_ui->data)  // Free first time\n  iput(whiteout)\n    ubifs_free_inode\n      kfree(ui->data)\t    // Double free!\n\nKASAN reports:\n==================================================================\nBUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70\nCall Trace:\n  kfree+0x117/0x490\n  ubifs_free_inode+0x4f/0x70 [ubifs]\n  i_callback+0x30/0x60\n  rcu_do_batch+0x366/0xac0\n  __do_softirq+0x133/0x57f\n\nAllocated by task 1506:\n  kmem_cache_alloc_trace+0x3c2/0x7a0\n  do_rename+0x9b7/0x1150 [ubifs]\n  ubifs_rename+0x106/0x1f0 [ubifs]\n  do_syscall_64+0x35/0x80\n\nFreed by task 1506:\n  kfree+0x117/0x490\n  do_rename.cold+0x53/0x8a [ubifs]\n  ubifs_rename+0x106/0x1f0 [ubifs]\n  do_syscall_64+0x35/0x80\n\nThe buggy address belongs to the object at ffff88810238bed8 which\nbelongs to the cache kmalloc-8 of size 8\n==================================================================\n\nLet ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused\nassignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()\n-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it\n(because 'inc_nlink(whiteout)' won't be executed by 'goto out_release',\n and the nlink of whiteout inode is 0).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47638",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU\n\nZap both valid and invalid roots when zapping/unmapping a gfn range, as\nKVM must ensure it holds no references to the freed page after returning\nfrom the unmap operation.  Most notably, the TDP MMU doesn't zap invalid\nroots in mmu_notifier callbacks.  This leads to use-after-free and other\nissues if the mmu_notifier runs to completion while an invalid root\nzapper yields as KVM fails to honor the requirement that there must be\n_no_ references to the page after the mmu_notifier returns.\n\nThe bug is most easily reproduced by hacking KVM to cause a collision\nbetween set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug\nexists between kvm_mmu_notifier_invalidate_range_start() and memslot\nupdates as well.  Invalidating a root ensures pages aren't accessible by\nthe guest, and KVM won't read or write page data itself, but KVM will\ntrigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing\na zap of an invalid root _after_ the mmu_notifier returns is fatal.\n\n  WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]\n  RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0xa8/0xe0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   __handle_changed_spte+0x2ab/0x5e0 [kvm]\n   zap_gfn_range+0x1f3/0x310 [kvm]\n   kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]\n   kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]\n   set_nx_huge_pages+0xb4/0x190 [kvm]\n   param_attr_store+0x70/0x100\n   module_attr_store+0x19/0x30\n   kernfs_fop_write_iter+0x119/0x1b0\n   new_sync_write+0x11c/0x1b0\n   vfs_write+0x1cc/0x270\n   ksys_write+0x5f/0xe0\n   do_syscall_64+0x38/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47639",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix early region not updated correctly\n\nThe shadow's page table is not updated when PTE_RPN_SHIFT is 24\nand PAGE_SHIFT is 12. It not only causes false positives but\nalso false negatives as shown in the following text.\n\nFix it by bringing the logic of kasan_early_shadow_page_entry here.\n\n1. False Positive:\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50\nWrite of size 16 at addr f57f3be0 by task swapper/0/1\n\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1\nCall Trace:\n[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)\n[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300\n[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200\n[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0\n[c80d1cc0] [c03018a4] memset+0x34/0x90\n[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50\n[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570\n[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0\n[c80d1db0] [c2036580] init_sd+0xc4/0x1d0\n[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c\n[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384\n[c80d1ef0] [c0004b14] kernel_init+0x24/0x170\n[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64\n\nMemory state around the buggy address:\n f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                                               ^\n f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\n\n2. False Negative (with KASAN tests):\n==================================================================\nBefore fix:\n    ok 45 - kmalloc_double_kzfree\n    # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039\n    KASAN failure expected in \"((volatile char *)area)[3100]\", but none occurred\n    not ok 46 - vmalloc_oob\n    not ok 1 - kasan\n\n==================================================================\nAfter fix:\n    ok 1 - kasan",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47640",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: cirrusfb: check pixclock to avoid divide by zero\n\nDo a sanity check on pixclock value to avoid divide by zero.\n\nIf the pixclock value is zero, the cirrusfb driver will round up\npixclock to get the derived frequency as close to maxclock as\npossible.\n\nSyzkaller reported a divide error in cirrusfb_check_pixclock.\n\ndivide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2\nRIP: 0010:cirrusfb_check_var+0x6f1/0x1260\n\nCall Trace:\n fb_set_var+0x398/0xf90\n do_fb_ioctl+0x4b8/0x6f0\n fb_ioctl+0xeb/0x130\n __x64_sys_ioctl+0x19d/0x220\n do_syscall_64+0x3a/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47641",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow\n\nCoverity complains of a possible buffer overflow. However,\ngiven the 'static' scope of nvidia_setup_i2c_bus() it looks\nlike that can't happen after examining the call sites.\n\nCID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)\n1. fixed_size_dest: You might overrun the 48-character fixed-size string\n  chan->adapter.name by copying name without checking the length.\n2. parameter_as_source: Note: This defect has an elevated risk because the\n  source argument is a parameter of the current function.\n 89        strcpy(chan->adapter.name, name);\n\nFix this warning by using strscpy() which will silence the warning and\nprevent any future buffer overflows should the names used to identify the\nchannel become much longer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47642",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: free before error exiting\n\nFix leak in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47643",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging: media: zoran: move videodev alloc\n\nMove some code out of zr36057_init() and create new functions for handling\nzr->video_dev. This permits easier code reading and fixes a zr->video_dev\nmemory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47644",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com\n\nOn the case tmp_dcim=1, the index of buffer is miscalculated.\nThis generates a NULL pointer dereference later.\n\nSo let's fix the calculation and add a check to prevent this from reappearing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47645",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"Revert \"block, bfq: honor already-setup queue merges\"\"\n\nA crash [1] happened to be triggered in conjunction with commit\n2d52c58b9c9b (\"block, bfq: honor already-setup queue merges\"). The\nlatter was then reverted by commit ebc69e897e17 (\"Revert \"block, bfq:\nhonor already-setup queue merges\"\"). Yet, the reverted commit was not\nthe one introducing the bug. In fact, it actually triggered a UAF\nintroduced by a different commit, and now fixed by commit d29bd41428cf\n(\"block, bfq: reset last_bfqq_created on group change\").\n\nSo, there is no point in keeping commit 2d52c58b9c9b (\"block, bfq:\nhonor already-setup queue merges\") out. This commit restores it.\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=214503",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47646",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: ipq8074: fix PCI-E clock oops\n\nFix PCI-E clock related kernel oops that are caused by a missing clock\nparent.\n\npcie0_rchng_clk_src has num_parents set to 2 but only one parent is\nactually set via parent_hws, it should also have \"XO\" defined.\nThis will cause the kernel to panic on a NULL pointer in\nclk_core_get_parent_by_index().\n\nSo, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent\ndata.\nSince there is already an existing static const char * const gcc_xo_gpll0[]\nused to provide the same parents via parent_names convert those users to\nclk_parent_data as well.\n\nWithout this earlycon is needed to even catch the OOPS as it will reset\nthe board before serial is initialized with the following:\n\n[    0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000\n[    0.232322] Mem abort info:\n[    0.239094]   ESR = 0x96000004\n[    0.241778]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.244908]   SET = 0, FnV = 0\n[    0.250377]   EA = 0, S1PTW = 0\n[    0.253236]   FSC = 0x04: level 0 translation fault\n[    0.256277] Data abort info:\n[    0.261141]   ISV = 0, ISS = 0x00000004\n[    0.264262]   CM = 0, WnR = 0\n[    0.267820] [0000a00000000000] address between user and kernel address ranges\n[    0.270954] Internal error: Oops: 96000004 [#1] SMP\n[    0.278067] Modules linked in:\n[    0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0\n[    0.285882] Hardware name: Xiaomi AX3600 (DT)\n[    0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.296299] pc : clk_core_get_parent_by_index+0x68/0xec\n[    0.303067] lr : __clk_register+0x1d8/0x820\n[    0.308273] sp : ffffffc01111b7d0\n[    0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040\n[    0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800\n[    0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828\n[    0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020\n[    0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a\n[    0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006\n[    0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000\n[    0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06\n[    0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001\n[    0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700\n[    0.379982] Call trace:\n[    0.387091]  clk_core_get_parent_by_index+0x68/0xec\n[    0.389351]  __clk_register+0x1d8/0x820\n[    0.394210]  devm_clk_hw_register+0x5c/0xe0\n[    0.398030]  devm_clk_register_regmap+0x44/0x8c\n[    0.402198]  qcom_cc_really_probe+0x17c/0x1d0\n[    0.406711]  qcom_cc_probe+0x34/0x44\n[    0.411224]  gcc_ipq8074_probe+0x18/0x30\n[    0.414869]  platform_probe+0x68/0xe0\n[    0.418776]  really_probe.part.0+0x9c/0x30c\n[    0.422336]  __driver_probe_device+0x98/0x144\n[    0.426329]  driver_probe_device+0x44/0x11c\n[    0.430842]  __device_attach_driver+0xb4/0x120\n[    0.434836]  bus_for_each_drv+0x68/0xb0\n[    0.439349]  __device_attach+0xb0/0x170\n[    0.443081]  device_initial_probe+0x14/0x20\n[    0.446901]  bus_probe_device+0x9c/0xa4\n[    0.451067]  device_add+0x35c/0x834\n[    0.454886]  of_device_add+0x54/0x64\n[    0.458360]  of_platform_device_create_pdata+0xc0/0x100\n[    0.462181]  of_platform_bus_create+0x114/0x370\n[    0.467128]  of_platform_bus_create+0x15c/0x370\n[    0.471641]  of_platform_populate+0x50/0xcc\n[    0.476155]  of_platform_default_populate_init+0xa8/0xc8\n[    0.480324]  do_one_initcall+0x50/0x1b0\n[    0.485877]  kernel_init_freeable+0x234/0x29c\n[    0.489436]  kernel_init+0x24/0x120\n[    0.493948]  ret_from_fork+0x10/0x20\n[    0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042)\n[    0.501079] ---[ end trace 4ca7e1129da2abce ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47647",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix a memory leak in 'host1x_remove()'\n\nAdd a missing 'host1x_channel_list_free()' call in the remove function,\nas already done in the error handling path of the probe function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47648",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: validate ubuf->pagecount\n\nSyzbot has reported GPF in sg_alloc_append_table_from_pages(). The\nproblem was in ubuf->pages == ZERO_PTR.\n\nubuf->pagecount is calculated from arguments passed from user-space. If\nuser creates udmabuf with list.size == 0 then ubuf->pagecount will be\nalso equal to zero; it causes kmalloc_array() to return ZERO_PTR.\n\nFix it by validating ubuf->pagecount before passing it to\nkmalloc_array().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47649",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: prevent the potentially use of null pointer\n\nThere is one call trace that snd_soc_register_card()\n->snd_soc_bind_card()->soc_init_pcm_runtime()\n->snd_soc_dai_compress_new()->snd_soc_new_compress().\nIn the trace the 'codec_dai' transfers from card->dai_link,\nand we can see from the snd_soc_add_pcm_runtime() in\nsnd_soc_bind_card() that, if value of card->dai_link->num_codecs\nis 0, then 'codec_dai' could be null pointer caused\nby index out of bound in 'asoc_rtd_to_codec(rtd, 0)'.\nAnd snd_soc_register_card() is called by various platforms.\nTherefore, it is better to add the check in the case of misusing.\nAnd because 'cpu_dai' has already checked in soc_init_pcm_runtime(),\nthere is no need to check again.\nAdding the check as follow, then if 'codec_dai' is null,\nsnd_soc_new_compress() will not pass through the check\n'if (playback + capture != 1)', avoiding the leftover use of\n'codec_dai'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47650",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: rpmpd: Check for null return of devm_kcalloc\n\nBecause of the possible failure of the allocation, data->domains might\nbe NULL pointer and will cause the dereference of the NULL pointer\nlater.\nTherefore, it might be better to check it and directly return -ENOMEM\nwithout releasing data manually if fails, because the comment of the\ndevm_kmalloc() says \"Memory allocated with this function is\nautomatically freed on driver detach.\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47651",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()\n\nI got a null-ptr-deref report:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:fb_destroy_modelist+0x38/0x100\n...\nCall Trace:\n ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]\n usb_probe_interface+0x1aa/0x3c0 [usbcore]\n really_probe+0x167/0x460\n...\n ret_from_fork+0x1f/0x30\n\nIf fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will\nbe called to destroy modelist in the error handling path. But modelist\nhas not been initialized yet, so it will result in null-ptr-deref.\n\nInitialize modelist before calling fb_alloc_cmap() to fix this bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47652",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: davinci: vpif: fix use-after-free on driver unbind\n\nThe driver allocates and registers two platform device structures during\nprobe, but the devices were never deregistered on driver unbind.\n\nThis results in a use-after-free on driver unbind as the device\nstructures were allocated using devres and would be freed by driver\ncore when remove() returns.\n\nFix this by adding the missing deregistration calls to the remove()\ncallback and failing probe on registration errors.\n\nNote that the platform device structures must be freed using a proper\nrelease callback to avoid leaking associated resources like device\nnames.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47653",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsamples/landlock: Fix path_list memory leak\n\nClang static analysis reports this error\n\nsandboxer.c:134:8: warning: Potential leak of memory\n  pointed to by 'path_list'\n        ret = 0;\n              ^\npath_list is allocated in parse_path() but never freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47654",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: vdec: fixed possible memory leak issue\n\nThe venus_helper_alloc_dpb_bufs() implementation allows an early return\non an error path when checking the id from ida_alloc_min() which would\nnot release the earlier buffer allocation.\n\nMove the direct kfree() from the error checking of dma_alloc_attrs() to\nthe common fail path to ensure that allocations are released on all\nerror paths in this function.\n\nAddresses-Coverity: 1494120 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47655",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix use-after-free in jffs2_clear_xattr_subsystem\n\nWhen we mount a jffs2 image, assume that the first few blocks of\nthe image are normal and contain at least one xattr-related inode,\nbut the next block is abnormal. As a result, an error is returned\nin jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then\ncalled in jffs2_build_filesystem() and then again in\njffs2_do_fill_super().\n\nFinally we can observe the following report:\n ==================================================================\n BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac\n Read of size 8 at addr ffff8881243384e0 by task mount/719\n\n Call Trace:\n  dump_stack+0x115/0x16b\n  jffs2_clear_xattr_subsystem+0x95/0x6ac\n  jffs2_do_fill_super+0x84f/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n  mtd_get_sb+0x254/0x400\n  mtd_get_sb_by_nr+0x4f/0xd0\n  get_tree_mtd+0x498/0x840\n  jffs2_get_tree+0x25/0x30\n  vfs_get_tree+0x8d/0x2e0\n  path_mount+0x50f/0x1e50\n  do_mount+0x107/0x130\n  __se_sys_mount+0x1c5/0x2f0\n  __x64_sys_mount+0xc7/0x160\n  do_syscall_64+0x45/0x70\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\n Allocated by task 719:\n  kasan_save_stack+0x23/0x60\n  __kasan_kmalloc.constprop.0+0x10b/0x120\n  kasan_slab_alloc+0x12/0x20\n  kmem_cache_alloc+0x1c0/0x870\n  jffs2_alloc_xattr_ref+0x2f/0xa0\n  jffs2_scan_medium.cold+0x3713/0x4794\n  jffs2_do_mount_fs.cold+0xa7/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n Freed by task 719:\n  kmem_cache_free+0xcc/0x7b0\n  jffs2_free_xattr_ref+0x78/0x98\n  jffs2_clear_xattr_subsystem+0xa1/0x6ac\n  jffs2_do_mount_fs.cold+0x5e6/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n The buggy address belongs to the object at ffff8881243384b8\n  which belongs to the cache jffs2_xattr_ref of size 48\n The buggy address is located 40 bytes inside of\n  48-byte region [ffff8881243384b8, ffff8881243384e8)\n [...]\n ==================================================================\n\nThe triggering of the BUG is shown in the following stack:\n-----------------------------------------------------------\njffs2_fill_super\n  jffs2_do_fill_super\n    jffs2_do_mount_fs\n      jffs2_build_filesystem\n        jffs2_scan_medium\n          jffs2_scan_eraseblock        <--- ERROR\n        jffs2_clear_xattr_subsystem    <--- free\n    jffs2_clear_xattr_subsystem        <--- free again\n-----------------------------------------------------------\n\nAn error is returned in jffs2_do_mount_fs(). If the error is returned\nby jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to\nbe executed. If the error is returned by jffs2_build_filesystem(), the\njffs2_clear_xattr_subsystem() also does not need to be executed again.\nSo move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'\nto fix this UAF problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47656",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free()\n\nIf virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it\nhappened in the bug report by syzbot), virtio_gpu_array_put_free() could be\ncalled with objs equal to NULL.\n\nEnsure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise\nreturn from the function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47657",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2021-47658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a potential gpu_metrics_table memory leak\n\nMemory is allocated for gpu_metrics_table in renoir_init_smc_tables(),\nbut not freed in int smu_v12_0_fini_smc_tables(). Free it!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47658",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2021-47659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/plane: Move range check for format_count earlier\n\nWhile the check for format_count > 64 in __drm_universal_plane_init()\nshouldn't be hit (it's a WARN_ON), in its current position it will then\nleak the plane->format_types array and fail to call\ndrm_mode_object_unregister() leaking the modeset identifier. Move it to\nthe start of the function to avoid allocating those resources in the\nfirst place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47659",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2021-47660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix some memory leaks in an error handling path of 'log_replay()'\n\nAll error handling paths lead to 'out' where many resources are freed.\n\nDo it as well here instead of a direct return, otherwise 'log', 'ra' and\n'log->one_page_buf' (at least) will leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47660",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2021-47668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_restart: fix use after free bug\n\nAfter calling netif_rx_ni(skb), dereferencing skb is unsafe.\nEspecially, the can_frame cf which aliases skb memory is accessed\nafter the netif_rx_ni() in:\n      stats->rx_bytes += cf->len;\n\nReordering the lines solves the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47668",
          "detail": "fixed-version",
          "description": "Fixed from version 5.11"
        },
        {
          "id": "CVE-2021-47669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: vxcan: vxcan_xmit: fix use after free bug\n\nAfter calling netif_rx_ni(skb), dereferencing skb is unsafe.\nEspecially, the canfd_frame cfd which aliases skb memory is accessed\nafter the netif_rx_ni().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47669",
          "detail": "fixed-version",
          "description": "Fixed from version 5.11"
        },
        {
          "id": "CVE-2021-47670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix use after free bugs\n\nAfter calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.\nEspecially, the can_frame cf which aliases skb memory is accessed\nafter the peak_usb_netif_rx_ni().\n\nReordering the lines solves the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47670",
          "detail": "fixed-version",
          "description": "Fixed from version 5.11"
        },
        {
          "id": "CVE-2021-47671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path\n\nIn es58x_rx_err_msg(), if can->do_set_mode() fails, the function\ndirectly returns without calling netif_rx(skb). This means that the\nskb previously allocated by alloc_can_err_skb() is not freed. In other\nterms, this is a memory leak.\n\nThis patch simply removes the return statement in the error branch and\nlet the function continue.\n\nIssue was found with GCC -fanalyzer, please follow the link below for\ndetails.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-47671",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16"
        },
        {
          "id": "CVE-2022-0168",
          "summary": "A denial of service (DOS) issue was found in the Linux kernel\u2019s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0168"
        },
        {
          "id": "CVE-2022-0171",
          "summary": "A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0171"
        },
        {
          "id": "CVE-2022-0185",
          "summary": "A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0185"
        },
        {
          "id": "CVE-2022-0264",
          "summary": "A vulnerability was found in the Linux kernel's eBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. This flaws affects kernel versions < v5.16-rc6",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0264"
        },
        {
          "id": "CVE-2022-0286",
          "summary": "A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0286",
          "detail": "fixed-version",
          "description": "Fixed from version 5.14rc2"
        },
        {
          "id": "CVE-2022-0322",
          "summary": "A flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0322"
        },
        {
          "id": "CVE-2022-0330",
          "summary": "A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0330"
        },
        {
          "id": "CVE-2022-0382",
          "summary": "An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations. This flaw allows a local user to read some kernel memory. This issue is limited to no more than 7 bytes, and the user cannot control what is read. This flaw affects the Linux kernel versions prior to 5.17-rc1.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0382"
        },
        {
          "id": "CVE-2022-0400",
          "summary": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400",
          "detail": "not-applicable-config",
          "description": "CONFIG_SMC requires CONFIG_INFINIBAND, SMC-R is an IBM Z RoCE feature not applicable to AMD FPGAs."
        },
        {
          "id": "CVE-2022-0433",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. This flaw allows a local user to crash the system. This flaw affects Linux kernel versions prior to 5.17-rc1.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0433"
        },
        {
          "id": "CVE-2022-0435",
          "summary": "A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.",
          "scorev2": "9.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0435"
        },
        {
          "id": "CVE-2022-0480",
          "summary": "A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0480"
        },
        {
          "id": "CVE-2022-0487",
          "summary": "A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0487"
        },
        {
          "id": "CVE-2022-0492",
          "summary": "A vulnerability was found in the Linux kernel\u2019s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0492"
        },
        {
          "id": "CVE-2022-0494",
          "summary": "A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0494"
        },
        {
          "id": "CVE-2022-0500",
          "summary": "A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel\u2019s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0500"
        },
        {
          "id": "CVE-2022-0516",
          "summary": "A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0516"
        },
        {
          "id": "CVE-2022-0617",
          "summary": "A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0617"
        },
        {
          "id": "CVE-2022-0646",
          "summary": "A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0646"
        },
        {
          "id": "CVE-2022-0742",
          "summary": "Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.",
          "scorev2": "7.8",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0742"
        },
        {
          "id": "CVE-2022-0812",
          "summary": "An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0812"
        },
        {
          "id": "CVE-2022-0847",
          "summary": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847"
        },
        {
          "id": "CVE-2022-0850",
          "summary": "A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0850"
        },
        {
          "id": "CVE-2022-0854",
          "summary": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0854"
        },
        {
          "id": "CVE-2022-0995",
          "summary": "An out-of-bounds (OOB) memory write flaw was found in the Linux kernel\u2019s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0995"
        },
        {
          "id": "CVE-2022-0998",
          "summary": "An integer overflow flaw was found in the Linux kernel\u2019s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0998"
        },
        {
          "id": "CVE-2022-1011",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1011"
        },
        {
          "id": "CVE-2022-1012",
          "summary": "A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1012"
        },
        {
          "id": "CVE-2022-1015",
          "summary": "A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.",
          "scorev2": "4.6",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1015"
        },
        {
          "id": "CVE-2022-1016",
          "summary": "A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1016"
        },
        {
          "id": "CVE-2022-1043",
          "summary": "A flaw was found in the Linux kernel\u2019s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1043"
        },
        {
          "id": "CVE-2022-1048",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1048"
        },
        {
          "id": "CVE-2022-1055",
          "summary": "A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "8.6",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1055"
        },
        {
          "id": "CVE-2022-1116",
          "summary": "Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1116"
        },
        {
          "id": "CVE-2022-1158",
          "summary": "A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1158"
        },
        {
          "id": "CVE-2022-1184",
          "summary": "A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel\u2019s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1184"
        },
        {
          "id": "CVE-2022-1195",
          "summary": "A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1195"
        },
        {
          "id": "CVE-2022-1198",
          "summary": "A use-after-free vulnerability was discovered in drivers/net/hamradio/6pack.c of linux that allows an attacker to crash linux kernel by simulating ax25 device using 6pack driver from user space.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1198"
        },
        {
          "id": "CVE-2022-1199",
          "summary": "A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1199"
        },
        {
          "id": "CVE-2022-1204",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1204"
        },
        {
          "id": "CVE-2022-1205",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1205"
        },
        {
          "id": "CVE-2022-1247",
          "summary": "An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their \u201ccount\u201d and \u201cuse\u201d are zero.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1247"
        },
        {
          "id": "CVE-2022-1263",
          "summary": "A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1263"
        },
        {
          "id": "CVE-2022-1280",
          "summary": "A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.",
          "scorev2": "3.3",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280"
        },
        {
          "id": "CVE-2022-1353",
          "summary": "A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1353"
        },
        {
          "id": "CVE-2022-1419",
          "summary": "The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease the refcount of drm_vgem_gem_object (created in vgem_gem_dumb_create) concurrently, and vgem_gem_dumb_create will access the freed drm_vgem_gem_object.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1419"
        },
        {
          "id": "CVE-2022-1462",
          "summary": "An out-of-bounds read flaw was found in the Linux kernel\u2019s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.",
          "scorev2": "3.3",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19rc7"
        },
        {
          "id": "CVE-2022-1508",
          "summary": "An out-of-bounds read flaw was found in the Linux kernel\u2019s io_uring module in the way a user triggers the io_read() function with some special parameters. This flaw allows a local user to read some memory out of bounds.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1508"
        },
        {
          "id": "CVE-2022-1516",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516"
        },
        {
          "id": "CVE-2022-1651",
          "summary": "A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1651"
        },
        {
          "id": "CVE-2022-1652",
          "summary": "Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1652"
        },
        {
          "id": "CVE-2022-1671",
          "summary": "A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1671"
        },
        {
          "id": "CVE-2022-1678",
          "summary": "An issue was discovered in the Linux Kernel from 4.18 to 4.19: an improper update of the sock reference in TCP pacing can lead to a memory/netns leak, which can be used by remote clients.",
          "scorev2": "5.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1678"
        },
        {
          "id": "CVE-2022-1679",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1679"
        },
        {
          "id": "CVE-2022-1729",
          "summary": "A race condition was found in the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows building several exploit primitives such as kernel address information leak, arbitrary execution, etc.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1729"
        },
        {
          "id": "CVE-2022-1734",
          "summary": "A flaw in the Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to a use after free (both read and write) when the cleanup routine and the firmware download routine are not synchronized.",
          "scorev2": "4.4",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1734"
        },
        {
          "id": "CVE-2022-1786",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1786"
        },
        {
          "id": "CVE-2022-1789",
          "summary": "With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.",
          "scorev2": "6.9",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1789"
        },
        {
          "id": "CVE-2022-1852",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in a guest on an Intel CPU.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1852"
        },
        {
          "id": "CVE-2022-1882",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s pipes functionality in how a user performs manipulations with the pipe post_one_notification() after free_pipe_info() that is already called. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1882"
        },
        {
          "id": "CVE-2022-1943",
          "summary": "An out-of-bounds memory write flaw in the Linux kernel UDF file system functionality was found in the way a user triggers some file operation which in turn triggers udf_write_fi(). A local user could use this flaw to crash the system or potentially",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1943"
        },
        {
          "id": "CVE-2022-1973",
          "summary": "A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1973"
        },
        {
          "id": "CVE-2022-1974",
          "summary": "A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1974"
        },
        {
          "id": "CVE-2022-1975",
          "summary": "There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating an nfc device from user-space.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1975"
        },
        {
          "id": "CVE-2022-1976",
          "summary": "A flaw was found in the Linux kernel\u2019s implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1976"
        },
        {
          "id": "CVE-2022-1998",
          "summary": "A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1998"
        },
        {
          "id": "CVE-2022-20105",
          "summary": "In MM service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20105"
        },
        {
          "id": "CVE-2022-20106",
          "summary": "In MM service, there is a possible out of bounds write due to a heap-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20106"
        },
        {
          "id": "CVE-2022-20107",
          "summary": "In subtitle service, there is a possible application crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330673; Issue ID: DTV03330673.",
          "scorev2": "4.9",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20107"
        },
        {
          "id": "CVE-2022-20108",
          "summary": "In voice service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330702; Issue ID: DTV03330702.",
          "scorev2": "4.6",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-20108"
        },
        {
          "id": "CVE-2022-2078",
          "summary": "A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly allowing code execution.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2078"
        },
        {
          "id": "CVE-2022-2153",
          "summary": "A flaw was found in the Linux kernel\u2019s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2153"
        },
        {
          "id": "CVE-2022-21546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix WRITE_SAME No Data Buffer crash\n\nIn newer version of the SBC specs, we have a NDOB bit that indicates there\nis no data buffer that gets written out. If this bit is set using commands\nlike \"sg_write_same --ndob\" we will crash in target_core_iblock/file's\nexecute_write_same handlers when we go to access the se_cmd->t_data_sg\nbecause its NULL.\n\nThis patch adds a check for the NDOB bit in the common WRITE SAME code\nbecause we don't support it. And, it adds a check for zero SG elements in\neach handler in case the initiator tries to send a normal WRITE SAME with\nno data buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-21546",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-2196",
          "summary": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a",
          "scorev2": "0.0",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2196"
        },
        {
          "id": "CVE-2022-2308",
          "summary": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-2318",
          "summary": "There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of Linux that allow attackers to crash the Linux kernel without any privileges.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2318"
        },
        {
          "id": "CVE-2022-23222",
          "summary": "kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23222"
        },
        {
          "id": "CVE-2022-2327",
          "summary": "io_uring uses work_flags to determine which identity needs to be grabbed from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2327",
          "detail": "fixed-version",
          "description": "Fixed from version 5.12rc1"
        },
        {
          "id": "CVE-2022-2380",
          "summary": "The Linux kernel was found vulnerable to out-of-bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2380"
        },
        {
          "id": "CVE-2022-24122",
          "summary": "kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24122"
        },
        {
          "id": "CVE-2022-24448",
          "summary": "An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.",
          "scorev2": "1.9",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24448"
        },
        {
          "id": "CVE-2022-24958",
          "summary": "drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24958"
        },
        {
          "id": "CVE-2022-24959",
          "summary": "An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-24959"
        },
        {
          "id": "CVE-2022-2503",
          "summary": "Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5",
          "scorev2": "0.0",
          "scorev3": "6.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2503"
        },
        {
          "id": "CVE-2022-25258",
          "summary": "An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.",
          "scorev2": "4.9",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25258"
        },
        {
          "id": "CVE-2022-25265",
          "summary": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.",
          "scorev2": "4.4",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265"
        },
        {
          "id": "CVE-2022-25375",
          "summary": "An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25375"
        },
        {
          "id": "CVE-2022-25636",
          "summary": "net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.",
          "scorev2": "6.9",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-25636"
        },
        {
          "id": "CVE-2022-2585",
          "summary": "It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2585"
        },
        {
          "id": "CVE-2022-2586",
          "summary": "It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2586"
        },
        {
          "id": "CVE-2022-2588",
          "summary": "It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588"
        },
        {
          "id": "CVE-2022-2590",
          "summary": "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2590"
        },
        {
          "id": "CVE-2022-2602",
          "summary": "io_uring UAF, Unix SCM garbage collection",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602"
        },
        {
          "id": "CVE-2022-26365",
          "summary": "Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26365"
        },
        {
          "id": "CVE-2022-2639",
          "summary": "An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639"
        },
        {
          "id": "CVE-2022-26490",
          "summary": "st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26490"
        },
        {
          "id": "CVE-2022-2663",
          "summary": "An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc5"
        },
        {
          "id": "CVE-2022-26878",
          "summary": "drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26878"
        },
        {
          "id": "CVE-2022-26966",
          "summary": "An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26966"
        },
        {
          "id": "CVE-2022-27223",
          "summary": "In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.",
          "scorev2": "6.5",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27223"
        },
        {
          "id": "CVE-2022-27666",
          "summary": "A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27666"
        },
        {
          "id": "CVE-2022-2785",
          "summary": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc1"
        },
        {
          "id": "CVE-2022-27950",
          "summary": "In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-27950"
        },
        {
          "id": "CVE-2022-28356",
          "summary": "In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28356"
        },
        {
          "id": "CVE-2022-28388",
          "summary": "usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28388"
        },
        {
          "id": "CVE-2022-28389",
          "summary": "mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.",
          "scorev2": "2.1",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28389"
        },
        {
          "id": "CVE-2022-28390",
          "summary": "ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28390"
        },
        {
          "id": "CVE-2022-2873",
          "summary": "An out-of-bounds memory access flaw was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2873"
        },
        {
          "id": "CVE-2022-28796",
          "summary": "jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28796"
        },
        {
          "id": "CVE-2022-28893",
          "summary": "The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-28893"
        },
        {
          "id": "CVE-2022-2905",
          "summary": "An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2905"
        },
        {
          "id": "CVE-2022-29156",
          "summary": "drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29156"
        },
        {
          "id": "CVE-2022-2938",
          "summary": "A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2938"
        },
        {
          "id": "CVE-2022-29581",
          "summary": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29581"
        },
        {
          "id": "CVE-2022-29582",
          "summary": "In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.",
          "scorev2": "6.9",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29582"
        },
        {
          "id": "CVE-2022-2959",
          "summary": "A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2959"
        },
        {
          "id": "CVE-2022-2961",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2961"
        },
        {
          "id": "CVE-2022-2964",
          "summary": "A flaw was found in the Linux kernel\u2019s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2964"
        },
        {
          "id": "CVE-2022-2977",
          "summary": "A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2977"
        },
        {
          "id": "CVE-2022-2978",
          "summary": "A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2978"
        },
        {
          "id": "CVE-2022-2991",
          "summary": "A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-2991"
        },
        {
          "id": "CVE-2022-29968",
          "summary": "An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-29968"
        },
        {
          "id": "CVE-2022-3028",
          "summary": "A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028"
        },
        {
          "id": "CVE-2022-30594",
          "summary": "The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.",
          "scorev2": "4.4",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30594"
        },
        {
          "id": "CVE-2022-3061",
          "summary": "Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by zero error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3061"
        },
        {
          "id": "CVE-2022-3077",
          "summary": "A buffer overflow vulnerability was found in the Linux kernel Intel\u2019s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3077"
        },
        {
          "id": "CVE-2022-3078",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3078"
        },
        {
          "id": "CVE-2022-3103",
          "summary": "off-by-one in io_uring module.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3103"
        },
        {
          "id": "CVE-2022-3104",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3104"
        },
        {
          "id": "CVE-2022-3105",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of kmalloc_array().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3105"
        },
        {
          "id": "CVE-2022-3106",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check of the return value of kmalloc().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3106"
        },
        {
          "id": "CVE-2022-3107",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3107"
        },
        {
          "id": "CVE-2022-3108",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108"
        },
        {
          "id": "CVE-2022-3110",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. _rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks check of the return value of rtw_alloc_hwxmits() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3110"
        },
        {
          "id": "CVE-2022-3111",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3111"
        },
        {
          "id": "CVE-2022-3112",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3112"
        },
        {
          "id": "CVE-2022-3113",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3113"
        },
        {
          "id": "CVE-2022-3114",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3114"
        },
        {
          "id": "CVE-2022-3115",
          "summary": "An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3115"
        },
        {
          "id": "CVE-2022-3169",
          "summary": "A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3169"
        },
        {
          "id": "CVE-2022-3170",
          "summary": "An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3170"
        },
        {
          "id": "CVE-2022-3176",
          "summary": "There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3176"
        },
        {
          "id": "CVE-2022-3202",
          "summary": "A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202"
        },
        {
          "id": "CVE-2022-32250",
          "summary": "net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32250"
        },
        {
          "id": "CVE-2022-32296",
          "summary": "The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 (\"Double-Hash Port Selection Algorithm\") of RFC 6056.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32296"
        },
        {
          "id": "CVE-2022-3238",
          "summary": "A double-free flaw was found in the Linux kernel\u2019s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238"
        },
        {
          "id": "CVE-2022-3239",
          "summary": "A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239"
        },
        {
          "id": "CVE-2022-32981",
          "summary": "An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32981"
        },
        {
          "id": "CVE-2022-3303",
          "summary": "A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3303"
        },
        {
          "id": "CVE-2022-3344",
          "summary": "A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3344"
        },
        {
          "id": "CVE-2022-33740",
          "summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33740"
        },
        {
          "id": "CVE-2022-33741",
          "summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33741"
        },
        {
          "id": "CVE-2022-33742",
          "summary": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).",
          "scorev2": "3.6",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33742"
        },
        {
          "id": "CVE-2022-33743",
          "summary": "network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33743"
        },
        {
          "id": "CVE-2022-33744",
          "summary": "Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.",
          "scorev2": "1.9",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33744"
        },
        {
          "id": "CVE-2022-33981",
          "summary": "drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.",
          "scorev2": "2.1",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-33981"
        },
        {
          "id": "CVE-2022-3424",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424"
        },
        {
          "id": "CVE-2022-3435",
          "summary": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-34494",
          "summary": "rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34494"
        },
        {
          "id": "CVE-2022-34495",
          "summary": "rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
          "scorev2": "4.9",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34495"
        },
        {
          "id": "CVE-2022-34918",
          "summary": "An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.",
          "scorev2": "7.2",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-34918"
        },
        {
          "id": "CVE-2022-3521",
          "summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "2.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521"
        },
        {
          "id": "CVE-2022-3523",
          "summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3523",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-3524",
          "summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3524"
        },
        {
          "id": "CVE-2022-3526",
          "summary": "A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211024.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3526"
        },
        {
          "id": "CVE-2022-3533",
          "summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects the function parse_usdt_arg of the file tools/lib/bpf/usdt.c of the component BPF. The manipulation of the argument reg_name leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211031.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3533"
        },
        {
          "id": "CVE-2022-3534",
          "summary": "A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3534",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2rc1"
        },
        {
          "id": "CVE-2022-3541",
          "summary": "A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211041 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3541"
        },
        {
          "id": "CVE-2022-3543",
          "summary": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211043.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3543"
        },
        {
          "id": "CVE-2022-3544",
          "summary": "A vulnerability, which was classified as problematic, was found in Linux Kernel. Affected is the function damon_sysfs_add_target of the file mm/damon/sysfs.c of the component Netfilter. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211044.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3544"
        },
        {
          "id": "CVE-2022-3545",
          "summary": "A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3545"
        },
        {
          "id": "CVE-2022-3564",
          "summary": "A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3564"
        },
        {
          "id": "CVE-2022-3565",
          "summary": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3565"
        },
        {
          "id": "CVE-2022-3566",
          "summary": "A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-3567",
          "summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-3577",
          "summary": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3577"
        },
        {
          "id": "CVE-2022-3586",
          "summary": "A flaw was found in the Linux kernel\u2019s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586"
        },
        {
          "id": "CVE-2022-3594",
          "summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3594"
        },
        {
          "id": "CVE-2022-3595",
          "summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is the function sess_free_buffer of the file fs/cifs/sess.c of the component CIFS Handler. The manipulation leads to double free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211364.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3595"
        },
        {
          "id": "CVE-2022-3606",
          "summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3606"
        },
        {
          "id": "CVE-2022-36123",
          "summary": "The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36123"
        },
        {
          "id": "CVE-2022-3619",
          "summary": "A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc4"
        },
        {
          "id": "CVE-2022-3621",
          "summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-3623",
          "summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3623"
        },
        {
          "id": "CVE-2022-3624",
          "summary": "A vulnerability was found in Linux Kernel and classified as problematic. Affected by this issue is the function rlb_arp_xmit of the file drivers/net/bonding/bond_alb.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211928.",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc1"
        },
        {
          "id": "CVE-2022-3625",
          "summary": "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3625"
        },
        {
          "id": "CVE-2022-3628",
          "summary": "A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3628"
        },
        {
          "id": "CVE-2022-36280",
          "summary": "An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36280"
        },
        {
          "id": "CVE-2022-3629",
          "summary": "A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.",
          "scorev2": "1.4",
          "scorev3": "2.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:H/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc1"
        },
        {
          "id": "CVE-2022-3630",
          "summary": "A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects some unknown processing of the file fs/fscache/cookie.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211931.",
          "scorev2": "0.0",
          "scorev3": "3.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc1"
        },
        {
          "id": "CVE-2022-3633",
          "summary": "A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932.",
          "scorev2": "2.7",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0rc1"
        },
        {
          "id": "CVE-2022-3635",
          "summary": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3635"
        },
        {
          "id": "CVE-2022-3636",
          "summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3636",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19rc1"
        },
        {
          "id": "CVE-2022-3640",
          "summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3640"
        },
        {
          "id": "CVE-2022-36402",
          "summary": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36402",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2022-3643",
          "summary": "Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3643"
        },
        {
          "id": "CVE-2022-3646",
          "summary": "A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "3.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc1"
        },
        {
          "id": "CVE-2022-3649",
          "summary": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.",
          "scorev2": "0.0",
          "scorev3": "3.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3649"
        },
        {
          "id": "CVE-2022-36879",
          "summary": "An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36879"
        },
        {
          "id": "CVE-2022-36946",
          "summary": "nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-36946"
        },
        {
          "id": "CVE-2022-3707",
          "summary": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707"
        },
        {
          "id": "CVE-2022-38096",
          "summary": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096",
          "detail": "fixed-version",
          "description": "Fixed from 6.9"
        },
        {
          "id": "CVE-2022-38457",
          "summary": "A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457"
        },
        {
          "id": "CVE-2022-3903",
          "summary": "An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3903"
        },
        {
          "id": "CVE-2022-3910",
          "summary": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation.\nWhen io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately.\n\nWe recommend upgrading past commit  https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 \n",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3910"
        },
        {
          "id": "CVE-2022-39188",
          "summary": "An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188"
        },
        {
          "id": "CVE-2022-39189",
          "summary": "An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39189"
        },
        {
          "id": "CVE-2022-39190",
          "summary": "An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39190"
        },
        {
          "id": "CVE-2022-3977",
          "summary": "A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. This issue occurs when a user simultaneously calls DROPTAG ioctl and socket close happens, which could allow a local user to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-3977"
        },
        {
          "id": "CVE-2022-39842",
          "summary": "An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. NOTE: the original discoverer disputes that the overflow can actually happen.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-39842"
        },
        {
          "id": "CVE-2022-40133",
          "summary": "A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40133"
        },
        {
          "id": "CVE-2022-40307",
          "summary": "An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40307"
        },
        {
          "id": "CVE-2022-40476",
          "summary": "A null pointer dereference issue was discovered in fs/io_uring.c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40476"
        },
        {
          "id": "CVE-2022-40768",
          "summary": "drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-40768"
        },
        {
          "id": "CVE-2022-4095",
          "summary": "A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095"
        },
        {
          "id": "CVE-2022-41218",
          "summary": "In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41218"
        },
        {
          "id": "CVE-2022-41222",
          "summary": "mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41222"
        },
        {
          "id": "CVE-2022-4127",
          "summary": "A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4127"
        },
        {
          "id": "CVE-2022-4128",
          "summary": "A NULL pointer dereference issue was discovered in the Linux kernel in the MPTCP protocol when traversing the subflow list at disconnect time. A local user could use this flaw to potentially crash the system causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4128"
        },
        {
          "id": "CVE-2022-4139",
          "summary": "An incorrect TLB flush issue was found in the Linux kernel\u2019s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4139"
        },
        {
          "id": "CVE-2022-41674",
          "summary": "An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41674"
        },
        {
          "id": "CVE-2022-41848",
          "summary": "drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41848"
        },
        {
          "id": "CVE-2022-41849",
          "summary": "drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41849"
        },
        {
          "id": "CVE-2022-41850",
          "summary": "roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850"
        },
        {
          "id": "CVE-2022-41858",
          "summary": "A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-41858"
        },
        {
          "id": "CVE-2022-42328",
          "summary": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42328"
        },
        {
          "id": "CVE-2022-42329",
          "summary": "Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42329"
        },
        {
          "id": "CVE-2022-42432",
          "summary": "This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42432"
        },
        {
          "id": "CVE-2022-4269",
          "summary": "A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4269"
        },
        {
          "id": "CVE-2022-42703",
          "summary": "mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42703"
        },
        {
          "id": "CVE-2022-42719",
          "summary": "A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42719"
        },
        {
          "id": "CVE-2022-42720",
          "summary": "Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42720"
        },
        {
          "id": "CVE-2022-42721",
          "summary": "A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42721"
        },
        {
          "id": "CVE-2022-42722",
          "summary": "In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42722"
        },
        {
          "id": "CVE-2022-42895",
          "summary": "There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely.\nWe recommend upgrading past commit\u00a0 https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url \n\n",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1rc4"
        },
        {
          "id": "CVE-2022-42896",
          "summary": "There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth.\u00a0A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.\n\nWe recommend upgrading past commit\u00a0  https://www.google.com/url  https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url \n\n",
          "scorev2": "0.0",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-42896"
        },
        {
          "id": "CVE-2022-43750",
          "summary": "drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43750"
        },
        {
          "id": "CVE-2022-4378",
          "summary": "A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4378"
        },
        {
          "id": "CVE-2022-4379",
          "summary": "A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4379"
        },
        {
          "id": "CVE-2022-4382",
          "summary": "A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4382",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2rc5"
        },
        {
          "id": "CVE-2022-43945",
          "summary": "The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-43945"
        },
        {
          "id": "CVE-2022-44032",
          "summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44032"
        },
        {
          "id": "CVE-2022-44033",
          "summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44033"
        },
        {
          "id": "CVE-2022-44034",
          "summary": "An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-44034"
        },
        {
          "id": "CVE-2022-4543",
          "summary": "A flaw named \"EntryBleed\" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4543",
          "detail": "not-applicable-config",
          "description": "x86-64 specific entry_SYSCALL_64 TLB side channel"
        },
        {
          "id": "CVE-2022-45869",
          "summary": "A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45869"
        },
        {
          "id": "CVE-2022-45884",
          "summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45884"
        },
        {
          "id": "CVE-2022-45885",
          "summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45885"
        },
        {
          "id": "CVE-2022-45886",
          "summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45886"
        },
        {
          "id": "CVE-2022-45887",
          "summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45887"
        },
        {
          "id": "CVE-2022-45888",
          "summary": "An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45888"
        },
        {
          "id": "CVE-2022-45919",
          "summary": "An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45919"
        },
        {
          "id": "CVE-2022-45934",
          "summary": "An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-45934"
        },
        {
          "id": "CVE-2022-4662",
          "summary": "A flaw of incorrect access control in the Linux kernel USB core subsystem was found in the way a user attaches a USB device. A local user could use this flaw to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662"
        },
        {
          "id": "CVE-2022-4696",
          "summary": "There exists a use-after-free vulnerability in the Linux kernel through io_uring and the\u00a0IORING_OP_SPLICE operation. If\u00a0IORING_OP_SPLICE is\u00a0missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above\n",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696"
        },
        {
          "id": "CVE-2022-4744",
          "summary": "A double-free flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4744"
        },
        {
          "id": "CVE-2022-47518",
          "summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47518"
        },
        {
          "id": "CVE-2022-47519",
          "summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47519"
        },
        {
          "id": "CVE-2022-47520",
          "summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47520"
        },
        {
          "id": "CVE-2022-47521",
          "summary": "An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47521"
        },
        {
          "id": "CVE-2022-47929",
          "summary": "In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with \"tc qdisc\" and \"tc class\" commands. This affects qdisc_graft in net/sched/sch_api.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47929"
        },
        {
          "id": "CVE-2022-47938",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47938"
        },
        {
          "id": "CVE-2022-47939",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47939"
        },
        {
          "id": "CVE-2022-47940",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47940"
        },
        {
          "id": "CVE-2022-47941",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47941"
        },
        {
          "id": "CVE-2022-47942",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47942"
        },
        {
          "id": "CVE-2022-47943",
          "summary": "An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943"
        },
        {
          "id": "CVE-2022-47946",
          "summary": "An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47946"
        },
        {
          "id": "CVE-2022-4842",
          "summary": "A NULL pointer dereference flaw in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842"
        },
        {
          "id": "CVE-2022-48423",
          "summary": "In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48423"
        },
        {
          "id": "CVE-2022-48424",
          "summary": "In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48424"
        },
        {
          "id": "CVE-2022-48425",
          "summary": "In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48425"
        },
        {
          "id": "CVE-2022-48502",
          "summary": "An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502"
        },
        {
          "id": "CVE-2022-48619",
          "summary": "An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48619"
        },
        {
          "id": "CVE-2022-48626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmoxart: fix potential use-after-free on remove path\n\nIt was reported that the mmc host structure could be accessed after it\nwas freed in moxart_remove(), so fix this by saving the base register of\nthe device and using it instead of the pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48626",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix memory overlapping when deleting chars in the buffer\n\nA memory overlapping copy occurs when deleting a long line. This memory\noverlapping copy can cause data corruption when scr_memcpyw is optimized\nto memcpy because memcpy does not ensure its behavior if the destination\nbuffer overlaps with the source buffer. The line buffer is not always\nbroken, because the memcpy utilizes the hardware acceleration, whose\nresult is not deterministic.\n\nFix this problem by using replacing the scr_memcpyw with scr_memmovew.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48627",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-48628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: drop messages from MDS when unmounting\n\nWhen unmounting all the dirty buffers will be flushed and after\nthe last osd request is finished the last reference of the i_count\nwill be released. Then it will flush the dirty cap/snap to MDSs,\nand the unmounting won't wait the possible acks, which will ihold\nthe inodes when updating the metadata locally but makes no sense\nany more, of this. This will make the evict_inodes() to skip these\ninodes.\n\nIf encrypt is enabled the kernel generate a warning when removing\nthe encrypt keys when the skipped inodes still hold the keyring:\n\nWARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0\nCPU: 4 PID: 168846 Comm: umount Tainted: G S  6.1.0-rc5-ceph-g72ead199864c #1\nHardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015\nRIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0\nRSP: 0018:ffffc9000b277e28 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00\nRDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000\nRBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000\nR10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40\nR13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000\nFS:  00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\ngeneric_shutdown_super+0x47/0x120\nkill_anon_super+0x14/0x30\nceph_kill_sb+0x36/0x90 [ceph]\ndeactivate_locked_super+0x29/0x60\ncleanup_mnt+0xb8/0x140\ntask_work_run+0x67/0xb0\nexit_to_user_mode_prepare+0x23d/0x240\nsyscall_exit_to_user_mode+0x25/0x60\ndo_syscall_64+0x40/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd83dc39e9b\n\nLater the kernel will crash when iput() the inodes and dereferencing\nthe \"sb->s_master_keys\", which has been released by the\ngeneric_shutdown_super().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2022-48629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qcom-rng - ensure buffer for generate is completely filled\n\nThe generate function in struct rng_alg expects that the destination\nbuffer is completely filled if the function returns 0. qcom_rng_read()\ncan run into a situation where the buffer is partially filled with\nrandomness and the remaining part of the buffer is zeroed since\nqcom_rng_generate() doesn't check the return value. This issue can\nbe reproduced by running the following from libkcapi:\n\n    kcapi-rng -b 9000000 > OUTFILE\n\nThe generated OUTFILE will have three huge sections that contain all\nzeros, and this is caused by the code where the test\n'val & PRNG_STATUS_DATA_AVAIL' fails.\n\nLet's fix this issue by ensuring that qcom_rng_read() always returns\nwith a full buffer if the function returns success. Let's also have\nqcom_rng_generate() return the correct value.\n\nHere's some statistics from the ent project\n(https://www.fourmilab.ch/random/) that shows information about the\nquality of the generated numbers:\n\n    $ ent -c qcom-random-before\n    Value Char Occurrences Fraction\n      0           606748   0.067416\n      1            33104   0.003678\n      2            33001   0.003667\n    ...\n    253   \ufffd        32883   0.003654\n    254   \ufffd        33035   0.003671\n    255   \ufffd        33239   0.003693\n\n    Total:       9000000   1.000000\n\n    Entropy = 7.811590 bits per byte.\n\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 2 percent.\n\n    Chi square distribution for 9000000 samples is 9329962.81, and\n    randomly would exceed this value less than 0.01 percent of the\n    times.\n\n    Arithmetic mean value of data bytes is 119.3731 (127.5 = random).\n    Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).\n    Serial correlation coefficient is 0.159130 (totally uncorrelated =\n    0.0).\n\nWithout this patch, the results of the chi-square test is 0.01%, and\nthe numbers are certainly not random according to ent's project page.\nThe results improve with this patch:\n\n    $ ent -c qcom-random-after\n    Value Char Occurrences Fraction\n      0            35432   0.003937\n      1            35127   0.003903\n      2            35424   0.003936\n    ...\n    253   \ufffd        35201   0.003911\n    254   \ufffd        34835   0.003871\n    255   \ufffd        35368   0.003930\n\n    Total:       9000000   1.000000\n\n    Entropy = 7.999979 bits per byte.\n\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 0 percent.\n\n    Chi square distribution for 9000000 samples is 258.77, and randomly\n    would exceed this value 42.24 percent of the times.\n\n    Arithmetic mean value of data bytes is 127.5006 (127.5 = random).\n    Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).\n    Serial correlation coefficient is 0.000468 (totally uncorrelated =\n    0.0).\n\nThis change was tested on a Nexus 5 phone (msm8974 SoC).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48629",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ\n\nThe commit referenced in the Fixes tag removed the 'break' from the else\nbranch in qcom_rng_read(), causing an infinite loop whenever 'max' is\nnot a multiple of WORD_SZ. This can be reproduced e.g. by running:\n\n    kcapi-rng -b 67 >/dev/null\n\nThere are many ways to fix this without adding back the 'break', but\nthey all seem more awkward than simply adding it back, so do just that.\n\nTested on a machine with Qualcomm Amberwing processor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48630",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-48631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0\n\nWhen walking through an inode extents, the ext4_ext_binsearch_idx() function\nassumes that the extent header has been previously validated.  However, there\nare no checks that verify that the number of entries (eh->eh_entries) is\nnon-zero when depth is > 0.  And this will lead to problems because the\nEXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:\n\n[  135.245946] ------------[ cut here ]------------\n[  135.247579] kernel BUG at fs/ext4/extents.c:2258!\n[  135.249045] invalid opcode: 0000 [#1] PREEMPT SMP\n[  135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4\n[  135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n[  135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0\n[  135.256475] Code:\n[  135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246\n[  135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023\n[  135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c\n[  135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c\n[  135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024\n[  135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000\n[  135.272394] FS:  00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n[  135.274510] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0\n[  135.277952] Call Trace:\n[  135.278635]  <TASK>\n[  135.279247]  ? preempt_count_add+0x6d/0xa0\n[  135.280358]  ? percpu_counter_add_batch+0x55/0xb0\n[  135.281612]  ? _raw_read_unlock+0x18/0x30\n[  135.282704]  ext4_map_blocks+0x294/0x5a0\n[  135.283745]  ? xa_load+0x6f/0xa0\n[  135.284562]  ext4_mpage_readpages+0x3d6/0x770\n[  135.285646]  read_pages+0x67/0x1d0\n[  135.286492]  ? folio_add_lru+0x51/0x80\n[  135.287441]  page_cache_ra_unbounded+0x124/0x170\n[  135.288510]  filemap_get_pages+0x23d/0x5a0\n[  135.289457]  ? path_openat+0xa72/0xdd0\n[  135.290332]  filemap_read+0xbf/0x300\n[  135.291158]  ? _raw_spin_lock_irqsave+0x17/0x40\n[  135.292192]  new_sync_read+0x103/0x170\n[  135.293014]  vfs_read+0x15d/0x180\n[  135.293745]  ksys_read+0xa1/0xe0\n[  135.294461]  do_syscall_64+0x3c/0x80\n[  135.295284]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis patch simply adds an extra check in __ext4_ext_check(), verifying that\neh_entries is not 0 when eh_depth is > 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\n\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix WARN_ON(lock->magic != lock) error\n\npsb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex\ngets destroyed by drm_gem_object_release() move the\ndrm_gem_object_release() call in psb_gem_free_object() to after\nthe unpin to fix the below warning:\n\n[   79.693962] ------------[ cut here ]------------\n[   79.693992] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[   79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0\n[   79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse\n[   79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G        W   E      6.0.0-rc3+ #490\n[   79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[   79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0\n[   79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11\n[   79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282\n[   79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000\n[   79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 
00000000ffffffff\n[   79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90\n[   79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138\n[   79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270\n[   79.694690] FS:  00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000\n[   79.694705] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0\n[   79.694734] Call Trace:\n[   79.694749]  <TASK>\n[   79.694761]  ? __schedule+0x47f/0x1670\n[   79.694796]  ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[   79.694830]  ? lock_is_held_type+0xe3/0x140\n[   79.694864]  ? ww_mutex_lock+0x38/0xa0\n[   79.694885]  ? __cond_resched+0x1c/0x30\n[   79.694902]  ww_mutex_lock+0x38/0xa0\n[   79.694925]  psb_gem_unpin+0x27/0x1a0 [gma500_gfx]\n[   79.694964]  psb_gem_unpin+0x199/0x1a0 [gma500_gfx]\n[   79.694996]  drm_gem_object_release_handle+0x50/0x60\n[   79.695020]  ? drm_gem_object_handle_put_unlocked+0xf0/0xf0\n[   79.695042]  idr_for_each+0x4b/0xb0\n[   79.695066]  ? _raw_spin_unlock_irqrestore+0x30/0x60\n[   79.695095]  drm_gem_release+0x1c/0x30\n[   79.695118]  drm_file_free.part.0+0x1ea/0x260\n[   79.695150]  drm_release+0x6a/0x120\n[   79.695175]  __fput+0x9f/0x260\n[   79.695203]  task_work_run+0x59/0xa0\n[   79.695227]  do_exit+0x387/0xbe0\n[   79.695250]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[   79.695275]  ? lockdep_hardirqs_on+0x7d/0x100\n[   79.695304]  do_group_exit+0x33/0xb0\n[   79.695331]  __x64_sys_exit_group+0x14/0x20\n[   79.695353]  do_syscall_64+0x58/0x80\n[   79.695376]  ? up_read+0x17/0x20\n[   79.695401]  ? lock_is_held_type+0xe3/0x140\n[   79.695429]  ? asm_exc_page_fault+0x22/0x30\n[   79.695450]  ? 
lockdep_hardirqs_on+0x7d/0x100\n[   79.695473]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   79.695493] RIP: 0033:0x7ff1ccefe3f1\n[   79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.\n[   79.695607] RSP: 002b:00007ffed4413378 EFLAGS: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from invalid context errors\n\ngma_crtc_page_flip() was holding the event_lock spinlock while calling\ncrtc_funcs->mode_set_base() which takes ww_mutex.\n\nThe only reason to hold event_lock is to clear gma_crtc->page_flip_event\non mode_set_base() errors.\n\nInstead unlock it after setting gma_crtc->page_flip_event and on\nerrors re-take the lock and clear gma_crtc->page_flip_event it\nit is still set.\n\nThis fixes the following WARN/stacktrace:\n\n[  512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870\n[  512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell\n[  512.123031] preempt_count: 1, expected: 0\n[  512.123048] RCU nest depth: 0, expected: 0\n[  512.123066] INFO: lockdep is turned off.\n[  512.123080] irq event stamp: 0\n[  512.123094] hardirqs last  enabled at (0): [<0000000000000000>] 0x0\n[  512.123134] hardirqs last disabled at (0): [<ffffffff8d0ec28c>] copy_process+0x9fc/0x1de0\n[  512.123176] softirqs last  enabled at (0): [<ffffffff8d0ec28c>] copy_process+0x9fc/0x1de0\n[  512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[  512.123233] Preemption disabled at:\n[  512.123241] [<0000000000000000>] 0x0\n[  512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G        W         5.19.0+ #1\n[  512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[  512.123323] Call Trace:\n[  512.123346]  <TASK>\n[  512.123370]  dump_stack_lvl+0x5b/0x77\n[  512.123412]  __might_resched.cold+0xff/0x13a\n[  512.123458]  ww_mutex_lock+0x1e/0xa0\n[  512.123495]  psb_gem_pin+0x2c/0x150 [gma500_gfx]\n[  512.123601]  gma_pipe_set_base+0x76/0x240 [gma500_gfx]\n[  512.123708]  gma_crtc_page_flip+0x95/0x130 [gma500_gfx]\n[  512.123808]  drm_mode_page_flip_ioctl+0x57d/0x5d0\n[  512.123897]  ? 
drm_mode_cursor2_ioctl+0x10/0x10\n[  512.123936]  drm_ioctl_kernel+0xa1/0x150\n[  512.123984]  drm_ioctl+0x21f/0x420\n[  512.124025]  ? drm_mode_cursor2_ioctl+0x10/0x10\n[  512.124070]  ? rcu_read_lock_bh_held+0xb/0x60\n[  512.124104]  ? lock_release+0x1ef/0x2d0\n[  512.124161]  __x64_sys_ioctl+0x8d/0xd0\n[  512.124203]  do_syscall_64+0x58/0x80\n[  512.124239]  ? do_syscall_64+0x67/0x80\n[  512.124267]  ? trace_hardirqs_on_prepare+0x55/0xe0\n[  512.124300]  ? do_syscall_64+0x67/0x80\n[  512.124340]  ? rcu_read_lock_sched_held+0x10/0x80\n[  512.124377]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  512.124411] RIP: 0033:0x7fcc4a70740f\n[  512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n[  512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[  512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f\n[  512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009\n[  512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034\n[  512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0\n[  512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0\n[  512.124647]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got an infinite loop and a WARNING report when executing a tail command\nin virtiofs.\n\n  WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0\n  Modules linked in:\n  CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7\n  Call Trace:\n  <TASK>\n  dax_iomap_rw+0xea/0x620\n  ? __this_cpu_preempt_check+0x13/0x20\n  fuse_dax_read_iter+0x47/0x80\n  fuse_file_read_iter+0xae/0xd0\n  new_sync_read+0xfe/0x180\n  ? 0xffffffff81000000\n  vfs_read+0x14d/0x1a0\n  ksys_read+0x6d/0xf0\n  __x64_sys_read+0x1a/0x20\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe tail command will call read() with a count of 0. In this case,\niomap_iter() will report this WARNING, and always return 1 which casuing\nthe infinite loop in dax_iomap_rw().\n\nFixing by checking count whether is 0 in dax_iomap_rw().",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\n\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\n\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\n\nFix by checking the pavgroup pointer with lcu->lock held.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: prevent skb UAF after handing over to PTP worker\n\nWhen reading the timestamp is required bnxt_tx_int() hands\nover the ownership of the completed skb to the PTP worker.\nThe skb should not be used afterwards, as the worker may\nrun before the rest of our code and free the skb, leading\nto a use-after-free.\n\nSince dev_kfree_skb_any() accepts NULL make the loss of\nownership more obvious and set skb to NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: cgroup_get_from_id() must check the looked-up kn is a directory\n\ncgroup has to be one kernfs dir, otherwise kernel panic is caused,\nespecially cgroup id is provide from userspace.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix possible refcount leak in tc_new_tfilter()\n\ntfilter_put need to be called to put the refount got by tp->ops->get to\navoid possible refcount leak when chain->tmplt_ops != NULL and\nchain->tmplt_ops != tp->ops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n    [  334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n    [  334.694703] Mem abort info:\n    [  334.697486]   ESR = 0x0000000096000004\n    [  334.701234]   EC = 0x25: DABT (current EL), IL = 32 bits\n    [  334.706536]   SET = 0, FnV = 0\n    [  334.709579]   EA = 0, S1PTW = 0\n    [  334.712719]   FSC = 0x04: level 0 translation fault\n    [  334.717586] Data abort info:\n    [  334.720454]   ISV = 0, ISS = 0x00000004\n    [  334.724288]   CM = 0, WnR = 0\n    [  334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n    [  334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n    [  334.740734] Internal error: Oops: 96000004 [#1] SMP\n    [  334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n    [  334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n    [  334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n    [  334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    [  334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n    [  334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n    [  
334.807962] sp : ffff8000221733e0\n    [  334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n    [  334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n    [  334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n    [  334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n    [  334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n    [  334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n    [  334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n    [  334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n    [  334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n    [  334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n    [  334.882532] Call trace:\n    [  334.884967]  bond_rr_gen_slave_id+0x40/0x124 [bonding]\n    [  334.890109]  bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n    [  334.896033]  __bond_start_xmit+0x128/0x3a0 [bonding]\n    [  334.901001]  bond_start_xmit+0x54/0xb0 [bonding]\n    [  334.905622]  dev_hard_start_xmit+0xb4/0x220\n    [  334.909798]  __dev_queue_xmit+0x1a0/0x720\n    [  334.913799]  arp_xmit+0x3c/0xbc\n    [  334.916932]  arp_send_dst+0x98/0xd0\n    [  334.920410]  arp_solicit+0xe8/0x230\n    [  334.923888]  neigh_probe+0x60/0xb0\n    [  334.927279]  __neigh_event_send+0x3b0/0x470\n    [  334.931453]  neigh_resolve_output+0x70/0x90\n    [  334.935626]  ip_finish_output2+0x158/0x514\n    [  334.939714]  __ip_finish_output+0xac/0x1a4\n    [  334.943800]  ip_finish_output+0x40/0xfc\n    [  334.947626]  ip_output+0xf8/0x1a4\n    [  334.950931]  ip_send_skb+0x5c/0x100\n    [  334.954410]  ip_push_pending_frames+0x3c/0x60\n    [  334.958758]  raw_sendmsg+0x458/0x6d0\n    [  334.962325]  inet_sendmsg+0x50/0x80\n    [  334.965805]  sock_sendmsg+0x60/0x6c\n    [  334.969286]  
__sys_sendto+0xc8/0x134\n    [  334.972853]  __arm64_sys_sendto+0x34/0x4c\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix memory leak when blob is malformed\n\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48641",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.12"
        },
        {
          "id": "CVE-2022-48642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()\n\nIt seems to me that percpu memory for chain stats started leaking since\ncommit 3bc158f8d0330f0a (\"netfilter: nf_tables: map basechain priority to\nhardware priority\") when nft_chain_offload_priority() returned an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()\n\nsyzbot is reporting underflow of nft_counters_enabled counter at\nnf_tables_addchain() [1], for commit 43eb8949cfdffa76 (\"netfilter:\nnf_tables: do not leave chain stats enabled on error\") missed that\nnf_tables_chain_destroy() after nft_basechain_init() in the error path of\nnf_tables_addchain() decrements the counter because nft_basechain_init()\nmakes nft_is_base_chain() return true by setting NFT_CHAIN_BASE flag.\n\nIncrement the counter immediately after returning from\nnft_basechain_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48643",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.12"
        },
        {
          "id": "CVE-2022-48644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: avoid disabling offload when it was never enabled\n\nIn an incredibly strange API design decision, qdisc->destroy() gets\ncalled even if qdisc->init() never succeeded, not exclusively since\ncommit 87b60cfacf9f (\"net_sched: fix error recovery at qdisc creation\"),\nbut apparently also earlier (in the case of qdisc_create_dflt()).\n\nThe taprio qdisc does not fully acknowledge this when it attempts full\noffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in\ntaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS\nparsed from netlink (in taprio_change(), tail called from taprio_init()).\n\nBut in taprio_destroy(), we call taprio_disable_offload(), and this\ndetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).\n\nBut looking at the implementation of FULL_OFFLOAD_IS_ENABLED()\n(a bitwise check of bit 1 in q->flags), it is invalid to call this macro\non q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set\nto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on\nan invalid set of flags.\n\nAs a result, it is possible to crash the kernel if user space forces an\nerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling\nof taprio_enable_offload(). 
This is because drivers do not expect the\noffload to be disabled when it was never enabled.\n\nThe error that we force here is to attach taprio as a non-root qdisc,\nbut instead as child of an mqprio root qdisc:\n\n$ tc qdisc add dev swp0 root handle 1: \\\n\tmqprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc qdisc replace dev swp0 parent 1:1 \\\n\ttaprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 990000 sched-entry S 0x80 100000 \\\n\tflags 0x0 clockid CLOCK_TAI\nUnable to handle kernel paging request at virtual address fffffffffffffff8\n[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCall trace:\n taprio_dump+0x27c/0x310\n vsc9959_port_setup_tc+0x1f4/0x460\n felix_port_setup_tc+0x24/0x3c\n dsa_slave_setup_tc+0x54/0x27c\n taprio_disable_offload.isra.0+0x58/0xe0\n taprio_destroy+0x80/0x104\n qdisc_create+0x240/0x470\n tc_modify_qdisc+0x1fc/0x6b0\n rtnetlink_rcv_msg+0x12c/0x390\n netlink_rcv_skb+0x5c/0x130\n rtnetlink_rcv+0x1c/0x2c\n\nFix this by keeping track of the operations we made, and undo the\noffload only if we actually did it.\n\nI've added \"bool offloaded\" inside a 4 byte hole between \"int clockid\"\nand \"atomic64_t picos_per_byte\". 
Now the first cache line looks like\nbelow:\n\n$ pahole -C taprio_sched net/sched/sch_taprio.o\nstruct taprio_sched {\n        struct Qdisc * *           qdiscs;               /*     0     8 */\n        struct Qdisc *             root;                 /*     8     8 */\n        u32                        flags;                /*    16     4 */\n        enum tk_offsets            tk_offset;            /*    20     4 */\n        int                        clockid;              /*    24     4 */\n        bool                       offloaded;            /*    28     1 */\n\n        /* XXX 3 bytes hole, try to pack */\n\n        atomic64_t                 picos_per_byte;       /*    32     0 */\n\n        /* XXX 8 bytes hole, try to pack */\n\n        spinlock_t                 current_entry_lock;   /*    40     0 */\n\n        /* XXX 8 bytes hole, try to pack */\n\n        struct sched_entry *       current_entry;        /*    48     8 */\n        struct sched_gate_list *   oper_sched;           /*    56     8 */\n        /* --- cacheline 1 boundary (64 bytes) --- */",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\n\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\n\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\n\nMoreover, attempting to access these registers crashes the kernel:\n\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\n\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc/siena: fix null pointer dereference in efx_hard_start_xmit\n\nLike in previous patch for sfc, prevent potential (but unlikely) NULL\npointer dereference.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interrupts\n\nIn legacy interrupt mode the tx_channel_offset was hardcoded to 1, but\nthat's not correct if efx_sepparate_tx_channels is false. In that case,\nthe offset is 0 because the tx queues are in the single existing channel\nat index 0, together with the rx queue.\n\nWithout this fix, as soon as you try to send any traffic, it tries to\nget the tx queues from an uninitialized channel getting these errors:\n  WARNING: CPU: 1 PID: 0 at drivers/net/ethernet/sfc/tx.c:540 efx_hard_start_xmit+0x12e/0x170 [sfc]\n  [...]\n  RIP: 0010:efx_hard_start_xmit+0x12e/0x170 [sfc]\n  [...]\n  Call Trace:\n   <IRQ>\n   dev_hard_start_xmit+0xd7/0x230\n   sch_direct_xmit+0x9f/0x360\n   __dev_queue_xmit+0x890/0xa40\n  [...]\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n  [...]\n  RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]\n  [...]\n  Call Trace:\n   <IRQ>\n   dev_hard_start_xmit+0xd7/0x230\n   sch_direct_xmit+0x9f/0x360\n   __dev_queue_xmit+0x890/0xa40\n  [...]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn't\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it's wrong anyway so let's fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n  [...]\n  RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu'\nkunit test case cause a use-after-free error:\n\n  BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n  Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n  CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G    B            N 6.0.0-rc5-next-20220916 #17\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x48\n   print_address_description.constprop.0+0x87/0x2a5\n   print_report+0x103/0x1ed\n   kasan_report+0xb7/0x140\n   kobject_del+0x14/0x30\n   kmem_cache_destroy+0x130/0x170\n   test_exit+0x1a/0x30\n   kunit_try_run_case+0xad/0xc0\n   kunit_generic_run_threadfn_adapter+0x26/0x50\n   kthread+0x17b/0x1b0\n   </TASK>\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n    acquire lock/mutex\n    shutdown_cache\n        schedule_work(kmem_cache_release) (if RCU flag set)\n    release lock/mutex\n    kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like 'refcnt'",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48649",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.12"
        },
        {
          "id": "CVE-2022-48650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()\n\nCommit 8f394da36a36 (\"scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG\")\nmade the __qlt_24xx_handle_abts() function return early if\ntcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean\nup the allocated memory for the management command.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb->mac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n  1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW\n     and skb->protocol is not specified as in packet_parse_headers()\n\n  2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()\n\nIn this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb->head + skb->mac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.",
          "scorev2": "0.0",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix crash by keep old cfg when update TCs more than queues\n\nThere are problems if allocated queues less than Traffic Classes.\n\nCommit a632b2a4c920 (\"ice: ethtool: Prohibit improper channel config\nfor DCB\") already disallow setting less queues than TCs.\n\nAnother case is if we first set less queues, and later update more TCs\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\n\n[   95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\n[   95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\n[   95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\n[   95.969621] general protection fault: 0000 [#1] SMP NOPTI\n[   95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G     U  W  O     --------- -t - 4.18.0 #1\n[   95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\n[   95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\n[   95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\n[   95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\n[   95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\n[   95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\n[   95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\n[   95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\n[   95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\n[   95.970981] FS:  00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\n[   95.971108] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\n[   95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   95.971530] PKRU: 55555554\n[   95.971573] Call Trace:\n[   95.971622]  ice_setup_rx_ring+0x39/0x110 [ice]\n[   95.971695]  ice_vsi_setup_rx_rings+0x54/0x90 [ice]\n[   95.971774]  ice_vsi_open+0x25/0x120 [ice]\n[   95.971843]  ice_open_internal+0xb8/0x1f0 [ice]\n[   95.971919]  ice_ena_vsi+0x4f/0xd0 [ice]\n[   95.971987]  ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\n[   95.972082]  ice_pf_dcb_cfg+0x29a/0x380 [ice]\n[   95.972154]  ice_dcbnl_setets+0x174/0x1b0 [ice]\n[   95.972220]  dcbnl_ieee_set+0x89/0x230\n[   95.972279]  ? dcbnl_ieee_del+0x150/0x150\n[   95.972341]  dcb_doit+0x124/0x1b0\n[   95.972392]  rtnetlink_rcv_msg+0x243/0x2f0\n[   95.972457]  ? dcb_doit+0x14d/0x1b0\n[   95.972510]  ? __kmalloc_node_track_caller+0x1d3/0x280\n[   95.972591]  ? rtnl_calcit.isra.31+0x100/0x100\n[   95.972661]  netlink_rcv_skb+0xcf/0xf0\n[   95.972720]  netlink_unicast+0x16d/0x220\n[   95.972781]  netlink_sendmsg+0x2ba/0x3a0\n[   95.975891]  sock_sendmsg+0x4c/0x50\n[   95.979032]  ___sys_sendmsg+0x2e4/0x300\n[   95.982147]  ? kmem_cache_alloc+0x13e/0x190\n[   95.985242]  ? __wake_up_common_lock+0x79/0x90\n[   95.988338]  ? __check_object_size+0xac/0x1b0\n[   95.991440]  ? _copy_to_user+0x22/0x30\n[   95.994539]  ? move_addr_to_user+0xbb/0xd0\n[   95.997619]  ? __sys_sendmsg+0x53/0x80\n[   96.000664]  __sys_sendmsg+0x53/0x80\n[   96.003747]  do_syscall_64+0x5b/0x1d0\n[   96.006862]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\nqueue map failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't double unplug aux on peer initiated reset\n\nIn the IDC callback that is accessed when the aux drivers request a reset,\nthe function to unplug the aux devices is called.  This function is also\ncalled in the ice_prepare_for_reset function. This double call is causing\na \"scheduling while atomic\" BUG.\n\n[  662.676430] ice 0000:4c:00.0 rocep76s0: cqp opcode = 0x1 maj_err_code = 0xffff min_err_code = 0x8003\n\n[  662.676609] ice 0000:4c:00.0 rocep76s0: [Modify QP Cmd Error][op_code=8] status=-29 waiting=1 completion_err=1 maj=0xffff min=0x8003\n\n[  662.815006] ice 0000:4c:00.0 rocep76s0: ICE OICR event notification: oicr = 0x10000003\n\n[  662.815014] ice 0000:4c:00.0 rocep76s0: critical PE Error, GLPE_CRITERR=0x00011424\n\n[  662.815017] ice 0000:4c:00.0 rocep76s0: Requesting a reset\n\n[  662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n\n[  662.815475] BUG: scheduling while atomic: swapper/37/0/0x00010002\n[  662.815477] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill 8021q garp mrp stp llc vfat fat rpcrdma intel_rapl_msr intel_rapl_common sunrpc i10nm_edac rdma_ucm nfit ib_srpt libnvdimm ib_isert iscsi_target_mod x86_pkg_temp_thermal intel_powerclamp coretemp target_core_mod snd_hda_intel ib_iser snd_intel_dspcfg libiscsi snd_intel_sdw_acpi scsi_transport_iscsi kvm_intel iTCO_wdt rdma_cm snd_hda_codec kvm iw_cm ipmi_ssif iTCO_vendor_support snd_hda_core irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hwdep snd_seq snd_seq_device rapl snd_pcm snd_timer isst_if_mbox_pci pcspkr isst_if_mmio irdma intel_uncore idxd acpi_ipmi joydev isst_if_common snd mei_me idxd_bus ipmi_si soundcore i2c_i801 mei ipmi_devintf i2c_smbus i2c_ismt ipmi_msghandler acpi_power_meter acpi_pad rv(OE) ib_uverbs ib_cm ib_core xfs libcrc32c ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helpe\n r ttm\n[  662.815546]  nvme nvme_core ice drm crc32c_intel i40e t10_pi wmi pinctrl_emmitsburg dm_mirror dm_region_hash dm_log dm_mod fuse\n[  662.815557] Preemption disabled at:\n[  662.815558] [<0000000000000000>] 0x0\n[  662.815563] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Tainted: G S         OE     5.17.1 #2\n[  662.815566] Hardware name: Intel Corporation D50DNP/D50DNP, BIOS SE5C6301.86B.6624.D18.2111021741 11/02/2021\n[  662.815568] Call Trace:\n[  662.815572]  <IRQ>\n[  662.815574]  dump_stack_lvl+0x33/0x42\n[  662.815581]  __schedule_bug.cold.147+0x7d/0x8a\n[  662.815588]  __schedule+0x798/0x990\n[  662.815595]  schedule+0x44/0xc0\n[  662.815597]  schedule_preempt_disabled+0x14/0x20\n[  662.815600]  __mutex_lock.isra.11+0x46c/0x490\n[  662.815603]  ? __ibdev_printk+0x76/0xc0 [ib_core]\n[  662.815633]  device_del+0x37/0x3d0\n[  662.815639]  ice_unplug_aux_dev+0x1a/0x40 [ice]\n[  662.815674]  ice_schedule_reset+0x3c/0xd0 [ice]\n[  662.815693]  irdma_iidc_event_handler.cold.7+0xb6/0xd3 [irdma]\n[  662.815712]  ? bitmap_find_next_zero_area_off+0x45/0xa0\n[  662.815719]  ice_send_event_to_aux+0x54/0x70 [ice]\n[  662.815741]  ice_misc_intr+0x21d/0x2d0 [ice]\n[  662.815756]  __handle_irq_event_percpu+0x4c/0x180\n[  662.815762]  handle_irq_event_percpu+0xf/0x40\n[  662.815764]  handle_irq_event+0x34/0x60\n[  662.815766]  handle_edge_irq+0x9a/0x1c0\n[  662.815770]  __common_interrupt+0x62/0x100\n[  662.815774]  common_interrupt+0xb4/0xd0\n[  662.815779]  </IRQ>\n[  662.815780]  <TASK>\n[  662.815780]  asm_common_interrupt+0x1e/0x40\n[  662.815785] RIP: 0010:cpuidle_enter_state+0xd6/0x380\n[  662.815789] Code: 49 89 c4 0f 1f 44 00 00 31 ff e8 65 d7 95 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 64 02 00 00 31 ff e8 ae c5 9c ff fb 45 85 f6 <0f> 88 12 01 00 00 49 63 d6 4c 2b 24 24 48 8d 04 52 48 8d 04 82 49\n[  662.815791] RSP: 0018:ff2c2c4f18edbe80 EFLAGS: 00000202\n[  662.815793] RAX: ff280805df140000 RBX: 0000000000000002 RCX: 000000000000001f\n[  662.815795] RDX: 0000009a52da2d08 R\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()\n\nnf_osf_find() incorrectly returns true on mismatch, this leads to\ncopying uninitialized memory area in nft_osf which can be used to leak\nstale kernel stack data to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Harden accesses to the reset domains\n\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\n\nAdd an internal consistency check before any such domains descriptors\naccesses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get()\n\nWe should call of_node_put() for the reference returned by\nof_parse_phandle() in fail path or when it is not used anymore.\nHere we only need to move the of_node_put() before the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: topology: fix possible overflow in amu_fie_setup()\n\ncpufreq_get_hw_max_freq() returns max frequency in kHz as *unsigned int*,\nwhile freq_inv_set_max_ratio() gets passed this frequency in Hz as 'u64'.\nMultiplying max frequency by 1000 can potentially result in overflow --\nmultiplying by 1000ULL instead should avoid that...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: fix flush_cpu_slab()/__free_slab() invocations in task context.\n\nCommit 5a836bf6b09f (\"mm: slub: move flush_cpu_slab() invocations\n__free_slab() invocations out of IRQ context\") moved all flush_cpu_slab()\ninvocations to the global workqueue to avoid a problem related\nwith deactivate_slab()/__free_slab() being called from an IRQ context\non PREEMPT_RT kernels.\n\nWhen the flush_all_cpu_locked() function is called from a task context\nit may happen that a workqueue with WQ_MEM_RECLAIM bit set ends up\nflushing the global workqueue, this will cause a dependency issue.\n\n workqueue: WQ_MEM_RECLAIM nvme-delete-wq:nvme_delete_ctrl_work [nvme_core]\n   is flushing !WQ_MEM_RECLAIM events:flush_cpu_slab\n WARNING: CPU: 37 PID: 410 at kernel/workqueue.c:2637\n   check_flush_dependency+0x10a/0x120\n Workqueue: nvme-delete-wq nvme_delete_ctrl_work [nvme_core]\n RIP: 0010:check_flush_dependency+0x10a/0x120[  453.262125] Call Trace:\n __flush_work.isra.0+0xbf/0x220\n ? __queue_work+0x1dc/0x420\n flush_all_cpus_locked+0xfb/0x120\n __kmem_cache_shutdown+0x2b/0x320\n kmem_cache_destroy+0x49/0x100\n bioset_exit+0x143/0x190\n blk_release_queue+0xb9/0x100\n kobject_cleanup+0x37/0x130\n nvme_fc_ctrl_free+0xc6/0x150 [nvme_fc]\n nvme_free_ctrl+0x1ac/0x2b0 [nvme_core]\n\nFix this bug by creating a workqueue for the flush operation with\nthe WQ_MEM_RECLAIM bit set.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: fix to return errno if kmalloc() fails\n\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\n\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\n\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: Fix potential resource leakage when register a chip\n\nIf creation of software node fails, the locally allocated string\narray is left unfreed. Free it on error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Really move i915_gem_context.link under ref protection\n\ni915_perf assumes that it can use the i915_gem_context reference to\nprotect its i915->gem.contexts.list iteration. However, this requires\nthat we do not remove the context from the list until after we drop the\nfinal reference and release the struct. If, as currently, we remove the\ncontext from the list during context_close(), the link.next pointer may\nbe poisoned while we are holding the context reference and cause a GPF:\n\n[ 4070.573157] i915 0000:00:02.0: [drm:i915_perf_open_ioctl [i915]] filtering on ctx_id=0x1fffff ctx_id_mask=0x1fffff\n[ 4070.574881] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP\n[ 4070.574897] CPU: 1 PID: 284392 Comm: amd_performance Tainted: G            E     5.17.9 #180\n[ 4070.574903] Hardware name: Intel Corporation NUC7i5BNK/NUC7i5BNB, BIOS BNKBL357.86A.0052.2017.0918.1346 09/18/2017\n[ 4070.574907] RIP: 0010:oa_configure_all_contexts.isra.0+0x222/0x350 [i915]\n[ 4070.574982] Code: 08 e8 32 6e 10 e1 4d 8b 6d 50 b8 ff ff ff ff 49 83 ed 50 f0 41 0f c1 04 24 83 f8 01 0f 84 e3 00 00 00 85 c0 0f 8e fa 00 00 00 <49> 8b 45 50 48 8d 70 b0 49 8d 45 50 48 39 44 24 10 0f 85 34 fe ff\n[ 4070.574990] RSP: 0018:ffffc90002077b78 EFLAGS: 00010202\n[ 4070.574995] RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000000\n[ 4070.575000] RDX: 0000000000000001 RSI: ffffc90002077b20 RDI: ffff88810ddc7c68\n[ 4070.575004] RBP: 0000000000000001 R08: ffff888103242648 R09: fffffffffffffffc\n[ 4070.575008] R10: ffffffff82c50bc0 R11: 0000000000025c80 R12: ffff888101bf1860\n[ 4070.575012] R13: dead0000000000b0 R14: ffffc90002077c04 R15: ffff88810be5cabc\n[ 4070.575016] FS:  00007f1ed50c0780(0000) GS:ffff88885ec80000(0000) knlGS:0000000000000000\n[ 4070.575021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4070.575025] CR2: 00007f1ed5590280 CR3: 000000010ef6f005 CR4: 00000000003706e0\n[ 4070.575029] Call Trace:\n[ 4070.575033]  <TASK>\n[ 4070.575037]  lrc_configure_all_contexts+0x13e/0x150 [i915]\n[ 4070.575103]  gen8_enable_metric_set+0x4d/0x90 [i915]\n[ 4070.575164]  i915_perf_open_ioctl+0xbc0/0x1500 [i915]\n[ 4070.575224]  ? asm_common_interrupt+0x1e/0x40\n[ 4070.575232]  ? i915_oa_init_reg_state+0x110/0x110 [i915]\n[ 4070.575290]  drm_ioctl_kernel+0x85/0x110\n[ 4070.575296]  ? update_load_avg+0x5f/0x5e0\n[ 4070.575302]  drm_ioctl+0x1d3/0x370\n[ 4070.575307]  ? i915_oa_init_reg_state+0x110/0x110 [i915]\n[ 4070.575382]  ? gen8_gt_irq_handler+0x46/0x130 [i915]\n[ 4070.575445]  __x64_sys_ioctl+0x3c4/0x8d0\n[ 4070.575451]  ? __do_softirq+0xaa/0x1d2\n[ 4070.575456]  do_syscall_64+0x35/0x80\n[ 4070.575461]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 4070.575467] RIP: 0033:0x7f1ed5c10397\n[ 4070.575471] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 da 0d 00 f7 d8 64 89 01 48\n[ 4070.575478] RSP: 002b:00007ffd65c8d7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 4070.575484] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f1ed5c10397\n[ 4070.575488] RDX: 00007ffd65c8d7c0 RSI: 0000000040106476 RDI: 0000000000000006\n[ 4070.575492] RBP: 00005620972f9c60 R08: 000000000000000a R09: 0000000000000005\n[ 4070.575496] R10: 000000000000000d R11: 0000000000000246 R12: 000000000000000a\n[ 4070.575500] R13: 000000000000000d R14: 0000000000000000 R15: 00007ffd65c8d7c0\n[ 4070.575505]  </TASK>\n[ 4070.575507] Modules linked in: nls_ascii(E) nls_cp437(E) vfat(E) fat(E) i915(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) aesni_intel(E) crypto_simd(E) intel_gtt(E) cryptd(E) ttm(E) rapl(E) intel_cstate(E) drm_kms_helper(E) cfbfillrect(E) syscopyarea(E) cfbimgblt(E) intel_uncore(E) sysfillrect(E) mei_me(E) sysimgblt(E) i2c_i801(E) fb_sys_fops(E) mei(E) intel_pch_thermal(E) i2c_smbus\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mockup: fix NULL pointer dereference when removing debugfs\n\nWe now remove the device's debugfs entries when unbinding the driver.\nThis now causes a NULL-pointer dereference on module exit because the\nplatform devices are unregistered *after* the global debugfs directory\nhas been recursively removed. Fix it by unregistering the devices first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48663",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.12"
        },
        {
          "id": "CVE-2022-48664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a space reclaim worker\n\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\n\n  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n  Sep 07 11:55:32 debian9 kernel:       Not tainted 6.0.0-rc2-btrfs-next-122 #1\n  Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  Sep 07 11:55:32 debian9 kernel: task:umount          state:D stack:    0 pid:49438 ppid: 25683 flags:0x00004000\n  Sep 07 11:55:32 debian9 kernel: Call Trace:\n  Sep 07 11:55:32 debian9 kernel:  <TASK>\n  Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0\n  Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70\n  Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0\n  Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130\n  Sep 07 11:55:32 debian9 kernel:  ? lock_release+0x224/0x4a0\n  Sep 07 11:55:32 debian9 kernel:  ? lock_acquired+0x1a0/0x420\n  Sep 07 11:55:32 debian9 kernel:  ? trace_hardirqs_on+0x2c/0xd0\n  Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200\n  Sep 07 11:55:32 debian9 kernel:  ? usleep_range_state+0xb0/0xb0\n  Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530\n  Sep 07 11:55:32 debian9 kernel:  ? flush_workqueue_prep_pwqs+0x140/0x140\n  Sep 07 11:55:32 debian9 kernel:  ? trace_clock_local+0xc/0x30\n  Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? __trace_bputs+0x10b/0x170\n  Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? evict_inodes+0x166/0x1c0\n  Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120\n  Sep 07 11:55:32 debian9 kernel:  kill_anon_super+0x14/0x30\n  Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  deactivate_locked_super+0x2e/0xa0\n  Sep 07 11:55:32 debian9 kernel:  cleanup_mnt+0x100/0x160\n  Sep 07 11:55:32 debian9 kernel:  task_work_run+0x59/0xa0\n  Sep 07 11:55:32 debian9 kernel:  exit_to_user_mode_prepare+0x1a6/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  syscall_exit_to_user_mode+0x16/0x40\n  Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90\n  Sep 07 11:55:32 debian9 kernel:  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel:  </TASK>\n\nWhat happens is the following:\n\n1) The cleaner kthread tries to start a transaction to delete an unused\n   block group, but the metadata reservation can not be satisfied right\n   away, so a reservation ticket is created and it starts the async\n   metadata reclaim task (fs_info->async_reclaim_work);\n\n2) Writeback for all the filler inodes with an i_size of 2K starts\n   (generic/562 creates a lot of 2K files with the goal of filling\n   metadata space). We try to create an inline extent for them, but we\n   fail when trying to insert the inline extent with -ENOSPC (at\n   cow_file_range_inline()) - since this is not critical, we fallback\n   to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix overflow for large capacity partition\n\nUsing int type for sector index, there will be overflow in a large\ncapacity partition.\n\nFor example, if storage with sector size of 512 bytes and partition\ncapacity is larger than 2TB, there will be overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in insert range\n\ninsert range doesn't discard the affected cached region\nso can risk temporarily corrupting file data.\n\nAlso includes some minor cleanup (avoiding rereading\ninode size repeatedly unnecessarily) to make it clearer.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix temporary data corruption in collapse range\n\ncollapse range doesn't discard the affected cached region\nso can risk temporarily corrupting the file data. This\nfixes xfstest generic/031\n\nI also decided to merge a minor cleanup to this into the same patch\n(avoiding rereading inode size repeatedly unnecessarily) to make it\nclearer.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix potential memleak in papr_get_attr()\n\n`buf` is allocated in papr_get_attr(), and krealloc() of `buf`\ncould fail. We need to free the original `buf` in the case of failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2022-48670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npeci: cpu: Fix use-after-free in adev_release()\n\nWhen auxiliary_device_add() returns an error, auxiliary_device_uninit()\nis called, which causes refcount for device to be decremented and\n.release callback will be triggered.\n\nBecause adev_release() re-calls auxiliary_device_uninit(), it will cause\nuse-after-free:\n[ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15\n[ 1269.464007] refcount_t: underflow; use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()\n\nsyzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at\ncpuset_attach() [1], for commit 4f7e7236435ca0ab (\"cgroup: Fix\nthreadgroup_rwsem <-> cpus_read_lock() deadlock\") missed that\ncpuset_attach() is also called from cgroup_attach_task_all().\nAdd cpus_read_lock() like what cgroup_procs_write_start() does.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48671",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.11"
        },
        {
          "id": "CVE-2022-48672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S         OE     5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  _raw_spin_lock_irqsave+0x30/0x40\n  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n  tasklet_action_common.isra.21+0x66/0x100\n  __do_softirq+0xd5/0x29c\n  asm_call_irq_on_stack+0x12/0x20\n  </IRQ>\n  do_softirq_own_stack+0x37/0x40\n  irq_exit_rcu+0x9d/0xa0\n  sysvec_call_function_single+0x34/0x80\n  asm_sysvec_call_function_single+0x12/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix pcluster use-after-free on UP platforms\n\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\n\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\n\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\n\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\n\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2  state:D stack:    0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722]  <TASK>\n[64843.077724]  __schedule+0x23d/0x590\n[64843.077729]  schedule+0x4e/0xb0\n[64843.077735]  schedule_preempt_disabled+0xe/0x10\n[64843.077740]  __mutex_lock.constprop.0+0x263/0x490\n[64843.077747]  __mutex_lock_slowpath+0x13/0x20\n[64843.077752]  mutex_lock+0x34/0x40\n[64843.077758]  mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808]  __mmu_notifier_release+0x1a4/0x200\n[64843.077816]  exit_mmap+0x1bc/0x200\n[64843.077822]  ? walk_page_range+0x9c/0x120\n[64843.077828]  ? __cond_resched+0x1a/0x50\n[64843.077833]  ? mutex_lock+0x13/0x40\n[64843.077839]  ? uprobe_clear_state+0xac/0x120\n[64843.077860]  mmput+0x5f/0x140\n[64843.077867]  ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931]  pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962]  pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992]  pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022]  mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051]  process_one_work+0x22b/0x3d0\n[64843.078059]  worker_thread+0x53/0x410\n[64843.078065]  ? process_one_work+0x3d0/0x3d0\n[64843.078073]  kthread+0x12a/0x150\n[64843.078079]  ? set_kthread_struct+0x50/0x50\n[64843.078085]  ret_from_fork+0x22/0x30\n[64843.078093]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208\n #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,\n    family=<optimized out>) at net/netlink/genetlink.c:731\n #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n    family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775\n #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)\n    at net/netlink/af_netlink.c:2501\n #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n    at net/netlink/af_netlink.c:1319\n #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)\n    at net/netlink/af_netlink.c:1345\n #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G        W I        5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS:  00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737]  <TASK>\n[ 8687.912843]  i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040]  pci_device_remove+0x33/0xa0\n[ 8687.920962]  device_release_driver_internal+0x1aa/0x230\n[ 8687.926188]  driver_detach+0x44/0x90\n[ 8687.929770]  bus_remove_driver+0x55/0xe0\n[ 8687.933693]  pci_unregister_driver+0x2a/0xb0\n[ 8687.937967]  i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i<=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n  comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n  hex dump (first 32 bytes):\n    28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff  (d#.....(d#.....\n    90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff  ................\n  backtrace:\n    [<ffffffff83a8c59b>] kmalloc include/linux/slab.h:600 [inline]\n    [<ffffffff83a8c59b>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n    [<ffffffff83a9239a>] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n    [<ffffffff83a9239a>] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n    [<ffffffff83a9b14b>] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n    [<ffffffff83a9c41b>] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n    [<ffffffff83a3d6a6>] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n    [<ffffffff83a3db79>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n    [<ffffffff83a3db79>] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n    [<ffffffff83a13b17>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n    [<ffffffff83a13b17>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n    [<ffffffff83a13fd6>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n    [<ffffffff83865ab6>] sock_sendmsg_nosec net/socket.c:714 [inline]\n    [<ffffffff83865ab6>] sock_sendmsg+0x56/0x80 net/socket.c:734\n    [<ffffffff8386601c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n    [<ffffffff8386a918>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n    [<ffffffff8386aaa8>] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n    [<ffffffff845e5955>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff845e5955>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue:  0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix drain SQ hang with no completion\n\nSW generated completions for outstanding WRs posted on SQ\nafter QP is in error target the wrong CQ. This causes the\nib_drain_sq to hang with no completion.\n\nFix this to generate completions on the right CQ.\n\n[  863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds.\n[  863.979224]       Not tainted 5.14.0-130.el9.x86_64 #1\n[  863.986588] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  863.996997] task:kworker/u52:2   state:D stack:    0 pid:  671 ppid:     2 flags:0x00004000\n[  864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc]\n[  864.014056] Call Trace:\n[  864.017575]  __schedule+0x206/0x580\n[  864.022296]  schedule+0x43/0xa0\n[  864.026736]  schedule_timeout+0x115/0x150\n[  864.032185]  __wait_for_common+0x93/0x1d0\n[  864.037717]  ? usleep_range_state+0x90/0x90\n[  864.043368]  __ib_drain_sq+0xf6/0x170 [ib_core]\n[  864.049371]  ? __rdma_block_iter_next+0x80/0x80 [ib_core]\n[  864.056240]  ib_drain_sq+0x66/0x70 [ib_core]\n[  864.062003]  rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma]\n[  864.069365]  ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc]\n[  864.076386]  xprt_rdma_close+0xe/0x30 [rpcrdma]\n[  864.082593]  xprt_autoclose+0x52/0x100 [sunrpc]\n[  864.088718]  process_one_work+0x1e8/0x3c0\n[  864.094170]  worker_thread+0x50/0x3b0\n[  864.099109]  ? rescuer_thread+0x370/0x370\n[  864.104473]  kthread+0x149/0x170\n[  864.109022]  ? set_kthread_struct+0x40/0x40\n[  864.114713]  ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: spi: Reserve space for register address/padding\n\nCurrently the max_raw_read and max_raw_write limits in regmap_spi struct\ndo not take into account the additional size of the transmitted register\naddress and padding.  This may result in exceeding the maximum permitted\nSPI message size, which could cause undefined behaviour, e.g. data\ncorruption.\n\nFix regmap_get_spi_bus() to properly adjust the above mentioned limits\nby reserving space for the register address/padding as set in the regmap\nconfiguration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  Fix this up by properly\ncalling dput().",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nfewer than 4 interfaces; an out-of-bounds read occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some cases, the GDDV returns a package with a buffer which has\nzero length. This causes kmemdup() to return ZERO_SIZE_PTR (0x10).\n\nThen data_vault_read() hits a NULL pointer dereference when\naccessing the 0x10 value in data_vault.\n\n[   71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough the radeon card fences and waits for the GPU to finish processing the current batch of rings,\nthere is still a corner case where the radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput the device in the D3hot state.\nPer PCI spec rev 4.0, section 5.3.1.4.1, D3hot State:\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue shows up in the following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [<ffffffff811bea5c>]  ra = [<ffffffff81240844>]  ps = 0000 Tainted: G        W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000  t0 = fff08800e0008010  t1 = 0000000000010000\nt2 = 0000000000008010  t3 = fff00007e3c00000  t4 = fff00007e3c00258\nt5 = 000000000000ffff  t6 = 0000000000000001  t7 = fff00007ef078000\ns0 = fff00007e3c016e8  s1 = fff00007e3c00000  s2 = fff00007e3c00018\ns3 = fff00007e3c00000  s4 = fff00007fff59d80  s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000  a1 = fff00007e3c016e8  a2 = 0000000000000008\na3 = 0000000000000001  a4 = 8f5c28f5c28f5c29  a5 = ffffffff810f4338\nt8 = 0000000000000275  t9 = ffffffff809b66f8  t10 = ff6769c5d964b800\nt11= 000000000000b886  pv = ffffffff811bea20  at = 0000000000000000\ngp = ffffffff81d89690  sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0\n[<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290\n[<ffffffff80977010>] process_one_work+0x280/0x550\n[<ffffffff80977350>] worker_thread+0x70/0x7c0\n[<ffffffff80977410>] worker_thread+0x130/0x7c0\n[<ffffffff80982040>] kthread+0x200/0x210\n[<ffffffff809772e0>] worker_thread+0x0/0x7c0\n[<ffffffff80981f8c>] kthread+0x14c/0x210\n[<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20\n[<ffffffff80981e40>] kthread+0x0/0x210\n Code: ad3e0008  43f0074a  ad7e0018  ad9e0020  8c3001e8  40230101\n <88210000> 4821ed21\nSo force a lockup work queue flush to fix this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix crash in chip reset fail\n\nIn case of a drv own failure in reset, we may need to run mac_reset several\ntimes. The sequence would trigger a system crash as in the log below.\n\nBecause we do not re-enable/schedule \"tx_napi\" before disabling it again,\nthe process would keep waiting for a state change in napi_disable(). To\navoid the problem and keep the state synchronized for each run, go to the final\nresource handling if drv own failed.\n\n[ 5857.353423] mt7921e 0000:3b:00.0: driver own failed\n[ 5858.433427] mt7921e 0000:3b:00.0: Timeout for driver own\n[ 5859.633430] mt7921e 0000:3b:00.0: driver own failed\n[ 5859.633444] ------------[ cut here ]------------\n[ 5859.633446] WARNING: CPU: 6 at kernel/kthread.c:659 kthread_park+0x11d\n[ 5859.633717] Workqueue: mt76 mt7921_mac_reset_work [mt7921_common]\n[ 5859.633728] RIP: 0010:kthread_park+0x11d/0x150\n[ 5859.633736] RSP: 0018:ffff8881b676fc68 EFLAGS: 00010202\n......\n[ 5859.633766] Call Trace:\n[ 5859.633768]  <TASK>\n[ 5859.633771]  mt7921e_mac_reset+0x176/0x6f0 [mt7921e]\n[ 5859.633778]  mt7921_mac_reset_work+0x184/0x3a0 [mt7921_common]\n[ 5859.633785]  ? mt7921_mac_set_timing+0x520/0x520 [mt7921_common]\n[ 5859.633794]  ? __kasan_check_read+0x11/0x20\n[ 5859.633802]  process_one_work+0x7ee/0x1320\n[ 5859.633810]  worker_thread+0x53c/0x1240\n[ 5859.633818]  kthread+0x2b8/0x370\n[ 5859.633824]  ? process_one_work+0x1320/0x1320\n[ 5859.633828]  ? kthread_complete_and_exit+0x30/0x30\n[ 5859.633834]  ret_from_fork+0x1f/0x30\n[ 5859.633842]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-48706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. A call is made to the correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this, so it is needed to do it here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix null pointer dereference for resetting decoder\n\nNot all decoders have a reset callback.\n\nThe CXL specification allows a host bridge with a single root port to\nhave no explicit HDM decoders. Currently the region driver assumes there\nare none.  As such the CXL core creates a special pass through decoder\ninstance without a commit/reset callback.\n\nPrior to this patch, the ->reset() callback was called unconditionally when\ncalling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge,\n1 Root Port, and one directly attached CXL type 3 device or multiple CXL\ntype 3 devices attached to downstream ports of a switch can cause a null\npointer dereference.\n\nBefore the fix, a kernel crash was observed when we destroy the region, and\na pass through decoder is reset.\n\nThe issue can be reproduced as below,\n    1) create a region with a CXL setup which includes a HB with a\n    single root port under which a memdev is attached directly.\n    2) destroy the region with cxl destroy-region regionX -f.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference\n\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: switch: fix potential memleak in ice_add_adv_recipe()\n\nWhen ice_add_special_words() fails, the 'rm' is not released, which will\nlead to a memory leak. Fix this up by going to 'err_unroll' label.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48710",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-48711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: improve size validations for received domain records\n\nThe function tipc_mon_rcv() allows a node to receive and process\ndomain_record structs from peer nodes to track their views of the\nnetwork topology.\n\nThis patch verifies that the number of members in a received domain\nrecord does not exceed the limit defined by MAX_MON_DOMAIN, something\nthat may otherwise lead to a stack overflow.\n\ntipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where\nwe are reading a 32 bit message data length field into a uint16.  To\navert any risk of bit overflow, we add an extra sanity check for this in\nthat function.  We cannot see that happen with the current code, but\nfuture designers being unaware of this risk, may introduce it by\nallowing delivery of very large (> 64k) sk buffers from the bearer\nlayer.  This potential problem was identified by Eric Dumazet.\n\nThis fixes CVE-2022-0435",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48711",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix error handling in ext4_fc_record_modified_inode()\n\nThe current code does not fully take care of the krealloc() error case, which\ncould lead to silent memory corruption or a kernel bug.  This patch\nfixes that.\n\nIt also cleans up some duplicated error handling logic from various\nfunctions in the fast_commit.c file.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48712",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/pt: Fix crash with stop filters in single-range mode\n\nAdd a check for !buf->single before calling pt_buffer_region_size in a\nplace where a missing check can cause a kernel crash.\n\nFixes a bug introduced by commit 670638477aed (\"perf/x86/intel/pt:\nOpportunistically use single range output mode\"), which added a\nsupport for PT single-range output mode. Since that commit if a PT\nstop filter range is hit while tracing, the kernel will crash because\nof a null pointer dereference in pt_handle_status due to calling\npt_buffer_region_size without a ToPA configured.\n\nThe commit which introduced single-range mode guarded almost all uses of\nthe ToPA buffer variables with checks of the buf->single variable, but\nmissed the case where tracing was stopped by the PT hardware, which\nhappens when execution hits a configured stop filter.\n\nTested that hitting a stop filter while PT recording successfully\nrecords a trace with this patch but crashes without this patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48713",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use VM_MAP instead of VM_ALLOC for ringbuf\n\nAfter commit 2fd3fb0be1d1 (\"kasan, vmalloc: unpoison VM_ALLOC pages\nafter mapping\"), non-VM_ALLOC mappings will be marked as accessible\nin __get_vm_area_node() when KASAN is enabled. But now the flag for the\nringbuf area is VM_ALLOC, so KASAN will complain about an out-of-bounds access\nafter vmap() returns. Because the ringbuf area is created by mapping\nallocated pages, use VM_MAP instead.\n\nAfter the change, the info in /proc/vmallocinfo also changes from\n  [start]-[end]   24576 ringbuf_map_alloc+0x171/0x290 vmalloc user\nto\n  [start]-[end]   24576 ringbuf_map_alloc+0x171/0x290 vmap user",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48714",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Make bnx2fc_recv_frame() mp safe\n\nRunning tests with a debug kernel shows that bnx2fc_recv_frame() is\nmodifying the per_cpu lport stats counters in a non-mpsafe way.  Just boot\na debug kernel and run the bnx2fc driver with the hardware enabled.\n\n[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_\n[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G    B\n[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n[ 1391.699183] Call Trace:\n[ 1391.699188]  dump_stack_lvl+0x57/0x7d\n[ 1391.699198]  check_preemption_disabled+0xc8/0xd0\n[ 1391.699205]  bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699215]  ? do_raw_spin_trylock+0xb5/0x180\n[ 1391.699221]  ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc]\n[ 1391.699229]  ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc]\n[ 1391.699240]  bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc]\n[ 1391.699250]  ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc]\n[ 1391.699258]  kthread+0x364/0x420\n[ 1391.699263]  ? _raw_spin_unlock_irq+0x24/0x50\n[ 1391.699268]  ? set_kthread_struct+0x100/0x100\n[ 1391.699273]  ret_from_fork+0x22/0x30\n\nRestore the old get_cpu/put_cpu code with some modifications to reduce the\nsize of the critical section.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48715",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix incorrect use of portid\n\nMixer controls have the channel id in mixer->reg, which is not the same\nas the port id. The port id should be derived from the chan_info array.\nSo fix this. Without this, it's possible that we could corrupt\nstruct wcd938x_sdw_priv by accessing the port_map array out of range\nwith the channel id instead of the port id.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48716",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: max9759: fix underflow in speaker_gain_control_put()\n\nCheck for negative values of \"priv->gain\" to prevent an out of bounds\naccess.  The concern is that these might come from the user via:\n  -> snd_ctl_elem_write_user()\n    -> snd_ctl_elem_write()\n      -> kctl->put()",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48717",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: mxsfb: Fix NULL pointer dereference\n\nmxsfb should not ever dereference the NULL pointer which\ndrm_atomic_get_new_bridge_state is allowed to return.\nAssume a fixed format instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48718",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work\n\nsyzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:\n\n  kworker/0:16/14617 is trying to acquire lock:\n  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n  [...]\n  but task is already holding lock:\n  ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572\n\nThe neighbor entry turned to the NUD_FAILED state, where __neigh_event_send()\ntriggered an immediate probe as per commit cd28ca0a3dd1 (\"neigh: reduce\narp latency\") via neigh_probe() given the table lock was held.\n\nOne option to fix this situation is to defer the neigh_probe() back to\nthe neigh_timer_handler() similarly to pre-cd28ca0a3dd1. For the case\nof NTF_MANAGED, this deferral is acceptable given this only happens on\nan actual failure state and the regular / expected state is NUD_VALID with the\nentry already present.\n\nThe fix adds a parameter to __neigh_event_send() in order to communicate\nwhether an immediate probe is allowed or disallowed. Existing call-sites\nof neigh_event_send() default as-is to immediate probe. However, the\nneigh_managed_work() disables it via use of neigh_event_send_probe().\n\n[0] <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n  print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]\n  check_deadlock kernel/locking/lockdep.c:2999 [inline]\n  validate_chain kernel/locking/lockdep.c:3788 [inline]\n  __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027\n  lock_acquire kernel/locking/lockdep.c:5639 [inline]\n  lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604\n  __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]\n  _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334\n  ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n  ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123\n  __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]\n  __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170\n  ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201\n  NF_HOOK_COND include/linux/netfilter.h:296 [inline]\n  ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224\n  dst_output include/net/dst.h:451 [inline]\n  NF_HOOK include/linux/netfilter.h:307 [inline]\n  ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508\n  ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650\n  ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742\n  neigh_probe+0xc2/0x110 net/core/neighbour.c:1040\n  __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201\n  neigh_event_send include/net/neighbour.h:470 [inline]\n  neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574\n  process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307\n  worker_thread+0x657/0x1110 kernel/workqueue.c:2454\n  kthread+0x2e9/0x3a0 kernel/kthread.c:377\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48719",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macsec: Fix offload support for NETDEV_UNREGISTER event\n\nCurrent macsec netdev notify handler handles NETDEV_UNREGISTER event by\nreleasing relevant SW resources only, this causes resources leak in case\nof macsec HW offload, as the underlay driver was not notified to clean\nit's macsec offload resources.\n\nFix by calling the underlay driver to clean it's relevant resources\nby moving offload handling from macsec_dellink() to macsec_common_dellink()\nwhen handling NETDEV_UNREGISTER event.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48720",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E     5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n  <IRQ>\n  __wake_up_common_lock+0x7a/0xc0\n  sock_def_readable+0x3c/0x70\n  tcp_data_queue+0x4a7/0xc40\n  tcp_rcv_established+0x32f/0x660\n  ? sk_filter_trim_cap+0xcb/0x2e0\n  tcp_v4_do_rcv+0x10b/0x260\n  tcp_v4_rcv+0xd2a/0xde0\n  ip_protocol_deliver_rcu+0x3b/0x1d0\n  ip_local_deliver_finish+0x54/0x60\n  ip_local_deliver+0x6a/0x110\n  ? tcp_v4_early_demux+0xa2/0x140\n  ? tcp_v4_early_demux+0x10d/0x140\n  ip_sublist_rcv_finish+0x49/0x60\n  ip_sublist_rcv+0x19d/0x230\n  ip_list_rcv+0x13e/0x170\n  __netif_receive_skb_list_core+0x1c2/0x240\n  netif_receive_skb_list_internal+0x1e6/0x320\n  napi_complete_done+0x11d/0x190\n  mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n  __napi_poll+0x3c/0x1b0\n  net_rx_action+0x27c/0x300\n  __do_softirq+0x114/0x2d2\n  irq_exit_rcu+0xb4/0xe0\n  common_interrupt+0xba/0xe0\n  </IRQ>\n  <TASK>\n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48721",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: ca8210: Stop leaking skb's\n\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. We then leak the skb\nstructure.\n\nFree the skb structure upon error before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48722",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: uniphier: fix reference count leak in uniphier_spi_probe()\n\nThe issue happens in several error paths in uniphier_spi_probe().\nWhen either dma_get_slave_caps() or devm_spi_register_master() returns\nan error code, the function forgets to decrease the refcount of both\n`dma_rx` and `dma_tx` objects, which may lead to refcount leaks.\n\nFix it by decrementing the reference count of specific objects in\nthose error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48723",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()\n\nAfter commit e3beca48a45b (\"irqdomain/treewide: Keep firmware node\nunconditionally allocated\"). For tear down scenario, fn is only freed\nafter fail to allocate ir_domain, though it also should be freed in case\ndmar_enable_qi returns error.\n\nBesides free fn, irq_domain and ir_msi_domain need to be removed as well\nif intel_setup_irq_remapping fails to enable queued invalidation.\n\nImprove the rewinding path by add out_free_ir_domain and out_free_fwnode\nlables per Baolu's suggestion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48724",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix refcounting leak in siw_create_qp()\n\nThe atomic_inc() needs to be paired with an atomic_dec() on the error\npath.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48725",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ucma: Protect mc during concurrent multicast leaves\n\nPartially revert the commit mentioned in the Fixes line to make sure that\nallocation and erasing multicast struct are locked.\n\n  BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]\n  BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579\n  Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529\n  CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  Call Trace:\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n   print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247\n   __kasan_report mm/kasan/report.c:433 [inline]\n   kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n   ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]\n   ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579\n   ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614\n   ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732\n   vfs_write+0x28e/0xae0 fs/read_write.c:588\n   ksys_write+0x1ee/0x250 fs/read_write.c:643\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCurrently the xarray search can touch a concurrently freeing mc as the\nxa_for_each() is not surrounded by any lock. Rather than hold the lock for\na full scan hold it only for the effected items, which is usually an empty\nlist.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48726",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Avoid consuming a stale esr value when SError occur\n\nWhen any exception other than an IRQ occurs, the CPU updates the ESR_EL2\nregister with the exception syndrome. An SError may also become pending,\nand will be synchronised by KVM. KVM notes the exception type, and whether\nan SError was synchronised in exit_code.\n\nWhen an exception other than an IRQ occurs, fixup_guest_exit() updates\nvcpu->arch.fault.esr_el2 from the hardware register. When an SError was\nsynchronised, the vcpu esr value is used to determine if the exception\nwas due to an HVC. If so, ELR_EL2 is moved back one instruction. This\nis so that KVM can process the SError first, and re-execute the HVC if\nthe guest survives the SError.\n\nBut if an IRQ synchronises an SError, the vcpu's esr value is stale.\nIf the previous non-IRQ exception was an HVC, KVM will corrupt ELR_EL2,\ncausing an unrelated guest instruction to be executed twice.\n\nCheck ARM_EXCEPTION_CODE() before messing with ELR_EL2, IRQs don't\nupdate this register so don't need to check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48727",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix AIP early init panic\n\nAn early failure in hfi1_ipoib_setup_rn() can lead to the following panic:\n\n  BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0\n  PGD 0 P4D 0\n  Oops: 0002 [#1] SMP NOPTI\n  Workqueue: events work_for_cpu_fn\n  RIP: 0010:try_to_grab_pending+0x2b/0x140\n  Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c\n  RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046\n  RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000\n  RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0\n  RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001\n  R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000\n  R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690\n  FS:  0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   __cancel_work_timer+0x42/0x190\n   ? dev_printk_emit+0x4e/0x70\n   iowait_cancel_work+0x15/0x30 [hfi1]\n   hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1]\n   ? dev_err+0x6c/0x90\n   hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1]\n   hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1]\n   rdma_init_netdev+0x5a/0x80 [ib_core]\n   ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1]\n   ipoib_intf_init+0x6c/0x350 [ib_ipoib]\n   ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib]\n   ipoib_add_one+0xbe/0x300 [ib_ipoib]\n   add_client_context+0x12c/0x1a0 [ib_core]\n   enable_device_and_get+0xdc/0x1d0 [ib_core]\n   ib_register_device+0x572/0x6b0 [ib_core]\n   rvt_register_device+0x11b/0x220 [rdmavt]\n   hfi1_register_ib_device+0x6b4/0x770 [hfi1]\n   do_init_one.isra.20+0x3e3/0x680 [hfi1]\n   local_pci_probe+0x41/0x90\n   work_for_cpu_fn+0x16/0x20\n   process_one_work+0x1a7/0x360\n   ? create_worker+0x1a0/0x1a0\n   worker_thread+0x1cf/0x390\n   ? create_worker+0x1a0/0x1a0\n   kthread+0x116/0x130\n   ? kthread_flush_work_fn+0x10/0x10\n   ret_from_fork+0x1f/0x40\n\nThe panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL\nderef when hfi1_ipoib_netdev_dtor() is called in this error case.\n\nhfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so\nfix by adjusting the error paths accordingly.\n\nOther changes:\n- hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev()\n  since the netdev core code deletes calls free_netdev()\n- The switch to the accelerated entrances is moved to the success path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48728",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix panic with larger ipoib send_queue_size\n\nWhen the ipoib send_queue_size is increased from the default the following\npanic happens:\n\n  RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]\n  Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0\n  RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286\n  RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n  RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101\n  R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200\n  R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001\n  FS:  00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0\n  Call Trace:\n   <TASK>\n   hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]\n   hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]\n   ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]\n   ipoib_stop+0x48/0xc0 [ib_ipoib]\n   __dev_close_many+0x9e/0x110\n   __dev_change_flags+0xd9/0x210\n   dev_change_flags+0x21/0x60\n   do_setlink+0x31c/0x10f0\n   ? __nla_validate_parse+0x12d/0x1a0\n   ? __nla_parse+0x21/0x30\n   ? inet6_validate_link_af+0x5e/0xf0\n   ? cpumask_next+0x1f/0x20\n   ? __snmp6_fill_stats64.isra.53+0xbb/0x140\n   ? __nla_validate_parse+0x47/0x1a0\n   __rtnl_newlink+0x530/0x910\n   ? pskb_expand_head+0x73/0x300\n   ? __kmalloc_node_track_caller+0x109/0x280\n   ? __nla_put+0xc/0x20\n   ? cpumask_next_and+0x20/0x30\n   ? update_sd_lb_stats.constprop.144+0xd3/0x820\n   ? _raw_spin_unlock_irqrestore+0x25/0x37\n   ? __wake_up_common_lock+0x87/0xc0\n   ? kmem_cache_alloc_trace+0x3d/0x3d0\n   rtnl_newlink+0x43/0x60\n\nThe issue happens when the shift that should have been a function of the\ntxq item size mistakenly used the ring size.\n\nFix by using the item size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48729",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: heaps: Fix potential spectre v1 gadget\n\nIt appears like nr could be a Spectre v1 gadget as it's supplied by a\nuser and used as an array index. Prevent the contents\nof kernel memory from being leaked to userspace via speculative\nexecution by using array_index_nospec.\n\n [sumits: added fixes and cc: stable tags]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48730",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid scanning potential huge holes\n\nWhen using devm_request_free_mem_region() and devm_memremap_pages() to\nadd ZONE_DEVICE memory, if requested free mem region's end pfn were\nhuge(e.g., 0x400000000), the node_end_pfn() will be also huge (see\nmove_pfn_range_to_zone()).  Thus it creates a huge hole between\nnode_start_pfn() and node_end_pfn().\n\nWe found on some AMD APUs, amdkfd requested such a free mem region and\ncreated a huge hole.  In such a case, following code snippet was just\ndoing busy test_bit() looping on the huge hole.\n\n  for (pfn = start_pfn; pfn < end_pfn; pfn++) {\n\tstruct page *page = pfn_to_online_page(pfn);\n\t\tif (!page)\n\t\t\tcontinue;\n\t...\n  }\n\nSo we got a soft lockup:\n\n  watchdog: BUG: soft lockup - CPU#6 stuck for 26s! [bash:1221]\n  CPU: 6 PID: 1221 Comm: bash Not tainted 5.15.0-custom #1\n  RIP: 0010:pfn_to_online_page+0x5/0xd0\n  Call Trace:\n    ? kmemleak_scan+0x16a/0x440\n    kmemleak_write+0x306/0x3a0\n    ? common_file_perm+0x72/0x170\n    full_proxy_write+0x5c/0x90\n    vfs_write+0xb9/0x260\n    ksys_write+0x67/0xe0\n    __x64_sys_write+0x1a/0x20\n    do_syscall_64+0x3b/0xc0\n    entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nI did some tests with the patch.\n\n(1) amdgpu module unloaded\n\nbefore the patch:\n\n  real    0m0.976s\n  user    0m0.000s\n  sys     0m0.968s\n\nafter the patch:\n\n  real    0m0.981s\n  user    0m0.000s\n  sys     0m0.973s\n\n(2) amdgpu module loaded\n\nbefore the patch:\n\n  real    0m35.365s\n  user    0m0.000s\n  sys     0m35.354s\n\nafter the patch:\n\n  real    0m1.049s\n  user    0m0.000s\n  sys     0m1.042s",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48731",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix off by one in BIOS boundary checking\n\nBounds checking when parsing init scripts embedded in the BIOS reject\naccess to the last byte. This causes driver initialization to fail on\nApple eMac's with GeForce 2 MX GPUs, leaving the system with no working\nconsole.\n\nThis is probably only seen on OpenFirmware machines like PowerPC Macs\nbecause the BIOS image provided by OF is only the used parts of the ROM,\nnot a power-of-two blocks read from PCI directly so PCs always have\nempty bytes at the end that are never accessed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48732",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free after failure to create a snapshot\n\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\n\n1) We allocated the pending snapshot and added it to the transaction's\n   list of pending snapshots;\n\n2) We call btrfs_commit_transaction(), and it fails either at the first\n   call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n   In both cases, we don't abort the transaction and we release our\n   transaction handle. We jump to the 'fail' label and free the pending\n   snapshot structure. We return with the pending snapshot still in the\n   transaction's list;\n\n3) Another task commits the transaction. This time there's no error at\n   all, and then during the transaction commit it accesses a pointer\n   to the pending snapshot structure that the snapshot creation task\n   has already freed, resulting in a user-after-free.\n\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\n\n  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\n\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48733",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock between quota disable and qgroup rescan worker\n\nQuota disable ioctl starts a transaction before waiting for the qgroup\nrescan worker completes. However, this wait can be infinite and results\nin deadlock because of circular dependency among the quota disable\nioctl, the qgroup rescan worker and the other task with transaction such\nas block group relocation task.\n\nThe deadlock happens with the steps following:\n\n1) Task A calls ioctl to disable quota. It starts a transaction and\n   waits for qgroup rescan worker completes.\n2) Task B such as block group relocation task starts a transaction and\n   joins to the transaction that task A started. Then task B commits to\n   the transaction. In this commit, task B waits for a commit by task A.\n3) Task C as the qgroup rescan worker starts its job and starts a\n   transaction. In this transaction start, task C waits for completion\n   of the transaction that task A started and task B committed.\n\nThis deadlock was found with fstests test case btrfs/115 and a zoned\nnull_blk device. The test case enables and disables quota, and the\nblock group reclaim was triggered during the quota disable by chance.\nThe deadlock was also observed by running quota enable and disable in\nparallel with 'btrfs balance' command on regular null_blk devices.\n\nAn example report of the deadlock:\n\n  [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.\n  [372.479944]       Not tainted 5.16.0-rc8 #7\n  [372.485067] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [372.493898] task:kworker/u16:6   state:D stack:    0 pid:  103 ppid:     2 flags:0x00004000\n  [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]\n  [372.510782] Call Trace:\n  [372.514092]  <TASK>\n  [372.521684]  __schedule+0xb56/0x4850\n  [372.530104]  ? io_schedule_timeout+0x190/0x190\n  [372.538842]  ? lockdep_hardirqs_on+0x7e/0x100\n  [372.547092]  ? _raw_spin_unlock_irqrestore+0x3e/0x60\n  [372.555591]  schedule+0xe0/0x270\n  [372.561894]  btrfs_commit_transaction+0x18bb/0x2610 [btrfs]\n  [372.570506]  ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]\n  [372.578875]  ? free_unref_page+0x3f2/0x650\n  [372.585484]  ? finish_wait+0x270/0x270\n  [372.591594]  ? release_extent_buffer+0x224/0x420 [btrfs]\n  [372.599264]  btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]\n  [372.607157]  ? lock_release+0x3a9/0x6d0\n  [372.613054]  ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]\n  [372.620960]  ? do_raw_spin_lock+0x11e/0x250\n  [372.627137]  ? rwlock_bug.part.0+0x90/0x90\n  [372.633215]  ? lock_is_held_type+0xe4/0x140\n  [372.639404]  btrfs_work_helper+0x1ae/0xa90 [btrfs]\n  [372.646268]  process_one_work+0x7e9/0x1320\n  [372.652321]  ? lock_release+0x6d0/0x6d0\n  [372.658081]  ? pwq_dec_nr_in_flight+0x230/0x230\n  [372.664513]  ? rwlock_bug.part.0+0x90/0x90\n  [372.670529]  worker_thread+0x59e/0xf90\n  [372.676172]  ? process_one_work+0x1320/0x1320\n  [372.682440]  kthread+0x3b9/0x490\n  [372.687550]  ? _raw_spin_unlock_irq+0x24/0x50\n  [372.693811]  ? set_kthread_struct+0x100/0x100\n  [372.700052]  ret_from_fork+0x22/0x30\n  [372.705517]  </TASK>\n  [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.\n  [372.729827]       Not tainted 5.16.0-rc8 #7\n  [372.745907] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [372.767106] task:btrfs-transacti state:D stack:    0 pid: 2347 ppid:     2 flags:0x00004000\n  [372.787776] Call Trace:\n  [372.801652]  <TASK>\n  [372.812961]  __schedule+0xb56/0x4850\n  [372.830011]  ? io_schedule_timeout+0x190/0x190\n  [372.852547]  ? lockdep_hardirqs_on+0x7e/0x100\n  [372.871761]  ? _raw_spin_unlock_irqrestore+0x3e/0x60\n  [372.886792]  schedule+0xe0/0x270\n  [372.901685]  wait_current_trans+0x22c/0x310 [btrfs]\n  [372.919743]  ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]\n  [372.938923]  ? finish_wait+0x270/0x270\n  [372.959085]  ? join_transaction+0xc7\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48734",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix UAF of leds class devs at unbinding\n\nThe LED class devices that are created by HD-audio codec drivers are\nregistered via devm_led_classdev_register() and associated with the\nHD-audio codec device.  Unfortunately, it turned out that the devres\nrelease doesn't work for this case; namely, since the codec resource\nrelease happens before the devm call chain, it triggers a NULL\ndereference or a UAF for a stale set_brightness_delay callback.\n\nFor fixing the bug, this patch changes the LED class device register\nand unregister in a manual manner without devres, keeping the\ninstances in hda_gen_spec.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48735",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw()\n\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48738",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: hdmi-codec: Fix OOB memory accesses\n\nCorrect size of iec_status array by changing it to the size of status\narray of the struct snd_aes_iec958. This fixes out-of-bounds slab\nread accesses made by memcpy() of the hdmi-codec driver. This problem\nis reported by KASAN.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48739",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix double free of cond_list on error paths\n\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref.  Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\n\nAlso consistently reset the cond_list pointer to NULL after freeing.\n\n[PM: fix line lengths in the description]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48740",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix NULL pointer dereference in copy up warning\n\nThis patch is fixing a NULL pointer dereference to get a recently\nintroduced warning message working.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48741",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()\n\nWhile looking at one unrelated syzbot bug, I found the replay logic\nin __rtnl_newlink() to potentially trigger use-after-free.\n\nIt is better to clear master_dev and m_ops inside the loop,\nin case we have to replay it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48742",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: amd-xgbe: Fix skb data length underflow\n\nThere will be BUG_ON() triggered in include/linux/skbuff.h leading to\nintermittent kernel panic, when the skb length underflow is detected.\n\nFix this by dropping the packet if such length underflows are seen\nbecause of inconsistencies in the hardware descriptors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48743",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN  14\n\t#define VLAN_HLEN  4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;\n        struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */\n        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */\n        struct mlx5_wqe_data_seg   data[];               /*    32     0 */\n\n        /* size: 32, cachelines: 1, members: 3 */\n        /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n        u8                         swp_outer_l4_offset;  /*     0     1 */\n        u8                         swp_outer_l3_offset;  /*     1     1 */\n        u8                         swp_inner_l4_offset;  /*     2     1 */\n        u8                         swp_inner_l3_offset;  /*     3     1 */\n        u8                         cs_flags;             /*     4     1 */\n        u8                         swp_flags;            /*     5     1 */\n        __be16                     mss;                  /*     6     2 */\n        __be32                     flow_table_metadata;  /*     8     4 */\n        union {\n                struct {\n                        __be16     sz;                   /*    12     2 */\n                        u8         start[2];             /*    14     2 */\n                } inline_hdr;                            /*    12     4 */\n                struct {\n                        __be16     type;                 /*    12     2 */\n                        __be16     vlan_tci;             /*    14     2 */\n                } insert;                                /*    12     4 */\n                __be32             trailer;              /*    12     4 */\n        };                                               /*    12     4 */\n\n        /* size: 16, cachelines: 1, members: 9 */\n        /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n        __be32                     byte_count;           /*     0     4 */\n        __be32                     lkey;                 /*     4     4 */\n        __be64                     addr;                 /*     8     8 */\n\n        /* size: 16, cachelines: 1, members: 3 */\n        /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Use del_timer_sync in fw reset flow of halting poll\n\nSubstitute del_timer() with del_timer_sync() in fw reset polling\ndeactivation flow, in order to prevent a race condition which occurs\nwhen del_timer() is called and timer is deactivated while another\nprocess is handling the timer interrupt. A situation that led to\nthe following call trace:\n\tRIP: 0010:run_timer_softirq+0x137/0x420\n\t<IRQ>\n\trecalibrate_cpu_khz+0x10/0x10\n\tktime_get+0x3e/0xa0\n\t? sched_clock_cpu+0xb/0xc0\n\t__do_softirq+0xf5/0x2ea\n\tirq_exit_rcu+0xc1/0xf0\n\tsysvec_apic_timer_interrupt+0x9e/0xc0\n\tasm_sysvec_apic_timer_interrupt+0x12/0x20\n\t</IRQ>",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48745",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix handling of wrong devices during bond netevent\n\nCurrent implementation of bond netevent handler only check if\nthe handled netdev is VF representor and it missing a check if\nthe VF representor is on the same phys device of the bond handling\nthe netevent.\n\nFix by adding the missing check and optimizing the check if\nthe netdev is VF representor so it will not access uninitialized\nprivate data and crashes.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036c\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nWorkqueue: eth3bond0 bond_mii_monitor [bonding]\nRIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core]\nRSP: 0018:ffff88812d69fd60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000\nRDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880\nRBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008\nR10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10\nR13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core]\n mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core]\n mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core]\n raw_notifier_call_chain+0x41/0x60\n call_netdevice_notifiers_info+0x34/0x80\n netdev_lower_state_changed+0x4e/0xa0\n bond_mii_monitor+0x56b/0x640 [bonding]\n process_one_work+0x1b9/0x390\n worker_thread+0x4d/0x3d0\n ? rescuer_thread+0x350/0x350\n kthread+0x124/0x150\n ? set_kthread_struct+0x40/0x40\n ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48746",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix wrong offset in bio_truncate()\n\nbio_truncate() clears the buffer outside of last block of bdev, however\ncurrent bio_truncate() is using the wrong offset of page. So it can\nreturn the uninitialized data.\n\nThis happened when both of truncated/corrupted FS and userspace (via\nbdev) are trying to read the last of bdev.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48747",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: vlan: fix memory leak in __allowed_ingress\n\nWhen using per-vlan state, if vlan snooping and stats are disabled,\nuntagged or priority-tagged ingress frame will go to check pvid state.\nIf the port state is forwarding and the pvid state is not\nlearning/forwarding, untagged or priority-tagged frame will be dropped\nbut skb memory is not freed.\nShould free skb when __allowed_ingress returns false.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48748",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc\n\nThe function performs a check on the \"ctx\" input parameter, however, it\nis used before the check.\n\nInitialize the \"base\" variable after the sanity check to avoid a\npossible NULL pointer dereference.\n\nAddresses-Coverity-ID: 1493866 (\"Null pointer dereference\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48749",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix crash in clear_caseopen\n\nPawe\u0142 Marciniak reports the following crash, observed when clearing\nthe chassis intrusion alarm.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000028\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 4815 Comm: bash Tainted: G S                5.16.2-200.fc35.x86_64 #1\nHardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018\nRIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]\nCode: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ...\nRSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68\nRBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a\nR10: 000000000000000a R11: f000000000000000 R12: 000000000000001f\nR13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0\nFS:  00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0\nCall Trace:\n <TASK>\n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x10b/0x180\n vfs_write+0x209/0x2a0\n ksys_write+0x4f/0xc0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe problem is that the device passed to clear_caseopen() is the hwmon\ndevice, not the platform device, and the platform data is not set in the\nhwmon device. Store the pointer to sio_data in struct nct6775_data and\nget if from there if needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48750",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Transitional solution for clcsock race issue\n\nWe encountered a crash in smc_setsockopt() and it is caused by\naccessing smc->clcsock after clcsock was released.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E     5.16.0-rc4+ #53\n RIP: 0010:smc_setsockopt+0x59/0x280 [smc]\n Call Trace:\n  <TASK>\n  __sys_setsockopt+0xfc/0x190\n  __x64_sys_setsockopt+0x20/0x30\n  do_syscall_64+0x34/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f16ba83918e\n  </TASK>\n\nThis patch tries to fix it by holding clcsock_release_lock and\nchecking whether clcsock has already been released before access.\n\nIn case that a crash of the same reason happens in smc_getsockopt()\nor smc_switch_to_fallback(), this patch also checkes smc->clcsock\nin them too. And the caller of smc_switch_to_fallback() will identify\nwhether fallback succeeds according to the return value.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48751",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending\n\nRunning selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel\ntriggered below warning:\n\n[  172.851380] ------------[ cut here ]------------\n[  172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280\n[  172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse\n[  172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2\n[  172.851451] NIP:  c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180\n[  172.851458] REGS: c000000017687860 TRAP: 0700   Not tainted  (5.16.0-rc5-03218-g798527287598)\n[  172.851465] MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 48004884  XER: 20040000\n[  172.851482] CFAR: c00000000013d5b4 IRQMASK: 1\n[  172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004\n[  172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000\n[  172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68\n[  172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000\n[  172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0\n[  172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003\n[  172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600\n[  172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8\n[  172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280\n[  172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280\n[  172.851565] Call Trace:\n[  172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)\n[  172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60\n[  172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660\n[  172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0\n[  172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140\n[  172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40\n[  172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380\n[  172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268\n\nThe warning indicates that MSR_EE being set(interrupt enabled) when\nthere was an overflown PMC detected. This could happen in\npower_pmu_disable since it runs under interrupt soft disable\ncondition ( local_irq_save ) and not with interrupts hard disabled.\ncommit 2c9ac51b850d (\"powerpc/perf: Fix PMU callbacks to clear\npending PMI before resetting an overflown PMC\") intended to clear\nPMI pending bit in Paca when disabling the PMU. It could happen\nthat PMC gets overflown while code is in power_pmu_disable\ncallback function. Hence add a check to see if PMI pending bit\nis set in Paca before clearing it via clear_pmi_pending.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48752",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.5"
        },
        {
          "id": "CVE-2022-48753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in disk_register_independent_access_ranges\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\n\n   If this function returns an error, kobject_put() must be called to\n   properly clean up the memory associated with the object.\n\nFix this issue by adding kobject_put().\nCallback function blk_ia_ranges_sysfs_release() in kobject_put()\ncan handle the pointer \"iars\" properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48753",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphylib: fix potential use-after-free\n\nCommit bafbdd527d56 (\"phylib: Add device reset GPIO support\") added call\nto phy_device_reset(phydev) after the put_device() call in phy_detach().\n\nThe comment before the put_device() call says that the phydev might go\naway with put_device().\n\nFix potential use-after-free by calling phy_device_reset() before\nput_device().",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48754",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06\n\nJohan reported the below crash with test_bpf on ppc64 e5500:\n\n  test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1\n  Oops: Exception in kernel mode, sig: 4 [#1]\n  BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500\n  Modules linked in: test_bpf(+)\n  CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1\n  NIP:  8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18\n  REGS: c0000000032d3420 TRAP: 0700   Not tainted (5.14.0-03771-g98c2059e008a-dirty)\n  MSR:  0000000080089000 <EE,ME>  CR: 88002822  XER: 20000000 IRQMASK: 0\n  <...>\n  NIP [8000000000061c3c] 0x8000000000061c3c\n  LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]\n  Call Trace:\n   .__run_one+0x60/0x17c [test_bpf] (unreliable)\n   .test_bpf_init+0x6a8/0xdc8 [test_bpf]\n   .do_one_initcall+0x6c/0x28c\n   .do_init_module+0x68/0x28c\n   .load_module+0x2460/0x2abc\n   .__do_sys_init_module+0x120/0x18c\n   .system_call_exception+0x110/0x1b8\n   system_call_common+0xf0/0x210\n  --- interrupt: c00 at 0x101d0acc\n  <...>\n  ---[ end trace 47b2bf19090bb3d0 ]---\n\n  Illegal instruction\n\nThe illegal instruction turned out to be 'ldbrx' emitted for\nBPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of\nthe same and implement an alternative approach for older processors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48755",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: invalid parameter check in msm_dsi_phy_enable\n\nThe function performs a check on the \"phy\" input parameter, however, it\nis used before the check.\n\nInitialize the \"dev\" variable after the sanity check to avoid a possible\nNULL pointer dereference.\n\nAddresses-Coverity-ID: 1493860 (\"Null pointer dereference\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48756",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix information leakage in /proc/net/ptype\n\nIn one net namespace, after creating a packet socket without binding\nit to a device, users in other net namespaces can observe the new\n`packet_type` added by this packet socket by reading `/proc/net/ptype`\nfile. This is minor information leakage as packet socket is\nnamespace aware.\n\nAdd a net pointer in `packet_type` to keep the net namespace of\nof corresponding packet socket. In `ptype_seq_show`, this net pointer\nmust be checked when it is not NULL.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48757",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()\n\nThe bnx2fc_destroy() functions are removing the interface before calling\ndestroy_work. This results multiple WARNings from sysfs_remove_group() as\nthe controller rport device attributes are removed too early.\n\nReplace the fcoe_port's destroy_work queue. It's not needed.\n\nThe problem is easily reproducible with the following steps.\n\nExample:\n\n  $ dmesg -w &\n  $ systemctl enable --now fcoe\n  $ fipvlan -s -c ens2f1\n  $ fcoeadm -d ens2f1.802\n  [  583.464488] host2: libfc: Link down on port (7500a1)\n  [  583.472651] bnx2fc: 7500a1 - rport not created Yet!!\n  [  583.490468] ------------[ cut here ]------------\n  [  583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'\n  [  583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80\n  [  583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...\n  [  583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1\n  [  583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n  [  584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]\n  [  584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80\n  [  584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...\n  [  584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282\n  [  584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000\n  [  584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0\n  [  584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00\n  [  584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400\n  [  584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004\n  [  584.355379] FS:  0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000\n  [  584.394419] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [  584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0\n  [  584.454888] Call Trace:\n  [  584.466108]  device_del+0xb2/0x3e0\n  [  584.481701]  device_unregister+0x13/0x60\n  [  584.501306]  bsg_unregister_queue+0x5b/0x80\n  [  584.522029]  bsg_remove_queue+0x1c/0x40\n  [  584.541884]  fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]\n  [  584.573823]  process_one_work+0x1e3/0x3b0\n  [  584.592396]  worker_thread+0x50/0x3b0\n  [  584.609256]  ? rescuer_thread+0x370/0x370\n  [  584.628877]  kthread+0x149/0x170\n  [  584.643673]  ? set_kthread_struct+0x40/0x40\n  [  584.662909]  ret_from_fork+0x22/0x30\n  [  584.680002] ---[ end trace 53575ecefa942ece ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48758",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev\n\nstruct rpmsg_ctrldev contains a struct cdev. The current code frees\nthe rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the\ncdev is a managed object, therefore its release is not predictable\nand the rpmsg_ctrldev could be freed before the cdev is entirely\nreleased, as in the backtrace below.\n\n[   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c\n[   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0\n[   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v\n[   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26\n[   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)\n[   93.730055] Workqueue: events kobject_delayed_cleanup\n[   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)\n[   93.740216] pc : debug_print_object+0x13c/0x1b0\n[   93.744890] lr : debug_print_object+0x13c/0x1b0\n[   93.749555] sp : ffffffacf5bc7940\n[   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000\n[   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000\n[   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000\n[   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0\n[   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0\n[   93.780338] x19: ffffffd075199100 x18: 00000000000276e0\n[   93.785814] x17: 0000000000000000 x16: dfffffd000000000\n[   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c\n[   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000\n[   93.802244] x11: 0000000000000001 x10: 0000000000000000\n[   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900\n[   93.813200] x7 : 0000000000000000 x6 : 0000000000000000\n[   93.818676] x5 : 0000000000000080 x4 : 0000000000000000\n[   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001\n[   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061\n[   93.835104] Call trace:\n[   93.837644]  debug_print_object+0x13c/0x1b0\n[   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0\n[   93.846987]  debug_check_no_obj_freed+0x18/0x20\n[   93.851669]  slab_free_freelist_hook+0xbc/0x1e4\n[   93.856346]  kfree+0xfc/0x2f4\n[   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8\n[   93.864445]  device_release+0x84/0x168\n[   93.868310]  kobject_cleanup+0x12c/0x298\n[   93.872356]  kobject_delayed_cleanup+0x10/0x18\n[   93.876948]  process_one_work+0x578/0x92c\n[   93.881086]  worker_thread+0x804/0xcf8\n[   93.884963]  kthread+0x2a8/0x314\n[   93.888303]  ret_from_fork+0x10/0x18\n\nThe cdev_device_add/del() API was created to address this issue (see\ncommit '233ed09d7fda (\"chardev: add helper function to register char\ndevs with a struct device\")'), use it instead of cdev add/del().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48759",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix hang in usb_kill_urb by adding memory barriers\n\nThe syzbot fuzzer has identified a bug in which processes hang waiting\nfor usb_kill_urb() to return.  It turns out the issue is not unlinking\nthe URB; that works just fine.  Rather, the problem arises when the\nwakeup notification that the URB has completed is not received.\n\nThe reason is memory-access ordering on SMP systems.  In outline form,\nusb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on\ndifferent CPUs perform the following actions:\n\nCPU 0\t\t\t\t\tCPU 1\n----------------------------\t\t---------------------------------\nusb_kill_urb():\t\t\t\t__usb_hcd_giveback_urb():\n  ...\t\t\t\t\t  ...\n  atomic_inc(&urb->reject);\t\t  atomic_dec(&urb->use_count);\n  ...\t\t\t\t\t  ...\n  wait_event(usb_kill_urb_queue,\n\tatomic_read(&urb->use_count) == 0);\n\t\t\t\t\t  if (atomic_read(&urb->reject))\n\t\t\t\t\t\twake_up(&usb_kill_urb_queue);\n\nConfining your attention to urb->reject and urb->use_count, you can\nsee that the overall pattern of accesses on CPU 0 is:\n\n\twrite urb->reject, then read urb->use_count;\n\nwhereas the overall pattern of accesses on CPU 1 is:\n\n\twrite urb->use_count, then read urb->reject.\n\nThis pattern is referred to in memory-model circles as SB (for \"Store\nBuffering\"), and it is well known that without suitable enforcement of\nthe desired order of accesses -- in the form of memory barriers -- it\nis entirely possible for one or both CPUs to execute their reads ahead\nof their writes.  The end result will be that sometimes CPU 0 sees the\nold un-decremented value of urb->use_count while CPU 1 sees the old\nun-incremented value of urb->reject.  
Consequently CPU 0 ends up on\nthe wait queue and never gets woken up, leading to the observed hang\nin usb_kill_urb().\n\nThe same pattern of accesses occurs in usb_poison_urb() and the\nfailure pathway of usb_hcd_submit_urb().\n\nThe problem is fixed by adding suitable memory barriers.  To provide\nproper memory-access ordering in the SB pattern, a full barrier is\nrequired on both CPUs.  The atomic_inc() and atomic_dec() accesses\nthemselves don't provide any memory ordering, but since they are\npresent, we can use the optimized smp_mb__after_atomic() memory\nbarrier in the various routines to obtain the desired effect.\n\nThis patch adds the necessary memory barriers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48760",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci-plat: fix crash when suspend if remote wake enable\n\nCrashed at i.mx8qm platform when suspend if enable remote wakeup\n\nInternal error: synchronous external abort: 96000210 [#1] PREEMPT SMP\nModules linked in:\nCPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12\nHardware name: Freescale i.MX8QM MEK (DT)\nWorkqueue: events_unbound async_run_entry_fn\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8\nlr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8\nsp : ffff80001394bbf0\nx29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578\nx26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001\nx20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0\nx8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453\nx5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c\nx2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620\nCall trace:\n xhci_disable_hub_port_wake.isra.62+0x60/0xf8\n xhci_suspend+0x58/0x510\n xhci_plat_suspend+0x50/0x78\n platform_pm_suspend+0x2c/0x78\n dpm_run_callback.isra.25+0x50/0xe8\n __device_suspend+0x108/0x3c0\n\nThe basic flow:\n\t1. run time suspend call xhci_suspend, xhci parent devices gate the clock.\n        2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend\n        3. 
xhci_suspend call xhci_disable_hub_port_wake, which access register,\n\t   but clock already gated by run time suspend.\n\nThis problem was hidden by power domain driver, which call run time resume before it.\n\nBut the below commit remove it and make this issue happen.\n\tcommit c1df456d0f06e (\"PM: domains: Don't runtime resume devices at genpd_prepare()\")\n\nThis patch call run time resume before suspend to make sure clock is on\nbefore access register.\n\nTesteb-by: Abel Vesa <abel.vesa@nxp.com>",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48761",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: extable: fix load_unaligned_zeropad() reg indices\n\nIn ex_handler_load_unaligned_zeropad() we erroneously extract the data and\naddr register indices from ex->type rather than ex->data. As ex->type will\ncontain EX_TYPE_LOAD_UNALIGNED_ZEROPAD (i.e. 4):\n * We'll always treat X0 as the address register, since EX_DATA_REG_ADDR is\n   extracted from bits [9:5]. Thus, we may attempt to dereference an\n   arbitrary address as X0 may hold an arbitrary value.\n * We'll always treat X4 as the data register, since EX_DATA_REG_DATA is\n   extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary\n   behaviour within load_unaligned_zeropad() and its caller.\n\nFix this by extracting both values from ex->data as originally intended.\n\nOn an MTE-enabled QEMU image we are hitting the following crash:\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n  fixup_exception+0xc4/0x108\n  __do_kernel_fault+0x3c/0x268\n  do_tag_check_fault+0x3c/0x104\n  do_mem_abort+0x44/0xf4\n  el1_abort+0x40/0x64\n  el1h_64_sync_handler+0x60/0xa0\n  el1h_64_sync+0x7c/0x80\n  link_path_walk+0x150/0x344\n  path_openat+0xa0/0x7dc\n  do_filp_open+0xb8/0x168\n  do_sys_openat2+0x88/0x17c\n  __arm64_sys_openat+0x74/0xa0\n  invoke_syscall+0x48/0x148\n  el0_svc_common+0xb8/0xf8\n  do_el0_svc+0x28/0x88\n  el0_svc+0x24/0x84\n  el0t_64_sync_handler+0x88/0xec\n  el0t_64_sync+0x1b4/0x1b8\n Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48762",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Forcibly leave nested virt when SMM state is toggled\n\nForcibly leave nested virtualization operation if userspace toggles SMM\nstate via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS.  If userspace\nforces the vCPU out of SMM while it's post-VMXON and then injects an SMI,\nvmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both\nvmxon=false and smm.vmxon=false, but all other nVMX state allocated.\n\nDon't attempt to gracefully handle the transition as (a) most transitions\nare nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't\nsufficient information to handle all transitions, e.g. SVM wants access\nto the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede\nKVM_SET_NESTED_STATE during state restore as the latter disallows putting\nthe vCPU into L2 if SMM is active, and disallows tagging the vCPU as\nbeing post-VMXON in SMM if SMM is not active.\n\nAbuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX\ndue to failure to free vmcs01's shadow VMCS, but the bug goes far beyond\njust a memory leak, e.g. 
toggling SMM on while L2 is active puts the vCPU\nin an architecturally impossible state.\n\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Modules linked in:\n  CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00\n  Call Trace:\n   <TASK>\n   kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123\n   kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]\n   kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460\n   kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]\n   kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676\n   kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]\n   kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250\n   kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273\n   __fput+0x286/0x9f0 fs/file_table.c:311\n   task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n   exit_task_work include/linux/task_work.h:32 [inline]\n   do_exit+0xb29/0x2a30 kernel/exit.c:806\n   do_group_exit+0xd2/0x2f0 kernel/exit.c:935\n   get_signal+0x4b0/0x28c0 kernel/signal.c:2862\n   arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868\n   handle_signal_work kernel/entry/common.c:148 [inline]\n   exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n   exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n   syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n   do_syscall_64+0x42/0xb0 
arch/x86/entry/common.c:86\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48763",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Free kvm_cpuid_entry2 array on post-KVM_RUN KVM_SET_CPUID{,2}\n\nFree the \"struct kvm_cpuid_entry2\" array on successful post-KVM_RUN\nKVM_SET_CPUID{,2} to fix a memory leak, the callers of kvm_set_cpuid()\nfree the array only on failure.\n\n BUG: memory leak\n unreferenced object 0xffff88810963a800 (size 2048):\n  comm \"syz-executor025\", pid 3610, jiffies 4294944928 (age 8.080s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00  ................\n    47 65 6e 75 6e 74 65 6c 69 6e 65 49 00 00 00 00  GenuntelineI....\n  backtrace:\n    [<ffffffff814948ee>] kmalloc_node include/linux/slab.h:604 [inline]\n    [<ffffffff814948ee>] kvmalloc_node+0x3e/0x100 mm/util.c:580\n    [<ffffffff814950f2>] kvmalloc include/linux/slab.h:732 [inline]\n    [<ffffffff814950f2>] vmemdup_user+0x22/0x100 mm/util.c:199\n    [<ffffffff8109f5ff>] kvm_vcpu_ioctl_set_cpuid2+0x8f/0xf0 arch/x86/kvm/cpuid.c:423\n    [<ffffffff810711b9>] kvm_arch_vcpu_ioctl+0xb99/0x1e60 arch/x86/kvm/x86.c:5251\n    [<ffffffff8103e92d>] kvm_vcpu_ioctl+0x4ad/0x950 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4066\n    [<ffffffff815afacc>] vfs_ioctl fs/ioctl.c:51 [inline]\n    [<ffffffff815afacc>] __do_sys_ioctl fs/ioctl.c:874 [inline]\n    [<ffffffff815afacc>] __se_sys_ioctl fs/ioctl.c:860 [inline]\n    [<ffffffff815afacc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860\n    [<ffffffff844a3335>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff844a3335>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48764",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.5"
        },
        {
          "id": "CVE-2022-48765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G          I       5.17.0-rc1+ #5\n  RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_vcpu_ioctl+0x279/0x710 [kvm]\n   __x64_sys_ioctl+0x83/0xb0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48765",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48766",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: properly put ceph_string reference after async create attempt\n\nThe reference acquired by try_prep_async_create is currently leaked.\nEnsure we put it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48767",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histogram: Fix a potential memory leak for kstrdup()\n\nkfree() is missing on an error path to free the memory allocated by\nkstrdup():\n\n  p = param = kstrdup(data->params[i], GFP_KERNEL);\n\nSo it is better to free it via kfree(p).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48768",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: avoid EFIv2 runtime services on Apple x86 machines\n\nAditya reports [0] that his recent MacbookPro crashes in the firmware\nwhen using the variable services at runtime. The culprit appears to be a\ncall to QueryVariableInfo(), which we did not use to call on Apple x86\nmachines in the past as they only upgraded from EFI v1.10 to EFI v2.40\nfirmware fairly recently, and QueryVariableInfo() (along with\nUpdateCapsule() et al) was added in EFI v2.00.\n\nThe only runtime service introduced in EFI v2.00 that we actually use in\nLinux is QueryVariableInfo(), as the capsule based ones are optional,\ngenerally not used at runtime (all the LVFS/fwupd firmware update\ninfrastructure uses helper EFI programs that invoke capsule update at\nboot time, not runtime), and not implemented by Apple machines in the\nfirst place. QueryVariableInfo() is used to 'safely' set variables,\ni.e., only when there is enough space. This prevents machines with buggy\nfirmwares from corrupting their NVRAMs when they run out of space.\n\nGiven that Apple machines have been using EFI v1.10 services only for\nthe longest time (the EFI v2.0 spec was released in 2006, and Linux\nsupport for the newly introduced runtime services was added in 2011, but\nthe MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only),\nlet's avoid the EFI v2.0 ones on all Apple x86 machines.\n\n[0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48769",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()\n\ntask_pt_regs() can return NULL on powerpc for kernel threads. This is\nthen used in __bpf_get_stack() to check for user mode, resulting in a\nkernel oops. Guard against this by checking return value of\ntask_pt_regs() before trying to obtain the call chain.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48770",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48771",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  <TASK>\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2022-48773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create\n\nIf there are failures then we must not leave the non-NULL pointers with\nthe error value, otherwise `rpcrdma_ep_destroy` gets confused and tries\nfree them, resulting in an Oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48773",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ptdma: Fix the error handling path in pt_core_init()\n\nIn order to free resources correctly in the error handling path of\npt_core_init(), 2 goto's have to be switched. Otherwise, some resources\nwill leak and we will try to release things that have not been allocated\nyet.\n\nAlso move a dev_err() to a place where it is more meaningful.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48774",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\uff1a\n\n   If this function returns an error, kobject_put() must be called to\n   properly clean up the memory associated with the object.\n\nFix memory leak by calling kobject_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48775",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: parsers: qcom: Fix missing free for pparts in cleanup\n\nMtdpart doesn't free pparts when a cleanup function is declared.\nAdd missing free for pparts in cleanup function for smem to fix the\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48776",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: parsers: qcom: Fix kernel panic on skipped partition\n\nIn the event of a skipped partition (case when the entry name is empty)\nthe kernel panics in the cleanup function as the name entry is NULL.\nRework the parser logic by first checking the real partition number and\nthen allocate the space and set the data for the valid partitions.\n\nThe logic was also fundamentally wrong as with a skipped partition, the\nparts number returned was incorrect by not decreasing it for the skipped\npartitions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48777",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: gpmi: don't leak PM reference in error path\n\nIf gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be\ndropped.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48778",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.11"
        },
        {
          "id": "CVE-2022-48779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: fix use-after-free in ocelot_vlan_del()\n\nocelot_vlan_member_del() will free the struct ocelot_bridge_vlan, so if\nthis is the same as the port's pvid_vlan which we access afterwards,\nwhat we're accessing is freed memory.\n\nFix the bug by determining whether to clear ocelot_port->pvid_vlan prior\nto calling ocelot_vlan_member_del().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48779",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Avoid overwriting the copies of clcsock callback functions\n\nThe callback functions of clcsock will be saved and replaced during\nthe fallback. But if the fallback happens more than once, then the\ncopies of these callback functions will be overwritten incorrectly,\nresulting in a loop call issue:\n\nclcsk->sk_error_report\n |- smc_fback_error_report() <------------------------------|\n     |- smc_fback_forward_wakeup()                          | (loop)\n         |- clcsock_callback()  (incorrectly overwritten)   |\n             |- smc->clcsk_error_report() ------------------|\n\nSo this patch fixes the issue by saving these function pointers only\nonce in the fallback and avoiding overwriting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48780",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.11"
        },
        {
          "id": "CVE-2022-48781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n 
__do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48781",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: fix use after free\n\nClang static analysis reports this problem\nroute.c:425:4: warning: Use of memory after it is freed\n  trace_mctp_key_acquire(key);\n  ^~~~~~~~~~~~~~~~~~~~~~~~~~~\nWhen mctp_key_add() fails, key is freed but then is later\nused in trace_mctp_key_acquire().  Add an else statement\nto use the key only when mctp_key_add() is successful.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48782",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: fix use after free in gswip_remove()\n\nof_node_put(priv->ds->slave_mii_bus->dev.of_node) should be\ndone before mdiobus_free(priv->ds->slave_mii_bus).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48783",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.11"
        },
        {
          "id": "CVE-2022-48784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: fix race in netlink owner interface destruction\n\nMy previous fix here to fix the deadlock left a race where\nthe exact same deadlock (see the original commit referenced\nbelow) can still happen if cfg80211_destroy_ifaces() already\nruns while nl80211_netlink_notify() is still marking some\ninterfaces as nl_owner_dead.\n\nThe race happens because we have two loops here - first we\ndev_close() all the netdevs, and then we destroy them. If we\nalso have two netdevs (first one need only be a wdev though)\nthen we can find one during the first iteration, close it,\nand go to the second iteration -- but then find two, and try\nto destroy also the one we didn't close yet.\n\nFix this by only iterating once.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48784",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: use rcu-safe version of ipv6_get_lladdr()\n\nSome time ago 8965779d2c0e (\"ipv6,mcast: always hold idev->lock before mca_lock\")\nswitched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe\nversion. That was OK, because idev->lock was held for these codepaths.\n\nIn 88e2ca308094 (\"mld: convert ifmcaddr6 to RCU\") these external locks were\nremoved, so we probably need to restore the original rcu-safe call.\n\nOtherwise, we occasionally get a machine crashed/stalled with the following\nin dmesg:\n\n[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI\n[ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G           O      5.15.19-cloudflare-2022.2.1 #1\n[ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV\n[ 3406.009552][T230589] Workqueue: mld mld_ifc_work\n[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60\n[ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b\n[ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202\n[ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040\n[ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008\n[ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000\n[ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100\n[ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000\n[ 3406.125730][T230589] FS:  0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000\n[ 3406.138992][T230589] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3406.149895][T230589] CR2: 
00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0\n[ 3406.162421][T230589] Call Trace:\n[ 3406.170235][T230589]  <TASK>\n[ 3406.177736][T230589]  mld_newpack+0xfe/0x1a0\n[ 3406.186686][T230589]  add_grhead+0x87/0xa0\n[ 3406.195498][T230589]  add_grec+0x485/0x4e0\n[ 3406.204310][T230589]  ? newidle_balance+0x126/0x3f0\n[ 3406.214024][T230589]  mld_ifc_work+0x15d/0x450\n[ 3406.223279][T230589]  process_one_work+0x1e6/0x380\n[ 3406.232982][T230589]  worker_thread+0x50/0x3a0\n[ 3406.242371][T230589]  ? rescuer_thread+0x360/0x360\n[ 3406.252175][T230589]  kthread+0x127/0x150\n[ 3406.261197][T230589]  ? set_kthread_struct+0x40/0x40\n[ 3406.271287][T230589]  ret_from_fork+0x22/0x30\n[ 3406.280812][T230589]  </TASK>\n[ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders]\n[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48785",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: remove vsock from connected table when connect is interrupted by a signal\n\nvsock_connect() expects that the socket could already be in the\nTCP_ESTABLISHED state when the connecting task wakes up with a signal\npending. If this happens the socket will be in the connected table, and\nit is not removed when the socket state is reset. In this situation it's\ncommon for the process to retry connect(), and if the connection is\nsuccessful the socket will be added to the connected table a second\ntime, corrupting the list.\n\nPrevent this by calling vsock_remove_connected() if a signal is received\nwhile waiting for a connection. This is harmless if the socket is not in\nthe connected table, and if it is in the table then removing it will\nprevent list corruption from a double add.\n\nNote for backporting: this patch requires d5afa82c977e (\"vsock: correct\nremoval of socket from the list\"), which is in all current stable trees\nexcept 4.9.y.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48786",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: fix use-after-free\n\nIf no firmware was present at all (or, presumably, all of the\nfirmware files failed to parse), we end up unbinding by calling\ndevice_release_driver(), which calls remove(), which then in\niwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However\nthe new code I added will still erroneously access it after it\nwas freed.\n\nSet 'failure=false' in this case to avoid the access, all data\nwas already freed anyway.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48787",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.11"
        },
        {
          "id": "CVE-2022-48788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-rdma: fix possible use-after-free in transport error_recovery work\n\nWhile nvme_rdma_submit_async_event_work is checking the ctrl and queue\nstate before preparing the AER command and scheduling io_work, in order\nto fully prevent a race where this check is not reliable the error\nrecovery work must flush async_event_work before continuing to destroy\nthe admin queue after setting the ctrl state to RESETTING such that\nthere is no race .submit_async_event and the error recovery handler\nitself changing the ctrl state.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48788",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix possible use-after-free in transport error_recovery work\n\nWhile nvme_tcp_submit_async_event_work is checking the ctrl and queue\nstate before preparing the AER command and scheduling io_work, in order\nto fully prevent a race where this check is not reliable the error\nrecovery work must flush async_event_work before continuing to destroy\nthe admin queue after setting the ctrl state to RESETTING such that\nthere is no race .submit_async_event and the error recovery handler\nitself changing the ctrl state.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48789",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix a possible use-after-free in controller reset during load\n\nUnlike .queue_rq, in .submit_async_event drivers may not check the ctrl\nreadiness for AER submission. This may lead to a use-after-free\ncondition that was observed with nvme-tcp.\n\nThe race condition may happen in the following scenario:\n1. driver executes its reset_ctrl_work\n2. -> nvme_stop_ctrl - flushes ctrl async_event_work\n3. ctrl sends AEN which is received by the host, which in turn\n   schedules AEN handling\n4. teardown admin queue (which releases the queue socket)\n5. AEN processed, submits another AER, calling the driver to submit\n6. driver attempts to send the cmd\n==> use-after-free\n\nIn order to fix that, add ctrl state check to validate the ctrl\nis actually able to accept the AER submission.\n\nThis addresses the above race in controller resets because the driver\nduring teardown should:\n1. change ctrl state to RESETTING\n2. flush async_event_work (as well as other async work elements)\n\nSo after 1,2, any other AER command will find the\nctrl state to be RESETTING and bail out without submitting the AER.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48790",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted TMF sas_task\n\nCurrently a use-after-free may occur if a TMF sas_task is aborted before we\nhandle the IO completion in mpi_ssp_completion(). The abort occurs due to\ntimeout.\n\nWhen the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the\nsas_task is freed in pm8001_exec_internal_tmf_task().\n\nHowever, if the I/O completion occurs later, the I/O completion still\nthinks that the sas_task is available. Fix this by clearing the ccb->task\nif the TMF times out - the I/O completion handler does nothing if this\npointer is cleared.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48791",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n   the I/O.\n\n - Release driver resources associated with the sas_task in\n   pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48792",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: nSVM: fix potential NULL dereference on nested migration\n\nTurns out that due to review feedback and/or rebases\nI accidentally moved the call to nested_svm_load_cr3 to be too early,\nbefore the NPT is enabled, which is very wrong to do.\n\nKVM can't even access guest memory at that point as nested NPT\nis needed for that, and of course it won't initialize the walk_mmu,\nwhich is main issue the patch was addressing.\n\nFix this for real.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48793",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: at86rf230: Stop leaking skb's\n\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. In the Tx case we then leak\nthe skb structure.\n\nFree the skb structure upon error before returning when appropriate.\n\nAs the 'is_tx = 0' cannot be moved in the complete handler because of a\npossible race between the delay in switching to STATE_RX_AACK_ON and a\nnew interrupt, we introduce an intermediate 'was_tx' boolean just for\nthis purpose.\n\nThere is no Fixes tag applying here, many changes have been made on this\narea and the issue kind of always existed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48794",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix data TLB miss in sba_unmap_sg\n\nRolf Eike Beer reported the following bug:\n\n[1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018\n[1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4\n[1274934.746891] Hardware name: 9000/785/C8000\n[1274934.746891]\n[1274934.746891]      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI\n[1274934.746891] PSW: 00001000000001001111111000001110 Not tainted\n[1274934.746891] r00-03  000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000\n[1274934.746891] r04-07  0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001\n[1274934.746891] r08-11  0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001\n[1274934.746891] r12-15  0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0\n[1274934.746891] r16-19  0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007\n[1274934.746891] r20-23  0000000000000006 000000004a368950 0000000000000000 0000000000000001\n[1274934.746891] r24-27  0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0\n[1274934.746891] r28-31  0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118\n[1274934.746891] sr00-03  00000000066e5800 0000000000000000 0000000000000000 00000000066e5800\n[1274934.746891] sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[1274934.746891]\n[1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec\n[1274934.746891]  IIR: 48780030    ISR: 0000000000000000  IOR: 0000004140000018\n[1274934.746891]  CPU:        3   CR30: 00000040e3a9c000 CR31: ffffffffffffffff\n[1274934.746891]  ORIG_R28: 0000000040acdd58\n[1274934.746891]  IAOQ[0]: sba_unmap_sg+0xb0/0x118\n[1274934.746891]  IAOQ[1]: sba_unmap_sg+0xb4/0x118\n[1274934.746891]  RP(r2): 
sba_unmap_sg+0xac/0x118\n[1274934.746891] Backtrace:\n[1274934.746891]  [<00000000402740cc>] dma_unmap_sg_attrs+0x6c/0x70\n[1274934.746891]  [<000000004074d6bc>] scsi_dma_unmap+0x54/0x60\n[1274934.746891]  [<00000000407a3488>] mptscsih_io_done+0x150/0xd70\n[1274934.746891]  [<0000000040798600>] mpt_interrupt+0x168/0xa68\n[1274934.746891]  [<0000000040255a48>] __handle_irq_event_percpu+0xc8/0x278\n[1274934.746891]  [<0000000040255c34>] handle_irq_event_percpu+0x3c/0xd8\n[1274934.746891]  [<000000004025ecb4>] handle_percpu_irq+0xb4/0xf0\n[1274934.746891]  [<00000000402548e0>] generic_handle_irq+0x50/0x70\n[1274934.746891]  [<000000004019a254>] call_on_stack+0x18/0x24\n[1274934.746891]\n[1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)\n\nThe bug is caused by overrunning the sglist and incorrectly testing\nsg_dma_len(sglist) before nents. Normally this doesn't cause a crash,\nbut in this case sglist crossed a page boundary. This occurs in the\nfollowing code:\n\n\twhile (sg_dma_len(sglist) && nents--) {\n\nThe fix is simply to test nents first and move the decrement of nents\ninto the loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48795",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential use-after-free during probe\n\nKasan has reported the following use after free on dev->iommu.\nwhen a device probe fails and it is in process of freeing dev->iommu\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\ncausing use after free.\n\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\n\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n dump_backtrace+0x0/0x33c\n show_stack+0x18/0x24\n dump_stack_lvl+0x16c/0x1e0\n print_address_description+0x84/0x39c\n __kasan_report+0x184/0x308\n kasan_report+0x50/0x78\n __asan_load8+0xc0/0xc4\n of_iommu_configure+0xb4/0x4a4\n of_dma_configure_id+0x2fc/0x4d4\n platform_dma_configure+0x40/0x5c\n really_probe+0x1b4/0xb74\n driver_probe_device+0x11c/0x228\n __device_attach_driver+0x14c/0x304\n bus_for_each_drv+0x124/0x1b0\n __device_attach+0x25c/0x334\n device_initial_probe+0x24/0x34\n bus_probe_device+0x78/0x134\n deferred_probe_work_func+0x130/0x1a8\n process_one_work+0x4c8/0x970\n worker_thread+0x5c8/0xaec\n kthread+0x1f8/0x220\n ret_from_fork+0x10/0x18\n\nAllocated by task 1:\n ____kasan_kmalloc+0xd4/0x114\n __kasan_kmalloc+0x10/0x1c\n kmem_cache_alloc_trace+0xe4/0x3d4\n __iommu_probe_device+0x90/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n 
init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFreed by task 1:\n kasan_set_track+0x4c/0x84\n kasan_set_free_info+0x28/0x4c\n ____kasan_slab_free+0x120/0x15c\n __kasan_slab_free+0x18/0x28\n slab_free_freelist_hook+0x204/0x2fc\n kfree+0xfc/0x3a4\n __iommu_probe_device+0x284/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFix this by setting dev->iommu to NULL first and\nthen freeing dev_iommu structure in dev_iommu_free\nfunction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48796",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: don't try to NUMA-migrate COW pages that have other uses\n\nOded Gabbay reports that enabling NUMA balancing causes corruption with\nhis Gaudi accelerator test load:\n\n \"All the details are in the bug, but the bottom line is that somehow,\n  this patch causes corruption when the numa balancing feature is\n  enabled AND we don't use process affinity AND we use GUP to pin pages\n  so our accelerator can DMA to/from system memory.\n\n  Either disabling numa balancing, using process affinity to bind to\n  specific numa-node or reverting this patch causes the bug to\n  disappear\"\n\nand Oded bisected the issue to commit 09854ba94c6a (\"mm: do_wp_page()\nsimplification\").\n\nNow, the NUMA balancing shouldn't actually be changing the writability\nof a page, and as such shouldn't matter for COW.  But it appears it\ndoes.  Suspicious.\n\nHowever, regardless of that, the condition for enabling NUMA faults in\nchange_pte_range() is nonsensical.  It uses \"page_mapcount(page)\" to\ndecide if a COW page should be NUMA-protected or not, and that makes\nabsolutely no sense.\n\nThe number of mappings a page has is irrelevant: not only does GUP get a\nreference to a page as in Oded's case, but the other mappings might be\npaged out and the only reference to them would be in the page count.\n\nSince we should never try to NUMA-balance a page that we can't move\nanyway due to other references, just fix the code to use 'page_count()'.\nOded confirms that that fixes his issue.\n\nNow, this does imply that something in NUMA balancing ends up changing\npage protections (other than the obvious one of making the page\ninaccessible to get the NUMA faulting information).  
Otherwise the COW\nsimplification wouldn't matter - since doing the GUP on the page would\nmake sure it's writable.\n\nThe cause of that permission change would be good to figure out too,\nsince it clearly results in spurious COW events - but fixing the\nnonsensical test that just happened to work before is obviously the\nCorrectThing(tm) to do regardless.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48797",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: verify the driver availability for path_event call\n\nIf no driver is attached to a device or the driver does not provide the\npath_event function, an FCES path-event on this device could end up in a\nkernel-panic. Verify the driver availability before the path_event\nfunction call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48798",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix list corruption in perf_cgroup_switch()\n\nThere's list corruption on cgrp_cpuctx_list. This happens on the\nfollowing path:\n\n  perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)\n      cpu_ctx_sched_in\n         ctx_sched_in\n            ctx_pinned_sched_in\n              merge_sched_in\n                  perf_cgroup_event_disable: remove the event from the list\n\nUse list_for_each_entry_safe() to allow removing an entry during\niteration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48799",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmscan: remove deadlock due to throttling failing to make progress\n\nA soft lockup bug in kcompactd was reported in a private bugzilla with\nthe following visible in dmesg;\n\n  watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479]\n  watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479]\n  watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479]\n  watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479]\n\nThe machine had 256G of RAM with no swap and an earlier failed\nallocation indicated that node 0 where kcompactd was run was potentially\nunreclaimable;\n\n  Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB\n    inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB\n    mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp:\n    0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB\n    kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes\n\nVlastimil Babka investigated a crash dump and found that a task\nmigrating pages was trying to drain PCP lists;\n\n  PID: 52922  TASK: ffff969f820e5000  CPU: 19  COMMAND: \"kworker/u128:3\"\n  Call Trace:\n     __schedule\n     schedule\n     schedule_timeout\n     wait_for_completion\n     __flush_work\n     __drain_all_pages\n     __alloc_pages_slowpath.constprop.114\n     __alloc_pages\n     alloc_migration_target\n     migrate_pages\n     migrate_to_node\n     do_migrate_pages\n     cpuset_migrate_mm_workfn\n     process_one_work\n     worker_thread\n     kthread\n     ret_from_fork\n\nThis failure is specific to CONFIG_PREEMPT=n builds.  The root of the\nproblem is that kcompact0 is not rescheduling on a CPU while a task that\nhas isolated a large number of the pages from the LRU is waiting on\nkcompact0 to reschedule so the pages can be released.  
While\nshrink_inactive_list() only loops once around too_many_isolated, reclaim\ncan continue without rescheduling if sc->skipped_deactivate == 1 which\ncould happen if there was no file LRU and the inactive anon list was not\nlow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48800",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL\n\nIf we fail to copy the just created file descriptor to userland, we\ntry to clean up by putting back 'fd' and freeing 'ib'. The code uses\nput_unused_fd() for the former which is wrong, as the file descriptor\nwas already published by fd_install() which gets called internally by\nanon_inode_getfd().\n\nThis makes the error handling code leaving a half cleaned up file\ndescriptor table around and a partially destructed 'file' object,\nallowing userland to play use-after-free tricks on us, by abusing\nthe still usable fd and making the code operate on a dangling\n'file->private_data' pointer.\n\nInstead of leaving the kernel in a partially corrupted state, don't\nattempt to explicitly clean up and leave this to the process exit\npath that'll release any still valid fds, including the one created\nby the previous call to anon_inode_getfd(). Simply return -EFAULT to\nindicate the error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48801",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: task_mmu.c: don't read mapcount for migration entry\n\nThe syzbot reported the below BUG:\n\n  kernel BUG at include/linux/page-flags.h:785!\n  invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n  CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]\n  RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744\n  Call Trace:\n    page_mapcount include/linux/mm.h:837 [inline]\n    smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466\n    smaps_pte_entry fs/proc/task_mmu.c:538 [inline]\n    smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601\n    walk_pmd_range mm/pagewalk.c:128 [inline]\n    walk_pud_range mm/pagewalk.c:205 [inline]\n    walk_p4d_range mm/pagewalk.c:240 [inline]\n    walk_pgd_range mm/pagewalk.c:277 [inline]\n    __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379\n    walk_page_vma+0x277/0x350 mm/pagewalk.c:530\n    smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768\n    smap_gather_stats fs/proc/task_mmu.c:741 [inline]\n    show_smap+0xc6/0x440 fs/proc/task_mmu.c:822\n    seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272\n    seq_read+0x3e0/0x5b0 fs/seq_file.c:162\n    vfs_read+0x1b5/0x600 fs/read_write.c:479\n    ksys_read+0x12d/0x250 fs/read_write.c:619\n    do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe reproducer was trying to read /proc/$PID/smaps when calling\nMADV_FREE at the mean time.  MADV_FREE may split THPs if it is called\nfor partial THP.  It may trigger the below race:\n\n           CPU A                         CPU B\n           -----                         -----\n  smaps walk:                      MADV_FREE:\n  page_mapcount()\n    PageCompound()\n                                   split_huge_page()\n    page = compound_head(page)\n    PageDoubleMap(page)\n\nWhen calling PageDoubleMap() this page is not a tail page of THP anymore\nso the BUG is triggered.\n\nThis could be fixed by elevated refcount of the page before calling\nmapcount, but that would prevent it from counting migration entries, and\nit seems overkilling because the race just could happen when PMD is\nsplit so all PTE entries of tail pages are actually migration entries,\nand smaps_account() does treat migration entries as mapcount == 1 as\nKirill pointed out.\n\nAdd a new parameter for smaps_account() to tell this entry is migration\nentry then skip calling page_mapcount().  Don't skip getting mapcount\nfor device private entries since they do track references with mapcount.\n\nPagemap also has the similar issue although it was not reported.  Fixed\nit as well.\n\n[shy828301@gmail.com: v4]\n[nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48802",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: Fix missing sentinel for clk_div_table\n\n_get_table_maxdiv() tries to access \"clk_div_table\" array out of bound\ndefined in phy-j721e-wiz.c. Add a sentinel entry to prevent\nthe following global-out-of-bounds error reported by enabling KASAN.\n\n[    9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148\n[    9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38\n[    9.565926]\n[    9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360\n[    9.576242] Hardware name: Texas Instruments J721e EVM (DT)\n[    9.581832] Workqueue: events_unbound deferred_probe_work_func\n[    9.587708] Call trace:\n[    9.590174]  dump_backtrace+0x20c/0x218\n[    9.594038]  show_stack+0x18/0x68\n[    9.597375]  dump_stack_lvl+0x9c/0xd8\n[    9.601062]  print_address_description.constprop.0+0x78/0x334\n[    9.606830]  kasan_report+0x1f0/0x260\n[    9.610517]  __asan_load4+0x9c/0xd8\n[    9.614030]  _get_maxdiv+0xc0/0x148\n[    9.617540]  divider_determine_rate+0x88/0x488\n[    9.622005]  divider_round_rate_parent+0xc8/0x124\n[    9.626729]  wiz_clk_div_round_rate+0x54/0x68\n[    9.631113]  clk_core_determine_round_nolock+0x124/0x158\n[    9.636448]  clk_core_round_rate_nolock+0x68/0x138\n[    9.641260]  clk_core_set_rate_nolock+0x268/0x3a8\n[    9.645987]  clk_set_rate+0x50/0xa8\n[    9.649499]  cdns_sierra_phy_init+0x88/0x248\n[    9.653794]  phy_init+0x98/0x108\n[    9.657046]  cdns_pcie_enable_phy+0xa0/0x170\n[    9.661340]  cdns_pcie_init_phy+0x250/0x2b0\n[    9.665546]  j721e_pcie_probe+0x4b8/0x798\n[    9.669579]  platform_probe+0x8c/0x108\n[    9.673350]  really_probe+0x114/0x630\n[    9.677037]  __driver_probe_device+0x18c/0x220\n[    9.681505]  driver_probe_device+0xac/0x150\n[    9.685712]  __device_attach_driver+0xec/0x170\n[    9.690178]  bus_for_each_drv+0xf0/0x158\n[    9.694124]  __device_attach+0x184/0x210\n[    9.698070]  device_initial_probe+0x14/0x20\n[    9.702277]  bus_probe_device+0xec/0x100\n[    9.706223]  deferred_probe_work_func+0x124/0x180\n[    9.710951]  process_one_work+0x4b0/0xbc0\n[    9.714983]  worker_thread+0x74/0x5d0\n[    9.718668]  kthread+0x214/0x230\n[    9.721919]  ret_from_fork+0x10/0x20\n[    9.725520]\n[    9.727032] The buggy address belongs to the variable:\n[    9.732183]  clk_div_table+0x24/0x440",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48803",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt_ioctl: fix array_index_nospec in vt_setactivate\n\narray_index_nospec ensures that an out-of-bounds value is set to zero\non the transient path. Decreasing the value by one afterwards causes\na transient integer underflow. vsa.console should be decreased first\nand then sanitized with array_index_nospec.\n\nKasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh\nRazavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU\nAmsterdam.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48804",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup\n\nax88179_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,\n   causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n   endianness flip to corrupt data used by a cloned SKB that has already\n   been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n   causing out-of-bounds heap data to be considered part of the SKB's\n   data.\n\nI have tested that this can be used by a malicious USB device to send a\nbogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response\nthat contains random kernel heap data.\nIt's probably also possible to get OOB writes from this on a\nlittle-endian system somehow - maybe by triggering skb_cow() via IP\noptions processing -, but I haven't tested that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48805",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8.  If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows.  And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48806",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.10"
        },
        {
          "id": "CVE-2022-48807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix KASAN error in LAG NETDEV_UNREGISTER handler\n\nCurrently, the same handler is called for both a NETDEV_BONDING_INFO\nLAG unlink notification as for a NETDEV_UNREGISTER call.  This is\ncausing a problem though, since the netdev_notifier_info passed has\na different structure depending on which event is passed.  The problem\nmanifests as a call trace from a BUG: KASAN stack-out-of-bounds error.\n\nFix this by creating a handler specific to NETDEV_UNREGISTER that only\nis passed valid elements in the netdev_notifier_info struct for the\nNETDEV_UNREGISTER event.\n\nAlso included is the removal of an unbalanced dev_put on the peer_netdev\nand related braces.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48807",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48808",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix a memleak when uncloning an skb dst and its metadata\n\nWhen uncloning an skb dst and its associated metadata, a new\ndst+metadata is allocated and later replaces the old one in the skb.\nThis is helpful to have a non-shared dst+metadata attached to a specific\nskb.\n\nThe issue is the uncloned dst+metadata is initialized with a refcount of\n1, which is increased to 2 before attaching it to the skb. When\ntun_dst_unclone returns, the dst+metadata is only referenced from a\nsingle place (the skb) while its refcount is 2. Its refcount will never\ndrop to 0 (when the skb is consumed), leading to a memory leak.\n\nFix this by removing the call to dst_hold in tun_dst_unclone, as the\ndst+metadata refcount is already 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48809",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path\n\nip[6]mr_free_table() can only be called under RTNL lock.\n\nRTNL: assertion failed at net/core/dev.c (10367)\nWARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367\nModules linked in:\nCPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367\nCode: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee\nRSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4\nR13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000\nFS:  00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509\n ip6mr_free_table net/ipv6/ip6mr.c:389 [inline]\n ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline]\n ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline]\n ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298\n ops_init+0xaf/0x470 net/core/net_namespace.c:140\n setup_net+0x54f/0xbb0 net/core/net_namespace.c:331\n copy_net_ns+0x318/0x760 net/core/net_namespace.c:475\n create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\n copy_namespaces+0x391/0x450 kernel/nsproxy.c:178\n copy_process+0x2e0c/0x7300 kernel/fork.c:2167\n kernel_clone+0xe7/0xab0 kernel/fork.c:2555\n __do_sys_clone+0xc8/0x110 kernel/fork.c:2672\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f4ab89f9059\nCode: Unable to access opcode bytes at RIP 0x7f4ab89f902f.\nRSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038\nRAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059\nRDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000\nRBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300\nR10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000\nR13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48810",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: don't release napi in __ibmvnic_open()\n\nIf __ibmvnic_open() encounters an error such as when setting link state,\nit calls release_resources() which frees the napi structures needlessly.\nInstead, have __ibmvnic_open() only clean up the work it did so far (i.e.\ndisable napi and irqs) and leave the rest to the callers.\n\nIf caller of __ibmvnic_open() is ibmvnic_open(), it should release the\nresources immediately. If the caller is do_reset() or do_hard_reset(),\nthey will release the resources on the next reset.\n\nThis fixes following crash that occurred when running the drmgr command\nseveral times to add/remove a vnic interface:\n\n\t[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq\n\t[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq\n\t[102056] ibmvnic 30000003 env3: Replenished 8 pools\n\tKernel attempted to read user page (10) - exploit attempt? (uid: 0)\n\tBUG: Kernel NULL pointer dereference on read at 0x00000010\n\tFaulting instruction address: 0xc000000000a3c840\n\tOops: Kernel access of bad area, sig: 11 [#1]\n\tLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n\t...\n\tCPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1\n\tWorkqueue: events_long __ibmvnic_reset [ibmvnic]\n\tNIP:  c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820\n\tREGS: c0000000548e37e0 TRAP: 0300   Not tainted  (5.16.0-rc5-autotest-g6441998e2e37)\n\tMSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28248484  XER: 00000004\n\tCFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0\n\tGPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000\n\t...\n\tNIP [c000000000a3c840] napi_enable+0x20/0xc0\n\tLR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]\n\tCall Trace:\n\t[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)\n\t[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]\n\t[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]\n\t[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570\n\t[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660\n\t[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0\n\t[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\tInstruction dump:\n\t7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010\n\t38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020\n\t---[ end trace 5f8033b08fd27706 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48811",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe GSWIP switch is a platform device, so the initial set of constraints\nthat I thought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the GSWIP switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe gswip driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48812",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Felix VSC9959 switch is a PCI device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the felix switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe felix driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc_size() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48813",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: seville: register the mdiobus under devres\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Seville VSC9959 switch is a platform device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the seville switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe seville driver has a code structure that could accommodate both the\nmdiobus_unregister and mdiobus_free calls, but it has an external\ndependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls\ndevm_mdiobus_alloc_size() on its behalf. So rather than restructuring\nthat, and exporting yet one more symbol mscc_miim_teardown(), let's work\nwith devres and replace of_mdiobus_register with the devres variant.\nWhen we use all-devres, we can ensure that devres doesn't free a\nstill-registered bus (it either runs both callbacks, or none).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48814",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: bcm_sf2: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Starfighter 2 is a platform device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the bcm_sf2 switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe bcm_sf2 driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48815",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex.  Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48816",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ar9331: register the mdiobus under devres\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe ar9331 is an MDIO device, so the initial set of constraints that I\nthought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the ar9331 switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe ar9331 driver doesn't have a complex code structure for mdiobus\nremoval, so just replace of_mdiobus_register with the devres variant in\norder to be all-devres and ensure that we don't free a still-registered\nbus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48817",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe mv88e6xxx is an MDIO device, so the initial set of constraints that\nI thought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the Marvell switch driver on shutdown.\n\nsystemd-shutdown[1]: Powering off.\nmv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down\nfsl-mc dpbp.9: Removing from iommu group 7\nfsl-mc dpbp.8: Removing from iommu group 7\n------------[ cut here ]------------\nkernel BUG at drivers/net/phy/mdio_bus.c:677!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15\npc : mdiobus_free+0x44/0x50\nlr : devm_mdiobus_free+0x10/0x20\nCall trace:\n mdiobus_free+0x44/0x50\n devm_mdiobus_free+0x10/0x20\n devres_release_all+0xa0/0x100\n __device_release_driver+0x190/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x4c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n kernel_power_off+0x34/0x6c\n __do_sys_reboot+0x15c/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe Marvell driver already has a good structure for mdiobus removal, so\njust plug in mdiobus_free and get rid of devres.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48818",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\n\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\n\n\tWARN_ON(sk_forward_alloc_get(sk));\n\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\n\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\n\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48819",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable()\n\nThis error path needs to decrement \"usbphyc->n_pll_cons.counter\" before\nreturning.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48820",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: avoid double fput() on failed usercopy\n\nIf the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF\nioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact,\ndma_buf_fd() called fd_install() before, i.e. \"consumed\" one reference,\nleaving us with none.\n\nCalling dma_buf_put() will therefore put a reference we no longer own,\nleading to a valid file descriptor table entry for an already released\n'file' object which is a straight use-after-free.\n\nSimply avoid calling dma_buf_put() and rely on the process exit code to\ndo the necessary cleanup, if needed, i.e. if the file descriptor is\nstill valid.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48821",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: f_fs: Fix use-after-free for epfile\n\nConsider a case where ffs_func_eps_disable is called from\nffs_func_disable as part of composition switch and at the\nsame time ffs_epfile_release get called from userspace.\nffs_epfile_release will free up the read buffer and call\nffs_data_closed which in turn destroys ffs->epfiles and\nmark it as NULL. While this was happening the driver has\nalready initialized the local epfile in ffs_func_eps_disable\nwhich is now freed and waiting to acquire the spinlock. Once\nspinlock is acquired the driver proceeds with the stale value\nof epfile and tries to free the already freed read buffer\ncausing use-after-free.\n\nFollowing is the illustration of the race:\n\n      CPU1                                  CPU2\n\n   ffs_func_eps_disable\n   epfiles (local copy)\n\t\t\t\t\tffs_epfile_release\n\t\t\t\t\tffs_data_closed\n\t\t\t\t\tif (last file closed)\n\t\t\t\t\tffs_data_reset\n\t\t\t\t\tffs_data_clear\n\t\t\t\t\tffs_epfiles_destroy\nspin_lock\ndereference epfiles\n\nFix these races by taking epfiles local copy & assigning it under\nspinlock and if epfiles(local) is null then update it in ffs->epfiles\nthen finally destroy it.\nExtending the scope further from the race, protecting the ep related\nstructures, and concurrent accesses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48822",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Fix refcount issue when LOGO is received during TMF\n\nHung task call trace was seen during LOGO processing.\n\n[  974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued...\n[  974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0\n[  974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET\n[  974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1.\n[  974.309625] host1: rport 016900: Received LOGO request while in state Ready\n[  974.309627] host1: rport 016900: Delete port\n[  974.309642] host1: rport 016900: work event 3\n[  974.309644] host1: rport 016900: lld callback ev 3\n[  974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush.\n[  974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success...\n[  984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds.\n[  984.031136]       Not tainted 4.18.0-305.el8.x86_64 #1\n\n[  984.031166] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  984.031209] jbd2/dm-15-8    D    0  7645      2 0x80004080\n[  984.031212] Call Trace:\n[  984.031222]  __schedule+0x2c4/0x700\n[  984.031230]  ? unfreeze_partials.isra.83+0x16e/0x1a0\n[  984.031233]  ? bit_wait_timeout+0x90/0x90\n[  984.031235]  schedule+0x38/0xa0\n[  984.031238]  io_schedule+0x12/0x40\n[  984.031240]  bit_wait_io+0xd/0x50\n[  984.031243]  __wait_on_bit+0x6c/0x80\n[  984.031248]  ? free_buffer_head+0x21/0x50\n[  984.031251]  out_of_line_wait_on_bit+0x91/0xb0\n[  984.031257]  ? init_wait_var_entry+0x50/0x50\n[  984.031268]  jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2]\n[  984.031280]  kjournald2+0xbd/0x270 [jbd2]\n[  984.031284]  ? finish_wait+0x80/0x80\n[  984.031291]  ? commit_timeout+0x10/0x10 [jbd2]\n[  984.031294]  kthread+0x116/0x130\n[  984.031300]  ? kthread_flush_work_fn+0x10/0x10\n[  984.031305]  ret_from_fork+0x1f/0x40\n\nThere was a ref count issue when LOGO is received during TMF. This leads to\none of the I/Os hanging with the driver. Fix the ref count.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48823",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: myrs: Fix crash in error case\n\nIn myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails\nwith non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and\ncrash the kernel.\n\n[    1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A\n[    1.105872] myrs 0000:00:03.0: Failed to initialize Controller\n[    1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    1.110774] Call Trace:\n[    1.110950]  myrs_cleanup+0xe4/0x150 [myrs]\n[    1.111135]  myrs_probe.cold+0x91/0x56a [myrs]\n[    1.111302]  ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs]\n[    1.111500]  local_pci_probe+0x48/0x90",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48824",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Add stag_work to all the vports\n\nCall trace seen when creating NPIV ports, only 32 out of 64 show online.\nstag work was not initialized for vport, hence initialize the stag work.\n\nWARNING: CPU: 8 PID: 645 at kernel/workqueue.c:1635 __queue_delayed_work+0x68/0x80\nCPU: 8 PID: 645 Comm: kworker/8:1 Kdump: loaded Tainted: G IOE    --------- --\n 4.18.0-348.el8.x86_64 #1\nHardware name: Dell Inc. PowerEdge MX740c/0177V9, BIOS 2.12.2 07/09/2021\nWorkqueue: events fc_lport_timeout [libfc]\nRIP: 0010:__queue_delayed_work+0x68/0x80\nCode: 89 b2 88 00 00 00 44 89 82 90 00 00 00 48 01 c8 48 89 42 50 41 81\nf8 00 20 00 00 75 1d e9 60 24 07 00 44 89 c7 e9 98 f6 ff ff <0f> 0b eb\nc5 0f 0b eb a1 0f 0b eb a7 0f 0b eb ac 44 89 c6 e9 40 23\nRSP: 0018:ffffae514bc3be40 EFLAGS: 00010006\nRAX: ffff8d25d6143750 RBX: 0000000000000202 RCX: 0000000000000002\nRDX: ffff8d2e31383748 RSI: ffff8d25c000d600 RDI: ffff8d2e31383788\nRBP: ffff8d2e31380de0 R08: 0000000000002000 R09: ffff8d2e31383750\nR10: ffffffffc0c957e0 R11: ffff8d2624800000 R12: ffff8d2e31380a58\nR13: ffff8d2d915eb000 R14: ffff8d25c499b5c0 R15: ffff8d2e31380e18\nFS:  0000000000000000(0000) GS:ffff8d2d1fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055fd0484b8b8 CR3: 00000008ffc10006 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n  queue_delayed_work_on+0x36/0x40\n  qedf_elsct_send+0x57/0x60 [qedf]\n  fc_lport_enter_flogi+0x90/0xc0 [libfc]\n  fc_lport_timeout+0xb7/0x140 [libfc]\n  process_one_work+0x1a7/0x360\n  ? create_worker+0x1a0/0x1a0\n  worker_thread+0x30/0x390\n  ? create_worker+0x1a0/0x1a0\n  kthread+0x116/0x130\n  ? kthread_flush_work_fn+0x10/0x10\n  ret_from_fork+0x35/0x40\n ---[ end trace 008f00f722f2c2ff ]--\n\nInitialize stag work for all the vports.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48825",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix deadlock on DSI device attach error\n\nDSI device attach to DSI host will be done with host device's lock\nheld.\n\nUn-registering host in \"device attach\" error path (ex: probe retry)\nwill result in deadlock with below call trace and non operational\nDSI display.\n\nStartup Call trace:\n[   35.043036]  rt_mutex_slowlock.constprop.21+0x184/0x1b8\n[   35.043048]  mutex_lock_nested+0x7c/0xc8\n[   35.043060]  device_del+0x4c/0x3e8\n[   35.043075]  device_unregister+0x20/0x40\n[   35.043082]  mipi_dsi_remove_device_fn+0x18/0x28\n[   35.043093]  device_for_each_child+0x68/0xb0\n[   35.043105]  mipi_dsi_host_unregister+0x40/0x90\n[   35.043115]  vc4_dsi_host_attach+0xf0/0x120 [vc4]\n[   35.043199]  mipi_dsi_attach+0x30/0x48\n[   35.043209]  tc358762_probe+0x128/0x164 [tc358762]\n[   35.043225]  mipi_dsi_drv_probe+0x28/0x38\n[   35.043234]  really_probe+0xc0/0x318\n[   35.043244]  __driver_probe_device+0x80/0xe8\n[   35.043254]  driver_probe_device+0xb8/0x118\n[   35.043263]  __device_attach_driver+0x98/0xe8\n[   35.043273]  bus_for_each_drv+0x84/0xd8\n[   35.043281]  __device_attach+0xf0/0x150\n[   35.043290]  device_initial_probe+0x1c/0x28\n[   35.043300]  bus_probe_device+0xa4/0xb0\n[   35.043308]  deferred_probe_work_func+0xa0/0xe0\n[   35.043318]  process_one_work+0x254/0x700\n[   35.043330]  worker_thread+0x4c/0x448\n[   35.043339]  kthread+0x19c/0x1a8\n[   35.043348]  ret_from_fork+0x10/0x20\n\nShutdown Call trace:\n[  365.565417] Call trace:\n[  365.565423]  __switch_to+0x148/0x200\n[  365.565452]  __schedule+0x340/0x9c8\n[  365.565467]  schedule+0x48/0x110\n[  365.565479]  schedule_timeout+0x3b0/0x448\n[  365.565496]  wait_for_completion+0xac/0x138\n[  365.565509]  __flush_work+0x218/0x4e0\n[  365.565523]  flush_work+0x1c/0x28\n[  365.565536]  wait_for_device_probe+0x68/0x158\n[  365.565550]  device_shutdown+0x24/0x348\n[  365.565561]  kernel_restart_prepare+0x40/0x50\n[  365.565578]  kernel_restart+0x20/0x70\n[  365.565591]  __do_sys_reboot+0x10c/0x220\n[  365.565605]  __arm64_sys_reboot+0x2c/0x38\n[  365.565619]  invoke_syscall+0x4c/0x110\n[  365.565634]  el0_svc_common.constprop.3+0xfc/0x120\n[  365.565648]  do_el0_svc+0x2c/0x90\n[  365.565661]  el0_svc+0x4c/0xf0\n[  365.565671]  el0t_64_sync_handler+0x90/0xb8\n[  365.565682]  el0t_64_sync+0x180/0x184",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48826",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix the behavior of READ near OFFSET_MAX\n\nDan Aloni reports:\n> Due to commit 8cfb9015280d (\"NFS: Always provide aligned buffers to\n> the RPC read layers\") on the client, a read of 0xfff is aligned up\n> to server rsize of 0x1000.\n>\n> As a result, in a test where the server has a file of size\n> 0x7fffffffffffffff, and the client tries to read from the offset\n> 0x7ffffffffffff000, the read causes loff_t overflow in the server\n> and it returns an NFS code of EINVAL to the client. The client as\n> a result indefinitely retries the request.\n\nThe Linux NFS client does not handle NFS?ERR_INVAL, even though all\nNFS specifications permit servers to return that status code for a\nREAD.\n\nInstead of NFS?ERR_INVAL, have out-of-range READ requests succeed\nand return a short result. Set the EOF flag in the result to prevent\nthe client from retrying the READ request. This behavior appears to\nbe consistent with Solaris NFS servers.\n\nNote that NFSv3 and NFSv4 use u64 offset values on the wire. These\nmust be converted to loff_t internally before use -- an implicit\ntype cast is not adequate for this purpose. Otherwise VFS checks\nagainst sb->s_maxbytes do not work properly.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48827",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix ia_size underflow\n\niattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and\nNFSv4 both define file size as an unsigned 64-bit type. Thus there\nis a range of valid file size values an NFS client can send that is\nalready larger than Linux can handle.\n\nCurrently decode_fattr4() dumps a full u64 value into ia_size. If\nthat value happens to be larger than S64_MAX, then ia_size\nunderflows. I'm about to fix up the NFSv3 behavior as well, so let's\ncatch the underflow in the common code path: nfsd_setattr().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48828",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes\n\niattr::ia_size is a loff_t, so these NFSv3 procedures must be\ncareful to deal with incoming client size values that are larger\nthan s64_max without corrupting the value.\n\nSilently capping the value results in storing a different value\nthan the client passed in which is unexpected behavior, so remove\nthe min_t() check in decode_sattr3().\n\nNote that RFC 1813 permits only the WRITE procedure to return\nNFS3ERR_FBIG. We believe that NFSv3 reference implementations\nalso return NFS3ERR_FBIG when ia_size is too large.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48829",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix potential CAN frame reception race in isotp_rcv()\n\nWhen receiving a CAN frame the current code logic does not consider\nconcurrently receiving processes which do not show up in real world\nusage.\n\nZiyang Xuan writes:\n\nThe following syz problem is one of the scenarios. so->rx.len is\nchanged by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals\n0 before alloc_skb() and equals 4096 after alloc_skb(). That will\ntrigger skb_over_panic() in skb_put().\n\n=======================================================\nCPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0\nRIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113\nCall Trace:\n <TASK>\n skb_over_panic net/core/skbuff.c:118 [inline]\n skb_put.cold+0x24/0x24 net/core/skbuff.c:1990\n isotp_rcv_cf net/can/isotp.c:570 [inline]\n isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668\n deliver net/can/af_can.c:574 [inline]\n can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635\n can_receive+0x31d/0x580 net/can/af_can.c:665\n can_rcv+0x120/0x1c0 net/can/af_can.c:696\n __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465\n __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579\n\nTherefore we make sure the state changes and data structures stay\nconsistent at CAN frame reception time by adding a spin_lock in\nisotp_rcv(). This fixes the issue reported by syzkaller but does not\naffect real world operation.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48830",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: fix reference leak in asymmetric_verify()\n\nDon't leak a reference to the key if its algorithm is unknown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48831",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: don't deref the syscall args when checking the openat2 open_how::flags\n\nAs reported by Jeff, dereferencing the openat2 syscall argument in\naudit_match_perm() to obtain the open_how::flags can result in an\noops/page-fault.  This patch fixes this by using the open_how struct\nthat we store in the audit_context with audit_openat2_how().\n\nIndependent of this patch, Richard Guy Briggs posted a similar patch\nto the audit mailing list roughly 40 minutes after this patch was\nposted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48832",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G        W         5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS:  00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264]  <TASK>\n[174957.444538]  btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238]  close_ctree+0x301/0x357 [btrfs]\n[174957.445803]  ? call_rcu+0x16c/0x290\n[174957.446250]  generic_shutdown_super+0x74/0x120\n[174957.446832]  kill_anon_super+0x14/0x30\n[174957.447305]  btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890]  deactivate_locked_super+0x31/0xa0\n[174957.448440]  cleanup_mnt+0x147/0x1c0\n[174957.448888]  task_work_run+0x5c/0xa0\n[174957.449336]  exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934]  syscall_exit_to_user_mode+0x16/0x40\n[174957.450512]  do_syscall_64+0x48/0xc0\n[174957.450980]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48833",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out.  It's easy to fix.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48834",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[  145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[  145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[  145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[  145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[  145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[  145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[  149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[  149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[  149.885617] #PF: supervisor read access in kernel mode\n[  149.894346] #PF: error_code(0x0000) - not-present page\n[  149.903123] PGD 0 P4D 0\n[  149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S         O      5.10.89-altav-1 #1\n[  149.934327] Hardware name: DDN           200NVX2             /200NVX2-MB          , BIOS ATHG2.2.02.01 09/10/2021\n[  149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[  149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[  149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[  150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[  150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[  150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[  150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[  150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[  150.054963] FS:  0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[  150.066715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[  150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  150.108323] PKRU: 55555554\n[  150.114690] Call Trace:\n[  150.120497]  ? printk+0x48/0x4a\n[  150.127049]  mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[  150.136453]  mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[  150.145759]  scsih_dev_reset+0xea/0x300 [mpt3sas]\n[  150.153891]  scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[  150.162206]  ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[  150.170406]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[  150.178925]  ? blk_mq_tagset_busy_iter+0x45/0x60\n[  150.186638]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[  150.195087]  scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[  150.203206]  ? __schedule+0x1e9/0x610\n[  150.209783]  ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[  150.217924]  kthread+0x12e/0x150\n[  150.224041]  ? kthread_worker_fn+0x130/0x130\n[  150.231206]  ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48835",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported a warning in usb_submit_urb() which is caused by a wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing the old desc.bNumEndpoints check with the\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n <TASK>\n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48836",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48837",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.17"
        },
        {
          "id": "CVE-2022-48838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core.  dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core.  However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver.  After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48838",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already get correct\nmetadata from the mapped buffer, so we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n </TASK>\n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n                                                                ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48839",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior to unregistering the net device. This causes a regression\nin the reboot/shutdown scenario because in this case the callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater the shutdown callback of the associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE, the mentioned\nloop is endless and the shutdown process hangs.\n\nThe patch fixes this by checking the adapter's state at the beginning\nof iavf_remove() and skipping the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot          state:D stack:    0 pid:17359 ppid:     1 f2\n[52625.996732] Call Trace:\n[52625.999187]  __schedule+0x2d1/0x830\n[52626.007400]  schedule+0x35/0xa0\n[52626.010545]  schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046]  usleep_range+0x5b/0x80\n[52626.023540]  iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645]  pci_device_remove+0x3b/0xc0\n[52626.031572]  device_release_driver_internal+0x103/0x1f0\n[52626.036805]  pci_stop_bus_device+0x72/0xa0\n[52626.040904]  pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870]  pci_iov_remove_virtfn+0xba/0x120\n[52626.050232]  sriov_disable+0x2f/0xe0\n[52626.053813]  ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946]  ice_remove+0x220/0x240 [ice]\n[52626.061967]  ice_shutdown+0x16/0x50 [ice]\n[52626.065987]  pci_device_shutdown+0x34/0x60\n[52626.070086]  device_shutdown+0x165/0x1c5\n[52626.074011]  kernel_restart+0xe/0x30\n[52626.077593]  __do_sys_reboot+0x1d2/0x210\n[52626.093815]  do_syscall_64+0x5b/0x1a0\n[52626.097483]  entry_SYSCALL_64_after_hwframe+0x65/0xca",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48840",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.17"
        },
        {
          "id": "CVE-2022-48841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats()\n\nIt is possible to do a NULL pointer dereference in the routine that updates\nTx ring stats. Currently only stats and bytes are updated when the ring\npointer is valid, but later on the ring is accessed to propagate gathered Tx\nstats onto VSI stats.\n\nChange the existing logic to move to the next ring when the ring is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48841",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix race condition during interface enslave\n\nCommit 5dbbbd01cbba83 (\"ice: Avoid RTNL lock when re-creating\nauxiliary device\") changes a process of re-creation of aux device\nso ice_plug_aux_dev() is called from ice_service_task() context.\nThis unfortunately opens a race window that can result in dead-lock\nwhen interface has left LAG and immediately enters LAG again.\n\nReproducer:\n```\n#!/bin/sh\n\nip link add lag0 type bond mode 1 miimon 100\nip link set lag0\n\nfor n in {1..10}; do\n        echo Cycle: $n\n        ip link set ens7f0 master lag0\n        sleep 1\n        ip link set ens7f0 nomaster\ndone\n```\n\nThis results in:\n[20976.208697] Workqueue: ice ice_service_task [ice]\n[20976.213422] Call Trace:\n[20976.215871]  __schedule+0x2d1/0x830\n[20976.219364]  schedule+0x35/0xa0\n[20976.222510]  schedule_preempt_disabled+0xa/0x10\n[20976.227043]  __mutex_lock.isra.7+0x310/0x420\n[20976.235071]  enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]\n[20976.251215]  ib_enum_roce_netdev+0xa4/0xe0 [ib_core]\n[20976.256192]  ib_cache_setup_one+0x33/0xa0 [ib_core]\n[20976.261079]  ib_register_device+0x40d/0x580 [ib_core]\n[20976.266139]  irdma_ib_register_device+0x129/0x250 [irdma]\n[20976.281409]  irdma_probe+0x2c1/0x360 [irdma]\n[20976.285691]  auxiliary_bus_probe+0x45/0x70\n[20976.289790]  really_probe+0x1f2/0x480\n[20976.298509]  driver_probe_device+0x49/0xc0\n[20976.302609]  bus_for_each_drv+0x79/0xc0\n[20976.306448]  __device_attach+0xdc/0x160\n[20976.310286]  bus_probe_device+0x9d/0xb0\n[20976.314128]  device_add+0x43c/0x890\n[20976.321287]  __auxiliary_device_add+0x43/0x60\n[20976.325644]  ice_plug_aux_dev+0xb2/0x100 [ice]\n[20976.330109]  ice_service_task+0xd0c/0xed0 [ice]\n[20976.342591]  process_one_work+0x1a7/0x360\n[20976.350536]  worker_thread+0x30/0x390\n[20976.358128]  kthread+0x10a/0x120\n[20976.365547]  ret_from_fork+0x1f/0x40\n...\n[20976.438030] task:ip              state:D stack:    0 pid:213658 ppid:213627 flags:0x00004084\n[20976.446469] Call Trace:\n[20976.448921]  __schedule+0x2d1/0x830\n[20976.452414]  schedule+0x35/0xa0\n[20976.455559]  schedule_preempt_disabled+0xa/0x10\n[20976.460090]  __mutex_lock.isra.7+0x310/0x420\n[20976.464364]  device_del+0x36/0x3c0\n[20976.467772]  ice_unplug_aux_dev+0x1a/0x40 [ice]\n[20976.472313]  ice_lag_event_handler+0x2a2/0x520 [ice]\n[20976.477288]  notifier_call_chain+0x47/0x70\n[20976.481386]  __netdev_upper_dev_link+0x18b/0x280\n[20976.489845]  bond_enslave+0xe05/0x1790 [bonding]\n[20976.494475]  do_setlink+0x336/0xf50\n[20976.502517]  __rtnl_newlink+0x529/0x8b0\n[20976.543441]  rtnl_newlink+0x43/0x60\n[20976.546934]  rtnetlink_rcv_msg+0x2b1/0x360\n[20976.559238]  netlink_rcv_skb+0x4c/0x120\n[20976.563079]  netlink_unicast+0x196/0x230\n[20976.567005]  netlink_sendmsg+0x204/0x3d0\n[20976.570930]  sock_sendmsg+0x4c/0x50\n[20976.574423]  ____sys_sendmsg+0x1eb/0x250\n[20976.586807]  ___sys_sendmsg+0x7c/0xc0\n[20976.606353]  __sys_sendmsg+0x57/0xa0\n[20976.609930]  do_syscall_64+0x5b/0x1a0\n[20976.613598]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev()\n   is called from ice_service_task() context, aux device is created\n   and associated device->lock is taken.\n2. Command 'ip link ... set master...' calls ice's notifier under\n   RTNL lock and that notifier calls ice_unplug_aux_dev(). That\n   function tries to take aux device->lock but this is already taken\n   by ice_plug_aux_dev() in step 1\n3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already\n   taken in step 2\n4. Dead-lock\n\nThe patch fixes this issue by following changes:\n- Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev()\n  call in ice_service_task()\n- The bit is checked in ice_clear_rdma_cap() and only if it is not set\n  then ice_unplug_aux_dev() is called. If it is set (in other words\n  plugging of aux device was requested and ice_plug_aux_dev() is\n  potentially running) then the function only clears the\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48842",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.16"
        },
        {
          "id": "CVE-2022-48844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix leaking sent_cmd skb\n\nsent_cmd memory is not freed before freeing hci_dev, causing it to leak\nits contents.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48844",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: smp: fill in sibling and core maps earlier\n\nAfter enabling CONFIG_SCHED_CORE (landed during 5.14 cycle),\n2-core 2-thread-per-core interAptiv (CPS-driven) started emitting\nthe following:\n\n[    0.025698] CPU1 revision is: 0001a120 (MIPS interAptiv (multi))\n[    0.048183] ------------[ cut here ]------------\n[    0.048187] WARNING: CPU: 1 PID: 0 at kernel/sched/core.c:6025 sched_core_cpu_starting+0x198/0x240\n[    0.048220] Modules linked in:\n[    0.048233] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc3+ #35 b7b319f24073fd9a3c2aa7ad15fb7993eec0b26f\n[    0.048247] Stack : 817f0000 00000004 327804c8 810eb050 00000000 00000004 00000000 c314fdd1\n[    0.048278]         830cbd64 819c0000 81800000 817f0000 83070bf4 00000001 830cbd08 00000000\n[    0.048307]         00000000 00000000 815fcbc4 00000000 00000000 00000000 00000000 00000000\n[    0.048334]         00000000 00000000 00000000 00000000 817f0000 00000000 00000000 817f6f34\n[    0.048361]         817f0000 818a3c00 817f0000 00000004 00000000 00000000 4dc33260 0018c933\n[    0.048389]         ...\n[    0.048396] Call Trace:\n[    0.048399] [<8105a7bc>] show_stack+0x3c/0x140\n[    0.048424] [<8131c2a0>] dump_stack_lvl+0x60/0x80\n[    0.048440] [<8108b5c0>] __warn+0xc0/0xf4\n[    0.048454] [<8108b658>] warn_slowpath_fmt+0x64/0x10c\n[    0.048467] [<810bd418>] sched_core_cpu_starting+0x198/0x240\n[    0.048483] [<810c6514>] sched_cpu_starting+0x14/0x80\n[    0.048497] [<8108c0f8>] cpuhp_invoke_callback_range+0x78/0x140\n[    0.048510] [<8108d914>] notify_cpu_starting+0x94/0x140\n[    0.048523] [<8106593c>] start_secondary+0xbc/0x280\n[    0.048539]\n[    0.048543] ---[ end trace 0000000000000000 ]---\n[    0.048636] Synchronize counters for CPU 1: done.\n\n...for each but CPU 0/boot.\nBasic debug printks right before the mentioned line say:\n\n[    0.048170] CPU: 1, smt_mask:\n\nSo smt_mask, which is sibling mask obviously, is empty when entering\nthe function.\nThis is critical, as sched_core_cpu_starting() calculates\ncore-scheduling parameters only once per CPU start, and it's crucial\nto have all the parameters filled in at that moment (at least it\nuses cpu_smt_mask() which in fact is `&cpu_sibling_map[cpu]` on\nMIPS).\n\nA bit of debugging led me to that set_cpu_sibling_map() performing\nthe actual map calculation, was being invoked after\nnotify_cpu_start(), and exactly the latter function starts CPU HP\ncallback round (sched_core_cpu_starting() is basically a CPU HP\ncallback).\nWhile the flow is the same on ARM64 (maps after the notifier, although\nbefore calling set_cpu_online()), x86 started calculating sibling\nmaps earlier than starting the CPU HP callbacks in Linux 4.14 (see\n[0] for the reference). Neither I nor my brief tests could find\nany potential caveats in calculating the maps right after performing\ndelay calibration, but the WARN splat is now gone.\nThe very same debug prints now yield exactly what I expected from\nthem:\n\n[    0.048433] CPU: 1, smt_mask: 0-1\n\n[0] https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=76ce7cfe35ef",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48845",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to the request queue. Previously\nblk_cleanup_queue() called rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so a memory leak is caused\nbecause queues may not have a disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFix the issue by adding rq_qos_exit() back to blk_cleanup_queue().\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into the disk allocation/release\nhandler, and patches have been in for-5.18/block.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48846",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix filter limit check\n\nIn watch_queue_set_filter(), there are a couple of places where we check\nthat the filter type value does not exceed what the type_filter bitmap\ncan hold.  One place calculates the number of bits by:\n\n   if (tf[i].type >= sizeof(wfilter->type_filter) * 8)\n\nwhich is fine, but the second does:\n\n   if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)\n\nwhich is not.  This can lead to a couple of out-of-bounds writes due to\na too-large type:\n\n (1) __set_bit() on wfilter->type_filter\n (2) Writing more elements in wfilter->filters[] than we allocated.\n\nFix this by just using the proper WATCH_TYPE__NR instead, which is the\nnumber of types we actually know about.\n\nThe bug may cause an oops looking something like:\n\n  BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740\n  Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611\n  ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x45/0x59\n   print_address_description.constprop.0+0x1f/0x150\n   ...\n   kasan_report.cold+0x7f/0x11b\n   ...\n   watch_queue_set_filter+0x659/0x740\n   ...\n   __x64_sys_ioctl+0x127/0x190\n   do_syscall_64+0x43/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n  Allocated by task 611:\n   kasan_save_stack+0x1e/0x40\n   __kasan_kmalloc+0x81/0xa0\n   watch_queue_set_filter+0x23a/0x740\n   __x64_sys_ioctl+0x127/0x190\n   do_syscall_64+0x43/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n  The buggy address belongs to the object at ffff88800d2c66a0\n   which belongs to the cache kmalloc-32 of size 32\n  The buggy address is located 28 bytes inside of\n   32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48847",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Do not unregister events twice\n\nNicolas reported that using:\n\n # trace-cmd record -e all -M 10 -p osnoise --poll\n\nResulted in the following kernel warning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1217 at kernel/tracepoint.c:404 tracepoint_probe_unregister+0x280/0x370\n [...]\n CPU: 0 PID: 1217 Comm: trace-cmd Not tainted 5.17.0-rc6-next-20220307-nico+ #19\n RIP: 0010:tracepoint_probe_unregister+0x280/0x370\n [...]\n CR2: 00007ff919b29497 CR3: 0000000109da4005 CR4: 0000000000170ef0\n Call Trace:\n  <TASK>\n  osnoise_workload_stop+0x36/0x90\n  tracing_set_tracer+0x108/0x260\n  tracing_set_trace_write+0x94/0xd0\n  ? __check_object_size.part.0+0x10a/0x150\n  ? selinux_file_permission+0x104/0x150\n  vfs_write+0xb5/0x290\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7ff919a18127\n [...]\n ---[ end trace 0000000000000000 ]---\n\nThe warning complains about an attempt to unregister an\nunregistered tracepoint.\n\nThis happens on trace-cmd because it first stops tracing, and\nthen switches the tracer to nop. Which is equivalent to:\n\n  # cd /sys/kernel/tracing/\n  # echo osnoise > current_tracer\n  # echo 0 > tracing_on\n  # echo nop > current_tracer\n\nThe osnoise tracer stops the workload when no trace instance\nis actually collecting data. This can be caused both by\ndisabling tracing or disabling the tracer itself.\n\nTo avoid unregistering events twice, use the existing\ntrace_osnoise_callback_enabled variable to check if the events\n(and the workload) are actually active before trying to\ndeactivate them.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48848",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: bypass tiling flag check in virtual display case (v2)\n\nvkms leverages common amdgpu framebuffer creation, and\nalso as it does not support FB modifier, there is no need\nto check tiling flags when initing framebuffer when virtual\ndisplay is enabled.\n\nThis can fix below calltrace:\n\namdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier\nWARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu]\n\nv2: check adev->enable_virtual_display instead as vkms can be\n\tenabled in bare metal as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48849",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet-sysfs: add check for netdevice being present to speed_show\n\nWhen bringing down the netdevice or during system shutdown, a panic can be\ntriggered while accessing the sysfs path because the device is already\nremoved.\n\n    [  755.549084] mlx5_core 0000:12:00.1: Shutdown was called\n    [  756.404455] mlx5_core 0000:12:00.0: Shutdown was called\n    ...\n    [  757.937260] BUG: unable to handle kernel NULL pointer dereference at           (null)\n    [  758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280\n\n    crash> bt\n    ...\n    PID: 12649  TASK: ffff8924108f2100  CPU: 1   COMMAND: \"amsd\"\n    ...\n     #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778\n        [exception RIP: dma_pool_alloc+0x1ab]\n        RIP: ffffffff8ee11acb  RSP: ffff89240e1a3968  RFLAGS: 00010046\n        RAX: 0000000000000246  RBX: ffff89243d874100  RCX: 0000000000001000\n        RDX: 0000000000000000  RSI: 0000000000000246  RDI: ffff89243d874090\n        RBP: ffff89240e1a39c0   R8: 000000000001f080   R9: ffff8905ffc03c00\n        R10: ffffffffc04680d4  R11: ffffffff8edde9fd  R12: 00000000000080d0\n        R13: ffff89243d874090  R14: ffff89243d874080  R15: 0000000000000000\n        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n    #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]\n    #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]\n    #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]\n    #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]\n    #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]\n    #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]\n    #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]\n    #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46\n    #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208\n    #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3\n    #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf\n    #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596\n    #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10\n    #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5\n    #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff\n    #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f\n    #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92\n\n    crash> net_device.state ffff89443b0c0000\n      state = 0x5  (__LINK_STATE_START| __LINK_STATE_NOCARRIER)\n\nTo prevent this scenario, we also make sure that the netdevice is present.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48850",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gdm724x: fix use after free in gdm_lte_rx()\n\nThe netif_rx_ni() function frees the skb so we can't dereference it to\nsave the skb->len.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48851",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: hdmi: Unregister codec device on unbind\n\nOn bind we will register the HDMI codec device but we don't unregister\nit on unbind, leading to a device leakage. Unregister our device at\nunbind.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48852",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: fix info leak with DMA_FROM_DEVICE\n\nThe problem I'm addressing was discovered by the LTP test covering\ncve-2018-1000204.\n\nA short description of what happens follows:\n1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO\n   interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV\n   and a corresponding dxferp. The peculiar thing about this is that TUR\n   is not reading from the device.\n2) In sg_start_req() the invocation of blk_rq_map_user() effectively\n   bounces the user-space buffer. As if the device was to transfer into\n   it. Since commit a45b599ad808 (\"scsi: sg: allocate with __GFP_ZERO in\n   sg_build_indirect()\") we make sure this first bounce buffer is\n   allocated with GFP_ZERO.\n3) For the rest of the story we keep ignoring that we have a TUR, so the\n   device won't touch the buffer we prepare as if we had a\n   DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device\n   and the buffer allocated by SG is mapped by the function\n   virtqueue_add_split() which uses DMA_FROM_DEVICE for the \"in\" sgs (here\n   scatter-gather and not scsi generics). This mapping involves bouncing\n   via the swiotlb (we need swiotlb to do virtio in protected guest like\n   s390 Secure Execution, or AMD SEV).\n4) When the SCSI TUR is done, we first copy back the content of the second\n   (that is swiotlb) bounce buffer (which most likely contains some\n   previous IO data), to the first bounce buffer, which contains all\n   zeros. Then we copy back the content of the first bounce buffer to\n   the user-space buffer.\n5) The test case detects that the buffer, which it zero-initialized,\n   ain't all zeros and fails.\n\nOne can argue that this is a swiotlb problem, because without swiotlb\nwe leak all zeros, and the swiotlb should be transparent in a sense that\nit does not affect the outcome (if all other participants are well\nbehaved).\n\nCopying the content of the original buffer into the swiotlb buffer is\nthe only way I can think of to make swiotlb transparent in such\nscenarios. So let's do just that if in doubt, but allow the driver\nto tell us that the whole mapped buffer is going to be overwritten,\nin which case we can preserve the old behavior and avoid the performance\nimpact of the extra bounce.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48853",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-48854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arc_emac: Fix use after free in arc_mdio_probe()\n\nIf bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free\nthe \"bus\". But bus->name is still used in the next line, which will lead\nto a use after free.\n\nWe can fix it by putting the name in a local variable and making the\nbus->name point to the rodata section \"name\", then use the name in the\nerror message without referring to bus to avoid the UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48854",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix kernel-infoleak for SCTP sockets\n\nsyzbot reported a kernel infoleak [1] of 4 bytes.\n\nAfter analysis, it turned out r->idiag_expires is not initialized\nif inet_sctp_diag_fill() calls inet_diag_msg_common_fill()\n\nMake sure to clear idiag_timer/idiag_retrans/idiag_expires\nand let inet_diag_msg_sctpasoc_fill() fill them again if needed.\n\n[1]\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:154 [inline]\n _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n copy_to_iter include/linux/uio.h:162 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]\n netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n __sys_recvfrom+0x795/0xa10 net/socket.c:2097\n __do_sys_recvfrom net/socket.c:2115 [inline]\n __se_sys_recvfrom net/socket.c:2111 [inline]\n __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3247 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1158 [inline]\n netlink_dump+0x3e5/0x16c0 
net/netlink/af_netlink.c:2248\n __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]\n netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343\n netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1061\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x645/0xe00 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBytes 68-71 of 2508 are uninitialized\nMemory access of size 2508 starts at ffff888114f9b000\nData copied to user address 00007f7fe09ff2e0\n\nCPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48855",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngianfar: ethtool: Fix refcount leak in gfar_get_ts_info\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented. We should use of_node_put() on it when done.\nAdd the missing of_node_put() to release the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48856",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: port100: fix use-after-free in port100_send_complete\n\nSyzbot reported UAF in port100_send_complete(). The root cause is in\nmissing usb_kill_urb() calls on error handling path of ->probe function.\n\nport100_send_complete() accesses devm allocated memory which will be\nfreed on probe failure. We should kill these urbs before returning an\nerror from probe function to prevent reported use-after-free\n\nFail log:\n\nBUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935\nRead of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26\n...\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935\n __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670\n\n...\n\nAllocated by task 1255:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:436 [inline]\n ____kasan_kmalloc mm/kasan/common.c:515 [inline]\n ____kasan_kmalloc mm/kasan/common.c:474 [inline]\n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524\n alloc_dr drivers/base/devres.c:116 [inline]\n devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823\n devm_kzalloc include/linux/device.h:209 [inline]\n port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502\n\nFreed by task 1255:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track+0x21/0x30 mm/kasan/common.c:45\n kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\n ____kasan_slab_free mm/kasan/common.c:366 [inline]\n ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328\n kasan_slab_free include/linux/kasan.h:236 [inline]\n __cache_free mm/slab.c:3437 [inline]\n kfree+0xf8/0x2b0 mm/slab.c:3794\n release_nodes+0x112/0x1a0 drivers/base/devres.c:501\n devres_release_all+0x114/0x190 drivers/base/devres.c:530\n really_probe+0x626/0xcc0 drivers/base/dd.c:670",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48857",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix a race on command flush flow\n\nFix a refcount use after free warning due to a race on command entry.\nSuch race occurs when one of the commands releases its last refcount and\nfrees its index and entry while another process running command flush\nflow takes refcount to this command entry. The process which handles\ncommands flush may see this command as needed to be flushed if the other\nprocess released its refcount but didn't release the index yet. Fix it\nby adding the needed spin lock.\n\nIt fixes the following warning trace:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0\n...\nRIP: 0010:refcount_warn_saturate+0x80/0xe0\n...\nCall Trace:\n <TASK>\n mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core]\n mlx5_cmd_flush+0x3a/0xf0 [mlx5_core]\n enter_error_state+0x44/0x80 [mlx5_core]\n mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core]\n process_one_work+0x1be/0x390\n worker_thread+0x4d/0x3d0\n ? rescuer_thread+0x350/0x350\n kthread+0x141/0x160\n ? set_kthread_struct+0x40/0x40\n ret_from_fork+0x1f/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48858",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr\n\nThis node pointer is returned by of_find_compatible_node() with\nrefcount incremented. Calling of_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48859",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet: Fix error handling in xemaclite_of_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function. Calling of_node_put() to avoid the\nrefcount leak, as the remove function does.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48860",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: fix use-after-free on vp_vdpa_remove\n\nWhen the vp_vdpa driver is unbound, vp_vdpa is freed in vdpa_unregister_device\nand then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,\ntriggering a use-after-free.\n\nCall Trace of unbinding the driver, freeing vp_vdpa:\ndo_syscall_64\n  vfs_write\n    kernfs_fop_write_iter\n      device_release_driver_internal\n        pci_device_remove\n          vp_vdpa_remove\n            vdpa_unregister_device\n              kobject_release\n                device_release\n                  kfree\n\nCall Trace of dereferencing vp_vdpa->mdev.pci_dev:\nvp_modern_remove\n  pci_release_selected_regions\n    pci_release_region\n      pci_resource_len\n        pci_resource_end\n          (dev)->resource[(bar)].end",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48861",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: fix hung thread due to erroneous iotlb entries\n\nIn vhost_iotlb_add_range_ctx(), range size can overflow to 0 when\nstart is 0 and last is ULONG_MAX. One instance where it can happen\nis when userspace sends an IOTLB message with iova=size=uaddr=0\n(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,\nlast = ULONG_MAX ends up in the iotlb. Next time a packet is sent,\niotlb_access_ok() loops indefinitely due to that erroneous entry.\n\n\tCall Trace:\n\t <TASK>\n\t iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340\n\t vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366\n\t vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104\n\t vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372\n\t kthread+0x2e9/0x3a0 kernel/kthread.c:377\n\t ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n\t </TASK>\n\nReported by syzbot at:\n\thttps://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87\n\nTo fix this, do two things:\n\n1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map\n   a range with size 0.\n2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]\n   by splitting it into two entries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48862",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix memory leak in dsp_pipeline_build()\n\ndsp_pipeline_build() allocates dup pointer by kstrdup(cfg),\nbut then it updates dup variable by strsep(&dup, \"|\").\nAs a result when it calls kfree(dup), the dup variable contains NULL.\n\nFound by Linux Driver Verification project (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48863",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command\n\nWhen control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command\nrequest from the driver, presently there is no validation against the\nnumber of queue pairs to configure, and whether multiqueue had been\nnegotiated or not is unverified. This may lead to a kernel panic due to\nuninitialized resources for the queues were any bogus request\nsent down by an untrusted driver. Tie up the loose ends there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48864",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel panic when enabling bearer\n\nWhen enabling a bearer on a node, a kernel panic is observed:\n\n[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[    4.520030] Call Trace:\n[    4.520689]  <IRQ>\n[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]\n[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]\n[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0\n[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260\n[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0\n[    4.531450]  ? dev_gro_receive+0x4c2/0x680\n[    4.532512]  napi_complete_done+0x6f/0x180\n[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]\n...\n\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\n\n         thread 1           |              thread 2\n         --------           |              --------\n                            |\ntipc_enable_bearer()        |\n  test_and_set_bit_lock()   |\n    tipc_bearer_xmit_skb()  |\n                            | tipc_l2_rcv_msg()\n                            |   tipc_rcv()\n                            |     __tipc_node_link_up()\n                            |       tipc_link_build_state_msg()\n                            |         tipc_link_build_proto_msg()\n                            |           tipc_mon_prep()\n                            |           {\n                            |             ...\n                            |             // null-pointer dereference\n                            |             u16 gen = mon->dom_gen;\n                            |             ...\n                            |           }\n  // Not being executed yet |\n 
 tipc_mon_create()         |\n  {                         |\n    ...                     |\n    // allocate             |\n    mon = kzalloc();        |\n    ...                     |\n  }                         |\n\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\n\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48865",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts\n\nSyzbot reported a slab-out-of-bounds read bug in thrustmaster_probe().\nThe root cause is a missing validation check of the actual number of endpoints.\n\nCode should not blindly access the usb_host_interface::endpoint array, since\nit may contain fewer endpoints than the code expects.\n\nFix it by adding the missing validation check and printing an error if\nthe number of endpoints does not match the expected number.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48866",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Prevent use after free on completion memory\n\nOn driver unload any pending descriptors are flushed at the\ntime the interrupt is freed:\nidxd_dmaengine_drv_remove() ->\n\tdrv_disable_wq() ->\n\t\tidxd_wq_free_irq() ->\n\t\t\tidxd_flush_pending_descs().\n\nIf there are any descriptors present that need to be flushed this\nflow triggers a \"not present\" page fault as below:\n\n BUG: unable to handle page fault for address: ff391c97c70c9040\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n\nThe address that triggers the fault is the address of the\ndescriptor that was freed moments earlier via:\ndrv_disable_wq()->idxd_wq_free_resources()\n\nFix the use after free by freeing the descriptors after any possible\nusage. This is done after idxd_wq_reset() to ensure that the memory\nremains accessible during possible completion writes by the device.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\n\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\n\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\n\nSome examples of problematic flows:\n(a)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. 
The\n driver is thus loaded successfully.\n\n idxd_dmaengine_drv_remove()->drv_disable_wq()->idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\n\n(b)\n\n idxd_dmaengine_drv_probe() -> drv_enable_wq() -> idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\n\n idxd_dmaengine_drv_remove()->__idxd_wq_quiesce()->percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadgetfs: Fix race between mounting and unmounting\n\nThe syzbot fuzzer and Gerald Lee have identified a use-after-free bug\nin the gadgetfs driver, involving processes concurrently mounting and\nunmounting the gadgetfs filesystem.  In particular, gadgetfs_fill_super()\ncan race with gadgetfs_kill_sb(), causing the latter to deallocate\nthe_device while the former is using it.  The output from KASAN says,\nin part:\n\nBUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]\nBUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\nBUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]\nBUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]\nBUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]\nBUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\nBUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\nWrite of size 4 at addr ffff8880276d7840 by task syz-executor126/18689\n\nCPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n...\n atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]\n __refcount_sub_and_test include/linux/refcount.h:272 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]\n gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n vfs_get_super fs/super.c:1190 [inline]\n get_tree_single+0xd0/0x160 fs/super.c:1207\n 
vfs_get_tree+0x88/0x270 fs/super.c:1531\n vfs_fsconfig_locked fs/fsopen.c:232 [inline]\n\nThe simplest solution is to ensure that gadgetfs_fill_super() and\ngadgetfs_kill_sb() are serialized by making them both acquire a new\nmutex.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n <TASK>\n  spk_ttyio_release+0x19/0x70 [speakup]\n  synth_release.part.6+0xac/0xc0 [speakup]\n  synth_remove+0x56/0x60 [speakup]\n  __x64_sys_delete_module+0x156/0x250\n  ? fpregs_assert_state_consistent+0x1d/0x50\n  do_syscall_64+0x37/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth->dev was not initialized during modprobe, so we add check\nfor in_synth->dev to fix this bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16.  Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds.  This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n  Bluetooth: hci0: QCA Product ID   :0x00000010\n  Bluetooth: hci0: QCA SOC Version  :0x400a0200\n  Bluetooth: hci0: QCA ROM Version  :0x00000200\n  Bluetooth: hci0: QCA Patch Version:0x00000d2b\n  Bluetooth: hci0: QCA controller version 0x02000200\n  Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n  bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n  Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n  Bluetooth: hci0: QCA Failed to download patch (-2)\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n  Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n  Call trace:\n   dump_backtrace.part.0+0xe0/0xf0\n   show_stack+0x18/0x40\n   dump_stack_lvl+0x8c/0xb8\n   print_report+0x188/0x488\n   kasan_report+0xb4/0x100\n   __asan_store4+0x80/0xa4\n   handle_rx_uart+0xa8/0x18c\n   qcom_geni_serial_handle_rx+0x84/0x9c\n   qcom_geni_serial_isr+0x24c/0x760\n   __handle_irq_event_percpu+0x108/0x500\n   handle_irq_event+0x6c/0x110\n   handle_fasteoi_irq+0x138/0x2cc\n   generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap->fl->lock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it's non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don't remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free and race in fastrpc_map_find\n\nCurrently, there is a race window between the point when the mutex is\nunlocked in fastrpc_map_lookup and the reference count increasing\n(fastrpc_map_get) in fastrpc_map_find, which can also lead to\nuse-after-free.\n\nSo lets merge fastrpc_map_find into fastrpc_map_lookup which allows us\nto both protect the maps list by also taking the &fl->lock spinlock and\nthe reference count, since the spinlock will be released only after.\nAdd take_ref argument to make this suitable for all callers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: sdata can be NULL during AMPDU start\n\nieee80211_tx_ba_session_handle_start() may get NULL for sdata when a\ndeauthentication is ongoing.\n\nHere a trace triggering the race with the hostapd test\nmulti_ap_fronthaul_on_ap:\n\n(gdb) list *drv_ampdu_action+0x46\n0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).\n391             int ret = -EOPNOTSUPP;\n392\n393             might_sleep();\n394\n395             sdata = get_bss_sdata(sdata);\n396             if (!check_sdata_in_driver(sdata))\n397                     return -EIO;\n398\n399             trace_drv_ampdu_action(local, sdata, params);\n400\n\nwlan0: moving STA 02:00:00:00:03:00 to state 3\nwlan0: associated\nwlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)\nwlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0\nwlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)\nwlan0: moving STA 02:00:00:00:03:00 to state 2\nwlan0: moving STA 02:00:00:00:03:00 to state 1\nwlan0: Removed STA 02:00:00:00:03:00\nwlan0: Destroyed STA 02:00:00:00:03:00\nBUG: unable to handle page fault for address: fffffffffffffb48\nPGD 11814067 P4D 11814067 PUD 11816067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G        W          6.1.0-rc8-wt+ #59\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\nWorkqueue: phy3 ieee80211_ba_session_work [mac80211]\nRIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]\nCode: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85\nRSP: 0018:ffffc900025ebd20 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240\nRDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40\nRBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0\nR13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8\nFS:  0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0\nCall Trace:\n <TASK>\n ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]\n ieee80211_ba_session_work+0xff/0x2e0 [mac80211]\n process_one_work+0x29f/0x620\n worker_thread+0x4d/0x3d0\n ? process_one_work+0x620/0x620\n kthread+0xfb/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix initialization of rx->link and rx->link_sta\n\nThere are some codepaths that do not initialize rx->link_sta properly. This\ncauses a crash in places which assume that rx->link_sta is valid if rx->sta\nis valid.\nOne known instance is triggered by __ieee80211_rx_h_amsdu being called from\nfast-rx. It results in a crash like this one:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000a8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G            E      6.1.0-debian64x+1.7 #3\n Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014\n RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]\n Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48\n       83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0\n       11 00 00 8d 50 fd 83 fa 01\n RSP: 0018:ffff999040803b10 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900\n R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000\n FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]\n  ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n  ? __local_bh_enable_ip+0x3b/0xa0\n  ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]\n  ? prepare_transfer+0x109/0x1a0 [xhci_hcd]\n  ieee80211_rx_list+0xa80/0xda0 [mac80211]\n  mt76_rx_complete+0x207/0x2e0 [mt76]\n  mt76_rx_poll_complete+0x357/0x5a0 [mt76]\n  mt76u_rx_worker+0x4f5/0x600 [mt76_usb]\n  ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]\n  __mt76_worker_fn+0x50/0x80 [mt76]\n  kthread+0xed/0x120\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n\nSince the initialization of rx->link and rx->link_sta is rather convoluted\nand duplicated in many places, clean it up by using a helper function to\nset it.\n\n[remove unnecessary rx->sta->sta.mlo check]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: let's avoid panic if extent_tree is not created\n\nThis patch avoids the below panic.\n\npc : __lookup_extent_tree+0xd8/0x760\nlr : f2fs_do_write_data_page+0x104/0x87c\nsp : ffffffc010cbb3c0\nx29: ffffffc010cbb3e0 x28: 0000000000000000\nx27: ffffff8803e7f020 x26: ffffff8803e7ed40\nx25: ffffff8803e7f020 x24: ffffffc010cbb460\nx23: ffffffc010cbb480 x22: 0000000000000000\nx21: 0000000000000000 x20: ffffffff22e90900\nx19: 0000000000000000 x18: ffffffc010c5d080\nx17: 0000000000000000 x16: 0000000000000020\nx15: ffffffdb1acdbb88 x14: ffffff888759e2b0\nx13: 0000000000000000 x12: ffffff802da49000\nx11: 000000000a001200 x10: ffffff8803e7ed40\nx9 : ffffff8023195800 x8 : ffffff802da49078\nx7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0000000000000006 x4 : ffffffc010cbba28\nx3 : 0000000000000000 x2 : ffffffc010cbb480\nx1 : 0000000000000000 x0 : ffffff8803e7ed40\nCall trace:\n __lookup_extent_tree+0xd8/0x760\n f2fs_do_write_data_page+0x104/0x87c\n f2fs_write_single_data_page+0x420/0xb60\n f2fs_write_cache_pages+0x418/0xb1c\n __f2fs_write_data_pages+0x428/0x58c\n f2fs_write_data_pages+0x30/0x40\n do_writepages+0x88/0x190\n __writeback_single_inode+0x48/0x448\n writeback_sb_inodes+0x468/0x9e8\n __writeback_inodes_wb+0xb8/0x2a4\n wb_writeback+0x33c/0x740\n wb_do_writeback+0x2b4/0x400\n wb_workfn+0xe4/0x34c\n process_one_work+0x24c/0x5bc\n worker_thread+0x3e8/0xa50\n kthread+0x150/0x1b4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Fix driver shutdown on closed serdev\n\nThe driver shutdown callback (which sends EDL_SOC_RESET to the device\nover serdev) should not be invoked when HCI device is not open (e.g. if\nhci_dev_open_sync() failed), because the serdev and its TTY are not open\neither.  Also skip this step if device is powered off\n(qca_power_shutdown()).\n\nThe shutdown callback causes use-after-free during system reboot with\nQualcomm Atheros Bluetooth:\n\n  Unable to handle kernel paging request at virtual address\n  0072662f67726fd7\n  ...\n  CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G        W\n  6.1.0-rt5-00325-g8a5f56bcfcca #8\n  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n  Call trace:\n   tty_driver_flush_buffer+0x4/0x30\n   serdev_device_write_flush+0x24/0x34\n   qca_serdev_shutdown+0x80/0x130 [hci_uart]\n   device_shutdown+0x15c/0x260\n   kernel_restart+0x48/0xac\n\nKASAN report:\n\n  BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50\n  Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1\n\n  CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted\n  6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28\n  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n  Call trace:\n   dump_backtrace.part.0+0xdc/0xf0\n   show_stack+0x18/0x30\n   dump_stack_lvl+0x68/0x84\n   print_report+0x188/0x488\n   kasan_report+0xa4/0xf0\n   __asan_load8+0x80/0xac\n   tty_driver_flush_buffer+0x1c/0x50\n   ttyport_write_flush+0x34/0x44\n   serdev_device_write_flush+0x48/0x60\n   qca_serdev_shutdown+0x124/0x274\n   device_shutdown+0x1e8/0x350\n   kernel_restart+0x48/0xb0\n   __do_sys_reboot+0x244/0x2d0\n   __arm64_sys_reboot+0x54/0x70\n   invoke_syscall+0x60/0x190\n   el0_svc_common.constprop.0+0x7c/0x160\n   do_el0_svc+0x44/0xf0\n   el0_svc+0x2c/0x6c\n   el0t_64_sync_handler+0xbc/0x140\n   el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/surface: aggregator: Add missing call to ssam_request_sync_free()\n\nAlthough rare, ssam_request_sync_init() can fail. In that case, the\nrequest should be freed via ssam_request_sync_free(). Currently it is\nleaked instead. Fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: Fix refcount leak in amd_pmc_probe\n\npci_get_domain_bus_and_slot() takes reference, the caller should release\nthe reference by calling pci_dev_put() after use. Call pci_dev_put() in\nthe error path to fix this.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)\n\nUpon updating MAC security entity (SecY) in hw offload path, the macsec\nsecurity association (SA) initialization routine is called. In case of\nextended packet number (epn) is enabled the salt and ssci attributes are\nretrieved using the MACsec driver rx_sa context which is unavailable when\nupdating a SecY property such as encoding-sa hence the null dereference.\nFix by using the provided SA to set those attributes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent\n\nA user is able to configure an arbitrary number of rx queues when\ncreating an interface via netlink. This doesn't work for child PKEY\ninterfaces because the child interface uses the parent receive channels.\n\nAlthough the child shares the parent's receive channels, the number of\nrx queues is important for the channel_stats array: the parent's rx\nchannel index is used to access the child's channel_stats. So the array\nhas to be at least as large as the parent's rx queue size for the\ncounting to work correctly and to prevent out of bound accesses.\n\nThis patch checks for the mentioned scenario and returns an error when\ntrying to create the interface. The error is propagated to the user.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix command stats access after free\n\nCommand may fail while driver is reloading and can't accept FW commands\ntill command interface is reinitialized. Such command failure is being\nlogged to command stats. This results in NULL pointer access as command\nstats structure is being freed and reallocated during mlx5 devlink\nreload (see kernel log below).\n\nFix it by making command stats statically allocated on driver probe.\n\nKernel log:\n[ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0\n[ 2394.810610] PGD 0 P4D 0\n[ 2394.811811] Oops: 0002 [#1] SMP NOPTI\n...\n[ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0\n...\n[ 2394.829505] Call Trace:\n[ 2394.830667]  _raw_spin_lock_irq+0x23/0x26\n[ 2394.831858]  cmd_status_err+0x55/0x110 [mlx5_core]\n[ 2394.833020]  mlx5_access_reg+0xe7/0x150 [mlx5_core]\n[ 2394.834175]  mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]\n[ 2394.835337]  mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]\n[ 2394.836454]  ? kmem_cache_alloc_trace+0x140/0x1c0\n[ 2394.837562]  __rh_call_get_link_ksettings+0x33/0x100\n[ 2394.838663]  ? __rtnl_unlock+0x25/0x50\n[ 2394.839755]  __ethtool_get_link_ksettings+0x72/0x150\n[ 2394.840862]  duplex_show+0x6e/0xc0\n[ 2394.841963]  dev_attr_show+0x1c/0x40\n[ 2394.843048]  sysfs_kf_seq_show+0x9b/0x100\n[ 2394.844123]  seq_read+0x153/0x410\n[ 2394.845187]  vfs_read+0x91/0x140\n[ 2394.846226]  ksys_read+0x4f/0xb0\n[ 2394.847234]  do_syscall_64+0x5b/0x1a0\n[ 2394.848228]  entry_SYSCALL_64_after_hwframe+0x65/0xca",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix potential memory leak in ice_gnss_tty_write()\n\nThe ice_gnss_tty_write() return directly if the write_buf alloc failed,\nleaking the cmd_buf.\n\nFix by free cmd_buf if write_buf alloc failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add check for kzalloc\n\nAdd the check for the return value of kzalloc in order to avoid\nNULL pointer dereference.\nMoreover, use the goto-label to share the clean code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Remove rcu locks from user resources\n\nUser resource lookups used rcu to avoid two extra atomics. Unfortunately\nthe rcu paths were buggy and it was easy to make the driver crash by\nsubmitting command buffers from two different threads. Because the\nlookups never show up in performance profiles replace them with a\nregular spin lock which fixes the races in accesses to those shared\nresources.\n\nFixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and\nseen crashes with apps using shared resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Fix memory leak in msm_mdss_parse_data_bus_icc_path\n\nof_icc_get() alloc resources for path1, we should release it when not\nneed anymore. Early return when IS_ERR_OR_NULL(path0) may leak path1.\nDefer getting path1 to fix this.\n\nPatchwork: https://patchwork.freedesktop.org/patch/514264/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof-nau8825: fix module alias overflow\n\nThe maximum name length for a platform_device_id entry is 20 characters\nincluding the trailing NUL byte. The sof_nau8825.c file exceeds that,\nwhich causes an obscure error message:\n\nsound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding]\nMODULE_ALIAS(\"platform:adl_max98373_nau8825<U+0018><AA>\");\n                                                   ^~~~\ninclude/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS'\n                                                ^~~~~~\ninclude/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO'\n                                                       ^~~~\ninclude/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO'\n                = __MODULE_INFO_PREFIX __stringify(tag) \"=\" info\n\nI could not figure out how to make the module handling robust enough\nto handle this better, but as a quick fix, using slightly shorter\nnames that are still unique avoids the build issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM\n\nstorvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),\nwhich in a confidential VM allocates swiotlb bounce buffers. If the I/O\nsubmission fails in storvsc_do_io(), the I/O is typically retried by higher\nlevel code, but the bounce buffer memory is never freed.  The mostly like\ncause of I/O submission failure is a full VMBus channel ring buffer, which\nis not uncommon under high I/O loads.  Eventually enough bounce buffer\nmemory leaks that the confidential VM can't do any I/O. The same problem\ncan arise in a non-confidential VM with kernel boot parameter\nswiotlb=force.\n\nFix this by doing scsi_dma_unmap() in the case of an I/O submission\nerror, which frees the bounce buffer memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9211: Use irq handler when ready\n\nIf the system does not come from reset (like when it is kexec()), the\nregulator might have an IRQ waiting for us.\n\nIf we enable the IRQ handler before its structures are ready, we crash.\n\nThis patch fixes:\n\n[    1.141839] Unable to handle kernel read from unreadable memory at virtual address 0000000000000078\n[    1.316096] Call trace:\n[    1.316101]  blocking_notifier_call_chain+0x20/0xa8\n[    1.322757] cpu cpu0: dummy supplies not allowed for exclusive requests\n[    1.327823]  regulator_notifier_call_chain+0x1c/0x2c\n[    1.327825]  da9211_irq_handler+0x68/0xf8\n[    1.327829]  irq_thread+0x11c/0x234\n[    1.327833]  kthread+0x13c/0x154",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Fix use-after-free bug in dup_user_cpus_ptr()\n\nSince commit 07ec77a1d4e8 (\"sched: Allow task CPU affinity to be\nrestricted on asymmetric systems\"), the setting and clearing of\nuser_cpus_ptr are done under pi_lock for arm64 architecture. However,\ndup_user_cpus_ptr() accesses user_cpus_ptr without any lock\nprotection. Since sched_setaffinity() can be invoked from another\nprocess, the process being modified may be undergoing fork() at\nthe same time.  When racing with the clearing of user_cpus_ptr in\n__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and\npossibly double-free in arm64 kernel.\n\nCommit 8f9ea86fdf99 (\"sched: Always preserve the user requested\ncpumask\") fixes this problem as user_cpus_ptr, once set, will never\nbe cleared in a task's lifetime. However, this bug was re-introduced\nin commit 851a723e45d1 (\"sched: Always clear user_cpus_ptr in\ndo_set_cpus_allowed()\") which allows the clearing of user_cpus_ptr in\ndo_set_cpus_allowed(). This time, it will affect all arches.\n\nFix this bug by always clearing the user_cpus_ptr of the newly\ncloned/forked task before the copying process starts and check the\nuser_cpus_ptr state of the source task under pi_lock.\n\nNote to stable, this patch won't be applicable to stable releases.\nJust copy the new dup_user_cpus_ptr() function over.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have 'engine->release == NULL' and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now.  It's not really\n   worth it with just a single callsite at the moment.  (Janusz)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Don't unregister on shutdown\n\nSimilar to SMMUv2, this driver calls iommu_device_unregister() from the\nshutdown path, which removes the IOMMU groups with no coordination\nwhatsoever with their users - shutdown methods are optional in device\ndrivers. This can lead to NULL pointer dereferences in those drivers'\nDMA API calls, or worse.\n\nInstead of calling the full arm_smmu_device_remove() from\narm_smmu_device_shutdown(), let's pick only the relevant function call -\narm_smmu_device_disable() - more or less the reverse of\narm_smmu_device_reset() - and call just that from the shutdown path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu:         GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu:         GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix pci device refcount leak\n\nAs the comment of pci_get_domain_bus_and_slot() says, it\nreturns a PCI device with refcount incremented; when finished\nusing it, the caller must decrement the reference count by\ncalling pci_dev_put().\n\nIn ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(),\npci_dev_put() is called to avoid a leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/mm: fix incorrect file_map_count for invalid pmd\n\nThe page table check triggers BUG_ON() unexpectedly when splitting a hugepage:\n\n ------------[ cut here ]------------\n kernel BUG at mm/page_table_check.c:119!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n Modules linked in:\n CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748\n Hardware name: linux,dummy-virt (DT)\n pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : page_table_check_set.isra.0+0x398/0x468\n lr : page_table_check_set.isra.0+0x1c0/0x468\n[...]\n Call trace:\n  page_table_check_set.isra.0+0x398/0x468\n  __page_table_check_pte_set+0x160/0x1c0\n  __split_huge_pmd_locked+0x900/0x1648\n  __split_huge_pmd+0x28c/0x3b8\n  unmap_page_range+0x428/0x858\n  unmap_single_vma+0xf4/0x1c8\n  zap_page_range+0x2b0/0x410\n  madvise_vma_behavior+0xc44/0xe78\n  do_madvise+0x280/0x698\n  __arm64_sys_madvise+0x90/0xe8\n  invoke_syscall.constprop.0+0xdc/0x1d8\n  do_el0_svc+0xf4/0x3f8\n  el0_svc+0x58/0x120\n  el0t_64_sync_handler+0xb8/0xc0\n  el0t_64_sync+0x19c/0x1a0\n[...]\n\nOn arm64, pmd_leaf() will return true even if the pmd is invalid due to\npmd_present_invalid() check. So in pmdp_invalidate() the file_map_count\nwill not only decrease once but also increase once. Then in set_pte_at(),\nthe file_map_count increases again, and so triggers BUG_ON() unexpectedly.\n\nAdd !pmd_present_invalid() check in pmd_user_accessible_page() to fix the\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources handled by the DP controller:\nHPD status, controller state changes and aux read/write transactions.\nAt every irq, the DP controller has to check the isr status of every interrupt\nsource and service the interrupt if its isr status bits show interrupts\nare pending. There is a potential race condition that may happen in the current aux\nisr handler implementation since it always completes dp_aux_cmd_fifo_tx()\neven if the irq is not for an aux read or write transaction. This may cause an aux read\ntransaction to return prematurely if the host aux data read is in the middle of\nwaiting for the sink to complete transferring data to the host while the irq happens.\nThis will cause the host's receiving buffer to contain unexpected data. This\npatch fixes this problem by checking the aux isr and returning immediately from the\naux isr handler if there are no isr status bits set.\n\nCurrently there is a bug report regarding eDP edid corruption happening during\nsystem boot-up. After lengthy debugging it was found that the VIDEO_READY\ninterrupt was continuously firing during system boot-up, which caused\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom the aux hardware buffer which did not yet contain the complete data transfer\nfrom the sink. This causes edid corruption.\n\nFollowing are the signatures in the kernel logs when the problem happens:\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix GEM handle creation UAF\n\nUserspace can guess the handle value and try to race GEM object creation\nwith handle close, resulting in a use-after-free if we dereference the\nobject after dropping the handle's reference.  For that reason, dropping\nthe handle's reference must be done *after* we are done dereferencing\nthe object.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not start relocation until in progress drops are done\n\nWe hit a bug with a recovering relocation on mount for one of our file\nsystems in production.  I reproduced this locally by injecting errors\ninto snapshot delete with balance running at the same time.  This\npresented as an error while looking up an extent item\n\n  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680\n  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8\n  RIP: 0010:lookup_inline_extent_backref+0x647/0x680\n  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202\n  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000\n  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001\n  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000\n  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000\n  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0\n  Call Trace:\n   <TASK>\n   insert_inline_extent_backref+0x46/0xd0\n   __btrfs_inc_extent_ref.isra.0+0x5f/0x200\n   ? btrfs_merge_delayed_refs+0x164/0x190\n   __btrfs_run_delayed_refs+0x561/0xfa0\n   ? btrfs_search_slot+0x7b4/0xb30\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_run_delayed_refs+0x73/0x1f0\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_commit_transaction+0x50/0xa50\n   ? btrfs_update_reloc_root+0x122/0x220\n   prepare_to_merge+0x29f/0x320\n   relocate_block_group+0x2b8/0x550\n   btrfs_relocate_block_group+0x1a6/0x350\n   btrfs_relocate_chunk+0x27/0xe0\n   btrfs_balance+0x777/0xe60\n   balance_kthread+0x35/0x50\n   ? btrfs_balance+0xe60/0xe60\n   kthread+0x16b/0x190\n   ? set_kthread_struct+0x40/0x40\n   ret_from_fork+0x22/0x30\n   </TASK>\n\nNormally snapshot deletion and relocation are excluded from running at\nthe same time by the fs_info->cleaner_mutex.  However if we had a\npending balance waiting to get the ->cleaner_mutex, and a snapshot\ndeletion was running, and then the box crashed, we would come up in a\nstate where we have a half deleted snapshot.\n\nAgain, in the normal case the snapshot deletion needs to complete before\nrelocation can start, but in this case relocation could very well start\nbefore the snapshot deletion completes, as we simply add the root to the\ndead roots list and wait for the next time the cleaner runs to clean up\nthe snapshot.\n\nFix this by setting a bit on the fs_info if we have any DEAD_ROOT's that\nhad a pending drop_progress key.  If they do then we know we were in the\nmiddle of the drop operation and set a flag on the fs_info.  Then\nbalance can wait until this flag is cleared to start up again.\n\nIf there are DEAD_ROOT's that don't have a drop_progress set then we're\nsafe to start balance right away as we'll be properly protected by the\ncleaner_mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48901",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not WARN_ON() if we have PageError set\n\nWhenever we do any extent buffer operations we call\nassert_eb_page_uptodate() to complain loudly if we're operating on an\nnon-uptodate page.  Our overnight tests caught this warning earlier this\nweek\n\n  WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50\n  CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G        W         5.17.0-rc3+ #564\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n  Workqueue: btrfs-cache btrfs_work_helper\n  RIP: 0010:assert_eb_page_uptodate+0x3f/0x50\n  RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246\n  RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000\n  RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0\n  RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000\n  R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1\n  R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000\n  FS:  0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0\n  Call Trace:\n\n   extent_buffer_test_bit+0x3f/0x70\n   free_space_test_bit+0xa6/0xc0\n   load_free_space_tree+0x1f6/0x470\n   caching_thread+0x454/0x630\n   ? rcu_read_lock_sched_held+0x12/0x60\n   ? rcu_read_lock_sched_held+0x12/0x60\n   ? rcu_read_lock_sched_held+0x12/0x60\n   ? lock_release+0x1f0/0x2d0\n   btrfs_work_helper+0xf2/0x3e0\n   ? lock_release+0x1f0/0x2d0\n   ? finish_task_switch.isra.0+0xf9/0x3a0\n   process_one_work+0x26d/0x580\n   ? process_one_work+0x580/0x580\n   worker_thread+0x55/0x3b0\n   ? process_one_work+0x580/0x580\n   kthread+0xf0/0x120\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x1f/0x30\n\nThis was partially fixed by c2e39305299f01 (\"btrfs: clear extent buffer\nuptodate when we fail to write it\"), however all that fix did was keep\nus from finding extent buffers after a failed writeout.  It didn't keep\nus from continuing to use a buffer that we already had found.\n\nIn this case we're searching the commit root to cache the block group,\nso we can start committing the transaction and switch the commit root\nand then start writing.  After the switch we can look up an extent\nbuffer that hasn't been written yet and start processing that block\ngroup.  Then we fail to write that block out and clear Uptodate on the\npage, and then we start spewing these errors.\n\nNormally we're protected by the tree lock to a certain degree here.  If\nwe read a block we have that block read locked, and we block the writer\nfrom locking the block before we submit it for the write.  However this\nisn't necessarily fool proof because the read could happen before we do\nthe submit_bio and after we locked and unlocked the extent buffer.\n\nAlso in this particular case we have path->skip_locking set, so that\nwon't save us here.  We'll simply get a block that was valid when we\nread it, but became invalid while we were using it.\n\nWhat we really want is to catch the case where we've \"read\" a block but\nit's not marked Uptodate.  On read we ClearPageError(), so if we're\n!Uptodate and !Error we know we didn't do the right thing for reading\nthe page.\n\nFix this by checking !Uptodate && !Error, this way we will not complain\nif our buffer gets invalidated while we're using it, and we'll maintain\nthe spirit of the check which is to make sure we have a fully in-cache\nblock while we're messing with it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48902",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix relocation crash due to premature return from btrfs_commit_transaction()\n\nWe are seeing crashes similar to the following trace:\n\n[38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]\n[38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54\n[38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]\n[38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206\n[38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14\n[38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360\n[38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000\n[38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800\n[38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360\n[38.987146] FS:  00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000\n[38.988662] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0\n[38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[38.992528] Call Trace:\n[38.992854]  <TASK>\n[38.993148]  btrfs_relocate_chunk+0x27/0xe0 [btrfs]\n[38.993941]  btrfs_balance+0x78e/0xea0 [btrfs]\n[38.994801]  ? vsnprintf+0x33c/0x520\n[38.995368]  ? __kmalloc_track_caller+0x351/0x440\n[38.996198]  btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]\n[38.997084]  btrfs_ioctl+0x11b0/0x2da0 [btrfs]\n[38.997867]  ? mod_objcg_state+0xee/0x340\n[38.998552]  ? seq_release+0x24/0x30\n[38.999184]  ? proc_nr_files+0x30/0x30\n[38.999654]  ? call_rcu+0xc8/0x2f0\n[39.000228]  ? __x64_sys_ioctl+0x84/0xc0\n[39.000872]  ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]\n[39.001973]  __x64_sys_ioctl+0x84/0xc0\n[39.002566]  do_syscall_64+0x3a/0x80\n[39.003011]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[39.003735] RIP: 0033:0x7f11c166959b\n[39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b\n[39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003\n[39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0\n[39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3\n[39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001\n[39.015040]  </TASK>\n[39.015418] ---[ end trace 0000000000000000 ]---\n[43.131559] ------------[ cut here ]------------\n[43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!\n[43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G        W         5.17.0-rc4 #54\n[43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]\n[43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246\n[43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001\n[43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff\n[43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50\n[43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000\n[43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000\n[43.145686] FS:  00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000\n[43.146808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0\n[43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48903",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix I/O page table memory leak\n\nThe current logic updates the I/O page table mode for the domain\nbefore calling the logic to free memory used for the page table.\nThis results in IOMMU page table memory leak, and can be observed\nwhen launching VM w/ pass-through devices.\n\nFix by freeing the memory used for page table before updating the mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48904",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: free reset-work-item when flushing\n\nFix a tiny memory leak when flushing the reset work queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48905",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Correctly set DATA_FIN timeout when number of retransmits is large\n\nSyzkaller with UBSAN uncovered a scenario where a large number of\nDATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN\ntimeout calculation:\n\n================================================================================\nUBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29\nshift exponent 32 is too large for 32-bit type 'unsigned int'\nCPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: events mptcp_worker\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n ubsan_epilogue+0xb/0x5a lib/ubsan.c:151\n __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330\n mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]\n __mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445\n mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528\n process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307\n worker_thread+0x95/0xe10 kernel/workqueue.c:2454\n kthread+0x2f4/0x3b0 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n================================================================================\n\nThis change limits the maximum timeout by limiting the size of the\nshift, which keeps all intermediate values in-bounds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48906",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: lcd2s: Fix memory leak in ->remove()\n\nOnce allocated the struct lcd2s_data is never freed.\nFix the memory leak by switching to devm_kzalloc().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48907",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()\n\nDuring driver initialization, the pointer of card info, i.e. the\nvariable 'ci' is required. However, the definition of\n'com20020pci_id_table' reveals that this field is empty for some\ndevices, which will cause null pointer dereference when initializing\nthese devices.\n\nThe following log reveals it:\n\n[    3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[    3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_pci]\n[    3.975181] Call Trace:\n[    3.976208]  local_pci_probe+0x13f/0x210\n[    3.977248]  pci_device_probe+0x34c/0x6d0\n[    3.977255]  ? pci_uevent+0x470/0x470\n[    3.978265]  really_probe+0x24c/0x8d0\n[    3.978273]  __driver_probe_device+0x1b3/0x280\n[    3.979288]  driver_probe_device+0x50/0x370\n\nFix this by checking whether the 'ci' is a null pointer first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48908",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix connection leak\n\nThere's a potential leak issue under following execution sequence :\n\nsmc_release  \t\t\t\tsmc_connect_work\nif (sk->sk_state == SMC_INIT)\n\t\t\t\t\tsend_clc_confirim\n\ttcp_abort();\n\t\t\t\t\t...\n\t\t\t\t\tsk.sk_state = SMC_ACTIVE\nsmc_close_active\nswitch(sk->sk_state) {\n...\ncase SMC_ACTIVE:\n\tsmc_close_final()\n\t// then wait peer closed\n\nUnfortunately, tcp_abort() may discard CLC CONFIRM messages that are\nstill in the tcp send buffer, in which case our connection token cannot\nbe delivered to the server side, which means that we cannot get a\npassive close message at all. Therefore, it is impossible for the to be\ndisconnected at all.\n\nThis patch tries a very simple way to avoid this issue, once the state\nhas changed to SMC_ACTIVE after tcp_abort(), we can actively abort the\nsmc connection, considering that the state is SMC_INIT before\ntcp_abort(), abandoning the complete disconnection process should not\ncause too much problem.\n\nIn fact, this problem may exist as long as the CLC CONFIRM message is\nnot received by the server. Whether a timer should be added after\nsmc_close_final() needs to be discussed in the future. But even so, this\npatch provides a faster release for connection in above case, it should\nalso be valuable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48909",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ensure we call ipv6_mc_down() at most once\n\nThere are two reasons for addrconf_notify() to be called with NETDEV_DOWN:\neither the network device is actually going down, or IPv6 was disabled\non the interface.\n\nIf either of them stays down while the other is toggled, we repeatedly\ncall the code for NETDEV_DOWN, including ipv6_mc_down(), while never\ncalling the corresponding ipv6_mc_up() in between. This will cause a\nnew entry in idev->mc_tomb to be allocated for each multicast group\nthe interface is subscribed to, which in turn leaks one struct ifmcaddr6\nper nontrivial multicast group the interface is subscribed to.\n\nThe following reproducer will leak at least $n objects:\n\nip addr add ff2e::4242/32 dev eth0 autojoin\nsysctl -w net.ipv6.conf.eth0.disable_ipv6=1\nfor i in $(seq 1 $n); do\n\tip link set up eth0; ip link set down eth0\ndone\n\nJoining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the\nsysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)\ncan also be used to create a nontrivial idev->mc_list, which will then\nleak objects with the right up-down-sequence.\n\nBased on both sources for NETDEV_DOWN events the interface IPv6 state\nshould be considered:\n\n - not ready if the network interface is not ready OR IPv6 is disabled\n   for it\n - ready if the network interface is ready AND IPv6 is enabled for it\n\nThe functions ipv6_mc_up() and ipv6_down() should only be run when this\nstate changes.\n\nImplement this by remembering when the IPv6 state is ready, and only\nrun ipv6_mc_down() if it actually changed from ready to not ready.\n\nThe other direction (not ready -> ready) already works correctly, as:\n\n - the interface notification triggered codepath for NETDEV_UP /\n   NETDEV_CHANGE returns early if ipv6 is disabled, and\n - the disable_ipv6=0 triggered codepath skips fully initializing the\n   interface as long as addrconf_link_ready(dev) returns false\n - calling ipv6_mc_up() repeatedly does not leak anything",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48910",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: fix possible use-after-free\n\nEric Dumazet says:\n  The sock_hold() side seems suspect, because there is no guarantee\n  that sk_refcnt is not already 0.\n\nOn failure, we cannot queue the packet and need to indicate an\nerror.  The packet will be dropped by the caller.\n\nv2: split skb prefetch hunk into separate change",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48911",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: fix use-after-free in __nf_register_net_hook()\n\nWe must not dereference @new_hooks after nf_hook_mutex has been released,\nbecause other threads might have freed our allocated hooks already.\n\nBUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\nBUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]\nBUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\nRead of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430\n\nCPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\n hooks_validate net/netfilter/core.c:171 [inline]\n __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\n nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571\n nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587\n nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218\n synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81\n xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038\n check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]\n find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573\n translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735\n do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]\n do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639\n nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101\n ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024\n rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084\n __sys_setsockopt+0x2db/0x610 net/socket.c:2180\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f65a1ace7d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9\nRDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003\nRBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130\nR13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000\n </TASK>\n\nThe buggy address belongs to the page:\npage:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993\n prep_new_page mm/page_alloc.c:2434 [inline]\n get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389\n __alloc_pages_node include/linux/gfp.h:572 [inline]\n alloc_pages_node include/linux/gfp.h:595 [inline]\n kmalloc_large_node+0x62/0x130 mm/slub.c:4438\n __kmalloc_node+0x35a/0x4a0 mm/slub.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48912",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix use after free for struct blk_trace\n\nWhen tracing the whole disk, 'dropped' and 'msg' will be created\nunder 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free()\nwon't remove those files. What's worse, the following UAF can be\ntriggered because of accessing stale 'dropped' and 'msg':\n\n==================================================================\nBUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100\nRead of size 4 at addr ffff88816912f3d8 by task blktrace/1188\n\nCPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_address_description.constprop.0.cold+0xab/0x381\n ? blk_dropped_read+0x89/0x100\n ? blk_dropped_read+0x89/0x100\n kasan_report.cold+0x83/0xdf\n ? blk_dropped_read+0x89/0x100\n kasan_check_range+0x140/0x1b0\n blk_dropped_read+0x89/0x100\n ? blk_create_buf_file_callback+0x20/0x20\n ? kmem_cache_free+0xa1/0x500\n ? do_sys_openat2+0x258/0x460\n full_proxy_read+0x8f/0xc0\n vfs_read+0xc6/0x260\n ksys_read+0xb9/0x150\n ? vfs_write+0x3d0/0x3d0\n ? fpregs_assert_state_consistent+0x55/0x60\n ? exit_to_user_mode_prepare+0x39/0x1e0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fbc080d92fd\nCode: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1\nRSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd\nRDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045\nRBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd\nR10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0\nR13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8\n </TASK>\n\nAllocated by task 1050:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n do_blk_trace_setup+0xcb/0x410\n __blk_trace_setup+0xac/0x130\n blk_trace_ioctl+0xe9/0x1c0\n blkdev_ioctl+0xf1/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFreed by task 1050:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x103/0x180\n kfree+0x9a/0x4c0\n __blk_trace_remove+0x53/0x70\n blk_trace_ioctl+0x199/0x1c0\n blkdev_common_ioctl+0x5e9/0xb30\n blkdev_ioctl+0x1a5/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe buggy address belongs to the object at ffff88816912f380\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 88 bytes inside of\n 96-byte region [ffff88816912f380, ffff88816912f3e0)\nThe buggy address belongs to the page:\npage:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f\nflags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780\nraw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n>ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48913",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netfront: destroy queues before real_num_tx_queues is zeroed\n\nxennet_destroy_queues() relies on info->netdev->real_num_tx_queues to\ndelete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5\n(\"net-sysfs: update the queue counts in the unregistration path\"),\nunregister_netdev() indirectly sets real_num_tx_queues to 0. Those two\nfacts together means, that xennet_destroy_queues() called from\nxennet_remove() cannot do its job, because it's called after\nunregister_netdev(). This results in kfree-ing queues that are still\nlinked in napi, which ultimately crashes:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000000\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP PTI\n    CPU: 1 PID: 52 Comm: xenwatch Tainted: G        W         5.16.10-1.32.fc32.qubes.x86_64+ #226\n    RIP: 0010:free_netdev+0xa3/0x1a0\n    Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00\n    RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286\n    RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000\n    RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff\n    RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000\n    R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050\n    R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680\n    FS:  0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0\n    Call Trace:\n     <TASK>\n     xennet_remove+0x13d/0x300 [xen_netfront]\n     xenbus_dev_remove+0x6d/0xf0\n     __device_release_driver+0x17a/0x240\n     device_release_driver+0x24/0x30\n     bus_remove_device+0xd8/0x140\n     device_del+0x18b/0x410\n     ? _raw_spin_unlock+0x16/0x30\n     ? klist_iter_exit+0x14/0x20\n     ? xenbus_dev_request_and_reply+0x80/0x80\n     device_unregister+0x13/0x60\n     xenbus_dev_changed+0x18e/0x1f0\n     xenwatch_thread+0xc0/0x1a0\n     ? do_wait_intr_irq+0xa0/0xa0\n     kthread+0x16b/0x190\n     ? set_kthread_struct+0x40/0x40\n     ret_from_fork+0x22/0x30\n     </TASK>\n\nFix this by calling xennet_destroy_queues() from xennet_uninit(),\nwhen real_num_tx_queues is still available. This ensures that queues are\ndestroyed when real_num_tx_queues is set to 0, regardless of how\nunregister_netdev() was called.\n\nOriginally reported at\nhttps://github.com/QubesOS/qubes-issues/issues/7257",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48914",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.13"
        },
        {
          "id": "CVE-2022-48915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix TZ_GET_TRIP NULL pointer dereference\n\nDo not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if\nthe thermal zone does not define one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48915",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix double list_add when enabling VMD in scalable mode\n\nWhen enabling VMD and IOMMU scalable mode, the following kernel panic\ncall trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids\nCPU) during booting:\n\npci 0000:59:00.5: Adding to iommu group 42\n...\nvmd 0000:59:00.5: PCI host bridge to bus 10000:80\npci 10000:80:01.0: [8086:352a] type 01 class 0x060400\npci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]\npci 10000:80:01.0: enabling Extended Tags\npci 10000:80:01.0: PME# supported from D0 D3hot D3cold\npci 10000:80:01.0: DMAR: Setup RID2PASID failed\npci 10000:80:01.0: Failed to add to iommu group 42: -16\npci 10000:80:03.0: [8086:352b] type 01 class 0x060400\npci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]\npci 10000:80:03.0: enabling Extended Tags\npci 10000:80:03.0: PME# supported from D0 D3hot D3cold\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:29!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7\nHardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022\nWorkqueue: events work_for_cpu_fn\nRIP: 0010:__list_add_valid.cold+0x26/0x3f\nCode: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f\n      0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1\n      fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9\n      9e e8 8b b1 fe\nRSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246\nRAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8\nRDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20\nRBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888\nR10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0\nR13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70\nFS:  0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n intel_pasid_alloc_table+0x9c/0x1d0\n dmar_insert_one_dev_info+0x423/0x540\n ? device_to_iommu+0x12d/0x2f0\n intel_iommu_attach_device+0x116/0x290\n __iommu_attach_device+0x1a/0x90\n iommu_group_add_device+0x190/0x2c0\n __iommu_probe_device+0x13e/0x250\n iommu_probe_device+0x24/0x150\n iommu_bus_notifier+0x69/0x90\n blocking_notifier_call_chain+0x5a/0x80\n device_add+0x3db/0x7b0\n ? arch_memremap_can_ram_remap+0x19/0x50\n ? memremap+0x75/0x140\n pci_device_add+0x193/0x1d0\n pci_scan_single_device+0xb9/0xf0\n pci_scan_slot+0x4c/0x110\n pci_scan_child_bus_extend+0x3a/0x290\n vmd_enable_domain.constprop.0+0x63e/0x820\n vmd_probe+0x163/0x190\n local_pci_probe+0x42/0x80\n work_for_cpu_fn+0x13/0x20\n process_one_work+0x1e2/0x3b0\n worker_thread+0x1c4/0x3a0\n ? rescuer_thread+0x370/0x370\n kthread+0xc7/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\n...\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe following 'lspci' output shows devices '10000:80:*' are subdevices of\nthe VMD device 0000:59:00.5:\n\n  $ lspci\n  ...\n  0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)\n  ...\n  10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)\n  10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)\n  10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)\n  10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)\n  10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]\n  10000:82:00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48916",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mvm: check debugfs_dir ptr before use\n\nWhen \"debugfs=off\" is used on the kernel command line, iwiwifi's\nmvm module uses an invalid/unchecked debugfs_dir pointer and causes\na BUG:\n\n BUG: kernel NULL pointer dereference, address: 000000000000004f\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 503 Comm: modprobe Tainted: G        W         5.17.0-rc5 #7\n Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021\n RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]\n Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73\n RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246\n RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328\n RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c\n RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620\n R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000\n R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320\n FS:  00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]\n  iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]\n  iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]\n  _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]\n  iwl_opmode_register+0x6a/0xe0 [iwlwifi]\n  ? 0xffffffffa0231000\n  iwl_mvm_init+0x35/0x1000 [iwlmvm]\n  ? 0xffffffffa0231000\n  do_one_initcall+0x5a/0x1b0\n  ? kmem_cache_alloc+0x1e5/0x2f0\n  ? do_init_module+0x1e/0x220\n  do_init_module+0x48/0x220\n  load_module+0x2602/0x2bc0\n  ? __kernel_read+0x145/0x2e0\n  ? kernel_read_file+0x229/0x290\n  __do_sys_finit_module+0xc5/0x130\n  ? __do_sys_finit_module+0xc5/0x130\n  __x64_sys_finit_module+0x13/0x20\n  do_syscall_64+0x38/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f64dda564dd\n Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd\n RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001\n RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002\n R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2\n R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018\n  </TASK>\n Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev\n CR2: 000000000000004f\n ---[ end trace 0000000000000000 ]---\n\nCheck the debugfs_dir pointer for an error before using it.\n\n[change to make both conditional]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48918",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix double free race when mount fails in cifs_get_root()\n\nWhen cifs_get_root() fails during cifs_smb3_do_mount() we call\ndeactivate_locked_super() which eventually will call delayed_free() which\nwill free the context.\nIn this situation we should not proceed to enter the out: section in\ncifs_smb3_do_mount() and free the same resources a second time.\n\n[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0\n\n[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     5.17.0-rc3+ #4\n[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019\n[Thu Feb 10 12:59:06 2022] Call Trace:\n[Thu Feb 10 12:59:06 2022]  <IRQ>\n[Thu Feb 10 12:59:06 2022]  dump_stack_lvl+0x5d/0x78\n[Thu Feb 10 12:59:06 2022]  print_address_description.constprop.0+0x24/0x150\n[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022]  kasan_report.cold+0x7d/0x117\n[Thu Feb 10 12:59:06 2022]  ? rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022]  __asan_load8+0x86/0xa0\n[Thu Feb 10 12:59:06 2022]  rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022]  rcu_core+0x547/0xca0\n[Thu Feb 10 12:59:06 2022]  ? call_rcu+0x3c0/0x3c0\n[Thu Feb 10 12:59:06 2022]  ? __this_cpu_preempt_check+0x13/0x20\n[Thu Feb 10 12:59:06 2022]  ? lock_is_held_type+0xea/0x140\n[Thu Feb 10 12:59:06 2022]  rcu_core_si+0xe/0x10\n[Thu Feb 10 12:59:06 2022]  __do_softirq+0x1d4/0x67b\n[Thu Feb 10 12:59:06 2022]  __irq_exit_rcu+0x100/0x150\n[Thu Feb 10 12:59:06 2022]  irq_exit_rcu+0xe/0x30\n[Thu Feb 10 12:59:06 2022]  sysvec_hyperv_stimer0+0x9d/0xc0\n...\n[Thu Feb 10 12:59:07 2022] Freed by task 58179:\n[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50\n[Thu Feb 10 12:59:07 2022]  kasan_set_track+0x25/0x30\n[Thu Feb 10 12:59:07 2022]  kasan_set_free_info+0x24/0x40\n[Thu Feb 10 12:59:07 2022]  ____kasan_slab_free+0x137/0x170\n[Thu Feb 10 12:59:07 2022]  __kasan_slab_free+0x12/0x20\n[Thu Feb 10 12:59:07 2022]  slab_free_freelist_hook+0xb3/0x1d0\n[Thu Feb 10 12:59:07 2022]  kfree+0xcd/0x520\n[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0x149/0xbe0 [cifs]\n[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]\n[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140\n[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0\n[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210\n[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0\n[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n[Thu Feb 10 12:59:07 2022] Last potentially related work creation:\n[Thu Feb 10 12:59:07 2022]  kasan_save_stack+0x26/0x50\n[Thu Feb 10 12:59:07 2022]  __kasan_record_aux_stack+0xb6/0xc0\n[Thu Feb 10 12:59:07 2022]  kasan_record_aux_stack_noalloc+0xb/0x10\n[Thu Feb 10 12:59:07 2022]  call_rcu+0x76/0x3c0\n[Thu Feb 10 12:59:07 2022]  cifs_umount+0xce/0xe0 [cifs]\n[Thu Feb 10 12:59:07 2022]  cifs_kill_sb+0xc8/0xe0 [cifs]\n[Thu Feb 10 12:59:07 2022]  deactivate_locked_super+0x5d/0xd0\n[Thu Feb 10 12:59:07 2022]  cifs_smb3_do_mount+0xab9/0xbe0 [cifs]\n[Thu Feb 10 12:59:07 2022]  smb3_get_tree+0x1a0/0x2e0 [cifs]\n[Thu Feb 10 12:59:07 2022]  vfs_get_tree+0x52/0x140\n[Thu Feb 10 12:59:07 2022]  path_mount+0x635/0x10c0\n[Thu Feb 10 12:59:07 2022]  __x64_sys_mount+0x1bf/0x210\n[Thu Feb 10 12:59:07 2022]  do_syscall_64+0x5c/0xc0\n[Thu Feb 10 12:59:07 2022]  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48919",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: get rid of warning on transaction commit when using flushoncommit\n\nWhen using the flushoncommit mount option, during almost every transaction\ncommit we trigger a warning from __writeback_inodes_sb_nr():\n\n  $ cat fs/fs-writeback.c:\n  (...)\n  static void __writeback_inodes_sb_nr(struct super_block *sb, ...\n  {\n        (...)\n        WARN_ON(!rwsem_is_locked(&sb->s_umount));\n        (...)\n  }\n  (...)\n\nThe trace produced in dmesg looks like the following:\n\n  [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3\n  [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif\n  [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186\n  [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3\n  [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...)\n  [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246\n  [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000\n  [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50\n  [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000\n  [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488\n  [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460\n  [947.553621] FS:  0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000\n  [947.560537] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0\n  [947.571072] Call Trace:\n  [947.572354]  <TASK>\n  [947.573266]  btrfs_commit_transaction+0x1f1/0x998\n  [947.576785]  ? start_transaction+0x3ab/0x44e\n  [947.579867]  ? schedule_timeout+0x8a/0xdd\n  [947.582716]  transaction_kthread+0xe9/0x156\n  [947.585721]  ? btrfs_cleanup_transaction.isra.0+0x407/0x407\n  [947.590104]  kthread+0x131/0x139\n  [947.592168]  ? set_kthread_struct+0x32/0x32\n  [947.595174]  ret_from_fork+0x22/0x30\n  [947.597561]  </TASK>\n  [947.598553] ---[ end trace 644721052755541c ]---\n\nThis is because we started using writeback_inodes_sb() to flush delalloc\nwhen committing a transaction (when using -o flushoncommit), in order to\navoid deadlocks with filesystem freeze operations. This change was made\nby commit ce8ea7cc6eb313 (\"btrfs: don't call btrfs_start_delalloc_roots\nin flushoncommit\"). After that change we started producing that warning,\nand every now and then a user reports this since the warning happens too\noften, it spams dmesg/syslog, and a user is unsure if this reflects any\nproblem that might compromise the filesystem's reliability.\n\nWe can not just lock the sb->s_umount semaphore before calling\nwriteback_inodes_sb(), because that would at least deadlock with\nfilesystem freezing, since at fs/super.c:freeze_super() sync_filesystem()\nis called while we are holding that semaphore in write mode, and that can\ntrigger a transaction commit, resulting in a deadlock. It would also\ntrigger the same type of deadlock in the unmount path. Possibly, it could\nalso introduce some other locking dependencies that lockdep would report.\n\nTo fix this call try_to_writeback_inodes_sb() instead of\nwriteback_inodes_sb(), because that will try to read lock sb->s_umount\nand then will only call writeback_inodes_sb() if it was able to lock it.\nThis is fine because the cases where it can't read lock sb->s_umount\nare during a filesystem unmount or during a filesystem freeze - in those\ncases sb->s_umount is write locked and sync_filesystem() is called, which\ncalls writeback_inodes_sb(). In other words, in all cases where we can't\ntake a read lock on sb->s_umount, writeback is already being triggered\nelsewhere.\n\nAn alternative would be to call btrfs_start_delalloc_roots() with a\nnumber of pages different from LONG_MAX, for example matching the number\nof delalloc bytes we currently have, in \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48920",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix fault in reweight_entity\n\nSyzbot found a GPF in reweight_entity. This has been bisected to\ncommit 4ef0c5c6b5ba (\"kernel/sched: Fix sched_fork() access an invalid\nsched_task_group\")\n\nThere\u00a0is a race between sched_post_fork() and setpriority(PRIO_PGRP)\nwithin a thread group that causes a null-ptr-deref\u00a0in\nreweight_entity() in CFS. The scenario is that the main process spawns\nnumber of new threads, which then call setpriority(PRIO_PGRP, 0, -20),\nwait, and exit.  For each of the new threads the copy_process() gets\ninvoked, which adds the new task_struct and calls sched_post_fork()\nfor it.\n\nIn the above scenario there is a possibility that\nsetpriority(PRIO_PGRP) and set_one_prio() will be called for a thread\nin the group that is just being created by copy_process(), and for\nwhich the sched_post_fork() has not been executed yet. This will\ntrigger a null pointer dereference in reweight_entity(),\u00a0as it will\ntry to access the run queue pointer, which hasn't been set.\n\nBefore the mentioned change the cfs_rq pointer for the task  has been\nset in sched_fork(), which is called much earlier in copy_process(),\nbefore the new task is added to the thread_group.  Now it is done in\nthe sched_post_fork(), which is called after that.  To fix the issue\nthe remove the update_load param from the update_load param() function\nand call reweight_task() only if the task flag doesn't have the\nTASK_NEW flag set.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48921",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix oops caused by irqsoff latency tracer\n\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\nproperly. This because these two functions use macro 'CALLER_ADDR1' (aka.\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\nfor other purpose, the code generated this macro (as below) could trigger\nmemory access fault.\n\n   0xffffffff8011510e <+80>:    ld      a1,-16(s0)\n   0xffffffff80115112 <+84>:    ld      s2,-8(a1)  # <-- paging fault here\n\nThe oops message during booting if compiled with 'irqoff' tracer enabled:\n[    0.039615][    T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\n[    0.041925][    T0] Oops [#1]\n[    0.042063][    T0] Modules linked in:\n[    0.042864][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\n[    0.043568][    T0] Hardware name: riscv-virtio,qemu (DT)\n[    0.044343][    T0] epc : trace_hardirqs_on+0x56/0xe2\n[    0.044601][    T0]  ra : restore_all+0x12/0x6e\n[    0.044721][    T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\n[    0.044801][    T0]  gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\n[    0.044882][    T0]  t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\n[    0.044967][    T0]  s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\n[    0.045046][    T0]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.045124][    T0]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\n[    0.045210][    T0]  s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\n[    0.045289][    T0]  s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\n[    0.045389][    T0]  s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\n[    0.045474][    T0]  s11: 0000000000000000 t3 : 
7fffffffffffffff t4 : 0000000000000000\n[    0.045548][    T0]  t5 : 0000000000000000 t6 : ffffffff814aa368\n[    0.045620][    T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d\n[    0.046402][    T0] [<ffffffff80003b94>] restore_all+0x12/0x6e\n\nThis is because the $fp (aka. $s0) register is not used as the frame pointer in the\nassembly entry code.\n\n\tresume_kernel:\n\t\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\n\t\tbnez s0, restore_all\n\t\tREG_L s0, TASK_TI_FLAGS(tp)\n                andi s0, s0, _TIF_NEED_RESCHED\n                beqz s0, restore_all\n                call preempt_schedule_irq\n                j restore_all\n\nTo fix the above issue, here we add one extra level of wrapper for the functions\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\ncode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48922",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: prevent copying too big compressed lzo segment\n\nCompressed length can be corrupted to be a lot larger than memory\nwe have allocated for buffer.\nThis will cause memcpy in copy_compressed_segment to write outside\nof allocated memory.\n\nThis mostly results in stuck read syscall but sometimes when using\nbtrfs send can get #GP\n\n  kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI\n  kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P           OE     5.17.0-rc2-1 #12\n  kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]\n  kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs\n  Code starting with the faulting instruction\n  ===========================================\n     0:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction\n     3:   48 8d 79 08             lea    0x8(%rcx),%rdi\n     7:   48 83 e7 f8             and    $0xfffffffffffffff8,%rdi\n     b:   48 89 01                mov    %rax,(%rcx)\n     e:   44 89 f0                mov    %r14d,%eax\n    11:   48 8b 54 06 f8          mov    -0x8(%rsi,%rax,1),%rdx\n  kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212\n  kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8\n  kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d\n  kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000\n  kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000\n  kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000\n  kernel: FS:  0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000\n  kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0\n  kernel: Call Trace:\n 
 kernel:  <TASK>\n  kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs\n  kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs\n  kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs\n  kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)\n  kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)\n  kernel: ? process_one_work (kernel/workqueue.c:2397)\n  kernel: kthread (kernel/kthread.c:377)\n  kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)\n  kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)\n  kernel:  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48923",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: int340x: fix memory leak in int3400_notify()\n\nIt is easy to hit the below memory leaks in my TigerLake platform:\n\nunreferenced object 0xffff927c8b91dbc0 (size 32):\n  comm \"kworker/0:2\", pid 112, jiffies 4294893323 (age 83.604s)\n  hex dump (first 32 bytes):\n    4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65  NAME=INT3400 The\n    72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  rmal.kkkkkkkkkk.\n  backtrace:\n    [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0\n    [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0\n    [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70\n    [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal]\n    [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71\n    [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30\n    [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0\n    [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0\n    [<ffffffff9c2cb4dd>] kthread+0xfd/0x130\n    [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30\n\nFix it by calling kfree() accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48924",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Do not change route.addr.src_addr outside state checks\n\nIf the state is not idle then resolve_prepare_src() should immediately\nfail and no change to global state should happen. However, it\nunconditionally overwrites the src_addr trying to build a temporary any\naddress.\n\nFor instance if the state is already RDMA_CM_LISTEN then this will corrupt\nthe src_addr and would cause the test in cma_cancel_operation():\n\n           if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)\n\nWhich would manifest as this trace from syzkaller:\n\n  BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26\n  Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204\n\n  CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  Call Trace:\n   __dump_stack lib/dump_stack.c:79 [inline]\n   dump_stack+0x141/0x1d7 lib/dump_stack.c:120\n   print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232\n   __kasan_report mm/kasan/report.c:399 [inline]\n   kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416\n   __list_add_valid+0x93/0xa0 lib/list_debug.c:26\n   __list_add include/linux/list.h:67 [inline]\n   list_add_tail include/linux/list.h:100 [inline]\n   cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]\n   rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751\n   ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102\n   ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732\n   vfs_write+0x28e/0xa30 fs/read_write.c:603\n   ksys_write+0x1ee/0x250 fs/read_write.c:658\n   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThis is indicating that an rdma_id_private was destroyed without doing\ncma_cancel_listens().\n\nInstead of trying to re-use 
the src_addr memory to indirectly create an\nany address derived from the dst build one explicitly on the stack and\nbind to that as any other normal flow would do. rdma_bind_addr() will copy\nit over the src_addr once it knows the state is valid.\n\nThis is similar to commit bc0bdc5afaa7 (\"RDMA/cma: Do not change\nroute.addr.src_addr.ss_family\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48925",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: add spinlock for rndis response list\n\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n\n[  361.894299] [1:   irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n\n[  361.904380] [1:   irq/191-dwc3:16979] Call trace:\n[  361.904391] [1:   irq/191-dwc3:16979]  __list_add_valid+0x74/0x90\n[  361.904401] [1:   irq/191-dwc3:16979]  rndis_msg_parser+0x168/0x8c0\n[  361.904409] [1:   irq/191-dwc3:16979]  rndis_command_complete+0x24/0x84\n[  361.904417] [1:   irq/191-dwc3:16979]  usb_gadget_giveback_request+0x20/0xe4\n[  361.904426] [1:   irq/191-dwc3:16979]  dwc3_gadget_giveback+0x44/0x60\n[  361.904434] [1:   irq/191-dwc3:16979]  dwc3_ep0_complete_data+0x1e8/0x3a0\n[  361.904442] [1:   irq/191-dwc3:16979]  dwc3_ep0_interrupt+0x29c/0x3dc\n[  361.904450] [1:   irq/191-dwc3:16979]  dwc3_process_event_entry+0x78/0x6cc\n[  361.904457] [1:   irq/191-dwc3:16979]  dwc3_process_event_buf+0xa0/0x1ec\n[  361.904465] [1:   irq/191-dwc3:16979]  dwc3_thread_interrupt+0x34/0x5c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48926",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: tsc2046: fix memory corruption by preventing array overflow\n\nOn one side we have indio_dev->num_channels, which includes all physical channels +\ntimestamp channel. On the other side we have an array allocated only for\nphysical channels. So, fix memory corruption by using ARRAY_SIZE() instead of the\nnum_channels variable.\n\nNote the first case is a cleanup rather than a fix as the software\ntimestamp channel bit in active_scanmask is never set by the IIO core.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48927",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: men_z188_adc: Fix a resource leak in an error handling path\n\nIf iio_device_register() fails, a previous ioremap() is left unbalanced.\n\nUpdate the error handling path and add the missing iounmap() call, as\nalready done in the remove function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48928",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48929",
          "detail": "fixed-version",
          "description": "Fixed from version 5.16.12"
        },
        {
          "id": "CVE-2022-48930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ib_srp: Fix a deadlock\n\nRemove the flush_workqueue(system_long_wq) call since flushing\nsystem_long_wq is deadlock-prone and since that call is redundant with a\npreceding cancel_work_sync().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48930",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs: fix a race in configfs_{,un}register_subsystem()\n\nWhen configfs_register_subsystem() or configfs_unregister_subsystem()\nis executing link_group() or unlink_group(),\nit is possible that two processes add or delete list concurrently.\nSome unfortunate interleavings of them can cause kernel panic.\n\nOne of cases is:\nA --> B --> C --> D\nA <-- B <-- C <-- D\n\n     delete list_head *B        |      delete list_head *C\n--------------------------------|-----------------------------------\nconfigfs_unregister_subsystem   |   configfs_unregister_subsystem\n  unlink_group                  |     unlink_group\n    unlink_obj                  |       unlink_obj\n      list_del_init             |         list_del_init\n        __list_del_entry        |           __list_del_entry\n          __list_del            |             __list_del\n            // next == C        |\n            next->prev = prev   |\n                                |               next->prev = prev\n            prev->next = next   |\n                                |                 // prev == B\n                                |                 prev->next = next\n\nFix this by adding mutex when calling link_group() or unlink_group(),\nbut parent configfs_subsystem is NULL when config_item is root.\nSo I create a mutex configfs_subsystem_mutex.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48931",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte\n\nWhen adding a rule with 32 destinations, we hit the following out-of-band\naccess issue:\n\n  BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70\n\nThis patch fixes the issue by both increasing the allocated buffers to\naccommodate for the needed actions and by checking the number of actions\nto prevent this issue when a rule with too many actions is provided.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48932",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memory leak during stateful obj update\n\nStateful objects can be updated from the control plane.\nThe transaction logic allocates a temporary object for this purpose.\n\nThe ->init function was called for this object, so plain kfree() leaks\nresources. We must call the ->destroy function of the object.\n\nnft_obj_destroy does this, but it also decrements the module refcount,\nand the update path doesn't increment it.\n\nTo avoid special-casing the update object release, do module_get for\nthe update case too and release it via nft_obj_destroy().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48933",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()\n\nida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)\ninclusive.\nSo NFP_MAX_MAC_INDEX (0xff) is a valid id.\n\nIn order for the error handling path to work correctly, the 'invalid'\nvalue for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range,\ninclusive.\n\nSo set it to -1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48934",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unregister flowtable hooks on netns exit\n\nUnregister flowtable hooks before they are releases via\nnf_tables_flowtable_destroy() otherwise hook core reports UAF.\n\nBUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\nRead of size 4 at addr ffff8880736f7438 by task syz-executor579/3666\n\nCPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106\n dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106\n print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450\n kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450\n nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\n __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429\n nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571\n nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232\n nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 
net/netfilter/nfnetlink.c:652\n\n__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which\nonly unregisters the hooks, then after RCU grace period, it is\nguaranteed that no packets add new entries to the flowtable (no flow\noffload rules and flowtable hooks are reachable from packet path), so it\nis safe to call nf_flow_table_free() which cleans up the remaining\nentries from the flowtable (both software and hardware) and it unbinds\nthe flow_block.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48935",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: add a schedule point in io_add_buffers()\n\nLooping ~65535 times doing kmalloc() calls can trigger soft lockups,\nespecially with DEBUG features (like KASAN).\n\n[  253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575]\n[  253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O)\n[  253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S         O      5.17.0-smp-DEV #801\n[  253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98)\n[  253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40\n[  253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246\n[  253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001\n[  253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a\n[  253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004\n[  253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380\n[  253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0\n[  253.544483] FS:  00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000\n[  253.544486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0\n[  253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  253.544494] Call Trace:\n[  253.544496]  <TASK>\n[  253.544498] ? 
io_queue_sqe (fs/io_uring.c:7143)\n[  253.544505] __kernel_text_address (kernel/extable.c:78)\n[  253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19)\n[  253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27)\n[  253.544517] ? io_queue_sqe (fs/io_uring.c:7143)\n[  253.544521] stack_trace_save (kernel/stacktrace.c:123)\n[  253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)\n[  253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)\n[  253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524)\n[  253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)\n[  253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[  253.544544] ? __io_queue_sqe (fs/io_uring.c:?)\n[  253.544551] __kasan_kmalloc (mm/kasan/common.c:524)\n[  253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)\n[  253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[  253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[  253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)\n[  253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)\n[  253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546)\n[  253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078)\n[  253.544578] ? io_submit_sqes (fs/io_uring.c:7441)\n[  253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096)\n[  253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096)\n[  253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n[  253.544590] ? 
entry_SYSCALL_64_after_hwframe (??:?)\n[  253.544596] __io_queue_sqe (fs/io_uring.c:?)\n[  253.544600] io_queue_sqe (fs/io_uring.c:7143)\n[  253.544603] io_submit_sqe (fs/io_uring.c:?)\n[  253.544608] io_submit_sqes (fs/io_uring.c:?)\n[  253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uri\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48937",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nCDC-NCM: avoid overflow in sanity checking\n\nA broken device may give an extreme offset like 0xFFF0\nand a reasonable length for a fragment. In the sanity\ncheck as formulated now, this will create an integer\noverflow, defeating the sanity check. Both offset\nand offset + len need to be checked in such a manner\nthat no overflow can occur.\nAnd those quantities should be unsigned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48938",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add schedule points in batch ops\n\nsyzbot reported various soft lockups caused by bpf batch operations.\n\n INFO: task kworker/1:1:27 blocked for more than 140 seconds.\n INFO: task hung in rcu_barrier\n\nNothing prevents batch ops to process huge amount of data,\nwe need to add schedule points in them.\n\nNote that maybe_wait_bpf_programs(map) calls from\ngeneric_map_delete_batch() can be factorized by moving\nthe call after the loop.\n\nThis will be done later in -next tree once we get this fix merged,\nunless there is strong opinion doing this optimization sooner.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48939",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to incorrect copy_map_value\n\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\n\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n\n[root@(none) bpf]# ./test_progs -t timer_crash\n[   15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[   16.037849] ==================================================================\n[   16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[   16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[   16.039399]\n[   16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G           OE     5.16.0+ #278\n[   16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[   16.040485] Call Trace:\n[   16.040645]  <TASK>\n[   16.040805]  dump_stack_lvl+0x59/0x73\n[   16.041069]  ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[   16.041427]  kasan_report.cold+0x116/0x11b\n[   16.041673]  ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[   16.042040]  __pv_queued_spin_lock_slowpath+0x32b/0x520\n[   16.042328]  ? memcpy+0x39/0x60\n[   16.042552]  ? pv_hash+0xd0/0xd0\n[   16.042785]  ? lockdep_hardirqs_off+0x95/0xd0\n[   16.043079]  __bpf_spin_lock_irqsave+0xdf/0xf0\n[   16.043366]  ? bpf_get_current_comm+0x50/0x50\n[   16.043608]  ? jhash+0x11a/0x270\n[   16.043848]  bpf_timer_cancel+0x34/0xe0\n[   16.044119]  bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[   16.044500]  bpf_trampoline_6442477838_0+0x36/0x1000\n[   16.044836]  __x64_sys_nanosleep+0x5/0x140\n[   16.045119]  do_syscall_64+0x59/0x80\n[   16.045377]  ? lock_is_held_type+0xe4/0x140\n[   16.045670]  ? irqentry_exit_to_user_mode+0xa/0x40\n[   16.046001]  ? mark_held_locks+0x24/0x90\n[   16.046287]  ? asm_exc_page_fault+0x1e/0x30\n[   16.046569]  ? asm_exc_page_fault+0x8/0x30\n[   16.046851]  ? lockdep_hardirqs_on+0x7e/0x100\n[   16.047137]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   16.047405] RIP: 0033:0x7f9e4831718d\n[   16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[   16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[   16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[   16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[   16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[   16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[   16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[   16.051608]  </TASK>\n[   16.051762] ==================================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48940",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix concurrent reset and removal of VFs\n\nCommit c503e63200c6 (\"ice: Stop processing VF messages during teardown\")\nintroduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is\nintended to prevent some issues with concurrently handling messages from\nVFs while tearing down the VFs.\n\nThis change was motivated by crashes caused while tearing down and\nbringing up VFs in rapid succession.\n\nIt turns out that the fix actually introduces issues with the VF driver\ncaused because the PF no longer responds to any messages sent by the VF\nduring its .remove routine. This results in the VF potentially removing\nits DMA memory before the PF has shut down the device queues.\n\nAdditionally, the fix doesn't actually resolve concurrency issues within\nthe ice driver. It is possible for a VF to initiate a reset just prior\nto the ice driver removing VFs. This can result in the remove task\nconcurrently operating while the VF is being reset. This results in\nsimilar memory corruption and panics purportedly fixed by that commit.\n\nFix this concurrency at its root by protecting both the reset and\nremoval flows using the existing VF cfg_lock. This ensures that we\ncannot remove the VF while any outstanding critical tasks such as a\nvirtchnl message or a reset are occurring.\n\nThis locking change also fixes the root cause originally fixed by commit\nc503e63200c6 (\"ice: Stop processing VF messages during teardown\"), so we\ncan simply revert it.\n\nNote that I kept these two changes together because simply reverting the\noriginal commit alone would leave the driver vulnerable to worse race\nconditions.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48941",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: Handle failure to register sensor with thermal zone correctly\n\nIf an attempt is made to a sensor with a thermal zone and it fails,\nthe call to devm_thermal_zone_of_sensor_register() may return -ENODEV.\nThis may result in crashes similar to the following.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000003cd\n...\nInternal error: Oops: 96000021 [#1] PREEMPT SMP\n...\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mutex_lock+0x18/0x60\nlr : thermal_zone_device_update+0x40/0x2e0\nsp : ffff800014c4fc60\nx29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790\nx26: ffff365ee3f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000\nx23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd\nx20: ffff365ee8bf3308 x19: ffffffffffffffed x18: 0000000000000000\nx17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040\nx14: ffffdde21a4889a0 x13: 0000000000000228 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\nx8 : 0000000001120000 x7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0068000878e20f07 x4 : 0000000000000000 x3 : 00000000000003cd\nx2 : ffff365ee3f6e000 x1 : 0000000000000000 x0 : 00000000000003cd\nCall trace:\n mutex_lock+0x18/0x60\n hwmon_notify_event+0xfc/0x110\n 0xffffdde1cb7a0a90\n 0xffffdde1cb7a0b7c\n irq_thread_fn+0x2c/0xa0\n irq_thread+0x134/0x240\n kthread+0x178/0x190\n ret_from_fork+0x10/0x20\nCode: d503201f d503201f d2800001 aa0103e4 (c8e47c02)\n\nJon Hunter reports that the exact call sequence is:\n\nhwmon_notify_event()\n  --> hwmon_thermal_notify()\n    --> thermal_zone_device_update()\n      --> update_temperature()\n        --> mutex_lock()\n\nThe hwmon core needs to handle all errors returned from calls\nto devm_thermal_zone_of_sensor_register(). If the call fails\nwith -ENODEV, report that the sensor was not attached to a\nthermal zone  but continue to register the hwmon device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48942",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: make apf token non-zero to fix bug\n\nIn current async pagefault logic, when a page is ready, KVM relies on\nkvm_arch_can_dequeue_async_page_present() to determine whether to deliver\na READY event to the Guest. This function test token value of struct\nkvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a\nREADY event is finished by Guest. If value is zero meaning that a READY\nevent is done, so the KVM can deliver another.\nBut the kvm_arch_setup_async_pf() may produce a valid token with zero\nvalue, which is confused with previous mention and may lead the loss of\nthis READY event.\n\nThis bug may cause task blocked forever in Guest:\n INFO: task stress:7532 blocked for more than 1254 seconds.\n       Not tainted 5.10.0 #16\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:stress          state:D stack:    0 pid: 7532 ppid:  1409\n flags:0x00000080\n Call Trace:\n  __schedule+0x1e7/0x650\n  schedule+0x46/0xb0\n  kvm_async_pf_task_wait_schedule+0xad/0xe0\n  ? exit_to_user_mode_prepare+0x60/0x70\n  __kvm_handle_async_pf+0x4f/0xb0\n  ? asm_exc_page_fault+0x8/0x30\n  exc_page_fault+0x6f/0x110\n  ? asm_exc_page_fault+0x8/0x30\n  asm_exc_page_fault+0x1e/0x30\n RIP: 0033:0x402d00\n RSP: 002b:00007ffd31912500 EFLAGS: 00010206\n RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0\n RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0\n RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086\n R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000\n R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48943",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix yet more sched_fork() races\n\nWhere commit 4ef0c5c6b5ba (\"kernel/sched: Fix sched_fork() access an\ninvalid sched_task_group\") fixed a fork race vs cgroup, it opened up a\nrace vs syscalls by not placing the task on the runqueue before it\ngets exposed through the pidhash.\n\nCommit 13765de8148f (\"sched/fair: Fix fault in reweight_entity\") is\ntrying to fix a single instance of this, instead fix the whole class\nof issues, effectively reverting this commit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48944",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17"
        },
        {
          "id": "CVE-2022-48945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: fix compose size exceed boundary\n\nsyzkaller found a bug:\n\n BUG: unable to handle page fault for address: ffffc9000a3b1000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0\n Oops: 0002 [#1] PREEMPT SMP\n CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n RIP: 0010:memcpy_erms+0x6/0x10\n[...]\n Call Trace:\n  <TASK>\n  ? tpg_fill_plane_buffer+0x856/0x15b0\n  vivid_fillbuff+0x8ac/0x1110\n  vivid_thread_vid_cap_tick+0x361/0xc90\n  vivid_thread_vid_cap+0x21a/0x3a0\n  kthread+0x143/0x180\n  ret_from_fork+0x1f/0x30\n  </TASK>\n\nThis is because we forget to check boundary after adjust compose->height\nint V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem\nfor this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix preallocation discarding at indirect extent boundary\n\nWhen preallocation extent is the first one in the extent block, the\ncode would corrupt extent tree header instead. Fix the problem and use\nudf_delete_aext() for deleting extent to avoid some code duplication.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix u8 overflow\n\nBy keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases\nmultiple times and eventually it will wrap around the maximum number\n(i.e., 255).\nThis patch prevents this by adding a boundary check with\nL2CAP_MAX_CONF_RSP\n\nBtmon log:\nBluetooth monitor ver 5.64\n= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594\n= Note: Bluetooth subsystem version 2.22                               0.264636\n@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191\n= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604\n@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741\n= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426\n(...)\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106\n        invalid packet size (12 != 1033)\n        08 00 01 00 02 01 04 00 01 10 ff ff              ............\n> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561\n        invalid packet size (14 != 1547)\n        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390\n        invalid packet size (16 != 2061)\n        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932\n        invalid packet size (16 != 2061)\n        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......\n= bluetoothd: Bluetooth daemon 5.43                                   14.401828\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753\n        invalid packet size (12 != 1033)\n        08 00 01 00 04 01 04 00 40 00 00 00              ........@...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Prevent buffer overflow in setup handler\n\nSetup function uvc_function_setup permits control transfer\nrequests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),\ndata stage handler for OUT transfer uses memcpy to copy req->actual\nbytes to uvc_event->data.data array of size 60. This may result\nin an overflow of 4 bytes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Initialize mailbox message for VF reset\n\nWhen a MAC address is not assigned to the VF, that portion of the message\nsent to the VF is not set. The memory, however, is allocated from the\nstack meaning that information may be leaked to the VM. Initialize the\nmessage buffer to 0 so that no information is passed to the VM in this\ncase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.14"
        },
        {
          "id": "CVE-2022-48951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()\n\nThe bounds checks in snd_soc_put_volsw_sx() are only being applied to the\nfirst channel, meaning it is possible to write out of bounds values to the\nsecond channel in stereo controls. Add appropriate checks.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: mt7621: Add sentinel to quirks table\n\nCurrent driver is missing a sentinel in the struct soc_device_attribute\narray, which causes an oops when assessed by the\nsoc_device_match(mt7621_pcie_quirks_match) call.\n\nThis was only exposed once the CONFIG_SOC_MT7621 mt7621 soc_dev_attr\nwas fixed to register the SOC as a device, in:\n\ncommit 7c18b64bba3b (\"mips: ralink: mt7621: do not use kzalloc too early\")\n\nFix it by adding the required sentinel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-48953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: cmos: Fix event handler registration ordering issue\n\nBecause acpi_install_fixed_event_handler() enables the event\nautomatically on success, it is incorrect to call it before the\nhandler routine passed to it is ready to handle events.\n\nUnfortunately, the rtc-cmos driver does exactly the incorrect thing\nby calling cmos_wake_setup(), which passes rtc_handler() to\nacpi_install_fixed_event_handler(), before cmos_do_probe(), because\nrtc_handler() uses dev_get_drvdata() to get to the cmos object\npointer and the driver data pointer is only populated in\ncmos_do_probe().\n\nThis leads to a NULL pointer dereference in rtc_handler() on boot\nif the RTC fixed event happens to be active at the init time.\n\nTo address this issue, change the initialization ordering of the\ndriver so that cmos_wake_setup() is always called after a successful\ncmos_do_probe() call.\n\nWhile at it, change cmos_pnp_probe() to call cmos_do_probe() after\nthe initial if () statement used for computing the IRQ argument to\nbe passed to cmos_do_probe() which is cleaner than calling it in\neach branch of that if () (local variable \"irq\" can be of type int,\nbecause it is passed to that function as an argument of type int).\n\nNote that commit 6492fed7d8c9 (\"rtc: rtc-cmos: Do not check\nACPI_FADT_LOW_POWER_S0\") caused this issue to affect a larger number\nof systems, because previously it only affected systems with\nACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that\ncommit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: fix use-after-free in hsci\n\nKASAN found that addr was dereferenced after br2dev_event_work was freed.\n\n==================================================================\nBUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0\nRead of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540\nCPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1\nHardware name: IBM 8561 T01 703 (LPAR)\nWorkqueue: 0.0.8000_event qeth_l2_br2dev_worker\nCall Trace:\n [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8\n [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0\n [<000000016942d118>] print_report+0x110/0x1f8\n [<0000000167a7bd04>] kasan_report+0xfc/0x128\n [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0\n [<00000001673edd1e>] process_one_work+0x76e/0x1128\n [<00000001673ee85c>] worker_thread+0x184/0x1098\n [<000000016740718a>] kthread+0x26a/0x310\n [<00000001672c606a>] __ret_from_fork+0x8a/0xe8\n [<00000001694711da>] ret_from_fork+0xa/0x40\nAllocated by task 108338:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n __kasan_kmalloc+0xa0/0xc0\n qeth_l2_switchdev_event+0x25a/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nFreed by task 540:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n kasan_save_free_info+0x4c/0x68\n ____kasan_slab_free+0x14e/0x1a8\n __kasan_slab_free+0x24/0x30\n __kmem_cache_free+0x168/0x338\n qeth_l2_br2dev_worker+0x154/0x6b0\n process_one_work+0x76e/0x1128\n worker_thread+0x184/0x1098\n kthread+0x26a/0x310\n __ret_from_fork+0x8a/0xe8\n ret_from_fork+0xa/0x40\nLast potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n insert_work+0x56/0x2e8\n __queue_work+0x4ce/0xd10\n queue_work_on+0xf4/0x100\n qeth_l2_switchdev_event+0x520/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nSecond to last potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n kvfree_call_rcu+0xb2/0x760\n kernfs_unlink_open_file+0x348/0x430\n kernfs_fop_release+0xc2/0x320\n __fput+0x1ae/0x768\n task_work_run+0x1bc/0x298\n exit_to_user_mode_prepare+0x1a0/0x1a8\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nThe buggy address belongs to the object at 00000000fdcea400\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 64 bytes inside of\n 96-byte region [00000000fdcea400, 00000000fdcea460)\nThe buggy address belongs to the physical page:\npage:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea\nflags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)\nraw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00\nraw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n 00000000fdcea380: fb fb fb fb fb fb f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: thunderbolt: fix memory leak in tbnet_open()\n\nWhen tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in\ntb_xdomain_alloc_out_hopid() is not released. Add\ntb_xdomain_release_out_hopid() to the error path to release ida.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid use-after-free in ip6_fragment()\n\nBlamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.\n\nIt seems to not be always true, at least for UDP stack.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]\nBUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\nRead of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618\n\nCPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x45d mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n ip6_dst_idev include/net/ip6_fib.h:245 [inline]\n ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\n __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]\n ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206\n NF_HOOK_COND include/linux/netfilter.h:291 [inline]\n ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227\n dst_output include/net/dst.h:445 [inline]\n ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161\n ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966\n udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286\n udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313\n udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0xd3/0x120 net/socket.c:734\n sock_write_iter+0x295/0x3d0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2191 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x9ed/0xdd0 fs/read_write.c:584\n ksys_write+0x1ec/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fde3588c0d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9\nRDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a\nRBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000\n </TASK>\n\nAllocated by task 7618:\n kasan_save_stack+0x22/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422\n dst_alloc+0x14a/0x1f0 net/core/dst.c:92\n ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344\n ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]\n rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]\n ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254\n pol_lookup_func include/net/ip6_fib.h:582 [inline]\n fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625\n ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638\n ip6_route_output include/net/ip6_route.h:98 [inline]\n ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092\n ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222\n ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260\n udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec n\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()\n\nThe cmd_buff needs to be freed when error happened in\ndpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet: aeroflex: fix potential skb leak in greth_init_rings()\n\nThe greth_init_rings() function won't free the newly allocated skb when\ndma_mapping_error() returns error, so add dev_kfree_skb() to fix it.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()\n\nWhen dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),\npriv->regions is not released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hisilicon: Fix potential use-after-free in hix5hd2_rx()\n\nThe skb is delivered to napi_gro_receive() which may free it, after\ncalling this, dereferencing skb may trigger use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: fix unbalanced fwnode reference count in mdio_device_release()\n\nThere is warning report about of_node refcount leak\nwhile probing mdio device:\n\nOF: ERROR: memory leak, expected refcount 1 instead of 2,\nof_node_get()/of_node_put() unbalanced - destroy cset entry:\nattach overlay node /spi/soc@0/mdio@710700c0/ethernet@4\n\nIn of_mdiobus_register_device(), we increase fwnode refcount\nby fwnode_handle_get() before associating the of_node with\nmdio device, but it has never been decreased in normal path.\nSince that, in mdio_device_release(), it needs to call\nfwnode_handle_put() in addition instead of calling kfree()\ndirectly.\n\nAfter above, just calling mdio_device_free() in the error handle\npath of of_mdiobus_register_device() is enough to keep the\nrefcount balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hisilicon: Fix potential use-after-free in hisi_femac_rx()\n\nThe skb is delivered to napi_gro_receive() which may free it, after\ncalling this, dereferencing skb may trigger use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix memory leak in ipc_mux_init()\n\nWhen failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux\nis not released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix potential use-after-free in ravb_rx_gbeth()\n\nThe skb is delivered to napi_gro_receive() which may free it, after calling this,\ndereferencing skb may trigger use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio/rockchip: fix refcount leak in rockchip_gpiolib_register()\n\nThe node returned by of_get_parent() with refcount incremented,\nof_node_put() needs be called when finish using it. So add it in the\nend of of_pinctrl_get().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvneta: Prevent out of bounds read in mvneta_config_rss()\n\nThe pp->indir[0] value comes from the user.  It is passed to:\n\n\tif (cpu_online(pp->rxq_def))\n\ninside the mvneta_percpu_elect() function.  It needs bounds checking\nto ensure that it is not beyond the end of the cpu bitmap.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Bounds check struct nfc_target arrays\n\nWhile running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:\n\n  memcpy: detected field-spanning write (size 129) of single field \"target->sensf_res\" at net/nfc/nci/ntf.c:260 (size 18)\n\nThis appears to be a legitimate lack of bounds checking in\nnci_add_new_protocol(). Add the missing checks.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential memory leak in otx2_init_tc()\n\nIn otx2_init_tc(), if rhashtable_init() failed, it does not free\ntc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Fix NULL sring after live migration\n\nA NAPI is setup for each network sring to poll data to kernel\nThe sring with source host is destroyed before live migration and\nnew sring with target host is setup after live migration.\nThe NAPI for the old sring is not deleted until setup new sring\nwith target host after migration. With busy_poll/busy_read enabled,\nthe NAPI can be polled before got deleted when resume VM.\n\nBUG: unable to handle kernel NULL pointer dereference at\n0000000000000008\nIP: xennet_poll+0xae/0xd20\nPGD 0 P4D 0\nOops: 0000 [#1] SMP PTI\nCall Trace:\n finish_task_switch+0x71/0x230\n timerqueue_del+0x1d/0x40\n hrtimer_try_to_cancel+0xb5/0x110\n xennet_alloc_rx_buffers+0x2a0/0x2a0\n napi_busy_loop+0xdb/0x270\n sock_poll+0x87/0x90\n do_sys_poll+0x26f/0x580\n tracing_map_insert+0x1d4/0x2f0\n event_hist_trigger+0x14a/0x260\n\n finish_task_switch+0x71/0x230\n __schedule+0x256/0x890\n recalc_sigpending+0x1b/0x50\n xen_sched_clock+0x15/0x20\n __rb_reserve_next+0x12d/0x140\n ring_buffer_lock_reserve+0x123/0x3d0\n event_triggers_call+0x87/0xb0\n trace_event_buffer_commit+0x1c4/0x210\n xen_clocksource_get_cycles+0x15/0x20\n ktime_get_ts64+0x51/0xf0\n SyS_ppoll+0x160/0x1a0\n SyS_ppoll+0x160/0x1a0\n do_syscall_64+0x73/0x130\n entry_SYSCALL_64_after_hwframe+0x41/0xa6\n...\nRIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900\nCR2: 0000000000000008\n---[ end trace f8601785b354351c ]---\n\nxen frontend should remove the NAPIs for the old srings before live\nmigration as the bond srings are destroyed\n\nThere is a tiny window between the srings are set to NULL and\nthe NAPIs are disabled, It is safe as the NAPI threads are still\nfrozen at that time",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Get user_ns from in_skb in unix_diag_get_exact().\n\nWei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed\nthe root cause: in unix_diag_get_exact(), the newly allocated skb does not\nhave sk. [2]\n\nWe must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to\nsk_diag_fill().\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000270\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:sk_user_ns include/net/sock.h:920 [inline]\nRIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]\nRIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170\nCode: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8\n54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b\n9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d\nRSP: 0018:ffffc90000d67968 EFLAGS: 00010246\nRAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d\nRDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270\nRBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000\nR10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800\nR13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940\nFS:  00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n unix_diag_get_exact net/unix/diag.c:285 [inline]\n unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317\n __sock_diag_cmd net/core/sock_diag.c:235 [inline]\n sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266\n netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2476\n ___sys_sendmsg net/socket.c:2530 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2559\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x4697f9\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9\nRDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003\nRBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80\nR13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0\n </TASK>\nModules linked in:\nCR2: 0000000000000270\n\n[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\n[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix not cleanup led when bt_init fails\n\nbt_init() calls bt_leds_init() to register led, but if it fails later,\nbt_leds_cleanup() is not called to unregister it.\n\nThis can cause panic if the argument \"bluetooth-power\" in text is freed\nand then another led_trigger_register() tries to access it:\n\nBUG: unable to handle page fault for address: ffffffffc06d3bc0\nRIP: 0010:strcmp+0xc/0x30\n  Call Trace:\n    <TASK>\n    led_trigger_register+0x10d/0x4f0\n    led_trigger_register_simple+0x7d/0x100\n    bt_init+0x39/0xf7 [bluetooth]\n    do_one_initcall+0xd0/0x4e0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()\n\nKernel fault injection test reports null-ptr-deref as follows:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nRIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114\nCall Trace:\n <TASK>\n raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87\n call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944\n unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982\n unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879\n register_netdevice+0x9a8/0xb90 net/core/dev.c:10083\n ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659\n ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229\n mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316\n\nieee802154_if_add() allocates wpan_dev as netdev's private data, but not\ninit the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage\nthe list when device register/unregister, and may lead to null-ptr-deref.\n\nUse INIT_LIST_HEAD() on it to initialize it correctly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: amd8111: Fix PCI device reference count leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL\ninput parameter, there is no problem for the 'Device not found' branch.\nFor the normal path, add pci_dev_put() in amd_gpio_exit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: fix using __this_cpu_add in preemptible\n\nCurrently in nf_conntrack_hash_check_insert(), when it fails in\nnf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the\npreemptible context, a call trace can be triggered:\n\n   BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636\n   caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]\n   Call Trace:\n    <TASK>\n    dump_stack_lvl+0x33/0x46\n    check_preemption_disabled+0xc3/0xf0\n    nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]\n    ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]\n    ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]\n    nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]\n    netlink_rcv_skb+0x50/0x100\n    nfnetlink_rcv+0x65/0x144 [nfnetlink]\n    netlink_unicast+0x1ae/0x290\n    netlink_sendmsg+0x257/0x4f0\n    sock_sendmsg+0x5f/0x70\n\nThis patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for\nnf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),\nas well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().\n\nNote that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is\nsafe to use NF_CT_STAT_INC(), as it's under local_bh_disable().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix memory leak in gpiochip_setup_dev()\n\nHere is a backtrace report about memory leak detected in\ngpiochip_setup_dev():\n\nunreferenced object 0xffff88810b406400 (size 512):\n  comm \"python3\", pid 1682, jiffies 4295346908 (age 24.090s)\n  backtrace:\n    kmalloc_trace\n    device_add\t\tdevice_private_init at drivers/base/core.c:3361\n\t\t\t(inlined by) device_add at drivers/base/core.c:3411\n    cdev_device_add\n    gpiolib_cdev_register\n    gpiochip_setup_dev\n    gpiochip_add_data_with_key\n\ngcdev_register() & gcdev_unregister() would call device_add() &\ndevice_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to\nregister/unregister device.\n\nHowever, if device_add() succeeds, some resource (like\nstruct device_private allocated by device_private_init())\nis not released by device_del().\n\nTherefore, after device_add() succeeds by gcdev_register(), it\nneeds to call put_device() to release resource in the error handle\npath.\n\nHere we move forward the register of release function, and let it\nrelease every piece of resource by put_device() instead of kfree().\n\nWhile at it, fix another subtle issue, i.e. when gc->ngpio is equal\nto 0, we still call kcalloc() and, in case of further error, kfree()\non the ZERO_PTR pointer, which is not NULL. It's not a bug per se,\nbut rather waste of the resources and potentially wrong expectation\nabout contents of the gdev->descs variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable_offload: fix using __this_cpu_add in preemptible\n\nflow_offload_queue_work() can be called in workqueue without\nbh disabled, like the call trace showed in my act_ct testing,\ncalling NF_FLOW_TABLE_STAT_INC() there would cause a call\ntrace:\n\n  BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560\n  caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\n  Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x33/0x46\n   check_preemption_disabled+0xc3/0xf0\n   flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\n   nf_flow_table_iterate+0x138/0x170 [nf_flow_table]\n   nf_flow_table_free+0x140/0x1a0 [nf_flow_table]\n   tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]\n   process_one_work+0x6a3/0x1030\n   worker_thread+0x8a/0xdf0\n\nThis patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()\ninstead in flow_offload_queue_work().\n\nNote that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),\nit may not be called in preemptible path, but it's good to use\nNF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in\nflow_offload_queue_work().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: af_can: fix NULL pointer dereference in can_rcv_filter\n\nAnalogue to commit 8aa59e355949 (\"can: af_can: fix NULL pointer\ndereference in can_rx_register()\") we need to check for a missing\ninitialization of ml_priv in the receive path of CAN frames.\n\nSince commit 4e096a18867a (\"net: introduce CAN specific pointer in the\nstruct net_device\") the check for dev->type to be ARPHRD_CAN is not\nsufficient anymore since bonding or tun netdevices claim to be CAN\ndevices but do not initialize ml_priv accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: fix shift-out-of-bounds in hid_report_raw_event\n\nSyzbot reported shift-out-of-bounds in hid_report_raw_event.\n\nmicrosoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >\n32! (swapper/0)\n======================================================================\nUBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20\nshift exponent 127 is too large for 32-bit type 'int'\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted\n6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/26/2022\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322\n snto32 drivers/hid/hid-core.c:1323 [inline]\n hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]\n hid_process_report drivers/hid/hid-core.c:1665 [inline]\n hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998\n hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066\n hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284\n __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671\n dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988\n call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers+0x76a/0x980 kernel/time/timer.c:1790\n run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803\n __do_softirq+0x277/0x75b kernel/softirq.c:571\n __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107\n======================================================================\n\nIf the size of the integer (unsigned n) is bigger than 32 in snto32(),\nshift exponent will be too large for 32-bit type 'int', resulting in a\nshift-out-of-bounds bug.\nFix this by adding a check on the size of the integer (unsigned n) in\nsnto32(). To add support for n greater than 32 bits, set n to 32, if n\nis greater than 32.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix array index out of bound error in DCN32 DML\n\n[Why&How]\nLinkCapacitySupport array is indexed with the number of voltage states and\nnot the number of max DPPs. Fix the error by changing the array\ndeclaration to use the correct (larger) array size of total number of\nvoltage states.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\n\nThe SJA1105 family has 45 L2 policing table entries\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\naccounting for the difference in port count (5 in SJA1105 vs 10 in\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\nhas L2 ingress policers for multicast traffic. If a packet is classified\nas multicast, it will be processed by the policer index 99 + SRCPORT.\n\nThe sja1105_init_l2_policing() function initializes all L2 policers such\nthat they don't interfere with normal packet reception by default. To have\na common code between SJA1105 and SJA1110, the index of the multicast\npolicer for the port is calculated because it's an index that is out of\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\nperformed.\n\nThe code fails to do the proper thing when determining what to do with the\nmulticast policer of port 0 on SJA1105 (ds->num_ports = 5). The \"mcast\"\nindex will be equal to 45, which is also equal to\ntable->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\nthrough the check. But at the same time, SJA1105 doesn't have multicast\npolicers. So the code programs the SHARINDX field of an out-of-bounds\nelement in the L2 Policing table of the static config.\n\nThe comparison between index 45 and 45 entries should have determined the\ncode to not access this policer index on SJA1105, since its memory wasn't\neven allocated.\n\nWith enough bad luck, the out-of-bounds write could even overwrite other\nvalid kernel data, but in this case, the issue was detected using KASAN.\n\nKernel log:\n\nsja1105 spi5.0: Probed switch chip: SJA1105Q\n==================================================================\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\n...\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n...\nsja1105_setup+0x1cbc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n...\nAllocated by task 8:\n...\nsja1105_setup+0x1bcc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Remove errant put in error path\n\ndrm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM\nobject getting prematurely freed leading to a later use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix crash when replugging CSR fake controllers\n\nIt seems fake CSR 5.0 clones can cause the suspend notifier to be\nregistered twice causing the following kernel panic:\n\n[   71.986122] Call Trace:\n[   71.986124]  <TASK>\n[   71.986125]  blocking_notifier_chain_register+0x33/0x60\n[   71.986130]  hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]\n[   71.986154]  btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]\n[   71.986159]  ? __pm_runtime_set_status+0x1a9/0x300\n[   71.986162]  ? ktime_get_mono_fast_ns+0x3e/0x90\n[   71.986167]  usb_probe_interface+0xe3/0x2b0\n[   71.986171]  really_probe+0xdb/0x380\n[   71.986174]  ? pm_runtime_barrier+0x54/0x90\n[   71.986177]  __driver_probe_device+0x78/0x170\n[   71.986180]  driver_probe_device+0x1f/0x90\n[   71.986183]  __device_attach_driver+0x89/0x110\n[   71.986186]  ? driver_allows_async_probing+0x70/0x70\n[   71.986189]  bus_for_each_drv+0x8c/0xe0\n[   71.986192]  __device_attach+0xb2/0x1e0\n[   71.986195]  bus_probe_device+0x92/0xb0\n[   71.986198]  device_add+0x422/0x9a0\n[   71.986201]  ? sysfs_merge_group+0xd4/0x110\n[   71.986205]  usb_set_configuration+0x57a/0x820\n[   71.986208]  usb_generic_driver_probe+0x4f/0x70\n[   71.986211]  usb_probe_device+0x3a/0x110\n[   71.986213]  really_probe+0xdb/0x380\n[   71.986216]  ? pm_runtime_barrier+0x54/0x90\n[   71.986219]  __driver_probe_device+0x78/0x170\n[   71.986221]  driver_probe_device+0x1f/0x90\n[   71.986224]  __device_attach_driver+0x89/0x110\n[   71.986227]  ? driver_allows_async_probing+0x70/0x70\n[   71.986230]  bus_for_each_drv+0x8c/0xe0\n[   71.986232]  __device_attach+0xb2/0x1e0\n[   71.986235]  bus_probe_device+0x92/0xb0\n[   71.986237]  device_add+0x422/0x9a0\n[   71.986239]  ? _dev_info+0x7d/0x98\n[   71.986242]  ? blake2s_update+0x4c/0xc0\n[   71.986246]  usb_new_device.cold+0x148/0x36d\n[   71.986250]  hub_event+0xa8a/0x1910\n[   71.986255]  process_one_work+0x1c4/0x380\n[   71.986259]  worker_thread+0x51/0x390\n[   71.986262]  ? rescuer_thread+0x3b0/0x3b0\n[   71.986264]  kthread+0xdb/0x110\n[   71.986266]  ? kthread_complete_and_exit+0x20/0x20\n[   71.986268]  ret_from_fork+0x1f/0x30\n[   71.986273]  </TASK>\n[   71.986274] ---[ end trace 0000000000000000 ]---\n[   71.986284] btusb: probe of 2-1.6:1.0 failed with error -17",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\n\nSyzkaller reports a NULL deref bug as follows:\n\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\n Read of size 4 at addr 0000000000000138 by task file1/1955\n\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0xcd/0x134\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_report+0xbb/0x1f0\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_check_range+0x140/0x190\n  io_tctx_exit_cb+0x53/0xd3\n  task_work_run+0x164/0x250\n  ? task_work_cancel+0x30/0x30\n  get_signal+0x1c3/0x2440\n  ? lock_downgrade+0x6e0/0x6e0\n  ? lock_downgrade+0x6e0/0x6e0\n  ? exit_signals+0x8b0/0x8b0\n  ? do_raw_read_unlock+0x3b/0x70\n  ? do_raw_spin_unlock+0x50/0x230\n  arch_do_signal_or_restart+0x82/0x2470\n  ? kmem_cache_free+0x260/0x4b0\n  ? putname+0xfe/0x140\n  ? get_sigframe_size+0x10/0x10\n  ? do_execveat_common.isra.0+0x226/0x710\n  ? lockdep_hardirqs_on+0x79/0x100\n  ? putname+0xfe/0x140\n  ? do_execveat_common.isra.0+0x238/0x710\n  exit_to_user_mode_prepare+0x15f/0x250\n  syscall_exit_to_user_mode+0x19/0x50\n  do_syscall_64+0x42/0xb0\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0023:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  </TASK>\n Kernel panic - not syncing: panic_on_warn set ...\n\nThis happens because the adding of task_work from io_ring_exit_work()\nisn't synchronized with canceling all work items from eg exec. The\nexecution of the two are ordered in that they are both run by the task\nitself, but if io_tctx_exit_cb() is queued while we're canceling all\nwork items off exec AND gets executed when the task exits to userspace\nrather than in the main loop in io_uring_cancel_generic(), then we can\nfind current->io_uring == NULL and hit the above crash.\n\nIt's safe to add this NULL check here, because the execution of the two\npaths are done by the task itself.\n\n[axboe: add code comment and also put an explanation in the commit msg]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: slcan: fix freed work crash\n\nThe LTP test pty03 is causing a crash in slcan:\n  BUG: kernel NULL pointer dereference, address: 0000000000000008\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n  Workqueue:  0x0 (events)\n  RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)\n  Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e\n  RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968\n  RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0\n  RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734\n  R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000\n  R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0\n  FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n  worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)\n  kthread (/home/rich/kernel/linux/kernel/kthread.c:376)\n  ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)\n\nApparently, the slcan's tx_work is freed while being scheduled. While\nslcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),\nslcan_close() (tty side) does not. So when the netdev is never set UP,\nbut the tty is stuffed with bytes and forced to wakeup write, the work\nis scheduled, but never flushed.\n\nSo add an additional flush_work() to slcan_close() to be sure the work\nis flushed under all circumstances.\n\nThe Fixes commit below moved flush_work() from slcan_close() to\nslcan_netdev_close(). What was the rationale behind it? Maybe we can\ndrop the one in slcan_netdev_close()?\n\nI see the same pattern in can327. So it perhaps needs the very same fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix race on per-CQ variable napi work_done\n\nAfter calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be\ncleared, and another CPU can start napi thread and access per-CQ variable,\ncq->work_done. If the other thread (for example, from busy_poll) sets\nit to a value >= budget, this thread will continue to run when it should\nstop, and cause memory corruption and panic.\n\nTo fix this issue, save the per-CQ work_done variable in a local variable\nbefore napi_complete_done(), so it won't be corrupted by a possible\nconcurrent thread after napi_complete_done().\n\nAlso, add a flag bit to advertise to the NIC firmware: the NAPI work_done\nvariable race is fixed, so the driver is able to reliably support features\nlike busy_poll.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix gup_pud_range() for dax\n\nFor dax pud, pud_huge() returns true on x86. So the function works as long\nas hugetlb is configured. However, dax doesn't depend on hugetlb.\nCommit 414fd080d125 (\"mm/gup: fix gup_pmd_range() for dax\") fixed\ndevmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as\nwell.\n\nThis fixes the below kernel panic:\n\ngeneral protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP\n\t< snip >\nCall Trace:\n<TASK>\nget_user_pages_fast+0x1f/0x40\niov_iter_get_pages+0xc6/0x3b0\n? mempool_alloc+0x5d/0x170\nbio_iov_iter_get_pages+0x82/0x4e0\n? bvec_alloc+0x91/0xc0\n? bio_alloc_bioset+0x19a/0x2a0\nblkdev_direct_IO+0x282/0x480\n? __io_complete_rw_common+0xc0/0xc0\n? filemap_range_has_page+0x82/0xc0\ngeneric_file_direct_write+0x9d/0x1a0\n? inode_update_time+0x24/0x30\n__generic_file_write_iter+0xbd/0x1e0\nblkdev_write_iter+0xb4/0x150\n? io_import_iovec+0x8d/0x340\nio_write+0xf9/0x300\nio_issue_sqe+0x3c3/0x1d30\n? sysvec_reschedule_ipi+0x6c/0x80\n__io_queue_sqe+0x33/0x240\n? fget+0x76/0xa0\nio_submit_sqes+0xe6a/0x18d0\n? __fget_light+0xd1/0x100\n__x64_sys_io_uring_enter+0x199/0x880\n? __context_tracking_enter+0x1f/0x70\n? irqentry_exit_to_user_mode+0x24/0x30\n? irqentry_exit+0x1d/0x30\n? __context_tracking_exit+0xe/0x70\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fc97c11a7be\n\t< snip >\n</TASK>\n---[ end trace 48b2e0e67debcaeb ]---\nRIP: 0010:internal_get_user_pages_fast+0x340/0x990\n\t< snip >\nKernel panic - not syncing: Fatal exception\nKernel Offset: disabled",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-dv-timings.c: fix too strict blanking sanity checks\n\nSanity checks were added to verify the v4l2_bt_timings blanking fields\nin order to avoid integer overflows when userspace passes weird values.\n\nBut that assumed that userspace would correctly fill in the front porch,\nbackporch and sync values, but sometimes all you know is the total\nblanking, which is then assigned to just one of these fields.\n\nAnd that can fail with these checks.\n\nSo instead set a maximum for the total horizontal and vertical\nblanking and check that each field remains below that.\n\nThat is still sufficient to avoid integer overflows, but it also\nallows for more flexibility in how userspace fills in these fields.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.13"
        },
        {
          "id": "CVE-2022-48988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: fix possible use-after-free in memcg_write_event_control()\n\nmemcg_write_event_control() accesses the dentry->d_name of the specified\ncontrol fd to route the write call.  As a cgroup interface file can't be\nrenamed, it's safe to access d_name as long as the specified file is a\nregular cgroup file.  Also, as these cgroup interface files can't be\nremoved before the directory, it's safe to access the parent too.\n\nPrior to 347c4a874710 (\"memcg: remove cgroup_event->cft\"), there was a\ncall to __file_cft() which verified that the specified file is a regular\ncgroupfs file before further accesses.  The cftype pointer returned from\n__file_cft() was no longer necessary and the commit inadvertently dropped\nthe file type check with it allowing any file to slip through.  With the\ninvarients broken, the d_name and parent accesses can now race against\nrenames and removals of arbitrary files and cause use-after-free's.\n\nFix the bug by resurrecting the file type check in __file_cft().  Now that\ncgroupfs is implemented through kernfs, checking the file operations needs\nto go through a layer of indirection.  Instead, let's check the superblock\nand dentry type.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Fix oops due to race with cookie_lru and use_cookie\n\nIf a cookie expires from the LRU and the LRU_DISCARD flag is set, but\nthe state machine has not run yet, it's possible another thread can call\nfscache_use_cookie and begin to use it.\n\nWhen the cookie_worker finally runs, it will see the LRU_DISCARD flag\nset, transition the cookie->state to LRU_DISCARDING, which will then\nwithdraw the cookie.  Once the cookie is withdrawn the object is removed\nthe below oops will occur because the object associated with the cookie\nis now NULL.\n\nFix the oops by clearing the LRU_DISCARD bit if another thread uses the\ncookie before the cookie_worker runs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000008\n  ...\n  CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G     E    6.0.0-5.dneg.x86_64 #1\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\n  Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]\n  RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]\n  ...\n  Call Trace:\n    netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]\n    process_one_work+0x217/0x3e0\n    worker_thread+0x4a/0x3b0\n    kthread+0xd6/0x100",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free during gpu recovery\n\n[Why]\n    [  754.862560] refcount_t: underflow; use-after-free.\n    [  754.862898] Call Trace:\n    [  754.862903]  <TASK>\n    [  754.862913]  amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]\n    [  754.863543]  drm_sched_main.cold+0x34/0x39 [amd_sched]\n\n[How]\n    The fw_fence may be not init, check whether dma_fence_init\n    is performed before job free",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: invoke MMU notifiers in shmem/file collapse paths\n\nAny codepath that zaps page table entries must invoke MMU notifiers to\nensure that secondary MMUs (like KVM) don't keep accessing pages which\naren't mapped anymore.  Secondary MMUs don't hold their own references to\npages that are mirrored over, so failing to notify them can lead to page\nuse-after-free.\n\nI'm marking this as addressing an issue introduced in commit f3f0e1d2150b\n(\"khugepaged: add support of collapse for tmpfs/shmem pages\"), but most of\nthe security impact of this only came in commit 27e1f8273113 (\"khugepaged:\nenable collapse pmd for pte-mapped THP\"), which actually omitted flushes\nfor the removal of present PTEs, not just for the removal of empty page\ntables.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-pcm: Add NULL check in BE reparenting\n\nAdd NULL check in dpcm_be_reparent API, to handle\nkernel NULL pointer dereference error.\nThe issue occurred in fuzzing test.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed.\n\nseq_copy_in_user() and seq_copy_in_kernel() did not have prototypes\nmatching snd_seq_dump_func_t. Adjust this and remove the casts. There\nare not resulting binary output differences.\n\nThis was found as a result of Clang's new -Wcast-function-type-strict\nflag, which is more sensitive than the simpler -Wcast-function-type,\nwhich only checks for type width mismatches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: raydium_ts_i2c - fix memory leak in raydium_i2c_send()\n\nThere is a kmemleak when test the raydium_i2c_ts with bpf mock device:\n\n  unreferenced object 0xffff88812d3675a0 (size 8):\n    comm \"python3\", pid 349, jiffies 4294741067 (age 95.695s)\n    hex dump (first 8 bytes):\n      11 0e 10 c0 01 00 04 00                          ........\n    backtrace:\n      [<0000000068427125>] __kmalloc+0x46/0x1b0\n      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]\n      [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]\n      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]\n      [<00000000a310de16>] i2c_device_probe+0x651/0x680\n      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0\n      [<00000000096ba499>] __driver_probe_device+0xe3/0x170\n      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120\n      [<00000000264fe082>] __device_attach_driver+0xf7/0x150\n      [<00000000f919423c>] bus_for_each_drv+0x114/0x180\n      [<00000000e067feca>] __device_attach+0x1e5/0x2d0\n      [<0000000054301fc2>] bus_probe_device+0x126/0x140\n      [<00000000aad93b22>] device_add+0x810/0x1130\n      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0\n      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110\n      [<00000000ffec4177>] of_i2c_notify+0x100/0x160\n  unreferenced object 0xffff88812d3675c8 (size 8):\n    comm \"python3\", pid 349, jiffies 4294741070 (age 95.692s)\n    hex dump (first 8 bytes):\n      22 00 36 2d 81 88 ff ff                          \".6-....\n    backtrace:\n      [<0000000068427125>] __kmalloc+0x46/0x1b0\n      [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]\n      [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]\n      [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]\n      [<00000000a310de16>] i2c_device_probe+0x651/0x680\n      [<00000000f5a96bf3>] really_probe+0x17c/0x3f0\n      [<00000000096ba499>] __driver_probe_device+0xe3/0x170\n      [<00000000c5acb4d9>] driver_probe_device+0x49/0x120\n      [<00000000264fe082>] __device_attach_driver+0xf7/0x150\n      [<00000000f919423c>] bus_for_each_drv+0x114/0x180\n      [<00000000e067feca>] __device_attach+0x1e5/0x2d0\n      [<0000000054301fc2>] bus_probe_device+0x126/0x140\n      [<00000000aad93b22>] device_add+0x810/0x1130\n      [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0\n      [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110\n      [<00000000ffec4177>] of_i2c_notify+0x100/0x160\n\nAfter BANK_SWITCH command from i2c BUS, no matter success or error\nhappened, the tx_buf should be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()\n\nCommit da87878010e5 (\"mm/damon/sysfs: support online inputs update\") made\n'damon_sysfs_set_schemes()' to be called for running DAMON context, which\ncould have schemes.  In the case, DAMON sysfs interface is supposed to\nupdate, remove, or add schemes to reflect the sysfs files.  However, the\ncode is assuming the DAMON context wouldn't have schemes at all, and\ntherefore creates and adds new schemes.  As a result, the code doesn't\nwork as intended for online schemes tuning and could have more than\nexpected memory footprint.  The schemes are all in the DAMON context, so\nit doesn't leak the memory, though.\n\nRemove the wrong asssumption (the DAMON context wouldn't have schemes) in\n'damon_sysfs_set_schemes()' to fix the bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: tpm: Protect tpm_pm_suspend with locks\n\nCurrently tpm transactions are executed unconditionally in\ntpm_pm_suspend() function, which may lead to races with other tpm\naccessors in the system.\n\nSpecifically, the hw_random tpm driver makes use of tpm_get_random(),\nand this function is called in a loop from a kthread, which means it's\nnot frozen alongside userspace, and so can race with the work done\nduring system suspend:\n\n  tpm tpm0: tpm_transmit: tpm_recv: error -52\n  tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics\n  CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\n  Call Trace:\n   tpm_tis_status.cold+0x19/0x20\n   tpm_transmit+0x13b/0x390\n   tpm_transmit_cmd+0x20/0x80\n   tpm1_pm_suspend+0xa6/0x110\n   tpm_pm_suspend+0x53/0x80\n   __pnp_bus_suspend+0x35/0xe0\n   __device_suspend+0x10f/0x350\n\nFix this by calling tpm_try_get_ops(), which itself is a wrapper around\ntpm_chip_start(), but takes the appropriate mutex.\n\n[Jason: reworked commit message, added metadata]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf/32: Fix Oops on tail call tests\n\ntest_bpf tail call tests end up as:\n\n  test_bpf: #0 Tail call leaf jited:1 85 PASS\n  test_bpf: #1 Tail call 2 jited:1 111 PASS\n  test_bpf: #2 Tail call 3 jited:1 145 PASS\n  test_bpf: #3 Tail call 4 jited:1 170 PASS\n  test_bpf: #4 Tail call load/store leaf jited:1 190 PASS\n  test_bpf: #5 Tail call load/store jited:1\n  BUG: Unable to handle kernel data access on write at 0xf1b4e000\n  Faulting instruction address: 0xbe86b710\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  BE PAGE_SIZE=4K MMU=Hash PowerMac\n  Modules linked in: test_bpf(+)\n  CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195\n  Hardware name: PowerMac3,1 750CL 0x87210 PowerMac\n  NIP:  be86b710 LR: be857e88 CTR: be86b704\n  REGS: f1b4df20 TRAP: 0300   Not tainted  (6.1.0-rc4+)\n  MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 28008242  XER: 00000000\n  DAR: f1b4e000 DSISR: 42000000\n  GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000\n  GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8\n  GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000\n  GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00\n  NIP [be86b710] 0xbe86b710\n  LR [be857e88] __run_one+0xec/0x264 [test_bpf]\n  Call Trace:\n  [f1b4dfe0] [00000002] 0x2 (unreliable)\n  Instruction dump:\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  ---[ end trace 0000000000000000 ]---\n\nThis is a tentative to write above the stack. The problem is encoutered\nwith tests added by commit 38608ee7b690 (\"bpf, tests: Add load store\ntest case for tail call\")\n\nThis happens because tail call is done to a BPF prog with a different\nstack_depth. At the time being, the stack is kept as is when the caller\ntail calls its callee. But at exit, the callee restores the stack based\non its own properties. Therefore here, at each run, r1 is erroneously\nincreased by 32 - 16 = 16 bytes.\n\nThis was done that way in order to pass the tail call count from caller\nto callee through the stack. As powerpc32 doesn't have a red zone in\nthe stack, it was necessary the maintain the stack as is for the tail\ncall. But it was not anticipated that the BPF frame size could be\ndifferent.\n\nLet's take a new approach. Use register r4 to carry the tail call count\nduring the tail call, and save it into the stack at function entry if\nrequired. This means the input parameter must be in r3, which is more\ncorrect as it is a 32 bits parameter, then tail call better match with\nnormal BPF function entry, the down side being that we move that input\nparameter back and forth between r3 and r4. That can be optimised later.\n\nDoing that also has the advantage of maximising the common parts between\ntail calls and a normal function exit.\n\nWith the fix, tail call tests are now successfull:\n\n  test_bpf: #0 Tail call leaf jited:1 53 PASS\n  test_bpf: #1 Tail call 2 jited:1 115 PASS\n  test_bpf: #2 Tail call 3 jited:1 154 PASS\n  test_bpf: #3 Tail call 4 jited:1 165 PASS\n  test_bpf: #4 Tail call load/store leaf jited:1 101 PASS\n  test_bpf: #5 Tail call load/store jited:1 141 PASS\n  test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS\n  test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS\n  test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS\n  test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS\n  test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-48999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Handle attempt to delete multipath route when fib_info contains an nh reference\n\nGwangun Jung reported a slab-out-of-bounds access in fib_nh_match:\n    fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961\n    fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753\n    inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874\n\nSeparate nexthop objects are mutually exclusive with the legacy\nmultipath spec. Fix fib_nh_match to return if the config for the\nto be deleted route contains a multipath spec while the fib_info\nis using a nexthop object.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-48999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix PCI device refcount leak in has_external_pci()\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() before 'return true' to avoid reference count leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix race when vmap stack overflow\n\nCurrently, when detecting vmap stack overflow, riscv firstly switches\nto the so called shadow stack, then uses this shadow stack to call the\nget_overflow_stack() to get the overflow stack. However, there's\na race here if two or more harts use the same shadow stack at the same\ntime.\n\nTo solve this race, we introduce spin_shadow_stack atomic var, which\nwill be swapped between its own address and 0 in an atomic way; when the\nvar is set, it means the shadow_stack is being used; when the var\nis cleared, it means the shadow_stack isn't being used.\n\n[Palmer: Add AQ to the swap, and also some comments.]",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() for the error path to avoid reference count leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix SRCU protection of nvme_ns_head list\n\nWalking the nvme_ns_head siblings list is protected by the head's srcu\nin nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths().\nRemoving namespaces from the list also fails to synchronize the srcu.\nConcurrent scan work can therefore cause use-after-frees.\n\nHold the head's srcu lock in nvme_mpath_revalidate_paths() and\nsynchronize with the srcu, not the global RCU, in nvme_ns_remove().\n\nObserved the following panic when making NVMe/RDMA connections\nwith native multipath on the Rocky Linux 8.6 kernel\n(it seems the upstream kernel has the same race condition).\nDisassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx;\ncomputing capacity != get_capacity(ns->disk).\nAddress 0x50 is dereferenced because ns->disk is NULL.\nThe NULL disk appears to be the result of concurrent scan work\nfreeing the namespace (note the log line in the middle of the panic).\n\n[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050\n[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064\n[37314.299753] PGD 0 P4D 0\n[37314.299756] Oops: 0000 [#1] SMP PTI\n[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G        W      X --------- -  - 4.18.0-372.32.1.el8test86.x86_64 #1\n[37314.299762] Hardware name: Dell Inc. 
PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018\n[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]\n[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]\n[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3\n[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202\n[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000\n[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800\n[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff\n[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000\n[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000\n[37315.548286] FS:  0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000\n[37315.645111] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0\n[37315.799267] Call Trace:\n[37315.828515]  nvme_update_ns_info+0x1ac/0x250 [nvme_core]\n[37315.892075]  nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]\n[37315.961871]  ? __blk_mq_free_request+0x6b/0x90\n[37316.015021]  nvme_scan_work+0x151/0x240 [nvme_core]\n[37316.073371]  process_one_work+0x1a7/0x360\n[37316.121318]  ? create_worker+0x1a0/0x1a0\n[37316.168227]  worker_thread+0x30/0x390\n[37316.212024]  ? create_worker+0x1a0/0x1a0\n[37316.258939]  kthread+0x10a/0x120\n[37316.297557]  ? 
set_kthread_struct+0x50/0x50\n[37316.347590]  ret_from_fork+0x35/0x40\n[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sync efi page table's kernel mappings before switching\n\nThe EFI page table is initially created as a copy of the kernel page table.\nWith VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area:\nif the stack is allocated in a new PGD (one that was not present at the\nmoment of the efi page table creation or not synced in a previous vmalloc\nfault), the kernel will take a trap when switching to the efi page table\nwhen the vmalloc kernel stack is accessed, resulting in a kernel panic.\n\nFix that by updating the efi kernel mappings before switching to the efi\npage table.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Fix bounds check for _sx controls\n\nFor _sx controls the semantics of the max field is not the usual one, max\nis the number of steps rather than the maximum value. This means that our\ncheck in snd_soc_put_volsw_sx() needs to just check against the maximum\nvalue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Free buffers when a used dynamic event is removed\n\nAfter 65536 dynamic events have been added and removed, the \"type\" field\nof the event then uses the first type number that is available (not\ncurrently used by other events). A type number is the identifier of the\nbinary blobs in the tracing ring buffer (known as events) to map them to\nlogic that can parse the binary blob.\n\nThe issue is that if a dynamic event (like a kprobe event) is traced and\nis in the ring buffer, and then that event is removed (because it is\ndynamic, which means it can be created and destroyed), if another dynamic\nevent is created that has the same number, that new event's logic on\nparsing the binary blob will be used.\n\nTo show how this can be an issue, the following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # for i in `seq 65536`; do\n     echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events\n # done\n\nFor every iteration of the above, the writing to the kprobe_events will\nremove the old event and create a new one (with the same format) and\nincrease the type number to the next available one until the type number\nreaches over 65535 which is the max number for the 16 bit type. After it\nreaches that number, the logic to allocate a new number simply looks for\nthe next available number. When a dynamic event is removed, that number\nis then available to be reused by the next dynamic event created. That is,\nonce the above reaches the max number, the number assigned to the event in\nthat loop will remain the same.\n\nNow that means deleting one dynamic event and creating another will reuse\nthe previous event's type number. 
This is where bad things can happen.\nAfter the above loop finishes, the kprobes/foo event which reads the\ndo_sys_openat2 function call's first parameter as an integer.\n\n # echo 1 > kprobes/foo/enable\n # cat /etc/passwd > /dev/null\n # cat trace\n             cat-2211    [005] ....  2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n # echo 0 > kprobes/foo/enable\n\nNow if we delete the kprobe and create a new one that reads a string:\n\n # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events\n\nAnd now we can the trace:\n\n # cat trace\n        sendmail-1942    [002] .....   530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=             cat-2046    [004] .....   530.930817: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   
530.930961: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   530.934278: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   530.934563: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()\n\nSyzbot reported a null-ptr-deref bug:\n\n NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP\n frequency < 30 seconds\n general protection fault, probably for non-canonical address\n 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 1 PID: 3603 Comm: segctord Not tainted\n 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google\n 10/11/2022\n RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0\n fs/nilfs2/alloc.c:608\n Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00\n 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02\n 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7\n RSP: 0018:ffffc90003dff830 EFLAGS: 00010212\n RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d\n RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010\n RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f\n R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158\n R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004\n FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000)\n knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0\n Call Trace:\n  <TASK>\n  nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]\n  nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193\n  nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236\n  nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940\n  nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]\n  nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]\n  nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088\n  
nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337\n  nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568\n  nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018\n  nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067\n  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]\n  nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]\n  nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045\n  nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]\n  nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570\n  kthread+0x2e4/0x3a0 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n  </TASK>\n ...\n\nIf DAT metadata file is corrupted on disk, there is a case where\nreq->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during\na b-tree operation that cascadingly updates ancestor nodes of the b-tree,\nbecause nilfs_dat_commit_alloc() for a lower level block can initialize\nthe blocknr on the same DAT entry between nilfs_dat_prepare_end() and\nnilfs_dat_commit_end().\n\nIf this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()\nwithout valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and\ncauses the NULL pointer dereference above in\nnilfs_palloc_commit_free_entry() function, which leads to a crash.\n\nFix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh\nbefore nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().\n\nThis also calls nilfs_error() in that case to notify that there is a fatal\nflaw in the filesystem metadata and prevent further operations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down\n\nIn can327_feed_frame_to_netdev(), it did not free the skb when netdev\nis down, and all callers of can327_feed_frame_to_netdev() did not free\nallocated skb too. That would trigger skb leak.\n\nFix it by adding kfree_skb() in can327_feed_frame_to_netdev() when netdev\nis down. Not tested, just compiled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Check for null before removing sysfs attrs\n\nIf coretemp_add_core() gets an error then pdata->core_data[indx]\nis already NULL and has been kfreed. Don't pass that to\nsysfs_remove_group() as that will crash in sysfs_remove_group().\n\n[Shortened for readability]\n[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'\n<cpu offline>\n[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188\n[91855.165103] #PF: supervisor read access in kernel mode\n[91855.194506] #PF: error_code(0x0000) - not-present page\n[91855.224445] PGD 0 P4D 0\n[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI\n...\n[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80\n...\n[91855.796571] Call Trace:\n[91855.810524]  coretemp_cpu_offline+0x12b/0x1dd [coretemp]\n[91855.841738]  ? coretemp_cpu_online+0x180/0x180 [coretemp]\n[91855.871107]  cpuhp_invoke_callback+0x105/0x4b0\n[91855.893432]  cpuhp_thread_fun+0x8e/0x150\n...\n\nFix this by checking for NULL first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment; when finished using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it after using to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix server->active leak in afs_put_server\n\nThe atomic_read was accidentally replaced with atomic_inc_return,\nwhich prevents the server from getting cleaned up and causes rmmod\nto hang with a warning:\n\n    Can't purge s=00000001",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix memory leak in sctp_stream_outq_migrate()\n\nWhen sctp_stream_outq_migrate() is called to release stream out resources,\nthe memory pointed to by prio_head in stream out is not released.\n\nThe memory leak information is as follows:\n unreferenced object 0xffff88801fe79f80 (size 64):\n   comm \"sctp_repo\", pid 7957, jiffies 4294951704 (age 36.480s)\n   hex dump (first 32 bytes):\n     80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff  ................\n     90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff  ................\n   backtrace:\n     [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60\n     [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770\n     [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0\n     [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30\n     [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0\n     [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0\n     [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120\n     [<ffffffff8755446a>] __sys_sendto+0x23a/0x340\n     [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0\n     [<ffffffff89978b49>] do_syscall_64+0x39/0xb0\n     [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix use-after-free in tun_detach()\n\nsyzbot reported use-after-free in tun_detach() [1].  This causes call\ntrace like below:\n\n==================================================================\nBUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\nRead of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673\n\nCPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x461 mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\n call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10237 [inline]\n netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351\n tun_detach drivers/net/tun.c:704 [inline]\n tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467\n __fput+0x27c/0xa90 fs/file_table.c:320\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xb3d/0x2a30 kernel/exit.c:820\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x21b1/0x2440 kernel/signal.c:2858\n arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x46/0xb0 
arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that sock_put() from __tun_detach() drops\nlast reference count for struct net, and then notifier_call_chain()\nfrom netdev_state_change() accesses that struct net.\n\nThis patch fixes the issue by calling sock_put() from tun_detach()\nafter all necessary accesses for the struct net have been done.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: Fix potential use-after-free\n\nThe skb is delivered to netif_rx() which may free it, after calling this,\ndereferencing skb may trigger use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdiobus: fix unbalanced node reference count\n\nI got the following report while doing device(mscc-miim) load test\nwith CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:\n\n  OF: ERROR: memory leak, expected refcount 1 instead of 2,\n  of_node_get()/of_node_put() unbalanced - destroy cset entry:\n  attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0\n\nIf the 'fwnode' is not an acpi node, the refcount is get in\nfwnode_mdiobus_phy_device_register(), but it has never been\nput when the device is freed in the normal path. So call\nfwnode_handle_put() in phy_device_release() to avoid leak.\n\nIf it's an acpi node, it has never been get, but it's put\nin the error path, so call fwnode_handle_get() before\nphy_device_register() to keep get/put operation balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: re-fetch skb cb after tipc_msg_validate\n\nAs the call trace shows, the original skb was freed in tipc_msg_validate(),\nand dereferencing the old skb cb would cause an use-after-free crash.\n\n  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n  Call Trace:\n   <IRQ>\n   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n   tipc_rcv+0x744/0x1150 [tipc]\n  ...\n  Allocated by task 47078:\n   kmem_cache_alloc_node+0x158/0x4d0\n   __alloc_skb+0x1c1/0x270\n   tipc_buf_acquire+0x1e/0xe0 [tipc]\n   tipc_msg_create+0x33/0x1c0 [tipc]\n   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]\n   tipc_link_timeout+0x8b8/0xef0 [tipc]\n   tipc_node_timeout+0x2a1/0x960 [tipc]\n   call_timer_fn+0x2d/0x1c0\n  ...\n  Freed by task 47078:\n   tipc_msg_validate+0x7b/0x440 [tipc]\n   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]\n   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n   tipc_rcv+0x744/0x1150 [tipc]\n\nThis patch fixes it by re-fetching the skb cb from the new allocated skb\nafter calling tipc_msg_validate().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sleep in atomic at close time\n\nMatt reported a splat at msk close time:\n\n    BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877\n    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill\n    preempt_count: 201, expected: 0\n    RCU nest depth: 0, expected: 0\n    4 locks held by packetdrill/155:\n    #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)\n    #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)\n    #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)\n    #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)\n    Preemption disabled at:\n    0x0\n    CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n    Call Trace:\n    <TASK>\n    dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))\n    __might_resched.cold (kernel/sched/core.c:9891)\n    __mptcp_destroy_sock (include/linux/kernel.h:110)\n    __mptcp_close (net/mptcp/protocol.c:2959)\n    mptcp_subflow_queue_clean (include/net/sock.h:1777)\n    __mptcp_close_ssk (net/mptcp/protocol.c:2363)\n    mptcp_destroy_common (net/mptcp/protocol.c:3170)\n    mptcp_destroy (include/net/sock.h:1495)\n    __mptcp_destroy_sock (net/mptcp/protocol.c:2886)\n    __mptcp_close (net/mptcp/protocol.c:2959)\n    mptcp_close (net/mptcp/protocol.c:2974)\n    inet_release (net/ipv4/af_inet.c:432)\n    __sock_release (net/socket.c:651)\n    sock_close (net/socket.c:1367)\n    __fput (fs/file_table.c:320)\n    task_work_run (kernel/task_work.c:181 (discriminator 1))\n    exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)\n    syscall_exit_to_user_mode (kernel/entry/common.c:130)\n    do_syscall_64 (arch/x86/entry/common.c:87)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n\nWe can't call mptcp_close under the 'fast' socket lock variant, replace\nit with a sock_lock_nested() as the relevant code is already under the\nlistening msk socket lock protection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: nixge: fix NULL dereference\n\nIn function nixge_hw_dma_bd_release() dereference of NULL pointer\npriv->rx_bd_v is possible for the case of its allocation failure in\nnixge_hw_dma_bd_init().\n\nMove for() loop with priv->rx_bd_v dereference under the check for\nits validity.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: Fix a potential socket leak in p9_socket_open\n\nBoth p9_fd_create_tcp() and p9_fd_create_unix() will call\np9_socket_open(). If the creation of p9_trans_fd fails,\np9_fd_create_tcp() and p9_fd_create_unix() will return an\nerror directly instead of releasing the cscoket, which will\nresult in a socket leak.\n\nThis patch adds sock_release() to fix the leak issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: fix null-ptr-deref while probe() failed\n\nI got a null-ptr-deref report as following when doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nOops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G    B            N 6.1.0-rc3+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n <TASK>\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x23e/0x2d0\n bus_remove_device+0x1bd/0x240\n device_del+0x357/0x770\n phy_device_remove+0x11/0x30\n mdiobus_unregister+0xa5/0x140\n release_nodes+0x6a/0xa0\n devres_release_all+0xf8/0x150\n device_unbind_cleanup+0x19/0xd0\n\n//probe path:\nphy_device_register()\n  device_add()\n\nphy_connect\n  phy_attach_direct() //set device driver\n    probe() //it's failed, driver is not bound\n    device_bind_driver() // probe failed, it's not called\n\n//remove path:\nphy_device_remove()\n  device_del()\n    device_release_driver_internal()\n      __device_release_driver() //dev->drv is not NULL\n        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref\n\nIn phy_attach_direct(), after setting the 'dev->driver', probe() fails,\ndevice_bind_driver() is not called, so the knode_driver->n_klist is not\nset, then it causes null-ptr-deref in __device_release_driver() while\ndeleting device. Fix this by setting dev->driver to NULL in the error\npath in phy_attach_direct().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac8021: fix possible oob access in ieee80211_get_rate_duration\n\nFix possible out-of-bound access in ieee80211_get_rate_duration routine\nas reported by the following UBSAN report:\n\nUBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47\nindex 15 is out of range for type 'u16 [12]'\nCPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic\nHardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017\nWorkqueue: mt76 mt76u_tx_status_data [mt76_usb]\nCall Trace:\n <TASK>\n show_stack+0x4e/0x61\n dump_stack_lvl+0x4a/0x6f\n dump_stack+0x10/0x18\n ubsan_epilogue+0x9/0x43\n __ubsan_handle_out_of_bounds.cold+0x42/0x47\nieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]\n ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]\n ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]\n ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]\n mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]\n mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]\n mt76u_tx_status_data+0x67/0xd0 [mt76_usb]\n process_one_work+0x225/0x400\n worker_thread+0x50/0x3e0\n ? process_one_work+0x400/0x400\n kthread+0xe9/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix buffer overflow in elem comparison\n\nFor vendor elements, the code here assumes that 5 octets\nare present without checking. Since the element itself is\nalready checked to fit, we only need to check the length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods\n\nIn m_can_pci_remove() and error handling path of m_can_pci_probe(),\nm_can_class_free_dev() should be called to free resource allocated by\nm_can_class_allocate_dev(), otherwise there will be memleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free when reverting termination table\n\nWhen having multiple dests with termination tables and second one\nor afterwards fails the driver reverts usage of term tables but\ndoesn't reset the assignment in attr->dests[num_vport_dests].termtbl\nwhich case a use-after-free when releasing the rule.\nFix by resetting the assignment of termtbl to null.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ne100: Fix possible use after free in e100_xmit_prepare\n\nIn e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so\ne100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will\nresend the skb. But the skb is already freed, which will cause UAF bug\nwhen the upper layer resends the skb.\n\nRemove the harmful free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix error handling in iavf_init_module()\n\nThe iavf_init_module() won't destroy workqueue when pci_register_driver()\nfailed. Call destroy_workqueue() when pci_register_driver() failed to\nprevent the resource leak.\n\nSimilar to the handling of u132_hcd_init in commit f276e002793c\n(\"usb: u132-hcd: fix resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: Fix resource leak in ixgbevf_init_module()\n\nixgbevf_init_module() won't destroy the workqueue created by\ncreate_singlethread_workqueue() when pci_register_driver() failed. Add\ndestroy_workqueue() in fail path to prevent the resource leak.\n\nSimilar to the handling of u132_hcd_init in commit f276e002793c\n(\"usb: u132-hcd: fix resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails\n\nSmatch report warning as follows:\n\ndrivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:\n  '&data->list' not removed from list\n\nIf ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will\nbe freed, but data->list will not be removed from driver_data.bmc_data,\nthen list traversal may cause UAF.\n\nFix by removeing it from driver_data.bmc_data before free().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Handle size overflow for ringbuf mmap\n\nThe maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries\nwill overflow u32 when mapping producer page and data pages. Only\ncasting max_entries to size_t is not enough, because for 32-bits\napplication on 64-bits kernel the size of read-only mmap region\nalso could overflow size_t.\n\nSo fixing it by casting the size of read-only mmap region into a __u64\nand checking whether or not there will be overflow during mmap.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: health: afe4403: Fix oob read in afe4403_read_raw\n\nKASAN report out-of-bounds read as follows:\n\nBUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0\nRead of size 4 at addr ffffffffc02ac638 by task cat/279\n\nCall Trace:\n afe4403_read_raw\n iio_read_channel_info\n dev_attr_show\n\nThe buggy address belongs to the variable:\n afe4403_channel_leds+0x18/0xffffffffffffe9e0\n\nThis issue can be reproduced by singe command:\n\n $ cat /sys/bus/spi/devices/spi0.0/iio\\:device0/in_intensity6_raw\n\nThe array size of afe4403_channel_leds is less than channels, so access\nwith chan->address cause OOB read in afe4403_read_raw. Fix it by moving\naccess before use it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: health: afe4404: Fix oob read in afe4404_[read|write]_raw\n\nKASAN report out-of-bounds read as follows:\n\nBUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380\nRead of size 4 at addr ffffffffc00e4658 by task cat/278\n\nCall Trace:\n afe4404_read_raw\n iio_read_channel_info\n dev_attr_show\n\nThe buggy address belongs to the variable:\n afe4404_channel_leds+0x18/0xffffffffffffe9c0\n\nThis issue can be reproduce by singe command:\n\n $ cat /sys/bus/i2c/devices/0-0058/iio\\:device0/in_intensity6_raw\n\nThe array size of afe4404_channel_leds and afe4404_channel_offdacs\nare less than channels, so access with chan->address cause OOB read\nin afe4404_[read|write]_raw. Fix it by moving access before use them.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()\n\nSyzkaller reported BUG as follows:\n\n  BUG: sleeping function called from invalid context at\n       include/linux/sched/mm.h:274\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xcd/0x134\n   __might_resched.cold+0x222/0x26b\n   kmem_cache_alloc+0x2e7/0x3c0\n   update_qgroup_limit_item+0xe1/0x390\n   btrfs_qgroup_inherit+0x147b/0x1ee0\n   create_subvol+0x4eb/0x1710\n   btrfs_mksubvol+0xfe5/0x13f0\n   __btrfs_ioctl_snap_create+0x2b0/0x430\n   btrfs_ioctl_snap_create_v2+0x25a/0x520\n   btrfs_ioctl+0x2a1c/0x5ce0\n   __x64_sys_ioctl+0x193/0x200\n   do_syscall_64+0x35/0x80\n\nFix this by calling qgroup_dirty() on @dstqgroup, and update limit item in\nbtrfs_run_qgroups() later outside of the spinlock context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK\n\nWhen CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,\ncpu_max_bits_warn() generates a runtime warning similar as below when\nshowing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)\ninstead of NR_CPUS to iterate CPUs.\n\n[    3.052463] ------------[ cut here ]------------\n[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0\n[    3.070072] Modules linked in: efivarfs autofs4\n[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052\n[    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000\n[    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430\n[    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff\n[    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890\n[    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa\n[    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000\n[    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000\n[    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000\n[    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286\n[    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n[    3.195868]         ...\n[    3.199917] Call Trace:\n[    3.203941] [<90000000002086d8>] show_stack+0x38/0x14c\n[    3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88\n[    3.217625] [<900000000023d268>] __warn+0xd0/0x100\n[    3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc\n[    3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0\n[    3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4\n[    3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4\n[    3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0\n[    3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100\n[    3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94\n[    3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160\n[    3.281824] ---[ end trace 8b484262b4b8c24c ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2022-49035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE\n\nI expect that the hardware will have limited this to 16, but just in\ncase it hasn't, check for this corner case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: fix memory corruption when tag_size is less than digest size\n\nIt is possible to set up dm-integrity in such a way that the\n\"tag_size\" parameter is less than the actual digest size. In this\nsituation, a part of the digest beyond tag_size is ignored.\n\nIn this case, dm-integrity would write beyond the end of the\nic->recalc_tags array and corrupt memory. The corruption happened in\nintegrity_recalc->integrity_sector_checksum->crypto_shash_final.\n\nFix this corruption by increasing the tags array so that it has enough\npadding at the end to accomodate the loop in integrity_recalc() being\nable to write a full digest size for the last member of the tags\narray.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49044",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: dev: check return value when calling dev_set_name()\n\nIf dev_set_name() fails, the dev_name() is null, check the return\nvalue of dev_set_name() to avoid the null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49046",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nep93xx: clock: Fix UAF in ep93xx_clk_register_gate()\n\narch/arm/mach-ep93xx/clock.c:154:2: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]\narch/arm/mach-ep93xx/clock.c:151:2: note: Taking true branch\nif (IS_ERR(clk))\n^\narch/arm/mach-ep93xx/clock.c:152:3: note: Memory is released\nkfree(psc);\n^~~~~~~~~~\narch/arm/mach-ep93xx/clock.c:154:2: note: Use of memory after it is freed\nreturn &psc->hw;\n^ ~~~~~~~~",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49047",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix panic when forwarding a pkt with no in6 dev\n\nkongweibin reported a kernel panic in ip6_forward() when input interface\nhas no in6 dev associated.\n\nThe following tc commands were used to reproduce this panic:\ntc qdisc del dev vxlan100 root\ntc qdisc add dev vxlan100 root netem corrupt 5%",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49048",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix panic when growing a memfd_secret\n\nWhen one tries to grow an existing memfd_secret with ftruncate, one gets\na panic [1].  For example, doing the following reliably induces the\npanic:\n\n    fd = memfd_secret();\n\n    ftruncate(fd, 10);\n    ptr = mmap(NULL, 10, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n    strcpy(ptr, \"123456789\");\n\n    munmap(ptr, 10);\n    ftruncate(fd, 20);\n\nThe basic reason for this is, when we grow with ftruncate, we call down\ninto simple_setattr, and then truncate_inode_pages_range, and eventually\nwe try to zero part of the memory.  The normal truncation code does this\nvia the direct map (i.e., it calls page_address() and hands that to\nmemset()).\n\nFor memfd_secret though, we specifically don't map our pages via the\ndirect map (i.e.  we call set_direct_map_invalid_noflush() on every\nfault).  So the address returned by page_address() isn't useful, and\nwhen we try to memset() with it we panic.\n\nThis patch avoids the panic by implementing a custom setattr for\nmemfd_secret, which detects resizes specifically (setting the size for\nthe first time works just fine, since there are no existing pages to try\nto zero), and rejects them with EINVAL.\n\nOne could argue growing should be supported, but I think that will\nrequire a significantly more lengthy change.  So, I propose a minimal\nfix for the benefit of stable kernels, and then perhaps to extend\nmemfd_secret to support growing in a separate patch.\n\n[1]:\n\n  BUG: unable to handle page fault for address: ffffa0a889277028\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD afa01067 P4D afa01067 PUD 83f909067 PMD 83f8bf067 PTE 800ffffef6d88060\n  Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n  CPU: 0 PID: 281 Comm: repro Not tainted 5.17.0-dbg-DEV #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:memset_erms+0x9/0x10\n  Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 <f3> aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01\n  RSP: 0018:ffffb932c09afbf0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffda63c4249dc0 RCX: 0000000000000fd8\n  RDX: 0000000000000fd8 RSI: 0000000000000000 RDI: ffffa0a889277028\n  RBP: ffffb932c09afc00 R08: 0000000000001000 R09: ffffa0a889277028\n  R10: 0000000000020023 R11: 0000000000000000 R12: ffffda63c4249dc0\n  R13: ffffa0a890d70d98 R14: 0000000000000028 R15: 0000000000000fd8\n  FS:  00007f7294899580(0000) GS:ffffa0af9bc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffa0a889277028 CR3: 0000000107ef6006 CR4: 0000000000370ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   ? zero_user_segments+0x82/0x190\n   truncate_inode_partial_folio+0xd4/0x2a0\n   truncate_inode_pages_range+0x380/0x830\n   truncate_setsize+0x63/0x80\n   simple_setattr+0x37/0x60\n   notify_change+0x3d8/0x4d0\n   do_sys_ftruncate+0x162/0x1d0\n   __x64_sys_ftruncate+0x1c/0x20\n   do_syscall_64+0x44/0xa0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  Modules linked in: xhci_pci xhci_hcd virtio_net net_failover failover virtio_blk virtio_balloon uhci_hcd ohci_pci ohci_hcd evdev ehci_pci ehci_hcd 9pnet_virtio 9p netfs 9pnet\n  CR2: ffffa0a889277028\n\n[lkp@intel.com: secretmem_iops can be static]\n[axelrasmussen@google.com: return EINVAL]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49049",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: renesas-rpc-if: fix platform-device leak in error path\n\nMake sure to free the flash platform device in the event that\nregistration fails during probe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49050",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Fix out-of-bounds accesses in RX fixup\n\naqc111_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds,\n   causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n   endianness flip to corrupt data used by a cloned SKB that has already\n   been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n   causing out-of-bounds heap data to be considered part of the SKB's\n   data.\n\nFound doing variant analysis. Tested it with another driver (ax88179_178a), since\nI don't have a aqc111 device to test it, but the code looks very similar.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49051",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix unexpected zeroed page mapping with zram swap\n\nTwo processes under CLONE_VM cloning, user process can be corrupted by\nseeing zeroed page unexpectedly.\n\n      CPU A                        CPU B\n\n  do_swap_page                do_swap_page\n  SWP_SYNCHRONOUS_IO path     SWP_SYNCHRONOUS_IO path\n  swap_readpage valid data\n    swap_slot_free_notify\n      delete zram entry\n                              swap_readpage zeroed(invalid) data\n                              pte_lock\n                              map the *zero data* to userspace\n                              pte_unlock\n  pte_lock\n  if (!pte_same)\n    goto out_nomap;\n  pte_unlock\n  return and next refault will\n  read zeroed data\n\nThe swap_slot_free_notify is bogus for CLONE_VM case since it doesn't\nincrease the refcount of swap slot at copy_mm so it couldn't catch up\nwhether it's safe or not to discard data from backing device.  In the\ncase, only the lock it could rely on to synchronize swap slot freeing is\npage table lock.  Thus, this patch gets rid of the swap_slot_free_notify\nfunction.  With this patch, CPU A will see correct data.\n\n      CPU A                        CPU B\n\n  do_swap_page                do_swap_page\n  SWP_SYNCHRONOUS_IO path     SWP_SYNCHRONOUS_IO path\n                              swap_readpage original data\n                              pte_lock\n                              map the original data\n                              swap_free\n                                swap_range_free\n                                  bd_disk->fops->swap_slot_free_notify\n  swap_readpage read zeroed data\n                              pte_unlock\n  pte_lock\n  if (!pte_same)\n    goto out_nomap;\n  pte_unlock\n  return\n  on next refault will see mapped data by CPU B\n\nThe concern of the patch would increase memory consumption since it\ncould keep wasted memory with compressed form in zram as well as\nuncompressed form in address space.  However, most of cases of zram uses\nno readahead and do_swap_page is followed by swap_free so it will free\nthe compressed form from in zram quickly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49052",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcmu: Fix possible page UAF\n\ntcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not\ntake refcount properly and just returns page pointer. When\ntcmu_try_get_data_page() returns, the returned page may have been freed by\ntcmu_blocks_release().\n\nWe need to get_page() under cmdr_lock to avoid concurrent\ntcmu_blocks_release().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49053",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests\n\nhv_panic_page might contain guest-sensitive information, do not dump it\nover to Hyper-V by default in isolated guests.\n\nWhile at it, update some comments in hyperv_{panic,die}_event().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49054",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Check for potential null return of kmalloc_array()\n\nAs the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference.\nTherefore, it is better to check the return value of kmalloc_array() to avoid this confusion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49055",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: null_blk: end timed out poll request\n\nWhen poll request is timed out, it is removed from the poll list,\nbut not completed, so the request is leaked, and never get chance\nto complete.\n\nFix the issue by ending it in timeout handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49057",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: potential buffer overflow in handling symlinks\n\nSmatch printed a warning:\n\tarch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:\n\t__memcpy() 'dctx->buf' too small (16 vs u32max)\n\nIt's caused because Smatch marks 'link_len' as untrusted since it comes\nfrom sscanf(). Add a check to ensure that 'link_len' is not larger than\nthe size of the 'link_str' buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49058",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: add flush_workqueue to prevent uaf\n\nOur detector found a concurrent use-after-free bug when detaching an\nNCI device. The main reason for this bug is the unexpected scheduling\nbetween the used delayed mechanism (timer and workqueue).\n\nThe race can be demonstrated below:\n\nThread-1                           Thread-2\n                                 | nci_dev_up()\n                                 |   nci_open_device()\n                                 |     __nci_request(nci_reset_req)\n                                 |       nci_send_cmd\n                                 |         queue_work(cmd_work)\nnci_unregister_device()          |\n  nci_close_device()             | ...\n    del_timer_sync(cmd_timer)[1] |\n...                              | Worker\nnci_free_device()                | nci_cmd_work()\n  kfree(ndev)[3]                 |   mod_timer(cmd_timer)[2]\n\nIn short, the cleanup routine thought that the cmd_timer has already\nbeen detached by [1] but the mod_timer can re-attach the timer [2], even\nit is already released [3], resulting in UAF.\n\nThis UAF is easy to trigger, crash trace by POC is like below\n\n[   66.703713] ==================================================================\n[   66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490\n[   66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33\n[   66.703974]\n[   66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5\n[   66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work\n[   66.703974] Call Trace:\n[   66.703974]  <TASK>\n[   66.703974]  dump_stack_lvl+0x57/0x7d\n[   66.703974]  print_report.cold+0x5e/0x5db\n[   66.703974]  ? enqueue_timer+0x448/0x490\n[   66.703974]  kasan_report+0xbe/0x1c0\n[   66.703974]  ? enqueue_timer+0x448/0x490\n[   66.703974]  enqueue_timer+0x448/0x490\n[   66.703974]  __mod_timer+0x5e6/0xb80\n[   66.703974]  ? mark_held_locks+0x9e/0xe0\n[   66.703974]  ? try_to_del_timer_sync+0xf0/0xf0\n[   66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410\n[   66.703974]  ? queue_work_on+0x61/0x80\n[   66.703974]  ? lockdep_hardirqs_on+0xbf/0x130\n[   66.703974]  process_one_work+0x8bb/0x1510\n[   66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230\n[   66.703974]  ? rwlock_bug.part.0+0x90/0x90\n[   66.703974]  ? _raw_spin_lock_irq+0x41/0x50\n[   66.703974]  worker_thread+0x575/0x1190\n[   66.703974]  ? process_one_work+0x1510/0x1510\n[   66.703974]  kthread+0x2a0/0x340\n[   66.703974]  ? kthread_complete_and_exit+0x20/0x20\n[   66.703974]  ret_from_fork+0x22/0x30\n[   66.703974]  </TASK>\n[   66.703974]\n[   66.703974] Allocated by task 267:\n[   66.703974]  kasan_save_stack+0x1e/0x40\n[   66.703974]  __kasan_kmalloc+0x81/0xa0\n[   66.703974]  nci_allocate_device+0xd3/0x390\n[   66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0\n[   66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd\n[   66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0\n[   66.703974]  tty_ioctl+0x764/0x1310\n[   66.703974]  __x64_sys_ioctl+0x122/0x190\n[   66.703974]  do_syscall_64+0x3b/0x90\n[   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   66.703974]\n[   66.703974] Freed by task 406:\n[   66.703974]  kasan_save_stack+0x1e/0x40\n[   66.703974]  kasan_set_track+0x21/0x30\n[   66.703974]  kasan_set_free_info+0x20/0x30\n[   66.703974]  __kasan_slab_free+0x108/0x170\n[   66.703974]  kfree+0xb0/0x330\n[   66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0\n[   66.703974]  nci_uart_tty_close+0xdf/0x180\n[   66.703974]  tty_ldisc_kill+0x73/0x110\n[   66.703974]  tty_ldisc_hangup+0x281/0x5b0\n[   66.703974]  __tty_hangup.part.0+0x431/0x890\n[   66.703974]  tty_release+0x3a8/0xc80\n[   66.703974]  __fput+0x1f0/0x8c0\n[   66.703974]  task_work_run+0xc9/0x170\n[   66.703974]  exit_to_user_mode_prepare+0x194/0x1a0\n[   66.703974]  syscall_exit_to_user_mode+0x19/0x50\n[   66.703974]  do_syscall_64+0x48/0x90\n[   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49059",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix NULL pointer dereference in smc_pnet_find_ib()\n\ndev_name() was called with dev.parent as argument but without to\nNULL-check it before.\nSolve this by checking the pointer before the call to dev_name().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49060",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link\n\nWhen using a fixed-link, the altr_tse_pcs driver crashes\ndue to null-pointer dereference as no phy_device is provided to\ntse_pcs_fix_mac_speed function. Fix this by adding a check for\nphy_dev before calling the tse_pcs_fix_mac_speed() function.\n\nAlso clean up the tse_pcs_fix_mac_speed function a bit. There is\nno need to check for splitter_base and sgmii_adapter_base\nbecause the driver will fail if these 2 variables are not\nderived from the device tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49061",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr\n\nUse the actual length of volume coherency data when setting the\nxattr to avoid the following KASAN report.\n\n BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347\n\n CPU: 6 PID: 1347 Comm: kworker/6:0 Kdump: loaded Not tainted 5.18.0-rc1-nfs-fscache-netfs+ #13\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014\n Workqueue: events fscache_create_volume_work [fscache]\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x45/0x5a\n  print_report.cold+0x5e/0x5db\n  ? __lock_text_start+0x8/0x8\n  ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n  kasan_report+0xab/0x120\n  ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n  kasan_check_range+0xf5/0x1d0\n  memcpy+0x39/0x60\n  cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]\n  cachefiles_acquire_volume+0x2be/0x500 [cachefiles]\n  ? __cachefiles_free_volume+0x90/0x90 [cachefiles]\n  fscache_create_volume_work+0x68/0x160 [fscache]\n  process_one_work+0x3b7/0x6a0\n  worker_thread+0x2c4/0x650\n  ? process_one_work+0x6a0/0x6a0\n  kthread+0x16c/0x1a0\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  </TASK>\n\n Allocated by task 1347:\n  kasan_save_stack+0x1e/0x40\n  __kasan_kmalloc+0x81/0xa0\n  cachefiles_set_volume_xattr+0x76/0x350 [cachefiles]\n  cachefiles_acquire_volume+0x2be/0x500 [cachefiles]\n  fscache_create_volume_work+0x68/0x160 [fscache]\n  process_one_work+0x3b7/0x6a0\n  worker_thread+0x2c4/0x650\n  kthread+0x16c/0x1a0\n  ret_from_fork+0x22/0x30\n\n The buggy address belongs to the object at ffff888101e02af0\n which belongs to the cache kmalloc-8 of size 8\n The buggy address is located 4 bytes inside of\n 8-byte region [ffff888101e02af0, ffff888101e02af8)\n\n The buggy address belongs to the physical page:\n page:00000000a2292d70 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e02\n flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\n raw: 0017ffffc0000200 0000000000000000 dead000000000001 ffff888100042280\n raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888101e02980: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc\n ffff888101e02a00: 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00\n >ffff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc\n                                                            ^\n ffff888101e02b00: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc\n ffff888101e02b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49062",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[  718.223418] Call Trace:\n[  718.227139]\n[  718.230783]  dump_stack_lvl+0x33/0x42\n[  718.234431]  print_address_description.constprop.9+0x21/0x170\n[  718.238177]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.241885]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.245539]  kasan_report.cold.18+0x7f/0x11b\n[  718.249197]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.252852]  free_irq_cpu_rmap+0x53/0x80\n[  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]\n[  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]\n[  718.267419]  ice_rebuild+0x39c/0xb60 [ice]\n[  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[  718.278033]  ? delay_tsc+0x4a/0xb0\n[  718.281513]  ? preempt_count_sub+0x14/0xc0\n[  718.284984]  ? delay_tsc+0x8f/0xb0\n[  718.288463]  ice_do_reset+0x92/0xf0 [ice]\n[  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]\n[  718.295561]  pci_reset_function+0x53/0x80\n<...>\n[  718.393035] Allocated by task 690:\n[  718.433497] Freed by task 20834:\n[  718.495688] Last potentially related work creation:\n[  718.568966] The buggy address belongs to the object at ffff8881bd127e00\n                which belongs to the cache kmalloc-96 of size 96\n[  718.574085] The buggy address is located 0 bytes inside of\n                96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[  718.579265] The buggy address belongs to the page:\n[  718.598905] Memory state around the buggy address:\n[  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[  718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.610811]                    ^\n[  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49063",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: unmark inode in use in error path\n\nUnmark inode in use if error encountered. If the in-use flag leakage\noccurs in cachefiles_open_file(), Cachefiles will complain \"Inode\nalready in use\" when later another cookie with the same index key is\nlooked up.\n\nIf the in-use flag leakage occurs in cachefiles_create_tmpfile(), though\nthe \"Inode already in use\" warning won't be triggered, fix the leakage\nanyway.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49064",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix the svc_deferred_event trace class\n\nFix a NULL deref crash that occurs when an svc_rqst is deferred\nwhile the sunrpc tracing subsystem is enabled. svc_revisit() sets\ndr->xprt to NULL, so it can't be relied upon in the tracepoint to\nprovide the remote's address.\n\nUnfortunately we can't revert the \"svc_deferred_class\" hunk in\ncommit ece200ddd54b (\"sunrpc: Save remote presentation address in\nsvc_xprt for trace events\") because there is now a specific check\nof event format specifiers for unsafe dereferences. The warning\nthat check emits is:\n\n  event svc_defer_recv has unsafe dereference of argument 1\n\nA \"%pISpc\" format specifier with a \"struct sockaddr *\" is indeed\nflagged by this check.\n\nInstead, take the brute-force approach used by the svcrdma_qp_error\ntracepoint. Convert the dr::addr field into a presentation address\nin the TP_fast_assign() arm of the trace event, and store that as\na string. This fix can be backported to -stable kernels.\n\nIn the meantime, commit c6ced22997ad (\"tracing: Update print fmt\ncheck to handle new __get_sockaddr() macro\") is now in v5.18, so\nthis wonky fix can be replaced with __sockaddr() and friends\nproperly during the v5.19 merge window.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49065",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Ensure eth header is in skb's linear part\n\nAfter feeding a decapsulated packet to a veth device with act_mirred,\nskb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),\nwhich expects at least ETH_HLEN byte of linear data (as\n__dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes\nunconditionally).\n\nUse pskb_may_pull() to ensure veth_xmit() respects this constraint.\n\nkernel BUG at include/linux/skbuff.h:2328!\nRIP: 0010:eth_type_trans+0xcf/0x140\nCall Trace:\n <IRQ>\n __dev_forward_skb2+0xe3/0x160\n veth_xmit+0x6e/0x250 [veth]\n dev_hard_start_xmit+0xc7/0x200\n __dev_queue_xmit+0x47f/0x520\n ? skb_ensure_writable+0x85/0xa0\n ? skb_mpls_pop+0x98/0x1c0\n tcf_mirred_act+0x442/0x47e [act_mirred]\n tcf_action_exec+0x86/0x140\n fl_classify+0x1d8/0x1e0 [cls_flower]\n ? dma_pte_clear_level+0x129/0x1a0\n ? dma_pte_clear_level+0x129/0x1a0\n ? prb_fill_curr_block+0x2f/0xc0\n ? skb_copy_bits+0x11a/0x220\n __tcf_classify+0x58/0x110\n tcf_classify_ingress+0x6b/0x140\n __netif_receive_skb_core.constprop.0+0x47d/0xfd0\n ? __iommu_dma_unmap_swiotlb+0x44/0x90\n __netif_receive_skb_one_core+0x3d/0xa0\n netif_receive_skb+0x116/0x170\n be_process_rx+0x22f/0x330 [be2net]\n be_poll+0x13c/0x370 [be2net]\n __napi_poll+0x2a/0x170\n net_rx_action+0x22f/0x2f0\n __do_softirq+0xca/0x2a8\n __irq_exit_rcu+0xc1/0xe0\n common_interrupt+0x83/0xa0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49066",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit\n\nmpe: On 64-bit Book3E vmalloc space starts at 0x8000000000000000.\n\nBecause of the way __pa() works we have:\n  __pa(0x8000000000000000) == 0, and therefore\n  virt_to_pfn(0x8000000000000000) == 0, and therefore\n  virt_addr_valid(0x8000000000000000) == true\n\nWhich is wrong, virt_addr_valid() should be false for vmalloc space.\nIn fact all vmalloc addresses that alias with a valid PFN will return\ntrue from virt_addr_valid(). That can cause bugs with hardened usercopy\nas described below by Kefeng Wang:\n\n  When running ethtool eth0 on 64-bit Book3E, a BUG occurred:\n\n    usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!\n    kernel BUG at mm/usercopy.c:99\n    ...\n    usercopy_abort+0x64/0xa0 (unreliable)\n    __check_heap_object+0x168/0x190\n    __check_object_size+0x1a0/0x200\n    dev_ethtool+0x2494/0x2b20\n    dev_ioctl+0x5d0/0x770\n    sock_do_ioctl+0xf0/0x1d0\n    sock_ioctl+0x3ec/0x5a0\n    __se_sys_ioctl+0xf0/0x160\n    system_call_exception+0xfc/0x1f0\n    system_call_common+0xf8/0x200\n\n  The code shows below,\n\n    data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));\n    copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))\n\n  The data is alloced by vmalloc(), virt_addr_valid(ptr) will return true\n  on 64-bit Book3E, which leads to the panic.\n\n  As commit 4dd7554a6456 (\"powerpc/64: Add VIRTUAL_BUG_ON checks for __va\n  and __pa addresses\") does, make sure the virt addr above PAGE_OFFSET in\n  the virt_addr_valid() for 64-bit, also add upper limit check to make\n  sure the virt is below high_memory.\n\n  Meanwhile, for 32-bit PAGE_OFFSET is the virtual address of the start\n  of lowmem, high_memory is the upper low virtual address, the check is\n  suitable for 32-bit, this will fix the issue mentioned in commit\n  602946ec2f90 (\"powerpc: Set max_mapnr correctly\") too.\n\nOn 32-bit there is a similar problem with high memory, that was fixed in\ncommit 602946ec2f90 (\"powerpc: Set max_mapnr correctly\"), but that\ncommit breaks highmem and needs to be reverted.\n\nWe can't easily fix __pa(), we have code that relies on its current\nbehaviour. So for now add extra checks to virt_addr_valid().\n\nFor 64-bit Book3S the extra checks are not necessary, the combination of\nvirt_to_pfn() and pfn_valid() should yield the correct result, but they\nare harmless.\n\n[mpe: Add additional change log detail]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49067",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release correct delalloc amount in direct IO write path\n\nRunning generic/406 causes the following WARNING in btrfs_destroy_inode()\nwhich tells there are outstanding extents left.\n\nIn btrfs_get_blocks_direct_write(), we reserve a temporary outstanding\nextents with btrfs_delalloc_reserve_metadata() (or indirectly from\nbtrfs_delalloc_reserve_space(()). We then release the outstanding extents\nwith btrfs_delalloc_release_extents(). However, the \"len\" can be modified\nin the COW case, which releases fewer outstanding extents than expected.\n\nFix it by calling btrfs_delalloc_release_extents() for the original length.\n\nTo reproduce the warning, the filesystem should be 1 GiB.  It's\ntriggering a short-write, due to not being able to allocate a large\nextent and instead allocating a smaller one.\n\n  WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]\n  Modules linked in: btrfs blake2b_generic xor lzo_compress\n  lzo_decompress raid6_pq zstd zstd_decompress zstd_compress xxhash zram\n  zsmalloc\n  CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n  RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]\n  RSP: 0018:ffffc9000327bda8 EFLAGS: 00010206\n  RAX: 0000000000000000 RBX: ffff888100548b78 RCX: 0000000000000000\n  RDX: 0000000000026900 RSI: 0000000000000000 RDI: ffff888100548b78\n  RBP: ffff888100548940 R08: 0000000000000000 R09: ffff88810b48aba8\n  R10: 0000000000000001 R11: ffff8881004eb240 R12: ffff88810b48a800\n  R13: ffff88810b48ec08 R14: ffff88810b48ed00 R15: ffff888100490c68\n  FS:  00007f8549ea0b80(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f854a09e733 CR3: 000000010a2e9003 CR4: 0000000000370eb0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   destroy_inode+0x33/0x70\n   dispose_list+0x43/0x60\n   evict_inodes+0x161/0x1b0\n   generic_shutdown_super+0x2d/0x110\n   kill_anon_super+0xf/0x20\n   btrfs_kill_super+0xd/0x20 [btrfs]\n   deactivate_locked_super+0x27/0x90\n   cleanup_mnt+0x12c/0x180\n   task_work_run+0x54/0x80\n   exit_to_user_mode_prepare+0x152/0x160\n   syscall_exit_to_user_mode+0x12/0x30\n   do_syscall_64+0x42/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   RIP: 0033:0x7f854a000fb7",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49068",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw\n\n[Why]\nBelow general protection fault observed when WebGL Aquarium is run for\nlonger duration. If drm debug logs are enabled and set to 0x1f then the\nissue is observed within 10 minutes of run.\n\n[  100.717056] general protection fault, probably for non-canonical address 0x2d33302d32323032: 0000 [#1] PREEMPT SMP NOPTI\n[  100.727921] CPU: 3 PID: 1906 Comm: DrmThread Tainted: G        W         5.15.30 #12 d726c6a2d6ebe5cf9223931cbca6892f916fe18b\n[  100.754419] RIP: 0010:CalculateSwathWidth+0x1f7/0x44f\n[  100.767109] Code: 00 00 00 f2 42 0f 11 04 f0 48 8b 85 88 00 00 00 f2 42 0f 10 04 f0 48 8b 85 98 00 00 00 f2 42 0f 11 04 f0 48 8b 45 10 0f 57 c0 <f3> 42 0f 2a 04 b0 0f 57 c9 f3 43 0f 2a 0c b4 e8 8c e2 f3 ff 48 8b\n[  100.781269] RSP: 0018:ffffa9230079eeb0 EFLAGS: 00010246\n[  100.812528] RAX: 2d33302d32323032 RBX: 0000000000000500 RCX: 0000000000000000\n[  100.819656] RDX: 0000000000000001 RSI: ffff99deb712c49c RDI: 0000000000000000\n[  100.826781] RBP: ffffa9230079ef50 R08: ffff99deb712460c R09: ffff99deb712462c\n[  100.833907] R10: ffff99deb7124940 R11: ffff99deb7124d70 R12: ffff99deb712ae44\n[  100.841033] R13: 0000000000000001 R14: 0000000000000000 R15: ffffa9230079f0a0\n[  100.848159] FS:  00007af121212640(0000) GS:ffff99deba780000(0000) knlGS:0000000000000000\n[  100.856240] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  100.861980] CR2: 0000209000fe1000 CR3: 000000011b18c000 CR4: 0000000000350ee0\n[  100.869106] Call Trace:\n[  100.871555]  <TASK>\n[  100.873655]  ? asm_sysvec_reschedule_ipi+0x12/0x20\n[  100.878449]  CalculateSwathAndDETConfiguration+0x1a3/0x6dd\n[  100.883937]  dml31_ModeSupportAndSystemConfigurationFull+0x2ce4/0x76da\n[  100.890467]  ? kallsyms_lookup_buildid+0xc8/0x163\n[  100.895173]  ? kallsyms_lookup_buildid+0xc8/0x163\n[  100.899874]  ? 
__sprint_symbol+0x80/0x135\n[  100.903883]  ? dm_update_plane_state+0x3f9/0x4d2\n[  100.908500]  ? symbol_string+0xb7/0xde\n[  100.912250]  ? number+0x145/0x29b\n[  100.915566]  ? vsnprintf+0x341/0x5ff\n[  100.919141]  ? desc_read_finalized_seq+0x39/0x87\n[  100.923755]  ? update_load_avg+0x1b9/0x607\n[  100.927849]  ? compute_mst_dsc_configs_for_state+0x7d/0xd5b\n[  100.933416]  ? fetch_pipe_params+0xa4d/0xd0c\n[  100.937686]  ? dc_fpu_end+0x3d/0xa8\n[  100.941175]  dml_get_voltage_level+0x16b/0x180\n[  100.945619]  dcn30_internal_validate_bw+0x10e/0x89b\n[  100.950495]  ? dcn31_validate_bandwidth+0x68/0x1fc\n[  100.955285]  ? resource_build_scaling_params+0x98b/0xb8c\n[  100.960595]  ? dcn31_validate_bandwidth+0x68/0x1fc\n[  100.965384]  dcn31_validate_bandwidth+0x9a/0x1fc\n[  100.970001]  dc_validate_global_state+0x238/0x295\n[  100.974703]  amdgpu_dm_atomic_check+0x9c1/0xbce\n[  100.979235]  ? _printk+0x59/0x73\n[  100.982467]  drm_atomic_check_only+0x403/0x78b\n[  100.986912]  drm_mode_atomic_ioctl+0x49b/0x546\n[  100.991358]  ? drm_ioctl+0x1c1/0x3b3\n[  100.994936]  ? drm_atomic_set_property+0x92a/0x92a\n[  100.999725]  drm_ioctl_kernel+0xdc/0x149\n[  101.003648]  drm_ioctl+0x27f/0x3b3\n[  101.007051]  ? drm_atomic_set_property+0x92a/0x92a\n[  101.011842]  amdgpu_drm_ioctl+0x49/0x7d\n[  101.015679]  __se_sys_ioctl+0x7c/0xb8\n[  101.015685]  do_syscall_64+0x5f/0xb8\n[  101.015690]  ? __irq_exit_rcu+0x34/0x96\n\n[How]\nIt calles populate_dml_pipes which uses doubles to initialize.\nAdding FPU protection avoids context switch and probable loss of vba context\nas there is potential contention while drm debug logs are enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49069",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without device\n\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\n\n  BUG: Kernel NULL pointer dereference on read at 0x00000060\n  Faulting instruction address: 0xc00000000080dfa4\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  [...]\n  CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\n  NIP:  c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\n  REGS: c000000004132fe0 TRAP: 0300   Not tainted  (5.17.0-ae085d7f9365)\n  MSR:  8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 28228282  XER: 20000000\n  CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\n  GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\n  GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\n  GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\n  GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\n  GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\n  GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\n  GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\n  GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\n  NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n  [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n  [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n  [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n  [c000000004133450] 
[c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n  [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n  [...]\n  [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n  [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\n\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\n\nTested with 5.17 on qemu ppc64le emulation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49070",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17.3"
        },
        {
          "id": "CVE-2022-49071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ili9341: fix optional regulator handling\n\nIf the optional regulator lookup fails, reset the pointer to NULL.\nOther functions such as mipi_dbi_poweron_reset_conditional() only do\na NULL pointer check and will otherwise dereference the error pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49071",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: Restrict usage of GPIO chip irq members before initialization\n\nGPIO chip irq members are exposed before they could be completely\ninitialized and this leads to race conditions.\n\nOne such issue was observed for the gc->irq.domain variable which\nwas accessed through the I2C interface in gpiochip_to_irq() before\nit could be initialized by gpiochip_add_irqchip(). This resulted in\nKernel NULL pointer dereference.\n\nFollowing are the logs for reference :-\n\nkernel: Call Trace:\nkernel:  gpiod_to_irq+0x53/0x70\nkernel:  acpi_dev_gpio_irq_get_by+0x113/0x1f0\nkernel:  i2c_acpi_get_irq+0xc0/0xd0\nkernel:  i2c_device_probe+0x28a/0x2a0\nkernel:  really_probe+0xf2/0x460\nkernel: RIP: 0010:gpiochip_to_irq+0x47/0xc0\n\nTo avoid such scenarios, restrict usage of GPIO chip irq members before\nthey are completely initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49072",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: sata_dwc_460ex: Fix crash due to OOB write\n\nthe driver uses libata's \"tag\" values from in various arrays.\nSince the mentioned patch bumped the ATA_TAG_INTERNAL to 32,\nthe value of the SATA_DWC_QCMD_MAX needs to account for that.\n\nOtherwise ATA_TAG_INTERNAL usage cause similar crashes like\nthis as reported by Tice Rex on the OpenWrt Forum and\nreproduced (with symbols) here:\n\n| BUG: Kernel NULL pointer dereference at 0x00000000\n| Faulting instruction address: 0xc03ed4b8\n| Oops: Kernel access of bad area, sig: 11 [#1]\n| BE PAGE_SIZE=4K PowerPC 44x Platform\n| CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0\n| NIP:  c03ed4b8 LR: c03d27e8 CTR: c03ed36c\n| REGS: cfa59950 TRAP: 0300   Not tainted  (5.4.163)\n| MSR:  00021000 <CE,ME>  CR: 42000222  XER: 00000000\n| DEAR: 00000000 ESR: 00000000\n| GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]\n| [..]\n| NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254\n| LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| Call Trace:\n| [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)\n| [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc\n| [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524\n| [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0\n| [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204\n| [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130\n| [...]\n\nThis is because sata_dwc_dma_xfer_complete() NULLs the\ndma_pending's next neighbour \"chan\" (a *dma_chan struct) in\nthis '32' case right here (line ~735):\n> hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;\n\nThen the next time, a dma gets issued; dma_dwc_xfer_setup() passes\nthe NULL'd hsdevp->chan to the dmaengine_slave_config() which then\ncauses the crash.\n\nWith this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.\nThis avoids the OOB. 
But please note, there was a worthwhile discussion\non what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not\nbe a \"fake\" 33 command-long queue size.\n\nIdeally, the dw driver should account for the ATA_TAG_INTERNAL.\nIn Damien Le Moal's words: \"... having looked at the driver, it\nis a bigger change than just faking a 33rd \"tag\" that is in fact\nnot a command tag at all.\"\n\nBugLink: https://github.com/openwrt/openwrt/issues/9505",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49073",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix GICR_CTLR.RWP polling\n\nIt turns out that our polling of RWP is totally wrong when checking\nfor it in the redistributors, as we test the *distributor* bit index,\nwhereas it is a different bit number in the RDs... Oopsie boo.\n\nThis is embarrassing. Not only because it is wrong, but also because\nit took *8 years* to notice the blunder...\n\nJust fix the damn thing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49074",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix qgroup reserve overflow the qgroup limit\n\nWe use extent_changeset->bytes_changed in qgroup_reserve_data() to record\nhow many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the\nbytes_changed is set as \"unsigned int\", and it will overflow if we try to\nfallocate a range larger than 4GiB. The result is we reserve less bytes\nand eventually break the qgroup limit.\n\nUnlike regular buffered/direct write, which we use one changeset for\neach ordered extent, which can never be larger than 256M.  For\nfallocate, we use one changeset for the whole range, thus it no longer\nrespects the 256M per extent limit, and caused the problem.\n\nThe following example test script reproduces the problem:\n\n  $ cat qgroup-overflow.sh\n  #!/bin/bash\n\n  DEV=/dev/sdj\n  MNT=/mnt/sdj\n\n  mkfs.btrfs -f $DEV\n  mount $DEV $MNT\n\n  # Set qgroup limit to 2GiB.\n  btrfs quota enable $MNT\n  btrfs qgroup limit 2G $MNT\n\n  # Try to fallocate a 3GiB file. 
This should fail.\n  echo\n  echo \"Try to fallocate a 3GiB file...\"\n  fallocate -l 3G $MNT/3G.file\n\n  # Try to fallocate a 5GiB file.\n  echo\n  echo \"Try to fallocate a 5GiB file...\"\n  fallocate -l 5G $MNT/5G.file\n\n  # See we break the qgroup limit.\n  echo\n  sync\n  btrfs qgroup show -r $MNT\n\n  umount $MNT\n\nWhen running the test:\n\n  $ ./qgroup-overflow.sh\n  (...)\n\n  Try to fallocate a 3GiB file...\n  fallocate: fallocate failed: Disk quota exceeded\n\n  Try to fallocate a 5GiB file...\n\n  qgroupid\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rfer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 excl\u00a0\u00a0\u00a0\u00a0 max_rfer\n  --------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ----\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ----\u00a0\u00a0\u00a0\u00a0 --------\n  0/5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5.00GiB\u00a0\u00a0\u00a0\u00a0\u00a0 5.00GiB\u00a0\u00a0\u00a0\u00a0\u00a0 2.00GiB\n\nSince we have no control of how bytes_changed is used, it's better to\nset it to u64.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49075",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Fix use-after-free bug for mm struct\n\nUnder certain conditions, such as MPI_Abort, the hfi1 cleanup code may\nrepresent the last reference held on the task mm.\nhfi1_mmu_rb_unregister() then drops the last reference and the mm is freed\nbefore the final use in hfi1_release_user_pages().  A new task may\nallocate the mm structure while it is still being used, resulting in\nproblems. One manifestation is corruption of the mmap_sem counter leading\nto a hang in down_write().  Another is corruption of an mm struct that is\nin use by another task.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49076",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)\n\nIf an mremap() syscall with old_size=0 ends up in move_page_tables(), it\nwill call invalidate_range_start()/invalidate_range_end() unnecessarily,\ni.e.  with an empty range.\n\nThis causes a WARN in KVM's mmu_notifier.  In the past, empty ranges\nhave been diagnosed to be off-by-one bugs, hence the WARNing.  Given the\nlow (so far) number of unique reports, the benefits of detecting more\nbuggy callers seem to outweigh the cost of having to fix cases such as\nthis one, where userspace is doing something silly.  In this particular\ncase, an early return from move_page_tables() is enough to fix the\nissue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49077",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlz4: fix LZ4_decompress_safe_partial read out of bound\n\nWhen partialDecoding, it is EOF if we've either filled the output buffer\nor can't proceed with reading an offset for following match.\n\nIn some extreme corner cases when compressed data is suitably corrupted,\nUAF will occur.  As reported by KASAN [1], LZ4_decompress_safe_partial\nmay lead to read out of bound problem during decoding.  lz4 upstream has\nfixed it [2] and this issue has been discussed here [3] before.\n\ncurrent decompression routine was ported from lz4 v1.8.3, bumping\nlib/lz4 to v1.9.+ is certainly a huge work to be done later, so, we'd\nbetter fix it first.\n\n[1] https://lore.kernel.org/all/000000000000830d1205cf7f0477@google.com/\n[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#\n[3] https://lore.kernel.org/all/CC666AE8-4CA4-4951-B6FB-A2EFDE3AC03B@fb.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49078",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: traverse devices under chunk_mutex in btrfs_can_activate_zone\n\nbtrfs_can_activate_zone() can be called with the device_list_mutex already\nheld, which will lead to a deadlock:\n\ninsert_dev_extents() // Takes device_list_mutex\n`-> insert_dev_extent()\n `-> btrfs_insert_empty_item()\n  `-> btrfs_insert_empty_items()\n   `-> btrfs_search_slot()\n    `-> btrfs_cow_block()\n     `-> __btrfs_cow_block()\n      `-> btrfs_alloc_tree_block()\n       `-> btrfs_reserve_extent()\n        `-> find_free_extent()\n         `-> find_free_extent_update_loop()\n          `-> can_allocate_chunk()\n           `-> btrfs_can_activate_zone() // Takes device_list_mutex again\n\nInstead of using the RCU on fs_devices->device_list we\ncan use fs_devices->alloc_list, protected by the chunk_mutex to traverse\nthe list of active devices.\n\nWe are in the chunk allocation thread. The newer chunk allocation\nhappens from the devices in the fs_device->alloc_list protected by the\nchunk_mutex.\n\n  btrfs_create_chunk()\n    lockdep_assert_held(&info->chunk_mutex);\n    gather_device_info\n      list_for_each_entry(device, &fs_devices->alloc_list, dev_alloc_list)\n\nAlso, a device that reappears after the mount won't join the alloc_list\nyet and, it will be in the dev_list, which we don't want to consider in\nthe context of the chunk alloc.\n\n  [15.166572] WARNING: possible recursive locking detected\n  [15.167117] 5.17.0-rc6-dennis #79 Not tainted\n  [15.167487] --------------------------------------------\n  [15.167733] kworker/u8:3/146 is trying to acquire lock:\n  [15.167733] ffff888102962ee0 (&fs_devs->device_list_mutex){+.+.}-{3:3}, at: find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.167733]\n  [15.167733] but task is already holding lock:\n  [15.167733] ffff888102962ee0 (&fs_devs->device_list_mutex){+.+.}-{3:3}, at: btrfs_create_pending_block_groups+0x20a/0x560 [btrfs]\n  
[15.167733]\n  [15.167733] other info that might help us debug this:\n  [15.167733]  Possible unsafe locking scenario:\n  [15.167733]\n  [15.171834]        CPU0\n  [15.171834]        ----\n  [15.171834]   lock(&fs_devs->device_list_mutex);\n  [15.171834]   lock(&fs_devs->device_list_mutex);\n  [15.171834]\n  [15.171834]  *** DEADLOCK ***\n  [15.171834]\n  [15.171834]  May be due to missing lock nesting notation\n  [15.171834]\n  [15.171834] 5 locks held by kworker/u8:3/146:\n  [15.171834]  #0: ffff888100050938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x1c3/0x5a0\n  [15.171834]  #1: ffffc9000067be80 ((work_completion)(&fs_info->async_data_reclaim_work)){+.+.}-{0:0}, at: process_one_work+0x1c3/0x5a0\n  [15.176244]  #2: ffff88810521e620 (sb_internal){.+.+}-{0:0}, at: flush_space+0x335/0x600 [btrfs]\n  [15.176244]  #3: ffff888102962ee0 (&fs_devs->device_list_mutex){+.+.}-{3:3}, at: btrfs_create_pending_block_groups+0x20a/0x560 [btrfs]\n  [15.176244]  #4: ffff8881152e4b78 (btrfs-dev-00){++++}-{3:3}, at: __btrfs_tree_lock+0x27/0x130 [btrfs]\n  [15.179641]\n  [15.179641] stack backtrace:\n  [15.179641] CPU: 1 PID: 146 Comm: kworker/u8:3 Not tainted 5.17.0-rc6-dennis #79\n  [15.179641] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014\n  [15.179641] Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  [15.179641] Call Trace:\n  [15.179641]  <TASK>\n  [15.179641]  dump_stack_lvl+0x45/0x59\n  [15.179641]  __lock_acquire.cold+0x217/0x2b2\n  [15.179641]  lock_acquire+0xbf/0x2b0\n  [15.183838]  ? find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.183838]  __mutex_lock+0x8e/0x970\n  [15.183838]  ? find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.183838]  ? find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.183838]  ? lock_is_held_type+0xd7/0x130\n  [15.183838]  ? find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.183838]  find_free_extent+0x15a/0x14f0 [btrfs]\n  [15.183838]  ? _raw_spin_unlock+0x24/0x40\n  [15.183838]  ? 
btrfs_get_alloc_profile+0x106/0x230 [btrfs]\n  [15.187601]  btrfs_reserve_extent+0x131/0x260 [btrfs]\n  [15.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49079",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller.  But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new.  This would happen if mempolicy was updated on\nthe shared shmem file while the sp->lock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n  shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n  shm = shmat(shmid, 0, 0);\n  loop many times {\n    mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n    mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n          maxnode, 0);\n  }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49080",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhighmem: fix checks in __kmap_local_sched_{in,out}\n\nWhen CONFIG_DEBUG_KMAP_LOCAL is enabled __kmap_local_sched_{in,out} check\nthat even slots in the tsk->kmap_ctrl.pteval are unmapped.  The slots are\ninitialized with 0 value, but the check is done with pte_none.  0 pte\nhowever does not necessarily mean that pte_none will return true.  e.g.\non xtensa it returns false, resulting in the following runtime warnings:\n\n WARNING: CPU: 0 PID: 101 at mm/highmem.c:627 __kmap_local_sched_out+0x51/0x108\n CPU: 0 PID: 101 Comm: touch Not tainted 5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13\n Call Trace:\n   dump_stack+0xc/0x40\n   __warn+0x8f/0x174\n   warn_slowpath_fmt+0x48/0xac\n   __kmap_local_sched_out+0x51/0x108\n   __schedule+0x71a/0x9c4\n   preempt_schedule_irq+0xa0/0xe0\n   common_exception_return+0x5c/0x93\n   do_wp_page+0x30e/0x330\n   handle_mm_fault+0xa70/0xc3c\n   do_page_fault+0x1d8/0x3c4\n   common_exception+0x7f/0x7f\n\n WARNING: CPU: 0 PID: 101 at mm/highmem.c:664 __kmap_local_sched_in+0x50/0xe0\n CPU: 0 PID: 101 Comm: touch Tainted: G        W         5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13\n Call Trace:\n   dump_stack+0xc/0x40\n   __warn+0x8f/0x174\n   warn_slowpath_fmt+0x48/0xac\n   __kmap_local_sched_in+0x50/0xe0\n   finish_task_switch$isra$0+0x1ce/0x2f8\n   __schedule+0x86e/0x9c4\n   preempt_schedule_irq+0xa0/0xe0\n   common_exception_return+0x5c/0x93\n   do_wp_page+0x30e/0x330\n   handle_mm_fault+0xa70/0xc3c\n   do_page_fault+0x1d8/0x3c4\n   common_exception+0x7f/0x7f\n\nFix it by replacing !pte_none(pteval) with pte_val(pteval) != 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49081",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\n\nThe function mpt3sas_transport_port_remove() called in\n_scsih_expander_node_remove() frees the port field of the sas_expander\nstructure, leading to the following use-after-free splat from KASAN when\nthe ioc_info() call following that function is executed (e.g. when doing\nrmmod of the driver module):\n\n[ 3479.371167] ==================================================================\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\n[ 3479.393524]\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\n[ 3479.409263] Call Trace:\n[ 3479.411743]  <TASK>\n[ 3479.413875]  dump_stack_lvl+0x45/0x59\n[ 3479.417582]  print_address_description.constprop.0+0x1f/0x120\n[ 3479.423389]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.429469]  kasan_report.cold+0x83/0xdf\n[ 3479.433438]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.439514]  _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.445411]  ? _raw_spin_unlock_irqrestore+0x2d/0x40\n[ 3479.452032]  scsih_remove+0x525/0xc90 [mpt3sas]\n[ 3479.458212]  ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\n[ 3479.465529]  ? down_write+0xde/0x150\n[ 3479.470746]  ? up_write+0x14d/0x460\n[ 3479.475840]  ? kernfs_find_ns+0x137/0x310\n[ 3479.481438]  pci_device_remove+0x65/0x110\n[ 3479.487013]  __device_release_driver+0x316/0x680\n[ 3479.493180]  driver_detach+0x1ec/0x2d0\n[ 3479.498499]  bus_remove_driver+0xe7/0x2d0\n[ 3479.504081]  pci_unregister_driver+0x26/0x250\n[ 3479.510033]  _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\n[ 3479.516144]  __x64_sys_delete_module+0x2fd/0x510\n[ 3479.522315]  ? 
free_module+0xaa0/0xaa0\n[ 3479.527593]  ? __cond_resched+0x1c/0x90\n[ 3479.532951]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 3479.539607]  ? syscall_enter_from_user_mode+0x21/0x70\n[ 3479.546161]  ? trace_hardirqs_on+0x1c/0x110\n[ 3479.551828]  do_syscall_64+0x35/0x80\n[ 3479.556884]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\n...\n[ 3479.943087] ==================================================================\n\nFix this by introducing the local variable port_id to store the port ID\nvalue before executing mpt3sas_transport_port_remove(). This local variable\nis then used in the call to ioc_info() instead of dereferencing the freed\nport structure.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49082",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/omap: Fix regression in probe for NULL pointer dereference\n\nCommit 3f6634d997db (\"iommu: Use right way to retrieve iommu_ops\") started\ntriggering a NULL pointer dereference for some omap variants:\n\n__iommu_probe_device from probe_iommu_group+0x2c/0x38\nprobe_iommu_group from bus_for_each_dev+0x74/0xbc\nbus_for_each_dev from bus_iommu_probe+0x34/0x2e8\nbus_iommu_probe from bus_set_iommu+0x80/0xc8\nbus_set_iommu from omap_iommu_init+0x88/0xcc\nomap_iommu_init from do_one_initcall+0x44/0x24\n\nThis is caused by omap iommu probe returning 0 instead of ERR_PTR(-ENODEV)\nas noted by Jason Gunthorpe <jgg@ziepe.ca>.\n\nLooks like the regression already happened with an earlier commit\n6785eb9105e3 (\"iommu/omap: Convert to probe/release_device() call-backs\")\nthat changed the function return type and missed converting one place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49083",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqede: confirm skb is allocated before using\n\nqede_build_skb() assumes build_skb() always works and goes straight\nto skb_reserve(). However, build_skb() can fail under memory pressure.\nThis results in a kernel panic because the skb to reserve is NULL.\n\nAdd a check in case build_skb() failed to allocate and return NULL.\n\nThe NULL return is handled correctly in callers to qede_build_skb().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49084",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: Fix five use after free bugs in get_initial_state\n\nIn get_initial_state, it calls notify_initial_state_done(skb,..) if\ncb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),\nthe skb will be freed by nlmsg_free(skb).\nThen get_initial_state will goto out and the freed skb will be used by\nreturn value skb->len, which is a uaf bug.\n\nWhat's worse, the same problem goes even further: skb can also be\nfreed in the notify_*_state_change -> notify_*_state calls below.\nThus 4 additional uaf bugs happened.\n\nMy patch lets the problem callee functions: notify_initial_state_done\nand notify_*_state_change return an error code if errors happen.\nSo that the error codes could be propagated and the uaf bugs can be avoided.\n\nv2 reports a compilation warning. This v3 fixed this warning and built\nsuccessfully in my local environment with no additional warnings.\nv2: https://lore.kernel.org/patchwork/patch/1435218/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49085",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix leak of nested actions\n\nWhile parsing user-provided actions, openvswitch module may dynamically\nallocate memory and store pointers in the internal copy of the actions.\nSo this memory has to be freed while destroying the actions.\n\nCurrently there are only two such actions: ct() and set().  However,\nthere are many actions that can hold nested lists of actions and\novs_nla_free_flow_actions() just jumps over them leaking the memory.\n\nFor example, removal of the flow with the following actions will lead\nto a leak of the memory allocated by nf_ct_tmpl_alloc():\n\n  actions:clone(ct(commit),0)\n\nNon-freed set() action may also leak the 'dst' structure for the\ntunnel info including device references.\n\nUnder certain conditions with a high rate of flow rotation that may\ncause significant memory leak problem (2MB per second in reporter's\ncase).  The problem is also hard to mitigate, because the user doesn't\nhave direct control over the datapath flows generated by OVS.\n\nFix that by iterating over all the nested actions and freeing\neverything that needs to be freed recursively.\n\nNew build time assertion should protect us from this problem if new\nactions will be added in the future.\n\nUnfortunately, openvswitch module doesn't use NLA_F_NESTED, so all\nattributes have to be explicitly checked.  sample() and clone() actions\nare mixing extra attributes into the user-provided action list.  That\nprevents some code generalization too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49086",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix a race in rxrpc_exit_net()\n\nCurrent code can lead to the following race:\n\nCPU0                                                 CPU1\n\nrxrpc_exit_net()\n                                                     rxrpc_peer_keepalive_worker()\n                                                       if (rxnet->live)\n\n  rxnet->live = false;\n  del_timer_sync(&rxnet->peer_keepalive_timer);\n\n                                                             timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay);\n\n  cancel_work_sync(&rxnet->peer_keepalive_work);\n\nrxrpc_exit_net() exits while peer_keepalive_timer is still armed,\nleading to use-after-free.\n\nsyzbot report was:\n\nODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0\nWARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505\nModules linked in:\nCPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nRIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505\nCode: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3\nRSP: 0018:ffffc9000353fb00 EFLAGS: 00010082\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000\nRDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0\nR13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000\nFS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\nCR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __debug_check_no_obj_freed lib/debugobjects.c:992 [inline]\n debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023\n kfree+0xd6/0x310 mm/slab.c:3809\n ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176\n ops_free_list net/core/net_namespace.c:174 [inline]\n cleanup_net+0x591/0xb00 net/core/net_namespace.c:598\n process_one_work+0x996/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e9/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49087",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe\n\nThis node pointer is returned by of_find_compatible_node() with\nrefcount incremented. Calling of_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49088",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition\n\nThe documentation of the function rvt_error_qp says both r_lock and s_lock\nneed to be held when calling that function.  It also asserts using lockdep\nthat both of those locks are held.  However, the commit I referenced in\nFixes accidentally makes the call to rvt_error_qp in rvt_ruc_loopback no\nlonger covered by r_lock.  This results in the lockdep assertion failing\nand also possibly in a race condition.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49089",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narch/arm64: Fix topology initialization for core scheduling\n\nArm64 systems rely on store_cpu_topology() to call update_siblings_masks()\nto transfer the topology to the various cpu masks. This needs to be done\nbefore the call to notify_cpu_starting() which tells the scheduler about\neach cpu found, otherwise the core scheduling data structures are setup\nin a way that does not match the actual topology.\n\nWith smt_mask not setup correctly we bail on `cpumask_weight(smt_mask) == 1`\nfor !leaders in:\n\n notify_cpu_starting()\n   cpuhp_invoke_callback_range()\n     sched_cpu_starting()\n       sched_core_cpu_starting()\n\nwhich leads to rq->core not being correctly set for !leader-rq's.\n\nWithout this change stress-ng (which enables core scheduling in its prctl\ntests in newer versions -- i.e. with PR_SCHED_CORE support) causes a warning\nand then a crash (trimmed for legibility):\n\n[ 1853.805168] ------------[ cut here ]------------\n[ 1853.809784] task_rq(b)->core != rq->core\n[ 1853.809792] WARNING: CPU: 117 PID: 0 at kernel/sched/fair.c:11102 cfs_prio_less+0x1b4/0x1c4\n...\n[ 1854.015210] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n...\n[ 1854.231256] Call trace:\n[ 1854.233689]  pick_next_task+0x3dc/0x81c\n[ 1854.237512]  __schedule+0x10c/0x4cc\n[ 1854.240988]  schedule_idle+0x34/0x54",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49090",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx: Fix memory leak in imx_pd_connector_get_modes\n\nAvoid leaking the display mode variable if of_get_drm_display_mode\nfails.\n\nAddresses-Coverity-ID: 1443943 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49091",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix route with nexthop object delete warning\n\nFRR folks have hit a kernel warning[1] while deleting routes[2] which is\ncaused by trying to delete a route pointing to a nexthop id without\nspecifying nhid but matching on an interface. That is, a route is found\nbut we hit a warning while matching it. The warning is from\nfib_info_nh() in include/net/nexthop.h because we run it on a fib_info\nwith nexthop object. The call chain is:\n inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a\nnexthop fib_info and also with fc_oif set thus calling fib_info_nh on\nthe fib_info and triggering the warning). The fix is to not do any\nmatching in that branch if the fi has a nexthop object because those are\nmanaged separately. I.e. we should match when deleting without nh spec and\nshould fail when deleting a nexthop route with old-style nh spec because\nnexthop objects are managed separately, e.g.:\n $ ip r show 1.2.3.4/32\n 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0\n\n $ ip r del 1.2.3.4/32\n $ ip r del 1.2.3.4/32 nhid 12\n <both should work>\n\n $ ip r del 1.2.3.4/32 dev dummy0\n <should fail with ESRCH>\n\n[1]\n [  523.462226] ------------[ cut here ]------------\n [  523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460\n [  523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer 
rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd\n [  523.462274]  videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse\n [  523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P           OE     5.16.18-200.fc35.x86_64 #1\n [  523.462302] Hardware name: Micro-Star International Co., Ltd. 
MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020\n [  523.462303] RIP: 0010:fib_nh_match+0x210/0x460\n [  523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00\n [  523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286\n [  523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0\n [  523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380\n [  523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000\n [  523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031\n [  523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0\n [  523.462311] FS:  00007f2455\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49092",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: fix coalescing for page_pool fragment recycling\n\nFix a use-after-free when using page_pool with page fragments. We\nencountered this problem during normal RX in the hns3 driver:\n\n(1) Initially we have three descriptors in the RX queue. The first one\n    allocates PAGE1 through page_pool, and the other two allocate one\n    half of PAGE2 each. Page references look like this:\n\n                RX_BD1 _______ PAGE1\n                RX_BD2 _______ PAGE2\n                RX_BD3 _________/\n\n(2) Handle RX on the first descriptor. Allocate SKB1, eventually added\n    to the receive queue by tcp_queue_rcv().\n\n(3) Handle RX on the second descriptor. Allocate SKB2 and pass it to\n    netif_receive_skb():\n\n    netif_receive_skb(SKB2)\n      ip_rcv(SKB2)\n        SKB3 = skb_clone(SKB2)\n\n    SKB2 and SKB3 share a reference to PAGE2 through\n    skb_shinfo()->dataref. The other ref to PAGE2 is still held by\n    RX_BD3:\n\n                      SKB2 ---+- PAGE2\n                      SKB3 __/   /\n                RX_BD3 _________/\n\n (3b) Now while handling TCP, coalesce SKB3 with SKB1:\n\n      tcp_v4_rcv(SKB3)\n        tcp_try_coalesce(to=SKB1, from=SKB3)    // succeeds\n        kfree_skb_partial(SKB3)\n          skb_release_data(SKB3)                // drops one dataref\n\n                      SKB1 _____ PAGE1\n                           \\____\n                      SKB2 _____ PAGE2\n                                 /\n                RX_BD3 _________/\n\n    In skb_try_coalesce(), __skb_frag_ref() takes a page reference to\n    PAGE2, where it should instead have increased the page_pool frag\n    reference, pp_frag_count. Without coalescing, when releasing both\n    SKB2 and SKB3, a single reference to PAGE2 would be dropped. 
Now\n    when releasing SKB1 and SKB2, two references to PAGE2 will be\n    dropped, resulting in underflow.\n\n (3c) Drop SKB2:\n\n      af_packet_rcv(SKB2)\n        consume_skb(SKB2)\n          skb_release_data(SKB2)                // drops second dataref\n            page_pool_return_skb_page(PAGE2)    // drops one pp_frag_count\n\n                      SKB1 _____ PAGE1\n                           \\____\n                                 PAGE2\n                                 /\n                RX_BD3 _________/\n\n(4) Userspace calls recvmsg()\n    Copies SKB1 and releases it. Since SKB3 was coalesced with SKB1, we\n    release the SKB3 page as well:\n\n    tcp_eat_recv_skb(SKB1)\n      skb_release_data(SKB1)\n        page_pool_return_skb_page(PAGE1)\n        page_pool_return_skb_page(PAGE2)        // drops second pp_frag_count\n\n(5) PAGE2 is freed, but the third RX descriptor was still using it!\n    In our case this causes IOMMU faults, but it would silently corrupt\n    memory if the IOMMU was disabled.\n\nChange the logic that checks whether pp_recycle SKBs can be coalesced.\nWe still reject differing pp_recycle between 'from' and 'to' SKBs, but\nin order to avoid the situation described above, we also reject\ncoalescing when both 'from' and 'to' are pp_recycled and 'from' is\ncloned.\n\nThe new logic allows coalescing a cloned pp_recycle SKB into a page\nrefcounted one, because in this case the release (4) will drop the right\nreference, the one taken by skb_try_coalesce().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49093",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix slab-out-of-bounds bug in decrypt_internal\n\nThe memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in\ntls_set_sw_offload(). The return value of crypto_aead_ivsize()\nfor \"ccm(aes)\" is 16. So memcpy() requiring 16 bytes from 12 bytes\nmemory space will trigger slab-out-of-bounds bug as following:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]\nRead of size 16 at addr ffff888114e84e60 by task tls/10911\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_report+0xab/0x120\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_check_range+0xf9/0x1e0\n memcpy+0x20/0x60\n decrypt_internal+0x385/0xc40 [tls]\n ? tls_get_rec+0x2e0/0x2e0 [tls]\n ? process_rx_list+0x1a5/0x420 [tls]\n ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]\n decrypt_skb_update+0x9d/0x400 [tls]\n tls_sw_recvmsg+0x3c8/0xb50 [tls]\n\nAllocated by task 10911:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n tls_set_sw_offload+0x2eb/0xa20 [tls]\n tls_setsockopt+0x68c/0x700 [tls]\n __sys_setsockopt+0xfe/0x1b0\n\nReplace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size\nwhen memcpy() iv value in TLS_1_3_VERSION scenario.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49094",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()\n\nThe error handling path of the probe releases a resource that is not freed\nin the remove function. In some cases, an ioremap() must be undone.\n\nAdd the missing iounmap() call in the remove function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49095",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sfc: add missing xdp queue reinitialization\n\nAfter rx/tx ring buffer size is changed, kernel panic occurs when\nit acts XDP_TX or XDP_REDIRECT.\n\nWhen tx/rx ring buffer size is changed(ethtool -G), sfc driver\nreallocates and reinitializes rx and tx queues and their buffer\n(tx_queue->buffer).\nBut it misses reinitializing xdp queues(efx->xdp_tx_queues).\nSo, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized\ntx_queue->buffer.\n\nA new function efx_set_xdp_channels() is separated from efx_set_channels()\nto handle only xdp queues.\n\nSplat looks like:\n   BUG: kernel NULL pointer dereference, address: 000000000000002a\n   #PF: supervisor write access in kernel mode\n   #PF: error_code(0x0002) - not-present page\n   PGD 0 P4D 0\n   Oops: 0002 [#4] PREEMPT SMP NOPTI\n   RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n   CPU: 2 PID: 0 Comm: swapper/2 Tainted: G      D           5.17.0+ #55 e8beeee8289528f11357029357cf\n   Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n   RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297\n   RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n   RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870\n   RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0\n   RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000\n   R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n   R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0\n   FS:  0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n   CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0\n   RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297\n   PKRU: 55555554\n   RAX: 0000000000000040 RBX: 
ffff92ea50689700 RCX: ffffffffc0330870\n   RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700\n   RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000\n   R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n   R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700\n   FS:  0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0\n   PKRU: 55555554\n   Call Trace:\n    <IRQ>\n    efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n    ? enqueue_task_fair+0x95/0x550\n    efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49096",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Avoid writeback threads getting stuck in mempool_alloc()\n\nIn a low memory situation, allow the NFS writeback code to fail without\ngetting stuck in infinite loops in mempool_alloc().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49097",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix potential crash on module unload\n\nThe vmbus driver relies on the panic notifier infrastructure to perform\nsome operations when a panic event is detected. Since vmbus can be built\nas module, it is required that the driver handles both registering and\nunregistering such panic notifier callback.\n\nAfter commit 74347a99e73a (\"x86/Hyper-V: Unload vmbus channel in hv panic callback\")\nthough, the panic notifier registration is done unconditionally in the module\ninitialization routine whereas the unregistering procedure is conditionally\nguarded and executes only if HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE capability\nis set.\n\nThis patch fixes that by unconditionally unregistering the panic notifier\nin the module's exit routine as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49098",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()\n\nInitialize the device's dma_{mask,parms} pointers and the device's\ndma_mask value before invoking device_register().  Address the\nfollowing trace with 5.17-rc7:\n\n[   49.646839] WARNING: CPU: 0 PID: 189 at include/linux/dma-mapping.h:543\n\tnetvsc_probe+0x37a/0x3a0 [hv_netvsc]\n[   49.646928] Call Trace:\n[   49.646930]  <TASK>\n[   49.646935]  vmbus_probe+0x40/0x60 [hv_vmbus]\n[   49.646942]  really_probe+0x1ce/0x3b0\n[   49.646948]  __driver_probe_device+0x109/0x180\n[   49.646952]  driver_probe_device+0x23/0xa0\n[   49.646955]  __device_attach_driver+0x76/0xe0\n[   49.646958]  ? driver_allows_async_probing+0x50/0x50\n[   49.646961]  bus_for_each_drv+0x84/0xd0\n[   49.646964]  __device_attach+0xed/0x170\n[   49.646967]  device_initial_probe+0x13/0x20\n[   49.646970]  bus_probe_device+0x8f/0xa0\n[   49.646973]  device_add+0x41a/0x8e0\n[   49.646975]  ? hrtimer_init+0x28/0x80\n[   49.646981]  device_register+0x1b/0x20\n[   49.646983]  vmbus_device_register+0x5e/0xf0 [hv_vmbus]\n[   49.646991]  vmbus_add_channel_work+0x12d/0x190 [hv_vmbus]\n[   49.646999]  process_one_work+0x21d/0x3f0\n[   49.647002]  worker_thread+0x4a/0x3b0\n[   49.647005]  ? process_one_work+0x3f0/0x3f0\n[   49.647007]  kthread+0xff/0x130\n[   49.647011]  ? kthread_complete_and_exit+0x20/0x20\n[   49.647015]  ret_from_fork+0x22/0x30\n[   49.647020]  </TASK>\n[   49.647021] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49099",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_console: eliminate anonymous module_init & module_exit\n\nEliminate anonymous module_init() and module_exit(), which can lead to\nconfusion or ambiguity when reading System.map, crashes/oops/bugs,\nor an initcall_debug log.\n\nGive each of these init and exit functions unique driver-specific\nnames to eliminate the anonymous names.\n\nExample 1: (System.map)\n ffffffff832fc78c t init\n ffffffff832fc79e t init\n ffffffff832fc8f8 t init\n\nExample 2: (initcall_debug log)\n calling  init+0x0/0x12 @ 1\n initcall init+0x0/0x12 returned 0 after 15 usecs\n calling  init+0x0/0x60 @ 1\n initcall init+0x0/0x60 returned 0 after 2 usecs\n calling  init+0x0/0x9a @ 1\n initcall init+0x0/0x9a returned 0 after 74 usecs",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49100",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs: fix possible memory leak in MMU DR fini\n\nThis patch fixes what seems to be a copy-paste error.\n\nWe will have a memory leak if the host-resident shadow is NULL (which\nwill likely happen as the DR and HR are not dependent).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49102",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()\n\n[You don't often get email from xiongx18@fudan.edu.cn. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]\n\nThe reference counting issue happens in two error paths in the\nfunction _nfs42_proc_copy_notify(). In both error paths, the function\nsimply returns the error code and forgets to balance the refcount of\nobject `ctx`, bumped by get_nfs_open_context() earlier, which may\ncause refcount leaks.\n\nFix it by balancing refcount of the `ctx` object before the function\nreturns in both error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49103",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_core: handle NULL result of find_service_by_handle\n\nIn case of an invalid handle the function find_service_by_handle\nreturns NULL. So take care of this and avoid a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49104",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: wfx: fix an error handling in wfx_init_common()\n\nOne error handler of wfx_init_common() returns without calling\nieee80211_free_hw(hw), which may result in a memory leak. And I add\none err label to unify the error handler, which is useful for the\nsubsequent changes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49105",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_arm: Avoid NULL ptr deref in vchiq_dump_platform_instances\n\nvchiq_get_state() can return a NULL pointer. So handle this case and\navoid a NULL pointer dereference in vchiq_dump_platform_instances.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49106",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_readdir when note_last_dentry returns error\n\nReset the last_readdir at the same time, and add a comment explaining\nwhy we don't free last_readdir when dir_emit returns false.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49107",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Fix memory leaks on probe\n\nHandle the error branches to free memory where required.\n\nAddresses-Coverity-ID: 1491825 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49108",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix inode reference leakage in ceph_get_snapdir()\n\nThe ceph_get_inode() will search for or insert a new inode into the\nhash for the given vino, and return a reference to it. If new is\nnon-NULL, its reference is consumed.\n\nWe should release the reference when in error handling cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49109",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: revisit gc autotuning\n\nas of commit 4608fdfc07e1\n(\"netfilter: conntrack: collect all entries in one cycle\")\nconntrack gc was changed to run every 2 minutes.\n\nOn systems where conntrack hash table is set to large value, most evictions\nhappen from gc worker rather than the packet path due to hash table\ndistribution.\n\nThis causes netlink event overflows when events are collected.\n\nThis change collects average expiry of scanned entries and\nreschedules to the average remaining value, within 1 to 60 second interval.\n\nTo avoid event overflows, reschedule after each bucket and add a\nlimit for both run time and number of evictions per run.\n\nIf more entries have to be evicted, reschedule and restart 1 jiffy\ninto the future.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49110",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn->type is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n    BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n    Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n    CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n    5.17.0-rc5-00006-gda4022eeac1a #7\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n    rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x45/0x59\n     print_address_description.constprop.0+0x1f/0x150\n     kasan_report.cold+0x7f/0x11b\n     hci_send_acl+0xaba/0xc50\n     l2cap_do_send+0x23f/0x3d0\n     l2cap_chan_send+0xc06/0x2cc0\n     l2cap_sock_sendmsg+0x201/0x2b0\n     sock_sendmsg+0xdc/0x110\n     sock_write_iter+0x20f/0x370\n     do_iter_readv_writev+0x343/0x690\n     do_iter_write+0x132/0x640\n     vfs_writev+0x198/0x570\n     do_writev+0x202/0x280\n     do_syscall_64+0x38/0x90\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n    Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n    0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n    <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n    RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n    RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n    R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n    RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n    </TASK>\n    R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 
R15: 000055e4ccf4a6b0\n\n    Allocated by task 45:\n        kasan_save_stack+0x1e/0x40\n        __kasan_kmalloc+0x81/0xa0\n        hci_chan_create+0x9a/0x2f0\n        l2cap_conn_add.part.0+0x1a/0xdc0\n        l2cap_connect_cfm+0x236/0x1000\n        le_conn_complete_evt+0x15a7/0x1db0\n        hci_le_conn_complete_evt+0x226/0x2c0\n        hci_le_meta_evt+0x247/0x450\n        hci_event_packet+0x61b/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    Freed by task 45:\n        kasan_save_stack+0x1e/0x40\n        kasan_set_track+0x21/0x30\n        kasan_set_free_info+0x20/0x30\n        __kasan_slab_free+0xfb/0x130\n        kfree+0xac/0x350\n        hci_conn_cleanup+0x101/0x6a0\n        hci_conn_del+0x27e/0x6c0\n        hci_disconn_phylink_complete_evt+0xe0/0x120\n        hci_event_packet+0x812/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    The buggy address belongs to the object at ffff88800c0f0500\n    The buggy address is located 24 bytes inside of\n    which belongs to the cache kmalloc-128 of size 128\n    The buggy address belongs to the page:\n    128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n    flags: 0x100000000000200(slab|node=0|zone=1)\n    page:00000000fe45cd86 refcount:1 mapcount:0\n    mapping:0000000000000000 index:0x0 pfn:0xc0f0\n    raw: 0000000000000000 0000000080100010 00000001ffffffff\n    0000000000000000\n    raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n    ffff8880078418c0\n    page dumped because: kasan: bad access detected\n    ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n    Memory state around the buggy address:\n    >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n    ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc 
fc fc fc fc\n    ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49111",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix monitor mode crash with sdio driver\n\nmt7921s driver may receive frames with fragment buffers. If there is a\nCTS packet received in monitor mode, the payload is 10 bytes only and\nneed 6 bytes header padding after RXD buffer. However, only RXD in the\nfirst linear buffer, if we pull buffer size RXD-size+6 bytes with\nskb_pull(), that would trigger \"BUG_ON(skb->len < skb->data_len)\" in\n__skb_pull().\n\nTo avoid the nonlinear buffer issue, enlarge the RXD size from 128 to\n256 to make sure all MCU operation in linear buffer.\n\n[   52.007562] kernel BUG at include/linux/skbuff.h:2313!\n[   52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[   52.007987] pc : skb_pull+0x48/0x4c\n[   52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]\n[   52.008361] Call trace:\n[   52.008377]  skb_pull+0x48/0x4c\n[   52.008400]  mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]\n[   52.008431]  __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]\n[   52.008449]  kthread+0x148/0x3ac\n[   52.008466]  ret_from_fork+0x10/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49112",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/secvar: fix refcount leak in format_show()\n\nRefcount leak will happen when format_show returns failure in multiple\ncases. Unified management of of_node_put can fix this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49113",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix use after free in fc_exch_abts_resp()\n\nfc_exch_release(ep) will decrease the ep's reference count. When the\nreference count reaches zero, it is freed. But ep is still used in the\nfollowing code, which will lead to a use after free.\n\nReturn after the fc_exch_release() call to avoid use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49114",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix misused goto label\n\nFix a misused goto label jump since that can result in a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49115",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use memset avoid memory leaks\n\nUse memset to initialize structs to prevent memory leaks\nin l2cap_ecred_connect",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49116",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: ralink: fix a refcount leak in ill_acc_of_setup()\n\nof_node_put(np) needs to be called when pdev == NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49117",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Free irq vectors in order for v3 HW\n\nIf the driver probe fails to request the channel IRQ or fatal IRQ, the\ndriver will free the IRQ vectors before freeing the IRQs in free_irq(),\nand this will cause a kernel BUG like this:\n\n------------[ cut here ]------------\nkernel BUG at drivers/pci/msi.c:369!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nCall trace:\n   free_msi_irqs+0x118/0x13c\n   pci_disable_msi+0xfc/0x120\n   pci_free_irq_vectors+0x24/0x3c\n   hisi_sas_v3_probe+0x360/0x9d0 [hisi_sas_v3_hw]\n   local_pci_probe+0x44/0xb0\n   work_for_cpu_fn+0x20/0x34\n   process_one_work+0x1d0/0x340\n   worker_thread+0x2e0/0x460\n   kthread+0x180/0x190\n   ret_from_fork+0x10/0x20\n---[ end trace b88990335b610c11 ]---\n\nSo we use devm_add_action() to control the order in which we free the\nvectors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49118",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()\n\nIn pm8001_chip_fw_flash_update_build(), if\npm8001_chip_fw_flash_update_build() fails, the struct fw_control_ex\nallocated must be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49119",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix task leak in pm8001_send_abort_all()\n\nIn pm8001_send_abort_all(), make sure to free the allocated sas task\nif pm8001_tag_alloc() or pm8001_mpi_build_cmd() fail.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49120",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix tag leaks on error\n\nIn pm8001_chip_set_dev_state_req(), pm8001_chip_fw_flash_update_req(),\npm80xx_chip_phy_ctl_req() and pm8001_chip_reg_dev_req() add missing calls\nto pm8001_tag_free() to free the allocated tag when pm8001_mpi_build_cmd()\nfails.\n\nSimilarly, in pm8001_exec_internal_task_abort(), if the chip ->task_abort\nmethod fails, the tag allocated for the abort request task must be\nfreed. Add the missing call to pm8001_tag_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49121",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm ioctl: prevent potential spectre v1 gadget\n\nIt appears like cmd could be a Spectre v1 gadget as it's supplied by a\nuser and used as an array index. Prevent the contents of kernel memory\nfrom being leaked to userspace via speculative execution by using\narray_index_nospec.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49122",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: Fix frames flush failure caused by deadlock\n\nWe are seeing below warnings:\n\nkernel: [25393.301506] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0\nkernel: [25398.421509] ath11k_pci 0000:01:00.0: failed to flush mgmt transmit queue 0\nkernel: [25398.421831] ath11k_pci 0000:01:00.0: dropping mgmt frame for vdev 0, is_started 0\n\nthis means ath11k fails to flush mgmt. frames because wmi_mgmt_tx_work\nhas no chance to run in 5 seconds.\n\nBy setting /proc/sys/kernel/hung_task_timeout_secs to 20 and increasing\nATH11K_FLUSH_TIMEOUT to 50 we get below warnings:\n\nkernel: [  120.763160] INFO: task wpa_supplicant:924 blocked for more than 20 seconds.\nkernel: [  120.763169]       Not tainted 5.10.90 #12\nkernel: [  120.763177] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nkernel: [  120.763186] task:wpa_supplicant  state:D stack:    0 pid:  924 ppid:     1 flags:0x000043a0\nkernel: [  120.763201] Call Trace:\nkernel: [  120.763214]  __schedule+0x785/0x12fa\nkernel: [  120.763224]  ? lockdep_hardirqs_on_prepare+0xe2/0x1bb\nkernel: [  120.763242]  schedule+0x7e/0xa1\nkernel: [  120.763253]  schedule_timeout+0x98/0xfe\nkernel: [  120.763266]  ? run_local_timers+0x4a/0x4a\nkernel: [  120.763291]  ath11k_mac_flush_tx_complete+0x197/0x2b1 [ath11k 13c3a9bf37790f4ac8103b3decf7ab4008ac314a]\nkernel: [  120.763306]  ? 
init_wait_entry+0x2e/0x2e\nkernel: [  120.763343]  __ieee80211_flush_queues+0x167/0x21f [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763378]  __ieee80211_recalc_idle+0x105/0x125 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763411]  ieee80211_recalc_idle+0x14/0x27 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763441]  ieee80211_free_chanctx+0x77/0xa2 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763473]  __ieee80211_vif_release_channel+0x100/0x131 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763540]  ieee80211_vif_release_channel+0x66/0x81 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763572]  ieee80211_destroy_auth_data+0xa3/0xe6 [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763612]  ieee80211_mgd_deauth+0x178/0x29b [mac80211 335da900954f1c5ea7f1613d92088ce83342042c]\nkernel: [  120.763654]  cfg80211_mlme_deauth+0x1a8/0x22c [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [  120.763697]  nl80211_deauthenticate+0xfa/0x123 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [  120.763715]  genl_rcv_msg+0x392/0x3c2\nkernel: [  120.763750]  ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [  120.763782]  ? nl80211_associate+0x432/0x432 [cfg80211 8945aa5bc2af5f6972336665d8ad6f9c191ad5be]\nkernel: [  120.763802]  ? genl_rcv+0x36/0x36\nkernel: [  120.763814]  netlink_rcv_skb+0x89/0xf7\nkernel: [  120.763829]  genl_rcv+0x28/0x36\nkernel: [  120.763840]  netlink_unicast+0x179/0x24b\nkernel: [  120.763854]  netlink_sendmsg+0x393/0x401\nkernel: [  120.763872]  sock_sendmsg+0x72/0x76\nkernel: [  120.763886]  ____sys_sendmsg+0x170/0x1e6\nkernel: [  120.763897]  ? 
copy_msghdr_from_user+0x7a/0xa2\nkernel: [  120.763914]  ___sys_sendmsg+0x95/0xd1\nkernel: [  120.763940]  __sys_sendmsg+0x85/0xbf\nkernel: [  120.763956]  do_syscall_64+0x43/0x55\nkernel: [  120.763966]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\nkernel: [  120.763977] RIP: 0033:0x79089f3fcc83\nkernel: [  120.763986] RSP: 002b:00007ffe604f0508 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nkernel: [  120.763997] RAX: ffffffffffffffda RBX: 000059b40e987690 RCX: 000079089f3fcc83\nkernel: [  120.764006] RDX: 0000000000000000 RSI: 00007ffe604f0558 RDI: 0000000000000009\nkernel: [  120.764014] RBP: 00007ffe604f0540 R08: 0000000000000004 R09: 0000000000400000\nkernel: [  120.764023] R10: 00007ffe604f0638 R11: 0000000000000246 R12: 000059b40ea04980\nkernel: [  120.764032] R13: 00007ffe604\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49123",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mce: Work around an erratum on fast string copy instructions\n\nA rare kernel panic scenario can happen when the following conditions\nare met due to an erratum on fast string copy instructions:\n\n1) An uncorrected error.\n2) That error must be in first cache line of a page.\n3) Kernel must execute page_copy from the page immediately before that\npage.\n\nThe fast string copy instructions (\"REP; MOVS*\") could consume an\nuncorrectable memory error in the cache line _right after_ the desired\nregion to copy and raise an MCE.\n\nBit 0 of MSR_IA32_MISC_ENABLE can be cleared to disable fast string\ncopy and will avoid such spurious machine checks. However, that is less\npreferable due to the permanent performance impact. Considering memory\npoison is rare, it's desirable to keep fast string copy enabled until an\nMCE is seen.\n\nIntel has confirmed the following:\n1. The CPU erratum of fast string copy only applies to Skylake,\nCascade Lake and Cooper Lake generations.\n\nDirectly return from the MCE handler:\n2. Will result in complete execution of the \"REP; MOVS*\" with no data\nloss or corruption.\n3. Will not result in another MCE firing on the next poisoned cache line\ndue to \"REP; MOVS*\".\n4. Will resume execution from a correct point in code.\n5. Will result in the same instruction that triggered the MCE firing a\nsecond MCE immediately for any other software recoverable data fetch\nerrors.\n6. 
Is not safe without disabling the fast string copy, as the next fast\nstring copy of the same buffer on the same CPU would result in a PANIC\nMCE.\n\nThis should mitigate the erratum completely with the only caveat that\nthe fast string copy is disabled on the affected hyper thread thus\nperformance degradation.\n\nThis is still better than the OS crashing on MCEs raised on an\nirrelevant process due to \"REP; MOVS*' accesses in a kernel context,\ne.g., copy_page.\n\n\nInjected errors on 1st cache line of 8 anonymous pages of process\n'proc1' and observed MCE consumption from 'proc2' with no panic\n(directly returned).\n\nWithout the fix, the host panicked within a few minutes on a\nrandom 'proc2' process due to kernel access from copy_page.\n\n  [ bp: Fix comment style + touch ups, zap an unlikely(), improve the\n    quirk function's readability. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49124",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sprd: fix potential NULL dereference\n\n'drm' could be null in sprd_drm_shutdown, and drm_warn may dereference\nit, remove this warning log.\n\n\nv1 -> v2:\n- Split checking platform_get_resource() return value to a separate patch\n- Use dev_warn() instead of removing the warning log",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49125",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix memory leaks\n\nFix memory leaks related to operational reply queue's memory segments which\nare not getting freed while unloading the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49126",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nref_tracker: implement use-after-free detection\n\nWhenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir\nas dead.\n\nTest the dead status from ref_tracker_alloc() and ref_tracker_free()\n\nThis should detect buggy dev_put()/dev_hold() happening too late\nin netdevice dismantle process.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49127",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: Add missing pm_runtime_put_sync\n\npm_runtime_get_sync() will increase the runtime PM counter\neven when it returns an error. Thus a pairing decrement is needed\nto prevent refcount leak. Fix this by replacing this API with\npm_runtime_resume_and_get(), which will not change the runtime\nPM counter on error. Besides, a matching decrement is needed\non the error handling path to keep the counter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49128",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix crash when startup fails.\n\nIf the nic fails to start, it is possible that the\nreset_work has already been scheduled.  Ensure the\nwork item is canceled so we do not have a use-after-free\ncrash in case cleanup is called before the work item\nis executed.\n\nThis fixes a crash on my x86_64 apu2 when mt7921k radio\nfails to work.  Radio still fails, but OS does not\ncrash.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49129",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: mhi: use mhi_sync_power_up()\n\nIf amss.bin was missing ath11k would crash during 'rmmod ath11k_pci'. The\nreason for that was that we were using mhi_async_power_up() which does not\ncheck any errors. But mhi_sync_power_up() on the other hand does check for\nerrors so let's use that to fix the crash.\n\nI was not able to find a reason why an async version was used.\nath11k_mhi_start() (which enables state ATH11K_MHI_POWER_ON) is called from\nath11k_hif_power_up(), which can sleep. So sync version should be safe to use\nhere.\n\n[  145.569731] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI\n[  145.569789] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[  145.569843] CPU: 2 PID: 1628 Comm: rmmod Kdump: loaded Tainted: G        W         5.16.0-wt-ath+ #567\n[  145.569898] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[  145.569956] RIP: 0010:ath11k_hal_srng_access_begin+0xb5/0x2b0 [ath11k]\n[  145.570028] Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 ec 01 00 00 48 8b ab a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <0f> b6 14 02 48 89 e8 83 e0 07 83 c0 03 45 85 ed 75 48 38 d0 7c 08\n[  145.570089] RSP: 0018:ffffc900025d7ac0 EFLAGS: 00010246\n[  145.570144] RAX: dffffc0000000000 RBX: ffff88814fca2dd8 RCX: 1ffffffff50cb455\n[  145.570196] RDX: 0000000000000000 RSI: ffff88814fca2dd8 RDI: ffff88814fca2e80\n[  145.570252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffa8659497\n[  145.570329] R10: fffffbfff50cb292 R11: 0000000000000001 R12: ffff88814fca0000\n[  145.570410] R13: 0000000000000000 R14: ffff88814fca2798 R15: ffff88814fca2dd8\n[  145.570465] FS:  00007fa399988540(0000) GS:ffff888233e00000(0000) knlGS:0000000000000000\n[  145.570519] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  145.570571] CR2: 00007fa399b51421 CR3: 0000000137898002 CR4: 00000000003706e0\n[  145.570623] Call Trace:\n[  145.570675]  <TASK>\n[  145.570727]  ? ath11k_ce_tx_process_cb+0x34b/0x860 [ath11k]\n[  145.570797]  ath11k_ce_tx_process_cb+0x356/0x860 [ath11k]\n[  145.570864]  ? tasklet_init+0x150/0x150\n[  145.570919]  ? ath11k_ce_alloc_pipes+0x280/0x280 [ath11k]\n[  145.570986]  ? tasklet_clear_sched+0x42/0xe0\n[  145.571042]  ? tasklet_kill+0xe9/0x1b0\n[  145.571095]  ? tasklet_clear_sched+0xe0/0xe0\n[  145.571148]  ? irq_has_action+0x120/0x120\n[  145.571202]  ath11k_ce_cleanup_pipes+0x45a/0x580 [ath11k]\n[  145.571270]  ? ath11k_pci_stop+0x10e/0x170 [ath11k_pci]\n[  145.571345]  ath11k_core_stop+0x8a/0xc0 [ath11k]\n[  145.571434]  ath11k_core_deinit+0x9e/0x150 [ath11k]\n[  145.571499]  ath11k_pci_remove+0xd2/0x260 [ath11k_pci]\n[  145.571553]  pci_device_remove+0x9a/0x1c0\n[  145.571605]  __device_release_driver+0x332/0x660\n[  145.571659]  driver_detach+0x1e7/0x2c0\n[  145.571712]  bus_remove_driver+0xe2/0x2d0\n[  145.571772]  pci_unregister_driver+0x21/0x250\n[  145.571826]  __do_sys_delete_module+0x30a/0x4b0\n[  145.571879]  ? free_module+0xac0/0xac0\n[  145.571933]  ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[  145.571986]  ? syscall_enter_from_user_mode+0x1d/0x50\n[  145.572039]  ? lockdep_hardirqs_on+0x79/0x100\n[  145.572097]  do_syscall_64+0x3b/0x90\n[  145.572153]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49130",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix kernel panic during unload/load ath11k modules\n\nCall netif_napi_del() from ath11k_ahb_free_ext_irq() to fix\nthe following kernel panic when unloading/loading ath11k modules\nfor a few iterations.\n\n[  971.201365] Unable to handle kernel paging request at virtual address 6d97a208\n[  971.204227] pgd = 594c2919\n[  971.211478] [6d97a208] *pgd=00000000\n[  971.214120] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n[  971.412024] CPU: 2 PID: 4435 Comm: insmod Not tainted 5.4.89 #0\n[  971.434256] Hardware name: Generic DT based system\n[  971.440165] PC is at napi_by_id+0x10/0x40\n[  971.445019] LR is at netif_napi_add+0x160/0x1dc\n\n[  971.743127] (napi_by_id) from [<807d89a0>] (netif_napi_add+0x160/0x1dc)\n[  971.751295] (netif_napi_add) from [<7f1209ac>] (ath11k_ahb_config_irq+0xf8/0x414 [ath11k_ahb])\n[  971.759164] (ath11k_ahb_config_irq [ath11k_ahb]) from [<7f12135c>] (ath11k_ahb_probe+0x40c/0x51c [ath11k_ahb])\n[  971.768567] (ath11k_ahb_probe [ath11k_ahb]) from [<80666864>] (platform_drv_probe+0x48/0x94)\n[  971.779670] (platform_drv_probe) from [<80664718>] (really_probe+0x1c8/0x450)\n[  971.789389] (really_probe) from [<80664cc4>] (driver_probe_device+0x15c/0x1b8)\n[  971.797547] (driver_probe_device) from [<80664f60>] (device_driver_attach+0x44/0x60)\n[  971.805795] (device_driver_attach) from [<806650a0>] (__driver_attach+0x124/0x140)\n[  971.814822] (__driver_attach) from [<80662adc>] (bus_for_each_dev+0x58/0xa4)\n[  971.823328] (bus_for_each_dev) from [<80663a2c>] (bus_add_driver+0xf0/0x1e8)\n[  971.831662] (bus_add_driver) from [<806658a4>] (driver_register+0xa8/0xf0)\n[  971.839822] (driver_register) from [<8030269c>] (do_one_initcall+0x78/0x1ac)\n[  971.847638] (do_one_initcall) from [<80392524>] (do_init_module+0x54/0x200)\n[  971.855968] (do_init_module) from [<803945b0>] (load_module+0x1e30/0x1ffc)\n[  971.864126] (load_module) from [<803948b0>] (sys_init_module+0x134/0x17c)\n[  971.871852] (sys_init_module) from [<80301000>] (ret_fast_syscall+0x0/0x50)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.6.0.1-00760-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49131",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: pci: fix crash on suspend if board file is not found\n\nMario reported that the kernel was crashing on suspend if ath11k was not able\nto find a board file:\n\n[  473.693286] PM: Suspending system (s2idle)\n[  473.693291] printk: Suspending console(s) (use no_console_suspend to debug)\n[  474.407787] BUG: unable to handle page fault for address: 0000000000002070\n[  474.407791] #PF: supervisor read access in kernel mode\n[  474.407794] #PF: error_code(0x0000) - not-present page\n[  474.407798] PGD 0 P4D 0\n[  474.407801] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  474.407805] CPU: 2 PID: 2350 Comm: kworker/u32:14 Tainted: G        W         5.16.0 #248\n[...]\n[  474.407868] Call Trace:\n[  474.407870]  <TASK>\n[  474.407874]  ? _raw_spin_lock_irqsave+0x2a/0x60\n[  474.407882]  ? lock_timer_base+0x72/0xa0\n[  474.407889]  ? _raw_spin_unlock_irqrestore+0x29/0x3d\n[  474.407892]  ? try_to_del_timer_sync+0x54/0x80\n[  474.407896]  ath11k_dp_rx_pktlog_stop+0x49/0xc0 [ath11k]\n[  474.407912]  ath11k_core_suspend+0x34/0x130 [ath11k]\n[  474.407923]  ath11k_pci_pm_suspend+0x1b/0x50 [ath11k_pci]\n[  474.407928]  pci_pm_suspend+0x7e/0x170\n[  474.407935]  ? pci_pm_freeze+0xc0/0xc0\n[  474.407939]  dpm_run_callback+0x4e/0x150\n[  474.407947]  __device_suspend+0x148/0x4c0\n[  474.407951]  async_suspend+0x20/0x90\ndmesg-efi-164255130401001:\nOops#1 Part1\n[  474.407955]  async_run_entry_fn+0x33/0x120\n[  474.407959]  process_one_work+0x220/0x3f0\n[  474.407966]  worker_thread+0x4a/0x3d0\n[  474.407971]  kthread+0x17a/0x1a0\n[  474.407975]  ? process_one_work+0x3f0/0x3f0\n[  474.407979]  ? set_kthread_struct+0x40/0x40\n[  474.407983]  ret_from_fork+0x22/0x30\n[  474.407991]  </TASK>\n\nThe issue here is that board file loading happens after ath11k_pci_probe()\nsuccessfully returns (ath11k initialisation happens asynchronously) and the\nsuspend handler is still enabled, of course failing as ath11k is not properly\ninitialised. Fix this by checking ATH11K_FLAG_QMI_FAIL during both suspend and\nresume.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49132",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: svm range restore work deadlock when process exit\n\nkfd_process_notifier_release flushes svm_range_restore_work,\nwhich calls svm_range_list_lock_and_flush_work to flush deferred_list\nwork, but if the deferred_list work's mmput releases the last user, it will\ncall exit_mmap -> notifier_release, which deadlocks with the backtrace below.\n\nMove the flush of svm_range_restore_work to kfd_process_wq_release to avoid\nthe deadlock. Then svm_range_restore_work takes a task->mm ref to avoid mm being\ngone while validating and mapping ranges to GPU.\n\nWorkqueue: events svm_range_deferred_list_work [amdgpu]\nCall Trace:\n wait_for_completion+0x94/0x100\n __flush_work+0x12a/0x1e0\n __cancel_work_timer+0x10e/0x190\n cancel_delayed_work_sync+0x13/0x20\n kfd_process_notifier_release+0x98/0x2a0 [amdgpu]\n __mmu_notifier_release+0x74/0x1f0\n exit_mmap+0x170/0x200\n mmput+0x5d/0x130\n svm_range_deferred_list_work+0x104/0x230 [amdgpu]\n process_one_work+0x220/0x3c0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49133",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum: Guard against invalid local ports\n\nWhen processing events generated by the device's firmware, the driver\nprotects itself from events reported for non-existent local ports, but\nnot for the CPU port (local port 0), which exists, but does not have all\nthe fields as any local port.\n\nThis can result in a NULL pointer dereference when trying access\n'struct mlxsw_sp_port' fields which are not initialized for CPU port.\n\nCommit 63b08b1f6834 (\"mlxsw: spectrum: Protect driver from buggy firmware\")\nalready handled such issue by bailing early when processing a PUDE event\nreported for the CPU port.\n\nGeneralize the approach by moving the check to a common function and\nmaking use of it in all relevant places.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49134",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak\n\n[why]\nResource release is needed on the error handling path\nto prevent memory leak.\n\n[how]\nFix this by adding kfree on the error handling path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49135",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set\n\nhci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has\nbeen set as that means hci_unregister_dev has been called so it will\nlikely cause a uaf after the timeout as the hdev will be freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49136",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj\n\nThis issue takes place in an error path in\namdgpu_cs_fence_to_handle_ioctl(). When `info->in.what` falls into\ndefault case, the function simply returns -EINVAL, forgetting to\ndecrement the reference count of a dma_fence obj, which is bumped\nearlier by amdgpu_cs_get_fence(). This may result in reference count\nleaks.\n\nFix it by decreasing the refcount of specific object before returning\nthe error code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49137",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Ignore multiple conn complete events\n\nWhen one of the three connection complete events is received multiple\ntimes for the same handle, the device is registered multiple times which\nleads to memory corruptions. Therefore, consequent events for a single\nconnection are ignored.\n\nThe conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET\nis introduced to identify new connections. To make sure the events do not\ncontain this or another invalid handle HCI_CONN_HANDLE_MAX and checks\nare introduced.\n\nBuglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497",
          "scorev2": "0.0",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49138",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix null ptr deref on hci_sync_conn_complete_evt\n\nThis event is just specified for SCO and eSCO link types.\nOn the reception of a HCI_Synchronous_Connection_Complete for a BDADDR\nof an existing LE connection, LE link type and a status that triggers the\nsecond case of the packet processing a NULL pointer dereference happens,\nas conn->link is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49139",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: fix possible NULL pointer dereference\n\nAs the allocation may fail, kzalloc() may return a NULL\npointer.\nTherefore, it is better to check 'sgi' in order to prevent\nthe dereference of a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49141",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: preserve skb_end_offset() in skb_unclone_keeptruesize()\n\nsyzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len)\nin skb_try_coalesce() [1]\n\nI was able to root cause the issue to kfence.\n\nWhen kfence is in action, the following assertion is no longer true:\n\nint size = xxxx;\nvoid *ptr1 = kmalloc(size, gfp);\nvoid *ptr2 = kmalloc(size, gfp);\n\nif (ptr1 && ptr2)\n\tASSERT(ksize(ptr1) == ksize(ptr2));\n\nWe attempted to fix these issues in the blamed commits, but forgot\nthat TCP was possibly shifting data after skb_unclone_keeptruesize()\nhas been used, notably from tcp_retrans_try_collapse().\n\nSo we not only need to keep the same skb->truesize value,\nwe also need to make sure TCP won't fill new tailroom\nthat pskb_expand_head() was able to get from an\naddr = kmalloc(...) followed by ksize(addr)\n\nSplit skb_unclone_keeptruesize() into two parts:\n\n1) Inline skb_unclone_keeptruesize() for the common case,\n   when skb is not cloned.\n\n2) Out of line __skb_unclone_keeptruesize() for the 'slow path'.\n\nWARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nModules linked in:\nCPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nCode: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa\nRSP: 0018:ffffc900063af268 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000\nRDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003\nRBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000\nR10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8\nR13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155\nFS:  00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]\n tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630\n tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914\n tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025\n tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947\n tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719\n sk_backlog_rcv include/net/sock.h:1037 [inline]\n __release_sock+0x134/0x3b0 net/core/sock.c:2779\n release_sock+0x54/0x1b0 net/core/sock.c:3311\n sk_wait_data+0x177/0x450 net/core/sock.c:2821\n tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457\n tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572\n inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49142",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memory leak of uid in files registration\n\nWhen there are no files for __io_sqe_files_scm() to process in the\nrange, it'll free everything and return. However, it forgets to put uid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49144",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Avoid out of bounds access when parsing _CPC data\n\nIf the NumEntries field in the _CPC return package is less than 2, do\nnot attempt to access the \"Revision\" element of that package, because\nit may not be present then.\n\nBugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49145",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: use virtio_device_ready() in virtio_device_restore()\n\nAfter waking up a suspended VM, the kernel prints the following trace\nfor virtio drivers which do not directly call virtio_device_ready() in\nthe .restore:\n\n    PM: suspend exit\n    irq 22: nobody cared (try booting with the \"irqpoll\" option)\n    Call Trace:\n     <IRQ>\n     dump_stack_lvl+0x38/0x49\n     dump_stack+0x10/0x12\n     __report_bad_irq+0x3a/0xaf\n     note_interrupt.cold+0xb/0x60\n     handle_irq_event+0x71/0x80\n     handle_fasteoi_irq+0x95/0x1e0\n     __common_interrupt+0x6b/0x110\n     common_interrupt+0x63/0xe0\n     asm_common_interrupt+0x1e/0x40\n     ? __do_softirq+0x75/0x2f3\n     irq_exit_rcu+0x93/0xe0\n     sysvec_apic_timer_interrupt+0xac/0xd0\n     </IRQ>\n     <TASK>\n     asm_sysvec_apic_timer_interrupt+0x12/0x20\n     arch_cpu_idle+0x12/0x20\n     default_idle_call+0x39/0xf0\n     do_idle+0x1b5/0x210\n     cpu_startup_entry+0x20/0x30\n     start_secondary+0xf3/0x100\n     secondary_startup_64_no_verify+0xc3/0xcb\n     </TASK>\n    handlers:\n    [<000000008f9bac49>] vp_interrupt\n    [<000000008f9bac49>] vp_interrupt\n    Disabling IRQ #22\n\nThis happens because we don't invoke .enable_cbs callback in\nvirtio_device_restore(). That callback is used by some transports\n(e.g. virtio-pci) to enable interrupts.\n\nLet's fix it, by calling virtio_device_ready() as we do in\nvirtio_dev_probe(). This function calls .enable_cbs callback and sets\nDRIVER_OK status bit.\n\nThis fix also avoids setting DRIVER_OK twice for those drivers that\ncall virtio_device_ready() in the .restore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49146",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix the maximum minor value in blk_alloc_ext_minor()\n\nida_alloc_range(..., min, max, ...) returns values from min to max,\ninclusive.\n\nSo, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().\n\nThis is an issue because in device_add_disk(), this value is used in:\n   ddev->devt = MKDEV(disk->major, disk->first_minor);\nand NR_EXT_DEVT is '(1 << MINORBITS)'.\n\nSo, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49147",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Free the page array when watch_queue is dismantled\n\nCommit 7ea1a0124b6d (\"watch_queue: Free the alloc bitmap when the\nwatch_queue is torn down\") took care of the bitmap, but not the page\narray.\n\n  BUG: memory leak\n  unreferenced object 0xffff88810d9bc140 (size 32):\n  comm \"syz-executor335\", pid 3603, jiffies 4294946994 (age 12.840s)\n  hex dump (first 32 bytes):\n    40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00  @.@.............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n     kmalloc_array include/linux/slab.h:621 [inline]\n     kcalloc include/linux/slab.h:652 [inline]\n     watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251\n     pipe_ioctl+0x82/0x140 fs/pipe.c:632\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:874 [inline]\n     __se_sys_ioctl fs/ioctl.c:860 [inline]\n     __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860\n     do_syscall_x64 arch/x86/entry/common.c:50 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49148",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call timer start racing with call destruction\n\nThe rxrpc_call struct has a timer used to handle various timed events\nrelating to a call.  This timer can get started from the packet input\nroutines that are run in softirq mode with just the RCU read lock held.\nUnfortunately, because only the RCU read lock is held - and neither ref nor\nother lock is taken - the call can start getting destroyed at the same time\na packet comes in addressed to that call.  This causes the timer - which\nwas already stopped - to get restarted.  Later, the timer dispatch code may\nthen oops if the timer got deallocated first.\n\nFix this by trying to take a ref on the rxrpc_call struct and, if\nsuccessful, passing that ref along to the timer.  If the timer was already\nrunning, the ref is discarded.\n\nThe timer completion routine can then pass the ref along to the call's work\nitem when it queues it.  If the timer or work item were already\nqueued/running, the extra ref is discarded.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49149",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: gamecube: Fix refcount leak in gamecube_rtc_read_offset_from_sram\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented. We should use of_node_put() on it when done.\nAdd the missing of_node_put() to release the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49150",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. We should check that in endpoint is actually present to\nprevent this warning.\n\nFound pipes are now saved to struct mcba_priv and code uses them\ndirectly instead of making pipes in place.\n\nFail log:\n\n| usb 5-1: BOGUS urb xfer, pipe 3 != type 1\n| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n| Modules linked in:\n| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0\n| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\n| Workqueue: usb_hub_wq hub_event\n| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n| ...\n| Call Trace:\n|  <TASK>\n|  mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]\n|  mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858\n|  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n|  call_driver_probe drivers/base/dd.c:517 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49151",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nXArray: Fix xas_create_range() when multi-order entry present\n\nIf there is already an entry present that is of order >= XA_CHUNK_SHIFT\nwhen we call xas_create_range(), xas_create_range() will misinterpret\nthat entry as a node and dereference xa_node->parent, generally leading\nto a crash that looks something like this:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001:\n0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0\nRIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline]\nRIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725\n\nIt's deterministically reproducable once you know what the problem is,\nbut producing it in a live kernel requires khugepaged to hit a race.\nWhile the problem has been present since xas_create_range() was\nintroduced, I'm not aware of a way to hit it before the page cache was\nconverted to use multi-index entries.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49152",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: socket: free skb in send6 when ipv6 is disabled\n\nI got a memory leak report:\n\nunreferenced object 0xffff8881191fc040 (size 232):\n  comm \"kworker/u17:0\", pid 23193, jiffies 4295238848 (age 3464.870s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff814c3ef4>] slab_post_alloc_hook+0x84/0x3b0\n    [<ffffffff814c8977>] kmem_cache_alloc_node+0x167/0x340\n    [<ffffffff832974fb>] __alloc_skb+0x1db/0x200\n    [<ffffffff82612b5d>] wg_socket_send_buffer_to_peer+0x3d/0xc0\n    [<ffffffff8260e94a>] wg_packet_send_handshake_initiation+0xfa/0x110\n    [<ffffffff8260ec81>] wg_packet_handshake_send_worker+0x21/0x30\n    [<ffffffff8119c558>] process_one_work+0x2e8/0x770\n    [<ffffffff8119ca2a>] worker_thread+0x4a/0x4b0\n    [<ffffffff811a88e0>] kthread+0x120/0x160\n    [<ffffffff8100242f>] ret_from_fork+0x1f/0x30\n\nIn function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_\nbuffer_to_peer(), the semantics of send6() is required to free skb. But\nwhen CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it\nto fix this bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49153",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: fix panic on out-of-bounds guest IRQ\n\nAs guest_irq is coming from KVM_IRQFD API call, it may trigger\ncrash in svm_update_pi_irte() due to out-of-bounds:\n\ncrash> bt\nPID: 22218  TASK: ffff951a6ad74980  CPU: 73  COMMAND: \"vcpu8\"\n #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397\n #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d\n #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d\n #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d\n #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9\n #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51\n #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace\n    [exception RIP: svm_update_pi_irte+227]\n    RIP: ffffffffc0761b53  RSP: ffffb1ba6707fd08  RFLAGS: 00010086\n    RAX: ffffb1ba6707fd78  RBX: ffffb1ba66d91000  RCX: 0000000000000001\n    RDX: 00003c803f63f1c0  RSI: 000000000000019a  RDI: ffffb1ba66db2ab8\n    RBP: 000000000000019a   R8: 0000000000000040   R9: ffff94ca41b82200\n    R10: ffffffffffffffcf  R11: 0000000000000001  R12: 0000000000000001\n    R13: 0000000000000001  R14: ffffffffffffffcf  R15: 000000000000005f\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]\n #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]\n #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]\n    RIP: 00007f143c36488b  RSP: 00007f143a4e04b8  RFLAGS: 00000246\n    RAX: ffffffffffffffda  RBX: 00007f05780041d0  RCX: 00007f143c36488b\n    RDX: 00007f05780041d0  RSI: 000000004008ae6a  RDI: 0000000000000020\n    RBP: 00000000000004e8   R8: 0000000000000008   R9: 00007f05780041e0\n    R10: 00007f0578004560  R11: 0000000000000246  R12: 00000000000004e0\n    R13: 000000000000001a  R14: 00007f1424001c60  R15: 00007f0578003bc0\n    ORIG_RAX: 0000000000000010  CS: 0033  SS: 002b\n\nVmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on\nout-of-bounds guest IRQ), so we can just copy source from that to fix\nthis.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49154",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()\n\n[   12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020\n[   12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]\n[   12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G          I      --------- ---  5.14.0-29.el9.x86_64 #1\n[   12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018\n[   12.356356] Call Trace:\n[   12.358821]  dump_stack_lvl+0x34/0x44\n[   12.362514]  check_preemption_disabled+0xd9/0xe0\n[   12.367164]  qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]\n[   12.372481]  qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx]\n[   12.377617]  ? _raw_spin_lock_irqsave+0x19/0x40\n[   12.384284]  local_pci_probe+0x42/0x80\n[   12.390162]  ? pci_match_device+0xd7/0x110\n[   12.396366]  pci_device_probe+0xfd/0x1b0\n[   12.402372]  really_probe+0x1e7/0x3e0\n[   12.408114]  __driver_probe_device+0xfe/0x180\n[   12.414544]  driver_probe_device+0x1e/0x90\n[   12.420685]  __driver_attach+0xc0/0x1c0\n[   12.426536]  ? __device_attach_driver+0xe0/0xe0\n[   12.433061]  ? __device_attach_driver+0xe0/0xe0\n[   12.439538]  bus_for_each_dev+0x78/0xc0\n[   12.445294]  bus_add_driver+0x12b/0x1e0\n[   12.451021]  driver_register+0x8f/0xe0\n[   12.456631]  ? 0xffffffffc07bc000\n[   12.461773]  qla2x00_module_init+0x1be/0x229 [qla2xxx]\n[   12.468776]  do_one_initcall+0x44/0x200\n[   12.474401]  ? load_module+0xad3/0xba0\n[   12.479908]  ? kmem_cache_alloc_trace+0x45/0x410\n[   12.486268]  do_init_module+0x5c/0x280\n[   12.491730]  __do_sys_init_module+0x12e/0x1b0\n[   12.497785]  do_syscall_64+0x3b/0x90\n[   12.503029]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   12.509764] RIP: 0033:0x7f554f73ab2e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49155",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix scheduling while atomic\n\nThe driver makes a call into midlayer (fc_remote_port_delete) which can put\nthe thread to sleep. The thread that originates the call is in interrupt\ncontext. The combination of the two trigger a crash. Schedule the call in\nnon-interrupt context where it is more safe.\n\nkernel: BUG: scheduling while atomic: swapper/7/0/0x00010000\nkernel: Call Trace:\nkernel:  <IRQ>\nkernel:  dump_stack+0x66/0x81\nkernel:  __schedule_bug.cold.90+0x5/0x1d\nkernel:  __schedule+0x7af/0x960\nkernel:  schedule+0x28/0x80\nkernel:  schedule_timeout+0x26d/0x3b0\nkernel:  wait_for_completion+0xb4/0x140\nkernel:  ? wake_up_q+0x70/0x70\nkernel:  __wait_rcu_gp+0x12c/0x160\nkernel:  ? sdev_evt_alloc+0xc0/0x180 [scsi_mod]\nkernel:  synchronize_sched+0x6c/0x80\nkernel:  ? call_rcu_bh+0x20/0x20\nkernel:  ? __bpf_trace_rcu_invoke_callback+0x10/0x10\nkernel:  sdev_evt_alloc+0xfd/0x180 [scsi_mod]\nkernel:  starget_for_each_device+0x85/0xb0 [scsi_mod]\nkernel:  ? scsi_init_io+0x360/0x3d0 [scsi_mod]\nkernel:  scsi_init_io+0x388/0x3d0 [scsi_mod]\nkernel:  device_for_each_child+0x54/0x90\nkernel:  fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc]\nkernel:  qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx]\nkernel:  qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx]\nkernel:  qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx]\nkernel:  qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx]\nkernel:  qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx]\nkernel:  qla24xx_process_response_queue+0x306/0x400 [qla2xxx]\nkernel:  qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx]\nkernel:  __handle_irq_event_percpu+0x40/0x180\nkernel:  handle_irq_event_percpu+0x30/0x80\nkernel:  handle_irq_event+0x36/0x60",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49156",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix premature hw access after PCI error\n\nAfter a recoverable PCI error has been detected and recovered, qla driver\nneeds to check to see if the error condition still persist and/or wait\nfor the OS to give the resume signal.\n\nSep  8 22:26:03 localhost kernel: WARNING: CPU: 9 PID: 124606 at qla_tmpl.c:440\nqla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx]\nSep  8 22:26:03 localhost kernel: RIP: 0010:qla27xx_fwdt_entry_t266+0x55/0x60\n[qla2xxx]\nSep  8 22:26:03 localhost kernel: Call Trace:\nSep  8 22:26:03 localhost kernel: ? qla27xx_walk_template+0xb1/0x1b0 [qla2xxx]\nSep  8 22:26:03 localhost kernel: ? qla27xx_execute_fwdt_template+0x12a/0x160\n[qla2xxx]\nSep  8 22:26:03 localhost kernel: ? qla27xx_fwdump+0xa0/0x1c0 [qla2xxx]\nSep  8 22:26:03 localhost kernel: ? qla2xxx_pci_mmio_enabled+0xfb/0x120\n[qla2xxx]\nSep  8 22:26:03 localhost kernel: ? report_mmio_enabled+0x44/0x80\nSep  8 22:26:03 localhost kernel: ? report_slot_reset+0x80/0x80\nSep  8 22:26:03 localhost kernel: ? pci_walk_bus+0x70/0x90\nSep  8 22:26:03 localhost kernel: ? aer_dev_correctable_show+0xc0/0xc0\nSep  8 22:26:03 localhost kernel: ? pcie_do_recovery+0x1bb/0x240\nSep  8 22:26:03 localhost kernel: ? aer_recover_work_func+0xaa/0xd0\nSep  8 22:26:03 localhost kernel: ? process_one_work+0x1a7/0x360\n..\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-8041:22: detected PCI\ndisconnect.\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22:\nqla27xx_fwdt_entry_t262: dump ram MB failed. Area 5h start 198013h end 198013h\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: Unable to\ncapture FW dump\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-1015:22: cmd=0x0,\nwaited 5221 msecs\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-680d:22: mmio\nenabled returning.\nSep  8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-d04c:22: MBX\nCommand timeout for cmd 0, iocontrol=ffffffff jiffies=10140f2e5\nmb[0-3]=[0xffff 0xffff 0xffff 0xffff]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49157",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix warning message due to adisc being flushed\n\nFix warning message due to adisc being flushed.  Linux kernel triggered a\nwarning message where a different error code type is not matching up with\nthe expected type. Add additional translation of one error code type to\nanother.\n\nWARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498\nqla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nCPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1\n..\nGPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000\nNIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nLR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx]\nCall Trace:\n[c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable)\n[c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx]\n[c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx]\n[c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx]\n[c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx]\n[c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120\n[c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0\n[c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100\n[c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40\n[c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130\n[c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [\nc00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180\n[c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60\n[c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20]\n[c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290\n[c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0\n[c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330\n[c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130\n[c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0\n[c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49158",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Implement ref count for SRB\n\nThe timeout handler and the done function are racing. When\nqla2x00_async_iocb_timeout() starts to run it can be preempted by the\nnormal response path (via the firmware?). qla24xx_async_gpsc_sp_done()\nreleases the SRB unconditionally. When scheduling back to\nqla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed\nsp->qpair pointer:\n\n  qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21.\n  qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21\n  qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400.\n  qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000004\n  IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]\n\nObvious solution to this is to introduce a reference counter. One reference\nis taken for the normal code path (the 'good' case) and one for the timeout\npath. As we always race between the normal good case and the timeout/abort\nhandler we need to serialize it. Also we cannot assume any order between\nthe handlers. Since this is slow path we can use proper synchronization via\nlocks.\n\nWhen we are able to cancel a timer (del_timer returns 1) we know there\ncan't be any error handling in progress because the timeout handler hasn't\nexpired yet, thus we can safely decrement the refcounter by one.\n\nIf we are not able to cancel the timer, we know an abort handler is\nrunning. We have to make sure we call sp->done() in the abort handlers\nbefore calling kref_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49159",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash during module load unload test\n\nDuring purex packet handling the driver was incorrectly freeing a\npre-allocated structure. Fix this by skipping that entry.\n\nSystem crashed with the following stack during a module unload test.\n\nCall Trace:\n\tsbitmap_init_node+0x7f/0x1e0\n\tsbitmap_queue_init_node+0x24/0x150\n\tblk_mq_init_bitmaps+0x3d/0xa0\n\tblk_mq_init_tags+0x68/0x90\n\tblk_mq_alloc_map_and_rqs+0x44/0x120\n\tblk_mq_alloc_set_map_and_rqs+0x63/0x150\n\tblk_mq_alloc_tag_set+0x11b/0x230\n\tscsi_add_host_with_dma.cold+0x3f/0x245\n\tqla2x00_probe_one+0xd5a/0x1b80 [qla2xxx]\n\nCall Trace with slub_debug and debug kernel:\n\tkasan_report_invalid_free+0x50/0x80\n\t__kasan_slab_free+0x137/0x150\n\tslab_free_freelist_hook+0xc6/0x190\n\tkfree+0xe8/0x2e0\n\tqla2x00_free_device+0x3bb/0x5d0 [qla2xxx]\n\tqla2x00_remove_one+0x668/0xcf0 [qla2xxx]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49160",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Fix error handling in mt8183_da7219_max98357_dev_probe\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49161",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: sm712fb: Fix crash in smtcfb_write()\n\nWhen the sm712fb driver writes three bytes to the framebuffer, the\ndriver will crash:\n\n    BUG: unable to handle page fault for address: ffffc90001ffffff\n    RIP: 0010:smtcfb_write+0x454/0x5b0\n    Call Trace:\n     vfs_write+0x291/0xd60\n     ? do_sys_openat2+0x27d/0x350\n     ? __fget_light+0x54/0x340\n     ksys_write+0xce/0x190\n     do_syscall_64+0x43/0x90\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix it by removing the open-coded endianness fixup-code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49162",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: fix a bug of accessing array out of bounds\n\nWhen error occurs in parsing jpeg, the slot isn't acquired yet, it may\nbe the default value MXC_MAX_SLOTS.\nIf the driver access the slot using the incorrect slot number, it will\naccess array out of bounds.\nThe result is the driver will change num_domains, which follows\nslot_data in struct mxc_jpeg_dev.\nThen the driver won't detach the pm domain at rmmod, which will lead to\nkernel panic when trying to insmod again.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49163",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/tm: Fix more userspace r13 corruption\n\nCommit cf13435b730a (\"powerpc/tm: Fix userspace r13 corruption\") fixes a\nproblem in treclaim where a SLB miss can occur on the\nthread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13\nvalue, clobbering it with the kernel r13 and ultimately resulting in\nkernel r13 being stored in ckpt_regs.\n\nThere is an equivalent problem in trechkpt where the user r13 value is\nloaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss\ncould occur on ckpt_regs accesses after that, which will result in r13\nbeing clobbered with a kernel value and that will get recheckpointed and\nthen restored to user registers.\n\nThe same memory page is accessed right before this critical window where\na SLB miss could cause corruption, so hitting the bug requires the SLB\nentry be removed within a small window of instructions, which is\npossible if a SLB related MCE hits there. PAPR also permits the\nhypervisor to discard this SLB entry (because slb_shadow->persistent is\nonly set to SLB_NUM_BOLTED) although it's not known whether any\nimplementations would do this (KVM does not). So this is an extremely\nunlikely bug, only found by inspection.\n\nFix this by also storing user r13 in a temporary location on the kernel\nstack and don't change the r13 register from kernel r13 until the RI=0\ncritical section that does not fault.\n\nThe SCRATCH0 change is not strictly part of the fix, it's only used in\nthe RI=0 section so it does not have the same problem as the previous\nSCRATCH0 bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49164",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers\n\nIf the application queues an NV12M jpeg as output buffer, but then\nqueues a single planar capture buffer, the kernel will crash with\n\"Unable to handle kernel NULL pointer dereference\" in mxc_jpeg_addrs,\nprevent this by finishing the job with error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49165",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: add sanity check on allocation size\n\nntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation\nsize.  It triggers one BUG in the __ntfs_malloc function.\n\nFix this by adding sanity check on ni->attr_list_size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49166",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not double complete bio on errors during compressed reads\n\nI hit some weird panics while fixing up the error handling from\nbtrfs_lookup_bio_sums().  Turns out the compression path will complete\nthe bio we use if we set up any of the compression bios and then return\nan error, and then btrfs_submit_data_bio() will also call bio_endio() on\nthe bio.\n\nFix this by making btrfs_submit_compressed_read() responsible for\ncalling bio_endio() on the bio if there are any errors.  Currently it\nwas only doing it if we created the compression bios, otherwise it was\ndepending on btrfs_submit_data_bio() to do the right thing.  This\ncreates the above problem, so fix up btrfs_submit_compressed_read() to\nalways call bio_endio() in case of an error, and then simply return from\nbtrfs_submit_data_bio() if we had to call\nbtrfs_submit_compressed_read().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49167",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not clean up repair bio if submit fails\n\nThe submit helper will always run bio_endio() on the bio if it fails to\nsubmit, so cleaning up the bio just leads to a variety of use-after-free\nand NULL pointer dereference bugs because we race with the endio\nfunction that is cleaning up the bio.  Instead just return BLK_STS_OK as\nthe repair function has to continue to process the rest of the pages,\nand the endio for the repair bio will do the appropriate cleanup for the\npage that it was given.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49168",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use spin_lock to avoid hang\n\n[14696.634553] task:cat             state:D stack:    0 pid:1613738 ppid:1613735 flags:0x00000004\n[14696.638285] Call Trace:\n[14696.639038]  <TASK>\n[14696.640032]  __schedule+0x302/0x930\n[14696.640969]  schedule+0x58/0xd0\n[14696.641799]  schedule_preempt_disabled+0x18/0x30\n[14696.642890]  __mutex_lock.constprop.0+0x2fb/0x4f0\n[14696.644035]  ? mod_objcg_state+0x10c/0x310\n[14696.645040]  ? obj_cgroup_charge+0xe1/0x170\n[14696.646067]  __mutex_lock_slowpath+0x13/0x20\n[14696.647126]  mutex_lock+0x34/0x40\n[14696.648070]  stat_show+0x25/0x17c0 [f2fs]\n[14696.649218]  seq_read_iter+0x120/0x4b0\n[14696.650289]  ? aa_file_perm+0x12a/0x500\n[14696.651357]  ? lru_cache_add+0x1c/0x20\n[14696.652470]  seq_read+0xfd/0x140\n[14696.653445]  full_proxy_read+0x5c/0x80\n[14696.654535]  vfs_read+0xa0/0x1a0\n[14696.655497]  ksys_read+0x67/0xe0\n[14696.656502]  __x64_sys_read+0x1a/0x20\n[14696.657580]  do_syscall_64+0x3b/0xc0\n[14696.658671]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[14696.660068] RIP: 0033:0x7efe39df1cb2\n[14696.661133] RSP: 002b:00007ffc8badd948 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[14696.662958] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007efe39df1cb2\n[14696.664757] RDX: 0000000000020000 RSI: 00007efe399df000 RDI: 0000000000000003\n[14696.666542] RBP: 00007efe399df000 R08: 00007efe399de010 R09: 00007efe399de010\n[14696.668363] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000000\n[14696.670155] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[14696.671965]  </TASK>\n[14696.672826] task:umount          state:D stack:    0 pid:1614985 ppid:1614984 flags:0x00004000\n[14696.674930] Call Trace:\n[14696.675903]  <TASK>\n[14696.676780]  __schedule+0x302/0x930\n[14696.677927]  schedule+0x58/0xd0\n[14696.679019]  schedule_preempt_disabled+0x18/0x30\n[14696.680412]  __mutex_lock.constprop.0+0x2fb/0x4f0\n[14696.681783]  ? destroy_inode+0x65/0x80\n[14696.683006]  __mutex_lock_slowpath+0x13/0x20\n[14696.684305]  mutex_lock+0x34/0x40\n[14696.685442]  f2fs_destroy_stats+0x1e/0x60 [f2fs]\n[14696.686803]  f2fs_put_super+0x158/0x390 [f2fs]\n[14696.688238]  generic_shutdown_super+0x7a/0x120\n[14696.689621]  kill_block_super+0x27/0x50\n[14696.690894]  kill_f2fs_super+0x7f/0x100 [f2fs]\n[14696.692311]  deactivate_locked_super+0x35/0xa0\n[14696.693698]  deactivate_super+0x40/0x50\n[14696.694985]  cleanup_mnt+0x139/0x190\n[14696.696209]  __cleanup_mnt+0x12/0x20\n[14696.697390]  task_work_run+0x64/0xa0\n[14696.698587]  exit_to_user_mode_prepare+0x1b7/0x1c0\n[14696.700053]  syscall_exit_to_user_mode+0x27/0x50\n[14696.701418]  do_syscall_64+0x48/0xc0\n[14696.702630]  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49169",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on curseg->alloc_type\n\nAs Wenqing Liu reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215657\n\n- Overview\nUBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image\n\n- Reproduce\ntested on kernel 5.17-rc4, 5.17-rc6\n\n1. mkdir test_crash\n2. cd test_crash\n3. unzip tmp2.zip\n4. mkdir mnt\n5. ./single_test.sh f2fs 2\n\n- Kernel dump\n[   46.434454] loop0: detected capacity change from 0 to 131072\n[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9\n[   46.738319] ================================================================================\n[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2\n[   46.738475] index 231 is out of range for type 'unsigned int [2]'\n[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1\n[   46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   46.738551] Call Trace:\n[   46.738556]  <TASK>\n[   46.738563]  dump_stack_lvl+0x47/0x5c\n[   46.738581]  ubsan_epilogue+0x5/0x50\n[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80\n[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]\n[   46.738819]  do_write_page+0xef/0x210 [f2fs]\n[   46.738934]  f2fs_do_write_node_page+0x3f/0x80 [f2fs]\n[   46.739038]  __write_node_page+0x2b7/0x920 [f2fs]\n[   46.739162]  f2fs_sync_node_pages+0x943/0xb00 [f2fs]\n[   46.739293]  f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]\n[   46.739405]  kill_f2fs_super+0x125/0x150 [f2fs]\n[   46.739507]  deactivate_locked_super+0x60/0xc0\n[   46.739517]  deactivate_super+0x70/0xb0\n[   46.739524]  cleanup_mnt+0x11a/0x200\n[   46.739532]  __cleanup_mnt+0x16/0x20\n[   46.739538]  task_work_run+0x67/0xa0\n[   46.739547]  exit_to_user_mode_prepare+0x18c/0x1a0\n[   46.739559]  syscall_exit_to_user_mode+0x26/0x40\n[   46.739568]  do_syscall_64+0x46/0xb0\n[   46.739584]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is we missed to do sanity check on curseg->alloc_type,\nresult in out-of-bound accessing on sbi->block_count[] array, fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49170",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don't BUG if someone dirty pages without asking ext4 first\n\n[un]pin_user_pages_remote is dirtying pages without properly warning\nthe file system in advance.  A related race was noted by Jan Kara in\n2018[1]; however, more recently instead of it being a very hard-to-hit\nrace, it could be reliably triggered by process_vm_writev(2) which was\ndiscovered by Syzbot[2].\n\nThis is technically a bug in mm/gup.c, but arguably ext4 is fragile in\nthat if some other kernel subsystem dirty pages without properly\nnotifying the file system using page_mkwrite(), ext4 will BUG, while\nother file systems will not BUG (although data will still be lost).\n\nSo instead of crashing with a BUG, issue a warning (since there may be\npotential data loss) and just mark the page as clean to avoid\nunprivileged denial of service attacks until the problem can be\nproperly fixed.  More discussion and background can be found in the\nthread starting at [2].\n\n[1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz\n[2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49171",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix non-access data TLB cache flush faults\n\nWhen a page is not present, we get non-access data TLB faults from\nthe fdc and fic instructions in flush_user_dcache_range_asm and\nflush_user_icache_range_asm. When these occur, the cache line is\nnot invalidated and potentially we get memory corruption. The\nproblem was hidden by the nullification of the flush instructions.\n\nThese faults also affect performance. With pa8800/pa8900 processors,\nthere will be 32 faults per 4 KB page since the cache line is 128\nbytes.  There will be more faults with earlier processors.\n\nThe problem is fixed by using flush_cache_pages(). It does the flush\nusing a tmp alias mapping.\n\nThe flush_cache_pages() call in flush_cache_range() flushed too\nlarge a range.\n\nV2: Remove unnecessary preempt_disable() and preempt_enable() calls.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49172",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsi: Implement a timeout for polling status\n\nThe data transfer routines must poll the status register to\ndetermine when more data can be shifted in or out. If the hardware\ngets into a bad state, these polling loops may never exit. Prevent\nthis by returning an error if a timeout is exceeded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49173",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix ext4_mb_mark_bb() with flex_bg with fast_commit\n\nIn case of flex_bg feature (which is by default enabled), extents for\nany given inode might span across blocks from two different block group.\next4_mb_mark_bb() only reads the buffer_head of block bitmap once for the\nstarting block group, but it fails to read it again when the extent length\nboundary overflows to another block group. Then in this below loop it\naccesses memory beyond the block group bitmap buffer_head and results\ninto a data abort.\n\n\tfor (i = 0; i < clen; i++)\n\t\tif (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state)\n\t\t\talready++;\n\nThis patch adds this functionality for checking block group boundary in\next4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different\nblock group.\n\nw/o this patch, I was easily able to hit a data access abort using Power platform.\n\n<...>\n[   74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters\n[   74.533214] EXT4-fs (loop3): shut down requested (2)\n[   74.536705] Aborting journal on device loop3-8.\n[   74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000\n[   74.703727] Faulting instruction address: 0xc0000000007bffb8\ncpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]\n    pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0\n    lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0\n    sp: c000000015db7300\n   msr: 800000000280b033\n   dar: c00000005e980000\n dsisr: 40000000\n  current = 0xc000000027af6880\n  paca    = 0xc00000003ffd5200   irqmask: 0x03   irq_happened: 0x01\n    pid   = 5167, comm = mount\n<...>\nenter ? for help\n[c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410\n[c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000\n[c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0\n[c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0\n[c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0\n[c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10\n[c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350\n[c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40\n[c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100\n[c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70\n[c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550\n[c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0\n[c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49174",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: core: keep irq flags in device_pm_check_callbacks()\n\nThe function device_pm_check_callbacks() can be called under the spin\nlock (in the reported case it happens from genpd_add_device() ->\ndev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes.\n\nHowever this function unconditionally uses spin_lock_irq() /\nspin_unlock_irq(), thus not preserving the CPU flags. Use the\nirqsave/irqrestore instead.\n\nThe backtrace for the reference:\n[    2.752010] ------------[ cut here ]------------\n[    2.756769] raw_local_irq_restore() called with IRQs enabled\n[    2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50\n[    2.772338] Modules linked in:\n[    2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S                5.17.0-rc6-00384-ge330d0d82eff-dirty #684\n[    2.781384] Freeing initrd memory: 46024K\n[    2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    2.785841] pc : warn_bogus_irq_restore+0x34/0x50\n[    2.785844] lr : warn_bogus_irq_restore+0x34/0x50\n[    2.785846] sp : ffff80000805b7d0\n[    2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002\n[    2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800\n[    2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00\n[    2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff\n[    2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7\n[    2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8\n[    2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0\n[    2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0\n[    2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[    2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000\n[    2.889774] Call trace:\n[    2.892290]  warn_bogus_irq_restore+0x34/0x50\n[    2.896770]  _raw_spin_unlock_irqrestore+0x94/0xa0\n[    2.901690]  genpd_unlock_spin+0x20/0x30\n[    2.905724]  genpd_add_device+0x100/0x2d0\n[    2.909850]  __genpd_dev_pm_attach+0xa8/0x23c\n[    2.914329]  genpd_dev_pm_attach_by_id+0xc4/0x190\n[    2.919167]  genpd_dev_pm_attach_by_name+0x3c/0xd0\n[    2.924086]  dev_pm_domain_attach_by_name+0x24/0x30\n[    2.929102]  psci_dt_attach_cpu+0x24/0x90\n[    2.933230]  psci_cpuidle_probe+0x2d4/0x46c\n[    2.937534]  platform_probe+0x68/0xe0\n[    2.941304]  really_probe.part.0+0x9c/0x2fc\n[    2.945605]  __driver_probe_device+0x98/0x144\n[    2.950085]  driver_probe_device+0x44/0x15c\n[    2.954385]  __device_attach_driver+0xb8/0x120\n[    2.958950]  bus_for_each_drv+0x78/0xd0\n[    2.962896]  __device_attach+0xd8/0x180\n[    2.966843]  device_initial_probe+0x14/0x20\n[    2.971144]  bus_probe_device+0x9c/0xa4\n[    2.975092]  device_add+0x380/0x88c\n[    2.978679]  platform_device_add+0x114/0x234\n[    2.983067]  platform_device_register_full+0x100/0x190\n[    2.988344]  psci_idle_init+0x6c/0xb0\n[    2.992113]  do_one_initcall+0x74/0x3a0\n[    2.996060]  kernel_init_freeable+0x2fc/0x384\n[    3.000543]  kernel_init+0x28/0x130\n[    3.004132]  ret_from_fork+0x10/0x20\n[    3.007817] irq event stamp: 319826\n[    3.011404] hardirqs last  enabled at (319825): [<ffffd40e7eda0268>] __up_console_sem+0x78/0x84\n[    3.020332] hardirqs last disabled at (319826): [<ffffd40e7fd6d9d8>] el1_dbg+0x24/0x8c\n[    3.028458] softirqs last  enabled at (318312): [<ffffd40e7ec90410>] _stext+0x410/0x588\n[    3.036678] softirqs last disabled at (318299): [<ffffd40e7ed1bf68>] __irq_exit_rcu+0x158/0x174\n[    3.045607] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49175",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: fix use-after-free in bfq_dispatch_request\n\nKASAN reports a use-after-free report when doing normal scsi-mq test\n\n[69832.239032] ==================================================================\n[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0\n[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155\n[69832.244656]\n[69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8\n[69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[69832.249069] Workqueue: kblockd blk_mq_run_work_fn\n[69832.250022] Call Trace:\n[69832.250541]  dump_stack+0x9b/0xce\n[69832.251232]  ? bfq_dispatch_request+0x1045/0x44b0\n[69832.252243]  print_address_description.constprop.6+0x3e/0x60\n[69832.253381]  ? __cpuidle_text_end+0x5/0x5\n[69832.254211]  ? vprintk_func+0x6b/0x120\n[69832.254994]  ? bfq_dispatch_request+0x1045/0x44b0\n[69832.255952]  ? bfq_dispatch_request+0x1045/0x44b0\n[69832.256914]  kasan_report.cold.9+0x22/0x3a\n[69832.257753]  ? bfq_dispatch_request+0x1045/0x44b0\n[69832.258755]  check_memory_region+0x1c1/0x1e0\n[69832.260248]  bfq_dispatch_request+0x1045/0x44b0\n[69832.261181]  ? bfq_bfqq_expire+0x2440/0x2440\n[69832.262032]  ? blk_mq_delay_run_hw_queues+0xf9/0x170\n[69832.263022]  __blk_mq_do_dispatch_sched+0x52f/0x830\n[69832.264011]  ? blk_mq_sched_request_inserted+0x100/0x100\n[69832.265101]  __blk_mq_sched_dispatch_requests+0x398/0x4f0\n[69832.266206]  ? blk_mq_do_dispatch_ctx+0x570/0x570\n[69832.267147]  ? __switch_to+0x5f4/0xee0\n[69832.267898]  blk_mq_sched_dispatch_requests+0xdf/0x140\n[69832.268946]  __blk_mq_run_hw_queue+0xc0/0x270\n[69832.269840]  blk_mq_run_work_fn+0x51/0x60\n[69832.278170]  process_one_work+0x6d4/0xfe0\n[69832.278984]  worker_thread+0x91/0xc80\n[69832.279726]  ? __kthread_parkme+0xb0/0x110\n[69832.280554]  ? process_one_work+0xfe0/0xfe0\n[69832.281414]  kthread+0x32d/0x3f0\n[69832.282082]  ? kthread_park+0x170/0x170\n[69832.282849]  ret_from_fork+0x1f/0x30\n[69832.283573]\n[69832.283886] Allocated by task 7725:\n[69832.284599]  kasan_save_stack+0x19/0x40\n[69832.285385]  __kasan_kmalloc.constprop.2+0xc1/0xd0\n[69832.286350]  kmem_cache_alloc_node+0x13f/0x460\n[69832.287237]  bfq_get_queue+0x3d4/0x1140\n[69832.287993]  bfq_get_bfqq_handle_split+0x103/0x510\n[69832.289015]  bfq_init_rq+0x337/0x2d50\n[69832.289749]  bfq_insert_requests+0x304/0x4e10\n[69832.290634]  blk_mq_sched_insert_requests+0x13e/0x390\n[69832.291629]  blk_mq_flush_plug_list+0x4b4/0x760\n[69832.292538]  blk_flush_plug_list+0x2c5/0x480\n[69832.293392]  io_schedule_prepare+0xb2/0xd0\n[69832.294209]  io_schedule_timeout+0x13/0x80\n[69832.295014]  wait_for_common_io.constprop.1+0x13c/0x270\n[69832.296137]  submit_bio_wait+0x103/0x1a0\n[69832.296932]  blkdev_issue_discard+0xe6/0x160\n[69832.297794]  blk_ioctl_discard+0x219/0x290\n[69832.298614]  blkdev_common_ioctl+0x50a/0x1750\n[69832.304715]  blkdev_ioctl+0x470/0x600\n[69832.305474]  block_ioctl+0xde/0x120\n[69832.306232]  vfs_ioctl+0x6c/0xc0\n[69832.306877]  __se_sys_ioctl+0x90/0xa0\n[69832.307629]  do_syscall_64+0x2d/0x40\n[69832.308362]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[69832.309382]\n[69832.309701] Freed by task 155:\n[69832.310328]  kasan_save_stack+0x19/0x40\n[69832.311121]  kasan_set_track+0x1c/0x30\n[69832.311868]  kasan_set_free_info+0x1b/0x30\n[69832.312699]  __kasan_slab_free+0x111/0x160\n[69832.313524]  kmem_cache_free+0x94/0x460\n[69832.314367]  bfq_put_queue+0x582/0x940\n[69832.315112]  __bfq_bfqd_reset_in_service+0x166/0x1d0\n[69832.317275]  bfq_bfqq_expire+0xb27/0x2440\n[69832.318084]  bfq_dispatch_request+0x697/0x44b0\n[69832.318991]  __blk_mq_do_dispatch_sched+0x52f/0x830\n[69832.319984]  __blk_mq_sched_dispatch_requests+0x398/0x4f0\n[69832.321087]  blk_mq_sched_dispatch_requests+0xdf/0x140\n[69832.322225]  __blk_mq_run_hw_queue+0xc0/0x270\n[69832.323114]  blk_mq_run_work_fn+0x51/0x6\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49176",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: cavium - fix NULL but dereferenced coccicheck error\n\nFix following coccicheck warning:\n./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR:\npdev is NULL but dereferenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49177",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick/mspro_block: fix handling of read-only devices\n\nUse set_disk_ro to propagate the read-only state to the block layer\ninstead of checking for it in ->open and leaking a reference in case\nof a read-only device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49178",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: don't move oom_bfqq\n\nOur test report a UAF:\n\n[ 2073.019181] ==================================================================\n[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584\n[ 2073.019192]\n[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5\n[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[ 2073.019200] Call trace:\n[ 2073.019203]  dump_backtrace+0x0/0x310\n[ 2073.019206]  show_stack+0x28/0x38\n[ 2073.019210]  dump_stack+0xec/0x15c\n[ 2073.019216]  print_address_description+0x68/0x2d0\n[ 2073.019220]  kasan_report+0x238/0x2f0\n[ 2073.019224]  __asan_store8+0x88/0xb0\n[ 2073.019229]  __bfq_put_async_bfqq+0xa0/0x168\n[ 2073.019233]  bfq_put_async_queues+0xbc/0x208\n[ 2073.019236]  bfq_pd_offline+0x178/0x238\n[ 2073.019240]  blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019244]  bfq_exit_queue+0x128/0x178\n[ 2073.019249]  blk_mq_exit_sched+0x12c/0x160\n[ 2073.019252]  elevator_exit+0xc8/0xd0\n[ 2073.019256]  blk_exit_queue+0x50/0x88\n[ 2073.019259]  blk_cleanup_queue+0x228/0x3d8\n[ 2073.019267]  null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019274]  null_exit+0x90/0x114 [null_blk]\n[ 2073.019278]  __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019282]  el0_svc_common+0xc8/0x320\n[ 2073.019287]  el0_svc_handler+0xf8/0x160\n[ 2073.019290]  el0_svc+0x10/0x218\n[ 2073.019291]\n[ 2073.019294] Allocated by task 14163:\n[ 2073.019301]  kasan_kmalloc+0xe0/0x190\n[ 2073.019305]  kmem_cache_alloc_node_trace+0x1cc/0x418\n[ 2073.019308]  bfq_pd_alloc+0x54/0x118\n[ 2073.019313]  blkcg_activate_policy+0x250/0x460\n[ 2073.019317]  bfq_create_group_hierarchy+0x38/0x110\n[ 2073.019321]  bfq_init_queue+0x6d0/0x948\n[ 2073.019325]  blk_mq_init_sched+0x1d8/0x390\n[ 2073.019330]  elevator_switch_mq+0x88/0x170\n[ 2073.019334]  elevator_switch+0x140/0x270\n[ 2073.019338]  elv_iosched_store+0x1a4/0x2a0\n[ 2073.019342]  queue_attr_store+0x90/0xe0\n[ 2073.019348]  sysfs_kf_write+0xa8/0xe8\n[ 2073.019351]  kernfs_fop_write+0x1f8/0x378\n[ 2073.019359]  __vfs_write+0xe0/0x360\n[ 2073.019363]  vfs_write+0xf0/0x270\n[ 2073.019367]  ksys_write+0xdc/0x1b8\n[ 2073.019371]  __arm64_sys_write+0x50/0x60\n[ 2073.019375]  el0_svc_common+0xc8/0x320\n[ 2073.019380]  el0_svc_handler+0xf8/0x160\n[ 2073.019383]  el0_svc+0x10/0x218\n[ 2073.019385]\n[ 2073.019387] Freed by task 72584:\n[ 2073.019391]  __kasan_slab_free+0x120/0x228\n[ 2073.019394]  kasan_slab_free+0x10/0x18\n[ 2073.019397]  kfree+0x94/0x368\n[ 2073.019400]  bfqg_put+0x64/0xb0\n[ 2073.019404]  bfqg_and_blkg_put+0x90/0xb0\n[ 2073.019408]  bfq_put_queue+0x220/0x228\n[ 2073.019413]  __bfq_put_async_bfqq+0x98/0x168\n[ 2073.019416]  bfq_put_async_queues+0xbc/0x208\n[ 2073.019420]  bfq_pd_offline+0x178/0x238\n[ 2073.019424]  blkcg_deactivate_policy+0x1f0/0x420\n[ 2073.019429]  bfq_exit_queue+0x128/0x178\n[ 2073.019433]  blk_mq_exit_sched+0x12c/0x160\n[ 2073.019437]  elevator_exit+0xc8/0xd0\n[ 2073.019440]  blk_exit_queue+0x50/0x88\n[ 2073.019443]  blk_cleanup_queue+0x228/0x3d8\n[ 2073.019451]  null_del_dev+0xfc/0x1e0 [null_blk]\n[ 2073.019459]  null_exit+0x90/0x114 [null_blk]\n[ 2073.019462]  __arm64_sys_delete_module+0x358/0x5a0\n[ 2073.019467]  el0_svc_common+0xc8/0x320\n[ 2073.019471]  el0_svc_handler+0xf8/0x160\n[ 2073.019474]  el0_svc+0x10/0x218\n[ 2073.019475]\n[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00\n which belongs to the cache kmalloc-1024 of size 1024\n[ 2073.019484] The buggy address is located 552 bytes inside of\n 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)\n[ 2073.019486] The buggy address belongs to the page:\n[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0\n[ 2073.020123] flags: 0x7ffff0000008100(slab|head)\n[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00\n[ 2073.020409] ra\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49179",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLSM: general protection fault in legacy_parse_param\n\nThe usual LSM hook \"bail on fail\" scheme doesn't work for cases where\na security module may return an error code indicating that it does not\nrecognize an input.  In this particular case Smack sees a mount option\nthat it recognizes, and returns 0. A call to a BPF hook follows, which\nreturns -ENOPARAM, which confuses the caller because Smack has processed\nits data.\n\nThe SELinux hook incorrectly returns 1 on success. There was a time\nwhen this was correct, however the current expectation is that it\nreturn 0 on success. This is repaired.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49180",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add vlan list lock to protect vlan list\n\nWhen adding port base VLAN, vf VLAN need to remove from HW and modify\nthe vlan state in vf VLAN list as false. If the periodicity task is\nfreeing the same node, it may cause \"use after free\" error.\nThis patch adds a vlan list lock to protect the vlan list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49182",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix ref leak when switching zones\n\nWhen switching zones or network namespaces without doing a ct clear in\nbetween, it is now leaking a reference to the old ct entry. That's\nbecause tcf_ct_skb_nfct_cached() returns false and\ntcf_ct_flow_table_lookup() may simply overwrite it.\n\nThe fix is to, as the ct entry is not reusable, free it already at\ntcf_ct_skb_nfct_cached().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49183",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sparx5: switchdev: fix possible NULL pointer dereference\n\nAs the possible failure of the allocation, devm_kzalloc() may return NULL\npointer.\nTherefore, it should be better to check the 'db' in order to prevent\nthe dereference of NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49184",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function. Calling of_node_put() to avoid\nthe refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49185",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: visconti: prevent array overflow in visconti_clk_register_gates()\n\nThis code was using -1 to represent that there was no reset function.\nUnfortunately, the -1 was stored in u8 so the if (clks[i].rs_id >= 0)\ncondition was always true.  This lead to an out of bounds access in\nvisconti_clk_register_gates().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49186",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_hw_get_clk() when dev is NULL\n\nAny registered clk_core structure can have a NULL pointer in its dev\nfield. While never actually documented, this is evidenced by the wide\nusage of clk_register and clk_hw_register with a NULL device pointer,\nand the fact that the core of_clk_hw_register() function also passes a\nNULL device pointer.\n\nA call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that\ncase will result in a NULL pointer dereference when it calls dev_name() on\nthat NULL device pointer.\n\nAdd a test for this case and use NULL as the dev_id if the device\npointer is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49187",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region\n\nThe device_node pointer is returned by of_parse_phandle() or\nof_get_child_by_name() with refcount incremented.\nWe should use of_node_put() on it when done.\n\nThis function only call of_node_put(node) when of_address_to_resource\nsucceeds, missing error cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49188",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: clk-rcg2: Update logic to calculate D value for RCG\n\nThe display pixel clock has a requirement on certain newer platforms to\nsupport M/N as (2/3) and the final D value calculated results in\nunderflow errors.\nAs the current implementation does not check for D value is within\nthe accepted range for a given M & N value. Update the logic to\ncalculate the final D value based on the range.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49189",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/resource: fix kfree() of bootmem memory again\n\nSince commit ebff7d8f270d (\"mem hotunplug: fix kfree() of bootmem\nmemory\"), we could get a resource allocated during boot via\nalloc_resource().  And it's required to release the resource using\nfree_resource().  However, many people use kfree directly which will\nresult in kernel BUG.  In order to fix this without fixing every call\nsite, just leak a couple of bytes in such corner case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49190",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmxser: fix xmit_buf leak in activate when LSR == 0xff\n\nWhen LSR is 0xff in ->activate() (rather unlikely), we return an error.\nProvided ->shutdown() is not called when ->activate() fails, nothing\nactually frees the buffer in this case.\n\nFix this by properly freeing the buffer in a designated label. We jump\nthere also from the \"!info->type\" if now too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49191",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: ethernet: cpsw: fix panic when interrupt coalescing is set via ethtool\n\ncpsw_ethtool_begin directly returns the result of pm_runtime_get_sync\nwhen successful.\npm_runtime_get_sync returns -error code on failure and 0 on successful\nresume but also 1 when the device is already active. So the common case\nfor cpsw_ethtool_begin is to return 1. That leads to inconsistent calls\nto pm_runtime_put in the call-chain so that pm_runtime_put is called\none too many times and as result leaving the cpsw dev behind suspended.\n\nThe suspended cpsw dev leads to an access violation later on by\ndifferent parts of the cpsw driver.\n\nFix this by calling the return-friendly pm_runtime_resume_and_get\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49192",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix 'scheduling while atomic' on aux critical err interrupt\n\nThere's a kernel BUG splat on processing aux critical error\ninterrupts in ice_misc_intr():\n\n[ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000\n...\n[ 2101.060770] Call Trace:\n[ 2101.063229]  <IRQ>\n[ 2101.065252]  dump_stack+0x41/0x60\n[ 2101.068587]  __schedule_bug.cold.100+0x4c/0x58\n[ 2101.073060]  __schedule+0x6a4/0x830\n[ 2101.076570]  schedule+0x35/0xa0\n[ 2101.079727]  schedule_preempt_disabled+0xa/0x10\n[ 2101.084284]  __mutex_lock.isra.7+0x310/0x420\n[ 2101.088580]  ? ice_misc_intr+0x201/0x2e0 [ice]\n[ 2101.093078]  ice_send_event_to_aux+0x25/0x70 [ice]\n[ 2101.097921]  ice_misc_intr+0x220/0x2e0 [ice]\n[ 2101.102232]  __handle_irq_event_percpu+0x40/0x180\n[ 2101.106965]  handle_irq_event_percpu+0x30/0x80\n[ 2101.111434]  handle_irq_event+0x36/0x53\n[ 2101.115292]  handle_edge_irq+0x82/0x190\n[ 2101.119148]  handle_irq+0x1c/0x30\n[ 2101.122480]  do_IRQ+0x49/0xd0\n[ 2101.125465]  common_interrupt+0xf/0xf\n[ 2101.129146]  </IRQ>\n...\n\nAs Andrew correctly mentioned previously[0], the following call\nladder happens:\n\nice_misc_intr() <- hardirq\n  ice_send_event_to_aux()\n    device_lock()\n      mutex_lock()\n        might_sleep()\n          might_resched() <- oops\n\nAdd a new PF state bit which indicates that an aux critical error\noccurred and serve it in ice_service_task() in process context.\nThe new ice_pf::oicr_err_reg is read-write in both hardirq and\nprocess contexts, but only 3 bits of non-critical data probably\naren't worth explicit synchronizing (and they're even in the same\nbyte [31:24]).\n\n[0] https://lore.kernel.org/all/YeSRUVmrdmlUXHDn@lunn.ch",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49193",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmgenet: Use stronger register read/writes to assure ordering\n\nGCC12 appears to be much smarter about its dependency tracking and is\naware that the relaxed variants are just normal loads and stores and\nthis is causing problems like:\n\n[  210.074549] ------------[ cut here ]------------\n[  210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out\n[  210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240\n[  210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat]\n[  210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110\n[  210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G            E     5.17.0-rc7G12+ #58\n[  210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters\n[  210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022\n[  210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  210.161358] pc : dev_watchdog+0x234/0x240\n[  210.161364] lr : dev_watchdog+0x234/0x240\n[  210.161368] sp : ffff8000080a3a40\n[  210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20\n[  210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08\n[  210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000\n[  210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff\n[  210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a\n[  210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0\n[  210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c\n[  210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000\n[  210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000\n[  210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044\n[  210.269682] Call trace:\n[  210.272133]  dev_watchdog+0x234/0x240\n[  210.275811]  call_timer_fn+0x3c/0x15c\n[  210.279489]  __run_timers.part.0+0x288/0x310\n[  210.283777]  run_timer_softirq+0x48/0x80\n[  210.287716]  __do_softirq+0x128/0x360\n[  210.291392]  __irq_exit_rcu+0x138/0x140\n[  210.295243]  irq_exit_rcu+0x1c/0x30\n[  210.298745]  el1_interrupt+0x38/0x54\n[  210.302334]  el1h_64_irq_handler+0x18/0x24\n[  210.306445]  el1h_64_irq+0x7c/0x80\n[  210.309857]  arch_cpu_idle+0x18/0x2c\n[  210.313445]  default_idle_call+0x4c/0x140\n[  210.317470]  cpuidle_idle_call+0x14c/0x1a0\n[  210.321584]  do_idle+0xb0/0x100\n[  210.324737]  cpu_startup_entry+0x30/0x8c\n[  210.328675]  secondary_start_kernel+0xe4/0x110\n[  210.333138]  __secondary_switched+0x94/0x98\n\nThe assumption when these were relaxed seems to be that device memory\nwould be mapped non reordering, and that other constructs\n(spinlocks/etc) would provide the barriers to assure that packet data\nand in memory rings/queues were ordered with respect to device\nregister reads/writes. This itself seems a bit sketchy, but the real\nproblem with GCC12 is that it is moving the actual reads/writes around\nat will as though they were independent operations when in truth they\nare not, but the compiler can't know that. When looking at the\nassembly dumps for many of these routines it's possible to see very\nclean, but not strictly in program order operations occurring as the\ncompiler would be free to do if these weren't actually register\nread/write operations.\n\nIt's possible to suppress the timeout with a liberal bit of dma_mb()'s\nsprinkled around but the device still seems unable to reliably\nsend/receive data. A better plan is to use the safer readl/writel\neverywhere.\n\nSince this partially reverts an older commit, which notes the use of\nthe relaxed variants for performance reasons. I would suggest that\nany performance problems \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49194",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic on shutdown if multi-chip tree failed to probe\n\nDSA probing is atypical because a tree of devices must probe all at\nonce, so out of N switches which call dsa_tree_setup_routing_table()\nduring probe, for (N - 1) of them, \"complete\" will return false and they\nwill exit probing early. The Nth switch will set up the whole tree on\ntheir behalf.\n\nThe implication is that for (N - 1) switches, the driver binds to the\ndevice successfully, without doing anything. When the driver is bound,\nthe ->shutdown() method may run. But if the Nth switch has failed to\ninitialize the tree, there is nothing to do for the (N - 1) driver\ninstances, since the slave devices have not been created, etc. Moreover,\ndsa_switch_shutdown() expects that the calling @ds has been in fact\ninitialized, so it jumps at dereferencing the various data structures,\nwhich is incorrect.\n\nAvoid the ensuing NULL pointer dereferences by simply checking whether\nthe Nth switch has previously set \"ds->setup = true\" for the switch\nwhich is currently shutting down. The entire setup is serialized under\ndsa2_mutex which we already hold.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49195",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix use after free in remove_phb_dynamic()\n\nIn remove_phb_dynamic() we use &phb->io_resource, after we've called\ndevice_unregister(&host_bridge->dev). But the unregister may have freed\nphb, because pcibios_free_controller_deferred() is the release function\nfor the host_bridge.\n\nIf there are no outstanding references when we call device_unregister()\nthen phb will be freed out from under us.\n\nThis has gone mainly unnoticed, but with slub_debug and page_poison\nenabled it can lead to a crash:\n\n  PID: 7574   TASK: c0000000d492cb80  CPU: 13  COMMAND: \"drmgr\"\n   #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc\n   #1 [c0000000e4f075d0] oops_end at c000000000029608\n   #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4\n   #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8\n   #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30\n   Data SLB Access [380] exception frame:\n   R0:  c000000000167250    R1:  c0000000e4f07a00    R2:  c000000002a46100\n   R3:  c000000002b39ce8    R4:  00000000000000c0    R5:  00000000000000a9\n   R6:  3894674d000000c0    R7:  0000000000000000    R8:  00000000000000ff\n   R9:  0000000000000100    R10: 6b6b6b6b6b6b6b6b    R11: 0000000000008000\n   R12: c00000000023da80    R13: c0000009ffd38b00    R14: 0000000000000000\n   R15: 000000011c87f0f0    R16: 0000000000000006    R17: 0000000000000003\n   R18: 0000000000000002    R19: 0000000000000004    R20: 0000000000000005\n   R21: 000000011c87ede8    R22: 000000011c87c5a8    R23: 000000011c87d3a0\n   R24: 0000000000000000    R25: 0000000000000001    R26: c0000000e4f07cc8\n   R27: c00000004d1cc400    R28: c0080000031d00e8    R29: c00000004d23d800\n   R30: c00000004d1d2400    R31: c00000004d1d2540\n   NIP: c000000000167258    MSR: 8000000000009033    OR3: c000000000e9f474\n   CTR: 0000000000000000    LR:  c000000000167250    XER: 0000000020040003\n   CCR: 0000000024088420    MQ:  0000000000000000    DAR: 6b6b6b6b6b6b6ba3\n   DSISR: c0000000e4f07920     Syscall Result: fffffffffffffff2\n   [NIP  : release_resource+56]\n   [LR   : release_resource+48]\n   #5 [c0000000e4f07a00] release_resource at c000000000167258  (unreliable)\n   #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648\n   #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]\n   #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]\n   #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c\n  #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504\n  #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868\n  #12 [c0000000e4f07c70] new_sync_write at c00000000054339c\n  #13 [c0000000e4f07d10] vfs_write at c000000000546624\n  #14 [c0000000e4f07d60] ksys_write at c0000000005469f4\n  #15 [c0000000e4f07db0] system_call_exception at c000000000030840\n  #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168\n\nTo avoid it, we can take a reference to the host_bridge->dev until we're\ndone using phb. Then when we drop the reference the phb will be freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49196",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_netlink: Fix shift out of bounds in group mask calculation\n\nWhen a netlink message is received, netlink_recvmsg() fills in the address\nof the sender. One of the fields is the 32-bit bitfield nl_groups, which\ncarries the multicast group on which the message was received. The least\nsignificant bit corresponds to group 1, and therefore the highest group\nthat the field can represent is 32. Above that, the UB sanitizer flags the\nout-of-bounds shift attempts.\n\nWhich bits end up being set in such case is implementation defined, but\nit's either going to be a wrong non-zero value, or zero, which is at least\nnot misleading. Make the latter choice deterministic by always setting to 0\nfor higher-numbered multicast groups.\n\nTo get information about membership in groups >= 32, userspace is expected\nto use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO\nsocket option.\n[0] https://lwn.net/Articles/147608/\n\nThe way to trigger this issue is e.g. through monitoring the BRVLAN group:\n\n\t# bridge monitor vlan &\n\t# ip link add name br type bridge\n\nWhich produces the following citation:\n\n\tUBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19\n\tshift exponent 32 is too large for 32-bit type 'int'",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49197",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb\n\nGot crash when doing pressure test of mptcp:\n\n===========================================================================\ndst_release: dst:ffffa06ce6e5c058 refcnt:-1\nkernel tried to execute NX-protected page - exploit attempt? (uid: 0)\nBUG: unable to handle kernel paging request at ffffa06ce6e5c058\nPGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063\nOops: 0011 [#1] SMP PTI\nCPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G            E\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014\nCall Trace:\n ? skb_release_head_state+0x68/0x100\n ? skb_release_all+0xe/0x30\n ? kfree_skb+0x32/0xa0\n ? mptcp_sendmsg_frag+0x57e/0x750\n ? __mptcp_retrans+0x21b/0x3c0\n ? __switch_to_asm+0x35/0x70\n ? mptcp_worker+0x25e/0x320\n ? process_one_work+0x1a7/0x360\n ? worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n ? kthread+0x112/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ? ret_from_fork+0x35/0x40\n===========================================================================\n\nIn __mptcp_alloc_tx_skb skb was allocated and skb->tcp_tsorted_anchor will\nbe initialized, in under memory pressure situation sk_wmem_schedule will\nreturn false and then kfree_skb. In this case skb->_skb_refdst is not null\nbecause _skb_refdst and tcp_tsorted_anchor are stored in the same mem, and\nkfree_skb will try to release dst and cause crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49198",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()\n\nThis code checks \"index\" for an upper bound but it does not check for\nnegatives.  Change the type to unsigned to prevent underflows.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49199",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt\n\nFix the following kernel oops in btmtksdio_interrupt\n\n[   14.339134]  btmtksdio_interrupt+0x28/0x54\n[   14.339139]  process_sdio_pending_irqs+0x68/0x1a0\n[   14.339144]  sdio_irq_work+0x40/0x70\n[   14.339154]  process_one_work+0x184/0x39c\n[   14.339160]  worker_thread+0x228/0x3e8\n[   14.339168]  kthread+0x148/0x3ac\n[   14.339176]  ret_from_fork+0x10/0x30\n\nThat happened because hdev->power_on is already called before\nsdio_set_drvdata which btmtksdio_interrupt handler relies on is not\nproperly set up.\n\nThe details are shown as the below: hci_register_dev would run\nqueue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI\nworkqueue_struct to complete the power-on sequence and thus hci_power_on\nmay run before sdio_set_drvdata is done in btmtksdio_probe.\n\nThe hci_dev_do_open in hci_power_on would initialize the device and enable\nthe interrupt and thus it is possible that btmtksdio_interrupt is being\ncalled right before sdio_set_drvdata is filled out.\n\nWhen btmtksdio_interrupt is being called and sdio_set_drvdata is not filled,\nthe kernel oops is going to happen because btmtksdio_interrupt accesses an\nuninitialized pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49200",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: fix race between xmit and reset\n\nThere is a race between reset and the transmit paths that can lead to\nibmvnic_xmit() accessing an scrq after it has been freed in the reset\npath. It can result in a crash like:\n\n\tKernel attempted to read user page (0) - exploit attempt? (uid: 0)\n\tBUG: Kernel NULL pointer dereference on read at 0x00000000\n\tFaulting instruction address: 0xc0080000016189f8\n\tOops: Kernel access of bad area, sig: 11 [#1]\n\t...\n\tNIP [c0080000016189f8] ibmvnic_xmit+0x60/0xb60 [ibmvnic]\n\tLR [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\tCall Trace:\n\t[c008000001618f08] ibmvnic_xmit+0x570/0xb60 [ibmvnic] (unreliable)\n\t[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\t[c000000000c9cfcc] sch_direct_xmit+0xec/0x330\n\t[c000000000bfe640] __dev_xmit_skb+0x3a0/0x9d0\n\t[c000000000c00ad4] __dev_queue_xmit+0x394/0x730\n\t[c008000002db813c] __bond_start_xmit+0x254/0x450 [bonding]\n\t[c008000002db8378] bond_start_xmit+0x40/0xc0 [bonding]\n\t[c000000000c0046c] dev_hard_start_xmit+0x11c/0x280\n\t[c000000000c00ca4] __dev_queue_xmit+0x564/0x730\n\t[c000000000cf97e0] neigh_hh_output+0xd0/0x180\n\t[c000000000cfa69c] ip_finish_output2+0x31c/0x5c0\n\t[c000000000cfd244] __ip_queue_xmit+0x194/0x4f0\n\t[c000000000d2a3c4] __tcp_transmit_skb+0x434/0x9b0\n\t[c000000000d2d1e0] __tcp_retransmit_skb+0x1d0/0x6a0\n\t[c000000000d2d984] tcp_retransmit_skb+0x34/0x130\n\t[c000000000d310e8] tcp_retransmit_timer+0x388/0x6d0\n\t[c000000000d315ec] tcp_write_timer_handler+0x1bc/0x330\n\t[c000000000d317bc] tcp_write_timer+0x5c/0x200\n\t[c000000000243270] call_timer_fn+0x50/0x1c0\n\t[c000000000243704] __run_timers.part.0+0x324/0x460\n\t[c000000000243894] run_timer_softirq+0x54/0xa0\n\t[c000000000ea713c] __do_softirq+0x15c/0x3e0\n\t[c000000000166258] __irq_exit_rcu+0x158/0x190\n\t[c000000000166420] irq_exit+0x20/0x40\n\t[c00000000002853c] timer_interrupt+0x14c/0x2b0\n\t[c000000000009a00] decrementer_common_virt+0x210/0x220\n\t--- interrupt: 900 at plpar_hcall_norets_notrace+0x18/0x2c\n\nThe immediate cause of the crash is the access of tx_scrq in the following\nsnippet during a reset, where the tx_scrq can be either NULL or an address\nthat will soon be invalid:\n\n\tibmvnic_xmit()\n\t{\n\t\t...\n\t\ttx_scrq = adapter->tx_scrq[queue_num];\n\t\ttxq = netdev_get_tx_queue(netdev, queue_num);\n\t\tind_bufp = &tx_scrq->ind_buf;\n\n\t\tif (test_bit(0, &adapter->resetting)) {\n\t\t...\n\t}\n\nBut beyond that, the call to ibmvnic_xmit() itself is not safe during a\nreset and the reset path attempts to avoid this by stopping the queue in\nibmvnic_cleanup(). However just after the queue was stopped, an in-flight\nibmvnic_complete_tx() could have restarted the queue even as the reset is\nprogressing.\n\nSince the queue was restarted we could get a call to ibmvnic_xmit() which\ncan then access the bad tx_scrq (or other fields).\n\nWe cannot however simply have ibmvnic_complete_tx() check the ->resetting\nbit and skip starting the queue. This can race at the \"back-end\" of a good\nreset which just restarted the queue but has not cleared the ->resetting\nbit yet. If we skip restarting the queue due to ->resetting being true,\nthe queue would remain stopped indefinitely potentially leading to transmit\ntimeouts.\n\nIOW ->resetting is too broad for this purpose. Instead use a new flag\nthat indicates whether or not the queues are active. Only the open/\nreset paths control when the queues are active. ibmvnic_complete_tx()\nand others wake up the queue only if the queue is marked active.\n\nSo we will have:\n\tA. reset/open thread in ibmvnic_cleanup() and __ibmvnic_open()\n\n\t\t->resetting = true\n\t\t->tx_queues_active = false\n\t\tdisable tx queues\n\t\t...\n\t\t->tx_queues_active = true\n\t\tstart tx queues\n\n\tB. Tx interrupt in ibmvnic_complete_tx():\n\n\t\tif (->tx_queues_active)\n\t\t\tnetif_wake_subqueue();\n\nTo ensure that ->tx_queues_active and state of the queues are consistent,\nwe need a lock which:\n\n\t- must also be taken in the interrupt path (ibmvnic_complete_tx())\n\t- shared across the multiple\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49201",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: add missing NULL check in h5_enqueue\n\nSyzbot hit general protection fault in __pm_runtime_resume(). The problem\nwas in missing NULL check.\n\nhu->serdev can be NULL and we should not blindly pass &serdev->dev\nsomewhere, since it will cause GPF.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49202",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix double free during GPU reset on DC streams\n\n[Why]\nThe issue only occurs during the GPU reset code path.\n\nWe first backup the current state prior to committing 0 streams\ninternally from DM to DC. This state backup contains valid link\nencoder assignments.\n\nDC will clear the link encoder assignments as part of current state\n(but not the backup, since it was copied before the commit) and\nfree the extra stream reference it held.\n\nDC requires that the link encoder assignments remain cleared/invalid\nprior to committing. Since the backup still has valid assignments we\ncall the interface post reset to clear them. This routine also\nreleases the extra reference that the link encoder interface held -\nresulting in a double free (and eventually a NULL pointer dereference).\n\n[How]\nWe'll have to do a full DC commit anyway after GPU reset because\nthe stream count previously went to 0.\n\nWe don't need to retain the assignment that we had backed up, so\njust copy off of the now clean current state assignment after the\nreset has occurred with the new link_enc_cfg_copy() interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49203",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix more uncharged while msg has more_data\n\nIn tcp_bpf_send_verdict(), if msg has more data after\ntcp_bpf_sendmsg_redir():\n\ntcp_bpf_send_verdict()\n tosend = msg->sg.size  //msg->sg.size = 22220\n case __SK_REDIRECT:\n  sk_msg_return()  //uncharged msg->sg.size(22220) sk->sk_forward_alloc\n  tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000\n goto more_data;\n tosend = msg->sg.size  //msg->sg.size = 11000\n case __SK_REDIRECT:\n  sk_msg_return()  //uncharged msg->sg.size(11000) to sk->sk_forward_alloc\n\nThe msg->sg.size(11000) has been uncharged twice, to fix we can charge the\nremaining msg->sg.size before goto more data.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0\nCall Trace:\n <TASK>\n inet_csk_destroy_sock+0x55/0x110\n __tcp_close+0x279/0x470\n tcp_close+0x1f/0x60\n inet_release+0x3f/0x80\n __sock_release+0x3d/0xb0\n sock_close+0x11/0x20\n __fput+0x92/0x250\n task_work_run+0x6a/0xa0\n do_exit+0x33b/0xb60\n do_group_exit+0x2f/0xa0\n get_signal+0xb6/0x950\n arch_do_signal_or_restart+0xac/0x2a0\n ? vfs_write+0x237/0x290\n exit_to_user_mode_prepare+0xa9/0x200\n syscall_exit_to_user_mode+0x12/0x30\n do_syscall_64+0x46/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>\n\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n <TASK>\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49204",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n  sk_msg_return()\n  tcp_bpf_sendmsg_redir()\n   unlikely(!psock))\n     sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply return an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n <TASK>\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49205",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix memory leak in error flow for subscribe event routine\n\nIn case the second xa_insert() fails, the obj_event is not released.  Fix\nthe error unwind flow to free that memory to avoid a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49206",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix memleak in sk_psock_queue_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation we may enqueue\ndata on the ingress msg queue while tear down is trying to free it.\n\n sk1 (redirect sk2)                         sk2\n -------------------                      ---------------\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n  tcp_bpf_sendmsg_redir()\n   bpf_tcp_ingress()\n                                          sock_map_close()\n                                           lock_sock()\n    lock_sock() ... blocking\n                                           sk_psock_stop\n                                            sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);\n                                           release_sock(sk);\n    lock_sock()\n    sk_mem_charge()\n    get_page()\n    sk_psock_queue_msg()\n     sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);\n      drop_sk_msg()\n    release_sock()\n\nWhile drop_sk_msg(), the msg has charged memory from sk by sk_mem_charge\nand has sg pages need to put. To fix we use sk_msg_free() and then kfree()\nmsg.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0\nCall Trace:\n <IRQ>\n inet_csk_destroy_sock+0x55/0x110\n tcp_rcv_state_process+0xe5f/0xe90\n ? sk_filter_trim_cap+0x10d/0x230\n ? tcp_v4_do_rcv+0x161/0x250\n tcp_v4_do_rcv+0x161/0x250\n tcp_v4_rcv+0xc3a/0xce0\n ip_protocol_deliver_rcu+0x3d/0x230\n ip_local_deliver_finish+0x54/0x60\n ip_local_deliver+0xfd/0x110\n ? ip_protocol_deliver_rcu+0x230/0x230\n ip_rcv+0xd6/0x100\n ? ip_local_deliver+0x110/0x110\n __netif_receive_skb_one_core+0x85/0xa0\n process_backlog+0xa4/0x160\n __napi_poll+0x29/0x1b0\n net_rx_action+0x287/0x300\n __do_softirq+0xff/0x2fc\n do_softirq+0x79/0x90\n </IRQ>\n\nWARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0\nCall Trace:\n <TASK>\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n ? process_one_work+0x3c0/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49207",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Prevent some integer underflows\n\nMy static checker complains that:\n\n    drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init()\n    warn: can subtract underflow 'info->dev->hmc_fpm_misc.max_ceqs'?\n\nIt appears that \"info->dev->hmc_fpm_misc.max_ceqs\" comes from the firmware\nin irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could\nbe zero.  Even if we trust the firmware, it's easy enough to change the\ncondition just as a hardening measure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49208",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full\n\nIf tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc()\nreturns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial\nmemory has been alloced by sk_msg_alloc(), that is, msg_tx->sg.size is\ngreater than osize after sk_msg_alloc(), memleak occurs. To fix we use\nsk_msg_trim() to release the allocated memory, then goto wait for memory.\n\nOther call paths of sk_msg_alloc() have the similar issue, such as\ntls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(),\nas Cong Wang suggested.\n\nThis issue can cause the following info:\nWARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0\nCall Trace:\n <TASK>\n inet_csk_destroy_sock+0x55/0x110\n __tcp_close+0x279/0x470\n tcp_close+0x1f/0x60\n inet_release+0x3f/0x80\n __sock_release+0x3d/0xb0\n sock_close+0x11/0x20\n __fput+0x92/0x250\n task_work_run+0x6a/0xa0\n do_exit+0x33b/0xb60\n do_group_exit+0x2f/0xa0\n get_signal+0xb6/0x950\n arch_do_signal_or_restart+0xac/0x2a0\n exit_to_user_mode_prepare+0xa9/0x200\n syscall_exit_to_user_mode+0x12/0x30\n do_syscall_64+0x46/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>\n\nWARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n <TASK>\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n kthread+0xe6/0x110\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49209",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: pgalloc: fix memory leak caused by pgd_free()\n\npgd page is freed by generic implementation pgd_free() since commit\nf9cb654cb550 (\"asm-generic: pgalloc: provide generic pgd_free()\"),\nhowever, there are scenarios that the system uses more than one page as\nthe pgd table, in such cases the generic implementation pgd_free() won't\nbe applicable anymore. For example, when PAGE_SIZE_4KB is enabled and\nMIPS_VA_BITS_48 is not enabled in a 64bit system, the macro \"PGD_ORDER\"\nwill be set as \"1\", which will cause allocating two pages as the pgd\ntable. Well, at the same time, the generic implementation pgd_free()\njust free one pgd page, which will result in the memory leak.\n\nThe memory leak can be easily detected by executing shell command:\n\"while true; do ls > /dev/null; grep MemFree /proc/meminfo; done\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49210",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: cdmm: Fix refcount leak in mips_cdmm_phys_base\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented, so we should use of_node_put() on it when done.\nAdd the missing of_node_put() to release the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49211",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init\n\nThe reference counting issue happens in several error handling paths\non a refcounted object \"nc->dmac\". In these paths, the function simply\nreturns the error code, forgetting to balance the reference count of\n\"nc->dmac\", increased earlier by dma_request_channel(), which may\ncause refcount leaks.\n\nFix it by decrementing the refcount of specific object in those error\npaths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49212",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix error handling in ath10k_setup_msa_resources\n\nThe device_node pointer is returned by of_parse_phandle() with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49213",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Don't use DSISR for SLB faults\n\nSince commit 46ddcb3950a2 (\"powerpc/mm: Show if a bad page fault on data\nis read or write.\") we use page_fault_is_write(regs->dsisr) in\n__bad_page_fault() to determine if the fault is for a read or write, and\nchange the message printed accordingly.\n\nBut SLB faults, aka Data Segment Interrupts, don't set DSISR (Data\nStorage Interrupt Status Register) to a useful value. All ISA versions\nfrom v2.03 through v3.1 specify that the Data Segment Interrupt sets\nDSISR \"to an undefined value\". As far as I can see there's no mention of\nSLB faults setting DSISR in any BookIV content either.\n\nThis manifests as accesses that should be a read being incorrectly\nreported as writes, for example, using the xmon \"dump\" command:\n\n  0:mon> d 0x5deadbeef0000000\n  5deadbeef0000000\n  [359526.415354][    C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000\n  [359526.415611][    C6] Faulting instruction address: 0xc00000000010a300\n  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400]\n      pc: c00000000010a300: mread+0x90/0x190\n\nIf we disassemble the PC, we see a load instruction:\n\n  0:mon> di c00000000010a300\n  c00000000010a300 89490000      lbz     r10,0(r9)\n\nWe can also see in exceptions-64s.S that the data_access_slb block\ndoesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So\nthe value we're using to determine if the fault is a read/write is some\nstale value in pt_regs from a previous page fault.\n\nRework the printing logic to separate the SLB fault case out, and only\nprint read/write in the cases where we can determine it.\n\nThe result looks like eg:\n\n  0:mon> d 0x5deadbeef0000000\n  5deadbeef0000000\n  [  721.779525][    C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000\n  [  721.779697][    C6] Faulting instruction address: 0xc00000000014cbe0\n  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]\n\n  0:mon> d 0\n  0000000000000000\n  [  742.793242][    C6] BUG: Kernel NULL pointer dereference at 0x00000000\n  [  742.793316][    C6] Faulting instruction address: 0xc00000000014cbe0\n  cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49214",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix race at socket teardown\n\nFix a race in the xsk socket teardown code that can lead to a NULL pointer\ndereference splat. The current xsk unbind code in xsk_unbind_dev() starts by\nsetting xs->state to XSK_UNBOUND, sets xs->dev to NULL and then waits for any\nNAPI processing to terminate using synchronize_net(). After that, the release\ncode starts to tear down the socket state and free allocated memory.\n\n  BUG: kernel NULL pointer dereference, address: 00000000000000c0\n  PGD 8000000932469067 P4D 8000000932469067 PUD 0\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G          I       5.16.0+ #2\n  Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015\n  RIP: 0010:__xsk_sendmsg+0x2c/0x690\n  [...]\n  RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258\n  RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800\n  RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000\n  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800\n  R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000\n  FS:  00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0\n  Call Trace:\n  <TASK>\n  ? aa_sk_perm+0x43/0x1b0\n  xsk_sendmsg+0xf0/0x110\n  sock_sendmsg+0x65/0x70\n  __sys_sendto+0x113/0x190\n  ? debug_smp_processor_id+0x17/0x20\n  ? fpregs_assert_state_consistent+0x23/0x50\n  ? exit_to_user_mode_prepare+0xa5/0x1d0\n  __x64_sys_sendto+0x29/0x30\n  do_syscall_64+0x3b/0xc0\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThere are two problems with the current code. First, setting xs->dev to NULL\nbefore waiting for all users to stop using the socket is not correct. The\nentry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg()\nare all guarded by a test that xs->state is in the state XSK_BOUND and if not,\nit returns right away. But one process might have passed this test but still\nhave not gotten to the point in which it uses xs->dev in the code. In this\ninterim, a second process executing xsk_unbind_dev() might have set xs->dev to\nNULL which will lead to a crash for the first process. The solution here is\njust to get rid of this NULL assignment since it is not used anymore. Before\ncommit 42fddcc7c64b (\"xsk: use state member for socket synchronization\"),\nxs->dev was the gatekeeper to admit processes into the data plane functions,\nbut it was replaced with the state variable xs->state in the aforementioned\ncommit.\n\nThe second problem is that synchronize_net() does not wait for any process in\nxsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that the\nstate they rely on might be cleaned up prematurely. This can happen when the\nnotifier gets called (at driver unload for example) as it uses xsk_unbind_dev().\nSolve this by extending the RCU critical region from just the ndo_xsk_wakeup\nto the whole functions mentioned above, so that both the test of xs->state ==\nXSK_BOUND and the last use of any member of xs is covered by the RCU critical\nsection. This will guarantee that when synchronize_net() completes, there will\nbe no processes left executing xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and\nstate can be cleaned up safely. Note that we need to drop the RCU lock for the\nskb xmit path as it uses functions that might sleep. Due to this, we have to\nretest the xs->state after we grab the mutex that protects the skb xmit code\nfrom, among a number of things, an xsk_unbind_dev() being executed from the\nnotifier at the same time.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49215",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix reference leak in tegra_dsi_ganged_probe\n\nThe reference taken by 'of_find_device_by_node()' must be released when\nnot needed anymore. Add put_device() call to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49216",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix abort all task initialization\n\nIn pm80xx_send_abort_all(), the n_elem field of the ccb used is not\ninitialized to 0. This missing initialization sometimes lead to the task\ncompletion path seeing the ccb with a non-zero n_elem resulting in the\nexecution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),\ncausing a crash such as:\n\n[  197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280\n[  197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012\n[  197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0\n[  197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0\n[  197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b\n[  197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000\n[  197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000\n[  197.741493] FS:  0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000\n[  197.749659] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0\n[  197.762656] Call Trace:\n[  197.765127]  <IRQ>\n[  197.767162]  pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]\n[  197.772364]  ? do_raw_spin_unlock+0x54/0x220\n[  197.776680]  pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]\n[  197.782406]  process_oq+0xe85/0x7890 [pm80xx]\n[  197.786817]  ? lock_acquire+0x194/0x490\n[  197.790697]  ? handle_irq_event+0x10e/0x1b0\n[  197.794920]  ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]\n[  197.800378]  ? __wake_up_bit+0x100/0x100\n[  197.804340]  ? lock_is_held_type+0x98/0x110\n[  197.808565]  pm80xx_chip_isr+0x94/0x130 [pm80xx]\n[  197.813243]  tasklet_action_common.constprop.0+0x24b/0x2f0\n[  197.818785]  __do_softirq+0x1b5/0x82d\n[  197.822485]  ? do_raw_spin_unlock+0x54/0x220\n[  197.826799]  __irq_exit_rcu+0x17e/0x1e0\n[  197.830678]  irq_exit_rcu+0xa/0x20\n[  197.834114]  common_interrupt+0x78/0x90\n[  197.840051]  </IRQ>\n[  197.844236]  <TASK>\n[  197.848397]  asm_common_interrupt+0x1e/0x40\n\nAvoid this issue by always initializing the ccb n_elem field to 0 in\npm8001_send_abort_all(), pm8001_send_read_log() and\npm80xx_send_abort_all().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49217",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp: Fix OOB read when handling Post Cursor2 register\n\nThe link_status array was not large enough to read the Adjust Request\nPost Cursor2 register, so remove the common helper function to avoid\nan OOB read, found with a -Warray-bounds build:\n\ndrivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':\ndrivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]\n   59 |         return link_status[r - DP_LANE0_1_STATUS];\n      |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~\ndrivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'\n  147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],\n      |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nReplace the only user of the helper with an open-coded fetch and decode,\nsimilar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49218",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix memory leak during D3hot to D0 transition\n\nIf 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does\nnot have No_Soft_Reset bit set in its PMCSR config register), then\nthe current PCI state will be saved locally in\n'vfio_pci_core_device::pm_save' during D0->D3hot transition and same\nwill be restored back during D3hot->D0 transition.\nFor saving the PCI state locally, pci_store_saved_state() is being\nused and the pci_load_and_free_saved_state() will free the allocated\nmemory.\n\nBut for reset related IOCTLs, vfio driver calls PCI reset-related\nAPI's which will internally change the PCI power state back to D0. So,\nwhen the guest resumes, then it will get the current state as D0 and it\nwill skip the call to vfio_pci_set_power_state() for changing the\npower state to D0 explicitly. In this case, the memory pointed by\n'pm_save' will never be freed. In a malicious sequence, the state changing\nto D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be\nrun in a loop and it can cause an OOM situation.\n\nThis patch frees the earlier allocated memory first before overwriting\n'pm_save' to prevent the mentioned memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49219",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndax: make sure inodes are flushed before destroy cache\n\nA bug can be triggered by following command\n\n$ modprobe nd_pmem && modprobe -r nd_pmem\n\n[   10.060014] BUG dax_cache (Not tainted): Objects remaining in dax_cache on __kmem_cache_shutdown()\n[   10.060938] Slab 0x0000000085b729ac objects=9 used=1 fp=0x000000004f5ae469 flags=0x200000000010200(slab|head|node)\n[   10.062433] Call Trace:\n[   10.062673]  dump_stack_lvl+0x34/0x44\n[   10.062865]  slab_err+0x90/0xd0\n[   10.063619]  __kmem_cache_shutdown+0x13b/0x2f0\n[   10.063848]  kmem_cache_destroy+0x4a/0x110\n[   10.064058]  __x64_sys_delete_module+0x265/0x300\n\nThis is caused by dax_fs_exit() not flushing inodes before destroy cache.\nTo fix this issue, call rcu_barrier() before destroy cache.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49220",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: populate connector of struct dp_panel\n\nDP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose\nand expect DP source return correct checksum. During drm edid read,\ncorrect edid checksum is calculated and stored at\nconnector::real_edid_checksum.\n\nThe problem is struct dp_panel::connector is never assigned, instead the\nconnector is stored in struct msm_dp::connector. When we run compliance\ntesting test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid\nedid set in struct dp_panel::edid so we'll try to use the connectors\nreal_edid_checksum and hit a NULL pointer dereference error because the\nconnector pointer is never assigned.\n\nChanges in V2:\n-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()\n\nChanges in V3:\n-- remove unhelpful kernel crash trace commit text\n-- remove renaming dp_display parameter to dp\n\nChanges in V4:\n-- add more details to commit text\n\nChanges in v10:\n--  group into one series\n\nChanges in v11:\n-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read\n\nSigned-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49221",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: anx7625: Fix overflow issue on reading EDID\n\nThe length of EDID block can be longer than 256 bytes, so we should use\n`int` instead of `u8` for the `edid_pos` variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49222",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Hold port reference until decoder release\n\nKASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in\ncxl_decoder_release() where it goes to reference its parent, a cxl_port,\nto free its id back to port->decoder_ida.\n\n BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]\n Read of size 8 at addr ffff888119270908 by task kworker/35:2/379\n\n CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G           OE     5.17.0-rc2+ #198\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events kobject_delayed_cleanup\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x59/0x73\n  print_address_description.constprop.0+0x1f/0x150\n  ? to_cxl_port+0x18/0x90 [cxl_core]\n  kasan_report.cold+0x83/0xdf\n  ? to_cxl_port+0x18/0x90 [cxl_core]\n  to_cxl_port+0x18/0x90 [cxl_core]\n  cxl_decoder_release+0x2a/0x60 [cxl_core]\n  device_release+0x5f/0x100\n  kobject_cleanup+0x80/0x1c0\n\nThe device core only guarantees parent lifetime until all children are\nunregistered. If a child needs a parent to complete its ->release()\ncallback that child needs to hold a reference to extend the lifetime of\nthe parent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49223",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\uff1a\n\n   If this function returns an error, kobject_put() must be called to\n   properly clean up the memory associated with the object.\n\nFix memory leak by calling kobject_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49224",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921s: fix a possible memory leak in mt7921_load_patch\n\nAlways release fw data at the end of mt7921_load_patch routine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49225",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: asix: add proper error handling of usb read errors\n\nSyzbot once again hit uninit value in asix driver. The problem is still the\nsame -- asix_read_cmd() reads fewer bytes than was requested by caller.\n\nSince all read requests are performed via asix_read_cmd() let's catch\nusb related error there and add __must_check notation to be sure all\ncallers actually check return value.\n\nSo, this patch adds sanity check inside asix_read_cmd(), that simply\nchecks if bytes read are not less than was requested and adds missing\nerror handling of asix_read_cmd() all across the driver code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49226",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid kernel warning when changing RX ring parameters\n\nCalling ethtool changing the RX ring parameters like this:\n\n  $ ethtool -G eth0 rx 1024\n\non igc triggers kernel warnings like this:\n\n[  225.198467] ------------[ cut here ]------------\n[  225.198473] Missing unregister, handled but fix driver\n[  225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168\nxdp_rxq_info_reg+0x79/0xd0\n[...]\n[  225.198601] Call Trace:\n[  225.198604]  <TASK>\n[  225.198609]  igc_setup_rx_resources+0x3f/0xe0 [igc]\n[  225.198617]  igc_ethtool_set_ringparam+0x30e/0x450 [igc]\n[  225.198626]  ethnl_set_rings+0x18a/0x250\n[  225.198631]  genl_family_rcv_msg_doit+0xca/0x110\n[  225.198637]  genl_rcv_msg+0xce/0x1c0\n[  225.198640]  ? rings_prepare_data+0x60/0x60\n[  225.198644]  ? genl_get_cmd+0xd0/0xd0\n[  225.198647]  netlink_rcv_skb+0x4e/0xf0\n[  225.198652]  genl_rcv+0x24/0x40\n[  225.198655]  netlink_unicast+0x20e/0x330\n[  225.198659]  netlink_sendmsg+0x23f/0x480\n[  225.198663]  sock_sendmsg+0x5b/0x60\n[  225.198667]  __sys_sendto+0xf0/0x160\n[  225.198671]  ? handle_mm_fault+0xb2/0x280\n[  225.198676]  ? do_user_addr_fault+0x1eb/0x690\n[  225.198680]  __x64_sys_sendto+0x20/0x30\n[  225.198683]  do_syscall_64+0x38/0x90\n[  225.198687]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  225.198693] RIP: 0033:0x7f7ae38ac3aa\n\nigc_ethtool_set_ringparam() copies the igc_ring structure but neglects to\nreset the xdp_rxq_info member before calling igc_setup_rx_resources().\nThis in turn calls xdp_rxq_info_reg() with an already registered xdp_rxq_info.\n\nMake sure to unregister the xdp_rxq_info structure first in\nigc_setup_rx_resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49227",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n  RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n  ...\n  Call Trace:\n   <TASK>\n   btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n   btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n   btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n   btf_parse kernel/bpf/btf.c:4513 [inline]\n   btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n   bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n   __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n   __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n   __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n   type 0: void\n   type 1: int\n   type 2: decl_tag to func type 3\n   type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own 'resolve' callback functions\nand hence handled properly in kernel.\nBut func type doesn't have 'resolve' callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement 'resolve' callback\nfunc type properly. The 'resolve' callback will be also called\nin btf_check_all_types() for func types.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49228",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: unregister virtual clocks when unregistering physical clock.\n\nWhen unregistering a physical clock which has some virtual clocks,\nunregister the virtual clocks with it.\n\nThis fixes the following oops, which can be triggered by unloading\na driver providing a PTP clock when it has enabled virtual clocks:\n\nBUG: unable to handle page fault for address: ffffffffc04fc4d8\nOops: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:ptp_vclock_read+0x31/0xb0\nCall Trace:\n timecounter_read+0xf/0x50\n ptp_vclock_refresh+0x2c/0x50\n ? ptp_clock_release+0x40/0x40\n ptp_aux_kworker+0x17/0x30\n kthread_worker_fn+0x9b/0x240\n ? kthread_should_park+0x30/0x30\n kthread+0xe2/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49229",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta\n\nFree allocated skb in mt7915_mcu_add_sta routine in case of failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49230",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: fix memory overrun and memory leak during hw_scan\n\nPreviously we allocated less memory than actual required, overwrite\nto the buffer causes the mm module to complain and raise access\nviolation faults. Along with potential memory leaks when returned\nearly. Fix these by passing the correct size and proper deinit flow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49231",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()\n\nIn amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()\nis assigned to mode and is passed to drm_mode_probed_add() directly after\nthat. drm_mode_probed_add() passes &mode->head to list_add_tail(), and\nthere is a dereference of it in list_add_tail() without recoveries, which\ncould lead to NULL pointer dereference on failure of\namdgpu_dm_create_common_mode().\n\nFix this by adding a NULL check of mode.\n\nThis bug was found by a static analyzer.\n\nBuilds with 'make allyesconfig' show no new warnings,\nand our static analyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49232",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Call dc_stream_release for remove link enc assignment\n\n[Why]\nA porting error resulted in the stream assignment for the link\nbeing retained without being released - a memory leak.\n\n[How]\nFix the porting error by adding back the dc_stream_release() intended\nas part of the original patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49233",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: Avoid cross-chip syncing of VLAN filtering\n\nChanges to VLAN filtering are not applicable to cross-chip\nnotifications.\n\nOn a system like this:\n\n.-----.   .-----.   .-----.\n| sw1 +---+ sw2 +---+ sw3 |\n'-1-2-'   '-1-2-'   '-1-2-'\n\nBefore this change, upon sw1p1 leaving a bridge, a call to\ndsa_port_vlan_filtering would also be made to sw2p1 and sw3p1.\n\nIn this scenario:\n\n.---------.   .-----.   .-----.\n|   sw1   +---+ sw2 +---+ sw3 |\n'-1-2-3-4-'   '-1-2-'   '-1-2-'\n\nWhen sw1p4 would leave a bridge, dsa_port_vlan_filtering would be\ncalled for sw2 and sw3 with a non-existing port - leading to array\nout-of-bounds accesses and crashes on mv88e6xxx.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49234",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k_htc: fix uninit value bugs\n\nSyzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing\nfield initialization.\n\nIn htc_connect_service() svc_meta_len and pad are not initialized. Based\non code it looks like in current skb there is no service data, so simply\ninitialize svc_meta_len to 0.\n\nhtc_issue_send() does not initialize htc_frame_hdr::control array. Based\non firmware code, it will initialize it by itself, so simply zero whole\narray to make KMSAN happy\n\nFail logs:\n\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\n hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\n htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\n htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\n\nBytes 4-7 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00\n\nBUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430\n hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]\n hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479\n htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]\n htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275\n...\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258\n...\n\nBytes 16-17 of 18 are uninitialized\nMemory access of size 18 starts at ffff888027377e00",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49235",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix UAF due to race between btf_try_get_module and load_module\n\nWhile working on code to populate kfunc BTF ID sets for module BTF from\nits initcall, I noticed that by the time the initcall is invoked, the\nmodule BTF can already be seen by userspace (and the BPF verifier). The\nexisting btf_try_get_module calls try_module_get which only fails if\nmod->state == MODULE_STATE_GOING, i.e. it can increment module reference\nwhen module initcall is happening in parallel.\n\nCurrently, BTF parsing happens from MODULE_STATE_COMING notifier\ncallback. At this point, the module initcalls have not been invoked.\nThe notifier callback parses and prepares the module BTF, allocates an\nID, which publishes it to userspace, and then adds it to the btf_modules\nlist allowing the kernel to invoke btf_try_get_module for the BTF.\n\nHowever, at this point, the module has not been fully initialized (i.e.\nits initcalls have not finished). The code in module.c can still fail\nand free the module, without caring for other users. However, nothing\nstops btf_try_get_module from succeeding between the state transition\nfrom MODULE_STATE_COMING to MODULE_STATE_LIVE.\n\nThis leads to a use-after-free issue when BPF program loads\nsuccessfully in the state transition, load_module's do_init_module call\nfails and frees the module, and BPF program fd on close calls module_put\nfor the freed module. Future patch has test case to verify we don't\nregress in this area in future.\n\nThere are multiple points after prepare_coming_module (in load_module)\nwhere failure can occur and module loading can return error. We\nillustrate and test for the race using the last point where it can\npractically occur (in module __init function).\n\nAn illustration of the race:\n\nCPU 0                           CPU 1\n\t\t\t  load_module\n\t\t\t    notifier_call(MODULE_STATE_COMING)\n\t\t\t      btf_parse_module\n\t\t\t      btf_alloc_id\t// Published to userspace\n\t\t\t      list_add(&btf_mod->list, btf_modules)\n\t\t\t    mod->init(...)\n...\t\t\t\t^\nbpf_check\t\t        |\ncheck_pseudo_btf_id             |\n  btf_try_get_module            |\n    returns true                |  ...\n...                             |  module __init in progress\nreturn prog_fd                  |  ...\n...                             V\n\t\t\t    if (ret < 0)\n\t\t\t      free_module(mod)\n\t\t\t    ...\nclose(prog_fd)\n ...\n bpf_prog_free_deferred\n  module_put(used_btf.mod) // use-after-free\n\nWe fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier\ncallback when MODULE_STATE_LIVE state is reached for the module, so that\nwe return NULL from btf_try_get_module for modules that are not fully\nformed. Since try_module_get already checks that module is not in\nMODULE_STATE_GOING state, and that is the only transition a live module\ncan make before being removed from btf_modules list, this is enough to\nclose the race and prevent the bug.\n\nA later selftest patch crafts the race condition artificially to verify\nthat it has been fixed, and that verifier fails to load program (with\nENXIO).\n\nLastly, a couple of comments:\n\n 1. Even if this race didn't exist, it seems more appropriate to only\n    access resources (ksyms and kfuncs) of a fully formed module which\n    has been initialized completely.\n\n 2. This patch was born out of need for synchronization against module\n    initcall for the next patch, so it is needed for correctness even\n    without the aforementioned race condition. The BTF resources\n    initialized by module initcall are set up once and then only looked\n    up, so just waiting until the initcall has finished ensures correct\n    behavior.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49236",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: add missing of_node_put() to avoid leak\n\nThe node pointer is returned by of_find_node_by_type()\nor of_parse_phandle() with refcount incremented. Calling\nof_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49237",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: free peer for station when disconnect from AP for QCA6390/WCN6855\n\nCommit b4a0f54156ac (\"ath11k: move peer delete after vdev stop of station\nfor QCA6390 and WCN6855\") is to fix firmware crash by changing the WMI\ncommand sequence, but actually skip all the peer delete operation, then\nit lead commit 58595c9874c6 (\"ath11k: Fixing dangling pointer issue upon\npeer delete failure\") not take effect, and then happened a use-after-free\nwarning from KASAN. because the peer->sta is not set to NULL and then used\nlater.\n\nChange to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.\n\nlog of use-after-free:\n\n[  534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860\n\n[  534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G        W         5.15.0-wt-ath+ #523\n[  534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[  534.888716] Call Trace:\n[  534.888720]  <IRQ>\n[  534.888726]  dump_stack_lvl+0x57/0x7d\n[  534.888736]  print_address_description.constprop.0+0x1f/0x170\n[  534.888745]  ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888771]  kasan_report.cold+0x83/0xdf\n[  534.888783]  ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888810]  ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]\n[  534.888840]  ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]\n[  534.888874]  ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]\n[  534.888897]  ? check_prev_add+0x20f0/0x20f0\n[  534.888922]  ? __lock_acquire+0xb72/0x1870\n[  534.888937]  ? find_held_lock+0x33/0x110\n[  534.888954]  ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]\n[  534.888981]  ? rcu_read_unlock+0x40/0x40\n[  534.888990]  ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]\n[  534.889026]  ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]\n[  534.889053]  ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[  534.889075]  call_timer_fn+0x167/0x4a0\n[  534.889084]  ? add_timer_on+0x3b0/0x3b0\n[  534.889103]  ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370\n[  534.889117]  __run_timers.part.0+0x539/0x8b0\n[  534.889123]  ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]\n[  534.889157]  ? call_timer_fn+0x4a0/0x4a0\n[  534.889164]  ? mark_lock_irq+0x1c30/0x1c30\n[  534.889173]  ? clockevents_program_event+0xdd/0x280\n[  534.889189]  ? mark_held_locks+0xa5/0xe0\n[  534.889203]  run_timer_softirq+0x97/0x180\n[  534.889213]  __do_softirq+0x276/0x86a\n[  534.889230]  __irq_exit_rcu+0x11c/0x180\n[  534.889238]  irq_exit_rcu+0x5/0x20\n[  534.889244]  sysvec_apic_timer_interrupt+0x8e/0xc0\n[  534.889251]  </IRQ>\n[  534.889254]  <TASK>\n[  534.889259]  asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70\n[  534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee\n[  534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206\n[  534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10\n[  534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001\n[  534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f\n[  534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68\n[  534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000\n[  534.889316]  ? mark_lock+0xd0/0x14a0\n[  534.889332]  klist_next+0x1d4/0x450\n[  534.889340]  ? dpm_wait_for_subordinate+0x2d0/0x2d0\n[  534.889350]  device_for_each_child+0xa8/0x140\n[  534.889360]  ? device_remove_class_symlinks+0x1b0/0x1b0\n[  534.889370]  ? __lock_release+0x4bd/0x9f0\n[  534.889378]  ? dpm_suspend+0x26b/0x3f0\n[  534.889390]  dpm_wait_for_subordinate+\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49238",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\nThis is similar to commit 64b92de9603f\n(\"ASoC: wcd9335: fix a leaked reference by adding missing of_node_put\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49239",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8195: Fix error handling in mt8195_mt6359_rt1019_rt5682_dev_probe\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49240",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49241",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mxs: Fix error handling in mxs_sgtl5000_probe\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFor example, when codec_np is NULL, saif_np[0] and saif_np[1]\nare not NULL, it will cause leaks.\n\nof_node_put() will check if the node pointer is NULL, so we can\ncall it directly to release the refcount of regular pointers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49242",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function.\nCalling of_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49243",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49244",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume\n\npm_runtime_get_sync will increment pm usage counter\neven it failed. Forgetting to putting operation will\nresult in reference leak here. We fix it by replacing\nit with pm_runtime_resume_and_get to keep usage counter\nbalanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49245",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: atmel: Fix error handling in snd_proto_probe\n\nThe device_node pointer is returned by of_parse_phandle()  with refcount\nincremented. We should use of_node_put() on it when done.\n\nThis function only calls of_node_put() in the regular path.\nAnd it will cause refcount leak in error paths.\nFix this by calling of_node_put() in error handling too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49246",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED\n\nIf the callback 'start_streaming' fails, then all\nqueued buffers in the driver should be returned with\nstate 'VB2_BUF_STATE_QUEUED'. Currently, they are\nreturned with 'VB2_BUF_STATE_ERROR' which is wrong.\nFix this. This also fixes the warning:\n\n[   65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[   65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6\n[   65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G        W         5.16.0-rc4-62408-g32447129cb30-dirty #14\n[   65.590293] Hardware name: Radxa ROCK Pi 4B (DT)\n[   65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[   65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]\n[   65.592395] sp : ffff800012bc3ad0\n[   65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8\n[   65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612\n[   65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0\n[   65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff\n[   65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78\n[   65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce\n[   65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228\n[   65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78\n[   65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880\n[   65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0\n[   65.598940] Call trace:\n[   65.599155]  vb2_start_streaming+0xd4/0x160 [videobuf2_common]\n[   65.599672]  vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]\n[   65.600179]  vb2_streamon+0x54/0x88 [videobuf2_v4l2]\n[   65.600619]  vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]\n[   65.601103]  v4l_streamon+0x3c/0x50 [videodev]\n[   65.601521]  __video_do_ioctl+0x1a4/0x428 [videodev]\n[   65.601977]  video_usercopy+0x320/0x828 [videodev]\n[   65.602419]  video_ioctl2+0x3c/0x58 [videodev]\n[   65.602830]  v4l2_ioctl+0x60/0x90 [videodev]\n[   65.603227]  __arm64_sys_ioctl+0xa8/0xe0\n[   65.603576]  invoke_syscall+0x54/0x118\n[   65.603911]  el0_svc_common.constprop.3+0x84/0x100\n[   65.604332]  do_el0_svc+0x34/0xa0\n[   65.604625]  el0_svc+0x1c/0x50\n[   65.604897]  el0t_64_sync_handler+0x88/0xb0\n[   65.605264]  el0t_64_sync+0x16c/0x170\n[   65.605587] ---[ end trace 578e0ba07742170d ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49247",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction\n\nAV/C deferred transaction was supported at a commit 00a7bb81c20f (\"ALSA:\nfirewire-lib: Add support for deferred transaction\") while 'deferrable'\nflag can be uninitialized for non-control/notify AV/C transactions.\nUBSAN reports it:\n\nkernel: ================================================================================\nkernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9\nkernel: load of value 158 is not a valid value for type '_Bool'\nkernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P           OE     5.15.0-18-generic #18-Ubuntu\nkernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019\nkernel: Call Trace:\nkernel:  <IRQ>\nkernel:  show_stack+0x52/0x58\nkernel:  dump_stack_lvl+0x4a/0x5f\nkernel:  dump_stack+0x10/0x12\nkernel:  ubsan_epilogue+0x9/0x45\nkernel:  __ubsan_handle_load_invalid_value.cold+0x44/0x49\nkernel:  fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]\nkernel:  fcp_response+0x28/0x30 [snd_firewire_lib]\nkernel:  fw_core_handle_request+0x230/0x3d0 [firewire_core]\nkernel:  handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel:  ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel:  ? transmit_complete_callback+0x9f/0x120 [firewire_core]\nkernel:  ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]\nkernel:  tasklet_action_common.constprop.0+0xea/0xf0\nkernel:  tasklet_action+0x22/0x30\nkernel:  __do_softirq+0xd9/0x2e3\nkernel:  ? irq_finalize_oneshot.part.0+0xf0/0xf0\nkernel:  do_softirq+0x75/0xa0\nkernel:  </IRQ>\nkernel:  <TASK>\nkernel:  __local_bh_enable_ip+0x50/0x60\nkernel:  irq_forced_thread_fn+0x7e/0x90\nkernel:  irq_thread+0xba/0x190\nkernel:  ? irq_thread_fn+0x60/0x60\nkernel:  kthread+0x11e/0x140\nkernel:  ? irq_thread_check_affinity+0xf0/0xf0\nkernel:  ? 
set_kthread_struct+0x50/0x50\nkernel:  ret_from_fork+0x22/0x30\nkernel:  </TASK>\nkernel: ================================================================================\n\nThis commit fixes the bug. The bug has no disadvantage for the non-\ncontrol/notify AV/C transactions since the flag has an effect for AV/C\nresponse with INTERIM (0x0f) status which is not used for the transactions\nin AV/C general specification.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49248",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wc938x: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes.\n\nFix this by using enumerated items instead of integers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49249",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing compander for aux\n\nAUX interpolator does not have compander, so check before accessing\ncompander data for this.\n\nWithout this checkan array of out bounds access will be made in\ncomp_enabled[] array.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49250",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: va-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49251",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rx-macro: fix accessing array out of bounds for enum type\n\nAccessing enums using integer would result in array out of bounds access\non platforms like aarch64 where sizeof(long) is 8 compared to enum size\nwhich is 4 bytes.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49252",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: go7007: s2250-board: fix leak in probe()\n\nCall i2c_unregister_device(audio) on this error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49253",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()\n\nIn cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to\nctx->active_fmt and there is a dereference of it after that, which could\nlead to NULL pointer dereference on failure of devm_kzalloc().\n\nFix this bug by adding a NULL check of ctx->active_fmt.\n\nThis bug was found by a static analyzer.\n\nBuilds with 'make allyesconfig' show no new warnings, and our static\nanalyzer no longer warns about this code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49254",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix missing free nid in f2fs_handle_failed_inode\n\nThis patch fixes xfstests/generic/475 failure.\n\n[  293.680694] F2FS-fs (dm-1): May loss orphan inode, run fsck to fix.\n[  293.685358] Buffer I/O error on dev dm-1, logical block 8388592, async page read\n[  293.691527] Buffer I/O error on dev dm-1, logical block 8388592, async page read\n[  293.691764] sh (7615): drop_caches: 3\n[  293.691819] sh (7616): drop_caches: 3\n[  293.694017] Buffer I/O error on dev dm-1, logical block 1, async page read\n[  293.695659] sh (7618): drop_caches: 3\n[  293.696979] sh (7617): drop_caches: 3\n[  293.700290] sh (7623): drop_caches: 3\n[  293.708621] sh (7626): drop_caches: 3\n[  293.711386] sh (7628): drop_caches: 3\n[  293.711825] sh (7627): drop_caches: 3\n[  293.716738] sh (7630): drop_caches: 3\n[  293.719613] sh (7632): drop_caches: 3\n[  293.720971] sh (7633): drop_caches: 3\n[  293.727741] sh (7634): drop_caches: 3\n[  293.730783] sh (7636): drop_caches: 3\n[  293.732681] sh (7635): drop_caches: 3\n[  293.732988] sh (7637): drop_caches: 3\n[  293.738836] sh (7639): drop_caches: 3\n[  293.740568] sh (7641): drop_caches: 3\n[  293.743053] sh (7640): drop_caches: 3\n[  293.821889] ------------[ cut here ]------------\n[  293.824654] kernel BUG at fs/f2fs/node.c:3334!\n[  293.826226] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  293.828713] CPU: 0 PID: 7653 Comm: umount Tainted: G           OE     5.17.0-rc1-custom #1\n[  293.830946] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[  293.832526] RIP: 0010:f2fs_destroy_node_manager+0x33f/0x350 [f2fs]\n[  293.833905] Code: e8 d6 3d f9 f9 48 8b 45 d0 65 48 2b 04 25 28 00 00 00 75 1a 48 81 c4 28 03 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b\n[  293.837783] RSP: 0018:ffffb04ec31e7a20 EFLAGS: 00010202\n[  293.839062] RAX: 0000000000000001 RBX: ffff9df947db2eb8 RCX: 0000000080aa0072\n[  
293.840666] RDX: 0000000000000000 RSI: ffffe86c0432a140 RDI: ffffffffc0b72a21\n[  293.842261] RBP: ffffb04ec31e7d70 R08: ffff9df94ca85780 R09: 0000000080aa0072\n[  293.843909] R10: ffff9df94ca85700 R11: ffff9df94e1ccf58 R12: ffff9df947db2e00\n[  293.845594] R13: ffff9df947db2ed0 R14: ffff9df947db2eb8 R15: ffff9df947db2eb8\n[  293.847855] FS:  00007f5a97379800(0000) GS:ffff9dfa77c00000(0000) knlGS:0000000000000000\n[  293.850647] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  293.852940] CR2: 00007f5a97528730 CR3: 000000010bc76005 CR4: 0000000000370ef0\n[  293.854680] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  293.856423] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  293.858380] Call Trace:\n[  293.859302]  <TASK>\n[  293.860311]  ? ttwu_do_wakeup+0x1c/0x170\n[  293.861800]  ? ttwu_do_activate+0x6d/0xb0\n[  293.863057]  ? _raw_spin_unlock_irqrestore+0x29/0x40\n[  293.864411]  ? try_to_wake_up+0x9d/0x5e0\n[  293.865618]  ? debug_smp_processor_id+0x17/0x20\n[  293.866934]  ? debug_smp_processor_id+0x17/0x20\n[  293.868223]  ? free_unref_page+0xbf/0x120\n[  293.869470]  ? __free_slab+0xcb/0x1c0\n[  293.870614]  ? preempt_count_add+0x7a/0xc0\n[  293.871811]  ? __slab_free+0xa0/0x2d0\n[  293.872918]  ? __wake_up_common_lock+0x8a/0xc0\n[  293.874186]  ? __slab_free+0xa0/0x2d0\n[  293.875305]  ? free_inode_nonrcu+0x20/0x20\n[  293.876466]  ? free_inode_nonrcu+0x20/0x20\n[  293.877650]  ? debug_smp_processor_id+0x17/0x20\n[  293.878949]  ? call_rcu+0x11a/0x240\n[  293.880060]  ? f2fs_destroy_stats+0x59/0x60 [f2fs]\n[  293.881437]  ? 
kfree+0x1fe/0x230\n[  293.882674]  f2fs_put_super+0x160/0x390 [f2fs]\n[  293.883978]  generic_shutdown_super+0x7a/0x120\n[  293.885274]  kill_block_super+0x27/0x50\n[  293.886496]  kill_f2fs_super+0x7f/0x100 [f2fs]\n[  293.887806]  deactivate_locked_super+0x35/0xa0\n[  293.889271]  deactivate_super+0x40/0x50\n[  293.890513]  cleanup_mnt+0x139/0x190\n[  293.891689]  __cleanup_mnt+0x12/0x20\n[  293.892850]  task_work_run+0x64/0xa0\n[  293.894035]  exit_to_user_mode_prepare+0x1b7/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49255",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Actually free the watch\n\nfree_watch() does everything barring actually freeing the watch object.  Fix\nthis by adding the missing kfree.\n\nkmemleak produces a report something like the following.  Note that as an\naddress can be seen in the first word, the watch would appear to have gone\nthrough call_rcu().\n\nBUG: memory leak\nunreferenced object 0xffff88810ce4a200 (size 96):\n  comm \"syz-executor352\", pid 3605, jiffies 4294947473 (age 13.720s)\n  hex dump (first 32 bytes):\n    e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00  ..H.............\n    80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff8214e6cc>] kmalloc include/linux/slab.h:581 [inline]\n    [<ffffffff8214e6cc>] kzalloc include/linux/slab.h:714 [inline]\n    [<ffffffff8214e6cc>] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800\n    [<ffffffff8214ec84>] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016\n    [<ffffffff84493a25>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff84493a25>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49256",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix NULL dereference in error cleanup\n\nIn watch_queue_set_size(), the error cleanup code doesn't take account of\nthe fact that __free_page() can't handle a NULL pointer when trying to free\nup buffer pages that did get allocated.\n\nFix this by only calling __free_page() on the pages actually allocated.\n\nWithout the fix, this can lead to something like the following:\n\nBUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\nRead of size 4 at addr 0000000000000034 by task syz-executor168/3599\n...\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold+0x66/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:71 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]\n page_ref_count include/linux/page_ref.h:67 [inline]\n put_page_testzero include/linux/mm.h:717 [inline]\n __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473\n watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275\n pipe_ioctl+0xac/0x2b0 fs/pipe.c:632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49257",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccree - Fix use after free in cc_cipher_exit()\n\nkfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But\nctx_p->user.key is still used in the next line, which will lead to a\nuse after free.\n\nWe can call kfree_sensitive() after dev_dbg() to avoid the uaf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49258",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't delete queue kobject before its children\n\nkobjects aren't supposed to be deleted before their child kobjects are\ndeleted.  Apparently this is usually benign; however, a WARN will be\ntriggered if one of the child kobjects has a named attribute group:\n\n    sysfs group 'modes' not found for kobject 'crypto'\n    WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80\n    ...\n    Call Trace:\n      sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312\n      __kobject_del+0x20/0x80 lib/kobject.c:611\n      kobject_cleanup+0xa4/0x140 lib/kobject.c:696\n      kobject_release lib/kobject.c:736 [inline]\n      kref_put include/linux/kref.h:65 [inline]\n      kobject_put+0x53/0x70 lib/kobject.c:753\n      blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159\n      blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962\n      del_gendisk+0x117/0x250 block/genhd.c:610\n\nFix this by moving the kobject_del() and the corresponding\nkobject_uevent() to the correct place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49259",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - fix the aead software fallback for engine\n\nDue to the subreq pointer misuse the private context memory. The aead\nsoft crypto occasionally casues the OS panic as setting the 64K page.\nHere is fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49260",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[  183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[  183.637934] #PF: supervisor read access in kernel mode\n[  183.637997] #PF: error_code(0x0000) - not-present page\n[  183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[  183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[  183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G      D           5.17.0-rc6-ci-drm-11296+ #1\n[  183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[  183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[  183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[  183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[  183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[  183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[  183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[  183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[  183.645653] FS:  00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[  183.646570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[  183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  183.650142] Call Trace:\n[  183.650988]  <TASK>\n[  183.651793]  vm_access+0x1f0/0x2a0 [i915]\n[  183.652726]  
__access_remote_vm+0x224/0x380\n[  183.653561]  mem_rw.isra.0+0xf9/0x190\n[  183.654402]  vfs_read+0x9d/0x1b0\n[  183.655238]  ksys_read+0x63/0xe0\n[  183.656065]  do_syscall_64+0x38/0xc0\n[  183.656882]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  183.657663] RIP: 0033:0x7fe5ef725142\n[  183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[  183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[  183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[  183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[  183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n     - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49261",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: octeontx2 - remove CONFIG_DM_CRYPT check\n\nNo issues were found while using the driver with dm-crypt enabled. So\nCONFIG_DM_CRYPT check in the driver can be removed.\n\nThis also fixes the NULL pointer dereference in driver release if\nCONFIG_DM_CRYPT is enabled.\n\n...\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n...\nCall trace:\n crypto_unregister_alg+0x68/0xfc\n crypto_unregister_skciphers+0x44/0x60\n otx2_cpt_crypto_exit+0x100/0x1a0\n otx2_cptvf_remove+0xf8/0x200\n pci_device_remove+0x3c/0xd4\n __device_release_driver+0x188/0x234\n device_release_driver+0x2c/0x4c\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49262",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path\n\nThis avoids leaking memory if brcmf_chip_get_raminfo fails. Note that\nthe CLM blob is released in the device remove path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49263",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Force single empty string when argv is empty\n\nQuoting[1] Ariadne Conill:\n\n\"In several other operating systems, it is a hard requirement that the\nsecond argument to execve(2) be the name of a program, thus prohibiting\na scenario where argc < 1. POSIX 2017 also recommends this behaviour,\nbut it is not an explicit requirement[2]:\n\n    The argument arg0 should point to a filename string that is\n    associated with the process being started by one of the exec\n    functions.\n...\nInterestingly, Michael Kerrisk opened an issue about this in 2008[3],\nbut there was no consensus to support fixing this issue then.\nHopefully now that CVE-2021-4034 shows practical exploitative use[4]\nof this bug in a shellcode, we can reconsider.\n\nThis issue is being tracked in the KSPP issue tracker[5].\"\n\nWhile the initial code searches[6][7] turned up what appeared to be\nmostly corner case tests, trying to that just reject argv == NULL\n(or an immediately terminated pointer list) quickly started tripping[8]\nexisting userspace programs.\n\nThe next best approach is forcing a single empty string into argv and\nadjusting argc to match. The number of programs depending on argc == 0\nseems a smaller set than those calling execve with a NULL argv.\n\nAccount for the additional stack space in bprm_stack_limits(). Inject an\nempty string when argc == 0 (and set argc = 1). 
Warn about the case so\nuserspace has some notice about the change:\n\n    process './argc0' launched './argc0' with NULL argv: empty string added\n\nAdditionally WARN() and reject NULL argv usage for kernel threads.\n\n[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/\n[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html\n[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408\n[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\n[5] https://github.com/KSPP/linux/issues/176\n[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0\n[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0\n[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49264",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()\n\nWhen a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following\nsleep-in-atomic bug will be seen, as genpd_debug_remove() will be called\nwith a spinlock being held.\n\n[    0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460\n[    0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0\n[    0.029219] preempt_count: 1, expected: 0\n[    0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489\n[    0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)\n[    0.029256] Call trace:\n[    0.029265]  dump_backtrace.part.0+0xbc/0xd0\n[    0.029285]  show_stack+0x3c/0xa0\n[    0.029298]  dump_stack_lvl+0x7c/0xa0\n[    0.029311]  dump_stack+0x18/0x34\n[    0.029323]  __might_resched+0x10c/0x13c\n[    0.029338]  __might_sleep+0x4c/0x80\n[    0.029351]  down_read+0x24/0xd0\n[    0.029363]  lookup_one_len_unlocked+0x9c/0xcc\n[    0.029379]  lookup_positive_unlocked+0x10/0x50\n[    0.029392]  debugfs_lookup+0x68/0xac\n[    0.029406]  genpd_remove.part.0+0x12c/0x1b4\n[    0.029419]  of_genpd_remove_last+0xa8/0xd4\n[    0.029434]  psci_cpuidle_domain_probe+0x174/0x53c\n[    0.029449]  platform_probe+0x68/0xe0\n[    0.029462]  really_probe+0x190/0x430\n[    0.029473]  __driver_probe_device+0x90/0x18c\n[    0.029485]  driver_probe_device+0x40/0xe0\n[    0.029497]  __driver_attach+0xf4/0x1d0\n[    0.029508]  bus_for_each_dev+0x70/0xd0\n[    0.029523]  driver_attach+0x24/0x30\n[    0.029534]  bus_add_driver+0x164/0x22c\n[    0.029545]  driver_register+0x78/0x130\n[    0.029556]  __platform_driver_register+0x28/0x34\n[    0.029569]  psci_idle_init_domains+0x1c/0x28\n[    0.029583]  do_one_initcall+0x50/0x1b0\n[    0.029595]  kernel_init_freeable+0x214/0x280\n[    0.029609]  kernel_init+0x2c/0x13c\n[    0.029622]  
ret_from_fork+0x10/0x20\n\nIt doesn't seem necessary to call genpd_debug_remove() with the lock, so\nmove it out from locking to fix the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49265",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix rq-qos breakage from skipping rq_qos_done_bio()\n\na647a524a467 (\"block: don't call rq_qos_ops->done_bio if the bio isn't\ntracked\") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.\nWhile this fixed a potential oops, it also broke blk-iocost by skipping the\ndone_bio callback for merged bios.\n\nBefore, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),\nrq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED\ndistinguishing the former from the latter. rq_qos_done_bio() is not called\nfor bios which went through rq_qos_merge(). This royally confuses\nblk-iocost as the merged bios never finish and are considered perpetually\nin-flight.\n\nOne reliably reproducible failure mode is an intermediate cgroup getting\nstuck active preventing its children from being activated due to the\nleaf-only rule, leading to loss of control. The following is from\nresctl-bench protection scenario which emulates isolating a web server like\nworkload from a memory bomb run on an iocost configuration which should\nyield a reasonable level of protection.\n\n  # cat /sys/block/nvme2n1/device/model\n  Samsung SSD 970 PRO 512GB\n  # cat /sys/fs/cgroup/io.cost.model\n  259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025\n  # cat /sys/fs/cgroup/io.cost.qos\n  259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00\n  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n  ...\n  Memory Hog Summary\n  ==================\n\n  IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m\n              W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m\n\n  Isolation and Request Latency Impact Distributions:\n\n                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev\n  isol%       15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82\n  lat-imp%        0     0     0     0     0  4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6\n\n  Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%\n\nThe isolation result of 58.12% is close to what this device would show\nwithout any IO control.\n\nFix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and\ncalling rq_qos_done_bio() on them too. For consistency and clarity, rename\nBIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into\nrq_qos_done_bio() so that it's next to the code paths that set the flags.\n\nWith the patch applied, the above same benchmark shows:\n\n  # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1\n  ...\n  Memory Hog Summary\n  ==================\n\n  IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m\n              W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m\n\n  Isolation and Request Latency Impact Distributions:\n\n                min   p01   p05   p10   p25   p50   p75   p90   p95   p99   max  mean stdev\n  isol%       84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42  2.81\n  lat-imp%        0     0     0     0     0  2.81  5.73 11.11 13.92 17.53 22.61  4.10  4.68\n\n  Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49266",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM\n\nDo not call snd_dma_free_pages() when snd_dma_alloc_pages() returns\n-ENOMEM because it leads to a NULL pointer dereference bug.\n\nThe dmesg says:\n\n  [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12\n  [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  [ T1387] #PF: supervisor read access in kernel mode\n  [ T1387] #PF: error_code(0x0000) - not-present page\n  [ T1387] PGD 0 P4D 0\n  [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n  [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G        W         5.17.0-rc4-superb-owl-00055-g80d47f5de5e3\n  [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021\n  [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80\n  [ T1387] Code: [... snip ...]\n  [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246\n  [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n  [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0\n  [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000\n  [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001\n  [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828\n  [ T1387] FS:  00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000\n  [ T1387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0\n  [ T1387] PKRU: 55555554\n  [ T1387] Call Trace:\n  [ T1387]  <TASK>\n  [ T1387]  cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]\n  [... snip ...]\n  [ T1387]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49268",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: sanitize CAN ID checks in isotp_bind()\n\nSyzbot created an environment that led to a state machine status that\ncan not be reached with a compliant CAN ID address configuration.\nThe provided address information consisted of CAN ID 0x6000001 and 0xC28001\nwhich both boil down to 11 bit CAN IDs 0x001 in sending and receiving.\n\nSanitize the SFF/EFF CAN ID values before performing the address checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49269",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix use-after-free in dm_cleanup_zoned_dev()\n\ndm_cleanup_zoned_dev() uses queue, so it must be called\nbefore blk_cleanup_disk() starts its killing:\n\nblk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->\n->...RCU...->blk_free_queue_rcu()->kmem_cache_free()\n\nOtherwise, RCU callback may be executed first and\ndm_cleanup_zoned_dev() will touch free'd memory:\n\n BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0\n Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681\n\n CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x57/0x7d\n  print_address_description.constprop.0+0x1f/0x150\n  ? dm_cleanup_zoned_dev+0x33/0xd0\n  kasan_report.cold+0x7f/0x11b\n  ? dm_cleanup_zoned_dev+0x33/0xd0\n  dm_cleanup_zoned_dev+0x33/0xd0\n  __dm_destroy+0x26a/0x400\n  ? dm_blk_ioctl+0x230/0x230\n  ? up_write+0xd8/0x270\n  dev_remove+0x156/0x1d0\n  ctl_ioctl+0x269/0x530\n  ? table_clear+0x140/0x140\n  ? lock_release+0xb2/0x750\n  ? remove_all+0x40/0x40\n  ? rcu_read_lock_sched_held+0x12/0x70\n  ? lock_downgrade+0x3c0/0x3c0\n  ? rcu_read_lock_sched_held+0x12/0x70\n  dm_ctl_ioctl+0xa/0x10\n  __x64_sys_ioctl+0xb9/0xf0\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fb6dfa95c27",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49270",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent bad output lengths in smb2_ioctl_query_info()\n\nWhen calling smb2_ioctl_query_info() with\nsmb_query_info::flags=PASSTHRU_FSCTL and\nsmb_query_info::output_buffer_length=0, the following would return\n0x10\n\n\tbuffer = memdup_user(arg + sizeof(struct smb_query_info),\n\t\t\t     qi.output_buffer_length);\n\tif (IS_ERR(buffer)) {\n\t\tkfree(vars);\n\t\treturn PTR_ERR(buffer);\n\t}\n\nrather than a valid pointer thus making IS_ERR() check fail.  This\nwould then cause a NULL ptr dereference in @buffer when accessing it\nlater in smb2_ioctl_query_ioctl().  While at it, prevent having a\n@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO\nFileEndOfFileInformation requests when\nsmb_query_info::flags=PASSTHRU_SET_INFO.\n\nHere is a small C reproducer which triggers a NULL ptr in @buffer when\npassing an invalid smb_query_info::flags\n\n\t#include <stdio.h>\n\t#include <stdlib.h>\n\t#include <stdint.h>\n\t#include <unistd.h>\n\t#include <fcntl.h>\n\t#include <sys/ioctl.h>\n\n\t#define die(s) perror(s), exit(1)\n\t#define QUERY_INFO 0xc018cf07\n\n\tint main(int argc, char *argv[])\n\t{\n\t\tint fd;\n\n\t\tif (argc < 2)\n\t\t\texit(1);\n\t\tfd = open(argv[1], O_RDONLY);\n\t\tif (fd == -1)\n\t\t\tdie(\"open\");\n\t\tif (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)\n\t\t\tdie(\"ioctl\");\n\t\tclose(fd);\n\t\treturn 0;\n\t}\n\n\tmount.cifs //srv/share /mnt -o ...\n\tgcc repro.c && ./a.out /mnt/f0\n\n\t[  114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n\t[  114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t[  114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1\n\t[  114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n\t[  114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]\n\t[  114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24\n\t[  114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256\n\t[  114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d\n\t[  114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380\n\t[  114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003\n\t[  114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288\n\t[  114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000\n\t[  114.144852] FS:  00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000\n\t[  114.145338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[  114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0\n\t[  114.146131] Call Trace:\n\t[  114.146291]  <TASK>\n\t[  114.146432]  ? smb2_query_reparse_tag+0x890/0x890 [cifs]\n\t[  114.146800]  ? cifs_mapchar+0x460/0x460 [cifs]\n\t[  114.147121]  ? rcu_read_lock_sched_held+0x3f/0x70\n\t[  114.147412]  ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]\n\t[  114.147775]  ? dentry_path_raw+0xa6/0xf0\n\t[  114.148024]  ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]\n\t[  114.148413]  ? smb2_check_message+0x1080/0x1080 [cifs]\n\t[  114.148766]  ? rcu_read_lock_sched_held+0x3f/0x70\n\t[  114.149065]  cifs_ioctl+0x1577/0x3320 [cifs]\n\t[  114.149371]  ? lock_downgrade+0x6f0/0x6f0\n\t[  114.149631]  ? cifs_readdir+0x2e60/0x2e60 [cifs]\n\t[  114.149956]  ? rcu_read_lock_sched_held+0x3f/0x70\n\t[  114.150250]  ? __rseq_handle_notify_resume+0x80b/0xbe0\n\t[  114.150562]  ? __up_read+0x192/0x710\n\t[  114.150791]  ? __ia32_sys_rseq+0xf0/0xf0\n\t[  114.151025]  ? __x64_sys_openat+0x11f/0x1d0\n\t[  114.151296]  __x64_sys_ioctl+0x127/0x190\n\t[  114.151549]  do_syscall_64+0x3b/0x90\n\t[  114.151768]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\t[  114.152079] RIP: 0033:0x7f7aead043df\n\t[  114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49271",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock\n\nsyzbot caught a potential deadlock between the PCM\nruntime->buffer_mutex and the mm->mmap_lock.  It was brought by the\nrecent fix to cover the racy read/write and other ioctls, and in that\ncommit, I overlooked a (hopefully only) corner case that may take the\nrevert lock, namely, the OSS mmap.  The OSS mmap operation\nexceptionally allows re-configuring the parameters inside the OSS\nmmap syscall, where mm->mmap_mutex is already held.  Meanwhile, the\ncopy_from/to_user calls at read/write operations also take the\nmm->mmap_lock internally, hence it may lead to an AB/BA deadlock.\n\nA similar problem was already seen in the past and we fixed it with a\nrefcount (in commit b248371628aa).  The former fix covered only the\ncall paths with OSS read/write and OSS ioctls, while we need to cover\nthe concurrent access via both ALSA and OSS APIs now.\n\nThis patch addresses the problem above by replacing the buffer_mutex\nlock in the read/write operations with a refcount similar to what we've\nused for OSS.  The new field, runtime->buffer_accessing, keeps the\nnumber of concurrent read/write operations.  Unlike the former\nbuffer_mutex protection, this protects only around the\ncopy_from/to_user() calls; the other code is basically protected by\nthe PCM stream lock.  The refcount can be negative, meaning blocked\nby the ioctls.  If a negative value is seen, the read/write aborts\nwith -EBUSY.  On the ioctl side, OTOH, they check this refcount, too,\nand set it to a negative value for blocking unless it's already being\naccessed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49272",
          "detail": "fixed-version",
          "description": "Fixed from version 5.17.2"
        },
        {
          "id": "CVE-2022-49273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: pl031: fix rtc features null pointer dereference\n\nWhen there is no interrupt line, rtc alarm feature is disabled.\n\nThe clearing of the alarm feature bit was being done prior to allocations\nof ldata->rtc device, resulting in a null pointer dereference.\n\nClear RTC_FEATURE_ALARM after the rtc device is allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49273",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix crash when mount with quota enabled\n\nThere is a reported crash when mounting ocfs2 with quota enabled.\n\n  RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2]\n  Call Trace:\n    ocfs2_local_read_info+0xb9/0x6f0 [ocfs2]\n    dquot_load_quota_sb+0x216/0x470\n    dquot_load_quota_inode+0x85/0x100\n    ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2]\n    ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2]\n    mount_bdev+0x185/0x1b0\n    legacy_get_tree+0x27/0x40\n    vfs_get_tree+0x25/0xb0\n    path_mount+0x465/0xac0\n    __x64_sys_mount+0x103/0x140\n\nIt is caused by when initializing dqi_gqlock, the corresponding dqi_type\nand dqi_sb are not properly initialized.\n\nThis issue is introduced by commit 6c85c2c72819, which wants to avoid\naccessing uninitialized variables in error cases.  So make global quota\ninfo properly initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49274",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_tx_handler(): fix use after free of skb\n\ncan_put_echo_skb() will clone skb then free the skb. Move the\ncan_put_echo_skb() for the m_can version 3.0.x directly before the\nstart of the xmit in hardware, similar to the 3.1.x branch.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49275",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_scan_medium\n\nIf an error is returned in jffs2_scan_eraseblock() and some memory\nhas been added to the jffs2_summary *s, we can observe the following\nkmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88812b889c40 (size 64):\n  comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n  hex dump (first 32 bytes):\n    40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.\n    00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................\n  backtrace:\n    [<ffffffffae93a3a3>] __kmalloc+0x613/0x910\n    [<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0\n    [<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794\n    [<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267\n    [<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30\n    [<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0\n    [<ffffffffb0315d64>] mtd_get_sb+0x254/0x400\n    [<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0\n    [<ffffffffb0316478>] get_tree_mtd+0x498/0x840\n    [<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30\n    [<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0\n    [<ffffffffaea7a98f>] path_mount+0x50f/0x1e50\n    [<ffffffffaea7c3d7>] do_mount+0x107/0x130\n    [<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0\n    [<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160\n    [<ffffffffb10142f5>] do_syscall_64+0x45/0x70\nunreferenced object 0xffff888114b54840 (size 32):\n  comm \"mount\", pid 692, jiffies 4294838325 (age 34.288s)\n  hex dump (first 32 bytes):\n    c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............\n    00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.\n  backtrace:\n    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n    [<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90\n    [<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794\n    [...]\nunreferenced object 0xffff888114b57280 (size 32):\n  comm \"mount\", pid 692, jiffies 4294838393 (age 34.357s)\n  hex dump (first 32 bytes):\n    10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............\n    00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.\n  backtrace:\n    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n    [<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90\n    [<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794\n    [...]\nunreferenced object 0xffff8881116cd510 (size 16):\n  comm \"mount\", pid 692, jiffies 4294838395 (age 34.355s)\n  hex dump (first 16 bytes):\n    00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.\n  backtrace:\n    [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880\n    [<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90\n    [<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794\n    [...]\n--------------------------------------------\n\nTherefore, we should call jffs2_sum_reset_collected(s) on exit to\nrelease the memory added in s. In addition, a new tag \"out_buf\" is\nadded to prevent the NULL pointer reference caused by s being NULL.\n(thanks to Zhang Yi for this analysis)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49276",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_do_mount_fs\n\nIf jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,\nwe can observe the following kmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88811b25a640 (size 64):\n  comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880\n    [<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130\n    [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0\n    [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30\n    [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0\n    [...]\nunreferenced object 0xffff88812c760000 (size 65536):\n  comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n  hex dump (first 32 bytes):\n    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................\n    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................\n  backtrace:\n    [<ffffffffa493a449>] __kmalloc+0x6b9/0x910\n    [<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130\n    [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0\n    [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30\n    [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0\n    [...]\n--------------------------------------------\n\nThis is because the resources allocated in jffs2_sum_init() are not\nreleased. Call jffs2_sum_exit() to release these resources to solve\nthe problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49277",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: Fix count check in rproc_coredump_write()\n\nCheck count for 0, to avoid a potential underflow. Make the check the\nsame as the one in rproc_recovery_write().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49278",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: prevent integer overflow on 32 bit systems\n\nOn a 32 bit system, the \"len * sizeof(*p)\" operation can have an\ninteger overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49279",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: prevent underflow in nfssvc_decode_writeargs()\n\nSmatch complains:\n\n\tfs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()\n\twarn: no lower bound on 'args->len'\n\nChange the type to unsigned to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49280",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix handlecache and multiuser\n\nIn multiuser each individual user has their own tcon structure for the\nshare and thus their own handle for a cached directory.\nWhen we umount such a share we must make sure to release the pinned down dentry\nfor each such tcon and not just the master tcon.\n\nOtherwise we will get nasty warnings on umount that dentries are still in use:\n[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/}  still in use\\\n (2) [unmount of cifs cifs]\n...\n[ 3459.590492] Call Trace:\n[ 3459.590500]  d_walk+0x61/0x2a0\n[ 3459.590518]  ? shrink_lock_dentry.part.0+0xe0/0xe0\n[ 3459.590526]  shrink_dcache_for_umount+0x49/0x110\n[ 3459.590535]  generic_shutdown_super+0x1a/0x110\n[ 3459.590542]  kill_anon_super+0x14/0x30\n[ 3459.590549]  cifs_kill_sb+0xf5/0x104 [cifs]\n[ 3459.590773]  deactivate_locked_super+0x36/0xa0\n[ 3459.590782]  cleanup_mnt+0x131/0x190\n[ 3459.590789]  task_work_run+0x5c/0x90\n[ 3459.590798]  exit_to_user_mode_loop+0x151/0x160\n[ 3459.590809]  exit_to_user_mode_prepare+0x83/0xd0\n[ 3459.590818]  syscall_exit_to_user_mode+0x12/0x30\n[ 3459.590828]  do_syscall_64+0x48/0x90\n[ 3459.590833]  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49281",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: quota: fix loop condition at f2fs_quota_sync()\n\ncnt should be passed to sb_has_quota_active() instead of type to check\nactive quota properly.\n\nMoreover, when the type is -1, the compiler with enough inline knowledge\ncan discard sb_has_quota_active() check altogether, causing a NULL pointer\ndereference at the following inode_lock(dqopt->files[cnt]):\n\n[    2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[    2.796024] Mem abort info:\n[    2.796025]   ESR = 0x96000005\n[    2.796028]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.796029]   SET = 0, FnV = 0\n[    2.796031]   EA = 0, S1PTW = 0\n[    2.796032] Data abort info:\n[    2.796034]   ISV = 0, ISS = 0x00000005\n[    2.796035]   CM = 0, WnR = 0\n[    2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000\n[    2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000\n[    2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP\n[    2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S                5.4.179-arter97-r8-64666-g2f16e087f9d8 #1\n[    2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)\n[    2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)\n[    2.796065] pc : down_write+0x28/0x70\n[    2.796070] lr : f2fs_quota_sync+0x100/0x294\n[    2.796071] sp : ffffffa3f48ffc30\n[    2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000\n[    2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80\n[    2.796077] x25: ffffffa3f7290048 x24: 0000000000000001\n[    2.796078] x23: 0000000000000000 x22: ffffffa3f7290000\n[    2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110\n[    2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038\n[    2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0\n[    2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0\n[    2.796086] x13: 00000000000004f6 x12: 00162c44ff493000\n[    2.796088] x11: 0000000000000400 x10: ffffffa40e38c948\n[    2.796090] x9 : 0000000000000000 x8 : 00000000000000a0\n[    2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a\n[    2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d\n[    2.796094] x3 : 00000000060c0000 x2 : 0000000000000001\n[    2.796096] x1 : 0000000000000000 x0 : 00000000000000a0\n[    2.796098] Call trace:\n[    2.796100]  down_write+0x28/0x70\n[    2.796102]  f2fs_quota_sync+0x100/0x294\n[    2.796104]  block_operations+0x120/0x204\n[    2.796106]  f2fs_write_checkpoint+0x11c/0x520\n[    2.796107]  __checkpoint_and_complete_reqs+0x7c/0xd34\n[    2.796109]  issue_checkpoint_thread+0x6c/0xb8\n[    2.796112]  kthread+0x138/0x414\n[    2.796114]  ret_from_fork+0x10/0x18\n[    2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)\n[    2.796120] ---[ end trace 96e942e8eb6a0b53 ]---\n[    2.800116] Kernel panic - not syncing: Fatal exception\n[    2.800120] SMP: stopping secondary CPUs",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49282",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: sysfb: fix platform-device leak in error path\n\nMake sure to free the platform device also in the unlikely event that\nregistration fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49283",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: syscfg: Fix memleak on registration failure in cscfg_create_device\n\ndevice_register() calls device_initialize(),\naccording to doc of device_initialize:\n\n    Use put_device() to give up your reference instead of freeing\n    * @dev directly once you have called this function.\n\nTo prevent potential memleak, use put_device() for error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49284",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: mma8452: use the correct logic to get mma8452_data\n\nThe original logic to get mma8452_data is wrong: the *dev points to\nthe device belonging to iio_dev. We can't use this dev to find the\ncorrect i2c_client. The original logic happens to work because it\nfinally uses dev->driver_data to get iio_dev. Using the API\nto_i2c_client() here is wrong and confuses the reader. To correct the\nlogic, it should be like this\n\n  struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));\n\nBut after commit 8b7651f25962 (\"iio: iio_device_alloc(): Remove\nunnecessary self drvdata\"), the above logic also can't work.\nWhen trying to show the available scale in userspace, we will meet a kernel\ndump: the kernel handles a NULL pointer dereference.\n\nSo use dev_to_iio_dev() to correct the logic.\n\nDual fixes tags as the second reflects when the bug was exposed, whilst\nthe first reflects when the original bug was introduced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49285",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: use try_get_ops() in tpm-space.c\n\nAs part of the series conversion to remove nested TPM operations:\n\nhttps://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/\n\nexposure of the chip->tpm_mutex was removed from much of the upper\nlevel code.  In this conversion, tpm2_del_space() was missed.  This\ndidn't matter much because it's usually called closely after a\nconverted operation, so there's only a very tiny race window where the\nchip can be removed before the space flushing is done which causes a\nNULL deref on the mutex.  However, there are reports of this window\nbeing hit in practice, so fix this by converting tpm2_del_space() to\nuse tpm_try_get_ops(), which performs all the teardown checks before\nacquring the mutex.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49286",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: fix reference counting for struct tpm_chip\n\nThe following sequence of operations results in a refcount warning:\n\n1. Open device /dev/tpmrm.\n2. Remove module tpm_tis_spi.\n3. Write a TPM command to the file descriptor opened at step 1.\n\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4\nrefcount_t: addition on 0; use-after-free.\nModules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac\nsha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4\nbrcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes\nraspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm\nsnd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]\nCPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2\nHardware name: BCM2711\n[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)\n[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)\n[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)\n[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)\n[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)\n[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])\n[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])\n[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)\n[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)\n[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)\nException stack(0xc226bfa8 to 0xc226bff0)\nbfa0:                   00000000 000105b4 00000003 beafe664 00000014 00000000\nbfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684\nbfe0: 0000006c beafe648 0001056c b6eb6944\n---[ end trace d4b8409def9b8b1f ]---\n\nThe reason for this warning is the attempt to get the chip->dev reference\nin tpm_common_write() although the reference counter is already zero.\n\nSince commit 8979b02aaf1d (\"tpm: Fix reference count to main device\") the\nextra reference used to prevent a premature zero counter is never taken,\nbecause the required TPM_CHIP_FLAG_TPM2 flag is never set.\n\nFix this by moving the TPM 2 character device handling from\ntpm_chip_alloc() to tpm_add_char_device() which is called at a later point\nin time when the flag has been set in case of TPM2.\n\nCommit fdc915f7f719 (\"tpm: expose spaces via a device link /dev/tpmrm<n>\")\nalready introduced function tpm_devs_release() to release the extra\nreference but did not implement the required put on chip->devs that results\nin the call of this function.\n\nFix this by putting chip->devs in tpm_chip_unregister().\n\nFinally move the new implementation for the TPM 2 handling into a new\nfunction to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the\ngood case and error cases.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49287",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent prealloc proc writes\n\nWe have no protection against concurrent PCM buffer preallocation\nchanges via proc files, and it may potentially lead to UAF or some\nweird problem.  This patch applies the PCM open_mutex to the proc\nwrite operation for avoiding the racy proc writes and the PCM stream\nopen (and further operations).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49288",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuaccess: fix integer overflow on access_ok()\n\nThree architectures check the end of a user access against the\naddress limit without taking a possible overflow into account.\nPassing a negative length or another overflow in here returns\nsuccess when it should not.\n\nUse the most common correct implementation here, which optimizes\nfor a constant 'size' argument, and turns the common case into a\nsingle comparison.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49289",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix potential double free on mesh join\n\nWhile commit 6a01afcf8468 (\"mac80211: mesh: Free ie data when leaving\nmesh\") fixed a memory leak on mesh leave / teardown it introduced a\npotential memory corruption caused by a double free when rejoining the\nmesh:\n\n  ieee80211_leave_mesh()\n  -> kfree(sdata->u.mesh.ie);\n  ...\n  ieee80211_join_mesh()\n  -> copy_mesh_setup()\n     -> old_ie = ifmsh->ie;\n     -> kfree(old_ie);\n\nThis double free / kernel panics can be reproduced by using wpa_supplicant\nwith an encrypted mesh (if set up without encryption via \"iw\" then\nifmsh->ie is always NULL, which avoids this issue). And then calling:\n\n  $ iw dev mesh0 mesh leave\n  $ iw dev mesh0 mesh join my-mesh\n\nNote that typically these commands are not used / working when using\nwpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going\nthrough a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join\nwhere the NETDEV_UP resets the mesh.ie to NULL via a memcpy of\ndefault_mesh_setup in cfg80211_netdev_notifier_call, which then avoids\nthe memory corruption, too.\n\nThe issue was first observed in an application which was not using\nwpa_supplicant but \"Senf\" instead, which implements its own calls to\nnl80211.\n\nFixing the issue by removing the kfree()'ing of the mesh IE in the mesh\njoin function and leaving it solely up to the mesh leave to free the\nmesh IE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49290",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent hw_params and hw_free calls\n\nCurrently we have neither proper check nor protection against the\nconcurrent calls of PCM hw_params and hw_free ioctls, which may result\nin a UAF.  Since the existing PCM stream lock can't be used for\nprotecting the whole ioctl operations, we need a new mutex to protect\nthose racy calls.\n\nThis patch introduced a new mutex, runtime->buffer_mutex, and applies\nit to both hw_params and hw_free ioctl code paths.  Along with it, the\nboth functions are slightly modified (the mmap_count check is moved\ninto the state-check block) for code simplicity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49291",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc().  Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device.  Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers.  First off, it adds the limit of 1MB as the\nupper bound for period bytes.  This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size.  The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49292",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: initialize registers in nft_do_chain()\n\nInitialize registers to avoid stack leak into userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49293",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18"
        },
        {
          "id": "CVE-2022-49294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check if modulo is 0 before dividing.\n\n[How & Why]\nIf a value of 0 is read, then this will cause a divide-by-0 panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49294",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: call genl_unregister_family() first in nbd_cleanup()\n\nOtherwise there may be race between module removal and the handling of\nnetlink command, which can lead to the oops as shown below:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000098\n  Oops: 0002 [#1] SMP PTI\n  CPU: 1 PID: 31299 Comm: nbd-client Tainted: G            E     5.14.0-rc4\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  RIP: 0010:down_write+0x1a/0x50\n  Call Trace:\n   start_creating+0x89/0x130\n   debugfs_create_dir+0x1b/0x130\n   nbd_start_device+0x13d/0x390 [nbd]\n   nbd_genl_connect+0x42f/0x748 [nbd]\n   genl_family_rcv_msg_doit.isra.0+0xec/0x150\n   genl_rcv_msg+0xe5/0x1e0\n   netlink_rcv_skb+0x55/0x100\n   genl_rcv+0x29/0x40\n   netlink_unicast+0x1a8/0x250\n   netlink_sendmsg+0x21b/0x430\n   ____sys_sendmsg+0x2a4/0x2d0\n   ___sys_sendmsg+0x81/0xc0\n   __sys_sendmsg+0x62/0xb0\n   __x64_sys_sendmsg+0x1f/0x30\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  Modules linked in: nbd(E-)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49295",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix possible deadlock when holding Fwb to get inline_data\n\n1, mount with wsync.\n2, create a file with O_RDWR, and the request was sent to mds.0:\n\n   ceph_atomic_open()-->\n     ceph_mdsc_do_request(openc)\n     finish_open(file, dentry, ceph_open)-->\n       ceph_open()-->\n         ceph_init_file()-->\n           ceph_init_file_info()-->\n             ceph_uninline_data()-->\n             {\n               ...\n               if (inline_version == 1 || /* initial version, no data */\n                   inline_version == CEPH_INLINE_NONE)\n                     goto out_unlock;\n               ...\n             }\n\nThe inline_version will be 1, which is the initial version for the\nnew create file. And here the ci->i_inline_version will keep with 1,\nit's buggy.\n\n3, buffer write to the file immediately:\n\n   ceph_write_iter()-->\n     ceph_get_caps(file, need=Fw, want=Fb, ...);\n     generic_perform_write()-->\n       a_ops->write_begin()-->\n         ceph_write_begin()-->\n           netfs_write_begin()-->\n             netfs_begin_read()-->\n               netfs_rreq_submit_slice()-->\n                 netfs_read_from_server()-->\n                   rreq->netfs_ops->issue_read()-->\n                     ceph_netfs_issue_read()-->\n                     {\n                       ...\n                       if (ci->i_inline_version != CEPH_INLINE_NONE &&\n                           ceph_netfs_issue_op_inline(subreq))\n                         return;\n                       ...\n                     }\n     ceph_put_cap_refs(ci, Fwb);\n\nThe ceph_netfs_issue_op_inline() will send a getattr(Fsr) request to\nmds.1.\n\n4, then the mds.1 will request the rd lock for CInode::filelock from\nthe auth mds.0, the mds.0 will do the CInode::filelock state transation\nfrom excl --> sync, but it need to revoke the Fxwb caps back from the\nclients.\n\nWhile the kernel client has aleady held the Fwb caps and waiting for\nthe getattr(Fsr).\n\nIt's deadlock!\n\nURL: https://tracker.ceph.com/issues/55377",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49296",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix io hung while disconnecting device\n\nIn our tests, \"qemu-nbd\" triggers a io hung:\n\nINFO: task qemu-nbd:11445 blocked for more than 368 seconds.\n      Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:qemu-nbd        state:D stack:    0 pid:11445 ppid:     1 flags:0x00000000\nCall Trace:\n <TASK>\n __schedule+0x480/0x1050\n ? _raw_spin_lock_irqsave+0x3e/0xb0\n schedule+0x9c/0x1b0\n blk_mq_freeze_queue_wait+0x9d/0xf0\n ? ipi_rseq+0x70/0x70\n blk_mq_freeze_queue+0x2b/0x40\n nbd_add_socket+0x6b/0x270 [nbd]\n nbd_ioctl+0x383/0x510 [nbd]\n blkdev_ioctl+0x18e/0x3e0\n __x64_sys_ioctl+0xac/0x120\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fd8ff706577\nRSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577\nRDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f\nRBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0\nR10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d\nR13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0\n\n\"qemu-ndb -d\" will call ioctl 'NBD_DISCONNECT' first, however, following\nmessage was found:\n\nblock nbd0: Send disconnect failed -32\n\nWhich indicate that something is wrong with the server. Then,\n\"qemu-nbd -d\" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear\nrequests after commit 2516ab1543fd(\"nbd: only clear the queue on device\nteardown\"). And in the meantime, request can't complete through timeout\nbecause nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which\nmeans such request will never be completed in this situation.\n\nNow that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't\ncomplete multiple times, switch back to call nbd_clear_sock() in\nnbd_clear_sock_ioctl(), so that inflight requests can be cleared.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49297",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix uninit-value in r871xu_drv_init()\n\nWhen 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0,\n'mac[6]' will not be initialized.\n\nBUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541\n r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n really_probe+0x653/0x14b0 drivers/base/dd.c:596\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238\n usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293\n really_probe+0x653/0x14b0 drivers/base/dd.c:596\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566\n hub_port_connect drivers/usb/core/hub.c:5358 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]\n port_event drivers/usb/core/hub.c:5660 [inline]\n hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742\n process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307\n worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454\n kthread+0x3c7/0x500 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30\n\nLocal variable mac created at:\n r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n\nKMSAN: uninit-value in r871xu_drv_init\nhttps://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49298",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between nbd_alloc_config() and module removal\n\nWhen nbd module is being removing, nbd_alloc_config() may be\ncalled concurrently by nbd_genl_connect(), although try_module_get()\nwill return false, but nbd_alloc_config() doesn't handle it.\n\nThe race may lead to the leak of nbd_config and its related\nresources (e.g, recv_workq) and oops in nbd_read_stat() due\nto the unload of nbd module as shown below:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000040\n  Oops: 0000 [#1] SMP PTI\n  CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: knbd16-recv recv_work [nbd]\n  RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]\n  Call Trace:\n   recv_work+0x3b/0xb0 [nbd]\n   process_one_work+0x1ed/0x390\n   worker_thread+0x4a/0x3d0\n   kthread+0x12a/0x150\n   ret_from_fork+0x22/0x30\n\nFixing it by checking the return value of try_module_get()\nin nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),\nassign nbd->config only when nbd_alloc_config() succeeds to ensure\nthe value of nbd->config is binary (valid or NULL).\n\nAlso adding a debug message to check the reference counter\nof nbd_config during module removal.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49300",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix uninit-value in usb_read8() and friends\n\nWhen r8712_usbctrl_vendorreq() returns negative, 'data' in\nusb_read{8,16,32} will not be initialized.\n\nBUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:643 [inline]\nBUG: KMSAN: uninit-value in string+0x4ec/0x6f0 lib/vsprintf.c:725\n string_nocheck lib/vsprintf.c:643 [inline]\n string+0x4ec/0x6f0 lib/vsprintf.c:725\n vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806\n va_format lib/vsprintf.c:1704 [inline]\n pointer+0x18e6/0x1f70 lib/vsprintf.c:2443\n vsnprintf+0x1a9b/0x3650 lib/vsprintf.c:2810\n vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158\n vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256\n dev_vprintk_emit+0x5ef/0x6d0 drivers/base/core.c:4604\n dev_printk_emit+0x1dd/0x21f drivers/base/core.c:4615\n __dev_printk+0x3be/0x440 drivers/base/core.c:4627\n _dev_info+0x1ea/0x22f drivers/base/core.c:4673\n r871xu_drv_init+0x1929/0x3070 drivers/staging/rtl8712/usb_intf.c:401\n usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396\n really_probe+0x6c7/0x1350 drivers/base/dd.c:621\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238\n usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293\n really_probe+0x6c7/0x1350 drivers/base/dd.c:621\n __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752\n driver_probe_device drivers/base/dd.c:782 [inline]\n __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899\n bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427\n __device_attach+0x593/0x8e0 drivers/base/dd.c:970\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017\n bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487\n device_add+0x1fff/0x26e0 drivers/base/core.c:3405\n usb_new_device+0x1b91/0x2950 drivers/usb/core/hub.c:2566\n hub_port_connect drivers/usb/core/hub.c:5363 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]\n port_event drivers/usb/core/hub.c:5665 [inline]\n hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5747\n process_one_work+0xdb6/0x1820 kernel/workqueue.c:2289\n worker_thread+0x10d0/0x2240 kernel/workqueue.c:2436\n kthread+0x3c7/0x500 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nLocal variable data created at:\n usb_read8+0x5d/0x130 drivers/staging/rtl8712/usb_ops.c:33\n r8712_read8+0xa5/0xd0 drivers/staging/rtl8712/rtl8712_io.c:29\n\nKMSAN: uninit-value in r871xu_drv_init\nhttps://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49301",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: host: isp116x: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49302",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192eu: Fix deadlock in rtw_joinbss_event_prehandle\n\nThere is a deadlock in rtw_joinbss_event_prehandle(), which is shown below:\n\n   (Thread 1)                |      (Thread 2)\n                             | _set_timer()\nrtw_joinbss_event_prehandle()|  mod_timer()\n spin_lock_bh() //(1)        |  (wait a time)\n ...                         | rtw_join_timeout_handler()\n                             |  _rtw_join_timeout_handler()\n del_timer_sync()            |   spin_lock_bh() //(2)\n (wait timer to stop)        |   ...\n\nWe hold pmlmepriv->lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need pmlmepriv->lock in position (2) of thread 2.\nAs a result, rtw_joinbss_event_prehandle() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_bh(), which could let timer handler to obtain\nthe needed lock. What`s more, we change spin_lock_bh() to\nspin_lock_irq() in _rtw_join_timeout_handler() in order to\nprevent deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49303",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: tty: serial: Fix deadlock in sa1100_set_termios()\n\nThere is a deadlock in sa1100_set_termios(), which is shown\nbelow:\n\n   (Thread 1)              |      (Thread 2)\n                           | sa1100_enable_ms()\nsa1100_set_termios()       |  mod_timer()\n spin_lock_irqsave() //(1) |  (wait a time)\n ...                       | sa1100_timeout()\n del_timer_sync()          |  spin_lock_irqsave() //(2)\n (wait timer to stop)      |  ...\n\nWe hold sport->port.lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need sport->port.lock in position (2) of thread 2. As a result,\nsa1100_set_termios() will block forever.\n\nThis patch moves del_timer_sync() before spin_lock_irqsave()\nin order to prevent the deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49304",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()\n\nThere is a deadlock in ieee80211_beacons_stop(), which is shown below:\n\n   (Thread 1)              |      (Thread 2)\n                           | ieee80211_send_beacon()\nieee80211_beacons_stop()   |  mod_timer()\n spin_lock_irqsave() //(1) |  (wait a time)\n ...                       | ieee80211_send_beacon_cb()\n del_timer_sync()          |  spin_lock_irqsave() //(2)\n (wait timer to stop)      |  ...\n\nWe hold ieee->beacon_lock in position (1) of thread 1 and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need ieee->beacon_lock in position (2) of thread 2.\nAs a result, ieee80211_beacons_stop() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irqsave(), which could let timer handler to obtain\nthe needed lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49305",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: host: Stop setting the ACPI companion\n\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\n\nAssigning the ACPI companion here resulted in the\nfwnode->secondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49306",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: synclink_gt: Fix null-pointer-dereference in slgt_clean()\n\nWhen the driver fails at alloc_hdlcdev(), and then we remove the driver\nmodule, we will get the following splat:\n\n[   25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI\n[   25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]\n[   25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0\n[   25.077709] Call Trace:\n[   25.077924]  <TASK>\n[   25.078108]  unregister_hdlc_device+0x16/0x30\n[   25.078481]  slgt_cleanup+0x157/0x9f0 [synclink_gt]\n\nFix this by checking whether the 'info->netdev' is a null pointer first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49307",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nextcon: Modify extcon device to be created after driver data is set\n\nCurrently, someone can invoke the sysfs such as state_show()\nintermittently before dev_set_drvdata() is done.\nAnd it can be a cause of kernel Oops because of edev is Null at that time.\nSo modified the driver registration to after setting drviver data.\n\n- Oops's backtrace.\n\nBacktrace:\n[<c067865c>] (state_show) from [<c05222e8>] (dev_attr_show)\n[<c05222c0>] (dev_attr_show) from [<c02c66e0>] (sysfs_kf_seq_show)\n[<c02c6648>] (sysfs_kf_seq_show) from [<c02c496c>] (kernfs_seq_show)\n[<c02c4938>] (kernfs_seq_show) from [<c025e2a0>] (seq_read)\n[<c025e11c>] (seq_read) from [<c02c50a0>] (kernfs_fop_read)\n[<c02c5064>] (kernfs_fop_read) from [<c0231cac>] (__vfs_read)\n[<c0231c5c>] (__vfs_read) from [<c0231ee0>] (vfs_read)\n[<c0231e34>] (vfs_read) from [<c0232464>] (ksys_read)\n[<c02323f0>] (ksys_read) from [<c02324fc>] (sys_read)\n[<c02324e4>] (sys_read) from [<c00091d0>] (__sys_trace_return)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49308",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()\n\nThere is a deadlock in rtw_surveydone_event_callback(),\nwhich is shown below:\n\n   (Thread 1)                  |      (Thread 2)\n                               | _set_timer()\nrtw_surveydone_event_callback()|  mod_timer()\n spin_lock_bh() //(1)          |  (wait a time)\n ...                           | rtw_scan_timeout_handler()\n del_timer_sync()              |  spin_lock_bh() //(2)\n (wait timer to stop)          |  ...\n\nWe hold pmlmepriv->lock in position (1) of thread 1 and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need pmlmepriv->lock in position (2) of thread 2.\nAs a result, rtw_surveydone_event_callback() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_bh(), which could let timer handler to obtain\nthe needed lock. What`s more, we change spin_lock_bh() in\nrtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,\nspin_lock_bh() will also cause deadlock() in timer handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49309",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: xillybus: fix a refcount leak in cleanup_dev()\n\nusb_get_dev is called in xillyusb_probe. So it is better to call\nusb_put_dev before xdev is released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49310",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()\n\nThere is a deadlock in rtw_joinbss_event_prehandle(), which is shown\nbelow:\n\n   (Thread 1)                |      (Thread 2)\n                             | _set_timer()\nrtw_joinbss_event_prehandle()|  mod_timer()\n spin_lock_bh() //(1)        |  (wait a time)\n ...                         | _rtw_join_timeout_handler()\n del_timer_sync()            |  spin_lock_bh() //(2)\n (wait timer to stop)        |  ...\n\nWe hold pmlmepriv->lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need pmlmepriv->lock in position (2) of thread 2.\nAs a result, rtw_joinbss_event_prehandle() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_bh(), which could let timer handler to obtain\nthe needed lock. What`s more, we change spin_lock_bh() to\nspin_lock_irq() in _rtw_join_timeout_handler() in order to\nprevent deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49311",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix a potential memory leak in r871xu_drv_init()\n\nIn r871xu_drv_init(), if r8712_init_drv_sw() fails, then the memory\nallocated by r8712_alloc_io_queue() in r8712_usb_dvobj_init() is not\nproperly released as there is no action will be performed by\nr8712_usb_dvobj_deinit().\nTo properly release it, we should call r8712_free_io_queue() in\nr8712_usb_dvobj_deinit().\n\nBesides, in r871xu_dev_remove(), r8712_usb_dvobj_deinit() will be called\nby r871x_dev_unload() under condition `padapter->bup` and\nr8712_free_io_queue() is called by r8712_free_drv_sw().\nHowever, r8712_usb_dvobj_deinit() does not rely on `padapter->bup` and\ncalling r8712_free_io_queue() in r8712_free_drv_sw() is negative for\nbetter understading the code.\nSo I move r8712_usb_dvobj_deinit() into r871xu_dev_remove(), and remove\nr8712_free_io_queue() from r8712_free_drv_sw().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49312",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: usb: host: Fix deadlock in oxu_bus_suspend()\n\nThere is a deadlock in oxu_bus_suspend(), which is shown below:\n\n   (Thread 1)              |      (Thread 2)\n                           | timer_action()\noxu_bus_suspend()          |  mod_timer()\n spin_lock_irq() //(1)     |  (wait a time)\n ...                       | oxu_watchdog()\n del_timer_sync()          |  spin_lock_irq() //(2)\n (wait timer to stop)      |  ...\n\nWe hold oxu->lock in position (1) of thread 1, and use\ndel_timer_sync() to wait timer to stop, but timer handler\nalso need oxu->lock in position (2) of thread 2. As a result,\noxu_bus_suspend() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irq(), which could let timer handler to obtain\nthe needed lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49313",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix a possible resource leak in icom_probe\n\nWhen pci_read_config_dword failed, call pci_release_regions() and\npci_disable_device() to recycle the resource previously allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49314",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()\n\nThere is a deadlock in rtllib_beacons_stop(), which is shown\nbelow:\n\n   (Thread 1)              |      (Thread 2)\n                           | rtllib_send_beacon()\nrtllib_beacons_stop()      |  mod_timer()\n spin_lock_irqsave() //(1) |  (wait a time)\n ...                       | rtllib_send_beacon_cb()\n del_timer_sync()          |  spin_lock_irqsave() //(2)\n (wait timer to stop)      |  ...\n\nWe hold ieee->beacon_lock in position (1) of thread 1 and\nuse del_timer_sync() to wait timer to stop, but timer handler\nalso need ieee->beacon_lock in position (2) of thread 2.\nAs a result, rtllib_beacons_stop() will block forever.\n\nThis patch extracts del_timer_sync() from the protection of\nspin_lock_irqsave(), which could let timer handler to obtain\nthe needed lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49315",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Don't hold the layoutget locks across multiple RPC calls\n\nWhen doing layoutget as part of the open() compound, we have to be\ncareful to release the layout locks before we can call any further RPC\ncalls, such as setattr(). The reason is that those calls could trigger\na recall, which could deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49316",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid infinite loop to flush node pages\n\nxfstests/generic/475 can give EIO all the time which give an infinite loop\nto flush node page like below. Let's avoid it.\n\n[16418.518551] Call Trace:\n[16418.518553]  ? dm_submit_bio+0x48/0x400\n[16418.518574]  ? submit_bio_checks+0x1ac/0x5a0\n[16418.525207]  __submit_bio+0x1a9/0x230\n[16418.525210]  ? kmem_cache_alloc+0x29e/0x3c0\n[16418.525223]  submit_bio_noacct+0xa8/0x2b0\n[16418.525226]  submit_bio+0x4d/0x130\n[16418.525238]  __submit_bio+0x49/0x310 [f2fs]\n[16418.525339]  ? bio_add_page+0x6a/0x90\n[16418.525344]  f2fs_submit_page_bio+0x134/0x1f0 [f2fs]\n[16418.525365]  read_node_page+0x125/0x1b0 [f2fs]\n[16418.525388]  __get_node_page.part.0+0x58/0x3f0 [f2fs]\n[16418.525409]  __get_node_page+0x2f/0x60 [f2fs]\n[16418.525431]  f2fs_get_dnode_of_data+0x423/0x860 [f2fs]\n[16418.525452]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[16418.525458]  ? __mod_memcg_state.part.0+0x2a/0x30\n[16418.525465]  ? __mod_memcg_lruvec_state+0x27/0x40\n[16418.525467]  ? __xa_set_mark+0x57/0x70\n[16418.525472]  f2fs_do_write_data_page+0x10e/0x7b0 [f2fs]\n[16418.525493]  f2fs_write_single_data_page+0x555/0x830 [f2fs]\n[16418.525514]  ? sysvec_apic_timer_interrupt+0x4e/0x90\n[16418.525518]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[16418.525523]  f2fs_write_cache_pages+0x303/0x880 [f2fs]\n[16418.525545]  ? blk_flush_plug_list+0x47/0x100\n[16418.525548]  f2fs_write_data_pages+0xfd/0x320 [f2fs]\n[16418.525569]  do_writepages+0xd5/0x210\n[16418.525648]  filemap_fdatawrite_wbc+0x7d/0xc0\n[16418.525655]  filemap_fdatawrite+0x50/0x70\n[16418.525658]  f2fs_sync_dirty_inodes+0xa4/0x230 [f2fs]\n[16418.525679]  f2fs_write_checkpoint+0x16d/0x1720 [f2fs]\n[16418.525699]  ? ttwu_do_wakeup+0x1c/0x160\n[16418.525709]  ? ttwu_do_activate+0x6d/0xd0\n[16418.525711]  ? 
__wait_for_common+0x11d/0x150\n[16418.525715]  kill_f2fs_super+0xca/0x100 [f2fs]\n[16418.525733]  deactivate_locked_super+0x3b/0xb0\n[16418.525739]  deactivate_super+0x40/0x50\n[16418.525741]  cleanup_mnt+0x139/0x190\n[16418.525747]  __cleanup_mnt+0x12/0x20\n[16418.525749]  task_work_run+0x6d/0xa0\n[16418.525765]  exit_to_user_mode_prepare+0x1ad/0x1b0\n[16418.525771]  syscall_exit_to_user_mode+0x27/0x50\n[16418.525774]  do_syscall_64+0x48/0xc0\n[16418.525776]  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49317",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove WARN_ON in f2fs_is_valid_blkaddr\n\nSyzbot triggers two WARNs in f2fs_is_valid_blkaddr and\n__is_bitmap_valid. For example, in f2fs_is_valid_blkaddr,\nif type is DATA_GENERIC_ENHANCE or DATA_GENERIC_ENHANCE_READ,\nit invokes WARN_ON if blkaddr is not in the right range.\nThe call trace is as follows:\n\n f2fs_get_node_info+0x45f/0x1070\n read_node_page+0x577/0x1190\n __get_node_page.part.0+0x9e/0x10e0\n __get_node_page\n f2fs_get_node_page+0x109/0x180\n do_read_inode\n f2fs_iget+0x2a5/0x58b0\n f2fs_fill_super+0x3b39/0x7ca0\n\nFix these two WARNs by replacing WARN_ON with dump_stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49318",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49319",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type\n\nIn zynqmp_dma_alloc/free_chan_resources functions there is a\npotential overflow in the below expressions.\n\ndma_alloc_coherent(chan->dev, (2 * chan->desc_size *\n\t\t   ZYNQMP_DMA_NUM_DESCS),\n\t\t   &chan->desc_pool_p, GFP_KERNEL);\n\ndma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) *\n                 ZYNQMP_DMA_NUM_DESCS),\n                chan->desc_pool_v, chan->desc_pool_p);\n\nThe arguments desc_size and ZYNQMP_DMA_NUM_DESCS were 32 bit. Though\nthis overflow condition is not observed but it is a potential problem\nin the case of 32-bit multiplication. Hence fix it by changing the\ndesc_size data type to size_t.\n\nIn addition to coverity fix it also reuse ZYNQMP_DMA_DESC_SIZE macro in\ndma_alloc_coherent API argument.\n\nAddresses-Coverity: Event overflow_before_widen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49320",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: treat all calls not a bcall when bc_serv is NULL\n\nWhen a rdma server returns a fault format reply, nfs v3 client may\ntreats it as a bcall when bc service is not exist.\n\nThe debug message at rpcrdma_bc_receive_call are,\n\n[56579.837169] RPC:       rpcrdma_bc_receive_call: callback XID\n00000001, length=20\n[56579.837174] RPC:       rpcrdma_bc_receive_call: 00 00 00 01 00 00 00\n00 00 00 00 00 00 00 00 00 00 00 00 04\n\nAfter that, rpcrdma_bc_receive_call will meets NULL pointer as,\n\n[  226.057890] BUG: unable to handle kernel NULL pointer dereference at\n00000000000000c8\n...\n[  226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20\n...\n[  226.059732] Call Trace:\n[  226.059878]  rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]\n[  226.060011]  __ib_process_cq+0x89/0x170 [ib_core]\n[  226.060092]  ib_cq_poll_work+0x26/0x80 [ib_core]\n[  226.060257]  process_one_work+0x1a7/0x360\n[  226.060367]  ? create_worker+0x1a0/0x1a0\n[  226.060440]  worker_thread+0x30/0x390\n[  226.060500]  ? create_worker+0x1a0/0x1a0\n[  226.060574]  kthread+0x116/0x130\n[  226.060661]  ? kthread_flush_work_fn+0x10/0x10\n[  226.060724]  ret_from_fork+0x35/0x40\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49321",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix sleeping function called from invalid context on RT kernel\n\nWhen setting bootparams=\"trace_event=initcall:initcall_start tp_printk=1\" in the\ncmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the\natomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,\nthese locks are replaced with sleepable rt-spinlock, so the stack calltrace will\nbe triggered.\nFix it by raw_spin_lock_irqsave when PREEMPT_RT and \"trace_event=initcall:initcall_start\ntp_printk=1\" enabled.\n\n BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n Preemption disabled at:\n [<ffffffff8992303e>] try_to_wake_up+0x7e/0xba0\n CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x60/0x8c\n  dump_stack+0x10/0x12\n  __might_resched.cold+0x11d/0x155\n  rt_spin_lock+0x40/0x70\n  trace_event_buffer_commit+0x2fa/0x4c0\n  ? map_vsyscall+0x93/0x93\n  trace_event_raw_event_initcall_start+0xbe/0x110\n  ? perf_trace_initcall_finish+0x210/0x210\n  ? probe_sched_wakeup+0x34/0x40\n  ? ttwu_do_wakeup+0xda/0x310\n  ? trace_hardirqs_on+0x35/0x170\n  ? map_vsyscall+0x93/0x93\n  do_one_initcall+0x217/0x3c0\n  ? trace_event_raw_event_initcall_level+0x170/0x170\n  ? push_cpu_stop+0x400/0x400\n  ? cblist_init_generic+0x241/0x290\n  kernel_init_freeable+0x1ac/0x347\n  ? _raw_spin_unlock_irq+0x65/0x80\n  ? rest_init+0xf0/0xf0\n  kernel_init+0x1e/0x150\n  ret_from_fork+0x22/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49322",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49323",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: cpc: Fix refcount leak in mips_cpc_default_phys_base\n\nAdd the missing of_node_put() to release the refcount incremented\nby of_find_compatible_node().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49324",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add accessors to read/set tp->snd_cwnd\n\nWe had various bugs over the years with code\nbreaking the assumption that tp->snd_cwnd is greater\nthan zero.\n\nLately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added\nin commit 8b8a321ff72c (\"tcp: fix zero cwnd in tcp_cwnd_reduction\")\ncan trigger, and without a repro we would have to spend\nconsiderable time finding the bug.\n\nInstead of complaining too late, we want to catch where\nand when tp->snd_cwnd is set to an illegal value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49325",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtl818x: Prevent using not initialized queues\n\nUsing not existing queues can panic the kernel with rtl8180/rtl8185 cards.\nIgnore the skb priority for those cards, they only have one tx queue. Pierre\nAsselin (pa@panix.com) reported the kernel crash in the Gentoo forum:\n\nhttps://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html\n\nHe also confirmed that this patch fixes the issue. In summary this happened:\n\nAfter updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a\n\"divide error: 0000\" when connecting to an AP. Control port tx now tries to\nuse IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in\n2.10.\n\nSince only the rtl8187se part of the driver supports QoS, the priority\nof the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185\ncards.\n\nrtl8180 is then unconditionally reading out the priority and finally crashes on\ndrivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this\npatch:\n\tidx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries\n\n\"ring->entries\" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got\ninitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49326",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: avoid journal no-space deadlock by reserving 1 journal bucket\n\nThe journal no-space deadlock was reported time to time. Such deadlock\ncan happen in the following situation.\n\nWhen all journal buckets are fully filled by active jset with heavy\nwrite I/O load, the cache set registration (after a reboot) will load\nall active jsets and inserting them into the btree again (which is\ncalled journal replay). If a journaled bkey is inserted into a btree\nnode and results btree node split, new journal request might be\ntriggered. For example, the btree grows one more level after the node\nsplit, then the root node record in cache device super block will be\nupgrade by bch_journal_meta() from bch_btree_set_root(). But there is no\nspace in journal buckets, the journal replay has to wait for new journal\nbucket to be reclaimed after at least one journal bucket replayed. This\nis one example that how the journal no-space deadlock happens.\n\nThe solution to avoid the deadlock is to reserve 1 journal bucket in\nrun time, and only permit the reserved journal bucket to be used during\ncache set registration procedure for things like journal replay. Then\nthe journal space will never be fully filled, there is no chance for\njournal no-space deadlock to happen anymore.\n\nThis patch adds a new member \"bool do_reserve\" in struct journal, it is\ninititalized to 0 (false) when struct journal is allocated, and set to\n1 (true) by bch_journal_space_reserve() when all initialization done in\nrun_cache_set(). In the run time when journal_reclaim() tries to\nallocate a new journal bucket, free_journal_buckets() is called to check\nwhether there are enough free journal buckets to use. If there is only\n1 free journal bucket and journal->do_reserve is 1 (true), the last\nbucket is reserved and free_journal_buckets() will return 0 to indicate\nno free journal bucket. 
Then journal_reclaim() will give up, and try\nnext time to see whetheer there is free journal bucket to allocate. By\nthis method, there is always 1 jouranl bucket reserved in run time.\n\nDuring the cache set registration, journal->do_reserve is 0 (false), so\nthe reserved journal bucket can be used to avoid the no-space deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49327",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix use-after-free by removing a non-RCU wcid pointer\n\nFixes an issue caught by KASAN about use-after-free in mt76_txq_schedule\nby protecting mtxq->wcid with rcu_lock between mt76_txq_schedule and\nsta_info_[alloc, free].\n\n[18853.876689] ==================================================================\n[18853.876751] BUG: KASAN: use-after-free in mt76_txq_schedule+0x204/0xaf8 [mt76]\n[18853.876773] Read of size 8 at addr ffffffaf989a2138 by task mt76-tx phy0/883\n[18853.876786]\n[18853.876810] CPU: 5 PID: 883 Comm: mt76-tx phy0 Not tainted 5.10.100-fix-510-56778d365941-kasan #5 0b01fbbcf41a530f52043508fec2e31a4215\n\n[18853.876840] Call trace:\n[18853.876861]  dump_backtrace+0x0/0x3ec\n[18853.876878]  show_stack+0x20/0x2c\n[18853.876899]  dump_stack+0x11c/0x1ac\n[18853.876918]  print_address_description+0x74/0x514\n[18853.876934]  kasan_report+0x134/0x174\n[18853.876948]  __asan_report_load8_noabort+0x44/0x50\n[18853.876976]  mt76_txq_schedule+0x204/0xaf8 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877002]  mt76_txq_schedule_all+0x2c/0x48 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877030]  mt7921_tx_worker+0xa0/0x1cc [mt7921_common f0875ebac9d7b4754e1010549e7db50fbd90a047]\n[18853.877054]  __mt76_worker_fn+0x190/0x22c [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]\n[18853.877071]  kthread+0x2f8/0x3b8\n[18853.877087]  ret_from_fork+0x10/0x30\n[18853.877098]\n[18853.877112] Allocated by task 941:\n[18853.877131]  kasan_save_stack+0x38/0x68\n[18853.877147]  __kasan_kmalloc+0xd4/0xfc\n[18853.877163]  kasan_kmalloc+0x10/0x1c\n[18853.877177]  __kmalloc+0x264/0x3c4\n[18853.877294]  sta_info_alloc+0x460/0xf88 [mac80211]\n[18853.877410]  ieee80211_prep_connection+0x204/0x1ee0 [mac80211]\n[18853.877523]  ieee80211_mgd_auth+0x6c4/0xa4c [mac80211]\n[18853.877635]  ieee80211_auth+0x20/0x2c [mac80211]\n[18853.877733]  rdev_auth+0x7c/0x438 [cfg80211]\n[18853.877826]  cfg80211_mlme_auth+0x26c/0x390 [cfg80211]\n[18853.877919]  nl80211_authenticate+0x6d4/0x904 [cfg80211]\n[18853.877938]  genl_rcv_msg+0x748/0x93c\n[18853.877954]  netlink_rcv_skb+0x160/0x2a8\n[18853.877969]  genl_rcv+0x3c/0x54\n[18853.877985]  netlink_unicast_kernel+0x104/0x1ec\n[18853.877999]  netlink_unicast+0x178/0x268\n[18853.878015]  netlink_sendmsg+0x3cc/0x5f0\n[18853.878030]  sock_sendmsg+0xb4/0xd8\n[18853.878043]  ____sys_sendmsg+0x2f8/0x53c\n[18853.878058]  ___sys_sendmsg+0xe8/0x150\n[18853.878071]  __sys_sendmsg+0xc4/0x1f4\n[18853.878087]  __arm64_compat_sys_sendmsg+0x88/0x9c\n[18853.878101]  el0_svc_common+0x1b4/0x390\n[18853.878115]  do_el0_svc_compat+0x8c/0xdc\n[18853.878131]  el0_svc_compat+0x10/0x1c\n[18853.878146]  el0_sync_compat_handler+0xa8/0xcc\n[18853.878161]  el0_sync_compat+0x188/0x1c0\n[18853.878171]\n[18853.878183] Freed by task 10927:\n[18853.878200]  kasan_save_stack+0x38/0x68\n[18853.878215]  kasan_set_track+0x28/0x3c\n[18853.878228]  kasan_set_free_info+0x24/0x48\n[18853.878244]  __kasan_slab_free+0x11c/0x154\n[18853.878259]  kasan_slab_free+0x14/0x24\n[18853.878273]  slab_free_freelist_hook+0xac/0x1b0\n[18853.878287]  kfree+0x104/0x390\n[18853.878402]  sta_info_free+0x198/0x210 [mac80211]\n[18853.878515]  __sta_info_destroy_part2+0x230/0x2d4 [mac80211]\n[18853.878628]  __sta_info_flush+0x300/0x37c [mac80211]\n[18853.878740]  ieee80211_set_disassoc+0x2cc/0xa7c [mac80211]\n[18853.878851]  ieee80211_mgd_deauth+0x4a4/0x10a0 [mac80211]\n[18853.878962]  ieee80211_deauth+0x20/0x2c [mac80211]\n[18853.879057]  rdev_deauth+0x7c/0x438 [cfg80211]\n[18853.879150]  cfg80211_mlme_deauth+0x274/0x414 [cfg80211]\n[18853.879243]  cfg80211_mlme_down+0xe4/0x118 [cfg80211]\n[18853.879335]  cfg80211_disconnect+0x218/0x2d8 [cfg80211]\n[18853.879427]  __cfg80211_leave+0x17c/0x240 [cfg80211]\n[18853.879519]  cfg80211_leave+0x3c/0x58 [cfg80211]\n[18853.879611]  wiphy_suspend+0xdc/0x200 [cfg80211]\n[18853.879628]  dpm_run_callback+0x58/0x408\n[18853.879642]  __device_suspend+0x4cc/0x864\n[18853.879658]  async_suspend+0x34/0xf4\n[18\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49328",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: Fix NULL pointer dereference on sysfs access\n\nThe control device has no drvdata. So we will get a\nNULL pointer dereference when accessing control\ndevice's msg_timeout attribute via sysfs:\n\n[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271)\n[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094)\n[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59)\n[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088)\n[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164)\n[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230)\n[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041)\n[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238)\n[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1))\n[ 132.876319][ T3644] kernel_read (fs/read_write.c:459)\n[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94)\n[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186)\n[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207)\n[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189)\n[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)\n[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)\n\nTo fix it, don't create the unneeded attribute for\ncontrol device anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49329",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_mtup_probe_success vs wrong snd_cwnd\n\nsyzbot got a new report [1] finally pointing to a very old bug,\nadded in initial support for MTU probing.\n\ntcp_mtu_probe() has checks about starting an MTU probe if\ntcp_snd_cwnd(tp) >= 11.\n\nBut nothing prevents tcp_snd_cwnd(tp) to be reduced later\nand before the MTU probe succeeds.\n\nThis bug would lead to potential zero-divides.\n\nDebugging added in commit 40570375356c (\"tcp: add accessors\nto read/set tp->snd_cwnd\") has paid off :)\n\nWhile we are at it, address potential overflows in this code.\n\n[1]\nWARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nModules linked in:\nCPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]\nRIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nCode: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff\nRSP: 0018:ffffc900079e70f8 EFLAGS: 00010287\nRAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000\nRDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f\nRBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520\nR10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50\nR13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000\nFS:  00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356\n tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861\n tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973\n tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x1d8/0x4c0 net/core/sock.c:2849\n release_sock+0x5d/0x1c0 net/core/sock.c:3404\n sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145\n tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410\n tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n __sys_sendto+0x439/0x5c0 net/socket.c:2119\n __do_sys_sendto net/socket.c:2131 [inline]\n __se_sys_sendto net/socket.c:2127 [inline]\n __x64_sys_sendto+0xda/0xf0 net/socket.c:2127\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f6431289109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109\nRDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a\nRBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49330",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling\n\nError paths do not free previously allocated memory. Add devm_kfree() to\nthose failure paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49331",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Address NULL pointer dereference after starget_to_rport()\n\nCalls to starget_to_rport() may return NULL.  Add check for NULL rport\nbefore dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49332",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-Switch, pair only capable devices\n\nOFFLOADS paring using devcom is possible only on devices\nthat support LAG. Filter based on lag capabilities.\n\nThis fixes an issue where mlx5_get_next_phys_dev() was\ncalled without holding the interface lock.\n\nThis issue was found when commit\nbc4c2f2e0179 (\"net/mlx5: Lag, filter non compatible devices\")\nadded an assert that verifies the interface lock is held.\n\nWARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nModules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]\nCPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nCode: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff <0f> 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff\nRSP: 0018:ffff88811bf47458 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001\nRDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78\nRBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437\nR10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000\nR13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428\nFS:  00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]\n mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]\n esw_offloads_enable+0x1153/0x1500 [mlx5_core]\n ? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]\n ? wait_for_completion_io_timeout+0x20/0x20\n ? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]\n mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]\n ? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]\n ? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]\n ? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]\n ? __debugfs_create_file+0x260/0x3e0\n mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]\n ? mutex_lock_io_nested+0x12c0/0x12c0\n ? esw_offloads_disable+0x250/0x250 [mlx5_core]\n ? devlink_nl_cmd_trap_get_dumpit+0x470/0x470\n ? rcu_read_lock_sched_held+0x3f/0x70\n devlink_nl_cmd_eswitch_set_doit+0x217/0x620",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49333",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: Fix xarray node memory leak\n\nIf xas_split_alloc() fails to allocate the necessary nodes to complete the\nxarray entry split, it sets the xa_state to -ENOMEM, which xas_nomem()\nthen interprets as \"Please allocate more memory\", not as \"Please free\nany unnecessary memory\" (which was the intended outcome).  It's confusing\nto use xas_nomem() to free memory in this context, so call xas_destroy()\ninstead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49334",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/cs: make commands with 0 chunks illegal behaviour.\n\nSubmitting a cs with 0 chunks, causes an oops later, found trying\nto execute the wrong userspace driver.\n\nMESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo\n\n[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8\n[172536.665188] #PF: supervisor read access in kernel mode\n[172536.665189] #PF: error_code(0x0000) - not-present page\n[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0\n[172536.665195] Oops: 0000 [#1] SMP NOPTI\n[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P           O      5.10.81 #1-NixOS\n[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015\n[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]\n[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10\n[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246\n[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68\n[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38\n[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40\n[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28\n[172536.665283] FS:  00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000\n[172536.665284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0\n[172536.665287] Call Trace:\n[172536.665322]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665332]  drm_ioctl_kernel+0xaa/0xf0 [drm]\n[172536.665338]  drm_ioctl+0x201/0x3b0 [drm]\n[172536.665369]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665372]  ? selinux_file_ioctl+0x135/0x230\n[172536.665399]  amdgpu_drm_ioctl+0x49/0x80 [amdgpu]\n[172536.665403]  __x64_sys_ioctl+0x83/0xb0\n[172536.665406]  do_syscall_64+0x33/0x40\n[172536.665409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49335",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/etnaviv: check for reaped mapping in etnaviv_iommu_unmap_gem\n\nWhen the mapping is already reaped the unmap must be a no-op, as we\nwould otherwise try to remove the mapping twice, corrupting the involved\ndata structures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49336",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: dlmfs: fix error handling of user_dlm_destroy_lock\n\nWhen user_dlm_destroy_lock failed, it didn't clean up the flags it set\nbefore exit.  For USER_LOCK_IN_TEARDOWN, if this function fails because of\nlock is still in used, next time when unlink invokes this function, it\nwill return succeed, and then unlink will remove inode and dentry if lock\nis not in used(file closed), but the dlm lock is still linked in dlm lock\nresource, then when bast come in, it will trigger a panic due to\nuser-after-free.  See the following panic call trace.  To fix this,\nUSER_LOCK_IN_TEARDOWN should be reverted if fail.  And also error should\nbe returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink\nfail.\n\nFor the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,\nUSER_LOCK_BUSY is also required to be cleared.  Even though spin lock is\nreleased in between, but USER_LOCK_IN_TEARDOWN is still set, for\nUSER_LOCK_BUSY, if before every place that waits on this flag,\nUSER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow\nwaits on the busy flag set by user_dlm_destroy_lock(), then we can\nsimplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails.  Fix\nuser_dlm_cluster_lock() which is the only function not following this.\n\n[  941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink\n004fb0000060000b5a90b8c847b72e1, error -16 from destroy\n[  989.757536] ------------[ cut here ]------------\n[  989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!\n[  989.757876] invalid opcode: 0000 [#1] SMP\n[  989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)\nksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc\nxen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5\nauth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs\nocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc\nfcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc\nrds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad\nrdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)\nmlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad\nib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support\npcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si\nipmi_msghandler\n[  989.760686]  ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp\npps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel\nbe2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio\nlibiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi\ndm_mirror dm_region_hash dm_log dm_mod [last unloaded:\nksplice_2zhuk2jr_ib_ipoib_old]\n[  989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P           OE\n4.1.12-124.57.1.el6uek.x86_64 #2\n[  989.762290] Hardware name: Oracle Corporation ORACLE SERVER\nX5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021\n[  989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:\nffff88017f7c8000\n[  989.762848] RIP: e030:[<ffffffffc07d4316>]  [<ffffffffc07d4316>]\n__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]\n[  989.763185] RSP: e02b:ffff88017f7cbcb8  EFLAGS: 00010246\n[  989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:\n0000000000000003\n[  989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:\nffff880174d48170\n[  989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:\n0000000000000000\n[  989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:\nffff880174d48008\n[  989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:\nffff88021db7a000\n[  989.764422] FS:  0000000000000000(0000) GS:ffff880247480000(0000)\nknlGS:ffff880247480000\n[  989.764685] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:\n0000000000042660\n[  989.765081] Stack:\n[  989.765167]  00000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49337",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT: Fix cleanup of CT before cleanup of TC ct rules\n\nCT cleanup assumes that all tc rules were deleted first, and so\nis free to delete the CT shared resources (e.g the dr_action\nfwd_action which is shared for all tuples). But currently for\nuplink, this is happens in reverse, causing the below trace.\n\nCT cleanup is called from:\nmlx5e_cleanup_rep_tx()->mlx5e_cleanup_uplink_rep_tx()->\nmlx5e_rep_tc_cleanup()->mlx5e_tc_esw_cleanup()->\nmlx5_tc_ct_clean()\n\nOnly afterwards, tc cleanup is called from:\nmlx5e_cleanup_rep_tx()->mlx5e_tc_ht_cleanup()\nwhich would have deleted all the tc ct rules, and so delete\nall the offloaded tuples.\n\nFix this reversing the order of init and on cleanup, which\nwill result in tc cleanup then ct cleanup.\n\n[ 9443.593347] WARNING: CPU: 2 PID: 206774 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593349] Modules linked in: act_ct nf_flow_table rdma_ucm(O) rdma_cm(O) iw_cm(O) ib_ipoib(O) ib_cm(O) ib_umad(O) mlx5_core(O-) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) psample ib_core(O) mlx_compat(O) ip_gre gre ip_tunnel act_vlan bonding geneve esp6_offload esp6 esp4_offload esp4 act_tunnel_key vxlan ip6_udp_tunnel udp_tunnel act_mirred act_skbedit act_gact cls_flower sch_ingress nfnetlink_cttimeout nfnetlink xfrm_user xfrm_algo 8021q garp stp ipmi_devintf mrp ipmi_msghandler llc openvswitch nsh nf_conncount nf_nat mst_pciconf(O) dm_multipath sbsa_gwdt uio_pdrv_genirq uio mlxbf_pmc mlxbf_pka mlx_trio mlx_bootctl(O) bluefield_edac sch_fq_codel ip_tables ipv6 crc_ccitt btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq raid1 raid0 crct10dif_ce i2c_mlxbf gpio_mlxbf2 mlxbf_gige aes_neon_bs aes_neon_blk [last unloaded: mlx5_ib]\n[ 9443.593419] CPU: 2 PID: 206774 Comm: modprobe Tainted: G           O      5.4.0-1023.24.gc14613d-bluefield #1\n[ 9443.593422] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:143ebaf Jan 11 2022\n[ 9443.593424] pstate: 20000005 (nzCv daif -PAN -UAO)\n[ 9443.593489] pc : mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593545] lr : mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]\n[ 9443.593546] sp : ffff8000135dbab0\n[ 9443.593548] x29: ffff8000135dbab0 x28: ffff0003a6ab8e80\n[ 9443.593550] x27: 0000000000000000 x26: ffff0003e07d7000\n[ 9443.593552] x25: ffff800009609de0 x24: ffff000397fb2120\n[ 9443.593554] x23: ffff0003975c0000 x22: 0000000000000000\n[ 9443.593556] x21: ffff0003975f08c0 x20: ffff800009609de0\n[ 9443.593558] x19: ffff0003c8a13380 x18: 0000000000000014\n[ 9443.593560] x17: 0000000067f5f125 x16: 000000006529c620\n[ 9443.593561] x15: 000000000000000b x14: 0000000000000000\n[ 9443.593563] x13: 0000000000000002 x12: 0000000000000001\n[ 9443.593565] x11: ffff800011108868 x10: 0000000000000000\n[ 9443.593567] x9 : 0000000000000000 x8 : ffff8000117fb270\n[ 9443.593569] x7 : ffff0003ebc01288 x6 : 0000000000000000\n[ 9443.593571] x5 : ffff800009591ab8 x4 : fffffe000f6d9a20\n[ 9443.593572] x3 : 0000000080040001 x2 : fffffe000f6d9a20\n[ 9443.593574] x1 : ffff8000095901d8 x0 : 0000000000000025\n[ 9443.593577] Call trace:\n[ 9443.593634]  mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]\n[ 9443.593688]  mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]\n[ 9443.593743]  mlx5_tc_ct_clean+0x34/0xa8 [mlx5_core]\n[ 9443.593797]  mlx5e_tc_esw_cleanup+0x58/0x88 [mlx5_core]\n[ 9443.593851]  mlx5e_rep_tc_cleanup+0x24/0x30 [mlx5_core]\n[ 9443.593905]  mlx5e_cleanup_rep_tx+0x6c/0x78 [mlx5_core]\n[ 9443.593959]  mlx5e_detach_netdev+0x74/0x98 [mlx5_core]\n[ 9443.594013]  mlx5e_netdev_change_profile+0x70/0x180 [mlx5_core]\n[ 9443.594067]  mlx5e_netdev_attach_nic_profile+0x34/0x40 [mlx5_core]\n[ 9443.594122]  mlx5e_vport_rep_unload+0x15c/0x1a8 [mlx5_core]\n[ 9443.594177]  mlx5_eswitch_unregister_vport_reps+0x228/0x298 [mlx5_core]\n[ 9443.594231]  mlx5e_rep_remove+0x2c/0x38\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49338",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: unexport __init-annotated seg6_hmac_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n  - Remove __init\n  - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the caller (net/ipv6/seg6.c)\nand the callee (net/ipv6/seg6_hmac.c) belong to the same module.\nIt seems an internal function call in ipv6.ko.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49339",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_gre: test csum_start instead of transport header\n\nGRE with TUNNEL_CSUM will apply local checksum offload on\nCHECKSUM_PARTIAL packets.\n\nipgre_xmit must validate csum_start after an optional skb_pull,\nelse lco_csum may trigger an overflow. The original check was\n\n\tif (csum && skb_checksum_start(skb) < skb->data)\n\t\treturn -EINVAL;\n\nThis had false positives when skb_checksum_start is undefined:\nwhen ip_summed is not CHECKSUM_PARTIAL. A discussed refinement\nwas straightforward\n\n\tif (csum && skb->ip_summed == CHECKSUM_PARTIAL &&\n\t    skb_checksum_start(skb) < skb->data)\n\t\treturn -EINVAL;\n\nBut was eventually revised more thoroughly:\n- restrict the check to the only branch where needed, in an\n  uncommon GRE path that uses header_ops and calls skb_pull.\n- test skb_transport_header, which is set along with csum_start\n  in skb_partial_csum_set in the normal header_ops datapath.\n\nTurns out skbs can arrive in this branch without the transport\nheader set, e.g., through BPF redirection.\n\nRevise the check back to check csum_start directly, and only if\nCHECKSUM_PARTIAL. Do leave the check in the updated location.\nCheck field regardless of whether TUNNEL_CSUM is configured.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49340",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Clear prog->jited_len along prog->jited\n\nsyzbot reported an illegal copy_to_user() attempt\nfrom bpf_prog_get_info_by_fd() [1]\n\nThere was no repro yet on this bug, but I think\nthat commit 0aef499f3172 (\"mm/usercopy: Detect vmalloc overruns\")\nis exposing a prior bug in bpf arm64.\n\nbpf_prog_get_info_by_fd() looks at prog->jited_len\nto determine if the JIT image can be copied out to user space.\n\nMy theory is that syzbot managed to get a prog where prog->jited_len\nhas been set to 43, while prog->bpf_func has ben cleared.\n\nIt is not clear why copy_to_user(uinsns, NULL, ulen) is triggering\nthis particular warning.\n\nI thought find_vma_area(NULL) would not find a vm_struct.\nAs we do not hold vmap_area_lock spinlock, it might be possible\nthat the found vm_struct was garbage.\n\n[1]\nusercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!\nkernel BUG at mm/usercopy.c:101!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0\nHardware name: linux,dummy-virt (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:101\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:89\nsp : ffff80000b773a20\nx29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48\nx26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000\nx23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001\nx20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd\nx17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420\nx14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031\nx11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865\nx8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830\nx5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064\nCall trace:\n usercopy_abort+0x90/0x94 mm/usercopy.c:89\n check_heap_object mm/usercopy.c:186 [inline]\n __check_object_size mm/usercopy.c:252 [inline]\n __check_object_size+0x198/0x36c mm/usercopy.c:214\n check_object_size include/linux/thread_info.h:199 [inline]\n check_copy_size include/linux/thread_info.h:235 [inline]\n copy_to_user include/linux/uaccess.h:159 [inline]\n bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993\n bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253\n __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956\n __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]\n __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52\n el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142\n do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206\n el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624\n el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581\nCode: aa0003e3 d00038c0 91248000 97fff65f (d4210000)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49341",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: bgmac: Fix refcount leak in bcma_mdio_mii_register\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented; we should use of_node_put() on it when it is no longer needed.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49342",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid cycles in directory h-tree\n\nA maliciously corrupted filesystem can contain cycles in the h-tree\nstored inside a directory. That can easily lead to the kernel corrupting\ntree nodes that were already verified under its hands while doing a node\nsplit and consequently accessing unallocated memory. Fix the problem by\nverifying traversed block numbers are unique.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49343",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix a data-race in unix_dgram_peer_wake_me().\n\nunix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s\nlock held and checks if its receive queue is full.  Here we need to\nuse unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise\nKCSAN will report a data-race.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49344",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xfrm: unexport __init-annotated xfrm4_protocol_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn about it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n  - Remove __init\n  - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\nnet/ipv4/xfrm4_policy.c is never compiled as modular.\n(CONFIG_XFRM is boolean)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49345",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list\n\nEvery iteration of for_each_available_child_of_node() decrements\nthe reference count of the previous node.\nWhen breaking early from a for_each_available_child_of_node() loop,\nwe need to explicitly call of_node_put() on the gphy_fw_np.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49346",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in ext4_writepages\n\nWe got the issue as follows:\nEXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls\n------------[ cut here ]------------\nkernel BUG at fs/ext4/inode.c:2708!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155\nRIP: 0010:ext4_writepages+0x1977/0x1c10\nRSP: 0018:ffff88811d3e7880 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000\nRDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002\nRBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000\nR10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001\nR13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028\nFS:  00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n do_writepages+0x130/0x3a0\n filemap_fdatawrite_wbc+0x83/0xa0\n filemap_flush+0xab/0xe0\n ext4_alloc_da_blocks+0x51/0x120\n __ext4_ioctl+0x1534/0x3210\n __x64_sys_ioctl+0x12c/0x170\n do_syscall_64+0x3b/0x90\n\nIt may happen as follows:\n1. write inline_data inode\nvfs_write\n  new_sync_write\n    ext4_file_write_iter\n      ext4_buffered_write_iter\n        generic_perform_write\n          ext4_da_write_begin\n            ext4_da_write_inline_data_begin -> If inline data size too\n            small will allocate block to write, then the mapping will have a\n            dirty page\n                ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA\n2. fallocate\ndo_vfs_ioctl\n  ioctl_preallocate\n    vfs_fallocate\n      ext4_fallocate\n        ext4_convert_inline_data\n          ext4_convert_inline_data_nolock\n            ext4_map_blocks -> fail will goto restore data\n            ext4_restore_inline_data\n              ext4_create_inline_data\n              ext4_write_inline_data\n              ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA\n3. writepages\n__ext4_ioctl\n  ext4_alloc_da_blocks\n    filemap_flush\n      filemap_fdatawrite_wbc\n        do_writepages\n          ext4_writepages\n            if (ext4_has_inline_data(inode))\n              BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))\n\nThe root cause of this issue is that we destroy inline data until we call\next4_writepages under delayed allocation mode.  But there may already\nbe a conversion from inline to extent.  To solve this issue, we call\nfilemap_flush first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49347",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filter out EXT4_FC_REPLAY from on-disk superblock field s_state\n\nThe EXT4_FC_REPLAY bit in sbi->s_mount_state is used to indicate that\nwe are in the middle of replay the fast commit journal.  This was\nactually a mistake, since the sbi->s_mount_info is initialized from\nes->s_state.  Arguably s_mount_state is misleadingly named, but the\nname is historical --- s_mount_state and s_state dates back to ext2.\n\nWhat should have been used is the ext4_{set,clear,test}_mount_flag()\ninline functions, which sets EXT4_MF_* bits in sbi->s_mount_flags.\n\nThe problem with using EXT4_FC_REPLAY is that a maliciously corrupted\nsuperblock could result in EXT4_FC_REPLAY getting set in\ns_mount_state.  This bypasses some sanity checks, and this can trigger\na BUG() in ext4_es_cache_extent().  As an easy-to-backport fix, filter\nout the EXT4_FC_REPLAY bit for now.  We should eventually transition\naway from EXT4_FC_REPLAY to something like EXT4_MF_REPLAY.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49348",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_rename_dir_prepare\n\nWe got the issue as follows:\nEXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue\next4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478\next4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000\next4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae\n==================================================================\nBUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220\nRead of size 4 at addr ffff88810beee6ae by task rep/1895\n\nCPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241\nCall Trace:\n dump_stack+0xbe/0xf9\n print_address_description.constprop.0+0x1e/0x220\n kasan_report.cold+0x37/0x7f\n ext4_rename_dir_prepare+0x152/0x220\n ext4_rename+0xf44/0x1ad0\n ext4_rename2+0x11c/0x170\n vfs_rename+0xa84/0x1440\n do_renameat2+0x683/0x8f0\n __x64_sys_renameat+0x53/0x60\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\nRIP: 0033:0x7f45a6fc41c9\nRSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9\nRDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005\nRBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080\nR10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0\nR13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000\n\nThe buggy address belongs to the page:\npage:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee\nflags: 0x200000000000000()\nraw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000\nraw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                                  ^\n ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n==================================================================\nDisabling lock debugging due to kernel taint\next4_rename_dir_prepare: [2] parent_de->inode=3537895424\next4_rename_dir_prepare: [3] dir=0xffff888124170140\next4_rename_dir_prepare: [4] ino=2\next4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872\n\nThe reason is that the first directory entry's 'rec_len' is 34478, so we get an illegal\nparent entry. Currently, we do not check the directory entry after reading the directory block\nin 'ext4_get_first_dir_block'.\nTo solve this issue, check the directory entry in 'ext4_get_first_dir_block'.\n\n[ Trigger an ext4_error() instead of just warning if the directory is\n  missing a '.' or '..' entry.   Also make sure we return an error code\n  if the file system is corrupted.  -TYT ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49349",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: unexport __init-annotated mdio_bus_init()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn about it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n  - Remove __init\n  - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\ndrivers/net/phy/phy_device.c is never compiled as modular.\n(CONFIG_PHYLIB is boolean)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49350",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera: Fix refcount leak in altera_tse_mdio_create\n\nEvery iteration of for_each_child_of_node() decrements\nthe reference count of the previous node.\nWhen breaking from a for_each_child_of_node() loop,\nwe need to explicitly call of_node_put() on the child node when it is\nno longer needed.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49351",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix warning in ext4_handle_inode_extension\n\nWe got the issue as follows:\nEXT4-fs error (device loop0) in ext4_reserve_inode_write:5741: Out of memory\nEXT4-fs error (device loop0): ext4_setattr:5462: inode #13: comm syz-executor.0: mark_inode_dirty error\nEXT4-fs error (device loop0) in ext4_setattr:5519: Out of memory\nEXT4-fs error (device loop0): ext4_ind_map_blocks:595: inode #13: comm syz-executor.0: Can't allocate blocks for non-extent mapped inodes with bigalloc\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 4361 at fs/ext4/file.c:301 ext4_file_write_iter+0x11c9/0x1220\nModules linked in:\nCPU: 1 PID: 4361 Comm: syz-executor.0 Not tainted 5.10.0+ #1\nRIP: 0010:ext4_file_write_iter+0x11c9/0x1220\nRSP: 0018:ffff924d80b27c00 EFLAGS: 00010282\nRAX: ffffffff815a3379 RBX: 0000000000000000 RCX: 000000003b000000\nRDX: ffff924d81601000 RSI: 00000000000009cc RDI: 00000000000009cd\nRBP: 000000000000000d R08: ffffffffbc5a2c6b R09: 0000902e0e52a96f\nR10: ffff902e2b7c1b40 R11: ffff902e2b7c1b40 R12: 000000000000000a\nR13: 0000000000000001 R14: ffff902e0e52aa10 R15: ffffffffffffff8b\nFS:  00007f81a7f65700(0000) GS:ffff902e3bc80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffff600400 CR3: 000000012db88001 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n do_iter_readv_writev+0x2e5/0x360\n do_iter_write+0x112/0x4c0\n do_pwritev+0x1e5/0x390\n __x64_sys_pwritev2+0x7e/0xa0\n do_syscall_64+0x37/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe above issue may happen as follows:\nAssume\ninode.i_size=4096\nEXT4_I(inode)->i_disksize=4096\n\nstep 1: set inode->i_isize = 8192\next4_setattr\n  if (attr->ia_size != inode->i_size)\n    EXT4_I(inode)->i_disksize = attr->ia_size;\n    rc = ext4_mark_inode_dirty\n       ext4_reserve_inode_write\n          ext4_get_inode_loc\n            __ext4_get_inode_loc\n              sb_getblk --> return -ENOMEM\n   ...\n   if (!error)  ->will not update i_size\n     i_size_write(inode, attr->ia_size);\nNow:\ninode.i_size=4096\nEXT4_I(inode)->i_disksize=8192\n\nstep 2: Direct write 4096 bytes\next4_file_write_iter\n ext4_dio_write_iter\n   iomap_dio_rw ->return error\n if (extend)\n   ext4_handle_inode_extension\n     WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize);\n->Then the warning is triggered.\n\nTo solve the above issue, if marking the inode dirty failed in ext4_setattr, just\nset 'EXT4_I(inode)->i_disksize' to the old value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49352",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: don't request stats with a '0' sized stats buffer\n\nSachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being\nreported with vPMEM when papr_scm probe is being called. The panic is of the\nform below and is observed only with following option disabled(profile) for the\nsaid LPAR 'Enable Performance Information Collection' in the HMC:\n\n Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on write at 0x0000001c\n Faulting instruction address: 0xc008000001b90844\n Oops: Kernel access of bad area, sig: 11 [#1]\n<snip>\n NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]\n LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]\n Call Trace:\n       0xc00000000941bca0 (unreliable)\n       papr_scm_probe+0x2ac/0x6ec [papr_scm]\n       platform_probe+0x98/0x150\n       really_probe+0xfc/0x510\n       __driver_probe_device+0x17c/0x230\n<snip>\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n\nOn investigation it looks like this panic was caused due to a 'stat_buffer' of\nsize==0 being provided to drc_pmem_query_stats() to fetch all performance\nstats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called\nsince the vPMEM NVDIMM doesn't support any performance stat-ids. This was caused\nby a missing check for 'p->stat_buffer_len' at the beginning of\npapr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support\nperformance-stats.\n\nFix this by introducing the check for 'p->stat_buffer_len' at the beginning of\npapr_scm_pmu_check_events().\n\n[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49353",
          "detail": "fixed-version",
          "description": "Fixed from version 5.18.4"
        },
        {
          "id": "CVE-2022-49354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe\n\nof_find_device_by_node() takes a reference; we should use put_device()\nto release it when it is no longer needed.\nAdd missing put_device() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49354",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Trap RDMA segment overflows\n\nPrevent svc_rdma_build_writes() from walking off the end of a Write\nchunk's segment array. Caught with KASAN.\n\nThe test that this fix replaces is invalid, and might have been left\nover from an earlier prototype of the PCL work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49356",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Do not import certificates from UEFI Secure Boot for T2 Macs\n\nOn Apple T2 Macs, when Linux attempts to read the db and dbx efi variables\nat early boot to load UEFI Secure Boot certificates, a page fault occurs\nin Apple firmware code and EFI runtime services are disabled with the\nfollowing logs:\n\n[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000\nWARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0\n(Removed some logs from here)\nCall Trace:\n <TASK>\n page_fault_oops+0x4f/0x2c0\n ? search_bpf_extables+0x6b/0x80\n ? search_module_extables+0x50/0x80\n ? search_exception_tables+0x5b/0x60\n kernelmode_fixup_or_oops+0x9e/0x110\n __bad_area_nosemaphore+0x155/0x190\n bad_area_nosemaphore+0x16/0x20\n do_kern_addr_fault+0x8c/0xa0\n exc_page_fault+0xd8/0x180\n asm_exc_page_fault+0x1e/0x30\n(Removed some logs from here)\n ? __efi_call+0x28/0x30\n ? switch_mm+0x20/0x30\n ? efi_call_rts+0x19a/0x8e0\n ? process_one_work+0x222/0x3f0\n ? worker_thread+0x4a/0x3d0\n ? kthread+0x17a/0x1a0\n ? process_one_work+0x3f0/0x3f0\n ? set_kthread_struct+0x40/0x40\n ? ret_from_fork+0x22/0x30\n </TASK>\n---[ end trace 1f82023595a5927f ]---\nefi: Froze efi_rts_wq and disabled EFI Runtime Services\nintegrity: Couldn't get size: 0x8000000000000015\nintegrity: MODSIGN: Couldn't get UEFI db list\nefi: EFI Runtime Services are disabled!\nintegrity: Couldn't get size: 0x8000000000000015\nintegrity: Couldn't get UEFI dbx list\nintegrity: Couldn't get size: 0x8000000000000015\nintegrity: Couldn't get mokx list\nintegrity: Couldn't get size: 0x80000000\n\nSo we avoid reading these UEFI variables and thus prevent the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49357",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: memleak flow rule from commit path\n\nThe abort path releases the flow rule object; however, the commit path does not.\nUpdate code to destroy these objects before releasing the transaction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49358",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Job should reference MMU not file_priv\n\nFor a while now it's been allowed for a MMU context to outlive its\ncorresponding panfrost_priv, however the job structure still references\npanfrost_priv to get hold of the MMU context. If panfrost_priv has been\nfreed this is a use-after-free which I've been able to trigger resulting\nin a splat.\n\nTo fix this, drop the reference to panfrost_priv in the job structure\nand add a direct reference to the MMU structure which is what's actually\nneeded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49359",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on total_data_blocks\n\nAs Yanming reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215916\n\nThe kernel message is shown below:\n\nkernel BUG at fs/f2fs/segment.c:2560!\nCall Trace:\n allocate_segment_by_default+0x228/0x440\n f2fs_allocate_data_block+0x13d1/0x31f0\n do_write_page+0x18d/0x710\n f2fs_outplace_write_data+0x151/0x250\n f2fs_do_write_data_page+0xef9/0x1980\n move_data_page+0x6af/0xbc0\n do_garbage_collect+0x312f/0x46f0\n f2fs_gc+0x6b0/0x3bc0\n f2fs_balance_fs+0x921/0x2260\n f2fs_write_single_data_page+0x16be/0x2370\n f2fs_write_cache_pages+0x428/0xd00\n f2fs_write_data_pages+0x96e/0xd50\n do_writepages+0x168/0x550\n __writeback_single_inode+0x9f/0x870\n writeback_sb_inodes+0x47d/0xb20\n __writeback_inodes_wb+0xb2/0x200\n wb_writeback+0x4bd/0x660\n wb_workfn+0x5f3/0xab0\n process_one_work+0x79f/0x13e0\n worker_thread+0x89/0xf60\n kthread+0x26a/0x300\n ret_from_fork+0x22/0x30\nRIP: 0010:new_curseg+0xe8d/0x15f0\n\nThe root cause is: ckpt.valid_block_count is inconsistent with SIT table,\nstat info indicates filesystem has free blocks, but SIT table indicates\nfilesystem has no free segment.\n\nSo that during garbage collection, it triggers panic when LFS allocator\nfails to find free segment.\n\nThis patch tries to fix this issue by checking consistency in between\nckpt.valid_block_count and block accounted from SIT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49360",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check for inline inode\n\nYanming reported a kernel bug in Bugzilla kernel [1], which can be\nreproduced. The bug message is:\n\nThe kernel message is shown below:\n\nkernel BUG at fs/inode.c:611!\nCall Trace:\n evict+0x282/0x4e0\n __dentry_kill+0x2b2/0x4d0\n dput+0x2dd/0x720\n do_renameat2+0x596/0x970\n __x64_sys_rename+0x78/0x90\n do_syscall_64+0x3b/0x90\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=215895\n\nThe bug is due to a fuzzed inode having both inline_data and encrypted flags.\nDuring f2fs_evict_inode(), as the inode was deleted by rename(), it\nwill cause inline data conversion due to conflicting flags. The page\ncache will be polluted and the panic will be triggered in clear_inode().\n\nTry fixing the bug by doing more sanity checks for inline data inode in\nsanity_check_inode().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49361",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix potential use-after-free in nfsd_file_put()\n\nnfsd_file_put_noref() can free @nf, so don't dereference @nf\nimmediately upon return from nfsd_file_put_noref().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49362",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on block address in f2fs_do_zero_range()\n\nAs Yanming reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215894\n\nI have encountered a bug in F2FS file system in kernel v5.17.\n\nI have uploaded the system call sequence as case.c, and a fuzzed image can\nbe found in google net disk\n\nThe kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can\nreproduce the bug by running the following commands:\n\nkernel BUG at fs/f2fs/segment.c:2291!\nCall Trace:\n f2fs_invalidate_blocks+0x193/0x2d0\n f2fs_fallocate+0x2593/0x4a70\n vfs_fallocate+0x2a5/0xac0\n ksys_fallocate+0x35/0x70\n __x64_sys_fallocate+0x8e/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is, after image was fuzzed, block mapping info in inode\nwill be inconsistent with SIT table, so in f2fs_fallocate(), it will cause\npanic when updating SIT with invalid blkaddr.\n\nLet's fix the issue by adding sanity check on block address before updating\nSIT table with it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49363",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to clear dirty inode in f2fs_evict_inode()\n\nAs Yanming reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215904\n\nThe kernel message is shown below:\n\nkernel BUG at fs/f2fs/inode.c:825!\nCall Trace:\n evict+0x282/0x4e0\n __dentry_kill+0x2b2/0x4d0\n shrink_dentry_list+0x17c/0x4f0\n shrink_dcache_parent+0x143/0x1e0\n do_one_tree+0x9/0x30\n shrink_dcache_for_umount+0x51/0x120\n generic_shutdown_super+0x5c/0x3a0\n kill_block_super+0x90/0xd0\n kill_f2fs_super+0x225/0x310\n deactivate_locked_super+0x78/0xc0\n cleanup_mnt+0x2b7/0x480\n task_work_run+0xc8/0x150\n exit_to_user_mode_prepare+0x14a/0x150\n syscall_exit_to_user_mode+0x1d/0x40\n do_syscall_64+0x48/0x90\n\nThe root cause is: inode node and dnode node share the same nid,\nso during f2fs_evict_inode(), dnode node truncation will invalidate\nits NAT entry, so when truncating inode node, it fails due to\ninvalid NAT entry, result in inode is still marked as dirty, fix\nthis issue by clearing dirty for inode and setting SBI_NEED_FSCK\nflag in filesystem.\n\noutput from dump.f2fs:\n[print_node_info: 354] Node ID [0xf:15] is inode\ni_nid[0]                      \t\t[0x       f : 15]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49364",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()\n\nThe > ARRAY_SIZE() should be >= ARRAY_SIZE() to prevent an out of bounds\naccess.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49365",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix reference count leak in smb_check_perm_dacl()\n\nThe issue happens in a specific path in smb_check_perm_dacl(). When\n\"id\" and \"uid\" have the same value, the function simply jumps out of\nthe loop without decrementing the reference count of the object\n\"posix_acls\", which is increased by get_acl() earlier. This may\nresult in memory leaks.\n\nFix it by decreasing the reference count of \"posix_acls\" before\njumping to label \"check_access_bits\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49366",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\n\nmv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().\nWe don't need the device node after it.\n\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49367",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()\n\nThe \"fsp->location\" variable comes from user via ethtool_get_rxnfc().\nCheck that it is valid to prevent an out of bounds read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49368",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namt: fix possible memory leak in amt_rcv()\n\nIf an amt receives packets and it finds socket.\nIf it can't find a socket, it should free a received skb.\nBut it doesn't.\nSo, a memory leak would possibly occur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49369",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\n\n   If this function returns an error, kobject_put() must be called to\n   properly clean up the memory associated with the object.\n\nFix this issue by calling kobject_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49370",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix deadlock in __device_attach\n\nIn __device_attach function, The lock holding logic is as follows:\n...\n__device_attach\ndevice_lock(dev)      // get lock dev\n  async_schedule_dev(__device_attach_async_helper, dev); // func\n    async_schedule_node\n      async_schedule_node_domain(func)\n        entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC);\n\t/* when fail or work limit, sync to execute func, but\n\t   __device_attach_async_helper will get lock dev as\n\t   well, which will lead to A-A deadlock.  */\n\tif (!entry || atomic_read(&entry_count) > MAX_WORK) {\n\t  func;\n\telse\n\t  queue_work_node(node, system_unbound_wq, &entry->work)\n  device_unlock(dev)\n\nAs shown above, when it is allowed to do async probes, because of\nout of memory or work limit, async work is not allowed, to do\nsync execute instead. it will lead to A-A deadlock because of\n__device_attach_async_helper getting lock dev.\n\nTo fix the deadlock, move the async_schedule_dev outside device_lock,\nas we can see, in async_schedule_node_domain, the parameter of\nqueue_work_node is system_unbound_wq, so it can accept concurrent\noperations. which will also not change the code logic, and will\nnot lead to deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49371",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: tcp_rtx_synack() can be called from process context\n\nLaurent reported the enclosed report [1]\n\nThis bug triggers with following coditions:\n\n0) Kernel built with CONFIG_DEBUG_PREEMPT=y\n\n1) A new passive FastOpen TCP socket is created.\n   This FO socket waits for an ACK coming from client to be a complete\n   ESTABLISHED one.\n2) A socket operation on this socket goes through lock_sock()\n   release_sock() dance.\n3) While the socket is owned by the user in step 2),\n   a retransmit of the SYN is received and stored in socket backlog.\n4) At release_sock() time, the socket backlog is processed while\n   in process context.\n5) A SYNACK packet is cooked in response of the SYN retransmit.\n6) -> tcp_rtx_synack() is called in process context.\n\nBefore blamed commit, tcp_rtx_synack() was always called from BH handler,\nfrom a timer handler.\n\nFix this by using TCP_INC_STATS() & NET_INC_STATS()\nwhich do not assume caller is in non preemptible context.\n\n[1]\nBUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180\ncaller is tcp_rtx_synack.part.0+0x36/0xc0\nCPU: 10 PID: 2180 Comm: epollpep Tainted: G           OE     5.16.0-0.bpo.4-amd64 #1  Debian 5.16.12-1~bpo11+1\nHardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021\nCall Trace:\n <TASK>\n dump_stack_lvl+0x48/0x5e\n check_preemption_disabled+0xde/0xe0\n tcp_rtx_synack.part.0+0x36/0xc0\n tcp_rtx_synack+0x8d/0xa0\n ? kmem_cache_alloc+0x2e0/0x3e0\n ? apparmor_file_alloc_security+0x3b/0x1f0\n inet_rtx_syn_ack+0x16/0x30\n tcp_check_req+0x367/0x610\n tcp_rcv_state_process+0x91/0xf60\n ? get_nohz_timer_target+0x18/0x1a0\n ? lock_timer_base+0x61/0x80\n ? preempt_count_add+0x68/0xa0\n tcp_v4_do_rcv+0xbd/0x270\n __release_sock+0x6d/0xb0\n release_sock+0x2b/0x90\n sock_setsockopt+0x138/0x1140\n ? __sys_getsockname+0x7e/0xc0\n ? aa_sk_perm+0x3e/0x1a0\n __sys_setsockopt+0x198/0x1e0\n __x64_sys_setsockopt+0x21/0x30\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49372",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd  missing of_node_put() in some error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49373",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: check attribute length for bearer name\n\nsyzbot reported uninit-value:\n=====================================================\nBUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:644 [inline]\nBUG: KMSAN: uninit-value in string+0x4f9/0x6f0 lib/vsprintf.c:725\n string_nocheck lib/vsprintf.c:644 [inline]\n string+0x4f9/0x6f0 lib/vsprintf.c:725\n vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806\n vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158\n vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256\n vprintk_default+0x86/0xa0 kernel/printk/printk.c:2283\n vprintk+0x15f/0x180 kernel/printk/printk_safe.c:50\n _printk+0x18d/0x1cf kernel/printk/printk.c:2293\n tipc_enable_bearer net/tipc/bearer.c:371 [inline]\n __tipc_nl_bearer_enable+0x2022/0x22a0 net/tipc/bearer.c:1033\n tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:1042\n genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]\n\n- Do sanity check the attribute length for TIPC_NLA_BEARER_NAME.\n- Do not use 'illegal name' in printing message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49374",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: mt6397: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49375",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: Fix potential NULL pointer dereference\n\nIf sd_probe() sees an early error before sdkp->device is initialized,\nsd_zbc_release_disk() is called. This causes a NULL pointer dereference\nwhen sd_is_zoned() is called inside that function. Avoid this by removing\nthe call to sd_zbc_release_disk() in sd_probe() error path.\n\nThis change is safe and does not result in zone information memory leakage\nbecause the zone information for a zoned disk is allocated only when\nsd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set,\nresulting in sd_disk_release() being called when needed to cleanup a disk\nzone information using sd_zbc_release_disk().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49376",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: don't touch ->tagset in blk_mq_get_sq_hctx\n\nblk_mq_run_hw_queues() could be run when there isn't queued request and\nafter queue is cleaned up, at that time tagset is freed, because tagset\nlifetime is covered by driver, and often freed after blk_cleanup_queue()\nreturns.\n\nSo don't touch ->tagset for figuring out current default hctx by the mapping\nbuilt in request queue, so use-after-free on tagset can be avoided. Meantime\nthis way should be fast than retrieving mapping from tagset.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49377",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix considering that all channels have TX queues\n\nNormally, all channels have RX and TX queues, but this is not true if\nmodparam efx_separate_tx_channels=1 is used. In that cases, some\nchannels only have RX queues and others only TX queues (or more\npreciselly, they have them allocated, but not initialized).\n\nFix efx_channel_has_tx_queues to return the correct value for this case\ntoo.\n\nMessages shown at probe time before the fix:\n sfc 0000:03:00.0 ens6f0np0: MC command 0x82 inlen 544 failed rc=-22 (raw=0) arg=0\n ------------[ cut here ]------------\n netdevice: ens6f0np0: failed to initialise TXQ -1\n WARNING: CPU: 1 PID: 626 at drivers/net/ethernet/sfc/ef10.c:2393 efx_ef10_tx_init+0x201/0x300 [sfc]\n [...] stripped\n RIP: 0010:efx_ef10_tx_init+0x201/0x300 [sfc]\n [...] stripped\n Call Trace:\n  efx_init_tx_queue+0xaa/0xf0 [sfc]\n  efx_start_channels+0x49/0x120 [sfc]\n  efx_start_all+0x1f8/0x430 [sfc]\n  efx_net_open+0x5a/0xe0 [sfc]\n  __dev_open+0xd0/0x190\n  __dev_change_flags+0x1b3/0x220\n  dev_change_flags+0x21/0x60\n [...] stripped\n\nMessages shown at remove time before the fix:\n sfc 0000:03:00.0 ens6f0np0: failed to flush 10 queues\n sfc 0000:03:00.0 ens6f0np0: failed to flush queues",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49378",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction\n\nMounting NFS rootfs was timing out when deferred_probe_timeout was\nnon-zero [1].  This was because ip_auto_config() initcall times out\nwaiting for the network interfaces to show up when\ndeferred_probe_timeout was non-zero. While ip_auto_config() calls\nwait_for_device_probe() to make sure any currently running deferred\nprobe work or asynchronous probe finishes, that wasn't sufficient to\naccount for devices being deferred until deferred_probe_timeout.\n\nCommit 35a672363ab3 (\"driver core: Ensure wait_for_device_probe() waits\nuntil the deferred_probe_timeout fires\") tried to fix that by making\nsure wait_for_device_probe() waits for deferred_probe_timeout to expire\nbefore returning.\n\nHowever, if wait_for_device_probe() is called from the kernel_init()\ncontext:\n\n- Before deferred_probe_initcall() [2], it causes the boot process to\n  hang due to a deadlock.\n\n- After deferred_probe_initcall() [3], it blocks kernel_init() from\n  continuing till deferred_probe_timeout expires and beats the point of\n  deferred_probe_timeout that's trying to wait for userspace to load\n  modules.\n\nNeither of this is good. So revert the changes to\nwait_for_device_probe().\n\n[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/\n[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/\n[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49379",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid f2fs_bug_on() in dec_valid_node_count()\n\nAs Yanming reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215897\n\nI have encountered a bug in F2FS file system in kernel v5.17.\n\nThe kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can\nreproduce the bug by running the following commands:\n\nThe kernel message is shown below:\n\nkernel BUG at fs/f2fs/f2fs.h:2511!\nCall Trace:\n f2fs_remove_inode_page+0x2a2/0x830\n f2fs_evict_inode+0x9b7/0x1510\n evict+0x282/0x4e0\n do_unlinkat+0x33a/0x540\n __x64_sys_unlinkat+0x8e/0xd0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is: .total_valid_block_count or .total_valid_node_count\ncould fuzzed to zero, then once dec_valid_node_count() was called, it\nwill cause BUG_ON(), this patch fixes to print warning info and set\nSBI_NEED_FSCK into CP instead of panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49380",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_do_fill_super\n\nIf jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns\nan error, we can observe the following kmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff888105a65340 (size 64):\n  comm \"mount\", pid 710, jiffies 4302851558 (age 58.239s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0\n    [<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0\n    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120\n    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810\n    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0\n    [...]\nunreferenced object 0xffff8881bd7f0000 (size 65536):\n  comm \"mount\", pid 710, jiffies 4302851558 (age 58.239s)\n  hex dump (first 32 bytes):\n    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................\n    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................\n  backtrace:\n    [<ffffffff858579ba>] kmalloc_order+0xda/0x110\n    [<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130\n    [<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0\n    [<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0\n    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120\n    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810\n    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0\n    [...]\n--------------------------------------------\n\nThis is because the resources allocated in jffs2_sum_init() are not\nreleased. Call jffs2_sum_exit() to release these resources to solve\nthe problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49381",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: rockchip: Fix refcount leak in rockchip_grf_init\n\nof_find_matching_node_and_match returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49382",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: rzg2l_wdt: Fix 'BUG: Invalid wait context'\n\nThis patch fixes the issue 'BUG: Invalid wait context' during restart()\ncallback by using clk_prepare_enable() instead of pm_runtime_get_sync()\nfor turning on the clocks during restart.\n\nThis issue is noticed when testing with renesas_defconfig.\n\n[   42.213802] reboot: Restarting system\n[   42.217860]\n[   42.219364] =============================\n[   42.223368] [ BUG: Invalid wait context ]\n[   42.227372] 5.17.0-rc5-arm64-renesas-00002-g10393723e35e #522 Not tainted\n[   42.234153] -----------------------------\n[   42.238155] systemd-shutdow/1 is trying to lock:\n[   42.242766] ffff00000a650828 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x14/0x20\n[   42.250709] other info that might help us debug this:\n[   42.255753] context-{4:4}\n[   42.258368] 2 locks held by systemd-shutdow/1:\n[   42.262806]  #0: ffff80000944e1c8 (system_transition_mutex#2){+.+.}-{3:3}, at: __do_sys_reboot+0xd0/0x250\n[   42.272388]  #1: ffff8000094c4e40 (rcu_read_lock){....}-{1:2}, at: atomic_notifier_call_chain+0x0/0x150\n[   42.281795] stack backtrace:\n[   42.284672] CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.17.0-rc5-arm64-renesas-00002-g10393723e35e #522\n[   42.294577] Hardware name: Renesas SMARC EVK based on r9a07g044c2 (DT)\n[   42.301096] Call trace:\n[   42.303538]  dump_backtrace+0xcc/0xd8\n[   42.307203]  show_stack+0x14/0x30\n[   42.310517]  dump_stack_lvl+0x88/0xb0\n[   42.314180]  dump_stack+0x14/0x2c\n[   42.317492]  __lock_acquire+0x1b24/0x1b50\n[   42.321502]  lock_acquire+0x120/0x3a8\n[   42.325162]  __mutex_lock+0x84/0x8f8\n[   42.328737]  mutex_lock_nested+0x30/0x58\n[   42.332658]  genpd_lock_mtx+0x14/0x20\n[   42.336319]  genpd_runtime_resume+0xc4/0x228\n[   42.340587]  __rpm_callback+0x44/0x170\n[   42.344337]  rpm_callback+0x64/0x70\n[   42.347824]  rpm_resume+0x4e0/0x6b8\n[   42.351310]  __pm_runtime_resume+0x50/0x78\n[   42.355404]  rzg2l_wdt_restart+0x28/0x68\n[   42.359329]  watchdog_restart_notifier+0x1c/0x30\n[   42.363943]  atomic_notifier_call_chain+0x94/0x150\n[   42.368732]  do_kernel_restart+0x24/0x30\n[   42.372652]  machine_restart+0x44/0x70\n[   42.376399]  kernel_restart+0x3c/0x60\n[   42.380058]  __do_sys_reboot+0x228/0x250\n[   42.383977]  __arm64_sys_reboot+0x20/0x28\n[   42.387983]  invoke_syscall+0x40/0xf8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49383",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix double free of io_acct_set bioset\n\nNow io_acct_set is alloc and free in personality. Remove the codes that\nfree io_acct_set in md_free and md_stop.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49384",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: base: fix UAF when driver_attach failed\n\nWhen driver_attach(drv); failed, the driver_private will be freed.\nBut it has been added to the bus, which caused a UAF.\n\nTo fix it, we need to delete it from the bus when failed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49385",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nam65_cpsw_init_cpts() and am65_cpsw_nuss_probe() don't release\nthe refcount in error case.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49386",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: rzg2l_wdt: Fix 32bit overflow issue\n\nThe value of timer_cycle_us can be 0 due to 32bit overflow.\nFor eg:- If we assign the counter value \"0xfff\" for computing\nmaxval.\n\nThis patch fixes this issue by appending ULL to 1024, so that\nit is promoted to 64bit.\n\nThis patch also fixes the warning message, 'watchdog: Invalid min and\nmax timeout values, resetting to 0!'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49387",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: ubi_create_volume: Fix use-after-free when volume creation failed\n\nThere is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s\nerror handling path:\n\n  ubi_eba_replace_table(vol, eba_tbl)\n    vol->eba_tbl = tbl\nout_mapping:\n  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'\nout_unlock:\n  put_device(&vol->dev)\n    vol_release\n      kfree(tbl->entries)\t  // UAF\n\nFix it by removing redundant 'eba_tbl' releasing.\nFetch a reproducer in [Link].",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49388",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbip: fix a refcount leak in stub_probe()\n\nusb_get_dev() is called in stub_device_alloc(). When stub_probe() fails\nafter that, usb_put_dev() needs to be called to release the reference.\n\nFix this by moving usb_put_dev() to sdev_free error path handling.\n\nFind this by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49389",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: fix UAF bug for real_dev\n\nCreate a new macsec device but not get reference to real_dev. That can\nnot ensure that real_dev is freed after macsec. That will trigger the\nUAF bug for real_dev as following:\n\n==================================================================\nBUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\nCall Trace:\n ...\n macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662\n dev_get_iflink+0x73/0xe0 net/core/dev.c:637\n default_operstate net/core/link_watch.c:42 [inline]\n rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54\n linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161\n\nAllocated by task 22209:\n ...\n alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549\n rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235\n veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748\n\nFreed by task 8:\n ...\n kfree+0xd6/0x4d0 mm/slub.c:4552\n kvfree+0x42/0x50 mm/util.c:615\n device_release+0x9f/0x240 drivers/base/core.c:2229\n kobject_cleanup lib/kobject.c:673 [inline]\n kobject_release lib/kobject.c:704 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1c8/0x540 lib/kobject.c:721\n netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327\n\nAfter commit faab39f63c1f (\"net: allow out-of-order netdev unregistration\")\nand commit e5f80fcf869a (\"ipv6: give an IPv6 dev to blackhole_netdev\"), we\ncan add dev_hold_track() in macsec_dev_init() and dev_put_track() in\nmacsec_free_netdev() to fix the problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49390",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mtk_scp: Fix a potential double free\n\n'scp->rproc' is allocated using devm_rproc_alloc(), so there is no need\nto free it explicitly in the remove function.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49391",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe\n\nplatform_get_resource() may fail and return NULL, so we should\nbetter check it's return value to avoid a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49392",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl\n\nThis is another instance of incorrect use of list iterator and\nchecking it for NULL.\n\nThe list iterator value 'map' will *always* be set and non-NULL\nby list_for_each_entry(), so it is incorrect to assume that the\niterator value will be NULL if the list is empty (in this case, the\ncheck 'if (!map) {' will always be false and never exit as expected).\n\nTo fix the bug, use a new variable 'iter' as the list iterator,\nwhile use the original variable 'map' as a dedicated pointer to\npoint to the found element.\n\nWithout this patch, Kernel crashes with below trace:\n\nUnable to handle kernel access to user memory outside uaccess routines\n at virtual address 0000ffff7fb03750\n...\nCall trace:\n fastrpc_map_create+0x70/0x290 [fastrpc]\n fastrpc_req_mem_map+0xf0/0x2dc [fastrpc]\n fastrpc_device_ioctl+0x138/0xc60 [fastrpc]\n __arm64_sys_ioctl+0xa8/0xec\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xd4/0xfc\n do_el0_svc+0x28/0x90\n el0_svc+0x3c/0x130\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x18c/0x190\nCode: 14000016 f94000a5 eb05029f 54000260 (b94018a6)\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49393",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix inflight count imbalances and IO hangs on offline\n\niolatency needs to track the number of inflight IOs per cgroup. As this\ntracking can be expensive, it is disabled when no cgroup has iolatency\nconfigured for the device. To ensure that the inflight counters stay\nbalanced, iolatency_set_limit() freezes the request_queue while manipulating\nthe enabled counter, which ensures that no IO is in flight and thus all\ncounters are zero.\n\nUnfortunately, iolatency_set_limit() isn't the only place where the enabled\ncounter is manipulated. iolatency_pd_offline() can also dec the counter and\ntrigger disabling. As this disabling happens without freezing the q, this\ncan easily happen while some IOs are in flight and thus leak the counts.\n\nThis can be easily demonstrated by turning on iolatency on an one empty\ncgroup while IOs are in flight in other cgroups and then removing the\ncgroup. Note that iolatency shouldn't have been enabled elsewhere in the\nsystem to ensure that removing the cgroup disables iolatency for the whole\ndevice.\n\nThe following keeps flipping on and off iolatency on sda:\n\n  echo +io > /sys/fs/cgroup/cgroup.subtree_control\n  while true; do\n      mkdir -p /sys/fs/cgroup/test\n      echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency\n      sleep 1\n      rmdir /sys/fs/cgroup/test\n      sleep 1\n  done\n\nand there's concurrent fio generating direct rand reads:\n\n  fio --name test --filename=/dev/sda --direct=1 --rw=randread \\\n      --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k\n\nwhile monitoring with the following drgn script:\n\n  while True:\n    for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):\n        for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):\n            blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')\n            pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]\n            if pd.value_() == 0:\n                continue\n            iolat = container_of(pd, 'struct iolatency_grp', 'pd')\n            inflight = iolat.rq_wait.inflight.counter.value_()\n            if inflight:\n                print(f'inflight={inflight} {disk_name(blkg.q.disk).decode(\"utf-8\")} '\n                      f'{cgroup_path(css.cgroup).decode(\"utf-8\")}')\n    time.sleep(1)\n\nThe monitoring output looks like the following:\n\n  inflight=1 sda /user.slice\n  inflight=1 sda /user.slice\n  ...\n  inflight=14 sda /user.slice\n  inflight=13 sda /user.slice\n  inflight=17 sda /user.slice\n  inflight=15 sda /user.slice\n  inflight=18 sda /user.slice\n  inflight=17 sda /user.slice\n  inflight=20 sda /user.slice\n  inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19\n  inflight=19 sda /user.slice\n  inflight=19 sda /user.slice\n\nIf a cgroup with stuck inflight ends up getting throttled, the throttled IOs\nwill never get issued as there's no completion event to wake it up leading\nto an indefinite hang.\n\nThis patch fixes the bug by unifying enable handling into a work item which\nis automatically kicked off from iolatency_set_min_lat_nsec() which is\ncalled from both iolatency_set_limit() and iolatency_pd_offline() paths.\nPunting to a work item is necessary as iolatency_pd_offline() is called\nunder spinlocks while freezing a request_queue requires a sleepable context.\n\nThis also simplifies the code reducing LOC sans the comments and avoids the\nunnecessary freezes which were happening whenever a cgroup's latency target\nis newly set or cleared.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49394",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Fix out-of-bounds read in LDT setup\n\nsyscall_stub_data() expects the data_count parameter to be the number of\nlongs, not bytes.\n\n ==================================================================\n BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0\n Read of size 128 at addr 000000006411f6f0 by task swapper/1\n\n CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18\n Call Trace:\n  show_stack.cold+0x166/0x2a7\n  __dump_stack+0x3a/0x43\n  dump_stack_lvl+0x1f/0x27\n  print_report.cold+0xdb/0xf81\n  kasan_report+0x119/0x1f0\n  kasan_check_range+0x3a3/0x440\n  memcpy+0x52/0x140\n  syscall_stub_data+0x70/0xe0\n  write_ldt_entry+0xac/0x190\n  init_new_ldt+0x515/0x960\n  init_new_context+0x2c4/0x4d0\n  mm_init.constprop.0+0x5ed/0x760\n  mm_alloc+0x118/0x170\n  0x60033f48\n  do_one_initcall+0x1d7/0x860\n  0x60003e7b\n  kernel_init+0x6e/0x3d4\n  new_thread_handler+0x1e7/0x2c0\n\n The buggy address belongs to stack of task swapper/1\n  and is located at offset 64 in frame:\n  init_new_ldt+0x0/0x960\n\n This frame has 2 objects:\n  [32, 40) 'addr'\n  [64, 80) 'desc'\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49395",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix reset-controller leak on probe errors\n\nMake sure to release the lane reset controller in case of a late probe\nerror (e.g. probe deferral).\n\nNote that due to the reset controller being defined in devicetree in\n\"lane\" child nodes, devm_reset_control_get_exclusive() cannot be used\ndirectly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49396",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp: fix struct clk leak on probe errors\n\nMake sure to release the pipe clock reference in case of a late probe\nerror (e.g. probe deferral).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49397",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list.  However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute.  There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind).  As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled.  With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n  -> dwc3_gadget_ep_cleanup_cancelled_requests()\n    ->list_for_each_entry_safe()\n    ->dwc3_gadget_giveback(n)\n      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n      ->spin_unlock\n      ->Thread#2 executes\n      ...\n    ->dwc3_gadget_giveback(n+1)\n      ->Already removed!\n\nThread#2:\ndwc3_gadget_pullup()\n  ->waiting for dwc3 spin_lock\n  ...\n  ->Thread#1 released lock\n  ->dwc3_stop_active_transfers()\n    ->dwc3_remove_requests()\n      ->fetches n+1 item from cancelled_list (n removed by Thread#1)\n      ->dwc3_gadget_giveback()\n        ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n        ->spin_unlock",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49398",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: goldfish: Use tty_port_destroy() to destroy port\n\nIn goldfish_tty_probe(), the port initialized through tty_port_init()\nshould be destroyed in error paths.In goldfish_tty_remove(), qtty->port\nalso should be destroyed or else might leak resources.\n\nFix the above by calling tty_port_destroy().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49399",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't set mddev private to NULL in raid0 pers->free\n\nIn normal stop process, it does like this:\n   do_md_stop\n      |\n   __md_stop (pers->free(); mddev->private=NULL)\n      |\n   md_free (free mddev)\n__md_stop sets mddev->private to NULL after pers->free. The raid device\nwill be stopped and mddev memory is free. But in reshape, it doesn't\nfree the mddev and mddev will still be used in new raid.\n\nIn reshape, it first sets mddev->private to new_pers and then runs\nold_pers->free(). Now raid0 sets mddev->private to NULL in raid0_free.\nThe new raid can't work anymore. It will panic when dereference\nmddev->private because of NULL pointer dereference.\n\nIt can panic like this:\n[63010.814972] kernel BUG at drivers/md/raid10.c:928!\n[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1\n[63010.833789] Hardware name: Dell Inc. PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020\n[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]\n[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246\n[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000\n[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800\n[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000\n[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200\n[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003\n[63010.906399] FS:  0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000\n[63010.914485] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0\n[63010.927363] Call Trace:\n[63010.929822]  ? bio_reset+0xe/0x40\n[63010.933144]  ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]\n[63010.938629]  raid10_sync_request+0x756/0x1610 [raid10]\n[63010.943770]  md_do_sync.cold+0x3e4/0x94c\n[63010.947698]  md_thread+0xab/0x160\n[63010.951024]  ? md_write_inc+0x50/0x50\n[63010.954688]  kthread+0x149/0x170\n[63010.957923]  ? set_kthread_struct+0x40/0x40\n[63010.962107]  ret_from_fork+0x22/0x30\n\nRemoving the code that sets mddev->private to NULL in raid0 can fix\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49400",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_owner: use strscpy() instead of strlcpy()\n\ncurrent->comm[] is not a string (no guarantee for a zero byte in it).\n\nstrlcpy(s1, s2, l) is calling strlen(s2), potentially\ncausing out-of-bound access, as reported by syzbot:\n\ndetected buffer overflow in __fortify_strlen\n------------[ cut here ]------------\nkernel BUG at lib/string_helpers.c:980!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980\nCode: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a\nRSP: 0018:ffffc900000074a8 EFLAGS: 00010286\n\nRAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000\nRDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87\nRBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000\nR10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700\nR13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n <IRQ>\n __fortify_strlen include/linux/fortify-string.h:128 [inline]\n strlcpy include/linux/fortify-string.h:143 [inline]\n __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171\n __set_page_owner+0x3e/0x50 mm/page_owner.c:190\n prep_new_page mm/page_alloc.c:2441 [inline]\n get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408\n alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272\n alloc_slab_page mm/slub.c:1799 [inline]\n allocate_slab+0x26c/0x3c0 mm/slub.c:1944\n new_slab mm/slub.c:2004 [inline]\n ___slab_alloc+0x8df/0xf20 mm/slub.c:3005\n __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092\n slab_alloc_node mm/slub.c:3183 [inline]\n slab_alloc mm/slub.c:3225 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3232 [inline]\n kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242\n dst_alloc+0x146/0x1f0 net/core/dst.c:92",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49401",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Clean up hash direct_functions on register failures\n\nWe see the following GPF when register_ftrace_direct fails:\n\n[ ] general protection fault, probably for non-canonical address \\\n  0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n[...]\n[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70\n[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...]\n[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206\n[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b\n[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0\n[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001\n[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0\n[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000\n[ ] FS:  00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000\n[ ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0\n[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ ] Call Trace:\n[ ]  <TASK>\n[ ]  register_ftrace_direct+0x54/0x290\n[ ]  ? render_sigset_t+0xa0/0xa0\n[ ]  bpf_trampoline_update+0x3f5/0x4a0\n[ ]  ? 0xffffffffa00a3000\n[ ]  bpf_trampoline_link_prog+0xa9/0x140\n[ ]  bpf_tracing_prog_attach+0x1dc/0x450\n[ ]  bpf_raw_tracepoint_open+0x9a/0x1e0\n[ ]  ? find_held_lock+0x2d/0x90\n[ ]  ? lock_release+0x150/0x430\n[ ]  __sys_bpf+0xbd6/0x2700\n[ ]  ? lock_is_held_type+0xd8/0x130\n[ ]  __x64_sys_bpf+0x1c/0x20\n[ ]  do_syscall_64+0x3a/0x80\n[ ]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ ] RIP: 0033:0x7fa9421defa9\n[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...]\n[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\n[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9\n[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011\n[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000\n[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001\n[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001\n[ ]  </TASK>\n[ ] Modules linked in: klp_vm(OK)\n[ ] ---[ end trace 0000000000000000 ]---\n\nOne way to trigger this is:\n  1. load a livepatch that patches kernel function xxx;\n  2. run bpftrace -e 'kfunc:xxx {}', this will fail (expected for now);\n  3. repeat #2 => gpf.\n\nThis is because the entry is added to direct_functions, but not removed.\nFix this by remove the entry from direct_functions when\nregister_ftrace_direct fails.\n\nAlso remove the last trailing space from ftrace.c, so we don't have to\nworry about it anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49402",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/string_helpers: fix not adding strarray to device's resource list\n\nAdd allocated strarray to device's resource list. This is a must to\nautomatically release strarray when the device disappears.\n\nWithout this fix we have a memory leak in the few drivers which use\ndevm_kasprintf_strarray().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49403",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Fix potential integer multiplication overflow errors\n\nWhen multiplying of different types, an overflow is possible even when\nstoring the result in a larger type. This is because the conversion is\ndone after the multiplication. So arithmetic overflow and thus in\nincorrect value is possible.\n\nCorrect an instance of this in the inter packet delay calculation.  Fix by\nensuring one of the operands is u64 which will promote the other to u64 as\nwell ensuring no overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49404",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()\n\nThis code has a check to prevent read overflow but it needs another\ncheck to prevent writing beyond the end of the ->Ssid[] array.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49405",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix potential deadlock in blk_ia_range_sysfs_show()\n\nWhen being read, a sysfs attribute is already protected against removal\nwith the kobject node active reference counter. As a result, in\nblk_ia_range_sysfs_show(), there is no need to take the queue sysfs\nlock when reading the value of a range attribute. Using the queue sysfs\nlock in this function creates a potential deadlock situation with the\ndisk removal, something that a lockdep signals with a splat when the\ndevice is removed:\n\n[  760.703551]  Possible unsafe locking scenario:\n[  760.703551]\n[  760.703554]        CPU0                    CPU1\n[  760.703556]        ----                    ----\n[  760.703558]   lock(&q->sysfs_lock);\n[  760.703565]                                lock(kn->active#385);\n[  760.703573]                                lock(&q->sysfs_lock);\n[  760.703579]   lock(kn->active#385);\n[  760.703587]\n[  760.703587]  *** DEADLOCK ***\n\nSolve this by removing the mutex_lock()/mutex_unlock() calls from\nblk_ia_range_sysfs_show().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49406",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix plock invalid read\n\nThis patch fixes an invalid read showed by KASAN. A unlock will allocate a\n\"struct plock_op\" and a followed send_op() will append it to a global\nsend_list data structure. In some cases a followed dev_read() moves it\nto recv_list and dev_write() will cast it to \"struct plock_xop\" and access\nfields which are only available in those structures. At this point an\ninvalid read happens by accessing those fields.\n\nTo fix this issue the \"callback\" field is moved to \"struct plock_op\" to\nindicate that a cast to \"plock_xop\" is allowed and does the additional\n\"plock_xop\" handling if set.\n\nExample of the KASAN output which showed the invalid read:\n\n[ 2064.296453] ==================================================================\n[ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]\n[ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484\n[ 2064.308168]\n[ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9\n[ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n[ 2064.311618] Call Trace:\n[ 2064.312218]  dump_stack_lvl+0x56/0x7b\n[ 2064.313150]  print_address_description.constprop.8+0x21/0x150\n[ 2064.314578]  ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.315610]  ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.316595]  kasan_report.cold.14+0x7f/0x11b\n[ 2064.317674]  ? dev_write+0x52b/0x5a0 [dlm]\n[ 2064.318687]  dev_write+0x52b/0x5a0 [dlm]\n[ 2064.319629]  ? dev_read+0x4a0/0x4a0 [dlm]\n[ 2064.320713]  ? bpf_lsm_kernfs_init_security+0x10/0x10\n[ 2064.321926]  vfs_write+0x17e/0x930\n[ 2064.322769]  ? __fget_light+0x1aa/0x220\n[ 2064.323753]  ksys_write+0xf1/0x1c0\n[ 2064.324548]  ? __ia32_sys_read+0xb0/0xb0\n[ 2064.325464]  do_syscall_64+0x3a/0x80\n[ 2064.326387]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.327606] RIP: 0033:0x7f807e4ba96f\n[ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48\n[ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f\n[ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010\n[ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001\n[ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80\n[ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001\n[ 2064.342857]\n[ 2064.343226] Allocated by task 12438:\n[ 2064.344057]  kasan_save_stack+0x1c/0x40\n[ 2064.345079]  __kasan_kmalloc+0x84/0xa0\n[ 2064.345933]  kmem_cache_alloc_trace+0x13b/0x220\n[ 2064.346953]  dlm_posix_unlock+0xec/0x720 [dlm]\n[ 2064.348811]  do_lock_file_wait.part.32+0xca/0x1d0\n[ 2064.351070]  fcntl_setlk+0x281/0xbc0\n[ 2064.352879]  do_fcntl+0x5e4/0xfe0\n[ 2064.354657]  __x64_sys_fcntl+0x11f/0x170\n[ 2064.356550]  do_syscall_64+0x3a/0x80\n[ 2064.358259]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 2064.360745]\n[ 2064.361511] Last potentially related work creation:\n[ 2064.363957]  kasan_save_stack+0x1c/0x40\n[ 2064.365811]  __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.368100]  call_rcu+0x11b/0xf70\n[ 2064.369785]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.372404]  receive_from_sock+0x290/0x770 [dlm]\n[ 2064.374607]  process_recv_sockets+0x32/0x40 [dlm]\n[ 2064.377290]  process_one_work+0x9a8/0x16e0\n[ 2064.379357]  worker_thread+0x87/0xbf0\n[ 2064.381188]  kthread+0x3ac/0x490\n[ 2064.383460]  ret_from_fork+0x22/0x30\n[ 2064.385588]\n[ 2064.386518] Second to last potentially related work creation:\n[ 2064.389219]  kasan_save_stack+0x1c/0x40\n[ 2064.391043]  __kasan_record_aux_stack+0xaf/0xc0\n[ 2064.393303]  call_rcu+0x11b/0xf70\n[ 2064.394885]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]\n[ 2064.397694]  receive_from_sock+0x290/0x770 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49407",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in parse_apply_sb_mount_options()\n\nIf processing the on-disk mount options fails after any memory was\nallocated in the ext4_fs_context, e.g. s_qf_names, then this memory is\nleaked.  Fix this by calling ext4_fc_free() instead of kfree() directly.\n\nReproducer:\n\n    mkfs.ext4 -F /dev/vdc\n    tune2fs /dev/vdc -E mount_opts=usrjquota=file\n    echo clear > /sys/kernel/debug/kmemleak\n    mount /dev/vdc /vdc\n    echo scan > /sys/kernel/debug/kmemleak\n    sleep 5\n    echo scan > /sys/kernel/debug/kmemleak\n    cat /sys/kernel/debug/kmemleak",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49408",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:199!\n[...]\nRIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]\nRIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217\n[...]\nCall Trace:\n ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766\n ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561\n ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964\n ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384\n ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567\n ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980\n ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031\n ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257\n v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63\n v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82\n vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368\n dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490\n ext4_quota_enable fs/ext4/super.c:6137 [inline]\n ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163\n ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754\n mount_bdev+0x2e9/0x3b0 fs/super.c:1158\n mount_fs+0x4b/0x1e4 fs/super.c:1261\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_enable_quotas\n  ext4_quota_enable\n   ext4_iget\n    __ext4_iget\n     ext4_ext_check_inode\n      ext4_ext_check\n       __ext4_ext_check\n        ext4_valid_extent_entries\n         Check for overlapping extents doesn't take effect\n   dquot_enable\n    vfs_load_quota_inode\n     v2_check_quota_file\n      v2_read_header\n       ext4_quota_read\n        ext4_bread\n         ext4_getblk\n          ext4_map_blocks\n           ext4_ext_map_blocks\n            ext4_find_extent\n             ext4_cache_extents\n              ext4_es_cache_extent\n               ext4_es_cache_extent\n                __es_tree_search\n                 ext4_es_end\n                  BUG_ON(es->es_lblk + es->es_len < es->es_lblk)\n\nThe error ext4 extents is as follows:\n0af3 0300 0400 0000 00000000    extent_header\n00000000 0100 0000 12000000     extent1\n00000000 0100 0000 18000000     extent2\n02000000 0400 0000 14000000     extent3\n\nIn the ext4_valid_extent_entries function,\nif prev is 0, no error is returned even if lblock<=prev.\nThis was intended to skip the check on the first extent, but\nin the error image above, prev=0+1-1=0 when checking the second extent,\nso even though lblock<=prev, the function does not return an error.\nAs a result, BUG_ON occurs in __es_tree_search and the system panics.\n\nTo solve this problem, we only need to check that:\n1. The lblock of the first extent is not less than 0.\n2. The lblock of the next extent  is not less than\n   the next block of the previous extent.\nThe same applies to extent_idx.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49409",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential double free in create_var_ref()\n\nIn create_var_ref(), init_var_ref() is called to initialize the fields\nof variable ref_field, which is allocated in the previous function call\nto create_hist_field(). Function init_var_ref() allocates the\ncorresponding fields such as ref_field->system, but frees these fields\nwhen the function encounters an error. The caller later calls\ndestroy_hist_field() to conduct error handling, which frees the fields\nand the variable itself. This results in double free of the fields which\nare already freed in the previous function.\n\nFix this by storing NULL to the corresponding fields when they are freed\nin init_var_ref().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49410",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Make sure bfqg for which we are queueing requests is online\n\nBios queued into BFQ IO scheduler can be associated with a cgroup that\nwas already offlined. This may then cause insertion of this bfq_group\ninto a service tree. But this bfq_group will get freed as soon as last\nbio associated with it is completed leading to use after free issues for\nservice tree users. Fix the problem by making sure we always operate on\nonline bfq_group. If the bfq_group associated with the bio is not\nonline, we pick the first online parent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49411",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Avoid merging queues with different parents\n\nIt can happen that the parent of a bfqq changes between the moment we\ndecide two queues are worth merging (and set bic->stable_merge_bfqq)\nand the moment bfq_setup_merge() is called. This can happen e.g. because\nthe process submitted IO for a different cgroup and thus bfqq got\nreparented. It can even happen that the bfqq we are merging with has a\nparent cgroup that is already offline and going to be destroyed in which\ncase the merge can lead to use-after-free issues such as:\n\nBUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50\nRead of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544\n\nCPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G            E     5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x46/0x5a\n print_address_description.constprop.0+0x1f/0x140\n ? __bfq_deactivate_entity+0x9cb/0xa50\n kasan_report.cold+0x7f/0x11b\n ? __bfq_deactivate_entity+0x9cb/0xa50\n __bfq_deactivate_entity+0x9cb/0xa50\n ? update_curr+0x32f/0x5d0\n bfq_deactivate_entity+0xa0/0x1d0\n bfq_del_bfqq_busy+0x28a/0x420\n ? resched_curr+0x116/0x1d0\n ? bfq_requeue_bfqq+0x70/0x70\n ? check_preempt_wakeup+0x52b/0xbc0\n __bfq_bfqq_expire+0x1a2/0x270\n bfq_bfqq_expire+0xd16/0x2160\n ? try_to_wake_up+0x4ee/0x1260\n ? bfq_end_wr_async_queues+0xe0/0xe0\n ? _raw_write_unlock_bh+0x60/0x60\n ? _raw_spin_lock_irq+0x81/0xe0\n bfq_idle_slice_timer+0x109/0x280\n ? bfq_dispatch_request+0x4870/0x4870\n __hrtimer_run_queues+0x37d/0x700\n ? enqueue_hrtimer+0x1b0/0x1b0\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_update_offsets_now+0x6f/0x280\n hrtimer_interrupt+0x2c8/0x740\n\nFix the problem by checking that the parent of the two bfqqs we are\nmerging in bfq_setup_merge() is the same.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49412",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Update cgroup information before merging bio\n\nWhen the process is migrated to a different cgroup (or in case of\nwriteback just starts submitting bios associated with a different\ncgroup) bfq_merge_bio() can operate with stale cgroup information in\nbic. Thus the bio can be merged to a request from a different cgroup or\nit can result in merging of bfqqs for different cgroups or bfqqs of\nalready dead cgroups and causing possible use-after-free issues. Fix the\nproblem by updating cgroup information in bfq_merge_bio().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49413",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix race condition between ext4_write and ext4_convert_inline_data\n\nHulk Robot reported a BUG_ON:\n ==================================================================\n EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,\n block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters\n kernel BUG at fs/ext4/ext4_jbd2.c:53!\n invalid opcode: 0000 [#1] SMP KASAN PTI\n CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1\n RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]\n RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116\n [...]\n Call Trace:\n  ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795\n  generic_perform_write+0x279/0x3c0 mm/filemap.c:3344\n  ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270\n  ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520\n  do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732\n  do_iter_write+0x107/0x430 fs/read_write.c:861\n  vfs_writev fs/read_write.c:934 [inline]\n  do_pwritev+0x1e5/0x380 fs/read_write.c:1031\n [...]\n ==================================================================\n\nAbove issue may happen as follows:\n           cpu1                     cpu2\n__________________________|__________________________\ndo_pwritev\n vfs_writev\n  do_iter_write\n   ext4_file_write_iter\n    ext4_buffered_write_iter\n     generic_perform_write\n      ext4_da_write_begin\n                           vfs_fallocate\n                            ext4_fallocate\n                             ext4_convert_inline_data\n                              ext4_convert_inline_data_nolock\n                               ext4_destroy_inline_data_nolock\n                                clear EXT4_STATE_MAY_INLINE_DATA\n                               ext4_map_blocks\n                                ext4_ext_map_blocks\n                                 ext4_mb_new_blocks\n                                  ext4_mb_regular_allocator\n                                   ext4_mb_good_group_nolock\n                                    ext4_mb_init_group\n                                     ext4_mb_init_cache\n                                      ext4_mb_generate_buddy  --> error\n       ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)\n                                ext4_restore_inline_data\n                                 set EXT4_STATE_MAY_INLINE_DATA\n       ext4_block_write_begin\n      ext4_da_write_end\n       ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)\n       ext4_write_inline_data_end\n        handle=NULL\n        ext4_journal_stop(handle)\n         __ext4_journal_stop\n          ext4_put_nojournal(handle)\n           ref_cnt = (unsigned long)handle\n           BUG_ON(ref_cnt == 0)  ---> BUG_ON\n\nThe lock held by ext4_convert_inline_data is xattr_sem, but the lock\nheld by generic_perform_write is i_rwsem. Therefore, the two locks can\nbe concurrent.\n\nTo solve above issue, we add inode_lock() for ext4_convert_inline_data().\nAt the same time, move ext4_convert_inline_data() in front of\next4_punch_hole(), remove similar handling from ext4_punch_hole().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49414",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ipmb: Fix refcount leak in ipmi_ipmb_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49415",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix use-after-free in chanctx code\n\nIn ieee80211_vif_use_reserved_context(), when we have an\nold context and the new context's replace_state is set to\nIEEE80211_CHANCTX_REPLACE_NONE, we free the old context\nin ieee80211_vif_use_reserved_reassign(). Therefore, we\ncannot check the old_ctx anymore, so we should set it to\nNULL after this point.\n\nHowever, since the new_ctx replace state is clearly not\nIEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do\nanything else in this function and can just return to\navoid accessing the freed old_ctx.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49416",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mei: fix potential NULL-ptr deref\n\nIf SKB allocation fails, continue rather than using the NULL\npointer.\n\nCoverity CID: 1497650",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49417",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix free of uninitialized nfs4_label on referral lookup.\n\nSend along the already-allocated fattr along with nfs4_fs_locations, and\ndrop the memcpy of fattr.  We end up growing two more allocations, but this\nfixes up a crash as:\n\nPID: 790    TASK: ffff88811b43c000  CPU: 0   COMMAND: \"ls\"\n #0 [ffffc90000857920] panic at ffffffff81b9bfde\n #1 [ffffc900008579c0] do_trap at ffffffff81023a9b\n #2 [ffffc90000857a10] do_error_trap at ffffffff81023b78\n #3 [ffffc90000857a58] exc_stack_segment at ffffffff81be1f45\n #4 [ffffc90000857a80] asm_exc_stack_segment at ffffffff81c009de\n #5 [ffffc90000857b08] nfs_lookup at ffffffffa0302322 [nfs]\n #6 [ffffc90000857b70] __lookup_slow at ffffffff813a4a5f\n #7 [ffffc90000857c60] walk_component at ffffffff813a86c4\n #8 [ffffc90000857cb8] path_lookupat at ffffffff813a9553\n #9 [ffffc90000857cf0] filename_lookup at ffffffff813ab86b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49418",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: vesafb: Fix a use-after-free due to early fb_info cleanup\n\nCommit b3c9a924aab6 (\"fbdev: vesafb: Cleanup fb_info in .fb_destroy rather\nthan .remove\") fixed a use-after-free error due to the vesafb driver freeing\nthe fb_info in the .remove handler instead of doing it in .fb_destroy.\n\nThis can happen if the .fb_destroy callback is executed after the .remove\ncallback, since the former tries to access a pointer freed by the latter.\n\nBut that change didn't take into account that another possible scenario is\nthat .fb_destroy is called before the .remove callback. For example, if no\nprocess has the fbdev chardev opened by the time the driver is removed.\n\nIf that's the case, fb_info will be freed when unregister_framebuffer() is\ncalled, making the fb_info pointer accessed in vesafb_remove() after that\nto no longer be valid.\n\nTo prevent that, move the expression containing the info->par to happen\nbefore the unregister_framebuffer() function call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49419",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate races around sk->sk_bound_dev_if\n\nUDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while\nthis field can be changed by another thread.\n\nAdds minimal annotations to avoid KCSAN splats for UDP.\nFollowing patches will add more annotations to potential lockless readers.\n\nBUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg\n\nwrite to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:\n __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221\n ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272\n inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576\n __sys_connect_file net/socket.c:1900 [inline]\n __sys_connect+0x197/0x1b0 net/socket.c:1917\n __do_sys_connect net/socket.c:1927 [inline]\n __se_sys_connect net/socket.c:1924 [inline]\n __x64_sys_connect+0x3d/0x50 net/socket.c:1924\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:\n udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436\n inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n ____sys_sendmsg+0x39a/0x510 net/socket.c:2413\n ___sys_sendmsg net/socket.c:2467 [inline]\n __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553\n __do_sys_sendmmsg net/socket.c:2582 [inline]\n __se_sys_sendmmsg net/socket.c:2579 [inline]\n __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0x00000000 -> 0xffffff9b\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G        W         5.18.0-rc1-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n\nI chose to not add Fixes: tag because race has minor consequences\nand stable teams busy enough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49420",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup\n\nof_parse_phandle() returns a node pointer with refcount incremented, we should\nuse of_node_put() on it when not needed anymore.  Add missing of_node_put() to\navoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49421",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix the error handling path in idxd_cdev_register()\n\nIf a call to alloc_chrdev_region() fails, the already allocated resources\nare leaking.\n\nAdd the needed error handling path to fix the leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49422",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtla: Avoid record NULL pointer dereference\n\nFix the following null/deref_null.cocci errors:\n./tools/tracing/rtla/src/osnoise_hist.c:870:31-36: ERROR: record is NULL but dereferenced.\n./tools/tracing/rtla/src/osnoise_top.c:650:31-36: ERROR: record is NULL but dereferenced.\n./tools/tracing/rtla/src/timerlat_hist.c:905:31-36: ERROR: record is NULL but dereferenced.\n./tools/tracing/rtla/src/timerlat_top.c:700:31-36: ERROR: record is NULL but dereferenced.\n\n\"record\" is NULL before calling osnoise_init_trace_tool.\nAdd a tag \"out_free\" to avoid dereferencing a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49423",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer dereference when printing dev_name\n\nWhen larbdev is NULL (in the case I hit, the node is incorrectly set\niommus = <&iommu NUM>), it will cause device_link_add() fail and\nkernel crashes when we try to print dev_name(larbdev).\n\nLet's fail the probe if a larbdev is NULL to avoid invalid inputs from\ndts.\n\nIt should work for normal correct setting and avoid the crash caused\nby my incorrect setting.\n\nError log:\n[   18.189042][  T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n...\n[   18.344519][  T301] pstate: a0400005 (NzCv daif +PAN -UAO)\n[   18.345213][  T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n[   18.346050][  T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]\n[   18.346884][  T301] sp : ffffffc00a5635e0\n[   18.347392][  T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8\n[   18.348156][  T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38\n[   18.348917][  T301] x25: 0000000000000000 x24: ffffffd44a80cc38\n[   18.349677][  T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38\n[   18.350438][  T301] x21: ffffff80cecd1880 x20: 0000000000000000\n[   18.351198][  T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0\n[   18.351959][  T301] x17: ffffffffffffffff x16: 0000000000000004\n[   18.352719][  T301] x15: 0000000000000004 x14: ffffffd44eb5d420\n[   18.353480][  T301] x13: 0000000000000ad2 x12: 0000000000000003\n[   18.354241][  T301] x11: 00000000fffffad2 x10: c0000000fffffad2\n[   18.355003][  T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00\n[   18.355763][  T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000\n[   18.356524][  T301] x5 : 0000000000000080 x4 : 0000000000000001\n[   18.357284][  T301] x3 : 0000000000000000 x2 : 0000000000000005\n[   18.358045][  T301] x1 : 0000000000000000 x0 : 0000000000000000\n[   18.360208][  T301] Hardware name: MT6873 (DT)\n[   18.360771][  T301] Call trace:\n[   18.361168][  T301]  dump_backtrace+0xf8/0x1f0\n[   18.361737][  T301]  dump_stack_lvl+0xa8/0x11c\n[   18.362305][  T301]  dump_stack+0x1c/0x2c\n[   18.362816][  T301]  mrdump_common_die+0x184/0x40c [mrdump]\n[   18.363575][  T301]  ipanic_die+0x24/0x38 [mrdump]\n[   18.364230][  T301]  atomic_notifier_call_chain+0x128/0x2b8\n[   18.364937][  T301]  die+0x16c/0x568\n[   18.365394][  T301]  __do_kernel_fault+0x1e8/0x214\n[   18.365402][  T301]  do_page_fault+0xb8/0x678\n[   18.366934][  T301]  do_translation_fault+0x48/0x64\n[   18.368645][  T301]  do_mem_abort+0x68/0x148\n[   18.368652][  T301]  el1_abort+0x40/0x64\n[   18.368660][  T301]  el1h_64_sync_handler+0x54/0x88\n[   18.368668][  T301]  el1h_64_sync+0x68/0x6c\n[   18.368673][  T301]  mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49424",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix dereference of stale list iterator after loop body\n\nThe list iterator variable will be a bogus pointer if no break was hit.\nDereferencing it (cur->page in this case) could load an out-of-bounds/undefined\nvalue making it unsafe to use that in the comparison to determine if the\nspecific element was found.\n\nSince 'cur->page' *can* be out-of-bounds it cannot be guaranteed that\nby chance (or intention of an attacker) it matches the value of 'page'\neven though the correct element was not found.\n\nThis is fixed by using a separate list iterator variable for the loop\nand only setting the original variable if a suitable element was found.\nThen determining if the element was found is simply checking if the\nvariable is set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49425",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3-sva: Fix mm use-after-free\n\nWe currently call arm64_mm_context_put() without holding a reference to\nthe mm, which can result in use-after-free. Call mmgrab()/mmdrop() to\nensure the mm only gets freed after we unpinned the ASID.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49426",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Remove clk_disable in mtk_iommu_remove\n\nAfter the commit b34ea31fe013 (\"iommu/mediatek: Always enable the clk on\nresume\"), the iommu clock is controlled by the runtime callback.\nthus remove the clk control in the mtk_iommu_remove.\n\nOtherwise, it will warn like:\n\necho 14018000.iommu > /sys/bus/platform/drivers/mtk-iommu/unbind\n\n[   51.413044] ------------[ cut here ]------------\n[   51.413648] vpp0_smi_iommu already disabled\n[   51.414233] WARNING: CPU: 2 PID: 157 at */v5.15-rc1/kernel/mediatek/\n                          drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8\n[   51.417174] Hardware name: MT8195V/C(ENG) (DT)\n[   51.418635] pc : clk_core_disable+0xb0/0xb8\n[   51.419177] lr : clk_core_disable+0xb0/0xb8\n...\n[   51.429375] Call trace:\n[   51.429694]  clk_core_disable+0xb0/0xb8\n[   51.430193]  clk_core_disable_lock+0x24/0x40\n[   51.430745]  clk_disable+0x20/0x30\n[   51.431189]  mtk_iommu_remove+0x58/0x118\n[   51.431705]  platform_remove+0x28/0x60\n[   51.432197]  device_release_driver_internal+0x110/0x1f0\n[   51.432873]  device_driver_detach+0x18/0x28\n[   51.433418]  unbind_store+0xd4/0x108\n[   51.433886]  drv_attr_store+0x24/0x38\n[   51.434363]  sysfs_kf_write+0x40/0x58\n[   51.434843]  kernfs_fop_write_iter+0x164/0x1e0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49427",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on inline_dots inode\n\nAs Wenqing reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215765\n\nIt will cause a kernel panic with steps:\n- mkdir mnt\n- mount tmp40.img mnt\n- ls mnt\n\nfolio_mark_dirty+0x33/0x50\nf2fs_add_regular_entry+0x541/0xad0 [f2fs]\nf2fs_add_dentry+0x6c/0xb0 [f2fs]\nf2fs_do_add_link+0x182/0x230 [f2fs]\n__recover_dot_dentries+0x2d6/0x470 [f2fs]\nf2fs_lookup+0x5af/0x6a0 [f2fs]\n__lookup_slow+0xac/0x200\nlookup_slow+0x45/0x70\nwalk_component+0x16c/0x250\npath_lookupat+0x8b/0x1f0\nfilename_lookup+0xef/0x250\nuser_path_at_empty+0x46/0x70\nvfs_statx+0x98/0x190\n__do_sys_newlstat+0x41/0x90\n__x64_sys_newlstat+0x1a/0x30\ndo_syscall_64+0x37/0xb0\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is for special file: e.g. character, block, fifo or\nsocket file, f2fs doesn't assign address space operations pointer array\nfor mapping->a_ops field, so, in a fuzzed image, if inline_dots flag was\ntagged in special file, during lookup(), when f2fs runs into\n__recover_dot_dentries(), it will cause NULL pointer access once\nf2fs_add_regular_entry() calls a_ops->set_dirty_page().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49428",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Prevent panic when SDMA is disabled\n\nIf the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to\nhfi1_write_iter() will dereference a NULL pointer and panic. A typical\nstack frame is:\n\n  sdma_select_user_engine [hfi1]\n  hfi1_user_sdma_process_request [hfi1]\n  hfi1_write_iter [hfi1]\n  do_iter_readv_writev\n  do_iter_write\n  vfs_writev\n  do_writev\n  do_syscall_64\n\nThe fix is to test for SDMA in hfi1_write_iter() and fail the I/O with\nEINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49429",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: gpio-keys - cancel delayed work only in case of GPIO\n\ngpio_keys module can either accept gpios or interrupts. The module\ninitializes delayed work in case of gpios only and is only used if\ndebounce timer is not used, so make sure cancel_delayed_work_sync()\nis called only when its gpio-backed and debounce_use_hrtimer is false.\n\nThis fixes the issue seen below when the gpio_keys module is unloaded and\nan interrupt pin is used instead of GPIO:\n\n[  360.297569] ------------[ cut here ]------------\n[  360.302303] WARNING: CPU: 0 PID: 237 at kernel/workqueue.c:3066 __flush_work+0x414/0x470\n[  360.310531] Modules linked in: gpio_keys(-)\n[  360.314797] CPU: 0 PID: 237 Comm: rmmod Not tainted 5.18.0-rc5-arm64-renesas-00116-g73636105874d-dirty #166\n[  360.324662] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)\n[  360.331270] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  360.338318] pc : __flush_work+0x414/0x470\n[  360.342385] lr : __cancel_work_timer+0x140/0x1b0\n[  360.347065] sp : ffff80000a7fba00\n[  360.350423] x29: ffff80000a7fba00 x28: ffff000012b9c5c0 x27: 0000000000000000\n[  360.357664] x26: ffff80000a7fbb80 x25: ffff80000954d0a8 x24: 0000000000000001\n[  360.364904] x23: ffff800009757000 x22: 0000000000000000 x21: ffff80000919b000\n[  360.372143] x20: ffff00000f5974e0 x19: ffff00000f5974e0 x18: ffff8000097fcf48\n[  360.379382] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000053f40\n[  360.386622] x14: ffff800009850e88 x13: 0000000000000002 x12: 000000000000a60c\n[  360.393861] x11: 000000000000a610 x10: 0000000000000000 x9 : 0000000000000008\n[  360.401100] x8 : 0101010101010101 x7 : 00000000a473c394 x6 : 0080808080808080\n[  360.408339] x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff80000919b458\n[  360.415578] x2 : ffff8000097577f0 x1 : 0000000000000001 x0 : 0000000000000000\n[  360.422818] Call trace:\n[  360.425299]  __flush_work+0x414/0x470\n[  360.429012]  __cancel_work_timer+0x140/0x1b0\n[  360.433340]  cancel_delayed_work_sync+0x10/0x18\n[  360.437931]  gpio_keys_quiesce_key+0x28/0x58 [gpio_keys]\n[  360.443327]  devm_action_release+0x10/0x18\n[  360.447481]  release_nodes+0x8c/0x1a0\n[  360.451194]  devres_release_all+0x90/0x100\n[  360.455346]  device_unbind_cleanup+0x14/0x60\n[  360.459677]  device_release_driver_internal+0xe8/0x168\n[  360.464883]  driver_detach+0x4c/0x90\n[  360.468509]  bus_remove_driver+0x54/0xb0\n[  360.472485]  driver_unregister+0x2c/0x58\n[  360.476462]  platform_driver_unregister+0x10/0x18\n[  360.481230]  gpio_keys_exit+0x14/0x828 [gpio_keys]\n[  360.486088]  __arm64_sys_delete_module+0x1e0/0x270\n[  360.490945]  invoke_syscall+0x40/0xf8\n[  360.494661]  el0_svc_common.constprop.3+0xf0/0x110\n[  360.499515]  do_el0_svc+0x20/0x78\n[  360.502877]  el0_svc+0x48/0xf8\n[  360.505977]  el0t_64_sync_handler+0x88/0xb0\n[  360.510216]  el0t_64_sync+0x148/0x14c\n[  360.513930] irq event stamp: 4306\n[  360.517288] hardirqs last  enabled at (4305): [<ffff8000080b0300>] __cancel_work_timer+0x130/0x1b0\n[  360.526359] hardirqs last disabled at (4306): [<ffff800008d194fc>] el1_dbg+0x24/0x88\n[  360.534204] softirqs last  enabled at (4278): [<ffff8000080104a0>] _stext+0x4a0/0x5e0\n[  360.542133] softirqs last disabled at (4267): [<ffff8000080932ac>] irq_exit_rcu+0x18c/0x1b0\n[  360.550591] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49430",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Add missing of_node_put in iommu_init_early_dart\n\nThe device_node pointer is returned by of_find_compatible_node\nwith refcount incremented. We should use of_node_put() to avoid\nthe refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49431",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xics: fix refcount leak in icp_opal_init()\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented, use of_node_put() on it when done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49432",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Prevent use of lock before it is initialized\n\nIf there is a failure during probe of hfi1 before the sdma_map_lock is\ninitialized, the call to hfi1_free_devdata() will attempt to use a lock\nthat has not been initialized. If the locking correctness validator is on\nthen an INFO message and stack trace resembling the following may be seen:\n\n  INFO: trying to register non-static key.\n  The code is fine but needs lockdep annotation, or maybe\n  you didn't initialize this object before use?\n  turning off the locking correctness validator.\n  Call Trace:\n  register_lock_class+0x11b/0x880\n  __lock_acquire+0xf3/0x7930\n  lock_acquire+0xff/0x2d0\n  _raw_spin_lock_irq+0x46/0x60\n  sdma_clean+0x42a/0x660 [hfi1]\n  hfi1_free_devdata+0x3a7/0x420 [hfi1]\n  init_one+0x867/0x11a0 [hfi1]\n  pci_device_probe+0x40e/0x8d0\n\nThe use of sdma_map_lock in sdma_clean() is for freeing the sdma_map\nmemory, and sdma_map is not allocated/initialized until after\nsdma_map_lock has been initialized. This code only needs to be run if\nsdma_map is not NULL, and so checking for that condition will avoid trying\nto use the lock before it is initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49433",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()\n\nThe sysfs sriov_numvfs_store() path acquires the device lock before the\nconfig space access lock:\n\n  sriov_numvfs_store\n    device_lock                 # A (1) acquire device lock\n    sriov_configure\n      vfio_pci_sriov_configure  # (for example)\n        vfio_pci_core_sriov_configure\n          pci_disable_sriov\n            sriov_disable\n              pci_cfg_access_lock\n                pci_wait_cfg    # B (4) wait for dev->block_cfg_access == 0\n\nPreviously, pci_dev_lock() acquired the config space access lock before the\ndevice lock:\n\n  pci_dev_lock\n    pci_cfg_access_lock\n      dev->block_cfg_access = 1 # B (2) set dev->block_cfg_access = 1\n    device_lock                 # A (3) wait for device lock\n\nAny path that uses pci_dev_lock(), e.g., pci_reset_function(), may\ndeadlock with sriov_numvfs_store() if the operations occur in the sequence\n(1) (2) (3) (4).\n\nAvoid the deadlock by reversing the order in pci_dev_lock() so it acquires\nthe device lock before the config space access lock, the same as the\nsriov_numvfs_store() path.\n\n[bhelgaas: combined and adapted commit log from Jay Zhou's independent\nsubsequent posting:\nhttps://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49434",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49435",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/papr_scm: Fix leaking nvdimm_events_map elements\n\nRight now 'char *' elements allocated for individual 'stat_id' in\n'papr_scm_priv.nvdimm_events_map[]' during papr_scm_pmu_check_events(), get\nleaked in papr_scm_remove() and papr_scm_pmu_register(),\npapr_scm_pmu_check_events() error paths.\n\nAlso individual 'stat_id' arent NULL terminated 'char *' instead they are fixed\n8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a\nNULL terminated 'char *' and at other places it assumes it to be a\n'papr_scm_perf_stat.stat_id' sized string which is 8-byes in size.\n\nFix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also\ninclude space for 'stat_id' entries. This is possible since number of available\nevents/stat_ids are known upfront. This saves some memory and one extra level of\nindirection from 'nvdimm_events_map' to 'stat_id'. Also rest of the code\ncan continue to call 'kfree(papr_scm_priv.nvdimm_events_map)' without needing to\niterate over the array and free up individual elements.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49436",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive: Fix refcount leak in xive_spapr_init\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49437",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: sparcspkr - fix refcount leak in bbc_beep_probe\n\nof_find_node_by_path() calls of_find_node_opts_by_path(),\nwhich returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49438",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fsl_rio: Fix refcount leak in fsl_rio_setup\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49439",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: Keep MSR[RI] set when calling RTAS\n\nRTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big\nendian mode (MSR[SF,LE] unset).\n\nThe change in MSR is done in enter_rtas() in a relatively complex way,\nsince the MSR value could be hardcoded.\n\nFurthermore, a panic has been reported when hitting the watchdog interrupt\nwhile running in RTAS, this leads to the following stack trace:\n\n  watchdog: CPU 24 Hard LOCKUP\n  watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)\n  ...\n  Supported: No, Unreleased kernel\n  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n  NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n  REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)\n  MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020\n  CFAR: 000000000000011c IRQMASK: 1\n  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n  NIP [000000001fb41050] 0x1fb41050\n  LR [000000001fb4104c] 0x1fb4104c\n  Call Trace:\n  Instruction dump:\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  Oops: Unrecoverable System Reset, sig: 6 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  ...\n  Supported: No, Unreleased kernel\n  CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c\n  NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000\n  REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)\n  MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020\n  CFAR: 000000000000011c IRQMASK: 1\n  GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc\n  GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010\n  GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000\n  GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034\n  GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008\n  GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f\n  GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40\n  GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000\n  NIP [000000001fb41050] 0x1fb41050\n  LR [000000001fb4104c] 0x1fb4104c\n  Call Trace:\n  Instruction dump:\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  ---[ end trace 3ddec07f638c34a2 ]---\n\nThis happens because MSR[RI] is unset when entering RTAS but there is no\nvalid reason to not set it here.\n\nRTAS is expected to be called with MSR[RI] as specified in PAPR+ section\n\"7.2.1 Machine State\":\n\n  R1\u20137.2.1\u20139. If called with MSR[RI] equal to 1, then RTAS must protect\n  its own critical regions from recursion by setting the MSR[RI] bit to\n  0 when in the critical regions.\n\nFixing this by reviewing the way MSR is compute before calling RTAS. Now a\nhardcoded value meaning real \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49440",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix deadlock caused by calling printk() under tty_port->lock\n\npty_write() invokes kmalloc() which may invoke a normal printk() to print\nfailure message.  This can cause a deadlock in the scenario reported by\nsyz-bot below:\n\n       CPU0              CPU1                    CPU2\n       ----              ----                    ----\n                         lock(console_owner);\n                                                 lock(&port_lock_key);\n  lock(&port->lock);\n                         lock(&port_lock_key);\n                                                 lock(&port->lock);\n  lock(console_owner);\n\nAs commit dbdda842fe96 (\"printk: Add console owner and waiter logic to\nload balance console writes\") said, such deadlock can be prevented by\nusing printk_deferred() in kmalloc() (which is invoked in the section\nguarded by the port->lock).  But there are too many printk() on the\nkmalloc() path, and kmalloc() can be called from anywhere, so changing\nprintk() to printk_deferred() is too complicated and inelegant.\n\nTherefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so\nthat printk() will not be called, and this deadlock problem can be\navoided.\n\nSyzbot reported the following lockdep error:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.4.143-00237-g08ccc19a-dirty #10 Not tainted\n------------------------------------------------------\nsyz-executor.4/29420 is trying to acquire lock:\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023\n\nbut task is already holding lock:\nffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #2 (&port->lock){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       tty_port_tty_get drivers/tty/tty_port.c:288 [inline]          \t\t<-- lock(&port->lock);\n       tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47\n       serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767\n       serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854\n       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] \t<-- lock(&port_lock_key);\n       serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870\n       serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126\n       __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156\n       [...]\n\n-> #1 (&port_lock_key){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198\n\t\t\t\t\t\t\t\t\t\t<-- lock(&port_lock_key);\n       call_console_drivers kernel/printk/printk.c:1819 [inline]\n       console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504\n       vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024\t\t\t<-- lock(console_owner);\n       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394\n       printk+0xba/0xed kernel/printk/printk.c:2084\n       register_console+0x8b3/0xc10 kernel/printk/printk.c:2829\n       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681\n       console_init+0x49d/0x6d3 kernel/printk/printk.c:2915\n       start_kernel+0x5e9/0x879 init/main.c:713\n       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241\n\n-> #0 (console_owner){....}-{0:0}:\n       [...]\n       lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734\n       console_trylock_spinning kernel/printk/printk.c:1773 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49441",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/base/node.c: fix compaction sysfs file leak\n\nCompaction sysfs file is created via compaction_register_node in\nregister_node.  But we forgot to remove it in unregister_node.  Thus\ncompaction sysfs file is leaked.  Using compaction_unregister_node to fix\nthis issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49442",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlist: fix a data-race around ep->rdllist\n\nep_poll() first calls ep_events_available() with no lock held and checks\nif ep->rdllist is empty by list_empty_careful(), which reads\nrdllist->prev.  Thus all accesses to it need some protection to avoid\nstore/load-tearing.\n\nNote INIT_LIST_HEAD_RCU() already has the annotation for both prev\nand next.\n\nCommit bf3b9f6372c4 (\"epoll: Add busy poll support to epoll with socket\nfds.\") added the first lockless ep_events_available(), and commit\nc5a282e9635e (\"fs/epoll: reduce the scope of wq lock in epoll_wait()\")\nmade some ep_events_available() calls lockless and added single call under\na lock, finally commit e59d3c64cba6 (\"epoll: eliminate unnecessary lock\nfor zero timeout\") made the last ep_events_available() lockless.\n\nBUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait\n\nwrite to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:\n INIT_LIST_HEAD include/linux/list.h:38 [inline]\n list_splice_init include/linux/list.h:492 [inline]\n ep_start_scan fs/eventpoll.c:622 [inline]\n ep_send_events fs/eventpoll.c:1656 [inline]\n ep_poll fs/eventpoll.c:1806 [inline]\n do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234\n do_epoll_pwait fs/eventpoll.c:2268 [inline]\n __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]\n __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275\n __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:\n list_empty_careful include/linux/list.h:329 [inline]\n ep_events_available fs/eventpoll.c:381 [inline]\n ep_poll fs/eventpoll.c:1797 [inline]\n do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234\n do_epoll_pwait fs/eventpoll.c:2268 [inline]\n __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]\n __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275\n __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0xffff88810480c7d0 -> 0xffff888103c15098\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G        W         5.17.0-rc7-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49443",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: fix [e_shstrndx].sh_size=0 OOB access\n\nIt is trivial to craft a module to trigger OOB access in this line:\n\n\tif (info->secstrings[strhdr->sh_size - 1] != '\\0') {\n\nBUG: unable to handle page fault for address: ffffc90000aa0fff\nPGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\nRIP: 0010:load_module+0x19b/0x2391\n\n[rebased patch onto modules-next]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49444",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49445",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm: Fix firmware activation deadlock scenarios\n\nLockdep reports the following deadlock scenarios for CXL root device\npower-management, device_prepare(), operations, and device_shutdown()\noperations for 'nd_region' devices:\n\n Chain exists of:\n   &nvdimm_region_key --> &nvdimm_bus->reconfig_mutex --> system_transition_mutex\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(system_transition_mutex);\n                                lock(&nvdimm_bus->reconfig_mutex);\n                                lock(system_transition_mutex);\n   lock(&nvdimm_region_key);\n\n Chain exists of:\n   &cxl_nvdimm_bridge_key --> acpi_scan_lock --> &cxl_root_key\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(&cxl_root_key);\n                                lock(acpi_scan_lock);\n                                lock(&cxl_root_key);\n   lock(&cxl_nvdimm_bridge_key);\n\nThese stem from holding nvdimm_bus_lock() over hibernate_quiet_exec()\nwhich walks the entire system device topology taking device_lock() along\nthe way. The nvdimm_bus_lock() is protecting against unregistration,\nmultiple simultaneous ops callers, and preventing activate_show() from\nracing activate_store(). For the first 2, the lock is redundant.\nUnregistration already flushes all ops users, and sysfs already prevents\nmultiple threads to be active in an ops handler at the same time. For\nthe last userspace should already be waiting for its last\nactivate_store() to complete, and does not need activate_show() to flush\nthe write side, so this lock usage can be deleted in these attributes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49446",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: hisi: Add missing of_node_put after of_find_compatible_node\n\nof_find_compatible_node will increment the refcount of the returned\ndevice_node. Calling of_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49447",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: bcm: Check for NULL return of devm_kzalloc()\n\nAs the potential failure of allocation, devm_kzalloc() may return NULL.  Then\nthe 'pd->pmb' and the following lines of code may bring a null pointer dereference.\n\nTherefore, it is better to check the return value of devm_kzalloc() to avoid\nthis confusion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49448",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49449",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix listen() setting the bar too high for the prealloc rings\n\nAF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump\nup the sysctl), but whilst the preallocation circular buffers have 32 slots\nin them, one of them has to be a dead slot because we're using CIRC_CNT().\n\nThis means that listen(rxrpc_sock, 32) will cause an oops when the socket\nis closed because rxrpc_service_prealloc_one() allocated one too many calls\nand rxrpc_discard_prealloc() won't then be able to get rid of them because\nit'll think the ring is empty.  rxrpc_release_calls_on_socket() then tries\nto abort them, but oopses because call->peer isn't yet set.\n\nFix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match\nthe ring capacity.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000086\n ...\n RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]\n Call Trace:\n  <TASK>\n  ? __wake_up_common_lock+0x7a/0x90\n  ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]\n  ? rxrpc_abort_call+0x4c/0x60 [rxrpc]\n  rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]\n  rxrpc_release+0xc9/0x1c0 [rxrpc]\n  __sock_release+0x37/0xa0\n  sock_close+0x11/0x20\n  __fput+0x89/0x240\n  task_work_run+0x59/0x90\n  do_exit+0x319/0xaa0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49450",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix list protocols enumeration in the base protocol\n\nWhile enumerating protocols implemented by the SCMI platform using\nBASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is\ncurrently validated in an improper way since the check employs a sum\nbetween unsigned integers that could overflow and cause the check itself\nto be silently bypassed if the returned value 'loop_num_ret' is big\nenough.\n\nFix the validation avoiding the addition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49451",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-eth: retrieve the virtual address before dma_unmap\n\nThe TSO header was DMA unmapped before the virtual address was retrieved\nand then used to free the buffer. This meant that we were actually\nremoving the DMA map and then trying to search for it to help in\nretrieving the virtual address. This led to an invalid virtual address\nbeing used in the kfree call.\n\nFix this by calling dpaa2_iova_to_virt() prior to the dma_unmap call.\n\n[  487.231819] Unable to handle kernel paging request at virtual address fffffd9807000008\n\n(...)\n\n[  487.354061] Hardware name: SolidRun LX2160A Honeycomb (DT)\n[  487.359535] pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  487.366485] pc : kfree+0xac/0x304\n[  487.369799] lr : kfree+0x204/0x304\n[  487.373191] sp : ffff80000c4eb120\n[  487.376493] x29: ffff80000c4eb120 x28: ffff662240c46400 x27: 0000000000000001\n[  487.383621] x26: 0000000000000001 x25: ffff662246da0cc0 x24: ffff66224af78000\n[  487.390748] x23: ffffad184f4ce008 x22: ffffad1850185000 x21: ffffad1838d13cec\n[  487.397874] x20: ffff6601c0000000 x19: fffffd9807000000 x18: 0000000000000000\n[  487.405000] x17: ffffb910cdc49000 x16: ffffad184d7d9080 x15: 0000000000004000\n[  487.412126] x14: 0000000000000008 x13: 000000000000ffff x12: 0000000000000000\n[  487.419252] x11: 0000000000000004 x10: 0000000000000001 x9 : ffffad184d7d927c\n[  487.426379] x8 : 0000000000000000 x7 : 0000000ffffffd1d x6 : ffff662240a94900\n[  487.433505] x5 : 0000000000000003 x4 : 0000000000000009 x3 : ffffad184f4ce008\n[  487.440632] x2 : ffff662243eec000 x1 : 0000000100000100 x0 : fffffc0000000000\n[  487.447758] Call trace:\n[  487.450194]  kfree+0xac/0x304\n[  487.453151]  dpaa2_eth_free_tx_fd.isra.0+0x33c/0x3e0 [fsl_dpaa2_eth]\n[  487.459507]  dpaa2_eth_tx_conf+0x100/0x2e0 [fsl_dpaa2_eth]\n[  487.464989]  dpaa2_eth_poll+0xdc/0x380 [fsl_dpaa2_eth]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49452",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: ti_sci_pm_domains: Check for null return of devm_kcalloc\n\nThe allocation function devm_kcalloc may fail and return a null pointer,\nwhich would cause a null-pointer dereference later.\nIt might be better to check it and directly return -ENOMEM just like the\nusage of devm_kcalloc in previous code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49453",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: mediatek: Fix refcount leak in mtk_pcie_subsys_powerup()\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented. We should use of_node_put() on it when done.\nAdd the missing of_node_put() to release the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49454",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible double free in ocxl_file_register_afu\n\ninfo_release() will be called in device_unregister() when info->dev's\nreference count is 0. So there is no need to call ocxl_afu_put() and\nkfree() again.\n\nFix this by adding free_minor() and return to err_unregister error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49455",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix missed rcu protection\n\nWhen removing the rcu_read_lock in bond_ethtool_get_ts_info() as\ndiscussed [1], I didn't notice it could be called via setsockopt,\nwhich doesn't hold rcu lock, as syzbot pointed:\n\n  stack backtrace:\n  CPU: 0 PID: 3599 Comm: syz-executor317 Not tainted 5.18.0-rc5-syzkaller-01392-g01f4685797a5 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n   bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]\n   bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595\n   __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554\n   ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568\n   sock_timestamping_bind_phc net/core/sock.c:869 [inline]\n   sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916\n   sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221\n   __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223\n   __do_sys_setsockopt net/socket.c:2238 [inline]\n   __se_sys_setsockopt net/socket.c:2235 [inline]\n   __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7f8902c8eb39\n\nFix it by adding rcu_read_lock and take a ref on the real_dev.\nSince dev_hold() and dev_put() can take NULL these days, we can\nskip checking if real_dev exist.\n\n[1] https://lore.kernel.org/netdev/27565.1642742439@famine/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49456",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: versatile: Add missing of_node_put in dcscb_init\n\nThe device_node pointer is returned by of_find_compatible_node\nwith refcount incremented. We should use of_node_put() to avoid\nthe refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49457",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: don't free the IRQ if it was not requested\n\nAs msm_drm_uninit() is called from the msm_drm_init() error path,\nadditional care should be necessary as not to call the free_irq() for\nthe IRQ that was not requested before (because an error occurred earlier\nthan the request_irq() call).\n\nThis fixed the issue reported with the following backtrace:\n\n[    8.571329] Trying to free already-free IRQ 187\n[    8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c\n[    8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6\n[    8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419\n[    8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)\n[    8.641496] Workqueue: events_unbound deferred_probe_work_func\n[    8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    8.654681] pc : free_irq+0x1e0/0x35c\n[    8.658454] lr : free_irq+0x1e0/0x35c\n[    8.662228] sp : ffff800008ab3950\n[    8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700\n[    8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90\n[    8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800\n[    8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff\n[    8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d\n[    8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c\n[    8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb\n[    8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202\n[    8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000\n[    8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000\n[    8.739217] Call trace:\n[    8.741755]  free_irq+0x1e0/0x35c\n[    8.745198]  msm_drm_uninit.isra.0+0x14c/0x294 [msm]\n[    8.750548]  msm_drm_bind+0x28c/0x5d0 [msm]\n[    8.755081]  try_to_bring_up_aggregate_device+0x164/0x1d0\n[    8.760657]  __component_add+0xa0/0x170\n[    8.764626]  component_add+0x14/0x20\n[    8.768337]  dp_display_probe+0x2a4/0x464 [msm]\n[    8.773242]  platform_probe+0x68/0xe0\n[    8.777043]  really_probe.part.0+0x9c/0x28c\n[    8.781368]  __driver_probe_device+0x98/0x144\n[    8.785871]  driver_probe_device+0x40/0x140\n[    8.790191]  __device_attach_driver+0xb4/0x120\n[    8.794788]  bus_for_each_drv+0x78/0xd0\n[    8.798751]  __device_attach+0xdc/0x184\n[    8.802713]  device_initial_probe+0x14/0x20\n[    8.807031]  bus_probe_device+0x9c/0xa4\n[    8.810991]  deferred_probe_work_func+0x88/0xc0\n[    8.815667]  process_one_work+0x1d0/0x320\n[    8.819809]  worker_thread+0x14c/0x444\n[    8.823688]  kthread+0x10c/0x110\n[    8.827036]  ret_from_fork+0x10/0x20\n\nPatchwork: https://patchwork.freedesktop.org/patch/485422/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49458",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe\n\nplatform_get_resource() may return NULL, add proper check to\navoid potential NULL dereferencing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49459",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: rk3399_dmc: Disable edev on remove()\n\nOtherwise we hit an unbalanced enable-count when unbinding the DFI\ndevice:\n\n[ 1279.659119] ------------[ cut here ]------------\n[ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c\n...\n[ 1279.659352] Hardware name: Google Kevin (DT)\n[ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n[ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c\n[ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28\n...\n[ 1279.659571] Call trace:\n[ 1279.659582]  devfreq_event_remove_edev+0x84/0x8c\n[ 1279.659590]  devm_devfreq_event_release+0x1c/0x28\n[ 1279.659602]  release_nodes+0x1cc/0x244\n[ 1279.659611]  devres_release_all+0x44/0x60\n[ 1279.659621]  device_release_driver_internal+0x11c/0x1ac\n[ 1279.659629]  device_driver_detach+0x20/0x2c\n[ 1279.659641]  unbind_store+0x7c/0xb0\n[ 1279.659650]  drv_attr_store+0x2c/0x40\n[ 1279.659663]  sysfs_kf_write+0x44/0x58\n[ 1279.659672]  kernfs_fop_write_iter+0xf4/0x190\n[ 1279.659684]  vfs_write+0x2b0/0x2e4\n[ 1279.659693]  ksys_write+0x80/0xec\n[ 1279.659701]  __arm64_sys_write+0x24/0x30\n[ 1279.659714]  el0_svc_common+0xf0/0x1d8\n[ 1279.659724]  do_el0_svc_compat+0x28/0x3c\n[ 1279.659738]  el0_svc_compat+0x10/0x1c\n[ 1279.659746]  el0_sync_compat_handler+0xa8/0xcc\n[ 1279.659758]  el0_sync_compat+0x188/0x1c0\n[ 1279.659768] ---[ end trace cec200e5094155b4 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49460",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namt: fix memory leak for advertisement message\n\nWhen a gateway receives an advertisement message, it extracts relay\ninformation and then it should be freed.\nBut the advertisement handler doesn't free it.\nSo, a memory leak would occur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49461",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Fix refcount leak in a6xx_gpu_init\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\n\na6xx_gmu_init() passes the node to of_find_device_by_node()\nand of_dma_configure(), of_find_device_by_node() will take its\nreference, of_dma_configure() doesn't need the node after usage.\n\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49462",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe\n\nof_find_node_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49463",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix buffer copy overflow of ztailpacking feature\n\nI got some KASAN report as below:\n\n[   46.959738] ==================================================================\n[   46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370\n[   46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188\n...\n[   46.960430] Call Trace:\n[   46.960430]  <TASK>\n[   46.960430]  dump_stack_lvl+0x41/0x5e\n[   46.960430]  print_report.cold+0xb2/0x6b7\n[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370\n[   46.960430]  kasan_report+0x8a/0x140\n[   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370\n[   46.960430]  kasan_check_range+0x14d/0x1d0\n[   46.960430]  memcpy+0x20/0x60\n[   46.960430]  z_erofs_shifted_transform+0x2bd/0x370\n[   46.960430]  z_erofs_decompress_pcluster+0xaae/0x1080\n\nThe root cause is that the tail pcluster won't be a complete filesystem\nblock anymore. So if ztailpacking is used, the second part of an\nuncompressed tail pcluster may not be ``rq->pageofs_out``.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49464",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: Set BIO_THROTTLED when bio has been throttled\n\n1.In current process, all bio will set the BIO_THROTTLED flag\nafter __blk_throtl_bio().\n\n2.If bio needs to be throttled, it will start the timer and\nstop submit bio directly. Bio will submit in\nblk_throtl_dispatch_work_fn() when the timer expires.But in\nthe current process, if bio is throttled. The BIO_THROTTLED\nwill be set to bio after timer start. If the bio has been\ncompleted, it may cause use-after-free blow.\n\nBUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70\nRead of size 2 at addr ffff88801b8902d4 by task fio/26380\n\n dump_stack+0x9b/0xce\n print_address_description.constprop.6+0x3e/0x60\n kasan_report.cold.9+0x22/0x3a\n blk_throtl_bio+0x12f0/0x2c70\n submit_bio_checks+0x701/0x1550\n submit_bio_noacct+0x83/0xc80\n submit_bio+0xa7/0x330\n mpage_readahead+0x380/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAllocated by task 26380:\n kasan_save_stack+0x19/0x40\n __kasan_kmalloc.constprop.2+0xc1/0xd0\n kmem_cache_alloc+0x146/0x440\n mempool_alloc+0x125/0x2f0\n bio_alloc_bioset+0x353/0x590\n mpage_alloc+0x3b/0x240\n do_mpage_readpage+0xddf/0x1ef0\n mpage_readahead+0x264/0x500\n read_pages+0x1c1/0xbf0\n page_cache_ra_unbounded+0x471/0x6f0\n do_page_cache_ra+0xda/0x110\n ondemand_readahead+0x442/0xae0\n page_cache_async_ra+0x210/0x300\n generic_file_buffered_read+0x4d9/0x2130\n generic_file_read_iter+0x315/0x490\n blkdev_read_iter+0x113/0x1b0\n aio_read+0x2ad/0x450\n io_submit_one+0xc8e/0x1d60\n __se_sys_io_submit+0x125/0x350\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFreed by task 0:\n kasan_save_stack+0x19/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x1b/0x30\n __kasan_slab_free+0x111/0x160\n kmem_cache_free+0x94/0x460\n mempool_free+0xd6/0x320\n bio_free+0xe0/0x130\n bio_put+0xab/0xe0\n bio_endio+0x3a6/0x5d0\n blk_update_request+0x590/0x1370\n scsi_end_request+0x7d/0x400\n scsi_io_completion+0x1aa/0xe50\n scsi_softirq_done+0x11b/0x240\n blk_mq_complete_request+0xd4/0x120\n scsi_mq_done+0xf0/0x200\n virtscsi_vq_done+0xbc/0x150\n vring_interrupt+0x179/0x390\n __handle_irq_event_percpu+0xf7/0x490\n handle_irq_event_percpu+0x7b/0x160\n handle_irq_event+0xcc/0x170\n handle_edge_irq+0x215/0xb20\n common_interrupt+0x60/0x120\n asm_common_interrupt+0x1e/0x40\n\nFix this by move BIO_THROTTLED set into the queue_lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49465",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: scmi: Fix refcount leak in scmi_regulator_probe\n\nof_find_node_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49466",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: msm: fix possible memory leak in mdp5_crtc_cursor_set()\n\ndrm_gem_object_lookup will call drm_gem_object_get inside. So cursor_bo\nneeds to be put when msm_gem_get_and_pin_iova fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49467",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/core: Fix memory leak in __thermal_cooling_device_register()\n\nI got memory leak as follows when doing fault injection test:\n\nunreferenced object 0xffff888010080000 (size 264312):\n  comm \"182\", pid 102533, jiffies 4296434960 (age 10.100s)\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 40 7f 1f b9 ff ff ff ff  ........@.......\n  backtrace:\n    [<0000000038b2f4fc>] kmalloc_order_trace+0x1d/0x110 mm/slab_common.c:969\n    [<00000000ebcb8da5>] __kmalloc+0x373/0x420 include/linux/slab.h:510\n    [<0000000084137f13>] thermal_cooling_device_setup_sysfs+0x15d/0x2d0 include/linux/slab.h:586\n    [<00000000352b8755>] __thermal_cooling_device_register+0x332/0xa60 drivers/thermal/thermal_core.c:927\n    [<00000000fb9f331b>] devm_thermal_of_cooling_device_register+0x6b/0xf0 drivers/thermal/thermal_core.c:1041\n    [<000000009b8012d2>] max6650_probe.cold+0x557/0x6aa drivers/hwmon/max6650.c:211\n    [<00000000da0b7e04>] i2c_device_probe+0x472/0xac0 drivers/i2c/i2c-core-base.c:561\n\nIf device_register() fails, thermal_cooling_device_destroy_sysfs() needs to be called\nto free the memory allocated in thermal_cooling_device_setup_sysfs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49468",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix anon_dev leak in create_subvol()\n\nWhen btrfs_qgroup_inherit(), btrfs_alloc_tree_block, or\nbtrfs_insert_root() fail in create_subvol(), we return without freeing\nanon_dev. Reorganize the error handling in create_subvol() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49469",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[   39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[   39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[   39.634962] Call trace:\n[   39.634974]  dump_backtrace+0x0/0x3b8\n[   39.634999]  show_stack+0x20/0x2c\n[   39.635016]  dump_stack_lvl+0x60/0x78\n[   39.635040]  print_address_description+0x70/0x2f0\n[   39.635062]  kasan_report+0x154/0x194\n[   39.635079]  __asan_report_load1_noabort+0x44/0x50\n[   39.635099]  btmtksdio_recv_event+0x1b0/0x1c4\n[   39.635129]  btmtksdio_txrx_work+0x6cc/0xac4\n[   39.635157]  process_one_work+0x560/0xc5c\n[   39.635177]  worker_thread+0x7ec/0xcc0\n[   39.635195]  kthread+0x2d0/0x3d0\n[   39.635215]  ret_from_fork+0x10/0x20\n[   39.635247] Allocated by task 0:\n[   39.635260] (stack is not available)\n[   39.635281] Freed by task 2392:\n[   39.635295]  kasan_save_stack+0x38/0x68\n[   39.635319]  kasan_set_track+0x28/0x3c\n[   39.635338]  kasan_set_free_info+0x28/0x4c\n[   39.635357]  ____kasan_slab_free+0x104/0x150\n[   39.635374]  __kasan_slab_free+0x18/0x28\n[   39.635391]  slab_free_freelist_hook+0x114/0x248\n[   39.635410]  kfree+0xf8/0x2b4\n[   39.635427]  skb_free_head+0x58/0x98\n[   39.635447]  skb_release_data+0x2f4/0x410\n[   39.635464]  skb_release_all+0x50/0x60\n[   39.635481]  kfree_skb+0xc8/0x25c\n[   39.635498]  hci_event_packet+0x894/0xca4 [bluetooth]\n[   39.635721]  hci_rx_work+0x1c8/0x68c [bluetooth]\n[   39.635925]  process_one_work+0x560/0xc5c\n[   39.635951]  worker_thread+0x7ec/0xcc0\n[   39.635970]  kthread+0x2d0/0x3d0\n[   39.635990]  ret_from_fork+0x10/0x20\n[   39.636021] The buggy address belongs to the object at ffffff80cf28a600\n                which belongs to the cache kmalloc-512 of size 512\n[   39.636039] The buggy address is located 13 bytes inside of\n                512-byte region [ffffff80cf28a600, ffffff80cf28a800)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49470",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw89: cfo: check mac_id to avoid out-of-bounds\n\nSomehow, hardware reports incorrect mac_id and pollutes memory. Check index\nbefore we access the array.\n\n  UBSAN: array-index-out-of-bounds in rtw89/phy.c:2517:23\n  index 188 is out of range for type 's32 [64]'\n  CPU: 1 PID: 51550 Comm: irq/35-rtw89_pc Tainted: G           OE\n  Call Trace:\n   <IRQ>\n   show_stack+0x52/0x58\n   dump_stack_lvl+0x4c/0x63\n   dump_stack+0x10/0x12\n   ubsan_epilogue+0x9/0x45\n   __ubsan_handle_out_of_bounds.cold+0x44/0x49\n   ? __alloc_skb+0x92/0x1d0\n   rtw89_phy_cfo_parse+0x44/0x7f [rtw89_core]\n   rtw89_core_rx+0x261/0x871 [rtw89_core]\n   ? __alloc_skb+0xee/0x1d0\n   rtw89_pci_napi_poll+0x3fa/0x4ea [rtw89_pci]\n   __napi_poll+0x33/0x1a0\n   net_rx_action+0x126/0x260\n   ? __queue_work+0x217/0x4c0\n   __do_softirq+0xd9/0x315\n   ? disable_irq_nosync+0x10/0x10\n   do_softirq.part.0+0x6d/0x90\n   </IRQ>\n   <TASK>\n   __local_bh_enable_ip+0x62/0x70\n   rtw89_pci_interrupt_threadfn+0x182/0x1a6 [rtw89_pci]\n   irq_thread_fn+0x28/0x60\n   irq_thread+0xc8/0x190\n   ? irq_thread_fn+0x60/0x60\n   kthread+0x16b/0x190\n   ? irq_thread_check_affinity+0xe0/0xe0\n   ? set_kthread_struct+0x50/0x50\n   ret_from_fork+0x22/0x30\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49471",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: Allow probing without .driver_data\n\nCurrently, if the .probe element is present in the phy_driver structure\nand the .driver_data is not, a NULL pointer dereference happens.\n\nAllow passing .probe without .driver_data by inserting NULL checks\nfor priv->type.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49472",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ti: j721e-evm: Fix refcount leak in j721e_soc_probe_*\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49473",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49474",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()\n\nIt will cause null-ptr-deref if platform_get_resource_byname() returns NULL,\nwe need to check the return value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49475",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix kernel crash at mt7921_pci_remove\n\nThe crash log shows it is possible that mt7921_irq_handler is called while\ndevm_free_irq is being handled, so mt76_free_device needs to be postponed\nuntil devm_free_irq is completed, to solve the crash where we free the mt76 device\ntoo early.\n\n[ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[ 9299.339705] #PF: supervisor read access in kernel mode\n[ 9299.339735] #PF: error_code(0x0000) - not-present page\n[ 9299.339768] PGD 0 P4D 0\n[ 9299.339786] Oops: 0000 [#1] SMP PTI\n[ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1\n[ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022\n[ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]\n[ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082\n[ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5\n[ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020\n[ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011\n[ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080\n[ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228\n[ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000\n[ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0\n[ 9299.340432] PKRU: 55555554\n[ 9299.340449] Call Trace:\n[ 9299.340467] <TASK>\n[ 9299.340485] __free_irq+0x221/0x350\n[ 9299.340527] free_irq+0x30/0x70\n[ 9299.340553] devm_free_irq+0x55/0x80\n[ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]\n[ 9299.340616] pci_device_remove+0x3b/0xa0\n[ 9299.340651] __device_release_driver+0x17a/0x240\n[ 9299.340686] device_driver_detach+0x3c/0xa0\n[ 9299.340714] unbind_store+0x113/0x130\n[ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0\n[ 9299.340775] new_sync_write+0x15c/0x1f0\n[ 9299.340806] vfs_write+0x1d2/0x270\n[ 9299.340831] ksys_write+0x67/0xe0\n[ 9299.340857] do_syscall_64+0x3b/0x90\n[ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49476",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: samsung: Fix refcount leak in aries_audio_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nIf extcon_find_edev_by_node() fails, it doesn't call of_node_put().\nCall of_node_put() after extcon_find_edev_by_node() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49477",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init\n\nSyzbot reported that -1 is used as array index. The problem was in\nmissing validation check.\n\nhdw->unit_number is initialized with -1 and then if init table walk fails\nthis value remains unchanged. Since code blindly uses this member for\narray indexing adding sanity check is the easiest fix for that.\n\nhdw->workpoll initialization moved up to prevent warning in\n__flush_work.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49478",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: fix tx status related use-after-free race on station removal\n\nThere is a small race window where ongoing tx activity can lead to a skb\ngetting added to the status tracking idr after that idr has already been\ncleaned up, which will keep the wcid linked in the status poll list.\nFix this by only adding status skbs if the wcid pointer is still assigned\nin dev->wcid, which gets cleared early by mt76_sta_pre_rcu_remove",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49479",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe\n\nof_find_device_by_node() takes reference, we should use put_device()\nto release it. When devm_kzalloc() fails, it doesn't have a\nput_device(), it will cause refcount leak.\nAdd missing put_device() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49480",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt\n\nof_node_get() returns a node with refcount incremented.\nCall of_node_put() to drop the reference when it is not needed anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49481",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mxs-saif: Fix refcount leak in mxs_saif_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49482",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/disp/dpu1: avoid clearing hw interrupts if hw_intr is null during drm uninit\n\nIf edp modeset init is failed due to panel being not ready and\nprobe defers during drm bind, avoid clearing irqs and dereference\nhw_intr when hw_intr is null.\n\nBUG: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\nCall trace:\n dpu_core_irq_uninstall+0x50/0xb0\n dpu_irq_uninstall+0x18/0x24\n msm_drm_uninit+0xd8/0x16c\n msm_drm_bind+0x580/0x5fc\n try_to_bring_up_master+0x168/0x1c0\n __component_add+0xb4/0x178\n component_add+0x1c/0x28\n dp_display_probe+0x38c/0x400\n platform_probe+0xb0/0xd0\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xbc/0xe8\n driver_probe_device+0x48/0xf0\n __device_attach_driver+0xa0/0xc8\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xc4/0x150\n device_initial_probe+0x1c/0x28\n\nChanges in V2:\n- Update commit message and correct Fixes tag.\n\nPatchwork: https://patchwork.freedesktop.org/patch/484430/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49483",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\n\nFix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\nroutine if the chip does not support dbdc and the hw reports band_idx\nset to 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49484",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix null pointer dereference of pointer perfmon\n\nIn the unlikely event that pointer perfmon is null the WARN_ON return path\noccurs after the pointer has already been dereferenced. Fix this by only\ndereferencing perfmon after it has been null checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49485",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl: Fix refcount leak in imx_sgtl5000_probe\n\nof_find_i2c_device_by_node() takes a reference.\nIn error paths, we should call put_device() to drop\nthe reference to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49486",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49487",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected\n\nThere is a possibility for mdp5_get_global_state to return\n-EDEADLK when acquiring the modeset lock, but currently global_state in\nmdp5_mixer_release doesn't check for if an error is returned.\n\nTo avoid a NULL dereference error, let's have mdp5_mixer_release\ncheck if an error is returned and propagate that error.\n\nPatchwork: https://patchwork.freedesktop.org/patch/485181/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49488",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume\n\nBUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3\n\nCall trace:\n  dpu_vbif_init_memtypes+0x40/0xb8\n  dpu_runtime_resume+0xcc/0x1c0\n  pm_generic_runtime_resume+0x30/0x44\n  __genpd_runtime_resume+0x68/0x7c\n  genpd_runtime_resume+0x134/0x258\n  __rpm_callback+0x98/0x138\n  rpm_callback+0x30/0x88\n  rpm_resume+0x36c/0x49c\n  __pm_runtime_resume+0x80/0xb0\n  dpu_core_irq_uninstall+0x30/0xb0\n  dpu_irq_uninstall+0x18/0x24\n  msm_drm_uninit+0xd8/0x16c\n\nPatchwork: https://patchwork.freedesktop.org/patch/483255/\n[DB: fixed Fixes tag]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49489",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected\n\nmdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring\nthe modeset lock, but currently mdp5_pipe_release doesn't check for if\nan error is returned. Because of this, there is a possibility of\nmdp5_pipe_release hitting a NULL dereference error.\n\nTo avoid this, let's have mdp5_pipe_release check if\nmdp5_get_global_state returns an error and propagate that error.\n\nChanges since v1:\n- Separated declaration and initialization of *new_state to avoid\n  compiler warning\n- Fixed some spelling mistakes in commit message\n\nChanges since v2:\n- Return 0 in case where hwpipe is NULL as this is considered normal\n  behavior\n- Added 2nd patch in series to fix a similar NULL dereference issue in\n  mdp5_mixer_release\n\nPatchwork: https://patchwork.freedesktop.org/patch/485179/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49490",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop: fix possible null-ptr-deref in vop_bind()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check 'res' to avoid null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49491",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags\n\nIn nvme_alloc_admin_tags, the admin_q can be set to an error (typically\n-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which\nis checked immediately after the call. However, when we return the error\nmessage up the stack, to nvme_reset_work the error takes us to\nnvme_remove_dead_ctrl()\n  nvme_dev_disable()\n   nvme_suspend_queue(&dev->queues[0]).\n\nHere, we only check that the admin_q is non-NULL, rather than not\nan error or NULL, and begin quiescing a queue that never existed, leading\nto bad / NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49492",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix erroneous cleanup order\n\nThere is a logic error when removing rt5645 device as the function\nrt5645_i2c_remove() first cancels the &rt5645->jack_detect_work and\ndeletes the &rt5645->btn_check_timer later. However, since the timer\nhandler rt5645_btn_check_callback() will re-queue the jack_detect_work,\nthis cleanup order is buggy.\n\nThat is, once the del_timer_sync in rt5645_i2c_remove is concurrently\nrun with the rt5645_btn_check_callback, the canceled jack_detect_work\nwill be rescheduled again, leading to possible use-after-free.\n\nThis patch fixes the issue by placing the del_timer_sync function before\nthe cancel_delayed_work_sync.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49493",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()\n\nIt will cause null-ptr-deref when using 'res', if platform_get_resource()\nreturns NULL, so move using 'res' after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49494",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: check return value after calling platform_get_resource_byname()\n\nIt will cause null-ptr-deref if platform_get_resource_byname() returns NULL,\nwe need check the return value.\n\nPatchwork: https://patchwork.freedesktop.org/patch/482992/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49495",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: prevent kernel crash when rmmod mtk-vcodec-dec.ko\n\nIf the driver supports subdev mode, the parameter \"dev->pm.dev\" will be\nNULL in mtk_vcodec_dec_remove. Kernel will crash when trying to rmmod\nmtk-vcodec-dec.ko.\n\n[ 4380.702726] pc : do_raw_spin_trylock+0x4/0x80\n[ 4380.707075] lr : _raw_spin_lock_irq+0x90/0x14c\n[ 4380.711509] sp : ffff80000819bc10\n[ 4380.714811] x29: ffff80000819bc10 x28: ffff3600c03e4000 x27: 0000000000000000\n[ 4380.721934] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n[ 4380.729057] x23: ffff3600c0f34930 x22: ffffd5e923549000 x21: 0000000000000220\n[ 4380.736179] x20: 0000000000000208 x19: ffffd5e9213e8ebc x18: 0000000000000020\n[ 4380.743298] x17: 0000002000000000 x16: ffffd5e9213e8e90 x15: 696c346f65646976\n[ 4380.750420] x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000040\n[ 4380.757542] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 4380.764664] x8 : 0000000000000000 x7 : ffff3600c7273ae8 x6 : ffffd5e9213e8ebc\n[ 4380.771786] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\n[ 4380.778908] x2 : 0000000000000000 x1 : ffff3600c03e4000 x0 : 0000000000000208\n[ 4380.786031] Call trace:\n[ 4380.788465]  do_raw_spin_trylock+0x4/0x80\n[ 4380.792462]  __pm_runtime_disable+0x2c/0x1b0\n[ 4380.796723]  mtk_vcodec_dec_remove+0x5c/0xa0 [mtk_vcodec_dec]\n[ 4380.802466]  platform_remove+0x2c/0x60\n[ 4380.806204]  __device_release_driver+0x194/0x250\n[ 4380.810810]  driver_detach+0xc8/0x15c\n[ 4380.814462]  bus_remove_driver+0x5c/0xb0\n[ 4380.818375]  driver_unregister+0x34/0x64\n[ 4380.822288]  platform_driver_unregister+0x18/0x24\n[ 4380.826979]  mtk_vcodec_dec_driver_exit+0x1c/0x888 [mtk_vcodec_dec]\n[ 4380.833240]  __arm64_sys_delete_module+0x190/0x224\n[ 4380.838020]  invoke_syscall+0x48/0x114\n[ 4380.841760]  el0_svc_common.constprop.0+0x60/0x11c\n[ 4380.846540]  do_el0_svc+0x28/0x90\n[ 4380.849844]  el0_svc+0x4c/0x100\n[ 4380.852975]  el0t_64_sync_handler+0xec/0xf0\n[ 4380.857148]  el0t_64_sync+0x190/0x194\n[ 4380.860801] Code: 94431515 17ffffca d503201f d503245f (b9400004)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49496",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: remove two BUG() from skb_checksum_help()\n\nI have a syzbot report that managed to get a crash in skb_checksum_help()\n\nIf syzbot can trigger these BUG(), it makes sense to replace\nthem with more friendly WARN_ON_ONCE() since skb_checksum_help()\ncan instead return an error code.\n\nNote that syzbot will still crash there, until real bug is fixed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49497",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Check for null pointer of pointer substream before dereferencing it\n\nPointer substream is being dereferenced on the assignment of pointer card\nbefore substream is being null checked with the macro PCM_RUNTIME_CHECK.\nAlthough PCM_RUNTIME_CHECK calls BUG_ON, it still is useful to perform the\npointer check before card is assigned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49498",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix null pointer dereferences without iommu\n\nCheck if 'aspace' is set before using it as it will stay null without\nIOMMU, such as on msm8974.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49499",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwl1251: dynamically allocate memory used for DMA\n\nWith introduction of vmap'ed stacks, stack parameters can no\nlonger be used for DMA and now leads to kernel panic.\n\nIt happens at several places for the wl1251 (e.g. when\naccessed through SDIO) making it unusable on e.g. the\nOpenPandora.\n\nWe solve this by allocating temporary buffers or use wl1251_read32().\n\nTested on v5.18-rc5 with OpenPandora.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49500",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Run unregister_netdev() before unbind() again\n\nCommit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\")\nsought to fix a use-after-free on disconnect of USB Ethernet adapters.\n\nIt turns out that a different fix is necessary to address the issue:\nhttps://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/\n\nSo the commit was not necessary.\n\nThe commit made binding and unbinding of USB Ethernet asymmetrical:\nBefore, usbnet_probe() first invoked the ->bind() callback and then\nregister_netdev().  usbnet_disconnect() mirrored that by first invoking\nunregister_netdev() and then ->unbind().\n\nSince the commit, the order in usbnet_disconnect() is reversed and no\nlonger mirrors usbnet_probe().\n\nOne consequence is that a PHY disconnected (and stopped) in ->unbind()\nis afterwards stopped once more by unregister_netdev() as it closes the\nnetdev before unregistering.  That necessitates a contortion in ->stop()\nbecause the PHY may only be stopped if it hasn't already been\ndisconnected.\n\nReverting the commit allows making the call to phy_stop() unconditional\nin ->stop().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49501",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rga: fix possible memory leak in rga_probe\n\nrga->m2m_dev needs to be freed when rga_probe fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49502",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix\n\nThe \"rxstatus->rs_keyix\" eventually gets passed to test_bit() so we need to\nensure that it is within the bitmap.\n\ndrivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()\nerror: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49503",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Inhibit aborts if external loopback plug is inserted\n\nAfter running a short external loopback test, when the external loopback is\nremoved and a normal cable inserted that is directly connected to a target\ndevice, the system oops in the llpfc_set_rrq_active() routine.\n\nWhen the loopback was inserted an FLOGI was transmitted. As we're looped back,\nwe receive the FLOGI request. The FLOGI is ABTS'd as we recognize the same\nwppn thus understand it's a loopback. However, as the ABTS sends address\ninformation the port is not set to (fffffe), the ABTS is dropped on the\nwire. A short 1 frame loopback test is run and completes before the ABTS\ntimes out. The loopback is unplugged and the new cable plugged in, and\nan FLOGI to the new device occurs and completes. Due to a mixup in ref\ncounting the completion of the new FLOGI releases the fabric ndlp. Then the\noriginal ABTS completes and references the released ndlp generating the\noops.\n\nCorrect by no-op'ing the ABTS when in loopback mode (it will be dropped\nanyway). Added a flag to track the mode to recognize when it should be\nno-op'd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49504",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: NULL out the dev->rfkill to prevent UAF\n\nCommit 3e3b5dfcd16a (\"NFC: reorder the logic in nfc_{un,}register_device\")\nassumes the device_is_registered() in function nfc_dev_up() will help\nto check when the rfkill is unregistered. However, this check only\ntakes effect when device_del(&dev->dev) is done in nfc_unregister_device().\nHence, the rfkill object may still be dereferenced.\n\nThe crash trace in latest kernel (5.18-rc2):\n\n[   68.760105] ==================================================================\n[   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750\n[   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313\n[   68.760756]\n[   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4\n[   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   68.760756] Call Trace:\n[   68.760756]  <TASK>\n[   68.760756]  dump_stack_lvl+0x57/0x7d\n[   68.760756]  print_report.cold+0x5e/0x5db\n[   68.760756]  ? __lock_acquire+0x3ec1/0x6750\n[   68.760756]  kasan_report+0xbe/0x1c0\n[   68.760756]  ? __lock_acquire+0x3ec1/0x6750\n[   68.760756]  __lock_acquire+0x3ec1/0x6750\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  ? register_lock_class+0x18d0/0x18d0\n[   68.760756]  lock_acquire+0x1ac/0x4f0\n[   68.760756]  ? rfkill_blocked+0xe/0x60\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0\n[   68.760756]  ? nla_get_range_signed+0x540/0x540\n[   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50\n[   68.760756]  _raw_spin_lock_irqsave+0x39/0x50\n[   68.760756]  ? rfkill_blocked+0xe/0x60\n[   68.760756]  rfkill_blocked+0xe/0x60\n[   68.760756]  nfc_dev_up+0x84/0x260\n[   68.760756]  nfc_genl_dev_up+0x90/0xe0\n[   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0\n[   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230\n[   68.760756]  ? security_capable+0x51/0x90\n[   68.760756]  genl_rcv_msg+0x280/0x500\n[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0\n[   68.760756]  ? lock_acquire+0x1ac/0x4f0\n[   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0\n[   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   68.760756]  netlink_rcv_skb+0x11b/0x340\n[   68.760756]  ? genl_get_cmd+0x3c0/0x3c0\n[   68.760756]  ? netlink_ack+0x9c0/0x9c0\n[   68.760756]  ? netlink_deliver_tap+0x136/0xb00\n[   68.760756]  genl_rcv+0x1f/0x30\n[   68.760756]  netlink_unicast+0x430/0x710\n[   68.760756]  ? memset+0x20/0x40\n[   68.760756]  ? netlink_attachskb+0x740/0x740\n[   68.760756]  ? __build_skb_around+0x1f4/0x2a0\n[   68.760756]  netlink_sendmsg+0x75d/0xc00\n[   68.760756]  ? netlink_unicast+0x710/0x710\n[   68.760756]  ? netlink_unicast+0x710/0x710\n[   68.760756]  sock_sendmsg+0xdf/0x110\n[   68.760756]  __sys_sendto+0x19e/0x270\n[   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0\n[   68.760756]  ? fd_install+0x178/0x4c0\n[   68.760756]  ? fd_install+0x195/0x4c0\n[   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0\n[   68.760756]  __x64_sys_sendto+0xd8/0x1b0\n[   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130\n[   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50\n[   68.760756]  do_syscall_64+0x3b/0x90\n[   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   68.760756] RIP: 0033:0x7f67fb50e6b3\n...\n[   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\n[   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3\n[   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003\n[   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c\n[   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e\n[   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003\n\n[   68.760756]  </TASK>\n[   68.760756]\n[   68.760756] Allocated by task 279:\n[   68.760756]  kasan_save_stack+0x1e/0x40\n[\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49505",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add vblank register/unregister callback functions\n\nWe encountered a kernel panic issue that callback data will be NULL when\nit's used in the ovl irq handler. There is a timing issue between\nmtk_disp_ovl_irq_handler() and mtk_ovl_disable_vblank().\n\nTo resolve this issue, we use the flow to register/unregister vblank cb:\n- Register callback function and callback data when crtc creates.\n- Unregister callback function and callback data when crtc destroys.\n\nWith this solution, we can assure callback data will not be NULL when\nvblank is disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49506",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9121: Fix uninit-value in da9121_assign_chip_model()\n\nKASAN report slab-out-of-bounds in __regmap_init as follows:\n\nBUG: KASAN: slab-out-of-bounds in __regmap_init drivers/base/regmap/regmap.c:841\nRead of size 1 at addr ffff88803678cdf1 by task xrun/9137\n\nCPU: 0 PID: 9137 Comm: xrun Tainted: G        W         5.18.0-rc2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x15a lib/dump_stack.c:88\n print_report.cold+0xcd/0x69b mm/kasan/report.c:313\n kasan_report+0x8e/0xc0 mm/kasan/report.c:491\n __regmap_init+0x4540/0x4ba0 drivers/base/regmap/regmap.c:841\n __devm_regmap_init+0x7a/0x100 drivers/base/regmap/regmap.c:1266\n __devm_regmap_init_i2c+0x65/0x80 drivers/base/regmap/regmap-i2c.c:394\n da9121_i2c_probe+0x386/0x6d1 drivers/regulator/da9121-regulator.c:1039\n i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563\n\nThis happened when the da9121 device is probed by da9121_i2c_id, but with\ninvalid dts. Thus, chip->subvariant_id is set to -EINVAL, and later\nda9121_assign_chip_model() will access 'regmap' without initializing it.\n\nFix it by returning -EINVAL from da9121_assign_chip_model() if\n'chip->subvariant_id' is invalid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49507",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: elan: Fix potential double free in elan_input_configured\n\n'input' is a managed resource allocated with devm_input_allocate_device(),\nso there is no need to call input_free_device() explicitly or\nthere will be a double free.\n\nAccording to the doc of devm_input_allocate_device():\n * Managed input devices do not need to be explicitly unregistered or\n * freed as it will be done automatically when owner device unbinds from\n * its driver (or binding fails).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49508",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: max9286: fix kernel oops when removing module\n\nWhen removing the max9286 module we get a kernel oops:\n\nUnable to handle kernel paging request at virtual address 000000aa00000094\nMem abort info:\n  ESR = 0x96000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000880d85000\n[000000aa00000094] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nModules linked in: fsl_jr_uio caam_jr rng_core libdes caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine max9271 authenc crct10dif_ce mxc_jpeg_encdec\nCPU: 2 PID: 713 Comm: rmmod Tainted: G         C        5.15.5-00057-gaebcd29c8ed7-dirty #5\nHardware name: Freescale i.MX8QXP MEK (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : i2c_mux_del_adapters+0x24/0xf0\nlr : max9286_remove+0x28/0xd0 [max9286]\nsp : ffff800013a9bbf0\nx29: ffff800013a9bbf0 x28: ffff00080b6da940 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000801a5b970 x22: ffff0008048b0890 x21: ffff800009297000\nx20: ffff0008048b0f70 x19: 000000aa00000064 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000014 x13: 0000000000000000 x12: ffff000802da49e8\nx11: ffff000802051918 x10: ffff000802da4920 x9 : ffff000800030098\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffffffffffffffff x1 : ffff00080b6da940 x0 : 0000000000000000\nCall trace:\n i2c_mux_del_adapters+0x24/0xf0\n max9286_remove+0x28/0xd0 [max9286]\n i2c_device_remove+0x40/0x110\n __device_release_driver+0x188/0x234\n driver_detach+0xc4/0x150\n bus_remove_driver+0x60/0xe0\n driver_unregister+0x34/0x64\n i2c_del_driver+0x58/0xa0\n max9286_i2c_driver_exit+0x1c/0x490 [max9286]\n __arm64_sys_delete_module+0x194/0x260\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xd4/0xfc\n do_el0_svc+0x2c/0x94\n el0_svc+0x28/0x80\n el0t_64_sync_handler+0xa8/0x130\n el0t_64_sync+0x1a0/0x1a4\n\nThe Oops happens because the I2C client data does not point to\nmax9286_priv anymore but to v4l2_subdev. The change happened in\nmax9286_init() which calls v4l2_i2c_subdev_init() later on...\n\nBesides fixing the max9286_remove() function, remove the call to\ni2c_set_clientdata() in max9286_probe(), to avoid confusion, and make\nthe necessary changes to max9286_init() so that it doesn't have to use\ni2c_get_clientdata() in order to fetch the pointer to priv.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49509",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/omap: fix NULL but dereferenced coccicheck error\n\nFix the following coccicheck warning:\n./drivers/gpu/drm/omapdrm/omap_overlay.c:89:22-25: ERROR: r_ovl is NULL\nbut dereferenced.\n\nHere should be ovl->idx rather than r_ovl->idx.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49510",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: defio: fix the pagelist corruption\n\nEasily hit the below list corruption:\n==\nlist_add corruption. prev->next should be next (ffffffffc0ceb090), but\nwas ffffec604507edc8. (prev=ffffec604507edc8).\nWARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26\n__list_add_valid+0x53/0x80\nCPU: 65 PID: 3959 Comm: fbdev Tainted: G     U\nRIP: 0010:__list_add_valid+0x53/0x80\nCall Trace:\n <TASK>\n fb_deferred_io_mkwrite+0xea/0x150\n do_page_mkwrite+0x57/0xc0\n do_wp_page+0x278/0x2f0\n __handle_mm_fault+0xdc2/0x1590\n handle_mm_fault+0xdd/0x2c0\n do_user_addr_fault+0x1d3/0x650\n exc_page_fault+0x77/0x180\n ? asm_exc_page_fault+0x8/0x30\n asm_exc_page_fault+0x1e/0x30\nRIP: 0033:0x7fd98fc8fad1\n==\n\nFigure out the race happens when one process is adding &page->lru into\nthe pagelist tail in fb_deferred_io_mkwrite(), another process is\nre-initializing the same &page->lru in fb_deferred_io_fault(), which is\nnot protected by the lock.\n\nThis fix is to init all the page lists one time during initialization,\nit not only fixes the list corruption, but also avoids INIT_LIST_HEAD()\nredundantly.\n\nV2: change \"int i\" to \"unsigned int i\" (Geert Uytterhoeven)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49511",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: denali: Use managed device resources\n\nAll of the resources used by this driver have managed interfaces, so use\nthem. Otherwise we will get the following splat:\n\n[    4.472703] denali-nand-pci 0000:00:05.0: timeout while waiting for irq 0x1000\n[    4.474071] denali-nand-pci: probe of 0000:00:05.0 failed with error -5\n[    4.473538] nand: No NAND device found\n[    4.474068] BUG: unable to handle page fault for address: ffffc90005000410\n[    4.475169] #PF: supervisor write access in kernel mode\n[    4.475579] #PF: error_code(0x0002) - not-present page\n[    4.478362] RIP: 0010:iowrite32+0x9/0x50\n[    4.486068] Call Trace:\n[    4.486269]  <IRQ>\n[    4.486443]  denali_isr+0x15b/0x300 [denali]\n[    4.486788]  ? denali_direct_write+0x50/0x50 [denali]\n[    4.487189]  __handle_irq_event_percpu+0x161/0x3b0\n[    4.487571]  handle_irq_event+0x7d/0x1b0\n[    4.487884]  handle_fasteoi_irq+0x2b0/0x770\n[    4.488219]  __common_interrupt+0xc8/0x1b0\n[    4.488549]  common_interrupt+0x9a/0xc0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49512",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: governor: Use kobject release() method to free dbs_data\n\nThe struct dbs_data embeds a struct gov_attr_set and\nthe struct gov_attr_set embeds a kobject. Since every kobject must have\na release() method and we can't use kfree() to free it directly,\nso introduce cpufreq_dbs_data_release() to release the dbs_data via\nthe kobject::release() method. This fixes the calltrace like below:\n\n  ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x34\n  WARNING: CPU: 12 PID: 810 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100\n  Modules linked in:\n  CPU: 12 PID: 810 Comm: sh Not tainted 5.16.0-next-20220120-yocto-standard+ #536\n  Hardware name: Marvell OcteonTX CN96XX board (DT)\n  pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : debug_print_object+0xb8/0x100\n  lr : debug_print_object+0xb8/0x100\n  sp : ffff80001dfcf9a0\n  x29: ffff80001dfcf9a0 x28: 0000000000000001 x27: ffff0001464f0000\n  x26: 0000000000000000 x25: ffff8000090e3f00 x24: ffff80000af60210\n  x23: ffff8000094dfb78 x22: ffff8000090e3f00 x21: ffff0001080b7118\n  x20: ffff80000aeb2430 x19: ffff800009e8f5e0 x18: 0000000000000000\n  x17: 0000000000000002 x16: 00004d62e58be040 x15: 013590470523aff8\n  x14: ffff8000090e1828 x13: 0000000001359047 x12: 00000000f5257d14\n  x11: 0000000000040591 x10: 0000000066c1ffea x9 : ffff8000080d15e0\n  x8 : ffff80000a1765a8 x7 : 0000000000000000 x6 : 0000000000000001\n  x5 : ffff800009e8c000 x4 : ffff800009e8c760 x3 : 0000000000000000\n  x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0001474ed040\n  Call trace:\n   debug_print_object+0xb8/0x100\n   __debug_check_no_obj_freed+0x1d0/0x25c\n   debug_check_no_obj_freed+0x24/0xa0\n   kfree+0x11c/0x440\n   cpufreq_dbs_governor_exit+0xa8/0xac\n   cpufreq_exit_governor+0x44/0x90\n   cpufreq_set_policy+0x29c/0x570\n   store_scaling_governor+0x110/0x154\n   store+0xb0/0xe0\n   sysfs_kf_write+0x58/0x84\n   kernfs_fop_write_iter+0x12c/0x1c0\n   new_sync_write+0xf0/0x18c\n   vfs_write+0x1cc/0x220\n   ksys_write+0x74/0x100\n   __arm64_sys_write+0x28/0x3c\n   invoke_syscall.constprop.0+0x58/0xf0\n   do_el0_svc+0x70/0x170\n   el0_svc+0x54/0x190\n   el0t_64_sync_handler+0xa4/0x130\n   el0t_64_sync+0x1a0/0x1a4\n  irq event stamp: 189006\n  hardirqs last  enabled at (189005): [<ffff8000080849d0>] finish_task_switch.isra.0+0xe0/0x2c0\n  hardirqs last disabled at (189006): [<ffff8000090667a4>] el1_dbg+0x24/0xa0\n  softirqs last  enabled at (188966): [<ffff8000080106d0>] __do_softirq+0x4b0/0x6a0\n  softirqs last disabled at (188957): [<ffff80000804a618>] __irq_exit_rcu+0x108/0x1a4\n\n[ rjw: Because can be freed by the gov_attr_set_put() in\n  cpufreq_dbs_governor_exit() now, it is also necessary to put the\n  invocation of the governor ->exit() callback into the new\n  cpufreq_dbs_data_release() function. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49513",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe\n\nCall of_node_put(platform_node) to avoid refcount leak in\nthe error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49514",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t\n\nThe CS35L41_NUM_OTP_ELEM is 100, but only 99 entries are defined in\nthe array otp_map_1/2[CS35L41_NUM_OTP_ELEM], this will trigger UBSAN\nto report a shift-out-of-bounds warning in the cs35l41_otp_unpack()\nsince the last entry in the array will result in GENMASK(-1, 0).\n\nUBSAN reports this problem:\n UBSAN: shift-out-of-bounds in /home/hwang4/build/jammy/jammy/sound/soc/codecs/cs35l41-lib.c:836:8\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23\n Hardware name: LENOVO \\x02MFG_IN_GO/\\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022\n Call Trace:\n  <TASK>\n  show_stack+0x52/0x58\n  dump_stack_lvl+0x4a/0x5f\n  dump_stack+0x10/0x12\n  ubsan_epilogue+0x9/0x45\n  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef\n  ? regmap_unlock_mutex+0xe/0x10\n  cs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]\n  cs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]\n  cs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]\n  ? cs35l41_hda_i2c_remove+0x20/0x20 [snd_hda_scodec_cs35l41_i2c]\n  i2c_device_probe+0x252/0x2b0",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49515",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: always check VF VSI pointer values\n\nThe ice_get_vf_vsi function can return NULL in some cases, such as if\nhandling messages during a reset where the VSI is being removed and\nrecreated.\n\nSeveral places throughout the driver do not bother to check whether this\nVSI pointer is valid. Static analysis tools may report issues because\nthey detect paths where a potentially NULL pointer could be dereferenced.\n\nFix this by checking the return value of ice_get_vf_vsi everywhere.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49516",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe\n\nThis node pointer is returned by of_parse_phandle() with\nrefcount incremented in this function.\nCalling of_node_put() to avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49517",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload\n\nIt is possible to craft a topology where sof_get_control_data() would do\nout of bounds access because it expects that it is only called when the\npayload is bytes type.\nConfusingly it also handles other types of controls, but the payload\nparsing implementation is only valid for bytes.\n\nFix the code to count the non bytes controls and instead of storing a\npointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),\nstore the pointer to the data itself and add a new member to save the size\nof the data.\n\nIn case of non bytes controls we store the pointer to the chanv itself,\nwhich is just an array of values at the end.\n\nIn case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check\nagainst NULL since it is incorrect and invalid in this context.\nThe data is pointing to the end of cdata struct, so it should never be\nnull.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49518",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: skip ath10k_halt during suspend for driver state RESTARTING\n\nDouble free crash is observed when FW recovery (caused by wmi\ntimeout/crash) is followed by immediate suspend event. The FW recovery\nis triggered by ath10k_core_restart() which calls driver clean up via\nath10k_halt(). When the suspend event occurs between the FW recovery,\nthe restart worker thread is put into frozen state until suspend completes.\nThe suspend event triggers ath10k_stop() which again triggers ath10k_halt().\nThe double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be\ncalled twice (Note: ath10k_htt_rx_alloc was not called by restart worker\nthread because of its frozen state), causing the crash.\n\nTo fix this, during the suspend flow, skip call to ath10k_halt() in\nath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.\nAlso, for driver state ATH10K_STATE_RESTARTING, call\nath10k_wait_for_suspend() in ath10k_stop(). This is because call to\nath10k_wait_for_suspend() is skipped later in\n[ath10k_halt() > ath10k_core_stop()] for the driver state\nATH10K_STATE_RESTARTING.\n\nThe frozen restart worker thread will be cancelled during resume when the\ndevice comes out of suspend.\n\nBelow is the crash stack for reference:\n\n[  428.469167] ------------[ cut here ]------------\n[  428.469180] kernel BUG at mm/slub.c:4150!\n[  428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  428.469219] Workqueue: events_unbound async_run_entry_fn\n[  428.469230] RIP: 0010:kfree+0x319/0x31b\n[  428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246\n[  428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000\n[  428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000\n[  428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000\n[  428.469276] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  428.469285] Call Trace:\n[  428.469295]  ? dma_free_attrs+0x5f/0x7d\n[  428.469320]  ath10k_core_stop+0x5b/0x6f\n[  428.469336]  ath10k_halt+0x126/0x177\n[  428.469352]  ath10k_stop+0x41/0x7e\n[  428.469387]  drv_stop+0x88/0x10e\n[  428.469410]  __ieee80211_suspend+0x297/0x411\n[  428.469441]  rdev_suspend+0x6e/0xd0\n[  428.469462]  wiphy_suspend+0xb1/0x105\n[  428.469483]  ? name_show+0x2d/0x2d\n[  428.469490]  dpm_run_callback+0x8c/0x126\n[  428.469511]  ? name_show+0x2d/0x2d\n[  428.469517]  __device_suspend+0x2e7/0x41b\n[  428.469523]  async_suspend+0x1f/0x93\n[  428.469529]  async_run_entry_fn+0x3d/0xd1\n[  428.469535]  process_one_work+0x1b1/0x329\n[  428.469541]  worker_thread+0x213/0x372\n[  428.469547]  kthread+0x150/0x15f\n[  428.469552]  ? pr_cont_work+0x58/0x58\n[  428.469558]  ? kthread_blkcg+0x31/0x31\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49519",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall\n\nIf a compat process tries to execute an unknown system call above the\n__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the\noffending process. Information about the error is printed to dmesg in\ncompat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->\narm64_show_signal().\n\narm64_show_signal() interprets a non-zero value for\ncurrent->thread.fault_code as an exception syndrome and displays the\nmessage associated with the ESR_ELx.EC field (bits 31:26).\ncurrent->thread.fault_code is set in compat_arm_syscall() ->\narm64_notify_die() with the bad syscall number instead of a valid ESR_ELx\nvalue. This means that the ESR_ELx.EC field has the value that the user set\nfor the syscall number and the kernel can end up printing bogus exception\nmessages*. For example, for the syscall number 0x68000000, which evaluates\nto ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:\n\n[   18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]\n[   18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79\n[   18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich is misleading, as the bad compat syscall has nothing to do with\npointer authentication.\n\nStop arm64_show_signal() from printing exception syndrome information by\nhaving compat_arm_syscall() set the ESR_ELx value to 0, as it has no\nmeaning for an invalid system call number. 
The example above now becomes:\n\n[   19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]\n[   19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80\n[   19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich although shows less information because the syscall number,\nwrongfully advertised as the ESR value, is missing, it is better than\nshowing plainly wrong information. The syscall number can be easily\nobtained with strace.\n\n*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative\ninteger in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END\nevaluates to true; the syscall will exit to userspace in this case with the\nENOSYS error code instead of arm64_notify_die() being called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49520",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()\n\nIf no handler is found in lpfc_complete_unsol_iocb() to match the rctl of a\nreceived frame, the frame is dropped and resources are leaked.\n\nFix by returning resources when discarding an unhandled frame type.  Update\nlpfc_fc_frame_check() handling of NOP basic link service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49521",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: jz4740: Apply DMA engine limits to maximum segment size\n\nDo what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and\nlimit the maximum segment size based on the DMA engine's capabilities. This\nis needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c\nDMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]\nCPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19\nWorkqueue: kblockd blk_mq_run_work_fn\nStack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac\n        814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444\n        00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62\n        6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009\n        805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000\n        ...\nCall Trace:\n[<80107670>] show_stack+0x84/0x120\n[<80528cd8>] __warn+0xb8/0xec\n[<80528d78>] warn_slowpath_fmt+0x6c/0xb8\n[<8016f1d4>] debug_dma_map_sg+0x2f4/0x39c\n[<80169d4c>] __dma_map_sg_attrs+0xf0/0x118\n[<8016a27c>] dma_map_sg_attrs+0x14/0x28\n[<804f66b4>] jz4740_mmc_prepare_dma_data+0x74/0xa4\n[<804f6714>] jz4740_mmc_pre_request+0x30/0x54\n[<804f4ff4>] mmc_blk_mq_issue_rq+0x6e0/0x7bc\n[<804f5590>] mmc_mq_queue_rq+0x220/0x2d4\n[<8038b2c0>] blk_mq_dispatch_rq_list+0x480/0x664\n[<80391040>] blk_mq_do_dispatch_sched+0x2dc/0x370\n[<80391468>] __blk_mq_sched_dispatch_requests+0xec/0x164\n[<80391540>] blk_mq_sched_dispatch_requests+0x44/0x94\n[<80387900>] __blk_mq_run_hw_queue+0xb0/0xcc\n[<80134c14>] process_one_work+0x1b8/0x264\n[<80134ff8>] worker_thread+0x2ec/0x3b8\n[<8013b13c>] kthread+0x104/0x10c\n[<80101dcc>] 
ret_from_kernel_thread+0x14/0x1c\n\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49522",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: disable spectral scan during spectral deinit\n\nWhen ath11k modules are removed using rmmod with spectral scan enabled,\ncrash is observed. Different crash trace is observed for each crash.\n\nSend spectral scan disable WMI command to firmware before cleaning\nthe spectral dbring in the spectral_deinit API to avoid this crash.\n\ncall trace from one of the crash observed:\n[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008\n[ 1252.882722] pgd = 0f42e886\n[ 1252.890955] [00000008] *pgd=00000000\n[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0\n[ 1253.115261] Hardware name: Generic DT based system\n[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]\n[ 1253.125940] LR is at 0x88e31017\n[ 1253.132448] pc : [<7f9387b8>]    lr : [<88e31017>]    psr: a0000193\n[ 1253.135488] sp : 80d01bc8  ip : 00000001  fp : 970e0000\n[ 1253.141737] r10: 88e31000  r9 : 970ec000  r8 : 00000080\n[ 1253.146946] r7 : 94734040  r6 : a0000113  r5 : 00000057  r4 : 00000000\n[ 1253.152159] r3 : e18cb694  r2 : 00000217  r1 : 1df1f000  r0 : 00000001\n[ 1253.158755] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\n[ 1253.165266] Control: 10c0383d  Table: 5e71006a  DAC: 00000055\n[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)\n[ 1253.458055] [<7f9387b8>] (ath11k_spectral_process_data [ath11k]) from [<7f917fdc>] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])\n[ 1253.466139] [<7f917fdc>] (ath11k_dbring_buffer_release_event [ath11k]) from [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])\n[ 1253.478807] [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx [ath11k]) from [<7f8fe868>] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])\n[ 1253.490699] [<7f8fe868>] (ath11k_htc_rx_completion_handler [ath11k]) from 
[<7f91308c>] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])\n[ 1253.502386] [<7f91308c>] (ath11k_ce_per_engine_service [ath11k]) from [<7f9a4198>] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])\n[ 1253.514811] [<7f9a4198>] (ath11k_pci_ce_tasklet [ath11k_pci]) from [<8032227c>] (tasklet_action_common.constprop.2+0x64/0xe8)\n[ 1253.526476] [<8032227c>] (tasklet_action_common.constprop.2) from [<803021e8>] (__do_softirq+0x130/0x2d0)\n[ 1253.537756] [<803021e8>] (__do_softirq) from [<80322610>] (irq_exit+0xcc/0xe8)\n[ 1253.547304] [<80322610>] (irq_exit) from [<8036a4a4>] (__handle_domain_irq+0x60/0xb4)\n[ 1253.554428] [<8036a4a4>] (__handle_domain_irq) from [<805eb348>] (gic_handle_irq+0x4c/0x90)\n[ 1253.562321] [<805eb348>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)\n\nTested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49523",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: cx23885: Fix the error handling in cx23885_initdev()\n\nWhen the driver fails to call the dma_set_mask(), the driver will get\nthe following splat:\n\n[   55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240\n[   55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590\n[   55.856822] Call Trace:\n[   55.860327]  __process_removed_driver+0x3c/0x240\n[   55.861347]  bus_for_each_dev+0x102/0x160\n[   55.861681]  i2c_del_driver+0x2f/0x50\n\nThis is because the driver has initialized the i2c related resources\nin cx23885_dev_setup() but not released them in error handling, fix this\nbug by modifying the error path that jumps after failing to call the\ndma_set_mask().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49524",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx25821: Fix the warning when removing the module\n\nWhen removing the module, we will get the following warning:\n\n[   14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'\n[   14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0\n[   14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0\n[   14.759589] Call Trace:\n[   14.759792]  <TASK>\n[   14.759975]  unregister_irq_proc+0x14c/0x170\n[   14.760340]  irq_free_descs+0x94/0xe0\n[   14.760640]  mp_unmap_irq+0xb6/0x100\n[   14.760937]  acpi_unregister_gsi_ioapic+0x27/0x40\n[   14.761334]  acpi_pci_irq_disable+0x1d3/0x320\n[   14.761688]  pci_disable_device+0x1ad/0x380\n[   14.762027]  ? _raw_spin_unlock_irqrestore+0x2d/0x60\n[   14.762442]  ? cx25821_shutdown+0x20/0x9f0 [cx25821]\n[   14.762848]  cx25821_finidev+0x48/0xc0 [cx25821]\n[   14.763242]  pci_device_remove+0x92/0x240\n\nFix this by freeing the irq before call pci_disable_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49525",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: don't set sb values if can't pass sanity check\n\nIf bitmap area contains invalid data, kernel will crash then mdadm\ntriggers \"Segmentation fault\".\nThis is cluster-md special bug. In non-clustered env, mdadm will\nhandle broken metadata case. In clustered array, only kernel space\nhandles bitmap slot info. But even this bug only happened in clustered\nenv, current sanity check is wrong, the code should be changed.\n\nHow to trigger: (faulty injection)\n\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb\nmdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb\nmdadm -Ss\necho aaa > magic.txt\n == below modifying slot 2 bitmap data ==\ndd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic\ndd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize\nmdadm -A /dev/md0 /dev/sda /dev/sdb\n == kernel crashes. mdadm outputs \"Segmentation fault\" ==\n\nReason of kernel crash:\n\nIn md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't\nblock chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()\ntrigger \"divide error\".\n\nCrash log:\n\nkernel: md: md0 stopped.\nkernel: md/raid1:md0: not clean -- starting background reconstruction\nkernel: md/raid1:md0: active with 2 out of 2 mirrors\nkernel: dlm: ... 
...\nkernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1\nkernel: md0: invalid bitmap file superblock: bad magic\nkernel: md_bitmap_copy_from_slot can't get bitmap from slot 2\nkernel: md-cluster: Could not gather bitmaps from slot 2\nkernel: divide error: 0000 [#1] SMP NOPTI\nkernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default\nkernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]\nkernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246\nkernel: ... ...\nkernel: Call Trace:\nkernel:  ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]\nkernel:  md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]\nkernel:  load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]\nkernel:  md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]\nkernel:  do_md_run+0x30/0x100 [md_mod 24ea..d3a]\nkernel:  md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]\nkernel:  ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]\nkernel:  ? blkdev_ioctl+0xb1/0x2b0\nkernel:  block_ioctl+0x3b/0x40\nkernel:  __x64_sys_ioctl+0x7f/0xb0\nkernel:  do_syscall_64+0x59/0x80\nkernel:  ? exit_to_user_mode_prepare+0x1ab/0x230\nkernel:  ? syscall_exit_to_user_mode+0x18/0x40\nkernel:  ? do_syscall_64+0x69/0x80\nkernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae\nkernel: RIP: 0033:0x7f4a15fa722b\nkernel: ... ...\nkernel: ---[ end trace 8afa7612f559c868 ]---\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49526",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: avoid null dereference in deinit\n\nIf venus_probe fails at pm_runtime_put_sync the error handling first\ncalls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets\ncore->ops to NULL, hfi_core_deinit cannot call the core_deinit function\nanymore.\n\nAvoid this null pointer dereference by skipping the call when necessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49527",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: dw9714: Disable the regulator when the driver fails to probe\n\nWhen the driver fails to probe, we will get the following splat:\n\n[   59.305988] ------------[ cut here ]------------\n[   59.306417] WARNING: CPU: 2 PID: 395 at drivers/regulator/core.c:2257 _regulator_put+0x3ec/0x4e0\n[   59.310345] RIP: 0010:_regulator_put+0x3ec/0x4e0\n[   59.318362] Call Trace:\n[   59.318582]  <TASK>\n[   59.318765]  regulator_put+0x1f/0x30\n[   59.319058]  devres_release_group+0x319/0x3d0\n[   59.319420]  i2c_device_probe+0x766/0x940\n\nFix this by disabling the regulator in error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49528",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: fix the null pointer while the smu is disabled\n\nIt needs to check if the pp_funcs is initialized while release the\ncontext, otherwise it will trigger null pointer panic while the software\nsmu is not enabled.\n\n[ 1109.404555] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[ 1109.404609] #PF: supervisor read access in kernel mode\n[ 1109.404638] #PF: error_code(0x0000) - not-present page\n[ 1109.404657] PGD 0 P4D 0\n[ 1109.404672] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 1109.404701] CPU: 7 PID: 9150 Comm: amdgpu_test Tainted: G           OEL    5.16.0-custom #1\n[ 1109.404732] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\n[ 1109.404765] RIP: 0010:amdgpu_dpm_force_performance_level+0x1d/0x170 [amdgpu]\n[ 1109.405109] Code: 5d c3 44 8b a3 f0 80 00 00 eb e5 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 4c 8b b7 f0 7d 00 00 <49> 83 7e 78 00 0f 84 f2 00 00 00 80 bf 87 80 00 00 00 48 89 fb 0f\n[ 1109.405176] RSP: 0018:ffffaf3083ad7c20 EFLAGS: 00010282\n[ 1109.405203] RAX: 0000000000000000 RBX: ffff9796b1c14600 RCX: 0000000002862007\n[ 1109.405229] RDX: ffff97968591c8c0 RSI: 0000000000000001 RDI: ffff9796a3700000\n[ 1109.405260] RBP: ffffaf3083ad7c50 R08: ffffffff9897de00 R09: ffff979688d9db60\n[ 1109.405286] R10: 0000000000000000 R11: ffff979688d9db90 R12: 0000000000000001\n[ 1109.405316] R13: ffff9796a3700000 R14: 0000000000000000 R15: ffff9796a3708fc0\n[ 1109.405345] FS:  00007ff055cff180(0000) GS:ffff9796bfdc0000(0000) knlGS:0000000000000000\n[ 1109.405378] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1109.405400] CR2: 0000000000000078 CR3: 000000000a394000 CR4: 00000000000506e0\n[ 1109.405434] Call Trace:\n[ 1109.405445]  <TASK>\n[ 1109.405456]  ? 
delete_object_full+0x1d/0x20\n[ 1109.405480]  amdgpu_ctx_set_stable_pstate+0x7c/0xa0 [amdgpu]\n[ 1109.405698]  amdgpu_ctx_fini.part.0+0xcb/0x100 [amdgpu]\n[ 1109.405911]  amdgpu_ctx_do_release+0x71/0x80 [amdgpu]\n[ 1109.406121]  amdgpu_ctx_ioctl+0x52d/0x550 [amdgpu]\n[ 1109.406327]  ? _raw_spin_unlock+0x1a/0x30\n[ 1109.406354]  ? drm_gem_handle_delete+0x81/0xb0 [drm]\n[ 1109.406400]  ? amdgpu_ctx_get_entity+0x2c0/0x2c0 [amdgpu]\n[ 1109.406609]  drm_ioctl_kernel+0xb6/0x140 [drm]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49529",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix double free in si_parse_power_table()\n\nIn function si_parse_power_table(), array adev->pm.dpm.ps and its member\nis allocated. If the allocation of each member fails, the array itself\nis freed and returned with an error code. However, the array is later\nfreed again in si_dpm_fini() function which is called when the function\nreturns an error.\n\nThis leads to potential double free of the array adev->pm.dpm.ps, as\nwell as leak of its array members, since the members are not freed in\nthe allocation function and the array is not nulled when freed.\nIn addition adev->pm.dpm.num_ps, which keeps track of the allocated\narray member, is not updated until the member allocation is\nsuccessfully finished, this could also lead to either use after free,\nor uninitialized variable access in si_dpm_fini().\n\nFix this by postponing the free of the array until si_dpm_fini() and\nincrement adev->pm.dpm.num_ps every time the array member is allocated.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49530",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: implement ->free_disk\n\nEnsure that the lo_device which is stored in the gendisk private\ndata is valid until the gendisk is freed.  Currently the loop driver\nuses a lot of effort to make sure a device is not freed when it is\nstill in use, but to fix a potential deadlock this will be relaxed\na bit soon.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49531",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes\n\ndrm_cvt_mode may return NULL and we should check it.\n\nThis bug is found by syzkaller:\n\nFAULT_INJECTION stacktrace:\n[  168.567394] FAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 1\n[  168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1\n[  168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[  168.567408] Call trace:\n[  168.567414]  dump_backtrace+0x0/0x310\n[  168.567418]  show_stack+0x28/0x38\n[  168.567423]  dump_stack+0xec/0x15c\n[  168.567427]  should_fail+0x3ac/0x3d0\n[  168.567437]  __should_failslab+0xb8/0x120\n[  168.567441]  should_failslab+0x28/0xc0\n[  168.567445]  kmem_cache_alloc_trace+0x50/0x640\n[  168.567454]  drm_mode_create+0x40/0x90\n[  168.567458]  drm_cvt_mode+0x48/0xc78\n[  168.567477]  virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]\n[  168.567485]  drm_helper_probe_single_connector_modes+0x3a4/0xd80\n[  168.567492]  drm_mode_getconnector+0x2e0/0xa70\n[  168.567496]  drm_ioctl_kernel+0x11c/0x1d8\n[  168.567514]  drm_ioctl+0x558/0x6d0\n[  168.567522]  do_vfs_ioctl+0x160/0xf30\n[  168.567525]  ksys_ioctl+0x98/0xd8\n[  168.567530]  __arm64_sys_ioctl+0x50/0xc8\n[  168.567536]  el0_svc_common+0xc8/0x320\n[  168.567540]  el0_svc_handler+0xf8/0x160\n[  168.567544]  el0_svc+0x10/0x218\n\nKASAN stacktrace:\n[  168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]\n[  168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425\n[  168.567566]\n[  168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1\n[  168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n[  168.567575] Call trace:\n[  168.567578]  
dump_backtrace+0x0/0x310\n[  168.567582]  show_stack+0x28/0x38\n[  168.567586]  dump_stack+0xec/0x15c\n[  168.567591]  kasan_report+0x244/0x2f0\n[  168.567594]  __asan_load4+0x58/0xb0\n[  168.567607]  virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]\n[  168.567612]  drm_helper_probe_single_connector_modes+0x3a4/0xd80\n[  168.567617]  drm_mode_getconnector+0x2e0/0xa70\n[  168.567621]  drm_ioctl_kernel+0x11c/0x1d8\n[  168.567624]  drm_ioctl+0x558/0x6d0\n[  168.567628]  do_vfs_ioctl+0x160/0xf30\n[  168.567632]  ksys_ioctl+0x98/0xd8\n[  168.567636]  __arm64_sys_ioctl+0x50/0xc8\n[  168.567641]  el0_svc_common+0xc8/0x320\n[  168.567645]  el0_svc_handler+0xf8/0x160\n[  168.567649]  el0_svc+0x10/0x218",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49532",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: Change max no of active probe SSID and BSSID to fw capability\n\nThe maximum number of SSIDs in a for active probe requests is currently\nreported as 16 (WLAN_SCAN_PARAMS_MAX_SSID) when registering the driver.\nThe scan_req_params structure only has the capacity to hold 10 SSIDs.\nThis leads to a buffer overflow which can be triggered from\nwpa_supplicant in userspace. When copying the SSIDs into the\nscan_req_params structure in the ath11k_mac_op_hw_scan route, it can\noverwrite the extraie pointer.\n\nFirmware supports 16 ssid * 4 bssid, for each ssid 4 bssid combo probe\nrequest will be sent, so totally 64 probe requests supported. So\nset both max ssid and bssid to 16 and 4 respectively. Remove the\nredundant macros of ssid and bssid.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01300-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49533",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT\n\nThere is a potential memory leak in lpfc_ignore_els_cmpl() and\nlpfc_els_rsp_reject() that was allocated from NPIV PLOGI_RJT\n(lpfc_rcv_plogi()'s login_mbox).\n\nCheck if cmdiocb->context_un.mbox was allocated in lpfc_ignore_els_cmpl(),\nand then free it back to phba->mbox_mem_pool along with mbox->ctx_buf for\nservice parameters.\n\nFor lpfc_els_rsp_reject() failure, free both the ctx_buf for service\nparameters and the login_mbox.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49534",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI\n\nIf lpfc_issue_els_flogi() fails and returns non-zero status, the node\nreference count is decremented to trigger the release of the nodelist\nstructure. However, if there is a prior registration or dev-loss-evt work\npending, the node may be released prematurely.  When dev-loss-evt\ncompletes, the released node is referenced causing a use-after-free null\npointer dereference.\n\nSimilarly, when processing non-zero ELS PLOGI completion status in\nlpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport\nregistration before triggering node removal.  If dev-loss-evt work is\npending, the node may be released prematurely and a subsequent call to\nlpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.\n\nAdd test for pending dev-loss before decrementing the node reference count\nfor FLOGI, PLOGI, PRLI, and ADISC handling.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49535",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix SCSI I/O completion and abort handler deadlock\n\nDuring stress I/O tests with 500+ vports, hard LOCKUP call traces are\nobserved.\n\nCPU A:\n native_queued_spin_lock_slowpath+0x192\n _raw_spin_lock_irqsave+0x32\n lpfc_handle_fcp_err+0x4c6\n lpfc_fcp_io_cmd_wqe_cmpl+0x964\n lpfc_sli4_fp_handle_cqe+0x266\n __lpfc_sli4_process_cq+0x105\n __lpfc_sli4_hba_process_cq+0x3c\n lpfc_cq_poll_hdler+0x16\n irq_poll_softirq+0x76\n __softirqentry_text_start+0xe4\n irq_exit+0xf7\n do_IRQ+0x7f\n\nCPU B:\n native_queued_spin_lock_slowpath+0x5b\n _raw_spin_lock+0x1c\n lpfc_abort_handler+0x13e\n scmd_eh_abort_handler+0x85\n process_one_work+0x1a7\n worker_thread+0x30\n kthread+0x112\n ret_from_fork+0x1f\n\nDiagram of lockup:\n\nCPUA                            CPUB\n----                            ----\nlpfc_cmd->buf_lock\n                            phba->hbalock\n                            lpfc_cmd->buf_lock\nphba->hbalock\n\nFix by reordering the taking of the lpfc_cmd->buf_lock and phba->hbalock in\nlpfc_abort_handler routine so that it tries to take the lpfc_cmd->buf_lock\nfirst before phba->hbalock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49536",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix call trace observed during I/O with CMF enabled\n\nThe following was seen with CMF enabled:\n\nBUG: using smp_processor_id() in preemptible\ncode: systemd-udevd/31711\nkernel: caller is lpfc_update_cmf_cmd+0x214/0x420  [lpfc]\nkernel: CPU: 12 PID: 31711 Comm: systemd-udevd\nkernel: Call Trace:\nkernel: <TASK>\nkernel: dump_stack_lvl+0x44/0x57\nkernel: check_preemption_disabled+0xbf/0xe0\nkernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]\nkernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc]\n\nthis_cpu_ptr() calls smp_processor_id() in a preemptible context.\n\nFix by using per_cpu_ptr() with raw_smp_processor_id() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49537",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: jack: Access input_dev under mutex\n\nIt is possible when using ASoC that input_dev is unregistered while\ncalling snd_jack_report, which causes NULL pointer dereference.\nIn order to prevent this serialize access to input_dev using mutex lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49538",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw89: ser: fix CAM leaks occurring in L2 reset\n\nThe CAM, meaning address CAM and bssid CAM here, will get leaks during\nSER (system error recover) L2 reset process and ieee80211_restart_hw()\nwhich is called by L2 reset process eventually.\n\nThe normal flow would be like\n-> add interface (acquire 1)\n-> enter ips (release 1)\n-> leave ips (acquire 1)\n-> connection (occupy 1) <(A) 1 leak after L2 reset if non-sec connection>\n\nThe ieee80211_restart_hw() flow (under connection)\n-> ieee80211 reconfig\n-> add interface (acquire 1)\n-> leave ips (acquire 1)\n-> connection (occupy (A) + 2) <(B) 1 more leak>\n\nOriginally, CAM is released before HW restart only if connection is under\nsecurity. Now, release CAM whatever connection it is to fix leak in (A).\nOTOH, check if CAM is already valid to avoid acquiring multiple times to\nfix (B).\n\nBesides, if AP mode, release address CAM of all stations before HW restart.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49539",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix race in schedule and flush work\n\nWhile booting secondary CPUs, cpus_read_[lock/unlock] is not keeping\nonline cpumask stable. The transient online mask results in below\ncalltrace.\n\n[    0.324121] CPU1: Booted secondary processor 0x0000000001 [0x410fd083]\n[    0.346652] Detected PIPT I-cache on CPU2\n[    0.347212] CPU2: Booted secondary processor 0x0000000002 [0x410fd083]\n[    0.377255] Detected PIPT I-cache on CPU3\n[    0.377823] CPU3: Booted secondary processor 0x0000000003 [0x410fd083]\n[    0.379040] ------------[ cut here ]------------\n[    0.383662] WARNING: CPU: 0 PID: 10 at kernel/workqueue.c:3084 __flush_work+0x12c/0x138\n[    0.384850] Modules linked in:\n[    0.385403] CPU: 0 PID: 10 Comm: rcu_tasks_rude_ Not tainted 5.17.0-rc3-v8+ #13\n[    0.386473] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n[    0.387289] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.388308] pc : __flush_work+0x12c/0x138\n[    0.388970] lr : __flush_work+0x80/0x138\n[    0.389620] sp : ffffffc00aaf3c60\n[    0.390139] x29: ffffffc00aaf3d20 x28: ffffffc009c16af0 x27: ffffff80f761df48\n[    0.391316] x26: 0000000000000004 x25: 0000000000000003 x24: 0000000000000100\n[    0.392493] x23: ffffffffffffffff x22: ffffffc009c16b10 x21: ffffffc009c16b28\n[    0.393668] x20: ffffffc009e53861 x19: ffffff80f77fbf40 x18: 00000000d744fcc9\n[    0.394842] x17: 000000000000000b x16: 00000000000001c2 x15: ffffffc009e57550\n[    0.396016] x14: 0000000000000000 x13: ffffffffffffffff x12: 0000000100000000\n[    0.397190] x11: 0000000000000462 x10: ffffff8040258008 x9 : 0000000100000000\n[    0.398364] x8 : 0000000000000000 x7 : ffffffc0093c8bf4 x6 : 0000000000000000\n[    0.399538] x5 : 0000000000000000 x4 : ffffffc00a976e40 x3 : ffffffc00810444c\n[    0.400711] x2 : 0000000000000004 x1 : 0000000000000000 x0 : 0000000000000000\n[    0.401886] Call 
trace:\n[    0.402309]  __flush_work+0x12c/0x138\n[    0.402941]  schedule_on_each_cpu+0x228/0x278\n[    0.403693]  rcu_tasks_rude_wait_gp+0x130/0x144\n[    0.404502]  rcu_tasks_kthread+0x220/0x254\n[    0.405264]  kthread+0x174/0x1ac\n[    0.405837]  ret_from_fork+0x10/0x20\n[    0.406456] irq event stamp: 102\n[    0.406966] hardirqs last  enabled at (101): [<ffffffc0093c8468>] _raw_spin_unlock_irq+0x78/0xb4\n[    0.408304] hardirqs last disabled at (102): [<ffffffc0093b8270>] el1_dbg+0x24/0x5c\n[    0.409410] softirqs last  enabled at (54): [<ffffffc0081b80c8>] local_bh_enable+0xc/0x2c\n[    0.410645] softirqs last disabled at (50): [<ffffffc0081b809c>] local_bh_disable+0xc/0x2c\n[    0.411890] ---[ end trace 0000000000000000 ]---\n[    0.413000] smp: Brought up 1 node, 4 CPUs\n[    0.413762] SMP: Total of 4 processors activated.\n[    0.414566] CPU features: detected: 32-bit EL0 Support\n[    0.415414] CPU features: detected: 32-bit EL1 Support\n[    0.416278] CPU features: detected: CRC32 instructions\n[    0.447021] Callback from call_rcu_tasks_rude() invoked.\n[    0.506693] Callback from call_rcu_tasks() invoked.\n\nThis commit therefore fixes this issue by applying a single-CPU\noptimization to the RCU Tasks Rude grace-period process.  The key point\nhere is that the purpose of this RCU flavor is to force a schedule on\neach online CPU since some past event.  But the rcu_tasks_rude_wait_gp()\nfunction runs in the context of the RCU Tasks Rude's grace-period kthread,\nso there must already have been a context switch on the current CPU since\nthe call to either synchronize_rcu_tasks_rude() or call_rcu_tasks_rude().\nSo if there is only a single CPU online, RCU Tasks Rude's grace-period\nkthread does not need to anything at all.\n\nIt turns out that the rcu_tasks_rude_wait_gp() function's call to\nschedule_on_each_cpu() causes problems during early boot.  During that\ntime, there is only one online CPU, namely the boot CPU.  
Therefore,\napplying this single-CPU optimization fixes early-boot instances of\nthis problem.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49540",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential double free during failed mount\n\nRHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2088799",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49541",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()\n\nIn an attempt to log message 0126 with LOG_TRACE_EVENT, the following hard\nlockup call trace hangs the system.\n\nCall Trace:\n _raw_spin_lock_irqsave+0x32/0x40\n lpfc_dmp_dbg.part.32+0x28/0x220 [lpfc]\n lpfc_cmpl_els_fdisc+0x145/0x460 [lpfc]\n lpfc_sli_cancel_jobs+0x92/0xd0 [lpfc]\n lpfc_els_flush_cmd+0x43c/0x670 [lpfc]\n lpfc_els_flush_all_cmd+0x37/0x60 [lpfc]\n lpfc_sli4_async_event_proc+0x956/0x1720 [lpfc]\n lpfc_do_work+0x1485/0x1d70 [lpfc]\n kthread+0x112/0x130\n ret_from_fork+0x1f/0x40\nKernel panic - not syncing: Hard LOCKUP\n\nThe same CPU tries to claim the phba->port_list_lock twice.\n\nMove the cfg_log_verbose checks as part of the lpfc_printf_vlog() and\nlpfc_printf_log() macros before calling lpfc_dmp_dbg().  There is no need\nto take the phba->port_list_lock within lpfc_dmp_dbg().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49542",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix the warning of dev_wake in mhi_pm_disable_transition()\n\nWhen test device recovery with below command, it has warning in message\nas below.\necho assert > /sys/kernel/debug/ath11k/wcn6855\\ hw2.0/simulate_fw_crash\necho assert > /sys/kernel/debug/ath11k/qca6390\\ hw2.0/simulate_fw_crash\n\nwarning message:\n[ 1965.642121] ath11k_pci 0000:06:00.0: simulating firmware assert crash\n[ 1968.471364] ieee80211 phy0: Hardware restart was requested\n[ 1968.511305] ------------[ cut here ]------------\n[ 1968.511368] WARNING: CPU: 3 PID: 1546 at drivers/bus/mhi/core/pm.c:505 mhi_pm_disable_transition+0xb37/0xda0 [mhi]\n[ 1968.511443] Modules linked in: ath11k_pci ath11k mac80211 libarc4 cfg80211 qmi_helpers qrtr_mhi mhi qrtr nvme nvme_core\n[ 1968.511563] CPU: 3 PID: 1546 Comm: kworker/u17:0 Kdump: loaded Tainted: G        W         5.17.0-rc3-wt-ath+ #579\n[ 1968.511629] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n[ 1968.511704] Workqueue: mhi_hiprio_wq mhi_pm_st_worker [mhi]\n[ 1968.511787] RIP: 0010:mhi_pm_disable_transition+0xb37/0xda0 [mhi]\n[ 1968.511870] Code: a9 fe ff ff 4c 89 ff 44 89 04 24 e8 03 46 f6 e5 44 8b 04 24 41 83 f8 01 0f 84 21 fe ff ff e9 4c fd ff ff 0f 0b e9 af f8 ff ff <0f> 0b e9 5c f8 ff ff 48 89 df e8 da 9e ee e3 e9 12 fd ff ff 4c 89\n[ 1968.511923] RSP: 0018:ffffc900024efbf0 EFLAGS: 00010286\n[ 1968.511969] RAX: 00000000ffffffff RBX: ffff88811d241250 RCX: ffffffffc0176922\n[ 1968.512014] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888118a90a24\n[ 1968.512059] RBP: ffff888118a90800 R08: 0000000000000000 R09: ffff888118a90a27\n[ 1968.512102] R10: ffffed1023152144 R11: 0000000000000001 R12: ffff888118a908ac\n[ 1968.512229] R13: ffff888118a90928 R14: dffffc0000000000 R15: ffff888118a90a24\n[ 1968.512310] FS:  0000000000000000(0000) GS:ffff888234200000(0000) 
knlGS:0000000000000000\n[ 1968.512405] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1968.512493] CR2: 00007f5538f443a8 CR3: 000000016dc28001 CR4: 00000000003706e0\n[ 1968.512587] Call Trace:\n[ 1968.512672]  <TASK>\n[ 1968.512751]  ? _raw_spin_unlock_irq+0x1f/0x40\n[ 1968.512859]  mhi_pm_st_worker+0x3ac/0x790 [mhi]\n[ 1968.512959]  ? mhi_pm_mission_mode_transition.isra.0+0x7d0/0x7d0 [mhi]\n[ 1968.513063]  process_one_work+0x86a/0x1400\n[ 1968.513184]  ? pwq_dec_nr_in_flight+0x230/0x230\n[ 1968.513312]  ? move_linked_works+0x125/0x290\n[ 1968.513416]  worker_thread+0x6db/0xf60\n[ 1968.513536]  ? process_one_work+0x1400/0x1400\n[ 1968.513627]  kthread+0x241/0x2d0\n[ 1968.513733]  ? kthread_complete_and_exit+0x20/0x20\n[ 1968.513821]  ret_from_fork+0x22/0x30\n[ 1968.513924]  </TASK>\n\nReason is mhi_deassert_dev_wake() from mhi_device_put() is called\nbut mhi_assert_dev_wake() from __mhi_device_get_sync() is not called\nin progress of recovery. Commit 8e0559921f9a (\"bus: mhi: core:\nSkip device wake in error or shutdown state\") add check for the\npm_state of mhi in __mhi_device_get_sync(), and the pm_state is not\nthe normal state untill recovery is completed, so it leads the\ndev_wake is not 0 and above warning print in mhi_pm_disable_transition()\nwhile checking mhi_cntrl->dev_wake.\n\nAdd check in ath11k_pci_write32()/ath11k_pci_read32() to skip call\nmhi_device_put() if mhi_device_get_sync() does not really do wake,\nthen the warning gone.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49543",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipw2x00: Fix potential NULL dereference in libipw_xmit()\n\ncrypt and crypt->ops could be null, so we need to checking null\nbefore dereference",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49544",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Cancel pending work at closing a MIDI substream\n\nAt closing a USB MIDI output substream, there might be still a pending\nwork, which would eventually access the rawmidi runtime object that is\nbeing released.  For fixing the race, make sure to cancel the pending\nwork at closing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49545",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xffffc900002a9000 (size 4096):\n  comm \"kexec\", pid 14950, jiffies 4295110793 (age 373.951s)\n  hex dump (first 32 bytes):\n    7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  .ELF............\n    04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00  ..>.............\n  backtrace:\n    [<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170\n    [<000000002b66b6c0>] __vmalloc_node+0xb4/0x160\n    [<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0\n    [<0000000019afff23>] crash_load_segments+0x260/0x470\n    [<0000000019ebe95c>] bzImage64_load+0x814/0xad0\n    [<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0\n    [<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0\n    [<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530\n    [<0000000087c19992>] do_syscall_64+0x3b/0x90\n    [<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to\nstore elf headers.  While it's not freed back to system correctly when\nkdump kernel is reloaded or unloaded.  Then memory leak is caused.  Fix it\nby introducing x86 specific function arch_kimage_file_post_load_cleanup(),\nand freeing the buffer there.\n\nAnd also remove the incorrect elf header buffer freeing code.  Before\ncalling arch specific kexec_file loading function, the image instance has\nbeen initialized.  So 'image->elf_headers' must be NULL.  It doesn't make\nsense to free the elf header buffer in the place.\n\nThree different people have reported three bugs about the memory leak on\nx86_64 inside Redhat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49546",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock between concurrent dio writes when low on free data space\n\nWhen reserving data space for a direct IO write we can end up deadlocking\nif we have multiple tasks attempting a write to the same file range, there\nare multiple extents covered by that file range, we are low on available\nspace for data and the writes don't expand the inode's i_size.\n\nThe deadlock can happen like this:\n\n1) We have a file with an i_size of 1M, at offset 0 it has an extent with\n   a size of 128K and at offset 128K it has another extent also with a\n   size of 128K;\n\n2) Task A does a direct IO write against file range [0, 256K), and because\n   the write is within the i_size boundary, it takes the inode's lock (VFS\n   level) in shared mode;\n\n3) Task A locks the file range [0, 256K) at btrfs_dio_iomap_begin(), and\n   then gets the extent map for the extent covering the range [0, 128K).\n   At btrfs_get_blocks_direct_write(), it creates an ordered extent for\n   that file range ([0, 128K));\n\n4) Before returning from btrfs_dio_iomap_begin(), it unlocks the file\n   range [0, 256K);\n\n5) Task A executes btrfs_dio_iomap_begin() again, this time for the file\n   range [128K, 256K), and locks the file range [128K, 256K);\n\n6) Task B starts a direct IO write against file range [0, 256K) as well.\n   It also locks the inode in shared mode, as it's within the i_size limit,\n   and then tries to lock file range [0, 256K). It is able to lock the\n   subrange [0, 128K) but then blocks waiting for the range [128K, 256K),\n   as it is currently locked by task A;\n\n7) Task A enters btrfs_get_blocks_direct_write() and tries to reserve data\n   space. 
Because we are low on available free space, it triggers the\n   async data reclaim task, and waits for it to reserve data space;\n\n8) The async reclaim task decides to wait for all existing ordered extents\n   to complete (through btrfs_wait_ordered_roots()).\n   It finds the ordered extent previously created by task A for the file\n   range [0, 128K) and waits for it to complete;\n\n9) The ordered extent for the file range [0, 128K) can not complete\n   because it blocks at btrfs_finish_ordered_io() when trying to lock the\n   file range [0, 128K).\n\n   This results in a deadlock, because:\n\n   - task B is holding the file range [0, 128K) locked, waiting for the\n     range [128K, 256K) to be unlocked by task A;\n\n   - task A is holding the file range [128K, 256K) locked and it's waiting\n     for the async data reclaim task to satisfy its space reservation\n     request;\n\n   - the async data reclaim task is waiting for ordered extent [0, 128K)\n     to complete, but the ordered extent can not complete because the\n     file range [0, 128K) is currently locked by task B, which is waiting\n     on task A to unlock file range [128K, 256K) and task A waiting\n     on the async data reclaim task.\n\n   This results in a deadlock between 4 task: task A, task B, the async\n   data reclaim task and the task doing ordered extent completion (a work\n   queue task).\n\nThis type of deadlock can sporadically be triggered by the test case\ngeneric/300 from fstests, and results in a stack trace like the following:\n\n[12084.033689] INFO: task kworker/u16:7:123749 blocked for more than 241 seconds.\n[12084.034877]       Not tainted 5.18.0-rc2-btrfs-next-115 #1\n[12084.035562] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[12084.036548] task:kworker/u16:7   state:D stack:    0 pid:123749 ppid:     2 flags:0x00004000\n[12084.036554] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n[12084.036599] Call Trace:\n[12084.036601]  
<TASK>\n[12084.036606]  __schedule+0x3cb/0xed0\n[12084.036616]  schedule+0x4e/0xb0\n[12084.036620]  btrfs_start_ordered_extent+0x109/0x1c0 [btrfs]\n[12084.036651]  ? prepare_to_wait_exclusive+0xc0/0xc0\n[12084.036659]  btrfs_run_ordered_extent_work+0x1a/0x30 [btrfs]\n[12084.036688]  btrfs_work_helper+0xf8/0x400 [btrfs]\n[12084.0367\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49547",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix potential array overflow in bpf_trampoline_get_progs()\n\nThe cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not\ninclude BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of\nthe attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline\ncan exceed BPF_MAX_TRAMP_PROGS.\n\nWhen this happens, the assignment '*progs++ = aux->prog' in\nbpf_trampoline_get_progs() will cause progs array overflow as the\nprogs field in the bpf_tramp_progs struct can only hold at most\nBPF_MAX_TRAMP_PROGS bpf programs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49548",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE/AMD: Fix memory leak when threshold_create_bank() fails\n\nIn mce_threshold_create_device(), if threshold_create_bank() fails, the\npreviously allocated threshold banks array @bp will be leaked because\nthe call to mce_threshold_remove_device() will not free it.\n\nThis happens because mce_threshold_remove_device() fetches the pointer\nthrough the threshold_banks per-CPU variable but bp is written there\nonly after the bank creation is successful, and not before, when\nthreshold_create_bank() fails.\n\nAdd a helper which unwinds all the bank creation work previously done\nand pass into it the previously allocated threshold banks array for\nfreeing.\n\n  [ bp: Massage. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49549",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: provide block_invalidate_folio to fix memory leak\n\nThe ntfs3 filesystem lacks the 'invalidate_folio' method and it causes\nmemory leak. If you write to the filesystem and then unmount it, the\ncached written data are not freed and they are permanently leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49550",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: isp1760: Fix out-of-bounds array access\n\nRunning the driver through kasan gives an interesting splat:\n\n  BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c\n  Read of size 20 at addr f1db2e64 by task swapper/0/1\n  (...)\n  isp1760_register from isp1760_plat_probe+0x1d8/0x220\n  (...)\n\nThis happens because the loop reading the regmap fields for the\ndifferent ISP1760 variants look like this:\n\n  for (i = 0; i < HC_FIELD_MAX; i++) { ... }\n\nMeaning it expects the arrays to be at least HC_FIELD_MAX - 1 long.\n\nHowever the arrays isp1760_hc_reg_fields[], isp1763_hc_reg_fields[],\nisp1763_hc_volatile_ranges[] and isp1763_dc_volatile_ranges[] are\ndynamically sized during compilation.\n\nFix this by putting an empty assignment to the [HC_FIELD_MAX]\nand [DC_FIELD_MAX] array member at the end of each array.\nThis will make the array one member longer than it needs to be,\nbut avoids the risk of overwriting whatever is inside\n[HC_FIELD_MAX - 1] and is simple and intuitive to read. Also\nadd comments explaining what is going on.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49551",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix combination of jit blinding and pointers to bpf subprogs.\n\nThe combination of jit blinding and pointers to bpf subprogs causes:\n[   36.989548] BUG: unable to handle page fault for address: 0000000100000001\n[   36.990342] #PF: supervisor instruction fetch in kernel mode\n[   36.990968] #PF: error_code(0x0010) - not-present page\n[   36.994859] RIP: 0010:0x100000001\n[   36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.\n[   37.004091] Call Trace:\n[   37.004351]  <TASK>\n[   37.004576]  ? bpf_loop+0x4d/0x70\n[   37.004932]  ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b\n\nThe jit blinding logic didn't recognize that ld_imm64 with an address\nof bpf subprogram is a special instruction and proceeded to randomize it.\nBy itself it wouldn't have been an issue, but jit_subprogs() logic\nrelies on two step process to JIT all subprogs and then JIT them\nagain when addresses of all subprogs are known.\nBlinding process in the first JIT phase caused second JIT to miss\nadjustment of special ld_imm64.\n\nFix this issue by ignoring special ld_imm64 instructions that don't have\nuser controlled constants and shouldn't be blinded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49552",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: validate BOOT sectors_per_clusters\n\nWhen the NTFS BOOT sectors_per_clusters field is > 0x80, it represents a\nshift value.  Make sure that the shift value is not too large before using\nit (NTFS max cluster size is 2MB).  Return -EVINVAL if it too large.\n\nThis prevents negative shift values and shift values that are larger than\nthe field size.\n\nPrevents this UBSAN error:\n\n UBSAN: shift-out-of-bounds in ../fs/ntfs3/super.c:673:16\n shift exponent -192 is negative",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49553",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: fix races between asynchronous zspage free and page migration\n\nThe asynchronous zspage free worker tries to lock a zspage's entire page\nlist without defending against page migration.  Since pages which haven't\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\n\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there's a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage's pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\n\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49554",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_qca: Use del_timer_sync() before freeing\n\nWhile looking at a crash report on a timer list being corrupted, which\nusually happens when a timer is freed while still active. This is\ncommonly triggered by code calling del_timer() instead of\ndel_timer_sync() just before freeing.\n\nOne possible culprit is the hci_qca driver, which does exactly that.\n\nEric mentioned that wake_retrans_timer could be rearmed via the work\nqueue, so also move the destruction of the work queue before\ndel_timer_sync().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49555",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak\n\nFor some sev ioctl interfaces, the length parameter that is passed maybe\nless than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data\nthat PSP firmware returns. In this case, kmalloc will allocate memory\nthat is the size of the input rather than the size of the data.\nSince PSP firmware doesn't fully overwrite the allocated buffer, these\nsev ioctl interface may return uninitialized kernel slab memory.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49556",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)\n\nSet the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',\ni.e. to KVM's historical uABI size.  When saving FPU state for usersapce,\nKVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if\nthe host doesn't support XSAVE.  Setting the XSAVE header allows the VM\nto be migrated to a host that does support XSAVE without the new host\nhaving to handle FPU state that may or may not be compatible with XSAVE.\n\nSetting the uABI size to the host's default size results in out-of-bounds\nwrites (setting the FP+SSE bits) and data corruption (that is thankfully\ncaught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.\n\nWARN if the default size is larger than KVM's historical uABI size; all\nfeatures that can push the FPU size beyond the historical size must be\nopt-in.\n\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n  Read of size 8 at addr ffff888011e33a00 by task qemu-build/681\n  CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1\n  Hardware name:  /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x45\n   print_report.cold+0x45/0x575\n   kasan_report+0x9b/0xd0\n   fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n   kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]\n   kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]\n   __x64_sys_ioctl+0x5de/0xc90\n   do_syscall_64+0x31/0x50\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   </TASK>\n  Allocated by task 0:\n  (stack is not available)\n  The buggy address belongs to the object at ffff888011e33800\n   which belongs to the cache kmalloc-512 of size 512\n  The buggy address is located 0 bytes to the right of\n   512-byte region [ffff888011e33800, ffff888011e33a00)\n 
 The buggy address belongs to the physical page:\n  page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30\n  head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0\n  flags: 0x4000000000010200(slab|head|zone=1)\n  raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80\n  raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\n  Memory state around the buggy address:\n   ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                     ^\n   ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n   ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n  ==================================================================\n  Disabling lock debugging due to kernel taint",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49557",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: double hook unregistration in netns path\n\n__nft_release_hooks() is called from pre_netns exit path which\nunregisters the hooks, then the NETDEV_UNREGISTER event is triggered\nwhich unregisters the hooks again.\n\n[  565.221461] WARNING: CPU: 18 PID: 193 at net/netfilter/core.c:495 __nf_unregister_net_hook+0x247/0x270\n[...]\n[  565.246890] CPU: 18 PID: 193 Comm: kworker/u64:1 Tainted: G            E     5.18.0-rc7+ #27\n[  565.253682] Workqueue: netns cleanup_net\n[  565.257059] RIP: 0010:__nf_unregister_net_hook+0x247/0x270\n[...]\n[  565.297120] Call Trace:\n[  565.300900]  <TASK>\n[  565.304683]  nf_tables_flowtable_event+0x16a/0x220 [nf_tables]\n[  565.308518]  raw_notifier_call_chain+0x63/0x80\n[  565.312386]  unregister_netdevice_many+0x54f/0xb50\n\nUnregister and destroy netdev hook from netns pre_exit via kfree_rcu\nso the NETDEV_UNREGISTER path see unregistered hooks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49558",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Drop WARNs that assert a triple fault never \"escapes\" from L2\n\nRemove WARNs that sanity check that KVM never lets a triple fault for L2\nescape and incorrectly end up in L1.  In normal operation, the sanity\ncheck is perfectly valid, but it incorrectly assumes that it's impossible\nfor userspace to induce KVM_REQ_TRIPLE_FAULT without bouncing through\nKVM_RUN (which guarantees kvm_check_nested_state() will see and handle\nthe triple fault).\n\nThe WARN can currently be triggered if userspace injects a machine check\nwhile L2 is active and CR4.MCE=0.  And a future fix to allow save/restore\nof KVM_REQ_TRIPLE_FAULT, e.g. so that a synthesized triple fault isn't\nlost on migration, will make it trivially easy for userspace to trigger\nthe WARN.\n\nClearing KVM_REQ_TRIPLE_FAULT when forcibly leaving guest mode is\ntempting, but wrong, especially if/when the request is saved/restored,\ne.g. if userspace restores events (including a triple fault) and then\nrestores nested state (which may forcibly leave guest mode).  
Ignoring\nthe fact that KVM doesn't currently provide the necessary APIs, it's\nuserspace's responsibility to manage pending events during save/restore.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 7 PID: 1399 at arch/x86/kvm/vmx/nested.c:4522 nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 7 PID: 1399 Comm: state_test Not tainted 5.17.0-rc3+ #808\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n  Call Trace:\n   <TASK>\n   vmx_leave_nested+0x30/0x40 [kvm_intel]\n   vmx_set_nested_state+0xca/0x3e0 [kvm_intel]\n   kvm_arch_vcpu_ioctl+0xf49/0x13e0 [kvm]\n   kvm_vcpu_ioctl+0x4b9/0x660 [kvm]\n   __x64_sys_ioctl+0x83/0xb0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49559",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: check if cluster num is valid\n\nSyzbot reported slab-out-of-bounds read in exfat_clear_bitmap.\nThis was triggered by reproducer calling truncute with size 0,\nwhich causes the following trace:\n\nBUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174\nRead of size 8 at addr ffff888115aa9508 by task syz-executor251/365\n\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118\n print_address_description+0x81/0x3c0 mm/kasan/report.c:233\n __kasan_report mm/kasan/report.c:419 [inline]\n kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309\n exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174\n exfat_free_cluster+0x25a/0x4a0 fs/exfat/fatent.c:181\n __exfat_truncate+0x99e/0xe00 fs/exfat/file.c:217\n exfat_truncate+0x11b/0x4f0 fs/exfat/file.c:243\n exfat_setattr+0xa03/0xd40 fs/exfat/file.c:339\n notify_change+0xb76/0xe10 fs/attr.c:336\n do_truncate+0x1ea/0x2d0 fs/open.c:65\n\nMove the is_valid_cluster() helper from fatent.c to a common\nheader to make it reusable in other *.c files. And add is_valid_cluster()\nto validate if cluster number is within valid range in exfat_clear_bitmap()\nand exfat_set_bitmap().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49560",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: re-fetch conntrack after insertion\n\nIn case the conntrack is clashing, insertion can free skb->_nfct and\nset skb->_nfct to the already-confirmed entry.\n\nThis wasn't found before because the conntrack entry and the extension\nspace used to free'd after an rcu grace period, plus the race needs\nevents enabled to trigger.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49561",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits\n\nUse the recently introduced __try_cmpxchg_user() to update guest PTE A/D\nbits instead of mapping the PTE into kernel address space.  The VM_PFNMAP\npath is broken as it assumes that vm_pgoff is the base pfn of the mapped\nVMA range, which is conceptually wrong as vm_pgoff is the offset relative\nto the file and has nothing to do with the pfn.  The horrific hack worked\nfor the original use case (backing guest memory with /dev/mem), but leads\nto accessing \"random\" pfns for pretty much any other VM_PFNMAP case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49562",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for RSA\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49563",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49564",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/lbr: Fix unchecked MSR access error on HSW\n\nThe fuzzer triggers the below trace.\n\n[ 7763.384369] unchecked MSR access error: WRMSR to 0x689\n(tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4\n(native_write_msr+0x4/0x20)\n[ 7763.397420] Call Trace:\n[ 7763.399881]  <TASK>\n[ 7763.401994]  intel_pmu_lbr_restore+0x9a/0x1f0\n[ 7763.406363]  intel_pmu_lbr_sched_task+0x91/0x1c0\n[ 7763.410992]  __perf_event_task_sched_in+0x1cd/0x240\n\nOn a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is\ndisabled, a TSX quirk is required to access LBR from registers.\nThe lbr_from_signext_quirk_needed() is introduced to determine whether\nthe TSX quirk should be applied. However, the\nlbr_from_signext_quirk_needed() is invoked before the\nintel_pmu_lbr_init(), which parses the LBR format information. Without\nthe correct LBR format information, the TSX quirk never be applied.\n\nMove the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init().\nChecking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is\nnot required anymore.\n\nBoth LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but\nonly the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments\naccordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49565",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix memory leak in RSA\n\nWhen an RSA key represented in form 2 (as defined in PKCS #1 V2.1) is\nused, some components of the private key persist even after the TFM is\nreleased.\nReplace the explicit calls to free the buffers in qat_rsa_exit_tfm()\nwith a call to qat_rsa_clear_ctx() which frees all buffers referenced in\nthe TFM context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49566",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix uninit-value in mpol_rebind_policy()\n\nmpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when\npol->mode is MPOL_LOCAL.  Check pol->mode before access\npol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).\n\nBUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]\nBUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\n mpol_rebind_policy mm/mempolicy.c:352 [inline]\n mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\n cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]\n cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278\n cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515\n cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]\n cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804\n __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520\n cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539\n cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852\n kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296\n call_write_iter include/linux/fs.h:2162 [inline]\n new_sync_write fs/read_write.c:503 [inline]\n vfs_write+0x1318/0x2030 fs/read_write.c:590\n ksys_write+0x28b/0x510 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0xdb/0x120 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n slab_alloc mm/slub.c:3259 [inline]\n kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264\n mpol_new mm/mempolicy.c:293 [inline]\n do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853\n kernel_set_mempolicy mm/mempolicy.c:1504 [inline]\n __do_sys_set_mempolicy 
mm/mempolicy.c:1510 [inline]\n __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507\n __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nKMSAN: uninit-value in mpol_rebind_task (2)\nhttps://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc\n\nThis patch seems to fix below bug too.\nKMSAN: uninit-value in mpol_rebind_mm (2)\nhttps://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b\n\nThe uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().\nWhen syzkaller reproducer runs to the beginning of mpol_new(),\n\n\t    mpol_new() mm/mempolicy.c\n\t  do_mbind() mm/mempolicy.c\n\tkernel_mbind() mm/mempolicy.c\n\n`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`\nis 0. Then\n\n\tmode = MPOL_LOCAL;\n\t...\n\tpolicy->mode = mode;\n\tpolicy->flags = flags;\n\nwill be executed. So in mpol_set_nodemask(),\n\n\t    mpol_set_nodemask() mm/mempolicy.c\n\t  do_mbind()\n\tkernel_mbind()\n\npol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,\nwhich will be accessed in mpol_rebind_policy().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49567",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't null dereference ops->destroy\n\nA KVM device cleanup happens in either of two callbacks:\n1) destroy() which is called when the VM is being destroyed;\n2) release() which is called when a device fd is closed.\n\nMost KVM devices use 1) but Book3s's interrupt controller KVM devices\n(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during\nthe machine execution. The error handling in kvm_ioctl_create_device()\nassumes destroy() is always defined which leads to NULL dereference as\ndiscovered by Syzkaller.\n\nThis adds a checks for destroy!=NULL and adds a missing release().\n\nThis is not changing kvm_destroy_devices() as devices with defined\nrelease() should have been removed from the KVM devices list by then.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49568",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers\n\nIn case a IRQ based transfer times out the bcm2835_spi_handle_err()\nfunction is called. Since commit 1513ceee70f2 (\"spi: bcm2835: Drop\ndma_pending flag\") the TX and RX DMA transfers are unconditionally\ncanceled, leading to NULL pointer derefs if ctlr->dma_tx or\nctlr->dma_rx are not set.\n\nFix the NULL pointer deref by checking that ctlr->dma_tx and\nctlr->dma_rx are valid pointers before accessing them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49569",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: gpio-xilinx: Fix integer overflow\n\nCurrent implementation is not able to configure more than 32 pins\ndue to incorrect data type. So type casting with unsigned long\nto avoid it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49570",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_max_reordering.\n\nWhile reading sysctl_tcp_max_reordering, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49571",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_slow_start_after_idle.\n\nWhile reading sysctl_tcp_slow_start_after_idle, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49572",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_early_retrans.\n\nWhile reading sysctl_tcp_early_retrans, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49573",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_recovery.\n\nWhile reading sysctl_tcp_recovery, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49574",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.\n\nWhile reading sysctl_tcp_thin_linear_timeouts, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49575",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix data-races around sysctl_fib_multipath_hash_fields.\n\nWhile reading sysctl_fib_multipath_hash_fields, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49576",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix a data-race around sysctl_udp_l3mdev_accept.\n\nWhile reading sysctl_udp_l3mdev_accept, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49577",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_prot_sock.\n\nsysctl_ip_prot_sock is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49578",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix data-races around sysctl_fib_multipath_hash_policy.\n\nWhile reading sysctl_fib_multipath_hash_policy, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49579",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.\n\nWhile reading sysctl_fib_multipath_use_neigh, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49580",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix buffer overflow in be_get_module_eeprom\n\nbe_cmd_read_port_transceiver_data assumes that it is given a buffer that\nis at least PAGE_DATA_LEN long, or twice that if the module supports SFF\n8472. However, this is not always the case.\n\nFix this by passing the desired offset and length to\nbe_cmd_read_port_transceiver_data so that we only copy the bytes once.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49581",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix NULL pointer dereference in dsa_port_reset_vlan_filtering\n\nThe \"ds\" iterator variable used in dsa_port_reset_vlan_filtering() ->\ndsa_switch_for_each_port() overwrites the \"dp\" received as argument,\nwhich is later used to call dsa_port_vlan_filtering() proper.\n\nAs a result, switches which do enter that code path (the ones with\nvlan_filtering_is_global=true) will dereference an invalid dp in\ndsa_port_reset_vlan_filtering() after leaving a VLAN-aware bridge.\n\nUse a dedicated \"other_dp\" iterator variable to avoid this from\nhappening.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49582",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix handling of dummy receive descriptors\n\nFix memory leak caused by not handling dummy receive descriptor properly.\niavf_get_rx_buffer now sets the rx_buffer return value for dummy receive\ndescriptors. Without this patch, when the hardware writes a dummy\ndescriptor, iavf would not free the page allocated for the previous receive\nbuffer. This is an unlikely event but can still happen.\n\n[Jesse: massaged commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49583",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Add locking to prevent panic when setting sriov_numvfs to zero\n\nIt is possible to disable VFs while the PF driver is processing requests\nfrom the VF driver.  This can result in a panic.\n\nBUG: unable to handle kernel paging request at 000000000000106c\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I      --------- -\nHardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020\nRIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe]\nCode: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff\n01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 <41> 80 7c 24 4c\n00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a\nRSP: 0018:ffffb337869f8df8 EFLAGS: 00010002\nRAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b\nRDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006\nRBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780\nR10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020\nR13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80\nFS:  0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? ttwu_do_wakeup+0x19/0x140\n ? try_to_wake_up+0x1cd/0x550\n ? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf]\n ixgbe_msix_other+0x17e/0x310 [ixgbe]\n __handle_irq_event_percpu+0x40/0x180\n handle_irq_event_percpu+0x30/0x80\n handle_irq_event+0x36/0x53\n handle_edge_irq+0x82/0x190\n handle_irq+0x1c/0x30\n do_IRQ+0x49/0xd0\n common_interrupt+0xf/0xf\n\nThis can be eventually be reproduced with the following script:\n\nwhile :\ndo\n    echo 63 > /sys/class/net/<devname>/device/sriov_numvfs\n    sleep 1\n    echo 0 > /sys/class/net/<devname>/device/sriov_numvfs\n    sleep 1\ndone\n\nAdd lock when disabling SR-IOV to prevent process VF mailbox communication.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49584",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout.\n\nWhile reading sysctl_tcp_fastopen_blackhole_timeout, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49585",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_fastopen.\n\nWhile reading sysctl_tcp_fastopen, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49586",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_notsent_lowat.\n\nWhile reading sysctl_tcp_notsent_lowat, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49587",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_migrate_req.\n\nWhile reading sysctl_tcp_migrate_req, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49588",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigmp: Fix data-races around sysctl_igmp_qrv.\n\nWhile reading sysctl_igmp_qrv, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.\n\nThis test can be packed into a helper, so such changes will be in the\nfollow-up series after net is merged into net-next.\n\n  qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv);",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49589",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigmp: Fix data-races around sysctl_igmp_llm_reports.\n\nWhile reading sysctl_igmp_llm_reports, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.\n\nThis test can be packed into a helper, so such changes will be in the\nfollow-up series after net is merged into net-next.\n\n  if (ipv4_is_local_multicast(pmc->multiaddr) &&\n      !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49590",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: ksz_common: Fix refcount leak bug\n\nIn ksz_switch_register(), we should call of_node_put() for the\nreference returned by of_get_child_by_name() which has increased\nthe refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49591",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix dma queue left shift overflow issue\n\nWhen queue number is > 4, left shift overflows due to 32 bits\ninteger variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.\n\nIf CONFIG_UBSAN is enabled, kernel dumps below warning:\n[   10.363842] ==================================================================\n[   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/\nlinux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12\n[   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'\n[   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg\n[   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021\n[   10.363958] Call Trace:\n[   10.363960]  <TASK>\n[   10.363963]  dump_stack_lvl+0x4a/0x5f\n[   10.363971]  dump_stack+0x10/0x12\n[   10.363974]  ubsan_epilogue+0x9/0x45\n[   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n[   10.363979]  ? wake_up_klogd+0x4a/0x50\n[   10.363983]  ? vprintk_emit+0x8f/0x240\n[   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]\n[   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]\n[   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]\n[   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]\n[   10.364030]  ? page_pool_alloc_pages+0x4d/0x70\n[   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]\n[   10.364042]  stmmac_open+0x39e/0x920 [stmmac]\n[   10.364050]  __dev_open+0xf0/0x1a0\n[   10.364054]  __dev_change_flags+0x188/0x1f0\n[   10.364057]  dev_change_flags+0x26/0x60\n[   10.364059]  do_setlink+0x908/0xc40\n[   10.364062]  ? do_setlink+0xb10/0xc40\n[   10.364064]  ? __nla_validate_parse+0x4c/0x1a0\n[   10.364068]  __rtnl_newlink+0x597/0xa10\n[   10.364072]  ? __nla_reserve+0x41/0x50\n[   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0\n[   10.364079]  ? pskb_expand_head+0x75/0x310\n[   10.364082]  ? nla_reserve_64bit+0x21/0x40\n[   10.364086]  ? skb_free_head+0x65/0x80\n[   10.364089]  ? security_sock_rcv_skb+0x2c/0x50\n[   10.364094]  ? __cond_resched+0x19/0x30\n[   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420\n[   10.364100]  rtnl_newlink+0x49/0x70\n\nThis change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue\nmapping warning.\n\nBugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49592",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_probe_interval.\n\nWhile reading sysctl_tcp_probe_interval, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49593",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.\n\nWhile reading sysctl_tcp_mtu_probe_floor, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49594",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_probe_threshold.\n\nWhile reading sysctl_tcp_probe_threshold, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49595",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_min_snd_mss.\n\nWhile reading sysctl_tcp_min_snd_mss, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49596",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_base_mss.\n\nWhile reading sysctl_tcp_base_mss, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49597",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_mtu_probing.\n\nWhile reading sysctl_tcp_mtu_probing, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49598",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix data-races around sysctl_tcp_l3mdev_accept.\n\nWhile reading sysctl_tcp_l3mdev_accept, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49599",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix a data-race around sysctl_ip_autobind_reuse.\n\nWhile reading sysctl_ip_autobind_reuse, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49600",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.\n\nWhile reading sysctl_tcp_fwmark_accept, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49601",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix a data-race around sysctl_fwmark_reflect.\n\nWhile reading sysctl_fwmark_reflect, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49602",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_fwd_update_priority.\n\nWhile reading sysctl_ip_fwd_update_priority, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49603",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_fwd_use_pmtu.\n\nWhile reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49604",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reinstate IGC_REMOVED logic and implement it properly\n\nThe initially merged version of the igc driver code (via commit\n146740f9abc4, \"igc: Add support for PF\") contained the following\nIGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:\n\n\tu32 igc_rd32(struct igc_hw *hw, u32 reg)\n\t{\n\t\tu8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);\n\t\tu32 value = 0;\n\n\t\tif (IGC_REMOVED(hw_addr))\n\t\t\treturn ~value;\n\n\t\tvalue = readl(&hw_addr[reg]);\n\n\t\t/* reads should not return all F's */\n\t\tif (!(~value) && (!reg || !(~readl(hw_addr))))\n\t\t\thw->hw_addr = NULL;\n\n\t\treturn value;\n\t}\n\nAnd:\n\n\t#define wr32(reg, val) \\\n\tdo { \\\n\t\tu8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \\\n\t\tif (!IGC_REMOVED(hw_addr)) \\\n\t\t\twritel((val), &hw_addr[(reg)]); \\\n\t} while (0)\n\nE.g. igb has similar checks in its MMIO accessors, and has a similar\nmacro E1000_REMOVED, which is implemented as follows:\n\n\t#define E1000_REMOVED(h) unlikely(!(h))\n\nThese checks serve to detect and take note of an 0xffffffff MMIO read\nreturn from the device, which can be caused by a PCIe link flap or some\nother kind of PCI bus error, and to avoid performing MMIO reads and\nwrites from that point onwards.\n\nHowever, the IGC_REMOVED macro was not originally implemented:\n\n\t#ifndef IGC_REMOVED\n\t#define IGC_REMOVED(a) (0)\n\t#endif /* IGC_REMOVED */\n\nThis led to the IGC_REMOVED logic to be removed entirely in a\nsubsequent commit (commit 3c215fb18e70, \"igc: remove IGC_REMOVED\nfunction\"), with the rationale that such checks matter only for\nvirtualization and that igc does not support virtualization -- but a\nPCIe device can become detached even without virtualization being in\nuse, and without proper checks, a PCIe bus error affecting an igc\nadapter will lead to various NULL pointer dereferences, as the first\naccess after the error will set hw->hw_addr to NULL, and subsequent\naccesses will blindly dereference this now-NULL pointer.\n\nThis patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and\nimplements IGC_REMOVED the way it is done for igb, by checking for the\nunlikely() case of hw_addr being NULL.  This change prevents the oopses\nseen when a PCIe link flap occurs on an igc adapter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49605",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix sleep from invalid context BUG\n\nTaking the qos_mutex to process RoCEv2 QP's on netdev events causes a\nkernel splat.\n\nFix this by removing the handling for RoCEv2 in\nirdma_cm_teardown_connections that uses the mutex. This handling is only\nneeded for iWARP to avoid having connections established while the link is\ndown or having connections remain functional after the IP address is\nremoved.\n\n  BUG: sleeping function called from invalid context at kernel/locking/mutex.\n  Call Trace:\n  kernel: dump_stack+0x66/0x90\n  kernel: ___might_sleep.cold.92+0x8d/0x9a\n  kernel: mutex_lock+0x1c/0x40\n  kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma]\n  kernel: ? check_preempt_curr+0x7a/0x90\n  kernel: ? select_idle_sibling+0x22/0x3c0\n  kernel: ? select_task_rq_fair+0x94c/0xc90\n  kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma]\n  kernel: ? __wake_up_common+0x7a/0x190\n  kernel: irdma_if_notify+0x3cc/0x450 [irdma]\n  kernel: ? sched_clock_cpu+0xc/0xb0\n  kernel: irdma_inet6addr_event+0xc6/0x150 [irdma]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49606",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix data race between perf_event_set_output() and perf_mmap_close()\n\nYang Jihing reported a race between perf_event_set_output() and\nperf_mmap_close():\n\n\tCPU1\t\t\t\t\tCPU2\n\n\tperf_mmap_close(e2)\n\t  if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0\n\t    detach_rest = true\n\n\t\t\t\t\t\tioctl(e1, IOC_SET_OUTPUT, e2)\n\t\t\t\t\t\t  perf_event_set_output(e1, e2)\n\n\t  ...\n\t  list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)\n\t    ring_buffer_attach(e, NULL);\n\t    // e1 isn't yet added and\n\t    // therefore not detached\n\n\t\t\t\t\t\t    ring_buffer_attach(e1, e2->rb)\n\t\t\t\t\t\t      list_add_rcu(&e1->rb_entry,\n\t\t\t\t\t\t\t\t   &e2->rb->event_list)\n\nAfter this; e1 is attached to an unmapped rb and a subsequent\nperf_mmap() will loop forever more:\n\n\tagain:\n\t\tmutex_lock(&e->mmap_mutex);\n\t\tif (event->rb) {\n\t\t\t...\n\t\t\tif (!atomic_inc_not_zero(&e->rb->mmap_count)) {\n\t\t\t\t...\n\t\t\t\tmutex_unlock(&e->mmap_mutex);\n\t\t\t\tgoto again;\n\t\t\t}\n\t\t}\n\nThe loop in perf_mmap_close() holds e2->mmap_mutex, while the attach\nin perf_event_set_output() holds e1->mmap_mutex. As such there is no\nserialization to avoid this race.\n\nChange perf_event_set_output() to take both e1->mmap_mutex and\ne2->mmap_mutex to alleviate that problem. Additionally, have the loop\nin perf_mmap() detach the rb directly, this avoids having to wait for\nthe concurrent perf_mmap_close() to get around to doing it to make\nprogress.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49607",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: ralink: Check for null return of devm_kcalloc\n\nBecause of the possible failure of the allocation, data->domains might\nbe NULL pointer and will cause the dereference of the NULL pointer\nlater.\nTherefore, it might be better to check it and directly return -ENOMEM\nwithout releasing data manually if fails, because the comment of the\ndevm_kmalloc() says \"Memory allocated with this function is\nautomatically freed on driver detach.\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49608",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe\n\nof_find_matching_node_and_match() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49609",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Prevent RSB underflow before vmenter\n\nOn VMX, there are some balanced returns between the time the guest's\nSPEC_CTRL value is written, and the vmenter.\n\nBalanced returns (matched by a preceding call) are usually ok, but it's\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\n\nFor maximum paranoia, don't allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n\n  [ bp: Fix 32-bit build. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49610",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/speculation: Fill RSB on vmexit for IBRS\n\nPrevent RSB underflow/poisoning attacks with RSB.  While at it, add a\nbunch of comments to attempt to document the current state of tribal\nknowledge about RSB attacks and what exactly is being mitigated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49611",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: core: Fix boundary conditions in interpolation\n\nThe functions power_supply_temp2resist_simple and power_supply_ocv2cap_simple\nhandle boundary conditions incorrectly.\nThe change was introduced in a4585ba2050f460f749bbaf2b67bd56c41e30283\n(\"power: supply: core: Use library interpolation\").\nThere are two issues: First, the lines \"high = i - 1\" and \"high = i\" in ocv2cap\nhave the wrong order compared to temp2resist. As a consequence, ocv2cap\nsets high=-1 if ocv>table[0].ocv, which causes an out-of-bounds read.\nSecond, the logic of temp2resist is also not correct.\nConsider the case table[] = {{20, 100}, {10, 80}, {0, 60}}.\nFor temp=5, we expect a resistance of 70% by interpolation.\nHowever, temp2resist sets high=low=2 and returns 60.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49612",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix PM usage_count for console handover\n\nWhen console is enabled, univ8250_console_setup() calls\nserial8250_console_setup() before .dev is set to uart_port. Therefore,\nit will not call pm_runtime_get_sync(). Later, when the actual driver\nis going to take over univ8250_console_exit() is called. As .dev is\nalready set, serial8250_console_exit() makes pm_runtime_put_sync() call\nwith usage count being zero triggering PM usage count warning\n(extra debug for univ8250_console_setup(), univ8250_console_exit(), and\nserial8250_register_ports()):\n\n[    0.068987] univ8250_console_setup ttyS0 nodev\n[    0.499670] printk: console [ttyS0] enabled\n[    0.717955] printk: console [ttyS0] printing thread started\n[    1.960163] serial8250_register_ports assigned dev for ttyS0\n[    1.976830] printk: console [ttyS0] disabled\n[    1.976888] printk: console [ttyS0] printing thread stopped\n[    1.977073] univ8250_console_exit ttyS0 usage:0\n[    1.977075] serial8250 serial8250: Runtime PM usage count underflow!\n[    1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A\n[    1.977812] univ8250_console_setup ttyS0 usage:2\n[    1.978167] printk: console [ttyS0] printing thread started\n[    1.978203] printk: console [ttyS0] enabled\n\nTo fix the issue, call pm_runtime_get_sync() in\nserial8250_register_ports() as soon as .dev is set for an uart_port\nif it has console enabled.\n\nThis problem became apparent only recently because 82586a721595 (\"PM:\nruntime: Avoid device usage count underflows\") added the warning\nprintout. I confirmed this problem also occurs with v5.18 (w/o the\nwarning printout, obviously).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49613",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error\n\nThe initial settings will be written before the codec probe function.\nBut, the rt711->component doesn't be assigned yet.\nIf IO error happened during initial settings operations, it will cause the kernel panic.\nThis patch changed component->dev to slave->dev to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49615",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt7*-sdw: harden jack_detect_handler\n\nRealtek headset codec drivers typically check if the card is\ninstantiated before proceeding with the jack detection.\n\nThe rt700, rt711 and rt711-sdca are however missing a check on the\ncard pointer, which can lead to NULL dereferences encountered in\ndriver bind/unbind tests.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49616",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: handle errors on card registration\n\nIf the card registration fails, typically because of deferred probes,\nthe device properties added for headset codecs are not removed, which\nleads to kernel oopses in driver bind/unbind tests.\n\nWe already clean-up the device properties when the card is removed,\nthis code can be moved as a helper and called upon card registration\nerrors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49617",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()\n\npdesc could be null but still dereference pdesc->name and it will lead to\na null pointer access. So we move a null check before dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49618",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sfp: fix memory leak in sfp_probe()\n\nsfp_probe() allocates a memory chunk from sfp with sfp_alloc(). When\ndevm_add_action() fails, sfp is not freed, which leads to a memory leak.\n\nWe should use devm_add_action_or_reset() instead of devm_add_action().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49619",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tipc: fix possible refcount leak in tipc_sk_create()\n\nFree sk in case tipc_sk_insert() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49620",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: pmac32-cpufreq: Fix refcount leak bug\n\nIn pmac_cpufreq_init_MacRISC3(), we need to add corresponding\nof_node_put() for the three node pointers whose refcount have\nbeen incremented by of_find_node_by_name().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49621",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: avoid skb access on nf_stolen\n\nWhen verdict is NF_STOLEN, the skb might have been freed.\n\nWhen tracing is enabled, this can result in a use-after-free:\n1. access to skb->nf_trace\n2. access to skb->mark\n3. computation of trace id\n4. dump of packet payload\n\nTo avoid 1, keep a cached copy of skb->nf_trace in the\ntrace state struct.\nRefresh this copy whenever verdict is != STOLEN.\n\nAvoid 2 by skipping skb->mark access if verdict is STOLEN.\n\n3 is avoided by precomputing the trace id.\n\nOnly dump the packet when verdict is not \"STOLEN\".",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49622",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive/spapr: correct bitmap allocation size\n\nkasan detects access beyond the end of the xibm->bitmap allocation:\n\nBUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140\nRead of size 8 at addr c00000001d1d0118 by task swapper/0/1\n\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28\nCall Trace:\n[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable)\n[c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710\n[c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354\n[c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0\n[c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140\n[c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260\n[c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450\n[c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118\n[c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac\n[c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640\n[c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0\n[c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64\n\nAllocated by task 0:\n kasan_save_stack+0x34/0x70\n __kasan_kmalloc+0xb4/0xf0\n __kmalloc+0x268/0x540\n xive_spapr_init+0x4d0/0x77c\n pseries_init_irq+0x40/0x27c\n init_IRQ+0x44/0x84\n start_kernel+0x2a4/0x538\n start_here_common+0x1c/0x20\n\nThe buggy address belongs to the object at c00000001d1d0118\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n 8-byte region [c00000001d1d0118, c00000001d1d0120)\n\nThe buggy address belongs to the physical page:\npage:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d\nflags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff)\nraw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480\nraw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc\n>c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc\n                            ^\n c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc\n c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc\n\nThis happens because the allocation uses the wrong unit (bits) when it\nshould pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small\nnumbers of bits, the allocated object can be smaller than sizeof(long),\nwhich results in invalid accesses.\n\nUse bitmap_zalloc() to allocate and initialize the irq bitmap, paired with\nbitmap_free() for consistency.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49623",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: remove aq_nic_deinit() when resume\n\naq_nic_deinit() has been called while suspending, so we don't have to call\nit again on resume.\nActually, call it again leads to another hang issue when resuming from\nS3.\n\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace:\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] <TASK>\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic]\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic]\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] </TASK>\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]---\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110\nJul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49624",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix kernel panic when creating VF\n\nWhen creating VFs a kernel panic can happen when calling to\nefx_ef10_try_update_nic_stats_vf.\n\nWhen releasing a DMA coherent buffer, sometimes, I don't know in what\nspecific circumstances, it has to unmap memory with vunmap. It is\ndisallowed to do that in IRQ context or with BH disabled. Otherwise, we\nhit this line in vunmap, causing the crash:\n  BUG_ON(in_interrupt());\n\nThis patch reenables BH to release the buffer.\n\nLog messages when the bug is hit:\n kernel BUG at mm/vmalloc.c:2727!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G          I      --------- ---  5.14.0-119.el9.x86_64 #1\n Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020\n RIP: 0010:vunmap+0x2e/0x30\n ...skip...\n Call Trace:\n  __iommu_dma_free+0x96/0x100\n  efx_nic_free_buffer+0x2b/0x40 [sfc]\n  efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]\n  efx_ef10_update_stats_vf+0x18/0x40 [sfc]\n  efx_start_all+0x15e/0x1d0 [sfc]\n  efx_net_open+0x5a/0xe0 [sfc]\n  __dev_open+0xe7/0x1a0\n  __dev_change_flags+0x1d7/0x240\n  dev_change_flags+0x21/0x60\n  ...skip...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49625",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix use after free when disabling sriov\n\nUse after free is detected by kfence when disabling sriov. What was read\nafter being freed was vf->pci_dev: it was freed from pci_disable_sriov\nand later read in efx_ef10_sriov_free_vf_vports, called from\nefx_ef10_sriov_free_vf_vswitching.\n\nSet the pointer to NULL at release time to not trying to read it later.\n\nReproducer and dmesg log (note that kfence doesn't detect it every time):\n$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs\n$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs\n\n BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]\n\n Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):\n  efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]\n  efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]\n  efx_pci_sriov_configure+0x24/0x40 [sfc]\n  sriov_numvfs_store+0xfe/0x140\n  kernfs_fop_write_iter+0x11c/0x1b0\n  new_sync_write+0x11f/0x1b0\n  vfs_write+0x1eb/0x280\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x5c/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k\n\n allocated by task 6771 on cpu 10 at 3137.860196s:\n  pci_alloc_dev+0x21/0x60\n  pci_iov_add_virtfn+0x2a2/0x320\n  sriov_enable+0x212/0x3e0\n  efx_ef10_sriov_configure+0x67/0x80 [sfc]\n  efx_pci_sriov_configure+0x24/0x40 [sfc]\n  sriov_numvfs_store+0xba/0x140\n  kernfs_fop_write_iter+0x11c/0x1b0\n  new_sync_write+0x11f/0x1b0\n  vfs_write+0x1eb/0x280\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x5c/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n freed by task 6771 on cpu 12 at 3170.991309s:\n  device_release+0x34/0x90\n  kobject_cleanup+0x3a/0x130\n  pci_iov_remove_virtfn+0xd9/0x120\n  sriov_disable+0x30/0xe0\n  efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]\n  efx_pci_sriov_configure+0x24/0x40 [sfc]\n  sriov_numvfs_store+0xfe/0x140\n  kernfs_fop_write_iter+0x11c/0x1b0\n  new_sync_write+0x11f/0x1b0\n  vfs_write+0x1eb/0x280\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x5c/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49626",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix potential memory leak in ima_init_crypto()\n\nOn failure to allocate the SHA1 tfm, IMA fails to initialize and exits\nwithout freeing the ima_algo_array. Add the missing kfree() for\nima_algo_array to avoid the potential memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49627",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix leaks in probe\n\nThese two error paths should clean up before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49628",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix data-races around nexthop_compat_mode.\n\nWhile reading nexthop_compat_mode, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49629",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix a data-race around sysctl_tcp_ecn_fallback.\n\nWhile reading sysctl_tcp_ecn_fallback, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49630",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nraw: Fix a data-race around sysctl_raw_l3mdev_accept.\n\nWhile reading sysctl_raw_l3mdev_accept, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49631",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: Fix a data-race around sysctl_icmp_errors_use_inbound_ifaddr.\n\nWhile reading sysctl_icmp_errors_use_inbound_ifaddr, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its reader.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49632",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: Fix data-races around sysctl_icmp_echo_enable_probe.\n\nWhile reading sysctl_icmp_echo_enable_probe, it can be changed\nconcurrently.  Thus, we need to add READ_ONCE() to its readers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49633",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data-races in proc_dou8vec_minmax().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_dou8vec_minmax() to use READ_ONCE() and\nWRITE_ONCE() internally to fix data-races on the sysctl side.  For now,\nproc_dou8vec_minmax() itself is tolerant to a data-race, but we still\nneed to add annotations on the other subsystem's side.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49634",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/selftests: fix subtraction overflow bug\n\nOn some machines hole_end can be small enough to cause subtraction\noverflow. On the other side (addr + 2 * min_alignment) can overflow\nin case of mock tests. This patch should handle both cases.\n\n(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49635",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: fix memory leak in vlan_newlink()\n\nBlamed commit added back a bug I fixed in commit 9bbd917e0bec\n(\"vlan: fix memory leak in vlan_dev_set_egress_priority\")\n\nIf a memory allocation fails in vlan_changelink() after other allocations\nsucceeded, we need to call vlan_dev_free_egress_priority()\nto free all allocated memory because after a failed ->newlink()\nwe do not call any methods like ndo_uninit() or dev->priv_destructor().\n\nIn following example, if the allocation for last element 2000:2001 fails,\nwe need to free eight prior allocations:\n\nip link add link dummy0 dummy0.100 type vlan id 100 \\\n\tegress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001\n\nsyzbot report was:\n\nBUG: memory leak\nunreferenced object 0xffff888117bd1060 (size 32):\ncomm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s)\nhex dump (first 32 bytes):\n09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline]\n[<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193\n[<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128\n[<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185\n[<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]\n[<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580\n[<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593\n[<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089\n[<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501\n[<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline]\n[<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734\n[<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488\n[<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542\n[<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline]\n[<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline]\n[<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline]\n[<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578\n[<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49636",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix a data-race around sysctl_fib_sync_mem.\n\nWhile reading sysctl_fib_sync_mem, it can be changed concurrently.\nSo, we need to add READ_ONCE() to avoid a data-race.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49637",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: Fix data-races around sysctl.\n\nWhile reading icmp sysctl variables, they can be changed concurrently.\nSo, we need to add READ_ONCE() to avoid data-races.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49638",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncipso: Fix data-races around sysctl.\n\nWhile reading cipso sysctl variables, they can be changed concurrently.\nSo, we need to add READ_ONCE() to avoid data-races.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49639",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data races in proc_douintvec_minmax().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_douintvec_minmax() to use READ_ONCE() and\nWRITE_ONCE() internally to fix data-races on the sysctl side.  For now,\nproc_douintvec_minmax() itself is tolerant to a data-race, but we still\nneed to add annotations on the other subsystem's side.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49640",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data races in proc_douintvec().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_douintvec() to use READ_ONCE() and WRITE_ONCE()\ninternally to fix data-races on the sysctl side.  For now, proc_douintvec()\nitself is tolerant to a data-race, but we still need to add annotations on\nthe other subsystem's side.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49641",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwc-qos: Disable split header for Tegra194\n\nThere is a long-standing issue with the Synopsys DWC Ethernet driver\nfor Tegra194 where random system crashes have been observed [0]. The\nproblem occurs when the split header feature is enabled in the stmmac\ndriver. In the bad case, a larger than expected buffer length is\nreceived and causes the calculation of the total buffer length to\noverflow. This results in a very large buffer length that causes the\nkernel to crash. Why this larger buffer length is received is not clear,\nhowever, the feedback from the NVIDIA design team is that the split\nheader feature is not supported for Tegra194. Therefore, disable split\nheader support for Tegra194 to prevent these random crashes from\noccurring.\n\n[0] https://lore.kernel.org/linux-tegra/b0b17697-f23e-8fa5-3757-604a86f3a095@nvidia.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49642",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix a potential integer overflow in ima_appraise_measurement\n\nWhen the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be\nnegative, which may cause the integer overflow problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49643",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()\n\nIf drm_connector_init fails, intel_connector_free will be called to take\ncare of proper free. So it is necessary to drop the refcount of port\nbefore intel_connector_free.\n\n(cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49644",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix shrinker list corruption by madvise IOCTL\n\nCalling madvise IOCTL twice on BO causes memory shrinker list corruption\nand crashes kernel because BO is already on the list and it's added to\nthe list again, while BO should be removed from the list before it's\nre-added. Fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49645",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix queue selection for mesh/OCB interfaces\n\nWhen using iTXQ, the code assumes that there is only one vif queue for\nbroadcast packets, using the BE queue. Allowing non-BE queue marking\nviolates that assumption and txq->ac == skb_queue_mapping is no longer\nguaranteed. This can cause issues with queue handling in the driver and\nalso causes issues with the recent ATF change, resulting in an AQL\nunderflow warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49646",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Use separate src/dst nodes when preloading css_sets for migration\n\nEach cset (css_set) is pinned by its tasks. When we're moving tasks around\nacross csets for a migration, we need to hold the source and destination\ncsets to ensure that they don't go away while we're moving tasks about. This\nis done by linking cset->mg_preload_node on either the\nmgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the\nsame cset->mg_preload_node for both the src and dst lists was deemed okay as\na cset can't be both the source and destination at the same time.\n\nUnfortunately, this overloading becomes problematic when multiple tasks are\ninvolved in a migration and some of them are identity noop migrations while\nothers are actually moving across cgroups. For example, this can happen with\nthe following sequence on cgroup1:\n\n #1> mkdir -p /sys/fs/cgroup/misc/a/b\n #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs\n #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &\n #4> PID=$!\n #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks\n #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs\n\nthe process including the group leader back into a. In this final migration,\nnon-leader threads would be doing identity migration while the group leader\nis doing an actual one.\n\nAfter #3, let's say the whole process was in cset A, and that after #4, the\nleader moves to cset B. Then, during #6, the following happens:\n\n 1. cgroup_migrate_add_src() is called on B for the leader.\n\n 2. cgroup_migrate_add_src() is called on A for the other threads.\n\n 3. cgroup_migrate_prepare_dst() is called. It scans the src list.\n\n 4. It notices that B wants to migrate to A, so it tries to A to the dst\n    list but realizes that its ->mg_preload_node is already busy.\n\n 5. and then it notices A wants to migrate to A as it's an identity\n    migration, it culls it by list_del_init()'ing its ->mg_preload_node and\n    putting references accordingly.\n\n 6. The rest of migration takes place with B on the src list but nothing on\n    the dst list.\n\nThis means that A isn't held while migration is in progress. If all tasks\nleave A before the migration finishes and the incoming task pins it, the\ncset will be destroyed leading to use-after-free.\n\nThis is caused by overloading cset->mg_preload_node for both src and dst\npreload lists. We wanted to exclude the cset from the src list but ended up\ninadvertently excluding it from the dst list too.\n\nThis patch fixes the issue by separating out cset->mg_preload_node into\n->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst\npreloadings don't interfere with each other.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49647",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Fix memory leak problem\n\nThis reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.\n\nAs commit 46bbe5c671e0 (\"tracing: fix double free\") said, the\n\"double free\" problem reported by clang static analyzer is:\n  > In parse_var_defs() if there is a problem allocating\n  > var_defs.expr, the earlier var_defs.name is freed.\n  > This free is duplicated by free_var_defs() which frees\n  > the rest of the list.\n\nHowever, if there is a problem allocating N-th var_defs.expr:\n  + in parse_var_defs(), the freed 'earlier var_defs.name' is\n    actually the N-th var_defs.name;\n  + then in free_var_defs(), the names from 0th to (N-1)-th are freed;\n\n                        IF ALLOCATING PROBLEM HAPPENED HERE!!! -+\n                                                                 \\\n                                                                  |\n          0th           1th                 (N-1)-th      N-th    V\n          +-------------+-------------+-----+-------------+-----------\nvar_defs: | name | expr | name | expr | ... | name | expr | name | ///\n          +-------------+-------------+-----+-------------+-----------\n\nThese two frees don't act on same name, so there was no \"double free\"\nproblem before. Conversely, after that commit, we get a \"memory leak\"\nproblem because the above \"N-th var_defs.name\" is not freed.\n\nIf enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th\nvar_defs.expr allocated, then execute on shell like:\n  $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \\\n/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger\n\nThen kmemleak reports:\n  unreferenced object 0xffff8fb100ef3518 (size 8):\n    comm \"bash\", pid 196, jiffies 4295681690 (age 28.538s)\n    hex dump (first 8 bytes):\n      76 31 00 00 b1 8f ff ff                          v1......\n    backtrace:\n      [<0000000038fe4895>] kstrdup+0x2d/0x60\n      [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0\n      [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110\n      [<0000000066737a4c>] event_trigger_write+0x75/0xd0\n      [<000000007341e40c>] vfs_write+0xbb/0x2a0\n      [<0000000087fde4c2>] ksys_write+0x59/0xd0\n      [<00000000581e9cdf>] do_syscall_64+0x3a/0x80\n      [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49648",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue\n\nxenvif_rx_next_skb() is expecting the rx queue not being empty, but\nin case the loop in xenvif_rx_action() is doing multiple iterations,\nthe availability of another skb in the rx queue is not being checked.\n\nThis can lead to crashes:\n\n[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080\n[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]\n[40072.537534] PGD 0 P4D 0\n[40072.537644] Oops: 0000 [#1] SMP NOPTI\n[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5\n[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021\n[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000\n[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]\n[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246\n[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7\n[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8\n[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008\n[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708\n[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0\n[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000\n[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660\n[40072.539211] Call Trace:\n[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]\n[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]\n\nFix that by stopping the loop in case the rx queue becomes empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49649",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: fix runtime PM underflow\n\nCommit dbad41e7bb5f (\"dmaengine: qcom: bam_dma: check if the runtime pm enabled\")\ncaused unbalanced pm_runtime_get/put() calls when the bam is\ncontrolled remotely. This commit reverts it and just enables pm_runtime\nin all cases, the clk_* functions already just nop when the clock is NULL.\n\nAlso clean up a bit by removing unnecessary bamclk null checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49650",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsrcu: Tighten cleanup_srcu_struct() GP checks\n\nCurrently, cleanup_srcu_struct() checks for a grace period in progress,\nbut it does not check for a grace period that has not yet started but\nwhich might start at any time.  Such a situation could result in a\nuse-after-free bug, so this commit adds a check for a grace period that\nis needed but not yet started to cleanup_srcu_struct().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49651",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\n\nAdd missing of_node_put() in to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49652",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix a memory leak in the EFCH MMIO support\n\nThe recently added support for EFCH MMIO regions introduced a memory\nleak in that code path. The leak is caused by the fact that\nrelease_resource() merely removes the resource from the tree but does\nnot free its memory. We need to call release_mem_region() instead,\nwhich does free the memory. As a nice side effect, this brings back\nsome symmetry between the legacy and MMIO paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49653",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: qca8k: reset cpu port on MTU change\n\nIt was discovered that the Documentation lacks of a fundamental detail\non how to correctly change the MAX_FRAME_SIZE of the switch.\n\nIn fact if the MAX_FRAME_SIZE is changed while the cpu port is on, the\nswitch panics and cease to send any packet. This cause the mgmt ethernet\nsystem to not receive any packet (the slow fallback still works) and\nmakes the device not reachable. To recover from this a switch reset is\nrequired.\n\nTo correctly handle this, turn off the cpu ports before changing the\nMAX_FRAME_SIZE and turn on again after the value is applied.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49654",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Fix invalidation/lookup race\n\nIf an NFS file is opened for writing and closed, fscache_invalidate() will\nbe asked to invalidate the file - however, if the cookie is in the\nLOOKING_UP state (or the CREATING state), then request to invalidate\ndoesn't get recorded for fscache_cookie_state_machine() to do something\nwith.\n\nFix this by making __fscache_invalidate() set a flag if it sees the cookie\nis in the LOOKING_UP state to indicate that we need to go to invalidation.\nNote that this requires a count on the n_accesses counter for the state\nmachine, which that will release when it's done.\n\nfscache_cookie_state_machine() then shifts to the INVALIDATING state if it\nsees the flag.\n\nWithout this, an nfs file can get corrupted if it gets modified locally and\nthen read locally as the cache contents may not get updated.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49655",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: meson: Fix refcount leak in meson_smp_prepare_cpus\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49656",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: fix memory leak in error case\n\nusbnet_write_cmd_async() mixed up which buffers\nneed to be freed in which error case.\n\nv2: add Fixes tag\nv3: fix uninitialized buf pointer",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49657",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals\n\nKuee reported a corner case where the tnum becomes constant after the call\nto __reg_bound_offset(), but the register's bounds are not, that is, its\nmin bounds are still not equal to the register's max bounds.\n\nThis in turn allows to leak pointers through turning a pointer register as\nis into an unknown scalar via adjust_ptr_min_max_vals().\n\nBefore:\n\n  func#0 @0\n  0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n  0: (b7) r0 = 1                        ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))\n  1: (b7) r3 = 0                        ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))\n  2: (87) r3 = -r3                      ; R3_w=scalar()\n  3: (87) r3 = -r3                      ; R3_w=scalar()\n  4: (47) r3 |= 32767                   ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)\n  5: (75) if r3 s>= 0x0 goto pc+1       ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n  6: (95) exit\n\n  from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n  7: (d5) if r3 s<= 0x8000 goto pc+1    ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n  8: (95) exit\n\n  from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n  9: (07) r3 += -32767                  ; R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0))  <--- [*]\n  10: (95) exit\n\nWhat can be seen here is that R3=scalar(umin=32767,umax=32768,var_off=(0x7fff;\n0x8000)) after the operation R3 += -32767 results in a 'malformed' constant, that\nis, R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)). Intersecting with var_off has\nnot been done at that point via __update_reg_bounds(), which would have improved\nthe umax to be equal to umin.\n\nRefactor the tnum <> min/max bounds information flow into a reg_bounds_sync()\nhelper and use it consistently everywhere. After the fix, bounds have been\ncorrected to R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) and thus the register\nis regarded as a 'proper' constant scalar of 0.\n\nAfter:\n\n  func#0 @0\n  0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n  0: (b7) r0 = 1                        ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0))\n  1: (b7) r3 = 0                        ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0))\n  2: (87) r3 = -r3                      ; R3_w=scalar()\n  3: (87) r3 = -r3                      ; R3_w=scalar()\n  4: (47) r3 |= 32767                   ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881)\n  5: (75) if r3 s>= 0x0 goto pc+1       ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n  6: (95) exit\n\n  from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0))\n  7: (d5) if r3 s<= 0x8000 goto pc+1    ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767)\n  8: (95) exit\n\n  from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49658",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits\n\nIn commit 1be37d3b0414 (\"can: m_can: fix periph RX path: use\nrx-offload to ensure skbs are sent from softirq context\") the RX path\nfor peripheral devices was switched to RX-offload.\n\nReceived CAN frames are pushed to RX-offload together with a\ntimestamp. RX-offload is designed to handle overflows of the timestamp\ncorrectly, if 32 bit timestamps are provided.\n\nThe timestamps of m_can core are only 16 bits wide. So this patch\nshifts them to full 32 bit before passing them to RX-offload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49659",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_open/close(): fix memory leak\n\nThe gs_usb driver appears to suffer from a malady common to many USB\nCAN adapter drivers in that it performs usb_alloc_coherent() to\nallocate a number of USB request blocks (URBs) for RX, and then later\nrelies on usb_kill_anchored_urbs() to free them, but this doesn't\nactually free them. As a result, this may be leaking DMA memory that's\nbeen used by the driver.\n\nThis commit is an adaptation of the techniques found in the esd_usb2\ndriver where a similar design pattern led to a memory leak. It\nexplicitly frees the RX URBs and their DMA memory via a call to\nusb_free_coherent(). Since the RX URBs were allocated in the\ngs_can_open(), we remove them in gs_can_close() rather than in the\ndisconnect function as was done in esd_usb2.\n\nFor more information, see the 928150fad41b (\"can: esd_usb2: fix memory\nleak\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49661",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix lockdep splat in in6_dump_addrs()\n\nAs reported by syzbot, we should not use rcu_dereference()\nwhen rcu_read_lock() is not held.\n\nWARNING: suspicious RCU usage\n5.19.0-rc2-syzkaller #0 Not tainted\n\nnet/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz-executor326/3617:\n #0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223\n\nstack backtrace:\nCPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175\n inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300\n netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275\n __netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380\n netlink_dump_start include/linux/netlink.h:245 [inline]\n rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:734\n ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2546\n __sys_sendmsg net/socket.c:2575 [inline]\n __do_sys_sendmsg net/socket.c:2584 [inline]\n __se_sys_sendmsg net/socket.c:2582 [inline]\n __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49662",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: do not assume mac header is set in skb_tunnel_check_pmtu()\n\nRecently added debug in commit f9aefd6b2aa3 (\"net: warn if mac header\nwas not set\") caught a bug in skb_tunnel_check_pmtu(), as shown\nin this syzbot report [1].\n\nIn ndo_start_xmit() paths, there is really no need to use skb->mac_header,\nbecause skb->data is supposed to point at it.\n\n[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]\nWARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413\nModules linked in:\nCPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]\nRIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413\nCode: 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 84 b9 fe ff ff 4c 89 ff e8 7c 0f d7 f9 e9 ac fe ff ff e8 c2 13 8a f9 <0f> 0b e9 28 fc ff ff e8 b6 13 8a f9 48 8b 54 24 70 48 b8 00 00 00\nRSP: 0018:ffffc90002e4f520 EFLAGS: 00010212\nRAX: 0000000000000324 RBX: ffff88804d5fd500 RCX: ffffc90005b52000\nRDX: 0000000000040000 RSI: ffffffff87f05e3e RDI: 0000000000000003\nRBP: ffffc90002e4f650 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000000 R12: 000000000000ffff\nR13: 0000000000000000 R14: 000000000000ffcd R15: 000000000000001f\nFS: 00007f3babba9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000075319000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\ngeneve_xmit_skb drivers/net/geneve.c:927 [inline]\ngeneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107\n__netdev_start_xmit include/linux/netdevice.h:4805 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4819 [inline]\n__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309\ndev_direct_xmit include/linux/netdevice.h:3007 [inline]\npacket_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282\npacket_snd net/packet/af_packet.c:3073 [inline]\npacket_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg+0xcf/0x120 net/socket.c:734\n____sys_sendmsg+0x6eb/0x810 net/socket.c:2489\n___sys_sendmsg+0xf3/0x170 net/socket.c:2543\n__sys_sendmsg net/socket.c:2572 [inline]\n__do_sys_sendmsg net/socket.c:2581 [inline]\n__se_sys_sendmsg net/socket.c:2579 [inline]\n__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f3baaa89109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3babba9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3baab9bf60 RCX: 00007f3baaa89109\nRDX: 0000000000000000 RSI: 0000000020000a00 RDI: 0000000000000003\nRBP: 00007f3baaae305d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffe74f2543f R14: 00007f3babba9300 R15: 0000000000022000\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49663",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: move bc link creation back to tipc_node_create\n\nShuang Li reported a NULL pointer dereference crash:\n\n  [] BUG: kernel NULL pointer dereference, address: 0000000000000068\n  [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]\n  [] Call Trace:\n  []  <IRQ>\n  []  tipc_bcast_rcv+0xa2/0x190 [tipc]\n  []  tipc_node_bc_rcv+0x8b/0x200 [tipc]\n  []  tipc_rcv+0x3af/0x5b0 [tipc]\n  []  tipc_udp_recv+0xc7/0x1e0 [tipc]\n\nIt was caused by the 'l' passed into tipc_bcast_rcv() being NULL. When it\ncreates a node in tipc_node_check_dest(), after inserting the new node\ninto the hashtable in tipc_node_create(), it creates the bc link. However,\nthere is a gap between this insert and bc link creation; a bc packet\nmay come in and get the node from the hashtable, then try to dereference\nits bc link, which is NULL.\n\nThis patch fixes it by moving the bc link creation before inserting\ninto the hashtable.\n\nNote that for a preliminary node becoming \"real\", the bc link creation\nshould also be called before it's rehashed, as we don't create it for\npreliminary nodes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49664",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource\n\nUnlike release_mem_region(), a call to release_resource() does not\nfree the resource, so it has to be freed explicitly to avoid a memory\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49665",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/memhotplug: Add add_pages override for PPC\n\nWith commit ffa0b64e3be5 (\"powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit\")\nthe kernel now validates the addr against the high_memory value. This results\nin the below BUG_ON with dax pfns.\n\n[  635.798741][T26531] kernel BUG at mm/page_alloc.c:5521!\n1:mon> e\ncpu 0x1: Vector: 700 (Program Check) at [c000000007287630]\n    pc: c00000000055ed48: free_pages.part.0+0x48/0x110\n    lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0\n    sp: c0000000072878d0\n   msr: 800000000282b033\n  current = 0xc00000000afabe00\n  paca    = 0xc00000037ffff300   irqmask: 0x03   irq_happened: 0x05\n    pid   = 26531, comm = 50-landscape-sy\nkernel BUG at :5521!\nLinux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022\n1:mon> t\n[link register   ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0\n[c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable)\n[c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0\n[c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210\n[c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40\n[c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00\n[c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0\n[c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310\n[c000000007287d80] c00000000062858c sys_execve+0x4c/0x60\n[c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0\n[c000000007287e10] c00000000000c53c system_call_common+0xec/0x250\n\nThe fix is to make sure we update high_memory on memory hotplug.\nThis is similar to what x86 does in commit 3072e413e305 (\"mm/memory_hotplug: introduce add_pages\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49666",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free after 802.3ad slave unbind\n\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\")\nresolves the case when there are several aggregation groups in the same bond.\nbond_3ad_unbind_slave will invalidate (clear) the aggregator when\n__agg_active_ports returns zero. So, ad_clear_agg can be executed even when\nnum_of_ports!=0. Then bond_3ad_unbind_slave can be executed again for the\npreviously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave\nwill not update the slave ports list, because lag_ports==NULL. So, here we\nhave slave ports pointing to freed aggregator memory.\n\nFix this by checking the actual number of ports in the group (as was done before\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\")),\nbefore ad_clear_agg().\n\nThe KASAN logs are as follows:\n\n[  767.617392] ==================================================================\n[  767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470\n[  767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767\n[  767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G           O 5.15.11 #15\n[  767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[  767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler\n[  767.666468] Call trace:\n[  767.668930]  dump_backtrace+0x0/0x2d0\n[  767.672625]  show_stack+0x24/0x30\n[  767.675965]  dump_stack_lvl+0x68/0x84\n[  767.679659]  print_address_description.constprop.0+0x74/0x2b8\n[  767.685451]  kasan_report+0x1f0/0x260\n[  767.689148]  __asan_load2+0x94/0xd0\n[  767.692667]  bond_3ad_state_machine_handler+0x13dc/0x1470",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49667",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, so we should use of_node_put() on it when done.\nThis function only calls of_node_put() in the normal path,\nmissing it in the error paths.\nAdd the missing of_node_put() to avoid a refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49668",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race on unaccepted mptcp sockets\n\nWhen the listener socket owning the relevant request is closed,\nit frees the unaccepted subflows and that causes later deletion\nof the paired MPTCP sockets.\n\nThe mptcp socket's worker can run in the time interval between such delete\noperations. When that happens, any access to msk->first will cause a UaF\naccess, as the subflow cleanup did not clear that field in the mptcp\nsocket.\n\nAddress the issue by explicitly traversing the listener socket accept\nqueue at close time and performing the needed cleanup on the pending\nmsk.\n\nNote that the locking is a bit tricky, as we need to acquire the msk\nsocket lock while still owning the subflow socket one.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49669",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlinux/dim: Fix divide by 0 in RDMA DIM\n\nFix a divide 0 error in rdma_dim_stats_compare() when prev->cpe_ratio ==\n0.\n\nCallTrace:\n  Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020\n  task: ffff880194b78000 task.stack: ffffc90006714000\n  RIP: 0010:backport_rdma_dim+0x10e/0x240 [mlx_compat]\n  RSP: 0018:ffff880c10e83ec0 EFLAGS: 00010202\n  RAX: 0000000000002710 RBX: ffff88096cd7f780 RCX: 0000000000000064\n  RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001\n  RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 000000001d7c6c09\n  R13: ffff88096cd7f780 R14: ffff880b174fe800 R15: 0000000000000000\n  FS:  0000000000000000(0000) GS:ffff880c10e80000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000a0965b00 CR3: 000000000200a003 CR4: 00000000007606e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   <IRQ>\n   ib_poll_handler+0x43/0x80 [ib_core]\n   irq_poll_softirq+0xae/0x110\n   __do_softirq+0xd1/0x28c\n   irq_exit+0xde/0xf0\n   do_IRQ+0x54/0xe0\n   common_interrupt+0x8f/0x8f\n   </IRQ>\n   ? cpuidle_enter_state+0xd9/0x2a0\n   ? cpuidle_enter_state+0xc7/0x2a0\n   ? do_idle+0x170/0x1d0\n   ? cpu_startup_entry+0x6f/0x80\n   ? start_secondary+0x1b9/0x210\n   ? secondary_startup_64+0xa5/0xb0\n  Code: 0f 87 e1 00 00 00 8b 4c 24 14 44 8b 43 14 89 c8 4d 63 c8 44 29 c0 99 31 d0 29 d0 31 d2 48 98 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <49> f7 f1 48 83 f8 0a 0f 86 c1 00 00 00 44 39 c1 7f 10 48 89 df\n  RIP: backport_rdma_dim+0x10e/0x240 [mlx_compat] RSP: ffff880c10e83ec0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49670",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix memory leak in ib_cm_insert_listen\n\ncm_alloc_id_priv() allocates resource for the cm_id_priv. When\ncm_init_listen() fails it doesn't free it, leading to memory leak.\n\nAdd the missing error unwind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49671",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: unlink NAPI from device on destruction\n\nSyzbot found a race between tun file and device destruction.\nNAPIs live in struct tun_file which can get destroyed before\nthe netdev so we have to del them explicitly. The current\ncode is missing deleting the NAPI if the queue was detached\nfirst.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49672",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix KASAN warning in raid5_add_disks\n\nThere's a KASAN warning in raid5_add_disk when running the LVM testsuite.\nThe warning happens in the test\nlvconvert-raid-reshape-linear_to_raid6-single-type.sh. We fix the warning\nby verifying that rdev->saved_raid_disk is within limits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49673",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix accesses beyond end of raid member array\n\nOn dm-raid table load (using raid_ctr), dm-raid allocates an array\nrs->devs[rs->raid_disks] for the raid device members. rs->raid_disks\nis defined by the number of raid metadata and image tuples passed\ninto the target's constructor.\n\nIn the case of RAID layout changes being requested, that number can be\ndifferent from the current number of members for existing raid sets as\ndefined in their superblocks. Example RAID layout changes include:\n- raid1 legs being added/removed\n- raid4/5/6/10 number of stripes changed (stripe reshaping)\n- takeover to higher raid level (e.g. raid5 -> raid6)\n\nWhen accessing array members, rs->raid_disks must be used in control\nloops instead of the potentially larger value in rs->md.raid_disks.\nOtherwise it will cause memory access beyond the end of the rs->devs\narray.\n\nFix this by changing code that is prone to out-of-bounds access.\nAlso fix validate_raid_redundancy() to validate all devices that are\nadded. Also, use braces to help clean up raid_iterate_devices().\n\nThe out-of-bounds memory accesses were discovered using KASAN.\n\nThis commit was verified to pass all LVM2 RAID tests (with KASAN\nenabled).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49674",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntick/nohz: unexport __init-annotated tick_nohz_full_setup()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith a kernel panic.\n\nmodpost used to detect it, but it had been broken for a decade.\n\nCommit 28438794aba4 (\"modpost: fix section mismatch check for exported\ninit/exit sections\") fixed it so modpost started to warn about it again, then\nthis showed up:\n\n    MODPOST vmlinux.symvers\n  WARNING: modpost: vmlinux.o(___ksymtab_gpl+tick_nohz_full_setup+0x0): Section mismatch in reference from the variable __ksymtab_tick_nohz_full_setup to the function .init.text:tick_nohz_full_setup()\n  The symbol tick_nohz_full_setup is exported and annotated __init\n  Fix this by removing the __init annotation of tick_nohz_full_setup or drop the export.\n\nDrop the export because tick_nohz_full_setup() is only called from the\nbuilt-in code in kernel/sched/isolation.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49675",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, so we should use of_node_put() on it when it is no longer needed.\nThis function doesn't call of_node_put() in some error paths.\nTo unify the structure, add a put_node label and goto it on errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49676",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: cns3xxx: Fix refcount leak in cns3xxx_init\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49677",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: bcm: brcmstb: pm: pm-arm: Fix refcount leak in brcmstb_pm_probe\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, so we should use of_node_put() on it when it is no longer needed.\nAdd the missing of_node_put() to avoid a refcount leak.\n\nIn brcmstb_init_sram, it passes dn to of_address_to_resource();\nof_address_to_resource() will call of_find_device_by_node() to take a\nreference, so we should release the reference returned by\nof_find_matching_node().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49678",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: Fix refcount leak in axxia_boot_secondary\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49679",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: exynos: Fix refcount leak in exynos_map_pmu\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, so we should use of_node_put() on it when it is no longer needed.\nAdd the missing of_node_put() to avoid a refcount leak.\nof_node_put() checks for a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49680",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxtensa: xtfpga: Fix refcount leak bug in setup\n\nIn machine_setup(), of_find_compatible_node() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49681",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxtensa: Fix refcount leak bug in time.c\n\nIn calibrate_ccount(), of_find_compatible_node() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49682",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: adi-axi-adc: Fix refcount leak in adi_axi_adc_attach_client\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, so we should use of_node_put() on it when it is no longer needed.\nAdd the missing of_node_put() to avoid a refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49683",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: aspeed: Fix refcount leak in aspeed_adc_set_trim_data\n\nof_find_node_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49684",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: trigger: sysfs: fix use-after-free on remove\n\nEnsure that the irq_work has completed before the trigger is freed.\n\n ==================================================================\n BUG: KASAN: use-after-free in irq_work_run_list\n Read of size 8 at addr 0000000064702248 by task python3/25\n\n Call Trace:\n  irq_work_run_list\n  irq_work_tick\n  update_process_times\n  tick_sched_handle\n  tick_sched_timer\n  __hrtimer_run_queues\n  hrtimer_interrupt\n\n Allocated by task 25:\n  kmem_cache_alloc_trace\n  iio_sysfs_trig_add\n  dev_attr_store\n  sysfs_kf_write\n  kernfs_fop_write_iter\n  new_sync_write\n  vfs_write\n  ksys_write\n  sys_write\n\n Freed by task 25:\n  kfree\n  iio_sysfs_trig_remove\n  dev_attr_store\n  sysfs_kf_write\n  kernfs_fop_write_iter\n  new_sync_write\n  vfs_write\n  ksys_write\n  sys_write\n\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49685",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix list double add in uvcg_video_pump\n\nA panic can occur if the endpoint becomes disabled and the\nuvcg_video_pump adds the request back to the req_free list after it has\nalready been queued to the endpoint. The endpoint complete will add the\nrequest back to the req_free list. Invalidate the local request handle\nonce it's been queued.\n\n<6>[  246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)\n<3>[  246.797078][   T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.\n<6>[  246.797213][   T26] ------------[ cut here ]------------\n<2>[  246.797224][   T26] kernel BUG at lib/list_debug.c:31!\n<6>[  246.807073][   T26] Call trace:\n<6>[  246.807180][   T26]  uvcg_video_pump+0x364/0x38c\n<6>[  246.807366][   T26]  process_one_work+0x2a4/0x544\n<6>[  246.807394][   T26]  worker_thread+0x350/0x784\n<6>[  246.807442][   T26]  kthread+0x2ac/0x320",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49686",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix xdp_rxq_info bug after suspend/resume\n\nThe following sequence currently causes a driver bug warning\nwhen using virtio_net:\n\n  # ip link set eth0 up\n  # echo mem > /sys/power/state (or e.g. # rtcwake -s 10 -m mem)\n  <resume>\n  # ip link set eth0 down\n\n  Missing register, driver bug\n  WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60\n  Call trace:\n   xdp_rxq_info_unreg+0x58/0x60\n   virtnet_close+0x58/0xac\n   __dev_close_many+0xac/0x140\n   __dev_change_flags+0xd8/0x210\n   dev_change_flags+0x24/0x64\n   do_setlink+0x230/0xdd0\n   ...\n\nThis happens because virtnet_freeze() frees the receive_queue\ncompletely (including struct xdp_rxq_info) but does not call\nxdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the\nreceive_queue again but does not call xdp_rxq_info_reg().\n\nActually, parts of virtnet_freeze_down() and virtnet_restore_up()\nare almost identical to virtnet_close() and virtnet_open(): only\nthe calls to xdp_rxq_info_(un)reg() are missing. This means that\nwe can fix this easily and avoid such problems in the future by\njust calling virtnet_close()/open() from the freeze/restore handlers.\n\nAside from adding the missing xdp_rxq_info calls the only difference\nis that the refill work is only cancelled if netif_running(). However,\nthis should not make any functional difference since the refill work\nshould only be active if the network interface is actually up.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49687",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix dynamic root getattr\n\nThe recent patch to make afs_getattr consult the server didn't account\nfor the pseudo-inodes employed by the dynamic root-type afs superblock\nnot having a volume or a server to access, and thus an oops occurs if\nsuch a directory is stat'd.\n\nFix this by checking to see if the vnode->volume pointer actually points\nanywhere before following it in afs_getattr().\n\nThis can be tested by stat'ing a directory in /afs.  It may be\nsufficient just to do \"ls /afs\" and the oops looks something like:\n\n        BUG: kernel NULL pointer dereference, address: 0000000000000020\n        ...\n        RIP: 0010:afs_getattr+0x8b/0x14b\n        ...\n        Call Trace:\n         <TASK>\n         vfs_statx+0x79/0xf5\n         vfs_fstatat+0x49/0x62",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49688",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: do not assume transport header is always set\n\nRewrite tests in ip6erspan_tunnel_xmit() and\nerspan_fb_xmit() to not assume transport header is set.\n\nsyzbot reported:\n\nWARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skb_transport_header include/linux/skbuff.h:2911 [inline]\nWARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963\nModules linked in:\nCPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:skb_transport_header include/linux/skbuff.h:2911 [inline]\nRIP: 0010:ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963\nCode: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00\nRSP: 0018:ffffc90005daf910 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000\nRDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003\nRBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40\nR13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000\nFS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0\nCall Trace:\n<TASK>\n__netdev_start_xmit include/linux/netdevice.h:4805 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4819 [inline]\nxmit_one net/core/dev.c:3588 [inline]\ndev_hard_start_xmit+0x188/0x880 net/core/dev.c:3604\nsch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342\n__dev_xmit_skb net/core/dev.c:3815 [inline]\n__dev_queue_xmit+0x14a1/0x3900 net/core/dev.c:4219\ndev_queue_xmit include/linux/netdevice.h:2994 [inline]\ntx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63\nkthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229\nkthread+0x2e9/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49691",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: at803x: fix NULL pointer dereference on AR9331 PHY\n\nThe latest kernel will explode on the PHY interrupt config, since it now\ndepends on allocated priv. So, run probe to allocate priv to fix it.\n\n ar9331_switch ethernet.1:10 lan0 (uninitialized): PHY [!ahb!ethernet@1a000000!mdio!switch@10:00] driver [Qualcomm Atheros AR9331 built-in PHY] (irq=13)\n CPU 0 Unable to handle kernel paging request at virtual address 0000000a, epc == 8050e8a8, ra == 80504b34\n         ...\n Call Trace:\n [<8050e8a8>] at803x_config_intr+0x5c/0xd0\n [<80504b34>] phy_request_interrupt+0xa8/0xd0\n [<8050289c>] phylink_bringup_phy+0x2d8/0x3ac\n [<80502b68>] phylink_fwnode_phy_connect+0x118/0x130\n [<8074d8ec>] dsa_slave_create+0x270/0x420\n [<80743b04>] dsa_port_setup+0x12c/0x148\n [<8074580c>] dsa_register_switch+0xaf0/0xcc0\n [<80511344>] ar9331_sw_probe+0x370/0x388\n [<8050cb78>] mdio_probe+0x44/0x70\n [<804df300>] really_probe+0x200/0x424\n [<804df7b4>] __driver_probe_device+0x290/0x298\n [<804df810>] driver_probe_device+0x54/0xe4\n [<804dfd50>] __device_attach_driver+0xe4/0x130\n [<804dcb00>] bus_for_each_drv+0xb4/0xd8\n [<804dfac4>] __device_attach+0x104/0x1a4\n [<804ddd24>] bus_probe_device+0x48/0xc4\n [<804deb44>] deferred_probe_work_func+0xf0/0x10c\n [<800a0ffc>] process_one_work+0x314/0x4d4\n [<800a17fc>] worker_thread+0x2a4/0x354\n [<800a9a54>] kthread+0x134/0x13c\n [<8006306c>] ret_from_kernel_thread+0x14/0x1c\n\nThe same issue would affect some other PHYs (QCA8081, QCA9561), so fix it\ntoo.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49692",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf\n\nof_graph_get_remote_node() returns remote device node pointer with\nrefcount incremented, we should use of_node_put() on it\nwhen not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\n\nPatchwork: https://patchwork.freedesktop.org/patch/488473/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49693",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: disable the elevator in del_gendisk\n\nThe elevator is only used for file system requests, which are stopped in\ndel_gendisk.  Move disabling the elevator and freeing the scheduler tags\nto the end of del_gendisk instead of doing that work in disk_release and\nblk_cleanup_queue to avoid a use after free on q->tag_set from\ndisk_release as the tag_set might not be alive at that point.\n\nMove the blk_qos_exit call as well, as it just depends on the elevator\nexit and would be the only reason to keep the not exactly cheap queue\nfreeze in disk_release.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49694",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: fix a use-after-free issue in igb_clean_tx_ring\n\nFix the following use-after-free bug in igb_clean_tx_ring routine when\nthe NIC is running in XDP mode. The issue can be triggered redirecting\ntraffic into the igb NIC and then closing the device while the traffic\nis flowing.\n\n[   73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9\n[   73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017\n[   73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0\n[   73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282\n[   73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000\n[   73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0\n[   73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058\n[   73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090\n[   73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000\n[   73.404806] FS:  00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000\n[   73.413129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0\n[   73.426565] Call Trace:\n[   73.429087]  <TASK>\n[   73.431314]  igb_clean_tx_ring+0x43/0x140 [igb]\n[   73.436002]  igb_down+0x1d7/0x220 [igb]\n[   73.439974]  __igb_close+0x3c/0x120 [igb]\n[   73.444118]  igb_xdp+0x10c/0x150 [igb]\n[   73.447983]  ? igb_pci_sriov_configure+0x70/0x70 [igb]\n[   73.453362]  dev_xdp_install+0xda/0x110\n[   73.457371]  dev_xdp_attach+0x1da/0x550\n[   73.461369]  do_setlink+0xfd0/0x10f0\n[   73.465166]  ? __nla_validate_parse+0x89/0xc70\n[   73.469714]  rtnl_setlink+0x11a/0x1e0\n[   73.473547]  rtnetlink_rcv_msg+0x145/0x3d0\n[   73.477709]  ? 
rtnl_calcit.isra.0+0x130/0x130\n[   73.482258]  netlink_rcv_skb+0x8d/0x110\n[   73.486229]  netlink_unicast+0x230/0x340\n[   73.490317]  netlink_sendmsg+0x215/0x470\n[   73.494395]  __sys_sendto+0x179/0x190\n[   73.498268]  ? move_addr_to_user+0x37/0x70\n[   73.502547]  ? __sys_getsockname+0x84/0xe0\n[   73.506853]  ? netlink_setsockopt+0x1c1/0x4a0\n[   73.511349]  ? __sys_setsockopt+0xc8/0x1d0\n[   73.515636]  __x64_sys_sendto+0x20/0x30\n[   73.519603]  do_syscall_64+0x3b/0x80\n[   73.523399]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   73.528712] RIP: 0033:0x7ff38d41f20c\n[   73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n[   73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c\n[   73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003\n[   73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n[   73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0\n[   73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30\n[   73.596545]  </TASK>\n[   73.598842] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49695",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix use-after-free Read in tipc_named_reinit\n\nsyzbot found the following issue on:\n==================================================================\nBUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0\nnet/tipc/name_distr.c:413\nRead of size 8 at addr ffff88805299a000 by task kworker/1:9/23764\n\nCPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted\n5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 01/01/2011\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xeb/0x495\nmm/kasan/report.c:313\n print_report mm/kasan/report.c:429 [inline]\n kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491\n tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413\n tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138\n process_one_work+0x996/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e9/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298\n </TASK>\n[...]\n==================================================================\n\nIn the commit\nd966ddcc3821 (\"tipc: fix a deadlock when flushing scheduled work\"),\nthe cancel_work_sync() function is called just to make sure ONLY the work\ntipc_net_finalize_work() executing/pending on any CPU has completed before\nthe tipc namespace is destroyed through tipc_exit_net(). But this function\ndoes not guarantee that the work is the last one queued. So, the destroyed\ninstance may be accessed in the work which will try to enqueue later.\n\nIn order to fix this completely, we re-order the call to cancel_work_sync()\nto make sure the work tipc_net_finalize_work() was queued last and it\nmust be completed by calling cancel_work_sync().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49696",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix request_sock leak in sk lookup helpers\n\nA customer reported a request_socket leak in a Calico cloud environment. We\nfound that a BPF program was doing a socket lookup which takes a refcnt on\nthe socket and that it was finding the request_socket but returning the parent\nLISTEN socket via sk_to_full_sk() without decrementing the child request socket\n1st, resulting in a request_sock slab object leak. This patch retains the\nexisting behaviour of returning full socks to the caller but it also decrements\nthe child request_socket if one is present before doing so to prevent the leak.\n\nThanks to Curtis Taylor for all the help in diagnosing and testing this. And\nthanks to Antoine Tenart for the reproducer and patch input.\n\nv2 of this patch contains a refactor as per Daniel Borkmann's suggestions to\nvalidate RCU flags on the listen socket so that it balances with bpf_sk_release()\nand updated comments as per Martin KaFai Lau's suggestion. One small change to\nDaniel's suggestion, put \"sk = sk2\" under \"if (sk2 != sk)\" to avoid an extra\ninstruction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49697",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: use get_random_u32 instead of prandom\n\nbh might occur while updating per-cpu rnd_state from user context,\nie. local_out path.\n\nBUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725\ncaller is nft_ng_random_eval+0x24/0x54 [nft_numgen]\nCall Trace:\n check_preemption_disabled+0xde/0xe0\n nft_ng_random_eval+0x24/0x54 [nft_numgen]\n\nUse the random driver instead, this also avoids need for local prandom\nstate. Moreover, prandom now uses the random driver since d4150779e60f\n(\"random32: use real rng for non-deterministic randomness\").\n\nBased on earlier patch from Pablo Neira.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49698",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: Handle sibling entries in filemap_get_read_batch()\n\nIf a read races with an invalidation followed by another read, it is\npossible for a folio to be replaced with a higher-order folio.  If that\nhappens, we'll see a sibling entry for the new folio in the next iteration\nof the loop.  This manifests as a NULL pointer dereference while holding\nthe RCU read lock.\n\nHandle this by simply returning.  The next call will find the new folio\nand handle it correctly.  The other ways of handling this rare race are\nmore complex and it's just not worth it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49699",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: add missing TID updates on slab deactivation\n\nThe fastpath in slab_alloc_node() assumes that c->slab is stable as long as\nthe TID stays the same. However, two places in __slab_alloc() currently\ndon't update the TID when deactivating the CPU slab.\n\nIf multiple operations race the right way, this could lead to an object\ngetting lost; or, in an even more unlikely situation, it could even lead to\nan object being freed onto the wrong slab's freelist, messing up the\n`inuse` counter and eventually causing a page to be freed to the page\nallocator while it still contains slab objects.\n\n(I haven't actually tested these cases though, this is just based on\nlooking at the code. Writing testcases for this stuff seems like it'd be\na pain...)\n\nThe race leading to state inconsistency is (all operations on the same CPU\nand kmem_cache):\n\n - task A: begin do_slab_free():\n    - read TID\n    - read pcpu freelist (==NULL)\n    - check `slab == c->slab` (true)\n - [PREEMPT A->B]\n - task B: begin slab_alloc_node():\n    - fastpath fails (`c->freelist` is NULL)\n    - enter __slab_alloc()\n    - slub_get_cpu_ptr() (disables preemption)\n    - enter ___slab_alloc()\n    - take local_lock_irqsave()\n    - read c->freelist as NULL\n    - get_freelist() returns NULL\n    - write `c->slab = NULL`\n    - drop local_unlock_irqrestore()\n    - goto new_slab\n    - slub_percpu_partial() is NULL\n    - get_partial() returns NULL\n    - slub_put_cpu_ptr() (enables preemption)\n - [PREEMPT B->A]\n - task A: finish do_slab_free():\n    - this_cpu_cmpxchg_double() succeeds()\n    - [CORRUPT STATE: c->slab==NULL, c->freelist!=NULL]\n\nFrom there, the object on c->freelist will get lost if task B is allowed to\ncontinue from here: It will proceed to the retry_load_slab label,\nset c->slab, then jump to load_freelist, which clobbers c->freelist.\n\nBut if we instead continue as 
follows, we get worse corruption:\n\n - task A: run __slab_free() on object from other struct slab:\n    - CPU_PARTIAL_FREE case (slab was on no list, is now on pcpu partial)\n - task A: run slab_alloc_node() with NUMA node constraint:\n    - fastpath fails (c->slab is NULL)\n    - call __slab_alloc()\n    - slub_get_cpu_ptr() (disables preemption)\n    - enter ___slab_alloc()\n    - c->slab is NULL: goto new_slab\n    - slub_percpu_partial() is non-NULL\n    - set c->slab to slub_percpu_partial(c)\n    - [CORRUPT STATE: c->slab points to slab-1, c->freelist has objects\n      from slab-2]\n    - goto redo\n    - node_match() fails\n    - goto deactivate_slab\n    - existing c->freelist is passed into deactivate_slab()\n    - inuse count of slab-1 is decremented to account for object from\n      slab-2\n\nAt this point, the inuse count of slab-1 is 1 lower than it should be.\nThis means that if we free all allocated objects in slab-1 except for one,\nSLUB will think that slab-1 is completely unused, and may free its page,\nleading to use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49700",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Allocate/free queue resource only during probe/remove\n\nCurrently, the sub-queues and event pool resources are allocated/freed for\nevery CRQ connection event such as reset and LPM. This exposes the driver\nto a couple of issues. First the inefficiency of freeing and reallocating\nmemory that can simply be reused after being sanitized. Further, a system\nunder memory pressure runs the risk of allocation failures that could result\nin a crippled driver. Finally, there is a race window where command\nsubmission/completion can try to pull/return elements from/to an event\npool that is being deleted or already has been deleted due to the lack of\nhost state around freeing/allocating resources. The following is an example\nof list corruption following a live partition migration (LPM):\n\nOops: Exception in kernel mode, sig: 5 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: vfat fat isofs cdrom ext4 mbcache jbd2 nft_counter nft_compat nf_tables nfnetlink rpadlpar_io rpaphp xsk_diag nfsv3 nfs_acl nfs lockd grace fscache netfs rfkill bonding tls sunrpc pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth vmx_crypto dm_multipath dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\nCPU: 0 PID: 2108 Comm: ibmvfc_0 Kdump: loaded Not tainted 5.14.0-70.9.1.el9_0.ppc64le #1\nNIP: c0000000007c4bb0 LR: c0000000007c4bac CTR: 00000000005b9a10\nREGS: c00000025c10b760 TRAP: 0700  Not tainted (5.14.0-70.9.1.el9_0.ppc64le)\nMSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 2800028f XER: 0000000f\nCFAR: c0000000001f55bc IRQMASK: 0\n        GPR00: c0000000007c4bac c00000025c10ba00 c000000002a47c00 000000000000004e\n        GPR04: c0000031e3006f88 c0000031e308bd00 c00000025c10b768 0000000000000027\n        GPR08: 0000000000000000 c0000031e3009dc0 
00000031e0eb0000 0000000000000000\n        GPR12: c0000031e2ffffa8 c000000002dd0000 c000000000187108 c00000020fcee2c0\n        GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n        GPR20: 0000000000000000 0000000000000000 0000000000000000 c008000002f81300\n        GPR24: 5deadbeef0000100 5deadbeef0000122 c000000263ba6910 c00000024cc88000\n        GPR28: 000000000000003c c0000002430a0000 c0000002430ac300 000000000000c300\nNIP [c0000000007c4bb0] __list_del_entry_valid+0x90/0x100\nLR [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100\nCall Trace:\n[c00000025c10ba00] [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100 (unreliable)\n[c00000025c10ba60] [c008000002f42284] ibmvfc_free_queue+0xec/0x210 [ibmvfc]\n[c00000025c10bb10] [c008000002f4246c] ibmvfc_deregister_scsi_channel+0xc4/0x160 [ibmvfc]\n[c00000025c10bba0] [c008000002f42580] ibmvfc_release_sub_crqs+0x78/0x130 [ibmvfc]\n[c00000025c10bc20] [c008000002f4f6cc] ibmvfc_do_work+0x5c4/0xc70 [ibmvfc]\n[c00000025c10bce0] [c008000002f4fdec] ibmvfc_work+0x74/0x1e8 [ibmvfc]\n[c00000025c10bda0] [c0000000001872b8] kthread+0x1b8/0x1c0\n[c00000025c10be10] [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64\nInstruction dump:\n40820034 38600001 38210060 4e800020 7c0802a6 7c641b78 3c62fe7a 7d254b78\n3863b590 f8010070 4ba309cd 60000000 <0fe00000> 7c0802a6 3c62fe7a 3863b640\n---[ end trace 11a2b65a92f8b66c ]---\nibmvfc 30000003: Send warning. Receive queue closed, will retry.\n\nAdd registration/deregistration helpers that are called instead during\nconnection resets to sanitize and reconfigure the queues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49701",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when block group reclaim task is running\n\nWhen we start an unmount, at close_ctree(), if we have the reclaim task\nrunning and in the middle of a data block group relocation, we can trigger\na deadlock when stopping an async reclaim task, producing a trace like the\nfollowing:\n\n[629724.498185] task:kworker/u16:7   state:D stack:    0 pid:681170 ppid:     2 flags:0x00004000\n[629724.499760] Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs]\n[629724.501267] Call Trace:\n[629724.501759]  <TASK>\n[629724.502174]  __schedule+0x3cb/0xed0\n[629724.502842]  schedule+0x4e/0xb0\n[629724.503447]  btrfs_wait_on_delayed_iputs+0x7c/0xc0 [btrfs]\n[629724.504534]  ? prepare_to_wait_exclusive+0xc0/0xc0\n[629724.505442]  flush_space+0x423/0x630 [btrfs]\n[629724.506296]  ? rcu_read_unlock_trace_special+0x20/0x50\n[629724.507259]  ? lock_release+0x220/0x4a0\n[629724.507932]  ? btrfs_get_alloc_profile+0xb3/0x290 [btrfs]\n[629724.508940]  ? do_raw_spin_unlock+0x4b/0xa0\n[629724.509688]  btrfs_async_reclaim_metadata_space+0x139/0x320 [btrfs]\n[629724.510922]  process_one_work+0x252/0x5a0\n[629724.511694]  ? process_one_work+0x5a0/0x5a0\n[629724.512508]  worker_thread+0x52/0x3b0\n[629724.513220]  ? process_one_work+0x5a0/0x5a0\n[629724.514021]  kthread+0xf2/0x120\n[629724.514627]  ? kthread_complete_and_exit+0x20/0x20\n[629724.515526]  ret_from_fork+0x22/0x30\n[629724.516236]  </TASK>\n[629724.516694] task:umount          state:D stack:    0 pid:719055 ppid:695412 flags:0x00004000\n[629724.518269] Call Trace:\n[629724.518746]  <TASK>\n[629724.519160]  __schedule+0x3cb/0xed0\n[629724.519835]  schedule+0x4e/0xb0\n[629724.520467]  schedule_timeout+0xed/0x130\n[629724.521221]  ? lock_release+0x220/0x4a0\n[629724.521946]  ? lock_acquired+0x19c/0x420\n[629724.522662]  ? 
trace_hardirqs_on+0x1b/0xe0\n[629724.523411]  __wait_for_common+0xaf/0x1f0\n[629724.524189]  ? usleep_range_state+0xb0/0xb0\n[629724.524997]  __flush_work+0x26d/0x530\n[629724.525698]  ? flush_workqueue_prep_pwqs+0x140/0x140\n[629724.526580]  ? lock_acquire+0x1a0/0x310\n[629724.527324]  __cancel_work_timer+0x137/0x1c0\n[629724.528190]  close_ctree+0xfd/0x531 [btrfs]\n[629724.529000]  ? evict_inodes+0x166/0x1c0\n[629724.529510]  generic_shutdown_super+0x74/0x120\n[629724.530103]  kill_anon_super+0x14/0x30\n[629724.530611]  btrfs_kill_super+0x12/0x20 [btrfs]\n[629724.531246]  deactivate_locked_super+0x31/0xa0\n[629724.531817]  cleanup_mnt+0x147/0x1c0\n[629724.532319]  task_work_run+0x5c/0xa0\n[629724.532984]  exit_to_user_mode_prepare+0x1a6/0x1b0\n[629724.533598]  syscall_exit_to_user_mode+0x16/0x40\n[629724.534200]  do_syscall_64+0x48/0x90\n[629724.534667]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[629724.535318] RIP: 0033:0x7fa2b90437a7\n[629724.535804] RSP: 002b:00007ffe0b7e4458 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[629724.536912] RAX: 0000000000000000 RBX: 00007fa2b9182264 RCX: 00007fa2b90437a7\n[629724.538156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000555d6cf20dd0\n[629724.539053] RBP: 0000555d6cf20ba0 R08: 0000000000000000 R09: 00007ffe0b7e3200\n[629724.539956] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[629724.540883] R13: 0000555d6cf20dd0 R14: 0000555d6cf20cb0 R15: 0000000000000000\n[629724.541796]  </TASK>\n\nThis happens because:\n\n1) Before entering close_ctree() we have the async block group reclaim\n   task running and relocating a data block group;\n\n2) There's an async metadata (or data) space reclaim task running;\n\n3) We enter close_ctree() and park the cleaner kthread;\n\n4) The async space reclaim task is at flush_space() and runs all the\n   existing delayed iputs;\n\n5) Before the async space reclaim task calls\n   btrfs_wait_on_delayed_iputs(), the block group reclaim task which is\n   doing the 
data block group relocation, creates a delayed iput at\n   replace_file_extents() (called when COWing leaves that have file extent\n   items pointing to relocated data exten\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49702",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Store vhost pointer during subcrq allocation\n\nCurrently the back pointer from a queue to the vhost adapter isn't set\nuntil after subcrq interrupt registration. The value is available when a\nqueue is first allocated and can/should be also set for primary and async\nqueues as well as subcrqs.\n\nThis fixes a crash observed during kexec/kdump on Power 9 with legacy XICS\ninterrupt controller where a pending subcrq interrupt from the previous\nkernel can be replayed immediately upon IRQ registration resulting in\ndereference of a garbage backpointer in ibmvfc_interrupt_scsi().\n\nKernel attempted to read user page (58) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000058\nFaulting instruction address: 0xc008000003216a08\nOops: Kernel access of bad area, sig: 11 [#1]\n...\nNIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]\nLR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\nCall Trace:\n[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)\n[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270\n[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188\n[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310\n[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80\n[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0\n[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130\n[c000000014622f60] [0000000020000000] 0x20000000\n[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0\n[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0\n[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170\n[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0\n[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0\n[c000000014623310] [c00000000820b7c0] 
request_threaded_irq+0x140/0x230\n[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]\n[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]\n[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]\n[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]\n[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49703",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix fid refcount leak in v9fs_vfs_get_link\n\nWe check for the protocol version later than required, after a fid has\nbeen obtained. Just move the version check earlier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49704",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix fid refcount leak in v9fs_vfs_atomic_open_dotl\n\nWe need to release the directory fid if we fail halfway through open.\n\nThis fixes fid leaking with xfstests generic 531.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49705",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzonefs: fix zonefs_iomap_begin() for reads\n\nIf a readahead is issued to a sequential zone file with an offset\nexactly equal to the current file size, the iomap type is set to\nIOMAP_UNWRITTEN, which will prevent an IO, but the iomap length is\ncalculated as 0. This causes a WARN_ON() in iomap_iter():\n\n[17309.548939] WARNING: CPU: 3 PID: 2137 at fs/iomap/iter.c:34 iomap_iter+0x9cf/0xe80\n[...]\n[17309.650907] RIP: 0010:iomap_iter+0x9cf/0xe80\n[...]\n[17309.754560] Call Trace:\n[17309.757078]  <TASK>\n[17309.759240]  ? lock_is_held_type+0xd8/0x130\n[17309.763531]  iomap_readahead+0x1a8/0x870\n[17309.767550]  ? iomap_read_folio+0x4c0/0x4c0\n[17309.771817]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n[17309.778848]  ? lock_release+0x370/0x750\n[17309.784462]  ? folio_add_lru+0x217/0x3f0\n[17309.790220]  ? reacquire_held_locks+0x4e0/0x4e0\n[17309.796543]  read_pages+0x17d/0xb60\n[17309.801854]  ? folio_add_lru+0x238/0x3f0\n[17309.807573]  ? readahead_expand+0x5f0/0x5f0\n[17309.813554]  ? policy_node+0xb5/0x140\n[17309.819018]  page_cache_ra_unbounded+0x27d/0x450\n[17309.825439]  filemap_get_pages+0x500/0x1450\n[17309.831444]  ? filemap_add_folio+0x140/0x140\n[17309.837519]  ? lock_is_held_type+0xd8/0x130\n[17309.843509]  filemap_read+0x28c/0x9f0\n[17309.848953]  ? zonefs_file_read_iter+0x1ea/0x4d0 [zonefs]\n[17309.856162]  ? trace_contention_end+0xd6/0x130\n[17309.862416]  ? __mutex_lock+0x221/0x1480\n[17309.868151]  ? zonefs_file_read_iter+0x166/0x4d0 [zonefs]\n[17309.875364]  ? filemap_get_pages+0x1450/0x1450\n[17309.881647]  ? __mutex_unlock_slowpath+0x15e/0x620\n[17309.888248]  ? wait_for_completion_io_timeout+0x20/0x20\n[17309.895231]  ? lock_is_held_type+0xd8/0x130\n[17309.901115]  ? lock_is_held_type+0xd8/0x130\n[17309.906934]  zonefs_file_read_iter+0x356/0x4d0 [zonefs]\n[17309.913750]  new_sync_read+0x2d8/0x520\n[17309.919035]  ? __x64_sys_lseek+0x1d0/0x1d0\n\nFurthermore, this causes iomap_readahead() to loop forever as\niomap_readahead_iter() always returns 0, making no progress.\n\nFix this by treating reads after the file size as access to holes,\nsetting the iomap type to IOMAP_HOLE, the iomap addr to IOMAP_NULL_ADDR\nand using the length argument as is for the iomap length. To simplify\nthe code with this change, zonefs_iomap_begin() is split into the read\nvariant, zonefs_read_iomap_begin() and zonefs_read_iomap_ops, and the\nwrite variant, zonefs_write_iomap_begin() and zonefs_write_iomap_ops.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49706",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add reserved GDT blocks check\n\nWe capture a NULL pointer issue when resizing a corrupt ext4 image which\nis freshly clear resize_inode feature (not run e2fsck). It could be\nsimply reproduced by following steps. The problem is because of the\nresize_inode feature was cleared, and it will convert the filesystem to\nmeta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was\nnot reduced to zero, so could we mistakenly call reserve_backup_gdb()\nand passing an uninitialized resize_inode to it when adding new group\ndescriptors.\n\n mkfs.ext4 /dev/sda 3G\n tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck\n mount /dev/sda /mnt\n resize2fs /dev/sda 8G\n\n ========\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748\n ...\n RIP: 0010:ext4_flex_group_add+0xe08/0x2570\n ...\n Call Trace:\n  <TASK>\n  ext4_resize_fs+0xbec/0x1660\n  __ext4_ioctl+0x1749/0x24e0\n  ext4_ioctl+0x12/0x20\n  __x64_sys_ioctl+0xa6/0x110\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f2dd739617b\n ========\n\nThe fix is simple, add a check in ext4_resize_begin() to make sure that\nthe es->s_reserved_gdt_blocks is zero when the resize_inode feature is\ndisabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49707",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on ext4_mb_use_inode_pa\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/mballoc.c:3211!\n[...]\nRIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f\n[...]\nCall Trace:\n ext4_mb_new_blocks+0x9df/0x5d30\n ext4_ext_map_blocks+0x1803/0x4d80\n ext4_map_blocks+0x3a4/0x1a10\n ext4_writepages+0x126d/0x2c30\n do_writepages+0x7f/0x1b0\n __filemap_fdatawrite_range+0x285/0x3b0\n file_write_and_wait_range+0xb1/0x140\n ext4_sync_file+0x1aa/0xca0\n vfs_fsync_range+0xfb/0x260\n do_fsync+0x48/0xa0\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\ndo_fsync\n vfs_fsync_range\n  ext4_sync_file\n   file_write_and_wait_range\n    __filemap_fdatawrite_range\n     do_writepages\n      ext4_writepages\n       mpage_map_and_submit_extent\n        mpage_map_one_extent\n         ext4_map_blocks\n          ext4_mb_new_blocks\n           ext4_mb_normalize_request\n            >>> start + size <= ac->ac_o_ex.fe_logical\n           ext4_mb_regular_allocator\n            ext4_mb_simple_scan_group\n             ext4_mb_use_best_found\n              ext4_mb_new_preallocation\n               ext4_mb_new_inode_pa\n                ext4_mb_use_inode_pa\n                 >>> set ac->ac_b_ex.fe_len <= 0\n           ext4_mb_mark_diskspace_used\n            >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);\n\nwe can easily reproduce this problem with the following commands:\n\t`fallocate -l100M disk`\n\t`mkfs.ext4 -b 1024 -g 256 disk`\n\t`mount disk /mnt`\n\t`fsstress -d /mnt -l 0 -n 1000 -p 1`\n\nThe size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP.\nTherefore, \"start + size <= ac->ac_o_ex.fe_logical\" may occur\nwhen the size is truncated. So start should be the start position of\nthe group where ac_o_ex.fe_logical is located after alignment.\nIn addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP\nis very large, the value calculated by start_off is more accurate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49708",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfi: Fix __cfi_slowpath_diag RCU usage with cpuidle\n\nRCU_NONIDLE usage during __cfi_slowpath_diag can result in an invalid\nRCU state in the cpuidle code path:\n\n  WARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:613 rcu_eqs_enter+0xe4/0x138\n  ...\n  Call trace:\n    rcu_eqs_enter+0xe4/0x138\n    rcu_idle_enter+0xa8/0x100\n    cpuidle_enter_state+0x154/0x3a8\n    cpuidle_enter+0x3c/0x58\n    do_idle.llvm.6590768638138871020+0x1f4/0x2ec\n    cpu_startup_entry+0x28/0x2c\n    secondary_start_kernel+0x1b8/0x220\n    __secondary_switched+0x94/0x98\n\nInstead, call rcu_irq_enter/exit to wake up RCU only when needed and\ndisable interrupts for the entire CFI shadow/module check when we do.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49709",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm mirror log: round up region bitmap size to BITS_PER_LONG\n\nThe code in dm-log rounds up bitset_size to 32 bits. It then uses\nfind_next_zero_bit_le on the allocated region. find_next_zero_bit_le\naccesses the bitmap using unsigned long pointers. So, on 64-bit\narchitectures, it may access 4 bytes beyond the allocated size.\n\nFix this bug by rounding up bitset_size to BITS_PER_LONG.\n\nThis bug was found by running the lvm2 testsuite with kasan.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49710",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()\n\nIn fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to\nfsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in\nfsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io\ntriggers KASAN use-after-free. To avoid the use-after-free, keep the\nreference to mc->root_mc_bus_dev->mc_io in a local variable and pass to\nfsl_destroy_mc_io().\n\nThis patch needs rework to apply to kernels older than v5.15.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49711",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() will check NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49712",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: Fix memory leak in dwc2_hcd_init\n\nusb_create_hcd will alloc memory for hcd, and we should\ncall usb_put_hcd to free it when platform_get_resource()\nfails to prevent memory leak.\ngoto error2 label instead error1 to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49713",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/realtek-rtl: Fix refcount leak in map_interrupts\n\nof_find_node_by_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nThis function doesn't call of_node_put() in error path.\nCall of_node_put() directly after of_property_read_u32() to cover\nboth normal path and error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49714",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions\n\nof_find_node_by_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49715",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Fix error handling in gic_populate_ppi_partitions\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nWhen kcalloc fails, it missing of_node_put() and results in refcount\nleak. Fix this by goto out_put_node label.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49716",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/apple-aic: Fix refcount leak in build_fiq_affinity\n\nof_find_node_by_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49717",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/apple-aic: Fix refcount leak in aic_of_ic_init\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49718",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic/realview: Fix refcount leak in realview_gic_of_init\n\nof_find_matching_node_and_match() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49719",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix handling of offline queues in blk_mq_alloc_request_hctx()\n\nThis patch prevents that test nvme/004 triggers the following:\n\nUBSAN: array-index-out-of-bounds in block/blk-mq.h:135:9\nindex 512 is out of range for type 'long unsigned int [512]'\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n dump_stack+0x10/0x12\n ubsan_epilogue+0x9/0x3b\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n blk_mq_alloc_request_hctx+0x304/0x310\n __nvme_submit_sync_cmd+0x70/0x200 [nvme_core]\n nvmf_connect_io_queue+0x23e/0x2a0 [nvme_fabrics]\n nvme_loop_connect_io_queues+0x8d/0xb0 [nvme_loop]\n nvme_loop_create_ctrl+0x58e/0x7d0 [nvme_loop]\n nvmf_create_ctrl+0x1d7/0x4d0 [nvme_fabrics]\n nvmf_dev_write+0xae/0x111 [nvme_fabrics]\n vfs_write+0x144/0x560\n ksys_write+0xb7/0x140\n __x64_sys_write+0x42/0x50\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49720",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: consistently handle PLTs.\n\nSometimes it is necessary to use a PLT entry to call an ftrace\ntrampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),\nwith each having *almost* identical logic, but this is not handled by\nftrace_modify_call() since its introduction in commit:\n\n  3b23e4991fb66f6d (\"arm64: implement ftrace with regs\")\n\nDue to this, if we ever were to call ftrace_modify_call() for a callsite\nwhich requires a PLT entry for a trampoline, then either:\n\na) If the old addr requires a trampoline, ftrace_modify_call() will use\n   an out-of-range address to generate the 'old' branch instruction.\n   This will result in warnings from aarch64_insn_gen_branch_imm() and\n   ftrace_modify_code(), and no instructions will be modified. As\n   ftrace_modify_call() will return an error, this will result in\n   subsequent internal ftrace errors.\n\nb) If the old addr does not require a trampoline, but the new addr does,\n   ftrace_modify_call() will use an out-of-range address to generate the\n   'new' branch instruction. This will result in warnings from\n   aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace\n   the 'old' branch with a BRK. This will result in a kernel panic when\n   this BRK is later executed.\n\nPractically speaking, case (a) is vastly more likely than case (b), and\ntypically this will result in internal ftrace errors that don't\nnecessarily affect the rest of the system. This can be demonstrated with\nan out-of-tree test module which triggers ftrace_modify_call(), e.g.\n\n| # insmod test_ftrace.ko\n| test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024\n| branch_imm_common: offset out of range\n| branch_imm_common: offset out of range\n| ------------[ ftrace bug ]------------\n| ftrace failed to modify\n| [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace]\n|  actual:   1d:00:00:94\n| Updating ftrace call site to call a different ftrace function\n| ftrace record flags: e0000002\n|  (2) R\n|  expected tramp: ffffb374ae42ed54\n| ------------[ cut here ]------------\n| WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0\n| Modules linked in: test_ftrace(+)\n| CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : ftrace_bug+0x280/0x2b0\n| lr : ftrace_bug+0x280/0x2b0\n| sp : ffff80000839ba00\n| x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0\n| x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000\n| x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8\n| x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff\n| x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4\n| x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666\n| x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8\n| x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167\n| x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000\n| x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022\n| Call trace:\n|  ftrace_bug+0x280/0x2b0\n|  ftrace_replace_code+0x98/0xa0\n|  ftrace_modify_all_code+0xe0/0x144\n|  arch_ftrace_update_code+0x14/0x20\n|  ftrace_startup+0xf8/0x1b0\n|  register_ftrace_function+0x38/0x90\n|  test_ftrace_init+0xd0/0x1000 [test_ftrace]\n|  do_one_initcall+0x50/0x2b0\n|  do_init_module+0x50/0x1f0\n|  load_module+0x17c8/0x1d64\n|  __do_sys_finit_module+0xa8/0x100\n|  __arm64_sys_finit_module+0x2c/0x3c\n|  invoke_syscall+0x50/0x120\n|  el0_svc_common.constprop.0+0xdc/0x100\n|  do_el0_svc+0x3c/0xd0\n|  el0_svc+0x34/0xb0\n|  el0t_64_sync_handler+0xbc/0x140\n|  el0t_64_sync+0x18c/0x190\n| ---[ end trace 0000000000000000 ]---\n\nWe can solve this by consistently determining whether to use a PLT entry\nfor an address.\n\nNote that since (the earlier) commit:\n\n  f1a54ae9\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49721",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix memory corruption in VF driver\n\nDisable VF's RX/TX queues, when it's disabled. VF can have queues enabled,\nwhen it requests a reset. If PF driver assumes that VF is disabled,\nwhile VF still has queues configured, VF may unmap DMA resources.\nIn such scenario device still can map packets to memory, which ends up\nsilently corrupting it.\nPreviously, VF driver could experience memory corruption, which lead to\ncrash:\n[ 5119.170157] BUG: unable to handle kernel paging request at 00001b9780003237\n[ 5119.170166] PGD 0 P4D 0\n[ 5119.170173] Oops: 0002 [#1] PREEMPT_RT SMP PTI\n[ 5119.170181] CPU: 30 PID: 427592 Comm: kworker/u96:2 Kdump: loaded Tainted: G        W I      --------- -  - 4.18.0-372.9.1.rt7.166.el8.x86_64 #1\n[ 5119.170189] Hardware name: Dell Inc. PowerEdge R740/014X06, BIOS 2.3.10 08/15/2019\n[ 5119.170193] Workqueue: iavf iavf_adminq_task [iavf]\n[ 5119.170219] RIP: 0010:__page_frag_cache_drain+0x5/0x30\n[ 5119.170238] Code: 0f 0f b6 77 51 85 f6 74 07 31 d2 e9 05 df ff ff e9 90 fe ff ff 48 8b 05 49 db 33 01 eb b4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <f0> 29 77 34 74 01 c3 48 8b 07 f6 c4 80 74 0f 0f b6 77 51 85 f6 74\n[ 5119.170244] RSP: 0018:ffffa43b0bdcfd78 EFLAGS: 00010282\n[ 5119.170250] RAX: ffffffff896b3e40 RBX: ffff8fb282524000 RCX: 0000000000000002\n[ 5119.170254] RDX: 0000000049000000 RSI: 0000000000000000 RDI: 00001b9780003203\n[ 5119.170259] RBP: ffff8fb248217b00 R08: 0000000000000022 R09: 0000000000000009\n[ 5119.170262] R10: 2b849d6300000000 R11: 0000000000000020 R12: 0000000000000000\n[ 5119.170265] R13: 0000000000001000 R14: 0000000000000009 R15: 0000000000000000\n[ 5119.170269] FS:  0000000000000000(0000) GS:ffff8fb1201c0000(0000) knlGS:0000000000000000\n[ 5119.170274] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5119.170279] CR2: 00001b9780003237 CR3: 00000008f3e1a003 CR4: 00000000007726e0\n[ 5119.170283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 5119.170286] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 5119.170290] PKRU: 55555554\n[ 5119.170292] Call Trace:\n[ 5119.170298]  iavf_clean_rx_ring+0xad/0x110 [iavf]\n[ 5119.170324]  iavf_free_rx_resources+0xe/0x50 [iavf]\n[ 5119.170342]  iavf_free_all_rx_resources.part.51+0x30/0x40 [iavf]\n[ 5119.170358]  iavf_virtchnl_completion+0xd8a/0x15b0 [iavf]\n[ 5119.170377]  ? iavf_clean_arq_element+0x210/0x280 [iavf]\n[ 5119.170397]  iavf_adminq_task+0x126/0x2e0 [iavf]\n[ 5119.170416]  process_one_work+0x18f/0x420\n[ 5119.170429]  worker_thread+0x30/0x370\n[ 5119.170437]  ? process_one_work+0x420/0x420\n[ 5119.170445]  kthread+0x151/0x170\n[ 5119.170452]  ? set_kthread_struct+0x40/0x40\n[ 5119.170460]  ret_from_fork+0x35/0x40\n[ 5119.170477] Modules linked in: iavf sctp ip6_udp_tunnel udp_tunnel mlx4_en mlx4_core nfp tls vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support dell_smbios wmi_bmof dell_wmi_descriptor dcdbas kvm_intel kvm irqbypass intel_rapl_common isst_if_common skx_edac irdma nfit libnvdimm x86_pkg_temp_thermal i40e intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ib_uverbs rapl ipmi_ssif intel_cstate intel_uncore mei_me pcspkr acpi_ipmi ib_core mei lpc_ich i2c_i801 ipmi_si ipmi_devintf wmi ipmi_msghandler acpi_power_meter xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ice ahci drm libahci crc32c_intel libata tg3 megaraid_sas\n[ 5119.170613]  i2c_algo_bit dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: iavf]\n[ 5119.170627] CR2: 00001b9780003237",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49722",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/reset: Fix error_state_read ptr + offset use\n\nFix our pointer offset usage in error_state_read\nwhen there is no i915_gpu_coredump but buf offset\nis non-zero.\n\nThis fixes a kernel page fault can happen when\nmultiple tests are running concurrently in a loop\nand one is producing engine resets and consuming\nthe i915 error_state dump while the other is\nforcing full GT resets. (takes a while to trigger).\n\nThe dmesg call trace:\n\n[ 5590.803000] BUG: unable to handle page fault for address:\n               ffffffffa0b0e000\n[ 5590.803009] #PF: supervisor read access in kernel mode\n[ 5590.803013] #PF: error_code(0x0000) - not-present page\n[ 5590.803016] PGD 5814067 P4D 5814067 PUD 5815063 PMD 109de4067\n               PTE 0\n[ 5590.803022] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 5590.803026] CPU: 5 PID: 13656 Comm: i915_hangman Tainted: G U\n                    5.17.0-rc5-ups69-guc-err-capt-rev6+ #136\n[ 5590.803033] Hardware name: Intel Corporation Alder Lake Client\n                    Platform/AlderLake-M LP4x RVP, BIOS ADLPFWI1.R00.\n                    3031.A02.2201171222\t01/17/2022\n[ 5590.803039] RIP: 0010:memcpy_erms+0x6/0x10\n[ 5590.803045] Code: fe ff ff cc eb 1e 0f 1f 00 48 89 f8 48 89 d1\n                     48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3\n                     66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4\n                     c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20\n                     72 7e 40 38 fe\n[ 5590.803054] RSP: 0018:ffffc90003a8fdf0 EFLAGS: 00010282\n[ 5590.803057] RAX: ffff888107ee9000 RBX: ffff888108cb1a00\n               RCX: 0000000000000f8f\n[ 5590.803061] RDX: 0000000000001000 RSI: ffffffffa0b0e000\n               RDI: ffff888107ee9071\n[ 5590.803065] RBP: 0000000000000000 R08: 0000000000000001\n               R09: 0000000000000001\n[ 5590.803069] R10: 0000000000000001 R11: 0000000000000002\n               R12: 0000000000000019\n[ 5590.803073] R13: 0000000000174fff R14: 0000000000001000\n               R15: ffff888107ee9000\n[ 5590.803077] FS: 00007f62a99bee80(0000) GS:ffff88849f880000(0000)\n               knlGS:0000000000000000\n[ 5590.803082] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5590.803085] CR2: ffffffffa0b0e000 CR3: 000000010a1a8004\n               CR4: 0000000000770ee0\n[ 5590.803089] PKRU: 55555554\n[ 5590.803091] Call Trace:\n[ 5590.803093] <TASK>\n[ 5590.803096] error_state_read+0xa1/0xd0 [i915]\n[ 5590.803175] kernfs_fop_read_iter+0xb2/0x1b0\n[ 5590.803180] new_sync_read+0x116/0x1a0\n[ 5590.803185] vfs_read+0x114/0x1b0\n[ 5590.803189] ksys_read+0x63/0xe0\n[ 5590.803193] do_syscall_64+0x38/0xc0\n[ 5590.803197] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 5590.803201] RIP: 0033:0x7f62aaea5912\n[ 5590.803204] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 5a b9 0c 00 e8 05\n                     19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25\n                     18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff\n                     ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[ 5590.803213] RSP: 002b:00007fff5b659ae8 EFLAGS: 00000246\n               ORIG_RAX: 0000000000000000\n[ 5590.803218] RAX: ffffffffffffffda RBX: 0000000000100000\n               RCX: 00007f62aaea5912\n[ 5590.803221] RDX: 000000000008b000 RSI: 00007f62a8c4000f\n               RDI: 0000000000000006\n[ 5590.803225] RBP: 00007f62a8bcb00f R08: 0000000000200010\n               R09: 0000000000101000\n[ 5590.803229] R10: 0000000000000001 R11: 0000000000000246\n               R12: 0000000000000006\n[ 5590.803233] R13: 0000000000075000 R14: 00007f62a8acb010\n               R15: 0000000000200000\n[ 5590.803238] </TASK>\n[ 5590.803240] Modules linked in: i915 ttm drm_buddy drm_dp_helper\n                        drm_kms_helper syscopyarea sysfillrect sysimgblt\n                        fb_sys_fops prime_numbers nfnetlink br_netfilter\n                        overlay mei_pxp mei_hdcp x86_pkg_temp_thermal\n                        coretemp kvm_intel snd_hda_codec_hdmi snd_hda_intel\n        \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49723",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: goldfish: Fix free_irq() on remove\n\nPass the correct dev_id to free_irq() to fix this splat when the driver\nis unbound:\n\n WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq\n Trying to free already-free IRQ 65\n Call Trace:\n  warn_slowpath_fmt\n  free_irq\n  goldfish_tty_remove\n  platform_remove\n  device_remove\n  device_release_driver_internal\n  device_driver_detach\n  unbind_store\n  drv_attr_store\n  ...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49724",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix call trace in setup_tx_descriptors\n\nAfter PF reset and ethtool -t there was call trace in dmesg\nsometimes leading to panic. When there was some time, around 5\nseconds, between reset and test there were no errors.\n\nProblem was that pf reset calls i40e_vsi_close in prep_for_reset\nand ethtool -t calls i40e_vsi_close in diag_test. If there was not\nenough time between those commands the second i40e_vsi_close starts\nbefore previous i40e_vsi_close was done which leads to crash.\n\nAdd check to diag_test if pf is in reset and don't start offline\ntests if it is true.\nAdd netif_info(\"testing failed\") into unhappy path of i40e_diag_test()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49725",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource: hyper-v: unexport __init-annotated hv_init_clocksource()\n\nEXPORT_SYMBOL and __init is a bad combination because the .init.text\nsection is freed up after the initialization. Hence, modules cannot\nuse symbols annotated __init. The access to a freed symbol may end up\nwith kernel panic.\n\nmodpost used to detect it, but it has been broken for a decade.\n\nRecently, I fixed modpost so it started to warn it again, then this\nshowed up in linux-next builds.\n\nThere are two ways to fix it:\n\n  - Remove __init\n  - Remove EXPORT_SYMBOL\n\nI chose the latter for this case because the only in-tree call-site,\narch/x86/kernel/cpu/mshyperv.c is never compiled as modular.\n(CONFIG_HYPERVISOR_GUEST is boolean)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49726",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix signed integer overflow in l2tp_ip6_sendmsg\n\nWhen len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be\noverflow. To fix, we can follow what udpv6 does and subtract the\ntranshdrlen from the max.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49727",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix signed integer overflow in __ip6_append_data\n\nResurrect ubsan overflow checks and ubsan report this warning,\nfix it by change the variable [length] type to size_t.\n\nUBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19\n2147479552 + 8567 cannot be represented in type 'int'\nCPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\n  dump_backtrace+0x214/0x230\n  show_stack+0x30/0x78\n  dump_stack_lvl+0xf8/0x118\n  dump_stack+0x18/0x30\n  ubsan_epilogue+0x18/0x60\n  handle_overflow+0xd0/0xf0\n  __ubsan_handle_add_overflow+0x34/0x44\n  __ip6_append_data.isra.48+0x1598/0x1688\n  ip6_append_data+0x128/0x260\n  udpv6_sendmsg+0x680/0xdd0\n  inet6_sendmsg+0x54/0x90\n  sock_sendmsg+0x70/0x88\n  ____sys_sendmsg+0xe8/0x368\n  ___sys_sendmsg+0x98/0xe0\n  __sys_sendmmsg+0xf4/0x3b8\n  __arm64_sys_sendmmsg+0x34/0x48\n  invoke_syscall+0x64/0x160\n  el0_svc_common.constprop.4+0x124/0x300\n  do_el0_svc+0x44/0xc8\n  el0_svc+0x3c/0x1e8\n  el0t_64_sync_handler+0x88/0xb0\n  el0t_64_sync+0x16c/0x170\n\nChanges since v1:\n-Change the variable [length] type to unsigned, as Eric Dumazet suggested.\nChanges since v2:\n-Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.\nChanges since v3:\n-Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as\nJakub Kicinski suggested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49728",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred\n\nSimilar to the handling of play_deferred in commit 19cfe912c37b\n(\"Bluetooth: btusb: Fix memory leak in play_deferred\"), we thought\na patch might be needed here as well.\n\nCurrently usb_submit_urb is called directly to submit deferred tx\nurbs after unanchor them.\n\nSo the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb\nand cause memory leak.\n\nPut those urbs in tx_anchor to avoid the leak, and also fix the error\nhandling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49729",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()\n\nIn an unlikely (and probably wrong?) case that the 'ppi' parameter of\nata_host_alloc_pinfo() points to an array starting with a NULL pointer,\nthere's going to be a kernel oops as the 'pi' local variable won't get\nreassigned from the initial value of NULL. Initialize 'pi' instead to\n'&ata_dummy_port_info' to fix the possible kernel oops for good...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49731",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock: redo the psock vs ULP protection check\n\nCommit 8a59f9d1e3d4 (\"sock: Introduce sk->sk_prot->psock_update_sk_prot()\")\nhas moved the inet_csk_has_ulp(sk) check from sk_psock_init() to\nthe new tcp_bpf_update_proto() function. I'm guessing that this\nwas done to allow creating psocks for non-inet sockets.\n\nUnfortunately the destruction path for psock includes the ULP\nunwind, so we need to fail the sk_psock_init() itself.\nOtherwise if ULP is already present we'll notice that later,\nand call tcp_update_ulp() with the sk_proto of the ULP\nitself, which will most likely result in the ULP looping\nits callbacks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49732",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19"
        },
        {
          "id": "CVE-2022-49733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC\n\nThere is a small race window at snd_pcm_oss_sync() that is called from\nOSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls\nsnd_pcm_oss_make_ready() at first, then takes the params_lock mutex\nfor the rest.  When the stream is set up again by another thread\nbetween them, it leads to inconsistency, and may result in unexpected\nresults such as NULL dereference of OSS buffer as a fuzzer spotted\nrecently.\n\nThe fix is simply to cover snd_pcm_oss_make_ready() call into the same\nparams_lock mutex with snd_pcm_oss_make_ready_locked() variant.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_extra_isize in is_alive()\n\nsyzbot found a f2fs bug:\n\nBUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline]\nBUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline]\nBUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline]\nBUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734\nRead of size 4 at addr ffff888076557568 by task kworker/u4:3/52\n\nCPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:284 [inline]\nprint_report+0x15e/0x45d mm/kasan/report.c:395\nkasan_report+0xbb/0x1f0 mm/kasan/report.c:495\ndata_blkaddr fs/f2fs/f2fs.h:2891 [inline]\nis_alive fs/f2fs/gc.c:1117 [inline]\ngc_data_segment fs/f2fs/gc.c:1520 [inline]\ndo_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734\nf2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831\nf2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410\nf2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753\nwrite_inode fs/fs-writeback.c:1440 [inline]\n__writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652\nwriteback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870\nwb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044\nwb_do_writeback fs/fs-writeback.c:2187 [inline]\nwb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227\nprocess_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nThe root cause is that we forgot to do sanity check on .i_extra_isize\nin below path, result in accessing invalid address later, fix it.\n- gc_data_segment\n - is_alive\n  - data_blkaddr\n   - offset_in_addr",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Always check inode size of inline inodes\n\nCheck if the inode size of stuffed (inline) inodes is within the allowed\nrange when reading inodes from disk (gfs2_dinode_in()).  This prevents\nus from on-disk corruption.\n\nThe two checks in stuffed_readpage() and gfs2_unstuffer_page() that just\ntruncate inline data to the maximum allowed size don't actually make\nsense, and they can be removed now as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads\n\nThis patch fixes slab-out-of-bounds reads in brcmfmac that occur in\nbrcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count\nvalue of channel specifications provided by the device is greater than\nthe length of 'list->element[]', decided by the size of the 'list'\nallocated with kzalloc(). The patch adds checks that make the functions\nfree the buffer and return -EINVAL if that is the case. Note that the\nnegative return is handled by the caller, brcmf_setup_wiphybands() or\nbrcmf_cfg80211_attach().\n\nFound by a modified version of syzkaller.\n\nCrash Report from brcmf_construct_chaninfo():\n==================================================================\nBUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430\nRead of size 4 at addr ffff888115f24600 by task kworker/0:2/1896\n\nCPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n print_address_description.constprop.0.cold+0x93/0x334\n kasan_report.cold+0x83/0xdf\n brcmf_setup_wiphybands+0x1238/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nAllocated by task 1896:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0x7c/0x90\n kmem_cache_alloc_trace+0x19e/0x330\n brcmf_setup_wiphybands+0x290/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the object at ffff888115f24000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1536 bytes inside of\n 2048-byte region [ffff888115f24000, ffff888115f24800)\n\nMemory state around the buggy address:\n ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   ^\n ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n==================================================================\n\nCrash Report from brcmf_enable_bw40_2g():\n==========\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: fix error handling code in ufx_usb_probe\n\nThe current error handling code in ufx_usb_probe have many unmatching\nissues, e.g., missing ufx_free_usb_list, destroy_modedb label should\nonly include framebuffer_release, fb_dealloc_cmap only matches\nfb_alloc_cmap.\n\nMy local syzkaller reports a memory leak bug:\n\nmemory leak in ufx_usb_probe\n\nBUG: memory leak\nunreferenced object 0xffff88802f879580 (size 128):\n  comm \"kworker/0:7\", pid 17416, jiffies 4295067474 (age 46.710s)\n  hex dump (first 32 bytes):\n    80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff  .!|.............\n    00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00  ................\n  backtrace:\n    [<ffffffff814c99a0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045\n    [<ffffffff824d219c>] kmalloc include/linux/slab.h:553 [inline]\n    [<ffffffff824d219c>] kzalloc include/linux/slab.h:689 [inline]\n    [<ffffffff824d219c>] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline]\n    [<ffffffff824d219c>] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655\n    [<ffffffff82d17927>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline]\n    [<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639\n    [<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778\n    [<ffffffff827132da>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808\n    [<ffffffff82713c27>] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936\n    [<ffffffff82710137>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427\n    [<ffffffff827136b5>] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008\n    [<ffffffff82711d36>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487\n    [<ffffffff8270e242>] device_add+0x642/0xdc0 drivers/base/core.c:3517\n    [<ffffffff82d14d5f>] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170\n    [<ffffffff82d2576c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [<ffffffff82d16ffc>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline]\n    [<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639\n    [<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778\n\nFix this bug by rewriting the error handling code in ufx_usb_probe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: initialize locks earlier in f2fs_fill_super()\n\nsyzbot is reporting lockdep warning at f2fs_handle_error() [1], for\nspin_lock(&sbi->error_lock) is called before spin_lock_init() is called.\nFor safe locking in error handling, move initialization of locks (and\nobvious structures) in f2fs_fill_super() to immediately after memory\nallocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: Use \"buf\" flexible array for memcpy() destination\n\nThe \"buf\" flexible array needs to be the memcpy() destination to avoid\nfalse positive run-time warning from the recent FORTIFY_SOURCE\nhardening:\n\n  memcpy: detected field-spanning write (size 93) of single field \"&fh->fb\"\n  at fs/overlayfs/export.c:799 (size 21)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/uffd: fix pte marker when fork() without fork event\n\nPatch series \"mm: Fixes on pte markers\".\n\nPatch 1 resolves the syzkiller report from Pengfei.\n\nPatch 2 further harden pte markers when used with the recent swapin error\nmarkers.  The major case is we should persist a swapin error marker after\nfork(), so child shouldn't read a corrupted page.\n\n\nThis patch (of 2):\n\nWhen fork(), dst_vma is not guaranteed to have VM_UFFD_WP even if src may\nhave it and has pte marker installed.  The warning is improper along with\nthe comment.  The right thing is to inherit the pte marker when needed, or\nkeep the dst pte empty.\n\nA vague guess is this happened by an accident when there's the prior patch\nto introduce src/dst vma into this helper during the uffd-wp feature got\ndeveloped and I probably messed up in the rebase, since if we replace\ndst_vma with src_vma the warning & comment it all makes sense too.\n\nHugetlb did exactly the right here (copy_hugetlb_page_range()).  Fix the\ngeneral path.\n\nReproducer:\n\nhttps://github.com/xupengfe/syzkaller_logs/blob/main/221208_115556_copy_page_range/repro.c\n\nBugzilla report: https://bugzilla.kernel.org/show_bug.cgi?id=216808",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: m10bmc-sec: Fix probe rollback\n\nHandle probe error rollbacks properly to avoid leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init\n\nIf the function sdma_load_context() fails, the sdma_desc will be\nfreed, but the allocated desc->bd is forgot to be freed.\n\nWe already met the sdma_load_context() failure case and the log as\nbelow:\n[ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready\n...\n\nIn this case, the desc->bd will not be freed without this change.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs/zmap.c: Fix incorrect offset calculation\n\nEffective offset to add to length was being incorrectly calculated,\nwhich resulted in iomap->length being set to 0, triggering a WARN_ON\nin iomap_iter_done().\n\nFix that, and describe it in comments.\n\nThis was reported as a crash by syzbot under an issue about a warning\nencountered in iomap_iter_done(), but unrelated to erofs.\n\nC reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000\nKernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02\nDashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: fix potential integer overflow on shift of a int\n\nThe left shift of int 32 bit integer constant 1 is evaluated using 32 bit\narithmetic and then passed as a 64 bit function argument. In the case where\ni is 32 or more this can lead to an overflow.  Avoid this by shifting\nusing the BIT_ULL macro instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: use casting of u64 in clock multiplication to avoid overflow\n\nIn functions i2c_dw_scl_lcnt() and i2c_dw_scl_hcnt() may have overflow\nby depending on the values of the given parameters including the ic_clk.\nFor example in our use case where ic_clk is larger than one million,\nmultiplication of ic_clk * 4700 will result in 32 bit overflow.\n\nAdd cast of u64 to the calculation to avoid multiplication overflow, and\nuse the corresponding define for divide.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Add u64 casts to avoid overflowing\n\nThe fields of the _CPC object are unsigned 32-bits values.\nTo avoid overflows while using _CPC's values, add 'u64' casts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: fix WARNING after calling w1_process()\n\nI got the following WARNING message while removing driver(ds2482):\n\n------------[ cut here ]------------\ndo not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]\nWARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0\nCPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G                 N 6.1.0-rc3+ #307\nRIP: 0010:__might_sleep+0x98/0xa0\nCall Trace:\n exit_signals+0x6c/0x550\n do_exit+0x2b4/0x17e0\n kthread_exit+0x52/0x60\n kthread+0x16d/0x1e0\n ret_from_fork+0x1f/0x30\n\nThe state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),\nset it to TASK_RUNNING when it breaks out of the loop to avoid the\nwarning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevice property: fix of node refcount leak in fwnode_graph_get_next_endpoint()\n\nThe 'parent' returned by fwnode_graph_get_port_parent()\nwith refcount incremented when 'prev' is not NULL, it\nneeds be put when finish using it.\n\nBecause the parent is const, introduce a new variable to\nstore the returned fwnode, then put it before returning\nfrom fwnode_graph_get_next_endpoint().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: Fix double increment of client_count in dma_chan_get()\n\nThe first time dma_chan_get() is called for a channel the channel\nclient_count is incorrectly incremented twice for public channels,\nfirst in balance_ref_count(), and again prior to returning. This\nresults in an incorrect client count which will lead to the\nchannel resources not being freed when they should be. A simple\n test of repeated module load and unload of async_tx on a Dell\n Power Edge R7425 also shows this resulting in a kref underflow\n warning.\n\n[  124.329662] async_tx: api initialized (async)\n[  129.000627] async_tx: api initialized (async)\n[  130.047839] ------------[ cut here ]------------\n[  130.052472] refcount_t: underflow; use-after-free.\n[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28\nrefcount_warn_saturate+0xba/0x110\n[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr\nintel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm\nmgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si\nsyscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops\nk10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat\nfat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul\nlibahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas\ni40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash\ndm_log dm_mod [last unloaded: async_tx]\n[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not\ntainted 5.14.0-185.el9.x86_64 #1\n[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS\n1.18.0 01/17/2022\n[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d\n26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a\nbd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff\n48 c7\n[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286\n[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000\n[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0\n[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff\n[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970\n[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)\nknlGS:0000000000000000\n[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0\n[  130.219729] Call Trace:\n[  130.222192]  <TASK>\n[  130.224305]  dma_chan_put+0x10d/0x110\n[  130.227988]  dmaengine_put+0x7a/0xa0\n[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280\n[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0\n[  130.242652]  do_syscall_64+0x5c/0x90\n[  130.246240]  ? exc_page_fault+0x62/0x150\n[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  130.255243] RIP: 0033:0x7f6463a3f5ab\n[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48\n83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00\n00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89\n01 48\n[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:\n00000000000000b0\n[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab\n[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8\n[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000\n[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8\n[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8\n[  130.320875]  </TASK>\n[  130.323081] ---[ end trace eff7156d56b5cf25 ]---\n\ncat /sys/class/dma/dma0chan*/in_use would get the wrong result.\n2\n2\n2\n\nTest-by: Jie Hai <haijie1@huawei.com>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix a buffer overflow in mgmt_mesh_add()\n\nSmatch Warning:\nnet/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()\n'mesh_tx->param' too small (48 vs 50)\n\nAnalysis:\n\n'mesh_tx->param' is an array of size 48. This is the destination.\nu8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.\n\nBut in the caller 'mesh_send' we reject only when len > 50.\nlen > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait\n\nWhile performing fast composition switch, there is a possibility that the\nprocess of ffs_ep0_write/ffs_ep0_read get into a race condition\ndue to ep0req being freed up from functionfs_unbind.\n\nConsider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait\nby taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't\nbounded so it can go ahead and mark the ep0req to NULL, and since there\nis no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.\n\nFix this by making a serialized execution between the two functions using\na mutex_lock(ffs->mutex).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe()\n\nsp_usb_phy_probe() will call platform_get_resource_byname() that may fail\nand return NULL. devm_ioremap() will use usbphy->moon4_res_mem->start as\ninput, which may cause a null-ptr-deref. Check the ret value of\nplatform_get_resource_byname() to avoid the null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/highbank: Fix memory leak in highbank_mc_probe()\n\nWhen devres_open_group() fails, it returns -ENOMEM without freeing memory\nallocated by edac_mc_alloc().\n\nCall edac_mc_free() on the error handling path to avoid a memory leak.\n\n  [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: uniphier-glue: Fix possible null-ptr-deref\n\nIt will cause null-ptr-deref when resource_size(res) is invoked,\nif platform_get_resource() returns NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Use threaded irqs instead of tasklets\n\nThe vmci_dispatch_dgs() tasklet function calls vmci_read_data()\nwhich uses wait_event() resulting in invalid sleep in an atomic\ncontext (and therefore potentially in a deadlock).\n\nUse threaded irqs to fix this issue and completely remove usage\nof tasklets.\n\n[   20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145\n[   20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd\n[   20.264645] preempt_count: 101, expected: 0\n[   20.264646] RCU nest depth: 0, expected: 0\n[   20.264647] 1 lock held by vmtoolsd/762:\n[   20.264648]  #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]\n[   20.264658] Preemption disabled at:\n[   20.264659] [<ffff80000151d7d8>] vmci_send_datagram+0x44/0xa0 [vmw_vmci]\n[   20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1\n[   20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020\n[   20.264668] Call trace:\n[   20.264669]  dump_backtrace+0xc4/0x130\n[   20.264672]  show_stack+0x24/0x80\n[   20.264673]  dump_stack_lvl+0x88/0xb4\n[   20.264676]  dump_stack+0x18/0x34\n[   20.264677]  __might_resched+0x1a0/0x280\n[   20.264679]  __might_sleep+0x58/0x90\n[   20.264681]  vmci_read_data+0x74/0x120 [vmw_vmci]\n[   20.264683]  vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]\n[   20.264686]  tasklet_action_common.constprop.0+0x13c/0x150\n[   20.264688]  tasklet_action+0x40/0x50\n[   20.264689]  __do_softirq+0x23c/0x6b4\n[   20.264690]  __irq_exit_rcu+0x104/0x214\n[   20.264691]  irq_exit_rcu+0x1c/0x50\n[   20.264693]  el1_interrupt+0x38/0x6c\n[   20.264695]  el1h_64_irq_handler+0x18/0x24\n[   20.264696]  el1h_64_irq+0x68/0x6c\n[   20.264697]  preempt_count_sub+0xa4/0xe0\n[   20.264698]  _raw_spin_unlock_irqrestore+0x64/0xb0\n[   20.264701]  vmci_send_datagram+0x7c/0xa0 [vmw_vmci]\n[   20.264703]  vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]\n[   20.264706]  vmci_datagram_send+0x2c/0x40 [vmw_vmci]\n[   20.264709]  vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]\n[   20.264711]  vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]\n[   20.264713]  vsock_connect+0x278/0x330 [vsock]\n[   20.264715]  __sys_connect_file+0x8c/0xc0\n[   20.264718]  __sys_connect+0x84/0xb4\n[   20.264720]  __arm64_sys_connect+0x2c/0x3c\n[   20.264721]  invoke_syscall+0x78/0x100\n[   20.264723]  el0_svc_common.constprop.0+0x68/0x124\n[   20.264724]  do_el0_svc+0x38/0x4c\n[   20.264725]  el0_svc+0x60/0x180\n[   20.264726]  el0t_64_sync_handler+0x11c/0x150\n[   20.264728]  el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix PTE marker handling in hugetlb_change_protection()\n\nPatch series \"mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()\".\n\nPlaying with virtio-mem and background snapshots (using uffd-wp) on\nhugetlb in QEMU, I managed to trigger a VM_BUG_ON().  Looking into the\ndetails, hugetlb_change_protection() seems to not handle uffd-wp correctly\nin all cases.\n\nPatch #1 fixes my test case.  I don't have reproducers for patch #2, as it\nrequires running into migration entries.\n\nI did not yet check in detail if !hugetlb code requires similar care.\n\n\nThis patch (of 2):\n\nThere are two problematic cases when stumbling over a PTE marker in\nhugetlb_change_protection():\n\n(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will\n    end up in the \"!huge_pte_none(pte)\" case and mess up the PTE marker.\n\n(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the\n    \"!huge_pte_none(pte)\" case even though we cleared the PTE, because\n    the \"pte\" variable is stale. We'll mess up the PTE marker.\n\nFor example, if we later stumble over such a \"wrongly modified\" PTE marker,\nwe'll treat it like a present PTE that maps some garbage page.\n\nThis can, for example, be triggered by mapping a memfd backed by huge\npages, registering uffd-wp, uffd-wp'ing an unmapped page and (a)\nuffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c)\nunregistering uffd-wp. Then, if we trigger fallocate(FALLOC_FL_PUNCH_HOLE)\non that file range, we will run into a VM_BUG_ON:\n\n[  195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n[  195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)\n[  195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000\n[  195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[  195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page))\n[  195.039573] ------------[ cut here ]------------\n[  195.039574] kernel BUG at mm/rmap.c:1346!\n[  195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1\n[  195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022\n[  195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550\n[  195.039588] Code: [...]\n[  195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292\n[  195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000\n[  195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff\n[  195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08\n[  195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0\n[  195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100\n[  195.039595] FS:  00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000\n[  195.039596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0\n[  195.039598] PKRU: 55555554\n[  195.039599] Call Trace:\n[  195.039600]  <TASK>\n[  195.039602]  __unmap_hugepage_range+0x33b/0x7d0\n[  195.039605]  unmap_hugepage_range+0x55/0x70\n[  195.039608]  hugetlb_vmdelete_list+0x77/0xa0\n[  195.039611]  hugetlbfs_fallocate+0x410/0x550\n[  195.039612]  ? _raw_spin_unlock_irqrestore+0x23/0x40\n[  195.039616]  vfs_fallocate+0x12e/0x360\n[  195.039618]  __x64_sys_fallocate+0x40/0x70\n[  195.039620]  do_syscall_64+0x58/0x80\n[  195.039623]  ? syscall_exit_to_user_mode+0x17/0x40\n[  195.039624]  ? do_syscall_64+0x67/0x80\n[  195.039626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  195.039628] RIP: 0033:0x7fc7b590651f\n[  195.039653] Code: [...]\n[  195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d\n[  195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always report error in run_one_delayed_ref()\n\nCurrently we have a btrfs_debug() for run_one_delayed_ref() failure, but\nif end users hit such a problem, there will be no chance that\nbtrfs_debug() is enabled.  This can lead to very little useful info for\ndebugging.\n\nThis patch will:\n\n- Add extra info for error reporting\n  Including:\n  * logical bytenr\n  * num_bytes\n  * type\n  * action\n  * ref_mod\n\n- Replace the btrfs_debug() with btrfs_err()\n\n- Move the error reporting into run_one_delayed_ref()\n  This is to avoid use-after-free, the @node can be freed in the caller.\n\nThis error should only be triggered at most once.\n\nAs if run_one_delayed_ref() failed, we trigger the error message, then\ncausing the call chain to error out:\n\nbtrfs_run_delayed_refs()\n`- btrfs_run_delayed_refs()\n   `- btrfs_run_delayed_refs_for_head()\n      `- run_one_delayed_ref()\n\nAnd we will abort the current transaction in btrfs_run_delayed_refs().\nIf we have to run delayed refs for the abort transaction,\nrun_one_delayed_ref() will just cleanup the refs and do nothing, thus no\nnew error messages would be output.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-49762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: check overflow when iterating ATTR_RECORDs\n\nKernel iterates over ATTR_RECORDs in mft record in ntfs_attr_find(). \nBecause the ATTR_RECORDs are next to each other, kernel can get the next\nATTR_RECORD from end address of current ATTR_RECORD, through current\nATTR_RECORD length field.\n\nThe problem is that during iteration, when kernel calculates the end\naddress of current ATTR_RECORD, kernel may trigger an integer overflow bug\nin executing `a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))`.  This\nmay wrap, leading to a forever iteration on 32bit systems.\n\nThis patch solves it by adding some checks on calculating end address\nof current ATTR_RECORD during iteration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: fix use-after-free in ntfs_attr_find()\n\nPatch series \"ntfs: fix bugs about Attribute\", v2.\n\nThis patchset fixes three bugs relative to Attribute in record:\n\nPatch 1 adds a sanity check to ensure that, attrs_offset field in first\nmft record loading from disk is within bounds.\n\nPatch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid\ndereferencing ATTR_RECORD before checking this ATTR_RECORD is within\nbounds.\n\nPatch 3 adds an overflow checking to avoid possible forever loop in\nntfs_attr_find().\n\nWithout patch 1 and patch 2, the kernel triggers a KASAN use-after-free\ndetection as reported by Syzkaller.\n\nAlthough one of patch 1 or patch 2 can fix this, we still need both of\nthem.  Because patch 1 fixes the root cause, and patch 2 not only fixes\nthe direct cause, but also fixes the potential out-of-bounds bug.\n\n\nThis patch (of 3):\n\nSyzkaller reported use-after-free read as follows:\n==================================================================\nBUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\nRead of size 2 at addr ffff88807e352009 by task syz-executor153/3607\n\n[...]\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597\n ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193\n ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845\n ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854\n mount_bdev+0x34d/0x410 fs/super.c:1400\n legacy_get_tree+0x105/0x220 fs/fs_context.c:610\n vfs_get_tree+0x89/0x2f0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x1326/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n </TASK>\n\nThe buggy address belongs to the physical page:\npage:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350\nhead:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140\nraw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                      ^\n ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nKernel will load $MFT/$DATA's first mft record in\nntfs_read_inode_mount().\n\nYet the problem is that after loading, kernel doesn't check whether\nattrs_offset field is a valid value.\n\nTo be more specific, if attrs_offset field is larger than bytes_allocated\nfield, then it may trigger the out-of-bounds read bug (reported as\nuse-after-free bug) in ntfs_attr_find(), when kernel tries to access the\ncorresponding mft record's attribute.\n\nThis patch solves it by adding the sanity check between attrs_offset field\nand bytes_allocated field, after loading the first mft record.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent bpf program recursion for raw tracepoint probes\n\nWe got a report from syzbot [1] about warnings that were caused by\nbpf program attached to contention_begin raw tracepoint triggering\nthe same tracepoint by using bpf_trace_printk helper that takes\ntrace_printk_lock lock.\n\n Call Trace:\n  <TASK>\n  ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90\n  bpf_trace_printk+0x2b/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  __unfreeze_partials+0x5b/0x160\n  ...\n\nThis can be reproduced by attaching bpf program as raw tracepoint on\ncontention_begin tracepoint. The bpf prog calls bpf_trace_printk\nhelper. Then by running perf bench the spin lock code is forced to\ntake slow path and call contention_begin tracepoint.\n\nFixing this by skipping execution of the bpf program if it's\nalready running, using bpf prog 'active' field, which is being\ncurrently used by trampoline programs for the same reason.\n\nMoving bpf_prog_inc_misses_counter to syscall.c because\ntrampoline.c is compiled in just for CONFIG_BPF_JIT option.\n\n[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: use a dedicated spinlock for trans_fd\n\nShamelessly copying the explanation from Tetsuo Handa's suggested\npatch[1] (slightly reworded):\nsyzbot is reporting inconsistent lock state in p9_req_put()[2],\nfor p9_tag_remove() from p9_req_put() from IRQ context is using\nspin_lock_irqsave() on \"struct p9_client\"->lock but trans_fd\n(not from IRQ context) is using spin_lock().\n\nSince the locks actually protect different things in client.c and in\ntrans_fd.c, just replace trans_fd.c's lock by a new one specific to the\ntransport (client.c's protect the idr for fid/tag allocations,\nwhile trans_fd.c's protects its own req list and request status field\nthat acts as the transport's state machine)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Bounds-check struct nlmsgerr creation\n\nIn preparation for FORTIFY_SOURCE doing bounds-check on memcpy(),\nswitch from __nlmsg_put to nlmsg_put(), and explain the bounds check\nfor dealing with the memcpy() across a composite flexible array struct.\nAvoids this future run-time warning:\n\n  memcpy: detected field-spanning write (size 32) of single field \"&errmsg->msg\" at net/netlink/af_netlink.c:2447 (size 16)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/trans_fd: always use O_NONBLOCK read/write\n\nsyzbot is reporting hung task at p9_fd_close() [1], for p9_mux_poll_stop()\n from p9_conn_destroy() from p9_fd_close() is failing to interrupt already\nstarted kernel_read() from p9_fd_read() from p9_read_work() and/or\nkernel_write() from p9_fd_write() from p9_write_work() requests.\n\nSince p9_socket_open() sets O_NONBLOCK flag, p9_mux_poll_stop() does not\nneed to interrupt kernel_read()/kernel_write(). However, since p9_fd_open()\ndoes not set O_NONBLOCK flag, but pipe blocks unless signal is pending,\np9_mux_poll_stop() needs to interrupt kernel_read()/kernel_write() when\nthe file descriptor refers to a pipe. In other words, pipe file descriptor\nneeds to be handled as if socket file descriptor.\n\nWe somehow need to interrupt kernel_read()/kernel_write() on pipes.\n\nA minimal change, which this patch is doing, is to set O_NONBLOCK flag\n from p9_fd_open(), for O_NONBLOCK flag does not affect reading/writing\nof regular files. But this approach changes O_NONBLOCK flag on userspace-\nsupplied file descriptors (which might break userspace programs), and\nO_NONBLOCK flag could be changed by userspace. It would be possible to set\nO_NONBLOCK flag every time p9_fd_read()/p9_fd_write() is invoked, but a small\nrace window still remains for clearing O_NONBLOCK flag.\n\nIf we don't want to manipulate O_NONBLOCK flag, we might be able to\nsurround kernel_read()/kernel_write() with set_thread_flag(TIF_SIGPENDING)\nand recalc_sigpending(). Since p9_read_work()/p9_write_work() works are\nprocessed by kernel threads which process global system_wq workqueue,\nsignals could not be delivered from remote threads when p9_mux_poll_stop()\n from p9_conn_destroy() from p9_fd_close() is called. Therefore, calling\nset_thread_flag(TIF_SIGPENDING)/recalc_sigpending() every time would be\nneeded if we count on signals for making kernel_read()/kernel_write()\nnon-blocking.\n\n[Dominique: add comment at Christian's suggestion]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: trans_fd/p9_conn_cancel: drop client lock earlier\n\nsyzbot reported a double-lock here and we no longer need this\nlock after requests have been moved off to local list:\njust drop the lock earlier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Check sb_bsize_shift after reading superblock\n\nFuzzers like to scribble over sb_bsize_shift but in reality it's very\nunlikely that this field would be corrupted on its own. Nevertheless it\nshould be checked to avoid the possibility of messy mount errors due to\nbad calculations. It's always a fixed value based on the block size so\nwe can just check that it's the expected value.\n\nTested with:\n\n    mkfs.gfs2 -O -p lock_nolock /dev/vdb\n    for i in 0 -1 64 65 32 33; do\n        gfs2_edit -p sb field sb_bsize_shift $i /dev/vdb\n        mount /dev/vdb /mnt/test && umount /mnt/test\n    done\n\nBefore this patch we get a withdraw after\n\n[   76.413681] gfs2: fsid=loop0.0: fatal: invalid metadata block\n[   76.413681]   bh = 19 (type: exp=5, found=4)\n[   76.413681]   function = gfs2_meta_buffer, file = fs/gfs2/meta_io.c, line = 492\n\nand with UBSAN configured we also get complaints like\n\n[   76.373395] UBSAN: shift-out-of-bounds in fs/gfs2/ops_fstype.c:295:19\n[   76.373815] shift exponent 4294967287 is too large for 64-bit type 'long unsigned int'\n\nAfter the patch, these complaints don't appear, mount fails immediately\nand we get an explanation in dmesg.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: avoid putting the realm twice when decoding snaps fails\n\nWhen decoding the snaps fails it may be leaving the 'first_realm'\nand 'realm' pointing to the same snaprealm memory. And then it'll\nput it twice and could cause random use-after-free, BUG_ON, etc\nissues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm ioctl: fix misbehavior if list_versions races with module loading\n\n__list_versions will first estimate the required space using the\n\"dm_target_iterate(list_version_get_needed, &needed)\" call and then will\nfill the space using the \"dm_target_iterate(list_version_get_info,\n&iter_info)\" call. Each of these calls locks the targets using the\n\"down_read(&_lock)\" and \"up_read(&_lock)\" calls, however between the first\nand second \"dm_target_iterate\" there is no lock held and the target\nmodules can be loaded at this point, so the second \"dm_target_iterate\"\ncall may need more space than what was the first \"dm_target_iterate\"\nreturned.\n\nThe code tries to handle this overflow (see the beginning of\nlist_version_get_info), however this handling is incorrect.\n\nThe code sets \"param->data_size = param->data_start + needed\" and\n\"iter_info.end = (char *)vers+len\" - \"needed\" is the size returned by the\nfirst dm_target_iterate call; \"len\" is the size of the buffer allocated by\nuserspace.\n\n\"len\" may be greater than \"needed\"; in this case, the code will write up\nto \"len\" bytes into the buffer, however param->data_size is set to\n\"needed\", so it may write data past the param->data_size value. The ioctl\ninterface copies only up to param->data_size into userspace, thus part of\nthe result will be truncated.\n\nFix this bug by setting \"iter_info.end = (char *)vers + needed;\" - this\nguarantees that the second \"dm_target_iterate\" call will write only up to\nthe \"needed\" buffer and it will exit with \"DM_BUFFER_FULL_FLAG\" if it\noverflows the \"needed\" space - in this case, userspace will allocate a\nlarger buffer and retry.\n\nNote that there is also a bug in list_version_get_needed - we need to add\n\"strlen(tt->name) + 1\" to the needed size, not \"strlen(tt->name)\".",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()\n\nsnd_usbmidi_output_open() has a check of the NULL port with\nsnd_BUG_ON().  snd_BUG_ON() was used as this shouldn't have happened,\nbut in reality, the NULL port may be seen when the device gives an\ninvalid endpoint setup at the descriptor, hence the driver skips the\nallocation.  That is, the check itself is valid and snd_BUG_ON()\nshould be dropped from there.  Otherwise it's confusing as if it were\na real bug, as recently syzbot stumbled on it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix optc2_configure warning on dcn314\n\n[Why]\ndcn314 uses optc2_configure_crc() that wraps\noptc1_configure_crc() + set additional registers\nnot applicable to dcn314.\nIt's not critical but when used leads to warning like:\nWARNING: drivers/gpu/drm/amd/amdgpu/../display/dc/dc_helper.c\nCall Trace:\n<TASK>\ngeneric_reg_set_ex+0x6d/0xe0 [amdgpu]\noptc2_configure_crc+0x60/0x80 [amdgpu]\ndc_stream_configure_crc+0x129/0x150 [amdgpu]\namdgpu_dm_crtc_configure_crc_source+0x5d/0xe0 [amdgpu]\n\n[How]\nUse optc1_configure_crc() directly",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/xen: Fix eventfd error handling in kvm_xen_eventfd_assign()\n\nShould not call eventfd_ctx_put() in case of error.\n\n[Introduce new goto target instead. - Paolo]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: cdg: allow tcp_cdg_release() to be called multiple times\n\nApparently, mptcp is able to call tcp_disconnect() on an already\ndisconnected flow. This is generally fine, unless current congestion\ncontrol is CDG, because it might trigger a double-free [1]\n\nInstead of fixing MPTCP, and future bugs, we can make tcp_disconnect()\nmore resilient.\n\n[1]\nBUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]\nBUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567\n\nCPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: events mptcp_worker\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x719 mm/kasan/report.c:433\nkasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462\n____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145\n__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327\nmptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]\nmptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627\nprocess_one_work+0x991/0x1610 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n</TASK>\n\nAllocated by task 3671:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track mm/kasan/common.c:45 [inline]\nset_alloc_info mm/kasan/common.c:437 [inline]\n____kasan_kmalloc mm/kasan/common.c:516 [inline]\n____kasan_kmalloc mm/kasan/common.c:475 [inline]\n__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525\nkmalloc_array include/linux/slab.h:640 [inline]\nkcalloc include/linux/slab.h:671 [inline]\ntcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380\ntcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193\ntcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]\ntcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391\ndo_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513\ntcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801\nmptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844\n__sys_setsockopt+0x2d6/0x690 net/socket.c:2252\n__do_sys_setsockopt net/socket.c:2263 [inline]\n__se_sys_setsockopt net/socket.c:2260 [inline]\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 16:\nkasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\nkasan_set_track+0x21/0x30 mm/kasan/common.c:45\nkasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\n____kasan_slab_free mm/kasan/common.c:367 [inline]\n____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329\nkasan_slab_free include/linux/kasan.h:200 [inline]\nslab_free_hook mm/slub.c:1759 [inline]\nslab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785\nslab_free mm/slub.c:3539 [inline]\nkfree+0xe2/0x580 mm/slub.c:4567\ntcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226\ntcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254\ntcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969\ninet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157\ntcp_done+0x23b/0x340 net/ipv4/tcp.c:4649\ntcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624\ntcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525\ntcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759\nip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439\nip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484\nNF_HOOK include/linux/netfilter.h:302 [inline]\nNF_HOOK include/linux/netfilter.h:296 [inline]\nip6_input+0x9c/0xd\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: enforce a consistent minimal mtu\n\nmacvlan should enforce a minimal mtu of 68, even at link creation.\n\nThis patch avoids the current behavior (which could lead to crashes\nin ipv6 stack if the link is brought up)\n\n$ ip link add macvlan1 link eno1 mtu 8 type macvlan  # This should fail !\n$ ip link sh dev macvlan1\n5: macvlan1@eno1: <BROADCAST,MULTICAST> mtu 8 qdisc noop\n    state DOWN mode DEFAULT group default qlen 1000\n    link/ether 02:47:6c:24:74:82 brd ff:ff:ff:ff:ff:ff\n$ ip link set macvlan1 mtu 67\nError: mtu less than device minimum.\n$ ip link set macvlan1 mtu 68\n$ ip link set macvlan1 mtu 8\nError: mtu less than device minimum.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: i8042 - fix leaking of platform device on module removal\n\nAvoid resetting the module-wide i8042_platform_device pointer in\ni8042_probe() or i8042_remove(), so that the device can be properly\ndestroyed by i8042_exit() on module unload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/mm: fix incorrect file_map_count for non-leaf pmd/pud\n\nThe page table check trigger BUG_ON() unexpectedly when collapse hugepage:\n\n ------------[ cut here ]------------\n kernel BUG at mm/page_table_check.c:82!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n Modules linked in:\n CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750\n Hardware name: linux,dummy-virt (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : page_table_check_clear.isra.0+0x258/0x3f0\n lr : page_table_check_clear.isra.0+0x240/0x3f0\n[...]\n Call trace:\n  page_table_check_clear.isra.0+0x258/0x3f0\n  __page_table_check_pmd_clear+0xbc/0x108\n  pmdp_collapse_flush+0xb0/0x160\n  collapse_huge_page+0xa08/0x1080\n  hpage_collapse_scan_pmd+0xf30/0x1590\n  khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8\n  khugepaged+0x338/0x518\n  kthread+0x278/0x2f8\n  ret_from_fork+0x10/0x20\n[...]\n\nSince pmd_user_accessible_page() doesn't check if a pmd is leaf, it\ndecrease file_map_count for a non-leaf pmd comes from collapse_huge_page().\nand so trigger BUG_ON() unexpectedly.\n\nFix this problem by using pmd_leaf() insteal of pmd_present() in\npmd_user_accessible_page(). Moreover, use pud_leaf() for\npud_user_accessible_page() too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case\n\nIn __unregister_kprobe_top(), if the currently unregistered probe has\npost_handler but other child probes of the aggrprobe do not have\npost_handler, the post_handler of the aggrprobe is cleared. If this is\na ftrace-based probe, there is a problem. In later calls to\ndisarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is\nNULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in\n__disarm_kprobe_ftrace() and may even cause use-after-free:\n\n  Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2)\n  WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0\n  Modules linked in: testKprobe_007(-)\n  CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18\n  [...]\n  Call Trace:\n   <TASK>\n   __disable_kprobe+0xcd/0xe0\n   __unregister_kprobe_top+0x12/0x150\n   ? mutex_lock+0xe/0x30\n   unregister_kprobes.part.23+0x31/0xa0\n   unregister_kprobe+0x32/0x40\n   __x64_sys_delete_module+0x15e/0x260\n   ? do_user_addr_fault+0x2cd/0x6b0\n   do_syscall_64+0x3a/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   [...]\n\nFor the kprobe-on-ftrace case, we keep the post_handler setting to\nidentify this aggrprobe armed with kprobe_ipmodify_ops. This way we\ncan disarm it correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus()\n\nIf device_register() fails in tcm_loop_setup_hba_bus(), the name allocated\nby dev_set_name() need be freed. As comment of device_register() says, it\nshould use put_device() to give up the reference in the error path. So fix\nthis by calling put_device(), then the name can be freed in kobject_cleanup().\nThe 'tl_hba' will be freed in tcm_loop_release_adapter(), so it don't need\ngoto error label in this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Fix crash due to race between amd_pmu_enable_all, perf NMI and throttling\n\namd_pmu_enable_all() does:\n\n      if (!test_bit(idx, cpuc->active_mask))\n              continue;\n\n      amd_pmu_enable_event(cpuc->events[idx]);\n\nA perf NMI of another event can come between these two steps. Perf NMI\nhandler internally disables and enables _all_ events, including the one\nwhich nmi-intercepted amd_pmu_enable_all() was in process of enabling.\nIf that unintentionally enabled event has very low sampling period and\ncauses immediate successive NMI, causing the event to be throttled,\ncpuc->events[idx] and cpuc->active_mask gets cleared by x86_pmu_stop().\nThis will result in amd_pmu_enable_event() getting called with event=NULL\nwhen amd_pmu_enable_all() resumes after handling the NMIs. This causes a\nkernel crash:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  [...]\n  Call Trace:\n   <TASK>\n   amd_pmu_enable_all+0x68/0xb0\n   ctx_resched+0xd9/0x150\n   event_function+0xb8/0x130\n   ? hrtimer_start_range_ns+0x141/0x4a0\n   ? perf_duration_warn+0x30/0x30\n   remote_function+0x4d/0x60\n   __flush_smp_call_function_queue+0xc4/0x500\n   flush_smp_call_function_queue+0x11d/0x1b0\n   do_idle+0x18f/0x2d0\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x121/0x160\n   secondary_startup_64_no_verify+0xe5/0xeb\n   </TASK>\n\namd_pmu_disable_all()/amd_pmu_enable_all() calls inside perf NMI handler\nwere recently added as part of BRS enablement but I'm not sure whether\nwe really need them. We can just disable BRS in the beginning and enable\nit back while returning from NMI. This will solve the issue by not\nenabling those events whose active_masks are set but are not yet enabled\nin hw pmu.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Improve missing SIGTRAP checking\n\nTo catch missing SIGTRAP we employ a WARN in __perf_event_overflow(),\nwhich fires if pending_sigtrap was already set: returning to user space\nwithout consuming pending_sigtrap, and then having the event fire again\nwould re-enter the kernel and trigger the WARN.\n\nThis, however, seemed to miss the case where some events not associated\nwith progress in the user space task can fire and the interrupt handler\nruns before the IRQ work meant to consume pending_sigtrap (and generate\nthe SIGTRAP).\n\nsyzbot gifted us this stack trace:\n\n | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow\n | Modules linked in:\n | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022\n | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313\n | <...>\n | Call Trace:\n |  <TASK>\n |  perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729\n |  __run_hrtimer kernel/time/hrtimer.c:1685 [inline]\n |  __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749\n |  hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811\n |  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]\n |  __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113\n |  sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107\n |  asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649\n | <...>\n |  </TASK>\n\nIn this case, syzbot produced a program with event type\nPERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer\nmanages to fire again before the IRQ work got a chance to run, all while\nnever having returned to user space.\n\nImprove the WARN to check for real progress in user space: approximate\nthis by storing a 32-bit hash of the current IP into pending_sigtrap,\nand if an event fires while pending_sigtrap still matches the previous\nIP, we assume no progress (false negatives are possible given we could\nreturn to user space and trigger again on the same IP).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.10"
        },
        {
          "id": "CVE-2022-49783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Drop fpregs lock before inheriting FPU permissions\n\nMike Galbraith reported the following against an old fork of preempt-rt\nbut the same issue also applies to the current preempt-rt tree.\n\n   BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n   in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: systemd\n   preempt_count: 1, expected: 0\n   RCU nest depth: 0, expected: 0\n   Preemption disabled at:\n   fpu_clone\n   CPU: 6 PID: 1 Comm: systemd Tainted: G            E       (unreleased)\n   Call Trace:\n    <TASK>\n    dump_stack_lvl\n    ? fpu_clone\n    __might_resched\n    rt_spin_lock\n    fpu_clone\n    ? copy_thread\n    ? copy_process\n    ? shmem_alloc_inode\n    ? kmem_cache_alloc\n    ? kernel_clone\n    ? __do_sys_clone\n    ? do_syscall_64\n    ? __x64_sys_rt_sigprocmask\n    ? syscall_exit_to_user_mode\n    ? do_syscall_64\n    ? syscall_exit_to_user_mode\n    ? do_syscall_64\n    ? syscall_exit_to_user_mode\n    ? do_syscall_64\n    ? exc_page_fault\n    ? entry_SYSCALL_64_after_hwframe\n    </TASK>\n\nMike says:\n\n  The splat comes from fpu_inherit_perms() being called under fpregs_lock(),\n  and us reaching the spin_lock_irq() therein due to fpu_state_size_dynamic()\n  returning true despite static key __fpu_state_size_dynamic having never\n  been enabled.\n\nMike's assessment looks correct. fpregs_lock on a PREEMPT_RT kernel disables\npreemption so calling spin_lock_irq() in fpu_inherit_perms() is unsafe. This\nproblem exists since commit\n\n  9e798e9aa14c (\"x86/fpu: Prepare fpu_clone() for dynamically enabled features\").\n\nEven though the original bug report should not have enabled the paths at\nall, the bug still exists.\n\nfpregs_lock is necessary when editing the FPU registers or a task's FP\nstate but it is not necessary for fpu_inherit_perms(). The only write\nof any FP state in fpu_inherit_perms() is for the new child which is\nnot running yet and cannot context switch or be borrowed by a kernel\nthread yet. Hence, fpregs_lock is not protecting anything in the new\nchild until clone() completes and can be dropped earlier. The siglock\nstill needs to be acquired by fpu_inherit_perms() as the read of the\nparent's permissions has to be serialised.\n\n  [ bp: Cleanup splat. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd/uncore: Fix memory leak for events array\n\nWhen a CPU comes online, the per-CPU NB and LLC uncore contexts are\nfreed but not the events array within the context structure. This\ncauses a memory leak as identified by the kmemleak detector.\n\n  [...]\n  unreferenced object 0xffff8c5944b8e320 (size 32):\n    comm \"swapper/0\", pid 1, jiffies 4294670387 (age 151.072s)\n    hex dump (first 32 bytes):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<000000000759fb79>] amd_uncore_cpu_up_prepare+0xaf/0x230\n      [<00000000ddc9e126>] cpuhp_invoke_callback+0x2cf/0x470\n      [<0000000093e727d4>] cpuhp_issue_call+0x14d/0x170\n      [<0000000045464d54>] __cpuhp_setup_state_cpuslocked+0x11e/0x330\n      [<0000000069f67cbd>] __cpuhp_setup_state+0x6b/0x110\n      [<0000000015365e0f>] amd_uncore_init+0x260/0x321\n      [<00000000089152d2>] do_one_initcall+0x3f/0x1f0\n      [<000000002d0bd18d>] kernel_init_freeable+0x1ca/0x212\n      [<0000000030be8dde>] kernel_init+0x11/0x120\n      [<0000000059709e59>] ret_from_fork+0x22/0x30\n  unreferenced object 0xffff8c5944b8dd40 (size 64):\n    comm \"swapper/0\", pid 1, jiffies 4294670387 (age 151.072s)\n    hex dump (first 32 bytes):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<00000000306efe8b>] amd_uncore_cpu_up_prepare+0x183/0x230\n      [<00000000ddc9e126>] cpuhp_invoke_callback+0x2cf/0x470\n      [<0000000093e727d4>] cpuhp_issue_call+0x14d/0x170\n      [<0000000045464d54>] __cpuhp_setup_state_cpuslocked+0x11e/0x330\n      [<0000000069f67cbd>] __cpuhp_setup_state+0x6b/0x110\n      [<0000000015365e0f>] amd_uncore_init+0x260/0x321\n      [<00000000089152d2>] do_one_initcall+0x3f/0x1f0\n      [<000000002d0bd18d>] kernel_init_freeable+0x1ca/0x212\n      [<0000000030be8dde>] kernel_init+0x11/0x120\n      [<0000000059709e59>] ret_from_fork+0x22/0x30\n  [...]\n\nFix the problem by freeing the events array before freeing the uncore\ncontext.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Add overflow check in sgx_validate_offset_length()\n\nsgx_validate_offset_length() function verifies \"offset\" and \"length\"\narguments provided by userspace, but was missing an overflow check on\ntheir addition. Add it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: properly pin the parent in blkcg_css_online\n\nblkcg_css_online is supposed to pin the blkcg of the parent, but\n397c9f46ee4d refactored things and along the way, changed it to pin the\ncss instead.  This results in extra pins, and we end up leaking blkcgs\nand cgroups.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put()\n\npci_get_device() will increase the reference count for the returned\npci_dev. We need to use pci_dev_put() to decrease the reference count\nbefore amd_probe() returns. There is no problem for the 'smbus_dev ==\nNULL' branch because pci_dev_put() can also handle the NULL input\nparameter case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()\n\n`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,\nwhich may carry uninitialized data to the userspace, as observed by\nKMSAN:\n\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121\n   instrument_copy_to_user ./include/linux/instrumented.h:121\n   _copy_to_user+0x5f/0xb0 lib/usercopy.c:33\n   copy_to_user ./include/linux/uaccess.h:169\n   vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431\n   vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925\n   vfs_ioctl fs/ioctl.c:51\n  ...\n\n  Uninit was stored to memory at:\n   kmemdup+0x74/0xb0 mm/util.c:131\n   dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271\n   vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339\n   qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479\n   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n   vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940\n   vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488\n   vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927\n  ...\n\n  Local variable ev created at:\n   qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456\n   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n\n  Bytes 28-31 of 48 are uninitialized\n  Memory access of size 48 starts at ffff888035155e00\n  Data copied to user address 0000000020000100\n\nUse memset() to prevent the infoleaks.\n\nAlso speculatively fix qp_notify_peer_local(), which may suffer from the\nsame problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: zfcp: Fix double free of FSF request when qdio send fails\n\nWe used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache\nthe FSF request ID when sending a new FSF request. This is used in case the\nsending fails and we need to remove the request from our internal hash\ntable again (so we don't keep an invalid reference and use it when we free\nthe request again).\n\nIn 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32\nbit wide), but the rest of the zfcp code (and the firmware specification)\nhandles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x\nELF ABI]).  For one this has the obvious problem that when the ID grows\npast 32 bit (this can happen reasonably fast) it is truncated to 32 bit\nwhen storing it in the cache variable and so doesn't match the original ID\nanymore.  The second less obvious problem is that even when the original ID\nhas not yet grown past 32 bit, as soon as the 32nd bit is set in the\noriginal ID (0x80000000 = 2'147'483'648) we will have a mismatch when we\ncast it back to 'unsigned long'. As the cached variable is of a signed\ntype, the compiler will choose a sign-extending instruction to load the 32\nbit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once\nwe pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the\nrequest again all the leading zeros will be flipped to ones to extend the\nsign and won't match the original ID anymore (this has been observed in\npractice).\n\nIf we can't successfully remove the request from the hash table again after\n'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify\nthe adapter about new work because the adapter is already gone during\ne.g. a ChpID toggle) we will end up with a double free.  We unconditionally\nfree the request in the calling function when 'zfcp_fsf_req_send()' fails,\nbut because the request is still in the hash table we end up with a stale\nmemory reference, and once the zfcp adapter is either reset during recovery\nor shutdown we end up freeing the same memory twice.\n\nThe resulting stack traces vary depending on the kernel and have no direct\ncorrelation to the place where the bug occurs. Here are three examples that\nhave been seen in practice:\n\n  list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00)\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:62!\n  monitor event: 0040 ilc:2 [#1] PREEMPT SMP\n  Modules linked in: ...\n  CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded\n  Hardware name: ...\n  Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140)\n             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\n  Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6\n             0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8\n             00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800\n             00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70\n  Krnl Code: 00000003cbeea1e8: c020004f68a7        larl    %r2,00000003cc8d7336\n             00000003cbeea1ee: c0e50027fd65        brasl   %r14,00000003cc3e9cb8\n            #00000003cbeea1f4: af000000            mc      0,0\n            >00000003cbeea1f8: c02000920440        larl    %r2,00000003cd12aa78\n             00000003cbeea1fe: c0e500289c25        brasl   %r14,00000003cc3fda48\n             00000003cbeea204: b9040043            lgr     %r4,%r3\n             00000003cbeea208: b9040051            lgr     %r5,%r1\n             00000003cbeea20c: b9040032            lgr     %r3,%r2\n  Call Trace:\n   [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140\n  ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140)\n   [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp]\n   [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: iforce - invert valid length check when fetching device IDs\n\nsyzbot is reporting an uninitialized value at iforce_init_device() [1], for\ncommit 6ac0aec6b0a6 (\"Input: iforce - allow callers supply data buffer\nwhen fetching device IDs\") is checking that the valid length is shorter than\nbytes to read. Since iforce_get_id_packet() stores the valid length when\nreturning 0, the caller needs to check that the valid length is longer than or\nequal to bytes to read.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix multishot accept request leaks\n\nHaving REQ_F_POLLED set doesn't guarantee that the request is\nexecuted as a multishot from the polling path. Fortunately for us, if\nthe code thinks it's a multishot issue when it's not, it can only ask to\nskip completion, thus leaking the request. Use issue_flags to mark\nmultipoll issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: mp2629: fix potential array out of bound access\n\nAdd sentinel at end of maps to avoid potential array out of\nbound access in iio core.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init()\n\ndev_set_name() allocates memory for name; it needs to be freed\nwhen device_add() fails. Call put_device() to give up the\nreference that is held in device_initialize(), so that it can\nbe freed in kobject_cleanup() when the refcount hits 0.\n\nFault injection test can trigger this:\n\nunreferenced object 0xffff8e8340a7b4c0 (size 32):\n  comm \"modprobe\", pid 243, jiffies 4294678145 (age 48.845s)\n  hex dump (first 32 bytes):\n    69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65  iio_sysfs_trigge\n    72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff  r..@............\n  backtrace:\n    [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360\n    [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0\n    [<000000003636c520>] kstrdup+0x2d/0x60\n    [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90\n    [<0000000092efe493>] dev_set_name+0x4e/0x70",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger()\n\nIf iio_trigger_register() returns an error, it should call iio_trigger_free()\nto give up the reference that is held in iio_trigger_alloc(), so that it can\ncall iio_trig_release() to free memory when the refcount hits 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrethook: fix a potential memleak in rethook_alloc()\n\nIn rethook_alloc(), the variable rh is not freed or passed out\nif handler is NULL, which could lead to a memleak; fix it.\n\n[Masami: Add \"rethook:\" tag to the title.]\n\nAcked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit()\n\nWhen test_gen_kprobe_cmd() fails after kprobe_event_gen_cmd_end(), it\nwill goto delete, which will call kprobe_event_delete() and release the\ncorresponding resource. However, the trace_array in gen_kretprobe_test\nwill point to the invalid resource. Set gen_kretprobe_test to NULL\nafter calling kprobe_event_delete() to prevent null-ptr-deref.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000070\nPGD 0 P4D 0\nOops: 0000 [#1] SMP PTI\nCPU: 0 PID: 246 Comm: modprobe Tainted: G        W\n6.1.0-rc1-00174-g9522dc5c87da-dirty #248\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__ftrace_set_clr_event_nolock+0x53/0x1b0\nCode: e8 82 26 fc ff 49 8b 1e c7 44 24 0c ea ff ff ff 49 39 de 0f 84 3c\n01 00 00 c7 44 24 18 00 00 00 00 e8 61 26 fc ff 48 8b 6b 10 <44> 8b 65\n70 4c 8b 6d 18 41 f7 c4 00 02 00 00 75 2f\nRSP: 0018:ffffc9000159fe00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff88810971d268 RCX: 0000000000000000\nRDX: ffff8881080be600 RSI: ffffffff811b48ff RDI: ffff88810971d058\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc9000159fe58 R11: 0000000000000001 R12: ffffffffa0001064\nR13: ffffffffa000106c R14: ffff88810971d238 R15: 0000000000000000\nFS:  00007f89eeff6540(0000) GS:ffff88813b600000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000070 CR3: 000000010599e004 CR4: 0000000000330ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __ftrace_set_clr_event+0x3e/0x60\n trace_array_set_clr_event+0x35/0x50\n ? 0xffffffffa0000000\n kprobe_event_gen_test_exit+0xcd/0x10b [kprobe_event_gen_test]\n __x64_sys_delete_module+0x206/0x380\n ? lockdep_hardirqs_on_prepare+0xd8/0x190\n ? syscall_enter_from_user_mode+0x1c/0x50\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f89eeb061b7",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit()\n\nWhen trace_get_event_file() fails, gen_kretprobe_test will be assigned\nthe error code. If module kprobe_event_gen_test is removed now, the\nnull pointer dereference will happen in kprobe_event_gen_test_exit().\nCheck if gen_kprobe_test or gen_kretprobe_test is an error code or NULL\nbefore dereferencing them.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\nPGD 0 P4D 0\nOops: 0000 [#1] SMP PTI\nCPU: 3 PID: 2210 Comm: modprobe Not tainted\n6.1.0-rc1-00171-g2159299a3b74-dirty #217\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kprobe_event_gen_test_exit+0x1c/0xb5 [kprobe_event_gen_test]\nCode: Unable to access opcode bytes at 0xffffffff9ffffff2.\nRSP: 0018:ffffc900015bfeb8 EFLAGS: 00010246\nRAX: ffffffffffffffea RBX: ffffffffa0002080 RCX: 0000000000000000\nRDX: ffffffffa0001054 RSI: ffffffffa0001064 RDI: ffffffffdfc6349c\nRBP: ffffffffa0000000 R08: 0000000000000004 R09: 00000000001e95c0\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000800\nR13: ffffffffa0002420 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f56b75be540(0000) GS:ffff88813bc00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffff9ffffff2 CR3: 000000010874a006 CR4: 0000000000330ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __x64_sys_delete_module+0x206/0x380\n ? lockdep_hardirqs_on_prepare+0xd8/0x190\n ? syscall_enter_from_user_mode+0x1c/0x50\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race where eprobes can be called before the event\n\nThe flag that tells the event to call its triggers after reading the event\nis set for eprobes after the eprobe is enabled. This leads to a race where\nthe eprobe may be triggered at the beginning of the event where the record\ninformation is NULL. The eprobe then dereferences the NULL record causing\na NULL kernel pointer bug.\n\nTest for a NULL record to keep this from happening.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix wild-memory-access in register_synth_event()\n\nIn register_synth_event(), if set_synth_event_print_fmt() fails, then\nboth trace_remove_event_call() and unregister_trace_event() will be\ncalled, which means the trace_event_call will call\n__unregister_trace_event() twice. As a result, the second unregister\nwill cause the wild-memory-access.\n\nregister_synth_event\n    set_synth_event_print_fmt failed\n    trace_remove_event_call\n        event_remove\n            if call->event.funcs then\n            __unregister_trace_event (first call)\n    unregister_trace_event\n        __unregister_trace_event (second call)\n\nFix the bug by avoiding calling the second __unregister_trace_event() by\nchecking if the first one was called.\n\ngeneral protection fault, probably for non-canonical address\n\t0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI\nKASAN: maybe wild-memory-access in range\n[0xdead000000000120-0xdead000000000127]\nCPU: 0 PID: 3807 Comm: modprobe Not tainted\n6.1.0-rc1-00186-g76f33a7eedb4 #299\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_trace_event+0x6e/0x280\nCode: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48\nb8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02\n00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b\nRSP: 0018:ffff88810413f370 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000\nRDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20\nRBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481\nR10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122\nR13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028\nFS:  00007f7823e8d540(0000) GS:ffff888119e00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __create_synth_event+0x1e37/0x1eb0\n create_or_delete_synth_event+0x110/0x250\n synth_event_run_command+0x2f/0x110\n test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]\n synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]\n do_one_initcall+0xdb/0x480\n do_init_module+0x1cf/0x680\n load_module+0x6a50/0x70a0\n __do_sys_finit_module+0x12f/0x1c0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event()\n\ntest_gen_synth_cmd() only frees buf in the fail path, hence buf will leak\nwhen there is no failure. Add kfree(buf) to prevent the memleak. The\nsame reason and solution apply in test_empty_synth_event().\n\nunreferenced object 0xffff8881127de000 (size 2048):\n  comm \"modprobe\", pid 247, jiffies 4294972316 (age 78.756s)\n  hex dump (first 32 bytes):\n    20 67 65 6e 5f 73 79 6e 74 68 5f 74 65 73 74 20   gen_synth_test\n    20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69 64 5f   pid_t next_pid_\n  backtrace:\n    [<000000004254801a>] kmalloc_trace+0x26/0x100\n    [<0000000039eb1cf5>] 0xffffffffa00083cd\n    [<000000000e8c3bc8>] 0xffffffffa00086ba\n    [<00000000c293d1ea>] do_one_initcall+0xdb/0x480\n    [<00000000aa189e6d>] do_init_module+0x1cf/0x680\n    [<00000000d513222b>] load_module+0x6a50/0x70a0\n    [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0\n    [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90\n    [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\nunreferenced object 0xffff8881127df000 (size 2048):\n  comm \"modprobe\", pid 247, jiffies 4294972324 (age 78.728s)\n  hex dump (first 32 bytes):\n    20 65 6d 70 74 79 5f 73 79 6e 74 68 5f 74 65 73   empty_synth_tes\n    74 20 20 70 69 64 5f 74 20 6e 65 78 74 5f 70 69  t  pid_t next_pi\n  backtrace:\n    [<000000004254801a>] kmalloc_trace+0x26/0x100\n    [<00000000d4db9a3d>] 0xffffffffa0008071\n    [<00000000c31354a5>] 0xffffffffa00086ce\n    [<00000000c293d1ea>] do_one_initcall+0xdb/0x480\n    [<00000000aa189e6d>] do_init_module+0x1cf/0x680\n    [<00000000d513222b>] load_module+0x6a50/0x70a0\n    [<000000001fd4d529>] __do_sys_finit_module+0x12f/0x1c0\n    [<00000000b36c4c0f>] do_syscall_64+0x3f/0x90\n    [<00000000bbf20cf3>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix memory leak in tracing_read_pipe()\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff888105a18900 (size 128):\n  comm \"test_progs\", pid 18933, jiffies 4336275356 (age 22801.766s)\n  hex dump (first 32 bytes):\n    25 73 00 90 81 88 ff ff 26 05 00 00 42 01 58 04  %s......&...B.X.\n    03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000560143a1>] __kmalloc_node_track_caller+0x4a/0x140\n    [<000000006af00822>] krealloc+0x8d/0xf0\n    [<00000000c309be6a>] trace_iter_expand_format+0x99/0x150\n    [<000000005a53bdb6>] trace_check_vprintf+0x1e0/0x11d0\n    [<0000000065629d9d>] trace_event_printf+0xb6/0xf0\n    [<000000009a690dc7>] trace_raw_output_bpf_trace_printk+0x89/0xc0\n    [<00000000d22db172>] print_trace_line+0x73c/0x1480\n    [<00000000cdba76ba>] tracing_read_pipe+0x45c/0x9f0\n    [<0000000015b58459>] vfs_read+0x17b/0x7c0\n    [<000000004aeee8ed>] ksys_read+0xed/0x1c0\n    [<0000000063d3d898>] do_syscall_64+0x3b/0x90\n    [<00000000a06dda7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\niter->fmt is allocated in\n  tracing_read_pipe() -> .. ->trace_iter_expand_format(), but not\nfreed; to fix, add a free in tracing_release_pipe()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix null pointer dereference in ftrace_add_mod()\n\nThe @ftrace_mod is allocated by kzalloc(), so both the members {prev,next}\nof @ftrace_mod->list are NULL; it's not a valid state to call list_del().\nIf kstrdup() for @ftrace_mod->{func|module} fails, it goes to the @out_free\ntag and calls free_ftrace_mod() to destroy @ftrace_mod, then list_del()\nwill write prev->next and next->prev, where a null pointer dereference\nhappens.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCall Trace:\n <TASK>\n ftrace_mod_callback+0x20d/0x220\n ? do_filp_open+0xd9/0x140\n ftrace_process_regex.isra.51+0xbf/0x130\n ftrace_regex_write.isra.52.part.53+0x6e/0x90\n vfs_write+0xee/0x3a0\n ? __audit_filter_op+0xb1/0x100\n ? auditd_test_task+0x38/0x50\n ksys_write+0xa5/0xe0\n do_syscall_64+0x3a/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nKernel panic - not syncing: Fatal exception\n\nSo call INIT_LIST_HEAD() to initialize the list member to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: Fix memory leak of nsim_dev->fa_cookie\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff8881bac872d0 (size 8):\n  comm \"sh\", pid 58603, jiffies 4481524462 (age 68.065s)\n  hex dump (first 8 bytes):\n    04 00 00 00 de ad be ef                          ........\n  backtrace:\n    [<00000000c80b8577>] __kmalloc+0x49/0x150\n    [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim]\n    [<0000000093d78e77>] full_proxy_write+0xf3/0x180\n    [<000000005a662c16>] vfs_write+0x1c5/0xaf0\n    [<000000007aabf84a>] ksys_write+0xed/0x1c0\n    [<000000005f1d2e47>] do_syscall_64+0x3b/0x90\n    [<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\n\nnsim_dev_trap_fa_cookie_write()\n  kmalloc() fa_cookie\n  nsim_dev->fa_cookie = fa_cookie\n..\nnsim_drv_remove()\n\nThe fa_cookie allocated in nsim_dev_trap_fa_cookie_write() is not freed. To\nfix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: avoid using global register for current_stack_pointer\n\nCommit 30de14b1884b (\"s390: current_stack_pointer shouldn't be a\nfunction\") made current_stack_pointer a global register variable like\non many other architectures. Unfortunately on s390 it uncovers an old\ngcc bug which is fixed only since gcc-9.1 [gcc commit 3ad7fed1cc87\n(\"S/390: Fix PR89775. Stackpointer save/restore instructions removed\")]\nand backported to gcc-8.4 and later. Due to this bug gcc versions prior\nto 8.4 generate broken code which leads to stack corruptions.\n\nThe current minimal gcc version required to build the kernel is declared\nas 5.1. It is not possible to fix all old gcc versions, so work\naround this problem by avoiding using a global register variable for\ncurrent_stack_pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: Fix potential null-ptr-deref in lan966x_stats_init()\n\nlan966x_stats_init() calls create_singlethread_workqueue() and does not\ncheck the ret value, which may be NULL. A null-ptr-deref may\nhappen:\n\nlan966x_stats_init()\n    create_singlethread_workqueue() # failed, lan966x->stats_queue is NULL\n    queue_delayed_work()\n        queue_delayed_work_on()\n            __queue_delayed_work()  # warning here, but continue\n                __queue_work()      # access wq->flags, null-ptr-deref\n\nCheck the ret value and return -ENOMEM if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: sparx5: Fix potential null-ptr-deref in sparx_stats_init() and sparx5_start()\n\nsparx_stats_init() calls create_singlethread_workqueue() and does not\ncheck the ret value, which may be NULL. A null-ptr-deref may\nhappen:\n\nsparx_stats_init()\n    create_singlethread_workqueue() # failed, sparx5->stats_queue is NULL\n    queue_delayed_work()\n        queue_delayed_work_on()\n            __queue_delayed_work()  # warning here, but continue\n                __queue_work()      # access wq->flags, null-ptr-deref\n\nCheck the ret value and return -ENOMEM if it is NULL. The same applies to\nsparx5_start().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a memory leak in nvmet_auth_set_key\n\nWhen changing dhchap secrets we need to release the old\nsecrets as well.\n\nkmemleak complaint:\n--\nunreferenced object 0xffff8c7f44ed8180 (size 64):\n  comm \"check\", pid 7304, jiffies 4295686133 (age 72034.246s)\n  hex dump (first 32 bytes):\n    44 48 48 43 2d 31 3a 30 30 3a 4c 64 4c 4f 64 71  DHHC-1:00:LdLOdq\n    79 56 69 67 77 48 55 32 6d 5a 59 4c 7a 35 59 38  yVigwHU2mZYLz5Y8\n  backtrace:\n    [<00000000b6fc5071>] kstrdup+0x2e/0x60\n    [<00000000f0f4633f>] 0xffffffffc0e07ee6\n    [<0000000053006c05>] 0xffffffffc0dff783\n    [<00000000419ae922>] configfs_write_iter+0xb1/0x120\n    [<000000008183c424>] vfs_write+0x2be/0x3c0\n    [<000000009005a2a5>] ksys_write+0x5f/0xe0\n    [<00000000cd495c89>] do_syscall_64+0x38/0x90\n    [<00000000f2a84ac5>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: don't leak tagger-owned storage on switch driver unbind\n\nIn the initial commit dc452a471dba (\"net: dsa: introduce tagger-owned\nstorage for private and shared data\"), we had a call to\ntag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at\ntree teardown time.\n\nThere were problems with connecting to a switch tree as a whole, so this\ngot reworked to connecting to individual switches within the tree. In\nthis process, tag_ops->disconnect(ds) was made to be called only from\nswitch.c (cross-chip notifiers emitted as a result of dynamic tag proto\nchanges), but the normal driver teardown code path wasn't replaced with\nanything.\n\nSolve this problem by adding a function that does the opposite of\ndsa_switch_setup_tag_protocol(), which is called from the equivalent\nspot in dsa_switch_teardown(). The positioning here also ensures that we\nwon't have any use-after-free in tagging protocol (*rcv) ops, since the\nteardown sequence is as follows:\n\ndsa_tree_teardown\n-> dsa_tree_teardown_master\n   -> dsa_master_teardown\n      -> unsets master->dsa_ptr, making no further packets match the\n         ETH_P_XDSA packet type handler\n-> dsa_tree_teardown_ports\n   -> dsa_port_teardown\n      -> dsa_slave_destroy\n         -> unregisters DSA net devices, there is even a synchronize_net()\n            in unregister_netdevice_many()\n-> dsa_tree_teardown_switches\n   -> dsa_switch_teardown\n      -> dsa_switch_teardown_tag_protocol\n         -> finally frees the tagger-owned storage",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix skb leak in x25_lapb_receive_frame()\n\nx25_lapb_receive_frame() uses skb_copy() to get a private copy of\nskb; the new skb should be freed in the undersized/fragmented skb\nerror handling path. Otherwise there is a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix missing xas_retry() calls in xarray iteration\n\nnetfslib has a number of places in which it performs iteration of an xarray\nwhilst being under the RCU read lock.  It *should* call xas_retry() as the\nfirst thing inside of the loop and do \"continue\" if it returns true in case\nthe xarray walker passed out a special value indicating that the walk needs\nto be redone from the root[*].\n\nFix this by adding the missing retry checks.\n\n[*] I wonder if this should be done inside xas_find(), xas_next_node() and\n    suchlike, but I'm told that's not a simple change to effect.\n\nThis can cause an oops like that below.  Note the faulting address - this\nis an internal value (|0x2) returned from xarray.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000402\n...\nRIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]\n...\nCall Trace:\n netfs_rreq_assess+0xa6/0x240 [netfs]\n netfs_readpage+0x173/0x3b0 [netfs]\n ? init_wait_var_entry+0x50/0x50\n filemap_read_page+0x33/0xf0\n filemap_get_pages+0x2f2/0x3f0\n filemap_read+0xaa/0x320\n ? do_filp_open+0xb2/0x150\n ? rmqueue+0x3be/0xe10\n ceph_read_iter+0x1fe/0x680 [ceph]\n ? new_sync_read+0x115/0x1a0\n new_sync_read+0x115/0x1a0\n vfs_read+0xf3/0x180\n ksys_read+0x5f/0xe0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nChanges:\n========\nver #2)\n - Changed an unsigned int to a size_t to reduce the likelihood of an\n   overflow as per Willy's suggestion.\n - Added an additional patch to fix the maths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: use after free in drbd_create_device()\n\nThe drbd_destroy_connection() frees the \"connection\" so use the _safe()\niterator to prevent a use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: switchdev: Fix memory leaks when changing VLAN protocol\n\nThe bridge driver can offload VLANs to the underlying hardware either\nvia switchdev or the 8021q driver. When the former is used, the VLAN is\nmarked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV'\nprivate flag.\n\nTo avoid the memory leaks mentioned in the cited commit, the bridge\ndriver will try to delete a VLAN via the 8021q driver if the VLAN is not\nmarked with the previously mentioned flag.\n\nWhen the VLAN protocol of the bridge changes, switchdev drivers are\nnotified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but\nthe 8021q driver is also called to add the existing VLANs with the new\nprotocol and delete them with the old protocol.\n\nIn case the VLANs were offloaded via switchdev, the above behavior is\nboth redundant and buggy. Redundant because the VLANs are already\nprogrammed in hardware and drivers that support VLAN protocol change\n(currently only mlx5) change the protocol upon the switchdev attribute\nnotification. Buggy because the 8021q driver is called despite these\nVLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to\nmemory leaks [1] when the VLANs are deleted.\n\nFix by not calling the 8021q driver for VLANs that were already\nprogrammed via switchdev.\n\n[1]\nunreferenced object 0xffff8881f6771200 (size 256):\n  comm \"ip\", pid 446855, jiffies 4298238841 (age 55.240s)\n  hex dump (first 32 bytes):\n    00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000012819ac>] vlan_vid_add+0x437/0x750\n    [<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920\n    [<000000000632b56f>] br_changelink+0x3d6/0x13f0\n    [<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0\n    [<00000000f6276baf>] rtnl_newlink+0x5f/0x90\n    [<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00\n    [<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340\n    [<0000000010588814>] netlink_unicast+0x438/0x710\n    [<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40\n    [<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0\n    [<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0\n    [<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0\n    [<00000000684f7e25>] __sys_sendmsg+0xab/0x130\n    [<000000004538b104>] do_syscall_64+0x3d/0x90\n    [<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix error handling in ena_init()\n\nThe ena_init() won't destroy workqueue created by\ncreate_singlethread_workqueue() when pci_register_driver() failed.\nCall destroy_workqueue() when pci_register_driver() failed to prevent the\nresource leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: close race conditions on sk_receive_queue\n\nsk->sk_receive_queue is protected by skb queue lock, but for KCM\nsockets its RX path takes mux->rx_lock to protect more than just\nskb queue. However, kcm_recvmsg() still only grabs the skb queue\nlock, so race conditions still exist.\n\nWe can teach kcm_recvmsg() to grab mux->rx_lock too but this would\nintroduce a potential performance regression as struct kcm_mux can\nbe shared by multiple KCM sockets.\n\nSo we have to enforce skb queue lock in requeue_rx_msgs() and handle\nskb peek case carefully in kcm_wait_data(). Fortunately,\nskb_recv_datagram() already handles it nicely and is widely used by\nother sockets, we can just switch to skb_recv_datagram() after\ngetting rid of the unnecessary sock lock in kcm_recvmsg() and\nkcm_splice_read(). Side note: SOCK_DONE is not used by KCM sockets,\nso it is safe to get rid of this check too.\n\nI ran the original syzbot reproducer for 30 min without seeing any\nissue.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix missing xas_retry() in fscache mode\n\nThe xarray iteration only holds the RCU read lock and thus may encounter\nXA_RETRY_ENTRY if there's process modifying the xarray concurrently.\nThis will cause oops when referring to the invalid entry.\n\nFix this by adding the missing xas_retry(), which will make the\niteration wind back to the root node if XA_RETRY_ENTRY is encountered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mhi: Fix memory leak in mhi_net_dellink()\n\nMHI driver registers network device without setting the\nneeds_free_netdev flag, and does NOT call free_netdev() when\nunregisters network device, which causes a memory leak.\n\nThis patch calls free_netdev() to fix it since netdev_priv\nis used after unregister.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix misuse of put_device() in mISDN_register_device()\n\nWe should not release reference by put_device() before calling device_initialize().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.10"
        },
        {
          "id": "CVE-2022-49819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: fix potential memory leak in octep_device_setup()\n\nWhen occur unsupported_dev and mbox init errors, it did not free oct->conf\nand iounmap() oct->mmio[i].hw_addr. That would trigger memory leak problem.\nAdd kfree() for oct->conf and iounmap() for oct->mmio[i].hw_addr under\nunsupported_dev and mbox init errors to fix the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp i2c: don't count unused / invalid keys for flow release\n\nWe're currently hitting the WARN_ON in mctp_i2c_flow_release:\n\n    if (midev->release_count > midev->i2c_lock_count) {\n        WARN_ONCE(1, \"release count overflow\");\n\nThis may be hit if we expire a flow before sending the first packet it\ncontains - as we will not be pairing the increment of release_count\n(performed on flow release) with the i2c lock operation (only\nperformed on actual TX).\n\nTo fix this, only release a flow if we've encountered it previously (ie,\ndev_flow_state does not indicate NEW), as we will mark the flow as\nACTIVE at the same time as accounting for the i2c lock operation. We\nalso need to add an INVALID flow state, to indicate when we've done the\nrelease.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix possible memory leak in mISDN_dsp_element_register()\n\nAfer commit 1fa5ae857bb1 (\"driver core: get rid of struct device's\nbus_id string array\"), the name of device is allocated dynamically,\nuse put_device() to give up the reference, so that the name can be\nfreed in kobject_cleanup() when the refcount is 0.\n\nThe 'entry' is going to be freed in mISDN_dsp_dev_release(), so the\nkfree() is removed. list_del() is called in mISDN_dsp_dev_release(),\nso it need be initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix connections leak when tlink setup failed\n\nIf the tlink setup failed, lost to put the connections, then\nthe module refcnt leak since the cifsd kthread not exit.\n\nAlso leak the fscache info, and for next mount with fsc, it will\nprint the follow errors:\n  CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)\n\nLet's check the result of tlink setup, and do some cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tdev_add()\n\nIn ata_tdev_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #36\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x3a0\nlr : device_del+0x44/0x3a0\nCall trace:\n device_del+0x48/0x3a0\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tdev_delete+0x24/0x50 [libata]\n ata_tlink_delete+0x40/0xa0 [libata]\n ata_tport_delete+0x2c/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tdev_add(). In the error path, device_del() is called to delete\nthe device which was added earlier in this function, and ata_tdev_free()\nis called to free ata_dev.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tlink_add()\n\nIn ata_tlink_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 33 PID: 13850 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #12\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x39c\nlr : device_del+0x44/0x39c\nCall trace:\n device_del+0x48/0x39c\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tlink_delete+0x88/0xb0 [libata]\n ata_tport_delete+0x2c/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tlink_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tport_add()\n\nIn ata_tport_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #8\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x39c\nlr : device_del+0x44/0x39c\nCall trace:\n device_del+0x48/0x39c\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tport_delete+0x34/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tport_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix double ata_host_put() in ata_tport_add()\n\nIn the error path in ata_tport_add(), when calling put_device(),\nata_tport_release() is called, it will put the refcount of 'ap->host'.\n\nAnd then ata_host_put() is called again, the refcount is decreased\nto 0, ata_host_release() is called, all ports are freed and set to\nnull.\n\nWhen unbinding the device after failure, ata_host_stop() is called\nto release the resources, it leads a null-ptr-deref(), because all\nthe ports all freed and null.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nCPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G            E      6.1.0-rc3+ #8\npstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : ata_host_stop+0x3c/0x84 [libata]\nlr : release_nodes+0x64/0xd0\nCall trace:\n ata_host_stop+0x3c/0x84 [libata]\n release_nodes+0x64/0xd0\n devres_release_all+0xbc/0x1b0\n device_unbind_cleanup+0x20/0x70\n really_probe+0x158/0x320\n __driver_probe_device+0x84/0x120\n driver_probe_device+0x44/0x120\n __driver_attach+0xb4/0x220\n bus_for_each_dev+0x78/0xdc\n driver_attach+0x2c/0x40\n bus_add_driver+0x184/0x240\n driver_register+0x80/0x13c\n __pci_register_driver+0x4c/0x60\n ahci_pci_driver_init+0x30/0x1000 [ahci]\n\nFix this by removing redundant ata_host_put() in the error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix potential null-ptr-deref in drm_vblank_destroy_worker()\n\ndrm_vblank_init() call drmm_add_action_or_reset() with\ndrm_vblank_init_release() as action. If __drmm_add_action() failed, will\ndirectly call drm_vblank_init_release() with the vblank whose worker is\nNULL. As the resule, a null-ptr-deref will happen in\nkthread_destroy_worker(). Add the NULL check before calling\ndrm_vblank_destroy_worker().\n\nBUG: null-ptr-deref\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 5 PID: 961 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf-dirty\nRIP: 0010:kthread_destroy_worker+0x25/0xb0\n  Call Trace:\n    <TASK>\n    drm_vblank_init_release+0x124/0x220 [drm]\n    ? drm_crtc_vblank_restore+0x8b0/0x8b0 [drm]\n    __drmm_add_action_or_reset+0x41/0x50 [drm]\n    drm_vblank_init+0x282/0x310 [drm]\n    vkms_init+0x35f/0x1000 [vkms]\n    ? 0xffffffffc4508000\n    ? lock_is_held_type+0xd7/0x130\n    ? __kmem_cache_alloc_node+0x1c2/0x2b0\n    ? lock_is_held_type+0xd7/0x130\n    ? 0xffffffffc4508000\n    do_one_initcall+0xd0/0x4f0\n    ...\n    do_syscall_64+0x35/0x80\n    entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: don't delete error page from pagecache\n\nThis change is very similar to the change that was made for shmem [1], and\nit solves the same problem but for HugeTLBFS instead.\n\nCurrently, when poison is found in a HugeTLB page, the page is removed\nfrom the page cache.  That means that attempting to map or read that\nhugepage in the future will result in a new hugepage being allocated\ninstead of notifying the user that the page was poisoned.  As [1] states,\nthis is effectively memory corruption.\n\nThe fix is to leave the page in the page cache.  If the user attempts to\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\nEIO, the same error code that shmem uses.  For attempts to map the page,\nthe thread will get a BUS_MCEERR_AR SIGBUS.\n\n[1]: commit a76054266661 (\"mm: shmem: don't truncate page if memory failure happens\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/scheduler: fix fence ref counting\n\nWe leaked dependency fences when processes were beeing killed.\n\nAdditional to that grab a reference to the last scheduled fence.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/drv: Fix potential memory leak in drm_dev_init()\n\ndrm_dev_init() will add drm_dev_init_release() as a callback. When\ndrmm_add_action() failed, the release function won't be added. As the\nresult, the ref cnt added by device_get() in drm_dev_init() won't be put\nby drm_dev_init_release(), which leads to the memleak. Use\ndrmm_add_action_or_reset() instead of drmm_add_action() to prevent\nmemleak.\n\nunreferenced object 0xffff88810bc0c800 (size 2048):\n  comm \"modprobe\", pid 8322, jiffies 4305809845 (age 15.292s)\n  hex dump (first 32 bytes):\n    e8 cc c0 0b 81 88 ff ff ff ff ff ff 00 00 00 00  ................\n    20 24 3c 0c 81 88 ff ff 18 c8 c0 0b 81 88 ff ff   $<.............\n  backtrace:\n    [<000000007251f72d>] __kmalloc+0x4b/0x1c0\n    [<0000000045f21f26>] platform_device_alloc+0x2d/0xe0\n    [<000000004452a479>] platform_device_register_full+0x24/0x1c0\n    [<0000000089f4ea61>] 0xffffffffa0736051\n    [<00000000235b2441>] do_one_initcall+0x7a/0x380\n    [<0000000001a4a177>] do_init_module+0x5c/0x230\n    [<000000002bf8a8e2>] load_module+0x227d/0x2420\n    [<00000000637d6d0a>] __do_sys_finit_module+0xd5/0x140\n    [<00000000c99fc324>] do_syscall_64+0x3f/0x90\n    [<000000004d85aa77>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: initialize device's zone info for seeding\n\nWhen performing seeding on a zoned filesystem it is necessary to\ninitialize each zoned device's btrfs_zoned_device_info structure,\notherwise mounting the filesystem will cause a NULL pointer dereference.\n\nThis was uncovered by fstests' testcase btrfs/163.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map\n\nHere is the BUG report by KASAN about null pointer dereference:\n\nBUG: KASAN: null-ptr-deref in strcmp+0x2e/0x50\nRead of size 1 at addr 0000000000000000 by task python3/2640\nCall Trace:\n strcmp\n __of_find_property\n of_find_property\n pinctrl_dt_to_map\n\nkasprintf() would return NULL pointer when kmalloc() fail to allocate.\nSo directly return ENOMEM, if kasprintf() return NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: clone zoned device info when cloning a device\n\nWhen cloning a btrfs_device, we're not cloning the associated\nbtrfs_zoned_device_info structure of the device in case of a zoned\nfilesystem.\n\nLater on this leads to a NULL pointer dereference when accessing the\ndevice's zone_info for instance when setting a zone as active.\n\nThis was uncovered by fstests' testcase btrfs/161.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of ns_writer on remount\n\nIf a nilfs2 filesystem is downgraded to read-only due to metadata\ncorruption on disk and is remounted read/write, or if emergency read-only\nremount is performed, detaching a log writer and synchronizing the\nfilesystem can be done at the same time.\n\nIn these cases, use-after-free of the log writer (hereinafter\nnilfs->ns_writer) can happen as shown in the scenario below:\n\n Task1                               Task2\n --------------------------------    ------------------------------\n nilfs_construct_segment\n   nilfs_segctor_sync\n     init_wait\n     init_waitqueue_entry\n     add_wait_queue\n     schedule\n                                     nilfs_remount (R/W remount case)\n\t\t\t\t       nilfs_attach_log_writer\n                                         nilfs_detach_log_writer\n                                           nilfs_segctor_destroy\n                                             kfree\n     finish_wait\n       _raw_spin_lock_irqsave\n         __raw_spin_lock_irqsave\n           do_raw_spin_lock\n             debug_spin_lock_before  <-- use-after-free\n\nWhile Task1 is sleeping, nilfs->ns_writer is freed by Task2.  After Task1\nwaked up, Task1 accesses nilfs->ns_writer which is already freed.  This\nscenario diagram is based on the Shigeru Yoshida's post [1].\n\nThis patch fixes the issue by not detaching nilfs->ns_writer on remount so\nthat this UAF race doesn't happen.  Along with this change, this patch\nalso inserts a few necessary read-only checks with superblock instance\nwhere only the ns_writer pointer was used to check if the filesystem is\nread-only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: fix potential memleak in 'add_widget_node'\n\nAs 'kobject_add' may allocated memory for 'kobject->name' when return error.\nAnd in this function, if call 'kobject_add' failed didn't free kobject.\nSo call 'kobject_put' to recycling resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsiox: fix possible memory leak in siox_device_add()\n\nIf device_register() returns error in siox_device_add(),\nthe name allocated by dev_set_name() need be freed. As\ncomment of device_register() says, it should use put_device()\nto give up the reference in the error path. So fix this\nby calling put_device(), then the name can be freed in\nkobject_cleanup(), and sdevice is freed in siox_device_release(),\nset it to null in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memory leaks in __check_func_call\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff88817139d000 (size 2048):\n  comm \"test_progs\", pid 33246, jiffies 4307381979 (age 45851.820s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000045f075f0>] kmalloc_trace+0x27/0xa0\n    [<0000000098b7c90a>] __check_func_call+0x316/0x1230\n    [<00000000b4c3c403>] check_helper_call+0x172e/0x4700\n    [<00000000aa3875b7>] do_check+0x21d8/0x45e0\n    [<000000001147357b>] do_check_common+0x767/0xaf0\n    [<00000000b5a595b4>] bpf_check+0x43e3/0x5bc0\n    [<0000000011e391b1>] bpf_prog_load+0xf26/0x1940\n    [<0000000007f765c0>] __sys_bpf+0xd2c/0x3650\n    [<00000000839815d6>] __x64_sys_bpf+0x75/0xc0\n    [<00000000946ee250>] do_syscall_64+0x3b/0x90\n    [<0000000000506b7f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root case here is: In function prepare_func_exit(), the callee is\nnot released in the abnormal scenario after \"state->curframe--;\". To\nfix, move \"state->curframe--;\" to the very bottom of the function,\nright when we free callee and reset frame[] pointer to NULL, as Andrii\nsuggested.\n\nIn addition, function __check_func_call() has a similar problem. In\nthe abnormal scenario before \"state->curframe++;\", the callee also\nshould be released by free_func_state().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: clear out_curr if all frag chunks of current msg are pruned\n\nA crash was reported by Zhen Chen:\n\n  list_del corruption, ffffa035ddf01c18->next is NULL\n  WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0\n  RIP: 0010:__list_del_entry_valid+0x59/0xe0\n  Call Trace:\n   sctp_sched_dequeue_common+0x17/0x70 [sctp]\n   sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]\n   sctp_outq_flush_data+0x85/0x360 [sctp]\n   sctp_outq_uncork+0x77/0xa0 [sctp]\n   sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]\n   sctp_side_effects+0x37/0xe0 [sctp]\n   sctp_do_sm+0xd0/0x230 [sctp]\n   sctp_primitive_SEND+0x2f/0x40 [sctp]\n   sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]\n   sctp_sendmsg+0x3d5/0x440 [sctp]\n   sock_sendmsg+0x5b/0x70\n\nand in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream\nout_curr outq while this outq was empty.\n\nNormally stream->out_curr must be set to NULL once all frag chunks of\ncurrent msg are dequeued, as we can see in sctp_sched_dequeue_done().\nHowever, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,\nsctp_sched_dequeue_done() is not called to do this.\n\nThis patch is to fix it by simply setting out_curr to NULL when the\nlast frag chunk of current msg is dequeued from out_curr stream in\nsctp_prsctp_prune_unsent().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_transport_sas: Fix error handling in sas_phy_add()\n\nIf transport_add_device() fails in sas_phy_add(), the kernel will crash\ntrying to delete the device in transport_remove_device() called from\nsas_remove_host().\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000108\nCPU: 61 PID: 42829 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc1+ #173\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x54/0x3d0\nlr : device_del+0x37c/0x3d0\nCall trace:\n device_del+0x54/0x3d0\n attribute_container_class_device_del+0x28/0x38\n transport_remove_classdev+0x6c/0x80\n attribute_container_device_trigger+0x108/0x110\n transport_remove_device+0x28/0x38\n sas_phy_delete+0x30/0x60 [scsi_transport_sas]\n do_sas_phy_delete+0x6c/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x40/0x50 [scsi_transport_sas]\n sas_remove_host+0x20/0x38 [scsi_transport_sas]\n hisi_sas_remove+0x40/0x68 [hisi_sas_main]\n hisi_sas_v2_remove+0x20/0x30 [hisi_sas_v2_hw]\n platform_remove+0x2c/0x60\n\nFix this by checking and handling return value of transport_add_device()\nin sas_phy_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()\n\nWe got a syzkaller problem because of aarch64 alignment fault\nif KFENCE enabled. When the size from user bpf program is an odd\nnumber, like 399, 407, etc, it will cause the struct skb_shared_info's\nunaligned access. As seen below:\n\n  BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n\n  Use-after-free read at 0xffff6254fffac077 (in kfence-#213):\n   __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]\n   arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]\n   arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]\n   atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]\n   __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n   skb_clone+0xf4/0x214 net/core/skbuff.c:1481\n   ____bpf_clone_redirect net/core/filter.c:2433 [inline]\n   bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420\n   bpf_prog_d3839dd9068ceb51+0x80/0x330\n   bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]\n   bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53\n   bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594\n   bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n   __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n   __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n\n  kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512\n\n  allocated by task 15074 on cpu 0 at 1342.585390s:\n   kmalloc include/linux/slab.h:568 [inline]\n   kzalloc include/linux/slab.h:675 [inline]\n   bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191\n   bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512\n   bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n   __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n   __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n   __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381\n\nTo fix the problem, we adjust @size so that (@size + @headroom) is a\nmultiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info\nis aligned to a cache line.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Add missing .thaw_noirq hook\n\nThe following warning is seen with non-console UART instance when\nsystem hibernates.\n\n[   37.371969] ------------[ cut here ]------------\n[   37.376599] uart3_root_clk already disabled\n[   37.380810] WARNING: CPU: 0 PID: 296 at drivers/clk/clk.c:952 clk_core_disable+0xa4/0xb0\n...\n[   37.506986] Call trace:\n[   37.509432]  clk_core_disable+0xa4/0xb0\n[   37.513270]  clk_disable+0x34/0x50\n[   37.516672]  imx_uart_thaw+0x38/0x5c\n[   37.520250]  platform_pm_thaw+0x30/0x6c\n[   37.524089]  dpm_run_callback.constprop.0+0x3c/0xd4\n[   37.528972]  device_resume+0x7c/0x160\n[   37.532633]  dpm_resume+0xe8/0x230\n[   37.536036]  hibernation_snapshot+0x288/0x430\n[   37.540397]  hibernate+0x10c/0x2e0\n[   37.543798]  state_store+0xc4/0xd0\n[   37.547203]  kobj_attr_store+0x1c/0x30\n[   37.550953]  sysfs_kf_write+0x48/0x60\n[   37.554619]  kernfs_fop_write_iter+0x118/0x1ac\n[   37.559063]  new_sync_write+0xe8/0x184\n[   37.562812]  vfs_write+0x230/0x290\n[   37.566214]  ksys_write+0x68/0xf4\n[   37.569529]  __arm64_sys_write+0x20/0x2c\n[   37.573452]  invoke_syscall.constprop.0+0x50/0xf0\n[   37.578156]  do_el0_svc+0x11c/0x150\n[   37.581648]  el0_svc+0x30/0x140\n[   37.584792]  el0t_64_sync_handler+0xe8/0xf0\n[   37.588976]  el0t_64_sync+0x1a0/0x1a4\n[   37.592639] ---[ end trace 56e22eec54676d75 ]---\n\nOn hibernating, pm core calls into related hooks in sequence like:\n\n    .freeze\n    .freeze_noirq\n    .thaw_noirq\n    .thaw\n\nWith .thaw_noirq hook being absent, the clock will be disabled in an\nunbalanced call which results in the warning above.\n\n    imx_uart_freeze()\n        clk_prepare_enable()\n    imx_uart_suspend_noirq()\n        clk_disable()\n    imx_uart_thaw\n        clk_disable_unprepare()\n\nAdding the missing .thaw_noirq hook as imx_uart_resume_noirq() will have\nthe call sequence corrected as below and thus fix the warning.\n\n    imx_uart_freeze()\n        clk_prepare_enable()\n    imx_uart_suspend_noirq()\n        clk_disable()\n    imx_uart_resume_noirq()\n        clk_enable()\n    imx_uart_thaw\n        clk_disable_unprepare()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Fix use-after-free in snd_soc_exit()\n\nKASAN reports a use-after-free:\n\nBUG: KASAN: use-after-free in device_del+0xb5b/0xc60\nRead of size 8 at addr ffff888008655050 by task rmmod/387\nCPU: 2 PID: 387 Comm: rmmod\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n<TASK>\ndump_stack_lvl+0x79/0x9a\nprint_report+0x17f/0x47b\nkasan_report+0xbb/0xf0\ndevice_del+0xb5b/0xc60\nplatform_device_del.part.0+0x24/0x200\nplatform_device_unregister+0x2e/0x40\nsnd_soc_exit+0xa/0x22 [snd_soc_core]\n__do_sys_delete_module.constprop.0+0x34f/0x5b0\ndo_syscall_64+0x3a/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n...\n</TASK>\n\nIt's because in snd_soc_init(), snd_soc_util_init() is possible to fail,\nbut its ret is ignored, which makes soc_dummy_dev unregistered twice.\n\nsnd_soc_init()\n    snd_soc_util_init()\n        platform_device_register_simple(soc_dummy_dev)\n        platform_driver_register() # fail\n    \tplatform_device_unregister(soc_dummy_dev)\n    platform_driver_register() # success\n...\nsnd_soc_exit()\n    snd_soc_util_exit()\n    # soc_dummy_dev will be unregistered for second time\n\nTo fix it, handle error and stop snd_soc_init() when util_init() fails.\nAlso clean debugfs when util_init() or driver_register() fail.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: fix skb drop check\n\nIn commit a6d190f8c767 (\"can: skb: drop tx skb if in listen only\nmode\") the priv->ctrlmode element is read even on virtual CAN\ninterfaces that do not create the struct can_priv at startup. This\nout-of-bounds read may lead to CAN frame drops for virtual CAN\ninterfaces like vcan and vxcan.\n\nThis patch mainly reverts the original commit and adds a new helper\nfor CAN interface drivers that provide the required information in\nstruct can_priv.\n\n[mkl: patch pch_can, too]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_send_one(): fix missing CAN header initialization\n\nThe read access to struct canxl_frame::len inside of a j1939 created\nskbuff revealed a missing initialization of reserved and later filled\nelements in struct can_frame.\n\nThis patch initializes the 8 byte CAN header with zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix a slab-out-of-bounds write bug in udf_find_entry()\n\nSyzbot reported a slab-out-of-bounds Write bug:\n\nloop0: detected capacity change from 0 to 2048\n==================================================================\nBUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0\nfs/udf/namei.c:253\nWrite of size 105 at addr ffff8880123ff896 by task syz-executor323/3610\n\nCPU: 0 PID: 3610 Comm: syz-executor323 Not tainted\n6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/11/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189\n memcpy+0x3c/0x60 mm/kasan/shadow.c:66\n udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ffab0d164d9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9\nRDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180\nRBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nAllocated by task 3610:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:576 [inline]\n udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe buggy address belongs to the object at ffff8880123ff800\n which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 150 bytes inside of\n 256-byte region [ffff8880123ff800, ffff8880123ff900)\n\nThe buggy address belongs to the physical page:\npage:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000\nindex:0x0 pfn:0x123fe\nhead:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),\npid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0\n create_dummy_stack mm/page_owner.c:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: Fix segmentation fault at module unload\n\nMove am65_cpsw_nuss_phylink_cleanup() call to after\nam65_cpsw_nuss_cleanup_ndev() so phylink is still valid\nto prevent the below Segmentation fault on module remove when\nfirst slave link is up.\n\n[   31.652944] Unable to handle kernel paging request at virtual address 00040008000005f4\n[   31.684627] Mem abort info:\n[   31.687446]   ESR = 0x0000000096000004\n[   31.704614]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   31.720663]   SET = 0, FnV = 0\n[   31.723729]   EA = 0, S1PTW = 0\n[   31.740617]   FSC = 0x04: level 0 translation fault\n[   31.756624] Data abort info:\n[   31.759508]   ISV = 0, ISS = 0x00000004\n[   31.776705]   CM = 0, WnR = 0\n[   31.779695] [00040008000005f4] address between user and kernel address ranges\n[   31.808644] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[   31.814928] Modules linked in: wlcore_sdio wl18xx wlcore mac80211 libarc4 cfg80211 rfkill crct10dif_ce phy_gmii_sel ti_am65_cpsw_nuss(-) sch_fq_codel ipv6\n[   31.828776] CPU: 0 PID: 1026 Comm: modprobe Not tainted 6.1.0-rc2-00012-gfabfcf7dafdb-dirty #160\n[   31.837547] Hardware name: Texas Instruments AM625 (DT)\n[   31.842760] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   31.849709] pc : phy_stop+0x18/0xf8\n[   31.853202] lr : phylink_stop+0x38/0xf8\n[   31.857031] sp : ffff80000a0839f0\n[   31.860335] x29: ffff80000a0839f0 x28: ffff000000de1c80 x27: 0000000000000000\n[   31.867462] x26: 0000000000000000 x25: 0000000000000000 x24: ffff80000a083b98\n[   31.874589] x23: 0000000000000800 x22: 0000000000000001 x21: ffff000001bfba90\n[   31.881715] x20: ffff0000015ee000 x19: 0004000800000200 x18: 0000000000000000\n[   31.888842] x17: ffff800076c45000 x16: ffff800008004000 x15: 000058e39660b106\n[   31.895969] x14: 0000000000000144 x13: 0000000000000144 x12: 0000000000000000\n[   31.903095] x11: 000000000000275f x10: 00000000000009e0 x9 : ffff80000a0837d0\n[   31.910222] x8 : ffff000000de26c0 x7 : ffff00007fbd6540 x6 : ffff00007fbd64c0\n[   31.917349] x5 : ffff00007fbd0b10 x4 : ffff00007fbd0b10 x3 : ffff00007fbd3920\n[   31.924476] x2 : d0a07fcff8b8d500 x1 : 0000000000000000 x0 : 0004000800000200\n[   31.931603] Call trace:\n[   31.934042]  phy_stop+0x18/0xf8\n[   31.937177]  phylink_stop+0x38/0xf8\n[   31.940657]  am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss]\n[   31.947452]  __dev_close_many+0xa4/0x140\n[   31.951371]  dev_close_many+0x84/0x128\n[   31.955115]  unregister_netdevice_many+0x130/0x6d0\n[   31.959897]  unregister_netdevice_queue+0x94/0xd8\n[   31.964591]  unregister_netdev+0x24/0x38\n[   31.968504]  am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss]\n[   31.975637]  am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp-combo: fix NULL-deref on runtime resume\n\nCommit fc64623637da (\"phy: qcom-qmp-combo,usb: add support for separate\nPCS_USB region\") started treating the PCS_USB registers as potentially\nseparate from the PCS registers but used the wrong base when no PCS_USB\noffset has been provided.\n\nFix the PCS_USB base used at runtime resume to prevent dereferencing a\nNULL pointer on platforms that do not provide a PCS_USB offset (e.g.\nSC7180).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix match incorrectly in dev_args_match_device\n\nsyzkaller found a failed assertion:\n\n  assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921\n\nThis can be triggered when we set devid to (u64)-1 by ioctl. In this\ncase, the match of devid will be skipped and the match of device may\nsucceed incorrectly.\n\nPatch 562d7b1512f7 introduced this function which is used to match device.\nThis function contains two matching scenarios, we can distinguish them by\nchecking the value of args->missing rather than check whether args->devid\nand args->uuid is default value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix deadlock in nilfs_count_free_blocks()\n\nA semaphore deadlock can occur if nilfs_get_block() detects metadata\ncorruption while locating data blocks and a superblock writeback occurs at\nthe same time:\n\ntask 1                               task 2\n------                               ------\n* A file operation *\nnilfs_truncate()\n  nilfs_get_block()\n    down_read(rwsem A) <--\n    nilfs_bmap_lookup_contig()\n      ...                            generic_shutdown_super()\n                                       nilfs_put_super()\n                                         * Prepare to write superblock *\n                                         down_write(rwsem B) <--\n                                         nilfs_cleanup_super()\n      * Detect b-tree corruption *         nilfs_set_log_cursor()\n      nilfs_bmap_convert_error()             nilfs_count_free_blocks()\n        __nilfs_error()                        down_read(rwsem A) <--\n          nilfs_set_error()\n            down_write(rwsem B) <--\n\n                           *** DEADLOCK ***\n\nHere, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem)\nand then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata\ncorruption, __nilfs_error() is called from nilfs_bmap_convert_error()\ninside the lock section.\n\nSince __nilfs_error() calls nilfs_set_error() unless the filesystem is\nread-only and nilfs_set_error() attempts to writelock rwsem B (=\nnilfs->ns_sem) to write back superblock exclusively, hierarchical lock\nacquisition occurs in the order rwsem A -> rwsem B.\n\nNow, if another task starts updating the superblock, it may writelock\nrwsem B during the lock sequence above, and can deadlock trying to\nreadlock rwsem A in nilfs_count_free_blocks().\n\nHowever, there is actually no need to take rwsem A in\nnilfs_count_free_blocks() because it, within the lock section, only reads\na single integer data on a shared struct with\nnilfs_sufile_get_ncleansegs().  This has been the case after commit\naa474a220180 (\"nilfs2: add local variable to cache the number of clean\nsegments\"), that is, even before this bug was introduced.\n\nSo, this resolves the deadlock problem by just not taking the semaphore in\nnilfs_count_free_blocks().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix reserved memory setup\n\nCurrently, RISC-V sets up reserved memory using the \"early\" copy of the\ndevice tree. As a result, when trying to get a reserved memory region\nusing of_reserved_mem_lookup(), the pointer to reserved memory regions\nis using the early, pre-virtual-memory address which causes a kernel\npanic when trying to use the buffer's name:\n\n Unable to handle kernel paging request at virtual address 00000000401c31ac\n Oops [#1]\n Modules linked in:\n CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1\n Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)\n epc : string+0x4a/0xea\n  ra : vsnprintf+0x1e4/0x336\n epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0\n  gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000\n  t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20\n  s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000\n  a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff\n  a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff\n  s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008\n  s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00\n  s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002\n  s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617\n  t5 : ffffffff812f3618 t6 : ffffffff81203d08\n status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d\n [<ffffffff80338936>] vsnprintf+0x1e4/0x336\n [<ffffffff80055ae2>] vprintk_store+0xf6/0x344\n [<ffffffff80055d86>] vprintk_emit+0x56/0x192\n [<ffffffff80055ed8>] vprintk_default+0x16/0x1e\n [<ffffffff800563d2>] vprintk+0x72/0x80\n [<ffffffff806813b2>] _printk+0x36/0x50\n [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24\n [<ffffffff808057ec>] paging_init+0x528/0x5bc\n [<ffffffff808031ae>] setup_arch+0xd0/0x592\n [<ffffffff8080070e>] start_kernel+0x82/0x73c\n\nearly_init_fdt_scan_reserved_mem() takes no arguments as it operates on\ninitial_boot_params, which is populated by early_init_dt_verify(). On\nRISC-V, early_init_dt_verify() is called twice. Once, directly, in\nsetup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,\nvery early in the boot process, by parse_dtb() when it calls\nearly_init_dt_scan_nodes().\n\nThis first call uses dtb_early_va to set initial_boot_params, which is\nnot usable later in the boot process when\nearly_init_fdt_scan_reserved_mem() is called. On arm64 for example, the\ncorresponding call to early_init_dt_scan_nodes() uses fixmap addresses\nand doesn't suffer the same fate.\n\nMove early_init_fdt_scan_reserved_mem() further along the boot sequence,\nafter the direct call to early_init_dt_verify() in setup_arch() so that\nthe names use the correct virtual memory addresses. The above supposed\nthat CONFIG_BUILTIN_DTB was not set, but should work equally in the case\nwhere it is - unflatted_and_copy_device_tree() also updates\ninitial_boot_params.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: fix kernel info leakage\n\nthread_struct's s[12] may contain random kernel memory content, which\nmay be finally leaked to userspace. This is a security hole. Fix it\nby clearing the s[12] array in thread_struct when fork.\n\nAs for kthread case, it's better to clear the s[12] array as well.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macvlan: fix memory leaks of macvlan_common_newlink\n\nkmemleak reports memory leaks in macvlan_common_newlink, as follows:\n\n ip link add link eth0 name .. type macvlan mode source macaddr add\n <MAC-ADDR>\n\nkmemleak reports:\n\nunreferenced object 0xffff8880109bb140 (size 64):\n  comm \"ip\", pid 284, jiffies 4294986150 (age 430.108s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff  ..........Z.....\n    80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b  ..............kk\n  backtrace:\n    [<ffffffff813e06a7>] kmem_cache_alloc_trace+0x1c7/0x300\n    [<ffffffff81b66025>] macvlan_hash_add_source+0x45/0xc0\n    [<ffffffff81b66a67>] macvlan_changelink_sources+0xd7/0x170\n    [<ffffffff81b6775c>] macvlan_common_newlink+0x38c/0x5a0\n    [<ffffffff81b6797e>] macvlan_newlink+0xe/0x20\n    [<ffffffff81d97f8f>] __rtnl_newlink+0x7af/0xa50\n    [<ffffffff81d98278>] rtnl_newlink+0x48/0x70\n    ...\n\nIn the scenario where the macvlan mode is configured as 'source',\nmacvlan_changelink_sources() will be executed to reconfigure list of\nremote source mac addresses, at the same time, if register_netdevice()\nreturns an error, the resource generated by macvlan_changelink_sources()\nis not cleaned up.\n\nUsing this patch, in the case of an error, it will execute\nmacvlan_flush_sources() to ensure that the resource is cleaned up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: Fix an error handling path in mctp_init()\n\nIf mctp_neigh_init() returns an error, the routes resources should\nbe released in the error handling path. Otherwise some resources\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg\n\nipc_pcie_read_bios_cfg() is using the acpi_evaluate_dsm() to\nobtain the wwan power state configuration from BIOS but is\nnot freeing the acpi_object. The acpi_evaluate_dsm() returned\nacpi_object to be freed.\n\nFree the acpi_object after use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix memory leak in prestera_rxtx_switch_init()\n\nWhen prestera_sdma_switch_init() failed, the memory pointed to by\nsw->rxtx isn't released. Fix it. Only be compiled, not be tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix SQE threshold checking\n\nCurrent way of checking available SQE count which is based on\nHW updated SQB count could result in driver submitting an SQE\neven before CQE for the previously transmitted SQE at the same\nindex is processed in NAPI resulting losing SKB pointers,\nhence a leak. Fix this by checking a consumer index which\nis updated once CQE is processed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: fix issue of invalid opcode in lapbeth_open()\n\nIf lapb_register() failed when lapb device goes to up for the first time,\nthe NAPI is not disabled. As a result, the invalid opcode issue is\nreported when the lapb device goes to up for the second time.\n\nThe stack info is as follows:\n[ 1958.311422][T11356] kernel BUG at net/core/dev.c:6442!\n[ 1958.312206][T11356] invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n[ 1958.315979][T11356] RIP: 0010:napi_enable+0x16a/0x1f0\n[ 1958.332310][T11356] Call Trace:\n[ 1958.332817][T11356]  <TASK>\n[ 1958.336135][T11356]  lapbeth_open+0x18/0x90\n[ 1958.337446][T11356]  __dev_open+0x258/0x490\n[ 1958.341672][T11356]  __dev_change_flags+0x4d4/0x6a0\n[ 1958.345325][T11356]  dev_change_flags+0x93/0x160\n[ 1958.346027][T11356]  devinet_ioctl+0x1276/0x1bf0\n[ 1958.346738][T11356]  inet_ioctl+0x1c8/0x2d0\n[ 1958.349638][T11356]  sock_ioctl+0x5d1/0x750\n[ 1958.356059][T11356]  __x64_sys_ioctl+0x3ec/0x1790\n[ 1958.365594][T11356]  do_syscall_64+0x35/0x80\n[ 1958.366239][T11356]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 1958.377381][T11356]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-glue: fix memory leak when register device fail\n\nIf device_register() fails, it should call put_device() to give\nup reference, the name allocated in dev_set_name() can be freed\nin callback function kobject_cleanup().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()\n\nA clk_prepare_enable() call in the probe is not balanced by a corresponding\nclk_disable_unprepare() in the remove function.\n\nAdd the missing call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header\n\nThis is a follow-up for commit 974cb0e3e7c9 (\"tipc: fix uninit-value\nin tipc_nl_compat_name_table_dump\") where it should have type casted\nsizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative\nvalue.\n\nsyzbot reported a call trace because of it:\n\n  BUG: KMSAN: uninit-value in ...\n   tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934\n   __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238\n   tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321\n   tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]\n   genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792\n   netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501\n   genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803\n   netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n   netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n   netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   sock_sendmsg net/socket.c:734 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: af_can: fix NULL pointer dereference in can_rx_register()\n\nIt causes NULL pointer dereference when testing as following:\n(a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.\n(b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan\n    link device, and bind vxcan device to bond device (can also use\n    ifenslave command to bind vxcan device to bond device).\n(c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.\n(d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.\n\nThe bond device invokes the can-raw protocol registration interface to\nreceive CAN packets. However, ml_priv is not allocated to the dev,\ndev_rcv_lists is assigned to NULL in can_rx_register(). In this case,\nit will occur the NULL pointer dereference issue.\n\nThe following is the stack information:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:can_rx_register+0x12d/0x1e0\nCall Trace:\n<TASK>\nraw_enable_filters+0x8d/0x120\nraw_enable_allfilters+0x3b/0x130\nraw_bind+0x118/0x4f0\n__sys_bind+0x163/0x1a0\n__x64_sys_bind+0x1e/0x30\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram()\n\n./drivers/gpu/drm/amd/amdkfd/kfd_migrate.c:985:58-62: ERROR: p is NULL but dereferenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network\n\nWhen copying a `struct ifaddrlblmsg` to the network, __ifal_reserved\nremained uninitialized, resulting in a 1-byte infoleak:\n\n  BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841\n   __netdev_start_xmit ./include/linux/netdevice.h:4841\n   netdev_start_xmit ./include/linux/netdevice.h:4857\n   xmit_one net/core/dev.c:3590\n   dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606\n   __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256\n   dev_queue_xmit ./include/linux/netdevice.h:3009\n   __netlink_deliver_tap_skb net/netlink/af_netlink.c:307\n   __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325\n   netlink_deliver_tap net/netlink/af_netlink.c:338\n   __netlink_sendskb net/netlink/af_netlink.c:1263\n   netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272\n   netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360\n   nlmsg_unicast ./include/net/netlink.h:1061\n   rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758\n   ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628\n   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n  ...\n  Uninit was created at:\n   slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742\n   slab_alloc_node mm/slub.c:3398\n   __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437\n   __do_kmalloc_node mm/slab_common.c:954\n   __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975\n   kmalloc_reserve net/core/skbuff.c:437\n   __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509\n   alloc_skb ./include/linux/skbuff.h:1267\n   nlmsg_new ./include/net/netlink.h:964\n   ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608\n   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n   netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540\n   rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109\n   netlink_unicast_kernel 
net/netlink/af_netlink.c:1319\n   netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345\n   netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921\n  ...\n\nThis patch ensures that the reserved field is always initialized.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: mhi: fix memory leak in mhi_mbim_dellink\n\nMHI driver registers network device without setting the\nneeds_free_netdev flag, and does NOT call free_netdev() when\nunregisters network device, which causes a memory leak.\n\nThis patch sets needs_free_netdev to true when registers\nnetwork device, which makes netdev subsystem call free_netdev()\nautomatically after unregister_netdevice().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix memory leak in ipc_wwan_dellink\n\nIOSM driver registers network device without setting the\nneeds_free_netdev flag, and does NOT call free_netdev() when\nunregisters network device, which causes a memory leak.\n\nThis patch sets needs_free_netdev to true when registers\nnetwork device, which makes netdev subsystem call free_netdev()\nautomatically after unregister_netdevice().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ralink: mt7621-pci: add sentinel to quirks table\n\nWith mt7621 soc_dev_attr fixed to register the soc as a device,\nkernel will experience an oops in soc_device_match_attr\n\nThis quirk test was introduced in the staging driver in\ncommit 9445ccb3714c (\"staging: mt7621-pci-phy: add quirks for 'E2'\nrevision using 'soc_device_attribute'\"). The staging driver was removed,\nand later re-added in commit d87da32372a0 (\"phy: ralink: Add PHY driver\nfor MT7621 PCIe PHY\") for kernel 5.11",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix possible crash in bnxt_hwrm_set_coal()\n\nDuring the error recovery sequence, the rtnl_lock is not held for the\nentire duration and some datastructures may be freed during the sequence.\nCheck for the BNXT_STATE_OPEN flag instead of netif_running() to ensure\nthat the device is fully operational before proceeding to reconfigure\nthe coalescing settings.\n\nThis will fix a possible crash like this:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000000\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-348.el8.x86_64 #1\nHardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019\nRIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]\nCode: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 <48> 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6\nRSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5\nRDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28\nRBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c\nR13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0\nFS:  00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n ethnl_set_coalesce+0x3ce/0x4c0\n genl_family_rcv_msg_doit.isra.15+0x10f/0x150\n genl_family_rcv_msg+0xb3/0x160\n ? coalesce_fill_reply+0x480/0x480\n genl_rcv_msg+0x47/0x90\n ? 
genl_family_rcv_msg+0x160/0x160\n netlink_rcv_skb+0x4c/0x120\n genl_rcv+0x24/0x40\n netlink_unicast+0x196/0x230\n netlink_sendmsg+0x204/0x3d0\n sock_sendmsg+0x4c/0x50\n __sys_sendto+0xee/0x160\n ? syscall_trace_enter+0x1d3/0x2c0\n ? __audit_syscall_exit+0x249/0x2a0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x5b/0x1a0\n entry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f38524163bb",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncapabilities: fix undefined behavior in bit shift for CAP_TO_MASK\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in security/commoncap.c:1252:2\nleft shift of 1 by 31 places cannot be represented in type 'int'\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n cap_task_prctl+0x561/0x6f0\n security_task_prctl+0x5a/0xb0\n __x64_sys_prctl+0x61/0x8f0\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix memory leaks of napi_get_frags\n\nkmemleak reports after running test_progs:\n\nunreferenced object 0xffff8881b1672dc0 (size 232):\n  comm \"test_progs\", pid 394388, jiffies 4354712116 (age 841.975s)\n  hex dump (first 32 bytes):\n    e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff  .........,g.....\n    00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............\n  backtrace:\n    [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150\n    [<0000000041c7fc09>] __napi_build_skb+0x15/0x50\n    [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540\n    [<000000003ecfa30e>] napi_get_frags+0x59/0x140\n    [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]\n    [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]\n    [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320\n    [<000000008f338ea2>] do_iter_write+0x135/0x630\n    [<000000008a3377a4>] vfs_writev+0x12e/0x440\n    [<00000000a6b5639a>] do_writev+0x104/0x280\n    [<00000000ccf065d8>] do_syscall_64+0x3b/0x90\n    [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\ntun_get_user()\n  napi_gro_frags()\n    napi_frags_finish()\n      case GRO_NORMAL:\n        gro_normal_one()\n          list_add_tail(&skb->list, &napi->rx_list);\n          <-- While napi->rx_count < READ_ONCE(gro_normal_batch),\n          <-- gro_normal_list() is not called, napi->rx_list is not empty\n  <-- not ask to complete the gro work, will cause memory leaks in\n  <-- following tun_napi_del()\n...\ntun_napi_del()\n  netif_napi_del()\n    __netif_napi_del()\n    <-- &napi->rx_list is not empty, which caused memory leaks\n\nTo fix, add napi_complete() after napi_gro_frags().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix panic on frag_list with mixed head alloc types\n\nSince commit 3dcbdb134f32 (\"net: gso: Fix skb_segment splat when\nsplitting gso_size mangled skb having linear-headed frag_list\"), it is\nallowed to change gso_size of a GRO packet. However, that commit assumes\nthat \"checking the first list_skb member suffices; i.e if either of the\nlist_skb members have non head_frag head, then the first one has too\".\n\nIt turns out this assumption does not hold. We've seen BUG_ON being hit\nin skb_segment when skbs on the frag_list had differing head_frag with\nthe vmxnet3 driver. This happens because __netdev_alloc_skb and\n__napi_alloc_skb can return a skb that is page backed or kmalloced\ndepending on the requested size. As the result, the last small skb in\nthe GRO packet can be kmalloced.\n\nThere are three different locations where this can be fixed:\n\n(1) We could check head_frag in GRO and not allow GROing skbs with\n    different head_frag. However, that would lead to performance\n    regression on normal forward paths with unmodified gso_size, where\n    !head_frag in the last packet is not a problem.\n\n(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating\n    that NETIF_F_SG is undesirable. That would need to eat a bit in\n    sk_buff. Furthermore, that flag can be unset when all skbs on the\n    frag_list are page backed. To retain good performance,\n    bpf_skb_net_grow/shrink would have to walk the frag_list.\n\n(3) Walk the frag_list in skb_segment when determining whether\n    NETIF_F_SG should be cleared. This of course slows things down.\n\nThis patch implements (3). To limit the performance impact in\nskb_segment, the list is walked only for skbs with SKB_GSO_DODGY set\nthat have gso_size changed. 
Normal paths thus will not hit it.\n\nWe could check only the last skb but since we need to walk the whole\nlist anyway, let's stay on the safe side.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix wrong reg type conversion in release_reference()\n\nSome helper functions will allocate memory. To avoid memory leaks, the\nverifier requires the eBPF program to release these memories by calling\nthe corresponding helper functions.\n\nWhen a resource is released, all pointer registers corresponding to the\nresource should be invalidated. The verifier use release_references() to\ndo this job, by apply  __mark_reg_unknown() to each relevant register.\n\nIt will give these registers the type of SCALAR_VALUE. A register that\nwill contain a pointer value at runtime, but of type SCALAR_VALUE, which\nmay allow the unprivileged user to get a kernel pointer by storing this\nregister into a map.\n\nUsing __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: fix possible memory leak in mousevsc_probe()\n\nIf hid_add_device() returns error, it should call hid_destroy_device()\nto free hid_dev which is allocated in hid_allocate_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE\n\nWhen using bpftool to pin {PROG, MAP, LINK} without FILE,\nsegmentation fault will occur. The reson is that the lack\nof FILE will cause strlen to trigger NULL pointer dereference.\nThe corresponding stacktrace is shown below:\n\ndo_pin\n  do_pin_any\n    do_pin_fd\n      mount_bpffs_for_pin\n        strlen(name) <- NULL pointer dereference\n\nFix it by adding validation to the common process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()\n\nWhen device is running and the interface status is changed, the gpf issue\nis triggered. The problem triggering process is as follows:\nThread A:                           Thread B\nieee80211_runtime_change_iftype()   process_one_work()\n    ...                                 ...\n    ieee80211_do_stop()                 ...\n    ...                                 ...\n        sdata->bss = NULL               ...\n        ...                             ieee80211_subif_start_xmit()\n                                            ieee80211_multicast_to_unicast\n                                    //!sdata->bss->multicast_to_unicast\n                                      cause gpf issue\n\nWhen the interface status is changed, the sending queue continues to send\npackets. After the bss is set to NULL, the bss is accessed. As a result,\nthis causes a general-protection-fault issue.\n\nThe following is the stack information:\ngeneral protection fault, probably for non-canonical address\n0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]\nWorkqueue: mld mld_ifc_work\nRIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310\nCall Trace:\n<TASK>\ndev_hard_start_xmit+0x1be/0x990\n__dev_queue_xmit+0x2c9a/0x3b60\nip6_finish_output2+0xf92/0x1520\nip6_finish_output+0x6af/0x11e0\nip6_output+0x1ed/0x540\nmld_sendpack+0xa09/0xe70\nmld_ifc_work+0x71c/0xdb0\nprocess_one_work+0x9bf/0x1710\nworker_thread+0x665/0x1080\nkthread+0x2e4/0x3a0\nret_from_fork+0x1f/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues\n\nWhen running `test_sockmap` selftests, the following warning appears:\n\n  WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0\n  Call Trace:\n  <TASK>\n  inet_csk_destroy_sock+0x55/0x110\n  tcp_rcv_state_process+0xd28/0x1380\n  ? tcp_v4_do_rcv+0x77/0x2c0\n  tcp_v4_do_rcv+0x77/0x2c0\n  __release_sock+0x106/0x130\n  __tcp_close+0x1a7/0x4e0\n  tcp_close+0x20/0x70\n  inet_release+0x3c/0x80\n  __sock_release+0x3a/0xb0\n  sock_close+0x14/0x20\n  __fput+0xa3/0x260\n  task_work_run+0x59/0xb0\n  exit_to_user_mode_prepare+0x1b3/0x1c0\n  syscall_exit_to_user_mode+0x19/0x50\n  do_syscall_64+0x48/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root case is in commit 84472b436e76 (\"bpf, sockmap: Fix more uncharged\nwhile msg has more_data\"), where I used msg->sg.size to replace the tosend,\ncausing breakage:\n\n  if (msg->apply_bytes && msg->apply_bytes < tosend)\n    tosend = psock->apply_bytes;",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, verifier: Fix memory leak in array reallocation for stack state\n\nIf an error (NULL) is returned by krealloc(), callers of realloc_array()\nwere setting their allocation pointers to NULL, but on error krealloc()\ndoes not touch the original allocation. This would result in a memory\nresource leak. Instead, free the old allocation on the error handling\npath.\n\nThe memory leak information is as follows as also reported by Zhengchao:\n\n  unreferenced object 0xffff888019801800 (size 256):\n  comm \"bpf_repo\", pid 6490, jiffies 4294959200 (age 17.170s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0\n    [<0000000086712a0b>] krealloc+0x83/0xd0\n    [<00000000139aab02>] realloc_array+0x82/0xe2\n    [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186\n    [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341\n    [<0000000081780455>] do_check_common+0x5358/0xb350\n    [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d\n    [<000000002973c690>] bpf_prog_load+0x13db/0x2240\n    [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0\n    [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0\n    [<0000000056fedaf5>] do_syscall_64+0x35/0x80\n    [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix BUG_ON() when directory entry has invalid rec_len\n\nThe rec_len field in the directory entry has to be a multiple of 4.  A\ncorrupted filesystem image can be used to hit a BUG() in\next4_rec_len_to_disk(), called from make_indexed_dir().\n\n ------------[ cut here ]------------\n kernel BUG at fs/ext4/ext4.h:2413!\n ...\n RIP: 0010:make_indexed_dir+0x53f/0x5f0\n ...\n Call Trace:\n  <TASK>\n  ? add_dirent_to_buf+0x1b2/0x200\n  ext4_add_entry+0x36e/0x480\n  ext4_add_nondir+0x2b/0xc0\n  ext4_create+0x163/0x200\n  path_openat+0x635/0xe90\n  do_filp_open+0xb4/0x160\n  ? __create_object.isra.0+0x1de/0x3b0\n  ? _raw_spin_unlock+0x12/0x30\n  do_sys_openat2+0x91/0x150\n  __x64_sys_open+0x6c/0xa0\n  do_syscall_64+0x3c/0x80\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe fix simply adds a call to ext4_check_dir_entry() to validate the\ndirectory entry, returning -EFSCORRUPTED if the entry is invalid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix warning in 'ext4_da_release_space'\n\nSyzkaller reports an issue as follows:\nEXT4-fs (loop0): Free/Dirty block details\nEXT4-fs (loop0): free_blocks=0\nEXT4-fs (loop0): dirty_blocks=0\nEXT4-fs (loop0): Block reservation details\nEXT4-fs (loop0): i_reserved_data_blocks=0\nEXT4-fs warning (device loop0): ext4_da_release_space:1527: ext4_da_release_space: ino 18, to_free 1 with only 0 reserved data blocks\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 92 at fs/ext4/inode.c:1528 ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1524\nModules linked in:\nCPU: 0 PID: 92 Comm: kworker/u4:4 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: writeback wb_workfn (flush-7:0)\nRIP: 0010:ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1528\nRSP: 0018:ffffc900015f6c90 EFLAGS: 00010296\nRAX: 42215896cd52ea00 RBX: 0000000000000000 RCX: 42215896cd52ea00\nRDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000\nRBP: 1ffff1100e907d96 R08: ffffffff816aa79d R09: fffff520002bece5\nR10: fffff520002bece5 R11: 1ffff920002bece4 R12: ffff888021fd2000\nR13: ffff88807483ecb0 R14: 0000000000000001 R15: ffff88807483e740\nFS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555569ba628 CR3: 000000000c88e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ext4_es_remove_extent+0x1ab/0x260 fs/ext4/extents_status.c:1461\n mpage_release_unused_pages+0x24d/0xef0 fs/ext4/inode.c:1589\n ext4_writepages+0x12eb/0x3be0 fs/ext4/inode.c:2852\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2469\n __writeback_single_inode+0xd1/0x670 fs/fs-writeback.c:1587\n writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1870\n wb_writeback+0x41f/0x7b0 fs/fs-writeback.c:2044\n wb_do_writeback fs/fs-writeback.c:2187 [inline]\n wb_workfn+0x3cb/0xef0 fs/fs-writeback.c:2227\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n </TASK>\n\nThe above issue may happen as follows:\next4_da_write_begin\n  ext4_create_inline_data\n    ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);\n    ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);\n__ext4_ioctl\n  ext4_ext_migrate -> will lead to eh->eh_entries not zero, and set extent flag\next4_da_write_begin\n  ext4_da_convert_inline_data_to_extent\n    ext4_da_write_inline_data_begin\n      ext4_da_map_blocks\n        ext4_insert_delayed_block\n\t  if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk))\n\t    if (!ext4_es_scan_clu(inode, &ext4_es_is_mapped, lblk))\n\t      ext4_clu_mapped(inode, EXT4_B2C(sbi, lblk)); -> will return 1\n\t       allocated = true;\n          ext4_es_insert_delayed_block(inode, lblk, allocated);\next4_writepages\n  mpage_map_and_submit_extent(handle, &mpd, &give_up_on_write); -> return -ENOSPC\n  mpage_release_unused_pages(&mpd, give_up_on_write); -> give_up_on_write == 1\n    ext4_es_remove_extent\n      ext4_da_release_space(inode, reserved);\n        if (unlikely(to_free > ei->i_reserved_data_blocks))\n\t  -> to_free == 1  but ei->i_reserved_data_blocks == 0\n\t  -> then trigger warning as above\n\nTo solve the above issue, forbid migration of an inode which has inline data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix memory leak in query_regdb_file()\n\nIn the function query_regdb_file() the alpha2 parameter is duplicated\nusing kmemdup() and subsequently freed in regdb_fw_cb(). However,\nrequest_firmware_nowait() can fail without calling regdb_fw_cb() and\nthus leak memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache\n\nReject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.\nNot checking the active flag during refresh is particularly egregious, as\nKVM can end up with a valid, inactive cache, which can lead to a variety\nof use-after-free bugs, e.g. consuming a NULL kernel pointer or missing\nan mmu_notifier invalidation due to the cache not being on the list of\ngfns to invalidate.\n\nNote, \"active\" needs to be set if and only if the cache is on the list\nof caches, i.e. is reachable via mmu_notifier events.  If a relevant\nmmu_notifier event occurs while the cache is \"active\" but not on the\nlist, KVM will not acquire the cache's lock and so will not serialize\nthe mmu_notifier event with active users and/or kvm_gpc_refresh().\n\nA race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND\ncan be exploited to trigger the bug.\n\n1. Deactivate shinfo cache:\n\nkvm_xen_hvm_set_attr\ncase KVM_XEN_ATTR_TYPE_SHARED_INFO\n kvm_gpc_deactivate\n  kvm_gpc_unmap\n   gpc->valid = false\n   gpc->khva = NULL\n  gpc->active = false\n\nResult: active = false, valid = false\n\n2. Cause cache refresh:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n  kvm_xen_set_evtchn\n   kvm_xen_set_evtchn_fast\n    kvm_gpc_check\n    return -EWOULDBLOCK because !gpc->valid\n   kvm_xen_set_evtchn_fast\n    return -EWOULDBLOCK\n   kvm_gpc_refresh\n    hva_to_pfn_retry\n     gpc->valid = true\n     gpc->khva = not NULL\n\nResult: active = false, valid = true\n\n3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl\nKVM_XEN_ATTR_TYPE_SHARED_INFO:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n  kvm_xen_set_evtchn\n   kvm_xen_set_evtchn_fast\n    read_lock gpc->lock\n                                          kvm_xen_hvm_set_attr case\n                                          KVM_XEN_ATTR_TYPE_SHARED_INFO\n                                           mutex_lock kvm->lock\n                                           kvm_xen_shared_info_init\n                                            kvm_gpc_activate\n                                             gpc->khva = NULL\n    kvm_gpc_check\n     [ Check passes because gpc->valid is\n       still true, even though gpc->khva\n       is already NULL. ]\n    shinfo = gpc->khva\n    pending_bits = shinfo->evtchn_pending\n    CRASH: test_and_set_bit(..., pending_bits)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: smm: number of GPRs in the SMRAM image depends on the image format\n\nOn a 64-bit host, if the guest doesn't have X86_FEATURE_LM, KVM will\naccess 16 gprs in a 32-bit smram image, causing an out-of-bound ram\naccess.\n\nOn a 32-bit host, the rsm_load_state_64/enter_smm_save_state_64\nis compiled out, thus access overflow can't happen.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Initialize gfn_to_pfn_cache locks in dedicated helper\n\nMove the gfn_to_pfn_cache lock initialization to another helper and\ncall the new helper during VM/vCPU creation.  There are race\nconditions possible due to kvm_gfn_to_pfn_cache_init()'s\nability to re-initialize the cache's locks.\n\nFor example: a race between ioctl(KVM_XEN_HVM_EVTCHN_SEND) and\nkvm_gfn_to_pfn_cache_init() leads to a corrupted shinfo gpc lock.\n\n                (thread 1)                |           (thread 2)\n                                          |\n kvm_xen_set_evtchn_fast                  |\n  read_lock_irqsave(&gpc->lock, ...)      |\n                                          | kvm_gfn_to_pfn_cache_init\n                                          |  rwlock_init(&gpc->lock)\n  read_unlock_irqrestore(&gpc->lock, ...) |\n\nRename \"cache_init\" and \"cache_destroy\" to activate+deactivate to\navoid implying that the cache really is destroyed/freed.\n\nNote, there are more races in the newly named kvm_gpc_activate() that will\nbe addressed separately.\n\n[sean: call out that this is a bug fix]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()\n\nChange num_ghes from int to unsigned int, preventing an overflow\nand causing subsequent vmalloc() to fail.\n\nThe overflow happens in ghes_estatus_pool_init() when calculating\nlen during execution of the statement below as both multiplication\noperands here are signed int:\n\nlen += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);\n\nThe following call trace is observed because of this bug:\n\n[    9.317108] swapper/0: vmalloc error: size 18446744071562596352, exceeds total pages, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0-1\n[    9.317131] Call Trace:\n[    9.317134]  <TASK>\n[    9.317137]  dump_stack_lvl+0x49/0x5f\n[    9.317145]  dump_stack+0x10/0x12\n[    9.317146]  warn_alloc.cold+0x7b/0xdf\n[    9.317150]  ? __device_attach+0x16a/0x1b0\n[    9.317155]  __vmalloc_node_range+0x702/0x740\n[    9.317160]  ? device_add+0x17f/0x920\n[    9.317164]  ? dev_set_name+0x53/0x70\n[    9.317166]  ? platform_device_add+0xf9/0x240\n[    9.317168]  __vmalloc_node+0x49/0x50\n[    9.317170]  ? ghes_estatus_pool_init+0x43/0xa0\n[    9.317176]  vmalloc+0x21/0x30\n[    9.317177]  ghes_estatus_pool_init+0x43/0xa0\n[    9.317179]  acpi_hest_init+0x129/0x19c\n[    9.317185]  acpi_init+0x434/0x4a4\n[    9.317188]  ? acpi_sleep_proc_init+0x2a/0x2a\n[    9.317190]  do_one_initcall+0x48/0x200\n[    9.317195]  kernel_init_freeable+0x221/0x284\n[    9.317200]  ? rest_init+0xe0/0xe0\n[    9.317204]  kernel_init+0x1a/0x130\n[    9.317205]  ret_from_fork+0x22/0x30\n[    9.317208]  </TASK>\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Panic on bad configs that #VE on \"private\" memory access\n\nAll normal kernel memory is \"TDX private memory\".  This includes\neverything from kernel stacks to kernel text.  Handling\nexceptions on arbitrary accesses to kernel memory is essentially\nimpossible because they can happen in horribly nasty places like\nkernel entry/exit.  But, TDX hardware can theoretically _deliver_\na virtualization exception (#VE) on any access to private memory.\n\nBut, it's not as bad as it sounds.  TDX can be configured to never\ndeliver these exceptions on private memory with a \"TD attribute\"\ncalled ATTR_SEPT_VE_DISABLE.  The guest has no way to *set* this\nattribute, but it can check it.\n\nEnsure ATTR_SEPT_VE_DISABLE is set in early boot.  panic() if it\nis unset.  There is no sane way for Linux to run with this\nattribute clear so a panic() is appropriate.\n\nThere's a small window during boot before the check where the kernel\nhas an early #VE handler. But the handler is only for port I/O\nand will also panic() as soon as it sees any other #VE, such as\none generated by a private memory access.\n\n[ dhansen: Rewrite changelog and rebase on new tdx_parse_tdinfo().\n\t   Add Kirill's tested-by because I made changes since\n\t   he wrote this. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: meson: vdec: fix possible refcount leak in vdec_probe()\n\nv4l2_device_unregister needs to be called to put the refcount got by\nv4l2_device_register when vdec_probe fails or vdec_remove is called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: avoid kprobe recursion\n\nThe cortex_a76_erratum_1463225_debug_handler() function is called when\nhandling debug exceptions (and synchronous exceptions from BRK\ninstructions), and so is called when a probed function executes. If the\ncompiler does not inline cortex_a76_erratum_1463225_debug_handler(), it\ncan be probed.\n\nIf cortex_a76_erratum_1463225_debug_handler() is probed, any debug\nexception or software breakpoint exception will result in recursive\nexceptions leading to a stack overflow. This can be triggered with the\nftrace multiple_probes selftest, and as per the example splat below.\n\nThis is a regression caused by commit:\n\n  6459b8469753e9fe (\"arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround\")\n\n... which removed the NOKPROBE_SYMBOL() annotation associated with the\nfunction.\n\nMy intent was that cortex_a76_erratum_1463225_debug_handler() would be\ninlined into its caller, el1_dbg(), which is marked noinstr and cannot\nbe probed. Mark cortex_a76_erratum_1463225_debug_handler() as\n__always_inline to ensure this.\n\nExample splat prior to this patch (with recursive entries elided):\n\n| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events\n| # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events\n| # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable\n| Insufficient stack space to handle exception!\n| ESR: 0x0000000096000047 -- DABT (current EL)\n| FAR: 0xffff800009cefff0\n| Task stack:     [0xffff800009cf0000..0xffff800009cf4000]\n| IRQ stack:      [0xffff800008000000..0xffff800008004000]\n| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : arm64_enter_el1_dbg+0x4/0x20\n| lr : el1_dbg+0x24/0x5c\n| sp : ffff800009cf0000\n| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000\n| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068\n| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000\n| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0\n| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4\n| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040\n| Kernel panic - not syncing: kernel stack overflow\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n|  dump_backtrace+0xe4/0x104\n|  show_stack+0x18/0x4c\n|  dump_stack_lvl+0x64/0x7c\n|  dump_stack+0x18/0x38\n|  panic+0x14c/0x338\n|  test_taint+0x0/0x2c\n|  panic_bad_stack+0x104/0x118\n|  handle_bad_stack+0x34/0x48\n|  __bad_stack+0x78/0x7c\n|  arm64_enter_el1_dbg+0x4/0x20\n|  el1h_64_sync_handler+0x40/0x98\n|  el1h_64_sync+0x64/0x68\n|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n|  el1h_64_sync_handler+0x40/0x98\n|  el1h_64_sync+0x64/0x68\n|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n|  el1h_64_sync_handler+0x40/0x98\n|  el1h_64_sync+0x64/0x68\n|  cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n|  el1h_64_sync_handler+0x40/0x98\n|  el1h_64_sync+0x64/0x68\n|  do_el0_svc+0x0/0x28\n|  el0t_64_sync_handler+0x84/0xf0\n|  el0t_64_sync+0x18c/0x190\n| Kernel Offset: disabled\n| CPU features: 0x0080,00005021,19001080\n| Memory Limit: none\n| ---[ end Kernel panic - not syncing: kernel stack overflow ]---\n\nWith this patch, cortex_a76_erratum_1463225_debug_handler() is inlined\ninto el1_dbg(), and el1_dbg() cannot be probed:\n\n| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events\n| sh: write error: No such file or directory\n| # grep -w cortex_a76_errat\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()\n\nOn some machines the number of listed CPUs may be bigger than the actual\nCPUs that exist. The tracing subsystem allocates a per_cpu directory with\naccess to the per CPU ring buffer via a cpuX file. But to save space, the\nring buffer will only allocate buffers for online CPUs, even though the\nCPU array will be as big as the nr_cpu_ids.\n\nWith the addition of waking waiters on the ring buffer when closing the\nfile, the ring_buffer_wake_waiters() now needs to make sure that the\nbuffer is allocated (with the irq_work allocated with it) before trying to\nwake waiters, as it will cause a NULL pointer dereference.\n\nWhile debugging this, I added a NULL check for the buffer itself (which is\nOK to do), and also NULL pointer checks against buffer->buffers (which is\nnot fine, and will WARN) as well as making sure the CPU number passed in\nis within the nr_cpu_ids (which is also not fine if it isn't).\n\n\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.8"
        },
        {
          "id": "CVE-2022-49890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncapabilities: fix potential memleak on error path from vfs_getxattr_alloc()\n\nIn cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to\ncomplete the memory allocation of tmpbuf, if we have completed\nthe memory allocation of tmpbuf, but failed to call handler->get(...),\nthere will be a memleak in the logic below:\n\n  |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)\n    |           /* ^^^ alloc for tmpbuf */\n    |-- value = krealloc(*xattr_value, error + 1, flags)\n    |           /* ^^^ alloc memory */\n    |-- error = handler->get(handler, ...)\n    |           /* error! */\n    |-- *xattr_value = value\n    |           /* xattr_value is &tmpbuf (memory leak!) */\n\nSo we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.\n\n[PM: subject line and backtrace tweaks]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()\n\ntest_gen_kprobe_cmd() only frees buf in the fail path, hence buf will leak\nwhen there is no failure. Move kfree(buf) from the fail path to the common path\nto prevent the memleak. The same reason and solution apply in\ntest_gen_kretprobe_cmd().\n\nunreferenced object 0xffff888143b14000 (size 2048):\n  comm \"insmod\", pid 52490, jiffies 4301890980 (age 40.553s)\n  hex dump (first 32 bytes):\n    70 3a 6b 70 72 6f 62 65 73 2f 67 65 6e 5f 6b 70  p:kprobes/gen_kp\n    72 6f 62 65 5f 74 65 73 74 20 64 6f 5f 73 79 73  robe_test do_sys\n  backtrace:\n    [<000000006d7b836b>] kmalloc_trace+0x27/0xa0\n    [<0000000009528b5b>] 0xffffffffa059006f\n    [<000000008408b580>] do_one_initcall+0x87/0x2a0\n    [<00000000c4980a7e>] do_init_module+0xdf/0x320\n    [<00000000d775aad0>] load_module+0x3006/0x3390\n    [<00000000e9a74b80>] __do_sys_finit_module+0x113/0x1b0\n    [<000000003726480d>] do_syscall_64+0x35/0x80\n    [<000000003441e93b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix use-after-free for dynamic ftrace_ops\n\nKASAN reported a use-after-free with ftrace ops [1]. It was found from\nvmcore that perf had registered two ops with the same content\nsuccessively, both dynamic. After unregistering the second ops, a\nuse-after-free occurred.\n\nIn ftrace_shutdown(), when the second ops is unregistered, the\nFTRACE_UPDATE_CALLS command is not set because there is another enabled\nops with the same content.  Also, both ops are dynamic and the ftrace\ncallback function is ftrace_ops_list_func, so the\nFTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value\nof 'command' will be 0 and ftrace_shutdown() will skip the rcu\nsynchronization.\n\nHowever, ftrace may be activated. When the ops is released, another CPU\nmay be accessing the ops.  Add the missing synchronization to fix this\nproblem.\n\n[1]\nBUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\nBUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\nRead of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468\n\nCPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132\n show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1b4/0x248 lib/dump_stack.c:118\n print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387\n __kasan_report mm/kasan/report.c:547 [inline]\n kasan_report+0x118/0x210 mm/kasan/report.c:564\n check_memory_region_inline mm/kasan/generic.c:187 [inline]\n __asan_load8+0x98/0xc0 mm/kasan/generic.c:253\n __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]\n ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049\n ftrace_graph_call+0x0/0x4\n __might_sleep+0x8/0x100 include/linux/perf_event.h:1170\n __might_fault mm/memory.c:5183 [inline]\n __might_fault+0x58/0x70 mm/memory.c:5171\n do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]\n strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139\n getname_flags+0xb0/0x31c fs/namei.c:149\n getname+0x2c/0x40 fs/namei.c:209\n [...]\n\nAllocated by task 14445:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc mm/kasan/common.c:479 [inline]\n __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493\n kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:675 [inline]\n perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230\n perf_event_alloc kernel/events/core.c:11733 [inline]\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\n __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723\n [...]\n\nFreed by task 14445:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:48\n kasan_set_track+0x24/0x34 mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358\n __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437\n __kasan_slab_free mm/kasan/common.c:445 [inline]\n kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446\n slab_free_hook mm/slub.c:1569 [inline]\n slab_free_freelist_hook mm/slub.c:1608 [inline]\n slab_free mm/slub.c:3179 [inline]\n kfree+0x12c/0xc10 mm/slub.c:4176\n perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434\n perf_event_alloc kernel/events/core.c:11733 [inline]\n __do_sys_perf_event_open kernel/events/core.c:11831 [inline]\n __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723\n [...]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix cxl_region leak, cleanup targets at region delete\n\nWhen a region is deleted any targets that have been previously assigned\nto that region hold references to it. Trigger those references to\ndrop by detaching all targets at unregister_region() time.\n\nOtherwise that region object will leak as userspace has lost the ability\nto detach targets once region sysfs is torn down.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix region HPA ordering validation\n\nSome regions may not have any address space allocated. Skip them when\nvalidating HPA order otherwise a crash like the following may result:\n\n devm_cxl_add_region: cxl_acpi cxl_acpi.0: decoder3.4: created region9\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [..]\n RIP: 0010:store_targetN+0x655/0x1740 [cxl_core]\n [..]\n Call Trace:\n  <TASK>\n  kernfs_fop_write_iter+0x144/0x200\n  vfs_write+0x24a/0x4d0\n  ksys_write+0x69/0xf0\n  do_syscall_64+0x3a/0x90\n\nstore_targetN+0x655/0x1740:\nalloc_region_ref at drivers/cxl/core/region.c:676\n(inlined by) cxl_port_attach_region at drivers/cxl/core/region.c:850\n(inlined by) cxl_region_attach at drivers/cxl/core/region.c:1290\n(inlined by) attach_target at drivers/cxl/core/region.c:1410\n(inlined by) store_targetN at drivers/cxl/core/region.c:1453",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix decoder allocation crash\n\nWhen an intermediate port's decoders have been exhausted by existing\nregions, and creating a new region with the port in question in its\nhierarchical path is attempted, cxl_port_attach_region() fails to find a\nport decoder (as would be expected), and drops into the failure / cleanup\npath.\n\nHowever, during cleanup of the region reference, a sanity check attempts\nto dereference the decoder, which in the above case didn't exist. This\ncauses a NULL pointer dereference BUG.\n\nTo fix this, refactor the decoder allocation and de-allocation into\nhelper routines, and in this 'free' routine, check that the decoder,\n@cxld, is valid before attempting any operations on it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pmem: Fix cxl_pmem_region and cxl_memdev leak\n\nWhen a cxl_nvdimm object goes through a ->remove() event (device\nphysically removed, nvdimm-bridge disabled, or nvdimm device disabled),\nthen any associated regions must also be disabled. As highlighted by the\ncxl-create-region.sh test [1], a single device may host multiple\nregions, but the driver was only tracking one region at a time. This\nleads to a situation where only the last enabled region per nvdimm\ndevice is cleaned up properly. Other regions are leaked, and this also\ncauses cxl_memdev reference leaks.\n\nFix the tracking by allowing cxl_nvdimm objects to track multiple region\nassociations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix tree mod log mishandling of reallocated nodes\n\nWe have been seeing the following panic in production\n\n  kernel BUG at fs/btrfs/tree-mod-log.c:677!\n  invalid opcode: 0000 [#1] SMP\n  RIP: 0010:tree_mod_log_rewind+0x1b4/0x200\n  RSP: 0000:ffffc9002c02f890 EFLAGS: 00010293\n  RAX: 0000000000000003 RBX: ffff8882b448c700 RCX: 0000000000000000\n  RDX: 0000000000008000 RSI: 00000000000000a7 RDI: ffff88877d831c00\n  RBP: 0000000000000002 R08: 000000000000009f R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000100c40 R12: 0000000000000001\n  R13: ffff8886c26d6a00 R14: ffff88829f5424f8 R15: ffff88877d831a00\n  FS:  00007fee1d80c780(0000) GS:ffff8890400c0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fee1963a020 CR3: 0000000434f33002 CR4: 00000000007706e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   btrfs_get_old_root+0x12b/0x420\n   btrfs_search_old_slot+0x64/0x2f0\n   ? tree_mod_log_oldest_root+0x3d/0xf0\n   resolve_indirect_ref+0xfd/0x660\n   ? ulist_alloc+0x31/0x60\n   ? kmem_cache_alloc_trace+0x114/0x2c0\n   find_parent_nodes+0x97a/0x17e0\n   ? ulist_alloc+0x30/0x60\n   btrfs_find_all_roots_safe+0x97/0x150\n   iterate_extent_inodes+0x154/0x370\n   ? btrfs_search_path_in_tree+0x240/0x240\n   iterate_inodes_from_logical+0x98/0xd0\n   ? btrfs_search_path_in_tree+0x240/0x240\n   btrfs_ioctl_logical_to_ino+0xd9/0x180\n   btrfs_ioctl+0xe2/0x2ec0\n   ? __mod_memcg_lruvec_state+0x3d/0x280\n   ? do_sys_openat2+0x6d/0x140\n   ? kretprobe_dispatcher+0x47/0x70\n   ? kretprobe_rethook_handler+0x38/0x50\n   ? rethook_trampoline_handler+0x82/0x140\n   ? arch_rethook_trampoline_callback+0x3b/0x50\n   ? kmem_cache_free+0xfb/0x270\n   ? do_sys_openat2+0xd5/0x140\n   __x64_sys_ioctl+0x71/0xb0\n   do_syscall_64+0x2d/0x40\n\nWhich is this code in tree_mod_log_rewind()\n\n\tswitch (tm->op) {\n        case BTRFS_MOD_LOG_KEY_REMOVE_WHILE_FREEING:\n\t\tBUG_ON(tm->slot < n);\n\nThis occurs because we replay the nodes in order that they happened, and\nwhen we do a REPLACE we will log a REMOVE_WHILE_FREEING for every slot,\nstarting at 0.  'n' here is the number of items in this block, which in\nthis case was 1, but we had 2 REMOVE_WHILE_FREEING operations.\n\nThe actual root cause of this was that we were replaying operations for\na block that shouldn't have been replayed.  Consider the following\nsequence of events\n\n1. We have an already modified root, and we do a btrfs_get_tree_mod_seq().\n2. We begin removing items from this root, triggering KEY_REPLACE for\n   its child slots.\n3. We remove one of the 2 children this root node points to, thus triggering\n   the root node promotion of the remaining child, and freeing this node.\n4. We modify a new root, and re-allocate the above node to the root node of\n   this other root.\n\nThe tree mod log looks something like this\n\n\tlogical 0\top KEY_REPLACE (slot 1)\t\t\tseq 2\n\tlogical 0\top KEY_REMOVE (slot 1)\t\t\tseq 3\n\tlogical 0\top KEY_REMOVE_WHILE_FREEING (slot 0)\tseq 4\n\tlogical 4096\top LOG_ROOT_REPLACE (old logical 0)\tseq 5\n\tlogical 8192\top KEY_REMOVE_WHILE_FREEING (slot 1)\tseq 6\n\tlogical 8192\top KEY_REMOVE_WHILE_FREEING (slot 0)\tseq 7\n\tlogical 0\top LOG_ROOT_REPLACE (old logical 8192)\tseq 8\n\nFrom here the bug is triggered by the following steps\n\n1.  Call btrfs_get_old_root() on the new_root.\n2.  We call tree_mod_log_oldest_root(btrfs_root_node(new_root)), which is\n    currently logical 0.\n3.  tree_mod_log_oldest_root() calls tree_mod_log_search_oldest(), which\n    gives us the KEY_REPLACE seq 2, and since that's not a\n    LOG_ROOT_REPLACE we incorrectly believe that we don't have an old\n    root, because we expect that the most recent change should be a\n    LOG_ROOT_REPLACE.\n4.  Back in tree_mod_log_oldest_root() we don't have a LOG_ROOT_REPLACE,\n    so we don't set old_root, we simply use our e\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: stop using keyrings subsystem for fscrypt_master_key\n\nThe approach of fs/crypto/ internally managing the fscrypt_master_key\nstructs as the payloads of \"struct key\" objects contained in a\n\"struct key\" keyring has outlived its usefulness.  The original idea was\nto simplify the code by reusing code from the keyrings subsystem.\nHowever, several issues have arisen that can't easily be resolved:\n\n- When a master key struct is destroyed, blk_crypto_evict_key() must be\n  called on any per-mode keys embedded in it.  (This started being the\n  case when inline encryption support was added.)  Yet, the keyrings\n  subsystem can arbitrarily delay the destruction of keys, even past the\n  time the filesystem was unmounted.  Therefore, currently there is no\n  easy way to call blk_crypto_evict_key() when a master key is\n  destroyed.  Currently, this is worked around by holding an extra\n  reference to the filesystem's request_queue(s).  But it was overlooked\n  that the request_queue reference is *not* guaranteed to pin the\n  corresponding blk_crypto_profile too; for device-mapper devices that\n  support inline crypto, it doesn't.  This can cause a use-after-free.\n\n- When the last inode that was using an incompletely-removed master key\n  is evicted, the master key removal is completed by removing the key\n  struct from the keyring.  Currently this is done via key_invalidate().\n  Yet, key_invalidate() takes the key semaphore.  This can deadlock when\n  called from the shrinker, since in fscrypt_ioctl_add_key(), memory is\n  allocated with GFP_KERNEL under the same semaphore.\n\n- More generally, the fact that the keyrings subsystem can arbitrarily\n  delay the destruction of keys (via garbage collection delay, or via\n  random processes getting temporary key references) is undesirable, as\n  it means we can't strictly guarantee that all secrets are ever wiped.\n\n- Doing the master key lookups via the keyrings subsystem results in the\n  key_permission LSM hook being called.  fscrypt doesn't want this, as\n  all access control for encrypted files is designed to happen via the\n  files themselves, like any other files.  The workaround which SELinux\n  users are using is to change their SELinux policy to grant key search\n  access to all domains.  This works, but it is an odd extra step that\n  shouldn't really have to be done.\n\nThe fix for all these issues is to change the implementation to what I\nshould have done originally: don't use the keyrings subsystem to keep\ntrack of the filesystem's fscrypt_master_key structs.  Instead, just\nstore them in a regular kernel data structure, and rework the reference\ncounting, locking, and lifetime accordingly.  Retain support for\nRCU-mode key lookups by using a hash table.  Replace fscrypt_sb_free()\nwith fscrypt_sb_delete(), which releases the keys synchronously and runs\na bit earlier during unmount, so that block devices are still available.\n\nA side effect of this patch is that neither the master keys themselves\nnor the filesystem keyrings will be listed in /proc/keys anymore.\n(\"Master key users\" and the master key users keyrings will still be\nlisted.)  However, this was mostly an implementation detail, and it was\nintended just for debugging purposes.  I don't know of anyone using it.\n\nThis patch does *not* change how \"master key users\" (->mk_users) works;\nthat still uses the keyrings subsystem.  That is still needed for key\nquotas, and changing that isn't necessary to solve the issues listed\nabove.  If we decide to change that too, it would be a separate patch.\n\nI've marked this as fixing the original commit that added the fscrypt\nkeyring, but as noted above the most important issue that this patch\nfixes wasn't introduced until the addition of inline encryption support.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix adapter not be removed in piix4_remove()\n\nIn piix4_probe(), the piix4 adapter will be registered in:\n\n   piix4_probe()\n     piix4_add_adapters_sb800() / piix4_add_adapter()\n       i2c_add_adapter()\n\nBased on the probed device type, piix4_add_adapters_sb800() or single\npiix4_add_adapter() will be called.\nFor the former case, piix4_adapter_count is set as the number of adapters,\nwhile for the other case it is not set and kept default *zero*.\n\nWhen piix4 is removed, piix4_remove() removes the adapters added in\npiix4_probe(), based on the piix4_adapter_count value.\nBecause the count is zero for the single adapter case, the adapter won't\nbe removed, and the resources allocated for the adapter, such as\nthe i2c client and device, are leaked.\n\nThese resources can still be accessed by i2c or bus and cause problems.\nAn easily reproduced case is that if a new adapter is registered, i2c\nwill get the leaked adapter and try to call smbus_algorithm, which was\nalready freed:\n\nTriggered by: rmmod i2c_piix4 && modprobe max31730\n\n BUG: unable to handle page fault for address: ffffffffc053d860\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3752 Comm: modprobe Tainted: G\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core\n RSP: 0018:ffff888107477710 EFLAGS: 00000246\n ...\n <TASK>\n  i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core\n  __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core\n  bus_for_each_dev (drivers/base/bus.c:301)\n  i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core\n  i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core\n  do_one_initcall (init/main.c:1296)\n  do_init_module (kernel/module/main.c:2455)\n  ...\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nFix this problem by correctly setting piix4_adapter_count as 1 for the\nsingle adapter so it can be normally removed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\n\nThere is a kmemleak caused by modprobe null_blk.ko\n\nunreferenced object 0xffff8881acb1f000 (size 1024):\n  comm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff  .........S......\n  backtrace:\n    [<000000004a10c249>] kmalloc_node_trace+0x22/0x60\n    [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350\n    [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n    [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440\n    [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0\n    [<00000000d10c98c3>] 0xffffffffc450d69d\n    [<00000000b9299f48>] 0xffffffffc4538392\n    [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0\n    [<00000000b389383b>] do_init_module+0x1a4/0x680\n    [<0000000087cf3542>] load_module+0x6249/0x7110\n    [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200\n    [<00000000fdcfff51>] do_syscall_64+0x35/0x80\n    [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThat is because q->mq_ops is set to NULL before blk_release_queue is\ncalled.\n\nblk_mq_init_queue_data\n  blk_mq_init_allocated_queue\n    blk_mq_realloc_hw_ctxs\n      for (i = 0; i < set->nr_hw_queues; i++) {\n        old_hctx = xa_load(&q->hctx_table, i);\n        if (!blk_mq_alloc_and_init_hctx(.., i, ..))\t\t[1]\n          if (!old_hctx)\n\t    break;\n\n      xa_for_each_start(&q->hctx_table, j, hctx, j)\n        blk_mq_exit_hctx(q, set, hctx, j); \t\t\t[2]\n\n    if (!q->nr_hw_queues)\t\t\t\t\t[3]\n      goto err_hctxs;\n\n  err_exit:\n      q->mq_ops = NULL;\t\t\t  \t\t\t[4]\n\n  blk_put_queue\n    blk_release_queue\n      if (queue_is_mq(q))\t\t\t\t\t[5]\n        blk_mq_release(q);\n\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q->nr_hw_queues is 0.\n[4]: Set q->mq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q->unused_hctx_list are leaked.\n\nTo fix it, call blk_release_queue in exception path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix possible memory leak for rq_wb on add_disk failure\n\nkmemleak reported memory leaks in device_add_disk():\n\nkmemleak: 3 new suspected memory leaks\n\nunreferenced object 0xffff88800f420800 (size 512):\n  comm \"modprobe\", pid 4275, jiffies 4295639067 (age 223.512s)\n  hex dump (first 32 bytes):\n    04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00  ................\n    00 e1 f5 05 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000d3662699>] kmalloc_trace+0x26/0x60\n    [<00000000edc7aadc>] wbt_init+0x50/0x6f0\n    [<0000000069601d16>] wbt_enable_default+0x157/0x1c0\n    [<0000000028fc393f>] blk_register_queue+0x2a4/0x420\n    [<000000007345a042>] device_add_disk+0x6fd/0xe40\n    [<0000000060e6aab0>] nbd_dev_add+0x828/0xbf0 [nbd]\n    ...\n\nIt is because the memory allocated in wbt_enable_default() is not\nreleased in device_add_disk() error path.\nNormally, this memory is freed in:\n\ndel_gendisk()\n  rq_qos_exit()\n    rqos->ops->exit(rqos);\n      wbt_exit()\n\nSo rq_qos_exit() is called to free the rq_wb memory for wbt_init().\nHowever in the error path of device_add_disk(), only\nblk_unregister_queue() is called, leaking the rq_wb memory.\n\nAdd rq_qos_exit() to the error path to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix WARNING in ip6_route_net_exit_late()\n\nDuring the initialization of ip6_route_net_init_late(), if file\nipv6_route or rt6_stats fails to be created, the initialization is\nsuccessful by default. Therefore, the ipv6_route or rt6_stats file\nisn't found during the remove in ip6_route_net_exit_late(). It\nwill cause a WARNING.\n\nThe following is the stack information:\nname 'rt6_stats'\nWARNING: CPU: 0 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460\nModules linked in:\nWorkqueue: netns cleanup_net\nRIP: 0010:remove_proc_entry+0x389/0x460\nPKRU: 55555554\nCall Trace:\n<TASK>\nops_exit_list+0xb0/0x170\ncleanup_net+0x4ea/0xb00\nprocess_one_work+0x9bf/0x1710\nworker_thread+0x665/0x1080\nkthread+0x2e4/0x3a0\nret_from_fork+0x1f/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Fix null-ptr-deref in neigh_table_clear()\n\nWhen IPv6 module gets initialized but hits an error in the middle,\nkernel panic with:\n\nKASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]\nCPU: 1 PID: 361 Comm: insmod\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370\nRSP: 0018:ffff888012677908 EFLAGS: 00000202\n...\nCall Trace:\n <TASK>\n neigh_table_clear+0x94/0x2d0\n ndisc_cleanup+0x27/0x40 [ipv6]\n inet6_init+0x21c/0x2cb [ipv6]\n do_one_initcall+0xd3/0x4d0\n do_init_module+0x1ae/0x670\n...\nKernel panic - not syncing: Fatal exception\n\nWhen ipv6 initialization fails, it will try to cleanup and calls:\n\nneigh_table_clear()\n  neigh_ifdown(tbl, NULL)\n    pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev == NULL))\n    # dev_net(NULL) triggers null-ptr-deref.\n\nFix it by passing NULL to pneigh_queue_purge() in neigh_ifdown() if dev\nis NULL, to make kernel not panic immediately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible leaked pernet namespace in smc_init()\n\nIn smc_init(), register_pernet_subsys(&smc_net_stat_ops) is called\nwithout any error handling.\nIf it fails, registering of &smc_net_ops won't be reverted.\nAnd if smc_nl_init() fails, &smc_net_stat_ops itself won't be reverted.\n\nThis leaves wild ops in subsystem linked list and when another module\ntries to call register_pernet_operations() it triggers page fault:\n\nBUG: unable to handle page fault for address: fffffbfff81b964c\nRIP: 0010:register_pernet_operations+0x1b9/0x5f0\nCall Trace:\n  <TASK>\n  register_pernet_subsys+0x29/0x40\n  ebtables_init+0x58/0x1000 [ebtables]\n  ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Free rwi on reset success\n\nFree the rwi structure in the event that the last rwi in the list\nprocessed successfully. The logic in commit 4f408e1fa6e1 (\"ibmvnic:\nretry reset if there are no other resets\") introduces an issue that\nresults in a 32 byte memory leak whenever the last rwi in the list\ngets processed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: fix undefined behavior in bit shift for __mdiobus_register\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27\nleft shift of 1 by 31 places cannot be represented in type 'int'\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n __mdiobus_register+0x49d/0x4e0\n fixed_mdio_bus_init+0xd8/0x12d\n do_one_initcall+0x76/0x430\n kernel_init_freeable+0x3b3/0x422\n kernel_init+0x24/0x1e0\n ret_from_fork+0x1f/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix memory leak in vhci_write\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810d81ac00 (size 240):\n  [...]\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418\n    [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]\n    [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]\n    [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]\n    [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511\n    [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]\n    [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]\n    [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578\n    [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631\n    [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nHCI core uses hci_rx_work() to process frame, which is queued to\nthe hdev->rx_q tail in hci_recv_frame() by HCI driver.\n\nYet the problem is that, HCI core may not free the skb after handling\nACL data packets. To be more specific, when start fragment does not\ncontain the L2CAP length, HCI core just copies skb into conn->rx_skb and\nfinishes frame process in l2cap_recv_acldata(), without freeing the skb,\nwhich triggers the above memory leak.\n\nThis patch solves it by releasing the relative skb, after processing\nthe above case in l2cap_recv_acldata().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu\n\nFix the race condition between the following two flows that run in\nparallel:\n\n1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->\n   __sock_queue_rcv_skb.\n\n2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.\n\nAn SKB can be queued by the first flow and immediately dequeued and\nfreed by the second flow, therefore the callers of l2cap_reassemble_sdu\ncan't use the SKB after that function returns. However, some places\ncontinue accessing struct l2cap_ctrl that resides in the SKB's CB for a\nshort time after l2cap_reassemble_sdu returns, leading to a\nuse-after-free condition (the stack trace is below, line numbers for\nkernel 5.19.8).\n\nFix it by keeping a local copy of struct l2cap_ctrl.\n\nBUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth\nRead of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169\n\nWorkqueue: hci0 hci_rx_work [bluetooth]\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))\n print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)\n ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth\n kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)\n ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth\n l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth\n l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth\n ret_from_fork (arch/x86/entry/entry_64.S:306)\n </TASK>\n\nAllocated by task 43169:\n kasan_save_stack (mm/kasan/common.c:39)\n __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)\n kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)\n __alloc_skb (net/core/skbuff.c:414)\n l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth\n l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth\n hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth\n process_one_work (kernel/workqueue.c:2289)\n worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)\n kthread (kernel/kthread.c:376)\n ret_from_fork (arch/x86/entry/entry_64.S:306)\n\nFreed by task 27920:\n kasan_save_stack (mm/kasan/common.c:39)\n kasan_set_track (mm/kasan/common.c:45)\n kasan_set_free_info (mm/kasan/generic.c:372)\n ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)\n slab_free_freelist_hook (mm/slub.c:1780)\n kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)\n skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)\n bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth\n l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth\n sock_read_iter (net/socket.c:1087)\n new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)\n vfs_read (fs/read_write.c:482)\n ksys_read (fs/read_write.c:620)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: enforce documented limit to prevent allocating huge memory\n\nDaniel Xu reported that the hash:net,iface type of the ipset subsystem does\nnot limit adding the same network with different interfaces to a set, which\ncan lead to huge memory usage or allocation failure.\n\nThe quick reproducer is\n\n$ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0\n$ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done\n\nThe backtrace when vmalloc fails:\n\n        [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages\n        <...>\n        [Tue Oct 25 00:13:08 2022] Call Trace:\n        [Tue Oct 25 00:13:08 2022]  <TASK>\n        [Tue Oct 25 00:13:08 2022]  dump_stack_lvl+0x48/0x60\n        [Tue Oct 25 00:13:08 2022]  warn_alloc+0x155/0x180\n        [Tue Oct 25 00:13:08 2022]  __vmalloc_node_range+0x72a/0x760\n        [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_add+0x7c0/0xb20\n        [Tue Oct 25 00:13:08 2022]  ? __kmalloc_large_node+0x4a/0x90\n        [Tue Oct 25 00:13:08 2022]  kvmalloc_node+0xa6/0xd0\n        [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_resize+0x99/0x710\n        <...>\n\nThe fix is to enforce the limit documented in the ipset(8) manpage:\n\n>  The internal restriction of the hash:net,iface set type is that the same\n>  network prefix cannot be stored with more than 64 different interfaces\n>  in a single set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix ulist leaks in error paths of qgroup self tests\n\nIn the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests,\nif we fail to add the tree ref, remove the extent item or remove the\nextent ref, we are returning from the test function without freeing the\n\"old_roots\" ulist that was allocated by the previous calls to\nbtrfs_find_all_roots(). Fix that by calling ulist_free() before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix inode list leak during backref walking at find_parent_nodes()\n\nDuring backref walking, at find_parent_nodes(), if we are dealing with a\ndata extent and we get an error while resolving the indirect backrefs, at\nresolve_indirect_refs(), or in the while loop that iterates over the refs\nin the direct refs rbtree, we end up leaking the inode lists attached to\nthe direct refs we have in the direct refs rbtree that were not yet added\nto the refs ulist passed as argument to find_parent_nodes(). Since they\nwere not yet added to the refs ulist and prelim_release() does not free\nthe lists, on error the caller can only free the lists attached to the\nrefs that were added to the refs ulist, all the remaining refs get their\ninode lists never freed, therefore leaking their memory.\n\nFix this by having prelim_release() always free any attached inode list\nto each ref found in the rbtree, and have find_parent_nodes() set the\nref's inode list to NULL once it transfers ownership of the inode list\nto a ref added to the refs ulist passed to find_parent_nodes().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix inode list leak during backref walking at resolve_indirect_refs()\n\nDuring backref walking, at resolve_indirect_refs(), if we get an error\nwe jump to the 'out' label and call ulist_free() on the 'parents' ulist,\nwhich frees all the elements in the ulist - however that does not free\nany inode lists that may be attached to elements, through the 'aux' field\nof a ulist node, so we end up leaking lists if we have any attached to\nthe unodes.\n\nFix this by calling free_leaf_list() instead of ulist_free() when we exit\nfrom resolve_indirect_refs(). The static function free_leaf_list() is\nmoved up for this to be possible and it's slightly simplified by removing\nunnecessary code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix possible memory leak in mISDN_register_device()\n\nAfter commit 1fa5ae857bb1 (\"driver core: get rid of struct device's\nbus_id string array\"), the name of the device is allocated dynamically;\nadd put_device() to give up the reference, so that the name can be\nfreed in kobject_cleanup() when the refcount is 0.\n\nSet the device class before put_device() to avoid a null release() function\nWARN message in device_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: Fix NULL pointer dereference in rose_send_frame()\n\nThe syzkaller reported an issue:\n\nKASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]\nCPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: rcu_gp srcu_invoke_callbacks\nRIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101\nCall Trace:\n <IRQ>\n rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255\n rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009\n rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111\n call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790\n __run_timers kernel/time/timer.c:1768 [inline]\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803\n __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571\n [...]\n </IRQ>\n\nIt triggers a NULL pointer dereference when 'neigh->dev->dev_addr' is\ncalled in rose_send_frame(). The first occurrence of the\n`neigh` is in rose_loopback_timer() as `rose_loopback_neigh', and\nthe 'dev' in 'rose_loopback_neigh' is initialized as nullptr.\n\nIt had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf\n(\"rose: Fix Null pointer dereference in rose_send_frame()\") ever.\nBut it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8\n(\"rose: check NULL rose_loopback_neigh->loopback\") again.\n\nWe fix it by adding a NULL check in rose_transmit_clear_request(). When\nthe 'dev' in 'neigh' is NULL, we don't reply to the request and just\nclear it.\n\nsyzkaller doesn't provide a repro, and I provide a syz repro like:\nr0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)\nioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\\x00', 0x201})\nr1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)\nbind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)\nconnect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix WARNING in ip_vs_app_net_cleanup()\n\nDuring the initialization of ip_vs_app_net_init(), if file ip_vs_app\nfails to be created, the initialization is successful by default.\nTherefore, the ip_vs_app file is not found during the remove in\nip_vs_app_net_cleanup(). It will cause a WARNING.\n\nThe following is the stack information:\nname 'ip_vs_app'\nWARNING: CPU: 1 PID: 9 at fs/proc/generic.c:712 remove_proc_entry+0x389/0x460\nModules linked in:\nWorkqueue: netns cleanup_net\nRIP: 0010:remove_proc_entry+0x389/0x460\nCall Trace:\n<TASK>\nops_exit_list+0x125/0x170\ncleanup_net+0x4ea/0xb00\nprocess_one_work+0x9bf/0x1710\nworker_thread+0x665/0x1080\nkthread+0x2e4/0x3a0\nret_from_fork+0x1f/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix WARNING in __ip_vs_cleanup_batch()\n\nDuring the initialization of ip_vs_conn_net_init(), if file ip_vs_conn\nor ip_vs_conn_sync fails to be created, the initialization is successful\nby default. Therefore, the ip_vs_conn or ip_vs_conn_sync file is not\nfound during the remove.\n\nThe following is the stack information:\nname 'ip_vs_conn_sync'\nWARNING: CPU: 3 PID: 9 at fs/proc/generic.c:712\nremove_proc_entry+0x389/0x460\nModules linked in:\nWorkqueue: netns cleanup_net\nRIP: 0010:remove_proc_entry+0x389/0x460\nCall Trace:\n<TASK>\n__ip_vs_cleanup_batch+0x7d/0x120\nops_exit_list+0x125/0x170\ncleanup_net+0x4ea/0xb00\nprocess_one_work+0x9bf/0x1710\nworker_thread+0x665/0x1080\nkthread+0x2e4/0x3a0\nret_from_fork+0x1f/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flow rule object from commit path\n\nNo need to postpone this to the commit release path, since no packets\nare walking over this object; it is accessed from the control plane only.\nThis helped uncover a UAF triggered by races with the netlink notifier.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: netlink notifier might race to release objects\n\nThe commit release path is invoked via call_rcu and it runs lockless to\nrelease the objects after the rcu grace period. The netlink notifier handler\nmight win the race to remove objects that the transaction context is still\nreferencing from the commit release path.\n\nCall rcu_barrier() to ensure pending rcu callbacks run to completion\nif the list of transactions to be destroyed is not empty.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: Fix use after free in red_enqueue()\n\nWe can't use \"skb\" again after passing it to qdisc_enqueue().  This is\nbasically identical to commit 2f09707d0c97 (\"sch_sfb: Also store skb\nlen before calling child enqueue\").",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()\n\nnfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb\nshould be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send()\nwill only free skb when i2c_master_send() return >=0, which means skb\nwill memleak when i2c_master_send() failed. Free skb no matter whether\ni2c_master_send() succeeds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nxp-nci: Fix potential memory leak in nxp_nci_send()\n\nnxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when\nnxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write()\nrun succeeds, the skb will not be freed in nxp_nci_i2c_write(). As a\nresult, the skb will memleak. nxp_nci_send() should also free the skb\nwhen nxp_nci_i2c_write() succeeds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fdp: Fix potential memory leak in fdp_nci_send()\n\nfdp_nci_send() will call fdp_nci_i2c_write that will not free skb in\nthe function. As a result, when fdp_nci_i2c_write() finished, the skb\nwill memleak. fdp_nci_send() should free skb after fdp_nci_i2c_write()\nfinished.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix null-ptr-deref in ib_core_cleanup()\n\nKASAN reported a null-ptr-deref error:\n\n  KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\n  CPU: 1 PID: 379\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  RIP: 0010:destroy_workqueue+0x2f/0x740\n  RSP: 0018:ffff888016137df8 EFLAGS: 00000202\n  ...\n  Call Trace:\n   ib_core_cleanup+0xa/0xa1 [ib_core]\n   __do_sys_delete_module.constprop.0+0x34f/0x5b0\n   do_syscall_64+0x3a/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x7fa1a0d221b7\n  ...\n\nIt is because the fail of roce_gid_mgmt_init() is ignored:\n\n ib_core_init()\n   roce_gid_mgmt_init()\n     gid_cache_wq = alloc_ordered_workqueue # fail\n ...\n ib_core_cleanup()\n   roce_gid_mgmt_cleanup()\n     destroy_workqueue(gid_cache_wq)\n     # destroy an unallocated wq\n\nFix this by catching the fail of roce_gid_mgmt_init() in ib_core_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: Fix possible memory leaks in dsa_loop_init()\n\nkmemleak reported memory leaks in dsa_loop_init():\n\nkmemleak: 12 new suspected memory leaks\n\nunreferenced object 0xffff8880138ce000 (size 2048):\n  comm \"modprobe\", pid 390, jiffies 4295040478 (age 238.976s)\n  backtrace:\n    [<000000006a94f1d5>] kmalloc_trace+0x26/0x60\n    [<00000000a9c44622>] phy_device_create+0x5d/0x970\n    [<00000000d0ee2afc>] get_phy_device+0xf3/0x2b0\n    [<00000000dca0c71f>] __fixed_phy_register.part.0+0x92/0x4e0\n    [<000000008a834798>] fixed_phy_register+0x84/0xb0\n    [<0000000055223fcb>] dsa_loop_init+0xa9/0x116 [dsa_loop]\n    ...\n\nThere are two reasons for the memleak in dsa_loop_init().\n\nFirst, fixed_phy_register() creates and registers a phy_device:\n\nfixed_phy_register()\n  get_phy_device()\n    phy_device_create() # freed by phy_device_free()\n  phy_device_register() # freed by phy_device_remove()\n\nBut fixed_phy_unregister() only calls phy_device_remove().\nSo the memory allocated in phy_device_create() is leaked.\n\nSecond, when mdio_driver_register() fails in dsa_loop_init(),\nit just returns and there is no cleanup for phydevs.\n\nFix the problems by catching the error of mdio_driver_register()\nin dsa_loop_init(), then calling both fixed_phy_unregister() and\nphy_device_free() to release phydevs.\nAlso add a function for phydevs cleanup to avoid duplication.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4: Fix kmemleak when allocate slot failed\n\nIf one of the slot allocations fails, all the other\nallocated slots should be cleaned up, otherwise the allocated slots will leak:\n\n  unreferenced object 0xffff8881115aa100 (size 64):\n    comm \"\"mount.nfs\"\", pid 679, jiffies 4294744957 (age 115.037s)\n    hex dump (first 32 bytes):\n      00 cc 19 73 81 88 ff ff 00 a0 5a 11 81 88 ff ff  ...s......Z.....\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<000000007a4c434a>] nfs4_find_or_create_slot+0x8e/0x130\n      [<000000005472a39c>] nfs4_realloc_slot_table+0x23f/0x270\n      [<00000000cd8ca0eb>] nfs40_init_client+0x4a/0x90\n      [<00000000128486db>] nfs4_init_client+0xce/0x270\n      [<000000008d2cacad>] nfs4_set_client+0x1a2/0x2b0\n      [<000000000e593b52>] nfs4_create_server+0x300/0x5f0\n      [<00000000e4425dd2>] nfs4_try_get_tree+0x65/0x110\n      [<00000000d3a6176f>] vfs_get_tree+0x41/0xf0\n      [<0000000016b5ad4c>] path_mount+0x9b3/0xdd0\n      [<00000000494cae71>] __x64_sys_mount+0x190/0x1d0\n      [<000000005d56bdec>] do_syscall_64+0x35/0x80\n      [<00000000687c9ae4>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix null-ptr-deref when xps sysfs alloc failed\n\nThere is a null-ptr-deref when the xps sysfs alloc fails:\n  BUG: KASAN: null-ptr-deref in sysfs_do_create_link_sd+0x40/0xd0\n  Read of size 8 at addr 0000000000000030 by task gssproxy/457\n\n  CPU: 5 PID: 457 Comm: gssproxy Not tainted 6.0.0-09040-g02357b27ee03 #9\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   kasan_report+0xa3/0x120\n   sysfs_do_create_link_sd+0x40/0xd0\n   rpc_sysfs_client_setup+0x161/0x1b0\n   rpc_new_client+0x3fc/0x6e0\n   rpc_create_xprt+0x71/0x220\n   rpc_create+0x1d4/0x350\n   gssp_rpc_create+0xc3/0x160\n   set_gssp_clnt+0xbc/0x140\n   write_gssp+0x116/0x1a0\n   proc_reg_write+0xd6/0x130\n   vfs_write+0x177/0x690\n   ksys_write+0xb9/0x150\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nWhen the xprt_switch sysfs alloc fails, xprt and switch sysfs should not\nbe added to it, otherwise a null-ptr-deref may occur; also initialize\nthe 'xps_sysfs' to NULL to avoid an oops when destroying it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr leak in RESPST_ERR_RNR\n\nrxe_recheck_mr() will increase mr's ref_cnt, so we should call rxe_put(mr)\nto drop mr's ref_cnt in RESPST_ERR_RNR to avoid below warning:\n\n  WARNING: CPU: 0 PID: 4156 at drivers/infiniband/sw/rxe/rxe_pool.c:259 __rxe_cleanup+0x1df/0x240 [rdma_rxe]\n...\n  Call Trace:\n   rxe_dereg_mr+0x4c/0x60 [rdma_rxe]\n   ib_dereg_mr_user+0xa8/0x200 [ib_core]\n   ib_mr_pool_destroy+0x77/0xb0 [ib_core]\n   nvme_rdma_destroy_queue_ib+0x89/0x240 [nvme_rdma]\n   nvme_rdma_free_queue+0x40/0x50 [nvme_rdma]\n   nvme_rdma_teardown_io_queues.part.0+0xc3/0x120 [nvme_rdma]\n   nvme_rdma_error_recovery_work+0x4d/0xf0 [nvme_rdma]\n   process_one_work+0x582/0xa40\n   ? pwq_dec_nr_in_flight+0x100/0x100\n   ? rwlock_bug.part.0+0x60/0x60\n   worker_thread+0x2a9/0x700\n   ? process_one_work+0xa40/0xa40\n   kthread+0x168/0x1a0\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix NULL pointer problem in free_mr_init()\n\nLock grab occurs in a concurrent scenario, resulting in stepping on a NULL\npointer.  mutex_init() should be called first, before the lock is used.\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  Call trace:\n   __mutex_lock.constprop.0+0xd0/0x5c0\n   __mutex_lock_slowpath+0x1c/0x2c\n   mutex_lock+0x44/0x50\n   free_mr_send_cmd_to_hw+0x7c/0x1c0 [hns_roce_hw_v2]\n   hns_roce_v2_dereg_mr+0x30/0x40 [hns_roce_hw_v2]\n   hns_roce_dereg_mr+0x4c/0x130 [hns_roce_hw_v2]\n   ib_dereg_mr_user+0x54/0x124\n   uverbs_free_mr+0x24/0x30\n   destroy_hw_idr_uobject+0x38/0x74\n   uverbs_destroy_uobject+0x48/0x1c4\n   uobj_destroy+0x74/0xcc\n   ib_uverbs_cmd_verbs+0x368/0xbb0\n   ib_uverbs_ioctl+0xec/0x1a4\n   __arm64_sys_ioctl+0xb4/0x100\n   invoke_syscall+0x50/0x120\n   el0_svc_common.constprop.0+0x58/0x190\n   do_el0_svc+0x30/0x90\n   el0_svc+0x2c/0xb4\n   el0t_64_sync_handler+0x1a4/0x1b0\n   el0t_64_sync+0x19c/0x1a0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Correctly move list in sc_disable()\n\nCommit 13bac861952a (\"IB/hfi1: Fix abba locking issue with sc_disable()\")\nincorrectly tries to move a list from one list head to another.  The\nresult is a kernel crash.\n\nThe crash is triggered when a link goes down and there are waiters for a\nsend to complete.  The following signature is seen:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000030\n  [...]\n  Call Trace:\n   sc_disable+0x1ba/0x240 [hfi1]\n   pio_freeze+0x3d/0x60 [hfi1]\n   handle_freeze+0x27/0x1b0 [hfi1]\n   process_one_work+0x1b0/0x380\n   ? process_one_work+0x380/0x380\n   worker_thread+0x30/0x360\n   ? process_one_work+0x380/0x380\n   kthread+0xd7/0x100\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x1f/0x30\n\nThe fix is to use the correct call to move the list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-49932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace\n\nCall kvm_init() only after _all_ setup is complete, as kvm_init() exposes\n/dev/kvm to userspace and thus allows userspace to create VMs (and call\nother ioctls).  E.g. KVM will encounter a NULL pointer when attempting to\nadd a vCPU to the per-CPU loaded_vmcss_on_cpu list if userspace is able to\ncreate a VM before vmx_init() configures said list.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP\n CPU: 6 PID: 1143 Comm: stable Not tainted 6.0.0-rc7+ #988\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:vmx_vcpu_load_vmcs+0x68/0x230 [kvm_intel]\n  <TASK>\n  vmx_vcpu_load+0x16/0x60 [kvm_intel]\n  kvm_arch_vcpu_load+0x32/0x1f0 [kvm]\n  vcpu_load+0x2f/0x40 [kvm]\n  kvm_arch_vcpu_create+0x231/0x310 [kvm]\n  kvm_vm_ioctl+0x79f/0xe10 [kvm]\n  ? handle_mm_fault+0xb1/0x220\n  __x64_sys_ioctl+0x80/0xb0\n  do_syscall_64+0x2b/0x50\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7f5a6b05743b\n  </TASK>\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel(+) kvm irqbypass",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-49934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix UAF in ieee80211_scan_rx()\n\nieee80211_scan_rx() tries to access scan_req->flags after a\nnull check, but a UAF is observed when the scan is completed\nand __ieee80211_scan_completed() executes, which then calls\ncfg80211_scan_done() leading to the freeing of scan_req.\n\nSince scan_req is rcu_dereference()'d, prevent the racing in\n__ieee80211_scan_completed() by ensuring that from mac80211's\nPOV it is no longer accessed from an RCU read critical section\nbefore we call cfg80211_scan_done().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/dma-resv: check if the new fence is really later\n\nPreviously when we added a fence to a dma_resv object we always\nassumed it was newer than all the existing fences.\n\nWith Jason's work to add a UAPI to explicitly export/import that's not\nnecessarily the case any more. So without this check we would allow\nuserspace to force the kernel into a use after free error.\n\nSince the change is very small and defensive it's probably a good\nidea to backport this to stable kernels as well just in case others\nare using the dma_resv object in the same way.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Prevent nested device-reset calls\n\nAutomatic kernel fuzzing revealed a recursive locking violation in\nusb-storage:\n\n============================================\nWARNING: possible recursive locking detected\n5.18.0 #3 Not tainted\n--------------------------------------------\nkworker/1:3/1205 is trying to acquire lock:\nffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at:\nusb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230\n\nbut task is already holding lock:\nffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at:\nusb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230\n\n...\n\nstack backtrace:\nCPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_deadlock_bug kernel/locking/lockdep.c:2988 [inline]\ncheck_deadlock kernel/locking/lockdep.c:3031 [inline]\nvalidate_chain kernel/locking/lockdep.c:3816 [inline]\n__lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053\nlock_acquire kernel/locking/lockdep.c:5665 [inline]\nlock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630\n__mutex_lock_common kernel/locking/mutex.c:603 [inline]\n__mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747\nusb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230\nusb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109\nr871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622\nusb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458\ndevice_remove drivers/base/dd.c:545 [inline]\ndevice_remove+0x11f/0x170 drivers/base/dd.c:537\n__device_release_driver drivers/base/dd.c:1222 [inline]\ndevice_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248\nusb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627\nusb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118\nusb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114\n\nThis turned out not to be an error in usb-storage but rather a nested\ndevice reset attempt.  That is, as the rtl8712 driver was being\nunbound from a composite device in preparation for an unrelated USB\nreset (that driver does not have pre_reset or post_reset callbacks),\nits ->remove routine called usb_reset_device() -- thus nesting one\nreset call within another.\n\nPerforming a reset as part of disconnect processing is a questionable\npractice at best.  However, the bug report points out that the USB\ncore does not have any protection against nested resets.  Adding a\nreset_in_progress flag and testing it will prevent such errors in the\nfuture.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mceusb: Use new usb_control_msg_*() routines\n\nAutomatic kernel fuzzing led to a WARN about invalid pipe direction in\nthe mceusb driver:\n\n------------[ cut here ]------------\nusb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40\nWARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410\nusb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410\nCode: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8\n44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b\ne9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41\nRSP: 0018:ffffc900032becf0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000\nRDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90\nRBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000\nR10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000\nR13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500\nFS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0\nCall Trace:\n<TASK>\nusb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58\nusb_internal_control_msg drivers/usb/core/message.c:102 [inline]\nusb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153\nmceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline]\nmceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807\n\nThe reason for the warning is clear enough; the driver sends an\nunusual read request on endpoint 0 but does not set the 
USB_DIR_IN bit\nin the bRequestType field.\n\nMore importantly, the whole situation can be avoided and the driver\nsimplified by converting it over to the relatively new\nusb_control_msg_recv() and usb_control_msg_send() routines.  That's\nwhat this fix does.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix small mempool leak in SMB2_negotiate()\n\nIn some cases of failure (dialect mismatches) in SMB2_negotiate(), after\nthe request is sent, the checks would return -EIO when they should be\nrather setting rc = -EIO and jumping to neg_exit to free the response\nbuffer from mempool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF of ref->proc caused by race condition\n\nA transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the\nreference for a node. In this case, the target proc normally releases\nthe failed reference upon close as expected. However, if the target is\ndying in parallel the call will race with binder_deferred_release(), so\nthe target could have released all of its references by now leaving the\ncleanup of the new failed reference unhandled.\n\nThe transaction then ends and the target proc gets released making the\nref->proc now a dangling pointer. Later on, ref->node is closed and we\nattempt to take spin_lock(&ref->proc->inner_lock), which leads to the\nuse-after-free bug reported below. Let's fix this by cleaning up the\nfailed reference on the spot instead of relying on the target to do so.\n\n  ==================================================================\n  BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150\n  Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590\n\n  CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   dump_backtrace.part.0+0x1d0/0x1e0\n   show_stack+0x18/0x70\n   dump_stack_lvl+0x68/0x84\n   print_report+0x2e4/0x61c\n   kasan_report+0xa4/0x110\n   kasan_check_range+0xfc/0x1a4\n   __kasan_check_write+0x3c/0x50\n   _raw_spin_lock+0xa8/0x150\n   binder_deferred_func+0x5e0/0x9b0\n   process_one_work+0x38c/0x5f0\n   worker_thread+0x9c/0x694\n   kthread+0x188/0x190\n   ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()\n\nA null pointer dereference can happen when attempting to access the\n\"gsm->receive()\" function in gsmld_receive_buf(). Currently, the code\nassumes that gsm->receive is only called after MUX activation.\nSince the gsmld_receive_buf() function can be accessed without the need to\ninitialize the MUX, the gsm->receive() function will not be set and a\nNULL pointer dereference will occur.\n\nFix this by avoiding the call to \"gsm->receive()\" in case the function is\nnot initialized by adding a sanity check.\n\nCall Trace:\n <TASK>\n gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861\n tiocsti drivers/tty/tty_io.c:2293 [inline]\n tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49940",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.8"
        },
        {
          "id": "CVE-2022-49942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected\n\nWhen we are not connected to a channel, sending channel \"switch\"\nannouncement doesn't make any sense.\n\nThe BSS list is empty in that case. This causes the for loop in\ncfg80211_get_bss() to be bypassed, so the function returns NULL\n(check line 1424 of net/wireless/scan.c), causing the WARN_ON()\nin ieee80211_ibss_csa_beacon() to get triggered (check line 500\nof net/mac80211/ibss.c), which was consequently reported on the\nsyzkaller dashboard.\n\nThus, check if we have an existing connection before generating\nthe CSA beacon in ieee80211_ibss_finish_csa().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation.  In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 (kn->active#4){++++}-{0:0}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __kernfs_remove+0x268/0x380\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kernfs_remove_by_name_ns+0x58/0xac\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sysfs_remove_file_ns+0x18/0x24\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 device_del+0x15c/0x440\n\n-> #2 (device_links_lock){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 device_link_remove+0x3c/0xa0\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 _regulator_put.part.0+0x168/0x190\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_put+0x3c/0x54\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 devm_regulator_release+0x14/0x20\n\n-> #1 (regulator_list_mutex){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_lock_dependent+0x54/0x284\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_enable+0x34/0x80\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 phy_power_on+0x24/0x130\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __dwc2_lowlevel_hw_enable+0x100/0x130\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dwc2_lowlevel_hw_enable+0x18/0x40\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dwc2_hsotg_udc_start+0x6c/0x2f0\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 gadget_bind_driver+0x124/0x1f4\n\n-> #0 (udc_lock){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __lock_acquire+0x1298/0x20cc\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire.part.0+0xe0/0x230\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc->driver along with a few other\nthings.  As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's ->bind or ->unbind\nroutine, or while a UDC is being started or stopped.  (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers' ->disconnect callbacks are problematic.  Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the ->bind callback is invoked.  If a disconnect occurred\nduring that window, we could call the driver's ->disconnect routine\nbefore its ->bind routine.  To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver.  
This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this.  Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc->driver at arbitrary times since it is a\nsysfs callback.  The solution here is to acquire the gadget's device\nlock rather than the udc_mutex.  Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc->driver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc->driver.  The missing lock and\nunlock calls are added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49943",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.8"
        },
        {
          "id": "CVE-2022-49944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"usb: typec: ucsi: add a common function ucsi_unregister_connectors()\"\n\nThe recent commit 87d0e2f41b8c (\"usb: typec: ucsi: add a common\nfunction ucsi_unregister_connectors()\") introduced a regression that\ncaused NULL dereference at reading the power supply sysfs.  It's a\nstale sysfs entry that should have been removed but remains with NULL\nops.  The commit changed the error handling to skip the entries after\na NULL con->wq, and this leaves the power device unreleased.\n\nFor addressing the regression, the straight revert is applied here.\nFurther code improvements can be done from scratch again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (gpio-fan) Fix array out of bounds access\n\nThe driver does not check if the cooling state passed to\ngpio_fan_set_cur_state() exceeds the maximum cooling state as\nstored in fan_data->num_speeds. Since the cooling state is later\nused as an array index in set_fan_speed(), an array out of bounds\naccess can occur.\nThis can be exploited by setting the state of the thermal cooling device\nto arbitrary values, causing for example a kernel oops when unavailable\nmemory is accessed this way.\n\nExample kernel oops:\n[  807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064\n[  807.987369] Mem abort info:\n[  807.987398]   ESR = 0x96000005\n[  807.987428]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  807.987477]   SET = 0, FnV = 0\n[  807.987507]   EA = 0, S1PTW = 0\n[  807.987536]   FSC = 0x05: level 1 translation fault\n[  807.987570] Data abort info:\n[  807.987763]   ISV = 0, ISS = 0x00000005\n[  807.987801]   CM = 0, WnR = 0\n[  807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000\n[  807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP\n[  807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  
807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G         C        5.15.56-v8+ #1575\n[  807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]\n[  807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]\n[  807.988691] sp : ffffffc008cf3bd0\n[  807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000\n[  807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920\n[  807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c\n[  807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000\n[  807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70\n[  807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c\n[  807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009\n[  807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8\n[  807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060\n[  807.989084] Call trace:\n[  807.989091]  set_fan_speed.part.5+0x34/0x80 [gpio_fan]\n[  807.989113]  gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]\n[  807.989199]  cur_state_store+0x84/0xd0\n[  807.989221]  dev_attr_store+0x20/0x38\n[  807.989262]  sysfs_kf_write+0x4c/0x60\n[  807.989282]  kernfs_fop_write_iter+0x130/0x1c0\n[  807.989298]  new_sync_write+0x10c/0x190\n[  807.989315]  vfs_write+0x254/0x378\n[  807.989362]  ksys_write+0x70/0xf8\n[  807.989379]  __arm64_sys_write+0x24/0x30\n[  807.989424]  invoke_syscall+0x4c/0x110\n[  807.989442]  el0_svc_common.constprop.3+0xfc/0x120\n[  807.989458]  do_el0_svc+0x2c/0x90\n[  807.989473]  el0_svc+0x24/0x60\n[  807.989544]  el0t_64_sync_handler+0x90/0xb8\n[  807.989558]  el0t_64_sync+0x1a0/0x1a4\n[  807.989579] Code: 
b9403801 f9402800 7100003f 8b35cc00 (b9400416)\n[  807.989627] ---[ end t\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Prevent out-of-bounds access\n\nThe while loop in raspberrypi_discover_clocks() relies on the assumption\nthat the id of the last clock element is zero. Because this data comes\nfrom the Videocore firmware and it doesn't guarantee such a behavior\nthis could lead to out-of-bounds access. So fix this by providing\na sentinel element.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix alloc->vma_vm_mm null-ptr dereference\n\nSyzbot reported a couple issues introduced by commit 44e602b4e52f\n(\"binder_alloc: add missing mmap_lock calls when using the VMA\"), in\nwhich we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not\nbeen initialized yet.\n\nThis can happen if a binder_proc receives a transaction without having\npreviously called mmap() to setup the binder_proc->alloc space in [1].\nAlso, a similar issue occurs via binder_alloc_print_pages() when we try\nto dump the debugfs binder stats file in [2].\n\nSample of syzbot's crash report:\n  ==================================================================\n  KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\n  CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0\n  syz-executor229[3755] cmdline: ./syz-executor2294415195\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022\n  RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923\n  [...]\n  Call Trace:\n   <TASK>\n   lock_acquire kernel/locking/lockdep.c:5666 [inline]\n   lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n   down_read+0x98/0x450 kernel/locking/rwsem.c:1499\n   mmap_read_lock include/linux/mmap_lock.h:117 [inline]\n   binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline]\n   binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593\n   binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199\n   binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986\n   binder_ioctl_write_read drivers/android/binder.c:5036 [inline]\n   binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856\n   do_syscall_x64 
arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   [...]\n  ==================================================================\n\nFix these issues by setting up alloc->vma_vm_mm pointer during open()\nand caching directly from current->mm. This guarantees we have a valid\nreference to take the mmap_lock during scenarios described above.\n\n[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459\n[2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49947",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.8"
        },
        {
          "id": "CVE-2022-49948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: Clear selection before changing the font\n\nWhen changing the console font with ioctl(KDFONTOP) the new font size\ncan be bigger than the previous font. A previous selection may thus now\nbe outside of the new screen size and thus trigger out-of-bounds\naccesses to graphics memory if the selection is removed in\nvc_do_resize().\n\nPrevent such out-of-memory accesses by dropping the selection before the\nvarious con_font_set() console handlers are called.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Fix memory leak in firmware upload\n\nIn the case of firmware-upload, an instance of struct fw_upload is\nallocated in firmware_upload_register(). This data needs to be freed\nin fw_dev_release(). Create a new fw_upload_free() function in\nsysfs_upload.c to handle the firmware-upload specific memory frees\nand incorporate the missing kfree call for the fw_upload structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix memory corruption on open\n\nThe probe session-duplication overflow check incremented the session\ncount also when there were no more available sessions so that memory\nbeyond the fixed-size slab-allocated session array could be corrupted in\nfastrpc_session_alloc() on open().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Fix use-after-free during unregister\n\nIn the following code within firmware_upload_unregister(), the call to\ndevice_unregister() could result in the dev_release function freeing the\nfw_upload_priv structure before it is dereferenced for the call to\nmodule_put(). This bug was found by the kernel test robot using\nCONFIG_KASAN while running the firmware selftests.\n\n  device_unregister(&fw_sysfs->dev);\n  module_put(fw_upload_priv->module);\n\nThe problem is fixed by copying fw_upload_priv->module to a local variable\nfor use when calling device_unregister().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix memory corruption on probe\n\nAdd the missing sanity check on the probed-session count to avoid\ncorrupting memory beyond the fixed-size slab-allocated session array\nwhen there are more than FASTRPC_MAX_SESSIONS sessions defined in the\ndevicetree.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: cm3605: Fix an error handling path in cm3605_probe()\n\nThe commit in Fixes also introduced a new error handling path which should\ngoto the existing error handling path.\nOtherwise some resources leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag\n\nsyzbot is reporting hung task at __input_unregister_device() [1], for\niforce_close() waiting at wait_event_interruptible() with dev->mutex held\nis blocking input_disconnect_device() from __input_unregister_device().\n\nIt seems that the cause is simply that commit c2b27ef672992a20 (\"Input:\niforce - wait for command completion when closing the device\") forgot to\ncall wake_up() after clear_bit().\n\nFix this problem by introducing a helper that calls clear_bit() followed\nby wake_up_all().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: Fix RTAS MSR[HV] handling for Cell\n\nThe semi-recent changes to MSR handling when entering RTAS (firmware)\ncause crashes on IBM Cell machines. An example trace:\n\n  kernel tried to execute user page (2fff01a8) - exploit attempt? (uid: 0)\n  BUG: Unable to handle kernel instruction fetch\n  Faulting instruction address: 0x2fff01a8\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  BE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=4 NUMA Cell\n  Modules linked in:\n  CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W          6.0.0-rc2-00433-gede0a8d3307a #207\n  NIP:  000000002fff01a8 LR: 0000000000032608 CTR: 0000000000000000\n  REGS: c0000000015236b0 TRAP: 0400   Tainted: G        W           (6.0.0-rc2-00433-gede0a8d3307a)\n  MSR:  0000000008001002 <ME,RI>  CR: 00000000  XER: 20000000\n  ...\n  NIP 0x2fff01a8\n  LR  0x32608\n  Call Trace:\n    0xc00000000143c5f8 (unreliable)\n    .rtas_call+0x224/0x320\n    .rtas_get_boot_time+0x70/0x150\n    .read_persistent_clock64+0x114/0x140\n    .read_persistent_wall_and_boot_offset+0x24/0x80\n    .timekeeping_init+0x40/0x29c\n    .start_kernel+0x674/0x8f0\n    start_here_common+0x1c/0x50\n\nUnlike PAPR platforms where RTAS is only used in guests, on the IBM Cell\nmachines Linux runs with MSR[HV] set but also uses RTAS, provided by\nSLOF.\n\nFix it by copying the MSR[HV] bit from the MSR value we've just read\nusing mfmsr into the value used for RTAS.\n\nIt seems like we could also fix it using an #ifdef CELL to set MSR[HV],\nbut that doesn't work because it's possible to build a single kernel\nimage that runs on both Cell native and pseries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8712: fix use after free bugs\n\n_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()\nfunctions don't do anything except free the \"pcmd\" pointer.  It\nresults in a use after free.  Delete them.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: fix strp_init() order and cleanup\n\nstrp_init() is called just a few lines above this csk->sk_user_data\ncheck, it also initializes strp->work etc., therefore, it is\nunnecessary to call strp_done() to cancel the freshly initialized\nwork.\n\nAnd if sk_user_data is already used by KCM, psock->strp should not be\ntouched, particularly strp->work state, so we need to move strp_init()\nafter the csk->sk_user_data check.\n\nThis also makes a lockdep warning reported by syzbot go away.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix netdevice reference leaks in attach_default_qdiscs()\n\nIn attach_default_qdiscs(), if a dev has multiple queues and queue 0 fails\nto attach qdisc because there is no memory in attach_one_default_qdisc().\nThen dev->qdisc will be noop_qdisc by default. But the other queues may be\nable to successfully attach to default qdisc.\n\nIn this case, the fallback to noqueue process will be triggered. If the\noriginal attached qdisc is not released and a new one is directly\nattached, this will cause netdevice reference leaks.\n\nThe following is the bug log:\n\nveth0: default qdisc (fq_codel) fail, fallback to noqueue\nunregister_netdevice: waiting for veth0 to become free. Usage count = 32\nleaked reference.\n qdisc_alloc+0x12e/0x210\n qdisc_create_dflt+0x62/0x140\n attach_one_default_qdisc.constprop.41+0x44/0x70\n dev_activate+0x128/0x290\n __dev_open+0x12a/0x190\n __dev_change_flags+0x1a2/0x1f0\n dev_change_flags+0x23/0x60\n do_setlink+0x332/0x1150\n __rtnl_newlink+0x52f/0x8e0\n rtnl_newlink+0x43/0x70\n rtnetlink_rcv_msg+0x140/0x3b0\n netlink_rcv_skb+0x50/0x100\n netlink_unicast+0x1bb/0x290\n netlink_sendmsg+0x37c/0x4e0\n sock_sendmsg+0x5f/0x70\n ____sys_sendmsg+0x208/0x280\n\nFix this bug by clearing any non-noop qdiscs that may have been assigned\nbefore trying to re-attach.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix memory leak at failed datapath creation\n\novs_dp_cmd_new()->ovs_dp_change()->ovs_dp_set_upcall_portids()\nallocates array via kmalloc.\nIf for some reason new_vport() fails during ovs_dp_cmd_new()\ndp->upcall_portids must be freed.\nAdd missing kfree.\n\nKmemleak example:\nunreferenced object 0xffff88800c382500 (size 64):\n  comm \"dump_state\", pid 323, jiffies 4294955418 (age 104.347s)\n  hex dump (first 32 bytes):\n    5e c2 79 e4 1f 7a 38 c7 09 21 38 0c 80 88 ff ff  ^.y..z8..!8.....\n    03 00 00 00 0a 00 00 00 14 00 00 00 28 00 00 00  ............(...\n  backtrace:\n    [<0000000071bebc9f>] ovs_dp_set_upcall_portids+0x38/0xa0\n    [<000000000187d8bd>] ovs_dp_change+0x63/0xe0\n    [<000000002397e446>] ovs_dp_cmd_new+0x1f0/0x380\n    [<00000000aa06f36e>] genl_family_rcv_msg_doit+0xea/0x150\n    [<000000008f583bc4>] genl_rcv_msg+0xdc/0x1e0\n    [<00000000fa10e377>] netlink_rcv_skb+0x50/0x100\n    [<000000004959cece>] genl_rcv+0x24/0x40\n    [<000000004699ac7f>] netlink_unicast+0x23e/0x360\n    [<00000000c153573e>] netlink_sendmsg+0x24e/0x4b0\n    [<000000006f4aa380>] sock_sendmsg+0x62/0x70\n    [<00000000d0068654>] ____sys_sendmsg+0x230/0x270\n    [<0000000012dacf7d>] ___sys_sendmsg+0x88/0xd0\n    [<0000000011776020>] __sys_sendmsg+0x59/0xa0\n    [<000000002e8f2dc1>] do_syscall_64+0x3b/0x90\n    [<000000003243e7cb>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: fix null pointer dereference\n\nAsus chromebook CX550 crashes during boot on v5.17-rc1 kernel.\nThe root cause is null pointer defeference of bi_next\nin tgl_get_bw_info() in drivers/gpu/drm/i915/display/intel_bw.c.\n\nBUG: kernel NULL pointer dereference, address: 000000000000002e\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 1 Comm: swapper/0 Tainted: G     U            5.17.0-rc1\nHardware name: Google Delbin/Delbin, BIOS Google_Delbin.13672.156.3 05/14/2021\nRIP: 0010:tgl_get_bw_info+0x2de/0x510\n...\n[    2.554467] Call Trace:\n[    2.554467]  <TASK>\n[    2.554467]  intel_bw_init_hw+0x14a/0x434\n[    2.554467]  ? _printk+0x59/0x73\n[    2.554467]  ? _dev_err+0x77/0x91\n[    2.554467]  i915_driver_hw_probe+0x329/0x33e\n[    2.554467]  i915_driver_probe+0x4c8/0x638\n[    2.554467]  i915_pci_probe+0xf8/0x14e\n[    2.554467]  ? _raw_spin_unlock_irqrestore+0x12/0x2c\n[    2.554467]  pci_device_probe+0xaa/0x142\n[    2.554467]  really_probe+0x13f/0x2f4\n[    2.554467]  __driver_probe_device+0x9e/0xd3\n[    2.554467]  driver_probe_device+0x24/0x7c\n[    2.554467]  __driver_attach+0xba/0xcf\n[    2.554467]  ? driver_attach+0x1f/0x1f\n[    2.554467]  bus_for_each_dev+0x8c/0xc0\n[    2.554467]  bus_add_driver+0x11b/0x1f7\n[    2.554467]  driver_register+0x60/0xea\n[    2.554467]  ? mipi_dsi_bus_init+0x16/0x16\n[    2.554467]  i915_init+0x2c/0xb9\n[    2.554467]  ? mipi_dsi_bus_init+0x16/0x16\n[    2.554467]  do_one_initcall+0x12e/0x2b3\n[    2.554467]  do_initcall_level+0xd6/0xf3\n[    2.554467]  do_initcalls+0x4e/0x79\n[    2.554467]  kernel_init_freeable+0xed/0x14d\n[    2.554467]  ? rest_init+0xc1/0xc1\n[    2.554467]  kernel_init+0x1a/0x120\n[    2.554467]  ret_from_fork+0x1f/0x30\n[    2.554467]  </TASK>\n...\nKernel panic - not syncing: Fatal exception\n\n(cherry picked from commit c247cd03898c4c43c3bce6d4014730403bc13032)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO\n\nPrecision markers need to be propagated whenever we have an ARG_CONST_*\nstyle argument, as the verifier cannot consider imprecise scalars to be\nequivalent for the purposes of states_equal check when such arguments\nrefine the return value (in this case, set mem_size for PTR_TO_MEM). The\nresultant mem_size for the R0 is derived from the constant value, and if\nthe verifier incorrectly prunes states considering them equivalent where\nsuch arguments exist (by seeing that both registers have reg->precise as\nfalse in regsafe), we can end up with invalid programs passing the\nverifier which can do access beyond what should have been the correct\nmem_size in that explored state.\n\nTo show a concrete example of the problem:\n\n0000000000000000 <prog>:\n       0:       r2 = *(u32 *)(r1 + 80)\n       1:       r1 = *(u32 *)(r1 + 76)\n       2:       r3 = r1\n       3:       r3 += 4\n       4:       if r3 > r2 goto +18 <LBB5_5>\n       5:       w2 = 0\n       6:       *(u32 *)(r1 + 0) = r2\n       7:       r1 = *(u32 *)(r1 + 0)\n       8:       r2 = 1\n       9:       if w1 == 0 goto +1 <LBB5_3>\n      10:       r2 = -1\n\n0000000000000058 <LBB5_3>:\n      11:       r1 = 0 ll\n      13:       r3 = 0\n      14:       call bpf_ringbuf_reserve\n      15:       if r0 == 0 goto +7 <LBB5_5>\n      16:       r1 = r0\n      17:       r1 += 16777215\n      18:       w2 = 0\n      19:       *(u8 *)(r1 + 0) = r2\n      20:       r1 = r0\n      21:       r2 = 0\n      22:       call bpf_ringbuf_submit\n\n00000000000000b8 <LBB5_5>:\n      23:       w0 = 0\n      24:       exit\n\nFor the first case, the single line execution's exploration will prune\nthe search at insn 14 for the branch insn 9's second leg as it will be\nverified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will\nalways be 0 so at runtime we don't get error for being greater than\nUINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just\nsees reg->precise as false for both r2 registers in both states, hence\nconsiders them equal for purposes of states_equal.\n\nIf we propagated precise markers using the backtracking support, we\nwould use the precise marking to then ensure that old r2 (UINT_MAX) was\nwithin the new r2 (1) and this would never be true, so the verification\nwould rightfully fail.\n\nThe end result is that the out of bounds access at instruction 19 would\nbe permitted without this fix.\n\nNote that reg->precise is always set to true when user does not have\nCAP_BPF (or when subprog count is greater than 1 (i.e. use of any static\nor global functions)), hence this is only a problem when precision marks\nneed to be explicitly propagated (i.e. privileged users with CAP_BPF).\n\nA simplified test case has been included in the next patch to prevent\nfuture regressions.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference in remove if xHC has only one roothub\n\nThe remove path in xhci platform driver tries to remove and put both main\nand shared hcds even if only a main hcd exists (one roothub)\n\nThis causes a null pointer dereference in reboot for those controllers.\n\nCheck that the shared_hcd exists before trying to remove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/ttm: fix CCS handling\n\nCrucible + recent Mesa seems to sometimes hit:\n\nGEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER)\n\nAnd it looks like we can also trigger this with gem_lmem_swapping, if we\nmodify the test to use slightly larger object sizes.\n\nLooking closer it looks like we have the following issues in\nmigrate_copy():\n\n  - We are using plain integer in various places, which we can easily\n    overflow with a large object.\n\n  - We pass the entire object size (when the src is lmem) into\n    emit_pte() and then try to copy it, which doesn't work, since we\n    only have a few fixed sized windows in which to map the pages and\n    perform the copy. With an object > 8M we therefore aren't properly\n    copying the pages. And then with an object > 64M we trigger the\n    GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER).\n\nSo it looks like our copy handling for any object > 8M (which is our\nCHUNK_SZ) is currently broken on DG2.\n\nTestcase: igt@gem_lmem_swapping\n(cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level\n\nThough acpi_find_last_cache_level() always returned signed value and the\ndocument states it will return any errors caused by lack of a PPTT table,\nit never returned negative values before.\n\nCommit 0c80f9e165f8 (\"ACPI: PPTT: Leave the table mapped for the runtime usage\")\nhowever changed it by returning -ENOENT if no PPTT was found. The value\nreturned from acpi_find_last_cache_level() is then assigned to unsigned\nfw_level.\n\nIt will result in the number of cache leaves calculated incorrectly as\na huge value which will then cause the following warning from __alloc_pages\nas the order would be great than MAX_ORDER because of incorrect and huge\ncache leaves value.\n\n  |  WARNING: CPU: 0 PID: 1 at mm/page_alloc.c:5407 __alloc_pages+0x74/0x314\n  |  Modules linked in:\n  |  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-10393-g7c2a8d3ac4c0 #73\n  |  pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  |  pc : __alloc_pages+0x74/0x314\n  |  lr : alloc_pages+0xe8/0x318\n  |  Call trace:\n  |   __alloc_pages+0x74/0x314\n  |   alloc_pages+0xe8/0x318\n  |   kmalloc_order_trace+0x68/0x1dc\n  |   __kmalloc+0x240/0x338\n  |   detect_cache_attributes+0xe0/0x56c\n  |   update_siblings_masks+0x38/0x284\n  |   store_cpu_topology+0x78/0x84\n  |   smp_prepare_cpus+0x48/0x134\n  |   kernel_init_freeable+0xc4/0x14c\n  |   kernel_init+0x2c/0x1b4\n  |   ret_from_fork+0x10/0x20\n\nFix the same by changing fw_level to be signed integer and return the\nerror from init_cache_level() early in case of error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49964",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.7"
        },
        {
          "id": "CVE-2022-49965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: add missing ->fini_xxxx interfaces for some SMU13 asics\n\nWithout these, potential memory leak may be induced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: add missing ->fini_microcode interface for Sienna Cichlid\n\nTo avoid any potential memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a data-race around bpf_jit_limit.\n\nWhile reading bpf_jit_limit, it can be changed concurrently via sysctl,\nWRITE_ONCE() in __do_proc_doulongvec_minmax(). The size of bpf_jit_limit\nis long, so we need to add a paired READ_ONCE() to avoid load-tearing.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154/adf7242: defer destroy_workqueue call\n\nThere is a possible race condition (use-after-free) like below\n\n  (FREE)                     |  (USE)\n  adf7242_remove             |  adf7242_channel\n   cancel_delayed_work_sync  |\n    destroy_workqueue (1)    |   adf7242_cmd_rx\n                             |    mod_delayed_work (2)\n                             |\n\nThe root cause for this race is that the upper layer (ieee802154) is\nunaware of this detaching event and the function adf7242_channel can\nbe called without any checks.\n\nTo fix this, we can add a flag write at the beginning of adf7242_remove\nand add flag check in adf7242_channel. Or we can just defer the\ndestructive operation like other commit 3e0588c291d6 (\"hamradio: defer\nax25 kfree after unregister_netdev\") which let the\nieee802154_unregister_hw() to handle the synchronization. This patch\ntakes the second option.\n\nruns\")",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: clear optc underflow before turn off odm clock\n\n[Why]\nAfter ODM clock off, optc underflow bit will be kept there always and clear not work.\nWe need to clear that before clock off.\n\n[How]\nClear that if have when clock off.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cgroup: Fix kernel BUG in purge_effective_progs\n\nSyzkaller reported a triggered kernel BUG as follows:\n\n  ------------[ cut here ]------------\n  kernel BUG at kernel/bpf/cgroup.c:925!\n  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n  rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0\n  Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84\n  28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48\n  8b 0c5\n  RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246\n  RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578\n  RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040\n  R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000\n  R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00\n  FS:  00007f68213d2b80(0000) GS:ffff88813bc80000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0\n  Call Trace:\n   <TASK>\n   cgroup_bpf_prog_detach+0xcc/0x100\n   __sys_bpf+0x2273/0x2a00\n   __x64_sys_bpf+0x17/0x20\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x7f68214dbcb9\n  Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\n  f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n  f0 ff8\n  RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\n  RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9\n  RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009\n  RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003\n  R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20\n  R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0\n   </TASK>\n  Modules linked in:\n  ---[ end trace 0000000000000000 ]---\n\nRepetition steps:\n\nFor the following cgroup tree,\n\n  root\n   |\n  cg1\n   |\n  cg2\n\n  1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs\n     attach type is NONE or OVERRIDE.\n  2. write 1 to /proc/thread-self/fail-nth for failslab.\n  3. detach prog1 for cg1, and then kernel BUG occur.\n\nFailslab injection will cause kmalloc fail and fall back to\npurge_effective_progs. The problem is that cg2 have attached another prog,\nso when go through cg2 layer, iteration will add pos to 1, and subsequent\noperations will be skipped by the following condition, and cg will meet\nNULL in the end.\n\n  `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))`\n\nThe NULL cg means no link or prog match, this is as expected, and it's not\na bug. So here just skip the no match situation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49970",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.8"
        },
        {
          "id": "CVE-2022-49971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix a potential gpu_metrics_table memory leak\n\nMemory is allocated for gpu_metrics_table in\nsmu_v13_0_4_init_smc_tables(), but not freed in\nsmu_v13_0_4_fini_smc_tables(). This may cause memory leaks, fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix corrupted packets for XDP_SHARED_UMEM\n\nFix an issue in XDP_SHARED_UMEM mode together with aligned mode where\npackets are corrupted for the second and any further sockets bound to\nthe same umem. In other words, this does not affect the first socket\nbound to the umem. The culprit for this bug is that the initialization\nof the DMA addresses for the pre-populated xsk buffer pool entries was\nnot performed for any socket but the first one bound to the umem. Only\nthe linear array of DMA addresses was populated. Fix this by populating\nthe DMA addresses in the xsk buffer pool for every socket bound to the\nsame umem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Fix wrong last sg check in sk_msg_recvmsg()\n\nFix one kernel NULL pointer dereference as below:\n\n[  224.462334] Call Trace:\n[  224.462394]  __tcp_bpf_recvmsg+0xd3/0x380\n[  224.462441]  ? sock_has_perm+0x78/0xa0\n[  224.462463]  tcp_bpf_recvmsg+0x12e/0x220\n[  224.462494]  inet_recvmsg+0x5b/0xd0\n[  224.462534]  __sys_recvfrom+0xc8/0x130\n[  224.462574]  ? syscall_trace_enter+0x1df/0x2e0\n[  224.462606]  ? __do_page_fault+0x2de/0x500\n[  224.462635]  __x64_sys_recvfrom+0x24/0x30\n[  224.462660]  do_syscall_64+0x5d/0x1d0\n[  224.462709]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nIn commit 9974d37ea75f (\"skmsg: Fix invalid last sg check in\nsk_msg_recvmsg()\"), we change last sg check to sg_is_last(),\nbut in sockmap redirection case (without stream_parser/stream_verdict/\nskb_verdict), we did not mark the end of the scatterlist. Check the\nsk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all\ndo not mark the end of sg. They are expected to use sg.end for end\njudgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49973",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.8"
        },
        {
          "id": "CVE-2022-49974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nintendo: fix rumble worker null pointer deref\n\nWe can dereference a null pointer trying to queue work to a destroyed\nworkqueue.\n\nIf the device is disconnected, nintendo_hid_remove is called, in which\nthe rumble_queue is destroyed. Avoid using that queue to defer rumble\nwork once the controller state is set to JOYCON_CTLR_STATE_REMOVED.\n\nThis eliminates the null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don't redirect packets with invalid pkt_len\n\nSyzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any\nskbs, that is, the flow->head is null.\nThe root cause, as the [2] says, is because that bpf_prog_test_run_skb()\nrun a bpf prog which redirects empty skbs.\nSo we should determine whether the length of the packet modified by bpf\nprog or others like bpf_prog_test is valid before forwarding it directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Fix broken touchscreen on Chuwi Hi8 with Windows BIOS\n\nThe x86-android-tablets handling for the Chuwi Hi8 is only necessary with\nthe Android BIOS and it is causing problems with the Windows BIOS version.\n\nSpecifically when trying to register the already present touchscreen\nx86_acpi_irq_helper_get() calls acpi_unregister_gsi(), this breaks\nthe working of the touchscreen and also leads to an oops:\n\n[   14.248946] ------------[ cut here ]------------\n[   14.248954] remove_proc_entry: removing non-empty directory 'irq/75', leaking at least 'MSSL0001:00'\n[   14.248983] WARNING: CPU: 3 PID: 440 at fs/proc/generic.c:718 remove_proc_entry\n...\n[   14.249293]  unregister_irq_proc+0xe0/0x100\n[   14.249305]  free_desc+0x29/0x70\n[   14.249312]  irq_free_descs+0x4b/0x80\n[   14.249320]  mp_unmap_irq+0x5c/0x60\n[   14.249329]  acpi_unregister_gsi_ioapic+0x2a/0x40\n[   14.249338]  x86_acpi_irq_helper_get+0x4b/0x190 [x86_android_tablets]\n[   14.249355]  x86_android_tablet_init+0x178/0xe34 [x86_android_tablets]\n\nAdd an init callback for the Chuwi Hi8, which detects when the Windows BIOS\nis in use and exits with -ENODEV in that case, fixing this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead\n\nftrace_startup does not remove ops from ftrace_ops_list when\nftrace_startup_enable fails:\n\nregister_ftrace_function\n  ftrace_startup\n    __register_ftrace_function\n      ...\n      add_ftrace_ops(&ftrace_ops_list, ops)\n      ...\n    ...\n    ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1\n    ...\n  return 0 // ops is in the ftrace_ops_list.\n\nWhen ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:\nunregister_ftrace_function\n  ftrace_shutdown\n    if (unlikely(ftrace_disabled))\n            return -ENODEV;  // return here, __unregister_ftrace_function is not executed,\n                             // as a result, ops is still in the ftrace_ops_list\n    __unregister_ftrace_function\n    ...\n\nIf ops is dynamically allocated, it will be free later, in this case,\nis_ftrace_trampoline accesses NULL pointer:\n\nis_ftrace_trampoline\n  ftrace_ops_trampoline\n    do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!\n\nSyzkaller reports as follows:\n[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b\n[ 1203.508039] #PF: supervisor read access in kernel mode\n[ 1203.508798] #PF: error_code(0x0000) - not-present page\n[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0\n[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI\n[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G    B   W         5.10.0 #8\n[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0\n[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00\n[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246\n[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866\n[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b\n[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07\n[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399\n[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008\n[ 1203.525634] FS:  00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000\n[ 1203.526801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0\n[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nTherefore, when ftrace_startup_enable fails, we need to rollback registration\nprocess and remove ops from ftrace_ops_list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fb_pm2fb: Avoid potential divide by zero error\n\nIn `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be\ncopied from user, then go through `fb_set_var()` and\n`info->fbops->fb_check_var()`, which may be `pm2fb_check_var()`.\nAlong the path, `var->pixclock` won't be modified. This function checks\nwhether the reciprocal of `var->pixclock` is too high. If `var->pixclock` is\nzero, there will be a divide by zero error. So, it is necessary to check\nwhether the denominator is zero to avoid a crash. As this bug was found by\nSyzkaller, logs are listed below.\n\ndivide error in pm2fb_check_var\nCall Trace:\n <TASK>\n fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix refcount bug in sk_psock_get (2)\n\nSyzkaller reports refcount bug as follows:\n------------[ cut here ]------------\nrefcount_t: saturated; leaking memory.\nWARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19\nModules linked in:\nCPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0\n <TASK>\n __refcount_add_not_zero include/linux/refcount.h:163 [inline]\n __refcount_inc_not_zero include/linux/refcount.h:227 [inline]\n refcount_inc_not_zero include/linux/refcount.h:245 [inline]\n sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439\n tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091\n tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983\n tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057\n tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659\n tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x134/0x3b0 net/core/sock.c:2849\n release_sock+0x54/0x1b0 net/core/sock.c:3404\n inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909\n __sys_shutdown_sock net/socket.c:2331 [inline]\n __sys_shutdown_sock net/socket.c:2325 [inline]\n __sys_shutdown+0xf1/0x1b0 net/socket.c:2343\n __do_sys_shutdown net/socket.c:2351 [inline]\n __se_sys_shutdown net/socket.c:2349 [inline]\n __x64_sys_shutdown+0x50/0x70 net/socket.c:2349\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n </TASK>\n\nDuring the SMC fallback process in the connect syscall, the kernel\nreplaces TCP with SMC. In order to forward wakeups to the\nsmc socket waitqueue after fallback, the kernel sets\nclcsk->sk_user_data to the original smc socket in\nsmc_fback_replace_callbacks().\n\nLater, in the shutdown syscall, the kernel calls\nsk_psock_get(), which treats clcsk->sk_user_data\nas a psock, triggering the refcnt warning.\n\nSo the root cause is that smc and psock both use the\nsk_user_data field, so they can easily mismatch on this field.\n\nThis patch solves it by using another bit (defined as\nSK_USER_DATA_PSOCK) in PTRMASK to mark whether\nsk_user_data points to a psock object or not.\nThis patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e\n(\"net, sk_msg: Clear sk_user_data pointer on clone if tagged\").\n\nSince there will possibly be more flags in the sk_user_data field,\nthis patch also refactors the sk_user_data flags code to be more generic\nto improve its maintainability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free Read in usb_udc_uevent()\n\nThe syzbot fuzzer found a race between uevent callbacks and gadget\ndriver unregistration that can cause a use-after-free bug:\n\n---------------------------------------------------------------\nBUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130\ndrivers/usb/gadget/udc/core.c:1732\nRead of size 8 at addr ffff888078ce2050 by task udevd/2968\n\nCPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n06/29/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xbe/0x1f0 mm/kasan/report.c:495\n usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732\n dev_uevent+0x290/0x770 drivers/base/core.c:2424\n---------------------------------------------------------------\n\nThe bug occurs because usb_udc_uevent() dereferences udc->driver but\ndoes so without acquiring the udc_lock mutex, which protects this\nfield.  If the gadget driver is unbound from the udc concurrently with\nuevent processing, the driver structure may be accessed after it has\nbeen deallocated.\n\nTo prevent the race, we make sure that the routine holds the mutex\naround the racing accesses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hidraw: fix memory leak in hidraw_release()\n\nFree the buffered reports before deleting the list entry.\n\nBUG: memory leak\nunreferenced object 0xffff88810e72f180 (size 32):\n  comm \"softirq\", pid 0, jiffies 4294945143 (age 16.080s)\n  hex dump (first 32 bytes):\n    64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00  d..j............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff814ac6c3>] kmemdup+0x23/0x50 mm/util.c:128\n    [<ffffffff8357c1d2>] kmemdup include/linux/fortify-string.h:440 [inline]\n    [<ffffffff8357c1d2>] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521\n    [<ffffffff8356ddad>] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992\n    [<ffffffff8356e41e>] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065\n    [<ffffffff835f0d3f>] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284\n    [<ffffffff82d3c7f9>] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670\n    [<ffffffff82d3cc26>] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747\n    [<ffffffff82ef1e14>] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988\n    [<ffffffff812f50a8>] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474\n    [<ffffffff812f5586>] expire_timers kernel/time/timer.c:1519 [inline]\n    [<ffffffff812f5586>] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790\n    [<ffffffff812f56e4>] __run_timers kernel/time/timer.c:1768 [inline]\n    [<ffffffff812f56e4>] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803\n    [<ffffffff848000e6>] __do_softirq+0xe6/0x2ea kernel/softirq.c:571\n    [<ffffffff81246db0>] invoke_softirq kernel/softirq.c:445 [inline]\n    [<ffffffff81246db0>] __irq_exit_rcu kernel/softirq.c:650 [inline]\n    [<ffffffff81246db0>] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662\n    [<ffffffff84574f02>] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106\n    [<ffffffff84600c8b>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649\n    [<ffffffff8458a070>] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]\n    [<ffffffff8458a070>] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]\n    [<ffffffff8458a070>] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]\n    [<ffffffff8458a070>] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix memory leak in pvr_probe\n\nThe error handling code in pvr2_hdw_create forgets to unregister the\nv4l2 device. When pvr2_hdw_create returns back to pvr2_context_create,\nit calls pvr2_context_destroy to destroy the context, but mp->hdw is NULL,\nwhich causes pvr2_hdw_destroy to return directly.\n\nFix this by adding v4l2_device_unregister to decrease the refcount of the\nusb interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: Set the DMA mask for the udmabuf device (v2)\n\nIf the DMA mask is not set explicitly, the following warning occurs\nwhen the userspace tries to access the dma-buf via the CPU as\nreported by syzbot here:\n\nWARNING: CPU: 1 PID: 3595 at kernel/dma/mapping.c:188\n__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188\nModules linked in:\nCPU: 0 PID: 3595 Comm: syz-executor249 Not tainted\n5.17.0-rc2-syzkaller-00316-g0457e5153e0e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 01/01/2011\nRIP: 0010:__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188\nCode: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 71 4c 8b 3d c0\n83 b5 0d e9 db fe ff ff e8 b6 0f 13 00 0f 0b e8 af 0f 13 00 <0f> 0b 45\n   31 e4 e9 54 ff ff ff e8 a0 0f 13 00 49 8d 7f 50 48 b8 00\nRSP: 0018:ffffc90002a07d68 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88807e25e2c0 RSI: ffffffff81649e91 RDI: ffff88801b848408\nRBP: ffff88801b848000 R08: 0000000000000002 R09: ffff88801d86c74f\nR10: ffffffff81649d72 R11: 0000000000000001 R12: 0000000000000002\nR13: ffff88801d86c680 R14: 0000000000000001 R15: 0000000000000000\nFS:  0000555556e30300(0000) GS:ffff8880b9d00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200000cc CR3: 000000001d74a000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n dma_map_sgtable+0x70/0xf0 kernel/dma/mapping.c:264\n get_sg_table.isra.0+0xe0/0x160 drivers/dma-buf/udmabuf.c:72\n begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126\n dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1164\n dma_buf_ioctl+0x259/0x2b0 drivers/dma-buf/dma-buf.c:363\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f62fcf530f9\nCode: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe3edab9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f62fcf530f9\nRDX: 0000000020000200 RSI: 0000000040086200 RDI: 0000000000000006\nRBP: 00007f62fcf170e0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f62fcf17170\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nv2: Don't forget to deregister if DMA mask setup fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report\n\nIt is possible for a malicious device to forgo submitting a Feature\nReport.  The HID Steam driver presently makes no provision for this\nand de-references the 'struct hid_report' pointer obtained from the\nHID device without first checking its validity.  Let's change that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don't use tnum_range on array range checking for poke descriptors\n\nHsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which\nis based on a customized syzkaller:\n\n  BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0\n  Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489\n  CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n  1.13.0-1ubuntu1.1 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x9c/0xc9\n   print_address_description.constprop.0+0x1f/0x1f0\n   ? bpf_int_jit_compile+0x1257/0x13f0\n   kasan_report.cold+0xeb/0x197\n   ? kvmalloc_node+0x170/0x200\n   ? bpf_int_jit_compile+0x1257/0x13f0\n   bpf_int_jit_compile+0x1257/0x13f0\n   ? arch_prepare_bpf_dispatcher+0xd0/0xd0\n   ? rcu_read_lock_sched_held+0x43/0x70\n   bpf_prog_select_runtime+0x3e8/0x640\n   ? bpf_obj_name_cpy+0x149/0x1b0\n   bpf_prog_load+0x102f/0x2220\n   ? __bpf_prog_put.constprop.0+0x220/0x220\n   ? find_held_lock+0x2c/0x110\n   ? __might_fault+0xd6/0x180\n   ? lock_downgrade+0x6e0/0x6e0\n   ? lock_is_held_type+0xa6/0x120\n   ? __might_fault+0x147/0x180\n   __sys_bpf+0x137b/0x6070\n   ? bpf_perf_link_attach+0x530/0x530\n   ? new_sync_read+0x600/0x600\n   ? __fget_files+0x255/0x450\n   ? lock_downgrade+0x6e0/0x6e0\n   ? fput+0x30/0x1a0\n   ? ksys_write+0x1a8/0x260\n   __x64_sys_bpf+0x7a/0xc0\n   ? syscall_enter_from_user_mode+0x21/0x70\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x7f917c4e2c2d\n\nThe problem here is that a range of tnum_range(0, map->max_entries - 1) has\nlimited ability to represent the concrete tight range with the tnum as the\nset of resulting states from value + mask can result in a superset of the\nactual intended range, and as such a tnum_in(range, reg->var_off) check may\nyield true when it shouldn't, for example tnum_range(0, 2) would result in\n00XX -> v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here\nrepresented by a less precise superset of {0, 1, 2, 3}. As the register is\nknown const scalar, really just use the concrete reg->var_off.value for the\nupper index check.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq\n\nstorvsc_error_wq workqueue should not be marked as WQ_MEM_RECLAIM as it\ndoesn't need to make forward progress under memory pressure.  Marking this\nworkqueue as WQ_MEM_RECLAIM may cause deadlock while flushing a\nnon-WQ_MEM_RECLAIM workqueue.  In the current state it causes the following\nwarning:\n\n[   14.506347] ------------[ cut here ]------------\n[   14.506354] workqueue: WQ_MEM_RECLAIM storvsc_error_wq_0:storvsc_remove_lun is flushing !WQ_MEM_RECLAIM events_freezable_power_:disk_events_workfn\n[   14.506360] WARNING: CPU: 0 PID: 8 at <-snip->kernel/workqueue.c:2623 check_flush_dependency+0xb5/0x130\n[   14.506390] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.4.0-1086-azure #91~18.04.1-Ubuntu\n[   14.506391] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[   14.506393] Workqueue: storvsc_error_wq_0 storvsc_remove_lun\n[   14.506395] RIP: 0010:check_flush_dependency+0xb5/0x130\n\t\t<-snip->\n[   14.506408] Call Trace:\n[   14.506412]  __flush_work+0xf1/0x1c0\n[   14.506414]  __cancel_work_timer+0x12f/0x1b0\n[   14.506417]  ? kernfs_put+0xf0/0x190\n[   14.506418]  cancel_delayed_work_sync+0x13/0x20\n[   14.506420]  disk_block_events+0x78/0x80\n[   14.506421]  del_gendisk+0x3d/0x2f0\n[   14.506423]  sr_remove+0x28/0x70\n[   14.506427]  device_release_driver_internal+0xef/0x1c0\n[   14.506428]  device_release_driver+0x12/0x20\n[   14.506429]  bus_remove_device+0xe1/0x150\n[   14.506431]  device_del+0x167/0x380\n[   14.506432]  __scsi_remove_device+0x11d/0x150\n[   14.506433]  scsi_remove_device+0x26/0x40\n[   14.506434]  storvsc_remove_lun+0x40/0x60\n[   14.506436]  process_one_work+0x209/0x400\n[   14.506437]  worker_thread+0x34/0x400\n[   14.506439]  kthread+0x121/0x140\n[   14.506440]  ? process_one_work+0x400/0x400\n[   14.506441]  ? kthread_park+0x90/0x90\n[   14.506443]  ret_from_fork+0x35/0x40\n[   14.506445] ---[ end trace 2d9633159fdc6ee7 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: call __md_stop_writes in md_stop\n\nFrom the link [1], we can see raid1d was running even after the path\nraid_dtr -> md_stop -> __md_stop.\n\nLet's stop write first in destructor to align with normal md-raid to\nfix the KASAN issue.\n\n[1]. https://lore.kernel.org/linux-raid/CAPhsuW5gc4AakdGNdF8ubpezAuDLFOYUO_sfMZcec6hQFm8nhg@mail.gmail.com/T/#m7f12bf90481c02c6d2da68c64aeed4779b7df74a",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix error exit of privcmd_ioctl_dm_op()\n\nThe error exit of privcmd_ioctl_dm_op() is calling unlock_pages()\npotentially with pages being NULL, leading to a NULL dereference.\n\nAdditionally lock_pages() doesn't check for pin_user_pages_fast()\nhaving been completely successful, resulting in potentially not\nlocking all pages into memory. This could result in sporadic failures\nwhen using the related memory in user mode.\n\nFix all of that by calling unlock_pages() always with the real number\nof pinned pages, which will be zero in case pages is NULL, and by\nchecking that the number of pages pinned by pin_user_pages_fast() matches\nthe expected number of pages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: fix double free of GS and RI CBs on fork() failure\n\nThe pointers for guarded storage and runtime instrumentation control\nblocks are stored in the thread_struct of the associated task. These\npointers are initially copied on fork() via arch_dup_task_struct()\nand then cleared via copy_thread() before fork() returns. If fork()\nhappens to fail after the initial task dup and before copy_thread(),\nthe newly allocated task and associated thread_struct memory are\nfreed via free_task() -> arch_release_task_struct(). This results in\na double free of the guarded storage and runtime info structs\nbecause the fields in the failed task still refer to memory\nassociated with the source task.\n\nThis problem can manifest as a BUG_ON() in set_freepointer() (with\nCONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)\nwhen running trinity syscall fuzz tests on s390x. To avoid this\nproblem, clear the associated pointer fields in\narch_dup_task_struct() immediately after the new task is copied.\nNote that the RI flag is still cleared in copy_thread() because it\nresides in thread stack memory and that is where stack info is\ncopied.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: avoid corrupting page->mapping in hugetlb_mcopy_atomic_pte\n\nIn MCOPY_ATOMIC_CONTINUE case with a non-shared VMA, pages in the page\ncache are installed in the ptes.  But hugepage_add_new_anon_rmap is called\nfor them mistakenly because they're not vm_shared.  This will corrupt the\npage->mapping used by page cache code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mprotect: only reference swap pfn page if type match\n\nYu Zhao reported a bug after the commit \"mm/swap: Add swp_offset_pfn() to\nfetch PFN from swap entry\" added a check in swp_offset_pfn() for swap type [1]:\n\n  kernel BUG at include/linux/swapops.h:117!\n  CPU: 46 PID: 5245 Comm: EventManager_De Tainted: G S         O L 6.0.0-dbg-DEV #2\n  RIP: 0010:pfn_swap_entry_to_page+0x72/0xf0\n  Code: c6 48 8b 36 48 83 fe ff 74 53 48 01 d1 48 83 c1 08 48 8b 09 f6\n  c1 01 75 7b 66 90 48 89 c1 48 8b 09 f6 c1 01 74 74 5d c3 eb 9e <0f> 0b\n  48 ba ff ff ff ff 03 00 00 00 eb ae a9 ff 0f 00 00 75 13 48\n  RSP: 0018:ffffa59e73fabb80 EFLAGS: 00010282\n  RAX: 00000000ffffffe8 RBX: 0c00000000000000 RCX: ffffcd5440000000\n  RDX: 1ffffffffff7a80a RSI: 0000000000000000 RDI: 0c0000000000042b\n  RBP: ffffa59e73fabb80 R08: ffff9965ca6e8bb8 R09: 0000000000000000\n  R10: ffffffffa5a2f62d R11: 0000030b372e9fff R12: ffff997b79db5738\n  R13: 000000000000042b R14: 0c0000000000042b R15: 1ffffffffff7a80a\n  FS:  00007f549d1bb700(0000) GS:ffff99d3cf680000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000440d035b3180 CR3: 0000002243176004 CR4: 00000000003706e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   change_pte_range+0x36e/0x880\n   change_p4d_range+0x2e8/0x670\n   change_protection_range+0x14e/0x2c0\n   mprotect_fixup+0x1ee/0x330\n   do_mprotect_pkey+0x34c/0x440\n   __x64_sys_mprotect+0x1d/0x30\n\nIt triggers because pfn_swap_entry_to_page() could be called upon e.g. a\ngenuine swap entry.\n\nFix it by only calling it when it's a write migration entry where the page*\nis used.\n\n[1] https://lore.kernel.org/lkml/CAOUHufaVC2Za-p8m0aiHw6YkheDcrO-C3wRGixwDS32VTS+k1w@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: Check for overflow while configuring loop\n\nThe userspace can configure a loop using an ioctl call, wherein\na configuration of type loop_config is passed (see lo_ioctl()'s\ncase on line 1550 of drivers/block/loop.c). This proceeds to call\nloop_configure() which in turn calls loop_set_status_from_info()\n(see line 1050 of loop.c), passing &config->info which is of type\nloop_info64*. This function then sets the appropriate values, like\nthe offset.\n\nloop_device has lo_offset of type loff_t (see line 52 of loop.c),\nwhich is typedef-chained to long long, whereas loop_info64 has\nlo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h).\n\nThe function directly copies offset from info to the device as\nfollows (See line 980 of loop.c):\n\tlo->lo_offset = info->lo_offset;\n\nThis results in an overflow, which triggers a warning in iomap_iter()\ndue to a call to iomap_iter_done() which has:\n\tWARN_ON_ONCE(iter->iomap.offset > iter->pos);\n\nThus, check for negative value during loop_set_status_from_info().\n\nBug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootmem: remove the vmemmap pages from kmemleak in put_page_bootmem\n\nThe vmemmap pages are marked by kmemleak when allocated from memblock. \nRemove them from kmemleak when freeing the page.  Otherwise, when we reuse\nthe page, kmemleak may report such an error and then stop working.\n\n kmemleak: Cannot insert 0xffff98fb6eab3d40 into the object search tree (overlaps existing)\n kmemleak: Kernel memory leak detector disabled\n kmemleak: Object 0xffff98fb6be00000 (size 335544320):\n kmemleak:   comm \"swapper\", pid 0, jiffies 4294892296\n kmemleak:   min_count = 0\n kmemleak:   count = 0\n kmemleak:   flags = 0x1\n kmemleak:   checksum = 0\n kmemleak:   backtrace:",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: avoid use-after-free after removing device\n\nWhen a disk is removed, bdi_unregister gets called to stop further\nwriteback and wait for associated delayed work to complete.  However,\nwb_inode_writeback_end() may schedule bandwidth estimation dwork after\nthis has completed, which can result in the timer attempting to access the\njust freed bdi_writeback.\n\nFix this by checking if the bdi_writeback is alive, similar to when\nscheduling writeback work.\n\nSince this requires wb->work_lock, and wb_inode_writeback_end() may get\ncalled from interrupt, switch wb->work_lock to an irqsafe lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix possible memory leak in btrfs_get_dev_args_from_path()\n\nIn btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail if\nthe path is invalid. In this case, btrfs_get_dev_args_from_path()\nreturns directly without freeing args->uuid and args->fsid allocated\nbefore, which causes memory leak.\n\nTo fix these possible leaks, when btrfs_get_bdev_and_sb() fails,\nbtrfs_put_dev_args_from_path() is called to clean up the memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lantiq_xrx200: restore buffer if memory allocation failed\n\nIn a situation where memory allocation fails, an invalid buffer address\nis stored. When this descriptor is used again, the system panics in the\nbuild_skb() function when accessing memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix locking in rxrpc's sendmsg\n\nFix three bugs in the rxrpc's sendmsg implementation:\n\n (1) rxrpc_new_client_call() should release the socket lock when returning\n     an error from rxrpc_get_call_slot().\n\n (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex\n     held in the event that we're interrupted by a signal whilst waiting\n     for tx space on the socket or relocking the call mutex afterwards.\n\n     Fix this by: (a) moving the unlock/lock of the call mutex up to\n     rxrpc_send_data() such that the lock is not held around all of\n     rxrpc_wait_for_tx_window*() and (b) indicating to higher callers\n     whether we're return with the lock dropped.  Note that this means\n     recvmsg() will not block on this call whilst we're waiting.\n\n (3) After dropping and regaining the call mutex, rxrpc_send_data() needs\n     to go and recheck the state of the tx_pending buffer and the\n     tx_total_len check in case we raced with another sendmsg() on the same\n     call.\n\nThinking on this some more, it might make sense to have different locks for\nsendmsg() and recvmsg().  There's probably no need to make recvmsg() wait\nfor sendmsg().  It does mean that recvmsg() can return MSG_EOR indicating\nthat a call is dead before a sendmsg() to that call returns - but that can\ncurrently happen anyway.\n\nWithout fix (2), something like the following can be induced:\n\n\tWARNING: bad unlock balance detected!\n\t5.16.0-rc6-syzkaller #0 Not tainted\n\t-------------------------------------\n\tsyz-executor011/3597 is trying to release lock (&call->user_mutex) at:\n\t[<ffffffff885163a3>] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\tno locks held by syz-executor011/3597.\n\t...\n\tCall Trace:\n\t <TASK>\n\t __dump_stack lib/dump_stack.c:88 [inline]\n\t dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n\t print_unlock_imbalance_bug include/trace/events/lock.h:58 [inline]\n\t __lock_release kernel/locking/lockdep.c:5306 [inline]\n\t lock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657\n\t __mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900\n\t rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748\n\t rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561\n\t sock_sendmsg_nosec net/socket.c:704 [inline]\n\t sock_sendmsg+0xcf/0x120 net/socket.c:724\n\t ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n\t ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n\t __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n\t do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n\t do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n\t entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-49999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix space cache corruption and potential double allocations\n\nWhen testing space_cache v2 on a large set of machines, we encountered a\nfew symptoms:\n\n1. \"unable to add free space :-17\" (EEXIST) errors.\n2. Missing free space info items, sometimes caught with a \"missing free\n   space info for X\" error.\n3. Double-accounted space: ranges that were allocated in the extent tree\n   and also marked as free in the free space tree, ranges that were\n   marked as allocated twice in the extent tree, or ranges that were\n   marked as free twice in the free space tree. If the latter made it\n   onto disk, the next reboot would hit the BUG_ON() in\n   add_new_free_space().\n4. On some hosts with no on-disk corruption or error messages, the\n   in-memory space cache (dumped with drgn) disagreed with the free\n   space tree.\n\nAll of these symptoms have the same underlying cause: a race between\ncaching the free space for a block group and returning free space to the\nin-memory space cache for pinned extents causes us to double-add a free\nrange to the space cache. This race exists when free space is cached\nfrom the free space tree (space_cache=v2) or the extent tree\n(nospace_cache, or space_cache=v1 if the cache needs to be regenerated).\nstruct btrfs_block_group::last_byte_to_unpin and struct\nbtrfs_block_group::progress are supposed to protect against this race,\nbut commit d0c2f4fa555e (\"btrfs: make concurrent fsyncs wait less when\nwaiting for a transaction commit\") subtly broke this by allowing\nmultiple transactions to be unpinning extents at the same time.\n\nSpecifically, the race is as follows:\n\n1. An extent is deleted from an uncached block group in transaction A.\n2. btrfs_commit_transaction() is called for transaction A.\n3. btrfs_run_delayed_refs() -> __btrfs_free_extent() runs the delayed\n   ref for the deleted extent.\n4. __btrfs_free_extent() -> do_free_extent_accounting() ->\n   add_to_free_space_tree() adds the deleted extent back to the free\n   space tree.\n5. do_free_extent_accounting() -> btrfs_update_block_group() ->\n   btrfs_cache_block_group() queues up the block group to get cached.\n   block_group->progress is set to block_group->start.\n6. btrfs_commit_transaction() for transaction A calls\n   switch_commit_roots(). It sets block_group->last_byte_to_unpin to\n   block_group->progress, which is block_group->start because the block\n   group hasn't been cached yet.\n7. The caching thread gets to our block group. Since the commit roots\n   were already switched, load_free_space_tree() sees the deleted extent\n   as free and adds it to the space cache. It finishes caching and sets\n   block_group->progress to U64_MAX.\n8. btrfs_commit_transaction() advances transaction A to\n   TRANS_STATE_SUPER_COMMITTED.\n9. fsync calls btrfs_commit_transaction() for transaction B. Since\n   transaction A is already in TRANS_STATE_SUPER_COMMITTED and the\n   commit is for fsync, it advances.\n10. btrfs_commit_transaction() for transaction B calls\n    switch_commit_roots(). This time, the block group has already been\n    cached, so it sets block_group->last_byte_to_unpin to U64_MAX.\n11. btrfs_commit_transaction() for transaction A calls\n    btrfs_finish_extent_commit(), which calls unpin_extent_range() for\n    the deleted extent. It sees last_byte_to_unpin set to U64_MAX (by\n    transaction B!), so it adds the deleted extent to the space cache\n    again!\n\nThis explains all of our symptoms above:\n\n* If the sequence of events is exactly as described above, when the free\n  space is re-added in step 11, it will fail with EEXIST.\n* If another thread reallocates the deleted extent in between steps 7\n  and 11, then step 11 will silently re-add that space to the space\n  cache as free even though it is actually allocated. Then, if that\n  space is allocated *again*, the free space tree will be corrupted\n  (namely, the wrong item will be deleted).\n* If we don't catch this free space tree corr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-49999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: fix stuck flows on cleanup due to pending work\n\nTo clear the flow table on flow table free, the following sequence\nnormally happens in order:\n\n  1) gc_step work is stopped to disable any further stats/del requests.\n  2) All flow table entries are set to teardown state.\n  3) Run gc_step which will queue HW del work for each flow table entry.\n  4) Waiting for the above del work to finish (flush).\n  5) Run gc_step again, deleting all entries from the flow table.\n  6) Flow table is freed.\n\nBut if a flow table entry already has pending HW stats or HW add work\nstep 3 will not queue HW del work (it will be skipped), step 4 will wait\nfor the pending add/stats to finish, and step 5 will queue HW del work\nwhich might execute after freeing of the flow table.\n\nTo fix the above, this patch flushes the pending work, then it sets the\nteardown flag to all flows in the flowtable and it forces a garbage\ncollector run to queue work to remove the flows from hardware, then it\nflushes this new pending work and (finally) it forces another garbage\ncollector run to remove the entry from the software flowtable.\n\nStack trace:\n[47773.882335] BUG: KASAN: use-after-free in down_read+0x99/0x460\n[47773.883634] Write of size 8 at addr ffff888103b45aa8 by task kworker/u20:6/543704\n[47773.885634] CPU: 3 PID: 543704 Comm: kworker/u20:6 Not tainted 5.12.0-rc7+ #2\n[47773.886745] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n[47773.888438] Workqueue: nf_ft_offload_del flow_offload_work_handler [nf_flow_table]\n[47773.889727] Call Trace:\n[47773.890214]  dump_stack+0xbb/0x107\n[47773.890818]  print_address_description.constprop.0+0x18/0x140\n[47773.892990]  kasan_report.cold+0x7c/0xd8\n[47773.894459]  kasan_check_range+0x145/0x1a0\n[47773.895174]  down_read+0x99/0x460\n[47773.899706]  nf_flow_offload_tuple+0x24f/0x3c0 [nf_flow_table]\n[47773.907137]  flow_offload_work_handler+0x72d/0xbe0 [nf_flow_table]\n[47773.913372]  process_one_work+0x8ac/0x14e0\n[47773.921325]\n[47773.921325] Allocated by task 592159:\n[47773.922031]  kasan_save_stack+0x1b/0x40\n[47773.922730]  __kasan_kmalloc+0x7a/0x90\n[47773.923411]  tcf_ct_flow_table_get+0x3cb/0x1230 [act_ct]\n[47773.924363]  tcf_ct_init+0x71c/0x1156 [act_ct]\n[47773.925207]  tcf_action_init_1+0x45b/0x700\n[47773.925987]  tcf_action_init+0x453/0x6b0\n[47773.926692]  tcf_exts_validate+0x3d0/0x600\n[47773.927419]  fl_change+0x757/0x4a51 [cls_flower]\n[47773.928227]  tc_new_tfilter+0x89a/0x2070\n[47773.936652]\n[47773.936652] Freed by task 543704:\n[47773.937303]  kasan_save_stack+0x1b/0x40\n[47773.938039]  kasan_set_track+0x1c/0x30\n[47773.938731]  kasan_set_free_info+0x20/0x30\n[47773.939467]  __kasan_slab_free+0xe7/0x120\n[47773.940194]  slab_free_freelist_hook+0x86/0x190\n[47773.941038]  kfree+0xce/0x3a0\n[47773.941644]  tcf_ct_flow_table_cleanup_work\n\nOriginal patch description and stack trace by Paul Blakey.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tproxy: restrict to prerouting hook\n\nTPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.\nThis fixes a crash (null dereference) when using tproxy from e.g. output.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY\n\nOnly set MLX5_LAG_FLAG_NDEVS_READY if both netdevices are registered.\nDoing so guarantees that both ldev->pf[MLX5_LAG_P0].dev and\nldev->pf[MLX5_LAG_P1].dev have valid pointers when\nMLX5_LAG_FLAG_NDEVS_READY is set.\n\nThe core issue is asymmetry in setting MLX5_LAG_FLAG_NDEVS_READY and\nclearing it. Setting it is done wrongly when both\nldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].dev are set;\nclearing it is done right when either of ldev->pf[i].netdev is cleared.\n\nConsider the following scenario:\n1. PF0 loads and sets ldev->pf[MLX5_LAG_P0].dev to a valid pointer\n2. PF1 loads and sets both ldev->pf[MLX5_LAG_P1].dev and\n   ldev->pf[MLX5_LAG_P1].netdev with valid pointers. This results in\n   MLX5_LAG_FLAG_NDEVS_READY is set.\n3. PF0 is unloaded before setting dev->pf[MLX5_LAG_P0].netdev.\n   MLX5_LAG_FLAG_NDEVS_READY remains set.\n\nFurther execution of mlx5_do_bond() will result in null pointer\ndereference when calling mlx5_lag_is_multipath()\n\nThis patch fixes the following call trace actually encountered:\n\n[ 1293.475195] BUG: kernel NULL pointer dereference, address: 00000000000009a8\n[ 1293.478756] #PF: supervisor read access in kernel mode\n[ 1293.481320] #PF: error_code(0x0000) - not-present page\n[ 1293.483686] PGD 0 P4D 0\n[ 1293.484434] Oops: 0000 [#1] SMP PTI\n[ 1293.485377] CPU: 1 PID: 23690 Comm: kworker/u16:2 Not tainted 5.18.0-rc5_for_upstream_min_debug_2022_05_05_10_13 #1\n[ 1293.488039] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 1293.490836] Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n[ 1293.492448] RIP: 0010:mlx5_lag_is_multipath+0x5/0x50 [mlx5_core]\n[ 1293.494044] Code: e8 70 40 ff e0 48 8b 14 24 48 83 05 5c 1a 1b 00 01 e9 19 ff ff ff 48 83 05 47 1a 1b 00 01 eb d7 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 a8 09 00 00 48 85 c0 74 26 48 83 05 a7 1b 1b 00 01 41 b8\n[ 1293.498673] RSP: 0018:ffff88811b2fbe40 EFLAGS: 00010202\n[ 1293.500152] RAX: ffff88818a94e1c0 RBX: ffff888165eca6c0 RCX: 0000000000000000\n[ 1293.501841] RDX: 0000000000000001 RSI: ffff88818a94e1c0 RDI: 0000000000000000\n[ 1293.503585] RBP: 0000000000000000 R08: ffff888119886740 R09: ffff888165eca73c\n[ 1293.505286] R10: 0000000000000018 R11: 0000000000000018 R12: ffff88818a94e1c0\n[ 1293.506979] R13: ffff888112729800 R14: 0000000000000000 R15: ffff888112729858\n[ 1293.508753] FS:  0000000000000000(0000) GS:ffff88852cc40000(0000) knlGS:0000000000000000\n[ 1293.510782] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1293.512265] CR2: 00000000000009a8 CR3: 00000001032d4002 CR4: 0000000000370ea0\n[ 1293.514001] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1293.515806] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: xsk: prohibit usage of non-balanced queue id\n\nFix the following scenario:\n1. ethtool -L $IFACE rx 8 tx 96\n2. xdpsock -q 10 -t -z\n\nAbove refers to a case where user would like to attach XSK socket in\ntxonly mode at a queue id that does not have a corresponding Rx queue.\nAt this moment ice's XSK logic is tightly bound to act on a \"queue pair\",\ne.g. both Tx and Rx queues at a given queue id are disabled/enabled and\nboth of them will get XSK pool assigned, which is broken for the presented\nqueue configuration. This results in the splat included at the bottom,\nwhich is basically an OOB access to Rx ring array.\n\nTo fix this, allow using the ids only in scope of \"combined\" queues\nreported by ethtool. However, logic should be rewritten to allow such\nconfigurations later on, which would end up as a complete rewrite of the\ncontrol path, so let us go with this temporary fix.\n\n[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082\n[420160.566359] #PF: supervisor read access in kernel mode\n[420160.572657] #PF: error_code(0x0000) - not-present page\n[420160.579002] PGD 0 P4D 0\n[420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G           OE     5.19.0-rc7+ #10\n[420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice]\n[420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85\n[420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282\n[420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8\n[420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000\n[420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000\n[420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a\n[420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828\n[420160.693211] FS:  00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000\n[420160.703645] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0\n[420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[420160.740707] PKRU: 55555554\n[420160.745960] Call Trace:\n[420160.750962]  <TASK>\n[420160.755597]  ? kmalloc_large_node+0x79/0x90\n[420160.762703]  ? __kmalloc_node+0x3f5/0x4b0\n[420160.769341]  xp_assign_dev+0xfd/0x210\n[420160.775661]  ? shmem_file_read_iter+0x29a/0x420\n[420160.782896]  xsk_bind+0x152/0x490\n[420160.788943]  __sys_bind+0xd0/0x100\n[420160.795097]  ? exit_to_user_mode_prepare+0x20/0x120\n[420160.802801]  __x64_sys_bind+0x16/0x20\n[420160.809298]  do_syscall_64+0x38/0x90\n[420160.815741]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[420160.823731] RIP: 0033:0x7fa86a0dd2fb\n[420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48\n[420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031\n[420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb\n[420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003\n[420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000\n[420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0\n[420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000\n[420160.919817]  </TASK>\n[420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix metadata dst->dev xmit null pointer dereference\n\nWhen we try to transmit an skb with metadata_dst attached (i.e. dst->dev\n== NULL) through xfrm interface we can hit a null pointer dereference[1]\nin xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a\nloopback skb device when there's no policy which dereferences dst->dev\nunconditionally. Not having dst->dev can be interpreted as it not being\na loopback device, so just add a check for a null dst_orig->dev.\n\nWith this fix xfrm interface's Tx error counters go up as usual.\n\n[1] net-next calltrace captured via netconsole:\n  BUG: kernel NULL pointer dereference, address: 00000000000000c0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP\n  CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014\n  RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60\n  Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 <f6> 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02\n  RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80\n  RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000\n  R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880\n  R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n  FS:  00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0\n  Call Trace:\n   <TASK>\n   xfrmi_xmit+0xde/0x460\n   ? tcf_bpf_act+0x13d/0x2a0\n   dev_hard_start_xmit+0x72/0x1e0\n   __dev_queue_xmit+0x251/0xd30\n   ip_finish_output2+0x140/0x550\n   ip_push_pending_frames+0x56/0x80\n   raw_sendmsg+0x663/0x10a0\n   ? try_charge_memcg+0x3fd/0x7a0\n   ? __mod_memcg_lruvec_state+0x93/0x110\n   ? sock_sendmsg+0x30/0x40\n   sock_sendmsg+0x30/0x40\n   __sys_sendto+0xeb/0x130\n   ? handle_mm_fault+0xae/0x280\n   ? do_user_addr_fault+0x1e7/0x680\n   ? kvm_read_and_reset_apf_flags+0x3b/0x50\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x34/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n  RIP: 0033:0x7ff35cac1366\n  Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89\n  RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n  RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366\n  RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003\n  RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\n  R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001\n   </TASK>\n  Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]\n  CR2: 00000000000000c0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout\n\nWhen the pn532 uart device is detaching, the pn532_uart_remove()\nis called. But there are no functions in pn532_uart_remove() that\ncould delete the cmd_timeout timer, which will cause use-after-free\nbugs. The process is shown below:\n\n    (thread 1)                  |        (thread 2)\n                                |  pn532_uart_send_frame\npn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)\n  ...                           |    (wait a time)\n  kfree(pn532) //FREE           |    pn532_cmd_timeout\n                                |      pn532_uart_send_frame\n                                |        pn532->... //USE\n\nThis patch adds del_timer_sync() in pn532_uart_remove() in order to\nprevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()\nis well synchronized, it sets nfc_dev->shutting_down to true and there\nare no syscalls could restart the cmd_timeout timer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2 fix problems with __nfs42_ssc_open\n\nA destination server while doing a COPY shouldn't accept using the\npassed in filehandle if its not a regular filehandle.\n\nIf alloc_file_pseudo() has failed, we need to decrement a reference\non the newly created inode, otherwise it leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix refcount leak in __xfrm_policy_check()\n\nThe issue happens on an error path in __xfrm_policy_check(). When the\nfetching process of the object `pols[1]` fails, the function simply\nreturns 0, forgetting to decrement the reference count of `pols[0]`,\nwhich is incremented earlier by either xfrm_sk_policy_lookup() or\nxfrm_policy_lookup(). This may result in memory leaks.\n\nFix it by decreasing the reference count of `pols[0]` in that path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: don't call disarm_kprobe() for disabled kprobes\n\nThe assumption in __disable_kprobe() is wrong, and it could try to disarm\nan already disarmed kprobe and fire the WARN_ONCE() below. [0]  We can\neasily reproduce this issue.\n\n1. Write 0 to /sys/kernel/debug/kprobes/enabled.\n\n  # echo 0 > /sys/kernel/debug/kprobes/enabled\n\n2. Run execsnoop.  At this time, one kprobe is disabled.\n\n  # /usr/share/bcc/tools/execsnoop &\n  [1] 2460\n  PCOMM            PID    PPID   RET ARGS\n\n  # cat /sys/kernel/debug/kprobes/list\n  ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]\n  ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]\n\n3. Write 1 to /sys/kernel/debug/kprobes/enabled, which changes\n   kprobes_all_disarmed to false but does not arm the disabled kprobe.\n\n  # echo 1 > /sys/kernel/debug/kprobes/enabled\n\n  # cat /sys/kernel/debug/kprobes/list\n  ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]\n  ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]\n\n4. Kill execsnoop, when __disable_kprobe() calls disarm_kprobe() for the\n   disabled kprobe and hits the WARN_ONCE() in __disarm_kprobe_ftrace().\n\n  # fg\n  /usr/share/bcc/tools/execsnoop\n  ^C\n\nActually, WARN_ONCE() is fired twice, and __unregister_kprobe_top() misses\nsome cleanups and leaves the aggregated kprobe in the hash table.  Then,\n__unregister_trace_kprobe() initialises tk->rp.kp.list and creates an\ninfinite loop like this.\n\n  aggregated kprobe.list -> kprobe.list -.\n                                     ^    |\n                                     '.__.'\n\nIn this situation, these commands fall into the infinite loop and result\nin RCU stall or soft lockup.\n\n  cat /sys/kernel/debug/kprobes/list : show_kprobe_addr() enters into the\n                                       infinite loop with RCU.\n\n  /usr/share/bcc/tools/execsnoop : warn_kprobe_rereg() holds kprobe_mutex,\n                                   and __get_valid_kprobe() is stuck in\n\t\t\t\t   the loop.\n\nTo avoid the issue, make sure we don't call disarm_kprobe() for disabled\nkprobes.\n\n[0]\nFailed to disarm kprobe-ftrace at __x64_sys_execve+0x0/0x40 (error -2)\nWARNING: CPU: 6 PID: 2460 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)\nModules linked in: ena\nCPU: 6 PID: 2460 Comm: execsnoop Not tainted 5.19.0+ #28\nHardware name: Amazon EC2 c5.2xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:__disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)\nCode: 24 8b 02 eb c1 80 3d c4 83 f2 01 00 75 d4 48 8b 75 00 89 c2 48 c7 c7 90 fa 0f 92 89 04 24 c6 05 ab 83 01 e8 e4 94 f0 ff <0f> 0b 8b 04 24 eb b1 89 c6 48 c7 c7 60 fa 0f 92 89 04 24 e8 cc 94\nRSP: 0018:ffff9e6ec154bd98 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff930f7b00 RCX: 0000000000000001\nRDX: 0000000080000001 RSI: ffffffff921461c5 RDI: 00000000ffffffff\nRBP: ffff89c504286da8 R08: 0000000000000000 R09: c0000000fffeffff\nR10: 0000000000000000 R11: ffff9e6ec154bc28 R12: ffff89c502394e40\nR13: ffff89c502394c00 R14: ffff9e6ec154bc00 R15: 0000000000000000\nFS:  00007fe800398740(0000) GS:ffff89c812d80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00057f010 CR3: 0000000103b54006 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n<TASK>\n __disable_kprobe (kernel/kprobes.c:1716)\n disable_kprobe (kernel/kprobes.c:2392)\n __disable_trace_kprobe (kernel/trace/trace_kprobe.c:340)\n disable_trace_kprobe (kernel/trace/trace_kprobe.c:429)\n perf_trace_event_unreg.isra.2 (./include/linux/tracepoint.h:93 kernel/trace/trace_event_perf.c:168)\n perf_kprobe_destroy (kernel/trace/trace_event_perf.c:295)\n _free_event (kernel/events/core.c:4971)\n perf_event_release_kernel (kernel/events/core.c:5176)\n perf_release (kernel/events/core.c:5186)\n __fput (fs/file_table.c:321)\n task_work_run (./include/linux/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null-ptr-deref in f2fs_get_dnode_of_data\n\nThere is issue as follows when test f2fs atomic write:\nF2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock\nF2FS-fs (loop0): invalid crc_offset: 0\nF2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=1, run fsck to fix.\nF2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.\n==================================================================\nBUG: KASAN: null-ptr-deref in f2fs_get_dnode_of_data+0xac/0x16d0\nRead of size 8 at addr 0000000000000028 by task rep/1990\n\nCPU: 4 PID: 1990 Comm: rep Not tainted 5.19.0-rc6-next-20220715 #266\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6e/0x91\n print_report.cold+0x49a/0x6bb\n kasan_report+0xa8/0x130\n f2fs_get_dnode_of_data+0xac/0x16d0\n f2fs_do_write_data_page+0x2a5/0x1030\n move_data_page+0x3c5/0xdf0\n do_garbage_collect+0x2015/0x36c0\n f2fs_gc+0x554/0x1d30\n f2fs_balance_fs+0x7f5/0xda0\n f2fs_write_single_data_page+0xb66/0xdc0\n f2fs_write_cache_pages+0x716/0x1420\n f2fs_write_data_pages+0x84f/0x9a0\n do_writepages+0x130/0x3a0\n filemap_fdatawrite_wbc+0x87/0xa0\n file_write_and_wait_range+0x157/0x1c0\n f2fs_do_sync_file+0x206/0x12d0\n f2fs_sync_file+0x99/0xc0\n vfs_fsync_range+0x75/0x140\n f2fs_file_write_iter+0xd7b/0x1850\n vfs_write+0x645/0x780\n ksys_write+0xf1/0x1e0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAs 3db1de0e582c commit changed atomic write way which new a cow_inode for\natomic write file, and also mark cow_inode as FI_ATOMIC_FILE.\nWhen f2fs_do_write_data_page write cow_inode will use cow_inode's cow_inode\nwhich is NULL. Then will trigger null-ptr-deref.\nTo solve above issue, introduce FI_COW_FILE flag for COW inode.\n\nFiexes: 3db1de0e582c(\"f2fs: change the current atomic write way\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: i740fb: Check the argument of i740_calc_vclk()\n\nSince the user can control the arguments of the ioctl() from the user\nspace, under special arguments that may result in a divide-by-zero bug.\n\nIf the user provides an improper 'pixclock' value that makes the argumet\nof i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a\ndivide-by-zero bug in:\n    drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));\n\nThe following log can reveal it:\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nRIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline]\nRIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline]\nRIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742\nCall Trace:\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189\n\nFix this by checking the argument of i740_calc_vclk() first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvenus: pm_helpers: Fix warning in OPP during probe\n\nFix the following WARN triggered during Venus driver probe on\n5.19.0-rc8-next-20220728:\n\n WARNING: CPU: 7 PID: 339 at drivers/opp/core.c:2471 dev_pm_opp_set_config+0x49c/0x610\n Modules linked in: qcom_spmi_adc5 rtc_pm8xxx qcom_spmi_adc_tm5 leds_qcom_lpg led_class_multicolor\n  qcom_pon qcom_vadc_common venus_core(+) qcom_spmi_temp_alarm v4l2_mem2mem videobuf2_v4l2 msm(+)\n  videobuf2_common crct10dif_ce spi_geni_qcom snd_soc_sm8250 i2c_qcom_geni gpu_sched\n  snd_soc_qcom_common videodev qcom_q6v5_pas soundwire_qcom drm_dp_aux_bus qcom_stats\n  drm_display_helper qcom_pil_info soundwire_bus snd_soc_lpass_va_macro mc qcom_q6v5\n  phy_qcom_snps_femto_v2 qcom_rng snd_soc_lpass_macro_common snd_soc_lpass_wsa_macro\n  lpass_gfm_sm8250 slimbus qcom_sysmon qcom_common qcom_glink_smem qmi_helpers\n  qcom_wdt mdt_loader socinfo icc_osm_l3 display_connector\n  drm_kms_helper qnoc_sm8250 drm fuse ip_tables x_tables ipv6\n CPU: 7 PID: 339 Comm: systemd-udevd Not tainted 5.19.0-rc8-next-20220728 #4\n Hardware name: Qualcomm Technologies, Inc. 
Robotics RB5 (DT)\n pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : dev_pm_opp_set_config+0x49c/0x610\n lr : dev_pm_opp_set_config+0x58/0x610\n sp : ffff8000093c3710\n x29: ffff8000093c3710 x28: ffffbca3959d82b8 x27: ffff8000093c3d00\n x26: ffffbca3959d8e08 x25: ffff4396cac98118 x24: ffff4396c0e24810\n x23: ffff4396c4272c40 x22: ffff4396c0e24810 x21: ffff8000093c3810\n x20: ffff4396cac36800 x19: ffff4396cac96800 x18: 0000000000000000\n x17: 0000000000000003 x16: ffffbca3f4edf198 x15: 0000001cba64a858\n x14: 0000000000000180 x13: 000000000000017e x12: 0000000000000000\n x11: 0000000000000002 x10: 0000000000000a60 x9 : ffff8000093c35c0\n x8 : ffff4396c4273700 x7 : ffff43983efca6c0 x6 : ffff43983efca640\n x5 : 00000000410fd0d0 x4 : ffff4396c4272c40 x3 : ffffbca3f5d1e008\n x2 : 0000000000000000 x1 : ffff4396c2421600 x0 : ffff4396cac96860\n Call trace:\n  dev_pm_opp_set_config+0x49c/0x610\n  devm_pm_opp_set_config+0x18/0x70\n  vcodec_domains_get+0xb8/0x1638 [venus_core]\n  core_get_v4+0x1d8/0x218 [venus_core]\n  venus_probe+0xf4/0x468 [venus_core]\n  platform_probe+0x68/0xd8\n  really_probe+0xbc/0x2a8\n  __driver_probe_device+0x78/0xe0\n  driver_probe_device+0x3c/0xf0\n  __driver_attach+0x70/0x120\n  bus_for_each_dev+0x70/0xc0\n  driver_attach+0x24/0x30\n  bus_add_driver+0x150/0x200\n  driver_register+0x64/0x120\n  __platform_driver_register+0x28/0x38\n  qcom_venus_driver_init+0x24/0x1000 [venus_core]\n  do_one_initcall+0x54/0x1c8\n  do_init_module+0x44/0x1d0\n  load_module+0x16c8/0x1aa0\n  __do_sys_finit_module+0xbc/0x110\n  __arm64_sys_finit_module+0x20/0x30\n  invoke_syscall+0x44/0x108\n  el0_svc_common.constprop.0+0xcc/0xf0\n  do_el0_svc+0x2c/0xb8\n  el0_svc+0x2c/0x88\n  el0t_64_sync_handler+0xb8/0xc0\n  el0t_64_sync+0x18c/0x190\n  qcom-venus: probe of aa00000.video-codec failed with error -16\n\nThe fix is re-ordering the code related to OPP core. The OPP core\nexpects all configuration options to be provided before the OPP\ntable is added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64: Init jump labels before parse_early_param()\n\nOn 64-bit, calling jump_label_init() in setup_feature_keys() is too\nlate because static keys may be used in subroutines of\nparse_early_param() which is again subroutine of early_init_devtree().\n\nFor example booting with \"threadirqs\":\n\n  static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init()\n  WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120\n  ...\n  NIP static_key_enable_cpuslocked+0xfc/0x120\n  LR  static_key_enable_cpuslocked+0xf8/0x120\n  Call Trace:\n    static_key_enable_cpuslocked+0xf8/0x120 (unreliable)\n    static_key_enable+0x30/0x50\n    setup_forced_irqthreads+0x28/0x40\n    do_early_param+0xa0/0x108\n    parse_args+0x290/0x4e0\n    parse_early_options+0x48/0x5c\n    parse_early_param+0x58/0x84\n    early_init_devtree+0xd4/0x518\n    early_setup+0xb4/0x214\n\nSo call jump_label_init() just before parse_early_param() in\nearly_init_devtree().\n\n[mpe: Add call trace to change log and minor wording edits.]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()\n\nAs Dipanjan Das <mail.dipanjan.das@gmail.com> reported, syzkaller\nfound a f2fs bug as below:\n\nRIP: 0010:f2fs_new_node_page+0x19ac/0x1fc0 fs/f2fs/node.c:1295\nCall Trace:\n write_all_xattrs fs/f2fs/xattr.c:487 [inline]\n __f2fs_setxattr+0xe76/0x2e10 fs/f2fs/xattr.c:743\n f2fs_setxattr+0x233/0xab0 fs/f2fs/xattr.c:790\n f2fs_xattr_generic_set+0x133/0x170 fs/f2fs/xattr.c:86\n __vfs_setxattr+0x115/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277\n vfs_setxattr+0x13f/0x330 fs/xattr.c:303\n setxattr+0x146/0x160 fs/xattr.c:611\n path_setxattr+0x1a7/0x1d0 fs/xattr.c:630\n __do_sys_lsetxattr fs/xattr.c:653 [inline]\n __se_sys_lsetxattr fs/xattr.c:649 [inline]\n __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:649\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nNAT entry and nat bitmap can be inconsistent, e.g. one nid is free\nin nat bitmap, and blkaddr in its NAT entry is not NULL_ADDR, it\nmay trigger BUG_ON() in f2fs_new_node_page(), fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW\n\nEver since the Dirty COW (CVE-2016-5195) security issue happened, we know\nthat FOLL_FORCE can be possibly dangerous, especially if there are races\nthat can be exploited by user space.\n\nRight now, it would be sufficient to have some code that sets a PTE of a\nR/O-mapped shared page dirty, in order for it to erroneously become\nwritable by FOLL_FORCE.  The implications of setting a write-protected PTE\ndirty might not be immediately obvious to everyone.\n\nAnd in fact ever since commit 9ae0f87d009c (\"mm/shmem: unconditionally set\npte dirty in mfill_atomic_install_pte\"), we can use UFFDIO_CONTINUE to map\na shmem page R/O while marking the pte dirty.  This can be used by\nunprivileged user space to modify tmpfs/shmem file content even if the\nuser does not have write permissions to the file, and to bypass memfd\nwrite sealing -- Dirty COW restricted to tmpfs/shmem (CVE-2022-2590).\n\nTo fix such security issues for good, the insight is that we really only\nneed that fancy retry logic (FOLL_COW) for COW mappings that are not\nwritable (!VM_WRITE).  And in a COW mapping, we really only broke COW if\nwe have an exclusive anonymous page mapped.  If we have something else\nmapped, or the mapped anonymous page might be shared (!PageAnonExclusive),\nwe have to trigger a write fault to break COW.  If we don't find an\nexclusive anonymous page when we retry, we have to trigger COW breaking\nonce again because something intervened.\n\nLet's move away from this mandatory-retry + dirty handling and rely on our\nPageAnonExclusive() flag for making a similar decision, to use the same\nCOW logic as in other kernel parts here as well.  
In case we stumble over\na PTE in a COW mapping that does not map an exclusive anonymous page, COW\nwas not properly broken and we have to trigger a fake write-fault to break\nCOW.\n\nJust like we do in can_change_pte_writable() added via commit 64fe24a3e05e\n(\"mm/mprotect: try avoiding write faults for exclusive anonymous pages\nwhen changing protection\") and commit 76aefad628aa (\"mm/mprotect: fix\nsoft-dirty check in can_change_pte_writable()\"), take care of softdirty\nand uffd-wp manually.\n\nFor example, a write() via /proc/self/mem to a uffd-wp-protected range has\nto fail instead of silently granting write access and bypassing the\nuserspace fault handler.  Note that FOLL_FORCE is not only used for debug\naccess, but also triggered by applications without debug intentions, for\nexample, when pinning pages via RDMA.\n\nThis fixes CVE-2022-2590. Note that only x86_64 and aarch64 are\naffected, because only those support CONFIG_HAVE_ARCH_USERFAULTFD_MINOR.\n\nFortunately, FOLL_COW is no longer required to handle FOLL_FORCE. So\nlet's just get rid of it.\n\nThanks to Nadav Amit for pointing out that the pte_dirty() check in\nFOLL_FORCE code is problematic and might be exploitable.\n\nNote 1: We don't check for the PTE being dirty because it doesn't matter\n\tfor making a \"was COWed\" decision anymore, and whoever modifies the\n\tpage has to set the page dirty either way.\n\nNote 2: Kernels before extended uffd-wp support and before\n\tPageAnonExclusive (< 5.19) can simply revert the problematic\n\tcommit instead and be safe regarding UFFDIO_CONTINUE. A backport to\n\tv5.19 requires minor adjustments due to lack of\n\tvma_soft_dirty_enabled().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-ipc: Do not process IPC reply before firmware boot\n\nIt is not yet clear, but it is possible to create a firmware so broken\nthat it will send a reply message before a FW_READY message (it is not\nyet clear if FW_READY will arrive later).\nSince the reply_data is allocated only after the FW_READY message, this\nwill lead to a NULL pointer dereference if not filtered out.\n\nThe issue was reported with IPC4 firmware but the same condition is present\nfor IPC3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot\n\nIt is not yet clear, but it is possible to create a firmware so broken\nthat it will send a reply message before a FW_READY message (it is not\nyet clear if FW_READY will arrive later).\nSince the reply_data is allocated only after the FW_READY message, this\nwill lead to a NULL pointer dereference if not filtered out.\n\nThe issue was reported with IPC4 firmware but the same condition is present\nfor IPC3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start\n\nWe should call of_node_put() for the reference 'uctl_node' returned by\nof_get_parent() which will increase the refcount. Otherwise, there will\nbe a refcount leak bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: Fix refcount leak bug in ucc_uart.c\n\nIn soc_info(), of_find_node_by_type() will return a node pointer\nwith refcount incremented. We should use of_node_put() when it is\nnot used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid resizing to a partial cluster size\n\nThis patch avoids an attempt to resize the filesystem to an\nunaligned cluster boundary.  An online resize to a size that is not\nintegral to cluster size results in the last iteration attempting to\ngrow the fs by a negative amount, which trips a BUG_ON and leaves the fs\nwith a corrupted in-memory superblock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: block range must be validated before use in ext4_mb_clear_bb()\n\nBlock range to free is validated in ext4_free_blocks() using\next4_inode_block_valid() and then it's passed to ext4_mb_clear_bb().\nHowever in some situations on bigalloc file system the range might be\nadjusted after the validation in ext4_free_blocks() which can lead to\ntroubles on corrupted file systems such as one found by syzkaller that\nresulted in the following BUG\n\nkernel BUG at fs/ext4/ext4.h:3319!\nPREEMPT SMP NOPTI\nCPU: 28 PID: 4243 Comm: repro Kdump: loaded Not tainted 5.19.0-rc6+ #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014\nRIP: 0010:ext4_free_blocks+0x95e/0xa90\nCall Trace:\n <TASK>\n ? lock_timer_base+0x61/0x80\n ? __es_remove_extent+0x5a/0x760\n ? __mod_timer+0x256/0x380\n ? ext4_ind_truncate_ensure_credits+0x90/0x220\n ext4_clear_blocks+0x107/0x1b0\n ext4_free_data+0x15b/0x170\n ext4_ind_truncate+0x214/0x2c0\n ? _raw_spin_unlock+0x15/0x30\n ? ext4_discard_preallocations+0x15a/0x410\n ? ext4_journal_check_start+0xe/0x90\n ? __ext4_journal_start_sb+0x2f/0x110\n ext4_truncate+0x1b5/0x460\n ? __ext4_journal_start_sb+0x2f/0x110\n ext4_evict_inode+0x2b4/0x6f0\n evict+0xd0/0x1d0\n ext4_enable_quotas+0x11f/0x1f0\n ext4_orphan_cleanup+0x3de/0x430\n ? proc_create_seq_private+0x43/0x50\n ext4_fill_super+0x295f/0x3ae0\n ? snprintf+0x39/0x40\n ? sget_fc+0x19c/0x330\n ? ext4_reconfigure+0x850/0x850\n get_tree_bdev+0x16d/0x260\n vfs_get_tree+0x25/0xb0\n path_mount+0x431/0xa70\n __x64_sys_mount+0xe2/0x120\n do_syscall_64+0x5b/0x80\n ? do_user_addr_fault+0x1e2/0x670\n ? exc_page_fault+0x70/0x170\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fdf4e512ace\n\nFix it by making sure that the block range is properly validated before\nused every time it changes in ext4_free_blocks() or ext4_mb_clear_bb().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers:md:fix a potential use-after-free bug\n\nIn line 2884, \"raid5_release_stripe(sh);\" drops the reference to sh and\nmay cause sh to be released. However, sh is subsequently used in lines\n2886 \"if (sh->batch_head && sh != sh->batch_head)\". This may result in an\nuse-after-free bug.\n\nIt can be fixed by moving \"raid5_release_stripe(sh);\" to the bottom of\nthe function.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-axi-dmac: ignore interrupt if no descriptor\n\nIf the channel has no descriptor and the interrupt is raised then the\nkernel will OOPS. Check the result of vchan_next_desc() in the handler\naxi_chan_block_xfer_complete() to avoid the error happening.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-axi-dmac: do not print NULL LLI during error\n\nDuring debugging we have seen an issue where axi_chan_dump_lli()\nis passed a NULL LLI pointer which ends up causing an OOPS due\nto trying to get fields from it. Simply print NULL LLI and exit\nto avoid this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix a memory leak in an error handling path\n\nA bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the\nerror handling path of afu_allocate_irqs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs/gaudi: fix shift out of bounds\n\nWhen validating NIC queues, queue offset calculation must be\nperformed only for NIC queues.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak when failing to issue CMF WQE\n\nThere is no corresponding free routine if lpfc_sli4_issue_wqe fails to\nissue the CMF WQE in lpfc_issue_cmf_sync_wqe.\n\nIf ret_val is non-zero, then free the iocbq request structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngadgetfs: ep_io - wait until IRQ finishes\n\nafter usb_ep_queue() if wait_for_completion_interruptible() is\ninterrupted we need to wait until IRQ gets finished.\n\nOtherwise complete() from epio_complete() can corrupt stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: ipq8074: dont disable gcc_sleep_clk_src\n\nOnce the usb sleep clocks are disabled, clock framework is trying to\ndisable the sleep clock source also.\n\nHowever, it seems that it cannot be disabled and trying to do so produces:\n[  245.436390] ------------[ cut here ]------------\n[  245.441233] gcc_sleep_clk_src status stuck at 'on'\n[  245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140\n[  245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio\n[  245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215\n[  245.463889] Hardware name: Xiaomi AX9000 (DT)\n[  245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  245.474307] pc : clk_branch_wait+0x130/0x140\n[  245.481073] lr : clk_branch_wait+0x130/0x140\n[  245.485588] sp : ffffffc009f2bad0\n[  245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000\n[  245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20\n[  245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0\n[  245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7\n[  245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777\n[  245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129\n[  245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001\n[  245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001\n[  245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027\n[  245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026\n[  245.557122] Call trace:\n[  245.564229]  clk_branch_wait+0x130/0x140\n[  245.566490]  clk_branch2_disable+0x2c/0x40\n[  245.570656]  clk_core_disable+0x60/0xb0\n[  245.574561]  clk_core_disable+0x68/0xb0\n[  245.578293]  clk_disable+0x30/0x50\n[ 
 245.582113]  dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom]\n[  245.585588]  platform_remove+0x28/0x60\n[  245.590361]  device_remove+0x4c/0x80\n[  245.594179]  device_release_driver_internal+0x1dc/0x230\n[  245.597914]  device_driver_detach+0x18/0x30\n[  245.602861]  unbind_store+0xec/0x110\n[  245.607027]  drv_attr_store+0x24/0x40\n[  245.610847]  sysfs_kf_write+0x44/0x60\n[  245.614405]  kernfs_fop_write_iter+0x128/0x1c0\n[  245.618052]  new_sync_write+0xc0/0x130\n[  245.622391]  vfs_write+0x1d4/0x2a0\n[  245.626123]  ksys_write+0x58/0xe0\n[  245.629508]  __arm64_sys_write+0x1c/0x30\n[  245.632895]  invoke_syscall.constprop.0+0x5c/0x110\n[  245.636890]  do_el0_svc+0xa0/0x150\n[  245.641488]  el0_svc+0x18/0x60\n[  245.644872]  el0t_64_sync_handler+0xa4/0x130\n[  245.647914]  el0t_64_sync+0x174/0x178\n[  245.652340] ---[ end trace 0000000000000000 ]---\n\nSo, add CLK_IS_CRITICAL flag to the clock so that the kernel won't try\nto disable the sleep clock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input\n\nMalformed user input to debugfs results in buffer overflow crashes.  Adapt\ninput string lengths to fit within internal buffers, leaving space for NULL\nterminators.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas: Fix refcount leak bug\n\nIn usbhs_rza1_hardware_init(), of_find_node_by_name() will return\na node pointer with refcount incremented. We should use of_node_put()\nwhen it is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: ohci-ppc-of: Fix refcount leak bug\n\nIn ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return\na node pointer with refcount incremented. We should use of_node_put()\nwhen it is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3 fix use-after-free at workaround 2\n\nBUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac\n\ncdns3_wa2_remove_old_request()\n{\n\t...\n\tkfree(priv_req->request.buf);\n\tcdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n\tlist_del_init(&priv_req->list);\n\t^^^ use after free\n\t...\n}\n\ncdns3_gadget_ep_free_request() frees the space pointed to by priv_req,\nbut priv_req is used in the following list_del_init().\n\nThis patch moves list_del_init() before cdns3_gadget_ep_free_request().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix use-after-free on amdgpu_bo_list mutex\n\nIf amdgpu_cs_vm_handling returns r != 0, then it will unlock the\nbo_list_mutex inside the function amdgpu_cs_vm_handling and again on\namdgpu_cs_parser_fini. This problem results in the following\nuse-after-free problem:\n\n[ 220.280990] ------------[ cut here ]------------\n[ 220.281000] refcount_t: underflow; use-after-free.\n[ 220.281019] WARNING: CPU: 1 PID: 3746 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n[ 220.281029] ------------[ cut here ]------------\n[ 220.281415] CPU: 1 PID: 3746 Comm: chrome:cs0 Tainted: G W L ------- --- 5.20.0-0.rc0.20220812git7ebfc85e2cd7.10.fc38.x86_64 #1\n[ 220.281421] Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 4403 04/27/2022\n[ 220.281426] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[ 220.281431] Code: 01 01 e8 79 4a 6f 00 0f 0b e9 42 47 a5 00 80 3d de\n7e be 01 00 75 85 48 c7 c7 f8 98 8e 98 c6 05 ce 7e be 01 01 e8 56 4a\n6f 00 <0f> 0b e9 1f 47 a5 00 80 3d b9 7e be 01 00 0f 85 5e ff ff ff 48\nc7\n[ 220.281437] RSP: 0018:ffffb4b0d18d7a80 EFLAGS: 00010282\n[ 220.281443] RAX: 0000000000000026 RBX: 0000000000000003 RCX: 0000000000000000\n[ 220.281448] RDX: 0000000000000001 RSI: ffffffff988d06dc RDI: 00000000ffffffff\n[ 220.281452] RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffb4b0d18d7930\n[ 220.281457] R10: 0000000000000003 R11: ffffa0672e2fffe8 R12: ffffa058ca360400\n[ 220.281461] R13: ffffa05846c50a18 R14: 00000000fffffe00 R15: 0000000000000003\n[ 220.281465] FS: 00007f82683e06c0(0000) GS:ffffa066e2e00000(0000) knlGS:0000000000000000\n[ 220.281470] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 220.281475] CR2: 00003590005cc000 CR3: 00000001fca46000 CR4: 0000000000350ee0\n[ 220.281480] Call Trace:\n[ 220.281485] <TASK>\n[ 220.281490] amdgpu_cs_ioctl+0x4e2/0x2070 [amdgpu]\n[ 220.281806] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]\n[ 220.282028] drm_ioctl_kernel+0xa4/0x150\n[ 220.282043] drm_ioctl+0x21f/0x420\n[ 220.282053] ? amdgpu_cs_find_mapping+0xe0/0xe0 [amdgpu]\n[ 220.282275] ? lock_release+0x14f/0x460\n[ 220.282282] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 220.282290] ? _raw_spin_unlock_irqrestore+0x30/0x60\n[ 220.282297] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282305] ? _raw_spin_unlock_irqrestore+0x40/0x60\n[ 220.282317] amdgpu_drm_ioctl+0x4a/0x80 [amdgpu]\n[ 220.282534] __x64_sys_ioctl+0x90/0xd0\n[ 220.282545] do_syscall_64+0x5b/0x80\n[ 220.282551] ? futex_wake+0x6c/0x150\n[ 220.282568] ? lock_is_held_type+0xe8/0x140\n[ 220.282580] ? do_syscall_64+0x67/0x80\n[ 220.282585] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282592] ? do_syscall_64+0x67/0x80\n[ 220.282597] ? do_syscall_64+0x67/0x80\n[ 220.282602] ? lockdep_hardirqs_on+0x7d/0x100\n[ 220.282609] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 220.282616] RIP: 0033:0x7f8282a4f8bf\n[ 220.282639] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10\n00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00\n0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00\n00\n[ 220.282644] RSP: 002b:00007f82683df410 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 220.282651] RAX: ffffffffffffffda RBX: 00007f82683df588 RCX: 00007f8282a4f8bf\n[ 220.282655] RDX: 00007f82683df4d0 RSI: 00000000c0186444 RDI: 0000000000000018\n[ 220.282659] RBP: 00007f82683df4d0 R08: 00007f82683df5e0 R09: 00007f82683df4b0\n[ 220.282663] R10: 00001d04000a0600 R11: 0000000000000246 R12: 00000000c0186444\n[ 220.282667] R13: 0000000000000018 R14: 00007f82683df588 R15: 0000000000000003\n[ 220.282689] </TASK>\n[ 220.282693] irq event stamp: 6232311\n[ 220.282697] hardirqs last enabled at (6232319): [<ffffffff9718cd7e>] __up_console_sem+0x5e/0x70\n[ 220.282704] hardirqs last disabled at (6232326): [<ffffffff9718cd63>] __up_console_sem+0x43/0x70\n[ 220.282709] softirqs last enabled at (6232072): [<ffffffff970ff669>] __irq_exit_rcu+0xf9/0x170\n[ 220.282716] softirqs last disabled at (6232061): [<ffffffff97\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sun4i: dsi: Prevent underflow when computing packet sizes\n\nCurrently, the packet overhead is subtracted using unsigned arithmetic.\nWith a short sync pulse, this could underflow and wrap around to near\nthe maximal u16 value. Fix this by using signed subtraction. The call to\nmax() will correctly handle any negative numbers that are produced.\n\nApply the same fix to the other timings, even though those subtractions\nare less likely to underflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/ttm: don't leak the ccs state\n\nThe kernel only manages the ccs state with lmem-only objects, however\nthe kernel should still take care not to leak the CCS state from the\nprevious user.\n\n(cherry picked from commit 353819d85f87be46aeb9c1dd929d445a006fc6ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()\n\nIn this function, there are two refcount leak bugs:\n(1) when breaking out of for_each_endpoint_of_node(), we need to call\nof_node_put() for the 'ep';\n(2) we should call of_node_put() for the reference returned by\nof_graph_get_remote_port() when it is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: intel: Add a missing clk_disable_unprepare() call in intel_eth_pci_remove()\n\nCommit 09f012e64e4b (\"stmmac: intel: Fix clock handling on error and remove\npaths\") removed this clk_disable_unprepare()\n\nThis was partly reverted by commit ac322f86b56c (\"net: stmmac: Fix clock\nhandling on remove path\") which removed this clk_disable_unprepare()\nbecause:\n\"\n   While unloading the dwmac-intel driver, clk_disable_unprepare() is\n   being called twice in stmmac_dvr_remove() and\n   intel_eth_pci_remove(). This causes kernel panic on the second call.\n\"\n\nHowever later on, commit 5ec55823438e8 (\"net: stmmac: add clocks management\nfor gmac driver\") has updated stmmac_dvr_remove() which does not call\nclk_disable_unprepare() anymore.\n\nSo this call should now be called from intel_eth_pci_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()\n\nIf an error occurs in dsa_devlink_region_create(), then 'priv->regions'\narray will be accessed by negative index '-1'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix call trace with null VSI during VF reset\n\nDuring stress test with attaching and detaching VF from KVM and\nsimultaneously changing VFs spoofcheck and trust there was a\ncall trace in ice_reset_vf that VF's VSI is null.\n\n[145237.352797] WARNING: CPU: 46 PID: 840629 at drivers/net/ethernet/intel/ice/ice_vf_lib.c:508 ice_reset_vf+0x3d6/0x410 [ice]\n[145237.352851] Modules linked in: ice(E) vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio iavf dm_mod xt_CHECKSUM xt_MASQUERADE\nxt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun\n bridge stp llc sunrpc intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm iTCO_wdt iTC\nO_vendor_support irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl ipmi_si intel_cstate ipmi_devintf joydev intel_uncore m\nei_me ipmi_msghandler i2c_i801 pcspkr mei lpc_ich ioatdma i2c_smbus acpi_pad acpi_power_meter ip_tables xfs libcrc32c i2c_algo_bit drm_sh\nmem_helper drm_kms_helper sd_mod t10_pi crc64_rocksoft syscopyarea crc64 sysfillrect sg sysimgblt fb_sys_fops drm i40e ixgbe ahci libahci\n libata crc32c_intel mdio dca wmi fuse [last unloaded: ice]\n[145237.352917] CPU: 46 PID: 840629 Comm: kworker/46:2 Tainted: G S      W I E     5.19.0-rc6+ #24\n[145237.352921] Hardware name: Intel Corporation S2600WTT/S2600WTT, BIOS SE5C610.86B.01.01.0008.021120151325 02/11/2015\n[145237.352923] Workqueue: ice ice_service_task [ice]\n[145237.352948] RIP: 0010:ice_reset_vf+0x3d6/0x410 [ice]\n[145237.352984] Code: 30 ec f3 cc e9 28 fd ff ff 0f b7 4b 50 48 c7 c2 48 19 9c c0 4c 89 ee 48 c7 c7 30 fe 9e c0 e8 d1 21 9d cc 31 c0 e9 a\n9 fe ff ff <0f> 0b b8 ea ff ff ff e9 c1 fc ff ff 0f 0b b8 fb ff ff ff e9 91 fe\n[145237.352987] RSP: 0018:ffffb453e257fdb8 EFLAGS: 00010246\n[145237.352990] RAX: ffff8bd0040181c0 RBX: ffff8be68db8f800 RCX: 0000000000000000\n[145237.352991] RDX: 000000000000ffff RSI: 0000000000000000 RDI: ffff8be68db8f800\n[145237.352993] RBP: ffff8bd0040181c0 R08: 0000000000001000 R09: ffff8bcfd520e000\n[145237.352995] R10: 0000000000000000 R11: 00008417b5ab0bc0 R12: 0000000000000005\n[145237.352996] R13: ffff8bcee061c0d0 R14: ffff8bd004019640 R15: 0000000000000000\n[145237.352998] FS:  0000000000000000(0000) GS:ffff8be5dfb00000(0000) knlGS:0000000000000000\n[145237.353000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[145237.353002] CR2: 00007fd81f651d68 CR3: 0000001a0fe10001 CR4: 00000000001726e0\n[145237.353003] Call Trace:\n[145237.353008]  <TASK>\n[145237.353011]  ice_process_vflr_event+0x8d/0xb0 [ice]\n[145237.353049]  ice_service_task+0x79f/0xef0 [ice]\n[145237.353074]  process_one_work+0x1c8/0x390\n[145237.353081]  ? process_one_work+0x390/0x390\n[145237.353084]  worker_thread+0x30/0x360\n[145237.353087]  ? process_one_work+0x390/0x390\n[145237.353090]  kthread+0xe8/0x110\n[145237.353094]  ? kthread_complete_and_exit+0x20/0x20\n[145237.353097]  ret_from_fork+0x22/0x30\n[145237.353103]  </TASK>\n\nRemove WARN_ON() from check if VSI is null in ice_reset_vf.\nAdd \"VF is already removed\\n\" in dev_dbg().\n\nThis WARN_ON() is unnecessary and causes call trace, despite that\ncall trace, driver still works. There is no need for this warn\nbecause this piece of code is responsible for disabling VF's Tx/Rx\nqueues when VF is disabled, but when VF is already removed there\nis no need to do reset or disable queues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: genl: fix error path memory leak in policy dumping\n\nIf construction of the array of policies fails when recording\nnon-first policy we need to unwind.\n\nnetlink_policy_dump_add_policy() itself also needs fixing as\nit currently gives up on error without recording the allocated\npointer in the pstate pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix potential refcount leak in ndisc_router_discovery()\n\nThe issue happens on specific paths in the function. After both the\nobject `rt` and `neigh` are grabbed successfully, when `lifetime` is\nnonzero but the metric needs change, the function just deletes the\nroute and set `rt` to NULL. Then, it may try grabbing `rt` and `neigh`\nagain if above conditions hold. The function simply overwrites `neigh`\nif it succeeds or returns if it fails, without decreasing the reference\ncount of previous `neigh`. This may result in memory leaks.\n\nFix it by decrementing the reference count of `neigh` in place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: start MHI channel after endpoint creation\n\nMHI channel may generate an event/interrupt right after enabling.\nIt may lead to 2 race condition issues.\n\n1)\nSuch event may be dropped by qcom_mhi_qrtr_dl_callback() at check:\n\n\tif (!qdev || mhi_res->transaction_status)\n\t\treturn;\n\nBecause dev_set_drvdata(&mhi_dev->dev, qdev) may not be performed at\nthis moment. In this situation qrtr-ns will be unable to enumerate\nservices in device.\n---------------------------------------------------------------\n\n2)\nSuch event may come at the moment after dev_set_drvdata() and\nbefore qrtr_endpoint_register(). In this case kernel will panic with\naccessing wrong pointer at qcom_mhi_qrtr_dl_callback():\n\n\trc = qrtr_endpoint_post(&qdev->ep, mhi_res->buf_addr,\n\t\t\t\tmhi_res->bytes_xferd);\n\nBecause endpoint is not created yet.\n--------------------------------------------------------------\nSo move mhi_prepare_for_transfer_autoqueue after endpoint creation\nto fix it.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pci: Fix get_phb_number() locking\n\nThe recent change to get_phb_number() causes a DEBUG_ATOMIC_SLEEP\nwarning on some systems:\n\n  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper\n  preempt_count: 1, expected: 0\n  RCU nest depth: 0, expected: 0\n  1 lock held by swapper/1:\n   #0: c157efb0 (hose_spinlock){+.+.}-{2:2}, at: pcibios_alloc_controller+0x64/0x220\n  Preemption disabled at:\n  [<00000000>] 0x0\n  CPU: 0 PID: 1 Comm: swapper Not tainted 5.19.0-yocto-standard+ #1\n  Call Trace:\n  [d101dc90] [c073b264] dump_stack_lvl+0x50/0x8c (unreliable)\n  [d101dcb0] [c0093b70] __might_resched+0x258/0x2a8\n  [d101dcd0] [c0d3e634] __mutex_lock+0x6c/0x6ec\n  [d101dd50] [c0a84174] of_alias_get_id+0x50/0xf4\n  [d101dd80] [c002ec78] pcibios_alloc_controller+0x1b8/0x220\n  [d101ddd0] [c140c9dc] pmac_pci_init+0x198/0x784\n  [d101de50] [c140852c] discover_phbs+0x30/0x4c\n  [d101de60] [c0007fd4] do_one_initcall+0x94/0x344\n  [d101ded0] [c1403b40] kernel_init_freeable+0x1a8/0x22c\n  [d101df10] [c00086e0] kernel_init+0x34/0x160\n  [d101df30] [c001b334] ret_from_kernel_thread+0x5c/0x64\n\nThis is because pcibios_alloc_controller() holds hose_spinlock but\nof_alias_get_id() takes of_mutex which can sleep.\n\nThe hose_spinlock protects the phb_bitmap, and also the hose_list, but\nit doesn't need to be held while get_phb_number() calls the OF routines,\nbecause those are only looking up information in the device tree.\n\nSo fix it by having get_phb_number() take the hose_spinlock itself, only\nwhere required, and then dropping the lock before returning.\npcibios_alloc_controller() then needs to take the lock again before the\nlist_add() but that's safe, the order of the list is not important.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50045",
          "detail": "fixed-version",
          "description": "Fixed from version 5.19.4"
        },
        {
          "id": "CVE-2022-50046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sunrpc: fix potential memory leaks in rpc_sysfs_xprt_state_change()\n\nThe issue happens on some error handling paths. When the function\nfails to grab the object `xprt`, it simply returns 0, forgetting to\ndecrease the reference count of another object `xps`, which is\nincreased by rpc_sysfs_xprt_kobj_get_xprt_switch(), causing refcount\nleaks. Also, the function forgets to check whether `xps` is valid\nbefore using it, which may result in NULL-dereferencing issues.\n\nFix it by adding proper error handling code when either `xprt` or\n`xps` is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6060: prevent crash on an unused port\n\nIf the port isn't a CPU port nor a user port, 'cpu_dp'\nis a null pointer and a crash happened on dereferencing\nit in mv88e6060_setup_port():\n\n[    9.575872] Unable to handle kernel NULL pointer dereference at virtual address 00000014\n...\n[    9.942216]  mv88e6060_setup from dsa_register_switch+0x814/0xe84\n[    9.948616]  dsa_register_switch from mdio_probe+0x2c/0x54\n[    9.954433]  mdio_probe from really_probe.part.0+0x98/0x2a0\n[    9.960375]  really_probe.part.0 from driver_probe_device+0x30/0x10c\n[    9.967029]  driver_probe_device from __device_attach_driver+0xb8/0x13c\n[    9.973946]  __device_attach_driver from bus_for_each_drv+0x90/0xe0\n[    9.980509]  bus_for_each_drv from __device_attach+0x110/0x184\n[    9.986632]  __device_attach from bus_probe_device+0x8c/0x94\n[    9.992577]  bus_probe_device from deferred_probe_work_func+0x78/0xa8\n[    9.999311]  deferred_probe_work_func from process_one_work+0x290/0x73c\n[   10.006292]  process_one_work from worker_thread+0x30/0x4b8\n[   10.012155]  worker_thread from kthread+0xd4/0x10c\n[   10.017238]  kthread from ret_from_fork+0x14/0x3c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: possible module reference underflow in error path\n\ndst->ops is set on when nft_expr_clone() fails, but module refcount has\nnot been bumped yet, therefore nft_expr_destroy() leads to module\nreference underflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: DPCM: Don't pick up BE without substream\n\nWhen DPCM tries to add valid BE connections at dpcm_add_paths(), it\ndoesn't check whether the picked BE actually supports the given\nstream direction.  Due to that, when an asymmetric BE stream is\npresent, it picks up wrongly and this may result in a NULL dereference\nat a later point where the code assumes the existence of a\ncorresponding BE substream.\n\nThis patch adds the check for the presence of the substream for the\ntarget BE for avoiding the problem above.\n\nNote that we have already some fix for non-existing BE substream at\ncommit 6246f283d5e0 (\"ASoC: dpcm: skip missing substream while\napplying symmetry\").  But the code path we've hit recently is rather\nhappening before the previous fix.  So this patch tries to fix at\npicking up a BE instead of parsing BE lists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf()\n\nsnprintf() returns the would-be-filled size when the string overflows\nthe given buffer size, hence using this value may result in the buffer\noverflow (although it's unrealistic).\n\nThis patch replaces with a safer version, scnprintf() for papering\nover such a potential issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: debug: Fix potential buffer overflow by snprintf()\n\nsnprintf() returns the would-be-filled size when the string overflows\nthe given buffer size, hence using this value may result in the buffer\noverflow (although it's unrealistic).\n\nThis patch replaces with a safer version, scnprintf() for papering\nover such a potential issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix potential buffer overflow by snprintf()\n\nsnprintf() returns the would-be-filled size when the string overflows\nthe given buffer size, hence using this value may result in a buffer\noverflow (although it's unrealistic).\n\nThis patch replaces it with a safer version, scnprintf() for papering\nover such a potential issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix reset error handling\n\nDo not call iavf_close in iavf_reset_task error handling. Doing so can\nlead to double call of napi_disable, which can lead to deadlock there.\nRemoving VF would lead to iavf_remove task being stuck, because it\nrequires crit_lock, which is held by iavf_close.\nCall iavf_disable_vf if reset fails, so that driver will clean up\nremaining invalid resources.\nDuring rapid VF resets, HW can fail to setup VF mailbox. Wrong\nerror handling can lead to iavf_remove being stuck with:\n[ 5218.999087] iavf 0000:82:01.0: Failed to init adminq: -53\n...\n[ 5267.189211] INFO: task repro.sh:11219 blocked for more than 30 seconds.\n[ 5267.189520]       Tainted: G S          E     5.18.0-04958-ga54ce3703613-dirty #1\n[ 5267.189764] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 5267.190062] task:repro.sh        state:D stack:    0 pid:11219 ppid:  8162 flags:0x00000000\n[ 5267.190347] Call Trace:\n[ 5267.190647]  <TASK>\n[ 5267.190927]  __schedule+0x460/0x9f0\n[ 5267.191264]  schedule+0x44/0xb0\n[ 5267.191563]  schedule_preempt_disabled+0x14/0x20\n[ 5267.191890]  __mutex_lock.isra.12+0x6e3/0xac0\n[ 5267.192237]  ? iavf_remove+0xf9/0x6c0 [iavf]\n[ 5267.192565]  iavf_remove+0x12a/0x6c0 [iavf]\n[ 5267.192911]  ? _raw_spin_unlock_irqrestore+0x1e/0x40\n[ 5267.193285]  pci_device_remove+0x36/0xb0\n[ 5267.193619]  device_release_driver_internal+0xc1/0x150\n[ 5267.193974]  pci_stop_bus_device+0x69/0x90\n[ 5267.194361]  pci_stop_and_remove_bus_device+0xe/0x20\n[ 5267.194735]  pci_iov_remove_virtfn+0xba/0x120\n[ 5267.195130]  sriov_disable+0x2f/0xe0\n[ 5267.195506]  ice_free_vfs+0x7d/0x2f0 [ice]\n[ 5267.196056]  ? pci_get_device+0x4f/0x70\n[ 5267.196496]  ice_sriov_configure+0x78/0x1a0 [ice]\n[ 5267.196995]  sriov_numvfs_store+0xfe/0x140\n[ 5267.197466]  kernfs_fop_write_iter+0x12e/0x1c0\n[ 5267.197918]  new_sync_write+0x10c/0x190\n[ 5267.198404]  vfs_write+0x24e/0x2d0\n[ 5267.198886]  ksys_write+0x5c/0xd0\n[ 5267.199367]  do_syscall_64+0x3a/0x80\n[ 5267.199827]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 5267.200317] RIP: 0033:0x7f5b381205c8\n[ 5267.200814] RSP: 002b:00007fff8c7e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 5267.201981] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f5b381205c8\n[ 5267.202620] RDX: 0000000000000002 RSI: 00005569420ee900 RDI: 0000000000000001\n[ 5267.203426] RBP: 00005569420ee900 R08: 000000000000000a R09: 00007f5b38180820\n[ 5267.204327] R10: 000000000000000a R11: 0000000000000246 R12: 00007f5b383c06e0\n[ 5267.205193] R13: 0000000000000002 R14: 00007f5b383bb880 R15: 0000000000000002\n[ 5267.206041]  </TASK>\n[ 5267.206970] Kernel panic - not syncing: hung_task: blocked tasks\n[ 5267.207809] CPU: 48 PID: 551 Comm: khungtaskd Kdump: loaded Tainted: G S          E     5.18.0-04958-ga54ce3703613-dirty #1\n[ 5267.208726] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019\n[ 5267.209623] Call Trace:\n[ 5267.210569]  <TASK>\n[ 5267.211480]  dump_stack_lvl+0x33/0x42\n[ 5267.212472]  panic+0x107/0x294\n[ 5267.213467]  watchdog.cold.8+0xc/0xbb\n[ 5267.214413]  ? proc_dohung_task_timeout_secs+0x30/0x30\n[ 5267.215511]  kthread+0xf4/0x120\n[ 5267.216459]  ? kthread_complete_and_exit+0x20/0x20\n[ 5267.217505]  ret_from_fork+0x22/0x30\n[ 5267.218459]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix NULL pointer dereference in iavf_get_link_ksettings\n\nFix possible NULL pointer dereference, due to freeing of adapter->vf_res\nin iavf_init_get_resources. Previous commit introduced a regression,\nwhere receiving IAVF_ERR_ADMIN_QUEUE_NO_WORK from iavf_get_vf_config\nwould free adapter->vf_res. However, netdev is still registered, so\nethtool_ops can be called. Calling iavf_get_link_ksettings with no vf_res,\nwill result with:\n[ 9385.242676] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[ 9385.242683] #PF: supervisor read access in kernel mode\n[ 9385.242686] #PF: error_code(0x0000) - not-present page\n[ 9385.242690] PGD 0 P4D 0\n[ 9385.242696] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n[ 9385.242701] CPU: 6 PID: 3217 Comm: pmdalinux Kdump: loaded Tainted: G S          E     5.18.0-04958-ga54ce3703613-dirty #1\n[ 9385.242708] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.11.0 11/02/2019\n[ 9385.242710] RIP: 0010:iavf_get_link_ksettings+0x29/0xd0 [iavf]\n[ 9385.242745] Code: 00 0f 1f 44 00 00 b8 01 ef ff ff 48 c7 46 30 00 00 00 00 48 c7 46 38 00 00 00 00 c6 46 0b 00 66 89 46 08 48 8b 87 68 0e 00 00 <f6> 40 08 80 75 50 8b 87 5c 0e 00 00 83 f8 08 74 7a 76 1d 83 f8 20\n[ 9385.242749] RSP: 0018:ffffc0560ec7fbd0 EFLAGS: 00010246\n[ 9385.242755] RAX: 0000000000000000 RBX: ffffc0560ec7fc08 RCX: 0000000000000000\n[ 9385.242759] RDX: ffffffffc0ad4550 RSI: ffffc0560ec7fc08 RDI: ffffa0fc66674000\n[ 9385.242762] RBP: 00007ffd1fb2bf50 R08: b6a2d54b892363ee R09: ffffa101dc14fb00\n[ 9385.242765] R10: 0000000000000000 R11: 0000000000000004 R12: ffffa0fc66674000\n[ 9385.242768] R13: 0000000000000000 R14: ffffa0fc66674000 R15: 00000000ffffffa1\n[ 9385.242771] FS:  00007f93711a2980(0000) GS:ffffa0fad72c0000(0000) knlGS:0000000000000000\n[ 9385.242775] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9385.242778] CR2: 0000000000000008 CR3: 0000000a8e61c003 CR4: 00000000003706e0\n[ 9385.242781] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 9385.242784] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 9385.242787] Call Trace:\n[ 9385.242791]  <TASK>\n[ 9385.242793]  ethtool_get_settings+0x71/0x1a0\n[ 9385.242814]  __dev_ethtool+0x426/0x2f40\n[ 9385.242823]  ? slab_post_alloc_hook+0x4f/0x280\n[ 9385.242836]  ? kmem_cache_alloc_trace+0x15d/0x2f0\n[ 9385.242841]  ? dev_ethtool+0x59/0x170\n[ 9385.242848]  dev_ethtool+0xa7/0x170\n[ 9385.242856]  dev_ioctl+0xc3/0x520\n[ 9385.242866]  sock_do_ioctl+0xa0/0xe0\n[ 9385.242877]  sock_ioctl+0x22f/0x320\n[ 9385.242885]  __x64_sys_ioctl+0x84/0xc0\n[ 9385.242896]  do_syscall_64+0x3a/0x80\n[ 9385.242904]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 9385.242918] RIP: 0033:0x7f93702396db\n[ 9385.242923] Code: 73 01 c3 48 8b 0d ad 57 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 57 38 00 f7 d8 64 89 01 48\n[ 9385.242927] RSP: 002b:00007ffd1fb2bf18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 9385.242932] RAX: ffffffffffffffda RBX: 000055671b1d2fe0 RCX: 00007f93702396db\n[ 9385.242935] RDX: 00007ffd1fb2bf20 RSI: 0000000000008946 RDI: 0000000000000007\n[ 9385.242937] RBP: 00007ffd1fb2bf20 R08: 0000000000000003 R09: 0030763066307330\n[ 9385.242940] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd1fb2bf80\n[ 9385.242942] R13: 0000000000000007 R14: 0000556719f6de90 R15: 00007ffd1fb2c1b0\n[ 9385.242948]  </TASK>\n[ 9385.242949] Modules linked in: iavf(E) xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nft_compat nf_nat_tftp nft_objref nf_conntrack_tftp bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink vfat fat irdma ib_uverbs ib_core intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretem\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix adminq error handling\n\niavf_alloc_asq_bufs/iavf_alloc_arq_bufs allocates with dma_alloc_coherent\nmemory for VF mailbox.\nFree DMA regions for both ASQ and ARQ in case error happens during\nconfiguration of ASQ/ARQ registers.\nWithout this change it is possible to see when unloading interface:\n74626.583369: dma_debug_device_change: device driver has pending DMA allocations while released from device [count=32]\nOne of leaked entries details: [device address=0x0000000b27ff9000] [size=4096 bytes] [mapped with DMA_BIDIRECTIONAL] [mapped as coherent]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix missing i_op in ntfs_read_mft\n\nThere is null pointer dereference because i_op == NULL.\nThe bug happens because we don't initialize i_op for records in $Extend.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL deref in ntfs_update_mftmirr\n\nIf ntfs_fill_super() wasn't called then sbi->sb will be equal to NULL.\nCode should check this ptr before dereferencing. Syzbot hit this issue\nvia passing wrong mount param as can be seen from log below\n\nFail log:\nntfs3: Unknown parameter 'iochvrset'\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nCPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0\n...\nCall Trace:\n <TASK>\n put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463\n ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363\n put_fs_context+0x119/0x7a0 fs/fs_context.c:469\n do_new_mount+0x2b4/0xad0 fs/namespace.c:3044\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim_blk: set number of address spaces and virtqueue groups\n\nCommit bda324fd037a (\"vdpasim: control virtqueue support\") added two\nnew fields (nas, ngroups) to vdpasim_dev_attr, but we forgot to\ninitialize them for vdpa_sim_blk.\n\nWhen creating a new vdpa_sim_blk device this causes the kernel\nto panic in this way:\n \u00a0 \u00a0$ vdpa dev add mgmtdev vdpasim_blk name blk0\n \u00a0 \u00a0BUG: kernel NULL pointer dereference, address: 0000000000000030\n \u00a0 \u00a0...\n \u00a0 \u00a0RIP: 0010:vhost_iotlb_add_range_ctx+0x41/0x220 [vhost_iotlb]\n \u00a0 \u00a0...\n \u00a0 \u00a0Call Trace:\n \u00a0 \u00a0 <TASK>\n \u00a0 \u00a0 vhost_iotlb_add_range+0x11/0x800 [vhost_iotlb]\n \u00a0 \u00a0 vdpasim_map_range+0x91/0xd0 [vdpa_sim]\n \u00a0 \u00a0 vdpasim_alloc_coherent+0x56/0x90 [vdpa_sim]\n \u00a0 \u00a0 ...\n\nThis happens because vdpasim->iommu[0] is not initialized when\ndev_attr.nas is 0.\n\nLet's fix this issue by initializing both (nas, ngroups) to 1 for\nvdpa_sim_blk.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: don't leak snap_rwsem in handle_cap_grant\n\nWhen handle_cap_grant is called on an IMPORT op, then the snap_rwsem is\nheld and the function is expected to release it before returning. It\ncurrently fails to do that in all cases which could lead to a deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Fix mcam entry resource leak\n\nThe teardown sequence in FLR handler returns if no NIX LF\nis attached to PF/VF because it indicates that graceful\nshutdown of resources already happened. But there is a\nchance of all allocated MCAM entries not being freed by\nPF/VF. Hence free mcam entries even in case of detached LF.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bgmac: Fix a BUG triggered by wrong bytes_compl\n\nOn one of our machines we got:\n\nkernel BUG at lib/dynamic_queue_limits.c:27!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM\nCPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G        W  O    4.14.275-rt132 #1\nHardware name: BRCM XGS iProc\ntask: ee3415c0 task.stack: ee32a000\nPC is at dql_completed+0x168/0x178\nLR is at bgmac_poll+0x18c/0x6d8\npc : [<c03b9430>]    lr : [<c04b5a18>]    psr: 800a0313\nsp : ee32be14  ip : 000005ea  fp : 00000bd4\nr10: ee558500  r9 : c0116298  r8 : 00000002\nr7 : 00000000  r6 : ef128810  r5 : 01993267  r4 : 01993851\nr3 : ee558000  r2 : 000070e1  r1 : 00000bd4  r0 : ee52c180\nFlags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\nControl: 12c5387d  Table: 8e88c04a  DAC: 00000051\nProcess irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)\nStack: (0xee32be14 to 0xee32c000)\nbe00:                                              ee558520 ee52c100 ef128810\nbe20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040\nbe40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040\nbe60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a\nbe80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98\nbea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8\nbec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000\nbee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520\nbf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900\nbf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c\nbf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28\nbf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70\nbf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000\nbfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000\nbfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\nbfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000\n[<c03b9430>] (dql_completed) from [<c04b5a18>] (bgmac_poll+0x18c/0x6d8)\n[<c04b5a18>] (bgmac_poll) from [<c0528744>] (net_rx_action+0x1c4/0x494)\n[<c0528744>] (net_rx_action) from [<c0124d3c>] (do_current_softirqs+0x1ec/0x43c)\n[<c0124d3c>] (do_current_softirqs) from [<c012500c>] (__local_bh_enable+0x80/0x98)\n[<c012500c>] (__local_bh_enable) from [<c016da14>] (irq_forced_thread_fn+0x84/0x98)\n[<c016da14>] (irq_forced_thread_fn) from [<c016dd14>] (irq_thread+0x118/0x1c0)\n[<c016dd14>] (irq_thread) from [<c013edcc>] (kthread+0x150/0x158)\n[<c013edcc>] (kthread) from [<c0108470>] (ret_from_fork+0x14/0x24)\nCode: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)\n\nThe issue seems similar to commit 90b3b339364c (\"net: hisilicon: Fix a BUG\ntrigered by wrong bytes_compl\") and potentially introduced by commit\nb38c83dd0866 (\"bgmac: simplify tx ring index handling\").\n\nIf there is an RX interrupt between setting ring->end\nand netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()\ncan miscalculate the queue size while called from bgmac_poll().\n\nThe machine which triggered the BUG runs a v4.14 RT kernel - but the issue\nseems present in mainline too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: suppress non-changes to the tagging protocol\n\nThe way in which dsa_tree_change_tag_proto() works is that when\ndsa_tree_notify() fails, it doesn't know whether the operation failed\nmid way in a multi-switch tree, or it failed for a single-switch tree.\nSo even though drivers need to fail cleanly in\nds->ops->change_tag_protocol(), DSA will still call dsa_tree_notify()\nagain, to restore the old tag protocol for potential switches in the\ntree where the change did succeed (before failing for others).\n\nThis means for the felix driver that if we report an error in\nfelix_change_tag_protocol(), we'll get another call where proto_ops ==\nold_proto_ops. If we proceed to act upon that, we may do unexpected\nthings. For example, we will call dsa_tag_8021q_register() twice in a\nrow, without any dsa_tag_8021q_unregister() in between. Then we will\nactually call dsa_tag_8021q_unregister() via old_proto_ops->teardown,\nwhich (if it manages to run at all, after walking through corrupted data\nstructures) will leave the ports inoperational anyway.\n\nThe bug can be readily reproduced if we force an error while in\ntag_8021q mode; this crashes the kernel.\n\necho ocelot-8021q > /sys/class/net/eno2/dsa/tagging\necho edsa > /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000014\nCall trace:\n vcap_entry_get+0x24/0x124\n ocelot_vcap_filter_del+0x198/0x270\n felix_tag_8021q_vlan_del+0xd4/0x21c\n dsa_switch_tag_8021q_vlan_del+0x168/0x2cc\n dsa_switch_event+0x68/0x1170\n dsa_tree_notify+0x14/0x34\n dsa_port_tag_8021q_vlan_del+0x84/0x110\n dsa_tag_8021q_unregister+0x15c/0x1c0\n felix_tag_8021q_teardown+0x16c/0x180\n felix_change_tag_protocol+0x1bc/0x230\n dsa_switch_event+0x14c/0x1170\n dsa_tree_change_tag_proto+0x118/0x1c0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Avoid use-after-free on suspend/resume\n\nhctx->user_data is set to vq in virtblk_init_hctx().  However, vq is\nfreed on suspend and reallocated on resume.  So, hctx->user_data is\ninvalid after resume, and it will cause use-after-free accessing which\nwill result in the kernel crash something like below:\n\n[   22.428391] Call Trace:\n[   22.428899]  <TASK>\n[   22.429339]  virtqueue_add_split+0x3eb/0x620\n[   22.430035]  ? __blk_mq_alloc_requests+0x17f/0x2d0\n[   22.430789]  ? kvm_clock_get_cycles+0x14/0x30\n[   22.431496]  virtqueue_add_sgs+0xad/0xd0\n[   22.432108]  virtblk_add_req+0xe8/0x150\n[   22.432692]  virtio_queue_rqs+0xeb/0x210\n[   22.433330]  blk_mq_flush_plug_list+0x1b8/0x280\n[   22.434059]  __blk_flush_plug+0xe1/0x140\n[   22.434853]  blk_finish_plug+0x20/0x40\n[   22.435512]  read_pages+0x20a/0x2e0\n[   22.436063]  ? folio_add_lru+0x62/0xa0\n[   22.436652]  page_cache_ra_unbounded+0x112/0x160\n[   22.437365]  filemap_get_pages+0xe1/0x5b0\n[   22.437964]  ? context_to_sid+0x70/0x100\n[   22.438580]  ? sidtab_context_to_sid+0x32/0x400\n[   22.439979]  filemap_read+0xcd/0x3d0\n[   22.440917]  xfs_file_buffered_read+0x4a/0xc0\n[   22.441984]  xfs_file_read_iter+0x65/0xd0\n[   22.442970]  __kernel_read+0x160/0x2e0\n[   22.443921]  bprm_execve+0x21b/0x640\n[   22.444809]  do_execveat_common.isra.0+0x1a8/0x220\n[   22.446008]  __x64_sys_execve+0x2d/0x40\n[   22.446920]  do_syscall_64+0x37/0x90\n[   22.447773]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by getting vq from vblk, and removes\nvirtblk_init_hctx().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix memory leak inside XPD_TX with mergeable\n\nWhen we call xdp_convert_buff_to_frame() to get xdpf, if it returns\nNULL, we should check if xdp_page was allocated by xdp_linearize_page().\nIf it is newly allocated, it should be freed here alone. Just like any\nother \"goto err_xdp\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix aq_vec index out of range error\n\nThe final update statement of the for loop exceeds the array range, the\ndereference of self->aq_vec[i] is not checked and then leads to the\nindex out of range error.\nAlso fixed this kind of coding style in other for loop.\n\n[   97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48\n[   97.937607] index 8 is out of range for type 'aq_vec_s *[8]'\n[   97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2\n[   97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022\n[   97.937611] Workqueue: events_unbound async_run_entry_fn\n[   97.937616] Call Trace:\n[   97.937617]  <TASK>\n[   97.937619]  dump_stack_lvl+0x49/0x63\n[   97.937624]  dump_stack+0x10/0x16\n[   97.937626]  ubsan_epilogue+0x9/0x3f\n[   97.937627]  __ubsan_handle_out_of_bounds.cold+0x44/0x49\n[   97.937629]  ? __scm_send+0x348/0x440\n[   97.937632]  ? aq_vec_stop+0x72/0x80 [atlantic]\n[   97.937639]  aq_nic_stop+0x1b6/0x1c0 [atlantic]\n[   97.937644]  aq_suspend_common+0x88/0x90 [atlantic]\n[   97.937648]  aq_pm_suspend_poweroff+0xe/0x20 [atlantic]\n[   97.937653]  pci_pm_suspend+0x7e/0x1a0\n[   97.937655]  ? pci_pm_suspend_noirq+0x2b0/0x2b0\n[   97.937657]  dpm_run_callback+0x54/0x190\n[   97.937660]  __device_suspend+0x14c/0x4d0\n[   97.937661]  async_suspend+0x23/0x70\n[   97.937663]  async_run_entry_fn+0x33/0x120\n[   97.937664]  process_one_work+0x21f/0x3f0\n[   97.937666]  worker_thread+0x4a/0x3c0\n[   97.937668]  ? process_one_work+0x3f0/0x3f0\n[   97.937669]  kthread+0xf0/0x120\n[   97.937671]  ? kthread_complete_and_exit+0x20/0x20\n[   97.937672]  ret_from_fork+0x22/0x30\n[   97.937676]  </TASK>\n\nv2. fixed \"warning: variable 'aq_vec' set but not used\"\n\nv3. simplified a for loop",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: unset reloc control if transaction commit fails in prepare_to_relocate()\n\nIn btrfs_relocate_block_group(), the rc is allocated.  Then\nbtrfs_relocate_block_group() calls\n\nrelocate_block_group()\n  prepare_to_relocate()\n    set_reloc_control()\n\nthat assigns rc to the variable fs_info->reloc_ctl. When\nprepare_to_relocate() returns, it calls\n\nbtrfs_commit_transaction()\n  btrfs_start_dirty_block_groups()\n    btrfs_alloc_path()\n      kmem_cache_zalloc()\n\nwhich may fail for example (or other errors could happen). When the\nfailure occurs, btrfs_relocate_block_group() detects the error and frees\nrc and doesn't set fs_info->reloc_ctl to NULL. After that, in\nbtrfs_init_reloc_root(), rc is retrieved from fs_info->reloc_ctl and\nthen used, which may cause a use-after-free bug.\n\nThis possible bug can be triggered by calling btrfs_ioctl_balance()\nbefore calling btrfs_ioctl_defrag().\n\nTo fix this possible bug, in prepare_to_relocate(), check if\nbtrfs_commit_transaction() fails. If the failure occurs,\nunset_reloc_control() is called to set fs_info->reloc_ctl to NULL.\n\nThe error log in our fault-injection testing is shown as follows:\n\n  [   58.751070] BUG: KASAN: use-after-free in btrfs_init_reloc_root+0x7ca/0x920 [btrfs]\n  ...\n  [   58.753577] Call Trace:\n  ...\n  [   58.755800]  kasan_report+0x45/0x60\n  [   58.756066]  btrfs_init_reloc_root+0x7ca/0x920 [btrfs]\n  [   58.757304]  record_root_in_trans+0x792/0xa10 [btrfs]\n  [   58.757748]  btrfs_record_root_in_trans+0x463/0x4f0 [btrfs]\n  [   58.758231]  start_transaction+0x896/0x2950 [btrfs]\n  [   58.758661]  btrfs_defrag_root+0x250/0xc00 [btrfs]\n  [   58.759083]  btrfs_ioctl_defrag+0x467/0xa00 [btrfs]\n  [   58.759513]  btrfs_ioctl+0x3c95/0x114e0 [btrfs]\n  ...\n  [   58.768510] Allocated by task 23683:\n  [   58.768777]  ____kasan_kmalloc+0xb5/0xf0\n  [   58.769069]  __kmalloc+0x227/0x3d0\n  [   58.769325]  alloc_reloc_control+0x10a/0x3d0 [btrfs]\n  [   58.769755]  btrfs_relocate_block_group+0x7aa/0x1e20 [btrfs]\n  [   58.770228]  btrfs_relocate_chunk+0xf1/0x760 [btrfs]\n  [   58.770655]  __btrfs_balance+0x1326/0x1f10 [btrfs]\n  [   58.771071]  btrfs_balance+0x3150/0x3d30 [btrfs]\n  [   58.771472]  btrfs_ioctl_balance+0xd84/0x1410 [btrfs]\n  [   58.771902]  btrfs_ioctl+0x4caa/0x114e0 [btrfs]\n  ...\n  [   58.773337] Freed by task 23683:\n  ...\n  [   58.774815]  kfree+0xda/0x2b0\n  [   58.775038]  free_reloc_control+0x1d6/0x220 [btrfs]\n  [   58.775465]  btrfs_relocate_block_group+0x115c/0x1e20 [btrfs]\n  [   58.775944]  btrfs_relocate_chunk+0xf1/0x760 [btrfs]\n  [   58.776369]  __btrfs_balance+0x1326/0x1f10 [btrfs]\n  [   58.776784]  btrfs_balance+0x3150/0x3d30 [btrfs]\n  [   58.777185]  btrfs_ioctl_balance+0xd84/0x1410 [btrfs]\n  [   58.777621]  btrfs_ioctl+0x4caa/0x114e0 [btrfs]\n  ...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix dummy res NULL ptr deref bug\n\nCheck the bo->resource value before accessing the resource\nmem_type.\n\nv2: Fix commit description unwrapped warning\n\n<log snip>\n[   40.191227][  T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI\n[   40.192995][  T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n[   40.194411][  T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1\n[   40.196063][  T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014\n[   40.199605][  T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]\n[   40.200754][  T184] Code: e8 72 c5 ff ff 83 f8 b8 74 d4 85 c0 75 54 49 8b 9e 58 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 3c 03 7e 44 8b 53 10 31 c0 85 d2 0f 85 58\n[   40.203685][  T184] RSP: 0018:ffffc900006df0c8 EFLAGS: 00010202\n[   40.204630][  T184] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1102f4bb71b\n[   40.205864][  T184] RDX: 0000000000000002 RSI: ffffc900006df208 RDI: 0000000000000010\n[   40.207102][  T184] RBP: 1ffff920000dbe1a R08: ffffc900006df208 R09: 0000000000000000\n[   40.208394][  T184] R10: ffff88817a5f0000 R11: 0000000000000001 R12: ffffc900006df110\n[   40.209692][  T184] R13: ffffc900006df0f0 R14: ffff88817a5db800 R15: ffffc900006df208\n[   40.210862][  T184] FS:  00007f6b1d16e8c0(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000\n[   40.212250][  T184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   40.213275][  T184] CR2: 000055a1001d4ff0 CR3: 00000001700f4000 CR4: 00000000000006e0\n[   40.214469][  T184] Call Trace:\n[   40.214974][  T184]  <TASK>\n[   40.215438][  T184]  ? ttm_bo_bounce_temp_buffer+0x140/0x140 [ttm]\n[   40.216572][  T184]  ? mutex_spin_on_owner+0x240/0x240\n[   40.217456][  T184]  ? drm_vma_offset_add+0xaa/0x100 [drm]\n[   40.218457][  T184]  ttm_bo_init_reserved+0x3d6/0x540 [ttm]\n[   40.219410][  T184]  ? shmem_get_inode+0x744/0x980\n[   40.220231][  T184]  ttm_bo_init_validate+0xb1/0x200 [ttm]\n[   40.221172][  T184]  ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[   40.222530][  T184]  ? ttm_bo_init_reserved+0x540/0x540 [ttm]\n[   40.223643][  T184]  ? __do_sys_finit_module+0x11a/0x1c0\n[   40.224654][  T184]  ? __shmem_file_setup+0x102/0x280\n[   40.234764][  T184]  drm_gem_vram_create+0x305/0x480 [drm_vram_helper]\n[   40.235766][  T184]  ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[   40.236846][  T184]  ? __kasan_slab_free+0x108/0x180\n[   40.237650][  T184]  drm_gem_vram_fill_create_dumb+0x134/0x340 [drm_vram_helper]\n[   40.238864][  T184]  ? local_pci_probe+0xdf/0x180\n[   40.239674][  T184]  ? drmm_vram_helper_init+0x400/0x400 [drm_vram_helper]\n[   40.240826][  T184]  drm_client_framebuffer_create+0x19c/0x400 [drm]\n[   40.241955][  T184]  ? drm_client_buffer_delete+0x200/0x200 [drm]\n[   40.243001][  T184]  ? drm_client_pick_crtcs+0x554/0xb80 [drm]\n[   40.244030][  T184]  drm_fb_helper_generic_probe+0x23f/0x940 [drm_kms_helper]\n[   40.245226][  T184]  ? __cond_resched+0x1c/0xc0\n[   40.245987][  T184]  ? drm_fb_helper_memory_range_to_clip+0x180/0x180 [drm_kms_helper]\n[   40.247316][  T184]  ? mutex_unlock+0x80/0x100\n[   40.248005][  T184]  ? __mutex_unlock_slowpath+0x2c0/0x2c0\n[   40.249083][  T184]  drm_fb_helper_single_fb_probe+0x907/0xf00 [drm_kms_helper]\n[   40.250314][  T184]  ? drm_fb_helper_check_var+0x1180/0x1180 [drm_kms_helper]\n[   40.251540][  T184]  ? __cond_resched+0x1c/0xc0\n[   40.252321][  T184]  ? mutex_lock+0x9f/0x100\n[   40.253062][  T184]  __drm_fb_helper_initial_config_and_unlock+0xb9/0x2c0 [drm_kms_helper]\n[   40.254394][  T184]  drm_fbdev_client_hotplug+0x56f/0x840 [drm_kms_helper]\n[   40.255477][  T184]  drm_fbdev_generic_setup+0x165/0x3c0 [drm_kms_helper]\n[   40.256607][  T184]  bochs_pci_probe+0x6b7/0x900 [bochs]\n[   \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBPF: Fix potential bad pointer dereference in bpf_sys_bpf()\n\nThe bpf_sys_bpf() helper function allows an eBPF program to load another\neBPF program from within the kernel. In this case the argument union\nbpf_attr pointer (as well as the insns and license pointers inside) is a\nkernel address instead of a userspace address (which is the case of a\nusual bpf() syscall). To make the memory copying process in the syscall\nwork in both cases, bpfptr_t was introduced to wrap around the pointer\nand distinguish its origin. Specifically, when copying memory contents\nfrom a bpfptr_t, a copy_from_user() is performed in case of a userspace\naddress and a memcpy() is performed for a kernel address.\n\nThis can lead to problems because the in-kernel pointer is never checked\nfor validity. The problem happens when an eBPF syscall program tries to\ncall bpf_sys_bpf() to load a program but provides a bad insns pointer --\nsay 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf()\nwhich would then call bpf_prog_load() to load the program.\nbpf_prog_load() is responsible for copying the eBPF instructions to the\nnewly allocated memory for the program; it creates a kernel bpfptr_t for\ninsns and invokes copy_from_bpfptr(). Internally, all bpfptr_t\noperations are backed by the corresponding sockptr_t operations, which\nperforms direct memcpy() on kernel pointers for copy_from/strncpy_from\noperations. Therefore, the code is always happy to dereference the bad\npointer to trigger a un-handle-able page fault and in turn an oops.\nHowever, this is not supposed to happen because at that point the eBPF\nprogram is already verified and should not cause a memory error.\n\nSample KASAN trace:\n\n[   25.685056][  T228] ==================================================================\n[   25.685680][  T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30\n[   25.686210][  T228] Read of size 80 at addr 00000000deadbeef by task poc/228\n[   25.686732][  T228]\n[   25.686893][  T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7\n[   25.687375][  T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014\n[   25.687991][  T228] Call Trace:\n[   25.688223][  T228]  <TASK>\n[   25.688429][  T228]  dump_stack_lvl+0x73/0x9e\n[   25.688747][  T228]  print_report+0xea/0x200\n[   25.689061][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.689401][  T228]  ? _printk+0x54/0x6e\n[   25.689693][  T228]  ? _raw_spin_lock_irqsave+0x70/0xd0\n[   25.690071][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.690412][  T228]  kasan_report+0xb5/0xe0\n[   25.690716][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691059][  T228]  kasan_check_range+0x2bd/0x2e0\n[   25.691405][  T228]  ? copy_from_bpfptr+0x21/0x30\n[   25.691734][  T228]  memcpy+0x25/0x60\n[   25.692000][  T228]  copy_from_bpfptr+0x21/0x30\n[   25.692328][  T228]  bpf_prog_load+0x604/0x9e0\n[   25.692653][  T228]  ? cap_capable+0xb4/0xe0\n[   25.692956][  T228]  ? security_capable+0x4f/0x70\n[   25.693324][  T228]  __sys_bpf+0x3af/0x580\n[   25.693635][  T228]  bpf_sys_bpf+0x45/0x240\n[   25.693937][  T228]  bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd\n[   25.694394][  T228]  bpf_prog_run_pin_on_cpu+0x2f/0xb0\n[   25.694756][  T228]  bpf_prog_test_run_syscall+0x146/0x1c0\n[   25.695144][  T228]  bpf_prog_test_run+0x172/0x190\n[   25.695487][  T228]  __sys_bpf+0x2c5/0x580\n[   25.695776][  T228]  __x64_sys_bpf+0x3a/0x50\n[   25.696084][  T228]  do_syscall_64+0x60/0x90\n[   25.696393][  T228]  ? fpregs_assert_state_consistent+0x50/0x60\n[   25.696815][  T228]  ? exit_to_user_mode_prepare+0x36/0xa0\n[   25.697202][  T228]  ? syscall_exit_to_user_mode+0x20/0x40\n[   25.697586][  T228]  ? do_syscall_64+0x6e/0x90\n[   25.697899][  T228]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   25.698312][  T228] RIP: 0033:0x7f6d543fb759\n[   25.698624][  T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: do not queue data on closed subflows\n\nDipanjan reported a syzbot splat at close time:\n\nWARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153\ninet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153\nModules linked in: uio_ivshmem(OE) uio(E)\nCPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G           OE\n5.19.0-rc6-g2eae0556bb9d #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153\nCode: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91\nf9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 <0f> 0b\ne9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d\nRSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00\nRDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002\nRBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000\nR10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400\nR13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258\nFS:  0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0\nCall Trace:\n <TASK>\n __sk_destruct+0x4f/0x8e0 net/core/sock.c:2067\n sk_destruct+0xbd/0xe0 net/core/sock.c:2112\n __sk_free+0xef/0x3d0 net/core/sock.c:2123\n sk_free+0x78/0xa0 net/core/sock.c:2134\n sock_put include/net/sock.h:1927 [inline]\n __mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351\n __mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828\n mptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586\n process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289\n worker_thread+0x623/0x1070 kernel/workqueue.c:2436\n kthread+0x2e9/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302\n </TASK>\n\nThe root cause of the problem is that an mptcp-level (re)transmit can\nrace with mptcp_close() and the packet scheduler checks the subflow\nstate before acquiring the socket lock: we can try to (re)transmit on\nan already closed ssk.\n\nFix the issue checking again the subflow socket status under the\nsubflow socket lock protection. Additionally add the missing check\nfor the fallback-to-tcp case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: move subflow cleanup in mptcp_destroy_common()\n\nIf the mptcp socket creation fails due to a CGROUP_INET_SOCK_CREATE\neBPF program, the MPTCP protocol ends-up leaking all the subflows:\nthe related cleanup happens in __mptcp_destroy_sock() that is not\ninvoked in such code path.\n\nAddress the issue moving the subflow sockets cleanup in the\nmptcp_destroy_common() helper, which is invoked in every msk cleanup\npath.\n\nAdditionally get rid of the intermediate list_splice_init step, which\nis an unneeded relic from the past.\n\nThe issue is present since before the reported root cause commit, but\nany attempt to backport the fix before that hash will require a complete\nrewrite.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pnfs: Fix a use-after-free bug in open\n\nIf someone cancels the open RPC call, then we must not try to free\neither the open slot or the layoutget operation arguments, since they\nare likely still in use by the hung RPC call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null\n\nFixes a NULL pointer derefence bug triggered from tap driver.\nWhen tap_get_user calls virtio_net_hdr_to_skb the skb->dev is null\n(in tap.c skb->dev is set after the call to virtio_net_hdr_to_skb)\nvirtio_net_hdr_to_skb calls dev_parse_header_protocol which\nneeds skb->dev field to be valid.\n\nThe line that trigers the bug is in dev_parse_header_protocol\n(dev is at offset 0x10 from skb and is stored in RAX register)\n  if (!dev->header_ops || !dev->header_ops->parse_protocol)\n  22e1:   mov    0x10(%rbx),%rax\n  22e5:\t  mov    0x230(%rax),%rax\n\nSetting skb->dev before the call in tap.c fixes the issue.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000230\nRIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap]\nCode: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48\nRSP: 0018:ffffc90005c27c38 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010\nRDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300\nRBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8\nR10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001\nR13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6\nFS:  0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0\nCall Trace:\n tap_get_user+0x3f1/0x540 [tap]\n tap_sendmsg+0x56/0x362 [tap]\n ? get_tx_bufs+0xc2/0x1e0 [vhost_net]\n handle_tx_copy+0x114/0x670 [vhost_net]\n handle_tx+0xb0/0xe0 [vhost_net]\n handle_tx_kick+0x15/0x20 [vhost_net]\n vhost_worker+0x7b/0xc0 [vhost]\n ? vhost_vring_call_reset+0x40/0x40 [vhost]\n kthread+0xfa/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix memleak in aa_simple_write_to_buffer()\n\nWhen copy_from_user failed, the memory is freed by kvfree. however the\nmanagement struct and data blob are allocated independently, so only\nkvfree(data) cause a memleak issue here. Use aa_put_loaddata(data) to\nfix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/eprobes: Have event probes be consistent with kprobes and uprobes\n\nCurrently, if a symbol \"@\" is attempted to be used with an event probe\n(eprobes), it will cause a NULL pointer dereference crash.\n\nBoth kprobes and uprobes can reference data other than the main registers.\nSuch as immediate address, symbols and the current task name. Have eprobes\ndo the same thing.\n\nFor \"comm\", if \"comm\" is used and the event being attached to does not\nhave the \"comm\" field, then make it the \"$comm\" that kprobes has. This is\nconsistent to the way histograms and filters work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory leak on the deferred close\n\nxfstests on smb21 report kmemleak as below:\n\n  unreferenced object 0xffff8881767d6200 (size 64):\n    comm \"xfs_io\", pid 1284, jiffies 4294777434 (age 20.789s)\n    hex dump (first 32 bytes):\n      80 5a d0 11 81 88 ff ff 78 8a aa 63 81 88 ff ff  .Z......x..c....\n      00 71 99 76 81 88 ff ff 00 00 00 00 00 00 00 00  .q.v............\n    backtrace:\n      [<00000000ad04e6ea>] cifs_close+0x92/0x2c0\n      [<0000000028b93c82>] __fput+0xff/0x3f0\n      [<00000000d8116851>] task_work_run+0x85/0xc0\n      [<0000000027e14f9e>] do_exit+0x5e5/0x1240\n      [<00000000fb492b95>] do_group_exit+0x58/0xe0\n      [<00000000129a32d9>] __x64_sys_exit_group+0x28/0x30\n      [<00000000e3f7d8e9>] do_syscall_64+0x35/0x80\n      [<00000000102e8a0b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nWhen cancel the deferred close work, we should also cleanup the struct\ncifs_deferred_close.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix reference count leak in aa_pivotroot()\n\nThe aa_pivotroot() function has a reference counting bug in a specific\npath. When aa_replace_current_label() returns on success, the function\nforgets to decrement the reference count of \u201ctarget\u201d, which is\nincreased earlier by build_pivotroot(), causing a reference leak.\n\nFix it by decreasing the refcount of \u201ctarget\u201d in that path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/eprobes: Do not allow eprobes to use $stack, or % for regs\n\nWhile playing with event probes (eprobes), I tried to see what would\nhappen if I attempted to retrieve the instruction pointer (%rip) knowing\nthat event probes do not use pt_regs. The result was:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000024\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 1847 Comm: trace-cmd Not tainted 5.19.0-rc5-test+ #309\n Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01\nv03.03 07/14/2016\n RIP: 0010:get_event_field.isra.0+0x0/0x50\n Code: ff 48 c7 c7 c0 8f 74 a1 e8 3d 8b f5 ff e8 88 09 f6 ff 4c 89 e7 e8\n50 6a 13 00 48 89 ef 5b 5d 41 5c 41 5d e9 42 6a 13 00 66 90 <48> 63 47 24\n8b 57 2c 48 01 c6 8b 47 28 83 f8 02 74 0e 83 f8 04 74\n RSP: 0018:ffff916c394bbaf0 EFLAGS: 00010086\n RAX: ffff916c854041d8 RBX: ffff916c8d9fbf50 RCX: ffff916c255d2000\n RDX: 0000000000000000 RSI: ffff916c255d2008 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff916c3a2a0c08 R09: ffff916c394bbda8\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff916c854041d8\n R13: ffff916c854041b0 R14: 0000000000000000 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff916c9ea40000(0000)\nknlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000024 CR3: 000000011b60a002 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  get_eprobe_size+0xb4/0x640\n  ? __mod_node_page_state+0x72/0xc0\n  __eprobe_trace_func+0x59/0x1a0\n  ? __mod_lruvec_page_state+0xaa/0x1b0\n  ? page_remove_file_rmap+0x14/0x230\n  ? page_remove_rmap+0xda/0x170\n  event_triggers_call+0x52/0xe0\n  trace_event_buffer_commit+0x18f/0x240\n  trace_event_raw_event_sched_wakeup_template+0x7a/0xb0\n  try_to_wake_up+0x260/0x4c0\n  __wake_up_common+0x80/0x180\n  __wake_up_common_lock+0x7c/0xc0\n  do_notify_parent+0x1c9/0x2a0\n  exit_notify+0x1a9/0x220\n  do_exit+0x2ba/0x450\n  do_group_exit+0x2d/0x90\n  __x64_sys_exit_group+0x14/0x20\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nObviously this is not the desired result.\n\nMove the testing for TPARG_FL_TPOINT which is only used for event probes\nto the top of the \"$\" variable check, as all the other variables are not\nused for event probes. Also add a check in the register parsing \"%\" to\nfail if an event probe is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check correct bounds for stream encoder instances for DCN303\n\n[Why & How]\neng_id for DCN303 cannot be more than 1, since we have only two\ninstances of stream encoders.\n\nCheck the correct boundary condition for engine ID for DCN303 prevent\nthe potential out of bounds access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: add overflow check in register_shm_helper()\n\nWith special lengths supplied by user space, register_shm_helper() has\nan integer overflow when calculating the number of pages covered by a\nsupplied user space memory region.\n\nThis causes internal_get_user_pages_fast() a helper function of\npin_user_pages_fast() to do a NULL pointer dereference:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n  Modules linked in:\n  CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11\n  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n  pc : internal_get_user_pages_fast+0x474/0xa80\n  Call trace:\n   internal_get_user_pages_fast+0x474/0xa80\n   pin_user_pages_fast+0x24/0x4c\n   register_shm_helper+0x194/0x330\n   tee_shm_register_user_buf+0x78/0x120\n   tee_ioctl+0xd0/0x11a0\n   __arm64_sys_ioctl+0xa8/0xec\n   invoke_syscall+0x48/0x114\n\nFix this by adding an an explicit call to access_ok() in\ntee_shm_register_user_buf() to catch an invalid user space address\nearly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix warning in ext4_iomap_begin as race between bmap and write\n\nWe got issue as follows:\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 9310 at fs/ext4/inode.c:3441 ext4_iomap_begin+0x182/0x5d0\nRIP: 0010:ext4_iomap_begin+0x182/0x5d0\nRSP: 0018:ffff88812460fa08 EFLAGS: 00010293\nRAX: ffff88811f168000 RBX: 0000000000000000 RCX: ffffffff97793c12\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: ffff88812c669160 R08: ffff88811f168000 R09: ffffed10258cd20f\nR10: ffff88812c669077 R11: ffffed10258cd20e R12: 0000000000000001\nR13: 00000000000000a4 R14: 000000000000000c R15: ffff88812c6691ee\nFS:  00007fd0d6ff3740(0000) GS:ffff8883af180000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fd0d6dda290 CR3: 0000000104a62000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n iomap_apply+0x119/0x570\n iomap_bmap+0x124/0x150\n ext4_bmap+0x14f/0x250\n bmap+0x55/0x80\n do_vfs_ioctl+0x952/0xbd0\n __x64_sys_ioctl+0xc6/0x170\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nAbove issue may happen as follows:\n          bmap                    write\nbmap\n  ext4_bmap\n    iomap_bmap\n      ext4_iomap_begin\n                            ext4_file_write_iter\n\t\t\t      ext4_buffered_write_iter\n\t\t\t        generic_perform_write\n\t\t\t\t  ext4_da_write_begin\n\t\t\t\t    ext4_da_write_inline_data_begin\n\t\t\t\t      ext4_prepare_inline_data\n\t\t\t\t        ext4_create_inline_data\n\t\t\t\t\t  ext4_set_inode_flag(inode,\n\t\t\t\t\t\tEXT4_INODE_INLINE_DATA);\n      if (WARN_ON_ONCE(ext4_has_inline_data(inode))) ->trigger bug_on\n\nTo solved above issue hold inode lock in ext4_bamp.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix address sanitizer warning in raid_status\n\nThere is this warning when using a kernel with the address sanitizer\nand running this testsuite:\nhttps://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid]\nRead of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319\nCPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6a/0x9c\n print_address_description.constprop.0+0x1f/0x1e0\n print_report.cold+0x55/0x244\n kasan_report+0xc9/0x100\n raid_status+0x1747/0x2820 [dm_raid]\n dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod]\n table_load+0x35c/0x630 [dm_mod]\n ctl_ioctl+0x411/0x630 [dm_mod]\n dm_ctl_ioctl+0xa/0x10 [dm_mod]\n __x64_sys_ioctl+0x12a/0x1a0\n do_syscall_64+0x5b/0x80\n\nThe warning is caused by reading conf->max_nr_stripes in raid_status. The\ncode in raid_status reads mddev->private, casts it to struct r5conf and\nreads the entry max_nr_stripes.\n\nHowever, if we have different raid type than 4/5/6, mddev->private\ndoesn't point to struct r5conf; it may point to struct r0conf, struct\nr1conf, struct r10conf or struct mpconf. If we cast a pointer to one\nof these structs to struct r5conf, we will be reading invalid memory\nand KASAN warns about it.\n\nFix this bug by reading struct r5conf only if raid type is 4, 5 or 6.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm raid: fix address sanitizer warning in raid_resume\n\nThere is a KASAN warning in raid_resume when running the lvm test\nlvconvert-raid.sh. The reason for the warning is that mddev->raid_disks\nis greater than rs->raid_disks, so the loop touches one entry beyond\nthe allocated length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't allow the same type rq_qos add more than once\n\nIn our test of iocost, we encountered some list add/del corruptions of\ninner_walk list in ioc_timer_fn.\n\nThe reason can be described as follows:\n\ncpu 0\t\t\t\t\tcpu 1\nioc_qos_write\t\t\t\tioc_qos_write\n\nioc = q_to_ioc(queue);\nif (!ioc) {\n        ioc = kzalloc();\n\t\t\t\t\tioc = q_to_ioc(queue);\n\t\t\t\t\tif (!ioc) {\n\t\t\t\t\t\tioc = kzalloc();\n\t\t\t\t\t\t...\n\t\t\t\t\t\trq_qos_add(q, rqos);\n\t\t\t\t\t}\n        ...\n        rq_qos_add(q, rqos);\n        ...\n}\n\nWhen the io.cost.qos file is written by two cpus concurrently, rq_qos may\nbe added to one disk twice. In that case, there will be two iocs enabled\nand running on one disk. They own different iocgs on their active list. In\nthe ioc_timer_fn function, because of the iocgs from two iocs have the\nsame root iocg, the root iocg's walk_list may be overwritten by each other\nand this leads to list add/del corruptions in building or destroying the\ninner_walk list.\n\nAnd so far, the blk-rq-qos framework works in case that one instance for\none type rq_qos per queue by default. This patch make this explicit and\nalso fix the crash above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails\n\nWhen scpi probe fails, at any point, we need to ensure that the scpi_info\nis not set and will remain NULL until the probe succeeds. If it is not\ntaken care, then it could result use-after-free as the value is exported\nvia get_scpi_ops() and could refer to a memory allocated via devm_kzalloc()\nbut freed when the probe fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: fix potential memory leak in damon_reclaim_init()\n\ndamon_reclaim_init() allocates a memory chunk for ctx with\ndamon_new_ctx().  When damon_select_ops() fails, ctx is not released,\nwhich will lead to a memory leak.\n\nWe should release the ctx with damon_destroy_ctx() when damon_select_ops()\nfails to fix the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure pages are unlocked on cow_file_range() failure\n\nThere is a hung_task report on zoned btrfs like below.\n\nhttps://github.com/naota/linux/issues/59\n\n  [726.328648] INFO: task rocksdb:high0:11085 blocked for more than 241 seconds.\n  [726.329839]       Not tainted 5.16.0-rc1+ #1\n  [726.330484] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  [726.331603] task:rocksdb:high0   state:D stack:    0 pid:11085 ppid: 11082 flags:0x00000000\n  [726.331608] Call Trace:\n  [726.331611]  <TASK>\n  [726.331614]  __schedule+0x2e5/0x9d0\n  [726.331622]  schedule+0x58/0xd0\n  [726.331626]  io_schedule+0x3f/0x70\n  [726.331629]  __folio_lock+0x125/0x200\n  [726.331634]  ? find_get_entries+0x1bc/0x240\n  [726.331638]  ? filemap_invalidate_unlock_two+0x40/0x40\n  [726.331642]  truncate_inode_pages_range+0x5b2/0x770\n  [726.331649]  truncate_inode_pages_final+0x44/0x50\n  [726.331653]  btrfs_evict_inode+0x67/0x480\n  [726.331658]  evict+0xd0/0x180\n  [726.331661]  iput+0x13f/0x200\n  [726.331664]  do_unlinkat+0x1c0/0x2b0\n  [726.331668]  __x64_sys_unlink+0x23/0x30\n  [726.331670]  do_syscall_64+0x3b/0xc0\n  [726.331674]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [726.331677] RIP: 0033:0x7fb9490a171b\n  [726.331681] RSP: 002b:00007fb943ffac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000057\n  [726.331684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb9490a171b\n  [726.331686] RDX: 00007fb943ffb040 RSI: 000055a6bbe6ec20 RDI: 00007fb94400d300\n  [726.331687] RBP: 00007fb943ffad00 R08: 0000000000000000 R09: 0000000000000000\n  [726.331688] R10: 0000000000000031 R11: 0000000000000246 R12: 00007fb943ffb000\n  [726.331690] R13: 00007fb943ffb040 R14: 0000000000000000 R15: 00007fb943ffd260\n  [726.331693]  </TASK>\n\nWhile we debug the issue, we found running fstests generic/551 on 5GB\nnon-zoned null_blk device in the emulated zoned mode also had a\nsimilar hung issue.\n\nAlso, we can reproduce the same symptom with an error injected\ncow_file_range() setup.\n\nThe hang occurs when cow_file_range() fails in the middle of\nallocation. cow_file_range() called from do_allocation_zoned() can\nsplit the give region ([start, end]) for allocation depending on\ncurrent block group usages. When btrfs can allocate bytes for one part\nof the split regions but fails for the other region (e.g. because of\n-ENOSPC), we return the error leaving the pages in the succeeded regions\nlocked. Technically, this occurs only when @unlock == 0. Otherwise, we\nunlock the pages in an allocated region after creating an ordered\nextent.\n\nConsidering the callers of cow_file_range(unlock=0) won't write out\nthe pages, we can unlock the pages on error exit from\ncow_file_range(). So, we can ensure all the pages except @locked_page\nare unlocked on error case.\n\nIn summary, cow_file_range now behaves like this:\n\n- page_started == 1 (return value)\n  - All the pages are unlocked. IO is started.\n- unlock == 1\n  - All the pages except @locked_page are unlocked in any case\n- unlock == 0\n  - On success, all the pages are locked for writing out them\n  - On failure, all the pages except @locked_page are unlocked",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size\n\nOn zoned filesystem, data write out is limited by max_zone_append_size,\nand a large ordered extent is split according the size of a bio. OTOH,\nthe number of extents to be written is calculated using\nBTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the\nmetadata bytes to update and/or create the metadata items.\n\nThe metadata reservation is done at e.g, btrfs_buffered_write() and then\nreleased according to the estimation changes. Thus, if the number of extent\nincreases massively, the reserved metadata can run out.\n\nThe increase of the number of extents easily occurs on zoned filesystem\nif BTRFS_MAX_EXTENT_SIZE > max_zone_append_size. And, it causes the\nfollowing warning on a small RAM environment with disabling metadata\nover-commit (in the following patch).\n\n[75721.498492] ------------[ cut here ]------------\n[75721.505624] BTRFS: block rsv 1 returned -28\n[75721.512230] WARNING: CPU: 24 PID: 2327559 at fs/btrfs/block-rsv.c:537 btrfs_use_block_rsv+0x560/0x760 [btrfs]\n[75721.581854] CPU: 24 PID: 2327559 Comm: kworker/u64:10 Kdump: loaded Tainted: G        W         5.18.0-rc2-BTRFS-ZNS+ #109\n[75721.597200] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\n[75721.607310] Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n[75721.616209] RIP: 0010:btrfs_use_block_rsv+0x560/0x760 [btrfs]\n[75721.646649] RSP: 0018:ffffc9000fbdf3e0 EFLAGS: 00010286\n[75721.654126] RAX: 0000000000000000 RBX: 0000000000004000 RCX: 0000000000000000\n[75721.663524] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff52001f7be6e\n[75721.672921] RBP: ffffc9000fbdf420 R08: 0000000000000001 R09: ffff889f8d1fc6c7\n[75721.682493] R10: ffffed13f1a3f8d8 R11: 0000000000000001 R12: ffff88980a3c0e28\n[75721.692284] R13: ffff889b66590000 R14: ffff88980a3c0e40 R15: ffff88980a3c0e8a\n[75721.701878] FS:  0000000000000000(0000) GS:ffff889f8d000000(0000) knlGS:0000000000000000\n[75721.712601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[75721.720726] CR2: 000055d12e05c018 CR3: 0000800193594000 CR4: 0000000000350ee0\n[75721.730499] Call Trace:\n[75721.735166]  <TASK>\n[75721.739886]  btrfs_alloc_tree_block+0x1e1/0x1100 [btrfs]\n[75721.747545]  ? btrfs_alloc_logged_file_extent+0x550/0x550 [btrfs]\n[75721.756145]  ? btrfs_get_32+0xea/0x2d0 [btrfs]\n[75721.762852]  ? btrfs_get_32+0xea/0x2d0 [btrfs]\n[75721.769520]  ? push_leaf_left+0x420/0x620 [btrfs]\n[75721.776431]  ? memcpy+0x4e/0x60\n[75721.781931]  split_leaf+0x433/0x12d0 [btrfs]\n[75721.788392]  ? btrfs_get_token_32+0x580/0x580 [btrfs]\n[75721.795636]  ? push_for_double_split.isra.0+0x420/0x420 [btrfs]\n[75721.803759]  ? leaf_space_used+0x15d/0x1a0 [btrfs]\n[75721.811156]  btrfs_search_slot+0x1bc3/0x2790 [btrfs]\n[75721.818300]  ? lock_downgrade+0x7c0/0x7c0\n[75721.824411]  ? free_extent_buffer.part.0+0x107/0x200 [btrfs]\n[75721.832456]  ? split_leaf+0x12d0/0x12d0 [btrfs]\n[75721.839149]  ? free_extent_buffer.part.0+0x14f/0x200 [btrfs]\n[75721.846945]  ? free_extent_buffer+0x13/0x20 [btrfs]\n[75721.853960]  ? btrfs_release_path+0x4b/0x190 [btrfs]\n[75721.861429]  btrfs_csum_file_blocks+0x85c/0x1500 [btrfs]\n[75721.869313]  ? rcu_read_lock_sched_held+0x16/0x80\n[75721.876085]  ? lock_release+0x552/0xf80\n[75721.881957]  ? btrfs_del_csums+0x8c0/0x8c0 [btrfs]\n[75721.888886]  ? __kasan_check_write+0x14/0x20\n[75721.895152]  ? do_raw_read_unlock+0x44/0x80\n[75721.901323]  ? _raw_write_lock_irq+0x60/0x80\n[75721.907983]  ? btrfs_global_root+0xb9/0xe0 [btrfs]\n[75721.915166]  ? btrfs_csum_root+0x12b/0x180 [btrfs]\n[75721.921918]  ? btrfs_get_global_root+0x820/0x820 [btrfs]\n[75721.929166]  ? _raw_write_unlock+0x23/0x40\n[75721.935116]  ? unpin_extent_cache+0x1e3/0x390 [btrfs]\n[75721.942041]  btrfs_finish_ordered_io.isra.0+0xa0c/0x1dc0 [btrfs]\n[75721.949906]  ? try_to_wake_up+0x30/0x14a0\n[75721.955700]  ? btrfs_unlink_subvol+0xda0/0xda0 [btrfs]\n[75721.962661]  ? rcu\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/csd_lock: Change csdlock_debug from early_param to __setup\n\nThe csdlock_debug kernel-boot parameter is parsed by the\nearly_param() function csdlock_debug().  If set, csdlock_debug()\ninvokes static_branch_enable() to enable csd_lock_wait feature, which\ntriggers a panic on arm64 for kernels built with CONFIG_SPARSEMEM=y and\nCONFIG_SPARSEMEM_VMEMMAP=n.\n\nWith CONFIG_SPARSEMEM_VMEMMAP=n, __nr_to_section is called in\nstatic_key_enable() and returns NULL, resulting in a NULL dereference\nbecause mem_section is initialized only later in sparse_init().\n\nThis is also a problem for powerpc because early_param() functions\nare invoked earlier than jump_label_init(), also resulting in\nstatic_key_enable() failures.  These failures cause the warning \"static\nkey 'xxx' used before call to jump_label_init()\".\n\nThus, early_param is too early for csd_lock_wait to run\nstatic_branch_enable(), so changes it to __setup to fix these.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: fix use-after-free crash in dm_sm_register_threshold_callback\n\nFault inject on pool metadata device reports:\n  BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80\n  Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950\n\n  CPU: 7 PID: 950 Comm: dmsetup Tainted: G        W         5.19.0-rc6 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   print_address_description.constprop.0.cold+0xeb/0x3f4\n   kasan_report.cold+0xe6/0x147\n   dm_pool_register_metadata_threshold+0x40/0x80\n   pool_ctr+0xa0a/0x1150\n   dm_table_add_target+0x2c8/0x640\n   table_load+0x1fd/0x430\n   ctl_ioctl+0x2c4/0x5a0\n   dm_ctl_ioctl+0xa/0x10\n   __x64_sys_ioctl+0xb3/0xd0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis can be easily reproduced using:\n  echo offline > /sys/block/sda/device/state\n  dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10\n  dmsetup load pool --table \"0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0\"\n\nIf a metadata commit fails, the transaction will be aborted and the\nmetadata space maps will be destroyed. If a DM table reload then\nhappens for this failed thin-pool, a use-after-free will occur in\ndm_sm_register_threshold_callback (called from\ndm_pool_register_metadata_threshold).\n\nFix this by in dm_pool_register_metadata_threshold() by returning the\n-EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr()\nwith a new error message: \"Error registering metadata threshold\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)\n\nKASAN reports:\n\n[ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)\n[    4.676149][    T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0\n[    4.683454][    T0]\n[    4.685638][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1\n[    4.694331][    T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016\n[    4.703196][    T0] Call Trace:\n[    4.706334][    T0]  <TASK>\n[ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497)\n\nafter converting the type of the first argument (@nr, bit number)\nof arch_test_bit() from `long` to `unsigned long`[0].\n\nUnder certain conditions (for example, when ACPI NUMA is disabled\nvia command line), pxm_to_node() can return %NUMA_NO_NODE (-1).\nIt is valid 'magic' number of NUMA node, but not valid bit number\nto use in bitops.\nnode_online() eventually descends to test_bit() without checking\nfor the input, assuming it's on caller side (which might be good\nfor perf-critical tasks). There, -1 becomes %ULONG_MAX which leads\nto an insane array index when calculating bit position in memory.\n\nFor now, add an explicit check for @node being not %NUMA_NO_NODE\nbefore calling test_bit(). The actual logics didn't change here\nat all.\n\n[0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: trace: fix stack-out-of-bound access in SPMI tracing functions\n\ntrace_spmi_write_begin() and trace_spmi_read_end() both call\nmemcpy() with a length of \"len + 1\".  This leads to one extra\nbyte being read beyond the end of the specified buffer.  Fix\nthis out-of-bound memory access by using a length of \"len\"\ninstead.\n\nHere is a KASAN log showing the issue:\n\nBUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234\nRead of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314\n...\nCall trace:\n dump_backtrace+0x0/0x3e8\n show_stack+0x2c/0x3c\n dump_stack_lvl+0xdc/0x11c\n print_address_description+0x74/0x384\n kasan_report+0x188/0x268\n kasan_check_range+0x270/0x2b0\n memcpy+0x90/0xe8\n trace_event_raw_event_spmi_read_end+0x1d0/0x234\n spmi_read_cmd+0x294/0x3ac\n spmi_ext_register_readl+0x84/0x9c\n regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]\n _regmap_raw_read+0x40c/0x754\n regmap_raw_read+0x3a0/0x514\n regmap_bulk_read+0x418/0x494\n adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]\n ...\n __arm64_sys_read+0x4c/0x60\n invoke_syscall+0x80/0x218\n el0_svc_common+0xec/0x1c8\n ...\n\naddr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:\n adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]\n\nthis frame has 1 object:\n [32, 33) 'status'\n\nMemory state around the buggy address:\n ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1\n ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00\n                                           ^\n ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: Cleanup CPU timers before freeing them during exec\n\nCommit 55e8c8eb2c7b (\"posix-cpu-timers: Store a reference to a pid not a\ntask\") started looking up tasks by PID when deleting a CPU timer.\n\nWhen a non-leader thread calls execve, it will switch PIDs with the leader\nprocess. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find\nthe task because the timer still points out to the old PID.\n\nThat means that armed timers won't be disarmed, that is, they won't be\nremoved from the timerqueue_list. exit_itimers will still release their\nmemory, and when that list is later processed, it leads to a\nuse-after-free.\n\nClean up the timers from the de-threaded task before freeing them. This\nprevents a reported use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kprobes: Update kcb status flag after singlestepping\n\nFix kprobes to update kcb (kprobes control block) status flag to\nKPROBE_HIT_SSDONE even if the kp->post_handler is not set.\n\nThis bug may cause a kernel panic if another INT3 user runs right\nafter kprobes because kprobe_int3_handler() misunderstands the\nINT3 is kprobe's single stepping INT3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: s3fb: Check the size of screen before memset_io()\n\nIn the function s3fb_set_par(), the value of 'screen_size' is\ncalculated by the user input. If the user provides the improper value,\nthe value of 'screen_size' may larger than 'info->screen_size', which\nmay cause the following bug:\n\n[   54.083733] BUG: unable to handle page fault for address: ffffc90003000000\n[   54.083742] #PF: supervisor write access in kernel mode\n[   54.083744] #PF: error_code(0x0002) - not-present page\n[   54.083760] RIP: 0010:memset_orig+0x33/0xb0\n[   54.083782] Call Trace:\n[   54.083788]  s3fb_set_par+0x1ec6/0x4040\n[   54.083806]  fb_set_var+0x604/0xeb0\n[   54.083836]  do_fb_ioctl+0x234/0x670\n\nFix the this by checking the value of 'screen_size' before memset_io().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts\n\nEnsure SRB is returned during I/O timeout error escalation. If that is not\npossible fail the escalation path.\n\nFollowing crash stack was seen:\n\nBUG: unable to handle kernel paging request at 0000002f56aa90f8\nIP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx]\nCall Trace:\n ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx]\n ? qla2x00_start_sp+0x116/0x1170 [qla2xxx]\n ? dma_pool_alloc+0x1d6/0x210\n ? mempool_alloc+0x54/0x130\n ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx]\n ? qla_do_work+0x2d/0x40 [qla2xxx]\n ? process_one_work+0x14c/0x390",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: arkfb: Check the size of screen before memset_io()\n\nIn the function arkfb_set_par(), the value of 'screen_size' is\ncalculated by the user input. If the user provides the improper value,\nthe value of 'screen_size' may larger than 'info->screen_size', which\nmay cause the following bug:\n\n[  659.399066] BUG: unable to handle page fault for address: ffffc90003000000\n[  659.399077] #PF: supervisor write access in kernel mode\n[  659.399079] #PF: error_code(0x0002) - not-present page\n[  659.399094] RIP: 0010:memset_orig+0x33/0xb0\n[  659.399116] Call Trace:\n[  659.399122]  arkfb_set_par+0x143f/0x24c0\n[  659.399130]  fb_set_var+0x604/0xeb0\n[  659.399161]  do_fb_ioctl+0x234/0x670\n[  659.399189]  fb_ioctl+0xdd/0x130\n\nFix the this by checking the value of 'screen_size' before memset_io().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Do not requeue task on CPU excluded from cpus_mask\n\nThe following warning was triggered on a large machine early in boot on\na distribution kernel but the same problem should also affect mainline.\n\n   WARNING: CPU: 439 PID: 10 at ../kernel/workqueue.c:2231 process_one_work+0x4d/0x440\n   Call Trace:\n    <TASK>\n    rescuer_thread+0x1f6/0x360\n    kthread+0x156/0x180\n    ret_from_fork+0x22/0x30\n    </TASK>\n\nCommit c6e7bd7afaeb (\"sched/core: Optimize ttwu() spinning on p->on_cpu\")\noptimises ttwu by queueing a task that is descheduling on the wakelist,\nbut does not check if the task descheduling is still allowed to run on that CPU.\n\nIn this warning, the problematic task is a workqueue rescue thread which\nchecks if the rescue is for a per-cpu workqueue and running on the wrong CPU.\nWhile this is early in boot and it should be possible to create workers,\nthe rescue thread may still used if the MAYDAY_INITIAL_TIMEOUT is reached\nor MAYDAY_INTERVAL and on a sufficiently large machine, the rescue\nthread is being used frequently.\n\nTracing confirmed that the task should have migrated properly using the\nstopper thread to handle the migration. However, a parallel wakeup from udev\nrunning on another CPU that does not share CPU cache observes p->on_cpu and\nuses task_cpu(p), queues the task on the old CPU and triggers the warning.\n\nCheck that the wakee task that is descheduling is still allowed to run\non its current CPU and if not, wait for the descheduling to complete\nand select an allowed CPU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: vt8623fb: Check the size of screen before memset_io()\n\nIn the function vt8623fb_set_par(), the value of 'screen_size' is\ncalculated by the user input. If the user provides the improper value,\nthe value of 'screen_size' may larger than 'info->screen_size', which\nmay cause the following bug:\n\n[  583.339036] BUG: unable to handle page fault for address: ffffc90005000000\n[  583.339049] #PF: supervisor write access in kernel mode\n[  583.339052] #PF: error_code(0x0002) - not-present page\n[  583.339074] RIP: 0010:memset_orig+0x33/0xb0\n[  583.339110] Call Trace:\n[  583.339118]  vt8623fb_set_par+0x11cd/0x21e0\n[  583.339146]  fb_set_var+0x604/0xeb0\n[  583.339181]  do_fb_ioctl+0x234/0x670\n[  583.339209]  fb_ioctl+0xdd/0x130\n\nFix the this by checking the value of 'screen_size' before memset_io().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()\n\nSince the user can control the arguments of the ioctl() from the user\nspace, under special arguments that may result in a divide-by-zero bug\nin:\n  drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);\nwith hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.\nand then in:\n  drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock);\nwe'll get a division-by-zero.\n\nThe following log can reveal it:\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nRIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]\nRIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784\nCall Trace:\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189\n\nFix this by checking the argument of ark_set_pixclock() first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed\n\nWith cgroup v2, the cpuset's cpus_allowed mask can be empty indicating\nthat the cpuset will just use the effective CPUs of its parent. So\ncpuset_can_attach() can call task_can_attach() with an empty mask.\nThis can lead to cpumask_any_and() returns nr_cpu_ids causing the call\nto dl_bw_of() to crash due to percpu value access of an out of bound\nCPU value. For example:\n\n\t[80468.182258] BUG: unable to handle page fault for address: ffffffff8b6648b0\n\t  :\n\t[80468.191019] RIP: 0010:dl_cpu_busy+0x30/0x2b0\n\t  :\n\t[80468.207946] Call Trace:\n\t[80468.208947]  cpuset_can_attach+0xa0/0x140\n\t[80468.209953]  cgroup_migrate_execute+0x8c/0x490\n\t[80468.210931]  cgroup_update_dfl_csses+0x254/0x270\n\t[80468.211898]  cgroup_subtree_control_write+0x322/0x400\n\t[80468.212854]  kernfs_fop_write_iter+0x11c/0x1b0\n\t[80468.213777]  new_sync_write+0x11f/0x1b0\n\t[80468.214689]  vfs_write+0x1eb/0x280\n\t[80468.215592]  ksys_write+0x5f/0xe0\n\t[80468.216463]  do_syscall_64+0x5c/0x80\n\t[80468.224287]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFix that by using effective_cpus instead. For cgroup v1, effective_cpus\nis the same as cpus_allowed. For v2, effective_cpus is the real cpumask\nto be used by tasks within the cpuset anyway.\n\nAlso update task_can_attach()'s 2nd argument name to cs_effective_cpus to\nreflect the change. In addition, a check is added to task_can_attach()\nto guard against the possibility that cpumask_any_and() may return a\nvalue >= nr_cpu_ids.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive: Fix refcount leak in xive_get_max_prio\n\nof_find_node_by_path() returns a node pointer with\nrefcount incremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/spufs: Fix refcount leak in spufs_init_isolated_loader\n\nof_find_node_by_path() returns remote device nodepointer with\nrefcount incremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address\n\nof_get_next_parent() returns a node pointer with refcount incremented,\nwe should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() in the error path to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory leak when using fscache\n\nIf we hit the 'index == next_cached' case, we leak a refcount on the\nstruct page.  Fix this by using readahead_folio() which takes care of\nthe refcount for you.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: max77620: Fix refcount leak in max77620_initialise_fps\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: amba-clcd: Fix refcount leak bugs\n\nIn clcdfb_of_init_display(), we should call of_node_put() for the\nreferences returned by of_graph_get_next_endpoint() and\nof_graph_get_remote_port_parent() which have increased the refcount.\n\nBesides, we should call of_node_put() both in fail path or when\nthe references are not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: sp5100_tco: Fix a memory leak of EFCH MMIO resource\n\nUnlike release_mem_region(), a call to release_resource() does not\nfree the resource, so it has to be freed explicitly to avoid a memory\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mt6359: Fix refcount leak bug\n\nIn mt6359_parse_dt() and mt6359_accdet_parse_dt(), we should call\nof_node_put() for the reference returned by of_get_child_by_name()\nwhich has increased the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoc: audio-graph-card2: Fix refcount leak bug in __graph_get_type()\n\nWe should call of_node_put() for the reference before its replacement\nas it returned by of_get_parent() which has increased the refcount.\nBesides, we should also call of_node_put() before return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 9p: fix refcount leak in p9_read_work() error handling\n\np9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid\ntemporary refcount leak.\n\n[Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes\n\nWe have sanity checks for byte controls and if any of the fail the locally\nallocated scontrol->ipc_control_data is freed up, but not set to NULL.\n\nOn a rollback path of the error the higher level code will also try to free\nthe scontrol->ipc_control_data which will eventually going to lead to\nmemory corruption as double freeing memory is not a good thing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix deadlock and link starvation in outgoing data path\n\nThe current implementation queues up new control and user packets as needed\nand processes this queue down to the ldisc in the same code path.\nThat means that the upper and the lower layer are hard coupled in the code.\nDue to this deadlocks can happen as seen below while transmitting data,\nespecially during ldisc congestion. Furthermore, the data channels starve\nthe control channel on high transmission load on the ldisc.\n\nIntroduce an additional control channel data queue to prevent timeouts and\nlink hangups during ldisc congestion. This is being processed before the\nuser channel data queue in gsm_data_kick(), i.e. with the highest priority.\nPut the queue to ldisc data path into a workqueue and trigger it whenever\nnew data has been put into the transmission queue. Change\ngsm_dlci_data_sweep() accordingly to fill up the transmission queue until\nTX_THRESH_HI. This solves the locking issue, keeps latency low and provides\ngood performance on high data load.\nNote that now all packets from a DLCI are removed from the internal queue\nif the associated DLCI was closed. This ensures that no data is sent by the\nintroduced write task to an already closed DLCI.\n\nBUG: spinlock recursion on CPU#0, test_v24_loop/124\n lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0\nCPU: 0 PID: 124 Comm: test_v24_loop Tainted: G           O      5.18.0-rc2 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x34/0x44\n do_raw_spin_lock+0x76/0xa0\n _raw_spin_lock_irqsave+0x72/0x80\n uart_write_room+0x3b/0xc0\n gsm_data_kick+0x14b/0x240 [n_gsm]\n gsmld_write_wakeup+0x35/0x70 [n_gsm]\n tty_wakeup+0x53/0x60\n tty_port_default_wakeup+0x1b/0x30\n serial8250_tx_chars+0x12f/0x220\n serial8250_handle_irq.part.0+0xfe/0x150\n serial8250_default_handle_irq+0x48/0x80\n serial8250_interrupt+0x56/0xa0\n __handle_irq_event_percpu+0x78/0x1f0\n handle_irq_event+0x34/0x70\n handle_fasteoi_irq+0x90/0x1e0\n __common_interrupt+0x69/0x100\n common_interrupt+0x48/0xc0\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:__do_softirq+0x83/0x34e\nCode: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d\ne2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61\n80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00\nRSP: 0018:ffffc90000003f98 EFLAGS: 00000286\nRAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7\nRBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000\n ? __do_softirq+0x73/0x34e\n irq_exit_rcu+0xb5/0x100\n common_interrupt+0xa4/0xc0\n </IRQ>\n <TASK>\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50\nCode: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff\n48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 <e8> 3d 97 33 ff\n65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44\nRSP: 0018:ffffc9000020fd08 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000\nRDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001\nRBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8\n ? _raw_spin_unlock_irqrestore+0x23/0x50\n gsmtty_write+0x65/0x80 [n_gsm]\n n_tty_write+0x33f/0x530\n ? swake_up_all+0xe0/0xe0\n file_tty_write.constprop.0+0x1b1/0x320\n ? n_tty_flush_buffer+0xb0/0xb0\n new_sync_write+0x10c/0x190\n vfs_write+0x282/0x310\n ksys_write+0x68/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f3e5e35c15c\nCode: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio: Split migration ops from main device ops\n\nvfio core checks whether the driver sets some migration op (e.g.\nset_state/get_state) and accordingly calls its op.\n\nHowever, currently mlx5 driver sets the above ops without regards to its\nmigration caps.\n\nThis might lead to unexpected usage/Oops if user space may call to the\nabove ops even if the driver doesn't support migration. As for example,\nthe migration state_mutex is not initialized in that case.\n\nThe cleanest way to manage that seems to split the migration ops from\nthe main device ops, this will let the driver setting them separately\nfrom the main ops when it's applicable.\n\nAs part of that, validate ops construction on registration and include a\ncheck for VFIO_MIGRATION_STOP_COPY since the uAPI claims it must be set\nin migration_flags.\n\nHISI driver was changed as well to match this scheme.\n\nThis scheme may enable down the road to come with some extra group of\nops (e.g. DMA log) that can be set without regards to the other options\nbased on driver caps.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable\n\ncommit 2c9ac51b850d (\"powerpc/perf: Fix PMU callbacks to clear\npending PMI before resetting an overflown PMC\") added a new\nfunction \"pmi_irq_pending\" in hw_irq.h. This function is to check\nif there is a PMI marked as pending in Paca (PACA_IRQ_PMI).This is\nused in power_pmu_disable in a WARN_ON. The intention here is to\nprovide a warning if there is PMI pending, but no counter is found\noverflown.\n\nDuring some of the perf runs, below warning is hit:\n\nWARNING: CPU: 36 PID: 0 at arch/powerpc/perf/core-book3s.c:1332 power_pmu_disable+0x25c/0x2c0\n Modules linked in:\n -----\n\n NIP [c000000000141c3c] power_pmu_disable+0x25c/0x2c0\n LR [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0\n Call Trace:\n [c000000baffcfb90] [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 (unreliable)\n [c000000baffcfc10] [c0000000003e2f8c] perf_pmu_disable+0x4c/0x60\n [c000000baffcfc30] [c0000000003e3344] group_sched_out.part.124+0x44/0x100\n [c000000baffcfc80] [c0000000003e353c] __perf_event_disable+0x13c/0x240\n [c000000baffcfcd0] [c0000000003dd334] event_function+0xc4/0x140\n [c000000baffcfd20] [c0000000003d855c] remote_function+0x7c/0xa0\n [c000000baffcfd50] [c00000000026c394] flush_smp_call_function_queue+0xd4/0x300\n [c000000baffcfde0] [c000000000065b24] smp_ipi_demux_relaxed+0xa4/0x100\n [c000000baffcfe20] [c0000000000cb2b0] xive_muxed_ipi_action+0x20/0x40\n [c000000baffcfe40] [c000000000207c3c] __handle_irq_event_percpu+0x8c/0x250\n [c000000baffcfee0] [c000000000207e2c] handle_irq_event_percpu+0x2c/0xa0\n [c000000baffcff10] [c000000000210a04] handle_percpu_irq+0x84/0xc0\n [c000000baffcff40] [c000000000205f14] generic_handle_irq+0x54/0x80\n [c000000baffcff60] [c000000000015740] __do_irq+0x90/0x1d0\n [c000000baffcff90] [c000000000016990] __do_IRQ+0xc0/0x140\n [c0000009732f3940] [c000000bafceaca8] 0xc000000bafceaca8\n [c0000009732f39d0] [c000000000016b78] do_IRQ+0x168/0x1c0\n [c0000009732f3a00] [c0000000000090c8] hardware_interrupt_common_virt+0x218/0x220\n\nThis means that there is no PMC overflown among the active events\nin the PMU, but there is a PMU pending in Paca. The function\n\"any_pmc_overflown\" checks the PMCs on active events in\ncpuhw->n_events. Code snippet:\n\n<<>>\nif (any_pmc_overflown(cpuhw))\n \tclear_pmi_irq_pending();\n else\n \tWARN_ON(pmi_irq_pending());\n<<>>\n\nHere the PMC overflown is not from active event. Example: When we do\nperf record, default cycles and instructions will be running on PMC6\nand PMC5 respectively. It could happen that overflowed event is currently\nnot active and pending PMI is for the inactive event. Debug logs from\ntrace_printk:\n\n<<>>\nany_pmc_overflown: idx is 5: pmc value is 0xd9a\npower_pmu_disable: PMC1: 0x0, PMC2: 0x0, PMC3: 0x0, PMC4: 0x0, PMC5: 0xd9a, PMC6: 0x80002011\n<<>>\n\nHere active PMC (from idx) is PMC5 , but overflown PMC is PMC6(0x80002011).\nWhen we handle PMI interrupt for such cases, if the PMC overflown is\nfrom inactive event, it will be ignored. Reference commit:\ncommit bc09c219b2e6 (\"powerpc/perf: Fix finding overflowed PMC in interrupt\")\n\nPatch addresses two changes:\n1) Fix 1 : Removal of warning ( WARN_ON(pmi_irq_pending()); )\n   We were printing warning if no PMC is found overflown among active PMU\n   events, but PMI pending in PACA. But this could happen in cases where\n   PMC overflown is not in active PMC. An inactive event could have caused\n   the overflow. Hence the warning is not needed. To know pending PMI is\n   from an inactive event, we need to loop through all PMC's which will\n   cause more SPR reads via mfspr and increase in context switch. Also in\n   existing function: perf_event_interrupt, already we ignore PMI's\n   overflown when it is from an inactive PMC.\n\n2) Fix 2: optimization in clearing pending PMI.\n   Currently we check for any active PMC overflown before clearing PMI\n   pending in Paca. This is causing additional SP\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: Fix possible refcount leak in rpmsg_register_device_override()\n\nrpmsg_register_device_override need to call put_device to free vch when\ndriver_set_override fails.\n\nFix this by adding a put_device() to the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Fix refcount leak in imx_rproc_addr_init\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\nThis function has two paths missing of_node_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init\n\nEvery iteration of for_each_available_child_of_node() decrements\nthe reference count of the previous node.\nWhen breaking early from a for_each_available_child_of_node() loop,\nwe need to explicitly call of_node_put() on the child node.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nFix refcount leak in some error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nFix missing of_node_put() in error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: cros_ec_codec: Fix refcount leak in cros_ec_codec_platform_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted\n\nFollowing process will fail assertion 'jh->b_frozen_data == NULL' in\njbd2_journal_dirty_metadata():\n\n                   jbd2_journal_commit_transaction\nunlink(dir/a)\n jh->b_transaction = trans1\n jh->b_jlist = BJ_Metadata\n                    journal->j_running_transaction = NULL\n                    trans1->t_state = T_COMMIT\nunlink(dir/b)\n handle->h_trans = trans2\n do_get_write_access\n  jh->b_modified = 0\n  jh->b_frozen_data = frozen_buffer\n  jh->b_next_transaction = trans2\n jbd2_journal_dirty_metadata\n  is_handle_aborted\n   is_journal_aborted // return false\n\n           --> jbd2 abort <--\n\n                     while (commit_transaction->t_buffers)\n                      if (is_journal_aborted)\n                       jbd2_journal_refile_buffer\n                        __jbd2_journal_refile_buffer\n                         WRITE_ONCE(jh->b_transaction,\n\t\t\t\t\t\tjh->b_next_transaction)\n                         WRITE_ONCE(jh->b_next_transaction, NULL)\n                         __jbd2_journal_file_buffer(jh, BJ_Reserved)\n        J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !\n\nThe reproducer (See detail in [Link]) reports:\n ------------[ cut here ]------------\n kernel BUG at fs/jbd2/transaction.c:1629!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 2 PID: 584 Comm: unlink Tainted: G        W\n 5.19.0-rc6-00115-g4a57a8400075-dirty #697\n RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470\n RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202\n Call Trace:\n  <TASK>\n  __ext4_handle_dirty_metadata+0xa0/0x290\n  ext4_handle_dirty_dirblock+0x10c/0x1d0\n  ext4_delete_entry+0x104/0x200\n  __ext4_unlink+0x22b/0x360\n  ext4_unlink+0x275/0x390\n  vfs_unlink+0x20b/0x4c0\n  do_unlinkat+0x42f/0x4c0\n  __x64_sys_unlink+0x37/0x50\n  do_syscall_64+0x35/0x80\n\nAfter journal aborting, __jbd2_journal_refile_buffer() is executed with\nholding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()'\ninto the area protected by @jh->b_state_lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix error unwind in rxe_create_qp()\n\nIn the function rxe_create_qp(), rxe_qp_from_init() is called to\ninitialize qp, internally things like the spin locks are not setup until\nrxe_qp_init_req().\n\nIf an error occures before this point then the unwind will call\nrxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()\nwhich will oops when trying to access the uninitialized spinlock.\n\nMove the spinlock initializations earlier before any failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Fix a use-after-free\n\nChange the LIO port members inside struct srpt_port from regular members\ninto pointers. Allocate the LIO port data structures from inside\nsrpt_make_tport() and free these from inside srpt_make_tport(). Keep\nstruct srpt_device as long as either an RDMA port or a LIO target port is\nassociated with it. This patch decouples the lifetime of struct srpt_port\n(controlled by the RDMA core) and struct srpt_port_id (controlled by LIO).\nThis patch fixes the following KASAN complaint:\n\n  BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt]\n  Read of size 8 at addr ffff888141cc34b8 by task check/5093\n\n  Call Trace:\n   <TASK>\n   show_stack+0x4e/0x53\n   dump_stack_lvl+0x51/0x66\n   print_address_description.constprop.0.cold+0xea/0x41e\n   print_report.cold+0x90/0x205\n   kasan_report+0xb9/0xf0\n   __asan_load8+0x69/0x90\n   srpt_enable_tpg+0x31/0x70 [ib_srpt]\n   target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod]\n   configfs_write_iter+0x18b/0x210\n   new_sync_write+0x1f2/0x2f0\n   vfs_write+0x3e3/0x540\n   ksys_write+0xbb/0x140\n   __x64_sys_write+0x42/0x50\n   do_syscall_64+0x34/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: fbtft: core: set smem_len before fb_deferred_io_init call\n\nThe fbtft_framebuffer_alloc() calls fb_deferred_io_init() before\ninitializing info->fix.smem_len.  It is set to zero by the\nframebuffer_alloc() function.  It will trigger a WARN_ON() at the\nstart of fb_deferred_io_init() and the function will not do anything.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: mcp2221: prevent a buffer overflow in mcp_smbus_write()\n\nSmatch Warning:\ndrivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()\n'&mcp->txbuf[5]' too small (59 vs 255)\ndrivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'\ntoo small (34 vs 255)\n\nThe 'len' variable can take a value between 0-255 as it can come from\ndata->block[0] and it is user data. So add an bound check to prevent a\nbuffer overflow in memcpy().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: change place of 'priv_ep' assignment in cdns3_gadget_ep_dequeue(), cdns3_gadget_ep_enable()\n\nIf 'ep' is NULL, result of ep_to_cdns3_ep(ep) is invalid pointer\nand its dereference with priv_ep->cdns3_dev may cause panic.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci_plat_remove: avoid NULL dereference\n\nSince commit 4736ebd7fcaff1eb8481c140ba494962847d6e0a (\"usb: host:\nxhci-plat: omit shared hcd if either root hub has no ports\")\nxhci->shared_hcd can be NULL, which causes the following Oops\non reboot:\n\n[  710.124450] systemd-shutdown[1]: Rebooting.\n[  710.298861] xhci-hcd xhci-hcd.2.auto: remove, state 4\n[  710.304217] usb usb3: USB disconnect, device number 1\n[  710.317441] xhci-hcd xhci-hcd.2.auto: USB bus 3 deregistered\n[  710.323280] xhci-hcd xhci-hcd.2.auto: remove, state 1\n[  710.328401] usb usb2: USB disconnect, device number 1\n[  710.333515] usb 2-3: USB disconnect, device number 2\n[  710.467649] xhci-hcd xhci-hcd.2.auto: USB bus 2 deregistered\n[  710.475450] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003b8\n[  710.484425] Mem abort info:\n[  710.487265]   ESR = 0x0000000096000004\n[  710.491060]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  710.496427]   SET = 0, FnV = 0\n[  710.499525]   EA = 0, S1PTW = 0\n[  710.502716]   FSC = 0x04: level 0 translation fault\n[  710.507648] Data abort info:\n[  710.510577]   ISV = 0, ISS = 0x00000004\n[  710.514462]   CM = 0, WnR = 0\n[  710.517480] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b0050000\n[  710.523976] [00000000000003b8] pgd=0000000000000000, p4d=0000000000000000\n[  710.530961] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[  710.536551] Modules linked in: rfkill input_leds snd_soc_simple_card snd_soc_simple_card_utils snd_soc_nau8822 designware_i2s snd_soc_core dw_hdmi_ahb_audio snd_pcm_dmaengine arm_ccn panfrost ac97_bus gpu_sched snd_pcm at24 fuse configfs sdhci_of_dwcmshc sdhci_pltfm sdhci nvme led_class mmc_core nvme_core bt1_pvt polynomial tp_serio snd_seq_midi snd_seq_midi_event snd_seq snd_timer snd_rawmidi snd_seq_device snd soundcore efivarfs ipv6\n[  710.575286] CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 5.19.0-rc7-00043-gfd8619f4fd54 #1\n[  710.583822] Hardware name: T-Platforms TF307-MB/BM1BM1-A, BIOS 5.6 07/06/2022\n[  710.590972] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  710.597949] pc : usb_remove_hcd+0x34/0x1e4\n[  710.602067] lr : xhci_plat_remove+0x74/0x140\n[  710.606351] sp : ffff800009f3b7c0\n[  710.609674] x29: ffff800009f3b7c0 x28: ffff000800960040 x27: 0000000000000000\n[  710.616833] x26: ffff800008dc22a0 x25: 0000000000000000 x24: 0000000000000000\n[  710.623992] x23: 0000000000000000 x22: ffff000805465810 x21: ffff000805465800\n[  710.631149] x20: ffff000800f80000 x19: 0000000000000000 x18: ffffffffffffffff\n[  710.638307] x17: ffff000805096000 x16: ffff00080633b800 x15: ffff000806537a1c\n[  710.645465] x14: 0000000000000001 x13: 0000000000000000 x12: ffff00080378d6f0\n[  710.652621] x11: ffff00080041a900 x10: ffff800009b204e8 x9 : ffff8000088abaa4\n[  710.659779] x8 : ffff000800960040 x7 : ffff800009409000 x6 : 0000000000000001\n[  710.666936] x5 : ffff800009241000 x4 : ffff800009241440 x3 : 0000000000000000\n[  710.674094] x2 : ffff000800960040 x1 : ffff000800960040 x0 : 0000000000000000\n[  710.681251] Call trace:\n[  710.683704]  usb_remove_hcd+0x34/0x1e4\n[  710.687467]  xhci_plat_remove+0x74/0x140\n[  710.691400]  platform_remove+0x34/0x70\n[  710.695165]  device_remove+0x54/0x90\n[  710.698753]  device_release_driver_internal+0x200/0x270\n[  710.703992]  device_release_driver+0x24/0x30\n[  710.708273]  bus_remove_device+0xe0/0x16c\n[  710.712293]  device_del+0x178/0x390\n[  710.715797]  platform_device_del.part.0+0x24/0x90\n[  710.720514]  platform_device_unregister+0x30/0x50\n[  710.725232]  dwc3_host_exit+0x20/0x30\n[  710.728907]  dwc3_remove+0x174/0x1b0\n[  710.732494]  platform_remove+0x34/0x70\n[  710.736254]  device_remove+0x54/0x90\n[  710.739840]  device_release_driver_internal+0x200/0x270\n[  710.745078]  device_release_driver+0x24/0x30\n[  710.749359]  bus_remove_device+0xe0/0x16c\n[  710.753380]  device_del+0x178/0x390\n[  710.756881]  platform_device_del.part\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: fix potential memory leak in setup_base_ctxt()\n\nsetup_base_ctxt() allocates a memory chunk for uctxt->groups with\nhfi1_alloc_ctxt_rcv_groups(). When init_user_ctxt() fails, uctxt->groups\nis not released, which will lead to a memory leak.\n\nWe should release the uctxt->groups with hfi1_free_ctxt_rcv_groups()\nwhen init_user_ctxt() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup\n\nThe function rxe_create_qp calls rxe_qp_from_init. If some error\noccurs, the error handler of function rxe_qp_from_init will set\nboth scq and rcq to NULL.\n\nThen rxe_create_qp calls rxe_put to handle qp. In the end,\nrxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly\naccesses scq and rcq before checking them. This will cause\nnull-ptr-deref error.\n\nThe call graph is as below:\n\nrxe_create_qp {\n  ...\n  rxe_qp_from_init {\n    ...\n  err1:\n    ...\n    qp->rcq = NULL;  <---rcq is set to NULL\n    qp->scq = NULL;  <---scq is set to NULL\n    ...\n  }\n\nqp_init:\n  rxe_put{\n    ...\n    rxe_qp_do_cleanup {\n      ...\n      atomic_dec(&qp->scq->num_wq); <--- scq is accessed\n      ...\n      atomic_dec(&qp->rcq->num_wq); <--- rcq is accessed\n    }\n}",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event\n\nIf siw_recv_mpa_rr returns -EAGAIN, it means that the MPA reply hasn't\nbeen received completely, and should not report IW_CM_EVENT_CONNECT_REPLY\nin this case. This may trigger a call trace in iw_cm. A simple way to\ntrigger this:\n server: ib_send_lat\n client: ib_send_lat -R <server_ip>\n\nThe call trace looks like this:\n\n kernel BUG at drivers/infiniband/core/iwcm.c:894!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n <...>\n Workqueue: iw_cm_wq cm_work_handler [iw_cm]\n Call Trace:\n  <TASK>\n  cm_work_handler+0x1dd/0x370 [iw_cm]\n  process_one_work+0x1e2/0x3b0\n  worker_thread+0x49/0x2e0\n  ? rescuer_thread+0x370/0x370\n  kthread+0xe5/0x110\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix a window for use-after-free\n\nDuring a destroy CQ an interrupt may cause processing of a CQE after CQ\nresources are freed by irdma_cq_free_rsrc(). Fix this by moving the call\nto irdma_cq_free_rsrc() after the irdma_sc_cleanup_ceqes(), which is\ncalled under the cq_lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix potential memory leak in __qedr_alloc_mr()\n\n__qedr_alloc_mr() allocates a memory chunk for \"mr->info.pbl_table\" with\ninit_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, \"mr\"\nis released while \"mr->info.pbl_table\" is not released, which will lead\nto a memory leak.\n\nWe should release the \"mr->info.pbl_table\" with qedr_free_pbl() when error\noccurs to fix the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aspeed-vhub: Fix refcount leak bug in ast_vhub_init_desc()\n\nWe should call of_node_put() for the reference returned by\nof_get_child_by_name() which has increased the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick/ms_block: Fix a memory leak\n\n'erased_blocks_bitmap' is never freed. As it is allocated at the same time\nas 'used_blocks_bitmap', it is likely that it should be freed also at the\nsame time.\n\nAdd the corresponding bitmap_free() in msb_data_clear().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() checks null pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: msu: Fix vmalloced buffers\n\nAfter commit f5ff79fddf0e (\"dma-mapping: remove CONFIG_DMA_REMAP\") there's\na chance of DMA buffer getting allocated via vmalloc(), which messes up\nthe mmapping code:\n\n> RIP: msc_mmap_fault [intel_th_msu]\n> Call Trace:\n>  <TASK>\n>  __do_fault\n>  do_fault\n...\n\nFix this by accounting for vmalloc possibility.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: Fix a resource leak in an error handling path\n\nIf an error occurs after calling 'pci_alloc_irq_vectors()',\n'pci_free_irq_vectors()' must be called as already done in the remove\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: revisit driver bind/unbind and callbacks\n\nIn the SoundWire probe, we store a pointer from the driver ops into\nthe 'slave' structure. This can lead to kernel oopses when unbinding\ncodec drivers, e.g. with the following sequence to remove machine\ndriver and codec driver.\n\n/sbin/modprobe -r snd_soc_sof_sdw\n/sbin/modprobe -r snd_soc_rt711\n\nThe full details can be found in the BugLink below, for reference the\ntwo following examples show different cases of driver ops/callbacks\nbeing invoked after the driver .remove().\n\nkernel: BUG: kernel NULL pointer dereference, address: 0000000000000150\nkernel: Workqueue: events cdns_update_slave_status_work [soundwire_cadence]\nkernel: RIP: 0010:mutex_lock+0x19/0x30\nkernel: Call Trace:\nkernel:  ? sdw_handle_slave_status+0x426/0xe00 [soundwire_bus 94ff184bf398570c3f8ff7efe9e32529f532e4ae]\nkernel:  ? newidle_balance+0x26a/0x400\nkernel:  ? cdns_update_slave_status_work+0x1e9/0x200 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82]\n\nkernel: BUG: unable to handle page fault for address: ffffffffc07654c8\nkernel: Workqueue: pm pm_runtime_work\nkernel: RIP: 0010:sdw_bus_prep_clk_stop+0x6f/0x160 [soundwire_bus]\nkernel: Call Trace:\nkernel:  <TASK>\nkernel:  sdw_cdns_clock_stop+0xb5/0x1b0 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82]\nkernel:  intel_suspend_runtime+0x5f/0x120 [soundwire_intel aca858f7c87048d3152a4a41bb68abb9b663a1dd]\nkernel:  ? dpm_sysfs_remove+0x60/0x60\n\nThis was not detected earlier in Intel tests since the tests first\nremove the parent PCI device and shut down the bus. 
The sequence\nabove is a corner case which keeps the bus operational but without a\ndriver bound.\n\nWhile trying to solve this kernel oopses, it became clear that the\nexisting SoundWire bus does not deal well with the unbind case.\n\nCommit 528be501b7d4a (\"soundwire: sdw_slave: add probe_complete structure and new fields\")\nadded a 'probed' status variable and a 'probe_complete'\nstruct completion. This status is however not reset on remove and\nlikewise the 'probe complete' is not re-initialized, so the\nbind/unbind/bind test cases would fail. The timeout used before the\n'update_status' callback was also a bad idea in hindsight, there\nshould really be no timing assumption as to if and when a driver is\nbound to a device.\n\nAn initial draft was based on device_lock() and device_unlock() was\ntested. This proved too complicated, with deadlocks created during the\nsuspend-resume sequences, which also use the same device_lock/unlock()\nas the bind/unbind sequences. On a CometLake device, a bad DSDT/BIOS\ncaused spurious resumes and the use of device_lock() caused hangs\nduring suspend. After multiple weeks or testing and painful\nreverse-engineering of deadlocks on different devices, we looked for\nalternatives that did not interfere with the device core.\n\nA bus notifier was used successfully to keep track of DRIVER_BOUND and\nDRIVER_UNBIND events. This solved the bind-unbind-bind case in tests,\nbut it can still be defeated with a theoretical corner case where the\nmemory is freed by a .remove while the callback is in use. The\nnotifier only helps make sure the driver callbacks are valid, but not\nthat the memory allocated in probe remains valid while the callbacks\nare invoked.\n\nThis patch suggests the introduction of a new 'sdw_dev_lock' mutex\nprotecting probe/remove and all driver callbacks. Since this mutex is\n'local' to SoundWire only, it does not interfere with existing locks\nand does not create deadlocks. 
In addition, this patch removes the\n'probe_complete' completion, instead we directly invoke the\n'update_status' from the probe routine. That removes any sort of\ntiming dependency and a much better support for the device/driver\nmodel, the driver could be bound before the bus started, or eons after\nthe bus started and the hardware would be properly initialized in all\ncases.\n\nBugLink: https://github.com/thesofproject/linux/is\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sf-pdma: Add multithread support for a DMA channel\n\nWhen we get a DMA channel and try to use it in multiple threads it\nwill cause oops and hanging the system.\n\n% echo 64 > /sys/module/dmatest/parameters/threads_per_chan\n% echo 10000 > /sys/module/dmatest/parameters/iterations\n% echo 1 > /sys/module/dmatest/parameters/run\n[   89.480664] Unable to handle kernel NULL pointer dereference at virtual\n               address 00000000000000a0\n[   89.488725] Oops [#1]\n[   89.494708] CPU: 2 PID: 1008 Comm: dma0chan0-copy0 Not tainted\n               5.17.0-rc5\n[   89.509385] epc : vchan_find_desc+0x32/0x46\n[   89.513553]  ra : sf_pdma_tx_status+0xca/0xd6\n\nThis happens because of data race. Each thread rewrite channels's\ndescriptor as soon as device_prep_dma_memcpy() is called. It leads to the\nsituation when the driver thinks that it uses right descriptor that\nactually is freed or substituted for other one.\n\nWith current fixes a descriptor changes its value only when it has\nbeen used. A new descriptor is acquired from vc->desc_issued queue that\nis already filled with descriptors that are ready to be sent. Threads\nhave no direct access to DMA channel descriptor. Now it is just possible\nto queue a descriptor for further processing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors\n\nIf dw_pcie_ep_init() fails to perform any action after the EPC memory is\ninitialized and the MSI memory region is allocated, the latter parts won't\nbe undone thus causing a memory leak.  Add a cleanup-on-error path to fix\nthese leaks.\n\n[bhelgaas: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix get_nodes out of bound access\n\nWhen user specified more nodes than supported, get_nodes will access nmask\narray out of bounds.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix potential NULL dereference in __kernfs_remove\n\nWhen lockdep is enabled, lockdep_assert_held_write would\ncause potential NULL pointer dereference.\n\nFix the following smatch warnings:\n\nfs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check 'kn' (see line 1346)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential deadlock in __driver_attach\n\nIn __driver_attach function, There are also AA deadlock problem,\nlike the commit b232b02bf3c2 (\"driver core: fix deadlock in\n__device_attach\").\n\nstack like commit b232b02bf3c2 (\"driver core: fix deadlock in\n__device_attach\").\nlist below:\n    In __driver_attach function, The lock holding logic is as follows:\n    ...\n    __driver_attach\n    if (driver_allows_async_probing(drv))\n      device_lock(dev)      // get lock dev\n        async_schedule_dev(__driver_attach_async_helper, dev); // func\n          async_schedule_node\n            async_schedule_node_domain(func)\n              entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC);\n              /* when fail or work limit, sync to execute func, but\n                 __driver_attach_async_helper will get lock dev as\n                 will, which will lead to A-A deadlock.  */\n              if (!entry || atomic_read(&entry_count) > MAX_WORK) {\n                func;\n              else\n                queue_work_node(node, system_unbound_wq, &entry->work)\n      device_unlock(dev)\n\n    As above show, when it is allowed to do async probes, because of\n    out of memory or work limit, async work is not be allowed, to do\n    sync execute instead. 
it will lead to A-A deadlock because of\n    __driver_attach_async_helper getting lock dev.\n\nReproduce:\nand it can be reproduce by make the condition\n(if (!entry || atomic_read(&entry_count) > MAX_WORK)) untenable, like\nbelow:\n\n[  370.785650] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables\nthis message.\n[  370.787154] task:swapper/0       state:D stack:    0 pid:    1 ppid:\n0 flags:0x00004000\n[  370.788865] Call Trace:\n[  370.789374]  <TASK>\n[  370.789841]  __schedule+0x482/0x1050\n[  370.790613]  schedule+0x92/0x1a0\n[  370.791290]  schedule_preempt_disabled+0x2c/0x50\n[  370.792256]  __mutex_lock.isra.0+0x757/0xec0\n[  370.793158]  __mutex_lock_slowpath+0x1f/0x30\n[  370.794079]  mutex_lock+0x50/0x60\n[  370.794795]  __device_driver_lock+0x2f/0x70\n[  370.795677]  ? driver_probe_device+0xd0/0xd0\n[  370.796576]  __driver_attach_async_helper+0x1d/0xd0\n[  370.797318]  ? driver_probe_device+0xd0/0xd0\n[  370.797957]  async_schedule_node_domain+0xa5/0xc0\n[  370.798652]  async_schedule_node+0x19/0x30\n[  370.799243]  __driver_attach+0x246/0x290\n[  370.799828]  ? driver_allows_async_probing+0xa0/0xa0\n[  370.800548]  bus_for_each_dev+0x9d/0x130\n[  370.801132]  driver_attach+0x22/0x30\n[  370.801666]  bus_add_driver+0x290/0x340\n[  370.802246]  driver_register+0x88/0x140\n[  370.802817]  ? virtio_scsi_init+0x116/0x116\n[  370.803425]  scsi_register_driver+0x1a/0x30\n[  370.804057]  init_sd+0x184/0x226\n[  370.804533]  do_one_initcall+0x71/0x3a0\n[  370.805107]  kernel_init_freeable+0x39a/0x43a\n[  370.805759]  ? rest_init+0x150/0x150\n[  370.806283]  kernel_init+0x26/0x230\n[  370.806799]  ret_from_fork+0x1f/0x30\n\nTo fix the deadlock, move the async_schedule_dev outside device_lock,\nas we can see, in async_schedule_node_domain, the parameter of\nqueue_work_node is system_unbound_wq, so it can accept concurrent\noperations. which will also not change the code logic, and will\nnot lead to deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix random warning message when driver load\n\nWarning log:\n[    4.141392] Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xa20 (GFP_ATOMIC). Fix your code!\n[    4.150340] CPU: 1 PID: 175 Comm: 1-0050 Not tainted 5.15.5-00039-g2fd9ae1b568c #20\n[    4.158010] Hardware name: Freescale i.MX8QXP MEK (DT)\n[    4.163155] Call trace:\n[    4.165600]  dump_backtrace+0x0/0x1b0\n[    4.169286]  show_stack+0x18/0x68\n[    4.172611]  dump_stack_lvl+0x68/0x84\n[    4.176286]  dump_stack+0x18/0x34\n[    4.179613]  kmalloc_fix_flags+0x60/0x88\n[    4.183550]  new_slab+0x334/0x370\n[    4.186878]  ___slab_alloc.part.108+0x4d4/0x748\n[    4.191419]  __slab_alloc.isra.109+0x30/0x78\n[    4.195702]  kmem_cache_alloc+0x40c/0x420\n[    4.199725]  dma_pool_alloc+0xac/0x1f8\n[    4.203486]  cdns3_allocate_trb_pool+0xb4/0xd0\n\npool_alloc_page(struct dma_pool *pool, gfp_t mem_flags)\n{\n\t...\n\tpage = kmalloc(sizeof(*page), mem_flags);\n\tpage->vaddr = dma_alloc_coherent(pool->dev, pool->allocation,\n\t\t\t\t\t &page->dma, mem_flags);\n\t...\n}\n\nkmalloc was called with mem_flags, which is passed down in\ncdns3_allocate_trb_pool() and have GFP_DMA32 flags.\nkmall_fix_flags() report warning.\n\nGFP_DMA32 is not useful at all. dma_alloc_coherent() will handle\nDMA memory region correctly by pool->dev. GFP_DMA32 can be removed\nsafely.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: Fix refcount leak in ehci_hcd_ppc_of_probe\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: mediatek-gen3: Fix refcount leak in mtk_pcie_init_irq_domains()\n\nof_get_child_by_name() returns a node pointer with refcount incremented, so\nwe should use of_node_put() on it when we don't need it anymore.\n\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: parsers: ofpart: Fix refcount leak in bcm4908_partitions_fw_offset\n\nof_find_node_by_path() returns a node pointer with refcount incremented,\nwe should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: cp2112: prevent a buffer overflow in cp2112_xfer()\n\nSmatch warnings:\ndrivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()\n'data->block[1]' too small (33 vs 255)\ndrivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too\nsmall (64 vs 255)\n\nThe 'read_length' variable is provided by 'data->block[0]' which comes\nfrom user and it(read_length) can take a value between 0-255. Add an\nupper bound to 'read_length' variable to prevent a buffer overflow in\nmemcpy().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: microchip: Fix refcount leak in mc_pcie_init_irq_domains()\n\nof_get_next_child() returns a node pointer with refcount incremented, so we\nshould use of_node_put() on it when we don't need it anymore.\n\nmc_pcie_init_irq_domains() only calls of_node_put() in the normal path,\nmissing it in some error paths.  Add missing of_node_put() to avoid\nrefcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: partitions: Fix refcount leak in parse_redboot_of\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: check previous kernel's ima-kexec-buffer against memory bounds\n\nPresently ima_get_kexec_buffer() doesn't check if the previous kernel's\nima-kexec-buffer lies outside the addressable memory range. This can result\nin a kernel panic if the new kernel is booted with 'mem=X' arg and the\nima-kexec-buffer was allocated beyond that range by the previous kernel.\nThe panic is usually of the form below:\n\n$ sudo kexec --initrd initrd vmlinux --append='mem=16G'\n\n<snip>\n BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000\n Faulting instruction address: 0xc000000000837974\n Oops: Kernel access of bad area, sig: 11 [#1]\n<snip>\n NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0\n LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160\n Call Trace:\n [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160\n [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108\n [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120\n [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0\n [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec\n [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0\n [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64\n Instruction dump:\n f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330\n 7c0802a6 fb610198 7c9b2378 f80101d0 <a1240000> 2c090001 40820614 e9240010\n ---[ end trace 0000000000000000 ]---\n\nFix this issue by checking returned PFN range of previous kernel's\nima-kexec-buffer with page_is_ram() to ensure correct memory bounds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: maps: Fix refcount leak in ap_flash_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: maps: Fix refcount leak in of_flash_probe_versatile\n\nof_find_matching_node_and_match() returns a node pointer with refcount\nincremented; we should call of_node_put() on it when it is not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: Fix possible refcount leak in if_usb_probe()\n\nusb_get_dev will be called before lbs_get_firmware_async, which means that\nusb_put_dev needs to be called when lbs_get_firmware_async fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix incorrect dev_tracker usage\n\nWhile investigating a separate rose issue [1], and enabling\nCONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]\n\nAn ax25_dev can be used by one (or many) struct ax25_cb.\nWe thus need different dev_tracker, one per struct ax25_cb.\n\nAfter this patch is applied, we are able to focus on rose.\n\n[1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/\n\n[2]\n[  205.798723] reference already released.\n[  205.798732] allocated in:\n[  205.798734]  ax25_bind+0x1a2/0x230 [ax25]\n[  205.798747]  __sys_bind+0xea/0x110\n[  205.798753]  __x64_sys_bind+0x18/0x20\n[  205.798758]  do_syscall_64+0x5c/0x80\n[  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  205.798768] freed in:\n[  205.798770]  ax25_release+0x115/0x370 [ax25]\n[  205.798778]  __sock_release+0x42/0xb0\n[  205.798782]  sock_close+0x15/0x20\n[  205.798785]  __fput+0x9f/0x260\n[  205.798789]  ____fput+0xe/0x10\n[  205.798792]  task_work_run+0x64/0xa0\n[  205.798798]  exit_to_user_mode_prepare+0x18b/0x190\n[  205.798804]  syscall_exit_to_user_mode+0x26/0x40\n[  205.798808]  do_syscall_64+0x69/0x80\n[  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  205.798827] ------------[ cut here ]------------\n[  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81\n[  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video\n[  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]\n[  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3\n[  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020\n[  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81\n[  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e\n[  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286\n[  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000\n[  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff\n[  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618\n[  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0\n[  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001\n[  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000\n[  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0\n[  205.799033] Call Trace:\n[  205.799035]  <TASK>\n[  205.799038]  ? ax25_dev_device_down+0xd9/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue\n\nAfter successful station association, if station queues are disabled for\nsome reason, the related lists are not emptied. So if some new element is\nadded to the list in iwl_mvm_mac_wake_tx_queue, it can match with the old\none and produce a BUG like this:\n\n[   46.535263] list_add corruption. prev->next should be next (ffff94c1c318a360), but was 0000000000000000. (prev=ffff94c1d02d3388).\n[   46.535283] ------------[ cut here ]------------\n[   46.535284] kernel BUG at lib/list_debug.c:26!\n[   46.535290] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[   46.585304] CPU: 0 PID: 623 Comm: wpa_supplicant Not tainted 5.19.0-rc3+ #1\n[   46.592380] Hardware name: Dell Inc. Inspiron 660s/0478VN       , BIOS A07 08/24/2012\n[   46.600336] RIP: 0010:__list_add_valid.cold+0x3d/0x3f\n[   46.605475] Code: f2 4c 89 c1 48 89 fe 48 c7 c7 c8 40 67 93 e8 20 cc fd ff 0f 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 70 40 67 93 e8 09 cc fd ff <0f> 0b 48 89 fe 48 c7 c7 00 41 67 93 e8 f8 cb fd ff 0f 0b 48 89 d1\n[   46.624469] RSP: 0018:ffffb20800ab76d8 EFLAGS: 00010286\n[   46.629854] RAX: 0000000000000075 RBX: ffff94c1c318a0e0 RCX: 0000000000000000\n[   46.637105] RDX: 0000000000000201 RSI: ffffffff9365e100 RDI: 00000000ffffffff\n[   46.644356] RBP: ffff94c1c5f43370 R08: 0000000000000075 R09: 3064316334396666\n[   46.651607] R10: 3364323064316334 R11: 39666666663d7665 R12: ffff94c1c5f43388\n[   46.658857] R13: ffff94c1d02d3388 R14: ffff94c1c318a360 R15: ffff94c1cf2289c0\n[   46.666108] FS:  00007f65634ff7c0(0000) GS:ffff94c1da200000(0000) knlGS:0000000000000000\n[   46.674331] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   46.680170] CR2: 00007f7dfe984460 CR3: 000000010e894003 CR4: 00000000000606f0\n[   46.687422] Call Trace:\n[   46.689906]  <TASK>\n[   46.691950]  iwl_mvm_mac_wake_tx_queue+0xec/0x15c [iwlmvm]\n[   46.697601]  ieee80211_queue_skb+0x4b3/0x720 [mac80211]\n[   46.702973]  ? sta_info_get+0x46/0x60 [mac80211]\n[   46.707703]  ieee80211_tx+0xad/0x110 [mac80211]\n[   46.712355]  __ieee80211_tx_skb_tid_band+0x71/0x90 [mac80211]\n...\n\nIn order to avoid this problem, we must also remove the related lists when\nstation queues are disabled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()`\n\nCommit 7a4836560a61 changes simple_write_to_buffer() with memdup_user()\nbut it forgets to change the value to be returned that came from\nsimple_write_to_buffer() call. It results in the following warning:\n\n  warning: variable 'rc' is uninitialized when used here [-Wuninitialized]\n           return rc;\n                  ^~\n\nRemove rc variable and just return the passed in length if the\nmemdup_user() succeeds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: When HCI work queue is drained, only queue chained work\n\nThe HCI command, event, and data packet processing workqueue is drained\nto avoid deadlock in commit\n76727c02c1e1 (\"Bluetooth: Call drain_workqueue() before resetting state\").\n\nThere is another delayed work, which will queue command to this drained\nworkqueue. Which results in the following error report:\n\nBluetooth: hci2: command 0x040f tx timeout\nWARNING: CPU: 1 PID: 18374 at kernel/workqueue.c:1438 __queue_work+0xdad/0x1140\nWorkqueue: events hci_cmd_timeout\nRIP: 0010:__queue_work+0xdad/0x1140\nRSP: 0000:ffffc90002cffc60 EFLAGS: 00010093\nRAX: 0000000000000000 RBX: ffff8880b9d3ec00 RCX: 0000000000000000\nRDX: ffff888024ba0000 RSI: ffffffff814e048d RDI: ffff8880b9d3ec08\nRBP: 0000000000000008 R08: 0000000000000000 R09: 00000000b9d39700\nR10: ffffffff814f73c6 R11: 0000000000000000 R12: ffff88807cce4c60\nR13: 0000000000000000 R14: ffff8880796d8800 R15: ffff8880796d8800\nFS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c0174b4000 CR3: 000000007cae9000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? queue_work_on+0xcb/0x110\n ? lockdep_hardirqs_off+0x90/0xd0\n queue_work_on+0xee/0x110\n process_one_work+0x996/0x1610\n ? pwq_dec_nr_in_flight+0x2a0/0x2a0\n ? rwlock_bug.part.0+0x90/0x90\n ? _raw_spin_lock_irq+0x41/0x50\n worker_thread+0x665/0x1080\n ? process_one_work+0x1610/0x1610\n kthread+0x2e9/0x3a0\n ? kthread_complete_and_exit+0x40/0x40\n ret_from_fork+0x1f/0x30\n </TASK>\n\nTo fix this, we can add a new HCI_DRAIN_WQ flag, and don't queue the\ntimeout workqueue while command workqueue is draining.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix potential 32-bit overflow when accessing ARRAY map element\n\nIf BPF array map is bigger than 4GB, element pointer calculation can\noverflow because both index and elem_size are u32. Fix this everywhere\nby forcing 64-bit multiplication. Extract this formula into separate\nsmall helper and use it consistently in various places.\n\nSpeculative-preventing formula utilizing index_mask trick is left as is,\nbut explicit u64 casts are added in both places.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, x86: fix freeing of not-finalized bpf_prog_pack\n\nsyzbot reported a few issues with bpf_prog_pack [1], [2]. This only happens\nwith multiple subprogs. In jit_subprogs(), we first call bpf_int_jit_compile()\non each sub program. And then, we call it on each sub program again. jit_data\nis not freed in the first call of bpf_int_jit_compile(). Similarly we don't\ncall bpf_jit_binary_pack_finalize() in the first call of bpf_int_jit_compile().\n\nIf bpf_int_jit_compile() failed for one sub program, we will call\nbpf_jit_binary_pack_finalize() for this sub program. However, we don't have a\nchance to call it for other sub programs. Then we will hit \"goto out_free\" in\njit_subprogs(), and call bpf_jit_free on some subprograms that haven't got\nbpf_jit_binary_pack_finalize() yet.\n\nAt this point, bpf_jit_binary_pack_free() is called and the whole 2MB page is\nfreed erroneously.\n\nFix this with a custom bpf_jit_free() for x86_64, which calls\nbpf_jit_binary_pack_finalize() if necessary. Also, with custom\nbpf_jit_free(), bpf_prog_aux->use_bpf_prog_pack is not needed any more,\nremove it.\n\n[1] https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f\n[2] https://syzkaller.appspot.com/bug?extid=87f65c75f4a72db05445",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()\n\nThe simple_write_to_buffer() function will succeed if even a single\nbyte is initialized.  However, we need to initialize the whole buffer\nto prevent information leaks.  Just use memdup_user().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: executor: Fix a memory leak on failure in kunit_filter_tests\n\nIt's possible that memory allocation for 'filtered' will fail, but for the\ncopy of the suite to succeed. In this case, the copy could be leaked.\n\nProperly free 'copy' in the error case for the allocation of 'filtered'\nfailing.\n\nNote that there may also have been a similar issue in\nkunit_filter_subsuites, before it was removed in \"kunit: flatten\nkunit_suite*** to kunit_suite** in .kunit_test_suites\".\n\nThis was reported by clang-analyzer via the kernel test robot, here:\nhttps://lore.kernel.org/all/c8073b8e-7b9e-0830-4177-87c12f16349c@intel.com/\n\nAnd by smatch via Dan Carpenter and the kernel test robot:\nhttps://lore.kernel.org/all/202207101328.ASjx88yj-lkp@intel.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - don't sleep when in softirq\n\nWhen kunpeng920 encryption driver is used to encrypt and decrypt\npackets during the softirq, it is not allowed to use mutex lock. The\nkernel will report the following error:\n\nBUG: scheduling while atomic: swapper/57/0/0x00000300\nCall trace:\ndump_backtrace+0x0/0x1e4\nshow_stack+0x20/0x2c\ndump_stack+0xd8/0x140\n__schedule_bug+0x68/0x80\n__schedule+0x728/0x840\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x24\n__mutex_lock.constprop.0+0x594/0x5dc\n__mutex_lock_slowpath+0x1c/0x30\nmutex_lock+0x50/0x60\nsec_request_init+0x8c/0x1a0 [hisi_sec2]\nsec_process+0x28/0x1ac [hisi_sec2]\nsec_skcipher_crypto+0xf4/0x1d4 [hisi_sec2]\nsec_skcipher_encrypt+0x1c/0x30 [hisi_sec2]\ncrypto_skcipher_encrypt+0x2c/0x40\ncrypto_authenc_encrypt+0xc8/0xfc [authenc]\ncrypto_aead_encrypt+0x2c/0x40\nechainiv_encrypt+0x144/0x1a0 [echainiv]\ncrypto_aead_encrypt+0x2c/0x40\nesp_output_tail+0x348/0x5c0 [esp4]\nesp_output+0x120/0x19c [esp4]\nxfrm_output_one+0x25c/0x4d4\nxfrm_output_resume+0x6c/0x1fc\nxfrm_output+0xac/0x3c0\nxfrm4_output+0x64/0x130\nip_build_and_send_pkt+0x158/0x20c\ntcp_v4_send_synack+0xdc/0x1f0\ntcp_conn_request+0x7d0/0x994\ntcp_v4_conn_request+0x58/0x6c\ntcp_v6_conn_request+0xf0/0x100\ntcp_rcv_state_process+0x1cc/0xd60\ntcp_v4_do_rcv+0x10c/0x250\ntcp_v4_rcv+0xfc4/0x10a4\nip_protocol_deliver_rcu+0xf4/0x200\nip_local_deliver_finish+0x58/0x70\nip_local_deliver+0x68/0x120\nip_sublist_rcv_finish+0x70/0x94\nip_list_rcv_finish.constprop.0+0x17c/0x1d0\nip_sublist_rcv+0x40/0xb0\nip_list_rcv+0x140/0x1dc\n__netif_receive_skb_list_core+0x154/0x28c\n__netif_receive_skb_list+0x120/0x1a0\nnetif_receive_skb_list_internal+0xe4/0x1f0\nnapi_complete_done+0x70/0x1f0\ngro_cell_poll+0x9c/0xb0\nnapi_poll+0xcc/0x264\nnet_rx_action+0xd4/0x21c\n__do_softirq+0x130/0x358\nirq_exit+0x11c/0x13c\n__handle_domain_irq+0x88/0xf0\ngic_handle_irq+0x78/0x2c0\nel1_irq+0xb8/0x140\narch_cpu_idle+0x18/0x40\ndefault_idle_call+0x5c/0x1c0\ncpuidle_idle_call+0x174/0x1b0\ndo_idle+0xc8/0x160\ncpu_startup_entry+0x30/0x11c\nsecondary_start_kernel+0x158/0x1e4\nsoftirq: huh, entered softirq 3 NET_RX 0000000093774ee4 with\npreempt_count 00000100, exited with fffffe00?",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg\n\nFree the skb if mt76u_bulk_msg fails in __mt76x02u_mcu_send_msg routine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Fix global state lock backoff\n\nWe need to grab the lock after the early return for !hwpipe case.\nOtherwise, we could have hit contention yet still returned 0.\n\nFixes an issue that the new CONFIG_DRM_DEBUG_MODESET_LOCK stuff flagged\nin CI:\n\n   WARNING: CPU: 0 PID: 282 at drivers/gpu/drm/drm_modeset_lock.c:296 drm_modeset_lock+0xf8/0x154\n   Modules linked in:\n   CPU: 0 PID: 282 Comm: kms_cursor_lega Tainted: G        W         5.19.0-rc2-15930-g875cc8bc536a #1\n   Hardware name: Qualcomm Technologies, Inc. DB820c (DT)\n   pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : drm_modeset_lock+0xf8/0x154\n   lr : drm_atomic_get_private_obj_state+0x84/0x170\n   sp : ffff80000cfab6a0\n   x29: ffff80000cfab6a0 x28: 0000000000000000 x27: ffff000083bc4d00\n   x26: 0000000000000038 x25: 0000000000000000 x24: ffff80000957ca58\n   x23: 0000000000000000 x22: ffff000081ace080 x21: 0000000000000001\n   x20: ffff000081acec18 x19: ffff80000cfabb80 x18: 0000000000000038\n   x17: 0000000000000000 x16: 0000000000000000 x15: fffffffffffea0d0\n   x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 5f534b434f4c5f47\n   x11: ffff80000a386aa8 x10: 0000000000000029 x9 : ffff80000cfab610\n   x8 : 0000000000000029 x7 : 0000000000000014 x6 : 0000000000000000\n   x5 : 0000000000000001 x4 : ffff8000081ad904 x3 : 0000000000000029\n   x2 : ffff0000801db4c0 x1 : ffff80000cfabb80 x0 : ffff000081aceb58\n   Call trace:\n    drm_modeset_lock+0xf8/0x154\n    drm_atomic_get_private_obj_state+0x84/0x170\n    mdp5_get_global_state+0x54/0x6c\n    mdp5_pipe_release+0x2c/0xd4\n    mdp5_plane_atomic_check+0x2ec/0x414\n    drm_atomic_helper_check_planes+0xd8/0x210\n    drm_atomic_helper_check+0x54/0xb0\n    ...\n   ---[ end trace 0000000000000000 ]---\n   drm_modeset_lock attempting to lock a contended lock without backoff:\n      drm_modeset_lock+0x148/0x154\n      mdp5_get_global_state+0x30/0x6c\n      mdp5_pipe_release+0x2c/0xd4\n      mdp5_plane_atomic_check+0x290/0x414\n      drm_atomic_helper_check_planes+0xd8/0x210\n      drm_atomic_helper_check+0x54/0xb0\n      drm_atomic_check_only+0x4b0/0x8f4\n      drm_atomic_commit+0x68/0xe0\n\nPatchwork: https://patchwork.freedesktop.org/patch/492701/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: avoid kernel hung in hinic_get_stats64()\n\nWhen using a hinic device as a bond slave device, and reading device stats\nof the master bond device, the kernel may hang.\n\nThe kernel panic calltrace is as follows:\nKernel panic - not syncing: softlockup: hung tasks\nCall trace:\n  native_queued_spin_lock_slowpath+0x1ec/0x31c\n  dev_get_stats+0x60/0xcc\n  dev_seq_printf_stats+0x40/0x120\n  dev_seq_show+0x1c/0x40\n  seq_read_iter+0x3c8/0x4dc\n  seq_read+0xe0/0x130\n  proc_reg_read+0xa8/0xe0\n  vfs_read+0xb0/0x1d4\n  ksys_read+0x70/0xfc\n  __arm64_sys_read+0x20/0x30\n  el0_svc_common+0x88/0x234\n  do_el0_svc+0x2c/0x90\n  el0_svc+0x1c/0x30\n  el0_sync_handler+0xa8/0xb0\n  el0_sync+0x148/0x180\n\nAnd the calltrace of the task that actually caused the kernel hang is as follows:\n  __switch_to+124\n  __schedule+548\n  schedule+72\n  schedule_timeout+348\n  __down_common+188\n  __down+24\n  down+104\n  hinic_get_stats64+44 [hinic]\n  dev_get_stats+92\n  bond_get_stats+172 [bonding]\n  dev_get_stats+92\n  dev_seq_printf_stats+60\n  dev_seq_show+24\n  seq_read_iter+964\n  seq_read+220\n  proc_reg_read+164\n  vfs_read+172\n  ksys_read+108\n  __arm64_sys_read+28\n  el0_svc_common+132\n  do_el0_svc+40\n  el0_svc+24\n  el0_sync_handler+164\n  el0_sync+324\n\nWhen getting device stats from bond, kernel will call bond_get_stats().\nIt first holds the spinlock bond->stats_lock, and then calls\nhinic_get_stats64() to collect hinic device's stats.\nHowever, hinic_get_stats64() calls `down(&nic_dev->mgmt_lock)` to\nprotect its critical section, which may schedule the current task out.\nAnd if the system is under high pressure, the task cannot be woken up\nimmediately, which eventually triggers a kernel hang panic.\n\nSince a previous patch has replaced hinic_dev.tx_stats/rx_stats with local\nvariables in hinic_get_stats64(), there is nothing that needs to be protected\nby the lock, so just removing down()/up() is ok.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tw686x: Fix memory leak in tw686x_video_init\n\nvideo_device_alloc() allocates memory for vdev,\nwhen video_register_device() fails, it doesn't release the memory and\nleads to memory leak, call video_device_release() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mcde: Fix refcount leak in mcde_dsi_bind\n\nEvery iteration of for_each_available_child_of_node() decrements\nthe reference counter of the previous node. There is no decrement\nwhen breaking out of the loop, which results in a refcount leak.\nAdd missing of_node_put() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix ksoftirqd boosting timing and iteration\n\nThe RCU priority boosting can fail in two situations:\n\n1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs\nis higher than those brought online at boot, then torture_onoff() may\nlater bring up CPUs that weren't online on boot. Now since rcutorture\ninitialization only boosts the ksoftirqds of the CPUs that have been\nset online on boot, the CPUs later set online by torture_onoff won't\nbenefit from the boost, making RCU priority boosting fail.\n\n2) The ksoftirqd kthreads are boosted after the creation of\nrcu_torture_boost() kthreads, which opens a window large enough for these\nrcu_torture_boost() kthreads to wait (despite running at FIFO priority)\nfor ksoftirqds that are still running at SCHED_NORMAL priority.\n\nThe issues can trigger for example with:\n\n\t./kvm.sh --configs TREE01 --kconfig \"CONFIG_RCU_BOOST=y\"\n\n\t[   34.968561] rcu-torture: !!!\n\t[   34.968627] ------------[ cut here ]------------\n\t[   35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610\n\t[   35.052043] Modules linked in:\n\t[   35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1\n\t[   35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014\n\t[   35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610\n\t[   35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 <0f> 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82\n\t[   37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202\n\t[   37.277320] rcu: De-offloading 8\n\t[   37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001\n\t[   37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff\n\t[   37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff\n\t[   37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20\n\t[   37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0\n\t[   37.290427] FS:  0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000\n\t[   37.290448] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[   37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0\n\t[   37.290470] Call Trace:\n\t[   37.295049]  <TASK>\n\t[   37.295065]  ? preempt_count_add+0x63/0x90\n\t[   37.295095]  ? _raw_spin_lock_irqsave+0x12/0x40\n\t[   37.295125]  ? rcu_torture_stats_print+0x610/0x610\n\t[   37.295143]  rcu_torture_stats+0x29/0x70\n\t[   37.295160]  kthread+0xe3/0x110\n\t[   37.295176]  ? kthread_complete_and_exit+0x20/0x20\n\t[   37.295193]  ret_from_fork+0x22/0x30\n\t[   37.295218]  </TASK>\n\nFix this by boosting the ksoftirqd kthreads from the boosting\nhotplug callback itself and before the boosting kthreads are created.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: 8852a: rfk: fix div 0 exception\n\nThe DPK is a kind of RF calibration whose algorithm is to fine tune\nparameters and calibrate, and check the result. If the result isn't good\nenough, it could adjust parameters and try again.\n\nThis issue is to read and show the result, but it could be a negative\ncalibration result that causes divisor 0 and core dump. So, fix it by\nphy_div() that does division only if divisor isn't zero; otherwise,\nzero is adopted.\n\n  divide error: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 PID: 728 Comm: wpa_supplicant Not tainted 5.10.114-16019-g462a1661811a #1 <HASH:d024 28>\n  RIP: 0010:rtw8852a_dpk+0x14ae/0x288f [rtw89_core]\n  RSP: 0018:ffffa9bb412a7520 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 00000000000180fc RDI: ffffa141d01023c0\n  RBP: ffffa9bb412a76a0 R08: 0000000000001319 R09: 00000000ffffff92\n  R10: ffffffffc0292de3 R11: ffffffffc00d2f51 R12: 0000000000000000\n  R13: ffffa141d01023c0 R14: ffffffffc0290250 R15: ffffa141d0102638\n  FS:  00007fa99f5c2740(0000) GS:ffffa142e5e80000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000013e8e010 CR3: 0000000110d2c000 CR4: 0000000000750ee0\n  PKRU: 55555554\n  Call Trace:\n   rtw89_core_sta_add+0x95/0x9c [rtw89_core <HASH:d239 29>]\n   rtw89_ops_sta_state+0x5d/0x108 [rtw89_core <HASH:d239 29>]\n   drv_sta_state+0x115/0x66f [mac80211 <HASH:81fe 30>]\n   sta_info_insert_rcu+0x45c/0x713 [mac80211 <HASH:81fe 30>]\n   sta_info_insert+0xf/0x1b [mac80211 <HASH:81fe 30>]\n   ieee80211_prep_connection+0x9d6/0xb0c [mac80211 <HASH:81fe 30>]\n   ieee80211_mgd_auth+0x2aa/0x352 [mac80211 <HASH:81fe 30>]\n   cfg80211_mlme_auth+0x160/0x1f6 [cfg80211 <HASH:00cd 31>]\n   nl80211_authenticate+0x2e5/0x306 [cfg80211 <HASH:00cd 31>]\n   genl_rcv_msg+0x371/0x3a1\n   ? nl80211_stop_sched_scan+0xe5/0xe5 [cfg80211 <HASH:00cd 31>]\n   ? genl_rcv+0x36/0x36\n   netlink_rcv_skb+0x8a/0xf9\n   genl_rcv+0x28/0x36\n   netlink_unicast+0x27b/0x3a0\n   netlink_sendmsg+0x2aa/0x469\n   sock_sendmsg_nosec+0x49/0x4d\n   ____sys_sendmsg+0xe5/0x213\n   __sys_sendmsg+0xec/0x157\n   ? syscall_enter_from_user_mode+0xd7/0x116\n   do_syscall_64+0x43/0x55\n   entry_SYSCALL_64_after_hwframe+0x44/0xa9\n  RIP: 0033:0x7fa99f6e689b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k: fix use-after-free in ath9k_hif_usb_rx_cb\n\nSyzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The\nproblem was in incorrect htc_handle->drv_priv initialization.\n\nProbable call trace which can trigger use-after-free:\n\nath9k_htc_probe_device()\n  /* htc_handle->drv_priv = priv; */\n  ath9k_htc_wait_for_target()      <--- Failed\n  ieee80211_free_hw()\t\t   <--- priv pointer is freed\n\n<IRQ>\n...\nath9k_hif_usb_rx_cb()\n  ath9k_hif_usb_rx_stream()\n   RX_STAT_INC()\t\t<--- htc_handle->drv_priv access\n\nIn order to not add fancy protection for drv_priv we can move\nhtc_handle->drv_priv initialization at the end of the\nath9k_htc_probe_device() and add helper macro to make\nall *_STAT_* macros NULL safe, since syzbot has reported related NULL\nderef in that macros [1]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-gpu: fix a missing check to avoid NULL dereference\n\n'cache_ent' could be set NULL inside virtio_gpu_cmd_get_capset()\nand it will lead to a NULL dereference by a lately use of it\n(i.e., ptr = cache_ent->caps_cache). Fix it with a NULL check.\n\n\n[ kraxel: minor codestyle fixup ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Align upwards buffer size\n\nThe hardware can support any image size WxH,\nwith arbitrary W (image width) and H (image height) dimensions.\n\nAlign upwards buffer size for both encoder and decoder.\nand leave the picture resolution unchanged.\n\nFor decoder, the risk of memory out of bounds can be avoided.\nFor both encoder and decoder, the driver will lift the limitation of\nresolution alignment.\n\nFor example, the decoder can support jpeg whose resolution is 227x149\nthe encoder can support nv12 1080P, won't change it to 1920x1072.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: encoder_cvbs: Fix refcount leak in meson_encoder_cvbs_init\n\nof_graph_get_remote_node() returns remote device nodepointer with\nrefcount incremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: encoder_hdmi: Fix refcount leak in meson_encoder_hdmi_init\n\nof_graph_get_remote_node() returns remote device nodepointer with\nrefcount incremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()\n\nThe last case label can write two buffers 'mc_reg_address[j]' and\n'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE\nsince there are no checks for this value in both case labels after the\nlast 'j++'.\n\nInstead of changing '>' to '>=' there, add the bounds check at the start\nof the second 'case' (the first one already has it).\n\nAlso, remove redundant last checks for 'j' index bigger than array size.\nThe expression is always false. Moreover, before or after the patch\n'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it\nseems it can be a valid value.\n\nDetected using the static analysis tool - Svace.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix missing skb drop on htc_tx_completion error\n\nOn htc_tx_completion error the skb is not dropped. This is wrong since\nthe completion_handler logic expect the skb to be consumed anyway even\nwhen an error is triggered. Not freeing the skb on error is a memory\nleak since the skb won't be freed anywere else. Correctly free the\npacket on eid >= ATH11K_HTC_EP_COUNT before returning.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix netdev open race\n\nMake sure to allocate resources needed before registering the device.\n\nThis specifically avoids having a racing open() trigger a BUG_ON() in\nmod_timer() when ath11k_mac_op_start() is called before the\nmon_reap_timer as been set up.\n\nI did not see this issue with next-20220310, but I hit it on every probe\nwith next-20220511. Perhaps some timing changed in between.\n\nHere's the backtrace:\n\n[   51.346947] kernel BUG at kernel/time/timer.c:990!\n[   51.346958] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n...\n[   51.578225] Call trace:\n[   51.583293]  __mod_timer+0x298/0x390\n[   51.589518]  mod_timer+0x14/0x20\n[   51.595368]  ath11k_mac_op_start+0x41c/0x4a0 [ath11k]\n[   51.603165]  drv_start+0x38/0x60 [mac80211]\n[   51.610110]  ieee80211_do_open+0x29c/0x7d0 [mac80211]\n[   51.617945]  ieee80211_open+0x60/0xb0 [mac80211]\n[   51.625311]  __dev_open+0x100/0x1c0\n[   51.631420]  __dev_change_flags+0x194/0x210\n[   51.638214]  dev_change_flags+0x24/0x70\n[   51.644646]  do_setlink+0x228/0xdb0\n[   51.650723]  __rtnl_newlink+0x460/0x830\n[   51.657162]  rtnl_newlink+0x4c/0x80\n[   51.663229]  rtnetlink_rcv_msg+0x124/0x390\n[   51.669917]  netlink_rcv_skb+0x58/0x130\n[   51.676314]  rtnetlink_rcv+0x18/0x30\n[   51.682460]  netlink_unicast+0x250/0x310\n[   51.688960]  netlink_sendmsg+0x19c/0x3e0\n[   51.695458]  ____sys_sendmsg+0x220/0x290\n[   51.701938]  ___sys_sendmsg+0x7c/0xc0\n[   51.708148]  __sys_sendmsg+0x68/0xd0\n[   51.714254]  __arm64_sys_sendmsg+0x28/0x40\n[   51.720900]  invoke_syscall+0x48/0x120\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: Fix refcount leak in meson_encoder_hdmi_init\n\nof_find_device_by_node() takes reference, we should use put_device()\nto release it when not need anymore.\nAdd missing put_device() in error path to avoid refcount\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/power turbostat: Fix file pointer leak\n\nCurrently if a fscanf fails then an early return leaks an open\nfile pointer. Fix this by fclosing the file before the return.\nDetected using static analysis with cppcheck:\n\ntools/power/x86/turbostat/turbostat.c:2039:3: error: Resource leak: fp [resourceLeak]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix simplification of devm_spi_register_controller\n\nThis reverts commit 59ebbe40fb51 (\"spi: simplify\ndevm_spi_register_controller\").\n\nIf devm_add_action() fails in devm_add_action_or_reset(),\ndevm_spi_unregister() will be called, it decreases the\nrefcount of 'ctlr->dev' to 0, then it will cause uaf in\nthe drivers that calling spi_put_controller() in error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: of: Fix refcount leak bug in of_get_regulation_constraints()\n\nWe should call the of_node_put() for the reference returned by\nof_get_child_by_name() which has increased the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra20-slink: fix UAF in tegra_slink_remove()\n\nAfter calling spi_unregister_master(), the refcount of master will\nbe decrease to 0, and it will be freed in spi_controller_release(),\nthe device data also will be freed, so it will lead a UAF when using\n'tspi'. To fix this, get the master before unregister and put it when\nfinish using it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: wake up all waiters after z_erofs_lzma_head ready\n\nWhen the user mounts the erofs second times, the decompression thread\nmay hung. The problem happens due to a sequence of steps like the\nfollowing:\n\n1) Task A called z_erofs_load_lzma_config which obtain all of the node\n   from the z_erofs_lzma_head.\n\n2) At this time, task B called the z_erofs_lzma_decompress and wanted to\n   get a node. But the z_erofs_lzma_head was empty, the Task B had to\n   sleep.\n\n3) Task A release nodes and push nodes into the z_erofs_lzma_head. But\n   task B was still sleeping.\n\nOne example report when the hung happens:\ntask:kworker/u3:1 state:D stack:14384 pid: 86 ppid: 2 flags:0x00004000\nWorkqueue: erofs_unzipd z_erofs_decompressqueue_work\nCall Trace:\n <TASK>\n __schedule+0x281/0x760\n schedule+0x49/0xb0\n z_erofs_lzma_decompress+0x4bc/0x580\n ? cpu_core_flags+0x10/0x10\n z_erofs_decompress_pcluster+0x49b/0xba0\n ? __update_load_avg_se+0x2b0/0x330\n ? __update_load_avg_se+0x2b0/0x330\n ? update_load_avg+0x5f/0x690\n ? update_load_avg+0x5f/0x690\n ? set_next_entity+0xbd/0x110\n ? _raw_spin_unlock+0xd/0x20\n z_erofs_decompress_queue.isra.0+0x2e/0x50\n z_erofs_decompressqueue_work+0x30/0x60\n process_one_work+0x1d3/0x3a0\n worker_thread+0x45/0x3a0\n ? process_one_work+0x3a0/0x3a0\n kthread+0xe2/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register\n\nEvery iteration of for_each_available_child_of_node() decrements\nthe reference count of the previous node.\nWhen breaking early from a for_each_available_child_of_node() loop,\nwe need to explicitly call of_node_put() on the child node.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: dts: qcom: replace gcc PXO with pxo_board fixed clock\n\nReplace gcc PXO phandle to pxo_board fixed clock declared in the dts.\ngcc driver doesn't provide PXO_SRC as it's a fixed-clock. This cause a\nkernel panic if any driver actually try to use it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: ocmem: Fix refcount leak in of_get_ocmem\n\nof_parse_phandle() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.\nof_node_put() will check NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: zynq: Fix refcount leak in zynq_get_revision\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: Fix refcount leak in omapdss_init_of\n\nomapdss_find_dss_of_node() calls of_find_compatible_node() to get device\nnode. of_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() in later error path and normal path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: Add boundary check in put_entry()\n\nJust like next_entry(), boundary check is necessary to prevent memory\nout-of-bound access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix memleak in security_read_state_kernel()\n\nIn this function, it directly returns the result of __security_read_policy\nwithout freeing the allocated memory in *data, cause memory leak issue,\nso free the memory if __security_read_policy failed.\n\n[PM: subject line tweak]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: hibernate: defer device probing when resuming from hibernation\n\nsyzbot is reporting hung task at misc_open() [1], for there is a race\nwindow of AB-BA deadlock which involves probe_count variable. Currently\nwait_for_device_probe() from snapshot_open() from misc_open() can sleep\nforever with misc_mtx held if probe_count cannot become 0.\n\nWhen a device is probed by hub_event() work function, probe_count is\nincremented before the probe function starts, and probe_count is\ndecremented after the probe function completed.\n\nThere are three cases that can prevent probe_count from dropping to 0.\n\n  (a) A device being probed stopped responding (i.e. broken/malicious\n      hardware).\n\n  (b) A process emulating a USB device using /dev/raw-gadget interface\n      stopped responding for some reason.\n\n  (c) New device probe requests keeps coming in before existing device\n      probe requests complete.\n\nThe phenomenon syzbot is reporting is (b). A process which is holding\nsystem_transition_mutex and misc_mtx is waiting for probe_count to become\n0 inside wait_for_device_probe(), but the probe function which is called\n from hub_event() work function is waiting for the processes which are\nblocked at mutex_lock(&misc_mtx) to respond via /dev/raw-gadget interface.\n\nThis patch mitigates (b) by deferring wait_for_device_probe() from\nsnapshot_open() to snapshot_write() and snapshot_ioctl(). Please note that\nthe possibility of (b) remains as long as any thread which is emulating a\nUSB device via /dev/raw-gadget interface can be blocked by uninterruptible\nblocking operations (e.g. mutex_lock()).\n\nPlease also note that (a) and (c) are not addressed. Regarding (c), we\nshould change the code to wait for only one device which contains the\nimage for resuming from hibernation. I don't know how to address (a), for\nuse of timeout for wait_for_device_probe() might result in loss of user\ndata in the image. Maybe we should require the userland to wait for the\nimage device before opening /dev/snapshot interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: display: Fix refcount leak bug\n\nIn omapdss_init_fbdev(), of_find_node_by_name() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: pdata-quirks: Fix refcount leak bug\n\nIn pdata_quirks_init_clocks(), the loop contains\nof_find_node_by_name() but without corresponding of_node_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next2: Add more validity checks for inode counts\n\nAdd checks verifying number of inodes stored in the superblock matches\nthe number computed from number of inodes per group. Also verify we have\nat least one block worth of inodes per group. This prevents crashes on\ncorrupted filesystems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: fix oops in concurrently setting insn_emulation sysctls\n\nemulation_proc_handler() changes table->data for proc_dointvec_minmax\nand can generate the following Oops if called concurrently with itself:\n\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n | Internal error: Oops: 96000006 [#1] SMP\n | Call trace:\n | update_insn_emulation_mode+0xc0/0x148\n | emulation_proc_handler+0x64/0xb8\n | proc_sys_call_handler+0x9c/0xf8\n | proc_sys_write+0x18/0x20\n | __vfs_write+0x20/0x48\n | vfs_write+0xe4/0x1d0\n | ksys_write+0x70/0xf8\n | __arm64_sys_write+0x20/0x28\n | el0_svc_common.constprop.0+0x7c/0x1c0\n | el0_svc_handler+0x2c/0xa0\n | el0_svc+0x8/0x200\n\nTo fix this issue, keep the table->data as &insn->current_mode and\nuse container_of() to retrieve the insn pointer. Another mutex is\nused to protect against the current_mode update but not for retrieving\ninsn_emulation as table->data is no longer changing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: bcm: Fix refcount leak in bcm_kona_smc_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: amlogic: Fix refcount leak in meson-secure-pwrc.c\n\nIn meson_secure_pwrc_probe(), there is a refcount leak in one fail\npath.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmeson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK\n\nWhen CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,\ncpu_max_bits_warn() generates a runtime warning similar as below while\nwe show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)\ninstead of NR_CPUS to iterate CPUs.\n\n[    3.052463] ------------[ cut here ]------------\n[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0\n[    3.070072] Modules linked in: efivarfs autofs4\n[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052\n[    3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27\n[    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000\n[    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430\n[    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff\n[    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890\n[    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa\n[    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000\n[    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000\n[    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000\n[    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286\n[    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n[    3.195868]         ...\n[    3.199917] Call Trace:\n[    3.203941] [<98000000002086d8>] show_stack+0x38/0x14c\n[    3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88\n[    3.217625] [<980000000023d268>] __warn+0xd0/0x100\n[    3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc\n[    3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0\n[    3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4\n[    3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4\n[    3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0\n[    3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100\n[    3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94\n[    3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160\n[    3.281824] ---[ end trace 8b484262b4b8c24c ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-raid10: fix KASAN warning\n\nThere's a KASAN warning in raid10_remove_disk when running the lvm\ntest lvconvert-raid-reshape.sh. We fix this warning by verifying that the\nvalue \"number\" is valid.\n\nBUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]\nRead of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682\n\nCPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x45/0x57a\n ? __lock_text_start+0x18/0x18\n ? raid10_remove_disk+0x61/0x2a0 [raid10]\n kasan_report+0xa8/0xe0\n ? raid10_remove_disk+0x61/0x2a0 [raid10]\n raid10_remove_disk+0x61/0x2a0 [raid10]\nBuffer I/O error on dev dm-76, logical block 15344, async page read\n ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0\n remove_and_add_spares+0x367/0x8a0 [md_mod]\n ? super_written+0x1c0/0x1c0 [md_mod]\n ? mutex_trylock+0xac/0x120\n ? _raw_spin_lock+0x72/0xc0\n ? _raw_spin_lock_bh+0xc0/0xc0\n md_check_recovery+0x848/0x960 [md_mod]\n raid10d+0xcf/0x3360 [raid10]\n ? sched_clock_cpu+0x185/0x1a0\n ? rb_erase+0x4d4/0x620\n ? var_wake_function+0xe0/0xe0\n ? psi_group_change+0x411/0x500\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? raid10_sync_request+0x36c0/0x36c0 [raid10]\n ? preempt_count_sub+0xf/0xc0\n ? _raw_spin_unlock_irqrestore+0x19/0x40\n ? del_timer_sync+0xa9/0x100\n ? try_to_del_timer_sync+0xc0/0xc0\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? __lock_text_start+0x18/0x18\n ? _raw_spin_unlock_irq+0x11/0x24\n ? __list_del_entry_valid+0x68/0xa0\n ? finish_wait+0xa3/0x100\n md_thread+0x161/0x260 [md_mod]\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n ? _raw_spin_lock_irqsave+0x78/0xc0\n ? prepare_to_wait_event+0x2c0/0x2c0\n ? unregister_md_personality+0xa0/0xa0 [md_mod]\n kthread+0x148/0x180\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n </TASK>\n\nAllocated by task 124495:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x80/0xa0\n setup_conf+0x140/0x5c0 [raid10]\n raid10_run+0x4cd/0x740 [raid10]\n md_run+0x6f9/0x1300 [md_mod]\n raid_ctr+0x2531/0x4ac0 [dm_raid]\n dm_table_add_target+0x2b0/0x620 [dm_mod]\n table_load+0x1c8/0x400 [dm_mod]\n ctl_ioctl+0x29e/0x560 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]\n __do_compat_sys_ioctl+0xfa/0x160\n do_syscall_64+0x90/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x9e/0xc0\n kvfree_call_rcu+0x84/0x480\n timerfd_release+0x82/0x140\n __fput+0xfa/0x400\n task_work_run+0x80/0xc0\n exit_to_user_mode_prepare+0x155/0x160\n syscall_exit_to_user_mode+0x12/0x40\n do_syscall_64+0x42/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x9e/0xc0\n kvfree_call_rcu+0x84/0x480\n timerfd_release+0x82/0x140\n __fput+0xfa/0x400\n task_work_run+0x80/0xc0\n exit_to_user_mode_prepare+0x155/0x160\n syscall_exit_to_user_mode+0x12/0x40\n do_syscall_64+0x42/0xc0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe buggy address belongs to the object at ffff889108f3d200\n which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 0 bytes to the right of\n 256-byte region [ffff889108f3d200, ffff889108f3d300)\n\nThe buggy address belongs to the physical page:\npage:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c\nhead:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0\nflags: 0x4000000000010200(slab|head|zone=2)\nraw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40\nraw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff889108f3d280: 00 00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not allow CHAIN_ID to refer to another table\n\nWhen doing lookups for chains on the same batch by using its ID, a chain\nfrom a different table can be used. If a rule is added to a table but\nrefers to a chain in a different table, it will be linked to the chain in\ntable2, but would have expressions referring to objects in table1.\n\nThen, when table1 is removed, the rule will not be removed as its linked to\na chain in table2. When expressions in the rule are processed or removed,\nthat will lead to a use-after-free.\n\nWhen looking for chains by ID, use the table that was used for the lookup\nby name, and only return chains belonging to that same table.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not allow SET_ID to refer to another table\n\nWhen doing lookups for sets on the same batch by using its ID, a set from a\ndifferent table can be used.\n\nThen, when the table is removed, a reference to the set may be kept after\nthe set is freed, leading to a potential use-after-free.\n\nWhen looking for sets by ID, use the table that was used for the lookup by\nname, and only return sets belonging to that same table.\n\nThis fixes CVE-2022-2586, also reported as ZDI-CAN-17470.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Clear the connection field properly\n\ncoresight devices track their connections (output connections) and\nhold a reference to the fwnode. When a device goes away, we walk through\nthe devices on the coresight bus and make sure that the references\nare dropped. This happens both ways:\n a) For all output connections from the device, drop the reference to\n    the target device via coresight_release_platform_data()\n\nb) Iterate over all the devices on the coresight bus and drop the\n   reference to fwnode if *this* device is the target of the output\n   connection, via coresight_remove_conns()->coresight_remove_match().\n\nHowever, the coresight_remove_match() doesn't clear the fwnode field,\nafter dropping the reference, this causes use-after-free and\nadditional refcount drops on the fwnode.\n\ne.g., if we have two devices, A and B, with a connection, A -> B.\nIf we remove B first, B would clear the reference on B, from A\nvia coresight_remove_match(). But when A is removed, it still has\na connection with fwnode still pointing to B. Thus it tries to  drops\nthe reference in coresight_release_platform_data(), raising the bells\nlike :\n\n[   91.990153] ------------[ cut here ]------------\n[   91.990163] refcount_t: addition on 0; use-after-free.\n[   91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144\n[   91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-)\n crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug]\n[   91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G        W       T 5.19.0-rc2+ #53\n[   91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb  1 2019\n[   91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   91.990454] pc : refcount_warn_saturate+0xa0/0x144\n[   91.990476] lr : refcount_warn_saturate+0xa0/0x144\n[   91.990496] sp : ffff80000c843640\n[   91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8\n[   91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8\n[   91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2\n[   91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40\n[   91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0\n[   91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375\n[   91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28\n[   91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572\n[   91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027\n[   91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00\n[   91.991000] Call trace:\n[   91.991012]  refcount_warn_saturate+0xa0/0x144\n[   91.991034]  kobject_get+0xac/0xb0\n[   91.991055]  of_node_get+0x2c/0x40\n[   91.991076]  of_fwnode_get+0x40/0x60\n[   91.991094]  fwnode_handle_get+0x3c/0x60\n[   91.991116]  fwnode_get_nth_parent+0xf4/0x110\n[   91.991137]  fwnode_full_name_string+0x48/0xc0\n[   91.991158]  device_node_string+0x41c/0x530\n[   91.991178]  pointer+0x320/0x3ec\n[   91.991198]  vsnprintf+0x23c/0x750\n[   91.991217]  vprintk_store+0x104/0x4b0\n[   91.991238]  vprintk_emit+0x8c/0x360\n[   91.991257]  vprintk_default+0x44/0x50\n[   91.991276]  vprintk+0xcc/0xf0\n[   91.991295]  _printk+0x68/0x90\n[   91.991315]  of_node_release+0x13c/0x14c\n[   91.991334]  kobject_put+0x98/0x114\n[   91.991354]  of_node_put+0x24/0x34\n[   91.991372]  of_fwnode_put+0x40/0x5c\n[   91.991390]  fwnode_handle_put+0x38/0x50\n[   91.991411]  coresight_release_platform_data+0x74/0xb0 [coresight]\n[   91.991472]  coresight_unregister+0x64/0xcc [coresight]\n[   91.991525]  etm4_remove_dev+0x64/0x78 [coresight_etm4x]\n[   91.991563]  etm4_remove_amba+0x1c/0x2c [coresight_etm4x]\n[   91.991598]  amba_remove+0x3c/0x19c\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Allow waiting for commands to complete on removed device\n\nWhen a SCSI device is removed while in active use, currently sg will\nimmediately return -ENODEV on any attempt to wait for active commands that\nwere sent before the removal.  This is problematic for commands that use\nSG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel\nwhen userspace frees or reuses it after getting ENODEV, leading to\ncorrupted userspace memory (in the case of READ-type commands) or corrupted\ndata being sent to the device (in the case of WRITE-type commands).  This\nhas been seen in practice when logging out of a iscsi_tcp session, where\nthe iSCSI driver may still be processing commands after the device has been\nmarked for removal.\n\nChange the policy to allow userspace to wait for active sg commands even\nwhen the device is being removed.  Return -ENODEV only when there are no\nmore responses to read.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: write inode in fuse_release()\n\nA race between write(2) and close(2) allows pages to be dirtied after\nfuse_flush -> write_inode_now().  If these pages are not flushed from\nfuse_release(), then there might not be a writable open file later.  So any\nremaining dirty pages must be written back before the file is released.\n\nThis is a partial revert of the blamed commit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: isl29028: Fix the warning in isl29028_remove()\n\nThe driver use the non-managed form of the register function in\nisl29028_remove(). To keep the release order as mirroring the ordering\nin probe, the driver should use non-managed form in probe, too.\n\nThe following log reveals it:\n\n[   32.374955] isl29028 0-0010: remove\n[   32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI\n[   32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[   32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0\n[   32.385461] Call Trace:\n[   32.385807]  sysfs_unmerge_group+0x59/0x110\n[   32.386110]  dpm_sysfs_remove+0x58/0xc0\n[   32.386391]  device_del+0x296/0xe50\n[   32.386959]  cdev_device_del+0x1d/0xd0\n[   32.387231]  devm_iio_device_unreg+0x27/0xb0\n[   32.387542]  devres_release_group+0x319/0x3d0\n[   32.388162]  i2c_device_remove+0x93/0x1f0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix KASAN use-after-free Read in compute_effective_progs\n\nSyzbot found a Use After Free bug in compute_effective_progs().\nThe reproducer creates a number of BPF links, and causes a fault\ninjected alloc to fail, while calling bpf_link_detach on them.\nLink detach triggers the link to be freed by bpf_link_free(),\nwhich calls __cgroup_bpf_detach() and update_effective_progs().\nIf the memory allocation in this function fails, the function restores\nthe pointer to the bpf_cgroup_link on the cgroup list, but the memory\ngets freed just after it returns. After this, every subsequent call to\nupdate_effective_progs() causes this already deallocated pointer to be\ndereferenced in prog_list_length(), and triggers KASAN UAF error.\n\nTo fix this issue don't preserve the pointer to the prog or link in the\nlist, but remove it and replace it with a dummy prog without shrinking\nthe table. The subsequent call to __cgroup_bpf_detach() or\n__cgroup_bpf_detach() will correct it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix linkwatch use-after-free on disconnect\n\nusbnet uses the work usbnet_deferred_kevent() to perform tasks which may\nsleep.  On disconnect, completion of the work was originally awaited in\n->ndo_stop().  But in 2003, that was moved to ->disconnect() by historic\ncommit \"[PATCH] USB: usbnet, prevent exotic rtnl deadlock\":\n\n  https://git.kernel.org/tglx/history/c/0f138bbfd83c\n\nThe change was made because back then, the kernel's workqueue\nimplementation did not allow waiting for a single work.  One had to wait\nfor completion of *all* work by calling flush_scheduled_work(), and that\ncould deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex\nheld in ->ndo_stop().\n\nThe commit solved one problem but created another:  It causes a\nuse-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,\nax88179_178a.c, ch9200.c and smsc75xx.c:\n\n* If the drivers receive a link change interrupt immediately before\n  disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)\n  ->status() callback and schedule usbnet_deferred_kevent().\n* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,\n  which calls netif_carrier_{on,off}().\n* That in turn schedules the work linkwatch_event().\n\nBecause usbnet_deferred_kevent() is awaited after unregister_netdev(),\nnetif_carrier_{on,off}() may operate on an unregistered netdev and\nlinkwatch_event() may run after free_netdev(), causing a use-after-free.\n\nIn 2010, usbnet was changed to only wait for a single instance of\nusbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf\n(\"drivers/net: don't use flush_scheduled_work()\").\n\nUnfortunately the commit neglected to move the wait back to\n->ndo_stop().  Rectify that omission at long last.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fb-helper: Fix out-of-bounds access\n\nClip memory range to screen-buffer size to avoid out-of-bounds access\nin fbdev deferred I/O's damage handling.\n\nFbdev's deferred I/O can only track pages. From the range of pages, the\ndamage handler computes the clipping rectangle for the display update.\nIf the fbdev screen buffer ends near the beginning of a page, that page\ncould contain more scanlines. The damage handler would then track these\nnon-existing scanlines as dirty and provoke an out-of-bounds access\nduring the screen update. Hence, clip the maximum memory range to the\nsize of the screen buffer.\n\nWhile at it, rename the variables min/max to min_off/max_off in\ndrm_fb_helper_deferred_io(). This avoids confusion with the macros of\nthe same name.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vt: initialize unicode screen buffer\n\nsyzbot reports kernel infoleak at vcs_read() [1], for buffer can be read\nimmediately after resize operation. Initialize buffer using kzalloc().\n\n  ----------\n  #include <fcntl.h>\n  #include <unistd.h>\n  #include <sys/ioctl.h>\n  #include <linux/fb.h>\n\n  int main(int argc, char *argv[])\n  {\n    struct fb_var_screeninfo var = { };\n    const int fb_fd = open(\"/dev/fb0\", 3);\n    ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);\n    var.yres = 0x21;\n    ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);\n    return read(open(\"/dev/vcsu\", O_RDONLY), &var, sizeof(var)) == -1;\n  }\n  ----------",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK\n\nWhen CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,\ncpu_max_bits_warn() generates a runtime warning similar as below while\nwe show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)\ninstead of NR_CPUS to iterate CPUs.\n\n[    3.052463] ------------[ cut here ]------------\n[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0\n[    3.070072] Modules linked in: efivarfs autofs4\n[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052\n[    3.084034] Hardware name: Loongson Loongson-3A5000-7A1000-1w-V0.1-CRB/Loongson-LS3A5000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27\n[    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000\n[    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430\n[    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff\n[    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890\n[    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa\n[    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000\n[    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000\n[    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000\n[    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286\n[    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n[    3.195868]         ...\n[    3.199917] Call Trace:\n[    3.203941] [<90000000002086d8>] show_stack+0x38/0x14c\n[    3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88\n[    3.217625] [<900000000023d268>] __warn+0xd0/0x100\n[    3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc\n[    3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0\n[    3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4\n[    3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4\n[    3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0\n[    3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100\n[    3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94\n[    3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160\n[    3.281824] ---[ end trace 8b484262b4b8c24c ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Treat NX as a valid SPTE bit for NPT\n\nTreat the NX bit as valid when using NPT, as KVM will set the NX bit when\nthe NX huge page mitigation is enabled (mindblowing) and trigger the WARN\nthat fires on reserved SPTE bits being set.\n\nKVM has required NX support for SVM since commit b26a71a1a5b9 (\"KVM: SVM:\nRefuse to load kvm_amd if NX support is not available\") for exactly this\nreason, but apparently it never occurred to anyone to actually test NPT\nwith the mitigation enabled.\n\n  ------------[ cut here ]------------\n  spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000\n  WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm]\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022\n  RIP: 0010:make_spte+0x327/0x340 [kvm]\n  Call Trace:\n   <TASK>\n   tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm]\n   kvm_tdp_mmu_map+0x343/0x3b0 [kvm]\n   direct_page_fault+0x1ae/0x2a0 [kvm]\n   kvm_tdp_page_fault+0x7d/0x90 [kvm]\n   kvm_mmu_page_fault+0xfb/0x2e0 [kvm]\n   npf_interception+0x55/0x90 [kvm_amd]\n   svm_invoke_exit_handler+0x31/0xf0 [kvm_amd]\n   svm_handle_exit+0xf6/0x1d0 [kvm_amd]\n   vcpu_enter_guest+0xb6d/0xee0 [kvm]\n   ? kvm_pmu_trigger_event+0x6d/0x230 [kvm]\n   vcpu_run+0x65/0x2c0 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm]\n   kvm_vcpu_ioctl+0x551/0x610 [kvm]\n   __se_sys_ioctl+0x77/0xc0\n   __x64_sys_ioctl+0x1d/0x20\n   do_syscall_64+0x44/0xa0\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv:uprobe fix SR_SPIE set/clear handling\n\nIn riscv the process of uprobe going to clear spie before exec\nthe origin insn,and set spie after that.But When access the page\nwhich origin insn has been placed a page fault may happen and\nirq was disabled in arch_uprobe_pre_xol function,It cause a WARN\nas follows.\nThere is no need to clear/set spie in arch_uprobe_pre/post/abort_xol.\nWe can just remove it.\n\n[   31.684157] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1488\n[   31.684677] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 76, name: work\n[   31.684929] preempt_count: 0, expected: 0\n[   31.685969] CPU: 2 PID: 76 Comm: work Tainted: G\n[   31.686542] Hardware name: riscv-virtio,qemu (DT)\n[   31.686797] Call Trace:\n[   31.687053] [<ffffffff80006442>] dump_backtrace+0x30/0x38\n[   31.687699] [<ffffffff80812118>] show_stack+0x40/0x4c\n[   31.688141] [<ffffffff8081817a>] dump_stack_lvl+0x44/0x5c\n[   31.688396] [<ffffffff808181aa>] dump_stack+0x18/0x20\n[   31.688653] [<ffffffff8003e454>] __might_resched+0x114/0x122\n[   31.688948] [<ffffffff8003e4b2>] __might_sleep+0x50/0x7a\n[   31.689435] [<ffffffff80822676>] down_read+0x30/0x130\n[   31.689728] [<ffffffff8000b650>] do_page_fault+0x166/x446\n[   31.689997] [<ffffffff80003c0c>] ret_from_exception+0x0/0xc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak\n\nFor some sev ioctl interfaces, input may be passed that is less than or\nequal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP\nfirmware returns. In this case, kmalloc will allocate memory that is the\nsize of the input rather than the size of the data. Since PSP firmware\ndoesn't fully overwrite the buffer, the sev ioctl interfaces with the\nissue may return uninitialized slab memory.\n\nCurrently, all of the ioctl interfaces in the ccp driver are safe, but\nto prevent future problems, change all ioctl interfaces that allocate\nmemory with kmalloc to use kzalloc and memset the data buffer to zero\nin sev_ioctl_do_platform_status.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/xen: Initialize Xen timer only once\n\nAdd a check for existing xen timers before initializing a new one.\n\nCurrently kvm_xen_init_timer() is called on every\nKVM_XEN_VCPU_ATTR_TYPE_TIMER, which is causing the following ODEBUG\ncrash when vcpu->arch.xen.timer is already set.\n\nODEBUG: init active (active state 0)\nobject type: hrtimer hint: xen_timer_callbac0\nRIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:502\nCall Trace:\n__debug_object_init\ndebug_hrtimer_init\ndebug_init\nhrtimer_init\nkvm_xen_init_timer\nkvm_xen_vcpu_set_attr\nkvm_arch_vcpu_ioctl\nkvm_vcpu_ioctl\nvfs_ioctl",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0\n\nDon't BUG/WARN on interrupt injection due to GIF being cleared,\nsince it's trivial for userspace to force the situation via\nKVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct\nfor KVM internally generated injections).\n\n  kernel BUG at arch/x86/kvm/svm/svm.c:3386!\n  invalid opcode: 0000 [#1] SMP\n  CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]\n  Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53\n  RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006\n  RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0\n  RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n  R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000\n  FS:  0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0\n  Call Trace:\n   <TASK>\n   inject_pending_event+0x2f7/0x4c0 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]\n   kvm_vcpu_ioctl+0x26d/0x650 [kvm]\n   __x64_sys_ioctl+0x82/0xb0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: bcd2000: Fix a UAF bug on the error path of probing\n\nWhen the driver fails in snd_card_register() at probe time, it will free\nthe 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.\n\nThe following log can reveal it:\n\n[   50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n[   50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0\n[   50.729530] Call Trace:\n[   50.732899]  bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n\nFix this by adding usb_kill_urb() before usb_free_urb().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set UXN on swapper page tables\n\n[ This issue was fixed upstream by accident in c3cee924bd85 (\"arm64:\n  head: cover entire kernel image in initial ID map\") as part of a\n  large refactoring of the arm64 boot flow. This simple fix is therefore\n  preferred for -stable backporting ]\n\nOn a system that implements FEAT_EPAN, read/write access to the idmap\nis denied because UXN is not set on the swapper PTEs. As a result,\nidmap_kpti_install_ng_mappings panics the kernel when accessing\n__idmap_kpti_flag. Fix it by setting UXN on these PTEs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/poly1305 - fix a read out-of-bound\n\nA kasan error was reported during fuzzing:\n\nBUG: KASAN: slab-out-of-bounds in neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon]\nRead of size 4 at addr ffff0010e293f010 by task syz-executor.5/1646715\nCPU: 4 PID: 1646715 Comm: syz-executor.5 Kdump: loaded Not tainted 5.10.0.aarch64 #1\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.59 01/31/2019\nCall trace:\n dump_backtrace+0x0/0x394\n show_stack+0x34/0x4c arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x158/0x1e4 lib/dump_stack.c:118\n print_address_description.constprop.0+0x68/0x204 mm/kasan/report.c:387\n __kasan_report+0xe0/0x140 mm/kasan/report.c:547\n kasan_report+0x44/0xe0 mm/kasan/report.c:564\n check_memory_region_inline mm/kasan/generic.c:187 [inline]\n __asan_load4+0x94/0xd0 mm/kasan/generic.c:252\n neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon]\n neon_poly1305_do_update+0x6c/0x15c [poly1305_neon]\n neon_poly1305_update+0x9c/0x1c4 [poly1305_neon]\n crypto_shash_update crypto/shash.c:131 [inline]\n shash_finup_unaligned+0x84/0x15c crypto/shash.c:179\n crypto_shash_finup+0x8c/0x140 crypto/shash.c:193\n shash_digest_unaligned+0xb8/0xe4 crypto/shash.c:201\n crypto_shash_digest+0xa4/0xfc crypto/shash.c:217\n crypto_shash_tfm_digest+0xb4/0x150 crypto/shash.c:229\n essiv_skcipher_setkey+0x164/0x200 [essiv]\n crypto_skcipher_setkey+0xb0/0x160 crypto/skcipher.c:612\n skcipher_setkey+0x3c/0x50 crypto/algif_skcipher.c:305\n alg_setkey+0x114/0x2a0 crypto/af_alg.c:220\n alg_setsockopt+0x19c/0x210 crypto/af_alg.c:253\n __sys_setsockopt+0x190/0x2e0 net/socket.c:2123\n __do_sys_setsockopt net/socket.c:2134 [inline]\n __se_sys_setsockopt net/socket.c:2131 [inline]\n __arm64_sys_setsockopt+0x78/0x94 net/socket.c:2131\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall+0x64/0x100 arch/arm64/kernel/syscall.c:48\n el0_svc_common.constprop.0+0x220/0x230 arch/arm64/kernel/syscall.c:155\n do_el0_svc+0xb4/0xd4 arch/arm64/kernel/syscall.c:217\n el0_svc+0x24/0x3c arch/arm64/kernel/entry-common.c:353\n el0_sync_handler+0x160/0x164 arch/arm64/kernel/entry-common.c:369\n el0_sync+0x160/0x180 arch/arm64/kernel/entry.S:683\n\nThis error can be reproduced by the following code compiled as ko on a\nsystem with kasan enabled:\n\n#include <linux/module.h>\n#include <linux/crypto.h>\n#include <crypto/hash.h>\n#include <crypto/poly1305.h>\n\nchar test_data[] = \"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\"\n                   \"\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\"\n                   \"\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\"\n                   \"\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\";\n\nint init(void)\n{\n        struct crypto_shash *tfm = NULL;\n        char *data = NULL, *out = NULL;\n\n        tfm = crypto_alloc_shash(\"poly1305\", 0, 0);\n        data = kmalloc(POLY1305_KEY_SIZE - 1, GFP_KERNEL);\n        out = kmalloc(POLY1305_DIGEST_SIZE, GFP_KERNEL);\n        memcpy(data, test_data, POLY1305_KEY_SIZE - 1);\n        crypto_shash_tfm_digest(tfm, data, POLY1305_KEY_SIZE - 1, out);\n\n        kfree(data);\n        kfree(out);\n        return 0;\n}\n\nvoid deinit(void)\n{\n}\n\nmodule_init(init)\nmodule_exit(deinit)\nMODULE_LICENSE(\"GPL\");\n\nThe root cause of the bug sits in neon_poly1305_blocks. The logic\nneon_poly1305_blocks() performed is that if it was called with both s[]\nand r[] uninitialized, it will first try to initialize them with the\ndata from the first \"block\" that it believed to be 32 bytes in length.\nFirst 16 bytes are used as the key and the next 16 bytes for s[]. This\nwould lead to the aforementioned read out-of-bound. However, after\ncalling poly1305_init_arch(), only 16 bytes were deducted from the input\nand s[] is initialized yet again with the following 16 bytes. The second\ninitialization of s[] is certainly redundent which indicates that the\nfirst initialization should be for r[] only.\n\nThis patch fixes the issue by calling poly1305_init_arm64() instead o\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set UXN on swapper page tables\n\n[ This issue was fixed upstream by accident in c3cee924bd85 (\"arm64:\n  head: cover entire kernel image in initial ID map\") as part of a\n  large refactoring of the arm64 boot flow. This simple fix is therefore\n  preferred for -stable backporting ]\n\nOn a system that implements FEAT_EPAN, read/write access to the idmap\nis denied because UXN is not set on the swapper PTEs. As a result,\nidmap_kpti_install_ng_mappings panics the kernel when accessing\n__idmap_kpti_flag. Fix it by setting UXN on these PTEs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}\n\nBoth dev_name and short_name are not guaranteed to be NULL terminated so\nthis instead use strnlen and then attempt to determine if the resulting\nstring needs to be truncated or not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/af_unix: defer registered files gc to io_uring release\n\nInstead of putting io_uring's registered files in unix_gc() we want it\nto be done by io_uring itself. The trick here is to consider io_uring\nregistered files for cycle detection but not actually putting them down.\nBecause io_uring can't register other ring instances, this will remove\nall refs to the ring file triggering the ->release path and clean up\nwith io_ring_ctx_free().\n\n[axboe: add kerneldoc comment to skb, fold in skb leak fix]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Protect against send buffer overflow in NFSv2 READDIR\n\nRestore the previous limit on the @count argument to prevent a\nbuffer overflow attack.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix crash on isr after kexec()\n\nIf the system is rebooted via isr(), the IRQ handler might\nbe triggered before the domain is initialized. Resulting on\nan invalid memory access error.\n\nFix:\n[    0.500930] Unable to handle kernel read from unreadable memory at virtual address 0000000000000070\n[    0.501166] Call trace:\n[    0.501174]  report_iommu_fault+0x28/0xfc\n[    0.501180]  mtk_iommu_isr+0x10c/0x1c0\n\n[ joro: Fixed spelling in commit message ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom: fix writes in read-only memory region\n\nThis commit fixes a kernel oops because of a write in some read-only memory:\n\n\t[    9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8\n\t..snip..\n\t[    9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP\n\t..snip..\n\t[    9.269161] Call trace:\n\t[    9.276271]  __memcpy+0x5c/0x230\n\t[    9.278531]  snprintf+0x58/0x80\n\t[    9.282002]  qcom_cpufreq_msm8939_name_version+0xb4/0x190\n\t[    9.284869]  qcom_cpufreq_probe+0xc8/0x39c\n\t..snip..\n\nThe following line defines a pointer that point to a char buffer stored\nin read-only memory:\n\n\tchar *pvs_name = \"speedXX-pvsXX-vXX\";\n\nThis pointer is meant to hold a template \"speedXX-pvsXX-vXX\" where the\nXX values get overridden by the qcom_cpufreq_krait_name_version function. Since\nthe template is actually stored in read-only memory, when the function\nexecutes the following call we get an oops:\n\n\tsnprintf(*pvs_name, sizeof(\"speedXX-pvsXX-vXX\"), \"speed%d-pvs%d-v%d\",\n\t\t speed, pvs, pvs_ver);\n\nTo fix this issue, we instead store the template name onto the stack by\nusing the following syntax:\n\n\tchar pvs_name_buffer[] = \"speedXX-pvsXX-vXX\";\n\nBecause the `pvs_name` needs to be able to be assigned to NULL, the\ntemplate buffer is stored in the pvs_name_buffer and not under the\npvs_name variable.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nandroid: binder: stop saving a pointer to the VMA\n\nDo not record a pointer to a VMA outside of the mmap_lock for later use. \nThis is unsafe and there are a number of failure paths *after* the\nrecorded VMA pointer may be freed during setup.  There is no callback to\nthe driver to clear the saved pointer from generic mm code.  Furthermore,\nthe VMA pointer may become stale if any number of VMA operations end up\nfreeing the VMA so saving it was fragile to being with.\n\nInstead, change the binder_alloc struct to record the start address of the\nVMA and use vma_lookup() to get the vma when needed.  Add lockdep\nmmap_lock checks on updates to the vma pointer to ensure the lock is held\nand depend on that lock for synchronization of readers and writers - which\nwas already the case anyways, so the smp_wmb()/smp_rmb() was not\nnecessary.\n\n[akpm@linux-foundation.org: fix drivers/android/binder_alloc_selftest.c]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0"
        },
        {
          "id": "CVE-2022-50241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix use-after-free on source server when doing inter-server copy\n\nUse-after-free occurred when the laundromat tried to free expired\ncpntf_state entry on the s2s_cp_stateids list after inter-server\ncopy completed. The sc_cp_list that the expired copy state was\ninserted on was already freed.\n\nWhen COPY completes, the Linux client normally sends LOCKU(lock_state x),\nFREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.\nThe nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state\nfrom the s2s_cp_stateids list before freeing the lock state's stid.\n\nHowever, sometimes the CLOSE was sent before the FREE_STATEID request.\nWhen this happens, the nfsd4_close_open_stateid call from nfsd4_close\nfrees all lock states on its st_locks list without cleaning up the copy\nstate on the sc_cp_list list. When the time the FREE_STATEID arrives the\nserver returns BAD_STATEID since the lock state was freed. This causes\nthe use-after-free error to occur when the laundromat tries to free\nthe expired cpntf_state.\n\nThis patch adds a call to nfs4_free_cpntf_statelist in\nnfsd4_close_open_stateid to clean up the copy state before calling\nfree_ol_stateid_reaplist to free the lock state's stid on the reaplist.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()\n\nIf vp alloc failed in qlcnic_sriov_init(), all previously allocated vp\nneeds to be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: handle the error returned from sctp_auth_asoc_init_active_key\n\nWhen it returns an error from sctp_auth_asoc_init_active_key(), the\nactive_key is actually not updated. The old sh_key will be freeed\nwhile it's still used as active key in asoc. Then an use-after-free\nwill be triggered when sending patckets, as found by syzbot:\n\n  sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112\n  sctp_set_owner_w net/sctp/socket.c:132 [inline]\n  sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863\n  sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025\n  inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819\n  sock_sendmsg_nosec net/socket.c:714 [inline]\n  sock_sendmsg+0xcf/0x120 net/socket.c:734\n\nThis patch is to fix it by not replacing the sh_key when it returns\nerrors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().\nFor sctp_auth_set_active_key(), old active_key_id will be set back\nto asoc->active_key_id when the same thing happens.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()\n\nIf device_register() fails in cxl_pci_afu|adapter(), the device\nis not added, device_unregister() can not be called in the error\npath, otherwise it will cause a null-ptr-deref because of removing\nnot added device.\n\nAs comment of device_register() says, it should use put_device() to give\nup the reference in the error path. So split device_unregister() into\ndevice_del() and put_device(), then goes to put dev when register fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: fix possible UAF when kfifo_alloc() fails\n\nIf kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free\npriv. But priv is still in the chdev->file_list, then list traversal\nmay cause UAF. This fixes the following smatch warning:\n\ndrivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpci: fix of node refcount leak in tcpci_register_port()\n\nI got the following report while doing device(mt6370-tcpc) load\ntest with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:\n\n  OF: ERROR: memory leak, expected refcount 1 instead of 2,\n  of_node_get()/of_node_put() unbalanced - destroy cset entry:\n  attach overlay node /i2c/pmic@34/tcpc/connector\n\nThe 'fwnode' set in tcpci_parse_config() which is called\nin tcpci_register_port(), its node refcount is increased\nin device_get_named_child_node(). It needs be put while\nexiting, so call fwnode_handle_put() in the error path of\ntcpci_register_port() and in tcpci_unregister_port() to\navoid leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq\n\nCan not set the @shared_hcd to NULL before decrease the usage count\nby usb_put_hcd(), this will cause the shared hcd not released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix double free on tx path.\n\nWe see kernel crashes and lockups and KASAN errors related to ax210\nfirmware crashes.  One of the KASAN dumps pointed at the tx path,\nand it appears there is indeed a way to double-free an skb.\n\nIf iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the\nmethod will be freed.  But, in case where we build TSO skb buffer,\nthe skb may also be freed in error case.  So, return 0 in that particular\nerror case and do cleanup manually.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90\niwlwifi 0000:06:00.0: 0x00000000 | tsf hi\nRead of size 8 at addr ffff88813cfa4ba0 by task btserver/9650\n\nCPU: 4 PID: 9650 Comm: btserver Tainted: G        W         5.19.8+ #5\niwlwifi 0000:06:00.0: 0x00000000 | time gp1\nHardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019\nCall Trace:\n <TASK>\n dump_stack_lvl+0x55/0x6d\n print_report.cold.12+0xf2/0x684\niwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2\n ? __list_del_entry_valid+0x12/0x90\n kasan_report+0x8b/0x180\niwlwifi 0000:06:00.0: 0x00000001 | uCode revision type\n ? __list_del_entry_valid+0x12/0x90\n __list_del_entry_valid+0x12/0x90\niwlwifi 0000:06:00.0: 0x00000048 | uCode version major\n tcp_update_skb_after_send+0x5d/0x170\n __tcp_transmit_skb+0xb61/0x15c0\niwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor\n ? __tcp_select_window+0x490/0x490\niwlwifi 0000:06:00.0: 0x00000420 | hw version\n ? trace_kmalloc_node+0x29/0xd0\n ? __kmalloc_node_track_caller+0x12a/0x260\n ? memset+0x1f/0x40\n ? __build_skb_around+0x125/0x150\n ? __alloc_skb+0x1d4/0x220\n ? skb_zerocopy_clone+0x55/0x230\niwlwifi 0000:06:00.0: 0x00489002 | board version\n ? kmalloc_reserve+0x80/0x80\n ? rcu_read_lock_bh_held+0x60/0xb0\n tcp_write_xmit+0x3f1/0x24d0\niwlwifi 0000:06:00.0: 0x034E001C | hcmd\n ? __check_object_size+0x180/0x350\niwlwifi 0000:06:00.0: 0x24020000 | isr0\n tcp_sendmsg_locked+0x8a9/0x1520\niwlwifi 0000:06:00.0: 0x01400000 | isr1\n ? tcp_sendpage+0x50/0x50\niwlwifi 0000:06:00.0: 0x48F0000A | isr2\n ? lock_release+0xb9/0x400\n ? tcp_sendmsg+0x14/0x40\niwlwifi 0000:06:00.0: 0x00C3080C | isr3\n ? lock_downgrade+0x390/0x390\n ? do_raw_spin_lock+0x114/0x1d0\niwlwifi 0000:06:00.0: 0x00200000 | isr4\n ? rwlock_bug.part.2+0x50/0x50\niwlwifi 0000:06:00.0: 0x034A001C | last cmd Id\n ? rwlock_bug.part.2+0x50/0x50\n ? lockdep_hardirqs_on_prepare+0xe/0x200\niwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event\n ? __local_bh_enable_ip+0x87/0xe0\n ? inet_send_prepare+0x220/0x220\niwlwifi 0000:06:00.0: 0x000000C4 | l2p_control\n tcp_sendmsg+0x22/0x40\n sock_sendmsg+0x5f/0x70\niwlwifi 0000:06:00.0: 0x00010034 | l2p_duration\n __sys_sendto+0x19d/0x250\niwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid\n ? __ia32_sys_getpeername+0x40/0x40\niwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? lock_release+0xb9/0x400\n ? lock_downgrade+0x390/0x390\n ? ktime_get+0x64/0x130\n ? ktime_get+0x8d/0x130\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n __x64_sys_sendto+0x6f/0x80\n do_syscall_64+0x34/0xb0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f1d126e4531\nCode: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89\nRSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531\nRDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014\nRBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: of: Fix refcount leak bug in of_get_ddr_timings()\n\nWe should add the of_node_put() when breaking out of\nfor_each_child_of_node() as it will automatically increase\nand decrease the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix use_count leakage when handling boot-on\n\nI found a use_count leakage towards supply regulator of rdev with\nboot-on option.\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510           \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  regulator_dev A  \u2502           \u2502  regulator_dev B  \u2502\n\u2502     (boot-on)     \u2502           \u2502     (boot-on)     \u2502\n\u2502    use_count=0    \u2502\u25c0\u2500\u2500supply\u2500\u2500\u2502    use_count=1    \u2502\n\u2502                   \u2502           \u2502                   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518           \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nIn case of rdev(A) configured with `regulator-boot-on', the use_count\nof supplying regulator(B) will increment inside\nregulator_enable(rdev->supply).\n\nThus, B will acts like always-on, and further balanced\nregulator_enable/disable cannot actually disable it anymore.\n\nHowever, B was also configured with `regulator-boot-on', we wish it\ncould be disabled afterwards.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host(), besides, the timer added before mmc_add_host() needs be del.\n\nAnd this patch fixes another missing call mmc_free_host() if usb_control_msg()\nfails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Do not free q_vector unless new one was allocated\n\nAvoid potential use-after-free condition under memory pressure. If the\nkzalloc() fails, q_vector will be freed but left in the original\nadapter->q_vector[v_idx] array position.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb->len != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb->len == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn't really reproduce outside of syzkaller\nenvironment, so I'm taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb->len == 0.\nDoesn't seem like we can do anything better than having\nan explicit check after __skb_pull?",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ov8865: Fix an error handling path in ov8865_probe()\n\nThe commit in Fixes also introduced some new error handling which should\ngoto the existing error handling path.\nOtherwise some resources leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix reading strings from synthetic events\n\nThe following commands caused a crash:\n\n  # cd /sys/kernel/tracing\n  # echo 's:open char file[]' > dynamic_events\n  # echo 'hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)' > events/syscalls/sys_enter_openat/trigger'\n  # echo 1 > events/synthetic/open/enable\n\nBOOM!\n\nThe problem is that the synthetic event field \"char file[]\" will read\nthe value given to it as a string without any memory checks to make sure\nthe address is valid. The above example will pass in the user space\naddress and the synthetic event code will happily call strlen() on it\nand then strscpy() where either one will cause an oops when accessing\nuser space addresses.\n\nUse the helper functions from trace_kprobe and trace_eprobe that can\nread strings safely (and actually succeed when the address is from user\nspace and the memory is mapped in).\n\nNow the above can show:\n\n     packagekitd-1721    [000] ...2.   104.597170: open: file=/usr/lib/rpm/fileattrs/cmake.attr\n    in:imjournal-978     [006] ...2.   104.599642: open: file=/var/lib/rsyslog/imjournal.state.tmp\n     packagekitd-1721    [000] ...2.   104.626308: open: file=/usr/lib/rpm/fileattrs/debuginfo.attr",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: remove drm bridges at aggregate driver unbind time\n\ndrm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init\nwere not manually removed at module unload time, which caused dangling\nreferences to freed memory to remain linked in the global bridge_list.\n\nWhen loading the driver modules back in, the same functions would again\ncall drm_bridge_add, and when traversing the global bridge_list, would\nend up peeking into freed memory.\n\nOnce again KASAN revealed the problem:\n\n[  +0.000095] =============================================================\n[  +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120\n[  +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483\n\n[  +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1\n[  +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[  +0.000008] Call trace:\n[  +0.000006]  dump_backtrace+0x1ec/0x280\n[  +0.000012]  show_stack+0x24/0x80\n[  +0.000008]  dump_stack_lvl+0x98/0xd4\n[  +0.000011]  print_address_description.constprop.0+0x80/0x520\n[  +0.000011]  print_report+0x128/0x260\n[  +0.000008]  kasan_report+0xb8/0xfc\n[  +0.000008]  __asan_report_load8_noabort+0x3c/0x50\n[  +0.000009]  __list_add_valid+0x9c/0x120\n[  +0.000009]  drm_bridge_add+0x6c/0x104 [drm]\n[  +0.000165]  dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]\n[  +0.000022]  meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]\n[  +0.000014]  component_bind+0x174/0x520\n[  +0.000012]  component_bind_all+0x1a8/0x38c\n[  +0.000010]  meson_drv_bind_master+0x5e8/0xb74 [meson_drm]\n[  +0.000032]  meson_drv_bind+0x20/0x2c [meson_drm]\n[  +0.000027]  try_to_bring_up_aggregate_device+0x19c/0x390\n[  +0.000010]  component_master_add_with_match+0x1c8/0x284\n[  +0.000009]  meson_drv_probe+0x274/0x280 [meson_drm]\n[  +0.000026]  platform_probe+0xd0/0x220\n[  +0.000009]  really_probe+0x3ac/0xa80\n[  +0.000009]  __driver_probe_device+0x1f8/0x400\n[  +0.000009]  driver_probe_device+0x68/0x1b0\n[  +0.000009]  __driver_attach+0x20c/0x480\n[  +0.000008]  bus_for_each_dev+0x114/0x1b0\n[  +0.000009]  driver_attach+0x48/0x64\n[  +0.000008]  bus_add_driver+0x390/0x564\n[  +0.000009]  driver_register+0x1a8/0x3e4\n[  +0.000009]  __platform_driver_register+0x6c/0x94\n[  +0.000008]  meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]\n[  +0.000027]  do_one_initcall+0xc4/0x2b0\n[  +0.000011]  do_init_module+0x154/0x570\n[  +0.000011]  load_module+0x1a78/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000009]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000009]  invoke_syscall+0x74/0x260\n[  +0.000009]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000008]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000012]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000008]  el0t_64_sync+0x18c/0x190\n\n[  +0.000016] Allocated by task 879:\n[  +0.000008]  kasan_save_stack+0x2c/0x5c\n[  +0.000011]  __kasan_kmalloc+0x90/0xd0\n[  +0.000007]  __kmalloc+0x278/0x4a0\n[  +0.000011]  mpi_resize+0x13c/0x1d0\n[  +0.000011]  mpi_powm+0xd24/0x1570\n[  +0.000009]  rsa_enc+0x1a4/0x30c\n[  +0.000009]  pkcs1pad_verify+0x3f0/0x580\n[  +0.000009]  public_key_verify_signature+0x7a8/0xba4\n[  +0.000010]  public_key_verify_signature_2+0x40/0x60\n[  +0.000008]  verify_signature+0xb4/0x114\n[  +0.000008]  pkcs7_validate_trust_one.constprop.0+0x3b8/0x574\n[  +0.000009]  pkcs7_validate_trust+0xb8/0x15c\n[  +0.000008]  verify_pkcs7_message_sig+0xec/0x1b0\n[  +0.000012]  verify_pkcs7_signature+0x78/0xac\n[  +0.000007]  mod_verify_sig+0x110/0x190\n[  +0.000009]  module_sig_check+0x114/0x1e0\n[  +0.000009]  load_module+0xa0/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000008]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000008]  invoke_syscall+0x74/0x260\n[  +0.000009]  el0_svc_common.constprop.0+0x1a8/0x260\n[  +0.000008]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000009]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000009]  el0t_64\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/gntdev: Prevent leaking grants\n\nPrior to this commit, if a grant mapping operation failed partially,\nsome of the entries in the map_ops array would be invalid, whereas all\nof the entries in the kmap_ops array would be valid. This in turn would\ncause the following logic in gntdev_map_grant_pages to become invalid:\n\n  for (i = 0; i < map->count; i++) {\n    if (map->map_ops[i].status == GNTST_okay) {\n      map->unmap_ops[i].handle = map->map_ops[i].handle;\n      if (!use_ptemod)\n        alloced++;\n    }\n    if (use_ptemod) {\n      if (map->kmap_ops[i].status == GNTST_okay) {\n        if (map->map_ops[i].status == GNTST_okay)\n          alloced++;\n        map->kunmap_ops[i].handle = map->kmap_ops[i].handle;\n      }\n    }\n  }\n  ...\n  atomic_add(alloced, &map->live_grants);\n\nAssume that use_ptemod is true (i.e., the domain mapping the granted\npages is a paravirtualized domain). In the code excerpt above, note that\nthe \"alloced\" variable is only incremented when both kmap_ops[i].status\nand map_ops[i].status are set to GNTST_okay (i.e., both mapping\noperations are successful).  However, as also noted above, there are\ncases where a grant mapping operation fails partially, breaking the\nassumption of the code excerpt above.\n\nThe aforementioned causes map->live_grants to be incorrectly set. In\nsome cases, all of the map_ops mappings fail, but all of the kmap_ops\nmappings succeed, meaning that live_grants may remain zero. This in turn\nmakes it impossible to unmap the successfully grant-mapped pages pointed\nto by kmap_ops, because unmap_grant_pages has the following snippet of\ncode at its beginning:\n\n  if (atomic_read(&map->live_grants) == 0)\n    return; /* Nothing to do */\n\nIn other cases where only some of the map_ops mappings fail but all\nkmap_ops mappings succeed, live_grants is made positive, but when the\nuser requests unmapping the grant-mapped pages, __unmap_grant_pages_done\nwill then make map->live_grants negative, because the latter function\ndoes not check if all of the pages that were requested to be unmapped\nwere actually unmapped, and the same function unconditionally subtracts\n\"data->count\" (i.e., a value that can be greater than map->live_grants)\nfrom map->live_grants. The side effects of a negative live_grants value\nhave not been studied.\n\nThe net effect of all of this is that grant references are leaked in one\nof the above conditions. In Qubes OS v4.1 (which uses Xen's grant\nmechanism extensively for X11 GUI isolation), this issue manifests\nitself with warning messages like the following to be printed out by the\nLinux kernel in the VM that had granted pages (that contain X11 GUI\nwindow data) to dom0: \"g.e. 0x1234 still pending\", especially after the\nuser rapidly resizes GUI VM windows (causing some grant-mapping\noperations to partially or completely fail, due to the fact that the VM\nunshares some of the pages as part of the window resizing, making the\npages impossible to grant-map from dom0).\n\nThe fix for this issue involves counting all successful map_ops and\nkmap_ops mappings separately, and then adding the sum to live_grants.\nDuring unmapping, only the number of successfully unmapped grants is\nsubtracted from live_grants. The code is also modified to check for\nnegative live_grants values after the subtraction and warn the user.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()\n\nThis patch fixes a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware\nversion string by memcpy() in brcmf_fil_iovar_data_get().\nThe patch ensures buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3\n[   47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   47.601565][ T1897] ==================================================================\n[   47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0\n[   47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897\n[   47.604336][ T1897]\n[   47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #131\n[   47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   47.606907][ T1897] Workqueue: usb_hub_wq hub_event\n[   47.607453][ T1897] Call Trace:\n[   47.607801][ T1897]  dump_stack_lvl+0x8e/0xd1\n[   47.608295][ T1897]  print_address_description.constprop.0.cold+0xf/0x334\n[   47.609009][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609434][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.609863][ T1897]  kasan_report.cold+0x83/0xdf\n[   47.610366][ T1897]  ? strsep+0x1b2/0x1f0\n[   47.610882][ T1897]  strsep+0x1b2/0x1f0\n[   47.611300][ T1897]  ? brcmf_fil_iovar_data_get+0x3a/0xf0\n[   47.611883][ T1897]  brcmf_c_preinit_dcmds+0x995/0xc40\n[   47.612434][ T1897]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   47.613078][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   47.613662][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   47.614208][ T1897]  ? lock_acquire+0x19d/0x4e0\n[   47.614704][ T1897]  ? find_held_lock+0x2d/0x110\n[   47.615236][ T1897]  ? brcmf_usb_deq+0x1a7/0x260\n[   47.615741][ T1897]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   47.616288][ T1897]  brcmf_attach+0x246/0xd40\n[   47.616758][ T1897]  ? wiphy_new_nm+0x1703/0x1dd0\n[   47.617280][ T1897]  ? kmemdup+0x43/0x50\n[   47.617720][ T1897]  brcmf_usb_probe+0x12de/0x1690\n[   47.618244][ T1897]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   47.618901][ T1897]  usb_probe_interface+0x2aa/0x760\n[   47.619429][ T1897]  ? usb_probe_device+0x250/0x250\n[   47.619950][ T1897]  really_probe+0x205/0xb70\n[   47.620435][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.621048][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.621595][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.622209][ T1897]  driver_probe_device+0x4e/0x150\n[   47.622739][ T1897]  __device_attach_driver+0x1cc/0x2a0\n[   47.623287][ T1897]  bus_for_each_drv+0x156/0x1d0\n[   47.623796][ T1897]  ? bus_rescan_devices+0x30/0x30\n[   47.624309][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   47.624907][ T1897]  ? trace_hardirqs_on+0x46/0x160\n[   47.625437][ T1897]  __device_attach+0x23f/0x3a0\n[   47.625924][ T1897]  ? device_bind_driver+0xd0/0xd0\n[   47.626433][ T1897]  ? kobject_uevent_env+0x287/0x14b0\n[   47.627057][ T1897]  bus_probe_device+0x1da/0x290\n[   47.627557][ T1897]  device_add+0xb7b/0x1eb0\n[   47.628027][ T1897]  ? wait_for_completion+0x290/0x290\n[   47.628593][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0\n[   47.629249][ T1897]  usb_set_configuration+0xf59/0x16f0\n[   47.629829][ T1897]  usb_generic_driver_probe+0x82/0xa0\n[   47.630385][ T1897]  usb_probe_device+0xbb/0x250\n[   47.630927][ T1897]  ? usb_suspend+0x590/0x590\n[   47.631397][ T1897]  really_probe+0x205/0xb70\n[   47.631855][ T1897]  ? driver_allows_async_probing+0x130/0x130\n[   47.632469][ T1897]  __driver_probe_device+0x311/0x4b0\n[   47.633002][ \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: fix race in sock_map_free()\n\nsock_map_free() calls release_sock(sk) without owning a reference\non the socket. This can cause use-after-free as syzbot found [1]\n\nJakub Sitnicki already took care of a similar issue\nin sock_hash_free() in commit 75e68e5bf2c7 (\"bpf, sockhash:\nSynchronize delete from bucket list on map free\")\n\n[1]\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31\nModules linked in:\nCPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: events_unbound bpf_map_free_deferred\nRIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31\nCode: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff\nRSP: 0018:ffffc9000456fb60 EFLAGS: 00010246\nRAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0\nRDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000\nRBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5\nR10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004\nR13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n__refcount_dec include/linux/refcount.h:344 [inline]\nrefcount_dec include/linux/refcount.h:359 [inline]\n__sock_put include/net/sock.h:779 [inline]\ntcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092\nrelease_sock+0xaf/0x1c0 net/core/sock.c:3468\nsock_map_free+0x219/0x2c0 net/core/sock_map.c:356\nprocess_one_work+0x81c/0xd10 kernel/workqueue.c:2289\nworker_thread+0xb14/0x1330 kernel/workqueue.c:2436\nkthread+0x266/0x300 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Make .remove and .shutdown HW shutdown consistent\n\nDrivers' .remove and .shutdown callbacks are executed on different code\npaths. The former is called when a device is removed from the bus, while\nthe latter is called at system shutdown time to quiesce the device.\n\nThis means that some overlap exists between the two, because both have to\ntake care of properly shutting down the hardware. But currently the logic\nused in these two callbacks isn't consistent in msm drivers, which could\nlead to kernel panic.\n\nFor example, on .remove the component is deleted and its .unbind callback\nleads to the hardware being shutdown but only if the DRM device has been\nmarked as registered.\n\nThat check doesn't exist in the .shutdown logic and this can lead to the\ndriver calling drm_atomic_helper_shutdown() for a DRM device that hasn't\nbeen properly initialized.\n\nA situation like this can happen if drivers for expected sub-devices fail\nto probe, since the .bind callback will never be executed. If that is the\ncase, drm_atomic_helper_shutdown() will attempt to take mutexes that are\nonly initialized if drm_mode_config_init() is called during a device bind.\n\nThis bug was attempted to be fixed in commit 623f279c7781 (\"drm/msm: fix\nshutdown hook in case GPU components failed to bind\"), but unfortunately\nit still happens in some cases as the one mentioned above, i.e:\n\n  systemd-shutdown[1]: Powering off.\n  kvm: exiting hardware virtualization\n  platform wifi-firmware.0: Removing from iommu group 12\n  platform video-firmware.0: Removing from iommu group 10\n  ------------[ cut here ]------------\n  WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0\n  ...\n  Hardware name: Google CoachZ (rev3+) (DT)\n  pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0\n  lr : drm_modeset_lock_all_ctx+0x48/0x3d0\n  sp : ffff80000805bb80\n  x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000\n  x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030\n  x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800\n  x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034\n  x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000\n  x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n  x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000\n  x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0\n  Call trace:\n   drm_modeset_lock_all_ctx+0x3c4/0x3d0\n   drm_atomic_helper_shutdown+0x70/0x134\n   msm_drv_shutdown+0x30/0x40\n   platform_shutdown+0x28/0x40\n   device_shutdown+0x148/0x350\n   kernel_power_off+0x38/0x80\n   __do_sys_reboot+0x288/0x2c0\n   __arm64_sys_reboot+0x28/0x34\n   invoke_syscall+0x48/0x114\n   el0_svc_common.constprop.0+0x44/0xec\n   do_el0_svc+0x2c/0xc0\n   el0_svc+0x2c/0x84\n   el0t_64_sync_handler+0x11c/0x150\n   el0t_64_sync+0x18c/0x190\n  ---[ end trace 0000000000000000 ]---\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n  Mem abort info:\n    ESR = 0x0000000096000004\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000004\n    CM = 0, WnR = 0\n  user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000\n  [0000000000000018] pgd=0000000000000000, p4d=0000000000000000\n  Internal error: Oops: 96000004 [#1] PREEMPT SMP\n  ...\n  Hardware name: Google CoachZ (rev3+) (DT)\n  pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : ww_mutex_lock+0x28/0x32c\n  lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0\n  sp : ffff80000805bb50\n  x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000\n  x26: 00000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n  drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .mode_valid = sti_hda_connector_mode_valid,\n                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .mode_valid = sti_dvo_connector_mode_valid,\n                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .mode_valid = sti_hdmi_connector_mode_valid,\n                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n->mode_valid() in 'struct drm_connector_helper_funcs' expects a return\ntype of 'enum drm_mode_status', not 'int'. Adjust the return type of\nsti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to\nresolve the warning and CFI failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate BOOT record_size\n\nWhen the NTFS BOOT record_size field < 0, it represents a\nshift value. However, there is no sanity check on the shift result\nand the sbi->record_bits calculation through blksize_bits() assumes\nthe size always > 256, which could lead to NPD while mounting a\nmalformed NTFS image.\n\n[  318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  318.675682] #PF: supervisor read access in kernel mode\n[  318.675869] #PF: error_code(0x0000) - not-present page\n[  318.676246] PGD 0 P4D 0\n[  318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5\n[  318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0\n[  318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180\n[  318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246\n[  318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080\n[  318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[  318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080\n[  318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000\n[  318.683618] FS:  00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000\n[  318.684280] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0\n[  318.685623] Call Trace:\n[  318.686607]  <TASK>\n[  318.686872]  ? ntfs_alloc_inode+0x1a/0x60\n[  318.687235]  attr_load_runs_vcn+0x2b/0xa0\n[  318.687468]  mi_read+0xbb/0x250\n[  318.687576]  ntfs_iget5+0x114/0xd90\n[  318.687750]  ntfs_fill_super+0x588/0x11b0\n[  318.687953]  ? put_ntfs+0x130/0x130\n[  318.688065]  ? snprintf+0x49/0x70\n[  318.688164]  ? put_ntfs+0x130/0x130\n[  318.688256]  get_tree_bdev+0x16a/0x260\n[  318.688407]  vfs_get_tree+0x20/0xb0\n[  318.688519]  path_mount+0x2dc/0x9b0\n[  318.688877]  do_mount+0x74/0x90\n[  318.689142]  __x64_sys_mount+0x89/0xd0\n[  318.689636]  do_syscall_64+0x3b/0x90\n[  318.689998]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  318.690318] RIP: 0033:0x7fd9e133c48a\n[  318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[  318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a\n[  318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0\n[  318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020\n[  318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0\n[  318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff\n[  318.693007]  </TASK>\n[  318.693271] Modules linked in:\n[  318.693614] CR2: 0000000000000158\n[  318.694446] ---[ end trace 0000000000000000 ]---\n[  318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0\n[  318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180\n[  318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246\n[  318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080\n[  318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[  318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080\n[  318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000\n[  318.700973] FS:  00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000\n[\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpasim: fix memory leak when freeing IOTLBs\n\nAfter commit bda324fd037a (\"vdpasim: control virtqueue support\"),\nvdpasim->iommu became an array of IOTLB, so we should clean the\nmappings of each IOTLB one by one when freeing, instead of just deleting\nthe ranges in the first IOTLB, which may leak maps.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: socfpga: Fix memory leak in socfpga_gate_init()\n\nFree @socfpga_clk and @ops on the error path to avoid memory leak issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: annotate data-races around kcm->rx_wait\n\nkcm->rx_psock can be read locklessly in kcm_rfree().\nAnnotate the read and writes accordingly.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in kcm_rcv_strparser / kcm_rfree\n\nwrite to 0xffff88810784e3d0 of 1 bytes by task 1823 on cpu 1:\nreserve_rx_kcm net/kcm/kcmsock.c:283 [inline]\nkcm_rcv_strparser+0x250/0x3a0 net/kcm/kcmsock.c:363\n__strp_recv+0x64c/0xd20 net/strparser/strparser.c:301\nstrp_recv+0x6d/0x80 net/strparser/strparser.c:335\ntcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703\nstrp_read_sock net/strparser/strparser.c:358 [inline]\ndo_strp_work net/strparser/strparser.c:406 [inline]\nstrp_work+0xe8/0x180 net/strparser/strparser.c:415\nprocess_one_work+0x3d3/0x720 kernel/workqueue.c:2289\nworker_thread+0x618/0xa70 kernel/workqueue.c:2436\nkthread+0x1a9/0x1e0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nread to 0xffff88810784e3d0 of 1 bytes by task 17869 on cpu 0:\nkcm_rfree+0x121/0x220 net/kcm/kcmsock.c:181\nskb_release_head_state+0x8e/0x160 net/core/skbuff.c:841\nskb_release_all net/core/skbuff.c:852 [inline]\n__kfree_skb net/core/skbuff.c:868 [inline]\nkfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891\nkfree_skb include/linux/skbuff.h:1216 [inline]\nkcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161\n____sys_recvmsg+0x16c/0x2e0\n___sys_recvmsg net/socket.c:2743 [inline]\ndo_recvmmsg+0x2f1/0x710 net/socket.c:2837\n__sys_recvmmsg net/socket.c:2916 [inline]\n__do_sys_recvmmsg net/socket.c:2939 [inline]\n__se_sys_recvmmsg net/socket.c:2932 [inline]\n__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x01 -> 0x00\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 17869 Comm: syz-executor.2 Not tainted 6.1.0-rc1-syzkaller-00010-gbb1a1146467a-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix check for probe enabled in kill_kprobe()\n\nIn kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be\ncalled always fails. This is because before that we set the\nKPROBE_FLAG_GONE flag for kprobe so that \"!kprobe_disabled(p)\" is always\nfalse.\n\nThe disarm_kprobe_ftrace() call introduced by commit:\n\n  0cb2f1372baa (\"kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler\")\n\nto fix the NULL pointer reference problem. When the probe is enabled, if\nwe do not disarm it, this problem still exists.\n\nFix it by putting the probe enabled check before setting the\nKPROBE_FLAG_GONE flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: rtsx_pci: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path, beside, runtime PM also needs be disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: moxart: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix memory leak in vkms_init()\n\nA memory leak was reported after the vkms module install failed.\n\nunreferenced object 0xffff88810bc28520 (size 16):\n  comm \"modprobe\", pid 9662, jiffies 4298009455 (age 42.590s)\n  hex dump (first 16 bytes):\n    01 01 00 64 81 88 ff ff 00 00 dc 0a 81 88 ff ff  ...d............\n  backtrace:\n    [<00000000e7561ff8>] kmalloc_trace+0x27/0x60\n    [<000000000b1954a0>] 0xffffffffc45200a9\n    [<00000000abbf1da0>] do_one_initcall+0xd0/0x4f0\n    [<000000001505ee87>] do_init_module+0x1a4/0x680\n    [<00000000958079ad>] load_module+0x6249/0x7110\n    [<00000000117e4696>] __do_sys_finit_module+0x140/0x200\n    [<00000000f74b12d2>] do_syscall_64+0x35/0x80\n    [<000000008fc6fcde>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe reason is that the vkms_init() returns without checking the return\nvalue of vkms_create(), and if the vkms_create() failed, the config\nallocated at the beginning of vkms_init() is leaked.\n\n vkms_init()\n   config = kmalloc(...) # config allocated\n   ...\n   return vkms_create() # vkms_create failed and config is leaked\n\nFix this problem by checking return value of vkms_create() and free the\nconfig if error happened.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix the assign logic of iocb\n\ncommit 18ae8d12991b (\"f2fs: show more DIO information in tracepoint\")\nintroduces iocb field in 'f2fs_direct_IO_enter' trace event\nAnd it only assigns the pointer and later it accesses its field\nin trace print log.\n\nUnable to handle kernel paging request at virtual address ffffffc04cef3d30\nMem abort info:\nESR = 0x96000007\nEC = 0x25: DABT (current EL), IL = 32 bits\n\n pc : trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4\n lr : trace_raw_output_f2fs_direct_IO_enter+0x2c/0xa4\n sp : ffffffc0443cbbd0\n x29: ffffffc0443cbbf0 x28: ffffff8935b120d0 x27: ffffff8935b12108\n x26: ffffff8935b120f0 x25: ffffff8935b12100 x24: ffffff8935b110c0\n x23: ffffff8935b10000 x22: ffffff88859a936c x21: ffffff88859a936c\n x20: ffffff8935b110c0 x19: ffffff8935b10000 x18: ffffffc03b195060\n x17: ffffff8935b11e76 x16: 00000000000000cc x15: ffffffef855c4f2c\n x14: 0000000000000001 x13: 000000000000004e x12: ffff0000ffffff00\n x11: ffffffef86c350d0 x10: 00000000000010c0 x9 : 000000000fe0002c\n x8 : ffffffc04cef3d28 x7 : 7f7f7f7f7f7f7f7f x6 : 0000000002000000\n x5 : ffffff8935b11e9a x4 : 0000000000006250 x3 : ffff0a00ffffff04\n x2 : 0000000000000002 x1 : ffffffef86a0a31f x0 : ffffff8935b10000\n Call trace:\n  trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4\n  print_trace_fmt+0x9c/0x138\n  print_trace_line+0x154/0x254\n  tracing_read_pipe+0x21c/0x380\n  vfs_read+0x108/0x3ac\n  ksys_read+0x7c/0xec\n  __arm64_sys_read+0x20/0x30\n  invoke_syscall+0x60/0x150\n  el0_svc_common.llvm.1237943816091755067+0xb8/0xf8\n  do_el0_svc+0x28/0xa0\n\nFix it by copying the required variables for printing and while at\nit fix the similar issue at some other places in the same file.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: Use kvmalloc/kvfree for larger packets.\n\nWhen copying a large file over sftp over vsock, data size is usually 32kB,\nand kmalloc seems to fail to try to allocate 32 32kB regions.\n\n vhost-5837: page allocation failure: order:4, mode:0x24040c0\n Call Trace:\n  [<ffffffffb6a0df64>] dump_stack+0x97/0xdb\n  [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138\n  [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8\n  [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d\n  [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19\n  [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb\n  [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7\n  [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d\n  [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]\n  [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]\n  [<ffffffffb683ddce>] kthread+0xfd/0x105\n  [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]\n  [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3\n  [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80\n  [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3\n\nWork around by doing kvmalloc instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\n\nWei Chen reports a kernel bug as blew:\n\ngeneral protection fault, probably for non-canonical address\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n...\nCall Trace:\n<TASK>\n__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109\ni2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170\ni2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297\ni2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:870 [inline]\n__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fd834a8bded\n\nIn az6027_i2c_xfer(), if msg[i].addr is 0x99,\na null-ptr-deref will caused when accessing msg[i].buf.\nFor msg[i].len is 0 and msg[i].buf is null.\n\nFix this by checking msg[i].len in az6027_i2c_xfer().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on destination blkaddr during recovery\n\nAs Wenqing Liu reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=216456\n\nloop5: detected capacity change from 0 to 131072\nF2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1\nF2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0\nF2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1\nF2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0\nF2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1\nF2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0\nF2FS-fs (loop5): Bitmap was wrongly set, blk:5634\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 1013 at fs/f2fs/segment.c:2198\nRIP: 0010:update_sit_entry+0xa55/0x10b0 [f2fs]\nCall Trace:\n <TASK>\n f2fs_do_replace_block+0xa98/0x1890 [f2fs]\n f2fs_replace_block+0xeb/0x180 [f2fs]\n recover_data+0x1a69/0x6ae0 [f2fs]\n f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]\n f2fs_fill_super+0x4665/0x61e0 [f2fs]\n mount_bdev+0x2cf/0x3b0\n legacy_get_tree+0xed/0x1d0\n vfs_get_tree+0x81/0x2b0\n path_mount+0x47e/0x19d0\n do_mount+0xce/0xf0\n __x64_sys_mount+0x12c/0x1a0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIf we enable CONFIG_F2FS_CHECK_FS config, it will trigger a kernel panic\ninstead of warning.\n\nThe root cause is: in fuzzed image, SIT table is inconsistent with inode\nmapping table, result in triggering such warning during SIT table update.\n\nThis patch introduces a new flag DATA_GENERIC_ENHANCE_UPDATE, w/ this\nflag, data block recovery flow can check destination blkaddr's validation\nin SIT table, and skip f2fs_replace_block() to avoid inconsistent status.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: adopts refcnt to avoid UAF\n\ndvb_unregister_device() is known that prone to use-after-free.\nThat is, the cleanup from dvb_unregister_device() releases the dvb_device\neven if there are pointers stored in file->private_data still refer to it.\n\nThis patch adds a reference counter into struct dvb_device and delays its\ndeallocation until no pointer refers to the object.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Add the missed acpi_put_table() to fix memory leak\n\nWhen the radeon driver reads the bios information from ACPI\ntable in radeon_acpi_vfct_bios(), it misses to call acpi_put_table()\nto release the ACPI memory after the init, so add acpi_put_table()\nproperly to fix the memory leak.\n\nv2: fix text formatting (Alex)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: fix null pointer dereferencing in power_supply_get_battery_info\n\nwhen kmalloc() fail to allocate memory in kasprintf(), propname\nwill be NULL, strcmp() called by of_get_property() will cause\nnull pointer dereference.\n\nSo return ENOMEM if kasprintf() return NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don't allow journal inode to have encrypt flag\n\nMounting a filesystem whose journal inode has the encrypt flag causes a\nNULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt'\nmount option is used.\n\nThe problem is that when jbd2_journal_init_inode() calls bmap(), it\neventually finds its way into ext4_iomap_begin(), which calls\nfscrypt_limit_io_blocks().  fscrypt_limit_io_blocks() requires that if\nthe inode is encrypted, then its encryption key must already be set up.\nThat's not the case here, since the journal inode is never \"opened\" like\na normal file would be.  Hence the crash.\n\nA reproducer is:\n\n    mkfs.ext4 -F /dev/vdb\n    debugfs -w /dev/vdb -R \"set_inode_field <8> flags 0x80808\"\n    mount /dev/vdb /mnt -o inlinecrypt\n\nTo fix this, make ext4 consider journal inodes with the encrypt flag to\nbe invalid.  (Note, maybe other flags should be rejected on the journal\ninode too.  For now, this is just the minimal fix for the above issue.)\n\nI've marked this as fixing the commit that introduced the call to\nfscrypt_limit_io_blocks(), since that's what made an actual crash start\nbeing possible.  But this fix could be applied to any version of ext4\nthat supports the encrypt feature.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPNP: fix name memory leak in pnp_alloc_dev()\n\nAfter commit 1fa5ae857bb1 (\"driver core: get rid of struct device's\nbus_id string array\"), the name of device is allocated dynamically,\nmove dev_set_name() after pnp_add_id() to avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()\n\nThere is a global-out-of-bounds reported by KASAN:\n\n  BUG: KASAN: global-out-of-bounds in\n  _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n  Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411\n\n  CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D\n  6.1.0-rc8+ #144 e15588508517267d37\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),\n  Call Trace:\n   <TASK>\n   ...\n   kasan_report+0xbb/0x1c0\n   _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]\n   rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]\n   rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]\n   ...\n   </TASK>\n\nThe root cause of the problem is that the comparison order of\n\"prate_section\" in _rtl8812ae_phy_set_txpower_limit() is wrong. The\n_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two\nstrings from tail to head, which causes the problem. In the\n_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet\nthis requirement by carefully designing the comparison order.\nFor example, \"pregulation\" and \"pbandwidth\" are compared in order of\nlength from small to large, first is 3 and last is 4. However, the\ncomparison order of \"prate_section\" dose not obey such order requirement,\ntherefore when \"prate_section\" is \"HT\", when comparing from tail to head,\nit will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As\nmentioned above, the _rtl8812ae_eq_n_byte() has the same function as\nstrcmp(), so just strcmp() is enough.\n\nFix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.\nAlthough it can be fixed by adjusting the comparison order of\n\"prate_section\", this may cause the value of \"rate_section\" to not be\nfrom 0 to 5. In addition, commit \"21e4b0726dc6\" not only moved driver\nfrom staging to regular tree, but also added setting txpower limit\nfunction during the driver config phase, so the problem was introduced\nby this commit.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npnode: terminate at peers of source\n\nThe propagate_mnt() function handles mount propagation when creating\nmounts and propagates the source mount tree @source_mnt to all\napplicable nodes of the destination propagation mount tree headed by\n@dest_mnt.\n\nUnfortunately it contains a bug where it fails to terminate at peers of\n@source_mnt when looking up copies of the source mount that become\nmasters for copies of the source mount tree mounted on top of slaves in\nthe destination propagation tree causing a NULL dereference.\n\nOnce the mechanics of the bug are understood it's easy to trigger.\nBecause of unprivileged user namespaces it is available to unprivileged\nusers.\n\nWhile fixing this bug we've gotten confused multiple times due to\nunclear terminology or missing concepts. So let's start this with some\nclarifications:\n\n* The terms \"master\" or \"peer\" denote a shared mount. A shared mount\n  belongs to a peer group.\n\n* A peer group is a set of shared mounts that propagate to each other.\n  They are identified by a peer group id. The peer group id is available\n  in @shared_mnt->mnt_group_id.\n  Shared mounts within the same peer group have the same peer group id.\n  The peers in a peer group can be reached via @shared_mnt->mnt_share.\n\n* The terms \"slave mount\" or \"dependent mount\" denote a mount that\n  receives propagation from a peer in a peer group. IOW, shared mounts\n  may have slave mounts and slave mounts have shared mounts as their\n  master. Slave mounts of a given peer in a peer group are listed on\n  that peers slave list available at @shared_mnt->mnt_slave_list.\n\n* The term \"master mount\" denotes a mount in a peer group. IOW, it\n  denotes a shared mount or a peer mount in a peer group. The term\n  \"master mount\" - or \"master\" for short - is mostly used when talking\n  in the context of slave mounts that receive propagation from a master\n  mount. A master mount of a slave identifies the closest peer group a\n  slave mount receives propagation from. The master mount of a slave can\n  be identified via @slave_mount->mnt_master. Different slaves may point\n  to different masters in the same peer group.\n\n* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.\n  Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to\n  ensure all slave mounts of a peer group are visited the\n  ->mnt_slave_lists of all peers in a peer group have to be walked.\n\n* Slave mounts point to a peer in the closest peer group they receive\n  propagation from via @slave_mnt->mnt_master (see above). Together with\n  these peers they form a propagation group (see below). The closest\n  peer group can thus be identified through the peer group id\n  @slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave\n  mount receives propagation from.\n\n* A shared-slave mount is a slave mount to a peer group pg1 while also\n  a peer in another peer group pg2. IOW, a peer group may receive\n  propagation from another peer group.\n\n  If a peer group pg1 is a slave to another peer group pg2 then all\n  peers in peer group pg1 point to the same peer in peer group pg2 via\n  ->mnt_master. IOW, all peers in peer group pg1 appear on the same\n  ->mnt_slave_list. IOW, they cannot be slaves to different peer groups.\n\n* A pure slave mount is a slave mount that is a slave to a peer group\n  but is not a peer in another peer group.\n\n* A propagation group denotes the set of mounts consisting of a single\n  peer group pg1 and all slave mounts and shared-slave mounts that point\n  to a peer in that peer group via ->mnt_master. IOW, all slave mounts\n  such that @slave_mnt->mnt_master->mnt_group_id is equal to\n  @shared_mnt->mnt_group_id.\n\n  The concept of a propagation group makes it easier to talk about a\n  single propagation level in a propagation tree.\n\n  For example, in propagate_mnt() the immediate peers of @dest_mnt and\n  all slaves of @dest_mnt's peer group form a propagation group pr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()\n\nIn error case in bridge_platform_create after calling\nplatform_device_add()/platform_device_add_data()/\nplatform_device_add_resources(), release the failed\n'pdev' or it will be leak, call platform_device_put()\nto fix this problem.\n\nBesides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd',\nuse platform_device_unregister() to release sgi_w1\nresources when xtalk-bridge registration fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchardev: fix error handling in cdev_device_add()\n\nWhile doing fault injection test, I got the following report:\n\n------------[ cut here ]------------\nkobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called.\nWARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0\nCPU: 3 PID: 6306 Comm: 283 Tainted: G        W          6.1.0-rc2-00005-g307c1086d7c9 #1253\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kobject_put+0x23d/0x4e0\nCall Trace:\n <TASK>\n cdev_device_add+0x15e/0x1b0\n __iio_device_register+0x13b4/0x1af0 [industrialio]\n __devm_iio_device_register+0x22/0x90 [industrialio]\n max517_probe+0x3d8/0x6b4 [max517]\n i2c_device_probe+0xa81/0xc00\n\nWhen device_add() is injected fault and returns error, if dev->devt is not set,\ncdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt\nin error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: add missing of_node_get() in dynamic partitions code\n\nThis fixes unbalanced of_node_put():\n[    1.078910] 6 cmdlinepart partitions found on MTD device gpmi-nand\n[    1.085116] Creating 6 MTD partitions on \"gpmi-nand\":\n[    1.090181] 0x000000000000-0x000008000000 : \"nandboot\"\n[    1.096952] 0x000008000000-0x000009000000 : \"nandfit\"\n[    1.103547] 0x000009000000-0x00000b000000 : \"nandkernel\"\n[    1.110317] 0x00000b000000-0x00000c000000 : \"nanddtb\"\n[    1.115525] ------------[ cut here ]------------\n[    1.120141] refcount_t: addition on 0; use-after-free.\n[    1.125328] WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0xdc/0x148\n[    1.133528] Modules linked in:\n[    1.136589] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc7-next-20220930-04543-g8cf3f7\n[    1.146342] Hardware name: Freescale i.MX8DXL DDR3L EVK (DT)\n[    1.151999] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    1.158965] pc : refcount_warn_saturate+0xdc/0x148\n[    1.163760] lr : refcount_warn_saturate+0xdc/0x148\n[    1.168556] sp : ffff800009ddb080\n[    1.171866] x29: ffff800009ddb080 x28: ffff800009ddb35a x27: 0000000000000002\n[    1.179015] x26: ffff8000098b06ad x25: ffffffffffffffff x24: ffff0a00ffffff05\n[    1.186165] x23: ffff00001fdf6470 x22: ffff800009ddb367 x21: 0000000000000000\n[    1.193314] x20: ffff00001fdfebe8 x19: ffff00001fdfec50 x18: ffffffffffffffff\n[    1.200464] x17: 0000000000000000 x16: 0000000000000118 x15: 0000000000000004\n[    1.207614] x14: 0000000000000fff x13: ffff800009bca248 x12: 0000000000000003\n[    1.214764] x11: 00000000ffffefff x10: c0000000ffffefff x9 : 4762cb2ccb52de00\n[    1.221914] x8 : 4762cb2ccb52de00 x7 : 205d313431303231 x6 : 312e31202020205b\n[    1.229063] x5 : ffff800009d55c1f x4 : 0000000000000001 x3 : 0000000000000000\n[    1.236213] x2 : 0000000000000000 x1 : ffff800009954be6 x0 : 000000000000002a\n[    1.243365] Call trace:\n[    1.245806]  refcount_warn_saturate+0xdc/0x148\n[    1.250253]  kobject_get+0x98/0x9c\n[    1.253658]  of_node_get+0x20/0x34\n[    1.257072]  of_fwnode_get+0x3c/0x54\n[    1.260652]  fwnode_get_nth_parent+0xd8/0xf4\n[    1.264926]  fwnode_full_name_string+0x3c/0xb4\n[    1.269373]  device_node_string+0x498/0x5b4\n[    1.273561]  pointer+0x41c/0x5d0\n[    1.276793]  vsnprintf+0x4d8/0x694\n[    1.280198]  vprintk_store+0x164/0x528\n[    1.283951]  vprintk_emit+0x98/0x164\n[    1.287530]  vprintk_default+0x44/0x6c\n[    1.291284]  vprintk+0xf0/0x134\n[    1.294428]  _printk+0x54/0x7c\n[    1.297486]  of_node_release+0xe8/0x128\n[    1.301326]  kobject_put+0x98/0xfc\n[    1.304732]  of_node_put+0x1c/0x28\n[    1.308137]  add_mtd_device+0x484/0x6d4\n[    1.311977]  add_mtd_partitions+0xf0/0x1d0\n[    1.316078]  parse_mtd_partitions+0x45c/0x518\n[    1.320439]  mtd_device_parse_register+0xb0/0x274\n[    1.325147]  gpmi_nand_probe+0x51c/0x650\n[    1.329074]  platform_probe+0xa8/0xd0\n[    1.332740]  really_probe+0x130/0x334\n[    1.336406]  __driver_probe_device+0xb4/0xe0\n[    1.340681]  driver_probe_device+0x3c/0x1f8\n[    1.344869]  __driver_attach+0xdc/0x1a4\n[    1.348708]  bus_for_each_dev+0x80/0xcc\n[    1.352548]  driver_attach+0x24/0x30\n[    1.356127]  bus_add_driver+0x108/0x1f4\n[    1.359967]  driver_register+0x78/0x114\n[    1.363807]  __platform_driver_register+0x24/0x30\n[    1.368515]  gpmi_nand_driver_init+0x1c/0x28\n[    1.372798]  do_one_initcall+0xbc/0x238\n[    1.376638]  do_initcall_level+0x94/0xb4\n[    1.380565]  do_initcalls+0x54/0x94\n[    1.384058]  do_basic_setup+0x1c/0x28\n[    1.387724]  kernel_init_freeable+0x110/0x188\n[    1.392084]  kernel_init+0x20/0x1a0\n[    1.395578]  ret_from_fork+0x10/0x20\n[    1.399157] ---[ end trace 0000000000000000 ]---\n[    1.403782] ------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix memory leak in init_mqueue_fs()\n\nWhen setup_mq_sysctls() failed in init_mqueue_fs(), mqueue_inode_cachep is\nnot released.  In order to fix this issue, the release path is reordered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages\n\nThe h->*_huge_pages counters are protected by the hugetlb_lock, but\nalloc_huge_page has a corner case where it can decrement the counter\noutside of the lock.\n\nThis could lead to a corrupted value of h->resv_huge_pages, which we have\nobserved on our systems.\n\nTake the hugetlb_lock before decrementing h->resv_huge_pages to avoid a\npotential race.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline\n\nWhen converting files with inline data to extents, delayed allocations\nmade on a file system created with both the bigalloc and inline options\ncan result in invalid extent status cache content, incorrect reserved\ncluster counts, kernel memory leaks, and potential kernel panics.\n\nWith bigalloc, the code that determines whether a block must be\ndelayed allocated searches the extent tree to see if that block maps\nto a previously allocated cluster.  If not, the block is delayed\nallocated, and otherwise, it isn't.  However, if the inline option is\nalso used, and if the file containing the block is marked as able to\nstore data inline, there isn't a valid extent tree associated with\nthe file.  The current code in ext4_clu_mapped() calls\next4_find_extent() to search the non-existent tree for a previously\nallocated cluster anyway, which typically finds nothing, as desired.\nHowever, a side effect of the search can be to cache invalid content\nfrom the non-existent tree (garbage) in the extent status tree,\nincluding bogus entries in the pending reservation tree.\n\nTo fix this, avoid searching the extent tree when allocating blocks\nfor bigalloc + inline files that are being converted from inline to\nextent mapped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: fix a memory leak in generate_lfp_data_ptrs\n\nWhen (size != 0 || ptrs->lvds_ entries != 3), the program tries to\nfree() the ptrs. However, the ptrs is not created by calling kzmalloc(),\nbut is obtained by pointer offset operation.\nThis may lead to memory leaks or undefined behavior.\n\nFix this by replacing the arguments of kfree() with ptrs_block.\n\n(cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure\n\nadapter->dcb would get silently freed inside qlcnic_dcb_enable() in\ncase qlcnic_dcb_attach() would return an error, which always happens\nunder OOM conditions. This would lead to use-after-free because both\nof the existing callers invoke qlcnic_dcb_get_info() on the obtained\npointer, which is potentially freed at that point.\n\nPropagate errors from qlcnic_dcb_enable(), and instead free the dcb\npointer at callsite using qlcnic_dcb_free(). This also removes the now\nunused qlcnic_clear_dcb_ops() helper, which was a simple wrapper around\nkfree() also causing memory leaks for partially initialized dcb.\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE\nstatic analysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix memory leak in ocfs2_stack_glue_init()\n\nocfs2_table_header should be free in ocfs2_stack_glue_init() if\nocfs2_sysfs_init() failed, otherwise kmemleak will report memleak.\n\nBUG: memory leak\nunreferenced object 0xffff88810eeb5800 (size 128):\n  comm \"modprobe\", pid 4507, jiffies 4296182506 (age 55.888s)\n  hex dump (first 32 bytes):\n    c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00  .@..............\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0\n    [<00000000c04f70f7>] 0xffffffffa0050037\n    [<000000001bd12912>] do_one_initcall+0xdb/0x480\n    [<0000000064f766c9>] do_init_module+0x1cf/0x680\n    [<000000002ba52db0>] load_module+0x6441/0x6f20\n    [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0\n    [<00000000380c1f22>] do_syscall_64+0x3f/0x90\n    [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: annotate data-races around kcm->rx_psock\n\nkcm->rx_psock can be read locklessly in kcm_rfree().\nAnnotate the read and writes accordingly.\n\nWe do the same for kcm->rx_wait in the following patch.\n\nsyzbot reported:\nBUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm\n\nwrite to 0xffff888123d827b8 of 8 bytes by task 2758 on cpu 1:\nunreserve_rx_kcm+0x72/0x1f0 net/kcm/kcmsock.c:313\nkcm_rcv_strparser+0x2b5/0x3a0 net/kcm/kcmsock.c:373\n__strp_recv+0x64c/0xd20 net/strparser/strparser.c:301\nstrp_recv+0x6d/0x80 net/strparser/strparser.c:335\ntcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703\nstrp_read_sock net/strparser/strparser.c:358 [inline]\ndo_strp_work net/strparser/strparser.c:406 [inline]\nstrp_work+0xe8/0x180 net/strparser/strparser.c:415\nprocess_one_work+0x3d3/0x720 kernel/workqueue.c:2289\nworker_thread+0x618/0xa70 kernel/workqueue.c:2436\nkthread+0x1a9/0x1e0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nread to 0xffff888123d827b8 of 8 bytes by task 5859 on cpu 0:\nkcm_rfree+0x14c/0x220 net/kcm/kcmsock.c:181\nskb_release_head_state+0x8e/0x160 net/core/skbuff.c:841\nskb_release_all net/core/skbuff.c:852 [inline]\n__kfree_skb net/core/skbuff.c:868 [inline]\nkfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891\nkfree_skb include/linux/skbuff.h:1216 [inline]\nkcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161\n____sys_recvmsg+0x16c/0x2e0\n___sys_recvmsg net/socket.c:2743 [inline]\ndo_recvmmsg+0x2f1/0x710 net/socket.c:2837\n__sys_recvmmsg net/socket.c:2916 [inline]\n__do_sys_recvmmsg net/socket.c:2939 [inline]\n__se_sys_recvmmsg net/socket.c:2932 [inline]\n__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff88812971ce00 -> 0x0000000000000000\n\nReported by Kernel Concurrency 
Sanitizer on:\nCPU: 0 PID: 5859 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-12189-g19d17ab7c68b-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: fix bridge lifetime\n\nDevice-managed resources allocated post component bind must be tied to\nthe lifetime of the aggregate DRM device or they will not necessarily be\nreleased when binding of the aggregate device is deferred.\n\nThis can lead resource leaks or failure to bind the aggregate device\nwhen binding is later retried and a second attempt to allocate the\nresources is made.\n\nFor the DP bridges, previously allocated bridges will leak on probe\ndeferral.\n\nFix this by amending the DP parser interface and tying the lifetime of\nthe bridge device to the DRM device rather than DP platform device.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502667/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range\n\nIf we get -ENOMEM while dropping file extent items in a given range, at\nbtrfs_drop_extents(), due to failure to allocate memory when attempting to\nincrement the reference count for an extent or drop the reference count,\nwe handle it with a BUG_ON(). This is excessive, instead we can simply\nabort the transaction and return the error to the caller. In fact most\ncallers of btrfs_drop_extents(), directly or indirectly, already abort\nthe transaction if btrfs_drop_extents() returns any error.\n\nAlso, we already have error paths at btrfs_drop_extents() that may return\n-ENOMEM and in those cases we abort the transaction, like for example\nanything that changes the b+tree may return -ENOMEM due to a failure to\nallocate a new extent buffer when COWing an existing extent buffer, such\nas a call to btrfs_duplicate_item() for example.\n\nSo replace the BUG_ON() calls with proper logic to abort the transaction\nand return the error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix memory leak in lbs_init_adapter()\n\nWhen kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not\nreleased. Add free memory to processing error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()\n\nSyzkaller produced the below call trace:\n\n BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0\n Write of size 8 at addr 0000000000000070 by task repro/16399\n\n CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0xcd/0x134\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_report+0xbc/0xf0\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_check_range+0x140/0x190\n  io_msg_ring+0x3cb/0x9f0\n  ? io_msg_ring_prep+0x300/0x300\n  io_issue_sqe+0x698/0xca0\n  io_submit_sqes+0x92f/0x1c30\n  __do_sys_io_uring_enter+0xae4/0x24b0\n....\n RIP: 0033:0x7f2eaf8f8289\n RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289\n RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004\n RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0\n R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000\n  </TASK>\n Kernel panic - not syncing: panic_on_warn set ...\n\nWe don't have a NULL check on file_ptr in io_msg_send_fd() function,\nso when file_ptr is NUL src_file is also NULL and get_file()\ndereferences a NULL pointer and leads to above crash.\n\nAdd a NULL check to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK\n\nWhen CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,\ncpu_max_bits_warn() generates a runtime warning similar as below while\nwe show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)\ninstead of NR_CPUS to iterate CPUs.\n\n[    3.052463] ------------[ cut here ]------------\n[    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0\n[    3.070072] Modules linked in: efivarfs autofs4\n[    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052\n[    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000\n[    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430\n[    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff\n[    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890\n[    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa\n[    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000\n[    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000\n[    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000\n[    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286\n[    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n[    3.195868]         ...\n[    3.199917] Call Trace:\n[    3.203941] [<90000000002086d8>] show_stack+0x38/0x14c\n[    3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88\n[    3.217625] [<900000000023d268>] __warn+0xd0/0x100\n[    3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc\n[    3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0\n[    3.238080] [<90000000004f578c>] 
seq_read_iter+0x354/0x4b4\n[    3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4\n[    3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0\n[    3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100\n[    3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94\n[    3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160\n[    3.281824] ---[ end trace 8b484262b4b8c24c ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: verify the expected usb_endpoints are present\n\nThe bug arises when a USB device claims to be an ATH9K but doesn't\nhave the expected endpoints. (In this case there was an interrupt\nendpoint where the driver expected a bulk endpoint.) The kernel\nneeds to be able to handle such devices without getting an internal error.\n\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493\nModules linked in:\nCPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nWorkqueue: events request_firmware_work_func\nRIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493\nCall Trace:\n ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]\n ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019\n ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]\n ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242\n request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097\n process_one_work+0x9af/0x1600 kernel/workqueue.c:2279\n worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425\n kthread+0x3b4/0x4a0 kernel/kthread.c:313\n ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: qcom-ngd: cleanup in probe error path\n\nAdd proper error path in probe() to cleanup resources previously\nacquired/allocated to fix warnings visible during probe deferral:\n\n  notifier callback qcom_slim_ngd_ssr_notify already registered\n  WARNING: CPU: 6 PID: 70 at kernel/notifier.c:28 notifier_chain_register+0x5c/0x90\n  Modules linked in:\n  CPU: 6 PID: 70 Comm: kworker/u16:1 Not tainted 6.0.0-rc3-next-20220830 #380\n  Call trace:\n   notifier_chain_register+0x5c/0x90\n   srcu_notifier_chain_register+0x44/0x90\n   qcom_register_ssr_notifier+0x38/0x4c\n   qcom_slim_ngd_ctrl_probe+0xd8/0x400\n   platform_probe+0x6c/0xe0\n   really_probe+0xbc/0x2d4\n   __driver_probe_device+0x78/0xe0\n   driver_probe_device+0x3c/0x12c\n   __device_attach_driver+0xb8/0x120\n   bus_for_each_drv+0x78/0xd0\n   __device_attach+0xa8/0x1c0\n   device_initial_probe+0x18/0x24\n   bus_probe_device+0xa0/0xac\n   deferred_probe_work_func+0x88/0xc0\n   process_one_work+0x1d4/0x320\n   worker_thread+0x2cc/0x44c\n   kthread+0x110/0x114\n   ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Replace snprintf with scnprintf\n\nCurrent code produces a warning as shown below when total characters\nin the constituent block device names plus the slashes exceeds 200.\nsnprintf() returns the number of characters generated from the given\ninput, which could cause the expression \u201c200 \u2013 len\u201d to wrap around\nto a large positive number. Fix this by using scnprintf() instead,\nwhich returns the actual number of characters written into the buffer.\n\n[ 1513.267938] ------------[ cut here ]------------\n[ 1513.267943] WARNING: CPU: 15 PID: 37247 at <snip>/lib/vsprintf.c:2509 vsnprintf+0x2c8/0x510\n[ 1513.267944] Modules linked in:  <snip>\n[ 1513.267969] CPU: 15 PID: 37247 Comm: mdadm Not tainted 5.4.0-1085-azure #90~18.04.1-Ubuntu\n[ 1513.267969] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 1513.267971] RIP: 0010:vsnprintf+0x2c8/0x510\n<-snip->\n[ 1513.267982] Call Trace:\n[ 1513.267986]  snprintf+0x45/0x70\n[ 1513.267990]  ? disk_name+0x71/0xa0\n[ 1513.267993]  dump_zones+0x114/0x240 [raid0]\n[ 1513.267996]  ? _cond_resched+0x19/0x40\n[ 1513.267998]  raid0_run+0x19e/0x270 [raid0]\n[ 1513.268000]  md_run+0x5e0/0xc50\n[ 1513.268003]  ? security_capable+0x3f/0x60\n[ 1513.268005]  do_md_run+0x19/0x110\n[ 1513.268006]  md_ioctl+0x195e/0x1f90\n[ 1513.268007]  blkdev_ioctl+0x91f/0x9f0\n[ 1513.268010]  block_ioctl+0x3d/0x50\n[ 1513.268012]  do_vfs_ioctl+0xa9/0x640\n[ 1513.268014]  ? __fput+0x162/0x260\n[ 1513.268016]  ksys_ioctl+0x75/0x80\n[ 1513.268017]  __x64_sys_ioctl+0x1a/0x20\n[ 1513.268019]  do_syscall_64+0x5e/0x200\n[ 1513.268021]  entry_SYSCALL_64_after_hwframe+0x44/0xa9",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix extent map use-after-free when handling missing device in read_one_chunk\n\nStore the error code before freeing the extent_map. Though it's\nreference counted structure, in that function it's the first and last\nallocation so this would lead to a potential use-after-free.\n\nThe error can happen eg. when chunk is stored on a missing device and\nthe degraded mount option is missing.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/omap: Fix buffer overflow in debugfs\n\nThere are two issues here:\n\n1) The \"len\" variable needs to be checked before the very first write.\n   Otherwise if omap2_iommu_dump_ctx() with \"bytes\" less than 32 it is a\n   buffer overflow.\n2) The snprintf() function returns the number of bytes that *would* have\n   been copied if there were enough space.  But we want to know the\n   number of bytes which were *actually* copied so use scnprintf()\n   instead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlockd: set other missing fields when unlocking files\n\nvfs_lock_file() expects the struct file_lock to be fully initialised by\nthe caller. Re-exported NFSv3 has been seen to Oops if the fl_file field\nis NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix double release compute pasid\n\nIf kfd_process_device_init_vm returns failure after vm is converted to\ncompute vm and vm->pasid set to compute pasid, KFD will not take\npdd->drm_file reference. As a result, drm close file handler maybe\ncalled to release the compute pasid before KFD process destroy worker to\nrelease the same pasid and set vm->pasid to zero, this generates below\nWARNING backtrace and NULL pointer access.\n\nAdd helper amdgpu_amdkfd_gpuvm_set_vm_pasid and call it at the last step\nof kfd_process_device_init_vm, to ensure vm pasid is the original pasid\nif acquiring vm failed or is the compute pasid with pdd->drm_file\nreference taken to avoid double release same pasid.\n\n amdgpu: Failed to create process VM object\n ida_free called for id=32770 which is not allocated.\n WARNING: CPU: 57 PID: 72542 at ../lib/idr.c:522 ida_free+0x96/0x140\n RIP: 0010:ida_free+0x96/0x140\n Call Trace:\n  amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]\n  amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]\n  drm_file_free.part.13+0x216/0x270 [drm]\n  drm_close_helper.isra.14+0x60/0x70 [drm]\n  drm_release+0x6e/0xf0 [drm]\n  __fput+0xcc/0x280\n  ____fput+0xe/0x20\n  task_work_run+0x96/0xc0\n  do_exit+0x3d0/0xc10\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n RIP: 0010:ida_free+0x76/0x140\n Call Trace:\n  amdgpu_pasid_free_delayed+0xe1/0x2a0 [amdgpu]\n  amdgpu_driver_postclose_kms+0x2d8/0x340 [amdgpu]\n  drm_file_free.part.13+0x216/0x270 [drm]\n  drm_close_helper.isra.14+0x60/0x70 [drm]\n  drm_release+0x6e/0xf0 [drm]\n  __fput+0xcc/0x280\n  ____fput+0xe/0x20\n  task_work_run+0x96/0xc0\n  do_exit+0x3d0/0xc10",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: fix possible resource leak in init_mtd()\n\nI got the error report while inject fault in init_mtd():\n\nsysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0'\nCall Trace:\n <TASK>\n dump_stack_lvl+0x67/0x83\n sysfs_warn_dup+0x60/0x70\n sysfs_create_dir_ns+0x109/0x120\n kobject_add_internal+0xce/0x2f0\n kobject_add+0x98/0x110\n device_add+0x179/0xc00\n device_create_groups_vargs+0xf4/0x100\n device_create+0x7b/0xb0\n bdi_register_va.part.13+0x58/0x2d0\n bdi_register+0x9b/0xb0\n init_mtd+0x62/0x171 [mtd]\n do_one_initcall+0x6c/0x3c0\n do_init_module+0x58/0x222\n load_module+0x268e/0x27d0\n __do_sys_finit_module+0xd5/0x140\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\nkobject_add_internal failed for mtd-0 with -EEXIST, don't try to register\n\tthings with the same name in the same directory.\nError registering mtd class or bdi: -17\n\nIf init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered,\nas a result, we can't load the mtd module again, to fix this by calling\nbdi_unregister(mtd_bdi) after out_procfs label.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove()\n\nsof_es8336_remove() calls cancel_delayed_work(). However, that\nfunction does not wait until the work function finishes. This\nmeans that the callback function may still be running after\nthe driver's remove function has finished, which would result\nin a use-after-free.\n\nFix by calling cancel_delayed_work_sync(), which ensures that\nthe work is properly cancelled, no longer running, and unable\nto re-schedule itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential out of bound read in ext4_fc_replay_scan()\n\nFor scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain\nspace less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read\nwhen mounting corrupt file system image.\nADD_RANGE/HEAD/TAIL is needed to add extra check when do journal scan, as this\nthree tags will read data during scan, tag length couldn't less than data length\nwhich will read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix out-of-bounds access on cio_ignore free\n\nThe channel-subsystem-driver scans for newly available devices whenever\ndevice-IDs are removed from the cio_ignore list using a command such as:\n\n  echo free >/proc/cio_ignore\n\nSince an I/O device scan might interfer with running I/Os, commit\n172da89ed0ea (\"s390/cio: avoid excessive path-verification requests\")\nintroduced an optimization to exclude online devices from the scan.\n\nThe newly added check for online devices incorrectly assumes that\nan I/O-subchannel's drvdata points to a struct io_subchannel_private.\nFor devices that are bound to a non-default I/O subchannel driver, such\nas the vfio_ccw driver, this results in an out-of-bounds read access\nduring each scan.\n\nFix this by changing the scan logic to rely on a driver-independent\nonline indication. For this we can use struct subchannel->config.ena,\nwhich is the driver's requested subchannel-enabled state. Since I/Os\ncan only be started on enabled subchannels, this matches the intent\nof the original optimization of not scanning devices where I/O might\nbe running.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL poineter dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed\n\nIf the initialization fails in calling addrconf_init_net(), devconf_all is\nthe pointer that has been released. Then ip6mr_sk_done() is called to\nrelease the net, accessing devconf->mc_forwarding directly causes invalid\npointer access.\n\nThe process is as follows:\nsetup_net()\n\tops_init()\n\t\taddrconf_init_net()\n\t\tall = kmemdup(...)           ---> alloc \"all\"\n\t\t...\n\t\tnet->ipv6.devconf_all = all;\n\t\t__addrconf_sysctl_register() ---> failed\n\t\t...\n\t\tkfree(all);                  ---> ipv6.devconf_all invalid\n\t\t...\n\tops_exit_list()\n\t\t...\n\t\tip6mr_sk_done()\n\t\t\tdevconf = net->ipv6.devconf_all;\n\t\t\t//devconf is invalid pointer\n\t\t\tif (!devconf || !atomic_read(&devconf->mc_forwarding))\n\nThe following is the Call Trace information:\nBUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0\nRead of size 4 at addr ffff888075508e88 by task ip/14554\nCall Trace:\n<TASK>\ndump_stack_lvl+0x8e/0xd1\nprint_report+0x155/0x454\nkasan_report+0xba/0x1f0\nkasan_check_range+0x35/0x1b0\nip6mr_sk_done+0x112/0x3a0\nrawv6_close+0x48/0x70\ninet_release+0x109/0x230\ninet6_release+0x4c/0x70\nsock_release+0x87/0x1b0\nigmp6_net_exit+0x6b/0x170\nops_exit_list+0xb0/0x170\nsetup_net+0x7ac/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f7963322547\n\n</TASK>\nAllocated by task 14554:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0xa1/0xb0\n__kmalloc_node_track_caller+0x4a/0xb0\nkmemdup+0x28/0x60\naddrconf_init_net+0x1be/0x840\nops_init+0xa5/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 14554:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x40\n____kasan_slab_free+0x155/0x1b0\nslab_free_freelist_hook+0x11b/0x220\n__kmem_cache_free+0xa4/0x360\naddrconf_init_net+0x623/0x840\nops_init+0xa5/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix refcount leak in cxl_calc_capp_routing\n\nof_get_next_parent() returns a node pointer with refcount incremented,\nwe should use of_node_put() on it when not need anymore.\nThis function only calls of_node_put() in normal path,\nmissing it in the error path.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: serial: jsm: fix some leaks in probe\n\nThis error path needs to unwind instead of just returning directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix order >= MAX_ORDER warning due to crafted negative i_size\n\nAs syzbot reported [1], the root cause is that i_size field is a\nsigned type, and negative i_size is also less than EROFS_BLKSIZ.\nAs a consequence, it's handled as fast symlink unexpectedly.\n\nLet's fall back to the generic path to deal with such unusual i_size.\n\n[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: Fix hung when signal interrupts nbd_start_device_ioctl()\n\nsyzbot reported hung task [1].  The following program is a simplified\nversion of the reproducer:\n\nint main(void)\n{\n\tint sv[2], fd;\n\n\tif (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)\n\t\treturn 1;\n\tif ((fd = open(\"/dev/nbd0\", 0)) < 0)\n\t\treturn 1;\n\tif (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0)\n\t\treturn 1;\n\tif (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0)\n\t\treturn 1;\n\tif (ioctl(fd, NBD_DO_IT) < 0)\n\t\treturn 1;\n\treturn 0;\n}\n\nWhen signal interrupt nbd_start_device_ioctl() waiting the condition\natomic_read(&config->recv_threads) == 0, the task can hung because it\nwaits the completion of the inflight IOs.\n\nThis patch fixes the issue by clearing queue, not just shutdown, when\nsignal interrupt nbd_start_device_ioctl().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS\n\nUBSAN complains about array-index-out-of-bounds:\n[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41\n[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'\n[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu\n[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010\n[ 1.980718] kernel: Call Trace:\n[ 1.980721] kernel: <TASK>\n[ 1.980723] kernel: show_stack+0x52/0x58\n[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f\n[ 1.980734] kernel: dump_stack+0x10/0x12\n[ 1.980736] kernel: ubsan_epilogue+0x9/0x45\n[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49\n[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]\n[ 1.980748] kernel: ata_qc_issue+0x135/0x240\n[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580\n[ 1.980754] kernel: ? vprintk_default+0x1d/0x20\n[ 1.980759] kernel: ata_exec_internal+0x67/0xa0\n[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0\n[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90\n[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310\n[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0\n[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30\n[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]\n[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]\n[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]\n[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0\n[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560\n[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40\n[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]\n[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600\n[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0\n[ 1.980813] kernel: scsi_error_handler+0xa1/0x180\n[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0\n[ 1.980820] kernel: kthread+0x12a/0x150\n[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50\n[ 1.980826] kernel: ret_from_fork+0x22/0x30\n[ 1.980831] kernel: </TASK>\n\nThis happens because sata_pmp_init_links() initialize link->pmp up to\nSATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.\n\nI can't find the maximum Enclosure Management ports specified in AHCI\nspec v1.3.1, but \"12.2.1 LED message type\" states that \"Port Multiplier\nInformation\" can utilize 4 bits, which implies it can support up to 16\nports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the\nissue.\n\nBugLink: https://bugs.launchpad.net/bugs/1970074",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Fix kmemleak in orangefs_sysfs_init()\n\nWhen insert and remove the orangefs module, there are kobjects memory\nleaked as below:\n\nunreferenced object 0xffff88810f95af00 (size 64):\n  comm \"insmod\", pid 783, jiffies 4294813439 (age 65.512s)\n  hex dump (first 32 bytes):\n    a0 83 af 01 81 88 ff ff 08 af 95 0f 81 88 ff ff  ................\n    08 af 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000005a6e4dfe>] orangefs_sysfs_init+0x42/0x3a0\n    [<00000000722645ca>] 0xffffffffa02780fe\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/0x80\n    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nunreferenced object 0xffff88810f95ae80 (size 64):\n  comm \"insmod\", pid 783, jiffies 4294813439 (age 65.512s)\n  hex dump (first 32 bytes):\n    c8 90 0f 02 81 88 ff ff 88 ae 95 0f 81 88 ff ff  ................\n    88 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000001a4841fa>] orangefs_sysfs_init+0xc7/0x3a0\n    [<00000000722645ca>] 0xffffffffa02780fe\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/0x80\n    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nunreferenced object 0xffff88810f95ae00 (size 64):\n  comm \"insmod\", pid 783, jiffies 4294813440 (age 65.511s)\n  hex dump (first 32 bytes):\n    60 87 a1 00 81 88 ff ff 08 ae 95 0f 81 88 ff ff  `...............\n    08 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000005915e797>] orangefs_sysfs_init+0x12b/0x3a0\n    [<00000000722645ca>] 0xffffffffa02780fe\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/0x80\n    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nunreferenced object 0xffff88810f95ad80 (size 64):\n  comm \"insmod\", pid 783, jiffies 4294813440 (age 65.511s)\n  hex dump (first 32 bytes):\n    78 90 0f 02 81 88 ff ff 88 ad 95 0f 81 88 ff ff  x...............\n    88 ad 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000007a14eb35>] orangefs_sysfs_init+0x1ac/0x3a0\n    [<00000000722645ca>] 0xffffffffa02780fe\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/0x80\n    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nunreferenced object 0xffff88810f95ac00 (size 64):\n  comm \"insmod\", pid 783, jiffies 4294813440 (age 65.531s)\n  hex dump (first 32 bytes):\n    e0 ff 67 02 81 88 ff ff 08 ac 95 0f 81 88 ff ff  ..g.............\n    08 ac 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000001f38adcb>] orangefs_sysfs_init+0x291/0x3a0\n    [<00000000722645ca>] 0xffffffffa02780fe\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: megachips: Fix a null pointer dereference bug\n\nWhen removing the module we will get the following warning:\n\n[   31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered\n[   31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\n[   31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[   31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130\n[   31.921825] Call Trace:\n[   31.922533]  stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]\n[   31.923139]  i2c_device_remove+0x181/0x1f0\n\nThe two bridges (stdp2690, stdp4028) do not probe at the same time, so\nthe driver does not call ge_b850v3_resgiter() when probing, causing the\ndriver to try to remove the object that has not been initialized.\n\nFix this by checking whether both the bridges are probed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()\n\npci_get_device() will increase the reference count for the returned\n'dev'. We need to call pci_dev_put() to decrease the reference count.\nSince 'dev' is only used in pci_read_config_dword(), let's add\npci_dev_put() right after it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: trbe: remove cpuhp instance node before remove cpuhp state\n\ncpuhp_state_add_instance() and cpuhp_state_remove_instance() should\nbe used in pairs. Or there will lead to the warn on\ncpuhp_remove_multi_state() since the cpuhp_step list is not empty.\n\nThe following is the error log with 'rmmod coresight-trbe':\nError: Removing state 215 which has instances left.\nCall trace:\n  __cpuhp_remove_state_cpuslocked+0x144/0x160\n  __cpuhp_remove_state+0xac/0x100\n  arm_trbe_device_remove+0x2c/0x60 [coresight_trbe]\n  platform_remove+0x34/0x70\n  device_remove+0x54/0x90\n  device_release_driver_internal+0x1e4/0x250\n  driver_detach+0x5c/0xb0\n  bus_remove_driver+0x64/0xc0\n  driver_unregister+0x3c/0x70\n  platform_driver_unregister+0x20/0x30\n  arm_trbe_exit+0x1c/0x658 [coresight_trbe]\n  __arm64_sys_delete_module+0x1ac/0x24c\n  invoke_syscall+0x50/0x120\n  el0_svc_common.constprop.0+0x58/0x1a0\n  do_el0_svc+0x38/0xd0\n  el0_svc+0x2c/0xc0\n  el0t_64_sync_handler+0x1ac/0x1b0\n  el0t_64_sync+0x19c/0x1a0\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address\n\nOn a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table\nwhich contains invalid physical addresses, with high bits set which fall\noutside the range of the CPU-s supported physical address range.\n\nCalling acpi_os_map_memory() on such an invalid phys address leads to\nthe below WARN_ON in ioremap triggering resulting in an oops/stacktrace.\n\nAdd code to verify the physical address before calling acpi_os_map_memory()\nto fix / avoid the oops.\n\n[    1.226900] ioremap: invalid physical address 3001000000000000\n[    1.226949] ------------[ cut here ]------------\n[    1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f\n[    1.226996] Modules linked in:\n[    1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490\n[    1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013\n[    1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f\n[    1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 <0f> 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00\n[    1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286\n[    1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000\n[    1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff\n[    1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18\n[    1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008\n[    1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000\n[    1.227135] FS:  0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000\n[    1.227146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0\n[    1.227167] Call Trace:\n[    1.227176]  <TASK>\n[    1.227185]  ? acpi_os_map_iomem+0x1c9/0x1e0\n[    1.227215]  ? kmem_cache_alloc_trace+0x187/0x370\n[    1.227254]  acpi_os_map_iomem+0x1c9/0x1e0\n[    1.227288]  acpi_init_fpdt+0xa8/0x253\n[    1.227308]  ? acpi_debugfs_init+0x1f/0x1f\n[    1.227339]  do_one_initcall+0x5a/0x300\n[    1.227406]  ? rcu_read_lock_sched_held+0x3f/0x80\n[    1.227442]  kernel_init_freeable+0x28b/0x2cc\n[    1.227512]  ? rest_init+0x170/0x170\n[    1.227538]  kernel_init+0x16/0x140\n[    1.227552]  ret_from_fork+0x1f/0x30\n[    1.227639]  </TASK>\n[    1.227647] irq event stamp: 186819\n[    1.227656] hardirqs last  enabled at (186825): [<ffffffff98184a6e>] __up_console_sem+0x5e/0x70\n[    1.227672] hardirqs last disabled at (186830): [<ffffffff98184a53>] __up_console_sem+0x43/0x70\n[    1.227686] softirqs last  enabled at (186576): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160\n[    1.227701] softirqs last disabled at (186569): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160\n[    1.227715] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()\n\nThe brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb\nin case of pskb_expand_head() fails, add dev_kfree_skb() to fix it.\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: msc313: Fix function prototype mismatch in msc313_rtc_probe()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed.\n\nmsc313_rtc_probe() was passing clk_disable_unprepare() directly, which\ndid not have matching prototypes for devm_add_action_or_reset()'s\ncallback argument. Refactor to use devm_clk_get_enabled() instead.\n\nThis was found as a result of Clang's new -Wcast-function-type-strict\nflag, which is more sensitive than the simpler -Wcast-function-type,\nwhich only checks for type width mismatches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not sense pfmemalloc status in skb_append_pagefrags()\n\nskb_append_pagefrags() is used by af_unix and udp sendpage()\nimplementation so far.\n\nIn commit 326140063946 (\"tcp: TX zerocopy should not sense\npfmemalloc status\") we explained why we should not sense\npfmemalloc status for pages owned by user space.\n\nWe should also use skb_fill_page_desc_noacc()\nin skb_append_pagefrags() to avoid following KCSAN report:\n\nBUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags\n\nwrite to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:323 [inline]\nlru_add_fn+0x327/0x410 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nlru_add_drain_cpu+0x73/0x250 mm/swap.c:669\nlru_add_drain+0x21/0x60 mm/swap.c:773\nfree_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311\ntlb_batch_pages_flush mm/mmu_gather.c:59 [inline]\ntlb_flush_mmu_free mm/mmu_gather.c:256 [inline]\ntlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263\ntlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363\nexit_mmap+0x190/0x4d0 mm/mmap.c:3098\n__mmput+0x27/0x1b0 kernel/fork.c:1185\nmmput+0x3d/0x50 kernel/fork.c:1207\ncopy_process+0x19fc/0x2100 kernel/fork.c:2518\nkernel_clone+0x166/0x550 kernel/fork.c:2671\n__do_sys_clone kernel/fork.c:2812 [inline]\n__se_sys_clone kernel/fork.c:2796 [inline]\n__x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1817 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2432 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2453 [inline]\nskb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974\nunix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1255\n__do_sys_sendfile64 fs/read_write.c:1323 [inline]\n__se_sys_sendfile64 fs/read_write.c:1309 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea00058fc188\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50323",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: maps: pxa2xx-flash: fix memory leak in probe\n\nFree 'info' upon remapping error to avoid a memory leak.\n\n[<miquel.raynal@bootlin.com>: Reword the commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix potential RX buffer overflow\n\nIf an event caused firmware to return invalid RX size for\nLARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.\nFix by utilizing min_t().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50325",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: airspy: fix memory leak in airspy probe\n\nThe commit ca9dc8d06ab6 (\"media: airspy: respect the DMA coherency\n rules\") moves variable buf from stack to heap, however, it only frees\nbuf in the error handling code, missing deallocation in the success\npath.\n\nFix this by freeing buf in the success path since this variable does not\nhave any references in other code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50327",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix potential use-after-free in jbd2_fc_wait_bufs\n\nIn 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count\nwhich may lead to use-after-free.\nSo judge buffer if uptodate before put buffer head reference count.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50328",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq\n\nCommit 64dc8c732f5c (\"block, bfq: fix possible uaf for 'bfqq->bic'\")\nwill access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()\ncan free bfqq first, and then call bic_set_bfqq(), which will cause uaf.\n\nFix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50329",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.3"
        },
        {
          "id": "CVE-2022-50330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: cavium - prevent integer overflow loading firmware\n\nThe \"code_length\" value comes from the firmware file.  If your firmware\nis untrusted realistically there is probably very little you can do to\nprotect yourself.  Still we try to limit the damage as much as possible.\nAlso Smatch marks any data read from the filesystem as untrusted and\nprints warnings if it not capped correctly.\n\nThe \"ntohl(ucode->code_length) * 2\" multiplication can have an\ninteger overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50330",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwwan_hwsim: fix possible memory leak in wwan_hwsim_dev_new()\n\nInject fault while probing module, if device_register() fails,\nbut the refcount of kobject is not decreased to 0, the name\nallocated in dev_set_name() is leaked. Fix this by calling\nput_device(), so that name can be freed in callback function\nkobject_cleanup().\n\nunreferenced object 0xffff88810152ad20 (size 8):\n  comm \"modprobe\", pid 252, jiffies 4294849206 (age 22.713s)\n  hex dump (first 8 bytes):\n    68 77 73 69 6d 30 00 ff                          hwsim0..\n  backtrace:\n    [<000000009c3504ed>] __kmalloc_node_track_caller+0x44/0x1b0\n    [<00000000c0228a5e>] kvasprintf+0xb5/0x140\n    [<00000000cff8c21f>] kvasprintf_const+0x55/0x180\n    [<0000000055a1e073>] kobject_set_name_vargs+0x56/0x150\n    [<000000000a80b139>] dev_set_name+0xab/0xe0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50331",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo/aperture: Call sysfb_disable() before removing PCI devices\n\nCall sysfb_disable() from aperture_remove_conflicting_pci_devices()\nbefore removing PCI devices. Without, simpledrm can still bind to\nsimple-framebuffer devices after the hardware driver has taken over\nthe hardware. Both drivers interfere with each other and results are\nundefined.\n\nReported modesetting errors [1] are shown below.\n\n---- snap ----\nrcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 13-.... } 7 jiffies s: 165 root: 0x2000/.\nrcu: blocking rcu_node structures (internal RCU debug):\nTask dump for CPU 13:\ntask:X               state:R  running task     stack:    0 pid: 4242 ppid:  4228 flags:0x00000008\nCall Trace:\n <TASK>\n ? commit_tail+0xd7/0x130\n ? drm_atomic_helper_commit+0x126/0x150\n ? drm_atomic_commit+0xa4/0xe0\n ? drm_plane_get_damage_clips.cold+0x1c/0x1c\n ? drm_atomic_helper_dirtyfb+0x19e/0x280\n ? drm_mode_dirtyfb_ioctl+0x10f/0x1e0\n ? drm_mode_getfb2_ioctl+0x2d0/0x2d0\n ? drm_ioctl_kernel+0xc4/0x150\n ? drm_ioctl+0x246/0x3f0\n ? drm_mode_getfb2_ioctl+0x2d0/0x2d0\n ? __x64_sys_ioctl+0x91/0xd0\n ? do_syscall_64+0x60/0xd0\n ? entry_SYSCALL_64_after_hwframe+0x4b/0xb5\n </TASK>\n...\nrcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 13-.... } 30 jiffies s: 169 root: 0x2000/.\nrcu: blocking rcu_node structures (internal RCU debug):\nTask dump for CPU 13:\ntask:X               state:R  running task     stack:    0 pid: 4242 ppid:  4228 flags:0x0000400e\nCall Trace:\n <TASK>\n ? memcpy_toio+0x76/0xc0\n ? memcpy_toio+0x1b/0xc0\n ? drm_fb_memcpy_toio+0x76/0xb0\n ? drm_fb_blit_toio+0x75/0x2b0\n ? simpledrm_simple_display_pipe_update+0x132/0x150\n ? drm_atomic_helper_commit_planes+0xb6/0x230\n ? drm_atomic_helper_commit_tail+0x44/0x80\n ? commit_tail+0xd7/0x130\n ? drm_atomic_helper_commit+0x126/0x150\n ? drm_atomic_commit+0xa4/0xe0\n ? 
drm_plane_get_damage_clips.cold+0x1c/0x1c\n ? drm_atomic_helper_dirtyfb+0x19e/0x280\n ? drm_mode_dirtyfb_ioctl+0x10f/0x1e0\n ? drm_mode_getfb2_ioctl+0x2d0/0x2d0\n ? drm_ioctl_kernel+0xc4/0x150\n ? drm_ioctl+0x246/0x3f0\n ? drm_mode_getfb2_ioctl+0x2d0/0x2d0\n ? __x64_sys_ioctl+0x91/0xd0\n ? do_syscall_64+0x60/0xd0\n ? entry_SYSCALL_64_after_hwframe+0x4b/0xb5\n </TASK>\n\nThe problem was added by commit 5e0137612430 (\"video/aperture: Disable\nand unregister sysfb devices via aperture helpers\") to v6.0.3 and does\nnot exist in the mainline branch.\n\nThe mainline commit 5e0137612430 (\"video/aperture: Disable and\nunregister sysfb devices via aperture helpers\") has been backported\nfrom v6.0-rc1 to stable v6.0.3 from a larger patch series [2] that\nreworks fbdev framebuffer ownership. The backport misses a change to\naperture_remove_conflicting_pci_devices(). Mainline itself is fine,\nbecause the function does not exist there as a result of the patch\nseries.\n\nInstead of backporting the whole series, fix the additional function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50332",
          "detail": "fixed-version",
          "description": "Fixed from version 6.0.6"
        },
        {
          "id": "CVE-2022-50333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: fix shift-out-of-bounds in dbDiscardAG\n\nThis should be applied to most URSAN bugs found recently by syzbot,\nby guarding the dbMount. As syzbot feeding rubbish into the bmap\ndescriptor.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50333",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()\n\nSyzkaller reports a null-ptr-deref bug as follows:\n======================================================\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380\n[...]\nCall Trace:\n <TASK>\n vfs_parse_fs_param fs/fs_context.c:148 [inline]\n vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129\n vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191\n generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231\n do_new_mount fs/namespace.c:3036 [inline]\n path_mount+0x12de/0x1e20 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n </TASK>\n======================================================\n\nAccording to commit \"vfs: parse: deal with zero length string value\",\nkernel will set the param->string to null pointer in vfs_parse_fs_string()\nif fs string has zero length.\n\nYet the problem is that, hugetlbfs_parse_param() will dereference the\nparam->string, without checking whether it is a null pointer.  To be more\nspecific, if hugetlbfs_parse_param() parses an illegal mount parameter,\nsuch as \"size=,\", kernel will constructs struct fs_parameter with null\npointer in vfs_parse_fs_string(), then passes this struct fs_parameter to\nhugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.\n\nThis patch solves it by adding sanity check on param->string\nin hugetlbfs_parse_param().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50334",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: set req refcount to zero to avoid uninitialized usage\n\nWhen a new request is allocated, the refcount will be zero if it is\nreused, but if the request is newly allocated from slab, it is not fully\ninitialized before being added to idr.\n\nIf the p9_read_work got a response before the refcount initiated. It will\nuse a uninitialized req, which will result in a bad request data struct.\n\nHere is the logs from syzbot.\n\nCorrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00\n0x00 0x00 . . . . . . . . ] (in kfence-#110):\n p9_fcall_fini net/9p/client.c:248 [inline]\n p9_req_put net/9p/client.c:396 [inline]\n p9_req_put+0x208/0x250 net/9p/client.c:390\n p9_client_walk+0x247/0x540 net/9p/client.c:1165\n clone_fid fs/9p/fid.h:21 [inline]\n v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118\n v9fs_xattr_set fs/9p/xattr.c:100 [inline]\n v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159\n __vfs_setxattr+0x119/0x180 fs/xattr.c:182\n __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216\n __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277\n vfs_setxattr+0x143/0x340 fs/xattr.c:309\n setxattr+0x146/0x160 fs/xattr.c:617\n path_setxattr+0x197/0x1c0 fs/xattr.c:636\n __do_sys_setxattr fs/xattr.c:652 [inline]\n __se_sys_setxattr fs/xattr.c:648 [inline]\n __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nBelow is a similar scenario, the scenario in the syzbot log looks more\ncomplicated than this one, but this patch can fix it.\n\n     T21124                   p9_read_work\n======================== second trans =================================\np9_client_walk\n  p9_client_rpc\n    p9_client_prepare_req\n      p9_tag_alloc\n        req = 
kmem_cache_alloc(p9_req_cache, GFP_NOFS);\n        tag = idr_alloc\n        << preempted >>\n        req->tc.tag = tag;\n                            /* req->[refcount/tag] == uninitialized */\n                            m->rreq = p9_tag_lookup(m->client, m->rc.tag);\n                              /* increments uninitalized refcount */\n\n        refcount_set(&req->refcount, 2);\n                            /* cb drops one ref */\n                            p9_client_cb(req)\n                            /* reader thread drops its ref:\n                               request is incorrectly freed */\n                            p9_req_put(req)\n    /* use after free and ref underflow */\n    p9_req_put(req)\n\nTo fix it, we can initialize the refcount to zero before add to idr.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50335",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add null pointer check to attr_load_runs_vcn\n\nSome metadata files are handled before MFT. This adds a null pointer\ncheck for some corner cases that could lead to NPD while reading these\nmetadata files for a malformed NTFS image.\n\n[  240.190827] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  240.191583] #PF: supervisor read access in kernel mode\n[  240.191956] #PF: error_code(0x0000) - not-present page\n[  240.192391] PGD 0 P4D 0\n[  240.192897] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[  240.193805] CPU: 0 PID: 242 Comm: mount Tainted: G    B             5.19.0+ #17\n[  240.194477] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  240.195152] RIP: 0010:ni_find_attr+0xae/0x300\n[  240.195679] Code: c8 48 c7 45 88 c0 4e 5e 86 c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 e2 d9f\n[  240.196642] RSP: 0018:ffff88800812f690 EFLAGS: 00000286\n[  240.197019] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff85ef037a\n[  240.197523] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff88e95f60\n[  240.197877] RBP: ffff88800812f738 R08: 0000000000000001 R09: fffffbfff11d2bed\n[  240.198292] R10: ffffffff88e95f67 R11: fffffbfff11d2bec R12: 0000000000000000\n[  240.198647] R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000\n[  240.199410] FS:  00007f233c33be40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000\n[  240.199895] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  240.200314] CR2: 0000000000000158 CR3: 0000000004d32000 CR4: 00000000000006f0\n[  240.200839] Call Trace:\n[  240.201104]  <TASK>\n[  240.201502]  ? ni_load_mi+0x80/0x80\n[  240.202297]  ? ___slab_alloc+0x465/0x830\n[  240.202614]  attr_load_runs_vcn+0x8c/0x1a0\n[  240.202886]  ? __kasan_slab_alloc+0x32/0x90\n[  240.203157]  ? 
attr_data_write_resident+0x250/0x250\n[  240.203543]  mi_read+0x133/0x2c0\n[  240.203785]  mi_get+0x70/0x140\n[  240.204012]  ni_load_mi_ex+0xfa/0x190\n[  240.204346]  ? ni_std5+0x90/0x90\n[  240.204588]  ? __kasan_kmalloc+0x88/0xb0\n[  240.204859]  ni_enum_attr_ex+0xf1/0x1c0\n[  240.205107]  ? ni_fname_type.part.0+0xd0/0xd0\n[  240.205600]  ? ntfs_load_attr_list+0xbe/0x300\n[  240.205864]  ? ntfs_cmp_names_cpu+0x125/0x180\n[  240.206157]  ntfs_iget5+0x56c/0x1870\n[  240.206510]  ? ntfs_get_block_bmap+0x70/0x70\n[  240.206776]  ? __kasan_kmalloc+0x88/0xb0\n[  240.207030]  ? set_blocksize+0x95/0x150\n[  240.207545]  ntfs_fill_super+0xb8f/0x1e20\n[  240.207839]  ? put_ntfs+0x1d0/0x1d0\n[  240.208069]  ? vsprintf+0x20/0x20\n[  240.208467]  ? mutex_unlock+0x81/0xd0\n[  240.208846]  ? set_blocksize+0x95/0x150\n[  240.209221]  get_tree_bdev+0x232/0x370\n[  240.209804]  ? put_ntfs+0x1d0/0x1d0\n[  240.210519]  ntfs_fs_get_tree+0x15/0x20\n[  240.210991]  vfs_get_tree+0x4c/0x130\n[  240.211455]  path_mount+0x645/0xfd0\n[  240.211806]  ? putname+0x80/0xa0\n[  240.212112]  ? finish_automount+0x2e0/0x2e0\n[  240.212559]  ? kmem_cache_free+0x110/0x390\n[  240.212906]  ? putname+0x80/0xa0\n[  240.213329]  do_mount+0xd6/0xf0\n[  240.213829]  ? path_mount+0xfd0/0xfd0\n[  240.214246]  ? 
__kasan_check_write+0x14/0x20\n[  240.214774]  __x64_sys_mount+0xca/0x110\n[  240.215080]  do_syscall_64+0x3b/0x90\n[  240.215442]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  240.215811] RIP: 0033:0x7f233b4e948a\n[  240.216104] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  240.217615] RSP: 002b:00007fff02211ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[  240.218718] RAX: ffffffffffffffda RBX: 0000561cdc35b060 RCX: 00007f233b4e948a\n[  240.219556] RDX: 0000561cdc35b260 RSI: 0000561cdc35b2e0 RDI: 0000561cdc363af0\n[  240.219975] RBP: 0000000000000000 R08: 0000561cdc35b280 R09: 0000000000000020\n[  240.220403] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000561cdc363af0\n[  240.220803] R13: 000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50336",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocxl: fix pci device refcount leak when calling get_function_0()\n\nget_function_0() calls pci_get_domain_bus_and_slot(), as comment\nsays, it returns a pci device with refcount increment, so after\nusing it, pci_dev_put() needs be called.\n\nGet the device reference when get_function_0() is not called, so\npci_dev_put() can be called in the error path and callers\nunconditionally. And add comment above get_dvsec_vendor0() to tell\ncallers to call pci_dev_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50337",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()\n\nsyzbot is again reporting attempt to cancel uninitialized work\nat mgmt_index_removed() [1], for setting of HCI_MGMT flag from\nmgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can\nrace with testing of HCI_MGMT flag from mgmt_index_removed() from\nhci_sock_bind() due to lack of serialization via hci_dev_lock().\n\nSince mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can\nsafely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and\nhci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag\nafter INIT_DELAYED_WORK() completed.\n\nThis is a local fix based on mgmt_chan_list_lock. Lack of serialization\nvia hci_dev_lock() might be causing different race conditions somewhere\nelse. But a global fix based on hci_dev_lock() should deserve a future\npatch.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50339",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vimc: Fix wrong function called when vimc_init() fails\n\nIn vimc_init(), when platform_driver_register(&vimc_pdrv) fails,\nplatform_driver_unregister(&vimc_pdrv) is wrongly called rather than\nplatform_device_unregister(&vimc_pdev), which causes kernel warning:\n\n Unexpected driver unregister!\n WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0\n RIP: 0010:driver_unregister+0x8f/0xb0\n Call Trace:\n  <TASK>\n  vimc_init+0x7d/0x1000 [vimc]\n  do_one_initcall+0xd0/0x4e0\n  do_init_module+0x1cf/0x6b0\n  load_module+0x65c2/0x7820",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50340",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix oops during encryption\n\nWhen running xfstests against Azure the following oops occurred on an\narm64 system\n\n  Unable to handle kernel write to read-only memory at virtual address\n  ffff0001221cf000\n  Mem abort info:\n    ESR = 0x9600004f\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x0f: level 3 permission fault\n  Data abort info:\n    ISV = 0, ISS = 0x0000004f\n    CM = 0, WnR = 1\n  swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000\n  [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,\n  pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787\n  Internal error: Oops: 9600004f [#1] PREEMPT SMP\n  ...\n  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n  pc : __memcpy+0x40/0x230\n  lr : scatterwalk_copychunks+0xe0/0x200\n  sp : ffff800014e92de0\n  x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008\n  x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008\n  x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000\n  x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014\n  x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058\n  x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590\n  x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580\n  x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005\n  x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001\n  x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000\n  Call trace:\n   __memcpy+0x40/0x230\n   scatterwalk_map_and_copy+0x98/0x100\n   crypto_ccm_encrypt+0x150/0x180\n   crypto_aead_encrypt+0x2c/0x40\n   crypt_message+0x750/0x880\n   smb3_init_transform_rq+0x298/0x340\n   smb_send_rqst.part.11+0xd8/0x180\n   smb_send_rqst+0x3c/0x100\n   compound_send_recv+0x534/0xbc0\n   
smb2_query_info_compound+0x32c/0x440\n   smb2_set_ea+0x438/0x4c0\n   cifs_xattr_set+0x5d4/0x7c0\n\nThis is because in scatterwalk_copychunks(), we attempted to write to\na buffer (@sign) that was allocated in the stack (vmalloc area) by\ncrypt_message() and thus accessing its remaining 8 (x2) bytes ended up\ncrossing a page boundary.\n\nTo simply fix it, we could just pass @sign kmalloc'd from\ncrypt_message() and then we're done.  Luckily, we don't seem to pass\nany other vmalloc'd buffers in smb_rqst::rq_iov...\n\nInstead, let's map the correct pages and offsets from vmalloc buffers\nas well in cifs_sg_set_buf() and then avoiding such oopses.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50341",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfloppy: Fix memory leak in do_floppy_init()\n\nA memory leak was reported when floppy_alloc_disk() failed in\ndo_floppy_init().\n\nunreferenced object 0xffff888115ed25a0 (size 8):\n  comm \"modprobe\", pid 727, jiffies 4295051278 (age 25.529s)\n  hex dump (first 8 bytes):\n    00 ac 67 5b 81 88 ff ff                          ..g[....\n  backtrace:\n    [<000000007f457abb>] __kmalloc_node+0x4c/0xc0\n    [<00000000a87bfa9e>] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180\n    [<000000006f02e8b1>] blk_mq_alloc_tag_set+0x573/0x1130\n    [<0000000066007fd7>] 0xffffffffc06b8b08\n    [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0\n    [<00000000e26d04ee>] do_init_module+0x1a4/0x680\n    [<000000001bb22407>] load_module+0x6249/0x7110\n    [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200\n    [<000000007bddca46>] do_syscall_64+0x35/0x80\n    [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\nunreferenced object 0xffff88810fc30540 (size 32):\n  comm \"modprobe\", pid 727, jiffies 4295051278 (age 25.529s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000007f457abb>] __kmalloc_node+0x4c/0xc0\n    [<000000006b91eab4>] blk_mq_alloc_tag_set+0x393/0x1130\n    [<0000000066007fd7>] 0xffffffffc06b8b08\n    [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0\n    [<00000000e26d04ee>] do_init_module+0x1a4/0x680\n    [<000000001bb22407>] load_module+0x6249/0x7110\n    [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200\n    [<000000007bddca46>] do_syscall_64+0x35/0x80\n    [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nIf the floppy_alloc_disk() failed, disks of current drive will not be set,\nthus the lastest allocated set->tag cannot be freed in the error handling\npath. 
A simple call graph shown as below:\n\n floppy_module_init()\n   floppy_init()\n     do_floppy_init()\n       for (drive = 0; drive < N_DRIVE; drive++)\n         blk_mq_alloc_tag_set()\n           blk_mq_alloc_tag_set_tags()\n             blk_mq_realloc_tag_set_tags() # set->tag allocated\n         floppy_alloc_disk()\n           blk_mq_alloc_disk() # error occurred, disks failed to allocated\n\n       ->out_put_disk:\n       for (drive = 0; drive < N_DRIVE; drive++)\n         if (!disks[drive][0]) # the last disks is not set and loop break\n           break;\n         blk_mq_free_tag_set() # the latest allocated set->tag leaked\n\nFix this problem by free the set->tag of current drive before jump to\nerror handling path.\n\n[efremov: added stable list, changed title]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50342",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: fix possible name leaks when rio_add_device() fails\n\nPatch series \"rapidio: fix three possible memory leaks\".\n\nThis patchset fixes three name leaks in error handling.\n - patch #1 fixes two name leaks while rio_add_device() fails.\n - patch #2 fixes a name leak while  rio_register_mport() fails.\n\n\nThis patch (of 2):\n\nIf rio_add_device() returns error, the name allocated by dev_set_name()\nneed be freed.  It should use put_device() to give up the reference in the\nerror path, so that the name can be freed in kobject_cleanup(), and the\n'rdev' can be freed in rio_release_dev().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50343",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix null-ptr-deref in ext4_write_info\n\nI caught a null-ptr-deref bug as follows:\n==================================================================\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339\nRIP: 0010:ext4_write_info+0x53/0x1b0\n[...]\nCall Trace:\n dquot_writeback_dquots+0x341/0x9a0\n ext4_sync_fs+0x19e/0x800\n __sync_filesystem+0x83/0x100\n sync_filesystem+0x89/0xf0\n generic_shutdown_super+0x79/0x3e0\n kill_block_super+0xa1/0x110\n deactivate_locked_super+0xac/0x130\n deactivate_super+0xb6/0xd0\n cleanup_mnt+0x289/0x400\n __cleanup_mnt+0x16/0x20\n task_work_run+0x11c/0x1c0\n exit_to_user_mode_prepare+0x203/0x210\n syscall_exit_to_user_mode+0x5b/0x3a0\n do_syscall_64+0x59/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n ==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\nexit_to_user_mode_prepare\n task_work_run\n  __cleanup_mnt\n   cleanup_mnt\n    deactivate_super\n     deactivate_locked_super\n      kill_block_super\n       generic_shutdown_super\n        shrink_dcache_for_umount\n         dentry = sb->s_root\n         sb->s_root = NULL              <--- Here set NULL\n        sync_filesystem\n         __sync_filesystem\n          sb->s_op->sync_fs > ext4_sync_fs\n           dquot_writeback_dquots\n            sb->dq_op->write_info > ext4_write_info\n             ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)\n              d_inode(sb->s_root)\n               s_root->d_inode          <--- Null pointer dereference\n\nTo solve this problem, we use ext4_journal_start_sb directly\nto avoid s_root being used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50344",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: init quota for 'old.inode' in 'ext4_rename'\n\nSyzbot found the following issue:\next4_parse_param: s_want_extra_isize=128\next4_inode_info_init: s_want_extra_isize=32\next4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828\n__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128\n__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128\next4_xattr_block_set: inode=ffff88823869a2c8\n------------[ cut here ]------------\nWARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980\nModules linked in:\nRIP: 0010:ext4_xattr_block_set.cold+0x22/0x980\nRSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000\nRDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178\nRBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e\nR10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000\nR13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000\nFS:  00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? ext4_xattr_set_entry+0x3b7/0x2320\n ? ext4_xattr_block_set+0x0/0x2020\n ? ext4_xattr_set_entry+0x0/0x2320\n ? ext4_xattr_check_entries+0x77/0x310\n ? ext4_xattr_ibody_set+0x23b/0x340\n ext4_xattr_move_to_block+0x594/0x720\n ext4_expand_extra_isize_ea+0x59a/0x10f0\n __ext4_expand_extra_isize+0x278/0x3f0\n __ext4_mark_inode_dirty.cold+0x347/0x410\n ext4_rename+0xed3/0x174f\n vfs_rename+0x13a7/0x2510\n do_renameat2+0x55d/0x920\n __x64_sys_rename+0x7d/0xb0\n do_syscall_64+0x3b/0xa0\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAs 'ext4_rename' will modify 'old.inode' ctime and mark the inode dirty,\nwhich may trigger expanding 'extra_isize' and allocating a block. If the inode\ndidn't init quota, it will lead to a warning. To solve the above issue, init\n'old.inode' first in 'ext4_rename'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50346",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return an error; if we ignore its return value, the memory\nthat was allocated in mmc_alloc_host() will be leaked and it will lead to a kernel\ncrash because of deleting a device that was never added in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path; besides, led_classdev_unregister() and pm_runtime_disable() also\nneed to be called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50347",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix a memory leak in an error handling path\n\nIf this memdup_user() call fails, the memory allocated in a previous call\na few lines above should be freed. Otherwise it leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50348",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: tifm: fix possible memory leak in tifm_7xx1_switch_media()\n\nIf device_register() returns error in tifm_7xx1_switch_media(),\nname of kobject which is allocated in dev_set_name() called in device_add()\nis leaked.\n\nNever directly free @dev after calling device_register(), even\nif it returned an error! Always use put_device() to give up the\nreference initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50349",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix a race condition between login_work and the login thread\n\nIn case a malicious initiator sends some random data immediately after a\nlogin PDU; the iscsi_target_sk_data_ready() callback will schedule the\nlogin_work and, at the same time, the negotiation may end without clearing\nthe LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are\nrequired to complete the login).\n\nThe login has been completed but the login_work function will find the\nLOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling\nitself; at this point, if the initiator drops the connection, the\niscsit_conn structure will be freed, login_work will dereference a released\nsocket structure and the kernel crashes.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000230\nPF: supervisor write access in kernel mode\nPF: error_code(0x0002) - not-present page\nWorkqueue: events iscsi_target_do_login_rx [iscsi_target_mod]\nRIP: 0010:_raw_read_lock_bh+0x15/0x30\nCall trace:\n iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]\n process_one_work+0x1e8/0x3c0\n\nFix this bug by forcing login_work to stop after the login has been\ncompleted and the socket callbacks have been restored.\n\nAdd a comment to clarify the return values of iscsi_target_do_login()",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50350",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_create()\n\nIf cifs has already shut down, we should free the xid before returning;\notherwise, the xid will be leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50351",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns: fix possible memory leak in hnae_ae_register()\n\nInject fault while probing module, if device_register() fails,\nbut the refcount of kobject is not decreased to 0, the name\nallocated in dev_set_name() is leaked. Fix this by calling\nput_device(), so that name can be freed in callback function\nkobject_cleanup().\n\nunreferenced object 0xffff00c01aba2100 (size 128):\n  comm \"systemd-udevd\", pid 1259, jiffies 4294903284 (age 294.152s)\n  hex dump (first 32 bytes):\n    68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff  hnae0....!......\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000034783f26>] slab_post_alloc_hook+0xa0/0x3e0\n    [<00000000748188f2>] __kmem_cache_alloc_node+0x164/0x2b0\n    [<00000000ab0743e8>] __kmalloc_node_track_caller+0x6c/0x390\n    [<000000006c0ffb13>] kvasprintf+0x8c/0x118\n    [<00000000fa27bfe1>] kvasprintf_const+0x60/0xc8\n    [<0000000083e10ed7>] kobject_set_name_vargs+0x3c/0xc0\n    [<000000000b87affc>] dev_set_name+0x7c/0xa0\n    [<000000003fd8fe26>] hnae_ae_register+0xcc/0x190 [hnae]\n    [<00000000fe97edc9>] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]\n    [<00000000c36ff1eb>] hns_dsaf_probe+0x548/0x748 [hns_dsaf]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50352",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: wmt-sdmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return an error; if we ignore its return value, the memory\nthat was allocated in mmc_alloc_host() will be leaked and it will lead to a kernel\ncrash because of deleting a device that was never added in the remove path.\n\nSo fix this by checking the return value and going to the error path, which will call\nmmc_free_host(); besides, clk_disable_unprepare() also needs to be called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50353",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix kfd_process_device_init_vm error handling\n\nShould only destroy the ib_mem and let process cleanup worker to free\nthe outstanding BOs. Reset the pointer in pdd->qpd structure, to avoid\nNULL pointer access in process destroy worker.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n Call Trace:\n  amdgpu_amdkfd_gpuvm_unmap_gtt_bo_from_kernel+0x46/0xb0 [amdgpu]\n  kfd_process_device_destroy_cwsr_dgpu+0x40/0x70 [amdgpu]\n  kfd_process_destroy_pdds+0x71/0x190 [amdgpu]\n  kfd_process_wq_release+0x2a2/0x3b0 [amdgpu]\n  process_one_work+0x2a1/0x600\n  worker_thread+0x39/0x3d0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50354",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vt6655: fix some erroneous memory clean-up loops\n\nIn some initialization functions of this driver, memory is allocated with\n'i' acting as an index variable and increasing from 0. The commit in\n\"Fixes\" introduces some clean-up codes in case of allocation failure,\nwhich free memory in reverse order with 'i' decreasing to 0. However,\nthere are some problems:\n  - The case i=0 is left out. Thus memory is leaked.\n  - In case memory allocation fails right from the start, the memory\n    freeing loops will start with i=-1 and invalid memory locations will\n    be accessed.\n\nOne of these loops has been fixed in commit c8ff91535880 (\"staging:\nvt6655: fix potential memory leak\"). Fix the remaining erroneous loops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50355",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sfb: fix null pointer access issue when sfb_init() fails\n\nWhen the default qdisc is sfb, if the qdisc of dev_queue fails to be\ninited during mqprio_init(), sfb_reset() is invoked to clear resources.\nIn this case, the q->qdisc is NULL, and it will cause gpf issue.\n\nThe process is as follows:\nqdisc_create_dflt()\n\tsfb_init()\n\t\ttcf_block_get()          --->failed, q->qdisc is NULL\n\t...\n\tqdisc_put()\n\t\t...\n\t\tsfb_reset()\n\t\t\tqdisc_reset(q->qdisc)    --->q->qdisc is NULL\n\t\t\t\tops = qdisc->ops\n\nThe following is the Call Trace information:\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nRIP: 0010:qdisc_reset+0x2b/0x6f0\nCall Trace:\n<TASK>\nsfb_reset+0x37/0xd0\nqdisc_reset+0xed/0x6f0\nqdisc_destroy+0x82/0x4c0\nqdisc_put+0x9e/0xb0\nqdisc_create_dflt+0x2c3/0x4a0\nmqprio_init+0xa71/0x1760\nqdisc_create+0x3eb/0x1000\ntc_modify_qdisc+0x408/0x1720\nrtnetlink_rcv_msg+0x38e/0xac0\nnetlink_rcv_skb+0x12d/0x3a0\nnetlink_unicast+0x4a2/0x740\nnetlink_sendmsg+0x826/0xcc0\nsock_sendmsg+0xc5/0x100\n____sys_sendmsg+0x583/0x690\n___sys_sendmsg+0xe8/0x160\n__sys_sendmsg+0xbf/0x160\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f2164122d04\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50356",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: fix some leaks in probe\n\nThe dwc3_get_properties() function calls:\n\n\tdwc->usb_psy = power_supply_get_by_name(usb_psy_name);\n\nso there is some additional clean up required on these error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50357",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: return error when getting invalid max_flowrings from dongle\n\nWhen firmware hits a trap at initialization, the host will read an abnormal\nmax_flowrings number from the dongle, and it will cause a kernel panic when\ndoing iowrite to initialize the dongle ring.\nTo detect this error at an early stage, we directly return an error when getting\nan invalid max_flowrings (>256).",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50358",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Fix a null-ptr-deref bug in buffer_prepare()\n\nWhen the driver calls cx88_risc_buffer() to prepare the buffer, the\nfunction call may fail, resulting in an empty buffer and a null-ptr-deref\nlater in buffer_queue().\n\nThe following log can reveal it:\n\n[   41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\n[   41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[   41.828027] RIP: 0010:buffer_queue+0xc2/0x500\n[   41.836311] Call Trace:\n[   41.836945]  __enqueue_in_driver+0x141/0x360\n[   41.837262]  vb2_start_streaming+0x62/0x4a0\n[   41.838216]  vb2_core_streamon+0x1da/0x2c0\n[   41.838516]  __vb2_init_fileio+0x981/0xbc0\n[   41.839141]  __vb2_perform_fileio+0xbf9/0x1120\n[   41.840072]  vb2_fop_read+0x20e/0x400\n[   41.840346]  v4l2_read+0x215/0x290\n[   41.840603]  vfs_read+0x162/0x4c0\n\nFix this by checking the return value of cx88_risc_buffer()\n\n[hverkuil: fix coding style issues]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50359",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: fix aux-bus EP lifetime\n\nDevice-managed resources allocated post component bind must be tied to\nthe lifetime of the aggregate DRM device or they will not necessarily be\nreleased when binding of the aggregate device is deferred.\n\nThis can lead to resource leaks or failure to bind the aggregate device\nwhen binding is later retried and a second attempt to allocate the\nresources is made.\n\nFor the DP aux-bus, an attempt to populate the bus a second time will\nsimply fail (\"DP AUX EP device already populated\").\n\nFix this by tying the lifetime of the EP device to the DRM device rather\nthan the DP controller platform device.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502672/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50360",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init()\n\nFault injection test reports this issue:\n\nkernel BUG at net/core/dev.c:10731!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCall Trace:\n  <TASK>\n  wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]\n  wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]\n  wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff]\n  spi_probe+0xe4/0x140\n  really_probe+0x17e/0x3f0\n  __driver_probe_device+0xe3/0x170\n  driver_probe_device+0x49/0x120\n\nThe root cause here is that alloc_ordered_workqueue() fails, but\ncfg80211_unregister_netdevice() or unregister_netdev() is not called in the\nerror handling path. To fix this, add an unregister_netdev goto label to add the\nunregister operation in the error handling path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50361",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: hisilicon: Add multi-thread support for a DMA channel\n\nWhen we get a DMA channel and try to use it in multiple threads it\nwill cause oops and hanging the system.\n\n% echo 100 > /sys/module/dmatest/parameters/threads_per_chan\n% echo 100 > /sys/module/dmatest/parameters/iterations\n% echo 1 > /sys/module/dmatest/parameters/run\n[383493.327077] Unable to handle kernel paging request at virtual\n\t\taddress dead000000000108\n[383493.335103] Mem abort info:\n[383493.335103]   ESR = 0x96000044\n[383493.335105]   EC = 0x25: DABT (current EL), IL = 32 bits\n[383493.335107]   SET = 0, FnV = 0\n[383493.335108]   EA = 0, S1PTW = 0\n[383493.335109]   FSC = 0x04: level 0 translation fault\n[383493.335110] Data abort info:\n[383493.335111]   ISV = 0, ISS = 0x00000044\n[383493.364739]   CM = 0, WnR = 1\n[383493.367793] [dead000000000108] address between user and kernel\n\t\taddress ranges\n[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:\n\t\tloaded Tainted: GO 5.17.0-rc4+ #2\n[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT\n\t\t-SSBS BTYPE=--)\n[383493.465331] pc : vchan_tx_submit+0x64/0xa0\n[383493.469957] lr : vchan_tx_submit+0x34/0xa0\n\nThis occurs because the transmission timed out, and that's due\nto a data race. Each thread rewrites the channel's descriptor as soon as\ndevice_issue_pending is called. It leads to the situation that\nthe driver thinks that it uses the right descriptor in the interrupt\nhandler while the channel's descriptor has been changed by another\nthread. The descriptor which in fact reported the interrupt will not\nbe handled any more, as well as its tx->callback.\nThat's why the timeout is reported.\n\nWith the current fixes the channel's descriptor changes its value only\nwhen it has been used. A new descriptor is acquired from the\nvc->desc_issued queue that is already filled with descriptors\nthat are ready to be sent. Threads have no direct access to the DMA\nchannel descriptor. In case the channel's descriptor is busy, try\nto submit to HW again when a descriptor is completed. In this case,\nvc->desc_issued may be empty when hisi_dma_start_transfer is called,\nso delete error reporting on this. Now it is just possible to queue\na descriptor for further processing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50362",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: pass gfp argument to alloc_sk_msg()\n\nsyzbot found that alloc_sk_msg() could be called from a\nnon sleepable context. sk_psock_verdict_recv() uses\nrcu_read_lock() protection.\n\nWe need the callers to pass a gfp_t argument to avoid issues.\n\nsyzbot report was:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:274\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3613, name: syz-executor414\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 PID: 3613 Comm: syz-executor414 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106\n__might_resched+0x538/0x6a0 kernel/sched/core.c:9877\nmight_alloc include/linux/sched/mm.h:274 [inline]\nslab_pre_alloc_hook mm/slab.h:700 [inline]\nslab_alloc_node mm/slub.c:3162 [inline]\nslab_alloc mm/slub.c:3256 [inline]\nkmem_cache_alloc_trace+0x59/0x310 mm/slub.c:3287\nkmalloc include/linux/slab.h:600 [inline]\nkzalloc include/linux/slab.h:733 [inline]\nalloc_sk_msg net/core/skmsg.c:507 [inline]\nsk_psock_skb_ingress_self+0x5c/0x330 net/core/skmsg.c:600\nsk_psock_verdict_apply+0x395/0x440 net/core/skmsg.c:1014\nsk_psock_verdict_recv+0x34d/0x560 net/core/skmsg.c:1201\ntcp_read_skb+0x4a1/0x790 net/ipv4/tcp.c:1770\ntcp_rcv_established+0x129d/0x1a10 net/ipv4/tcp_input.c:5971\ntcp_v4_do_rcv+0x479/0xac0 net/ipv4/tcp_ipv4.c:1681\nsk_backlog_rcv include/net/sock.h:1109 [inline]\n__release_sock+0x1d8/0x4c0 net/core/sock.c:2906\nrelease_sock+0x5d/0x1c0 net/core/sock.c:3462\ntcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1483\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n__sys_sendto+0x46d/0x5f0 net/socket.c:2117\n__do_sys_sendto net/socket.c:2129 [inline]\n__se_sys_sendto net/socket.c:2125 [inline]\n__x64_sys_sendto+0xda/0xf0 net/socket.c:2125\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50363",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: mux: reg: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref in resource_size(), if platform_get_resource()\nreturns NULL, move calling resource_size() after devm_ioremap_resource() that\nwill check 'res' to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50364",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: Account for tail adjustment during pull operations\n\nExtending the tail can have some unexpected side effects if a program uses\na helper like BPF_FUNC_skb_pull_data to read partial content beyond the\nhead skb headlen when all the skbs in the gso frag_list are linear with no\nhead_frag -\n\n  kernel BUG at net/core/skbuff.c:4219!\n  pc : skb_segment+0xcf4/0xd2c\n  lr : skb_segment+0x63c/0xd2c\n  Call trace:\n   skb_segment+0xcf4/0xd2c\n   __udp_gso_segment+0xa4/0x544\n   udp4_ufo_fragment+0x184/0x1c0\n   inet_gso_segment+0x16c/0x3a4\n   skb_mac_gso_segment+0xd4/0x1b0\n   __skb_gso_segment+0xcc/0x12c\n   udp_rcv_segment+0x54/0x16c\n   udp_queue_rcv_skb+0x78/0x144\n   udp_unicast_rcv_skb+0x8c/0xa4\n   __udp4_lib_rcv+0x490/0x68c\n   udp_rcv+0x20/0x30\n   ip_protocol_deliver_rcu+0x1b0/0x33c\n   ip_local_deliver+0xd8/0x1f0\n   ip_rcv+0x98/0x1a4\n   deliver_ptype_list_skb+0x98/0x1ec\n   __netif_receive_skb_core+0x978/0xc60\n\nFix this by marking these skbs as GSO_DODGY so segmentation can handle\nthe tail updates accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50365",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: fix UBSAN shift-out-of-bounds issue\n\nWhen value < time_unit, the parameter of ilog2() will be zero and\nthe return value is -1. u64(-1) is too large for a shift exponent\nand then will trigger shift-out-of-bounds:\n\nshift exponent 18446744073709551615 is too large for 32-bit type 'int'\nCall Trace:\n rapl_compute_time_window_core\n rapl_write_data_raw\n set_time_window\n store_constraint_time_window_us",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50366",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: fix UAF/GPF bug in nilfs_mdt_destroy\n\nIn alloc_inode, inode_init_always() could return -ENOMEM if\nsecurity_inode_alloc() fails, which causes inode->i_private\nto be left uninitialized. Then nilfs_is_metadata_file_inode() returns\ntrue and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),\nwhich frees the uninitialized inode->i_private\nand leads to crashes (e.g., UAF/GPF).\n\nFix this by moving security_inode_alloc just prior to\nthis_cpu_inc(nr_inodes)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50367",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502668/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50368",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix null-ptr-deref in vkms_release()\n\nA null-ptr-deref is triggered when it tries to destroy the workqueue in\nvkms->output.composer_workq in vkms_release().\n\n KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\n CPU: 5 PID: 17193 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf #24\n RIP: 0010:destroy_workqueue+0x2f/0x710\n ...\n Call Trace:\n  <TASK>\n  ? vkms_config_debugfs_init+0x50/0x50 [vkms]\n  __devm_drm_dev_alloc+0x15a/0x1c0 [drm]\n  vkms_init+0x245/0x1000 [vkms]\n  do_one_initcall+0xd0/0x4f0\n  do_init_module+0x1a4/0x680\n  load_module+0x6249/0x7110\n  __do_sys_finit_module+0x140/0x200\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe reason is that an OOM happened which triggers the destroy of the\nworkqueue; however, the workqueue is allocated later in the process,\nthus a null-ptr-deref happened. A simple call graph is shown as below:\n\n vkms_init()\n  vkms_create()\n    devm_drm_dev_alloc()\n      __devm_drm_dev_alloc()\n        devm_drm_dev_init()\n          devm_add_action_or_reset()\n            devm_add_action() # an error happened\n            devm_drm_dev_init_release()\n              drm_dev_put()\n                kref_put()\n                  drm_dev_release()\n                    vkms_release()\n                      destroy_workqueue() # null-ptr-deref happened\n    vkms_modeset_init()\n      vkms_output_init()\n        vkms_crtc_init() # where the workqueue gets allocated\n\nFix this by checking if composer_workq is NULL before passing it to\nthe destroy_workqueue() in vkms_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50369",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: Fix handling of real but unexpected device interrupts\n\nCommit c7b79a752871 (\"mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI\nIDs\") caused a regression on certain Gigabyte motherboards for Intel\nAlder Lake-S where system crashes to NULL pointer dereference in\ni2c_dw_xfer_msg() when system resumes from S3 sleep state (\"deep\").\n\nI was able to debug the issue on Gigabyte Z690 AORUS ELITE and made\nfollowing notes:\n\n- Issue happens when resuming from S3 but not when resuming from\n  \"s2idle\"\n- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when\n  system enters into pci_pm_resume_noirq() while all other i2c_designware\n  PCI devices are in D3. Devices were runtime suspended and in D3 prior\n  entering into suspend\n- Interrupt comes after pci_pm_resume_noirq() when device interrupts are\n  re-enabled\n- According to register dump the interrupt really comes from the\n  i2c_designware.0. Controller is enabled, I2C target address register\n  points to a one detectable I2C device address 0x60 and the\n  DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and\n  TX_EMPTY bits are set indicating completed I2C transaction.\n\nMy guess is that the firmware uses this controller to communicate with\nan on-board I2C device during resume but does not disable the controller\nbefore giving control to an operating system.\n\nI was told the UEFI update fixes this but never the less it revealed the\ndriver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device\nis supposed to be idle and state variables are not set (especially the\ndev->msgs pointer which may point to NULL or stale old data).\n\nIntroduce a new software status flag STATUS_ACTIVE indicating when the\ncontroller is active in driver point of view. Now treat all interrupts\nthat occur when is not set as unexpected and mask all interrupts from\nthe controller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50370",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nled: qcom-lpg: Fix sleeping in atomic\n\nlpg_brighness_set() function can sleep, while led's brightness_set()\ncallback must be non-blocking. Change LPG driver to use\nbrightness_set_blocking() instead.\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:580\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0\npreempt_count: 101, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W          6.1.0-rc1-00014-gbe99b089c6fc-dirty #85\nHardware name: Qualcomm Technologies, Inc. DB820c (DT)\nCall trace:\n dump_backtrace.part.0+0xe4/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x88/0xb4\n dump_stack+0x18/0x34\n __might_resched+0x170/0x254\n __might_sleep+0x48/0x9c\n __mutex_lock+0x4c/0x400\n mutex_lock_nested+0x2c/0x40\n lpg_brightness_single_set+0x40/0x90\n led_set_brightness_nosleep+0x34/0x60\n led_heartbeat_function+0x80/0x170\n call_timer_fn+0xb8/0x340\n __run_timers.part.0+0x20c/0x254\n run_timer_softirq+0x3c/0x7c\n _stext+0x14c/0x578\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x2c/0x5c\n do_softirq_own_stack+0x1c/0x30\n __irq_exit_rcu+0x164/0x170\n irq_exit_rcu+0x10/0x40\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x64/0x68\n cpuidle_enter_state+0xc8/0x380\n cpuidle_enter+0x38/0x50\n do_idle+0x244/0x2d0\n cpu_startup_entry+0x24/0x30\n rest_init+0x128/0x1a0\n arch_post_acpi_subsys_init+0x0/0x18\n start_kernel+0x6f4/0x734\n __primary_switched+0xbc/0xc4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50371",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory leak when build ntlmssp negotiate blob failed\n\nThere is a memory leak when mount cifs:\n  unreferenced object 0xffff888166059600 (size 448):\n    comm \"mount.cifs\", pid 51391, jiffies 4295596373 (age 330.596s)\n    hex dump (first 32 bytes):\n      fe 53 4d 42 40 00 00 00 00 00 00 00 01 00 82 00  .SMB@...........\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<0000000060609a61>] mempool_alloc+0xe1/0x260\n      [<00000000adfa6c63>] cifs_small_buf_get+0x24/0x60\n      [<00000000ebb404c7>] __smb2_plain_req_init+0x32/0x460\n      [<00000000bcf875b4>] SMB2_sess_alloc_buffer+0xa4/0x3f0\n      [<00000000753a2987>] SMB2_sess_auth_rawntlmssp_negotiate+0xf5/0x480\n      [<00000000f0c1f4f9>] SMB2_sess_setup+0x253/0x410\n      [<00000000a8b83303>] cifs_setup_session+0x18f/0x4c0\n      [<00000000854bd16d>] cifs_get_smb_ses+0xae7/0x13c0\n      [<000000006cbc43d9>] mount_get_conns+0x7a/0x730\n      [<000000005922d816>] cifs_mount+0x103/0xd10\n      [<00000000e33def3b>] cifs_smb3_do_mount+0x1dd/0xc90\n      [<0000000078034979>] smb3_get_tree+0x1d5/0x300\n      [<000000004371f980>] vfs_get_tree+0x41/0xf0\n      [<00000000b670d8a7>] path_mount+0x9b3/0xdd0\n      [<000000005e839a7d>] __x64_sys_mount+0x190/0x1d0\n      [<000000009404c3b9>] do_syscall_64+0x35/0x80\n\nWhen build ntlmssp negotiate blob failed, the session setup request\nshould be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50372",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix race in lowcomms\n\nThis patch fixes a race between queue_work() in\n_dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can\ntake the final reference of a dlm_msg and so msg->idx can contain\ngarbage which is signaled by the following warning:\n\n[  676.237050] ------------[ cut here ]------------\n[  676.237052] WARNING: CPU: 0 PID: 1060 at include/linux/srcu.h:189 dlm_lowcomms_commit_msg+0x41/0x50\n[  676.238945] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common iTCO_wdt iTCO_vendor_support qxl kvm_intel drm_ttm_helper vmw_vsock_virtio_transport kvm vmw_vsock_virtio_transport_common ttm irqbypass crc32_pclmul joydev crc32c_intel serio_raw drm_kms_helper vsock virtio_scsi virtio_console virtio_balloon snd_pcm drm syscopyarea sysfillrect sysimgblt snd_timer fb_sys_fops i2c_i801 lpc_ich snd i2c_smbus soundcore pcspkr\n[  676.244227] CPU: 0 PID: 1060 Comm: lock_torture_wr Not tainted 5.19.0-rc3+ #1546\n[  676.245216] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014\n[  676.246460] RIP: 0010:dlm_lowcomms_commit_msg+0x41/0x50\n[  676.247132] Code: fe ff ff ff 75 24 48 c7 c6 bd 0f 49 bb 48 c7 c7 38 7c 01 bd e8 00 e7 ca ff 89 de 48 c7 c7 60 78 01 bd e8 42 3d cd ff 5b 5d c3 <0f> 0b eb d8 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48\n[  676.249253] RSP: 0018:ffffa401c18ffc68 EFLAGS: 00010282\n[  676.249855] RAX: 0000000000000001 RBX: 00000000ffff8b76 RCX: 0000000000000006\n[  676.250713] RDX: 0000000000000000 RSI: ffffffffbccf3a10 RDI: ffffffffbcc7b62e\n[  676.251610] RBP: ffffa401c18ffc70 R08: 0000000000000001 R09: 0000000000000001\n[  676.252481] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000005\n[  676.253421] R13: ffff8b76786ec370 R14: ffff8b76786ec370 R15: ffff8b76786ec480\n[  676.254257] FS:  0000000000000000(0000) GS:ffff8b7777800000(0000) knlGS:0000000000000000\n[  676.255239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  676.255897] CR2: 00005590205d88b8 CR3: 000000017656c003 CR4: 0000000000770ee0\n[  676.256734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  676.257567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  676.258397] PKRU: 55555554\n[  676.258729] Call Trace:\n[  676.259063]  <TASK>\n[  676.259354]  dlm_midcomms_commit_mhandle+0xcc/0x110\n[  676.259964]  queue_bast+0x8b/0xb0\n[  676.260423]  grant_pending_locks+0x166/0x1b0\n[  676.261007]  _unlock_lock+0x75/0x90\n[  676.261469]  unlock_lock.isra.57+0x62/0xa0\n[  676.262009]  dlm_unlock+0x21e/0x330\n[  676.262457]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[  676.263183]  torture_unlock+0x5a/0x90 [dlm_locktorture]\n[  676.263815]  ? preempt_count_sub+0xba/0x100\n[  676.264361]  ? complete+0x1d/0x60\n[  676.264777]  lock_torture_writer+0xb8/0x150 [dlm_locktorture]\n[  676.265555]  kthread+0x10a/0x130\n[  676.266007]  ? kthread_complete_and_exit+0x20/0x20\n[  676.266616]  ret_from_fork+0x22/0x30\n[  676.267097]  </TASK>\n[  676.267381] irq event stamp: 9579855\n[  676.267824] hardirqs last  enabled at (9579863): [<ffffffffbb14e6f8>] __up_console_sem+0x58/0x60\n[  676.268896] hardirqs last disabled at (9579872): [<ffffffffbb14e6dd>] __up_console_sem+0x3d/0x60\n[  676.270008] softirqs last  enabled at (9579798): [<ffffffffbc200349>] __do_softirq+0x349/0x4c7\n[  676.271438] softirqs last disabled at (9579897): [<ffffffffbb0d54c0>] irq_exit_rcu+0xb0/0xf0\n[  676.272796] ---[ end trace 0000000000000000 ]---\n\nI reproduced this warning with the dlm_locktorture test which is currently\nnot upstream. However this patch fixes the issue by making an additional\nrefcount between dlm_lowcomms_new_msg() and dlm_lowcomms_commit_msg().\nIn case of the race the kref_put() in dlm_lowcomms_commit_msg() will be\nthe final put.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50373",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure\n\nsyzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1],\nfor rcu_sync_enter() is called without rcu_sync_init() due to\nhci_uart_tty_open() ignoring percpu_init_rwsem() failure.\n\nWhile we are at it, fix that hci_uart_register_device() ignores\npercpu_init_rwsem() failure and hci_uart_unregister_device() does not\ncall percpu_free_rwsem().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50374",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown\n\nlpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can\nstill occur which in turn tries to access dma apis if lpuart_dma_tx_use\nflag is true. At this point since dma is torn down, these dma apis can\nabort. Set lpuart_dma_tx_use and the corresponding rx flag\nlpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not\naccessed after they are relinquished.\n\nOtherwise, when try to kill btattach, kernel may panic. This patch may\nfix this issue.\nroot@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200\n^C[   90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP\n[   90.189806] Modules linked in: moal(O) mlan(O)\n[   90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G           O      5.15.32-06136-g34eecdf2f9e4 #37\n[   90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)\n[   90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   90.215470] pc : fsl_edma3_disable_request+0x8/0x60\n[   90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c\n[   90.225237] sp : ffff800013f0bac0\n[   90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800\n[   90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00\n[   90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000\n[   90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000\n[   90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[   90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040\n[   90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090\n[   90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804\n[   90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480\n[   90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800\n[   90.299876] Call trace:\n[   90.302321]  fsl_edma3_disable_request+0x8/0x60\n[   90.306851]  lpuart_flush_buffer+0x40/0x160\n[   90.311037]  uart_flush_buffer+0x88/0x120\n[   90.315050]  tty_driver_flush_buffer+0x20/0x30\n[   90.319496]  hci_uart_flush+0x44/0x90\n[   90.323162]  +0x34/0x12c\n[   90.327253]  tty_ldisc_close+0x38/0x70\n[   90.331005]  tty_ldisc_release+0xa8/0x190\n[   90.335018]  tty_release_struct+0x24/0x8c\n[   90.339022]  tty_release+0x3ec/0x4c0\n[   90.342593]  __fput+0x70/0x234\n[   90.345652]  ____fput+0x14/0x20\n[   90.348790]  task_work_run+0x84/0x17c\n[   90.352455]  do_exit+0x310/0x96c\n[   90.355688]  do_group_exit+0x3c/0xa0\n[   90.359259]  __arm64_sys_exit_group+0x1c/0x20\n[   90.363609]  invoke_syscall+0x48/0x114\n[   90.367362]  el0_svc_common.constprop.0+0xd4/0xfc\n[   90.372068]  do_el0_svc+0x2c/0x94\n[   90.375379]  el0_svc+0x28/0x80\n[   90.378438]  el0t_64_sync_handler+0xa8/0x130\n[   90.382711]  el0t_64_sync+0x1a0/0x1a4\n[   90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)\n[   90.392467] ---[ end trace 2f60524b4a43f1f6 ]---\n[   90.397073] note: btattach[503] exited with preempt_count 1\n[   90.402636] Fixing recursive fault but reboot is needed!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50375",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()\n\nWhen insert and remove the orangefs module, there are memory leaked\nas below:\n\nunreferenced object 0xffff88816b0cc000 (size 2048):\n  comm \"insmod\", pid 783, jiffies 4294813439 (age 65.512s)\n  hex dump (first 32 bytes):\n    6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00  none............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000031ab7788>] kmalloc_trace+0x27/0xa0\n    [<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f\n    [<00000000e5a0085b>] 0xffffffffa02780f9\n    [<000000004232d9f7>] do_one_initcall+0x87/0x2a0\n    [<0000000054f22384>] do_init_module+0xdf/0x320\n    [<000000003263bdea>] load_module+0x2f98/0x3330\n    [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000250ae02b>] do_syscall_64+0x35/0x80\n    [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nUse the global variable as the buffer rather than dynamic allocate to\nsolve the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50376",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: reorder driver deinit sequence to fix use-after-free bug\n\nUnloading the driver triggers the following KASAN warning:\n\n[  +0.006275] =============================================================\n[  +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0\n[  +0.000026] Read of size 8 at addr ffff000020c395e0 by task rmmod/2695\n\n[  +0.000019] CPU: 5 PID: 2695 Comm: rmmod Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1\n[  +0.000013] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[  +0.000008] Call trace:\n[  +0.000007]  dump_backtrace+0x1ec/0x280\n[  +0.000013]  show_stack+0x24/0x80\n[  +0.000008]  dump_stack_lvl+0x98/0xd4\n[  +0.000011]  print_address_description.constprop.0+0x80/0x520\n[  +0.000011]  print_report+0x128/0x260\n[  +0.000007]  kasan_report+0xb8/0xfc\n[  +0.000008]  __asan_report_load8_noabort+0x3c/0x50\n[  +0.000010]  __list_del_entry_valid+0xe0/0x1a0\n[  +0.000009]  drm_atomic_private_obj_fini+0x30/0x200 [drm]\n[  +0.000172]  drm_bridge_detach+0x94/0x260 [drm]\n[  +0.000145]  drm_encoder_cleanup+0xa4/0x290 [drm]\n[  +0.000144]  drm_mode_config_cleanup+0x118/0x740 [drm]\n[  +0.000143]  drm_mode_config_init_release+0x1c/0x2c [drm]\n[  +0.000144]  drm_managed_release+0x170/0x414 [drm]\n[  +0.000142]  drm_dev_put.part.0+0xc0/0x124 [drm]\n[  +0.000143]  drm_dev_put+0x20/0x30 [drm]\n[  +0.000142]  meson_drv_unbind+0x1d8/0x2ac [meson_drm]\n[  +0.000028]  take_down_aggregate_device+0xb0/0x160\n[  +0.000016]  component_del+0x18c/0x360\n[  +0.000009]  meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]\n[  +0.000015]  platform_remove+0x64/0xb0\n[  +0.000009]  device_remove+0xb8/0x154\n[  +0.000009]  device_release_driver_internal+0x398/0x5b0\n[  +0.000009]  driver_detach+0xac/0x1b0\n[  +0.000009]  bus_remove_driver+0x158/0x29c\n[  +0.000009]  driver_unregister+0x70/0xb0\n[  +0.000008]  platform_driver_unregister+0x20/0x2c\n[  +0.000008]  meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]\n[  +0.000012]  __do_sys_delete_module+0x288/0x400\n[  +0.000011]  __arm64_sys_delete_module+0x5c/0x80\n[  +0.000009]  invoke_syscall+0x74/0x260\n[  +0.000009]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000009]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000012]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000008]  el0t_64_sync+0x18c/0x190\n\n[  +0.000018] Allocated by task 0:\n[  +0.000007] (stack is not available)\n\n[  +0.000011] Freed by task 2695:\n[  +0.000008]  kasan_save_stack+0x2c/0x5c\n[  +0.000011]  kasan_set_track+0x2c/0x40\n[  +0.000008]  kasan_set_free_info+0x28/0x50\n[  +0.000009]  ____kasan_slab_free+0x128/0x1d4\n[  +0.000008]  __kasan_slab_free+0x18/0x24\n[  +0.000007]  slab_free_freelist_hook+0x108/0x230\n[  +0.000011]  kfree+0x110/0x35c\n[  +0.000008]  release_nodes+0xf0/0x16c\n[  +0.000009]  devres_release_group+0x180/0x270\n[  +0.000008]  component_unbind+0x128/0x1e0\n[  +0.000010]  component_unbind_all+0x1b8/0x264\n[  +0.000009]  meson_drv_unbind+0x1a0/0x2ac [meson_drm]\n[  +0.000025]  take_down_aggregate_device+0xb0/0x160\n[  +0.000009]  component_del+0x18c/0x360\n[  +0.000009]  meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]\n[  +0.000012]  platform_remove+0x64/0xb0\n[  +0.000008]  device_remove+0xb8/0x154\n[  +0.000009]  device_release_driver_internal+0x398/0x5b0\n[  +0.000009]  driver_detach+0xac/0x1b0\n[  +0.000009]  bus_remove_driver+0x158/0x29c\n[  +0.000008]  driver_unregister+0x70/0xb0\n[  +0.000008]  platform_driver_unregister+0x20/0x2c\n[  +0.000008]  meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]\n[  +0.000011]  __do_sys_delete_module+0x288/0x400\n[  +0.000010]  __arm64_sys_delete_module+0x5c/0x80\n[  +0.000008]  invoke_syscall+0x74/0x260\n[  +0.000008]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000008]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000009]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000009]  el0t_64_sync+0x18c/0x190\n\n[  +0.000014] The buggy address belongs to the object at ffff000020c39000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50378",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota enable and quota rescan ioctl\n\nWhen enabling quotas, at btrfs_quota_enable(), after committing the\ntransaction, we change fs_info->quota_root to point to the quota root we\ncreated and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try\nto start the qgroup rescan worker, first by initializing it with a call\nto qgroup_rescan_init() - however if that fails we end up freeing the\nquota root but we leave fs_info->quota_root still pointing to it, this\ncan later result in a use-after-free somewhere else.\n\nWe have previously set the flags BTRFS_FS_QUOTA_ENABLED and\nBTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at\nbtrfs_quota_enable(), which is possible if someone already called the\nquota rescan ioctl, and therefore started the rescan worker.\n\nSo fix this by ignoring an -EINPROGRESS and asserting we can't get any\nother error.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50379",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: /proc/pid/smaps_rollup: fix no vma's null-deref\n\nCommit 258f669e7e88 (\"mm: /proc/pid/smaps_rollup: convert to single value\nseq_file\") introduced a null-deref if there are no vma's in the task in\nshow_smaps_rollup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50380",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix a crash in mempool_free\n\nThere's a crash in mempool_free when running the lvm test\nshell/lvchange-rebuild-raid.sh.\n\nThe reason for the crash is this:\n* super_written calls atomic_dec_and_test(&mddev->pending_writes) and\n  wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)\n  and bio_put(bio).\n* so, the process that waited on sb_wait and that is woken up is racing\n  with bio_put(bio).\n* if the process wins the race, it calls bioset_exit before bio_put(bio)\n  is executed.\n* bio_put(bio) attempts to free a bio into a destroyed bio set - causing\n  a crash in mempool_free.\n\nWe fix this bug by moving bio_put before atomic_dec_and_test.\n\nWe also move rdev_dec_pending before atomic_dec_and_test as suggested by\nNeil Brown.\n\nThe function md_end_flush has a similar bug - we must call bio_put before\nwe decrement the number of in-progress bios.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 11557f0067 P4D 11557f0067 PUD 0\n Oops: 0002 [#1] PREEMPT SMP\n CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Workqueue: kdelayd flush_expired_bios [dm_delay]\n RIP: 0010:mempool_free+0x47/0x80\n Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00\n RSP: 0018:ffff88910036bda8 EFLAGS: 00010093\n RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001\n RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8\n RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900\n R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000\n R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05\n FS:  0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0\n Call Trace:\n  <TASK>\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  clone_endio+0xf4/0x1c0 [dm_mod]\n  __submit_bio+0x76/0x120\n  submit_bio_noacct_nocheck+0xb6/0x2a0\n  flush_expired_bios+0x28/0x2f [dm_delay]\n  process_one_work+0x1b4/0x300\n  worker_thread+0x45/0x3e0\n  ? rescuer_thread+0x380/0x380\n  kthread+0xc2/0x100\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  </TASK>\n Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50381",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Always leave BHs disabled when running ->parallel()\n\nA deadlock can happen when an overloaded system runs ->parallel() in the\ncontext of the current task:\n\n    padata_do_parallel\n      ->parallel()\n        pcrypt_aead_enc/dec\n          padata_do_serial\n            spin_lock(&reorder->lock) // BHs still enabled\n              <interrupt>\n                ...\n                  __do_softirq\n                    ...\n                      padata_do_serial\n                        spin_lock(&reorder->lock)\n\nIt's a bug for BHs to be on in _do_serial as Steffen points out, so\nensure they're off in the \"current task\" case like they are in\npadata_parallel_worker to avoid this situation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50382",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Can't set dst buffer to done when lat decode error\n\nCore thread will call v4l2_m2m_buf_done to set dst buffer done for\nlat architecture. If lat call v4l2_m2m_buf_done_and_job_finish to\nfree dst buffer when lat decode error, core thread will access kernel\nNULL pointer dereference, then crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50383",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vme_user: Fix possible UAF in tsi148_dma_list_add\n\nSmatch report warning as follows:\n\ndrivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:\n  '&entry->list' not removed from list\n\nIn tsi148_dma_list_add(), the error path \"goto err_dma\" will not\nremove entry->list from list->entries, but entry will be freed,\nthen list traversal may cause UAF.\n\nFix by removing it from list->entries before free().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50384",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix an Oops in nfs_d_automount()\n\nWhen mounting from a NFSv4 referral, path->dentry can end up being a\nnegative dentry, so derive the struct nfs_server from the dentry\nitself instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50385",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
          "scorev2": "0.0",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50386",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: fix the issue of CMDQ memory leaks\n\nWhen hinic_set_cmdq_depth() fails in hinic_init_cmdqs(), the cmdq memory is\nnot released correctly. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50387",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix multipath crash caused by flush request when blktrace is enabled\n\nThe flush request initialized by blk_kick_flush has NULL bio,\nand it may be dealt with nvme_end_req during io completion.\nWhen blktrace is enabled, nvme_trace_bio_complete with multipath\nactivated trying to access NULL pointer bio from flush request\nresults in the following crash:\n\n[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a\n[ 2517.835213] #PF: supervisor read access in kernel mode\n[ 2517.838724] #PF: error_code(0x0000) - not-present page\n[ 2517.842222] PGD 7b2d51067 P4D 0\n[ 2517.845684] Oops: 0000 [#1] SMP NOPTI\n[ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S                5.15.67-0.cl9.x86_64 #1\n[ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022\n[ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]\n[ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30\n[ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 <0f> b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba\n[ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286\n[ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000\n[ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000\n[ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000\n[ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8\n[ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018\n[ 2517.894434] FS:  0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000\n[ 2517.898299] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0\n[ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 2517.913761] PKRU: 55555554\n[ 2517.917558] Call Trace:\n[ 2517.921294]  <TASK>\n[ 2517.924982]  nvme_complete_rq+0x1c3/0x1e0 [nvme_core]\n[ 2517.928715]  nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]\n[ 2517.932442]  nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]\n[ 2517.936137]  ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]\n[ 2517.939830]  tcp_read_sock+0x9c/0x260\n[ 2517.943486]  nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]\n[ 2517.947173]  nvme_tcp_io_work+0x64/0x90 [nvme_tcp]\n[ 2517.950834]  process_one_work+0x1e8/0x390\n[ 2517.954473]  worker_thread+0x53/0x3c0\n[ 2517.958069]  ? process_one_work+0x390/0x390\n[ 2517.961655]  kthread+0x10c/0x130\n[ 2517.965211]  ? set_kthread_struct+0x40/0x40\n[ 2517.968760]  ret_from_fork+0x1f/0x30\n[ 2517.972285]  </TASK>\n\nTo avoid this situation, add a NULL check for req->bio before\ncalling trace_block_bio_complete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50388",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak\n\nIn crb_acpi_add(), we get the TPM2 table to retrieve information\nlike start method, and then assign them to the priv data, so the\nTPM2 table is not used after the init, should be freed, call\nacpi_put_table() to fix the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50389",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned. The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26\nleft shift of 1 by 31 places cannot be represented in type 'int'\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n ttm_bo_move_memcpy+0x3b4/0x460 [ttm]\n bo_driver_move+0x32/0x40 [drm_vram_helper]\n ttm_bo_handle_move_mem+0x118/0x200 [ttm]\n ttm_bo_validate+0xfa/0x220 [ttm]\n drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]\n drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]\n drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]\n drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]\n drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]\n drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]\n drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]\n drm_atomic_commit+0x9c/0x160 [drm]\n drm_client_modeset_commit_atomic+0x33a/0x380 [drm]\n drm_client_modeset_commit_locked+0x77/0x220 [drm]\n drm_client_modeset_commit+0x31/0x60 [drm]\n __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]\n drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]\n fbcon_init+0x316/0x790\n visual_init+0x113/0x1d0\n do_bind_con_driver+0x2a3/0x5c0\n do_take_over_console+0xa9/0x270\n do_fbcon_takeover+0xa1/0x170\n do_fb_registered+0x2a8/0x340\n fbcon_fb_registered+0x47/0xe0\n register_framebuffer+0x294/0x4a0\n __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\n drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\n drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\n drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\n bochs_pci_probe+0x6ca/0x772 [bochs]\n local_pci_probe+0x4d/0xb0\n pci_device_probe+0x119/0x320\n really_probe+0x181/0x550\n __driver_probe_device+0xc6/0x220\n driver_probe_device+0x32/0x100\n __driver_attach+0x195/0x200\n bus_for_each_dev+0xbb/0x120\n driver_attach+0x27/0x30\n bus_add_driver+0x22e/0x2f0\n driver_register+0xa9/0x190\n __pci_register_driver+0x90/0xa0\n bochs_pci_driver_init+0x52/0x1000 [bochs]\n do_one_initcall+0x76/0x430\n do_init_module+0x61/0x28a\n load_module+0x1f82/0x2e50\n __do_sys_finit_module+0xf8/0x190\n __x64_sys_finit_module+0x23/0x30\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50390",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix memory leak in set_mempolicy_home_node system call\n\nWhen encountering any vma in the range with policy other than MPOL_BIND or\nMPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on\nthe policy just allocated with mpol_dup().\n\nThis allows arbitrary users to leak kernel memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50391",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe()\n\nThe node returned by of_parse_phandle() with refcount incremented,\nof_node_put() needs be called when finish using it. So add it in the\nerror path in mt8183_mt6358_ts3a227_max98357_dev_probe().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50392",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: SDMA update use unlocked iterator\n\nSDMA update page table may be called from unlocked context, this\ngenerate below warning. Use unlocked iterator to handle this case.\n\nWARNING: CPU: 0 PID: 1475 at\ndrivers/dma-buf/dma-resv.c:483 dma_resv_iter_next\nCall Trace:\n dma_resv_iter_first+0x43/0xa0\n amdgpu_vm_sdma_update+0x69/0x2d0 [amdgpu]\n amdgpu_vm_ptes_update+0x29c/0x870 [amdgpu]\n amdgpu_vm_update_range+0x2f6/0x6c0 [amdgpu]\n svm_range_unmap_from_gpus+0x115/0x300 [amdgpu]\n svm_range_cpu_invalidate_pagetables+0x510/0x5e0 [amdgpu]\n __mmu_notifier_invalidate_range_start+0x1d3/0x230\n unmap_vmas+0x140/0x150\n unmap_region+0xa8/0x110",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50393",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: ismt: Fix an out-of-bounds bug in ismt_access()\n\nWhen the driver does not check the data from the user, the variable\n'data->block[0]' may be very large to cause an out-of-bounds bug.\n\nThe following log can reveal it:\n\n[   33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20\n[   33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA:  WRITE\n[   33.996475] ==================================================================\n[   33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b\n[   33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485\n[   33.999450] Call Trace:\n[   34.001849]  memcpy+0x20/0x60\n[   34.002077]  ismt_access.cold+0x374/0x214b\n[   34.003382]  __i2c_smbus_xfer+0x44f/0xfb0\n[   34.004007]  i2c_smbus_xfer+0x10a/0x390\n[   34.004291]  i2cdev_ioctl_smbus+0x2c8/0x710\n[   34.005196]  i2cdev_ioctl+0x5ec/0x74c\n\nFix this bug by checking the size of 'data->block[0]' first.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50394",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nintegrity: Fix memory leakage in keyring allocation error path\n\nKey restriction is allocated in integrity_init_keyring(). However, if\nkeyring allocation failed, it is not freed, causing memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50395",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix memory leak in tcindex_set_parms\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810c287f00 (size 256):\n  comm \"syz-executor105\", pid 3600, jiffies 4294943292 (age 12.990s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n    [<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]\n    [<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]\n    [<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]\n    [<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]\n    [<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342\n    [<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553\n    [<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147\n    [<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082\n    [<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540\n    [<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n    [<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n    [<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n    [<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]\n    [<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734\n    [<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482\n    [<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n    [<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622\n    [<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]\n    [<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]\n    [<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648\n    [<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nKernel uses tcindex_change() to change an existing\nfilter properties.\n\nYet the problem is that, during the process of changing,\nif `old_r` is retrieved from `p->perfect`, then\nkernel uses tcindex_alloc_perfect_hash() to newly\nallocate filter results, uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure, which triggers the above memory leak.\n\nTo be more specific, there are only two source for the `old_r`,\naccording to the tcindex_lookup(). `old_r` is retrieved from\n`p->perfect`, or `old_r` is retrieved from `p->h`.\n\n  * If `old_r` is retrieved from `p->perfect`, kernel uses\ntcindex_alloc_perfect_hash() to newly allocate the\nfilter results. Then `r` is assigned with `cp->perfect + handle`,\nwhich is newly allocated. So condition `old_r && old_r != r` is\ntrue in this situation, and kernel uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure\n\n  * If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL\naccording to the tcindex_lookup(). Considering that `cp->h`\nis directly copied from `p->h` and `p->perfect` is NULL,\n`r` is assigned with `tcindex_lookup(cp, handle)`, whose value\nshould be the same as `old_r`, so condition `old_r && old_r != r`\nis false in this situation, kernel ignores using\ntcindex_filter_result_init() to clear the old filter result.\n\nSo only when `old_r` is retrieved from `p->perfect` does kernel use\ntcindex_filter_result_init() to clear the old filter result, which\ntriggers the above memory leak.\n\nConsidering that there already exists a tc_filter_wq workqueue\nto destroy the old tcindex_d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50396",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: add atomic_check to bridge ops\n\nDRM commit_tails() will disable downstream crtc/encoder/bridge if\nboth disable crtc is required and crtc->active is set before pushing\na new frame downstream.\n\nThere is a rare case that user space display manager issue an extra\nscreen update immediately followed by close DRM device while down\nstream display interface is disabled. This extra screen update will\ntimeout due to the downstream interface is disabled but will cause\ncrtc->active be set. Hence the followed commit_tails() called by\ndrm_release() will pass the disable downstream crtc/encoder/bridge\nconditions checking even downstream interface is disabled.\nThis cause the crash to happen at dp_bridge_disable() due to it trying\nto access the main link register to push the idle pattern out while main\nlink clocks is disabled.\n\nThis patch adds atomic_check to prevent the extra frame will not\nbe pushed down if display interface is down so that crtc->active\nwill not be set neither. This will fail the conditions checking\nof disabling down stream crtc/encoder/bridge which prevent\ndrm_release() from calling dp_bridge_disable() so that crash\nat dp_bridge_disable() prevented.\n\nThere is no protection in the DRM framework to check if the display\npipeline has been already disabled before trying again. The only\ncheck is the crtc_state->active but this is controlled by usermode\nusing UAPI. Hence if the usermode sets this and then crashes, the\ndriver needs to protect against double disable.\n\nSError Interrupt on CPU7, code 0x00000000be000411 -- SError\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\npstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __cmpxchg_case_acq_32+0x14/0x2c\nlr : do_raw_spin_lock+0xa4/0xdc\nsp : ffffffc01092b6a0\nx29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038\nx26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000\nx23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008\nx20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000\nx17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0\nx14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4\nx8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001\nx5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0\nx2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0\nKernel panic - not syncing: Asynchronous SError Interrupt\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\nCall trace:\n dump_backtrace.part.0+0xbc/0xe4\n show_stack+0x24/0x70\n dump_stack_lvl+0x68/0x84\n dump_stack+0x18/0x34\n panic+0x14c/0x32c\n nmi_panic+0x58/0x7c\n arm64_serror_panic+0x78/0x84\n do_serror+0x40/0x64\n el1h_64_error_handler+0x30/0x48\n el1h_64_error+0x68/0x6c\n __cmpxchg_case_acq_32+0x14/0x2c\n _raw_spin_lock_irqsave+0x38/0x4c\n lock_timer_base+0x40/0x78\n __mod_timer+0xf4/0x25c\n schedule_timeout+0xd4/0xfc\n __wait_for_common+0xac/0x140\n wait_for_completion_timeout+0x2c/0x54\n dp_ctrl_push_idle+0x40/0x88\n dp_bridge_disable+0x24/0x30\n drm_atomic_bridge_chain_disable+0x90/0xbc\n drm_atomic_helper_commit_modeset_disables+0x198/0x444\n msm_atomic_commit_tail+0x1d0/0x374\n commit_tail+0x80/0x108\n drm_atomic_helper_commit+0x118/0x11c\n drm_atomic_commit+0xb4/0xe0\n drm_client_modeset_commit_atomic+0x184/0x224\n drm_client_modeset_commit_locked+0x58/0x160\n drm_client_modeset_commit+0x3c/0x64\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac\n drm_fb_helper_set_par+0x74/0x80\n drm_fb_helper_hotplug_event+0xdc/0xe0\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac\n drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c\n drm_fb_helper_lastclose+0x20/0x2c\n drm_lastclose+0x44/0x6c\n drm_release+0x88/0xd4\n __fput+0x104/0x220\n ____fput+0x1c/0x28\n task_work_run+0x8c/0x100\n d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50398",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: prevent integer overflow in sh_css_set_black_frame()\n\nThe \"height\" and \"width\" values come from the user so the \"height * width\"\nmultiplication can overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50399",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: greybus: audio_helper: remove unused and wrong debugfs usage\n\nIn the greybus audio_helper code, the debugfs file for the dapm has the\npotential to be removed and memory will be leaked.  There is also the\nvery real potential for this code to remove ALL debugfs entries from the\nsystem, and it seems like this is what will really happen if this code\never runs.  This all is very wrong as the greybus audio driver did not\ncreate this debugfs file, the sound core did and controls the lifespan\nof it.\n\nSo remove all of the debugfs logic from the audio_helper code as there's\nno way it could be correct.  If this really is needed, it can come back\nwith a fixup for the incorrect usage of the debugfs_lookup() call which\nis what caused this to be noticed at all.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50400",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure\n\nOn error situation `clp->cl_cb_conn.cb_xprt` should not be given\na reference to the xprt otherwise both client cleanup and the\nerror handling path of the caller call to put it. Better to\ndelay handing over the reference to a later branch.\n\n[   72.530665] refcount_t: underflow; use-after-free.\n[   72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120\n[   72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]\n[   72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G           OE     5.15.82-dan #1\n[   72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014\n[   72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]\n[   72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120\n[   72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48\n[   72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286\n[   72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000\n[   72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0\n[   72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff\n[   72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180\n[   72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0\n[   72.552089] FS:  0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000\n[   72.553175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0\n[   72.554874] Call Trace:\n[   72.555278]  <TASK>\n[   72.555614]  svc_xprt_put+0xaf/0xe0 [sunrpc]\n[   72.556276]  nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]\n[   72.557087]  ? update_load_avg+0x82/0x610\n[   72.557652]  ? cpuacct_charge+0x60/0x70\n[   72.558212]  ? dequeue_entity+0xdb/0x3e0\n[   72.558765]  ? queued_spin_unlock+0x9/0x20\n[   72.559358]  nfsd4_run_cb_work+0xfc/0x270 [nfsd]\n[   72.560031]  process_one_work+0x1df/0x390\n[   72.560600]  worker_thread+0x37/0x3b0\n[   72.561644]  ? process_one_work+0x390/0x390\n[   72.562247]  kthread+0x12f/0x150\n[   72.562710]  ? set_kthread_struct+0x50/0x50\n[   72.563309]  ret_from_fork+0x22/0x30\n[   72.563818]  </TASK>\n[   72.564189] ---[ end trace 031117b1c72ec616 ]---\n[   72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).\n[   72.567647] ------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50401",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/md/md-bitmap: check the return value of md_bitmap_get_counter()\n\nCheck the return value of md_bitmap_get_counter() in case it returns\nNULL pointer, which will result in a null pointer dereference.\n\nv2: update the check to include other dereference",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50402",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fbcon: release buffer when fbcon_do_set_font() failed\n\nsyzbot is reporting memory leak at fbcon_do_set_font() [1], for\ncommit a5a923038d70 (\"fbdev: fbcon: Properly revert changes when\nvc_resize() failed\") missed that the buffer might be newly allocated\nby fbcon_set_font().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50404",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tunnel: wait until all sk_user_data reader finish before releasing the sock\n\nThere is a race condition in vxlan that when deleting a vxlan device\nduring receiving packets, there is a possibility that the sock is\nreleased after getting vxlan_sock vs from sk_user_data. Then in\nlater vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got\nNULL pointer dereference. e.g.\n\n   #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757\n   #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d\n   #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48\n   #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b\n   #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb\n   #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542\n   #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62\n      [exception RIP: vxlan_ecn_decapsulate+0x3b]\n      RIP: ffffffffc1014e7b  RSP: ffffa25ec6978cb0  RFLAGS: 00010246\n      RAX: 0000000000000008  RBX: ffff8aa000888000  RCX: 0000000000000000\n      RDX: 000000000000000e  RSI: ffff8a9fc7ab803e  RDI: ffff8a9fd1168700\n      RBP: ffff8a9fc7ab803e   R8: 0000000000700000   R9: 00000000000010ae\n      R10: ffff8a9fcb748980  R11: 0000000000000000  R12: ffff8a9fd1168700\n      R13: ffff8aa000888000  R14: 00000000002a0000  R15: 00000000000010ae\n      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n   #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]\n   #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507\n   #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45\n  #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807\n  #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951\n  #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde\n  #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b\n  #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139\n  #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a\n  #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3\n  #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca\n  #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3\n\nReproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh\n\nFix this by waiting for all sk_user_data reader to finish before\nreleasing the sock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50405",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: iomap: fix memory corruption when recording errors during writeback\n\nEvery now and then I see this crash on arm64:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\nBuffer I/O error on dev dm-0, logical block 8733687, async page read\nMem abort info:\n  ESR = 0x0000000096000006\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000006\n  CM = 0, WnR = 0\nuser pgtable: 64k pages, 42-bit VAs, pgdp=0000000139750000\n[00000000000000f8] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000, pmd=0000000000000000\nInternal error: Oops: 96000006 [#1] PREEMPT SMP\nBuffer I/O error on dev dm-0, logical block 8733688, async page read\nDumping ftrace buffer:\nBuffer I/O error on dev dm-0, logical block 8733689, async page read\n   (ftrace buffer empty)\nXFS (dm-0): log I/O error -5\nModules linked in: dm_thin_pool dm_persistent_data\nXFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ec/0x590 [xfs] (fs/xfs/xfs_trans_buf.c:296).\n dm_bio_prison\nXFS (dm-0): Please unmount the filesystem and rectify the problem(s)\nXFS (dm-0): xfs_imap_lookup: xfs_ialloc_read_agi() returned error -5, agno 0\n dm_bufio dm_log_writes xfs nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT\npotentially unexpected fatal signal 6.\n nf_reject_ipv6\npotentially unexpected fatal signal 6.\n ipt_REJECT nf_reject_ipv4\nCPU: 1 PID: 122166 Comm: fsstress Tainted: G        W          6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7\n rpcsec_gss_krb5 auth_rpcgss xt_tcpudp ip_set_hash_ip ip_set_hash_net xt_set nft_compat ip_set_hash_mac ip_set nf_tables\nHardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021\npstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n ip_tables\npc : 000003fd6d7df200\n x_tables\nlr : 000003fd6d7df1ec\n overlay nfsv4\nCPU: 0 PID: 54031 Comm: u4:3 Tainted: G        W          6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7405\nHardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021\nWorkqueue: writeback wb_workfn\nsp : 000003ffd9522fd0\n (flush-253:0)\npstate: 60401005 (nZCv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--)\npc : errseq_set+0x1c/0x100\nx29: 000003ffd9522fd0 x28: 0000000000000023 x27: 000002acefeb6780\nx26: 0000000000000005 x25: 0000000000000001 x24: 0000000000000000\nx23: 00000000ffffffff x22: 0000000000000005\nlr : __filemap_set_wb_err+0x24/0xe0\n x21: 0000000000000006\nsp : fffffe000f80f760\nx29: fffffe000f80f760 x28: 0000000000000003 x27: fffffe000f80f9f8\nx26: 0000000002523000 x25: 00000000fffffffb x24: fffffe000f80f868\nx23: fffffe000f80fbb0 x22: fffffc0180c26a78 x21: 0000000002530000\nx20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000\n\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000001 x13: 0000000000470af3 x12: fffffc0058f70000\nx11: 0000000000000040 x10: 0000000000001b20 x9 : fffffe000836b288\nx8 : fffffc00eb9fd480 x7 : 0000000000f83659 x6 : 0000000000000000\nx5 : 0000000000000869 x4 : 0000000000000005 x3 : 00000000000000f8\nx20: 000003fd6d740020 x19: 000000000001dd36 x18: 0000000000000001\nx17: 000003fd6d78704c x16: 0000000000000001 x15: 000002acfac87668\nx2 : 0000000000000ffa x1 : 00000000fffffffb x0 : 00000000000000f8\nCall trace:\n errseq_set+0x1c/0x100\n __filemap_set_wb_err+0x24/0xe0\n iomap_do_writepage+0x5e4/0xd5c\n write_cache_pages+0x208/0x674\n iomap_writepages+0x34/0x60\n xfs_vm_writepages+0x8c/0xcc [xfs 7a861f39c43631f15d3a5884246ba5035d4ca78b]\nx14: 0000000000000000 x13: 2064656e72757465 x12: 0000000000002180\nx11: 000003fd6d8a82d0 x10: 0000000000000000 x9 : 000003fd6d8ae288\nx8 : 0000000000000083 x7 : 00000000ffffffff x6 : 00000000ffffffee\nx5 : 00000000fbad2887 x4 : 000003fd6d9abb58 x3 : 000003fd6d740020\nx2 : 0000000000000006 x1 : 000000000001dd36 x0 : 0000000000000000\nCPU: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50406",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - increase the memory of local variables\n\nIncrease the buffer to prevent stack overflow by fuzz test. The maximum\nlength of the qos configuration buffer is 256 bytes. Currently, the value\nof the 'val buffer' is only 32 bytes. The sscanf does not check the dest\nmemory length. So the 'val buffer' may stack overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50407",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()\n\n> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);\n\nmay be schedule, and then complete before the line\n\n> ndev->stats.tx_bytes += skb->len;\n\n[   46.912801] ==================================================================\n[   46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328\n[   46.935991]\n[   46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G           O      5.4.199-[REDACTED] #1\n[   46.947255] Hardware name: [REDACTED]\n[   46.954568] Call trace:\n[   46.957037]  dump_backtrace+0x0/0x2b8\n[   46.960719]  show_stack+0x24/0x30\n[   46.964052]  dump_stack+0x128/0x194\n[   46.967557]  print_address_description.isra.0+0x64/0x380\n[   46.972877]  __kasan_report+0x1d4/0x240\n[   46.976723]  kasan_report+0xc/0x18\n[   46.980138]  __asan_report_load4_noabort+0x18/0x20\n[   46.985027]  brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.990613]  dev_hard_start_xmit+0x1bc/0xda0\n[   46.994894]  sch_direct_xmit+0x198/0xd08\n[   46.998827]  __qdisc_run+0x37c/0x1dc0\n[   47.002500]  __dev_queue_xmit+0x1528/0x21f8\n[   47.006692]  dev_queue_xmit+0x24/0x30\n[   47.010366]  neigh_resolve_output+0x37c/0x678\n[   47.014734]  ip_finish_output2+0x598/0x2458\n[   47.018927]  __ip_finish_output+0x300/0x730\n[   47.023118]  ip_output+0x2e0/0x430\n[   47.026530]  ip_local_out+0x90/0x140\n[   47.030117]  igmpv3_sendpack+0x14c/0x228\n[   47.034049]  igmpv3_send_cr+0x384/0x6b8\n[   47.037895]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.042262]  call_timer_fn+0x1cc/0xbe8\n[   47.046021]  __run_timers+0x4d8/0xb28\n[   47.049693]  run_timer_softirq+0x24/0x40\n[   47.053626]  __do_softirq+0x2c0/0x117c\n[   47.057387]  irq_exit+0x2dc/0x388\n[   47.060715]  __handle_domain_irq+0xb4/0x158\n[   47.064908]  gic_handle_irq+0x58/0xb0\n[   47.068581]  el0_irq_naked+0x50/0x5c\n[   47.072162]\n[   47.073665] Allocated by task 328:\n[   47.077083]  save_stack+0x24/0xb0\n[   47.080410]  __kasan_kmalloc.isra.0+0xc0/0xe0\n[   47.084776]  kasan_slab_alloc+0x14/0x20\n[   47.088622]  kmem_cache_alloc+0x15c/0x468\n[   47.092643]  __alloc_skb+0xa4/0x498\n[   47.096142]  igmpv3_newpack+0x158/0xd78\n[   47.099987]  add_grhead+0x210/0x288\n[   47.103485]  add_grec+0x6b0/0xb70\n[   47.106811]  igmpv3_send_cr+0x2e0/0x6b8\n[   47.110657]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.115027]  call_timer_fn+0x1cc/0xbe8\n[   47.118785]  __run_timers+0x4d8/0xb28\n[   47.122457]  run_timer_softirq+0x24/0x40\n[   47.126389]  __do_softirq+0x2c0/0x117c\n[   47.130142]\n[   47.131643] Freed by task 180:\n[   47.134712]  save_stack+0x24/0xb0\n[   47.138041]  __kasan_slab_free+0x108/0x180\n[   47.142146]  kasan_slab_free+0x10/0x18\n[   47.145904]  slab_free_freelist_hook+0xa4/0x1b0\n[   47.150444]  kmem_cache_free+0x8c/0x528\n[   47.154292]  kfree_skbmem+0x94/0x108\n[   47.157880]  consume_skb+0x10c/0x5a8\n[   47.161466]  __dev_kfree_skb_any+0x88/0xa0\n[   47.165598]  brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]\n[   47.171023]  brcmf_txfinalize+0xec/0x190 [brcmfmac]\n[   47.176016]  brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]\n[   47.182056]  brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]\n[   47.187568]  brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]\n[   47.192529]  brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]\n[   47.197859]  process_one_work+0x7fc/0x1a80\n[   47.201965]  worker_thread+0x31c/0xc40\n[   47.205726]  kthread+0x2d8/0x370\n[   47.208967]  ret_from_fork+0x10/0x18\n[   47.212546]\n[   47.214051] The buggy address belongs to the object at ffffff803f588280\n[   47.214051]  which belongs to the cache skbuff_head_cache of size 208\n[   47.227086] The buggy address is located 104 bytes inside of\n[   47.227086]  208-byte region [ffffff803f588280, ffffff803f588350)\n[   47.238814] The buggy address belongs to the page:\n[   47.243618] page:ffffffff00dd6200 refcount:1 mapcou\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50408",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n  [...]\n  [   14.471200] Call Trace:\n  [   14.471562]  <TASK>\n  [   14.471882]  lock_acquire+0x245/0x2e0\n  [   14.472416]  ? remove_wait_queue+0x12/0x50\n  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50\n  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50\n  [   14.474318]  ? remove_wait_queue+0x12/0x50\n  [   14.474907]  remove_wait_queue+0x12/0x50\n  [   14.475480]  sk_stream_wait_memory+0x20d/0x340\n  [   14.476127]  ? do_wait_intr_irq+0x80/0x80\n  [   14.476704]  do_tcp_sendpages+0x287/0x600\n  [   14.477283]  tcp_bpf_push+0xab/0x260\n  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500\n  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0\n  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470\n  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0\n  [   14.480311]  sock_sendmsg+0x2d/0x40\n  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0\n  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80\n  [   14.482048]  ___sys_sendmsg+0x78/0xb0\n  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150\n  [   14.483215]  ? __do_fault+0x2a/0x1a0\n  [   14.483738]  ? do_fault+0x15e/0x5d0\n  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040\n  [   14.484874]  ? lock_is_held_type+0xdf/0x130\n  [   14.485474]  ? find_held_lock+0x2d/0x90\n  [   14.486046]  ? __sys_sendmsg+0x41/0x70\n  [   14.486587]  __sys_sendmsg+0x41/0x70\n  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350\n  [   14.487822]  do_syscall_64+0x34/0x80\n  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  [...]\n\nThe test scenario has the following flow:\n\nthread1                               thread2\n-----------                           ---------------\n tcp_bpf_sendmsg\n  tcp_bpf_send_verdict\n   tcp_bpf_sendmsg_redir              sock_close\n    tcp_bpf_push_locked                 __sock_release\n     tcp_bpf_push                         //inet_release\n      do_tcp_sendpages                    sock->ops->release\n       sk_stream_wait_memory          \t   // tcp_close\n          sk_wait_event                      sk->sk_prot->close\n           release_sock(__sk);\n            ***\n                                                lock_sock(sk);\n                                                  __tcp_close\n                                                    sock_orphan(sk)\n                                                      sk->sk_wq  = NULL\n                                                release_sock\n            ****\n           lock_sock(__sk);\n          remove_wait_queue(sk_sleep(sk), &wait);\n             sk_sleep(sk)\n             //NULL pointer dereference\n             &rcu_dereference_raw(sk->sk_wq)->wait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50409",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Protect against send buffer overflow in NFSv2 READ\n\nSince before the git era, NFSD has conserved the number of pages\nheld by each nfsd thread by combining the RPC receive and send\nbuffers into a single array of pages. This works because there are\nno cases where an operation needs a large RPC Call message and a\nlarge RPC Reply at the same time.\n\nOnce an RPC Call has been received, svc_process() updates\nsvc_rqst::rq_res to describe the part of rq_pages that can be\nused for constructing the Reply. This means that the send buffer\n(rq_res) shrinks when the received RPC record containing the RPC\nCall is large.\n\nA client can force this shrinkage on TCP by sending a correctly-\nformed RPC Call header contained in an RPC record that is\nexcessively large. The full maximum payload size cannot be\nconstructed in that case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50410",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix error code path in acpi_ds_call_control_method()\n\nA use-after-free in acpi_ps_parse_aml() after a failing invocaion of\nacpi_ds_call_control_method() is reported by KASAN [1] and code\ninspection reveals that next_walk_state pushed to the thread by\nacpi_ds_create_walk_state() is freed on errors, but it is not popped\nfrom the thread beforehand.  Thus acpi_ds_get_current_walk_state()\ncalled by acpi_ps_parse_aml() subsequently returns it as the new\nwalk state which is incorrect.\n\nTo address this, make acpi_ds_call_control_method() call\nacpi_ds_pop_walk_state() to pop next_walk_state from the thread before\nreturning an error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50411",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: adv7511: unregister cec i2c device after cec adapter\n\ncec_unregister_adapter() assumes that the underlying adapter ops are\ncallable. For example, if the CEC adapter currently has a valid physical\naddress, then the unregistration procedure will invalidate the physical\naddress by setting it to f.f.f.f. Whence the following kernel oops\nobserved after removing the adv7511 module:\n\n    Unable to handle kernel execution of user memory at virtual address 0000000000000000\n    Internal error: Oops: 86000004 [#1] PREEMPT_RT SMP\n    Call trace:\n     0x0\n     adv7511_cec_adap_log_addr+0x1ac/0x1c8 [adv7511]\n     cec_adap_unconfigure+0x44/0x90 [cec]\n     __cec_s_phys_addr.part.0+0x68/0x230 [cec]\n     __cec_s_phys_addr+0x40/0x50 [cec]\n     cec_unregister_adapter+0xb4/0x118 [cec]\n     adv7511_remove+0x60/0x90 [adv7511]\n     i2c_device_remove+0x34/0xe0\n     device_release_driver_internal+0x114/0x1f0\n     driver_detach+0x54/0xe0\n     bus_remove_driver+0x60/0xd8\n     driver_unregister+0x34/0x60\n     i2c_del_driver+0x2c/0x68\n     adv7511_exit+0x1c/0x67c [adv7511]\n     __arm64_sys_delete_module+0x154/0x288\n     invoke_syscall+0x48/0x100\n     el0_svc_common.constprop.0+0x48/0xe8\n     do_el0_svc+0x28/0x88\n     el0_svc+0x1c/0x50\n     el0t_64_sync_handler+0xa8/0xb0\n     el0t_64_sync+0x15c/0x160\n    Code: bad PC value\n    ---[ end trace 0000000000000000 ]---\n\nProtect against this scenario by unregistering i2c_cec after\nunregistering the CEC adapter. Duly disable the CEC clock afterwards\ntoo.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50412",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix use-after-free\n\nWe've already freed the assoc_data at this point, so need\nto use another copy of the AP (MLD) address instead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50413",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: fcoe: Fix transport not deattached when fcoe_if_init() fails\n\nfcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when\nfcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed\n&fcoe_sw_transport on fcoe_transports list. This causes panic when\nreinserting module.\n\n BUG: unable to handle page fault for address: fffffbfff82e2213\n RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe]\n Call Trace:\n  <TASK>\n  do_one_initcall+0xd0/0x4e0\n  load_module+0x5eee/0x7210\n  ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50414",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: led: Fix potential null-ptr-deref in start_task()\n\nstart_task() calls create_singlethread_workqueue() and not checked the\nret value, which may return NULL. And a null-ptr-deref may happen:\n\nstart_task()\n    create_singlethread_workqueue() # failed, led_wq is NULL\n    queue_delayed_work()\n        queue_delayed_work_on()\n            __queue_delayed_work()  # warning here, but continue\n                __queue_work()      # access wq->flags, null-ptr-deref\n\nCheck the ret value and return -ENOMEM if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50415",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()\n\nIf of_iomap() failed, 'aic' should be freed before return. Otherwise\nthere is a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50416",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix GEM handle creation ref-counting\n\npanfrost_gem_create_with_handle() previously returned a BO but with the\nonly reference being from the handle, which user space could in theory\nguess and release, causing a use-after-free. Additionally if the call to\npanfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then\na(nother) reference on the BO was dropped.\n\nThe _create_with_handle() is a problematic pattern, so ditch it and\ninstead create the handle in panfrost_ioctl_create_bo(). If the call to\npanfrost_gem_mapping_get() fails then this means that user space has\nindeed gone behind our back and freed the handle. In which case just\nreturn an error code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50417",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()\n\nmhi_alloc_controller() allocates a memory space for mhi_ctrl. When gets\nsome error, mhi_ctrl should be freed with mhi_free_controller(). But\nwhen ath11k_mhi_read_addr_from_dt() fails, the function returns without\ncalling mhi_free_controller(), which will lead to a memory leak.\n\nWe can fix it by calling mhi_free_controller() when\nath11k_mhi_read_addr_from_dt() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50418",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sysfs: Fix attempting to call device_add multiple times\n\ndevice_add shall not be called multiple times as stated in its\ndocumentation:\n\n 'Do not call this routine or device_register() more than once for\n any device structure'\n\nSyzkaller reports a bug as follows [1]:\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:33!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\n[...]\nCall Trace:\n <TASK>\n __list_add include/linux/list.h:69 [inline]\n list_add_tail include/linux/list.h:102 [inline]\n kobj_kset_join lib/kobject.c:164 [inline]\n kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214\n kobject_add_varg lib/kobject.c:358 [inline]\n kobject_add+0x150/0x1c0 lib/kobject.c:410\n device_add+0x368/0x1e90 drivers/base/core.c:3452\n hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53\n hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799\n hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110\n hci_event_func net/bluetooth/hci_event.c:7440 [inline]\n hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495\n hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007\n process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e4/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50419",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/hpre - fix resource leak in remove process\n\nIn hpre_remove(), when the disable operation of qm sriov failed,\nthe following logic should continue to be executed to release the\nremaining resources that have been allocated, instead of returning\ndirectly, otherwise there will be resource leakage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50420",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Avoid double destroy of default endpoint\n\nThe rpmsg_dev_remove() in rpmsg_core is the place for releasing\nthis default endpoint.\n\nSo need to avoid destroying the default endpoint in\nrpmsg_chrdev_eptdev_destroy(), this should be the same as\nrpmsg_eptdev_release(). Otherwise there will be double destroy\nissue that ept->refcount report warning:\n\nrefcount_t: underflow; use-after-free.\n\nCall trace:\n refcount_warn_saturate+0xf8/0x150\n virtio_rpmsg_destroy_ept+0xd4/0xec\n rpmsg_dev_remove+0x60/0x70\n\nThe issue can be reproduced by stopping remoteproc before\nclosing the /dev/rpmsgX.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50421",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libsas: Fix use-after-free bug in smp_execute_task_sg()\n\nWhen executing SMP task failed, the smp_execute_task_sg() calls del_timer()\nto delete \"slow_task->timer\". However, if the timer handler\nsas_task_internal_timedout() is running, the del_timer() in\nsmp_execute_task_sg() will not stop it and a UAF will happen. The process\nis shown below:\n\n      (thread 1)               |        (thread 2)\nsmp_execute_task_sg()          | sas_task_internal_timedout()\n ...                           |\n del_timer()                   |\n ...                           |  ...\n sas_free_task(task)           |\n  kfree(task->slow_task) //FREE|\n                               |  task->slow_task->... //USE\n\nFix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure\nthe timer handler have finished before the \"task->slow_task\" is\ndeallocated.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50422",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()\n\nThere is an use-after-free reported by KASAN:\n\n  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82\n  Read of size 1 at addr ffff888112afc460 by task modprobe/2111\n  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n  Call Trace:\n   <TASK>\n   kasan_report+0xae/0xe0\n   acpi_ut_remove_reference+0x3b/0x82\n   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5\n   acpi_ds_store_object_to_local+0x15d/0x3a0\n   acpi_ex_store+0x78d/0x7fd\n   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b\n   acpi_ps_parse_aml+0x217/0x8d5\n   ...\n   </TASK>\n\nThe root cause of the problem is that the acpi_operand_object\nis freed when acpi_ut_walk_package_tree() fails in\nacpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in\nacpi_ut_copy_iobject_to_iobject(). The problem was introduced\nby \"8aa5e56eeb61\" commit, this commit is to fix memory leak in\nacpi_ut_copy_iobject_to_iobject(), repeatedly adding remove\noperation, lead to \"acpi_operand_object\" used after free.\n\nFix it by removing acpi_ut_remove_reference() in\nacpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()\nis called to copy an internal package object into another internal\npackage object, when it fails, the memory of acpi_operand_object\nshould be freed by the caller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50423",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()\n\nFixed coverity issue with resource leaks at variable \"fw\" going out of\nscope leaks the storage it points to mt7921_check_offload_capability().\n\nAddresses-Coverity-ID: 1527806 (\"Resource leaks\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50424",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly\n\nWhen an extended state component is not present in fpstate, but in init\nstate, the function copies from init_fpstate via copy_feature().\n\nBut, dynamic states are not present in init_fpstate because of all-zeros\ninit states. Then retrieving them from init_fpstate will explode like this:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ...\n RIP: 0010:memcpy_erms+0x6/0x10\n  ? __copy_xstate_to_uabi_buf+0x381/0x870\n  fpu_copy_guest_fpstate_to_uabi+0x28/0x80\n  kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]\n  ? __this_cpu_preempt_check+0x13/0x20\n  ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]\n  kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n  ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]\n  ? __fget_light+0xd4/0x130\n  __x64_sys_ioctl+0xe3/0x910\n  ? debug_smp_processor_id+0x17/0x20\n  ? fpregs_assert_state_consistent+0x27/0x50\n  do_syscall_64+0x3f/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAdjust the 'mask' to zero out the userspace buffer for the features that\nare not available both from fpstate and from init_fpstate.\n\nThe dynamic features depend on the compacted XSAVE format. Ensure it is\nenabled before reading XCOMP_BV in init_fpstate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50425",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_dsp_rproc: Add mutex protection for workqueue\n\nThe workqueue may execute late even after remoteproc is stopped or\nstopping; some resources (rpmsg device and endpoint) have been\nreleased in rproc_stop_subdevices(), then rproc_vq_interrupt()\naccessing these resources will cause a kernel dump.\n\nCall trace:\n virtqueue_add_split+0x1ac/0x560\n virtqueue_add_inbuf+0x4c/0x60\n rpmsg_recv_done+0x15c/0x294\n vring_interrupt+0x6c/0xa4\n rproc_vq_interrupt+0x30/0x50\n imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc]\n process_one_work+0x1d0/0x354\n worker_thread+0x13c/0x470\n kthread+0x154/0x160\n ret_from_fork+0x10/0x20\n\nAdd mutex protection in imx_dsp_rproc_vq_work(); if the state is\nnot running, then just skip calling rproc_vq_interrupt().\n\nAlso the flush workqueue operation can't be added in rproc stop\nfor the same reason. The call sequence is\n\nrproc_shutdown\n-> rproc_stop\n   ->rproc_stop_subdevices\n   ->rproc->ops->stop()\n     ->imx_dsp_rproc_stop\n       ->flush_work\n         -> rproc_vq_interrupt\n\nThe resource needed by rproc_vq_interrupt has been released in\nrproc_stop_subdevices, so flush_work is not safe to be called in\nimx_dsp_rproc_stop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50426",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: fix possible memory leak in snd_ac97_dev_register()\n\nIf device_register() fails in snd_ac97_dev_register(), it should\ncall put_device() to give up the reference, or the name allocated in\ndev_set_name() is leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50427",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one errors in fast-commit block filling\n\nDue to several different off-by-one errors, or perhaps due to a late\nchange in design that wasn't fully reflected in the code that was\nactually merged, there are several very strange constraints on how\nfast-commit blocks are filled with tlv entries:\n\n- tlvs must start at least 10 bytes before the end of the block, even\n  though the minimum tlv length is 8.  Otherwise, the replay code will\n  ignore them.  (BUG: ext4_fc_reserve_space() could violate this\n  requirement if called with a len of blocksize - 9 or blocksize - 8.\n  Fortunately, this doesn't seem to happen currently.)\n\n- tlvs must end at least 1 byte before the end of the block.  Otherwise\n  the replay code will consider them to be invalid.  This quirk\n  contributed to a bug (fixed by an earlier commit) where uninitialized\n  memory was being leaked to disk in the last byte of blocks.\n\nAlso, strangely these constraints don't apply to the replay code in\ne2fsprogs, which will accept any tlvs in the blocks (with no bounds\nchecks at all, but that is a separate issue...).\n\nGiven that this all seems to be a bug, let's fix it by just filling\nblocks with tlv entries in the natural way.\n\nNote that old kernels will be unable to replay fast-commit journals\ncreated by kernels that have this commit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50428",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()\n\nWe should add the of_node_put() when breaking out of\nfor_each_child_of_node() as it will automatically increase\nand decrease the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50429",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING\n\nvub300_enable_sdio_irq() works with a mutex and needs TASK_RUNNING here.\nEnsure that we mark current as TASK_RUNNING for sleepable context.\n\n[   77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff92a72c1d>] sdio_irq_thread+0x17d/0x5b0\n[   77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160\n[   77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G           OE      6.1.0-rc5 #1\n[   77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020\n[   77.554912] RIP: 0010:__might_sleep+0x116/0x160\n[   77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282\n[   77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000\n[   77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9\n[   77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba\n[   77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60\n[   77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660\n[   77.554934] FS:  0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000\n[   77.554937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0\n[   77.554942] Call Trace:\n[   77.554944]  <TASK>\n[   77.554952]  mutex_lock+0x78/0xf0\n[   77.554973]  vub300_enable_sdio_irq+0x103/0x3c0 [vub300]\n[   77.554981]  sdio_irq_thread+0x25c/0x5b0\n[   77.555006]  kthread+0x2b8/0x370\n[   77.555017]  ret_from_fork+0x1f/0x30\n[   77.555023]  </TASK>\n[   77.555025] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50430",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()\n\ndev_set_name() in soundbus_add_one() allocates memory for name; it needs to be\nfreed when of_device_register() fails. Call soundbus_dev_put() to give up\nthe reference held in device_initialize(), so that it can be freed in\nkobject_cleanup() when the refcount hits 0. And other resources are also\nfreed in i2sbus_release_dev(), so it can return 0 directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50431",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix use-after-free in __kernfs_remove\n\nSyzkaller managed to trigger concurrent calls to\nkernfs_remove_by_name_ns() for the same file resulting in\na KASAN detected use-after-free. The race occurs when the root\nnode is freed during kernfs_drain().\n\nTo prevent this acquire an additional reference for the root\nof the tree that is removed before calling __kernfs_remove().\n\nFound by syzkaller with the following reproducer (slab_nomerge is\nrequired):\n\nsyz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)\nr0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\\x00', 0x0, 0x0)\nclose(r0)\npipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800)\nmount$9p_fd(0x0, &(0x7f0000000040)='./file0\\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})\n\nSample report:\n\n==================================================================\nBUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]\nBUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\nBUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\nRead of size 2 at addr ffff8880088807f0 by task syz-executor.2/857\n\nCPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433\n kasan_report+0xa3/0x130 mm/kasan/report.c:495\n kernfs_type include/linux/kernfs.h:335 [inline]\n kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]\n __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369\n __kernfs_remove fs/kernfs/dir.c:1356 [inline]\n kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589\n sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943\n __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335\n p9_client_create+0xd4d/0x1190 net/9p/client.c:993\n v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408\n v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126\n legacy_get_tree+0xf1/0x200 fs/fs_context.c:610\n vfs_get_tree+0x85/0x2e0 fs/super.c:1530\n do_new_mount fs/namespace.c:3040 [inline]\n path_mount+0x675/0x1d00 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __x64_sys_mount+0x282/0x300 fs/namespace.c:3568\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f725f983aed\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\nRAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed\nRDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000\nRBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000\nR10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000\n </TASK>\n\nAllocated by task 855:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:437 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470\n kasan_slab_alloc include/linux/kasan.h:224 [inline]\n slab_post_alloc_hook mm/slab.h:7\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50432",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: ssdt: Don't free memory if ACPI table was loaded successfully\n\nAmadeusz reports KASAN use-after-free errors introduced by commit\n3881ee0b1edc (\"efi: avoid efivars layer when loading SSDTs from\nvariables\"). The problem appears to be that the memory that holds the\nnew ACPI table is now freed unconditionally, instead of only when the\nACPI core reported a failure to load the table.\n\nSo let's fix this, by omitting the kfree() on success.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50433",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix possible memleak when register 'hctx' failed\n\nThere's an issue as follows when doing a fault injection test:\nunreferenced object 0xffff888132a9f400 (size 512):\n  comm \"insmod\", pid 308021, jiffies 4324277909 (age 509.733s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff  ...........2....\n    08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00  ...2............\n  backtrace:\n    [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0\n    [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0\n    [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230\n    [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910\n    [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0\n    [<00000000a2a34657>] 0xffffffffa2ad310f\n    [<00000000b173f718>] 0xffffffffa2af824a\n    [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0\n    [<00000000f32fdf93>] do_init_module+0xdf/0x320\n    [<00000000cbe8541e>] load_module+0x3006/0x3390\n    [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000a1a29ae8>] do_syscall_64+0x35/0x80\n    [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFault injection context as follows:\n kobject_add\n blk_mq_register_hctx\n blk_mq_sysfs_register\n blk_register_queue\n device_add_disk\n null_add_dev.part.0 [null_blk]\n\nAs 'blk_mq_register_hctx' may have already added some objects when it fails halfway,\nbut there is no fallback, the caller doesn't know which objects failed to add.\nTo solve the above issue, just do the fallback when adding objects fails halfway in\n'blk_mq_register_hctx'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50434",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid crash when inline data creation follows DIO write\n\nWhen an inode is created and written to using direct IO, there is nothing\nto clear the EXT4_STATE_MAY_INLINE_DATA flag. Thus when the inode gets\ntruncated later to say 1 byte and written using a normal write, we will\ntry to store the data as inline data. This confuses the code later\nbecause the inode now has both a normal block and inline data allocated\nand the confusion manifests for example as:\n\nkernel BUG at fs/ext4/inode.c:2721!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 359 Comm: repro Not tainted 5.19.0-rc8-00001-g31ba1e3b8305-dirty #15\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\nRIP: 0010:ext4_writepages+0x363d/0x3660\nRSP: 0018:ffffc90000ccf260 EFLAGS: 00010293\nRAX: ffffffff81e1abcd RBX: 0000008000000000 RCX: ffff88810842a180\nRDX: 0000000000000000 RSI: 0000008000000000 RDI: 0000000000000000\nRBP: ffffc90000ccf650 R08: ffffffff81e17d58 R09: ffffed10222c680b\nR10: dfffe910222c680c R11: 1ffff110222c680a R12: ffff888111634128\nR13: ffffc90000ccf880 R14: 0000008410000000 R15: 0000000000000001\nFS:  00007f72635d2640(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000565243379180 CR3: 000000010aa74000 CR4: 0000000000150eb0\nCall Trace:\n <TASK>\n do_writepages+0x397/0x640\n filemap_fdatawrite_wbc+0x151/0x1b0\n file_write_and_wait_range+0x1c9/0x2b0\n ext4_sync_file+0x19e/0xa00\n vfs_fsync_range+0x17b/0x190\n ext4_buffered_write_iter+0x488/0x530\n ext4_file_write_iter+0x449/0x1b90\n vfs_write+0xbcd/0xf40\n ksys_write+0x198/0x2c0\n __x64_sys_write+0x7b/0x90\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>\n\nFix the problem by clearing EXT4_STATE_MAY_INLINE_DATA when we are doing\na direct IO write to a file.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don't set up encryption key during jbd2 transaction\n\nCommit a80f7fcf1867 (\"ext4: fixup ext4_fc_track_* functions' signature\")\nextended the scope of the transaction in ext4_unlink() too far, making\nit include the call to ext4_find_entry().  However, ext4_find_entry()\ncan deadlock when called from within a transaction because it may need\nto set up the directory's encryption key.\n\nFix this by restoring the transaction to its original scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50436",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502670/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50437",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: fix memory leak when reading function table\n\nWhen the input parameter idx meets the expected case option in\nhinic_dbg_get_func_table(), read_data is not released. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50438",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8173: Enable IRQ when pdata is ready\n\nIf the device does not come straight from reset, we might receive an IRQ\nbefore we are ready to handle it.\n\n\n[    2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4\n[    2.522601] Call trace:\n[    2.525040]  regmap_read+0x1c/0x80\n[    2.528434]  mt8173_afe_irq_handler+0x40/0xf0\n...\n[    2.598921]  start_kernel+0x338/0x42c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50439",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate the box size for the snooped cursor\n\nInvalid userspace dma surface copies could potentially overflow\nthe memcpy from the surface to the snooped image leading to crashes.\nTo fix it the dimensions of the copybox have to be validated\nagainst the expected size of the snooped cursor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50440",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Lag, fix failure to cancel delayed bond work\n\nCommit 0d4e8ed139d8 (\"net/mlx5: Lag, avoid lockdep warnings\")\naccidentally removed a call to cancel delayed bond work; thus it may\ncause the queued delay to expire and fall on an already destroyed work\nqueue.\n\nFix by restoring the call to cancel_delayed_work_sync() before\ndestroying the workqueue.\n\nThis prevents a call trace such as this:\n\n[  329.230417] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [  329.231444] #PF: supervisor write access in kernel mode\n [  329.232233] #PF: error_code(0x0002) - not-present page\n [  329.233007] PGD 0 P4D 0\n [  329.233476] Oops: 0002 [#1] SMP\n [  329.234012] CPU: 5 PID: 145 Comm: kworker/u20:4 Tainted: G OE      6.0.0-rc5_mlnx #1\n [  329.235282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [  329.236868] Workqueue: mlx5_cmd_0000:08:00.1 cmd_work_handler [mlx5_core]\n [  329.237886] RIP: 0010:_raw_spin_lock+0xc/0x20\n [  329.238585] Code: f0 0f b1 17 75 02 f3 c3 89 c6 e9 6f 3c 5f ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 02 f3 c3 89 c6 e9 45 3c 5f ff 0f 1f 44 00 00 0f 1f\n [  329.241156] RSP: 0018:ffffc900001b0e98 EFLAGS: 00010046\n [  329.241940] RAX: 0000000000000000 RBX: ffffffff82374ae0 RCX: 0000000000000000\n [  329.242954] RDX: 0000000000000001 RSI: 0000000000000014 RDI: 0000000000000000\n [  329.243974] RBP: ffff888106ccf000 R08: ffff8881004000c8 R09: ffff888100400000\n [  329.244990] R10: 0000000000000000 R11: ffffffff826669f8 R12: 0000000000002000\n [  329.246009] R13: 0000000000000005 R14: ffff888100aa7ce0 R15: ffff88852ca80000\n [  329.247030] FS:  0000000000000000(0000) GS:ffff88852ca80000(0000) knlGS:0000000000000000\n [  329.248260] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [  329.249111] CR2: 0000000000000000 CR3: 000000016d675001 CR4: 0000000000770ee0\n [  329.250133] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [  329.251152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [  329.252176] PKRU: 55555554",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50441",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate buffer length while parsing index\n\nindx_read is called when we have some NTFS directory operations that\nneed more information from the index buffers. This adds a sanity check\nto make sure the returned index buffer length is legit, or we may have\nsome out-of-bound memory accesses.\n\n[  560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320\n[  560.898321] Read of size 2 at addr ffff888009497238 by task exp/245\n[  560.898760]\n[  560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37\n[  560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  560.900170] Call Trace:\n[  560.900407]  <TASK>\n[  560.900732]  dump_stack_lvl+0x49/0x63\n[  560.901108]  print_report.cold+0xf5/0x689\n[  560.901395]  ? hdr_find_e.isra.0+0x10c/0x320\n[  560.901716]  kasan_report+0xa7/0x130\n[  560.901950]  ? hdr_find_e.isra.0+0x10c/0x320\n[  560.902208]  __asan_load2+0x68/0x90\n[  560.902427]  hdr_find_e.isra.0+0x10c/0x320\n[  560.902846]  ? cmp_uints+0xe0/0xe0\n[  560.903363]  ? cmp_sdh+0x90/0x90\n[  560.903883]  ? ntfs_bread_run+0x190/0x190\n[  560.904196]  ? rwsem_down_read_slowpath+0x750/0x750\n[  560.904969]  ? ntfs_fix_post_read+0xe0/0x130\n[  560.905259]  ? __kasan_check_write+0x14/0x20\n[  560.905599]  ? up_read+0x1a/0x90\n[  560.905853]  ? indx_read+0x22c/0x380\n[  560.906096]  indx_find+0x2ef/0x470\n[  560.906352]  ? indx_find_buffer+0x2d0/0x2d0\n[  560.906692]  ? __kasan_kmalloc+0x88/0xb0\n[  560.906977]  dir_search_u+0x196/0x2f0\n[  560.907220]  ? ntfs_nls_to_utf16+0x450/0x450\n[  560.907464]  ? __kasan_check_write+0x14/0x20\n[  560.907747]  ? mutex_lock+0x8f/0xe0\n[  560.907970]  ? __mutex_lock_slowpath+0x20/0x20\n[  560.908214]  ? kmem_cache_alloc+0x143/0x4b0\n[  560.908459]  ntfs_lookup+0xe0/0x100\n[  560.908788]  __lookup_slow+0x116/0x220\n[  560.909050]  ? lookup_fast+0x1b0/0x1b0\n[  560.909309]  ? lookup_fast+0x13f/0x1b0\n[  560.909601]  walk_component+0x187/0x230\n[  560.909944]  link_path_walk.part.0+0x3f0/0x660\n[  560.910285]  ? handle_lookup_down+0x90/0x90\n[  560.910618]  ? path_init+0x642/0x6e0\n[  560.911084]  ? percpu_counter_add_batch+0x6e/0xf0\n[  560.912559]  ? __alloc_file+0x114/0x170\n[  560.913008]  path_openat+0x19c/0x1d10\n[  560.913419]  ? getname_flags+0x73/0x2b0\n[  560.913815]  ? kasan_save_stack+0x3a/0x50\n[  560.914125]  ? kasan_save_stack+0x26/0x50\n[  560.914542]  ? __kasan_slab_alloc+0x6d/0x90\n[  560.914924]  ? kmem_cache_alloc+0x143/0x4b0\n[  560.915339]  ? getname_flags+0x73/0x2b0\n[  560.915647]  ? getname+0x12/0x20\n[  560.916114]  ? __x64_sys_open+0x4c/0x60\n[  560.916460]  ? path_lookupat.isra.0+0x230/0x230\n[  560.916867]  ? __isolate_free_page+0x2e0/0x2e0\n[  560.917194]  do_filp_open+0x15c/0x1f0\n[  560.917448]  ? may_open_dev+0x60/0x60\n[  560.917696]  ? expand_files+0xa4/0x3a0\n[  560.917923]  ? __kasan_check_write+0x14/0x20\n[  560.918185]  ? _raw_spin_lock+0x88/0xdb\n[  560.918409]  ? _raw_spin_lock_irqsave+0x100/0x100\n[  560.918783]  ? _find_next_bit+0x4a/0x130\n[  560.919026]  ? _raw_spin_unlock+0x19/0x40\n[  560.919276]  ? alloc_fd+0x14b/0x2d0\n[  560.919635]  do_sys_openat2+0x32a/0x4b0\n[  560.920035]  ? file_open_root+0x230/0x230\n[  560.920336]  ? __rcu_read_unlock+0x5b/0x280\n[  560.920813]  do_sys_open+0x99/0xf0\n[  560.921208]  ? filp_open+0x60/0x60\n[  560.921482]  ? exit_to_user_mode_prepare+0x49/0x180\n[  560.921867]  __x64_sys_open+0x4c/0x60\n[  560.922128]  do_syscall_64+0x3b/0x90\n[  560.922369]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  560.923030] RIP: 0033:0x7f7dff2e4469\n[  560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002\n[  560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469\n[  560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50442",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: lvds: fix PM usage counter unbalance in poweron\n\npm_runtime_get_sync will increment the pm usage counter even if it failed.\nForgetting the put operation will result in a reference leak here.\nWe fix it by replacing it with the newest pm_runtime_resume_and_get\nto keep the usage counter balanced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50443",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra20: Fix refcount leak in tegra20_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50444",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Reinject transport-mode packets through workqueue\n\nThe following warning is displayed when the tcp6-multi-diffip11 stress\ntest case of the LTP test suite is tested:\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ns-tcpserver:48198]\nCPU: 0 PID: 48198 Comm: ns-tcpserver Kdump: loaded Not tainted 6.0.0-rc6+ #39\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : des3_ede_encrypt+0x27c/0x460 [libdes]\nlr : 0x3f\nsp : ffff80000ceaa1b0\nx29: ffff80000ceaa1b0 x28: ffff0000df056100 x27: ffff0000e51e5280\nx26: ffff80004df75030 x25: ffff0000e51e4600 x24: 000000000000003b\nx23: 0000000000802080 x22: 000000000000003d x21: 0000000000000038\nx20: 0000000080000020 x19: 000000000000000a x18: 0000000000000033\nx17: ffff0000e51e4780 x16: ffff80004e2d1448 x15: ffff80004e2d1248\nx14: ffff0000e51e4680 x13: ffff80004e2d1348 x12: ffff80004e2d1548\nx11: ffff80004e2d1848 x10: ffff80004e2d1648 x9 : ffff80004e2d1748\nx8 : ffff80004e2d1948 x7 : 000000000bcaf83d x6 : 000000000000001b\nx5 : ffff80004e2d1048 x4 : 00000000761bf3bf x3 : 000000007f1dd0a3\nx2 : ffff0000e51e4780 x1 : ffff0000e3b9a2f8 x0 : 00000000db44e872\nCall trace:\n des3_ede_encrypt+0x27c/0x460 [libdes]\n crypto_des3_ede_encrypt+0x1c/0x30 [des_generic]\n crypto_cbc_encrypt+0x148/0x190\n crypto_skcipher_encrypt+0x2c/0x40\n crypto_authenc_encrypt+0xc8/0xfc [authenc]\n crypto_aead_encrypt+0x2c/0x40\n echainiv_encrypt+0x144/0x1a0 [echainiv]\n crypto_aead_encrypt+0x2c/0x40\n esp6_output_tail+0x1c8/0x5d0 [esp6]\n esp6_output+0x120/0x278 [esp6]\n xfrm_output_one+0x458/0x4ec\n xfrm_output_resume+0x6c/0x1f0\n xfrm_output+0xac/0x4ac\n __xfrm6_output+0x130/0x270\n xfrm6_output+0x60/0xec\n ip6_xmit+0x2ec/0x5bc\n inet6_csk_xmit+0xbc/0x10c\n __tcp_transmit_skb+0x460/0x8c0\n tcp_write_xmit+0x348/0x890\n __tcp_push_pending_frames+0x44/0x110\n 
tcp_rcv_established+0x3c8/0x720\n tcp_v6_do_rcv+0xdc/0x4a0\n tcp_v6_rcv+0xc24/0xcb0\n ip6_protocol_deliver_rcu+0xf0/0x574\n ip6_input_finish+0x48/0x7c\n ip6_input+0x48/0xc0\n ip6_rcv_finish+0x80/0x9c\n xfrm_trans_reinject+0xb0/0xf4\n tasklet_action_common.constprop.0+0xf8/0x134\n tasklet_action+0x30/0x3c\n __do_softirq+0x128/0x368\n do_softirq+0xb4/0xc0\n __local_bh_enable_ip+0xb0/0xb4\n put_cpu_fpsimd_context+0x40/0x70\n kernel_neon_end+0x20/0x40\n sha1_base_do_update.constprop.0.isra.0+0x11c/0x140 [sha1_ce]\n sha1_ce_finup+0x94/0x110 [sha1_ce]\n crypto_shash_finup+0x34/0xc0\n hmac_finup+0x48/0xe0\n crypto_shash_finup+0x34/0xc0\n shash_digest_unaligned+0x74/0x90\n crypto_shash_digest+0x4c/0x9c\n shash_ahash_digest+0xc8/0xf0\n shash_async_digest+0x28/0x34\n crypto_ahash_digest+0x48/0xcc\n crypto_authenc_genicv+0x88/0xcc [authenc]\n crypto_authenc_encrypt+0xd8/0xfc [authenc]\n crypto_aead_encrypt+0x2c/0x40\n echainiv_encrypt+0x144/0x1a0 [echainiv]\n crypto_aead_encrypt+0x2c/0x40\n esp6_output_tail+0x1c8/0x5d0 [esp6]\n esp6_output+0x120/0x278 [esp6]\n xfrm_output_one+0x458/0x4ec\n xfrm_output_resume+0x6c/0x1f0\n xfrm_output+0xac/0x4ac\n __xfrm6_output+0x130/0x270\n xfrm6_output+0x60/0xec\n ip6_xmit+0x2ec/0x5bc\n inet6_csk_xmit+0xbc/0x10c\n __tcp_transmit_skb+0x460/0x8c0\n tcp_write_xmit+0x348/0x890\n __tcp_push_pending_frames+0x44/0x110\n tcp_push+0xb4/0x14c\n tcp_sendmsg_locked+0x71c/0xb64\n tcp_sendmsg+0x40/0x6c\n inet6_sendmsg+0x4c/0x80\n sock_sendmsg+0x5c/0x6c\n __sys_sendto+0x128/0x15c\n __arm64_sys_sendto+0x30/0x40\n invoke_syscall+0x50/0x120\n el0_svc_common.constprop.0+0x170/0x194\n do_el0_svc+0x38/0x4c\n el0_svc+0x28/0xe0\n el0t_64_sync_handler+0xbc/0x13c\n el0t_64_sync+0x180/0x184\n\nGet softirq info by bcc tool:\n./softirqs -NT 10\nTracing soft irq event time... 
Hit Ctrl-C to end.\n\n15:34:34\nSOFTIRQ          TOTAL_nsecs\nblock                 158990\ntimer               20030920\nsched               46577080\nnet_rx             676746820\ntasklet           9906067650\n\n15:34:45\nSOFTIRQ          TOTAL_nsecs\nblock                  86100\nsched               38849790\nnet_rx             \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50445",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARC: mm: fix leakage of memory allocated for PTE\n\nSince commit d9820ff (\"ARC: mm: switch pgtable_t back to struct page *\")\na memory leakage problem occurs. Memory allocated for page table entries\nis not released during process termination. This issue can be reproduced by\na small program that allocates a large amount of memory. After several\nruns, you'll see that the amount of free memory has reduced and will\ncontinue to reduce after each run. All ARC CPUs are affected by this\nissue. The issue was introduced since the kernel stable release v5.15-rc1.\n\nAs described in commit d9820ff after switching pgtable_t back to struct\npage *, a pointer to \"struct page\" and appropriate functions are used to\nallocate and free a memory page for PTEs, but the pmd_pgtable macro hasn't\nchanged and returns the direct virtual address from the PMD (PGD) entry.\nThen this address is used as a parameter in the __pte_free() and as a result\nthis function couldn't release memory page allocated for PTEs.\n\nFix this issue by changing the pmd_pgtable macro and returning pointer to\nstruct page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50446",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix crash on hci_create_cis_sync\n\nAttempting to connect multiple ISO sockets without using\nDEFER_SETUP may result in the following crash:\n\nBUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0\nRead of size 2 at addr 0000000000000036 by task kworker/u3:1/50\n\nCPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted\n6.0.0-rc7-02243-gb84a13ff4eda #4373\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009),\nBIOS 1.16.0-1.fc36 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x19/0x27\n kasan_report+0xbc/0xf0\n ? hci_create_cis_sync+0x18b/0x2b0\n hci_create_cis_sync+0x18b/0x2b0\n ? get_link_mode+0xd0/0xd0\n ? __ww_mutex_lock_slowpath+0x10/0x10\n ? mutex_lock+0xe0/0xe0\n ? get_link_mode+0xd0/0xd0\n hci_cmd_sync_work+0x111/0x190\n process_one_work+0x427/0x650\n worker_thread+0x87/0x750\n ? process_one_work+0x650/0x650\n kthread+0x14e/0x180\n ? kthread_exit+0x50/0x50\n ret_from_fork+0x22/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50447",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in\n\nWhen PTE_MARKER_UFFD_WP is not configured, it's still possible to reach pte\nmarker code and trigger a warning. Add a few CONFIG_PTE_MARKER_UFFD_WP\nifdefs to make sure the code won't be reached when not compiled in.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50448",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: Fix memory leak in _samsung_clk_register_pll()\n\nIf clk_register() fails, @pll->rate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise it will cause a memory leak\nissue, this patch fixes it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50449",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix memory leak on ntfs_fill_super() error path\n\nsyzbot reported kmemleak as below:\n\nBUG: memory leak\nunreferenced object 0xffff8880122f1540 (size 32):\n  comm \"a.out\", pid 6664, jiffies 4294939771 (age 25.500s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81b16052>] ntfs_init_fs_context+0x22/0x1c0\n    [<ffffffff8164aaa7>] alloc_fs_context+0x217/0x430\n    [<ffffffff81626dd4>] path_mount+0x704/0x1080\n    [<ffffffff81627e7c>] __x64_sys_mount+0x18c/0x1d0\n    [<ffffffff84593e14>] do_syscall_64+0x34/0xb0\n    [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by freeing mount options on error path of\nntfs_fill_super().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50451",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cake: fix null pointer access issue when cake_init() fails\n\nWhen the default qdisc is cake, if the qdisc of dev_queue fails to be\ninited during mqprio_init(), cake_reset() is invoked to clear\nresources. In this case, the tins is NULL, and it will cause gpf issue.\n\nThe process is as follows:\nqdisc_create_dflt()\n\tcake_init()\n\t\tq->tins = kvcalloc(...)        --->failed, q->tins is NULL\n\t...\n\tqdisc_put()\n\t\t...\n\t\tcake_reset()\n\t\t\t...\n\t\t\tcake_dequeue_one()\n\t\t\t\tb = &q->tins[...]   --->q->tins is NULL\n\nThe following is the Call Trace information:\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:cake_dequeue_one+0xc9/0x3c0\nCall Trace:\n<TASK>\ncake_reset+0xb1/0x140\nqdisc_reset+0xed/0x6f0\nqdisc_destroy+0x82/0x4c0\nqdisc_put+0x9e/0xb0\nqdisc_create_dflt+0x2c3/0x4a0\nmqprio_init+0xa71/0x1760\nqdisc_create+0x3eb/0x1000\ntc_modify_qdisc+0x408/0x1720\nrtnetlink_rcv_msg+0x38e/0xac0\nnetlink_rcv_skb+0x12d/0x3a0\nnetlink_unicast+0x4a2/0x740\nnetlink_sendmsg+0x826/0xcc0\nsock_sendmsg+0xc5/0x100\n____sys_sendmsg+0x583/0x690\n___sys_sendmsg+0xe8/0x160\n__sys_sendmsg+0xbf/0x160\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f89e5122d04\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50452",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix NULL-pointer dereferences\n\nThere are several places where we can crash the kernel by requesting\nlines, unbinding the GPIO device, then calling any of the system calls\nrelevant to the GPIO character device's anonymous file descriptors:\nioctl(), read(), poll().\n\nWhile I observed it with the GPIO simulator, it will also happen for any\nof the GPIO devices that can be hot-unplugged - for instance any HID GPIO\nexpander (e.g. CP2112).\n\nThis affects both v1 and v2 uAPI.\n\nThis fixes it partially by checking if gdev->chip is not NULL but it\ndoesn't entirely remedy the situation as we still have a race condition\nin which another thread can remove the device after the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50453",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()\n\nnouveau_bo_init() is backed by ttm_bo_init() and ferries its return code\nback to the caller. On failures, ttm will call nouveau_bo_del_ttm() and\nfree the memory. Thus, when nouveau_bo_init() returns an error, the gem\nobject has already been released. Then the call to nouveau_bo_ref() will\nuse the freed \"nvbo->bo\" and lead to a use-after-free bug.\n\nWe should delete the call to nouveau_bo_ref() to avoid the use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50454",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix resolving backrefs for inline extent followed by prealloc\n\nIf a file consists of an inline extent followed by a regular or prealloc\nextent, then a legitimate attempt to resolve a logical address in the\nnon-inline region will result in add_all_parents reading the invalid\noffset field of the inline extent. If the inline extent item is placed\nin the leaf eb s.t. it is the first item, attempting to access the\noffset field will not only be meaningless, it will go past the end of\nthe eb and cause this panic:\n\n  [17.626048] BTRFS warning (device dm-2): bad eb member end: ptr 0x3fd4 start 30834688 member offset 16377 size 8\n  [17.631693] general protection fault, probably for non-canonical address 0x5088000000000: 0000 [#1] SMP PTI\n  [17.635041] CPU: 2 PID: 1267 Comm: btrfs Not tainted 5.12.0-07246-g75175d5adc74-dirty #199\n  [17.637969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [17.641995] RIP: 0010:btrfs_get_64+0xe7/0x110\n  [17.649890] RSP: 0018:ffffc90001f73a08 EFLAGS: 00010202\n  [17.651652] RAX: 0000000000000001 RBX: ffff88810c42d000 RCX: 0000000000000000\n  [17.653921] RDX: 0005088000000000 RSI: ffffc90001f73a0f RDI: 0000000000000001\n  [17.656174] RBP: 0000000000000ff9 R08: 0000000000000007 R09: c0000000fffeffff\n  [17.658441] R10: ffffc90001f73790 R11: ffffc90001f73788 R12: ffff888106afe918\n  [17.661070] R13: 0000000000003fd4 R14: 0000000000003f6f R15: cdcdcdcdcdcdcdcd\n  [17.663617] FS:  00007f64e7627d80(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000\n  [17.666525] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [17.668664] CR2: 000055d4a39152e8 CR3: 000000010c596002 CR4: 0000000000770ee0\n  [17.671253] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [17.673634] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  
[17.676034] PKRU: 55555554\n  [17.677004] Call Trace:\n  [17.677877]  add_all_parents+0x276/0x480\n  [17.679325]  find_parent_nodes+0xfae/0x1590\n  [17.680771]  btrfs_find_all_leafs+0x5e/0xa0\n  [17.682217]  iterate_extent_inodes+0xce/0x260\n  [17.683809]  ? btrfs_inode_flags_to_xflags+0x50/0x50\n  [17.685597]  ? iterate_inodes_from_logical+0xa1/0xd0\n  [17.687404]  iterate_inodes_from_logical+0xa1/0xd0\n  [17.689121]  ? btrfs_inode_flags_to_xflags+0x50/0x50\n  [17.691010]  btrfs_ioctl_logical_to_ino+0x131/0x190\n  [17.692946]  btrfs_ioctl+0x104a/0x2f60\n  [17.694384]  ? selinux_file_ioctl+0x182/0x220\n  [17.695995]  ? __x64_sys_ioctl+0x84/0xc0\n  [17.697394]  __x64_sys_ioctl+0x84/0xc0\n  [17.698697]  do_syscall_64+0x33/0x40\n  [17.700017]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n  [17.701753] RIP: 0033:0x7f64e72761b7\n  [17.709355] RSP: 002b:00007ffefb067f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  [17.712088] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f64e72761b7\n  [17.714667] RDX: 00007ffefb067fb0 RSI: 00000000c0389424 RDI: 0000000000000003\n  [17.717386] RBP: 00007ffefb06d188 R08: 000055d4a390d2b0 R09: 00007f64e7340a60\n  [17.719938] R10: 0000000000000231 R11: 0000000000000246 R12: 0000000000000001\n  [17.722383] R13: 0000000000000000 R14: 00000000c0389424 R15: 000055d4a38fd2a0\n  [17.724839] Modules linked in:\n\nFix the bug by detecting the inline extent item in add_all_parents and\nskipping to the next extent item.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50456",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: Fix refcount error in del_mtd_device()\n\ndel_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which\nis mtd->dev.of_node. However, memset(&mtd->dev, 0) is called before\nof_node_put(). As the result, of_node_put() won't do anything in\ndel_mtd_device(), and causes the refcount leak.\n\ndel_mtd_device()\n    memset(&mtd->dev, 0, sizeof(mtd->dev) # clear mtd->dev\n    of_node_put()\n        mtd_get_of_node(mtd) # mtd->dev is cleared, can't locate of_node\n                             # of_node_put(NULL) won't do anything\n\nFix the error by caching the pointer of the device_node.\n\nOF: ERROR: memory leak, expected refcount 1 instead of 2,\nof_node_get()/of_node_put() unbalanced - destroy cset entry: attach\noverlay node /spi/spi-sram@0\nCPU: 3 PID: 275 Comm: python3 Tainted: G N 6.1.0-rc3+ #54\n    0d8a1edddf51f172ff5226989a7565c6313b08e2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<TASK>\n    dump_stack_lvl+0x67/0x83\n    kobject_get+0x155/0x160\n    of_node_get+0x1f/0x30\n    of_fwnode_get+0x43/0x70\n    fwnode_handle_get+0x54/0x80\n    fwnode_get_nth_parent+0xc9/0xe0\n    fwnode_full_name_string+0x3f/0xa0\n    device_node_string+0x30f/0x750\n    pointer+0x598/0x7a0\n    vsnprintf+0x62d/0x9b0\n    ...\n    cfs_overlay_release+0x30/0x90\n    config_item_release+0xbe/0x1a0\n    config_item_put+0x5e/0x80\n    configfs_rmdir+0x3bd/0x540\n    vfs_rmdir+0x18c/0x320\n    do_rmdir+0x198/0x330\n    __x64_sys_rmdir+0x2c/0x40\n    do_syscall_64+0x37/0x90\n    entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[<miquel.raynal@bootlin.com>: Light reword of the commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50457",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: Fix refcount leak in tegra210_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50458",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()\n\nFix a NULL pointer crash that occurs when we are freeing the socket at the\nsame time we access it via sysfs.\n\nThe problem is that:\n\n 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take\n    the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()\n    does a get on the \"struct sock\".\n\n 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put\n    on the \"struct socket\" and that does __sock_release() which sets the\n    sock->ops to NULL.\n\n 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then\n    call kernel_getpeername() which accesses the NULL sock->ops.\n\nAbove we do a get on the \"struct sock\", but we needed a get on the \"struct\nsocket\". Originally, we just held the frwd_lock the entire time but in\ncommit bcf3a2953d36 (\"scsi: iscsi: iscsi_tcp: Avoid holding spinlock while\ncalling getpeername()\") we switched to refcount based because the network\nlayer changed and started taking a mutex in that path, so we could no\nlonger hold the frwd_lock.\n\nInstead of trying to maintain multiple refcounts, this just has us use a\nmutex for accessing the socket in the interface code paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50459",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_flock()\n\nIf not flock, before returning -ENOLCK, we should free the xid,\notherwise, the xid will be leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50460",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()\n\nEnsure pm_runtime_put() is issued in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50461",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: vpe-mt: fix possible memory leak while module exiting\n\nAfter commit 1fa5ae857bb1 (\"driver core: get rid of struct device's\nbus_id string array\"), the name of device is allocated dynamically,\nit needs to be freed when module exiting, call put_device() to give up\nreference, so that it can be freed in kobject_cleanup() when the\nrefcount hits 0. The vpe_device is static, so remove kfree() from\nvpe_device_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50462",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/52xx: Fix a resource leak in an error handling path\n\nThe error handling path of mpc52xx_lpbfifo_probe() has a request_irq()\nthat is not balanced by a corresponding free_irq().\n\nAdd the missing call, as already done in the remove function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50463",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()\n\nAs comment of pci_get_device() says, it returns a pci_device with its\nrefcount increased. We need to call pci_dev_put() to decrease the\nrefcount. Save the return value of pci_get_device() and call\npci_dev_put() to decrease the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50464",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix leaking uninitialized memory in fast-commit journal\n\nWhen space at the end of fast-commit journal blocks is unused, make sure\nto zero it out so that uninitialized memory is not leaked to disk.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50465",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/binfmt_elf: Fix memory leak in load_elf_binary()\n\nThere is a memory leak reported by kmemleak:\n\n  unreferenced object 0xffff88817104ef80 (size 224):\n    comm \"xfs_admin\", pid 47165, jiffies 4298708825 (age 1333.476s)\n    hex dump (first 32 bytes):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff  `.........Z.....\n    backtrace:\n      [<ffffffff819171e1>] __alloc_file+0x21/0x250\n      [<ffffffff81918061>] alloc_empty_file+0x41/0xf0\n      [<ffffffff81948cda>] path_openat+0xea/0x3d30\n      [<ffffffff8194ec89>] do_filp_open+0x1b9/0x290\n      [<ffffffff8192660e>] do_open_execat+0xce/0x5b0\n      [<ffffffff81926b17>] open_exec+0x27/0x50\n      [<ffffffff81a69250>] load_elf_binary+0x510/0x3ed0\n      [<ffffffff81927759>] bprm_execve+0x599/0x1240\n      [<ffffffff8192a997>] do_execveat_common.isra.0+0x4c7/0x680\n      [<ffffffff8192b078>] __x64_sys_execve+0x88/0xb0\n      [<ffffffff83bbf0a5>] do_syscall_64+0x35/0x80\n\nIf \"interp_elf_ex\" fails to allocate memory in load_elf_binary(),\nthe program will take the \"out_free_ph\" error handling path,\nresulting in the \"interpreter\" file resource not being released.\n\nFix it by adding an error handling path \"out_free_file\", which will\nrelease the file resource when \"interp_elf_ex\" failed to allocate\nmemory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50466",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID\n\nAn error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to\nlpfc_nlp_put() with a null pointer to a nodelist structure.\n\nChanged lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon\nentry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50467",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()\n\nThe following WARNING message was given when rmmod cros_usbpd_notify:\n\n Unexpected driver unregister!\n WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0\n Modules linked in: cros_usbpd_notify(-)\n CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24\n ...\n Call Trace:\n  <TASK>\n  cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]\n  __x64_sys_delete_module+0x3c7/0x570\n  ? __ia32_sys_delete_module+0x570/0x570\n  ? lock_is_held_type+0xe3/0x140\n  ? syscall_enter_from_user_mode+0x17/0x50\n  ? rcu_read_lock_sched_held+0xa0/0xd0\n  ? syscall_enter_from_user_mode+0x1c/0x50\n  do_syscall_64+0x37/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f333fe9b1b7\n\nThe reason is that the cros_usbpd_notify_init() does not check the return\nvalue of platform_driver_register(), and the cros_usbpd_notify can\ninstall successfully even if platform_driver_register() failed.\n\nFix by checking the return value of platform_driver_register() and\nunregister cros_usbpd_notify_plat_driver when it failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50468",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()\n\nIn rtw_init_drv_sw(), various init functions are called to\npopulate the padapter structure, with some checks on their return values.\nHowever, except for the first error path, the other five error paths\ndo not properly release the previously allocated resources, which leads to\nvarious memory leaks.\n\nThis patch fixes them and keeps the success and error separate.\nNote that these changes keep the form of `rtw_init_drv_sw()` in\n\"drivers/staging/r8188eu/os_dep/os_intfs.c\". As there is no proper device\nto test with, no runtime testing was performed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50469",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Remove device endpoints from bandwidth list when freeing the device\n\nEndpoints are normally deleted from the bandwidth list when they are\ndropped, before the virt device is freed.\n\nIf xHC host is dying or being removed then the endpoints aren't dropped\ncleanly due to functions returning early to avoid interacting with a\nnon-accessible host controller.\n\nSo check and delete endpoints that are still on the bandwidth list when\nfreeing the virt device.\n\nSolves a list_del corruption kernel crash when unbinding xhci-pci,\ncaused by xhci_mem_cleanup() when it later tried to delete already freed\nendpoints from the bandwidth list.\n\nThis only affects hosts that use software bandwidth checking, which\ncurrently is only the xHC in Intel Panther Point PCH (Ivy Bridge).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50470",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/gntdev: Accommodate VMA splitting\n\nPrior to this commit, the gntdev driver code did not handle the\nfollowing scenario correctly with paravirtualized (PV) Xen domains:\n\n* User process sets up a gntdev mapping composed of two grant mappings\n  (i.e., two pages shared by another Xen domain).\n* User process munmap()s one of the pages.\n* User process munmap()s the remaining page.\n* User process exits.\n\nIn the scenario above, the user process would cause the kernel to log\nthe following messages in dmesg for the first munmap(), and the second\nmunmap() call would result in similar log messages:\n\n  BUG: Bad page map in process doublemap.test  pte:... pmd:...\n  page:0000000057c97bff refcount:1 mapcount:-1 \\\n    mapping:0000000000000000 index:0x0 pfn:...\n  ...\n  page dumped because: bad pte\n  ...\n  file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0\n  ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x46/0x5e\n   print_bad_pte.cold+0x66/0xb6\n   unmap_page_range+0x7e5/0xdc0\n   unmap_vmas+0x78/0xf0\n   unmap_region+0xa8/0x110\n   __do_munmap+0x1ea/0x4e0\n   __vm_munmap+0x75/0x120\n   __x64_sys_munmap+0x28/0x40\n   do_syscall_64+0x38/0x90\n   entry_SYSCALL_64_after_hwframe+0x61/0xcb\n   ...\n\nFor each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)\nwould print out the following and trigger a general protection fault in\nthe affected Xen PV domain:\n\n  (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...\n  (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...\n\nAs of this writing, gntdev_grant_map structure's vma field (referred to\nas map->vma below) is mainly used for checking the start and end\naddresses of mappings. However, with split VMAs, these may change, and\nthere could be more than one VMA associated with a gntdev mapping.\nHence, remove the use of map->vma and rely on map->pages_vm_start for\nthe original start address and on (map->count << PAGE_SHIFT) for the\noriginal mapping size. Let the invalidate() and find_special_page()\nhooks use these.\n\nAlso, given that there can be multiple VMAs associated with a gntdev\nmapping, move the \"mmu_interval_notifier_remove(&map->notifier)\" call to\nthe end of gntdev_put_map, so that the MMU notifier is only removed\nafter the closing of the last remaining VMA.\n\nFinally, use an atomic to prevent inadvertent gntdev mapping re-use,\ninstead of using the map->live_grants atomic counter and/or the map->vma\npointer (the latter of which is now removed). This prevents the\nuserspace from mmap()'ing (with MAP_FIXED) a gntdev mapping over the\nsame address range as a previously set up gntdev mapping. This scenario\ncan be summarized with the following call-trace, which was valid prior\nto this commit:\n\n  mmap\n    gntdev_mmap\n  mmap (repeat mmap with MAP_FIXED over the same address range)\n    gntdev_invalidate\n      unmap_grant_pages (sets 'being_removed' entries to true)\n        gnttab_unmap_refs_async\n    unmap_single_vma\n    gntdev_mmap (maps the shared pages again)\n  munmap\n    gntdev_invalidate\n      unmap_grant_pages\n        (no-op because 'being_removed' entries are true)\n    unmap_single_vma (For PV domains, Xen reports that a granted page\n      is being unmapped and triggers a general protection fault in the\n      affected domain, if Xen was built with CONFIG_DEBUG)\n\nThe fix for this last scenario could be worth its own commit, but we\nopted for a single commit, because removing the gntdev_grant_map\nstructure's vma field requires guarding the entry to gntdev_mmap(), and\nthe live_grants atomic counter is not sufficient on its own to prevent\nthe mmap() over a pre-existing mapping.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50471",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mad: Don't call to function that might sleep while in atomic context\n\nTracepoints are not allowed to sleep; as such, the following splat is\ngenerated due to a call to ib_query_pkey() in atomic context.\n\nWARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220\nCPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-305.3.1.el8.x86_64 #1\n Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:rb_commit+0xc1/0x220\n RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202\n RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246\n RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246\n R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0\n Call Trace:\n  ring_buffer_unlock_commit+0x1d/0xa0\n  trace_buffer_unlock_commit_regs+0x3b/0x1b0\n  trace_event_buffer_commit+0x67/0x1d0\n  trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]\n  ib_mad_recv_done+0x48b/0xc10 [ib_core]\n  ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]\n  __ib_process_cq+0x91/0x1c0 [ib_core]\n  ib_cq_poll_work+0x26/0x80 [ib_core]\n  process_one_work+0x1a7/0x360\n  ? create_worker+0x1a0/0x1a0\n  worker_thread+0x30/0x390\n  ? create_worker+0x1a0/0x1a0\n  kthread+0x116/0x130\n  ? kthread_flush_work_fn+0x10/0x10\n  ret_from_fork+0x35/0x40\n ---[ end trace 78ba8509d3830a16 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50472",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: Init completion before kobject_init_and_add()\n\nIn cpufreq_policy_alloc(), an uninitialized completion will be called in\ncpufreq_sysfs_release() when kobject_init_and_add() fails, and\nthat will cause a crash such as the following page fault in complete:\n\nBUG: unable to handle page fault for address: fffffffffffffff8\n[..]\nRIP: 0010:complete+0x98/0x1f0\n[..]\nCall Trace:\n kobject_put+0x1be/0x4c0\n cpufreq_online.cold+0xee/0x1fd\n cpufreq_add_dev+0x183/0x1e0\n subsys_interface_register+0x3f5/0x4e0\n cpufreq_register_driver+0x3b7/0x670\n acpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq]\n do_one_initcall+0x13d/0x780\n do_init_module+0x1c3/0x630\n load_module+0x6e67/0x73b0\n __do_sys_finit_module+0x181/0x240\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50473",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh: fix possible memory leak in macio_add_one_device()\n\nAfter commit 1fa5ae857bb1 (\"driver core: get rid of struct device's\nbus_id string array\"), the name of the device is allocated dynamically. It\nneeds to be freed when of_device_register() fails. Call put_device() to\ngive up the reference that's taken in device_initialize(), so that it\ncan be freed in kobject_cleanup() when the refcount hits 0.\n\nThe macio device is freed in macio_release_dev(), so the kfree() can be\nremoved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50474",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Make sure \"ib_port\" is valid when access sysfs node\n\nThe \"ib_port\" structure must be set before adding the sysfs kobject,\nand reset after removing it, otherwise it may crash when accessing\nthe sysfs node:\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n  Mem abort info:\n    ESR = 0x96000006\n    Exception class = DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n  Data abort info:\n    ISV = 0, ISS = 0x00000006\n    CM = 0, WnR = 0\n  user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5\n  [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000\n  Internal error: Oops: 96000006 [#2] PREEMPT SMP\n  Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]\n  Process grep (pid: 3372, stack limit = 0x0000000022055c92)\n  CPU: 5 PID: 3372 Comm: grep Tainted: G      D    OE     4.19.161-mlnx.47.gadcd9e3 #1\n  Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep  8 2022\n  pstate: 40000005 (nZcv daif -PAN -UAO)\n  pc : hw_stat_port_show+0x4c/0x80 [ib_core]\n  lr : port_attr_show+0x40/0x58 [ib_core]\n  sp : ffff000029f43b50\n  x29: ffff000029f43b50 x28: 0000000019375000\n  x27: ffff8007b821a540 x26: ffff000029f43e30\n  x25: 0000000000008000 x24: ffff000000eaa958\n  x23: 0000000000001000 x22: ffff8007a4ce3000\n  x21: ffff8007baff8000 x20: ffff8007b9066ac0\n  x19: ffff8007bae97578 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000\n  x15: 0000000000000000 x14: 0000000000000000\n  x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000\n  x9 : 0000000000000000 x8 : ffff8007a4ce4000\n  x7 : 0000000000000000 x6 : 000000000000003f\n  x5 : ffff000000e6a280 x4 : ffff8007a4ce3000\n  x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab\n  x1 : ffff8007b9066a10 x0 : ffff8007baff8000\n  Call trace:\n   hw_stat_port_show+0x4c/0x80 [ib_core]\n   port_attr_show+0x40/0x58 [ib_core]\n   sysfs_kf_seq_show+0x8c/0x150\n   kernfs_seq_show+0x44/0x50\n   seq_read+0x1b4/0x45c\n   kernfs_fop_read+0x148/0x1d8\n   __vfs_read+0x58/0x180\n   vfs_read+0x94/0x154\n   ksys_read+0x68/0xd8\n   __arm64_sys_read+0x28/0x34\n   el0_svc_common+0x88/0x18c\n   el0_svc_handler+0x78/0x94\n   el0_svc+0x8/0xe8\n  Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50475",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb_netdev: Use dev_kfree_skb_any() in interrupt context\n\nTX/RX callback handlers (ntb_netdev_tx_handler(),\nntb_netdev_rx_handler()) can be called in interrupt\ncontext via the DMA framework when the respective\nDMA operations have completed. As such, any calls\nby these routines to free skb's, should use the\ninterrupt context safe dev_kfree_skb_any() function.\n\nPreviously, these callback handlers would call the\ninterrupt unsafe version of dev_kfree_skb(). This has\nnot presented an issue on Intel IOAT DMA engines as\nthat driver utilizes tasklets rather than a hard\ninterrupt handler, like the AMD PTDMA DMA driver.\nOn AMD systems, a kernel WARNING message is\nencountered, which is being issued from\nskb_release_head_state() due to in_hardirq()\nbeing true.\n\nBesides the user visible WARNING from the kernel,\nthe other symptom of this bug was that TCP/IP performance\nacross the ntb_netdev interface was very poor, i.e.\napproximately an order of magnitude below what was\nexpected. With the repair to use dev_kfree_skb_any(),\nkernel WARNINGs from skb_release_head_state() ceased\nand TCP/IP performance, as measured by iperf, was on\npar with expected results, approximately 20 Gb/s on\nAMD Milan based server. Note that this performance\nis comparable with Intel based servers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: class: Fix potential memleak in devm_rtc_allocate_device()\n\ndevm_rtc_allocate_device() will alloc a rtc_device first, and then run\ndev_set_name(). If dev_set_name() failed, the rtc_device will memleak.\nMove devm_add_action_or_reset() in front of dev_set_name() to prevent\nmemleak.\n\nunreferenced object 0xffff888110a53000 (size 2048):\n  comm \"python3\", pid 470, jiffies 4296078308 (age 58.882s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 30 a5 10 81 88 ff ff  .........0......\n    08 30 a5 10 81 88 ff ff 00 00 00 00 00 00 00 00  .0..............\n  backtrace:\n    [<000000004aac0364>] kmalloc_trace+0x21/0x110\n    [<000000000ff02202>] devm_rtc_allocate_device+0xd4/0x400\n    [<000000001bdf5639>] devm_rtc_device_register+0x1a/0x80\n    [<00000000351bf81c>] rx4581_probe+0xdd/0x110 [rtc_rx4581]\n    [<00000000f0eba0ae>] spi_probe+0xde/0x130\n    [<00000000bff89ee8>] really_probe+0x175/0x3f0\n    [<00000000128e8d84>] __driver_probe_device+0xe6/0x170\n    [<00000000ee5bf913>] device_driver_attach+0x32/0x80\n    [<00000000f3f28f92>] bind_store+0x10b/0x1a0\n    [<000000009ff812d8>] drv_attr_store+0x49/0x70\n    [<000000008139c323>] sysfs_kf_write+0x8d/0xb0\n    [<00000000b6146e01>] kernfs_fop_write_iter+0x214/0x2d0\n    [<00000000ecbe3895>] vfs_write+0x61a/0x7d0\n    [<00000000aa2196ea>] ksys_write+0xc8/0x190\n    [<0000000046a600f5>] do_syscall_64+0x37/0x90\n    [<00000000541a336f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()\n\nPatch series \"nilfs2: fix UBSAN shift-out-of-bounds warnings on mount\ntime\".\n\nThe first patch fixes a bug reported by syzbot, and the second one fixes\nthe remaining bug of the same kind.  Although they are triggered by the\nsame super block data anomaly, I divided it into the above two because the\ndetails of the issues and how to fix it are different.\n\nBoth are required to eliminate the shift-out-of-bounds issues at mount\ntime.\n\n\nThis patch (of 2):\n\nIf the block size exponent information written in an on-disk superblock is\ncorrupted, nilfs_sb2_bad_offset helper function can trigger\nshift-out-of-bounds warning followed by a kernel panic (if panic_on_warn\nis set):\n\n shift exponent 38983 is too large for 64-bit type 'unsigned long long'\n Call Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n  ubsan_epilogue lib/ubsan.c:151 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322\n  nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]\n  nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523\n  init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577\n  nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047\n  nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317\n  ...\n\nIn addition, since nilfs_sb2_bad_offset() performs multiplication without\nconsidering the upper bound, the computation may overflow if the disk\nlayout parameters are not normal.\n\nThis fixes these issues by inserting preliminary sanity checks for those\nparameters and by converting the comparison from one involving\nmultiplication and left bit-shifting to one using division and right\nbit-shifting.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: fix potential memory leak\n\nThis patch fixes a potential memory leak (clk_src) when the function runs\ninto the last return NULL.\n\ns/free/kfree/ - Alex",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()\n\nThe break of for_each_available_child_of_node() needs a\ncorresponding of_node_put() when the reference 'child' is not\nused anymore. Here we do not need to call of_node_put() in the\nfail path as '!match' means no break.\n\nWhile of_platform_device_create() will create a new\nreference via 'child', it already takes the refcounting into account.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50480",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()\n\nIf device_register() fails in cxl_register_afu|adapter(), the device\nis not added, so device_unregister() can not be called in the error path;\notherwise it will cause a null-ptr-deref because of removing a device\nthat was not added.\n\nAs the comment of device_register() says, it should use put_device() to give\nup the reference in the error path. So split device_unregister() into\ndevice_del() and put_device(), then go to put_device() when registration fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clean up si_domain in the init_dmars() error path\n\nA splat from kmem_cache_destroy() was seen with a kernel prior to\ncommit ee2653bbe89d (\"iommu/vt-d: Remove domain and devinfo mempool\")\nwhen there was a failure in init_dmars(), because the iommu_domain\ncache still had objects. While the mempool code is now gone, there\nstill is a leak of the si_domain memory if init_dmars() fails. So\nclean up si_domain in the init_dmars() error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50482",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: avoid buffer leaks on xdp_do_redirect() failure\n\nBefore enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software\nBD in the RX ring between index orig_i and i can have one of 2 refcount\nvalues on its page.\n\nWe are the owner of the current buffer that is being processed, so the\nrefcount will be at least 1.\n\nIf the current owner of the buffer at the diametrically opposed index\nin the RX ring (i.o.w, the other half of this page) has not yet called\nkfree(), this page's refcount could even be 2.\n\nenetc_page_reusable() in enetc_flip_rx_buff() tests for the page\nrefcount against 1, and [ if it's 2 ] does not attempt to reuse it.\n\nBut if enetc_flip_rx_buff() is put after the xdp_do_redirect() call,\nthe page refcount can have one of 3 values. It can also be 0, if there\nis no owner of the other page half, and xdp_do_redirect() for this\nbuffer ran so far that it triggered a flush of the devmap/cpumap bulk\nqueue, and the consumers of those bulk queues also freed the buffer,\nall by the time xdp_do_redirect() returns the execution back to enetc.\n\nThis is the reason why enetc_flip_rx_buff() is called before\nxdp_do_redirect(), but there is a big flaw with that reasoning:\nenetc_flip_rx_buff() will set rx_swbd->page = NULL on both sides of the\nenetc_page_reusable() branch, and if xdp_do_redirect() returns an error,\nwe call enetc_xdp_free(), which does not deal gracefully with that.\n\nIn fact, what happens is quite special. The page refcounts start as 1.\nenetc_flip_rx_buff() figures they're reusable, transfers these\nrx_swbd->page pointers to a different rx_swbd in enetc_reuse_page(), and\nbumps the refcount to 2. When xdp_do_redirect() later returns an error,\nwe call the no-op enetc_xdp_free(), but we still haven't lost the\nreference to that page. A copy of it is still at rx_ring->next_to_alloc,\nbut that has refcount 2 (and there are no concurrent owners of it in\nflight, to drop the refcount). What really kills the system is when\nwe'll flip the rx_swbd->page the second time around. With an updated\nrefcount of 2, the page will not be reusable and we'll really leak it.\nThen enetc_new_page() will have to allocate more pages, which will then\neventually leak again on further errors from xdp_do_redirect().\n\nThe problem, summarized, is that we zeroize rx_swbd->page before we're\ncompletely done with it, and this makes it impossible for the error path\nto do something with it.\n\nSince the packet is potentially multi-buffer and therefore the\nrx_swbd->page is potentially an array, manual passing of the old\npointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit\ndifficult.\n\nFor the sake of going with a simple solution, we accept the possibility\nof racing with xdp_do_redirect(), and we move the flip procedure to\nexecute only on the redirect success path. By racing, I mean that the\npage may be deemed as not reusable by enetc (having a refcount of 0),\nbut there will be no leak in that case, either.\n\nOnce we accept that, we have something better to do with buffers on\nXDP_REDIRECT failure. Since we haven't performed half-page flipping yet,\nwe won't, either (and this way, we can avoid enetc_xdp_free()\ncompletely, which gives the entire page to the slab allocator).\nInstead, we'll call enetc_xdp_drop(), which will recycle this half of\nthe buffer back to the RX ring.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50483",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks\n\nWhen the driver hits -ENOMEM at allocating a URB or a buffer, it\naborts and goes to the error path that releases all the previously\nallocated resources.  However, when -ENOMEM hits in the middle of the\nsync EP URB allocation loop, the partially allocated URBs might be\nleft unreleased, because ep->nurbs is still zero at that point.\n\nFix it by setting ep->nurbs at first, so that the error handler loops\nover the full URB list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add EXT4_IGET_BAD flag to prevent unexpected bad inode\n\nThere are many places that will get unhappy (and crash) when ext4_iget()\nreturns a bad inode. However, iget of the boot loader inode allows a bad\ninode to be returned, because the inode may not be initialized. This\nmechanism can be used to bypass some checks and cause a panic. To solve this\nproblem, we add a special iget flag EXT4_IGET_BAD. Only with this flag\nwould we return a bad inode from ext4_iget(); otherwise we always return\nthe error code if the inode is a bad inode. (suggested by Jan Kara)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50485",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: Fix return type of netcp_ndo_start_xmit()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n  drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .ndo_start_xmit         = netcp_ndo_start_xmit,\n                                    ^~~~~~~~~~~~~~~~~~~~\n  1 error generated.\n\n->ndo_start_xmit() in 'struct net_device_ops' expects a return type of\n'netdev_tx_t', not 'int'. Adjust the return type of\nnetcp_ndo_start_xmit() to match the prototype's to resolve the warning\nand CFI failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50486",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for 'bfqq->bic'\n\nOur test report a uaf for 'bfqq->bic' in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |  \u039b            |  \u039b\n  |  |            |  |\n  V  |            V  |\n  bfqq1           bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1       Process 2\n (BIC1)          (BIC2)\n  |               |\n   \\-------------\\|\n                  V\n  bfqq1           bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n  |  \u039b\n  |  |\n  V  |\n  bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n   \u039b\n   |\\--------------\\\n   |                V\n  bfqq2           bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq->bic while bfqq is detached from bic.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50488",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mipi-dsi: Detach devices when removing the host\n\nWhenever the MIPI-DSI host is unregistered, the code of\nmipi_dsi_host_unregister() loops over every device currently found on that\nbus and will unregister it.\n\nHowever, it doesn't detach it from the bus first, which leads to all kind\nof resource leaks if the host wants to perform some clean up whenever a\ndevice is detached.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Propagate error from htab_lock_bucket() to userspace\n\nIn __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns\n-EBUSY, it will go to next bucket. Going to next bucket may not only\nskip the elements in current bucket silently, but also incur\nout-of-bound memory access or expose kernel memory to userspace if\ncurrent bucket_cnt is greater than bucket_size or zero.\n\nFixing it by stopping batch operation and returning -EBUSY when\nhtab_lock_bucket() fails, and the application can retry or skip the busy\nbatch as needed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50490",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: cti: Fix hang in cti_disable_hw()\n\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\n\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\n\n  perf record -e cs_etm//u -- ls\n\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\n\nWith lock and scheduler debugging enabled the following is output:\n\n   coresight cti_sys0: cti_enable_hw -- dev:cti_sys0  parent: 20020000.cti\n   BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\n   in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\n   preempt_count: 2, expected: 0\n   RCU nest depth: 0, expected: 0\n   INFO: lockdep is turned off.\n   irq event stamp: 0\n   hardirqs last  enabled at (0): [<0000000000000000>] 0x0\n   hardirqs last disabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n   softirqs last  enabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n   softirqs last disabled at (0): [<0000000000000000>] 0x0\n   CPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\n   Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\n   Call trace:\n    dump_backtrace+0x134/0x140\n    show_stack+0x20/0x58\n    dump_stack_lvl+0x8c/0xb8\n    dump_stack+0x18/0x34\n    __might_resched+0x180/0x228\n    __might_sleep+0x50/0x88\n    __pm_runtime_resume+0xac/0xb0\n    cti_enable+0x44/0x120\n    coresight_control_assoc_ectdev+0xc0/0x150\n    coresight_enable_path+0xb4/0x288\n    etm_event_start+0x138/0x170\n    etm_event_add+0x48/0x70\n    event_sched_in.isra.122+0xb4/0x280\n    merge_sched_in+0x1fc/0x3d0\n    visit_groups_merge.constprop.137+0x16c/0x4b0\n    ctx_sched_in+0x114/0x1f0\n    perf_event_sched_in+0x60/0x90\n    ctx_resched+0x68/0xb0\n    perf_event_exec+0x138/0x508\n    begin_new_exec+0x52c/0xd40\n    load_elf_binary+0x6b8/0x17d0\n    bprm_execve+0x360/0x7f8\n    do_execveat_common.isra.47+0x218/0x238\n    __arm64_sys_execve+0x48/0x60\n    invoke_syscall+0x4c/0x110\n    el0_svc_common.constprop.4+0xfc/0x120\n    do_el0_svc+0x34/0xc0\n    el0_svc+0x40/0x98\n    el0t_64_sync_handler+0x98/0xc0\n    el0t_64_sync+0x170/0x174\n\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n\n[ Fix build warnings ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50491",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix use-after-free on probe deferral\n\nThe bridge counter was never reset when tearing down the DRM device so\nthat stale pointers to deallocated structures would be accessed on the\nnext tear down (e.g. after a second late bind deferral).\n\nGiven enough bridges and a few probe deferrals this could currently also\nlead to data beyond the bridge array being corrupted.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502665/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50492",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash when I/O abort times out\n\nWhile performing CPU hotplug, a crash with the following stack was seen:\n\nCall Trace:\n     qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]\n     qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]\n     qla_nvme_post_cmd+0x166/0x240 [qla2xxx]\n     nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]\n     blk_mq_dispatch_rq_list+0x17b/0x610\n     __blk_mq_sched_dispatch_requests+0xb0/0x140\n     blk_mq_sched_dispatch_requests+0x30/0x60\n     __blk_mq_run_hw_queue+0x35/0x90\n     __blk_mq_delay_run_hw_queue+0x161/0x180\n     blk_execute_rq+0xbe/0x160\n     __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]\n     nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]\n     nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]\n     nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]\n     process_one_work+0x1e8/0x3c0\n\nOn abort timeout, completion was called without checking if the I/O was\nalready completed.\n\nVerify that I/O and abort request are indeed outstanding before attempting\ncompletion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50493",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash\n\nWhen CPU 0 is offline and intel_powerclamp is used to inject\nidle, it generates kernel BUG:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: bash/15687\ncaller is debug_smp_processor_id+0x17/0x20\nCPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57\nCall Trace:\n<TASK>\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\ncheck_preemption_disabled+0xdd/0xe0\ndebug_smp_processor_id+0x17/0x20\npowerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]\n...\n...\n\nHere CPU 0 is the control CPU by default and changed to the current CPU,\nif CPU 0 offlined. This check has to be performed under cpus_read_lock(),\nhence the above warning.\n\nUse get_cpu() instead of smp_processor_id() to avoid this BUG.\n\n[ rjw: Subject edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50494",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: Fix UAF in destroy()\n\nDm_cache also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in destroy().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50496",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: fix shift-out-of-bounds in check_special_flags\n\nUBSAN reported a shift-out-of-bounds warning:\n\n left shift of 1 by 31 places cannot be represented in type 'int'\n Call Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106\n  ubsan_epilogue+0xa/0x44 lib/ubsan.c:151\n  __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322\n  check_special_flags fs/binfmt_misc.c:241 [inline]\n  create_entry fs/binfmt_misc.c:456 [inline]\n  bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654\n  vfs_write+0x11e/0x580 fs/read_write.c:582\n  ksys_write+0xcf/0x120 fs/read_write.c:637\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x4194e1\n\nSince the type of Node's flags is unsigned long, we should define these\nmacros with same type too.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50497",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: alx: take rtnl_lock on resume\n\nZbynek reports that alx trips an rtnl assertion on resume:\n\n RTNL: assertion failed at net/core/dev.c (2891)\n RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0\n Call Trace:\n  <TASK>\n  __alx_open+0x230/0x570 [alx]\n  alx_resume+0x54/0x80 [alx]\n  ? pci_legacy_resume+0x80/0x80\n  dpm_run_callback+0x4a/0x150\n  device_resume+0x8b/0x190\n  async_resume+0x19/0x30\n  async_run_entry_fn+0x30/0x130\n  process_one_work+0x1e5/0x3b0\n\nindeed the driver does not hold rtnl_lock during its internal close\nand re-open functions during suspend/resume. Note that this is not\na huge bug as the driver implements its own locking, and does not\nimplement changing the number of queues, but we need to silence\nthe splat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50498",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: Fix double free in dvb_register_device()\n\nIn function dvb_register_device() -> dvb_register_media_device() ->\ndvb_create_media_entity(), dvb->entity is allocated and initialized. If\nthe initialization fails, it frees the dvb->entity, and return an error\ncode. The caller takes the error code and handles the error by calling\ndvb_media_device_free(), which unregisters the entity and frees the\nfield again if it is not NULL. As dvb->entity may not NULLed in\ndvb_create_media_entity() when the allocation of dvbdev->pad fails, a\ndouble free may occur. This may also cause an Use After free in\nmedia_device_unregister_entity().\n\nFix this by storing NULL to dvb->entity when it is freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50499",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix memory leak in nsim_drv_probe() when nsim_dev_resources_register() failed\n\nIf some items in nsim_dev_resources_register() fail, memory leak will\noccur. The following is the memory leak information.\n\nunreferenced object 0xffff888074c02600 (size 128):\n  comm \"echo\", pid 8159, jiffies 4294945184 (age 493.530s)\n  hex dump (first 32 bytes):\n    40 47 ea 89 ff ff ff ff 01 00 00 00 00 00 00 00  @G..............\n    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\n  backtrace:\n    [<0000000011a31c98>] kmalloc_trace+0x22/0x60\n    [<0000000027384c69>] devl_resource_register+0x144/0x4e0\n    [<00000000a16db248>] nsim_drv_probe+0x37a/0x1260\n    [<000000007d1f448c>] really_probe+0x20b/0xb10\n    [<00000000c416848a>] __driver_probe_device+0x1b3/0x4a0\n    [<00000000077e0351>] driver_probe_device+0x49/0x140\n    [<0000000054f2465a>] __device_attach_driver+0x18c/0x2a0\n    [<000000008538f359>] bus_for_each_drv+0x151/0x1d0\n    [<0000000038e09747>] __device_attach+0x1c9/0x4e0\n    [<00000000dd86e533>] bus_probe_device+0x1d5/0x280\n    [<00000000839bea35>] device_add+0xae0/0x1cb0\n    [<000000009c2abf46>] new_device_store+0x3b6/0x5f0\n    [<00000000fb823d7f>] bus_attr_store+0x72/0xa0\n    [<000000007acc4295>] sysfs_kf_write+0x106/0x160\n    [<000000005f50cb4d>] kernfs_fop_write_iter+0x3a8/0x5a0\n    [<0000000075eb41bf>] vfs_write+0x8f0/0xc80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50500",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for dcoda_iram_alloc\n\nAs the coda_iram_alloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50501",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: lpddr2_nvm: Fix possible null-ptr-deref\n\nIt will cause null-ptr-deref when resource_size(add_range) invoked,\nif platform_get_resource() returns NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50503",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid scheduling in rtas_os_term()\n\nIt's unsafe to use rtas_busy_delay() to handle a busy status from\nthe ibm,os-term RTAS function in rtas_os_term():\n\nKernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\nBUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 2, expected: 0\nCPU: 7 PID: 1 Comm: swapper/0 Tainted: G      D            6.0.0-rc5-02182-gf8553a572277-dirty #9\nCall Trace:\n[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)\n[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0\n[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0\n[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4\n[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68\n[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50\n[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0\n[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0\n[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0\n[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420\n[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200\n\nUse rtas_busy_delay_time() instead, which signals without side effects\nwhether to attempt the ibm,os-term RTAS call again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50504",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix pci device refcount leak in ppr_notifier()\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it before returning from ppr_notifier()\nto avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50505",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: only clone bio if we have a backing device\n\nCommit c347a787e34cb (drbd: set ->bi_bdev in drbd_req_new) moved a\nbio_set_dev call (which has since been removed) to \"earlier\", from\ndrbd_request_prepare to drbd_req_new.\n\nThe problem is that this accesses device->ldev->backing_bdev, which is\nnot NULL-checked at this point. When we don't have an ldev (i.e. when\nthe DRBD device is diskless), this leads to a null pointer deref.\n\nSo, only allocate the private_bio if we actually have a disk. This is\nalso a small optimization, since we don't clone the bio to only to\nimmediately free it again in the diskless case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50506",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate data run offset\n\nThis adds sanity checks for data run offset. We should make sure data\nrun offset is legit before trying to unpack them, otherwise we may\nencounter use-after-free or some unexpected memory access behaviors.\n\n[   82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570\n[   82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240\n[   82.941670]\n[   82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15\n[   82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   82.943720] Call Trace:\n[   82.944204]  <TASK>\n[   82.944471]  dump_stack_lvl+0x49/0x63\n[   82.944908]  print_report.cold+0xf5/0x67b\n[   82.945141]  ? __wait_on_bit+0x106/0x120\n[   82.945750]  ? run_unpack+0x2e3/0x570\n[   82.946626]  kasan_report+0xa7/0x120\n[   82.947046]  ? run_unpack+0x2e3/0x570\n[   82.947280]  __asan_load1+0x51/0x60\n[   82.947483]  run_unpack+0x2e3/0x570\n[   82.947709]  ? memcpy+0x4e/0x70\n[   82.947927]  ? run_pack+0x7a0/0x7a0\n[   82.948158]  run_unpack_ex+0xad/0x3f0\n[   82.948399]  ? mi_enum_attr+0x14a/0x200\n[   82.948717]  ? run_unpack+0x570/0x570\n[   82.949072]  ? ni_enum_attr_ex+0x1b2/0x1c0\n[   82.949332]  ? ni_fname_type.part.0+0xd0/0xd0\n[   82.949611]  ? mi_read+0x262/0x2c0\n[   82.949970]  ? ntfs_cmp_names_cpu+0x125/0x180\n[   82.950249]  ntfs_iget5+0x632/0x1870\n[   82.950621]  ? ntfs_get_block_bmap+0x70/0x70\n[   82.951192]  ? evict+0x223/0x280\n[   82.951525]  ? iput.part.0+0x286/0x320\n[   82.951969]  ntfs_fill_super+0x1321/0x1e20\n[   82.952436]  ? put_ntfs+0x1d0/0x1d0\n[   82.952822]  ? vsprintf+0x20/0x20\n[   82.953188]  ? mutex_unlock+0x81/0xd0\n[   82.953379]  ? set_blocksize+0x95/0x150\n[   82.954001]  get_tree_bdev+0x232/0x370\n[   82.954438]  ? put_ntfs+0x1d0/0x1d0\n[   82.954700]  ntfs_fs_get_tree+0x15/0x20\n[   82.955049]  vfs_get_tree+0x4c/0x130\n[   82.955292]  path_mount+0x645/0xfd0\n[   82.955615]  ? putname+0x80/0xa0\n[   82.955955]  ? finish_automount+0x2e0/0x2e0\n[   82.956310]  ? kmem_cache_free+0x110/0x390\n[   82.956723]  ? putname+0x80/0xa0\n[   82.957023]  do_mount+0xd6/0xf0\n[   82.957411]  ? path_mount+0xfd0/0xfd0\n[   82.957638]  ? __kasan_check_write+0x14/0x20\n[   82.957948]  __x64_sys_mount+0xca/0x110\n[   82.958310]  do_syscall_64+0x3b/0x90\n[   82.958719]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   82.959341] RIP: 0033:0x7fd0d1ce948a\n[   82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[   82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[   82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a\n[   82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0\n[   82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020\n[   82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0\n[   82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50507",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power\n\nAfter 'commit ba45841ca5eb (\"wifi: mt76: mt76x02: simplify struct\nmt76x02_rate_power\")', mt76x02 relies on ht[0-7] rate_power data for\nvht mcs{0,7}, while it uses vth[0-1] rate_power for vht mcs {8,9}.\nFix a possible out-of-bound access in mt76x0_phy_get_target_power routine.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50508",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for kmalloc\n\nAs the kmalloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50509",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()\n\narm_smmu_pmu_init() won't remove the callback added by\ncpuhp_setup_state_multi() when platform_driver_register() failed. Remove\nthe callback by cpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50510",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/fonts: fix undefined behavior in bit shift for get_default_font\n\nShifting signed 32-bit value by 31 bits is undefined, so changing\nsignificant bit to unsigned.  The UBSAN warning calltrace like below:\n\nUBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20\nleft shift of 1 by 31 places cannot be represented in type 'int'\n <TASK>\n dump_stack_lvl+0x7d/0xa5\n dump_stack+0x15/0x1b\n ubsan_epilogue+0xe/0x4e\n __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c\n get_default_font+0x1c7/0x1f0\n fbcon_startup+0x347/0x3a0\n do_take_over_console+0xce/0x270\n do_fbcon_takeover+0xa1/0x170\n do_fb_registered+0x2a8/0x340\n fbcon_fb_registered+0x47/0xe0\n register_framebuffer+0x294/0x4a0\n __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]\n drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]\n drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]\n drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]\n bochs_pci_probe+0x6ca/0x772 [bochs]\n local_pci_probe+0x4d/0xb0\n pci_device_probe+0x119/0x320\n really_probe+0x181/0x550\n __driver_probe_device+0xc6/0x220\n driver_probe_device+0x32/0x100\n __driver_attach+0x195/0x200\n bus_for_each_dev+0xbb/0x120\n driver_attach+0x27/0x30\n bus_add_driver+0x22e/0x2f0\n driver_register+0xa9/0x190\n __pci_register_driver+0x90/0xa0\n bochs_pci_driver_init+0x52/0x1000 [bochs]\n do_one_initcall+0x76/0x430\n do_init_module+0x61/0x28a\n load_module+0x1f82/0x2e50\n __do_sys_finit_module+0xf8/0x190\n __x64_sys_finit_module+0x23/0x30\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50511",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_regions()\n\nAs krealloc may return NULL, in this case 'state->fc_regions' may not be\nfreed by krealloc, but 'state->fc_regions' already set NULL. Then will\nlead to 'state->fc_regions' memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50512",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()\n\nIn rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated\nin failure, then `pcmdpriv->cmd_allocated_buf` will be not properly\nreleased. Besides, considering there are only two error paths and the\nfirst one can directly return, so we do not need implicitly jump to the\n`exit` tag to execute the error handler.\n\nSo this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error\npath to release the resource and simplified the return logic of\nrtw_init_cmd_priv(). As there is no proper device to test with, no runtime\ntesting was performed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50513",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix refcount leak on error path\n\nWhen failing to allocate report_desc, opts->refcnt has already been\nincremented so it needs to be decremented to avoid leaving the options\nstructure permanently locked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50514",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()\n\nIf construction of the array of work queues to handle hpd_rx_irq offload\nwork fails, we need to unwind. Destroy all the created workqueues and\nthe allocated memory for the hpd_rx_irq_offload_work_queue struct array.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50515",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix invalid derefence of sb_lvbptr\n\nI experience issues when putting a lkbsb on the stack and have sb_lvbptr\nfield to a dangled pointer while not using DLM_LKF_VALBLK. It will crash\nwith the following kernel message, the dangled pointer is here\n0xdeadbeef as example:\n\n[  102.749317] BUG: unable to handle page fault for address: 00000000deadbeef\n[  102.749320] #PF: supervisor read access in kernel mode\n[  102.749323] #PF: error_code(0x0000) - not-present page\n[  102.749325] PGD 0 P4D 0\n[  102.749332] Oops: 0000 [#1] PREEMPT SMP PTI\n[  102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G        W         5.19.0-rc3+ #1565\n[  102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014\n[  102.749344] RIP: 0010:memcpy_erms+0x6/0x10\n[  102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe\n[  102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202\n[  102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040\n[  102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070\n[  102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001\n[  102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70\n[  102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001\n[  102.749368] FS:  0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000\n[  102.749372] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0\n[  102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  102.749379] PKRU: 55555554\n[  102.749381] Call Trace:\n[  102.749382]  <TASK>\n[  102.749383]  ? send_args+0xb2/0xd0\n[  102.749389]  send_common+0xb7/0xd0\n[  102.749395]  _unlock_lock+0x2c/0x90\n[  102.749400]  unlock_lock.isra.56+0x62/0xa0\n[  102.749405]  dlm_unlock+0x21e/0x330\n[  102.749411]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[  102.749416]  torture_unlock+0x5a/0x90 [dlm_locktorture]\n[  102.749419]  ? preempt_count_sub+0xba/0x100\n[  102.749427]  lock_torture_writer+0xbd/0x150 [dlm_locktorture]\n[  102.786186]  kthread+0x10a/0x130\n[  102.786581]  ? kthread_complete_and_exit+0x20/0x20\n[  102.787156]  ret_from_fork+0x22/0x30\n[  102.787588]  </TASK>\n[  102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw\n[  102.792536] CR2: 00000000deadbeef\n[  102.792930] ---[ end trace 0000000000000000 ]---\n\nThis patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags\nis set when copying the lvbptr array instead of if it's just null which\nfixes for me the issue.\n\nI think this patch can fix other dlm users as well, depending how they\nhandle the init, freeing memory handling of sb_lvbptr and don't set\nDLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a\nhidden issue all the time. However with checking on DLM_LKF_VALBLK the\nuser always need to provide a sb_lvbptr non-null value. There might be\nmore intelligent handling between per ls lvblen, DLM_LKF_VALBLK and\nnon-null to report the user the way how DLM API is used is wrong but can\nbe added for later, this will only fix the current behaviour.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50516",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: do not clobber swp_entry_t during THP split\n\nThe following has been observed when running stressng mmap since commit\nb653db77350c (\"mm: Clear page->private when splitting or migrating a page\")\n\n   watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]\n   CPU: 75 PID: 9546 Comm: stress-ng Tainted: G            E      6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374\n   Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016\n   RIP: 0010:xas_descend+0x28/0x80\n   Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 <48> 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2\n   RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246\n   RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002\n   RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0\n   RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0\n   R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000\n   R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88\n   FS:  00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    <TASK>\n    xas_load+0x3a/0x50\n    __filemap_get_folio+0x80/0x370\n    ? put_swap_page+0x163/0x360\n    pagecache_get_page+0x13/0x90\n    __try_to_reclaim_swap+0x50/0x190\n    scan_swap_map_slots+0x31e/0x670\n    get_swap_pages+0x226/0x3c0\n    folio_alloc_swap+0x1cc/0x240\n    add_to_swap+0x14/0x70\n    shrink_page_list+0x968/0xbc0\n    reclaim_page_list+0x70/0xf0\n    reclaim_pages+0xdd/0x120\n    madvise_cold_or_pageout_pte_range+0x814/0xf30\n    walk_pgd_range+0x637/0xa30\n    __walk_page_range+0x142/0x170\n    walk_page_range+0x146/0x170\n    madvise_pageout+0xb7/0x280\n    ? asm_common_interrupt+0x22/0x40\n    madvise_vma_behavior+0x3b7/0xac0\n    ? find_vma+0x4a/0x70\n    ? find_vma+0x64/0x70\n    ? madvise_vma_anon_name+0x40/0x40\n    madvise_walk_vmas+0xa6/0x130\n    do_madvise+0x2f4/0x360\n    __x64_sys_madvise+0x26/0x30\n    do_syscall_64+0x5b/0x80\n    ? do_syscall_64+0x67/0x80\n    ? syscall_exit_to_user_mode+0x17/0x40\n    ? do_syscall_64+0x67/0x80\n    ? syscall_exit_to_user_mode+0x17/0x40\n    ? do_syscall_64+0x67/0x80\n    ? do_syscall_64+0x67/0x80\n    ? common_interrupt+0x8b/0xa0\n    entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe problem can be reproduced with the mmtests config\nconfig-workload-stressng-mmap.  It does not always happen and when it\ntriggers is variable but it has happened on multiple machines.\n\nThe intent of commit b653db77350c patch was to avoid the case where\nPG_private is clear but folio->private is not-NULL.  However, THP tail\npages uses page->private for \"swp_entry_t if folio_test_swapcache()\" as\nstated in the documentation for struct folio.  This patch only clobbers\npage->private for tail pages if the head page was not in swapcache and\nwarns once if page->private had an unexpected value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50517",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix locking in pdc_iodc_print() firmware call\n\nUtilize pdc_lock spinlock to protect parallel modifications of the\niodc_dbuf[] buffer, check length to prevent buffer overflow of\niodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong\nindentings.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50518",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure\n\nIf creation or finalization of a checkpoint fails due to anomalies in the\ncheckpoint metadata on disk, a kernel warning is generated.\n\nThis patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted\nwith panic_on_warn, does not panic.  A nilfs_error is appropriate here to\nhandle the abnormal filesystem condition.\n\nThis also replaces the detected error codes with an I/O error so that\nneither of the internal error codes is returned to callers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50519",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()\n\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\n\nIf we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50520",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()\n\nThe ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()\nis not freed after the call, so it leads to memory leak.\n\nThe method results in ACPI buffer is not used, so just pass NULL to\nwmi_evaluate_method() which fixes the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50521",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: mcb-parse: fix error handing in chameleon_parse_gdd()\n\nIf mcb_device_register() returns error in chameleon_parse_gdd(), the refcount\nof bus and device name are leaked. Fix this by calling put_device() to give up\nthe reference, so they can be released in mcb_release_dev() and kobject_cleanup().",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50522",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rockchip: Fix memory leak in rockchip_clk_register_pll()\n\nIf clk_register() fails, @pll->rate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise will cause memory leak\nissue, this patch fixes it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50523",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Check return value after calling platform_get_resource()\n\nplatform_get_resource() may return NULL pointer, we need check its\nreturn value to avoid null-ptr-deref in resource_size().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50524",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()\n\nThe fsl_pamu_probe() returns directly when create_csd() failed, leaving\nirq and memories unreleased.\nFix by jumping to error if create_csd() returns error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50525",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: fix memory corruption with too many bridges\n\nAdd the missing sanity check on the bridge counter to avoid corrupting\ndata beyond the fixed-sized bridge array in case there are ever more\nthan eight bridges.\n\nPatchwork: https://patchwork.freedesktop.org/patch/502664/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50526",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix size validation for non-exclusive domains (v4)\n\nFix amdgpu_bo_validate_size() to check whether the TTM domain manager for the\nrequested memory exists, else we get a kernel oops when dereferencing \"man\".\n\nv2: Make the patch standalone, i.e. not dependent on local patches.\nv3: Preserve old behaviour and just check that the manager pointer is not\n    NULL.\nv4: Complain if GTT domain requested and it is uninitialized--most likely a\n    bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50527",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leakage\n\nThis patch fixes potential memory leakage and seg fault\nin  _gpuvm_import_dmabuf() function",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50528",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntest_firmware: fix memory leak in test_firmware_init()\n\nWhen misc_register() failed in test_firmware_init(), the memory pointed\nby test_fw_config->name is not released. The memory leak information is\nas follows:\nunreferenced object 0xffff88810a34cb00 (size 32):\n  comm \"insmod\", pid 7952, jiffies 4294948236 (age 49.060s)\n  hex dump (first 32 bytes):\n    74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69  test-firmware.bi\n    6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  n...............\n  backtrace:\n    [<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0\n    [<ffffffff81affb96>] kstrndup+0x46/0xc0\n    [<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]\n    [<ffffffffa040f068>] 0xffffffffa040f068\n    [<ffffffff81002c41>] do_one_initcall+0x141/0x780\n    [<ffffffff816a72c3>] do_init_module+0x1c3/0x630\n    [<ffffffff816adb9e>] load_module+0x623e/0x76a0\n    [<ffffffff816af471>] __do_sys_finit_module+0x181/0x240\n    [<ffffffff89978f99>] do_syscall_64+0x39/0xb0\n    [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50529",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()\n\nOur syzkaller report a null pointer dereference, root cause is\nfollowing:\n\n__blk_mq_alloc_map_and_rqs\n set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs\n  blk_mq_alloc_map_and_rqs\n   blk_mq_alloc_rqs\n    // failed due to oom\n    alloc_pages_node\n    // set->tags[hctx_idx] is still NULL\n    blk_mq_free_rqs\n     drv_tags = set->tags[hctx_idx];\n     // null pointer dereference is triggered\n     blk_mq_clear_rq_mapping(drv_tags, ...)\n\nThis is because commit 63064be150e4 (\"blk-mq:\nAdd blk_mq_alloc_map_and_rqs()\") merged the two steps:\n\n1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()\n2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])\n\ninto one step:\n\nset->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()\n\nSince tags is not initialized yet in this case, fix the problem by\nchecking if tags is NULL pointer in blk_mq_clear_rq_mapping().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50530",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix an information leak in tipc_topsrv_kern_subscr\n\nUse a 8-byte write to initialize sub.usr_handle in\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\nwhen issuing setsockopt(..., SOL_TIPC, ...).\nThis resulted in an infoleak reported by KMSAN when the packet was\nreceived:\n\n  =====================================================\n  BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\n   instrument_copy_to_user ./include/linux/instrumented.h:121\n   copyout+0xbc/0x100 lib/iov_iter.c:169\n   _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\n   copy_to_iter ./include/linux/uio.h:176\n   simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\n   __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\n   skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\n   skb_copy_datagram_msg ./include/linux/skbuff.h:3903\n   packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\n   ____sys_recvmsg+0x2c4/0x810 net/socket.c:?\n   ___sys_recvmsg+0x217/0x840 net/socket.c:2743\n   __sys_recvmsg net/socket.c:2773\n   __do_sys_recvmsg net/socket.c:2783\n   __se_sys_recvmsg net/socket.c:2780\n   __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\n   do_syscall_x64 arch/x86/entry/common.c:50\n   do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n  ...\n\n  Uninit was stored to memory at:\n   tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\n   tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\n   tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\n   tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n   tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\n   tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\n   __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\n   __do_sys_setsockopt net/socket.c:2263\n   __se_sys_setsockopt net/socket.c:2260\n   __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\n   do_syscall_x64 arch/x86/entry/common.c:50\n   do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n  Local variable sub created at:\n   tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\n   tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n\n  Bytes 84-87 of 88 are uninitialized\n  Memory access of size 88 starts at ffff88801ed57cd0\n  Data copied to user address 0000000020000400\n  ...\n  =====================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50531",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()\n\nIn mpt3sas_transport_port_add(), if sas_rphy_add() returns error,\nsas_rphy_free() needs be called to free the resource allocated in\nsas_end_device_alloc(). Otherwise a kernel crash will happen:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000108\nCPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G        W          6.1.0-rc1+ #189\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x54/0x3d0\nlr : device_del+0x37c/0x3d0\nCall trace:\n device_del+0x54/0x3d0\n attribute_container_class_device_del+0x28/0x38\n transport_remove_classdev+0x6c/0x80\n attribute_container_device_trigger+0x108/0x110\n transport_remove_device+0x28/0x38\n sas_rphy_remove+0x50/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_rphy_remove+0x38/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_remove_host+0x20/0x38 [scsi_transport_sas]\n scsih_remove+0xd8/0x420 [mpt3sas]\n\nBecause transport_add_device() is not called when sas_rphy_add() fails, the\ndevice is not added. When sas_rphy_remove() is subsequently called to\nremove the device in the remove() path, a NULL pointer dereference happens.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50532",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mlme: fix null-ptr deref on failed assoc\n\nIf association to an AP without a link 0 fails, then we crash in\ntracing because it assumes that either ap_mld_addr or link 0 BSS\nis valid, since we clear sdata->vif.valid_links and then don't\nadd the ap_mld_addr to the struct.\n\nSince we clear also sdata->vif.cfg.ap_addr, keep a local copy of\nit and assign it earlier, before clearing valid_links, to fix\nthis.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50533",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Use last transaction's pmd->root when commit failed\n\nRecently we found a softlock up problem in dm thin pool btree lookup\ncode due to corrupted metadata:\n\n Kernel panic - not syncing: softlockup: hung tasks\n CPU: 7 PID: 2669225 Comm: kworker/u16:3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: dm-thin do_worker [dm_thin_pool]\n Call Trace:\n   <IRQ>\n   dump_stack+0x9c/0xd3\n   panic+0x35d/0x6b9\n   watchdog_timer_fn.cold+0x16/0x25\n   __run_hrtimer+0xa2/0x2d0\n   </IRQ>\n   RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]\n   __bufio_new+0x11f/0x4f0 [dm_bufio]\n   new_read+0xa3/0x1e0 [dm_bufio]\n   dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]\n   ro_step+0x63/0x100 [dm_persistent_data]\n   btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]\n   dm_btree_lookup+0x16f/0x210 [dm_persistent_data]\n   dm_thin_find_block+0x12c/0x210 [dm_thin_pool]\n   __process_bio_read_only+0xc5/0x400 [dm_thin_pool]\n   process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]\n   process_one_work+0x3c5/0x730\n\nFollowing process may generate a broken btree mixed with fresh and\nstale btree nodes, which could get dm thin trapped in an infinite loop\nwhile looking up data block:\n Transaction 1: pmd->root = A, A->B->C   // One path in btree\n                pmd->root = X, X->Y->Z   // Copy-up\n Transaction 2: X,Z is updated on disk, Y write failed.\n                // Commit failed, dm thin becomes read-only.\n                process_bio_read_only\n\t\t dm_thin_find_block\n\t\t  __find_block\n\t\t   dm_btree_lookup(pmd->root)\nThe pmd->root points to a broken btree, Y may contain stale node\npointing to any block, for example X, which gets dm thin trapped into\na dead loop while looking up Z.\n\nFix this by setting pmd->root in __open_metadata(), so that dm thin\nwill use the last transaction's pmd->root if commit failed.\n\nFetch a reproducer in [Link].\n\nLinke: https://bugzilla.kernel.org/show_bug.cgi?id=216790",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50534",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null-deref in dm_resume\n\n[Why]\nFixing smatch error:\ndm_resume() error: we previously assumed 'aconnector->dc_link' could be null\n\n[How]\nCheck if dc_link null at the beginning of the loop,\nso further checks can be dropped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50535",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix repeated calls to sock_put() when msg has more_data\n\nIn tcp_bpf_send_verdict() redirection, the eval variable is assigned to\n__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,\nsock_put() will be called multiple times.\n\nWe should reset the eval variable to __SK_NONE every time more_data\nstarts.\n\nThis causes:\n\nIPv4: Attempt to release TCP socket in state 1 00000000b4c925d7\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110\nModules linked in:\nCPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1\nHardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014\nCall Trace:\n <TASK>\n __tcp_transmit_skb+0xa1b/0xb90\n ? __alloc_skb+0x8c/0x1a0\n ? __kmalloc_node_track_caller+0x184/0x320\n tcp_write_xmit+0x22a/0x1110\n __tcp_push_pending_frames+0x32/0xf0\n do_tcp_sendpages+0x62d/0x640\n tcp_bpf_push+0xae/0x2c0\n tcp_bpf_sendmsg_redir+0x260/0x410\n ? preempt_count_add+0x70/0xa0\n tcp_bpf_send_verdict+0x386/0x4b0\n tcp_bpf_sendmsg+0x21b/0x3b0\n sock_sendmsg+0x58/0x70\n __sys_sendto+0xfa/0x170\n ? xfd_validate_state+0x1d/0x80\n ? switch_fpu_return+0x59/0xe0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50536",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()\n\nIn rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will\nnot be freed through rpi_firmware_delete(), fix this leak by calling\nkfree() in the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50537",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvme: Fix error not catched in fake_init()\n\nIn fake_init(), __root_device_register() is possible to fail but it's\nignored, which can cause unregistering vme_root fail when exit.\n\n general protection fault,\n probably for non-canonical address 0xdffffc000000008c\n KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]\n RIP: 0010:root_device_unregister+0x26/0x60\n Call Trace:\n  <TASK>\n  __x64_sys_delete_module+0x34f/0x540\n  do_syscall_64+0x38/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nReturn error when __root_device_register() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50538",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: omap4-common: Fix refcount leak bug\n\nIn omap4_sram_init(), of_find_compatible_node() will return a node\npointer with refcount incremented. We should use of_node_put() when\nit is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50539",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom-adm: fix wrong sizeof config in slave_config\n\nFix broken slave_config function that uncorrectly compare the\nperipheral_size with the size of the config pointer instead of the size\nof the config struct. This cause the crci value to be ignored and cause\na kernel panic on any slave that use adm driver.\n\nTo fix this, compare to the size of the struct and NOT the size of the\npointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50540",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow\n\nUDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.\nThese registers are 32-bit hardware counters and the driver uses these\ncounters to monitor the operational progress status for a channel, when\ntransferring more than 4GB of data it was observed that these counters\noverflow and completion calculation of a operation gets affected and the\ntransfer hangs indefinitely.\n\nThis commit adds changes to decrease the byte count for every complete\ntransaction so that these registers never overflow and the proper byte\ncount statistics is maintained for ongoing transaction by the RT counters.\n\nEarlier uc->bcnt used to maintain a count of the completed bytes at driver\nside, since the RT counters maintain the statistics of current transaction\nnow, the maintenance of uc->bcnt is not necessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50541",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: si470x: Fix use-after-free in si470x_int_in_callback()\n\nsyzbot reported use-after-free in si470x_int_in_callback() [1].  This\nindicates that urb->context, which contains struct si470x_device\nobject, is freed when si470x_int_in_callback() is called.\n\nThe cause of this issue is that si470x_int_in_callback() is called for\nfreed urb.\n\nsi470x_usb_driver_probe() calls si470x_start_usb(), which then calls\nusb_submit_urb() and si470x_start().  If si470x_start_usb() fails,\nsi470x_usb_driver_probe() doesn't kill urb, but it just frees struct\nsi470x_device object, as depicted below:\n\nsi470x_usb_driver_probe()\n  ...\n  si470x_start_usb()\n    ...\n    usb_submit_urb()\n    retval = si470x_start()\n    return retval\n  if (retval < 0)\n    free struct si470x_device object, but don't kill urb\n\nThis patch fixes this issue by killing urb when si470x_start_usb()\nfails and urb is submitted.  If si470x_start_usb() fails and urb is\nnot submitted, i.e. submitting usb fails, it just frees struct\nsi470x_device object.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50542",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr->map double free\n\nrxe_mr_cleanup() which tries to free mr->map again will be called when\nrxe_mr_init_user() fails:\n\n   CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n   Call Trace:\n    <TASK>\n    dump_stack_lvl+0x45/0x5d\n    panic+0x19e/0x349\n    end_report.part.0+0x54/0x7c\n    kasan_report.cold+0xa/0xf\n    rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n    __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n    rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n    ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n    ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n    ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr->map once it is\nsuccessfully allocated.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50543",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()\n\nxhci_alloc_stream_info() allocates stream context array for stream_info\n->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,\nstream_info->stream_ctx_array is not released, which will lead to a\nmemory leak.\n\nWe can fix it by releasing the stream_info->stream_ctx_array with\nxhci_free_stream_ctx() on the error path to avoid the potential memory\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50544",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nr6040: Fix kmemleak in probe and remove\n\nThere is a memory leaks reported by kmemleak:\n\n  unreferenced object 0xffff888116111000 (size 2048):\n    comm \"modprobe\", pid 817, jiffies 4294759745 (age 76.502s)\n    hex dump (first 32 bytes):\n      00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff  ................\n      08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60\n      [<ffffffff827e20ee>] phy_device_create+0x4e/0x90\n      [<ffffffff827e6072>] get_phy_device+0xd2/0x220\n      [<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0\n      [<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0\n      [<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]\n      ...\n\nThe problem occurs in probe process as follows:\n  r6040_init_one:\n    mdiobus_register\n      mdiobus_scan    <- alloc and register phy_device,\n                         the reference count of phy_device is 3\n    r6040_mii_probe\n      phy_connect     <- connect to the first phy_device,\n                         so the reference count of the first\n                         phy_device is 4, others are 3\n    register_netdev   <- fault inject succeeded, goto error handling path\n\n    // error handling path\n    err_out_mdio_unregister:\n      mdiobus_unregister(lp->mii_bus);\n    err_out_mdio:\n      mdiobus_free(lp->mii_bus);    <- the reference count of the first\n                                       phy_device is 1, it is not released\n                                       and other phy_devices are released\n  // similarly, the remove process also has the same problem\n\nThe root cause is traced to the phy_device is not disconnected when\nremoves one r6040 device in r6040_remove_one() or on error handling path\nafter r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet\ndevice is connected to the first PHY device of mii_bus, in order to\nnotify the connected driver when the link status changes, which is the\ndefault behavior of the PHY infrastructure to handle everything.\nTherefore the phy_device should be disconnected when removes one r6040\ndevice or on error handling path.\n\nFix it by adding phy_disconnect() when removes one r6040 device or on\nerror handling path after r6040_mii probed successfully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50545",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninititialized value in 'ext4_evict_inode'\n\nSyzbot found the following issue:\n=====================================================\nBUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180\n evict+0x365/0x9a0 fs/inode.c:664\n iput_final fs/inode.c:1747 [inline]\n iput+0x985/0xdd0 fs/inode.c:1773\n __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361\n ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844\n vfs_mknod+0x79d/0x830 fs/namei.c:3914\n do_mknodat+0x47d/0xaa0\n __do_sys_mknodat fs/namei.c:3992 [inline]\n __se_sys_mknodat fs/namei.c:3989 [inline]\n __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578\n alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285\n alloc_slab_page mm/slub.c:1794 [inline]\n allocate_slab+0x1b5/0x1010 mm/slub.c:1939\n new_slab mm/slub.c:1992 [inline]\n ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180\n __slab_alloc mm/slub.c:3279 [inline]\n slab_alloc_node mm/slub.c:3364 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429\n alloc_inode_sb include/linux/fs.h:3117 [inline]\n ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321\n alloc_inode+0x83/0x440 fs/inode.c:259\n new_inode_pseudo fs/inode.c:1018 [inline]\n new_inode+0x3b/0x430 fs/inode.c:1046\n __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959\n ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992\n vfs_mkdir+0x62a/0x870 fs/namei.c:4035\n do_mkdirat+0x466/0x7b0 fs/namei.c:4060\n __do_sys_mkdirat fs/namei.c:4075 [inline]\n __se_sys_mkdirat fs/namei.c:4073 [inline]\n __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nCPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n=====================================================\n\nNow, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If new inode failed\nbefore set 'ei->i_flags' in '__ext4_new_inode()', then do 'iput()'. As after\n6bc0d63dad7f commit will access 'ei->i_flags' in 'ext4_evict_inode()' which\nwill lead to access uninit-value.\nTo solve above issue just init 'ei->i_flags' in 'ext4_alloc_inode()'.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50546",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: solo6x10: fix possible memory leak in solo_sysfs_init()\n\nIf device_register() returns error in solo_sysfs_init(), the\nname allocated by dev_set_name() need be freed. As comment of\ndevice_register() says, it should use put_device() to give up\nthe reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanup().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50547",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: hi846: Fix memory leak in hi846_parse_dt()\n\nIf any of the checks related to the supported link frequencies fail, then\nthe V4L2 fwnode resources don't get released before returning, which leads\nto a memleak. Fix this by properly freeing the V4L2 fwnode data in a\ndesignated label.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50548",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata\n\nFollowing concurrent processes:\n\n          P1(drop cache)                P2(kworker)\ndrop_caches_sysctl_handler\n drop_slab\n  shrink_slab\n   down_read(&shrinker_rwsem)  - LOCK A\n   do_shrink_slab\n    super_cache_scan\n     prune_icache_sb\n      dispose_list\n       evict\n        ext4_evict_inode\n\t ext4_clear_inode\n\t  ext4_discard_preallocations\n\t   ext4_mb_load_buddy_gfp\n\t    ext4_mb_init_cache\n\t     ext4_read_block_bitmap_nowait\n\t      ext4_read_bh_nowait\n\t       submit_bh\n\t        dm_submit_bio\n\t\t                 do_worker\n\t\t\t\t  process_deferred_bios\n\t\t\t\t   commit\n\t\t\t\t    metadata_operation_failed\n\t\t\t\t     dm_pool_abort_metadata\n\t\t\t\t      down_write(&pmd->root_lock) - LOCK B\n\t\t                      __destroy_persistent_data_objects\n\t\t\t\t       dm_block_manager_destroy\n\t\t\t\t        dm_bufio_client_destroy\n\t\t\t\t         unregister_shrinker\n\t\t\t\t\t  down_write(&shrinker_rwsem)\n\t\t thin_map                            |\n\t\t  dm_thin_find_block                 \u2193\n\t\t   down_read(&pmd->root_lock) --> ABBA deadlock\n\n, which triggers hung task:\n\n[   76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.\n[   76.976019]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.978521] task:kworker/u4:3    state:D stack:0     pid:63    ppid:2\n[   76.978534] Workqueue: dm-thin do_worker\n[   76.978552] Call Trace:\n[   76.978564]  __schedule+0x6ba/0x10f0\n[   76.978582]  schedule+0x9d/0x1e0\n[   76.978588]  rwsem_down_write_slowpath+0x587/0xdf0\n[   76.978600]  down_write+0xec/0x110\n[   76.978607]  unregister_shrinker+0x2c/0xf0\n[   76.978616]  dm_bufio_client_destroy+0x116/0x3d0\n[   76.978625]  dm_block_manager_destroy+0x19/0x40\n[   76.978629]  __destroy_persistent_data_objects+0x5e/0x70\n[   76.978636]  dm_pool_abort_metadata+0x8e/0x100\n[   76.978643]  metadata_operation_failed+0x86/0x110\n[   76.978649]  commit+0x6a/0x230\n[   76.978655]  do_worker+0xc6e/0xd90\n[   76.978702]  process_one_work+0x269/0x630\n[   76.978714]  worker_thread+0x266/0x630\n[   76.978730]  kthread+0x151/0x1b0\n[   76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.\n[   76.979756]       Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910\n[   76.982111] task:test.sh         state:D stack:0     pid:2646  ppid:2459\n[   76.982128] Call Trace:\n[   76.982139]  __schedule+0x6ba/0x10f0\n[   76.982155]  schedule+0x9d/0x1e0\n[   76.982159]  rwsem_down_read_slowpath+0x4f4/0x910\n[   76.982173]  down_read+0x84/0x170\n[   76.982177]  dm_thin_find_block+0x4c/0xd0\n[   76.982183]  thin_map+0x201/0x3d0\n[   76.982188]  __map_bio+0x5b/0x350\n[   76.982195]  dm_submit_bio+0x2b6/0x930\n[   76.982202]  __submit_bio+0x123/0x2d0\n[   76.982209]  submit_bio_noacct_nocheck+0x101/0x3e0\n[   76.982222]  submit_bio_noacct+0x389/0x770\n[   76.982227]  submit_bio+0x50/0xc0\n[   76.982232]  submit_bh_wbc+0x15e/0x230\n[   76.982238]  submit_bh+0x14/0x20\n[   76.982241]  ext4_read_bh_nowait+0xc5/0x130\n[   76.982247]  ext4_read_block_bitmap_nowait+0x340/0xc60\n[   76.982254]  ext4_mb_init_cache+0x1ce/0xdc0\n[   76.982259]  ext4_mb_load_buddy_gfp+0x987/0xfa0\n[   76.982263]  ext4_discard_preallocations+0x45d/0x830\n[   76.982274]  ext4_clear_inode+0x48/0xf0\n[   76.982280]  ext4_evict_inode+0xcf/0xc70\n[   76.982285]  evict+0x119/0x2b0\n[   76.982290]  dispose_list+0x43/0xa0\n[   76.982294]  prune_icache_sb+0x64/0x90\n[   76.982298]  super_cache_scan+0x155/0x210\n[   76.982303]  do_shrink_slab+0x19e/0x4e0\n[   76.982310]  shrink_slab+0x2bd/0x450\n[   76.982317]  drop_slab+0xcc/0x1a0\n[   76.982323]  drop_caches_sysctl_handler+0xb7/0xe0\n[   76.982327]  proc_sys_call_handler+0x1bc/0x300\n[   76.982331]  proc_sys_write+0x17/0x20\n[   76.982334]  vfs_write+0x3d3/0x570\n[   76.982342]  ksys_write+0x73/0x160\n[   76.982347]  __x64_sys_write+0x1e/0x30\n[   76.982352]  do_syscall_64+0x35/0x80\n[   76.982357]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFunct\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50549",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix memory leak on add_disk() failures\n\nWhen a gendisk is successfully initialized but add_disk() fails such as when\na loop device has invalid number of minor device numbers specified,\nblkcg_init_disk() is called during init and then blkcg_exit_disk() during\nerror handling. Unfortunately, iolatency gets initialized in the former but\ndoesn't get cleaned up in the latter.\n\nThis is because, in non-error cases, the cleanup is performed by\ndel_gendisk() calling rq_qos_exit(), the assumption being that rq_qos\npolicies, iolatency being one of them, can only be activated once the disk\nis fully registered and visible. That assumption is true for wbt and iocost,\nbut not so for iolatency as it gets initialized before add_disk() is called.\n\nIt is desirable to lazy-init rq_qos policies because they are optional\nfeatures and add to hot path overhead once initialized - each IO has to walk\nall the registered rq_qos policies. So, we want to switch iolatency to lazy\ninit too. However, that's a bigger change. As a fix for the immediate\nproblem, let's just add an extra call to rq_qos_exit() in blkcg_exit_disk().\nThis is safe because duplicate calls to rq_qos_exit() become noop's.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50550",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()\n\nThis patch fixes a shift-out-of-bounds in brcmfmac that occurs in\nBIT(chiprev) when a 'chiprev' provided by the device is too large.\nIt should also not be equal to or greater than BITS_PER_TYPE(u32)\nas we do bitwise AND with a u32 variable and BIT(chiprev). The patch\nadds a check that makes the function return NULL if that is the case.\nNote that the NULL case is later handled by the bus-specific caller,\nbrcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.\n\nFound by a modified version of syzkaller.\n\nUBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c\nshift exponent 151055786 is too large for 64-bit type 'long unsigned int'\nCPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb\n ? lock_chain_count+0x20/0x20\n brcmf_fw_alloc_request.cold+0x19/0x3ea\n ? brcmf_fw_get_firmwares+0x250/0x250\n ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0\n brcmf_usb_get_fwname+0x114/0x1a0\n ? brcmf_usb_reset_resume+0x120/0x120\n ? number+0x6c4/0x9a0\n brcmf_c_process_clm_blob+0x168/0x590\n ? put_dec+0x90/0x90\n ? enable_ptr_key_workfn+0x20/0x20\n ? brcmf_common_pd_remove+0x50/0x50\n ? rcu_read_lock_sched_held+0xa1/0xd0\n brcmf_c_preinit_dcmds+0x673/0xc40\n ? brcmf_c_set_joinpref_default+0x100/0x100\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lock_acquire+0x19d/0x4e0\n ? find_held_lock+0x2d/0x110\n ? brcmf_usb_deq+0x1cc/0x260\n ? mark_held_locks+0x9f/0xe0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n ? trace_hardirqs_on+0x1c/0x120\n ? brcmf_usb_deq+0x1a7/0x260\n ? brcmf_usb_rx_fill_all+0x5a/0xf0\n brcmf_attach+0x246/0xd40\n ? wiphy_new_nm+0x1476/0x1d50\n ? kmemdup+0x30/0x40\n brcmf_usb_probe+0x12de/0x1690\n ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n ? usb_match_id.part.0+0x88/0xc0\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __mutex_unlock_slowpath+0xe7/0x660\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_set_configuration+0x984/0x1770\n ? kernfs_create_link+0x175/0x230\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n ? driver_allows_async_probing+0x120/0x120\n bus_for_each_drv+0x123/0x1a0\n ? bus_rescan_devices+0x20/0x20\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n ? trace_hardirqs_on+0x1c/0x120\n __device_attach+0x207/0x330\n ? device_bind_driver+0xb0/0xb0\n ? kobject_uevent_env+0x230/0x12c0\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n ? __fw_devlink_link_to_suppliers+0x550/0x550\n usb_new_device.cold+0x463/0xf66\n ? hub_disconnect+0x400/0x400\n ? _raw_spin_unlock_irq+0x24/0x30\n hub_event+0x10d5/0x3330\n ? hub_port_debounce+0x280/0x280\n ? __lock_acquire+0x1671/0x5790\n ? wq_calc_node_cpumask+0x170/0x2a0\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x873/0x13e0\n ? lock_release+0x640/0x640\n ? pwq_dec_nr_in_flight+0x320/0x320\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x8b/0xd10\n ? __kthread_parkme+0xd9/0x1d0\n ? pr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50551",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: use quiesced elevator switch when reinitializing queues\n\nThe hctx's run_work may be racing with the elevator switch when\nreinitializing hardware queues. The queue is merely frozen in this\ncontext, but that only prevents requests from allocating and doesn't\nstop the hctx work from running. The work may get an elevator pointer\nthat's being torn down, and can result in use-after-free errors and\nkernel panics (example below). Use the quiesced elevator switch instead,\nand make the previous one static since it is now only used locally.\n\n  nvme nvme0: resetting controller\n  nvme nvme0: 32/0/0 default/read/poll queues\n  BUG: kernel NULL pointer dereference, address: 0000000000000008\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0\n  Oops: 0000 [#1] SMP PTI\n  Workqueue: kblockd blk_mq_run_work_fn\n  RIP: 0010:kyber_has_work+0x29/0x70\n\n...\n\n  Call Trace:\n   __blk_mq_do_dispatch_sched+0x83/0x2b0\n   __blk_mq_sched_dispatch_requests+0x12e/0x170\n   blk_mq_sched_dispatch_requests+0x30/0x60\n   __blk_mq_run_hw_queue+0x2b/0x50\n   process_one_work+0x1ef/0x380\n   worker_thread+0x2d/0x3e0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50552",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'\n\nWhen generate a synthetic event with many params and then create a trace\naction for it [1], kernel panic happened [2].\n\nIt is because that in trace_action_create() 'data->n_params' is up to\nSYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'\nkeeps indices into array 'hist_data->var_refs' for each synthetic event\nparam, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX\n(current value is 16), so out-of-bound write happened when 'data->n_params'\nmore than 16. In this case, 'data->match_data.event' is overwritten and\neventually cause the panic.\n\nTo solve the issue, adjust the length of 'data->var_ref_idx' to be\nSYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.\n\n[1]\n # cd /sys/kernel/tracing/\n # echo \"my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\\\nint v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\\\nint v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\\\nint v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\\\nint v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\\\nint v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\\\nint v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\\\nint v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\\\nint v63\" >> synthetic_events\n # echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm==\"bash\"' >> \\\nevents/sched/sched_waking/trigger\n # echo \"hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\\\npid,pid,pid,pid,pid,pid,pid,pid,pid)\" >> events/sched/sched_switch/trigger\n\n[2]\nBUG: unable to handle page fault for address: ffff91c900000000\nPGD 61001067 P4D 61001067 PUD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 322 Comm: bash Tainted: G        W          6.1.0-rc8+ #229\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:strcmp+0xc/0x30\nCode: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee\nc3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14\n07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3\nRSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000\nRBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000\nR10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580\nR13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538\nFS:  00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0\nCall Trace:\n <TASK>\n __find_event_file+0x55/0x90\n action_create+0x76c/0x1060\n event_hist_trigger_parse+0x146d/0x2060\n ? event_trigger_write+0x31/0xd0\n trigger_process_regex+0xbb/0x110\n event_trigger_write+0x6b/0xd0\n vfs_write+0xc8/0x3e0\n ? alloc_fd+0xc0/0x160\n ? preempt_count_add+0x4d/0xa0\n ? preempt_count_add+0x70/0xa0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1d1d0cf077\nCode: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e\nfa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00\nf0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74\nRSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077\nRDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001\nRBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142\nR\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50553",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: avoid double ->queue_rq() because of early timeout\n\nDavid Jeffery found one double ->queue_rq() issue, so far it can\nbe triggered in VM use case because of long vmexit latency or preempt\nlatency of vCPU pthread or long page fault in vCPU pthread, then block\nIO req could be timed out before queuing the request to hardware but after\ncalling blk_mq_start_request() during ->queue_rq(), then timeout handler\nmay handle it by requeue, then double ->queue_rq() is caused, and kernel\npanic.\n\nSo far, it is driver's responsibility to cover the race between timeout\nand completion, so it seems supposed to be solved in driver in theory,\ngiven driver has enough knowledge.\n\nBut it is really one common problem, lots of driver could have similar\nissue, and could be hard to fix all affected drivers, even it isn't easy\nfor driver to handle the race. So David suggests this patch by draining\nin-progress ->queue_rq() for solving this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50554",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a null-ptr-deref in tipc_topsrv_accept\n\nsyzbot found a crash in tipc_topsrv_accept:\n\n  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n  Workqueue: tipc_rcv tipc_topsrv_accept\n  RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487\n  Call Trace:\n   <TASK>\n   tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460\n   process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n   worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n   kthread+0x2e4/0x3a0 kernel/kthread.c:376\n   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nIt was caused by srv->listener that might be set to null by\ntipc_topsrv_stop() in net .exit whereas it's still used in\ntipc_topsrv_accept() worker.\n\nsrv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add\na check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to\navoid the null-ptr-deref. To ensure the lsock is not released during the\ntipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()\nwhere it's waiting until the tipc_topsrv_accept worker to be done.\n\nNote that sk_callback_lock is used to protect sk->sk_user_data instead of\nsrv->listener, and it should check srv in tipc_topsrv_listener_data_ready()\ninstead. This also ensures that no more tipc_topsrv_accept worker will be\nstarted after tipc_conn_close() is called in tipc_topsrv_stop() where it\nsets sk->sk_user_data to null.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50555",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix potential null-ptr-deref due to drmm_mode_config_init()\n\ndrmm_mode_config_init() will call drm_mode_create_standard_properties()\nand won't check the ret value. When drm_mode_create_standard_properties()\nfailed due to alloc, property will be a NULL pointer and may causes the\nnull-ptr-deref. Fix the null-ptr-deref by adding the ret value check.\n\nFound null-ptr-deref while testing insert module bochs:\ngeneral protection fault, probably for non-canonical address\n    0xdffffc000000000c: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]\nCPU: 3 PID: 249 Comm: modprobe Not tainted 6.1.0-rc1+ #364\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:drm_object_attach_property+0x73/0x3c0 [drm]\nCall Trace:\n <TASK>\n __drm_connector_init+0xb6c/0x1100 [drm]\n bochs_pci_probe.cold.11+0x4cb/0x7fe [bochs]\n pci_device_probe+0x17d/0x340\n really_probe+0x1db/0x5d0\n __driver_probe_device+0x1e7/0x250\n driver_probe_device+0x4a/0x120\n __driver_attach+0xcd/0x2c0\n bus_for_each_dev+0x11a/0x1b0\n bus_add_driver+0x3d7/0x500\n driver_register+0x18e/0x320\n do_one_initcall+0xc4/0x3e0\n do_init_module+0x1b4/0x630\n load_module+0x5dca/0x7230\n __do_sys_finit_module+0x100/0x170\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ff65af9f839",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50556",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: thunderbay: fix possible memory leak in thunderbay_build_functions()\n\nThe thunderbay_add_functions() will free memory of thunderbay_funcs\nwhen everything is ok, but thunderbay_funcs will not be freed when\nthunderbay_add_functions() fails, then there will be a memory leak,\nso we need to add kfree() when thunderbay_add_functions() fails to\nfix it.\n\nIn addition, doing some cleaner works, moving kfree(funcs) from\nthunderbay_add_functions() to thunderbay_build_functions().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap-irq: Use the new num_config_regs property in regmap_add_irq_chip_fwnode\n\nCommit faa87ce9196d (\"regmap-irq: Introduce config registers for irq\ntypes\") added the num_config_regs, then commit 9edd4f5aee84 (\"regmap-irq:\nDeprecate type registers and virtual registers\") suggested to replace\nnum_type_reg with it. However, regmap_add_irq_chip_fwnode wasn't modified\nto use the new property. Later on, commit 255a03bb1bb3 (\"ASoC: wcd9335:\nConvert irq chip to config regs\") removed the old num_type_reg property\nfrom the WCD9335 driver's struct regmap_irq_chip, causing a null pointer\ndereference in regmap_irq_set_type when it tried to index d->type_buf as\nit was never allocated in regmap_add_irq_chip_fwnode:\n\n[   39.199374] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\n[   39.200006] Call trace:\n[   39.200014]  regmap_irq_set_type+0x84/0x1c0\n[   39.200026]  __irq_set_trigger+0x60/0x1c0\n[   39.200040]  __setup_irq+0x2f4/0x78c\n[   39.200051]  request_threaded_irq+0xe8/0x1a0\n\nUse num_config_regs in regmap_add_irq_chip_fwnode instead of num_type_reg,\nand fall back to it if num_config_regs isn't defined to maintain backward\ncompatibility.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50558",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: scu: fix memleak on platform_device_add() fails\n\nNo error handling is performed when platform_device_add()\nfails. Add error processing before return, and modified\nthe return value.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn't being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device's struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[  +0.000014] =============================================================\n[  +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[  +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[  +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1\n[  +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[  +0.000008] Call trace:\n[  +0.000005]  dump_backtrace+0x1ec/0x280\n[  +0.000011]  show_stack+0x24/0x80\n[  +0.000007]  dump_stack_lvl+0x98/0xd4\n[  +0.000010]  print_address_description.constprop.0+0x80/0x520\n[  +0.000011]  print_report+0x128/0x260\n[  +0.000007]  kasan_report+0xb8/0xfc\n[  +0.000007]  __asan_report_load8_noabort+0x3c/0x50\n[  +0.000009]  find_components+0x468/0x500\n[  +0.000008]  try_to_bring_up_aggregate_device+0x64/0x390\n[  +0.000009]  __component_add+0x1dc/0x49c\n[  +0.000009]  component_add+0x20/0x30\n[  +0.000008]  meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[  +0.000013]  platform_probe+0xd0/0x220\n[  +0.000008]  really_probe+0x3ac/0xa80\n[  +0.000008]  __driver_probe_device+0x1f8/0x400\n[  +0.000008]  driver_probe_device+0x68/0x1b0\n[  +0.000008]  __driver_attach+0x20c/0x480\n[  +0.000009]  bus_for_each_dev+0x114/0x1b0\n[  +0.000007]  driver_attach+0x48/0x64\n[  +0.000009]  bus_add_driver+0x390/0x564\n[  +0.000007]  driver_register+0x1a8/0x3e4\n[  +0.000009]  __platform_driver_register+0x6c/0x94\n[  +0.000007]  meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[  +0.000014]  do_one_initcall+0xc4/0x2b0\n[  +0.000008]  do_init_module+0x154/0x570\n[  +0.000010]  load_module+0x1a78/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000008]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000008]  invoke_syscall+0x74/0x260\n[  +0.000008]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000009]  do_el0_svc+0x50/0x70\n[  +0.000008]  el0_svc+0x68/0x1a0\n[  +0.000009]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000009]  el0t_64_sync+0x18c/0x190\n\n[  +0.000014] Allocated by task 902:\n[  +0.000007]  kasan_save_stack+0x2c/0x5c\n[  +0.000009]  __kasan_kmalloc+0x90/0xd0\n[  +0.000007]  __kmalloc_node+0x240/0x580\n[  +0.000010]  memcg_alloc_slab_cgroups+0xa4/0x1ac\n[  +0.000010]  memcg_slab_post_alloc_hook+0xbc/0x4c0\n[  +0.000008]  kmem_cache_alloc_node+0x1d0/0x490\n[  +0.000009]  __alloc_skb+0x1d4/0x310\n[  +0.000010]  alloc_skb_with_frags+0x8c/0x620\n[  +0.000008]  sock_alloc_send_pskb+0x5ac/0x6d0\n[  +0.000010]  unix_dgram_sendmsg+0x2e0/0x12f0\n[  +0.000010]  sock_sendmsg+0xcc/0x110\n[  +0.000007]  sock_write_iter+0x1d0/0x304\n[  +0.000008]  new_sync_write+0x364/0x460\n[  +0.000007]  vfs_write+0x420/0x5ac\n[  +0.000008]  ksys_write+0x19c/0x1f0\n[  +0.000008]  __arm64_sys_write+0x78/0xb0\n[  +0.000007]  invoke_syscall+0x74/0x260\n[  +0.000008]  el0_svc_common.constprop.0+0x1a8/0x260\n[  +0.000009]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000008]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000008]  el0t_64_sync+0x18c/0x190\n\n[  +0.000013] Freed by task 2509:\n[  +0.000008]  kasan_save_stack+0x2c/0x5c\n[  +0.000007]  kasan_set_track+0x2c/0x40\n[  +0.000008]  kasan_set_free_info+0x28/0x50\n[  +0.000008]  ____kasan_slab_free+0x128/0x1d4\n[  +0.000008]  __kasan_slab_free+0x18/0x24\n[  +0.000007]  slab_free_freelist_hook+0x108/0x230\n[  +0.000010] \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: fix memory leak in iio_device_register_eventset()\n\nWhen iio_device_register_sysfs_group() returns failed,\niio_device_register_eventset() needs to free attrs array.\n\nOtherwise, kmemleak would scan & report memory leak as below:\n\nunreferenced object 0xffff88810a1cc3c0 (size 32):\n  comm \"100-i2c-vcnl302\", pid 728, jiffies 4295052307 (age 156.027s)\n  backtrace:\n    __kmalloc+0x46/0x1b0\n    iio_device_register_eventset at drivers/iio/industrialio-event.c:541\n    __iio_device_register at drivers/iio/industrialio-core.c:1959\n    __devm_iio_device_register at drivers/iio/industrialio-core.c:2040",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: acpi: Call acpi_put_table() to fix memory leak\n\nThe start and length of the event log area are obtained from\nTPM2 or TCPA table, so we call acpi_get_table() to get the\nACPI information, but the acpi_get_table() should be coupled with\nacpi_put_table() to release the ACPI memory, add the acpi_put_table()\nproperly to fix the memory leak.\n\nWhile we are at it, remove the redundant empty line at the\nend of the tpm_read_log_acpi().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n<snip>\n Call Trace:\n  <IRQ>\n  dump_stack_lvl+0x73/0x9f\n  print_report.cold+0x132/0xaa2\n  _raw_spin_lock_irqsave+0xcd/0x160\n  __run_timers+0x173/0x710\n  kasan_report+0xad/0x110\n  __run_timers+0x173/0x710\n  __asan_store8+0x9c/0x140\n  __run_timers+0x173/0x710\n  call_timer_fn+0x310/0x310\n  pvclock_clocksource_read+0xfa/0x250\n  kvm_clock_read+0x2c/0x70\n  kvm_clock_get_cycles+0xd/0x20\n  ktime_get+0x5c/0x110\n  lapic_next_event+0x38/0x50\n  clockevents_program_event+0xf1/0x1e0\n  run_timer_softirq+0x49/0x90\n  __do_softirq+0x16e/0x62c\n  __irq_exit_rcu+0x1fa/0x270\n  irq_exit_rcu+0x12/0x20\n  sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n        use                                  free\ndo_resume                           |\n  __find_device_hash_cell           |\n    dm_get                          |\n      atomic_inc(&md->holders)      |\n                                    | dm_destroy\n                                    |   __dm_destroy\n                                    |     if (!dm_suspended_md(md))\n                                    |     atomic_read(&md->holders)\n                                    |     msleep(1)\n  dm_resume                         |\n    __dm_resume                     |\n      dm_table_resume_targets       |\n        pool_resume                 |\n          do_waker  #add delay work |\n  dm_put                            |\n    atomic_dec(&md->holders)        |\n                                    |     dm_table_destroy\n                                    |       pool_dtr\n                                    |         __pool_dec\n                                    |           __pool_destroy\n                                    |             destroy_workqueue\n                                    |             kfree(pool) # free pool\n        time out\n__do_softirq\n  run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n  1. create thin-pool\n  2. dmsetup suspend pool\n  3. dmsetup resume pool\n  4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/netiucv: Fix return type of netiucv_tx()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n  drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .ndo_start_xmit         = netiucv_tx,\n                                    ^~~~~~~~~~\n\n->ndo_start_xmit() in 'struct net_device_ops' expects a return type of\n'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to\nmatch the prototype's to resolve the warning and potential CFI failure,\nshould s390 select ARCH_SUPPORTS_CFI_CLANG in the future.\n\nAdditionally, while in the area, remove a comment block that is no\nlonger relevant.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: plfxlc: fix potential memory leak in __lf_x_usb_enable_rx()\n\nurbs does not be freed in exception paths in __lf_x_usb_enable_rx().\nThat will trigger memory leak. To fix it, add kfree() for urbs within\n\"error\" label. Compile tested only.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix device name leak when register device failed in add_mtd_device()\n\nThere is a kmemleak when register device failed:\n  unreferenced object 0xffff888101aab550 (size 8):\n    comm \"insmod\", pid 3922, jiffies 4295277753 (age 925.408s)\n    hex dump (first 8 bytes):\n      6d 74 64 30 00 88 ff ff                          mtd0....\n    backtrace:\n      [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150\n      [<000000003c32b416>] kvasprintf+0xb0/0x130\n      [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0\n      [<000000006e781163>] dev_set_name+0xab/0xe0\n      [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700\n      [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0\n      [<00000000c0d88488>] 0xffffffffa0238457\n      [<00000000b40d0922>] 0xffffffffa02a008f\n      [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0\n      [<00000000770f6ca6>] do_init_module+0xdf/0x320\n      [<000000007b6768fe>] load_module+0x2f98/0x3330\n      [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0\n      [<00000000674c2290>] do_syscall_64+0x35/0x80\n      [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nIf register device failed, should call put_device() to give up the\nreference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: fix shift-out-of-bounds in dbAllocAG\n\nSyzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The\nunderlying bug is the missing check of bmp->db_agl2size. The field can\nbe greater than 64 and trigger the shift-out-of-bounds.\n\nFix this bug by adding a check of bmp->db_agl2size in dbMount since this\nfield is used in many following functions. The upper bound for this\nfield is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp.\nNote that, for maintenance, I reorganized error handling code of dbMount.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: fix f_hidg lifetime vs cdev\n\nThe embedded struct cdev does not have its lifetime correctly tied to\nthe enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN\nis held open while the gadget is deleted.\n\nThis can readily be replicated with libusbgx's example programs (for\nconciseness - operating directly via configfs is equivalent):\n\n\tgadget-hid\n\texec 3<> /dev/hidg0\n\tgadget-vid-pid-remove\n\texec 3<&-\n\nPull the existing device up in to struct f_hidg and make use of the\ncdev_device_{add,del}() helpers.  This changes the lifetime of the\ndevice object to match struct f_hidg, but note that it is still added\nand deleted at the same time.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Update ipcomp_scratches with NULL when freed\n\nCurrently if ipcomp_alloc_scratches() fails to allocate memory\nipcomp_scratches holds obsolete address. So when we try to free the\npercpu scratches using ipcomp_free_scratches() it tries to vfree non\nexistent vm area. Described below:\n\nstatic void * __percpu *ipcomp_alloc_scratches(void)\n{\n        ...\n        scratches = alloc_percpu(void *);\n        if (!scratches)\n                return NULL;\nipcomp_scratches does not know about this allocation failure.\nTherefore holding the old obsolete address.\n        ...\n}\n\nSo when we free,\n\nstatic void ipcomp_free_scratches(void)\n{\n        ...\n        scratches = ipcomp_scratches;\nAssigning obsolete address from ipcomp_scratches\n\n        if (!scratches)\n                return;\n\n        for_each_possible_cpu(i)\n               vfree(*per_cpu_ptr(scratches, i));\nTrying to free non existent page, causing warning: trying to vfree\nexistent vm area.\n        ...\n}\n\nFix this breakage by updating ipcomp_scrtches with NULL when scratches\nis freed",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: fix memory corruption in ioctl\n\nIf \"s_mem.bytes\" is larger than the buffer size it leads to memory\ncorruption.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: call __btrfs_remove_free_space_cache_locked on cache load failure\n\nNow that lockdep is staying enabled through our entire CI runs I started\nseeing the following stack in generic/475\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0\nCPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\nWorkqueue: btrfs-cache btrfs_work_helper\nRIP: 0010:btrfs_discard_update_discardable+0x98/0xb0\nRSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8c85c605c200 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ffffffff86807c5b RDI: ffffffff868a831e\nRBP: ffff8c85c4c54000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff8c85c66932f0 R11: 0000000000000001 R12: ffff8c85c3899010\nR13: ffff8c85d5be4f40 R14: ffff8c85c4c54000 R15: ffff8c86114bfa80\nFS:  0000000000000000(0000) GS:ffff8c863bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2e7f168160 CR3: 000000010289a004 CR4: 0000000000370ee0\nCall Trace:\n\n __btrfs_remove_free_space_cache+0x27/0x30\n load_free_space_cache+0xad2/0xaf0\n caching_thread+0x40b/0x650\n ? lock_release+0x137/0x2d0\n btrfs_work_helper+0xf2/0x3e0\n ? lock_is_held_type+0xe2/0x140\n process_one_work+0x271/0x590\n ? process_one_work+0x590/0x590\n worker_thread+0x52/0x3b0\n ? process_one_work+0x590/0x590\n kthread+0xf0/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n\nThis is the code\n\n        ctl = block_group->free_space_ctl;\n        discard_ctl = &block_group->fs_info->discard_ctl;\n\n        lockdep_assert_held(&ctl->tree_lock);\n\nWe have a temporary free space ctl for loading the free space cache in\norder to avoid having allocations happening while we're loading the\ncache.  When we hit an error we free it all up, however this also calls\nbtrfs_discard_update_discardable, which requires\nblock_group->free_space_ctl->tree_lock to be held.  However this is our\ntemporary ctl so this lock isn't held.  Fix this by calling\n__btrfs_remove_free_space_cache_locked instead so that we only clean up\nthe entries and do not mess with the discardable stats.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()\n\nThe of_get_next_child() returns a node with refcount incremented, and\ndecrements the refcount of prev. So in the error path of the while loop,\nof_node_put() needs be called for cpu_ep.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix mt7915_rate_txpower_get() resource leaks\n\nCoverity message: variable \"buf\" going out of scope leaks the storage.\n\nAddresses-Coverity-ID: 1527799 (\"Resource leaks\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/omap: dss: Fix refcount leak bugs\n\nIn dss_init_ports() and __dss_uninit_ports(), we should call\nof_node_put() for the reference returned by of_graph_get_port_by_id()\nin fail path or when it is not used anymore.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()\n\nAs 'kdata.num' is user-controlled data, if user tries to allocate\nmemory larger than(>=) MAX_ORDER, then kcalloc() will fail, it\ncreates a stack trace and messes up dmesg with a warning.\n\nCall trace:\n-> privcmd_ioctl\n--> privcmd_ioctl_mmap_resource\n\nAdd __GFP_NOWARN in order to avoid too large allocation warning.\nThis is detected by static analysis using smatch.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50575",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: pch: Fix PCI device refcount leak in pch_request_dma()\n\nAs comment of pci_get_slot() says, it returns a pci_device with its\nrefcount increased. The caller must decrement the reference count by\ncalling pci_dev_put().\n\nSince 'dma_dev' is only used to filter the channel in filter(), we can\ncall pci_dev_put() before exiting from pch_request_dma(). Add the\nmissing pci_dev_put() for the normal and error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix memory leak in __ima_inode_hash()\n\nCommit f3cc6b25dcc5 (\"ima: always measure and audit files in policy\") lets\nmeasurement or audit happen even if the file digest cannot be calculated.\n\nAs a result, iint->ima_hash could have been allocated despite\nima_collect_measurement() returning an error.\n\nSince ima_hash belongs to a temporary inode metadata structure, declared\nat the beginning of __ima_inode_hash(), just add a kfree() call if\nima_collect_measurement() returns an error different from -ENOMEM (in that\ncase, ima_hash should not have been allocated).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix possible memory leak in __class_register()\n\nIf class_add_groups() returns error, the 'cp->subsys' need be\nunregister, and the 'cp' need be freed.\n\nWe can not call kset_unregister() here, because the 'cls' will\nbe freed in callback function class_release() and it's also\nfreed in caller's error path, it will cause double free.\n\nSo fix this by calling kobject_del() and kfree_const(name) to\ncleanup kobject. Besides, call kfree() to free the 'cp'.\n\nFault injection test can trigger this:\n\nunreferenced object 0xffff888102fa8190 (size 8):\n  comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n  hex dump (first 8 bytes):\n    70 6b 74 63 64 76 64 00                          pktcdvd.\n  backtrace:\n    [<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320\n    [<000000005e4d70bc>] kstrdup+0x3a/0x70\n    [<00000000c2e5e85a>] kstrdup_const+0x68/0x80\n    [<000000000049a8c7>] kvasprintf_const+0x10b/0x190\n    [<0000000029123163>] kobject_set_name_vargs+0x56/0x150\n    [<00000000747219c9>] kobject_set_name+0xab/0xe0\n    [<0000000005f1ea4e>] __class_register+0x15c/0x49a\n\nunreferenced object 0xffff888037274000 (size 1024):\n  comm \"modprobe\", pid 502, jiffies 4294906074 (age 49.296s)\n  hex dump (first 32 bytes):\n    00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff  .@'7.....@'7....\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n  backtrace:\n    [<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0\n    [<00000000ecf3dd95>] __class_register+0x86/0x49a",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: fix module PLTs with mcount\n\nLi Huafei reports that mcount-based ftrace with module PLTs was broken\nby commit:\n\n  a6253579977e4c6f (\"arm64: ftrace: consistently handle PLTs.\")\n\nWhen a module PLTs are used and a module is loaded sufficiently far away\nfrom the kernel, we'll create PLTs for any branches which are\nout-of-range. These are separate from the special ftrace trampoline\nPLTs, which the module PLT code doesn't directly manipulate.\n\nWhen mcount is in use this is a problem, as each mcount callsite in a\nmodule will be initialized to point to a module PLT, but since commit\na6253579977e4c6f ftrace_make_nop() will assume that the callsite has\nbeen initialized to point to the special ftrace trampoline PLT, and\nftrace_find_callable_addr() rejects other cases.\n\nThis means that when ftrace tries to initialize a callsite via\nftrace_make_nop(), the call to ftrace_find_callable_addr() will find\nthat the `_mcount` stub is out-of-range and is not handled by the ftrace\nPLT, resulting in a splat:\n\n| ftrace_test: loading out-of-tree module taints kernel.\n| ftrace: no module PLT for _mcount\n| ------------[ ftrace bug ]------------\n| ftrace failed to modify\n| [<ffff800029180014>] 0xffff800029180014\n|  actual:   44:00:00:94\n| Initializing ftrace call sites\n| ftrace record flags: 2000000\n|  (0)\n|  expected tramp: ffff80000802eb3c\n| ------------[ cut here ]------------\n| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270\n| Modules linked in:\n| CPU: 3 PID: 157 Comm: insmod Tainted: G           O       6.0.0-rc6-00151-gcd722513a189-dirty #22\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : ftrace_bug+0x94/0x270\n| lr : ftrace_bug+0x21c/0x270\n| sp : ffff80000b2bbaf0\n| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000\n| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00\n| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8\n| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff\n| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118\n| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666\n| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030\n| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4\n| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001\n| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022\n| Call trace:\n|  ftrace_bug+0x94/0x270\n|  ftrace_process_locs+0x308/0x430\n|  ftrace_module_init+0x44/0x60\n|  load_module+0x15b4/0x1ce8\n|  __do_sys_init_module+0x1ec/0x238\n|  __arm64_sys_init_module+0x24/0x30\n|  invoke_syscall+0x54/0x118\n|  el0_svc_common.constprop.4+0x84/0x100\n|  do_el0_svc+0x3c/0xd0\n|  el0_svc+0x1c/0x50\n|  el0t_64_sync_handler+0x90/0xb8\n|  el0t_64_sync+0x15c/0x160\n| ---[ end trace 0000000000000000 ]---\n| ---------test_init-----------\n\nFix this by reverting to the old behaviour of ignoring the old\ninstruction when initialising an mcount callsite in a module, which was\nthe behaviour prior to commit a6253579977e4c6f.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50579",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: prevent overflow while calculating wait time\n\nThere is a problem found by code review in tg_with_in_bps_limit() that\n'bps_limit * jiffy_elapsed_rnd' might overflow. Fix the problem by\ncalling mul_u64_u64_div_u64() instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix OOB Read in __hfs_brec_find\n\nSyzbot reported a OOB read bug:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190\nfs/hfs/string.c:84\nRead of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11\nCPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted\n6.1.0-rc6-syzkaller-00308-g644e9524388a #0\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n hfs_strcmp+0x117/0x190 fs/hfs/string.c:84\n __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75\n hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138\n hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462\n write_inode fs/fs-writeback.c:1440 [inline]\n\nIf the input inode of hfs_write_inode() is incorrect:\nstruct inode\n  struct hfs_inode_info\n    struct hfs_cat_key\n      struct hfs_name\n        u8 len # len is greater than HFS_NAMELEN(31) which is the\nmaximum length of an HFS filename\n\nOOB read occurred:\nhfs_write_inode()\n  hfs_brec_find()\n    __hfs_brec_find()\n      hfs_cat_keycmp()\n        hfs_strcmp() # OOB read occurred due to len is too large\n\nFix this by adding a Check on len in hfs_write_inode() before calling\nhfs_brec_find().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Prevent integer underflow\n\nBy using a ratio of delay to poll_enabled_time that is not integer\ntime_remaining underflows and does not exit the loop as expected.\nAs delay could be derived from DT and poll_enabled_time is defined\nin the driver this can easily happen.\n\nUse a signed iterator to make sure that the loop exits once\nthe remaining time is negative.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid0, raid10: Don't set discard sectors for request queue\n\nIt should use disk_stack_limits to get a proper max_discard_sectors\nrather than setting a value by stack drivers.\n\nAnd there is a bug. If all member disks are rotational devices,\nraid0/raid10 set max_discard_sectors. So the member devices are\nnot ssd/nvme, but raid0/raid10 export the wrong value. It reports\nwarning messages in function __blkdev_issue_discard when mkfs.xfs\nlike this:\n\n[ 4616.022599] ------------[ cut here ]------------\n[ 4616.027779] WARNING: CPU: 4 PID: 99634 at block/blk-lib.c:50 __blkdev_issue_discard+0x16a/0x1a0\n[ 4616.140663] RIP: 0010:__blkdev_issue_discard+0x16a/0x1a0\n[ 4616.146601] Code: 24 4c 89 20 31 c0 e9 fe fe ff ff c1 e8 09 8d 48 ff 4c 89 f0 4c 09 e8 48 85 c1 0f 84 55 ff ff ff b8 ea ff ff ff e9 df fe ff ff <0f> 0b 48 8d 74 24 08 e8 ea d6 00 00 48 c7 c6 20 1e 89 ab 48 c7 c7\n[ 4616.167567] RSP: 0018:ffffaab88cbffca8 EFLAGS: 00010246\n[ 4616.173406] RAX: ffff9ba1f9e44678 RBX: 0000000000000000 RCX: ffff9ba1c9792080\n[ 4616.181376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ba1c9792080\n[ 4616.189345] RBP: 0000000000000cc0 R08: ffffaab88cbffd10 R09: 0000000000000000\n[ 4616.197317] R10: 0000000000000012 R11: 0000000000000000 R12: 0000000000000000\n[ 4616.205288] R13: 0000000000400000 R14: 0000000000000cc0 R15: ffff9ba1c9792080\n[ 4616.213259] FS:  00007f9a5534e980(0000) GS:ffff9ba1b7c80000(0000) knlGS:0000000000000000\n[ 4616.222298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4616.228719] CR2: 000055a390a4c518 CR3: 0000000123e40006 CR4: 00000000001706e0\n[ 4616.236689] Call Trace:\n[ 4616.239428]  blkdev_issue_discard+0x52/0xb0\n[ 4616.244108]  blkdev_common_ioctl+0x43c/0xa00\n[ 4616.248883]  blkdev_ioctl+0x116/0x280\n[ 4616.252977]  __x64_sys_ioctl+0x8a/0xc0\n[ 4616.257163]  do_syscall_64+0x5c/0x90\n[ 4616.261164]  ? handle_mm_fault+0xc5/0x2a0\n[ 4616.265652]  ? do_user_addr_fault+0x1d8/0x690\n[ 4616.270527]  ? do_syscall_64+0x69/0x90\n[ 4616.274717]  ? exc_page_fault+0x62/0x150\n[ 4616.279097]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 4616.284748] RIP: 0033:0x7f9a55398c6b",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic\n\nThe dma_map_single() doesn't permit zero length mapping. It causes a follow\npanic.\n\nA panic was reported on arm64:\n\n[   60.137988] ------------[ cut here ]------------\n[   60.142630] kernel BUG at kernel/dma/swiotlb.c:624!\n[   60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[   60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l\n2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn\nc videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl\n[   60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237\n[   60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT)\n[   60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590\n[   60.213149] lr : swiotlb_map+0x88/0x1f0\n[   60.216982] sp : ffff80000a883bc0\n[   60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000\n[   60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0\n[   60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000\n[   60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000\n[   60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180\n[   60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000\n[   60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[   60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000\n[   60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001\n[   60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010\n[   60.291658] Call trace:\n[   60.294100]  swiotlb_tbl_map_single+0x2c0/0x590\n[   60.298629]  swiotlb_map+0x88/0x1f0\n[   60.302115]  dma_map_page_attrs+0x188/0x230\n[   60.306299]  pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test]\n[   60.312660]  __arm64_sys_ioctl+0xa8/0xf0\n[   60.316583]  invoke_syscall+0x44/0x108\n[   60.320334]  el0_svc_common.constprop.0+0xcc/0xf0\n[   60.325038]  do_el0_svc+0x2c/0xb8\n[   60.328351]  el0_svc+0x2c/0x88\n[   60.331406]  el0t_64_sync_handler+0xb8/0xc0\n[   60.335587]  el0t_64_sync+0x18c/0x190\n[   60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000)\n[   60.345344] ---[ end trace 0000000000000000 ]---\n\nTo fix it, this patch adds a checking the payload length if it is zero.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()\n\npci_get_device() will increase the reference count for the returned\npci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its\nreference count increased. We need to call pci_dev_put() to decrease the\nreference count. Let's add the missing pci_dev_put().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Use different devices for resource allocation and DT lookup\n\nFollowing by the below discussion, there's the potential UAF issue\nbetween regulator and mfd.\nhttps://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/\n\nFrom the analysis of Yingliang\n\nCPU A\t\t\t\t|CPU B\nmt6370_probe()\t\t\t|\n  devm_mfd_add_devices()\t|\n\t\t\t\t|mt6370_regulator_probe()\n\t\t\t\t|  regulator_register()\n\t\t\t\t|    //allocate init_data and add it to devres\n\t\t\t\t|    regulator_of_get_init_data()\ni2c_unregister_device()\t\t|\n  device_del()\t\t\t|\n    devres_release_all()\t|\n      // init_data is freed\t|\n      release_nodes()\t\t|\n\t\t\t\t|  // using init_data causes UAF\n\t\t\t\t|  regulator_register()\n\nIt's common to use mfd core to create child device for the regulator.\nIn order to do the DT lookup for init data, the child that registered\nthe regulator would pass its parent as the parameter. And this causes\ninit data resource allocated to its parent, not itself. The issue happen\nwhen parent device is going to release and regulator core is still doing\nsome operation of init data constraint for the regulator of child device.\n\nTo fix it, this patch expand 'regulator_register' API to use the\ndifferent devices for init data allocation and DT lookup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/powerplay/psm: Fix memory leak in power state init\n\nCommit 902bc65de0b3 (\"drm/amdgpu/powerplay/psm: return an error in power\nstate init\") made the power state init function return early in case of\nfailure to get an entry from the powerplay table, but it missed to clean up\nthe allocated memory for the current power state before returning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: meson-gx: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n   delete device, but it's not added yet, it will lead a kernel\n   crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path which\nwill call mmc_free_host().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()\n\nIf the number of pages from the userptr BO differs from the SG BO then the\nallocated memory for the SG table doesn't get freed before returning\n-EINVAL, which may lead to a memory leak in some error paths. Fix this by\nchecking the number of pages before allocating memory for the SG table.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to invalidate dcc->f2fs_issue_discard in error path\n\nSyzbot reports a NULL pointer dereference issue as below:\n\n __refcount_add include/linux/refcount.h:193 [inline]\n __refcount_inc include/linux/refcount.h:250 [inline]\n refcount_inc include/linux/refcount.h:267 [inline]\n get_task_struct include/linux/sched/task.h:110 [inline]\n kthread_stop+0x34/0x1c0 kernel/kthread.c:703\n f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638\n kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522\n deactivate_locked_super+0x70/0xe8 fs/super.c:332\n deactivate_super+0xd0/0xd4 fs/super.c:363\n cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186\n __cleanup_mnt+0x20/0x30 fs/namespace.c:1193\n task_work_run+0xc4/0x14c kernel/task_work.c:177\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x26c/0xbe0 kernel/exit.c:795\n do_group_exit+0x60/0xe8 kernel/exit.c:925\n __do_sys_exit_group kernel/exit.c:936 [inline]\n __se_sys_exit_group kernel/exit.c:934 [inline]\n __wake_up_parent+0x0/0x40 kernel/exit.c:934\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581\n\nThe root cause of this issue is in error path of f2fs_start_discard_thread(),\nit missed to invalidate dcc->f2fs_issue_discard, later kthread_stop() may\naccess invalid pointer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: verity-loadpin: Only trust verity targets with enforcement\n\nVerity targets can be configured to ignore corrupted data blocks.\nLoadPin must only trust verity targets that are configured to\nperform some kind of enforcement when data corruption is detected,\nlike returning an error, restarting the system or triggering a\npanic.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_modified_inode()\n\nAs krealloc may return NULL, in this case 'state->fc_modified_inodes'\nmay not be freed by krealloc, but 'state->fc_modified_inodes' already\nset NULL. Then will lead to 'state->fc_modified_inodes' memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: prevent integer overflow in dfl_feature_ioctl_set_irq()\n\nThe \"hdr.count * sizeof(s32)\" multiplication can overflow on 32 bit\nsystems leading to memory corruption.  Use array_size() to fix that.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netsec: fix error handling in netsec_register_mdio()\n\nIf phy_device_register() fails, phy_device_free() need be called to\nput refcount, so memory of phy device and device name can be freed\nin callback function.\n\nIf get_phy_device() fails, mdiobus_unregister() need be called,\nor it will cause warning in mdiobus_free() and kobject is leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: amba-pl011: avoid SBSA UART accessing DMACR register\n\nChapter \"B Generic UART\" in \"ARM Server Base System Architecture\" [1]\ndocumentation describes a generic UART interface. Such generic UART\ndoes not support DMA. In current code, sbsa_uart_pops and\namba_pl011_pops share the same stop_rx operation, which will invoke\npl011_dma_rx_stop, leading to an access of the DMACR register. This\ncommit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the\naccess to DMACR register for SBSA UARTs which does not support DMA.\n\nWhen the kernel enables DMA engine with \"CONFIG_DMA_ENGINE=y\", Linux\nSBSA PL011 driver will access PL011 DMACR register in some functions.\nFor most real SBSA Pl011 hardware implementations, the DMACR write\nbehaviour will be ignored. So these DMACR operations will not cause\nobvious problems. But for some virtual SBSA PL011 hardware, like Xen\nvirtual SBSA PL011 (vpl011) device, the behaviour might be different.\nXen vpl011 emulation will inject a data abort to guest, when guest is\naccessing an unimplemented UART register. As Xen VPL011 is SBSA\ncompatible, it will not implement DMACR register. So when Linux SBSA\nPL011 driver access DMACR register, it will get an unhandled data abort\nfault and the application will get a segmentation fault:\nUnhandled fault at 0xffffffc00944d048\nMem abort info:\n  ESR = 0x96000000\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x00: ttbr address size fault\nData abort info:\n  ISV = 0, ISS = 0x00000000\n  CM = 0, WnR = 0\nswapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000\n[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13\nInternal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP\n...\nCall trace:\n pl011_stop_rx+0x70/0x80\n tty_port_shutdown+0x7c/0xb4\n tty_port_close+0x60/0xcc\n uart_close+0x34/0x8c\n tty_release+0x144/0x4c0\n __fput+0x78/0x220\n ____fput+0x1c/0x30\n task_work_run+0x88/0xc0\n do_notify_resume+0x8d0/0x123c\n el0_svc+0xa8/0xc0\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x1a0/0x1a4\nCode: b9000083 b901f001 794038a0 8b000042 (b9000041)\n---[ end trace 83dd93df15c3216f ]---\nnote: bootlogd[132] exited with preempt_count 1\n/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon\n\nThis has been discussed in the Xen community, and we think it should fix\nthis in Linux. See [2] for more information.\n\n[1] https://developer.arm.com/documentation/den0094/c/?lang=en\n[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: fix memory leak in dvb_usb_adapter_init()\n\nSyzbot reports a memory leak in \"dvb_usb_adapter_init()\".\nThe leak is due to not accounting for and freeing current iteration's\nadapter->priv in case of an error. Currently if an error occurs,\nit will exit before incrementing \"num_adapters_initalized\",\nwhich is used as a reference counter to free all adap->priv\nin \"dvb_usb_adapter_exit()\". There are multiple error paths that\ncan exit from before incrementing the counter. Including the\nerror handling paths for \"dvb_usb_adapter_stream_init()\",\n\"dvb_usb_adapter_dvb_init()\" and \"dvb_usb_adapter_frontend_init()\"\nwithin \"dvb_usb_adapter_init()\".\n\nThis means that in case of an error in any of these functions the\ncurrent iteration is not accounted for and the current iteration's\nadap->priv is not freed.\n\nFix this by freeing the current iteration's adap->priv in the\n\"stream_init_err:\" label in the error path. The rest of the\n(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()\nas expected using the num_adapters_initalized variable.\n\nSyzbot report:\n\nBUG: memory leak\nunreferenced object 0xffff8881172f1a00 (size 512):\n  comm \"kworker/0:2\", pid 139, jiffies 4294994873 (age 10.960s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace:\n    [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]\n    [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]\n    [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308\n    [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883\n    [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]\n    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]\n    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752\n    [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782\n    [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899\n    [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427\n    [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970\n    [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487\n    [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405\n    [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170\n    [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]\n    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]\n    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix monitor mode bringup crash\n\nWhen the interface is brought up in monitor mode, it leads\nto NULL pointer dereference crash. This crash happens when\nthe packet type is extracted for a SKB. This extraction\nwhich is present in the received msdu delivery path, is\nnot needed for the monitor ring packets since they are\nall RAW packets. Hence appending the flags with\n\"RX_FLAG_ONLY_MONITOR\" to skip that extraction.\n\nObserved calltrace:\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000064\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000048517000\n[0000000000000064] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: ath11k_pci ath11k qmi_helpers\nCPU: 2 PID: 1781 Comm: napi/-271 Not tainted\n6.1.0-rc5-wt-ath-656295-gef907406320c-dirty #6\nHardware name: Qualcomm Technologies, Inc. IPQ8074/AP-HK10-C2 (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]\nlr : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x5c/0x60 [ath11k]\nsp : ffff80000ef5bb10\nx29: ffff80000ef5bb10 x28: 0000000000000000 x27: ffff000007baafa0\nx26: ffff000014a91ed0 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff800002b77378 x22: ffff000014a91ec0 x21: ffff000006c8d600\nx20: 0000000000000000 x19: ffff800002b77740 x18: 0000000000000006\nx17: 736564203634343a x16: 656e694c20657079 x15: 0000000000000143\nx14: 00000000ffffffea x13: ffff80000ef5b8b8 x12: ffff80000ef5b8c8\nx11: ffff80000a591d30 x10: ffff80000a579d40 x9 : c0000000ffffefff\nx8 : 0000000000000003 x7 : 0000000000017fe8 x6 : ffff80000a579ce8\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 3a35ec12ed7f8900 x1 : 0000000000000000 x0 : 0000000000000052\nCall trace:\n ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k]\n ath11k_dp_rx_deliver_msdu.isra.42+0xa4/0x3d0 [ath11k]\n ath11k_dp_rx_mon_deliver.isra.43+0x2f8/0x458 [ath11k]\n ath11k_dp_rx_process_mon_rings+0x310/0x4c0 [ath11k]\n ath11k_dp_service_srng+0x234/0x338 [ath11k]\n ath11k_pcic_ext_grp_napi_poll+0x30/0xb8 [ath11k]\n __napi_poll+0x5c/0x190\n napi_threaded_poll+0xf0/0x118\n kthread+0xf4/0x110\n ret_from_fork+0x10/0x20\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gud: Fix UBSAN warning\n\nUBSAN complains about invalid value for bool:\n\n[  101.165172] [drm] Initialized gud 1.0.0 20200422 for 2-3.2:1.0 on minor 1\n[  101.213360] gud 2-3.2:1.0: [drm] fb1: guddrmfb frame buffer device\n[  101.213426] usbcore: registered new interface driver gud\n[  101.989431] ================================================================================\n[  101.989441] UBSAN: invalid-load in linux/include/linux/iosys-map.h:253:9\n[  101.989447] load of value 121 is not a valid value for type '_Bool'\n[  101.989451] CPU: 1 PID: 455 Comm: kworker/1:6 Not tainted 5.18.0-rc5-gud-5.18-rc5 #3\n[  101.989456] Hardware name: Hewlett-Packard HP EliteBook 820 G1/1991, BIOS L71 Ver. 01.44 04/12/2018\n[  101.989459] Workqueue: events_long gud_flush_work [gud]\n[  101.989471] Call Trace:\n[  101.989474]  <TASK>\n[  101.989479]  dump_stack_lvl+0x49/0x5f\n[  101.989488]  dump_stack+0x10/0x12\n[  101.989493]  ubsan_epilogue+0x9/0x3b\n[  101.989498]  __ubsan_handle_load_invalid_value.cold+0x44/0x49\n[  101.989504]  dma_buf_vmap.cold+0x38/0x3d\n[  101.989511]  ? find_busiest_group+0x48/0x300\n[  101.989520]  drm_gem_shmem_vmap+0x76/0x1b0 [drm_shmem_helper]\n[  101.989528]  drm_gem_shmem_object_vmap+0x9/0xb [drm_shmem_helper]\n[  101.989535]  drm_gem_vmap+0x26/0x60 [drm]\n[  101.989594]  drm_gem_fb_vmap+0x47/0x150 [drm_kms_helper]\n[  101.989630]  gud_prep_flush+0xc1/0x710 [gud]\n[  101.989639]  ? _raw_spin_lock+0x17/0x40\n[  101.989648]  gud_flush_work+0x1e0/0x430 [gud]\n[  101.989653]  ? __switch_to+0x11d/0x470\n[  101.989664]  process_one_work+0x21f/0x3f0\n[  101.989673]  worker_thread+0x200/0x3e0\n[  101.989679]  ? rescuer_thread+0x390/0x390\n[  101.989684]  kthread+0xfd/0x130\n[  101.989690]  ? kthread_complete_and_exit+0x20/0x20\n[  101.989696]  ret_from_fork+0x22/0x30\n[  101.989706]  </TASK>\n[  101.989708] ================================================================================\n\nThe source of this warning is in iosys_map_clear() called from\ndma_buf_vmap(). It conditionally sets values based on map->is_iomem. The\niosys_map variables are allocated uninitialized on the stack leading to\n->is_iomem having all kinds of values and not only 0/1.\n\nFix this by zeroing the iosys_map variables.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Fix memory leak in rsi_coex_attach()\n\nThe coex_cb needs to be freed when rsi_create_kthread() failed in\nrsi_coex_attach().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: fix UAF in hugetlb_handle_userfault\n\nThe vma_lock and hugetlb_fault_mutex are dropped before handling userfault\nand reacquire them again after handle_userfault(), but reacquire the\nvma_lock could lead to UAF[1,2] due to the following race,\n\nhugetlb_fault\n  hugetlb_no_page\n    /*unlock vma_lock */\n    hugetlb_handle_userfault\n      handle_userfault\n        /* unlock mm->mmap_lock*/\n                                           vm_mmap_pgoff\n                                             do_mmap\n                                               mmap_region\n                                                 munmap_vma_range\n                                                   /* clean old vma */\n        /* lock vma_lock again  <--- UAF */\n    /* unlock vma_lock */\n\nSince the vma_lock will unlock immediately after\nhugetlb_handle_userfault(), let's drop the unneeded lock and unlock in\nhugetlb_handle_userfault() to fix the issue.\n\n[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/\n[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: kexec: Fix memory leak of fdt buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xff60000082864000 (size 9588):\n  comm \"kexec\", pid 146, jiffies 4294900634 (age 64.788s)\n  hex dump (first 32 bytes):\n    d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40  ...........H...@\n    00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00  ...(............\n  backtrace:\n    [<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e\n    [<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4\n    [<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6\n    [<00000000f01e68b4>] __kmalloc+0x5c2/0x62a\n    [<000000002bd497b2>] kvmalloc_node+0x66/0xd6\n    [<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea\n    [<00000000e1166bde>] elf_kexec_load+0x206/0x4ec\n    [<0000000036548e09>] kexec_image_load_default+0x40/0x4c\n    [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322\n    [<0000000040c62c03>] ret_from_syscall+0x0/0x2\n\nIn elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt.\nWhile it's not freed back to system when kexec kernel is reloaded or\nunloaded.  Then memory leak is caused.  Fix it by introducing riscv\nspecific function arch_kimage_file_post_load_cleanup(), and freeing the\nbuffer there.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()\n\ntad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi()\nwhen platform_driver_register() failed. Remove the callback by\ncpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init\n\nof_icc_get() alloc resources for path handle, we should release it when not\nneed anymore. Like the release in dwc3_qcom_interconnect_exit() function.\nAdd icc_put() in error handling to fix this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()\n\ncw_bat_probe() calls create_singlethread_workqueue() and not checked the\nret value, which may return NULL. And a null-ptr-deref may happen:\n\ncw_bat_probe()\n    create_singlethread_workqueue() # failed, cw_bat->wq is NULL\n    queue_delayed_work()\n        queue_delayed_work_on()\n            __queue_delayed_work()  # warning here, but continue\n                __queue_work()      # access wq->flags, null-ptr-deref\n\nCheck the ret value and return -ENOMEM if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n  # echo 'p cmdline_proc_show' > kprobe_events\n  # echo 'p cmdline_proc_show+16' >> kprobe_events\n  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n  BUG: Kernel NULL pointer dereference on read at 0x00000000\n  Faulting instruction address: 0xc000000000050bfc\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n  Modules linked in:\n  CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n  NIP:  c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n  REGS: c0000000348475b0 TRAP: 0300   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 88002444  XER: 20040006\n  CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n  ...\n  NIP arch_prepare_kprobe+0x10c/0x2d0\n  LR  arch_prepare_kprobe+0xfc/0x2d0\n  Call Trace:\n    0xc0000000012f77a0 (unreliable)\n    register_kprobe+0x3c0/0x7a0\n    __register_trace_kprobe+0x140/0x1a0\n    __trace_kprobe_create+0x794/0x1040\n    trace_probe_create+0xc4/0xe0\n    create_or_delete_trace_kprobe+0x2c/0x80\n    trace_parse_run_command+0xf0/0x210\n    probes_write+0x20/0x40\n    vfs_write+0xfc/0x450\n    ksys_write+0x84/0x140\n    system_call_exception+0x17c/0x3a0\n    system_call_vectored_common+0xe8/0x278\n  --- interrupt: 3000 at 0x7fffa5682de0\n  NIP:  00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n  REGS: c000000034847e80 TRAP: 3000   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44002408  XER: 00000000\n\nThe address being probed has some special:\n\n  cmdline_proc_show: Probe based on ftrace\n  cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n  ...\n  prev = get_kprobe(p->addr - 1);\n  preempt_enable_no_resched();\n  if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {\n  ...\n\nIf prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur\nwith a null pointer reference. At this point prev->addr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'\nto fix this problem.\n\n[mpe: Trim oops]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix pci_device_is_present() for VFs by checking PF\n\npci_device_is_present() previously didn't work for VFs because it reads the\nVendor and Device ID, which are 0xffff for VFs, which looks like they\naren't present.  Check the PF instead.\n\nWei Gong reported that if virtio I/O is in progress when the driver is\nunbound or \"0\" is written to /sys/.../sriov_numvfs, the virtio I/O\noperation hangs, which may result in output like this:\n\n  task:bash state:D stack:    0 pid: 1773 ppid:  1241 flags:0x00004002\n  Call Trace:\n   schedule+0x4f/0xc0\n   blk_mq_freeze_queue_wait+0x69/0xa0\n   blk_mq_freeze_queue+0x1b/0x20\n   blk_cleanup_queue+0x3d/0xd0\n   virtblk_remove+0x3c/0xb0 [virtio_blk]\n   virtio_dev_remove+0x4b/0x80\n   ...\n   device_unregister+0x1b/0x60\n   unregister_virtio_device+0x18/0x30\n   virtio_pci_remove+0x41/0x80\n   pci_device_remove+0x3e/0xb0\n\nThis happened because pci_device_is_present(VF) returned \"false\" in\nvirtio_pci_remove(), so it called virtio_break_device().  The broken vq\nmeant that vring_interrupt() skipped the vq.callback() that would have\ncompleted the virtio I/O operation via virtblk_done().\n\n[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()\n\nIf \"cpu_dev\" fails to get opp table in qcom_cpufreq_hw_read_lut(),\nthe program will return, resulting in \"table\" resource is not released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad boot loader inode\n\nWe got an issue as follows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:203!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349\n RIP: 0010:ext4_es_end.isra.0+0x34/0x42\n RSP: 0018:ffffc9000143b768 EFLAGS: 00010203\n RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff\n RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0\n R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000\n FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  __es_tree_search.isra.0+0x6d/0xf5\n  ext4_es_cache_extent+0xfa/0x230\n  ext4_cache_extents+0xd2/0x110\n  ext4_find_extent+0x5d5/0x8c0\n  ext4_ext_map_blocks+0x9c/0x1d30\n  ext4_map_blocks+0x431/0xa50\n  ext4_mpage_readpages+0x48e/0xe40\n  ext4_readahead+0x47/0x50\n  read_pages+0x82/0x530\n  page_cache_ra_unbounded+0x199/0x2a0\n  do_page_cache_ra+0x47/0x70\n  page_cache_ra_order+0x242/0x400\n  ondemand_readahead+0x1e8/0x4b0\n  page_cache_sync_ra+0xf4/0x110\n  filemap_get_pages+0x131/0xb20\n  filemap_read+0xda/0x4b0\n  generic_file_read_iter+0x13a/0x250\n  ext4_file_read_iter+0x59/0x1d0\n  vfs_read+0x28f/0x460\n  ksys_read+0x73/0x160\n  __x64_sys_read+0x1e/0x30\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n==================================================================\n\nIn the above issue, ioctl invokes the swap_inode_boot_loader function to\nswap inode<5> and inode<12>. However, inode<5> contain incorrect imode and\ndisordered extents, and i_nlink is set to 1. The extents check for inode in\nthe ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO.\nWhile links_count is set to 1, the extents are not initialized in\nswap_inode_boot_loader. After the ioctl command is executed successfully,\nthe extents are swapped to inode<12>, in this case, run the `cat` command\nto view inode<12>. And Bug_ON is triggered due to the incorrect extents.\n\nWhen the boot loader inode is not initialized, its imode can be one of the\nfollowing:\n1) the imode is a bad type, which is marked as bad_inode in ext4_iget and\n   set to S_IFREG.\n2) the imode is good type but not S_IFREG.\n3) the imode is S_IFREG.\n\nThe BUG_ON may be triggered by bypassing the check in cases 1 and 2.\nTherefore, when the boot loader inode is bad_inode or its imode is not\nS_IFREG, initialize the inode to avoid triggering the BUG.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: Fix memory leak in worker creation\n\nIf the CPU mask allocation for a node fails, then the memory allocated for\nthe 'io_wqe' struct of the current node doesn't get freed on the error\nhandling path, since it has not yet been added to the 'wqes' array.\n\nThis was spotted when fuzzing v6.1-rc1 with Syzkaller:\nBUG: memory leak\nunreferenced object 0xffff8880093d5000 (size 1024):\n  comm \"syz-executor.2\", pid 7701, jiffies 4295048595 (age 13.900s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720\n    [<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130\n    [<000000004e107011>] io_wq_create+0x7b9/0xdc0\n    [<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d\n    [<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba\n    [<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce\n    [<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80\n    [<000000008a8a7508>] do_syscall_64+0x5d/0x90\n    [<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Fix kernel panic when remove non-standard SDIO card\n\nSDIO tuple is only allocated for standard SDIO card, especially it causes\nmemory corruption issues when the non-standard SDIO card has removed, which\nis because the card device's reference counter does not increase for it at\nsdio_init_func(), but all SDIO card device reference counter gets decreased\nat sdio_release_func().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: omap_ssi: Fix refcount leak in ssi_probe\n\nWhen returning or breaking early from a\nfor_each_available_child_of_node() loop, we need to explicitly call\nof_node_put() on the child node to possibly release the node.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_typec: zero out stale pointers\n\n`cros_typec_get_switch_handles` allocates four pointers when obtaining\ntype-c switch handles. These pointers are all freed if failing to obtain\nany of them; therefore, pointers in `port` become stale. The stale\npointers eventually cause use-after-free or double free in later code\npaths. Zeroing out all pointer fields after freeing to eliminate these\nstale pointers.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_copy_file_range()\n\nIf the file is used by swap, before return -EOPNOTSUPP, should\nfree the xid, otherwise, the xid will be leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe\n\npm_runtime_get_sync() will increment pm usage counter.\nForgetting to putting operation will result in reference leak.\nAdd missing pm_runtime_put_sync in some error paths.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()\n\nAs the comment of pci_get_domain_bus_and_slot() says, it returns\na PCI device with refcount incremented, so it doesn't need to\ncall an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI\ndevice needs to be put in the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hpsa: Fix possible memory leak in hpsa_init_one()\n\nThe hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in\nhpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to\nclean1 directly, which frees h and leaks the h->reply_map.\n\nFix by calling hpda_free_ctlr_info() to release h->replay_map and h instead\nfree h directly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: Make port I/O string accessors actually work\n\nFix port I/O string accessors such as `insb', `outsb', etc. which use\nthe physical PCI port I/O address rather than the corresponding memory\nmapping to get at the requested location, which in turn breaks at least\naccesses made by our parport driver to a PCIe parallel port such as:\n\nPCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20\nparport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]\n\ncausing a memory access fault:\n\nUnable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008\nOops [#1]\nModules linked in:\nCPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23\nHardware name: SiFive HiFive Unmatched A00 (DT)\nepc : parport_pc_fifo_write_block_pio+0x266/0x416\n ra : parport_pc_fifo_write_block_pio+0xb4/0x416\nepc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60\n gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000\n t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0\n s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000\n a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb\n a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000\n s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50\n s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000\n s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000\n s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930\n t5 : 0000000000001000 t6 : 0000000000040000\nstatus: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f\n[<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200\n[<ffffffff8053bbc0>] parport_write+0x46/0xf8\n[<ffffffff8050530e>] lp_write+0x158/0x2d2\n[<ffffffff80185716>] vfs_write+0x8e/0x2c2\n[<ffffffff80185a74>] ksys_write+0x52/0xc2\n[<ffffffff80185af2>] sys_write+0xe/0x16\n[<ffffffff80003770>] ret_from_syscall+0x0/0x2\n---[ end trace 0000000000000000 ]---\n\nFor simplicity address the problem by adding PCI_IOBASE to the physical\naddress requested in the respective wrapper macros only, observing that\nthe raw accessors such as `__insb', `__outsb', etc. are not supposed to\nbe used other than by said macros.  Remove the cast to `long' that is no\nlonger needed on `addr' now that it is used as an offset from PCI_IOBASE\nand add parentheses around `addr' needed for predictable evaluation in\nmacro expansion.  No need to make said adjustments in separate changes\ngiven that current code is gravely broken and does not ever work.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller\n\nNaveen reported recursive locking of direct_mutex with sample\nftrace-direct-modify.ko:\n\n[   74.762406] WARNING: possible recursive locking detected\n[   74.762887] 6.0.0-rc6+ #33 Not tainted\n[   74.763216] --------------------------------------------\n[   74.763672] event-sample-fn/1084 is trying to acquire lock:\n[   74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n    register_ftrace_function+0x1f/0x180\n[   74.764922]\n[   74.764922] but task is already holding lock:\n[   74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n    modify_ftrace_direct+0x34/0x1f0\n[   74.766142]\n[   74.766142] other info that might help us debug this:\n[   74.766701]  Possible unsafe locking scenario:\n[   74.766701]\n[   74.767216]        CPU0\n[   74.767437]        ----\n[   74.767656]   lock(direct_mutex);\n[   74.767952]   lock(direct_mutex);\n[   74.768245]\n[   74.768245]  *** DEADLOCK ***\n[   74.768245]\n[   74.768750]  May be due to missing lock nesting notation\n[   74.768750]\n[   74.769332] 1 lock held by event-sample-fn/1084:\n[   74.769731]  #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \\\n    modify_ftrace_direct+0x34/0x1f0\n[   74.770496]\n[   74.770496] stack backtrace:\n[   74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ...\n[   74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...\n[   74.772474] Call Trace:\n[   74.772696]  <TASK>\n[   74.772896]  dump_stack_lvl+0x44/0x5b\n[   74.773223]  __lock_acquire.cold.74+0xac/0x2b7\n[   74.773616]  lock_acquire+0xd2/0x310\n[   74.773936]  ? register_ftrace_function+0x1f/0x180\n[   74.774357]  ? lock_is_held_type+0xd8/0x130\n[   74.774744]  ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[   74.775213]  __mutex_lock+0x99/0x1010\n[   74.775536]  ? register_ftrace_function+0x1f/0x180\n[   74.775954]  ? slab_free_freelist_hook.isra.43+0x115/0x160\n[   74.776424]  ? ftrace_set_hash+0x195/0x220\n[   74.776779]  ? register_ftrace_function+0x1f/0x180\n[   74.777194]  ? kfree+0x3e1/0x440\n[   74.777482]  ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[   74.777941]  ? __schedule+0xb40/0xb40\n[   74.778258]  ? register_ftrace_function+0x1f/0x180\n[   74.778672]  ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[   74.779128]  register_ftrace_function+0x1f/0x180\n[   74.779527]  ? ftrace_set_filter_ip+0x33/0x70\n[   74.779910]  ? __schedule+0xb40/0xb40\n[   74.780231]  ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[   74.780678]  ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[   74.781147]  ftrace_modify_direct_caller+0x5b/0x90\n[   74.781563]  ? 0xffffffffa0201000\n[   74.781859]  ? my_tramp1+0xf/0xf [ftrace_direct_modify]\n[   74.782309]  modify_ftrace_direct+0x1b2/0x1f0\n[   74.782690]  ? __schedule+0xb40/0xb40\n[   74.783014]  ? simple_thread+0x2a/0xb0 [ftrace_direct_modify]\n[   74.783508]  ? __schedule+0xb40/0xb40\n[   74.783832]  ? my_tramp2+0x11/0x11 [ftrace_direct_modify]\n[   74.784294]  simple_thread+0x76/0xb0 [ftrace_direct_modify]\n[   74.784766]  kthread+0xf5/0x120\n[   74.785052]  ? kthread_complete_and_exit+0x20/0x20\n[   74.785464]  ret_from_fork+0x22/0x30\n[   74.785781]  </TASK>\n\nFix this by using register_ftrace_function_nolock in\nftrace_modify_direct_caller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()\n\nADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length\nof 8, but adp5061_chg_type array size is 4, may end up reading 4 elements\nbeyond the end of the adp5061_chg_type[] array.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference state management for synchronous callbacks\n\nCurrently, verifier verifies callback functions (sync and async) as if\nthey will be executed once, (i.e. it explores execution state as if the\nfunction was being called once). The next insn to explore is set to\nstart of subprog and the exit from nested frame is handled using\ncurframe > 0 and prepare_func_exit. In case of async callback it uses a\ncustomized variant of push_stack simulating a kind of branch to set up\ncustom state and execution context for the async callback.\n\nWhile this approach is simple and works when callback really will be\nexecuted only once, it is unsafe for all of our current helpers which\nare for_each style, i.e. they execute the callback multiple times.\n\nA callback releasing acquired references of the caller may do so\nmultiple times, but currently verifier sees it as one call inside the\nframe, which then returns to caller. Hence, it thinks it released some\nreference that the cb e.g. got access through callback_ctx (register\nfilled inside cb from spilled typed register on stack).\n\nSimilarly, it may see that an acquire call is unpaired inside the\ncallback, so the caller will copy the reference state of callback and\nthen will have to release the register with new ref_obj_ids. But again,\nthe callback may execute multiple times, but the verifier will only\naccount for acquired references for a single symbolic execution of the\ncallback, which will cause leaks.\n\nNote that for async callback case, things are different. While currently\nwe have bpf_timer_set_callback which only executes it once, even for\nmultiple executions it would be safe, as reference state is NULL and\ncheck_reference_leak would force program to release state before\nBPF_EXIT. The state is also unaffected by analysis for the caller frame.\nHence async callback is safe.\n\nSince we want the reference state to be accessible, e.g. for pointers\nloaded from stack through callback_ctx's PTR_TO_STACK, we still have to\ncopy caller's reference_state to callback's bpf_func_state, but we\nenforce that whatever references it adds to that reference_state has\nbeen released before it hits BPF_EXIT. This requires introducing a new\ncallback_ref member in the reference state to distinguish between caller\nvs callee references. Hence, check_reference_leak now errors out if it\nsees we are in callback_fn and we have not released callback_ref refs.\nSince there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2\netc. we need to also distinguish between whether this particular ref\nbelongs to this callback frame or parent, and only error for our own, so\nwe store state->frameno (which is always non-zero for callbacks).\n\nIn short, callbacks can read parent reference_state, but cannot mutate\nit, to be able to use pointers acquired by the caller. They must only\nundo their changes (by releasing their own acquired_refs before\nBPF_EXIT) on top of caller reference_state before returning (at which\npoint the caller and callback state will match anyway, so no need to\ncopy it back to caller).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: eeprom: fix null-deref on genl_info in dump\n\nThe similar fix as commit 46cdedf2a0fa (\"ethtool: pse-pd: fix null-deref on\ngenl_info in dump\") is also needed for ethtool eeprom.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: uio_dmem_genirq: Fix missing unlock in irq configuration\n\nCommit b74351287d4b (\"uio: fix a sleep-in-atomic-context bug in\nuio_dmem_genirq_irqcontrol()\") started calling disable_irq() without\nholding the spinlock because it can sleep. However, that fix introduced\nanother bug: if interrupt is already disabled and a new disable request\ncomes in, then the spinlock is not unlocked:\n\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' > /dev/uio0\nroot@localhost:~# printf '\\x00\\x00\\x00\\x00' > /dev/uio0\nroot@localhost:~# [   14.851538] BUG: scheduling while atomic: bash/223/0x00000002\n[   14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]\n[   14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G           OE      6.0.0-rc7 #21\n[   14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[   14.855664] Call Trace:\n[   14.855861]  <TASK>\n[   14.856025]  dump_stack_lvl+0x4d/0x67\n[   14.856325]  dump_stack+0x14/0x1a\n[   14.856583]  __schedule_bug.cold+0x4b/0x5c\n[   14.856915]  __schedule+0xe81/0x13d0\n[   14.857199]  ? idr_find+0x13/0x20\n[   14.857456]  ? get_work_pool+0x2d/0x50\n[   14.857756]  ? __flush_work+0x233/0x280\n[   14.858068]  ? __schedule+0xa95/0x13d0\n[   14.858307]  ? idr_find+0x13/0x20\n[   14.858519]  ? get_work_pool+0x2d/0x50\n[   14.858798]  schedule+0x6c/0x100\n[   14.859009]  schedule_hrtimeout_range_clock+0xff/0x110\n[   14.859335]  ? tty_write_room+0x1f/0x30\n[   14.859598]  ? n_tty_poll+0x1ec/0x220\n[   14.859830]  ? tty_ldisc_deref+0x1a/0x20\n[   14.860090]  schedule_hrtimeout_range+0x17/0x20\n[   14.860373]  do_select+0x596/0x840\n[   14.860627]  ? __kernel_text_address+0x16/0x50\n[   14.860954]  ? poll_freewait+0xb0/0xb0\n[   14.861235]  ? poll_freewait+0xb0/0xb0\n[   14.861517]  ? rpm_resume+0x49d/0x780\n[   14.861798]  ? common_interrupt+0x59/0xa0\n[   14.862127]  ? asm_common_interrupt+0x2b/0x40\n[   14.862511]  ? __uart_start.isra.0+0x61/0x70\n[   14.862902]  ? __check_object_size+0x61/0x280\n[   14.863255]  core_sys_select+0x1c6/0x400\n[   14.863575]  ? vfs_write+0x1c9/0x3d0\n[   14.863853]  ? vfs_write+0x1c9/0x3d0\n[   14.864121]  ? _copy_from_user+0x45/0x70\n[   14.864526]  do_pselect.constprop.0+0xb3/0xf0\n[   14.864893]  ? do_syscall_64+0x6d/0x90\n[   14.865228]  ? do_syscall_64+0x6d/0x90\n[   14.865556]  __x64_sys_pselect6+0x76/0xa0\n[   14.865906]  do_syscall_64+0x60/0x90\n[   14.866214]  ? syscall_exit_to_user_mode+0x2a/0x50\n[   14.866640]  ? do_syscall_64+0x6d/0x90\n[   14.866972]  ? do_syscall_64+0x6d/0x90\n[   14.867286]  ? do_syscall_64+0x6d/0x90\n[   14.867626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...] stripped\n[   14.872959]  </TASK>\n\n('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)\n\nThe implementation of \"uio_dmem_genirq\" was based on \"uio_pdrv_genirq\" and\nit is used in a similar manner to the \"uio_pdrv_genirq\" driver with respect\nto interrupt configuration and handling. At the time \"uio_dmem_genirq\" was\nintroduced, both had the same implementation of the 'uio_info' handlers\nirqcontrol() and handler(). Then commit 34cb27528398 (\"UIO: Fix concurrency\nissue\"), which was only applied to \"uio_pdrv_genirq\", ended up making them\na little different. That commit, among other things, changed disable_irq()\nto disable_irq_nosync() in the implementation of irqcontrol(). The\nmotivation there was to avoid a deadlock between irqcontrol() and\nhandler(), since it added a spinlock in the irq handler, and disable_irq()\nwaits for the completion of the irq handler.\n\nBy changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also\navoid the sleeping-whil\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: atmel-mci: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n   delete device, but it's not added yet, it will lead a kernel\n   crash because of null-ptr-deref in device_del().\n\nSo fix this by checking the return value and calling mmc_free_host()\nin the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix panic due to wrong pageattr of im->image\n\nIn the scenario where livepatch and kretfunc coexist, the pageattr of\nim->image is rox after arch_prepare_bpf_trampoline in\nbpf_trampoline_update, and then modify_fentry or register_fentry returns\n-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag\nwill be configured, and arch_prepare_bpf_trampoline will be re-executed.\n\nAt this time, because the pageattr of im->image is rox,\narch_prepare_bpf_trampoline will read and write im->image, which causes\na fault. as follows:\n\n  insmod livepatch-sample.ko    # samples/livepatch/livepatch-sample.c\n  bpftrace -e 'kretfunc:cmdline_proc_show {}'\n\nBUG: unable to handle page fault for address: ffffffffa0206000\nPGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061\nOops: 0003 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 270 Comm: bpftrace Tainted: G            E K    6.1.0 #5\nRIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0\nRSP: 0018:ffffc90001083ad8 EFLAGS: 00010202\nRAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000\nRDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030\nRBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400\nR10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8\nR13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10\nFS:  00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n bpf_trampoline_update+0x25a/0x6b0\n __bpf_trampoline_link_prog+0x101/0x240\n bpf_trampoline_link_prog+0x2d/0x50\n bpf_tracing_prog_attach+0x24c/0x530\n bpf_raw_tp_link_attach+0x73/0x1d0\n __sys_bpf+0x100e/0x2570\n __x64_sys_bpf+0x1c/0x30\n do_syscall_64+0x5b/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWith this patch, when modify_fentry or register_fentry returns -EAGAIN\nfrom bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset\nto nx+rw.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: associate skb with a device at tx\n\nSyzkaller triggered flow dissector warning with the following:\n\nr0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)\nioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))\nioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})\npwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\\x00!', 0x2}], 0x1, 0x0, 0x0)\n\n[    9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0\n[    9.485929]  skb_get_poff+0x53/0xa0\n[    9.485937]  bpf_skb_get_pay_offset+0xe/0x20\n[    9.485944]  ? ppp_send_frame+0xc2/0x5b0\n[    9.485949]  ? _raw_spin_unlock_irqrestore+0x40/0x60\n[    9.485958]  ? __ppp_xmit_process+0x7a/0xe0\n[    9.485968]  ? ppp_xmit_process+0x5b/0xb0\n[    9.485974]  ? ppp_write+0x12a/0x190\n[    9.485981]  ? do_iter_write+0x18e/0x2d0\n[    9.485987]  ? __import_iovec+0x30/0x130\n[    9.485997]  ? do_pwritev+0x1b6/0x240\n[    9.486016]  ? trace_hardirqs_on+0x47/0x50\n[    9.486023]  ? __x64_sys_pwritev+0x24/0x30\n[    9.486026]  ? do_syscall_64+0x3d/0x80\n[    9.486031]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFlow dissector tries to find skb net namespace either via device\nor via socket. Neigher is set in ppp_send_frame, so let's manually\nuse ppp->dev.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Clear nfc_target before being used\n\nFix a slab-out-of-bounds read that occurs in nla_put() called from\nnfc_genl_send_target() when target->sensb_res_len, which is duplicated\nfrom an nfc_target in pn533, is too large as the nfc_target is not\nproperly initialized and retains garbage values. Clear nfc_targets with\nmemset() before they are used.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: slab-out-of-bounds in nla_put\nCall Trace:\n memcpy\n nla_put\n nfc_genl_dump_targets\n genl_lock_dumpit\n netlink_dump\n __netlink_dump_start\n genl_family_rcv_msg_dumpit\n genl_rcv_msg\n netlink_rcv_skb\n genl_rcv\n netlink_unicast\n netlink_sendmsg\n sock_sendmsg\n ____sys_sendmsg\n ___sys_sendmsg\n __sys_sendmsg\n do_syscall_64",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: add missing memcpy in kasan_init\n\nHi Atish,\n\nIt seems that the panic is due to the missing memcpy during kasan_init.\nCould you please check whether this patch is helpful?\n\nWhen doing kasan_populate, the new allocated base_pud/base_p4d should\ncontain kasan_early_shadow_{pud, p4d}'s content. Add the missing memcpy\nto avoid page fault when read/write kasan shadow region.\n\nTested on:\n - qemu with sv57 and CONFIG_KASAN on.\n - qemu with sv48 and CONFIG_KASAN on.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom: fix memory leak in error path\n\nIf for some reason the speedbin length is incorrect, then there is a\nmemory leak in the error path because we never free the speedbin buffer.\nThis commit fixes the error path to always free the speedbin buffer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: geode - Fix PCI device refcount leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. We add a new struct\n'amd_geode_priv' to record pointer of the pci_dev and membase, and then\nadd missing pci_dev_put() for the normal and error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ipw2200: fix memory leak in ipw_wdev_init()\n\nIn the error path of ipw_wdev_init(), exception value is returned, and\nthe memory applied for in the function is not released. Also the memory\nis not released in ipw_pci_probe(). As a result, memory leakage occurs.\nSo memory release needs to be added to the error path of ipw_wdev_init().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: Move copy_seccomp() to no failure path.\n\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1].  It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\n\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\n\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process().  When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space.  In the failure path, we have to call seccomp_filter_release()\nto decrement the filter's refcount.\n\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\n\nTo keep the change and current seccomp refcount semantics, let's move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\n  hex dump (first 32 bytes):\n    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\n    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\n  backtrace:\n    do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    __vmalloc_node_range (mm/vmalloc.c:3226)\n    __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\n    bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 16 bytes):\n    01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff  ..7.verl........\n  backtrace:\n    bpf_prog_store_orig_filter (net/core/filter.c:1137)\n    bpf_prog_create_from_user (net/core/filter.c:1428)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: fix memory leak in hns_roce_alloc_mr()\n\nWhen hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not\nreleased. Compiled test only.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix possible memory leak in stmmac_dvr_probe()\n\nThe bitmap_free() should be called to free priv->af_xdp_zc_qps\nwhen create_singlethread_workqueue() fails, otherwise there will\nbe a memory leak, so we add the err path error_wq_init to fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: fix leak of memory fw",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected\n\nIt has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),\nas below, it will not print when debug_mask is not set ATH11K_DBG_DATA.\n\tath11k_dbg(ab, ATH11K_DBG_DATA,\n\t\t  \"failed to find the peer with peer_id %d\\n\",\n\t\t   ppdu_info.peer_id);\n\nWhen run scan with station disconnected, the peer_id is 0 for case\nHAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called\nfrom ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is\nreset to 0 in the while loop, so it does not match condition of the\ncheck \"if (ppdu_info->peer_id == HAL_INVALID_PEERID\" in the loop, and\nthen the log \"failed to find the peer with peer_id 0\" print after the\ncheck in the loop, it is below call stack when debug_mask is set\nATH11K_DBG_DATA.\n\nThe reason is this commit 01d2f285e3e5 (\"ath11k: decode HE status tlv\")\nadd \"memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))\" in\nath11k_dp_rx_process_mon_status(), but the commit does not initialize\nthe peer_id to HAL_INVALID_PEERID, then lead the check mis-match.\n\nCallstack of the failed log:\n[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]\n[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd\n[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246\n[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000\n[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18\n[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000\n[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40\n[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000\n[12335.689303] FS:  0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000\n[12335.689323] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0\n[12335.689360] Call Trace:\n[12335.689377]  <IRQ>\n[12335.689418]  ? rcu_read_lock_held_common+0x12/0x50\n[12335.689447]  ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689471]  ? rcu_read_lock_held_common+0x12/0x50\n[12335.689504]  ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689578]  ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689653]  ? lock_acquire+0xef/0x360\n[12335.689681]  ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689713]  ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]\n[12335.689784]  ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689860]  call_timer_fn+0xb2/0x2f0\n[12335.689897]  ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689970]  run_timer_softirq+0x21f/0x540\n[12335.689999]  ? ktime_get+0xad/0x160\n[12335.690025]  ? lapic_next_deadline+0x2c/0x40\n[12335.690053]  ? clockevents_program_event+0x82/0x100\n[12335.690093]  __do_softirq+0x151/0x4a8\n[12335.690135]  irq_exit_rcu+0xc9/0x100\n[12335.690165]  sysvec_apic_timer_interrupt+0xa8/0xd0\n[12335.690189]  </IRQ>\n[12335.690204]  <TASK>\n[12335.690225]  asm_sysvec_apic_timer_interrupt+0x12/0x20\n\nReset the default value to HAL_INVALID_PEERID each time after memset\nof ppdu_info as well as others memset which existed in function\nath11k_dp_rx_process_mon_status(), then the failed log disappeared.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix QP destroy to wait for all references dropped.\n\nDelay QP destroy completion until all siw references to QP are\ndropped. The calling RDMA core will free QP structure after\nsuccessful return from siw_qp_destroy() call, so siw must not\nhold any remaining reference to the QP upon return.\nA use-after-free was encountered in xfstest generic/460, while\ntesting NFSoRDMA. Here, after a TCP connection drop by peer,\nthe triggered siw_cm_work_handler got delayed until after\nQP destroy call, referencing a QP which has already freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()\n\nIf the copy of the description string from userspace fails, then the page\nfor the instance descriptor doesn't get freed before returning -EFAULT,\nwhich leads to a memleak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock due to mbcache entry corruption\n\nWhen manipulating xattr blocks, we can deadlock infinitely looping\ninside ext4_xattr_block_set() where we constantly keep finding xattr\nblock for reuse in mbcache but we are unable to reuse it because its\nreference count is too big. This happens because cache entry for the\nxattr block is marked as reusable (e_reusable set) although its\nreference count is too big. When this inconsistency happens, this\ninconsistent state is kept indefinitely and so ext4_xattr_block_set()\nkeeps retrying indefinitely.\n\nThe inconsistent state is caused by non-atomic update of e_reusable bit.\ne_reusable is part of a bitfield and e_reusable update can race with\nupdate of e_referenced bit in the same bitfield resulting in loss of one\nof the updates. Fix the problem by using atomic bitops instead.\n\nThis bug has been around for many years, but it became *much* easier\nto hit after commit 65f8b80053a1 (\"ext4: fix race when reusing xattr\nblocks\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible name leak in ocxl_file_register_afu()\n\nIf device_register() returns error in ocxl_file_register_afu(),\nthe name allocated by dev_set_name() need be freed. As comment\nof device_register() says, it should use put_device() to give\nup the reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanup(),\nand info is freed in info_release().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: omap_hsmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n   delete device, but it's not added yet, it will lead a kernel\n   crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path wihch\nwill call mmc_free_host().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix \"kernel NULL pointer dereference\" error\n\nWhen rxe_queue_init in the function rxe_qp_init_req fails,\nboth qp->req.task.func and qp->req.task.arg are not initialized.\n\nBecause of creation of qp fails, the function rxe_create_qp will\ncall rxe_qp_do_cleanup to handle allocated resource.\n\nBefore calling __rxe_do_task, both qp->req.task.func and\nqp->req.task.arg should be checked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynq-ipi: fix error handling while device_register() fails\n\nIf device_register() fails, it has two issues:\n1. The name allocated by dev_set_name() is leaked.\n2. The parent of device is not NULL, device_unregister() is called\n   in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because\n   of removing not added device.\n\nCall put_device() to give up the reference, so the name is freed in\nkobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()\nto avoid null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x73/0x9f\n  print_report+0x25d/0x759\n  kasan_report+0xc0/0x120\n  __asan_load8+0x99/0x140\n  __list_add_valid+0x28/0x1a0\n  ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n  __ext4_fill_super+0x48e2/0x5300 [ext4]\n  ext4_fill_super+0x19f/0x3a0 [ext4]\n  get_tree_bdev+0x27b/0x450\n  ext4_get_tree+0x19/0x30 [ext4]\n  vfs_get_tree+0x49/0x150\n  path_mount+0xaae/0x1350\n  do_mount+0xe2/0x110\n  __x64_sys_mount+0xf0/0x190\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n  ext4_orphan_cleanup\n   --- loop1: assume last_orphan is 12 ---\n    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)\n    ext4_truncate --> return 0\n      ext4_inode_attach_jinode --> return -ENOMEM\n    iput(inode) --> free inode<12>\n   --- loop2: last_orphan is still 12 ---\n    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);\n    // use inode<12> and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: vdso: fix NULL deference in vdso_join_timens() when vfork\n\nTesting tools/testing/selftests/timens/vfork_exec.c got below\nkernel log:\n\n[    6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020\n[    6.842255] Oops [#1]\n[    6.842871] Modules linked in:\n[    6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8\n[    6.845861] Hardware name: riscv-virtio,qemu (DT)\n[    6.848009] epc : vdso_join_timens+0xd2/0x110\n[    6.850097]  ra : vdso_join_timens+0xd2/0x110\n[    6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0\n[    6.852562]  gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030\n[    6.853852]  t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40\n[    6.854984]  s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c\n[    6.856221]  a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000\n[    6.858114]  a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[    6.859484]  s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000\n[    6.860751]  s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38\n[    6.862029]  s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e\n[    6.863304]  s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f\n[    6.864565]  t5 : ffffffff80d11130 t6 : ff6000000181fa00\n[    6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d\n[    6.868046] [<ffffffff8008dc94>] timens_commit+0x38/0x11a\n[    6.869089] [<ffffffff8008dde8>] timens_on_fork+0x72/0xb4\n[    6.870055] [<ffffffff80190096>] begin_new_exec+0x3c6/0x9f0\n[    6.871231] [<ffffffff801d826c>] load_elf_binary+0x628/0x1214\n[    6.872304] [<ffffffff8018ee7a>] bprm_execve+0x1f2/0x4e4\n[    6.873243] [<ffffffff8018f90c>] do_execveat_common+0x16e/0x1ee\n[    6.874258] [<ffffffff8018f9c8>] sys_execve+0x3c/0x48\n[    6.875162] [<ffffffff80003556>] ret_from_syscall+0x0/0x2\n[    6.877484] ---[ end trace 0000000000000000 ]---\n\nThis is because the mm->context.vdso_info is NULL in vfork case. From\nanother side, mm->context.vdso_info either points to vdso info\nfor RV64 or vdso info for compat, there's no need to bloat riscv's\nmm_context_t, we can handle the difference when setup the additional\npage for vdso.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored\n\nPrior to commit 69e3b846d8a7 (\"arm64: mte: Sync tags for pages where PTE\nis untagged\"), mte_sync_tags() was only called for pte_tagged() entries\n(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use\ntest_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently\nsetting PG_mte_tagged on an untagged page.\n\nThe above commit was required as guests may enable MTE without any\ncontrol at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.\nHowever, the side-effect was that any page with a PTE that looked like\nswap (or migration) was getting PG_mte_tagged set automatically. A\nsubsequent page copy (e.g. migration) copied the tags to the destination\npage even if the tags were owned by KASAN.\n\nThis issue was masked by the page_kasan_tag_reset() call introduced in\ncommit e5b8d9218951 (\"arm64: mte: reset the page tag in page->flags\").\nWhen this commit was reverted (20794545c146), KASAN started reporting\naccess faults because the overriding tags in a page did not match the\noriginal page->flags (with CONFIG_KASAN_HW_TAGS=y):\n\n  BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26\n  Read at addr f5ff000017f2e000 by task syz-executor.1/2218\n  Pointer tag: [f5], memory tag: [f2]\n\nMove the PG_mte_tagged bit setting from mte_sync_tags() to the actual\nplace where tags are cleared (mte_sync_page_tags()) or restored\n(mte_restore_tags()).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()\n\nsyzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for\ncommit ac3615e7f3cffe2a (\"RDS: TCP: Reduce code duplication in\nrds_tcp_reset_callbacks()\") added cancel_delayed_work_sync() into a section\nprotected by lock_sock() without realizing that rds_send_xmit() might call\nlock_sock().\n\nWe don't need to protect cancel_delayed_work_sync() using lock_sock(), for\neven if rds_{send,recv}_worker() re-queued this work while __flush_work()\n from cancel_delayed_work_sync() was waiting for this work to complete,\nretried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP\nbit.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: fix use after free in _ipmi_destroy_user()\n\nThe intf_free() function frees the \"intf\" pointer so we cannot\ndereference it again on the next line.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix invalid address access when enabling SCAN log level\n\nThe variable i is changed when setting random MAC address and causes\ninvalid address access when printing the value of pi->reqs[i]->reqid.\n\nWe replace reqs index with ri to fix the issue.\n\n[  136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[  136.737365] Mem abort info:\n[  136.740172]   ESR = 0x96000004\n[  136.743359]   Exception class = DABT (current EL), IL = 32 bits\n[  136.749294]   SET = 0, FnV = 0\n[  136.752481]   EA = 0, S1PTW = 0\n[  136.755635] Data abort info:\n[  136.758514]   ISV = 0, ISS = 0x00000004\n[  136.762487]   CM = 0, WnR = 0\n[  136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577\n[  136.772265] [0000000000000000] pgd=0000000000000000\n[  136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[  136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)\n[  136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)\n[  136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G           O      4.19.42-00001-g531a5f5 #1\n[  136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)\n[  136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)\n[  136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]\n[  136.828162] sp : ffff00000e9a3880\n[  136.831475] x29: ffff00000e9a3890 x28: ffff800020543400\n[  136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0\n[  136.842098] x25: ffff80002054345c x24: ffff800088d22400\n[  136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8\n[  136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400\n[  136.858032] x19: ffff00000e9a3946 x18: 0000000000000000\n[  136.863343] x17: 0000000000000000 x16: 0000000000000000\n[  136.868655] x15: ffff0000093f3b37 x14: 0000000000000050\n[  136.873966] x13: 0000000000003135 x12: 0000000000000000\n[  136.879277] x11: 0000000000000000 x10: ffff000009a61888\n[  136.884589] x9 : 000000000000000f x8 : 0000000000000008\n[  136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d\n[  136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942\n[  136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8\n[  136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000\n[  136.911146] Call trace:\n[  136.913623]  brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.919658]  brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]\n[  136.925430]  brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]\n[  136.931636]  nl80211_start_sched_scan+0x140/0x308 [cfg80211]\n[  136.937298]  genl_rcv_msg+0x358/0x3f4\n[  136.940960]  netlink_rcv_skb+0xb4/0x118\n[  136.944795]  genl_rcv+0x34/0x48\n[  136.947935]  netlink_unicast+0x264/0x300\n[  136.951856]  netlink_sendmsg+0x2e4/0x33c\n[  136.955781]  __sys_sendto+0x120/0x19c",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix DMA mappings leak\n\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers.\n\nsteps for reproduction:\nwhile :\ndo\nfor ((i=0; i<=8160; i=i+32))\ndo\nethtool -G enp130s0f0 rx $i tx $i\nsleep 0.5\nethtool -g enp130s0f0\ndone\ndone\n\nThis resulted in crash:\ni40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536\nDriver BUG\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50\nCall Trace:\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\nMissing register, driver bug\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140\nCall Trace:\nxdp_rxq_info_unreg+0x1e/0x50\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\n\nThis was caused because of new buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in\ni40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,\nthus kfree on rx_bi caused leak of already mapped DMA.\n\nFix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally\nreallocate back to rx_bi when BPF program unloads.\n\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XSP_SETUP_XSK_POOL handler.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmrp: introduce active flags to prevent UAF when applicant uninit\n\nThe caller of del_timer_sync must prevent restarting of the timer, If\nwe have no this synchronization, there is a small probability that the\ncancellation will not be successful.\n\nAnd syzbot report the fellowing crash:\n==================================================================\nBUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]\nBUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\nWrite at addr f9ff000024df6058 by task syz-fuzzer/2256\nPointer tag: [f9], memory tag: [fe]\n\nCPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-\nge01d50cbd6ee #0\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156\n dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]\n show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x1a8/0x4a0 mm/kasan/report.c:395\n kasan_report+0x94/0xb4 mm/kasan/report.c:495\n __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320\n do_bad_area arch/arm64/mm/fault.c:473 [inline]\n do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749\n do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825\n el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367\n el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427\n el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576\n hlist_add_head include/linux/list.h:929 [inline]\n enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\n mod_timer+0x14/0x20 kernel/time/timer.c:1161\n mrp_periodic_timer_arm net/802/mrp.c:614 [inline]\n mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627\n call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474\n expire_timers+0x98/0xc4 kernel/time/timer.c:1519\n\nTo fix it, we can introduce a new active flags to make sure the timer will\nnot restart.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: da7219: Fix an error handling path in da7219_register_dai_clks()\n\nIf clk_hw_register() fails, the corresponding clk should not be\nunregistered.\n\nTo handle errors from loops, clean up partial iterations before doing the\ngoto.  So add a clk_hw_unregister().\nThen use a while (--i >= 0) loop in the unwind section.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()\n\nThe following warning was triggered on a hardware environment:\n\n  SELinux: Converting 162 SID table entries...\n  BUG: sleeping function called from invalid context at\n       __might_sleep+0x60/0x74 0x0\n  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar\n  CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1\n  Call trace:\n   dump_backtrace+0x0/0x1c8\n   show_stack+0x18/0x28\n   dump_stack+0xe8/0x15c\n   ___might_sleep+0x168/0x17c\n   __might_sleep+0x60/0x74\n   __kmalloc_track_caller+0xa0/0x7dc\n   kstrdup+0x54/0xac\n   convert_context+0x48/0x2e4\n   sidtab_context_to_sid+0x1c4/0x36c\n   security_context_to_sid_core+0x168/0x238\n   security_context_to_sid_default+0x14/0x24\n   inode_doinit_use_xattr+0x164/0x1e4\n   inode_doinit_with_dentry+0x1c0/0x488\n   selinux_d_instantiate+0x20/0x34\n   security_d_instantiate+0x70/0xbc\n   d_splice_alias+0x4c/0x3c0\n   ext4_lookup+0x1d8/0x200 [ext4]\n   __lookup_slow+0x12c/0x1e4\n   walk_component+0x100/0x200\n   path_lookupat+0x88/0x118\n   filename_lookup+0x98/0x130\n   user_path_at_empty+0x48/0x60\n   vfs_statx+0x84/0x140\n   vfs_fstatat+0x20/0x30\n   __se_sys_newfstatat+0x30/0x74\n   __arm64_sys_newfstatat+0x1c/0x2c\n   el0_svc_common.constprop.0+0x100/0x184\n   do_el0_svc+0x1c/0x2c\n   el0_svc+0x20/0x34\n   el0_sync_handler+0x80/0x17c\n   el0_sync+0x13c/0x140\n  SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is\n           not valid (left unmapped).\n\nIt was found that within a critical section of spin_lock_irqsave in\nsidtab_context_to_sid(), convert_context() (hooked by\nsidtab_convert_params.func) might cause the process to sleep via\nallocating memory with GFP_KERNEL, which is problematic.\n\nAs Ondrej pointed out [1], convert_context()/sidtab_convert_params.func\nhas another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.\nTherefore, fix this problem by adding a gfp_t argument for\nconvert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC\nproperly in individual callers.\n\n[PM: wrap long BUG() output lines, tweak subject line]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Delay the unmapping of the buffer\n\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\nsending a copy complete interrupt to the host driver while still\nprocessing the buffer that the driver has sent, this is leading into an\nSMMU fault triggering kernel panic. This is happening on copy engine\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\nfirmware. Upon receiving a copy complete interrupt, host driver will\nimmediately unmap and frees the buffer presuming that hardware has\nprocessed the buffer. In the issue case, upon receiving copy complete\ninterrupt, host driver will unmap and free the buffer but since hardware\nis still accessing the buffer (which in this case got unmapped in\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\nkernel panic.\n\nIn order to avoid this, as a work around, add a delay before unmapping\nthe copy engine source DMA buffer. This is conditionally done for\nWCN3990 and only for the CE3 channel where issue is seen.\n\nBelow is the crash signature:\n\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\nremoteproc remoteproc0: crash detected in\n4080000.remoteproc: type fatal error <3> remoteproc remoteproc0:\nhandling crash #1 in 4080000.remoteproc\n\npc : __arm_lpae_unmap+0x500/0x514\nlr : __arm_lpae_unmap+0x4bc/0x514\nsp : ffffffc011ffb530\nx29: ffffffc011ffb590 x28: 0000000000000000\nx27: 0000000000000000 x26: 0000000000000004\nx25: 0000000000000003 x24: ffffffc011ffb890\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\nx21: 0000000000000009 x20: 00000007fff7c000\nx19: 0000000000000003 x18: 0000000000000000\nx17: 0000000000000004 x16: ffffffd7a357d9f0\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\nx13: 000000000000000e x12: 0000000000000000\nx11: 00000000ffffffff x10: 00000000fffffe00\nx9 : 000000000000017c x8 : 000000000000000c\nx7 : 0000000000000000 x6 : ffffffa762ef9000\nx5 : 0000000000000003 x4 : 0000000000000004\nx3 : 0000000000001000 x2 : 00000007fff7c000\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\n__arm_lpae_unmap+0x500/0x514\n__arm_lpae_unmap+0x4bc/0x514\n__arm_lpae_unmap+0x4bc/0x514\narm_lpae_unmap_pages+0x78/0xa4\narm_smmu_unmap_pages+0x78/0x104\n__iommu_unmap+0xc8/0x1e4\niommu_unmap_fast+0x38/0x48\n__iommu_dma_unmap+0x84/0x104\niommu_dma_free+0x34/0x50\ndma_free_attrs+0xa4/0xd0\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\n[ath10k_core]\nath10k_halt+0x11c/0x180 [ath10k_core]\nath10k_stop+0x54/0x94 [ath10k_core]\ndrv_stop+0x48/0x1c8 [mac80211]\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\n[mac80211]\n__dev_open+0xb4/0x174\n__dev_change_flags+0xc4/0x1dc\ndev_change_flags+0x3c/0x7c\ndevinet_ioctl+0x2b4/0x580\ninet_ioctl+0xb0/0x1b4\nsock_do_ioctl+0x4c/0x16c\ncompat_ifreq_ioctl+0x1cc/0x35c\ncompat_sock_ioctl+0x110/0x2ac\n__arm64_compat_sys_ioctl+0xf4/0x3e0\nel0_svc_common+0xb4/0x17c\nel0_svc_compat_handler+0x2c/0x58\nel0_svc_compat+0x8/0x2c\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host\n\nSDIO may need addtional 511 bytes to align bus operation. If the tailroom\nof this skb is not big enough, we would access invalid memory region.\nFor low level operation, increase skb size to keep valid memory access in\nSDIO host.\n\nError message:\n[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0\n[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451\n[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W  OE  6.1.0-rc5 #1\n[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]\n[69.951] Call Trace:\n[69.951]  <TASK>\n[69.952]  dump_stack_lvl+0x49/0x63\n[69.952]  print_report+0x171/0x4a8\n[69.952]  kasan_report+0xb4/0x130\n[69.952]  kasan_check_range+0x149/0x1e0\n[69.952]  memcpy+0x24/0x70\n[69.952]  sg_copy_buffer+0xe9/0x1a0\n[69.952]  sg_copy_to_buffer+0x12/0x20\n[69.952]  __command_write_data.isra.0+0x23c/0xbf0 [vub300]\n[69.952]  vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]\n[69.952]  process_one_work+0x7ee/0x1320\n[69.952]  worker_thread+0x53c/0x1240\n[69.952]  kthread+0x2b8/0x370\n[69.952]  ret_from_fork+0x1f/0x30\n[69.952]  </TASK>\n\n[69.952] Allocated by task 854:\n[69.952]  kasan_save_stack+0x26/0x50\n[69.952]  kasan_set_track+0x25/0x30\n[69.952]  kasan_save_alloc_info+0x1b/0x30\n[69.952]  __kasan_kmalloc+0x87/0xa0\n[69.952]  __kmalloc_node_track_caller+0x63/0x150\n[69.952]  kmalloc_reserve+0x31/0xd0\n[69.952]  __alloc_skb+0xfc/0x2b0\n[69.952]  __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]\n[69.952]  mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]\n[69.952]  __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]\n[69.952]  mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]\n[69.952]  mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]\n[69.952]  mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]\n[69.952]  mt7921s_mcu_init+0x45/0x80 [mt7921s]\n[69.953]  mt7921_init_work+0xe1/0x2a0 [mt7921_common]\n[69.953]  process_one_work+0x7ee/0x1320\n[69.953]  worker_thread+0x53c/0x1240\n[69.953]  kthread+0x2b8/0x370\n[69.953]  ret_from_fork+0x1f/0x30\n[69.953] The buggy address belongs to the object at ffff88811c9ce800\n             which belongs to the cache kmalloc-2k of size 2048\n[69.953] The buggy address is located 0 bytes to the right of\n             2048-byte region [ffff88811c9ce800, ffff88811c9cf000)\n\n[69.953] Memory state around the buggy address:\n[69.953]  ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953]  ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953]                    ^\n[69.953]  ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953]  ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()\n\nInject fault while probing module, if device_register() fails in\nvdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is\nnot decreased to 0, the name allocated in dev_set_name() is leaked.\nFix this by calling put_device(), so that name can be freed in\ncallback function kobject_cleanup().\n\n(vdpa_sim_net)\nunreferenced object 0xffff88807eebc370 (size 16):\n  comm \"modprobe\", pid 3848, jiffies 4362982860 (age 18.153s)\n  hex dump (first 16 bytes):\n    76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5  vdpasim_net.kkk.\n  backtrace:\n    [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150\n    [<ffffffff81731d53>] kstrdup+0x33/0x60\n    [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110\n    [<ffffffff82d87aab>] dev_set_name+0xab/0xe0\n    [<ffffffff82d91a23>] device_add+0xe3/0x1a80\n    [<ffffffffa0270013>] 0xffffffffa0270013\n    [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0\n    [<ffffffff813739cb>] do_init_module+0x1ab/0x640\n    [<ffffffff81379d20>] load_module+0x5d00/0x77f0\n    [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0\n    [<ffffffff83c4d505>] do_syscall_64+0x35/0x80\n    [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n(vdpa_sim_blk)\nunreferenced object 0xffff8881070c1250 (size 16):\n  comm \"modprobe\", pid 6844, jiffies 4364069319 (age 17.572s)\n  hex dump (first 16 bytes):\n    76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5  vdpasim_blk.kkk.\n  backtrace:\n    [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150\n    [<ffffffff81731d53>] kstrdup+0x33/0x60\n    [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110\n    [<ffffffff82d87aab>] dev_set_name+0xab/0xe0\n    [<ffffffff82d91a23>] device_add+0xe3/0x1a80\n    [<ffffffffa0220013>] 0xffffffffa0220013\n    [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0\n    [<ffffffff813739cb>] do_init_module+0x1ab/0x640\n    [<ffffffff81379d20>] load_module+0x5d00/0x77f0\n    [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0\n    [<ffffffff83c4d505>] do_syscall_64+0x35/0x80\n    [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()\n\nThere are two refcount leak bugs in qcom_smsm_probe():\n\n(1) The 'local_node' is escaped out from for_each_child_of_node() as\nthe break of iteration, we should call of_node_put() for it in error\npath or when it is not used anymore.\n(2) The 'node' is escaped out from for_each_available_child_of_node()\nas the 'goto', we should call of_node_put() for it in goto target.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free during usb config switch\n\nIn the process of switching USB config from rndis to other config,\nif the hardware does not support the ->pullup callback, or the\nhardware encounters a low probability fault, both of them may cause\nthe ->pullup callback to fail, which will then cause a system panic\n(use after free).\n\nThe gadget drivers sometimes need to be unloaded regardless of the\nhardware's behavior.\n\nAnalysis as follows:\n=======================================================================\n(1) write /config/usb_gadget/g1/UDC \"none\"\n\ngether_disconnect+0x2c/0x1f8\nrndis_disable+0x4c/0x74\ncomposite_disconnect+0x74/0xb0\nconfigfs_composite_disconnect+0x60/0x7c\nusb_gadget_disconnect+0x70/0x124\nusb_gadget_unregister_driver+0xc8/0x1d8\ngadget_dev_desc_UDC_store+0xec/0x1e4\n\n(2) rm /config/usb_gadget/g1/configs/b.1/f1\n\nrndis_deregister+0x28/0x54\nrndis_free+0x44/0x7c\nusb_put_function+0x14/0x1c\nconfig_usb_cfg_unlink+0xc4/0xe0\nconfigfs_unlink+0x124/0x1c8\nvfs_unlink+0x114/0x1dc\n\n(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4\n\npanic+0x1fc/0x3d0\ndo_page_fault+0xa8/0x46c\ndo_mem_abort+0x3c/0xac\nel1_sync_handler+0x40/0x78\n0xffffff801138f880\nrndis_close+0x28/0x34\neth_stop+0x74/0x110\ndev_close_many+0x48/0x194\nrollback_registered_many+0x118/0x814\nunregister_netdev+0x20/0x30\ngether_cleanup+0x1c/0x38\nrndis_attr_release+0xc/0x14\nkref_put+0x74/0xb8\nconfigfs_rmdir+0x314/0x374\n\nIf gadget->ops->pullup() return an error, function rndis_close() will be\ncalled, then it will causes a use-after-free problem.\n=======================================================================",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: defer fsnotify calls to task context\n\nWe can't call these off the kiocb completion as that might be off\nsoft/hard irq context. Defer the calls to when we process the\ntask_work for this request. That avoids valid complaints like:\n\nstack backtrace:\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_usage_bug kernel/locking/lockdep.c:3961 [inline]\n valid_state kernel/locking/lockdep.c:3973 [inline]\n mark_lock_irq kernel/locking/lockdep.c:4176 [inline]\n mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632\n mark_lock kernel/locking/lockdep.c:4596 [inline]\n mark_usage kernel/locking/lockdep.c:4527 [inline]\n __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007\n lock_acquire kernel/locking/lockdep.c:5666 [inline]\n lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]\n fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688\n might_alloc include/linux/sched/mm.h:271 [inline]\n slab_pre_alloc_hook mm/slab.h:700 [inline]\n slab_alloc mm/slab.c:3278 [inline]\n __kmem_cache_alloc_lru mm/slab.c:3471 [inline]\n kmem_cache_alloc+0x39/0x520 mm/slab.c:3491\n fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]\n fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]\n fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948\n send_to_group fs/notify/fsnotify.c:360 [inline]\n fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570\n __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230\n fsnotify_parent include/linux/fsnotify.h:77 [inline]\n fsnotify_file include/linux/fsnotify.h:99 [inline]\n fsnotify_access include/linux/fsnotify.h:309 [inline]\n __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195\n io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228\n iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]\n iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178\n bio_endio+0x5f9/0x780 block/bio.c:1564\n req_bio_endio block/blk-mq.c:695 [inline]\n blk_update_request+0x3fc/0x1300 block/blk-mq.c:825\n scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541\n scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971\n scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438\n blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022\n __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571\n invoke_softirq kernel/softirq.c:445 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ieee802154: don't warn zero-sized raw_sendmsg()\n\nsyzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],\nfor PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting\n__dev_queue_xmit() with skb->len == 0.\n\nSince PF_IEEE802154 socket's zero-sized raw_sendmsg() request was\nable to return 0, don't call __dev_queue_xmit() if packet length is 0.\n\n  ----------\n  #include <sys/socket.h>\n  #include <netinet/in.h>\n\n  int main(int argc, char *argv[])\n  {\n    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };\n    struct iovec iov = { };\n    struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };\n    sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);\n    return 0;\n  }\n  ----------\n\nNote that this might be a sign that commit fd1894224407c484 (\"bpf: Don't\nredirect packets with invalid pkt_len\") should be reverted, for\nskb->len == 0 was acceptable for at least PF_IEEE802154 socket.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()\n\n'vc_ctrl_req' is alloced in virtio_crypto_alg_skcipher_close_session(),\nand should be freed in the invalid ctrl_status->status error handling\ncase. Otherwise there is a memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: fix potential resource leak in ssip_pn_open()\n\nssip_pn_open() claims the HSI client's port with hsi_claim_port(). When\nhsi_register_port_event() gets some error and returns a negetive value,\nthe HSI client's port should be released with hsi_release_port().\n\nFix it by calling hsi_release_port() when hsi_register_port_event() fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()\n\nsyzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for\nioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with\npkt_len = 0 but ath9k_hif_usb_rx_stream() uses\n__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that\npkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb\nwith uninitialized memory and ath9k_htc_rx_msg() is reading from\nuninitialized memory.\n\nSince bytes accessed by ath9k_htc_rx_msg() is not known until\nath9k_htc_rx_msg() is called, it would be difficult to check minimal valid\npkt_len at \"if (pkt_len > 2 * MAX_RX_BUF_SIZE) {\" line in\nath9k_hif_usb_rx_stream().\n\nWe have two choices. One is to workaround by adding __GFP_ZERO so that\nath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let\nath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose\nthe latter.\n\nNote that I'm not sure threshold condition is correct, for I can't find\ndetails on possible packet length used by this protocol.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: set tx_tstamps when creating new Tx rings via ethtool\n\nWhen the user changes the number of queues via ethtool, the driver\nallocates new rings. This allocation did not initialize tx_tstamps. This\nresults in the tx_tstamps field being zero (due to kcalloc allocation), and\nwould result in a NULL pointer dereference when attempting a transmit\ntimestamp on the new ring.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe()\n\nIf mtk_wed_add_hw() has been called, mtk_wed_exit() needs be called\nin error path or removing module to free the memory allocated in\nmtk_wed_add_hw().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: hold region lock when flushing snapshots\n\nNetdevsim triggers a splat on reload, when it destroys regions\nwith snapshots pending:\n\n  WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140\n  CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580\n  RIP: 0010:devlink_region_snapshot_del+0x12e/0x140\n  Call Trace:\n   <TASK>\n   devl_region_destroy+0x70/0x140\n   nsim_dev_reload_down+0x2f/0x60 [netdevsim]\n   devlink_reload+0x1f7/0x360\n   devlink_nl_cmd_reload+0x6ce/0x860\n   genl_family_rcv_msg_doit.isra.0+0x145/0x1c0\n\nThis is the locking assert in devlink_region_snapshot_del(),\nwe're supposed to be holding the region->snapshot_lock here.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: visconti: Fix memory leak in visconti_register_pll()\n\n@pll->rate_table has allocated memory by kmemdup(), if clk_hw_register()\nfails, it should be freed, otherwise it will cause memory leak issue,\nthis patch fixes it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix rmmod crash in driver reload test\n\nIn insmod/rmmod stress test, the following crash dump shows up immediately.\nThe problem is caused by missing mt76_dev in mt7921_pci_remove(). We\nshould make sure the drvdata is ready before probe() finished.\n\n[168.862789] ==================================================================\n[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480\n[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361\n[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G           OE     5.19.0-rc6 #1\n[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020\n[168.862820] Call Trace:\n[168.862822]  <TASK>\n[168.862825]  dump_stack_lvl+0x49/0x63\n[168.862832]  print_report.cold+0x493/0x6b7\n[168.862845]  kasan_report+0xa7/0x120\n[168.862857]  kasan_check_range+0x163/0x200\n[168.862861]  __kasan_check_write+0x14/0x20\n[168.862866]  try_to_grab_pending+0x59/0x480\n[168.862870]  __cancel_work_timer+0xbb/0x340\n[168.862898]  cancel_work_sync+0x10/0x20\n[168.862902]  mt7921_pci_remove+0x61/0x1c0 [mt7921e]\n[168.862909]  pci_device_remove+0xa3/0x1d0\n[168.862914]  device_remove+0xc4/0x170\n[168.862920]  device_release_driver_internal+0x163/0x300\n[168.862925]  driver_detach+0xc7/0x1a0\n[168.862930]  bus_remove_driver+0xeb/0x2d0\n[168.862935]  driver_unregister+0x71/0xb0\n[168.862939]  pci_unregister_driver+0x30/0x230\n[168.862944]  mt7921_pci_driver_exit+0x10/0x1b [mt7921e]\n[168.862949]  __x64_sys_delete_module+0x2f9/0x4b0\n[168.862968]  do_syscall_64+0x38/0x90\n[168.862973]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTest steps:\n1. insmode\n2. do not ifup\n3. rmmod quickly (within 1 second)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: stop mdx_raid1 thread when raid1 array run failed\n\nfail run raid1 array when we assemble array with the inactive disk only,\nbut the mdx_raid1 thread were not stop, Even if the associated resources\nhave been released. it will caused a NULL dereference when we do poweroff.\n\nThis causes the following Oops:\n    [  287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070\n    [  287.594762] #PF: supervisor read access in kernel mode\n    [  287.599912] #PF: error_code(0x0000) - not-present page\n    [  287.605061] PGD 0 P4D 0\n    [  287.607612] Oops: 0000 [#1] SMP NOPTI\n    [  287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G     U            5.10.146 #0\n    [  287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022\n    [  287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]\n    [  287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......\n    [  287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202\n    [  287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000\n    [  287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800\n    [  287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff\n    [  287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800\n    [  287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500\n    [  287.692052] FS:  0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000\n    [  287.700149] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    [  287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0\n    [  287.713033] Call Trace:\n    [  287.715498]  raid1d+0x6c/0xbbb [raid1]\n    [  287.719256]  ? __schedule+0x1ff/0x760\n    [  287.722930]  ? schedule+0x3b/0xb0\n    [  287.726260]  ? schedule_timeout+0x1ed/0x290\n    [  287.730456]  ? __switch_to+0x11f/0x400\n    [  287.734219]  md_thread+0xe9/0x140 [md_mod]\n    [  287.738328]  ? md_thread+0xe9/0x140 [md_mod]\n    [  287.742601]  ? wait_woken+0x80/0x80\n    [  287.746097]  ? md_register_thread+0xe0/0xe0 [md_mod]\n    [  287.751064]  kthread+0x11a/0x140\n    [  287.754300]  ? kthread_park+0x90/0x90\n    [  287.757974]  ret_from_fork+0x1f/0x30\n\nIn fact, when raid1 array run fail, we need to do\nmd_unregister_thread() before raid1_free().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: Fix use-after-free on ar5523_cmd() timed out\n\nsyzkaller reported a use-after-free with a stack trace like the one below [1]:\n\n[   38.960489][    C3] ==================================================================\n[   38.963216][    C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240\n[   38.964950][    C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0\n[   38.966363][    C3]\n[   38.967053][    C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18\n[   38.968464][    C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[   38.969959][    C3] Call Trace:\n[   38.970841][    C3]  <IRQ>\n[   38.971663][    C3]  dump_stack_lvl+0xfc/0x174\n[   38.972620][    C3]  print_report.cold+0x2c3/0x752\n[   38.973626][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.974644][    C3]  kasan_report+0xb1/0x1d0\n[   38.975720][    C3]  ? ar5523_cmd_tx_cb+0x220/0x240\n[   38.976831][    C3]  ar5523_cmd_tx_cb+0x220/0x240\n[   38.978412][    C3]  __usb_hcd_giveback_urb+0x353/0x5b0\n[   38.979755][    C3]  usb_hcd_giveback_urb+0x385/0x430\n[   38.981266][    C3]  dummy_timer+0x140c/0x34e0\n[   38.982925][    C3]  ? notifier_call_chain+0xb5/0x1e0\n[   38.984761][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.986242][    C3]  ? lock_release+0x51c/0x790\n[   38.987323][    C3]  ? _raw_read_unlock_irqrestore+0x37/0x70\n[   38.988483][    C3]  ? __wake_up_common_lock+0xde/0x130\n[   38.989621][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   38.990777][    C3]  ? lock_acquire+0x472/0x550\n[   38.991919][    C3]  ? rcu_read_lock_sched_held+0xb/0x60\n[   38.993138][    C3]  ? lock_acquire+0x472/0x550\n[   38.994890][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.996266][    C3]  ? do_raw_spin_unlock+0x16f/0x230\n[   38.997670][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   38.999116][    C3]  call_timer_fn+0x1a0/0x6a0\n[   39.000668][    C3]  ? add_timer_on+0x4a0/0x4a0\n[   39.002137][    C3]  ? reacquire_held_locks+0x4a0/0x4a0\n[   39.003809][    C3]  ? __next_timer_interrupt+0x226/0x2a0\n[   39.005509][    C3]  __run_timers.part.0+0x69a/0xac0\n[   39.007025][    C3]  ? dummy_urb_enqueue+0x860/0x860\n[   39.008716][    C3]  ? call_timer_fn+0x6a0/0x6a0\n[   39.010254][    C3]  ? cpuacct_percpu_seq_show+0x10/0x10\n[   39.011795][    C3]  ? kvm_sched_clock_read+0x14/0x40\n[   39.013277][    C3]  ? sched_clock_cpu+0x69/0x2b0\n[   39.014724][    C3]  run_timer_softirq+0xb6/0x1d0\n[   39.016196][    C3]  __do_softirq+0x1d2/0x9be\n[   39.017616][    C3]  __irq_exit_rcu+0xeb/0x190\n[   39.019004][    C3]  irq_exit_rcu+0x5/0x20\n[   39.020361][    C3]  sysvec_apic_timer_interrupt+0x8f/0xb0\n[   39.021965][    C3]  </IRQ>\n[   39.023237][    C3]  <TASK>\n\nIn ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below\n(there are other functions which finally call ar5523_cmd()):\n\nar5523_probe()\n-> ar5523_host_available()\n   -> ar5523_cmd_read()\n      -> ar5523_cmd()\n\nIf ar5523_cmd() timed out, then ar5523_host_available() failed and\nar5523_probe() freed the device structure.  So, ar5523_cmd_tx_cb()\nmight touch the freed structure.\n\nThis patch fixes this issue by canceling the in-flight tx cmd if the submitted\nurb timed out.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds check on Transfer Tag\n\nttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),\nadd a bounds check to avoid out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix pci device refcount leak\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put().\n\nSo before returning from amdgpu_device_resume|suspend_display_audio(),\npci_dev_put() is called to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: line6: fix stack overflow in line6_midi_transmit\n\nCorrectly calculate available space including the size of the chunk\nbuffer. This fixes a buffer overflow when multiple MIDI sysex\nmessages are sent to a PODxt device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Don't disable x2APIC if locked\n\nThe APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC\n(or x2APIC).  X2APIC mode is mostly compatible with legacy APIC, but\nit disables the memory-mapped APIC interface in favor of one that uses\nMSRs.  The APIC mode is controlled by the EXT bit in the APIC MSR.\n\nThe MMIO/xAPIC interface has some problems, most notably the APIC LEAK\n[1].  This bug allows an attacker to use the APIC MMIO interface to\nextract data from the SGX enclave.\n\nIntroduce support for a new feature that will allow the BIOS to lock\nthe APIC in x2APIC mode.  If the APIC is locked in x2APIC mode and the\nkernel tries to disable the APIC or revert to legacy APIC mode a GP\nfault will occur.\n\nIntroduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle\nthe new locked mode when the LEGACY_XAPIC_DISABLED bit is set by\npreventing the kernel from trying to disable the x2APIC.\n\nOn platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are\nenabled the LEGACY_XAPIC_DISABLED will be set by the BIOS.  If\nlegacy APIC is required, then SGX and TDX need to be disabled in the\nBIOS.\n\n[1]: https://aepicleak.com/aepicleak.pdf",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg\n\nThe calling convention for prep_slave_sg is to return NULL on error and\nprovide an error log to the system. Qcom-adm instead provides an error\npointer when an error occurs. This indirectly causes a kernel panic, for\nexample for the nandc driver that checks only if the pointer returned by\ndevice_prep_slave_sg is not NULL. Returning an error pointer makes nandc\nthink the device_prep_slave_sg function correctly completed and makes\nthe kernel panic later in the code.\n\nWhile nandc is the one that makes the kernel crash, it was pointed out\nthat the real problem is qcom-adm not following the calling convention for\nthat function.\n\nTo fix this, drop returning an error pointer and return NULL with an error\nlog.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ipu3-imgu: Fix NULL pointer dereference in active selection access\n\nWhat the IMGU driver did was that it first acquired the pointers to active\nand try V4L2 subdev state, and only then figured out which one to use.\n\nThe problem with that approach and a later patch (see Fixes: tag) is that\nas sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is\nnow an attempt to dereference that.\n\nFix this.\n\nAlso rewrap lines a little.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: fix memory leak in bnxt_nvm_test()\n\nFree the kzalloc'ed buffer before returning in the success path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix resource leak in regulator_register()\n\nI got some resource leak reports while doing fault injection test:\n\n  OF: ERROR: memory leak, expected refcount 1 instead of 100,\n  of_node_get()/of_node_put() unbalanced - destroy cset entry:\n  attach overlay node /i2c/pmic@64/regulators/buck1\n\nunreferenced object 0xffff88810deea000 (size 512):\n  comm \"490-i2c-rt5190a\", pid 253, jiffies 4294859840 (age 5061.046s)\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff  ................\n  backtrace:\n    [<00000000d78541e2>] kmalloc_trace+0x21/0x110\n    [<00000000b343d153>] device_private_init+0x32/0xd0\n    [<00000000be1f0c70>] device_add+0xb2d/0x1030\n    [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0\n    [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0\n    [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]\n\nunreferenced object 0xffff88810b617b80 (size 32):\n  comm \"490-i2c-rt5190a\", pid 253, jiffies 4294859904 (age 5060.983s)\n  hex dump (first 32 bytes):\n    72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53  regulator.2868-S\n    55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00  UPPLY...)...+...\n  backtrace:\n    [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0\n    [<0000000025c6a4e5>] kstrdup+0x3a/0x70\n    [<00000000790efb69>] create_regulator+0xc0/0x4e0\n    [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440\n    [<0000000045796214>] regulator_register+0x10b3/0x12a0\n    [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0\n    [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]\n\nAfter calling regulator_resolve_supply(), the 'rdev->supply' is set\nby set_supply(), after this set, in the error path, the resources\nneed be released, so call regulator_put() to avoid the leaks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()\n\nKASAN reports a use-after-free:\nBUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]\nCall Trace:\n ...\n dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]\n vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge]\n platform_probe+0xb6/0x170\n ...\nAllocated by task 1238:\n ...\n dvb_register_device+0x1a7/0xa70 [dvb_core]\n dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]\n vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]\n ...\nFreed by task 1238:\n dvb_register_device+0x6d2/0xa70 [dvb_core]\n dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]\n vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]\n ...\n\nIt is because the error handling in vidtv_bridge_dvb_init() is wrong.\n\nFirst, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but\ngoto fail_dmx(_dev): calls release functions again, which causes\nuse-after-free.\n\nAlso, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause\nout-of-bound when i finished its loop (i == NUM_FE). And the loop\nreleasing is wrong, although now NUM_FE is 1 so it won't cause problem.\n\nFix this by correctly releasing everything.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix possible use-after-free in async command interface\n\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nled to a use-after-free:\n\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\n   elevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\n   is about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\n   immediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\n   object.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\n   object.\n\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\n\nTrace:\n\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\n\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x57/0x7d\n print_report.cold+0x2d5/0x684\n ? do_raw_spin_lock+0x23d/0x270\n kasan_report+0xb1/0x1a0\n ? do_raw_spin_lock+0x23d/0x270\n do_raw_spin_lock+0x23d/0x270\n ? rwlock_bug.part.0+0x90/0x90\n ? __delete_object+0xb8/0x100\n ? lock_downgrade+0x6e0/0x6e0\n _raw_spin_lock_irqsave+0x43/0x60\n ? __wake_up_common_lock+0xb9/0x140\n __wake_up_common_lock+0xb9/0x140\n ? __wake_up_common+0x650/0x650\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kasan_set_track+0x21/0x30\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kfree+0x1ba/0x520\n ? do_raw_spin_unlock+0x54/0x220\n mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n ? dump_command+0xcc0/0xcc0 [mlx5_core]\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n ? irq_release+0x140/0x140 [mlx5_core]\n irq_int_handler+0x19/0x30 [mlx5_core]\n __handle_irq_event_percpu+0x1f2/0x620\n handle_irq_event+0xb2/0x1d0\n handle_edge_irq+0x21e/0xb00\n __common_interrupt+0x79/0x1a0\n common_interrupt+0x78/0xa0\n </IRQ>\n <TASK>\n asm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n ? default_idle_call+0xcc/0x450\n default_idle_call+0xec/0x450\n do_idle+0x394/0x450\n ? arch_cpu_idle_exit+0x40/0x40\n ? do_idle+0x17/0x450\n cpu_startup_entry+0x19/0x20\n start_secondary+0x221/0x2b0\n ? set_cpu_sibling_map+0x2070/0x2070\n secondary_startup_64_no_verify+0xcd/0xdb\n </TASK>\n\nAllocated by task 49502:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n kvmalloc_node+0x48/0xe0\n mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\n mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\n mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\n mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\n mlx5e_detach_netdev+0x1c\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: efct: Fix possible memleak in efct_device_init()\n\nIn efct_device_init(), when efct_scsi_reg_fc_transport() fails,\nefct_scsi_tgt_driver_exit() is not called to release memory for\nefct_scsi_tgt_driver_init() and causes memleak:\n\nunreferenced object 0xffff8881020ce000 (size 2048):\n  comm \"modprobe\", pid 465, jiffies 4294928222 (age 55.872s)\n  backtrace:\n    [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110\n    [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod]\n    [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct]\n    [<00000000115de533>] 0xffffffffc0d90011\n    [<00000000d608f646>] do_one_initcall+0xd0/0x4e0\n    [<0000000067828cf1>] do_init_module+0x1cc/0x6a0\n    ...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/lcs: Fix return type of lcs_start_xmit()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n  drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .ndo_start_xmit         = lcs_start_xmit,\n                                    ^~~~~~~~~~~~~~\n  drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n          .ndo_start_xmit         = lcs_start_xmit,\n                                    ^~~~~~~~~~~~~~\n\n->ndo_start_xmit() in 'struct net_device_ops' expects a return type of\n'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to\nmatch the prototype's to resolve the warning and potential CFI failure,\nshould s390 select ARCH_SUPPORTS_CFI_CLANG in the future.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix resource leak in ksmbd_session_rpc_open()\n\nWhen ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to\nundo the result of ksmbd_ipc_id_alloc().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback of some newly\nallocated dirty blocks. It converts unwritten extents to written, the\nextents could be merged to the upper level and free extent blocks, so it\ncould mark the inode dirty again even though this inode has been marked\nI_FREEING. But the inode->i_io_list check and warning in\next4_evict_inode() miss this corner case. Fortunately,\next4_evict_inode() will wait for all extent conversions to finish before this\ncheck, so it will not lead to an inode use-after-free problem; everything\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add the\ncurrent dioread_nolock case in, it will become not very useful, so fix\nthis warning by just removing this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n  <TASK>\n  evict+0x11c/0x2b0\n  iput+0x236/0x3a0\n  do_unlinkat+0x1b4/0x490\n  __x64_sys_unlinkat+0x4c/0xb0\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm                          kworker\n                            ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n                             ext4_convert_unwritten_io_end_vec()\n                              ext4_convert_unwritten_extents()\n                               ext4_map_blocks()\n                                ext4_ext_map_blocks()\n                                 ext4_ext_try_to_merge_up()\n                                  __mark_inode_dirty()\n                                   check !I_FREEING\n                                   locked_inode_to_wb_and_lock_list()\n iput()\n  iput_final()\n   evict()\n    ext4_evict_inode()\n     truncate_inode_pages_final() //wait release io_end\n                                    inode_io_list_move_locked()\n                             ext4_release_io_end()\n     trigger WARN_ON_ONCE()",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: akcipher - default implementation for setting a private key\n\nChanges from v1:\n  * removed the default implementation from set_pub_key: it is assumed that\n    an implementation must always have this callback defined as there are\n    no use case for an algorithm, which doesn't need a public key\n\nMany akcipher implementations (like ECDSA) support only signature\nverifications, so they don't have all callbacks defined.\n\nCommit 78a0324f4a53 (\"crypto: akcipher - default implementations for\nrequest callbacks\") introduced default callbacks for sign/verify\noperations, which just return an error code.\n\nHowever, these are not enough, because before calling sign the caller would\nlikely call set_priv_key first on the instantiated transform (as the\nin-kernel testmgr does). This function does not have a default stub, so the\nkernel crashes, when trying to set a private key on an akcipher, which\ndoesn't support signature generation.\n\nI've noticed this, when trying to add a KAT vector for ECDSA signature to\nthe testmgr.\n\nWith this patch the testmgr returns an error in dmesg (as it should)\ninstead of crashing the kernel NULL ptr dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8192u: Fix use after free in ieee80211_rx()\n\nWe cannot dereference the \"skb\" pointer after calling\nieee80211_monitor_rx(), because it is a use after free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: idmouse: fix an uninit-value in idmouse_open\n\nIn idmouse_create_image, if any ftip_command fails, it will\ngo to the reset label. However, this leads to the data in\nbulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check\nfor valid image incurs an uninitialized dereference.\n\nFix this by moving the check before reset label since this\ncheck only be valid if the data after bulk_in_buffer[HEADER]\nhas concrete data.\n\nNote that this is found by KMSAN, so only kernel compilation\nis tested.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: Fix memleak in nvmem_register()\n\ndev_set_name will alloc memory for nvmem->dev.kobj.name in\nnvmem_register, when nvmem_validate_keepouts failed, nvmem's\nmemory will be freed and return, but nobody will free memory\nfor nvmem->dev.kobj.name, there will be memleak, so moving\nnvmem_validate_keepouts() after device_register() and let\nthe device core deal with cleaning name in error cases.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: do not run mt76u_status_worker if the device is not running\n\nFix the following NULL pointer dereference by avoiding running the\nmt76u_status_worker thread if the device is not running yet.\n\nKASAN: null-ptr-deref in range\n[0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware\nname: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: mt76 mt76u_tx_status_data\nRIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0\nCode: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>\nb6\n04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7\nRSP: 0018:ffffc900005af988 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a\nRBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c\nR10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8\nR13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28\nFS:  0000000000000000(0000) GS:ffff88811aa00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n mt76x02_send_tx_status+0x1d2/0xeb0\n mt76x02_tx_status_data+0x8e/0xd0\n mt76u_tx_status_data+0xe1/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\n ret_from_fork+0x1f/0x30\nModules linked in:\n--[ end trace 8df5d20fc5040f65 ]--\nRIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0\nCode: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>\nb6\n04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7\nRSP: 0018:ffffc900005af988 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a\nRBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c\nR10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8\nR13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28\nFS:  0000000000000000(0000) GS:ffff88811aa00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0\nPKRU: 55555554\n\nMoreover move the stat_work schedule out of the for loop.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix immediate work request flush to completion queue\n\nCorrectly set send queue element opcode during immediate work request\nflushing in post sendqueue operation, if the QP is in ERROR state.\nAn undefined opcode value results in out-of-bounds access to an array\nfor mapping the opcode between siw internal and RDMA core representation\nin work completion generation. It resulted in a KASAN BUG report\nof type 'global-out-of-bounds' during NFSoRDMA testing.\n\nThis patch further fixes a potential case of a malicious user which may\nwrite undefined values for completion queue elements status or opcode,\nif the CQ is memory mapped to user land. It avoids the same out-of-bounds\naccess to arrays for status and opcode mapping as described above.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate index root when initialize NTFS security\n\nThis enhances the sanity check for $SDH and $SII while initializing NTFS\nsecurity, guarantees these index root are legit.\n\n[  162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320\n[  162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243\n[  162.460851]\n[  162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42\n[  162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  162.462609] Call Trace:\n[  162.462954]  <TASK>\n[  162.463276]  dump_stack_lvl+0x49/0x63\n[  162.463822]  print_report.cold+0xf5/0x689\n[  162.464608]  ? unwind_get_return_address+0x3a/0x60\n[  162.465766]  ? hdr_find_e.isra.0+0x10c/0x320\n[  162.466975]  kasan_report+0xa7/0x130\n[  162.467506]  ? _raw_spin_lock_irq+0xc0/0xf0\n[  162.467998]  ? hdr_find_e.isra.0+0x10c/0x320\n[  162.468536]  __asan_load2+0x68/0x90\n[  162.468923]  hdr_find_e.isra.0+0x10c/0x320\n[  162.469282]  ? cmp_uints+0xe0/0xe0\n[  162.469557]  ? cmp_sdh+0x90/0x90\n[  162.469864]  ? ni_find_attr+0x214/0x300\n[  162.470217]  ? ni_load_mi+0x80/0x80\n[  162.470479]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  162.470931]  ? ntfs_bread_run+0x190/0x190\n[  162.471307]  ? indx_get_root+0xe4/0x190\n[  162.471556]  ? indx_get_root+0x140/0x190\n[  162.471833]  ? indx_init+0x1e0/0x1e0\n[  162.472069]  ? fnd_clear+0x115/0x140\n[  162.472363]  ? _raw_spin_lock_irqsave+0x100/0x100\n[  162.472731]  indx_find+0x184/0x470\n[  162.473461]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  162.474429]  ? indx_find_buffer+0x2d0/0x2d0\n[  162.474704]  ? do_syscall_64+0x3b/0x90\n[  162.474962]  dir_search_u+0x196/0x2f0\n[  162.475381]  ? ntfs_nls_to_utf16+0x450/0x450\n[  162.475661]  ? ntfs_security_init+0x3d6/0x440\n[  162.475906]  ? is_sd_valid+0x180/0x180\n[  162.476191]  ntfs_extend_init+0x13f/0x2c0\n[  162.476496]  ? ntfs_fix_post_read+0x130/0x130\n[  162.476861]  ? iput.part.0+0x286/0x320\n[  162.477325]  ntfs_fill_super+0x11e0/0x1b50\n[  162.477709]  ? put_ntfs+0x1d0/0x1d0\n[  162.477970]  ? vsprintf+0x20/0x20\n[  162.478258]  ? set_blocksize+0x95/0x150\n[  162.478538]  get_tree_bdev+0x232/0x370\n[  162.478789]  ? put_ntfs+0x1d0/0x1d0\n[  162.479038]  ntfs_fs_get_tree+0x15/0x20\n[  162.479374]  vfs_get_tree+0x4c/0x130\n[  162.479729]  path_mount+0x654/0xfe0\n[  162.480124]  ? putname+0x80/0xa0\n[  162.480484]  ? finish_automount+0x2e0/0x2e0\n[  162.480894]  ? putname+0x80/0xa0\n[  162.481467]  ? kmem_cache_free+0x1c4/0x440\n[  162.482280]  ? putname+0x80/0xa0\n[  162.482714]  do_mount+0xd6/0xf0\n[  162.483264]  ? path_mount+0xfe0/0xfe0\n[  162.484782]  ? __kasan_check_write+0x14/0x20\n[  162.485593]  __x64_sys_mount+0xca/0x110\n[  162.486024]  do_syscall_64+0x3b/0x90\n[  162.486543]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  162.487141] RIP: 0033:0x7f9d374e948a\n[  162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5\n[  162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a\n[  162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0\n[  162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020\n[  162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0\n[  162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff\n[  162.493644]  </TASK>\n[  162.493908]\n[  162.494214] The buggy address belongs to the physical page:\n[  162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc\n[  162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n[  162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000\n[  162.498928] raw: 0000000000000000 0000000000240000 0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-vdpa: fix an iotlb memory leak\n\nBefore commit 3d5698793897 (\"vhost-vdpa: introduce asid based IOTLB\")\nwe called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during\nrelease to free all the resources allocated when processing user IOTLB\nmessages through vhost_vdpa_process_iotlb_update().\nThat commit changed the handling of IOTLB a bit, and we accidentally\nremoved some code called during the release.\n\nWe partially fixed this with commit 037d4305569a (\"vhost-vdpa: call\nvhost_vdpa_cleanup during the release\") but a potential memory leak is\nstill there as shown by kmemleak if the application does not send\nVHOST_IOTLB_INVALIDATE or crashes:\n\n  unreferenced object 0xffff888007fbaa30 (size 16):\n    comm \"blkio-bench\", pid 914, jiffies 4294993521 (age 885.500s)\n    hex dump (first 16 bytes):\n      40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00  @sA.............\n    backtrace:\n      [<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0\n      [<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]\n      [<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost]\n      [<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]\n      [<00000000de1cd4a0>] vfs_write+0x216/0x4b0\n      [<00000000a2850200>] ksys_write+0x71/0xf0\n      [<00000000de8e720b>] __x64_sys_write+0x19/0x20\n      [<0000000018b12cbb>] do_syscall_64+0x3f/0x90\n      [<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nLet's fix this by calling vhost_vdpa_iotlb_unmap() on the whole range in\nvhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup()\nsince we need a valid v->vdev.mm in vhost_vdpa_pa_unmap().\nvhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap()\non the whole range removes all the entries.\n\nThe kmemleak log reported was observed with a vDPA device that has `use_va`\nset to true (e.g. VDUSE). This patch has been tested with both types of\ndevices.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add null pointer check for inode operations\n\nThis adds a sanity check for the i_op pointer of the inode which is\nreturned after reading Root directory MFT record. We should check the\ni_op is valid before trying to create the root dentry, otherwise we may\nencounter a NPD while mounting an image with a funny Root directory MFT\nrecord.\n\n[  114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[  114.484811] #PF: supervisor read access in kernel mode\n[  114.485084] #PF: error_code(0x0000) - not-present page\n[  114.485606] PGD 0 P4D 0\n[  114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[  114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G    B              6.0.0-rc4 #28\n[  114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110\n[  114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241\n[  114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296\n[  114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea\n[  114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020\n[  114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05\n[  114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000\n[  114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750\n[  114.492397] FS:  00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000\n[  114.492797] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0\n[  114.493671] Call Trace:\n[  114.493890]  <TASK>\n[  114.494075]  __d_instantiate+0x24/0x1c0\n[  114.494505]  d_instantiate.part.0+0x35/0x50\n[  114.494754]  d_make_root+0x53/0x80\n[  114.494998]  ntfs_fill_super+0x1232/0x1b50\n[  114.495260]  ? put_ntfs+0x1d0/0x1d0\n[  114.495499]  ? vsprintf+0x20/0x20\n[  114.495723]  ? set_blocksize+0x95/0x150\n[  114.495964]  get_tree_bdev+0x232/0x370\n[  114.496272]  ? put_ntfs+0x1d0/0x1d0\n[  114.496502]  ntfs_fs_get_tree+0x15/0x20\n[  114.496859]  vfs_get_tree+0x4c/0x130\n[  114.497099]  path_mount+0x654/0xfe0\n[  114.497507]  ? putname+0x80/0xa0\n[  114.497933]  ? finish_automount+0x2e0/0x2e0\n[  114.498362]  ? putname+0x80/0xa0\n[  114.498571]  ? kmem_cache_free+0x1c4/0x440\n[  114.498819]  ? putname+0x80/0xa0\n[  114.499069]  do_mount+0xd6/0xf0\n[  114.499343]  ? path_mount+0xfe0/0xfe0\n[  114.499683]  ? __kasan_check_write+0x14/0x20\n[  114.500133]  __x64_sys_mount+0xca/0x110\n[  114.500592]  do_syscall_64+0x3b/0x90\n[  114.500930]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  114.501294] RIP: 0033:0x7fdc898e948a\n[  114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[  114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a\n[  114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0\n[  114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020\n[  114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0\n[  114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff\n[  114.506562]  </TASK>\n[  114.506887] Modules linked in:\n[  114.507648] CR2: 0000000000000008\n[  114.508884] ---[ end trace 0000000000000000 ]---\n[  114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110\n[  114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241\n[  114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296\n[  114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea\n[  114.51\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()\n\nSyzkaller reports a long-known leak of urbs in\nath9k_hif_usb_dealloc_tx_urbs().\n\nThe cause of the leak is that usb_get_urb() is called but usb_free_urb()\n(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or\nurb->ep fields have not been initialized and usb_kill_urb() returns\nimmediately.\n\nThe patch removes trying to kill urbs located in hif_dev->tx.tx_buf\nbecause hif_dev->tx.tx_buf is not supposed to contain urbs which are in\npending state (the pending urbs are stored in hif_dev->tx.tx_pending).\nThe tx.tx_lock is acquired so there should not be any changes in the list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Disable useless interrupt to avoid kernel panic\n\nThere is a hardware bug that the interrupt STMBUF_HALF may be triggered\nafter or when disabling the interrupt.\nIt may lead to an unexpected kernel panic.\nAnd interrupts STMBUF_HALF and STMBUF_RTND have no other effect.\nSo disable them and the unused interrupts.\n\nMeanwhile, clear the interrupt status when disabling the interrupt.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible refcount leak in afu_ioctl()\n\neventfd_ctx_put needs to be called to put the refcount that was gotten by\neventfd_ctx_fdget when ocxl_irq_set_handler fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: Fix pcluster memleak when its block address is zero\n\nsyzkaller reported a memleak:\nhttps://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed\n\nunreferenced object 0xffff88811009c7f8 (size 136):\n  ...\n  backtrace:\n    [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740\n    [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580\n    [<ffffffff814bc0d6>] read_pages+0x86/0x3d0\n    ...\n\nsyzkaller constructed a case: in z_erofs_register_pcluster(),\nztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be\nzero although pcl is not an inline pcluster.\n\nThen the following path adds a refcount for grp, but the refcount won't be put\nbecause pcl is inline.\n\nz_erofs_readahead()\n  z_erofs_do_read_page() # for another page\n    z_erofs_collector_begin()\n      erofs_find_workgroup()\n        erofs_workgroup_get()\n\nSince it's illegal for the block address of a non-inlined pcluster to\nbe zero, add a check here to avoid registering the pcluster which would\nbe leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs\n\nDuring I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a\nhard lockup similar to the call trace below may occur.\n\nThe spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer\ninterrupts as expected, so change the strength of the spin lock to _irq.\n\nKernel panic - not syncing: Hard LOCKUP\nCPU: 3 PID: 110402 Comm: cat Kdump: loaded\n\nexception RIP: native_queued_spin_lock_slowpath+91\n\n[IRQ stack]\n native_queued_spin_lock_slowpath at ffffffffb814e30b\n _raw_spin_lock at ffffffffb89a667a\n lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]\n lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]\n __hrtimer_run_queues at ffffffffb8184250\n hrtimer_interrupt at ffffffffb8184ab0\n smp_apic_timer_interrupt at ffffffffb8a026ba\n apic_timer_interrupt at ffffffffb8a01c4f\n[End of IRQ stack]\n\n apic_timer_interrupt at ffffffffb8a01c4f\n lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]\n lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]\n full_proxy_read at ffffffffb83e7fc3\n vfs_read at ffffffffb833fe71\n ksys_read at ffffffffb83402af\n do_syscall_64 at ffffffffb800430b\n entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: tegra-video: fix device_node use after free\n\nAt probe time this code path is followed:\n\n * tegra_csi_init\n   * tegra_csi_channels_alloc\n     * for_each_child_of_node(node, channel) -- iterates over channels\n       * automatically gets 'channel'\n         * tegra_csi_channel_alloc()\n           * saves into chan->of_node a pointer to the channel OF node\n       * automatically gets and puts 'channel'\n       * now the node saved in chan->of_node has refcount 0, can disappear\n   * tegra_csi_channels_init\n     * iterates over channels\n       * tegra_csi_channel_init -- uses chan->of_node\n\nAfter that, chan->of_node keeps storing the node until the device is\nremoved.\n\nof_node_get() the node and of_node_put() it during teardown to avoid any\nrisk.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: validate the extent length for uncompressed pclusters\n\nsyzkaller reported a KASAN use-after-free:\nhttps://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2\n\nThe referenced fuzzed image actually has two issues:\n - m_pa == 0 as a non-inlined pcluster;\n - The logical length is longer than its physical length.\n\nThe first issue has already been addressed.  This patch addresses\nthe second issue by checking the extent length validity.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: Fix OOB Write in hfs_asc2mac\n\nSyzbot reported an OOB Write bug:\n\nloop0: detected capacity change from 0 to 64\n==================================================================\nBUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0\nfs/hfs/trans.c:133\nWrite of size 1 at addr ffff88801848314e by task syz-executor391/3632\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133\n hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28\n hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n\nIf in->len is much larger than HFS_NAMELEN(31) which is the maximum\nlength of an HFS filename, an OOB write could occur in hfs_asc2mac(). In\nthat case, when the dst reaches the boundary, the srclen is still\ngreater than 0, which causes an OOB write.\nFix this by adding a check on dstlen in while() before writing to dst\naddress.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: mqueue: fix possible memory leak in init_mqueue_fs()\n\ncommit db7cfc380900 (\"ipc: Free mq_sysctls if ipc namespace creation\nfailed\")\n\nHere's a similar memory leak to the one fixed by the patch above.\nretire_mq_sysctls needs to be called when init_mqueue_fs fails after\nsetup_mq_sysctls.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: fix potential integer overflow in encode_comp_t()\n\nThe integer overflow is described with the following code:\n  > 317 static comp_t encode_comp_t(u64 value)\n  > 318 {\n  > 319         int exp, rnd;\n    ......\n  > 341         exp <<= MANTSIZE;\n  > 342         exp += value;\n  > 343         return exp;\n  > 344 }\n\nCurrently comp_t is defined as type of '__u16', but the variable 'exp' is\ntype of 'int', so overflow would happen when variable 'exp' in line 343 is\ngreater than 65535.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure\n\nIn case mipi_dsi_attach() fails, call drm_panel_remove() to\navoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs: fix possible memory leak in configfs_create_dir()\n\nkmemleak reported memory leaks in configfs_create_dir():\n\nunreferenced object 0xffff888009f6af00 (size 192):\n  comm \"modprobe\", pid 3777, jiffies 4295537735 (age 233.784s)\n  backtrace:\n    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)\n    new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)\n    configfs_register_subsystem (fs/configfs/dir.c:1857)\n    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic\n    do_one_initcall (init/main.c:1296)\n    do_init_module (kernel/module/main.c:2455)\n    ...\n\nunreferenced object 0xffff888003ba7180 (size 96):\n  comm \"modprobe\", pid 3777, jiffies 4295537735 (age 233.784s)\n  backtrace:\n    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)\n    configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)\n    configfs_make_dirent (fs/configfs/dir.c:248)\n    configfs_create_dir (fs/configfs/dir.c:296)\n    configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)\n    configfs_register_subsystem (fs/configfs/dir.c:1881)\n    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic\n    do_one_initcall (init/main.c:1296)\n    do_init_module (kernel/module/main.c:2455)\n    ...\n\nThis is because the refcount is not correct in configfs_make_dirent().\nFor normal stage, the refcount is changing as:\n\nconfigfs_register_subsystem()\n  configfs_create_dir()\n    configfs_make_dirent()\n      configfs_new_dirent() # set s_count = 1\n      dentry->d_fsdata = configfs_get(sd); # s_count = 2\n...\nconfigfs_unregister_subsystem()\n  configfs_remove_dir()\n    remove_dir()\n      configfs_remove_dirent() # s_count = 1\n    dput() ...\n      *dentry_unlink_inode()*\n        configfs_d_iput() # s_count = 0, release\n\nHowever, if we failed in configfs_create():\n\nconfigfs_register_subsystem()\n  configfs_create_dir()\n    configfs_make_dirent() # s_count = 2\n    ...\n    configfs_create() # fail\n    ->out_remove:\n    configfs_remove_dirent(dentry)\n      configfs_put(sd) # s_count = 1\n      return PTR_ERR(inode);\n\nThere is no inode in the error path, so the configfs_d_iput() is lost\nand makes sd and fragment memory leaked.\n\nTo fix this, when we failed in configfs_create(), manually call\nconfigfs_put(sd) to keep the refcount correct.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()\n\nWhen running chunk-sized reads on disks with badblocks duplicate bio\nfree/puts are observed:\n\n   =============================================================================\n   BUG bio-200 (Not tainted): Object already free\n   -----------------------------------------------------------------------------\n   Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504\n    __slab_alloc.constprop.0+0x5a/0xb0\n    kmem_cache_alloc+0x31e/0x330\n    mempool_alloc_slab+0x17/0x20\n    mempool_alloc+0x100/0x2b0\n    bio_alloc_bioset+0x181/0x460\n    do_mpage_readpage+0x776/0xd00\n    mpage_readahead+0x166/0x320\n    blkdev_readahead+0x15/0x20\n    read_pages+0x13f/0x5f0\n    page_cache_ra_unbounded+0x18d/0x220\n    force_page_cache_ra+0x181/0x1c0\n    page_cache_sync_ra+0x65/0xb0\n    filemap_get_pages+0x1df/0xaf0\n    filemap_read+0x1e1/0x700\n    blkdev_read_iter+0x1e5/0x330\n    vfs_read+0x42a/0x570\n   Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504\n    kmem_cache_free+0x46d/0x490\n    mempool_free_slab+0x17/0x20\n    mempool_free+0x66/0x190\n    bio_free+0x78/0x90\n    bio_put+0x100/0x1a0\n    raid5_make_request+0x2259/0x2450\n    md_handle_request+0x402/0x600\n    md_submit_bio+0xd9/0x120\n    __submit_bio+0x11f/0x1b0\n    submit_bio_noacct_nocheck+0x204/0x480\n    submit_bio_noacct+0x32e/0xc70\n    submit_bio+0x98/0x1a0\n    mpage_readahead+0x250/0x320\n    blkdev_readahead+0x15/0x20\n    read_pages+0x13f/0x5f0\n    page_cache_ra_unbounded+0x18d/0x220\n   Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n   CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n   Workqueue: raid5wq raid5_do_work\n   Call Trace:\n    <TASK>\n    dump_stack_lvl+0x5a/0x78\n    dump_stack+0x10/0x16\n    print_trailer+0x158/0x165\n    object_err+0x35/0x50\n    free_debug_processing.cold+0xb7/0xbe\n    __slab_free+0x1ae/0x330\n    kmem_cache_free+0x46d/0x490\n    mempool_free_slab+0x17/0x20\n    mempool_free+0x66/0x190\n    bio_free+0x78/0x90\n    bio_put+0x100/0x1a0\n    mpage_end_io+0x36/0x150\n    bio_endio+0x2fd/0x360\n    md_end_io_acct+0x7e/0x90\n    bio_endio+0x2fd/0x360\n    handle_failed_stripe+0x960/0xb80\n    handle_stripe+0x1348/0x3760\n    handle_active_stripes.constprop.0+0x72a/0xaf0\n    raid5_do_work+0x177/0x330\n    process_one_work+0x616/0xb20\n    worker_thread+0x2bd/0x6f0\n    kthread+0x179/0x1b0\n    ret_from_fork+0x22/0x30\n    </TASK>\n\nThe double free is caused by an unnecessary bio_put() in the\nif(is_badblock(...)) error path in raid5_read_one_chunk().\n\nThe error path was moved ahead of bio_alloc_clone() in c82aa1b76787c\n(\"md/raid5: move checking badblock before clone bio in\nraid5_read_one_chunk\"). The previous code checked and freed align_bio\nwhich required a bio_put. After the move that is no longer needed as\nraid_bio is returned to the control of the common io path which\nperforms its own endio resulting in a double free on bad device blocks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on summary info\n\nAs Wenqing Liu reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=216456\n\nBUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]\nRead of size 4 at addr ffff8881464dcd80 by task mount/1013\n\nCPU: 3 PID: 1013 Comm: mount Tainted: G        W          6.0.0-rc4 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n dump_stack_lvl+0x45/0x5e\n print_report.cold+0xf3/0x68d\n kasan_report+0xa8/0x130\n recover_data+0x63ae/0x6ae0 [f2fs]\n f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]\n f2fs_fill_super+0x4665/0x61e0 [f2fs]\n mount_bdev+0x2cf/0x3b0\n legacy_get_tree+0xed/0x1d0\n vfs_get_tree+0x81/0x2b0\n path_mount+0x47e/0x19d0\n do_mount+0xce/0xf0\n __x64_sys_mount+0x12c/0x1a0\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node\nis larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size\npage.\n\n- recover_data\n - do_recover_data\n  - check_index_in_prev_nodes\n   - f2fs_data_blkaddr\n\nThis patch adds sanity check on summary info in recovery and GC flow\nin where the flows rely on them.\n\nAfter patch:\n[   29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix a memleak in multi_transaction_new()\n\nIn multi_transaction_new(), the variable t is not freed or passed out\non the failure of copy_from_user(t->data, buf, size), which could lead\nto a memleak.\n\nFix this bug by adding a put_multi_transaction(t) in the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid double brelse() in udf_rename()\n\nsyzbot reported a warning like below [1]:\n\nVFS: brelse: Trying to free free buffer\nWARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0\n...\nCall Trace:\n <TASK>\n invalidate_bh_lru+0x99/0x150\n smp_call_function_many_cond+0xe2a/0x10c0\n ? generic_remap_file_range_prep+0x50/0x50\n ? __brelse+0xa0/0xa0\n ? __mutex_lock+0x21c/0x12d0\n ? smp_call_on_cpu+0x250/0x250\n ? rcu_read_lock_sched_held+0xb/0x60\n ? lock_release+0x587/0x810\n ? __brelse+0xa0/0xa0\n ? generic_remap_file_range_prep+0x50/0x50\n on_each_cpu_cond_mask+0x3c/0x80\n blkdev_flush_mapping+0x13a/0x2f0\n blkdev_put_whole+0xd3/0xf0\n blkdev_put+0x222/0x760\n deactivate_locked_super+0x96/0x160\n deactivate_super+0xda/0x100\n cleanup_mnt+0x222/0x3d0\n task_work_run+0x149/0x240\n ? task_work_cancel+0x30/0x30\n do_exit+0xb29/0x2a40\n ? reacquire_held_locks+0x4a0/0x4a0\n ? do_raw_spin_lock+0x12a/0x2b0\n ? mm_update_next_owner+0x7c0/0x7c0\n ? rwlock_bug.part.0+0x90/0x90\n ? zap_other_threads+0x234/0x2d0\n do_group_exit+0xd0/0x2a0\n __x64_sys_exit_group+0x3a/0x50\n do_syscall_64+0x34/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that brelse() is called on both ofibh.sbh\nand ofibh.ebh by udf_find_entry() when it returns NULL.  However,\nbrelse() is called by udf_rename(), too.  So, b_count on buffer_head\nbecomes unbalanced.\n\nThis patch fixes the issue by not calling brelse() by udf_rename()\nwhen udf_find_entry() returns NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix mempool alloc size\n\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\n\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\n\nWhile unlikely to occur (you'd need a 4MB in exactly 127 phys segments\non a queue that doesn't support SGLs), this memory corruption has been\nobserved by kfence.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: camss: Clean up received buffers on failed start of streaming\n\nIt is required to return the received buffers, if streaming can not be\nstarted. For instance media_pipeline_start() may fail with EPIPE, if\na link validation between entities is not passed, and in such a case\na user gets a kernel warning:\n\n  WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160\n  <snip>\n  Call trace:\n   vb2_start_streaming+0xec/0x160\n   vb2_core_streamon+0x9c/0x1a0\n   vb2_ioctl_streamon+0x68/0xbc\n   v4l_streamon+0x30/0x3c\n   __video_do_ioctl+0x184/0x3e0\n   video_usercopy+0x37c/0x7b0\n   video_ioctl2+0x24/0x40\n   v4l2_ioctl+0x4c/0x70\n\nThe fix is to correct the error path in video_start_streaming() of camss.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vt6655: fix potential memory leak\n\nIn function device_init_td0_ring, memory is allocated for member\ntd_info of priv->apTD0Rings[i], with i increasing from 0. In case of\nallocation failure, the memory is freed in reversed order, with i\ndecreasing to 0. However, the case i=0 is left out and thus memory is\nleaked.\n\nModify the memory freeing loop to include the case i=0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov5648: Free V4L2 fwnode data on unbind\n\nThe V4L2 fwnode data structure doesn't get freed on unbind, which leads to\na memleak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()\n\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\n\nIf we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: Fix memory leak in xen_init_lock_cpu()\n\nIn xen_init_lock_cpu(), the @name has allocated new string by kasprintf(),\nif bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead\nto a memory leak issue, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()\n\nsyzbot reported UBSAN error as below:\n\n[   76.901829][ T6677] ================================================================================\n[   76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13\n[   76.905363][ T6677] shift exponent -247 is negative\n\nThis patch avoid this error.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/octeontx - prevent integer overflows\n\nThe \"code_length\" value comes from the firmware file.  If your firmware\nis untrusted realistically there is probably very little you can do to\nprotect yourself.  Still we try to limit the damage as much as possible.\nAlso Smatch marks any data read from the filesystem as untrusted and\nprints warnings if it not capped correctly.\n\nThe \"code_length * 2\" can overflow.  The round_up(ucode_size, 16) +\nsizeof() expression can overflow too.  Prevent these overflows.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6/sit: use DEV_STATS_INC() to avoid data-races\n\nsyzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error\nconcurrently.\n\nThis is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit()\nis not protected by a spinlock.\n\nWhile original KCSAN report was about tx path, rx path has the same issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: kexec: Fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xff2000000403d000 (size 4096):\n  comm \"kexec\", pid 146, jiffies 4294900633 (age 64.792s)\n  hex dump (first 32 bytes):\n    7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  .ELF............\n    04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe\n    [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560\n    [<00000000b4b3712a>] __vmalloc_node+0x56/0x62\n    [<00000000854f75e2>] vzalloc+0x2c/0x34\n    [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c\n    [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec\n    [<0000000036548e09>] kexec_image_load_default+0x40/0x4c\n    [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322\n    [<0000000040c62c03>] ret_from_syscall+0x0/0x2\n\nIn elf_kexec_load(), a buffer is allocated via vzalloc() to store elf\nheaders.  While it's not freed back to system when kdump kernel is\nreloaded or unloaded, or when image->elf_header is successfully set and\nthen fails to load kdump kernel for some reason. Fix it by freeing the\nbuffer in arch_kimage_file_post_load_cleanup().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer\n\nsyzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for\ncommit bc877d285ca3dba2 (\"btrfs: Deduplicate extent_buffer init code\")\nmissed that btrfs_set_header_generation() in btrfs_init_new_buffer() must\nnot be moved to after clean_tree_block() because clean_tree_block() is\ncalling btrfs_header_generation() since commit 55c69072d6bd5be1 (\"Btrfs:\nFix extent_buffer usage when nodesize != leafsize\").\n\nSince memzero_extent_buffer() will reset \"struct btrfs_header\" part, we\ncan't move btrfs_set_header_generation() to before memzero_extent_buffer().\nJust re-add btrfs_set_header_generation() before btrfs_clean_tree_block().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: Fix several use-after-free bugs\n\nSeveral types of UAFs can occur when physically removing a USB device.\n\nAdds ufx_ops_destroy() function to .fb_destroy of fb_ops, and\nin this function, there is kref_put() that finally calls ufx_free().\n\nThis fix prevents multiple UAFs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Correct device removal for multi-actuator devices\n\nCorrect device count for multi-actuator drives which can cause kernel\npanics.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mxcmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix memory leak in ocfs2_mount_volume()\n\nThere is a memory leak reported by kmemleak:\n\n  unreferenced object 0xffff88810cc65e60 (size 32):\n    comm \"mount.ocfs2\", pid 23753, jiffies 4302528942 (age 34735.105s)\n    hex dump (first 32 bytes):\n      10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01  ................\n      01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<ffffffff8170f73d>] __kmalloc+0x4d/0x150\n      [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]\n      [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2]\n      [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]\n      [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]\n      [<ffffffff818e1fe2>] mount_bdev+0x312/0x400\n      [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0\n      [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230\n      [<ffffffff81957f92>] path_mount+0xd62/0x1760\n      [<ffffffff81958a5a>] do_mount+0xca/0xe0\n      [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0\n      [<ffffffff82f26f15>] do_syscall_64+0x35/0x80\n      [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis call stack is related to two problems.  Firstly, the ocfs2 super uses\n\"replay_map\" to trace online/offline slots, in order to recover offline\nslots during recovery and mount.  But when ocfs2_truncate_log_init()\nreturns an error in ocfs2_mount_volume(), the memory of \"replay_map\" will\nnot be freed in error handling path.  Secondly, the memory of \"replay_map\"\nwill not be freed if d_make_root() returns an error in ocfs2_fill_super().\nBut the memory of \"replay_map\" will be freed normally when completing\nrecovery and mount in ocfs2_complete_mount_recovery().\n\nFix the first problem by adding error handling path to free \"replay_map\"\nwhen ocfs2_truncate_log_init() fails.  And fix the second problem by\ncalling ocfs2_free_replay_slots(osb) in the error handling path\n\"out_dismount\".  In addition, since ocfs2_free_replay_slots() is static,\nit is necessary to remove its static attribute and declare it in header\nfile.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()\n\nRunning rcutorture with non-zero fqs_duration module parameter in a\nkernel built with CONFIG_PREEMPTION=y results in the following splat:\n\nBUG: using __this_cpu_read() in preemptible [00000000]\ncode: rcu_torture_fqs/398\ncaller is __this_cpu_preempt_check+0x13/0x20\nCPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+\nCall Trace:\n<TASK>\ndump_stack_lvl+0x5b/0x86\ndump_stack+0x10/0x16\ncheck_preemption_disabled+0xe5/0xf0\n__this_cpu_preempt_check+0x13/0x20\nrcu_force_quiescent_state.part.0+0x1c/0x170\nrcu_force_quiescent_state+0x1e/0x30\nrcu_torture_fqs+0xca/0x160\n? rcu_torture_boost+0x430/0x430\nkthread+0x192/0x1d0\n? kthread_complete_and_exit+0x30/0x30\nret_from_fork+0x22/0x30\n</TASK>\n\nThe problem is that rcu_force_quiescent_state() uses __this_cpu_read()\nin preemptible code instead of the proper raw_cpu_read().  This commit\ntherefore changes __this_cpu_read() to raw_cpu_read().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix memory leak in nsim_bus_dev_new()\n\nIf device_register() failed in nsim_bus_dev_new(), the value of reference\nin nsim_bus_dev->dev is 1. obj->name in nsim_bus_dev->dev will not be\nreleased.\n\nunreferenced object 0xffff88810352c480 (size 16):\n  comm \"echo\", pid 5691, jiffies 4294945921 (age 133.270s)\n  hex dump (first 16 bytes):\n    6e 65 74 64 65 76 73 69 6d 31 00 00 00 00 00 00  netdevsim1......\n  backtrace:\n    [<000000005e2e5e26>] __kmalloc_node_track_caller+0x3a/0xb0\n    [<0000000094ca4fc8>] kvasprintf+0xc3/0x160\n    [<00000000aad09bcc>] kvasprintf_const+0x55/0x180\n    [<000000009bac868d>] kobject_set_name_vargs+0x56/0x150\n    [<000000007c1a5d70>] dev_set_name+0xbb/0xf0\n    [<00000000ad0d126b>] device_add+0x1f8/0x1cb0\n    [<00000000c222ae24>] new_device_store+0x3b6/0x5e0\n    [<0000000043593421>] bus_attr_store+0x72/0xa0\n    [<00000000cbb1833a>] sysfs_kf_write+0x106/0x160\n    [<00000000d0dedb8a>] kernfs_fop_write_iter+0x3a8/0x5a0\n    [<00000000770b66e2>] vfs_write+0x8f0/0xc80\n    [<0000000078bb39be>] ksys_write+0x106/0x210\n    [<00000000005e55a4>] do_syscall_64+0x35/0x80\n    [<00000000eaa40bbc>] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt\n\nI got a null-ptr-defer error report when I do the following tests\non the qemu platform:\n\nmake defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,\nCONFIG_SND_MTS64=m\n\nThen making test scripts:\ncat>test_mod1.sh<<EOF\nmodprobe snd-mts64\nmodprobe snd-mts64\nEOF\n\nExecuting the script, perhaps several times, we will get a null-ptr-defer\nreport, as follow:\n\nsyzkaller:~# ./test_mod.sh\nsnd_mts64: probe of snd_mts64.0 failed with error -5\nmodprobe: ERROR: could not insert 'snd_mts64': No such device\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6\n Call Trace:\n  <IRQ>\n  snd_mts64_interrupt+0x24/0xa0 [snd_mts64]\n  parport_irq_handler+0x37/0x50 [parport]\n  __handle_irq_event_percpu+0x39/0x190\n  handle_irq_event_percpu+0xa/0x30\n  handle_irq_event+0x2f/0x50\n  handle_edge_irq+0x99/0x1b0\n  __common_interrupt+0x5d/0x100\n  common_interrupt+0xa0/0xc0\n  </IRQ>\n  <TASK>\n  asm_common_interrupt+0x22/0x40\n RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30\n  parport_claim+0xbd/0x230 [parport]\n  snd_mts64_probe+0x14a/0x465 [snd_mts64]\n  platform_probe+0x3f/0xa0\n  really_probe+0x129/0x2c0\n  __driver_probe_device+0x6d/0xc0\n  driver_probe_device+0x1a/0xa0\n  __device_attach_driver+0x7a/0xb0\n  bus_for_each_drv+0x62/0xb0\n  __device_attach+0xe4/0x180\n  bus_probe_device+0x82/0xa0\n  device_add+0x550/0x920\n  platform_device_add+0x106/0x220\n  snd_mts64_attach+0x2e/0x80 [snd_mts64]\n  port_check+0x14/0x20 [parport]\n  bus_for_each_dev+0x6e/0xc0\n  __parport_register_driver+0x7c/0xb0 [parport]\n  snd_mts64_module_init+0x31/0x1000 [snd_mts64]\n  do_one_initcall+0x3c/0x1f0\n  do_init_module+0x46/0x1c6\n  load_module+0x1d8d/0x1e10\n  __do_sys_finit_module+0xa2/0xf0\n  do_syscall_64+0x37/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n Rebooting in 1 seconds..\n\nThe mts was not initialized during interrupt, we add check for\nmts to fix this bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix DMA transfer direction\n\nWhen CONFIG_DMA_API_DEBUG is selected, while running the crypto self\ntest on the QAT crypto algorithms, the function add_dma_entry() reports\na warning similar to the one below, saying that overlapping mappings\nare not supported. This occurs in tests where the input and the output\nscatter list point to the same buffers (i.e. two different scatter lists\nwhich point to the same chunks of memory).\n\nThe logic that implements the mapping uses the flag DMA_BIDIRECTIONAL\nfor both the input and the output scatter lists which leads to\noverlapped write mappings. These are not supported by the DMA layer.\n\nFix by specifying the correct DMA transfer directions when mapping\nbuffers. For in-place operations where the input scatter list\nmatches the output scatter list, buffers are mapped once with\nDMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag\nDMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE.\nOverlapping a read mapping with a write mapping is a valid case in\ndma-coherent devices like QAT.\nThe function that frees and unmaps the buffers, qat_alg_free_bufl()\nhas been changed accordingly to the changes to the mapping function.\n\n   DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported\n   WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270\n   ...\n   Call Trace:\n   dma_map_page_attrs+0x82/0x2d0\n   ? preempt_count_add+0x6a/0xa0\n   qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat]\n   qat_alg_aead_dec+0x71/0x250 [intel_qat]\n   crypto_aead_decrypt+0x3d/0x70\n   test_aead_vec_cfg+0x649/0x810\n   ? number+0x310/0x3a0\n   ? vsnprintf+0x2a3/0x550\n   ? scnprintf+0x42/0x70\n   ? valid_sg_divisions.constprop.0+0x86/0xa0\n   ? test_aead_vec+0xdf/0x120\n   test_aead_vec+0xdf/0x120\n   alg_test_aead+0x185/0x400\n   alg_test+0x3d8/0x500\n   ? crypto_acomp_scomp_free_ctx+0x30/0x30\n   ? __schedule+0x32a/0x12a0\n   ? ttwu_queue_wakelist+0xbf/0x110\n   ? _raw_spin_unlock_irqrestore+0x23/0x40\n   ? try_to_wake_up+0x83/0x570\n   ? _raw_spin_unlock_irqrestore+0x23/0x40\n   ? __set_cpus_allowed_ptr_locked+0xea/0x1b0\n   ? crypto_acomp_scomp_free_ctx+0x30/0x30\n   cryptomgr_test+0x27/0x50\n   kthread+0xe6/0x110\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix refcount leak in hns_roce_mmap\n\nrdma_user_mmap_entry_get_pgoff() takes the reference.\nAdd missing rdma_user_mmap_entry_put() to release the reference.\n\nAcked-by Haoyue Xu <xuhaoyue1@hisilicon.com>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: st: Fix memory leak in st_of_quadfs_setup()\n\nIf st_clk_register_quadfs_pll() fails, @lock should be freed before goto\n@err_exit, otherwise will cause memory leak issue, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe\n\nof_phy_find_device() return device node with refcount incremented.\nCall put_device() to release it when not needed anymore.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL\n\nWith CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe\na runtime panic while running Android's Compatibility Test Suite's (CTS)\nandroid.hardware.input.cts.tests. This is stemming from a strlen()\ncall in hidinput_allocate().\n\n__compiletime_strlen() is implemented in terms of __builtin_object_size(),\nthen does an array access to check for NUL-termination. A quirk of\n__builtin_object_size() is that for strings whose values are runtime\ndependent, __builtin_object_size(str, 1 or 0) returns the maximum size\nof possible values when those sizes are determinable at compile time.\nExample:\n\n  static const char *v = \"FOO BAR\";\n  static const char *y = \"FOO BA\";\n  unsigned long x (int z) {\n      // Returns 8, which is:\n      // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))\n      return __builtin_object_size(z ? v : y, 1);\n  }\n\nSo when FORTIFY_SOURCE is enabled, the current implementation of\n__compiletime_strlen() will try to access beyond the end of y at runtime\nusing the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.\n\nhidinput_allocate() has a local C string whose value is control flow\ndependent on a switch statement, so __builtin_object_size(str, 1)\nevaluates to the maximum string length, making all other cases fault on\nthe last character check. hidinput_allocate() could be cleaned up to\navoid runtime calls to strlen() since the local variable can only have\nliteral values, so there's no benefit to trying to fortify the strlen\ncall site there.\n\nPerform a __builtin_constant_p() check against index 0 earlier in the\nmacro to filter out the control-flow-dependant case. Add a KUnit test\nfor checking the expected behavioral characteristics of FORTIFY_SOURCE\ninternals.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()\n\nWhen inserting and removing the orangefs module, debug_help_string will\nbe leaked:\n\n  unreferenced object 0xffff8881652ba000 (size 4096):\n    comm \"insmod\", pid 1701, jiffies 4294893639 (age 13218.530s)\n    hex dump (first 32 bytes):\n      43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79  Client Debug Key\n      77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77  words are unknow\n    backtrace:\n      [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0\n      [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]\n      [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]\n      [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0\n      [<000000001d0614ae>] do_init_module+0xdf/0x320\n      [<00000000efef068c>] load_module+0x2f98/0x3330\n      [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0\n      [<00000000a0da6f99>] do_syscall_64+0x35/0x80\n      [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nWhen removing the module, always free debug_help_string. Always\nfree the allocated buffer when changing free_debug_help_string.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed\n\nWhen the ops_init() interface is invoked to initialize the net, but\nops->init() fails, data is released. However, the ptr pointer in\nnet->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked\nto release the net, invalid address access occurs.\n\nThe process is as follows:\nsetup_net()\n\tops_init()\n\t\tdata = kzalloc(...)   ---> alloc \"data\"\n\t\tnet_assign_generic()  ---> assign \"data\" to ptr in net->gen\n\t\t...\n\t\tops->init()           ---> failed\n\t\t...\n\t\tkfree(data);          ---> ptr in net->gen is invalid\n\t...\n\tops_exit_list()\n\t\t...\n\t\tnfqnl_nf_hook_drop()\n\t\t\t*q = nfnl_queue_pernet(net) ---> q is invalid\n\nThe following is the Call Trace information:\nBUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280\nRead of size 8 at addr ffff88810396b240 by task ip/15855\nCall Trace:\n<TASK>\ndump_stack_lvl+0x8e/0xd1\nprint_report+0x155/0x454\nkasan_report+0xba/0x1f0\nnfqnl_nf_hook_drop+0x264/0x280\nnf_queue_nf_hook_drop+0x8b/0x1b0\n__nf_unregister_net_hook+0x1ae/0x5a0\nnf_unregister_net_hooks+0xde/0x130\nops_exit_list+0xb0/0x170\nsetup_net+0x7ac/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nAllocated by task 15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0xa1/0xb0\n__kmalloc+0x49/0xb0\nops_init+0xe7/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 15855:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x40\n____kasan_slab_free+0x155/0x1b0\nslab_free_freelist_hook+0x11b/0x220\n__kmem_cache_free+0xa4/0x360\nops_init+0xb9/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()\n\nIn the PP_OD_EDIT_VDDC_CURVE case the \"input_index\" variable is capped at\n2 but not checked for negative values so it results in an out of bounds\nread.  This value comes from the user via sysfs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad quota inode\n\nWe got an issue as follows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:202!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ext4_es_cache_extent+0xe2/0x210\n  ext4_cache_extents+0xd2/0x110\n  ext4_find_extent+0x5d5/0x8c0\n  ext4_ext_map_blocks+0x9c/0x1d30\n  ext4_map_blocks+0x431/0xa50\n  ext4_getblk+0x82/0x340\n  ext4_bread+0x14/0x110\n  ext4_quota_read+0xf0/0x180\n  v2_read_header+0x24/0x90\n  v2_check_quota_file+0x2f/0xa0\n  dquot_load_quota_sb+0x26c/0x760\n  dquot_load_quota_inode+0xa5/0x190\n  ext4_enable_quotas+0x14c/0x300\n  __ext4_fill_super+0x31cc/0x32c0\n  ext4_fill_super+0x115/0x2d0\n  get_tree_bdev+0x1d2/0x360\n  ext4_get_tree+0x19/0x30\n  vfs_get_tree+0x26/0xe0\n  path_mount+0x81d/0xfc0\n  do_mount+0x8d/0xc0\n  __x64_sys_mount+0xc0/0x160\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  </TASK>\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n  ext4_enable_quotas\n   ext4_quota_enable\n    ext4_iget --> get error inode <5>\n     ext4_ext_check_inode --> Wrong imode makes it escape inspection\n     make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode\n    dquot_load_quota_inode\n     vfs_setup_quota_inode --> check pass\n     dquot_load_quota_sb\n      v2_check_quota_file\n       v2_read_header\n        ext4_quota_read\n         ext4_bread\n          ext4_getblk\n           ext4_map_blocks\n            ext4_ext_map_blocks\n             ext4_find_extent\n              ext4_cache_extents\n               ext4_es_cache_extent\n                __es_tree_search.isra.0\n                 ext4_es_end --> Wrong extents trigger BUG_ON\n\nIn the above issue, s_usr_quota_inum is set to 5, but inode<5> contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use proper req destructor for IPv6\n\nBefore, only the destructor from TCP request sock in IPv4 was called\neven if the subflow was IPv6.\n\nIt is important to use the right destructor to avoid memory leaks with\nsome advanced IPv6 features, e.g. when the request socks contain\nspecific IPv6 options.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mei: fix potential NULL-ptr deref after clone\n\nIf cloning the SKB fails, don't try to use it, but rather return\nas if we should pass it.\n\nCoverity CID: 1503456",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsi: occ: Prevent use after free\n\nUse get_device and put_device in the open and close functions to\nmake sure the device doesn't get freed while a file descriptor is\nopen.\nAlso, lock around the freeing of the device buffer and check the\nbuffer before using it in the submit function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: s5p-mfc: Clear workbit to handle error condition\n\nDuring error on CLOSE_INSTANCE command, ctx_work_bits was not getting\ncleared. During consequent mfc execution NULL pointer dereferencing of\nthis context led to kernel panic. This patch fixes this issue by making\nsure to clear ctx_work_bits always.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: dbc: Fix memory leak in xhci_alloc_dbc()\n\nIf DbC is already in use, then the allocated memory for the xhci_dbc struct\ndoesn't get freed before returning NULL, which leads to a memleak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: devices: fix missing put_device in mport_cdev_open\n\nWhen kfifo_alloc fails, the refcount of chdev->dev is left incremented.\nWe should use put_device(&chdev->dev) to decrease the ref count of\nchdev->dev to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails\n\nOtherwise, meta buffers could be leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsecurity: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6\n\nA bad bug in clang's implementation of -fzero-call-used-regs can result\nin NULL pointer dereferences (see the links above the check for more\ninformation). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a\nsupported GCC version or a clang newer than 15.0.6, which will catch\nboth a theoretical 15.0.7 and the upcoming 16.0.0, which will both have\nthe bug fixed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: mcb: fix resource leak in mcb_probe()\n\nWhen the probe hook function fails in mcb_probe(), it doesn't put the device.\nCompiled test only.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr\n\nKASAN reported this Bug:\n\n\t[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60\n\t[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958\n\t...\n\t[17619.698934] The buggy address belongs to the variable:\n\t[17619.708371]  sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]\n\nThere is a mismatch in hisi_zip when getting/setting the variable sgl_sge_nr.\nThe type of sgl_sge_nr is u16, but sgl_sge_nr is got/set by\nparam_get/set_int.\n\nReplacing param_get/set_int with param_get/set_ushort fixes this bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next2: Add sanity checks for group and filesystem size\n\nAdd sanity check that filesystem size does not exceed the underlying\ndevice size and that group size is big enough so that metadata can fit\ninto it. This avoids trying to mount some crafted filesystems with\nextremely large group counts.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ensure sane device mtu in tunnels\n\nAnother syzbot report [1] with no reproducer hints\nat a bug in ip6_gre tunnel (dev:ip6gretap0)\n\nSince ipv6 mcast code makes sure to read dev->mtu once\nand applies a sanity check on it (see commit b9b312a7a451\n\"ipv6: mcast: better catch silly mtu values\"), a remaining\npossibility is that a layer is able to set dev->mtu to\nan underflowed value (high order bit set).\n\nThis could happen indeed in ip6gre_tnl_link_config_route(),\nip6_tnl_link_config() and ipip6_tunnel_bind_dev()\n\nMake sure to sanitize mtu value in a local variable before\nit is written once on dev->mtu, as lockless readers could\ncatch wrong temporary value.\n\n[1]\nskbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:120\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022\nWorkqueue: mld mld_ifc_work\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nlr : skb_panic+0x4c/0x50 net/core/skbuff.c:116\nsp : ffff800020dd3b60\nx29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800\nx26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200\nx23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38\nx20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9\nx17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80\nx14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80\nx11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00\nx8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000\nx5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\nskb_panic+0x4c/0x50 net/core/skbuff.c:116\nskb_over_panic net/core/skbuff.c:125 [inline]\nskb_put+0xd4/0xdc net/core/skbuff.c:2049\nip6_mc_hdr net/ipv6/mcast.c:1714 [inline]\nmld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765\nadd_grhead net/ipv6/mcast.c:1851 [inline]\nadd_grec+0xa20/0xae0 net/ipv6/mcast.c:1989\nmld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115\nmld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653\nprocess_one_work+0x2d8/0x504 kernel/workqueue.c:2289\nworker_thread+0x340/0x610 kernel/workqueue.c:2436\nkthread+0x12c/0x158 kernel/kthread.c:376\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nCode: 91011400 aa0803e1 a90027ea 94373093 (d4210000)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: avoid possible NULL deref in skb_clone()\n\nsyzbot got a crash [1] in skb_clone(), caused by a bug\nin hsr_get_untagged_frame().\n\nWhen/if create_stripped_skb_hsr() returns NULL, we must\nnot attempt to call skb_clone().\n\nWhile we are at it, replace a WARN_ONCE() by netdev_warn_once().\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nRIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641\nCode: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00\nRSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207\n\nRAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000\nRDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140\nR10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640\nR13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620\nFS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nhsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164\nhsr_forward_do net/hsr/hsr_forward.c:461 [inline]\nhsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623\nhsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69\n__netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379\n__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483\n__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599\nnetif_receive_skb_internal net/core/dev.c:5685 [inline]\nnetif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744\ntun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544\ntun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995\ntun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x9e9/0xdd0 fs/read_write.c:584\nksys_write+0x127/0x250 fs/read_write.c:637\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix running_req for internal abort commands\n\nDisabling the remote phy for a SATA disk causes a hang:\n\nroot@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols\nsata\nroot@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable\nroot@(none)$ [   67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed\n[   67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache\n[   67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK\n[   67.935094] sd 0:0:2:0: [sdc] Stopping disk\n[   67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK\n...\n[  123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.\n[  124.005960]   Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218\n[  124.012049] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  124.019872] task:kworker/u192:1  state:D stack:0 pid:  642 ppid: 2 flags:0x00000008\n[  124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker\n[  124.034319] Call trace:\n[  124.036758]  __switch_to+0x128/0x278\n[  124.040333]  __schedule+0x434/0xa58\n[  124.043820]  schedule+0x94/0x138\n[  124.047045]  schedule_timeout+0x2fc/0x368\n[  124.051052]  wait_for_completion+0xdc/0x200\n[  124.055234]  __flush_workqueue+0x1a8/0x708\n[  124.059328]  sas_porte_broadcast_rcvd+0xa8/0xc0\n[  124.063858]  sas_port_event_worker+0x60/0x98\n[  124.068126]  process_one_work+0x3f8/0x660\n[  124.072134]  worker_thread+0x70/0x700\n[  124.075793]  kthread+0x1a4/0x1b8\n[  124.079014]  ret_from_fork+0x10/0x20\n\nThe issue is that the per-device running_req read in\npm8001_dev_gone_notify() never goes to zero and we never make progress.\nThis is caused by missing accounting for running_req for when an internal\nabort command completes.\n\nIn commit 2cbbf489778e (\"scsi: pm8001: Use libsas internal abort support\")\nwe started to send internal abort commands as a proper sas_task. In this,\nwhen we deliver a sas_task to HW the per-device running_req is incremented\nin pm8001_queue_command(). However it is never decremented for internal\nabort commands, so decrement in pm8001_mpi_task_abort_resp().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: Set ubuf->sg = NULL if the creation of sg table fails\n\nWhen userspace tries to map the dmabuf and if for some reason\n(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be\nset to NULL. Otherwise, when the userspace subsequently closes the\ndmabuf fd, we'd try to erroneously free the invalid sg table from\nrelease_udmabuf resulting in the following crash reported by syzbot:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 3609 Comm: syz-executor487 Not tainted\n5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 07/22/2022\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\nCode: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c\n8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14\n02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2\nRSP: 0018:ffffc900037efd30 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000\nRBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000\nR13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000\nFS:  0000555555fc4300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78\n __dentry_kill+0x42b/0x640 fs/dcache.c:612\n dentry_kill fs/dcache.c:733 [inline]\n dput+0x806/0xdb0 fs/dcache.c:913\n __fput+0x39c/0x9d0 fs/file_table.c:333\n task_work_run+0xdd/0x1a0 kernel/task_work.c:177\n ptrace_notify+0x114/0x140 kernel/signal.c:2353\n ptrace_report_syscall include/linux/ptrace.h:420 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]\n syscall_exit_work kernel/entry/common.c:249 [inline]\n syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276\n __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]\n syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fc1c0c35b6b\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24\n0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00\nf0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b\nRDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006\nRBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c\nR13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init()\n\ndmc620_pmu_init() won't remove the callback added by\ncpuhp_setup_state_multi() when platform_driver_register() failed. Remove\nthe callback by cpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Release MR restrack when delete\n\nThe MR restrack also needs to be released when delete it, otherwise it\ncause memory leak as the task struct won't be released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: Fix refcount leak in tegra114_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak\n\nIn check_acpi_tpm2(), we get the TPM2 table just to make\nsure the table is there, not used after the init, so the\nacpi_put_table() should be added to release the ACPI memory.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe()\n\nI got the following report while doing fault injection test:\n\n  OF: ERROR: memory leak, expected refcount 1 instead of 4,\n  of_node_get()/of_node_put() unbalanced - destroy cset entry:\n  attach overlay node /i2c/tcpc@60/connector\n\nIf wusb3801_hw_init() fails, fwnode_handle_put() needs be called to\navoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\n\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\nwith a subdev state of NULL leads to a NULL pointer dereference. This\ncan currently happen in imgu_subdev_set_selection() when the state\npassed in is NULL, as this method first gets pointers to both the \"try\"\nand \"active\" states and only then decides which to use.\n\nThe same issue has been addressed for imgu_subdev_get_selection() with\ncommit 30d03a0de650 (\"ipu3-imgu: Fix NULL pointer dereference in active\nselection access\"). However the issue still persists in\nimgu_subdev_set_selection().\n\nTherefore, apply a similar fix as done in the aforementioned commit to\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\nhelper functions for \"crop\" and \"compose\" access and use them in both\nimgu_subdev_set_selection() and imgu_subdev_get_selection().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix memory leak in lpfc_create_port()\n\nCommit 5e633302ace1 (\"scsi: lpfc: vmid: Add support for VMID in mailbox\ncommand\") introduced allocations for the VMID resources in\nlpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the\nVMID allocations, the new code would branch to the 'out' label, which\nreturns NULL without unwinding anything, thus skipping the call to\nscsi_host_put().\n\nFix the problem by creating a separate label 'out_free_vmid' to unwind the\nVMID resources and make the 'out_put_shost' label call only\nscsi_host_put(), as was done before the introduction of allocations for\nVMID.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynqmp: Fix stack-out-of-bounds in strncpy`\n\n\"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\"\n\nLinux-ATF interface is using 16 bytes of SMC payload. In case clock name is\nlonger than 15 bytes, string terminated NULL character will not be received\nby Linux. Add explicit NULL character at last byte to fix issues when clock\nname is longer.\n\nThis fixes below bug reported by KASAN:\n\n ==================================================================\n BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\n Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1\n\n CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3\n Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)\n Call trace:\n  dump_backtrace+0x0/0x1e8\n  show_stack+0x14/0x20\n  dump_stack+0xd4/0x108\n  print_address_description.isra.0+0xbc/0x37c\n  __kasan_report+0x144/0x198\n  kasan_report+0xc/0x18\n  __asan_load1+0x5c/0x68\n  strncpy+0x30/0x68\n  zynqmp_clock_probe+0x238/0x7b8\n  platform_drv_probe+0x6c/0xc8\n  really_probe+0x14c/0x418\n  driver_probe_device+0x74/0x130\n  __device_attach_driver+0xc4/0xe8\n  bus_for_each_drv+0xec/0x150\n  __device_attach+0x160/0x1d8\n  device_initial_probe+0x10/0x18\n  bus_probe_device+0xe0/0xf0\n  device_add+0x528/0x950\n  of_device_add+0x5c/0x80\n  of_platform_device_create_pdata+0x120/0x168\n  of_platform_bus_create+0x244/0x4e0\n  of_platform_populate+0x50/0xe8\n  zynqmp_firmware_probe+0x370/0x3a8\n  platform_drv_probe+0x6c/0xc8\n  really_probe+0x14c/0x418\n  driver_probe_device+0x74/0x130\n  device_driver_attach+0x94/0xa0\n  __driver_attach+0x70/0x108\n  bus_for_each_dev+0xe4/0x158\n  driver_attach+0x30/0x40\n  bus_add_driver+0x21c/0x2b8\n  driver_register+0xbc/0x1d0\n  __platform_driver_register+0x7c/0x88\n  zynqmp_firmware_driver_init+0x1c/0x24\n  do_one_initcall+0xa4/0x234\n  kernel_init_freeable+0x1b0/0x24c\n  kernel_init+0x10/0x110\n  ret_from_fork+0x10/0x18\n\n The buggy address belongs to the page:\n page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0\n raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff\n page dumped because: kasan: bad access detected\n\n addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:\n  zynqmp_clock_probe+0x0/0x7b8\n\n this frame has 3 objects:\n  [32, 44) 'response'\n  [64, 80) 'ret_payload'\n  [96, 112) 'name'\n\n Memory state around the buggy address:\n  ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2\n >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n                          ^\n  ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()\n\nIt is possible that skb is freed in ath9k_htc_rx_msg(), then\nusb_submit_urb() fails and we try to free skb again. It causes\nuse-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes\nNULL but rx_buf is not freed and there can be a memory leak.\n\nThe patch removes unnecessary nskb and makes skb processing more clear: it\nis supposed that ath9k_htc_rx_msg() either frees old skb or passes its\nmanaging to another callback function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: hd44780: Fix potential memory leak in hd44780_remove()\n\nhd44780_probe() allocates a memory chunk for hd with kzalloc() and\nmakes \"lcd->drvdata->hd44780\" point to it. When we call hd44780_remove(),\nwe should release all relevant memory and resource. But \"lcd->drvdata\n->hd44780\" is not released, which will lead to a memory leak.\n\nWe should release the \"lcd->drvdata->hd44780\" in hd44780_remove() to fix\nthe memory leak bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix potential memory leak in wilc_mac_xmit()\n\nThe wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add\ndev_kfree_skb() to fix it. Compile tested only.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works\n\nsyzbot is reporting attempt to schedule hdev->cmd_work work from system_wq\nWQ into hdev->workqueue WQ which is under draining operation [1], for\ncommit c8efcc2589464ac7 (\"workqueue: allow chained queueing during\ndestruction\") does not allow such operation.\n\nThe check introduced by commit 877afadad2dce8aa (\"Bluetooth: When HCI work\nqueue is drained, only queue chained work\") was incomplete.\n\nUse hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because\nhci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect\nthe queuing operation with RCU read lock in order to avoid calling\nqueue_delayed_work() after cancel_delayed_work() completed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: Fix potential resource leaks\n\nnfc_get_device() take reference for the device, add missing\nnfc_put_device() to release it when not need anymore.\nAlso fix the style warnning by use error EOPNOTSUPP instead of\nENOTSUPP.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: add miss release buffer head in fc_do_one_pass()\n\nIn fc_do_one_pass() miss release buffer head after use which will lead\nto reference count leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()\n\nThe kfree() should be called when of_irq_get_byname() fails or\ndevm_request_threaded_irq() fails in qcom_add_sysmon_subdev(),\notherwise there will be a memory leak, so add kfree() to fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path\n\nIf dsa_tag_8021q_setup() fails, for example due to the inability of the\ndevice to install a VLAN, the tag_8021q context of the switch will leak.\nMake sure it is freed on the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stream: purge sk_error_queue in sk_stream_kill_queues()\n\nChangheon Lee reported TCP socket leaks, with a nice repro.\n\nIt seems we leak TCP sockets with the following sequence:\n\n1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.\n\n   Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().\n   __skb_tstamp_tx() is using skb_clone(), unless\n   SOF_TIMESTAMPING_OPT_TSONLY was also requested.\n\n2) If the application is also using MSG_ZEROCOPY, then we put in the\n   error queue cloned skbs that had a struct ubuf_info attached to them.\n\n   Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc()\n   does a sock_hold().\n\n   As long as the cloned skbs are still in sk_error_queue,\n   socket refcount is kept elevated.\n\n3) Application closes the socket, while error queue is not empty.\n\nSince tcp_close() no longer purges the socket error queue,\nwe might end up with a TCP socket with at least one skb in\nerror queue keeping the socket alive forever.\n\nThis bug can be (ab)used to consume all kernel memory\nand freeze the host.\n\nWe need to purge the error queue, with proper synchronization\nagainst concurrent writers.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix potential buffer head reference count leak\n\nAs in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without\nupdate 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head\nfrom \u2018j_fc_off - 1\u2019 if 'bh' is NULL will terminal release which will lead to\nbuffer head buffer head reference count leak.\nTo solve above issue, update 'journal->j_fc_off' before return -EIO.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix possible UAF in snic_tgt_create()\n\nSmatch reports a warning as follows:\n\ndrivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:\n  '&tgt->list' not removed from list\n\nIf device_add() fails in snic_tgt_create(), tgt will be freed, but\ntgt->list will not be removed from snic->disc.tgt_list, then list traversal\nmay cause UAF.\n\nRemove from snic->disc.tgt_list before free().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add overflow check for attribute size\n\nThe offset addition could overflow and pass the used size check given an\nattribute with very large size (e.g., 0xffffff7f) while parsing MFT\nattributes. This could lead to out-of-bound memory R/W if we try to\naccess the next attribute derived by Add2Ptr(attr, asize)\n\n[   32.963847] BUG: unable to handle page fault for address: ffff956a83c76067\n[   32.964301] #PF: supervisor read access in kernel mode\n[   32.964526] #PF: error_code(0x0000) - not-present page\n[   32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0\n[   32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6\n[   32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   32.966628] RIP: 0010:mi_enum_attr+0x44/0x110\n[   32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\n[   32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\n[   32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\n[   32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\n[   32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\n[   32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\n[   32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\n[   32.970655] FS:  00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000\n[   32.971098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0\n[   32.972098] Call Trace:\n[   32.972842]  <TASK>\n[   32.973341]  ni_enum_attr_ex+0xda/0xf0\n[   32.974087]  ntfs_iget5+0x1db/0xde0\n[   32.974386]  ? slab_post_alloc_hook+0x53/0x270\n[   32.974778]  ? ntfs_fill_super+0x4c7/0x12a0\n[   32.975115]  ntfs_fill_super+0x5d6/0x12a0\n[   32.975336]  get_tree_bdev+0x175/0x270\n[   32.975709]  ? put_ntfs+0x150/0x150\n[   32.975956]  ntfs_fs_get_tree+0x15/0x20\n[   32.976191]  vfs_get_tree+0x2a/0xc0\n[   32.976374]  ? capable+0x19/0x20\n[   32.976572]  path_mount+0x484/0xaa0\n[   32.977025]  ? putname+0x57/0x70\n[   32.977380]  do_mount+0x80/0xa0\n[   32.977555]  __x64_sys_mount+0x8b/0xe0\n[   32.978105]  do_syscall_64+0x3b/0x90\n[   32.978830]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[   32.979311] RIP: 0033:0x7fdab72e948a\n[   32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[   32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5\n[   32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a\n[   32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0\n[   32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020\n[   32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0\n[   32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff\n[   32.984094]  </TASK>\n[   32.984352] Modules linked in:\n[   32.984753] CR2: ffff956a83c76067\n[   32.985911] ---[ end trace 0000000000000000 ]---\n[   32.986555] RIP: 0010:mi_enum_attr+0x44/0x110\n[   32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a\n[   32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283\n[   32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f\n[   32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8\n[   32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f\n[   32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000\n[   32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170\n[   32.991011] FS:  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Check whether transferred 2D BO is shmem\n\nTransferred 2D BO always must be a shmem BO. Add check for that to prevent\nNULL dereference if userspace passes a VRAM BO.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm clone: Fix UAF in clone_dtr()\n\nDm_clone also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in clone_dtr().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n  drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]\n          .odn_edit_dpm_table      = smu_od_edit_dpm_table,\n                                     ^~~~~~~~~~~~~~~~~~~~~\n  1 error generated.\n\nThere are only two implementations of ->odn_edit_dpm_table() in 'struct\namd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One\nhas a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the\nother uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls\n->od_edit_dpm_table() from 'struct pptable_funcs' and\npp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct\npp_hwmgr_func', which both have a second parameter type of 'enum\nPP_OD_DPM_TABLE_COMMAND'.\n\nUpdate the type parameter in both the prototype in 'struct amd_pm_funcs'\nand pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which\ncleans up the warning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix inode leak in ext4_xattr_inode_create() on an error path\n\nThere is issue as follows when do setxattr with inject fault:\n\n[localhost]# fsck.ext4  -fn  /dev/sda\ne2fsck 1.46.6-rc1 (12-Sep-2022)\nPass 1: Checking inodes, blocks, and sizes\nPass 2: Checking directory structure\nPass 3: Checking directory connectivity\nPass 4: Checking reference counts\nUnattached zero-length inode 15.  Clear? no\n\nUnattached inode 15\nConnect to /lost+found? no\n\nPass 5: Checking group summary information\n\n/dev/sda: ********** WARNING: Filesystem still has errors **********\n\n/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks\n\nThis occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()'\nfails, dropping i_nlink of the inode is needed. Or will lead to inode leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: via-sdmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n   delete device, but it's not added yet, it will lead a kernel\n   crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path which\nwill call mmc_free_host().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe\n\nDuring device boot, the HPD interrupt could be triggered before the DRM\nsubsystem registers it6505 as a DRM bridge. In such cases, the driver\ntries to access AUX channel and causes NULL pointer dereference.\nInitializing the AUX channel earlier to prevent such error.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: dio: fix possible memory leak in dio_init()\n\nIf device_register() returns error, the 'dev' and name needs be\nfreed. Add a release function, and then call put_device() in the\nerror path, so the name is freed in kobject_cleanup() and to the\n'dev' is freed in release function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: Avoid kcore oops by vmap()ing with VM_IOREMAP\n\nAn oops can be induced by running 'cat /proc/kcore > /dev/null' on\ndevices using pstore with the ram backend because kmap_atomic() assumes\nlowmem pages are accessible with __va().\n\n Unable to handle kernel paging request at virtual address ffffff807ff2b000\n Mem abort info:\n ESR = 0x96000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000\n [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#1] PREEMPT SMP\n Modules linked in: dm_integrity\n CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba\n Hardware name: Google Lazor (rev3 - 8) (DT)\n pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __memcpy+0x110/0x260\n lr : vread+0x194/0x294\n sp : ffffffc013ee39d0\n x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000\n x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000\n x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000\n x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60\n x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001\n x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b\n x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78\n x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000\n Call trace:\n __memcpy+0x110/0x260\n read_kcore+0x584/0x778\n proc_reg_read+0xb4/0xe4\n\nDuring early boot, memblock reserves the pages for the ramoops reserved\nmemory node in DT that would otherwise be part of the direct lowmem\nmapping. Pstore's ram backend reuses those reserved pages to change the\nmemory type (writeback or non-cached) by passing the pages to vmap()\n(see pfn_to_page() usage in persistent_ram_vmap() for more details) with\nspecific flags. When read_kcore() starts iterating over the vmalloc\nregion, it runs over the virtual address that vmap() returned for\nramoops. In aligned_vread() the virtual address is passed to\nvmalloc_to_page() which returns the page struct for the reserved lowmem\narea. That lowmem page is passed to kmap_atomic(), which effectively\ncalls page_to_virt() that assumes a lowmem page struct must be directly\naccessible with __va() and friends. These pages are mapped via vmap()\nthough, and the lowmem mapping was never made, so accessing them via the\nlowmem virtual address oopses like above.\n\nLet's side-step this problem by passing VM_IOREMAP to vmap(). This will\ntell vread() to not include the ramoops region in the kcore. Instead the\narea will look like a bunch of zeros. The alternative is to teach kmap()\nabout vmalloc areas that intersect with lowmem. Presumably such a change\nisn't a one-liner, and there isn't much interest in inspecting the\nramoops region in kcore files anyway, so the most expedient route is\ntaken for now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ipr: Fix WARNING in ipr_init()\n\nipr_init() will not call unregister_reboot_notifier() when\npci_register_driver() fails, which causes a WARNING. Call\nunregister_reboot_notifier() when pci_register_driver() fails.\n\nnotifier callback ipr_halt [ipr] already registered\nWARNING: CPU: 3 PID: 299 at kernel/notifier.c:29\nnotifier_chain_register+0x16d/0x230\nModules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore\nled_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm\ndrm_display_helper drm_kms_helper drm drm_panel_orientation_quirks\nagpgart cfbft\nCPU: 3 PID: 299 Comm: modprobe Tainted: G        W\n6.1.0-rc1-00190-g39508d23b672-dirty #332\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:notifier_chain_register+0x16d/0x230\nCall Trace:\n <TASK>\n __blocking_notifier_chain_register+0x73/0xb0\n ipr_init+0x30/0x1000 [ipr]\n do_one_initcall+0xdb/0x480\n do_init_module+0x1cf/0x680\n load_module+0x6a50/0x70a0\n __do_sys_finit_module+0x12f/0x1c0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_vdpa: fix the crash in unmap a large memory\n\nWhile testing in vIOMMU, sometimes Guest will unmap very large memory,\nwhich will cause the crash. To fix this, add a new function\nvhost_vdpa_general_unmap(). This function will only unmap the memory\nthat saved in iotlb.\n\nCall Trace:\n[  647.820144] ------------[ cut here ]------------\n[  647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174!\n[  647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62\n[  647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4\n[  647.824365] RIP: 0010:domain_unmap+0x48/0x110\n[  647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59\n[  647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202\n[  647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b\n[  647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540\n[  647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003\n[  647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff\n[  647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000\n[  647.834782] FS:  00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000\n[  647.836004] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0\n[  647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  647.840666] Call Trace:\n[  647.841437]  <TASK>\n[  647.842107]  intel_iommu_unmap_pages+0x93/0x140\n[  647.843112]  __iommu_unmap+0x91/0x1b0\n[  647.844003]  iommu_unmap+0x6a/0x95\n[  647.844885]  vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa]\n[  647.845985]  vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa]\n[  647.847235]  ? _raw_spin_unlock+0x15/0x30\n[  647.848181]  ? _copy_from_iter+0x8c/0x580\n[  647.849137]  vhost_chr_write_iter+0xb3/0x430 [vhost]\n[  647.850126]  vfs_write+0x1e4/0x3a0\n[  647.850897]  ksys_write+0x53/0xd0\n[  647.851688]  do_syscall_64+0x3a/0x90\n[  647.852508]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  647.853457] RIP: 0033:0x7f7734ef9f4f\n[  647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8\n[  647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[  647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f\n[  647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010\n[  647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000\n[  647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010\n[  647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000\n[  647.864692]  </TASK>\n[  647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v]\n[  647.874688] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix use after free in mt7921_acpi_read()\n\nDon't dereference \"sar_root\" after it has been freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a credential leak in _nfs4_discover_trunking()",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: virtual_ncidev: Fix memory leak in virtual_nci_send()\n\nskb should be free in virtual_nci_send(), otherwise kmemleak will report\nmemleak.\n\nSteps for reproduction (simulated in qemu):\n\tcd tools/testing/selftests/nci\n\tmake\n\t./nci_dev\n\nBUG: memory leak\nunreferenced object 0xffff888107588000 (size 208):\n  comm \"nci_dev\", pid 206, jiffies 4294945376 (age 368.248s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000008d94c8fd>] __alloc_skb+0x1da/0x290\n    [<00000000278bc7f8>] nci_send_cmd+0xa3/0x350\n    [<0000000081256a22>] nci_reset_req+0x6b/0xa0\n    [<000000009e721112>] __nci_request+0x90/0x250\n    [<000000005d556e59>] nci_dev_up+0x217/0x5b0\n    [<00000000e618ce62>] nfc_dev_up+0x114/0x220\n    [<00000000981e226b>] nfc_genl_dev_up+0x94/0xe0\n    [<000000009bb03517>] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0\n    [<00000000b7f8c101>] genl_rcv_msg+0x35c/0x640\n    [<00000000c94075ff>] netlink_rcv_skb+0x11e/0x350\n    [<00000000440cfb1e>] genl_rcv+0x24/0x40\n    [<0000000062593b40>] netlink_unicast+0x43f/0x640\n    [<000000001d0b13cc>] netlink_sendmsg+0x73a/0xbf0\n    [<000000003272487f>] __sys_sendto+0x324/0x370\n    [<00000000ef9f1747>] __x64_sys_sendto+0xdd/0x1b0\n    [<000000001e437841>] do_syscall_64+0x3f/0x90",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: prevent leak of lsm program after failed attach\n\nIn [0], we added the ability to bpf_prog_attach LSM programs to cgroups,\nbut in our validation to make sure the prog is meant to be attached to\nBPF_LSM_CGROUP, we return too early if the check fails. This results in\nlack of decrementing prog's refcnt (through bpf_prog_put)\nleaving the LSM program alive past the point of the expected lifecycle.\nThis fix allows for the decrement to take place.\n\n[0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_ses_add_channel()\n\nBefore return, should free the xid, otherwise, the\nxid will be leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: rio: fix possible name leak in rio_register_mport()\n\nIf device_register() returns error, the name allocated by dev_set_name()\nneed be freed.  It should use put_device() to give up the reference in the\nerror path, so that the name can be freed in kobject_cleanup(), and\nlist_del() is called to delete the port from rio_mports.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: alcor: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message\n\nCommit d5c7076b772a (\"smb3: add smb3.1.1 to default dialect list\")\nextend the dialects from 3 to 4, but forget to decrease the extended\nlength when specific the dialect, then the message length is larger\nthan expected.\n\nThis maybe leak some info through network because not initialize the\nmessage body.\n\nAfter apply this patch, the VALIDATE_NEGOTIATE_INFO message length is\nreduced from 28 bytes to 26 bytes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix memleak in alloc_ns()\n\nAfter changes in commit a1bd627b46d1 (\"apparmor: share profile name on\nreplacement\"), the hname member of struct aa_policy is not valid slab\nobject, but a subset of that, it can not be freed by kfree_sensitive(),\nuse aa_policy_destroy() to fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Finish converting the NFSv2 GETACL result encoder\n\nThe xdr_stream conversion inadvertently left some code that set the\npage_len of the send buffer. The XDR stream encoders should handle\nthis automatically now.\n\nThis oversight adds garbage past the end of the Reply message.\nClients typically ignore the garbage, but NFSD does not need to send\nit, as it leaks stale memory contents onto the wire.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: prevent decl_tag from being referenced in func_proto\n\nSyzkaller was able to hit the following issue:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946\nbtf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nModules linked in:\nCPU: 0 PID: 3609 Comm: syz-executor361 Not tainted\n6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 09/22/2022\nRIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nCode: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91\ne4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45\n31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44\nRSP: 0018:ffffc90003cefb40 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005\nRBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e\nR10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011\nFS:  000055555641b300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n btf_func_proto_check kernel/bpf/btf.c:4447 [inline]\n btf_check_all_types kernel/bpf/btf.c:4723 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]\n btf_parse kernel/bpf/btf.c:5026 [inline]\n btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892\n bpf_btf_load kernel/bpf/syscall.c:4324 [inline]\n __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010\n __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f0fbae41c69\nCode: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69\nRDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012\nRBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nLooks like it tries to create a func_proto which return type is\ndecl_tag. For the details, see Martin's spot on analysis in [0].\n\n0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: free unused skb to prevent memory leak\n\nThis avoid potential memory leak under power saving mode.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix shift-out-of-bounds due to too large exponent of block size\n\nIf field s_log_block_size of superblock data is corrupted and too large,\ninit_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds\nwarning followed by a kernel panic (if panic_on_warn is set):\n\n shift exponent 38973 is too large for 32-bit type 'int'\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0xcd/0x134\n  ubsan_epilogue+0xb/0x50\n  __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5\n  init_nilfs.cold.11+0x18/0x1d [nilfs2]\n  nilfs_mount+0x9b5/0x12b0 [nilfs2]\n  ...\n\nThis fixes the issue by adding and using a new helper function for getting\nblock size with sanity check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix a signed-integer-overflow bug in tcp_add_backlog()\n\nThe type of sk_rcvbuf and sk_sndbuf in struct sock is int, and\nin tcp_add_backlog(), the variable limit is caculated by adding\nsk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value\nof int and overflow. This patch reduces the limit budget by\nhalving the sndbuf to solve this issue since ACK packets are much\nsmaller than the payload.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: pxa: fix null-pointer dereference in filter()\n\nkasprintf() would return NULL pointer when kmalloc() fail to allocate.\nNeed to check the return pointer before calling strcmp().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage\n\nadreno_show_object() is a trap!  It will re-allocate the pointer it is\npassed on first call, when the data is ascii85 encoded, using kvmalloc/\nkvfree().  Which means the data *passed* to it must be kvmalloc'd, ie.\nwe cannot use the state_kcalloc() helper.\n\nThis partially reverts commit ec8f1813bf8d (\"drm/msm/a6xx: Replace\nkcalloc() with kvzalloc()\"), but adds the missing kvfree() to fix the\nmemory leak that was present previously.  And adds a warning comment.\n\nPatchwork: https://patchwork.freedesktop.org/patch/507014/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: amd - Fix PCI device refcount leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() for the normal and error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds in r_page\n\nWhen PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for\nthe first time, the size of *buffer would be equal to\nDefaultLogPageSize(4K).But for *buffer operations like memcpy,\nif the memory area size(n) which being assigned to buffer is larger\nthan 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause\nan out of boundary error.\n Call trace:\n  [...]\n  kasan_report+0x44/0x130\n  check_memory_region+0xf8/0x1a0\n  memcpy+0xc8/0x100\n  ntfs_read_run_nb+0x20c/0x460\n  read_log_page+0xd0/0x1f4\n  log_read_rst+0x110/0x75c\n  log_replay+0x1e8/0x4aa0\n  ntfs_loadlog_and_replay+0x290/0x2d0\n  ntfs_fill_super+0x508/0xec0\n  get_tree_bdev+0x1fc/0x34c\n  [...]\n\nFix this by setting variable r_page to NULL in log_read_rst.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid device tree lookups in rtas_os_term()\n\nrtas_os_term() is called during panic. Its behavior depends on a couple\nof conditions in the /rtas node of the device tree, the traversal of\nwhich entails locking and local IRQ state changes. If the kernel panics\nwhile devtree_lock is held, rtas_os_term() as currently written could\nhang.\n\nInstead of discovering the relevant characteristics at panic time,\ncache them in file-static variables at boot. Note the lookup for\n\"ibm,extended-os-term\" is converted to of_property_read_bool() since it\nis a boolean property, not an RTAS function token.\n\n[mpe: Incorporate suggested change from Nick]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix qmi_msg_handler data structure initialization\n\nqmi_msg_handler is required to be null terminated by QMI module.\nThere might be a case where a handler for a msg id is not present in the\nhandlers array which can lead to infinite loop while searching the handler\nand therefore out of bound access in qmi_invoke_handler().\nHence update the initialization in qmi_msg_handler data structure.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: Fix memory leak in realtime_counter_init()\n\nThe \"sys_clk\" resource is malloced by clk_get(),\nit is not released when the function return.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove\n\nIn vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses\na reference of pointer as the argument of kfree, which is the wrong pointer\nand then may hit crash like this:\n\nUnable to handle kernel paging request at virtual address 00ffff003363e30c\nInternal error: Oops: 96000004 [#1] SMP\nCall trace:\n rb_next+0x20/0x5c\n ext4_readdir+0x494/0x5c4 [ext4]\n iterate_dir+0x168/0x1b4\n __se_sys_getdents64+0x68/0x170\n __arm64_sys_getdents64+0x24/0x30\n el0_svc_common.constprop.0+0x7c/0x1bc\n do_el0_svc+0x2c/0x94\n el0_svc+0x20/0x30\n el0_sync_handler+0xb0/0xb4\n el0_sync+0x160/0x180\nCode: 54000220 f9400441 b4000161 aa0103e0 (f9400821)\nSMP: stopping secondary CPUs\nStarting crashdump kernel...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/erdma: Fix refcount leak in erdma_mmap\n\nrdma_user_mmap_entry_get() take reference, we should release it when not\nneed anymore, add the missing rdma_user_mmap_entry_put() in the error\npath to fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()\n\nWhen kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will\nbe NULL, and strcmp() will cause null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: Fix musb_gadget.c rxstate overflow bug\n\nThe usb function device call musb_gadget_queue() adds the passed\nrequest to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)\nand (is_buffer_mapped(req) return false),the rxstate() will copy all data\nin fifo to request->buf which may cause request->buf out of bounds.\n\nFix it by add the length check :\nfifocnt = min_t(unsigned, request->length - request->actual, fifocnt);",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: broadcom: bcm4908_enet: update TX stats after actual transmission\n\nQueueing packets doesn't guarantee their transmission. Update TX stats\nafter hardware confirms consuming submitted data.\n\nThis also fixes a possible race and NULL dereference.\nbcm4908_enet_start_xmit() could try to access skb after freeing it in\nthe bcm4908_enet_poll_tx().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()\n\nA NULL check for bridge->encoder shows that it may be NULL, but it\nalready been dereferenced on all paths leading to the check.\n812\tif (!bridge->encoder) {\n\nDereference the pointer bridge->encoder.\n810\tdrm_connector_attach_encoder(&lt9611->connector, bridge->encoder);",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool: Fix SEGFAULT\n\nfind_insn() will return NULL in case of failure. Check insn in order\nto avoid a kernel Oops for NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161]  genl_rcv_msg+0x38e/0x3be\n[21713.800166]  netlink_rcv_skb+0x89/0xf7\n[21713.800171]  genl_rcv+0x28/0x36\n[21713.800176]  netlink_unicast+0x179/0x24b\n[21713.800181]  netlink_sendmsg+0x3a0/0x40e\n[21713.800187]  sock_sendmsg+0x72/0x76\n[21713.800192]  ____sys_sendmsg+0x16d/0x1e3\n[21713.800196]  ___sys_sendmsg+0x95/0xd1\n[21713.800200]  __sys_sendmsg+0x85/0xbf\n[21713.800205]  do_syscall_64+0x43/0x55\n[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()\n\nThis patch fixes a use-after-free in ath9k that occurs in\nath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access\n'drv_priv' that has already been freed by ieee80211_free_hw(), called by\nath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before\nieee80211_free_hw(). Note that urbs from the driver should be killed\nbefore freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will\naccess 'wmi'.\n\nFound by a modified version of syzkaller.\n\n==================================================================\nBUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40\nRead of size 8 at addr ffff8881069132a0 by task kworker/0:1/7\n\nCPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x8e/0xd1\n print_address_description.constprop.0.cold+0x93/0x334\n ? ath9k_destroy_wmi+0x38/0x40\n ? ath9k_destroy_wmi+0x38/0x40\n kasan_report.cold+0x83/0xdf\n ? ath9k_destroy_wmi+0x38/0x40\n ath9k_destroy_wmi+0x38/0x40\n ath9k_hif_usb_disconnect+0x329/0x3f0\n ? ath9k_hif_usb_suspend+0x120/0x120\n ? usb_disable_interface+0xfc/0x180\n usb_unbind_interface+0x19b/0x7e0\n ? usb_autoresume_device+0x50/0x50\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n ? __device_link_del+0x370/0x370\n ? usb_remove_ep_devs+0x43/0x80\n ? remove_intf_ep_devs+0x112/0x1a0\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? hub_port_debounce+0x2e0/0x2e0\n ? check_irq_usage+0x860/0xf20\n ? drain_workqueue+0x281/0x360\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x92b/0x1460\n ? pwq_dec_nr_in_flight+0x330/0x330\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x95/0xe00\n ? __kthread_parkme+0x115/0x1e0\n ? process_one_work+0x1460/0x1460\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the page:\npage:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635\n prep_new_page+0x1aa/0x240\n get_page_from_freelist+0x159a/0x27c0\n __alloc_pages+0x2da/0x6a0\n alloc_pages+0xec/0x1e0\n kmalloc_order+0x39/0xf0\n kmalloc_order_trace+0x19/0x120\n __kmalloc+0x308/0x390\n wiphy_new_nm+0x6f5/0x1dd0\n ieee80211_alloc_hw_nm+0x36d/0x2230\n ath9k_htc_probe_device+0x9d/0x1e10\n ath9k_htc_hw_init+0x34/0x50\n ath9k_hif_usb_firmware_cb+0x25f/0x4e0\n request_firmware_work_func+0x131/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\npage last free stack trace:\n free_pcp_prepare+0x3d3/0x7f0\n free_unref_page+0x1e/0x3d0\n device_release+0xa4/0x240\n kobject_put+0x186/0x4c0\n put_device+0x20/0x30\n ath9k_htc_disconnect_device+0x1cf/0x2c0\n ath9k_htc_hw_deinit+0x26/0x30\n ath9k_hif_usb_disconnect+0x2d9/0x3f0\n usb_unbind_interface+0x19b/0x7e0\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n process_one_work+0x92b/0x1460\n\nMemory state around the buggy address:\n ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n>ffff888\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2022-50882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix memory leak in uvc_gpio_parse\n\nPreviously the unit buffer was allocated before checking the IRQ for\nprivacy GPIO. In case of error, the unit buffer was leaked.\n\nAllocate the unit buffer after the IRQ to avoid it.\n\nAddresses-Coverity-ID: 1474639 (\"Resource leak\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent decl_tag from being referenced in func_proto arg\n\nSyzkaller managed to hit another decl_tag issue:\n\n  btf_func_proto_check kernel/bpf/btf.c:4506 [inline]\n  btf_check_all_types kernel/bpf/btf.c:4734 [inline]\n  btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763\n  btf_parse kernel/bpf/btf.c:5042 [inline]\n  btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709\n  bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342\n  __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034\n  __do_sys_bpf kernel/bpf/syscall.c:5093 [inline]\n  __se_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091\n  do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n\nThis seems similar to commit ea68376c8bed (\"bpf: prevent decl_tag from being\nreferenced in func_proto\") but for the argument.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Prevent drm_copy_field() to attempt copying a NULL pointer\n\nThere are some struct drm_driver fields that are required by drivers since\ndrm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.\n\nBut it can be possible that a driver has a bug and did not set some of the\nfields, which leads to drm_copy_field() attempting to copy a NULL pointer:\n\n[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[  +0.010955] Mem abort info:\n[  +0.002835]   ESR = 0x0000000096000004\n[  +0.003872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  +0.005395]   SET = 0, FnV = 0\n[  +0.003113]   EA = 0, S1PTW = 0\n[  +0.003182]   FSC = 0x04: level 0 translation fault\n[  +0.004964] Data abort info:\n[  +0.002919]   ISV = 0, ISS = 0x00000004\n[  +0.003886]   CM = 0, WnR = 0\n[  +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000\n[  +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  +0.006925] Internal error: Oops: 96000004 [#1] SMP\n...\n[  +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  +0.007061] pc : __pi_strlen+0x14/0x150\n[  +0.003895] lr : drm_copy_field+0x30/0x1a4\n[  +0.004156] sp : ffff8000094b3a50\n[  +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040\n[  +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040\n[  +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000\n[  +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000\n[  +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40\n[  +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8\n[  +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141\n[  +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[  +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000\n[  +0.007240] Call trace:\n[  +0.002475]  __pi_strlen+0x14/0x150\n[  +0.003537]  drm_version+0x84/0xac\n[  +0.003448]  drm_ioctl_kernel+0xa8/0x16c\n[  +0.003975]  drm_ioctl+0x270/0x580\n[  +0.003448]  __arm64_sys_ioctl+0xb8/0xfc\n[  +0.003978]  invoke_syscall+0x78/0x100\n[  +0.003799]  el0_svc_common.constprop.0+0x4c/0xf4\n[  +0.004767]  do_el0_svc+0x38/0x4c\n[  +0.003357]  el0_svc+0x34/0x100\n[  +0.003185]  el0t_64_sync_handler+0x11c/0x150\n[  +0.004418]  el0t_64_sync+0x190/0x194\n[  +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)\n[  +0.006180] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1"
        },
        {
          "id": "CVE-2022-50885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed\n\nThere is a null-ptr-deref when mount.cifs over rdma:\n\n  BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n  Read of size 8 at addr 0000000000000018 by task mount.cifs/3046\n\n  CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   kasan_report+0xad/0x130\n   rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n   execute_in_process_context+0x25/0x90\n   __rxe_cleanup+0x101/0x1d0 [rdma_rxe]\n   rxe_create_qp+0x16a/0x180 [rdma_rxe]\n   create_qp.part.0+0x27d/0x340\n   ib_create_qp_kernel+0x73/0x160\n   rdma_create_qp+0x100/0x230\n   _smbd_get_connection+0x752/0x20f0\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe root cause of the issue is the socket create failed in\nrxe_qp_init_req().\n\nSo move the reset rxe_qp_do_cleanup() after the NULL ptr check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: toshsd: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host(), besides, free_irq() also needs be called.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix unbalanced of node refcount in regulator_dev_lookup()\n\nI got the the following report:\n\n  OF: ERROR: memory leak, expected refcount 1 instead of 2,\n  of_node_get()/of_node_put() unbalanced - destroy cset entry:\n  attach overlay node /i2c/pmic@62/regulators/exten\n\nIn of_get_regulator(), the node is returned from of_parse_phandle()\nwith refcount incremented, after using it, of_node_put() need be called.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()\n\nq6v5_wcss_init_mmio() will call platform_get_resource_byname() that may\nfail and return NULL. devm_ioremap() will use res->start as input, which\nmay causes null-ptr-deref. Check the ret value of\nplatform_get_resource_byname() to avoid the null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2022-50889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: Fix UAF in dm_integrity_dtr()\n\nDm_integrity also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in dm_integrity_dtr().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-50889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-0030",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030"
        },
        {
          "id": "CVE-2023-0045",
          "summary": "The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set \u00a0function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. \u00a0The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.\n\nWe recommend upgrading past commit\u00a0a664ec9158eeddd75121d39c9a0758016097fa96",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0045"
        },
        {
          "id": "CVE-2023-0122",
          "summary": "A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine. Affected versions v6.0-rc1 to v6.0-rc3, fixed in v6.0-rc4.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0122"
        },
        {
          "id": "CVE-2023-0160",
          "summary": "A deadlock flaw was found in the Linux kernel\u2019s BPF subsystem. This flaw allows a local user to potentially crash the system.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160"
        },
        {
          "id": "CVE-2023-0179",
          "summary": "A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0179"
        },
        {
          "id": "CVE-2023-0210",
          "summary": "A bug affects the Linux kernel\u2019s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0210"
        },
        {
          "id": "CVE-2023-0240",
          "summary": "There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation.\n\nIn the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0240"
        },
        {
          "id": "CVE-2023-0266",
          "summary": "A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.\u00a0SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit\u00a056b88b50565cd8b946a2d00b0c83927b7ebb055e",
          "scorev2": "0.0",
          "scorev3": "7.9",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266"
        },
        {
          "id": "CVE-2023-0386",
          "summary": "A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel\u2019s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0386"
        },
        {
          "id": "CVE-2023-0394",
          "summary": "A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394"
        },
        {
          "id": "CVE-2023-0458",
          "summary": "A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit\u00a0739790605705ddcf18f21782b9c99ad7d53a8c11",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0458"
        },
        {
          "id": "CVE-2023-0459",
          "summary": "Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the \"access_ok\" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit\u00a074e19ef0ff8061ef55957c3abd71614ef0f42f47",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0459"
        },
        {
          "id": "CVE-2023-0461",
          "summary": "There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS\u00a0or CONFIG_XFRM_ESPINTCP\u00a0has to be configured, but the operation does not require any privilege.\n\nThere is a use-after-free bug of icsk_ulp_data\u00a0of a struct inet_connection_sock.\n\nWhen CONFIG_TLS\u00a0is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.\n\nThe setsockopt\u00a0TCP_ULP\u00a0operation does not require any privilege.\n\nWe recommend upgrading past commit\u00a02c02d41d71f90a5168391b6a5f2954112ba2307c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0461"
        },
        {
          "id": "CVE-2023-0468",
          "summary": "A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0468"
        },
        {
          "id": "CVE-2023-0469",
          "summary": "A use-after-free flaw was found in io_uring/filetable.c in io_install_fixed_file in the io_uring subcomponent in the Linux Kernel during call cleanup. This flaw may lead to a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0469"
        },
        {
          "id": "CVE-2023-0590",
          "summary": "A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. The kernel could be affected if patch ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\") has not been applied yet.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590"
        },
        {
          "id": "CVE-2023-0597",
          "summary": "A flaw with the possibility of a memory leak was found in the Linux kernel's cpu_entry_area mapping of x86 CPU data to memory, in the way a user can guess the location of the exception stack(s) or other important data. A local user could use this flaw to get access to some important data at an expected location in memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597"
        },
        {
          "id": "CVE-2023-0615",
          "summary": "A memory leak flaw and a potential divide-by-zero and integer overflow were found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as the VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if the vivid test code is enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615"
        },
        {
          "id": "CVE-2023-1032",
          "summary": "The Linux kernel io_uring IORING_OP_SOCKET operation contained a double free in function __sys_socket_file() in file net/socket.c. This issue was introduced in da214a475f8bd1d3e9e7a19ddfeb4d1617551bab and fixed in 649c15c7691e9b13cbe9bf6c65c365350e056067.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1032"
        },
        {
          "id": "CVE-2023-1073",
          "summary": "A memory corruption flaw was found in the Linux kernel\u2019s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2rc5"
        },
        {
          "id": "CVE-2023-1074",
          "summary": "A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2rc6"
        },
        {
          "id": "CVE-2023-1075",
          "summary": "A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2rc7"
        },
        {
          "id": "CVE-2023-1076",
          "summary": "A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this will often be correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3rc1"
        },
        {
          "id": "CVE-2023-1077",
          "summary": "In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head. The buggy error condition would lead to a type confused entry with the list head, which would then be used as a type confused sched_rt_entity, causing memory corruption.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1077"
        },
        {
          "id": "CVE-2023-1078",
          "summary": "A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1078"
        },
        {
          "id": "CVE-2023-1079",
          "summary": "A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging in or disconnecting a malicious USB device, which advertises itself as an Asus device. Similarly to the previously known CVE-2023-25012, but in Asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1079"
        },
        {
          "id": "CVE-2023-1095",
          "summary": "In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095"
        },
        {
          "id": "CVE-2023-1118",
          "summary": "A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1118"
        },
        {
          "id": "CVE-2023-1192",
          "summary": "A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, a local variable still points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a freed memory region, leading to a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192"
        },
        {
          "id": "CVE-2023-1193",
          "summary": "A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193"
        },
        {
          "id": "CVE-2023-1194",
          "summary": "An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1194"
        },
        {
          "id": "CVE-2023-1195",
          "summary": "A use-after-free flaw was found in reconn_set_ipaddr_from_hostname in fs/cifs/connect.c in the Linux kernel. The issue occurs when it fails to set the freed pointer server->hostname to NULL, leading to an invalid pointer request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1195"
        },
        {
          "id": "CVE-2023-1206",
          "summary": "A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel\u2019s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPv6 connections up to 95%.",
          "scorev2": "0.0",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1206"
        },
        {
          "id": "CVE-2023-1249",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s core dump subsystem. This flaw allows a local user to crash the system. The kernel could be affected only if patch 390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\") has not been applied yet.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1249"
        },
        {
          "id": "CVE-2023-1252",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. The kernel could be affected only if patch 9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\") has not been applied yet.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1252"
        },
        {
          "id": "CVE-2023-1281",
          "summary": "Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation.\u00a0The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nThis issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281"
        },
        {
          "id": "CVE-2023-1295",
          "summary": "A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1295"
        },
        {
          "id": "CVE-2023-1380",
          "summary": "A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1380"
        },
        {
          "id": "CVE-2023-1382",
          "summary": "A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382"
        },
        {
          "id": "CVE-2023-1390",
          "summary": "A remote denial of service vulnerability was found in the Linux kernel\u2019s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1390"
        },
        {
          "id": "CVE-2023-1476",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s mm/mremap memory address space accounting source code. This issue occurs due to a race condition between rmap walk and mremap, allowing a local user to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1476"
        },
        {
          "id": "CVE-2023-1513",
          "summary": "A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513"
        },
        {
          "id": "CVE-2023-1582",
          "summary": "A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1582"
        },
        {
          "id": "CVE-2023-1583",
          "summary": "A NULL pointer dereference was found in io_file_bitmap_get in io_uring/filetable.c in the io_uring sub-component in the Linux Kernel. When fixed files are unregistered, some context information (file_alloc_{start,end} and alloc_hint) is not cleared. A subsequent request that has auto index selection enabled via IORING_FILE_INDEX_ALLOC can cause a NULL pointer dereference. An unprivileged user can use the flaw to cause a system crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1583"
        },
        {
          "id": "CVE-2023-1611",
          "summary": "A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1611"
        },
        {
          "id": "CVE-2023-1637",
          "summary": "A flaw was found in the Linux kernel x86 CPU power management options functionality, in the way a user resumes the CPU from suspend-to-RAM: the boot CPU could be left vulnerable to speculative-execution-style attacks. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU, similar to speculative-execution-style attacks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1637"
        },
        {
          "id": "CVE-2023-1652",
          "summary": "A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1652"
        },
        {
          "id": "CVE-2023-1670",
          "summary": "A use-after-free flaw was found in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1670"
        },
        {
          "id": "CVE-2023-1829",
          "summary": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829"
        },
        {
          "id": "CVE-2023-1838",
          "summary": "A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1838"
        },
        {
          "id": "CVE-2023-1855",
          "summary": "A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1855"
        },
        {
          "id": "CVE-2023-1859",
          "summary": "A use-after-free flaw was found in xen_9pfs_front_remove in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859"
        },
        {
          "id": "CVE-2023-1872",
          "summary": "A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\n\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due to a race condition with fixed files getting unregistered.\n\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1872"
        },
        {
          "id": "CVE-2023-1989",
          "summary": "A use-after-free flaw was found in btsdio_remove in drivers/bluetooth/btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job may cause a race problem leading to a UAF on hdev devices.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1989"
        },
        {
          "id": "CVE-2023-1990",
          "summary": "A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1990"
        },
        {
          "id": "CVE-2023-1998",
          "summary": "The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.",
          "scorev2": "0.0",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998"
        },
        {
          "id": "CVE-2023-2002",
          "summary": "A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to execute management commands without authorization, compromising the confidentiality, integrity, and availability of Bluetooth communication.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2002"
        },
        {
          "id": "CVE-2023-2006",
          "summary": "A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2006"
        },
        {
          "id": "CVE-2023-2007",
          "summary": "The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2007"
        },
        {
          "id": "CVE-2023-2008",
          "summary": "A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2008"
        },
        {
          "id": "CVE-2023-2019",
          "summary": "A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2019"
        },
        {
          "id": "CVE-2023-20659",
          "summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588413.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20659"
        },
        {
          "id": "CVE-2023-20660",
          "summary": "In wlan, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588383; Issue ID: ALPS07588383.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20660"
        },
        {
          "id": "CVE-2023-20661",
          "summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560782; Issue ID: ALPS07560782.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20661"
        },
        {
          "id": "CVE-2023-20662",
          "summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560765; Issue ID: ALPS07560765.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20662"
        },
        {
          "id": "CVE-2023-20663",
          "summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07560741; Issue ID: ALPS07560741.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20663"
        },
        {
          "id": "CVE-2023-20674",
          "summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588552.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20674"
        },
        {
          "id": "CVE-2023-20675",
          "summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07588569.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20675"
        },
        {
          "id": "CVE-2023-20676",
          "summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588569; Issue ID: ALPS07628518.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20676"
        },
        {
          "id": "CVE-2023-20677",
          "summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20677"
        },
        {
          "id": "CVE-2023-20679",
          "summary": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588453.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20679"
        },
        {
          "id": "CVE-2023-20682",
          "summary": "In wlan, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441605; Issue ID: ALPS07441605.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20682"
        },
        {
          "id": "CVE-2023-20712",
          "summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796914; Issue ID: ALPS07796914.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20712"
        },
        {
          "id": "CVE-2023-20715",
          "summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796900; Issue ID: ALPS07796900.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20715"
        },
        {
          "id": "CVE-2023-20716",
          "summary": "In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796883; Issue ID: ALPS07796883.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20716"
        },
        {
          "id": "CVE-2023-20810",
          "summary": "In IOMMU, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20810"
        },
        {
          "id": "CVE-2023-20811",
          "summary": "In IOMMU, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20811"
        },
        {
          "id": "CVE-2023-20838",
          "summary": "In imgsys, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326418.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20838"
        },
        {
          "id": "CVE-2023-20839",
          "summary": "In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326409.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20839"
        },
        {
          "id": "CVE-2023-20840",
          "summary": "In imgsys, there is a possible out of bounds read and write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326430; Issue ID: ALPS07326430.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20840"
        },
        {
          "id": "CVE-2023-20841",
          "summary": "In imgsys, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326441.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20841"
        },
        {
          "id": "CVE-2023-20842",
          "summary": "In imgsys_cmdq, there is a possible out of bounds write due to a missing\u00a0valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354259; Issue ID: ALPS07340477.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20842"
        },
        {
          "id": "CVE-2023-20843",
          "summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340119; Issue ID: ALPS07340119.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20843"
        },
        {
          "id": "CVE-2023-20844",
          "summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354058; Issue ID: ALPS07340121.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20844"
        },
        {
          "id": "CVE-2023-20845",
          "summary": "In imgsys, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07197795; Issue ID: ALPS07340357.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20845"
        },
        {
          "id": "CVE-2023-20846",
          "summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local information disclosure with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354023; Issue ID: ALPS07340098.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20846"
        },
        {
          "id": "CVE-2023-20847",
          "summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local denial of service with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354025; Issue ID: ALPS07340108.",
          "scorev2": "0.0",
          "scorev3": "4.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20847"
        },
        {
          "id": "CVE-2023-20848",
          "summary": "In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340433.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20848"
        },
        {
          "id": "CVE-2023-20849",
          "summary": "In imgsys_cmdq, there is a possible use after free due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340350.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20849"
        },
        {
          "id": "CVE-2023-20850",
          "summary": "In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340381.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-20850"
        },
        {
          "id": "CVE-2023-2124",
          "summary": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2124"
        },
        {
          "id": "CVE-2023-2156",
          "summary": "A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2156"
        },
        {
          "id": "CVE-2023-2162",
          "summary": "A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2162"
        },
        {
          "id": "CVE-2023-2163",
          "summary": "Incorrect verifier pruning\u00a0in BPF in Linux Kernel\u00a0>=5.4\u00a0leads to unsafe\ncode paths being incorrectly marked as safe, resulting in\u00a0arbitrary read/write in\nkernel memory, lateral privilege escalation, and container escape.",
          "scorev2": "0.0",
          "scorev3": "10.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2163"
        },
        {
          "id": "CVE-2023-2166",
          "summary": "A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2166"
        },
        {
          "id": "CVE-2023-2176",
          "summary": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176"
        },
        {
          "id": "CVE-2023-2177",
          "summary": "A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2177"
        },
        {
          "id": "CVE-2023-2194",
          "summary": "An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2194"
        },
        {
          "id": "CVE-2023-2235",
          "summary": "A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.\n\nThe perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but\u00a0remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.\n\n",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2235"
        },
        {
          "id": "CVE-2023-2236",
          "summary": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2236"
        },
        {
          "id": "CVE-2023-2269",
          "summary": "A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2269"
        },
        {
          "id": "CVE-2023-22995",
          "summary": "In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22995"
        },
        {
          "id": "CVE-2023-22996",
          "summary": "In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22996"
        },
        {
          "id": "CVE-2023-22997",
          "summary": "In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22997"
        },
        {
          "id": "CVE-2023-22998",
          "summary": "In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998"
        },
        {
          "id": "CVE-2023-22999",
          "summary": "In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-22999"
        },
        {
          "id": "CVE-2023-23000",
          "summary": "In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23000"
        },
        {
          "id": "CVE-2023-23001",
          "summary": "In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c misinterprets the regulator_get return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23001"
        },
        {
          "id": "CVE-2023-23002",
          "summary": "In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c misinterprets the devm_gpiod_get_index_optional return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23002"
        },
        {
          "id": "CVE-2023-23003",
          "summary": "In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23003"
        },
        {
          "id": "CVE-2023-23004",
          "summary": "In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23004"
        },
        {
          "id": "CVE-2023-23005",
          "summary": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005",
          "detail": "disputed",
          "description": "There are no realistic cases in which a user can cause the alloc_memory_type error case to be reached. See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
        },
        {
          "id": "CVE-2023-23006",
          "summary": "In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23006"
        },
        {
          "id": "CVE-2023-23039",
          "summary": "An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().",
          "scorev2": "0.0",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23039"
        },
        {
          "id": "CVE-2023-23454",
          "summary": "cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454"
        },
        {
          "id": "CVE-2023-23455",
          "summary": "atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23455"
        },
        {
          "id": "CVE-2023-23559",
          "summary": "In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23559"
        },
        {
          "id": "CVE-2023-23586",
          "summary": "Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23586"
        },
        {
          "id": "CVE-2023-2430",
          "summary": "A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring.c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2430"
        },
        {
          "id": "CVE-2023-25012",
          "summary": "The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-25012"
        },
        {
          "id": "CVE-2023-2513",
          "summary": "A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2513"
        },
        {
          "id": "CVE-2023-2598",
          "summary": "A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2598"
        },
        {
          "id": "CVE-2023-26242",
          "summary": "afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26242"
        },
        {
          "id": "CVE-2023-26544",
          "summary": "In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26544"
        },
        {
          "id": "CVE-2023-26545",
          "summary": "In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545"
        },
        {
          "id": "CVE-2023-26605",
          "summary": "In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26605"
        },
        {
          "id": "CVE-2023-26606",
          "summary": "In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26606"
        },
        {
          "id": "CVE-2023-26607",
          "summary": "In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607"
        },
        {
          "id": "CVE-2023-28327",
          "summary": "A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28327"
        },
        {
          "id": "CVE-2023-28328",
          "summary": "A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28328"
        },
        {
          "id": "CVE-2023-28464",
          "summary": "hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28464"
        },
        {
          "id": "CVE-2023-28466",
          "summary": "do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28466"
        },
        {
          "id": "CVE-2023-2860",
          "summary": "An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2860"
        },
        {
          "id": "CVE-2023-28772",
          "summary": "An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28772"
        },
        {
          "id": "CVE-2023-28866",
          "summary": "In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28866"
        },
        {
          "id": "CVE-2023-2898",
          "summary": "There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5rc1"
        },
        {
          "id": "CVE-2023-2985",
          "summary": "A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985"
        },
        {
          "id": "CVE-2023-3006",
          "summary": "A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3006"
        },
        {
          "id": "CVE-2023-3022",
          "summary": "A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3022"
        },
        {
          "id": "CVE-2023-30456",
          "summary": "An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30456"
        },
        {
          "id": "CVE-2023-30772",
          "summary": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772"
        },
        {
          "id": "CVE-2023-3079",
          "summary": "Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3079",
          "detail": "not-applicable-config",
          "description": "Issue only affects chromium, which is not in linux-yocto"
        },
        {
          "id": "CVE-2023-3090",
          "summary": "A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3090"
        },
        {
          "id": "CVE-2023-3106",
          "summary": "A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3106"
        },
        {
          "id": "CVE-2023-3108",
          "summary": "A flaw was found in the subsequent get_user_pages_fast in the Linux kernel\u2019s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. This flaw allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3108"
        },
        {
          "id": "CVE-2023-31081",
          "summary": "An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31081"
        },
        {
          "id": "CVE-2023-31082",
          "summary": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082"
        },
        {
          "id": "CVE-2023-31083",
          "summary": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083"
        },
        {
          "id": "CVE-2023-31084",
          "summary": "An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31084"
        },
        {
          "id": "CVE-2023-31085",
          "summary": "An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31085"
        },
        {
          "id": "CVE-2023-3111",
          "summary": "A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3111"
        },
        {
          "id": "CVE-2023-31248",
          "summary": "Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31248"
        },
        {
          "id": "CVE-2023-3141",
          "summary": "A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3141"
        },
        {
          "id": "CVE-2023-31436",
          "summary": "qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436"
        },
        {
          "id": "CVE-2023-3159",
          "summary": "A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3159"
        },
        {
          "id": "CVE-2023-3161",
          "summary": "A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3161"
        },
        {
          "id": "CVE-2023-3212",
          "summary": "A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3212"
        },
        {
          "id": "CVE-2023-3220",
          "summary": "An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3220"
        },
        {
          "id": "CVE-2023-32233",
          "summary": "In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233"
        },
        {
          "id": "CVE-2023-32246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: call rcu_barrier() in ksmbd_server_exit()\n\nracy issue is triggered the bug by racing between closing a connection\nand rmmod. In ksmbd, rcu_barrier() is not called at module unload time,\nso nothing prevents ksmbd from getting unloaded while it still has RCU\ncallbacks pending. It leads to trigger unintended execution of kernel\ncode locally and use to defeat protections such as Kernel Lockdown",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-32247",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32247"
        },
        {
          "id": "CVE-2023-32248",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32248"
        },
        {
          "id": "CVE-2023-32249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: not allow guest user on multichannel\n\nThis patch return STATUS_NOT_SUPPORTED if binding session is guest.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-32250",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "9.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32250"
        },
        {
          "id": "CVE-2023-32252",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32252"
        },
        {
          "id": "CVE-2023-32254",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32254"
        },
        {
          "id": "CVE-2023-32257",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32257"
        },
        {
          "id": "CVE-2023-32258",
          "summary": "A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32258"
        },
        {
          "id": "CVE-2023-32269",
          "summary": "An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32269"
        },
        {
          "id": "CVE-2023-3268",
          "summary": "An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3268"
        },
        {
          "id": "CVE-2023-3269",
          "summary": "A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3269"
        },
        {
          "id": "CVE-2023-32810",
          "summary": "In bluetooth driver, there is a possible out of bounds read due to improper input validation. This could lead to local information leak with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07867212; Issue ID: ALPS07867212.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32810"
        },
        {
          "id": "CVE-2023-32820",
          "summary": "In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; Issue ID: ALPS07932637.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32820"
        },
        {
          "id": "CVE-2023-3312",
          "summary": "A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. This flaw, during device unbind will lead to double release problem leading to denial of service.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3312"
        },
        {
          "id": "CVE-2023-3317",
          "summary": "A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability could even lead to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3317"
        },
        {
          "id": "CVE-2023-33203",
          "summary": "The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33203"
        },
        {
          "id": "CVE-2023-33250",
          "summary": "The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33250"
        },
        {
          "id": "CVE-2023-33288",
          "summary": "An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33288"
        },
        {
          "id": "CVE-2023-3338",
          "summary": "A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3338"
        },
        {
          "id": "CVE-2023-3355",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3355"
        },
        {
          "id": "CVE-2023-3357",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3357"
        },
        {
          "id": "CVE-2023-3358",
          "summary": "A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358"
        },
        {
          "id": "CVE-2023-3359",
          "summary": "An issue was discovered in the Linux kernel brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. Lacks for the check of the return value of kzalloc() can cause the NULL Pointer Dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3359"
        },
        {
          "id": "CVE-2023-3389",
          "summary": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and\u00a00e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389"
        },
        {
          "id": "CVE-2023-3390",
          "summary": "A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.\n\nMishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.\n\nWe recommend upgrading past commit\u00a01240eb93f0616b21c675416516ff3d74798fdc97.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3390"
        },
        {
          "id": "CVE-2023-33951",
          "summary": "A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the handling of GEM objects. The issue results from improper locking when performing operations on an object. This flaw allows a local privileged user to disclose information in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33951"
        },
        {
          "id": "CVE-2023-33952",
          "summary": "A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-33952"
        },
        {
          "id": "CVE-2023-3397",
          "summary": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397"
        },
        {
          "id": "CVE-2023-34256",
          "summary": "An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34256"
        },
        {
          "id": "CVE-2023-34319",
          "summary": "The fix for XSA-423 added logic to Linux'es netback driver to deal with\na frontend splitting a packet in a way such that not all of the headers\nwould come in one piece.  Unfortunately the logic introduced there\ndidn't account for the extreme case of the entire packet being split\ninto as many pieces as permitted by the protocol, yet still being\nsmaller than the area that's specially dealt with to keep all (possible)\nheaders together.  Such an unusual packet would therefore trigger a\nbuffer overrun in the driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34319"
        },
        {
          "id": "CVE-2023-34324",
          "summary": "Closing of an event channel in the Linux kernel can result in a deadlock.\nThis happens when the close is being performed in parallel to an unrelated\nXen console action and the handling of a Xen console interrupt in an\nunprivileged guest.\n\nThe closing of an event channel is e.g. triggered by removal of a\nparavirtual device on the other side. As this action will cause console\nmessages to be issued on the other side quite often, the chance of\ntriggering the deadlock is not neglectable.\n\nNote that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel\non Arm doesn't use queued-RW-locks, which are required to trigger the\nissue (on Arm32 a waiting writer doesn't block further readers to get\nthe lock).",
          "scorev2": "0.0",
          "scorev3": "4.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34324"
        },
        {
          "id": "CVE-2023-3439",
          "summary": "A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3439"
        },
        {
          "id": "CVE-2023-35001",
          "summary": "Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35001"
        },
        {
          "id": "CVE-2023-3567",
          "summary": "A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3567"
        },
        {
          "id": "CVE-2023-35788",
          "summary": "An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35788"
        },
        {
          "id": "CVE-2023-35823",
          "summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35823"
        },
        {
          "id": "CVE-2023-35824",
          "summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824"
        },
        {
          "id": "CVE-2023-35826",
          "summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35826"
        },
        {
          "id": "CVE-2023-35827",
          "summary": "An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35827"
        },
        {
          "id": "CVE-2023-35828",
          "summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828"
        },
        {
          "id": "CVE-2023-35829",
          "summary": "An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829"
        },
        {
          "id": "CVE-2023-3609",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3609"
        },
        {
          "id": "CVE-2023-3610",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.\n\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3610"
        },
        {
          "id": "CVE-2023-3611",
          "summary": "An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\n\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3611"
        },
        {
          "id": "CVE-2023-3640",
          "summary": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Ignored",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640",
          "detail": "not-applicable-config",
          "description": "x86 cpu_entry_area KASLR Leak"
        },
        {
          "id": "CVE-2023-37453",
          "summary": "An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37453"
        },
        {
          "id": "CVE-2023-37454",
          "summary": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454"
        },
        {
          "id": "CVE-2023-3772",
          "summary": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5rc7"
        },
        {
          "id": "CVE-2023-3773",
          "summary": "A flaw was found in the Linux kernel\u2019s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5rc7"
        },
        {
          "id": "CVE-2023-3776",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3776"
        },
        {
          "id": "CVE-2023-3777",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\n\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3777"
        },
        {
          "id": "CVE-2023-3812",
          "summary": "An out-of-bounds memory access flaw was found in the Linux kernel\u2019s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812"
        },
        {
          "id": "CVE-2023-38409",
          "summary": "An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38409"
        },
        {
          "id": "CVE-2023-38426",
          "summary": "An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38426"
        },
        {
          "id": "CVE-2023-38427",
          "summary": "An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38427"
        },
        {
          "id": "CVE-2023-38428",
          "summary": "An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428"
        },
        {
          "id": "CVE-2023-38429",
          "summary": "An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38429"
        },
        {
          "id": "CVE-2023-38430",
          "summary": "An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38430"
        },
        {
          "id": "CVE-2023-38431",
          "summary": "An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38431"
        },
        {
          "id": "CVE-2023-38432",
          "summary": "An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-38432"
        },
        {
          "id": "CVE-2023-3863",
          "summary": "A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3863"
        },
        {
          "id": "CVE-2023-3865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bound read in smb2_write\n\nksmbd_smb2_check_message doesn't validate hdr->NextCommand. If\n->NextCommand is bigger than Offset + Length of smb2 write, It will\nallow oversized smb2 write length. It will cause OOB read in smb2_write.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-3866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate session id and tree id in the compound request\n\nThis patch validate session id and tree id in compound request.\nIf first operation in the compound is SMB2 ECHO request, ksmbd bypass\nsession and tree validation. So work->sess and work->tcon could be NULL.\nIf secound request in the compound access work->sess or tcon, It cause\nNULL pointer dereferecing error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-3867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out of bounds read in smb2_sess_setup\n\nksmbd does not consider the case of that smb2 session setup is\nin compound request. If this is the second payload of the compound,\nOOB read issue occurs while processing the first payload in\nthe smb2_sess_setup().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-3867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-39176",
          "summary": "A flaw was found within the parsing of SMB2 requests that have a transform header in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE.",
          "scorev2": "0.0",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39176",
          "detail": "fixed-version",
          "description": "Fixed from 6.5"
        },
        {
          "id": "CVE-2023-39179",
          "summary": "A flaw was found within the handling of SMB2 read requests in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39179",
          "detail": "fixed-version",
          "description": "Fixed from 6.5"
        },
        {
          "id": "CVE-2023-39180",
          "summary": "A flaw was found within the handling of SMB2_READ commands in the kernel ksmbd module. The issue results from not releasing memory after its effective lifetime. An attacker can leverage this to create a denial-of-service condition on affected installations of Linux. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39180",
          "detail": "fixed-version",
          "description": "Fixed from 6.5"
        },
        {
          "id": "CVE-2023-39189",
          "summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39189"
        },
        {
          "id": "CVE-2023-39191",
          "summary": "An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39191"
        },
        {
          "id": "CVE-2023-39192",
          "summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39192"
        },
        {
          "id": "CVE-2023-39193",
          "summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193"
        },
        {
          "id": "CVE-2023-39194",
          "summary": "A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.",
          "scorev2": "0.0",
          "scorev3": "3.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39194"
        },
        {
          "id": "CVE-2023-39197",
          "summary": "An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197"
        },
        {
          "id": "CVE-2023-39198",
          "summary": "A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-39198"
        },
        {
          "id": "CVE-2023-4004",
          "summary": "A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004"
        },
        {
          "id": "CVE-2023-4010",
          "summary": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010"
        },
        {
          "id": "CVE-2023-4015",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\n\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4015"
        },
        {
          "id": "CVE-2023-40283",
          "summary": "An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40283"
        },
        {
          "id": "CVE-2023-40791",
          "summary": "extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-40791"
        },
        {
          "id": "CVE-2023-4130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()\n\nThere are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request\nfrom client. ksmbd find next smb2_ea_info using ->NextEntryOffset of\ncurrent smb2_ea_info. ksmbd need to validate buffer length Before\naccessing the next ea. ksmbd should check buffer length using buf_len,\nnot next variable. next is the start offset of current ea that got from\nprevious ea.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-4132",
          "summary": "A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132"
        },
        {
          "id": "CVE-2023-4133",
          "summary": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133"
        },
        {
          "id": "CVE-2023-4134",
          "summary": "A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. This issue occurs in the device cleanup routine due to a possible rearming of the watchdog_timer from the workqueue. This could allow a local user to crash the system, causing a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4134"
        },
        {
          "id": "CVE-2023-4147",
          "summary": "A use-after-free flaw was found in the Linux kernel\u2019s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147"
        },
        {
          "id": "CVE-2023-4155",
          "summary": "A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5rc6"
        },
        {
          "id": "CVE-2023-4194",
          "summary": "A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194"
        },
        {
          "id": "CVE-2023-4206",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\n\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4206"
        },
        {
          "id": "CVE-2023-4207",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\n\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4207"
        },
        {
          "id": "CVE-2023-4208",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4208"
        },
        {
          "id": "CVE-2023-4244",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nDue to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4244"
        },
        {
          "id": "CVE-2023-4273",
          "summary": "A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273"
        },
        {
          "id": "CVE-2023-42752",
          "summary": "An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42752"
        },
        {
          "id": "CVE-2023-42753",
          "summary": "An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753"
        },
        {
          "id": "CVE-2023-42754",
          "summary": "A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42754"
        },
        {
          "id": "CVE-2023-42755",
          "summary": "A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42755"
        },
        {
          "id": "CVE-2023-42756",
          "summary": "A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-42756"
        },
        {
          "id": "CVE-2023-4385",
          "summary": "A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4385"
        },
        {
          "id": "CVE-2023-4387",
          "summary": "A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387"
        },
        {
          "id": "CVE-2023-4389",
          "summary": "A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389"
        },
        {
          "id": "CVE-2023-4394",
          "summary": "A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4394"
        },
        {
          "id": "CVE-2023-44466",
          "summary": "An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44466"
        },
        {
          "id": "CVE-2023-4458",
          "summary": "A flaw was found within the parsing of extended attributes in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4458"
        },
        {
          "id": "CVE-2023-4459",
          "summary": "A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459"
        },
        {
          "id": "CVE-2023-4515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate command request size\n\nIn commit 2b9b8f3b68ed (\"ksmbd: validate command payload size\"), except\nfor SMB2_OPLOCK_BREAK_HE command, the request size of other commands\nis not checked, it's not expected. Fix it by add check for request\nsize of other commands.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4515",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-4569",
          "summary": "A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4569"
        },
        {
          "id": "CVE-2023-45862",
          "summary": "An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862"
        },
        {
          "id": "CVE-2023-45863",
          "summary": "An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45863"
        },
        {
          "id": "CVE-2023-45871",
          "summary": "An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871"
        },
        {
          "id": "CVE-2023-45898",
          "summary": "The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-45898"
        },
        {
          "id": "CVE-2023-4611",
          "summary": "A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4611"
        },
        {
          "id": "CVE-2023-4622",
          "summary": "A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\n\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\n\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622"
        },
        {
          "id": "CVE-2023-4623",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\n\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\n\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623"
        },
        {
          "id": "CVE-2023-46343",
          "summary": "In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46343"
        },
        {
          "id": "CVE-2023-46813",
          "summary": "An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46813"
        },
        {
          "id": "CVE-2023-46838",
          "summary": "Transmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46838"
        },
        {
          "id": "CVE-2023-46862",
          "summary": "An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-46862"
        },
        {
          "id": "CVE-2023-47233",
          "summary": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.",
          "scorev2": "0.0",
          "scorev3": "4.3",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233"
        },
        {
          "id": "CVE-2023-4732",
          "summary": "A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4732"
        },
        {
          "id": "CVE-2023-4921",
          "summary": "A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\n\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\n\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921"
        },
        {
          "id": "CVE-2023-50431",
          "summary": "sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-50431"
        },
        {
          "id": "CVE-2023-5090",
          "summary": "A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5090"
        },
        {
          "id": "CVE-2023-51042",
          "summary": "In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51042"
        },
        {
          "id": "CVE-2023-51043",
          "summary": "In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51043"
        },
        {
          "id": "CVE-2023-5158",
          "summary": "A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5158"
        },
        {
          "id": "CVE-2023-5178",
          "summary": "A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178"
        },
        {
          "id": "CVE-2023-51780",
          "summary": "An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51780"
        },
        {
          "id": "CVE-2023-51781",
          "summary": "An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781"
        },
        {
          "id": "CVE-2023-51782",
          "summary": "An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-51782"
        },
        {
          "id": "CVE-2023-5197",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\n\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197"
        },
        {
          "id": "CVE-2023-52340",
          "summary": "The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52340"
        },
        {
          "id": "CVE-2023-52429",
          "summary": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429"
        },
        {
          "id": "CVE-2023-52433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip sync GC for new elements in this transaction\n\nNew elements in this transaction might expired before such transaction\nends. Skip sync GC for such elements otherwise commit path might walk\nover an already released object. Once transaction is finished, async GC\nwill collect such expired element.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52433",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n  BUG: unable to handle page fault for address: ffff8881178d8cc3\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 4a01067 P4D 4a01067 PUD 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n  RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n  Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n  00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n  7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n  RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n  RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n  RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n  RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n  R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n  R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n  FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   ? __die+0x23/0x70\n   ? page_fault_oops+0x181/0x480\n   ? search_module_extables+0x19/0x60\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? exc_page_fault+0x1b6/0x1c0\n   ? asm_exc_page_fault+0x26/0x30\n   ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n   SMB2_open+0x38d/0x5f0 [cifs]\n   ? 
smb2_is_path_accessible+0x138/0x260 [cifs]\n   smb2_is_path_accessible+0x138/0x260 [cifs]\n   cifs_is_path_remote+0x8d/0x230 [cifs]\n   cifs_mount+0x7e/0x350 [cifs]\n   cifs_smb3_do_mount+0x128/0x780 [cifs]\n   smb3_get_tree+0xd9/0x290 [cifs]\n   vfs_get_tree+0x2c/0x100\n   ? capable+0x37/0x70\n   path_mount+0x2d7/0xb80\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? _raw_spin_unlock_irqrestore+0x44/0x60\n   __x64_sys_mount+0x11a/0x150\n   do_syscall_64+0x47/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7f8737657b1e",
          "scorev2": "0.0",
          "scorev3": "8.0",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 
net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 
RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: explicitly null-terminate the xattr list\n\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52436",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shrinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\n\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\n\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\n\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 does uio_release and put_device, the idev will be double\n   freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52439",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()\n\nIf authblob->SessionKey.Length is bigger than session key\nsize(CIFS_KEY_SIZE), slub overflow can happen in key exchange codes.\ncifs_arc4_crypt copies to session key array from SessionKey from client.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52440",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\n\nIf the client sends an smb2 negotiate request and then sends an smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for the smb1 negotiate request since\nneed_neg is set to false. This patch ignores smb1 packets after ->need_neg\nis set to false.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52441",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate session id and tree id in compound request\n\n`smb2_get_msg()` in smb2_get_ksmbd_tcon() and smb2_check_user_session()\nwill always return the first request smb2 header in a compound request.\nIf `SMB2_TREE_CONNECT_HE` is the first command in a compound request, it will\nreturn 0, i.e. the tree id check is skipped.\nThis patch uses ksmbd_req_buf_next() to get the current command in the compound.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52442",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: avoid crash when parsed profile name is empty\n\nWhen processing a packed profile in unpack_profile() described like\n\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\n\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\n\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\n\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\n\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\n\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52443",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid dirent corruption\n\nAs Al reported in link[1]:\n\nf2fs_rename()\n...\n\tif (old_dir != new_dir && !whiteout)\n\t\tf2fs_set_link(old_inode, old_dir_entry,\n\t\t\t\t\told_dir_page, new_dir);\n\telse\n\t\tf2fs_put_page(old_dir_page, 0);\n\nYou want correct inumber in the \"..\" link.  And cross-directory\nrename does move the source to new parent, even if you'd been asked\nto leave a whiteout in the old place.\n\n[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/\n\nWith below testcase, it may cause dirent corruption, due to it missed\nto call f2fs_set_link() to update \"..\" link to new directory.\n- mkdir -p dir/foo\n- renameat2 -w dir/foo bar\n\n[ASSERT] (__chk_dots_dentries:1421)  --> Bad inode number[0x4] for '..', parent parent ino is [0x3]\n[FSCK] other corrupted bugs                           [Fail]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52444",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52445",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a race condition between btf_put() and map_free()\n\nWhen running `./test_progs -j` in my local vm with latest kernel,\nI once hit a kasan error like below:\n\n  [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8/0x2b0\n  [ 1887.185599] Read of size 4 at addr ffff888106806910 by task kworker/u12:2/2830\n  [ 1887.186498]\n  [ 1887.186712] CPU: 3 PID: 2830 Comm: kworker/u12:2 Tainted: G           OEL     6.7.0-rc3-00699-g90679706d486-dirty #494\n  [ 1887.188034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [ 1887.189618] Workqueue: events_unbound bpf_map_free_deferred\n  [ 1887.190341] Call Trace:\n  [ 1887.190666]  <TASK>\n  [ 1887.190949]  dump_stack_lvl+0xac/0xe0\n  [ 1887.191423]  ? nf_tcp_handle_invalid+0x1b0/0x1b0\n  [ 1887.192019]  ? panic+0x3c0/0x3c0\n  [ 1887.192449]  print_report+0x14f/0x720\n  [ 1887.192930]  ? preempt_count_sub+0x1c/0xd0\n  [ 1887.193459]  ? __virt_addr_valid+0xac/0x120\n  [ 1887.194004]  ? bpf_rb_root_free+0x1f8/0x2b0\n  [ 1887.194572]  kasan_report+0xc3/0x100\n  [ 1887.195085]  ? bpf_rb_root_free+0x1f8/0x2b0\n  [ 1887.195668]  bpf_rb_root_free+0x1f8/0x2b0\n  [ 1887.196183]  ? __bpf_obj_drop_impl+0xb0/0xb0\n  [ 1887.196736]  ? preempt_count_sub+0x1c/0xd0\n  [ 1887.197270]  ? preempt_count_sub+0x1c/0xd0\n  [ 1887.197802]  ? _raw_spin_unlock+0x1f/0x40\n  [ 1887.198319]  bpf_obj_free_fields+0x1d4/0x260\n  [ 1887.198883]  array_map_free+0x1a3/0x260\n  [ 1887.199380]  bpf_map_free_deferred+0x7b/0xe0\n  [ 1887.199943]  process_scheduled_works+0x3a2/0x6c0\n  [ 1887.200549]  worker_thread+0x633/0x890\n  [ 1887.201047]  ? __kthread_parkme+0xd7/0xf0\n  [ 1887.201574]  ? kthread+0x102/0x1d0\n  [ 1887.202020]  kthread+0x1ab/0x1d0\n  [ 1887.202447]  ? pr_cont_work+0x270/0x270\n  [ 1887.202954]  ? kthread_blkcg+0x50/0x50\n  [ 1887.203444]  ret_from_fork+0x34/0x50\n  [ 1887.203914]  ? kthread_blkcg+0x50/0x50\n  [ 1887.204397]  ret_from_fork_asm+0x11/0x20\n  [ 1887.204913]  </TASK>\n  [ 1887.204913]  </TASK>\n  [ 1887.205209]\n  [ 1887.205416] Allocated by task 2197:\n  [ 1887.205881]  kasan_set_track+0x3f/0x60\n  [ 1887.206366]  __kasan_kmalloc+0x6e/0x80\n  [ 1887.206856]  __kmalloc+0xac/0x1a0\n  [ 1887.207293]  btf_parse_fields+0xa15/0x1480\n  [ 1887.207836]  btf_parse_struct_metas+0x566/0x670\n  [ 1887.208387]  btf_new_fd+0x294/0x4d0\n  [ 1887.208851]  __sys_bpf+0x4ba/0x600\n  [ 1887.209292]  __x64_sys_bpf+0x41/0x50\n  [ 1887.209762]  do_syscall_64+0x4c/0xf0\n  [ 1887.210222]  entry_SYSCALL_64_after_hwframe+0x63/0x6b\n  [ 1887.210868]\n  [ 1887.211074] Freed by task 36:\n  [ 1887.211460]  kasan_set_track+0x3f/0x60\n  [ 1887.211951]  kasan_save_free_info+0x28/0x40\n  [ 1887.212485]  ____kasan_slab_free+0x101/0x180\n  [ 1887.213027]  __kmem_cache_free+0xe4/0x210\n  [ 1887.213514]  btf_free+0x5b/0x130\n  [ 1887.213918]  rcu_core+0x638/0xcc0\n  [ 1887.214347]  __do_softirq+0x114/0x37e\n\nThe error happens at bpf_rb_root_free+0x1f8/0x2b0:\n\n  00000000000034c0 <bpf_rb_root_free>:\n  ; {\n    34c0: f3 0f 1e fa                   endbr64\n    34c4: e8 00 00 00 00                callq   0x34c9 <bpf_rb_root_free+0x9>\n    34c9: 55                            pushq   %rbp\n    34ca: 48 89 e5                      movq    %rsp, %rbp\n  ...\n  ;       if (rec && rec->refcount_off >= 0 &&\n    36aa: 4d 85 ed                      testq   %r13, %r13\n    36ad: 74 a9                         je      0x3658 <bpf_rb_root_free+0x198>\n    36af: 49 8d 7d 10                   leaq    0x10(%r13), %rdi\n    36b3: e8 00 00 00 00                callq   0x36b8 <bpf_rb_root_free+0x1f8>\n                                        <==== kasan function\n    36b8: 45 8b 7d 10                   movl    0x10(%r13), %r15d\n                                        <==== use-after-free load\n    36bc: 45 85 ff                      testl   %r15d, %r15d\n    36bf: 78 8c                         js      0x364d <bpf_rb_root_free+0x18d>\n\nSo the problem \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52446",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer the free of inner map when necessary\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52447",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\n\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating\nrgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52448",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\n\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n\u2018gluebi->desc\u2019 in gluebi_read().\n\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\n\nDetailed reproduction information available at the Link [1],\n\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\n\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()\n\nGet logical socket id instead of physical id in discover_upi_topology()\nto avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line\nthat leads to NULL pointer dereference in upi_fill_topology()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52450",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/memhp: Fix access beyond end of drmem array\n\ndlpar_memory_remove_by_index() may access beyond the bounds of the\ndrmem lmb array when the LMB lookup fails to match an entry with the\ngiven DRC index. When the search fails, the cursor is left pointing to\n&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the\nlast valid entry in the array. The debug message at the end of the\nfunction then dereferences this pointer:\n\n        pr_debug(\"Failed to hot-remove memory at %llx\\n\",\n                 lmb->base_addr);\n\nThis was found by inspection and confirmed with KASAN:\n\n  pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658\n  Read of size 8 at addr c000000364e97fd0 by task bash/949\n\n  dump_stack_lvl+0xa4/0xfc (unreliable)\n  print_report+0x214/0x63c\n  kasan_report+0x140/0x2e0\n  __asan_load8+0xa8/0xe0\n  dlpar_memory+0x298/0x1658\n  handle_dlpar_errorlog+0x130/0x1d0\n  dlpar_store+0x18c/0x3e0\n  kobj_attr_store+0x68/0xa0\n  sysfs_kf_write+0xc4/0x110\n  kernfs_fop_write_iter+0x26c/0x390\n  vfs_write+0x2d4/0x4e0\n  ksys_write+0xac/0x1a0\n  system_call_exception+0x268/0x530\n  system_call_vectored_common+0x15c/0x2ec\n\n  Allocated by task 1:\n   kasan_save_stack+0x48/0x80\n   kasan_set_track+0x34/0x50\n   kasan_save_alloc_info+0x34/0x50\n   __kasan_kmalloc+0xd0/0x120\n   __kmalloc+0x8c/0x320\n   kmalloc_array.constprop.0+0x48/0x5c\n   drmem_init+0x2a0/0x41c\n   do_one_initcall+0xe0/0x5c0\n   kernel_init_freeable+0x4ec/0x5a0\n   kernel_init+0x30/0x1e0\n   ret_from_kernel_user_thread+0x14/0x1c\n\n  The buggy address belongs to the object at c000000364e80000\n   which belongs to the cache kmalloc-128k of size 131072\n  The buggy address is located 0 bytes to the right of\n   allocated 98256-byte region [c000000364e80000, c000000364e97fd0)\n\n  ==================================================================\n  pseries-hotplug-mem: Failed to hot-remove memory at 0\n\nLog failed lookups with a separate message and dereference the\ncursor only when it points to a valid entry.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52451",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to also run unprivileged, in which case the old behavior\npersists. One test couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume\n\nWhen the optional PRE_COPY support was added to speed up the device\ncompatibility check, it failed to update the saving/resuming data\npointers based on the fd offset. This results in migration data\ncorruption and when the device gets started on the destination the\nfollowing error is reported in some cases,\n\n[  478.907684] arm-smmu-v3 arm-smmu-v3.2.auto: event 0x10 received:\n[  478.913691] arm-smmu-v3 arm-smmu-v3.2.auto:  0x0000310200000010\n[  478.919603] arm-smmu-v3 arm-smmu-v3.2.auto:  0x000002088000007f\n[  478.925515] arm-smmu-v3 arm-smmu-v3.2.auto:  0x0000000000000000\n[  478.931425] arm-smmu-v3 arm-smmu-v3.2.auto:  0x0000000000000000\n[  478.947552] hisi_zip 0000:31:00.0: qm_axi_rresp [error status=0x1] found\n[  478.955930] hisi_zip 0000:31:00.0: qm_db_timeout [error status=0x400] found\n[  478.955944] hisi_zip 0000:31:00.0: qm sq doorbell timeout in function 2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52453",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52454",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52455",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: fix tx statemachine deadlock\n\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. After that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\n\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52456",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed\n\nReturning an error code from .remove() makes the driver core emit the\nlittle helpful error message:\n\n\tremove callback returned a non-zero value. This will be ignored.\n\nand then remove the device anyhow. So all resources that were not freed\nare leaked in this case. Skipping serial8250_unregister_port() has the\npotential to keep enough of the UART around to trigger a use-after-free.\n\nSo replace the error return (and with it the little helpful error\nmessage) by a more useful error message and continue to cleanup.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52457",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: add check that partition length needs to be aligned with block size\n\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size may not be a multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size. If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52458",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix duplicated list deletion\n\nThe list deletion call dropped here is already called from the\nhelper function in the line before. Having a second list_del()\ncall results in either a warning (with CONFIG_DEBUG_LIST=y):\n\nlist_del corruption, c46c8198->next is LIST_POISON1 (00000100)\n\nIf CONFIG_DEBUG_LIST is disabled the operation results in a\nkernel error due to NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52459",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference at hibernate\n\nDuring hibernate sequence the source context might not have a clk_mgr.\nSo don't use it to look for DML2 support.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52460",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix bounds limiting when given a malformed entity\n\nIf we're given a malformed entity in drm_sched_entity_init()--shouldn't\nhappen, but we verify--with out-of-bounds priority value, we set it to an\nallowed value. Fix the expression which sets this limit.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52461",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix check for attempt to corrupt spilled pointer\n\nWhen register is spilled onto a stack as a 1/2/4-byte register, we set\nslot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,\ndepending on actual spill size). So to check if some stack slot has\nspilled register we need to consult slot_type[7], not slot_type[0].\n\nTo avoid the need to remember and double-check this in the future, just\nuse is_spilled_reg() helper.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52462",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: force RO when remounting if SetVariable is not supported\n\nIf SetVariable at runtime is not supported by the firmware we never assign\na callback for that function. At the same time mount the efivarfs as\nRO so no one can call that.  However, we never check the permission flags\nwhen someone remounts the filesystem as RW. As a result this leads to a\ncrash looking like this:\n\n$ mount -o remount,rw /sys/firmware/efi/efivars\n$ efi-updatevar -f PK.auth PK\n\n[  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  303.280482] Mem abort info:\n[  303.280854]   ESR = 0x0000000086000004\n[  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits\n[  303.282016]   SET = 0, FnV = 0\n[  303.282414]   EA = 0, S1PTW = 0\n[  303.282821]   FSC = 0x04: level 0 translation fault\n[  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\n[  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n[  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\n[  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\n[  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\n[  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  303.292123] pc : 0x0\n[  303.292443] lr : efivar_set_variable_locked+0x74/0xec\n[  303.293156] sp : ffff800008673c10\n[  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\n[  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\n[  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\n[  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\n[  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\n[  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\n[  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\n[  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\n[  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\n[  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\n[  303.303341] Call trace:\n[  303.303679]  0x0\n[  303.303938]  efivar_entry_set_get_size+0x98/0x16c\n[  303.304585]  efivarfs_file_write+0xd0/0x1a4\n[  303.305148]  vfs_write+0xc4/0x2e4\n[  303.305601]  ksys_write+0x70/0x104\n[  303.306073]  __arm64_sys_write+0x1c/0x28\n[  303.306622]  invoke_syscall+0x48/0x114\n[  303.307156]  el0_svc_common.constprop.0+0x44/0xec\n[  303.307803]  do_el0_svc+0x38/0x98\n[  303.308268]  el0_svc+0x2c/0x84\n[  303.308702]  el0t_64_sync_handler+0xf4/0x120\n[  303.309293]  el0t_64_sync+0x190/0x194\n[  303.309794] Code: ???????? ???????? ???????? ???????? (????????)\n[  303.310612] ---[ end trace 0000000000000000 ]---\n\nFix this by adding a .reconfigure() function to the fs operations which\nwe can use to check the requested flags and deny anything that's not RO\nif the firmware doesn't implement SetVariable at runtime.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52463",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/thunderx: Fix possible out-of-bounds string access\n\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\n\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n\n   ...\n\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\n\nChange it to strlcat().\n\n  [ bp: Trim compiler output, fixup commit message. ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52464",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: Fix null pointer dereference in smb2_probe\n\ndevm_kasprintf and devm_kzalloc return a pointer to dynamically\nallocated memory which can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52465",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52467",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix use-after-free in class_register()\n\nThe lock_class_key is still registered and can be found in\nlock_keys_hash hlist after subsys_private is freed in error\nhandler path.A task who iterate over the lock_keys_hash\nlater may cause use-after-free.So fix that up and unregister\nthe lock_class_key before kfree(cp).\n\nOn our platform, a driver fails to kset_register because of\ncreating duplicate filename '/class/xxx'.With Kasan enabled,\nit prints a invalid-access bug report.\n\nKASAN bug report:\n\nBUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc\nWrite of size 8 at addr 15ffff808b8c0368 by task modprobe/252\nPointer tag: [15], memory tag: [fe]\n\nCPU: 7 PID: 252 Comm: modprobe Tainted: G        W\n 6.6.0-mainline-maybe-dirty #1\n\nCall trace:\ndump_backtrace+0x1b0/0x1e4\nshow_stack+0x2c/0x40\ndump_stack_lvl+0xac/0xe0\nprint_report+0x18c/0x4d8\nkasan_report+0xe8/0x148\n__hwasan_store8_noabort+0x88/0x98\nlockdep_register_key+0x19c/0x1bc\nclass_register+0x94/0x1ec\ninit_module+0xbc/0xf48 [rfkill]\ndo_one_initcall+0x17c/0x72c\ndo_init_module+0x19c/0x3f8\n...\nMemory state around the buggy address:\nffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a\nffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe\n>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\n                                     ^\nffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03\n\nAs CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access\nnot use-after-free here.In this case, modprobe is manipulating\nthe corrupted lock_keys_hash hlish where lock_class_key is already\nfreed before.\n\nIt's worth noting that this only can happen if lockdep is enabled,\nwhich is not true for normal system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52468",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\n\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\n\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\n\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52469",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check the alloc_workqueue return value in radeon_crtc_init()\n\ncheck the alloc_workqueue return value in radeon_crtc_init()\nto avoid null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52470",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix some null pointer dereference issues in ice_ptp.c\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52471",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rsa - add a check for allocation failure\n\nStatic checkers insist that the mpi_alloc() allocation can fail so add\na check to prevent a NULL dereference.  Small allocations like this\ncan't actually fail in current kernels, but adding a check is very\nsimple and makes the static checkers happy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52472",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix NULL pointer dereference in zone registration error path\n\nIf device_register() in thermal_zone_device_register_with_trips()\nreturns an error, the tz variable is set to NULL and subsequently\ndereferenced in kfree(tz->tzp).\n\nCommit adc8749b150c (\"thermal/drivers/core: Use put_device() if\ndevice_register() fails\") added the tz = NULL assignment in question to\navoid a possible double-free after dropping the reference to the zone\ndevice.  However, after commit 4649620d9404 (\"thermal: core: Make\nthermal_zone_device_unregister() return after freeing the zone\"), that\nassignment has become redundant, because dropping the reference to the\nzone device does not cause the zone object to be freed any more.\n\nDrop it to address the NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52473",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests\n\nhfi1 user SDMA request processing has two bugs that can cause data\ncorruption for user SDMA requests that have multiple payload iovecs\nwhere an iovec other than the tail iovec does not run up to the page\nboundary for the buffer pointed to by that iovec.a\n\nHere are the specific bugs:\n1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len.\n   Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec\n   to the packet, even if some of those bytes are past\n   iovec->iov.iov_len and are thus not intended to be in the packet.\n2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the\n   next iovec in user_sdma_request->iovs when the current iovec\n   is not PAGE_SIZE and does not contain enough data to complete the\n   packet. The transmitted packet will contain the wrong data from the\n   iovec pages.\n\nThis has not been an issue with SDMA packets from hfi1 Verbs or PSM2\nbecause they only produce iovecs that end short of PAGE_SIZE as the tail\niovec of an SDMA request.\n\nFixing these bugs exposes other bugs with the SDMA pin cache\n(struct mmu_rb_handler) that get in way of supporting user SDMA requests\nwith multiple payload iovecs whose buffers do not end at PAGE_SIZE. So\nthis commit fixes those issues as well.\n\nHere are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec\npayload user SDMA requests can hit:\n1. Overlapping memory ranges in mmu_rb_handler will result in duplicate\n   pinnings.\n2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node),\n   the mmu_rb code (1) removes the existing entry under a lock, (2)\n   releases that lock, pins the new pages, (3) then reacquires the lock\n   to insert the extended mmu_rb_node.\n\n   If someone else comes in and inserts an overlapping entry between (2)\n   and (3), insert in (3) will fail.\n\n   The failure path code in this case unpins _all_ pages in either the\n   original mmu_rb_node or the new mmu_rb_node that was inserted between\n   (2) and (3).\n3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is\n   incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node\n   could be evicted by another thread that gets mmu_rb_handler->lock and\n   checks mmu_rb_node->refcount before mmu_rb_node->refcount is\n   incremented.\n4. Related to #2 above, SDMA request submission failure path does not\n   check mmu_rb_node->refcount before freeing mmu_rb_node object.\n\n   If there are other SDMA requests in progress whose iovecs have\n   pointers to the now-freed mmu_rb_node(s), those pointers to the\n   now-freed mmu_rb nodes will be dereferenced when those SDMA requests\n   complete.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52474",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-52475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/lbr: Filter vsyscall addresses\n\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\n\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\n\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\n\n    peek_nbyte_next(insn_byte_t, insn, i)\n\nWithin this macro, this dereference occurs:\n\n    (insn)->next_byte\n\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\n\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: hub: Guard against accesses to uninitialized BOS descriptors\n\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\n\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Fix kernel crash on receiver USB disconnect\n\nhidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)\nraces when it races with itself.\n\nhidpp_connect_event() primarily runs from a workqueue but it also runs\non probe() and if a \"device-connected\" packet is received by the hw\nwhen the thread running hidpp_connect_event() from probe() is waiting on\nthe hw, then a second thread running hidpp_connect_event() will be\nstarted from the workqueue.\n\nThis opens the following races (note the below code is simplified):\n\n1. Retrieving + printing the protocol (harmless race):\n\n\tif (!hidpp->protocol_major) {\n\t\thidpp_root_get_protocol_version()\n\t\thidpp->protocol_major = response.rap.params[0];\n\t}\n\nWe can actually see this race hit in the dmesg in the abrt output\nattached to rhbz#2227968:\n\n[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.\n\nTesting with extra logging added has shown that after this the 2 threads\ntake turn grabbing the hw access mutex (send_mutex) so they ping-pong\nthrough all the other TOCTOU cases managing to hit all of them:\n\n2. Updating the name to the HIDPP name (harmless race):\n\n\tif (hidpp->name == hdev->name) {\n\t\t...\n\t\thidpp->name = new_name;\n\t}\n\n3. Initializing the power_supply class for the battery (problematic!):\n\nhidpp_initialize_battery()\n{\n        if (hidpp->battery.ps)\n                return 0;\n\n\tprobe_battery(); /* Blocks, threads take turns executing this */\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t   &hidpp->battery.desc, cfg);\n}\n\n4. Creating delayed input_device (potentially problematic):\n\n\tif (hidpp->delayed_input)\n\t\treturn;\n\n\thidpp->delayed_input = hidpp_allocate_input(hdev);\n\nThe really big problem here is 3. Hitting the race leads to the following\nsequence:\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t   &hidpp->battery.desc, cfg);\n\n\t...\n\n\thidpp->battery.desc.properties =\n\t\tdevm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);\n\n\thidpp->battery.ps =\n\t\tdevm_power_supply_register(&hidpp->hid_dev->dev,\n\t\t\t\t\t   &hidpp->battery.desc, cfg);\n\nSo now we have registered 2 power supplies for the same battery,\nwhich looks a bit weird from userspace's pov but this is not even\nthe really big problem.\n\nNotice how:\n\n1. This is all devm-maganaged\n2. The hidpp->battery.desc struct is shared between the 2 power supplies\n3. hidpp->battery.desc.properties points to the result from the second\n   devm_kmemdup()\n\nThis causes a use after free scenario on USB disconnect of the receiver:\n1. The last registered power supply class device gets unregistered\n2. The memory from the last devm_kmemdup() call gets freed,\n   hidpp->battery.desc.properties now points to freed memory\n3. The first registered power supply class device gets unregistered,\n   this involves sending a remove uevent to userspace which invokes\n   power_supply_uevent() to fill the uevent data\n4. power_supply_uevent() uses hidpp->battery.desc.properties which\n   now points to freed memory leading to backtraces like this one:\n\nSep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08\n...\nSep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event\nSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0\n...\nSep 22 20:01:35 eric kernel:  ? asm_exc_page_fault+0x26/0x30\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0xee/0x1d0\nSep 22 20:01:35 eric kernel:  ? power_supply_uevent+0x10d/0x1d0\nSep 22 20:01:35 eric kernel:  dev_uevent+0x10f/0x2d0\nSep 22 20:01:35 eric kernel:  kobject_uevent_env+0x291/0x680\nSep 22 20:01:35 eric kernel:  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix uaf in smb20_oplock_break_ack\n\ndrop reference after use opinfo.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix race condition between session lookup and expire\n\n Thread A                        +  Thread B\n ksmbd_session_lookup            |  smb2_sess_setup\n   sess = xa_load                |\n                                 |\n                                 |    xa_erase(&conn->sessions, sess->id);\n                                 |\n                                 |    ksmbd_session_destroy(sess) --> kfree(sess)\n                                 |\n   // UAF!                       |\n   sess->last_active = jiffies   |\n                                 +\n\nThis patch add rwsem to fix race condition between ksmbd_session_lookup\nand ksmbd_expire_session.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52480",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add Cortex-A520 speculative unprivileged load workaround\n\nImplement the workaround for ARM Cortex-A520 erratum 2966298. On an\naffected Cortex-A520 core, a speculatively executed unprivileged load\nmight leak data from a privileged load via a cache side channel. The\nissue only exists for loads within a translation regime with the same\ntranslation (e.g. same ASID and VMID). Therefore, the issue only affects\nthe return to EL0.\n\nThe workaround is to execute a TLBI before returning to EL0 after all\nloads of privileged data. A non-shareable TLBI to any address is\nsufficient.\n\nThe workaround isn't necessary if page table isolation (KPTI) is\nenabled, but for simplicity it will be. Page table isolation should\nnormally be disabled for Cortex-A520 as it supports the CSV3 feature\nand the E0PD feature (used when KASLR is enabled).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/srso: Add SRSO mitigation for Hygon processors\n\nAdd mitigation for the speculative return stack overflow vulnerability\nwhich exists on Hygon processors too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52482",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net's route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net->mctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo <rootlab@huawei.com>, where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\n\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\n\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\n\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\n\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\n\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\n\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\n\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52486",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix peer flow lists handling\n\nThe cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP\nflag when list of peer flows has become empty. However, if any concurrent\nuser holds a reference to a peer flow (for example, the neighbor update\nworkqueue task is updating peer flow's parent encap entry concurrently),\nthen the flow will not be removed from the peer list and, consecutively,\nDUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls\nmlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm\nwill try to remove the flow from eswitch instances that it has never peered\nwith causing either NULL pointer dereference when trying to remove the flow\npeer list head of peer_index that was never initialized or a warning if the\nlist debug config is enabled[0].\n\nFix the issue by always removing the peer flow from the list even when not\nreleasing the last reference to it.\n\n[0]:\n\n[ 3102.985806] ------------[ cut here ]------------\n[ 3102.986223] list_del corruption, ffff888139110698->next is NULL\n[ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg\nss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding]\n[ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3\n[ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b\n[ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286\n[ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n[ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640\n[ 3102.997188] DEL flow 00000000be367878 on port 0\n[ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff\n[ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100\n[ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240\n[ 3103.000790] FS:  00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000\n[ 3103.001486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0\n[ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 3103.003787] Call Trace:\n[ 3103.004055]  <TASK>\n[ 3103.004297]  ? __warn+0x7d/0x130\n[ 3103.004623]  ? __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.005094]  ? report_bug+0xf1/0x1c0\n[ 3103.005439]  ? console_unlock+0x4a/0xd0\n[ 3103.005806]  ? handle_bug+0x3f/0x70\n[ 3103.006149]  ? exc_invalid_op+0x13/0x60\n[ 3103.006531]  ? asm_exc_invalid_op+0x16/0x20\n[ 3103.007430]  ? __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.007910]  mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core]\n[ 3103.008463]  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n[ 3103.008944]  mlx5e_flow_put+0x26/0x50 [mlx5_core]\n[ 3103.009401]  mlx5e_delete_flower+0x25f/0x380 [mlx5_core]\n[ 3103.009901]  tc_setup_cb_destroy+0xab/0x180\n[ 3103.010292]  fl_hw_destroy_filter+0x99/0xc0 [cls_flower]\n[ 3103.010779]  __fl_delete+0x2d4/0x2f0 [cls_flower]\n[ 3103.0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52487",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO\n\nThe SC16IS7XX IC supports a burst mode to access the FIFOs where the\ninitial register address is sent ($00), followed by all the FIFO data\nwithout having to resend the register address each time. In this mode, the\nIC doesn't increment the register address for each R/W byte.\n\nThe regmap_raw_read() and regmap_raw_write() are functions which can\nperform IO over multiple registers. They are currently used to read/write\nfrom/to the FIFO, and although they operate correctly in this burst mode on\nthe SPI bus, they would corrupt the regmap cache if it was not disabled\nmanually. The reason is that when the R/W size is more than 1 byte, these\nfunctions assume that the register address is incremented and handle the\ncache accordingly.\n\nConvert FIFO R/W functions to use the regmap _noinc_ versions in order to\nremove the manual cache control which was a workaround when using the\n_raw_ versions. FIFO registers are properly declared as volatile so\ncache will not be used/updated for FIFO accesses.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52488",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/sparsemem: fix race in accessing memory_section->usage\n\nThe below race is observed on a PFN which falls into the device memory\nregion with the system memory configuration where PFN's are such that\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL].  Since normal zone start and end\npfn contains the device memory PFN's as well, the compaction triggered\nwill try on the device memory PFN's too though they end up in NOP(because\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections).  When\nfrom other core, the section mappings are being removed for the\nZONE_DEVICE region, that the PFN in question belongs to, on which\ncompaction is currently being operated is resulting into the kernel crash\nwith CONFIG_SPASEMEM_VMEMAP enabled.  The crash logs can be seen at [1].\n\ncompact_zone()\t\t\tmemunmap_pages\n-------------\t\t\t---------------\n__pageblock_pfn_to_page\n   ......\n (a)pfn_valid():\n     valid_section()//return true\n\t\t\t      (b)__remove_pages()->\n\t\t\t\t  sparse_remove_section()->\n\t\t\t\t    section_deactivate():\n\t\t\t\t    [Free the array ms->usage and set\n\t\t\t\t     ms->usage = NULL]\n     pfn_section_valid()\n     [Access ms->usage which\n     is NULL]\n\nNOTE: From the above it can be said that the race is reduced to between\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\nSPASEMEM_VMEMAP enabled.\n\nThe commit b943f045a9af(\"mm/sparse: fix kernel crash with\npfn_section_valid check\") tried to address the same problem by clearing\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\nfalse thus ms->usage is not accessed.\n\nFix this issue by the below steps:\n\na) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.\n\nb) RCU protected read side critical section will either return NULL\n   when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.\n\nc) Free the ->usage with kfree_rcu() and set ms->usage = NULL.  No\n   attempt will be made to access ->usage after this as the\n   SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\n\nThanks to David/Pavan for their inputs on this patch.\n\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\n\nOn Snapdragon SoC, with the mentioned memory configuration of PFN's as\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\nissues daily while testing on a device farm.\n\nFor this particular issue below is the log.  Though the below log is\nnot directly pointing to the pfn_section_valid(){ ms->usage;}, when we\nloaded this dump on T32 lauterbach tool, it is pointing.\n\n[  540.578056] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n[  540.578068] Mem abort info:\n[  540.578070]   ESR = 0x0000000096000005\n[  540.578073]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  540.578077]   SET = 0, FnV = 0\n[  540.578080]   EA = 0, S1PTW = 0\n[  540.578082]   FSC = 0x05: level 1 translation fault\n[  540.578085] Data abort info:\n[  540.578086]   ISV = 0, ISS = 0x00000005\n[  540.578088]   CM = 0, WnR = 0\n[  540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\n[  540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\n[  540.579454] lr : compact_zone+0x994/0x1058\n[  540.579460] sp : ffffffc03579b510\n[  540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\n[  540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\n[  540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\n[  540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\n[  540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\n[  540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\n[  540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440\n[  540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\n[  540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: migrate: fix getting incorrect page mapping during page migration\n\nWhen running stress-ng testing, we found below kernel crash after a few hours:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\npc : dentry_name+0xd8/0x224\nlr : pointer+0x22c/0x370\nsp : ffff800025f134c0\n......\nCall trace:\n  dentry_name+0xd8/0x224\n  pointer+0x22c/0x370\n  vsnprintf+0x1ec/0x730\n  vscnprintf+0x2c/0x60\n  vprintk_store+0x70/0x234\n  vprintk_emit+0xe0/0x24c\n  vprintk_default+0x3c/0x44\n  vprintk_func+0x84/0x2d0\n  printk+0x64/0x88\n  __dump_page+0x52c/0x530\n  dump_page+0x14/0x20\n  set_migratetype_isolate+0x110/0x224\n  start_isolate_page_range+0xc4/0x20c\n  offline_pages+0x124/0x474\n  memory_block_offline+0x44/0xf4\n  memory_subsys_offline+0x3c/0x70\n  device_offline+0xf0/0x120\n  ......\n\nAfter analyzing the vmcore, I found this issue is caused by page migration.\nThe scenario is that, one thread is doing page migration, and we will use the\ntarget page's ->mapping field to save 'anon_vma' pointer between page unmap and\npage move, and now the target page is locked and refcount is 1.\n\nCurrently, there is another stress-ng thread performing memory hotplug,\nattempting to offline the target page that is being migrated. It discovers that\nthe refcount of this target page is 1, preventing the offline operation, thus\nproceeding to dump the page. However, page_mapping() of the target page may\nreturn an incorrect file mapping to crash the system in dump_mapping(), since\nthe target page->mapping only saves 'anon_vma' pointer without setting\nPAGE_MAPPING_ANON flag.\n\nThere are seveval ways to fix this issue:\n(1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving\n'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target\npage has not built mappings yet.\n(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing\nthe system, however, there are still some PFN walkers that call page_mapping()\nwithout holding the page lock, such as compaction.\n(3) Using target page->private field to save the 'anon_vma' pointer and 2 bits\npage state, just as page->mapping records an anonymous page, which can remove\nthe page_mapping() impact for PFN walkers and also seems a simple way.\n\nSo I choose option 3 to fix this issue, and this can also fix other potential\nissues for PFN walkers, such as compaction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52490",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\n\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\n\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\n\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\n\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\n\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\n\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52491",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fix NULL pointer in channel unregistration function\n\n__dma_async_device_channel_register() can fail. In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\n\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\n\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52492",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Drop chan lock before queuing buffers\n\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\n\n[mani: added fixes tag and cc'ed stable]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52493",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Add alignment check for event ring read pointer\n\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned.  Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\n\nSo add a alignment check for event ring read pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52494",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink_altmode: fix port sanity check\n\nThe PMIC GLINK altmode driver currently supports at most two ports.\n\nFix the incomplete port sanity check on notifications to avoid\naccessing and corrupting memory beyond the port array if we ever get a\nnotification for an unsupported port.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52495",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix lz4 inplace decompression\n\nCurrently EROFS can map another compressed buffer for inplace\ndecompression, that was used to handle the cases that some pages of\ncompressed data are actually not in-place I/O.\n\nHowever, like most simple LZ77 algorithms, LZ4 expects the compressed\ndata is arranged at the end of the decompressed buffer and it\nexplicitly uses memmove() to handle overlapping:\n  __________________________________________________________\n |_ direction of decompression --> ____ |_ compressed data _|\n\nAlthough EROFS arranges compressed data like this, it typically maps two\nindividual virtual buffers so the relative order is uncertain.\nPreviously, it was hardly observed since LZ4 only uses memmove() for\nshort overlapped literals and x86/arm64 memmove implementations seem to\ncompletely cover it up and they don't have this issue.  Juhyung reported\nthat EROFS data corruption can be found on a new Intel x86 processor.\nAfter some analysis, it seems that recent x86 processors with the new\nFSRM feature expose this issue with \"rep movsb\".\n\nLet's strictly use the decompressed buffer for lz4 inplace\ndecompression for now.  Later, as an useful improvement, we could try\nto tie up these two buffers together in the correct order.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52497",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: sleep: Fix possible deadlocks in core system-wide PM code\n\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld.  Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\n\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52498",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie reported that newer kernels were crashing during boot on his 476\nFSP2 system:\n\n  kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)\n  BUG: Unable to handle kernel instruction fetch\n  Faulting instruction address: 0xb7ee2000\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  BE PAGE_SIZE=4K FSP-2\n  Modules linked in:\n  CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1\n  Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2\n  NIP:\u00a0 b7ee2000 LR: 8c008000 CTR: 00000000\n  REGS: bffebd83 TRAP: 0400\u00a0\u00a0 Not tainted (6.1.55-d23900f.ppcnf-fs p2)\n  MSR:\u00a0 00000030 <IR,DR>\u00a0 CR: 00001000\u00a0 XER: 20000000\n  GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000\n  GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000\n  GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0\n  GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0\n  NIP [b7ee2000] 0xb7ee2000\n  LR [8c008000] 0x8c008000\n  Call Trace:\n  Instruction dump:\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n  ---[ end trace 0000000000000000 ]---\n\nThe problem is in ret_from_syscall where the check for\nicache_44x_need_flush is done. When the flush is needed the code jumps\nout-of-line to do the flush, and then intends to jump back to continue\nthe syscall return.\n\nHowever the branch back to label 1b doesn't return to the correct\nlocation, instead branching back just prior to the return to userspace,\ncausing bogus register values to be used by the rfi.\n\nThe breakage was introduced by commit 6f76a01173cc\n(\"powerpc/syscall: implement system call entry/exit logic in C for PPC32\") which\ninadvertently removed the \"1\" label and reused it elsewhere.\n\nFix it by adding named local labels in the correct locations. Note that\nthe return label needs to be outside the ifdef so that CONFIG_PPC_47x=n\ncompiles.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52499",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\n\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52500",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52501",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\n\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\n\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\n\nnfc_llcp_sock_get_sn() has a similar problem.\n\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52502",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\n\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\n\n    kref_put(&sess->refcount, destroy_session);\n\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\n\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52503",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/alternatives: Disable KASAN in apply_alternatives()\n\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\n\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\n\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\n\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\n\nFix it for real by disabling KASAN while the kernel is patching alternatives.\n\n[ mingo: updated the changelog ]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52504",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52505",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set all reserved memblocks on Node#0 at initialization\n\nAfter commit 61167ad5fecdea (\"mm: pass nid to reserve_bootmem_region()\")\nwe get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733\n[    0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90\n[    0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0\n[    0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000\n[    0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800\n[    0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20\n[    0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000\n[    0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000\n[    0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000\n[    0.000000]    ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c\n[    0.000000]   ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000000000002b82\n[    0.000000]  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00\n[    0.000000]         900000000470e000 90000000002c1918 0000000000000000 9000000004110780\n[    0.000000]         00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748\n[    0.000000]         0000000000000000 900000000421ca84 9000000004620000 9000000004564970\n[    0.000000]         90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000\n[    0.000000]         9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000\n[    0.000000]         0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918\n[    0.000000]         90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000\n[    0.000000]         90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c\n[    0.000000]         9000000004270008 0000000000000001 0000000000000000 90000000045ccd00\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [<90000000040e3f28>] reserve_bootmem_region+0xfc/0x21c\n[    0.000000] [<900000000421ca84>] memblock_free_all+0x114/0x350\n[    0.000000] [<9000000004218b2c>] mm_core_init+0x138/0x3cc\n[    0.000000] [<9000000004200e38>] start_kernel+0x488/0x7a4\n[    0.000000] [<90000000040df0d8>] kernel_entry+0xd8/0xdc\n[    0.000000]\n[    0.000000] Code: 02eb21ad  00410f4c  380c31ac <262b818d> 6800b70d  02c1c196  0015001c  57fe4bb1  260002cd\n\nThe reason is early memblock_reserve() in memblock_init() set node id to\nMAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain\nreserve_bootmem_region() -> init_reserved_page(). After memblock_init(),\nthose late calls of memblock_reserve() operate on subregions of memblock\n.memory regions. As a result, these reserved regions will be set to the\ncorrect node at the first iteration of memmap_init_reserved_pages().\n\nSo set all reserved memblocks on Node#0 at initialization can avoid this\npanic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52506",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: assert requested protocol is valid\n\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52507",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()\n\nThe nvme_fc_fcp_op structure describing an AEN operation is initialized with a\nnull request structure pointer. An FC LLDD may make a call to\nnvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation.\n\nAdd validation of the request structure pointer before dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52508",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52509",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52510",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: reduce DMA RX transfer width to single byte\n\nThrough empirical testing it has been determined that sometimes RX SPI\ntransfers with DMA enabled return corrupted data. This is down to single\nor even multiple bytes lost during DMA transfer from SPI peripheral to\nmemory. It seems the RX FIFO within the SPI peripheral can become\nconfused when performing bus read accesses wider than a single byte to it\nduring an active SPI transfer.\n\nThis patch reduces the width of individual DMA read accesses to the\nRX FIFO to a single byte to mitigate that issue.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52511",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: wpcm450: fix out of bounds write\n\nWrite into 'pctrl->gpio_bank' happens before the check for GPIO index\nvalidity, so out of bounds write may happen.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52512",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix connection failure handling\n\nIn case immediate MPA request processing fails, the newly\ncreated endpoint unlinks the listening endpoint and is\nready to be dropped. This special case was not handled\ncorrectly by the code handling the later TCP socket close,\ncausing a NULL dereference crash in siw_cm_work_handler()\nwhen dereferencing a NULL listener. We now also cancel\nthe useless MPA timeout, if immediate MPA request\nprocessing fails.\n\nThis patch furthermore simplifies MPA processing in general:\nScheduling a useless TCP socket read in sk_data_ready() upcall\nis now suppressed, if the socket is already moved out of\nTCP_ESTABLISHED state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52513",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Do not call scsi_done() from srp_abort()\n\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52515",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\n\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\n\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\n\nTrimmed-down lockdep splat:\n\n The existing dependency chain (in reverse order) is:\n\n               -> #2 (free_entries_lock){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        dma_entry_alloc+0x38/0x110\n        debug_dma_map_page+0x60/0xf8\n        dma_map_page_attrs+0x1e0/0x230\n        dma_map_single_attrs.constprop.0+0x6c/0xc8\n        geni_se_rx_dma_prep+0x40/0xcc\n        qcom_geni_serial_isr+0x310/0x510\n        __handle_irq_event_percpu+0x110/0x244\n        handle_irq_event_percpu+0x20/0x54\n        handle_irq_event+0x50/0x88\n        handle_fasteoi_irq+0xa4/0xcc\n        handle_irq_desc+0x28/0x40\n        generic_handle_domain_irq+0x24/0x30\n        gic_handle_irq+0xc4/0x148\n        do_interrupt_handler+0xa4/0xb0\n        el1_interrupt+0x34/0x64\n        el1h_64_irq_handler+0x18/0x24\n        el1h_64_irq+0x64/0x68\n        arch_local_irq_enable+0x4/0x8\n        ____do_softirq+0x18/0x24\n        ...\n\n               -> #1 (&port_lock_key){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        qcom_geni_serial_console_write+0x184/0x1dc\n        console_flush_all+0x344/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        register_console+0x230/0x38c\n        uart_add_one_port+0x338/0x494\n        qcom_geni_serial_probe+0x390/0x424\n        platform_probe+0x70/0xc0\n        really_probe+0x148/0x280\n        __driver_probe_device+0xfc/0x114\n        driver_probe_device+0x44/0x100\n        __device_attach_driver+0x64/0xdc\n        bus_for_each_drv+0xb0/0xd8\n        __device_attach+0xe4/0x140\n        device_initial_probe+0x1c/0x28\n        bus_probe_device+0x44/0xb0\n        device_add+0x538/0x668\n        of_device_add+0x44/0x50\n        of_platform_device_create_pdata+0x94/0xc8\n        of_platform_bus_create+0x270/0x304\n        of_platform_populate+0xac/0xc4\n        devm_of_platform_populate+0x60/0xac\n        geni_se_probe+0x154/0x160\n        platform_probe+0x70/0xc0\n        ...\n\n               -> #0 (console_owner){-...}-{0:0}:\n        __lock_acquire+0xdf8/0x109c\n        lock_acquire+0x234/0x284\n        console_flush_all+0x330/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        dma_entry_alloc+0xb4/0x110\n        debug_dma_map_sg+0xdc/0x2f8\n        __dma_map_sg_attrs+0xac/0xe4\n        dma_map_sgtable+0x30/0x4c\n        get_pages+0x1d4/0x1e4 [msm]\n        msm_gem_pin_pages_locked+0x38/0xac [msm]\n        msm_gem_pin_vma_locked+0x58/0x88 [msm]\n        msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n        drm_ioctl_kernel+0xe0/0x15c\n        drm_ioctl+0x2e8/0x3f4\n        vfs_ioctl+0x30/0x50\n        ...\n\n Chain exists of:\n   console_owner --> &port_lock_key --> free_entries_lock\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(free_entries_lock);\n                                lock(&port_lock_key);\n                                lock(free_entries_lock);\n   lock(console_owner);\n\n                *** DEADLOCK ***\n\n Call trace:\n  dump_backtrace+0xb4/0xf0\n  show_stack+0x20/0x30\n  dump_stack_lvl+0x60/0x84\n  dump_stack+0x18/0x24\n  print_circular_bug+0x1cc/0x234\n  check_noncircular+0x78/0xac\n  __lock_acquire+0xdf8/0x109c\n  lock_acquire+0x234/0x284\n  console_flush_all+0x330/0x454\n  consol\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52516",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52517",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_codec: Fix leaking content of local_codecs\n\nThe following memory leak can be observed when the controller supports\ncodecs which are stored in local_codecs list but the elements are never\nfreed:\n\nunreferenced object 0xffff88800221d840 (size 32):\n  comm \"kworker/u3:0\", pid 36, jiffies 4294898739 (age 127.060s)\n  hex dump (first 32 bytes):\n    f8 d3 02 03 80 88 ff ff 80 d8 21 02 80 88 ff ff  ..........!.....\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffffb324f557>] __kmalloc+0x47/0x120\n    [<ffffffffb39ef37d>] hci_codec_list_add.isra.0+0x2d/0x160\n    [<ffffffffb39ef643>] hci_read_codec_capabilities+0x183/0x270\n    [<ffffffffb39ef9ab>] hci_read_supported_codecs+0x1bb/0x2d0\n    [<ffffffffb39f162e>] hci_read_local_codecs_sync+0x3e/0x60\n    [<ffffffffb39ff1b3>] hci_dev_open_sync+0x943/0x11e0\n    [<ffffffffb396d55d>] hci_power_on+0x10d/0x3f0\n    [<ffffffffb30c99b4>] process_one_work+0x404/0x800\n    [<ffffffffb30ca134>] worker_thread+0x374/0x670\n    [<ffffffffb30d9108>] kthread+0x188/0x1c0\n    [<ffffffffb304db6b>] ret_from_fork+0x2b/0x50\n    [<ffffffffb300206a>] ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52518",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit\n\nThe EHL (Elkhart Lake) based platforms provide an OOB (Out of band)\nservice, which allows to wakeup device when the system is in S5 (Soft-Off\nstate). This OOB service can be enabled/disabled from BIOS settings. When\nenabled, the ISH device gets PME wake capability. To enable PME wakeup,\ndriver also needs to enable ACPI GPE bit.\n\nOn resume, BIOS will clear the wakeup bit. So driver needs to re-enable it\nin resume function to keep the next wakeup capability. But this BIOS\nclearing of wakeup bit doesn't decrement internal OS GPE reference count,\nso this reenabling on every resume will cause reference count to overflow.\n\nSo first disable and reenable ACPI GPE bit using acpi_disable_gpe().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52519",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(), a reference\nto that attribute is returned which needs to be disposed accordingly\nusing kobject_put(). Move the setting name validation into a separate\nfunction to allow for this change without having to duplicate the\ncleanup code for this setting.\nAs a side note, a very similar bug was fixed in\ncommit 7295a996fdab (\"platform/x86: dell-sysman: Fix reference leak\"),\nso it seems that the bug was copied from that driver.\n\nCompile-tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52520",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix possible store tearing in neigh_periodic_work()\n\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\n\nReaders use rcu_dereference(*np); we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\n\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52522",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets\n\nWith a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages\nsent from one TCP socket (s1) to actually egress from another TCP\nsocket (s2):\n\ntcp_bpf_sendmsg(s1)\t\t// = sk_prot->sendmsg\n  tcp_bpf_send_verdict(s1)\t// __SK_REDIRECT case\n    tcp_bpf_sendmsg_redir(s2)\n      tcp_bpf_push_locked(s2)\n\ttcp_bpf_push(s2)\n\t  tcp_rate_check_app_limited(s2) // expects tcp_sock\n\t  tcp_sendmsg_locked(s2)\t // ditto\n\nThere is a hard-coded assumption in the call-chain, that the egress\nsocket (s2) is a TCP socket.\n\nHowever in commit 122e6c79efe1 (\"sock_map: Update sock type checks for\nUDP\") we have enabled redirects to non-TCP sockets. This was done for the\nsake of BPF sk_skb programs. There was no intention to support sk_msg\nsend-to-egress use case.\n\nAs a result, attempts to send-to-egress through a non-TCP socket lead to a\ncrash due to invalid downcast from sock to tcp_sock:\n\n BUG: kernel NULL pointer dereference, address: 000000000000002f\n ...\n Call Trace:\n  <TASK>\n  ? show_regs+0x60/0x70\n  ? __die+0x1f/0x70\n  ? page_fault_oops+0x80/0x160\n  ? do_user_addr_fault+0x2d7/0x800\n  ? rcu_is_watching+0x11/0x50\n  ? exc_page_fault+0x70/0x1c0\n  ? asm_exc_page_fault+0x27/0x30\n  ? tcp_tso_segs+0x14/0xa0\n  tcp_write_xmit+0x67/0xce0\n  __tcp_push_pending_frames+0x32/0xf0\n  tcp_push+0x107/0x140\n  tcp_sendmsg_locked+0x99f/0xbb0\n  tcp_bpf_push+0x19d/0x3a0\n  tcp_bpf_sendmsg_redir+0x55/0xd0\n  tcp_bpf_send_verdict+0x407/0x550\n  tcp_bpf_sendmsg+0x1a1/0x390\n  inet_sendmsg+0x6a/0x70\n  sock_sendmsg+0x9d/0xc0\n  ? sockfd_lookup_light+0x12/0x80\n  __sys_sendto+0x10e/0x160\n  ? syscall_enter_from_user_mode+0x20/0x60\n  ? __this_cpu_preempt_check+0x13/0x20\n  ? lockdep_hardirqs_on+0x82/0x110\n  __x64_sys_sendto+0x1f/0x30\n  do_syscall_64+0x38/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nReject selecting a non-TCP socket as redirect target from a BPF sk_msg\nprogram to prevent the crash. When attempted, the user will receive an EACCES\nerror from send/sendto/sendmsg() syscall.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52523",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: llcp: Add lock when modifying device list\n\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52524",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet\n\nOnly skip the code path trying to access the rfc1042 headers when the\nbuffer is too small, so the driver can still process packets without\nrfc1042 headers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52525",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5.7"
        },
        {
          "id": "CVE-2023-52526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix memory leak of LZMA global compressed deduplication\n\nWhen stressing microLZMA EROFS images with the new global compressed\ndeduplication feature enabled (`-Ededupe`), I found some short-lived\ntemporary pages weren't properly released, which could slowly cause\nunexpected OOMs hours later.\n\nLet's fix it now (LZ4 and DEFLATE don't have this issue.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52526",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()\n\nIncluding the transhdrlen in length is a problem when the packet is\npartially filled (e.g. something like send(MSG_MORE) happened previously)\nwhen appending to an IPv4 or IPv6 packet as we don't want to repeat the\ntransport header or account for it twice.  This can happen under some\ncircumstances, such as splicing into an L2TP socket.\n\nThe symptom observed is a warning in __ip6_append_data():\n\n    WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800\n\nthat occurs when MSG_SPLICE_PAGES is used to append more data to an already\npartially occupied skbuff.  The warning occurs when 'copy' is larger than\nthe amount of data in the message iterator.  This is because the requested\nlength includes the transport header length when it shouldn't.  This can be\ntriggered by, for example:\n\n        sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);\n        bind(sfd, ...); // ::1\n        connect(sfd, ...); // ::1 port 7\n        send(sfd, buffer, 4100, MSG_MORE);\n        sendfile(sfd, dfd, NULL, 1024);\n\nFix this by only adding transhdrlen into the length if the write queue is\nempty in l2tp_ip6_sendmsg(), analogously to how UDP does things.\n\nl2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds\nthe UDP packet itself.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52527",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\n\nsyzbot reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\n\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n\nThis issue is caused because usbnet_read_cmd() reads fewer bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\n\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nfewer bytes than requested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52528",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: sony: Fix a potential memory leak in sony_probe()\n\nIf an error occurs after a successful usb_alloc_urb() call, usb_free_urb()\nshould be called.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52529",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix potential key use-after-free\n\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52530",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix a memory corruption issue\n\nA few lines above, space is kzalloc()'ed for:\n\tsizeof(struct iwl_nvm_data) +\n\tsizeof(struct ieee80211_channel) +\n\tsizeof(struct ieee80211_rate)\n\n'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.\n\nAt the end of this structure, there is the 'channels' flex array.\nEach element is of type 'struct ieee80211_channel'.\nSo only 1 element is allocated in this array.\n\nWhen doing:\n  mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;\nWe point at the first element of the 'channels' flex array.\nSo this is fine.\n\nHowever, when doing:\n  mvm->nvm_data->bands[0].bitrates =\n\t\t\t(void *)((u8 *)mvm->nvm_data->channels + 1);\nbecause of the \"(u8 *)\" cast, we add only 1 to the address of the beginning\nof the flex array.\n\nIt is likely that we want to point at the 'struct ieee80211_rate' allocated\njust after.\n\nRemove the spurious casting so that the pointer arithmetic works as\nexpected.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52531",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix TX CQE error handling\n\nFor an unknown TX CQE error type (probably from a newer hardware),\nstill free the SKB, update the queue tail, etc., otherwise the\naccounting will be wrong.\n\nAlso, TX errors can be triggered by injecting corrupted packets, so\nreplace the WARN_ONCE with ratelimited error logging.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52532",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspend()\n\nThe iommu_suspend() syscore suspend callback is invoked with IRQ disabled.\nAllocating memory with the GFP_KERNEL flag may re-enable IRQs during\nthe suspend callback, which can cause intermittent suspend/hibernation\nproblems with the following kernel traces:\n\nCalling iommu_suspend+0x0/0x1d0\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 15 at kernel/time/timekeeping.c:868 ktime_get+0x9b/0xb0\n...\nCPU: 0 PID: 15 Comm: rcu_preempt Tainted: G     U      E      6.3-intel #r1\nRIP: 0010:ktime_get+0x9b/0xb0\n...\nCall Trace:\n <IRQ>\n tick_sched_timer+0x22/0x90\n ? __pfx_tick_sched_timer+0x10/0x10\n __hrtimer_run_queues+0x111/0x2b0\n hrtimer_interrupt+0xfa/0x230\n __sysvec_apic_timer_interrupt+0x63/0x140\n sysvec_apic_timer_interrupt+0x7b/0xa0\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1f/0x30\n...\n------------[ cut here ]------------\nInterrupts enabled after iommu_suspend+0x0/0x1d0\nWARNING: CPU: 0 PID: 27420 at drivers/base/syscore.c:68 syscore_suspend+0x147/0x270\nCPU: 0 PID: 27420 Comm: rtcwake Tainted: G     U  W   E      6.3-intel #r1\nRIP: 0010:syscore_suspend+0x147/0x270\n...\nCall Trace:\n <TASK>\n hibernation_snapshot+0x25b/0x670\n hibernate+0xcd/0x390\n state_store+0xcf/0xe0\n kobj_attr_store+0x13/0x30\n sysfs_kf_write+0x3f/0x50\n kernfs_fop_write_iter+0x128/0x200\n vfs_write+0x1fd/0x3c0\n ksys_write+0x6f/0xf0\n __x64_sys_write+0x1d/0x30\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nGiven that only 4 words of memory are needed, avoid the memory allocation in\niommu_suspend().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\n\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\n\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed.  And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\n\nSo use damon_destroy_target to free all the damon_regions and damon_target.\n\n    unreferenced object 0xffff888107c9a940 (size 64):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff  `...............\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079cc740 (size 56):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 
6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff888107c9ac40 (size 64):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff  ........x.v.....\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079ccc80 (size 56):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] 
kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\n\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\n\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()\n\nAfter the commit in Fixes:, if a module that created a slab cache does not\nrelease all of its allocated objects before destroying the cache (at rmmod\ntime), we might end up releasing the kmem_cache object without removing it\nfrom the slab_caches list thus corrupting the list as kmem_cache_destroy()\nignores the return value from shutdown_cache(), which in turn never removes\nthe kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails\nto release all of the cache's slabs.\n\nThis is easily observable on a kernel built with CONFIG_DEBUG_LIST=y\nas after that ill release the system will immediately trip on list_add,\nor list_del, assertions similar to the one shown below as soon as another\nkmem_cache gets created, or destroyed:\n\n  [ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n  [ 1041.219165] ------------[ cut here ]------------\n  [ 1041.221517] kernel BUG at lib/list_debug.c:62!\n  [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15\n  [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n  [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\n\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n\n  [   50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n  [   50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15\n  [   50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n  [   50.972663] RIP: 0010:get_slabinfo+0x42/0xf0\n\nThis patch fixes this issue by properly checking shutdown_cache()'s\nreturn value before taking the kmem_cache_release() branch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: fix memory leak on ->hpd_notify callback\n\nThe EDID returned by drm_bridge_get_edid() needs to be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n <TASK>\n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but had not yet finished\ncalling gsm_dlci_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix OOB read\n\nIf the index provided by the user is bigger than the mask size, we might do\nan out of bound read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_port: Check IRQ data before use\n\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely the system is already awake.\n\nWithout this fix we have got an Oops:\n\n    serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n    ...\n    BUG: kernel NULL pointer dereference, address: 0000000000000010\n    RIP: 0010:serial8250_handle_irq+0x7c/0x240\n    Call Trace:\n     ? serial8250_handle_irq+0x7c/0x240\n     ? __pfx_serial8250_timeout+0x10/0x10",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\n\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\n\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\n\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\n\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\n\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG() after failure to insert delayed dir index item\n\nInstead of calling BUG() when we fail to insert a delayed dir index item\ninto the delayed node's tree, we can just release all the resources we\nhave allocated/acquired before and return the error to the caller. This is\nfine because all existing call chains undo anything they have done before\ncalling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending\nsnapshots in the transaction commit path).\n\nSo remove the BUG() call and do proper error handling.\n\nThis relates to a syzbot report linked below, but does not fix it because\nit only prevents hitting a BUG(), it does not fix the issue where somehow\nwe attempt to use twice the same index number for different index items.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\n\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\nparent->types[i] in parent_remove_sysfs_files(), and it will cause\nbelow null-ptr-deref.\n\nIf mdev_type_add() fails, return the error code and kset_unregister()\nto fix the issue.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G        W        N 6.6.0-rc2+ #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS:  00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? die_addr+0x3d/0xa0\n  ? exc_general_protection+0x144/0x220\n  ? asm_exc_general_protection+0x22/0x30\n  ? __kobject_del+0x62/0x1c0\n  kobject_del+0x32/0x50\n  parent_remove_sysfs_files+0xd6/0x170 [mdev]\n  mdev_unregister_parent+0xfb/0x190 [mdev]\n  ? mdev_register_parent+0x270/0x270 [mdev]\n  ? find_module_all+0x9d/0xe0\n  mdpy_dev_exit+0x17/0x63 [mdpy]\n  __do_sys_delete_module.constprop.0+0x2fa/0x4b0\n  ? module_flags+0x300/0x300\n  ? __fput+0x4e7/0xa00\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fbc813221b7\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\n  </TASK>\n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS:  00007fbc81981540(0000) GS:ffff888119d00000(000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: rk817: Fix node refcount leak\n\nDan Carpenter reports that the Smatch static checker warning has found\nthat there is another refcount leak in the probe function. While\nof_node_put() was added in one of the return paths, it should in\nfact be added for ALL return paths that return an error and at driver\nremoval time.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix UAF in cifs_demultiplex_thread()\n\nThere is a UAF when xfstests on cifs:\n\n  BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160\n  Read of size 4 at addr ffff88810103fc08 by task cifsd/923\n\n  CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45\n  ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   print_report+0x171/0x472\n   kasan_report+0xad/0x130\n   kasan_check_range+0x145/0x1a0\n   smb2_is_network_name_deleted+0x27/0x160\n   cifs_demultiplex_thread.cold+0x172/0x5a4\n   kthread+0x165/0x1a0\n   ret_from_fork+0x1f/0x30\n   </TASK>\n\n  Allocated by task 923:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   __kasan_slab_alloc+0x54/0x60\n   kmem_cache_alloc+0x147/0x320\n   mempool_alloc+0xe1/0x260\n   cifs_small_buf_get+0x24/0x60\n   allocate_buffers+0xa1/0x1c0\n   cifs_demultiplex_thread+0x199/0x10d0\n   kthread+0x165/0x1a0\n   ret_from_fork+0x1f/0x30\n\n  Freed by task 921:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   kasan_save_free_info+0x2a/0x40\n   ____kasan_slab_free+0x143/0x1b0\n   kmem_cache_free+0xe3/0x4d0\n   cifs_small_buf_release+0x29/0x90\n   SMB2_negotiate+0x8b7/0x1c60\n   smb2_negotiate+0x51/0x70\n   cifs_negotiate_protocol+0xf0/0x160\n   cifs_get_smb_ses+0x5fa/0x13c0\n   mount_get_conns+0x7a/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe UAF is because:\n\n mount(pid: 921)               | cifsd(pid: 923)\n-------------------------------|-------------------------------\n                               | cifs_demultiplex_thread\nSMB2_negotiate                 |\n cifs_send_recv                |\n  compound_send_recv           |\n   smb_send_rqst               |\n    wait_for_response          |\n     wait_event_state      [1] |\n                               |  standard_receive3\n                               |   cifs_handle_standard\n                               |    handle_mid\n                               |     mid->resp_buf = buf;  [2]\n                               |     dequeue_mid           [3]\n     KILL the process      [4] |\n    resp_iov[i].iov_base = buf |\n free_rsp_buf              [5] |\n                               |   is_network_name_deleted [6]\n                               |   callback\n\n1. After send request to server, wait the response until\n    mid->mid_state != SUBMITTED;\n2. Receive response from server, and set it to mid;\n3. Set the mid state to RECEIVED;\n4. Kill the process, the mid state already RECEIVED, get 0;\n5. Handle and release the negotiate response;\n6. UAF.\n\nIt can be easily reproduce with add some delay in [3] - [6].\n\nOnly sync call has the problem since async call's callback is\nexecuted in cifsd process.\n\nAdd an extra state to mark the mid state to READY before wakeup the\nwaitter, then it can get the resp safely.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: Fix possible NULL-pointer dereference\n\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix null-ptr-deref when team device type is changed\n\nGet a null-ptr-deref bug as follows with reproducer [1].\n\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\n\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\n\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()\n\nThe code calling ima_free_kexec_buffer() runs long after the memblock\nallocator has already been torn down, potentially resulting in a use\nafter free in memblock_isolate_range().\n\nWith KASAN or KFENCE, this use after free will result in a BUG\nfrom the idle task, and a subsequent kernel panic.\n\nSwitch ima_free_kexec_buffer() over to memblock_free_late() to avoid\nthat bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix dccp_v4_err()/dccp_v6_err() again\n\ndh->dccph_x is the 9th byte (offset 8) in \"struct dccp_hdr\",\nnot in the \"byte 7\" as Jann claimed.\n\nWe need to make sure the ICMP messages are big enough,\nusing more standard ways (no more assumptions).\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\nBUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]\nBUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\npskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\ndccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\nicmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867\nicmpv6_rcv+0x19d5/0x30d0\nip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\nip6_input_finish net/ipv6/ip6_input.c:483 [inline]\nNF_HOOK include/linux/netfilter.h:304 [inline]\nip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\nip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\ndst_input include/net/dst.h:468 [inline]\nip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\nNF_HOOK include/linux/netfilter.h:304 [inline]\nipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\nnetif_receive_skb_internal net/core/dev.c:5723 [inline]\nnetif_receive_skb+0x58/0x660 net/core/dev.c:5782\ntun_rx_batched+0x83b/0x920\ntun_get_user+0x564c/0x6940 drivers/net/tun.c:2002\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n__alloc_skb+0x318/0x740 net/core/skbuff.c:650\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313\nsock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795\ntun_alloc_skb drivers/net/tun.c:1531 [inline]\ntun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5.6"
        },
        {
          "id": "CVE-2023-52578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: use DEV_STATS_INC()\n\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\n\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\n\nHandles updates to dev->stats.tx_dropped while we are at it.\n\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/core: Fix ETH_P_1588 flow dissector\n\nWhen a PTP ethernet raw frame with a size of more than 256 bytes followed\nby a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation\nis wrong. For example: hdr->message_length takes the wrong value (0xffff)\nand it does not replicate real header length. In this case, 'nhoff' value\nwas overridden and the PTP header was badly dissected. This leads to a\nkernel crash.\n\nnet/core: flow_dissector\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector hdr->message_length = 0x0000ffff\nnet/core flow dissector nhoff = 0x0001000d (u16 overflow)\n...\nskb linear:   00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88\nskb frag:     00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nUsing the size of the ptp_header struct will allow the corrected\ncalculation of the nhoff value.\n\nnet/core flow dissector nhoff = 0x0000000e\nnet/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)\n...\nskb linear:   00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff\nskb linear:   00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb linear:   00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\nskb frag:     00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nKernel trace:\n[   74.984279] ------------[ cut here ]------------\n[   74.989471] kernel BUG at include/linux/skbuff.h:2440!\n[   74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[   75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G     U            5.15.85-intel-ese-standard-lts #1\n[   75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023\n[   75.026507] RIP: 0010:eth_type_trans+0xd0/0x130\n[   75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9\n[   75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297\n[   75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003\n[   75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300\n[   75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800\n[   75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010\n[   75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800\n[   75.098464] FS:  0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000\n[   75.107530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0\n[   75.121980] PKRU: 55555554\n[   75.125035] Call Trace:\n[   75.127792]  <IRQ>\n[   75.130063]  ? eth_get_headlen+0xa4/0xc0\n[   75.134472]  igc_process_skb_fields+0xcd/0x150\n[   75.139461]  igc_poll+0xc80/0x17b0\n[   75.143272]  __napi_poll+0x27/0x170\n[   75.147192]  net_rx_action+0x234/0x280\n[   75.151409]  __do_softirq+0xef/0x2f4\n[   75.155424]  irq_exit_rcu+0xc7/0x110\n[   75.159432]  common_interrupt+0xb8/0xd0\n[   75.163748]  </IRQ>\n[   75.166112]  <TASK>\n[   75.168473]  asm_common_interrupt+0x22/0x40\n[   75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350\n[   75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1\n[   75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202\n[   75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f\n[   75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20\n[   75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001\n[   75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980\n[   75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000\n[   75.245635]  ? \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak when more than 255 elements expired\n\nWhen more than 255 elements expired we're supposed to switch to a new gc\ncontainer structure.\n\nThis never happens: u8 type will wrap before reaching the boundary\nand nft_trans_gc_space() always returns true.\n\nThis means we recycle the initial gc container structure and\nlose track of the elements that came before.\n\nWhile at it, don't deref 'gc' after we've passed it to call_rcu.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only call folio_start_fscache() one time for each folio\n\nIf a network filesystem using netfs implements a clamp_length()\nfunction, it can set subrequest lengths smaller than a page size.\n\nWhen we loop through the folios in netfs_rreq_unlock_folios() to\nset any folios to be written back, we need to make sure we only\ncall folio_start_fscache() once for each folio.\n\nOtherwise, this simple testcase:\n\n  mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs\n  dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1\n  1+0 records in\n  1+0 records out\n  4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s\n  echo 3 > /proc/sys/vm/drop_caches\n  cat /mnt/nfs/file.bin > /dev/null\n\nwill trigger an oops similar to the following:\n\n  page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))\n  ------------[ cut here ]------------\n  kernel BUG at include/linux/netfs.h:44!\n  ...\n  CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5\n  ...\n  RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]\n  ...\n  Call Trace:\n    netfs_rreq_assess+0x497/0x660 [netfs]\n    netfs_subreq_terminated+0x32b/0x610 [netfs]\n    nfs_netfs_read_completion+0x14e/0x1a0 [nfs]\n    nfs_read_completion+0x2f9/0x330 [nfs]\n    rpc_free_task+0x72/0xa0 [sunrpc]\n    rpc_async_release+0x46/0x70 [sunrpc]\n    process_one_work+0x3bd/0x710\n    worker_thread+0x89/0x610\n    kthread+0x181/0x1c0\n    ret_from_fork+0x29/0x50",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix deadlock or deadcode of misusing dget()\n\nThe lock order is incorrect between the dentry and its parent; we should\nalways make sure that the parent gets the lock first.\n\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres,\nincluding the clocks, will be cleaned up.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.",
          "scorev2": "0.0",
          "scorev3": "3.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n    parameter of dpu_encoder_phys.\n    -Switch from atomic refcnt to a simple int counter as mutex has\n    now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    its stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\n\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to tag gcing flag on page during block migration\n\nIt needs to add missing gcing flag on page during block migration,\nin order to guarantee migrated data is persisted during checkpoint,\notherwise out-of-order persistency between data and node may cause\ndata corruption after SPOR.\n\nSimilar issue was fixed by commit 2d1fe8a86bf5 (\"f2fs: fix to tag\ngcing flag on page during file defragment\").",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler is handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking the moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching the renamed directory if\nits parent does not change, as without locking that can corrupt the\nfilesystem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking the moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching the renamed directory\nif its parent does not change, as without locking that can corrupt the\nfilesystem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\n\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\n\nFound by a modified version of syzkaller.\n\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: restart beacon queue when hardware reset\n\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: fix setting of fpc register\n\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\n\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\n\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\n\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which handles invalid values.\n\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of the ioctl failing with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.",
          "scorev2": "0.0",
          "scorev3": "4.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ptrace: handle setting of fpc register correctly\n\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\n\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\n\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\n\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diNewExt\n\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\n\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\n\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uaf in jfs_evict_inode\n\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\n\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in dbAdjTree\n\nCurrently there is a bounds check missing in dbAdjTree while\naccessing the dmt_stree. To add the required check, the bool is_ctl was added,\nwhich is required to determine the size, as suggested in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds Read in dtSearch\n\nCurrently while searching for the current page in the sorted entry table\nof the page there is an out-of-bounds access. Added a bounds check to fix\nthe error.\n\nDave:\nSet return code to -EIO",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUBSAN: array-index-out-of-bounds in dtSplitRoot\n\nSyzkaller reported the following issue:\n\noop0: detected capacity change from 0 to 32768\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\n\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce a value less than -1 which causes the error.\nThis patch simply adds the change for the values less than 0.\n\nThe patch is tested via syzbot.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52603",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\n\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\n\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch to use WARN_ON_ONCE for lack of a cleaner option.\n\nThe patch is tested via syzbot.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/lib: Validate size for vector operations\n\nSome of the fp/vmx code in sstep.c assumes a certain maximum size for the\ninstructions being emulated. The size of those operations however is\ndetermined separately in analyse_instr().\n\nAdd a check to validate the assumption on the maximum size of the\noperations, so as to prevent any unintended kernel stack corruption.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\n\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\n\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\n\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\n\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\n\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\n\nAdd a consistency check to validate such condition in the A2P ISR.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleeps, waiting for a reply\nfrom Task B that never comes (it's dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\n\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52609",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\n\n  inet_frag_reasm_prepare\n    skb_morph\n\nwhich is not straightforward.\n\nHowever when frags arrive out of order, nobody unrefs the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[  843.804823] ------------[ cut here ]------------\n[  843.809659] kernel BUG at net/core/skbuff.c:2091!\n[  843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[  843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[  843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[  843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[  843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[  843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[  843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[  843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[  843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[  843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[  843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[  843.871680] FS:  0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[  843.876242] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[  843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  843.894229] PKRU: 55555554\n[  843.898539] Call Trace:\n[  843.902772]  <IRQ>\n[  843.906922]  ? __die_body+0x1e/0x60\n[  843.911032]  ? die+0x3c/0x60\n[  843.915037]  ? do_trap+0xe2/0x110\n[  843.918911]  ? pskb_expand_head+0x2ac/0x300\n[  843.922687]  ? do_error_trap+0x65/0x80\n[  843.926342]  ? pskb_expand_head+0x2ac/0x300\n[  843.929905]  ? exc_invalid_op+0x50/0x60\n[  843.933398]  ? pskb_expand_head+0x2ac/0x300\n[  843.936835]  ? asm_exc_invalid_op+0x1a/0x20\n[  843.940226]  ? pskb_expand_head+0x2ac/0x300\n[  843.943580]  inet_frag_reasm_prepare+0xd1/0x240\n[  843.946904]  ip_defrag+0x5d4/0x870\n[  843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[  843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]\n[  843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[  843.959657]  tcf_action_exec+0xa1/0x160\n[  843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]\n[  843.966010]  ? skb_clone+0x53/0xc0\n[  843.969173]  tcf_classify+0x24d/0x420\n[  843.972333]  tc_run+0x8f/0xf0\n[  843.975465]  __netif_receive_skb_core+0x67a/0x1080\n[  843.978634]  ? dev_gro_receive+0x249/0x730\n[  843.981759]  __netif_receive_skb_list_core+0x12d/0x260\n[  843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0\n[  843.987957]  ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[  843.991170]  napi_complete_done+0x72/0x1a0\n[  843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[  843.997501]  __napi_poll+0x25/0x1b0\n[  844.000627]  net_rx_action+0x256/0x330\n[  844.003705]  __do_softirq+0xb3/0x29b\n[  844.006718]  irq_exit_rcu+0x9e/0xc0\n[  844.009672]  common_interrupt+0x86/0xa0\n[  844.012537]  </IRQ>\n[  844.015285]  <TASK>\n[  844.017937]  asm_common_interrupt+0x26/0x40\n[  844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[  844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: sdio: Honor the host max_req_size in the RX path\n\nLukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes\nwith an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth\ncombo card. The error he observed is identical to what has been fixed\nin commit e967229ead0e (\"wifi: rtw88: sdio: Check the HISR RX_REQUEST\nbit in rtw_sdio_rx_isr()\") but that commit didn't fix Lukas' problem.\n\nLukas found that disabling or limiting RX aggregation works around the\nproblem for some time (but does not fully fix it). In the following\ndiscussion a few key topics have been discussed which have an impact on\nthis problem:\n- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller\n  which prevents DMA transfers. Instead all transfers need to go through\n  the controller SRAM which limits transfers to 1536 bytes\n- rtw88 chips don't split incoming (RX) packets, so if a big packet is\n  received this is forwarded to the host in its original form\n- rtw88 chips can do RX aggregation, meaning multiple incoming\n  packets can be pulled by the host from the card with one MMC/SDIO\n  transfer. This depends on settings in the REG_RXDMA_AGG_PG_TH\n  register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will\n  be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation\n  and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)\n\nUse multiple consecutive reads in rtw_sdio_read_port() and limit the\nnumber of bytes which are copied by the host from the card in one\nMMC/SDIO transfer. This allows receiving a buffer that's larger than\nthe host's max_req_size (number of bytes which can be transferred in\none MMC/SDIO transfer). As a result of this the skb_over_panic error\nis gone as the rtw88 driver is now able to receive more than 1536 bytes\nfrom the card (either because the incoming packet is larger than that\nor because multiple packets have been aggregated).\n\nIn case of receive errors (-EILSEQ has been observed by Lukas) we\nneed to drain the remaining data from the card's buffer, otherwise the\ncard will return corrupt data for the next rtw_sdio_read_port() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52611",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: scomp - fix req->dst buffer overflow\n\nThe req->dst buffer size should be checked before copying from the\nscomp_scratch->dst to avoid req->dst buffer overflow problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment\n\nPTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need\n-ENODEV as the right value for comparison.\n\nOtherwise, tz->type is NULL when thermal-zones is undefined, resulting\nin the following error:\n\n[   12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8\n[   12.302877] Oops[#1]:\n[   12.305190] CPU: 1 PID: 181 Comm: systemd-udevd Not tainted 6.6.0-rc7+ #5385\n[   12.312304] pc 900000000355f410 ra 90000000031579b8 tp 90000001069e8000 sp 90000001069eba10\n[   12.320739] a0 0000000000000000 a1 fffffffffffffff1 a2 0000000000000014 a3 0000000000000001\n[   12.329173] a4 90000001069eb990 a5 0000000000000001 a6 0000000000001001 a7 900000010003431c\n[   12.337606] t0 fffffffffffffff1 t1 54567fd5da9b4fd4 t2 900000010614ec40 t3 00000000000dc901\n[   12.346041] t4 0000000000000000 t5 0000000000000004 t6 900000010614ee20 t7 900000000d00b790\n[   12.354472] t8 00000000000dc901 u0 54567fd5da9b4fd4 s9 900000000402ae10 s0 900000010614ec40\n[   12.362916] s1 90000000039fced0 s2 ffffffffffffffed s3 ffffffffffffffed s4 9000000003acc000\n[   12.362931] s5 0000000000000004 s6 fffffffffffff000 s7 0000000000000490 s8 90000001028b2ec8\n[   12.362938]    ra: 90000000031579b8 thermal_add_hwmon_sysfs+0x258/0x300\n[   12.386411]   ERA: 900000000355f410 strscpy+0xf0/0x160\n[   12.391626]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[   12.397898]  PRMD: 00000004 (PPLV0 +PIE -PWE)\n[   12.403678]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[   12.409859]  ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n[   12.415882] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[   12.415907]  BADV: fffffffffffffff1\n[   12.415911]  PRID: 0014a000 (Loongson-64bit, Loongson-2K1000)\n[   12.415917] Modules linked in: loongson2_thermal(+) vfat fat uio_pdrv_genirq uio fuse zram zsmalloc\n[   12.415950] Process systemd-udevd (pid: 181, threadinfo=00000000358b9718, task=00000000ace72fe3)\n[   12.415961] Stack : 0000000000000dc0 54567fd5da9b4fd4 900000000402ae10 9000000002df9358\n[   12.415982]         ffffffffffffffed 0000000000000004 9000000107a10aa8 90000001002a3410\n[   12.415999]         ffffffffffffffed ffffffffffffffed 9000000107a11268 9000000003157ab0\n[   12.416016]         9000000107a10aa8 ffffff80020fc0c8 90000001002a3410 ffffffffffffffed\n[   12.416032]         0000000000000024 ffffff80020cc1e8 900000000402b2a0 9000000003acc000\n[   12.416048]         90000001002a3410 0000000000000000 ffffff80020f4030 90000001002a3410\n[   12.416065]         0000000000000000 9000000002df6808 90000001002a3410 0000000000000000\n[   12.416081]         ffffff80020f4030 0000000000000000 90000001002a3410 9000000002df2ba8\n[   12.416097]         00000000000000b4 90000001002a34f4 90000001002a3410 0000000000000002\n[   12.416114]         ffffff80020f4030 fffffffffffffff0 90000001002a3410 9000000002df2f30\n[   12.416131]         ...\n[   12.416138] Call Trace:\n[   12.416142] [<900000000355f410>] strscpy+0xf0/0x160\n[   12.416167] [<90000000031579b8>] thermal_add_hwmon_sysfs+0x258/0x300\n[   12.416183] [<9000000003157ab0>] devm_thermal_add_hwmon_sysfs+0x50/0xe0\n[   12.416200] [<ffffff80020cc1e8>] loongson2_thermal_probe+0x128/0x200 [loongson2_thermal]\n[   12.416232] [<9000000002df6808>] platform_probe+0x68/0x140\n[   12.416249] [<9000000002df2ba8>] really_probe+0xc8/0x3c0\n[   12.416269] [<9000000002df2f30>] __driver_probe_device+0x90/0x180\n[   12.416286] [<9000000002df3058>] driver_probe_device+0x38/0x160\n[   12.416302] [<9000000002df33a8>] __driver_attach+0xa8/0x200\n[   12.416314] [<9000000002deffec>] bus_for_each_dev+0x8c/0x120\n[   12.416330] [<9000000002df198c>] bus_add_driver+0x10c/0x2a0\n[   12.416346] [<9000000002df46b4>] driver_register+0x74/0x160\n[   12.416358] [<90000000022201a4>] do_one_initcall+0x84/0x220\n[   12.416372] [<90000000022f3ab8>] do_init_module+0x58/0x2c0\n[\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52613",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Fix buffer overflow in trans_stat_show\n\nFix buffer overflow in trans_stat_show().\n\nConvert simple snprintf to the more secure scnprintf with size of\nPAGE_SIZE.\n\nAdd condition checking if we are exceeding PAGE_SIZE and exit early from\nloop. Also add at the end a warning that we exceeded PAGE_SIZE and that\nstats is disabled.\n\nReturn -EFBIG in the case where we don't have enough space to write the\nfull transition table.\n\nAlso document in the ABI that this function can return -EFBIG error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\n\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\n\nFix this by using a stack buffer when calling copy_to_user.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\n\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\n\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\n\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\n\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\n\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rnbd-srv: Check for unlikely string overflow\n\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\n\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                                                   ^~\nIn function 'rnbd_srv_get_full_path',\n    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  617 |                          dev_search_path, dev_name);\n      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Fix crash when setting number of cpus to an odd number\n\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n    addr of zone0 = BASE\n    addr of zone1 = BASE + zone_size\n    addr of zone2 = BASE + zone_size*2\n    ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\n\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow timeout for anonymous sets\n\nNever used from userspace, disallow these parameters.",
          "scorev2": "0.0",
          "scorev3": "2.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-52621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n  WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n  CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0xa5/0x240\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? report_bug+0x1ba/0x1f0\n   ? handle_bug+0x40/0x80\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1b/0x20\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ? rcu_lockdep_current_cpu_online+0x65/0xb0\n   ? rcu_is_watching+0x23/0x50\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ___bpf_prog_run+0x513/0x3b70\n   __bpf_prog_run32+0x9d/0xd0\n   ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n   ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n   bpf_trampoline_6442580665+0x4d/0x1000\n   __x64_sys_getpgid+0x5/0x30\n   ? do_syscall_64+0x36/0xb0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid online resizing failures due to oversized flex bg\n\nWhen we online resize an ext4 filesystem with an oversized flexbg_size,\n\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\n\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\n\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\n\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) \u2248 21845\n\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a suspicious RCU usage warning\n\nI received the following warning while running cthon against an ontap\nserver running pNFS:\n\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\n\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n   the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldom be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n   that maintains this SW state.\n\nThis works similar to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n   waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix operation precedence bug in port timestamping napi_poll context\n\nIndirection (*) is of lower precedence than postfix increment (++). Logic\nin napi_poll context would cause an out-of-bound read by first incrementing\nthe pointer address by byte address space and then dereferencing the value.\nRather, the intended logic was to dereference first and then increment the\nunderlying value.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7091r: Allow users to configure device events\n\nAD7091R-5 devices are supported by the ad7091r-5 driver together with\nthe ad7091r-base driver. Those drivers declared iio events for notifying\nuser space when ADC readings fall below the thresholds of low limit\nregisters or above the values set in high limit registers.\nHowever, to configure iio events and their thresholds, a set of callback\nfunctions must be implemented and those were not present until now.\nThe consequence of trying to configure ad7091r-5 events without the\nproper callback functions was a null pointer dereference in the kernel\nbecause the pointers to the callback functions were not set.\n\nImplement event configuration callbacks allowing users to read/write\nevent thresholds and enable/disable event generation.\n\nSince the event spec structs are generic to AD7091R devices, also move\nthose from the ad7091r-5 driver to the base driver so they can be reused\nwhen support for ad7091r-2/-4/-8 is added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\n\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\n\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\n\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\n\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix a NULL dereference bug\n\nThe issue here is when this is called from ntfs_load_attr_list().  The\n\"size\" comes from le32_to_cpu(attr->res.data_size) so it can't overflow\non 64-bit systems but on 32-bit systems the \"+ 1023\" can overflow and\nthe result is zero.  This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n        (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n        ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n        __flush_work+0x88/0x4f0\n        svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n        svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n        kfd_ioctl+0x1d1/0x630 [amdgpu]\n        __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n        __mutex_lock+0x99/0xc70\n        amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n        restore_process_helper+0x22/0x80 [amdgpu]\n        restore_process_worker+0x2d/0xa0 [amdgpu]\n        process_one_work+0x29b/0x560\n        worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n        __flush_work+0x88/0x4f0\n        __cancel_work_timer+0x12c/0x1c0\n        kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n        __mmu_notifier_release+0xad/0x240\n        exit_mmap+0x6a/0x3a0\n        mmput+0x6a/0x120\n        do_exit+0x322/0xb90\n        do_group_exit+0x37/0xa0\n        __x64_sys_exit_group+0x18/0x20\n        do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n        __lock_acquire+0x1521/0x2510\n        lock_sync+0x5f/0x90\n        __synchronize_srcu+0x4f/0x1a0\n        __mmu_notifier_release+0x128/0x240\n        exit_mmap+0x6a/0x3a0\n        mmput+0x6a/0x120\n        
svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n        process_one_work+0x29b/0x560\n        worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n  srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n        lock((work_completion)(&svms->deferred_list_work));\n                        lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n        sync(srcu);",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: time-travel: fix time corruption\n\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\n\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.",
          "scorev2": "0.0",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecessarily\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\n\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\n\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\n\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\n\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\n\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   
timer=0xffffff80444f0428\n\n[2]\n\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\n\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 
9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: just wait for more data to be available on the socket\n\nA short read may occur while reading the message footer from the\nsocket.  Later, when the socket is ready for another read, the\nmessenger invokes all read_partial_*() handlers, including\nread_partial_sparse_msg_data().  The expectation is that\nread_partial_sparse_msg_data() would bail, allowing the messenger to\ninvoke read_partial() for the footer and pick up where it left off.\n\nHowever read_partial_sparse_msg_data() violates that and ends up\ncalling into the state machine in the OSD client.  The sparse-read\nstate machine assumes that it's a new op and interprets some piece of\nthe footer as the sparse-read header and returns bogus extents/data\nlength, etc.\n\nTo determine whether read_partial_sparse_msg_data() should bail, let's\nreuse cursor->total_resid.  Because once it reaches to zero that means\nall the extents and data have been successfully received in last read,\nelse it could break out when partially reading any of the extents and\ndata.  And then osd_sparse_read() could continue where it left off.\n\n[ idryomov: changelog ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\n\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\n\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\n\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? 
handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\n\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\n\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\n\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\n\nNOTE: This patch alone does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\n\n[mkl: remove unrelated newline change]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix oob in ntfs_listxattr\n\nThe length of name cannot exceed the space occupied by ea.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()\n\nIt is preferable to exit through the out: label because\ninternal debugging functions are located there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: bpf attach/detach requires write permission\n\nNote that bpf attach/detach also requires CAP_NET_ADMIN.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix memleak in iio_device_register_sysfs\n\nWhen iio_device_register_sysfs_group() fails, we should\nfree iio_dev_opaque->chan_attr_group.attrs to prevent\npotential memleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\n\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\n\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer 
apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. 
MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: mediatek: fix race conditions with genpd\n\nIf the power domains are registered first with genpd and *after that*\nthe driver attempts to power them on in the probe sequence, then it is\npossible that a race condition occurs if genpd tries to power them on\nin the same time.\nThe same is valid for powering them off before unregistering them\nfrom genpd.\nAttempt to fix race conditions by first removing the domains from genpd\nand *after that* powering down domains.\nAlso first power up the domains and *after that* register them\nto genpd.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix mremap after fork null-deref\n\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\n\n[jmoyer@redhat.com: fix 80 column issue]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: Check whether crossbar pad is non-NULL before access\n\nWhen translating source to sink streams in the crossbar subdev, the\ndriver tries to locate the remote subdev connected to the sink pad. The\nremote pad may be NULL, if userspace tries to enable a stream that ends\nat an unconnected crossbar sink. When that occurs, the driver\ndereferences the NULL pad, leading to a crash.\n\nPrevent the crash by checking if the pad is NULL before using it, and\nreturn an error if it is.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS:  00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n <TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? 
vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n </TASK>\nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 
ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Avoid reading beyond LUT array\n\nWhen the floor LUT index (drm_fixp2int(lut_index) is the last\nindex of the array the ceil LUT index will point to an entry\nbeyond the array. Make sure we guard against it and use the\nvalue of the floor LUT index.\n\nv3:\n - Drop bits from commit description that didn't contribute\n   anything of value",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\n\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNTB: fix possible name leak in ntb_register_device()\n\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\n\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\n\n[mani: reworded commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/af_unix: disable sending io_uring over sockets\n\nFile reference cycles have caused lots of problems for io_uring\nin the past, and it still doesn't work exactly right and races with\nunix_stream_read_generic(). The safest fix would be to completely\ndisallow sending io_uring files via sockets via SCM_RIGHT, so there\nare no possible cycles invloving registered files and thus rendering\nSCM accounting on the io_uring side unnecessary.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: aqc111: check packet for fixup for true limit\n\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\n\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\n\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: drop any code related to SCM_RIGHTS\n\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/pm: resolve reboot exception for si oland\"\n\nThis reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.\n\nThis causes hangs on SI when DC is enabled and errors on driver\nreboot and power off cycles.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"\n\nThis reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b.\nThe revert is required due to the suspicion it is not good for anything\nand cause crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type\n\nOn 64-bit platforms, the pfn_to_kaddr() macro requires that the input\nvalue is 64 bits in order to ensure that valid address bits don't get\nlost when shifting that input by PAGE_SHIFT to calculate the physical\naddress to provide a virtual address for.\n\nOne such example is in pvalidate_pages() (used by SEV-SNP guests), where\nthe GFN in the struct used for page-state change requests is a 40-bit\nbit-field, so attempts to pass this GFN field directly into\npfn_to_kaddr() ends up causing guest crashes when dealing with addresses\nabove the 1TB range due to the above.\n\nFix this issue with SEV-SNP guests, as well as any similar cases that\nmight cause issues in current/future code, by using an inline function,\ninstead of a macro, so that the input is implicitly cast to the\nexpected 64-bit input type prior to performing the shift operation.\n\nWhile it might be argued that the issue is on the caller side, other\narchs/macros have taken similar approaches to deal with instances like\nthis, such as ARM explicitly casting the input to phys_addr_t:\n\n  e48866647b48 (\"ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()\")\n\nA C inline function is even better though.\n\n[ mingo: Refined the changelog some more & added __always_inline. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()\n\nIf clk_get_sys(..., \"pll_d2_out0\") fails, the clk_get_sys() call must be\nundone.\n\nAdd the missing clk_put and a new 'put_pll_d_out0' label in the error\nhandling path, and use it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node\n\nWhen ida_alloc_max fails, resources allocated before should be freed,\nincluding *res allocated by kmalloc and ttm_resource_init.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe()\n\nDriver uses kasprintf() to initialize fw_{code,data}_bin members of\nstruct acp_dev_data, but kfree() is never called to deallocate the\nmemory, which results in a memory leak.\n\nFix the issue by switching to devm_kasprintf(). Additionally, ensure the\nallocation was successful by checking the pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft->g succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft->g. However, its caller\nfs_any_create_table() will free ft->g again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft->g to NULL in fs_any_create_groups().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix lock ordering in btrfs_zone_activate()\n\nThe btrfs CI reported a lockdep warning as follows by running generic\ngeneric/129.\n\n   WARNING: possible circular locking dependency detected\n   6.7.0-rc5+ #1 Not tainted\n   ------------------------------------------------------\n   kworker/u5:5/793427 is trying to acquire lock:\n   ffff88813256d028 (&cache->lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x5e/0x130\n   but task is already holding lock:\n   ffff88810a23a318 (&fs_info->zone_active_bgs_lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x34/0x130\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n   -> #1 (&fs_info->zone_active_bgs_lock){+.+.}-{2:2}:\n   ...\n   -> #0 (&cache->lock){+.+.}-{2:2}:\n   ...\n\nThis is because we take fs_info->zone_active_bgs_lock after a block_group's\nlock in btrfs_zone_activate() while doing the opposite in other places.\n\nFix the issue by expanding the fs_info->zone_active_bgs_lock's critical\nsection and taking it before a block_group's lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: s390/aes - Fix buffer overread in CTR mode\n\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left.  Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: virtio: Free driver_override when rpmsg_remove()\n\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\n\nunreferenced object 0xffff0000d55d7080 (size 128):\n  comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n  hex dump (first 32 bytes):\n    72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n    [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n    [<00000000228a60c3>] kstrndup+0x4c/0x90\n    [<0000000077158695>] driver_set_override+0xd0/0x164\n    [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n    [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n    [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n    [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n    [<00000000443331cc>] really_probe+0xbc/0x2dc\n    [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n    [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n    [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n    [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n    [<000000003b929a36>] __device_attach+0x9c/0x19c\n    [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n    [<000000003c999637>] bus_probe_device+0xa0/0xac",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npipe: wakeup wr_wait after setting max_usage\n\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\n\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\n\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\n\n[Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\n\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Check if the code to patch lies in the exit section\n\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c\n\nBefore using list_first_entry, make sure to check that list is not\nempty, if list is empty return -ENODATA.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1347 kfd_create_indirect_link_prop() warn: can 'gpu_link' even be NULL?\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1428 kfd_add_peer_prop() warn: can 'iolink1' even be NULL?\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_topology.c:1433 kfd_add_peer_prop() warn: can 'iolink2' even be NULL?",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: Fix double free in of_parse_phandle_with_args_map\n\nIn of_parse_phandle_with_args_map() the inner loop that\niterates through the map entries calls of_node_put(new)\nto free the reference acquired by the previous iteration\nof the inner loop. This assumes that the value of \"new\" is\nNULL on the first iteration of the inner loop.\n\nMake sure that this is true in all iterations of the outer\nloop by setting \"new\" to NULL after its value is assigned to \"cur\".\n\nExtend the unittest to detect the double free and add an additional\ntest case that actually triggers this path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Free s_fs_info on unmount\n\nNow that we allocate a s_fs_info struct on fs context creation, we\nshould ensure that we free it again when the superblock goes away.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t  - gc_data_segment\n\t\t\t\t\t   - move_data_block\n\t\t\t\t\t    - f2fs_submit_page_write\n\t\t\t\t\t     migrate normal cluster's block via\n\t\t\t\t\t     meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n  - f2fs_inplace_write_data\n   - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: LPIT: Avoid u32 multiplication overflow\n\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\n\nChange multiplication to mul_u32_u32().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: qseecom: fix memory leaks in error paths\n\nFix instances of returning error codes directly instead of jumping to\nthe relevant labels where memory allocated for the SCM calls would be\nfreed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_event_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: safexcel - Add error handling for dma_map_sg() calls\n\nMacro dma_map_sg() may return 0 on error. This patch enables\nchecks in case of the macro failure and ensures unmapping of\npreviously mapped buffers with dma_unmap_sg().\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix the error handler of rfkill config\n\nWhen the core rfkill config throws error, it should free the\nallocated resources. Currently it is not freeing the core pdev\ncreate resources. Avoid this issue by calling the core pdev\ndestroy in the error handler of core rfkill config.\n\nFound this issue in the code review and it is compile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing mutex lock around get meter levels\n\nAs scarlett2_meter_ctl_get() uses meter_level_map[], the data_mutex\nshould be locked while accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: check for error while searching for backlight device parent\n\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\n\nCheck acpi_get_parent() result and set parent device only in case of success.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\n\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check writeback connectors in create_validate_stream_for_sink\n\n[WHY & HOW]\nThis is to check connector type to avoid\nunhandled null pointer for writeback connectors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL\n\nsof_sdw_rt_sdca_jack_exit() are used by different codecs, and some of\nthem use the same dai name.\nFor example, rt712 and rt713 both use \"rt712-sdca-aif1\" and\nsof_sdw_rt_sdca_jack_exit().\nAs a result, sof_sdw_rt_sdca_jack_exit() will be called twice by\nmc_dailink_exit_loop(). Set ctx->headset_codec_dev = NULL; after\nput_device(ctx->headset_codec_dev); to avoid ctx->headset_codec_dev\nbeing put twice.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: fix memory leak in netlbl_calipso_add_pass()\n\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\n\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\n\n[PM: merged via the LSM tree at Jakub Kicinski request]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[   13.398494] Call Trace:\n[   13.398630]  <TASK>\n[   13.398630]  ? __alloc_skb+0xed/0x1a0\n[   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]\n[   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]\n[   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]\n[   13.398630]  ? __local_bh_enable_ip+0x37/0x80\n[   13.398630]  tipc_connect+0x1d9/0x230 [tipc]\n[   13.398630]  ? __sys_connect+0x9f/0xd0\n[   13.398630]  __sys_connect+0x9f/0xd0\n[   13.398630]  ? preempt_count_add+0x4d/0xa0\n[   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50\n[   13.398630]  __x64_sys_connect+0x16/0x20\n[   13.398630]  do_syscall_64+0x42/0x90\n[   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use a bounce buffer for copying skb->mark\n\nsyzbot found arm64 builds would crash in sock_recv_mark()\nwhen CONFIG_HARDENED_USERCOPY=y\n\nx86 and powerpc are not detecting the issue because\nthey define user_access_begin.\nThis will be handled in a different patch,\nbecause a check_object_size() is missing.\n\nOnly data from skb->cb[] can be copied directly to/from user space,\nas explained in commit 79a8a642bf05 (\"net: Whitelist\nthe skbuff_head_cache \"cb\" field\")\n\nsyzbot report was:\nusercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nlr : usercopy_abort+0x90/0x94 mm/usercopy.c:90\nsp : ffff80000fb9b9a0\nx29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00\nx26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000\nx23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8\nx20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000\nx17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118\nx14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400\nx11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00\nx8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c\nCall trace:\nusercopy_abort+0x90/0x94 mm/usercopy.c:90\n__check_heap_object+0xa8/0x100 mm/slub.c:4761\ncheck_heap_object mm/usercopy.c:196 [inline]\n__check_object_size+0x208/0x6b8 mm/usercopy.c:251\ncheck_object_size include/linux/thread_info.h:199 [inline]\n__copy_to_user include/linux/uaccess.h:115 [inline]\nput_cmsg+0x408/0x464 net/core/scm.c:238\nsock_recv_mark net/socket.c:975 [inline]\n__sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984\nsock_recv_cmsgs include/net/sock.h:2728 [inline]\npacket_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482\n____sys_recvmsg+0x110/0x3a0\n___sys_recvmsg net/socket.c:2737 [inline]\n__sys_recvmsg+0x194/0x210 net/socket.c:2767\n__do_sys_recvmsg net/socket.c:2777 [inline]\n__se_sys_recvmsg net/socket.c:2774 [inline]\n__arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\n\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfreezer,umh: Fix call_usermode_helper_exec() vs SIGKILL\n\nTetsuo-San noted that commit f5d39b020809 (\"freezer,sched: Rewrite\ncore freezer logic\") broke call_usermodehelper_exec() for the KILLABLE\ncase.\n\nSpecifically it was missed that the second, unconditional,\nwait_for_completion() was not optional and ensures the on-stack\ncompletion is unused before going out-of-scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes.  Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks.  This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n      Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord        state:D stack:23456 pid:5067  ppid:2\n flags:0x00004000\n Call Trace:\n  <TASK>\n  context_switch kernel/sched/core.c:5293 [inline]\n  __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n  schedule+0xc3/0x190 kernel/sched/core.c:6682\n  rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n  nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n  nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n  kthread+0x270/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n  </TASK>\n ...\n Call Trace:\n  <TASK>\n  folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n  __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n  nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n  nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n  nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n  nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n  nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n  nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n  nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n  nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n  nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n  nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n  ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: sim: fix a memory leak\n\nFix an inverted logic bug in gpio_sim_remove_hogs() that leads to GPIO\nhog structures never being freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: Fix use-after-free in ep_remove_wait_queue()\n\nIf a non-root cgroup gets removed when there is a thread that registered\ntrigger and is polling on a pressure file within the cgroup, the polling\nwaitqueue gets freed in the following path:\n\n do_rmdir\n   cgroup_rmdir\n     kernfs_drain_open_files\n       cgroup_file_release\n         cgroup_pressure_release\n           psi_trigger_destroy\n\nHowever, the polling thread still has a reference to the pressure file and\nwill access the freed waitqueue when the file is closed or upon exit:\n\n fput\n   ep_eventpoll_release\n     ep_free\n       ep_remove_wait_queue\n         remove_wait_queue\n\nThis results in use-after-free as pasted below.\n\nThe fundamental problem here is that cgroup_file_release() (and\nconsequently waitqueue's lifetime) is not tied to the file's real lifetime.\nUsing wake_up_pollfree() here might be less than ideal, but it is in line\nwith the comment at commit 42288cb44c4b (\"wait: add wake_up_pollfree()\")\nsince the waitqueue's lifetime is not tied to file's one and can be\nconsidered as another special case. While this would be fixable by somehow\nmaking cgroup_file_release() be tied to the fput(), it would require\nsizable refactoring at cgroups or higher layer which might be more\njustifiable if we identify more cases like this.\n\n  BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0\n  Write of size 4 at addr ffff88810e625328 by task a.out/4404\n\n\tCPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38\n\tHardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017\n\tCall Trace:\n\t<TASK>\n\tdump_stack_lvl+0x73/0xa0\n\tprint_report+0x16c/0x4e0\n\tkasan_report+0xc3/0xf0\n\tkasan_check_range+0x2d2/0x310\n\t_raw_spin_lock_irqsave+0x60/0xc0\n\tremove_wait_queue+0x1a/0xa0\n\tep_free+0x12c/0x170\n\tep_eventpoll_release+0x26/0x30\n\t__fput+0x202/0x400\n\ttask_work_run+0x11d/0x170\n\tdo_exit+0x495/0x1130\n\tdo_group_exit+0x100/0x100\n\tget_signal+0xd67/0xde0\n\tarch_do_signal_or_restart+0x2a/0x2b0\n\texit_to_user_mode_prepare+0x94/0x100\n\tsyscall_exit_to_user_mode+0x20/0x40\n\tdo_syscall_64+0x52/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\t</TASK>\n\n Allocated by task 4404:\n\n\tkasan_set_track+0x3d/0x60\n\t__kasan_kmalloc+0x85/0x90\n\tpsi_trigger_create+0x113/0x3e0\n\tpressure_write+0x146/0x2e0\n\tcgroup_file_write+0x11c/0x250\n\tkernfs_fop_write_iter+0x186/0x220\n\tvfs_write+0x3d8/0x5c0\n\tksys_write+0x90/0x110\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n Freed by task 4407:\n\n\tkasan_set_track+0x3d/0x60\n\tkasan_save_free_info+0x27/0x40\n\t____kasan_slab_free+0x11d/0x170\n\tslab_free_freelist_hook+0x87/0x150\n\t__kmem_cache_free+0xcb/0x180\n\tpsi_trigger_destroy+0x2e8/0x310\n\tcgroup_file_release+0x4f/0xb0\n\tkernfs_drain_open_files+0x165/0x1f0\n\tkernfs_drain+0x162/0x1a0\n\t__kernfs_remove+0x1fb/0x310\n\tkernfs_remove_by_name_ns+0x95/0xe0\n\tcgroup_addrm_files+0x67f/0x700\n\tcgroup_destroy_locked+0x283/0x3c0\n\tcgroup_rmdir+0x29/0x100\n\tkernfs_iop_rmdir+0xd1/0x140\n\tvfs_rmdir+0xfe/0x240\n\tdo_rmdir+0x13d/0x280\n\t__x64_sys_rmdir+0x2c/0x30\n\tdo_syscall_64+0x43/0x90\n\tentry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\n\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\n\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n  hex dump (first 32 bytes):\n    00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff  ..o.....`X......\n    10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff  .@Q......@Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n    [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n    [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n  hex dump (first 32 bytes):\n    00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff  .@Q......X......\n    10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff  ..Q.......Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n    [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix invalid page access after closing deferred I/O devices\n\nWhen a fbdev with deferred I/O is once opened and closed, the dirty\npages still remain queued in the pageref list, and eventually later\nthose may be processed in the delayed work.  This may lead to a\ncorruption of pages, hitting an Oops.\n\nThis patch makes sure to cancel the delayed work and clean up the\npageref list at closing the device for addressing the bug.  A part of\nthe cleanup code is factored out as a new helper function that is\ncalled from the common fb_release().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: blocklist the kclient when receiving corrupted snap trace\n\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\n\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\n\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\n\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\n\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Do not unset preset when cleaning up codec\n\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\n\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\n\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n   task:syz-executor361 state:D stack:20264 pid:5668  ppid:5119   flags:0x00004004\n   Call Trace:\n    <TASK>\n    context_switch kernel/sched/core.c:5293 [inline]\n    __schedule+0x995/0xe20 kernel/sched/core.c:6606\n    schedule+0xcb/0x190 kernel/sched/core.c:6682\n    wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n    wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n    lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n    find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n    writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n    __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n    extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n    extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n    do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n    filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n    __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n    filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n    btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n    start_ordered_ops fs/btrfs/file.c:1737 [inline]\n    btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n    generic_write_sync include/linux/fs.h:2885 [inline]\n    btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n    call_write_iter include/linux/fs.h:2189 [inline]\n    new_sync_write fs/read_write.c:491 [inline]\n    vfs_write+0x7dc/0xc50 fs/read_write.c:584\n    ksys_write+0x177/0x2a0 fs/read_write.c:637\n    do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n    entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   RIP: 0033:0x7f7d4054e9b9\n   RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n   RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n   RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n   RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n   R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n   R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n    </TASK>\n   INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n         Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n   \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n   task:syz-executor361 state:D stack:21216 pid:5697  ppid:5119   flags:0x00004004\n   Call Trace:\n    <TASK>\n    context_switch kernel/sched/core.c:5293 [inline]\n    __schedule+0x995/0xe20 kernel/sched/core.c:6606\n    schedule+0xcb/0x190 kernel/sched/core.c:6682\n    rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n    __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n    btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n    do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n    wp_page_shared+0x15e/0x380 mm/memory.c:3295\n    handle_pte_fault mm/memory.c:4949 [inline]\n    __handle_mm_fault mm/memory.c:5073 [inline]\n    handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n    do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n    handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n    exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n    asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n   RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n   Code: 74 0a 89 (...)\n   RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini\n\nCurrently amdgpu calls drm_sched_fini() from the fence driver sw fini\nroutine - such function is expected to be called only after the\nrespective init function - drm_sched_init() - was executed successfully.\n\nHappens that we faced a driver probe failure in the Steam Deck\nrecently, and the function drm_sched_fini() was called even without\nits counter-part had been previously called, causing the following oops:\n\namdgpu: probe of 0000:04:00.0 failed with error -110\nBUG: kernel NULL pointer dereference, address: 0000000000000090\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338\nHardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022\nRIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]\n[...]\nCall Trace:\n <TASK>\n amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]\n amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]\n amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n devm_drm_dev_init_release+0x49/0x70\n [...]\n\nTo prevent that, check if the drm_sched was properly initialized for a\ngiven ring before calling its fini counter-part.\n\nNotice ideally we'd use sched.ready for that; such field is set as the latest\nthing on drm_sched_init(). But amdgpu seems to \"override\" the meaning of such\nfield - in the above oops for example, it was a GFX ring causing the crash, and\nthe sched.ready field was set to true in the ring init routine, regardless of\nthe state of the DRM scheduler. Hence, we ended-up using sched.ops as per\nChristian's suggestion [0], and also removed the no_scheduler check [1].\n\n[0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/\n[1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n  BUG: Bad page state in process ganesha.nfsd  pfn:1304ca\n  page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n  flags: 0x17ffffc0000000()\n  raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n  raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n  page dumped because: nonzero mapcount\n  CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P    B      O      5.10.158-1.nutanix.20221209.el7.x86_64 #1\n  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n  Call Trace:\n   dump_stack+0x74/0x96\n   bad_page.cold+0x63/0x94\n   check_new_page_bad+0x6d/0x80\n   rmqueue+0x46e/0x970\n   get_page_from_freelist+0xcb/0x3f0\n   ? _cond_resched+0x19/0x40\n   __alloc_pages_nodemask+0x164/0x300\n   alloc_pages_current+0x87/0xf0\n   skb_page_frag_refill+0x84/0x110\n   ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page.  So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch\n\nThe RFI and STF security mitigation options can flip the\ninterrupt_exit_not_reentrant static branch condition concurrently with\nthe interrupt exit code which tests that branch.\n\nInterrupt exit tests this condition to set MSR[EE|RI] for exit, then\nagain in the case a soft-masked interrupt is found pending, to recover\nthe MSR so the interrupt can be replayed before attempting to exit\nagain. If the condition changes between these two tests, the MSR and irq\nsoft-mask state will become corrupted, leading to warnings and possible\ncrashes. For example, if the branch is initially true then false,\nMSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get\nenabled, leading to warnings in irq_64.c.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages()\n\nWhen the network status is unstable, use-after-free may occur when\nread data from the server.\n\n  BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0\n\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x38/0x4c\n   print_report+0x16f/0x4a6\n   kasan_report+0xb7/0x130\n   readpages_fill_pages+0x14c/0x7e0\n   cifs_readv_receive+0x46d/0xa40\n   cifs_demultiplex_thread+0x121c/0x1490\n   kthread+0x16b/0x1a0\n   ret_from_fork+0x2c/0x50\n   </TASK>\n\n  Allocated by task 2535:\n   kasan_save_stack+0x22/0x50\n   kasan_set_track+0x25/0x30\n   __kasan_kmalloc+0x82/0x90\n   cifs_readdata_direct_alloc+0x2c/0x110\n   cifs_readdata_alloc+0x2d/0x60\n   cifs_readahead+0x393/0xfe0\n   read_pages+0x12f/0x470\n   page_cache_ra_unbounded+0x1b1/0x240\n   filemap_get_pages+0x1c8/0x9a0\n   filemap_read+0x1c0/0x540\n   cifs_strict_readv+0x21b/0x240\n   vfs_read+0x395/0x4b0\n   ksys_read+0xb8/0x150\n   do_syscall_64+0x3f/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n  Freed by task 79:\n   kasan_save_stack+0x22/0x50\n   kasan_set_track+0x25/0x30\n   kasan_save_free_info+0x2e/0x50\n   __kasan_slab_free+0x10e/0x1a0\n   __kmem_cache_free+0x7a/0x1a0\n   cifs_readdata_release+0x49/0x60\n   process_one_work+0x46c/0x760\n   worker_thread+0x2a4/0x6f0\n   kthread+0x16b/0x1a0\n   ret_from_fork+0x2c/0x50\n\n  Last potentially related work creation:\n   kasan_save_stack+0x22/0x50\n   __kasan_record_aux_stack+0x95/0xb0\n   insert_work+0x2b/0x130\n   __queue_work+0x1fe/0x660\n   queue_work_on+0x4b/0x60\n   smb2_readv_callback+0x396/0x800\n   cifs_abort_connection+0x474/0x6a0\n   cifs_reconnect+0x5cb/0xa50\n   cifs_readv_from_socket.cold+0x22/0x6c\n   cifs_read_page_from_socket+0xc1/0x100\n   readpages_fill_pages.cold+0x2f/0x46\n   cifs_readv_receive+0x46d/0xa40\n   cifs_demultiplex_thread+0x121c/0x1490\n   kthread+0x16b/0x1a0\n   ret_from_fork+0x2c/0x50\n\nThe following function calls will cause UAF of the rdata pointer.\n\nreadpages_fill_pages\n cifs_read_page_from_socket\n  cifs_readv_from_socket\n   cifs_reconnect\n    __cifs_reconnect\n     cifs_abort_connection\n      mid->callback() --> smb2_readv_callback\n       queue_work(&rdata->work)  # if the worker completes first,\n                                 # the rdata is freed\n          cifs_readv_complete\n            kref_put\n              cifs_readdata_release\n                kfree(rdata)\n return rdata->...               # UAF in readpages_fill_pages()\n\nSimilarly, this problem also occurs in the uncache_fill_pages().\n\nFix this by adjusts the order of condition judgment in the return\nstatement.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite.  In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[  +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[  +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[  +0.000161]  [last unloaded: bonding]\n[  +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S                 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[  +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[  +0.000003] Workqueue: ice ice_service_task [ice]\n[  +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[  +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[  +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[  +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[  +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[  +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[  +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[  +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[  +0.000004] FS:  0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[  +0.000003] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[  +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  +0.000002] PKRU: 55555554\n[  +0.000003] Call Trace:\n[  +0.000002]  <TASK>\n[  +0.000003]  __flush_workqueue+0x203/0x840\n[  +0.000006]  ? mutex_unlock+0x84/0xd0\n[  +0.000008]  ? __pfx_mutex_unlock+0x10/0x10\n[  +0.000004]  ? __pfx___flush_workqueue+0x10/0x10\n[  +0.000006]  ? mutex_lock+0xa3/0xf0\n[  +0.000005]  ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[  +0.000174]  __ib_unregister_device+0x84/0xf0 [ib_core]\n[  +0.000094]  ib_unregister_device+0x25/0x30 [ib_core]\n[  +0.000093]  irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[  +0.000064]  ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[  +0.000059]  ? up_write+0x5c/0x90\n[  +0.000005]  irdma_remove+0x36/0x90 [irdma]\n[  +0.000062]  auxiliary_bus_remove+0x32/0x50\n[  +0.000007]  device_r\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix potential NULL-ptr-dereference\n\nin_dev_get() can return NULL which will cause a failure once idev is\ndereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a\ncheck for NULL value in idev beforehand.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\n\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\n\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS:  00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.12"
        },
        {
          "id": "CVE-2023-52746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\n\n  int type = nla_type(nla);\n\n  if (type > XFRMA_MAX) {\n            return -EOPNOTSUPP;\n  }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\n  if (nla_len(nla) < compat_policy[type].len) {\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.",
          "scorev2": "0.0",
          "scorev3": "2.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Restore allocated resources on failed copyout\n\nFix a resource leak if an error occurs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: avoid format-overflow warning\n\nWith gcc and W=1 option, there's a warning like this:\n\nfs/f2fs/compress.c: In function \u2018f2fs_init_page_array_cache\u2019:\nfs/f2fs/compress.c:1984:47: error: \u2018%u\u2019 directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 |  sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n      |                                               ^~\n\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n   ctlr->cur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n   to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n   called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\n\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\n\nThis went unnoticed until commit:\n\n  34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\n\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\n\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\n\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n|  dump_backtrace+0xec/0x108\n|  show_stack+0x18/0x2c\n|  dump_stack_lvl+0x50/0x68\n|  dump_stack+0x18/0x24\n|  panic+0x13c/0x340\n|  el1t_64_irq_handler+0x0/0x1c\n|  el1_abort+0x0/0x5c\n|  el1h_64_sync+0x64/0x68\n|  __pi_strcmp+0x1c/0x150\n|  unflatten_dt_nodes+0x1e8/0x2d8\n|  __unflatten_device_tree+0x5c/0x15c\n|  unflatten_device_tree+0x38/0x50\n|  setup_arch+0x164/0x1e0\n|  start_kernel+0x64/0x38c\n|  __primary_switched+0xbc/0xc4\n\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n  BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n  Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n  CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n  Call Trace:\n   dump_stack_lvl+0x4a/0x80\n   print_report+0xcf/0x650\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? __phys_addr+0x46/0x90\n   kasan_report+0xda/0x110\n   ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n   ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n   smb2_query_info_compound+0x423/0x6d0 [cifs]\n   ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? __stack_depot_save+0x39/0x480\n   ? kasan_save_stack+0x33/0x60\n   ? kasan_set_track+0x25/0x30\n   ? ____kasan_slab_free+0x126/0x170\n   smb2_queryfs+0xc2/0x2c0 [cifs]\n   ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n   ? __pfx___lock_acquire+0x10/0x10\n   smb311_queryfs+0x210/0x220 [cifs]\n   ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? __lock_acquire+0x480/0x26c0\n   ? lock_release+0x1ed/0x640\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? do_raw_spin_unlock+0x9b/0x100\n   cifs_statfs+0x18c/0x4b0 [cifs]\n   statfs_by_dentry+0x9b/0xf0\n   fd_statfs+0x4e/0xb0\n   __do_sys_fstatfs+0x7f/0xe0\n   ? __pfx___do_sys_fstatfs+0x10/0x10\n   ? srso_alias_return_thunk+0x5/0x7f\n   ? lockdep_hardirqs_on_prepare+0x136/0x200\n   ? srso_alias_return_thunk+0x5/0x7f\n   do_syscall_64+0x3f/0x90\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n  Allocated by task 27534:\n   kasan_save_stack+0x33/0x60\n   kasan_set_track+0x25/0x30\n   __kasan_kmalloc+0x8f/0xa0\n   open_cached_dir+0x71b/0x1240 [cifs]\n   smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n   smb2_queryfs+0xc2/0x2c0 [cifs]\n   smb311_queryfs+0x210/0x220 [cifs]\n   cifs_statfs+0x18c/0x4b0 [cifs]\n   statfs_by_dentry+0x9b/0xf0\n   fd_statfs+0x4e/0xb0\n   __do_sys_fstatfs+0x7f/0xe0\n   do_syscall_64+0x3f/0x90\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n  Freed by task 27534:\n   kasan_save_stack+0x33/0x60\n   kasan_set_track+0x25/0x30\n   kasan_save_free_info+0x2b/0x50\n   ____kasan_slab_free+0x126/0x170\n   slab_free_freelist_hook+0xd0/0x1e0\n   __kmem_cache_free+0x9d/0x1b0\n   open_cached_dir+0xff5/0x1240 [cifs]\n   smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n   smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it.  And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n  CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n  CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n  CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n  CIFS: VFS: Dump pending requests:\n  CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n  CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n  CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n  ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid.  And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\n\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\n\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\n\n  [ 816.251274] general protection fault, probably for non-canonical\n  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n  ...\n  [  816.260138] Call Trace:\n  [  816.260329]  <TASK>\n  [  816.260499]  ? die_addr+0x36/0x90\n  [  816.260762]  ? exc_general_protection+0x1b3/0x410\n  [  816.261126]  ? asm_exc_general_protection+0x26/0x30\n  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]\n  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]\n  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n  [  816.262689]  ? seq_read_iter+0x379/0x470\n  [  816.262995]  seq_read_iter+0x118/0x470\n  [  816.263291]  proc_reg_read_iter+0x53/0x90\n  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f\n  [  816.263945]  vfs_read+0x201/0x350\n  [  816.264211]  ksys_read+0x75/0x100\n  [  816.264472]  do_syscall_64+0x3f/0x90\n  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  [  816.265135] RIP: 0033:0x7fd5e669d381",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference of timing generator\n\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: fix access to invalid resource for the second interface\n\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver.  It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor.  Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\n\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when releasing mids\n\nAll release_mid() callers seem to hold a reference of @mid so there is\nno need to call kref_put(&mid->refcount, __release_mid) under\n@server->mid_lock spinlock.  If they don't, then an use-after-free bug\nwould have occurred anyways.\n\nBy getting rid of such spinlock also fixes a potential deadlock as\nshown below\n\nCPU 0                                CPU 1\n------------------------------------------------------------------\ncifs_demultiplex_thread()            cifs_debug_data_proc_show()\n release_mid()\n  spin_lock(&server->mid_lock);\n                                     spin_lock(&cifs_tcp_ses_lock)\n\t\t\t\t      spin_lock(&server->mid_lock)\n  __release_mid()\n   smb2_find_smb_tcon()\n    spin_lock(&cifs_tcp_ses_lock) *deadlock*",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n   register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n   located using per-cpu asm macro. Computing per-cpu symbol requires\n   a temporary register. x31 is saved away into CSR_SCRATCH\n   (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack:     [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n  ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n  gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n  t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n  s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n  a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n  a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n  s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n  s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n  s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n  s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n  t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [<ffffffff80006754>] dump_backtrace+0x30/0x38\n [<ffffffff808de798>] show_stack+0x40/0x4c\n [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c\n [<ffffffff808ea2d8>] dump_stack+0x18/0x20\n [<ffffffff808dec06>] panic+0x126/0x2fe\n [<ffffffff800065ea>] walk_stackframe+0x0/0xf0\n [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\n\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\n\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.\n\nThe `i3c_master_bus_init` function may attach the I2C devices before the\nI3C bus initialization. In this flow, the DAT `alloc_entry`` will be used\nbefore the DAT `init`. Additionally, if the `i3c_master_bus_init` fails,\nthe DAT `cleanup` will execute before the device is detached, which will\nexecue DAT `free_entry` function. The above scenario can cause the driver\nto use DAT_data when it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\n\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\n\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: qcom-spmi-pmic: Fix revid implementation\n\nThe Qualcomm SPMI PMIC revid implementation is broken in multiple ways.\n\nFirst, it assumes that just because the sibling base device has been\nregistered that means that it is also bound to a driver, which may not\nbe the case (e.g. due to probe deferral or asynchronous probe). This\ncould trigger a NULL-pointer dereference when attempting to access the\ndriver data of the unbound device.\n\nSecond, it accesses driver data of a sibling device directly and without\nany locking, which means that the driver data may be freed while it is\nbeing accessed (e.g. on driver unbind).\n\nThird, it leaks a struct device reference to the sibling device which is\nlooked up using the spmi_device_from_of() every time a function (child)\ndevice is calling the revid function (e.g. on probe).\n\nFix this mess by reimplementing the revid lookup so that it is done only\nat probe of the PMIC device; the base device fetches the revid info from\nthe hardware, while any secondary SPMI device fetches the information\nfrom the base device and caches it so that it can be accessed safely\nfrom its children. If the base device has not been probed yet then probe\nof a secondary device is deferred.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler\n\nDo not loop over ring headers in hci_dma_irq_handler() that are not\nallocated and enabled in hci_dma_init(). Otherwise out of bounds access\nwill occur from rings->headers[i] access when i >= number of allocated\nring headers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: use vmm_table as array in wilc struct\n\nEnabling KASAN and running some iperf tests raises some memory issues with\nvmm_table:\n\nBUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4\nWrite of size 4 at addr c3a61540 by task wlan0-tx/95\n\nKASAN detects that we are writing data beyond range allocated to vmm_table.\nThere is indeed a mismatch between the size passed to allocator in\nwilc_wlan_init, and the range of possible indexes used later: allocation\nsize is missing a multiplication by sizeof(u32)",
          "scorev2": "0.0",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix htt mlo-offset event locking\n\nThe ath12k active pdevs are protected by RCU but the htt mlo-offset\nevent handling code calling ath12k_mac_get_ar_by_pdev_id() was not\nmarked as a read-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: split initial and dynamic conditions for extent_cache\n\nLet's allocate the extent_cache tree without dynamic conditions to avoid a\nmissing condition causing a panic as below.\n\n # create a file w/ a compressed flag\n # disable the compression\n # panic while updating extent_cache\n\nF2FS-fs (dm-64): Swapfile: last extent is not aligned to section\nF2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)\nAdding 124996k swap on ./swap-file.  Priority:0 extents:2 across:17179494468k\n==================================================================\nBUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\nBUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\nBUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\nBUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\nBUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\nWrite of size 4 at addr 0000000000000030 by task syz-executor154/3327\n\nCPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G           O      5.10.185 #1\nHardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023\nCall Trace:\n __dump_stack out/common/lib/dump_stack.c:77 [inline]\n dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118\n __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415\n kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428\n kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186\n __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37\n instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\n atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\n queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\n __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\n _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\n __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155\n f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172\n f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]\n f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764\n vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310\n ksys_fallocate out/common/fs/open.c:333 [inline]\n __do_sys_fallocate out/common/fs/open.c:341 [inline]\n __se_sys_fallocate out/common/fs/open.c:339 [inline]\n __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339\n do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix delete_endpoint() vs parent unregistration race\n\nThe CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of\nports (struct cxl_port objects) between an endpoint and the root of a\nCXL topology. Each port including the endpoint port is attached to the\ncxl_port driver.\n\nGiven that setup, it follows that when either any port in that lineage\ngoes through a cxl_port ->remove() event, or the memdev goes through a\ncxl_mem ->remove() event. The hierarchy below the removed port, or the\nentire hierarchy if the memdev is removed needs to come down.\n\nThe delete_endpoint() callback is careful to check whether it is being\ncalled to tear down the hierarchy, or if it is only being called to\nteardown the memdev because an ancestor port is going through\n->remove().\n\nThat care needs to take the device_lock() of the endpoint's parent.\nWhich requires 2 bugs to be fixed:\n\n1/ A reference on the parent is needed to prevent use-after-free\n   scenarios like this signature:\n\n    BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\n    Workqueue: cxl_port detach_memdev [cxl_core]\n    RIP: 0010:spin_bug+0x65/0xa0\n    Call Trace:\n      do_raw_spin_lock+0x69/0xa0\n     __mutex_lock+0x695/0xb80\n     delete_endpoint+0xad/0x150 [cxl_core]\n     devres_release_all+0xb8/0x110\n     device_unbind_cleanup+0xe/0x70\n     device_release_driver_internal+0x1d2/0x210\n     detach_memdev+0x15/0x20 [cxl_core]\n     process_one_work+0x1e3/0x4c0\n     worker_thread+0x1dd/0x3d0\n\n2/ In the case of RCH topologies, the parent device that needs to be\n   locked is not always @port->dev as returned by cxl_mem_find_port(), use\n   endpoint->dev.parent instead.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_actor()\n\nsyzbot reported the following crash [1]\n\nAfter releasing unix socket lock, u->oob_skb can be changed\nby another thread. We must temporarily increase skb refcount\nto make sure this other thread will not free the skb under us.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nRead of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297\n\nCPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0xc4/0x620 mm/kasan/report.c:475\nkasan_report+0xda/0x110 mm/kasan/report.c:588\nunix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866\nunix_stream_recv_urg net/unix/af_unix.c:2587 [inline]\nunix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666\nunix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903\nsock_recvmsg_nosec net/socket.c:1044 [inline]\nsock_recvmsg+0xe2/0x170 net/socket.c:1066\n____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803\n___sys_recvmsg+0x115/0x1a0 net/socket.c:2845\n__sys_recvmsg+0x114/0x1e0 net/socket.c:2875\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fc67492c559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559\nRDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340\nR13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388\n</TASK>\n\nAllocated by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523\n__alloc_skb+0x287/0x330 net/core/skbuff.c:641\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331\nsock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780\nsock_alloc_send_skb include/net/sock.h:1884 [inline]\nqueue_oob net/unix/af_unix.c:2147 [inline]\nunix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2667\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 5295:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200\nkasan_slab_free include/linux/kasan.h:164 [inline]\nslab_free_hook mm/slub.c:1800 [inline]\nslab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826\nslab_free mm/slub.c:3809 [inline]\nkmem_cache_free+0xf8/0x340 mm/slub.c:3831\nkfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015\n__kfree_skb net/core/skbuff.c:1073 [inline]\nconsume_skb net/core/skbuff.c:1288 [inline]\nconsume_skb+0xdf/0x170 net/core/skbuff.c:1282\nqueue_oob net/unix/af_unix.c:2178 [inline]\nu\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer()\n\nWhen ddc_service_construct() is called, it explicitly checks both the\nlink type and whether there is something on the link which will\ndictate whether the pin is marked as hw_supported.\n\nIf the pin isn't set or the link is not set (such as from\nunloading/reloading amdgpu in an IGT test) then fail the\namdgpu_dm_i2c_xfer() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient                  server\n        \u00a6  clc proposal\n        ------------->\n        \u00a6  clc accept\n        <-------------\n        \u00a6  clc confirm\n        ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n        \u00a6failed llc confirm\n        \u00a6   x------\n(after 2s)timeout\n                        wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n                        (after 2s) timeout\n        \u00a6   decline\n        -------------->\n        \u00a6   decline\n        <--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dfs-radar and temperature event locking\n\nThe ath12k active pdevs are protected by RCU but the DFS-radar and\ntemperature event handling code calling ath12k_mac_get_ar_by_pdev_id()\nwas not marked as a read-side critical section.\n\nMark the code in question as RCU read-side critical sections to avoid\nany potential use-after-free issues.\n\nNote that the temperature event handler looks like a place holder\ncurrently but would still trigger an RCU lockdep splat.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix gtk offload status event locking\n\nThe ath11k active pdevs are protected by RCU but the gtk offload status\nevent handling code calling ath11k_mac_get_arvif_by_vdev_id() was not\nmarked as a read-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: deal with large GSO size\n\nAfter the blamed commit below, the TCP sockets (and the MPTCP subflows)\ncan build egress packets larger than 64K. That exceeds the maximum DSS\ndata size, the length being misrepresent on the wire and the stream being\ncorrupted, as later observed on the receiver:\n\n  WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0\n  CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.\n  RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705\n  RSP: 0018:ffffc90000006e80 EFLAGS: 00010246\n  RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.\n  RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908\n  RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a\n  R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908\n  R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29\n  FS:  00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\n  PKRU: 55555554\n  Call Trace:\n   <IRQ>\n   mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819\n   subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409\n   tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151\n   tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098\n   tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483\n   tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749\n   ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438\n   ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483\n   ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304\n   __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532\n   process_backlog+0x353/0x660 net/core/dev.c:5974\n   __napi_poll+0xc6/0x5a0 net/core/dev.c:6536\n   net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603\n   __do_softirq+0x184/0x524 kernel/softirq.c:553\n   do_softirq+0xdd/0x130 kernel/softirq.c:454\n\nAddress the issue explicitly bounding the maximum GSO size to what MPTCP\nactually allows.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Pass AT_GETATTR_NOSEC flag to getattr interface function\n\nWhen vfs_getattr_nosec() calls a filesystem's getattr interface function\nthen the 'nosec' should propagate into this function so that\nvfs_getattr_nosec() can again be called from the filesystem's gettattr\nrather than vfs_getattr(). The latter would add unnecessary security\nchecks that the initial vfs_getattr_nosec() call wanted to avoid.\nTherefore, introduce the getattr flag GETATTR_NOSEC and allow to pass\nwith the new getattr_flags parameter to the getattr interface function.\nIn overlayfs and ecryptfs use this flag to determine which one of the\ntwo functions to call.\n\nIn a recent code change introduced to IMA vfs_getattr_nosec() ended up\ncalling vfs_getattr() in overlayfs, which in turn called\nsecurity_inode_getattr() on an exiting process that did not have\ncurrent->fs set anymore, which then caused a kernel NULL pointer\ndereference. With this change the call to security_inode_getattr() can\nbe avoided, thus avoiding the NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvneta: fix calls to page_pool_get_stats\n\nCalling page_pool_get_stats in the mvneta driver without checks\nleads to kernel crashes.\nFirst the page pool is only available if the bm is not used.\nThe page pool is also not allocated when the port is stopped.\nIt can also be not allocated in case of errors.\n\nThe current implementation leads to the following crash calling\nethstats on a port that is down or when calling it at the wrong moment:\n\nble to handle kernel NULL pointer dereference at virtual address 00000070\n[00000070] *pgd=00000000\nInternal error: Oops: 5 [#1] SMP ARM\nHardware name: Marvell Armada 380/385 (Device Tree)\nPC is at page_pool_get_stats+0x18/0x1cc\nLR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta]\npc : [<c0b413cc>]    lr : [<bf0a98d8>]    psr: a0000013\nsp : f1439d48  ip : f1439dc0  fp : 0000001d\nr10: 00000100  r9 : c4816b80  r8 : f0d75150\nr7 : bf0b400c  r6 : c238f000  r5 : 00000000  r4 : f1439d68\nr3 : c2091040  r2 : ffffffd8  r1 : f1439d68  r0 : 00000000\nFlags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\nControl: 10c5387d  Table: 066b004a  DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390\nRegister r2 information: non-paged memory\nRegister r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048\nRegister r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390\nRegister r5 information: NULL pointer\nRegister r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096\nRegister r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c\nRegister r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208\nRegister r9 information: slab task_struct start c4816b80 pointer offset 0\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390\nProcess snmpd (pid: 733, stack limit = 0x38de3a88)\nStack: (0xf1439d48 to 0xf143a000)\n9d40:                   000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80\n9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000\n9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8\n9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50\n9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d\n9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000\n9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000\n9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80\n9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8\n9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40\n9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000\n9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0\n9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0\n9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014\n9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c\n9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036\n9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000\n9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0\n9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000\n page_pool_get_s\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in 'usb_get_bos_descriptor()'\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction 'usb_get_bos_descriptor()' encounters an iteration issue when\nskipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a 'goto' statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Track xmit submission to PTP WQ after populating metadata map\n\nEnsure the skb is available in metadata mapping to skbs before tracking the\nmetadata index for detecting undelivered CQEs. If the metadata index is put\nin the tracking list before putting the skb in the map, the metadata index\nmight be used for detecting undelivered CQEs before the relevant skb is\navailable in the map, which can lead to a null-ptr-deref.\n\nLog:\n    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN\n    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ #108\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n    Workqueue: events mlx5e_rx_dim_work [mlx5_core]\n    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]\n    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07\n    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206\n    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005\n    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028\n    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383\n    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40\n    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000\n    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n    <IRQ>\n    ? die_addr+0x3c/0xa0\n    ? exc_general_protection+0x144/0x210\n    ? asm_exc_general_protection+0x22/0x30\n    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]\n    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]\n    __napi_poll.constprop.0+0xa4/0x580\n    net_rx_action+0x460/0xb80\n    ? _raw_spin_unlock_irqrestore+0x32/0x60\n    ? __napi_poll.constprop.0+0x580/0x580\n    ? tasklet_action_common.isra.0+0x2ef/0x760\n    __do_softirq+0x26c/0x827\n    irq_exit_rcu+0xc2/0x100\n    common_interrupt+0x7f/0xa0\n    </IRQ>\n    <TASK>\n    asm_common_interrupt+0x22/0x40\n    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330\n    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83\n    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246\n    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218\n    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0\n    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9\n    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0\n    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450\n    ? cmd_exec+0x796/0x2200 [mlx5_core]\n    kmalloc_trace+0x26/0xc0\n    cmd_exec+0x796/0x2200 [mlx5_core]\n    mlx5_cmd_do+0x22/0xc0 [mlx5_core]\n    mlx5_cmd_exec+0x17/0x30 [mlx5_core]\n    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]\n    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]\n    ? lockdep_set_lock_cmp_fn+0x190/0x190\n    ? process_one_work+0x659/0x1220\n    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]\n    process_one_work+0x730/0x1220\n    ? lockdep_hardirqs_on_prepare+0x400/0x400\n    ? max_active_store+0xf0/0xf0\n    ? assign_work+0x168/0x240\n    worker_thread+0x70f/0x12d0\n    ? __kthread_parkme+0xd1/0x1d0\n    ? process_one_work+0x1220/0x1220\n    kthread+0x2d9/0x3b0\n    ? kthread_complete_and_exit+0x20/0x20\n    ret_from_fork+0x2d/0x70\n    ? kthread_complete_and_exit+0x20/0x20\n    ret_from_fork_as\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wangxun: fix kernel panic due to null pointer\n\nWhen the device uses a custom subsystem vendor ID, the function\nwx_sw_init() returns before the memory of 'wx->mac_table' is allocated.\nThe null pointer will cause the kernel panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: stop the device in bond_setup_by_slave()\n\nCommit 9eed321cde22 (\"net: lapbether: only support ethernet devices\")\nhas been able to keep syzbot away from net/lapb, until today.\n\nIn the following splat [1], the issue is that a lapbether device has\nbeen created on a bonding device without members. Then adding a non\nARPHRD_ETHER member forced the bonding master to change its type.\n\nThe fix is to make sure we call dev_close() in bond_setup_by_slave()\nso that the potential linked lapbether devices (or any other devices\nhaving assumptions on the physical device) are removed.\n\nA similar bug has been addressed in commit 40baec225765\n(\"bonding: fix panic on non-ARPHRD_ETHER enslave failure\")\n\n[1]\nskbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0\nkernel BUG at net/core/skbuff.c:192 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_panic net/core/skbuff.c:188 [inline]\npc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nlr : skb_panic net/core/skbuff.c:188 [inline]\nlr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nsp : ffff800096a06aa0\nx29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000\nx26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea\nx23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140\nx20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100\nx17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001\nx14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00\nx8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c\nx2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086\nCall trace:\nskb_panic net/core/skbuff.c:188 [inline]\nskb_under_panic+0x13c/0x140 net/core/skbuff.c:202\nskb_push+0xf0/0x108 net/core/skbuff.c:2446\nip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384\ndev_hard_header include/linux/netdevice.h:3136 [inline]\nlapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257\nlapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447\nlapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149\nlapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251\n__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326\nlapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nlapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466\nnotifier_call_chain+0x1a4/0x510 kernel/notifier.c:93\nraw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1970 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:2008 [inline]\ncall_netdevice_notifiers net/core/dev.c:2022 [inline]\n__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508\ndev_close_many+0x1e0/0x470 net/core/dev.c:1559\ndev_close+0x174/0x250 net/core/dev.c:1585\nbond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332\nbond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539\ndev_ifsioc+0x754/0x9ac\ndev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786\nsock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217\nsock_ioctl+0x4e8/0x834 net/socket.c:1322\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix racing issue between ufshcd_mcq_abort() and ISR\n\nIf command timeout happens and cq complete IRQ is raised at the same time,\nufshcd_mcq_abort clears lprb->cmd and a NULL pointer deref happens in the\nISR. Error log:\n\nufshcd_abort: Device abort task at tag 18\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000108\npc : [0xffffffe27ef867ac] scsi_dma_unmap+0xc/0x44\nlr : [0xffffffe27f1b898c] ufshcd_release_scsi_cmd+0x24/0x114",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix racy may inline data check in dio write\n\nsyzbot reports that the following warning from ext4_iomap_begin()\ntriggers as of the commit referenced below:\n\n        if (WARN_ON_ONCE(ext4_has_inline_data(inode)))\n                return -ERANGE;\n\nThis occurs during a dio write, which is never expected to encounter\nan inode with inline data. To enforce this behavior,\next4_dio_write_iter() checks the current inline state of the inode\nand clears the MAY_INLINE_DATA state flag to either fall back to\nbuffered writes, or enforce that any other writers in progress on\nthe inode are not allowed to create inline data.\n\nThe problem is that the check for existing inline data and the state\nflag can span a lock cycle. For example, if the ilock is originally\nlocked shared and subsequently upgraded to exclusive, another writer\nmay have reacquired the lock and created inline data before the dio\nwrite task acquires the lock and proceeds.\n\nThe commit referenced below loosens the lock requirements to allow\nsome forms of unaligned dio writes to occur under shared lock, but\nAFAICT the inline data check was technically already racy for any\ndio write that would have involved a lock cycle. Regardless, lift\nclearing of the state bit to the same lock critical section that\nchecks for preexisting inline data on the inode to close the race.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: make sure active queue usage is held for bio_integrity_prep()\n\nblk_integrity_unregister() can come if the queue usage counter isn't held\nfor one bio with integrity prepared, so this request may be completed by\ncalling profile->complete_fn, then kernel panic.\n\nAnother constraint is that bio_integrity_prep() needs to be called\nbefore bio merge.\n\nFix the issue by:\n\n- call bio_integrity_prep() with one queue usage counter grabbed reliably\n\n- call bio_integrity_prep() before bio merge",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni915/perf: Fix NULL deref bugs with drm_dbg() calls\n\nWhen the i915 perf interface is not available, dereferencing it will lead to\nNULL dereferences.\n\nReturning -ENOTSUPP is a pretty clear return value when the perf interface is not\navailable.\n\n[tursulin: added stable tag]\n(cherry picked from commit 36f27350ff745bd228ab04d7845dfbffc177a889)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: vcc: Add check for kstrdup() in vcc_probe()\n\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: fix out-of-bounds TLB allocations with CONFIG_SWIOTLB_DYNAMIC\n\nLimit the free list length to the size of the IO TLB. Transient pool can be\nsmaller than IO_TLB_SEGSIZE, but the free list is initialized with the\nassumption that the total number of slots is a multiple of IO_TLB_SEGSIZE.\nAs a result, swiotlb_area_find_slots() may allocate slots past the end of\na transient IO TLB buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Run atomic i2c xfer when !preemptible\n\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\n\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\n\n[   12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[   12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[   12.742376]  schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[   12.749179]  wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[   12.994527]  atomic_notifier_call_chain from machine_restart+0x34/0x58\n[   13.001050]  machine_restart from panic+0x2a8/0x32c\n\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Do not try to cleanup after cxl_region_setup_targets() fails\n\nCommit 5e42bcbc3fef (\"cxl/region: decrement ->nr_targets on error in\ncxl_region_attach()\") tried to avoid 'eiw' initialization errors when\n->nr_targets exceeded 16, by just decrementing ->nr_targets when\ncxl_region_setup_targets() failed.\n\nCommit 86987c766276 (\"cxl/region: Cleanup target list on attach error\")\nextended that cleanup to also clear cxled->pos and p->targets[pos]. The\ninitialization error was incidentally fixed separately by:\nCommit 8d4285425714 (\"cxl/region: Fix port setup uninitialized variable\nwarnings\") which was merged a few days after 5e42bcbc3fef.\n\nBut now the original cleanup when cxl_region_setup_targets() fails\nprevents endpoint and switch decoder resources from being reused:\n\n1) the cleanup does not set the decoder's region to NULL, which results\n   in future dpa_size_store() calls returning -EBUSY\n2) the decoder is not properly freed, which results in future commit\n   errors associated with the upstream switch\n\nNow that the initialization errors were fixed separately, the proper\ncleanup for this case is to just return immediately. Then the resources\nassociated with this target get cleaned up as normal when the failed\nregion is deleted.\n\nThe ->nr_targets decrement in the error case also helped prevent\na p->targets[] array overflow, so add a new check to prevent against\nthat overflow.\n\nTested by trying to create an invalid region for a 2 switch * 2 endpoint\ntopology, and then following up with creating a valid region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: powerclamp: fix mismatch in get function for max_idle\n\nKASAN reported this\n\n      [ 444.853098] BUG: KASAN: global-out-of-bounds in param_get_int+0x77/0x90\n      [ 444.853111] Read of size 4 at addr ffffffffc16c9220 by task cat/2105\n      ...\n      [ 444.853442] The buggy address belongs to the variable:\n      [ 444.853443] max_idle+0x0/0xffffffffffffcde0 [intel_powerclamp]\n\nThere is a mismatch between the param_get_int and the definition of\nmax_idle.  Replacing param_get_int with param_get_byte resolves this\nissue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-vdpa: fix use after free in vhost_vdpa_probe()\n\nThe put_device() calls vhost_vdpa_release_dev() which calls\nida_simple_remove() and frees \"v\".  So this call to\nida_simple_remove() is a use after free and a double free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: add ipvlan_route_v6_outbound() helper\n\nInspired by syzbot reports using a stack of multiple ipvlan devices.\n\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in a non-inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\n\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\n\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\n\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n</#DF>\n<TASK>\n[<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]\n[<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]\n[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]\n[<f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: Check find_first_bit() return value\n\nWe must check the return value of find_first_bit() before using the\nreturn value as an index array since it happens to overflow the array\nand then panic:\n\n[  107.318430] Kernel BUG [#1]\n[  107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G            E      6.6.0-rc6ubuntu-defconfig #2\n[  107.319465] Hardware name: riscv-virtio,qemu (DT)\n[  107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae\n[  107.319840]  ra : pmu_sbi_ovf_handler+0x52/0x3ae\n[  107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350\n[  107.319884]  gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480\n[  107.319899]  t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520\n[  107.319921]  s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff\n[  107.319936]  a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000\n[  107.319951]  a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55\n[  107.319965]  s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f\n[  107.319980]  s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000\n[  107.319995]  s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0\n[  107.320009]  s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000\n[  107.320023]  t5 : ffffaf7f80000000 t6 : ffffaf8000000000\n[  107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n[  107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae\n[  107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0\n[  107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36\n[  107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e\n[  107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86\n[  107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96\n[  107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097\n[  107.320585] ---[ end trace 0000000000000000 ]---\n[  107.320704] Kernel panic - not syncing: Fatal exception in interrupt\n[  107.320775] SMP: stopping secondary CPUs\n[  107.321219] Kernel Offset: 0x0 from 0xffffffff80000000\n[  107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix dfs radar event locking\n\nThe ath11k active pdevs are protected by RCU but the DFS radar event\nhandling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in dbFindLeaf\n\nCurrently while searching for dmtree_t for sufficient free blocks there\nis an array out of bounds while getting an element in tp->dm_stree. To add\nthe required check for out of bounds we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix missing update of domains_itree after splitting iopt_area\n\nIn iopt_area_split(), if the original iopt_area has filled a domain and is\nlinked to domains_itree, pages_nodes have to be properly\nreinserted. Otherwise the domains_itree becomes corrupted and we will UAF.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in a separate rpc_remove_pipedir()\nworkqueue, which takes care about pipefs superblock locking.\nIn some special scenarios, when the kernel frees the pipefs sb of the\ncurrent client and immediately allocates a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be caught by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add validity check for db_maxag and db_agpref\n\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\n\nThe following is a related bug reported by Syzbot:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\n\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is no check against the agno of the iag while\nallocating new inodes to avoid the fragmentation problem. Added the check\nwhich is required.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix possible null-ptr-deref when assigning a stream\n\nWhile AudioDSP drivers assign streams exclusively of HOST or LINK type,\nnothing blocks a user from attempting to assign a COUPLED stream. As the\nsupplied substream instance may be a stub, which is the case when\ncode-loading, such a scenario ends with a null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs\n\nThe hns3 driver defines an array of strings to show the coalesce\ninfo, but if the kernel adds a new mode or a new state,\nout-of-bounds access may occur when coalesce info is read via\ndebugfs. This patch fixes the problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\n\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, an illegal pointer is accessed.\n\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000]  down_write+0x24/0x70\n[ 1669.968301]  debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905]  hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541]  hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175]  pci_device_remove+0x48/0xd8\n[ 1669.988082]  device_release_driver_internal+0x1b4/0x250\n[ 1669.993282]  device_release_driver+0x28/0x38\n[ 1669.997534]  pci_stop_bus_device+0x84/0xb8\n[ 1670.001611]  pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244]  remove_store+0xfc/0x140\n[ 1670.010802]  dev_attr_store+0x44/0x60\n[ 1670.014448]  sysfs_kf_write+0x58/0x80\n[ 1670.018095]  kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000]  __vfs_write+0x60/0x190\n[ 1670.025472]  vfs_write+0xac/0x1c0\n[ 1670.028771]  ksys_write+0x6c/0xd8\n[ 1670.032071]  __arm64_sys_write+0x24/0x30\n[ 1670.035977]  el0_svc_common+0x78/0x130\n[ 1670.039710]  el0_svc_handler+0x38/0x78\n[ 1670.043442]  el0_svc+0x8/0xc\n\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\n\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking the return value of fc_rport_create() and logging an error\nmessage when fc_rport_create() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Add check for negative db_l2nbperpage\n\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\n\nIn the case of l2nbperpage being negative, an error will occur\nwhen it is subsequently used as a shift exponent.\n\nSyzbot reported this bug:\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue's event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perform the appropriate\nfailure or recovery action.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhang at wait_for_completion(&wait->completion), which will cause\nhungtask.\n\nThe problem comes as follows:\n(padata_do_parallel)                 |\n    rcu_read_lock_bh();              |\n    err = -EINVAL;                   |   (padata_replace)\n                                     |     pinst->flags |= PADATA_RESET;\n    err = -EBUSY                     |\n    if (pinst->flags & PADATA_RESET) |\n        rcu_read_unlock_bh()         |\n        return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential null pointer dereference\n\nThe amdgpu_ras_get_context may return NULL if the device\ndoes not support the ras feature, so add a check before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vkms: fix a possible null pointer dereference\n\nIn amdgpu_vkms_conn_get_modes(), the return value of drm_cvt_mode()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_cvt_mode(). Add a check to avoid null pointer\ndereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix shift out-of-bounds issue\n\n[  567.613292] shift exponent 255 is too large for 64-bit type 'long unsigned int'\n[  567.614498] CPU: 5 PID: 238 Comm: kworker/5:1 Tainted: G           OE      6.2.0-34-generic #34~22.04.1-Ubuntu\n[  567.614502] Hardware name: AMD Splinter/Splinter-RPL, BIOS WS43927N_871 09/25/2023\n[  567.614504] Workqueue: events send_exception_work_handler [amdgpu]\n[  567.614748] Call Trace:\n[  567.614750]  <TASK>\n[  567.614753]  dump_stack_lvl+0x48/0x70\n[  567.614761]  dump_stack+0x10/0x20\n[  567.614763]  __ubsan_handle_shift_out_of_bounds+0x156/0x310\n[  567.614769]  ? srso_alias_return_thunk+0x5/0x7f\n[  567.614773]  ? update_sd_lb_stats.constprop.0+0xf2/0x3c0\n[  567.614780]  svm_range_split_by_granularity.cold+0x2b/0x34 [amdgpu]\n[  567.615047]  ? srso_alias_return_thunk+0x5/0x7f\n[  567.615052]  svm_migrate_to_ram+0x185/0x4d0 [amdgpu]\n[  567.615286]  do_swap_page+0x7b6/0xa30\n[  567.615291]  ? srso_alias_return_thunk+0x5/0x7f\n[  567.615294]  ? __free_pages+0x119/0x130\n[  567.615299]  handle_pte_fault+0x227/0x280\n[  567.615303]  __handle_mm_fault+0x3c0/0x720\n[  567.615311]  handle_mm_fault+0x119/0x330\n[  567.615314]  ? lock_mm_and_find_vma+0x44/0x250\n[  567.615318]  do_user_addr_fault+0x1a9/0x640\n[  567.615323]  exc_page_fault+0x81/0x1b0\n[  567.615328]  asm_exc_page_fault+0x27/0x30\n[  567.615332] RIP: 0010:__get_user_8+0x1c/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\n\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\n\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log:\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubuntu\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac ttm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solomon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\n\nFor pptable structs that use flexible array sizes, use flexible arrays.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: fix a possible null pointer dereference\n\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix a race condition of vram buffer unref in svm code\n\nprange->svm_bo unref can happen in both mmu callback and a callback after\nmigrate to system ram. Both are async calls in different tasks. Sync svm_bo\nunref operation to avoid random \"use-after-free\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()\n\nlen is extracted from HTT message and could be an unexpected value in\ncase errors happen, so add validation before using to avoid possible\nout-of-bound read in the following message iteration and parsing.\n\nThe same issue also applies to ppdu_info->ppdu_stats.common.num_users,\nso validate it before using too.\n\nThese are found during code review.\n\nCompile test only.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0  // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu/hotplug: Don't offline the last non-isolated CPU\n\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto an unhandled empty CPU mask in partition_sched_domains_locked().\n\ncpuset_hotplug_workfn()\n  rebuild_sched_domains_locked()\n    ndoms = generate_sched_domains(&doms, &attr);\n      cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\n\nThis results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\n\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\n\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n\nAside from the resulting crash, it does not make any sense to offline the\nlast housekeeping CPU.\n\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G        WC OE\n Call Trace:\n  dump_stack+0x74/0x92\n  ubsan_epilogue+0x9/0x50\n  handle_overflow+0x8d/0xd0\n  __ubsan_handle_mul_overflow+0xe/0x10\n  nl80211_send_iface+0x688/0x6b0 [cfg80211]\n  [...]\n  cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n  cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n  [...]\n  ieee80211_if_add+0x60e/0x8f0 [mac80211]\n  ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add data->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS:  00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708]  btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732]  hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753]  rfkill_set_block+0x92/0x160\n[ 6104.969755]  rfkill_fop_write+0x136/0x1e0\n[ 6104.969759]  __vfs_write+0x18/0x40\n[ 6104.969761]  vfs_write+0xdf/0x1c0\n[ 6104.969763]  ksys_write+0xb1/0xe0\n[ 6104.969765]  __x64_sys_write+0x1a/0x20\n[ 6104.969769]  do_syscall_64+0x51/0x180\n[ 6104.969771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natl1c: Work around the DMA RX overflow issue\n\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\n\nThe alx and atl1c drivers had an RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nwas then created for the alx driver, but not for atl1c due to lack of a tester.\n\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from the problematic 0x...fc0 address.\n\nTested on AR8131 on Acer 4540.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the requested AUX area is out of bounds\n\nWhen running perf-record with a large AUX area, e.g. 4GB, it fails with:\n\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintain AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the requested AUX area is out of bounds,\ne.g.:\n\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/ww_mutex/test: Fix potential workqueue corruption\n\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\n\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\n\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\n\nUnfortunately the workqueue work_struct node is in the stress\nstruct, which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\n\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\n\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_open\n\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen freed in nbd_dev_remove().\n\nFix this by implementing ->free_disk and freeing private data in it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imsttfb: fix a resource leak in probe\n\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: Do not broadcast to other cpus when starting a counter\n\nThis command:\n\n$ perf record -e cycles:k -e instructions:k -c 10000 -m 64M dd if=/dev/zero of=/dev/null count=1000\n\ngives rise to this kernel warning:\n\n[  444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436\n[  444.364515] Modules linked in:\n[  444.364657] CPU: 0 PID: 104 Comm: perf-exec Not tainted 6.6.0-rc6-00051-g391df82e8ec3-dirty #73\n[  444.364771] Hardware name: riscv-virtio,qemu (DT)\n[  444.364868] epc : smp_call_function_many_cond+0x42c/0x436\n[  444.364917]  ra : on_each_cpu_cond_mask+0x20/0x32\n[  444.364948] epc : ffffffff8009f9e0 ra : ffffffff8009fa5a sp : ff20000000003800\n[  444.364966]  gp : ffffffff81500aa0 tp : ff60000002b83000 t0 : ff200000000038c0\n[  444.364982]  t1 : ffffffff815021f0 t2 : 000000000000001f s0 : ff200000000038b0\n[  444.364998]  s1 : ff60000002c54d98 a0 : ff60000002a73940 a1 : 0000000000000000\n[  444.365013]  a2 : 0000000000000000 a3 : 0000000000000003 a4 : 0000000000000100\n[  444.365029]  a5 : 0000000000010100 a6 : 0000000000f00000 a7 : 0000000000000000\n[  444.365044]  s2 : 0000000000000000 s3 : ffffffffffffffff s4 : ff60000002c54d98\n[  444.365060]  s5 : ffffffff81539610 s6 : ffffffff80c20c48 s7 : 0000000000000000\n[  444.365075]  s8 : 0000000000000000 s9 : 0000000000000001 s10: 0000000000000001\n[  444.365090]  s11: ffffffff80099394 t3 : 0000000000000003 t4 : 00000000eac0c6e6\n[  444.365104]  t5 : 0000000400000000 t6 : ff60000002e010d0\n[  444.365120] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n[  444.365226] [<ffffffff8009f9e0>] smp_call_function_many_cond+0x42c/0x436\n[  444.365295] [<ffffffff8009fa5a>] on_each_cpu_cond_mask+0x20/0x32\n[  444.365311] [<ffffffff806e90dc>] pmu_sbi_ctr_start+0x7a/0xaa\n[  444.365327] [<ffffffff806e880c>] riscv_pmu_start+0x48/0x66\n[  444.365339] [<ffffffff8012111a>] perf_adjust_freq_unthr_context+0x196/0x1ac\n[  444.365356] [<ffffffff801237aa>] perf_event_task_tick+0x78/0x8c\n[  444.365368] [<ffffffff8003faf4>] scheduler_tick+0xe6/0x25e\n[  444.365383] [<ffffffff8008a042>] update_process_times+0x80/0x96\n[  444.365398] [<ffffffff800991ec>] tick_sched_handle+0x26/0x52\n[  444.365410] [<ffffffff800993e4>] tick_sched_timer+0x50/0x98\n[  444.365422] [<ffffffff8008a6aa>] __hrtimer_run_queues+0x126/0x18a\n[  444.365433] [<ffffffff8008b350>] hrtimer_interrupt+0xce/0x1da\n[  444.365444] [<ffffffff806cdc60>] riscv_timer_interrupt+0x30/0x3a\n[  444.365457] [<ffffffff8006afa6>] handle_percpu_devid_irq+0x80/0x114\n[  444.365470] [<ffffffff80065b82>] generic_handle_domain_irq+0x1c/0x2a\n[  444.365483] [<ffffffff8045faec>] riscv_intc_irq+0x2e/0x46\n[  444.365497] [<ffffffff808a9c62>] handle_riscv_irq+0x4a/0x74\n[  444.365521] [<ffffffff808aa760>] do_irq+0x7c/0x7e\n[  444.365796] ---[ end trace 0000000000000000 ]---\n\nThat's because the fix in commit 3fec323339a4 (\"drivers: perf: Fix panic\nin riscv SBI mmap support\") was wrong since there is no need to broadcast\nto other cpus when starting a counter, that's only needed in mmap when\nthe counters could have already been started on other cpus, so simply\nremove this broadcast.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\n\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: mux: Add check and kfree for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()\n\nKMSAN reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\n virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nUninit was stored to memory at:\n virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]\n virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nUninit was created at:\n slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]\n virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58\n virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]\n virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nCPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014\nWorkqueue: vsock-loopback vsock_loopback_work\n=====================================================\n\nThe following simple reproducer can cause the issue described above:\n\nint main(void)\n{\n  int sock;\n  struct sockaddr_vm addr = {\n    .svm_family = AF_VSOCK,\n    .svm_cid = VMADDR_CID_ANY,\n    .svm_port = 1234,\n  };\n\n  sock = socket(AF_VSOCK, SOCK_STREAM, 0);\n  connect(sock, (struct sockaddr *)&addr, sizeof(addr));\n  return 0;\n}\n\nThis issue occurs because the `buf_alloc` and `fwd_cnt` fields of the\n`struct virtio_vsock_hdr` are not initialized when a new skb is allocated\nin `virtio_transport_init_hdr()`. This patch resolves the issue by\ninitializing these fields during allocation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: verify mac len before reading mac header\n\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\n\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\n\n    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n    netif_receive_skb_internal net/core/dev.c:5723 [inline]\n    netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\n\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\n\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2, which does not\nprotect against this tun scenario.\n\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\n\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\n\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: psi: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\n\nsyzbot reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause a buffer overrun. This\ncauses the above issue.\n\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\n\nsyzbot reported a similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Prevent use after free in prp_create_tagged_frame()\n\nThe prp_fill_rct() function can fail.  In that situation, it frees the\nskb and returns NULL.  Meanwhile on the success path, it returns the\noriginal skb.  So it's straightforward to fix the bug by using the returned\nvalue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bttv: fix use after free error due to btv->timeout timer\n\nThere may be a race condition between the timer function\nbttv_irq_timeout and bttv_remove. The timer is set up in\nprobe and there is no timer_delete operation in the remove\nfunction. When it hits kfree(btv), the function might still be\ninvoked, which will cause a use after free bug.\n\nThis bug is found by static analysis, it may be false positive.\n\nFix it by adding del_timer_sync invoking to the remove function.\n\ncpu0                cpu1\n                  bttv_probe\n                    ->timer_setup\n                      ->bttv_set_dma\n                        ->mod_timer;\nbttv_remove\n  ->kfree(btv);\n                  ->bttv_irq_timeout\n                    ->USE btv",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to drop meta_inode's page cache in f2fs_put_super()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1\nkernel BUG at fs/f2fs/super.c:1639!\nCPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0\nRIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639\nCall Trace:\n generic_shutdown_super+0x161/0x3c0 fs/super.c:693\n kill_block_super+0x3b/0x70 fs/super.c:1646\n kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879\n deactivate_locked_super+0x9a/0x170 fs/super.c:481\n deactivate_super+0xde/0x100 fs/super.c:514\n cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254\n task_work_run+0x14d/0x240 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296\n do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIn f2fs_put_super(), it tries to do sanity check on dirty and IO\nreference count of f2fs, once there is any reference count leak,\nit will trigger panic.\n\nThe root cause is, during f2fs_put_super(), if there is any IO error\nin f2fs_wait_on_all_pages(), we missed truncating meta_inode's page\ncache later, resulting in panic; fix this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that removing cxl_mock_mem causes a crash with the following\ntrace:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000044\n [..]\n RIP: 0010:cxl_region_decode_reset+0x7f/0x180 [cxl_core]\n [..]\n Call Trace:\n  <TASK>\n  cxl_region_detach+0xe8/0x210 [cxl_core]\n  cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n  cxld_unregister+0x29/0x40 [cxl_core]\n  devres_release_all+0xb8/0x110\n  device_unbind_cleanup+0xe/0x70\n  device_release_driver_internal+0x1d2/0x210\n  bus_remove_device+0xd7/0x150\n  device_del+0x155/0x3e0\n  device_unregister+0x13/0x60\n  devm_release_action+0x4d/0x90\n  ? __pfx_unregister_port+0x10/0x10 [cxl_core]\n  delete_endpoint+0x121/0x130 [cxl_core]\n  devres_release_all+0xb8/0x110\n  device_unbind_cleanup+0xe/0x70\n  device_release_driver_internal+0x1d2/0x210\n  bus_remove_device+0xd7/0x150\n  device_del+0x155/0x3e0\n  ? lock_release+0x142/0x290\n  cdev_device_del+0x15/0x50\n  cxl_memdev_unregister+0x54/0x70 [cxl_core]\n\nThis crash is due to clearing out the cxl_memdev's driver context\n(@cxlds) before the subsystem is done with it. This is ultimately due to\nthe region(s) that this memdev is a member of being torn down and expecting\nto be able to de-reference @cxlds, like here:\n\nstatic int cxl_region_decode_reset(struct cxl_region *cxlr, int count)\n...\n                if (cxlds->rcd)\n                        goto endpoint_reset;\n...\n\nFix it by keeping the driver context valid until memdev-device\nunregistration, and subsequently the entire stack of related\ndependencies, unwinds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hantro: Check whether reset op is defined before use\n\nThe i.MX8MM/N/P does not define the .reset op since reset of the VPU is\ndone by genpd. Check whether the .reset op is defined before calling it\nto avoid NULL pointer dereference.\n\nNote that the Fixes tag is set to the commit which removed the reset op\nfrom i.MX8M Hantro G2 implementation, this is because before this commit\nall the implementations did define the .reset op.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF\n\nIn the unlikely event that workqueue allocation fails and returns NULL in\nmlx5_mkey_cache_init(), delete the call to\nmlx5r_umr_resource_cleanup() (which frees the QP) in\nmlx5_ib_stage_post_ib_reg_umr_init().  This will avoid attempted double\nfree of the same QP when __mlx5_ib_add() does its cleanup.\n\nResolves a splat:\n\n   Syzkaller reported a UAF in ib_destroy_qp_user\n\n   workqueue: Failed to create a rescuer kthread for wq \"mkey_cache\": -EINTR\n   infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642):\n   failed to create work queue\n   infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642):\n   mr cache init failed -12\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)\n   Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642\n\n   Call Trace:\n   <TASK>\n   kasan_report (mm/kasan/report.c:590)\n   ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)\n   mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)\n   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178)\n   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)\n   ...\n   </TASK>\n\n   Allocated by task 1642:\n   __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026\n   mm/slab_common.c:1039)\n   create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720\n   ./include/rdma/ib_verbs.h:2795 drivers/infiniband/core/verbs.c:1209)\n   ib_create_qp_kernel (drivers/infiniband/core/verbs.c:1347)\n   mlx5r_umr_resource_init (drivers/infiniband/hw/mlx5/umr.c:164)\n   mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4070)\n   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)\n   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)\n   ...\n\n   Freed by task 1642:\n   __kmem_cache_free (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822)\n   ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2112)\n   mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)\n   mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4076\n   drivers/infiniband/hw/mlx5/main.c:4065)\n   __mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)\n   mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)\n   ...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit a cached page in compress_inode's cache, dic may be released; it needs\nto break the loop rather than continuing it, in order to avoid accessing an\ninvalid dic pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initializations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix refcnt handling in padata_free_shell()\n\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\n\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\n\n```c\nstruct request {\n    struct padata_priv padata;\n    struct completion *done;\n};\n\nvoid parallel(struct padata_priv *padata) {\n    do_something();\n}\n\nvoid serial(struct padata_priv *padata) {\n    struct request *request = container_of(padata,\n    \t\t\t\tstruct request,\n\t\t\t\tpadata);\n    complete(request->done);\n}\n\nvoid user_function() {\n    DECLARE_COMPLETION(done)\n    padata->parallel = parallel;\n    padata->serial = serial;\n    padata_do_parallel();\n    wait_for_completion(&done);\n    padata_free_shell();\n}\n```\n\nIn the corresponding padata.c file, there's the following code:\n\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n    ...\n    cnt = 0;\n\n    while (!list_empty(&local_list)) {\n        ...\n        padata->serial(padata);\n        cnt++;\n    }\n\n    local_bh_enable();\n\n    if (refcount_sub_and_test(cnt, &pd->refcnt))\n        padata_free_pd(pd);\n}\n```\n\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\n\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix possible NULL pointer dereference caused by driver concurrency\n\nIn _dwc2_hcd_urb_enqueue(), \"urb->hcpriv = NULL\" is executed without\nholding the lock \"hsotg->lock\". In _dwc2_hcd_urb_dequeue():\n\n    spin_lock_irqsave(&hsotg->lock, flags);\n    ...\n\tif (!urb->hcpriv) {\n\t\tdev_dbg(hsotg->dev, \"## urb->hcpriv is NULL ##\\n\");\n\t\tgoto out;\n\t}\n    rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv\n    ...\nout:\n    spin_unlock_irqrestore(&hsotg->lock, flags);\n\nWhen _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are\nconcurrently executed, the NULL check of \"urb->hcpriv\" can be executed\nbefore \"urb->hcpriv = NULL\". After urb->hcpriv is NULL, it can be used\nin the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL\npointer dereference.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by myself. This tool analyzes the locking APIs to extract\nfunction pairs that can be concurrently executed, and then analyzes the\ninstructions in the paired functions to identify possible concurrency\nbugs including data races and atomicity violations. The above possible\nbug is reported, when my tool analyzes the source code of Linux 6.5.\n\nTo fix this possible bug, \"urb->hcpriv = NULL\" should be executed with\nholding the lock \"hsotg->lock\". After using this patch, my tool never\nreports the possible bug, with the kernel configuration allyesconfig for\nx86_64. Because I have no associated hardware, I cannot test the patch\nin runtime testing, and just verify it according to the code logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: lt8912b: Fix crash on bridge detach\n\nThe lt8912b driver, in its bridge detach function, calls\ndrm_connector_unregister() and drm_connector_cleanup().\n\ndrm_connector_unregister() should be called only for connectors\nexplicitly registered with drm_connector_register(), which is not the\ncase in lt8912b.\n\nThe driver's drm_connector_funcs.destroy hook is set to\ndrm_connector_cleanup().\n\nThus the driver should not call either drm_connector_unregister() nor\ndrm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a\ncrash on bridge detach:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000096000006\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000\n[0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks\nCPU: 3 PID: 462 Comm: rmmod Tainted: G        W          6.5.0-rc2+ #2\nHardware name: Toradex Verdin AM62 on Verdin Development Board (DT)\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_connector_cleanup+0x78/0x2d4 [drm]\nlr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\nsp : ffff800082ed3a90\nx29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000\nx26: 0000000000000000 x25: dead000000000122 x24: dead000000000122\nx23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000\nx20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8\nx17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038\nx14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e\nx11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48\nx8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n drm_connector_cleanup+0x78/0x2d4 [drm]\n lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]\n drm_bridge_detach+0x44/0x84 [drm]\n drm_encoder_cleanup+0x40/0xb8 [drm]\n drmm_encoder_alloc_release+0x1c/0x30 [drm]\n drm_managed_release+0xac/0x148 [drm]\n drm_dev_put.part.0+0x88/0xb8 [drm]\n devm_drm_dev_init_release+0x14/0x24 [drm]\n devm_action_release+0x14/0x20\n release_nodes+0x5c/0x90\n devres_release_all+0x8c/0xe0\n device_unbind_cleanup+0x18/0x68\n device_release_driver_internal+0x208/0x23c\n driver_detach+0x4c/0x94\n bus_remove_driver+0x70/0xf4\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n tidss_platform_driver_exit+0x18/0xb2c [tidss]\n __arm64_sys_delete_module+0x1a0/0x2b4\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x60/0x10c\n do_el0_svc_compat+0x1c/0x40\n el0_svc_compat+0x40/0xac\n el0t_32_sync_handler+0xb0/0x138\n el0t_32_sync+0x194/0x198\nCode: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variables of different types, change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add an int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: hisi: Fix use-after-free when register pmu fails\n\nWhen we fail to register the uncore pmu, the pmu context may not have been\nallocated. The error handling will call cpuhp_state_remove_instance()\nto call the uncore pmu offline callback, which migrates the pmu context.\nThat's liable to lead to some kind of use-after-free.\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has failed to register.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process\n\nWhen tearing down a 'hisi_hns3' PMU, we mistakenly run the CPU hotplug\ncallbacks after the device has been unregistered, leading to fireworks\nwhen we try to execute empty function callbacks within the driver:\n\n  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  | CPU: 0 PID: 15 Comm: cpuhp/0 Tainted: G        W  O      5.12.0-rc4+ #1\n  | Hardware name:  , BIOS KpxxxFPGA 1P B600 V143 04/22/2021\n  | pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n  | pc : perf_pmu_migrate_context+0x98/0x38c\n  | lr : perf_pmu_migrate_context+0x94/0x38c\n  |\n  | Call trace:\n  |  perf_pmu_migrate_context+0x98/0x38c\n  |  hisi_hns3_pmu_offline_cpu+0x104/0x12c [hisi_hns3_pmu]\n\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been unregistered.\n\n[will: Rewrote commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: it66121: Fix invalid connector dereference\n\nFix the NULL pointer dereference when no monitor is connected, and the\nsound card is opened from userspace.\n\nInstead return an empty buffer (of zeroes) as the EDID information to\nthe sound framework if there is no connector attached.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer dereference in error message\n\nThis patch fixes a null pointer dereference in the error message that is\nprinted when the Display Core (DC) fails to initialize. The original\nmessage includes the DC version number, which is undefined if the DC is\nnot initialized.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\n\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: wmi: Fix opening of char device\n\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\n\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()\n\nWhen CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and\nthen the below user-memory-access bug occurs.\n\nIn hid_test_uclogic_params_cleanup_event_hooks(), it calls\nuclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so\nwhen it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()\nwill access hdev->dev with hdev=NULL, which will cause below\nuser-memory-access.\n\nSo add a fake_device with quirks member and call hid_set_drvdata()\nto assign hdev->dev->driver_data which avoids the null-ptr-def bug\nfor drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying\nthis patch, the below user-memory-access bug never occurs.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN\n KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]\n CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G    B   W        N 6.6.0-rc2+ #30\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6\n DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? die_addr+0x3d/0xa0\n  ? exc_general_protection+0x144/0x220\n  ? asm_exc_general_protection+0x22/0x30\n  ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n  ? sched_clock_cpu+0x69/0x550\n  ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70\n  ? load_balance+0x2950/0x2950\n  ? rcu_trc_cmpxchg_need_qs+0x67/0xa0\n  hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0\n  ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600\n  ? __switch_to+0x5cf/0xe60\n  ? migrate_enable+0x260/0x260\n  ? __kthread_parkme+0x83/0x150\n  ? kunit_try_run_case_cleanup+0xe0/0xe0\n  kunit_generic_run_threadfn_adapter+0x4a/0x90\n  ? kunit_try_catch_throw+0x80/0x80\n  kthread+0x2b5/0x380\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x2d/0x70\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n Modules linked in:\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: possible buffer overflow\n\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: prevent potential string overflow\n\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX.  If it's too high then these sprintf()s will overflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/platform: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: llcc: Handle a second device without data corruption\n\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added to the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro\n\nIn the TDX_HYPERCALL asm, after the TDCALL instruction returns from the\nuntrusted VMM, the registers that the TDX guest shares to the VMM need\nto be cleared to avoid speculative execution of VMM-provided values.\n\nRSI is specified in the bitmap of those registers, but it is missing\nwhen zeroing out those registers in the current TDX_HYPERCALL.\n\nIt was there when it was originally added in commit 752d13305c78\n(\"x86/tdx: Expand __tdx_hypercall() to handle more arguments\"), but was\nlater removed in commit 1e70c680375a (\"x86/tdx: Do not corrupt\nframe-pointer in __tdx_hypercall()\"), which was correct because %rsi is\nlater restored in the \"pop %rsi\".  However a later commit 7a3a401874be\n(\"x86/tdx: Drop flags from __tdx_hypercall()\") removed that \"pop %rsi\"\nbut forgot to add the \"xor %rsi, %rsi\" back.\n\nFix by adding it back.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port->partner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][  T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][  T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][  T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][  T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][  T319] Call trace:\n[91225.308070][  T319]  tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][  T319]  tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][  T319]  kthread_worker_fn+0x178/0x58c\n[91225.355902][  T319]  kthread+0x150/0x200\n[91225.355905][  T319]  ret_from_fork+0x10/0x30\n\nAdd a check for port->partner to avoid dereferencing a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n   The ACK value is considered acceptable only if\n   it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n   SND.NXT).  All incoming segments whose ACK value doesn't satisfy the\n   above condition MUST be discarded and an ACK sent back.  It needs to\n   be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n   duplicate (SEG.ACK < SND.UNA), it can be ignored.  If the ACK\n   acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n   ACK, drop the segment, and return\".  The \"ignored\" above implies that\n   the processing of the incoming data segment continues, which means\n   the ACK value is treated as acceptable.  This mitigation makes the\n   ACK check more stringent since any ACK < SND.UNA wouldn't be\n   accepted, instead only ACKs that are in the range ((SND.UNA -\n   MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\n\ntp->bytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>\n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\n\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible null pointer dereference\n\nabo->tbo.resource may be NULL in amdgpu_vm_bo_update.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G        W          6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G        W          6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2023-52885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\n\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\n\nReproduce by two tasks:\n\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\n\nKASAN report:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n  Read of size 8 at addr ffff888139d96228 by task nc/102553\n  CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\n  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x33/0x50\n   print_address_description.constprop.0+0x27/0x310\n   print_report+0x3e/0x70\n   kasan_report+0xae/0xe0\n   svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\n   tcp_data_queue+0x9f4/0x20e0\n   tcp_rcv_established+0x666/0x1f60\n   tcp_v4_do_rcv+0x51c/0x850\n   tcp_v4_rcv+0x23fc/0x2e80\n   ip_protocol_deliver_rcu+0x62/0x300\n   ip_local_deliver_finish+0x267/0x350\n   ip_local_deliver+0x18b/0x2d0\n   ip_rcv+0x2fb/0x370\n   __netif_receive_skb_one_core+0x166/0x1b0\n   process_backlog+0x24c/0x5e0\n   __napi_poll+0xa2/0x500\n   net_rx_action+0x854/0xc90\n   __do_softirq+0x1bb/0x5de\n   do_softirq+0xcb/0x100\n   </IRQ>\n   <TASK>\n   ...\n   </TASK>\n\n  Allocated by task 102371:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   __kasan_kmalloc+0x7b/0x90\n   svc_setup_socket+0x52/0x4f0 [sunrpc]\n   svc_addsock+0x20d/0x400 [sunrpc]\n   __write_ports_addfd+0x209/0x390 [nfsd]\n   write_ports+0x239/0x2c0 [nfsd]\n   nfsctl_transaction_write+0xac/0x110 [nfsd]\n   vfs_write+0x1c3/0xae0\n   ksys_write+0xed/0x1c0\n   do_syscall_64+0x38/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\n  Freed by task 102551:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   kasan_save_free_info+0x2a/0x50\n   __kasan_slab_free+0x106/0x190\n   __kmem_cache_free+0x133/0x270\n   svc_xprt_free+0x1e2/0x350 [sunrpc]\n   svc_xprt_destroy_all+0x25a/0x440 [sunrpc]\n   nfsd_put+0x125/0x240 [nfsd]\n   nfsd_svc+0x2cb/0x3c0 [nfsd]\n   write_threads+0x1ac/0x2a0 [nfsd]\n   nfsctl_transaction_write+0xac/0x110 [nfsd]\n   vfs_write+0x1c3/0xae0\n   ksys_write+0xed/0x1c0\n   do_syscall_64+0x38/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix race by not overwriting udev->descriptor in hub_port_init()\n\nSyzbot reported an out-of-bounds read in sysfs.c:read_descriptors():\n\nBUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\nRead of size 8 at addr ffff88801e78b8c8 by task udevd/5011\n\nCPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883\n...\nAllocated by task 758:\n...\n __do_kmalloc_node mm/slab_common.c:966 [inline]\n __kmalloc+0x5e/0x190 mm/slab_common.c:979\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:680 [inline]\n usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887\n usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]\n usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545\n\nAs analyzed by Khazhy Kumykov, the cause of this bug is a race between\nread_descriptors() and hub_port_init(): The first routine uses a field\nin udev->descriptor, not expecting it to change, while the second\noverwrites it.\n\nPrior to commit 45bf39f8df7f (\"USB: core: Don't hold device lock while\nreading the \"descriptors\" sysfs file\") this race couldn't occur,\nbecause the routines were mutually exclusive thanks to the device\nlocking.  Removing that locking from read_descriptors() exposed it to\nthe race.\n\nThe best way to fix the bug is to keep hub_port_init() from changing\nudev->descriptor once udev has been initialized and registered.\nDrivers expect the descriptors stored in the kernel to be immutable;\nwe should not undermine this expectation.  In fact, this change should\nhave been made long ago.\n\nSo now hub_port_init() will take an additional argument, specifying a\nbuffer in which to store the device descriptor it reads.  (If udev has\nnot yet been initialized, the buffer pointer will be NULL and then\nhub_port_init() will store the device descriptor in udev as before.)\nThis eliminates the data race responsible for the out-of-bounds read.\n\nThe changes to hub_port_init() appear more extensive than they really\nare, because of indentation changes resulting from an attempt to avoid\nwriting to other parts of the usb_device structure after it has been\ninitialized.  Similar changes should be made to the code that reads\nthe BOS descriptor, but that can be handled in a separate patch later\non.  This patch is sufficient to fix the bug found by syzbot.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new\n\nThis patch enhances error handling in scenarios with RTS (Request to\nSend) messages arriving closely. It replaces the less informative WARN_ON_ONCE\nbacktraces with a new error handling method. This provides clearer error\nmessages and allows for the early termination of problematic sessions.\nPreviously, sessions were only released at the end of j1939_xtp_rx_rts().\n\nPotentially this could be reproduced with something like:\ntestj1939 -r vcan0:0x80 &\nwhile true; do\n\t# send first RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send second RTS\n\tcansend vcan0 18EC8090#1014000303002301;\n\t# send abort\n\tcansend vcan0 18EC8090#ff00000000002301;\ndone",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2023-52888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn't do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2023-52889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)->label is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n    BUG: kernel NULL pointer dereference, address: 000000000000004c\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n    RIP: 0010:aa_label_next_confined+0xb/0x40\n    Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n    RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n    RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n    RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n    R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n    FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n    PKRU: 55555554\n    Call Trace:\n     <IRQ>\n     ? __die+0x23/0x70\n     ? page_fault_oops+0x171/0x4e0\n     ? exc_page_fault+0x7f/0x180\n     ? asm_exc_page_fault+0x26/0x30\n     ? aa_label_next_confined+0xb/0x40\n     apparmor_secmark_check+0xec/0x330\n     security_sock_rcv_skb+0x35/0x50\n     sk_filter_trim_cap+0x47/0x250\n     sock_queue_rcv_skb_reason+0x20/0x60\n     raw_rcv+0x13c/0x210\n     raw_local_deliver+0x1f3/0x250\n     ip_protocol_deliver_rcu+0x4f/0x2f0\n     ip_local_deliver_finish+0x76/0xa0\n     __netif_receive_skb_one_core+0x89/0xa0\n     netif_receive_skb+0x119/0x170\n     ? __netdev_alloc_skb+0x3d/0x140\n     vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     __napi_poll+0x28/0x1b0\n     net_rx_action+0x2a4/0x380\n     __do_softirq+0xd1/0x2c8\n     __irq_exit_rcu+0xbb/0xf0\n     common_interrupt+0x86/0xa0\n     </IRQ>\n     <TASK>\n     asm_common_interrupt+0x26/0x40\n    RIP: 0010:apparmor_socket_post_create+0xb/0x200\n    Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n    RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n    RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n    RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n    RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n    R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n    R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n     ? __pfx_apparmor_socket_post_create+0x10/0x10\n     security_socket_post_create+0x4b/0x80\n     __sock_create+0x176/0x1f0\n     __sys_socket+0x89/0x100\n     __x64_sys_socket+0x17/0x20\n     do_syscall_64+0x5d/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2023-52893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngsmi: fix null-deref in gsmi_get_variable\n\nWe can get EFI variables without fetching the attribute, so we must\nallow for that in gsmi.\n\ncommit 859748255b43 (\"efi: pstore: Omit efivars caching EFI varstore\naccess layer\") added a new get_variable call with attr=NULL, which\ntriggers panic in gsmi.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()\n\nIn Google internal bug 265639009 we've received an (as yet) unreproducible\ncrash report from an aarch64 GKI 5.10.149-android13 running device.\n\nAFAICT the source code is at:\n  https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10\n\nThe call stack is:\n  ncm_close() -> ncm_notify() -> ncm_do_notify()\nwith the crash at:\n  ncm_do_notify+0x98/0x270\nCode: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)\n\nWhich I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):\n\n  // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)\n  0B 0D 00 79    strh w11, [x8, #6]\n\n  // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)\n  6C 0A 00 B9    str  w12, [x19, #8]\n\n  // x10 (NULL) was read here from offset 0 of valid pointer x9\n  // IMHO we're reading 'cdev->gadget' and getting NULL\n  // gadget is indeed at offset 0 of struct usb_composite_dev\n  2A 01 40 F9    ldr  x10, [x9]\n\n  // loading req->buf pointer, which is at offset 0 of struct usb_request\n  69 02 40 F9    ldr  x9, [x19]\n\n  // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed\n  4B 5D 40 B9    ldr  w11, [x10, #0x5c]\n\nwhich seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:\n\n  event->wLength = cpu_to_le16(8);\n  req->length = NCM_STATUS_BYTECOUNT;\n\n  /* SPEED_CHANGE data is up/down speeds in bits/sec */\n  data = req->buf + sizeof *event;\n  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\n\nMy analysis of registers and NULL ptr deref crash offset\n  (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)\nheavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:\n  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));\nwhich calls:\n  ncm_bitrate(NULL)\nwhich then calls:\n  gadget_is_superspeed(NULL)\nwhich reads\n  ((struct usb_gadget *)NULL)->max_speed\nand hits a panic.\n\nAFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.\n(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)\n\nIt's not at all clear to me how this is all supposed to work...\nbut returning 0 seems much better than panic-ing...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.8"
        },
        {
          "id": "CVE-2023-52896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between quota rescan and disable leading to NULL pointer deref\n\nIf we have one task trying to start the quota rescan worker while another\none is trying to disable quotas, we can end up hitting a race that results\nin the quota rescan worker doing a NULL pointer dereference. The steps for\nthis are the following:\n\n1) Quotas are enabled;\n\n2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().\n   It calls qgroup_rescan_init() which returns 0 (success) and then joins a\n   transaction and commits it;\n\n3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().\n   It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls\n   btrfs_qgroup_wait_for_completion(), which returns immediately since the\n   rescan worker is not yet running.\n   Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;\n\n4) Task A queues the rescan worker, by calling btrfs_queue_work();\n\n5) The rescan worker starts, and calls rescan_should_stop() at the start\n   of its while loop, which results in 0 iterations of the loop, since\n   the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by\n   task B at step 3);\n\n6) Task B sets fs_info->quota_root to NULL;\n\n7) The rescan worker tries to start a transaction and uses\n   fs_info->quota_root as the root argument for btrfs_start_transaction().\n   This results in a NULL pointer dereference down the call chain of\n   btrfs_start_transaction(). The stack trace is something like the one\n   reported in Link tag below:\n\n   general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN\n   KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n   CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0\n   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n   Workqueue: btrfs-qgroup-rescan btrfs_work_helper\n   RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564\n   Code: 48 89 fb 48 (...)\n   RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206\n   RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80\n   RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n   RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d\n   R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000\n   R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003\n   FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    <TASK>\n    btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402\n    btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280\n    process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n    worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n    kthread+0x266/0x300 kernel/kthread.c:376\n    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n    </TASK>\n   Modules linked in:\n\nSo fix this by having the rescan worker function not attempt to start a\ntransaction if it didn't do any rescan work.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: do not warn on record without old_roots populated\n\n[BUG]\nThere are some reports from the mailing list that since v6.1 kernel, the\nWARN_ON() inside btrfs_qgroup_account_extent() gets triggered during\nrescan:\n\n  WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n  CPU: 3 PID: 6424 Comm: snapperd Tainted: P           OE      6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7\n  RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n  Call Trace:\n   <TASK>\n  btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n   ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n  btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n   btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n   ? __rseq_handle_notify_resume+0xa9/0x4a0\n   ? mntput_no_expire+0x4a/0x240\n   ? __seccomp_filter+0x319/0x4d0\n   __x64_sys_ioctl+0x90/0xd0\n   do_syscall_64+0x5b/0x80\n   ? syscall_exit_to_user_mode+0x17/0x40\n   ? do_syscall_64+0x67/0x80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x7fd9b790d9bf\n   </TASK>\n\n[CAUSE]\nSince commit e15e9f43c7ca (\"btrfs: introduce\nBTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting\"), if\nour qgroup is already in inconsistent state, we will no longer do the\ntime-consuming backref walk.\n\nThis can leave some qgroup records without a valid old_roots ulist.\nNormally this is fine, as btrfs_qgroup_account_extents() would also skip\nthose records if we have NO_ACCOUNTING flag set.\n\nBut there is a small window, if we have NO_ACCOUNTING flag set, and\ninserted some qgroup_record without a old_roots ulist, but then the user\ntriggered a qgroup rescan.\n\nDuring btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then\ncommit current transaction.\n\nAnd since we have a qgroup_record with old_roots = NULL, we trigger the\nWARN_ON() during btrfs_qgroup_account_extents().\n\n[FIX]\nUnfortunately due to the introduction of NO_ACCOUNTING flag, the\nassumption that every qgroup_record would have its old_roots populated\nis no longer correct.\n\nFix the false alerts and drop the WARN_ON().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[   67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[   67.848447] Mem abort info:\n[   67.848449]   ESR = 0x96000004\n[   67.848451]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   67.848454]   SET = 0, FnV = 0\n[   67.848456]   EA = 0, S1PTW = 0\n[   67.848458] Data abort info:\n[   67.848460]   ISV = 0, ISS = 0x00000004\n[   67.848462]   CM = 0, WnR = 0\n[   67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[   67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[   67.848472] Internal error: Oops: 96000004 [#1] SMP\n[   67.848475] Modules linked in: dmatest\n[   67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[   67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[   67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[   67.848491] lr : axi_chan_handle_err+0x30/0x230\n[   67.848493] sp : ffff0803fe55ae50\n[   67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[   67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[   67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[   67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[   67.848512] x21: 0000000000000080 x20: 0000000000002000\n[   67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[   67.848521] x17: 0000000000000000 x16: 0000000000000000\n[   67.848525] x15: 0000000000000000 x14: 0000000000000000\n[   67.848529] x13: 0000000000000000 x12: 0000000000000040\n[   67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[   67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[   67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[   67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[   67.848550] x3 : dead000000000100 x2 : dead000000000122\n[   67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[   67.848559] Call trace:\n[   67.848562]  axi_chan_handle_err+0xc4/0x230\n[   67.848566]  dw_axi_dma_interrupt+0xf4/0x590\n[   67.848569]  __handle_irq_event_percpu+0x60/0x220\n[   67.848573]  handle_irq_event+0x64/0x120\n[   67.848576]  handle_fasteoi_irq+0xc4/0x220\n[   67.848580]  __handle_domain_irq+0x80/0xe0\n[   67.848583]  gic_handle_irq+0xc0/0x138\n[   67.848585]  el1_irq+0xc8/0x180\n[   67.848588]  arch_cpu_idle+0x14/0x2c\n[   67.848591]  default_idle_call+0x40/0x16c\n[   67.848594]  do_idle+0x1f0/0x250\n[   67.848597]  cpu_startup_entry+0x2c/0x60\n[   67.848600]  rest_init+0xc0/0xcc\n[   67.848603]  arch_call_rest_init+0x14/0x1c\n[   67.848606]  start_kernel+0x4cc/0x500\n[   67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[   67.848613] ---[ end trace 585a97036f88203a ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails.  However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n <TASK>\n  nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n  nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n  nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n  __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n  __block_write_begin fs/buffer.c:2041 [inline]\n  block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n  nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n  generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n  __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n  generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n  call_write_iter include/linux/fs.h:2186 [inline]\n  new_sync_write fs/read_write.c:491 [inline]\n  vfs_write+0x7dc/0xc50 fs/read_write.c:584\n  ksys_write+0x177/0x2a0 fs/read_write.c:637\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n </TASK>\n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085]  xhci_hc_died+0x10c/0x270\n[233311.854093]  xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105]  call_timer_fn+0x50/0x2d4\n[233311.854112]  expire_timers+0xac/0x2e4\n[233311.854118]  run_timer_softirq+0x300/0xabc\n[233311.854127]  __do_softirq+0x148/0x528\n[233311.854135]  irq_exit+0x194/0x1a8\n[233311.854143]  __handle_domain_irq+0x164/0x1d0\n[233311.854149]  gic_handle_irq.22273+0x10c/0x188\n[233311.854156]  el1_irq+0xfc/0x1a8\n[233311.854175]  lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185]  cpuidle_enter_state+0x1f0/0x764\n[233311.854194]  do_idle+0x594/0x6ac\n[233311.854201]  cpu_startup_entry+0x7c/0x80\n[233311.854209]  secondary_start_kernel+0x170/0x198",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnommu: fix memory leak in do_mmap() error path\n\nThe preallocation of the maple tree nodes may leak if the error path to\n\"error_just_free\" is taken.  Fix this by moving the freeing of the maple\ntree nodes to a shared location for all error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n\u00a0io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n\u00a0io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n\u00a0io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n\u00a0io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n\u00a0io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n\u00a0io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n\u00a0io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n\u00a0process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n\u00a0worker_thread+0x340/0x610 kernel/workqueue.c:2436\n\u00a0kthread+0x12c/0x158 kernel/kthread.c:376\n\u00a0ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()\n\nThe subs function argument may be NULL, so do not use it before the NULL check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52904",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15.168"
        },
        {
          "id": "CVE-2023-52905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n   NLA_BINARY           Validation function called for the attribute.\n   All other            Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n <TASK>\n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()\n\nFix a use-after-free that occurs in hcd when in_urb sent from\npn533_usb_send_frame() is completed earlier than out_urb. Its callback\nfrees the skb data in pn533_send_async_complete() that is used as a\ntransfer buffer of out_urb. Wait before sending in_urb until the\ncallback of out_urb is called. To modify the callback of out_urb alone,\nseparate the complete function of out_urb and ack_urb.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in dummy_timer\nCall Trace:\n memcpy (mm/kasan/shadow.c:65)\n dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)\n transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)\n dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)\n arch_static_branch (arch/x86/include/asm/jump_label.h:27)\n static_key_false (include/linux/jump_label.h:207)\n timer_expire_exit (include/trace/events/timer.h:127)\n call_timer_fn (kernel/time/timer.c:1475)\n expire_timers (kernel/time/timer.c:1519)\n __run_timers (kernel/time/timer.c:1790)\n run_timer_softirq (kernel/time/timer.c:1803)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential NULL dereference\n\nFix potential NULL dereference, in the case when \"man\", the resource manager\nmight be NULL, when/if we print debug information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.7"
        },
        {
          "id": "CVE-2023-52909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix handling of cached open files in nfsd4_open codepath\n\nCommit fb70bf124b05 (\"NFSD: Instantiate a struct file when creating a\nregular NFSv4 file\") added the ability to cache an open fd over a\ncompound. There are a couple of problems with the way this currently\nworks:\n\nIt's racy, as a newly-created nfsd_file can end up with its PENDING bit\ncleared while the nf is hashed, and the nf_file pointer is still zeroed\nout. Other tasks can find it in this state and they expect to see a\nvalid nf_file, and can oops if nf_file is NULL.\n\nAlso, there is no guarantee that we'll end up creating a new nfsd_file\nif one is already in the hash. If an extant entry is in the hash with a\nvalid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with\nthe value of op_file and the old nf_file will leak.\n\nFix both issues by making a new nfsd_file_acquirei_opened variant that\ntakes an optional file pointer. If one is present when this is called,\nwe'll take a new reference to it instead of trying to open the file. If\nthe nfsd_file already has a valid nf_file, we'll just ignore the\noptional file and pass the nfsd_file back as-is.\n\nAlso rework the tracepoints a bit to allow for an \"opened\" variant and\ndon't try to avoid counting acquisitions in the case where we already\nhave a cached open file.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[  223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[  223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: another fix for the headless Adreno GPU\n\nFix another oops reproducible when rebooting the board with the Adreno\nGPU working in the headless mode (e.g. iMX platforms).\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[00000000] *pgd=74936831, *pte=00000000, *ppte=00000000\nInternal error: Oops: 17 [#1] ARM\nCPU: 0 PID: 51 Comm: reboot Not tainted 6.2.0-rc1-dirty #11\nHardware name: Freescale i.MX53 (Device Tree Support)\nPC is at msm_atomic_commit_tail+0x50/0x970\nLR is at commit_tail+0x9c/0x188\npc : [<c06aa430>]    lr : [<c067a214>]    psr: 600e0013\nsp : e0851d30  ip : ee4eb7eb  fp : 00090acc\nr10: 00000058  r9 : c2193014  r8 : c4310000\nr7 : c4759380  r6 : 07bef61d  r5 : 00000000  r4 : 00000000\nr3 : c44cc440  r2 : 00000000  r1 : 00000000  r0 : 00000000\nFlags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\nControl: 10c5387d  Table: 74910019  DAC: 00000051\nRegister r0 information: NULL pointer\nRegister r1 information: NULL pointer\nRegister r2 information: NULL pointer\nRegister r3 information: slab kmalloc-1k start c44cc400 pointer offset 64 size 1024\nRegister r4 information: NULL pointer\nRegister r5 information: NULL pointer\nRegister r6 information: non-paged memory\nRegister r7 information: slab kmalloc-128 start c4759380 pointer offset 0 size 128\nRegister r8 information: slab kmalloc-2k start c4310000 pointer offset 0 size 2048\nRegister r9 information: non-slab/vmalloc memory\nRegister r10 information: non-paged memory\nRegister r11 information: non-paged memory\nRegister r12 information: non-paged memory\nProcess reboot (pid: 51, stack limit = 0xc80046d9)\nStack: (0xe0851d30 to 0xe0852000)\n1d20:                                     c4759380 fbd77200 000005ff 002b9c70\n1d40: c4759380 c4759380 00000000 07bef61d 00000600 c0d6fe7c c2193014 00000058\n1d60: 00090acc c067a214 00000000 c4759380 c4310000 00000000 c44cc854 c067a89c\n1d80: 00000000 00000000 00000000 c4310468 00000000 c4759380 c4310000 c4310468\n1da0: c4310470 c0643258 c4759380 00000000 00000000 c0c4ee24 00000000 c44cc810\n1dc0: 00000000 c0c4ee24 00000000 c44cc810 00000000 0347d2a8 e0851e00 e0851e00\n1de0: c4759380 c067ad20 c4310000 00000000 c44cc810 c27f8718 c44cc854 c067adb8\n1e00: c4933000 00000002 00000001 00000000 00000000 c2130850 00000000 c2130854\n1e20: c25fc488 00000000 c0ff162c 00000000 00000001 00000002 00000000 00000000\n1e40: c43102c0 c43102c0 00000000 0347d2a8 c44cc810 c44cc814 c2133da8 c06d1a60\n1e60: 00000000 00000000 00079028 c2012f24 fee1dead c4933000 00000058 c01431e4\n1e80: 01234567 c0143a20 00000000 00000000 00000000 00000000 00000000 00000000\n1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n1f80: 00000000 00000000 00000000 0347d2a8 00000002 00000004 00000078 00000058\n1fa0: c010028c c0100060 00000002 00000004 fee1dead 28121969 01234567 00079028\n1fc0: 00000002 00000004 00000078 00000058 0002fdc5 00000000 00000000 00090acc\n1fe0: 00000058 becc9c64 b6e97e05 b6e0e5f6 600e0030 fee1dead 00000000 00000000\n msm_atomic_commit_tail from commit_tail+0x9c/0x188\n commit_tail from drm_atomic_helper_commit+0x160/0x188\n drm_atomic_helper_commit from drm_atomic_commit+0xac/0xe0\n drm_atomic_commit from drm_atomic_helper_disable_all+0x1b0/0x1c0\n drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x88/0x140\n drm_atomic_helper_shutdown from device_shutdown+0x16c/0x240\n device_shutdown from kernel_restart+0x38/0x90\n kernel_restart from __do_sys_reboot+0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fixed bug on error when unloading amdgpu\n\nFixed bug on error when unloading amdgpu.\n\nThe error message is as follows:\n[  377.706202] kernel BUG at drivers/gpu/drm/drm_buddy.c:278!\n[  377.706215] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  377.706222] CPU: 4 PID: 8610 Comm: modprobe Tainted: G          IOE      6.0.0-thomas #1\n[  377.706231] Hardware name: ASUS System Product Name/PRIME Z390-A, BIOS 2004 11/02/2021\n[  377.706238] RIP: 0010:drm_buddy_free_block+0x26/0x30 [drm_buddy]\n[  377.706264] Code: 00 00 00 90 0f 1f 44 00 00 48 8b 0e 89 c8 25 00 0c 00 00 3d 00 04 00 00 75 10 48 8b 47 18 48 d3 e0 48 01 47 28 e9 fa fe ff ff <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 55 48 89 f5 53\n[  377.706282] RSP: 0018:ffffad2dc4683cb8 EFLAGS: 00010287\n[  377.706289] RAX: 0000000000000000 RBX: ffff8b1743bd5138 RCX: 0000000000000000\n[  377.706297] RDX: ffff8b1743bd5160 RSI: ffff8b1743bd5c78 RDI: ffff8b16d1b25f70\n[  377.706304] RBP: ffff8b1743bd59e0 R08: 0000000000000001 R09: 0000000000000001\n[  377.706311] R10: ffff8b16c8572400 R11: ffffad2dc4683cf0 R12: ffff8b16d1b25f70\n[  377.706318] R13: ffff8b16d1b25fd0 R14: ffff8b1743bd59c0 R15: ffff8b16d1b25f70\n[  377.706325] FS:  00007fec56c72c40(0000) GS:ffff8b1836500000(0000) knlGS:0000000000000000\n[  377.706334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  377.706340] CR2: 00007f9b88c1ba50 CR3: 0000000110450004 CR4: 00000000003706e0\n[  377.706347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  377.706354] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  377.706361] Call Trace:\n[  377.706365]  <TASK>\n[  377.706369]  drm_buddy_free_list+0x2a/0x60 [drm_buddy]\n[  377.706376]  amdgpu_vram_mgr_fini+0xea/0x180 [amdgpu]\n[  377.706572]  amdgpu_ttm_fini+0x12e/0x1a0 [amdgpu]\n[  377.706650]  amdgpu_bo_fini+0x22/0x90 [amdgpu]\n[  377.706727]  gmc_v11_0_sw_fini+0x26/0x30 [amdgpu]\n[  377.706821]  amdgpu_device_fini_sw+0xa1/0x3c0 [amdgpu]\n[  377.706897]  amdgpu_driver_release_kms+0x12/0x30 [amdgpu]\n[  377.706975]  drm_dev_release+0x20/0x40 [drm]\n[  377.707006]  release_nodes+0x35/0xb0\n[  377.707014]  devres_release_all+0x8b/0xc0\n[  377.707020]  device_unbind_cleanup+0xe/0x70\n[  377.707027]  device_release_driver_internal+0xee/0x160\n[  377.707033]  driver_detach+0x44/0x90\n[  377.707039]  bus_remove_driver+0x55/0xe0\n[  377.707045]  pci_unregister_driver+0x3b/0x90\n[  377.707052]  amdgpu_exit+0x11/0x6c [amdgpu]\n[  377.707194]  __x64_sys_delete_module+0x142/0x2b0\n[  377.707201]  ? fpregs_assert_state_consistent+0x22/0x50\n[  377.707208]  ? exit_to_user_mode_prepare+0x3e/0x190\n[  377.707215]  do_syscall_64+0x38/0x90\n[  377.707221]  entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential context UAFs\n\ngem_context_register() makes the context visible to userspace, at which\npoint a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl.\nSo we need to ensure that nothing uses the ctx ptr after this.  And we\nneed to ensure that adding the ctx to the xarray is the *last* thing\nthat gem_context_register() does with the ctx pointer.\n\n[tursulin: Stable and fixes tags add/tidy.]\n(cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: add hash if ready poll request can't complete inline\n\nIf we don't, then we may lose access to it completely, leading to a\nrequest leak. This will eventually stall the ring exit process as\nwell.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer\n\nIn af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach af9035_i2c_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: aspeed: Fix memory overwrite if timing is 1600x900\n\nWhen capturing 1600x900, system could crash when system memory usage is\ntight.\n\nThe way to reproduce this issue:\n1. Use 1600x900 to display on host\n2. Mount ISO through 'Virtual media' on OpenBMC's web\n3. Run script as below on host to do sha continuously\n  #!/bin/bash\n  while [ [1] ];\n  do\n\tfind /media -type f -printf '\"%h/%f\"\\n' | xargs sha256sum\n  done\n4. Open KVM on OpenBMC's web\n\nThe size of macro block captured is 8x8. Therefore, we should make sure\nthe height of src-buf is 8 aligned to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: cx23885: check cx23885_vdev_init() return\n\ncx23885_vdev_init() can return a NULL pointer, but that pointer\nis used in the next line without a check.\n\nAdd a NULL pointer check and go to the error unwind if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2023-52919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix possible NULL pointer dereference in send_acknowledge()\n\nHandle memory allocation failure from nci_skb_alloc() (calling\nalloc_skb()) to avoid possible NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support non-r10 register spill/fill to/from stack in precision tracking\n\nUse instruction (jump) history to record instructions that performed\nregister spill/fill to/from stack, regardless if this was done through\nread-only r10 register, or any other register after copying r10 into it\n*and* potentially adjusting offset.\n\nTo make this work reliably, we push extra per-instruction flags into\ninstruction history, encoding stack slot index (spi) and stack frame\nnumber in extra 10 bit flags we take away from prev_idx in instruction\nhistory. We don't touch idx field for maximum performance, as it's\nchecked most frequently during backtracking.\n\nThis change removes basically the last remaining practical limitation of\nprecision backtracking logic in BPF verifier. It fixes known\ndeficiencies, but also opens up new opportunities to reduce number of\nverified states, explored in the subsequent patches.\n\nThere are only three differences in selftests' BPF object files\naccording to veristat, all in the positive direction (less states).\n\nFile                                    Program        Insns (A)  Insns (B)  Insns  (DIFF)  States (A)  States (B)  States (DIFF)\n--------------------------------------  -------------  ---------  ---------  -------------  ----------  ----------  -------------\ntest_cls_redirect_dynptr.bpf.linked3.o  cls_redirect        2987       2864  -123 (-4.12%)         240         231    -9 (-3.75%)\nxdp_synproxy_kern.bpf.linked3.o         syncookie_tc       82848      82661  -187 (-0.23%)        5107        5073   -34 (-0.67%)\nxdp_synproxy_kern.bpf.linked3.o         syncookie_xdp      85116      84964  -152 (-0.18%)        5162        5130   -32 (-0.62%)\n\nNote, I avoided renaming jmp_history to more generic insn_hist to\nminimize number of lines changed and potential merge conflicts between\nbpf and bpf-next trees.\n\nNotice also cur_hist_entry pointer reset to NULL at the beginning of\ninstruction verification loop. This pointer avoids the problem of\nrelying on last jump history entry's insn_idx to determine whether we\nalready have entry for current instruction or not. It can happen that we\nadded jump history entry because current instruction is_jmp_point(), but\nalso we need to add instruction flags for stack access. In this case, we\ndon't want two entries, so we need to reuse last added entry, if it is\npresent.\n\nRelying on insn_idx comparison has the same ambiguity problem as the one\nthat was fixed recently in [0], so we avoid that.\n\n  [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2023-52921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix possible UAF in amdgpu_cs_pass1()\n\nSince the gang_size check is outside of chunk parsing\nloop, we need to reset i before we free the chunk data.\n\nSuggested by Ye Zhang (@VAR10CK) of Baidu Security.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Fix UAF in bcm_proc_show()\n\nBUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80\nRead of size 8 at addr ffff888155846230 by task cat/7862\n\nCPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xd5/0x150\n print_report+0xc1/0x5e0\n kasan_report+0xba/0xf0\n bcm_proc_show+0x969/0xa80\n seq_read_iter+0x4f6/0x1260\n seq_read+0x165/0x210\n proc_reg_read+0x227/0x300\n vfs_read+0x1d5/0x8d0\n ksys_read+0x11e/0x240\n do_syscall_64+0x35/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAllocated by task 7846:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x9e/0xa0\n bcm_sendmsg+0x264b/0x44e0\n sock_sendmsg+0xda/0x180\n ____sys_sendmsg+0x735/0x920\n ___sys_sendmsg+0x11d/0x1b0\n __sys_sendmsg+0xfa/0x1d0\n do_syscall_64+0x35/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 7846:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x27/0x40\n ____kasan_slab_free+0x161/0x1c0\n slab_free_freelist_hook+0x119/0x220\n __kmem_cache_free+0xb4/0x2e0\n rcu_core+0x809/0x1bd0\n\nbcm_op is freed before the procfs entry is removed in bcm_release(),\nso bcm_proc_show() may read the freed bcm_op.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: adapt set backend to use GC transaction API\n\nUse the GC transaction API to replace the old and buggy gc API and the\nbusy mark approach.\n\nNo set elements are removed from async garbage collection anymore,\ninstead the _DEAD bit is set on so the set element is not visible from\nlookup path anymore. Async GC enqueues transaction work that might be\naborted and retried later.\n\nrbtree and pipapo set backends do not set the _DEAD bit from the\nsync GC path since this runs in control plane path where mutex is held.\nIn this case, set elements are deactivated, removed and then released\nvia RCU callback, sync GC never fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don't skip expired elements during walk\n\nThere is an asymmetry between commit/abort and preparation phase if the\nfollowing conditions are met:\n\n1. set is a verdict map (\"1.2.3.4 : jump foo\")\n2. timeouts are enabled\n\nIn this case, following sequence is problematic:\n\n1. element E in set S refers to chain C\n2. userspace requests removal of set S\n3. kernel does a set walk to decrement chain->use count for all elements\n   from preparation phase\n4. kernel does another set walk to remove elements from the commit phase\n   (or another walk to do a chain->use increment for all elements from\n    abort phase)\n\nIf E has already expired in 1), it will be ignored during list walk, so its use count\nwon't have been changed.\n\nThen, when set is culled, ->destroy callback will zap the element via\nnf_tables_set_elem_destroy(), but this function is only safe for\nelements that have been deactivated earlier from the preparation phase:\nlack of earlier deactivate removes the element but leaks the chain use\ncount, which results in a WARN splat when the chain gets removed later,\nplus a leak of the nft_chain structure.\n\nUpdate pipapo_get() not to skip expired elements, otherwise flush\ncommand reports bogus ENOENT errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-52925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don't fail inserts if duplicate has expired\n\nnftables selftests fail:\nrun-tests.sh testcases/sets/0044interval_overlap_0\nExpected: 0-2 . 0-3, got:\nW: [FAILED]     ./testcases/sets/0044interval_overlap_0: got 1\n\nInsertion must ignore duplicate but expired entries.\n\nMoreover, there is a strange asymmetry in nft_pipapo_activate:\n\nIt refetches the current element, whereas the other ->activate callbacks\n(bitmap, hash, rhash, rbtree) use elem->priv.\nSame for .remove: other set implementations take elem->priv,\nnft_pipapo_remove fetches elem->priv, then does a relookup,\nremove this.\n\nI suspect this was the reason for the change that prompted the\nremoval of the expired check in pipapo_get() in the first place,\nbut skipping expired elements there makes no sense to me, this helper\nis used for normal get requests, insertions (duplicate check)\nand deactivate callback.\n\nIn first two cases expired elements must be skipped.\n\nFor ->deactivate(), this gets called for DELSETELEM, so it\nseems to me that expired elements should be skipped as well, i.e.\ndelete request should fail with -ENOENT error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.12"
        },
        {
          "id": "CVE-2023-52926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIORING_OP_READ did not correctly consume the provided buffer list when\nread i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return).\nThis can lead to a potential use-after-free when the completion via\nio_rw_done runs at separate context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7"
        },
        {
          "id": "CVE-2023-52927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-52928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip invalid kfunc call in backtrack_insn\n\nThe verifier skips invalid kfunc call in check_kfunc_call(), which\nwould be captured in fixup_kfunc_call() if such insn is not eliminated\nby dead code elimination. However, this can lead to the following\nwarning in backtrack_insn(), also see [1]:\n\n  ------------[ cut here ]------------\n  verifier backtracking bug\n  WARNING: CPU: 6 PID: 8646 at kernel/bpf/verifier.c:2756 backtrack_insn\n  kernel/bpf/verifier.c:2756\n\t__mark_chain_precision kernel/bpf/verifier.c:3065\n\tmark_chain_precision kernel/bpf/verifier.c:3165\n\tadjust_reg_min_max_vals kernel/bpf/verifier.c:10715\n\tcheck_alu_op kernel/bpf/verifier.c:10928\n\tdo_check kernel/bpf/verifier.c:13821 [inline]\n\tdo_check_common kernel/bpf/verifier.c:16289\n  [...]\n\nSo make backtracking conservative with this by returning ENOTSUPP.\n\n  [1] https://lore.kernel.org/bpf/CACkBjsaXNceR8ZjkLG=dT3P=4A8SBsg0Z5h5PWLryF5=ghKq=g@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: fix cleanup after dev_set_name()\n\nIf dev_set_name() fails, we leak nvmem->wp_gpio as the cleanup does not\nput this. While a minimal fix for this would be to add the gpiod_put()\ncall, we can do better if we split device_register(), and use the\ntested nvmem_release() cleanup code by initialising the device early,\nand putting the device.\n\nThis results in a slightly larger fix, but results in clear code.\n\nNote: this patch depends on \"nvmem: core: initialise nvmem->id early\"\nand \"nvmem: core: remove nvmem_config wp_gpio\".\n\n[Srini: Fixed subject line and error code handling with wp_gpio while applying.]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential bit_17 double-free\n\nA userspace with multiple threads racing I915_GEM_SET_TILING to set the\ntiling to I915_TILING_NONE could trigger a double free of the bit_17\nbitmask.  (Or conversely leak memory on the transition to tiled.)  Move\nallocation/free'ing of the bitmask within the section protected by the\nobj lock.\n\n[tursulin: Correct fixes tag and added cc stable.]\n(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid potential vm use-after-free\n\nAdding the vm to the vm_xa table makes it visible to userspace, which\ncould try to race with us to close the vm.  So we need to take our extra\nreference before putting it in the table.\n\n(cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swapfile: add cond_resched() in get_swap_pages()\n\nThe softlockup still occurs in get_swap_pages() under memory pressure.  64\nCPU cores, 64GB memory, and 28 zram devices, the disksize of each zram\ndevice is 50MB with same priority as si.  Use the stress-ng tool to\nincrease memory pressure, causing the system to oom frequently.\n\nThe plist_for_each_entry_safe() loops in get_swap_pages() could reach tens\nof thousands of times to find available space (extreme case:\ncond_resched() is not called in scan_swap_map_slots()).  Let's add\ncond_resched() into get_swap_pages() when failed to find available space\nto avoid softlockup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix handling and sanity checking of xattr_ids count\n\nA Sysbot [1] corrupted filesystem exposes two flaws in the handling and\nsanity checking of the xattr_ids count in the filesystem.  Both of these\nflaws cause computation overflow due to incorrect typing.\n\nIn the corrupted filesystem the xattr_ids value is 4294967071, which\nstored in a signed variable becomes the negative number -225.\n\nFlaw 1 (64-bit systems only):\n\nThe signed integer xattr_ids variable causes sign extension.\n\nThis causes variable overflow in the SQUASHFS_XATTR_*(A) macros.  The\nvariable is first multiplied by sizeof(struct squashfs_xattr_id) where the\ntype of the sizeof operator is \"unsigned long\".\n\nOn a 64-bit system this is 64-bits in size, and causes the negative number\nto be sign extended and widened to 64-bits and then become unsigned.  This\nproduces the very large number 18446744073709548016 or 2^64 - 3600.  This\nnumber when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and\ndivided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0\n(stored in len).\n\nFlaw 2 (32-bit systems only):\n\nOn a 32-bit system the integer variable is not widened by the unsigned\nlong type of the sizeof operator (32-bits), and the signedness of the\nvariable has no effect due it always being treated as unsigned.\n\nThe above corrupted xattr_ids value of 4294967071, when multiplied\noverflows and produces the number 4294963696 or 2^32 - 3400.  This number\nwhen rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by\nSQUASHFS_METADATA_SIZE overflows again and produces a length of 0.\n\nThe effect of the 0 length computation:\n\nIn conjunction with the corrupted xattr_ids field, the filesystem also has\na corrupted xattr_table_start value, where it matches the end of\nfilesystem value of 850.\n\nThis causes the following sanity check code to fail because the\nincorrectly computed len of 0 matches the incorrect size of the table\nreported by the superblock (0 bytes).\n\n    len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);\n    indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);\n\n    /*\n     * The computed size of the index table (len bytes) should exactly\n     * match the table start and end points\n    */\n    start = table_start + sizeof(*id_table);\n    end = msblk->bytes_used;\n\n    if (len != (end - start))\n            return ERR_PTR(-EINVAL);\n\nChanging the xattr_ids variable to be \"unsigned int\" fixes the flaw on a\n64-bit system.  This relies on the fact the computation is widened by the\nunsigned long type of the sizeof operator.\n\nCasting the variable to u64 in the above macro fixes this flaw on a 32-bit\nsystem.\n\nIt also means 64-bit systems do not implicitly rely on the type of the\nsizeof operator to widen the computation.\n\n[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups\n\nIn commit 34488399fa08 (\"mm/madvise: add file and shmem support to\nMADV_COLLAPSE\") we make the following change to find_pmd_or_thp_or_none():\n\n\t-       if (!pmd_present(pmde))\n\t-               return SCAN_PMD_NULL;\n\t+       if (pmd_none(pmde))\n\t+               return SCAN_PMD_NONE;\n\nThis was for-use by MADV_COLLAPSE file/shmem codepaths, where\nMADV_COLLAPSE might identify a pte-mapped hugepage, only to have\nkhugepaged race-in, free the pte table, and clear the pmd.  Such codepaths\ninclude:\n\nA) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER\n   already in the pagecache.\nB) In retract_page_tables(), if we fail to grab mmap_lock for the target\n   mm/address.\n\nIn these cases, collapse_pte_mapped_thp() really does expect a none (not\njust !present) pmd, and we want to suitably identify that case separate\nfrom the case where no pmd is found, or it's a bad-pmd (of course, many\nthings could happen once we drop mmap_lock, and the pmd could plausibly\nundergo multiple transitions due to intervening fault, split, etc). \nRegardless, the code is prepared to install a huge-pmd only when the existing\npmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd.\n\nHowever, the commit introduces a logical hole; namely, that we've allowed\n!none- && !huge- && !bad-pmds to be classified as genuine\npte-table-mapping-pmds.  One such example that could leak through is swap\nentries.  The pmd values aren't checked again before use in\npte_offset_map_lock(), which is expecting nothing less than a genuine\npte-table-mapping-pmd.\n\nWe want to put back the !pmd_present() check (below the pmd_none() check),\nbut need to be careful to deal with subtleties in pmd transitions and\ntreatments by various arch.\n\nThe issue is that __split_huge_pmd_locked() temporarily clears the present\nbit (or otherwise marks the entry as invalid), but pmd_present() and\npmd_trans_huge() still need to return true while the pmd is in this\ntransitory state.  For example, x86's pmd_present() also checks the\n_PAGE_PSE bit, riscv's version also checks the _PAGE_LEAF bit, and arm64 also\nchecks a PMD_PRESENT_INVALID bit.\n\nCovering all 4 cases for x86 (all checks done on the same pmd value):\n\n1) pmd_present() && pmd_trans_huge()\n   All we actually know here is that the PSE bit is set. Either:\n   a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE\n      is set.\n      => huge-pmd\n   b) We are currently racing with __split_huge_page().  The danger here\n      is that we proceed as-if we have a huge-pmd, but really we are\n      looking at a pte-mapping-pmd.  So, what is the risk of this\n      danger?\n\n      The only relevant path is:\n\n\tmadvise_collapse() -> collapse_pte_mapped_thp()\n\n      Where we might just incorrectly report back \"success\", when really\n      the memory isn't pmd-backed.  This is fine, since split could\n      happen immediately after (actually) successful madvise_collapse().\n      So, it should be safe to just assume huge-pmd here.\n\n2) pmd_present() && !pmd_trans_huge()\n   Either:\n   a) PSE not set and either PRESENT or PROTNONE is.\n      => pte-table-mapping pmd (or PROT_NONE)\n   b) devmap.  This routine can be called immediately after\n      unlocking/locking mmap_lock -- or called with no locks held (see\n      khugepaged_scan_mm_slot()), so previous VMA checks have since been\n      invalidated.\n\n3) !pmd_present() && pmd_trans_huge()\n  Not possible.\n\n4) !pmd_present() && !pmd_trans_huge()\n  Neither PRESENT nor PROTNONE set\n  => not present\n\nI've checked all archs that implement pmd_trans_huge() (arm64, riscv,\npowerpc, loongarch, x86, mips, s390) and this logic roughly translates\n(though devmap treatment is unique to x86 and powerpc, and (3) doesn't\nnecessarily hold in general -- but that doesn't matter since\n!pmd_present() always takes failure path).\n\nAlso, add a comment above find_pmd_or_thp_or_none()\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix ->anon_vma race\n\nIf an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. \nretract_page_tables() bails out if an ->anon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing ->anon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the ->anon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(&vma->anon_vma->root->rwsem)\". \nIt can also lead to use-after-free access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHV: hv_balloon: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Don't attempt to resume the ports before they exist\n\nThis will fix null pointer dereference that was caused by\nthe driver attempting to resume ports that were not yet\nregistered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.11"
        },
        {
          "id": "CVE-2023-52939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()\n\nAs commit 18365225f044 (\"hwpoison, memcg: forcibly uncharge LRU pages\"),\nhwpoison will forcibly uncharge an LRU hwpoisoned page, the folio_memcg\ncould be NULL, then, mem_cgroup_track_foreign_dirty_slowpath() could\ncause a NULL pointer dereference, let's not record the foreign\nwritebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to\nfix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: multi-gen LRU: fix crash during cgroup migration\n\nlru_gen_migrate_mm() assumes lru_gen_add_mm() runs prior to itself.  This\nisn't true for the following scenario:\n\n    CPU 1                         CPU 2\n\n  clone()\n    cgroup_can_fork()\n                                cgroup_procs_write()\n    cgroup_post_fork()\n                                  task_lock()\n                                  lru_gen_migrate_mm()\n                                  task_unlock()\n    task_lock()\n    lru_gen_add_mm()\n    task_unlock()\n\nAnd when the above happens, kernel crashes because of linked list\ncorruption (mm_struct->lru_gen.list).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: split tx timer into transmission and timeout\n\nThe timer for the transmission of isotp PDUs formerly had two functions:\n1. send two consecutive frames with a given time gap\n2. monitor the timeouts for flow control frames and the echo frames\n\nThis led to larger txstate checks and potentially to a problem discovered\nby syzbot which enabled the panic_on_warn feature while testing.\n\nThe former 'txtimer' function is split into 'txfrtimer' and 'txtimer'\nto handle the two above functionalities with separate timer callbacks.\n\nThe two simplified timers now run in one-shot mode and make the state\ntransitions (especially with isotp_rcv_echo) better understandable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask()\n\nIt was found that the check to see if a partition could use up all\nthe cpus from the parent cpuset in update_parent_subparts_cpumask()\nwas incorrect. As a result, it is possible to leave parent with no\neffective cpu left even if there are tasks in the parent cpuset. This\ncan lead to system panic as reported in [1].\n\nFix this problem by updating the check to fail enabling the partition\nif parent's effective_cpus is a subset of the child's cpus_allowed.\n\nAlso record the error code when an error happens in update_prstate()\nand add a test case where parent partition and child have the same cpu\nlist and parent has task. Enabling partition in the child will fail in\nthis case.\n\n[1] https://www.spinics.net/lists/cgroups/msg36254.html",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF\n\nAfter a call to console_unlock() in vcs_read() the vc_data struct can be\nfreed by vc_deallocate(). Because of that, the struct vc_data pointer\nload must be done at the top of while loop in vcs_read() to avoid a UAF\nwhen vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537\n\nCPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1\nHardware name: Red Hat KVM, BIOS 1.15.0-2.module\nCall Trace:\n  <TASK>\n__asan_report_load4_noabort (mm/kasan/report_generic.c:350)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_read (drivers/tty/vt/vc_screen.c:415)\nvfs_read (fs/read_write.c:468 fs/read_write.c:450)\n...\n  </TASK>\n\nAllocated by task 1191:\n...\nkmalloc_trace (mm/slab_common.c:1069)\nvc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720\n     drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)\ncon_install (drivers/tty/vt/vt.c:3383)\ntty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413\n     drivers/tty/tty_io.c:1390)\ntty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:883)\nvfs_open (fs/open.c:1014)\n...\n\nFreed by task 1548:\n...\nkfree (mm/slab_common.c:1021)\nvc_port_destruct (drivers/tty/vt/vt.c:1094)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2776)\n...\n\nThe buggy address belongs to the object at ffff888113747800\n  which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n  1024-byte region [ffff888113747800, ffff888113747c00)\n\nThe buggy address belongs to the physical page:\npage:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000\n     index:0x0 pfn:0x113740\nhead:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0\n     compound_pincount:0\nanon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n  ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                   ^\n  ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress\n\nIf during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,\nuserspace could be accessing the host's ipaddress attr. If we then free the\nsession via iscsi_session_teardown() while userspace is still accessing the\nsession we will hit a use after free bug.\n\nSet the tcp_sw_host->session after we have completed session creation and\ncan no longer fail.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3\n[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[  276.944470] Call Trace:\n[  276.944943]  <TASK>\n[  276.945397]  dump_stack_lvl+0x34/0x48\n[  276.945887]  print_address_description.constprop.0+0x86/0x1e7\n[  276.946421]  print_report+0x36/0x4f\n[  276.947358]  kasan_report+0xad/0x130\n[  276.948234]  kasan_check_range+0x35/0x1c0\n[  276.948674]  _raw_spin_lock_bh+0x78/0xe0\n[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[  276.952185]  dev_attr_show+0x3f/0x80\n[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0\n[  276.953401]  seq_read_iter+0x402/0x1020\n[  276.954260]  vfs_read+0x532/0x7b0\n[  276.955113]  ksys_read+0xed/0x1c0\n[  276.955952]  do_syscall_64+0x38/0x90\n[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.956769] RIP: 0033:0x7f5d3a679222\n[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[  276.960536]  </TASK>\n[  276.961357] Allocated by task 2209:\n[  276.961756]  kasan_save_stack+0x1e/0x40\n[  276.962170]  kasan_set_track+0x21/0x30\n[  276.962557]  __kasan_kmalloc+0x7e/0x90\n[  276.962923]  __kmalloc+0x5b/0x140\n[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]\n[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.965546]  netlink_unicast+0x4d5/0x7b0\n[  276.965905]  netlink_sendmsg+0x78d/0xc30\n[  276.966236]  sock_sendmsg+0xe5/0x120\n[  276.966576]  ____sys_sendmsg+0x5fe/0x860\n[  276.966923]  ___sys_sendmsg+0xe0/0x170\n[  276.967300]  __sys_sendmsg+0xc8/0x170\n[  276.967666]  do_syscall_64+0x38/0x90\n[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.968773] Freed by task 2209:\n[  276.969111]  kasan_save_stack+0x1e/0x40\n[  276.969449]  kasan_set_track+0x21/0x30\n[  276.969789]  kasan_save_free_info+0x2a/0x50\n[  276.970146]  __kasan_slab_free+0x106/0x190\n[  276.970470]  __kmem_cache_free+0x133/0x270\n[  276.970816]  device_release+0x98/0x210\n[  276.971145]  kobject_cleanup+0x101/0x360\n[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.972808]  netlink_unicast+0x4d5/0x7b0\n[  276.973201]  netlink_sendmsg+0x78d/0xc30\n[  276.973544]  sock_sendmsg+0xe5/0x120\n[  276.973864]  ____sys_sendmsg+0x5fe/0x860\n[  276.974248]  ___sys_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix potential NULL deref in efi_mem_reserve_persistent\n\nWhen iterating on a linked list, a result of memremap is dereferenced\nwithout checking it for NULL.\n\nThis patch adds a check that falls back on allocating a new page in\ncase memremap doesn't succeed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[ardb: return -ENOMEM instead of breaking out of the loop]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix flow memory leak in ovs_flow_cmd_new\n\nSyzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is\nnot freed when an allocation of a key fails.\n\nBUG: memory leak\nunreferenced object 0xffff888116668000 (size 632):\n  comm \"syz-executor231\", pid 1090, jiffies 4294844701 (age 18.871s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]\n    [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77\n    [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957\n    [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739\n    [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800\n    [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515\n    [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811\n    [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339\n    [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934\n    [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671\n    [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356\n    [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410\n    [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439\n    [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nTo fix this the patch rearranges the goto labels to reflect the order of\nobject allocations and adds appropriate goto statements on the error\npaths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.11"
        },
        {
          "id": "CVE-2023-52978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kprobe: Fixup kernel panic when probing an illegal position\n\nThe kernel would panic when probed for an illegal position. eg:\n\n(CONFIG_RISCV_ISA_C=n)\n\necho 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events\necho 1 > events/kprobes/hello/enable\ncat trace\n\nKernel panic - not syncing: stack-protector: Kernel stack\nis corrupted in: __do_sys_newfstatat+0xb8/0xb8\nCPU: 0 PID: 111 Comm: sh Not tainted\n6.2.0-rc1-00027-g2d398fe49a4d #490\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff80007268>] dump_backtrace+0x38/0x48\n[<ffffffff80c5e83c>] show_stack+0x50/0x68\n[<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84\n[<ffffffff80c6da6c>] dump_stack+0x20/0x30\n[<ffffffff80c5ecf4>] panic+0x160/0x374\n[<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8\n[<ffffffff802deeb0>] sys_newstat+0x0/0x30\n[<ffffffff800158c0>] sys_clone+0x20/0x30\n[<ffffffff800039e8>] ret_from_syscall+0x0/0x4\n---[ end Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---\n\nThat is because the kprobe's ebreak instruction broke the kernel's\noriginal code. The user should guarantee the correction of the probe\nposition, but it couldn't make the kernel panic.\n\nThis patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an\nillegal position (Such as the middle of an instruction).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: extending queue_size to fix overflow\n\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\n\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\n\nExtend queue_size in ublk_device as \"unsigned int\".",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix request ref counting during error capture & debugfs dump\n\nWhen GuC support was added to error capture, the reference counting\naround the request object was broken. Fix it up.\n\nThe context based search manages the spinlocking around the search\ninternally. So it needs to grab the reference count internally as\nwell. The execlist only request based search relies on external\nlocking, so it needs an external reference count but within the\nspinlock not outside it.\n\nThe only other caller of the context based search is the code for\ndumping engine state to debugfs. That code wasn't previously getting\nan explicit reference at all as it does everything while holding the\nexeclist specific spinlock. So, that needs updating as well as that\nspinlock doesn't help when using GuC submission. Rather than trying to\nconditionally get/put depending on submission model, just change it to\nalways do the get/put.\n\nv2: Explicitly document adding an extra blank line in some dense code\n(Andy Shevchenko). Fix multiple potential null pointer derefs in case\nof no request found (some spotted by Tvrtko, but there was more!).\nAlso fix a leaked request in case of !started and another in\n__guc_reset_context now that intel_context_find_active_request is\nactually reference counting the returned request.\nv3: Add a _get suffix to intel_context_find_active_request now that it\ngrabs a reference (Daniele).\nv4: Split the intel_guc_find_hung_context change to a separate patch\nand rename intel_context_find_active_request_get to\nintel_context_get_active_request (Tvrtko).\nv5: s/locking/reference counting/ in commit message (Tvrtko)\n\n(cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Use wait_on_bit() to wait for the freeing of relinquished volume\n\nThe freeing of relinquished volume will wake up the pending volume\nacquisition by using wake_up_bit(), however it is mismatched with\nwait_var_event() used in fscache_wait_on_volume_collision() and it will\nnever wake up the waiter in the wait-queue because these two functions\noperate on different wait-queues.\n\nAccording to the implementation in fscache_wait_on_volume_collision(),\nif the wake-up of pending acquisition is delayed longer than 20 seconds\n(e.g., due to the delay of on-demand fd closing), the first\nwait_var_event_timeout() will timeout and the following wait_var_event()\nwill hang forever as shown below:\n\n FS-Cache: Potential volume collision new=00000024 old=00000022\n ......\n INFO: task mount:1148 blocked for more than 122 seconds.\n       Not tainted 6.1.0-rc6+ #1\n task:mount           state:D stack:0     pid:1148  ppid:1\n Call Trace:\n  <TASK>\n  __schedule+0x2f6/0xb80\n  schedule+0x67/0xe0\n  fscache_wait_on_volume_collision.cold+0x80/0x82\n  __fscache_acquire_volume+0x40d/0x4e0\n  erofs_fscache_register_volume+0x51/0xe0 [erofs]\n  erofs_fscache_register_fs+0x19c/0x240 [erofs]\n  erofs_fc_fill_super+0x746/0xaf0 [erofs]\n  vfs_get_super+0x7d/0x100\n  get_tree_nodev+0x16/0x20\n  erofs_fc_get_tree+0x20/0x30 [erofs]\n  vfs_get_tree+0x24/0xb0\n  path_mount+0x2fa/0xa90\n  do_mount+0x7c/0xa0\n  __x64_sys_mount+0x8b/0xe0\n  do_syscall_64+0x30/0x60\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nConsidering that wake_up_bit() is more selective, so fix it by using\nwait_on_bit() instead of wait_var_event() to wait for the freeing of\nrelinquished volume. In addition because waitqueue_active() is used in\nwake_up_bit() and clear_bit() doesn't imply any memory barrier, use\nclear_and_wake_up_bit() to add the missing memory barrier between\ncursor->flags and waitqueue_active().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bic_set_bfqq()\n\nAfter commit 64dc8c732f5c (\"block, bfq: fix possible uaf for 'bfqq->bic'\"),\nbic->bfqq will be accessed in bic_set_bfqq(), however, in some context\nbic->bfqq will be freed, and bic_set_bfqq() is called with the freed\nbic->bfqq.\n\nFix the problem by always freeing bfqq after bic_set_bfqq().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.11"
        },
        {
          "id": "CVE-2023-52984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices\n\nThe probe() function is only used for the DP83822 PHY, leaving the\nprivate data pointer uninitialized for the smaller DP83825/26 models.\nWhile all uses of the private data structure are hidden in 82822 specific\ncallbacks, configuring the interrupt is shared across all models.\nThis causes a NULL pointer dereference on the smaller PHYs as it accesses\nthe private data unchecked. Verifying the pointer avoids that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: imx8mm-verdin: Do not power down eth-phy\n\nCurrently if suspending using either freeze or memory state, the fec\ndriver tries to power down the phy which leads to crash of the kernel\nand non-responsible kernel with the following call trace:\n\n[   24.839889 ] Call trace:\n[   24.839892 ]  phy_error+0x18/0x60\n[   24.839898 ]  kszphy_handle_interrupt+0x6c/0x80\n[   24.839903 ]  phy_interrupt+0x20/0x2c\n[   24.839909 ]  irq_thread_fn+0x30/0xa0\n[   24.839919 ]  irq_thread+0x178/0x2c0\n[   24.839925 ]  kthread+0x154/0x160\n[   24.839932 ]  ret_from_fork+0x10/0x20\n\nSince there is currently no functionality in the phy subsystem to power\ndown phys let's just disable the feature of powering-down the ethernet\nphy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener\n\nA listening socket linked to a sockmap has its sk_prot overridden. It\npoints to one of the struct proto variants in tcp_bpf_prots. The variant\ndepends on the socket's family and which sockmap programs are attached.\n\nA child socket cloned from a TCP listener initially inherits their sk_prot.\nBut before cloning is finished, we restore the child's proto to the\nlistener's original non-tcp_bpf_prots one. This happens in\ntcp_create_openreq_child -> tcp_bpf_clone.\n\nToday, in tcp_bpf_clone we detect if the child's proto should be restored\nby checking only for the TCP_BPF_BASE proto variant. This is not\ncorrect. The sk_prot of listening socket linked to a sockmap can point to\nto any variant in tcp_bpf_prots.\n\nIf the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then\nthe child socket unintentionally is left if the inherited sk_prot by\ntcp_bpf_clone.\n\nThis leads to issues like infinite recursion on close [1], because the\nchild state is otherwise not set up for use with tcp_bpf_prot operations.\n\nAdjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.\n\nNote that it wouldn't be sufficient to check the socket state when\noverriding the sk_prot in tcp_bpf_update_proto in order to always use the\nTCP_BPF_BASE variant for listening sockets. Since commit\nb8b8315e39ff (\"bpf, sockmap: Remove unhash handler for BPF sockmap usage\")\nit is possible for a socket to transition to TCP_LISTEN state while already\nlinked to a sockmap, e.g. connect() -> insert into map ->\nconnect(AF_UNSPEC) -> listen().\n\n[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write()\n\nThe \"id\" comes from the user.  Change the type to unsigned to prevent\nan array underflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()\n\nsnd_hda_get_connections() can return a negative error code.\nIt may lead to accessing 'conn' array at a negative index.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][    C1] Call Trace:\n[19185.841730][    C1]  <TASK>\n[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510\n[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0\n[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110\n[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160\n[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60\n[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][    C1]  process_backlog+0x88/0x130\n[19185.935840][    C1]  __napi_poll+0x27/0x150\n[19185.943447][    C1]  net_rx_action+0x27e/0x5f0\n[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][    C1]  __do_softirq+0xbc/0x25d\n[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0\n[19185.976247][    C1]  common_interrupt+0x43/0xa0\n[19185.984235][    C1]  asm_common_interrupt+0x22/0x40\n...\n[19186.094106][    C1]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip task with pid=1 in send_signal_common()\n\nThe following kernel panic can be triggered when a task with pid=1 attaches\na prog that attempts to send killing signal to itself, also see [1] for more\ndetails:\n\n  Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n  CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148\n  Call Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106\n  panic+0x2c4/0x60f kernel/panic.c:275\n  do_exit.cold+0x63/0xe4 kernel/exit.c:789\n  do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n  get_signal+0x2460/0x2600 kernel/signal.c:2858\n  arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306\n  exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n  exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n  __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n  syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n  do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nSo skip task with pid=1 in bpf_send_signal_common() to avoid the panic.\n\n  [1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL\n\nBaoquan reported that after triggering a crash the subsequent crash-kernel\nfails to boot about half of the time. It triggers a NULL pointer\ndereference in the periodic tick code.\n\nThis happens because the legacy timer interrupt (IRQ0) is resent in\nsoftware which happens in soft interrupt (tasklet) context. In this context\nget_irq_regs() returns NULL which leads to the NULL pointer dereference.\n\nThe reason for the resend is a spurious APIC interrupt on the IRQ0 vector\nwhich is captured and leads to a resend when the legacy timer interrupt is\nenabled. This is wrong because the legacy PIC interrupts are level\ntriggered and therefore should never be resent in software, but nothing\never sets the IRQ_LEVEL flag on those interrupts, so the core code does not\nknow about their trigger type.\n\nEnsure that IRQ_LEVEL is set when the legacy PCI interrupts are set up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: Fix suspend with Xen PV\n\nCommit f1e525009493 (\"x86/boot: Skip realmode init code when running as\nXen PV guest\") missed one code path accessing real_mode_header, leading\nto dereferencing NULL when suspending the system under Xen:\n\n    [  348.284004] PM: suspend entry (deep)\n    [  348.289532] Filesystems sync: 0.005 seconds\n    [  348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done.\n    [  348.292457] OOM killer disabled.\n    [  348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done.\n    [  348.396612] printk: Suspending console(s) (use no_console_suspend to debug)\n    [  348.749228] PM: suspend devices took 0.352 seconds\n    [  348.769713] ACPI: EC: interrupt blocked\n    [  348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c\n    [  348.816080] #PF: supervisor read access in kernel mode\n    [  348.816081] #PF: error_code(0x0000) - not-present page\n    [  348.816083] PGD 0 P4D 0\n    [  348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI\n    [  348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1\n    [  348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022\n    [  348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20\n\nFix that by adding an optional acpi callback allowing to skip setting\nthe wakeup address, as in the Xen PV case this will be handled by the\nhypervisor anyway.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.9"
        },
        {
          "id": "CVE-2023-52995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/kprobe: Fix instruction simulation of JALR\n\nSet kprobe at 'jalr 1140(ra)' of vfs_write results in the following\ncrash:\n\n[   32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170\n[   32.093115] Oops [#1]\n[   32.093251] Modules linked in:\n[   32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16\n[   32.093985] Hardware name: riscv-virtio,qemu (DT)\n[   32.094280] epc : ksys_read+0x88/0xd6\n[   32.094855]  ra : ksys_read+0xc0/0xd6\n[   32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0\n[   32.095227]  gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80\n[   32.095500]  t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60\n[   32.095716]  s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708\n[   32.095921]  a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300\n[   32.096171]  a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff\n[   32.096411]  s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170\n[   32.096638]  s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030\n[   32.096865]  s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410\n[   32.097092]  s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c\n[   32.097317]  t5 : ffffffff8000c29c t6 : ffffffff800dbc54\n[   32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d\n[   32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6\n[   32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38\n[   32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2\n\nSince the rs1 and rd might be the same one, such as 'jalr 1140(ra)',\nhence it requires obtaining the target address from rs1 followed by\nupdating rd.\n\n[Palmer: Pick Guo's cleanup]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: prevent potential spectre v1 gadget in fib_metrics_match()\n\nif (!type)\n        continue;\n    if (type > RTAX_MAX)\n        return false;\n    ...\n    fi_val = fi->fib_metrics->metrics[type - 1];\n\n@type being used as an array index, we need to prevent\ncpu speculation or risk leaking kernel memory content.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: prevent potential spectre v1 gadget in ip_metrics_convert()\n\nif (!type)\n\t\tcontinue;\n\tif (type > RTAX_MAX)\n\t\treturn -EINVAL;\n\t...\n\tmetrics[type - 1] = val;\n\n@type being used as an array index, we need to prevent\ncpu speculation or risk leaking kernel memory content.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Use page_pool_put_full_page when freeing rx buffers\n\nThe page_pool_release_page was used when freeing rx buffers, and this\nfunction just unmaps the page (if mapped) and does not recycle the page.\nSo after hundreds of down/up the eth0, the system will out of memory.\nFor more details, please refer to the following reproduce steps and\nbug logs. To solve this issue and refer to the doc of page pool, the\npage_pool_put_full_page should be used to replace page_pool_release_page.\nBecause this API will try to recycle the page if the page refcnt equal to\n1. After testing 20000 times, the issue can not be reproduced anymore\n(about testing 391 times the issue will occur on i.MX8MN-EVK before).\n\nReproduce steps:\nCreate the test script and run the script. The script content is as\nfollows:\nLOOPS=20000\ni=1\nwhile [ $i -le $LOOPS ]\ndo\n    echo \"TINFO:ENET $curface up and down test $i times\"\n    org_macaddr=$(cat /sys/class/net/eth0/address)\n    ifconfig eth0 down\n    ifconfig eth0  hw ether $org_macaddr up\n    i=$(expr $i + 1)\ndone\nsleep 5\nif cat /sys/class/net/eth0/operstate | grep 'up';then\n    echo \"TEST PASS\"\nelse\n    echo \"TEST FAIL\"\nfi\n\nBug detail logs:\nTINFO:ENET  up and down test 391 times\n[  850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[  853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[  853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[  870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec\n[  931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec\nTINFO:ENET  up and down test 392 times\n[  991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec\n[ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec\n[ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec\n[ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec\n[ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec\n[ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec\n[ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec\nTINFO:ENET  up and down test 393 times\n[ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec\n[ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec\n[ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec\n[ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec\n[ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec\n[ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec\n[ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec\n[ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec\n[ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec\n[ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec\n[ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec\nTINFO:ENET  up and down test 394 times\n[ 1492.8305\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-52999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UaF in netns ops registration error path\n\nIf net_assign_generic() fails, the current error path in ops_init() tries\nto clear the gen pointer slot. Anyway, in such error path, the gen pointer\nitself has not been modified yet, and the existing and accessed one is\nsmaller than the accessed index, causing an out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320\n Write of size 8 at addr ffff888109124978 by task modprobe/1018\n\n CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x6a/0x9f\n  print_address_description.constprop.0+0x86/0x2b5\n  print_report+0x11b/0x1fb\n  kasan_report+0x87/0xc0\n  ops_init+0x2de/0x320\n  register_pernet_operations+0x2e4/0x750\n  register_pernet_subsys+0x24/0x40\n  tcf_register_action+0x9f/0x560\n  do_one_initcall+0xf9/0x570\n  do_init_module+0x190/0x650\n  load_module+0x1fa5/0x23c0\n  __do_sys_finit_module+0x10d/0x1b0\n  do_syscall_64+0x58/0x80\n  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n RIP: 0033:0x7f42518f778d\n Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48\n       89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff\n       ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d\n RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003\n RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000\n R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000\n  </TASK>\n\nThis change addresses the issue by skipping the gen pointer\nde-reference in the mentioned error-path.\n\nFound by code inspection and verified with explicit error injection\non a kasan-enabled kernel.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-52999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: prevent potential spectre v1 gadgets\n\nMost netlink attributes are parsed and validated from\n__nla_validate_parse() or validate_nla()\n\n    u16 type = nla_type(nla);\n\n    if (type == 0 || type > maxtype) {\n        /* error or continue */\n    }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.\n\nThis should take care of vast majority of netlink uses,\nbut an audit is needed to take care of others where\nvalidation is not yet centralized in core netlink functions.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix a memory leak with reused mmap_offset\n\ndrm_vma_node_allow() and drm_vma_node_revoke() should be called in\nbalanced pairs. We call drm_vma_node_allow() once per-file everytime a\nuser calls mmap_offset, but only call drm_vma_node_revoke once per-file\non each mmap_offset. As the mmap_offset is reused by the client, the\nper-file vm_count may remain non-zero and the rbtree leaked.\n\nCall drm_vma_node_allow_once() instead to prevent that memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info\n\nThe memory for llcc_driv_data is allocated by the LLCC driver. But when\nit is passed as the private driver info to the EDAC core, it will get freed\nduring the qcom_edac driver release. So when the qcom_edac driver gets probed\nagain, it will try to use the freed data leading to the use-after-free bug.\n\nHence, do not pass llcc_driv_data as pvt_info but rather reference it\nusing the platform_data pointer in the qcom_edac driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix tmpfile leak\n\nMissed an error cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace_events_hist: add check for return value of 'create_hist_field'\n\nFunction 'create_hist_field' is called recursively at\ntrace_events_hist.c:1954 and can return NULL-value that's why we have\nto check it to avoid null pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix oops due to uncleared server->smbd_conn in reconnect\n\nIn smbd_destroy(), clear the server->smbd_conn pointer after freeing the\nsmbd_connection struct that it points to so that reconnection doesn't get\nconfused.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Make sure trace_printk() can output as soon as it can be used\n\nCurrently trace_printk() can be used as soon as early_trace_init() is\ncalled from start_kernel(). But if a crash happens, and\n\"ftrace_dump_on_oops\" is set on the kernel command line, all you get will\nbe:\n\n  [    0.456075]   <idle>-0         0dN.2. 347519us : Unknown type 6\n  [    0.456075]   <idle>-0         0dN.2. 353141us : Unknown type 6\n  [    0.456075]   <idle>-0         0dN.2. 358684us : Unknown type 6\n\nThis is because the trace_printk() event (type 6) hasn't been registered\nyet. That gets done via an early_initcall(), which may be early, but not\nearly enough.\n\nInstead of registering the trace_printk() event (and other ftrace events,\nwhich are not trace events) via an early_initcall(), have them registered at\nthe same time that trace_printk() can be used. This way, if there is a\ncrash before early_initcall(), then the trace_printk()s will actually be\nuseful.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential memory leaks in session setup\n\nMake sure to free cifs_ses::auth_key.response before allocating it as\nwe might end up leaking memory in reconnect or mounting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Add sync after creating vram bo\n\nThere will be data corruption on vram allocated by svm\nif the initialization is not complete and application is\nwritting on the memory. Adding sync to wait for the\ninitialization completion is to resolve this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: Do not read past the end of test names\n\nTest names were being concatenated based on a offset beyond the end of\nthe first name, which tripped the buffer overflow detection logic:\n\n detected buffer overflow in strnlen\n [...]\n Call Trace:\n bnxt_ethtool_init.cold+0x18/0x18\n\nRefactor struct hwrm_selftest_qlist_output to use an actual array,\nand adjust the concatenation to use snprintf() rather than a series of\nstrncat() calls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: enable all safety features by default\n\nIn the original implementation of dwmac5\ncommit 8bf993a5877e (\"net: stmmac: Add support for DWMAC5 and implement Safety Features\")\nall safety features were enabled by default.\n\nLater it seems some implementations didn't have support for all the\nfeatures, so in\ncommit 5ac712dcdfef (\"net: stmmac: enable platform specific safety features\")\nthe safety_feat_cfg structure was added to the callback and defined for\nsome platforms to selectively enable these safety features.\n\nThe problem is that only certain platforms were given that software\nsupport. If the automotive safety package bit is set in the hardware\nfeatures register the safety feature callback is called for the platform,\nand for platforms that didn't get a safety_feat_cfg defined this results\nin the following NULL pointer dereference:\n\n[    7.933303] Call trace:\n[    7.935812]  dwmac5_safety_feat_config+0x20/0x170 [stmmac]\n[    7.941455]  __stmmac_open+0x16c/0x474 [stmmac]\n[    7.946117]  stmmac_open+0x38/0x70 [stmmac]\n[    7.950414]  __dev_open+0x100/0x1dc\n[    7.954006]  __dev_change_flags+0x18c/0x204\n[    7.958297]  dev_change_flags+0x24/0x6c\n[    7.962237]  do_setlink+0x2b8/0xfa4\n[    7.965827]  __rtnl_newlink+0x4ec/0x840\n[    7.969766]  rtnl_newlink+0x50/0x80\n[    7.973353]  rtnetlink_rcv_msg+0x12c/0x374\n[    7.977557]  netlink_rcv_skb+0x5c/0x130\n[    7.981500]  rtnetlink_rcv+0x18/0x2c\n[    7.985172]  netlink_unicast+0x2e8/0x340\n[    7.989197]  netlink_sendmsg+0x1a8/0x420\n[    7.993222]  ____sys_sendmsg+0x218/0x280\n[    7.997249]  ___sys_sendmsg+0xac/0x100\n[    8.001103]  __sys_sendmsg+0x84/0xe0\n[    8.004776]  __arm64_sys_sendmsg+0x24/0x30\n[    8.008983]  invoke_syscall+0x48/0x114\n[    8.012840]  el0_svc_common.constprop.0+0xcc/0xec\n[    8.017665]  do_el0_svc+0x38/0xb0\n[    8.021071]  el0_svc+0x2c/0x84\n[    8.024212]  
el0t_64_sync_handler+0xf4/0x120\n[    8.028598]  el0t_64_sync+0x190/0x194\n\nGo back to the original behavior, if the automotive safety package\nis found to be supported in hardware enable all the features unless\nsafety_feat_cfg is passed in saying this particular platform only\nsupports a subset of the features.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: call put_device() only after device_register() fails\n\nput_device() shouldn't be called before a prior call to\ndevice_register(). __thermal_cooling_device_register() doesn't follow\nthat properly and needs fixing. Also\nthermal_cooling_device_destroy_sysfs() is getting called unnecessarily\non few error paths.\n\nFix all this by placing the calls at the right place.\n\nBased on initial work done by Caleb Connolly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53012"
        },
        {
          "id": "CVE-2023-53013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptdma: pt_core_execute_cmd() should use spinlock\n\nThe interrupt handler (pt_core_irq_handler()) of the ptdma\ndriver can be called from interrupt context. The code flow\nin this function can lead down to pt_core_execute_cmd() which\nwill attempt to grab a mutex, which is not appropriate in\ninterrupt context and ultimately leads to a kernel panic.\nThe fix here changes this mutex to a spinlock, which has\nbeen verified to resolve the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra: Fix memory leak in terminate_all()\n\nTerminate vdesc when terminating an ongoing transfer.\nThis will ensure that the vdesc is present in the desc_terminated list\nThe descriptor will be freed later in desc_free_list().\n\nThis fixes the memory leaks which can happen when terminating an\nongoing transfer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: check shape of output reports\n\nbetopff_init() only checks the total sum of the report counts for each\nreport field to be at least 4, but hid_betopff_play() expects 4 report\nfields.\nA device advertising an output report with one field and 4 report counts\nwould pass the check but crash the kernel with a NULL pointer dereference\nin hid_betopff_play().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix possible deadlock in rfcomm_sk_state_change\n\nsyzbot reports a possible deadlock in rfcomm_sk_state_change [1].\nWhile rfcomm_sock_connect acquires the sk lock and waits for\nthe rfcomm lock, rfcomm_sock_release could have the rfcomm\nlock and hit a deadlock for acquiring the sk lock.\nHere's a simplified flow:\n\nrfcomm_sock_connect:\n  lock_sock(sk)\n  rfcomm_dlc_open:\n    rfcomm_lock()\n\nrfcomm_sock_release:\n  rfcomm_sock_shutdown:\n    rfcomm_lock()\n    __rfcomm_dlc_close:\n        rfcomm_k_state_change:\n\t  lock_sock(sk)\n\nThis patch drops the sk lock before calling rfcomm_dlc_open to\navoid the possible deadlock and holds sk's reference count to\nprevent use-after-free after rfcomm_dlc_open completes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix memory leak in hci_update_adv_data()\n\nWhen hci_cmd_sync_queue() failed in hci_update_adv_data(), inst_ptr is\nnot freed, which will cause memory leak, convert to use ERR_PTR/PTR_ERR\nto pass the instance to callback so no memory needs to be allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix memory leaks\n\nWhen hci_cmd_sync_queue() failed in hci_le_terminate_big() or\nhci_le_big_terminate(), the memory pointed by variable d is not freed,\nwhich will cause memory leak. Add release process to error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: validate parameter addr in mdiobus_get_phy()\n\nThe caller may pass any value as addr, what may result in an out-of-bounds\naccess to array mdio_map. One existing case is stmmac_init_phy() that\nmay pass -1 as addr. Therefore validate addr before using it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: close all race conditions in l2tp_tunnel_register()\n\nThe code in l2tp_tunnel_register() is racy in several ways:\n\n1. It modifies the tunnel socket _after_ publishing it.\n\n2. It calls setup_udp_tunnel_sock() on an existing socket without\n   locking.\n\n3. It changes sock lock class on fly, which triggers many syzbot\n   reports.\n\nThis patch amends all of them by moving socket initialization code\nbefore publishing and under sock lock. As suggested by Jakub, the\nl2tp lockdep class is not necessary as we can just switch to\nbh_lock_sock_nested().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n 
kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: avoid deadlock in enetc_tx_onestep_tstamp()\n\nThis lockdep splat says it better than I could:\n\n================================\nWARNING: inconsistent lock state\n6.2.0-rc2-07010-ga9b9500ffaac-dirty #967 Not tainted\n--------------------------------\ninconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\nkworker/1:3/179 [HC0[0]:SC0[0]:HE1:SE1] takes:\nffff3ec4036ce098 (_xmit_ETHER#2){+.?.}-{3:3}, at: netif_freeze_queues+0x5c/0xc0\n{IN-SOFTIRQ-W} state was registered at:\n  _raw_spin_lock+0x5c/0xc0\n  sch_direct_xmit+0x148/0x37c\n  __dev_queue_xmit+0x528/0x111c\n  ip6_finish_output2+0x5ec/0xb7c\n  ip6_finish_output+0x240/0x3f0\n  ip6_output+0x78/0x360\n  ndisc_send_skb+0x33c/0x85c\n  ndisc_send_rs+0x54/0x12c\n  addrconf_rs_timer+0x154/0x260\n  call_timer_fn+0xb8/0x3a0\n  __run_timers.part.0+0x214/0x26c\n  run_timer_softirq+0x3c/0x74\n  __do_softirq+0x14c/0x5d8\n  ____do_softirq+0x10/0x20\n  call_on_irq_stack+0x2c/0x5c\n  do_softirq_own_stack+0x1c/0x30\n  __irq_exit_rcu+0x168/0x1a0\n  irq_exit_rcu+0x10/0x40\n  el1_interrupt+0x38/0x64\nirq event stamp: 7825\nhardirqs last  enabled at (7825): [<ffffdf1f7200cae4>] exit_to_kernel_mode+0x34/0x130\nhardirqs last disabled at (7823): [<ffffdf1f708105f0>] __do_softirq+0x550/0x5d8\nsoftirqs last  enabled at (7824): [<ffffdf1f7081050c>] __do_softirq+0x46c/0x5d8\nsoftirqs last disabled at (7811): [<ffffdf1f708166e0>] ____do_softirq+0x10/0x20\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(_xmit_ETHER#2);\n  <Interrupt>\n    lock(_xmit_ETHER#2);\n\n *** DEADLOCK ***\n\n3 locks held by kworker/1:3/179:\n #0: ffff3ec400004748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0\n #1: ffff80000a0bbdc8 ((work_completion)(&priv->tx_onestep_tstamp)){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0\n #2: ffff3ec4036cd438 
(&dev->tx_global_lock){+.+.}-{3:3}, at: netif_tx_lock+0x1c/0x34\n\nWorkqueue: events enetc_tx_onestep_tstamp\nCall trace:\n print_usage_bug.part.0+0x208/0x22c\n mark_lock+0x7f0/0x8b0\n __lock_acquire+0x7c4/0x1ce0\n lock_acquire.part.0+0xe0/0x220\n lock_acquire+0x68/0x84\n _raw_spin_lock+0x5c/0xc0\n netif_freeze_queues+0x5c/0xc0\n netif_tx_lock+0x24/0x34\n enetc_tx_onestep_tstamp+0x20/0x100\n process_one_work+0x28c/0x6c0\n worker_thread+0x74/0x450\n kthread+0x118/0x11c\n\nbut I'll say it anyway: the enetc_tx_onestep_tstamp() work item runs in\nprocess context, therefore with softirqs enabled (i.o.w., it can be\ninterrupted by a softirq). If we hold the netif_tx_lock() when there is\nan interrupt, and the NET_TX softirq then gets scheduled, this will take\nthe netif_tx_lock() a second time and deadlock the kernel.\n\nTo solve this, use netif_tx_lock_bh(), which blocks softirqs from\nrunning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: Fix use-after-free in local_cleanup()\n\nFix a use-after-free that occurs in kfree_skb() called from\nlocal_cleanup(). This could happen when killing nfc daemon (e.g. neard)\nafter detaching an nfc device.\nWhen detaching an nfc device, local_cleanup() called from\nnfc_llcp_unregister_device() frees local->rx_pending and decreases\nlocal->ref by kref_put() in nfc_llcp_local_put().\nIn the terminating process, nfc daemon releases all sockets and it leads\nto decreasing local->ref. After the last release of local->ref,\nlocal_cleanup() called from local_release() frees local->rx_pending\nagain, which leads to the bug.\n\nSetting local->rx_pending to NULL in local_cleanup() could prevent\nuse-after-free when local_cleanup() is called twice.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in kfree_skb()\n\nCall Trace:\ndump_stack_lvl (lib/dump_stack.c:106)\nprint_address_description.constprop.0.cold (mm/kasan/report.c:306)\nkasan_check_range (mm/kasan/generic.c:189)\nkfree_skb (net/core/skbuff.c:955)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)\nnfc_llcp_local_put (net/nfc/llcp_core.c:181)\nllcp_sock_destruct (net/nfc/llcp_sock.c:959)\n__sk_destruct (net/core/sock.c:2133)\nsk_destruct (net/core/sock.c:2181)\n__sk_free (net/core/sock.c:2192)\nsk_free (net/core/sock.c:2203)\nllcp_sock_release (net/nfc/llcp_sock.c:646)\n__sock_release (net/socket.c:650)\nsock_close (net/socket.c:1365)\n__fput (fs/file_table.c:306)\ntask_work_run (kernel/task_work.c:179)\nptrace_notify (kernel/signal.c:2354)\nsyscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)\nsyscall_exit_to_user_mode (kernel/entry/common.c:296)\ndo_syscall_64 (arch/x86/entry/common.c:86)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)\n\nAllocated by task 4719:\nkasan_save_stack 
(mm/kasan/common.c:45)\n__kasan_slab_alloc (mm/kasan/common.c:325)\nslab_post_alloc_hook (mm/slab.h:766)\nkmem_cache_alloc_node (mm/slub.c:3497)\n__alloc_skb (net/core/skbuff.c:552)\npn533_recv_response (drivers/nfc/pn533/usb.c:65)\n__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)\nusb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)\ntasklet_action_common.isra.0 (kernel/softirq.c:797)\n__do_softirq (kernel/softirq.c:571)\n\nFreed by task 1901:\nkasan_save_stack (mm/kasan/common.c:45)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/genericdd.c:518)\n__kasan_slab_free (mm/kasan/common.c:236)\nkmem_cache_free (mm/slub.c:3809)\nkfree_skbmem (net/core/skbuff.c:874)\nkfree_skb (net/core/skbuff.c:931)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)\nnfc_unregister_device (net/nfc/core.c:1179)\npn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)\npn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)\nusb_unbind_interface (drivers/usb/core/driver.c:458)\ndevice_release_driver_internal (drivers/base/dd.c:1279)\nbus_remove_device (drivers/base/bus.c:529)\ndevice_del (drivers/base/core.c:3665)\nusb_disable_device (drivers/usb/core/message.c:1420)\nusb_disconnect (drivers/usb/core.c:2261)\nhub_event (drivers/usb/core/hub.c:5833)\nprocess_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)\nworker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)\nkthread (kernel/kthread.c:319)\nret_from_fork (arch/x86/entry/entry_64.S:301)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\n\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\n\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\n\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\n\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n\n  [...]\n  // r6 = 0 or 1 (skalar, unknown user input)\n  // r7 = accessible ptr for side channel\n  // r10 = frame pointer (fp), to be leaked\n  //\n  r9 = r10 # fp alias to encourage ssb\n  *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n  // lfence added here because of pointer spill to stack.\n  //\n  // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n  // for no r9-r10 dependency.\n  //\n  *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n  // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n  // store may be subject to SSB\n  //\n  // fix: also add an lfence when the slot contained a ptr\n  //\n  r8 = *(u64 *)(r9 - 8)\n  // r8 = architecturally a scalar, speculatively a ptr\n  //\n  
// leak ptr using branch-based cache side channel:\n  r8 &= 1 // choose bit to leak\n  if r8 == 0 goto SLOW // no mispredict\n  // architecturally dead code if input r6 is 0,\n  // only executes speculatively iff ptr bit is 1\n  r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n  [...]\n\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\n\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\n\nDo not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix ib block iterator counter overflow\n\nWhen registering a new DMA MR after selecting the best aligned page size\nfor it, we iterate over the given sglist to split each entry to smaller,\naligned to the selected page size, DMA blocks.\n\nIn given circumstances where the sg entry and page size fit certain\nsizes and the sg entry is not aligned to the selected page size, the\ntotal size of the aligned pages we need to cover the sg entry is >= 4GB.\nUnder this circumstances, while iterating page aligned blocks, the\ncounter responsible for counting how much we advanced from the start of\nthe sg entry is overflowed because its type is u32 and we pass 4GB in\nsize. This can lead to an infinite loop inside the iterator function\nbecause the overflow prevents the counter to be larger\nthan the size of the sg entry.\n\nFix the presented problem by changing the advancement condition to\neliminate overflow.\n\nBacktrace:\n[  192.374329] efa_reg_user_mr_dmabuf\n[  192.376783] efa_register_mr\n[  192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000\n[  192.386423] pg_sz [0x80000000] umem_length[0xc0000000]\n[  192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3\n[  192.399559] hp_cnt[3], pages_in_hp[524288]\n[  192.403690] umem->sgt_append.sgt.nents[1]\n[  192.407905] number entries: [1], pg_bit: [31]\n[  192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[  192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]\n[  192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[  192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]\n[  192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]\n[  192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"wifi: mac80211: fix memory leak in ieee80211_if_add()\"\n\nThis reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.\n\nieee80211_if_free() is already called from free_netdev(ndev)\nbecause ndev->priv_destructor == ieee80211_if_free\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]\nRIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]\nRIP: 0010:free_percpu mm/percpu.c:2271 [inline]\nRIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254\nCode: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc\nRSP: 0018:ffffc90004ba7068 EFLAGS: 00010002\nRAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004\nRDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020\nRBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000\nR13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988\nFS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nnetdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352\nieee80211_register_hw+0x2663/0x4040 
net/mac80211/main.c:1411\nmac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583\nhwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176\ngenl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968\ngenl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\ngenl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065\nnetlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564\ngenl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\nnetlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\nnetlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356\nnetlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg+0xd3/0x120 net/socket.c:734\n____sys_sendmsg+0x712/0x8c0 net/socket.c:2476\n___sys_sendmsg+0x110/0x1b0 net/socket.c:2530\n__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.8"
        },
        {
          "id": "CVE-2023-53029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt\n\nThe commit 4af1b64f80fb (\"octeontx2-pf: Fix lmtst ID used in aura\nfree\") uses the get/put_cpu() to protect the usage of percpu pointer\nin ->aura_freeptr() callback, but it also unnecessarily disable the\npreemption for the blockable memory allocation. The commit 87b93b678e95\n(\"octeontx2-pf: Avoid use of GFP_KERNEL in atomic context\") tried to\nfix these sleep inside atomic warnings. But it only fix the one for\nthe non-rt kernel. For the rt kernel, we still get the similar warnings\nlike below.\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n  preempt_count: 1, expected: 0\n  RCU nest depth: 0, expected: 0\n  3 locks held by swapper/0/1:\n   #0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30\n   #1: ffff000100c276c0 (&mbox->lock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4\n   #2: ffffffbfef6537e0 (&cpu_rcache->lock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac\n  Preemption disabled at:\n  [<ffff800008b1908c>] otx2_rq_aura_pool_init+0x14c/0x284\n  CPU: 20 PID: 1 Comm: swapper/0 Tainted: G        W          6.2.0-rc3-rt1-yocto-preempt-rt #1\n  Hardware name: Marvell OcteonTX CN96XX board (DT)\n  Call trace:\n   dump_backtrace.part.0+0xe8/0xf4\n   show_stack+0x20/0x30\n   dump_stack_lvl+0x9c/0xd8\n   dump_stack+0x18/0x34\n   __might_resched+0x188/0x224\n   rt_spin_lock+0x64/0x110\n   alloc_iova_fast+0x1ac/0x2ac\n   iommu_dma_alloc_iova+0xd4/0x110\n   __iommu_dma_map+0x80/0x144\n   iommu_dma_map_page+0xe8/0x260\n   dma_map_page_attrs+0xb4/0xc0\n   __otx2_alloc_rbuf+0x90/0x150\n   otx2_rq_aura_pool_init+0x1c8/0x284\n   otx2_init_hw_resources+0xe4/0x3a4\n   otx2_open+0xf0/0x610\n   __dev_open+0x104/0x224\n   __dev_change_flags+0x1e4/0x274\n   
dev_change_flags+0x2c/0x7c\n   ic_open_devs+0x124/0x2f8\n   ip_auto_config+0x180/0x42c\n   do_one_initcall+0x90/0x4dc\n   do_basic_setup+0x10c/0x14c\n   kernel_init_freeable+0x10c/0x13c\n   kernel_init+0x2c/0x140\n   ret_from_fork+0x10/0x20\n\nOf course, we can shuffle the get/put_cpu() to only wrap the invocation\nof ->aura_freeptr() as what commit 87b93b678e95 does. But there are only\ntwo ->aura_freeptr() callbacks, otx2_aura_freeptr() and\ncn10k_aura_freeptr(). There is no usage of perpcu variable in the\notx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.\nWe can move the get/put_cpu() into the corresponding callback which\nreally has the percpu variable usage and avoid the sprinkling of\nget/put_cpu() in several places.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.8"
        },
        {
          "id": "CVE-2023-53030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Avoid use of GFP_KERNEL in atomic context\n\nUsing GFP_KERNEL in preemption disable context, causing below warning\nwhen CONFIG_DEBUG_ATOMIC_SLEEP is enabled.\n\n[   32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274\n[   32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n[   32.558707] preempt_count: 1, expected: 0\n[   32.562710] RCU nest depth: 0, expected: 0\n[   32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G        W          6.2.0-rc2-00269-gae9dcb91c606 #7\n[   32.576188] Hardware name: Marvell CN106XX board (DT)\n[   32.581232] Call trace:\n[   32.583670]  dump_backtrace.part.0+0xe0/0xf0\n[   32.587937]  show_stack+0x18/0x30\n[   32.591245]  dump_stack_lvl+0x68/0x84\n[   32.594900]  dump_stack+0x18/0x34\n[   32.598206]  __might_resched+0x12c/0x160\n[   32.602122]  __might_sleep+0x48/0xa0\n[   32.605689]  __kmem_cache_alloc_node+0x2b8/0x2e0\n[   32.610301]  __kmalloc+0x58/0x190\n[   32.613610]  otx2_sq_aura_pool_init+0x1a8/0x314\n[   32.618134]  otx2_open+0x1d4/0x9d0\n\nTo avoid use of GFP_ATOMIC for memory allocation, disable preemption\nafter all memory allocation is done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.1.8"
        },
        {
          "id": "CVE-2023-53031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Fix use of mutex in IRQs disabled section\n\nCurrent imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP\nand CONFIG_PROVE_LOCKING enabled, while running a thread_imc event.\n\nCommand to trigger the warning:\n  # perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5\n\n   Performance counter stats for 'sleep 5':\n\n                   0      thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/\n\n         5.002117947 seconds time elapsed\n\n         0.000131000 seconds user\n         0.001063000 seconds sys\n\nBelow is snippet of the warning in dmesg:\n\n  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580\n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec\n  preempt_count: 2, expected: 0\n  4 locks held by perf-exec/2869:\n   #0: c00000004325c540 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90\n   #1: c00000004325c5d8 (&sig->exec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0\n   #2: c0000003fa99d4e0 (&cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510\n   #3: c000000017ab8418 (&ctx->lock){....}-{2:2}, at: perf_event_exec+0x29c/0x510\n  irq event stamp: 4806\n  hardirqs last  enabled at (4805): [<c000000000f65b94>] _raw_spin_unlock_irqrestore+0x94/0xd0\n  hardirqs last disabled at (4806): [<c0000000003fae44>] perf_event_exec+0x394/0x510\n  softirqs last  enabled at (0): [<c00000000013c404>] copy_process+0xc34/0x1ff0\n  softirqs last disabled at (0): [<0000000000000000>] 0x0\n  CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61\n  Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV\n  Call Trace:\n    dump_stack_lvl+0x98/0xe0 (unreliable)\n    __might_resched+0x2f8/0x310\n    __mutex_lock+0x6c/0x13f0\n    thread_imc_event_add+0xf4/0x1b0\n    event_sched_in+0xe0/0x210\n    merge_sched_in+0x1f0/0x600\n    
visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0\n    ctx_flexible_sched_in+0xcc/0x140\n    ctx_sched_in+0x20c/0x2a0\n    ctx_resched+0x104/0x1c0\n    perf_event_exec+0x340/0x510\n    begin_new_exec+0x730/0xef0\n    load_elf_binary+0x3f8/0x1e10\n  ...\n  do not call blocking ops when !TASK_RUNNING; state=2001 set at [<00000000fd63e7cf>] do_nanosleep+0x60/0x1a0\n  WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0\n  CPU: 36 PID: 2869 Comm: sleep Tainted: G        W          6.2.0-rc2-00011-g1247637727f2 #61\n  Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV\n  NIP:  c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670\n  REGS: c00000004d2134e0 TRAP: 0700   Tainted: G        W           (6.2.0-rc2-00011-g1247637727f2)\n  MSR:  9000000000021033 <SF,HV,ME,IR,DR,RI,LE>  CR: 48002824  XER: 00000000\n  CFAR: c00000000013fb64 IRQMASK: 1\n\nThe above warning triggered because the current imc-pmu code uses mutex\nlock in interrupt disabled sections. The function mutex_lock()\ninternally calls __might_resched(), which will check if IRQs are\ndisabled and in case IRQs are disabled, it will trigger the warning.\n\nFix the issue by changing the mutex lock to spinlock.\n\n[mpe: Fix comments, trim oops in change log, add reported-by tags]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.\n\nWhen first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of\nan arithmetic expression 2 << (netmask - mask_bits - 1) is subject\nto overflow due to a failure casting operands to a larger data type\nbefore performing the arithmetic.\n\nNote that it's harmless since the value will be checked at the next step.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits\n\nIf the offset + length goes over the ethernet + vlan header, then the\nlength is adjusted to copy the bytes that are within the boundaries of\nthe vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +\nvlan header are copied directly from the skbuff data area.\n\nFix incorrect arithmetic operator: subtract, not add, the size of the\nvlan header in case of double-tagged packets to adjust the length\naccordingly to address CVE-2023-0179.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans\n\nThere is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and\nsize. This would make xlate_pos negative.\n\n[   23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000\n[   23.734158] ================================================================================\n[   23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7\n[   23.734418] shift exponent -1 is negative\n\nEnsuring xlate_pos is a positive or zero before BIT.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2023-53035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()\n\nThe ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a\nmetadata array to/from user space, may copy uninitialized buffer regions\nto user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO\nand NILFS_IOCTL_GET_CPINFO.\n\nThis can occur when the element size of the user space metadata given by\nthe v_size member of the argument nilfs_argv structure is larger than the\nsize of the metadata element (nilfs_suinfo structure or nilfs_cpinfo\nstructure) on the file system side.\n\nKMSAN-enabled kernels detect this issue as follows:\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user\n include/linux/instrumented.h:121 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n  instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n  _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n  copy_to_user include/linux/uaccess.h:169 [inline]\n  nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99\n  nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\n  nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n  nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n  __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n  __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n  __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n  do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n  entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Uninit was created at:\n  __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572\n  alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287\n  __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599\n  nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74\n  nilfs_ioctl_get_info 
fs/nilfs2/ioctl.c:1173 [inline]\n  nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n  nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n  __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n  __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n  __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n  do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n  entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Bytes 16-127 of 3968 are uninitialized\n ...\n\nThis eliminates the leak issue by initializing the page allocated as\nbuffer using get_zeroed_page().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix call trace warning and hang when removing amdgpu device\n\nOn GPUs with RAS enabled, below call trace and hang are observed when\nshutting down device.\n\nv2: use DRM device unplugged flag instead of shutdown flag as the check to\nprevent memory wipe in shutdown stage.\n\n[ +0.000000] RIP: 0010:amdgpu_vram_mgr_fini+0x18d/0x1c0 [amdgpu]\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] <TASK>\n[ +0.000002] amdgpu_ttm_fini+0x140/0x1c0 [amdgpu]\n[ +0.000183] amdgpu_bo_fini+0x27/0xa0 [amdgpu]\n[ +0.000184] gmc_v11_0_sw_fini+0x2b/0x40 [amdgpu]\n[ +0.000163] amdgpu_device_fini_sw+0xb6/0x510 [amdgpu]\n[ +0.000152] amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n[ +0.000090] drm_dev_release+0x28/0x50 [drm]\n[ +0.000016] devm_drm_dev_init_release+0x38/0x60 [drm]\n[ +0.000011] devm_action_release+0x15/0x20\n[ +0.000003] release_nodes+0x40/0xc0\n[ +0.000001] devres_release_all+0x9e/0xe0\n[ +0.000001] device_unbind_cleanup+0x12/0x80\n[ +0.000003] device_release_driver_internal+0xff/0x160\n[ +0.000001] driver_detach+0x4a/0x90\n[ +0.000001] bus_remove_driver+0x6c/0xf0\n[ +0.000001] driver_unregister+0x31/0x50\n[ +0.000001] pci_unregister_driver+0x40/0x90\n[ +0.000003] amdgpu_exit+0x15/0x120 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Bad drive in topology results kernel crash\n\nWhen the SAS Transport Layer support is enabled and a device exposed to\nthe OS by the driver fails INQUIRY commands, the driver frees up the memory\nallocated for an internal HBA port data structure. However, in some places,\nthe reference to the freed memory is not cleared. When the firmware sends\nthe Device Info change event for the same device again, the freed memory is\naccessed and that leads to memory corruption and OS crash.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read()\n\nIf kzalloc() fails in lpfc_sli4_cgn_params_read(), then we rely on\nlpfc_read_object()'s routine to NULL check pdata.\n\nCurrently, an early return error is thrown from lpfc_read_object() to\nprotect us from NULL ptr dereference, but the errno code is -ENODEV.\n\nChange the errno code to a more appropriate -ENOMEM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Fix potential use-after-free in work function\n\nWhen a reset notify IPC message is received, the ISR schedules a work\nfunction and passes the ISHTP device to it via a global pointer\nishtp_dev. If ish_probe() fails, the devm-managed device resources\nincluding ishtp_dev are freed, but the work is not cancelled, causing a\nuse-after-free when the work function tries to access ishtp_dev. Use\ndevm_work_autocancel() instead, so that the work is automatically\ncancelled if probe fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nca8210: fix mac_len negative array access\n\nThis patch fixes a buffer overflow access of skb->data if\nieee802154_hdr_peek_addrs() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Perform lockless command completion in abort path\n\nWhile adding and removing the controller, the following call trace was\nobserved:\n\nWARNING: CPU: 3 PID: 623596 at kernel/dma/mapping.c:532 dma_free_attrs+0x33/0x50\nCPU: 3 PID: 623596 Comm: sh Kdump: loaded Not tainted 5.14.0-96.el9.x86_64 #1\nRIP: 0010:dma_free_attrs+0x33/0x50\n\nCall Trace:\n   qla2x00_async_sns_sp_done+0x107/0x1b0 [qla2xxx]\n   qla2x00_abort_srb+0x8e/0x250 [qla2xxx]\n   ? ql_dbg+0x70/0x100 [qla2xxx]\n   __qla2x00_abort_all_cmds+0x108/0x190 [qla2xxx]\n   qla2x00_abort_all_cmds+0x24/0x70 [qla2xxx]\n   qla2x00_abort_isp_cleanup+0x305/0x3e0 [qla2xxx]\n   qla2x00_remove_one+0x364/0x400 [qla2xxx]\n   pci_device_remove+0x36/0xa0\n   __device_release_driver+0x17a/0x230\n   device_release_driver+0x24/0x30\n   pci_stop_bus_device+0x68/0x90\n   pci_stop_and_remove_bus_device_locked+0x16/0x30\n   remove_store+0x75/0x90\n   kernfs_fop_write_iter+0x11c/0x1b0\n   new_sync_write+0x11f/0x1b0\n   vfs_write+0x1eb/0x280\n   ksys_write+0x5f/0xe0\n   do_syscall_64+0x5c/0x80\n   ? do_user_addr_fault+0x1d8/0x680\n   ? do_syscall_64+0x69/0x80\n   ? exc_page_fault+0x62/0x140\n   ? asm_exc_page_fault+0x8/0x30\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe command was completed in the abort path during driver unload with a\nlock held, causing the warning in abort path. Hence complete the command\nwithout any lock held.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not set DRR on pipe Commit\n\n[WHY]\nWriting to DRR registers such as OTG_V_TOTAL_MIN on the same frame as a\npipe commit can cause underflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: sc7280: Mark PCIe controller as cache coherent\n\nIf the controller is not marked as cache coherent, then kernel will\ntry to ensure coherency during dma-ops and that may cause data corruption.\nSo, mark the PCIe node as dma-coherent as the devices on PCIe bus are\ncache coherent.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm stats: check for and propagate alloc_percpu failure\n\nCheck alloc_precpu()'s return value and return an error from\ndm_stats_init() if it fails. Update alloc_dev() to fail if\ndm_stats_init() does.\n\nOtherwise, a NULL pointer dereference will occur in dm_stats_cleanup()\neven if dm-stats isn't being actively used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: don't let userspace block driver unbind\n\nIn the unbind callback for f_uac1 and f_uac2, a call to snd_card_free()\nvia g_audio_cleanup() will disconnect the card and then wait for all\nresources to be released, which happens when the refcount falls to zero.\nSince userspace can keep the refcount incremented by not closing the\nrelevant file descriptor, the call to unbind may block indefinitely.\nThis can cause a deadlock during reboot, as evidenced by the following\nblocked task observed on my machine:\n\n  task:reboot  state:D stack:0   pid:2827  ppid:569    flags:0x0000000c\n  Call trace:\n   __switch_to+0xc8/0x140\n   __schedule+0x2f0/0x7c0\n   schedule+0x60/0xd0\n   schedule_timeout+0x180/0x1d4\n   wait_for_completion+0x78/0x180\n   snd_card_free+0x90/0xa0\n   g_audio_cleanup+0x2c/0x64\n   afunc_unbind+0x28/0x60\n   ...\n   kernel_restart+0x4c/0xac\n   __do_sys_reboot+0xcc/0x1ec\n   __arm64_sys_reboot+0x28/0x30\n   invoke_syscall+0x4c/0x110\n   ...\n\nThe issue can also be observed by opening the card with arecord and\nthen stopping the process through the shell before unbinding:\n\n  # arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null\n  Recording WAVE '/dev/null' : Signed 32 bit Little Endian, Rate 48000 Hz, Stereo\n  ^Z[1]+  Stopped                    arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null\n  # echo gadget.0 > /sys/bus/gadget/drivers/configfs-gadget/unbind\n  (observe that the unbind command never finishes)\n\nFix the problem by using snd_card_free_when_closed() instead, which will\nstill disconnect the card as desired, but defer the task of freeing the\nresources to the core once userspace closes its file descriptor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix race condition in hci_cmd_sync_clear\n\nThere is a potential race condition in hci_cmd_sync_work and\nhci_cmd_sync_clear, and could lead to use-after-free. For instance,\nhci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync.\nThe entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, and\ncausing kernel panic when it is used in 'hci_cmd_sync_work'.\n\nHere's the call trace:\n\ndump_stack_lvl+0x49/0x63\nprint_report.cold+0x5e/0x5d3\n? hci_cmd_sync_work+0x282/0x320\nkasan_report+0xaa/0x120\n? hci_cmd_sync_work+0x282/0x320\n__asan_report_load8_noabort+0x14/0x20\nhci_cmd_sync_work+0x282/0x320\nprocess_one_work+0x77b/0x11c0\n? _raw_spin_lock_irq+0x8e/0xf0\nworker_thread+0x544/0x1180\n? poll_idle+0x1e0/0x1e0\nkthread+0x285/0x320\n? process_one_work+0x11c0/0x11c0\n? kthread_complete_and_exit+0x30/0x30\nret_from_fork+0x22/0x30\n</TASK>\n\nAllocated by task 266:\nkasan_save_stack+0x26/0x50\n__kasan_kmalloc+0xae/0xe0\nkmem_cache_alloc_trace+0x191/0x350\nhci_cmd_sync_queue+0x97/0x2b0\nhci_update_passive_scan+0x176/0x1d0\nle_conn_complete_evt+0x1b5/0x1a00\nhci_le_conn_complete_evt+0x234/0x340\nhci_le_meta_evt+0x231/0x4e0\nhci_event_packet+0x4c5/0xf00\nhci_rx_work+0x37d/0x880\nprocess_one_work+0x77b/0x11c0\nworker_thread+0x544/0x1180\nkthread+0x285/0x320\nret_from_fork+0x22/0x30\n\nFreed by task 269:\nkasan_save_stack+0x26/0x50\nkasan_set_track+0x25/0x40\nkasan_set_free_info+0x24/0x40\n____kasan_slab_free+0x176/0x1c0\n__kasan_slab_free+0x12/0x20\nslab_free_freelist_hook+0x95/0x1a0\nkfree+0xba/0x2f0\nhci_cmd_sync_clear+0x14c/0x210\nhci_unregister_dev+0xff/0x440\nvhci_release+0x7b/0xf0\n__fput+0x1f3/0x970\n____fput+0xe/0x20\ntask_work_run+0xd4/0x160\ndo_exit+0x8b0/0x22a0\ndo_group_exit+0xba/0x2a0\nget_signal+0x1e4a/0x25b0\narch_do_signal_or_restart+0x93/0x1f80\nexit_to_user_mode_prepare+0xf5/0x1a0\nsyscall_exit_to_user_mode+0x26/0x50\nret_from_fork+0x15/0x30",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix race condition in amdtee_open_session\n\nThere is a potential race condition in amdtee_open_session that may\nlead to use-after-free. For instance, in amdtee_open_session() after\nsess->sess_mask is set, and before setting:\n\n    sess->session_info[i] = session_info;\n\nif amdtee_close_session() closes this same session, then 'sess' data\nstructure will be released, causing kernel panic when 'sess' is\naccessed within amdtee_open_session().\n\nThe solution is to set the bit sess->sess_mask as the last step in\namdtee_open_session().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix warning when handle discover_identity message\n\nSince both source and sink devices can send discover_identity message in\nPD3, kernel may dump below warning:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0\nModules linked in:\nCPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567\nHardware name: NXP i.MX8MPlus EVK board (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tcpm_queue_vdm+0xe0/0xf0\nlr : tcpm_queue_vdm+0x2c/0xf0\nsp : ffff80000c19bcd0\nx29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8\nx26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081\nx23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc\nx20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580\nx14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001\nx11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098\nx8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004\nCall trace:\ntcpm_queue_vdm+0xe0/0xf0\ntcpm_pd_rx_handler+0x340/0x1ab0\nkthread_worker_fn+0xcc/0x18c\nkthread+0x10c/0x110\nret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\n\nBelow sequences may trigger this warning:\n\ntcpm_send_discover_work(work)\n  tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);\n   tcpm_queue_vdm(port, header, data, count);\n    port->vdm_state = VDM_STATE_READY;\n\nvdm_state_machine_work(work);\n\t\t\t<-- received discover_identity from partner\n vdm_run_state_machine(port);\n  port->vdm_state = VDM_STATE_SEND_MESSAGE;\n   mod_vdm_delayed_work(port, x);\n\ntcpm_pd_rx_handler(work);\n tcpm_pd_data_request(port, msg);\n  tcpm_handle_vdm_request(port, msg->payload, cnt);\n   tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);\n--> WARN_ON(port->vdm_state > VDM_STATE_DONE);\n\nFor this case, the state machine could still send out discover\nidentity message later if we skip current discover_identity message.\nSo we should handle the received message first and override the pending\ndiscover_identity message without warning in this case. Then, a delayed\nsend_discover work will send discover_identity message again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ucsi: Fix NULL pointer deref in ucsi_connector_change()\n\nWhen ucsi_init() fails, ucsi->connector is NULL, yet in case of\nucsi_acpi we may still get events which cause the ucs_acpi code to call\nucsi_connector_change(), which then derefs the NULL ucsi->connector\npointer.\n\nFix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()\nhas succeeded, so that ucsi_connector_change() ignores the events\nbecause UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix memory leak in margining\n\nMemory for the usb4->margining needs to be released for the upstream port\nof the router as well, even though the debugfs directory gets released\nwith the router device removal. Fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm crypt: add cond_resched() to dmcrypt_write()\n\nThe loop in dmcrypt_write may be running for unbounded amount of time,\nthus we need cond_resched() in it.\n\nThis commit fixes the following warning:\n\n[ 3391.153255][   C12] watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [dmcrypt_write/2:2897]\n...\n[ 3391.387210][   C12] Call trace:\n[ 3391.390338][   C12]  blk_attempt_bio_merge.part.6+0x38/0x158\n[ 3391.395970][   C12]  blk_attempt_plug_merge+0xc0/0x1b0\n[ 3391.401085][   C12]  blk_mq_submit_bio+0x398/0x550\n[ 3391.405856][   C12]  submit_bio_noacct+0x308/0x380\n[ 3391.410630][   C12]  dmcrypt_write+0x1e4/0x208 [dm_crypt]\n[ 3391.416005][   C12]  kthread+0x130/0x138\n[ 3391.419911][   C12]  ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix use-after-free bug in refresh_cache_worker()\n\nThe UAF bug occurred because we were putting DFS root sessions in\ncifs_umount() while DFS cache refresher was being executed.\n\nMake DFS root sessions have same lifetime as DFS tcons so we can avoid\nthe use-after-free bug in DFS cache refresher and other places that\nrequire IPCs to get new DFS referrals on.  Also, get rid of mount\ngroup handling in DFS cache as we no longer need it.\n\nThis fixes below use-after-free bug caught by KASAN\n\n[ 379.946955] BUG: KASAN: use-after-free in __refresh_tcon.isra.0+0x10b/0xc10 [cifs]\n[ 379.947642] Read of size 8 at addr ffff888018f57030 by task kworker/u4:3/56\n[ 379.948096]\n[ 379.948208] CPU: 0 PID: 56 Comm: kworker/u4:3 Not tainted 6.2.0-rc7-lku #23\n[ 379.948661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.0-0-gd239552-rebuilt.opensuse.org 04/01/2014\n[ 379.949368] Workqueue: cifs-dfscache refresh_cache_worker [cifs]\n[ 379.949942] Call Trace:\n[ 379.950113] <TASK>\n[ 379.950260] dump_stack_lvl+0x50/0x67\n[ 379.950510] print_report+0x16a/0x48e\n[ 379.950759] ? __virt_addr_valid+0xd8/0x160\n[ 379.951040] ? __phys_addr+0x41/0x80\n[ 379.951285] kasan_report+0xdb/0x110\n[ 379.951533] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]\n[ 379.952056] ? __refresh_tcon.isra.0+0x10b/0xc10 [cifs]\n[ 379.952585] __refresh_tcon.isra.0+0x10b/0xc10 [cifs]\n[ 379.953096] ? __pfx___refresh_tcon.isra.0+0x10/0x10 [cifs]\n[ 379.953637] ? __pfx___mutex_lock+0x10/0x10\n[ 379.953915] ? lock_release+0xb6/0x720\n[ 379.954167] ? __pfx_lock_acquire+0x10/0x10\n[ 379.954443] ? refresh_cache_worker+0x34e/0x6d0 [cifs]\n[ 379.954960] ? __pfx_wb_workfn+0x10/0x10\n[ 379.955239] refresh_cache_worker+0x4ad/0x6d0 [cifs]\n[ 379.955755] ? __pfx_refresh_cache_worker+0x10/0x10 [cifs]\n[ 379.956323] ? __pfx_lock_acquired+0x10/0x10\n[ 379.956615] ? read_word_at_a_time+0xe/0x20\n[ 379.956898] ? lockdep_hardirqs_on_prepare+0x12/0x220\n[ 379.957235] process_one_work+0x535/0x990\n[ 379.957509] ? __pfx_process_one_work+0x10/0x10\n[ 379.957812] ? lock_acquired+0xb7/0x5f0\n[ 379.958069] ? __list_add_valid+0x37/0xd0\n[ 379.958341] ? __list_add_valid+0x37/0xd0\n[ 379.958611] worker_thread+0x8e/0x630\n[ 379.958861] ? __pfx_worker_thread+0x10/0x10\n[ 379.959148] kthread+0x17d/0x1b0\n[ 379.959369] ? __pfx_kthread+0x10/0x10\n[ 379.959630] ret_from_fork+0x2c/0x50\n[ 379.959879] </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: do not use skb_mac_header() in ndo_start_xmit()\n\nDrivers should not assume skb_mac_header(skb) == skb->data in their\nndo_start_xmit().\n\nUse skb_network_offset() and skb_transport_offset() which\nbetter describe what is needed in erspan_fb_xmit() and\nip6erspan_tunnel_xmit()\n\nsyzbot reported:\nWARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 skb_mac_header include/linux/skbuff.h:2873 [inline]\nWARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962\nModules linked in:\nCPU: 0 PID: 5083 Comm: syz-executor406 Not tainted 6.3.0-rc2-syzkaller-00866-gd4671cb96fa3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\nRIP: 0010:skb_mac_header include/linux/skbuff.h:2873 [inline]\nRIP: 0010:ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962\nCode: 04 02 41 01 de 84 c0 74 08 3c 03 0f 8e 1c 0a 00 00 45 89 b4 24 c8 00 00 00 c6 85 77 fe ff ff 01 e9 33 e7 ff ff e8 b4 27 a1 f8 <0f> 0b e9 b6 e7 ff ff e8 a8 27 a1 f8 49 8d bf f0 0c 00 00 48 b8 00\nRSP: 0018:ffffc90003b2f830 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000\nRDX: ffff888021273a80 RSI: ffffffff88e1bd4c RDI: 0000000000000003\nRBP: ffffc90003b2f9d8 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000000 R12: ffff88802b28da00\nR13: 00000000000000d0 R14: ffff88807e25b6d0 R15: ffff888023408000\nFS: 0000555556a61300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055e5b11eb6e8 CR3: 0000000027c1b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n__netdev_start_xmit include/linux/netdevice.h:4900 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4914 [inline]\n__dev_direct_xmit+0x504/0x730 net/core/dev.c:4300\ndev_direct_xmit include/linux/netdevice.h:3088 [inline]\npacket_xmit+0x20a/0x390 net/packet/af_packet.c:285\npacket_snd net/packet/af_packet.c:3075 [inline]\npacket_sendmsg+0x31a0/0x5150 net/packet/af_packet.c:3107\nsock_sendmsg_nosec net/socket.c:724 [inline]\nsock_sendmsg+0xde/0x190 net/socket.c:747\n__sys_sendto+0x23a/0x340 net/socket.c:2142\n__do_sys_sendto net/socket.c:2154 [inline]\n__se_sys_sendto net/socket.c:2150 [inline]\n__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f123aaa1039\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc15d12058 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f123aaa1039\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f123aa648c0\nR13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: fix a devres leak in hw_enable upon suspend resume\n\nEach time the platform goes to low power, PM suspend / resume routines\ncall: __dwc2_lowlevel_hw_enable -> devm_add_action_or_reset().\nThis adds a new devres each time.\nThis may also happen at runtime, as dwc2_lowlevel_hw_enable() can be\ncalled from udc_start().\n\nThis can be seen with tracing:\n- echo 1 > /sys/kernel/debug/tracing/events/dev/devres_log/enable\n- go to low power\n- cat /sys/kernel/debug/tracing/trace\n\nA new \"ADD\" entry is found upon each low power cycle:\n... devres_log: 49000000.usb-otg ADD 82a13bba devm_action_release (8 bytes)\n... devres_log: 49000000.usb-otg ADD 49889daf devm_action_release (8 bytes)\n...\n\nA second issue is addressed here:\n- regulator_bulk_enable() is called upon each PM cycle (suspend/resume).\n- regulator_bulk_disable() never gets called.\n\nSo the reference count for these regulators constantly increase, by one\nupon each low power cycle, due to missing regulator_bulk_disable() call\nin __dwc2_lowlevel_hw_disable().\n\nThe original fix that introduced the devm_add_action_or_reset() call,\nfixed an issue during probe, that happens due to other errors in\ndwc2_driver_probe() -> dwc2_core_reset(). Then the probe fails without\ndisabling regulators, when dr_mode == USB_DR_MODE_PERIPHERAL.\n\nRather fix the error path: disable all the low level hardware in the\nerror path, by using the \"hsotg->ll_hw_enabled\" flag. Checking dr_mode\nhas been introduced to avoid a dual call to dwc2_lowlevel_hw_disable().\n\"ll_hw_enabled\" should achieve the same (and is used currently in the\nremove() routine).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: destroy keyring after security_sb_delete()\n\nfscrypt_destroy_keyring() must be called after all potentially-encrypted\ninodes were evicted; otherwise it cannot safely destroy the keyring.\nSince inodes that are in-use by the Landlock LSM don't get evicted until\nsecurity_sb_delete(), this means that fscrypt_destroy_keyring() must be\ncalled *after* security_sb_delete().\n\nThis fixes a WARN_ON followed by a NULL dereference, only possible if\nLandlock was being used on encrypted files.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Synchronize the IOCB count to be in order\n\nA system hang was observed with the following call trace:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 15 PID: 86747 Comm: nvme Kdump: loaded Not tainted 6.2.0+ #1\nHardware name: Dell Inc. PowerEdge R6515/04F3CJ, BIOS 2.7.3 03/31/2022\nRIP: 0010:__wake_up_common+0x55/0x190\nCode: 41 f6 01 04 0f 85 b2 00 00 00 48 8b 43 08 4c 8d\n      40 e8 48 8d 43 08 48 89 04 24 48 89 c6\\\n      49 8d 40 18 48 39 c6 0f 84 e9 00 00 00 <49> 8b 40 18 89 6c 24 14 31\n      ed 4c 8d 60 e8 41 8b 18 f6 c3 04 75 5d\nRSP: 0018:ffffb05a82afbba0 EFLAGS: 00010082\nRAX: 0000000000000000 RBX: ffff8f9b83a00018 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8f9b83a00020 RDI: ffff8f9b83a00018\nRBP: 0000000000000001 R08: ffffffffffffffe8 R09: ffffb05a82afbbf8\nR10: 70735f7472617473 R11: 5f30307832616c71 R12: 0000000000000001\nR13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f815cf4c740(0000) GS:ffff8f9eeed80000(0000)\n\tknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 000000010633a000 CR4: 0000000000350ee0\nCall Trace:\n    <TASK>\n    __wake_up_common_lock+0x83/0xd0\n    qla_nvme_ls_req+0x21b/0x2b0 [qla2xxx]\n    __nvme_fc_send_ls_req+0x1b5/0x350 [nvme_fc]\n    nvme_fc_xmt_disconnect_assoc+0xca/0x110 [nvme_fc]\n    nvme_fc_delete_association+0x1bf/0x220 [nvme_fc]\n    ? nvme_remove_namespaces+0x9f/0x140 [nvme_core]\n    nvme_do_delete_ctrl+0x5b/0xa0 [nvme_core]\n    nvme_sysfs_delete+0x5f/0x70 [nvme_core]\n    kernfs_fop_write_iter+0x12b/0x1c0\n    vfs_write+0x2a3/0x3b0\n    ksys_write+0x5f/0xe0\n    do_syscall_64+0x5c/0x90\n    ? syscall_exit_work+0x103/0x130\n    ? syscall_exit_to_user_mode+0x12/0x30\n    ? do_syscall_64+0x69/0x90\n    ? exit_to_user_mode_loop+0xd0/0x130\n    ? exit_to_user_mode_prepare+0xec/0x100\n    ? syscall_exit_to_user_mode+0x12/0x30\n    ? do_syscall_64+0x69/0x90\n    ? syscall_exit_to_user_mode+0x12/0x30\n    ? do_syscall_64+0x69/0x90\n    entry_SYSCALL_64_after_hwframe+0x72/0xdc\n    RIP: 0033:0x7f815cd3eb97\n\nThe IOCB counts are out of order and that would block any commands from\ngoing out and subsequently hang the system. Synchronize the IOCB count to\nbe in correct order.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2.9"
        },
        {
          "id": "CVE-2023-53057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Fix global-out-of-bounds\n\nTo loop a variable-length array, hci_init_stage_sync(stage) considers\nthat stage[i] is valid as long as stage[i-1].func is valid.\nThus, the last element of stage[].func should be intentionally invalid\nas hci_init0[], le_init2[], and others did.\nHowever, amp_init1[] and amp_init2[] have no invalid element, letting\nhci_init_stage_sync() keep accessing amp_init1[] over its valid range.\nThis patch fixes this by adding {} in the last of amp_init1[] and\namp_init2[].\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in hci_dev_open_sync (\n/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n/v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nRead of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032\nCPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04\nWorkqueue: hci1 hci_power_on\nCall Trace:\n <TASK>\ndump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))\nprint_report (/v6.2-bzimage/mm/kasan/report.c:307\n  /v6.2-bzimage/mm/kasan/report.c:417)\n? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nkasan_report (/v6.2-bzimage/mm/kasan/report.c:184\n  /v6.2-bzimage/mm/kasan/report.c:519)\n? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nhci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\n? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)\n? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190\n  /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443\n  /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781\n  /v6.2-bzimage/kernel/locking/mutex.c:171\n  /v6.2-bzimage/kernel/locking/mutex.c:285)\n? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)\nhci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485\n  /v6.2-bzimage/net/bluetooth/hci_core.c:984)\n? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)\n? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)\n? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62\n  /v6.2-bzimage/lib/string.c:161)\nprocess_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)\nworker_thread (/v6.2-bzimage/./include/linux/list.h:292\n  /v6.2-bzimage/kernel/workqueue.c:2437)\n? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)\nkthread (/v6.2-bzimage/kernel/kthread.c:376)\n? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)\nret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)\n </TASK>\nThe buggy address belongs to the variable:\namp_init1+0x30/0x60\nThe buggy address belongs to the physical page:\npage:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00\n ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00\n>ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9\n                  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-Switch, Fix an Oops in error handling code\n\nThe error handling dereferences \"vport\".  There is nothing we can do if\nit is an error pointer except returning the error code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_chardev: fix kernel data leak from ioctl\n\nIt is possible to peep kernel page's data by providing larger `insize`\nin struct cros_ec_command[1] when invoking EC host commands.\n\nFix it by using zeroed memory.\n\n[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: revert rtnl_lock() that causes deadlock\n\nThe commit 6faee3d4ee8b (\"igb: Add lock to avoid data race\") adds\nrtnl_lock to eliminate a false data race shown below\n\n (FREE from device detaching)      |   (USE from netdev core)\nigb_remove                         |  igb_ndo_get_vf_config\n igb_disable_sriov                 |  vf >= adapter->vfs_allocated_count?\n  kfree(adapter->vf_data)          |\n  adapter->vfs_allocated_count = 0 |\n                                   |    memcpy(... adapter->vf_data[vf]\n\nThe above race will never happen and the extra rtnl_lock causes deadlock\nbelow\n\n[  141.420169]  <TASK>\n[  141.420672]  __schedule+0x2dd/0x840\n[  141.421427]  schedule+0x50/0xc0\n[  141.422041]  schedule_preempt_disabled+0x11/0x20\n[  141.422678]  __mutex_lock.isra.13+0x431/0x6b0\n[  141.423324]  unregister_netdev+0xe/0x20\n[  141.423578]  igbvf_remove+0x45/0xe0 [igbvf]\n[  141.423791]  pci_device_remove+0x36/0xb0\n[  141.423990]  device_release_driver_internal+0xc1/0x160\n[  141.424270]  pci_stop_bus_device+0x6d/0x90\n[  141.424507]  pci_stop_and_remove_bus_device+0xe/0x20\n[  141.424789]  pci_iov_remove_virtfn+0xba/0x120\n[  141.425452]  sriov_disable+0x2f/0xf0\n[  141.425679]  igb_disable_sriov+0x4e/0x100 [igb]\n[  141.426353]  igb_remove+0xa0/0x130 [igb]\n[  141.426599]  pci_device_remove+0x36/0xb0\n[  141.426796]  device_release_driver_internal+0xc1/0x160\n[  141.427060]  driver_detach+0x44/0x90\n[  141.427253]  bus_remove_driver+0x55/0xe0\n[  141.427477]  pci_unregister_driver+0x2a/0xa0\n[  141.428296]  __x64_sys_delete_module+0x141/0x2b0\n[  141.429126]  ? mntput_no_expire+0x4a/0x240\n[  141.429363]  ? syscall_trace_enter.isra.19+0x126/0x1a0\n[  141.429653]  do_syscall_64+0x5b/0x80\n[  141.429847]  ? exit_to_user_mode_prepare+0x14d/0x1c0\n[  141.430109]  ? syscall_exit_to_user_mode+0x12/0x30\n[  141.430849]  ? do_syscall_64+0x67/0x80\n[  141.431083]  ? syscall_exit_to_user_mode_prepare+0x183/0x1b0\n[  141.431770]  ? syscall_exit_to_user_mode+0x12/0x30\n[  141.432482]  ? do_syscall_64+0x67/0x80\n[  141.432714]  ? exc_page_fault+0x64/0x140\n[  141.432911]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nSince the igb_disable_sriov() will call pci_disable_sriov() before\nreleasing any resources, the netdev core will synchronize the cleanup to\navoid any races. This patch removes the useless rtnl_(un)lock to guarantee\ncorrectness.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix possible refcount leak in smb2_open()\n\nReference count of acls will leak when memory allocation fails. Fix this\nby adding the missing posix_acl_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc95xx: Limit packet length to skb->len\n\nPacket length retrieved from descriptor may be larger than\nthe actual socket buffer length. In such case the cloned\nskb passed up the network stack will leak kernel memory contents.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix hang on reboot with ice\n\nWhen a system with E810 with existing VFs gets rebooted the following\nhang may be observed.\n\n Pid 1 is hung in iavf_remove(), part of a network driver:\n PID: 1        TASK: ffff965400e5a340  CPU: 24   COMMAND: \"systemd-shutdow\"\n  #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb\n  #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d\n  #2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc\n  #3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930\n  #4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf]\n  #5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513\n  #6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa\n  #7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc\n  #8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e\n  #9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429\n #10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4\n #11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice]\n #12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice]\n #13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice]\n #14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1\n #15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386\n #16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870\n #17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6\n #18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159\n #19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc\n #20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d\n #21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169\n #22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b\n     RIP: 00007f1baa5c13d7  RSP: 00007fffbcc55a98  RFLAGS: 00000202\n     RAX: ffffffffffffffda  RBX: 0000000000000000  RCX: 00007f1baa5c13d7\n     RDX: 0000000001234567  RSI: 0000000028121969  RDI: 00000000fee1dead\n     RBP: 00007fffbcc55ca0   R8: 0000000000000000   R9: 00007fffbcc54e90\n     R10: 00007fffbcc55050  R11: 0000000000000202  R12: 0000000000000005\n     R13: 0000000000000000  R14: 00007fffbcc55af0  R15: 0000000000000000\n     ORIG_RAX: 00000000000000a9  CS: 0033  SS: 002b\n\nDuring reboot all drivers PM shutdown callbacks are invoked.\nIn iavf_shutdown() the adapter state is changed to __IAVF_REMOVE.\nIn ice_shutdown() the call chain above is executed, which at some point\ncalls iavf_remove(). However iavf_remove() expects the VF to be in one\nof the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If\nthat's not the case it sleeps forever.\nSo if iavf_shutdown() gets invoked before iavf_remove() the system will\nhang indefinitely because the adapter is already in state __IAVF_REMOVE.\n\nFix this by returning from iavf_remove() if the state is __IAVF_REMOVE,\nas we already went through iavf_shutdown().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output\n\nsyzkaller reportes a KASAN issue with stack-out-of-bounds.\nThe call trace is as follows:\n  dump_stack+0x9c/0xd3\n  print_address_description.constprop.0+0x19/0x170\n  __kasan_report.cold+0x6c/0x84\n  kasan_report+0x3a/0x50\n  __perf_event_header__init_id+0x34/0x290\n  perf_event_header__init_id+0x48/0x60\n  perf_output_begin+0x4a4/0x560\n  perf_event_bpf_output+0x161/0x1e0\n  perf_iterate_sb_cpu+0x29e/0x340\n  perf_iterate_sb+0x4c/0xc0\n  perf_event_bpf_event+0x194/0x2c0\n  __bpf_prog_put.constprop.0+0x55/0xf0\n  __cls_bpf_delete_prog+0xea/0x120 [cls_bpf]\n  cls_bpf_delete_prog_work+0x1c/0x30 [cls_bpf]\n  process_one_work+0x3c2/0x730\n  worker_thread+0x93/0x650\n  kthread+0x1b8/0x210\n  ret_from_fork+0x1f/0x30\n\ncommit 267fb27352b6 (\"perf: Reduce stack usage of perf_output_begin()\")\nuse on-stack struct perf_sample_data of the caller function.\n\nHowever, perf_event_bpf_output uses incorrect parameter to convert\nsmall-sized data (struct perf_bpf_event) into large-sized data\n(struct perf_sample_data), which causes memory overwriting occurs in\n__perf_event_header__init_id.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info\n\nWe have to make sure that the info returned by the helper is valid\nbefore using it.\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE\nstatic analysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Only call get_timer_irq() once in constant_clockevent_init()\n\nUnder CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_DEBUG_PREEMPT=y, we can see\nthe following messages on LoongArch, this is because using might_sleep()\nin preemption disable context.\n\n[    0.001127] smp: Bringing up secondary CPUs ...\n[    0.001222] Booting CPU#1...\n[    0.001244] 64-bit Loongson Processor probed (LA464 Core)\n[    0.001247] CPU1 revision is: 0014c012 (Loongson-64bit)\n[    0.001250] FPU1 revision is: 00000000\n[    0.001252] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283\n[    0.001255] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1\n[    0.001257] preempt_count: 1, expected: 0\n[    0.001258] RCU nest depth: 0, expected: 0\n[    0.001259] Preemption disabled at:\n[    0.001261] [<9000000000223800>] arch_dup_task_struct+0x20/0x110\n[    0.001272] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc7+ #43\n[    0.001275] Hardware name: Loongson Loongson-3A5000-7A1000-1w-A2101/Loongson-LS3A5000-7A1000-1w-A2101, BIOS vUDK2018-LoongArch-V4.0.05132-beta10 12/13/202\n[    0.001277] Stack : 0072617764726148 0000000000000000 9000000000222f1c 90000001001e0000\n[    0.001286]         90000001001e3be0 90000001001e3be8 0000000000000000 0000000000000000\n[    0.001292]         90000001001e3be8 0000000000000040 90000001001e3cb8 90000001001e3a50\n[    0.001297]         9000000001642000 90000001001e3be8 be694d10ce4139dd 9000000100174500\n[    0.001303]         0000000000000001 0000000000000001 00000000ffffe0a2 0000000000000020\n[    0.001309]         000000000000002f 9000000001354116 00000000056b0000 ffffffffffffffff\n[    0.001314]         0000000000000000 0000000000000000 90000000014f6e90 9000000001642000\n[    0.001320]         900000000022b69c 0000000000000001 0000000000000000 9000000001736a90\n[    0.001325]         9000000100038000 0000000000000000 9000000000222f34 0000000000000000\n[    0.001331]         00000000000000b0 0000000000000004 0000000000000000 0000000000070000\n[    0.001337]         ...\n[    0.001339] Call Trace:\n[    0.001342] [<9000000000222f34>] show_stack+0x5c/0x180\n[    0.001346] [<90000000010bdd80>] dump_stack_lvl+0x60/0x88\n[    0.001352] [<9000000000266418>] __might_resched+0x180/0x1cc\n[    0.001356] [<90000000010c742c>] mutex_lock+0x20/0x64\n[    0.001359] [<90000000002a8ccc>] irq_find_matching_fwspec+0x48/0x124\n[    0.001364] [<90000000002259c4>] constant_clockevent_init+0x68/0x204\n[    0.001368] [<900000000022acf4>] start_secondary+0x40/0xa8\n[    0.001371] [<90000000010c0124>] smpboot_entry+0x60/0x64\n\nHere are the complete call chains:\n\nsmpboot_entry()\n  start_secondary()\n    constant_clockevent_init()\n      get_timer_irq()\n        irq_find_matching_fwnode()\n          irq_find_matching_fwspec()\n            mutex_lock()\n              might_sleep()\n                __might_sleep()\n                  __might_resched()\n\nIn order to avoid the above issue, we should break the call chains,\nusing timer_irq_installed variable as check condition to only call\nget_timer_irq() once in constant_clockevent_init() is a simple and\nproper way.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Limit packet length to skb->len\n\nPacket length retrieved from descriptor may be larger than\nthe actual socket buffer length. In such case the cloned\nskb passed up the network stack will leak kernel memory contents.\n\nAdditionally prevent integer underflow when size is less than\nETH_FCS_LEN.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-vf: Add missing free for alloc_percpu\n\nAdd the free_percpu for the allocated \"vf->hw.lmt_info\" in order to avoid\nmemory leak, same as the \"pf->hw.lmt_info\" in\n`drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PPTT: Fix to avoid sleep in the atomic context when PPTT is absent\n\nCommit 0c80f9e165f8 (\"ACPI: PPTT: Leave the table mapped for the runtime usage\")\nenabled to map PPTT once on the first invocation of acpi_get_pptt() and\nnever unmapped the same allowing it to be used at runtime with out the\nhassle of mapping and unmapping the table. This was needed to fetch LLC\ninformation from the PPTT in the cpuhotplug path which is executed in\nthe atomic context as the acpi_get_table() might sleep waiting for a\nmutex.\n\nHowever it missed to handle the case when there is no PPTT on the system\nwhich results in acpi_get_pptt() being called from all the secondary\nCPUs attempting to fetch the LLC information in the atomic context\nwithout knowing the absence of PPTT resulting in the splat like below:\n\n | BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:164\n | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1\n | preempt_count: 1, expected: 0\n | RCU nest depth: 0, expected: 0\n | no locks held by swapper/1/0.\n | irq event stamp: 0\n | hardirqs last  enabled at (0): 0x0\n | hardirqs last disabled at (0): copy_process+0x61c/0x1b40\n | softirqs last  enabled at (0): copy_process+0x61c/0x1b40\n | softirqs last disabled at (0): 0x0\n | CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.3.0-rc1 #1\n | Call trace:\n |  dump_backtrace+0xac/0x138\n |  show_stack+0x30/0x48\n |  dump_stack_lvl+0x60/0xb0\n |  dump_stack+0x18/0x28\n |  __might_resched+0x160/0x270\n |  __might_sleep+0x58/0xb0\n |  down_timeout+0x34/0x98\n |  acpi_os_wait_semaphore+0x7c/0xc0\n |  acpi_ut_acquire_mutex+0x58/0x108\n |  acpi_get_table+0x40/0xe8\n |  acpi_get_pptt+0x48/0xa0\n |  acpi_get_cache_info+0x38/0x140\n |  init_cache_level+0xf4/0x118\n |  detect_cache_attributes+0x2e4/0x640\n |  update_siblings_masks+0x3c/0x330\n |  store_cpu_topology+0x88/0xf0\n |  secondary_start_kernel+0xd0/0x168\n |  __secondary_switched+0xb8/0xc0\n\nUpdate acpi_get_pptt() to consider the fact that PPTT is once checked and\nis not available on the system and return NULL avoiding any attempts to\nfetch PPTT and thereby avoiding any possible sleep waiting for a mutex\nin the atomic context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: do not run mt76_unregister_device() on unregistered hw\n\nTrying to probe a mt7921e pci card without firmware results in a\nsuccessful probe where ieee80211_register_hw hasn't been called. When\nremoving the driver, ieee802111_unregister_hw is called unconditionally\nleading to a kernel NULL pointer dereference.\nFix the issue running mt76_unregister_device routine just for registered\nhw.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use the workqueue to destroy unaccepted sockets\n\nChristoph reported a UaF at token lookup time after having\nrefactored the passive socket initialization part:\n\n  BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260\n  Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198\n\n  CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   __token_bucket_busy+0x253/0x260\n   mptcp_token_new_connect+0x13d/0x490\n   mptcp_connect+0x4ed/0x860\n   __inet_stream_connect+0x80e/0xd90\n   tcp_sendmsg_fastopen+0x3ce/0x710\n   mptcp_sendmsg+0xff1/0x1a20\n   inet_sendmsg+0x11d/0x140\n   __sys_sendto+0x405/0x490\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nWe need to properly clean-up all the paired MPTCP-level\nresources and be sure to release the msk last, even when\nthe unaccepted subflow is destroyed by the TCP internals\nvia inet_child_forget().\n\nWe can re-use the existing MPTCP_WORK_CLOSE_SUBFLOW infra,\nexplicitly checking that for the critical scenario: the\nclosed subflow is the MPC one, the msk is not accepted and\neventually going through full cleanup.\n\nWith such change, __mptcp_destroy_sock() is always called\non msk sockets, even on accepted ones. We don't need anymore\nto transiently drop one sk reference at msk clone time.\n\nPlease note this commit depends on the parent one:\n\n  mptcp: refactor passive socket initialization",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd/core: Always clear status for idx\n\nThe variable 'status' (which contains the unhandled overflow bits) is\nnot being properly masked in some cases, displaying the following\nwarning:\n\n  WARNING: CPU: 156 PID: 475601 at arch/x86/events/amd/core.c:972 amd_pmu_v2_handle_irq+0x216/0x270\n\nThis seems to be happening because the loop is being continued before\nthe status bit being unset, in case x86_perf_event_set_period()\nreturns 0. This is also causing an inconsistency because the \"handled\"\ncounter is incremented, but the status bit is not cleaned.\n\nMove the bit cleaning together above, together when the \"handled\"\ncounter is incremented.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini\n\nThe call trace occurs when the amdgpu is removed after\nthe mode1 reset. During mode1 reset, from suspend to resume,\nthere is no need to reinitialize the ta firmware buffer\nwhich caused the bo pin_count increase redundantly.\n\n[  489.885525] Call Trace:\n[  489.885525]  <TASK>\n[  489.885526]  amdttm_bo_put+0x34/0x50 [amdttm]\n[  489.885529]  amdgpu_bo_free_kernel+0xe8/0x130 [amdgpu]\n[  489.885620]  psp_free_shared_bufs+0xb7/0x150 [amdgpu]\n[  489.885720]  psp_hw_fini+0xce/0x170 [amdgpu]\n[  489.885815]  amdgpu_device_fini_hw+0x2ff/0x413 [amdgpu]\n[  489.885960]  ? blocking_notifier_chain_unregister+0x56/0xb0\n[  489.885962]  amdgpu_driver_unload_kms+0x51/0x60 [amdgpu]\n[  489.886049]  amdgpu_pci_remove+0x5a/0x140 [amdgpu]\n[  489.886132]  ? __pm_runtime_resume+0x60/0x90\n[  489.886134]  pci_device_remove+0x3e/0xb0\n[  489.886135]  __device_release_driver+0x1ab/0x2a0\n[  489.886137]  driver_detach+0xf3/0x140\n[  489.886138]  bus_remove_driver+0x6c/0xf0\n[  489.886140]  driver_unregister+0x31/0x60\n[  489.886141]  pci_unregister_driver+0x40/0x90\n[  489.886142]  amdgpu_exit+0x15/0x451 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix invalid address access in lookup_rec() when index is 0\n\nKASAN reported follow problem:\n\n BUG: KASAN: use-after-free in lookup_rec\n Read of size 8 at addr ffff000199270ff0 by task modprobe\n CPU: 2 Comm: modprobe\n Call trace:\n  kasan_report\n  __asan_load8\n  lookup_rec\n  ftrace_location\n  arch_check_ftrace_location\n  check_kprobe_address_safe\n  register_kprobe\n\nWhen checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a\npg which is newly added to ftrace_pages_start in ftrace_process_locs().\nBefore the first pg->index++, index is 0 and accessing pg->records[-1].ip\nwill cause this problem.\n\nDon't check the ip when pg->index is 0.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes\n\n[WHY]\nWhen PTEBufferSizeInRequests is zero, UBSAN reports the following\nwarning because dml_log2 returns an unexpected negative value:\n\n  shift exponent 4294966273 is too large for 32-bit type 'int'\n\n[HOW]\n\nIn the case PTEBufferSizeInRequests is zero, skip the dml_log2() and\nassign the result directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()\n\nIf alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not\nfreed, which will cause following memleak:\n\nunreferenced object 0xffff88810b2c6980 (size 32):\n  comm \"kworker/u16:2\", pid 635322, jiffies 4355801099 (age 1216426.076s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff  @9$.............\n  backtrace:\n    [<0000000098f3a26d>] alua_activate+0xb0/0x320\n    [<000000003b529641>] scsi_dh_activate+0xb2/0x140\n    [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath]\n    [<000000007adc9ace>] process_one_work+0x3c5/0x730\n    [<00000000c457a985>] worker_thread+0x93/0x650\n    [<00000000cb80e628>] kthread+0x1ba/0x210\n    [<00000000a1e61077>] ret_from_fork+0x22/0x30\n\nFix the problem by freeing 'qdata' in error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix steering rules cleanup\n\nvport's mc, uc and multicast rules are not deleted in teardown path when\nEEH happens. Since the vport's promisc settings(uc, mc and all) in\nfirmware are reset after EEH, mlx5 driver will try to delete the above\nrules in the initialization path. This cause kernel crash because these\nsoftware rules are no longer valid.\n\nFix by nullifying these rules right after delete to avoid accessing any dangling\npointers.\n\nCall Trace:\n__list_del_entry_valid+0xcc/0x100 (unreliable)\ntree_put_node+0xf4/0x1b0 [mlx5_core]\ntree_remove_node+0x30/0x70 [mlx5_core]\nmlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core]\nesw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core]\nesw_update_vport_rx_mode+0xb4/0x180 [mlx5_core]\nesw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core]\nesw_enable_vport+0x130/0x260 [mlx5_core]\nmlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core]\nmlx5_device_enable_sriov+0x74/0x440 [mlx5_core]\nmlx5_load_one+0x114c/0x1550 [mlx5_core]\nmlx5_pci_resume+0x68/0xf0 [mlx5_core]\neeh_report_resume+0x1a4/0x230\neeh_pe_dev_traverse+0x98/0x170\neeh_handle_normal_event+0x3e4/0x640\neeh_handle_event+0x4c/0x370\neeh_event_handler+0x14c/0x210\nkthread+0x168/0x1b0\nret_from_kernel_thread+0x5c/0x84",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Add missing overflow check in xdp_umem_reg\n\nThe number of chunks can overflow u32. Make sure to return -EINVAL on\noverflow. Also remove a redundant u32 cast assigning umem->npgs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix data corruption after failed write\n\nWhen buffered write fails to copy data into underlying page cache page,\nocfs2_write_end_nolock() just zeroes out and dirties the page.  This can\nleave dirty page beyond EOF and if page writeback tries to write this page\nbefore write succeeds and expands i_size, page gets into inconsistent\nstate where page dirty bit is clear but buffer dirty bits stay set\nresulting in page data never getting written and so data copied to the\npage is lost.  Fix the problem by invalidating page beyond EOF after\nfailed write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvp_vdpa: fix the crash in hot unplug with vp_vdpa\n\nWhile unplugging the vp_vdpa device, it triggers a kernel panic\nThe root cause is: vdpa_mgmtdev_unregister() will accesses modern\ndevices which will cause a use after free.\nSo need to change the sequence in vp_vdpa_remove\n\n[  195.003359] BUG: unable to handle page fault for address: ff4e8beb80199014\n[  195.004012] #PF: supervisor read access in kernel mode\n[  195.004486] #PF: error_code(0x0000) - not-present page\n[  195.004960] PGD 100000067 P4D 1001b6067 PUD 1001b7067 PMD 1001b8067 PTE 0\n[  195.005578] Oops: 0000 1 PREEMPT SMP PTI\n[  195.005968] CPU: 13 PID: 164 Comm: kworker/u56:10 Kdump: loaded Not tainted 5.14.0-252.el9.x86_64 #1\n[  195.006792] Hardware name: Red Hat KVM/RHEL, BIOS edk2-20221207gitfff6d81270b5-2.el9 unknown\n[  195.007556] Workqueue: kacpi_hotplug acpi_hotplug_work_fn\n[  195.008059] RIP: 0010:ioread8+0x31/0x80\n[  195.008418] Code: 77 28 48 81 ff 00 00 01 00 76 0b 89 fa ec 0f b6 c0 c3 cc cc cc cc 8b 15 ad 72 93 01 b8 ff 00 00 00 85 d2 75 0f c3 cc cc cc cc <8a> 07 0f b6 c0 c3 cc cc cc cc 83 ea 01 48 83 ec 08 48 89 fe 48 c7\n[  195.010104] RSP: 0018:ff4e8beb8067bab8 EFLAGS: 00010292\n[  195.010584] RAX: ffffffffc05834a0 RBX: ffffffffc05843c0 RCX: ff4e8beb8067bae0\n[  195.011233] RDX: ff1bcbd580f88000 RSI: 0000000000000246 RDI: ff4e8beb80199014\n[  195.011881] RBP: ff1bcbd587e39000 R08: ffffffff916fa2d0 R09: ff4e8beb8067ba68\n[  195.012527] R10: 000000000000001c R11: 0000000000000000 R12: ff1bcbd5a3de9120\n[  195.013179] R13: ffffffffc062d000 R14: 0000000000000080 R15: ff1bcbe402bc7805\n[  195.013826] FS:  0000000000000000(0000) GS:ff1bcbe402740000(0000) knlGS:0000000000000000\n[  195.014564] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  195.015093] CR2: ff4e8beb80199014 CR3: 0000000107dea002 CR4: 0000000000771ee0\n[  195.015741] PKRU: 55555554\n[  195.016001] Call Trace:\n[  195.016233]  <TASK>\n[  195.016434]  vp_modern_get_status+0x12/0x20\n[  195.016823]  vp_vdpa_reset+0x1b/0x50 [vp_vdpa]\n[  195.017238]  virtio_vdpa_reset+0x3c/0x48 [virtio_vdpa]\n[  195.017709]  remove_vq_common+0x1f/0x3a0 [virtio_net]\n[  195.018178]  virtnet_remove+0x5d/0x70 [virtio_net]\n[  195.018618]  virtio_dev_remove+0x3d/0x90\n[  195.018986]  device_release_driver_internal+0x1aa/0x230\n[  195.019466]  bus_remove_device+0xd8/0x150\n[  195.019841]  device_del+0x18b/0x3f0\n[  195.020167]  ? kernfs_find_ns+0x35/0xd0\n[  195.020526]  device_unregister+0x13/0x60\n[  195.020894]  unregister_virtio_device+0x11/0x20\n[  195.021311]  device_release_driver_internal+0x1aa/0x230\n[  195.021790]  bus_remove_device+0xd8/0x150\n[  195.022162]  device_del+0x18b/0x3f0\n[  195.022487]  device_unregister+0x13/0x60\n[  195.022852]  ? vdpa_dev_remove+0x30/0x30 [vdpa]\n[  195.023270]  vp_vdpa_dev_del+0x12/0x20 [vp_vdpa]\n[  195.023694]  vdpa_match_remove+0x2b/0x40 [vdpa]\n[  195.024115]  bus_for_each_dev+0x78/0xc0\n[  195.024471]  vdpa_mgmtdev_unregister+0x65/0x80 [vdpa]\n[  195.024937]  vp_vdpa_remove+0x23/0x40 [vp_vdpa]\n[  195.025353]  pci_device_remove+0x36/0xa0\n[  195.025719]  device_release_driver_internal+0x1aa/0x230\n[  195.026201]  pci_stop_bus_device+0x6c/0x90\n[  195.026580]  pci_stop_and_remove_bus_device+0xe/0x20\n[  195.027039]  disable_slot+0x49/0x90\n[  195.027366]  acpiphp_disable_and_eject_slot+0x15/0x90\n[  195.027832]  hotplug_event+0xea/0x210\n[  195.028171]  ? hotplug_event+0x210/0x210\n[  195.028535]  acpiphp_hotplug_notify+0x22/0x80\n[  195.028942]  ? hotplug_event+0x210/0x210\n[  195.029303]  acpi_device_hotplug+0x8a/0x1d0\n[  195.029690]  acpi_hotplug_work_fn+0x1a/0x30\n[  195.030077]  process_one_work+0x1e8/0x3c0\n[  195.030451]  worker_thread+0x50/0x3b0\n[  195.030791]  ? rescuer_thread+0x3a0/0x3a0\n[  195.031165]  kthread+0xd9/0x100\n[  195.031459]  ? kthread_complete_and_exit+0x20/0x20\n[  195.031899]  ret_from_fork+0x22/0x30\n[  195.032233]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't replace page in rq_pages if it's a continuation of last page\n\nThe splice read calls nfsd_splice_actor to put the pages containing file\ndata into the svc_rqst->rq_pages array. It's possible however to get a\nsplice result that only has a partial page at the end, if (e.g.) the\nfilesystem hands back a short read that doesn't cover the whole page.\n\nnfsd_splice_actor will plop the partial page into its rq_pages array and\nreturn. Then later, when nfsd_splice_actor is called again, the\nremainder of the page may end up being filled out. At this point,\nnfsd_splice_actor will put the page into the array _again_ corrupting\nthe reply. If this is done enough times, rq_next_page will overrun the\narray and corrupt the trailing fields -- the rq_respages and\nrq_next_page pointers themselves.\n\nIf we've already added the page to the array in the last pass, don't add\nit to the array a second time when dealing with a splice continuation.\nThis was originally handled properly in nfsd_splice_actor, but commit\n91e23b1c3982 (\"NFSD: Clean up nfsd_splice_actor()\") removed the check\nfor it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Remove another errant put in error path\n\ndrm_gem_shmem_mmap() doesn't own reference in error code path, resulting\nin the dma-buf shmem GEM object getting prematurely freed leading to a\nlater use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/edid: fix info leak when failing to get panel id\n\nMake sure to clear the transfer buffer before fetching the EDID to\navoid leaking slab data to the logs on errors that leave the buffer\nunchanged.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: connac: do not check WED status for non-mmio devices\n\nWED is supported just for mmio devices, so do not check it for usb or\nsdio devices. This patch fixes the crash reported below:\n\n[   21.946627] wlp0s3u1i3: authenticate with c4:41:1e:f5:2b:1d\n[   22.525298] wlp0s3u1i3: send auth to c4:41:1e:f5:2b:1d (try 1/3)\n[   22.548274] wlp0s3u1i3: authenticate with c4:41:1e:f5:2b:1d\n[   22.557694] wlp0s3u1i3: send auth to c4:41:1e:f5:2b:1d (try 1/3)\n[   22.565885] wlp0s3u1i3: authenticated\n[   22.569502] wlp0s3u1i3: associate with c4:41:1e:f5:2b:1d (try 1/3)\n[   22.578966] wlp0s3u1i3: RX AssocResp from c4:41:1e:f5:2b:1d (capab=0x11 status=30 aid=3)\n[   22.579113] wlp0s3u1i3: c4:41:1e:f5:2b:1d rejected association temporarily; comeback duration 1000 TU (1024 ms)\n[   23.649518] wlp0s3u1i3: associate with c4:41:1e:f5:2b:1d (try 2/3)\n[   23.752528] wlp0s3u1i3: RX AssocResp from c4:41:1e:f5:2b:1d (capab=0x11 status=0 aid=3)\n[   23.797450] wlp0s3u1i3: associated\n[   24.959527] kernel tried to execute NX-protected page - exploit attempt? 
(uid: 0)\n[   24.959640] BUG: unable to handle page fault for address: ffff88800c223200\n[   24.959706] #PF: supervisor instruction fetch in kernel mode\n[   24.959788] #PF: error_code(0x0011) - permissions violation\n[   24.959846] PGD 2c01067 P4D 2c01067 PUD 2c02067 PMD c2a8063 PTE 800000000c223163\n[   24.959957] Oops: 0011 [#1] PREEMPT SMP\n[   24.960009] CPU: 0 PID: 391 Comm: wpa_supplicant Not tainted 6.2.0-kvm #18\n[   24.960089] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014\n[   24.960191] RIP: 0010:0xffff88800c223200\n[   24.960446] RSP: 0018:ffffc90000ff7698 EFLAGS: 00010282\n[   24.960513] RAX: ffff888028397010 RBX: ffff88800c26e630 RCX: 0000000000000058\n[   24.960598] RDX: ffff88800c26f844 RSI: 0000000000000006 RDI: ffff888028397010\n[   24.960682] RBP: ffff88800ea72f00 R08: 18b873fbab2b964c R09: be06b38235f3c63c\n[   24.960766] R10: 18b873fbab2b964c R11: be06b38235f3c63c R12: 0000000000000001\n[   24.960853] R13: ffff88800c26f84c R14: ffff8880063f0ff8 R15: ffff88800c26e644\n[   24.960950] FS:  00007effcea327c0(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n[   24.961036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   24.961106] CR2: ffff88800c223200 CR3: 000000000eaa2000 CR4: 00000000000006b0\n[   24.961190] Call Trace:\n[   24.961219]  <TASK>\n[   24.961245]  ? mt76_connac_mcu_add_key+0x2cf/0x310\n[   24.961313]  ? mt7921_set_key+0x150/0x200\n[   24.961365]  ? drv_set_key+0xa9/0x1b0\n[   24.961418]  ? ieee80211_key_enable_hw_accel+0xd9/0x240\n[   24.961485]  ? ieee80211_key_replace+0x3f3/0x730\n[   24.961541]  ? crypto_shash_setkey+0x89/0xd0\n[   24.961597]  ? ieee80211_key_link+0x2d7/0x3a0\n[   24.961664]  ? crypto_aead_setauthsize+0x31/0x50\n[   24.961730]  ? sta_info_hash_lookup+0xa6/0xf0\n[   24.961785]  ? ieee80211_add_key+0x1fc/0x250\n[   24.961842]  ? rdev_add_key+0x41/0x140\n[   24.961882]  ? nl80211_parse_key+0x6c/0x2f0\n[   24.961940]  ? nl80211_new_key+0x24a/0x290\n[   24.961984]  ? 
genl_rcv_msg+0x36c/0x3a0\n[   24.962036]  ? rdev_mod_link_station+0xe0/0xe0\n[   24.962102]  ? nl80211_set_key+0x410/0x410\n[   24.962143]  ? nl80211_pre_doit+0x200/0x200\n[   24.962187]  ? genl_bind+0xc0/0xc0\n[   24.962217]  ? netlink_rcv_skb+0xaa/0xd0\n[   24.962259]  ? genl_rcv+0x24/0x40\n[   24.962300]  ? netlink_unicast+0x224/0x2f0\n[   24.962345]  ? netlink_sendmsg+0x30b/0x3d0\n[   24.962388]  ? ____sys_sendmsg+0x109/0x1b0\n[   24.962388]  ? ____sys_sendmsg+0x109/0x1b0\n[   24.962440]  ? __import_iovec+0x2e/0x110\n[   24.962482]  ? ___sys_sendmsg+0xbe/0xe0\n[   24.962525]  ? mod_objcg_state+0x25c/0x330\n[   24.962576]  ? __dentry_kill+0x19e/0x1d0\n[   24.962618]  ? call_rcu+0x18f/0x270\n[   24.962660]  ? __dentry_kill+0x19e/0x1d0\n[   24.962702]  ? __x64_sys_sendmsg+0x70/0x90\n[   24.962744]  ? do_syscall_64+0x3d/0x80\n[   24.962796]  ? exit_to_user_mode_prepare+0x1b/0x70\n[   24.962852]  ? entry_SYSCA\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/active: Fix misuse of non-idle barriers as fence trackers\n\nUsers reported oopses on list corruptions when using i915 perf with a\nnumber of concurrently running graphics applications.  Root cause analysis\npointed at an issue in barrier processing code -- a race among perf open /\nclose replacing active barriers with perf requests on kernel context and\nconcurrent barrier preallocate / acquire operations performed during user\ncontext first pin / last unpin.\n\nWhen adding a request to a composite tracker, we try to reuse an existing\nfence tracker, already allocated and registered with that composite.  The\ntracker we obtain may already track another fence, may be an idle barrier,\nor an active barrier.\n\nIf the tracker we get occurs a non-idle barrier then we try to delete that\nbarrier from a list of barrier tasks it belongs to.  However, while doing\nthat we don't respect return value from a function that performs the\nbarrier deletion.  Should the deletion ever fail, we would end up reusing\nthe tracker still registered as a barrier task.  Since the same structure\nfield is reused with both fence callback lists and barrier tasks list,\nlist corruptions would likely occur.\n\nBarriers are now deleted from a barrier tasks list by temporarily removing\nthe list content, traversing that content with skip over the node to be\ndeleted, then populating the list back with the modified content.  Should\nthat intentionally racy concurrent deletion attempts be not serialized,\none or more of those may fail because of the list being temporary empty.\n\nRelated code that ignores the results of barrier deletion was initially\nintroduced in v5.4 by commit d8af05ff38ae (\"drm/i915: Allow sharing the\nidle-barrier from other kernel requests\").  
However, all users of the\nbarrier deletion routine were apparently serialized at that time, then the\nissue didn't exhibit itself.  Results of git bisect with help of a newly\ndeveloped igt@gem_barrier_race@remote-request IGT test indicate that list\ncorruptions might start to appear after commit 311770173fac (\"drm/i915/gt:\nSchedule request retirement when timeline idles\"), introduced in v5.5.\n\nRespect results of barrier deletion attempts -- mark the barrier as idle\nonly if successfully deleted from the list.  Then, before proceeding with\nsetting our fence as the one currently tracked, make sure that the tracker\nwe've got is not a non-idle barrier.  If that check fails then don't use\nthat tracker but go back and try to acquire a new, usable one.\n\nv3: use unlikely() to document what outcome we expect (Andi),\n  - fix bad grammar in commit description.\nv2: no code changes,\n  - blame commit 311770173fac (\"drm/i915/gt: Schedule request retirement\n    when timeline idles\"), v5.5, not commit d8af05ff38ae (\"drm/i915: Allow\n    sharing the idle-barrier from other kernel requests\"), v5.4,\n  - reword commit description.\n\n(cherry picked from commit 506006055769b10d1b2b4e22f636f3b45e0e9fc7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix UaF in listener shutdown\n\nAs reported by Christoph after having refactored the passive\nsocket initialization, the mptcp listener shutdown path is prone\nto an UaF issue.\n\n  BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0\n  Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266\n\n  CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   kasan_check_range+0x14a/0x1a0\n   _raw_spin_lock_bh+0x73/0xe0\n   subflow_error_report+0x6d/0x110\n   sk_error_report+0x3b/0x190\n   tcp_disconnect+0x138c/0x1aa0\n   inet_child_forget+0x6f/0x2e0\n   inet_csk_listen_stop+0x209/0x1060\n   __mptcp_close_ssk+0x52d/0x610\n   mptcp_destroy_common+0x165/0x640\n   mptcp_destroy+0x13/0x80\n   __mptcp_destroy_sock+0xe7/0x270\n   __mptcp_close+0x70e/0x9b0\n   mptcp_close+0x2b/0x150\n   inet_release+0xe9/0x1f0\n   __sock_release+0xd2/0x280\n   sock_close+0x15/0x20\n   __fput+0x252/0xa20\n   task_work_run+0x169/0x250\n   exit_to_user_mode_prepare+0x113/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe msk grace period can legitly expire in between the last\nreference count dropped in mptcp_subflow_queue_clean() and\nthe later eventual access in inet_csk_listen_stop()\n\nAfter the previous patch we don't need anymore special-casing\nmsk listener socket cleanup: the mptcp worker will process each\nof the unaccepted msk sockets.\n\nJust drop the now unnecessary code.\n\nPlease note this commit depends on the two parent ones:\n\n  mptcp: refactor passive socket initialization\n  mptcp: use the workqueue to destroy 
unaccepted sockets",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix task hung in ext4_xattr_delete_inode\n\nSyzbot reported a hung task problem:\n==================================================================\nINFO: task syz-executor232:5073 blocked for more than 143 seconds.\n      Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004\nCall Trace:\n <TASK>\n context_switch kernel/sched/core.c:5244 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6555\n schedule+0xcb/0x190 kernel/sched/core.c:6631\n __wait_on_freeing_inode fs/inode.c:2196 [inline]\n find_inode_fast+0x35a/0x4c0 fs/inode.c:950\n iget_locked+0xb1/0x830 fs/inode.c:1273\n __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861\n ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389\n ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148\n ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880\n ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296\n evict+0x2a4/0x620 fs/inode.c:664\n ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474\n __ext4_fill_super fs/ext4/super.c:5516 [inline]\n ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644\n get_tree_bdev+0x400/0x620 fs/super.c:1282\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fa5406fd5ea\nRSP: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea\nRDX: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970\nRBP: 00007ffc7232f970 R08: 
00007ffc7232f9b0 R09: 0000000000000432\nR10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004\nR13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000\n </TASK>\n==================================================================\n\nThe problem is that the inode contains an xattr entry with ea_inum of 15\nwhen cleaning up an orphan inode <15>. When evict inode <15>, the reference\ncounting of the corresponding EA inode is decreased. When EA inode <15> is\nfound by find_inode_fast() in __ext4_iget(), it is found that the EA inode\nholds the I_FREEING flag and waits for the EA inode to complete deletion.\nAs a result, when inode <15> is being deleted, we wait for inode <15> to\ncomplete the deletion, resulting in an infinite loop and triggering Hung\nTask. To solve this problem, we only need to check whether the ino of EA\ninode and parent is the same before getting EA inode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix an illegal memory access\n\nIn the kfd_wait_on_events() function, the kfd_event_waiter structure is\nallocated by alloc_event_waiters(), but the event field of the waiter\nstructure is not initialized; When copy_from_user() fails in the\nkfd_wait_on_events() function, it will enter exception handling to\nrelease the previously allocated memory of the waiter structure;\nDue to the event field of the waiters structure being accessed\nin the free_waiters() function, this results in illegal memory access\nand system crash, here is the crash log:\n\nlocalhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0\nlocalhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082\nlocalhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000\nlocalhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0\nlocalhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64\nlocalhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002\nlocalhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698\nlocalhost kernel: FS:  0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000\nlocalhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nlocalhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0\nlocalhost kernel: Call Trace:\nlocalhost kernel: _raw_spin_lock_irqsave+0x30/0x40\nlocalhost kernel: remove_wait_queue+0x12/0x50\nlocalhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu]\nlocalhost kernel: ? ftrace_graph_caller+0xa0/0xa0\nlocalhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu]\nlocalhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu]\nlocalhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu]\nlocalhost kernel: ? 
ftrace_graph_caller+0xa0/0xa0\nlocalhost kernel: __x64_sys_ioctl+0x8e/0xd0\nlocalhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0\nlocalhost kernel: do_syscall_64+0x33/0x80\nlocalhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9\nlocalhost kernel: RIP: 0033:0x152a4dff68d7\n\nAllocate the structure with kcalloc, and remove redundant 0-initialization\nand a redundant loop condition check.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: update s_journal_inum if it changes after journal replay\n\nWhen mounting a crafted ext4 image, s_journal_inum may change after journal\nreplay, which is obviously unreasonable because we have successfully loaded\nand replayed the journal through the old s_journal_inum. And the new\ns_journal_inum bypasses some of the checks in ext4_get_journal(), which\nmay trigger a null pointer dereference problem. So if s_journal_inum\nchanges after the journal replay, we ignore the change, and rewrite the\ncurrent journal_inum to the superblock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: exynos: fix node leak in probe PM QoS error path\n\nMake sure to add the newly allocated interconnect node to the provider\nbefore adding the PM QoS request so that the node is freed on errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not let histogram values have some modifiers\n\nHistogram values can not be strings, stacktraces, graphs, symbols,\nsyscalls, or grouped in buckets or log. Give an error if a value is set to\ndo so.\n\nNote, the histogram code was not prepared to handle these modifiers for\nhistograms and caused a bug.\n\nMark Rutland reported:\n\n # echo 'p:copy_to_user __arch_copy_to_user n=$arg2' >> /sys/kernel/tracing/kprobe_events\n # echo 'hist:keys=n:vals=hitcount.buckets=8:sort=hitcount' > /sys/kernel/tracing/events/kprobes/copy_to_user/trigger\n # cat /sys/kernel/tracing/events/kprobes/copy_to_user/hist\n[  143.694628] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  143.695190] Mem abort info:\n[  143.695362]   ESR = 0x0000000096000004\n[  143.695604]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  143.695889]   SET = 0, FnV = 0\n[  143.696077]   EA = 0, S1PTW = 0\n[  143.696302]   FSC = 0x04: level 0 translation fault\n[  143.702381] Data abort info:\n[  143.702614]   ISV = 0, ISS = 0x00000004\n[  143.702832]   CM = 0, WnR = 0\n[  143.703087] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000448f9000\n[  143.703407] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  143.704137] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  143.704714] Modules linked in:\n[  143.705273] CPU: 0 PID: 133 Comm: cat Not tainted 6.2.0-00003-g6fc512c10a7c #3\n[  143.706138] Hardware name: linux,dummy-virt (DT)\n[  143.706723] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  143.707120] pc : hist_field_name.part.0+0x14/0x140\n[  143.707504] lr : hist_field_name.part.0+0x104/0x140\n[  143.707774] sp : ffff800008333a30\n[  143.707952] x29: ffff800008333a30 x28: 0000000000000001 x27: 0000000000400cc0\n[  143.708429] x26: ffffd7a653b20260 x25: 0000000000000000 x24: ffff10d303ee5800\n[  143.708776] x23: 
ffffd7a6539b27b0 x22: ffff10d303fb8c00 x21: 0000000000000001\n[  143.709127] x20: ffff10d303ec2000 x19: 0000000000000000 x18: 0000000000000000\n[  143.709478] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  143.709824] x14: 0000000000000000 x13: 203a6f666e692072 x12: 6567676972742023\n[  143.710179] x11: 0a230a6d6172676f x10: 000000000000002c x9 : ffffd7a6521e018c\n[  143.710584] x8 : 000000000000002c x7 : 7f7f7f7f7f7f7f7f x6 : 000000000000002c\n[  143.710915] x5 : ffff10d303b0103e x4 : ffffd7a653b20261 x3 : 000000000000003d\n[  143.711239] x2 : 0000000000020001 x1 : 0000000000000001 x0 : 0000000000000000\n[  143.711746] Call trace:\n[  143.712115]  hist_field_name.part.0+0x14/0x140\n[  143.712642]  hist_field_name.part.0+0x104/0x140\n[  143.712925]  hist_field_print+0x28/0x140\n[  143.713125]  event_hist_trigger_print+0x174/0x4d0\n[  143.713348]  hist_show+0xf8/0x980\n[  143.713521]  seq_read_iter+0x1bc/0x4b0\n[  143.713711]  seq_read+0x8c/0xc4\n[  143.713876]  vfs_read+0xc8/0x2a4\n[  143.714043]  ksys_read+0x70/0xfc\n[  143.714218]  __arm64_sys_read+0x24/0x30\n[  143.714400]  invoke_syscall+0x50/0x120\n[  143.714587]  el0_svc_common.constprop.0+0x4c/0x100\n[  143.714807]  do_el0_svc+0x44/0xd0\n[  143.714970]  el0_svc+0x2c/0x84\n[  143.715134]  el0t_64_sync_handler+0xbc/0x140\n[  143.715334]  el0t_64_sync+0x190/0x194\n[  143.715742] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (f9400000)\n[  143.716510] ---[ end trace 0000000000000000 ]---\nSegmentation fault",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: fix race on RX DMA shutdown\n\nFrom time to time DMA completion can come in the middle of DMA shutdown:\n\n<process ctx>:\t\t\t\t<IRQ>:\nlpuart32_shutdown()\n  lpuart_dma_shutdown()\n    del_timer_sync()\n\t\t\t\t\tlpuart_dma_rx_complete()\n\t\t\t\t\t  lpuart_copy_rx_to_tty()\n\t\t\t\t\t    mod_timer()\n    lpuart_dma_rx_free()\n\nWhen the timer fires a bit later, sport->dma_rx_desc is NULL:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000004\npc : lpuart_copy_rx_to_tty+0xcc/0x5bc\nlr : lpuart_timer_func+0x1c/0x2c\nCall trace:\n lpuart_copy_rx_to_tty\n lpuart_timer_func\n call_timer_fn\n __run_timers.part.0\n run_timer_softirq\n __do_softirq\n __irq_exit_rcu\n irq_exit\n handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n ...\n\nTo fix this fold del_timer_sync() into lpuart_dma_rx_free() after\ndmaengine_terminate_sync() to make sure timer will not be re-started in\nlpuart_copy_rx_to_tty() <= lpuart_dma_rx_complete().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix a NULL pointer dereference\n\nThe LRU mechanism may look up a resource in the process of being removed\nfrom an object. The locking rules here are a bit unclear but it looks\ncurrently like res->bo assignment is protected by the LRU lock, whereas\nbo->resource is protected by the object lock, while *clearing* of\nbo->resource is also protected by the LRU lock. This means that if\nwe check that bo->resource points to the LRU resource under the LRU\nlock we should be safe.\nSo perform that check before deciding to swap out a bo. That avoids\ndereferencing a NULL bo->resource in ttm_bo_swapout().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: fix mem leak when freeing nodes\n\nThe node link array is allocated when adding links to a node but is not\ndeallocated when nodes are destroyed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: gpio-ir-recv: add remove function\n\nIn case runtime PM is enabled, do runtime PM clean up to remove\ncpu latency qos request, otherwise driver removal may have below\nkernel dump:\n\n[   19.463299] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000048\n[   19.472161] Mem abort info:\n[   19.474985]   ESR = 0x0000000096000004\n[   19.478754]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   19.484081]   SET = 0, FnV = 0\n[   19.487149]   EA = 0, S1PTW = 0\n[   19.490361]   FSC = 0x04: level 0 translation fault\n[   19.495256] Data abort info:\n[   19.498149]   ISV = 0, ISS = 0x00000004\n[   19.501997]   CM = 0, WnR = 0\n[   19.504977] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000049f81000\n[   19.511432] [0000000000000048] pgd=0000000000000000,\np4d=0000000000000000\n[   19.518245] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[   19.524520] Modules linked in: gpio_ir_recv(+) rc_core [last\nunloaded: rc_core]\n[   19.531845] CPU: 0 PID: 445 Comm: insmod Not tainted\n6.2.0-rc1-00028-g2c397a46d47c #72\n[   19.531854] Hardware name: FSL i.MX8MM EVK board (DT)\n[   19.531859] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[   19.551777] pc : cpu_latency_qos_remove_request+0x20/0x110\n[   19.557277] lr : gpio_ir_recv_runtime_suspend+0x18/0x30\n[gpio_ir_recv]\n[   19.557294] sp : ffff800008ce3740\n[   19.557297] x29: ffff800008ce3740 x28: 0000000000000000 x27:\nffff800008ce3d50\n[   19.574270] x26: ffffc7e3e9cea100 x25: 00000000000f4240 x24:\nffffc7e3f9ef0e30\n[   19.574284] x23: 0000000000000000 x22: ffff0061803820f4 x21:\n0000000000000008\n[   19.574296] x20: ffffc7e3fa75df30 x19: 0000000000000020 x18:\nffffffffffffffff\n[   19.588570] x17: 0000000000000000 x16: ffffc7e3f9efab70 x15:\nffffffffffffffff\n[   19.595712] x14: ffff800008ce37b8 x13: ffff800008ce37aa x12:\n0000000000000001\n[   19.602853] x11: 
0000000000000001 x10: ffffcbe3ec0dff87 x9 :\n0000000000000008\n[   19.609991] x8 : 0101010101010101 x7 : 0000000000000000 x6 :\n000000000f0bfe9f\n[   19.624261] x5 : 00ffffffffffffff x4 : 0025ab8e00000000 x3 :\nffff006180382010\n[   19.631405] x2 : ffffc7e3e9ce8030 x1 : ffffc7e3fc3eb810 x0 :\n0000000000000020\n[   19.638548] Call trace:\n[   19.640995]  cpu_latency_qos_remove_request+0x20/0x110\n[   19.646142]  gpio_ir_recv_runtime_suspend+0x18/0x30 [gpio_ir_recv]\n[   19.652339]  pm_generic_runtime_suspend+0x2c/0x44\n[   19.657055]  __rpm_callback+0x48/0x1dc\n[   19.660807]  rpm_callback+0x6c/0x80\n[   19.664301]  rpm_suspend+0x10c/0x640\n[   19.667880]  rpm_idle+0x250/0x2d0\n[   19.671198]  update_autosuspend+0x38/0xe0\n[   19.675213]  pm_runtime_set_autosuspend_delay+0x40/0x60\n[   19.680442]  gpio_ir_recv_probe+0x1b4/0x21c [gpio_ir_recv]\n[   19.685941]  platform_probe+0x68/0xc0\n[   19.689610]  really_probe+0xc0/0x3dc\n[   19.693189]  __driver_probe_device+0x7c/0x190\n[   19.697550]  driver_probe_device+0x3c/0x110\n[   19.701739]  __driver_attach+0xf4/0x200\n[   19.705578]  bus_for_each_dev+0x70/0xd0\n[   19.709417]  driver_attach+0x24/0x30\n[   19.712998]  bus_add_driver+0x17c/0x240\n[   19.716834]  driver_register+0x78/0x130\n[   19.720676]  __platform_driver_register+0x28/0x34\n[   19.725386]  gpio_ir_recv_driver_init+0x20/0x1000 [gpio_ir_recv]\n[   19.731404]  do_one_initcall+0x44/0x2ac\n[   19.735243]  do_init_module+0x48/0x1d0\n[   19.739003]  load_module+0x19fc/0x2034\n[   19.742759]  __do_sys_finit_module+0xac/0x12c\n[   19.747124]  __arm64_sys_finit_module+0x20/0x30\n[   19.751664]  invoke_syscall+0x48/0x114\n[   19.755420]  el0_svc_common.constprop.0+0xcc/0xec\n[   19.760132]  do_el0_svc+0x38/0xb0\n[   19.763456]  el0_svc+0x2c/0x84\n[   19.766516]  el0t_64_sync_handler+0xf4/0x120\n[   19.770789]  el0t_64_sync+0x190/0x194\n[   19.774460] Code: 910003fd a90153f3 aa0003f3 91204021 (f9401400)\n[   19.780556] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: xilinx: don't make a sleepable memory allocation from an atomic context\n\nThe following issue was discovered using lockdep:\n[    6.691371] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:209\n[    6.694602] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0\n[    6.702431] 2 locks held by swapper/0/1:\n[    6.706300]  #0: ffffff8800f6f188 (&dev->mutex){....}-{3:3}, at: __device_driver_lock+0x4c/0x90\n[    6.714900]  #1: ffffffc009a2abb8 (enable_lock){....}-{2:2}, at: clk_enable_lock+0x4c/0x140\n[    6.723156] irq event stamp: 304030\n[    6.726596] hardirqs last  enabled at (304029): [<ffffffc008d17ee0>] _raw_spin_unlock_irqrestore+0xc0/0xd0\n[    6.736142] hardirqs last disabled at (304030): [<ffffffc00876bc5c>] clk_enable_lock+0xfc/0x140\n[    6.744742] softirqs last  enabled at (303958): [<ffffffc0080904f0>] _stext+0x4f0/0x894\n[    6.752655] softirqs last disabled at (303951): [<ffffffc0080e53b8>] irq_exit+0x238/0x280\n[    6.760744] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G     U            5.15.36 #2\n[    6.768048] Hardware name: xlnx,zynqmp (DT)\n[    6.772179] Call trace:\n[    6.774584]  dump_backtrace+0x0/0x300\n[    6.778197]  show_stack+0x18/0x30\n[    6.781465]  dump_stack_lvl+0xb8/0xec\n[    6.785077]  dump_stack+0x1c/0x38\n[    6.788345]  ___might_sleep+0x1a8/0x2a0\n[    6.792129]  __might_sleep+0x6c/0xd0\n[    6.795655]  kmem_cache_alloc_trace+0x270/0x3d0\n[    6.800127]  do_feature_check_call+0x100/0x220\n[    6.804513]  zynqmp_pm_invoke_fn+0x8c/0xb0\n[    6.808555]  zynqmp_pm_clock_getstate+0x90/0xe0\n[    6.813027]  zynqmp_pll_is_enabled+0x8c/0x120\n[    6.817327]  zynqmp_pll_enable+0x38/0xc0\n[    6.821197]  clk_core_enable+0x144/0x400\n[    6.825067]  clk_core_enable+0xd4/0x400\n[    6.828851]  clk_core_enable+0xd4/0x400\n[    6.832635]  clk_core_enable+0xd4/0x400\n[    6.836419]  
clk_core_enable+0xd4/0x400\n[    6.840203]  clk_core_enable+0xd4/0x400\n[    6.843987]  clk_core_enable+0xd4/0x400\n[    6.847771]  clk_core_enable+0xd4/0x400\n[    6.851555]  clk_core_enable_lock+0x24/0x50\n[    6.855683]  clk_enable+0x24/0x40\n[    6.858952]  fclk_probe+0x84/0xf0\n[    6.862220]  platform_probe+0x8c/0x110\n[    6.865918]  really_probe+0x110/0x5f0\n[    6.869530]  __driver_probe_device+0xcc/0x210\n[    6.873830]  driver_probe_device+0x64/0x140\n[    6.877958]  __driver_attach+0x114/0x1f0\n[    6.881828]  bus_for_each_dev+0xe8/0x160\n[    6.885698]  driver_attach+0x34/0x50\n[    6.889224]  bus_add_driver+0x228/0x300\n[    6.893008]  driver_register+0xc0/0x1e0\n[    6.896792]  __platform_driver_register+0x44/0x60\n[    6.901436]  fclk_driver_init+0x1c/0x28\n[    6.905220]  do_one_initcall+0x104/0x590\n[    6.909091]  kernel_init_freeable+0x254/0x2bc\n[    6.913390]  kernel_init+0x24/0x130\n[    6.916831]  ret_from_fork+0x10/0x20\n\nFix it by passing the GFP_ATOMIC gfp flag for the corresponding\nmemory allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix WARNING in ext4_update_inline_data\n\nSyzbot found the following issue:\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.\nfscrypt: AES-256-CTS-CBC using implementation \"cts-cbc-aes-aesni\"\nfscrypt: AES-256-XTS using implementation \"xts-aes-aesni\"\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525\nModules linked in:\nCPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525\nRSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246\nRAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000\nRDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248\nRBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220\nR10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40\nR13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c\nFS:  0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __alloc_pages_node include/linux/gfp.h:237 [inline]\n alloc_pages_node include/linux/gfp.h:260 [inline]\n __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113\n __do_kmalloc_node mm/slab_common.c:956 [inline]\n __kmalloc+0xfe/0x190 mm/slab_common.c:981\n kmalloc include/linux/slab.h:584 [inline]\n kzalloc include/linux/slab.h:720 [inline]\n ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346\n ext4_update_inline_dir fs/ext4/inline.c:1115 [inline]\n 
ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307\n ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385\n ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772\n ext4_create+0x36c/0x560 fs/ext4/namei.c:2817\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x12ac/0x2dd0 fs/namei.c:3711\n do_filp_open+0x264/0x4f0 fs/namei.c:3741\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_openat fs/open.c:1342 [inline]\n __se_sys_openat fs/open.c:1337 [inline]\n __x64_sys_openat+0x243/0x290 fs/open.c:1337\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAbove issue happens as follows:\next4_iget\n   ext4_find_inline_data_nolock ->i_inline_off=164 i_inline_size=60\next4_try_add_inline_entry\n   __ext4_mark_inode_dirty\n      ext4_expand_extra_isize_ea ->i_extra_isize=32 s_want_extra_isize=44\n         ext4_xattr_shift_entries\n\t ->after shift i_inline_off is incorrect, actually is change to 176\next4_try_add_inline_entry\n  ext4_update_inline_dir\n    get_max_inline_xattr_value_size\n      if (EXT4_I(inode)->i_inline_off)\n\tentry = (struct ext4_xattr_entry *)((void *)raw_inode +\n\t\t\tEXT4_I(inode)->i_inline_off);\n        free += EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size));\n\t->As entry is incorrect, then 'free' may be negative\n   ext4_update_inline_data\n      value = kzalloc(len, GFP_NOFS);\n      -> len is unsigned int, maybe very large, then trigger warning when\n         'kzalloc()'\n\nTo resolve the above issue we need to update 'i_inline_off' after\n'ext4_xattr_shift_entries()'.  We do not need to set\nEXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty()\nalready sets this flag if needed.  Setting EXT4_STATE_MAY_INLINE_DATA\nwhen it is needed may trigger a BUG_ON in ext4_writepages().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: zero i_disksize when initializing the bootloader inode\n\nIf the boot loader inode has never been used before, the\nEXT4_IOC_SWAP_BOOT inode will initialize it, including setting the\ni_size to 0.  However, if the \"never before used\" boot loader has a\nnon-zero i_size, then i_disksize will be non-zero, and the\ninconsistency between i_size and i_disksize can trigger a kernel\nwarning:\n\n WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319\n CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa\n RIP: 0010:ext4_file_write_iter+0xbc7/0xd10\n Call Trace:\n  vfs_write+0x3b1/0x5c0\n  ksys_write+0x77/0x160\n  __x64_sys_write+0x22/0x30\n  do_syscall_64+0x39/0x80\n\nReproducer:\n 1. create corrupted image and mount it:\n       mke2fs -t ext4 /tmp/foo.img 200\n       debugfs -wR \"sif <5> size 25700\" /tmp/foo.img\n       mount -t ext4 /tmp/foo.img /mnt\n       cd /mnt\n       echo 123 > file\n 2. Run the reproducer program:\n       posix_memalign(&buf, 1024, 1024)\n       fd = open(\"file\", O_RDWR | O_DIRECT);\n       ioctl(fd, EXT4_IOC_SWAP_BOOT);\n       write(fd, buf, 1024);\n\nFix this by setting i_disksize as well as i_size to zero when\ninitiaizing the boot loader inode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: xsk: disable txq irq before flushing hw\n\nice_qp_dis() intends to stop a given queue pair that is a target of xsk\npool attach/detach. One of the steps is to disable interrupts on these\nqueues. It currently is broken in a way that txq irq is turned off\n*after* HW flush which in turn takes no effect.\n\nice_qp_dis():\n-> ice_qvec_dis_irq()\n--> disable rxq irq\n--> flush hw\n-> ice_vsi_stop_tx_ring()\n-->disable txq irq\n\nBelow splat can be triggered by following steps:\n- start xdpsock WITHOUT loading xdp prog\n- run xdp_rxq_info with XDP_TX action on this interface\n- start traffic\n- terminate xdpsock\n\n[  256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018\n[  256.319560] #PF: supervisor read access in kernel mode\n[  256.324775] #PF: error_code(0x0000) - not-present page\n[  256.329994] PGD 0 P4D 0\n[  256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G           OE      6.2.0-rc5+ #51\n[  256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice]\n[  256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44\n[  256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206\n[  256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f\n[  256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80\n[  256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000\n[  256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000\n[  256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600\n[  256.421990] FS:  0000000000000000(0000) 
GS:ffff8897e0cc0000(0000) knlGS:0000000000000000\n[  256.430207] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0\n[  256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  256.457770] PKRU: 55555554\n[  256.460529] Call Trace:\n[  256.463015]  <TASK>\n[  256.465157]  ? ice_xmit_zc+0x6e/0x150 [ice]\n[  256.469437]  ice_napi_poll+0x46d/0x680 [ice]\n[  256.473815]  ? _raw_spin_unlock_irqrestore+0x1b/0x40\n[  256.478863]  __napi_poll+0x29/0x160\n[  256.482409]  net_rx_action+0x136/0x260\n[  256.486222]  __do_softirq+0xe8/0x2e5\n[  256.489853]  ? smpboot_thread_fn+0x2c/0x270\n[  256.494108]  run_ksoftirqd+0x2a/0x50\n[  256.497747]  smpboot_thread_fn+0x1c1/0x270\n[  256.501907]  ? __pfx_smpboot_thread_fn+0x10/0x10\n[  256.506594]  kthread+0xea/0x120\n[  256.509785]  ? __pfx_kthread+0x10/0x10\n[  256.513597]  ret_from_fork+0x29/0x50\n[  256.517238]  </TASK>\n\nIn fact, irqs were not disabled and napi managed to be scheduled and run\nwhile xsk_pool pointer was still valid, but SW ring of xdp_buff pointers\nwas already freed.\n\nTo fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also\nwhile at it, remove redundant ice_clean_rx_ring() call - this is handled\nin ice_qp_clean_rings().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails\n\nsyzbot reported a warning[1] where the bond device itself is a slave and\nwe try to enslave a non-ethernet device as the first slave which fails\nbut then in the error path when ether_setup() restores the bond device\nit also clears all flags. In my previous fix[2] I restored the\nIFF_MASTER flag, but I didn't consider the case that the bond device\nitself might also be a slave with IFF_SLAVE set, so we need to restore\nthat flag as well. Use the bond_ether_setup helper which does the right\nthing and restores the bond's flags properly.\n\nSteps to reproduce using a nlmon dev:\n $ ip l add nlmon0 type nlmon\n $ ip l add bond1 type bond\n $ ip l add bond2 type bond\n $ ip l set bond1 master bond2\n $ ip l set dev nlmon0 master bond1\n $ ip -d l sh dev bond1\n 22: bond1: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noqueue master bond2 state DOWN mode DEFAULT group default qlen 1000\n (now bond1's IFF_SLAVE flag is gone and we'll hit a warning[3] if we\n  try to delete it)\n\n[1] https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef\n[2] commit 7d5cd2ce5292 (\"bonding: correctly handle bonding type change on enslave failure\")\n[3] example warning:\n [   27.008664] bond1: (slave nlmon0): The slave device specified does not support setting the MAC address\n [   27.008692] bond1: (slave nlmon0): Error -95 calling set_mac_address\n [   32.464639] bond1 (unregistering): Released all slaves\n [   32.464685] ------------[ cut here ]------------\n [   32.464686] WARNING: CPU: 1 PID: 2004 at net/core/dev.c:10829 unregister_netdevice_many+0x72a/0x780\n [   32.464694] Modules linked in: br_netfilter bridge bonding virtio_net\n [   32.464699] CPU: 1 PID: 2004 Comm: ip Kdump: loaded Not tainted 5.18.0-rc3+ #47\n [   32.464703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.1-2.fc37 04/01/2014\n [   32.464704] RIP: 0010:unregister_netdevice_many+0x72a/0x780\n [   32.464707] Code: 99 fd ff ff ba 90 1a 00 00 48 c7 c6 f4 02 66 96 48 c7 c7 20 4d 35 96 c6 05 fa c7 2b 02 01 e8 be 6f 4a 00 0f 0b e9 73 fd ff ff <0f> 0b e9 5f fd ff ff 80 3d e3 c7 2b 02 00 0f 85 3b fd ff ff ba 59\n [   32.464710] RSP: 0018:ffffa006422d7820 EFLAGS: 00010206\n [   32.464712] RAX: ffff8f6e077140a0 RBX: ffffa006422d7888 RCX: 0000000000000000\n [   32.464714] RDX: ffff8f6e12edbe58 RSI: 0000000000000296 RDI: ffffffff96d4a520\n [   32.464716] RBP: ffff8f6e07714000 R08: ffffffff96d63600 R09: ffffa006422d7728\n [   32.464717] R10: 0000000000000ec0 R11: ffffffff9698c988 R12: ffff8f6e12edb140\n [   32.464719] R13: dead000000000122 R14: dead000000000100 R15: ffff8f6e12edb140\n [   32.464723] FS:  00007f297c2f1740(0000) GS:ffff8f6e5d900000(0000) knlGS:0000000000000000\n [   32.464725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [   32.464726] CR2: 00007f297bf1c800 CR3: 00000000115e8000 CR4: 0000000000350ee0\n [   32.464730] Call Trace:\n [   32.464763]  <TASK>\n [   32.464767]  rtnl_dellink+0x13e/0x380\n [   32.464776]  ? cred_has_capability.isra.0+0x68/0x100\n [   32.464780]  ? __rtnl_unlock+0x33/0x60\n [   32.464783]  ? bpf_lsm_capset+0x10/0x10\n [   32.464786]  ? security_capable+0x36/0x50\n [   32.464790]  rtnetlink_rcv_msg+0x14e/0x3b0\n [   32.464792]  ? _copy_to_iter+0xb1/0x790\n [   32.464796]  ? post_alloc_hook+0xa0/0x160\n [   32.464799]  ? rtnl_calcit.isra.0+0x110/0x110\n [   32.464802]  netlink_rcv_skb+0x50/0xf0\n [   32.464806]  netlink_unicast+0x216/0x340\n [   32.464809]  netlink_sendmsg+0x23f/0x480\n [   32.464812]  sock_sendmsg+0x5e/0x60\n [   32.464815]  ____sys_sendmsg+0x22c/0x270\n [   32.464818]  ? import_iovec+0x17/0x20\n [   32.464821]  ? sendmsg_copy_msghdr+0x59/0x90\n [   32.464823]  ? do_set_pte+0xa0/0xe0\n [   32.464828]  ___sys_sendmsg+0x81/0xc0\n [   32.464832]  ? mod_objcg_state+0xc6/0x300\n [   32.464835]  ? 
refill_obj_stock+0xa9/0x160\n [   32.464838]  ? memcg_slab_free_hook+0x1a5/0x1f0\n [   32.464842]  __sys_sendm\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix cleanup null-ptr deref on encap lock\n\nDuring module is unloaded while a peer tc flow is still offloaded,\nfirst the peer uplink rep profile is changed to a nic profile, and so\nneigh encap lock is destroyed. Next during unload, the VF reps netdevs\nare unregistered which causes the original non-peer tc flow to be deleted,\nwhich deletes the peer flow. The peer flow deletion detaches the encap\nentry and try to take the already destroyed encap lock, causing the\nbelow trace.\n\nFix this by clearing peer flows during tc eswitch cleanup\n(mlx5e_tc_esw_cleanup()).\n\nRelevant trace:\n[ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8\n[ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40\n[ 4316.851897] Call Trace:\n[ 4316.852481]  <TASK>\n[ 4316.857214]  mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]\n[ 4316.858258]  mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]\n[ 4316.859134]  mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]\n[ 4316.859867]  clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core]\n[ 4316.860605]  mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core]\n[ 4316.862609]  __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]\n[ 4316.863394]  mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]\n[ 4316.864090]  mlx5e_flow_put+0x5f/0x100 [mlx5_core]\n[ 4316.864771]  mlx5e_delete_flower+0x4de/0xa40 [mlx5_core]\n[ 4316.865486]  tc_setup_cb_reoffload+0x20/0x80\n[ 4316.865905]  fl_reoffload+0x47c/0x510 [cls_flower]\n[ 4316.869181]  tcf_block_playback_offloads+0x91/0x1d0\n[ 4316.869649]  tcf_block_unbind+0xe7/0x1b0\n[ 4316.870049]  tcf_block_offload_cmd.isra.0+0x1ee/0x270\n[ 4316.879266]  tcf_block_offload_unbind+0x61/0xa0\n[ 4316.879711]  __tcf_block_put+0xa4/0x310",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: st-nci: Fix use after free bug in ndlc_remove due to race condition\n\nThis bug influences both st_nci_i2c_remove and st_nci_spi_remove.\nTake st_nci_i2c_remove as an example.\n\nIn st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work\nwith llt_ndlc_sm_work.\n\nWhen it calls ndlc_recv or timeout handler, it will finally call\nschedule_work to start the work.\n\nWhen we call st_nci_i2c_remove to remove the driver, there\nmay be a sequence as follows:\n\nFix it by finishing the work before cleanup in ndlc_remove\n\nCPU0                  CPU1\n\n                    |llt_ndlc_sm_work\nst_nci_i2c_remove   |\n  ndlc_remove       |\n     st_nci_remove  |\n     nci_free_device|\n     kfree(ndev)    |\n//free ndlc->ndev   |\n                    |llt_ndlc_rcv_queue\n                    |nci_recv_frame\n                    |//use ndlc->ndev",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Fix use after free in XDP_REDIRECT\n\nCommit 718a18a0c8a6 (\"veth: Rework veth_xdp_rcv_skb in order\nto accept non-linear skb\") introduced a bug where it tried to\nuse pskb_expand_head() if the headroom was less than\nXDP_PACKET_HEADROOM.  This however uses kmalloc to expand the head,\nwhich will later allow consume_skb() to free the skb while is it still\nin use by AF_XDP.\n\nPreviously if the headroom was less than XDP_PACKET_HEADROOM we\ncontinued on to allocate a new skb from pages so this restores that\nbehavior.\n\nBUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0\nRead of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640\n\nCPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G           O       6.1.4-cloudflare-kasan-2023.1.2 #1\nHardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018\nCall Trace:\n  <TASK>\n  dump_stack_lvl+0x34/0x48\n  print_report+0x170/0x473\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_report+0xad/0x130\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_check_range+0x149/0x1a0\n  memcpy+0x20/0x60\n  __xsk_rcv+0x18d/0x2c0\n  __xsk_map_redirect+0x1f3/0x490\n  ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  xdp_do_redirect+0x5ca/0xd60\n  veth_xdp_rcv_skb+0x935/0x1ba0 [veth]\n  ? __netif_receive_skb_list_core+0x671/0x920\n  ? veth_xdp+0x670/0x670 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  ? do_xdp_generic+0x150/0x150\n  ? veth_xdp_rcv_one+0xde0/0xde0 [veth]\n  ? _raw_spin_lock_bh+0xe0/0xe0\n  ? newidle_balance+0x887/0xe30\n  ? __perf_event_task_sched_in+0xdb/0x800\n  veth_poll+0x139/0x571 [veth]\n  ? veth_xdp_rcv+0xa20/0xa20 [veth]\n  ? _raw_spin_unlock+0x39/0x70\n  ? finish_task_switch.isra.0+0x17e/0x7d0\n  ? __switch_to+0x5cf/0x1070\n  ? __schedule+0x95b/0x2640\n  ? io_schedule_timeout+0x160/0x160\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  ? __napi_poll+0x440/0x440\n  ? 
__kthread_parkme+0xc6/0x1f0\n  ? __napi_poll+0x440/0x440\n  kthread+0x2a2/0x340\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  </TASK>\n\nFreed by task 148640:\n  kasan_save_stack+0x23/0x50\n  kasan_set_track+0x21/0x30\n  kasan_save_free_info+0x2a/0x40\n  ____kasan_slab_free+0x169/0x1d0\n  slab_free_freelist_hook+0xd2/0x190\n  __kmem_cache_free+0x1a1/0x2f0\n  skb_release_data+0x449/0x600\n  consume_skb+0x9f/0x1c0\n  veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  veth_poll+0x139/0x571 [veth]\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  kthread+0x2a2/0x340\n  ret_from_fork+0x22/0x30\n\nThe buggy address belongs to the object at ffff888976250000\n  which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 340 bytes inside of\n  2048-byte region [ffff888976250000, ffff888976250800)\n\nThe buggy address belongs to the physical page:\npage:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250\nhead:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)\nraw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00\nraw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n  ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                  ^\n  ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Fix size of interrupt data\n\niucv_irq_data needs to be 4 bytes larger.\nThese bytes are not used by the iucv module, but written by\nthe z/VM hypervisor in case a CPU is deconfigured.\n\nReported as:\nBUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten\n-----------------------------------------------------------------------------\n0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc\nAllocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1\n__kmem_cache_alloc_node+0x166/0x450\nkmalloc_node_trace+0x3a/0x70\niucv_cpu_prepare+0x44/0xd0\ncpuhp_invoke_callback+0x156/0x2f0\ncpuhp_issue_call+0xf0/0x298\n__cpuhp_setup_state_cpuslocked+0x136/0x338\n__cpuhp_setup_state+0xf4/0x288\niucv_init+0xf4/0x280\ndo_one_initcall+0x78/0x390\ndo_initcalls+0x11a/0x140\nkernel_init_freeable+0x25e/0x2a0\nkernel_init+0x2e/0x170\n__ret_from_fork+0x3c/0x58\nret_from_fork+0xa/0x40\nFreed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1\n__kmem_cache_free+0x308/0x358\niucv_init+0x92/0x280\ndo_one_initcall+0x78/0x390\ndo_initcalls+0x11a/0x140\nkernel_init_freeable+0x25e/0x2a0\nkernel_init+0x2e/0x170\n__ret_from_fork+0x3c/0x58\nret_from_fork+0xa/0x40\nSlab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|\nObject 0x0000000000400540 @offset=1344 fp=0x0000000000000000\nRedzone  0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................\nRedzone  0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................\nRedzone  0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................\nRedzone  0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................\nObject   0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00  ................\nObject   0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 
f0 f0 f2  ................\nObject   0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc  ................\nObject   0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................\nRedzone  0000000000400580: cc cc cc cc cc cc cc cc                          ........\nPadding  00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ\nPadding  00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ\nPadding  00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\nCPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1\nHardware name: IBM 3931 A01 704 (z/VM 7.3.0)\nCall Trace:\n[<000000032aa034ec>] dump_stack_lvl+0xac/0x100\n[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140\n[<0000000329f5aa78>] check_object+0x370/0x3c0\n[<0000000329f5ede6>] free_debug_processing+0x15e/0x348\n[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0\n[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8\n[<0000000329f61768>] __kmem_cache_free+0x308/0x358\n[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88\n[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0\n[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0\n[<0000000329c3243e>] cpu_device_down+0x4e/0x78\n[<000000032a61dee0>] device_offline+0xc8/0x118\n[<000000032a61e048>] online_store+0x60/0xe0\n[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8\n[<0000000329fab65c>] vfs_write+0x174/0x360\n[<0000000329fab9fc>] ksys_write+0x74/0x100\n[<000000032aa03a5a>] __do_syscall+0x1da/0x208\n[<000000032aa177b2>] system_call+0x82/0xb0\nINFO: lockdep is turned off.\nFIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc\nFIX dma-kmalloc-64: Object at 0x0000000000400540 not freed",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tunnels: annotate lockless accesses to dev->needed_headroom\n\nIP tunnels can apparently update dev->needed_headroom\nin their xmit path.\n\nThis patch takes care of three tunnels xmit, and also the\ncore LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA()\nhelpers.\n\nMore changes might be needed for completeness.\n\nBUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit\n\nread to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1:\nip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803\n__gre_xmit net/ipv4/ip_gre.c:469 [inline]\nipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661\n__netdev_start_xmit include/linux/netdevice.h:4881 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4895 [inline]\nxmit_one net/core/dev.c:3580 [inline]\ndev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596\n__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246\ndev_queue_xmit include/linux/netdevice.h:3051 [inline]\nneigh_direct_output+0x17/0x20 net/core/neighbour.c:1623\nneigh_output include/net/neighbour.h:546 [inline]\nip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228\nip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316\nNF_HOOK_COND include/linux/netfilter.h:291 [inline]\nip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430\ndst_output include/net/dst.h:444 [inline]\nip_local_out+0x64/0x80 net/ipv4/ip_output.c:126\niptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82\nip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813\n__gre_xmit net/ipv4/ip_gre.c:469 [inline]\nipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661\n__netdev_start_xmit include/linux/netdevice.h:4881 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4895 [inline]\nxmit_one net/core/dev.c:3580 [inline]\ndev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596\n__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246\ndev_queue_xmit include/linux/netdevice.h:3051 [inline]\nneigh_direct_output+0x17/0x20 
net/core/neighbour.c:1623\nneigh_output include/net/neighbour.h:546 [inline]\nip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228\nip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316\nNF_HOOK_COND include/linux/netfilter.h:291 [inline]\nip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430\ndst_output include/net/dst.h:444 [inline]\nip_local_out+0x64/0x80 net/ipv4/ip_output.c:126\niptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82\nip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813\n__gre_xmit net/ipv4/ip_gre.c:469 [inline]\nipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661\n__netdev_start_xmit include/linux/netdevice.h:4881 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4895 [inline]\nxmit_one net/core/dev.c:3580 [inline]\ndev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596\n__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246\ndev_queue_xmit include/linux/netdevice.h:3051 [inline]\nneigh_direct_output+0x17/0x20 net/core/neighbour.c:1623\nneigh_output include/net/neighbour.h:546 [inline]\nip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228\nip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316\nNF_HOOK_COND include/linux/netfilter.h:291 [inline]\nip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430\ndst_output include/net/dst.h:444 [inline]\nip_local_out+0x64/0x80 net/ipv4/ip_output.c:126\niptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82\nip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813\n__gre_xmit net/ipv4/ip_gre.c:469 [inline]\nipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661\n__netdev_start_xmit include/linux/netdevice.h:4881 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4895 [inline]\nxmit_one net/core/dev.c:3580 [inline]\ndev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596\n__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246\ndev_queue_xmit include/linux/netdevice.h:3051 [inline]\nneigh_direct_output+0x17/0x20 net/core/neighbour.c:1623\nneigh_output include/net/neighbour.h:546 [inline]\nip_finish_output2+0x740/0x840 
net/ipv4/ip_output.c:228\nip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316\nNF_HOOK_COND include/linux/netfilter.h:291 [inline]\nip_output+0xe5/0x1b0 net/i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()\n\nWhen performing a stress test on SMC-R by rmmod mlx5_ib driver\nduring the wrk/nginx test, we found that there is a probability\nof triggering a panic while terminating all link groups.\n\nThis issue is due to the race between smc_smcr_terminate_all()\nand smc_buf_create().\n\n\t\t\tsmc_smcr_terminate_all\n\nsmc_buf_create\n/* init */\nconn->sndbuf_desc = NULL;\n...\n\n\t\t\t__smc_lgr_terminate\n\t\t\t\tsmc_conn_kill\n\t\t\t\t\tsmc_close_abort\n\t\t\t\t\t\tsmc_cdc_get_slot_and_msg_send\n\n\t\t\t__softirqentry_text_start\n\t\t\t\tsmc_wr_tx_process_cqe\n\t\t\t\t\tsmc_cdc_tx_handler\n\t\t\t\t\t\tREAD(conn->sndbuf_desc->len);\n\t\t\t\t\t\t/* panic due to NULL sndbuf_desc */\n\nconn->sndbuf_desc = xxx;\n\nThis patch tries to fix the issue by always checking the sndbuf_desc\nbefore sending any cdc msg, to make sure that no null pointer is\nseen during cqe processing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: Fix use-after-free issues\n\ndo_req_filebacked() calls blk_mq_complete_request() synchronously or\nasynchronously when using asynchronous I/O unless memory allocation fails.\nHence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor\n'rq' after do_req_filebacked() finished unless we are sure that the request\nhas not yet been completed. This patch fixes the following kernel crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000054\nCall trace:\n css_put.42938+0x1c/0x1ac\n loop_process_work+0xc8c/0xfd4\n loop_rootcg_workfn+0x24/0x34\n process_one_work+0x244/0x558\n worker_thread+0x400/0x8fc\n kthread+0x16c/0x1e0\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/sseu: fix max_subslices array-index-out-of-bounds access\n\nIt seems that commit bc3c5e0809ae (\"drm/i915/sseu: Don't try to store EU\nmask internally in UAPI format\") exposed a potential out-of-bounds\naccess, reported by UBSAN as following on a laptop with a gen 11 i915\ncard:\n\n  UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27\n  index 6 is out of range for type 'u16 [6]'\n  CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic #9-Ubuntu\n  Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022\n  Call Trace:\n   <TASK>\n   show_stack+0x4e/0x61\n   dump_stack_lvl+0x4a/0x6f\n   dump_stack+0x10/0x18\n   ubsan_epilogue+0x9/0x3a\n   __ubsan_handle_out_of_bounds.cold+0x42/0x47\n   gen11_compute_sseu_info+0x121/0x130 [i915]\n   intel_sseu_info_init+0x15d/0x2b0 [i915]\n   intel_gt_init_mmio+0x23/0x40 [i915]\n   i915_driver_mmio_probe+0x129/0x400 [i915]\n   ? intel_gt_probe_all+0x91/0x2e0 [i915]\n   i915_driver_probe+0xe1/0x3f0 [i915]\n   ? drm_privacy_screen_get+0x16d/0x190 [drm]\n   ? acpi_dev_found+0x64/0x80\n   i915_pci_probe+0xac/0x1b0 [i915]\n   ...\n\nAccording to the definition of sseu_dev_info, eu_mask->hsw is limited to\na maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices, but\ngen11_sseu_info_init() can potentially set 8 sub-slices, in the\n!IS_JSL_EHL(gt->i915) case.\n\nFix this by reserving up to 8 slots for max_subslices in the eu_mask\nstruct.\n\n(cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NULL-ptr deref in offchan check\n\nIf, e.g. in AP mode, the link was already created by userspace\nbut not activated yet, it has a chandef but the chandef isn't\nvalid and has no channel. Check for this and ignore this link.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during reboot when adapter is in recovery mode\n\nIf the driver detects during probe that firmware is in recovery\nmode then i40e_init_recovery_mode() is called and the rest of\nprobe function is skipped including pci_set_drvdata(). Subsequent\ni40e_shutdown() called during shutdown/reboot dereferences NULL\npointer as pci_get_drvdata() returns NULL.\n\nTo fix, call pci_set_drvdata() also when entering recovery mode.\n\nReproducer:\n1) Let's have i40e NIC with firmware in recovery mode\n2) Run reboot\n\nResult:\n[  139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver\n[  139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.\n[  139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.\n[  139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[  139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[  139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0\n[  139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.\n[  139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[  139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[  139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0\n...\n[  156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2\n[  156.318330] #PF: supervisor write access in kernel mode\n[  156.323546] #PF: error_code(0x0002) - not-present page\n[  156.328679] PGD 0 P4D 0\n[  156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[  156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G            E      6.2.0+ #1\n[  156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022\n[  156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]\n[  156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 <f0> 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00\n[  156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282\n[  156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001\n[  156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000\n[  156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40\n[  156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000\n[  156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000\n[  156.418007] FS:  00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000\n[  156.426083] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0\n[  156.438944] PKRU: 55555554\n[  156.441647] Call Trace:\n[  156.444096]  <TASK>\n[  156.446199]  pci_device_shutdown+0x38/0x60\n[  156.450297]  device_shutdown+0x163/0x210\n[  156.454215]  kernel_restart+0x12/0x70\n[  156.457872]  __do_sys_reboot+0x1ab/0x230\n[  156.461789]  ? vfs_writev+0xa6/0x1a0\n[  156.465362]  ? __pfx_file_free_rcu+0x10/0x10\n[  156.469635]  ? __call_rcu_common.constprop.85+0x109/0x5a0\n[  156.475034]  do_syscall_64+0x3e/0x90\n[  156.478611]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[  156.483658] RIP: 0033:0x7fe7bff37ab7",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix memory leaks in mpi3mr_init_ioc()\n\nDon't allocate memory again when IOC is being reinitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: avoid potential UAF in nvmet_req_complete()\n\nAn nvme target ->queue_response() operation implementation may free the\nrequest passed as argument. Such implementation potentially could result\nin a use after free of the request pointer when percpu_ref_put() is\ncalled in nvmet_req_complete().\n\nAvoid such problem by using a local variable to save the sq pointer\nbefore calling __nvmet_req_complete(), thus avoiding dereferencing the\nreq pointer after that function call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: prevent out-of-bounds array speculation when closing a file descriptor\n\nGoogle-Bug-Id: 114199369",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a procfs host directory removal regression\n\nscsi_proc_hostdir_rm() decreases a reference counter and hence must only be\ncalled once per host that is removed. This change does not require a\nscsi_add_host_with_dma() change since scsi_add_host_with_dma() will return\n0 (success) if scsi_proc_host_add() is called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2.8"
        },
        {
          "id": "CVE-2023-53119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: initialize struct pn533_out_arg properly\n\nstruct pn533_out_arg used as a temporary context for out_urb is not\ninitialized properly. Its uninitialized 'phy' field can be dereferenced in\nerror cases inside pn533_out_complete() callback function. It causes the\nfollowing failure:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441\nCall Trace:\n <IRQ>\n __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671\n usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754\n dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988\n call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700\n expire_timers+0x234/0x330 kernel/time/timer.c:1751\n __run_timers kernel/time/timer.c:2022 [inline]\n __run_timers kernel/time/timer.c:1995 [inline]\n run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035\n __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571\n invoke_softirq kernel/softirq.c:445 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\n irq_exit_rcu+0x9/0x20 kernel/softirq.c:662\n sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107\n\nInitialize the field with the pn533_usb_phy currently used.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix config page DMA memory leak\n\nA fix for:\n\nDMA-API: pci 0000:83:00.0: device driver has pending DMA allocations while released from device [count=1]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: tcp_make_synack() can be called from process context\n\ntcp_rtx_synack() now could be called in process context as explained in\n0a375c822497 (\"tcp: tcp_rtx_synack() can be called from process\ncontext\").\n\ntcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU\nvariables with preemption enabled. This causes the following BUG:\n\n    BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464\n    caller is tcp_make_synack+0x841/0xac0\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x10d/0x1a0\n     check_preemption_disabled+0x104/0x110\n     tcp_make_synack+0x841/0xac0\n     tcp_v6_send_synack+0x5c/0x450\n     tcp_rtx_synack+0xeb/0x1f0\n     inet_rtx_syn_ack+0x34/0x60\n     tcp_check_req+0x3af/0x9e0\n     tcp_rcv_state_process+0x59b/0x2030\n     tcp_v6_do_rcv+0x5f5/0x700\n     release_sock+0x3a/0xf0\n     tcp_sendmsg+0x33/0x40\n     ____sys_sendmsg+0x2f2/0x490\n     __sys_sendmsg+0x184/0x230\n     do_syscall_64+0x3d/0x90\n\nAvoid calling __TCP_INC_STATS() which will touch per-cpu variables. Use\nTCP_INC_STATS() which is safe to be called from context switch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: s390: Fix use-after-free of PCI resources with per-function hotplug\n\nOn s390 PCI functions may be hotplugged individually even when they\nbelong to a multi-function device. In particular on an SR-IOV device VFs\nmay be removed and later re-added.\n\nIn commit a50297cf8235 (\"s390/pci: separate zbus creation from\nscanning\") it was missed however that struct pci_bus and struct\nzpci_bus's resource list retained a reference to the PCI function's MMIO\nresources even though those resources are released and freed on\nhot-unplug. These stale resources may subsequently be claimed when the\nPCI function re-appears resulting in use-after-free.\n\nOne idea of fixing this use-after-free in s390 specific code that was\ninvestigated was to simply keep resources around from the moment a PCI\nfunction first appeared until the whole virtual PCI bus created for\na multi-function device disappears. The problem with this however is\nthat due to the requirement of artificial MMIO addresses (address\ncookies) extra logic is then needed to keep the address cookies\ncompatible on re-plug. At the same time the MMIO resources semantically\nbelong to the PCI function so tying their lifecycle to the function\nseems more logical.\n\nInstead a simpler approach is to remove the resources of an individually\nhot-unplugged PCI function from the PCI bus's resource list while\nkeeping the resources of other PCI functions on the PCI bus untouched.\n\nThis is done by introducing pci_bus_remove_resource() to remove an\nindividual resource. Similarly the resource also needs to be removed\nfrom the struct zpci_bus's resource list. It turns out however, that\nthere is really no need to add the MMIO resources to the struct\nzpci_bus's resource list at all and instead we can simply use the\nzpci_bar_struct's resource pointer directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()\n\nPort is allocated by sas_port_alloc_num() and rphy is allocated by either\nsas_end_device_alloc() or sas_expander_alloc(), all of which may return\nNULL. So we need to check the rphy to avoid possible NULL pointer access.\n\nIf sas_rphy_add() returned with failure, rphy is set to NULL. We would\naccess the rphy in the following lines which would also result in NULL pointer\naccess.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Limit packet length to skb->len\n\nPacket length retrieved from skb data may be larger than\nthe actual socket buffer length (up to 9026 bytes). In such\ncase the cloned skb passed up the network stack will leak\nkernel memory contents.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix sas_hba.phy memory leak in mpi3mr_remove()\n\nFree mrioc->sas_hba.phy at .remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix expander node leak in mpi3mr_remove()\n\nAdd a missing resource clean up in .remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix throttle_groups memory leak\n\nAdd a missing kfree().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a server shutdown leak\n\nFix a race where kthread_stop() may prevent the threadfn from ever getting\ncalled.  If that happens the svc_rqst will not be cleaned up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix mpi3mr_hba_port memory leak in mpi3mr_remove()\n\nFree mpi3mr_hba_port at .remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser()\n\nWhen the buffer length of the recvmsg system call is 0, we got the\nfollowing soft lockup problem:\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149]\nCPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:remove_wait_queue+0xb/0xc0\nCode: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20\nRSP: 0018:ffff88811b5978b8 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768\nRDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040\nRBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7\nR10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800\nR13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0\nFS:  00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_msg_wait_data+0x279/0x2f0\n tcp_bpf_recvmsg_parser+0x3c6/0x490\n inet_recvmsg+0x280/0x290\n sock_recvmsg+0xfc/0x120\n ____sys_recvmsg+0x160/0x3d0\n ___sys_recvmsg+0xf0/0x180\n __sys_recvmsg+0xea/0x1a0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe logic in tcp_bpf_recvmsg_parser is as follows:\n\nmsg_bytes_ready:\n\tcopied = sk_msg_recvmsg(sk, psock, msg, len, flags);\n\tif (!copied) {\n\t\twait data;\n\t\tgoto msg_bytes_ready;\n\t}\n\nIn this case, \"copied\" is always 0, so the infinite loop occurs.\n\nAccording to the Linux system call man page, 0 should be returned in this\ncase. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly\nreturn. Also modify several other functions with the same problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Avoid order-5 memory allocation for TPA data\n\nThe driver needs to keep track of all the possible concurrent TPA (GRO/LRO)\ncompletions on the aggregation ring.  On P5 chips, the maximum number\nof concurrent TPA is 256 and the amount of memory we allocate is order-5\non systems using 4K pages.  Memory allocation failure has been reported:\n\nNetworkManager: page allocation failure: order:5, mode:0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0-1\nCPU: 15 PID: 2995 Comm: NetworkManager Kdump: loaded Not tainted 5.10.156 #1\nHardware name: Dell Inc. PowerEdge R660/0M1CC5, BIOS 0.2.25 08/12/2022\nCall Trace:\n dump_stack+0x57/0x6e\n warn_alloc.cold.120+0x7b/0xdd\n ? _cond_resched+0x15/0x30\n ? __alloc_pages_direct_compact+0x15f/0x170\n __alloc_pages_slowpath.constprop.108+0xc58/0xc70\n __alloc_pages_nodemask+0x2d0/0x300\n kmalloc_order+0x24/0xe0\n kmalloc_order_trace+0x19/0x80\n bnxt_alloc_mem+0x1150/0x15c0 [bnxt_en]\n ? bnxt_get_func_stat_ctxs+0x13/0x60 [bnxt_en]\n __bnxt_open_nic+0x12e/0x780 [bnxt_en]\n bnxt_open+0x10b/0x240 [bnxt_en]\n __dev_open+0xe9/0x180\n __dev_change_flags+0x1af/0x220\n dev_change_flags+0x21/0x60\n do_setlink+0x35c/0x1100\n\nInstead of allocating this big chunk of memory and dividing it up for the\nconcurrent TPA instances, allocate each small chunk separately for each\nTPA instance.  This will reduce it to order-0 allocations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode\n\nWhen CONFIG_FRAME_POINTER is unset, the stack unwinding function\nwalk_stackframe randomly reads the stack and then, when KASAN is enabled,\nit can lead to the following backtrace:\n\n[    0.000000] ==================================================================\n[    0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a\n[    0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0\n[    0.000000]\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43\n[    0.000000] Hardware name: riscv-virtio,qemu (DT)\n[    0.000000] Call Trace:\n[    0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a\n[    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a\n[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a\n[    0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36\n[    0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8\n[    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a\n[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a\n[    0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8\n[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a\n[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a\n[    0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84\n[    0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6\n[    0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76\n[    0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e\n[    0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52\n[    0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84\n[    0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6\n[    0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20\n[    0.000000] [<ffffffff8015f22e>] __kasan_slab_alloc+0x58/0x5e\n[    0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a\n[    0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c\n[    0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e\n[    0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe\n[    0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca\n[    0.000000]\n[    0.000000] The buggy address belongs to stack of task swapper/0\n[    0.000000]  and is located at offset 0 in frame:\n[    0.000000]  stack_trace_save+0x0/0xa6\n[    0.000000]\n[    0.000000] This frame has 1 object:\n[    0.000000]  [32, 56) 'c'\n[    0.000000]\n[    0.000000] The buggy address belongs to the physical page:\n[    0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07\n[    0.000000] flags: 0x1000(reserved|zone=0)\n[    0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000\n[    0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff\n[    0.000000] page dumped because: kasan: bad access detected\n[    0.000000]\n[    0.000000] Memory state around the buggy address:\n[    0.000000]  ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    0.000000]  ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3\n[    0.000000]                                            ^\n[    0.000000]  ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[    0.000000]  ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    0.000000] ==================================================================\n\nFix that by using READ_ONCE_NOCHECK when reading the stack in imprecise\nmode.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix struct pid leaks in OOB support\n\nsyzbot reported struct pid leak [1].\n\nIssue is that queue_oob() calls maybe_add_creds() which potentially\nholds a reference on a pid.\n\nBut skb->destructor is not set (either directly or by calling\nunix_scm_to_skb())\n\nThis means that subsequent kfree_skb() or consume_skb() would leak\nthis reference.\n\nIn this fix, I chose to fully support scm even for the OOB message.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff8881053e7f80 (size 128):\ncomm \"syz-executor242\", pid 5066, jiffies 4294946079 (age 13.220s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180\n[<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285\n[<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684\n[<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825\n[<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n[<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: Fix use-after-free in cfusbl_device_notify()\n\nsyzbot reported use-after-free in cfusbl_device_notify() [1].  This\ncauses a stack trace like below:\n\nBUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138\nRead of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214\n\nCPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313\n print_report mm/kasan/report.c:429 [inline]\n kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491\n cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138\n notifier_call_chain+0xb5/0x200 kernel/notifier.c:87\n call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10227 [inline]\n netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341\n default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334\n ops_exit_list+0x125/0x170 net/core/net_namespace.c:167\n cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594\n process_one_work+0x996/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e9/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302\n </TASK>\n\nWhen unregistering a net device, unregister_netdevice_many_notify()\nsets the device's reg_state to NETREG_UNREGISTERING, calls notifiers\nwith NETDEV_UNREGISTER, and adds the device to the todo list.\n\nLater on, devices in the todo list are processed by 
netdev_run_todo().\nnetdev_run_todo() waits for devices' reference count to become 1 while\nrebroadcasting NETDEV_UNREGISTER notification.\n\nWhen cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple\ntimes, the parent device might be freed.  This could cause UAF.\nProcessing NETDEV_UNREGISTER multiple times also causes imbalance of\nreference count for the module.\n\nThis patch fixes the issue by accepting only the first NETDEV_UNREGISTER\nnotification.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties\n\ndevm_kmalloc_array may fail, *fw_vsc_cfg might be null and cause\nout-of-bounds write in device_property_read_u8_array later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Remove the /proc/scsi/${proc_name} directory earlier\n\nRemove the /proc/scsi/${proc_name} directory earlier to fix a race\ncondition between unloading and reloading kernel modules. This fixes a bug\nintroduced in 2009 by commit 77c019768f06 (\"[SCSI] fix /proc memory leak in\nthe SCSI core\").\n\nFix the following kernel warning:\n\nproc_dir_entry 'scsi/scsi_debug' already registered\nWARNING: CPU: 19 PID: 27986 at fs/proc/generic.c:376 proc_register+0x27d/0x2e0\nCall Trace:\n proc_mkdir+0xb5/0xe0\n scsi_proc_hostdir_add+0xb5/0x170\n scsi_host_alloc+0x683/0x6c0\n sdebug_driver_probe+0x6b/0x2d0 [scsi_debug]\n really_probe+0x159/0x540\n __driver_probe_device+0xdc/0x230\n driver_probe_device+0x4f/0x120\n __device_attach_driver+0xef/0x180\n bus_for_each_drv+0xe5/0x130\n __device_attach+0x127/0x290\n device_initial_probe+0x17/0x20\n bus_probe_device+0x110/0x130\n device_add+0x673/0xc80\n device_register+0x1e/0x30\n sdebug_add_host_helper+0x1a7/0x3b0 [scsi_debug]\n scsi_debug_init+0x64f/0x1000 [scsi_debug]\n do_one_initcall+0xd7/0x470\n do_init_module+0xe7/0x330\n load_module+0x122a/0x12c0\n __do_sys_finit_module+0x124/0x1a0\n __x64_sys_finit_module+0x46/0x50\n do_syscall_64+0x38/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()\n\nila_xlat_nl_cmd_get_mapping() generates an empty skb,\ntriggering a recent sanity check [1].\n\nInstead, return an error code, so that user space\ncan get it.\n\n[1]\nskb_assert_len\nWARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 skb_assert_len include/linux/skbuff.h:2527 [inline]\nWARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156\nModules linked in:\nCPU: 0 PID: 5923 Comm: syz-executor269 Not tainted 6.2.0-syzkaller-18300-g2ebd1fbb946d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : skb_assert_len include/linux/skbuff.h:2527 [inline]\npc : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156\nlr : skb_assert_len include/linux/skbuff.h:2527 [inline]\nlr : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156\nsp : ffff80001e0d6c40\nx29: ffff80001e0d6e60 x28: dfff800000000000 x27: ffff0000c86328c0\nx26: dfff800000000000 x25: ffff0000c8632990 x24: ffff0000c8632a00\nx23: 0000000000000000 x22: 1fffe000190c6542 x21: ffff0000c8632a10\nx20: ffff0000c8632a00 x19: ffff80001856e000 x18: ffff80001e0d5fc0\nx17: 0000000000000000 x16: ffff80001235d16c x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001\nx11: ff80800008353a30 x10: 0000000000000000 x9 : 21567eaf25bfb600\nx8 : 21567eaf25bfb600 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff80001e0d6558 x4 : ffff800015c74760 x3 : ffff800008596744\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000000e\nCall trace:\nskb_assert_len include/linux/skbuff.h:2527 [inline]\n__dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156\ndev_queue_xmit include/linux/netdevice.h:3033 [inline]\n__netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline]\n__netlink_deliver_tap+0x45c/0x6f8 net/netlink/af_netlink.c:325\nnetlink_deliver_tap+0xf4/0x174 net/netlink/af_netlink.c:338\n__netlink_sendskb net/netlink/af_netlink.c:1283 [inline]\nnetlink_sendskb+0x6c/0x154 net/netlink/af_netlink.c:1292\nnetlink_unicast+0x334/0x8d4 net/netlink/af_netlink.c:1380\nnlmsg_unicast include/net/netlink.h:1099 [inline]\ngenlmsg_unicast include/net/genetlink.h:433 [inline]\ngenlmsg_reply include/net/genetlink.h:443 [inline]\nila_xlat_nl_cmd_get_mapping+0x620/0x7d0 net/ipv6/ila/ila_xlat.c:493\ngenl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]\ngenl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\ngenl_rcv_msg+0x938/0xc1c net/netlink/genetlink.c:1065\nnetlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574\ngenl_rcv+0x38/0x50 net/netlink/genetlink.c:1076\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x800/0xae0 net/netlink/af_netlink.c:1942\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n____sys_sendmsg+0x558/0x844 net/socket.c:2479\n___sys_sendmsg net/socket.c:2533 [inline]\n__sys_sendmsg+0x26c/0x33c net/socket.c:2562\n__do_sys_sendmsg net/socket.c:2571 [inline]\n__se_sys_sendmsg net/socket.c:2569 [inline]\n__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2569\n__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\ninvoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52\nel0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142\ndo_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193\nel0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637\nel0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nirq event stamp: 136484\nhardirqs last enabled at (136483): [<ffff800008350244>] __up_console_sem+0x60/0xb4 kernel/printk/printk.c:345\nhardirqs last disabled at (136484): [<ffff800012358d60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405\nsoftirqs last enabled at (136418): [<ffff800008020ea8>] softirq_ha\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: copy last block omitted in ice_get_module_eeprom()\n\nice_get_module_eeprom() is broken since commit e9c9692c8a81 (\"ice:\nReimplement module reads used by ethtool\") In this refactor,\nice_get_module_eeprom() reads the eeprom in blocks of size 8.\nBut the condition that should protect the buffer overflow\nignores the last block. The last block always contains zeros.\n\nBug uncovered by ethtool upstream commit 9538f384b535\n(\"netlink: eeprom: Defer page requests to individual parsers\")\nAfter this commit, ethtool reads a block with length = 1;\nto read the SFF-8024 identifier value.\n\nunpatched driver:\n$ ethtool -m enp65s0f0np0 offset 0x90 length 8\nOffset          Values\n------          ------\n0x0090:         00 00 00 00 00 00 00 00\n$ ethtool -m enp65s0f0np0 offset 0x90 length 12\nOffset          Values\n------          ------\n0x0090:         00 00 01 a0 4d 65 6c 6c 00 00 00 00\n$\n\n$ ethtool -m enp65s0f0np0\nOffset          Values\n------          ------\n0x0000:         11 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0010:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0020:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0030:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0040:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0050:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0x0060:         00 00 00 00 00 00 00 00 00 00 00 00 00 01 08 00\n0x0070:         00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\npatched driver:\n$ ethtool -m enp65s0f0np0 offset 0x90 length 8\nOffset          Values\n------          ------\n0x0090:         00 00 01 a0 4d 65 6c 6c\n$ ethtool -m enp65s0f0np0 offset 0x90 length 12\nOffset          Values\n------          ------\n0x0090:         00 00 01 a0 4d 65 6c 6c 61 6e 6f 78\n$ ethtool -m enp65s0f0np0\n    Identifier                                : 0x11 (QSFP28)\n    
Extended identifier                       : 0x00\n    Extended identifier description           : 1.5W max. Power consumption\n    Extended identifier description           : No CDR in TX, No CDR in RX\n    Extended identifier description           : High Power Class (> 3.5 W) not enabled\n    Connector                                 : 0x23 (No separable connector)\n    Transceiver codes                         : 0x88 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n    Transceiver type                          : 40G Ethernet: 40G Base-CR4\n    Transceiver type                          : 25G Ethernet: 25G Base-CR CA-N\n    Encoding                                  : 0x05 (64B/66B)\n    BR, Nominal                               : 25500Mbps\n    Rate identifier                           : 0x00\n    Length (SMF,km)                           : 0km\n    Length (OM3 50um)                         : 0m\n    Length (OM2 50um)                         : 0m\n    Length (OM1 62.5um)                       : 0m\n    Length (Copper or Active cable)           : 1m\n    Transmitter technology                    : 0xa0 (Copper cable unequalized)\n    Attenuation at 2.5GHz                     : 4db\n    Attenuation at 5.0GHz                     : 5db\n    Attenuation at 7.0GHz                     : 7db\n    Attenuation at 12.9GHz                    : 10db\n    ........\n    ....",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix another off-by-one fsmap error on 1k block filesystems\n\nApparently syzbot figured out that issuing this FSMAP call:\n\nstruct fsmap_head cmd = {\n\t.fmh_count\t= ...;\n\t.fmh_keys\t= {\n\t\t{ .fmr_device = /* ext4 dev */, .fmr_physical = 0, },\n\t\t{ .fmr_device = /* ext4 dev */, .fmr_physical = 0, },\n\t},\n...\n};\nret = ioctl(fd, FS_IOC_GETFSMAP, &cmd);\n\nProduces this crash if the underlying filesystem is a 1k-block ext4\nfilesystem:\n\nkernel BUG at fs/ext4/ext4.h:3331!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 3 PID: 3227965 Comm: xfs_io Tainted: G        W  O       6.2.0-rc8-achx\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:ext4_mb_load_buddy_gfp+0x47c/0x570 [ext4]\nRSP: 0018:ffffc90007c03998 EFLAGS: 00010246\nRAX: ffff888004978000 RBX: ffffc90007c03a20 RCX: ffff888041618000\nRDX: 0000000000000000 RSI: 00000000000005a4 RDI: ffffffffa0c99b11\nRBP: ffff888012330000 R08: ffffffffa0c2b7d0 R09: 0000000000000400\nR10: ffffc90007c03950 R11: 0000000000000000 R12: 0000000000000001\nR13: 00000000ffffffff R14: 0000000000000c40 R15: ffff88802678c398\nFS:  00007fdf2020c880(0000) GS:ffff88807e100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd318a5fe8 CR3: 000000007f80f001 CR4: 00000000001706e0\nCall Trace:\n <TASK>\n ext4_mballoc_query_range+0x4b/0x210 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]\n ext4_getfsmap_datadev+0x713/0x890 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]\n ext4_getfsmap+0x2b7/0x330 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]\n ext4_ioc_getfsmap+0x153/0x2b0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]\n __ext4_ioctl+0x2a7/0x17e0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80]\n __x64_sys_ioctl+0x82/0xa0\n do_syscall_64+0x2b/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fdf20558aff\nRSP: 002b:00007ffd318a9e30 EFLAGS: 
00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00000000000200c0 RCX: 00007fdf20558aff\nRDX: 00007fdf1feb2010 RSI: 00000000c0c0583b RDI: 0000000000000003\nRBP: 00005625c0634be0 R08: 00005625c0634c40 R09: 0000000000000001\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fdf1feb2010\nR13: 00005625be70d994 R14: 0000000000000800 R15: 0000000000000000\n\nFor GETFSMAP calls, the caller selects a physical block device by\nwriting its block number into fsmap_head.fmh_keys[01].fmr_device.\nTo query mappings for a subrange of the device, the starting byte of the\nrange is written to fsmap_head.fmh_keys[0].fmr_physical and the last\nbyte of the range goes in fsmap_head.fmh_keys[1].fmr_physical.\n\nIOWs, to query what mappings overlap with bytes 3-14 of /dev/sda, you'd\nset the inputs as follows:\n\n\tfmh_keys[0] = { .fmr_device = major(8, 0), .fmr_physical = 3},\n\tfmh_keys[1] = { .fmr_device = major(8, 0), .fmr_physical = 14},\n\nWhich would return you whatever is mapped in the 12 bytes starting at\nphysical offset 3.\n\nThe crash is due to insufficient range validation of keys[1] in\next4_getfsmap_datadev.  On 1k-block filesystems, block 0 is not part of\nthe filesystem, which means that s_first_data_block is nonzero.\next4_get_group_no_and_offset subtracts this quantity from the blocknr\nargument before cracking it into a group number and a block number\nwithin a group.  IOWs, block group 0 spans blocks 1-8192 (1-based)\ninstead of 0-8191 (0-based) like what happens with larger blocksizes.\n\nThe net result of this encoding is that blocknr < s_first_data_block is\nnot a valid input to this function.  The end_fsb variable is set from\nthe keys that are copied from userspace, which means that in the above\nexample, its value is zero.  
That leads to an underflow here:\n\n\tblocknr = blocknr - le32_to_cpu(es->s_first_data_block);\n\nThe division then operates on -1:\n\n\toffset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >>\n\t\tEXT4_SB(sb)->s_cluster_bits;\n\nLeaving an impossibly large group number (2^32-1) in blocknr.\next4_getfsmap_check_keys checked that keys[0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix wrong kunmap when using LZMA on HIGHMEM platforms\n\nAs the call trace shows, the root cause is kunmapping incorrect pages:\n\n BUG: kernel NULL pointer dereference, address: 00000000\n CPU: 1 PID: 40 Comm: kworker/u5:0 Not tainted 6.2.0-rc5 #4\n Workqueue: erofs_worker z_erofs_decompressqueue_work\n EIP: z_erofs_lzma_decompress+0x34b/0x8ac\n  z_erofs_decompress+0x12/0x14\n  z_erofs_decompress_queue+0x7e7/0xb1c\n  z_erofs_decompressqueue_work+0x32/0x60\n  process_one_work+0x24b/0x4d8\n  ? process_one_work+0x1a4/0x4d8\n  worker_thread+0x14c/0x3fc\n  kthread+0xe6/0x10c\n  ? rescuer_thread+0x358/0x358\n  ? kthread_complete_and_exit+0x18/0x18\n  ret_from_fork+0x1c/0x28\n ---[ end trace 0000000000000000 ]---\n\nThe bug is trivial and should be fixed now.  It has no impact on\n!HIGHMEM platforms.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition\n\nIn btsdio_probe, the data->work is bound with btsdio_work. It will be\nstarted in btsdio_send_frame.\n\nIf the btsdio_remove runs with an unfinished work, there may be a race\ncondition that hdev is freed but used in btsdio_work. Fix it by\ncanceling the work before doing cleanup in btsdio_remove.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()\n\nIn dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach dw2102_i2c_transfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 950e252cb469\n(\"[media] dw2102: limit messages to buffer size\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: add NULL check in xfrm_update_ae_params\n\nNormally, x->replay_esn and x->preplay_esn should be allocated at\nxfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the\nxfrm_update_ae_params(...) is okay to update them. However, the current\nimplementation of xfrm_new_ae(...) allows a malicious user to directly\ndereference a NULL pointer and crash the kernel like below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4\nRIP: 0010:memcpy_orig+0xad/0x140\nCode: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c\nRSP: 0018:ffff888008f57658 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571\nRDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818\nR13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000\nFS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n ? __die+0x1f/0x70\n ? page_fault_oops+0x1e8/0x500\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? fixup_exception+0x36/0x460\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? exc_page_fault+0x5e/0xc0\n ? asm_exc_page_fault+0x26/0x30\n ? xfrm_update_ae_params+0xd1/0x260\n ? memcpy_orig+0xad/0x140\n ? 
__pfx__raw_spin_lock_bh+0x10/0x10\n xfrm_update_ae_params+0xe7/0x260\n xfrm_new_ae+0x298/0x4e0\n ? __pfx_xfrm_new_ae+0x10/0x10\n ? __pfx_xfrm_new_ae+0x10/0x10\n xfrm_user_rcv_msg+0x25a/0x410\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __alloc_skb+0xcf/0x210\n ? stack_trace_save+0x90/0xd0\n ? filter_irq_stacks+0x1c/0x70\n ? __stack_depot_save+0x39/0x4e0\n ? __kasan_slab_free+0x10a/0x190\n ? kmem_cache_free+0x9c/0x340\n ? netlink_recvmsg+0x23c/0x660\n ? sock_recvmsg+0xeb/0xf0\n ? __sys_recvfrom+0x13c/0x1f0\n ? __x64_sys_recvfrom+0x71/0x90\n ? do_syscall_64+0x3f/0x90\n ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n ? copyout+0x3e/0x50\n netlink_rcv_skb+0xd6/0x210\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __pfx_netlink_rcv_skb+0x10/0x10\n ? __pfx_sock_has_perm+0x10/0x10\n ? mutex_lock+0x8d/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n xfrm_netlink_rcv+0x44/0x50\n netlink_unicast+0x36f/0x4c0\n ? __pfx_netlink_unicast+0x10/0x10\n ? netlink_recvmsg+0x500/0x660\n netlink_sendmsg+0x3b7/0x700\n\nThis Null-ptr-deref bug is assigned CVE-2023-3772. And this commit\nadds additional NULL check in xfrm_update_ae_params to fix the NPD.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix igb_down hung on surprise removal\n\nIn a setup where a Thunderbolt hub connects to Ethernet and a display\nthrough USB Type-C, users may experience a hung task timeout when they\nremove the cable between the PC and the Thunderbolt hub.\nThis is because the igb_down function is called multiple times when\nthe Thunderbolt hub is unplugged. For example, the igb_io_error_detected\ntriggers the first call, and the igb_remove triggers the second call.\nThe second call to igb_down will block at napi_synchronize.\nHere's the call trace:\n    __schedule+0x3b0/0xddb\n    ? __mod_timer+0x164/0x5d3\n    schedule+0x44/0xa8\n    schedule_timeout+0xb2/0x2a4\n    ? run_local_timers+0x4e/0x4e\n    msleep+0x31/0x38\n    igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4]\n    __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4]\n    igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4]\n    __dev_close_many+0x95/0xec\n    dev_close_many+0x6e/0x103\n    unregister_netdevice_many+0x105/0x5b1\n    unregister_netdevice_queue+0xc2/0x10d\n    unregister_netdev+0x1c/0x23\n    igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4]\n    pci_device_remove+0x3f/0x9c\n    device_release_driver_internal+0xfe/0x1b4\n    pci_stop_bus_device+0x5b/0x7f\n    pci_stop_bus_device+0x30/0x7f\n    pci_stop_bus_device+0x30/0x7f\n    pci_stop_and_remove_bus_device+0x12/0x19\n    pciehp_unconfigure_device+0x76/0xe9\n    pciehp_disable_slot+0x6e/0x131\n    pciehp_handle_presence_or_link_change+0x7a/0x3f7\n    pciehp_ist+0xbe/0x194\n    irq_thread_fn+0x22/0x4d\n    ? irq_thread+0x1fd/0x1fd\n    irq_thread+0x17b/0x1fd\n    ? irq_forced_thread_fn+0x5f/0x5f\n    kthread+0x142/0x153\n    ? __irq_get_irqchip_state+0x46/0x46\n    ? 
kthread_associate_blkcg+0x71/0x71\n    ret_from_fork+0x1f/0x30\n\nIn this case, igb_io_error_detected detaches the network interface\nand requests a PCIE slot reset, however, the PCIE reset callback is\nnot being invoked and thus the Ethernet connection breaks down.\nAs the PCIE error in this case is a non-fatal one, requesting a\nslot reset can be avoided.\nThis patch fixes the task hung issue and preserves Ethernet\nconnection by ignoring non-fatal PCIE errors.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid deadlock in fs reclaim with page writeback\n\nExt4 has a filesystem wide lock protecting ext4_writepages() calls to\navoid races with switching of journalled data flag or inode format. This\nlock can however cause a deadlock like:\n\nCPU0                            CPU1\n\next4_writepages()\n  percpu_down_read(sbi->s_writepages_rwsem);\n                                ext4_change_inode_journal_flag()\n                                  percpu_down_write(sbi->s_writepages_rwsem);\n                                    - blocks, all readers block from now on\n  ext4_do_writepages()\n    ext4_init_io_end()\n      kmem_cache_zalloc(io_end_cachep, GFP_KERNEL)\n        fs_reclaim frees dentry...\n          dentry_unlink_inode()\n            iput() - last ref =>\n              iput_final() - inode dirty =>\n                write_inode_now()...\n                  ext4_writepages() tries to acquire sbi->s_writepages_rwsem\n                    and blocks forever\n\nMake sure we cannot recurse into filesystem reclaim from writeback code\nto avoid the deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Pointer may be dereferenced\n\nKlocwork tool reported pointer 'rport' returned from call to function\nfc_bsg_to_rport() may be NULL and will be dereferenced.\n\nAdd a fix to validate rport before dereferencing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: prevent soft lockup while flush writes\n\nCurrently, there is no limit for raid1/raid10 plugged bio. While flushing\nwrites, raid1 has cond_resched() while raid10 doesn't, and too many\nwrites can cause soft lockup.\n\nFollow up soft lockup can be triggered easily with writeback test for\nraid10 with ramdisks:\n\nwatchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293]\nCall Trace:\n <TASK>\n call_rcu+0x16/0x20\n put_object+0x41/0x80\n __delete_object+0x50/0x90\n delete_object_full+0x2b/0x40\n kmemleak_free+0x46/0xa0\n slab_free_freelist_hook.constprop.0+0xed/0x1a0\n kmem_cache_free+0xfd/0x300\n mempool_free_slab+0x1f/0x30\n mempool_free+0x3a/0x100\n bio_free+0x59/0x80\n bio_put+0xcf/0x2c0\n free_r10bio+0xbf/0xf0\n raid_end_bio_io+0x78/0xb0\n one_write_done+0x8a/0xa0\n raid10_end_write_request+0x1b4/0x430\n bio_endio+0x175/0x320\n brd_submit_bio+0x3b9/0x9b7 [brd]\n __submit_bio+0x69/0xe0\n submit_bio_noacct_nocheck+0x1e6/0x5a0\n submit_bio_noacct+0x38c/0x7e0\n flush_pending_writes+0xf0/0x240\n raid10d+0xac/0x1ed0\n\nFix the problem by adding cond_resched() to raid10 like what raid1 did.\n\nNote that unlimited plugged bio still need to be optimized, for example,\nin the case of lots of dirty pages writeback, this will take lots of\nmemory and io will spend a long time in plug, hence io latency is bad.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix calltrace warning in amddrm_buddy_fini\n\nThe following call trace is observed when removing the amdgpu driver, which\nis caused by that BOs allocated for psp are not freed until removing.\n\n[61811.450562] RIP: 0010:amddrm_buddy_fini.cold+0x29/0x47 [amddrm_buddy]\n[61811.450577] Call Trace:\n[61811.450577]  <TASK>\n[61811.450579]  amdgpu_vram_mgr_fini+0x135/0x1c0 [amdgpu]\n[61811.450728]  amdgpu_ttm_fini+0x207/0x290 [amdgpu]\n[61811.450870]  amdgpu_bo_fini+0x27/0xa0 [amdgpu]\n[61811.451012]  gmc_v9_0_sw_fini+0x4a/0x60 [amdgpu]\n[61811.451166]  amdgpu_device_fini_sw+0x117/0x520 [amdgpu]\n[61811.451306]  amdgpu_driver_release_kms+0x16/0x30 [amdgpu]\n[61811.451447]  devm_drm_dev_init_release+0x4d/0x80 [drm]\n[61811.451466]  devm_action_release+0x15/0x20\n[61811.451469]  release_nodes+0x40/0xb0\n[61811.451471]  devres_release_all+0x9b/0xd0\n[61811.451473]  __device_release_driver+0x1bb/0x2a0\n[61811.451476]  driver_detach+0xf3/0x140\n[61811.451479]  bus_remove_driver+0x6c/0xf0\n[61811.451481]  driver_unregister+0x31/0x60\n[61811.451483]  pci_unregister_driver+0x40/0x90\n[61811.451486]  amdgpu_exit+0x15/0x447 [amdgpu]\n\nFor smu v13_0_2, if the GPU supports xgmi, refer to\n\ncommit f5c7e7797060 (\"drm/amdgpu: Adjust removal control flow for smu v13_0_2\"),\n\nit will run gpu recover in AMDGPU_RESET_FOR_DEVICE_REMOVE mode when removing,\nwhich makes all devices in hive list have hw reset but no resume except the\nbasic ip blocks, then other ip blocks will not call .hw_fini according to\nip_block.status.hw.\n\nSince psp_free_shared_bufs just includes some software operations, so move\nit to psp_sw_fini.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Fix use after free for wext\n\nKey information in wext.connect is not reset on (re)connect and can hold\ndata from a previous connection.\n\nReset key data to avoid that drivers or mac80211 incorrectly detect a\nWEP connection request and access the freed or already reused memory.\n\nAdditionally optimize cfg80211_sme_connect() and avoid an useless\nschedule of conn_work.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: don't hold ni_lock when calling truncate_setsize()\n\nsyzbot is reporting hung task at do_user_addr_fault() [1], for there is\na silent deadlock between PG_locked bit and ni_lock lock.\n\nSince filemap_update_page() calls filemap_read_folio() after calling\nfolio_trylock() which will set PG_locked bit, ntfs_truncate() must not\ncall truncate_setsize() which will wait for PG_locked bit to be cleared\nwhen holding ni_lock lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe\n\nof_irq_find_parent() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix uninitialized array access for some pathnames\n\nFor filenames that begin with . and are between 2 and 5 characters long,\nUDF charset conversion code would read uninitialized memory in the\noutput buffer. The only practical impact is that the name may be prepended a\n\"unification hash\" when it is not actually needed but still it is good\nto fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq25890: Fix external_power_changed race\n\nbq25890_charger_external_power_changed() dereferences bq->charger,\nwhich gets sets in bq25890_power_supply_init() like this:\n\n  bq->charger = devm_power_supply_register(bq->dev, &bq->desc, &psy_cfg);\n\nAs soon as devm_power_supply_register() has called device_add()\nthe external_power_changed callback can get called. So there is a window\nwhere bq25890_charger_external_power_changed() may get called while\nbq->charger has not been set yet leading to a NULL pointer dereference.\n\nThis race hits during boot sometimes on a Lenovo Yoga Book 1 yb1-x90f\nwhen the cht_wcove_pwrsrc (extcon) power_supply is done with detecting\nthe connected charger-type which happens to exactly hit the small window:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  <snip>\n  RIP: 0010:__power_supply_is_supplied_by+0xb/0xb0\n  <snip>\n  Call Trace:\n   <TASK>\n   __power_supply_get_supplier_property+0x19/0x50\n   class_for_each_device+0xb1/0xe0\n   power_supply_get_property_from_supplier+0x2e/0x50\n   bq25890_charger_external_power_changed+0x38/0x1b0 [bq25890_charger]\n   __power_supply_changed_work+0x30/0x40\n   class_for_each_device+0xb1/0xe0\n   power_supply_changed_work+0x5f/0xe0\n  <snip>\n\nFixing this is easy. The external_power_changed callback gets passed\nthe power_supply which will eventually get stored in bq->charger,\nso bq25890_charger_external_power_changed() can simply directly use\nthe passed in psy argument which is always valid.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix null pointer dereference in tracing_err_log_open()\n\nFix an issue in function 'tracing_err_log_open'.\nThe function doesn't call 'seq_open' if the file is opened only with\nwrite permissions, which results in 'file->private_data' being left as null.\nIf we then use 'lseek' on that opened file, 'seq_lseek' dereferences\n'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.\nWriting to this node requires root privileges, therefore this bug\nhas very little security impact.\n\nTracefs node: /sys/kernel/tracing/error_log\n\nExample Kernel panic:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000038\nCall trace:\n mutex_lock+0x30/0x110\n seq_lseek+0x34/0xb8\n __arm64_sys_lseek+0x6c/0xb8\n invoke_syscall+0x58/0x13c\n el0_svc_common+0xc4/0x10c\n do_el0_svc+0x24/0x98\n el0_svc+0x24/0x88\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x1b4/0x1b8\nCode: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)\n---[ end trace 561d1b49c12cf8a5 ]---\nKernel panic - not syncing: Oops: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ucsi_acpi: Increase the command completion timeout\n\nCommit 130a96d698d7 (\"usb: typec: ucsi: acpi: Increase command\ncompletion timeout value\") increased the timeout from 5 seconds\nto 60 seconds due to issues related to alternate mode discovery.\n\nAfter the alternate mode discovery switch to polled mode\nthe timeout was reduced, but instead of being set back to\n5 seconds it was reduced to 1 second.\n\nThis is causing problems when using a Lenovo ThinkPad X1 yoga gen7\nconnected over Type-C to a LG 27UL850-W (charging DP over Type-C).\n\nWhen the monitor is already connected at boot the following error\nis logged: \"PPM init failed (-110)\", /sys/class/typec is empty and\non unplugging the NULL pointer deref fixed earlier in this series\nhappens.\n\nWhen the monitor is connected after boot the following error\nis logged instead: \"GET_CONNECTOR_STATUS failed (-110)\".\n\nSetting the timeout back to 5 seconds fixes both cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/resctrl: Clear staged_config[] before and after it is used\n\nAs a temporary storage, staged_config[] in rdt_domain should be cleared\nbefore and after it is used. The stale value in staged_config[] could\ncause an MSR access error.\n\nHere is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3\nCache (MBA should be disabled if the number of CLOSIDs for MB is less than\n16.) :\n\tmount -t resctrl resctrl -o cdp /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..7}\n\tumount /sys/fs/resctrl/\n\tmount -t resctrl resctrl /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..8}\n\nAn error occurs when creating resource group named p8:\n    unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60)\n    Call Trace:\n     <IRQ>\n     __flush_smp_call_function_queue+0x11d/0x170\n     __sysvec_call_function+0x24/0xd0\n     sysvec_call_function+0x89/0xc0\n     </IRQ>\n     <TASK>\n     asm_sysvec_call_function+0x16/0x20\n\nWhen creating a new resource control group, hardware will be configured\nby the following process:\n    rdtgroup_mkdir()\n      rdtgroup_mkdir_ctrl_mon()\n        rdtgroup_init_alloc()\n          resctrl_arch_update_domains()\n\nresctrl_arch_update_domains() iterates and updates all resctrl_conf_type\nwhose have_new_ctrl is true. Since staged_config[] holds the same values as\nwhen CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA\nconfigurations. When group p8 is created, get_config_index() called in\nresctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for\nCDP_CODE and CDP_DATA, which will be translated to an invalid register -\n0xca0 in this scenario.\n\nFix it by clearing staged_config[] before and after it is used.\n\n[reinette: re-order commit tags]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: Removed unneeded of_node_put in felix_parse_ports_node\n\nRemove unnecessary of_node_put from the continue path to prevent\nchild node from being released twice, which could avoid resource\nleak or other unexpected issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: prevent underflow of locked_vm via exec()\n\nWhen a vfio container is preserved across exec, the task does not change,\nbut it gets a new mm with locked_vm=0, and loses the count from existing\ndma mappings.  If the user later unmaps a dma mapping, locked_vm underflows\nto a large unsigned value, and a subsequent dma map request fails with\nENOMEM in __account_locked_vm.\n\nTo avoid underflow, grab and save the mm at the time a dma is mapped.\nUse that mm when adjusting locked_vm, rather than re-acquiring the saved\ntask's mm, which may have changed.  If the saved mm is dead, do nothing.\n\nlocked_vm is incremented for existing mappings in a subsequent patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds\n\nCommit 56124d6c87fd (\"fsverity: support enabling with tree block size <\nPAGE_SIZE\") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read\nthe file's data, instead of direct pagecache accesses.\n\nAn unintended consequence of this is that the\n'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became\nreachable by fuzz tests.  This happens if FS_IOC_ENABLE_VERITY is called\non a fd opened with access mode 3, which means \"ioctl access only\".\n\nArguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds.  But\nioctl-only fds are a weird Linux extension that is rarely used and that\nfew people even know about.  (The documentation for FS_IOC_ENABLE_VERITY\neven specifically says it requires O_RDONLY.)  It's probably not\nworthwhile to make the ioctl internally open a new fd just to handle\nthis case.  Thus, just reject the ioctl on such fds for now.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: pcn_uart: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix possible memory leak if device_add() fails\n\nIf device_add() returns error, the name allocated by dev_set_name() needs\nbe freed. As the comment of device_add() says, put_device() should be used\nto decrease the reference count in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation\n\nWhen a Linux VM with an assigned PCI device runs on Hyper-V, if the PCI\ndevice driver is not loaded yet (i.e. MSI-X/MSI is not enabled on the\ndevice yet), doing a VM hibernation triggers a panic in\nhv_pci_restore_msi_msg() -> msi_lock_descs(&pdev->dev), because\npdev->dev.msi.data is still NULL.\n\nAvoid the panic by checking if MSI-X/MSI is enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Reinit port->pm on port specific driver unbind\n\nWhen we unbind a serial port hardware specific 8250 driver, the generic\nserial8250 driver takes over the port. After that we see an oops about 10\nseconds later. This can produce the following at least on some TI SoCs:\n\nUnhandled fault: imprecise external abort (0x1406)\nInternal error: : 1406 [#1] SMP ARM\n\nTurns out that we may still have the serial port hardware specific driver\nport->pm in use, and serial8250_pm() tries to call it after the port\nspecific driver is gone:\n\nserial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base]\nuart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base]\nuart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c\n__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c\ndisassociate_ctty from do_exit+0x744/0xaac\ndo_exit from do_group_exit+0x40/0x8c\ndo_group_exit from __wake_up_parent+0x0/0x1c\n\nLet's fix the issue by calling serial8250_set_defaults() in\nserial8250_unregister_port(). This will set the port back to using\nthe serial8250 default functions, and sets the port->pm to point to\nserial8250_pm.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hi846: fix usage of pm_runtime_get_if_in_use()\n\npm_runtime_get_if_in_use() does not only return nonzero values when\nthe device is in use, it can return a negative errno too.\n\nAnd especially during resuming from system suspend, when runtime pm\nis not yet up again, -EAGAIN is being returned, so the subsequent\npm_runtime_put() call results in a refcount underflow.\n\nFix system-resume by handling -EAGAIN of pm_runtime_get_if_in_use().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix zswap writeback race condition\n\nThe zswap writeback mechanism can cause a race condition resulting in\nmemory corruption, where a swapped out page gets swapped in with data that\nwas written to a different page.\n\nThe race unfolds like this:\n1. a page with data A and swap offset X is stored in zswap\n2. page A is removed off the LRU by zpool driver for writeback in\n   zswap-shrink work, data for A is mapped by zpool driver\n3. user space program faults and invalidates page entry A, offset X is\n   considered free\n4. kswapd stores page B at offset X in zswap (zswap could also be\n   full, if so, page B would then be IOed to X, then skip step 5.)\n5. entry A is replaced by B in tree->rbroot, this doesn't affect the\n   local reference held by zswap-shrink work\n6. zswap-shrink work writes back A at X, and frees zswap entry A\n7. swapin of slot X brings A in memory instead of B\n\nThe fix:\nOnce the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),\nzswap-shrink work just checks that the local zswap_entry reference is\nstill the same as the one in the tree.  If it's not the same it means that\nit's either been invalidated or replaced, in both cases the writeback is\naborted because the local entry contains stale data.\n\nReproducer:\nI originally found this by running `stress` overnight to validate my work\non the zswap writeback mechanism, it manifested after hours on my test\nmachine.  The key to make it happen is having zswap writebacks, so\nwhatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do\nthe trick.\n\nIn order to reproduce this faster on a vm, I setup a system with ~100M of\navailable memory and a 500M swap file, then running `stress --vm 1\n--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens\nof minutes.  One can speed things up even more by swinging\n/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20\nand 1; this makes it reproduce in tens of seconds.  It's crucial to set\n`--vm-stride` to something other than 4096 otherwise `stress` won't\nrealize that memory has been corrupted because all pages would have the\nsame data.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c\n\nThe missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can\nlead to the use of wrong `CIDR_POS(c)` for calculating array offsets,\nwhich can lead to integer underflow. As a result, it leads to slab\nout-of-bound access.\nThis patch adds back the IP_SET_HASH_WITH_NET0 macro to\nip_set_hash_netportnet to address the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid NULL pointer access during management transmit cleanup\n\nCurrently 'ar' reference is not added in skb_cb.\nThough this is generally not used during transmit completion\ncallbacks, on interface removal the remaining idr cleanup callback\nuses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them\nduring transmit call for proper usage to avoid NULL pointer dereference.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/dma-resv: Stop leaking on krealloc() failure\n\nCurrently dma_resv_get_fences() will leak the previously\nallocated array if the fence iteration got restarted and\nthe krealloc_array() fails.\n\nFree the old array by hand, and make sure we still clear\nthe returned *fences so the caller won't end up accessing\nfreed memory. Some (but not all) of the callers of\ndma_resv_get_fences() seem to still trawl through the\narray even when dma_resv_get_fences() failed. And let's\nzero out *num_fences as well for good measure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid undefined behavior: applying zero offset to null pointer\n\nACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e\n\nBefore this change we see the following UBSAN stack trace in Fuchsia:\n\n  #0    0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 <platform-bus-x86.so>+0x233302\n  #1.2  0x000020d0f660777f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 <libclang_rt.asan.so>+0x3d77f\n  #1.1  0x000020d0f660777f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 <libclang_rt.asan.so>+0x3d77f\n  #1    0x000020d0f660777f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 <libclang_rt.asan.so>+0x3d77f\n  #2    0x000020d0f660b96d in handlepointer_overflow_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:809 <libclang_rt.asan.so>+0x4196d\n  #3    0x000020d0f660b50d in compiler-rt/lib/ubsan/ubsan_handlers.cpp:815 <libclang_rt.asan.so>+0x4150d\n  #4    0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 <platform-bus-x86.so>+0x233302\n  #5    0x000021e4213e2369 in acpi_ds_call_control_method(struct acpi_thread_state*, struct acpi_walk_state*, union acpi_parse_object*) ../../third_party/acpica/source/components/dispatcher/dsmethod.c:605 <platform-bus-x86.so>+0x262369\n  #6    0x000021e421437fac in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:550 <platform-bus-x86.so>+0x2b7fac\n  #7    0x000021e4214464d2 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 <platform-bus-x86.so>+0x2c64d2\n  #8    0x000021e4213aa052 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 <platform-bus-x86.so>+0x22a052\n  #9    0x000021e421413dd8 in acpi_ns_init_one_device(acpi_handle, u32, void*, void**) ../../third_party/acpica/source/components/namespace/nsinit.c:735 <platform-bus-x86.so>+0x293dd8\n  #10   0x000021e421429e98 in acpi_ns_walk_namespace(acpi_object_type, acpi_handle, u32, u32, acpi_walk_callback, acpi_walk_callback, void*, void**) ../../third_party/acpica/source/components/namespace/nswalk.c:298 <platform-bus-x86.so>+0x2a9e98\n  #11   0x000021e4214131ac in acpi_ns_initialize_devices(u32) ../../third_party/acpica/source/components/namespace/nsinit.c:268 <platform-bus-x86.so>+0x2931ac\n  #12   0x000021e42147c40d in acpi_initialize_objects(u32) ../../third_party/acpica/source/components/utilities/utxfinit.c:304 <platform-bus-x86.so>+0x2fc40d\n  #13   0x000021e42126d603 in acpi::acpi_impl::initialize_acpi(acpi::acpi_impl*) ../../src/devices/board/lib/acpi/acpi-impl.cc:224 <platform-bus-x86.so>+0xed603\n\nAdd a simple check that avoids incrementing a pointer by zero, but\notherwise behaves as before. Note that our findings are against ACPICA\n20221020, but the same code exists on master.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Set new vector length before reallocating\n\nAs part of fixing the allocation of the buffer for SVE state when changing\nSME vector length we introduced an immediate reallocation of the SVE state,\nthis is also done when changing the SVE vector length for consistency.\nUnfortunately this reallocation is done prior to writing the new vector\nlength to the task struct, meaning the allocation is done with the old\nvector length and can lead to memory corruption due to an undersized buffer\nbeing used.\n\nMove the update of the vector length before the allocation to ensure that\nthe new vector length is taken into account.\n\nFor some reason this isn't triggering any problems when running tests on\nthe arm64 fixes branch (even after repeated tries) but is triggering\nissues very often after merge into mainline.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.8"
        },
        {
          "id": "CVE-2023-53185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: don't allow to overwrite ENDPOINT0 attributes\n\nA bad USB device is able to construct a service connection response\nmessage with target endpoint being ENDPOINT0 which is reserved for\nHTC_CTRL_RSVD_SVC and should not be modified to be used for any other\nservices.\n\nReject such service connection responses.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: Fix a race between coalescing and releasing SKBs\n\nCommit 1effe8ca4e34 (\"skbuff: fix coalescing for page_pool fragment\nrecycling\") allowed coalescing to proceed with non page pool page and page\npool page when @from is cloned, i.e.\n\nto->pp_recycle    --> false\nfrom->pp_recycle  --> true\nskb_cloned(from)  --> true\n\nHowever, it actually requires skb_cloned(@from) to hold true until\ncoalescing finishes in this situation. If the other cloned SKB is\nreleased while the merging is in process, from_shinfo->nr_frags will be\nset to 0 toward the end of the function, causing the increment of frag\npage _refcount to be unexpectedly skipped resulting in inconsistent\nreference counts. Later when SKB(@to) is released, it frees the page\ndirectly even though the page pool page is still in use, leading to\nuse-after-free or double-free errors. So it should be prohibited.\n\nThe double-free error message below prompted us to investigate:\nBUG: Bad page state in process swapper/1  pfn:0e0d1\npage:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000\nindex:0x2 pfn:0xe0d1\nflags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\nraw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000\nraw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000\npage dumped because: nonzero _refcount\n\nCPU: 1 PID: 0 Comm: swapper/1 Tainted: G            E      6.2.0+\nCall Trace:\n <IRQ>\ndump_stack_lvl+0x32/0x50\nbad_page+0x69/0xf0\nfree_pcp_prepare+0x260/0x2f0\nfree_unref_page+0x20/0x1c0\nskb_release_data+0x10b/0x1a0\nnapi_consume_skb+0x56/0x150\nnet_rx_action+0xf0/0x350\n? __napi_schedule+0x79/0x90\n__do_softirq+0xc8/0x2b1\n__irq_exit_rcu+0xb9/0xf0\ncommon_interrupt+0x82/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0xb/0x20",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free of new block group that became unused\n\nIf a task creates a new block group and that block group becomes unused\nbefore we finish its creation, at btrfs_create_pending_block_groups(),\nthen when btrfs_mark_bg_unused() is called against the block group, we\nassume that the block group is currently in the list of block groups to\nreclaim, and we move it out of the list of new block groups and into the\nlist of unused block groups. This has two consequences:\n\n1) We move it out of the list of new block groups associated to the\n   current transaction. So the block group creation is not finished and\n   if we attempt to delete the bg because it's unused, we will not find\n   the block group item in the extent tree (or the new block group tree),\n   its device extent items in the device tree etc, resulting in the\n   deletion to fail due to the missing items;\n\n2) We don't increment the reference count on the block group when we\n   move it to the list of unused block groups, because we assumed the\n   block group was on the list of block groups to reclaim, and in that\n   case it already has the correct reference count. However the block\n   group was on the list of new block groups, in which case no extra\n   reference was taken because it's local to the current task. 
This\n   later results in doing an extra reference count decrement when\n   removing the block group from the unused list, eventually leading the\n   reference count to 0.\n\nThis second case was caught when running generic/297 from fstests, which\nproduced the following assertion failure and stack trace:\n\n  [589.559] assertion failed: refcount_read(&block_group->refs) == 1, in fs/btrfs/block-group.c:4299\n  [589.559] ------------[ cut here ]------------\n  [589.559] kernel BUG at fs/btrfs/block-group.c:4299!\n  [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.561] Code: 68 62 da c0 (...)\n  [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246\n  [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000\n  [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff\n  [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50\n  [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00\n  [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100\n  [589.563] FS:  00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000\n  [589.563] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0\n  [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [589.564] Call Trace:\n  [589.564]  <TASK>\n  [589.565]  ? __die_body+0x1b/0x60\n  [589.565]  ? die+0x39/0x60\n  [589.565]  ? do_trap+0xeb/0x110\n  [589.565]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.566]  ? 
do_error_trap+0x6a/0x90\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.566]  ? exc_invalid_op+0x4e/0x70\n  [589.566]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  ? asm_exc_invalid_op+0x16/0x20\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  ? btrfs_free_block_groups+0x449/0x4a0 [btrfs]\n  [589.567]  close_ctree+0x35d/0x560 [btrfs]\n  [589.568]  ? fsnotify_sb_delete+0x13e/0x1d0\n  [589.568]  ? dispose_list+0x3a/0x50\n  [589.568]  ? evict_inodes+0x151/0x1a0\n  [589.568]  generic_shutdown_super+0x73/0x1a0\n  [589.569]  kill_anon_super+0x14/0x30\n  [589.569]  btrfs_kill_super+0x12/0x20 [btrfs]\n  [589.569]  deactivate_locked\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53187"
        },
        {
          "id": "CVE-2023-53188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix race on port output\n\nassume the following setup on a single machine:\n1. An openvswitch instance with one bridge and default flows\n2. two network namespaces \"server\" and \"client\"\n3. two ovs interfaces \"server\" and \"client\" on the bridge\n4. for each ovs interface a veth pair with a matching name and 32 rx and\n   tx queues\n5. move the ends of the veth pairs to the respective network namespaces\n6. assign ip addresses to each of the veth ends in the namespaces (needs\n   to be the same subnet)\n7. start some http server on the server network namespace\n8. test if a client in the client namespace can reach the http server\n\nwhen following the actions below the host has a chance of getting a cpu\nstuck in a infinite loop:\n1. send a large amount of parallel requests to the http server (around\n   3000 curls should work)\n2. in parallel delete the network namespace (do not delete interfaces or\n   stop the server, just kill the namespace)\n\nthere is a low chance that this will cause the below kernel cpu stuck\nmessage. If this does not happen just retry.\nBelow there is also the output of bpftrace for the functions mentioned\nin the output.\n\nThe series of events happening here is:\n1. the network namespace is deleted calling\n   `unregister_netdevice_many_notify` somewhere in the process\n2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and\n   then runs `synchronize_net`\n3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`\n4. this is then handled by `dp_device_event` which calls\n   `ovs_netdev_detach_dev` (if a vport is found, which is the case for\n   the veth interface attached to ovs)\n5. this removes the rx_handlers of the device but does not prevent\n   packages to be sent to the device\n6. 
`dp_device_event` then queues the vport deletion to work in\n   background as a ovs_lock is needed that we do not hold in the\n   unregistration path\n7. `unregister_netdevice_many_notify` continues to call\n   `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0\n8. port deletion continues (but details are not relevant for this issue)\n9. at some future point the background task deletes the vport\n\nIf after 7. but before 9. a packet is send to the ovs vport (which is\nnot deleted at this point in time) which forwards it to the\n`dev_queue_xmit` flow even though the device is unregistering.\nIn `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is\na while loop (if the packet has a rx_queue recorded) that is infinite if\n`dev->real_num_tx_queues` is zero.\n\nTo prevent this from happening we update `do_output` to handle devices\nwithout carrier the same as if the device is not found (which would\nbe the code path after 9. is done).\n\nAdditionally we now produce a warning in `skb_tx_hash` if we will hit\nthe infinite loop.\n\nbpftrace (first word is function name):\n\n__dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1\nnetdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1\ndp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\ndp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2\novs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2\nnetdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, 
tid: 21024, reg_state: 2\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nnetdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2\ndp_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6/addrconf: fix a potential refcount underflow for idev\n\nNow in addrconf_mod_rs_timer(), reference idev depends on whether\nrs_timer is not pending. Then modify rs_timer timeout.\n\nThere is a time gap in [1], during which if the pending rs_timer\nbecomes not pending. It will miss to hold idev, but the rs_timer\nis activated. Thus rs_timer callback function addrconf_rs_timer()\nwill be executed and put idev later without holding idev. A refcount\nunderflow issue for idev can be caused by this.\n\n\tif (!timer_pending(&idev->rs_timer))\n\t\tin6_dev_hold(idev);\n\t\t  <--------------[1]\n\tmod_timer(&idev->rs_timer, jiffies + when);\n\nTo fix the issue, hold idev if mod_timer() return 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix memory leaks in error path\n\nThe memory allocated by vxlan_vnigroup_init() is not freed in the error\npath, leading to memory leaks [1]. Fix by calling\nvxlan_vnigroup_uninit() in the error path.\n\nThe leaks can be reproduced by annotating gro_cells_init() with\nALLOW_ERROR_INJECTION() and then running:\n\n # echo \"100\" > /sys/kernel/debug/fail_function/probability\n # echo \"1\" > /sys/kernel/debug/fail_function/times\n # echo \"gro_cells_init\" > /sys/kernel/debug/fail_function/inject\n # printf %#x -12 > /sys/kernel/debug/fail_function/gro_cells_init/retval\n # ip link add name vxlan0 type vxlan dstport 4789 external vnifilter\n RTNETLINK answers: Cannot allocate memory\n\n[1]\nunreferenced object 0xffff88810db84a00 (size 512):\n  comm \"ip\", pid 330, jiffies 4295010045 (age 66.016s)\n  hex dump (first 32 bytes):\n    f8 d5 76 0e 81 88 ff ff 01 00 00 00 00 00 00 02  ..v.............\n    03 00 04 00 48 00 00 00 00 00 00 01 04 00 01 00  ....H...........\n  backtrace:\n    [<ffffffff81a3097a>] kmalloc_trace+0x2a/0x60\n    [<ffffffff82f049fc>] vxlan_vnigroup_init+0x4c/0x160\n    [<ffffffff82ecd69e>] vxlan_init+0x1ae/0x280\n    [<ffffffff836858ca>] register_netdevice+0x57a/0x16d0\n    [<ffffffff82ef67b7>] __vxlan_dev_create+0x7c7/0xa50\n    [<ffffffff82ef6ce6>] vxlan_newlink+0xd6/0x130\n    [<ffffffff836d02ab>] __rtnl_newlink+0x112b/0x18a0\n    [<ffffffff836d0a8c>] rtnl_newlink+0x6c/0xa0\n    [<ffffffff836c0ddf>] rtnetlink_rcv_msg+0x43f/0xd40\n    [<ffffffff83908ce0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff839066af>] netlink_unicast+0x53f/0x810\n    [<ffffffff839072d8>] netlink_sendmsg+0x958/0xe70\n    [<ffffffff835c319f>] ____sys_sendmsg+0x78f/0xa90\n    [<ffffffff835cd6da>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff835cd94c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff8424da78>] do_syscall_64+0x38/0x80\nunreferenced object 0xffff88810e76d5f8 (size 192):\n 
 comm \"ip\", pid 330, jiffies 4295010045 (age 66.016s)\n  hex dump (first 32 bytes):\n    04 00 00 00 00 00 00 00 db e1 4f e7 00 00 00 00  ..........O.....\n    08 d6 76 0e 81 88 ff ff 08 d6 76 0e 81 88 ff ff  ..v.......v.....\n  backtrace:\n    [<ffffffff81a3162e>] __kmalloc_node+0x4e/0x90\n    [<ffffffff81a0e166>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff8276e1a3>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff8276f18b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff82f04a1c>] vxlan_vnigroup_init+0x6c/0x160\n    [<ffffffff82ecd69e>] vxlan_init+0x1ae/0x280\n    [<ffffffff836858ca>] register_netdevice+0x57a/0x16d0\n    [<ffffffff82ef67b7>] __vxlan_dev_create+0x7c7/0xa50\n    [<ffffffff82ef6ce6>] vxlan_newlink+0xd6/0x130\n    [<ffffffff836d02ab>] __rtnl_newlink+0x112b/0x18a0\n    [<ffffffff836d0a8c>] rtnl_newlink+0x6c/0xa0\n    [<ffffffff836c0ddf>] rtnetlink_rcv_msg+0x43f/0xd40\n    [<ffffffff83908ce0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff839066af>] netlink_unicast+0x53f/0x810\n    [<ffffffff839072d8>] netlink_sendmsg+0x958/0xe70\n    [<ffffffff835c319f>] ____sys_sendmsg+0x78f/0xa90",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains\n\nof_irq_find_parent() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix nexthop hash size\n\nThe nexthop code expects a 31 bit hash, such as what is returned by\nfib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash\nreturned by skb_get_hash() can lead to problems related to the fact that\n'int hash' is a negative number when the MSB is set.\n\nIn the case of hash threshold nexthop groups, nexthop_select_path_hthr()\nwill disproportionately select the first nexthop group entry. In the case\nof resilient nexthop groups, nexthop_select_path_res() may do an out of\nbounds access in nh_buckets[], for example:\n    hash = -912054133\n    num_nh_buckets = 2\n    bucket_index = 65535\n\nwhich leads to the following panic:\n\nBUG: unable to handle page fault for address: ffffc900025910c8\nPGD 100000067 P4D 100000067 PUD 10026b067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:nexthop_select_path+0x197/0xbf0\nCode: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85\nRSP: 0018:ffff88810c36f260 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8\nRBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219\nR10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0\nR13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900\nFS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? 
__die+0x23/0x70\n ? page_fault_oops+0x1ee/0x5c0\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? search_bpf_extables+0xfe/0x1c0\n ? fixup_exception+0x3b/0x470\n ? exc_page_fault+0xf6/0x110\n ? asm_exc_page_fault+0x26/0x30\n ? nexthop_select_path+0x197/0xbf0\n ? nexthop_select_path+0x197/0xbf0\n ? lock_is_held_type+0xe7/0x140\n vxlan_xmit+0x5b2/0x2340\n ? __lock_acquire+0x92b/0x3370\n ? __pfx_vxlan_xmit+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_register_lock_class+0x10/0x10\n ? skb_network_protocol+0xce/0x2d0\n ? dev_hard_start_xmit+0xca/0x350\n ? __pfx_vxlan_xmit+0x10/0x10\n dev_hard_start_xmit+0xca/0x350\n __dev_queue_xmit+0x513/0x1e20\n ? __pfx___dev_queue_xmit+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? mark_held_locks+0x44/0x90\n ? skb_push+0x4c/0x80\n ? eth_header+0x81/0xe0\n ? __pfx_eth_header+0x10/0x10\n ? neigh_resolve_output+0x215/0x310\n ? ip6_finish_output2+0x2ba/0xc90\n ip6_finish_output2+0x2ba/0xc90\n ? lock_release+0x236/0x3e0\n ? ip6_mtu+0xbb/0x240\n ? __pfx_ip6_finish_output2+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? lock_is_held_type+0xe7/0x140\n ip6_finish_output+0x1ee/0x780\n ip6_output+0x138/0x460\n ? __pfx_ip6_output+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_ip6_finish_output+0x10/0x10\n NF_HOOK.constprop.0+0xc0/0x420\n ? __pfx_NF_HOOK.constprop.0+0x10/0x10\n ? ndisc_send_skb+0x2c0/0x960\n ? __pfx_lock_release+0x10/0x10\n ? __local_bh_enable_ip+0x93/0x110\n ? lock_is_held_type+0xe7/0x140\n ndisc_send_skb+0x4be/0x960\n ? __pfx_ndisc_send_skb+0x10/0x10\n ? mark_held_locks+0x65/0x90\n ? find_held_lock+0x83/0xa0\n ndisc_send_ns+0xb0/0x110\n ? __pfx_ndisc_send_ns+0x10/0x10\n addrconf_dad_work+0x631/0x8e0\n ? lock_acquire+0x180/0x3f0\n ? __pfx_addrconf_dad_work+0x10/0x10\n ? mark_held_locks+0x24/0x90\n process_one_work+0x582/0x9c0\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? mark_held_locks+0x24/0x90\n worker_thread+0x93/0x630\n ? 
__kthread_parkme+0xdc/0x100\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x1a5/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini\n\nThe gmc.ecc_irq is enabled by firmware per IFWI setting,\nand the host driver is not privileged to enable/disable\nthe interrupt. So, it is meaningless to use the amdgpu_irq_put\nfunction in gmc_v10_0_hw_fini, which also leads to the call\ntrace.\n\n[   82.340264] Call Trace:\n[   82.340265]  <TASK>\n[   82.340269]  gmc_v10_0_hw_fini+0x83/0xa0 [amdgpu]\n[   82.340447]  gmc_v10_0_suspend+0xe/0x20 [amdgpu]\n[   82.340623]  amdgpu_device_ip_suspend_phase2+0x127/0x1c0 [amdgpu]\n[   82.340789]  amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]\n[   82.340955]  amdgpu_device_pre_asic_reset+0xdd/0x2b0 [amdgpu]\n[   82.341122]  amdgpu_device_gpu_recover.cold+0x4dd/0xbb2 [amdgpu]\n[   82.341359]  amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]\n[   82.341529]  process_one_work+0x21d/0x3f0\n[   82.341535]  worker_thread+0x1fa/0x3c0\n[   82.341538]  ? process_one_work+0x3f0/0x3f0\n[   82.341540]  kthread+0xff/0x130\n[   82.341544]  ? kthread_complete_and_exit+0x20/0x20\n[   82.341547]  ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add length check in indx_get_root\n\nThis adds a length check to guarantee the retrieved index root is legit.\n\n[  162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320\n[  162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243\n[  162.460851]\n[  162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42\n[  162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  162.462609] Call Trace:\n[  162.462954]  <TASK>\n[  162.463276]  dump_stack_lvl+0x49/0x63\n[  162.463822]  print_report.cold+0xf5/0x689\n[  162.464608]  ? unwind_get_return_address+0x3a/0x60\n[  162.465766]  ? hdr_find_e.isra.0+0x10c/0x320\n[  162.466975]  kasan_report+0xa7/0x130\n[  162.467506]  ? _raw_spin_lock_irq+0xc0/0xf0\n[  162.467998]  ? hdr_find_e.isra.0+0x10c/0x320\n[  162.468536]  __asan_load2+0x68/0x90\n[  162.468923]  hdr_find_e.isra.0+0x10c/0x320\n[  162.469282]  ? cmp_uints+0xe0/0xe0\n[  162.469557]  ? cmp_sdh+0x90/0x90\n[  162.469864]  ? ni_find_attr+0x214/0x300\n[  162.470217]  ? ni_load_mi+0x80/0x80\n[  162.470479]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  162.470931]  ? ntfs_bread_run+0x190/0x190\n[  162.471307]  ? indx_get_root+0xe4/0x190\n[  162.471556]  ? indx_get_root+0x140/0x190\n[  162.471833]  ? indx_init+0x1e0/0x1e0\n[  162.472069]  ? fnd_clear+0x115/0x140\n[  162.472363]  ? _raw_spin_lock_irqsave+0x100/0x100\n[  162.472731]  indx_find+0x184/0x470\n[  162.473461]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  162.474429]  ? indx_find_buffer+0x2d0/0x2d0\n[  162.474704]  ? do_syscall_64+0x3b/0x90\n[  162.474962]  dir_search_u+0x196/0x2f0\n[  162.475381]  ? ntfs_nls_to_utf16+0x450/0x450\n[  162.475661]  ? ntfs_security_init+0x3d6/0x440\n[  162.475906]  ? is_sd_valid+0x180/0x180\n[  162.476191]  ntfs_extend_init+0x13f/0x2c0\n[  162.476496]  ? 
ntfs_fix_post_read+0x130/0x130\n[  162.476861]  ? iput.part.0+0x286/0x320\n[  162.477325]  ntfs_fill_super+0x11e0/0x1b50\n[  162.477709]  ? put_ntfs+0x1d0/0x1d0\n[  162.477970]  ? vsprintf+0x20/0x20\n[  162.478258]  ? set_blocksize+0x95/0x150\n[  162.478538]  get_tree_bdev+0x232/0x370\n[  162.478789]  ? put_ntfs+0x1d0/0x1d0\n[  162.479038]  ntfs_fs_get_tree+0x15/0x20\n[  162.479374]  vfs_get_tree+0x4c/0x130\n[  162.479729]  path_mount+0x654/0xfe0\n[  162.480124]  ? putname+0x80/0xa0\n[  162.480484]  ? finish_automount+0x2e0/0x2e0\n[  162.480894]  ? putname+0x80/0xa0\n[  162.481467]  ? kmem_cache_free+0x1c4/0x440\n[  162.482280]  ? putname+0x80/0xa0\n[  162.482714]  do_mount+0xd6/0xf0\n[  162.483264]  ? path_mount+0xfe0/0xfe0\n[  162.484782]  ? __kasan_check_write+0x14/0x20\n[  162.485593]  __x64_sys_mount+0xca/0x110\n[  162.486024]  do_syscall_64+0x3b/0x90\n[  162.486543]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  162.487141] RIP: 0033:0x7f9d374e948a\n[  162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5\n[  162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a\n[  162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0\n[  162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020\n[  162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0\n[  162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff\n[  162.493644]  </TASK>\n[  162.493908]\n[  162.494214] The buggy address belongs to the physical page:\n[  162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc\n[  162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n[  162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000\n[  162.498928] 
raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000\n[  162.500542] page dumped becau\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init\n\nThe line cards array is not freed in the error path of\nmlxsw_m_linecards_init(), which can lead to a memory leak. Fix by\nfreeing the array in the error path, thereby making the error path\nidentical to mlxsw_m_linecards_fini().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix potential memory leak\n\nFunction dwc3_qcom_probe() allocates memory for resource structure\nwhich is pointed by parent_res pointer. This memory is not\nfreed. This leads to memory leak. Use stack memory to prevent\nmemory leak.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: uhci: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nraw: Fix NULL deref in raw_get_next().\n\nDae R. Jeong reported a NULL deref in raw_get_next() [0].\n\nIt seems that the repro was running these sequences in parallel so\nthat one thread was iterating on a socket that was being freed in\nanother netns.\n\n  unshare(0x40060200)\n  r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\\x00')\n  socket$inet_icmp_raw(0x2, 0x3, 0x1)\n  pread64(r0, &(0x7f0000000000)=\"\"/10, 0xa, 0x10000000007f)\n\nAfter commit 0daf07e52709 (\"raw: convert raw sockets to RCU\"), we\nuse RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW\nsockets.  However, we should use spinlock for slow paths to avoid\nthe NULL deref.\n\nAlso, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object\nis not reused during iteration in the grace period.  In fact, the\nlockless readers do not check the nulls marker with get_nulls_value().\nSo, SOCK_RAW should use hlist instead of hlist_nulls.\n\nInstead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),\nlet's convert hlist_nulls to hlist and use sk_for_each_rcu() for\nfast paths and sk_for_each() and spinlock for /proc/net/raw.\n\n[0]:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]\nRIP: 0010:sock_net include/net/sock.h:649 [inline]\nRIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]\nRIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]\nRIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995\nCode: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 
48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef\nRSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206\nRAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000\nRDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338\nRBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9\nR10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78\nR13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030\nFS:  00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225\n seq_read+0x224/0x320 fs/seq_file.c:162\n pde_read fs/proc/inode.c:316 [inline]\n proc_reg_read+0x23f/0x330 fs/proc/inode.c:328\n vfs_read+0x31e/0xd30 fs/read_write.c:468\n ksys_pread64 fs/read_write.c:665 [inline]\n __do_sys_pread64 fs/read_write.c:675 [inline]\n __se_sys_pread64 fs/read_write.c:672 [inline]\n __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x478d29\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011\nRAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29\nRDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000\nR10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740\nR13: 0000000000791414 R14: 0000000000791408 R15: 
00007ffc2eb48a50\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails\n\nSyzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().\nWhile processing skbs in ath9k_hif_usb_rx_stream(), the already allocated\nskbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we\nhave an incorrect pkt_len or pkt_tag, the input skb is considered invalid\nand dropped. All the associated packets already in skb_pool should be\ndropped and freed. Added a comment describing this issue.\n\nThe patch also makes remain_skb NULL after being processed so that it\ncannot be referenced after potential free. The initialization of hif_dev\nfields which are associated with remain_skb (rx_remain_len,\nrx_transfer_len and rx_pad_len) is moved after a new remain_skb is\nallocated.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: fix percpu counter block leak on error path when creating new netns\n\nHere is the stack where we allocate percpu counter block:\n\n  +-< __alloc_percpu\n    +-< xt_percpu_counter_alloc\n      +-< find_check_entry # {arp,ip,ip6}_tables.c\n        +-< translate_table\n\nAnd it can be leaked on this code path:\n\n  +-> ip6t_register_table\n    +-> translate_table # allocates percpu counter block\n    +-> xt_register_table # fails\n\nthere is no freeing of the counter block on xt_register_table fail.\nNote: xt_percpu_counter_free should be called to free it like we do in\ndo_replace through cleanup_entry helper (or in __ip6t_unregister_table).\n\nProbability of hitting this error path is low AFAICS (xt_register_table\ncan only return ENOMEM here, as it is not replacing anything, as we are\ncreating new netns, and it is hard to imagine that all previous\nallocations succeeded and after that one in xt_register_table failed).\nBut it's worth fixing even the rare leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: wraparound mbox producer index\n\nDriver is not handling the wraparound of the mbox producer index correctly.\nCurrently the wraparound happens once u32 max is reached.\n\nBit 31 of the producer index register is special and should be set\nonly once for the first command. Because the producer index overflow\nsetting bit31 after a long time, FW goes to initialization sequence\nand this causes FW hang.\n\nFix is to wraparound the mbox producer index once it reaches u16 max.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: domains: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: rely on mt76_connac2_mac_tx_rate_val\n\nIn order to fix a possible NULL pointer dereference in\nmt7996_mac_write_txwi() of vif pointer, export\nmt76_connac2_mac_tx_rate_val utility routine and reuse it\nin mt7996 driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-races around user->unix_inflight.\n\nuser->unix_inflight is changed under spin_lock(unix_gc_lock),\nbut too_many_unix_fds() reads it locklessly.\n\nLet's annotate the write/read accesses to user->unix_inflight.\n\nBUG: KCSAN: data-race in unix_attach_fds / unix_inflight\n\nwrite to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:\n unix_inflight+0x157/0x180 net/unix/scm.c:66\n unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nread to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:\n too_many_unix_fds net/unix/scm.c:101 [inline]\n unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110\n unix_scm_to_skb net/unix/af_unix.c:1827 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950\n unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]\n unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292\n sock_sendmsg_nosec net/socket.c:725 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:748\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2548\n __sys_sendmsg+0x94/0x140 net/socket.c:2577\n __do_sys_sendmsg net/socket.c:2586 [inline]\n __se_sys_sendmsg net/socket.c:2584 
[inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nvalue changed: 0x000000000000000c -> 0x000000000000000d\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390/diag: fix racy access of physical cpu number in diag 9c handler\n\nWe do check for target CPU == -1, but this might change at the time we\nare going to use it. Hold the physical target CPU in a local variable to\navoid out-of-bound accesses to the cpu arrays.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus_core) Fix NULL pointer dereference\n\nPass i2c_client to _pmbus_is_enabled to drop the assumption\nthat a regulator device is passed in.\n\nThis will fix the issue of a NULL pointer dereference when called from\n_pmbus_get_flags.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fail to recover device if queue setup is interrupted\n\nIn ublk_ctrl_end_recovery(), if wait_for_completion_interruptible() is\ninterrupted by signal, queues aren't setup successfully yet, so we\nhave to fail UBLK_CMD_END_USER_RECOVERY, otherwise kernel oops can be\ntriggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state\n\nWhen emulating nested VM-Exit, load L1's TSC multiplier if L1's desired\nratio doesn't match the current ratio, not if the ratio L1 is using for\nL2 diverges from the default.  Functionally, the end result is the same\nas KVM will run L2 with L1's multiplier if L2's multiplier is the default,\ni.e. checking that L1's multiplier is loaded is equivalent to checking if\nL2 has a non-default multiplier.\n\nHowever, the assertion that TSC scaling is exposed to L1 is flawed, as\nuserspace can trigger the WARN at will by writing the MSR and then\nupdating guest CPUID to hide the feature (modifying guest CPUID is\nallowed anytime before KVM_RUN).  E.g. hacking KVM's state_test\nselftest to do\n\n                vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n                vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105\n           nested_svm_vmexit+0x6af/0x720 [kvm_amd]\n  Call Trace:\n   nested_svm_exit_handled+0x102/0x1f0 [kvm_amd]\n   svm_handle_exit+0xb9/0x180 [kvm_amd]\n   kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n   kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n   ? trace_hardirqs_off+0x4d/0xa0\n   __se_sys_ioctl+0x7a/0xc0\n   __x64_sys_ioctl+0x21/0x30\n   do_syscall_64+0x41/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUnlike the nested VMRUN path, hoisting the svm->tsc_scaling_enabled check\ninto the if-statement is wrong as KVM needs to ensure L1's multiplier is\nloaded in the above scenario.   Alternatively, the WARN_ON() could simply\nbe deleted, but that would make KVM's behavior even more subtle, e.g. it's\nnot immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when\nchecking only tsc_ratio_msr.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: Fix possible NULL dereference\n\nIn a call to mac80211_hwsim_select_tx_link() the sta pointer might\nbe NULL, thus need to check that it is not NULL before accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()\n\nr5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is\nempty, and then submit 'flush_bio', however, r5l_log_flush_endio()\nis clearing the list first and then clear the bio, which will cause\nnull-ptr-deref:\n\nT1: submit flush io\nraid5d\n handle_active_stripes\n  r5l_flush_stripe_to_raid\n   // list is empty\n   // add 'io_end_ios' to the list\n   bio_init\n   submit_bio\n   // io1\n\nT2: io1 is done\nr5l_log_flush_endio\n list_splice_tail_init\n // clear the list\n\t\t\tT3: submit new flush io\n\t\t\t...\n\t\t\tr5l_flush_stripe_to_raid\n\t\t\t // list is empty\n\t\t\t // add 'io_end_ios' to the list\n\t\t\t bio_init\n bio_uninit\n // clear bio->bi_blkg\n\t\t\t submit_bio\n\t\t\t // null-ptr-deref\n\nFix this problem by clearing bio before clearing the list in\nr5l_log_flush_endio().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: location: Free struct acpi_pld_info *pld before return false\n\nstruct acpi_pld_info *pld should be freed before the return of allocation\nfailure, to prevent memory leak, add the ACPI_FREE() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()\n\nFix a slab-out-of-bounds read that occurs in kmemdup() called from\nbrcmf_get_assoc_ies().\nThe bug could occur when assoc_info->req_len, data from a URB provided\nby a USB device, is bigger than the size of buffer which is defined as\nWL_EXTRA_BUF_MAX.\n\nAdd the size check for req_len/resp_len of assoc_info.\n\nFound by a modified version of syzkaller.\n\n[   46.592467][    T7] ==================================================================\n[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50\n[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7\n[   46.598575][    T7]\n[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145\n[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker\n[   46.605943][    T7] Call Trace:\n[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1\n[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334\n[   46.608610][    T7]  ? kmemdup+0x3e/0x50\n[   46.609341][    T7]  kasan_report.cold+0x79/0xd5\n[   46.610151][    T7]  ? kmemdup+0x3e/0x50\n[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0\n[   46.611691][    T7]  memcpy+0x20/0x60\n[   46.612323][    T7]  kmemdup+0x3e/0x50\n[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60\n[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0\n[   46.614831][    T7]  ? lock_chain_count+0x20/0x20\n[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.616552][    T7]  ? lock_chain_count+0x20/0x20\n[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770\n[   46.618244][    T7]  ? 
lock_chain_count+0x20/0x20\n[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0\n[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0\n[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790\n[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950\n[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.623390][    T7]  ? find_held_lock+0x2d/0x110\n[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60\n[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0\n[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0\n[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0\n[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100\n[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60\n[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100\n[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   46.630649][    T7]  process_one_work+0x92b/0x1460\n[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330\n[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90\n[   46.632347][    T7]  worker_thread+0x95/0xe00\n[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0\n[   46.633393][    T7]  ? process_one_work+0x1460/0x1460\n[   46.633957][    T7]  kthread+0x3a1/0x480\n[   46.634369][    T7]  ? 
set_kthread_struct+0x120/0x120\n[   46.634933][    T7]  ret_from_fork+0x1f/0x30\n[   46.635431][    T7]\n[   46.635687][    T7] Allocated by task 7:\n[   46.636151][    T7]  kasan_save_stack+0x1b/0x40\n[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90\n[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330\n[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040\n[   46.638275][    T7]  brcmf_attach+0x389/0xd40\n[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690\n[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760\n[   46.639820][    T7]  really_probe+0x205/0xb70\n[   46.640342][    T7]  __driver_probe_device+0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential memory corruption in __update_iostat_latency()\n\nAdd iotype sanity check to avoid potential memory corruption.\nThis is to fix the compile error below:\n\nfs/f2fs/iostat.c:231 __update_iostat_latency() error: buffer overflow\n'io_lat->peak_lat[type]' 3 <= 3\n\nvim +228 fs/f2fs/iostat.c\n\n  211  static inline void __update_iostat_latency(struct bio_iostat_ctx\n\t*iostat_ctx,\n  212\t\t\t\t\tenum iostat_lat_type type)\n  213  {\n  214\t\tunsigned long ts_diff;\n  215\t\tunsigned int page_type = iostat_ctx->type;\n  216\t\tstruct f2fs_sb_info *sbi = iostat_ctx->sbi;\n  217\t\tstruct iostat_lat_info *io_lat = sbi->iostat_io_lat;\n  218\t\tunsigned long flags;\n  219\n  220\t\tif (!sbi->iostat_enable)\n  221\t\t\treturn;\n  222\n  223\t\tts_diff = jiffies - iostat_ctx->submit_ts;\n  224\t\tif (page_type >= META_FLUSH)\n                                 ^^^^^^^^^^\n\n  225\t\t\tpage_type = META;\n  226\n  227\t\tspin_lock_irqsave(&sbi->iostat_lat_lock, flags);\n @228\t\tio_lat->sum_lat[type][page_type] += ts_diff;\n                                      ^^^^^^^^^\nMixup between META_FLUSH and NR_PAGE_TYPE leads to memory corruption.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Don't balance task to its current running CPU\n\nWe've run into the case that the balancer tries to balance a migration\ndisabled task and trigger the warning in set_task_cpu() like below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240\n Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>\n CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G           O       6.1.0-rc4+ #1\n Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : set_task_cpu+0x188/0x240\n lr : load_balance+0x5d0/0xc60\n sp : ffff80000803bc70\n x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040\n x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001\n x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78\n x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000\n x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530\n x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e\n x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a\n x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001\n Call trace:\n  set_task_cpu+0x188/0x240\n  load_balance+0x5d0/0xc60\n  rebalance_domains+0x26c/0x380\n  _nohz_idle_balance.isra.0+0x1e0/0x370\n  run_rebalance_domains+0x6c/0x80\n  __do_softirq+0x128/0x3d8\n  ____do_softirq+0x18/0x24\n  call_on_irq_stack+0x2c/0x38\n  do_softirq_own_stack+0x24/0x3c\n  __irq_exit_rcu+0xcc/0xf4\n  irq_exit_rcu+0x18/0x24\n  el1_interrupt+0x4c/0xe4\n  el1h_64_irq_handler+0x18/0x2c\n  el1h_64_irq+0x74/0x78\n  arch_cpu_idle+0x18/0x4c\n  
default_idle_call+0x58/0x194\n  do_idle+0x244/0x2b0\n  cpu_startup_entry+0x30/0x3c\n  secondary_start_kernel+0x14c/0x190\n  __secondary_switched+0xb0/0xb4\n ---[ end trace 0000000000000000 ]---\n\nFurther investigation shows that the warning is superfluous, the migration\ndisabled task is just going to be migrated to its current running CPU.\nThis is because that on load balance if the dst_cpu is not allowed by the\ntask, we'll re-select a new_dst_cpu as a candidate. If no task can be\nbalanced to dst_cpu we'll try to balance the task to the new_dst_cpu\ninstead. In this case when the migration disabled task is not on CPU it\nonly allows to run on its current CPU, load balance will select its\ncurrent CPU as new_dst_cpu and later triggers the warning above.\n\nThe new_dst_cpu is chosen from the env->dst_grpmask. Currently it\ncontains CPUs in sched_group_span() and if we have overlapped groups it's\npossible to run into this case. This patch makes env->dst_grpmask of\ngroup_balance_mask() which exclude any CPUs from the busiest group and\nsolve the issue. For balancing in a domain with no overlapped groups\nthe behaviour keeps same as before.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: efi: Make efi_rt_lock a raw_spinlock\n\nRunning a rt-kernel base on 6.2.0-rc3-rt1 on an Ampere Altra outputs\nthe following:\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9, name: kworker/u320:0\n  preempt_count: 2, expected: 0\n  RCU nest depth: 0, expected: 0\n  3 locks held by kworker/u320:0/9:\n  #0: ffff3fff8c27d128 ((wq_completion)efi_rts_wq){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)\n  #1: ffff80000861bdd0 ((work_completion)(&efi_rts_work.work)){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)\n  #2: ffffdf7e1ed3e460 (efi_rt_lock){+.+.}-{3:3}, at: efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)\n  Preemption disabled at:\n  efi_virtmap_load (./arch/arm64/include/asm/mmu_context.h:248)\n  CPU: 0 PID: 9 Comm: kworker/u320:0 Tainted: G        W          6.2.0-rc3-rt1\n  Hardware name: WIWYNN Mt.Jade Server System B81.03001.0005/Mt.Jade Motherboard, BIOS 1.08.20220218 (SCP: 1.08.20220218) 2022/02/18\n  Workqueue: efi_rts_wq efi_call_rts\n  Call trace:\n  dump_backtrace (arch/arm64/kernel/stacktrace.c:158)\n  show_stack (arch/arm64/kernel/stacktrace.c:165)\n  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))\n  dump_stack (lib/dump_stack.c:114)\n  __might_resched (kernel/sched/core.c:10134)\n  rt_spin_lock (kernel/locking/rtmutex.c:1769 (discriminator 4))\n  efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)\n  [...]\n\nThis seems to come from commit ff7a167961d1 (\"arm64: efi: Execute\nruntime services from a dedicated stack\") which adds a spinlock. This\nspinlock is taken through:\nefi_call_rts()\n\\-efi_call_virt()\n  \\-efi_call_virt_pointer()\n    \\-arch_efi_call_virt_setup()\n\nMake 'efi_rt_lock' a raw_spinlock to avoid being preempted.\n\n[ardb: The EFI runtime services are called with a different set of\n       translation tables, and are permitted to use the SIMD registers.\n       The context switch code preserves/restores neither, and so EFI\n       calls must be made with preemption disabled, rather than only\n       disabling migration.]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnubus: Partially revert proc_create_single_data() conversion\n\nThe conversion to proc_create_single_data() introduced a regression\nwhereby reading a file in /proc/bus/nubus results in a seg fault:\n\n    # grep -r . /proc/bus/nubus/e/\n    Data read fault at 0x00000020 in Super Data (pc=0x1074c2)\n    BAD KERNEL BUSERR\n    Oops: 00000000\n    Modules linked in:\n    PC: [<001074c2>] PDE_DATA+0xc/0x16\n    SR: 2010  SP: 38284958  a2: 01152370\n    d0: 00000001    d1: 01013000    d2: 01002790    d3: 00000000\n    d4: 00000001    d5: 0008ce2e    a0: 00000000    a1: 00222a40\n    Process grep (pid: 45, task=142f8727)\n    Frame format=B ssw=074d isc=2008 isb=4e5e daddr=00000020 dobuf=01199e70\n    baddr=001074c8 dibuf=ffffffff ver=f\n    Stack from 01199e48:\n\t    01199e70 00222a58 01002790 00000000 011a3000 01199eb0 015000c0 00000000\n\t    00000000 01199ec0 01199ec0 000d551a 011a3000 00000001 00000000 00018000\n\t    d003f000 00000003 00000001 0002800d 01052840 01199fa8 c01f8000 00000000\n\t    00000029 0b532b80 00000000 00000000 00000029 0b532b80 01199ee4 00103640\n\t    011198c0 d003f000 00018000 01199fa8 00000000 011198c0 00000000 01199f4c\n\t    000b3344 011198c0 d003f000 00018000 01199fa8 00000000 00018000 011198c0\n    Call Trace: [<00222a58>] nubus_proc_rsrc_show+0x18/0xa0\n     [<000d551a>] seq_read+0xc4/0x510\n     [<00018000>] fp_fcos+0x2/0x82\n     [<0002800d>] __sys_setreuid+0x115/0x1c6\n     [<00103640>] proc_reg_read+0x5c/0xb0\n     [<00018000>] fp_fcos+0x2/0x82\n     [<000b3344>] __vfs_read+0x2c/0x13c\n     [<00018000>] fp_fcos+0x2/0x82\n     [<00018000>] fp_fcos+0x2/0x82\n     [<000b8aa2>] sys_statx+0x60/0x7e\n     [<000b34b6>] vfs_read+0x62/0x12a\n     [<00018000>] fp_fcos+0x2/0x82\n     [<00018000>] fp_fcos+0x2/0x82\n     [<000b39c2>] ksys_read+0x48/0xbe\n     [<00018000>] fp_fcos+0x2/0x82\n     [<000b3a4e>] sys_read+0x16/0x1a\n     [<00018000>] fp_fcos+0x2/0x82\n     [<00002b84>] syscall+0x8/0xc\n     [<00018000>] fp_fcos+0x2/0x82\n     [<0000c016>] not_ext+0xa/0x18\n    Code: 4e5e 4e75 4e56 0000 206e 0008 2068 ffe8 <2068> 0020 2008 4e5e 4e75 4e56 0000 2f0b 206e 0008 2068 0004 2668 0020 206b ffe8\n    Disabling lock debugging due to kernel taint\n\n    Segmentation fault\n\nThe proc_create_single_data() conversion does not work because\nsingle_open(file, nubus_proc_rsrc_show, PDE_DATA(inode)) is not\nequivalent to the original code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Make it so that a waiting process can be aborted\n\nWhen sendmsg() creates an rxrpc call, it queues it to wait for a connection\nand channel to be assigned and then waits before it can start shovelling\ndata as the encrypted DATA packet content includes a summary of the\nconnection parameters.\n\nHowever, sendmsg() may get interrupted before a connection gets assigned\nand further sendmsg() calls will fail with EBUSY until an assignment is\nmade.\n\nFix this so that the call can at least be aborted without failing on\nEBUSY.  We have to be careful here as sendmsg() mustn't be allowed to start\nthe call timer if the call doesn't yet have a connection assigned as an\noops may follow shortly thereafter.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: netup_unidvb: fix use-after-free at del_timer()\n\nWhen Universal DVB card is detaching, netup_unidvb_dma_fini()\nuses del_timer() to stop dma->timeout timer. But when timer\nhandler netup_unidvb_dma_timeout() is running, del_timer()\ncould not stop it. As a result, the use-after-free bug could\nhappen. The process is shown below:\n\n    (cleanup routine)          |        (timer routine)\n                               | mod_timer(&dev->tx_sim_timer, ..)\nnetup_unidvb_finidev()         | (wait a time)\n  netup_unidvb_dma_fini()      | netup_unidvb_dma_timeout()\n    del_timer(&dma->timeout);  |\n                               |   ndev->pci_dev->dev //USE\n\nFix by changing del_timer() to del_timer_sync().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: az6007: Fix null-ptr-deref in az6007_i2c_xfer()\n\nIn az6007_i2c_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach az6007_i2c_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix memleak due to fentry attach failure\n\nIf it fails to attach fentry, the allocated bpf trampoline image will be\nleft in the system. That can be verified by checking /proc/kallsyms.\n\nThis meamleak can be verified by a simple bpf program as follows:\n\n  SEC(\"fentry/trap_init\")\n  int fentry_run()\n  {\n      return 0;\n  }\n\nIt will fail to attach trap_init because this function is freed after\nkernel init, and then we can find the trampoline image is left in the\nsystem by checking /proc/kallsyms.\n\n  $ tail /proc/kallsyms\n  ffffffffc0613000 t bpf_trampoline_6442453466_1  [bpf]\n  ffffffffc06c3000 t bpf_trampoline_6442453466_1  [bpf]\n\n  $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep \"FUNC 'trap_init'\"\n  [2522] FUNC 'trap_init' type_id=119 linkage=static\n\n  $ echo $((6442453466 & 0x7fffffff))\n  2522\n\nNote that there are two left bpf trampoline images, that is because the\nlibbpf will fallback to raw tracepoint if -EINVAL is returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: jfs_dmap: Validate db_l2nbperpage while mounting\n\nIn jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block\nnumber inside dbFree(). db_l2nbperpage, which is the log2 number of\nblocks per page, is passed as an argument to BLKTODMAP which uses it\nfor shifting.\n\nSyzbot reported a shift out-of-bounds crash because db_l2nbperpage is\ntoo big. This happens because the large value is set without any\nvalidation in dbMount() at line 181.\n\nThus, make sure that db_l2nbperpage is correct while mounting.\n\nMax number of blocks per page = Page size / Min block size\n=> log2(Max num_block per page) = log2(Page size / Min block size)\n\t\t\t\t= log2(Page size) - log2(Min block size)\n\n=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue as it may return\nNULL pointer and cause NULL pointer dereference.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517646/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: Fix function prototype mismatch for ext4_feat_ktype\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed.\n\next4_feat_ktype was setting the \"release\" handler to \"kfree\", which\ndoesn't have a matching function prototype. Add a simple wrapper\nwith the correct prototype.\n\nThis was found as a result of Clang's new -Wcast-function-type-strict\nflag, which is more sensitive than the simpler -Wcast-function-type,\nwhich only checks for type width mismatches.\n\nNote that this code is only reached when ext4 is a loadable module and\nit is being unloaded:\n\n CFI failure at kobject_put+0xbb/0x1b0 (target: kfree+0x0/0x180; expected type: 0x7c4aa698)\n ...\n RIP: 0010:kobject_put+0xbb/0x1b0\n ...\n Call Trace:\n  <TASK>\n  ext4_exit_sysfs+0x14/0x60 [ext4]\n  cleanup_module+0x67/0xedb [ext4]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: imx: Don't skip cleanup in remove's error path\n\nReturning early in a platform driver's remove callback is wrong. In this\ncase the dma resources are not released in the error path. this is never\nretried later and so this is a permanent leak. To fix this, only skip\nhardware disabling if waking the device fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix OOB and integer underflow when rx packets\n\nMake sure mwifiex_process_mgmt_packet,\nmwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,\nmwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet\nnot out-of-bounds access the skb->data buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: drop redundant sched job cleanup when cs is aborted\n\nOnce command submission failed due to userptr invalidation in\namdgpu_cs_submit, legacy code will perform cleanup of scheduler\njob. However, it's not needed at all, as former commit has integrated\njob cleanup stuff into amdgpu_job_free. Otherwise, because of double\nfree, a NULL pointer dereference will occur in such scenario.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2457",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta\n\nAvoid potential data corruption issues caused by uninitialized driver\nprivate data structures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix warning in cifs_smb3_do_mount()\n\nThis fixes the following warning reported by kernel test robot\n\n  fs/smb/client/cifsfs.c:982 cifs_smb3_do_mount() warn: possible\n  memory leak of 'cifs_sb'",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: Fix detection of atomic context\n\nCurrent check for atomic context is not sufficient as\nz_erofs_decompressqueue_endio can be called under rcu lock\nfrom blk_mq_flush_plug_list(). See the stacktrace [1]\n\nIn such case we should hand off the decompression work for async\nprocessing rather than trying to do sync decompression in current\ncontext. Patch fixes the detection by checking for\nrcu_read_lock_any_held() and while at it use more appropriate\n!in_task() check than in_atomic().\n\nBackground: Historically erofs would always schedule a kworker for\ndecompression which would incur the scheduling cost regardless of\nthe context. But z_erofs_decompressqueue_endio() may not always\nbe in atomic context and we could actually benefit from doing the\ndecompression in z_erofs_decompressqueue_endio() if we are in\nthread context, for example when running with dm-verity.\nThis optimization was later added in patch [2] which has shown\nimprovement in performance benchmarks.\n\n==============================================\n[1] Problem stacktrace\n[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291\n[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi\n[name:core&]preempt_count: 0, expected: 0\n[name:core&]RCU nest depth: 1, expected: 0\nCPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S      W  OE      6.1.25-android14-5-maybe-dirty-mainline #1\nHardware name: MT6897 (DT)\nCall trace:\n dump_backtrace+0x108/0x15c\n show_stack+0x20/0x30\n dump_stack_lvl+0x6c/0x8c\n dump_stack+0x20/0x48\n __might_resched+0x1fc/0x308\n __might_sleep+0x50/0x88\n mutex_lock+0x2c/0x110\n z_erofs_decompress_queue+0x11c/0xc10\n z_erofs_decompress_kickoff+0x110/0x1a4\n z_erofs_decompressqueue_endio+0x154/0x180\n bio_endio+0x1b0/0x1d8\n __dm_io_complete+0x22c/0x280\n clone_endio+0xe4/0x280\n bio_endio+0x1b0/0x1d8\n blk_update_request+0x138/0x3a4\n blk_mq_plug_issue_direct+0xd4/0x19c\n blk_mq_flush_plug_list+0x2b0/0x354\n __blk_flush_plug+0x110/0x160\n blk_finish_plug+0x30/0x4c\n read_pages+0x2fc/0x370\n page_cache_ra_unbounded+0xa4/0x23c\n page_cache_ra_order+0x290/0x320\n do_sync_mmap_readahead+0x108/0x2c0\n filemap_fault+0x19c/0x52c\n __do_fault+0xc4/0x114\n handle_mm_fault+0x5b4/0x1168\n do_page_fault+0x338/0x4b4\n do_translation_fault+0x40/0x60\n do_mem_abort+0x60/0xc8\n el0_da+0x4c/0xe0\n el0t_64_sync_handler+0xd4/0xfc\n el0t_64_sync+0x1a0/0x1a4\n\n[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix kernel panic by accessing unallocated eeprom.data\n\nThe MT7921 driver no longer uses eeprom.data, but the relevant code has not\nbeen removed completely since\ncommit 16d98b548365 (\"mt76: mt7921: rely on mcu_get_nic_capability\").\nThis could result in potential invalid memory access.\n\nTo fix the kernel panic issue in mt7921, it is necessary to avoid accessing\nunallocated eeprom.data which can lead to invalid memory access.\n\nFurthermore, it is possible to entirely eliminate the\nmt7921_mcu_parse_eeprom function and solely depend on\nmt7921_mcu_parse_response to divide the RxD header.\n\n[2.702735] BUG: kernel NULL pointer dereference, address: 0000000000000550\n[2.702740] #PF: supervisor write access in kernel mode\n[2.702741] #PF: error_code(0x0002) - not-present page\n[2.702743] PGD 0 P4D 0\n[2.702747] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[2.702755] RIP: 0010:mt7921_mcu_parse_response+0x147/0x170 [mt7921_common]\n[2.702758] RSP: 0018:ffffae7c00fef828 EFLAGS: 00010286\n[2.702760] RAX: ffffa367f57be024 RBX: ffffa367cc7bf500 RCX: 0000000000000000\n[2.702762] RDX: 0000000000000550 RSI: 0000000000000000 RDI: ffffa367cc7bf500\n[2.702763] RBP: ffffae7c00fef840 R08: ffffa367cb167000 R09: 0000000000000005\n[2.702764] R10: 0000000000000000 R11: ffffffffc04702e4 R12: ffffa367e8329f40\n[2.702766] R13: 0000000000000000 R14: 0000000000000001 R15: ffffa367e8329f40\n[2.702768] FS:  000079ee6cf20c40(0000) GS:ffffa36b2f940000(0000) knlGS:0000000000000000\n[2.702769] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2.702775] CR2: 0000000000000550 CR3: 00000001233c6004 CR4: 0000000000770ee0\n[2.702776] PKRU: 55555554\n[2.702777] Call Trace:\n[2.702782]  mt76_mcu_skb_send_and_get_msg+0xc3/0x11e [mt76 <HASH:1bc4 5>]\n[2.702785]  mt7921_run_firmware+0x241/0x853 [mt7921_common <HASH:6a2f 6>]\n[2.702789]  mt7921e_mcu_init+0x2b/0x56 [mt7921e <HASH:d290 7>]\n[2.702792]  mt7921_register_device+0x2eb/0x5a5 [mt7921_common <HASH:6a2f 6>]\n[2.702795]  ? mt7921_irq_tasklet+0x1d4/0x1d4 [mt7921e <HASH:d290 7>]\n[2.702797]  mt7921_pci_probe+0x2d6/0x319 [mt7921e <HASH:d290 7>]\n[2.702799]  pci_device_probe+0x9f/0x12a",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix deadlock triggered by cancel_delayed_work_syn()\n\nThe following LOCKDEP was detected:\n\t\tWorkqueue: events smc_lgr_free_work [smc]\n\t\tWARNING: possible circular locking dependency detected\n\t\t6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted\n\t\t------------------------------------------------------\n\t\tkworker/3:0/176251 is trying to acquire lock:\n\t\t00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0},\n\t\t\tat: __flush_workqueue+0x7a/0x4f0\n\t\tbut task is already holding lock:\n\t\t0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0},\n\t\t\tat: process_one_work+0x232/0x730\n\t\twhich lock already depends on the new lock.\n\t\tthe existing dependency chain (in reverse order) is:\n\t\t-> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}:\n\t\t       __lock_acquire+0x58e/0xbd8\n\t\t       lock_acquire.part.0+0xe2/0x248\n\t\t       lock_acquire+0xac/0x1c8\n\t\t       __flush_work+0x76/0xf0\n\t\t       __cancel_work_timer+0x170/0x220\n\t\t       __smc_lgr_terminate.part.0+0x34/0x1c0 [smc]\n\t\t       smc_connect_rdma+0x15e/0x418 [smc]\n\t\t       __smc_connect+0x234/0x480 [smc]\n\t\t       smc_connect+0x1d6/0x230 [smc]\n\t\t       __sys_connect+0x90/0xc0\n\t\t       __do_sys_socketcall+0x186/0x370\n\t\t       __do_syscall+0x1da/0x208\n\t\t       system_call+0x82/0xb0\n\t\t-> #3 (smc_client_lgr_pending){+.+.}-{3:3}:\n\t\t       __lock_acquire+0x58e/0xbd8\n\t\t       lock_acquire.part.0+0xe2/0x248\n\t\t       lock_acquire+0xac/0x1c8\n\t\t       __mutex_lock+0x96/0x8e8\n\t\t       mutex_lock_nested+0x32/0x40\n\t\t       smc_connect_rdma+0xa4/0x418 [smc]\n\t\t       __smc_connect+0x234/0x480 [smc]\n\t\t       smc_connect+0x1d6/0x230 [smc]\n\t\t       __sys_connect+0x90/0xc0\n\t\t       __do_sys_socketcall+0x186/0x370\n\t\t       __do_syscall+0x1da/0x208\n\t\t       system_call+0x82/0xb0\n\t\t-> #2 (sk_lock-AF_SMC){+.+.}-{0:0}:\n\t\t       __lock_acquire+0x58e/0xbd8\n\t\t       lock_acquire.part.0+0xe2/0x248\n\t\t       lock_acquire+0xac/0x1c8\n\t\t       lock_sock_nested+0x46/0xa8\n\t\t       smc_tx_work+0x34/0x50 [smc]\n\t\t       process_one_work+0x30c/0x730\n\t\t       worker_thread+0x62/0x420\n\t\t       kthread+0x138/0x150\n\t\t       __ret_from_fork+0x3c/0x58\n\t\t       ret_from_fork+0xa/0x40\n\t\t-> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}:\n\t\t       __lock_acquire+0x58e/0xbd8\n\t\t       lock_acquire.part.0+0xe2/0x248\n\t\t       lock_acquire+0xac/0x1c8\n\t\t       process_one_work+0x2bc/0x730\n\t\t       worker_thread+0x62/0x420\n\t\t       kthread+0x138/0x150\n\t\t       __ret_from_fork+0x3c/0x58\n\t\t       ret_from_fork+0xa/0x40\n\t\t-> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}:\n\t\t       check_prev_add+0xd8/0xe88\n\t\t       validate_chain+0x70c/0xb20\n\t\t       __lock_acquire+0x58e/0xbd8\n\t\t       lock_acquire.part.0+0xe2/0x248\n\t\t       lock_acquire+0xac/0x1c8\n\t\t       __flush_workqueue+0xaa/0x4f0\n\t\t       drain_workqueue+0xaa/0x158\n\t\t       destroy_workqueue+0x44/0x2d8\n\t\t       smc_lgr_free+0x9e/0xf8 [smc]\n\t\t       process_one_work+0x30c/0x730\n\t\t       worker_thread+0x62/0x420\n\t\t       kthread+0x138/0x150\n\t\t       __ret_from_fork+0x3c/0x58\n\t\t       ret_from_fork+0xa/0x40\n\t\tother info that might help us debug this:\n\t\tChain exists of:\n\t\t  (wq_completion)smc_tx_wq-00000000#2\n\t  \t  --> smc_client_lgr_pending\n\t\t  --> (work_completion)(&(&lgr->free_work)->work)\n\t\t Possible unsafe locking scenario:\n\t\t       CPU0                    CPU1\n\t\t       ----                    ----\n\t\t  lock((work_completion)(&(&lgr->free_work)->work));\n\t\t                   lock(smc_client_lgr_pending);\n\t\t                   lock((work_completion)\n\t\t\t\t\t(&(&lgr->free_work)->work));\n\t\t  lock((wq_completion)smc_tx_wq-00000000#2);\n\t\t *** DEADLOCK ***\n\t\t2 locks held by kworker/3:0/176251:\n\t\t #0: 0000000080183548\n\t\t\t((wq_completion)events){+.+.}-{0:0},\n\t\t\t\tat: process_one_work+0x232/0x730\n\t\t #1: 0000037fffe97dc8\n\t\t\t((work_completion)\n\t\t\t (&(&lgr->free_work)->work)){+.+.}-{0:0},\n\t\t\t\tat: process_one_work+0x232/0x730\n\t\tstack backtr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: Fix kmemleak in watchdog_cdev_register\n\nkmemleak reports memory leaks in watchdog_dev_register, as follows:\nunreferenced object 0xffff888116233000 (size 2048):\n  comm \"\"modprobe\"\", pid 28147, jiffies 4353426116 (age 61.741s)\n  hex dump (first 32 bytes):\n    80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff  .........0#.....\n    08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00  .0#.............\n  backtrace:\n    [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220\n    [<000000006a389304>] kmalloc_trace+0x21/0x110\n    [<000000008d640eea>] watchdog_dev_register+0x4e/0x780 [watchdog]\n    [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]\n    [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]\n    [<000000001f730178>] 0xffffffffc10880ae\n    [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0\n    [<00000000b98be325>] do_init_module+0x1ca/0x5f0\n    [<0000000046d08e7c>] load_module+0x6133/0x70f0\n    ...\n\nunreferenced object 0xffff888105b9fa80 (size 16):\n  comm \"\"modprobe\"\", pid 28147, jiffies 4353426116 (age 61.741s)\n  hex dump (first 16 bytes):\n    77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff  watchdog1.......\n  backtrace:\n    [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220\n    [<00000000486ab89b>] __kmalloc_node_track_caller+0x44/0x1b0\n    [<000000005a39aab0>] kvasprintf+0xb5/0x140\n    [<0000000024806f85>] kvasprintf_const+0x55/0x180\n    [<000000009276cb7f>] kobject_set_name_vargs+0x56/0x150\n    [<00000000a92e820b>] dev_set_name+0xab/0xe0\n    [<00000000cec812c6>] watchdog_dev_register+0x285/0x780 [watchdog]\n    [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]\n    [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]\n    [<000000001f730178>] 0xffffffffc10880ae\n    [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0\n    [<00000000b98be325>] do_init_module+0x1ca/0x5f0\n    [<0000000046d08e7c>] load_module+0x6133/0x70f0\n    ...\n\nThe reason is that put_device is not be called if cdev_device_add fails\nand wdd->id != 0.\n\nwatchdog_cdev_register\n  wd_data = kzalloc                             [1]\n  err = dev_set_name                            [2]\n  ..\n  err = cdev_device_add\n  if (err) {\n    if (wdd->id == 0) {  // wdd->id != 0\n      ..\n    }\n    return err;  // [1],[2] would be leaked\n\nTo fix it, call put_device in all wdd->id cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: helpers: Avoid a driver uaf\n\nwhen using __drm_kunit_helper_alloc_drm_device() the driver may be\ndereferenced by device-managed resources up until the device is\nfreed, which is typically later than the kunit-managed resource code\nfrees it. Fix this by simply make the driver device-managed as well.\n\nIn short, the sequence leading to the UAF is as follows:\n\nINIT:\nCode allocates a struct device as a kunit-managed resource.\nCode allocates a drm driver as a kunit-managed resource.\nCode allocates a drm device as a device-managed resource.\n\nEXIT:\nKunit resource cleanup frees the drm driver\nKunit resource cleanup puts the struct device, which starts a\n      device-managed resource cleanup\ndevice-managed cleanup calls drm_dev_put()\ndrm_dev_put() dereferences the (now freed) drm driver -> Boom.\n\nRelated KASAN message:\n[55272.551542] ==================================================================\n[55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353\n\n[55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G     U           N 6.5.0-rc7+ #155\n[55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021\n[55272.551626] Call Trace:\n[55272.551629]  <TASK>\n[55272.551633]  dump_stack_lvl+0x57/0x90\n[55272.551639]  print_report+0xcf/0x630\n[55272.551645]  ? _raw_spin_lock_irqsave+0x5f/0x70\n[55272.551652]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551694]  kasan_report+0xd7/0x110\n[55272.551699]  ? drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551742]  drm_dev_put.part.0+0xd4/0xe0 [drm]\n[55272.551783]  devres_release_all+0x15d/0x1f0\n[55272.551790]  ? __pfx_devres_release_all+0x10/0x10\n[55272.551797]  device_unbind_cleanup+0x16/0x1a0\n[55272.551802]  device_release_driver_internal+0x3e5/0x540\n[55272.551808]  ? kobject_put+0x5d/0x4b0\n[55272.551814]  bus_remove_device+0x1f1/0x3f0\n[55272.551819]  device_del+0x342/0x910\n[55272.551826]  ? __pfx_device_del+0x10/0x10\n[55272.551830]  ? lock_release+0x339/0x5e0\n[55272.551836]  ? kunit_remove_resource+0x128/0x290 [kunit]\n[55272.551845]  ? __pfx_lock_release+0x10/0x10\n[55272.551851]  platform_device_del.part.0+0x1f/0x1e0\n[55272.551856]  ? _raw_spin_unlock_irqrestore+0x30/0x60\n[55272.551863]  kunit_remove_resource+0x195/0x290 [kunit]\n[55272.551871]  ? _raw_spin_unlock_irqrestore+0x30/0x60\n[55272.551877]  kunit_cleanup+0x78/0x120 [kunit]\n[55272.551885]  ? __kthread_parkme+0xc1/0x1f0\n[55272.551891]  ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit]\n[55272.551900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]\n[55272.551909]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]\n[55272.551919]  kthread+0x2e7/0x3c0\n[55272.551924]  ? __pfx_kthread+0x10/0x10\n[55272.551929]  ret_from_fork+0x2d/0x70\n[55272.551935]  ? __pfx_kthread+0x10/0x10\n[55272.551940]  ret_from_fork_asm+0x1b/0x30\n[55272.551948]  </TASK>\n\n[55272.551953] Allocated by task 10351:\n[55272.551956]  kasan_save_stack+0x1c/0x40\n[55272.551962]  kasan_set_track+0x21/0x30\n[55272.551966]  __kasan_kmalloc+0x8b/0x90\n[55272.551970]  __kmalloc+0x5e/0x160\n[55272.551976]  kunit_kmalloc_array+0x1c/0x50 [kunit]\n[55272.551984]  drm_exec_test_init+0xfa/0x2c0 [drm_exec_test]\n[55272.551991]  kunit_try_run_case+0xdd/0x250 [kunit]\n[55272.551999]  kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit]\n[55272.552008]  kthread+0x2e7/0x3c0\n[55272.552012]  ret_from_fork+0x2d/0x70\n[55272.552017]  ret_from_fork_asm+0x1b/0x30\n\n[55272.552024] Freed by task 10353:\n[55272.552027]  kasan_save_stack+0x1c/0x40\n[55272.552032]  kasan_set_track+0x21/0x30\n[55272.552036]  kasan_save_free_info+0x27/0x40\n[55272.552041]  __kasan_slab_free+0x106/0x180\n[55272.552046]  slab_free_freelist_hook+0xb3/0x160\n[55272.552051]  __kmem_cache_free+0xb2/0x290\n[55272.552056]  kunit_remove_resource+0x195/0x290 [kunit]\n[55272.552064]  kunit_cleanup+0x7\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not corrupt the pfn list when doing batch carry\n\nIf batch->end is 0 then setting npfns[0] before computing the new value of\npfns will fail to adjust the pfn and result in various page accounting\ncorruptions. It should be ordered after.\n\nThis seems to result in various kinds of page meta-data corruption related\nfailures:\n\n  WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740\n  Modules linked in:\n  CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:try_grab_folio+0x503/0x740\n  Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89\n  RSP: 0018:ffffc90000f37908 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26\n  RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002\n  RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008\n  R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540\n  R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540\n  FS:  00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   internal_get_user_pages_fast+0xd32/0x2200\n   pin_user_pages_fast+0x65/0x90\n   pfn_reader_user_pin+0x376/0x390\n   pfn_reader_next+0x14a/0x7b0\n   pfn_reader_first+0x140/0x1b0\n   iopt_area_fill_domain+0x74/0x210\n   iopt_table_add_domain+0x30e/0x6e0\n   iommufd_device_selftest_attach+0x7f/0x140\n   iommufd_test+0x10ff/0x16f0\n   iommufd_fops_ioctl+0x206/0x330\n   __x64_sys_ioctl+0x10e/0x160\n 
  do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix amdgpu_irq_put call trace in gmc_v11_0_hw_fini\n\nThe gmc.ecc_irq is enabled by firmware per IFWI setting,\nand the host driver is not privileged to enable/disable\nthe interrupt. So, it is meaningless to use the amdgpu_irq_put\nfunction in gmc_v11_0_hw_fini, which also leads to the call\ntrace.\n\n[  102.980303] Call Trace:\n[  102.980303]  <TASK>\n[  102.980304]  gmc_v11_0_hw_fini+0x54/0x90 [amdgpu]\n[  102.980357]  gmc_v11_0_suspend+0xe/0x20 [amdgpu]\n[  102.980409]  amdgpu_device_ip_suspend_phase2+0x240/0x460 [amdgpu]\n[  102.980459]  amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]\n[  102.980520]  amdgpu_device_pre_asic_reset+0xd9/0x490 [amdgpu]\n[  102.980573]  amdgpu_device_gpu_recover.cold+0x548/0xce6 [amdgpu]\n[  102.980687]  amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]\n[  102.980740]  process_one_work+0x21f/0x3f0\n[  102.980741]  worker_thread+0x200/0x3e0\n[  102.980742]  ? process_one_work+0x3f0/0x3f0\n[  102.980743]  kthread+0xfd/0x130\n[  102.980743]  ? kthread_complete_and_exit+0x20/0x20\n[  102.980744]  ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()\n\nThe size of array 'priv->ports[]' is INNO_PHY_PORT_NUM.\n\nIn the for loop, 'i' is used as the index for array 'priv->ports[]'\nwith a check (i > INNO_PHY_PORT_NUM) which indicates that\nINNO_PHY_PORT_NUM is an allowed value for 'i' in the same loop.\n\nThis > comparison needs to be changed to >=, otherwise it potentially leads\nto an out of bounds write on the next iteration through the loop",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Add check for kzalloc\n\nAs kzalloc may fail and return NULL pointer,\nit should be better to check the return value\nin order to avoid the NULL pointer dereference.\n\nPatchwork: https://patchwork.freedesktop.org/patch/514154/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: check IFF_UP earlier in Tx path\n\nXsk Tx can be triggered via either sendmsg() or poll() syscalls. These\ntwo paths share a call to common function xsk_xmit() which has two\nsanity checks within. A pseudo code example to show the two paths:\n\n__xsk_sendmsg() :                       xsk_poll():\nif (unlikely(!xsk_is_bound(xs)))        if (unlikely(!xsk_is_bound(xs)))\n    return -ENXIO;                          return mask;\nif (unlikely(need_wait))                (...)\n    return -EOPNOTSUPP;                 xsk_xmit()\nmark napi id\n(...)\nxsk_xmit()\n\nxsk_xmit():\nif (unlikely(!(xs->dev->flags & IFF_UP)))\n\treturn -ENETDOWN;\nif (unlikely(!xs->tx))\n\treturn -ENOBUFS;\n\nAs can be observed above, in sendmsg() the napi id can be marked on an\ninterface that was not brought up and this causes a NULL ptr\ndereference:\n\n[31757.505631] BUG: kernel NULL pointer dereference, address: 0000000000000018\n[31757.512710] #PF: supervisor read access in kernel mode\n[31757.517936] #PF: error_code(0x0000) - not-present page\n[31757.523149] PGD 0 P4D 0\n[31757.525726] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[31757.530154] CPU: 26 PID: 95641 Comm: xdpsock Not tainted 6.2.0-rc5+ #40\n[31757.536871] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[31757.547457] RIP: 0010:xsk_sendmsg+0xde/0x180\n[31757.551799] Code: 00 75 a2 48 8b 00 a8 04 75 9b 84 d2 74 69 8b 85 14 01 00 00 85 c0 75 1b 48 8b 85 28 03 00 00 48 8b 80 98 00 00 00 48 8b 40 20 <8b> 40 18 89 85 14 01 00 00 8b bd 14 01 00 00 81 ff 00 01 00 00 0f\n[31757.570840] RSP: 0018:ffffc90034f27dc0 EFLAGS: 00010246\n[31757.576143] RAX: 0000000000000000 RBX: ffffc90034f27e18 RCX: 0000000000000000\n[31757.583389] RDX: 0000000000000001 RSI: ffffc90034f27e18 RDI: ffff88984cf3c100\n[31757.590631] RBP: ffff88984714a800 R08: ffff88984714a800 R09: 0000000000000000\n[31757.597877] R10: 
0000000000000001 R11: 0000000000000000 R12: 00000000fffffffa\n[31757.605123] R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000000000\n[31757.612364] FS:  00007fb4c5931180(0000) GS:ffff88afdfa00000(0000) knlGS:0000000000000000\n[31757.620571] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[31757.626406] CR2: 0000000000000018 CR3: 000000184b41c003 CR4: 00000000007706e0\n[31757.633648] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[31757.640894] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[31757.648139] PKRU: 55555554\n[31757.650894] Call Trace:\n[31757.653385]  <TASK>\n[31757.655524]  sock_sendmsg+0x8f/0xa0\n[31757.659077]  ? sockfd_lookup_light+0x12/0x70\n[31757.663416]  __sys_sendto+0xfc/0x170\n[31757.667051]  ? do_sched_setscheduler+0xdb/0x1b0\n[31757.671658]  __x64_sys_sendto+0x20/0x30\n[31757.675557]  do_syscall_64+0x38/0x90\n[31757.679197]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[31757.687969] Code: 8e f6 ff 44 8b 4c 24 2c 4c 8b 44 24 20 41 89 c4 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 3a 44 89 e7 48 89 44 24 08 e8 b5 8e f6 ff 48\n[31757.707007] RSP: 002b:00007ffd49c73c70 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\n[31757.714694] RAX: ffffffffffffffda RBX: 000055a996565380 RCX: 00007fb4c5727c16\n[31757.721939] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n[31757.729184] RBP: 0000000000000040 R08: 0000000000000000 R09: 0000000000000000\n[31757.736429] R10: 0000000000000040 R11: 0000000000000293 R12: 0000000000000000\n[31757.743673] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[31757.754940]  </TASK>\n\nTo fix this, let's make xsk_xmit a function that will be responsible for\ngeneric Tx, where RCU is handled accordingly and pull out sanity checks\nand xs->zc handling. Populate sanity checks to __xsk_sendmsg() and\nxsk_poll().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: call op_release, even when op_func returns an error\n\nFor ops with \"trivial\" replies, nfsd4_encode_operation will shortcut\nmost of the encoding work and skip to just marshalling up the status.\nOne of the things it skips is calling op_release. This could cause a\nmemory leak in the layoutget codepath if there is an error at an\ninopportune time.\n\nHave the compound processing engine always call op_release, even when\nop_func sets an error in op->status. With this change, we also need\nnfsd4_block_get_device_info_scsi to set the gd_device pointer to NULL\non error to avoid a double free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/hisi: Drop second sensor hi3660\n\nThe commit 74c8e6bffbe1 (\"driver core: Add __alloc_size hint to devm\nallocators\") exposes a panic \"BRK handler: Fatal exception\" on the\nhi3660_thermal_probe function.\nThis is because the function allocates memory for only one\nsensors array entry, but tries to fill up a second one.\n\nFix this by removing the unneeded second access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile\n\nCallers of `btrfs_reduce_alloc_profile` expect it to return exactly\none allocation profile flag, and failing to do so may ultimately\nresult in a WARN_ON and remount-ro when allocating new blocks, like\nthe below transaction abort on 6.1.\n\n`btrfs_reduce_alloc_profile` has two ways of determining the profile,\nfirst it checks if a conversion balance is currently running and\nuses the profile we're converting to. If no balance is currently\nrunning, it returns the max-redundancy profile which at least one\nblock in the selected block group has.\n\nThis works by simply checking each known allocation profile bit in\nredundancy order. However, `btrfs_reduce_alloc_profile` has not been\nupdated as new flags have been added - first with the `DUP` profile\nand later with the RAID1C34 profiles.\n\nBecause of the way it checks, if we have blocks with different\nprofiles and at least one is known, that profile will be selected.\nHowever, if none are known we may return a flag set with multiple\nallocation profiles set.\n\nThis is currently only possible when a balance from one of the three\nunhandled profiles to another of the unhandled profiles is canceled\nafter allocating at least one block using the new profile.\n\nIn that case, a transaction abort like the below will occur and the\nfilesystem will need to be mounted with -o skip_balance to get it\nmounted rw again (but the balance cannot be resumed without a\nsimilar abort).\n\n  [770.648] ------------[ cut here ]------------\n  [770.648] BTRFS: Transaction aborted (error -22)\n  [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]\n  [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G        W 6.1.0-0.deb11.7-powerpc64le #1  Debian 6.1.20-2~bpo11+1a~test\n  [770.648] Hardware name: T2P9D01 REV 1.00 
POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n  [770.648] NIP:  c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0\n  [770.648] REGS: c000200089afe9a0 TRAP: 0700   Tainted: G        W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)\n  [770.648] MSR:  9000000002029033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE>  CR: 28848282  XER: 20040000\n  [770.648] CFAR: c000000000135110 IRQMASK: 0\n\t    GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026\n\t    GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027\n\t    GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8\n\t    GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000\n\t    GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000\n\t    GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001\n\t    GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800\n\t    GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001\n  [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]\n  [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]\n  [770.648] Call Trace:\n  [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)\n  [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]\n  [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]\n  [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]\n  [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]\n  [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]\n  [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]\n  [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]\n  [770.648] 
[c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs]\n  [770.648] [\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish\n\nWhen the driver calls tw68_risc_buffer() to prepare the buffer, the\nfunction call dma_alloc_coherent may fail, resulting in an empty buffer\nbuf->cpu. Later when we free the buffer or access the buffer, null ptr\nderef is triggered.\n\nThis bug is similar to the following one:\nhttps://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.\n\nWe believe the bug can also be dynamically triggered from user side.\nSimilarly, we fix this by checking the return value of tw68_risc_buffer()\nand the value of buf->cpu before buffer free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix handling of virtual Fibre Channel timeouts\n\nHyper-V provides the ability to connect Fibre Channel LUNs to the host\nsystem and present them in a guest VM as a SCSI device. I/O to the vFC\ndevice is handled by the storvsc driver. The storvsc driver includes a\npartial integration with the FC transport implemented in the generic\nportion of the Linux SCSI subsystem so that FC attributes can be displayed\nin /sys.  However, the partial integration means that some aspects of vFC\ndon't work properly. Unfortunately, a full and correct integration isn't\npractical because of limitations in what Hyper-V provides to the guest.\n\nIn particular, in the context of Hyper-V storvsc, the FC transport timeout\nfunction fc_eh_timed_out() causes a kernel panic because it can't find the\nrport and dereferences a NULL pointer. The original patch that added the\ncall from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this\nregard.\n\nIn many cases a timeout is due to a transient condition, so the situation\ncan be improved by just continuing to wait like with other I/O requests\nissued by storvsc, and avoiding the guaranteed panic. For a permanent\nfailure, continuing to wait may result in a hung thread instead of a panic,\nwhich again may be better.\n\nSo fix the panic by removing the storvsc call to fc_eh_timed_out().  This\nallows storvsc to keep waiting for a response.  The change has been tested\nby users who experienced a panic in fc_eh_timed_out() due to transient\ntimeouts, and it solves their problem.\n\nIn the future we may want to deprecate the vFC functionality in storvsc\nsince it can't be fully fixed. But it has current users for whom it is\nworking well enough, so it should probably stay for a while longer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL\n\nWhen compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount\nis NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to\nS_AUTOMOUNT and corresponding dentry flags is retained regardless of\nCONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in\nVFS follow_automount() when traversing a DFS referral link:\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  Call Trace:\n   <TASK>\n   __traverse_mounts+0xb5/0x220\n   ? cifs_revalidate_mapping+0x65/0xc0 [cifs]\n   step_into+0x195/0x610\n   ? lookup_fast+0xe2/0xf0\n   path_lookupat+0x64/0x140\n   filename_lookup+0xc2/0x140\n   ? __create_object+0x299/0x380\n   ? kmem_cache_alloc+0x119/0x220\n   ? user_path_at_empty+0x31/0x50\n   user_path_at_empty+0x31/0x50\n   __x64_sys_chdir+0x2a/0xd0\n   ? exit_to_user_mode_prepare+0xca/0x100\n   do_syscall_64+0x42/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThis fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler\nwhen CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to\navoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This\napproach was chosen as it provides more control over the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand\n\nWhile trying to get the subpage blocksize tests running, I hit the\nfollowing panic on generic/476\n\n  assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229\n  kernel BUG at fs/btrfs/subpage.c:229!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12\n  Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023\n  pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : btrfs_subpage_assert+0xbc/0xf0\n  lr : btrfs_subpage_assert+0xbc/0xf0\n  Call trace:\n   btrfs_subpage_assert+0xbc/0xf0\n   btrfs_subpage_clear_checked+0x38/0xc0\n   btrfs_page_clear_checked+0x48/0x98\n   btrfs_truncate_block+0x5d0/0x6a8\n   btrfs_cont_expand+0x5c/0x528\n   btrfs_write_check.isra.0+0xf8/0x150\n   btrfs_buffered_write+0xb4/0x760\n   btrfs_do_write_iter+0x2f8/0x4b0\n   btrfs_file_write_iter+0x1c/0x30\n   do_iter_readv_writev+0xc8/0x158\n   do_iter_write+0x9c/0x210\n   vfs_iter_write+0x24/0x40\n   iter_file_splice_write+0x224/0x390\n   direct_splice_actor+0x38/0x68\n   splice_direct_to_actor+0x12c/0x260\n   do_splice_direct+0x90/0xe8\n   generic_copy_file_range+0x50/0x90\n   vfs_copy_file_range+0x29c/0x470\n   __arm64_sys_copy_file_range+0xcc/0x498\n   invoke_syscall.constprop.0+0x80/0xd8\n   do_el0_svc+0x6c/0x168\n   el0_svc+0x50/0x1b0\n   el0t_64_sync_handler+0x114/0x120\n   el0t_64_sync+0x194/0x198\n\nThis happens because during btrfs_cont_expand we'll get a page, set it\nas mapped, and if it's not Uptodate we'll read it.  However between the\nread and re-locking the page we could have called release_folio() on the\npage, but left the page in the file mapping.  
release_folio() can clear\nthe page private, and thus further down we blow up when we go to modify\nthe subpage bits.\n\nFix this by putting the set_page_extent_mapped() after the read.  This\nis safe because read_folio() will call set_page_extent_mapped() before\nit does the read, and then if we clear page private but leave it on the\nmapping we're completely safe re-setting set_page_extent_mapped().  With\nthis patch I can now run generic/476 without panicking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: install stub fence into potential unused fence pointers\n\nWhen using cpu to update page tables, vm update fences are unused.\nInstall stub fence into these fence pointers instead of NULL\nto avoid NULL dereference when calling dma_fence_wait() on them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe\n\nUse devm_of_iomap() instead of of_iomap() to automatically handle\nthe unused ioremap region.\n\nIf any error occurs, regions allocated by kzalloc() will leak,\nbut using devm_kzalloc() instead will automatically free the memory\nusing devm_kfree().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle\n\nKASAN reported a null-ptr-deref error:\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 1373 Comm: modprobe\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:dmi_sysfs_entry_release\n...\nCall Trace:\n <TASK>\n kobject_put\n dmi_sysfs_register_handle (drivers/firmware/dmi-sysfs.c:540) dmi_sysfs\n dmi_decode_table (drivers/firmware/dmi_scan.c:133)\n dmi_walk (drivers/firmware/dmi_scan.c:1115)\n dmi_sysfs_init (drivers/firmware/dmi-sysfs.c:149) dmi_sysfs\n do_one_initcall (init/main.c:1296)\n ...\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x4000000 from 0xffffffff81000000\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nIt is because the previous patch added kobject_put() to release the memory\nwhich will call dmi_sysfs_entry_release() and list_del().\n\nHowever, list_add_tail(entry->list) is called after the error block,\nso the list_head is uninitialized and cannot be deleted.\n\nMove error handling to after list_add_tail to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()\n\nrxq can be NULL only when trans_pcie->rxq is NULL and entry->entry\nis zero. For the case when entry->entry is not equal to 0, rxq\nwon't be NULL even if trans_pcie->rxq is NULL. Modify checker to\ncheck for trans_pcie->rxq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use RCU for hci_conn_params and iterate safely in hci_sync\n\nhci_update_accept_list_sync iterates over hdev->pend_le_conns and\nhdev->pend_le_reports, and waits for controller events in the loop body,\nwithout holding hdev lock.\n\nMeanwhile, these lists and the items may be modified e.g. by\nle_scan_cleanup. This can invalidate the list cursor or any other item\nin the list, resulting in invalid behavior (e.g. use-after-free).\n\nUse RCU for the hci_conn_params action lists. Since the loop bodies in\nhci_sync block and we cannot use RCU or hdev->lock for the whole loop,\ncopy list items first and then iterate on the copy. Only the flags field\nis written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we\nread valid values.\n\nFree params everywhere with hci_conn_params_free so the cleanup is\nguaranteed to be done properly.\n\nThis fixes the following, which can be triggered e.g. by BlueZ new\nmgmt-tester case \"Add + Remove Device Nowait - Success\", or by changing\nhci_le_set_cig_params to always return false, and running iso-tester:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nRead of size 8 at addr ffff888001265018 by task kworker/u3:0/32\n\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n<TASK>\ndump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107)\nprint_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65)\n? 
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nkasan_report (mm/kasan/report.c:538)\n? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\nhci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841)\n? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780)\n? mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_lock (kernel/locking/mutex.c:282)\n? __pfx_mutex_unlock (kernel/locking/mutex.c:538)\n? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861)\nhci_cmd_sync_work (net/bluetooth/hci_sync.c:306)\nprocess_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399)\nworker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538)\n? __pfx_worker_thread (kernel/workqueue.c:2480)\nkthread (kernel/kthread.c:376)\n? __pfx_kthread (kernel/kthread.c:331)\nret_from_fork (arch/x86/entry/entry_64.S:314)\n</TASK>\n\nAllocated by task 31:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\n__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383)\nhci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277)\nhci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589)\nhci_connect_cis (net/bluetooth/hci_conn.c:2266)\niso_connect_cis (net/bluetooth/iso.c:390)\niso_sock_connect (net/bluetooth/iso.c:899)\n__sys_connect (net/socket.c:2003 net/socket.c:2020)\n__x64_sys_connect (net/socket.c:2027)\ndo_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n\nFreed by task 15:\nkasan_save_stack (mm/kasan/common.c:46)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/generic.c:523)\n__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 
mm/kasan/common.c:244)\n__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)\nhci_conn_params_del (net/bluetooth/hci_core.c:2323)\nle_scan_cleanup (net/bluetooth/hci_conn.c:202)\nprocess_one_work (./arch/x86/include/asm/preempt.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Reference hid_device devm allocation of input_dev name\n\nUse hid_device for devm allocation of the input_dev name to avoid a\nuse-after-free. input_unregister_device would trigger devres cleanup of all\nresources associated with the input_dev, freeing the name. The name would\nsubsequently be used in a uevent fired at the end of unregistering the\ninput_dev.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Fix shared_cpu_map to handle shared caches at different levels\n\nThe cacheinfo sets up the shared_cpu_map by checking whether the caches\nwith the same index are shared between CPUs. However, this will trigger\nslab-out-of-bounds access if the CPUs do not have the same cache hierarchy.\nAnother problem is the mismatched shared_cpu_map when the shared cache does\nnot have the same index between CPUs.\n\nCPU0\tI\tD\tL3\nindex\t0\t1\t2\tx\n\t^\t^\t^\t^\nindex\t0\t1\t2\t3\nCPU1\tI\tD\tL2\tL3\n\nThis patch checks each cache is shared with all caches on other CPUs.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()\n\nsvc_create_memory_pool() is only called from stratix10_svc_drv_probe().\nMost of the resources in the probe are managed, but not this memremap() call.\n\nThere is also no memunmap() call in the file.\n\nSo switch to devm_memremap() to avoid a resource leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Fix FFA device names for logical partitions\n\nEach physical partition can provide multiple services each with UUID.\nEach such service can be presented as logical partition with a unique\ncombination of VM ID and UUID. The number of distinct UUID in a system\nwill be less than or equal to the number of logical partitions.\n\nHowever, currently it fails to register more than one logical partition\nor service within a physical partition as the device name contains only\nVM ID while both VM ID and UUID are maintained in the partition information.\nThe kernel complains with the below message:\n\n  | sysfs: cannot create duplicate filename '/devices/arm-ffa-8001'\n  | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7 #8\n  | Hardware name: FVP Base RevC (DT)\n  | Call trace:\n  |  dump_backtrace+0xf8/0x118\n  |  show_stack+0x18/0x24\n  |  dump_stack_lvl+0x50/0x68\n  |  dump_stack+0x18/0x24\n  |  sysfs_create_dir_ns+0xe0/0x13c\n  |  kobject_add_internal+0x220/0x3d4\n  |  kobject_add+0x94/0x100\n  |  device_add+0x144/0x5d8\n  |  device_register+0x20/0x30\n  |  ffa_device_register+0x88/0xd8\n  |  ffa_setup_partitions+0x108/0x1b8\n  |  ffa_init+0x2ec/0x3a4\n  |  do_one_initcall+0xcc/0x240\n  |  do_initcall_level+0x8c/0xac\n  |  do_initcalls+0x54/0x94\n  |  do_basic_setup+0x1c/0x28\n  |  kernel_init_freeable+0x100/0x16c\n  |  kernel_init+0x20/0x1a0\n  |  ret_from_fork+0x10/0x20\n  | kobject_add_internal failed for arm-ffa-8001 with -EEXIST, don't try to\n  | register things with the same name in the same directory.\n  | arm_ffa arm-ffa: unable to register device arm-ffa-8001 err=-17\n  | ARM FF-A: ffa_setup_partitions: failed to register partition ID 0x8001\n\nBy virtue of being random enough to avoid collisions when generated in a\ndistributed system, there is no way to compress UUID keys to the number\nof bits required to identify each. We can eliminate '-' in the name but\nit is not worth eliminating 4 bytes and adding unnecessary logic for doing\nthat. Also v1.0 doesn't provide the UUID of the partitions which makes\nit hard to use the same for the device name.\n\nSo to keep it simple, let us alloc an ID using ida_alloc() and append the\nsame to \"arm-ffa\" to make up a unique device name. Also stash the id value\nin ffa_dev to help freeing the ID later when the device is destroyed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check S1G action frame size\n\nBefore checking the action code, check that it even\nexists in the frame.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix possible underflow for displays with large vblank\n\n[Why]\nUnderflow observed when using a display with a large vblank region\nand low refresh rate\n\n[How]\nSimplify calculation of vblank_nom\n\nIncrease value for VBlankNomDefaultUS to 800us",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF\n\nThe call to get_user_pages_fast() in vmci_host_setup_notify() can return\nNULL context->notify_page causing a GPF. To avoid GPF check if\ncontext->notify_page == NULL and return error if so.\n\ngeneral protection fault, probably for non-canonical address\n    0xe0009d1000000060: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0x0005088000000300-\n    0x0005088000000307]\nCPU: 2 PID: 26180 Comm: repro_34802241 Not tainted 6.1.0-rc4 #1\nHardware name: Red Hat KVM, BIOS 1.15.0-2.module+el8.6.0 04/01/2014\nRIP: 0010:vmci_ctx_check_signal_notify+0x91/0xe0\nCall Trace:\n <TASK>\n vmci_host_unlocked_ioctl+0x362/0x1f40\n __x64_sys_ioctl+0x1a1/0x230\n do_syscall_64+0x3a/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix null pointer dereference in ovl_permission()\n\nFollowing process:\n          P1                     P2\n path_lookupat\n  link_path_walk\n   inode_permission\n    ovl_permission\n      ovl_i_path_real(inode, &realpath)\n        path->dentry = ovl_i_dentry_upper(inode)\n                          drop_cache\n\t\t\t   __dentry_kill(ovl_dentry)\n\t\t            iput(ovl_inode)\n\t\t             ovl_destroy_inode(ovl_inode)\n\t\t              dput(oi->__upperdentry)\n\t\t               dentry_kill(upperdentry)\n\t\t                dentry_unlink_inode\n\t\t\t\t upperdentry->d_inode = NULL\n      realinode = d_inode(realpath.dentry) // return NULL\n      inode_permission(realinode)\n       inode->i_sb  // NULL pointer dereference\n, will trigger a null pointer dereference at realinode:\n  [  335.664979] BUG: kernel NULL pointer dereference,\n                 address: 0000000000000002\n  [  335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0\n  [  335.669956] RIP: 0010:inode_permission+0x33/0x2c0\n  [  335.678939] Call Trace:\n  [  335.679165]  <TASK>\n  [  335.679371]  ovl_permission+0xde/0x320\n  [  335.679723]  inode_permission+0x15e/0x2c0\n  [  335.680090]  link_path_walk+0x115/0x550\n  [  335.680771]  path_lookupat.isra.0+0xb2/0x200\n  [  335.681170]  filename_lookup+0xda/0x240\n  [  335.681922]  vfs_statx+0xa6/0x1f0\n  [  335.682233]  vfs_fstatat+0x7b/0xb0\n\nFetch a reproducer in [Link].\n\nUse the helper ovl_i_path_realinode() to get realinode and then do\nnon-nullptr checking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Fix memory leak in acpi_buffer->pointer\n\nThere are memory leaks reported by kmemleak:\n...\nunreferenced object 0xffff00213c141000 (size 1024):\n  comm \"systemd-udevd\", pid 2123, jiffies 4294909467 (age 6062.160s)\n  hex dump (first 32 bytes):\n    04 00 00 00 02 00 00 00 18 10 14 3c 21 00 ff ff  ...........<!...\n    00 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00  ................\n  backtrace:\n    [<000000004b7c9001>] __kmem_cache_alloc_node+0x2f8/0x348\n    [<00000000b0fc7ceb>] __kmalloc+0x58/0x108\n    [<0000000064ff4695>] acpi_os_allocate+0x2c/0x68\n    [<000000007d57d116>] acpi_ut_initialize_buffer+0x54/0xe0\n    [<0000000024583908>] acpi_evaluate_object+0x388/0x438\n    [<0000000017b2e72b>] acpi_evaluate_object_typed+0xe8/0x240\n    [<000000005df0eac2>] coresight_get_platform_data+0x1b4/0x988 [coresight]\n...\n\nThe ACPI buffer memory (buf.pointer) should be freed. But the buffer\nis also used after returning from acpi_get_dsd_graph().\nMove the temporary variables buf to acpi_coresight_parse_graph(),\nand free it before the function return to prevent memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix scheduling while atomic in decompression path\n\n[   16.945668][    C0] Call trace:\n[   16.945678][    C0]  dump_backtrace+0x110/0x204\n[   16.945706][    C0]  dump_stack_lvl+0x84/0xbc\n[   16.945735][    C0]  __schedule_bug+0xb8/0x1ac\n[   16.945756][    C0]  __schedule+0x724/0xbdc\n[   16.945778][    C0]  schedule+0x154/0x258\n[   16.945793][    C0]  bit_wait_io+0x48/0xa4\n[   16.945808][    C0]  out_of_line_wait_on_bit+0x114/0x198\n[   16.945824][    C0]  __sync_dirty_buffer+0x1f8/0x2e8\n[   16.945853][    C0]  __f2fs_commit_super+0x140/0x1f4\n[   16.945881][    C0]  f2fs_commit_super+0x110/0x28c\n[   16.945898][    C0]  f2fs_handle_error+0x1f4/0x2f4\n[   16.945917][    C0]  f2fs_decompress_cluster+0xc4/0x450\n[   16.945942][    C0]  f2fs_end_read_compressed_page+0xc0/0xfc\n[   16.945959][    C0]  f2fs_handle_step_decompress+0x118/0x1cc\n[   16.945978][    C0]  f2fs_read_end_io+0x168/0x2b0\n[   16.945993][    C0]  bio_endio+0x25c/0x2c8\n[   16.946015][    C0]  dm_io_dec_pending+0x3e8/0x57c\n[   16.946052][    C0]  clone_endio+0x134/0x254\n[   16.946069][    C0]  bio_endio+0x25c/0x2c8\n[   16.946084][    C0]  blk_update_request+0x1d4/0x478\n[   16.946103][    C0]  scsi_end_request+0x38/0x4cc\n[   16.946129][    C0]  scsi_io_completion+0x94/0x184\n[   16.946147][    C0]  scsi_finish_command+0xe8/0x154\n[   16.946164][    C0]  scsi_complete+0x90/0x1d8\n[   16.946181][    C0]  blk_done_softirq+0xa4/0x11c\n[   16.946198][    C0]  _stext+0x184/0x614\n[   16.946214][    C0]  __irq_exit_rcu+0x78/0x144\n[   16.946234][    C0]  handle_domain_irq+0xd4/0x154\n[   16.946260][    C0]  gic_handle_irq.33881+0x5c/0x27c\n[   16.946281][    C0]  call_on_irq_stack+0x40/0x70\n[   16.946298][    C0]  do_interrupt_handler+0x48/0xa4\n[   16.946313][    C0]  el1_interrupt+0x38/0x68\n[   16.946346][    C0]  el1h_64_irq_handler+0x20/0x30\n[   16.946362][    C0]  el1h_64_irq+0x78/0x7c\n[   16.946377][    C0]  finish_task_switch+0xc8/0x3d8\n[   16.946394][    C0]  __schedule+0x600/0xbdc\n[   16.946408][    C0]  preempt_schedule_common+0x34/0x5c\n[   16.946423][    C0]  preempt_schedule+0x44/0x48\n[   16.946438][    C0]  process_one_work+0x30c/0x550\n[   16.946456][    C0]  worker_thread+0x414/0x8bc\n[   16.946472][    C0]  kthread+0x16c/0x1e0\n[   16.946486][    C0]  ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create\n\nWe can't simply free the connector after calling drm_connector_init on it.\nWe need to clean up the drm side first.\n\nIt might not fix all regressions from commit 2b5d1c29f6c4\n(\"drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts\"),\nbut at least it fixes a memory corruption in error handling related to\nthat commit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe\n\nUse devm_of_iomap() instead of of_iomap() to automatically\nhandle the unused ioremap region. If any error occurs, regions allocated by\nkzalloc() will leak, but using devm_kzalloc() instead will automatically\nfree the memory using devm_kfree().\n\nAlso, fix error handling of hws by adding unregister_hws label, which\nunregisters remaining hws when iomap failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: ensure that VID header offset + VID header size <= alloc, size\n\nEnsure that the VID header offset + VID header size does not exceed\nthe allocated area to avoid slab OOB.\n\nBUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]\nBUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]\nBUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197\nRead of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555\n\nCPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G        W\n6.0.0-1868 #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29\n04/01/2014\nCall Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x85/0xad lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:317 [inline]\n  print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433\n  kasan_report+0xa7/0x11b mm/kasan/report.c:495\n  crc32_body lib/crc32.c:111 [inline]\n  crc32_le_generic lib/crc32.c:179 [inline]\n  crc32_le_base+0x58c/0x626 lib/crc32.c:197\n  ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067\n  create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317\n  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]\n  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812\n  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601\n  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965\n  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:870 [inline]\n  __se_sys_ioctl fs/ioctl.c:856 [inline]\n  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0x0\nRIP: 0033:0x7f96d5cf753d\nCode:\nRSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d\nRDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003\nRBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0\nR13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000\n  </TASK>\n\nAllocated by task 1555:\n  kasan_save_stack+0x20/0x3d mm/kasan/common.c:38\n  kasan_set_track mm/kasan/common.c:45 [inline]\n  set_alloc_info mm/kasan/common.c:437 [inline]\n  ____kasan_kmalloc mm/kasan/common.c:516 [inline]\n  __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525\n  kasan_kmalloc include/linux/kasan.h:234 [inline]\n  __kmalloc+0x138/0x257 mm/slub.c:4429\n  kmalloc include/linux/slab.h:605 [inline]\n  ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]\n  create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295\n  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]\n  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812\n  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601\n  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965\n  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:870 [inline]\n  __se_sys_ioctl fs/ioctl.c:856 [inline]\n  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0x0\n\nThe buggy address belongs to the object at ffff88802bb36e00\n  which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 0 bytes to the right of\n  256-byte region [ffff88802bb36e00, ffff88802bb36f00)\n\nThe buggy address belongs to the physical page:\npage:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000\nindex:0x0 pfn:0x2bb36\nhead:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\nraw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40\nraw: 0000000000000000 00000000001\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: acpi: Fix possible memory leak of ffh_ctxt\n\nAllocated 'ffh_ctxt' memory leak is possible if the SMCCC version\nand conduit checks fail and -EOPNOTSUPP is returned without freeing the\nallocated memory.\n\nFix the same by moving the allocation after the SMCCC version and\nconduit checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: soc: xilinx: fix memory leak in xlnx_add_cb_for_notify_event()\n\nThe kfree() should be called when memory fails to be allocated for\ncb_data in xlnx_add_cb_for_notify_event(), otherwise there will be\na memory leak, so add kfree() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl_mqs: move of_node_put() to the correct location\n\nof_node_put() should have been done directly after\nmqs_priv->regmap = syscon_node_to_regmap(gpr_np);\notherwise it creates a reference leak on the success path.\n\nTo fix this, of_node_put() is moved to the correct location, and change\nall the gotos to direct returns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: make sure that block size is set correctly\n\nblock size is one very key setting for block layer, and bad block size\ncould panic kernel easily.\n\nMake sure that block size is set correctly.\n\nMeantime if ublk_validate_params() fails, clear ub->params so that disk\nis prevented from being added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix i_disksize exceeding i_size problem in partially written case\n\nIt is possible for i_disksize to exceed i_size, triggering a warning.\n\ngeneric_perform_write\n copied = iov_iter_copy_from_user_atomic(len) // copied < len\n ext4_da_write_end\n | ext4_update_i_disksize\n |  new_i_size = pos + copied;\n |  WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize\n | generic_write_end\n |  copied = block_write_end(copied, len) // copied = 0\n |   if (unlikely(copied < len))\n |    if (!PageUptodate(page))\n |     copied = 0;\n |  if (pos + copied > inode->i_size) // return false\n if (unlikely(copied == 0))\n  goto again;\n if (unlikely(iov_iter_fault_in_readable(i, bytes))) {\n  status = -EFAULT;\n  break;\n }\n\nWe get i_disksize greater than i_size here, which could trigger WARNING\ncheck 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:\n\next4_dio_write_iter\n iomap_dio_rw\n  __iomap_dio_rw // return err, length is not aligned to 512\n ext4_handle_inode_extension\n  WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops\n\n WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319\n CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2\n RIP: 0010:ext4_file_write_iter+0xbc7\n Call Trace:\n  vfs_write+0x3b1\n  ksys_write+0x77\n  do_syscall_64+0x39\n\nFix it by updating 'copied' value before updating i_disksize just like\next4_write_inline_data_end() does.\n\nA reproducer can be found in the buganizer link below.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()\n\nThere is a memory leak problem reported by kmemleak:\n\nunreferenced object 0xffff888102007a00 (size 128):\n  comm \"ubirsvol\", pid 32090, jiffies 4298464136 (age 2361.231s)\n  hex dump (first 32 bytes):\nff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\nff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\n  backtrace:\n[<ffffffff8176cecd>] __kmalloc+0x4d/0x150\n[<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]\n[<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]\n[<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]\n[<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170\n[<ffffffff83c142a5>] do_syscall_64+0x35/0x80\n[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis is due to a mismatch between create and destroy interfaces, and\nin detail that \"new_eba_tbl\" is created by ubi_eba_create_table() but\ndestroyed by kfree(), which causes \"new_eba_tbl->entries\" not to be\nfreed.\n\nFix it by replacing kfree(new_eba_tbl) with\nubi_eba_destroy_table(new_eba_tbl)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: fix shift-out-of-bounds in exponential backoff\n\nThe ENA adapters on our instances occasionally reset.  One recently\nlogged a UBSAN failure to console in the process:\n\n  UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13\n  shift exponent 32 is too large for 32-bit type 'unsigned int'\n  CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117\n  Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017\n  Workqueue: ena ena_fw_reset_device [ena]\n  Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4a/0x63\n  dump_stack+0x10/0x16\n  ubsan_epilogue+0x9/0x36\n  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n  ? __const_udelay+0x43/0x50\n  ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]\n  wait_for_reset_state+0x54/0xa0 [ena]\n  ena_com_dev_reset+0xc8/0x110 [ena]\n  ena_down+0x3fe/0x480 [ena]\n  ena_destroy_device+0xeb/0xf0 [ena]\n  ena_fw_reset_device+0x30/0x50 [ena]\n  process_one_work+0x22b/0x3d0\n  worker_thread+0x4d/0x3f0\n  ? process_one_work+0x3d0/0x3d0\n  kthread+0x12a/0x150\n  ? set_kthread_struct+0x50/0x50\n  ret_from_fork+0x22/0x30\n  </TASK>\n\nApparently, the reset delays are getting so large they can trigger a\nUBSAN panic.\n\nLooking at the code, the current timeout is capped at 5000us.  Using a\nbase value of 100us, the current code will overflow after (1<<29).  Even\nat values before 32, this function wraps around, perhaps\nunintentionally.\n\nCap the value of the exponent used for this backoff at (1<<16) which is\nlarger than currently necessary, but large enough to support bigger\nvalues in the future.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: vmbus: Check for channel allocation before looking up relids\n\nrelid2channel() assumes vmbus channel array to be allocated when called.\nHowever, in cases such as kdump/kexec, not all relids will be reset by the host.\nWhen the second kernel boots and if the guest receives a vmbus interrupt during\nvmbus driver initialization before vmbus_connect() is called, before it finishes,\nor if it fails, the vmbus interrupt service routine is called which in turn calls\nrelid2channel() and can cause a null pointer dereference.\n\nPrint a warning and error out in relid2channel() for a channel id that's invalid\nin the second kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: mt8183: Add back SSPM related clocks\n\nThis reverts commit 860690a93ef23b567f781c1b631623e27190f101.\n\nOn the MT8183, the SSPM related clocks were removed claiming a lack of\nusage. This however causes some issues when the driver was converted to\nthe new simple-probe mechanism. This mechanism allocates enough space\nfor all the clocks defined in the clock driver, not the highest index\nin the DT binding. This leads to out-of-bound writes if there are holes\nin the DT binding or the driver (due to deprecated or unimplemented\nclocks). These errors can go unnoticed and cause memory corruption,\nleading to crashes in unrelated areas, or nothing at all. KASAN will\ndetect them.\n\nAdd the SSPM related clocks back to the MT8183 clock driver to fully\nimplement the DT binding. The SSPM clocks are for the power management\nco-processor, and should never be turned off. They are marked as such.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()\n\nThe variable codec->regmap is often protected by the lock\ncodec->regmap_lock when it is accessed. However, it is accessed without\nholding the lock when it is accessed in snd_hdac_regmap_sync():\n\n  if (codec->regmap)\n\nIn my opinion, this may be a harmful race, because if codec->regmap is\nset to NULL right after the condition is checked, a null-pointer\ndereference can occur in the called function regcache_sync():\n\n  map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c\n\nTo fix this possible null-pointer dereference caused by data race, the\nmutex_lock coverage is extended to protect the if statement as well as the\nfunction call to regcache_sync().\n\n[ Note: the lack of the regmap_lock itself is harmless for the current\n  codec driver implementations, as snd_hdac_regmap_sync() is only for\n  PM runtime resume that is prohibited during the codec probe.\n  But the change makes the whole code more consistent, so it's merged\n  as is -- tiwai ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Free memory for tmpfile name\n\nWhen opening a ubifs tmpfile on an encrypted directory, function\nfscrypt_setup_filename allocates memory for the name that is to be\nstored in the directory entry, but after the name has been copied to the\ndirectory entry inode, the memory is not freed.\n\nWhen running kmemleak on it we see that it is registered as a leak. The\nreport below is triggered by a simple program 'tmpfile' just opening a\ntmpfile:\n\n  unreferenced object 0xffff88810178f380 (size 32):\n    comm \"tmpfile\", pid 509, jiffies 4294934744 (age 1524.742s)\n    backtrace:\n      __kmem_cache_alloc_node\n      __kmalloc\n      fscrypt_setup_filename\n      ubifs_tmpfile\n      vfs_tmpfile\n      path_openat\n\nFree this memory after it has been copied to the inode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwl3945: Add missing check for create_singlethread_workqueue\n\nAdd the check for the return value of the create_singlethread_workqueue\nin order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in ubifs_sysfs_init()\n\nWhen insmod ubifs.ko, a kmemleak reported as below:\n\n unreferenced object 0xffff88817fb1a780 (size 8):\n   comm \"insmod\", pid 25265, jiffies 4295239702 (age 100.130s)\n   hex dump (first 8 bytes):\n     75 62 69 66 73 00 ff ff                          ubifs...\n   backtrace:\n     [<ffffffff81b3fc4c>] slab_post_alloc_hook+0x9c/0x3c0\n     [<ffffffff81b44bf3>] __kmalloc_track_caller+0x183/0x410\n     [<ffffffff8198d3da>] kstrdup+0x3a/0x80\n     [<ffffffff8198d486>] kstrdup_const+0x66/0x80\n     [<ffffffff83989325>] kvasprintf_const+0x155/0x190\n     [<ffffffff83bf55bb>] kobject_set_name_vargs+0x5b/0x150\n     [<ffffffff83bf576b>] kobject_set_name+0xbb/0xf0\n     [<ffffffff8100204c>] do_one_initcall+0x14c/0x5a0\n     [<ffffffff8157e380>] do_init_module+0x1f0/0x660\n     [<ffffffff815857be>] load_module+0x6d7e/0x7590\n     [<ffffffff8158644f>] __do_sys_finit_module+0x19f/0x230\n     [<ffffffff815866b3>] __x64_sys_finit_module+0x73/0xb0\n     [<ffffffff88c98e85>] do_syscall_64+0x35/0x80\n     [<ffffffff88e00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWhen kset_register() failed, we should call kset_put to cleanup it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: vmw_balloon: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Remove unused nvme_ls_waitq wait queue\n\nSystem crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up\ngets called for uninitialized wait queue sp->nvme_ls_waitq.\n\n    qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0\n    qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11\n    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n    PGD 0 P4D 0\n    Oops: 0000 [#1] SMP NOPTI\n    Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n    Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n    RIP: 0010:__wake_up_common+0x4c/0x190\n    RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n    RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n    RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n    RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n    R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n    R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n    FS:  0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    PKRU: 55555554\n    Call Trace:\n     __wake_up_common_lock+0x7c/0xc0\n     qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n     ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n     ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n     ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n\nRemove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed\npreviously in the commits tagged Fixed: below.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: staging: rtl8723bs: Fix locking in _rtw_join_timeout_handler()\n\nCommit 041879b12ddb (\"drivers: staging: rtl8192bs: Fix deadlock in\nrtw_joinbss_event_prehandle()\") besides fixing the deadlock also\nmodified _rtw_join_timeout_handler() to use spin_[un]lock_irq()\ninstead of spin_[un]lock_bh().\n\n_rtw_join_timeout_handler() calls rtw_do_join() which takes\npmlmepriv->scanned_queue.lock using spin_[un]lock_bh(). This\nspin_unlock_bh() call re-enables softirqs which triggers an oops in\nkernel/softirq.c: __local_bh_enable_ip() when it calls\nlockdep_assert_irqs_enabled():\n\n[  244.506087] WARNING: CPU: 2 PID: 0 at kernel/softirq.c:376 __local_bh_enable_ip+0xa6/0x100\n...\n[  244.509022] Call Trace:\n[  244.509048]  <IRQ>\n[  244.509100]  _rtw_join_timeout_handler+0x134/0x170 [r8723bs]\n[  244.509468]  ? __pfx__rtw_join_timeout_handler+0x10/0x10 [r8723bs]\n[  244.509772]  ? __pfx__rtw_join_timeout_handler+0x10/0x10 [r8723bs]\n[  244.510076]  call_timer_fn+0x95/0x2a0\n[  244.510200]  __run_timers.part.0+0x1da/0x2d0\n\nThis oops is caused by the switch to spin_[un]lock_irq() which disables\nthe IRQs for the entire duration of _rtw_join_timeout_handler().\n\nDisabling the IRQs is not necessary since all code taking this lock\nruns from either user contexts or from softirqs, switch back to\nspin_[un]lock_bh() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write\n\nDuring the sysfs firmware write process, a use-after-free read warning is\nlogged from the lpfc_wr_object() routine:\n\n  BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc]\n  Use-after-free read at 0x0000000000cf164d (in kfence-#111):\n  lpfc_wr_object+0x235/0x310 [lpfc]\n  lpfc_write_firmware.cold+0x206/0x30d [lpfc]\n  lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc]\n  lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc]\n  kernfs_fop_write_iter+0x121/0x1b0\n  new_sync_write+0x11c/0x1b0\n  vfs_write+0x1ef/0x280\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x59/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe driver accessed wr_object pointer data, which was initialized into\nmailbox payload memory, after the mailbox object was released back to the\nmailbox pool.\n\nFix by moving the mailbox free calls to the end of the routine ensuring\nthat we don't reference internal mailbox memory after release.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for null return of devm_kzalloc() in dpu_writeback_init()\n\nBecause of the possible failure of devm_kzalloc(), dpu_wb_conn might\nbe NULL and will cause null pointer dereference later.\n\nTherefore, it might be better to check it and directly return -ENOMEM.\n\nPatchwork: https://patchwork.freedesktop.org/patch/512277/\n[DB: fixed typo in commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add bounds checking in get_max_inline_xattr_value_size()\n\nNormally the extended attributes in the inode body would have been\nchecked when the inode is first opened, but if someone is writing to\nthe block device while the file system is mounted, it's possible for\nthe inode table to get corrupted.  Add bounds checking to avoid\nreading beyond the end of allocated memory if this happens.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Return the firmware result upon destroying QP/RQ\n\nPreviously when destroying a QP/RQ, the result of the firmware\ndestruction function was ignored and upper layers weren't informed\nabout the failure.\nWhich in turn could lead to various problems since when upper layer\nisn't aware of the failure it continues its operation thinking that the\nrelated QP/RQ was successfully destroyed while it actually wasn't,\nwhich could lead to the below kernel WARN.\n\nCurrently, we return the correct firmware destruction status to upper\nlayers which in case of the RQ would be mlx5_ib_destroy_wq() which\nwas already capable of handling RQ destruction failure or in case of\na QP to destroy_qp_common(), which now would actually warn upon qp\ndestruction failure.\n\nWARNING: CPU: 3 PID: 995 at drivers/infiniband/core/rdma_core.c:940 uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]\nModules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core overlay mlx5_core fuse\nCPU: 3 PID: 995 Comm: python3 Not tainted 5.16.0-rc5+ #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs]\nCode: 41 5c 41 5d 41 5e e9 44 34 f0 e0 48 89 df e8 4c 77 ff ff 49 8b 86 10 01 00 00 48 85 c0 74 a1 4c 89 e7 ff d0 eb 9a 0f 0b eb c1 <0f> 0b be 04 00 00 00 48 89 df e8 b6 f6 ff ff e9 75 ff ff ff 90 0f\nRSP: 0018:ffff8881533e3e78 EFLAGS: 00010287\nRAX: ffff88811b2cf3e0 RBX: ffff888106209700 RCX: 0000000000000000\nRDX: ffff888106209780 RSI: ffff8881533e3d30 RDI: ffff888109b101a0\nRBP: 0000000000000001 R08: ffff888127cb381c R09: 0de9890000000009\nR10: ffff888127cb3800 R11: 0000000000000000 R12: ffff888106209780\nR13: ffff888106209750 R14: ffff888100f20660 R15: 0000000000000000\nFS:  00007f8be353b740(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8bd5b117c0 CR3: 000000012cd8a004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ib_uverbs_close+0x1a/0x90 [ib_uverbs]\n __fput+0x82/0x230\n task_work_run+0x59/0x90\n exit_to_user_mode_prepare+0x138/0x140\n syscall_exit_to_user_mode+0x1d/0x50\n ? __x64_sys_close+0xe/0x40\n do_syscall_64+0x4a/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f8be3ae0abb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 83 43 f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 c1 43 f9 ff 8b 44\nRSP: 002b:00007ffdb51909c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000557bb7f7c020 RCX: 00007f8be3ae0abb\nRDX: 0000557bb7c74010 RSI: 0000557bb7f14ca0 RDI: 0000000000000005\nRBP: 0000557bb7fbd598 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000557bb7fbd5b8\nR13: 0000557bb7fbd5a8 R14: 0000000000001000 R15: 0000557bb7f7c020\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: Put the cdns set active part outside the spin lock\n\nThe device may be scheduled during the resume process,\nso this cannot appear in atomic operations. Since\npm_runtime_set_active will resume suppliers, put set\nactive outside the spin lock, which is only used to\nprotect the struct cdns data structure, otherwise the\nkernel will report the following warning:\n\n  BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 651, name: sh\n  preempt_count: 1, expected: 0\n  RCU nest depth: 0, expected: 0\n  CPU: 0 PID: 651 Comm: sh Tainted: G        WC         6.1.20 #1\n  Hardware name: Freescale i.MX8QM MEK (DT)\n  Call trace:\n    dump_backtrace.part.0+0xe0/0xf0\n    show_stack+0x18/0x30\n    dump_stack_lvl+0x64/0x80\n    dump_stack+0x1c/0x38\n    __might_resched+0x1fc/0x240\n    __might_sleep+0x68/0xc0\n    __pm_runtime_resume+0x9c/0xe0\n    rpm_get_suppliers+0x68/0x1b0\n    __pm_runtime_set_status+0x298/0x560\n    cdns_resume+0xb0/0x1c0\n    cdns3_controller_resume.isra.0+0x1e0/0x250\n    cdns3_plat_resume+0x28/0x40",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix memory leak in drm_client_modeset_probe\n\nWhen a new mode is set to modeset->mode, the previous mode should be freed.\nThis fixes the following kmemleak report:\n\ndrm_mode_duplicate+0x45/0x220 [drm]\ndrm_client_modeset_probe+0x944/0xf50 [drm]\n__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]\ndrm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]\ndrm_client_register+0x169/0x240 [drm]\nast_pci_probe+0x142/0x190 [ast]\nlocal_pci_probe+0xdc/0x180\nwork_for_cpu_fn+0x4e/0xa0\nprocess_one_work+0x8b7/0x1540\nworker_thread+0x70a/0xed0\nkthread+0x29f/0x340\nret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: bdisp: Add missing check for create_workqueue\n\nAdd the check for the return value of the create_workqueue\nin order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsamples/bpf: Fix fout leak in hbm's run_bpf_prog\n\nFix fout being fopen'ed but then not subsequently fclose'd. In the affected\nbranch, fout is otherwise going out of scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale\n\nRunning the 'kfree_rcu_test' test case [1] results in a splat [2].\nThe root cause is the kfree_scale_thread thread(s) continue running\nafter unloading the rcuscale module.  This commit fixes that issue by\ninvoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing\nthe rcuscale module.\n\n[1] modprobe rcuscale kfree_rcu_test=1\n    // After some time\n    rmmod rcuscale\n    rmmod torture\n\n[2] BUG: unable to handle page fault for address: ffffffffc0601a87\n    #PF: supervisor instruction fetch in kernel mode\n    #PF: error_code(0x0010) - not-present page\n    PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0\n    Oops: 0010 [#1] PREEMPT SMP NOPTI\n    CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n    RIP: 0010:0xffffffffc0601a87\n    Code: Unable to access opcode bytes at 0xffffffffc0601a5d.\n    RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297\n    RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000\n    RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de\n    RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000\n    R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\n    R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe\n    FS:  0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n     <TASK>\n     ? kvfree_call_rcu+0xf0/0x3a0\n     ? kthread+0xf3/0x120\n     ? kthread_complete_and_exit+0x20/0x20\n     ? ret_from_fork+0x1f/0x30\n     </TASK>\n    Modules linked in: rfkill sunrpc ... [last unloaded: torture]\n    CR2: ffffffffc0601a87\n    ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none\n\nAfter grabbing q->sysfs_lock, q->elevator may become NULL because of\nelevator switch.\n\nFix the NULL dereference on q->elevator by checking it with lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()\n\nSyzbot reported a null-ptr-deref bug:\n\nntfs3: loop0: Different NTFS' sector size (1024) and media sector size\n(512)\nntfs3: loop0: Mark volume as dirty due to NTFS errors\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nRIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]\nRIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796\nCall Trace:\n <TASK>\n d_splice_alias+0x122/0x3b0 fs/dcache.c:3191\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3688\n do_filp_open+0x264/0x4f0 fs/namei.c:3718\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_open fs/open.c:1334 [inline]\n __se_sys_open fs/open.c:1330 [inline]\n __x64_sys_open+0x221/0x270 fs/open.c:1330\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIf the MFT record of ntfs inode is not a base record, inode->i_op can be\nNULL. And a null-ptr-deref may happen:\n\nntfs_lookup()\n    dir_search_u() # inode->i_op is set to NULL\n    d_splice_alias()\n        __d_add()\n            d_flags_for_inode() # inode->i_op->get_link null-ptr-deref\n\nFix this by adding a check on inode->i_op before calling the\nd_splice_alias() function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Do not update file length for failed writes to inline files\n\nWhen a write to an inline file fails (or happens only partly), we still\nupdated the length of inline data as if the whole write succeeded. Fix the\nupdate of the length of inline data to happen only if the write succeeds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: check send stream number after wait_for_sndbuf\n\nThis patch fixes a corner case where the asoc out stream count may change\nafter wait_for_sndbuf.\n\nWhen the main thread in the client starts a connection, if its out stream\ncount is set to N while the in stream count in the server is set to N - 2,\nanother thread in the client keeps sending the msgs with stream number\nN - 1, and waits for sndbuf before processing INIT_ACK.\n\nHowever, after processing INIT_ACK, the out stream count in the client is\nshrunk to N - 2, the same to the in stream count in the server. The crash\noccurs when the thread waiting for sndbuf is awake and sends the msg in a\nnon-existing stream(N - 1), the call trace is as below:\n\n  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n  Call Trace:\n   <TASK>\n   sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline]\n   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline]\n   sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]\n   sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170\n   sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163\n   sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868\n   sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026\n   inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825\n   sock_sendmsg_nosec net/socket.c:722 [inline]\n   sock_sendmsg+0xde/0x190 net/socket.c:745\n\nThe fix is to add an unlikely check for the send stream number after the\nthread wakes up from the wait_for_sndbuf.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: fix \"bad unlock balance\" in l2cap_disconnect_rsp\n\nconn->chan_lock isn't acquired before l2cap_get_chan_by_scid,\nif l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance'\nis triggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix memory leak of se_io context in nfc_genl_se_io\n\nThe callback context for sending/receiving APDUs to/from the selected\nsecure element is allocated inside nfc_genl_se_io and supposed to be\neventually freed in se_io_cb callback function. However, there are several\nerror paths where the bwi_timer is not charged to call se_io_cb later, and\nthe cb_context is leaked.\n\nThe patch proposes to free the cb_context explicitly on those error paths.\n\nAt the moment we can't simply check 'dev->ops->se_io()' return value as it\nmay be negative in both cases: when the timer was charged and was not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix leak of 'r10bio->remaining' for recovery\n\nraid10_sync_request() will add 'r10bio->remaining' for both rdev and\nreplacement rdev. However, if the read io fails, recovery_request_write()\nreturns without issuing the write io, in this case, end_sync_request()\nis only called once and 'remaining' is leaked, cause an io hang.\n\nFix the problem by decreasing 'remaining' according to if 'bio' and\n'repl_bio' is valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hi846: Fix memleak in hi846_init_controls()\n\nhi846_init_controls doesn't clean the allocated ctrl_hdlr\nin case there is a failure, which causes memleak. Add\nv4l2_ctrl_handler_free to free the resource properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix kernel crash due to null io->bio\n\nWe should return when io->bio is null before doing anything. Otherwise, panic.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nRIP: 0010:__submit_merged_write_cond+0x164/0x240 [f2fs]\nCall Trace:\n <TASK>\n f2fs_submit_merged_write+0x1d/0x30 [f2fs]\n commit_checkpoint+0x110/0x1e0 [f2fs]\n f2fs_write_checkpoint+0x9f7/0xf00 [f2fs]\n ? __pfx_issue_checkpoint_thread+0x10/0x10 [f2fs]\n __checkpoint_and_complete_reqs+0x84/0x190 [f2fs]\n ? preempt_count_add+0x82/0xc0\n ? __pfx_issue_checkpoint_thread+0x10/0x10 [f2fs]\n issue_checkpoint_thread+0x4c/0xf0 [f2fs]\n ? __pfx_autoremove_wake_function+0x10/0x10\n kthread+0xff/0x130\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwl4965: Add missing check for create_singlethread_workqueue()\n\nAdd the check for the return value of the create_singlethread_workqueue()\nin order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: vcap api: Fix possible memory leak for vcap_dup_rule()\n\nInject fault When select CONFIG_VCAP_KUNIT_TEST, the below memory leak\noccurs. If kzalloc() for duprule succeeds, but the following\nkmemdup() fails, the duprule, ckf and caf memory will be leaked. So kfree\nthem in the error path.\n\nunreferenced object 0xffff122744c50600 (size 192):\n  comm \"kunit_try_catch\", pid 346, jiffies 4294896122 (age 911.812s)\n  hex dump (first 32 bytes):\n    10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00  .'..........,...\n    00 00 00 00 00 00 00 00 18 06 c5 44 27 12 ff ff  ...........D'...\n  backtrace:\n    [<00000000394b0db8>] __kmem_cache_alloc_node+0x274/0x2f8\n    [<0000000001bedc67>] kmalloc_trace+0x38/0x88\n    [<00000000b0612f98>] vcap_dup_rule+0x50/0x460\n    [<000000005d2d3aca>] vcap_add_rule+0x8cc/0x1038\n    [<00000000eef9d0f8>] test_vcap_xn_rule_creator.constprop.0.isra.0+0x238/0x494\n    [<00000000cbda607b>] vcap_api_rule_remove_in_front_test+0x1ac/0x698\n    [<00000000c8766299>] kunit_try_run_case+0xe0/0x20c\n    [<00000000c4fe9186>] kunit_generic_run_threadfn_adapter+0x50/0x94\n    [<00000000f6864acf>] kthread+0x2e8/0x374\n    [<0000000022e639b3>] ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix overlap expiration walk\n\nThe lazy gc on insert that should remove timed-out entries fails to release\nthe other half of the interval, if any.\n\nCan be reproduced with tests/shell/testcases/sets/0044interval_overlap_0\nin nftables.git and kmemleak enabled kernel.\n\nSecond bug is the use of rbe_prev vs. prev pointer.\nIf rbe_prev() returns NULL after at least one iteration, rbe_prev points\nto element that is not an end interval, hence it should not be removed.\n\nLastly, check the genmask of the end interval if this is active in the\ncurrent generation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: force clear dirty mark if CoW\n\nXFS allows CoW on non-shared extents to combat fragmentation[1].  The old\nnon-shared extent could be mwrited before, its dax entry is marked dirty. \n\nThis results in a WARNing:\n\n[   28.512349] ------------[ cut here ]------------\n[   28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390\n[   28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables\n[   28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117\n[   28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014\n[   28.516307] RIP: 0010:dax_insert_entry+0x342/0x390\n[   28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff <0f> 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48\n[   28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086\n[   28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b\n[   28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff\n[   28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8\n[   28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155\n[   28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8\n[   28.519703] FS:  00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000\n[   28.520148] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0\n[   28.520863] PKRU: 55555554\n[   28.521043] Call Trace:\n[   28.521219]  <TASK>\n[   28.521368]  dax_fault_iter+0x196/0x390\n[   28.521595]  dax_iomap_pte_fault+0x19b/0x3d0\n[   28.521852]  __xfs_filemap_fault+0x234/0x2b0\n[   28.522116]  __do_fault+0x30/0x130\n[   28.522334]  do_fault+0x193/0x340\n[   28.522586]  __handle_mm_fault+0x2d3/0x690\n[   28.522975]  handle_mm_fault+0xe6/0x2c0\n[   28.523259]  do_user_addr_fault+0x1bc/0x6f0\n[   28.523521]  exc_page_fault+0x60/0x140\n[   28.523763]  asm_exc_page_fault+0x22/0x30\n[   28.524001] RIP: 0033:0x7f14a0b589ca\n[   28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa <f3> aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90\n[   28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202\n[   28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046\n[   28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000\n[   28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000\n[   28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c\n[   28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0\n[   28.527449]  </TASK>\n[   28.527600] ---[ end trace 0000000000000000 ]---\n\n\nTo be able to delete this entry, clear its dirty mark before\ninvalidate_inode_pages2_range().\n\n[1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails\n\nIf getting an ID or setting up a work queue in rbd_dev_create() fails,\nuse-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts\nis triggered in do_rbd_add().  The root cause is that the ownership of\nthese structures is transfered to rbd_dev prematurely and they all end\nup getting freed when rbd_dev_create() calls rbd_dev_free() prior to\nreturning to do_rbd_add().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE, an\nincomplete patch submitted by Natalia Petrova <n.petrova@fintech.ru>.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Better handle pm_runtime_get() failing in .remove()\n\nIn the (unlikely) event that pm_runtime_get() (disguised as\npm_runtime_resume_and_get()) fails, the remove callback returned an\nerror early. The problem with this is that the driver core ignores the\nerror value and continues removing the device. This results in a\nresource leak. Worse the devm allocated resources are freed and so if a\ncallback of the driver is called later the register mapping is already\ngone which probably results in a crash.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix integer overflow in radeon_cs_parser_init\n\nThe type of size is unsigned, if size is 0x40000000, there will be an\ninteger overflow, size will be zero after size *= sizeof(uint32_t),\nwill cause uninitialized memory to be referenced later",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: axp288_fuel_gauge: Fix external_power_changed race\n\nfuel_gauge_external_power_changed() dereferences info->bat,\nwhich gets sets in axp288_fuel_gauge_probe() like this:\n\n  info->bat = devm_power_supply_register(dev, &fuel_gauge_desc, &psy_cfg);\n\nAs soon as devm_power_supply_register() has called device_add()\nthe external_power_changed callback can get called. So there is a window\nwhere fuel_gauge_external_power_changed() may get called while\ninfo->bat has not been set yet leading to a NULL pointer dereference.\n\nFixing this is easy. The external_power_changed callback gets passed\nthe power_supply which will eventually get stored in info->bat,\nso fuel_gauge_external_power_changed() can simply directly use\nthe passed in psy argument which is always valid.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer().  Previously,\nnilfs_evict_inode() could cause use-after-free read for nilfs_root if\ninodes are left in \"garbage_list\" and released by nilfs_dispose_list at\nthe end of nilfs_detach_log_writer(), and this bug was fixed by commit\n9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root in\nnilfs_evict_inode()\").\n\nHowever, it turned out that there is another possibility of UAF in the\ncall path where mark_inode_dirty_sync() is called from iput():\n\nnilfs_detach_log_writer()\n  nilfs_dispose_list()\n    iput()\n      mark_inode_dirty_sync()\n        __mark_inode_dirty()\n          nilfs_dirty_inode()\n            __nilfs_mark_inode_dirty()\n              nilfs_load_inode_block() --> causes UAF of nilfs_root struct\n\nThis can happen after commit 0ae45f63d4ef (\"vfs: add support for a\nlazytime mount option\"), which changed iput() to call\nmark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME\nflag and i_nlink is non-zero.\n\nThis issue appears after commit 28a65b49eb53 (\"nilfs2: do not write dirty\ndata after degenerating to read-only\") when using the syzbot reproducer,\nbut the issue has potentially existed before.\n\nFix this issue by adding a \"purging flag\" to the nilfs structure, setting\nthat flag while disposing the \"garbage_list\" and checking it in\n__nilfs_mark_inode_dirty().\n\nUnlike commit 9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root\nin nilfs_evict_inode()\"), this patch does not rely on ns_writer to\ndetermine whether to skip operations, so as not to break recovery on\nmount.  The nilfs_salvage_orphan_logs routine dirties the buffer of\nsalvaged data before attaching the log writer, so changing\n__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL\nwill cause recovery write to fail.  The purpose of using the cleanup-only\nflag is to allow for narrowing of such conditions.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix net_dev_start_xmit trace event vs skb_transport_offset()\n\nAfter blamed commit, we must be more careful about using\nskb_transport_offset(), as reminded us by syzbot:\n\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nModules linked in:\nCPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet\nRIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]\nRIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]\nRIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nCode: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff\nRSP: 0018:ffffc900002bf700 EFLAGS: 00010293\nRAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280\nRDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff\nRBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67\nR13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000\nFS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0\nCall Trace:\n<TASK>\n[<ffffffff84715e35>] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]\n[<ffffffff84715e35>] xmit_one net/core/dev.c:3643 [inline]\n[<ffffffff84715e35>] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660\n[<ffffffff8471a232>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[<ffffffff85416493>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]\n[<ffffffff85416493>] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108\n[<ffffffff85416744>] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n[<ffffffff853bc52a>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]\n[<ffffffff853bc52a>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]\n[<ffffffff853bc52a>] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701\n[<ffffffff8151023c>] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289\n[<ffffffff81511938>] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix wrong setting of max_corr_read_errors\n\nThere is no input check when echo md/max_read_errors and overflow might\noccur. Add check of input number.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev/ep93xx-fb: Do not assign to struct fb_info.dev\n\nDo not assing the Linux device to struct fb_info.dev. The call to\nregister_framebuffer() initializes the field to the fbdev device.\nDrivers should not override its value.\n\nFixes a bug where the driver incorrectly decreases the hardware\ndevice's reference counter and leaks the fbdev device.\n\nv2:\n\t* add Fixes tag (Dan)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix SKB corruption in REO destination ring\n\nWhile running traffics for a long time, randomly an RX descriptor\nfilled with value \"0\" from REO destination ring is received.\nThis descriptor which is invalid causes the wrong SKB (SKB stored in\nthe IDR lookup with buffer id \"0\") to be fetched which in turn\ncauses SKB memory corruption issue and the same leads to crash\nafter some time.\n\nChanged the start id for idr allocation to \"1\" and the buffer id \"0\"\nis reserved for error validation. Introduced Sanity check to validate\nthe descriptor, before processing the SKB.\n\nCrash Signature :\n\nUnable to handle kernel paging request at virtual address 3f004900\nPC points to \"b15_dma_inv_range+0x30/0x50\"\nLR points to \"dma_cache_maint_page+0x8c/0x128\".\nThe Backtrace obtained is as follows:\n[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)\n[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)\n[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])\n[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])\n[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])\n[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)\n[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)\n[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)\n[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)\n[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)\n[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)\n[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Free resources after unregistering them\n\nThe DP component's unbind operation walks through the submodules to\nunregister and clean things up. But if the unbind happens because the DP\ncontroller itself is being removed, all the memory for those submodules\nhas just been freed.\n\nChange the order of these operations to avoid the many use-after-free\nthat otherwise happens in this code path.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542166/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix WARNING in mb_find_extent\n\nSyzbot found the following issue:\n\nEXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!\nEXT4-fs (loop0): orphan cleanup on readonly fs\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30\nModules linked in:\nCPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869\nRSP: 0018:ffffc90003c9e098 EFLAGS: 00010293\nRAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0\nRDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040\nRBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402\nR10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000\nR13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc\nFS:  0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307\n ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735\n ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605\n ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286\n ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651\n ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864\n ext4_bread+0x2a/0x170 fs/ext4/inode.c:920\n ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105\n write_blk fs/quota/quota_tree.c:64 [inline]\n get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130\n do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340\n do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375\n do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375\n do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375\n dq_insert_tree fs/quota/quota_tree.c:401 [inline]\n qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420\n v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358\n dquot_acquire+0x348/0x670 fs/quota/dquot.c:444\n ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740\n dqget+0x999/0xdc0 fs/quota/dquot.c:914\n __dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492\n ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329\n ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474\n __ext4_fill_super fs/ext4/super.c:5516 [inline]\n ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644\n get_tree_bdev+0x400/0x620 fs/super.c:1282\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAdd some debug information:\nmb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7\nblock_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAcctually, blocks per group is 64, but block bitmap indicate at least has\n128 blocks. Now, ext4_validate_block_bitmap() didn't check invalid block's\nbitmap if set.\nTo resolve above issue, add check like fsck \"Padding at end of block bitmap is\nnot set\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrecordmcount: Fix memory leaks in the uwrite function\n\nCommon realloc mistake: 'file_append' nulled but not freed upon failure",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm\n\nCurrently there is no synchronisation between finalize_pkvm() and\nkvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if\nkvm_arm_init() fails resulting in the following warning on all the CPUs\nand eventually a HYP panic:\n\n  | kvm [1]: IPA Size Limit: 48 bits\n  | kvm [1]: Failed to init hyp memory protection\n  | kvm [1]: error initializing Hyp mode: -22\n  |\n  | <snip>\n  |\n  | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50\n  | Modules linked in:\n  | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237\n  | Hardware name: FVP Base RevC (DT)\n  | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n  | pc : _kvm_host_prot_finalize+0x30/0x50\n  | lr : __flush_smp_call_function_queue+0xd8/0x230\n  |\n  | Call trace:\n  |  _kvm_host_prot_finalize+0x3c/0x50\n  |  on_each_cpu_cond_mask+0x3c/0x6c\n  |  pkvm_drop_host_privileges+0x4c/0x78\n  |  finalize_pkvm+0x3c/0x5c\n  |  do_one_initcall+0xcc/0x240\n  |  do_initcall_level+0x8c/0xac\n  |  do_initcalls+0x54/0x94\n  |  do_basic_setup+0x1c/0x28\n  |  kernel_init_freeable+0x100/0x16c\n  |  kernel_init+0x20/0x1a0\n  |  ret_from_fork+0x10/0x20\n  | Failed to finalize Hyp protection: -22\n  |     dtb=fvp-base-revc.dtb\n  | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!\n  | kvm [95]: nVHE call trace:\n  | kvm [95]:  [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8\n  | kvm [95]:  [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac\n  | kvm [95]:  [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160\n  | kvm [95]:  [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4\n  | kvm [95]: ---[ end nVHE call trace ]---\n  | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000\n  | Kernel panic - not syncing: HYP panic:\n  | PS:a34023c9 PC:0000f250710b973c 
ESR:00000000f2000800\n  | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n  | VCPU:0000000000000000\n  | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G        W          6.4.0 #237\n  | Hardware name: FVP Base RevC (DT)\n  | Workqueue: rpciod rpc_async_schedule\n  | Call trace:\n  |  dump_backtrace+0xec/0x108\n  |  show_stack+0x18/0x2c\n  |  dump_stack_lvl+0x50/0x68\n  |  dump_stack+0x18/0x24\n  |  panic+0x138/0x33c\n  |  nvhe_hyp_panic_handler+0x100/0x184\n  |  new_slab+0x23c/0x54c\n  |  ___slab_alloc+0x3e4/0x770\n  |  kmem_cache_alloc_node+0x1f0/0x278\n  |  __alloc_skb+0xdc/0x294\n  |  tcp_stream_alloc_skb+0x2c/0xf0\n  |  tcp_sendmsg_locked+0x3d0/0xda4\n  |  tcp_sendmsg+0x38/0x5c\n  |  inet_sendmsg+0x44/0x60\n  |  sock_sendmsg+0x1c/0x34\n  |  xprt_sock_sendmsg+0xdc/0x274\n  |  xs_tcp_send_request+0x1ac/0x28c\n  |  xprt_transmit+0xcc/0x300\n  |  call_transmit+0x78/0x90\n  |  __rpc_execute+0x114/0x3d8\n  |  rpc_async_schedule+0x28/0x48\n  |  process_one_work+0x1d8/0x314\n  |  worker_thread+0x248/0x474\n  |  kthread+0xfc/0x184\n  |  ret_from_fork+0x10/0x20\n  | SMP: stopping secondary CPUs\n  | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000\n  | PHYS_OFFSET: 0x80000000\n  | CPU features: 0x00000000,1035b7a3,ccfe773f\n  | Memory Limit: none\n  | ---[ end Kernel panic - not syncing: HYP panic:\n  | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n  | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n  | VCPU:0000000000000000 ]---\n\nFix it by checking for the successfull initialisation of kvm_arm_init()\nin finalize_pkvm() before proceeding any futher.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()\n\nThe function mpi3mr_get_all_tgt_info() has four issues:\n\n1) It calculates valid entry length in alltgt_info assuming the header part\n   of the struct mpi3mr_device_map_info would equal to sizeof(u32).  The\n   correct size is sizeof(u64).\n\n2) When it calculates the valid entry length kern_entrylen, it excludes one\n   entry by subtracting 1 from num_devices.\n\n3) It copies num_device by calling memcpy(). Substitution is enough.\n\n4) It does not specify the calculated length to sg_copy_from_buffer().\n   Instead, it specifies the payload length which is larger than the\n   alltgt_info size. It causes \"BUG: KASAN: slab-out-of-bounds\".\n\nFix the issues by using the correct header size, removing the subtraction\nfrom num_devices, replacing the memcpy() with substitution and specifying\nthe correct length to sg_copy_from_buffer().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: drop short frames\n\nWhile technically some control frames like ACK are shorter and\nend after Address 1, such frames shouldn't be forwarded through\nwmediumd or similar userspace, so require the full 3-address\nheader to avoid accessing invalid memory if shorter frames are\npassed in.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Wait for io return on terminate rport\n\nSystem crash due to use after free.\nCurrent code allows terminate_rport_io to exit before making\nsure all IOs has returned. For FCP-2 device, IO's can hang\non in HW because driver has not tear down the session in FW at\nfirst sign of cable pull. When dev_loss_tmo timer pops,\nterminate_rport_io is called and upper layer is about to\nfree various resources. Terminate_rport_io trigger qla to do\nthe final cleanup, but the cleanup might not be fast enough where it\nleave qla still holding on to the same resource.\n\nWait for IO's to return to upper layer before resources are freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next2/dax: Fix ext2_setsize when len is page aligned\n\nPAGE_ALIGN(x) macro gives the next highest value which is multiple of\npagesize. But if x is already page aligned then it simply returns x.\nSo, if x passed is 0 in dax_zero_range() function, that means the\nlength gets passed as 0 to ->iomap_begin().\n\nIn ext2 it then calls ext2_get_blocks -> max_blocks as 0 and hits bug_on\nhere in ext2_get_blocks().\n\tBUG_ON(maxblocks == 0);\n\nInstead we should be calling dax_truncate_page() here which takes\ncare of it. i.e. it only calls dax_zero_range if the offset is not\npage/block aligned.\n\nThis can be easily triggered with following on fsdax mounted pmem\ndevice.\n\ndd if=/dev/zero of=file count=1 bs=512\ntruncate -s 0 file\n\n[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk\n[79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)\n[93.793207] ------------[ cut here ]------------\n[93.795102] kernel BUG at fs/ext2/inode.c:637!\n[93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139\n[93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610\n<...>\n[93.835298] Call Trace:\n[93.836253]  <TASK>\n[93.837103]  ? lock_acquire+0xf8/0x110\n[93.838479]  ? d_lookup+0x69/0xd0\n[93.839779]  ext2_iomap_begin+0xa7/0x1c0\n[93.841154]  iomap_iter+0xc7/0x150\n[93.842425]  dax_zero_range+0x6e/0xa0\n[93.843813]  ext2_setsize+0x176/0x1b0\n[93.845164]  ext2_setattr+0x151/0x200\n[93.846467]  notify_change+0x341/0x4e0\n[93.847805]  ? lock_acquire+0xf8/0x110\n[93.849143]  ? do_truncate+0x74/0xe0\n[93.850452]  ? do_truncate+0x84/0xe0\n[93.851739]  do_truncate+0x84/0xe0\n[93.852974]  do_sys_ftruncate+0x2b4/0x2f0\n[93.854404]  do_syscall_64+0x3f/0x90\n[93.855789]  entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53323",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Don't leak some plane state\n\nApparently no one noticed that mdp5 plane states leak like a sieve\never since we introduced plane_state->commit refcount a few years ago\nin 21a01abbe32a (\"drm/atomic: Fix freeing connector/plane state too\nearly by tracking commits, v3.\")\n\nFix it by using the right helpers.\n\nPatchwork: https://patchwork.freedesktop.org/patch/551236/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()\n\nChange logging from drm_{err,info}() to dev_{err,info}() in functions\nmtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be\nessential to avoid getting NULL pointer kernel panics if any kind\nof error happens during AUX transfers happening before the bridge\nis attached.\n\nThis may potentially start happening in a later commit implementing\naux-bus support, as AUX transfers will be triggered from the panel\ndriver (for EDID) before the mtk-dp bridge gets attached, and it's\ndone in preparation for the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53325",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Don't try to copy PPR for task with NULL pt_regs\n\npowerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which\nfrom my (arguably very short) checking is not commonly done for other\narchs. This is fine, except when PF_IO_WORKER's have been created and\nthe task does something that causes a coredump to be generated. Then we\nget this crash:\n\n  Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)\n  BUG: Kernel NULL pointer dereference on read at 0x00000160\n  Faulting instruction address: 0xc0000000000c3a60\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries\n  Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod\n  CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88\n  Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries\n  NIP:  c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0\n  REGS: c0000000041833b0 TRAP: 0300   Not tainted  (6.3.0-rc2+)\n  MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 88082828  XER: 200400f8\n  ...\n  NIP memcpy_power7+0x200/0x7d0\n  LR  ppr_get+0x64/0xb0\n  Call Trace:\n    ppr_get+0x40/0xb0 (unreliable)\n    __regset_get+0x180/0x1f0\n    regset_get_alloc+0x64/0x90\n    elf_core_dump+0xb98/0x1b60\n    do_coredump+0x1c34/0x24a0\n    get_signal+0x71c/0x1410\n    do_notify_resume+0x140/0x6f0\n    interrupt_exit_user_prepare_main+0x29c/0x320\n    interrupt_exit_user_prepare+0x6c/0xa0\n    interrupt_return_srr_user+0x8/0x138\n\nBecause ppr_get() is trying to copy 
from a PF_IO_WORKER with a NULL\npt_regs.\n\nCheck for a valid pt_regs in both ppc_get/ppr_set, and return an error\nif not set. The actual error value doesn't seem to be important here, so\njust pick -EINVAL.\n\n[mpe: Trim oops in change log, add Fixes & Cc stable]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/selftest: Catch overflow of uptr and length\n\nsyzkaller hits a WARN_ON when trying to have a uptr close to UINTPTR_MAX:\n\n  WARNING: CPU: 1 PID: 393 at drivers/iommu/iommufd/selftest.c:403 iommufd_test+0xb19/0x16f0\n  Modules linked in:\n  CPU: 1 PID: 393 Comm: repro Not tainted 6.2.0-c9c3395d5e3d #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:iommufd_test+0xb19/0x16f0\n  Code: 94 c4 31 ff 44 89 e6 e8 a5 54 17 ff 45 84 e4 0f 85 bb 0b 00 00 41 be fb ff ff ff e8 31 53 17 ff e9 a0 f7 ff ff e8 27 53 17 ff <0f> 0b 41 be 8\n  RSP: 0018:ffffc90000eabdc0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8214c487\n  RDX: 0000000000000000 RSI: ffff88800f5c8000 RDI: 0000000000000002\n  RBP: ffffc90000eabe48 R08: 0000000000000000 R09: 0000000000000001\n  R10: 0000000000000001 R11: 0000000000000000 R12: 00000000cd2b0000\n  R13: 00000000cd2af000 R14: 0000000000000000 R15: ffffc90000eabe68\n  FS:  00007f94d76d5740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000043 CR3: 0000000006880006 CR4: 0000000000770ee0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   ? write_comp_data+0x2f/0x90\n   iommufd_fops_ioctl+0x1ef/0x310\n   __x64_sys_ioctl+0x10e/0x160\n   ? __pfx_iommufd_fops_ioctl+0x10/0x10\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nCheck that the user memory range doesn't overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53327",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Enhance sanity check while generating attr_list\n\nni_create_attr_list uses WARN_ON to catch error cases while generating\nattribute list, which only prints out stack trace and may not be enough.\nThis repalces them with more proper error handling flow.\n\n[   59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e\n[   59.673268] #PF: supervisor read access in kernel mode\n[   59.678354] #PF: error_code(0x0000) - not-present page\n[   59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0\n[   59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI\n[   59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G    B   W          6.2.0-rc1+ #4\n[   59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[   59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860\n[   59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8\n[   59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282\n[   59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe\n[   59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0\n[   59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9\n[   59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180\n[   59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050\n[   59.768323] FS:  00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000\n[   59.776027] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0\n[   59.787607] Call Trace:\n[   59.790271]  <TASK>\n[   59.792488]  ? __pfx_ni_create_attr_list+0x10/0x10\n[   59.797235]  ? kernel_text_address+0xd3/0xe0\n[   59.800856]  ? 
unwind_get_return_address+0x3e/0x60\n[   59.805101]  ? __kasan_check_write+0x18/0x20\n[   59.809296]  ? preempt_count_sub+0x1c/0xd0\n[   59.813421]  ni_ins_attr_ext+0x52c/0x5c0\n[   59.817034]  ? __pfx_ni_ins_attr_ext+0x10/0x10\n[   59.821926]  ? __vfs_setxattr+0x121/0x170\n[   59.825718]  ? __vfs_setxattr_noperm+0x97/0x300\n[   59.829562]  ? __vfs_setxattr_locked+0x145/0x170\n[   59.833987]  ? vfs_setxattr+0x137/0x2a0\n[   59.836732]  ? do_setxattr+0xce/0x150\n[   59.839807]  ? setxattr+0x126/0x140\n[   59.842353]  ? path_setxattr+0x164/0x180\n[   59.845275]  ? __x64_sys_setxattr+0x71/0x90\n[   59.848838]  ? do_syscall_64+0x3f/0x90\n[   59.851898]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[   59.857046]  ? stack_depot_save+0x17/0x20\n[   59.860299]  ni_insert_attr+0x1ba/0x420\n[   59.863104]  ? __pfx_ni_insert_attr+0x10/0x10\n[   59.867069]  ? preempt_count_sub+0x1c/0xd0\n[   59.869897]  ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[   59.874088]  ? __create_object+0x3ae/0x5d0\n[   59.877865]  ni_insert_resident+0xc4/0x1c0\n[   59.881430]  ? __pfx_ni_insert_resident+0x10/0x10\n[   59.886355]  ? kasan_save_alloc_info+0x1f/0x30\n[   59.891117]  ? __kasan_kmalloc+0x8b/0xa0\n[   59.894383]  ntfs_set_ea+0x90d/0xbf0\n[   59.897703]  ? __pfx_ntfs_set_ea+0x10/0x10\n[   59.901011]  ? kernel_text_address+0xd3/0xe0\n[   59.905308]  ? __kernel_text_address+0x16/0x50\n[   59.909811]  ? unwind_get_return_address+0x3e/0x60\n[   59.914898]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[   59.920250]  ? arch_stack_walk+0xa2/0x100\n[   59.924560]  ? filter_irq_stacks+0x27/0x80\n[   59.928722]  ntfs_setxattr+0x405/0x440\n[   59.932512]  ? __pfx_ntfs_setxattr+0x10/0x10\n[   59.936634]  ? kvmalloc_node+0x2d/0x120\n[   59.940378]  ? kasan_save_stack+0x41/0x60\n[   59.943870]  ? kasan_save_stack+0x2a/0x60\n[   59.947719]  ? kasan_set_track+0x29/0x40\n[   59.951417]  ? kasan_save_alloc_info+0x1f/0x30\n[   59.955733]  ? __kasan_kmalloc+0x8b/0xa0\n[   59.959598]  ? 
__kmalloc_node+0x68/0x150\n[   59.963163]  ? kvmalloc_node+0x2d/0x120\n[   59.966490]  ? vmemdup_user+0x2b/0xa0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53328",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: fix data race with the pwq->stats[] increment\n\nKCSAN has discovered a data race in kernel/workqueue.c:2598:\n\n[ 1863.554079] ==================================================================\n[ 1863.554118] BUG: KCSAN: data-race in process_one_work / process_one_work\n\n[ 1863.554142] write to 0xffff963d99d79998 of 8 bytes by task 5394 on cpu 27:\n[ 1863.554154] process_one_work (kernel/workqueue.c:2598)\n[ 1863.554166] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)\n[ 1863.554177] kthread (kernel/kthread.c:389)\n[ 1863.554186] ret_from_fork (arch/x86/kernel/process.c:145)\n[ 1863.554197] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)\n\n[ 1863.554213] read to 0xffff963d99d79998 of 8 bytes by task 5450 on cpu 12:\n[ 1863.554224] process_one_work (kernel/workqueue.c:2598)\n[ 1863.554235] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)\n[ 1863.554247] kthread (kernel/kthread.c:389)\n[ 1863.554255] ret_from_fork (arch/x86/kernel/process.c:145)\n[ 1863.554266] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)\n\n[ 1863.554280] value changed: 0x0000000000001766 -> 0x000000000000176a\n\n[ 1863.554295] Reported by Kernel Concurrency Sanitizer on:\n[ 1863.554303] CPU: 12 PID: 5450 Comm: kworker/u64:1 Tainted: G             L     6.5.0-rc6+ #44\n[ 1863.554314] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023\n[ 1863.554322] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n[ 1863.554941] ==================================================================\n\n    lockdep_invariant_state(true);\n\u2192   pwq->stats[PWQ_STAT_STARTED]++;\n    trace_workqueue_execute_start(work);\n    worker->current_func(work);\n\nMoving pwq->stats[PWQ_STAT_STARTED]++; before the line\n\n    raw_spin_unlock_irq(&pool->lock);\n\nresolves the data race without performance penalty.\n\nKCSAN detected at least one 
additional data race:\n\n[  157.834751] ==================================================================\n[  157.834770] BUG: KCSAN: data-race in process_one_work / process_one_work\n\n[  157.834793] write to 0xffff9934453f77a0 of 8 bytes by task 468 on cpu 29:\n[  157.834804] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)\n[  157.834815] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)\n[  157.834826] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)\n[  157.834834] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)\n[  157.834845] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)\n\n[  157.834859] read to 0xffff9934453f77a0 of 8 bytes by task 214 on cpu 7:\n[  157.834868] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)\n[  157.834879] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)\n[  157.834890] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)\n[  157.834897] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)\n[  157.834907] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)\n\n[  157.834920] value changed: 0x000000000000052a -> 0x0000000000000532\n\n[  157.834933] Reported by Kernel Concurrency Sanitizer on:\n[  157.834941] CPU: 7 PID: 214 Comm: kworker/u64:2 Tainted: G             L     6.5.0-rc7-kcsan-00169-g81eaf55a60fc #4\n[  157.834951] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023\n[  157.834958] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n[  157.835567] ==================================================================\n\nin code:\n\n        
trace_workqueue_execute_end(work, worker->current_func);\n\u2192       pwq->stats[PWQ_STAT_COM\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53329",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix memory leak in cfctrl_linkup_request()\n\nWhen linktype is unknown or kzalloc failed in cfctrl_linkup_request(),\npkt is not released. Add release process to error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53330",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Check start of empty przs during init\n\nAfter commit 30696378f68a (\"pstore/ram: Do not treat empty buffers as\nvalid\"), initialization would assume a prz was valid after seeing that\nthe buffer_size is zero (regardless of the buffer start position). This\nunchecked start value means it could be outside the bounds of the buffer,\nleading to future access panics when written to:\n\n sysdump_panic_event+0x3b4/0x5b8\n atomic_notifier_call_chain+0x54/0x90\n panic+0x1c8/0x42c\n die+0x29c/0x2a8\n die_kernel_fault+0x68/0x78\n __do_kernel_fault+0x1c4/0x1e0\n do_bad_area+0x40/0x100\n do_translation_fault+0x68/0x80\n do_mem_abort+0x68/0xf8\n el1_da+0x1c/0xc0\n __raw_writeb+0x38/0x174\n __memcpy_toio+0x40/0xac\n persistent_ram_update+0x44/0x12c\n persistent_ram_write+0x1a8/0x1b8\n ramoops_pstore_write+0x198/0x1e8\n pstore_console_write+0x94/0xe0\n ...\n\nTo avoid this, also check if the prz start is 0 during the initialization\nphase. If not, the next prz sanity check case will discover it (start >\nsize) and zap the buffer back to a sane state.\n\n[kees: update commit log with backtrace and clarifications]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53331",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()\n\nIf ipi_send_{mask|single}() is called with an invalid interrupt number, all\nthe local variables there will be NULL. ipi_send_verify() which is invoked\nfrom these functions does verify its 'data' parameter, resulting in a\nkernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets\ndereferenced.\n\nAdd a missing NULL pointer check in ipi_send_verify()...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53332",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one\n\nEric Dumazet says:\n  nf_conntrack_dccp_packet() has an unique:\n\n  dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);\n\n  And nothing more is 'pulled' from the packet, depending on the content.\n  dh->dccph_doff, and/or dh->dccph_x ...)\n  So dccp_ack_seq() is happily reading stuff past the _dh buffer.\n\nBUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0\nRead of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371\n[..]\n\nFix this by increasing the stack buffer to also include room for\nthe extra sequence numbers and all the known dccp packet type headers,\nthen pull again after the initial validation of the basic header.\n\nWhile at it, mark packets invalid that lack 48bit sequence bit but\nwhere RFC says the type MUST use them.\n\nCompile tested only.\n\nv2: first skb_header_pointer() now needs to adjust the size to\n    only pull the generic header. (Eric)\n\nHeads-up: I intend to remove dccp conntrack support later this year.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53333",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: chipidea: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53334",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cxgb4: Fix potential null-ptr-deref in pass_establish()\n\nIf get_ep_from_tid() fails to lookup non-NULL value for ep, ep is\ndereferenced later regardless of whether it is empty.\nThis patch adds a simple sanity check to fix the issue.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53335",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings\n\nWhen ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run\nsensor->adev is not set yet.\n\nSo if either of the dev_warn() calls about unknown values are hit this\nwill lead to a NULL pointer deref.\n\nSet sensor->adev earlier, with a borrowed ref to avoid making unrolling\non errors harder, to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53336",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: do not write dirty data after degenerating to read-only\n\nAccording to syzbot's report, mark_buffer_dirty() called from\nnilfs_segctor_do_construct() outputs a warning with some patterns after\nnilfs2 detects metadata corruption and degrades to read-only mode.\n\nAfter such read-only degeneration, page cache data may be cleared through\nnilfs_clear_dirty_page() which may also clear the uptodate flag for their\nbuffer heads.  However, even after the degeneration, log writes are still\nperformed by unmount processing etc., which causes mark_buffer_dirty() to\nbe called for buffer heads without the \"uptodate\" flag and causes the\nwarning.\n\nSince any writes should not be done to a read-only file system in the\nfirst place, this fixes the warning in mark_buffer_dirty() by letting\nnilfs_segctor_do_construct() abort early if in read-only mode.\n\nThis also changes the retry check of nilfs_segctor_write_out() to avoid\nunnecessary log write retries if it detects -EROFS that\nnilfs_segctor_do_construct() returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53337",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlwt: Fix return values of BPF xmit ops\n\nBPF encap ops can return different types of positive values, such like\nNET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function\nskb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return\nvalues would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in\nip(6)_finish_output2. When this happens, skbs that have been freed would\ncontinue to the neighbor subsystem, causing use-after-free bug and\nkernel crashes.\n\nTo fix the incorrect behavior, skb_do_redirect return values can be\nsimply discarded, the same as tc-egress behavior. On the other hand,\nbpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU\ninformation. Thus convert its return values to avoid the conflict with\nLWTUNNEL_XMIT_CONTINUE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53338",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix BUG_ON condition in btrfs_cancel_balance\n\nPausing and canceling balance can race to interrupt balance lead to BUG_ON\npanic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance\ndoes not take this race scenario into account.\n\nHowever, the race condition has no other side effects. We can fix that.\n\nReproducing it with panic trace like this:\n\n  kernel BUG at fs/btrfs/volumes.c:4618!\n  RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0\n  Call Trace:\n   <TASK>\n   ? do_nanosleep+0x60/0x120\n   ? hrtimer_nanosleep+0xb7/0x1a0\n   ? sched_core_clone_cookie+0x70/0x70\n   btrfs_ioctl_balance_ctl+0x55/0x70\n   btrfs_ioctl+0xa46/0xd20\n   __x64_sys_ioctl+0x7d/0xa0\n   do_syscall_64+0x38/0x80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  Race scenario as follows:\n  > mutex_unlock(&fs_info->balance_mutex);\n  > --------------------\n  > .......issue pause and cancel req in another thread\n  > --------------------\n  > ret = __btrfs_balance(fs_info);\n  >\n  > mutex_lock(&fs_info->balance_mutex);\n  > if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) {\n  >         btrfs_info(fs_info, \"balance: paused\");\n  >         btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED);\n  > }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53339",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.12"
        },
        {
          "id": "CVE-2023-53340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Collect command failures data only for known commands\n\nDEVX can issue a general command, which is not used by mlx5 driver.\nIn case such command is failed, mlx5 is trying to collect the failure\ndata, However, mlx5 doesn't create a storage for this command, since\nmlx5 doesn't use it. This lead to array-index-out-of-bounds error.\n\nFix it by checking whether the command is known before collecting the\nfailure data.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53340",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof/fdt: run soc memory setup when early_init_dt_scan_memory fails\n\nIf memory has been found early_init_dt_scan_memory now returns 1. If\nit hasn't found any memory it will return 0, allowing other memory\nsetup mechanisms to carry on.\n\nPreviously early_init_dt_scan_memory always returned 0 without\ndistinguishing between any kind of memory setup being done or not. Any\ncode path after the early_init_dt_scan memory call in the ramips\nplat_mem_setup code wouldn't be executed anymore. Making\nearly_init_dt_scan_memory the only way to initialize the memory.\n\nSome boards, including my mt7621 based Cudy X6 board, depend on memory\ninitialization being done via the soc_info.mem_detect function\npointer. Those wouldn't be able to obtain memory and panic the kernel\nduring early bootup with the message \"early_init_dt_alloc_memory_arch:\nFailed to allocate 12416 bytes align=0x40\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53341",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix handling IPv4 routes with nhid\n\nFix handling IPv4 routes referencing a nexthop via its id by replacing\ncalls to fib_info_nh() with fib_info_nhc().\n\nTrying to add an IPv4 route referencing a nextop via nhid:\n\n    $ ip link set up swp5\n    $ ip a a 10.0.0.1/24 dev swp5\n    $ ip nexthop add dev swp5 id 20 via 10.0.0.2\n    $ ip route add 10.0.1.0/24 nhid 20\n\ntriggers warnings when trying to handle the route:\n\n[  528.805763] ------------[ cut here ]------------\n[  528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[  528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]\n[  528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G           O       6.4.5 #1\n[  528.845178] Hardware name: delta,tn48m-dn (DT)\n[  528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]\n[  528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[  528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera]\n[  528.876007] sp : ffff80000b20bc90\n[  528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48\n[  528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800\n[  528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200\n[  528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059\n[  528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000\n[  528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000\n[  528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020\n[  528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86\n[  528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc\n[  528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80\n[  528.951058] Call trace:\n[  528.953516]  __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[  528.958952]  __prestera_router_fib_event_work+0x100/0x158 [prestera]\n[  528.965348]  process_one_work+0x208/0x488\n[  528.969387]  worker_thread+0x4c/0x430\n[  528.973068]  kthread+0x120/0x138\n[  528.976313]  ret_from_fork+0x10/0x20\n[  528.979909] ---[ end trace 0000000000000000 ]---\n[  528.984998] ------------[ cut here ]------------\n[  528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[  528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]\n[  529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G        W  O       6.4.5 #1\n[  529.024368] Hardware name: delta,tn48m-dn (DT)\n[  529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]\n[  529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]\n[  529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera]\n[  529.055452] sp : ffff80000b20bc60\n[  529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48\n[  529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800\n[  529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0\n[  529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059\n[  529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000\n[  529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000\n[  529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80\n[  529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53342",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().\n\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\n\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n\n  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done\n  # python3\n  >>> from socket import *\n  >>> from scapy.all import *\n  >>>\n  >>> SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n  >>>\n  >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n  >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n  >>>\n  >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n  >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))\n\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n\n  * ipv6_rthdr_rcv()\n  * ipv6_rpl_srh_rcv()\n  * ipv6_srh_rcv()\n\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\n\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev\nas the input device is the loopback interface.  Then, we have to check if\nskb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ip6_pkt_drop (net/ipv6/route.c:4513)\n ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\n ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n __netif_receive_skb_one_core (net/core/dev.c:5455)\n process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n __napi_poll (net/core/dev.c:6460)\n net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n </IRQ>\n <TASK>\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4231)\n ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\n rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\n sock_sendmsg (net/socket.c:725 net/socket.c:748)\n __sys_sendto (net/socket.c:2134)\n __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53343",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write\n\nSyzkaller reported the following issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]\nBUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600\n aio_rw_done fs/aio.c:1520 [inline]\n aio_write+0x899/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc+0x11d/0x3b0 mm/slab_common.c:981\n kmalloc_array include/linux/slab.h:636 [inline]\n bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930\n bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n sock_write_iter+0x495/0x5e0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023\n=====================================================\n\nWe can follow the call chain and find that 'bcm_tx_setup' function\ncalls 'memcpy_from_msg' to copy some content to the newly allocated\nframe of 'op->frames'. After that the 'len' field of copied structure\nbeing compared with some constant value (64 or 8). However, if\n'memcpy_from_msg' returns an error, we will compare some uninitialized\nmemory. This triggers 'uninit-value' issue.\n\nThis patch will add 'memcpy_from_msg' possible errors processing to\navoid uninit-value issue.\n\nTested via syzkaller",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53344",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix potential data race in rxrpc_wait_to_be_connected()\n\nInside the loop in rxrpc_wait_to_be_connected() it checks call->error to\nsee if it should exit the loop without first checking the call state.  This\nis probably safe as if call->error is set, the call is dead anyway, but we\nshould probably wait for the call state to have been set to completion\nfirst, lest it cause surprise on the way out.\n\nFix this by only accessing call->error if the call is complete.  We don't\nactually need to access the error inside the loop as we'll do that after.\n\nThis caused the following report:\n\n    BUG: KCSAN: data-race in rxrpc_send_data / rxrpc_set_call_completion\n\n    write to 0xffff888159cf3c50 of 4 bytes by task 25673 on cpu 1:\n     rxrpc_set_call_completion+0x71/0x1c0 net/rxrpc/call_state.c:22\n     rxrpc_send_data_packet+0xba9/0x1650 net/rxrpc/output.c:479\n     rxrpc_transmit_one+0x1e/0x130 net/rxrpc/output.c:714\n     rxrpc_decant_prepared_tx net/rxrpc/call_event.c:326 [inline]\n     rxrpc_transmit_some_data+0x496/0x600 net/rxrpc/call_event.c:350\n     rxrpc_input_call_event+0x564/0x1220 net/rxrpc/call_event.c:464\n     rxrpc_io_thread+0x307/0x1d80 net/rxrpc/io_thread.c:461\n     kthread+0x1ac/0x1e0 kernel/kthread.c:376\n     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n\n    read to 0xffff888159cf3c50 of 4 bytes by task 25672 on cpu 0:\n     rxrpc_send_data+0x29e/0x1950 net/rxrpc/sendmsg.c:296\n     rxrpc_do_sendmsg+0xb7a/0xc20 net/rxrpc/sendmsg.c:726\n     rxrpc_sendmsg+0x413/0x520 net/rxrpc/af_rxrpc.c:565\n     sock_sendmsg_nosec net/socket.c:724 [inline]\n     sock_sendmsg net/socket.c:747 [inline]\n     ____sys_sendmsg+0x375/0x4c0 net/socket.c:2501\n     ___sys_sendmsg net/socket.c:2555 [inline]\n     __sys_sendmmsg+0x263/0x500 net/socket.c:2641\n     __do_sys_sendmmsg net/socket.c:2670 [inline]\n     __se_sys_sendmmsg net/socket.c:2667 [inline]\n     __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2667\n     do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n     do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n     entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n    value changed: 0x00000000 -> 0xffffffea",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53345",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/fail_function: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53346",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Handle pairing of E-switch via uplink un/load APIs\n\nIn case user switch a device from switchdev mode to legacy mode, mlx5\nfirst unpair the E-switch and afterwards unload the uplink vport.\nFrom the other hand, in case user remove or reload a device, mlx5\nfirst unload the uplink vport and afterwards unpair the E-switch.\n\nThe latter is causing a bug[1], hence, handle pairing of E-switch as\npart of uplink un/load APIs.\n\n[1]\nIn case VF_LAG is used, every tc fdb flow is duplicated to the peer\nesw. However, the original esw keeps a pointer to this duplicated\nflow, not the peer esw.\ne.g.: if user create tc fdb flow over esw0, the flow is duplicated\nover esw1, in FW/HW, but in SW, esw0 keeps a pointer to the duplicated\nflow.\nDuring module unload while a peer tc fdb flow is still offloaded, in\ncase the first device to be removed is the peer device (esw1 in the\nexample above), the peer net-dev is destroyed, and so the mlx5e_priv\nis memset to 0.\nAfterwards, the peer device is trying to unpair himself from the\noriginal device (esw0 in the example above). Unpair API invoke the\noriginal device to clear peer flow from its eswitch (esw0), but the\npeer flow, which is stored over the original eswitch (esw0), is\ntrying to use the peer mlx5e_priv, which is memset to 0 and result in\nbellow kernel-oops.\n\n[  157.964081 ] BUG: unable to handle page fault for address: 000000000002ce60\n[  157.964662 ] #PF: supervisor read access in kernel mode\n[  157.965123 ] #PF: error_code(0x0000) - not-present page\n[  157.965582 ] PGD 0 P4D 0\n[  157.965866 ] Oops: 0000 [#1] SMP\n[  157.967670 ] RIP: 0010:mlx5e_tc_del_fdb_flow+0x48/0x460 [mlx5_core]\n[  157.976164 ] Call Trace:\n[  157.976437 ]  <TASK>\n[  157.976690 ]  __mlx5e_tc_del_fdb_peer_flow+0xe6/0x100 [mlx5_core]\n[  157.977230 ]  mlx5e_tc_clean_fdb_peer_flows+0x67/0x90 [mlx5_core]\n[  157.977767 ]  mlx5_esw_offloads_unpair+0x2d/0x1e0 [mlx5_core]\n[  157.984653 ]  mlx5_esw_offloads_devcom_event+0xbf/0x130 [mlx5_core]\n[  157.985212 ]  mlx5_devcom_send_event+0xa3/0xb0 [mlx5_core]\n[  157.985714 ]  esw_offloads_disable+0x5a/0x110 [mlx5_core]\n[  157.986209 ]  mlx5_eswitch_disable_locked+0x152/0x170 [mlx5_core]\n[  157.986757 ]  mlx5_eswitch_disable+0x51/0x80 [mlx5_core]\n[  157.987248 ]  mlx5_unload+0x2a/0xb0 [mlx5_core]\n[  157.987678 ]  mlx5_uninit_one+0x5f/0xd0 [mlx5_core]\n[  157.988127 ]  remove_one+0x64/0xe0 [mlx5_core]\n[  157.988549 ]  pci_device_remove+0x31/0xa0\n[  157.988933 ]  device_release_driver_internal+0x18f/0x1f0\n[  157.989402 ]  driver_detach+0x3f/0x80\n[  157.989754 ]  bus_remove_driver+0x70/0xf0\n[  157.990129 ]  pci_unregister_driver+0x34/0x90\n[  157.990537 ]  mlx5_cleanup+0xc/0x1c [mlx5_core]\n[  157.990972 ]  __x64_sys_delete_module+0x15a/0x250\n[  157.991398 ]  ? exit_to_user_mode_prepare+0xea/0x110\n[  157.991840 ]  do_syscall_64+0x3d/0x90\n[  157.992198 ]  entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53347",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock when aborting transaction during relocation with scrub\n\nBefore relocating a block group we pause scrub, then do the relocation and\nthen unpause scrub. The relocation process requires starting and committing\na transaction, and if we have a failure in the critical section of the\ntransaction commit path (transaction state >= TRANS_STATE_COMMIT_START),\nwe will deadlock if there is a paused scrub.\n\nThat results in stack traces like the following:\n\n  [42.479] BTRFS info (device sdc): relocating block group 53876686848 flags metadata|raid6\n  [42.936] BTRFS warning (device sdc): Skipping commit of aborted transaction.\n  [42.936] ------------[ cut here ]------------\n  [42.936] BTRFS: Transaction aborted (error -28)\n  [42.936] WARNING: CPU: 11 PID: 346822 at fs/btrfs/transaction.c:1977 btrfs_commit_transaction+0xcc8/0xeb0 [btrfs]\n  [42.936] Modules linked in: dm_flakey dm_mod loop btrfs (...)\n  [42.936] CPU: 11 PID: 346822 Comm: btrfs Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1\n  [42.936] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [42.936] RIP: 0010:btrfs_commit_transaction+0xcc8/0xeb0 [btrfs]\n  [42.936] Code: ff ff 45 8b (...)\n  [42.936] RSP: 0018:ffffb58649633b48 EFLAGS: 00010282\n  [42.936] RAX: 0000000000000000 RBX: ffff8be6ef4d5bd8 RCX: 0000000000000000\n  [42.936] RDX: 0000000000000002 RSI: ffffffffb35e7782 RDI: 00000000ffffffff\n  [42.936] RBP: ffff8be6ef4d5c98 R08: 0000000000000000 R09: ffffb586496339e8\n  [42.936] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8be6d38c7c00\n  [42.936] R13: 00000000ffffffe4 R14: ffff8be6c268c000 R15: ffff8be6ef4d5cf0\n  [42.936] FS:  00007f381a82b340(0000) GS:ffff8beddfcc0000(0000) knlGS:0000000000000000\n  [42.936] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [42.936] CR2: 00007f1e35fb7638 CR3: 0000000117680006 CR4: 0000000000370ee0\n  [42.936] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [42.936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [42.936] Call Trace:\n  [42.936]  <TASK>\n  [42.936]  ? start_transaction+0xcb/0x610 [btrfs]\n  [42.936]  prepare_to_relocate+0x111/0x1a0 [btrfs]\n  [42.936]  relocate_block_group+0x57/0x5d0 [btrfs]\n  [42.936]  ? btrfs_wait_nocow_writers+0x25/0xb0 [btrfs]\n  [42.936]  btrfs_relocate_block_group+0x248/0x3c0 [btrfs]\n  [42.936]  ? __pfx_autoremove_wake_function+0x10/0x10\n  [42.936]  btrfs_relocate_chunk+0x3b/0x150 [btrfs]\n  [42.936]  btrfs_balance+0x8ff/0x11d0 [btrfs]\n  [42.936]  ? __kmem_cache_alloc_node+0x14a/0x410\n  [42.936]  btrfs_ioctl+0x2334/0x32c0 [btrfs]\n  [42.937]  ? mod_objcg_state+0xd2/0x360\n  [42.937]  ? refill_obj_stock+0xb0/0x160\n  [42.937]  ? seq_release+0x25/0x30\n  [42.937]  ? __rseq_handle_notify_resume+0x3b5/0x4b0\n  [42.937]  ? percpu_counter_add_batch+0x2e/0xa0\n  [42.937]  ? __x64_sys_ioctl+0x88/0xc0\n  [42.937]  __x64_sys_ioctl+0x88/0xc0\n  [42.937]  do_syscall_64+0x38/0x90\n  [42.937]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n  [42.937] RIP: 0033:0x7f381a6ffe9b\n  [42.937] Code: 00 48 89 44 24 (...)\n  [42.937] RSP: 002b:00007ffd45ecf060 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  [42.937] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f381a6ffe9b\n  [42.937] RDX: 00007ffd45ecf150 RSI: 00000000c4009420 RDI: 0000000000000003\n  [42.937] RBP: 0000000000000003 R08: 0000000000000013 R09: 0000000000000000\n  [42.937] R10: 00007f381a60c878 R11: 0000000000000246 R12: 00007ffd45ed0423\n  [42.937] R13: 00007ffd45ecf150 R14: 0000000000000000 R15: 00007ffd45ecf148\n  [42.937]  </TASK>\n  [42.937] ---[ end trace 0000000000000000 ]---\n  [42.937] BTRFS: error (device sdc: state A) in cleanup_transaction:1977: errno=-28 No space left\n  [59.196] INFO: task btrfs:346772 blocked for more than 120 seconds.\n  [59.196]       Tainted: G        W          6.3.0-rc2-btrfs-next-127+ #1\n  [59.196] \"echo 0 > /proc/sys/kernel/hung_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53348",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ov2740: Fix memleak in ov2740_init_controls()\n\nThere is a kmemleak when testing the media/i2c/ov2740.c with bpf mock\ndevice:\n\nunreferenced object 0xffff8881090e19e0 (size 16):\n  comm \"51-i2c-ov2740\", pid 278, jiffies 4294781584 (age 23.613s)\n  hex dump (first 16 bytes):\n    00 f3 7c 0b 81 88 ff ff 80 75 6a 09 81 88 ff ff  ..|......uj.....\n  backtrace:\n    [<000000004e9fad8f>] __kmalloc_node+0x44/0x1b0\n    [<0000000039c802f4>] kvmalloc_node+0x34/0x180\n    [<000000009b8b5c63>] v4l2_ctrl_handler_init_class+0x11d/0x180\n[videodev]\n    [<0000000038644056>] ov2740_probe+0x37d/0x84f [ov2740]\n    [<0000000092489f59>] i2c_device_probe+0x28d/0x680\n    [<000000001038babe>] really_probe+0x17c/0x3f0\n    [<0000000098c7af1c>] __driver_probe_device+0xe3/0x170\n    [<00000000e1b3dc24>] device_driver_attach+0x34/0x80\n    [<000000005a04a34d>] bind_store+0x10b/0x1a0\n    [<00000000ce25d4f2>] drv_attr_store+0x49/0x70\n    [<000000007d9f4e9a>] sysfs_kf_write+0x8c/0xb0\n    [<00000000be6cff0f>] kernfs_fop_write_iter+0x216/0x2e0\n    [<0000000031ddb40a>] vfs_write+0x658/0x810\n    [<0000000041beecdd>] ksys_write+0xd6/0x1b0\n    [<0000000023755840>] do_syscall_64+0x38/0x90\n    [<00000000b2cc2da2>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nov2740_init_controls() won't clean all the allocated resources in the fail\npath, which may cause the memleaks. Add v4l2_ctrl_handler_free() to\nprevent the memleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53349",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix slicing memory leak\n\nThe temporary buffer storing slicing configuration data from user is only\nfreed on error.  This is a memory leak.  Free the buffer unconditionally.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53350",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Check scheduler work queue before calling timeout handling\n\nDuring an IGT GPU reset test we see again oops despite\ncommit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling\ntimeout handling).\n\nIt uses the ready condition to decide whether to call drm_sched_fault, which unwinds\nthe TDR and leads to GPU reset.\nHowever it looks like the ready condition is overloaded with other meanings,\nfor example, the following stack is related to GPU reset:\n\n0  gfx_v9_0_cp_gfx_start\n1  gfx_v9_0_cp_gfx_resume\n2  gfx_v9_0_cp_resume\n3  gfx_v9_0_hw_init\n4  gfx_v9_0_resume\n5  amdgpu_device_ip_resume_phase2\n\ndoes the following:\n\t/* start the ring */\n\tgfx_v9_0_cp_gfx_start(adev);\n\tring->sched.ready = true;\n\nThe same approach is used for other ASICs as well:\ngfx_v8_0_cp_gfx_resume\ngfx_v10_0_kiq_resume, etc...\n\nAs a result, our GPU reset test causes a GPU fault which unconditionally calls gfx_v9_0_fault\nand then drm_sched_fault. However now it depends on whether the interrupt service routine\ndrm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed, which sets the ready\nfield of the scheduler to true even for uninitialized schedulers and causes oops, vs.\nno fault, or when the ISR drm_sched_fault is completed prior to gfx_v9_0_cp_gfx_start and\nthe NULL pointer dereference does not occur.\n\nUse the field timeout_wq to prevent oops for uninitialized schedulers.\nThe field could be initialized by the work queue of resetting the domain.\n\nv1: Corrections to commit message (Luben)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53351",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: check null pointer before accessing when swapping\n\nAdd a check to avoid null pointer dereference as below:\n\n[   90.002283] general protection fault, probably for non-canonical\naddress 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[   90.002292] KASAN: null-ptr-deref in range\n[0x0000000000000000-0x0000000000000007]\n[   90.002346]  ? exc_general_protection+0x159/0x240\n[   90.002352]  ? asm_exc_general_protection+0x26/0x30\n[   90.002357]  ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm]\n[   90.002365]  ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm]\n[   90.002373]  ttm_bo_swapout+0x134/0x7f0 [ttm]\n[   90.002383]  ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm]\n[   90.002391]  ? lock_acquire+0x44d/0x4f0\n[   90.002398]  ? ttm_device_swapout+0xa5/0x260 [ttm]\n[   90.002412]  ? lock_acquired+0x355/0xa00\n[   90.002416]  ? do_raw_spin_trylock+0xb6/0x190\n[   90.002421]  ? __pfx_lock_acquired+0x10/0x10\n[   90.002426]  ? ttm_global_swapout+0x25/0x210 [ttm]\n[   90.002442]  ttm_device_swapout+0x198/0x260 [ttm]\n[   90.002456]  ? __pfx_ttm_device_swapout+0x10/0x10 [ttm]\n[   90.002472]  ttm_global_swapout+0x75/0x210 [ttm]\n[   90.002486]  ttm_tt_populate+0x187/0x3f0 [ttm]\n[   90.002501]  ttm_bo_handle_move_mem+0x437/0x590 [ttm]\n[   90.002517]  ttm_bo_validate+0x275/0x430 [ttm]\n[   90.002530]  ? __pfx_ttm_bo_validate+0x10/0x10 [ttm]\n[   90.002544]  ? kasan_save_stack+0x33/0x60\n[   90.002550]  ? kasan_set_track+0x25/0x30\n[   90.002554]  ? __kasan_kmalloc+0x8f/0xa0\n[   90.002558]  ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu]\n[   90.003023]  ? ttm_resource_alloc+0xf6/0x220 [ttm]\n[   90.003038]  amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu]\n[   90.003210]  ? __x64_sys_ioctl+0x131/0x1a0\n[   90.003210]  ? do_syscall_64+0x60/0x90",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53352",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.10"
        },
        {
          "id": "CVE-2023-53353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: postpone mem_mgr IDR destruction to hpriv_release()\n\nThe memory manager IDR is currently destroyed when user releases the\nfile descriptor.\nHowever, at this point the user context might be still held, and memory\nbuffers might be still in use.\nLater on, calls to release those buffers will fail due to not finding\ntheir handles in the IDR, leading to a memory leak.\nTo avoid this leak, split the IDR destruction from the memory manager\nfini, and postpone it to hpriv_release() when there is no user context\nand no buffers are used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53353",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: skb_segment, Call zero copy functions before using skbuff frags\n\nCommit bf5c25d60861 (\"skbuff: in skb_segment, call zerocopy functions\nonce per nskb\") added the call to zero copy functions in skb_segment().\nThe change introduced a bug in skb_segment() because skb_orphan_frags()\nmay possibly change the number of fragments or allocate new fragments\naltogether leaving nrfrags and frag to point to the old values. This can\ncause a panic with stacktrace like the one below.\n\n[  193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc\n[  193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G           O      5.15.123+ #26\n[  193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0\n[  194.021892] Call Trace:\n[  194.027422]  <TASK>\n[  194.072861]  tcp_gso_segment+0x107/0x540\n[  194.082031]  inet_gso_segment+0x15c/0x3d0\n[  194.090783]  skb_mac_gso_segment+0x9f/0x110\n[  194.095016]  __skb_gso_segment+0xc1/0x190\n[  194.103131]  netem_enqueue+0x290/0xb10 [sch_netem]\n[  194.107071]  dev_qdisc_enqueue+0x16/0x70\n[  194.110884]  __dev_queue_xmit+0x63b/0xb30\n[  194.121670]  bond_start_xmit+0x159/0x380 [bonding]\n[  194.128506]  dev_hard_start_xmit+0xc3/0x1e0\n[  194.131787]  __dev_queue_xmit+0x8a0/0xb30\n[  194.138225]  macvlan_start_xmit+0x4f/0x100 [macvlan]\n[  194.141477]  dev_hard_start_xmit+0xc3/0x1e0\n[  194.144622]  sch_direct_xmit+0xe3/0x280\n[  194.147748]  __dev_queue_xmit+0x54a/0xb30\n[  194.154131]  tap_get_user+0x2a8/0x9c0 [tap]\n[  194.157358]  tap_sendmsg+0x52/0x8e0 [tap]\n[  194.167049]  handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]\n[  194.173631]  handle_tx+0xcd/0xe0 [vhost_net]\n[  194.176959]  vhost_worker+0x76/0xb0 [vhost]\n[  194.183667]  kthread+0x118/0x140\n[  194.190358]  ret_from_fork+0x1f/0x30\n[  194.193670]  </TASK>\n\nIn this case calling skb_orphan_frags() updated nr_frags leaving nrfrags\nlocal variable in skb_segment() stale. This resulted in the code hitting\ni >= nrfrags prematurely and trying to move to next frag_skb using\nlist_skb pointer, which was NULL, and caused kernel panic. Move the call\nto zero copy functions before using frags and nr_frags.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53354",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: pi433: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.  This requires saving off the root directory dentry to make\ncreation of individual device subdirectories easier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53355",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Add null pointer check in gserial_suspend\n\nConsider a case where gserial_disconnect has already cleared\ngser->ioport. And if gserial_suspend gets called afterwards,\nit will lead to accessing of gser->ioport and thus causing\nnull pointer dereference.\n\nAvoid this by adding a null pointer check. Added a static\nspinlock to prevent gser->ioport from becoming null after\nthe newly added null pointer check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53356",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: check slab-out-of-bounds in md_bitmap_get_counter\n\nIf we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()\nwill return -EINVAL because 'page >= bitmap->pages', but the return value\nwas not checked immediately in md_bitmap_get_counter() in order to set\n*blocks value and slab-out-of-bounds occurs.\n\nMove check of 'page >= bitmap->pages' to md_bitmap_get_counter() and\nreturn directly if true.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53357",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix racy issue under concurrent smb2 tree disconnect\n\nThere is a UAF issue under concurrent smb2 tree disconnect.\nThis patch introduces the TREE_CONN_EXPIRE flag for tcon to avoid concurrent\naccess.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53358",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53359",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: Rework scratch handling for READ_PLUS (again)\n\nI found that the read code might send multiple requests using the same\nnfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is\nhow we ended up occasionally double-freeing the scratch buffer, but also\nmeans we set a NULL pointer but non-zero length to the xdr scratch\nbuffer. This results in an oops the first time decoding needs to copy\nsomething to scratch, which frequently happens when decoding READ_PLUS\nhole segments.\n\nI fix this by moving scratch handling into the pageio read code. I\nprovide a function to allocate scratch space for decoding read replies,\nand free the scratch buffer when the nfs_pgio_header is freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53360",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: mm: Add p?d_leaf() definitions\n\nWhen I do LTP test, LTP test case ksm06 caused panic at\n\tbreak_ksm_pmd_entry\n\t  -> pmd_leaf (Huge page table but False)\n\t  -> pte_present (panic)\n\nThe reason is pmd_leaf() is not defined, So like commit 501b81046701\n(\"mips: mm: add p?d_leaf() definitions\") add p?d_leaf() definition for\nLoongArch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53361",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: don't assume child devices are all fsl-mc devices\n\nChanges in VFIO caused a pseudo-device to be created as child of\nfsl-mc devices causing a crash [1] when trying to bind a fsl-mc\ndevice to VFIO. Fix this by checking the device type when enumerating\nfsl-mc child devices.\n\n[1]\nModules linked in:\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1289 Comm: sh Not tainted 6.2.0-rc5-00047-g7c46948a6e9c #2\nHardware name: NXP Layerscape LX2160ARDB (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mc_send_command+0x24/0x1f0\nlr : dprc_get_obj_region+0xfc/0x1c0\nsp : ffff80000a88b900\nx29: ffff80000a88b900 x28: ffff48a9429e1400 x27: 00000000000002b2\nx26: ffff48a9429e1718 x25: 0000000000000000 x24: 0000000000000000\nx23: ffffd59331ba3918 x22: ffffd59331ba3000 x21: 0000000000000000\nx20: ffff80000a88b9b8 x19: 0000000000000000 x18: 0000000000000001\nx17: 7270642f636d2d6c x16: 73662e3030303030 x15: ffffffffffffffff\nx14: ffffd59330f1d668 x13: ffff48a8727dc389 x12: ffff48a8727dc386\nx11: 0000000000000002 x10: 00008ceaf02f35d4 x9 : 0000000000000012\nx8 : 0000000000000000 x7 : 0000000000000006 x6 : ffff80000a88bab0\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a88b9e8\nx2 : ffff80000a88b9e8 x1 : 0000000000000000 x0 : ffff48a945142b80\nCall trace:\n mc_send_command+0x24/0x1f0\n dprc_get_obj_region+0xfc/0x1c0\n fsl_mc_device_add+0x340/0x590\n fsl_mc_obj_device_add+0xd0/0xf8\n dprc_scan_objects+0x1c4/0x340\n dprc_scan_container+0x38/0x60\n vfio_fsl_mc_probe+0x9c/0xf8\n fsl_mc_driver_probe+0x24/0x70\n really_probe+0xbc/0x2a8\n __driver_probe_device+0x78/0xe0\n device_driver_attach+0x30/0x68\n bind_store+0xa8/0x130\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x44/0x60\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x334/0x448\n ksys_write+0x68/0xf0\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x44/0x108\n el0_svc_common.constprop.1+0x94/0xf8\n do_el0_svc+0x38/0xb0\n el0_svc+0x20/0x50\n el0t_64_sync_handler+0x98/0xc0\n el0t_64_sync+0x174/0x178\nCode: aa0103f4 a9025bf5 d5384100 b9400801 (79401260)\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53362",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix use-after-free in pci_bus_release_domain_nr()\n\nCommit c14f7ccc9f5d (\"PCI: Assign PCI domain IDs by ida_alloc()\")\nintroduced a use-after-free bug in the bus removal cleanup. The issue was\nfound with kfence:\n\n  [   19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70\n\n  [   19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):\n  [   19.309677]  pci_bus_release_domain_nr+0x10/0x70\n  [   19.309691]  dw_pcie_host_deinit+0x28/0x78\n  [   19.309702]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.309734]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.309752]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k\n\n  [   19.311469] allocated by task 96 on cpu 10 at 19.279323s:\n  [   19.311562]  __kmem_cache_alloc_node+0x260/0x278\n  [   19.311571]  kmalloc_trace+0x24/0x30\n  [   19.311580]  pci_alloc_bus+0x24/0xa0\n  [   19.311590]  pci_register_host_bridge+0x48/0x4b8\n  [   19.311601]  pci_scan_root_bus_bridge+0xc0/0xe8\n  [   19.311613]  pci_host_probe+0x18/0xc0\n  [   19.311623]  dw_pcie_host_init+0x2c0/0x568\n  [   19.311630]  tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]\n  [   19.311647]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311782] freed by task 96 on cpu 10 at 19.285833s:\n  [   19.311799]  release_pcibus_dev+0x30/0x40\n  [   19.311808]  device_release+0x30/0x90\n  [   19.311814]  kobject_put+0xa8/0x120\n  [   19.311832]  device_unregister+0x20/0x30\n  [   19.311839]  pci_remove_bus+0x78/0x88\n  [   19.311850]  pci_remove_root_bus+0x5c/0x98\n  [   19.311860]  dw_pcie_host_deinit+0x28/0x78\n  [   19.311866]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.311883]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.311900]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4\n  [   19.320171] Hardware name:  /, BIOS 1.0-d7fb19b 08/10/2022\n  [   19.325852] Workqueue: events_unbound deferred_probe_work_func\n\nThe stack trace is a bit misleading as dw_pcie_host_deinit() doesn't\ndirectly call pci_bus_release_domain_nr(). The issue turns out to be in\npci_remove_root_bus() which first calls pci_remove_bus() which frees the\nstruct pci_bus when its struct device is released. Then\npci_bus_release_domain_nr() is called and accesses the freed struct\npci_bus. Reordering these fixes the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53363",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: better fix null deref with partial DT\n\nTwo versions of the original patch were sent but V1 was merged instead\nof V2 due to a mistake.\n\nSo update to V2.\n\nThe advantage of V2 is that it completely avoids dereferencing the pointer,\neven just to take the address, which may fix problems with some compilers.\nBoth versions work on my gcc 9.4 but use the safer one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53364",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.12"
        },
        {
          "id": "CVE-2023-53365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6mr: Fix skb_under_panic in ip6mr_cache_report()\n\nskbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4\n head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg\n ------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:192!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Workqueue: ipv6_addrconf addrconf_dad_work\n RIP: 0010:skb_panic+0x152/0x1d0\n Call Trace:\n  <TASK>\n  skb_push+0xc4/0xe0\n  ip6mr_cache_report+0xd69/0x19b0\n  reg_vif_xmit+0x406/0x690\n  dev_hard_start_xmit+0x17e/0x6e0\n  __dev_queue_xmit+0x2d6a/0x3d20\n  vlan_dev_hard_start_xmit+0x3ab/0x5c0\n  dev_hard_start_xmit+0x17e/0x6e0\n  __dev_queue_xmit+0x2d6a/0x3d20\n  neigh_connected_output+0x3ed/0x570\n  ip6_finish_output2+0x5b5/0x1950\n  ip6_finish_output+0x693/0x11c0\n  ip6_output+0x24b/0x880\n  NF_HOOK.constprop.0+0xfd/0x530\n  ndisc_send_skb+0x9db/0x1400\n  ndisc_send_rs+0x12a/0x6c0\n  addrconf_dad_completed+0x3c9/0xea0\n  addrconf_dad_work+0x849/0x1420\n  process_one_work+0xa22/0x16e0\n  worker_thread+0x679/0x10c0\n  ret_from_fork+0x28/0x60\n  ret_from_fork_asm+0x11/0x20\n\nWhen setting up a vlan device on dev pim6reg, a DAD ns packet may be sent on reg_vif_xmit().\nreg_vif_xmit()\n    ip6mr_cache_report()\n        skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4\nAnd skb_push is declared as:\n\tvoid *skb_push(struct sk_buff *skb, unsigned int len);\n\t\tskb->data -= len;\n\t\t//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850\nskb->data is set to 0xffff887f5f86a850, which is an invalid mem addr, leading skb_push() to fail.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53365",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: be a bit more careful in checking for NULL bdev while polling\n\nWei reports a crash with an application using polled IO:\n\nPGD 14265e067 P4D 14265e067 PUD 47ec50067 PMD 0\nOops: 0000 [#1] SMP\nCPU: 0 PID: 21915 Comm: iocore_0 Kdump: loaded Tainted: G S                5.12.0-0_fbk12_clang_7346_g1bb6f2e7058f #1\nHardware name: Wiwynn Delta Lake MP T8/Delta Lake-Class2, BIOS Y3DLM08 04/10/2022\nRIP: 0010:bio_poll+0x25/0x200\nCode: 0f 1f 44 00 00 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 28 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 48 8b 47 08 <48> 8b 80 70 02 00 00 4c 8b 70 50 8b 6f 34 31 db 83 fd ff 75 25 65\nRSP: 0018:ffffc90005fafdf8 EFLAGS: 00010292\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 74b43cd65dd66600\nRDX: 0000000000000003 RSI: ffffc90005fafe78 RDI: ffff8884b614e140\nRBP: ffff88849964df78 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff88849964df00\nR13: ffffc90005fafe78 R14: ffff888137d3c378 R15: 0000000000000001\nFS:  00007fd195000640(0000) GS:ffff88903f400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000270 CR3: 0000000466121001 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n iocb_bio_iopoll+0x1d/0x30\n io_do_iopoll+0xac/0x250\n __se_sys_io_uring_enter+0x3c5/0x5a0\n ? __x64_sys_write+0x89/0xd0\n do_syscall_64+0x2d/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x94f225d\nCode: 24 cc 00 00 00 41 8b 84 24 d0 00 00 00 c1 e0 04 83 e0 10 41 09 c2 8b 33 8b 53 04 4c 8b 43 18 4c 63 4b 0c b8 aa 01 00 00 0f 05 <85> c0 0f 88 85 00 00 00 29 03 45 84 f6 0f 84 88 00 00 00 41 f6 c7\nRSP: 002b:00007fd194ffcd88 EFLAGS: 00000202 ORIG_RAX: 00000000000001aa\nRAX: ffffffffffffffda RBX: 00007fd194ffcdc0 RCX: 00000000094f225d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007\nRBP: 00007fd194ffcdb0 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000001 R11: 0000000000000202 R12: 00007fd269d68030\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000\n\nwhich is due to bio->bi_bdev being NULL. This can happen if we have two\ntasks doing polled IO, and task B ends up completing IO from task A if\nthey are sharing a poll queue. If task B completes the IO and puts the\nbio into our cache, then it can allocate that bio again before task A\nis done polling for it. As that would necessitate a preempt between the\ntwo tasks, it's enough to just be a bit more careful in checking for\nwhether or not bio->bi_bdev is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53366",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: fix mem leak in capture user mappings\n\nThis commit fixes a memory leak caused when clearing the user_mappings\ninfo when a new context is opened immediately after user_mapping is\ncaptured and a hard reset is performed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53367",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))\n\n  WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n  Call Trace:\n   ring_buffer_unlock_commit+0x42/0x250\n   trace_buffer_unlock_commit_regs+0x3b/0x250\n   trace_event_buffer_commit+0xe5/0x440\n   trace_event_buffer_reserve+0x11c/0x150\n   trace_event_raw_event_sched_switch+0x23c/0x2c0\n   __traceiter_sched_switch+0x59/0x80\n   __schedule+0x72b/0x1580\n   schedule+0x92/0x120\n   worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n  Write on CPU 0             Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n  --------                   --------\n                             tracing_snapshot_write()\n                               [...]\n\n  ring_buffer_lock_reserve()\n    cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';\n    [...]\n    rb_reserve_next_event()\n      [...]\n\n                               ring_buffer_swap_cpu()\n                                 if (local_read(&cpu_buffer_a->committing))\n                                     goto out_dec;\n                                 if (local_read(&cpu_buffer_b->committing))\n                                     goto out_dec;\n                                 buffer_a->buffers[cpu] = cpu_buffer_b;\n                                 buffer_b->buffers[cpu] = cpu_buffer_a;\n                                 // 2. cpu_buffer has swapped here.\n\n      rb_start_commit(cpu_buffer);\n      if (unlikely(READ_ONCE(cpu_buffer->buffer)\n          != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'\n        [...]           //    has not changed here.\n        return NULL;\n      }\n                                 cpu_buffer_b->buffer = buffer_a;\n                                 cpu_buffer_a->buffer = buffer_b;\n                                 [...]\n\n      // 4. Reserve event from 'cpu_buffer_a'.\n\n  ring_buffer_unlock_commit()\n    [...]\n    cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!\n    rb_commit(cpu_buffer)\n      rb_end_commit()  // 6. WARN for the wrong 'committing' state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n  ``` bash\n  #!/bin/bash\n\n  dmesg -n 7\n  sysctl -w kernel.panic_on_warn=1\n  TR=/sys/kernel/tracing\n  echo 7 > ${TR}/buffer_size_kb\n  echo \"sched:sched_switch\" > ${TR}/set_event\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53368",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dcb: choose correct policy to parse DCB_ATTR_BCN\n\nThe dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],\nwhich is introduced in commit 859ee3c43812 (\"DCB: Add support for DCB\nBCN\"). Please see the comment in below code\n\nstatic int dcbnl_bcn_setcfg(...)\n{\n  ...\n  ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )\n  // !!! dcbnl_pfc_up_nest for attributes\n  //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs\n  ...\n  for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {\n  // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs\n    ...\n    value_byte = nla_get_u8(data[i]);\n    ...\n  }\n  ...\n  for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {\n  // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs\n  ...\n    value_int = nla_get_u32(data[i]);\n  ...\n  }\n  ...\n}\n\nThat is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest\nattributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the\nfollowing access code fetch each nlattr as dcbnl_bcn_attrs attributes.\nBy looking up the associated nla_policy for dcbnl_bcn_attrs. We can find\nthe beginning part of these two policies are \"same\".\n\nstatic const struct nla_policy dcbnl_pfc_up_nest[...] = {\n        [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nstatic const struct nla_policy dcbnl_bcn_nest[...] = {\n        [DCB_BCN_ATTR_RP_0]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_1]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_2]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_3]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_4]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_5]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_6]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_7]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_ALL]       = {.type = NLA_FLAG},\n        // from here is somewhat different\n        [DCB_BCN_ATTR_BCNA_0]       = {.type = NLA_U32},\n        ...\n        [DCB_BCN_ATTR_ALL]          = {.type = NLA_FLAG},\n};\n\nTherefore, the current code is buggy and this\nnla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use\nthe adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.\n\nHence use the correct policy dcbnl_bcn_nest to parse the nested\ntb[DCB_ATTR_BCN] TLV.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53369",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix memory leak in mes self test\n\nThe fences associated with mes queue have to be freed\nup during amdgpu_ring_fini.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53370",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create\n\nThe memory pointed to by the fs->any pointer is not freed in the error\npath of mlx5e_fs_tt_redirect_any_create, which can lead to a memory leak.\nFix by freeing the memory in the error path, thereby making the error path\nidentical to mlx5e_fs_tt_redirect_any_destroy().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53371",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix a potential overflow in sctp_ifwdtsn_skip\n\nCurrently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only\nchecks the pos against the end of the chunk. However, the data left for\nthe last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereferencing\nit as struct sctp_ifwdtsn_skip may cause overflow.\n\nThis patch fixes it by checking the pos against \"the end of the chunk -\nsizeof(struct sctp_ifwdtsn_skip)\" in sctp_ifwdtsn_skip, similar to\nsctp_fwdtsn_skip.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53372",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Handle EBUSY correctly\n\nAs it is seqiv only handles the special return value of EINPROGRESS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of seqiv may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way.  Otherwise backlogged\nrequests will trigger a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53373",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early\n\nNot calling hci_(dis)connect_cfm before deleting conn referred to by a\nsocket generally results to use-after-free.\n\nWhen cleaning up SCO connections when the parent ACL is deleted too\nearly, use hci_conn_failed to do the connection cleanup properly.\n\nWe also need to clean up ISO connections in a similar situation when\nconnecting has started but LE Create CIS is not yet sent, so do it too\nhere.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53374",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Free error logs of tracing instances\n\nWhen a tracing instance is removed, the error messages that hold errors\nthat occurred in the instance need to be freed. The following reports a\nmemory leak:\n\n # cd /sys/kernel/tracing\n # mkdir instances/foo\n # echo 'hist:keys=x' > instances/foo/events/sched/sched_switch/trigger\n # cat instances/foo/error_log\n [  117.404795] hist:sched:sched_switch: error: Couldn't find field\n   Command: hist:keys=x\n                      ^\n # rmdir instances/foo\n\nThen check for memory leaks:\n\n # echo scan > /sys/kernel/debug/kmemleak\n # cat /sys/kernel/debug/kmemleak\nunreferenced object 0xffff88810d8ec700 (size 192):\n  comm \"bash\", pid 869, jiffies 4294950577 (age 215.752s)\n  hex dump (first 32 bytes):\n    60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff  `.ha....`.ha....\n    a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00  .0......&.......\n  backtrace:\n    [<00000000dae26536>] kmalloc_trace+0x2a/0xa0\n    [<00000000b2938940>] tracing_log_err+0x277/0x2e0\n    [<000000004a0e1b07>] parse_atom+0x966/0xb40\n    [<0000000023b24337>] parse_expr+0x5f3/0xdb0\n    [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560\n    [<00000000293a9645>] trigger_process_regex+0x135/0x1a0\n    [<000000005c22b4f2>] event_trigger_write+0x87/0xf0\n    [<000000002cadc509>] vfs_write+0x162/0x670\n    [<0000000059c3b9be>] ksys_write+0xca/0x170\n    [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0\n    [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc\nunreferenced object 0xffff888170c35a00 (size 32):\n  comm \"bash\", pid 869, jiffies 4294950577 (age 215.752s)\n  hex dump (first 32 bytes):\n    0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74  .  Command: hist\n    3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00  :keys=x.........\n  backtrace:\n    [<000000006a747de5>] __kmalloc+0x4d/0x160\n    [<000000000039df5f>] tracing_log_err+0x29b/0x2e0\n    [<000000004a0e1b07>] parse_atom+0x966/0xb40\n    [<0000000023b24337>] parse_expr+0x5f3/0xdb0\n    [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560\n    [<00000000293a9645>] trigger_process_regex+0x135/0x1a0\n    [<000000005c22b4f2>] event_trigger_write+0x87/0xf0\n    [<000000002cadc509>] vfs_write+0x162/0x670\n    [<0000000059c3b9be>] ksys_write+0xca/0x170\n    [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0\n    [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe problem is that the error log needs to be freed when the instance is\nremoved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53375",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Use number of bits to manage bitmap sizes\n\nTo allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using\nbyte as unit. However, bitmap helper functions assume that bitmaps are\nallocated using unsigned long as unit. This gap causes memory access beyond\nthe bitmap sizes and results in \"BUG: KASAN: slab-out-of-bounds\".  The BUG\nwas observed at firmware download to eHBA-9600. Call trace indicated that\nthe out-of-bounds access happened in find_first_zero_bit() called from\nmpi3mr_send_event_ack() for miroc->evtack_cmds_bitmap.\n\nTo fix the BUG, do not use bytes to manage bitmap sizes. Instead, use\nnumber of bits, and call bitmap helper functions which take number of bits\nas arguments. For memory allocation, call bitmap_zalloc() instead of\nkzalloc() and krealloc(). For memory free, call bitmap_free() instead of\nkfree(). For zero clear, call bitmap_clear() instead of memset().\n\nRemove three fields for bitmap byte sizes in struct scmd_priv which are no\nlonger required. Replace the field dev_handle_bitmap_sz with\ndev_handle_bitmap_bits to keep number of bits of removepend_bitmap across\nresize.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53376",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent use-after-free by freeing the cfile later\n\nIn smb2_compound_op we have a possible use-after-free\nwhich can cause hard to debug problems later on.\n\nThis was revealed during stress testing with KASAN enabled\nkernel. Fixing it by moving the cfile free call to\na few lines below, after the usage.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53377",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dpt: Treat the DPT BO as a framebuffer\n\nCurrently i915_gem_object_is_framebuffer() doesn't treat the\nBO containing the framebuffer's DPT as a framebuffer itself.\nThis means eg. that the shrinker can evict the DPT BO while\nleaving the actual FB BO bound, when the DPT is allocated\nfrom regular shmem.\n\nThat causes an immediate oops during hibernate as we\ntry to rewrite the PTEs inside the already evicted\nDPT obj.\n\nTODO: presumably this might also be the reason for the\nDPT related display faults under heavy memory pressure,\nbut I'm still not sure how that would happen as the object\nshould be pinned by intel_dpt_pin() while in active use by\nthe display engine...\n\n(cherry picked from commit 779cb5ba64ec7df80675a956c9022929514f517a)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53378",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()\n\nSmatch reports:\ndrivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()\nwarn: missing unwind goto?\n\nAfter getting irq, if ret < 0, it will return without error handling to\nfree memory.\nJust add error handling to fix this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53379",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null-ptr-deref of mreplace in raid10_sync_request\n\nThere are two checks of 'mreplace' in raid10_sync_request(). In the first\ncheck, 'need_replace' will be set and 'mreplace' will be used later if a\nnon-Faulty 'mreplace' exists. In the second check, 'mreplace' will be\nset to NULL if it is Faulty, but 'need_replace' will not be changed\naccordingly. null-ptr-deref occurs if Faulty is set between the two checks.\n\nFix it by merging two checks into one. And replace 'need_replace' with\n'mreplace' because their values are always the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53380",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix leaked reference count of nfsd4_ssc_umount_item\n\nThe reference count of nfsd4_ssc_umount_item is not decremented\non error conditions. This prevents the laundromat from unmounting\nthe vfsmount of the source file.\n\nThis patch decrements the reference count of nfsd4_ssc_umount_item\non error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53381",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Reset connection when trying to use SMCRv2 fails.\n\nWe found a crash when using SMCRv2 with 2 Mellanox ConnectX-4. It\ncan be reproduced by:\n\n- smc_run nginx\n- smc_run wrk -t 32 -c 500 -d 30 http://<ip>:<port>\n\n BUG: kernel NULL pointer dereference, address: 0000000000000014\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 8000000108713067 P4D 8000000108713067 PUD 151127067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 4 PID: 2441 Comm: kworker/4:249 Kdump: loaded Tainted: G        W   E      6.4.0-rc1+ #42\n Workqueue: smc_hs_wq smc_listen_work [smc]\n RIP: 0010:smc_clc_send_confirm_accept+0x284/0x580 [smc]\n RSP: 0018:ffffb8294b2d7c78 EFLAGS: 00010a06\n RAX: ffff8f1873238880 RBX: ffffb8294b2d7dc8 RCX: 0000000000000000\n RDX: 00000000000000b4 RSI: 0000000000000001 RDI: 0000000000b40c00\n RBP: ffffb8294b2d7db8 R08: ffff8f1815c5860c R09: 0000000000000000\n R10: 0000000000000400 R11: 0000000000000000 R12: ffff8f1846f56180\n R13: ffff8f1815c5860c R14: 0000000000000001 R15: 0000000000000001\n FS:  0000000000000000(0000) GS:ffff8f1aefd00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000014 CR3: 00000001027a0001 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? mlx5_ib_map_mr_sg+0xa1/0xd0 [mlx5_ib]\n  ? smcr_buf_map_link+0x24b/0x290 [smc]\n  ? __smc_buf_create+0x4ee/0x9b0 [smc]\n  smc_clc_send_accept+0x4c/0xb0 [smc]\n  smc_listen_work+0x346/0x650 [smc]\n  ? __schedule+0x279/0x820\n  process_one_work+0x1e5/0x3f0\n  worker_thread+0x4d/0x2f0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xe5/0x120\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x2c/0x50\n  </TASK>\n\nDuring the CLC handshake, server sequentially tries available SMCRv2\nand SMCRv1 devices in smc_listen_work().\n\nIf an SMCRv2 device is found, SMCRv2 based link group and link will be\nassigned to the connection. Then assumed that some buffer assignment\nerrors happen later in the CLC handshake, such as RMB registration\nfailure, server will give up SMCRv2 and try SMCRv1 device instead. But\nthe resources assigned to the connection won't be reset.\n\nWhen server tries SMCRv1 device, the connection creation process will\nbe executed again. Since conn->lnk has been assigned when trying SMCRv2,\nit will not be set to the correct SMCRv1 link in\nsmcr_lgr_conn_assign_link(). So in such situation, conn->lgr points to\ncorrect SMCRv1 link group but conn->lnk points to the SMCRv2 link\nmistakenly.\n\nThen in smc_clc_send_confirm_accept(), conn->rmb_desc->mr[link->link_idx]\nwill be accessed. Since the link->link_idx is not correct, the related\nMR may not have been initialized, so crash happens.\n\n | Try SMCRv2 device first\n |     |-> conn->lgr:\tassign existed SMCRv2 link group;\n |     |-> conn->link:\tassign existed SMCRv2 link (link_idx may be 1 in SMC_LGR_SYMMETRIC);\n |     |-> sndbuf & RMB creation fails, quit;\n |\n | Try SMCRv1 device then\n |     |-> conn->lgr:\tcreate SMCRv1 link group and assign;\n |     |-> conn->link:\tkeep SMCRv2 link mistakenly;\n |     |-> sndbuf & RMB creation succeed, only RMB->mr[link_idx = 0]\n |         initialized.\n |\n | Then smc_clc_send_confirm_accept() accesses\n | conn->rmb_desc->mr[conn->link->link_idx, which is 1], then crash.\n v\n\nThis patch tries to fix this by cleaning conn->lnk before assigning\nlink. In addition, it is better to reset the connection and clean the\nresources assigned if trying SMCRv2 failed in buffer creation or\nregistration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53382",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4\n\nThe T241 platform suffers from the T241-FABRIC-4 erratum which causes\nunexpected behavior in the GIC when multiple transactions are received\nsimultaneously from different sources. This hardware issue impacts\nNVIDIA server platforms that use more than two T241 chips\ninterconnected. Each chip has support for 320 {E}SPIs.\n\nThis issue occurs when multiple packets from different GICs are\nincorrectly interleaved at the target chip. The erratum text below\nspecifies exactly what can cause multiple transfer packets susceptible\nto interleaving and GIC state corruption. GIC state corruption can\nlead to a range of problems, including kernel panics, and unexpected\nbehavior.\n\nFrom the erratum text:\n  \"In some cases, inter-socket AXI4 Stream packets with multiple\n  transfers, may be interleaved by the fabric when presented to ARM\n  Generic Interrupt Controller. GIC expects all transfers of a packet\n  to be delivered without any interleaving.\n\n  The following GICv3 commands may result in multiple transfer packets\n  over inter-socket AXI4 Stream interface:\n   - Register reads from GICD_I* and GICD_N*\n   - Register writes to 64-bit GICD registers other than GICD_IROUTERn*\n   - ITS command MOVALL\n\n  Multiple commands in GICv4+ utilize multiple transfer packets,\n  including VMOVP, VMOVI, VMAPP, and 64-bit register accesses.\"\n\n  This issue impacts system configurations with more than 2 sockets,\n  that require multi-transfer packets to be sent over inter-socket\n  AXI4 Stream interface between GIC instances on different sockets.\n  GICv4 cannot be supported. GICv3 SW model can only be supported\n  with the workaround. Single and Dual socket configurations are not\n  impacted by this issue and support GICv3 and GICv4.\"\n\n\nWriting to the chip alias region of the GICD_In{E} registers except\nGICD_ICENABLERn has an equivalent effect as writing to the global\ndistributor. The SPI interrupt deactivate path is not impacted by\nthe erratum.\n\nTo fix this problem, implement a workaround that ensures read accesses\nto the GICD_In{E} registers are directed to the chip that owns the\nSPI, and disable GICv4.x features. To simplify code changes, the\ngic_configure_irq() function uses the same alias region for both read\nand write operations to GICD_ICFGR.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53383",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: avoid possible NULL skb pointer dereference\n\nIn 'mwifiex_handle_uap_rx_forward()', always check the value\nreturned by 'skb_copy()' to avoid potential NULL pointer\ndereference in 'mwifiex_uap_queue_bridged_pkt()', and drop\noriginal skb in case of copying failure.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53384",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mdp3: Fix resource leaks in of_find_device_by_node\n\nUse put_device to release the object get through of_find_device_by_node,\navoiding resource leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53385",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix potential use-after-free when clear keys\n\nSimilar to commit c5d2b6fa26b5 (\"Bluetooth: Fix use-after-free in\nhci_remove_ltk/hci_remove_irk\"). We can not access k after kfree_rcu()\ncall.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53386",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix device management cmd timeout flow\n\nIn the UFS error handling flow, the host will send a device management cmd\n(NOP OUT) to the device for link recovery. If this cmd times out and\nclearing the doorbell fails, ufshcd_wait_for_dev_cmd() will do nothing and\nreturn. hba->dev_cmd.complete struct is not set to NULL.\n\nWhen this happens, if cmd has been completed by device, then we will call\ncomplete() in __ufshcd_transfer_req_compl(). Because the complete struct is\nallocated on the stack, the following crash will occur:\n\n  ipanic_die+0x24/0x38 [mrdump]\n  die+0x344/0x748\n  arm64_notify_die+0x44/0x104\n  do_debug_exception+0x104/0x1e0\n  el1_dbg+0x38/0x54\n  el1_sync_handler+0x40/0x88\n  el1_sync+0x8c/0x140\n  queued_spin_lock_slowpath+0x2e4/0x3c0\n  __ufshcd_transfer_req_compl+0x3b0/0x1164\n  ufshcd_trc_handler+0x15c/0x308\n  ufshcd_host_reset_and_restore+0x54/0x260\n  ufshcd_reset_and_restore+0x28c/0x57c\n  ufshcd_err_handler+0xeb8/0x1b6c\n  process_one_work+0x288/0x964\n  worker_thread+0x4bc/0xc7c\n  kthread+0x15c/0x264\n  ret_from_fork+0x10/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53387",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Clean dangling pointer on bind error path\n\nmtk_drm_bind() can fail, in which case drm_dev_put() is called,\ndestroying the drm_device object. However a pointer to it was still\nbeing held in the private object, and that pointer would be passed along\nto DRM in mtk_drm_sys_prepare() if a suspend were triggered at that\npoint, resulting in a panic. Clean the pointer when destroying the\nobject in the error path to prevent this from happening.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53388",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: Only trigger DRM HPD events if bridge is attached\n\nThe MediaTek DisplayPort interface bridge driver starts its interrupts\nas soon as its probed. However when the interrupts trigger the bridge\nmight not have been attached to a DRM device. As drm_helper_hpd_irq_event()\ndoes not check whether the passed in drm_device is valid or not, a NULL\npointer passed in results in a kernel NULL pointer dereference in it.\n\nCheck whether the bridge is attached and only trigger an HPD event if\nit is.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53389",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: dd: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53390",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs\n\nAs the ramfs-based tmpfs uses ramfs_init_fs_context() for the\ninit_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb()\nto free it and avoid a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53391",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix kernel panic during warm reset\n\nDuring warm reset device->fw_client is set to NULL. If a bus driver is\nregistered after this NULL setting and before new firmware clients are\nenumerated by ISHTP, kernel panic will result in the function\nishtp_cl_bus_match(). This is because of reference to\ndevice->fw_client->props.protocol_name.\n\nISH firmware after getting successfully loaded, sends a warm reset\nnotification to remove all clients from the bus and sets\ndevice->fw_client to NULL. Until kernel v5.15, all enabled ISHTP kernel\nmodule drivers were loaded right after any of the first ISHTP device was\nregistered, regardless of whether it was a matched or an unmatched\ndevice. This resulted in all drivers getting registered much before the\nwarm reset notification from ISH.\n\nStarting kernel v5.16, this issue got exposed after the change was\nintroduced to load only bus drivers for the respective matching devices.\nIn this scenario, cros_ec_ishtp device and cros_ec_ishtp driver are\nregistered after the warm reset device fw_client NULL setting.\ncros_ec_ishtp driver_register() triggers the callback to\nishtp_cl_bus_match() to match ISHTP driver to the device and causes kernel\npanic in guid_equal() when dereferencing fw_client NULL pointer to get\nprotocol_name.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53392",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device\n\nCurrently, when mlx5_ib_get_hw_stats() is used for device (port_num = 0),\nthere is a special handling in order to use the correct counters, but,\nport_num is being passed down the stack without any change.  Also, some\nfunctions assume that port_num >=1. As a result, the following oops can\noccur.\n\n BUG: unable to handle page fault for address: ffff89510294f1a8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP\n CPU: 8 PID: 1382 Comm: devlink Tainted: G W          6.1.0-rc4_for_upstream_base_2022_11_10_16_12 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:_raw_spin_lock+0xc/0x20\n Call Trace:\n  <TASK>\n  mlx5_ib_get_native_port_mdev+0x73/0xe0 [mlx5_ib]\n  do_get_hw_stats.constprop.0+0x109/0x160 [mlx5_ib]\n  mlx5_ib_get_hw_stats+0xad/0x180 [mlx5_ib]\n  ib_setup_device_attrs+0xf0/0x290 [ib_core]\n  ib_register_device+0x3bb/0x510 [ib_core]\n  ? atomic_notifier_chain_register+0x67/0x80\n  __mlx5_ib_add+0x2b/0x80 [mlx5_ib]\n  mlx5r_probe+0xb8/0x150 [mlx5_ib]\n  ? auxiliary_match_id+0x6a/0x90\n  auxiliary_bus_probe+0x3c/0x70\n  ? driver_sysfs_add+0x6b/0x90\n  really_probe+0xcd/0x380\n  __driver_probe_device+0x80/0x170\n  driver_probe_device+0x1e/0x90\n  __device_attach_driver+0x7d/0x100\n  ? driver_allows_async_probing+0x60/0x60\n  ? driver_allows_async_probing+0x60/0x60\n  bus_for_each_drv+0x7b/0xc0\n  __device_attach+0xbc/0x200\n  bus_probe_device+0x87/0xa0\n  device_add+0x404/0x940\n  ? dev_set_name+0x53/0x70\n  __auxiliary_device_add+0x43/0x60\n  add_adev+0x99/0xe0 [mlx5_core]\n  mlx5_attach_device+0xc8/0x120 [mlx5_core]\n  mlx5_load_one_devl_locked+0xb2/0xe0 [mlx5_core]\n  devlink_reload+0x133/0x250\n  devlink_nl_cmd_reload+0x480/0x570\n  ? devlink_nl_pre_doit+0x44/0x2b0\n  genl_family_rcv_msg_doit.isra.0+0xc2/0x110\n  genl_rcv_msg+0x180/0x2b0\n  ? devlink_nl_cmd_region_read_dumpit+0x540/0x540\n  ? devlink_reload+0x250/0x250\n  ? devlink_put+0x50/0x50\n  ? genl_family_rcv_msg_doit.isra.0+0x110/0x110\n  netlink_rcv_skb+0x54/0x100\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x1f6/0x2c0\n  netlink_sendmsg+0x237/0x490\n  sock_sendmsg+0x33/0x40\n  __sys_sendto+0x103/0x160\n  ? handle_mm_fault+0x10e/0x290\n  ? do_user_addr_fault+0x1c0/0x5f0\n  __x64_sys_sendto+0x25/0x30\n  do_syscall_64+0x3d/0x90\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFix it by setting port_num to 1 in order to get device status and remove\nunused variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53393",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: xsk: Fix crash on regular rq reactivation\n\nWhen the regular rq is reactivated after the XSK socket is closed\nit could be reading stale cqes which eventually corrupts the rq.\nThis leads to no more traffic being received on the regular rq and a\ncrash on the next close or deactivation of the rq.\n\nKal Cuttler Conely reported this issue as a crash on the release\npath when the xdpsock sample program is stopped (killed) and restarted\nin sequence while traffic is running.\n\nThis patch flushes all cqes when during the rq flush. The cqe flushing\nis done in the reset state of the rq. mlx5e_rq_to_ready code is moved\ninto the flush function to allow for this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53394",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer\n\nACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5\n\nAccording to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode.\n\nWhen ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed.\n\n=============================================================\nUBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]'\nCPU: 37 PID: 1678 Comm: cat Not tainted\n6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k\nHW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace:\n dump_backtrace+0xe0/0x130\n show_stack+0x20/0x60\n dump_stack_lvl+0x68/0x84\n dump_stack+0x18/0x34\n ubsan_epilogue+0x10/0x50\n __ubsan_handle_out_of_bounds+0x80/0x90\n acpi_ds_exec_end_op+0x1bc/0x6d8\n acpi_ps_parse_loop+0x57c/0x618\n acpi_ps_parse_aml+0x1e0/0x4b4\n acpi_ps_execute_method+0x24c/0x2b8\n acpi_ns_evaluate+0x3a8/0x4bc\n acpi_evaluate_object+0x15c/0x37c\n acpi_evaluate_integer+0x54/0x15c\n show_power+0x8c/0x12c [acpi_power_meter]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53395",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in do_rename\n\nIf renaming a file in an encrypted directory, function\nfscrypt_setup_filename allocates memory for a file name. This name is\nnever used, and before returning to the caller the memory for it is not\nfreed.\n\nWhen running kmemleak on it we see that it is registered as a leak. The\nreport below is triggered by a simple program 'rename' that renames a\nfile in an encrypted directory:\n\n  unreferenced object 0xffff888101502840 (size 32):\n    comm \"rename\", pid 9404, jiffies 4302582475 (age 435.735s)\n    backtrace:\n      __kmem_cache_alloc_node\n      __kmalloc\n      fscrypt_setup_filename\n      do_rename\n      ubifs_rename\n      vfs_rename\n      do_renameat2\n\nTo fix this we can remove the call to fscrypt_setup_filename as it's not\nneeded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53396",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodpost: fix off by one in is_executable_section()\n\nThe > comparison should be >= to prevent an out of bounds array\naccess.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53397",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: fix possible ptp queue fifo use-after-free\n\nFifo indexes are not checked during pop operations and it leads to\npotential use-after-free when popping from empty queue. Such case was\npossible during re-sync action. WARN_ON_ONCE covers future cases.\n\nThere were out-of-order cqe spotted which lead to drain of the queue and\nuse-after-free because of lack of fifo pointers check. Special check and\ncounter are added to avoid resync operation if SKB could not exist in the\nfifo because of OOO cqe (skb_id must be between consumer and producer\nindex).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53398",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()\n\nIf share is , share->path is NULL and it cause NULL pointer\ndereference issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53399",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix Oops by 9.1 surround channel names\n\nget_line_out_pfx() may trigger an Oops by overflowing the static array\nwith more than 8 channels.  This was reported for MacBookPro 12,1 with\nCirrus codec.\n\nAs a workaround, extend for the 9.1 channels and also fix the\npotential Oops by unifying the code paths accessing the same array\nwith the proper size check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53400",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\n\nKCSAN found an issue in obj_stock_flush_required():\nstock->cached_objcg can be reset between the check and dereference:\n\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\n\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\n drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\n refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\n obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\n memcg_slab_free_hook mm/slab.h:587 [inline]\n __cache_free mm/slab.c:3373 [inline]\n __do_kmem_cache_free mm/slab.c:3577 [inline]\n kmem_cache_free+0x105/0x280 mm/slab.c:3602\n __d_free fs/dcache.c:298 [inline]\n dentry_free fs/dcache.c:375 [inline]\n __dentry_kill+0x422/0x4a0 fs/dcache.c:621\n dentry_kill+0x8d/0x1e0\n dput+0x118/0x1f0 fs/dcache.c:913\n __fput+0x3bf/0x570 fs/file_table.c:329\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x123/0x160 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\n do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\n obj_stock_flush_required mm/memcontrol.c:3319 [inline]\n drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\n try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\n try_charge mm/memcontrol.c:2837 [inline]\n mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\n sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\n sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\n udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\n udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\n sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n __sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n __do_sys_setsockopt net/socket.c:2282 [inline]\n __se_sys_setsockopt net/socket.c:2279 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff8881382d52c0 -> 0xffff888138893740\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\n\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock->cached_objcg.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53401",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/printk/index.c: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53402",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntime/debug: Fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53403",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: fotg210: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53404",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: gr_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53405",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: pxa25x_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53406",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53407",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace/blktrace: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53408",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: component: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53409",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: ULPI: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53410",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: EM: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53411",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53412",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: isp116x: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53413",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53414",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dwc3: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.\n\nNote, the root dentry for the debugfs directory for the device needs to\nbe saved so we don't have to keep looking it up, which required a bit\nmore refactoring to properly create and remove it when needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53415",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: isp1362: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53416",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: sl811: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53417",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53418",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect rcu_print_task_exp_stall() ->exp_tasks access\n\nFor kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can\nresult in a NULL-pointer dereference:\n\n           CPU1                                           CPU2\nrcu_preempt_deferred_qs_irqrestore                rcu_print_task_exp_stall\n  if (special.b.blocked)                            READ_ONCE(rnp->exp_tasks) != NULL\n    raw_spin_lock_rcu_node\n    np = rcu_next_node_entry(t, rnp)\n    if (&t->rcu_node_entry == rnp->exp_tasks)\n      WRITE_ONCE(rnp->exp_tasks, np)\n      ....\n      raw_spin_unlock_irqrestore_rcu_node\n                                                    raw_spin_lock_irqsave_rcu_node\n                                                    t = list_entry(rnp->exp_tasks->prev,\n                                                        struct task_struct, rcu_node_entry)\n                                                    (if rnp->exp_tasks is NULL, this\n                                                       will dereference a NULL pointer)\n\nThe problem is that CPU2 accesses the rcu_node structure's->exp_tasks\nfield without holding the rcu_node structure's ->lock and CPU2 did\nnot observe CPU1's change to rcu_node structure's ->exp_tasks in time.\nTherefore, if CPU1 sets rcu_node structure's->exp_tasks pointer to NULL,\nthen CPU2 might dereference that NULL pointer.\n\nThis commit therefore holds the rcu_node structure's ->lock while\naccessing that structure's->exp_tasks field.\n\n[ paulmck: Apply Frederic Weisbecker feedback. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53419",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()\n\nHere is a BUG report from syzbot:\n\nBUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\nBUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\nRead of size 1 at addr ffff888021acaf3d by task syz-executor128/3632\n\nCall Trace:\n ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]\n ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710\n vfs_listxattr fs/xattr.c:457 [inline]\n listxattr+0x293/0x2d0 fs/xattr.c:804\n\nFix the logic of ea_all iteration. When the ea->name_len is 0,\nreturn immediately, or Add2Ptr() would visit invalid memory\nin the next loop.\n\n[almaz.alexandrovich@paragon-software.com: lines of the patch have changed]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53420",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()\n\nWhen blkg_alloc() is called to allocate a blkcg_gq structure\nwith the associated blkg_iostat_set's, there are 2 fields within\nblkg_iostat_set that requires proper initialization - blkg & sync.\nThe former field was introduced by commit 3b8cc6298724 (\"blk-cgroup:\nOptimize blkcg_rstat_flush()\") while the later one was introduced by\ncommit f73316482977 (\"blk-cgroup: reimplement basic IO stats using\ncgroup rstat\").\n\nUnfortunately those fields in the blkg_iostat_set's are not properly\nre-initialized when they are cleared in v1's blkcg_reset_stats(). This\ncan lead to a kernel panic due to NULL pointer access of the blkg\npointer. The missing initialization of sync is less problematic and\ncan be a problem in a debug kernel due to missing lockdep initialization.\n\nFix these problems by re-initializing them after memory clearing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53421",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fw: fix memory leak in debugfs\n\nFix a memory leak that occurs when reading the fw_info\nfile all the way, since we return NULL indicating no\nmore data, but don't free the status tracking object.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53422",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool: Fix memory leak in create_static_call_sections()\n\nstrdup() allocates memory for key_name. We need to release the memory in\nthe following error paths. Add free() to avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53423",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: fix of_iomap memory leak\n\nSmatch reports:\ndrivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn:\n    'base' from of_iomap() not released on lines: 496.\n\nThis problem was also found in linux-next. In mtk_clk_simple_probe(),\nbase is not released when handling errors\nif clk_data is not existed, which may cause a leak.\nSo free_base should be added here to release base.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53424",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: mediatek: vpu: fix NULL ptr dereference\n\nIf pdev is NULL, then it is still dereferenced.\n\nThis fixes this smatch warning:\n\ndrivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer 'pdev'",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53425",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix xsk_diag use-after-free error during socket cleanup\n\nFix a use-after-free error that is possible if the xsk_diag interface\nis used after the socket has been unbound from the device. This can\nhappen either due to the socket being closed or the device\ndisappearing. In the early days of AF_XDP, the way we tested that a\nsocket was not bound to a device was to simply check if the netdevice\npointer in the xsk socket structure was NULL. Later, a better system\nwas introduced by having an explicit state variable in the xsk socket\nstruct. For example, the state of a socket that is on the way to being\nclosed and has been unbound from the device is XSK_UNBOUND.\n\nThe commit in the Fixes tag below deleted the old way of signalling\nthat a socket is unbound, setting dev to NULL. This in the belief that\nall code using the old way had been exterminated. That was\nunfortunately not true as the xsk diagnostics code was still using the\nold way and thus does not work as intended when a socket is going\ndown. Fix this by introducing a test against the state variable. If\nthe socket is in the state XSK_UNBOUND, simply abort the diagnostic's\nnetlink operation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53426",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix warning and UAF when destroy the MR list\n\nIf the MR allocate failed, the MR recovery work not initialized\nand list not cleared. Then will be warning and UAF when release\nthe MR:\n\n  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110\n  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82\n  RIP: 0010:__flush_work.isra.0+0xf7/0x110\n  Call Trace:\n   <TASK>\n   __cancel_work_timer+0x2ba/0x2e0\n   smbd_destroy+0x4e1/0x990\n   _smbd_get_connection+0x1cbd/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990\n  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824\n  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82\n  Call Trace:\n   dump_stack_lvl+0x34/0x44\n   print_report+0x171/0x472\n   kasan_report+0xad/0x130\n   smbd_destroy+0x4fc/0x990\n   _smbd_get_connection+0x1cbd/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  Allocated by task 824:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   __kasan_kmalloc+0x7a/0x90\n   _smbd_get_connection+0x1b6f/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  Freed by task 824:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   kasan_save_free_info+0x2a/0x40\n   ____kasan_slab_free+0x143/0x1b0\n   __kmem_cache_free+0xc8/0x330\n   _smbd_get_connection+0x1c6a/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nLet's initialize the MR recovery work before MR allocate to prevent\nthe warning, remove the MRs from the list to prevent the UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53427",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: arm_scmi: Remove recursion while parsing zones\n\nPowercap zones can be defined as arranged in a hierarchy of trees and when\nregistering a zone with powercap_register_zone(), the kernel powercap\nsubsystem expects this to happen starting from the root zones down to the\nleaves; on the other side, de-registration by powercap_deregister_zone()\nmust begin from the leaf zones.\n\nAvailable SCMI powercap zones are retrieved dynamically from the platform\nat probe time and, while any defined hierarchy between the zones is\ndescribed properly in the zones descriptor, the platform returns the\navailable zones with no particular well-defined order: as a consequence,\nthe trees possibly composing the hierarchy of zones have to be somehow\nwalked properly to register the retrieved zones from the root.\n\nCurrently the ARM SCMI Powercap driver walks the zones using a recursive\nalgorithm; this approach, even though correct and tested can lead to kernel\nstack overflow when processing a returned hierarchy of zones composed by\nparticularly high trees.\n\nAvoid possible kernel stack overflow by substituting the recursive approach\nwith an iterative one supported by a dynamically allocated stack-like data\nstructure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53428",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't check PageError in __extent_writepage\n\n__extent_writepage currenly sets PageError whenever any error happens,\nand the also checks for PageError to decide if to call error handling.\nThis leads to very unclear responsibility for cleaning up on errors.\nIn the VM and generic writeback helpers the basic idea is that once\nI/O is fired off all error handling responsibility is delegated to the\nend I/O handler.  But if that end I/O handler sets the PageError bit,\nand the submitter checks it, the bit could in some cases leak into the\nsubmission context for fast enough I/O.\n\nFix this by simply not checking PageError and just using the local\nret variable to check for submission errors.  This also fundamentally\nsolves the long problem documented in a comment in __extent_writepage\nby never leaking the error bit into the submission context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53429",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: dma: fix memory leak running mt76_dma_tx_cleanup\n\nFix device unregister memory leak and always cleanup all configured\nrx queues in mt76_dma_tx_cleanup routine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53430",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary component gracefully\n\nThis reverts commit 3fe97ff3d949 (\"scsi: ses: Don't attach if enclosure\nhas no components\") and introduces proper handling of case where there are\nno detected secondary components, but primary component (enumerated in\nnum_enclosures) does exist. That fix was originally proposed by Ding Hui\n<dinghui@sangfor.com.cn>.\n\nCompletely ignoring devices that have one primary enclosure and no\nsecondary one results in ses_intf_add() bailing completely\n\n\tscsi 2:0:0:254: enclosure has no enumerated components\n        scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\n\neven on valid configurations with 1 primary and 0 secondary enclosures as\nbelow:\n\n\t# sg_ses /dev/sg0\n\t  3PARdata  SES               3321\n\tSupported diagnostic pages:\n\t  Supported Diagnostic Pages [sdp] [0x0]\n\t  Configuration (SES) [cf] [0x1]\n\t  Short Enclosure Status (SES) [ses] [0x8]\n\t# sg_ses -p cf /dev/sg0\n\t  3PARdata  SES               3321\n\tConfiguration diagnostic page:\n\t  number of secondary subenclosures: 0\n\t  generation code: 0x0\n\t  enclosure descriptor list\n\t    Subenclosure identifier: 0 [primary]\n\t      relative ES process id: 0, number of ES processes: 1\n\t      number of type descriptor headers: 1\n\t      enclosure logical identifier (hex): 20000002ac02068d\n\t      enclosure vendor: 3PARdata  product: VV                rev: 3321\n\t  type descriptor header and text list\n\t    Element type: Unspecified, subenclosure id: 0\n\t      number of possible elements: 1\n\nThe changelog for the original fix follows\n\n=====\nWe can get a crash when disconnecting the iSCSI session,\nthe call trace like this:\n\n  [ffff00002a00fb70] kfree at ffff00000830e224\n  [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\n  [ffff00002a00fbd0] device_del at ffff0000086b6a98\n  [ffff00002a00fc50] device_unregister at ffff0000086b6d58\n  [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\n  [ffff00002a00fca0] scsi_remove_device at ffff000008706134\n  [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\n  [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\n  [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\n  [ffff00002a00fdb0] process_one_work at ffff00000810f35c\n  [ffff00002a00fe00] worker_thread at ffff00000810f648\n  [ffff00002a00fe70] kthread at ffff000008116e98\n\nIn ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\nbut not saved in edev->component[i].scratch\n\nIn this situation, edev->component[0].scratch is an invalid pointer,\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\nThe call trace also could be other random cases when kfree cannot catch\nthe invalid pointer\n\nWe should not use edev->component[] array when the components count is 0\nWe also need check index when use edev->component[] array in\nses_enclosure_data_process\n=====",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53431",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: net: fix use after free in fwnet_finish_incoming_packet()\n\nThe netif_rx() function frees the skb so we can't dereference it to\nsave the skb->len.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53432",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add vlan_get_protocol_and_depth() helper\n\nBefore blamed commit, pskb_may_pull() was used instead\nof skb_header_pointer() in __vlan_get_protocol() and friends.\n\nFew callers depended on skb->head being populated with MAC header,\nsyzbot caught one of them (skb_mac_gso_segment())\n\nAdd vlan_get_protocol_and_depth() to make the intent clearer\nand use it where sensible.\n\nThis is a more generic fix than commit e9d3f80935b6\n(\"net/af_packet: make sure to pull mac header\") which was\ndealing with a similar issue.\n\nkernel BUG at include/linux/skbuff.h:2655 !\ninvalid opcode: 0000 [#1] SMP KASAN\nCPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nRIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline]\nRIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136\nCode: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41\nRSP: 0018:ffffc90001bd7520 EFLAGS: 00010286\nRAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9\nR10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012\nR13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7\nFS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 0000000116fea000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n[<ffffffff847018dd>] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419\n[<ffffffff8470398a>] skb_gso_segment include/linux/netdevice.h:4819 [inline]\n[<ffffffff8470398a>] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725\n[<ffffffff84707042>] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313\n[<ffffffff851a9ec7>] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029\n[<ffffffff851b4a82>] packet_snd net/packet/af_packet.c:3111 [inline]\n[<ffffffff851b4a82>] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142\n[<ffffffff84669a12>] sock_sendmsg_nosec net/socket.c:716 [inline]\n[<ffffffff84669a12>] sock_sendmsg net/socket.c:736 [inline]\n[<ffffffff84669a12>] __sys_sendto+0x472/0x5f0 net/socket.c:2139\n[<ffffffff84669c75>] __do_sys_sendto net/socket.c:2151 [inline]\n[<ffffffff84669c75>] __se_sys_sendto net/socket.c:2147 [inline]\n[<ffffffff84669c75>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147\n[<ffffffff8551d40f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff8551d40f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80\n[<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53433",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_dsp_rproc: Add custom memory copy implementation for i.MX DSP Cores\n\nThe IRAM is part of the HiFi DSP.\nAccording to hardware specification only 32-bits write are allowed\notherwise we get a Kernel panic.\n\nTherefore add a custom memory copy and memset functions to deal with\nthe above restriction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53434",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncassini: Fix a memory leak in the error handling path of cas_init_one()\n\ncas_saturn_firmware_init() allocates some memory using vmalloc(). This\nmemory is freed in the .remove() function but not in the error handling\npath of the probe.\n\nAdd the missing vfree() to avoid a memory leak, should an error occur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix possible memory leak if device_add() fails\n\nIf device_add() returns error, the name allocated by dev_set_name() needs\nbe freed. As the comment of device_add() says, put_device() should be used\nto give up the reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53436",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Handle cameras with invalid descriptors\n\nIf the source entity does not contain any pads, do not create a link.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53437",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE: Always save CS register on AMD Zen IF Poison errors\n\nThe Instruction Fetch (IF) units on current AMD Zen-based systems do not\nguarantee a synchronous #MC is delivered for poison consumption errors.\nTherefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the\nmicroarchitecture does guarantee that the exception is delivered within\nthe same context. In other words, the exact rIP is not known, but the\ncontext is known to not have changed.\n\nThere is no architecturally-defined method to determine this behavior.\n\nThe Code Segment (CS) register is always valid on such IF unit poison\nerrors regardless of the value of MCG_STATUS[EIPV|RIPV].\n\nAdd a quirk to save the CS register for poison consumption from the IF\nunit banks.\n\nThis is needed to properly determine the context of the error.\nOtherwise, the severity grading function will assume the context is\nIN_KERNEL due to the m->cs value being 0 (the initialized value). This\nleads to unnecessary kernel panics on data poison errors due to the\nkernel believing the poison consumption occurred in kernel context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53438",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb_partial_csum_set() fix against transport header magic value\n\nskb->transport_header uses the special 0xFFFF value\nto mark if the transport header was set or not.\n\nWe must prevent callers to accidentally set skb->transport_header\nto 0xFFFF. Note that only fuzzers can possibly do this today.\n\nsyzbot reported:\n\nWARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 skb_transport_offset include/linux/skbuff.h:2956 [inline]\nWARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103\nModules linked in:\nCPU: 0 PID: 2340 Comm: syz-executor.0 Not tainted 6.3.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nRIP: 0010:skb_transport_header include/linux/skbuff.h:2847 [inline]\nRIP: 0010:skb_transport_offset include/linux/skbuff.h:2956 [inline]\nRIP: 0010:virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103\nCode: 41 39 df 0f 82 c3 04 00 00 48 8b 7c 24 10 44 89 e6 e8 08 6e 59 ff 48 85 c0 74 54 e8 ce 36 7e fc e9 37 f8 ff ff e8 c4 36 7e fc <0f> 0b e9 93 f8 ff ff 44 89 f7 44 89 e6 e8 32 38 7e fc 45 39 e6 0f\nRSP: 0018:ffffc90004497880 EFLAGS: 00010293\nRAX: ffffffff84fea55c RBX: 000000000000ffff RCX: ffff888120be2100\nRDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff\nRBP: ffffc90004497990 R08: ffffffff84fe9de5 R09: 0000000000000034\nR10: ffffea00048ebd80 R11: 0000000000000034 R12: ffff88811dc2d9c8\nR13: dffffc0000000000 R14: ffff88811dc2d9ae R15: 1ffff11023b85b35\nFS: 00007f9211a59700(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200002c0 CR3: 00000001215a5000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\npacket_snd net/packet/af_packet.c:3076 [inline]\npacket_sendmsg+0x4590/0x61a0 net/packet/af_packet.c:3115\nsock_sendmsg_nosec net/socket.c:724 [inline]\nsock_sendmsg net/socket.c:747 [inline]\n__sys_sendto+0x472/0x630 net/socket.c:2144\n__do_sys_sendto net/socket.c:2156 [inline]\n__se_sys_sendto net/socket.c:2152 [inline]\n__x64_sys_sendto+0xe5/0x100 net/socket.c:2152\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f9210c8c169\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f9211a59168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9210dabf80 RCX: 00007f9210c8c169\nRDX: 000000000000ffed RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00007f9210ce7ca1 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffe135d65cf R14: 00007f9211a59300 R15: 0000000000022000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53439",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix sysfs interface lifetime\n\nThe current nilfs2 sysfs support has issues with the timing of creation\nand deletion of sysfs entries, potentially leading to null pointer\ndereferences, use-after-free, and lockdep warnings.\n\nSome of the sysfs attributes for nilfs2 per-filesystem instance refer to\nmetadata file \"cpfile\", \"sufile\", or \"dat\", but\nnilfs_sysfs_create_device_group that creates those attributes is executed\nbefore the inodes for these metadata files are loaded, and\nnilfs_sysfs_delete_device_group which deletes these sysfs entries is\ncalled after releasing their metadata file inodes.\n\nTherefore, access to some of these sysfs attributes may occur outside of\nthe lifetime of these metadata files, resulting in inode NULL pointer\ndereferences or use-after-free.\n\nIn addition, the call to nilfs_sysfs_create_device_group() is made during\nthe locking period of the semaphore \"ns_sem\" of nilfs object, so the\nshrinker call caused by the memory allocation for the sysfs entries, may\nderive lock dependencies \"ns_sem\" -> (shrinker) -> \"locks acquired in\nnilfs_evict_inode()\".\n\nSince nilfs2 may acquire \"ns_sem\" deep in the call stack holding other\nlocks via its error handler __nilfs_error(), this causes lockdep to report\ncircular locking.  This is a false positive and no circular locking\nactually occurs as no inodes exist yet when\nnilfs_sysfs_create_device_group() is called.  Fortunately, the lockdep\nwarnings can be resolved by simply moving the call to\nnilfs_sysfs_create_device_group() out of \"ns_sem\".\n\nThis fixes these sysfs issues by revising where the device's sysfs\ninterface is created/deleted and keeping its lifetime within the lifetime\nof the metadata files above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53440",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: cpumap: Fix memory leak in cpu_map_update_elem\n\nSyzkaller reported a memory leak as follows:\n\nBUG: memory leak\nunreferenced object 0xff110001198ef748 (size 192):\n  comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n  hex dump (first 32 bytes):\n    00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00  ....J...........\n    00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff  ........(.......\n  backtrace:\n    [<ffffffffadd28087>] __cpu_map_entry_alloc+0xf7/0xb00\n    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0\n    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520\n    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720\n    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90\n    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40\n    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nBUG: memory leak\nunreferenced object 0xff110001198ef528 (size 192):\n  comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffffadd281f0>] __cpu_map_entry_alloc+0x260/0xb00\n    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0\n    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520\n    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720\n    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90\n    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40\n    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nBUG: memory leak\nunreferenced object 0xff1100010fd93d68 (size 8):\n  comm \"syz-executor.3\", pid 17672, jiffies 4298118891 (age 9.906s)\n  hex dump (first 8 bytes):\n    00 00 00 00 00 00 00 00                          ........\n  backtrace:\n    [<ffffffffade5db3e>] kvmalloc_node+0x11e/0x170\n    [<ffffffffadd28280>] __cpu_map_entry_alloc+0x2f0/0xb00\n    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0\n    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520\n    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720\n    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90\n    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40\n    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nIn the cpu_map_update_elem flow, when kthread_stop is called before\ncalling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit\nof kthread has been set by kthread_stop, the threadfn of rcpu->kthread\nwill never be executed, and rcpu->refcnt will never be 0, which will\nlead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be\nreleased.\n\nCalling kthread_stop before executing kthread's threadfn will return\n-EINTR. We can complete the release of memory resources in this state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53441",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Block switchdev mode when ADQ is active and vice versa\n\nADQ and switchdev are not supported simultaneously. Enabling both at the\nsame time can result in nullptr dereference.\n\nTo prevent this, check if ADQ is active when changing devlink mode to\nswitchdev mode, and check if switchdev is active when enabling ADQ.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53442",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak\n\nIn arizona_clk32k_enable(), we should use pm_runtime_resume_and_get()\nas pm_runtime_get_sync() will increase the refcnt even when it\nreturns an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53443",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix bulk_move corruption when adding a entry\n\nWhen the resource is the first in the bulk_move range, adding it again\n(thus moving it to the tail) will corrupt the list since the first\npointer is not moved. This eventually lead to null pointer deref in\nttm_lru_bulk_move_del()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53444",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Fix a refcount bug in qrtr_recvmsg()\n\nSyzbot reported a bug as following:\n\nrefcount_t: addition on 0; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25\n...\nCall Trace:\n <TASK>\n __refcount_add include/linux/refcount.h:199 [inline]\n __refcount_inc include/linux/refcount.h:250 [inline]\n refcount_inc include/linux/refcount.h:267 [inline]\n kref_get include/linux/kref.h:45 [inline]\n qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]\n qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]\n qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]\n qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070\n sock_recvmsg_nosec net/socket.c:1017 [inline]\n sock_recvmsg+0xe2/0x160 net/socket.c:1038\n qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688\n process_one_work+0x991/0x15c0 kernel/workqueue.c:2390\n worker_thread+0x669/0x1090 kernel/workqueue.c:2537\n\nIt occurs in the concurrent scenario of qrtr_recvmsg() and\nqrtr_endpoint_unregister() as following:\n\n\tcpu0\t\t\t\t\tcpu1\nqrtr_recvmsg\t\t\t\tqrtr_endpoint_unregister\nqrtr_send_resume_tx\t\t\tqrtr_node_release\nqrtr_node_lookup\t\t\tmutex_lock(&qrtr_node_lock)\nspin_lock_irqsave(&qrtr_nodes_lock, )\trefcount_dec_and_test(&node->ref) [node->ref == 0]\nradix_tree_lookup [node != NULL]\t__qrtr_node_release\nqrtr_node_acquire\t\t\tspin_lock_irqsave(&qrtr_nodes_lock, )\nkref_get(&node->ref) [WARNING]\t\t...\n\t\t\t\t\tmutex_unlock(&qrtr_node_lock)\n\nUse qrtr_node_lock to protect qrtr_node_lookup() implementation, this\nis actually improving the protection of node reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53445",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free\n\nStruct pcie_link_state->downstream is a pointer to the pci_dev of function\n0.  Previously we retained that pointer when removing function 0, and\nsubsequent ASPM policy changes dereferenced it, resulting in a\nuse-after-free warning from KASAN, e.g.:\n\n  # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove\n  # echo powersave > /sys/module/pcie_aspm/parameters/policy\n\n  BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500\n  Call Trace:\n   kasan_report+0xae/0xe0\n   pcie_config_aspm_link+0x42d/0x500\n   pcie_aspm_set_policy+0x8e/0x1a0\n   param_attr_store+0x162/0x2c0\n   module_attr_store+0x3e/0x80\n\nPCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM\nControl value in all functions of multi-function devices.\n\nDisable ASPM and free the pcie_link_state when any child function is\nremoved so we can discard the dangling pcie_link_state->downstream pointer\nand maintain the same ASPM Control configuration for all functions.\n\n[bhelgaas: commit log and comment]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53446",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't reset unchangable mount option in f2fs_remount()\n\nsyzbot reports a bug as below:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN\nRIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942\nCall Trace:\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691\n __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline]\n _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300\n __drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100\n f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116\n f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664\n f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838\n vfs_fallocate+0x54b/0x6b0 fs/open.c:324\n ksys_fallocate fs/open.c:347 [inline]\n __do_sys_fallocate fs/open.c:355 [inline]\n __se_sys_fallocate fs/open.c:353 [inline]\n __x64_sys_fallocate+0xbd/0x100 fs/open.c:353\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is race condition as below:\n- since it tries to remount rw filesystem, so that do_remount won't\ncall sb_prepare_remount_readonly to block fallocate, there may be race\ncondition in between remount and fallocate.\n- in f2fs_remount(), default_options() will reset mount option to default\none, and then update it based on result of parse_options(), so there is\na hole which race condition can happen.\n\nThread A\t\t\tThread B\n- f2fs_fill_super\n - parse_options\n  - clear_opt(READ_EXTENT_CACHE)\n\n- f2fs_remount\n - default_options\n  - set_opt(READ_EXTENT_CACHE)\n\t\t\t\t- f2fs_fallocate\n\t\t\t\t - f2fs_insert_range\n\t\t\t\t  - f2fs_drop_extent_tree\n\t\t\t\t   - __drop_extent_tree\n\t\t\t\t    - __may_extent_tree\n\t\t\t\t     - test_opt(READ_EXTENT_CACHE) return true\n\t\t\t\t    - write_lock(&et->lock) access NULL pointer\n - parse_options\n  - clear_opt(READ_EXTENT_CACHE)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53447",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Removed unneeded release_mem_region\n\nRemove unnecessary release_mem_region from the error path to prevent\nmem region from being released twice, which could avoid resource leak\nor other unexpected issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53448",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: Fix potential memleak in dasd_eckd_init()\n\n`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it\nalso needs to be freed before the error returns, just like the other\ncases in this function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53449",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-5345",
          "summary": "A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation.\n\nIn case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free.\n\nWe recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5345"
        },
        {
          "id": "CVE-2023-53450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: remove a BUG_ON in ext4_mb_release_group_pa()\n\nIf a malicious fuzzer overwrites the ext4 superblock while it is\nmounted such that the s_first_data_block is set to a very large\nnumber, the calculation of the block group can underflow, and trigger\na BUG_ON check.  Change this to be an ext4_warning so that we don't\ncrash the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53450",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix potential NULL pointer dereference\n\nKlocwork tool reported 'cur_dsd' may be dereferenced.  Add fix to validate\npointer before dereferencing the pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53451",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential race condition between napi_init and napi_enable\n\nA race condition can happen if netdev is registered, but NAPI isn't\ninitialized yet, and meanwhile user space starts the netdev that will\nenable NAPI. Then, it hits BUG_ON():\n\n kernel BUG at net/core/dev.c:6423!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 417 Comm: iwd Not tainted 6.2.7-slab-dirty #3 eb0f5a8a9d91\n Hardware name: LENOVO 21DL/LNVNB161216, BIOS JPCN20WW(V1.06) 09/20/2022\n RIP: 0010:napi_enable+0x3f/0x50\n Code: 48 89 c2 48 83 e2 f6 f6 81 89 08 00 00 02 74 0d 48 83 ...\n RSP: 0018:ffffada1414f3548 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffa01425802080 RCX: 0000000000000000\n RDX: 00000000000002ff RSI: ffffada14e50c614 RDI: ffffa01425808dc0\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000001 R11: 0000000000000100 R12: ffffa01425808f58\n R13: 0000000000000000 R14: ffffa01423498940 R15: 0000000000000001\n FS:  00007f5577c0a740(0000) GS:ffffa0169fc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f5577a19972 CR3: 0000000125a7a000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  rtw89_pci_ops_start+0x1c/0x70 [rtw89_pci 6cbc75429515c181cbc386478d5cfb32ffc5a0f8]\n  rtw89_core_start+0xbe/0x160 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]\n  rtw89_ops_start+0x26/0x40 [rtw89_core fe07ecb874820b6d778370d4acb6ef8a37847f22]\n  drv_start+0x42/0x100 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]\n  ieee80211_do_open+0x311/0x7d0 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]\n  ieee80211_open+0x6a/0x90 [mac80211 c07fa22af8c3cf3f7d7ab3884ca990784d72e2d2]\n  __dev_open+0xe0/0x180\n  __dev_change_flags+0x1da/0x250\n  dev_change_flags+0x26/0x70\n  do_setlink+0x37c/0x12c0\n  ? ep_poll_callback+0x246/0x290\n  ? __nla_validate_parse+0x61/0xd00\n  ? __wake_up_common_lock+0x8f/0xd0\n\nTo fix this, follow Jonas' suggestion to switch the order of these\nfunctions and move register netdev to be the last step of PCI probe.\nAlso, correct the error handling of rtw89_core_register_hw().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53452",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: free iio for atombios when driver shutdown\n\nFix below kmemleak when unload radeon driver:\n\nunreferenced object 0xffff9f8608ede200 (size 512):\n  comm \"systemd-udevd\", pid 326, jiffies 4294682822 (age 716.338s)\n  hex dump (first 32 bytes):\n    00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500\n    [<00000000b6883cea>] atom_parse+0x117/0x230 [radeon]\n    [<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon]\n    [<00000000683f672e>] si_init+0x57/0x750 [radeon]\n    [<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon]\n    [<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon]\n    [<00000000b5155064>] drm_dev_register+0xdd/0x1d0\n    [<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon]\n    [<00000000e69ecca3>] pci_device_probe+0xe1/0x160\n    [<0000000019484b76>] really_probe.part.0+0xc1/0x2c0\n    [<000000003f2649da>] __driver_probe_device+0x96/0x130\n    [<00000000231c5bb1>] driver_probe_device+0x24/0xf0\n    [<0000000000a42377>] __driver_attach+0x77/0x190\n    [<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0\n    [<00000000633166d2>] driver_attach+0x1e/0x30\n    [<00000000313b05b8>] bus_add_driver+0x12c/0x1e0\n\niio was allocated in atom_index_iio() called by atom_parse(),\nbut it doesn't got released when the dirver is shutdown.\nFix this kmemleak by free it in radeon_atombios_fini().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53453",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53454",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: drop all currently held locks if deadlock happens\n\nIf vc4_hdmi_reset_link() returns -EDEADLK, it means that a deadlock\nhappened in the locking context. This situation should be addressed by\ndropping all currently held locks and block until the contended lock\nbecomes available. Currently, vc4 is not dealing with the deadlock\nproperly, producing the following output when PROVE_LOCKING is enabled:\n\n[  825.612809] ------------[ cut here ]------------\n[  825.612852] WARNING: CPU: 1 PID: 116 at drivers/gpu/drm/drm_modeset_lock.c:276 drm_modeset_drop_locks+0x60/0x68 [drm]\n[  825.613458] Modules linked in: 8021q mrp garp stp llc\nraspberrypi_cpufreq brcmfmac brcmutil crct10dif_ce hci_uart cfg80211\nbtqca btbcm bluetooth vc4 raspberrypi_hwmon snd_soc_hdmi_codec cec\nclk_raspberrypi ecdh_generic drm_display_helper ecc rfkill\ndrm_dma_helper drm_kms_helper pwm_bcm2835 bcm2835_thermal bcm2835_rng\nrng_core i2c_bcm2835 drm fuse ip_tables x_tables ipv6\n[  825.613735] CPU: 1 PID: 116 Comm: kworker/1:2 Tainted: G        W 6.1.0-rc6-01399-g941aae326315 #3\n[  825.613759] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  825.613777] Workqueue: events output_poll_execute [drm_kms_helper]\n[  825.614038] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  825.614063] pc : drm_modeset_drop_locks+0x60/0x68 [drm]\n[  825.614603] lr : drm_helper_probe_detect+0x120/0x1b4 [drm_kms_helper]\n[  825.614829] sp : ffff800008313bf0\n[  825.614844] x29: ffff800008313bf0 x28: ffffcd7778b8b000 x27: 0000000000000000\n[  825.614883] x26: 0000000000000001 x25: 0000000000000001 x24: ffff677cc35c2758\n[  825.614920] x23: ffffcd7707d01430 x22: ffffcd7707c3edc7 x21: 0000000000000001\n[  825.614958] x20: 0000000000000000 x19: ffff800008313c10 x18: 000000000000b6d3\n[  825.614995] x17: ffffcd777835e214 x16: ffffcd7777cef870 x15: fffff81000000000\n[  825.615033] x14: 0000000000000000 x13: 0000000000000099 x12: 0000000000000002\n[  825.615070] x11: 72917988020af800 x10: 72917988020af800 x9 : 72917988020af800\n[  825.615108] x8 : ffff677cc665e0a8 x7 : d00a8c180000110c x6 : ffffcd77774c0054\n[  825.615145] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\n[  825.615181] x2 : ffff677cc55e1880 x1 : ffffcd7777cef8ec x0 : ffff800008313c10\n[  825.615219] Call trace:\n[  825.615232]  drm_modeset_drop_locks+0x60/0x68 [drm]\n[  825.615773]  drm_helper_probe_detect+0x120/0x1b4 [drm_kms_helper]\n[  825.616003]  output_poll_execute+0xe4/0x224 [drm_kms_helper]\n[  825.616233]  process_one_work+0x2b4/0x618\n[  825.616264]  worker_thread+0x24c/0x464\n[  825.616288]  kthread+0xec/0x110\n[  825.616310]  ret_from_fork+0x10/0x20\n[  825.616335] irq event stamp: 7634\n[  825.616349] hardirqs last  enabled at (7633): [<ffffcd777831ee90>] _raw_spin_unlock_irq+0x3c/0x78\n[  825.616384] hardirqs last disabled at (7634): [<ffffcd7778315a78>] __schedule+0x134/0x9f0\n[  825.616411] softirqs last  enabled at (7630): [<ffffcd7707aacea0>] local_bh_enable+0x4/0x30 [ipv6]\n[  825.617019] softirqs last disabled at (7618): [<ffffcd7707aace70>] local_bh_disable+0x4/0x30 [ipv6]\n[  825.617586] ---[ end trace 0000000000000000 ]---\n\nTherefore, deal with the deadlock as suggested by [1], using the\nfunction drm_modeset_backoff().\n\n[1] https://docs.kernel.org/gpu/drm-kms.html?highlight=kms#kms-locking",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53455",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Add length check when parsing nlattrs\n\nThere are three places that qla4xxx parses nlattrs:\n\n - qla4xxx_set_chap_entry()\n\n - qla4xxx_iface_set_param()\n\n - qla4xxx_sysfs_ddb_set_param()\n\nand each of them directly converts the nlattr to specific pointer of\nstructure without length checking. This could be dangerous as those\nattributes are not validated and a malformed nlattr (e.g., length 0) could\nresult in an OOB read that leaks heap dirty data.\n\nAdd the nla_len check before accessing the nlattr data and return EINVAL if\nthe length check fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53456",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Fix null-ptr-deref Read in txBegin\n\n Syzkaller reported an issue where txBegin may be called\n on a superblock in a read-only mounted filesystem which leads\n to NULL pointer deref. This could be solved by checking if\n the filesystem is read-only before calling txBegin, and returning\n with appropiate error code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53457",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()\n\nWhen the driver calls cx23885_risc_buffer() to prepare the buffer, the\nfunction call dma_alloc_coherent may fail, resulting in a empty buffer\nrisc->cpu. Later when we free the buffer or access the buffer, null ptr\nderef is triggered.\n\nThis bug is similar to the following one:\nhttps://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.\n\nWe believe the bug can be also dynamically triggered from user side.\nSimilarly, we fix this by checking the return value of cx23885_risc_buffer()\nand the value of risc->cpu before buffer free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53458",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: mcp-2221: prevent UAF in delayed work\n\nIf the device is plugged/unplugged without giving time for mcp_init_work()\nto complete, we might kick in the devm free code path and thus have\nunavailable struct mcp_2221 while in delayed work.\n\nCanceling the delayed_work item is enough to solve the issue, because\ncancel_delayed_work_sync will prevent the work item to requeue itself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53459",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix memory leak in rtw_usb_probe()\n\ndrivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()\nwarn: 'hw' from ieee80211_alloc_hw() not released on lines: 811\n\nFix this by modifying return to a goto statement.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53460",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: wait interruptibly for request completions on exit\n\nWHen the ring exits, cleanup is done and the final cancelation and\nwaiting on completions is done by io_ring_exit_work. That function is\ninvoked by kworker, which doesn't take any signals. Because of that, it\ndoesn't really matter if we wait for completions in TASK_INTERRUPTIBLE\nor TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task\ndetection checker!\n\nNormally we expect cancelations and completions to happen rather\nquickly. Some test cases, however, will exit the ring and park the\nowning task stopped (eg via SIGSTOP). If the owning task needs to run\ntask_work to complete requests, then io_ring_exit_work won't make any\nprogress until the task is runnable again. Hence io_ring_exit_work can\ntrigger the hung task detection, which is particularly problematic if\npanic-on-hung-task is enabled.\n\nAs the ring exit doesn't take signals to begin with, have it wait\ninterruptibly rather than uninterruptibly. io_uring has a separate\nstuck-exit warning that triggers independently anyway, so we're not\nreally missing anything by making this switch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53461",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in fill_frame_info()\n\nSyzbot reports the following uninit-value access problem.\n\n=====================================================\nBUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]\nBUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n fill_frame_info net/hsr/hsr_forward.c:601 [inline]\n hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616\n hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4889 [inline]\n netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n xmit_one net/core/dev.c:3544 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560\n __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340\n dev_queue_xmit include/linux/netdevice.h:3082 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:644\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n __sys_sendto+0x781/0xa30 net/socket.c:2176\n __do_sys_sendto net/socket.c:2188 [inline]\n __se_sys_sendto net/socket.c:2184 [inline]\n __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nIt is because VLAN not yet supported in hsr driver. Return error\nwhen protocol is ETH_P_8021Q in fill_frame_info() now to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53462",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Do not reset dql stats on NON_FATAL err\n\nAll ibmvnic resets, make a call to netdev_tx_reset_queue() when\nre-opening the device. netdev_tx_reset_queue() resets the num_queued\nand num_completed byte counters. These stats are used in Byte Queue\nLimit (BQL) algorithms. The difference between these two stats tracks\nthe number of bytes currently sitting on the physical NIC. ibmvnic\nincreases the number of queued bytes though calls to\nnetdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports\nthat it is done transmitting bytes, the ibmvnic device increases the\nnumber of completed bytes through calls to netdev_tx_completed_queue().\nIt is important to note that the driver batches its transmit calls and\nnum_queued is increased every time that an skb is added to the next\nbatch, not necessarily when the batch is sent to VIOS for transmission.\n\nUnlike other reset types, a NON FATAL reset will not flush the sub crq\ntx buffers. Therefore, it is possible for the batched skb array to be\npartially full. So if there is call to netdev_tx_reset_queue() when\nre-opening the device, the value of num_queued (0) would not account\nfor the skb's that are currently batched. Eventually, when the batch\nis sent to VIOS, the call to netdev_tx_completed_queue() would increase\nnum_completed to a value greater than the num_queued. This causes a\nBUG_ON crash:\n\nibmvnic 30000002: Firmware reports error, cause: adapter problem.\nStarting recovery...\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\nibmvnic 30000002: tx error 600\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:27!\nOops: Exception in kernel mode, sig: 5\n[....]\nNIP dql_completed+0x28/0x1c0\nLR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]\nCall Trace:\nibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)\nibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]\n__handle_irq_event_percpu+0x98/0x270\n---[ end trace ]---\n\nTherefore, do not reset the dql stats when performing a NON_FATAL reset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53463",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()\n\nThe validity of sock should be checked before assignment to avoid incorrect\nvalues. Commit 57569c37f0ad (\"scsi: iscsi: iscsi_tcp: Fix null-ptr-deref\nwhile calling getpeername()\") introduced this change which may lead to\ninconsistent values of tcp_sw_conn->sendpage and conn->datadgst_en.\n\nFix the issue by moving the position of the assignment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53464",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: qcom: fix storing port config out-of-bounds\n\nThe 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14),\nhowever we index it starting from 1, not 0, to match real port numbers.\nThis can lead to writing port config past 'pconfig' bounds and\noverwriting next member of 'qcom_swrm_ctrl' struct.  Reported also by\nsmatch:\n\n  drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53465",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit\n\nAlways purge mcu skb queues in mt7915_mcu_exit routine even if\nmt7915_firmware_state fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53466",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential leak in rtw89_append_probe_req_ie()\n\nDo `kfree_skb(new)` before `goto out` to prevent potential leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53467",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in alloc_wbufs()\n\nkmemleak reported a sequence of memory leaks, and show them as following:\n\n  unreferenced object 0xffff8881575f8400 (size 1024):\n    comm \"mount\", pid 19625, jiffies 4297119604 (age 20.383s)\n    hex dump (first 32 bytes):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<ffffffff8176cecd>] __kmalloc+0x4d/0x150\n      [<ffffffffa0406b2b>] ubifs_mount+0x307b/0x7170 [ubifs]\n      [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0\n      [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230\n      [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0\n      [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270\n      [<ffffffff83c14295>] do_syscall_64+0x35/0x80\n      [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  unreferenced object 0xffff8881798a6e00 (size 512):\n    comm \"mount\", pid 19677, jiffies 4297121912 (age 37.816s)\n    hex dump (first 32 bytes):\n      6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n      6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    backtrace:\n      [<ffffffff8176cecd>] __kmalloc+0x4d/0x150\n      [<ffffffffa0418342>] ubifs_wbuf_init+0x52/0x480 [ubifs]\n      [<ffffffffa0406ca5>] ubifs_mount+0x31f5/0x7170 [ubifs]\n      [<ffffffff819fa8fd>] legacy_get_tree+0xed/0x1d0\n      [<ffffffff81936f2d>] vfs_get_tree+0x7d/0x230\n      [<ffffffff819b2bd4>] path_mount+0xdd4/0x17b0\n      [<ffffffff819b37aa>] __x64_sys_mount+0x1fa/0x270\n      [<ffffffff83c14295>] do_syscall_64+0x35/0x80\n      [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe problem is that the ubifs_wbuf_init() returns an error in the\nloop which in the alloc_wbufs(), then the wbuf->buf and wbuf->inodes\nthat were successfully alloced before are not freed.\n\nFix it by adding error hanging path in alloc_wbufs() which frees\nthe memory alloced before when ubifs_wbuf_init() returns an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53468",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: catch failure from devlink_alloc\n\nAdd a check for NULL on the alloc return.  If devlink_alloc() fails and\nwe try to use devlink_priv() on the NULL return, the kernel gets very\nunhappy and panics. With this fix, the driver load will still fail,\nbut at least it won't panic the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53470",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras\n\ngfx9 cp_ecc_error_irq is only enabled when legacy gfx ras is assert.\nSo in gfx_v9_0_hw_fini, interrupt disablement for cp_ecc_error_irq\nshould be executed under such condition, otherwise, an amdgpu_irq_put\ncalltrace will occur.\n\n[ 7283.170322] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]\n[ 7283.170964] RSP: 0018:ffff9a5fc3967d00 EFLAGS: 00010246\n[ 7283.170967] RAX: ffff98d88afd3040 RBX: ffff98d89da20000 RCX: 0000000000000000\n[ 7283.170969] RDX: 0000000000000000 RSI: ffff98d89da2bef8 RDI: ffff98d89da20000\n[ 7283.170971] RBP: ffff98d89da20000 R08: ffff98d89da2ca18 R09: 0000000000000006\n[ 7283.170973] R10: ffffd5764243c008 R11: 0000000000000000 R12: 0000000000001050\n[ 7283.170975] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105\n[ 7283.170978] FS:  0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000\n[ 7283.170981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7283.170983] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0\n[ 7283.170986] Call Trace:\n[ 7283.170988]  <TASK>\n[ 7283.170989]  gfx_v9_0_hw_fini+0x1c/0x6d0 [amdgpu]\n[ 7283.171655]  amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]\n[ 7283.172245]  amdgpu_device_suspend+0x103/0x180 [amdgpu]\n[ 7283.172823]  amdgpu_pmops_freeze+0x21/0x60 [amdgpu]\n[ 7283.173412]  pci_pm_freeze+0x54/0xc0\n[ 7283.173419]  ? __pfx_pci_pm_freeze+0x10/0x10\n[ 7283.173425]  dpm_run_callback+0x98/0x200\n[ 7283.173430]  __device_suspend+0x164/0x5f0\n\nv2: drop gfx11 as it's fixed in a different solution by retiring cp_ecc_irq funcs(Hawking)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53471",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: lpc32xx: Remove handling of PWM channels\n\nBecause LPC32xx PWM controllers have only a single output which is\nregistered as the only PWM device/channel per controller, it is known in\nadvance that pwm->hwpwm value is always 0. On basis of this fact\nsimplify the code by removing operations with pwm->hwpwm, there is no\ncontrols which require channel number as input.\n\nEven though I wasn't aware at the time when I forward ported that patch,\nthis fixes a null pointer dereference as lpc32xx->chip.pwms is NULL\nbefore devm_pwmchip_add() is called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53472",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: improve error handling from ext4_dirhash()\n\nThe ext4_dirhash() will *almost* never fail, especially when the hash\ntree feature was first introduced.  However, with the addition of\nsupport of encrypted, casefolded file names, that function can most\ncertainly fail today.\n\nSo make sure the callers of ext4_dirhash() properly check for\nfailures, and reflect the errors back up to their callers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53473",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/MCE/AMD: Use an u64 for bank_map\n\nThee maximum number of MCA banks is 64 (MAX_NR_BANKS), see\n\n  a0bc32b3cacf (\"x86/mce: Increase maximum number of banks to 64\").\n\nHowever, the bank_map which contains a bitfield of which banks to\ninitialize is of type unsigned int and that overflows when those bit\nnumbers are >= 32, leading to UBSAN complaining correctly:\n\n  UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38\n  shift exponent 32 is too large for 32-bit type 'int'\n\nChange the bank_map to a u64 and use the proper BIT_ULL() macro when\nmodifying bits in there.\n\n  [ bp: Rewrite commit message. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53474",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: tegra: fix sleep in atomic call\n\nWhen we set the dual-role port to Host mode, we observed the following\nsplat:\n[  167.057718] BUG: sleeping function called from invalid context at\ninclude/linux/sched/mm.h:229\n[  167.057872] Workqueue: events tegra_xusb_usb_phy_work\n[  167.057954] Call trace:\n[  167.057962]  dump_backtrace+0x0/0x210\n[  167.057996]  show_stack+0x30/0x50\n[  167.058020]  dump_stack_lvl+0x64/0x84\n[  167.058065]  dump_stack+0x14/0x34\n[  167.058100]  __might_resched+0x144/0x180\n[  167.058140]  __might_sleep+0x64/0xd0\n[  167.058171]  slab_pre_alloc_hook.constprop.0+0xa8/0x110\n[  167.058202]  __kmalloc_track_caller+0x74/0x2b0\n[  167.058233]  kvasprintf+0xa4/0x190\n[  167.058261]  kasprintf+0x58/0x90\n[  167.058285]  tegra_xusb_find_port_node.isra.0+0x58/0xd0\n[  167.058334]  tegra_xusb_find_port+0x38/0xa0\n[  167.058380]  tegra_xusb_padctl_get_usb3_companion+0x38/0xd0\n[  167.058430]  tegra_xhci_id_notify+0x8c/0x1e0\n[  167.058473]  notifier_call_chain+0x88/0x100\n[  167.058506]  atomic_notifier_call_chain+0x44/0x70\n[  167.058537]  tegra_xusb_usb_phy_work+0x60/0xd0\n[  167.058581]  process_one_work+0x1dc/0x4c0\n[  167.058618]  worker_thread+0x54/0x410\n[  167.058650]  kthread+0x188/0x1b0\n[  167.058672]  ret_from_fork+0x10/0x20\n\nThe function tegra_xusb_padctl_get_usb3_companion eventually calls\ntegra_xusb_find_port and this in turn calls kasprintf which might sleep\nand so cannot be called from an atomic context.\n\nFix this by moving the call to tegra_xusb_padctl_get_usb3_companion to\nthe tegra_xhci_id_work function where it is really needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53475",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()\n\nThis condition needs to match the previous \"if (epcp->state == LISTEN) {\"\nexactly to avoid a NULL dereference of either \"listen_ep\" or \"ep\". The\nproblem is that \"epcp\" has been re-assigned so just testing\n\"if (epcp->state == LISTEN) {\" a second time is not sufficient.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Add lwtunnel encap size of all siblings in nexthop calculation\n\nIn function rt6_nlmsg_size(), the length of nexthop is calculated\nby multipling the nexthop length of fib6_info and the number of\nsiblings. However if the fib6_info has no lwtunnel but the siblings\nhave lwtunnels, the nexthop length is less than it should be, and\nit will trigger a warning in inet6_rt_notify() as follows:\n\nWARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130\n......\nCall Trace:\n <TASK>\n fib6_add_rt2node+0x685/0xa30\n fib6_add+0x96/0x1b0\n ip6_route_add+0x50/0xd0\n inet6_rtm_newroute+0x97/0xa0\n rtnetlink_rcv_msg+0x156/0x3d0\n netlink_rcv_skb+0x5a/0x110\n netlink_unicast+0x246/0x350\n netlink_sendmsg+0x250/0x4c0\n sock_sendmsg+0x66/0x70\n ___sys_sendmsg+0x7c/0xd0\n __sys_sendmsg+0x5d/0xb0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThis bug can be reproduced by script:\n\nip -6 addr add 2002::2/64 dev ens2\nip -6 route add 100::/64 via 2002::1 dev ens2 metric 100\n\nfor i in 10 20 30 40 50 60 70;\ndo\n\tip link add link ens2 name ipv_$i type ipvlan\n\tip -6 addr add 2002::$i/64 dev ipv_$i\n\tifconfig ipv_$i up\ndone\n\nfor i in 10 20 30 40 50 60;\ndo\n\tip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1\ndev ipv_$i metric 100\ndone\n\nip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100\n\nThis patch fixes it by adding nexthop_len of every siblings using\nrt6_nh_nlmsg_size().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/synthetic: Fix races on freeing last_cmd\n\nCurrently, the \"last_cmd\" variable can be accessed by multiple processes\nasynchronously when multiple users manipulate synthetic_events node\nat the same time, it could lead to use-after-free or double-free.\n\nThis patch add \"lastcmd_mutex\" to prevent \"last_cmd\" from being accessed\nasynchronously.\n\n================================================================\n\nIt's easy to reproduce in the KASAN environment by running the two\nscripts below in different shells.\n\nscript 1:\n        while :\n        do\n                echo -n -e '\\x88' > /sys/kernel/tracing/synthetic_events\n        done\n\nscript 2:\n        while :\n        do\n                echo -n -e '\\xb0' > /sys/kernel/tracing/synthetic_events\n        done\n\n================================================================\ndouble-free scenario:\n\n    process A                       process B\n-------------------               ---------------\n1.kstrdup last_cmd\n                                  2.free last_cmd\n3.free last_cmd(double-free)\n\n================================================================\nuse-after-free scenario:\n\n    process A                       process B\n-------------------               ---------------\n1.kstrdup last_cmd\n                                  2.free last_cmd\n3.tracing_log_err(use-after-free)\n\n================================================================\n\nAppendix 1. KASAN report double-free:\n\nBUG: KASAN: double-free in kfree+0xdc/0x1d4\nFree of addr ***** by task sh/4879\nCall trace:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x60/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nAllocated by task 4879:\n        ...\n        kstrdup+0x5c/0x98\n        create_or_delete_synth_event+0x6c/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nFreed by task 5464:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x60/0x1e8\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\n================================================================\nAppendix 2. KASAN report use-after-free:\n\nBUG: KASAN: use-after-free in strlen+0x5c/0x7c\nRead of size 1 at addr ***** by task sh/5483\nsh: CPU: 7 PID: 5483 Comm: sh\n        ...\n        __asan_report_load1_noabort+0x34/0x44\n        strlen+0x5c/0x7c\n        tracing_log_err+0x60/0x444\n        create_or_delete_synth_event+0xc4/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nAllocated by task 5483:\n        ...\n        kstrdup+0x5c/0x98\n        create_or_delete_synth_event+0x80/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...\n\nFreed by task 5480:\n        ...\n        kfree+0xdc/0x1d4\n        create_or_delete_synth_event+0x74/0x204\n        trace_parse_run_command+0x2bc/0x4b8\n        synth_events_write+0x20/0x30\n        vfs_write+0x200/0x830\n        ...",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/acpi: Fix a use-after-free in cxl_parse_cfmws()\n\nKASAN and KFENCE detected an user-after-free in the CXL driver. This\nhappens in the cxl_decoder_add() fail path. KASAN prints the following\nerror:\n\n   BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)\n\nThis happens in cxl_parse_cfmws(), where put_device() is called,\nreleasing cxld, which is accessed later.\n\nUse the local variables in the dev_err() instead of pointing to the\nreleased memory. Since the dev_err() is printing a resource, change the open\ncoded print format to use the %pr format specifier.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject: Add sanity check for kset->kobj.ktype in kset_register()\n\nWhen I register a kset in the following way:\n\tstatic struct kset my_kset;\n\tkobject_set_name(&my_kset.kobj, \"my_kset\");\n        ret = kset_register(&my_kset);\n\nA null pointer dereference exception is occurred:\n[ 4453.568337] Unable to handle kernel NULL pointer dereference at \\\nvirtual address 0000000000000028\n... ...\n[ 4453.810361] Call trace:\n[ 4453.813062]  kobject_get_ownership+0xc/0x34\n[ 4453.817493]  kobject_add_internal+0x98/0x274\n[ 4453.822005]  kset_register+0x5c/0xb4\n[ 4453.825820]  my_kobj_init+0x44/0x1000 [my_kset]\n... ...\n\nBecause I didn't initialize my_kset.kobj.ktype.\n\nAccording to the description in Documentation/core-api/kobject.rst:\n - A ktype is the type of object that embeds a kobject.  Every structure\n   that embeds a kobject needs a corresponding ktype.\n\nSo add sanity check to make sure kset->kobj.ktype is not NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53480",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed\n\nFollowing process will trigger an infinite loop in ubi_wl_put_peb():\n\n\tubifs_bgt\t\tubi_bgt\nubifs_leb_unmap\n  ubi_leb_unmap\n    ubi_eba_unmap_leb\n      ubi_wl_put_peb\twear_leveling_worker\n                          e1 = rb_entry(rb_first(&ubi->used)\n\t\t\t  e2 = get_peb_for_wl(ubi)\n\t\t\t  ubi_io_read_vid_hdr  // return err (flash fault)\n\t\t\t  out_error:\n\t\t\t    ubi->move_from = ubi->move_to = NULL\n\t\t\t    wl_entry_destroy(ubi, e1)\n\t\t\t      ubi->lookuptbl[e->pnum] = NULL\n      retry:\n        e = ubi->lookuptbl[pnum];\t// return NULL\n\tif (e == ubi->move_from) {\t// NULL == NULL gets true\n\t  goto retry;\t\t\t// infinite loop !!!\n\n$ top\n  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     COMMAND\n  7676 root     20   0       0      0      0 R 100.0  0.0  ubifs_bgt0_0\n\nFix it by:\n 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has\n    been removed from 'ubi->lookuptbl'.\n 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an\n    use-after-free problem for wl entry in ubi_wl_put_peb().\n\nFetch a reproducer in [Link].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix error unwind in iommu_group_alloc()\n\nIf either iommu_group_grate_file() fails then the\niommu_group is leaked.\n\nDestroy it on these error paths.\n\nFound by kselftest/iommu/iommufd_fail_nth",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53482",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()\n\ndevm_kzalloc() may fail, clk_data->name might be NULL and will\ncause a NULL pointer dereference later.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53483",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: cpu_rmap: Avoid use after free on rmap->obj array entries\n\nWhen calling irq_set_affinity_notifier() with NULL at the notify\nargument, it will cause freeing of the glue pointer in the\ncorresponding array entry but will leave the pointer in the array. A\nsubsequent call to free_irq_cpu_rmap() will try to free this entry again\nleading to possible use after free.\n\nFix that by setting NULL to the array entry and checking that we have\nnon-zero at the array entry when iterating over the array in\nfree_irq_cpu_rmap().\n\nThe current code does not suffer from this since there are no cases\nwhere irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the\nnotify arg) is called, followed by a call to free_irq_cpu_rmap() so we\ndon't hit and issue. Subsequent patches in this series excersize this\nflow, hence the required fix.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6\nindex -84 is out of range for type 's8[341]' (aka 'signed char[341]')\nCPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965\n dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809\n dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350\n dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874\n dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]\n dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863\n jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137\n lookup_open fs/namei.c:3492 [inline]\n open_last_lookups fs/namei.c:3560 [inline]\n path_openat+0x13df/0x3170 fs/namei.c:3788\n do_filp_open+0x234/0x490 fs/namei.c:3818\n do_sys_openat2+0x13f/0x500 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_openat fs/open.c:1388 [inline]\n __se_sys_openat fs/open.c:1383 [inline]\n __x64_sys_openat+0x247/0x290 fs/open.c:1383\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f1f4e33f7e9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9\nRDX: 000000000000275a RSI: 
0000000020000040 RDI: 00000000ffffff9c\nRBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nThe bug occurs when the dbAllocDmapLev()function attempts to access\ndp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative.\n\nTo rectify this, the patch introduces a safeguard within the\ndbAllocDmapLev() function. A check has been added to verify if leafidx is\nnegative. If it is, the function immediately returns an I/O error, preventing\nany further execution that could potentially cause harm.\n\nTested via syzbot.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53485",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Enhance the attribute size check\n\nThis combines the overflow and boundary check so that all attribute size\nwill be properly examined while enumerating them.\n\n[  169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570\n[  169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247\n[  169.184046]\n[  169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3\n[  169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  169.187066] Call Trace:\n[  169.187492]  <TASK>\n[  169.188049]  dump_stack_lvl+0x49/0x63\n[  169.188495]  print_report.cold+0xf5/0x689\n[  169.188964]  ? run_unpack+0x2e3/0x570\n[  169.189331]  kasan_report+0xa7/0x130\n[  169.189714]  ? run_unpack+0x2e3/0x570\n[  169.190079]  __asan_load1+0x51/0x60\n[  169.190634]  run_unpack+0x2e3/0x570\n[  169.191290]  ? run_pack+0x840/0x840\n[  169.191569]  ? run_lookup_entry+0xb3/0x1f0\n[  169.192443]  ? mi_enum_attr+0x20a/0x230\n[  169.192886]  run_unpack_ex+0xad/0x3e0\n[  169.193276]  ? run_unpack+0x570/0x570\n[  169.193557]  ? ni_load_mi+0x80/0x80\n[  169.193889]  ? debug_smp_processor_id+0x17/0x20\n[  169.194236]  ? mi_init+0x4a/0x70\n[  169.194496]  attr_load_runs_vcn+0x166/0x1c0\n[  169.194851]  ? attr_data_write_resident+0x250/0x250\n[  169.195188]  mi_read+0x133/0x2c0\n[  169.195481]  ntfs_iget5+0x277/0x1780\n[  169.196017]  ? call_rcu+0x1c7/0x330\n[  169.196392]  ? ntfs_get_block_bmap+0x70/0x70\n[  169.196708]  ? evict+0x223/0x280\n[  169.197014]  ? __kmalloc+0x33/0x540\n[  169.197305]  ? wnd_init+0x15b/0x1b0\n[  169.197599]  ntfs_fill_super+0x1026/0x1ba0\n[  169.197994]  ? put_ntfs+0x1d0/0x1d0\n[  169.198299]  ? vsprintf+0x20/0x20\n[  169.198583]  ? mutex_unlock+0x81/0xd0\n[  169.198930]  ? set_blocksize+0x95/0x150\n[  169.199269]  get_tree_bdev+0x232/0x370\n[  169.199750]  ? 
put_ntfs+0x1d0/0x1d0\n[  169.200094]  ntfs_fs_get_tree+0x15/0x20\n[  169.200431]  vfs_get_tree+0x4c/0x130\n[  169.200714]  path_mount+0x654/0xfe0\n[  169.201067]  ? putname+0x80/0xa0\n[  169.201358]  ? finish_automount+0x2e0/0x2e0\n[  169.201965]  ? putname+0x80/0xa0\n[  169.202445]  ? kmem_cache_free+0x1c4/0x440\n[  169.203075]  ? putname+0x80/0xa0\n[  169.203414]  do_mount+0xd6/0xf0\n[  169.203719]  ? path_mount+0xfe0/0xfe0\n[  169.203977]  ? __kasan_check_write+0x14/0x20\n[  169.204382]  __x64_sys_mount+0xca/0x110\n[  169.204711]  do_syscall_64+0x3b/0x90\n[  169.205059]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  169.205571] RIP: 0033:0x7f67a80e948a\n[  169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[  169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a\n[  169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0\n[  169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020\n[  169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0\n[  169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff\n[  169.211913]  </TASK>\n[  169.212304]\n[  169.212680] Allocated by task 0:\n[  169.212963] (stack is not available)\n[  169.213200]\n[  169.213472] The buggy address belongs to the object at ffff8880094b5e00\n[  169.213472]  which belongs to the cache UDP of size 1152\n[  169.214095] The buggy address is located 1088 bytes inside of\n[  169.214095]  1152-byte region [ffff8880094b5e00, ffff8880094b6280)\n[  169.214639]\n[  169.215004] The buggy address belongs to the physical page:\n[  169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4\n[  169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0\n[  169.219078] 
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\n[  169.220272] raw: 000fffffc0010200\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53486",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas_flash: allow user copy to flash block cache objects\n\nWith hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the\n/proc/powerpc/rtas/firmware_update interface to prepare a system\nfirmware update yields a BUG():\n\n  kernel BUG at mm/usercopy.c:102!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in:\n  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2\n  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries\n  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000\n  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)\n  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002242  XER: 0000000c\n  CFAR: c0000000001fbd34 IRQMASK: 0\n  [ ... GPRs omitted ... ]\n  NIP usercopy_abort+0xa0/0xb0\n  LR  usercopy_abort+0x9c/0xb0\n  Call Trace:\n    usercopy_abort+0x9c/0xb0 (unreliable)\n    __check_heap_object+0x1b4/0x1d0\n    __check_object_size+0x2d0/0x380\n    rtas_flash_write+0xe4/0x250\n    proc_reg_write+0xfc/0x160\n    vfs_write+0xfc/0x4e0\n    ksys_write+0x90/0x160\n    system_call_exception+0x178/0x320\n    system_call_common+0x160/0x2c4\n\nThe blocks of the firmware image are copied directly from user memory\nto objects allocated from flash_block_cache, so flash_block_cache must\nbe created using kmem_cache_create_usercopy() to mark it safe for user\naccess.\n\n[mpe: Trim and indent oops]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53487",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix possible panic during hotplug remove\n\nDuring hotplug remove it is possible that the update counters work\nmight be pending, and may run after memory has been freed.\nCancel the update counters work before freeing memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53488",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.\n\nsyzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY\nskbs.  We can reproduce the problem with these sequences:\n\n  sk = socket(AF_INET, SOCK_DGRAM, 0)\n  sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)\n  sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)\n  sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53))\n  sk.close()\n\nsendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets\nskb->cb->ubuf.refcnt to 1, and calls sock_hold().  Here, struct\nubuf_info_msgzc indirectly holds a refcnt of the socket.  When the\nskb is sent, __skb_tstamp_tx() clones it and puts the clone into\nthe socket's error queue with the TX timestamp.\n\nWhen the original skb is received locally, skb_copy_ubufs() calls\nskb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt.\nThis additional count is decremented while freeing the skb, but struct\nubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is\nnot called.\n\nThe last refcnt is not released unless we retrieve the TX timestamped\nskb by recvmsg().  Since we clear the error queue in inet_sock_destruct()\nafter the socket's refcnt reaches 0, there is a circular dependency.\nIf we close() the socket holding such skbs, we never call sock_put()\nand leak the count, sk, and skb.\n\nTCP has the same problem, and commit e0c8bccd40fc (\"net: stream:\npurge sk_error_queue in sk_stream_kill_queues()\") tried to fix it\nby calling skb_queue_purge() during close().  However, there is a\nsmall chance that skb queued in a qdisc or device could be put\ninto the error queue after the skb_queue_purge() call.\n\nIn __skb_tstamp_tx(), the cloned skb should not have a reference\nto the ubuf to remove the circular dependency, but skb_clone() does\nnot call skb_copy_ubufs() for zerocopy skb.  
So, we need to call\nskb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88800c6d2d00 (size 1152):\n  comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00  ................\n    02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............\n  backtrace:\n    [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024\n    [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083\n    [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline]\n    [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245\n    [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515\n    [<00000000b9b11231>] sock_create net/socket.c:1566 [inline]\n    [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline]\n    [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline]\n    [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636\n    [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline]\n    [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline]\n    [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647\n    [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80\n    [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nBUG: memory leak\nunreferenced object 0xffff888017633a00 (size 240):\n  comm \"syz-executor392\", pid 264, jiffies 4294785440 (age 13.044s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff  .........-m.....\n  backtrace:\n    [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497\n    [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline]\n    [<00000000143579a6>] 
sock_omalloc+0xaa/0x190 net/core/sock.c:2596\n    [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]\n    [<00000000be626478>]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix disconnect vs accept race\n\nDespite commit 0ad529d9fd2b (\"mptcp: fix possible divide by zero in\nrecvmsg()\"), the mptcp protocol is still prone to a race between\ndisconnect() (or shutdown) and accept.\n\nThe root cause is that the mentioned commit checks the msk-level\nflag, but mptcp_stream_accept() does acquire the msk-level lock,\nas it can rely directly on the first subflow lock.\n\nAs reported by Christoph than can lead to a race where an msk\nsocket is accepted after that mptcp_subflow_queue_clean() releases\nthe listener socket lock and just before it takes destructive\nactions leading to the following splat:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\nPGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330\nCode: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89\nRSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300\nRDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a\nRBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020\nR13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880\nFS:  00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 
DR7: 0000000000000400\nCall Trace:\n <TASK>\n do_accept+0x1ae/0x260 net/socket.c:1872\n __sys_accept4+0x9b/0x110 net/socket.c:1913\n __do_sys_accept4 net/socket.c:1954 [inline]\n __se_sys_accept4 net/socket.c:1951 [inline]\n __x64_sys_accept4+0x20/0x30 net/socket.c:1951\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nAddress the issue by temporary removing the pending request socket\nfrom the accept queue, so that racing accept() can't touch them.\n\nAfter depleting the msk - the ssk still exists, as plain TCP sockets,\nre-insert them into the accept queue, so that later inet_csk_listen_stop()\nwill complete the tcp socket disposal.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53490",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstart_kernel: Add __no_stack_protector function attribute\n\nBack during the discussion of\ncommit a9a3ed1eff36 (\"x86: Fix early boot crash on gcc-10, third try\")\nwe discussed the need for a function attribute to control the omission\nof stack protectors on a per-function basis; at the time Clang had\nsupport for no_stack_protector but GCC did not. This was fixed in\ngcc-11. Now that the function attribute is available, let's start using\nit.\n\nCallers of boot_init_stack_canary need to use this function attribute\nunless they're compiled with -fno-stack-protector, otherwise the canary\nstored in the stack slot of the caller will differ upon the call to\nboot_init_stack_canary. This will lead to a call to __stack_chk_fail()\nthen panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53491",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when looking up chain by id\n\nWhen adding a rule to a chain referring to its ID, if that chain had been\ndeleted on the same batch, the rule might end up referring to a deleted\nchain.\n\nThis will lead to a WARNING like following:\n\n[   33.098431] ------------[ cut here ]------------\n[   33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260\n[   33.099217] Modules linked in:\n[   33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409\n[   33.099726] Workqueue: events nf_tables_trans_destroy_work\n[   33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260\n[   33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7\n[   33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202\n[   33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000\n[   33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[   33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000\n[   33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500\n[   33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10\n[   33.103762] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000\n[   33.104184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0\n[   33.104872] PKRU: 55555554\n[   33.104999] Call Trace:\n[   33.105113]  <TASK>\n[   33.105214]  ? show_regs+0x72/0x90\n[   33.105371]  ? __warn+0xa5/0x210\n[   33.105520]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.105732]  ? report_bug+0x1f2/0x200\n[   33.105902]  ? 
handle_bug+0x46/0x90\n[   33.106546]  ? exc_invalid_op+0x19/0x50\n[   33.106762]  ? asm_exc_invalid_op+0x1b/0x20\n[   33.106995]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.107249]  ? nf_tables_chain_destroy+0x30/0x260\n[   33.107506]  nf_tables_trans_destroy_work+0x669/0x680\n[   33.107782]  ? mark_held_locks+0x28/0xa0\n[   33.107996]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10\n[   33.108294]  ? _raw_spin_unlock_irq+0x28/0x70\n[   33.108538]  process_one_work+0x68c/0xb70\n[   33.108755]  ? lock_acquire+0x17f/0x420\n[   33.108977]  ? __pfx_process_one_work+0x10/0x10\n[   33.109218]  ? do_raw_spin_lock+0x128/0x1d0\n[   33.109435]  ? _raw_spin_lock_irq+0x71/0x80\n[   33.109634]  worker_thread+0x2bd/0x700\n[   33.109817]  ? __pfx_worker_thread+0x10/0x10\n[   33.110254]  kthread+0x18b/0x1d0\n[   33.110410]  ? __pfx_kthread+0x10/0x10\n[   33.110581]  ret_from_fork+0x29/0x50\n[   33.110757]  </TASK>\n[   33.110866] irq event stamp: 1651\n[   33.111017] hardirqs last  enabled at (1659): [<ffffffffa206a209>] __up_console_sem+0x79/0xa0\n[   33.111379] hardirqs last disabled at (1666): [<ffffffffa206a1ee>] __up_console_sem+0x5e/0xa0\n[   33.111740] softirqs last  enabled at (1616): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0\n[   33.112094] softirqs last disabled at (1367): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0\n[   33.112453] ---[ end trace 0000000000000000 ]---\n\nThis is due to the nft_chain_lookup_byid ignoring the genmask. After this\nchange, adding the new rule will fail as it will not find the chain.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53492",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: tighten bounds checking in decode_message()\n\nCopy the bounds checking from encode_message() to decode_message().\n\nThis patch addresses the following concerns.  Ensure that there is\nenough space for at least one header so that we don't have a negative\nsize later.\n\n\tif (msg_hdr_len < sizeof(*trans_hdr))\n\nEnsure that we have enough space to read the next header from the\nmsg->data.\n\n\tif (msg_len > msg_hdr_len - sizeof(*trans_hdr))\n\t\treturn -EINVAL;\n\nCheck that the trans_hdr->len is not below the minimum size:\n\n\tif (hdr_len < sizeof(*trans_hdr))\n\nThis minimum check ensures that we don't corrupt memory in\ndecode_passthrough() when we do.\n\n\tmemcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));\n\nAnd finally, use size_add() to prevent an integer overflow:\n\n\tif (size_add(msg_len, hdr_len) > msg_hdr_len)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53493",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xts - Handle EBUSY correctly\n\nAs it is xts only handles the special return value of EINPROGRESS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of xts may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way.  Otherwise backlogged\nrequests will trigger a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53494",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()\n\nrules is allocated in ethtool_get_rxnfc and the size is determined by\nrule_cnt from user space. So rule_cnt needs to be check before using\nrules to avoid OOB writing or NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53495",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/platform/uv: Use alternate source for socket to node data\n\nThe UV code attempts to build a set of tables to allow it to do\nbidirectional socket<=>node lookups.\n\nBut when nr_cpus is set to a smaller number than actually present, the\ncpu_to_node() mapping information for unused CPUs is not available to\nbuild_socket_tables(). This results in skipping some nodes or sockets\nwhen creating the tables and leaving some -1's for later code to trip.\nover, causing oopses.\n\nThe problem is that the socket<=>node lookups are created by doing a\nloop over all CPUs, then looking up the CPU's APICID and socket. But\nif a CPU is not present, there is no way to start this lookup.\n\nInstead of looping over all CPUs, take CPUs out of the equation\nentirely. Loop over all APICIDs which are mapped to a valid NUMA node.\nThen just extract the socket-id from the APICID.\n\nThis avoid tripping over disabled CPUs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53496",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()\n\nThe vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()\nhandler to check if the .start_streaming() operation has been called,\nand decide whether to just add the buffer to an internal queue, or also\ntrigger a hardware run. vb2_is_streaming() relies on the vb2_queue\nstructure's streaming field, which used to be set only after calling the\n.start_streaming() operation.\n\nCommit a10b21532574 (\"media: vb2: add (un)prepare_streaming queue ops\")\nchanged this, setting the .streaming field in vb2_core_streamon() before\nenqueuing buffers to the driver and calling .start_streaming(). This\nbroke the vsp1 driver which now believes that .start_streaming() has\nbeen called when it hasn't, leading to a crash:\n\n[  881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[  881.067495] Mem abort info:\n[  881.070290]   ESR = 0x0000000096000006\n[  881.074042]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  881.079358]   SET = 0, FnV = 0\n[  881.082414]   EA = 0, S1PTW = 0\n[  881.085558]   FSC = 0x06: level 2 translation fault\n[  881.090439] Data abort info:\n[  881.093320]   ISV = 0, ISS = 0x00000006\n[  881.097157]   CM = 0, WnR = 0\n[  881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000\n[  881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000\n[  881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP\n[  881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem\n[  881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G    B              6.2.0-rc1-00023-g6c94e2e99343 #556\n[  881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n[  881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0\n[  881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0\n[  881.162206] sp : ffff80000c267710\n[  881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98\n[  881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8\n[  881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020\n[  881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000\n[  881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d\n[  881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000\n[  881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001\n[  881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020\n[  881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000\n[  881.237092] Call trace:\n[  881.239542]  vsp1_dl_list_add_body+0xa8/0xe0\n[  881.243822]  vsp1_video_pipeline_run+0x270/0x2a0\n[  881.248449]  vsp1_video_buffer_queue+0x1c0/0x1d0\n[  881.253076]  __enqueue_in_driver+0xbc/0x260\n[  881.257269]  vb2_start_streaming+0x48/0x200\n[  881.261461]  vb2_core_streamon+0x13c/0x280\n[  881.265565]  vb2_streamon+0x3c/0x90\n[  881.269064]  vsp1_video_streamon+0x2fc/0x3e0\n[  881.273344]  v4l_streamon+0x50/0x70\n[  881.276844]  __video_do_ioctl+0x2bc/0x5d0\n[  881.280861]  video_usercopy+0x2a8/0xc80\n[  881.284704]  video_ioctl2+0x20/0x40\n[  881.288201]  v4l2_ioctl+0xa4/0xc0\n[  881.291525]  __arm64_sys_ioctl+0xe8/0x110\n[  881.295543]  invoke_syscall+0x68/0x190\n[  881.299303]  el0_svc_common.constprop.0+0x88/0x170\n[  881.304105]  do_el0_svc+0x4c/0xf0\n[  881.307430]  el0_svc+0x4c/0xa0\n[  881.310494]  el0t_64_sync_handler+0xbc/0x140\n[  881.314773]  el0t_64_sync+0x190/0x194\n[  881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)\n[  881.324551] ---[ end trace 0000000000000000 ]---\n[  881.329173] note: yavta[1271] exited with preempt_count 1\n\nA different r\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53497",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null dereference\n\nThe adev->dm.dc pointer can be NULL and dereferenced in amdgpu_dm_fini()\nwithout checking.\n\nAdd a NULL pointer check before calling dc_dmub_srv_destroy().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53498",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix error unwinding of XDP initialization\n\nWhen initializing XDP in virtnet_open(), some rq xdp initialization\nmay hit an error causing net device open to fail. However, previous\nrqs have already initialized XDP and enabled NAPI, which is not the\nexpected behavior. We need to roll back the previous rq initialization\nto avoid leaks in error unwinding of init code.\n\nAlso extract helper functions of disable and enable queue pairs.\nUse the newly introduced disable helper function in error unwinding and\nvirtnet_close. Use the enable helper function in virtnet_open.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53499",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix slab-use-after-free in decode_session6\n\nWhen the xfrm device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when the xfrm device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff8881111458ef by task swapper/3/0\nCPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nxfrmi_xmit+0x173/0x1ca0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n</IRQ>\n<TASK>\nasm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:intel_idle_hlt+0x23/0x30\nCode: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4\nRSP: 0018:ffffc90000197d78 EFLAGS: 00000246\nRAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5\nRDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50\nRBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d\nR10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001\nR13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000\ncpuidle_enter_state+0xd3/0x6f0\ncpuidle_enter+0x4e/0xa0\ndo_idle+0x2fe/0x3c0\ncpu_startup_entry+0x18/0x20\nstart_secondary+0x200/0x290\nsecondary_startup_64_no_verify+0x167/0x16b\n</TASK>\nAllocated by task 939:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\ninet6_ifa_notify+0x118/0x230\n__ipv6_ifa_notify+0x177/0xbe0\naddrconf_dad_completed+0x133/0xe00\naddrconf_dad_work+0x764/0x1390\nprocess_one_work+0xa32/0x16f0\nworker_thread+0x67d/0x10c0\nkthread+0x344/0x440\nret_from_fork+0x1f/0x30\nThe buggy address belongs to the object at ffff888111145800\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 239 bytes inside of\nfreed 640-byte region [ffff888111145800, ffff888111145a80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)->nhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53500",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind\n\nWhen unbinding pasid - a race condition exists vs outstanding page faults.\n\nTo prevent this, the pasid_state object contains a refcount.\n    * set to 1 on pasid bind\n    * incremented on each ppr notification start\n    * decremented on each ppr notification done\n    * decremented on pasid unbind\n\nSince refcount_dec assumes that refcount will never reach 0:\n  the current implementation causes the following to be invoked on\n  pasid unbind:\n        REFCOUNT_WARN(\"decrement hit 0; leaking memory\")\n\nFix this issue by changing refcount_dec to refcount_dec_and_test\nto explicitly handle refcount=1.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53501",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: allow ext4_get_group_info() to fail\n\nPreviously, ext4_get_group_info() would treat an invalid group number\nas BUG(), since in theory it should never happen.  However, if a\nmalicious attacker (or fuzzer) modifies the superblock via the block\ndevice while the file system is mounted, it is possible for\ns_first_data_block to get set to a very large number.  In that case,\nwhen calculating the block group of some block number (such as the\nstarting block of a preallocation region), this could result in an\nunderflow and a very large block group number.  Then the BUG_ON check in\next4_get_group_info() would fire, resulting in a denial of service\nattack that can be triggered by root or someone with write access to\nthe block device.\n\nFrom a quality of implementation perspective, it's best that even if\nthe system administrator does something that they shouldn't, it\nwill not trigger a BUG.  So instead of BUG'ing, ext4_get_group_info()\nwill call ext4_error and return NULL.  We also add fallback code in\nall of the callers of ext4_get_group_info() for the case that it might return NULL.\n\nAlso, since ext4_get_group_info() was already borderline to be an\ninline function, un-inline it.  This results in a net reduction of the\ncompiled text size of ext4 by roughly 2k.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53503",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF\n\nib_dealloc_device() should be called only after device cleanup.  Fix the\ndealloc sequence.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53504",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: tegra124-emc: Fix potential memory leak\n\nThe tegra and tegra need to be freed in the error handling path, otherwise\nthey will be leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53505",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Do not bother merging very long extents\n\nWhen merging very long extents we try to push as much length as possible\nto the first extent. However this is unnecessarily complicated and not\nreally worth the trouble. Furthermore there was a bug in the logic\nresulting in corrupting extents in the file as syzbot reproducer shows.\nSo just don't bother with the merging of extents that are too long\ntogether.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53506",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Unregister devlink params in case interface is down\n\nCurrently, in case an interface is down, mlx5 driver doesn't\nunregister its devlink params, which leads to this WARN[1].\nFix it by unregistering devlink params in that case as well.\n\n[1]\n[  295.244769 ] WARNING: CPU: 15 PID: 1 at net/core/devlink.c:9042 devlink_free+0x174/0x1fc\n[  295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S         OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61\n[  295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun  6 2023\n[  295.543096 ] pc : devlink_free+0x174/0x1fc\n[  295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[  295.561816 ] sp : ffff80000809b850\n[  295.711155 ] Call trace:\n[  295.716030 ]  devlink_free+0x174/0x1fc\n[  295.723346 ]  mlx5_devlink_free+0x18/0x2c [mlx5_core]\n[  295.733351 ]  mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core]\n[  295.743534 ]  auxiliary_bus_remove+0x2c/0x50\n[  295.751893 ]  __device_release_driver+0x19c/0x280\n[  295.761120 ]  device_release_driver+0x34/0x50\n[  295.769649 ]  bus_remove_device+0xdc/0x170\n[  295.777656 ]  device_del+0x17c/0x3a4\n[  295.784620 ]  mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core]\n[  295.794800 ]  mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core]\n[  295.806375 ]  mlx5_unload+0x34/0xd0 [mlx5_core]\n[  295.815339 ]  mlx5_unload_one+0x70/0xe4 [mlx5_core]\n[  295.824998 ]  shutdown+0xb0/0xd8 [mlx5_core]\n[  295.833439 ]  pci_device_shutdown+0x3c/0xa0\n[  295.841651 ]  device_shutdown+0x170/0x340\n[  295.849486 ]  __do_sys_reboot+0x1f4/0x2a0\n[  295.857322 ]  __arm64_sys_reboot+0x2c/0x40\n[  295.865329 ]  invoke_syscall+0x78/0x100\n[  295.872817 ]  el0_svc_common.constprop.0+0x54/0x184\n[  295.882392 ]  do_el0_svc+0x30/0xac\n[  295.889008 ]  el0_svc+0x48/0x160\n[  295.895278 ]  el0t_64_sync_handler+0xa4/0x130\n[  295.903807 ]  el0t_64_sync+0x1a4/0x1a8\n[  295.911120 ] ---[ end trace 4f1d2381d00d9dce  ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53507",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fail to start device if queue setup is interrupted\n\nIn ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is\ninterrupted by a signal, queues aren't set up successfully yet, so we\nhave to fail UBLK_CMD_START_DEV, otherwise a kernel oops can be triggered.\n\nReported by German when working on qemu-storage-daemon which requires a\nsingle thread ublk daemon.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53508",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: allow sleep in qed_mcp_trace_dump()\n\nBy default, qed_mcp_cmd_and_union() delays 10us at a time in a loop\nthat can run 500K times, so calls to qed_mcp_nvm_rd_cmd()\nmay block the current thread for over 5s.\nWe observed thread scheduling delays over 700ms in production,\nwith stacktraces pointing to this code as the culprit.\n\nqed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.\nIt already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().\nAdd a \"can sleep\" parameter to qed_find_nvram_image() and\nqed_nvram_read() so they can sleep during qed_mcp_trace_dump().\nqed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),\ncalled only by qed_mcp_trace_dump(), allow these functions to sleep.\nI can't tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,\nso keep b_can_sleep set to false when it calls these functions.\n\nAn example stacktrace from a custom warning we added to the kernel\nshowing a thread that has not scheduled despite long needing resched:\n[ 2745.362925,17] ------------[ cut here ]------------\n[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()\n[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99\n[ 2745.362956,17] Modules linked in: ...\n[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P           O    4.4.182+ #202104120910+6d1da174272d.61x\n[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020\n[ 2745.363346,17]  0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20\n[ 2745.363358,17]  ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000\n[ 2745.363369,17]  0000000000000063 0000000000000174 0000000000000074 0000000000000000\n[ 2745.363379,17] Call Trace:\n[ 2745.363382,17]  <IRQ>  [<ffffffff8131eb2f>] dump_stack+0x8e/0xcf\n[ 2745.363393,17]  [<ffffffff81072ac2>] warn_slowpath_common+0x82/0xc0\n[ 2745.363398,17]  [<ffffffff81072b4c>] warn_slowpath_fmt+0x4c/0x50\n[ 2745.363404,17]  [<ffffffff810d5a8e>] ? rcu_irq_exit+0xae/0xc0\n[ 2745.363408,17]  [<ffffffff817c99fe>] do_IRQ+0x15e/0x1a0\n[ 2745.363413,17]  [<ffffffff817c7ac9>] common_interrupt+0x89/0x89\n[ 2745.363416,17]  <EOI>  [<ffffffff8132aa74>] ? delay_tsc+0x24/0x50\n[ 2745.363425,17]  [<ffffffff8132aa04>] __udelay+0x34/0x40\n[ 2745.363457,17]  [<ffffffffa04d45ff>] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]\n[ 2745.363473,17]  [<ffffffffa04d5ced>] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]\n[ 2745.363490,17]  [<ffffffffa04e1dc7>] qed_mcp_trace_dump+0x4a7/0x630 [qed]\n[ 2745.363504,17]  [<ffffffffa04e2556>] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]\n[ 2745.363520,17]  [<ffffffffa04e4ea7>] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]\n[ 2745.363536,17]  [<ffffffffa04ea881>] qed_dbg_feature_size+0x61/0xa0 [qed]\n[ 2745.363551,17]  [<ffffffffa04eb427>] qed_dbg_all_data_size+0x247/0x260 [qed]\n[ 2745.363560,17]  [<ffffffffa0482c10>] qede_get_regs_len+0x30/0x40 [qede]\n[ 2745.363566,17]  [<ffffffff816c9783>] ethtool_get_drvinfo+0xe3/0x190\n[ 2745.363570,17]  [<ffffffff816cc152>] dev_ethtool+0x1362/0x2140\n[ 2745.363575,17]  [<ffffffff8109bcc6>] ? finish_task_switch+0x76/0x260\n[ 2745.363580,17]  [<ffffffff817c2116>] ? __schedule+0x3c6/0x9d0\n[ 2745.363585,17]  [<ffffffff810dbd50>] ? hrtimer_start_range_ns+0x1d0/0x370\n[ 2745.363589,17]  [<ffffffff816c1e5b>] ? dev_get_by_name_rcu+0x6b/0x90\n[ 2745.363594,17]  [<ffffffff816de6a8>] dev_ioctl+0xe8/0x710\n[ 2745.363599,17]  [<ffffffff816a58a8>] sock_do_ioctl+0x48/0x60\n[ 2745.363603,17]  [<ffffffff816a5d87>] sock_ioctl+0x1c7/0x280\n[ 2745.363608,17]  [<ffffffff8111f393>] ? seccomp_phase1+0x83/0x220\n[ 2745.363612,17]  [<ffffffff811e3503>] do_vfs_ioctl+0x2b3/0x4e0\n[ 2745.363616,17]  [<ffffffff811e3771>] SyS_ioctl+0x41/0x70\n[ 2745.363619,17]  [<ffffffff817c6ffe>] entry_SYSCALL_64_fastpath+0x1e/0x79\n[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53509",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix handling of lrbp->cmd\n\nufshcd_queuecommand() may be called two times in a row for a SCSI command\nbefore it is completed. Hence make the following changes:\n\n - In the functions that submit a command, do not check the old value of\n   lrbp->cmd nor clear lrbp->cmd in error paths.\n\n - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.\n\nSee also scsi_send_eh_cmnd().\n\nThis commit prevents that the following appears if a command times out:\n\nWARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8\nCall trace:\n ufshcd_queuecommand+0x6f8/0x9a8\n scsi_send_eh_cmnd+0x2c0/0x960\n scsi_eh_test_devices+0x100/0x314\n scsi_eh_ready_devs+0xd90/0x114c\n scsi_error_handler+0x2b4/0xb70\n kthread+0x16c/0x1e0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53510",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix fget leak when fs don't support nowait buffered read\n\nHeming reported a BUG when using io_uring doing link-cp on ocfs2. [1]\n\nThe following steps can reproduce this BUG:\nmount -t ocfs2 /dev/vdc /mnt/ocfs2\ncp testfile /mnt/ocfs2/\n./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1\numount /mnt/ocfs2\n\nThen umount will fail, and it outputs:\numount: /mnt/ocfs2: target is busy.\n\nWhile tracing umount, it blames mnt_get_count() not returning as expected.\nAfter a deep investigation of fget()/fput() on the related code flow, I've\nfinally found that fget() leaks since ocfs2 doesn't support nowait\nbuffered read.\n\nio_issue_sqe\n|-io_assign_file  // do fget() first\n  |-io_read\n  |-io_iter_do_read\n    |-ocfs2_file_read_iter  // return -EOPNOTSUPP\n  |-kiocb_done\n    |-io_rw_done\n      |-__io_complete_rw_common  // set REQ_F_REISSUE\n    |-io_resubmit_prep\n      |-io_req_prep_async  // override req->file, leak happens\n\nThis was introduced by commit a196c78b5443 in v5.18. Fix it by not\nre-assigning req->file if it has already been assigned.\n\n[1] https://lore.kernel.org/ocfs2-devel/ab580a75-91c8-d68a-3455-40361be1bfa8@linux.alibaba.com/T/#t",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53511",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix a memory leak\n\nAdd a forgotten kfree().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53512",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix incomplete validation of ioctl arg\n\nWe tested and found an alarm caused by nbd_ioctl arg without verification.\nThe UBSAN warning calltrace is like below:\n\nUBSAN: Undefined behaviour in fs/buffer.c:1709:35\nsigned integer overflow:\n-9223372036854775808 - 1 cannot be represented in type 'long long int'\nCPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78\n show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x170/0x1dc lib/dump_stack.c:118\n ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161\n handle_overflow+0x188/0x1dc lib/ubsan.c:192\n __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206\n __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709\n block_write_full_page+0x1f0/0x280 fs/buffer.c:2934\n blkdev_writepage+0x34/0x40 fs/block_dev.c:607\n __writepage+0x68/0xe8 mm/page-writeback.c:2305\n write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240\n generic_writepages+0xdc/0x148 mm/page-writeback.c:2329\n blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114\n do_writepages+0xd4/0x250 mm/page-writeback.c:2344\n\nThe reason for triggering this warning is that __block_write_full_page()\n-> i_size_read(inode) - 1 overflows.\ninode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize.\nWe think it is necessary to limit the size of arg to prevent errors.\n\nMoreover, in __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int.\nAssuming the value of arg is 0x80000000000000001 (on a 64-bit machine),\nit will become 1 after the coercion, which will return unexpected results.\n\nFix it by adding checks to prevent passing in too large numbers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53513",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix memory leak of device names\n\nThe device names allocated by dev_set_name() need to be freed\nbefore module unloading, but they can not be freed because\nthe kobject's refcount which was set in device_initialize()\nhas not been decreased to 0.\n\nAs the comment of device_add() says, if it fails, use only\nput_device() to drop the refcount, then the name will be\nfreed in kobject_cleanup().\n\ndevice_del() and put_device() can be replaced with\ndevice_unregister(), so call it to unregister the successfully\nadded devices, and just call put_device() on the device that\nwas not added.\n\nAdd a release() function to device to avoid the null release()\nfunction WARNING in device_release(); it's empty, because\nthe context devices are freed together in\nhost1x_memory_context_list_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53514",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-mmio: don't break lifecycle of vm_dev\n\nvm_dev has a separate lifecycle because it has a 'struct device'\nembedded. Thus, having a release callback for it is correct.\n\nAllocating the vm_dev struct with devres totally breaks this protection,\nthough. Instead of waiting for the vm_dev release callback, the memory\nis freed when the platform_device is removed. Resulting in a\nuse-after-free when finally the callback is to be called.\n\nTo easily see the problem, compile the kernel with\nCONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.\n\nThe fix is easy, don't use devres in this case.\n\nFound during my research about object lifetime problems.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53515",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF\n\nThe previous commit 954d1fa1ac93 (\"macvlan: Add netlink attribute for\nbroadcast cutoff\") added one additional attribute named\nIFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.\n\nHowever, it forgot to describe the nla_policy at macvlan_policy\n(drivers/net/macvlan.c). Hence, this supposed NLA_S32 (4 bytes) integer\ncan be faked as empty (0 bytes) by a malicious user, which could lead\nto OOB in heap just like CVE-2023-3773.\n\nTo fix it, this commit just completes the nla_policy description for\nIFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the\npotential OOB read.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53516",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: do not update mtu if msg_max is too small in mtu negotiation\n\nWhen doing link mtu negotiation, a malicious peer may send Activate msg\nwith a very small mtu, e.g. 4 in Shuang's testing, without checking for\nthe minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then\nn->links[bearer_id].mtu is set to 4294967228, which is an overflow of\n'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().\n\nWith tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:\n\n tipc: Too large msg, purging xmit list 1 5 0 40 4!\n tipc: Too large msg, purging xmit list 1 15 0 60 4!\n\nAnd with tipc_link_entry.mtu 4294967228, a huge skb was allocated in\nnamed_distribute(), and when purging it in tipc_link_xmit(), a crash\nwas even caused:\n\n  general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19\n  RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0\n  Call Trace:\n   <IRQ>\n   skb_release_data+0xf9/0x1d0\n   kfree_skb_reason+0x40/0x100\n   tipc_link_xmit+0x57a/0x740 [tipc]\n   tipc_node_xmit+0x16c/0x5c0 [tipc]\n   tipc_named_node_up+0x27f/0x2c0 [tipc]\n   tipc_node_write_unlock+0x149/0x170 [tipc]\n   tipc_rcv+0x608/0x740 [tipc]\n   tipc_udp_recv+0xdc/0x1f0 [tipc]\n   udp_queue_rcv_one_skb+0x33e/0x620\n   udp_unicast_rcv_skb.isra.72+0x75/0x90\n   __udp4_lib_rcv+0x56d/0xc20\n   ip_protocol_deliver_rcu+0x100/0x2d0\n\nThis patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),\nand not updating mtu if it is too small.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53517",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Fix leak in devfreq_dev_release()\n\nsrcu_init_notifier_head() allocates resources that need to be released\nwith a srcu_cleanup_notifier_head() call.\n\nReported by kmemleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53518",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: add lock to protect parameter num_rdy\n\nGetting below error when using KCSAN to check the driver. Adding lock to\nprotect parameter num_rdy when getting the value with function:\nv4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready.\n\nkworker/u16:3: [name:report&]BUG: KCSAN: data-race in v4l2_m2m_buf_queue\nkworker/u16:3: [name:report&]\n\nkworker/u16:3: [name:report&]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7:\nkworker/u16:3:\u00a0 v4l2_m2m_buf_queue+0xd8/0x10c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53519",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix hci_suspend_sync crash\n\nIf hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier\nmay still be accessing it, it can cause the program to crash.\nHere's the call trace:\n  <4>[102152.653246] Call Trace:\n  <4>[102152.653254]  hci_suspend_sync+0x109/0x301 [bluetooth]\n  <4>[102152.653259]  hci_suspend_dev+0x78/0xcd [bluetooth]\n  <4>[102152.653263]  hci_suspend_notifier+0x42/0x7a [bluetooth]\n  <4>[102152.653268]  notifier_call_chain+0x43/0x6b\n  <4>[102152.653271]  __blocking_notifier_call_chain+0x48/0x69\n  <4>[102152.653273]  __pm_notifier_call_chain+0x22/0x39\n  <4>[102152.653276]  pm_suspend+0x287/0x57c\n  <4>[102152.653278]  state_store+0xae/0xe5\n  <4>[102152.653281]  kernfs_fop_write+0x109/0x173\n  <4>[102152.653284]  __vfs_write+0x16f/0x1a2\n  <4>[102152.653287]  ? selinux_file_permission+0xca/0x16f\n  <4>[102152.653289]  ? security_file_permission+0x36/0x109\n  <4>[102152.653291]  vfs_write+0x114/0x21d\n  <4>[102152.653293]  __x64_sys_write+0x7b/0xdb\n  <4>[102152.653296]  do_syscall_64+0x59/0x194\n  <4>[102152.653299]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1\n\nThis patch holds the reference count of the hci_dev object while\nprocessing it in hci_suspend_notifier to avoid potential crash\ncaused by the race condition.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53520",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix slab-out-of-bounds in ses_intf_remove()\n\nA fix for:\n\nBUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]\nRead of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013\n\nWhen edev->components is zero, accessing edev->component[0] members is\nwrong.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53521",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup,freezer: hold cpu_hotplug_lock before freezer_mutex\n\nsyzbot is reporting circular locking dependency between cpu_hotplug_lock\nand freezer_mutex, for commit f5d39b020809 (\"freezer,sched: Rewrite core\nfreezer logic\") replaced atomic_inc() in freezer_apply_state() with\nstatic_branch_inc() which holds cpu_hotplug_lock.\n\ncpu_hotplug_lock => cgroup_threadgroup_rwsem => freezer_mutex\n\n  cgroup_file_write() {\n    cgroup_procs_write() {\n      __cgroup_procs_write() {\n        cgroup_procs_write_start() {\n          cgroup_attach_lock() {\n            cpus_read_lock() {\n              percpu_down_read(&cpu_hotplug_lock);\n            }\n            percpu_down_write(&cgroup_threadgroup_rwsem);\n          }\n        }\n        cgroup_attach_task() {\n          cgroup_migrate() {\n            cgroup_migrate_execute() {\n              freezer_attach() {\n                mutex_lock(&freezer_mutex);\n                (...snipped...)\n              }\n            }\n          }\n        }\n        (...snipped...)\n      }\n    }\n  }\n\nfreezer_mutex => cpu_hotplug_lock\n\n  cgroup_file_write() {\n    freezer_write() {\n      freezer_change_state() {\n        mutex_lock(&freezer_mutex);\n        freezer_apply_state() {\n          static_branch_inc(&freezer_active) {\n            static_key_slow_inc() {\n              cpus_read_lock();\n              static_key_slow_inc_cpuslocked();\n              cpus_read_unlock();\n            }\n          }\n        }\n        mutex_unlock(&freezer_mutex);\n      }\n    }\n  }\n\nSwap locking order by moving cpus_read_lock() in freezer_apply_state()\nto before mutex_lock(&freezer_mutex) in freezer_change_state().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53522",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: fix time stamp counter initialization\n\nIf the gs_usb device driver is unloaded (or unbound) before the\ninterface is shut down, the USB stack first calls the struct\nusb_driver::disconnect and then the struct net_device_ops::ndo_stop\ncallback.\n\nIn gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more\nRX'ed CAN frames are send from the USB device to the host. Later in\ngs_can_close() a reset control message is send to each CAN channel to\nremove the controller from the CAN bus. In this race window the USB\ndevice can still receive CAN frames from the bus and internally queue\nthem to be send to the host.\n\nAt least in the current version of the candlelight firmware, the queue\nof received CAN frames is not emptied during the reset command. After\nloading (or binding) the gs_usb driver, new URBs are submitted during\nthe struct net_device_ops::ndo_open callback and the candlelight\nfirmware starts sending its already queued CAN frames to the host.\n\nHowever, this scenario was not considered when implementing the\nhardware timestamp function. The cycle counter/time counter\ninfrastructure is set up (gs_usb_timestamp_init()) after the USBs are\nsubmitted, resulting in a NULL pointer dereference if\ntimecounter_cyc2time() (via the call chain:\ngs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() ->\ngs_usb_skb_set_timestamp()) is called too early.\n\nMove the gs_usb_timestamp_init() function before the URBs are\nsubmitted to fix this problem.\n\nFor a comprehensive solution, we need to consider gs_usb devices with\nmore than 1 channel. The cycle counter/time counter infrastructure is\nsetup per channel, but the RX URBs are per device. Once gs_can_open()\nof _a_ channel has been called, and URBs have been submitted, the\ngs_usb_receive_bulk_callback() can be called for _all_ available\nchannels, even for channels that are not running, yet. As cycle\ncounter/time counter has not set up, this will again lead to a NULL\npointer dereference.\n\nConvert the cycle counter/time counter from a \"per channel\" to a \"per\ndevice\" functionality. Also set it up, before submitting any URBs to\nthe device.\n\nFurther in gs_usb_receive_bulk_callback(), don't process any URBs for\nnot started CAN channels, only resubmit the URB.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53523",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf\n\nAn integer overflow occurs in the iwl_write_to_user_buf() function,\nwhich is called by the iwl_dbgfs_monitor_data_read() function.\n\nstatic bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,\n\t\t\t\t  void *buf, ssize_t *size,\n\t\t\t\t  ssize_t *bytes_copied)\n{\n\tint buf_size_left = count - *bytes_copied;\n\n\tbuf_size_left = buf_size_left - (buf_size_left % sizeof(u32));\n\tif (*size > buf_size_left)\n\t\t*size = buf_size_left;\n\nIf the user passes a SIZE_MAX value to the \"ssize_t count\" parameter,\nthe ssize_t count parameter is assigned to \"int buf_size_left\".\nThen compare \"*size\" with \"buf_size_left\" . Here, \"buf_size_left\" is a\nnegative number, so \"*size\" is assigned \"buf_size_left\" and goes into\nthe third argument of the copy_to_user function, causing a heap overflow.\n\nThis is not a security vulnerability because iwl_dbgfs_monitor_data_read()\nis a debugfs operation with 0400 privileges.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53524",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Allow UD qp_type to join multicast only\n\nAs for multicast:\n- The SIDR is the only mode that makes sense;\n- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is\n  UD compatible. In this case qkey also needs to be set [1].\n\nThis patch allows only UD qp_type to join multicast, and set qkey to\ndefault if it's not set, to fix an uninit-value error: the ib->rec.qkey\nfield is accessed without being initialized.\n\n=====================================================\nBUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]\nBUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570\n cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]\n cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570\n cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]\n rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814\n ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479\n ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546\n ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732\n vfs_write+0x8ce/0x2030 fs/read_write.c:588\n ksys_write+0x28c/0x520 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __ia32_sys_write+0xdb/0x120 fs/read_write.c:652\n do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]\n __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180\n do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205\n do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248\n entry_SYSENTER_compat_after_hwframe+0x4d/0x5c\n\nLocal variable ib.i created at:\ncma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]\nrdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814\nucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479\n\nCPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n=====================================================\n\n[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53525",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: check 'jh->b_transaction' before removing it from checkpoint\n\nFollowing process will corrupt ext4 image:\nStep 1:\njbd2_journal_commit_transaction\n __jbd2_journal_insert_checkpoint(jh, commit_transaction)\n // Put jh into trans1->t_checkpoint_list\n journal->j_checkpoint_transactions = commit_transaction\n // Put trans1 into journal->j_checkpoint_transactions\n\nStep 2:\ndo_get_write_access\n test_clear_buffer_dirty(bh) // clear buffer dirty\uff0cset jbd dirty\n __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2\n\nStep 3:\ndrop_cache\n journal_shrink_one_cp_list\n  jbd2_journal_try_remove_checkpoint\n   if (!trylock_buffer(bh))  // lock bh, true\n   if (buffer_dirty(bh))     // buffer is not dirty\n   __jbd2_journal_remove_checkpoint(jh)\n   // remove jh from trans1->t_checkpoint_list\n\nStep 4:\njbd2_log_do_checkpoint\n trans1 = journal->j_checkpoint_transactions\n // jh is not in trans1->t_checkpoint_list\n jbd2_cleanup_journal_tail(journal)  // trans1 is done\n\nStep 5: Power cut, trans2 is not committed, jh is lost in next mounting.\n\nFix it by checking 'jh->b_transaction' before remove it from checkpoint.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53526",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request()\n\nThe memory allocated in tb_queue_dp_bandwidth_request() needs to be\nreleased once the request is handled to avoid leaking it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53527",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix unsafe drain work queue code\n\nIf create_qp does not fully succeed it is possible for qp cleanup\ncode to attempt to drain the send or recv work queues before the\nqueues have been created causing a seg fault. This patch checks\nto see if the queues exist before attempting to drain them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53528",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: Fix memory leak in rtw88_usb\n\nKmemleak shows the following leak arising from routine in the usb\nprobe routine:\n\nunreferenced object 0xffff895cb29bba00 (size 512):\n  comm \"(udev-worker)\", pid 534, jiffies 4294903932 (age 102751.088s)\n  hex dump (first 32 bytes):\n    77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00  w000...../-+0...\n    02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00  ..*(.....U......\n  backtrace:\n    [<ffffffff9265fa36>] kmalloc_trace+0x26/0x90\n    [<ffffffffc17eec41>] rtw_usb_probe+0x2f1/0x680 [rtw_usb]\n    [<ffffffffc03e19fd>] usb_probe_interface+0xdd/0x2e0 [usbcore]\n    [<ffffffff92b4f2fe>] really_probe+0x18e/0x3d0\n    [<ffffffff92b4f5b8>] __driver_probe_device+0x78/0x160\n    [<ffffffff92b4f6bf>] driver_probe_device+0x1f/0x90\n    [<ffffffff92b4f8df>] __driver_attach+0xbf/0x1b0\n    [<ffffffff92b4d350>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff92b4e51e>] bus_add_driver+0x10e/0x210\n    [<ffffffff92b50935>] driver_register+0x55/0xf0\n    [<ffffffffc03e0708>] usb_register_driver+0x88/0x140 [usbcore]\n    [<ffffffff92401153>] do_one_initcall+0x43/0x210\n    [<ffffffff9254f42a>] do_init_module+0x4a/0x200\n    [<ffffffff92551d1c>] __do_sys_finit_module+0xac/0x120\n    [<ffffffff92ee6626>] do_syscall_64+0x56/0x80\n    [<ffffffff9300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe leak was verified to be real by unloading the driver, which resulted\nin a dangling pointer to the allocation.\n\nThe allocated memory is freed in rtw_usb_intf_deinit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53529",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()\n\nThe following call trace was observed:\n\nlocalhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete\nlocalhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092\nlocalhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN \"nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291\"\nlocalhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\nlocalhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G    B   W  OE    --------- ---  5.14.0-70.22.1.el9_0.x86_64+debug #1\nlocalhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022\nlocalhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core]\nlocalhost kernel: Call Trace:\nlocalhost kernel: dump_stack_lvl+0x57/0x7d\nlocalhost kernel: check_preemption_disabled+0xc8/0xd0\nlocalhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx]\n\nUse raw_smp_processor_id() instead of smp_processor_id().\n\nAlso use queue_work() across the driver instead of queue_work_on() thus\navoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53530",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix poll request timeout handling\n\nWhen doing io_uring benchmark on /dev/nullb0, it's easy to crash the\nkernel if poll requests timeout triggered, as reported by David. [1]\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:null_timeout_rq+0x4e/0x91\nCall Trace:\n ? null_timeout_rq+0x4e/0x91\n blk_mq_handle_expired+0x31/0x4b\n bt_iter+0x68/0x84\n ? bt_tags_iter+0x81/0x81\n __sbitmap_for_each_set.constprop.0+0xb0/0xf2\n ? __blk_mq_complete_request_remote+0xf/0xf\n bt_for_each+0x46/0x64\n ? __blk_mq_complete_request_remote+0xf/0xf\n ? percpu_ref_get_many+0xc/0x2a\n blk_mq_queue_tag_busy_iter+0x14d/0x18e\n blk_mq_timeout_work+0x95/0x127\n process_one_work+0x185/0x263\n worker_thread+0x1b5/0x227\n\nThis is indeed a race problem between null_timeout_rq() and null_poll().\n\nnull_poll()\t\t\t\tnull_timeout_rq()\n  spin_lock(&nq->poll_lock)\n  list_splice_init(&nq->poll_list, &list)\n  spin_unlock(&nq->poll_lock)\n\n  while (!list_empty(&list))\n    req = list_first_entry()\n    list_del_init()\n    ...\n    blk_mq_add_to_batch()\n    // req->rq_next = NULL\n\t\t\t\t\tspin_lock(&nq->poll_lock)\n\n\t\t\t\t\t// rq->queuelist->next == NULL\n\t\t\t\t\tlist_del_init(&rq->queuelist)\n\n\t\t\t\t\tspin_unlock(&nq->poll_lock)\n\nFix these problems by setting requests state to MQ_RQ_COMPLETE under\nnq->poll_lock protection, in which null_timeout_rq() can safely detect\nthis race and early return.\n\nNote this patch just fix the kernel panic when request timeout happen.\n\n[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53531",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix deinitialization of firmware resources\n\nCurrently, in ath11k_ahb_fw_resources_init(), iommu domain\nmapping is done only for the chipsets having fixed firmware\nmemory. Also, for such chipsets, mapping is done only if it\ndoes not have TrustZone support.\n\nDuring deinitialization, only if TrustZone support is not there,\niommu is unmapped back. However, for non fixed firmware memory\nchipsets, TrustZone support is not there and this makes the\ncondition check to true and it tries to unmap the memory which\nwas not mapped during initialization.\n\nThis leads to the following trace -\n\n[   83.198790] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n[   83.259537] Modules linked in: ath11k_ahb ath11k qmi_helpers\n.. snip ..\n[   83.280286] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   83.287228] pc : __iommu_unmap+0x30/0x140\n[   83.293907] lr : iommu_unmap+0x5c/0xa4\n[   83.298072] sp : ffff80000b3abad0\n.. snip ..\n[   83.369175] Call trace:\n[   83.376282]  __iommu_unmap+0x30/0x140\n[   83.378541]  iommu_unmap+0x5c/0xa4\n[   83.382360]  ath11k_ahb_fw_resource_deinit.part.12+0x2c/0xac [ath11k_ahb]\n[   83.385666]  ath11k_ahb_free_resources+0x140/0x17c [ath11k_ahb]\n[   83.392521]  ath11k_ahb_shutdown+0x34/0x40 [ath11k_ahb]\n[   83.398248]  platform_shutdown+0x20/0x2c\n[   83.403455]  device_shutdown+0x16c/0x1c4\n[   83.407621]  kernel_restart_prepare+0x34/0x3c\n[   83.411529]  kernel_restart+0x14/0x74\n[   83.415781]  __do_sys_reboot+0x1c4/0x22c\n[   83.419427]  __arm64_sys_reboot+0x1c/0x24\n[   83.423420]  invoke_syscall+0x44/0xfc\n[   83.427326]  el0_svc_common.constprop.3+0xac/0xe8\n[   83.430974]  do_el0_svc+0xa0/0xa8\n[   83.435659]  el0_svc+0x1c/0x44\n[   83.438957]  el0t_64_sync_handler+0x60/0x144\n[   83.441910]  el0t_64_sync+0x15c/0x160\n[   83.446343] Code: aa0103f4 f9400001 f90027a1 d2800001 (f94006a0)\n[   83.449903] ---[ end trace 0000000000000000 ]---\n\nThis can be reproduced by probing an AHB chipset which is not\nhaving a fixed memory region. During reboot (or rmmod) trace\ncan be seen.\n\nFix this issue by adding a condition check on firmware fixed memory\nhw_param as done in the counter initialization function.\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53532",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: raspberrypi-ts - fix refcount leak in rpi_ts_probe\n\nrpi_firmware_get() take reference, we need to release it in error paths\nas well. Use devm_rpi_firmware_get() helper to handling the resources.\nAlso remove the existing rpi_firmware_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53533",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: mtk_drm_crtc: Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL poineter dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53534",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmgenet: Add a check for oversized packets\n\nOccasionnaly we may get oversized packets from the hardware which\nexceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early\ncheck which drops the packet to avoid invoking skb_over_panic() and move\non to processing the next packet.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53535",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-crypto: make blk_crypto_evict_key() more robust\n\nIf blk_crypto_evict_key() sees that the key is still in-use (due to a\nbug) or that ->keyslot_evict failed, it currently just returns while\nleaving the key linked into the keyslot management structures.\n\nHowever, blk_crypto_evict_key() is only called in contexts such as inode\neviction where failure is not an option.  So actually the caller\nproceeds with freeing the blk_crypto_key regardless of the return value\nof blk_crypto_evict_key().\n\nThese two assumptions don't match, and the result is that there can be a\nuse-after-free in blk_crypto_reprogram_all_keys() after one of these\nerrors occurs.  (Note, these errors *shouldn't* happen; we're just\ntalking about what happens if they do anyway.)\n\nFix this by making blk_crypto_evict_key() unlink the key from the\nkeyslot management structures even on failure.\n\nAlso improve some comments.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53536",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free for cached IPU bio\n\nxfstest generic/019 reports a bug:\n\nkernel BUG at mm/filemap.c:1619!\nRIP: 0010:folio_end_writeback+0x8a/0x90\nCall Trace:\n end_page_writeback+0x1c/0x60\n f2fs_write_end_io+0x199/0x420\n bio_endio+0x104/0x180\n submit_bio_noacct+0xa5/0x510\n submit_bio+0x48/0x80\n f2fs_submit_write_bio+0x35/0x300\n f2fs_submit_merged_ipu_write+0x2a0/0x2b0\n f2fs_write_single_data_page+0x838/0x8b0\n f2fs_write_cache_pages+0x379/0xa30\n f2fs_write_data_pages+0x30c/0x340\n do_writepages+0xd8/0x1b0\n __writeback_single_inode+0x44/0x370\n writeback_sb_inodes+0x233/0x4d0\n __writeback_inodes_wb+0x56/0xf0\n wb_writeback+0x1dd/0x2d0\n wb_workfn+0x367/0x4a0\n process_one_work+0x21d/0x430\n worker_thread+0x4e/0x3c0\n kthread+0x103/0x130\n ret_from_fork+0x2c/0x50\n\nThe root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()\nin f2fs_write_single_data_page() tries to flush IPU bio in cache, however\nf2fs_submit_merged_ipu_write() missed to check validity of @bio parameter,\nresult in submitting random cached bio which belong to other IO context,\nthen it will cause use-after-free issue, fix it by adding additional\nvalidity check.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53537",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: insert tree mod log move in push_node_left\n\nThere is a fairly unlikely race condition in tree mod log rewind that\ncan result in a kernel panic which has the following trace:\n\n  [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096\n  [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096\n  [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002\n  [530.618] #PF: supervisor read access in kernel mode\n  [530.629] #PF: error_code(0x0000) - not-present page\n  [530.641] PGD 0 P4D 0\n  [530.647] Oops: 0000 [#1] SMP\n  [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S         O  K   5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1\n  [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017\n  [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00\n  [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246\n  [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100\n  [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8\n  [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff\n  [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000\n  [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0\n  [530.848] FS:  00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000\n  [530.866] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0\n  [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [530.928] Call Trace:\n  [530.934]  ? btrfs_printk+0x13b/0x18c\n  [530.943]  ? btrfs_bio_counter_inc_blocked+0x3d/0x130\n  [530.955]  btrfs_map_bio+0x75/0x330\n  [530.963]  ? kmem_cache_alloc+0x12a/0x2d0\n  [530.973]  ? btrfs_submit_metadata_bio+0x63/0x100\n  [530.984]  btrfs_submit_metadata_bio+0xa4/0x100\n  [530.995]  submit_extent_page+0x30f/0x360\n  [531.004]  read_extent_buffer_pages+0x49e/0x6d0\n  [531.015]  ? submit_extent_page+0x360/0x360\n  [531.025]  btree_read_extent_buffer_pages+0x5f/0x150\n  [531.037]  read_tree_block+0x37/0x60\n  [531.046]  read_block_for_search+0x18b/0x410\n  [531.056]  btrfs_search_old_slot+0x198/0x2f0\n  [531.066]  resolve_indirect_ref+0xfe/0x6f0\n  [531.076]  ? ulist_alloc+0x31/0x60\n  [531.084]  ? kmem_cache_alloc_trace+0x12e/0x2b0\n  [531.095]  find_parent_nodes+0x720/0x1830\n  [531.105]  ? ulist_alloc+0x10/0x60\n  [531.113]  iterate_extent_inodes+0xea/0x370\n  [531.123]  ? btrfs_previous_extent_item+0x8f/0x110\n  [531.134]  ? btrfs_search_path_in_tree+0x240/0x240\n  [531.146]  iterate_inodes_from_logical+0x98/0xd0\n  [531.157]  ? btrfs_search_path_in_tree+0x240/0x240\n  [531.168]  btrfs_ioctl_logical_to_ino+0xd9/0x180\n  [531.179]  btrfs_ioctl+0xe2/0x2eb0\n\nThis occurs when logical inode resolution takes a tree mod log sequence\nnumber, and then while backref walking hits a rewind on a busy node\nwhich has the following sequence of tree mod log operations (numbers\nfilled in from a specific example, but they are somewhat arbitrary)\n\n  REMOVE_WHILE_FREEING slot 532\n  REMOVE_WHILE_FREEING slot 531\n  REMOVE_WHILE_FREEING slot 530\n  ...\n  REMOVE_WHILE_FREEING slot 0\n  REMOVE slot 455\n  REMOVE slot 454\n  REMOVE slot 453\n  ...\n  REMOVE slot 0\n  ADD slot 455\n  ADD slot 454\n  ADD slot 453\n  ...\n  ADD slot 0\n  MOVE src slot 0 -> dst slot 456 nritems 533\n  REMOVE slot 455\n  REMOVE slot 454\n  REMOVE slot 453\n  ...\n  REMOVE slot 0\n\nWhen this sequence gets applied via btrfs_tree_mod_log_rewind, it\nallocates a fresh rewind eb, and first inserts the correct key info for\nthe 533 elements, then overwrites the first 456 of them, then decrements\nthe count by 456 via the add ops, then rewinds the move by doing a\nmemmove from 456:988->0:532. We have never written anything past 532,\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53538",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix incomplete state save in rxe_requester\n\nIf a send packet is dropped by the IP layer in rxe_requester()\nthe call to rxe_xmit_packet() can fail with err == -EAGAIN.\nTo recover, the state of the wqe is restored to the state before\nthe packet was sent so it can be resent. However, the routines\nthat save and restore the state miss a significant part of the\nvariable state in the wqe, the dma struct which is used to process\nthrough the sge table. And, the state is not saved before the packet\nis built which modifies the dma struct.\n\nUnder heavy stress testing with many QPs on a fast node sending\nlarge messages to a slow node dropped packets are observed and\nthe resent packets are corrupted because the dma struct was not\nrestored. This patch fixes this behavior and allows the test cases\nto succeed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53539",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: reject auth/assoc to AP with our address\n\nIf the AP uses our own address as its MLD address or BSSID, then\nclearly something's wrong. Reject such connections so we don't\ntry and fail later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53540",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write\n\nWhen the oob buffer length is not in multiple of words, the oob write\nfunction does out-of-bounds read on the oob source buffer at the last\niteration. Fix that by always checking length limit on the oob buffer\nread and fill with 0xff when reaching the end of the buffer to the oob\nregisters.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53541",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy\n\nFor some reason, the driver adding support for Exynos5420 MIPI phy\nback in 2016 wasn't used on Exynos5420, which caused a kernel panic.\nAdd the proper compatible for it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53542",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info->attrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa max vqp attr to avoid\nsuch bugs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53543",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: davinci: Fix clk use after free\n\nThe remove function first frees the clks and only then calls\ncpufreq_unregister_driver(). If one of the cpufreq callbacks is called\njust before cpufreq_unregister_driver() is run, the freed clks might be\nused.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53544",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: unmap and remove csa_va properly\n\nRoot PD BO should be reserved before unmap and remove\na bo_va from VM otherwise lockdep will complain.\n\nv2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)\n\n[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]\n[14616.937096] Call Trace:\n[14616.937097]  <TASK>\n[14616.937102]  amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]\n[14616.937187]  drm_file_free+0x1d6/0x300 [drm]\n[14616.937207]  drm_close_helper.isra.0+0x62/0x70 [drm]\n[14616.937220]  drm_release+0x5e/0x100 [drm]\n[14616.937234]  __fput+0x9f/0x280\n[14616.937239]  ____fput+0xe/0x20\n[14616.937241]  task_work_run+0x61/0x90\n[14616.937246]  exit_to_user_mode_prepare+0x215/0x220\n[14616.937251]  syscall_exit_to_user_mode+0x2a/0x60\n[14616.937254]  do_syscall_64+0x48/0x90\n[14616.937257]  entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53545",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx\n\nwhen mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory\npointed by 'in' is not released, which will cause memory leak. Move memory\nrelease after mlx5_cmd_exec.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53546",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix sdma v4 sw fini error\n\nFix sdma v4 sw fini error for sdma 4.2.2 to\nsolve the following general protection fault\n\n[  +0.108196] general protection fault, probably for non-canonical\naddress 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI\n[  +0.000018] RIP: 0010:free_fw_priv+0xd/0x70\n[  +0.000022] Call Trace:\n[  +0.000012]  <TASK>\n[  +0.000011]  release_firmware+0x55/0x80\n[  +0.000021]  amdgpu_ucode_release+0x11/0x20 [amdgpu]\n[  +0.000415]  amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]\n[  +0.000360]  sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53547",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb\n\nThe syzbot fuzzer identified a problem in the usbnet driver:\n\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc9000463f568 EFLAGS: 00010086\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001\nRBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003\nR13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500\nFS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453\n __netdev_start_xmit include/linux/netdevice.h:4918 [inline]\n netdev_start_xmit include/linux/netdevice.h:4932 [inline]\n xmit_one net/core/dev.c:3578 [inline]\n dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594\n...\n\nThis bug is caused by the fact that usbnet trusts the bulk endpoint\naddresses its probe routine receives in the driver_info structure, and\nit does not check to see that these endpoints actually exist and have\nthe expected type and directions.\n\nThe fix is simply to add such a check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53548",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Rework long task execution when adding/deleting entries\n\nWhen adding/deleting large number of elements in one step in ipset, it can\ntake a reasonable amount of time and can result in soft lockup errors. The\npatch 5f7b51bf09ba (\"netfilter: ipset: Limit the maximal range of\nconsecutive elements to add/delete\") tried to fix it by limiting the max\nelements to process at all. However it was not enough, it is still possible\nthat we get hung tasks. Lowering the limit is not reasonable, so the\napproach in this patch is as follows: rely on the method used at resizing\nsets and save the state when we reach a smaller internal batch limit,\nunlock/lock and proceed from the saved state. Thus we can avoid long\ncontinuous tasks and at the same time removed the limit to add/delete large\nnumber of elements in one step.\n\nThe nfnl mutex is held during the whole operation which prevents one to\nissue other ipset commands in parallel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53549",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix global sysfs attribute type\n\nIn commit 3666062b87ec (\"cpufreq: amd-pstate: move to use bus_get_dev_root()\")\nthe \"amd_pstate\" attributes were moved from a dedicated kobject to the\ncpu root kobject.\n\nWhile the dedicated kobject expects to contain kobj_attributes the root\nkobject needs device_attributes.\n\nAs the changed arguments are not used by the callbacks it works most of\nthe time.\nHowever CFI will detect this issue:\n\n[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)\n...\n[ 4947.849409] Call Trace:\n[ 4947.849410]  <TASK>\n[ 4947.849411]  ? __warn+0xcf/0x1c0\n[ 4947.849414]  ? dev_attr_show+0x24/0x60\n[ 4947.849415]  ? report_cfi_failure+0x4e/0x60\n[ 4947.849417]  ? handle_cfi_failure+0x14c/0x1d0\n[ 4947.849419]  ? __cfi_show_status+0x10/0x10\n[ 4947.849420]  ? handle_bug+0x4f/0x90\n[ 4947.849421]  ? exc_invalid_op+0x1a/0x60\n[ 4947.849422]  ? asm_exc_invalid_op+0x1a/0x20\n[ 4947.849424]  ? __cfi_show_status+0x10/0x10\n[ 4947.849425]  ? dev_attr_show+0x24/0x60\n[ 4947.849426]  sysfs_kf_seq_show+0xa6/0x110\n[ 4947.849433]  seq_read_iter+0x16c/0x4b0\n[ 4947.849436]  vfs_read+0x272/0x2d0\n[ 4947.849438]  ksys_read+0x72/0xe0\n[ 4947.849439]  do_syscall_64+0x76/0xb0\n[ 4947.849440]  ? do_user_addr_fault+0x252/0x650\n[ 4947.849442]  ? exc_page_fault+0x7a/0x1b0\n[ 4947.849443]  entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53550",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Add null pointer check in gserial_resume\n\nConsider a case where gserial_disconnect has already cleared\ngser->ioport. And if a wakeup interrupt triggers afterwards,\ngserial_resume gets called, which will lead to accessing of\ngser->ioport and thus causing null pointer dereference. Add\na null pointer check to prevent this.\n\nAdded a static spinlock to prevent gser->ioport from becoming\nnull after the newly added check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53551",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: mark requests for GuC virtual engines to avoid use-after-free\n\nReferences to i915_requests may be trapped by userspace inside a\nsync_file or dmabuf (dma-resv) and held indefinitely across different\nprocesses. To counter-act the memory leaks, we try to not to keep\nreferences from the request past their completion.\nOn the other side on fence release we need to know if rq->engine\nis valid and points to hw engine (true for non-virtual requests).\nTo make it possible extra bit has been added to rq->execution_mask,\nfor marking virtual engines.\n\n(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53552",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: avoid struct memcpy overrun warning\n\nA previous patch addressed the fortified memcpy warning for most\nbuilds, but I still see this one with gcc-9:\n\nIn file included from include/linux/string.h:254,\n                 from drivers/hid/hid-hyperv.c:8:\nIn function 'fortify_memcpy_chk',\n    inlined from 'mousevsc_on_receive' at drivers/hid/hid-hyperv.c:272:3:\ninclude/linux/fortify-string.h:583:4: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]\n  583 |    __write_overflow_field(p_size_field, size);\n      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMy guess is that the WARN_ON() itself is what confuses gcc, so it no\nlonger sees that there is a correct range check. Rework the code in a\nway that helps readability and avoids the warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53553",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()\n\nThe \"exc->key_len\" is a u16 that comes from the user.  If it's over\nIW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53554",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: initialize damo_filter->list from damos_new_filter()\n\ndamos_new_filter() is not initializing the list field of newly allocated\nfilter object.  However, DAMON sysfs interface and DAMON_RECLAIM are not\ninitializing it after calling damos_new_filter().  As a result, accessing\nuninitialized memory is possible.  Actually, adding multiple DAMOS filters\nvia DAMON sysfs interface caused NULL pointer dereferencing.  Initialize\nthe field just after the allocation from damos_new_filter().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53555",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix use-after-free in free_netdev\n\nWe do netif_napi_add() for all allocated q_vectors[], but potentially\ndo netif_napi_del() for part of them, then kfree q_vectors and leave\ninvalid pointers at dev->napi_list.\n\nReproducer:\n\n  [root@host ~]# cat repro.sh\n  #!/bin/bash\n\n  pf_dbsf=\"0000:41:00.0\"\n  vf0_dbsf=\"0000:41:02.0\"\n  g_pids=()\n\n  function do_set_numvf()\n  {\n      echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n      echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n  }\n\n  function do_set_channel()\n  {\n      local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n      [ -z \"$nic\" ] && { sleep $((RANDOM%3)) ; return 1; }\n      ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n      ifconfig $nic up\n      ethtool -L $nic combined 1\n      ethtool -L $nic combined 4\n      sleep $((RANDOM%3))\n  }\n\n  function on_exit()\n  {\n      local pid\n      for pid in \"${g_pids[@]}\"; do\n          kill -0 \"$pid\" &>/dev/null && kill \"$pid\" &>/dev/null\n      done\n      g_pids=()\n  }\n\n  trap \"on_exit; exit\" EXIT\n\n  while :; do do_set_numvf ; done &\n  g_pids+=($!)\n  while :; do do_set_channel ; done &\n  g_pids+=($!)\n\n  wait\n\nResult:\n\n[ 4093.900222] ==================================================================\n[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390\n[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699\n[ 4093.900233]\n[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1\n[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 4093.900239] Call Trace:\n[ 4093.900244]  dump_stack+0x71/0xab\n[ 4093.900249]  print_address_description+0x6b/0x290\n[ 4093.900251]  ? free_netdev+0x308/0x390\n[ 4093.900252]  kasan_report+0x14a/0x2b0\n[ 4093.900254]  free_netdev+0x308/0x390\n[ 4093.900261]  iavf_remove+0x825/0xd20 [iavf]\n[ 4093.900265]  pci_device_remove+0xa8/0x1f0\n[ 4093.900268]  device_release_driver_internal+0x1c6/0x460\n[ 4093.900271]  pci_stop_bus_device+0x101/0x150\n[ 4093.900273]  pci_stop_and_remove_bus_device+0xe/0x20\n[ 4093.900275]  pci_iov_remove_virtfn+0x187/0x420\n[ 4093.900277]  ? pci_iov_add_virtfn+0xe10/0xe10\n[ 4093.900278]  ? pci_get_subsys+0x90/0x90\n[ 4093.900280]  sriov_disable+0xed/0x3e0\n[ 4093.900282]  ? bus_find_device+0x12d/0x1a0\n[ 4093.900290]  i40e_free_vfs+0x754/0x1210 [i40e]\n[ 4093.900298]  ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 4093.900299]  ? pci_get_device+0x7c/0x90\n[ 4093.900300]  ? pci_get_subsys+0x90/0x90\n[ 4093.900306]  ? pci_vfs_assigned.part.7+0x144/0x210\n[ 4093.900309]  ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900315]  i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 4093.900318]  sriov_numvfs_store+0x214/0x290\n[ 4093.900320]  ? sriov_totalvfs_show+0x30/0x30\n[ 4093.900321]  ? __mutex_lock_slowpath+0x10/0x10\n[ 4093.900323]  ? __check_object_size+0x15a/0x350\n[ 4093.900326]  kernfs_fop_write+0x280/0x3f0\n[ 4093.900329]  vfs_write+0x145/0x440\n[ 4093.900330]  ksys_write+0xab/0x160\n[ 4093.900332]  ? __ia32_sys_read+0xb0/0xb0\n[ 4093.900334]  ? fput_many+0x1a/0x120\n[ 4093.900335]  ? filp_close+0xf0/0x130\n[ 4093.900338]  do_syscall_64+0xa0/0x370\n[ 4093.900339]  ? page_fault+0x8/0x30\n[ 4093.900341]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 4093.900357] RIP: 0033:0x7f16ad4d22c0\n[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24\n[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0\n[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001\n[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700\n[ 4093.9003\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53556",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfprobe: Release rethook after the ftrace_ops is unregistered\n\nWhile running bpf selftests it's possible to get following fault:\n\n  general protection fault, probably for non-canonical address \\\n  0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI\n  ...\n  Call Trace:\n   <TASK>\n   fprobe_handler+0xc1/0x270\n   ? __pfx_bpf_testmod_init+0x10/0x10\n   ? __pfx_bpf_testmod_init+0x10/0x10\n   ? bpf_fentry_test1+0x5/0x10\n   ? bpf_fentry_test1+0x5/0x10\n   ? bpf_testmod_init+0x22/0x80\n   ? do_one_initcall+0x63/0x2e0\n   ? rcu_is_watching+0xd/0x40\n   ? kmalloc_trace+0xaf/0xc0\n   ? do_init_module+0x60/0x250\n   ? __do_sys_finit_module+0xac/0x120\n   ? do_syscall_64+0x37/0x90\n   ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n   </TASK>\n\nIn unregister_fprobe function we can't release fp->rethook while it's\npossible there are some of its users still running on another cpu.\n\nMoving rethook_free call after fp->ops is unregistered with\nunregister_ftrace_function call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()\n\npr_info() is called with rtp->cbs_gbl_lock spin lock locked.  Because\npr_info() calls printk() that might sleep, this will result in BUG\nlike below:\n\n[    0.206455] cblist_init_generic: Setting adjustable number of callback queues.\n[    0.206463]\n[    0.206464] =============================\n[    0.206464] [ BUG: Invalid wait context ]\n[    0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted\n[    0.206466] -----------------------------\n[    0.206466] swapper/0/1 is trying to lock:\n[    0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0\n[    0.206473] other info that might help us debug this:\n[    0.206473] context-{5:5}\n[    0.206474] 3 locks held by swapper/0/1:\n[    0.206474]  #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0\n[    0.206478]  #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e\n[    0.206482]  #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330\n[    0.206485] stack backtrace:\n[    0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5\n[    0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[    0.206489] Call Trace:\n[    0.206490]  <TASK>\n[    0.206491]  dump_stack_lvl+0x6a/0x9f\n[    0.206493]  __lock_acquire.cold+0x2d7/0x2fe\n[    0.206496]  ? stack_trace_save+0x46/0x70\n[    0.206497]  lock_acquire+0xd1/0x2f0\n[    0.206499]  ? serial8250_console_write+0x327/0x4a0\n[    0.206500]  ? __lock_acquire+0x5c7/0x2720\n[    0.206502]  _raw_spin_lock_irqsave+0x3d/0x90\n[    0.206504]  ? serial8250_console_write+0x327/0x4a0\n[    0.206506]  serial8250_console_write+0x327/0x4a0\n[    0.206508]  console_emit_next_record.constprop.0+0x180/0x330\n[    0.206511]  console_unlock+0xf7/0x1f0\n[    0.206512]  vprintk_emit+0xf7/0x330\n[    0.206514]  _printk+0x63/0x7e\n[    0.206516]  cblist_init_generic.constprop.0.cold+0x24/0x32\n[    0.206518]  rcu_init_tasks_generic+0x5/0xd9\n[    0.206522]  kernel_init_freeable+0x15b/0x2a2\n[    0.206523]  ? rest_init+0x160/0x160\n[    0.206526]  kernel_init+0x11/0x120\n[    0.206527]  ret_from_fork+0x1f/0x30\n[    0.206530]  </TASK>\n[    0.207018] cblist_init_generic: Setting shift to 1 and lim to 1.\n\nThis patch moves pr_info() so that it is called without\nrtp->cbs_gbl_lock locked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53558",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_vti: fix potential slab-use-after-free in decode_session6\n\nWhen ip_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ip_vti device sends IPv6 packets.\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)->nhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Add histograms to hist_vars if they have referenced variables\n\nHist triggers can have referenced variables without having direct\nvariables fields. This can be the case if referenced variables are added\nfor trigger actions. In this case the newly added references will not\nhave field variables. Not taking such referenced variables into\nconsideration can result in a bug where it would be possible to remove\nhist trigger with variables being refenced. This will result in a bug\nthat is easily reproducable like so\n\n$ cd /sys/kernel/tracing\n$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events\n$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger\n$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger\n$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger\n\n[  100.263533] ==================================================================\n[  100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180\n[  100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439\n[  100.266320]\n[  100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4\n[  100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\n[  100.268561] Call Trace:\n[  100.268902]  <TASK>\n[  100.269189]  dump_stack_lvl+0x4c/0x70\n[  100.269680]  print_report+0xc5/0x600\n[  100.270165]  ? resolve_var_refs+0xc7/0x180\n[  100.270697]  ? kasan_complete_mode_report_info+0x80/0x1f0\n[  100.271389]  ? resolve_var_refs+0xc7/0x180\n[  100.271913]  kasan_report+0xbd/0x100\n[  100.272380]  ? resolve_var_refs+0xc7/0x180\n[  100.272920]  __asan_load8+0x71/0xa0\n[  100.273377]  resolve_var_refs+0xc7/0x180\n[  100.273888]  event_hist_trigger+0x749/0x860\n[  100.274505]  ? kasan_save_stack+0x2a/0x50\n[  100.275024]  ? kasan_set_track+0x29/0x40\n[  100.275536]  ? __pfx_event_hist_trigger+0x10/0x10\n[  100.276138]  ? ksys_write+0xd1/0x170\n[  100.276607]  ? do_syscall_64+0x3c/0x90\n[  100.277099]  ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[  100.277771]  ? destroy_hist_data+0x446/0x470\n[  100.278324]  ? event_hist_trigger_parse+0xa6c/0x3860\n[  100.278962]  ? __pfx_event_hist_trigger_parse+0x10/0x10\n[  100.279627]  ? __kasan_check_write+0x18/0x20\n[  100.280177]  ? mutex_unlock+0x85/0xd0\n[  100.280660]  ? __pfx_mutex_unlock+0x10/0x10\n[  100.281200]  ? kfree+0x7b/0x120\n[  100.281619]  ? ____kasan_slab_free+0x15d/0x1d0\n[  100.282197]  ? event_trigger_write+0xac/0x100\n[  100.282764]  ? __kasan_slab_free+0x16/0x20\n[  100.283293]  ? __kmem_cache_free+0x153/0x2f0\n[  100.283844]  ? sched_mm_cid_remote_clear+0xb1/0x250\n[  100.284550]  ? __pfx_sched_mm_cid_remote_clear+0x10/0x10\n[  100.285221]  ? event_trigger_write+0xbc/0x100\n[  100.285781]  ? __kasan_check_read+0x15/0x20\n[  100.286321]  ? __bitmap_weight+0x66/0xa0\n[  100.286833]  ? _find_next_bit+0x46/0xe0\n[  100.287334]  ? task_mm_cid_work+0x37f/0x450\n[  100.287872]  event_triggers_call+0x84/0x150\n[  100.288408]  trace_event_buffer_commit+0x339/0x430\n[  100.289073]  ? ring_buffer_event_data+0x3f/0x60\n[  100.292189]  trace_event_raw_event_sys_enter+0x8b/0xe0\n[  100.295434]  syscall_trace_enter.constprop.0+0x18f/0x1b0\n[  100.298653]  syscall_enter_from_user_mode+0x32/0x40\n[  100.301808]  do_syscall_64+0x1a/0x90\n[  100.304748]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[  100.307775] RIP: 0033:0x7f686c75c1cb\n[  100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48\n[  100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021\n[  100.321200] RA\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix NULL pointer dereference when removing device\n\nIn suspend and resume cycle, the removal and rescan of device ends\nup in NULL pointer dereference.\n\nDuring driver initialization, if the ipc_imem_wwan_channel_init()\nfails to get the valid device capabilities it returns an error and\nfurther no resource (wwan struct) will be allocated. Now in this\nsituation if driver removal procedure is initiated it would result\nin NULL pointer exception since unallocated wwan struct is dereferenced\ninside ipc_wwan_deinit().\n\nipc_imem_run_state_worker() to handle the called functions return value\nand to release the resource in failure case. It also reports the link\ndown event in failure cases. The user space application can handle this\nevent to do a device reset for restoring the device communication.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix vram leak on bind errors\n\nMake sure to release the VRAM buffer also in a case a subcomponent fails\nto bind.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525094/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate-ut: Fix kernel panic when loading the driver\n\nAfter loading the amd-pstate-ut driver, amd_pstate_ut_check_perf()\nand amd_pstate_ut_check_freq() use cpufreq_cpu_get() to get the policy\nof the CPU and mark it as busy.\n\nIn these functions, cpufreq_cpu_put() should be used to release the\npolicy, but it is not, so any other entity trying to access the policy\nis blocked indefinitely.\n\nOne such scenario is when amd_pstate mode is changed, leading to the\nfollowing splat:\n\n[ 1332.103727] INFO: task bash:2929 blocked for more than 120 seconds.\n[ 1332.110001]       Not tainted 6.5.0-rc2-amd-pstate-ut #5\n[ 1332.115315] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 1332.123140] task:bash            state:D stack:0     pid:2929  ppid:2873   flags:0x00004006\n[ 1332.123143] Call Trace:\n[ 1332.123145]  <TASK>\n[ 1332.123148]  __schedule+0x3c1/0x16a0\n[ 1332.123154]  ? _raw_read_lock_irqsave+0x2d/0x70\n[ 1332.123157]  schedule+0x6f/0x110\n[ 1332.123160]  schedule_timeout+0x14f/0x160\n[ 1332.123162]  ? preempt_count_add+0x86/0xd0\n[ 1332.123165]  __wait_for_common+0x92/0x190\n[ 1332.123168]  ? __pfx_schedule_timeout+0x10/0x10\n[ 1332.123170]  wait_for_completion+0x28/0x30\n[ 1332.123173]  cpufreq_policy_put_kobj+0x4d/0x90\n[ 1332.123177]  cpufreq_policy_free+0x157/0x1d0\n[ 1332.123178]  ? preempt_count_add+0x58/0xd0\n[ 1332.123180]  cpufreq_remove_dev+0xb6/0x100\n[ 1332.123182]  subsys_interface_unregister+0x114/0x120\n[ 1332.123185]  ? preempt_count_add+0x58/0xd0\n[ 1332.123187]  ? __pfx_amd_pstate_change_driver_mode+0x10/0x10\n[ 1332.123190]  cpufreq_unregister_driver+0x3b/0xd0\n[ 1332.123192]  amd_pstate_change_driver_mode+0x1e/0x50\n[ 1332.123194]  store_status+0xe9/0x180\n[ 1332.123197]  dev_attr_store+0x1b/0x30\n[ 1332.123199]  sysfs_kf_write+0x42/0x50\n[ 1332.123202]  kernfs_fop_write_iter+0x143/0x1d0\n[ 1332.123204]  vfs_write+0x2df/0x400\n[ 1332.123208]  ksys_write+0x6b/0xf0\n[ 1332.123210]  __x64_sys_write+0x1d/0x30\n[ 1332.123213]  do_syscall_64+0x60/0x90\n[ 1332.123216]  ? fpregs_assert_state_consistent+0x2e/0x50\n[ 1332.123219]  ? exit_to_user_mode_prepare+0x49/0x1a0\n[ 1332.123223]  ? irqentry_exit_to_user_mode+0xd/0x20\n[ 1332.123225]  ? irqentry_exit+0x3f/0x50\n[ 1332.123226]  ? exc_page_fault+0x8e/0x190\n[ 1332.123228]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 1332.123232] RIP: 0033:0x7fa74c514a37\n[ 1332.123234] RSP: 002b:00007ffe31dd0788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 1332.123238] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fa74c514a37\n[ 1332.123239] RDX: 0000000000000008 RSI: 000055e27c447aa0 RDI: 0000000000000001\n[ 1332.123241] RBP: 000055e27c447aa0 R08: 00007fa74c5d1460 R09: 000000007fffffff\n[ 1332.123242] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008\n[ 1332.123244] R13: 00007fa74c61a780 R14: 00007fa74c616600 R15: 00007fa74c615a00\n[ 1332.123247]  </TASK>\n\nFix this by calling cpufreq_cpu_put() wherever necessary.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix defrag path triggering jbd2 ASSERT\n\ncode path:\n\nocfs2_ioctl_move_extents\n ocfs2_move_extents\n  ocfs2_defrag_extent\n   __ocfs2_move_extent\n    + ocfs2_journal_access_di\n    + ocfs2_split_extent  //sub-paths call jbd2_journal_restart\n    + ocfs2_journal_dirty //crash by jbs2 ASSERT\n\ncrash stacks:\n\nPID: 11297  TASK: ffff974a676dcd00  CPU: 67  COMMAND: \"defragfs.ocfs2\"\n #0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01\n #1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d\n #2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d\n #3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f\n #4 [ffffb25d8dad3a58] do_trap at ffffffff83833205\n #5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6\n #6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18\n    [exception RIP: jbd2_journal_dirty_metadata+0x2ba]\n    RIP: ffffffffc09ca54a  RSP: ffffb25d8dad3b70  RFLAGS: 00010207\n    RAX: 0000000000000000  RBX: ffff9706eedc5248  RCX: 0000000000000000\n    RDX: 0000000000000001  RSI: ffff97337029ea28  RDI: ffff9706eedc5250\n    RBP: ffff9703c3520200   R8: 000000000f46b0b2   R9: 0000000000000000\n    R10: 0000000000000001  R11: 00000001000000fe  R12: ffff97337029ea28\n    R13: 0000000000000000  R14: ffff9703de59bf60  R15: ffff9706eedc5250\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2]\n #8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2]\n #9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2]\n\nAnalysis\n\nThis bug has the same root cause of 'commit 7f27ec978b0e (\"ocfs2: call\nocfs2_journal_access_di() before ocfs2_journal_dirty() in\nocfs2_write_end_nolock()\")'.  For this bug, jbd2_journal_restart() is\ncalled by ocfs2_split_extent() during defragmenting.\n\nHow to fix\n\nFor ocfs2_split_extent() can handle journal operations totally by itself. \nCaller doesn't need to call journal access/dirty pair, and caller only\nneeds to call journal start/stop pair.  The fix method is to remove\njournal access/dirty from __ocfs2_move_extent().\n\nThe discussion for this patch:\nhttps://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check for probe() id argument being NULL\n\nThe probe() id argument may be NULL in 2 scenarios:\n\n1. brcmf_pcie_pm_leave_D3() calling brcmf_pcie_probe() to reprobe\n   the device.\n\n2. If a user tries to manually bind the driver from sysfs then the sdio /\n   pcie / usb probe() function gets called with NULL as id argument.\n\n1. Is being hit by users causing the following oops on resume and causing\nwifi to stop working:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n<snip>\nHardware name: Dell Inc. XPS 13 9350/0PWNCR, BIDS 1.13.0 02/10/2020\nWorkgueue: events_unbound async_run_entry_fn\nRIP: 0010:brcmf_pcie_probe+Ox16b/0x7a0 [brcmfmac]\n<snip>\nCall Trace:\n <TASK>\n brcmf_pcie_pm_leave_D3+0xc5/8x1a0 [brcmfmac be3b4cefca451e190fa35be8f00db1bbec293887]\n ? pci_pm_resume+0x5b/0xf0\n ? pci_legacy_resume+0x80/0x80\n dpm_run_callback+0x47/0x150\n device_resume+0xa2/0x1f0\n async_resume+0x1d/0x30\n<snip>\n\nFix this by checking for id being NULL.\n\nIn the PCI and USB cases try a manual lookup of the id so that manually\nbinding the driver through sysfs and more importantly brcmf_pcie_probe()\non resume will work.\n\nFor the SDIO case there is no helper to do a manual sdio_device_id lookup,\nso just directly error out on a NULL id there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix null deref on element insertion\n\nThere is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n nft_add_set_elem+0x14b0/0x2990\n  nf_tables_newsetelem+0x528/0xb30\n\nFurthermore, there is a possible use-after-free while iterating,\n'node' can be free'd so we need to cache the next value to use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: qup: Don't skip cleanup in remove's error path\n\nReturning early in a platform driver's remove callback is wrong. In this\ncase the dma resources are not released in the error path. this is never\nretried later and so this is a permanent leak. To fix this, only skip\nhardware disabling if waking the device fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: don't leak memory if dev_set_name() fails\n\nWhen dev_set_name() fails, zcdn_create() doesn't free the newly\nallocated resources. Do it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next2: Check block size validity during mount\n\nCheck that log of block size stored in the superblock has sensible\nvalue. Otherwise the shift computing the block size can overflow leading\nto undefined behavior.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()\n\nnl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the\nnumber of MBSSID elements in the nested netlink attribute attrs, which can\nlead to an integer overflow if a user of the nl80211 interface specifies\n256 or more elements in the corresponding attribute in userspace. The\ninteger overflow can lead to a heap buffer overflow as num_elems determines\nthe size of the trailing array in elems, and this array is thereafter\nwritten to for each element in attrs.\n\nNote that this vulnerability only affects devices with the\nwiphy->mbssid_max_interfaces member set for the wireless physical device\nstruct in the device driver, and can only be triggered by a process with\nCAP_NET_ADMIN capabilities.\n\nFix this by checking for a maximum of 255 elements in attrs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Make intel_get_crtc_new_encoder() less oopsy\n\nThe point of the WARN was to print something, not oops\nstraight up. Currently that is precisely what happens\nif we can't find the connector for the crtc in the atomic\nstate. Get the dev pointer from the atomic state instead\nof the potentially NULL encoder to avoid that.\n\n(cherry picked from commit 3b6692357f70498f617ea1b31a0378070a0acf1c)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: scu: use _safe list iterator to avoid a use after free\n\nThis loop is freeing \"clk\" so it needs to use list_for_each_entry_safe().\nOtherwise it dereferences a freed variable to get the next item on the\nloop.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rs9: Fix suspend/resume\n\nDisabling the cache in commit 2ff4ba9e3702 (\"clk: rs9: Fix I2C accessors\")\nwithout removing cache synchronization in resume path results in a\nkernel panic as map->cache_ops is unset, due to REGCACHE_NONE.\nEnable flat cache again to support resume again. num_reg_defaults_raw\nis necessary to read the cache defaults from hardware. Some registers\nare strapped in hardware and cannot be provided in software.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: delete timer and free skb queue when unloading\n\nFix possible crash and memory leak on driver unload by deleting\nTX purge timer and freeing C2H queue in 'rtw_core_deinit()',\nshrink critical section in the latter by freeing COEX queue\nout of TX report lock scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix potential array out of bounds access\n\nAccount for IWL_SEC_WEP_KEY_OFFSET when needed while verifying\nkey_len size in iwl_mvm_sec_key_add().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53575",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: Always check queue mode setting from configfs\n\nMake sure to check device queue mode in the null_validate_conf() and\nreturn error for NULL_Q_RQ as we don't allow legacy I/O path, without\nthis patch we get OOPs when queue mode is set to 1 from configfs,\nfollowing are repro steps :-\n\nmodprobe null_blk nr_devices=0\nmkdir config/nullb/nullb0\necho 1 > config/nullb/nullb0/memory_backed\necho 4096 > config/nullb/nullb0/blocksize\necho 20480 > config/nullb/nullb0/size\necho 1 > config/nullb/nullb0/queue_mode\necho 1 > config/nullb/nullb0/power\n\nEntering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null)\ndue to oops @ 0xffffffffc041c329\nCPU: 42 PID: 2372 Comm: sh Tainted: G           O     N 6.3.0-rc5lblk+ #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk]\nCode: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20\nRSP: 0018:ffffc900052cbde0 EFLAGS: 00010246\nRAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00\nRBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740\nFS:  00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0\nDR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a\nDR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n nullb_device_power_store+0xd1/0x120 [null_blk]\n configfs_write_iter+0xb4/0x120\n vfs_write+0x2ba/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7fd4460c57a7\nCode: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7\nRDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001\nRBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0\nR10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002\nR13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Make sure kthread is running before map update returns\n\nThe following warning was reported when running stress-mode enabled\nxdp_redirect_cpu with some RT threads:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135\n  CPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: events cpu_map_kthread_stop\n  RIP: 0010:put_cpu_map_entry+0xda/0x220\n  ......\n  Call Trace:\n   <TASK>\n   ? show_regs+0x65/0x70\n   ? __warn+0xa5/0x240\n   ......\n   ? put_cpu_map_entry+0xda/0x220\n   cpu_map_kthread_stop+0x41/0x60\n   process_one_work+0x6b0/0xb80\n   worker_thread+0x96/0x720\n   kthread+0x1a5/0x1f0\n   ret_from_fork+0x3a/0x70\n   ret_from_fork_asm+0x1b/0x30\n   </TASK>\n\nThe root cause is the same as commit 436901649731 (\"bpf: cpumap: Fix memory\nleak in cpu_map_update_elem\"). The kthread is stopped prematurely by\nkthread_stop() in cpu_map_kthread_stop(), and kthread() doesn't call\ncpu_map_kthread_run() at all but XDP program has already queued some\nframes or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checks\nthe ptr_ring, it will find it was not emptied and report a warning.\n\nAn alternative fix is to use __cpu_map_ring_cleanup() to drop these\npending frames or skbs when kthread_stop() returns -EINTR, but it may\nconfuse the user, because these frames or skbs have been handled\ncorrectly by XDP program. So instead of dropping these frames or skbs,\njust make sure the per-cpu kthread is running before\n__cpu_map_entry_alloc() returns.\n\nAfter apply the fix, the error handle for kthread_stop() will be\nunnecessary because it will always return 0, so just remove it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()\n\nSyzbot reported a bug as following:\n\n=====================================================\nBUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988\n kmalloc_reserve net/core/skbuff.c:492 [inline]\n __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565\n __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630\n qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)\nin qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().\nBut size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type\nequals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot\nscenario. This triggers the uninit variable access bug.\n\nAdd size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in\nqrtr_endpoint_post() to fix the bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mvebu: fix irq domain leak\n\nUwe Kleine-K\u00f6nig pointed out we still have one resource leak in the mvebu\ndriver triggered on driver detach. Let's address it with a custom devm\naction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53579",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: Gadget: core: Help prevent panic during UVC unconfigure\n\nAvichal Rakesh reported a kernel panic that occurred when the UVC\ngadget driver was removed from a gadget's configuration.  The panic\ninvolves a somewhat complicated interaction between the kernel driver\nand a userspace component (as described in the Link tag below), but\nthe analysis did make one thing clear: The Gadget core should\naccomodate gadget drivers calling usb_gadget_deactivate() as part of\ntheir unbind procedure.\n\nCurrently this doesn't work.  gadget_unbind_driver() calls\ndriver->unbind() while holding the udc->connect_lock mutex, and\nusb_gadget_deactivate() attempts to acquire that mutex, which will\nresult in a deadlock.\n\nThe simple fix is for gadget_unbind_driver() to release the mutex when\ninvoking the ->unbind() callback.  There is no particular reason for\nit to be holding the mutex at that time, and the mutex isn't held\nwhile the ->bind() callback is invoked.  So we'll drop the mutex\nbefore performing the unbind callback and reacquire it afterward.\n\nWe'll also add a couple of comments to usb_gadget_activate() and\nusb_gadget_deactivate().  Because they run in process context they\nmust not be called from a gadget driver's ->disconnect() callback,\nwhich (according to the kerneldoc for struct usb_gadget_driver in\ninclude/linux/usb/gadget.h) may run in interrupt context.  This may\nhelp prevent similar bugs from arising in the future.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Check for NOT_READY flag state after locking\n\nCurrently the check for NOT_READY flag is performed before obtaining the\nnecessary lock. This opens a possibility for race condition when the flow\nis concurrently removed from unready_flows list by the workqueue task,\nwhich causes a double-removal from the list and a crash[0]. Fix the issue\nby moving the flag check inside the section protected by\nuplink_priv->unready_flows_lock mutex.\n\n[0]:\n[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1\n[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06\n[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246\n[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00\n[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0\n[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001\n[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000\n[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000\n[44376.402999] FS:  00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000\n[44376.403787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0\n[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[44376.406339] Call Trace:\n[44376.406651]  <TASK>\n[44376.406939]  ? die_addr+0x33/0x90\n[44376.407311]  ? exc_general_protection+0x192/0x390\n[44376.407795]  ? asm_exc_general_protection+0x22/0x30\n[44376.408292]  ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]\n[44376.408876]  __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]\n[44376.409482]  mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]\n[44376.410055]  mlx5e_flow_put+0x25/0x50 [mlx5_core]\n[44376.410529]  mlx5e_delete_flower+0x24b/0x350 [mlx5_core]\n[44376.411043]  tc_setup_cb_reoffload+0x22/0x80\n[44376.411462]  fl_reoffload+0x261/0x2f0 [cls_flower]\n[44376.411907]  ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.412481]  ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]\n[44376.413044]  tcf_block_playback_offloads+0x76/0x170\n[44376.413497]  tcf_block_unbind+0x7b/0xd0\n[44376.413881]  tcf_block_setup+0x17d/0x1c0\n[44376.414269]  tcf_block_offload_cmd.isra.0+0xf1/0x130\n[44376.414725]  tcf_block_offload_unbind+0x43/0x70\n[44376.415153]  __tcf_block_put+0x82/0x150\n[44376.415532]  ingress_destroy+0x22/0x30 [sch_ingress]\n[44376.415986]  qdisc_destroy+0x3b/0xd0\n[44376.416343]  qdisc_graft+0x4d0/0x620\n[44376.416706]  tc_get_qdisc+0x1c9/0x3b0\n[44376.417074]  rtnetlink_rcv_msg+0x29c/0x390\n[44376.419978]  ? rep_movs_alternative+0x3a/0xa0\n[44376.420399]  ? rtnl_calcit.isra.0+0x120/0x120\n[44376.420813]  netlink_rcv_skb+0x54/0x100\n[44376.421192]  netlink_unicast+0x1f6/0x2c0\n[44376.421573]  netlink_sendmsg+0x232/0x4a0\n[44376.421980]  sock_sendmsg+0x38/0x60\n[44376.422328]  ____sys_sendmsg+0x1d0/0x1e0\n[44376.422709]  ? copy_msghdr_from_user+0x6d/0xa0\n[44376.423127]  ___sys_sendmsg+0x80/0xc0\n[44376.423495]  ? ___sys_recvmsg+0x8b/0xc0\n[44376.423869]  __sys_sendmsg+0x51/0x90\n[44376.424226]  do_syscall_64+0x3d/0x90\n[44376.424587]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[44376.425046] RIP: 0033:0x7f045134f887\n[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds\n\nFix a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with\na CLM version string by memcpy() in brcmf_fil_iovar_data_get().\nEnsure buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n[   33.021554][ T1896] ==================================================================\n[   33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110\n[   33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896\n[   33.023852][ T1896]\n[   33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132\n[   33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   33.026065][ T1896] Workqueue: usb_hub_wq hub_event\n[   33.026581][ T1896] Call Trace:\n[   33.026896][ T1896]  dump_stack_lvl+0x57/0x7d\n[   33.027372][ T1896]  print_address_description.constprop.0.cold+0xf/0x334\n[   33.028037][ T1896]  ? strreplace+0xf2/0x110\n[   33.028403][ T1896]  ? strreplace+0xf2/0x110\n[   33.028807][ T1896]  kasan_report.cold+0x83/0xdf\n[   33.029283][ T1896]  ? strreplace+0xf2/0x110\n[   33.029666][ T1896]  strreplace+0xf2/0x110\n[   33.029966][ T1896]  brcmf_c_preinit_dcmds+0xab1/0xc40\n[   33.030351][ T1896]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   33.030787][ T1896]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   33.031223][ T1896]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   33.031661][ T1896]  ? lock_acquire+0x19d/0x4e0\n[   33.032091][ T1896]  ? find_held_lock+0x2d/0x110\n[   33.032605][ T1896]  ? brcmf_usb_deq+0x1a7/0x260\n[   33.033087][ T1896]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   33.033582][ T1896]  brcmf_attach+0x246/0xd40\n[   33.034022][ T1896]  ? wiphy_new_nm+0x1476/0x1d50\n[   33.034383][ T1896]  ? kmemdup+0x30/0x40\n[   33.034722][ T1896]  brcmf_usb_probe+0x12de/0x1690\n[   33.035223][ T1896]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   33.035833][ T1896]  usb_probe_interface+0x25f/0x710\n[   33.036315][ T1896]  really_probe+0x1be/0xa90\n[   33.036656][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.037026][ T1896]  ? usb_match_id.part.0+0x88/0xc0\n[   33.037383][ T1896]  driver_probe_device+0x49/0x120\n[   33.037790][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.038300][ T1896]  ? driver_allows_async_probing+0x120/0x120\n[   33.038986][ T1896]  bus_for_each_drv+0x123/0x1a0\n[   33.039906][ T1896]  ? bus_rescan_devices+0x20/0x20\n[   33.041412][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   33.041861][ T1896]  ? trace_hardirqs_on+0x1c/0x120\n[   33.042330][ T1896]  __device_attach+0x207/0x330\n[   33.042664][ T1896]  ? device_bind_driver+0xb0/0xb0\n[   33.043026][ T1896]  ? kobject_uevent_env+0x230/0x12c0\n[   33.043515][ T1896]  bus_probe_device+0x1a2/0x260\n[   33.043914][ T1896]  device_add+0xa61/0x1ce0\n[   33.044227][ T1896]  ? __mutex_unlock_slowpath+0xe7/0x660\n[   33.044891][ T1896]  ? __fw_devlink_link_to_suppliers+0x550/0x550\n[   33.045531][ T1896]  usb_set_configuration+0x984/0x1770\n[   33.046051][ T1896]  ? kernfs_create_link+0x175/0x230\n[   33.046548][ T1896]  usb_generic_driver_probe+0x69/0x90\n[   33.046931][ T1896]  usb_probe_device+0x9c/0x220\n[   33.047434][ T1896]  really_probe+0x1be/0xa90\n[   33.047760][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.048134][ T1896]  driver_probe_device+0x49/0x120\n[   33.048516][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.048910][ T1896]  ? driver_allows_async_probing+0x120/0x120\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()\n\nSince commit 096b52fd2bb4 (\"perf: RISC-V: throttle perf events\") the\nperf_sample_event_took() function was added to report time spent in\noverflow interrupts. If the interrupt takes too long, the perf framework\nwill lower the sysctl_perf_event_sample_rate and max_samples_per_tick.\nWhen hwc->interrupts is larger than max_samples_per_tick, the\nhwc->interrupts will be set to MAX_INTERRUPTS, and events will be\nthrottled within the __perf_event_account_interrupt() function.\n\nHowever, the RISC-V PMU driver doesn't call riscv_pmu_stop() to update the\nPERF_HES_STOPPED flag after perf_event_overflow() in pmu_sbi_ovf_handler()\nfunction to avoid throttling. When the perf framework unthrottled the event\nin the timer interrupt handler, it triggers riscv_pmu_start() function\nand causes a WARN_ON_ONCE() warning, as shown below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 240 at drivers/perf/riscv_pmu.c:184 riscv_pmu_start+0x7c/0x8e\n Modules linked in:\n CPU: 0 PID: 240 Comm: ls Not tainted 6.4-rc4-g19d0788e9ef2 #1\n Hardware name: SiFive (DT)\n epc : riscv_pmu_start+0x7c/0x8e\n  ra : riscv_pmu_start+0x28/0x8e\n epc : ffffffff80aef864 ra : ffffffff80aef810 sp : ffff8f80004db6f0\n  gp : ffffffff81c83750 tp : ffffaf80069f9bc0 t0 : ffff8f80004db6c0\n  t1 : 0000000000000000 t2 : 000000000000001f s0 : ffff8f80004db720\n  s1 : ffffaf8008ca1068 a0 : 0000ffffffffffff a1 : 0000000000000000\n  a2 : 0000000000000001 a3 : 0000000000000870 a4 : 0000000000000000\n  a5 : 0000000000000000 a6 : 0000000000000840 a7 : 0000000000000030\n  s2 : 0000000000000000 s3 : ffffaf8005165800 s4 : ffffaf800424da00\n  s5 : ffffffffffffffff s6 : ffffffff81cc7590 s7 : 0000000000000000\n  s8 : 0000000000000006 s9 : 0000000000000001 s10: ffffaf807efbc340\n  s11: ffffaf807efbbf00 t3 : ffffaf8006a16028 t4 : 00000000dbfbb796\n  t5 : 0000000700000000 t6 : ffffaf8005269870\n status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n [<ffffffff80aef864>] riscv_pmu_start+0x7c/0x8e\n [<ffffffff80185b56>] perf_adjust_freq_unthr_context+0x15e/0x174\n [<ffffffff80188642>] perf_event_task_tick+0x88/0x9c\n [<ffffffff800626a8>] scheduler_tick+0xfe/0x27c\n [<ffffffff800b5640>] update_process_times+0x9a/0xba\n [<ffffffff800c5bd4>] tick_sched_handle+0x32/0x66\n [<ffffffff800c5e0c>] tick_sched_timer+0x64/0xb0\n [<ffffffff800b5e50>] __hrtimer_run_queues+0x156/0x2f4\n [<ffffffff800b6bdc>] hrtimer_interrupt+0xe2/0x1fe\n [<ffffffff80acc9e8>] riscv_timer_interrupt+0x38/0x42\n [<ffffffff80090a16>] handle_percpu_devid_irq+0x90/0x1d2\n [<ffffffff8008a9f4>] generic_handle_domain_irq+0x28/0x36\n\nAfter referring other PMU drivers like Arm, Loongarch, Csky, and Mips,\nthey don't call *_pmu_stop() to update with PERF_HES_STOPPED flag\nafter perf_event_overflow() function nor do they add PERF_HES_STOPPED\nflag checking in *_pmu_start() which don't cause this warning.\n\nThus, it's recommended to remove this unnecessary check in\nriscv_pmu_start() function to prevent this warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_releasepage: Remove ubifs_assert(0) to valid this process\n\nThere are two states for ubifs writing pages:\n1. Dirty, Private\n2. Not Dirty, Not Private\n\nThe normal process cannot go to ubifs_releasepage() which means there\nexists pages being private but not dirty. Reproducer[1] shows that it\ncould occur (which maybe related to [2]) with following process:\n\n     PA                     PB                    PC\nlock(page)[PA]\nubifs_write_end\n  attach_page_private         // set Private\n  __set_page_dirty_nobuffers  // set Dirty\nunlock(page)\n\nwrite_cache_pages[PA]\n  lock(page)\n  clear_page_dirty_for_io(page)\t// clear Dirty\n  ubifs_writepage\n\n                        do_truncation[PB]\n\t\t\t  truncate_setsize\n\t\t\t    i_size_write(inode, newsize) // newsize = 0\n\n    i_size = i_size_read(inode)\t// i_size = 0\n    end_index = i_size >> PAGE_SHIFT\n    if (page->index > end_index)\n      goto out // jump\nout:\nunlock(page)   // Private, Not Dirty\n\n\t\t\t\t\t\tgeneric_fadvise[PC]\n\t\t\t\t\t\t  lock(page)\n\t\t\t\t\t\t  invalidate_inode_page\n\t\t\t\t\t\t    try_to_release_page\n\t\t\t\t\t\t      ubifs_releasepage\n\t\t\t\t\t\t        ubifs_assert(c, 0)\n\t\t                                        // bad assertion!\n\t\t\t\t\t\t  unlock(page)\n\t\t\t  truncate_pagecache[PB]\n\nThen we may get following assertion failed:\n  UBIFS error (ubi0:0 pid 1683): ubifs_assert_failed [ubifs]:\n  UBIFS assert failed: 0, in fs/ubifs/file.c:1513\n  UBIFS warning (ubi0:0 pid 1683): ubifs_ro_mode [ubifs]:\n  switched to read-only mode, error -22\n  CPU: 2 PID: 1683 Comm: aa Not tainted 5.16.0-rc5-00184-g0bca5994cacc-dirty #308\n  Call Trace:\n    dump_stack+0x13/0x1b\n    ubifs_ro_mode+0x54/0x60 [ubifs]\n    ubifs_assert_failed+0x4b/0x80 [ubifs]\n    ubifs_releasepage+0x67/0x1d0 [ubifs]\n    try_to_release_page+0x57/0xe0\n    invalidate_inode_page+0xfb/0x130\n    __invalidate_mapping_pages+0xb9/0x280\n    invalidate_mapping_pagevec+0x12/0x20\n    generic_fadvise+0x303/0x3c0\n    ksys_fadvise64_64+0x4c/0xb0\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=215373\n[2] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject unhashed sockets in bpf_sk_assign\n\nThe semantics for bpf_sk_assign are as follows:\n\n    sk = some_lookup_func()\n    bpf_sk_assign(skb, sk)\n    bpf_sk_release(sk)\n\nThat is, the sk is not consumed by bpf_sk_assign. The function\ntherefore needs to make sure that sk lives long enough to be\nconsumed from __inet_lookup_skb. The path through the stack for a\nTCPv4 packet is roughly:\n\n  netif_receive_skb_core: takes RCU read lock\n    __netif_receive_skb_core:\n      sch_handle_ingress:\n        tcf_classify:\n          bpf_sk_assign()\n      deliver_ptype_list_skb:\n        deliver_skb:\n          ip_packet_type->func == ip_rcv:\n            ip_rcv_core:\n            ip_rcv_finish_core:\n              dst_input:\n                ip_local_deliver:\n                  ip_local_deliver_finish:\n                    ip_protocol_deliver_rcu:\n                      tcp_v4_rcv:\n                        __inet_lookup_skb:\n                          skb_steal_sock\n\nThe existing helper takes advantage of the fact that everything\nhappens in the same RCU critical section: for sockets with\nSOCK_RCU_FREE set bpf_sk_assign never takes a reference.\nskb_steal_sock then checks SOCK_RCU_FREE again and does sock_put\nif necessary.\n\nThis approach assumes that SOCK_RCU_FREE is never set on a sk\nbetween bpf_sk_assign and skb_steal_sock, but this invariant is\nviolated by unhashed UDP sockets. A new UDP socket is created\nin TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only\nadded in udp_lib_get_port() which happens when a socket is bound.\n\nWhen bpf_sk_assign was added it wasn't possible to access unhashed\nUDP sockets from BPF, so this wasn't a problem. This changed\nin commit 0c48eefae712 (\"sock_map: Lift socket state restriction\nfor datagram sockets\"), but the helper wasn't adjusted accordingly.\nThe following sequence of events will therefore lead to a refcount\nleak:\n\n1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.\n2. Pull socket out of sockmap and bpf_sk_assign it. Since\n   SOCK_RCU_FREE is not set we increment the refcount.\n3. bind() or connect() the socket, setting SOCK_RCU_FREE.\n4. skb_steal_sock will now set refcounted = false due to\n   SOCK_RCU_FREE.\n5. tcp_v4_rcv() skips sock_put().\n\nFix the problem by rejecting unhashed sockets in bpf_sk_assign().\nThis matches the behaviour of __inet_lookup_skb which is ultimately\nthe goal of bpf_sk_assign().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix multiple LUN_RESET handling\n\nThis fixes a bug where an initiator thinks a LUN_RESET has cleaned up\nrunning commands when it hasn't. The bug was added in commit 51ec502a3266\n(\"target: Delete tmr from list before processing\").\n\nThe problem occurs when:\n\n 1. We have N I/O cmds running in the target layer spread over 2 sessions.\n\n 2. The initiator sends a LUN_RESET for each session.\n\n 3. session1's LUN_RESET loops over all the running commands from both\n    sessions and moves them to its local drain_task_list.\n\n 4. session2's LUN_RESET does not see the LUN_RESET from session1 because\n    the commit above has it remove itself. session2 also does not see any\n    commands since the other reset moved them off the state lists.\n\n 5. sessions2's LUN_RESET will then complete with a successful response.\n\n 6. sessions2's inititor believes the running commands on its session are\n    now cleaned up due to the successful response and cleans up the running\n    commands from its side. It then restarts them.\n\n 7. The commands do eventually complete on the backend and the target\n    starts to return aborted task statuses for them. The initiator will\n    either throw a invalid ITT error or might accidentally lookup a new\n    task if the ITT has been reallocated already.\n\nFix the bug by reverting the patch, and serialize the execution of\nLUN_RESETs and Preempt and Aborts.\n\nAlso prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,\nbecause it turns out the original patch fixed a bug that was not\nmentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second\nLUN_RESET and wait on it. Then the second reset will run\ncore_tmr_drain_tmr_list and see the first reset and wait on it resulting in\na deadlock.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n    BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n    Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n    CPU: 0 PID: 0 Comm: swapper Tainted: G        W  O       6.3.0-rc1 #7\n    Stack:\n     60c4f20f 0c203d48 41b58ab3 60f224fc\n     600477fa 60f35687 60c4f20f 601273dd\n     00000008 6101eb00 6101eab0 615be548\n    Call Trace:\n     [<60047a58>] show_stack+0x25e/0x282\n     [<60c609e0>] dump_stack_lvl+0x96/0xfd\n     [<60c50d4c>] print_report+0x1a7/0x5a8\n     [<603078d3>] kasan_report+0xc1/0xe9\n     [<60308950>] __asan_report_load8_noabort+0x1b/0x1d\n     [<60232844>] irq_work_run_list+0x11a/0x13a\n     [<602328b4>] irq_work_tick+0x24/0x34\n     [<6017f9dc>] update_process_times+0x162/0x196\n     [<6019f335>] tick_sched_handle+0x1a4/0x1c3\n     [<6019fd9e>] tick_sched_timer+0x79/0x10c\n     [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695\n     [<60182913>] hrtimer_interrupt+0x16c/0x2c4\n     [<600486a3>] um_timer+0x164/0x183\n     [...]\n\n    Allocated by task 411:\n     save_stack_trace+0x99/0xb5\n     stack_trace_save+0x81/0x9b\n     kasan_save_stack+0x2d/0x54\n     kasan_set_track+0x34/0x3e\n     kasan_save_alloc_info+0x25/0x28\n     ____kasan_kmalloc+0x8b/0x97\n     __kasan_kmalloc+0x10/0x12\n     __kmalloc+0xb2/0xe8\n     load_elf_phdrs+0xee/0x182\n     [...]\n\n    The buggy address belongs to the object at 000000006d640800\n     which belongs to the cache kmalloc-1k of size 1024\n    The buggy address is located 584 bytes inside of\n     freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn't exist.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check for station first in client probe\n\nWhen probing a client, first check if we have it, and then\ncheck for the channel context, otherwise you can trigger\nthe warning there easily by probing when the AP isn't even\nstarted yet. Since a client existing means the AP is also\noperating, we can then keep the warning.\n\nAlso simplify the moved code a bit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't trust firmware n_channels\n\nIf the firmware sends us a corrupted MCC response with\nn_channels much larger than the command response can be,\nwe might copy far too much (uninitialized) memory and\neven crash if the n_channels is large enough to make it\nrun out of the one page allocated for the FW response.\n\nFix that by checking the lengths. Doing a < comparison\nwould be sufficient, but the firmware should be doing\nit correctly, so check more strictly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: add a refcnt in sctp_stream_priorities to avoid a nested loop\n\nWith this refcnt added in sctp_stream_priorities, we don't need to\ntraverse all streams to check if the prio is used by other streams\nwhen freeing one stream's prio in sctp_sched_prio_free_sid(). This\ncan avoid a nested loop (up to 65535 * 65535), which may cause a\nstuck as Ying reported:\n\n    watchdog: BUG: soft lockup - CPU#23 stuck for 26s! [ksoftirqd/23:136]\n    Call Trace:\n     <TASK>\n     sctp_sched_prio_free_sid+0xab/0x100 [sctp]\n     sctp_stream_free_ext+0x64/0xa0 [sctp]\n     sctp_stream_free+0x31/0x50 [sctp]\n     sctp_association_free+0xa5/0x200 [sctp]\n\nNote that it doesn't need to use refcount_t type for this counter,\nas its accessing is always protected under the sock lock.\n\nv1->v2:\n - add a check in sctp_sched_prio_set to avoid the possible prio_head\n   refcnt overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlock in tc route query code\n\nCited commit causes ABBA deadlock[0] when peer flows are created while\nholding the devcom rw semaphore. Due to peer flows offload implementation\nthe lock is taken much higher up the call chain and there is no obvious way\nto easily fix the deadlock. Instead, since tc route query code needs the\npeer eswitch structure only to perform a lookup in xarray and doesn't\nperform any sleeping operations with it, refactor the code for lockless\nexecution in following ways:\n\n- RCUify the devcom 'data' pointer. When resetting the pointer\nsynchronously wait for RCU grace period before returning. This is fine\nsince devcom is currently only used for synchronization of\npairing/unpairing of eswitches which is rare and already expensive as-is.\n\n- Wrap all usages of 'paired' boolean in {READ|WRITE}_ONCE(). The flag has\nalready been used in some unlocked contexts without proper\nannotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn't\nan issue since all relevant code paths checked it again after obtaining the\ndevcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as\n\"best effort\" check to return NULL when devcom is being unpaired. Note that\nwhile RCU read lock doesn't prevent the unpaired flag from being changed\nconcurrently it still guarantees that reader can continue to use 'data'.\n\n- Refactor mlx5e_tc_query_route_vport() function to use new\nmlx5_devcom_get_peer_data_rcu() API which fixes the deadlock.\n\n[0]:\n\n[  164.599612] ======================================================\n[  164.600142] WARNING: possible circular locking dependency detected\n[  164.600667] 6.3.0-rc3+ #1 Not tainted\n[  164.601021] ------------------------------------------------------\n[  164.601557] handler1/3456 is trying to acquire lock:\n[  164.601998] ffff88811f1714b0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[  164.603078]\n               but task is already holding lock:\n[  164.603617] ffff88810137fc98 (&comp->sem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[  164.604459]\n               which lock already depends on the new lock.\n\n[  164.605190]\n               the existing dependency chain (in reverse order) is:\n[  164.605848]\n               -> #1 (&comp->sem){++++}-{3:3}:\n[  164.606380]        down_read+0x39/0x50\n[  164.606772]        mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[  164.607336]        mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core]\n[  164.607914]        mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core]\n[  164.608495]        mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core]\n[  164.609063]        mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core]\n[  164.609627]        __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core]\n[  164.610175]        mlx5e_configure_flower+0x952/0x1a20 [mlx5_core]\n[  164.610741]        tc_setup_cb_add+0xd4/0x200\n[  164.611146]        fl_hw_replace_filter+0x14c/0x1f0 [cls_flower]\n[  164.611661]        fl_change+0xc95/0x18a0 [cls_flower]\n[  164.612116]        tc_new_tfilter+0x3fc/0xd20\n[  164.612516]        rtnetlink_rcv_msg+0x418/0x5b0\n[  164.612936]        netlink_rcv_skb+0x54/0x100\n[  164.613339]        netlink_unicast+0x190/0x250\n[  164.613746]        netlink_sendmsg+0x245/0x4a0\n[  164.614150]        sock_sendmsg+0x38/0x60\n[  164.614522]        ____sys_sendmsg+0x1d0/0x1e0\n[  164.614934]        ___sys_sendmsg+0x80/0xc0\n[  164.615320]        __sys_sendmsg+0x51/0x90\n[  164.615701]        do_syscall_64+0x3d/0x90\n[  164.616083]        entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  164.616568]\n               -> #0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}:\n[  164.617210]        __lock_acquire+0x159e/0x26e0\n[  164.617638]        lock_acquire+0xc2/0x2a0\n[  164.618018]        __mutex_lock+0x92/0xcd0\n[  164.618401]        mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[  164.618943]        post_process_attr+0x153/0x2d0 [\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: sifive: Fix refcount leak in sifive_gpio_probe\n\nof_irq_find_parent() returns a node pointer with refcount incremented.\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53592",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Release folio lock on fscache read hit.\n\nUnder the current code, when cifs_readpage_worker is called, the call\ncontract is that the callee should unlock the page. This is documented\nin the read_folio section of Documentation/filesystems/vfs.rst as:\n\n> The filesystem should unlock the folio once the read has completed,\n> whether it was successful or not.\n\nWithout this change, when fscache is in use and cache hit occurs during\na read, the page lock is leaked, producing the following stack on\nsubsequent reads (via mmap) to the page:\n\n$ cat /proc/3890/task/12864/stack\n[<0>] folio_wait_bit_common+0x124/0x350\n[<0>] filemap_read_folio+0xad/0xf0\n[<0>] filemap_fault+0x8b1/0xab0\n[<0>] __do_fault+0x39/0x150\n[<0>] do_fault+0x25c/0x3e0\n[<0>] __handle_mm_fault+0x6ca/0xc70\n[<0>] handle_mm_fault+0xe9/0x350\n[<0>] do_user_addr_fault+0x225/0x6c0\n[<0>] exc_page_fault+0x84/0x1b0\n[<0>] asm_exc_page_fault+0x27/0x30\n\nThis requires a reboot to resolve; it is a deadlock.\n\nNote however that the call to cifs_readpage_from_fscache does mark the\npage clean, but does not free the folio lock. This happens in\n__cifs_readpage_from_fscache on success. Releasing the lock at that\npoint however is not appropriate as cifs_readahead also calls\ncifs_readpage_from_fscache and *does* unconditionally release the lock\nafter its return. This change therefore effectively makes\ncifs_readpage_worker work like cifs_readahead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix resource leak in device_add()\n\nWhen calling kobject_add() failed in device_add(), it will call\ncleanup_glue_dir() to free resource. But in kobject_add(),\ndev->kobj.parent has been set to NULL. This will cause resource leak.\n\nThe process is as follows:\ndevice_add()\n\tget_device_parent()\n\t\tclass_dir_create_and_add()\n\t\t\tkobject_add()\t\t//kobject_get()\n\t...\n\tdev->kobj.parent = kobj;\n\t...\n\tkobject_add()\t\t//failed, but set dev->kobj.parent = NULL\n\t...\n\tglue_dir = get_glue_dir(dev)\t//glue_dir = NULL, and goto\n\t\t\t\t\t//\"Error\" label\n\t...\n\tcleanup_glue_dir()\t//because glue_dir is NULL, not call\n\t\t\t\t//kobject_put()\n\nThe preceding problem may cause insmod mac80211_hwsim.ko to fail.\nsysfs: cannot create duplicate filename '/devices/virtual/mac80211_hwsim'\nCall Trace:\n<TASK>\ndump_stack_lvl+0x8e/0xd1\nsysfs_warn_dup.cold+0x1c/0x29\nsysfs_create_dir_ns+0x224/0x280\nkobject_add_internal+0x2aa/0x880\nkobject_add+0x135/0x1a0\nget_device_parent+0x3d7/0x590\ndevice_add+0x2aa/0x1cb0\ndevice_create_groups_vargs+0x1eb/0x260\ndevice_create+0xdc/0x110\nmac80211_hwsim_new_radio+0x31e/0x4790 [mac80211_hwsim]\ninit_mac80211_hwsim+0x48d/0x1000 [mac80211_hwsim]\ndo_one_initcall+0x10f/0x630\ndo_init_module+0x19f/0x5e0\nload_module+0x64b7/0x6eb0\n__do_sys_finit_module+0x140/0x200\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n</TASK>\nkobject_add_internal failed for mac80211_hwsim with -EEXIST, don't try to\nregister things with the same name in the same directory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: mcs: Fix NULL pointer dereferences\n\nWhen system is rebooted after creating macsec interface\nbelow NULL pointer dereference crashes occurred. This\npatch fixes those crashes by using correct order of teardown\n\n[ 3324.406942] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 3324.415726] Mem abort info:\n[ 3324.418510]   ESR = 0x96000006\n[ 3324.421557]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 3324.426865]   SET = 0, FnV = 0\n[ 3324.429913]   EA = 0, S1PTW = 0\n[ 3324.433047] Data abort info:\n[ 3324.435921]   ISV = 0, ISS = 0x00000006\n[ 3324.439748]   CM = 0, WnR = 0\n....\n[ 3324.575915] Call trace:\n[ 3324.578353]  cn10k_mdo_del_secy+0x24/0x180\n[ 3324.582440]  macsec_common_dellink+0xec/0x120\n[ 3324.586788]  macsec_notify+0x17c/0x1c0\n[ 3324.590529]  raw_notifier_call_chain+0x50/0x70\n[ 3324.594965]  call_netdevice_notifiers_info+0x34/0x7c\n[ 3324.599921]  rollback_registered_many+0x354/0x5bc\n[ 3324.604616]  unregister_netdevice_queue+0x88/0x10c\n[ 3324.609399]  unregister_netdev+0x20/0x30\n[ 3324.613313]  otx2_remove+0x8c/0x310\n[ 3324.616794]  pci_device_shutdown+0x30/0x70\n[ 3324.620882]  device_shutdown+0x11c/0x204\n\n[  966.664930] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  966.673712] Mem abort info:\n[  966.676497]   ESR = 0x96000006\n[  966.679543]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  966.684848]   SET = 0, FnV = 0\n[  966.687895]   EA = 0, S1PTW = 0\n[  966.691028] Data abort info:\n[  966.693900]   ISV = 0, ISS = 0x00000006\n[  966.697729]   CM = 0, WnR = 0\n[  966.833467] Call trace:\n[  966.835904]  cn10k_mdo_stop+0x20/0xa0\n[  966.839557]  macsec_dev_stop+0xe8/0x11c\n[  966.843384]  __dev_close_many+0xbc/0x140\n[  966.847298]  dev_close_many+0x84/0x120\n[  966.851039]  rollback_registered_many+0x114/0x5bc\n[  966.855735]  unregister_netdevice_many.part.0+0x14/0xa0\n[  966.860952]  unregister_netdevice_many+0x18/0x24\n[  966.865560]  macsec_notify+0x1ac/0x1c0\n[  966.869303]  raw_notifier_call_chain+0x50/0x70\n[  966.873738]  call_netdevice_notifiers_info+0x34/0x7c\n[  966.878694]  rollback_registered_many+0x354/0x5bc\n[  966.883390]  unregister_netdevice_queue+0x88/0x10c\n[  966.888173]  unregister_netdev+0x20/0x30\n[  966.892090]  otx2_remove+0x8c/0x310\n[  966.895571]  pci_device_shutdown+0x30/0x70\n[  966.899660]  device_shutdown+0x11c/0x204\n[  966.903574]  __do_sys_reboot+0x208/0x290\n[  966.907487]  __arm64_sys_reboot+0x20/0x30\n[  966.911489]  el0_svc_handler+0x80/0x1c0\n[  966.915316]  el0_svc+0x8/0x180\n[  966.918362] Code: f9400000 f9400a64 91220014 f94b3403 (f9400060)\n[  966.924448] ---[ end trace 341778e799c3d8d7 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: Free devm resources when unregistering a device\n\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\n\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\n\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\n\nThis is effectively the same change as commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory leak concerns.\n\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix mid leak during reconnection after timeout threshold\n\nWhen the number of responses with status of STATUS_IO_TIMEOUT\nexceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect\nthe connection. But we do not return the mid, or the credits\nreturned for the mid, or reduce the number of in-flight requests.\n\nThis bug could result in the server->in_flight count to go bad,\nand also cause a leak in the mids.\n\nThis change moves the check to a few lines below where the\nresponse is decrypted, even if the response is read from the\ntransform header. This way, the code for returning the mids\ncan be reused.\n\nAlso, the cifs_reconnect was reconnecting just the transport\nconnection before. In case of multi-channel, this may not be\nwhat we want to do after several timeouts. Changed that to\nreconnect the session and the tree too.\n\nAlso renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name\nMAX_STATUS_IO_TIMEOUT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Range check CHDBOFF and ERDBOFF\n\nIf the value read from the CHDBOFF and ERDBOFF registers is outside the\nrange of the MHI register space then an invalid address might be computed\nwhich later causes a kernel panic.  Range check the read value to prevent\na crash due to bad data from the device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix missing initialisation affecting gcm-aes-s390\n\nFix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to point\nto the scatterlist array in areq->first_rsgl.sgl.sgl.\n\nWithout this, the gcm-aes-s390 driver will oops when it tries to do\ngcm_walk_start() on req->dst because req->dst is set to the value of\nareq->first_rsgl.sgl.sgl by _aead_recvmsg() calling\naead_request_set_crypt().\n\nThe problem comes if an empty ciphertext is passed: the loop in\naf_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsgl\nup.\n\nThis isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as far\nas I can tell, that ignores req->dst and only uses req->src[*].\n\n[*] Is this a bug in aesni-intel_glue.c?\n\nThe s390x oops looks something like:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 0000000a00000000 TEID: 0000000a00000803\n Fault in home space mode while using kernel ASCE.\n AS:00000000a43a0007 R3:0000000000000024\n Oops: 003b ilc:2 [#1] SMP\n ...\n Call Trace:\n  [<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390]\n  [<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8\n  [<00000000a2a60888>] aead_recvmsg+0x478/0x698\n  [<00000000a2e519a0>] sock_recvmsg+0x70/0xb0\n  [<00000000a2e51a56>] sock_read_iter+0x76/0xa0\n  [<00000000a273e066>] vfs_read+0x26e/0x2a8\n  [<00000000a273e8c4>] ksys_read+0xbc/0x100\n  [<00000000a311d808>] __do_syscall+0x1d0/0x1f8\n  [<00000000a312ff30>] system_call+0x70/0x98\n Last Breaking-Event-Address:\n  [<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix kasan splat when generating ipv4 pmtu error\n\nIf we try to emit an icmp error in response to a nonliner skb, we get\n\nBUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220\nRead of size 4 at addr ffff88811c50db00 by task iperf3/1691\nCPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309\n[..]\n kasan_report+0x105/0x140\n ip_compute_csum+0x134/0x220\n iptunnel_pmtud_build_icmp+0x554/0x1020\n skb_tunnel_check_pmtu+0x513/0xb80\n vxlan_xmit_one+0x139e/0x2ef0\n vxlan_xmit+0x1867/0x2760\n dev_hard_start_xmit+0x1ee/0x4f0\n br_dev_queue_push_xmit+0x4d1/0x660\n [..]\n\nip_compute_csum() cannot deal with nonlinear skbs, so avoid it.\nAfter this change, splat is gone and iperf3 is no longer stuck.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: do not assume skb mac_header is set\n\nDrivers must not assume in their ndo_start_xmit() that\nskbs have their mac_header set. skb->data is all what is needed.\n\nbonding seems to be one of the last offenders as caught by syzbot:\n\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skb_mac_offset include/linux/skbuff.h:2913 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 __bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]\nWARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470\nModules linked in:\nCPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\nRIP: 0010:skb_mac_header include/linux/skbuff.h:2907 [inline]\nRIP: 0010:skb_mac_offset include/linux/skbuff.h:2913 [inline]\nRIP: 0010:bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]\nRIP: 0010:bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]\nRIP: 0010:bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]\nRIP: 0010:__bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]\nRIP: 0010:bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470\nCode: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe <0f> 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e fe\nRSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283\nRAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000\nRDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6\nRBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584\nR10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7e\nR13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76\nFS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n[<ffffffff8471a49f>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]\n[<ffffffff8471a49f>] __dev_direct_xmit+0x4ef/0x850 net/core/dev.c:4380\n[<ffffffff851d845b>] dev_direct_xmit include/linux/netdevice.h:3043 [inline]\n[<ffffffff851d845b>] packet_direct_xmit+0x18b/0x300 net/packet/af_packet.c:284\n[<ffffffff851c7472>] packet_snd net/packet/af_packet.c:3112 [inline]\n[<ffffffff851c7472>] packet_sendmsg+0x4a22/0x64d0 net/packet/af_packet.c:3143\n[<ffffffff8467a4b2>] sock_sendmsg_nosec net/socket.c:716 [inline]\n[<ffffffff8467a4b2>] sock_sendmsg net/socket.c:736 [inline]\n[<ffffffff8467a4b2>] __sys_sendto+0x472/0x5f0 net/socket.c:2139\n[<ffffffff8467a715>] __do_sys_sendto net/socket.c:2151 [inline]\n[<ffffffff8467a715>] __se_sys_sendto net/socket.c:2147 [inline]\n[<ffffffff8467a715>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147\n[<ffffffff8553071f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff8553071f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80\n[<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix memory leak in WMI firmware stats\n\nMemory allocated for firmware pdev, vdev and beacon statistics\nis not released during rmmod.\n\nFix it by calling ath11k_fw_stats_free() function before hardware\nunregister.\n\nWhile at it, avoid calling ath11k_fw_stats_free() while processing\nthe firmware stats received in the WMI event because the local list\nis getting spliced and reinitialised and hence there are no elements\nin the list after splicing.\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Avoid fcport pointer dereference\n\nKlocwork reported warning of NULL pointer may be dereferenced.  The routine\nexits when sa_ctl is NULL and fcport is allocated after the exit call thus\ncausing NULL fcport pointer to dereference at the time of exit.\n\nTo avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53603",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: call kmem_cache_destroy() in dm_integrity_init() error path\n\nOtherwise the journal_io_cache will leak if dm_register_target() fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: amd: display: Fix memory leakage\n\nThis commit fixes memory leakage in dc_construct_ctx() function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53605",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clean up potential nfsd_file refcount leaks in COPY codepath\n\nThere are two different flavors of the nfsd4_copy struct. One is\nembedded in the compound and is used directly in synchronous copies. The\nother is dynamically allocated, refcounted and tracked in the client\nstructure. For the embedded one, the cleanup just involves releasing any\nnfsd_files held on its behalf. For the async one, the cleanup is a bit\nmore involved, and we need to dequeue it from lists, unhash it, etc.\n\nThere is at least one potential refcount leak in this code now. If the\nkthread_create call fails, then both the src and dst nfsd_files in the\noriginal nfsd4_copy object are leaked.\n\nThe cleanup in this codepath is also sort of weird. In the async copy\ncase, we'll have up to four nfsd_file references (src and dst for both\nflavors of copy structure). They are both put at the end of\nnfsd4_do_async_copy, even though the ones held on behalf of the embedded\none outlive that structure.\n\nChange it so that we always clean up the nfsd_file refs held by the\nembedded copy structure before nfsd4_copy returns. Rework\ncleanup_async_copy to handle both inter and intra copies. Eliminate\nnfsd4_cleanup_intra_ssc since it now becomes a no-op.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ymfpci: Fix BUG_ON in probe function\n\nThe snd_dma_buffer.bytes field now contains the aligned size, which this\nsnd_BUG_ON() did not account for, resulting in the following:\n\n[    9.625915] ------------[ cut here ]------------\n[    9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]\n[    9.648926] Modules linked in: snd_ymfpci(+) snd_intel_dspcfg kvm(+) snd_intel_sdw_acpi snd_ac97_codec snd_mpu401_uart snd_opl3_lib irqbypass snd_hda_codec gameport snd_rawmidi crct10dif_pclmul crc32_pclmul cfg80211 snd_hda_core polyval_clmulni polyval_generic gf128mul snd_seq_device ghash_clmulni_intel snd_hwdep ac97_bus sha512_ssse3 rfkill snd_pcm aesni_intel tg3 snd_timer crypto_simd snd mxm_wmi libphy cryptd k10temp fam15h_power pcspkr soundcore sp5100_tco wmi acpi_cpufreq mac_hid dm_multipath sg loop fuse dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi firewire_ohci crc32c_intel firewire_core xhci_pci crc_itu_t pata_via xhci_pci_renesas floppy\n[    9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da\n[    9.722200] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./990FX Extreme4, BIOS P2.70 06/05/2014\n[    9.732204] Workqueue: events work_for_cpu_fn\n[    9.736580] RIP: 0010:snd_ymfpci_create+0x681/0x698 [snd_ymfpci]\n[    9.742594] Code: 8c c0 4c 89 e2 48 89 df 48 c7 c6 92 c6 8c c0 e8 15 d0 e9 ff 48 83 c4 08 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 d3 7a 33 e3 <0f> 0b e9 cb fd ff ff 41 bd fb ff ff ff eb db 41 bd f4 ff ff ff eb\n[    9.761358] RSP: 0018:ffffab64804e7da0 EFLAGS: 00010287\n[    9.766594] RAX: ffff8fa2df06c400 RBX: ffff8fa3073a8000 RCX: ffff8fa303fbc4a8\n[    9.773734] RDX: ffff8fa2df06d000 RSI: 0000000000000010 RDI: 0000000000000020\n[    9.780876] RBP: ffff8fa300b5d0d0 R08: ffff8fa3073a8e50 R09: 00000000df06bf00\n[    9.788018] R10: ffff8fa2df06bf00 R11: 00000000df068200 R12: ffff8fa3073a8918\n[    9.795159] R13: 0000000000000000 R14: 0000000000000080 R15: ffff8fa2df068200\n[    9.802317] FS:  0000000000000000(0000) GS:ffff8fa9fec00000(0000) knlGS:0000000000000000\n[    9.810414] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    9.816158] CR2: 000055febaf66500 CR3: 0000000101a2e000 CR4: 00000000000406f0\n[    9.823301] Call Trace:\n[    9.825747]  <TASK>\n[    9.827889]  snd_card_ymfpci_probe+0x194/0x950 [snd_ymfpci b78a5fe64b5663a6390a909c67808567e3e73615]\n[    9.837030]  ? finish_task_switch.isra.0+0x90/0x2d0\n[    9.841918]  local_pci_probe+0x45/0x80\n[    9.845680]  work_for_cpu_fn+0x1a/0x30\n[    9.849431]  process_one_work+0x1c7/0x380\n[    9.853464]  worker_thread+0x1af/0x390\n[    9.857225]  ? rescuer_thread+0x3b0/0x3b0\n[    9.861254]  kthread+0xde/0x110\n[    9.864414]  ? kthread_complete_and_exit+0x20/0x20\n[    9.869210]  ret_from_fork+0x22/0x30\n[    9.872792]  </TASK>\n[    9.874985] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()\n\nThe finalization of nilfs_segctor_thread() can race with\nnilfs_segctor_kill_thread() which terminates that thread, potentially\ncausing a use-after-free BUG as KASAN detected.\n\nAt the end of nilfs_segctor_thread(), it assigns NULL to \"sc_task\" member\nof \"struct nilfs_sc_info\" to indicate the thread has finished, and then\nnotifies nilfs_segctor_kill_thread() of this using waitqueue\n\"sc_wait_task\" on the struct nilfs_sc_info.\n\nHowever, here, immediately after the NULL assignment to \"sc_task\", it is\npossible that nilfs_segctor_kill_thread() will detect it and return to\ncontinue the deallocation, freeing the nilfs_sc_info structure before the\nthread does the notification.\n\nThis fixes the issue by protecting the NULL assignment to \"sc_task\" and\nits notification, with spinlock \"sc_state_lock\" of the struct\nnilfs_sc_info.  Since nilfs_segctor_kill_thread() does a final check to\nsee if \"sc_task\" is NULL with \"sc_state_lock\" locked, this can eliminate\nthe race.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed\"\n\nThe \"atomic_inc(&cmd->device->iorequest_cnt)\" in scsi_queue_rq() would\ncause kernel panic because cmd->device may be freed after returning from\nscsi_dispatch_cmd().\n\nThis reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53609",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip: Fix refcount leak in platform_irqchip_probe\n\nof_irq_find_parent() returns a node pointer with refcount incremented.\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi_si: fix a memleak in try_smi_init()\n\nKmemleak reported the following leak info in try_smi_init():\n\nunreferenced object 0xffff00018ecf9400 (size 1024):\n  comm \"modprobe\", pid 2707763, jiffies 4300851415 (age 773.308s)\n  backtrace:\n    [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0\n    [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si]\n    [<000000006460d325>] 0xffff800081b10148\n    [<0000000039206ea5>] do_one_initcall+0x64/0x2a4\n    [<00000000601399ce>] do_init_module+0x50/0x300\n    [<000000003c12ba3c>] load_module+0x7a8/0x9e0\n    [<00000000c246fffe>] __se_sys_init_module+0x104/0x180\n    [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30\n    [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250\n    [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0\n    [<000000005a05337f>] el0_svc+0x24/0x3c\n    [<000000005eb248d6>] el0_sync_handler+0x160/0x164\n    [<0000000030a59039>] el0_sync+0x160/0x180\n\nThe problem was that when an error occurred before handlers registration\nand after allocating `new_smi->si_sm`, the variable wouldn't be freed in\nthe error handling afterwards since `shutdown_smi()` hadn't been\nregistered yet. Fix it by adding a `kfree()` in the error handling path\nin `try_smi_init()`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53611",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Simplify platform device handling\n\nCoretemp's platform driver is unconventional. All the real work is done\nglobally by the initcall and CPU hotplug notifiers, while the \"driver\"\neffectively just wraps an allocation and the registration of the hwmon\ninterface in a long-winded round-trip through the driver core.  The whole\nlogic of dynamically creating and destroying platform devices to bring\nthe interfaces up and down is error prone, since it assumes\nplatform_device_add() will synchronously bind the driver and set drvdata\nbefore it returns, thus results in a NULL dereference if drivers_autoprobe\nis turned off for the platform bus. Furthermore, the unusual approach of\ndoing that from within a CPU hotplug notifier, already commented in the\ncode that it deadlocks suspend, also causes lockdep issues for other\ndrivers or subsystems which may want to legitimately register a CPU\nhotplug notifier from a platform bus notifier.\n\nAll of these issues can be solved by ripping this unusual behaviour out\ncompletely, simply tying the platform devices to the lifetime of the\nmodule itself, and directly managing the hwmon interfaces from the\nhotplug notifiers. There is a slight user-visible change in that\n/sys/bus/platform/drivers/coretemp will no longer appear, and\n/sys/devices/platform/coretemp.n will remain present if package n is\nhotplugged off, but hwmon users should really only be looking for the\npresence of the hwmon interfaces, whose behaviour remains unchanged.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndax: Fix dax_mapping_release() use after free\n\nA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region\nprovider (like modprobe -r dax_hmem) yields:\n\n kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)\n [..]\n DEBUG_LOCKS_WARN_ON(1)\n WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260\n [..]\n RIP: 0010:__lock_acquire+0x9fc/0x2260\n [..]\n Call Trace:\n  <TASK>\n [..]\n  lock_acquire+0xd4/0x2c0\n  ? ida_free+0x62/0x130\n  _raw_spin_lock_irqsave+0x47/0x70\n  ? ida_free+0x62/0x130\n  ida_free+0x62/0x130\n  dax_mapping_release+0x1f/0x30\n  device_release+0x36/0x90\n  kobject_delayed_cleanup+0x46/0x150\n\nDue to attempting ida_free() on an ida object that has already been\nfreed. Devices typically only hold a reference on their parent while\nregistered. If a child needs a parent object to complete its release it\nneeds to hold a reference that it drops from its release callback.\nArrange for a dax_mapping to pin its parent dev_dax instance until\ndax_mapping_release().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53613",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ksm: fix race with VMA iteration and mm_struct teardown\n\nexit_mmap() will tear down the VMAs and maple tree with the mmap_lock held\nin write mode.  Ensure that the maple tree is still valid by checking\nksm_test_exit() after taking the mmap_lock in read mode, but before the\nfor_each_vma() iterator dereferences a destroyed maple tree.\n\nSince the maple tree is destroyed, the flags telling lockdep to check an\nexternal lock has been cleared.  Skip the for_each_vma() iterator to avoid\ndereferencing a maple tree without the external lock flag, which would\ncreate a lockdep warning.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix deletion race condition\n\nSystem crash when using debug kernel due to link list corruption. The cause\nof the link list corruption is due to session deletion was allowed to queue\nup twice.  Here's the internal trace that show the same port was allowed to\ndouble queue for deletion on different cpu.\n\n20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n\nMove the clearing/setting of deleted flag lock.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount\n\nsyzbot found an invalid-free in diUnmount:\n\nBUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674\nFree of addr ffff88806f410000 by task syz-executor131/3632\n\n CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Call Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n  print_address_description+0x74/0x340 mm/kasan/report.c:284\n  print_report+0x107/0x1f0 mm/kasan/report.c:395\n  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460\n  ____kasan_slab_free+0xfb/0x120\n  kasan_slab_free include/linux/kasan.h:177 [inline]\n  slab_free_hook mm/slub.c:1724 [inline]\n  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750\n  slab_free mm/slub.c:3661 [inline]\n  __kmem_cache_free+0x71/0x110 mm/slub.c:3674\n  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195\n  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63\n  jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n  generic_shutdown_super+0x130/0x310 fs/super.c:492\n  kill_block_super+0x79/0xd0 fs/super.c:1428\n  deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n  cleanup_mnt+0x494/0x520 fs/namespace.c:1186\n  task_work_run+0x243/0x300 kernel/task_work.c:179\n  exit_task_work include/linux/task_work.h:38 [inline]\n  do_exit+0x664/0x2070 kernel/exit.c:820\n  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950\n  __do_sys_exit_group kernel/exit.c:961 [inline]\n  __se_sys_exit_group kernel/exit.c:959 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.\nIf jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().\nJFS_IP(ipimap)->i_imap will be freed once again.\nFix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: socinfo: Add kfree for kstrdup\n\nAdd kfree() in the later error handling in order to avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject invalid reloc tree root keys with stack dump\n\n[BUG]\nSyzbot reported a crash that an ASSERT() got triggered inside\nprepare_to_merge().\n\nThat ASSERT() makes sure the reloc tree is properly pointed back by its\nsubvolume tree.\n\n[CAUSE]\nAfter more debugging output, it turns out we had an invalid reloc tree:\n\n  BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17\n\nNote the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,\nQUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.\n\nBut reloc trees can only exist for subvolumes, as for non-subvolume\ntrees, we just COW the involved tree block, no need to create a reloc\ntree since those tree blocks won't be shared with other trees.\n\nOnly subvolumes tree can share tree blocks with other trees (thus they\nhave BTRFS_ROOT_SHAREABLE flag).\n\nThus this new debug output proves my previous assumption that corrupted\non-disk data can trigger that ASSERT().\n\n[FIX]\nBesides the dedicated fix and the graceful exit, also let tree-checker to\ncheck such root keys, to make sure reloc trees can only exist for subvolumes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: Avoid nf_ct_helper_hash uses after free\n\nIf nf_conntrack_init_start() fails (for example due to a\nregister_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()\nclean-up path frees the nf_ct_helper_hash map.\n\nWhen built with NF_CONNTRACK=y, further netfilter modules (e.g:\nnetfilter_conntrack_ftp) can still be loaded and call\nnf_conntrack_helpers_register(), independently of whether nf_conntrack\ninitialized correctly. This accesses the nf_ct_helper_hash dangling\npointer and causes a uaf, possibly leading to random memory corruption.\n\nThis patch guards nf_conntrack_helper_register() from accessing a freed\nor uninitialized nf_ct_helper_hash pointer and fixes possible\nuses-after-free when loading a conntrack module.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix soft lockup in status_resync\n\nstatus_resync() will calculate 'curr_resync - recovery_active' to show\nuser a progress bar like following:\n\n[============>........]  resync = 61.4%\n\n'curr_resync' and 'recovery_active' is updated in md_do_sync(), and\nstatus_resync() can read them concurrently, hence it's possible that\n'curr_resync - recovery_active' can overflow to a huge number. In this\ncase status_resync() will be stuck in the loop to print a large amount\nof '=', which will end up soft lockup.\n\nFix the problem by setting 'resync' to MD_RESYNC_ACTIVE in this case,\nthis way resync in progress will be reported to user.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcontrol: ensure memcg acquired by id is properly set up\n\nIn the eviction recency check, we attempt to retrieve the memcg to which\nthe folio belonged when it was evicted, by the memcg id stored in the\nshadow entry.  However, there is a chance that the retrieved memcg is not\nthe original memcg that has been killed, but a new one which happens to\nhave the same id.\n\nThis is a somewhat unfortunate, but acceptable and rare inaccuracy in the\nheuristics.  However, if we retrieve this new memcg between its allocation\nand when it is properly attached to the memcg hierarchy, we could run into\nthe following NULL pointer exception during the memcg hierarchy traversal\ndone in mem_cgroup_get_nr_swap_pages():\n\n[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[ 155757.807568] #PF: supervisor read access in kernel mode\n[ 155757.818024] #PF: error_code(0x0000) - not-present page\n[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0\n[ 155757.839985] Oops: 0000 [#1] SMP\n[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 <48> 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48\n[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286\n[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000\n[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000\n[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0\n[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000\n[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354\n[ 155758.019991] FS:  00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000\n[ 155758.036356] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0\n[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 155758.091376] PKRU: 55555554\n[ 155758.096957] Call Trace:\n[ 155758.102016]  <TASK>\n[ 155758.106502]  ? __die+0x78/0xc0\n[ 155758.112793]  ? page_fault_oops+0x286/0x380\n[ 155758.121175]  ? exc_page_fault+0x5d/0x110\n[ 155758.129209]  ? asm_exc_page_fault+0x22/0x30\n[ 155758.137763]  ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0\n[ 155758.148060]  workingset_test_recent+0xda/0x1b0\n[ 155758.157133]  workingset_refault+0xca/0x1e0\n[ 155758.165508]  filemap_add_folio+0x4d/0x70\n[ 155758.173538]  page_cache_ra_unbounded+0xed/0x190\n[ 155758.182919]  page_cache_sync_ra+0xd6/0x1e0\n[ 155758.191738]  filemap_read+0x68d/0xdf0\n[ 155758.199495]  ? mlx5e_napi_poll+0x123/0x940\n[ 155758.207981]  ? __napi_schedule+0x55/0x90\n[ 155758.216095]  __x64_sys_pread64+0x1d6/0x2c0\n[ 155758.224601]  do_syscall_64+0x3d/0x80\n[ 155758.232058]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 155758.242473] RIP: 0033:0x7f62c29153b5\n[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b\n[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5\n[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076\n[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c\n[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041\n[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450\n[ 155758.376661]  </TASK>\n\nThis patch fixes the issue by moving the memcg's id publication from the\nalloc stage to \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix possible data races in gfs2_show_options()\n\nSome fields such as gt_logd_secs of the struct gfs2_tune are accessed\nwithout holding the lock gt_spin in gfs2_show_options():\n\n  val = sdp->sd_tune.gt_logd_secs;\n  if (val != 30)\n    seq_printf(s, \",commit=%d\", val);\n\nAnd thus can cause data races when gfs2_show_options() and other functions\nsuch as gfs2_reconfigure() are concurrently executed:\n\n  spin_lock(&gt->gt_spin);\n  gt->gt_logd_secs = newargs->ar_commit;\n\nTo fix these possible data races, the lock sdp->sd_tune.gt_spin is\nacquired before accessing the fields of gfs2_tune and released after these\naccesses.\n\nFurther changes by Andreas:\n\n- Don't hold the spin lock over the seq_printf operations.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix swap_info_struct race between swapoff and get_swap_pages()\n\nThe si->lock must be held when deleting the si from the available list. \nOtherwise, another thread can re-add the si to the available list, which\ncan lead to memory corruption.  The only place we have found where this\nhappens is in the swapoff path.  This case can be described as below:\n\ncore 0                       core 1\nswapoff\n\ndel_from_avail_list(si)      waiting\n\ntry lock si->lock            acquire swap_avail_lock\n                             and re-add si into\n                             swap_avail_head\n\nacquire si->lock but missing si already being added again, and continuing\nto clear SWP_WRITEOK, etc.\n\nIt can be easily found that a massive warning messages can be triggered\ninside get_swap_pages() by some special cases, for example, we call\nmadvise(MADV_PAGEOUT) on blocks of touched memory concurrently, meanwhile,\nrun much swapon-swapoff operations (e.g.  stress-ng-swap).\n\nHowever, in the worst case, panic can be caused by the above scene.  In\nswapoff(), the memory used by si could be kept in swap_info[] after\nturning off a swap.  This means memory corruption will not be caused\nimmediately until allocated and reset for a new swap in the swapon path. \nA panic message caused: (with CONFIG_PLIST_DEBUG enabled)\n\n------------[ cut here ]------------\ntop: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a\nprev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d\nnext: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a\nWARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70\nModules linked in: rfkill(E) crct10dif_ce(E)...\nCPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 5.10.134+\nHardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)\npc : plist_check_prev_next_node+0x50/0x70\nlr : plist_check_prev_next_node+0x50/0x70\nsp : ffff0018009d3c30\nx29: ffff0018009d3c40 x28: ffff800011b32a98\nx27: 0000000000000000 x26: ffff001803908000\nx25: ffff8000128ea088 x24: ffff800011b32a48\nx23: 0000000000000028 x22: ffff001800875c00\nx21: ffff800010f9e520 x20: ffff001800875c00\nx19: ffff001800fdc6e0 x18: 0000000000000030\nx17: 0000000000000000 x16: 0000000000000000\nx15: 0736076307640766 x14: 0730073007380731\nx13: 0736076307640766 x12: 0730073007380731\nx11: 000000000004058d x10: 0000000085a85b76\nx9 : ffff8000101436e4 x8 : ffff800011c8ce08\nx7 : 0000000000000000 x6 : 0000000000000001\nx5 : ffff0017df9ed338 x4 : 0000000000000001\nx3 : ffff8017ce62a000 x2 : ffff0017df9ed340\nx1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n plist_check_prev_next_node+0x50/0x70\n plist_check_head+0x80/0xf0\n plist_add+0x28/0x140\n add_to_avail_list+0x9c/0xf0\n _enable_swap_info+0x78/0xb4\n __do_sys_swapon+0x918/0xa10\n __arm64_sys_swapon+0x20/0x30\n el0_svc_common+0x8c/0x220\n do_el0_svc+0x2c/0x90\n el0_svc+0x1c/0x30\n el0_sync_handler+0xa8/0xb0\n el0_sync+0x148/0x180\nirq event stamp: 2082270\n\nNow, si->lock locked before calling 'del_from_avail_list()' to make sure\nother thread see the si had been deleted and SWP_WRITEOK cleared together,\nwill not reinsert again.\n\nThis problem exists in versions after stable 5.10.y.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_fq: fix integer overflow of \"credit\"\n\nif sch_fq is configured with \"initial quantum\" having values greater than\nINT_MAX, the first assignment of \"credit\" does signed integer overflow to\na very negative value.\nIn this situation, the syzkaller script provided by Cristoph triggers the\nCPU soft-lockup warning even with few sockets. It's not an infinite loop,\nbut \"credit\" wasn't probably meant to be minus 2Gb for each new flow.\nCapping \"initial quantum\" to INT_MAX proved to fix the issue.\n\nv2: validation of \"initial quantum\" is done in fq_policy, instead of open\n    coding in fq_change() _ suggested by Jakub Kicinski",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix vgpu debugfs clean in remove\n\nCheck carefully on root debugfs available when destroying vgpu,\ne.g in remove case drm minor's debugfs root might already be destroyed,\nwhich led to kernel oops like below.\n\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nintel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14\nBUG: kernel NULL pointer dereference, address: 0000000000000150\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6\nHardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022\nRIP: 0010:__lock_acquire+0x5e2/0x1f90\nCode: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff <48> 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0\nRSP: 0018:ffff9f770274f948 EFLAGS: 00010046\nRAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000\nR13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n lock_acquire+0xbf/0x2b0\n ? simple_recursive_removal+0xa5/0x2b0\n ? lock_release+0x13d/0x2d0\n down_write+0x2a/0xd0\n ? simple_recursive_removal+0xa5/0x2b0\n simple_recursive_removal+0xa5/0x2b0\n ? start_creating.part.0+0x110/0x110\n ? _raw_spin_unlock+0x29/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]\n intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]\n intel_vgpu_release_dev+0xe/0x20 [kvmgt]\n device_release+0x30/0x80\n kobject_put+0x79/0x1b0\n device_release_driver_internal+0x1b8/0x230\n bus_remove_device+0xec/0x160\n device_del+0x189/0x400\n ? up_write+0x9c/0x1b0\n ? mdev_device_remove_common+0x60/0x60 [mdev]\n mdev_device_remove_common+0x22/0x60 [mdev]\n mdev_device_remove_cb+0x17/0x20 [mdev]\n device_for_each_child+0x56/0x80\n mdev_unregister_parent+0x5a/0x81 [mdev]\n intel_gvt_clean_device+0x2d/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2e/0xb0 [i915]\n i915_driver_remove+0xac/0x100 [i915]\n i915_pci_remove+0x1a/0x30 [i915]\n pci_device_remove+0x31/0xa0\n device_release_driver_internal+0x1b8/0x230\n unbind_store+0xd8/0x100\n kernfs_fop_write_iter+0x156/0x210\n vfs_write+0x236/0x4a0\n ksys_write+0x61/0xd0\n do_syscall_64+0x55/0x80\n ? find_held_lock+0x2b/0x80\n ? lock_release+0x13d/0x2d0\n ? up_read+0x17/0x20\n ? lock_is_held_type+0xe3/0x140\n ? asm_exc_page_fault+0x22/0x30\n ? lockdep_hardirqs_on+0x7d/0x100\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fc9b2c9e0c4\nCode: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48\nRSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4\nRDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001\nRBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30\nR10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d\nR13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00\n </TASK>\nModules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-53626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix possible double unlock when moving a directory",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2.8"
        },
        {
          "id": "CVE-2023-53627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list\n\nWhen freeing slots in function slot_complete_v3_hw(), it is possible that\nsas_dev.list is being traversed elsewhere, and it may trigger a NULL\npointer exception, such as follows:\n\n==>cq thread                    ==>scsi_eh_6\n\n                                ==>scsi_error_handler()\n\t\t\t\t  ==>sas_eh_handle_sas_errors()\n\t\t\t\t    ==>sas_scsi_find_task()\n\t\t\t\t      ==>lldd_abort_task()\n==>slot_complete_v3_hw()              ==>hisi_sas_abort_task()\n  ==>hisi_sas_slot_task_free()\t        ==>dereg_device_v3_hw()\n    ==>list_del_init()        \t\t  ==>list_for_each_entry_safe()\n\n[ 7165.434918] sas: Enter sas_scsi_recover_host busy: 32 failed: 32\n[ 7165.434926] sas: trying to find task 0x00000000769b5ba5\n[ 7165.434927] sas: sas_scsi_find_task: aborting task 0x00000000769b5ba5\n[ 7165.434940] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000769b5ba5) aborted\n[ 7165.434964] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000c9f7aa07) ignored\n[ 7165.434965] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000e2a1cf01) ignored\n[ 7165.434968] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 7165.434972] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000022d52d93) ignored\n[ 7165.434975] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000066a7516c) ignored\n[ 7165.434976] Mem abort info:\n[ 7165.434982]   ESR = 0x96000004\n[ 7165.434991]   Exception class = DABT (current EL), IL = 32 bits\n[ 7165.434992]   SET = 0, FnV = 0\n[ 7165.434993]   EA = 0, S1PTW = 0\n[ 7165.434994] Data abort info:\n[ 7165.434994]   ISV = 0, ISS = 0x00000004\n[ 7165.434995]   CM = 0, WnR = 0\n[ 7165.434997] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f29543f2\n[ 7165.434998] [0000000000000000] pgd=0000000000000000\n[ 7165.435003] Internal error: Oops: 96000004 [#1] SMP\n[ 7165.439863] Process scsi_eh_6 (pid: 4109, stack limit = 0x00000000c43818d5)\n[ 7165.468862] pstate: 00c00009 (nzcv daif +PAN +UAO)\n[ 7165.473637] pc : dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.479443] lr : dereg_device_v3_hw+0x2c/0xa8 [hisi_sas_v3_hw]\n[ 7165.485247] sp : ffff00001d623bc0\n[ 7165.488546] x29: ffff00001d623bc0 x28: ffffa027d03b9508\n[ 7165.493835] x27: ffff80278ed50af0 x26: ffffa027dd31e0a8\n[ 7165.499123] x25: ffffa027d9b27f88 x24: ffffa027d9b209f8\n[ 7165.504411] x23: ffffa027c45b0d60 x22: ffff80278ec07c00\n[ 7165.509700] x21: 0000000000000008 x20: ffffa027d9b209f8\n[ 7165.514988] x19: ffffa027d9b27f88 x18: ffffffffffffffff\n[ 7165.520276] x17: 0000000000000000 x16: 0000000000000000\n[ 7165.525564] x15: ffff0000091d9708 x14: ffff0000093b7dc8\n[ 7165.530852] x13: ffff0000093b7a23 x12: 6e7265746e692067\n[ 7165.536140] x11: 0000000000000000 x10: 0000000000000bb0\n[ 7165.541429] x9 : ffff00001d6238f0 x8 : ffffa027d877af00\n[ 7165.546718] x7 : ffffa027d6329600 x6 : ffff7e809f58ca00\n[ 7165.552006] x5 : 0000000000001f8a x4 : 000000000000088e\n[ 7165.557295] x3 : ffffa027d9b27fa8 x2 : 0000000000000000\n[ 7165.562583] x1 : 0000000000000000 x0 : 000000003000188e\n[ 7165.567872] Call trace:\n[ 7165.570309]  dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.575775]  hisi_sas_abort_task+0x248/0x358 [hisi_sas_main]\n[ 7165.581415]  sas_eh_handle_sas_errors+0x258/0x8e0 [libsas]\n[ 7165.586876]  sas_scsi_recover_host+0x134/0x458 [libsas]\n[ 7165.592082]  scsi_error_handler+0xb4/0x488\n[ 7165.596163]  kthread+0x134/0x138\n[ 7165.599380]  ret_from_fork+0x10/0x18\n[ 7165.602940] Code: d5033e9f b9000040 aa0103e2 eb03003f (f9400021)\n[ 7165.609004] kernel fault(0x1) notification starting on CPU 75\n[ 7165.700728] ---[ end trace fc042cbbea224efc ]---\n[ 7165.705326] Kernel panic - not syncing: Fatal exception\n\nTo fix the issue, grab sas_dev lock when traversing the members of\nsas_dev.list in dereg_device_v3_hw() and hisi_sas_release_tasks() to avoid\nconcurrency of adding and deleting member. When \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: drop gfx_v11_0_cp_ecc_error_irq_funcs\n\nThe gfx.cp_ecc_error_irq is retired in gfx11. gfx_v11_0_hw_fini still\nuses amdgpu_irq_put to disable this interrupt, which caused the call trace\nin this function.\n\n[  102.873958] Call Trace:\n[  102.873959]  <TASK>\n[  102.873961]  gfx_v11_0_hw_fini+0x23/0x1e0 [amdgpu]\n[  102.874019]  gfx_v11_0_suspend+0xe/0x20 [amdgpu]\n[  102.874072]  amdgpu_device_ip_suspend_phase2+0x240/0x460 [amdgpu]\n[  102.874122]  amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]\n[  102.874172]  amdgpu_device_pre_asic_reset+0xd9/0x490 [amdgpu]\n[  102.874223]  amdgpu_device_gpu_recover.cold+0x548/0xce6 [amdgpu]\n[  102.874321]  amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]\n[  102.874375]  process_one_work+0x21f/0x3f0\n[  102.874377]  worker_thread+0x200/0x3e0\n[  102.874378]  ? process_one_work+0x3f0/0x3f0\n[  102.874379]  kthread+0xfd/0x130\n[  102.874380]  ? kthread_complete_and_exit+0x20/0x20\n[  102.874381]  ret_from_fork+0x22/0x30\n\nv2:\n- Handle umc and gfx ras cases in a separate patch\n- Retired the gfx_v11_0_cp_ecc_error_irq_funcs in gfx11\n\nv3:\n- Improve the subject and code comments\n- Add judgment on gfx11 in the function of amdgpu_gfx_ras_late_init\n\nv4:\n- Drop the define of CP_ME1_PIPE_INST_ADDR_INTERVAL and\nSET_ECC_ME_PIPE_STATE which are used in gfx_v11_0_set_cp_ecc_error_state\n- Check cp_ecc_error_irq.funcs rather than ip version for a more\nsustainable life\n\nv5:\n- Simplify judgment conditions",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix use after free in midcomms commit\n\nWhile working on processing dlm message in softirq context I experienced\nthe following KASAN use-after-free warning:\n\n[  151.760477] ==================================================================\n[  151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[  151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347\n\n[  151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828\n[  151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014\n[  151.768726] Call Trace:\n[  151.769277]  <TASK>\n[  151.769748]  dump_stack_lvl+0x5b/0x86\n[  151.770556]  print_report+0x180/0x4c8\n[  151.771378]  ? kasan_complete_mode_report_info+0x7c/0x1e0\n[  151.772241]  ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[  151.773069]  kasan_report+0x93/0x1a0\n[  151.773668]  ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[  151.774514]  __asan_load4+0x7e/0xa0\n[  151.775089]  dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[  151.775890]  ? create_message.isra.29.constprop.64+0x57/0xc0\n[  151.776770]  send_common+0x19f/0x1b0\n[  151.777342]  ? remove_from_waiters+0x60/0x60\n[  151.778017]  ? lock_downgrade+0x410/0x410\n[  151.778648]  ? __this_cpu_preempt_check+0x13/0x20\n[  151.779421]  ? rcu_lockdep_current_cpu_online+0x88/0xc0\n[  151.780292]  _convert_lock+0x46/0x150\n[  151.780893]  convert_lock+0x7b/0xc0\n[  151.781459]  dlm_lock+0x3ac/0x580\n[  151.781993]  ? 0xffffffffc0540000\n[  151.782522]  ? torture_stop+0x120/0x120 [dlm_locktorture]\n[  151.783379]  ? dlm_scan_rsbs+0xa70/0xa70\n[  151.784003]  ? preempt_count_sub+0xd6/0x130\n[  151.784661]  ? is_module_address+0x47/0x70\n[  151.785309]  ? torture_stop+0x120/0x120 [dlm_locktorture]\n[  151.786166]  ? 0xffffffffc0540000\n[  151.786693]  ? 
lockdep_init_map_type+0xc3/0x360\n[  151.787414]  ? 0xffffffffc0540000\n[  151.787947]  torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[  151.789004]  ? torture_stop+0x120/0x120 [dlm_locktorture]\n[  151.789858]  ? 0xffffffffc0540000\n[  151.790392]  ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]\n[  151.791347]  ? delay_tsc+0x94/0xc0\n[  151.791898]  torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[  151.792735]  ? torture_start+0x30/0x30 [dlm_locktorture]\n[  151.793606]  lock_torture+0x177/0x270 [dlm_locktorture]\n[  151.794448]  ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]\n[  151.795539]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[  151.796476]  ? do_raw_spin_lock+0x11e/0x1e0\n[  151.797152]  ? mark_held_locks+0x34/0xb0\n[  151.797784]  ? _raw_spin_unlock_irqrestore+0x30/0x70\n[  151.798581]  ? __kthread_parkme+0x79/0x110\n[  151.799246]  ? trace_preempt_on+0x2a/0xf0\n[  151.799902]  ? __kthread_parkme+0x79/0x110\n[  151.800579]  ? preempt_count_sub+0xd6/0x130\n[  151.801271]  ? __kasan_check_read+0x11/0x20\n[  151.801963]  ? __kthread_parkme+0xec/0x110\n[  151.802630]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[  151.803569]  kthread+0x192/0x1d0\n[  151.804104]  ? 
kthread_complete_and_exit+0x30/0x30\n[  151.804881]  ret_from_fork+0x1f/0x30\n[  151.805480]  </TASK>\n\n[  151.806111] Allocated by task 1347:\n[  151.806681]  kasan_save_stack+0x26/0x50\n[  151.807308]  kasan_set_track+0x25/0x30\n[  151.807920]  kasan_save_alloc_info+0x1e/0x30\n[  151.808609]  __kasan_slab_alloc+0x63/0x80\n[  151.809263]  kmem_cache_alloc+0x1ad/0x830\n[  151.809916]  dlm_allocate_mhandle+0x17/0x20\n[  151.810590]  dlm_midcomms_get_mhandle+0x96/0x260\n[  151.811344]  _create_message+0x95/0x180\n[  151.811994]  create_message.isra.29.constprop.64+0x57/0xc0\n[  151.812880]  send_common+0x129/0x1b0\n[  151.813467]  _convert_lock+0x46/0x150\n[  151.814074]  convert_lock+0x7b/0xc0\n[  151.814648]  dlm_lock+0x3ac/0x580\n[  151.815199]  torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[  151.816258]  torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[  151.817129]  lock_t\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix unpinning of pages when an access is present\n\nsyzkaller found that the calculation of batch_last_index should use\n'start_index' since at input to this function the batch is either empty or\nit has already been adjusted to cross any accesses so it will start at the\npoint we are unmapping from.\n\nGetting this wrong causes the unmap to run over the end of the pages\nwhich corrupts pages that were never mapped. In most cases this triggers\nthe num pinned debugging:\n\n  WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560\n  Modules linked in:\n  CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__iopt_area_unfill_domain+0x152/0x560\n  Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54\n  RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85\n  RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002\n  RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014\n  R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004\n  R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800\n  FS:  00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   iopt_area_unfill_domain+0x32/0x40\n   iopt_table_remove_domain+0x23f/0x4c0\n   iommufd_device_selftest_detach+0x3a/0x90\n   iommufd_selftest_destroy+0x55/0x70\n   iommufd_object_destroy_user+0xce/0x130\n   
iommufd_destroy+0xa2/0xc0\n   iommufd_fops_ioctl+0x206/0x330\n   __x64_sys_ioctl+0x10e/0x160\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAlso add some useful WARN_ON sanity checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-sysman: Fix reference leak\n\nIf a duplicate attribute is found using kset_find_obj(),\na reference to that attribute is returned. This means\nthat we need to dispose it accordingly. Use kobject_put()\nto dispose the duplicate attribute in such a case.\n\nCompile-tested only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Take RTNL lock when needed before calling xdp_set_features()\n\nHold RTNL lock when calling xdp_set_features() with a registered netdev,\nas the call triggers the netdev notifiers. This could happen when\nswitching from uplink rep to nic profile for example.\n\nThis resolves the following call trace:\n\nRTNL: assertion failed at net/core/dev.c (1953)\nWARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80\nModules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\nCPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:call_netdevice_notifiers_info+0x7c/0x80\nCode: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec\nRSP: 0018:ffff8882a21c3948 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027\nRDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0\nRBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003\nR10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968\nR13: ffff88811c018940 R14: 
0000000000000000 R15: ffff8881274401a0\nFS:  00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn+0x79/0x120\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? call_netdevice_notifiers_info+0x7c/0x80\n ? call_netdevice_notifiers_info+0x7c/0x80\n call_netdevice_notifiers+0x2e/0x50\n mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]\n mlx5e_nic_init+0xf1/0x1a0 [mlx5_core]\n mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]\n mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]\n mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]\n mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core]\n mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core]\n __esw_offloads_unload_rep+0x52/0x60 [mlx5_core]\n mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core]\n esw_offloads_unload_rep+0x34/0x70 [mlx5_core]\n esw_offloads_disable+0x2b/0x90 [mlx5_core]\n mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core]\n ? devlink_get_from_attrs_lock+0x9e/0x110\n devlink_nl_cmd_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit.isra.0+0xc2/0x110\n genl_rcv_msg+0x17d/0x2b0\n ? devlink_get_from_attrs_lock+0x110/0x110\n ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290\n ? devlink_pernet_pre_exit+0xf0/0xf0\n ? genl_family_rcv_msg_doit.isra.0+0x110/0x110\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1f6/0x2c0\n netlink_sendmsg+0x232/0x4a0\n sock_sendmsg+0x38/0x60\n ? _copy_from_user+0x2a/0x60\n __sys_sendto+0x110/0x160\n ? __count_memcg_events+0x48/0x90\n ? handle_mm_fault+0x161/0x260\n ? 
do_user_addr_fault+0x278/0x6e0\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix a leak in map_user_pages()\n\nIf get_user_pages_fast() allocates some pages but not as many as we\nwanted, then the current code leaks those pages.  Call put_page() on\nthe pages before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fixed a BTI error on returning to patched function\n\nWhen BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump\nback to the instruction next to call site to call the patched function.\nFor BTI-enabled kernel, the instruction next to call site is usually\nPACIASP, in this case, it's safe to jump back with BLR. But when\nthe call site is not followed by a PACIASP or bti, a BTI exception\nis triggered.\n\nHere is a fault log:\n\n Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)\n pc : bpf_fentry_test1+0xc/0x30\n lr : bpf_trampoline_6442573892_0+0x48/0x1000\n sp : ffff80000c0c3a50\n x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050\n x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a\n x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101\n x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001\n x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001\n Kernel panic - not syncing: Unhandled exception\n CPU: 0 PID: 263 Comm: test_progs Tainted: GF\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n  dump_backtrace+0xec/0x144\n  show_stack+0x24/0x7c\n  dump_stack_lvl+0x8c/0xb8\n  dump_stack+0x18/0x34\n  panic+0x1cc/0x3ec\n  __el0_error_handler_common+0x0/0x130\n  el1h_64_sync_handler+0x60/0xd0\n  el1h_64_sync+0x78/0x7c\n  bpf_fentry_test1+0xc/0x30\n  bpf_fentry_test1+0xc/0x30\n  
bpf_prog_test_run_tracing+0xdc/0x2a0\n  __sys_bpf+0x438/0x22a0\n  __arm64_sys_bpf+0x30/0x54\n  invoke_syscall+0x78/0x110\n  el0_svc_common.constprop.0+0x6c/0x1d0\n  do_el0_svc+0x38/0xe0\n  el0_svc+0x30/0xd0\n  el0t_64_sync_handler+0x1ac/0x1b0\n  el0t_64_sync+0x1a0/0x1a4\n Kernel Offset: disabled\n CPU features: 0x0000,00034c24,f994fdab\n Memory Limit: none\n\nAnd the instruction next to call site of bpf_fentry_test1 is ADD,\nnot PACIASP:\n\n<bpf_fentry_test1>:\n\tbti     c\n\tnop\n\tnop\n\tadd     w0, w0, #0x1\n\tpaciasp\n\nFor BPF prog, JIT always puts a PACIASP after call site for BTI-enabled\nkernel, so there is no problem. To fix it, replace BLR with RET to bypass\nthe branch target check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: fix wrong ct->timeout value\n\n(struct nf_conn)->timeout is an interval before the conntrack\nconfirmed.  After confirmed, it becomes a timestamp.\n\nIt is observed that timeout of an unconfirmed conntrack:\n- Set by calling ctnetlink_change_timeout(). As a result,\n  `nfct_time_stamp` was wrongly added to `ct->timeout` twice.\n- Get by calling ctnetlink_dump_timeout(). As a result,\n  `nfct_time_stamp` was wrongly subtracted.\n\nCall Trace:\n <TASK>\n dump_stack_lvl\n ctnetlink_dump_timeout\n __ctnetlink_glue_build\n ctnetlink_glue_build\n __nfqnl_enqueue_packet\n nf_queue\n nf_hook_slow\n ip_mc_output\n ? __pfx_ip_finish_output\n ip_send_skb\n ? __pfx_dst_output\n udp_send_skb\n udp_sendmsg\n ? __pfx_ip_generic_getfrag\n sock_sendmsg\n\nSeparate the 2 cases in:\n- Setting `ct->timeout` in __nf_ct_set_timeout().\n- Getting `ct->timeout` in ctnetlink_dump_timeout().\n\nPablo appends:\n\nUpdate ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is\nset on, otherwise conntrack creation via ctnetlink breaks.\n\nNote that the problem described in this patch occurs since the\nintroduction of the nfnetlink_queue conntrack support, select a\nsufficiently old Fixes: tag for -stable kernel to pick up this fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: microchip: fix potential UAF in auxdev release callback\n\nSimilar to commit 1c11289b34ab (\"peci: cpu: Fix use-after-free in\nadev_release()\"), the auxiliary device is not torn down in the correct\norder. If auxiliary_device_add() fails, the release callback will be\ncalled twice, resulting in a UAF. Due to timing, the auxdev code in this\ndriver \"took inspiration\" from the aforementioned commit, and thus its\nbugs too!\n\nMoving auxiliary_device_uninit() to the unregister callback instead\navoids the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov772x: Fix memleak in ov772x_probe()\n\nA memory leak was reported when testing ov772x with bpf mock device:\n\nAssertionError: unreferenced object 0xffff888109afa7a8 (size 8):\n  comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n  hex dump (first 8 bytes):\n    80 22 88 15 81 88 ff ff                          .\"......\n  backtrace:\n    [<000000009990b438>] __kmalloc_node+0x44/0x1b0\n    [<000000009e32f7d7>] kvmalloc_node+0x34/0x180\n    [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev]\n    [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x]\n    [<000000003f0d225e>] i2c_device_probe+0x28d/0x680\n    [<00000000e0b6db89>] really_probe+0x17c/0x3f0\n    [<000000001b19fcee>] __driver_probe_device+0xe3/0x170\n    [<0000000048370519>] driver_probe_device+0x49/0x120\n    [<000000005ead07a0>] __device_attach_driver+0xf7/0x150\n    [<0000000043f452b8>] bus_for_each_drv+0x114/0x180\n    [<00000000358e5596>] __device_attach+0x1e5/0x2d0\n    [<0000000043f83c5d>] bus_probe_device+0x126/0x140\n    [<00000000ee0f3046>] device_add+0x810/0x1130\n    [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0\n    [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110\n    [<00000000a9f2159d>] of_i2c_notify+0x100/0x160\nunreferenced object 0xffff888119825c00 (size 256):\n  comm \"python3\", pid 279, jiffies 4294805921 (age 20.681s)\n  hex dump (first 32 bytes):\n    00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff  .........^......\n    10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff  .\\.......\\......\n  backtrace:\n    [<000000009990b438>] __kmalloc_node+0x44/0x1b0\n    [<000000009e32f7d7>] kvmalloc_node+0x34/0x180\n    [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev]\n    [<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n    [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x]\n    [<000000003f0d225e>] 
i2c_device_probe+0x28d/0x680\n    [<00000000e0b6db89>] really_probe+0x17c/0x3f0\n    [<000000001b19fcee>] __driver_probe_device+0xe3/0x170\n    [<0000000048370519>] driver_probe_device+0x49/0x120\n    [<000000005ead07a0>] __device_attach_driver+0xf7/0x150\n    [<0000000043f452b8>] bus_for_each_drv+0x114/0x180\n    [<00000000358e5596>] __device_attach+0x1e5/0x2d0\n    [<0000000043f83c5d>] bus_probe_device+0x126/0x140\n    [<00000000ee0f3046>] device_add+0x810/0x1130\n    [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0\n    [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110\n\nThe reason is that if priv->hdl.error is set, ov772x_probe() jumps to the\nerror_mutex_destroy without doing v4l2_ctrl_handler_free(), and all\nresources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std()\nare leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: cancel queued works in probe error path\n\nIf it fails to get the device's MAC address, octep_probe exits while\nleaving the delayed work intr_poll_task queued. When the work later\nruns, it's a use after free.\n\nMove the cancelation of intr_poll_task from octep_remove into\noctep_device_cleanup. This does not change anything in the octep_remove\nflow, but octep_device_cleanup is called also in the octep_probe error\npath, where the cancelation is needed.\n\nNote that the cancelation of ctrl_mbox_task has to follow\nintr_poll_task's, because the ctrl_mbox_task may be queued by\nintr_poll_task.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath6kl: reduce WARN to dev_dbg() in callback\n\nThe warn is triggered on a known race condition, documented in the code above\nthe test, that is correctly handled.  Using WARN() hinders automated testing.\nReducing severity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: lpass: Fix for KASAN use_after_free out of bounds\n\nWhen we run syzkaller we get the Out of Bounds error below.\n\n\"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\nBelow is the backtrace of the issue:\n\nBUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110\nRead of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144\nCPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G        W\nHardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)\nCall trace:\ndump_backtrace+0x0/0x4ec\nshow_stack+0x34/0x50\ndump_stack_lvl+0xdc/0x11c\nprint_address_description+0x30/0x2d8\nkasan_report+0x178/0x1e4\n__asan_report_load4_noabort+0x44/0x50\nregcache_flat_read+0x10c/0x110\nregcache_read+0xf8/0x5a0\n_regmap_read+0x45c/0x86c\n_regmap_update_bits+0x128/0x290\nregmap_update_bits_base+0xc0/0x15c\nsnd_soc_component_update_bits+0xa8/0x22c\nsnd_soc_component_write_field+0x68/0xd4\ntx_macro_put_dec_enum+0x1d0/0x268\nsnd_ctl_elem_write+0x288/0x474\n\nBy error checking and checking valid values, the issue gets rectified.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev->remain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy'd with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix clear_user_rep_good() exception handling annotation\n\nThis code no longer exists in mainline, because it was removed in\ncommit d2c95f9d6802 (\"x86: don't use REP_GOOD or ERMS for user memory\nclearing\") upstream.\n\nHowever, rather than backport the full range of x86 memory clearing and\ncopying cleanups, fix the exception table annotation placement for the\nfinal 'rep movsb' in clear_user_rep_good(): rather than pointing at the\nactual instruction that did the user space access, it pointed to the\nregister move just before it.\n\nThat made sense from a code flow standpoint, but not from an actual\nusage standpoint: it means that if user access takes an exception, the\nexception handler won't actually find the instruction in the exception\ntables.\n\nAs a result, rather than fixing it up and returning -EFAULT, it would\nthen turn it into a kernel oops report instead, something like:\n\n    BUG: unable to handle page fault for address: 0000000020081000\n    #PF: supervisor write access in kernel mode\n    #PF: error_code(0x0002) - not-present page\n    ...\n    RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147\n    ...\n    Call Trace:\n      __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]\n      clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]\n      iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800\n      iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]\n      iomap_dio_iter fs/iomap/direct-io.c:440 [inline]\n      __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601\n      iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689\n      ext4_dio_read_iter fs/ext4/file.c:94 [inline]\n      ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145\n      call_read_iter include/linux/fs.h:2183 [inline]\n      do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733\n      do_iter_read+0x2f2/0x750 fs/read_write.c:796\n      vfs_readv+0xe5/0x150 fs/read_write.c:916\n      do_preadv+0x1b6/0x270 fs/read_write.c:1008\n      __do_sys_preadv2 fs/read_write.c:1070 [inline]\n      __se_sys_preadv2 fs/read_write.c:1061 [inline]\n      __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061\n      do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n      entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nwhich then looks like a filesystem bug rather than the incorrect\nexception annotation that it is.\n\n[ The alternative to this one-liner fix is to take the upstream series\n  that cleans this all up:\n\n    68674f94ffc9 (\"x86: don't use REP_GOOD or ERMS for small memory copies\")\n    20f3337d350c (\"x86: don't use REP_GOOD or ERMS for small memory clearing\")\n    adfcf4231b8c (\"x86: don't use REP_GOOD or ERMS for user memory copies\")\n  * d2c95f9d6802 (\"x86: don't use REP_GOOD or ERMS for user memory clearing\")\n    3639a535587d (\"x86: move stac/clac from user copy routines into callers\")\n    577e6a7fd50d (\"x86: inline the 'rep movs' in user copies for the FSRM case\")\n    8c9b6a88b7e2 (\"x86: improve on the non-rep 'clear_user' function\")\n    427fda2c8a49 (\"x86: improve on the non-rep 'copy_user' function\")\n  * e046fe5a36a9 (\"x86: set FSRS automatically on AMD CPUs that have FSRM\")\n    e1f2750edc4a (\"x86: remove 'zerorest' argument from __copy_user_nocache()\")\n    034ff37d3407 (\"x86: rewrite '__copy_user_nocache' function\")\n\n  with either the whole series or at a minimum the two marked commits\n  being needed to fix this issue ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: don't access released socket during error recovery\n\nWhile the error recovery work is temporarily failing reconnect attempts,\nrunning the 'nvme list' command causes a kernel NULL pointer dereference\nby calling getsockname() with a released socket.\n\nDuring error recovery work, the nvme tcp socket is released and a new one\ncreated, so it is not safe to access the socket without proper check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: radio-shark: Add endpoint checks\n\nThe syzbot fuzzer was able to provoke a WARNING from the radio-shark2\ndriver:\n\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc90003876dd0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000\nRDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac\nRBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001\nR13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200\nFS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387\n shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88\n...\n\nThe problem was caused by the fact that the driver does not check\nwhether the endpoints it uses are actually present and have the\nappropriate types.  This can be fixed by adding a simple check of\nthese endpoints (and similarly for the radio-shark driver).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Make bpf_refcount_acquire fallible for non-owning refs\n\nThis patch fixes an incorrect assumption made in the original\nbpf_refcount series [0], specifically that the BPF program calling\nbpf_refcount_acquire on some node can always guarantee that the node is\nalive. In that series, the patch adding failure behavior to rbtree_add\nand list_push_{front, back} breaks this assumption for non-owning\nreferences.\n\nConsider the following program:\n\n  n = bpf_kptr_xchg(&mapval, NULL);\n  /* skip error checking */\n\n  bpf_spin_lock(&l);\n  if(bpf_rbtree_add(&t, &n->rb, less)) {\n    bpf_refcount_acquire(n);\n    /* Failed to add, do something else with the node */\n  }\n  bpf_spin_unlock(&l);\n\nIt's incorrect to assume that bpf_refcount_acquire will always succeed in this\nscenario. bpf_refcount_acquire is being called in a critical section\nhere, but the lock being held is associated with rbtree t, which isn't\nnecessarily the lock associated with the tree that the node is already\nin. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop\nin it, the program has no ownership of the node's lifetime. Therefore\nthe node's refcount can be decr'd to 0 at any time after the failing\nrbtree_add. If this happens before the refcount_acquire above, the node\nmight be free'd, and regardless refcount_acquire will be incrementing a\n0 refcount.\n\nLater patches in the series exercise this scenario, resulting in the\nexpected complaint from the kernel (without this patch's changes):\n\n  refcount_t: addition on 0; use-after-free.\n  WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110\n  Modules linked in: bpf_testmod(O)\n  CPU: 1 PID: 207 Comm: test_progs Tainted: G           O       6.3.0-rc7-02231-g723de1a718a2-dirty #371\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:refcount_warn_saturate+0xbc/0x110\n  Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7\n  RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082\n  RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n  RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680\n  RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7\n  R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388\n  R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048\n  FS:  00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   bpf_refcount_acquire_impl+0xb5/0xc0\n\n  (rest of output snipped)\n\nThe patch addresses this by changing bpf_refcount_acquire_impl to use\nrefcount_inc_not_zero instead of refcount_inc and marking\nbpf_refcount_acquire KF_RET_NULL.\n\nFor owning references, though, we know the above scenario is not possible\nand thus that bpf_refcount_acquire will always succeed. Some verifier\nbookkeeping is added to track \"is input owning ref?\" for bpf_refcount_acquire\ncalls and return false from is_kfunc_ret_null for bpf_refcount_acquire on\nowning refs despite it being marked KF_RET_NULL.\n\nExisting selftests using bpf_refcount_acquire are modified where\nnecessary to NULL-check its return value.\n\n  [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/perf: add sentinel to xehp_oa_b_counters\n\nArrays passed to reg_in_range_table should end with empty record.\n\nThe patch solves KASAN detected bug with signature:\nBUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\nRead of size 4 at addr ffffffffa1555d90 by task perf/1518\n\nCPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1\nHardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023\nCall Trace:\n<TASK>\n...\nxehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\n\n(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't dereference ACPI root object handle\n\nSince the commit referenced in the Fixes: tag below the VMBus client driver\nis walking the ACPI namespace up from the VMBus ACPI device to the ACPI\nnamespace root object trying to find Hyper-V MMIO ranges.\n\nHowever, if it is not able to find them it ends up trying to walk resources of\nthe ACPI namespace root object itself.\nThis object has all-ones handle, which causes a NULL pointer dereference\nin the ACPI code (from dereferencing this pointer with an offset).\n\nThis in turn causes an oops on boot with VMBus host implementations that do\nnot provide Hyper-V MMIO ranges in their VMBus ACPI device or its\nancestors.\nThe QEMU VMBus implementation is an example of such implementation.\n\nI guess providing these ranges is optional, since all tested Windows\nversions seem to be able to use VMBus devices without them.\n\nFix this by explicitly terminating the lookup at the ACPI namespace root\nobject.\n\nNote that Linux guests under KVM/QEMU do not use the Hyper-V PV interface\nby default - they only do so if the KVM PV interface is missing or\ndisabled.\n\nExample stack trace of such oops:\n[ 3.710827] ? __die+0x1f/0x60\n[ 3.715030] ? page_fault_oops+0x159/0x460\n[ 3.716008] ? exc_page_fault+0x73/0x170\n[ 3.716959] ? asm_exc_page_fault+0x22/0x30\n[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0\n[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0\n[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0\n[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200\n[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0\n[ 3.723559] ? down_timeout+0x3a/0x60\n[ 3.724455] ? acpi_ns_get_node+0x3a/0x60\n[ 3.725412] acpi_ns_get_node+0x3a/0x60\n[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0\n[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0\n[ 3.728400] acpi_rs_get_method_data+0x2b/0x70\n[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus]\n[ 3.732411] acpi_walk_resources+0x78/0xd0\n[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus]\n[ 3.734802] platform_probe+0x3d/0x90\n[ 3.735684] really_probe+0x19b/0x400\n[ 3.736570] ? __device_attach_driver+0x100/0x100\n[ 3.737697] __driver_probe_device+0x78/0x160\n[ 3.738746] driver_probe_device+0x1f/0x90\n[ 3.739743] __driver_attach+0xc2/0x1b0\n[ 3.740671] bus_for_each_dev+0x70/0xc0\n[ 3.741601] bus_add_driver+0x10e/0x210\n[ 3.742527] driver_register+0x55/0xf0\n[ 3.744412] ? 0xffffffffc039a000\n[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer\n\nsmatch error:\nsound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:\nwe previously assumed 'rac97' could be null (see line 2072)\n\nremove redundant assignment, return error if rac97 is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf trace: Really free the evsel->priv area\n\nIn 3cb4d5e00e037c70 (\"perf trace: Free syscall tp fields in\nevsel->priv\") it only was freeing if strcmp(evsel->tp_format->system,\n\"syscalls\") returned zero, while the corresponding initialization of\nevsel->priv was being performed if it was _not_ zero, i.e. if the tp\nsystem wasn't 'syscalls'.\n\nJust stop looking for that and free it if evsel->priv was set, which\nshould be equivalent.\n\nAlso use the pre-existing evsel_trace__delete() function.\n\nThis resolves these leaks, detected with:\n\n  $ make EXTRA_CFLAGS=\"-fsanitize=address\" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin\n\n  =================================================================\n  ==481565==ERROR: LeakSanitizer: detected memory leaks\n\n  Direct leak of 40 byte(s) in 1 object(s) allocated from:\n      #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n      #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n      #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n      #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n      #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n      #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n      #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212\n      #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n      #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n      #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n      #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n      #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n      #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n      #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n  Direct leak of 40 byte(s) in 1 object(s) allocated from:\n      #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)\n      #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)\n      #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307\n      #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333\n      #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458\n      #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480\n      #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205\n      #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891\n      #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156\n      #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323\n      #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377\n      #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421\n      #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537\n      #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\n  SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).\n  [root@quaco ~]#\n\nWith this we plug all leaks with \"perf trace sleep 1\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()\n\nIf 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: exc3000 - properly stop timer on shutdown\n\nWe need to stop the timer on driver unbind or probe failures, otherwise\nwe get UAF/Oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add features attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info->attrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa features attr to avoid\nsuch bugs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: fix REVERSE_INULL issues reported by coverity\n\nnull-checking of a pointer is suggested before dereferencing it",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation before accessing cgx and lmac\n\nWith the addition of new MAC blocks like CN10K RPM and CN10KB\nRPM_USX, LMACs are noncontiguous and CGX blocks are also\nnoncontiguous. But during RVU driver initialization, the driver\nis assuming they are contiguous and trying to access\ncgx or lmac with their id which is resulting in kernel panic.\n\nThis patch fixes the issue by adding proper checks.\n\n[   23.219150] pc : cgx_lmac_read+0x38/0x70\n[   23.219154] lr : rvu_program_channels+0x3f0/0x498\n[   23.223852] sp : ffff000100d6fc80\n[   23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:\n000000000000005a\n[   23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:\nfffffffffff0f000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed\n\nRegistering a kprobe on __rcu_irq_enter_check_tick() can cause kernel\nstack overflow as shown below. This issue can be reproduced by enabling\nCONFIG_NO_HZ_FULL and booting the kernel with argument \"nohz_full=\",\nand then giving the following commands at the shell prompt:\n\n  # cd /sys/kernel/tracing/\n  # echo 'p:mp1 __rcu_irq_enter_check_tick' >> kprobe_events\n  # echo 1 > events/kprobes/enable\n\nThis commit therefore adds __rcu_irq_enter_check_tick() to the kprobes\nblacklist using NOKPROBE_SYMBOL().\n\nInsufficient stack space to handle exception!\nESR: 0x00000000f2000004 -- BRK (AArch64)\nFAR: 0x0000ffffccf3e510\nTask stack:     [0xffff80000ad30000..0xffff80000ad38000]\nIRQ stack:      [0xffff800008050000..0xffff800008058000]\nOverflow stack: [0xffff089c36f9f310..0xffff089c36fa0310]\nCPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19\nHardware name: linux,dummy-virt (DT)\npstate: 400003c5 (nZcv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __rcu_irq_enter_check_tick+0x0/0x1b8\nlr : ct_nmi_enter+0x11c/0x138\nsp : ffff80000ad30080\nx29: ffff80000ad30080 x28: ffff089c82e20000 x27: 0000000000000000\nx26: 0000000000000000 x25: ffff089c02a8d100 x24: 0000000000000000\nx23: 00000000400003c5 x22: 0000ffffccf3e510 x21: ffff089c36fae148\nx20: ffff80000ad30120 x19: ffffa8da8fcce148 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffffa8da8e44ea6c\nx14: ffffa8da8e44e968 x13: ffffa8da8e03136c x12: 1fffe113804d6809\nx11: ffff6113804d6809 x10: 0000000000000a60 x9 : dfff800000000000\nx8 : ffff089c026b404f x7 : 00009eec7fb297f7 x6 : 0000000000000001\nx5 : ffff80000ad30120 x4 : dfff800000000000 x3 : ffffa8da8e3016f4\nx2 : 0000000000000003 x1 : 0000000000000000 x0 : 0000000000000000\nKernel panic - not syncing: kernel stack overflow\nCPU: 5 PID: 190 Comm: bash Not tainted 6.2.0-rc2-00320-g1f5abbd77e2c #19\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xf8/0x108\n show_stack+0x20/0x30\n dump_stack_lvl+0x68/0x84\n dump_stack+0x1c/0x38\n panic+0x214/0x404\n add_taint+0x0/0xf8\n panic_bad_stack+0x144/0x160\n handle_bad_stack+0x38/0x58\n __bad_stack+0x78/0x7c\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n [...]\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n arm64_enter_el1_dbg.isra.0+0x14/0x20\n el1_dbg+0x2c/0x90\n el1h_64_sync_handler+0xcc/0xe8\n el1h_64_sync+0x64/0x68\n __rcu_irq_enter_check_tick+0x0/0x1b8\n el1_interrupt+0x28/0x60\n el1h_64_irq_handler+0x18/0x28\n el1h_64_irq+0x64/0x68\n __ftrace_set_clr_event_nolock+0x98/0x198\n __ftrace_set_clr_event+0x58/0x80\n system_enable_write+0x144/0x178\n vfs_write+0x174/0x738\n ksys_write+0xd0/0x188\n __arm64_sys_write+0x4c/0x60\n invoke_syscall+0x64/0x180\n el0_svc_common.constprop.0+0x84/0x160\n do_el0_svc+0x48/0xe8\n el0_svc+0x34/0xd0\n el0t_64_sync_handler+0xb8/0xc0\n el0t_64_sync+0x190/0x194\nSMP: stopping secondary CPUs\nKernel Offset: 0x28da86000000 from 0xffff800008000000\nPHYS_OFFSET: 0xfffff76600000000\nCPU features: 0x00000,01a00100,0000421b\nMemory Limit: none",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: Don't migrate perf to the CPU going to teardown\n\nThe driver needs to migrate the perf context if the CPU currently in use is going\nto teardown. By the time calling the cpuhp::teardown() callback the\ncpu_online_mask() hasn't updated yet and still includes the CPU going to\nteardown. In current driver's implementation we may migrate the context\nto the teardown CPU, which leads to the below calltrace:\n\n...\n[  368.104662][  T932] task:cpuhp/0         state:D stack:    0 pid:   15 ppid:     2 flags:0x00000008\n[  368.113699][  T932] Call trace:\n[  368.116834][  T932]  __switch_to+0x7c/0xbc\n[  368.120924][  T932]  __schedule+0x338/0x6f0\n[  368.125098][  T932]  schedule+0x50/0xe0\n[  368.128926][  T932]  schedule_preempt_disabled+0x18/0x24\n[  368.134229][  T932]  __mutex_lock.constprop.0+0x1d4/0x5dc\n[  368.139617][  T932]  __mutex_lock_slowpath+0x1c/0x30\n[  368.144573][  T932]  mutex_lock+0x50/0x60\n[  368.148579][  T932]  perf_pmu_migrate_context+0x84/0x2b0\n[  368.153884][  T932]  hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]\n[  368.160579][  T932]  cpuhp_invoke_callback+0x2a0/0x650\n[  368.165707][  T932]  cpuhp_thread_fun+0xe4/0x190\n[  368.170316][  T932]  smpboot_thread_fn+0x15c/0x1a0\n[  368.175099][  T932]  kthread+0x108/0x13c\n[  368.179012][  T932]  ret_from_fork+0x10/0x18\n...\n\nUse function cpumask_any_but() to find one correct active cpu to fix\nthis issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't tx before switchdev is fully configured\n\nThere is a possibility that ice_eswitch_port_start_xmit might be\ncalled while some resources are still not allocated which might\ncause NULL pointer dereference. Fix this by checking if switchdev\nconfiguration was finished.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm-qspi: return error if neither hif_mspi nor mspi is available\n\nIf neither a \"hif_mspi\" nor \"mspi\" resource is present, the driver will\njust early exit in probe but still return success. Apart from not doing\nanything meaningful, this would then also lead to a null pointer access\non removal, as platform_get_drvdata() would return NULL, which it would\nthen try to dereference when trying to unregister the spi master.\n\nFix this by unconditionally calling devm_ioremap_resource(), as it can\nhandle a NULL res and will then return a viable ERR_PTR() if we get one.\n\nThe \"return 0;\" was previously a \"goto qspi_resource_err;\" where then\nret was returned, but since ret was still initialized to 0 at this place\nthis was a valid conversion in 63c5395bb7a9 (\"spi: bcm-qspi: Fix\nuse-after-free on unbind\"). The issue was not introduced by this commit,\nonly made more obvious.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix out-of-bounds when setting channels on remove\n\nIf we set channels greater during iavf_remove(), and waiting reset done\nwould be timeout, then returned with error but changed num_active_queues\ndirectly, that will lead to OOB like the following logs. Because the\nnum_active_queues is greater than tx/rx_rings[] allocated actually.\n\nReproducer:\n\n  [root@host ~]# cat repro.sh\n  #!/bin/bash\n\n  pf_dbsf=\"0000:41:00.0\"\n  vf0_dbsf=\"0000:41:02.0\"\n  g_pids=()\n\n  function do_set_numvf()\n  {\n      echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n      echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs\n      sleep $((RANDOM%3+1))\n  }\n\n  function do_set_channel()\n  {\n      local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)\n      [ -z \"$nic\" ] && { sleep $((RANDOM%3)) ; return 1; }\n      ifconfig $nic 192.168.18.5 netmask 255.255.255.0\n      ifconfig $nic up\n      ethtool -L $nic combined 1\n      ethtool -L $nic combined 4\n      sleep $((RANDOM%3))\n  }\n\n  function on_exit()\n  {\n      local pid\n      for pid in \"${g_pids[@]}\"; do\n          kill -0 \"$pid\" &>/dev/null && kill \"$pid\" &>/dev/null\n      done\n      g_pids=()\n  }\n\n  trap \"on_exit; exit\" EXIT\n\n  while :; do do_set_numvf ; done &\n  g_pids+=($!)\n  while :; do do_set_channel ; done &\n  g_pids+=($!)\n\n  wait\n\nResult:\n\n[ 3506.152887] iavf 0000:41:02.0: Removing device\n[ 3510.400799] ==================================================================\n[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536\n[ 3510.400823]\n[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1\n[ 3510.400832] Hardware name: Powerleader 
PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021\n[ 3510.400835] Call Trace:\n[ 3510.400851]  dump_stack+0x71/0xab\n[ 3510.400860]  print_address_description+0x6b/0x290\n[ 3510.400865]  ? iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400868]  kasan_report+0x14a/0x2b0\n[ 3510.400873]  iavf_free_all_tx_resources+0x156/0x160 [iavf]\n[ 3510.400880]  iavf_remove+0x2b6/0xc70 [iavf]\n[ 3510.400884]  ? iavf_free_all_rx_resources+0x160/0x160 [iavf]\n[ 3510.400891]  ? wait_woken+0x1d0/0x1d0\n[ 3510.400895]  ? notifier_call_chain+0xc1/0x130\n[ 3510.400903]  pci_device_remove+0xa8/0x1f0\n[ 3510.400910]  device_release_driver_internal+0x1c6/0x460\n[ 3510.400916]  pci_stop_bus_device+0x101/0x150\n[ 3510.400919]  pci_stop_and_remove_bus_device+0xe/0x20\n[ 3510.400924]  pci_iov_remove_virtfn+0x187/0x420\n[ 3510.400927]  ? pci_iov_add_virtfn+0xe10/0xe10\n[ 3510.400929]  ? pci_get_subsys+0x90/0x90\n[ 3510.400932]  sriov_disable+0xed/0x3e0\n[ 3510.400936]  ? bus_find_device+0x12d/0x1a0\n[ 3510.400953]  i40e_free_vfs+0x754/0x1210 [i40e]\n[ 3510.400966]  ? i40e_reset_all_vfs+0x880/0x880 [i40e]\n[ 3510.400968]  ? pci_get_device+0x7c/0x90\n[ 3510.400970]  ? pci_get_subsys+0x90/0x90\n[ 3510.400982]  ? pci_vfs_assigned.part.7+0x144/0x210\n[ 3510.400987]  ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.400996]  i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]\n[ 3510.401001]  sriov_numvfs_store+0x214/0x290\n[ 3510.401005]  ? sriov_totalvfs_show+0x30/0x30\n[ 3510.401007]  ? __mutex_lock_slowpath+0x10/0x10\n[ 3510.401011]  ? __check_object_size+0x15a/0x350\n[ 3510.401018]  kernfs_fop_write+0x280/0x3f0\n[ 3510.401022]  vfs_write+0x145/0x440\n[ 3510.401025]  ksys_write+0xab/0x160\n[ 3510.401028]  ? __ia32_sys_read+0xb0/0xb0\n[ 3510.401031]  ? fput_many+0x1a/0x120\n[ 3510.401032]  ? filp_close+0xf0/0x130\n[ 3510.401038]  do_syscall_64+0xa0/0x370\n[ 3510.401041]  ? 
page_fault+0x8/0x30\n[ 3510.401043]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 3510.401073] RIP: 0033:0x7f3a9bb842c0\n[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Handle skb as well when clean up ptr_ring\n\nThe following warning was reported when running xdp_redirect_cpu with\nboth skb-mode and stress-mode enabled:\n\n  ------------[ cut here ]------------\n  Incorrect XDP memory type (-2128176192) usage\n  WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405\n  Modules linked in:\n  CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G  6.5.0-rc2+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: events __cpu_map_entry_free\n  RIP: 0010:__xdp_return+0x1e4/0x4a0\n  ......\n  Call Trace:\n   <TASK>\n   ? show_regs+0x65/0x70\n   ? __warn+0xa5/0x240\n   ? __xdp_return+0x1e4/0x4a0\n   ......\n   xdp_return_frame+0x4d/0x150\n   __cpu_map_entry_free+0xf9/0x230\n   process_one_work+0x6b0/0xb80\n   worker_thread+0x96/0x720\n   kthread+0x1a5/0x1f0\n   ret_from_fork+0x3a/0x70\n   ret_from_fork_asm+0x1b/0x30\n   </TASK>\n\nThe reason for the warning is twofold. One is due to the kthread\ncpu_map_kthread_run() is stopped prematurely. Another one is\n__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in\nptr_ring as XDP frames.\n\nPrematurely-stopped kthread will be fixed by the preceding patch and\nptr_ring will be empty when __cpu_map_ring_cleanup() is called. But\nas the comments in __cpu_map_ring_cleanup() said, handling and freeing\nskbs in ptr_ring as well to \"catch any broken behaviour gracefully\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: avoid overflow in bnxt_get_nvram_directory()\n\nThe value of an arithmetic expression is subject\nof possible overflow due to a failure to cast operands to a larger data\ntype before performing arithmetic. Used macro for multiplication instead\noperator for avoiding overflow.\n\nFound by Security Code and Linux Verification\nCenter (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}\n\nIf the filename casefolding fails, we'll be leaking memory from the\nfscrypt_name struct, namely from the 'crypto_buf.name' member.\n\nMake sure we free it in the error path on both ext4_fname_setup_filename()\nand ext4_fname_prepare_lookup() functions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Check instead of asserting on nested TSC scaling support\n\nCheck for nested TSC scaling support on nested SVM VMRUN instead of\nasserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO\nhas diverged from KVM's default.  Userspace can trigger the WARN at will\nby writing the MSR and then updating guest CPUID to hide the feature\n(modifying guest CPUID is allowed anytime before KVM_RUN).  E.g. hacking\nKVM's state_test selftest to do\n\n\t\tvcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n\t\tvcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699\n           nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   enter_svm_guest_mode+0x114/0x560 [kvm_amd]\n   nested_svm_vmrun+0x260/0x330 [kvm_amd]\n   vmrun_interception+0x29/0x30 [kvm_amd]\n   svm_invoke_exit_handler+0x35/0x100 [kvm_amd]\n   svm_handle_exit+0xe7/0x180 [kvm_amd]\n   kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n   kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n   __se_sys_ioctl+0x7a/0xc0\n   __x64_sys_ioctl+0x21/0x30\n   do_syscall_64+0x41/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  RIP: 0033:0x45ca1b\n\nNote, the nested #VMEXIT path has the same flaw, but needs a different\nfix and will be handled separately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nOPP: Fix potential null ptr dereference in dev_pm_opp_get_required_pstate()\n\n\"opp\" pointer is dereferenced before the IS_ERR_OR_NULL() check. Fix it by\nremoving the dereference to cache opp_table and dereference it directly\nwhere opp_table is used.\n\nThis fixes the following smatch warning:\n\ndrivers/opp/core.c:232 dev_pm_opp_get_required_pstate() warn: variable\ndereferenced before IS_ERR check 'opp' (see line 230)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: don't dereference mddev after export_rdev()\n\nExcept for initial reference, mddev->kobject is referenced by\nrdev->kobject, and if the last rdev is freed, there is no guarantee that\nmddev is still valid. Hence mddev should not be used anymore after\nexport_rdev().\n\nThis problem can be triggered by following test for mdadm at very\nlow rate:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n        pill -9 $pid\n        echo clear > /sys/block/md0/md/array_state\n}\n\ntrap 'clean_up_test' EXIT\n\nadd_by_sysfs() {\n        while true; do\n                echo $devt > /sys/block/md0/md/new_dev\n        done\n}\n\nremove_by_sysfs(){\n        while true; do\n                echo remove > /sys/block/md0/md/dev-${devname}/state\n        done\n}\n\necho md0 > /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs &\npid=\"$pid $!\"\n\nremove_by_sysfs &\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\nCPU: 0 PID: 1292 Comm: test Tainted: G      D W          6.5.0-rc2-00121-g01e55c376936 #562\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\nCall Trace:\n <TASK>\n mddev_unlock+0x1b6/0x310 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix this problem by don't dereference mddev after export_rdev().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix missing mbhc init error handling\n\nMBHC initialisation can fail so add the missing error handling to avoid\ndereferencing an error pointer when later configuring the jack:\n\n    Unable to handle kernel paging request at virtual address fffffffffffffff8\n\n    pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n    lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n\n    Call trace:\n     wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc]\n     wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x]\n     snd_soc_component_set_jack+0x28/0x8c [snd_soc_core]\n     qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common]\n     sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp]\n     snd_soc_link_init+0x28/0x90 [snd_soc_core]\n     snd_soc_bind_card+0x628/0xbfc [snd_soc_core]\n     snd_soc_register_card+0xec/0x104 [snd_soc_core]\n     devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]\n     sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n        size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say 'struct skb_shared_info',\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 
0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n <TASK>\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix deadloop issue on reading trace_pipe\n\nSoft lockup occurs when reading file 'trace_pipe':\n\n  watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]\n  [...]\n  RIP: 0010:ring_buffer_empty_cpu+0xed/0x170\n  RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246\n  RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb\n  RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218\n  RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f\n  R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901\n  R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000\n  [...]\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   __find_next_entry+0x1a8/0x4b0\n   ? peek_next_entry+0x250/0x250\n   ? down_write+0xa5/0x120\n   ? down_write_killable+0x130/0x130\n   trace_find_next_entry_inc+0x3b/0x1d0\n   tracing_read_pipe+0x423/0xae0\n   ? tracing_splice_read_pipe+0xcb0/0xcb0\n   vfs_read+0x16b/0x490\n   ksys_read+0x105/0x210\n   ? __ia32_sys_pwrite64+0x200/0x200\n   ? switch_fpu_return+0x108/0x220\n   do_syscall_64+0x33/0x40\n   entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThrough the vmcore, I found it's because in tracing_read_pipe(),\nring_buffer_empty_cpu() found some buffer is not empty but then it\ncannot read anything due to \"rb_num_of_entries() == 0\" always true,\nThen it infinitely loop the procedure due to user buffer not been\nfilled, see following code path:\n\n  tracing_read_pipe() {\n    ... ...\n    waitagain:\n      tracing_wait_pipe() // 1. find non-empty buffer here\n      trace_find_next_entry_inc()  // 2. 
loop here try to find an entry\n        __find_next_entry()\n          ring_buffer_empty_cpu();  // 3. find non-empty buffer\n          peek_next_entry()  // 4. but peek always return NULL\n            ring_buffer_peek()\n              rb_buffer_peek()\n                rb_get_reader_page()\n                  // 5. because rb_num_of_entries() == 0 always true here\n                  //    then return NULL\n      // 6. user buffer not been filled so goto 'waitgain'\n      //    and eventually leads to an deadloop in kernel!!!\n  }\n\nBy some analyzing, I found that when resetting ringbuffer, the 'entries'\nof its pages are not all cleared (see rb_reset_cpu()). Then when reducing\nthe ringbuffer, and if some reduced pages exist dirty 'entries' data, they\nwill be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which\ncause wrong 'overrun' count and eventually cause the deadloop issue.\n\nTo fix it, we need to clear every pages in rb_reset_cpu().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix skb_copy_ubufs() vs BIG TCP\n\nDavid Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy\nusing hugepages, and skb length bigger than ~68 KB.\n\nskb_copy_ubufs() assumed it could copy all payload using up to\nMAX_SKB_FRAGS order-0 pages.\n\nThis assumption broke when BIG TCP was able to put up to 512 KB per skb.\n\nWe did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45\nand limit gso_max_size to 180000.\n\nA solution is to use higher order pages if needed.\n\nv2: add missing __GFP_COMP, or we leak memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix dev_pm_qos memleak\n\nCall dev_pm_qos_hide_latency_tolerance() in the error unwind patch to\navoid following kmemleak:-\n\nblktests (master) # kmemleak-clear; ./check nvme/044;\nblktests (master) # kmemleak-scan ; kmemleak-show\nnvme/044 (Test bi-directional authentication)                [passed]\n    runtime  2.111s  ...  2.124s\nunreferenced object 0xffff888110c46240 (size 96):\n  comm \"nvme\", pid 33461, jiffies 4345365353 (age 75.586s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<0000000069ac2cec>] kmalloc_trace+0x25/0x90\n    [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100\n    [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]\n    [<000000007df61b4b>] 0xffffffffc05e88b3\n    [<00000000d152b985>] 0xffffffffc05744cb\n    [<00000000f04a4041>] vfs_write+0xc5/0x3c0\n    [<00000000f9491baf>] ksys_write+0x5f/0xe0\n    [<000000001c46513d>] do_syscall_64+0x3b/0x90\n    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsrcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL\n\nCommit 994f706872e6 (\"srcu: Make Tree SRCU able to operate without\nsnp_node array\") assumes that cpu 0 is always online.  However, there\nreally are situations when some other CPU is the boot CPU, for example,\nwhen booting a kdump kernel with the maxcpus=1 boot parameter.\n\nOn PowerPC, the kdump kernel can hang as follows:\n...\n[    1.740036] systemd[1]: Hostname set to <xyz.com>\n[  243.686240] INFO: task systemd:1 blocked for more than 122 seconds.\n[  243.686264]       Not tainted 6.1.0-rc1 #1\n[  243.686272] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  243.686281] task:systemd         state:D stack:0     pid:1     ppid:0      flags:0x00042000\n[  243.686296] Call Trace:\n[  243.686301] [c000000016657640] [c000000016657670] 0xc000000016657670 (unreliable)\n[  243.686317] [c000000016657830] [c00000001001dec0] __switch_to+0x130/0x220\n[  243.686333] [c000000016657890] [c000000010f607b8] __schedule+0x1f8/0x580\n[  243.686347] [c000000016657940] [c000000010f60bb4] schedule+0x74/0x140\n[  243.686361] [c0000000166579b0] [c000000010f699b8] schedule_timeout+0x168/0x1c0\n[  243.686374] [c000000016657a80] [c000000010f61de8] __wait_for_common+0x148/0x360\n[  243.686387] [c000000016657b20] [c000000010176bb0] __flush_work.isra.0+0x1c0/0x3d0\n[  243.686401] [c000000016657bb0] [c0000000105f2768] fsnotify_wait_marks_destroyed+0x28/0x40\n[  243.686415] [c000000016657bd0] [c0000000105f21b8] fsnotify_destroy_group+0x68/0x160\n[  243.686428] [c000000016657c40] [c0000000105f6500] inotify_release+0x30/0xa0\n[  243.686440] [c000000016657cb0] [c0000000105751a8] __fput+0xc8/0x350\n[  243.686452] [c000000016657d00] [c00000001017d524] task_work_run+0xe4/0x170\n[  243.686464] [c000000016657d50] [c000000010020e94] do_notify_resume+0x134/0x140\n[  243.686478] [c000000016657d80] [c00000001002eb18] 
interrupt_exit_user_prepare_main+0x198/0x270\n[  243.686493] [c000000016657de0] [c00000001002ec60] syscall_exit_prepare+0x70/0x180\n[  243.686505] [c000000016657e10] [c00000001000bf7c] system_call_vectored_common+0xfc/0x280\n[  243.686520] --- interrupt: 3000 at 0x7fffa47d5ba4\n[  243.686528] NIP:  00007fffa47d5ba4 LR: 0000000000000000 CTR: 0000000000000000\n[  243.686538] REGS: c000000016657e80 TRAP: 3000   Not tainted  (6.1.0-rc1)\n[  243.686548] MSR:  800000000000d033 <SF,EE,PR,ME,IR,DR,RI,LE>  CR: 42044440  XER: 00000000\n[  243.686572] IRQMASK: 0\n[  243.686572] GPR00: 0000000000000006 00007ffffa606710 00007fffa48e7200 0000000000000000\n[  243.686572] GPR04: 0000000000000002 000000000000000a 0000000000000000 0000000000000001\n[  243.686572] GPR08: 000001000c172dd0 0000000000000000 0000000000000000 0000000000000000\n[  243.686572] GPR12: 0000000000000000 00007fffa4ff4bc0 0000000000000000 0000000000000000\n[  243.686572] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[  243.686572] GPR20: 0000000132dfdc50 000000000000000e 0000000000189375 0000000000000000\n[  243.686572] GPR24: 00007ffffa606ae0 0000000000000005 000001000c185490 000001000c172570\n[  243.686572] GPR28: 000001000c172990 000001000c184850 000001000c172e00 00007fffa4fedd98\n[  243.686683] NIP [00007fffa47d5ba4] 0x7fffa47d5ba4\n[  243.686691] LR [0000000000000000] 0x0\n[  243.686698] --- interrupt: 3000\n[  243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.\n[  243.686717]       Not tainted 6.1.0-rc1 #1\n[  243.686724] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  243.686733] task:kworker/u16:1   state:D stack:0     pid:24    ppid:2      flags:0x00000800\n[  243.686747] Workqueue: events_unbound fsnotify_mark_destroy_workfn\n[  243.686758] Call Trace:\n[  243.686762] [c0000000166736e0] [c00000004fd91000] 0xc00000004fd91000 (unreliable)\n[  243.686775] [c0000000166738d0] [c00000001001dec0] __switch_to+0x130/0x220\n[  
243.686788] [c000000016673930] [c000000010f607b8] __schedule+0x1f8/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: output extra debug info if we failed to find an inline backref\n\n[BUG]\nSyzbot reported several warning triggered inside\nlookup_inline_extent_backref().\n\n[CAUSE]\nAs usual, the reproducer doesn't reliably trigger locally here, but at\nleast we know the WARN_ON() is triggered when an inline backref can not\nbe found, and it can only be triggered when @insert is true. (I.e.\ninserting a new inline backref, which means the backref should already\nexist)\n\n[ENHANCEMENT]\nAfter the WARN_ON(), dump all the parameters and the extent tree\nleaf to help debug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... 
<no iso_* activity on sk/conn> ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? 
__pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix memory leak in devm_clk_notifier_register()\n\ndevm_clk_notifier_register() allocates a devres resource for clk\nnotifier but didn't register that to the device, so the notifier didn't\nget unregistered on device detach and the allocated resource was leaked.\n\nFix the issue by registering the resource through devres_add().\n\nThis issue was found with kmemleak on a Chromebook.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible desc_ptr out-of-bounds accesses\n\nSanitize possible desc_ptr out-of-bounds accesses in\nses_enclosure_data_process().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it's possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundaries.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix memory leaks in i915 selftests\n\nThis patch fixes memory leaks on error escapes in function fake_get_pages\n\n(cherry picked from commit 8bfbdadce85c4c51689da10f39c805a7106d4567)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix system suspend without fbdev being initialized\n\nIf fbdev is not initialized for some reason - in practice on platforms\nwithout display - suspending fbdev should be skipped during system\nsuspend, fix this up. While at it add an assert that suspending fbdev\nonly happens with the display present.\n\nThis fixes the following:\n\n[   91.227923] PM: suspend entry (s2idle)\n[   91.254598] Filesystems sync: 0.025 seconds\n[   91.270518] Freezing user space processes\n[   91.272266] Freezing user space processes completed (elapsed 0.001 seconds)\n[   91.272686] OOM killer disabled.\n[   91.272872] Freezing remaining freezable tasks\n[   91.274295] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[   91.659622] BUG: kernel NULL pointer dereference, address: 00000000000001c8\n[   91.659981] #PF: supervisor write access in kernel mode\n[   91.660252] #PF: error_code(0x0002) - not-present page\n[   91.660511] PGD 0 P4D 0\n[   91.660647] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[   91.660875] CPU: 4 PID: 917 Comm: bash Not tainted 6.2.0-rc7+ #54\n[   91.661185] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20221117gitfff6d81270b5-9.fc37 unknown\n[   91.661680] RIP: 0010:mutex_lock+0x19/0x30\n[   91.661914] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 53 48 89 fb e8 62 d3 ff ff 31 c0 65 48 8b 14 25 00 15 03 00 <f0> 48 0f b1 13 75 06 5b c3 cc cc cc cc 48 89 df 5b eb b4 0f 1f 40\n[   91.662840] RSP: 0018:ffffa1e8011ffc08 EFLAGS: 00010246\n[   91.663087] RAX: 0000000000000000 RBX: 00000000000001c8 RCX: 0000000000000000\n[   91.663440] RDX: ffff8be455eb0000 RSI: 0000000000000001 RDI: 00000000000001c8\n[   91.663802] RBP: ffff8be459440000 R08: ffff8be459441f08 R09: ffffffff8e1432c0\n[   91.664167] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[   91.664532] R13: 00000000000001c8 R14: 
0000000000000000 R15: ffff8be442f4fb20\n[   91.664905] FS:  00007f28ffc16740(0000) GS:ffff8be4bb900000(0000) knlGS:0000000000000000\n[   91.665334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   91.665626] CR2: 00000000000001c8 CR3: 0000000114926006 CR4: 0000000000770ee0\n[   91.665988] PKRU: 55555554\n[   91.666131] Call Trace:\n[   91.666265]  <TASK>\n[   91.666381]  intel_fbdev_set_suspend+0x97/0x1b0 [i915]\n[   91.666738]  i915_drm_suspend+0xb9/0x100 [i915]\n[   91.667029]  pci_pm_suspend+0x78/0x170\n[   91.667234]  ? __pfx_pci_pm_suspend+0x10/0x10\n[   91.667461]  dpm_run_callback+0x47/0x150\n[   91.667673]  __device_suspend+0x10a/0x4e0\n[   91.667880]  dpm_suspend+0x134/0x270\n[   91.668069]  dpm_suspend_start+0x79/0x80\n[   91.668272]  suspend_devices_and_enter+0x11b/0x890\n[   91.668526]  pm_suspend.cold+0x270/0x2fc\n[   91.668737]  state_store+0x46/0x90\n[   91.668916]  kernfs_fop_write_iter+0x11b/0x200\n[   91.669153]  vfs_write+0x1e1/0x3a0\n[   91.669336]  ksys_write+0x53/0xd0\n[   91.669510]  do_syscall_64+0x58/0xc0\n[   91.669699]  ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0\n[   91.669980]  ? syscall_exit_to_user_mode_prepare+0x18e/0x1c0\n[   91.670278]  ? syscall_exit_to_user_mode+0x17/0x40\n[   91.670524]  ? do_syscall_64+0x67/0xc0\n[   91.670717]  ? __irq_exit_rcu+0x3d/0x140\n[   91.670931]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[   91.671202] RIP: 0033:0x7f28ffd14284\n\nv2: CC stable. (Jani)\n\nReferences: https://gitlab.freedesktop.org/drm/intel/-/issues/8015\n(cherry picked from commit 9542d708409a41449e99c9a464deb5e062c4bee2)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt7601u: fix an integer underflow\n\nFix an integer underflow that leads to a null pointer dereference in\n'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet\ncould be manipulated, which could trigger an integer underflow of\n'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently\ncauses the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be\nbypassed, eventually leading to a dereference of the pointer 'p', which\nis a null pointer.\n\nEnsure that 'dma_len' is greater than 'min_seg_len'.\n\nFound by a modified version of syzkaller.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G        W  O      5.14.0+\n#139\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS:  0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n mt7601u_rx_tasklet+0xc73/0x1270\n ? 
mt7601u_submit_rx_buf.isra.0+0x510/0x510\n ? tasklet_action_common.isra.0+0x79/0x2f0\n tasklet_action_common.isra.0+0x206/0x2f0\n __do_softirq+0x1b5/0x880\n ? tasklet_unlock+0x30/0x30\n run_ksoftirqd+0x26/0x50\n smpboot_thread_fn+0x34f/0x7d0\n ? smpboot_register_percpu_thread+0x370/0x370\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\nModules linked in: 88XXau(O) 88x2bu(O)\n---[ end trace 57f34f93b4da0f9b ]---\nRIP: 0010:skb_add_rx_frag+0x143/0x370\nCode: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44\n89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02\n00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00\nRSP: 0018:ffffc900000cfc90 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8\nRBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010\nR10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000\nR13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008\nFS:  0000000000000000(0000) GS:ffff88811a800000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL\n\nOPDESC() simply indexes into nfsd4_ops[] by the op's operation\nnumber, without range checking that value. It assumes callers are\ncareful to avoid calling it with an out-of-bounds opnum value.\n\nnfsd4_decode_compound() is not so careful, and can invoke OPDESC()\nwith opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end\nof nfsd4_ops[].",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: Fix __bch_btree_node_alloc to make the failure behavior consistent\n\nIn some specific situations, the return value of __bch_btree_node_alloc\nmay be NULL. This may lead to a potential NULL pointer dereference in a\ncaller function, such as the calling chain:\nbtree_split->bch_btree_node_alloc->__bch_btree_node_alloc.\n\nFix it by initializing the return value in __bch_btree_node_alloc.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (xgene) Fix ioremap and memremap leak\n\nSmatch reports:\n\ndrivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:\n'ctx->pcc_comm_addr' from ioremap() not released on line: 757.\n\nThis is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),\nioremap and memremap are not released, which may cause a leak.\n\nTo fix this, ioremap and memremap are modified to devm_ioremap and\ndevm_memremap.\n\n[groeck: Fixed formatting and subject]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()\n\nsyzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for a\ncrafted filesystem image can contain a bogus length. These conditions are\nnot kernel bugs that can justify a kernel panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Zero padding when dumping algos and encap\n\nWhen copying data to user-space we should ensure that only valid\ndata is copied over.  Padding in structures may be filled with\nrandom (possibly sensitive) data and should never be given directly\nto user-space.\n\nThis patch fixes the copying of xfrm algorithms and the encap\ntemplate in xfrm_user so that padding is zeroed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: Fix memory leak for detached NAPI queue.\n\nsyzkaller reported [0] memory leaks of sk and skb related to the TUN\ndevice with no repro, but we can reproduce it easily with:\n\n  struct ifreq ifr = {}\n  int fd_tun, fd_tmp;\n  char buf[4] = {};\n\n  fd_tun = openat(AT_FDCWD, \"/dev/net/tun\", O_WRONLY, 0);\n  ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE;\n  ioctl(fd_tun, TUNSETIFF, &ifr);\n\n  ifr.ifr_flags = IFF_DETACH_QUEUE;\n  ioctl(fd_tun, TUNSETQUEUE, &ifr);\n\n  fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0);\n  ifr.ifr_flags = IFF_UP;\n  ioctl(fd_tmp, SIOCSIFFLAGS, &ifr);\n\n  write(fd_tun, buf, sizeof(buf));\n  close(fd_tun);\n\nIf we enable NAPI and multi-queue on a TUN device, we can put skb into\ntfile->sk.sk_write_queue after the queue is detached.  We should prevent\nit by checking tfile->detached before queuing skb.\n\nNote this must be done under tfile->sk.sk_write_queue.lock because write()\nand ioctl(IFF_DETACH_QUEUE) can run concurrently.  Otherwise, there would\nbe a small race window:\n\n  write()                             ioctl(IFF_DETACH_QUEUE)\n  `- tun_get_user                     `- __tun_detach\n     |- if (tfile->detached)             |- tun_disable_queue\n     |  `-> false                        |  `- tfile->detached = tun\n     |                                   `- tun_queue_purge\n     |- spin_lock_bh(&queue->lock)\n     `- __skb_queue_tail(queue, skb)\n\nAnother solution is to call tun_queue_purge() when closing and\nreattaching the detached queue, but it could paper over another\nproblems.  
Also, we do the same kind of test for IFF_NAPI_FRAGS.\n\n[0]:\nunreferenced object 0xffff88801edbc800 (size 2048):\n  comm \"syz-executor.1\", pid 33269, jiffies 4295743834 (age 18.756s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............\n  backtrace:\n    [<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline]\n    [<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979\n    [<000000003addde56>] kmalloc include/linux/slab.h:563 [inline]\n    [<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035\n    [<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088\n    [<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438\n    [<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165\n    [<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414\n    [<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920\n    [<000000008eb24774>] do_open fs/namei.c:3636 [inline]\n    [<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791\n    [<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818\n    [<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356\n    [<00000000057be699>] do_sys_open fs/open.c:1372 [inline]\n    [<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline]\n    [<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline]\n    [<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383\n    [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80\n    [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nunreferenced object 0xffff88802f671700 (size 240):\n  comm \"syz-executor.1\", pid 33269, jiffies 4295743854 (age 18.736s)\n  hex dump (first 32 bytes):\n    68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff  h.......h.......\n    00 c0 7b 2f 80 88 ff 
ff 00 c8 db 1e 80 88 ff ff  ..{/............\n  backtrace:\n    [<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644\n    [<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline]\n    [<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378\n    [<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729\n    [<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline]\n    [<\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: fix null-ptr-deref in handshake_nl_done_doit()\n\nWe should not call trace_handshake_cmd_done_err() if socket lookup has failed.\n\nAlso we should call trace_handshake_cmd_done_err() before releasing the file,\notherwise dereferencing sock->sk can return garbage.\n\nThis also reverts 7afc6d0a107f (\"net/handshake: Fix uninitialized local variable\")\n\nUnable to handle kernel paging request at virtual address dfff800000000003\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nMem abort info:\nESR = 0x0000000096000005\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nData abort info:\nISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[dfff800000000003] address between user and kernel address ranges\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\nlr : handshake_nl_done_doit+0x180/0x9c8\nsp : ffff800096e37180\nx29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000\nx26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8\nx23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000\nx20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000\nx17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001\nx14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003\nx8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000\nx5 : 
0000000000000000 x4 : 0000000000000000 x3 : ffff800080a88078\nx2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000\nCall trace:\nhandshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193\ngenl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]\ngenl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]\ngenl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067\nnetlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549\ngenl_rcv+0x38/0x50 net/netlink/genetlink.c:1078\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914\nsock_sendmsg_nosec net/socket.c:725 [inline]\nsock_sendmsg net/socket.c:748 [inline]\n____sys_sendmsg+0x56c/0x840 net/socket.c:2494\n___sys_sendmsg net/socket.c:2548 [inline]\n__sys_sendmsg+0x26c/0x33c net/socket.c:2577\n__do_sys_sendmsg net/socket.c:2586 [inline]\n__se_sys_sendmsg net/socket.c:2584 [inline]\n__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584\n__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\ninvoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\nel0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\ndo_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\nel0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591\nCode: 12800108 b90043e8 910062b3 d343fe68 (387b6908)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk\n\nWhen the best clk is searched, we iterate over all possible clk.\n\nIf we find a better match, the previous one, if any, needs to be freed.\nIf a better match has already been found, we still need to free the new\none, otherwise it leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free read in ext4_find_extent for bigalloc + inline\n\nSyzbot found the following issue:\nloop0: detected capacity change from 0 to 2048\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.\n==================================================================\nBUG: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\nBUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\nRead of size 4 at addr ffff888073644750 by task syz-executor420/5067\n\nCPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:306\n print_report+0x107/0x1f0 mm/kasan/report.c:417\n kasan_report+0xcd/0x100 mm/kasan/report.c:517\n ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline]\n ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931\n ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809\n ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline]\n ext4_da_map_blocks fs/ext4/inode.c:1806 [inline]\n ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870\n ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098\n ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285\n ext4_file_write_iter+0x1d0/0x18f0\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n 
entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f4b7a9737b9\nRSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9\nRDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004\nRBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nThe above issue happens when the bigalloc and inline data features are enabled.\nCommit 131294c35ed6 fixed the delayed allocation bug in ext4_clu_mapped for\nbigalloc + inline, but it only resolved the issue when there is inline data: if the\ninline data has been converted to an extent (ext4_da_convert_inline_data_to_extent)\nbefore writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However,\ni_data still stores inline data in this scenario, which then triggers a UAF\nwhen finding the extent.\nTo resolve the above issue, the check \"ext4_has_inline_data(inode)\" needs to be added\nin ext4_clu_mapped().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix the memory leak in raw_gadget driver\n\nCurrently, increasing raw_dev->count happens before invoking\nraw_queue_event(); if raw_queue_event() returns an error, invoking\nraw_release() will not trigger dev_free() to be called.\n\n[  268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event\n[  268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12\n[  268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12\n[  268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy\n[  268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16\n\nBUG: memory leak\n\n[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[<ffffffff8347eb55>] kmalloc include/linux/slab.h:582 [inline]\n[<ffffffff8347eb55>] kzalloc include/linux/slab.h:703 [inline]\n[<ffffffff8347eb55>] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]\n[<ffffffff8347eb55>] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385\n[<ffffffff827d1d09>] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165\n\n[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[<ffffffff8347cd2f>] kmalloc include/linux/slab.h:582 [inline]\n[<ffffffff8347cd2f>] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460\n[<ffffffff8347dfe9>] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250\n[<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]\n\n[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[<ffffffff833ecc6a>] kmalloc include/linux/slab.h:582 [inline]\n[<ffffffff833ecc6a>] kzalloc include/linux/slab.h:703 [inline]\n[<ffffffff833ecc6a>] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665\n[<ffffffff833e9132>] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196\n[<ffffffff8347f13d>] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292\n\nThis commit therefore invokes kref_get() under the condition that\nraw_queue_event() returns success.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: ftrace: Fixup panic by disabling preemption\n\nIn RISCV, we must use an AUIPC + JALR pair to encode an immediate,\nforming a jump that jumps to an address over 4K. This may cause errors\nif we want to enable kernel preemption and remove dependency from\npatching code with stop_machine(). For example, if a task was switched\nout on auipc, and if we changed the ftrace function before it was\nswitched back, then it would jump to an address that has updated 11:0\nbits mixing with previous XLEN:12 part.\n\np: patched area performed by dynamic ftrace\nftrace_prologue:\np|      REG_S   ra, -SZREG(sp)\np|      auipc   ra, 0x? ------------> preempted\n\t\t\t\t\t...\n\t\t\t\tchange ftrace function\n\t\t\t\t\t...\np|      jalr    -?(ra) <------------- switched back\np|      REG_L   ra, -SZREG(sp)\nfunc:\n\txxx\n\tret",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Detect system inodes linked into directory hierarchy\n\nWhen a UDF filesystem is corrupted, hidden system inodes can be linked\ninto the directory hierarchy, which is an avenue for further serious\ncorruption of the filesystem and kernel confusion as noticed by syzbot\nfuzzed images. Refuse to access system inodes linked into the directory\nhierarchy and vice versa.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix memory leak in qla2x00_probe_one()\n\nThere is a memory leak reported by kmemleak:\n\n  unreferenced object 0xffffc900003f0000 (size 12288):\n    comm \"modprobe\", pid 19117, jiffies 4299751452 (age 42490.264s)\n    hex dump (first 32 bytes):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<00000000629261a8>] __vmalloc_node_range+0xe56/0x1110\n      [<0000000001906886>] __vmalloc_node+0xbd/0x150\n      [<000000005bb4dc34>] vmalloc+0x25/0x30\n      [<00000000a2dc1194>] qla2x00_create_host+0x7a0/0xe30 [qla2xxx]\n      [<0000000062b14b47>] qla2x00_probe_one+0x2eb8/0xd160 [qla2xxx]\n      [<00000000641ccc04>] local_pci_probe+0xeb/0x1a0\n\nThe root cause is traced to an error-handling path in qla2x00_probe_one()\nwhen initialization of the adapter \"base_vha\" failed. The fab_scan_rp \"scan.l\" is\nused to record the port information and it is allocated in\nqla2x00_create_host(). However, it is not released in the error handling\npath \"probe_failed\".\n\nFix this by freeing the memory of \"scan.l\" when an error occurs in the\nadapter initialization process.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()\n\nMemory pointed by 'nd_pmu->pmu.attr_groups' is allocated in function\n'register_nvdimm_pmu' and is lost after 'kfree(nd_pmu)' call in function\n'unregister_nvdimm_pmu'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix refcount underflow in error path\n\nFix a refcount underflow problem reported by syzbot that can happen\nwhen a system is running out of memory. If xp_alloc_tx_descs() fails,\nand it can only fail due to not having enough memory, then the error\npath is triggered. In this error path, the refcount of the pool is\ndecremented as it had been incremented before. However, the reference to\nthe pool in the socket was not nulled. This means that when the socket\nis closed later, the socket teardown logic will think that there is a\npool attached to the socket and try to decrease the refcount again,\nleading to a refcount underflow.\n\nI chose this fix as it involved adding just a single line. Another\noption would have been to move xp_get_pool() and the assignment of\nxs->pool to after the if-statement and using xs_umem->pool instead of\nxs->pool in the whole if-statement resulting in somewhat simpler code,\nbut this would have led to much more churn in the code base perhaps\nmaking it harder to backport.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: move memblock_allow_resize() after linear mapping is ready\n\nThe initial memblock metadata is accessed from kernel image mapping. The\nregions arrays need to be \"reallocated\" from memblock and accessed through\nlinear mapping to cover more memblock regions. So the resizing should\nnot be allowed until linear mapping is ready. Note that there are\nmemblock allocations when building linear mapping.\n\nThis patch is similar to 24cc61d8cb5a (\"arm64: memblock: don't permit\nmemblock resizing until linear mapping is up\").\n\nIn the following log, many memblock regions are reserved before\ncreate_linear_mapping_page_table(). And then it triggered reallocation\nof memblock.reserved.regions and memcpy the old array in kernel image\nmapping to the new array in linear mapping which caused a page fault.\n\n[    0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6\n[    0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000\n[    0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae\n[    0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c\n[    0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128\n[    0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff]\n[    0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000\n[    0.000000] Oops [#1]\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66\n[    0.000000] Hardware name: riscv-virtio,qemu (DT)\n[    0.000000] epc : __memcpy+0x60/0xf8\n[    0.000000]  ra : memblock_double_array+0x192/0x248\n[    0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0\n[    0.000000]  gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000\n[    0.000000]  t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60\n[    0.000000]  s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8\n[    0.000000]  a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000\n[    0.000000]  a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000\n[    0.000000]  s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00\n[    0.000000]  s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000\n[    0.000000]  s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000\n[    0.000000]  s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000\n[    0.000000]  t5 : 000000008f003000 t6 : ff600000ffffd000\n[    0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f\n[    0.000000] [<fff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: max9286: Fix memleak in max9286_v4l2_register()\n\nThere is a kmemleak when testing the media/i2c/max9286.c with bpf mock\ndevice:\n\nkmemleak: 5 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nunreferenced object 0xffff88810defc400 (size 256):\n  comm \"python3\", pid 278, jiffies 4294737563 (age 31.978s)\n  hex dump (first 32 bytes):\n    28 06 a7 0a 81 88 ff ff 00 fe 22 12 81 88 ff ff  (.........\".....\n    10 c4 ef 0d 81 88 ff ff 10 c4 ef 0d 81 88 ff ff  ................\n  backtrace:\n    [<00000000191de6a7>] __kmalloc_node+0x44/0x1b0\n    [<000000002f4912b7>] kvmalloc_node+0x34/0x180\n    [<0000000057dc4cae>] v4l2_ctrl_new+0x325/0x10f0 [videodev]\n    [<0000000026030272>] v4l2_ctrl_new_std+0x16f/0x210 [videodev]\n    [<00000000f0d9ea2f>] max9286_probe+0x76e/0xbff [max9286]\n    [<00000000ea8f6455>] i2c_device_probe+0x28d/0x680\n    [<0000000087529af3>] really_probe+0x17c/0x3f0\n    [<00000000b08be526>] __driver_probe_device+0xe3/0x170\n    [<000000004382edea>] driver_probe_device+0x49/0x120\n    [<000000007bde528a>] __device_attach_driver+0xf7/0x150\n    [<000000009f9c6ab4>] bus_for_each_drv+0x114/0x180\n    [<00000000c8aaf588>] __device_attach+0x1e5/0x2d0\n    [<0000000041cc06b9>] bus_probe_device+0x126/0x140\n    [<000000002309860d>] device_add+0x810/0x1130\n    [<000000002827bf98>] i2c_new_client_device+0x359/0x4f0\n    [<00000000593bdc85>] of_i2c_register_device+0xf1/0x110\n\nmax9286_v4l2_register() calls v4l2_ctrl_new_std(), but won't free the\ncreated v4l2_ctrl when fwnode_graph_get_endpoint_by_id() failed, which\ncauses the memleak. Call v4l2_ctrl_handler_free() to free the v4l2_ctrl.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/crypto: use vector instructions only if available for ChaCha20\n\nCommit 349d03ffd5f6 (\"crypto: s390 - add crypto library interface for\nChaCha20\") added a library interface to the s390 specific ChaCha20\nimplementation. However no check was added to verify if the required\nfacilities are installed before branching into the assembler code.\n\nIf compiled into the kernel, this will lead to the following crash,\nif vector instructions are not available:\n\ndata exception: 0007 ilc:3 [#1] SMP\nModules linked in:\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7+ #11\nHardware name: IBM 3931 A01 704 (KVM/Linux)\nKrnl PSW : 0704e00180000000 000000001857277a (chacha20_vx+0x32/0x818)\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000037f0000000a ffffffffffffff60 000000008184b000 0000000019f5c8e6\n           0000000000000109 0000037fffb13c58 0000037fffb13c78 0000000019bb1780\n           0000037fffb13c58 0000000019f5c8e6 000000008184b000 0000000000000109\n           00000000802d8000 0000000000000109 0000000018571ebc 0000037fffb13718\nKrnl Code: 000000001857276a: c07000b1f80b        larl    %r7,0000000019bb1780\n           0000000018572770: a708000a            lhi     %r0,10\n          #0000000018572774: e78950000c36        vlm     %v24,%v25,0(%r5),0\n          >000000001857277a: e7a060000806        vl      %v26,0(%r6),0\n           0000000018572780: e7bf70004c36        vlm     %v27,%v31,0(%r7),4\n           0000000018572786: e70b00000456        vlr     %v0,%v27\n           000000001857278c: e71800000456        vlr     %v1,%v24\n           0000000018572792: e74b00000456        vlr     %v4,%v27\nCall Trace:\n [<000000001857277a>] chacha20_vx+0x32/0x818\nLast Breaking-Event-Address:\n [<0000000018571eb6>] chacha20_crypt_s390.constprop.0+0x6e/0xd8\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n\nFix this by adding a missing MACHINE_HAS_VX check.\n\n[agordeev@linux.ibm.com: remove duplicates in commit message]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix for shift-out-of-bounds\n\nShift operation of 'exp' and 'shift' variables exceeds the maximum number\nof shift values in the u32 range leading to UBSAN shift-out-of-bounds.\n\n...\n[    6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50\n[    6.120598] shift exponent 104 is too large for 64-bit type 'long unsigned int'\n[    6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10\n[    6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023\n[    6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh]\n[    6.120687] Call Trace:\n[    6.120690]  <TASK>\n[    6.120694]  dump_stack_lvl+0x48/0x70\n[    6.120704]  dump_stack+0x10/0x20\n[    6.120707]  ubsan_epilogue+0x9/0x40\n[    6.120716]  __ubsan_handle_shift_out_of_bounds+0x10f/0x170\n[    6.120720]  ? psi_group_change+0x25f/0x4b0\n[    6.120729]  float_to_int.cold+0x18/0xba [amd_sfh]\n[    6.120739]  get_input_rep+0x57/0x340 [amd_sfh]\n[    6.120748]  ? __schedule+0xba7/0x1b60\n[    6.120756]  ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]\n[    6.120764]  amd_sfh_work_buffer+0x91/0x180 [amd_sfh]\n[    6.120772]  process_one_work+0x229/0x430\n[    6.120780]  worker_thread+0x4a/0x3c0\n[    6.120784]  ? __pfx_worker_thread+0x10/0x10\n[    6.120788]  kthread+0xf7/0x130\n[    6.120792]  ? __pfx_kthread+0x10/0x10\n[    6.120795]  ret_from_fork+0x29/0x50\n[    6.120804]  </TASK>\n...\n\nFix this by adding the condition to validate shift ranges.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()\n\nReplace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc()\nwhich can automatically release the related memory when the device\nor driver is removed or unloaded to avoid potential memory leak.\n\nIn this case, iounmap(anatop_base) in lines 427 and 433 are removed\nas manual release is not required.\n\nBesides, referring to clk-imx8mq.c, check the return code of\nof_clk_add_hw_provider; if it returns negative, print error info\nand unregister hws, which makes the program more robust.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bounds access in ipv6_find_tlv()\n\noptlen is fetched without checking whether there is more than one byte to parse.\nIt can lead to out-of-bounds access.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmemmap/devdax: fix kernel crash when probing devdax devices\n\ncommit 4917f55b4ef9 (\"mm/sparse-vmemmap: improve memory savings for\ncompound devmaps\") added support for using optimized vmmemap for devdax\ndevices.  But how vmemmap mappings are created is architecture specific. \nFor example, powerpc with hash translation doesn't have vmemmap mappings\nin the init_mm page table; instead they are bolted table entries in the\nhardware page table.\n\nvmemmap_populate_compound_pages() used by vmemmap optimization code is not\naware of these architecture-specific mappings.  Hence allow architectures to\nopt for this feature.  I selected architectures supporting the\nHUGETLB_PAGE_OPTIMIZE_VMEMMAP option as also supporting this feature.\n\nThis patch fixes the below crash on ppc64.\n\nBUG: Unable to handle kernel data access on write at 0xc00c000100400038\nFaulting instruction address: 0xc000000001269d90\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in:\nCPU: 7 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc5-150500.34-default+ #2 5c90a668b6bbd142599890245c2fb5de19d7d28a\nHardware name: IBM,9009-42G POWER9 (raw) 0x4e0202 0xf000005 of:IBM,FW950.40 (VL950_099) hv:phyp pSeries\nNIP:  c000000001269d90 LR: c0000000004c57d4 CTR: 0000000000000000\nREGS: c000000003632c30 TRAP: 0300   Not tainted  (6.3.0-rc5-150500.34-default+)\nMSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24842228  XER: 00000000\nCFAR: c0000000004c57d0 DAR: c00c000100400038 DSISR: 42000000 IRQMASK: 0\n....\nNIP [c000000001269d90] __init_single_page.isra.74+0x14/0x4c\nLR [c0000000004c57d4] __init_zone_device_page+0x44/0xd0\nCall Trace:\n[c000000003632ed0] [c000000003632f60] 0xc000000003632f60 (unreliable)\n[c000000003632f10] [c0000000004c5ca0] memmap_init_zone_device+0x170/0x250\n[c000000003632fe0] [c0000000005575f8] memremap_pages+0x2c8/0x7f0\n[c0000000036330c0] [c000000000557b5c] devm_memremap_pages+0x3c/0xa0\n[c000000003633100] [c000000000d458a8] dev_dax_probe+0x108/0x3e0\n[c0000000036331a0] [c000000000d41430] dax_bus_probe+0xb0/0x140\n[c0000000036331d0] [c000000000cef27c] really_probe+0x19c/0x520\n[c000000003633260] [c000000000cef6b4] __driver_probe_device+0xb4/0x230\n[c0000000036332e0] [c000000000cef888] driver_probe_device+0x58/0x120\n[c000000003633320] [c000000000cefa6c] __device_attach_driver+0x11c/0x1e0\n[c0000000036333a0] [c000000000cebc58] bus_for_each_drv+0xa8/0x130\n[c000000003633400] [c000000000ceefcc] __device_attach+0x15c/0x250\n[c0000000036334a0] [c000000000ced458] bus_probe_device+0x108/0x110\n[c0000000036334f0] [c000000000ce92dc] device_add+0x7fc/0xa10\n[c0000000036335b0] [c000000000d447c8] devm_create_dev_dax+0x1d8/0x530\n[c000000003633640] [c000000000d46b60] __dax_pmem_probe+0x200/0x270\n[c0000000036337b0] [c000000000d46bf0] dax_pmem_probe+0x20/0x70\n[c0000000036337d0] [c000000000d2279c] nvdimm_bus_probe+0xac/0x2b0\n[c000000003633860] [c000000000cef27c] really_probe+0x19c/0x520\n[c0000000036338f0] [c000000000cef6b4] __driver_probe_device+0xb4/0x230\n[c000000003633970] [c000000000cef888] driver_probe_device+0x58/0x120\n[c0000000036339b0] [c000000000cefd08] __driver_attach+0x1d8/0x240\n[c000000003633a30] [c000000000cebb04] bus_for_each_dev+0xb4/0x130\n[c000000003633a90] [c000000000cee564] driver_attach+0x34/0x50\n[c000000003633ab0] [c000000000ced878] bus_add_driver+0x218/0x300\n[c000000003633b40] [c000000000cf1144] driver_register+0xa4/0x1b0\n[c000000003633bb0] [c000000000d21a0c] __nd_driver_register+0x5c/0x100\n[c000000003633c10] [c00000000206a2e8] dax_pmem_init+0x34/0x48\n[c000000003633c30] [c0000000000132d0] do_one_initcall+0x60/0x320\n[c000000003633d00] [c0000000020051b0] kernel_init_freeable+0x360/0x400\n[c000000003633de0] [c000000000013764] kernel_init+0x34/0x1d0\n[c000000003633e50] [c00000000000de14] ret_from_kernel_thread+0x5c/0x64",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix integer overflow in amdgpu_cs_pass1\n\nThe type of size is unsigned int; if size is 0x40000000, there will\nbe an integer overflow: size will be zero after size *= sizeof(uint32_t),\nwhich will cause uninitialized memory to be referenced later.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects\n\nIf a badly constructed firmware includes multiple `ACPI_TYPE_PACKAGE`\nobjects while evaluating the AMD LPS0 _DSM, there will be a memory\nleak.  Explicitly guard against this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Handle race between rb_move_tail and rb_check_pages\n\nThere seems to be a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is being updated, while at the same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\n\n  rb_check_pages()            rb_handle_head_page():\n  --------                    --------\n  rb_head_page_deactivate()\n                              rb_head_page_set_normal()\n  rb_head_page_activate()\n\nWe do integrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let's refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n\n[1] and [2] are the test to reproduce and the crash report respectively.\n\n1:\n``` read_trace.sh\n  while true;\n  do\n    # the \"trace\" file is closed after read\n    head -1 /sys/kernel/tracing/trace > /dev/null\n  done\n```\n``` repro.sh\n  sysctl -w kernel.panic_on_warn=1\n  # function tracer will write enough data into ring_buffer\n  echo function > /sys/kernel/tracing/current_tracer\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n```\n\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G        W          6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS:  0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n <TASK>\n ring_buffer_lock_reserve+0x136/0x360\n ? __do_softirq+0x287/0x2df\n ? __pfx_rcu_softirq_qs+0x10/0x10\n trace_function+0x21/0x110\n ? __pfx_rcu_softirq_qs+0x10/0x10\n ? __do_softirq+0x287/0x2df\n function_trace_call+0xf6/0x120\n 0xffffffffc038f097\n ? rcu_softirq_qs+0x5/0x140\n rcu_softirq_qs+0x5/0x140\n __do_softirq+0x287/0x2df\n run_ksoftirqd+0x2a/0x30\n smpboot_thread_fn+0x188/0x220\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0xe7/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n </TASK>\n---[ end trace 0000000000000000 ]---\n\n[ crash report and test reproducer credit goes to Zheng Yejian]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix error code of return in mt7921_acpi_read\n\nKernel NULL pointer dereference when ACPI SAR table isn't implemented well.\nFix the error code of return to mark the ACPI SAR table as invalid.\n\n[    5.077128] mt7921e 0000:06:00.0: sar cnt = 0\n[    5.077381] BUG: kernel NULL pointer dereference, address:\n0000000000000004\n[    5.077630] #PF: supervisor read access in kernel mode\n[    5.077883] #PF: error_code(0x0000) - not-present page\n[    5.078138] PGD 0 P4D 0\n[    5.078398] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[    5.079202] RIP: 0010:mt7921_init_acpi_sar+0x106/0x220\n[mt7921_common]\n...\n[    5.080786] Call Trace:\n[    5.080786]  <TASK>\n[    5.080786]  mt7921_register_device+0x37d/0x490 [mt7921_common]\n[    5.080786]  mt7921_pci_probe.part.0+0x2ee/0x310 [mt7921e]\n[    5.080786]  mt7921_pci_probe+0x52/0x70 [mt7921e]\n[    5.080786]  local_pci_probe+0x47/0x90\n[    5.080786]  pci_call_probe+0x55/0x190\n[    5.080786]  pci_device_probe+0x84/0x120",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a potential data corruption\n\nWe must ensure that the subrequests are joined back into the head before\nwe can retransmit a request. If the head was not on the commit lists,\nbecause the server wrote it synchronously, we still need to add it back\nto the retransmission list.\nAdd a call that mirrors the effect of nfs_cancel_remove_inode() for\nO_DIRECT.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9317/1: kexec: Make smp stop calls asynchronous\n\nIf a panic is triggered by a hrtimer interrupt all online cpus will be\nnotified and set offline. But as highlighted by commit 19dbdcb8039c\n(\"smp: Warn on function calls from softirq context\") this call should\nnot be made synchronous with disabled interrupts:\n\n softdog: Initiating panic\n Kernel panic - not syncing: Software Watchdog Timer expired\n WARNING: CPU: 1 PID: 0 at kernel/smp.c:753 smp_call_function_many_cond\n   unwind_backtrace:\n     show_stack\n     dump_stack_lvl\n     __warn\n     warn_slowpath_fmt\n     smp_call_function_many_cond\n     smp_call_function\n     crash_smp_send_stop.part.0\n     machine_crash_shutdown\n     __crash_kexec\n     panic\n     softdog_fire\n     __hrtimer_run_queues\n     hrtimer_interrupt\n\nMake the smp call for machine_crash_nonpanic_core() asynchronous.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: sme: Use STR P to clear FFR context field in streaming SVE mode\n\nThe FFR is a predicate register which can vary between 16 and 256 bits\nin size depending upon the configured vector length. When saving the\nSVE state in streaming SVE mode, the FFR register is inaccessible and\nso commit 9f5848665788 (\"arm64/sve: Make access to FFR optional\") simply\nclears the FFR field of the in-memory context structure. Unfortunately,\nit achieves this using an unconditional 8-byte store and so if the SME\nvector length is anything other than 64 bytes in size we will either\nfail to clear the entire field or, worse, we will corrupt memory\nimmediately following the structure. This has led to intermittent kfence\nsplats in CI [1] and can trigger kmalloc Redzone corruption messages\nwhen running the 'fp-stress' kselftest:\n\n | =============================================================================\n | BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten\n | -----------------------------------------------------------------------------\n |\n | 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc\n | Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531\n |  __kmalloc+0x8c/0xcc\n |  do_sme_acc+0x9c/0x220\n |  ...\n\nReplace the 8-byte store with a store of a predicate register which has\nbeen zero-initialised with PFALSE, ensuring that the entire field is\ncleared in memory.\n\n[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/stm: ltdc: fix late dereference check\n\nIn ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a\ncontainer_of() before the pointer check. This could cause a kernel panic.\n\nFix this smatch warning:\ndrivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex\n\nApparently the hex passphrase mechanism does not work on newer\nchips/firmware (e.g. BCM4387). It seems there was a simple way of\npassing it in binary all along, so use that and avoid the hexification.\n\nOpenBSD has been doing it like this from the beginning, so this should\nwork on all chips.\n\nAlso clear the structure before setting the PMK. This was leaking\nuninitialized stack contents to the device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix skb leak in __skb_tstamp_tx()\n\nCommit 50749f2dd685 (\"tcp/udp: Fix memleaks of sk and zerocopy skbs with\nTX timestamp.\") added a call to skb_orphan_frags_rx() to fix leaks with\nzerocopy skbs. But it ended up adding a leak of its own. When\nskb_orphan_frags_rx() fails, the function just returns, leaking the skb\nit just cloned. Free it before returning.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3.5"
        },
        {
          "id": "CVE-2023-53717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()\n\nFix a stack-out-of-bounds write that occurs in a WMI response callback\nfunction that is called after a timeout occurs in ath9k_wmi_cmd().\nThe callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that\ncould no longer be valid when a timeout occurs. Set wmi->last_seq_id to\n0 when a timeout occurred.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx\nWrite of size 4\nCall Trace:\n memcpy\n ath9k_wmi_ctrl_rx\n ath9k_htc_rx_msg\n ath9k_hif_usb_reg_in_cb\n __usb_hcd_giveback_urb\n usb_hcd_giveback_urb\n dummy_timer\n call_timer_fn\n run_timer_softirq\n __do_softirq\n irq_exit_rcu\n sysvec_apic_timer_interrupt",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not swap cpu_buffer during resize process\n\nWhen ring_buffer_swap_cpu was called during resize process,\nthe cpu buffer was swapped in the middle, resulting in incorrect state.\nContinuing to run in the wrong state will result in oops.\n\nThis issue can be easily reproduced using the following two scripts:\n/tmp # cat test1.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n         echo 2000 > /sys/kernel/debug/tracing/buffer_size_kb\n         sleep 0.5\n         echo 5000 > /sys/kernel/debug/tracing/buffer_size_kb\n         sleep 0.5\ndone\n/tmp # cat test2.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n        echo irqsoff > /sys/kernel/debug/tracing/current_tracer\n        sleep 1\n        echo nop > /sys/kernel/debug/tracing/current_tracer\n        sleep 1\ndone\n/tmp # ./test1.sh &\n/tmp # ./test2.sh &\n\nA typical oops log is as follows, sometimes with other different oops logs.\n\n[  231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8\n[  231.713375] Modules linked in:\n[  231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W          6.5.0-rc1-00276-g20edcec23f92 #15\n[  231.716750] Hardware name: linux,dummy-virt (DT)\n[  231.718152] Workqueue: events update_pages_handler\n[  231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  231.721171] pc : rb_update_pages+0x378/0x3f8\n[  231.722212] lr : rb_update_pages+0x25c/0x3f8\n[  231.723248] sp : ffff800082b9bd50\n[  231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000\n[  231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0\n[  231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a\n[  231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000\n[  231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510\n[  
231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002\n[  231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558\n[  231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001\n[  231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000\n[  231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208\n[  231.744196] Call trace:\n[  231.744892]  rb_update_pages+0x378/0x3f8\n[  231.745893]  update_pages_handler+0x1c/0x38\n[  231.746893]  process_one_work+0x1f0/0x468\n[  231.747852]  worker_thread+0x54/0x410\n[  231.748737]  kthread+0x124/0x138\n[  231.749549]  ret_from_fork+0x10/0x20\n[  231.750434] ---[ end trace 0000000000000000 ]---\n[  233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  233.721696] Mem abort info:\n[  233.721935]   ESR = 0x0000000096000004\n[  233.722283]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  233.722596]   SET = 0, FnV = 0\n[  233.722805]   EA = 0, S1PTW = 0\n[  233.723026]   FSC = 0x04: level 0 translation fault\n[  233.723458] Data abort info:\n[  233.723734]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  233.724176]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  233.724589]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000\n[  233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  233.726720] Modules linked in:\n[  233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W          6.5.0-rc1-00276-g20edcec23f92 #15\n[  233.727777] Hardware name: linux,dummy-virt (DT)\n[  233.728225] Workqueue: events update_pages_handler\n[  233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  233.729054] pc : rb_update_pages+0x1a8/0x3f8\n[  233.729334] lr : rb_update_pages+0x154/0x3f8\n[  233.729592] sp 
: ffff800082b9bd50\n[  233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: arc_uart: fix of_iomap leak in `arc_serial_probe`\n\nSmatch reports:\n\ndrivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:\n'port->membase' from of_iomap() not released on lines: 631.\n\nIn arc_serial_probe(), if uart_add_one_port() fails,\nport->membase is not released, which would cause a resource leak.\n\nTo fix this, I replace of_iomap with devm_platform_ioremap_resource.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Release the label when replacing existing ct entry\n\nCited commit doesn't release the label mapping when replacing existing ct\nentry which leads to following memleak report:\n\nunreferenced object 0xffff8881854cf280 (size 96):\n  comm \"kworker/u48:74\", pid 23093, jiffies 4296664564 (age 175.944s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000002722d368>] __kmalloc+0x4b/0x1c0\n    [<00000000cc44e18f>] mapping_add+0x6e8/0xc90 [mlx5_core]\n    [<000000003ad942a7>] mlx5_get_label_mapping+0x66/0xe0 [mlx5_core]\n    [<00000000266308ac>] mlx5_tc_ct_entry_create_mod_hdr+0x1c4/0xf50 [mlx5_core]\n    [<000000009a768b4f>] mlx5_tc_ct_entry_add_rule+0x16f/0xaf0 [mlx5_core]\n    [<00000000a178f3e5>] mlx5_tc_ct_block_flow_offload_add+0x10cb/0x1f90 [mlx5_core]\n    [<000000007b46c496>] mlx5_tc_ct_block_flow_offload+0x14a/0x630 [mlx5_core]\n    [<00000000a9a18ac5>] nf_flow_offload_tuple+0x1a3/0x390 [nf_flow_table]\n    [<00000000d0881951>] flow_offload_work_handler+0x257/0xd30 [nf_flow_table]\n    [<000000009e4935a4>] process_one_work+0x7c2/0x13e0\n    [<00000000f5cd36a7>] worker_thread+0x59d/0xec0\n    [<00000000baed1daf>] kthread+0x28f/0x330\n    [<0000000063d282a4>] ret_from_fork+0x1f/0x30\n\nFix the issue by correctly releasing the label mapping.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()\n\nIn ath12k_mac_op_hw_scan(), the return value of kzalloc() is directly\nused in memcpy(), which may lead to a NULL pointer dereference on\nfailure of kzalloc().\n\nFix this bug by adding a check of arg.extraie.ptr.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: raid1: fix potential OOB in raid1_remove_disk()\n\nIf rddev->raid_disk is greater than mddev->raid_disks, there will be\nan out-of-bounds in raid1_remove_disk(). We have already found\nsimilar reports as follows:\n\n1) commit d17f744e883b (\"md-raid10: fix KASAN warning\")\n2) commit 1ebc2cec0b7d (\"dm raid: fix KASAN warning in raid5_remove_disk\")\n\nFix this bug by checking whether the \"number\" variable is\nvalid.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend\n\nsdma_v4_0_ip is shared on a few asics, but in sdma_v4_0_hw_fini,\ndriver unconditionally disables ecc_irq which is only enabled on\nthose asics enabling sdma ecc. This will introduce a warning in\nsuspend cycle on those chips with sdma ip v4.0, while without\nsdma ecc. So this patch correct this.\n\n[ 7283.166354] RIP: 0010:amdgpu_irq_put+0x45/0x70 [amdgpu]\n[ 7283.167001] RSP: 0018:ffff9a5fc3967d08 EFLAGS: 00010246\n[ 7283.167019] RAX: ffff98d88afd3770 RBX: 0000000000000001 RCX: 0000000000000000\n[ 7283.167023] RDX: 0000000000000000 RSI: ffff98d89da30390 RDI: ffff98d89da20000\n[ 7283.167025] RBP: ffff98d89da20000 R08: 0000000000036838 R09: 0000000000000006\n[ 7283.167028] R10: ffffd5764243c008 R11: 0000000000000000 R12: ffff98d89da30390\n[ 7283.167030] R13: ffff98d89da38978 R14: ffffffff999ae15a R15: ffff98d880130105\n[ 7283.167032] FS:  0000000000000000(0000) GS:ffff98d996f00000(0000) knlGS:0000000000000000\n[ 7283.167036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7283.167039] CR2: 00000000f7a9d178 CR3: 00000001c42ea000 CR4: 00000000003506e0\n[ 7283.167041] Call Trace:\n[ 7283.167046]  <TASK>\n[ 7283.167048]  sdma_v4_0_hw_fini+0x38/0xa0 [amdgpu]\n[ 7283.167704]  amdgpu_device_ip_suspend_phase2+0x101/0x1a0 [amdgpu]\n[ 7283.168296]  amdgpu_device_suspend+0x103/0x180 [amdgpu]\n[ 7283.168875]  amdgpu_pmops_freeze+0x21/0x60 [amdgpu]\n[ 7283.169464]  pci_pm_freeze+0x54/0xc0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()\n\n`req` is allocated in pcf50633_adc_async_read(), but\nadc_enqueue_request() could fail to insert the `req` into queue.\nWe need to check the return value and free it in the case of failure.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe\n\nSmatch reports:\ndrivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()\nwarn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.\n\ntimer_baseaddr may have the problem of not being released after use,\nI replaced it with the devm_of_iomap() function and added the clk_put()\nfunction to cleanup the \"clk_ce\" and \"clk_cs\".",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: csum: Fix OoB access in IP checksum code for negative lengths\n\nAlthough commit c2c24edb1d9c (\"arm64: csum: Fix pathological zero-length\ncalls\") added an early return for zero-length input, syzkaller has\npopped up with an example of a _negative_ length which causes an\nundefined shift and an out-of-bounds read:\n\n | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975\n |\n | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\n | Call trace:\n |  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233\n |  show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240\n |  __dump_stack lib/dump_stack.c:88 [inline]\n |  dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n |  print_address_description mm/kasan/report.c:351 [inline]\n |  print_report+0x174/0x514 mm/kasan/report.c:462\n |  kasan_report+0xd4/0x130 mm/kasan/report.c:572\n |  kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187\n |  __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31\n |  do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n |  csum_partial+0x30/0x58 lib/checksum.c:128\n |  gso_make_checksum include/linux/skbuff.h:4928 [inline]\n |  __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332\n |  udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47\n |  ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119\n |  skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141\n |  __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401\n |  skb_gso_segment include/linux/netdevice.h:4859 [inline]\n |  validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659\n |  validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709\n |  sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327\n |  
__dev_xmit_skb net/core/dev.c:3805 [inline]\n |  __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210\n |  dev_queue_xmit include/linux/netdevice.h:3085 [inline]\n |  packet_xmit+0x6c/0x318 net/packet/af_packet.c:276\n |  packet_snd net/packet/af_packet.c:3081 [inline]\n |  packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113\n |  sock_sendmsg_nosec net/socket.c:724 [inline]\n |  sock_sendmsg net/socket.c:747 [inline]\n |  __sys_sendto+0x3b4/0x538 net/socket.c:2144\n\nExtend the early return to reject negative lengths as well, aligning our\nimplementation with the generic code in lib/checksum.c",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: avoid stalls in fq_pie_timer()\n\nWhen setting a high number of flows (limit being 65536),\nfq_pie_timer() is currently using too much time as syzbot reported.\n\nAdd logic to yield the cpu every 2048 flows (less than 150 usec\non debug kernels).\nIt should also help by not blocking qdisc fast paths for too long.\nWorst case (65536 flows) would need 31 jiffies for a complete scan.\n\nRelevant extract from syzbot report:\n\nrcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.\nrcu: blocking rcu_node structures (internal RCU debug):\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236\nCode: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 <a9> 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b\nRSP: 0018:ffffc90000007bb8 EFLAGS: 00000206\nRAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0\nRDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n 
<IRQ>\n pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415\n fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387\n call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Ensure timer ID search-loop limit is valid\n\nposix_timer_add() tries to allocate a posix timer ID by starting from the\ncached ID which was stored by the last successful allocation.\n\nThis is done in a loop searching the ID space for a free slot one by\none. The loop has to terminate when the search wrapped around to the\nstarting point.\n\nBut that's racy vs. establishing the starting point. That is read out\nlockless, which leads to the following problem:\n\nCPU0\t  \t      \t     \t   CPU1\nposix_timer_add()\n  start = sig->posix_timer_id;\n  lock(hash_lock);\n  ...\t\t\t\t   posix_timer_add()\n  if (++sig->posix_timer_id < 0)\n      \t\t\t             start = sig->posix_timer_id;\n     sig->posix_timer_id = 0;\n\nSo CPU1 can observe a negative start value, i.e. -1, and the loop break\nnever happens because the condition can never be true:\n\n  if (sig->posix_timer_id == start)\n     break;\n\nWhile this is unlikely to ever turn into an endless loop as the ID space is\nhuge (INT_MAX), the racy read of the start value caught the attention of\nKCSAN and Dmitry unearthed that incorrectness.\n\nRewrite it so that all id operations are under the hash lock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: qmi_encdec: Restrict string length in decode\n\nThe QMI TLV value for strings in a lot of qmi element info structures\naccount for null terminated strings with MAX_LEN + 1. If a string is\nactually MAX_LEN + 1 length, this will cause an out of bounds access\nwhen the NULL character is appended in decoding.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost\n\nadjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled\nwhen unlock. DEADLOCK might happen if we have held other locks and disabled\nIRQ before invoking it.\n\nFix it by using spin_lock_irqsave() instead, which can keep IRQ state\nconsistent with before when unlock.\n\n  ================================\n  WARNING: inconsistent lock state\n  5.10.0-02758-g8e5f91fd772f #26 Not tainted\n  --------------------------------\n  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.\n  kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes:\n  ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq\n  ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n  {IN-HARDIRQ-W} state was registered at:\n    __lock_acquire+0x3d7/0x1070\n    lock_acquire+0x197/0x4a0\n    __raw_spin_lock_irqsave\n    _raw_spin_lock_irqsave+0x3b/0x60\n    bfq_idle_slice_timer_body\n    bfq_idle_slice_timer+0x53/0x1d0\n    __run_hrtimer+0x477/0xa70\n    __hrtimer_run_queues+0x1c6/0x2d0\n    hrtimer_interrupt+0x302/0x9e0\n    local_apic_timer_interrupt\n    __sysvec_apic_timer_interrupt+0xfd/0x420\n    run_sysvec_on_irqstack_cond\n    sysvec_apic_timer_interrupt+0x46/0xa0\n    asm_sysvec_apic_timer_interrupt+0x12/0x20\n  irq event stamp: 837522\n  hardirqs last  enabled at (837521): [<ffffffff84b9419d>] __raw_spin_unlock_irqrestore\n  hardirqs last  enabled at (837521): [<ffffffff84b9419d>] _raw_spin_unlock_irqrestore+0x3d/0x40\n  hardirqs last disabled at (837522): [<ffffffff84b93fa3>] __raw_spin_lock_irq\n  hardirqs last disabled at (837522): [<ffffffff84b93fa3>] _raw_spin_lock_irq+0x43/0x50\n  softirqs last  enabled at (835852): [<ffffffff84e00558>] __do_softirq+0x558/0x8ec\n  softirqs last disabled at (835845): [<ffffffff84c010ff>] asm_call_irq_on_stack+0xf/0x20\n\n  other info that might help us debug 
this:\n   Possible unsafe locking scenario:\n\n         CPU0\n         ----\n    lock(&bfqd->lock);\n    <Interrupt>\n      lock(&bfqd->lock);\n\n   *** DEADLOCK ***\n\n  3 locks held by kworker/2:3/388:\n   #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0\n   #1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0\n   #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq\n   #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n\n  stack backtrace:\n  CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  Workqueue: kthrotld blk_throtl_dispatch_work_fn\n  Call Trace:\n   __dump_stack lib/dump_stack.c:77 [inline]\n   dump_stack+0x107/0x167\n   print_usage_bug\n   valid_state\n   mark_lock_irq.cold+0x32/0x3a\n   mark_lock+0x693/0xbc0\n   mark_held_locks+0x9e/0xe0\n   __trace_hardirqs_on_caller\n   lockdep_hardirqs_on_prepare.part.0+0x151/0x360\n   trace_hardirqs_on+0x5b/0x180\n   __raw_spin_unlock_irq\n   _raw_spin_unlock_irq+0x24/0x40\n   spin_unlock_irq\n   adjust_inuse_and_calc_cost+0x4fb/0x970\n   ioc_rqos_merge+0x277/0x740\n   __rq_qos_merge+0x62/0xb0\n   rq_qos_merge\n   bio_attempt_back_merge+0x12c/0x4a0\n   blk_mq_sched_try_merge+0x1b6/0x4d0\n   bfq_bio_merge+0x24a/0x390\n   __blk_mq_sched_bio_merge+0xa6/0x460\n   blk_mq_sched_bio_merge\n   blk_mq_submit_bio+0x2e7/0x1ee0\n   __submit_bio_noacct_mq+0x175/0x3b0\n   submit_bio_noacct+0x1fb/0x270\n   blk_throtl_dispatch_work_fn+0x1ef/0x2b0\n   process_one_work+0x83e/0x13f0\n   process_scheduled_works\n   worker_thread+0x7e3/0xd80\n   kthread+0x353/0x470\n   ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: fix potential deadlock in netlink_set_err()\n\nsyzbot reported a possible deadlock in netlink_set_err() [1]\n\nA similar issue was fixed in commit 1d482e666b8e (\"netlink: disable IRQs\nfor netlink_lock_table()\") in netlink_lock_table()\n\nThis patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()\nwhich were not covered by cited commit.\n\n[1]\n\nWARNING: possible irq lock inversion dependency detected\n6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted\n\nsyz-executor.2/23011 just changed the state of lock:\nffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612\nbut this lock was taken by another, SOFTIRQ-safe lock in the past:\n (&local->queue_stop_reason_lock){..-.}-{2:2}\n\nand interrupts could create inverse lock ordering between them.\n\nother info that might help us debug this:\n Possible interrupt unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(nl_table_lock);\n                               local_irq_disable();\n                               lock(&local->queue_stop_reason_lock);\n                               lock(nl_table_lock);\n  <Interrupt>\n    lock(&local->queue_stop_reason_lock);\n\n *** DEADLOCK ***",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL dereference in ni_write_inode\n\nSyzbot reports a NULL dereference in ni_write_inode.\nWhen creating a new inode, if allocation fails in mi_init function\n(called in mi_format_new function), mi->mrec is set to NULL.\nIn the error path of this inode creation, mi->mrec is later\ndereferenced in ni_write_inode.\n\nAdd a NULL check to prevent NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode\n\nWhen u32_replace_hw_knode fails, we need to undo the tcf_bind_filter\noperation done at u32_set_parms.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcsan: Avoid READ_ONCE() in read_instrumented_memory()\n\nHaibo Li reported:\n\n | Unable to handle kernel paging request at virtual address\n |   ffffff802a0d8d7171\n | Mem abort info:o:\n |   ESR = 0x9600002121\n |   EC = 0x25: DABT (current EL), IL = 32 bitsts\n |   SET = 0, FnV = 0 0\n |   EA = 0, S1PTW = 0 0\n |   FSC = 0x21: alignment fault\n | Data abort info:o:\n |   ISV = 0, ISS = 0x0000002121\n |   CM = 0, WnR = 0 0\n | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000\n | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003,\n | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707\n | Internal error: Oops: 96000021 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted\n |   5.15.78-android13-8-g63561175bbda-dirty #1\n | ...\n | pc : kcsan_setup_watchpoint+0x26c/0x6bc\n | lr : kcsan_setup_watchpoint+0x88/0x6bc\n | sp : ffffffc00ab4b7f0\n | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001\n | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80\n | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71\n | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060\n | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000\n | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0\n | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8\n | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007\n | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70\n | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000\n | Call trace:\n |  kcsan_setup_watchpoint+0x26c/0x6bc\n |  __tsan_read2+0x1f0/0x234\n |  inflate_fast+0x498/0x750\n |  zlib_inflate+0x1304/0x2384\n |  __gunzip+0x3a0/0x45c\n |  gunzip+0x20/0x30\n |  unpack_to_rootfs+0x2a8/0x3fc\n |  do_populate_rootfs+0xe8/0x11c\n |  async_run_entry_fn+0x58/0x1bc\n |  process_one_work+0x3ec/0x738\n |  worker_thread+0x4c4/0x838\n |  kthread+0x20c/0x258\n |  ret_from_fork+0x10/0x20\n | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) )\n | ---[ end trace 613a943cb0a572b6 ]-----\n\nThe reason for this is that on certain arm64 configuration since\ne35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire when\nCONFIG_LTO=y\"), READ_ONCE() may be promoted to a full atomic acquire\ninstruction which cannot be used on unaligned addresses.\n\nFix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply\nforcing the compiler to do the required access by casting to the\nappropriate volatile type. In terms of generated code this currently\nonly affects architectures that do not use the default READ_ONCE()\nimplementation.\n\nThe only downside is that we are not guaranteed atomicity of the access\nitself, although on most architectures a plain load up to machine word\nsize should still be atomic (a fact the default READ_ONCE() still relies\non itself).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Free released resource after coalescing\n\nrelease_resource() doesn't actually free the resource or resource list\nentry so free the resource list entry to avoid a leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe\n\nwkup_m3_ipc_get() takes refcount, which should be freed by\nwkup_m3_ipc_put(). Add missing refcount release in the error paths.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: vector: Fix memory leak in vector_config\n\nIf the return value of the uml_parse_vector_ifspec function is NULL,\nwe should call kfree(params) to prevent memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vfio-ap: fix memory leak in vfio_ap device driver\n\nThe device release callback function invoked to release the matrix device\nuses the dev_get_drvdata(device *dev) function to retrieve the\npointer to the vfio_matrix_dev object in order to free its storage. The\nproblem is, this object is not stored as drvdata with the device; since the\nkfree function will accept a NULL pointer, the memory for the\nvfio_matrix_dev object is never freed.\n\nSince the device being released is contained within the vfio_matrix_dev\nobject, the container_of macro will be used to retrieve its pointer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF\n\nAfter a call to console_unlock() in vcs_write() the vc_data struct can be\nfreed by vc_port_destruct(). Because of that, the struct vc_data pointer\nmust be reloaded in the while loop in vcs_write() after console_lock() to\navoid a UAF when vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119\n\nCall Trace:\n <TASK>\n__asan_report_load4_noabort (mm/kasan/report_generic.c:380)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_write (drivers/tty/vt/vc_screen.c:664)\nvfs_write (fs/read_write.c:582 fs/read_write.c:564)\n...\n <TASK>\n\nAllocated by task 1213:\nkmalloc_trace (mm/slab_common.c:1064)\nvc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680\n    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)\ncon_install (drivers/tty/vt/vt.c:3334)\ntty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415\n    drivers/tty/tty_io.c:1392)\ntty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:921)\nvfs_open (fs/open.c:1052)\n...\n\nFreed by task 4116:\nkfree (mm/slab_common.c:1016)\nvc_port_destruct (drivers/tty/vt/vt.c:1044)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2778)\n...\n\nThe buggy address belongs to the object at ffff8880beab8800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)\n\nThe buggy address belongs to the physical page:\npage:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000\n    index:0x0 pfn:0xbeab8\nhead:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0\n    pincount:0\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: 0xffffffff()\nraw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                  ^\n ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup\n\nvariable *nplanes is provided by user via system call argument. The\npossible value of q_data->fmt->num_planes is 1-3, while the value\nof *nplanes can be 1-8. The array access by index i can cause array\nout-of-bounds.\n\nFix this bug by checking *nplanes against the array size.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: freescale: Fix a memory out of bounds when num_configs is 1\n\nThe config passed in by pad wakeup is 1, when num_configs is 1,\nConfiguration [1] should not be fetched, which will be detected\nby KASAN as a memory out of bounds condition. Modify to get\nconfigs[1] when num_configs is 2.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential use-after-free bugs in TCP_Server_Info::hostname\n\nTCP_Server_Info::hostname may be updated once or many times during\nreconnect, so protect its access outside reconnect path as well and\nthen prevent any potential use-after-free bugs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: deal with integer overflows in kmalloc_reserve()\n\nBlamed commit changed:\n    ptr = kmalloc(size);\n    if (ptr)\n      size = ksize(ptr);\n\n    size = kmalloc_size_roundup(size);\n    ptr = kmalloc(size);\n\nThis allowed various crash as reported by syzbot [1]\nand Kyle Zeng.\n\nProblem is that if @size is bigger than 0x80000001,\nkmalloc_size_roundup(size) returns 2^32.\n\nkmalloc_reserve() uses a 32bit variable (obj_size),\nso 2^32 is truncated to 0.\n\nkmalloc(0) returns ZERO_SIZE_PTR which is not handled by\nskb allocations.\n\nFollowing trace can be triggered if a netdev->mtu is set\nclose to 0x7fffffff\n\nWe might in the future limit netdev->mtu to more sensible\nlimit (like KMALLOC_MAX_SIZE).\n\nThis patch is based on a syzbot report, and also a report\nand tentative fix from Kyle Zeng.\n\n[1]\nBUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]\nBUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nWrite of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554\n\nCPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nCall trace:\ndump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106\nprint_report+0xe4/0x4b4 mm/kasan/report.c:398\nkasan_report+0x150/0x1ac mm/kasan/report.c:495\nkasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\nmemset+0x40/0x70 mm/kasan/shadow.c:44\n__build_skb_around net/core/skbuff.c:294 [inline]\n__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nalloc_skb include/linux/skbuff.h:1316 [inline]\nigmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359\nadd_grec+0x81c/0x1124 net/ipv4/igmp.c:534\nigmpv3_send_cr net/ipv4/igmp.c:667 [inline]\nigmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810\ncall_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474\nexpire_timers kernel/time/timer.c:1519 [inline]\n__run_timers+0x54c/0x710 kernel/time/timer.c:1790\nrun_timer_softirq+0x28/0x4c kernel/time/timer.c:1803\n_stext+0x380/0xfbc\n____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79\ncall_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891\ndo_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84\ninvoke_softirq kernel/softirq.c:437 [inline]\n__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683\nirq_exit_rcu+0x14/0x78 kernel/softirq.c:695\nel0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717\n__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724\nel0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729\nel0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix mapping to non-allocated address\n\n[Why]\nThere is an issue mapping non-allocated location of memory.\nIt would allocate gpio registers from an array out of bounds.\n\n[How]\nPatch correct numbers of bounds for using.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()\n\nWhen if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4)\nreturns false, drbl_regs_memmap_p is not remapped. This passes a NULL\npointer to iounmap(), which can trigger a WARN() on certain arches.\n\nWhen if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4)\nreturns true, drbl_regs_memmap_p may has been remapped and\nctrl_regs_memmap_p is not remapped. This is a resource leak and passes a\nNULL pointer to iounmap().\n\nTo fix these issues, we need to add null checks before iounmap(), and\nchange some goto labels.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ptdma: check for null desc before calling pt_cmd_callback\n\nResolves a panic that can occur on AMD systems, typically during host\nshutdown, after the PTDMA driver had been exercised. The issue was\nthe pt_issue_pending() function is mistakenly assuming that there will\nbe at least one descriptor in the Submitted queue when the function\nis called. However, it is possible that both the Submitted and Issued\nqueues could be empty, which could result in pt_cmd_callback() being\nmistakenly called with a NULL pointer.\nRef: Bugzilla Bug 216856.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Fix crash due to uninitialized current_vmcs\n\nKVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as\na nested hypervisor on top of Hyper-V. When MSR bitmap is updated,\nevmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark\nthat the msr bitmap was changed.\n\nvmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr\n-> vmx_msr_bitmap_l01_changed which in the end calls this function. The\nfunction checks for current_vmcs if it is null but the check is\ninsufficient because current_vmcs is not initialized. Because of this, the\ncode might incorrectly write to the structure pointed by current_vmcs value\nleft by another task. Preemption is not disabled, the current task can be\npreempted and moved to another CPU while current_vmcs is accessed multiple\ntimes from evmcs_touch_msr_bitmap() which leads to crash.\n\nThe manipulation of MSR bitmaps by callers happens only for vmcs01 so the\nsolution is to use vmx->vmcs01.vmcs instead of current_vmcs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000338\n  PGD 4e1775067 P4D 0\n  Oops: 0002 [#1] PREEMPT SMP NOPTI\n  ...\n  RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]\n  ...\n  Call Trace:\n   vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]\n   vmx_vcpu_create+0xe6/0x540 [kvm_intel]\n   kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]\n   kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]\n   kvm_vm_ioctl+0x53f/0x790 [kvm]\n   __x64_sys_ioctl+0x8a/0xc0\n   do_syscall_64+0x5c/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe\n\nof_irq_find_parent() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: atmel-quadspi: Free resources even if runtime resume failed in .remove()\n\nAn early error exit in atmel_qspi_remove() doesn't prevent the device\nunbind. So this results in an spi controller with an unbound parent\nand unmapped register space (because devm_ioremap_resource() is undone).\nSo using the remaining spi controller probably results in an oops.\n\nInstead unregister the controller unconditionally and only skip hardware\naccess and clk disable.\n\nAlso add a warning about resume failing and return zero unconditionally.\nThe latter has the only effect to suppress a less helpful error message by\nthe spi core.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hidraw: fix data race on device refcount\n\nThe hidraw_open() function increments the hidraw device reference\ncounter. The counter has no dedicated synchronization mechanism,\nresulting in a potential data race when concurrently opening a device.\n\nThe race is a regression introduced by commit 8590222e4b02 (\"HID:\nhidraw: Replace hidraw device table mutex with a rwsem\"). While\nminors_rwsem is intended to protect the hidraw_table itself, by instead\nacquiring the lock for writing, the reference counter is also protected.\nThis is symmetrical to hidraw_release().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock issue\n\nWhen ufshcd_err_handler() is executed, CQ event interrupt can enter waiting\nfor the same lock. This can happen in ufshcd_handle_mcq_cq_events() and\nalso in ufs_mtk_mcq_intr(). The following warning message will be generated\nwhen &hwq->cq_lock is used in IRQ context with IRQ enabled. Use\nufshcd_mcq_poll_cqe_lock() with spin_lock_irqsave instead of spin_lock to\nresolve the deadlock issue.\n\n[name:lockdep&]WARNING: inconsistent lock state\n[name:lockdep&]--------------------------------\n[name:lockdep&]inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.\n[name:lockdep&]kworker/u16:4/260 [HC0[0]:SC0[0]:HE1:SE1] takes:\n  ffffff8028444600 (&hwq->cq_lock){?.-.}-{2:2}, at:\nufshcd_mcq_poll_cqe_lock+0x30/0xe0\n[name:lockdep&]{IN-HARDIRQ-W} state was registered at:\n  lock_acquire+0x17c/0x33c\n  _raw_spin_lock+0x5c/0x7c\n  ufshcd_mcq_poll_cqe_lock+0x30/0xe0\n  ufs_mtk_mcq_intr+0x60/0x1bc [ufs_mediatek_mod]\n  __handle_irq_event_percpu+0x140/0x3ec\n  handle_irq_event+0x50/0xd8\n  handle_fasteoi_irq+0x148/0x2b0\n  generic_handle_domain_irq+0x4c/0x6c\n  gic_handle_irq+0x58/0x134\n  call_on_irq_stack+0x40/0x74\n  do_interrupt_handler+0x84/0xe4\n  el1_interrupt+0x3c/0x78\n<snip>\n\nPossible unsafe locking scenario:\n       CPU0\n       ----\n  lock(&hwq->cq_lock);\n  <Interrupt>\n    lock(&hwq->cq_lock);\n  *** DEADLOCK ***\n2 locks held by kworker/u16:4/260:\n\n[name:lockdep&]\n stack backtrace:\nCPU: 7 PID: 260 Comm: kworker/u16:4 Tainted: G S      W  OE\n6.1.17-mainline-android14-2-g277223301adb #1\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\n\n Call trace:\n  dump_backtrace+0x10c/0x160\n  show_stack+0x20/0x30\n  dump_stack_lvl+0x98/0xd8\n  dump_stack+0x20/0x60\n  print_usage_bug+0x584/0x76c\n  mark_lock_irq+0x488/0x510\n  mark_lock+0x1ec/0x25c\n  __lock_acquire+0x4d8/0xffc\n  lock_acquire+0x17c/0x33c\n  _raw_spin_lock+0x5c/0x7c\n  ufshcd_mcq_poll_cqe_lock+0x30/0xe0\n  ufshcd_poll+0x68/0x1b0\n  ufshcd_transfer_req_compl+0x9c/0xc8\n  ufshcd_err_handler+0x3bc/0xea0\n  process_one_work+0x2f4/0x7e8\n  worker_thread+0x234/0x450\n  kthread+0x110/0x134\n  ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbtmc: Fix direction for 0-length ioctl control messages\n\nThe syzbot fuzzer found a problem in the usbtmc driver: When a user\nsubmits an ioctl for a 0-length control transfer, the driver does not\ncheck that the direction is set to OUT:\n\n------------[ cut here ]------------\nusb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd\nWARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nCode: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41\nRSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000\nRDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001\nRBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528\nR13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100\nFS:  0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]\n usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097\n\nTo fix this, we must override the direction in the bRequestType field\nof the control request structure when the length is 0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync\n\nUse-after-free can occur in hci_disconnect_all_sync if a connection is\ndeleted by concurrent processing of a controller event.\n\nTo prevent this the code now tries to iterate over the list backwards\nto ensure the links are cleanup before its parents, also it no longer\nrelies on a cursor, instead it always uses the last element since\nhci_abort_conn_sync is guaranteed to call hci_conn_del.\n\nUAF crash log:\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_set_powered_sync\n(net/bluetooth/hci_sync.c:5424) [bluetooth]\nRead of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124\n\nCPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G        W\n6.5.0-rc1+ #10\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work [bluetooth]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xdd/0x160\n ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n kasan_report+0xa6/0xe0\n ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\n hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\n hci_cmd_sync_work+0x137/0x220 [bluetooth]\n process_one_work+0x526/0x9d0\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n worker_thread+0x92/0x630\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x196/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n </TASK>\n\nAllocated by task 1782:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n hci_conn_add+0xa5/0xa80 [bluetooth]\n hci_bind_cis+0x881/0x9b0 [bluetooth]\n iso_connect_cis+0x121/0x520 [bluetooth]\n iso_sock_connect+0x3f6/0x790 [bluetooth]\n __sys_connect+0x109/0x130\n __x64_sys_connect+0x40/0x50\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 695:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n __kasan_slab_free+0x10a/0x180\n __kmem_cache_free+0x14d/0x2e0\n device_release+0x5d/0xf0\n kobject_put+0xdf/0x270\n hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]\n hci_event_packet+0x579/0x7e0 [bluetooth]\n hci_rx_work+0x287/0xaa0 [bluetooth]\n process_one_work+0x526/0x9d0\n worker_thread+0x92/0x630\n kthread+0x196/0x1e0\n ret_from_fork+0x2c/0x50\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: fix to do sanity check on extent cache correctly\"\n\nsyzbot reports a f2fs bug as below:\n\nUBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19\nindex 1409 is out of range for type '__le32[923]' (aka 'unsigned int[923]')\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n inline_data_addr fs/f2fs/f2fs.h:3275 [inline]\n __recover_inline_status fs/f2fs/inode.c:113 [inline]\n do_read_inode fs/f2fs/inode.c:480 [inline]\n f2fs_iget+0x4730/0x48b0 fs/f2fs/inode.c:604\n f2fs_fill_super+0x640e/0x80c0 fs/f2fs/super.c:4601\n mount_bdev+0x276/0x3b0 fs/super.c:1391\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n do_mount fs/namespace.c:3675 [inline]\n __do_sys_mount fs/namespace.c:3884 [inline]\n __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue was bisected to:\n\ncommit d48a7b3a72f121655d95b5157c32c7d555e44c05\nAuthor: Chao Yu <chao@kernel.org>\nDate:   Mon Jan 9 03:49:20 2023 +0000\n\n    f2fs: fix to do sanity check on extent cache correctly\n\nThe root cause is we applied both v1 and v2 of the patch, v2 is the right\nfix, so it needs to revert v1 in order to fix reported issue.\n\nv1:\ncommit d48a7b3a72f1 (\"f2fs: fix to do sanity check on extent cache correctly\")\nhttps://lore.kernel.org/lkml/20230109034920.492914-1-chao@kernel.org/\n\nv2:\ncommit 269d11948100 (\"f2fs: fix to do sanity check on extent cache correctly\")\nhttps://lore.kernel.org/lkml/20230207134808.1827869-1-chao@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Handle lock during peer_id find\n\nath12k_peer_find_by_id() requires that the caller hold the\nab->base_lock. Currently the WBM error path does not hold\nthe lock and calling that function, leads to the\nfollowing lockdep_assert()in QCN9274:\n\n[105162.160893] ------------[ cut here ]------------\n[105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k]\n[105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)]\n[105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W  O       6.1.0-rc2+ #3\n[105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019\n[105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k]\n[105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00\n[105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246\n[105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000\n[105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7\n[105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000\n[105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0\n[105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040\n[105162.161026] FS:  0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000\n[105162.161031] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0\n[105162.161041] Call Trace:\n[105162.161046]  <IRQ>\n[105162.161051]  ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k]\n[105162.161072]  ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k]\n[105162.161084]  ? __lock_acquire+0x4ca/0x1a60\n[105162.161104]  ath12k_dp_service_srng+0x263/0x310 [ath12k]\n[105162.161120]  ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k]\n[105162.161133]  __napi_poll+0x22/0x260\n[105162.161141]  net_rx_action+0x2f8/0x380\n[105162.161153]  __do_softirq+0xd0/0x4c9\n[105162.161162]  irq_exit_rcu+0x88/0xe0\n[105162.161169]  common_interrupt+0xa5/0xc0\n[105162.161174]  </IRQ>\n[105162.161179]  <TASK>\n[105162.161184]  asm_common_interrupt+0x22/0x40\n\nHandle spin lock/unlock in WBM error path to hold the necessary lock\nexpected by ath12k_peer_find_by_id().\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: free background tracker's queued work in btracker_destroy\n\nOtherwise the kernel can BUG with:\n\n[ 2245.426978] =============================================================================\n[ 2245.435155] BUG bt_work (Tainted: G    B   W         ): Objects remaining in bt_work on __kmem_cache_shutdown()\n[ 2245.445233] -----------------------------------------------------------------------------\n[ 2245.445233]\n[ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\n[ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G    B   W          6.0.0-rc2 #19\n[ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021\n[ 2245.483646] Call Trace:\n[ 2245.486100]  <TASK>\n[ 2245.488206]  dump_stack_lvl+0x34/0x48\n[ 2245.491878]  slab_err+0x95/0xcd\n[ 2245.495028]  __kmem_cache_shutdown.cold+0x31/0x136\n[ 2245.499821]  kmem_cache_destroy+0x49/0x130\n[ 2245.503928]  btracker_destroy+0x12/0x20 [dm_cache]\n[ 2245.508728]  smq_destroy+0x15/0x60 [dm_cache_smq]\n[ 2245.513435]  dm_cache_policy_destroy+0x12/0x20 [dm_cache]\n[ 2245.518834]  destroy+0xc0/0x110 [dm_cache]\n[ 2245.522933]  dm_table_destroy+0x5c/0x120 [dm_mod]\n[ 2245.527649]  __dm_destroy+0x10e/0x1c0 [dm_mod]\n[ 2245.532102]  dev_remove+0x117/0x190 [dm_mod]\n[ 2245.536384]  ctl_ioctl+0x1a2/0x290 [dm_mod]\n[ 2245.540579]  dm_ctl_ioctl+0xa/0x20 [dm_mod]\n[ 2245.544773]  __x64_sys_ioctl+0x8a/0xc0\n[ 2245.548524]  do_syscall_64+0x5c/0x90\n[ 2245.552104]  ? syscall_exit_to_user_mode+0x12/0x30\n[ 2245.556897]  ? do_syscall_64+0x69/0x90\n[ 2245.560648]  ? do_syscall_64+0x69/0x90\n[ 2245.564394]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 2245.569447] RIP: 0033:0x7fe52583ec6b\n...\n[ 2245.646771] ------------[ cut here ]------------\n[ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache]\n[ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130\n\nFound using: lvm2-testsuite --only \"cache-single-split.sh\"\n\nBen bisected and found that commit 0495e337b703 (\"mm/slab_common:\nDeleting kobject in kmem_cache_destroy() without holding\nslab_mutex/cpu_hotplug_lock\") first exposed dm-cache's incomplete\ncleanup of its background tracker work objects.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Check for read-only mounted filesystem in txBegin\n\n This patch adds a check for read-only mounted filesystem\n in txBegin before starting a transaction potentially saving\n from NULL pointer deref.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work()\n\nCurrently the buffer pointed by event is not freed in case\nATH12K_FLAG_UNREGISTERING bit is set, this causes memory leak.\n\nAdd a goto skip instead of return, to ensure event and all the\nlist entries are freed properly.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap-irq: Fix out-of-bounds access when allocating config buffers\n\nWhen allocating the 2D array for handling IRQ type registers in\nregmap_add_irq_chip_fwnode(), the intent is to allocate a matrix\nwith num_config_bases rows and num_config_regs columns.\n\nThis is currently handled by allocating a buffer to hold a pointer for\neach row (i.e. num_config_bases). After that, the logic attempts to\nallocate the memory required to hold the register configuration for\neach row. However, instead of doing this allocation for each row\n(i.e. num_config_bases allocations), the logic erroneously does this\nallocation num_config_regs number of times.\n\nThis scenario can lead to out-of-bounds accesses when num_config_regs\nis greater than num_config_bases. Fix this by updating the terminating\ncondition of the loop that allocates the memory for holding the register\nconfiguration to allocate memory only for each row in the matrix.\n\nAmit Pundir reported a crash that was occurring on his db845c device\ndue to memory corruption (see \"Closes\" tag for Amit's report). The KASAN\nreport below helped narrow it down to this issue:\n\n[   14.033877][    T1] ==================================================================\n[   14.042507][    T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364\n[   14.050796][    T1] Write of size 8 at addr 06ffff8081021850 by task init/1\n\n[   14.242004][    T1] The buggy address belongs to the object at ffffff8081021850\n[   14.242004][    T1]  which belongs to the cache kmalloc-8 of size 8\n[   14.255669][    T1] The buggy address is located 0 bytes inside of\n[   14.255669][    T1]  8-byte region [ffffff8081021850, ffffff8081021858)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt/coco/sev-guest: Double-buffer messages\n\nThe encryption algorithms read and write directly to shared unencrypted\nmemory, which may leak information as well as permit the host to tamper\nwith the message integrity. Instead, copy whole messages in or out as\nneeded before doing any computation on them.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: kill hooked chains to avoid loops on deduplicated compressed images\n\nAfter heavily stressing EROFS with several images which include a\nhand-crafted image of repeated patterns for more than 46 days, I found\ntwo chains could be linked with each other almost simultaneously and\nform a loop so that the entire loop won't be submitted.  As a\nconsequence, the corresponding file pages will remain locked forever.\n\nIt can be _only_ observed on data-deduplicated compressed images.\nFor example, consider two chains with five pclusters in total:\n\tChain 1:  2->3->4->5    -- The tail pcluster is 5;\n        Chain 2:  5->1->2       -- The tail pcluster is 2.\n\nChain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link\nto Chain 2 at the same time with pcluster 2.\n\nSince hooked chains are all linked locklessly now, I have no idea how\nto simply avoid the race.  Instead, let's avoid hooked chains completely\nuntil I could work out a proper way to fix this and end users finally\ntell us that it's needed to add it back.\n\nActually, this optimization can be found with multi-threaded workloads\n(especially even more often on deduplicated compressed images), yet I'm\nnot sure about the overall system impacts of not having this compared\nwith implementation complexity.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Clean up integer overflow checking in map_user_pages()\n\nThe encode_dma() function has some validation on in_trans->size but it\nwould be more clear to move those checks to find_and_map_user_pages().\n\nThe encode_dma() had two checks:\n\n\tif (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)\n\t\treturn -EINVAL;\n\nThe in_trans->addr variable is the starting address.  The in_trans->size\nvariable is the total size of the transfer.  The transfer can occur in\nparts and the resources->xferred_dma_size tracks how many bytes we have\nalready transferred.\n\nThis patch introduces a new variable \"remaining\" which represents the\namount we want to transfer (in_trans->size) minus the amount we have\nalready transferred (resources->xferred_dma_size).\n\nI have modified the check for if in_trans->size is zero to instead check\nif in_trans->size is less than resources->xferred_dma_size.  If we have\nalready transferred more bytes than in_trans->size then there are negative\nbytes remaining which doesn't make sense.  If there are zero bytes\nremaining to be copied, just return success.\n\nThe check in encode_dma() checked that \"addr + size\" could not overflow\nand barring a driver bug that should work, but it's easier to check if\nwe do this in parts.  First check that \"in_trans->addr +\nresources->xferred_dma_size\" is safe.  Then check that \"xfer_start_addr +\nremaining\" is safe.\n\nMy final concern was that we are dealing with u64 values but on 32bit\nsystems the kmalloc() function will truncate the sizes to 32 bits.  So\nI calculated \"total = in_trans->size + offset_in_page(xfer_start_addr);\"\nand returned -EINVAL if it were >= SIZE_MAX.  This will not affect 64bit\nsystems.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix FCLK pstate change underflow\n\n[Why]\nCurrently we set FCLK p-state change\nwatermark calculated based on dummy\np-state latency when UCLK p-state is\nnot supported\n\n[How]\nCalculate FCLK p-state change watermark\nbased on on FCLK pstate change latency\nin case UCLK p-state is not supported",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric's ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket's sk_state might not be TCP_CLOSE.  This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket's TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix out of bounds access in DCCP error handler\n\nThere was a previous attempt to fix an out-of-bounds access in the DCCP\nerror handlers, but that fix assumed that the error handlers only want\nto access the first 8 bytes of the DCCP header. Actually, they also look\nat the DCCP sequence number, which is stored beyond 8 bytes, so an\nexplicit pskb_may_pull() is required.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: fix divide by 0 error in calc_lcoefs()\n\necho max of u64 to cost.model can cause divide by 0 error.\n\n  # echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model\n\n  divide error: 0000 [#1] PREEMPT SMP\n  RIP: 0010:calc_lcoefs+0x4c/0xc0\n  Call Trace:\n   <TASK>\n   ioc_refresh_params+0x2b3/0x4f0\n   ioc_cost_model_write+0x3cb/0x4c0\n   ? _copy_from_iter+0x6d/0x6c0\n   ? kernfs_fop_write_iter+0xfc/0x270\n   cgroup_file_write+0xa0/0x200\n   kernfs_fop_write_iter+0x17d/0x270\n   vfs_write+0x414/0x620\n   ksys_write+0x73/0x160\n   __x64_sys_write+0x1e/0x30\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\ncalc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL,\noverflow would happen if bps plus IOC_PAGE_SIZE is greater than\nULLONG_MAX, it can cause divide by 0 error.\n\nFix the problem by setting basecost",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: dw_hdmi: fix connector access for scdc\n\nCommit 5d844091f237 (\"drm/scdc-helper: Pimp SCDC debugs\") changed the scdc\ninterface to pick up an i2c adapter from a connector instead. However, in\nthe case of dw-hdmi, the wrong connector was being used to pass i2c adapter\ninformation, since dw-hdmi's embedded connector structure is only populated\nwhen the bridge attachment callback explicitly asks for it.\n\ndrm-meson is handling connector creation, so this won't happen, leading to\na NULL pointer dereference.\n\nFix it by having scdc functions access dw-hdmi's current connector pointer\ninstead, which is assigned during the bridge enablement stage.\n\n[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: don't assume adequate headroom for SDIO headers\n\nmt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and\nmt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that\nadequate headroom will be available in the passed skb. This assumption\ntypically is satisfied when the skb was allocated in the net core for\ntransmission via the mt7921 netdev (although even that is only an\noptimization and is not strictly guaranteed), but the assumption is\nsometimes not satisfied when the skb originated in the receive path of\nanother netdev and was passed through to the mt7921, such as by the\nbridge layer. Blindly prepending bytes to an skb is always wrong.\n\nThis commit introduces a call to skb_cow_head() before the call to\nmt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to\nensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be\npushed onto the skb.\n\nWithout this fix, I can trivially cause kernel panics by bridging an\nMT7921AU-based USB 802.11ax interface with an Ethernet interface on an\nIntel Atom-based x86 system using its onboard RTL8169 PCI Ethernet\nadapter and also on an ARM-based Raspberry Pi 1 using its onboard\nSMSC9512 USB Ethernet adapter. Note that the panics do not occur in\nevery system configuration, as they occur only if the receiving netdev\nleaves less headroom in its received skbs than the mt7921 needs for its\nSDIO headers.\n\nHere is an example stack trace of this panic on Raspberry Pi OS Lite\n2023-02-21 running kernel 6.1.24+ [1]:\n\n skb_panic from skb_push+0x44/0x48\n skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]\n mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]\n mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]\n __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]\n mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]\n mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]\n mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]\n __mt76_worker_fn [mt76] from kthread+0xbc/0xe0\n kthread from ret_from_fork+0x14/0x34\n\nAfter this fix, bridging the mt7921 interface works fine on both of my\npreviously problematic systems.\n\n[1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm flakey: fix a crash with invalid table line\n\nThis command will crash with NULL pointer dereference:\n dmsetup create flakey --table \\\n  \"0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512\"\n\nFix the crash by checking if arg_name is non-NULL before comparing it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: fix null pointer deref with partial DT config\n\nWhen some of the da9063 regulators do not have corresponding DT nodes\na null pointer dereference occurs on boot because such regulators have\nno init_data causing the pointers calculated in\nda9063_check_xvp_constraints() to be invalid.\n\nDo not dereference them in this case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()\n\ntuning_ctl_set() might have buffer overrun at (X) if it didn't break\nfrom loop by matching (A).\n\n\tstatic int tuning_ctl_set(...)\n\t{\n\t\tfor (i = 0; i < TUNING_CTLS_COUNT; i++)\n(A)\t\t\tif (nid == ca0132_tuning_ctls[i].nid)\n\t\t\t\tbreak;\n\n\t\tsnd_hda_power_up(...);\n(X)\t\tdspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);\n\t\tsnd_hda_power_down(...);                ^\n\n\t\treturn 1;\n\t}\n\nWe will get below error by cppcheck\n\n\tsound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12\n\t for (i = 0; i < TUNING_CTLS_COUNT; i++)\n\t ^\n\tsound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds\n\t dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,\n\t                                           ^\nThis patch cares non match case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Improve page fault error reporting\n\nIf IOMMU domain for device group is not set up properly then we may hit\nIOMMU page fault. Current page fault handler assumes that domain is\nalways set up and it will hit NULL pointer dereference (see below sample log).\n\nLet's check whether domain is set up or not and log appropriate message.\n\nSample log:\n----------\n amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89\n Hardware name: xxx\n RIP: 0010:report_iommu_fault+0x11/0x90\n [...]\n Call Trace:\n  <TASK>\n  amd_iommu_int_thread+0x60c/0x760\n  ? __pfx_irq_thread_fn+0x10/0x10\n  irq_thread_fn+0x1f/0x60\n  irq_thread+0xea/0x1a0\n  ? preempt_count_add+0x6a/0xa0\n  ? __pfx_irq_thread_dtor+0x10/0x10\n  ? __pfx_irq_thread+0x10/0x10\n  kthread+0xe9/0x110\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x2c/0x50\n  </TASK>\n\n[joro: Edit commit message]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Zeroing allocated object from slab in bpf memory allocator\n\nCurrently the freed element in bpf memory allocator may be immediately\nreused, for htab map the reuse will reinitialize special fields in map\nvalue (e.g., bpf_spin_lock), but lookup procedure may still access\nthese special fields, and it may lead to hard-lockup as shown below:\n\n NMI backtrace for cpu 16\n CPU: 16 PID: 2574 Comm: htab.bin Tainted: G             L     6.1.0+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0\n ......\n Call Trace:\n  <TASK>\n  copy_map_value_locked+0xb7/0x170\n  bpf_map_copy_value+0x113/0x3c0\n  __sys_bpf+0x1c67/0x2780\n  __x64_sys_bpf+0x1c/0x20\n  do_syscall_64+0x30/0x60\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n ......\n  </TASK>\n\nFor htab map, just like the preallocated case, these is no need to\ninitialize these special fields in map value again once these fields\nhave been initialized. For preallocated htab map, these fields are\ninitialized through __GFP_ZERO in bpf_map_area_alloc(), so do the\nsimilar thing for non-preallocated htab in bpf memory allocator. And\nthere is no need to use __GFP_ZERO for per-cpu bpf memory allocator,\nbecause __alloc_percpu_gfp() does it implicitly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix warning for holder mismatch from export_rdev()\n\nCommit a1d767191096 (\"md: use mddev->external to select holder in\nexport_rdev()\") fix the problem that 'claim_rdev' is used for\nblkdev_get_by_dev() while 'rdev' is used for blkdev_put().\n\nHowever, if mddev->external is changed from 0 to 1, then 'rdev' is used\nfor blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And\nthis problem can be reporduced reliably by following:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n        pill -9 $pid\n        echo clear > /sys/block/md0/md/array_state\n}\n\ntrap 'clean_up_test' EXIT\n\nadd_by_sysfs() {\n        while true; do\n                echo $devt > /sys/block/md0/md/new_dev\n        done\n}\n\nremove_by_sysfs(){\n        while true; do\n                echo remove > /sys/block/md0/md/dev-${devname}/state\n        done\n}\n\necho md0 > /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs &\npid=\"$pid $!\"\n\nremove_by_sysfs &\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330\nModules linked in: multipath md_mod loop\nCPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50\nRIP: 0010:blkdev_put+0x27c/0x330\nCall Trace:\n <TASK>\n export_rdev.isra.23+0x50/0xa0 [md_mod]\n mddev_unlock+0x19d/0x300 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix the problem by recording if 'rdev' is used as holder.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_ctrl_secret\n\nFree dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we\nreturn when nvme_auth_generate_key() returns error.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf tool x86: Fix perf_env memory leak\n\nFound by leak sanitizer:\n```\n==1632594==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 21 byte(s) in 1 object(s) allocated from:\n    #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439\n    #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369\n    #2 0x556701d70589 in perf_env__cpuid util/env.c:465\n    #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14\n    #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83\n    #5 0x556701d8f78b in evsel__config util/evsel.c:1366\n    #6 0x556701ef5872 in evlist__config util/record.c:108\n    #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112\n    #8 0x556701cacd07 in run_test tests/builtin-test.c:236\n    #9 0x556701cacfac in test_and_print tests/builtin-test.c:265\n    #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402\n    #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559\n    #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323\n    #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377\n    #14 0x556701d3be90 in run_argv tools/perf/perf.c:421\n    #15 0x556701d3c3f8 in main tools/perf/perf.c:537\n    #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s).\n```",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix session state check in reconnect to avoid use-after-free issue\n\nDon't collect exiting session in smb2_reconnect_server(), because it\nwill be released soon.\n\nNote that the exiting session will stay in server->smb_ses_list until\nit complete the cifs_free_ipc() and logoff() and then delete itself\nfrom the list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: IOMMUFD_DESTROY should not increase the refcount\n\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\n\n       obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY);\n       if (IS_ERR(obj))\n               return PTR_ERR(obj);\n       iommufd_ref_to_users(obj);\n       /* See iommufd_ref_to_users() */\n       if (!iommufd_object_destroy_user(ucmd->ictx, obj))\n\nAs part of the sequence to join the two existing primitives together.\n\nAllowing the refcount the be elevated without holding the destroy_rwsem\nviolates the assumption that all temporary refcount elevations are\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\niommufd_object_destroy_user() will cause spurious failures:\n\n  WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\n  Modules linked in:\n  CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\n  RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\n  Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\n  RSP: 0018:ffffc90003067e08 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\n  RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\n  RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\n  R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\n  R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\n  FS:  00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\n   iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\n   iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\nat all. Instead use the xa_lock to serialize everything. The refcount\ncheck == 1 and xa_erase can be done under a single critical region. This\navoids the need for any refcount incrementing.\n\nIt has the downside that if userspace races destroy with other operations\nit will get an EBUSY instead of waiting, but this is kind of racing is\nalready dangerous.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix information leak in f2fs_move_inline_dirents()\n\nWhen converting an inline directory to a regular one, f2fs is leaking\nuninitialized memory to disk because it doesn't initialize the entire\ndirectory block.  Fix this by zero-initializing the block.\n\nThis bug was introduced by commit 4ec17d688d74 (\"f2fs: avoid unneeded\ninitializing when converting inline dentry\"), which didn't consider the\nsecurity implications of leaking uninitialized memory to disk.\n\nThis was found by running xfstest generic/435 on a KMSAN-enabled kernel.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: Use ktime_t rather than int when dealing with timestamps\n\nCode which interacts with timestamps needs to use the ktime_t type\nreturned by functions like ktime_get. The int type does not offer\nenough space to store these values, and attempting to use it is a\nrecipe for problems. In this particular case, overflows would occur\nwhen calculating/storing timestamps leading to incorrect values being\nreported to userspace. In some cases these bad timestamps cause input\nhandling in userspace to appear hung.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Fix uninitialized number of lanes\n\nIt is not possible to set the number of lanes when setting link modes\nusing the legacy IOCTL ethtool interface. Since 'struct\nethtool_link_ksettings' is not initialized in this path, drivers receive\nan uninitialized number of lanes in 'struct\nethtool_link_ksettings::lanes'.\n\nWhen this information is later queried from drivers, it results in the\nethtool code making decisions based on uninitialized memory, leading to\nthe following KMSAN splat [1]. In practice, this most likely only\nhappens with the tun driver that simply returns whatever it got in the\nset operation.\n\nAs far as I can tell, this uninitialized memory is not leaked to user\nspace thanks to the 'ethtool_ops->cap_link_lanes_supported' check in\nlinkmodes_prepare_data().\n\nFix by initializing the structure in the IOCTL path. Did not find any\nmore call sites that pass an uninitialized structure when calling\n'ethtool_ops::set_link_ksettings()'.\n\n[1]\nBUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]\nBUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333\n ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline]\n ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333\n ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640\n genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\n genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065\n netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg net/socket.c:747 [inline]\n ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555\n __sys_sendmsg net/socket.c:2584 [inline]\n __do_sys_sendmsg net/socket.c:2593 [inline]\n __se_sys_sendmsg net/socket.c:2591 [inline]\n __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544\n __ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441\n ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327\n ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640\n genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\n genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065\n netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg net/socket.c:747 [inline]\n ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555\n __sys_sendmsg net/socket.c:2584 [inline]\n __do_sys_sendmsg net/socket.c:2593 [inline]\n __se_sys_sendmsg net/socket.c:2591 [inline]\n __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553\n ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609\n __dev_ethtool net/ethtool/ioctl.c:3024 [inline]\n dev_ethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078\n dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524\n sock_do_ioctl+0x295/0x540 net/socket.c:1213\n sock_i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: api - Use work queue in crypto_destroy_instance\n\nThe function crypto_drop_spawn expects to be called in process\ncontext.  However, when an instance is unregistered while it still\nhas active users, the last user may cause the instance to be freed\nin atomic context.\n\nFix this by delaying the freeing to a work queue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix use-after-free when volume resizing failed\n\nThere is an use-after-free problem reported by KASAN:\n  ==================================================================\n  BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]\n  Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735\n\n  CPU: 2 PID: 4735 Comm: ubirsvol\n  Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n  BIOS 1.14.0-1.fc33 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x34/0x44\n   print_report+0x171/0x472\n   kasan_report+0xad/0x130\n   ubi_eba_copy_table+0x11f/0x1c0 [ubi]\n   ubi_resize_volume+0x4f9/0xbc0 [ubi]\n   ubi_cdev_ioctl+0x701/0x1850 [ubi]\n   __x64_sys_ioctl+0x11d/0x170\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n   </TASK>\n\nWhen ubi_change_vtbl_record() returns an error in ubi_resize_volume(),\n\"new_eba_tbl\" will be freed on error handing path, but it is holded\nby \"vol->eba_tbl\" in ubi_eba_replace_table(). It means that the liftcycle\nof \"vol->eba_tbl\" and \"vol\" are different, so when resizing volume in\nnext time, it causing an use-after-free fault.\n\nFix it by not freeing \"new_eba_tbl\" after it replaced in\nubi_eba_replace_table(), while will be freed in next volume resizing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sprd: Release dma buffer to avoid memory leak\n\nWhen attaching to a domain, the driver would alloc a DMA buffer which\nis used to store address mapping table, and it need to be released\nwhen the IOMMU domain is freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function\n\nIt is stated that ath9k_htc_rx_msg() either frees the provided skb or\npasses its management to another callback function. However, the skb is\nnot freed in case there is no another callback function, and Syzkaller was\nable to cause a memory leak. Also minor comment fix.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()\n\nA fix for:\n\nBUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]\nRead of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271\n\nChecking after (and before in next loop) addl_desc_ptr[1] is sufficient, we\nexpect the size to be sanitized before first access to addl_desc_ptr[1].\nMake sure we don't walk beyond end of page.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer().  However, since\nnilfs_evict_inode() uses nilfs_root for some cleanup operations, it may\ncause use-after-free read if inodes are left in \"garbage_list\" and\nreleased by nilfs_dispose_list() at the end of nilfs_detach_log_writer().\n\nFix this issue by modifying nilfs_evict_inode() to only clear inode\nwithout additional metadata changes that use nilfs_root if the file system\nis degraded to read-only or the writer is detached.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: populate subvp cmd info only for the top pipe\n\n[Why]\nSystem restart observed while changing the display resolution\nto 8k with extended mode. Sytem restart was caused by a page fault.\n\n[How]\nWhen the driver populates subvp info it did it for both the pipes using\nvblank which caused an outof bounds array access causing the page fault.\nadded checks to allow the top pipe only to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()\n\nSmatch detected this potential error pointer dereference\nclk_wzrd_register_divider().  If devm_clk_hw_register() fails then\nit sets \"hw\" to an error pointer and then dereferences it on the\nnext line.  Return the error directly instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: fix memory leak in mwifiex_histogram_read()\n\nAlways free the zeroed page on return from 'mwifiex_histogram_read()'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\n\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\nThis situation is reproduced by the following program:\n\nint main(void)\n{\n\tint sock;\n\tstruct sockaddr_pppol2tp addr;\n\n\tsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\n\tif (sock < 0) {\n\t\tperror(\"socket\");\n\t\treturn 1;\n\t}\n\n\taddr.sa_family = AF_PPPOX;\n\taddr.sa_protocol = PX_PROTO_OL2TP;\n\taddr.pppol2tp.pid = 0;\n\taddr.pppol2tp.fd = sock;\n\taddr.pppol2tp.addr.sin_family = PF_INET;\n\taddr.pppol2tp.addr.sin_port = htons(0);\n\taddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\"192.168.0.1\");\n\taddr.pppol2tp.s_tunnel = 1;\n\taddr.pppol2tp.s_session = 0;\n\taddr.pppol2tp.d_tunnel = 0;\n\taddr.pppol2tp.d_session = 0;\n\n\tif (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {\n\t\tperror(\"connect\");\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nThis program causes the following lockdep warning:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.2.0-rc5-00205-gc96618275234 #56 Not tainted\n --------------------------------------------\n repro/8607 is trying to acquire lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\n\n but task is already holding lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(sk_lock-AF_PPPOX);\n   lock(sk_lock-AF_PPPOX);\n\n  *** DEADLOCK ***\n\n  May be due to missing lock nesting notation\n\n 1 lock held by repro/8607:\n  #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n stack backtrace:\n CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x100/0x178\n  __lock_acquire.cold+0x119/0x3b9\n  ? lockdep_hardirqs_on_prepare+0x410/0x410\n  lock_acquire+0x1e0/0x610\n  ? l2tp_tunnel_register+0x2b7/0x11c0\n  ? lock_downgrade+0x710/0x710\n  ? __fget_files+0x283/0x3e0\n  lock_sock_nested+0x3a/0xf0\n  ? l2tp_tunnel_register+0x2b7/0x11c0\n  l2tp_tunnel_register+0x2b7/0x11c0\n  ? sprintf+0xc4/0x100\n  ? l2tp_tunnel_del_work+0x6b0/0x6b0\n  ? debug_object_deactivate+0x320/0x320\n  ? lockdep_init_map_type+0x16d/0x7a0\n  ? lockdep_init_map_type+0x16d/0x7a0\n  ? l2tp_tunnel_create+0x2bf/0x4b0\n  ? l2tp_tunnel_create+0x3c6/0x4b0\n  pppol2tp_connect+0x14e1/0x1a30\n  ? pppol2tp_put_sk+0xd0/0xd0\n  ? aa_sk_perm+0x2b7/0xa80\n  ? aa_af_perm+0x260/0x260\n  ? bpf_lsm_socket_connect+0x9/0x10\n  ? pppol2tp_put_sk+0xd0/0xd0\n  __sys_connect_file+0x14f/0x190\n  __sys_connect+0x133/0x160\n  ? __sys_connect_file+0x190/0x190\n  ? lockdep_hardirqs_on+0x7d/0x100\n  ? ktime_get_coarse_real_ts64+0x1b7/0x200\n  ? ktime_get_coarse_real_ts64+0x147/0x200\n  ? __audit_syscall_entry+0x396/0x500\n  __x64_sys_connect+0x72/0xb0\n  do_syscall_64+0x38/0xb0\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes the issue by getting/creating the tunnel before\nlocking the pppol2tp socket.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: release crypto keyslot before reporting I/O complete\n\nOnce all I/O using a blk_crypto_key has completed, filesystems can call\nblk_crypto_evict_key().  However, the block layer currently doesn't call\nblk_crypto_put_keyslot() until the request is being freed, which happens\nafter upper layers have been told (via bio_endio()) the I/O has\ncompleted.  This causes a race condition where blk_crypto_evict_key()\ncan see 'slot_refs != 0' without there being an actual bug.\n\nThis makes __blk_crypto_evict_key() hit the\n'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without\ndoing anything, eventually causing a use-after-free in\nblk_crypto_reprogram_all_keys().  (This is a very rare bug and has only\nbeen seen when per-file keys are being used with fscrypt.)\n\nThere are two options to fix this: either release the keyslot before\nbio_endio() is called on the request's last bio, or make\n__blk_crypto_evict_key() ignore slot_refs.  Let's go with the first\nsolution, since it preserves the ability to report bugs (via\nWARN_ON_ONCE) where a key is evicted while still in-use.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Cap MSIX used to online CPUs + 1\n\nThe irdma driver can use a maximum number of msix vectors equal\nto num_online_cpus() + 1 and the kernel warning stack below is shown\nif that number is exceeded.\n\nThe kernel throws a warning as the driver tries to update the affinity\nhint with a CPU mask greater than the max CPU IDs. Fix this by capping\nthe MSIX vectors to num_online_cpus() + 1.\n\n WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n Call Trace:\n irdma_rt_init_hw+0xa62/0x1290 [irdma]\n ? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma]\n ? __is_kernel_percpu_address+0x63/0x310\n ? rcu_read_lock_held_common+0xe/0xb0\n ? irdma_lan_unregister_qset+0x280/0x280 [irdma]\n ? irdma_request_reset+0x80/0x80 [irdma]\n ? ice_get_qos_params+0x84/0x390 [ice]\n irdma_probe+0xa40/0xfc0 [irdma]\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? irdma_remove+0x140/0x140 [irdma]\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? down_write+0x187/0x3d0\n ? auxiliary_match_id+0xf0/0x1a0\n ? irdma_remove+0x140/0x140 [irdma]\n auxiliary_bus_probe+0xa6/0x100\n __driver_probe_device+0x4a4/0xd50\n ? __device_attach_driver+0x2c0/0x2c0\n driver_probe_device+0x4a/0x110\n __driver_attach+0x1aa/0x350\n bus_for_each_dev+0x11d/0x1b0\n ? subsys_dev_iter_init+0xe0/0xe0\n bus_add_driver+0x3b1/0x610\n driver_register+0x18e/0x410\n ? 0xffffffffc0b88000\n irdma_init_module+0x50/0xaa [irdma]\n do_one_initcall+0x103/0x5f0\n ? perf_trace_initcall_level+0x420/0x420\n ? do_init_module+0x4e/0x700\n ? __kasan_kmalloc+0x7d/0xa0\n ? kmem_cache_alloc_trace+0x188/0x2b0\n ? kasan_unpoison+0x21/0x50\n do_init_module+0x1d1/0x700\n load_module+0x3867/0x5260\n ? layout_and_allocate+0x3990/0x3990\n ? rcu_read_lock_held_common+0xe/0xb0\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? __vmalloc_node_range+0x46b/0x890\n ? lock_release+0x5c8/0xba0\n ? alloc_vm_area+0x120/0x120\n ? selinux_kernel_module_from_file+0x2a5/0x300\n ? __inode_security_revalidate+0xf0/0xf0\n ? __do_sys_init_module+0x1db/0x260\n __do_sys_init_module+0x1db/0x260\n ? load_module+0x5260/0x5260\n ? do_syscall_64+0x22/0x450\n do_syscall_64+0xa5/0x450\n entry_SYSCALL_64_after_hwframe+0x66/0xdb",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix decoder disable pm crash\n\nCan't call pm_runtime_disable when the architecture support sub device for\n'dev->pm.dev' is NUll, or will get below crash log.\n\n[   10.771551] pc : _raw_spin_lock_irq+0x4c/0xa0\n[   10.771556] lr : __pm_runtime_disable+0x30/0x130\n[   10.771558] sp : ffffffc01e4cb800\n[   10.771559] x29: ffffffc01e4cb800 x28: ffffffdf082108a8\n[   10.771563] x27: ffffffc01e4cbd70 x26: ffffff8605df55f0\n[   10.771567] x25: 0000000000000002 x24: 0000000000000002\n[   10.771570] x23: ffffff85c0dc9c00 x22: 0000000000000001\n[   10.771573] x21: 0000000000000001 x20: 0000000000000000\n[   10.771577] x19: 00000000000000f4 x18: ffffffdf2e9fbe18\n[   10.771580] x17: 0000000000000000 x16: ffffffdf2df13c74\n[   10.771583] x15: 00000000000002ea x14: 0000000000000058\n[   10.771587] x13: ffffffdf2de1b62c x12: ffffffdf2e9e30e4\n[   10.771590] x11: 0000000000000000 x10: 0000000000000001\n[   10.771593] x9 : 0000000000000000 x8 : 00000000000000f4\n[   10.771596] x7 : 6bff6264632c6264 x6 : 0000000000008000\n[   10.771600] x5 : 0080000000000000 x4 : 0000000000000001\n[   10.771603] x3 : 0000000000000008 x2 : 0000000000000001\n[   10.771608] x1 : 0000000000000000 x0 : 00000000000000f4\n[   10.771613] Call trace:\n[   10.771617]  _raw_spin_lock_irq+0x4c/0xa0\n[   10.771620]  __pm_runtime_disable+0x30/0x130\n[   10.771657]  mtk_vcodec_probe+0x69c/0x728 [mtk_vcodec_dec 800cc929d6631f79f9b273254c8db94d0d3500dc]\n[   10.771662]  platform_drv_probe+0x9c/0xbc\n[   10.771665]  really_probe+0x13c/0x3a0\n[   10.771668]  driver_probe_device+0x84/0xc0\n[   10.771671]  device_driver_attach+0x54/0x78",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix rbtree traversal bug in ext4_mb_use_preallocated\n\nDuring allocations, while looking for preallocations(PA) in the per\ninode rbtree, we can't do a direct traversal of the tree because\next4_mb_discard_group_preallocation() can paralelly mark the pa deleted\nand that can cause direct traversal to skip some entries. This was\nleading to a BUG_ON() being hit [1] when we missed a PA that could satisfy\nour request and ultimately tried to create a new PA that would overlap\nwith the missed one.\n\nTo makes sure we handle that case while still keeping the performance of\nthe rbtree, we make use of the fact that the only pa that could possibly\noverlap the original goal start is the one that satisfies the below\nconditions:\n\n  1. It must have it's logical start immediately to the left of\n  (ie less than) original logical start.\n\n  2. It must not be deleted\n\nTo find this pa we use the following traversal method:\n\n1. Descend into the rbtree normally to find the immediate neighboring\nPA. Here we keep descending irrespective of if the PA is deleted or if\nit overlaps with our request etc. The goal is to find an immediately\nadjacent PA.\n\n2. If the found PA is on right of original goal, use rb_prev() to find\nthe left adjacent PA.\n\n3. Check if this PA is deleted and keep moving left with rb_prev() until\na non deleted PA is found.\n\n4. This is the PA we are looking for. Now we can check if it can satisfy\nthe original request and proceed accordingly.\n\nThis approach also takes care of having deleted PAs in the tree.\n\n(While we are at it, also fix a possible overflow bug in calculating the\nend of a PA)\n\n[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix dropping valid root bus resources with .end = zero\n\nOn r8a7791/koelsch:\n\n  kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n  # cat /sys/kernel/debug/kmemleak\n  unreferenced object 0xc3a34e00 (size 64):\n    comm \"swapper/0\", pid 1, jiffies 4294937460 (age 199.080s)\n    hex dump (first 32 bytes):\n      b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00  .]...]..........\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace:\n      [<fe3aa979>] __kmalloc+0xf0/0x140\n      [<34bd6bc0>] resource_list_create_entry+0x18/0x38\n      [<767046bc>] pci_add_resource_offset+0x20/0x68\n      [<b3f3edf2>] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390\n\nWhen coalescing two resources for a contiguous aperture, the second\nresource is enlarged to cover the full contiguous range, while the first\nresource is marked invalid.  This invalidation is done by clearing the\nflags, start, and end members.\n\nWhen adding the initial resources to the bus later, invalid resources are\nskipped.  Unfortunately, the check for an invalid resource considers only\nthe end member, causing false positives.\n\nE.g. on r8a7791/koelsch, root bus resource 0 (\"bus 00\") is skipped, and no\nlonger registered with pci_bus_insert_busn_res() (causing the memory leak),\nnor printed:\n\n   pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges:\n   pci-rcar-gen2 ee090000.pci:      MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000\n   pci-rcar-gen2 ee090000.pci: PCI: revision 11\n   pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00\n  -pci_bus 0000:00: root bus resource [bus 00]\n   pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff]\n\nFix this by only skipping resources where all of the flags, start, and end\nmembers are zero.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Prevent RT livelock in itimer_delete()\n\nitimer_delete() has a retry loop when the timer is concurrently expired. On\nnon-RT kernels this just spin-waits until the timer callback has completed,\nexcept for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK\nenabled.\n\nIn that case and on RT kernels the existing task could live lock when\npreempting the task which does the timer delivery.\n\nReplace spin_unlock() with an invocation of timer_wait_running() to handle\nit the same way as the other retry loops in the posix timer code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: fix potential kgd_mem UAFs\n\nkgd_mem pointers returned by kfd_process_device_translate_handle are\nonly guaranteed to be valid while p->mutex is held. As soon as the mutex\nis unlocked, another thread can free the BO.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()\n\nDuring NVMeTCP Authentication a controller can trigger a kernel\noops by specifying the 8192 bit Diffie Hellman group and passing\na correctly sized, but zeroed Diffie Hellamn value.\nmpi_cmp_ui() was detecting this if the second parameter was 0,\nbut 1 is passed from dh_is_pubkey_valid(). This causes the null\npointer u->d to be dereferenced towards the end of mpi_cmp_ui()",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: zynq: Fix refcount leak in zynq_early_slcr_init\n\nof_find_compatible_node() returns a node pointer with refcount incremented,\nwe should use of_node_put() on error path.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namdgpu: validate offset_in_bo of drm_amdgpu_gem_va\n\nThis is motivated by OOB access in amdgpu_vm_update_range when\noffset_in_bo+map_size overflows.\n\nv2: keep the validations in amdgpu_vm_bo_map\nv3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map\n    rather than to amdgpu_gem_va_ioctl",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: loop_set_status_from_info() check before assignment\n\nIn loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should\nbe checked before reassignment, because if an overflow error occurs, the\noriginal correct value will be changed to the wrong value, and it will not\nbe changed back.\n\nMore, the original patch did not solve the problem, the value was set and\nioctl returned an error, but the subsequent io used the value in the loop\ndriver, which still caused an alarm:\n\nloop_handle_cmd\n do_req_filebacked\n  loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;\n  lo_rw_aio\n   cmd->iocb.ki_pos = pos",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix slab-use-after-free in decode_session6\n\nWhen ipv6_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ipv6_vti device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff88802e08edc2 by task swapper/0/0\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nvti6_tnl_xmit+0x3e6/0x1ee0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n</IRQ>\nAllocated by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\nnetlink_sendmsg+0x9b1/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nFreed by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x40\n____kasan_slab_free+0x160/0x1c0\nslab_free_freelist_hook+0x11b/0x220\nkmem_cache_free+0xf0/0x490\nskb_free_head+0x17f/0x1b0\nskb_release_data+0x59c/0x850\nconsume_skb+0xd2/0x170\nnetlink_unicast+0x54f/0x7f0\nnetlink_sendmsg+0x926/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe buggy address belongs to the object at ffff88802e08ed00\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 194 bytes inside of\nfreed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)->nhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Ignore frags from uninitialized peer in dp.\n\nWhen max virtual ap interfaces are configured in all the bands with\nACS and hostapd restart is done every 60s, a crash is observed at\nrandom times.\nIn this certain scenario, a fragmented packet is received for\nself peer, for which rx_tid and rx_frags are not initialized in\ndatapath. While handling this fragment, crash is observed as the\nrx_frag list is uninitialised and when we walk in\nath11k_dp_rx_h_sort_frags, skb null leads to exception.\n\nTo address this, before processing received fragments we check\ndp_setup_done flag is set to ensure that peer has completed its\ndp peer setup for fragment queue, else ignore processing the\nfragments.\n\nCall trace:\n  ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]\n  ath11k_dp_service_srng+0x70/0x370 [ath11k]\n  0xffffffc009693a04\n  __napi_poll+0x30/0xa4\n  net_rx_action+0x118/0x270\n  __do_softirq+0x10c/0x244\n  irq_exit+0x64/0xb4\n  __handle_domain_irq+0x88/0xac\n  gic_handle_irq+0x74/0xbc\n  el1_irq+0xf0/0x1c0\n  arch_cpu_idle+0x10/0x18\n  do_idle+0x104/0x248\n  cpu_startup_entry+0x20/0x64\n  rest_init+0xd0/0xdc\n  arch_call_rest_init+0xc/0x14\n  start_kernel+0x480/0x4b8\n  Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rq_qos: protect rq_qos apis with a new lock\n\ncommit 50e34d78815e (\"block: disable the elevator int del_gendisk\")\nmove rq_qos_exit() from disk_release() to del_gendisk(), this will\nintroduce some problems:\n\n1) If rq_qos_add() is triggered by enabling iocost/iolatency through\n   cgroupfs, then it can concurrent with del_gendisk(), it's not safe to\n   write 'q->rq_qos' concurrently.\n\n2) Activate cgroup policy that is relied on rq_qos will call\n   rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is\n   called in the middle, null-ptr-dereference will be triggered in\n   blkcg_activate_policy().\n\n3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the\n   disk, then if rq_qos_exit() from del_gendisk() is done before\n   rq_qos_add(), then memory will be leaked.\n\nThis patch add a new disk level mutex 'rq_qos_mutex':\n\n1) The lock will protect rq_qos_exit() directly.\n\n2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be\n   called from disk initialization for now because wbt can't be\n   destructed until rq_qos_exit(), so it's safe not to protect wbt for\n   now. Hoever, in case that rq_qos dynamically destruction is supported\n   in the furture, this patch also protect rq_qos_add() from wbt_init()\n   directly, this is enough because blk-sysfs already synchronize\n   writers with disk removal.\n\n3) For iocost and iolatency, in order to synchronize disk removal and\n   cgroup configuration, the lock is held after blkdev_get_no_open()\n   from blkg_conf_open_bdev(), and is released in blkg_conf_exit().\n   In order to fix the above memory leak, disk_live() is checked after\n   holding the new lock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: annotate lockless accesses to nlk->max_recvmsg_len\n\nsyzbot reported a data-race in data-race in netlink_recvmsg() [1]\n\nIndeed, netlink_recvmsg() can be run concurrently,\nand netlink_dump() also needs protection.\n\n[1]\nBUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg\n\nread to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:\nnetlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988\nsock_recvmsg_nosec net/socket.c:1017 [inline]\nsock_recvmsg net/socket.c:1038 [inline]\n__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194\n__do_sys_recvfrom net/socket.c:2212 [inline]\n__se_sys_recvfrom net/socket.c:2208 [inline]\n__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nwrite to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:\nnetlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989\nsock_recvmsg_nosec net/socket.c:1017 [inline]\nsock_recvmsg net/socket.c:1038 [inline]\n____sys_recvmsg+0x156/0x310 net/socket.c:2720\n___sys_recvmsg net/socket.c:2762 [inline]\ndo_recvmmsg+0x2e5/0x710 net/socket.c:2856\n__sys_recvmmsg net/socket.c:2935 [inline]\n__do_sys_recvmmsg net/socket.c:2958 [inline]\n__se_sys_recvmmsg net/socket.c:2951 [inline]\n__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0x0000000000001000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().\n\nsyzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720\n(\"kcm: Fix memory leak in error path of kcm_sendmsg()\") suppressed it by\nupdating kcm_tx_msg(head)->last_skb if partial data is copied so that the\nfollowing sendmsg() will resume from the skb.\n\nHowever, we cannot know how many bytes were copied when we get the error.\nThus, we could mess up the MSG_MORE queue.\n\nWhen kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we\ndo so for UDP by udp_flush_pending_frames().\n\nEven without this change, when the error occurred, the following sendmsg()\nresumed from a wrong skb and the queue was messed up.  However, we have\nyet to get such a report, and only syzkaller stumbled on it.  So, this\ncan be changed safely.\n\nNote this does not change SOCK_SEQPACKET behaviour.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()\n\nWear-leveling entry could be freed in error path, which may be accessed\nagain in eraseblk_count_seq_show(), for example:\n\n__erase_worker                eraseblk_count_seq_show\n                                wl = ubi->lookuptbl[*block_number]\n\t\t\t\tif (wl)\n  wl_entry_destroy\n    ubi->lookuptbl[e->pnum] = NULL\n    kmem_cache_free(ubi_wl_entry_slab, e)\n\t\t                   erase_count = wl->ec  // UAF!\n\nWear-leveling entry updating/accessing in ubi->lookuptbl should be\nprotected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize\nwl entry accessing between wl_entry_destroy() and\neraseblk_count_seq_show().\n\nFetch a reproducer in [Link].",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}\n\nSimilar to commit d0be8347c623 (\"Bluetooth: L2CAP: Fix use-after-free\ncaused by l2cap_chan_put\"), just use l2cap_chan_hold_unless_zero to\nprevent referencing a channel that is about to be destroyed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()\n\nKSAN reports use-after-free in hci_add_adv_monitor().\n\nWhile adding an adv monitor,\n    hci_add_adv_monitor() calls ->\n    msft_add_monitor_pattern() calls ->\n    msft_add_monitor_sync() calls ->\n    msft_le_monitor_advertisement_cb() calls in an error case ->\n    hci_free_adv_monitor() which frees the *moniter.\n\nThis is referenced by bt_dev_dbg() in hci_add_adv_monitor().\n\nFix the bt_dev_dbg() by using handle instead of monitor->handle.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: flush inode if atomic file is aborted\n\nLet's flush the inode being aborted atomic operation to avoid stale dirty\ninode during eviction in this call stack:\n\n  f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs]\n  f2fs_abort_atomic_write+0xc4/0xf0 [f2fs]\n  f2fs_evict_inode+0x3f/0x690 [f2fs]\n  ? sugov_start+0x140/0x140\n  evict+0xc3/0x1c0\n  evict_inodes+0x17b/0x210\n  generic_shutdown_super+0x32/0x120\n  kill_block_super+0x21/0x50\n  deactivate_locked_super+0x31/0x90\n  cleanup_mnt+0x100/0x160\n  task_work_run+0x59/0x90\n  do_exit+0x33b/0xa50\n  do_group_exit+0x2d/0x80\n  __x64_sys_exit_group+0x14/0x20\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis triggers f2fs_bug_on() in f2fs_evict_inode:\n f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));\n\nThis fixes the syzbot report:\n\nloop0: detected capacity change from 0 to 131072\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): Found nat_bits in checkpoint\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inode.c:869!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007\nRBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000\nR13: ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50\nFS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n evict+0x2ed/0x6b0 fs/inode.c:665\n dispose_list+0x117/0x1e0 fs/inode.c:698\n evict_inodes+0x345/0x440 fs/inode.c:748\n generic_shutdown_super+0xaf/0x480 fs/super.c:478\n kill_block_super+0x64/0xb0 fs/super.c:1417\n kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704\n deactivate_locked_super+0x98/0x160 fs/super.c:330\n deactivate_super+0xb1/0xd0 fs/super.c:361\n cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa9a/0x29a0 kernel/exit.c:874\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1024\n __do_sys_exit_group kernel/exit.c:1035 [inline]\n __se_sys_exit_group kernel/exit.c:1033 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f309be71a09\nCode: Unable to access opcode bytes at 0x7f309be719df.\nRSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\nRBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40\nR10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix memory leak when showing current settings\n\nWhen retriving a item string with tlmi_setting(), the result has to be\nfreed using kfree(). In current_value_show() however, malformed\nitem strings are not freed, causing a memory leak.\nFix this by eliminating the early return responsible for this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: read sk->sk_family once in sk_mc_loop()\n\nsyzbot is playing with IPV6_ADDRFORM quite a lot these days,\nand managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()\n\nWe have many more similar issues to fix.\n\nWARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260\nModules linked in:\nCPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nWorkqueue: events_power_efficient gc_worker\nRIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782\nCode: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48\nRSP: 0018:ffffc90000388530 EFLAGS: 00010246\nRAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980\nRDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011\nRBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65\nR10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000\nR13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000\nFS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<IRQ>\n[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83\n[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]\n[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211\n[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]\n[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232\n[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]\n[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161\n[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]\n[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]\n[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]\n[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342\n[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]\n[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415\n[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247\n[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599\n[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]\n[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683\n[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null-ptr-deref in raid10_sync_request\n\ninit_resync() inits mempool and sets conf->have_replacemnt at the beginning\nof sync, close_sync() frees the mempool when sync is completed.\n\nAfter [1] recovery might be skipped and init_resync() is called but\nclose_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.\n\nThe following is one way to reproduce the issue.\n\n  1) create an array, wait for resync to complete, mddev->recovery_cp is set\n     to MaxSector.\n  2) recovery is woken and it is skipped. conf->have_replacement is set to\n     0 in init_resync(). close_sync() not called.\n  3) some io errors and rdev A is set to WantReplacement.\n  4) a new device is added and set to A's replacement.\n  5) recovery is woken, A has a replacement, but conf->have_replacemnt is\n     0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref\n     occurs.\n\nFix it by not calling init_resync() if recovery skipped.\n\n[1] commit 7e83ccbecd60 (\"md/raid10: Allow skipping recovery when clean arrays are assembled\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix NULL ptr deref by checking new_crtc_state\n\nintel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't\nobtained previously with intel_atomic_get_crtc_state, so we must check it\nfor NULLness here, just as in many other places, where we can't guarantee\nthat intel_atomic_get_crtc_state was called.\nWe are currently getting NULL ptr deref because of that, so this fix was\nconfirmed to help.\n\n(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ina2xx: avoid NULL pointer dereference on OF device match\n\nThe affected lines were resulting in a NULL pointer dereference on our\nplatform because the device tree contained the following list of\ncompatible strings:\n\n    power-sensor@40 {\n        compatible = \"ti,ina232\", \"ti,ina231\";\n        ...\n    };\n\nSince the driver doesn't declare a compatible string \"ti,ina232\", the OF\nmatching succeeds on \"ti,ina231\". But the I2C device ID info is\npopulated via the first compatible string, cf. modalias population in\nof_i2c_get_board_info(). Since there is no \"ina232\" entry in the legacy\nI2C device ID table either, the struct i2c_device_id *id pointer in the\nprobe function is NULL.\n\nFix this by using the already populated type variable instead, which\npoints to the proper driver data. Since the name is also wanted, add a\ngeneric one to the ina2xx_config table.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix skb refcnt race after locking changes\n\nThere is a race where skb's from the sk_psock_backlog can be referenced\nafter userspace side has already skb_consumed() the sk_buff and its refcnt\ndropped to zero causing use after free.\n\nThe flow is the following:\n\n  while ((skb = skb_peek(&psock->ingress_skb))\n    sk_psock_handle_Skb(psock, skb, ..., ingress)\n    if (!ingress) ...\n    sk_psock_skb_ingress\n       sk_psock_skb_ingress_enqueue(skb)\n          msg->skb = skb\n          sk_psock_queue_msg(psock, msg)\n    skb_dequeue(&psock->ingress_skb)\n\nThe sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is\nwhat the application reads when recvmsg() is called. An application can\nread this anytime after the msg is placed on the queue. The recvmsg hook\nwill also read msg->skb and then after user space reads the msg will call\nconsume_skb(skb) on it effectively freeing it.\n\nBut, the race is in above where backlog queue still has a reference to\nthe skb and calls skb_dequeue(). If the skb_dequeue happens after the\nuser reads and frees the skb we have a use after free.\n\nThe !ingress case does not suffer from this problem because it uses\nsendmsg_*(sk, msg) which does not pass the sk_buff further down the\nstack.\n\nThe following splat was observed with 'test_progs -t sockmap_listen':\n\n  [ 1022.710250][ T2556] general protection fault, ...\n  [...]\n  [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog\n  [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80\n  [ 1022.713653][ T2556] Code: ...\n  [...]\n  [ 1022.720699][ T2556] Call Trace:\n  [ 1022.720984][ T2556]  <TASK>\n  [ 1022.721254][ T2556]  ? die_addr+0x32/0x80^M\n  [ 1022.721589][ T2556]  ? exc_general_protection+0x25a/0x4b0\n  [ 1022.722026][ T2556]  ? asm_exc_general_protection+0x22/0x30\n  [ 1022.722489][ T2556]  ? skb_dequeue+0x4c/0x80\n  [ 1022.722854][ T2556]  sk_psock_backlog+0x27a/0x300\n  [ 1022.723243][ T2556]  process_one_work+0x2a7/0x5b0\n  [ 1022.723633][ T2556]  worker_thread+0x4f/0x3a0\n  [ 1022.723998][ T2556]  ? __pfx_worker_thread+0x10/0x10\n  [ 1022.724386][ T2556]  kthread+0xfd/0x130\n  [ 1022.724709][ T2556]  ? __pfx_kthread+0x10/0x10\n  [ 1022.725066][ T2556]  ret_from_fork+0x2d/0x50\n  [ 1022.725409][ T2556]  ? __pfx_kthread+0x10/0x10\n  [ 1022.725799][ T2556]  ret_from_fork_asm+0x1b/0x30\n  [ 1022.726201][ T2556]  </TASK>\n\nTo fix we add an skb_get() before passing the skb to be enqueued in the\ningress queue. This bumps the skb->users refcnt so that consume_skb()\nand kfree_skb will not immediately free the sk_buff. With this we can\nbe sure the skb is still around when we do the dequeue. Then we just\nneed to decrement the refcnt or free the skb in the backlog case which\nwe do by calling kfree_skb() on the ingress case as well as the sendmsg\ncase.\n\nBefore locking change from fixes tag we had the sock locked so we\ncouldn't race with user and there was no issue here.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on snapshot tear down\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitialisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525099/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: synchronize atomic write aborts\n\nTo fix a race condition between atomic write aborts, I use the inode\nlock and make COW inode to be re-usable throughout the whole\natomic file inode lifetime.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix data-race around dp->dccps_mss_cache\n\ndccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.\nSame thing in do_dccp_getsockopt().\n\nAdd READ_ONCE()/WRITE_ONCE() annotations,\nand change dccp_sendmsg() to check again dccps_mss_cache\nafter socket is locked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: early: xhci-dbc: Fix a potential out-of-bound memory access\n\nIf xdbc_bulk_write() fails, the values in 'buf' can be anything. So the\nstring is not guaranteed to be NULL terminated when xdbc_trace() is called.\n\nReserve an extra byte, which will be zeroed automatically because 'buf' is\na static variable, in order to avoid troubles, should it happen.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: report devlink_port_type_warn source device\n\ndevlink_port_type_warn is scheduled for port devlink and warning\nwhen the port type is not set. But from this warning it is not easy\nfound out which device (driver) has no devlink port set.\n\n[ 3709.975552] Type was not set for devlink port.\n[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20\n[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm\n[ 3709.994030]  crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse\n[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1\n[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022\n[ 3710.108437] Workqueue: events devlink_port_type_warn\n[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20\n[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87\n[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282\n[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027\n[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8\n[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18\n[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600\n[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905\n[ 3710.108452] FS:  0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000\n[ 3710.108453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0\n[ 3710.108456] PKRU: 55555554\n[ 3710.108457] Call Trace:\n[ 3710.108458]  <TASK>\n[ 3710.108459]  process_one_work+0x1e2/0x3b0\n[ 3710.108466]  ? rescuer_thread+0x390/0x390\n[ 3710.108468]  worker_thread+0x50/0x3a0\n[ 3710.108471]  ? rescuer_thread+0x390/0x390\n[ 3710.108473]  kthread+0xdd/0x100\n[ 3710.108477]  ? kthread_complete_and_exit+0x20/0x20\n[ 3710.108479]  ret_from_fork+0x1f/0x30\n[ 3710.108485]  </TASK>\n[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---\n\nAfter patch:\n[  402.473064] ice 0000:41:00.0: Type was not set for devlink port.\n[  402.473064] ice 0000:41:00.1: Type was not set for devlink port.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove\n\nThe MBHC resources must be released on component probe failure and\nremoval so can not be tied to the lifetime of the component device.\n\nThis is specifically needed to allow probe deferrals of the sound card\nwhich otherwise fails when reprobing the codec component:\n\n    snd-sc8280xp sound: ASoC: failed to instantiate card -517\n    genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)\n    wcd938x_codec audio-codec: Failed to request mbhc interrupts -16\n    wcd938x_codec audio-codec: mbhc initialization failed\n    wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16\n    snd-sc8280xp sound: ASoC: failed to instantiate card -16",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: reject negative ifindex\n\nRecent changes in net-next (commit 759ab1edb56c (\"net: store netdevs\nin an xarray\")) refactored the handling of pre-assigned ifindexes\nand let syzbot surface a latent problem in ovs. ovs does not validate\nifindex, making it possible to create netdev ports with negative\nifindex values. It's easy to repro with YNL:\n\n$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \\\n         --do new \\\n\t --json '{\"upcall-pid\": 1, \"name\":\"my-dp\"}'\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json '{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}'\n\n$ ip link show\n-65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\n    link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff\n...\n\nValidate the inputs. Now the second command correctly returns:\n\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json '{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}'\n\nlib.ynl.NlError: Netlink error: Numerical result out of range\nnl_len = 108 (92) nl_flags = 0x300 nl_type = 2\n\terror: -34\textack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x03\\x00\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x08\\x00\\x01\\x00\\x08\\x00\\x00\\x00'], 'bad-attr': '.ifindex'}\n\nAccept 0 since it used to be silently ignored.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don't leak a resource on swapout move error\n\nIf moving the bo to system for swapout failed, we were leaking\na resource. Fix.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix infinite loop in nilfs_mdt_get_block()\n\nIf the disk image that nilfs2 mounts is corrupted and a virtual block\naddress obtained by block lookup for a metadata file is invalid,\nnilfs_bmap_lookup_at_level() may return the same internal return code as\n-ENOENT, meaning the block does not exist in the metadata file.\n\nThis duplication of return codes confuses nilfs_mdt_get_block(), causing\nit to read and create a metadata block indefinitely.\n\nIn particular, if this happens to the inode metadata file, ifile,\nsemaphore i_rwsem can be left held, causing task hangs in lock_mount.\n\nFix this issue by making nilfs_bmap_lookup_at_level() treat virtual block\naddress translation failures with -ENOENT as metadata corruption instead\nof returning the error code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on direct node in truncate_dnode()\n\nsyzbot reports below bug:\n\nBUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\nRead of size 4 at addr ffff88802a25c000 by task syz-executor148/5000\n\nCPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\n truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944\n f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154\n f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721\n f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749\n f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799\n f2fs_truncate include/linux/fs.h:825 [inline]\n f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006\n notify_change+0xb2c/0x1180 fs/attr.c:483\n do_truncate+0x143/0x200 fs/open.c:66\n handle_truncate fs/namei.c:3295 [inline]\n do_open fs/namei.c:3640 [inline]\n path_openat+0x2083/0x2750 fs/namei.c:3791\n do_filp_open+0x1ba/0x410 fs/namei.c:3818\n do_sys_openat2+0x16d/0x4c0 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_creat fs/open.c:1448 [inline]\n __se_sys_creat fs/open.c:1442 [inline]\n __x64_sys_creat+0xcd/0x120 fs/open.c:1442\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is, inodeA references inodeB via inodeB's ino, once inodeA\nis truncated, it calls truncate_dnode() to truncate data blocks in inodeB's\nnode page, it traverses mapping data from node->i.i_addr[0] to\nnode->i.i_addr[ADDRS_PER_BLOCK() - 1], resulting in out-of-boundary access.\n\nThis patch fixes to add sanity check on dnode page in truncate_dnode(),\nso that, it can help to avoid triggering such issue, and once it encounters\nsuch issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE\nerror into superblock, later fsck can detect such issue and try repairing.\n\nAlso, it removes f2fs_truncate_data_blocks() for cleanup because the\nfunction has only one caller, and uses f2fs_truncate_data_blocks_range()\ninstead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Fix uninit-value in alauda_check_media()\n\nSyzbot got KMSAN to complain about access to an uninitialized value in\nthe alauda subdriver of usb-storage:\n\nBUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0\ndrivers/usb/storage/alauda.c:1137\nCPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 01/01/2011\nCall Trace:\n  __dump_stack lib/dump_stack.c:77 [inline]\n  dump_stack+0x191/0x1f0 lib/dump_stack.c:113\n  kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108\n  __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250\n  alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460\n\nThe problem is that alauda_check_media() doesn't verify that its USB\ntransfer succeeded before trying to use the received data.  What\nshould happen if the transfer fails isn't entirely clear, but a\nreasonably conservative approach is to pretend that no media is\npresent.\n\nA similar problem exists in a usb_stor_dbg() call in\nalauda_get_media_status().  In this case, when an error occurs the\ncall is redundant, because usb_stor_ctrl_transfer() already will print\na debugging message.\n\nFinally, unrelated to the uninitialized memory access, is the fact\nthat alauda_check_media() performs DMA to a buffer on the stack.\nFortunately usb-storage provides a general purpose DMA-able buffer for\nuses like this.  We'll use it instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix a deadlock in r5l_exit_log()\n\nCommit b13015af94cf (\"md/raid5-cache: Clear conf->log after finishing\nwork\") introduced a new problem:\n\n// caller hold reconfig_mutex\nr5l_exit_log\n flush_work(&log->disable_writeback_work)\n\t\t\tr5c_disable_writeback_async\n\t\t\t wait_event\n\t\t\t  /*\n\t\t\t   * conf->log is not NULL, and mddev_trylock()\n\t\t\t   * will fail, wait_event() can never pass.\n\t\t\t   */\n conf->log = NULL\n\nFix this problem by setting 'config->log' to NULL before wake_up() as it\nused to be, so that wait_event() from r5c_disable_writeback_async() can\nexit. In the meantime, move forward md_unregister_thread() so that\nnull-ptr-deref this commit fixed can still be fixed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix workqueue leak on bind errors\n\nMake sure to destroy the workqueue also in case of early errors during\nbind (e.g. a subcomponent failing to bind).\n\nSince commit c3b790ea07a1 (\"drm: Manage drm_mode_config_init with\ndrmm_\") the mode config will be freed when the drm device is released\nalso when using the legacy interface, but add an explicit cleanup for\nconsistency and to facilitate backporting.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525093/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: use internal state to free traffic IRQs\n\nIf the system tries to close the netdev while iavf_reset_task() is\nrunning, __LINK_STATE_START will be cleared and netif_running() will\nreturn false in iavf_reinit_interrupt_scheme(). This will result in\niavf_free_traffic_irqs() not being called and a leak as follows:\n\n    [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0'\n    [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0\n\nis shown when pci_disable_msix() is later called. Fix by using the\ninternal adapter state. The traffic IRQs will always exist if\nstate == __IAVF_RUNNING.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Drop aux devices together with DP controller\n\nUsing devres to depopulate the aux bus made sure that upon a probe\ndeferral the EDP panel device would be destroyed and recreated upon next\nattempt.\n\nBut the struct device which the devres is tied to is the DPU's\n(drm_dev->dev), which may happen after the DP controller is torn\ndown.\n\nIndications of this can be seen in the commonly seen EDID-hexdump full\nof zeros in the log, or the occasional/rare KASAN fault where the\npanel's attempt to read the EDID information causes a use after free on\nDP resources.\n\nIt's tempting to move the devres to the DP controller's struct device,\nbut the resources used by the device(s) on the aux bus are explicitly\ntorn down in the error path. The KASAN-reported use-after-free also\nremains, as the DP aux \"module\" explicitly frees its devres-allocated\nmemory in this code path.\n\nAs such, explicitly depopulate the aux bus in the error path, and in the\ncomponent unbind path, to avoid these issues.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542163/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_secret_store\n\nFree dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return\nfix following kmemleack:-\n\nunreferenced object 0xffff8886376ea800 (size 64):\n  comm \"check\", pid 22048, jiffies 4344316705 (age 92.199s)\n  hex dump (first 32 bytes):\n    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67  DHHC-1:00:nxr5Kg\n    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c  uX4uoAxsJa4c/huL\n  backtrace:\n    [<0000000030ce5d4b>] __kmalloc+0x4b/0x130\n    [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n    [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0\n    [<00000000437e7ced>] vfs_write+0x2ba/0x3c0\n    [<00000000f9491baf>] ksys_write+0x5f/0xe0\n    [<000000001c46513d>] do_syscall_64+0x3b/0x90\n    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc\nunreferenced object 0xffff8886376eaf00 (size 64):\n  comm \"check\", pid 22048, jiffies 4344316736 (age 92.168s)\n  hex dump (first 32 bytes):\n    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67  DHHC-1:00:nxr5Kg\n    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c  uX4uoAxsJa4c/huL\n  backtrace:\n    [<0000000030ce5d4b>] __kmalloc+0x4b/0x130\n    [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n    [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0\n    [<00000000437e7ced>] vfs_write+0x2ba/0x3c0\n    [<00000000f9491baf>] ksys_write+0x5f/0xe0\n    [<000000001c46513d>] do_syscall_64+0x3b/0x90\n    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: annotate accesses to nlk->cb_running\n\nBoth netlink_recvmsg() and netlink_native_seq_show() read\nnlk->cb_running locklessly. Use READ_ONCE() there.\n\nAdd corresponding WRITE_ONCE() to netlink_dump() and\n__netlink_dump_start()\n\nsyzbot reported:\nBUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg\n\nwrite to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:\n__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399\nnetlink_dump_start include/linux/netlink.h:308 [inline]\nrtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130\nnetlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577\nrtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942\nsock_sendmsg_nosec net/socket.c:724 [inline]\nsock_sendmsg net/socket.c:747 [inline]\nsock_write_iter+0x1aa/0x230 net/socket.c:1138\ncall_write_iter include/linux/fs.h:1851 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x463/0x760 fs/read_write.c:584\nksys_write+0xeb/0x1a0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x42/0x50 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:\nnetlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022\nsock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017\n____sys_recvmsg+0x2db/0x310 net/socket.c:2718\n___sys_recvmsg net/socket.c:2762 [inline]\ndo_recvmmsg+0x2e5/0x710 net/socket.c:2856\n__sys_recvmmsg net/socket.c:2935 [inline]\n__do_sys_recvmmsg net/socket.c:2958 [inline]\n__se_sys_recvmmsg net/socket.c:2951 
[inline]\n__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x00 -> 0x01",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8186: Fix use-after-free in driver remove path\n\nWhen devm runs function in the \"remove\" path for a device it runs them\nin the reverse order. That means that if you have parts of your driver\nthat aren't using devm or are using \"roll your own\" devm w/\ndevm_add_action_or_reset() you need to keep that in mind.\n\nThe mt8186 audio driver didn't quite get this right. Specifically, in\nmt8186_init_clock() it called mt8186_audsys_clk_register() and then\nwent on to call a bunch of other devm function. The caller of\nmt8186_init_clock() used devm_add_action_or_reset() to call\nmt8186_deinit_clock() but, because of the intervening devm functions,\nthe order was wrong.\n\nSpecifically at probe time, the order was:\n1. mt8186_audsys_clk_register()\n2. afe_priv->clk = devm_kcalloc(...)\n3. afe_priv->clk[i] = devm_clk_get(...)\n\nAt remove time, the order (which should have been 3, 2, 1) was:\n1. mt8186_audsys_clk_unregister()\n3. Free all of afe_priv->clk[i]\n2. Free afe_priv->clk\n\nThe above seemed to be causing a use-after-free. Luckily, it's easy to\nfix this by simply using devm more correctly. Let's move the\ndevm_add_action_or_reset() to the right place. In addition to fixing\nthe use-after-free, code inspection shows that this fixes a leak\n(missing call to mt8186_audsys_clk_unregister()) that would have\nhappened if any of the syscon_regmap_lookup_by_phandle() calls in\nmt8186_init_clock() had failed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove\n\nWhen the tagging protocol in current use is \"ocelot-8021q\" and we unbind\nthe driver, we see this splat:\n\n$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind\nmscc_felix 0000:00:00.5 swp0: left promiscuous mode\nsja1105 spi2.0: Link is Down\nDSA: tree 1 torn down\nmscc_felix 0000:00:00.5 swp2: left promiscuous mode\nsja1105 spi2.2: Link is Down\nDSA: tree 3 torn down\nfsl_enetc 0000:00:00.2 eno2: left promiscuous mode\nmscc_felix 0000:00:00.5: Link is Down\n------------[ cut here ]------------\nRTNL: assertion failed at net/dsa/tag_8021q.c (409)\nWARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0\nModules linked in:\nCPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771\npc : dsa_tag_8021q_unregister+0x12c/0x1a0\nlr : dsa_tag_8021q_unregister+0x12c/0x1a0\nCall trace:\n dsa_tag_8021q_unregister+0x12c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nRTNL: assertion failed at net/8021q/vlan_core.c (376)\nWARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0\nCPU: 1 PID: 329 Comm: bash Tainted: G        W          6.5.0-rc3+ #771\npc : vlan_vid_del+0x1b8/0x1f0\nlr : vlan_vid_del+0x1b8/0x1f0\n dsa_tag_8021q_unregister+0x8c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n 
felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\nDSA: tree 0 torn down\n\nThis was somewhat not so easy to spot, because \"ocelot-8021q\" is not the\ndefault tagging protocol, and thus, not everyone who tests the unbinding\npath may have switched to it beforehand. The default\nfelix_tag_npi_teardown() does not require rtnl_lock() to be held.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: overlay: Call of_changeset_init() early\n\nWhen of_overlay_fdt_apply() fails, the changeset may be partially\napplied, and the caller is still expected to call of_overlay_remove() to\nclean up this partial state.\n\nHowever, of_overlay_apply() calls of_resolve_phandles() before\ninit_overlay_changeset().  Hence if the overlay fails to apply due to an\nunresolved symbol, the overlay_changeset.cset.entries list is still\nuninitialized, and cleanup will crash with a NULL-pointer dereference in\noverlay_removal_is_ok().\n\nFix this by moving the call to of_changeset_init() from\ninit_overlay_changeset() to of_overlay_fdt_apply(), where all other\nearly initialization is done.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n\n'./test_progs -t test_local_storage' reported a splat:\n\n[   27.137569] =============================\n[   27.138122] [ BUG: Invalid wait context ]\n[   27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G           O\n[   27.139542] -----------------------------\n[   27.140106] test_progs/1729 is trying to lock:\n[   27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[   27.141834] other info that might help us debug this:\n[   27.142437] context-{5:5}\n[   27.142856] 2 locks held by test_progs/1729:\n[   27.143352]  #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[   27.144492]  #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[   27.145855] stack backtrace:\n[   27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G           O       6.5.0-03980-gd11ae1b16b0a #247\n[   27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   27.149127] Call Trace:\n[   27.149490]  <TASK>\n[   27.149867]  dump_stack_lvl+0x130/0x1d0\n[   27.152609]  dump_stack+0x14/0x20\n[   27.153131]  __lock_acquire+0x1657/0x2220\n[   27.153677]  lock_acquire+0x1b8/0x510\n[   27.157908]  local_lock_acquire+0x29/0x130\n[   27.159048]  obj_cgroup_charge+0xf4/0x3c0\n[   27.160794]  slab_pre_alloc_hook+0x28e/0x2b0\n[   27.161931]  __kmem_cache_alloc_node+0x51/0x210\n[   27.163557]  __kmalloc+0xaa/0x210\n[   27.164593]  bpf_map_kzalloc+0xbc/0x170\n[   27.165147]  bpf_selem_alloc+0x130/0x510\n[   27.166295]  bpf_local_storage_update+0x5aa/0x8e0\n[   27.167042]  bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[   27.169199]  bpf_map_update_value+0x415/0x4f0\n[   27.169871]  map_update_elem+0x413/0x550\n[   27.170330]  __sys_bpf+0x5e9/0x640\n[   27.174065]  
__x64_sys_bpf+0x80/0x90\n[   27.174568]  do_syscall_64+0x48/0xa0\n[   27.175201]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[   27.175932] RIP: 0033:0x7effb40e41ad\n[   27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[   27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[   27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[   27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[   27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[   27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[   27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[   27.184958]  </TASK>\n\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\n\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\n\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\n\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. 
At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. Thus, this patch always does the kzalloc before acq\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error\n\nIf clk_get_rate() fails, the clk that has just been allocated needs to be\nfreed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/idle: mark arch_cpu_idle() noinstr\n\nlinux-next commit (\"cpuidle: tracing: Warn about !rcu_is_watching()\")\nadds a new warning which hits on s390's arch_cpu_idle() function:\n\nRCU not on for: arch_cpu_idle+0x0/0x28\nWARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258\nModules linked in:\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4\nHardware name: IBM 8561 T01 703 (z/VM 7.3.0)\nKrnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258)\n           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\nKrnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000\n           0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000\n           0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0\n           0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8\nKrnl Code: 00000000002b55b0: c02000840051        larl    %r2,0000000001335652\n           00000000002b55b6: c0e5fff512d1        brasl   %r14,0000000000157b58\n          #00000000002b55bc: af000000            mc      0,0\n          >00000000002b55c0: a7f4ffe7            brc     15,00000000002b558e\n           00000000002b55c4: 0707                bcr     0,%r7\n           00000000002b55c6: 0707                bcr     0,%r7\n           00000000002b55c8: eb6ff0480024        stmg    %r6,%r15,72(%r15)\n           00000000002b55ce: b90400ef            lgr     %r14,%r15\nCall Trace:\n [<00000000002b55c0>] arch_ftrace_ops_list_func+0x250/0x258\n([<00000000002b55bc>] arch_ftrace_ops_list_func+0x24c/0x258)\n [<0000000000f5f0fc>] ftrace_common+0x1c/0x20\n [<00000000001044f6>] arch_cpu_idle+0x6/0x28\n [<0000000000f4acf6>] default_idle_call+0x76/0x128\n [<00000000001cc374>] do_idle+0xf4/0x1b0\n [<00000000001cc6ce>] cpu_startup_entry+0x36/0x40\n 
[<0000000000119d00>] smp_start_secondary+0x140/0x150\n [<0000000000f5d2ae>] restart_int_handler+0x6e/0x90\n\nMark arch_cpu_idle() noinstr like all other architectures with\nCONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: don't attempt to queue IO under RCU protection\n\ndm looks up the table for IO based on the request type, with an\nassumption that if the request is marked REQ_NOWAIT, it's fine to\nattempt to submit that IO while under RCU read lock protection. This\nis not OK, as REQ_NOWAIT just means that we should not be sleeping\nwaiting on other IO, it does not mean that we can't potentially\nschedule.\n\nA simple test case demonstrates this quite nicely:\n\nint main(int argc, char *argv[])\n{\n        struct iovec iov;\n        int fd;\n\n        fd = open(\"/dev/dm-0\", O_RDONLY | O_DIRECT);\n        posix_memalign(&iov.iov_base, 4096, 4096);\n        iov.iov_len = 4096;\n        preadv2(fd, &iov, 1, 0, RWF_NOWAIT);\n        return 0;\n}\n\nwhich will instantly spew:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:306\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x11d/0x1b0\n __might_resched+0x3c3/0x5e0\n ? preempt_count_sub+0x150/0x150\n mempool_alloc+0x1e2/0x390\n ? mempool_resize+0x7d0/0x7d0\n ? lock_sync+0x190/0x190\n ? lock_release+0x4b7/0x670\n ? internal_get_user_pages_fast+0x868/0x2d40\n bio_alloc_bioset+0x417/0x8c0\n ? bvec_alloc+0x200/0x200\n ? internal_get_user_pages_fast+0xb8c/0x2d40\n bio_alloc_clone+0x53/0x100\n dm_submit_bio+0x27f/0x1a20\n ? lock_release+0x4b7/0x670\n ? blk_try_enter_queue+0x1a0/0x4d0\n ? dm_dax_direct_access+0x260/0x260\n ? rcu_is_watching+0x12/0xb0\n ? blk_try_enter_queue+0x1cc/0x4d0\n __submit_bio+0x239/0x310\n ? __bio_queue_enter+0x700/0x700\n ? kvm_clock_get_cycles+0x40/0x60\n ? 
ktime_get+0x285/0x470\n submit_bio_noacct_nocheck+0x4d9/0xb80\n ? should_fail_request+0x80/0x80\n ? preempt_count_sub+0x150/0x150\n ? lock_release+0x4b7/0x670\n ? __bio_add_page+0x143/0x2d0\n ? iov_iter_revert+0x27/0x360\n submit_bio_noacct+0x53e/0x1b30\n submit_bio_wait+0x10a/0x230\n ? submit_bio_wait_endio+0x40/0x40\n __blkdev_direct_IO_simple+0x4f8/0x780\n ? blkdev_bio_end_io+0x4c0/0x4c0\n ? stack_trace_save+0x90/0xc0\n ? __bio_clone+0x3c0/0x3c0\n ? lock_release+0x4b7/0x670\n ? lock_sync+0x190/0x190\n ? atime_needs_update+0x3bf/0x7e0\n ? timestamp_truncate+0x21b/0x2d0\n ? inode_owner_or_capable+0x240/0x240\n blkdev_direct_IO.part.0+0x84a/0x1810\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n ? blkdev_read_iter+0x40d/0x530\n ? reacquire_held_locks+0x4e0/0x4e0\n ? __blkdev_direct_IO_simple+0x780/0x780\n ? rcu_is_watching+0x12/0xb0\n ? __mark_inode_dirty+0x297/0xd50\n ? preempt_count_add+0x72/0x140\n blkdev_read_iter+0x2a4/0x530\n do_iter_readv_writev+0x2f2/0x3c0\n ? generic_copy_file_range+0x1d0/0x1d0\n ? fsnotify_perm.part.0+0x25d/0x630\n ? security_file_permission+0xd8/0x100\n do_iter_read+0x31b/0x880\n ? import_iovec+0x10b/0x140\n vfs_readv+0x12d/0x1a0\n ? vfs_iter_read+0xb0/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n do_preadv+0x1b3/0x260\n ? 
do_readv+0x370/0x370\n __x64_sys_preadv2+0xef/0x150\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f5af41ad806\nCode: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55\nRSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806\nRDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003\nRBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003\nR13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001\n </TASK>\n\nwhere in fact it is\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: correct grp validation in ext4_mb_good_group\n\nGroup corruption check will access memory of grp and will trigger kernel\ncrash if grp is NULL. So do NULL check before corruption check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nSyzbot found a kernel BUG in hfs_bnode_put():\n\n kernel BUG at fs/hfs/bnode.c:466!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: writeback wb_workfn (flush-7:0)\n RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466\n Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56\n RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293\n RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1\n R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80\n R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00\n FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  hfs_write_inode+0x1bc/0xb40\n  write_inode fs/fs-writeback.c:1440 [inline]\n  __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652\n  writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878\n  __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949\n  wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054\n  wb_check_start_all fs/fs-writeback.c:2176 [inline]\n  wb_do_writeback fs/fs-writeback.c:2202 [inline]\n  wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235\n  
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n  worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n  kthread+0x266/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n  </TASK>\n\nThe BUG_ON() is triggered at here:\n\n/* Dispose of resources used by a node */\nvoid hfs_bnode_put(struct hfs_bnode *node)\n{\n\tif (node) {\n \t\t<skipped>\n \t\tBUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!\n \t\t<skipped>\n \t}\n}\n\nBy tracing the refcnt, I found the node is created by hfs_bmap_alloc()\nwith refcnt 1.  Then the node is used by hfs_btree_write().  There is a\nmissing of hfs_bnode_get() after find the node.  The issue happened in\nfollowing path:\n\n<alloc>\n hfs_bmap_alloc\n   hfs_bnode_find\n     __hfs_bnode_create   <- allocate a new node with refcnt 1.\n   hfs_bnode_put          <- decrease the refcnt\n\n<write>\n hfs_btree_write\n   hfs_bnode_find\n     __hfs_bnode_create\n       hfs_bnode_findhash <- find the node without refcnt increased.\n   hfs_bnode_put\t  <- trigger the BUG_ON() since refcnt is 0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: do not hard code device address lenth in fdb dumps\n\nsyzbot reports that some netdev devices do not have a six bytes\naddress [1]\n\nReplace ETH_ALEN by dev->addr_len.\n\n[1] (Case of a device where dev->addr_len = 4)\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopyout+0xb8/0x100 lib/iov_iter.c:169\n_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536\ncopy_to_iter include/linux/uio.h:206 [inline]\nsimple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513\n__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527\nskb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\nnetlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970\nsock_recvmsg_nosec net/socket.c:1019 [inline]\nsock_recvmsg net/socket.c:1040 [inline]\n____sys_recvmsg+0x283/0x7f0 net/socket.c:2722\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1009 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1067\nnlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071\nnlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]\nndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456\nrtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629\nnetlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268\nnetlink_recvmsg+0xc5c/0x15a0 
net/netlink/af_netlink.c:1995\nsock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019\n____sys_recvmsg+0x664/0x7f0 net/socket.c:2720\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716\nslab_alloc_node mm/slub.c:3451 [inline]\n__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490\nkmalloc_trace+0x51/0x200 mm/slab_common.c:1057\nkmalloc include/linux/slab.h:559 [inline]\n__hw_addr_create net/core/dev_addr_lists.c:60 [inline]\n__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118\n__dev_mc_add net/core/dev_addr_lists.c:867 [inline]\ndev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885\nigmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680\nipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754\nipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708\naddrconf_type_change net/ipv6/addrconf.c:3731 [inline]\naddrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699\nnotifier_call_chain kernel/notifier.c:93 [inline]\nraw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1935 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:1973 [inline]\ncall_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987\nbond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906\ndo_set_master net/core/rtnetlink.c:2626 [inline]\nrtnl_newlink_create net/core/rtnetlink.c:3460 [inline]\n__rtnl_newlink net/core/rtnetlink.c:3660 [inline]\nrtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673\nrtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395\nnetlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546\nrtnetlink_rcv+0x34/0x40 
net/core/rtnetlink.c:6413\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0xf28/0x1230 net/netlink/af_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()\n\nWhen disabling overlay plane in mxsfb_plane_overlay_atomic_update(),\noverlay plane's framebuffer pointer is NULL.  So, dereferencing it would\ncause a kernel Oops(NULL pointer dereferencing).  Fix the issue by\ndisabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix warning when putting transaction with qgroups enabled after abort\n\nIf we have a transaction abort with qgroups enabled we get a warning\ntriggered when doing the final put on the transaction, like this:\n\n  [552.6789] ------------[ cut here ]------------\n  [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6817] Modules linked in: btrfs blake2b_generic xor (...)\n  [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6821] Code: bd a0 01 00 (...)\n  [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286\n  [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000\n  [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010\n  [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20\n  [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70\n  [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028\n  [552.6821] FS:  0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000\n  [552.6821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0\n  [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [552.6822] Call Trace:\n  [552.6822]  <TASK>\n  [552.6822]  ? __warn+0x80/0x130\n  [552.6822]  ? btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6824]  ? report_bug+0x1f4/0x200\n  [552.6824]  ? handle_bug+0x42/0x70\n  [552.6824]  ? 
exc_invalid_op+0x14/0x70\n  [552.6824]  ? asm_exc_invalid_op+0x16/0x20\n  [552.6824]  ? btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6826]  btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]\n  [552.6828]  ? _raw_spin_unlock_irqrestore+0x23/0x40\n  [552.6828]  ? try_to_wake_up+0x94/0x5e0\n  [552.6828]  ? __pfx_process_timeout+0x10/0x10\n  [552.6828]  transaction_kthread+0x103/0x1d0 [btrfs]\n  [552.6830]  ? __pfx_transaction_kthread+0x10/0x10 [btrfs]\n  [552.6832]  kthread+0xee/0x120\n  [552.6832]  ? __pfx_kthread+0x10/0x10\n  [552.6832]  ret_from_fork+0x29/0x50\n  [552.6832]  </TASK>\n  [552.6832] ---[ end trace 0000000000000000 ]---\n\nThis corresponds to this line of code:\n\n  void btrfs_put_transaction(struct btrfs_transaction *transaction)\n  {\n      (...)\n          WARN_ON(!RB_EMPTY_ROOT(\n                          &transaction->delayed_refs.dirty_extent_root));\n      (...)\n  }\n\nThe warning happens because btrfs_qgroup_destroy_extent_records(), called\nin the transaction abort path, we free all entries from the rbtree\n\"dirty_extent_root\" with rbtree_postorder_for_each_entry_safe(), but we\ndon't actually empty the rbtree - it's still pointing to nodes that were\nfreed.\n\nSo set the rbtree's root node to NULL to avoid this warning (assign\nRB_ROOT).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: Reposition and add pcm_mutex\n\nIf panic_on_warn is set and compress stream(DPCM) is started,\nthen kernel panic occurred because card->pcm_mutex isn't held appropriately.\nIn the following functions, warning were issued at this line\n\"snd_soc_dpcm_mutex_assert_held\".\n\nstatic int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,\n\t\tstruct snd_soc_pcm_runtime *be, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,\n\t\t\t    int stream, int action)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(rtd);\n\t...\n}\n\nint dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,\n\tint event)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nThese functions are called by soc_compr_set_params_fe, soc_compr_open_fe\nand soc_compr_free_fe\nwithout pcm_mutex locking. 
And this is call stack.\n\n[  414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750\n[  414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750\n[  414.527945][ T2179] Call trace:\n[  414.527949][ T2179]  dpcm_process_paths+0x5a4/0x750\n[  414.527955][ T2179]  soc_compr_open_fe+0xb0/0x2cc\n[  414.527972][ T2179]  snd_compr_open+0x180/0x248\n[  414.527981][ T2179]  snd_open+0x15c/0x194\n[  414.528003][ T2179]  chrdev_open+0x1b0/0x220\n[  414.528023][ T2179]  do_dentry_open+0x30c/0x594\n[  414.528045][ T2179]  vfs_open+0x34/0x44\n[  414.528053][ T2179]  path_openat+0x914/0xb08\n[  414.528062][ T2179]  do_filp_open+0xc0/0x170\n[  414.528068][ T2179]  do_sys_openat2+0x94/0x18c\n[  414.528076][ T2179]  __arm64_sys_openat+0x78/0xa4\n[  414.528084][ T2179]  invoke_syscall+0x48/0x10c\n[  414.528094][ T2179]  el0_svc_common+0xbc/0x104\n[  414.528099][ T2179]  do_el0_svc+0x34/0xd8\n[  414.528103][ T2179]  el0_svc+0x34/0xc4\n[  414.528125][ T2179]  el0t_64_sync_handler+0x8c/0xfc\n[  414.528133][ T2179]  el0t_64_sync+0x1a0/0x1a4\n[  414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...\n\nSo, I reposition and add pcm_mutex to resolve lockdep error.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix potential use-after-free bug when trimming caps\n\nWhen trimming the caps and just after the 'session->s_cap_lock' is\nreleased in ceph_iterate_session_caps() the cap maybe removed by\nanother thread, and when using the stale cap memory in the callbacks\nit will trigger use-after-free crash.\n\nWe need to check the existence of the cap just after the 'ci->i_ceph_lock'\nbeing acquired. And do nothing if it's already removed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: disable RAC flush for TP1\n\nRAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1:\n[    3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform\n[    3.895011] Reserved instruction in kernel code[#1]:\n[    3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0\n[    3.905829] $ 0   : 00000000 10008700 00000000 77d94060\n[    3.911238] $ 4   : 7fd1f088 00000000 81431cac 81431ca0\n[    3.916641] $ 8   : 00000000 ffffefff 8075cd34 00000000\n[    3.922043] $12   : 806f8d40 f3e812b7 00000000 000d9aaa\n[    3.927446] $16   : 7fd1f068 7fd1f080 7ff559b8 81428470\n[    3.932848] $20   : 00000000 00000000 55590000 77d70000\n[    3.938251] $24   : 00000018 00000010\n[    3.943655] $28   : 81430000 81431e60 81431f28 800157fc\n[    3.949058] Hi    : 00000000\n[    3.952013] Lo    : 00000000\n[    3.955019] epc   : 80015808 setup_sigcontext+0x54/0x24c\n[    3.960464] ra    : 800157fc setup_sigcontext+0x48/0x24c\n[    3.965913] Status: 10008703\tKERNEL EXL IE\n[    3.970216] Cause : 00800028 (ExcCode 0a)\n[    3.974340] PrId  : 0002a010 (Broadcom BMIPS4350)\n[    3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common\n[    3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8)\n[    4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470\n[    4.009467]         81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74\n[    4.018149]         08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003\n[    4.026831]         ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000\n[    4.035512]         77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000\n[    4.044196]         ...\n[    4.046706] Call 
Trace:\n[    4.049238] [<80015808>] setup_sigcontext+0x54/0x24c\n[    4.054356] [<80015c70>] setup_frame+0xdc/0x124\n[    4.059015] [<80016414>] do_notify_resume+0x1dc/0x288\n[    4.064207] [<80011b50>] work_notifysig+0x10/0x18\n[    4.069036]\n[    4.070538] Code: 8fc300b4  00001025  26240008 <ac820000> ac830004  3c048063  0c0228aa  24846a00  26240010\n[    4.080686]\n[    4.082517] ---[ end trace 22a8edb41f5f983b ]---\n[    4.087374] Kernel panic - not syncing: Fatal exception\n[    4.092753] Rebooting in 1 seconds..\n\nBecause the bootloader (CFE) is not initializing the Read-ahead cache properly\non the second thread (TP1). Since the RAC was not initialized properly, we\nshould avoid flushing it at the risk of corrupting the instruction stream as\nseen in the trace above.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nping: Fix potentail NULL deref for /proc/net/icmp.\n\nAfter commit dbca1596bbb0 (\"ping: convert to RCU lookups, get rid\nof rwlock\"), we use RCU for ping sockets, but we should use spinlock\nfor /proc/net/icmp to avoid a potential NULL deref mentioned in\nthe previous patch.\n\nLet's go back to using spinlock there.\n\nNote we can convert ping sockets to use hlist instead of hlist_nulls\nbecause we do not use SLAB_TYPESAFE_BY_RCU for ping sockets.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()\n\nHere is a BUG report from syzbot:\n\nBUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806\nRead of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631\n\nCall Trace:\n memmove+0x25/0x60 mm/kasan/shadow.c:54\n hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806\n indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193\n ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910\n ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712\n ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276\n\nBefore using the meta-data in struct INDEX_HDR, we need to\ncheck index header valid or not. Otherwise, the corruptedi\n(or malicious) fs image can cause out-of-bounds access which\ncould make kernel panic.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: fix VA-range sanity check\n\nBoth create_mapping_noalloc() and update_mapping_prot() sanity-check\ntheir 'virt' parameter, but the check itself doesn't make much sense.\nThe condition used today appears to be a historical accident.\n\nThe sanity-check condition:\n\n\tif ((virt >= PAGE_END) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\n... can only be true for the KASAN shadow region or the module region,\nand there's no reason to exclude these specifically for creating and\nupdateing mappings.\n\nWhen arm64 support was first upstreamed in commit:\n\n  c1cc1552616d0f35 (\"arm64: MMU initialisation\")\n\n... the condition was:\n\n\tif (virt < VMALLOC_START) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nAt the time, VMALLOC_START was the lowest kernel address, and this was\nchecking whether 'virt' would be translated via TTBR1.\n\nSubsequently in commit:\n\n  14c127c957c1c607 (\"arm64: mm: Flip kernel VA space\")\n\n... the condition was changed to:\n\n\tif ((virt >= VA_START) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nThis appear to have been a thinko. The commit moved the linear map to\nthe bottom of the kernel address space, with VMALLOC_START being at the\nhalfway point. The old condition would warn for changes to the linear\nmap below this, and at the time VA_START was the end of the linear map.\n\nSubsequently we cleaned up the naming of VA_START in commit:\n\n  77ad4ce69321abbe (\"arm64: memory: rename VA_START to PAGE_END\")\n\n... keeping the erroneous condition as:\n\n\tif ((virt >= PAGE_END) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nCorrect the condition to check against the start of the TTBR1 address\nspace, which is currently PAGE_OFFSET. 
This simplifies the logic, and\nmore clearly matches the \"outside kernel range\" message in the warning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSMB3: Add missing locks to protect deferred close file list\n\ncifs_del_deferred_close function has a critical section which modifies\nthe deferred close file list. We must acquire deferred_lock before\ncalling cifs_del_deferred_close function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-53991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Disallow unallocated resources to be returned\n\nIn the event that the topology requests resources that have not been\ncreated by the system (because they are typically not represented in\ndpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC\nblocks, until their allocation/assignment is being sanity-checked in\n\"drm/msm/dpu: Reject topologies for which no DSC blocks are available\")\nremain NULL but will still be returned out of\ndpu_rm_get_assigned_resources, where the caller expects to get an array\ncontaining num_blks valid pointers (but instead gets these NULLs).\n\nTo prevent this from happening, where null-pointer dereferences\ntypically result in a hard-to-debug platform lockup, num_blks shouldn't\nincrease past NULL blocks and will print an error and break instead.\nAfter all, max_blks represents the static size of the maximum number of\nblocks whereas the actual amount varies per platform.\n\n^1: which can happen after a git rebase ended up moving additions to\n_dpu_cfg to a different struct which has the same patch context.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517636/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: ocb: don't leave if not joined\n\nIf there's no OCB state, don't ask the driver/mac80211 to\nleave, since that's just confusing. Since set/clear the\nchandef state, that's a simple check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y\n\nAfter a pci_doe_task completes, its work_struct needs to be destroyed\nto avoid a memory leak with CONFIG_DEBUG_OBJECTS=y.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-53994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: remove WARN_ON to prevent panic_on_warn\n\nRemove unnecessary early code development check and the WARN_ON\nthat it uses.  The irq alloc and free paths have long been\ncleaned up and this check shouldn't have stuck around so long.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix one memleak in __inet_del_ifa()\n\nI got the below warning when do fuzzing test:\nunregister_netdevice: waiting for bond0 to become free. Usage count = 2\n\nIt can be repoduced via:\n\nip link add bond0 type bond\nsysctl -w net.ipv4.conf.bond0.promote_secondaries=1\nip addr add 4.117.174.103/0 scope 0x40 dev bond0\nip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0\nip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0\nip addr del 4.117.174.103/0 scope 0x40 dev bond0\nip link delete bond0 type bond\n\nIn this reproduction test case, an incorrect 'last_prim' is found in\n__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)\nis lost. The memory of the secondary address is leaked and the reference of\nin_device and net_device is leaked.\n\nFix this problem:\nLook for 'last_prim' starting at location of the deleted IP and inserting\nthe promoted IP into the location of 'last_prim'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Make enc_dec_hypercall() accept a size instead of npages\n\nenc_dec_hypercall() accepted a page count instead of a size, which\nforced its callers to round up. As a result, non-page aligned\nvaddrs caused pages to be spuriously marked as decrypted via the\nencryption status hypercall, which in turn caused consistent\ncorruption of pages during live migration. Live migration requires\naccurate encryption status information to avoid migrating pages\nfrom the wrong perspective.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-53997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: of: fix double-free on unregistration\n\nSince commit 3d439b1a2ad3 (\"thermal/core: Alloc-copy-free the thermal\nzone parameters structure\"), thermal_zone_device_register() allocates\na copy of the tzp argument and frees it when unregistering, so\nthermal_of_zone_register() now ends up leaking its original tzp and\ndouble-freeing the tzp copy. Fix this by locating tzp on stack instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: virtio - Fix race on data_avail and actual data\n\nThe virtio rng device kicks off a new entropy request whenever the\ndata available reaches zero.  When a new request occurs at the end\nof a read operation, that is, when the result of that request is\nonly needed by the next reader, then there is a race between the\nwriting of the new data and the next reader.\n\nThis is because there is no synchronisation whatsoever between the\nwriter and the reader.\n\nFix this by writing data_avail with smp_store_release and reading\nit with smp_load_acquire when we first enter read.  The subsequent\nreads are safe because they're either protected by the first load\nacquire, or by the completion mechanism.\n\nAlso remove the redundant zeroing of data_idx in random_recv_done\n(data_idx must already be zero at this point) and data_avail in\nrequest_entropy (ditto).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-53999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It's possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT 'new' state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n  comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n  hex dump (first 32 bytes):\n    01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00  ................\n    98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff  .wgA.....wgA....\n  backtrace:\n    [<00000000e992680d>] kmalloc_trace+0x27/0x120\n    [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n    [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n    [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n    [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n    [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n    [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n    [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410\n    [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n    [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]\n    [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010\n    [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0\n    [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360\n    [<0000000082dd6c8b>] netlink_unicast+0x438/0x710\n    [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50\n    [<0000000016e92590>] sock_sendmsg+0xc5/0x190\n\nSo 
fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix deadlock issue when externel_lb and reset are executed together\n\nWhen externel_lb and reset are executed together, a deadlock may\noccur:\n[ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds.\n[ 3147.230483] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 3147.238999] task:kworker/u321:0  state:D stack:    0 pid:    7 ppid:     2 flags:0x00000008\n[ 3147.248045] Workqueue: hclge hclge_service_task [hclge]\n[ 3147.253957] Call trace:\n[ 3147.257093]  __switch_to+0x7c/0xbc\n[ 3147.261183]  __schedule+0x338/0x6f0\n[ 3147.265357]  schedule+0x50/0xe0\n[ 3147.269185]  schedule_preempt_disabled+0x18/0x24\n[ 3147.274488]  __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 3147.279880]  __mutex_lock_slowpath+0x1c/0x30\n[ 3147.284839]  mutex_lock+0x50/0x60\n[ 3147.288841]  rtnl_lock+0x20/0x2c\n[ 3147.292759]  hclge_reset_prepare+0x68/0x90 [hclge]\n[ 3147.298239]  hclge_reset_subtask+0x88/0xe0 [hclge]\n[ 3147.303718]  hclge_reset_service_task+0x84/0x120 [hclge]\n[ 3147.309718]  hclge_service_task+0x2c/0x70 [hclge]\n[ 3147.315109]  process_one_work+0x1d0/0x490\n[ 3147.319805]  worker_thread+0x158/0x3d0\n[ 3147.324240]  kthread+0x108/0x13c\n[ 3147.328154]  ret_from_fork+0x10/0x18\n\nIn externel_lb process, the hns3 driver call napi_disable()\nfirst, then the reset happen, then the restore process of the\nexternel_lb will fail, and will not call napi_enable(). When\ndoing externel_lb again, napi_disable() will be double call,\ncause a deadlock of rtnl_lock().\n\nThis patch use the HNS3_NIC_STATE_DOWN state to protect the\ncalling of napi_disable() and napi_enable() in externel_lb\nprocess, just as the usage in ndo_stop() and ndo_start().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8712: Fix memory leak in _r8712_init_xmit_priv()\n\nIn the above mentioned routine, memory is allocated in several places.\nIf the first succeeds and a later one fails, the routine will leak memory.\nThis patch fixes commit 2865d42c78a9 (\"staging: r8712u: Add the new driver\nto the mainline kernel\"). A potential memory leak in\nr8712_xmit_resource_alloc() is also addressed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion of exclop condition when starting balance\n\nBalance as exclusive state is compatible with paused balance and device\nadd, which makes some things more complicated. The assertion of valid\nstates when starting from paused balance needs to take into account two\nmore states, the combinations can be hit when there are several threads\nracing to start balance and device add. This won't typically happen when\nthe commands are started from command line.\n\nScenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_finish executed finishes before assertion in\nbtrfs_exclop_balance, exclusive_operation will be changed to\nBTRFS_EXCLOP_NONE state which leads to a failed assertion:\n\n  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||\n  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,\n  in fs/btrfs/ioctl.c:456\n  Call Trace:\n   <TASK>\n   btrfs_exclop_balance+0x13c/0x310\n   ? memdup_user+0xab/0xc0\n   ? PTR_ERR+0x17/0x20\n   btrfs_ioctl_add_dev+0x2ee/0x320\n   btrfs_ioctl+0x9d5/0x10d0\n   ? btrfs_ioctl_encoded_write+0xb80/0xb80\n   __x64_sys_ioctl+0x197/0x210\n   do_syscall_64+0x3c/0xb0\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nScenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_balance finishes before the latter thread executes the\nassertion in btrfs_exclop_balance, exclusive_operation will be changed to\nBTRFS_EXCLOP_BALANCE_PAUSED state which leads to a failed assertion:\n\n  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||\n  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||\n  fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,\n  fs/btrfs/ioctl.c:458\n  Call Trace:\n   <TASK>\n   btrfs_exclop_balance+0x240/0x410\n   ? memdup_user+0xab/0xc0\n   ? PTR_ERR+0x17/0x20\n   btrfs_ioctl_add_dev+0x2ee/0x320\n   btrfs_ioctl+0x9d5/0x10d0\n   ? btrfs_ioctl_encoded_write+0xb80/0xb80\n   __x64_sys_ioctl+0x197/0x210\n   do_syscall_64+0x3c/0xb0\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAn example of the failed assertion is below, which shows that the\npaused balance also needs to be checked.\n\n  root@syzkaller:/home/xsk# ./repro\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  [  416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0\n  Failed to add device /dev/vda, errno 14\n  [  416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  [  416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Fai\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix GID entry ref leak when create_ah fails\n\nIf AH create request fails, release sgid_attr to avoid GID entry\nreference leak reported while releasing GID table",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().\n\nsyzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using\nIPPROTO_UDPLITE (0x88):\n\n  14:25:52 executing program 1:\n  r0 = socket$inet6(0xa, 0x80002, 0x88)\n\nWe had a similar report [1] for probably sk_memory_allocated_add()\nin __sk_mem_raise_allocated(), and commit c915fe13cbaa (\"udplite: fix\nNULL pointer dereference\") fixed it by setting .memory_allocated for\nudplite_prot and udplitev6_prot.\n\nTo fix the variant, we need to set either .sysctl_wmem_offset or\n.sysctl_rmem.\n\nNow UDP and UDPLITE share the same value for .memory_allocated, so we\nuse the same .sysctl_wmem_offset for UDP and UDPLITE.\n\n[0]:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023\nRIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]\nRIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006\nCode: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b\nRSP: 0018:ffffc90005d7f450 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000\nRDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8\nRBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000\nR13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0\nCall Trace:\n <TASK>\n __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077\n udp_rmem_schedule net/ipv4/udp.c:1539 [inline]\n __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581\n __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]\n udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775\n udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793\n __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]\n __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013\n ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437\n ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482\n NF_HOOK include/linux/netfilter.h:303 [inline]\n NF_HOOK include/linux/netfilter.h:297 [inline]\n ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491\n ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585\n dst_input include/net/dst.h:468 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n NF_HOOK include/linux/netfilter.h:303 [inline]\n NF_HOOK include/linux/netfilter.h:297 [inline]\n ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309\n __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491\n __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605\n netif_receive_skb_internal net/core/dev.c:5691 [inline]\n netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750\n tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553\n tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989\n tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035\n call_write_iter include/linux/fs.h:1868 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x945/0xd50 fs/read_write.c:584\n ksys_write+0x12b/0x250 fs/read_write.c:637\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\nRIP: 0023:0xf7f21579\nCode: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix memory leak in binder_init()\n\nIn binder_init(), the destruction of binder_alloc_shrinker_init() is not\nperformed in the wrong path, which will cause memory leaks. So this commit\nintroduces binder_alloc_shrinker_exit() and calls it in the wrong path to\nfix that.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-race around unix_tot_inflight.\n\nunix_tot_inflight is changed under spin_lock(unix_gc_lock), but\nunix_release_sock() reads it locklessly.\n\nLet's use READ_ONCE() for unix_tot_inflight.\n\nNote that the writer side was marked by commit 9d6d7f1cb67c (\"af_unix:\nannote lockless accesses to unix_tot_inflight & gc_in_progress\")\n\nBUG: KCSAN: data-race in unix_inflight / unix_release_sock\n\nwrite (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:\n unix_inflight+0x130/0x180 net/unix/scm.c:64\n unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1832 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:747\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2547\n __sys_sendmsg+0x94/0x140 net/socket.c:2576\n __do_sys_sendmsg net/socket.c:2585 [inline]\n __se_sys_sendmsg net/socket.c:2583 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:\n unix_release_sock+0x608/0x910 net/unix/af_unix.c:671\n unix_release+0x59/0x80 net/unix/af_unix.c:1058\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1385\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00000000 -> 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n<- omitting registers ->\nCall Trace:\n <TASK>\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll)               CPU2 (vmci_host_do_init_context)\n-----                               -----\n// Read uninitialized context\ncontext = vmci_host_dev->context;\n                                    // Initialize context\n                                    vmci_host_dev->context = vmci_ctx_create();\n                                    vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {\n    // Dereferencing the wrong pointer\n    poll_wait(..., &context->host_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev->context first,\nand then reads vmci_host_dev->ct_type to check that\nvmci_host_dev->context is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev->context after checking\nthe value of vmci_host_dev->ct_type so that vmci_host_poll() always\nreads an initialized context.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_vdpa: build affinity masks conditionally\n\nWe try to build the affinity mask via create_affinity_masks()\nunconditionally, which may lead to several issues:\n\n- the affinity mask is not used for a parent without affinity support\n  (only VDUSE supports affinity now)\n- the logic of create_affinity_masks() might not work for devices\n  other than block. For example it's not rare in the networking device\n  where the number of queues could exceed the number of CPUs. Such a\n  case breaks the current affinity logic which is based on\n  group_cpus_evenly(), which assumes the number of CPUs is not less than\n  the number of groups. This can trigger a warning[1]:\n\n\tif (ret >= 0)\n\t\tWARN_ON(nr_present + nr_others < numgrps);\n\nFix this by building the affinity masks only when\n\n- the driver passes an affinity descriptor; a driver like virtio-blk can make\n  sure to limit the number of queues when it exceeds the number of CPUs\n- the parent supports the affinity-setting config ops\n\nThis helps to avoid the warning. More optimizations could be done on\ntop.\n\n[1]\n[  682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0\n[  682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79\n[  682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n[  682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0\n[  682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc\n[  682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293\n[  682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000\n[  682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030\n[  682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0\n[  682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800\n[  682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041\n[  682.146692] FS:  00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000\n[  682.146695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0\n[  682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  682.146701] Call Trace:\n[  682.146703]  <TASK>\n[  682.146705]  ? __warn+0x7b/0x130\n[  682.146709]  ? group_cpus_evenly+0x1aa/0x1c0\n[  682.146712]  ? report_bug+0x1c8/0x1e0\n[  682.146717]  ? handle_bug+0x3c/0x70\n[  682.146721]  ? exc_invalid_op+0x14/0x70\n[  682.146723]  ? asm_exc_invalid_op+0x16/0x20\n[  682.146727]  ? group_cpus_evenly+0x1aa/0x1c0\n[  682.146729]  ? group_cpus_evenly+0x15c/0x1c0\n[  682.146731]  create_affinity_masks+0xaf/0x1a0\n[  682.146735]  virtio_vdpa_find_vqs+0x83/0x1d0\n[  682.146738]  ? __pfx_default_calc_sets+0x10/0x10\n[  682.146742]  virtnet_find_vqs+0x1f0/0x370\n[  682.146747]  virtnet_probe+0x501/0xcd0\n[  682.146749]  ? vp_modern_get_status+0x12/0x20\n[  682.146751]  ? get_cap_addr.isra.0+0x10/0xc0\n[  682.146754]  virtio_dev_probe+0x1af/0x260\n[  682.146759]  really_probe+0x1a5/0x410",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path\n\nThe cdns_i2c_master_xfer() function gets a runtime PM reference when the\nfunction is entered. This reference is released when the function is\nexited. There is currently one error path where the function exits\ndirectly, which leads to a leak of the runtime PM reference.\n\nMake sure that this error path also releases the runtime PM reference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects\n\nACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4\n\nACPI_ALLOCATE_ZEROED may fail, object_info might be null and will cause\na null pointer dereference later.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix an issue found by KASAN\n\nWrite only correct size (32 instead of 64 bytes).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix stack overflow when LRO is disabled for virtual interfaces\n\nWhen the virtual interface's feature is updated, it synchronizes the\nupdated feature for its own lower interface.\nThis propagation logic should be worked as the iteration, not recursively.\nBut it works recursively due to the netdev notification unexpectedly.\nThis problem occurs when it disables LRO only for the team and bonding\ninterface type.\n\n       team0\n         |\n  +------+------+-----+-----+\n  |      |      |     |     |\nteam1  team2  team3  ...  team200\n\nIf team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE\nevent to its own lower interfaces(team1 ~ team200).\nIt is worked by netdev_sync_lower_features().\nSo, the NETDEV_FEAT_CHANGE notification logic of each lower interface\nwork iteratively.\nBut generated NETDEV_FEAT_CHANGE event is also sent to the upper\ninterface too.\nupper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own\nlower interfaces again.\nlower and upper interfaces receive this event and generate this\nevent again and again.\nSo, the stack overflow occurs.\n\nBut it is not the infinite loop issue.\nBecause the netdev_sync_lower_features() updates features before\ngenerating the NETDEV_FEAT_CHANGE event.\nAlready synchronized lower interfaces skip notification logic.\nSo, it is just the problem that iteration logic is changed to the\nrecursive unexpectedly due to the notification mechanism.\n\nReproducer:\n\nip link add team0 type team\nethtool -K team0 lro on\nfor i in {1..200}\ndo\n        ip link add team$i master team0 type team\n        ethtool -K team$i lro on\ndone\n\nethtool -K team0 lro off\n\nIn order to fix it, the notifier_ctx member of bonding/team is introduced.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Fix locking for runpm vs reclaim\n\nFor cases where icc_bw_set() can be called in callpaths that could\ndeadlock against shrinker/reclaim, such as runpm resume, we need to\ndecouple the icc locking.  Introduce a new icc_bw_lock for cases where\nwe need to serialize bw aggregation and update to decouple that from\npaths that require memory allocation such as node/link creation/\ndestruction.\n\nFixes this lockdep splat:\n\n   ======================================================\n   WARNING: possible circular locking dependency detected\n   6.2.0-rc8-debug+ #554 Not tainted\n   ------------------------------------------------------\n   ring0/132 is trying to acquire lock:\n   ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234\n\n   but task is already holding lock:\n   ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150\n\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n   -> #4 (dma_fence_map){++++}-{0:0}:\n          __dma_fence_might_wait+0x74/0xc0\n          dma_resv_lockdep+0x1f4/0x2f4\n          do_one_initcall+0x104/0x2bc\n          kernel_init_freeable+0x344/0x34c\n          kernel_init+0x30/0x134\n          ret_from_fork+0x10/0x20\n\n   -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:\n          fs_reclaim_acquire+0x80/0xa8\n          slab_pre_alloc_hook.constprop.0+0x40/0x25c\n          __kmem_cache_alloc_node+0x60/0x1cc\n          __kmalloc+0xd8/0x100\n          topology_parse_cpu_capacity+0x8c/0x178\n          get_cpu_for_node+0x88/0xc4\n          parse_cluster+0x1b0/0x28c\n          parse_cluster+0x8c/0x28c\n          init_cpu_topology+0x168/0x188\n          smp_prepare_cpus+0x24/0xf8\n          kernel_init_freeable+0x18c/0x34c\n          kernel_init+0x30/0x134\n          ret_from_fork+0x10/0x20\n\n   -> #2 (fs_reclaim){+.+.}-{0:0}:\n          __fs_reclaim_acquire+0x3c/0x48\n          fs_reclaim_acquire+0x54/0xa8\n          slab_pre_alloc_hook.constprop.0+0x40/0x25c\n          __kmem_cache_alloc_node+0x60/0x1cc\n          __kmalloc+0xd8/0x100\n          kzalloc.constprop.0+0x14/0x20\n          icc_node_create_nolock+0x4c/0xc4\n          icc_node_create+0x38/0x58\n          qcom_icc_rpmh_probe+0x1b8/0x248\n          platform_probe+0x70/0xc4\n          really_probe+0x158/0x290\n          __driver_probe_device+0xc8/0xe0\n          driver_probe_device+0x44/0x100\n          __driver_attach+0xf8/0x108\n          bus_for_each_dev+0x78/0xc4\n          driver_attach+0x2c/0x38\n          bus_add_driver+0xd0/0x1d8\n          driver_register+0xbc/0xf8\n          __platform_driver_register+0x30/0x3c\n          qnoc_driver_init+0x24/0x30\n          do_one_initcall+0x104/0x2bc\n          kernel_init_freeable+0x344/0x34c\n          kernel_init+0x30/0x134\n          ret_from_fork+0x10/0x20\n\n   -> #1 (icc_lock){+.+.}-{3:3}:\n          __mutex_lock+0xcc/0x3c8\n          mutex_lock_nested+0x30/0x44\n          icc_set_bw+0x88/0x2b4\n          _set_opp_bw+0x8c/0xd8\n          _set_opp+0x19c/0x300\n          dev_pm_opp_set_opp+0x84/0x94\n          a6xx_gmu_resume+0x18c/0x804\n          a6xx_pm_resume+0xf8/0x234\n          adreno_runtime_resume+0x2c/0x38\n          pm_generic_runtime_resume+0x30/0x44\n          __rpm_callback+0x15c/0x174\n          rpm_callback+0x78/0x7c\n          rpm_resume+0x318/0x524\n          __pm_runtime_resume+0x78/0xbc\n          adreno_load_gpu+0xc4/0x17c\n          msm_open+0x50/0x120\n          drm_file_alloc+0x17c/0x228\n          drm_open_helper+0x74/0x118\n          drm_open+0xa0/0x144\n          drm_stub_open+0xd4/0xe4\n          chrdev_open+0x1b8/0x1e4\n          do_dentry_open+0x2f8/0x38c\n          vfs_open+0x34/0x40\n          path_openat+0x64c/0x7b4\n          do_filp_open+0x54/0xc4\n          do_sys_openat2+0x9c/0x100\n          do_sys_open+0x50/0x7c\n          __arm64_sys_openat+0x28/0x34\n          invoke_syscall+0x8c/0x128\n          el0_svc_common.constprop.0+0xa0/0x11c\n          do_el0_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()\n\nKlocwork reported warning of rport maybe NULL and will be dereferenced.\nrport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.\n\nCheck valid rport returned by fc_bsg_to_rport().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Devcom, fix error flow in mlx5_devcom_register_device\n\nIn case devcom allocation is failed, mlx5 is always freeing the priv.\nHowever, this priv might have been allocated by a different thread,\nand freeing it might lead to use-after-free bugs.\nFix it by freeing the priv only in case it was allocated by the\nrunning thread.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix memory leak in rx_desc and tx_desc\n\nCurrently when ath12k_dp_cc_desc_init() is called we allocate\nmemory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during\ndescriptor cleanup rx_descs and tx_descs memory is not freed.\n\nThis is cause of memory leak. These allocated memory should be\nfreed in ath12k_dp_cc_cleanup.\n\nIn ath12k_dp_cc_desc_init(), we can save base address of rx_descs\nand tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and\ntx_descs memory using their base address.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: fix possible memory leak in ibmebus_bus_init()\n\nIf device_register() returns error in ibmebus_bus_init(), name of kobject\nwhich is allocated in dev_set_name() called in device_add() is leaked.\n\nAs comment of device_add() says, it should call put_device() to drop\nthe reference count that was set in device_initialize() when it fails,\nso the name can be freed in kobject_cleanup().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue as it may return\nNULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and\n`hdmi_hpd.c`.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517211/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n  vfs_poll\n                           do_rmdir\n                             cgroup_rmdir\n                               kernfs_drain_open_files\n                                 cgroup_file_release\n                                   cgroup_pressure_release\n                                     psi_trigger_destroy\n                                       wake_up_pollfree(&t->event_wait)\n// vfs_poll is unblocked\n                                       synchronize_rcu\n                                       kfree(t)\n  poll_freewait -> UAF access to the trigger's waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger's\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node->poll waitqueue head\nwith its lifecycle tied to the file's lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sf-pdma: pdma_desc memory leak fix\n\nCommit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread support for a\nDMA channel\") changed sf_pdma_prep_dma_memcpy() to unconditionally\nallocate a new sf_pdma_desc each time it is called.\n\nThe driver previously recycled descs, by checking the in_use flag, only\nallocating additional descs if the existing one was in use. This logic\nwas removed in commit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread\nsupport for a DMA channel\"), but sf_pdma_free_desc() was not changed to\nhandle the new behaviour.\n\nAs a result, each time sf_pdma_prep_dma_memcpy() is called, the previous\ndescriptor is leaked, over time leading to memory starvation:\n\n  unreferenced object 0xffffffe008447300 (size 192):\n  comm \"irq/39-mchp_dsc\", pid 343, jiffies 4294906910 (age 981.200s)\n  hex dump (first 32 bytes):\n    00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00  ................\n    00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00  ..p.............\n  backtrace:\n    [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28\n    [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178\n    [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112\n\nAdd the missing kfree() to sf_pdma_free_desc(), and remove the redundant\nin_use flag.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: set goal start correctly in ext4_mb_normalize_request\n\nWe need to set ac_g_ex to notify the goal start used in\next4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in\next4_mb_normalize_request.\nBesides we should assure goal start is in range [first_data_block,\nblocks_count) as ext4_mb_initialize_context does.\n\n[ Added a check to make sure size is less than ar->pright; otherwise\n  we could end up passing an underflowed value of ar->pright - size to\n  ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.\n  - TYT ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks at error path for UMP open\n\nThe allocation and initialization errors at alloc_midi_urbs() that is\ncalled at MIDI 2.0 / UMP device are supposed to be handled at the\ncaller side by invoking free_midi_urbs().  However, free_midi_urbs()\nloops only for ep->num_urbs entries, and since ep->num_entries wasn't\nupdated yet at the allocation / init error in alloc_midi_urbs(), this\nentry won't be released.\n\nThe intention of free_midi_urbs() is to release the whole elements, so\nchange the loop size to NUM_URBS to scan over all elements for fixing\nthe missed releases.\n\nAlso, the call of free_midi_urbs() is missing at\nsnd_usb_midi_v2_open().  Although it'll be released later at\nreopen/close or disconnection, it's better to release immediately at\nthe error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between balance and cancel/pause\n\nSyzbot reported a panic that looks like this:\n\n  assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/messages.c:259!\n  RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259\n  Call Trace:\n   <TASK>\n   btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]\n   btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]\n   btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe reproducer is running a balance and a cancel or pause in parallel.\nThe way balance finishes is a bit wonky, if we were paused we need to\nsave the balance_ctl in the fs_info, but clear it otherwise and cleanup.\nHowever we rely on the return values being specific errors, or having a\ncancel request or no pause request.  If balance completes and returns 0,\nbut we have a pause or cancel request we won't do the appropriate\ncleanup, and then the next time we try to start a balance we'll trip\nthis ASSERT.\n\nThe error handling is just wrong here, we always want to clean up,\nunless we got -ECANCELLED and we set the appropriate pause flag in the\nexclusive op.  With this patch the reproducer ran for an hour without\ntripping, previously it would trip in less than a few minutes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy target device if coalesced MMIO unregistration fails\n\nDestroy and free the target coalesced MMIO device if unregistering said\ndevice fails.  As clearly noted in the code, kvm_io_bus_unregister_dev()\ndoes not destroy the target device.\n\n  BUG: memory leak\n  unreferenced object 0xffff888112a54880 (size 64):\n    comm \"syz-executor.2\", pid 5258, jiffies 4297861402 (age 14.129s)\n    hex dump (first 32 bytes):\n      38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff  8.g.....8.g.....\n      e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff  .........0g.....\n    backtrace:\n      [<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline]\n      [<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline]\n      [<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150\n      [<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323\n      [<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline]\n      [<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline]\n      [<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696\n      [<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713\n      [<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline]\n      [<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline]\n      [<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718\n      [<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290\n      [<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\n  BUG: leak checking failed",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Do not configure WoWlan in shutdown hook if not enabled\n\nIn case WoWlan was never configured during the operation of the system,\nthe hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks\nwhether wowlan_config is non-NULL and if it is not, then WARNs about it.\nThe warning is valid, as during normal operation the rsi_config_wowlan()\nshould only ever be called with non-NULL wowlan_config. In shutdown this\nrsi_config_wowlan() should only ever be called if WoWlan was configured\nbefore by the user.\n\nAdd checks for non-NULL wowlan_config into the shutdown hook. While at it,\ncheck whether the wiphy is also non-NULL before accessing wowlan_config .\nDrop the single-use wowlan_config variable, just inline it into function\ncall.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\n\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\n\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\n\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\n\n  Unable to handle kernel NULL pointer dereference when read\n  CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\n  PC is at _of_add_opp_table_v2 (include/linux/of.h:949\n  drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\n  drivers/opp/of.c:1032) -> lazy_link_required_opp_table()\n\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: Prevent invalid memory access when there is no parent\n\nCommit 813665564b3d (\"iio: core: Convert to use firmware node handle\ninstead of OF node\") switched the kind of nodes to use for label\nretrieval in device registration.  Probably an unwanted change in that\ncommit was that if the device has no parent then NULL pointer is\naccessed.  This is what happens in the stock IIO dummy driver when a\nnew entry is created in configfs:\n\n  # mkdir /sys/kernel/config/iio/devices/dummy/foo\n  BUG: kernel NULL pointer dereference, address: ...\n  ...\n  Call Trace:\n  __iio_device_register\n  iio_dummy_probe\n\nSince there seems to be no reason to make a parent device of an IIO\ndummy device mandatory, let\u2019s prevent the invalid memory access in\n__iio_device_register when the parent device is NULL.  With this\nchange, the IIO dummy driver works fine with configfs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the error \"trying to register non-static key in rxe_cleanup_task\"\n\nIn the function rxe_create_qp(), rxe_qp_from_init() is called to\ninitialize qp, internally things like rxe_init_task are not setup until\nrxe_qp_init_req().\n\nIf an error occurred before this point then the unwind will call\nrxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()\nwhich will oops when trying to access the uninitialized spinlock.\n\nIf rxe_init_task is not executed, rxe_cleanup_task will not be called.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: don't overflow multishot recv\n\nDon't allow overflowing multishot recv CQEs, it might get out of\nhand, hurt performance, and in the worst case scenario OOM the task.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add queue index attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info->attrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa queue index attr to avoid\nsuch bugs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info->dirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there's another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n  [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n  [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.279928] Code: 85 38 06 00 (...)\n  [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n  [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n  [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n  [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n  [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n  [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n  [337571.281723] FS:  00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n  [337571.281950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n  [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [337571.282874] Call Trace:\n  [337571.283101]  <TASK>\n  [337571.283327]  ? __die_body+0x1b/0x60\n  [337571.283570]  ? die_addr+0x39/0x60\n  [337571.283796]  ? exc_general_protection+0x22e/0x430\n  [337571.284022]  ? asm_exc_general_protection+0x22/0x30\n  [337571.284251]  ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.284531]  btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n  [337571.284803]  ? _raw_spin_unlock+0x15/0x30\n  [337571.285031]  ? release_extent_buffer+0x103/0x130 [btrfs]\n  [337571.285305]  reset_balance_state+0x152/0x1b0 [btrfs]\n  [337571.285578]  btrfs_balance+0xa50/0x11e0 [btrfs]\n  [337571.285864]  ? __kmem_cache_alloc_node+0x14a/0x410\n  [337571.286086]  btrfs_ioctl+0x249a/0x3320 [btrfs]\n  [337571.286358]  ? mod_objcg_state+0xd2/0x360\n  [337571.286577]  ? refill_obj_stock+0xb0/0x160\n  [337571.286798]  ? seq_release+0x25/0x30\n  [337571.287016]  ? __rseq_handle_notify_resume+0x3ba/0x4b0\n  [337571.287235]  ? percpu_counter_add_batch+0x2e/0xa0\n  [337571.287455]  ? __x64_sys_ioctl+0x88/0xc0\n  [337571.287675]  __x64_sys_ioctl+0x88/0xc0\n  [337571.287901]  do_syscall_64+0x38/0x90\n  [337571.288126]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n  [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix a memory leak in the LRU and LRU_PERCPU hash maps\n\nThe LRU and LRU_PERCPU maps allocate a new element on update before locking the\ntarget hash table bucket. Right after that the maps try to lock the bucket.\nIf this fails, then maps return -EBUSY to the caller without releasing the\nallocated element. This makes the element untracked: it doesn't belong to\neither of free lists, and it doesn't belong to the hash table, so can't be\nre-used; this eventually leads to the permanent -ENOMEM on LRU map updates,\nwhich is unexpected. Fix this by returning the element to the local free list\nif bucket locking fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Make sure to zero vfio_iommu_type1_info before copying to user\n\nMissed a zero initialization here. Most of the struct is filled with\na copy_from_user(), however minsz for that copy is smaller than the\nactual struct by 8 bytes, thus we don't fill the padding.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix underflow in chain reference counter\n\nSet element addition error path decrements reference counter on chains\ntwice: once on element release and again via nft_data_release().\n\nThen, d6b478666ffa (\"netfilter: nf_tables: fix underflow in object\nreference counter\") incorrectly fixed this by removing the stateful\nobject reference count decrement.\n\nRestore the stateful object decrement as in b91d90368837 (\"netfilter:\nnf_tables: fix leaking object reference count\") and let\nnft_data_release() decrement the chain reference counter, so this is\ndone only once.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it's connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn't sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths > 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn't send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: prevent NULL pointer deref during reload\n\nCalling ethtool during reload can lead to call trace, because VSI isn't\nconfigured for some time, but netdev is alive.\n\nTo fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors\nto 0 after freeing and add a check for ::tx/rx_rings in ring related\nethtool ops.\n\nAdd proper unroll of filters in ice_start_eth().\n\nReproduction:\n$watch -n 0.1 -d 'ethtool -g enp24s0f0np0'\n$devlink dev reload pci/0000:18:00.0 action driver_reinit\n\nCall trace before fix:\n[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[66303.926259] #PF: supervisor read access in kernel mode\n[66303.926286] #PF: error_code(0x0000) - not-present page\n[66303.926311] PGD 0 P4D 0\n[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI\n[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G           OE      6.4.0-rc5+ #1\n[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018\n[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice]\n[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48\n[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246\n[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48\n[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000\n[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000\n[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000\n[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50\n[66303.926906] FS:  00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000\n[66303.926941] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0\n[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[66303.927060] PKRU: 55555554\n[66303.927075] Call Trace:\n[66303.927094]  <TASK>\n[66303.927111]  ? __die+0x23/0x70\n[66303.927140]  ? page_fault_oops+0x171/0x4e0\n[66303.927176]  ? exc_page_fault+0x7f/0x180\n[66303.927209]  ? asm_exc_page_fault+0x26/0x30\n[66303.927244]  ? ice_get_ringparam+0x22/0x50 [ice]\n[66303.927433]  rings_prepare_data+0x62/0x80\n[66303.927469]  ethnl_default_doit+0xe2/0x350\n[66303.927501]  genl_family_rcv_msg_doit.isra.0+0xe3/0x140\n[66303.927538]  genl_rcv_msg+0x1b1/0x2c0\n[66303.927561]  ? __pfx_ethnl_default_doit+0x10/0x10\n[66303.927590]  ? __pfx_genl_rcv_msg+0x10/0x10\n[66303.927615]  netlink_rcv_skb+0x58/0x110\n[66303.927644]  genl_rcv+0x28/0x40\n[66303.927665]  netlink_unicast+0x19e/0x290\n[66303.927691]  netlink_sendmsg+0x254/0x4d0\n[66303.927717]  sock_sendmsg+0x93/0xa0\n[66303.927743]  __sys_sendto+0x126/0x170\n[66303.927780]  __x64_sys_sendto+0x24/0x30\n[66303.928593]  do_syscall_64+0x5d/0x90\n[66303.929370]  ? __count_memcg_events+0x60/0xa0\n[66303.930146]  ? count_memcg_events.constprop.0+0x1a/0x30\n[66303.930920]  ? handle_mm_fault+0x9e/0x350\n[66303.931688]  ? do_user_addr_fault+0x258/0x740\n[66303.932452]  ? exc_page_fault+0x7f/0x180\n[66303.933193]  entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link\n\nhci_connect_sco currently returns NULL when there is no link (i.e. when\nhci_conn_link() returns NULL).\n\nsco_connect() expects an ERR_PTR in case of any error (see line 266 in\nsco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which\ntries to get hcon->hdev, resulting in dereferencing a NULL pointer as\nreported by syzkaller.\n\nThe same issue exists for iso_connect_cis() calling hci_connect_cis().\n\nThus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR\ninstead of NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access\n\nIn the j1939_tp_tx_dat_new() function, an out-of-bounds memory access\ncould occur during the memcpy() operation if the size of skb->cb is\nlarger than the size of struct j1939_sk_buff_cb. This is because the\nmemcpy() operation uses the size of skb->cb, leading to a read beyond\nthe struct j1939_sk_buff_cb.\n\nUpdated the memcpy() operation to use the size of struct\nj1939_sk_buff_cb instead of the size of skb->cb. This ensures that the\nmemcpy() operation only reads the memory within the bounds of struct\nj1939_sk_buff_cb, preventing out-of-bounds memory access.\n\nAdditionally, add a BUILD_BUG_ON() to check that the size of skb->cb\nis greater than or equal to the size of struct j1939_sk_buff_cb. This\nensures that the skb->cb buffer is large enough to hold the\nj1939_sk_buff_cb structure.\n\n[mkl: rephrase commit message]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix wrong fallback logic for FDIR\n\nWhen adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure,\nthe inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr\nreturns failure, the fdir context info for irq handler will not be cleared\nwhich may lead to inconsistent or memory leak issue. This patch refines\nfailure cases to resolve this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memory leak when removing provided buffers\n\nWhen removing provided buffers, io_buffer structs are not being disposed\nof, leading to a memory leak. They can't be freed individually, because\nthey are allocated in page-sized groups. They need to be added to some\nfree list instead, such as io_buffers_cache. All callers already hold\nthe lock protecting it, apart from when destroying buffers, so had to\nextend the lock there.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix VAS mm use after free\n\nThe refcount on mm is dropped before the coprocessor is detached.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not add the same hwpt to the ioas->hwpt_list twice\n\nThe hwpt is added to the hwpt_list only during its creation, it is never\nadded again. This hunk is some missed leftover from rework. Adding it\ntwice will corrupt the linked list in some cases.\n\nIt affects HWPT specific attachment, which is something the test suite\ncannot cover until we can create a legitimate struct device with a\nnon-system iommu \"driver\" (ie we need the bus removed from the iommu code)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: Add a check for remove callback when removing a SPMI driver\n\nWhen removing a SPMI driver, there can be a crash due to NULL pointer\ndereference if it does not have a remove callback defined. This is\none such call trace observed when removing the QCOM SPMI PMIC driver:\n\n dump_backtrace.cfi_jt+0x0/0x8\n dump_stack_lvl+0xd8/0x16c\n panic+0x188/0x498\n __cfi_slowpath+0x0/0x214\n __cfi_slowpath+0x1dc/0x214\n spmi_drv_remove+0x16c/0x1e0\n device_release_driver_internal+0x468/0x79c\n driver_detach+0x11c/0x1a0\n bus_remove_driver+0xc4/0x124\n driver_unregister+0x58/0x84\n cleanup_module+0x1c/0xc24 [qcom_spmi_pmic]\n __do_sys_delete_module+0x3ec/0x53c\n __arm64_sys_delete_module+0x18/0x28\n el0_svc_common+0xdc/0x294\n el0_svc+0x38/0x9c\n el0_sync_handler+0x8c/0xf0\n el0_sync+0x1b4/0x1c0\n\nIf a driver has all its resources allocated through devm_() APIs and\ndoes not need any other explicit cleanup, it would not require a\nremove callback to be defined. Hence, add a check for remove callback\npresence before calling it when removing a SPMI driver.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix possible soft lockup in __audit_inode_child()\n\nTracefs or debugfs may cause hundreds to thousands of PATH records,\ntoo many PATH records may cause soft lockup.\n\nFor example:\n  1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n\n  2. auditctl -a exit,always -S open -k key\n  3. sysctl -w kernel.watchdog_thresh=5\n  4. mkdir /sys/kernel/debug/tracing/instances/test\n\nThere may be a soft lockup as follows:\n  watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498]\n  Kernel panic - not syncing: softlockup: hung tasks\n  Call trace:\n   dump_backtrace+0x0/0x30c\n   show_stack+0x20/0x30\n   dump_stack+0x11c/0x174\n   panic+0x27c/0x494\n   watchdog_timer_fn+0x2bc/0x390\n   __run_hrtimer+0x148/0x4fc\n   __hrtimer_run_queues+0x154/0x210\n   hrtimer_interrupt+0x2c4/0x760\n   arch_timer_handler_phys+0x48/0x60\n   handle_percpu_devid_irq+0xe0/0x340\n   __handle_domain_irq+0xbc/0x130\n   gic_handle_irq+0x78/0x460\n   el1_irq+0xb8/0x140\n   __audit_inode_child+0x240/0x7bc\n   tracefs_create_file+0x1b8/0x2a0\n   trace_create_file+0x18/0x50\n   event_create_dir+0x204/0x30c\n   __trace_add_new_event+0xac/0x100\n   event_trace_add_tracer+0xa0/0x130\n   trace_array_create_dir+0x60/0x140\n   trace_array_create+0x1e0/0x370\n   instance_mkdir+0x90/0xd0\n   tracefs_syscall_mkdir+0x68/0xa0\n   vfs_mkdir+0x21c/0x34c\n   do_mkdirat+0x1b4/0x1d4\n   __arm64_sys_mkdirat+0x4c/0x60\n   el0_svc_common.constprop.0+0xa8/0x240\n   do_el0_svc+0x8c/0xc0\n   el0_svc+0x20/0x30\n   el0_sync_handler+0xb0/0xb4\n   el0_sync+0x160/0x180\n\nTherefore, we add cond_resched() to __audit_inode_child() to fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Handle EBUSY correctly\n\nAs it is essiv only handles the special return value of EINPROGRESS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of essiv may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way.  Otherwise backlogged\nrequests will trigger a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: dw_hdmi: cleanup drm encoder during unbind\n\nThis fixes a use-after-free crash during rmmod.\n\nThe DRM encoder is embedded inside the larger rockchip_hdmi,\nwhich is allocated with the component. The component memory\ngets freed before the main drm device is destroyed. Fix it\nby running encoder cleanup before tearing down its container.\n\n[moved encoder cleanup above clk_disable, similar to bind-error-path]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Prevent handling any completions after qp destroy\n\nHW may generate completions that indicate QP is destroyed.\nDriver should not be scheduling any more completion handlers\nfor this QP, after the QP is destroyed. Since CQs are active\nduring the QP destroy, driver may still schedule completion\nhandlers. This can cause a race where the destroy_cq and poll_cq\nare running simultaneously.\n\nSnippet of kernel panic while doing bnxt_re driver load unload in loop.\nThis indicates a poll after the CQ is freed.\u00a0\n\n[77786.481636] Call Trace:\n[77786.481640] \u00a0<TASK>\n[77786.481644] \u00a0bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]\n[77786.481658] \u00a0? kvm_clock_read+0x14/0x30\n[77786.481693] \u00a0__ib_process_cq+0x57/0x190 [ib_core]\n[77786.481728] \u00a0ib_cq_poll_work+0x26/0x80 [ib_core]\n[77786.481761] \u00a0process_one_work+0x1e5/0x3f0\n[77786.481768] \u00a0worker_thread+0x50/0x3a0\n[77786.481785] \u00a0? __pfx_worker_thread+0x10/0x10\n[77786.481790] \u00a0kthread+0xe2/0x110\n[77786.481794] \u00a0? __pfx_kthread+0x10/0x10\n[77786.481797] \u00a0ret_from_fork+0x2c/0x50\n\nTo avoid this, complete all completion handlers before returning the\ndestroy QP. If free_cq is called soon after destroy_qp, IB stack\nwill cancel the CQ work before invoking the destroy_cq verb and\nthis will prevent any race mentioned.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: glink: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memleak when insert_old_idx() failed\n\nFollowing process will cause a memleak for copied up znode:\n\ndirty_cow_znode\n  zn = copy_znode(c, znode);\n  err = insert_old_idx(c, zbr->lnum, zbr->offs);\n  if (unlikely(err))\n     return ERR_PTR(err);   // No one refers to zn.\n\nFetch a reproducer in [Link].\n\nFunction copy_znode() is split into 2 parts: resource allocation\nand znode replacement, insert_old_idx() is split in similar way,\nso resource cleanup could be done in error handling path without\ncorrupting metadata(mem & disk).\nIt's okay that old index inserting is put behind of add_idx_dirt(),\nold index is used in layout_leb_in_gaps(), so the two processes do\nnot depend on each other.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not allow gso_size to be set to GSO_BY_FRAGS\n\nOne missing check in virtio_net_hdr_to_skb() allowed\nsyzbot to crash kernels again [1]\n\nDo not allow gso_size to be set to GSO_BY_FRAGS (0xffff),\nbecause this magic value is used by the kernel.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nRIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500\nCode: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01\nRSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000\nRDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070\nRBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6\nR13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff\nFS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x292/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625\n__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329\ndev_queue_xmit include/linux/netdevice.h:3082 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:727 [inline]\nsock_sendmsg+0xd9/0x180 net/socket.c:750\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2496\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2550\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2579\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ff27cdb34d9",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix skb leak by txs missing in AMSDU\n\ntxs may be dropped if the frame is aggregated in AMSDU. When the problem\nshows up, some SKBs would be held in driver to cause network stopped\ntemporarily. Even if the problem can be recovered by txs timeout handling,\nmt7921 still needs to disable txs in AMSDU to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: fix possible NULL pointer dereference\n\nIt is possible that iwl_pci_probe() will fail and free the trans,\nthen afterwards iwl_pci_remove() will be called and crash by trying\nto access trans which is already freed, fix it.\n\niwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2\n\t\t      wfpm id 0xa5a5a5a2\niwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000028\n...\nRIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]\npci_device_remove+0x3e/0xb0\ndevice_release_driver_internal+0x103/0x1f0\ndriver_detach+0x4c/0x90\nbus_remove_driver+0x5c/0xd0\ndriver_unregister+0x31/0x50\npci_unregister_driver+0x40/0x90\niwl_pci_unregister_driver+0x15/0x20 [iwlwifi]\n__exit_compat+0x9/0x98 [iwlwifi]\n__x64_sys_delete_module+0x147/0x260",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix memory leak of PBLE objects\n\nOn rmmod of irdma, the PBLE object memory is not being freed. PBLE object\nmemory is not statically pre-allocated at function initialization time\nunlike other HMC objects. PBLE objects and the Segment Descriptors (SD)\nfor it can be dynamically allocated during scale up and SD's remain\nallocated till function deinitialization.\n\nFix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table\nand skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkheaders: Use array declaration instead of char\n\nUnder CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination\nand source buffers. Defining kernel_headers_data as \"char\" would trip\nthis check. Since these addresses are treated as byte arrays, define\nthem as arrays (as done everywhere else).\n\nThis was seen with:\n\n  $ cat /sys/kernel/kheaders.tar.xz >> /dev/null\n\n  detected buffer overflow in memcpy\n  kernel BUG at lib/string_helpers.c:1027!\n  ...\n  RIP: 0010:fortify_panic+0xf/0x20\n  [...]\n  Call Trace:\n   <TASK>\n   ikheaders_read+0x45/0x50 [kheaders]\n   kernfs_fop_read_iter+0x1a4/0x2f0\n  ...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter\n\nThe 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,\nbecause the string specifier in the format string sscanf()\nhas no width limitation.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Check if ffa_driver remove is present before executing\n\nCurrently ffa_drv->remove() is called unconditionally from\nffa_device_remove(). Since the driver registration doesn't check for it\nand allows it to be registered without .remove callback, we need to check\nfor the presence of it before executing it from ffa_device_remove() to\navoid a NULL pointer dereference like the one below:\n\n  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  | Mem abort info:\n  |   ESR = 0x0000000086000004\n  |   EC = 0x21: IABT (current EL), IL = 32 bits\n  |   SET = 0, FnV = 0\n  |   EA = 0, S1PTW = 0\n  |   FSC = 0x04: level 0 translation fault\n  | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000\n  | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n  | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n  | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6\n  | Hardware name: FVP Base RevC (DT)\n  | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)\n  | pc : 0x0\n  | lr : ffa_device_remove+0x20/0x2c\n  | Call trace:\n  |  0x0\n  |  device_release_driver_internal+0x16c/0x260\n  |  driver_detach+0x90/0xd0\n  |  bus_remove_driver+0xdc/0x11c\n  |  driver_unregister+0x30/0x54\n  |  ffa_driver_unregister+0x14/0x20\n  |  cleanup_module+0x18/0xeec\n  |  __arm64_sys_delete_module+0x234/0x378\n  |  invoke_syscall+0x40/0x108\n  |  el0_svc_common+0xb4/0xf0\n  |  do_el0_svc+0x30/0xa4\n  |  el0_svc+0x2c/0x7c\n  |  el0t_64_sync_handler+0x84/0xf0\n  |  el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: mediatek: mtk-svs: Enable the IRQ later\n\nIf the system does not come from reset (like when it is booted via\nkexec()), the peripheral might trigger an IRQ before the data structures\nare initialised.\n\n\n[    0.227710] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000f08\n[    0.227913] Call trace:\n[    0.227918]  svs_isr+0x8c/0x538",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Set end correctly when doing batch carry\n\nEven though the test suite covers this it somehow became obscured that\nthis wasn't working.\n\nThe test iommufd_ioas.mock_domain.access_domain_destory would blow up\nrarely.\n\nend should be set to 1 because this just pushed an item, the carry, to the\npfns list.\n\nSometimes the test would blow up with:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:batch_unpin+0xa2/0x100 [iommufd]\n  Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc\n  RSP: 0018:ffffc90001677a58 EFLAGS: 00010246\n  RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001\n  RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c\n  RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200\n  R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001\n  R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe\n  FS:  00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   ? show_regs+0x5c/0x70\n   ? __die+0x1f/0x60\n   ? page_fault_oops+0x15d/0x440\n   ? lock_release+0xbc/0x240\n   ? exc_page_fault+0x4a4/0x970\n   ? asm_exc_page_fault+0x27/0x30\n   ? batch_unpin+0xa2/0x100 [iommufd]\n   ? batch_unpin+0xba/0x100 [iommufd]\n   __iopt_area_unfill_domain+0x198/0x430 [iommufd]\n   ? __mutex_lock+0x8c/0xb80\n   ? __mutex_lock+0x6aa/0xb80\n   ? xa_erase+0x28/0x30\n   ? iopt_table_remove_domain+0x162/0x320 [iommufd]\n   ? lock_release+0xbc/0x240\n   iopt_area_unfill_domain+0xd/0x10 [iommufd]\n   iopt_table_remove_domain+0x195/0x320 [iommufd]\n   iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd]\n   iommufd_object_destroy_user+0x8e/0xf0 [iommufd]\n   iommufd_device_detach+0xc5/0x140 [iommufd]\n   iommufd_selftest_destroy+0x1f/0x70 [iommufd]\n   iommufd_object_destroy_user+0x8e/0xf0 [iommufd]\n   iommufd_destroy+0x3a/0x50 [iommufd]\n   iommufd_fops_ioctl+0xfb/0x170 [iommufd]\n   __x64_sys_ioctl+0x40d/0x9a0\n   do_syscall_64+0x3c/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix invalid free tracking in ext4_xattr_move_to_block()\n\nIn ext4_xattr_move_to_block(), the value of the extended attribute\nwhich we need to move to an external block may be allocated by\nkvmalloc() if the value is stored in an external inode.  So at the end\nof the function the code tried to check if this was the case by\ntesting entry->e_value_inum.\n\nHowever, at this point, the pointer to the xattr entry is no longer\nvalid, because it was removed from the original location where it had\nbeen stored.  So we could end up calling kvfree() on a pointer which\nwas not allocated by kvmalloc(); or we could also potentially leak\nmemory by not freeing the buffer when it should be freed.  Fix this by\nstoring whether it should be freed in a separate variable.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix OOB read in indx_insert_into_buffer\n\nSyzbot reported an OOB read bug:\n\nBUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0\nfs/ntfs3/index.c:1755\nRead of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630\n\nCall Trace:\n <TASK>\n memmove+0x25/0x60 mm/kasan/shadow.c:54\n indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755\n indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863\n ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548\n ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n\nIf the member struct INDEX_BUFFER *index of struct indx_node is\nincorrect, that is, the value of __le32 used is greater than the value\nof __le32 total in struct INDEX_HDR. Therefore, OOB read occurs when\nmemmove is called in indx_insert_into_buffer().\nFix this by adding a check in hdr_find_e().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ssif: Fix a memory leak when scanning for an adapter\n\nThe adapter scan ssif_info_find() sets info->adapter_name if the adapter\ninfo came from SMBIOS, as it's not set in that case.  However, this\nfunction can be called more than once, and it will leak the adapter name\nif it had already been set.  So check for NULL before setting it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: realtek: fix out-of-bounds access\n\nThe probe function sets priv->chip_data to (void *)priv + sizeof(*priv)\nwith the expectation that priv has enough trailing space.\n\nHowever, only realtek-smi actually allocated this chip_data space.\nDo likewise in realtek-mdio to fix out-of-bounds accesses.\n\nThese accesses likely went unnoticed so far, because of an (unused)\nbuf[4096] member in struct realtek_priv, which caused kmalloc to\nround up the allocated buffer to a big enough size, so nothing of\nvalue was overwritten. With a different allocator (like in the barebox\nbootloader port of the driver) or with KASAN, the memory corruption\nbecomes quickly apparent.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer\n\nIn gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach gl861_i2c_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting free space root from the dirty cow roots list\n\nWhen deleting the free space tree we are deleting the free space root\nfrom the list fs_info->dirty_cowonly_roots without taking the lock that\nprotects it, which is struct btrfs_fs_info::trans_lock.\nThis unsynchronized list manipulation may cause chaos if there's another\nconcurrent manipulation of this list, such as when adding a root to it\nwith ctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n  [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n  [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.279928] Code: 85 38 06 00 (...)\n  [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n  [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n  [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n  [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n  [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n  [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n  [337571.281723] FS:  00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n  [337571.281950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n  [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [337571.282874] Call Trace:\n  [337571.283101]  <TASK>\n  [337571.283327]  ? __die_body+0x1b/0x60\n  [337571.283570]  ? die_addr+0x39/0x60\n  [337571.283796]  ? exc_general_protection+0x22e/0x430\n  [337571.284022]  ? asm_exc_general_protection+0x22/0x30\n  [337571.284251]  ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.284531]  btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n  [337571.284803]  ? _raw_spin_unlock+0x15/0x30\n  [337571.285031]  ? release_extent_buffer+0x103/0x130 [btrfs]\n  [337571.285305]  reset_balance_state+0x152/0x1b0 [btrfs]\n  [337571.285578]  btrfs_balance+0xa50/0x11e0 [btrfs]\n  [337571.285864]  ? __kmem_cache_alloc_node+0x14a/0x410\n  [337571.286086]  btrfs_ioctl+0x249a/0x3320 [btrfs]\n  [337571.286358]  ? mod_objcg_state+0xd2/0x360\n  [337571.286577]  ? refill_obj_stock+0xb0/0x160\n  [337571.286798]  ? seq_release+0x25/0x30\n  [337571.287016]  ? __rseq_handle_notify_resume+0x3ba/0x4b0\n  [337571.287235]  ? percpu_counter_add_batch+0x2e/0xa0\n  [337571.287455]  ? __x64_sys_ioctl+0x88/0xc0\n  [337571.287675]  __x64_sys_ioctl+0x88/0xc0\n  [337571.287901]  do_syscall_64+0x38/0x90\n  [337571.288126]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n  [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe free space root from that list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()\n\nBUG_ON() will be triggered when writing files concurrently,\nbecause the same page is writtenback multiple times.\n\n1597 void folio_end_writeback(struct folio *folio)\n1598 {\n\t\t......\n1618     if (!__folio_end_writeback(folio))\n1619         BUG();\n\t\t......\n1625 }\n\nkernel BUG at mm/filemap.c:1619!\nCall Trace:\n <TASK>\n f2fs_write_end_io+0x1a0/0x370\n blk_update_request+0x6c/0x410\n blk_mq_end_request+0x15/0x130\n blk_complete_reqs+0x3c/0x50\n __do_softirq+0xb8/0x29b\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x19/0x20\n smpboot_thread_fn+0x10b/0x1d0\n kthread+0xde/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>\n\nBelow is the concurrency scenario:\n\n[Process A]\t\t[Process B]\t\t[Process C]\nf2fs_write_raw_pages()\n  - redirty_page_for_writepage()\n  - unlock page()\n\t\t\tf2fs_do_write_data_page()\n\t\t\t  - lock_page()\n\t\t\t  - clear_page_dirty_for_io()\n\t\t\t  - set_page_writeback() [1st writeback]\n\t\t\t    .....\n\t\t\t    - unlock page()\n\n\t\t\t\t\t\tgeneric_perform_write()\n\t\t\t\t\t\t  - f2fs_write_begin()\n\t\t\t\t\t\t    - wait_for_stable_page()\n\n\t\t\t\t\t\t  - f2fs_write_end()\n\t\t\t\t\t\t    - set_page_dirty()\n\n  - lock_page()\n    - f2fs_do_write_data_page()\n      - set_page_writeback() [2st writeback]\n\nThis problem was introduced by the previous commit 7377e853967b (\"f2fs:\ncompress: fix potential deadlock of compress file\"). All pagelocks were\nreleased in f2fs_write_raw_pages(), but whether the page was\nin the writeback state was ignored in the subsequent writing process.\nLet's fix it by waiting for the page to writeback before writing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix BUG in ext4_mb_new_inode_pa() due to overflow\n\nWhen we calculate the end position of ext4_free_extent, this position may\nbe exactly where ext4_lblk_t (i.e. uint) overflows. For example, if\nac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the\ncomputed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not\nthe first case of adjusting the best extent, that is, new_bex_end > 0, the\nfollowing BUG_ON will be triggered:\n\n=========================================================\nkernel BUG at fs/ext4/mballoc.c:5116!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279\nRIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430\nCall Trace:\n <TASK>\n ext4_mb_use_best_found+0x203/0x2f0\n ext4_mb_try_best_found+0x163/0x240\n ext4_mb_regular_allocator+0x158/0x1550\n ext4_mb_new_blocks+0x86a/0xe10\n ext4_ext_map_blocks+0xb0c/0x13a0\n ext4_map_blocks+0x2cd/0x8f0\n ext4_iomap_begin+0x27b/0x400\n iomap_iter+0x222/0x3d0\n __iomap_dio_rw+0x243/0xcb0\n iomap_dio_rw+0x16/0x80\n=========================================================\n\nA simple reproducer demonstrating the problem:\n\n\tmkfs.ext4 -F /dev/sda -b 4096 100M\n\tmount /dev/sda /tmp/test\n\tfallocate -l1M /tmp/test/tmp\n\tfallocate -l10M /tmp/test/file\n\tfallocate -i -o 1M -l16777203M /tmp/test/file\n\tfsstress -d /tmp/test -l 0 -n 100000 -p 8 &\n\tsleep 10 && killall -9 fsstress\n\trm -f /tmp/test/tmp\n\txfs_io -c \"open -ad /tmp/test/file\" -c \"pwrite -S 0xff 0 8192\"\n\nWe simply refactor the logic for adjusting the best extent by adding\na temporary ext4_free_extent ex and use extent_logical_end() to avoid\noverflow, which also simplifies the code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: clean up in all error paths when enabling SR-IOV\n\nAfter commit 50f303496d92 (\"igb: Enable SR-IOV after reinit\"), removing\nthe igb module could hang or crash (depending on the machine) when the\nmodule has been loaded with the max_vfs parameter set to some value != 0.\n\nIn case of one test machine with a dual port 82580, this hang occurred:\n\n[  232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1\n[  233.093257] igb 0000:41:00.1: IOV Disabled\n[  233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0\n[  233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata)\n[  233.352248] igb 0000:41:00.0:   device [8086:1516] error status/mask=00100000\n[  233.361088] igb 0000:41:00.0:    [20] UnsupReq               (First)\n[  233.368183] igb 0000:41:00.0: AER:   TLP Header: 40000001 0000040f cdbfc00c c\n[  233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata)\n[  233.388779] igb 0000:41:00.1:   device [8086:1516] error status/mask=00100000\n[  233.397629] igb 0000:41:00.1:    [20] UnsupReq               (First)\n[  233.404736] igb 0000:41:00.1: AER:   TLP Header: 40000001 0000040f cdbfc00c c\n[  233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback)\n[  233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0\n[  233.546197] pcieport 0000:40:01.0: AER: device recovery failed\n[  234.157244] igb 0000:41:00.0: IOV Disabled\n[  371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds.\n[  371.627489]       Not tainted 6.4.0-dirty #2\n[  371.632257] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this.\n[  371.641000] task:irq/35-aerdrv   state:D stack:0     pid:257   ppid:2      f0\n[  371.650330] Call Trace:\n[  371.653061]  <TASK>\n[  371.655407]  __schedule+0x20e/0x660\n[  371.659313]  schedule+0x5a/0xd0\n[  371.662824]  schedule_preempt_disabled+0x11/0x20\n[  371.667983]  __mutex_lock.constprop.0+0x372/0x6c0\n[  371.673237]  ? __pfx_aer_root_reset+0x10/0x10\n[  371.678105]  report_error_detected+0x25/0x1c0\n[  371.682974]  ? __pfx_report_normal_detected+0x10/0x10\n[  371.688618]  pci_walk_bus+0x72/0x90\n[  371.692519]  pcie_do_recovery+0xb2/0x330\n[  371.696899]  aer_process_err_devices+0x117/0x170\n[  371.702055]  aer_isr+0x1c0/0x1e0\n[  371.705661]  ? __set_cpus_allowed_ptr+0x54/0xa0\n[  371.710723]  ? __pfx_irq_thread_fn+0x10/0x10\n[  371.715496]  irq_thread_fn+0x20/0x60\n[  371.719491]  irq_thread+0xe6/0x1b0\n[  371.723291]  ? __pfx_irq_thread_dtor+0x10/0x10\n[  371.728255]  ? __pfx_irq_thread+0x10/0x10\n[  371.732731]  kthread+0xe2/0x110\n[  371.736243]  ? __pfx_kthread+0x10/0x10\n[  371.740430]  ret_from_fork+0x2c/0x50\n[  371.744428]  </TASK>\n\nThe reproducer was a simple script:\n\n  #!/bin/sh\n  for i in `seq 1 5`; do\n    modprobe -rv igb\n    modprobe -v igb max_vfs=1\n    sleep 1\n    modprobe -rv igb\n  done\n\nIt turned out that this could only be reproduce on 82580 (quad and\ndual-port), but not on 82576, i350 and i210.  Further debugging showed\nthat igb_enable_sriov()'s call to pci_enable_sriov() is failing, because\ndev->is_physfn is 0 on 82580.\n\nPrior to commit 50f303496d92 (\"igb: Enable SR-IOV after reinit\"),\nigb_enable_sriov() jumped into the \"err_out\" cleanup branch.  After this\ncommit it only returned the error code.\n\nSo the cleanup didn't take place, and the incorrect VF setup in the\nigb_adapter structure fooled the igb driver into assuming that VFs have\nbeen set up where no VF actually existed.\n\nFix this problem by cleaning up again if pci_enable_sriov() fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: use work to update rate to avoid RCU warning\n\nThe ieee80211_ops::sta_rc_update must be atomic, because\nieee80211_chan_bw_change() holds rcu_read lock while calling\ndrv_sta_rc_update(), so create a work to do original things.\n\n Voluntary context switch within RCU read-side critical section!\n WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318\n rcu_note_context_switch+0x571/0x5d0\n CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G        W  OE\n Workqueue: phy3 ieee80211_chswitch_work [mac80211]\n RIP: 0010:rcu_note_context_switch+0x571/0x5d0\n Call Trace:\n  <TASK>\n  __schedule+0xb0/0x1460\n  ? __mod_timer+0x116/0x360\n  schedule+0x5a/0xc0\n  schedule_timeout+0x87/0x150\n  ? trace_raw_output_tick_stop+0x60/0x60\n  wait_for_completion_timeout+0x7b/0x140\n  usb_start_wait_urb+0x82/0x160 [usbcore\n  usb_control_msg+0xe3/0x140 [usbcore\n  rtw_usb_read+0x88/0xe0 [rtw_usb\n  rtw_usb_read8+0xf/0x10 [rtw_usb\n  rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core\n  rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core\n  drv_sta_rc_update+0x7c/0x160 [mac80211\n  ieee80211_chan_bw_change+0xfb/0x110 [mac80211\n  ieee80211_change_chanctx+0x38/0x130 [mac80211\n  ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211\n  ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211\n  ieee80211_chswitch_work+0x95/0x170 [mac80211\n  process_one_work+0x201/0x410\n  worker_thread+0x4a/0x3b0\n  ? process_one_work+0x410/0x410\n  kthread+0xe1/0x110\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential data race at PCM memory allocation helpers\n\nThe PCM memory allocation helpers have a sanity check against too many\nbuffer allocations.  However, the check is performed without a proper\nlock and the allocation isn't serialized; this allows user to allocate\nmore memories than predefined max size.\n\nPractically seen, this isn't really a big problem, as it's more or\nless some \"soft limit\" as a sanity check, and it's not possible to\nallocate unlimitedly.  But it's still better to address this for more\nconsistent behavior.\n\nThe patch covers the size check in do_alloc_pages() with the\ncard->memory_mutex, and increases the allocated size there for\npreventing the further overflow.  When the actual allocation fails,\nthe size is decreased accordingly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site\n\nThe following crash was reported:\n\n[ 1950.279393] list_del corruption, ffff99560d485790->next is NULL\n[ 1950.279400] ------------[ cut here ]------------\n[ 1950.279401] kernel BUG at lib/list_debug.c:49!\n[ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1\n[ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P,\nBIOS F15c 05/11/2022\n[ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0\n[ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc\ncc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc\nff 0f 0b 48 89 fe\n[ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246\n[ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000\n[ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff\n[ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8\n[ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000\n[ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000\n[ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000\n[ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0\n[ 1950.279426] PKRU: 55555554\n[ 1950.279426] Call Trace:\n[ 1950.279428] <TASK>\n[ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core]\n[ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm]\n\nAdd the forgotten !tpm_amd_is_rng_defective() invariant to the\nhwrng_unregister() call site inside tpm_chip_unregister().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Use correct encap attribute during invalidation\n\nWith introduction of post action infrastructure most of the users of encap\nattribute had been modified in order to obtain the correct attribute by\ncalling mlx5e_tc_get_encap_attr() helper instead of assuming encap action\nis always on default attribute. However, the cited commit didn't modify\nmlx5e_invalidate_encap() which prevents it from destroying correct modify\nheader action which leads to a warning [0]. Fix the issue by using correct\nattribute.\n\n[0]:\n\nFeb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:47:35 c-237-177-40-045 kernel:  <TASK>\nFeb 21 09:47:35 c-237-177-40-045 kernel:  mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? lock_downgrade+0x6d0/0x6d0\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? lockdep_hardirqs_on_prepare+0x273/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? lockdep_hardirqs_on_prepare+0x273/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel:  process_one_work+0x7c2/0x1310\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? pwq_dec_nr_in_flight+0x230/0x230\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? rwlock_bug.part.0+0x90/0x90\nFeb 21 09:47:35 c-237-177-40-045 kernel:  worker_thread+0x59d/0xec0\nFeb 21 09:47:35 c-237-177-40-045 kernel:  ? __kthread_parkme+0xd9/0x1d0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: common: Fix refcount leak in parse_dai_link_info\n\nAdd missing of_node_put()s before the returns to balance\nof_node_get()s and of_node_put()s, which may get unbalanced\nin case the for loop 'for_each_available_child_of_node' returns\nearly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix missed ses refcounting\n\nUse new cifs_smb_ses_inc_refcount() helper to get an active reference\nof @ses and @ses->dfs_root_ses (if set).  This will prevent\n@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses()\nand thus potentially causing an use-after-free bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix memory leak if ntfs_read_mft failed\n\nLabel ATTR_ROOT in ntfs_read_mft() sets is_root = true and\nni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC\nand alloc ni->dir.alloc_run. However two states are not always\nconsistent and can make memory leak.\n\n 1) attr_name in ATTR_ROOT does not fit the condition it will set\n is_root = true but NI_FLAG_DIR is not set.\n 2) next attr_name in ATTR_ALLOC fits the condition and alloc\n ni->dir.alloc_run\n 3) in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees\n ni->dir.alloc_run, otherwise it frees ni->file.run\n 4) because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is\n leaked as kmemleak reported:\n\nunreferenced object 0xffff888003bc5480 (size 64):\n  backtrace:\n    [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0\n    [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0\n    [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3]\n    [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3]\n    [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3]\n    [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3]\n    [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3]\n    [<00000000b9170608>] get_tree_bdev+0x3fb/0x710\n    [<000000004833798a>] vfs_get_tree+0x8e/0x280\n    [<000000006e20b8e6>] path_mount+0xf3c/0x1930\n    [<000000007bf15a5f>] do_mount+0xf3/0x110\n    ...\n\nFix this by always setting is_root and NI_FLAG_DIR together.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: max9286: Free control handler\n\nThe control handler is leaked in some probe-time error paths, as well as\nin the remove path. Fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx: Fix poll_interval handling and races on remove\n\nBefore this patch bq27xxx_battery_teardown() was setting poll_interval = 0\nto avoid bq27xxx_battery_update() requeuing the delayed_work item.\n\nThere are 2 problems with this:\n\n1. If the driver is unbound through sysfs, rather then the module being\n   rmmod-ed, this changes poll_interval unexpectedly\n\n2. This is racy, after it being set poll_interval could be changed\n   before bq27xxx_battery_update() checks it through\n   /sys/module/bq27xxx_battery/parameters/poll_interval\n\nFix this by added a removed attribute to struct bq27xxx_device_info and\nusing that instead of setting poll_interval to 0.\n\nThere also is another poll_interval related race on remove(), writing\n/sys/module/bq27xxx_battery/parameters/poll_interval will requeue\nthe delayed_work item for all devices on the bq27xxx_battery_devices\nlist and the device being removed was only removed from that list\nafter cancelling the delayed_work item.\n\nFix this by moving the removal from the bq27xxx_battery_devices list\nto before cancelling the delayed_work item.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: skip splitting and logical rewriting on pre-alloc write\n\nWhen doing a relocation, there is a chance that at the time of\nbtrfs_reloc_clone_csums(), there is no checksum for the corresponding\nregion.\n\nIn this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item\nand so ordered_extent's logical is set to some invalid value. Then,\nbtrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a\nblock group and will hit an assert or a null pointer dereference as\nfollowing.\n\nThis can be reprodcued by running btrfs/028 several times (e.g, 4 to 16\ntimes) with a null_blk setup. The device's zone size and capacity is set to\n32 MB and the storage size is set to 5 GB on my setup.\n\n    KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n    CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G        W          6.5.0-rc6-kts+ #1\n    Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015\n    Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n    RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n    Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00\n    > 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00\n    RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206\n    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n    RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088\n    RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827\n    R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000\n    R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000\n    FS:  0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0\n    Call Trace:\n     <TASK>\n     ? die_addr+0x3c/0xa0\n     ? exc_general_protection+0x148/0x220\n     ? asm_exc_general_protection+0x22/0x30\n     ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n     ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs]\n     btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs]\n     ? rcu_is_watching+0x11/0xb0\n     ? lock_release+0x47a/0x620\n     ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs]\n     ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]\n     ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs]\n     ? __smp_call_single_queue+0x124/0x350\n     ? rcu_is_watching+0x11/0xb0\n     btrfs_work_helper+0x19f/0xc60 [btrfs]\n     ? __pfx_try_to_wake_up+0x10/0x10\n     ? _raw_spin_unlock_irq+0x24/0x50\n     ? rcu_is_watching+0x11/0xb0\n     process_one_work+0x8c1/0x1430\n     ? __pfx_lock_acquire+0x10/0x10\n     ? __pfx_process_one_work+0x10/0x10\n     ? __pfx_do_raw_spin_lock+0x10/0x10\n     ? _raw_spin_lock_irq+0x52/0x60\n     worker_thread+0x100/0x12c0\n     ? __kthread_parkme+0xc1/0x1f0\n     ? __pfx_worker_thread+0x10/0x10\n     kthread+0x2ea/0x3c0\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork+0x30/0x70\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork_asm+0x1b/0x30\n     </TASK>\n\nOn the zoned mode, writing to pre-allocated region means data relocation\nwrite. Such write always uses WRITE command so there is no need of splitting\nand rewriting logical address. Thus, we can just skip the function for the\ncase.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: speed up grant-table reclaim\n\nWhen a grant entry is still in use by the remote domain, Linux must put\nit on a deferred list.  Normally, this list is very short, because\nthe PV network and block protocols expect the backend to unmap the grant\nfirst.  However, Qubes OS's GUI protocol is subject to the constraints\nof the X Window System, and as such winds up with the frontend unmapping\nthe window first.  As a result, the list can grow very large, resulting\nin a massive memory leak and eventual VM freeze.\n\nTo partially solve this problem, make the number of entries that the VM\nwill attempt to free at each iteration tunable.  The default is still\n10, but it can be overridden via a module parameter.\n\nThis is Cc: stable because (when combined with appropriate userspace\nchanges) it fixes a severe performance and stability problem for Qubes\nOS users.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Clear the driver reference in usb-phy dev\n\nFor the dual-role port, it will assign the phy dev to usb-phy dev and\nuse the port dev driver as the dev driver of usb-phy.\n\nWhen we try to destroy the port dev, it will destroy its dev driver\nas well. But we did not remove the reference from usb-phy dev. This\nmight cause the use-after-free issue in KASAN.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-digi00x: prevent potential use after free\n\nThis code was supposed to return an error code if init_stream()\nfailed, but it instead freed dg00x->rx_stream and returned success.\nThis potentially leads to a use after free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer dereference on fastopen early fallback\n\nIn case of early fallback to TCP, subflow_syn_recv_sock() deletes\nthe subflow context before returning the newly allocated sock to\nthe caller.\n\nThe fastopen path does not cope with the above unconditionally\ndereferencing the subflow context.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add preempt_count_{sub,add} into btf id deny list\n\nThe recursion check in __bpf_prog_enter* and __bpf_prog_exit*\nleave preempt_count_{sub,add} unprotected. When attaching trampoline to\nthem we get panic as follows,\n\n[  867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28)\n[  867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI\n[  867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4\n[  867.843100] Call Trace:\n[  867.843101]  <TASK>\n[  867.843104]  asm_exc_int3+0x3a/0x40\n[  867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0\n[  867.843135]  __bpf_prog_enter_recur+0x17/0x90\n[  867.843148]  bpf_trampoline_6442468108_0+0x2e/0x1000\n[  867.843154]  ? preempt_count_sub+0x1/0xa0\n[  867.843157]  preempt_count_sub+0x5/0xa0\n[  867.843159]  ? migrate_enable+0xac/0xf0\n[  867.843164]  __bpf_prog_exit_recur+0x2d/0x40\n[  867.843168]  bpf_trampoline_6442468108_0+0x55/0x1000\n...\n[  867.843788]  preempt_count_sub+0x5/0xa0\n[  867.843793]  ? migrate_enable+0xac/0xf0\n[  867.843829]  __bpf_prog_exit_recur+0x2d/0x40\n[  867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35)\n[  867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c)\n[  867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec)\n[  867.843842]  bpf_trampoline_6442468108_0+0x55/0x1000\n...\n\nThat is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are\ncalled after prog->active is decreased.\n\nFixing this by adding these two functions into btf ids deny list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix possible null-ptr-deref in ubi_free_volume()\n\nIt willl cause null-ptr-deref in the following case:\n\nuif_init()\n  ubi_add_volume()\n    cdev_add() -> if it fails, call kill_volumes()\n    device_register()\n\nkill_volumes() -> if ubi_add_volume() fails call this function\n  ubi_free_volume()\n    cdev_del()\n    device_unregister() -> trying to delete a not added device,\n\t\t\t   it causes null-ptr-deref\n\nSo in ubi_free_volume(), it delete devices whether they are added\nor not, it will causes null-ptr-deref.\n\nHandle the error case whlie calling ubi_add_volume() to fix this\nproblem. If add volume fails, set the corresponding vol to null,\nso it can not be accessed in kill_volumes() and release the\nresource in ubi_add_volume() error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: hold queue_lock when removing blkg->q_node\n\nWhen blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock\nhas to be held, otherwise, all kinds of bugs(list corruption, hard lockup,\n..) can be triggered from blkg_destroy_all().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pmem: add the missing REQ_OP_WRITE for flush bio\n\nWhen doing mkfs.xfs on a pmem device, the following warning was\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct\n Modules linked in:\n CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:submit_bio_noacct+0x340/0x520\n ......\n Call Trace:\n  <TASK>\n  ? submit_bio_noacct+0xd5/0x520\n  submit_bio+0x37/0x60\n  async_pmem_flush+0x79/0xa0\n  nvdimm_flush+0x17/0x40\n  pmem_submit_bio+0x370/0x390\n  __submit_bio+0xbc/0x190\n  submit_bio_noacct_nocheck+0x14d/0x370\n  submit_bio_noacct+0x1ef/0x520\n  submit_bio+0x55/0x60\n  submit_bio_wait+0x5a/0xc0\n  blkdev_issue_flush+0x44/0x60\n\nThe root cause is that submit_bio_noacct() needs bio_op() is either\nWRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign\nREQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail\nthe flush bio.\n\nSimply fix it by adding the missing REQ_OP_WRITE for flush bio. And we\ncould fix the flush order issue and do flush optimization later.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix panic during XDP_TX with > 64 CPUs\n\nCommit 4fe815850bdc (\"ixgbe: let the xdpdrv work with more than 64 cpus\")\nadds support to allow XDP programs to run on systems with more than\n64 CPUs by locking the XDP TX rings and indexing them using cpu % 64\n(IXGBE_MAX_XDP_QS).\n\nUpon trying this out patch on a system with more than 64 cores,\nthe kernel paniced with an array-index-out-of-bounds at the return in\nixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx\nwas just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS.  An example\nsplat:\n\n ==========================================================================\n UBSAN: array-index-out-of-bounds in\n /var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26\n index 65 is out of range for type 'ixgbe_ring *[64]'\n ==========================================================================\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 65 PID: 408 Comm: ksoftirqd/65\n Tainted: G          IOE     5.15.0-48-generic #54~20.04.1-Ubuntu\n Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020\n RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe]\n Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9\n 00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <44> 0f b7\n 47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0\n RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282\n RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000\n RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000\n RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001\n R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000\n R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c\n FS:  0000000000000000(0000) GS:ffff92b9dfc00000(0000)\n knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ixgbe_poll+0x103e/0x1280 [ixgbe]\n  ? sched_clock_cpu+0x12/0xe0\n  __napi_poll+0x30/0x160\n  net_rx_action+0x11c/0x270\n  __do_softirq+0xda/0x2ee\n  run_ksoftirqd+0x2f/0x50\n  smpboot_thread_fn+0xb7/0x150\n  ? sort_range+0x30/0x30\n  kthread+0x127/0x150\n  ? set_kthread_struct+0x50/0x50\n  ret_from_fork+0x1f/0x30\n  </TASK>\n\nI think this is how it happens:\n\nUpon loading the first XDP program on a system with more than 64 CPUs,\nixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup.  However,\nimmediately after this, the rings are reconfigured by ixgbe_setup_tc.\nixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls\nixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop.\nixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if\nit is non-zero.  Commenting out the decrement in ixgbe_free_q_vector\nstopped my system from panicing.\n\nI suspect to make the original patch work, I would need to load an XDP\nprogram and then replace it in order to get ixgbe_xdp_locking_key back\nabove 0 since ixgbe_setup_tc is only called when transitioning between\nXDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is\nincremented every time ixgbe_xdp_setup is called.\n\nAlso, ixgbe_setup_tc can be called via ethtool --set-channels, so this\nbecomes another path to decrement ixgbe_xdp_locking_key to 0 on systems\nwith more than 64 CPUs.\n\nSince ixgbe_xdp_locking_key only protects the XDP_TX path and is tied\nto the number of CPUs present, there is no reason to disable it upon\nunloading an XDP program.  To avoid confusion, I have moved enabling\nixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix memory leak in drm_client_target_cloned\n\ndmt_mode is allocated and never freed in this function.\nIt was found with the ast driver, but most drivers using generic fbdev\nsetup are probably affected.\n\nThis fixes the following kmemleak report:\n  backtrace:\n    [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm]\n    [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm]\n    [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm]\n    [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]\n    [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]\n    [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm]\n    [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast]\n    [<00000000987f19bb>] local_pci_probe+0xdc/0x180\n    [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0\n    [<0000000000b85301>] process_one_work+0x8b7/0x1540\n    [<000000003375b17c>] worker_thread+0x70a/0xed0\n    [<00000000b0d43cd9>] kthread+0x29f/0x340\n    [<000000008d770833>] ret_from_fork+0x1f/0x30\nunreferenced object 0xff11000333089a00 (size 128):",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: pv: fix index value of replaced ASCE\n\nThe index field of the struct page corresponding to a guest ASCE should\nbe 0. When replacing the ASCE in s390_replace_asce(), the index of the\nnew ASCE should also be set to 0.\n\nHaving the wrong index might lead to the wrong addresses being passed\naround when notifying pte invalidations, and eventually to validity\nintercepts (VM crash) if the prefix gets unmapped and the notifier gets\ncalled with the wrong address.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: anysee: fix null-ptr-deref in anysee_master_xfer\n\nIn anysee_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach anysee_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")\n\n[hverkuil: add spaces around +]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent skb corruption on frag list segmentation\n\nIan reported several skb corruptions triggered by rx-gro-list,\ncollecting different oops alike:\n\n[   62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[   62.631083] #PF: supervisor read access in kernel mode\n[   62.636312] #PF: error_code(0x0000) - not-present page\n[   62.641541] PGD 0 P4D 0\n[   62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364\n[   62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022\n[   62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858\n./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261\nnet/ipv4/udp_offload.c:277)\n[   62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246\n[   62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000\n[   62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4\n[   62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9\n[   62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2\n[   62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9\n[   62.728654] FS:  0000000000000000(0000) GS:ffffa127efa40000(0000)\nknlGS:0000000000000000\n[   62.736852] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0\n[   62.749948] Call Trace:\n[   62.752498]  <TASK>\n[   62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)\n[   62.787605] skb_mac_gso_segment (net/core/gro.c:141)\n[   62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))\n[   62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862\nnet/core/dev.c:3659)\n[   62.804695] validate_xmit_skb_list (net/core/dev.c:3710)\n[   62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)\n[   62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)\nnet/netfilter/core.c:626)\n[   62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)\n[   62.825652] maybe_deliver (net/bridge/br_forward.c:193)\n[   62.829420] br_flood (net/bridge/br_forward.c:233)\n[   62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)\n[   62.837403] br_handle_frame (net/bridge/br_input.c:298\nnet/bridge/br_input.c:416)\n[   62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)\n[   62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)\n[   62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638\nnet/core/dev.c:5727)\n[   62.876795] napi_complete_done (./include/linux/list.h:37\n./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)\n[   62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)\n[   62.893534] __napi_poll (net/core/dev.c:6498)\n[   62.897133] napi_threaded_poll (./include/linux/netpoll.h:89\nnet/core/dev.c:6640)\n[   62.905276] kthread (kernel/kthread.c:379)\n[   62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)\n[   62.917119]  </TASK>\n\nIn the critical scenario, rx-gro-list GRO-ed packets are fed, via a\nbridge, both to the local input path and to an egress device (tun).\n\nThe segmentation of such packets unsafely writes to the cloned skbs\nwith shared heads.\n\nThis change addresses the issue by uncloning as needed the\nto-be-segmented skbs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Fix notifiers being shared by PCI and VIO buses\n\nfail_iommu_setup() registers the fail_iommu_bus_notifier struct to both\nPCI and VIO buses.  struct notifier_block is a linked list node, so this\ncauses any notifiers later registered to either bus type to also be\nregistered to the other since they share the same node.\n\nThis causes issues in (at least) the vgaarb code, which registers a\nnotifier for PCI buses.  pci_notify() ends up being called on a vio\ndevice, converted with to_pci_dev() even though it's not a PCI device,\nand finally makes a bad access in vga_arbiter_add_pci_device() as\ndiscovered with KASAN:\n\n BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00\n Read of size 4 at addr c000000264c26fdc by task swapper/0/1\n\n Call Trace:\n   dump_stack_lvl+0x1bc/0x2b8 (unreliable)\n   print_report+0x3f4/0xc60\n   kasan_report+0x244/0x698\n   __asan_load4+0xe8/0x250\n   vga_arbiter_add_pci_device+0x60/0xe00\n   pci_notify+0x88/0x444\n   notifier_call_chain+0x104/0x320\n   blocking_notifier_call_chain+0xa0/0x140\n   device_add+0xac8/0x1d30\n   device_register+0x58/0x80\n   vio_register_device_node+0x9ac/0xce0\n   vio_bus_scan_register_devices+0xc4/0x13c\n   __machine_initcall_pseries_vio_device_init+0x94/0xf0\n   do_one_initcall+0x12c/0xaa8\n   kernel_init_freeable+0xa48/0xba8\n   kernel_init+0x64/0x400\n   ret_from_kernel_thread+0x5c/0x64\n\nFix this by creating separate notifier_block structs for each bus type.\n\n[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: fix enumeration completion\n\nThe soundwire subsystem uses two completion structures that allow\ndrivers to wait for soundwire device to become enumerated on the bus and\ninitialised by their drivers, respectively.\n\nThe code implementing the signalling is currently broken as it does not\nsignal all current and future waiters and also uses the wrong\nreinitialisation function, which can potentially lead to memory\ncorruption if there are still waiters on the queue.\n\nNot signalling future waiters specifically breaks sound card probe\ndeferrals as codec drivers can not tell that the soundwire device is\nalready attached when being reprobed. Some codec runtime PM\nimplementations suffer from similar problems as waiting for enumeration\nduring resume can also timeout despite the device already having been\nenumerated.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: stm32-pwr: fix of_iomap leak\n\nSmatch reports:\ndrivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn:\n'base' from of_iomap() not released on lines: 151,166.\n\nIn stm32_pwr_regulator_probe(), base is not released\nwhen devm_kzalloc() fails to allocate memory or\ndevm_regulator_register() fails to register a new regulator device,\nwhich may cause a leak.\n\nTo fix this issue, replace of_iomap() with\ndevm_platform_ioremap_resource(). devm_platform_ioremap_resource()\nis a specialized function for platform devices.\nIt allows 'base' to be automatically released whether the probe\nfunction succeeds or fails.\n\nBesides, use IS_ERR(base) instead of !base\nas the return value of devm_platform_ioremap_resource()\ncan either be a pointer to the remapped memory or\nan ERR_PTR() encoded error code if the operation fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix gvt debugfs destroy\n\nWhen gvt debug fs is destroyed, need to have a sane check if drm\nminor's debugfs root is still available or not, otherwise in case like\ndevice remove through unbinding, drm minor's debugfs directory has\nalready been removed, then intel_gvt_debugfs_clean() would act upon\ndangling pointer like below oops.\n\ni915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2\ni915 0000:00:02.0: MDEV: Registered\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G          I        6.1.0-rc8+ #15\nHardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020\nRIP: 0010:down_write+0x1f/0x90\nCode: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01\nRSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000\nRDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8\nRBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0\nR10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0\nFS:  00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0\nCall Trace:\n <TASK>\n simple_recursive_removal+0x9f/0x2a0\n ? start_creating.part.0+0x120/0x120\n ? _raw_spin_lock+0x13/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]\n intel_gvt_clean_device+0x49/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2f/0xb0\n i915_driver_remove+0xa4/0xf0\n i915_pci_remove+0x1a/0x30\n pci_device_remove+0x33/0xa0\n device_release_driver_internal+0x1b2/0x230\n unbind_store+0xe0/0x110\n kernfs_fop_write_iter+0x11b/0x1f0\n vfs_write+0x203/0x3d0\n ksys_write+0x63/0xe0\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f6947cb5190\nCode: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\nRSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190\nRDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001\nRBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001\nR13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0\n </TASK>\nModules linked in: kvmgt\nCR2: 00000000000000a0\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Protect reconfiguration of sb read-write from racing writes\n\nThe reconfigure / remount code takes a lot of effort to protect\nfilesystem's reconfiguration code from racing writes on remounting\nread-only. However during remounting read-only filesystem to read-write\nmode userspace writes can start immediately once we clear SB_RDONLY\nflag. This is inconvenient for example for ext4 because we need to do\nsome writes to the filesystem (such as preparation of quota files)\nbefore we can take userspace writes so we are clearing SB_RDONLY flag\nbefore we are fully ready to accept userpace writes and syzbot has found\na way to exploit this [1]. Also as far as I'm reading the code\nthe filesystem remount code was protected from racing writes in the\nlegacy mount path by the mount's MNT_READONLY flag so this is relatively\nnew problem. It is actually fairly easy to protect remount read-write\nfrom racing writes using sb->s_readonly_remount flag so let's just do\nthat instead of having to workaround these races in the filesystem code.\n\n[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix use after free bug in qedi_remove()\n\nIn qedi_probe() we call __qedi_probe() which initializes\n&qedi->recovery_work with qedi_recovery_handler() and\n&qedi->board_disable_work with qedi_board_disable_work().\n\nWhen qedi_schedule_recovery_handler() is called, schedule_delayed_work()\nwill finally start the work.\n\nIn qedi_remove(), which is called to remove the driver, the following\nsequence may be observed:\n\nFix this by finishing the work before cleanup in qedi_remove().\n\nCPU0                  CPU1\n\n                     |qedi_recovery_handler\nqedi_remove          |\n  __qedi_remove      |\niscsi_host_free      |\nscsi_host_put        |\n//free shost         |\n                     |iscsi_host_for_each_session\n                     |//use qedi->shost\n\nCancel recovery_work and board_disable_work in __qedi_remove().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: soc: xilinx: use _safe loop iterator to avoid a use after free\n\nThe hash_for_each_possible() loop dereferences \"eve_data\" to get the\nnext item on the list.  However the loop frees eve_data so it leads to\na use after free.  Use hash_for_each_possible_safe() instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow\n\nA static code analysis tool flagged the possibility of buffer overflow when\nusing copy_from_user() for a debugfs entry.\n\nCurrently, it is possible that copy_from_user() copies more bytes than what\nwould fit in the mybuf char array.  Add a min() restriction check between\nsizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect\nagainst buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()\n\n'op-cs' is copied in 'fun->mchip_number' which is used to access the\n'mchip_offsets' and the 'rnb_gpio' arrays.\nThese arrays have NAND_MAX_CHIPS elements, so the index must be below this\nlimit.\n\nFix the sanity check in order to avoid the NAND_MAX_CHIPS value. This\nwould lead to out-of-bound accesses.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: check CAN address family in isotp_bind()\n\nAdd missing check to block non-AF_CAN binds.\n\nSyzbot created some code which matched the right sockaddr struct size\nbut used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family\nfield:\n\nbind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10)\n                                ^^^^\nThis has no funtional impact but the userspace should be notified about\nthe wrong address family field content.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fix potential memory leak in mlx5e_init_rep_rx\n\nThe memory pointed to by the priv->rx_res pointer is not freed in the error\npath of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing\nthe memory in the error path, thereby making the error path identical to\nmlx5e_cleanup_rep_rx().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: dropping parent refcount after pd_free_fn() is done\n\nSome cgroup policies will access parent pd through child pd even\nafter pd_offline_fn() is done. If pd_free_fn() for parent is called\nbefore child, then UAF can be triggered. Hence it's better to guarantee\nthe order of pd_free_fn().\n\nCurrently refcount of parent blkg is dropped in __blkg_release(), which\nis before pd_free_fn() is called in blkg_free_work_fn() while\nblkg_free_work_fn() is called asynchronously.\n\nThis patch make sure pd_free_fn() called from removing cgroup is ordered\nby delaying dropping parent refcount after calling pd_free_fn() for\nchild.\n\nBTW, pd_free_fn() will also be called from blkcg_deactivate_policy()\nfrom deleting device, and following patches will guarantee the order.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests\n\nThe following message and call trace was seen with debug kernels:\n\nDMA-API: qla2xxx 0000:41:00.0: device driver failed to check map\nerror [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as\nsingle]\nWARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017\n\t check_unmap+0xf42/0x1990\n\nCall Trace:\n\tdebug_dma_unmap_page+0xc9/0x100\n\tqla_nvme_ls_unmap+0x141/0x210 [qla2xxx]\n\nRemove DMA mapping from the driver altogether, as it is already done by FC\nlayer. This prevents the warning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rcar_fdp1: Fix refcount leak in probe and remove function\n\nrcar_fcp_get() take reference, which should be balanced with\nrcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and\nthe error paths of fdp1_probe() to fix this.\n\n[hverkuil: resolve merge conflict, remove() is now void]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: rndis_host: Secure rndis_query check against int overflow\n\nVariables off and len typed as uint32 in rndis_query function\nare controlled by incoming RNDIS response message thus their\nvalue may be manipulated. Setting off to a unexpectetly large\nvalue will cause the sum with len and 8 to overflow and pass\nthe implemented validation step. Consequently the response\npointer will be referring to a location past the expected\nbuffer boundaries allowing information leakage e.g. via\nRNDIS_OID_802_3_PERMANENT_ADDRESS OID.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups\n\nof_find_node_by_phandle() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Fix memory leak in error path of kcm_sendmsg()\n\nsyzbot reported a memory leak like below:\n\nBUG: memory leak\nunreferenced object 0xffff88810b088c00 (size 240):\n  comm \"syz-executor186\", pid 5012, jiffies 4294943306 (age 13.680s)\n  hex dump (first 32 bytes):\n    00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634\n    [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]\n    [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815\n    [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]\n    [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748\n    [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494\n    [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548\n    [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577\n    [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIn kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append\nnewly allocated skbs to 'head'. If some bytes are copied, an error occurred,\nand jumped to out_error label, 'last_skb' is left unmodified. A later\nkcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the\n'head' frag_list and causing the leak.\n\nThis patch fixes this issue by properly updating the last allocated skb in\n'last_skb'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: dump vmalloc memory info safely\n\nCurrently, for double invoke call_rcu(), will dump rcu_head objects memory\ninfo, if the objects is not allocated from the slab allocator, the\nvmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to\nbe held, since the call_rcu() can be invoked in interrupt context,\ntherefore, there is a possibility of spinlock deadlock scenarios.\n\nAnd in Preempt-RT kernel, the rcutorture test also trigger the following\nlockdep warning:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 1, expected: 0\nRCU nest depth: 1, expected: 1\n3 locks held by swapper/0/1:\n #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0\n #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370\n #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70\nirq event stamp: 565512\nhardirqs last  enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940\nhardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370\nsoftirqs last  enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170\nsoftirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0\nPreemption disabled at:\n[<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370\nCPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.5.0-rc4-rt2-yocto-preempt-rt+ #15\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x68/0xb0\n dump_stack+0x14/0x20\n __might_resched+0x1aa/0x280\n ? __pfx_rcu_torture_err_cb+0x10/0x10\n rt_spin_lock+0x53/0x130\n ? find_vmap_area+0x1f/0x70\n find_vmap_area+0x1f/0x70\n vmalloc_dump_obj+0x20/0x60\n mem_dump_obj+0x22/0x90\n __call_rcu_common+0x5bf/0x940\n ? debug_smp_processor_id+0x1b/0x30\n call_rcu_hurry+0x14/0x20\n rcu_torture_init+0x1f82/0x2370\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_init+0x10/0x10\n do_one_initcall+0x6c/0x300\n ? debug_smp_processor_id+0x1b/0x30\n kernel_init_freeable+0x2b9/0x540\n ? __pfx_kernel_init+0x10/0x10\n kernel_init+0x1f/0x150\n ret_from_fork+0x40/0x50\n ? __pfx_kernel_init+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nThe previous patch fixes this by using the deadlock-safe best-effort\nversion of find_vm_area.  However, in case of failure print the fact that\nthe pointer was a vmalloc pointer so that we print at least something.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()\n\nAs the call trace shows, skb_panic was caused by wrong skb->mac_header\nin nsh_gso_segment():\n\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1\nRIP: 0010:skb_panic+0xda/0xe0\ncall Trace:\n skb_push+0x91/0xa0\n nsh_gso_segment+0x4f3/0x570\n skb_mac_gso_segment+0x19e/0x270\n __skb_gso_segment+0x1e8/0x3c0\n validate_xmit_skb+0x452/0x890\n validate_xmit_skb_list+0x99/0xd0\n sch_direct_xmit+0x294/0x7c0\n __dev_queue_xmit+0x16f0/0x1d70\n packet_xmit+0x185/0x210\n packet_snd+0xc15/0x1170\n packet_sendmsg+0x7b/0xa0\n sock_sendmsg+0x14f/0x160\n\nThe root cause is:\nnsh_gso_segment() use skb->network_header - nhoff to reset mac_header\nin skb_gso_error_unwind() if inner-layer protocol gso fails.\nHowever, skb->network_header may be reset by inner-layer protocol\ngso function e.g. mpls_gso_segment. skb->mac_header reset by the\ninaccurate network_header will be larger than skb headroom.\n\nnsh_gso_segment\n    nhoff = skb->network_header - skb->mac_header;\n    __skb_pull(skb,nsh_len)\n    skb_mac_gso_segment\n        mpls_gso_segment\n            skb_reset_network_header(skb);//skb->network_header+=nsh_len\n            return -EINVAL;\n    skb_gso_error_unwind\n        skb_push(skb, nsh_len);\n        skb->mac_header = skb->network_header - nhoff;\n        // skb->mac_header > skb->headroom, cause skb_push panic\n\nUse correct mac_offset to restore mac_header and get rid of nhoff.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()\n\nWhen nonstatic_release_resource_db() frees all resources associated\nwith an PCMCIA socket, it forgets to free socket_data too, causing\na memory leak observable with kmemleak:\n\nunreferenced object 0xc28d1000 (size 64):\n  comm \"systemd-udevd\", pid 297, jiffies 4294898478 (age 194.484s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00  ................\n    00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0\n    [<7e51f0c8>] kmalloc_trace+0x31/0xa4\n    [<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc]\n    [<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core]\n    [<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket]\n    [<c48fac39>] pci_device_probe+0x99/0x194\n    [<84b7c690>] really_probe+0x181/0x45c\n    [<8060fe6e>] __driver_probe_device+0x75/0x1f4\n    [<b9b76f43>] driver_probe_device+0x28/0xac\n    [<648b766f>] __driver_attach+0xeb/0x1e4\n    [<6e9659eb>] bus_for_each_dev+0x61/0xb4\n    [<25a669f3>] driver_attach+0x1e/0x28\n    [<d8671d6b>] bus_add_driver+0x102/0x20c\n    [<df0d323c>] driver_register+0x5b/0x120\n    [<942cd8a4>] __pci_register_driver+0x44/0x4c\n    [<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support]\n\nFix this by freeing socket_data too.\n\nTested on a Acer Travelmate 4002WLMi by manually binding/unbinding\nthe yenta_cardbus driver (yenta_socket).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-generic: prohibit potential out-of-bounds access\n\nThe fbdev test of IGT may write after EOF, which lead to out-of-bound\naccess for drm drivers with fbdev-generic. For example, run fbdev test\non a x86+ast2400 platform, with 1680x1050 resolution, will cause the\nlinux kernel hang with the following call trace:\n\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  [IGT] fbdev: starting subtest eof\n  Workqueue: events drm_fb_helper_damage_work [drm_kms_helper]\n  [IGT] fbdev: starting subtest nullptr\n\n  RIP: 0010:memcpy_erms+0xa/0x20\n  RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246\n  RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0\n  RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000\n  RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0\n  R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80\n  R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30\n  FS:  0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0\n  Call Trace:\n   <TASK>\n   ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper]\n   drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper]\n   process_one_work+0x21f/0x430\n   worker_thread+0x4e/0x3c0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0xf4/0x120\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x2c/0x50\n   </TASK>\n  CR2: ffffa17d40e0b000\n  ---[ end trace 0000000000000000 ]---\n\nThe is because damage rectangles computed by\ndrm_fb_helper_memory_range_to_clip() function is not guaranteed to be\nbound in the screen's active display area. Possible reasons are:\n\n1) Buffers are allocated in the granularity of page size, for mmap system\n   call support. The shadow screen buffer consumed by fbdev emulation may\n   also choosed be page size aligned.\n\n2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip()\n   will introduce off-by-one error.\n\nFor example, on a 16KB page size system, in order to store a 1920x1080\nXRGB framebuffer, we need allocate 507 pages. Unfortunately, the size\n1920*1080*4 can not be divided exactly by 16KB.\n\n 1920 * 1080 * 4 = 8294400 bytes\n 506 * 16 * 1024 = 8290304 bytes\n 507 * 16 * 1024 = 8306688 bytes\n\n line_length = 1920*4 = 7680 bytes\n\n 507 * 16 * 1024 / 7680 = 1081.6\n\n off / line_length = 507 * 16 * 1024 / 7680 = 1081\n DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082\n\nmemcpy_toio() typically issue the copy line by line, when copy the last\nline, out-of-bound access will be happen. Because:\n\n 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688\n\nNote that userspace may still write to the invisiable area if a larger\nbuffer than width x stride is exposed. But it is not a big issue as\nlong as there still have memory resolve the access if not drafting so\nfar.\n\n - Also limit the y1 (Daniel)\n - keep fix patch it to minimal (Daniel)\n - screen_size is page size aligned because of it need mmap (Thomas)\n - Adding fixes tag (Thomas)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dcssblk: fix kernel crash with list_add corruption\n\nCommit fb08a1908cb1 (\"dax: simplify the dax_device <-> gendisk\nassociation\") introduced new logic for gendisk association, requiring\ndrivers to explicitly call dax_add_host() and dax_remove_host().\n\nFor dcssblk driver, some dax_remove_host() calls were missing, e.g. in\ndevice remove path. The commit also broke error handling for out_dax case\nin device add path, resulting in an extra put_device() w/o the previous\nget_device() in that case.\n\nThis lead to stale xarray entries after device add / remove cycles. In the\ncase when a previously used struct gendisk pointer (xarray index) would be\nused again, because blk_alloc_disk() happened to return such a pointer, the\nxa_insert() in dax_add_host() would fail and go to out_dax, doing the extra\nput_device() in the error path. In combination with an already flawed error\nhandling in dcssblk (device_register() cleanup), which needs to be\naddressed in a separate patch, this resulted in a missing device_del() /\nklist_del(), and eventually in the kernel crash with list_add corruption on\na subsequent device_add() / klist_add().\n\nFix this by adding the missing dax_remove_host() calls, and also move the\nput_device() in the error path to restore the previous logic.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: setup GPIO controller later in probe\n\nThe GPIO controller component of the sc16is7xx driver is setup too\nearly, which can result in a race condition where another device tries\nto utilise the GPIO lines before the sc16is7xx device has finished\ninitialising.\n\nThis issue manifests itself as an Oops when the GPIO lines are configured:\n\n    Unable to handle kernel read from unreadable memory at virtual address\n    ...\n    pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]\n    lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx]\n    ...\n    Call trace:\n    sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]\n    gpiod_direction_output_raw_commit+0x64/0x318\n    gpiod_direction_output+0xb0/0x170\n    create_gpio_led+0xec/0x198\n    gpio_led_probe+0x16c/0x4f0\n    platform_drv_probe+0x5c/0xb0\n    really_probe+0xe8/0x448\n    driver_probe_device+0xe8/0x138\n    __device_attach_driver+0x94/0x118\n    bus_for_each_drv+0x8c/0xe0\n    __device_attach+0x100/0x1b8\n    device_initial_probe+0x28/0x38\n    bus_probe_device+0xa4/0xb0\n    deferred_probe_work_func+0x90/0xe0\n    process_one_work+0x1c4/0x480\n    worker_thread+0x54/0x430\n    kthread+0x138/0x150\n    ret_from_fork+0x10/0x1c\n\nThis patch moves the setup of the GPIO controller functions to later in the\nprobe function, ensuring the sc16is7xx device has already finished\ninitialising by the time other devices try to make use of the GPIO lines.\nThe error handling has also been reordered to reflect the new\ninitialisation order.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninotify: Avoid reporting event with invalid wd\n\nWhen inotify_freeing_mark() races with inotify_handle_inode_event() it\ncan happen that inotify_handle_inode_event() sees that i_mark->wd got\nalready reset to -1 and reports this value to userspace which can\nconfuse the inotify listener. Avoid the problem by validating that wd is\nsensible (and pretend the mark got removed before the event got\ngenerated otherwise).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix race condition in hidp_session_thread\n\nThere is a potential race condition in hidp_session_thread that may\nlead to use-after-free. For instance, the timer is active while\nhidp_del_timer is called in hidp_session_thread(). After hidp_session_put,\nthen 'session' will be freed, causing kernel panic when hidp_idle_timeout\nis running.\n\nThe solution is to use del_timer_sync instead of del_timer.\n\nHere is the call trace:\n\n? hidp_session_probe+0x780/0x780\ncall_timer_fn+0x2d/0x1e0\n__run_timers.part.0+0x569/0x940\nhidp_session_probe+0x780/0x780\ncall_timer_fn+0x1e0/0x1e0\nktime_get+0x5c/0xf0\nlapic_next_deadline+0x2c/0x40\nclockevents_program_event+0x205/0x320\nrun_timer_softirq+0xa9/0x1b0\n__do_softirq+0x1b9/0x641\n__irq_exit_rcu+0xdc/0x190\nirq_exit_rcu+0xe/0x20\nsysvec_apic_timer_interrupt+0xa1/0xc0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix incorrect splitting in btrfs_drop_extent_map_range\n\nIn production we were seeing a variety of WARN_ON()'s in the extent_map\ncode, specifically in btrfs_drop_extent_map_range() when we have to call\nadd_extent_mapping() for our second split.\n\nConsider the following extent map layout\n\n\tPINNED\n\t[0 16K)  [32K, 48K)\n\nand then we call btrfs_drop_extent_map_range for [0, 36K), with\nskip_pinned == true.  The initial loop will have\n\n\tstart = 0\n\tend = 36K\n\tlen = 36K\n\nwe will find the [0, 16k) extent, but since we are pinned we will skip\nit, which has this code\n\n\tstart = em_end;\n\tif (end != (u64)-1)\n\t\tlen = start + len - em_end;\n\nem_end here is 16K, so now the values are\n\n\tstart = 16K\n\tlen = 16K + 36K - 16K = 36K\n\nlen should instead be 20K.  This is a problem when we find the next\nextent at [32K, 48K), we need to split this extent to leave [36K, 48k),\nhowever the code for the split looks like this\n\n\tsplit->start = start + len;\n\tsplit->len = em_end - (start + len);\n\nIn this case we have\n\n\tem_end = 48K\n\tsplit->start = 16K + 36K       // this should be 16K + 20K\n\tsplit->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K\n\nand now we have an invalid extent_map in the tree that potentially\noverlaps other entries in the extent map.  Even in the non-overlapping\ncase we will have split->start set improperly, which will cause problems\nwith any block related calculations.\n\nWe don't actually need len in this loop, we can simply use end as our\nend point, and only adjust start up when we find a pinned extent we need\nto skip.\n\nAdjust the logic to do this, which keeps us from inserting an invalid\nextent map.\n\nWe only skip_pinned in the relocation case, so this is relatively rare,\nexcept in the case where you are running relocation a lot, which can\nhappen with auto relocation on.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add check for cstate\n\nAs kzalloc may fail and return NULL pointer,\nit should be better to check cstate\nin order to avoid the NULL pointer dereference\nin __drm_atomic_helper_crtc_reset.\n\nPatchwork: https://patchwork.freedesktop.org/patch/514163/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix memleak for 'conf->bio_split'\n\nIn the error path of raid10_run(), 'conf' need be freed, however,\n'conf->bio_split' is missed and memory will be leaked.\n\nSince there are 3 places to free 'conf', factor out a helper to fix the\nproblem.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to drop all dirty pages during umount() if cp_error is set\n\nxfstest generic/361 reports a bug as below:\n\nf2fs_bug_on(sbi, sbi->fsync_node_num);\n\nkernel BUG at fs/f2fs/super.c:1627!\nRIP: 0010:f2fs_put_super+0x3a8/0x3b0\nCall Trace:\n generic_shutdown_super+0x8c/0x1b0\n kill_block_super+0x2b/0x60\n kill_f2fs_super+0x87/0x110\n deactivate_locked_super+0x39/0x80\n deactivate_super+0x46/0x50\n cleanup_mnt+0x109/0x170\n __cleanup_mnt+0x16/0x20\n task_work_run+0x65/0xa0\n exit_to_user_mode_prepare+0x175/0x190\n syscall_exit_to_user_mode+0x25/0x50\n do_syscall_64+0x4c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nDuring umount(), if cp_error is set, f2fs_wait_on_all_pages() should\nnot stop waiting all F2FS_WB_CP_DATA pages to be writebacked, otherwise,\nfsync_node_num can be non-zero after f2fs_wait_on_all_pages() causing\nthis bug.\n\nIn this case, to avoid deadloop in f2fs_wait_on_all_pages(), it needs\nto drop all dirty pages rather than redirtying them.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Return error for inconsistent extended attributes\n\nntfs_read_ea is called when we want to read extended attributes. There\nare some sanity checks for the validity of the EAs. However, it fails to\nreturn a proper error code for the inconsistent attributes, which might\nlead to unpredicted memory accesses after return.\n\n[  138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\n[  138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\n[  138.931132]\n[  138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\n[  138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[  138.947327] Call Trace:\n[  138.949557]  <TASK>\n[  138.951539]  dump_stack_lvl+0x4d/0x67\n[  138.956834]  print_report+0x16f/0x4a6\n[  138.960798]  ? ntfs_set_ea+0x453/0xbf0\n[  138.964437]  ? kasan_complete_mode_report_info+0x7d/0x200\n[  138.969793]  ? ntfs_set_ea+0x453/0xbf0\n[  138.973523]  kasan_report+0xb8/0x140\n[  138.976740]  ? ntfs_set_ea+0x453/0xbf0\n[  138.980578]  __asan_store4+0x76/0xa0\n[  138.984669]  ntfs_set_ea+0x453/0xbf0\n[  138.988115]  ? __pfx_ntfs_set_ea+0x10/0x10\n[  138.993390]  ? kernel_text_address+0xd3/0xe0\n[  138.998270]  ? __kernel_text_address+0x16/0x50\n[  139.002121]  ? unwind_get_return_address+0x3e/0x60\n[  139.005659]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  139.010177]  ? arch_stack_walk+0xa2/0x100\n[  139.013657]  ? filter_irq_stacks+0x27/0x80\n[  139.017018]  ntfs_setxattr+0x405/0x440\n[  139.022151]  ? __pfx_ntfs_setxattr+0x10/0x10\n[  139.026569]  ? kvmalloc_node+0x2d/0x120\n[  139.030329]  ? kasan_save_stack+0x41/0x60\n[  139.033883]  ? kasan_save_stack+0x2a/0x60\n[  139.037338]  ? kasan_set_track+0x29/0x40\n[  139.040163]  ? kasan_save_alloc_info+0x1f/0x30\n[  139.043588]  ? __kasan_kmalloc+0x8b/0xa0\n[  139.047255]  ? __kmalloc_node+0x68/0x150\n[  139.051264]  ? kvmalloc_node+0x2d/0x120\n[  139.055301]  ? vmemdup_user+0x2b/0xa0\n[  139.058584]  __vfs_setxattr+0x121/0x170\n[  139.062617]  ? __pfx___vfs_setxattr+0x10/0x10\n[  139.066282]  __vfs_setxattr_noperm+0x97/0x300\n[  139.070061]  __vfs_setxattr_locked+0x145/0x170\n[  139.073580]  vfs_setxattr+0x137/0x2a0\n[  139.076641]  ? __pfx_vfs_setxattr+0x10/0x10\n[  139.080223]  ? __kasan_check_write+0x18/0x20\n[  139.084234]  do_setxattr+0xce/0x150\n[  139.087768]  setxattr+0x126/0x140\n[  139.091250]  ? __pfx_setxattr+0x10/0x10\n[  139.094948]  ? __virt_addr_valid+0xcb/0x140\n[  139.097838]  ? __call_rcu_common.constprop.0+0x1c7/0x330\n[  139.102688]  ? debug_smp_processor_id+0x1b/0x30\n[  139.105985]  ? kasan_quarantine_put+0x5b/0x190\n[  139.109980]  ? putname+0x84/0xa0\n[  139.113886]  ? __kasan_slab_free+0x11e/0x1b0\n[  139.117961]  ? putname+0x84/0xa0\n[  139.121316]  ? preempt_count_sub+0x1c/0xd0\n[  139.124427]  ? __mnt_want_write+0xae/0x100\n[  139.127836]  ? mnt_want_write+0x8f/0x150\n[  139.130954]  path_setxattr+0x164/0x180\n[  139.133998]  ? __pfx_path_setxattr+0x10/0x10\n[  139.137853]  ? __pfx_ksys_pwrite64+0x10/0x10\n[  139.141299]  ? debug_smp_processor_id+0x1b/0x30\n[  139.145714]  ? fpregs_assert_state_consistent+0x6b/0x80\n[  139.150796]  __x64_sys_setxattr+0x71/0x90\n[  139.155407]  do_syscall_64+0x3f/0x90\n[  139.159035]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[  139.163843] RIP: 0033:0x7f108cae4469\n[  139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[  139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\n[  139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\n[  139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\n[  139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\n[  139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\n[  139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: safexcel - Cleanup ring IRQ workqueues on load failure\n\nA failure loading the safexcel driver results in the following warning\non boot, because the IRQ affinity has not been correctly cleaned up.\nEnsure we clean up the affinity and workqueues on a failure to load the\ndriver.\n\ncrypto-safexcel: probe of f2800000.crypto failed with error -2\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340\nModules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4\nCPU: 1 PID: 232 Comm: systemd-udevd Tainted: G        W          6.1.6-00002-g9d4898824677 #3\nHardware name: MikroTik RB5009 (DT)\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : free_irq+0x300/0x340\nlr : free_irq+0x2e0/0x340\nsp : ffff800008fa3890\nx29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000\nx26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50\nx23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80\nx20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e\nx14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040\nx11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370\nx8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18\nx5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188\nx2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0\nCall trace:\n free_irq+0x300/0x340\n devm_irq_release+0x14/0x20\n devres_release_all+0xa0/0x100\n device_unbind_cleanup+0x14/0x60\n really_probe+0x198/0x2d4\n __driver_probe_device+0x74/0xdc\n driver_probe_device+0x3c/0x110\n __driver_attach+0x8c/0x190\n bus_for_each_dev+0x6c/0xc0\n driver_attach+0x20/0x30\n bus_add_driver+0x148/0x1fc\n driver_register+0x74/0x120\n __platform_driver_register+0x24/0x30\n safexcel_init+0x48/0x1000 [crypto_safexcel]\n do_one_initcall+0x4c/0x1b0\n do_init_module+0x44/0x1cc\n load_module+0x1724/0x1be4\n __do_sys_finit_module+0xbc/0x110\n __arm64_sys_finit_module+0x1c/0x24\n invoke_syscall+0x44/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x20/0x80\n el0_svc+0x14/0x4c\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x148/0x14c\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()\n\nSyzkaller reported the following issue:\n==================================================================\nBUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800\nFree of addr ffff888086408000 by task syz-executor.4/12750\n[...]\nCall Trace:\n <TASK>\n[...]\n kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482\n ____kasan_slab_free+0xfb/0x120\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87\n jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n generic_shutdown_super+0x130/0x310 fs/super.c:492\n kill_block_super+0x79/0xd0 fs/super.c:1386\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n cleanup_mnt+0x494/0x520 fs/namespace.c:1291\n task_work_run+0x243/0x300 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296\n do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n </TASK>\n\nAllocated by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:580 [inline]\n dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164\n jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121\n jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556\n mount_bdev+0x26c/0x3a0 fs/super.c:1359\n legacy_get_tree+0xea/0x180 fs/fs_context.c:610\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518\n ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3db/0x710 fs/jfs/super.c:454\n reconfigure_super+0x3bc/0x7b0 fs/super.c:935\n vfs_fsconfig_locked fs/fsopen.c:254 [inline]\n __do_sys_fsconfig fs/fsopen.c:439 [inline]\n __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in\ndbUnmount().\n\nSyzkaller uses faultinject to reproduce this KASAN double-free\nwarning. The issue is triggered if either diMount() or dbMount() fail\nin jfs_remount(), since diUnmount() or dbUnmount() already happened in\nsuch a case - they will do double-free on next execution: jfs_umount\nor jfs_remount.\n\nTested on both upstream and jfs-next by syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: drop peer group ids under namespace lock\n\nWhen cleaning up peer group ids in the failure path we need to make sure\nto hold on to the namespace lock. Otherwise another thread might just\nturn the mount from a shared into a non-shared mount concurrently.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation for lmac type\n\nUpon physical link change, firmware reports to the kernel about the\nchange along with the details like speed, lmac_type_id, etc.\nKernel derives lmac_type based on lmac_type_id received from firmware.\n\nIn a few scenarios, firmware returns an invalid lmac_type_id, which\nresults in the kernel panic below. This patch adds the missing\nvalidation of the lmac_type_id field.\n\nInternal error: Oops: 96000005 [#1] PREEMPT SMP\n[   35.321595] Modules linked in:\n[   35.328982] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted\n5.4.210-g2e3169d8e1bc-dirty #17\n[   35.337014] Hardware name: Marvell CN103XX board (DT)\n[   35.344297] Workqueue: events work_for_cpu_fn\n[   35.352730] pstate: 40400089 (nZcv daIf +PAN -UAO)\n[   35.360267] pc : strncpy+0x10/0x30\n[   35.366595] lr : cgx_link_change_handler+0x90/0x180",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling\n\nCommit 55d1cbbbb29e (\"hfs/hfsplus: use WARN_ON for sanity check\") fixed\na build warning by turning a comment into a WARN_ON(), but it turns out\nthat syzbot then complains because it can trigger said warning with a\ncorrupted hfs image.\n\nThe warning actually does warn about a bad situation, but we are much\nbetter off just handling it as the error it is.  So rather than warn\nabout us doing bad things, stop doing the bad things and return -EIO.\n\nWhile at it, also fix a memory leak that was introduced by an earlier\nfix for a similar syzbot warning situation, and add a check for one case\nthat historically wasn't handled at all (ie neither comment nor\nsubsequent WARN_ON).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: Fix memory leak when handling surveys\n\nWhen removing a rt2x00 device, its associated channel surveys\nare not freed, causing a memory leak observable with kmemleak:\n\nunreferenced object 0xffff9620f0881a00 (size 512):\n  comm \"systemd-udevd\", pid 2290, jiffies 4294906974 (age 33.768s)\n  hex dump (first 32 bytes):\n    70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00  pD..............\n    00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130\n    [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]\n    [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]\n    [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]\n    [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]\n    [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]\n    [<ffffffffb13be2d5>] really_probe+0x1a5/0x410\n    [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180\n    [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90\n    [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0\n    [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0\n    [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210\n    [<ffffffffb13bfc6c>] driver_register+0x5c/0x120\n    [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]\n    [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220\n    [<ffffffffb0d6134c>] do_init_module+0x4c/0x220\n\nFix this by freeing the channel surveys on device removal.\n\nTested with a RT3070 based USB wireless adapter.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: stop parsing non-compact HEAD index if clusterofs is invalid\n\nSyzbot generated a crafted image [1] with a non-compact HEAD index of\nclusterofs 33024 while valid numbers should be 0 ~ lclustersize-1,\nwhich causes the following unexpected behavior as below:\n\n BUG: unable to handle page fault for address: fffff52101a3fff9\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 23ffed067 P4D 23ffed067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023\n Workqueue: erofs_worker z_erofs_decompressqueue_work\n RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40\n ...\n Call Trace:\n  <TASK>\n  z_erofs_decompressqueue_work+0x99/0xe0\n  process_one_work+0x8f6/0x1170\n  worker_thread+0xa63/0x1210\n  kthread+0x270/0x300\n  ret_from_fork+0x1f/0x30\n\nNote that normal images or images using compact indexes are not\nimpacted.  Let's fix this now.\n\n[1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: clean mc addresses in application firmware when closing port\n\nWhen moving devices from one namespace to another, mc addresses are\ncleaned in software while not removed from application firmware. Thus\nthe mc addresses remain and will cause a resource leak.\n\nNow use `__dev_mc_unsync` to clean mc addresses when closing port.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nautofs: fix memory leak of waitqueues in autofs_catatonic_mode\n\nSyzkaller reports a memory leak:\n\nBUG: memory leak\nunreferenced object 0xffff88810b279e00 (size 96):\n  comm \"syz-executor399\", pid 3631, jiffies 4294964921 (age 23.870s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff  ..........'.....\n    08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ..'.............\n  backtrace:\n    [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n    [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline]\n    [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378\n    [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593\n    [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619\n    [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897\n    [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910\n    [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline]\n    [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline]\n    [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline]\n    [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856\n    [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nautofs_wait_queue structs should be freed if their wait_ctr becomes zero.\nOtherwise they will be lost.\n\nIn this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new\nwaitqueue struct is allocated in autofs_wait(), its initial wait_ctr\nequals 2. After that wait_event_killable() is interrupted (it returns\n-ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not\nsatisfied. Actually, this condition can be satisfied when\nautofs_wait_release() or autofs_catatonic_mode() is called and, what is\nalso important, wait_ctr is decremented in those places. Upon the exit of\nautofs_wait(), wait_ctr is decremented to 1. Then the unmounting process\nbegins: kill_sb calls autofs_catatonic_mode(), which should have freed the\nwaitqueues, but it only decrements its usage counter to zero which is not\na correct behaviour.\n\nedit:imk\nThis description is of course not correct. The umount performed as a result\nof an expire is a umount of a mount that has been automounted, it's not the\nautofs mount itself. They happen independently, usually after everything\nmounted within the autofs file system has been expired away. If everything\nhasn't been expired away the automount daemon can still exit leaving mounts\nin place. But expires done in both cases will result in a notification that\ncalls autofs_wait_release() with a result status. The problem case is the\nsummary execution of the automount daemon. In this case any waiting\nprocesses won't be woken up until either they are terminated or the mount\nis umounted.\nend edit: imk\n\nSo in catatonic mode we should free waitqueues whose counter becomes zero.\n\nedit: imk\nInitially I was concerned that the calling of autofs_wait_release() and\nautofs_catatonic_mode() was not mutually exclusive but that can't be the\ncase (obviously) because the queue entry (or entries) is removed from the\nlist when either of these two functions are called. Consequently the wait\nentry will be freed by only one of these functions or by the woken process\nin autofs_wait() depending on the order of the calls.\nend edit: imk",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix potential out-of-bounds access in mas_wr_end_piv()\n\nCheck the write offset end bounds before using it as the offset into the\npivot array.  This avoids a possible out-of-bounds access on the pivot\narray if the write extends to the last slot in the node, in which case the\nnode maximum should be used as the end pivot.\n\nakpm: this doesn't affect any current callers, but new users of mapletree\nmay encounter this problem if backported into earlier kernels, so let's\nfix it in -stable kernels in case of this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sprd: Fix DMA buffer leak issue\n\nRelease DMA buffer when _probe() returns failure to avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n  struct vfio_iommu_type1_info_cap_migration {\n          struct vfio_info_cap_header header;              /*     0     8 */\n          __u32                      flags;                /*     8     4 */\n\n          /* XXX 4 bytes hole, try to pack */\n\n          __u64                      pgsize_bitmap;        /*    16     8 */\n          __u64                      max_dirty_bitmap_size; /*    24     8 */\n\n          /* size: 32, cachelines: 1, members: 4 */\n          /* sum members: 28, holes: 1, sum holes: 4 */\n          /* last cacheline: 32 bytes */\n  };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n  static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n                         struct vfio_info_cap *caps)\n  {\n      struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n      cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n      cap_mig.header.version = 1;\n\n      cap_mig.flags = 0;\n      /* support minimum pgsize */\n      cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\n      cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n      return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n  }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n  int vfio_info_add_capability(struct vfio_info_cap *caps,\n                   struct vfio_info_cap_header *cap, size_t size)\n  {\n      struct vfio_info_cap_header *header;\n\n      header = vfio_info_cap_add(caps, size, cap->id, cap->version);\n      if (IS_ERR(header))\n          return PTR_ERR(header);\n\n      memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n      return 0;\n  }\n\nThis issue was found by code inspection.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on irq uninstall\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitialisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525104/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/user_events: Ensure write index cannot be negative\n\nThe write index indicates which event the data is for and accesses a\nper-file array. The index is passed by user processes during write()\ncalls as the first 4 bytes. Ensure that it cannot be negative by\nreturning -EINVAL to prevent out of bounds accesses.\n\nUpdate ftrace self-test to ensure this occurs properly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse\n\nA syzbot stress test using a corrupted disk image reported that\nmark_buffer_dirty() called from __nilfs_mark_inode_dirty() or\nnilfs_palloc_commit_alloc_entry() may output a kernel warning, and can\npanic if the kernel is booted with panic_on_warn.\n\nThis is because nilfs2 keeps buffer pointers in local structures for some\nmetadata and reuses them, but such buffers may be forcibly discarded by\nnilfs_clear_dirty_page() in some critical situations.\n\nThis issue is reported to appear after commit 28a65b49eb53 (\"nilfs2: do\nnot write dirty data after degenerating to read-only\"), but the issue has\npotentially existed before.\n\nFix this issue by checking the uptodate flag when attempting to reuse an\ninternally held buffer, and reloading the metadata instead of reusing the\nbuffer if the flag was lost.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018\n\nWhile sending data after clients have connected, hw_ops->get_ring_selector()\nwill be called. But for IPQ5018, this member isn't set, and the\nfollowing NULL pointer exception will occur:\n\n\t[   38.840478] 8<--- cut here ---\n\t[   38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000\n\t...\n\t[   38.923161] PC is at 0x0\n\t[   38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k]\n\t...\n\t[   39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d)\n\t[   39.068994] Stack: (0x856a9a68 to 0x856aa000)\n\t...\n\t[   39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k])\n\t[   39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211])\n\t[   39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211])\n\t[   39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211])\n\t[   39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211])\n\t[   39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211])\n\t[   39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211])\n\t[   39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340)\n\t[   39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c)\n\t[   39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34)\n\t[   39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274)\n\t[   39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440)\n\t[   39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc)\n\t[   39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc)\n\t[   39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74)\n\t[   39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40)\n\t...\n\t[   39.620734] Code: bad PC value\n\t[   39.625869] ---[ end trace 8aef983ad3cbc032 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). [0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n </TASK>\n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()\n\nIf we encounter any error in the vdec_msg_queue_init() then we need\nto set \"msg_queue->wdma_addr.size = 0;\".  Normally, this is done\ninside the vdec_msg_queue_deinit() function.  However, if the\nfirst call to allocate &msg_queue->wdma_addr fails, then the\nvdec_msg_queue_deinit() function is a no-op.  For that situation, just\nset the size to zero explicitly and return.\n\nThere were two other error paths which did not clean up before returning.\nChange those error paths to goto mem_alloc_err.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix kernel warning during topology setup\n\nThis patch fixes the following kernel warning seen during\ndriver load by correctly initializing the p2plink attr before\ncreating the sysfs file:\n\n[  +0.002865] ------------[ cut here ]------------\n[  +0.002327] kobject: '(null)' (0000000056260cfb): is not initialized, yet kobject_put() is being called.\n[  +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0\n[  +0.001361] Call Trace:\n[  +0.001234]  <TASK>\n[  +0.001067]  kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu]\n[  +0.003147]  kfd_topology_update_sysfs+0x3d/0x750 [amdgpu]\n[  +0.002890]  kfd_topology_add_device+0xbd7/0xc70 [amdgpu]\n[  +0.002844]  ? lock_release+0x13c/0x2e0\n[  +0.001936]  ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu]\n[  +0.003313]  ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu]\n[  +0.002703]  kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu]\n[  +0.002930]  amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu]\n[  +0.002944]  amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu]\n[  +0.002970]  ? pci_bus_read_config_word+0x43/0x80\n[  +0.002380]  amdgpu_driver_load_kms+0x15/0x100 [amdgpu]\n[  +0.002744]  amdgpu_pci_probe+0x147/0x370 [amdgpu]\n[  +0.002522]  local_pci_probe+0x40/0x80\n[  +0.001896]  work_for_cpu_fn+0x10/0x20\n[  +0.001892]  process_one_work+0x26e/0x5a0\n[  +0.002029]  worker_thread+0x1fd/0x3e0\n[  +0.001890]  ? process_one_work+0x5a0/0x5a0\n[  +0.002115]  kthread+0xea/0x110\n[  +0.001618]  ? kthread_complete_and_exit+0x20/0x20\n[  +0.002422]  ret_from_fork+0x1f/0x30\n[  +0.001808]  </TASK>\n[  +0.001103] irq event stamp: 59837\n[  +0.001718] hardirqs last  enabled at (59849): [<ffffffffb30fab12>] __up_console_sem+0x52/0x60\n[  +0.004414] hardirqs last disabled at (59860): [<ffffffffb30faaf7>] __up_console_sem+0x37/0x60\n[  +0.004414] softirqs last  enabled at (59654): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130\n[  +0.004205] softirqs last disabled at (59649): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130\n[  +0.004203] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: drop unnecessary user-triggerable WARN_ONCE in verifier log\n\nIt's trivial for user to trigger \"verifier log line truncated\" warning,\nas verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at\nleast two pieces of user-provided information that can be output through\nthis buffer, and both can be arbitrarily sized by user:\n  - BTF names;\n  - BTF.ext source code lines strings.\n\nVerifier log buffer should be properly sized for typical verifier state\noutput. But it's sort-of expected that this buffer won't be long enough\nin some circumstances. So let's drop the check. In any case code will\nwork correctly, at worst truncating a part of a single line output.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Fix double-free of elf header buffer\n\nAfter\n\n  b3e34a47f989 (\"x86/kexec: fix memory leak of elf header buffer\"),\n\nfreeing image->elf_headers in the error path of crash_load_segments()\nis not needed because kimage_file_post_load_cleanup() will take\ncare of that later. And not clearing it could result in a double-free.\n\nDrop the superfluous vfree() call at the error path of\ncrash_load_segments().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: mtk-mdp3: Add missing check and free for ida_alloc\n\nAdd the check for the return value of the ida_alloc in order to avoid\nNULL pointer dereference.\nMoreover, free allocated \"ctx->id\" if mdp_m2m_open fails later in order\nto avoid memory leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Move representor neigh cleanup to profile cleanup_tx\n\nFor IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as\nthe flow is duplicated to the peer eswitch, the related neighbour\ninformation on the peer uplink representor is created as well.\n\nIn the cited commit, eswitch devcom unpair is moved to uplink unload\nAPI, specifically the profile->cleanup_tx. If there is a encap rule\noffloaded in ECMP mode, when one eswitch does unpair (because of\nunloading the driver, for instance), and the peer rule from the peer\neswitch is going to be deleted, the use-after-free error is triggered\nwhile accessing neigh info, as it is already cleaned up in uplink's\nprofile->disable, which is before its profile->cleanup_tx.\n\nTo fix this issue, move the neigh cleanup to profile's cleanup_tx\ncallback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh\ninit is moved to init_tx for symmetry.\n\n[ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496\n\n[ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G    B              6.4.0-rc7+ #15\n[ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2453.384335] Call Trace:\n[ 2453.384625]  <TASK>\n[ 2453.384891]  dump_stack_lvl+0x33/0x50\n[ 2453.385285]  print_report+0xc2/0x610\n[ 2453.385667]  ? __virt_addr_valid+0xb1/0x130\n[ 2453.386091]  ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.386757]  kasan_report+0xae/0xe0\n[ 2453.387123]  ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.387798]  mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.388465]  mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core]\n[ 2453.389111]  mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core]\n[ 2453.389706]  mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core]\n[ 2453.390361]  mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core]\n[ 2453.391015]  ? complete_all+0x43/0xd0\n[ 2453.391398]  ? free_flow_post_acts+0x38/0x120 [mlx5_core]\n[ 2453.392004]  mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core]\n[ 2453.392618]  mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core]\n[ 2453.393276]  mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core]\n[ 2453.393925]  mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core]\n[ 2453.394546]  ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core]\n[ 2453.395268]  ? down_write+0xaa/0x100\n[ 2453.395652]  mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core]\n[ 2453.396317]  mlx5_devcom_send_event+0xbb/0x190 [mlx5_core]\n[ 2453.396917]  mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core]\n[ 2453.397582]  mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core]\n[ 2453.398182]  mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core]\n[ 2453.398768]  mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core]\n[ 2453.399367]  mlx5e_detach_netdev+0xee/0x120 [mlx5_core]\n[ 2453.399957]  mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core]\n[ 2453.400598]  mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core]\n[ 2453.403781]  mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core]\n[ 2453.404479]  ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core]\n[ 2453.405170]  ? up_write+0x39/0x60\n[ 2453.405529]  ? kernfs_remove_by_name_ns+0xb7/0xe0\n[ 2453.405985]  auxiliary_bus_remove+0x2e/0x40\n[ 2453.406405]  device_release_driver_internal+0x243/0x2d0\n[ 2453.406900]  ? kobject_put+0x42/0x2d0\n[ 2453.407284]  bus_remove_device+0x128/0x1d0\n[ 2453.407687]  device_del+0x240/0x550\n[ 2453.408053]  ? waiting_for_supplier_show+0xe0/0xe0\n[ 2453.408511]  ? kobject_put+0xfa/0x2d0\n[ 2453.408889]  ? __kmem_cache_free+0x14d/0x280\n[ 2453.409310]  mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core]\n[ 2453.409973]  mlx5_unregister_device+0x40/0x50 [mlx5_core]\n[ 2453.410561]  mlx5_uninit_one+0x3d/0x110 [mlx5_core]\n[ 2453.411111]  remove_one+0x89/0x130 [mlx5_core]\n[ 24\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses\n\nWhen using the felix driver (the only one which supports UC filtering\nand MC filtering) as a DSA master for a random other DSA switch, one can\nsee the following stack trace when the downstream switch ports join a\nVLAN-aware bridge:\n\n=============================\nWARNING: suspicious RCU usage\n-----------------------------\nnet/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!\n\nstack backtrace:\nWorkqueue: dsa_ordered dsa_slave_switchdev_event_work\nCall trace:\n lockdep_rcu_suspicious+0x170/0x210\n vlan_for_each+0x8c/0x188\n dsa_slave_sync_uc+0x128/0x178\n __hw_addr_sync_dev+0x138/0x158\n dsa_slave_set_rx_mode+0x58/0x70\n __dev_set_rx_mode+0x88/0xa8\n dev_uc_add+0x74/0xa0\n dsa_port_bridge_host_fdb_add+0xec/0x180\n dsa_slave_switchdev_event_work+0x7c/0x1c8\n process_one_work+0x290/0x568\n\nWhat it's saying is that vlan_for_each() expects rtnl_lock() context and\nit's not getting it, when it's called from the DSA master's ndo_set_rx_mode().\n\nThe caller of that - dsa_slave_set_rx_mode() - is the slave DSA\ninterface's dsa_port_bridge_host_fdb_add() which comes from the deferred\ndsa_slave_switchdev_event_work().\n\nWe went to great lengths to avoid the rtnl_lock() context in that call\npath in commit 0faf890fc519 (\"net: dsa: drop rtnl_lock from\ndsa_slave_switchdev_event_work\"), and calling rtnl_lock() is simply not\nan option due to the possibility of deadlocking when calling\ndsa_flush_workqueue() from the call paths that do hold rtnl_lock() -\nbasically all of them.\n\nSo, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),\nthe state of the 8021q driver on this device is really not protected\nfrom concurrent access by anything.\n\nLooking at net/8021q/, I don't think that vlan_info->vid_list was\nparticularly designed with RCU traversal in mind, so introducing an RCU\nread-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so\neasy, and it also wouldn't be exactly what we need anyway.\n\nIn general I believe that the solution isn't in net/8021q/ anyway;\nvlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock()\nto be held per se - since it's not a netdev state change that we're\nblocking, but rather, just concurrent additions/removals to a VLAN list.\nWe don't even need sleepable context - the callback of vlan_for_each()\njust schedules deferred work.\n\nThe proposed escape is to remove the dependency on vlan_for_each() and\nto open-code a non-sleepable, rtnl-free alternative to that, based on\ncopies of the VLAN list modified from .ndo_vlan_rx_add_vid() and\n.ndo_vlan_rx_kill_vid().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix an out of bounds error in BIOS parser\n\nThe array is hardcoded to 8 in atomfirmware.h, but firmware provides\na bigger one sometimes. Dereferencing the larger array causes an out\nof bounds error.\n\ncommit 4fc1ba4aa589 (\"drm/amd/display: fix array index out of bound error\nin bios parser\") fixed some of this, but there are two other cases\nnot covered by it.  Fix those as well.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Fix system crash due to lack of free space in LFS\n\nWhen f2fs tries to checkpoint during foreground gc in LFS mode, system\ncrash occurs due to lack of free space if the amount of dirty node and\ndentry pages generated by data migration exceeds free space.\nThe reproduction sequence is as follows.\n\n - 20GiB capacity block device (null_blk)\n - format and mount with LFS mode\n - create a file and write 20,000MiB\n - 4k random write on full range of the file\n\n RIP: 0010:new_curseg+0x48a/0x510 [f2fs]\n Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff\n RSP: 0018:ffff977bc397b218 EFLAGS: 00010246\n RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0\n RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8\n RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40\n R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000\n R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000\n FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n allocate_segment_by_default+0x9c/0x110 [f2fs]\n f2fs_allocate_data_block+0x243/0xa30 [f2fs]\n ? __mod_lruvec_page_state+0xa0/0x150\n do_write_page+0x80/0x160 [f2fs]\n f2fs_do_write_node_page+0x32/0x50 [f2fs]\n __write_node_page+0x339/0x730 [f2fs]\n f2fs_sync_node_pages+0x5a6/0x780 [f2fs]\n block_operations+0x257/0x340 [f2fs]\n f2fs_write_checkpoint+0x102/0x1050 [f2fs]\n f2fs_gc+0x27c/0x630 [f2fs]\n ? folio_mark_dirty+0x36/0x70\n f2fs_balance_fs+0x16f/0x180 [f2fs]\n\nThis patch adds checking whether free sections are enough before checkpoint\nduring gc.\n\n[Jaegeuk Kim: code clean-up]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by moving j1939_sk_errqueue()\n\nThis commit addresses a deadlock situation that can occur in certain\nscenarios, such as when running data TP/ETP transfer and subscribing to\nthe error queue while receiving a net down event. The deadlock involves\nlocks in the following order:\n\n3\n  j1939_session_list_lock ->  active_session_list_lock\n  j1939_session_activate\n  ...\n  j1939_sk_queue_activate_next -> sk_session_queue_lock\n  ...\n  j1939_xtp_rx_eoma_one\n\n2\n  j1939_sk_queue_drop_all  ->  sk_session_queue_lock\n  ...\n  j1939_sk_netdev_event_netdown -> j1939_socks_lock\n  j1939_netdev_notify\n\n1\n  j1939_sk_errqueue -> j1939_socks_lock\n  __j1939_session_cancel -> active_session_list_lock\n  j1939_tp_rxtimer\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&priv->active_session_list_lock);\n                               lock(&jsk->sk_session_queue_lock);\n                               lock(&priv->active_session_list_lock);\n  lock(&priv->j1939_socks_lock);\n\nThe solution implemented in this commit is to move the\nj1939_sk_errqueue() call out of the active_session_list_lock context,\nthus preventing the deadlock situation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: turn quotas off if mount failed after enabling quotas\n\nYi found during a review of the patch \"ext4: don't BUG on inconsistent\njournal feature\" that when ext4_mark_recovery_complete() returns an error\nvalue, the error handling path does not turn off the enabled quotas,\nwhich triggers the following kmemleak:\n\n================================================================\nunreferenced object 0xffff8cf68678e7c0 (size 64):\ncomm \"mount\", pid 746, jiffies 4294871231 (age 11.540s)\nhex dump (first 32 bytes):\n00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00  ............A...\nc7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00  ............H...\nbacktrace:\n[<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880\n[<00000000d4e621d7>] kmalloc_trace+0x39/0x140\n[<00000000837eee74>] v2_read_file_info+0x18a/0x3a0\n[<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770\n[<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0\n[<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4]\n[<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4]\n[<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4]\n[<000000004a9489c4>] get_tree_bdev+0x1dc/0x370\n[<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4]\n[<00000000c7cb663d>] vfs_get_tree+0x31/0x160\n[<00000000320e1bed>] do_new_mount+0x1d5/0x480\n[<00000000c074654c>] path_mount+0x22e/0xbe0\n[<0000000003e97a8e>] do_mount+0x95/0xc0\n[<000000002f3d3736>] __x64_sys_mount+0xc4/0x160\n[<0000000027d2140c>] do_syscall_64+0x3f/0x90\n================================================================\n\nTo solve this problem, we add a \"failed_mount10\" tag, and call\next4_quota_off_umount() in this tag to release the enabled quotas.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Fix target_cmd_counter leak\n\nThe target_cmd_counter struct allocated via target_alloc_cmd_counter() is\nnever freed, resulting in leaks across various transport types, e.g.:\n\n unreferenced object 0xffff88801f920120 (size 96):\n  comm \"sh\", pid 102, jiffies 4294892535 (age 713.412s)\n  hex dump (first 32 bytes):\n    07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff  ........8.......\n  backtrace:\n    [<00000000e58a6252>] kmalloc_trace+0x11/0x20\n    [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod]\n    [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod]\n    [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop]\n    [<000000006a80e021>] configfs_write_iter+0xb1/0x120\n    [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0\n    [<000000008143433b>] ksys_write+0x80/0xb0\n    [<00000000a7df29b2>] do_syscall_64+0x42/0x90\n    [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFree the structure alongside the corresponding iscsit_conn / se_sess\nparent.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()\n\nSyzkaller reported the following issue:\n=======================================\nToo BIG xdp->frame_sz = 131072\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103\n...\nCall Trace:\n <TASK>\n bpf_prog_4add87e5301a4105+0x1a/0x1c\n __bpf_prog_run include/linux/filter.h:600 [inline]\n bpf_prog_run_xdp include/linux/filter.h:775 [inline]\n bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721\n netif_receive_generic_xdp net/core/dev.c:4807 [inline]\n do_xdp_generic+0x35c/0x770 net/core/dev.c:4866\n tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919\n tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043\n call_write_iter include/linux/fs.h:1871 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x650/0xe40 fs/read_write.c:584\n ksys_write+0x12f/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nxdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87\n(\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\"). But Jesper\nDangaard Brouer <jbrouer@redhat.com> noted that after introducing the\nxdp_init_buff() which all XDP driver use - it's safe to remove this\ncheck. The original intent was to catch cases where XDP drivers have\nnot been updated to use xdp.frame_sz, but that is no longer a concern\n(since xdp_init_buff).\n\nRunning the initial syzkaller repro it was discovered that the\ncontiguous physical memory allocation is used for both xdp paths in\ntun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also\nstated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can\nwork on higher order pages, as long as this is contiguous physical\nmemory (e.g. a page).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix crash when reading stats while NIC is resetting\n\nefx_net_stats() (.ndo_get_stats64) can be called during an ethtool\n selftest, during which time nic_data->mc_stats is NULL as the NIC has\n been fini'd.  In this case do not attempt to fetch the latest stats\n from the hardware, else we will crash on a NULL dereference:\n    BUG: kernel NULL pointer dereference, address: 0000000000000038\n    RIP efx_nic_update_stats\n    abridged calltrace:\n    efx_ef10_update_stats_pf\n    efx_net_stats\n    dev_get_stats\n    dev_seq_printf_stats\nSkipping the read is safe, we will simply give out stale stats.\nTo ensure that the free in efx_ef10_fini_nic() does not race against\n efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the\n efx->stats_lock in fini_nic (it is already held across update_stats).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF of alloc->vma in race with munmap()\n\n[ cmllamas: clean forward port from commit 015ac18be7de (\"binder: fix\n  UAF of alloc->vma in race with munmap()\") in 5.10 stable. It is needed\n  in mainline after the revert of commit a43cfc87caaf (\"android: binder:\n  stop saving a pointer to the VMA\") as pointed out by Liam. The commit\n  log and tags have been tweaked to reflect this. ]\n\nIn commit 720c24192404 (\"ANDROID: binder: change down_write to\ndown_read\") binder assumed the mmap read lock is sufficient to protect\nalloc->vma inside binder_update_page_range(). This used to be accurate\nuntil commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\"), which now downgrades the mmap_lock after detaching the vma\nfrom the rbtree in munmap(). Then it proceeds to teardown and free the\nvma with only the read lock held.\n\nThis means that accesses to alloc->vma in binder_update_page_range() now\nwill race with vm_area_free() in munmap() and can cause a UAF as shown\nin the following KASAN trace:\n\n  ==================================================================\n  BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0\n  Read of size 8 at addr ffff16204ad00600 by task server/558\n\n  CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x0/0x2a0\n   show_stack+0x18/0x2c\n   dump_stack+0xf8/0x164\n   print_address_description.constprop.0+0x9c/0x538\n   kasan_report+0x120/0x200\n   __asan_load8+0xa0/0xc4\n   vm_insert_page+0x7c/0x1f0\n   binder_update_page_range+0x278/0x50c\n   binder_alloc_new_buf+0x3f0/0xba0\n   binder_transaction+0x64c/0x3040\n   binder_thread_write+0x924/0x2020\n   binder_ioctl+0x1610/0x2e5c\n   __arm64_sys_ioctl+0xd4/0x120\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  Allocated by task 559:\n   kasan_save_stack+0x38/0x6c\n   __kasan_kmalloc.constprop.0+0xe4/0xf0\n   kasan_slab_alloc+0x18/0x2c\n   kmem_cache_alloc+0x1b0/0x2d0\n   vm_area_alloc+0x28/0x94\n   mmap_region+0x378/0x920\n   do_mmap+0x3f0/0x600\n   vm_mmap_pgoff+0x150/0x17c\n   ksys_mmap_pgoff+0x284/0x2dc\n   __arm64_sys_mmap+0x84/0xa4\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  Freed by task 560:\n   kasan_save_stack+0x38/0x6c\n   kasan_set_track+0x28/0x40\n   kasan_set_free_info+0x24/0x4c\n   __kasan_slab_free+0x100/0x164\n   kasan_slab_free+0x14/0x20\n   kmem_cache_free+0xc4/0x34c\n   vm_area_free+0x1c/0x2c\n   remove_vma+0x7c/0x94\n   __do_munmap+0x358/0x710\n   __vm_munmap+0xbc/0x130\n   __arm64_sys_munmap+0x4c/0x64\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  [...]\n  ==================================================================\n\nTo prevent the race above, revert back to taking the mmap write lock\ninside binder_update_page_range(). One might expect an increase of mmap\nlock contention. However, binder already serializes these calls via top\nlevel alloc->mutex. Also, there was no performance impact shown when\nrunning the binder benchmark tests.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't free qgroup space unless specified\n\nBoris noticed in his simple quotas testing that he was getting a leak\nwith Sweet Tea's change to subvol create that stopped doing a\ntransaction commit.  This was just a side effect of that change.\n\nIn the delayed inode code we have an optimization that will free extra\nreservations if we think we can pack a dir item into an already modified\nleaf.  Previously this wouldn't be triggered in the subvolume create\ncase because we'd commit the transaction, it was still possible but\nmuch harder to trigger.  It could actually be triggered if we did a\nmkdir && subvol create with qgroups enabled.\n\nThis occurs because in btrfs_insert_delayed_dir_index(), which gets\ncalled when we're adding the dir item, we do the following:\n\n  btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);\n\nif we're able to skip reserving space.\n\nThe problem here is that trans->block_rsv points at the temporary block\nrsv for the subvolume create, which has qgroup reservations in the block\nrsv.\n\nThis is a problem because btrfs_block_rsv_release() will do the\nfollowing:\n\n  if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {\n\t  qgroup_to_release = block_rsv->qgroup_rsv_reserved -\n\t\t  block_rsv->qgroup_rsv_size;\n\t  block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;\n  }\n\nThe temporary block rsv just has ->qgroup_rsv_reserved set,\n->qgroup_rsv_size == 0.  The optimization in\nbtrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0.  Then\nlater on when we call btrfs_subvolume_release_metadata() which has\n\n  btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);\n  btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);\n\nqgroup_to_release is set to 0, and we do not convert the reserved\nmetadata space.\n\nThe problem here is that the block rsv code has been unconditionally\nmessing with ->qgroup_rsv_reserved, because the main place this is used\nis delalloc, and any time we call btrfs_block_rsv_release() we do it\nwith qgroup_to_release set, and thus do the proper accounting.\n\nThe subvolume code is the only other code that uses the qgroup\nreservation stuff, but it's intermingled with the above optimization,\nand thus was getting its reservation freed out from underneath it and\nthus leaking the reserved space.\n\nThe solution is to simply not mess with the qgroup reservations if we\ndon't have qgroup_to_release set.  This works with the existing code as\nanything that messes with the delalloc reservations always have\nqgroup_to_release set.  This fixes the leak that Boris was observing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix kernel panic at qmu transfer done irq handler\n\nWhen handle qmu transfer irq, it will unlock @mtu->lock before give back\nrequest, if another thread handle disconnect event at the same time, and\ntry to disable ep, it may lock @mtu->lock and free qmu ring, then qmu\nirq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before\nhandling it.\n\ne.g.\nqmu done irq on cpu0                 thread running on cpu1\n\nqmu_done_tx()\n  handle gpd [0]\n    mtu3_requ_complete()        mtu3_gadget_ep_disable()\n      unlock @mtu->lock\n        give back request         lock @mtu->lock\n                                    mtu3_ep_disable()\n                                      mtu3_gpd_ring_free()\n                                   unlock @mtu->lock\n      lock @mtu->lock\n    get next gpd [1]\n\n[1]: goto [0] to handle next gpd, and next gpd may be NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_sdei: Fix sleep from invalid context BUG\n\nRunning a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra\ntriggers:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n  in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0\n  preempt_count: 0, expected: 0\n  RCU nest depth: 0, expected: 0\n  3 locks held by cpuhp/0/24:\n    #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248\n    #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248\n    #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130\n  irq event stamp: 36\n  hardirqs last  enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0\n  hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248\n  softirqs last  enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0\n  softirqs last disabled at (0): [<0000000000000000>] 0x0\n  CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...]\n  Hardware name: WIWYNN Mt.Jade Server [...]\n  Call trace:\n    dump_backtrace+0x114/0x120\n    show_stack+0x20/0x70\n    dump_stack_lvl+0x9c/0xd8\n    dump_stack+0x18/0x34\n    __might_resched+0x188/0x228\n    rt_spin_lock+0x70/0x120\n    sdei_cpuhp_up+0x3c/0x130\n    cpuhp_invoke_callback+0x250/0xf08\n    cpuhp_thread_fun+0x120/0x248\n    smpboot_thread_fn+0x280/0x320\n    kthread+0x130/0x140\n    ret_from_fork+0x10/0x20\n\nsdei_cpuhp_up() is called in the STARTING hotplug section,\nwhich runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry\ninstead to execute the cpuhp cb later, with preemption enabled.\n\nSDEI originally got its own cpuhp slot to allow interacting\nwith perf. It got superseded by pNMI and this early slot is not\nrelevant anymore. [1]\n\nSome SDEI calls (e.g. 
SDEI_1_0_FN_SDEI_PE_MASK) take actions on the\ncalling CPU. It is checked that preemption is disabled for them.\n_ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'.\nPreemption is enabled in those threads, but their cpumask is limited\nto 1 CPU.\nMove 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb\ndon't trigger them.\n\nAlso add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call\nwhich acts on the calling CPU.\n\n[1]:\nhttps://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix possible memory leak in smb2_lock()\n\nargv needs to be free when setup_async_work fails or when the current\nprocess is woken up.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: fix iso_conn related locking and validity issues\n\nsk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations\nthat check/update sk_state and access conn should hold lock_sock,\notherwise they can race.\n\nThe order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,\nwhich is how it is in connect/disconnect_cfm -> iso_conn_del ->\niso_chan_del.\n\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\naround updating sk_state and conn.\n\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\niso_conn. Hold hdev->lock longer to prevent that.\n\nThis should not reintroduce the issue fixed in commit 241f51931c35\n(\"Bluetooth: ISO: Avoid circular locking dependency\"), since the we\nacquire locks in order. We retain the fix in iso_sock_connect to release\nlock_sock before iso_connect_* acquires hdev->lock.\n\nSimilarly for commit 6a5ad251b7cd (\"Bluetooth: ISO: Fix possible\ncircular locking dependency\"). We retain the fix in iso_conn_ready to\nnot acquire iso_conn_lock before lock_sock.\n\niso_conn_add shall return iso_conn with valid hcon. 
Make it so also when\nreusing an old CIS connection waiting for disconnect timeout (see\n__iso_sock_close where conn->hcon is set to NULL).\n\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\n===============================================================\niso_sock_create:771: sock 00000000be9b69b7\niso_sock_init:693: sk 000000004dff667e\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_connect:875: sk 000000004dff667e\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\n__iso_chan_add:214: conn 00000000daf8625e\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\niso_sock_clear_timer:117: sock 000000004dff667e state 3\n    <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still\n    running at this point>\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\nhci_chan_list_flush:2780: hcon 000000007b65d182\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\n     <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets\n     
BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\n     must be that iso_chan_del occurred between iso_chan_add and end of\n     iso_connect_cis.>\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\n===============================================================\n\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\n===============================================================\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_event_packet:7607: hci0: e\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: move LRU update from zs_map_object() to zs_malloc()\n\nUnder memory pressure, we sometimes observe the following crash:\n\n[ 5694.832838] ------------[ cut here ]------------\n[ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100)\n[ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80\n[ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S                5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1\n[ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021\n[ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80\n[ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7\n[ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246\n[ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000\n[ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480\n[ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370\n[ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002\n[ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240\n[ 5695.136717] FS:  00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000\n[ 5695.152899] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0\n[ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 5695.207197] PKRU: 55555554\n[ 5695.212602] Call Trace:\n[ 5695.217486]  <TASK>\n[ 5695.221674]  
zs_map_object+0x91/0x270\n[ 5695.229000]  zswap_frontswap_store+0x33d/0x870\n[ 5695.237885]  ? do_raw_spin_lock+0x5d/0xa0\n[ 5695.245899]  __frontswap_store+0x51/0xb0\n[ 5695.253742]  swap_writepage+0x3c/0x60\n[ 5695.261063]  shrink_page_list+0x738/0x1230\n[ 5695.269255]  shrink_lruvec+0x5ec/0xcd0\n[ 5695.276749]  ? shrink_slab+0x187/0x5f0\n[ 5695.284240]  ? mem_cgroup_iter+0x6e/0x120\n[ 5695.292255]  shrink_node+0x293/0x7b0\n[ 5695.299402]  do_try_to_free_pages+0xea/0x550\n[ 5695.307940]  try_to_free_pages+0x19a/0x490\n[ 5695.316126]  __folio_alloc+0x19ff/0x3e40\n[ 5695.323971]  ? __filemap_get_folio+0x8a/0x4e0\n[ 5695.332681]  ? walk_component+0x2a8/0xb50\n[ 5695.340697]  ? generic_permission+0xda/0x2a0\n[ 5695.349231]  ? __filemap_get_folio+0x8a/0x4e0\n[ 5695.357940]  ? walk_component+0x2a8/0xb50\n[ 5695.365955]  vma_alloc_folio+0x10e/0x570\n[ 5695.373796]  ? walk_component+0x52/0xb50\n[ 5695.381634]  wp_page_copy+0x38c/0xc10\n[ 5695.388953]  ? filename_lookup+0x378/0xbc0\n[ 5695.397140]  handle_mm_fault+0x87f/0x1800\n[ 5695.405157]  do_user_addr_fault+0x1bd/0x570\n[ 5695.413520]  exc_page_fault+0x5d/0x110\n[ 5695.421017]  asm_exc_page_fault+0x22/0x30\n\nAfter some investigation, I have found the following issue: unlike other\nzswap backends, zsmalloc performs the LRU list update at the object\nmapping time, rather than when the slot for the object is allocated.\nThis deviation was discussed and agreed upon during the review process\nof the zsmalloc writeback patch series:\n\nhttps://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/\n\nUnfortunately, this introduces a subtle bug that occurs when there is a\nconcurrent store and reclaim, which interleave as follows:\n\nzswap_frontswap_store()            shrink_worker()\n  zs_malloc()                        zs_zpool_shrink()\n    spin_lock(&pool->lock)             zs_reclaim_page()\n    zspage = find_get_zspage()\n    spin_unlock(&pool->lock)\n                                         spin_lock(&pool->lock)\n      
                                   zspage = list_first_entry(&pool->lru)\n                  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix Kernel Panic during ndo_tx_timeout callback\n\nThe Xeon validation group has been carrying out some loaded tests\nwith various HW configurations, and they have seen some transmit\nqueue time out happening during the test. This will cause the\nreset adapter function to be called by igc_tx_timeout().\nSimilar race conditions may arise when the interface is being brought\ndown and up in igc_reinit_locked(), an interrupt being generated, and\nigc_clean_tx_irq() being called to complete the TX.\n\nWhen the igc_tx_timeout() function is invoked, this patch will turn\noff all TX ring HW queues during igc_down() process. TX ring HW queues\nwill be activated again during the igc_configure_tx_ring() process\nwhen performing the igc_up() procedure later.\n\nThis patch also moved existing igc_disable_tx_ring_hw() to avoid using\nforward declaration.\n\nKernel trace:\n[ 7678.747813] ------------[ cut here ]------------\n[ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out\n[ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0\n[ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat\nnf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO)\ncegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO)\nvtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO)\nsv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO)\ndsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO)\nsvbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO)\nfs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy 
emeraldrapids_svdefs(PO)\nregsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel\nsnd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci\n[ 7678.784496]  input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight\nconfigfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid\nmmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a\nusbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore\ncrct10dif_generic ptp crct10dif_common usb_common pps_core\n[ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0\n[ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c\n89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e\n89 c0 48 0f a3 05 0a c1\n[ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282\n[ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000\n[ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880\n[ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb\n[ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000\n[ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18\n[ 7679.318648] FS:  0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000\n[ 7679.332064] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8\n[ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 7679.379370] PKRU: 55555554\n[ 7679.386446] Call Trace:\n[ 7679.393152]  <TASK>\n[ 7679.399363]  ? 
__pfx_dev_watchdog+0x10/0x10\n[ 7679.407870]  call_timer_fn+0x31/0x110\n[ 7679.415698]  e\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: mm: Move initrd phys_to_virt handling after paging_init()\n\nWhen booting with an initial ramdisk on platforms where physical memory\ndoes not start at address zero (e.g. on Amiga):\n\n    initrd: 0ef0602c - 0f800000\n    Zone ranges:\n      DMA      [mem 0x0000000008000000-0x000000f7ffffffff]\n      Normal   empty\n    Movable zone start for each node\n    Early memory node ranges\n      node   0: [mem 0x0000000008000000-0x000000000f7fffff]\n    Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff]\n    Unable to handle kernel access at virtual address (ptrval)\n    Oops: 00000000\n    Modules linked in:\n    PC: [<00201d3c>] memcmp+0x28/0x56\n\nAs phys_to_virt() relies on m68k_memoffset and module_fixup(), it must\nnot be called before paging_init().  Hence postpone the phys_to_virt\nhandling for the initial ramdisk until after calling paging_init().\n\nWhile at it, reduce #ifdef clutter by using IS_ENABLED() instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Prevent shift wrapping in set_user_sq_size()\n\nThe ucmd->log_sq_bb_count variable is controlled by the user so this\nshift can wrap.  Fix it by using check_shl_overflow() in the same way\nthat it was done in commit 515f60004ed9 (\"RDMA/hns: Prevent undefined\nbehavior in hns_roce_set_user_sq_size()\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix memory leak in mlx5e_ptp_open\n\nWhen kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory\npointed by \"c\" or \"cparams\" is not freed, which can lead to a memory\nleak. Fix by freeing the array in the error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix linking a duplicate key to a keyring's assoc_array\n\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\n\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS:  0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741]  ? key_alloc+0x447/0x4b0\n[2158499.700768]  ? 
__key_link_begin+0x43/0xa0\n[2158499.700790]  __key_link_begin+0x43/0xa0\n[2158499.700814]  request_key_and_link+0x2c7/0x730\n[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873]  ? key_default_cmp+0x20/0x20\n[2158499.700898]  request_key_tag+0x43/0xa0\n[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164]  ? scnprintf+0x49/0x90\n[2158499.701190]  ? __switch_to_asm+0x40/0x70\n[2158499.701211]  ? __switch_to_asm+0x34/0x70\n[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632]  process_one_work+0x1f8/0x3e0\n[2158499.701658]  worker_thread+0x2d/0x3f0\n[2158499.701682]  ? process_one_work+0x3e0/0x3e0\n[2158499.701703]  kthread+0x10d/0x130\n[2158499.701723]  ? kthread_park+0xb0/0xb0\n[2158499.701746]  ret_from_fork+0x1f/0x40\n\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\n  example, \"abcdef\". The function registers its global DNS resolver\n  cache as current->cred.thread_keyring and passes the query to\n  request_key_net() -> request_key_tag() -> request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\n  object. Its match_data.cmp method gets set via a call to\n  type->match_preparse() (resolves to dns_resolver_match_preparse()) to\n  dns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\n  search_process_keyrings_rcu() which returns that a given key was not\n  found. The control is then passed to request_key_and_link() ->\n  construct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n  \"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n  __key_link_begin() to determine an assoc_array_edit operation to\n  insert a new key. 
Index keys in the array are compared exactly as-is,\n  using keyring_compare_object(). The operation \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix memory leak of iter->temp when reading trace_pipe\n\nkmemleak reports:\n  unreferenced object 0xffff88814d14e200 (size 256):\n    comm \"cat\", pid 336, jiffies 4294871818 (age 779.490s)\n    hex dump (first 32 bytes):\n      04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00  ................\n      0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff  .........Z......\n    backtrace:\n      [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140\n      [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0\n      [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0\n      [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950\n      [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0\n      [<ffffffff9bf03a43>] vfs_read+0x143/0x520\n      [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160\n      [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90\n      [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nwhen reading file 'trace_pipe', 'iter->temp' is allocated or relocated\nin trace_find_next_entry() but not freed before 'trace_pipe' is closed.\n\nTo fix it, free 'iter->temp' in tracing_release_pipe().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction\n\nOn hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs\nwith ConfigVersion 9.3 or later support IBT in the guest. However,\ncurrent versions of Hyper-V have a bug in that there's not an ENDBR64\ninstruction at the beginning of the hypercall page. Since hypercalls are\nmade with an indirect call to the hypercall page, all hypercall attempts\nfail with an exception and Linux panics.\n\nA Hyper-V fix is in progress to add ENDBR64. But guard against the Linux\npanic by clearing X86_FEATURE_IBT if the hypercall page doesn't start\nwith ENDBR. The VM will boot and run without IBT.\n\nIf future Linux 32-bit kernels were to support IBT, additional hypercall\npage hackery would be needed to make IBT work for such kernels in a\nHyper-V VM.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable preemption in bpf_event_output\n\nWe received report [1] of kernel crash, which is caused by\nusing nesting protection without disabled preemption.\n\nThe bpf_event_output can be called by programs executed by\nbpf_prog_run_array_cg function that disabled migration but\nkeeps preemption enabled.\n\nThis can cause task to be preempted by another one inside the\nnesting protection and lead eventually to two tasks using same\nperf_sample_data buffer and cause crashes like:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000001\n  #PF: supervisor instruction fetch in kernel mode\n  #PF: error_code(0x0010) - not-present page\n  ...\n  ? perf_output_sample+0x12a/0x9a0\n  ? finish_task_switch.isra.0+0x81/0x280\n  ? perf_event_output+0x66/0xa0\n  ? bpf_event_output+0x13a/0x190\n  ? bpf_event_output_data+0x22/0x40\n  ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb\n  ? xa_load+0x87/0xe0\n  ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0\n  ? release_sock+0x3e/0x90\n  ? sk_setsockopt+0x1a1/0x12f0\n  ? udp_pre_connect+0x36/0x50\n  ? inet_dgram_connect+0x93/0xa0\n  ? __sys_connect+0xb4/0xe0\n  ? udp_setsockopt+0x27/0x40\n  ? __pfx_udp_push_pending_frames+0x10/0x10\n  ? __sys_setsockopt+0xdf/0x1a0\n  ? __x64_sys_connect+0xf/0x20\n  ? do_syscall_64+0x3a/0x90\n  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFixing this by disabling preemption in bpf_event_output.\n\n[1] https://github.com/cilium/cilium/issues/26756",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio: Fix NULL pointer dereference caused by uninitialized group->iommufd\n\ngroup->iommufd is not initialized for the iommufd_ctx_put()\n\n[20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]\n...\n[20018.476483] Call Trace:\n[20018.479214]  <TASK>\n[20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]\n[20018.487586]  __x64_sys_ioctl+0x6a/0xb0\n[20018.491773]  ? trace_hardirqs_on+0xc5/0xe0\n[20018.496347]  do_syscall_64+0x67/0x90\n[20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: xiic: xiic_xfer(): Fix runtime PM leak on error path\n\nThe xiic_xfer() function gets a runtime PM reference when the function is\nentered. This reference is released when the function is exited. There is\ncurrently one error path where the function exits directly, which leads to\na leak of the runtime PM reference.\n\nMake sure that this error path also releases the runtime PM reference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs reported by Christoph, the mptcp protocol can run the\nworker when the relevant msk socket is in an unexpected state:\n\nconnect()\n// incoming reset + fastclose\n// the mptcp worker is scheduled\nmptcp_disconnect()\n// msk is now CLOSED\nlisten()\nmptcp_worker()\n\nLeading to the following splat:\n\ndivide error: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nWorkqueue: events mptcp_worker\nRIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018\nRSP: 0018:ffffc900000b3c98 EFLAGS: 00010293\nRAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004\nRBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000\nR10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_select_window net/ipv4/tcp_output.c:262 [inline]\n __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345\n tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]\n tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459\n mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]\n mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705\n process_one_work+0x3bd/0x950 kernel/workqueue.c:2390\n worker_thread+0x5b/0x610 kernel/workqueue.c:2537\n kthread+0x138/0x170 kernel/kthread.c:376\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\n\nThis change addresses the issue by explicitly checking for bad states\nbefore running the mptcp worker.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix warning in dqgrab()\n\nThere's an issue as follows when doing fault injection:\nWARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0\nModules linked in:\nCPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541\nRIP: 0010:dquot_disable+0x13b7/0x18c0\nRSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980\nRDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002\nRBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130\nR13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118\nFS:  00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n dquot_load_quota_sb+0xd53/0x1060\n dquot_resume+0x172/0x230\n ext4_reconfigure+0x1dc6/0x27b0\n reconfigure_super+0x515/0xa90\n __x64_sys_fsconfig+0xb19/0xd20\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe above issue may happen as follows:\nProcessA              ProcessB                    ProcessC\nsys_fsconfig\n  vfs_fsconfig_locked\n   reconfigure_super\n     ext4_remount\n      dquot_suspend -> suspend all type quota\n\n                 sys_fsconfig\n                  vfs_fsconfig_locked\n                    reconfigure_super\n                     ext4_remount\n                      dquot_resume\n                       ret = dquot_load_quota_sb\n                        add_dquot_ref\n                                           do_open  -> open file O_RDWR\n                                            vfs_open\n                                             do_dentry_open\n                                              get_write_access\n                                               atomic_inc_unless_negative(&inode->i_writecount)\n                                              ext4_file_open\n                                               dquot_file_open\n                                                dquot_initialize\n                                                  __dquot_initialize\n                                                   dqget\n\t\t\t\t\t\t    atomic_inc(&dquot->dq_count);\n\n                          __dquot_initialize\n                           __dquot_initialize\n                            dqget\n                             if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))\n                               ext4_acquire_dquot\n\t\t\t        -> Return error DQ_ACTIVE_B flag isn't set\n                         dquot_disable\n\t\t\t  invalidate_dquots\n\t\t\t   if (atomic_read(&dquot->dq_count))\n\t                    dqgrab\n\t\t\t     WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))\n\t                      -> Trigger warning\n\nIn the above scenario, 'dquot->dq_flags' having no DQ_ACTIVE_B is normal when\ndqgrab() is called.\nTo solve the above issue, just replace the dqgrab() use in invalidate_dquots() with\natomic_inc(&dquot->dq_count).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()\n\nWhen kmalloc() fails to allocate memory in kasprintf(), name\nor full_name will be NULL, and strcmp() will cause a\nnull pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Array index may go out of bound\n\nKlocwork reports array 'vha->host_str' of size 16 may use index value(s)\n16..19.  Use snprintf() instead of sprintf().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle case when repair happens with dev-replace\n\n[BUG]\nThere is a bug report that a BUG_ON() in btrfs_repair_io_failure()\n(originally repair_io_failure() in v6.0 kernel) got triggered when\nreplacing an unreliable disk:\n\n  BTRFS warning (device sda1): csum failed root 257 ino 2397453 off 39624704 csum 0xb0d18c75 expected csum 0x4dae9c5e mirror 3\n  kernel BUG at fs/btrfs/extent_io.c:2380!\n  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 9 PID: 3614331 Comm: kworker/u257:2 Tainted: G           OE      6.0.0-5-amd64 #1  Debian 6.0.10-2\n  Hardware name: Micro-Star International Co., Ltd. MS-7C60/TRX40 PRO WIFI (MS-7C60), BIOS 2.70 07/01/2021\n  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n  RIP: 0010:repair_io_failure+0x24a/0x260 [btrfs]\n  Call Trace:\n   <TASK>\n   clean_io_failure+0x14d/0x180 [btrfs]\n   end_bio_extent_readpage+0x412/0x6e0 [btrfs]\n   ? __switch_to+0x106/0x420\n   process_one_work+0x1c7/0x380\n   worker_thread+0x4d/0x380\n   ? rescuer_thread+0x3a0/0x3a0\n   kthread+0xe9/0x110\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x22/0x30\n\n[CAUSE]\n\nBefore the BUG_ON(), we got some read errors from the replace target\nfirst, note the mirror number (3, which is beyond RAID1 duplication,\nthus it's read from the replace target device).\n\nThen at the BUG_ON() location, we are trying to writeback the repaired\nsectors back to the failed device.\n\nThe check looks like this:\n\n\t\tret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, logical,\n\t\t\t\t      &map_length, &bioc, mirror_num);\n\t\tif (ret)\n\t\t\tgoto out_counter_dec;\n\t\tBUG_ON(mirror_num != bioc->mirror_num);\n\nBut inside btrfs_map_block(), we can modify bioc->mirror_num especially\nfor dev-replace:\n\n\tif (dev_replace_is_ongoing && mirror_num == map->num_stripes + 1 &&\n\t    !need_full_stripe(op) && dev_replace->tgtdev != NULL) {\n\t\tret = get_extra_mirror_from_replace(fs_info, logical, *length,\n\t\t\t\t\t\t    dev_replace->srcdev->devid,\n\t\t\t\t\t\t    &mirror_num,\n\t\t\t\t\t    &physical_to_patch_in_first_stripe);\n\t\tpatch_the_first_stripe_for_dev_replace = 1;\n\t}\n\nThus if we're repairing the replace target device, we're going to\ntrigger that BUG_ON().\n\nBut in reality, the read failure from the replace target device may be\nthat, our replace hasn't reached the range we're reading, thus we're\nreading garbage, but with replace running, the range would be properly\nfilled later.\n\nThus in that case, we don't need to do anything but let the replace\nroutine handle it.\n\n[FIX]\nInstead of a BUG_ON(), just skip the repair if we're repairing the\ndevice replace target device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2"
        },
        {
          "id": "CVE-2023-54181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix issue in verifying allow_ptr_leaks\n\nAfter we converted the capabilities of our networking-bpf program from\ncap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program\nfailed to start. Because it failed the bpf verifier, and the error log\nis \"R3 pointer comparison prohibited\".\n\nA simple reproducer as follows,\n\nSEC(\"cls-ingress\")\nint ingress(struct __sk_buff *skb)\n{\n\tstruct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);\n\n\tif ((long)(iph + 1) > (long)skb->data_end)\n\t\treturn TC_ACT_STOLEN;\n\treturn TC_ACT_OK;\n}\n\nPer discussion with Yonghong and Alexei [1], comparison of two packet\npointers is not a pointer leak. This patch fixes it.\n\nOur local kernel is 6.1.y and we expect this fix to be backported to\n6.1.y, so stable is CCed.\n\n[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to check readonly condition correctly\n\nWith below case, it can mount multi-device image w/ rw option, however\none of secondary device is set as ro, later update will cause panic, so\nlet's introduce f2fs_dev_is_readonly(), and check multi-devices rw status\nin f2fs_remount() w/ it in order to avoid such inconsistent mount status.\n\nmkfs.f2fs -c /dev/zram1 /dev/zram0 -f\nblockdev --setro /dev/zram1\nmount -t f2fs dev/zram0 /mnt/f2fs\nmount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.\nmount -t f2fs -o remount,rw mnt/f2fs\ndd if=/dev/zero  of=/mnt/f2fs/file bs=1M count=8192\n\nkernel BUG at fs/f2fs/inline.c:258!\nRIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs]\nCall Trace:\n  f2fs_write_single_data_page+0x26b/0x9f0 [f2fs]\n  f2fs_write_cache_pages+0x389/0xa60 [f2fs]\n  __f2fs_write_data_pages+0x26b/0x2d0 [f2fs]\n  f2fs_write_data_pages+0x2e/0x40 [f2fs]\n  do_writepages+0xd3/0x1b0\n  __writeback_single_inode+0x5b/0x420\n  writeback_sb_inodes+0x236/0x5a0\n  __writeback_inodes_wb+0x56/0xf0\n  wb_writeback+0x2a3/0x490\n  wb_do_writeback+0x2b2/0x330\n  wb_workfn+0x6a/0x260\n  process_one_work+0x270/0x5e0\n  worker_thread+0x52/0x3e0\n  kthread+0xf4/0x120\n  ret_from_fork+0x29/0x50",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()\n\nIf fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL,\nso fwnode_handle_put() is a no-op.\n\nRelease the reference taken from a previous fwnode_graph_get_port_parent()\ncall instead.\n\nAlso handle fwnode_graph_get_port_parent() failures.\n\nIn order to fix these issues, add an error handling path to the function\nand the needed gotos.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsit: Free cmds before session free\n\nCommands from recovery entries are freed after the session has been closed.\nThat leads to a use-after-free at command free or an NPE with such a call trace:\n\nTime2Retain timer expired for SID: 1, cleaning up iSCSI session.\nBUG: kernel NULL pointer dereference, address: 0000000000000140\nRIP: 0010:sbitmap_queue_clear+0x3a/0xa0\nCall Trace:\n target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]\n transport_generic_free_cmd+0xd1/0x180 [target_core_mod]\n iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]\n iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]\n iscsit_close_session+0x13a/0x140 [iscsi_target_mod]\n iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]\n call_timer_fn+0x24/0x140\n\nMove cleanup of recovery entries to before session freeing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG_ON()'s in add_new_free_space()\n\nAt add_new_free_space() we have these BUG_ON()'s that are there to deal\nwith any failure to add free space to the in memory free space cache.\nSuch failures are mostly -ENOMEM that should be very rare. However there's\nno need to have these BUG_ON()'s, we can just return any error to the\ncaller and all callers and their upper call chain are already dealing with\nerrors.\n\nSo just make add_new_free_space() return any errors, while removing the\nBUG_ON()'s, and returning the total amount of added free space to an\noptional u64 pointer argument.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: fix pin_assignment_show\n\nThis patch fixes negative indexing of buf array in pin_assignment_show\nwhen get_current_pin_assignments returns 0 i.e. no compatible pin\nassignments are found.\n\nBUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c\n...\nCall trace:\ndump_backtrace+0x110/0x204\ndump_stack_lvl+0x84/0xbc\nprint_report+0x358/0x974\nkasan_report+0x9c/0xfc\n__do_kernel_fault+0xd4/0x2d4\ndo_bad_area+0x48/0x168\ndo_tag_check_fault+0x24/0x38\ndo_mem_abort+0x6c/0x14c\nel1_abort+0x44/0x68\nel1h_64_sync_handler+0x64/0xa4\nel1h_64_sync+0x78/0x7c\npin_assignment_show+0x26c/0x33c\ndev_attr_show+0x50/0xc0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix potential corruption when moving a directory\n\nF2FS has the same issue in ext4_rename causing crash revealed by\nxfstests/generic/707.\n\nSee also commit 0813299c586b (\"ext4: Fix possible corruption when moving a directory\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: apple-admac: Fix 'current_tx' not getting freed\n\nIn terminate_all we should queue up all submitted descriptors to be\nfreed. We do that for the content of the 'issued' and 'submitted' lists,\nbut the 'current_tx' descriptor falls through the cracks as it's\nremoved from the 'issued' list once it gets assigned to be the current\ndescriptor. Explicitly queue up freeing of the 'current_tx' descriptor\nto address a memory leak that is otherwise present.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-core: Fix refcount leak in of_led_get()\n\nclass_find_device_by_of_node() calls class_find_device(), which takes\na reference; use put_device() to drop the reference when it is not needed\nanymore.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix memory leak in mt7996_mcu_exit\n\nAlways purge mcu skb queues in mt7996_mcu_exit routine even if\nmt7996_firmware_state fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block\n\nWe got a kernel panic if old_addr is NULL.\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=217266\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n Call Trace:\n  <TASK>\n  f2fs_commit_atomic_write+0x619/0x990 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43]\n  __f2fs_ioctl+0xd8e/0x4080 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43]\n  ? vfs_write+0x2ae/0x3f0\n  ? vfs_write+0x2ae/0x3f0\n  __x64_sys_ioctl+0x91/0xd0\n  do_syscall_64+0x5c/0x90\n  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n RIP: 0033:0x7f69095fe53f",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: remove block_cb from driver_list before freeing\n\nError handler of tcf_block_bind() frees the whole bo->cb_list on error.\nHowever, by that time the flow_block_cb instances are already in the driver\nlist because driver ndo_setup_tc() callback is called before that up the\ncall chain in tcf_block_offload_cmd(). This leaves dangling pointers to\nfreed objects in the list and causes use-after-free[0]. Fix it by also\nremoving flow_block_cb instances from driver_list before deallocating them.\n\n[0]:\n[  279.868433] ==================================================================\n[  279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0\n[  279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963\n\n[  279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4\n[  279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  279.876295] Call Trace:\n[  279.876882]  <TASK>\n[  279.877413]  dump_stack_lvl+0x33/0x50\n[  279.878198]  print_report+0xc2/0x610\n[  279.878987]  ? flow_block_cb_setup_simple+0x631/0x7c0\n[  279.879994]  kasan_report+0xae/0xe0\n[  279.880750]  ? flow_block_cb_setup_simple+0x631/0x7c0\n[  279.881744]  ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core]\n[  279.883047]  flow_block_cb_setup_simple+0x631/0x7c0\n[  279.884027]  tcf_block_offload_cmd.isra.0+0x189/0x2d0\n[  279.885037]  ? tcf_block_setup+0x6b0/0x6b0\n[  279.885901]  ? mutex_lock+0x7d/0xd0\n[  279.886669]  ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0\n[  279.887844]  ? ingress_init+0x1c0/0x1c0 [sch_ingress]\n[  279.888846]  tcf_block_get_ext+0x61c/0x1200\n[  279.889711]  ingress_init+0x112/0x1c0 [sch_ingress]\n[  279.890682]  ? clsact_init+0x2b0/0x2b0 [sch_ingress]\n[  279.891701]  qdisc_create+0x401/0xea0\n[  279.892485]  ? qdisc_tree_reduce_backlog+0x470/0x470\n[  279.893473]  tc_modify_qdisc+0x6f7/0x16d0\n[  279.894344]  ? tc_get_qdisc+0xac0/0xac0\n[  279.895213]  ? mutex_lock+0x7d/0xd0\n[  279.896005]  ? __mutex_lock_slowpath+0x10/0x10\n[  279.896910]  rtnetlink_rcv_msg+0x5fe/0x9d0\n[  279.897770]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  279.898672]  ? __sys_sendmsg+0xb5/0x140\n[  279.899494]  ? do_syscall_64+0x3d/0x90\n[  279.900302]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  279.901337]  ? kasan_save_stack+0x2e/0x40\n[  279.902177]  ? kasan_save_stack+0x1e/0x40\n[  279.903058]  ? kasan_set_track+0x21/0x30\n[  279.903913]  ? kasan_save_free_info+0x2a/0x40\n[  279.904836]  ? ____kasan_slab_free+0x11a/0x1b0\n[  279.905741]  ? kmem_cache_free+0x179/0x400\n[  279.906599]  netlink_rcv_skb+0x12c/0x360\n[  279.907450]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  279.908360]  ? netlink_ack+0x1550/0x1550\n[  279.909192]  ? rhashtable_walk_peek+0x170/0x170\n[  279.910135]  ? kmem_cache_alloc_node+0x1af/0x390\n[  279.911086]  ? _copy_from_iter+0x3d6/0xc70\n[  279.912031]  netlink_unicast+0x553/0x790\n[  279.912864]  ? netlink_attachskb+0x6a0/0x6a0\n[  279.913763]  ? netlink_recvmsg+0x416/0xb50\n[  279.914627]  netlink_sendmsg+0x7a1/0xcb0\n[  279.915473]  ? netlink_unicast+0x790/0x790\n[  279.916334]  ? iovec_from_user.part.0+0x4d/0x220\n[  279.917293]  ? netlink_unicast+0x790/0x790\n[  279.918159]  sock_sendmsg+0xc5/0x190\n[  279.918938]  ____sys_sendmsg+0x535/0x6b0\n[  279.919813]  ? import_iovec+0x7/0x10\n[  279.920601]  ? kernel_sendmsg+0x30/0x30\n[  279.921423]  ? __copy_msghdr+0x3c0/0x3c0\n[  279.922254]  ? import_iovec+0x7/0x10\n[  279.923041]  ___sys_sendmsg+0xeb/0x170\n[  279.923854]  ? copy_msghdr_from_user+0x110/0x110\n[  279.924797]  ? ___sys_recvmsg+0xd9/0x130\n[  279.925630]  ? __perf_event_task_sched_in+0x183/0x470\n[  279.926656]  ? ___sys_sendmsg+0x170/0x170\n[  279.927529]  ? ctx_sched_in+0x530/0x530\n[  279.928369]  ? update_curr+0x283/0x4f0\n[  279.929185]  ? perf_event_update_userpage+0x570/0x570\n[  279.930201]  ? __fget_light+0x57/0x520\n[  279.931023]  ? __switch_to+0x53d/0xe70\n[  27\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree\n\nThe call stack shown below is a scenario in the Linux 4.19 kernel.\nAllocating memory failed where exfat fs uses kmalloc_array due to\nsystem memory fragmentation, while the u-disk was inserted without\nrecognition.\nDevices such as u-disk using the exfat file system are pluggable and\nmay be inserted into the system at any time.\nHowever, long-term running systems cannot guarantee the continuity of\nphysical memory. Therefore, it's necessary to address this issue.\n\nBinder:2632_6: page allocation failure: order:4,\n mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null)\nCall trace:\n[242178.097582]  dump_backtrace+0x0/0x4\n[242178.097589]  dump_stack+0xf4/0x134\n[242178.097598]  warn_alloc+0xd8/0x144\n[242178.097603]  __alloc_pages_nodemask+0x1364/0x1384\n[242178.097608]  kmalloc_order+0x2c/0x510\n[242178.097612]  kmalloc_order_trace+0x40/0x16c\n[242178.097618]  __kmalloc+0x360/0x408\n[242178.097624]  load_alloc_bitmap+0x160/0x284\n[242178.097628]  exfat_fill_super+0xa3c/0xe7c\n[242178.097635]  mount_bdev+0x2e8/0x3a0\n[242178.097638]  exfat_fs_mount+0x40/0x50\n[242178.097643]  mount_fs+0x138/0x2e8\n[242178.097649]  vfs_kern_mount+0x90/0x270\n[242178.097655]  do_mount+0x798/0x173c\n[242178.097659]  ksys_mount+0x114/0x1ac\n[242178.097665]  __arm64_sys_mount+0x24/0x34\n[242178.097671]  el0_svc_common+0xb8/0x1b8\n[242178.097676]  el0_svc_handler+0x74/0x90\n[242178.097681]  el0_svc+0x8/0x340\n\nBy analyzing the exfat code, we found that continuous physical memory\nis not required here, so using kvmalloc_array solves this problem.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn't yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t <TASK>\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated.  The timer will be started when the first packet is transmitted.\n\nIt shouldn't be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'\n\nSyzbot found the following issue:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000016\nMem abort info:\n  ESR = 0x0000000096000006\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000006\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000\n[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\npc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\nlr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226\nsp : ffff8000126c3800\nx29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000\nx26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000\nx23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000\nx20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0\nx17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500\nx14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500\nx11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500\nx8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]\n ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232\n ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744\n evict+0xec/0x334 fs/inode.c:665\n iput_final fs/inode.c:1748 [inline]\n iput+0x2c4/0x324 fs/inode.c:1774\n ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660\n ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278\n ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x804/0x11c4 fs/namei.c:3688\n do_filp_open+0xdc/0x1b8 fs/namei.c:3718\n do_sys_openat2+0xb8/0x22c fs/open.c:1311\n do_sys_open fs/open.c:1327 [inline]\n __do_sys_openat fs/open.c:1343 [inline]\n __se_sys_openat fs/open.c:1338 [inline]\n __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338\n __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]\n el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142\n do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206\n el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636\n el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654\n el0t_64_sync+0x18c/0x190\nCode: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)\n---[ end trace 0000000000000000 ]---\n\nThe above issue may happen as follows:\nntfs_new_inode\n  mi_init\n    mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory\n      if (!mi->mrec)\n        return -ENOMEM;\niput\n  iput_final\n    evict\n      ntfs_evict_inode\n        ni_write_inode\n\t  is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref\n\nTo solve the above issue, if creating the new inode failed, make the inode bad before calling 'iput()' in\n'ntfs_new_inode()'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work\"\n\nThis reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.\n\nThis patch introduces a possible null-ptr-deref problem. Revert it. The\nbug fixed by this patch has been resolved by commit 73f7b171b7c0 (\"Bluetooth:\nbtsdio: fix use after free bug in btsdio_remove due to race condition\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\n\nWhen specifying an invalid console= device like console=tty3270,\ntty_driver_lookup_tty() returns the tty struct without checking\nwhether index is a valid number.\n\nTo reproduce:\n\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\n-append \"console=ttyS0 console=tty3270\"\n\nThis crashes with:\n\n[    0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\n[    0.771265] #PF: supervisor read access in kernel mode\n[    0.771773] #PF: error_code(0x0000) - not-present page\n[    0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\n[    0.774878] RIP: 0010:tty_open+0x268/0x6f0\n[    0.784013]  chrdev_open+0xbd/0x230\n[    0.784444]  ? cdev_device_add+0x80/0x80\n[    0.784920]  do_dentry_open+0x1e0/0x410\n[    0.785389]  path_openat+0xca9/0x1050\n[    0.785813]  do_filp_open+0xaa/0x150\n[    0.786240]  file_open_name+0x133/0x1b0\n[    0.786746]  filp_open+0x27/0x50\n[    0.787244]  console_on_rootfs+0x14/0x4d\n[    0.787800]  kernel_init_freeable+0x1e4/0x20d\n[    0.788383]  ? rest_init+0xc0/0xc0\n[    0.788881]  kernel_init+0x11/0x120\n[    0.789356]  ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()\n\nFix the below kernel panic due to null pointer access:\n[   18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048\n[   18.513464] Mem abort info:\n[   18.516346]   ESR = 0x0000000096000005\n[   18.520204]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   18.525706]   SET = 0, FnV = 0\n[   18.528878]   EA = 0, S1PTW = 0\n[   18.532117]   FSC = 0x05: level 1 translation fault\n[   18.537138] Data abort info:\n[   18.540110]   ISV = 0, ISS = 0x00000005\n[   18.544060]   CM = 0, WnR = 0\n[   18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000\n[   18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[   18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n**Snip**\n[   18.696758] Call trace:\n[   18.699278]  adreno_gpu_cleanup+0x30/0x88\n[   18.703396]  a6xx_destroy+0xc0/0x130\n[   18.707066]  a6xx_gpu_init+0x308/0x424\n[   18.710921]  adreno_bind+0x178/0x288\n[   18.714590]  component_bind_all+0xe0/0x214\n[   18.718797]  msm_drm_bind+0x1d4/0x614\n[   18.722566]  try_to_bring_up_aggregate_device+0x16c/0x1b8\n[   18.728105]  __component_add+0xa0/0x158\n[   18.732048]  component_add+0x20/0x2c\n[   18.735719]  adreno_probe+0x40/0xc0\n[   18.739300]  platform_probe+0xb4/0xd4\n[   18.743068]  really_probe+0xfc/0x284\n[   18.746738]  __driver_probe_device+0xc0/0xec\n[   18.751129]  driver_probe_device+0x48/0x110\n[   18.755421]  __device_attach_driver+0xa8/0xd0\n[   18.759900]  bus_for_each_drv+0x90/0xdc\n[   18.763843]  __device_attach+0xfc/0x174\n[   18.767786]  device_initial_probe+0x20/0x2c\n[   18.772090]  bus_probe_device+0x40/0xa0\n[   18.776032]  deferred_probe_work_func+0x94/0xd0\n[   18.780686]  process_one_work+0x190/0x3d0\n[   18.784805]  worker_thread+0x280/0x3d4\n[   18.788659]  kthread+0x104/0x1c0\n[   18.791981]  ret_from_fork+0x10/0x20\n[   18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516)\n[   18.801913] ---[ end trace 0000000000000000 ]---\n[   18.809039] Kernel panic - not syncing: Oops: Fatal exception\n\nPatchwork: https://patchwork.freedesktop.org/patch/515605/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: always release netdev hooks from notifier\n\nThis reverts \"netfilter: nf_tables: skip netdev events generated on netns removal\".\n\nThe problem is that when a veth device is released, the veth release\ncallback will also queue the peer netns device for removal.\n\nIt's possible that the peer netns is also slated for removal.  In this\ncase, the device memory is already released before the pre_exit hook of\nthe peer netns runs:\n\nBUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0\nRead of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45\nWorkqueue: netns cleanup_net\nCall Trace:\n nf_hook_entry_head+0x1b8/0x1d0\n __nf_unregister_net_hook+0x76/0x510\n nft_netdev_unregister_hooks+0xa0/0x220\n __nft_release_hook+0x184/0x490\n nf_tables_pre_exit_net+0x12f/0x1b0\n ..\n\nOrder is:\n1. First netns is released, veth_dellink() queues peer netns device\n   for removal\n2. peer netns is queued for removal\n3. peer netns device is released, unreg event is triggered\n4. unreg event is ignored because netns is going down\n5. pre_exit hook calls nft_netdev_unregister_hooks but device memory\n   might be free'd already.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix wrong resources deallocation order\n\nWhen trying to destroy QP or CQ, we first decrease the refcount and\npotentially free memory regions allocated for the object and then\nrequest the device to destroy the object. If the device fails, the\nobject isn't fully destroyed so the user/IB core can try to destroy the\nobject again which will lead to underflow when trying to decrease an\nalready zeroed refcount.\n\nDeallocate resources in reverse order of allocating them to safely free\nthem.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: fix race condition UAF in i915_perf_add_config_ioctl\n\nUserspace can guess the id value and try to race oa_config object creation\nwith config remove, resulting in a use-after-free if we dereference the\nobject after unlocking the metrics_lock.  For that reason, unlocking the\nmetrics_lock must be done after we are done dereferencing the object.\n\n[tursulin: Manually added stable tag.]\n(cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr\n\nWhen smb1 mount fails, KASAN detects slab-out-of-bounds in\ninit_smb2_rsp_hdr like the following one.\nFor smb1 negotiate (56 bytes), init_smb2_rsp_hdr() for smb2 is called.\nThe issue occurs while handling smb1 negotiate as smb2 server operations.\nAdd smb server operations for smb1 (get_cmd_val, init_rsp_hdr,\nallocate_rsp_buf, check_user_session) to handle smb1 negotiate so that\nsmb2 server operation does not handle it.\n\n[  411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is\nnot recommended unless required for access to very old servers\n[  411.400452] CIFS: Attempting to mount \\\\192.168.45.139\\homes\n[  411.479312] ksmbd: init_smb2_rsp_hdr : 492\n[  411.479323] ==================================================================\n[  411.479327] BUG: KASAN: slab-out-of-bounds in\ninit_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]\n[  411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199\n\n[  411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G\n OE      6.1.21 #3\n[  411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8\nSeries/Z10PA-D8 Series, BIOS 3801 08/23/2019\n[  411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]\n[  411.479425] Call Trace:\n[  411.479428]  <TASK>\n[  411.479432]  dump_stack_lvl+0x49/0x63\n[  411.479444]  print_report+0x171/0x4a8\n[  411.479452]  ? kasan_complete_mode_report_info+0x3c/0x200\n[  411.479463]  ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]\n[  411.479497]  kasan_report+0xb4/0x130\n[  411.479503]  ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]\n[  411.479537]  kasan_check_range+0x149/0x1e0\n[  411.479543]  memcpy+0x24/0x70\n[  411.479550]  init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]\n[  411.479585]  handle_ksmbd_work+0x109/0x760 [ksmbd]\n[  411.479616]  ? _raw_spin_unlock_irqrestore+0x50/0x50\n[  411.479624]  ? smb3_encrypt_resp+0x340/0x340 [ksmbd]\n[  411.479656]  process_one_work+0x49c/0x790\n[  411.479667]  worker_thread+0x2b1/0x6e0\n[  411.479674]  ? process_one_work+0x790/0x790\n[  411.479680]  kthread+0x177/0x1b0\n[  411.479686]  ? kthread_complete_and_exit+0x30/0x30\n[  411.479692]  ret_from_fork+0x22/0x30\n[  411.479702]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2.11"
        },
        {
          "id": "CVE-2023-54204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sunplus: fix return value check of mmc_add_host()\n\nmmc_add_host() may return an error; if we ignore its return value,\n1. the memory allocated in mmc_alloc_host() will be leaked\n2. a null-ptr-deref will happen when calling mmc_remove_host()\nin the remove function spmmc_drv_remove(), because it deletes a device\nthat was never added.\n\nFix this by checking the return value of mmc_add_host(). Moreover,\nI fixed the error handling path of spmmc_drv_probe() to clean up.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain\n\nof_irq_find_parent() returns a node pointer with refcount incremented.\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: fix filter idr initialization\n\nThe cited commit moved idr initialization too early in fl_change() which\nallows concurrent users to access the filter that is still being\ninitialized and is in inconsistent state, which, in turn, can cause NULL\npointer dereference [0]. Since there is no obvious way to fix the ordering\nwithout reverting the whole cited commit, an alternative approach is taken:\nfirst insert a NULL pointer into the idr in order to allocate the handle but\nstill cause fl_get() to return NULL and prevent concurrent users from\nseeing the filter, while providing the miss-to-action infrastructure with a valid\nhandle id early in fl_change().\n\n[  152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\n[  152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[  152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5\n[  152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]\n[  152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57\n[  152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246\n[  152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[  152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900\n[  152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240\n[  152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900\n[  152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738\n[  152.448756] FS:  00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000\n[  152.449888] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0\n[  152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  152.453588] Call Trace:\n[  152.454032]  <TASK>\n[  152.454447]  ? netlink_sendmsg+0x7a1/0xcb0\n[  152.455109]  ? sock_sendmsg+0xc5/0x190\n[  152.455689]  ? ____sys_sendmsg+0x535/0x6b0\n[  152.456320]  ? ___sys_sendmsg+0xeb/0x170\n[  152.456916]  ? do_syscall_64+0x3d/0x90\n[  152.457529]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  152.458321]  ? ___sys_sendmsg+0xeb/0x170\n[  152.458958]  ? __sys_sendmsg+0xb5/0x140\n[  152.459564]  ? do_syscall_64+0x3d/0x90\n[  152.460122]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  152.460852]  ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]\n[  152.461710]  ? _raw_spin_lock+0x7a/0xd0\n[  152.462299]  ? _raw_read_lock_irq+0x30/0x30\n[  152.462924]  ? nla_put+0x15e/0x1c0\n[  152.463480]  fl_dump+0x228/0x650 [cls_flower]\n[  152.464112]  ? fl_tmplt_dump+0x210/0x210 [cls_flower]\n[  152.464854]  ? __kmem_cache_alloc_node+0x1a7/0x330\n[  152.465592]  ? nla_put+0x15e/0x1c0\n[  152.466160]  tcf_fill_node+0x515/0x9a0\n[  152.466766]  ? tc_setup_offload_action+0xf0/0xf0\n[  152.467463]  ? __alloc_skb+0x13c/0x2a0\n[  152.468067]  ? __build_skb_around+0x330/0x330\n[  152.468814]  ? fl_get+0x107/0x1a0 [cls_flower]\n[  152.469503]  tc_del_tfilter+0x718/0x1330\n[  152.470115]  ? is_bpf_text_address+0xa/0x20\n[  152.470765]  ? tc_ctl_chain+0xee0/0xee0\n[  152.471335]  ? __kernel_text_address+0xe/0x30\n[  152.471948]  ? unwind_get_return_address+0x56/0xa0\n[  152.472639]  ? __thaw_task+0x150/0x150\n[  152.473218]  ? arch_stack_walk+0x98/0xf0\n[  152.473839]  ? __stack_depot_save+0x35/0x4c0\n[  152.474501]  ? stack_trace_save+0x91/0xc0\n[  152.475119]  ? security_capable+0x51/0x90\n[  152.475741]  rtnetlink_rcv_msg+0x2c1/0x9d0\n[  152.476387]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  152.477042]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ov5675: Fix memleak in ov5675_init_controls()\n\nThere is a kmemleak when testing the media/i2c/ov5675.c with bpf mock\ndevice:\n\nAssertionError: unreferenced object 0xffff888107362160 (size 16):\n  comm \"python3\", pid 277, jiffies 4294832798 (age 20.722s)\n  hex dump (first 16 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0\n    [<000000008a725aac>] kvmalloc_node+0x34/0x180\n    [<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180\n[videodev]\n    [<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675]\n    [<00000000153d886c>] i2c_device_probe+0x28d/0x680\n    [<000000004afb7e8f>] really_probe+0x17c/0x3f0\n    [<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170\n    [<000000000a001029>] driver_probe_device+0x49/0x120\n    [<00000000e39743c7>] __device_attach_driver+0xf7/0x150\n    [<00000000d32fd070>] bus_for_each_drv+0x114/0x180\n    [<000000009083ac41>] __device_attach+0x1e5/0x2d0\n    [<0000000015b4a830>] bus_probe_device+0x126/0x140\n    [<000000007813deaf>] device_add+0x810/0x1130\n    [<000000007becb867>] i2c_new_client_device+0x386/0x540\n    [<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110\n    [<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0\n\nov5675_init_controls() won't clean all the allocated resources in the fail\npath, which may cause the memleaks. Add v4l2_ctrl_handler_free() to\nprevent memleak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix blktrace debugfs entries leakage\n\nCommit 99d055b4fd4b (\"block: remove per-disk debugfs files in\nblk_unregister_queue\") moves blk_trace_shutdown() from\nblk_release_queue() to blk_unregister_queue(); this is safe if blktrace\nis created through sysfs, however, there is a regression in a corner\ncase.\n\nblktrace can still be enabled after del_gendisk() through ioctl if\nthe disk is opened before del_gendisk(), and if blktrace is not shutdown\nthrough ioctl before closing the disk, debugfs entries will be leaked.\n\nFix this problem by shutting down blktrace in disk_release(); this is safe\nbecause blk_trace_remove() is reentrant.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()\n\nKASAN reports that there's a use-after-free in\nhci_remove_adv_monitor(). Trawling through the disassembly, you can\nsee that the complaint is from the access in bt_dev_dbg() under the\nHCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because\nmsft_remove_monitor() can end up freeing the monitor\nstructure. Specifically:\n  hci_remove_adv_monitor() ->\n  msft_remove_monitor() ->\n  msft_remove_monitor_sync() ->\n  msft_le_cancel_monitor_advertisement_cb() ->\n  hci_free_adv_monitor()\n\nLet's fix the problem by just stashing the relevant data when it's\nstill valid.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix warning in trace_buffered_event_disable()\n\nWarning happened in trace_buffered_event_disable() at\n  WARN_ON_ONCE(!trace_buffered_event_ref)\n\n  Call Trace:\n   ? __warn+0xa5/0x1b0\n   ? trace_buffered_event_disable+0x189/0x1b0\n   __ftrace_event_enable_disable+0x19e/0x3e0\n   free_probe_data+0x3b/0xa0\n   unregister_ftrace_function_probe_func+0x6b8/0x800\n   event_enable_func+0x2f0/0x3d0\n   ftrace_process_regex.isra.0+0x12d/0x1b0\n   ftrace_filter_write+0xe6/0x140\n   vfs_write+0x1c9/0x6f0\n   [...]\n\nThe cause of the warning is in __ftrace_event_enable_disable():\ntrace_buffered_event_enable() was called once while\ntrace_buffered_event_disable() was called twice.\nThe reproduction script is shown below; for analysis, see the comments:\n ```\n #!/bin/bash\n\n cd /sys/kernel/tracing/\n\n # 1. Register a 'disable_event' command, then:\n #    1) SOFT_DISABLED_BIT was set;\n #    2) trace_buffered_event_enable() was called first time;\n echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \\\n     set_ftrace_filter\n\n # 2. Enable the event registered, then:\n #    1) SOFT_DISABLED_BIT was cleared;\n #    2) trace_buffered_event_disable() was called first time;\n echo 1 > events/initcall/initcall_finish/enable\n\n # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was\n #    set again!!!\n cat /proc/cmdline\n\n # 4. Unregister the 'disable_event' command, then:\n #    1) SOFT_DISABLED_BIT was cleared again;\n #    2) trace_buffered_event_disable() was called second time!!!\n echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \\\n     set_ftrace_filter\n ```\n\nTo fix it, IIUC, we can change to call trace_buffered_event_enable() the\nfirst time soft-mode is enabled, and call trace_buffered_event_disable() the\nlast time soft-mode is disabled.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: sisusbvga: Add endpoint checks\n\nThe syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:\n\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95\nRBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003\nR13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600\nFS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]\n sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379\n sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]\n sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]\n sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177\n sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869\n...\n\nThe problem was caused by the fact that the driver does not check\nwhether the endpoints it uses are actually present and have the\nappropriate types.  This can be fixed by adding a simple check of\nthe endpoints.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix potential use-after-free\n\nThis fixes all instances which require allocating a buffer by calling\nalloc_skb, which may release the chan lock and reacquire it later, making\nit possible that the chan is disconnected in the meantime.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs()\n\nFree the cpumask allocated by create_affinity_masks() before returning\nfrom the function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix using eswitch mapping in nic mode\n\nCited patch is using the eswitch object mapping pool while\nin nic mode where it isn't initialized. This results in the\ntrace below [0].\n\nFix that by using either nic or eswitch object mapping pool\ndepending if eswitch is enabled or not.\n\n[0]:\n[  826.446057] ==================================================================\n[  826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233\n\n[  826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G        W          6.3.0-rc6+ #1\n[  826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  826.449785] Call Trace:\n[  826.450052]  <TASK>\n[  826.450302]  dump_stack_lvl+0x33/0x50\n[  826.450650]  print_report+0xc2/0x610\n[  826.450998]  ? __virt_addr_valid+0xb1/0x130\n[  826.451385]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.451935]  kasan_report+0xae/0xe0\n[  826.452276]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.452829]  mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.453368]  ? __kmalloc_node+0x5a/0x120\n[  826.453733]  esw_add_restore_rule+0x20f/0x270 [mlx5_core]\n[  826.454288]  ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]\n[  826.455011]  ? mutex_unlock+0x80/0xd0\n[  826.455361]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.455862]  ? mapping_add+0x2cb/0x440 [mlx5_core]\n[  826.456425]  mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]\n[  826.457058]  ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]\n[  826.457636]  ? __kasan_kmalloc+0x77/0x90\n[  826.458000]  ? __kmalloc+0x57/0x120\n[  826.458336]  mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]\n[  826.458916]  ? ct_kernel_enter.constprop.0+0x48/0xa0\n[  826.459360]  ? 
mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]\n[  826.459933]  ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]\n[  826.460507]  ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]\n[  826.461046]  ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]\n[  826.461635]  mlx5e_configure_flower+0x969/0x2110 [mlx5_core]\n[  826.462217]  ? _raw_spin_lock_bh+0x85/0xe0\n[  826.462597]  ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]\n[  826.463163]  ? kasan_save_stack+0x2e/0x40\n[  826.463534]  ? down_read+0x115/0x1b0\n[  826.463878]  ? down_write_killable+0x110/0x110\n[  826.464288]  ? tc_setup_action.part.0+0x9f/0x3b0\n[  826.464701]  ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]\n[  826.465253]  ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]\n[  826.465878]  tc_setup_cb_add+0x112/0x250\n[  826.466247]  fl_hw_replace_filter+0x230/0x310 [cls_flower]\n[  826.466724]  ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]\n[  826.467212]  fl_change+0x14e1/0x2030 [cls_flower]\n[  826.467636]  ? sock_def_readable+0x89/0x120\n[  826.468019]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.468509]  ? kasan_unpoison+0x23/0x50\n[  826.468873]  ? get_random_u16+0x180/0x180\n[  826.469244]  ? __radix_tree_lookup+0x2b/0x130\n[  826.469640]  ? fl_get+0x7b/0x140 [cls_flower]\n[  826.470042]  ? fl_mask_put+0x200/0x200 [cls_flower]\n[  826.470478]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.470973]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.471427]  tc_new_tfilter+0x644/0x1050\n[  826.471795]  ? tc_get_tfilter+0x860/0x860\n[  826.472170]  ? __thaw_task+0x130/0x130\n[  826.472525]  ? arch_stack_walk+0x98/0xf0\n[  826.472892]  ? cap_capable+0x9f/0xd0\n[  826.473235]  ? security_capable+0x47/0x60\n[  826.473608]  rtnetlink_rcv_msg+0x1d5/0x550\n[  826.473985]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  826.474383]  ? __stack_depot_save+0x35/0x4c0\n[  826.474779]  ? kasan_save_stack+0x2e/0x40\n[  826.475149]  ? kasan_save_stack+0x1e/0x40\n[  826.475518]  ? 
__kasan_record_aux_stack+0x9f/0xb0\n[  826.475939]  ? task_work_add+0x77/0x1c0\n[  826.476305]  netlink_rcv_skb+0xe0/0x210\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/msm: Add missing check and destroy for alloc_ordered_workqueue\"\n\nThis reverts commit 643b7d0869cc7f1f7a5ac7ca6bd25d88f54e31d0.\n\nA recent patch that tried to fix up the msm_drm_init() paths with\nrespect to the workqueue but only ended up making things worse:\n\nFirst, the newly added calls to msm_drm_uninit() on early errors would\ntrigger NULL-pointer dereferences, for example, as the kms pointer would\nnot have been initialised. (Note that these paths were also modified by\na second broken error handling patch which in effect cancelled out this\npart when merged.)\n\nSecond, the newly added allocation sanity check would still leak the\npreviously allocated drm device.\n\nInstead of trying to salvage what was badly broken (and clearly not\ntested), let's revert the bad commit so that clean and backportable\nfixes can be added in its place.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525107/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().\n\nKCSAN found a data race in sock_recv_cmsgs() where the read access\nto sk->sk_stamp needs READ_ONCE().\n\nBUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg\n\nwrite (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0:\n sock_write_timestamp include/net/sock.h:2670 [inline]\n sock_recv_cmsgs include/net/sock.h:2722 [inline]\n packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:1019 [inline]\n sock_recvmsg+0x11a/0x130 net/socket.c:1040\n sock_read_iter+0x176/0x220 net/socket.c:1118\n call_read_iter include/linux/fs.h:1845 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x5e0/0x630 fs/read_write.c:470\n ksys_read+0x163/0x1a0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x41/0x50 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1:\n sock_recv_cmsgs include/net/sock.h:2721 [inline]\n packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:1019 [inline]\n sock_recvmsg+0x11a/0x130 net/socket.c:1040\n sock_read_iter+0x176/0x220 net/socket.c:1118\n call_read_iter include/linux/fs.h:1845 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x5e0/0x630 fs/read_write.c:470\n ksys_read+0x163/0x1a0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x41/0x50 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0xffffffffc4653600 -> 
0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"IB/isert: Fix incorrect release of isert connection\"\n\nCommit: 699826f4e30a (\"IB/isert: Fix incorrect release of isert connection\") is\ncausing problems on OPA when DEVICE_REMOVAL is happening.\n\n ------------[ cut here ]------------\n WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359\nib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc\nscsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs\nrfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod\nopa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm\nib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core\nx86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt\nipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma\nintel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter\nacpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul\ncrc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci\nghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse\n CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1\n Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS\nSE5C610.86B.01.01.0014.121820151719 12/18/2015\n RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83\nc4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1\n90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f\n RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206\n RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d\n RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640\n RBP: ffff9bf5c7e67600 R08: 
ffff9bf5c7e64400 R09: 000000008020001d\n R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18\n R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38\n FS:  00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  ? __warn+0x80/0x130\n  ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n  ? report_bug+0x195/0x1a0\n  ? handle_bug+0x3c/0x70\n  ? exc_invalid_op+0x14/0x70\n  ? asm_exc_invalid_op+0x16/0x20\n  ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n  disable_device+0x9d/0x160 [ib_core]\n  __ib_unregister_device+0x42/0xb0 [ib_core]\n  ib_unregister_device+0x22/0x30 [ib_core]\n  rvt_unregister_device+0x20/0x90 [rdmavt]\n  hfi1_unregister_ib_device+0x16/0xf0 [hfi1]\n  remove_one+0x55/0x1a0 [hfi1]\n  pci_device_remove+0x36/0xa0\n  device_release_driver_internal+0x193/0x200\n  driver_detach+0x44/0x90\n  bus_remove_driver+0x69/0xf0\n  pci_unregister_driver+0x2a/0xb0\n  hfi1_mod_cleanup+0xc/0x3c [hfi1]\n  __do_sys_delete_module.constprop.0+0x17a/0x2f0\n  ? exit_to_user_mode_prepare+0xc4/0xd0\n  ? syscall_trace_enter.constprop.0+0x126/0x1a0\n  do_syscall_64+0x5c/0x90\n  ? syscall_exit_to_user_mode+0x12/0x30\n  ? do_syscall_64+0x69/0x90\n  ? syscall_exit_work+0x103/0x130\n  ? syscall_exit_to_user_mode+0x12/0x30\n  ? do_syscall_64+0x69/0x90\n  ? 
exc_page_fault+0x65/0x150\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7ff1e643f5ab\n Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3\n66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0\nff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab\n RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8\n RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000\n R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8\n R13: 00000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix oops for port->pm on uart_change_pm()\n\nUnloading a hardware specific 8250 driver can produce error \"Unable to\nhandle kernel paging request at virtual address\" about ten seconds after\nunloading the driver. This happens on uart_hangup() calling\nuart_change_pm().\n\nTurns out commit 04e82793f068 (\"serial: 8250: Reinit port->pm on port\nspecific driver unbind\") was only a partial fix. If the hardware specific\ndriver has initialized port->pm function, we need to clear port->pm too.\nJust reinitializing port->ops does not do this. Otherwise serial8250_pm()\nwill call port->pm() instead of serial8250_do_pm().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe\n\nIn function probe(), it returns directly without unregistered hws\nwhen error occurs.\n\nFix this by adding 'goto unregister_hws;' on line 295 and\nline 310.\n\nUse devm_kzalloc() instead of kzalloc() to automatically\nfree the memory using devm_kfree() when error occurs.\n\nReplace of_iomap() with devm_of_iomap() to automatically\nhandle the unused ioremap region and delete 'iounmap(anatop_base);'\nin unregister_hws.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhte: tegra-194: Fix off by one in tegra_hte_map_to_line_id()\n\nThe \"map_sz\" is the number of elements in the \"m\" array so the >\ncomparison needs to be changed to >= to prevent an out of bounds\nread.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: xsk: Fix invalid buffer access for legacy rq\n\nThe below crash can be encountered when using xdpsock in rx mode for\nlegacy rq: the buffer gets released in the XDP_REDIRECT path, and then\nonce again in the driver. This fix sets the flag to avoid releasing on\nthe driver side.\n\nXSK handling of buffers for legacy rq was relying on the caller to set\nthe skip release flag. But the referenced fix started using fragment\ncounts for pages instead of the skip flag.\n\nCrash log:\n general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP\n CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28\n Code:  ...\n RSP: 0018:ffff88810082fc98 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc\n RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901\n RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006\n R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000\n R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00\n FS:  0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? die_addr+0x32/0x80\n  ? exc_general_protection+0x192/0x390\n  ? asm_exc_general_protection+0x22/0x30\n  ? 0xffffffffa000b514\n  ? bpf_prog_03b13f331978c78c+0xf/0x28\n  mlx5e_xdp_handle+0x48/0x670 [mlx5_core]\n  ? 
dev_gro_receive+0x3b5/0x6e0\n  mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core]\n  mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core]\n  mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]\n  mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core]\n  __napi_poll+0x25/0x1a0\n  net_rx_action+0x28a/0x300\n  __do_softirq+0xcd/0x279\n  ? sort_range+0x20/0x20\n  run_ksoftirqd+0x1a/0x20\n  smpboot_thread_fn+0xa2/0x130\n  kthread+0xc9/0xf0\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  </TASK>\n Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.10"
        },
        {
          "id": "CVE-2023-54224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node's mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node's mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n  ------------------------------------------------------\n  syz-executor.2/13257 is trying to acquire lock:\n  ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n  but task is already holding lock:\n  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -> #1 (btrfs-tree-00){++++}-{3:3}:\n         __lock_release kernel/locking/lockdep.c:5475 [inline]\n         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n         up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n         search_leaf fs/btrfs/ctree.c:1986 [inline]\n         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n         
btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n         kthread+0x2b8/0x350 kernel/kthread.c:389\n         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n  -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n         __mutex_lock kernel/locking/mutex.c:747 [inline]\n         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n         vfs_fsync_range fs/sync.c:188 [inline]\n         vfs_fsync fs/sync.c:202 [inline]\n         do_fsync fs/sync.c:212 [inline]\n         __do_sys_fsync fs/sync.c:220 [inline]\n         __se_sys_fsync fs/sync.c:218 [inline]\n         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 
arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info that\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipa: only reset hashed tables when supported\n\nLast year, the code that manages GSI channel transactions switched\nfrom using spinlock-protected linked lists to using indexes into the\nring buffer used for a channel.  Recently, Google reported seeing\ntransaction reference count underflows occasionally during shutdown.\n\nDoug Anderson found a way to reproduce the issue reliably, and\nbisected the issue to the commit that eliminated the linked lists\nand the lock.  The root cause was ultimately determined to be\nrelated to unused transactions being committed as part of the modem\nshutdown cleanup activity.  Unused transactions are not normally\nexpected (except in error cases).\n\nThe modem uses some ranges of IPA-resident memory, and whenever it\nshuts down we zero those ranges.  In ipa_filter_reset_table() a\ntransaction is allocated to zero modem filter table entries.  If\nhashing is not supported, hashed table memory should not be zeroed.\nBut currently nothing prevents that, and the result is an unused\ntransaction.  Something similar occurs when we zero routing table\nentries for the modem.\n\nBy preventing any attempt to clear hashed tables when hashing is not\nsupported, the reference count underflow is avoided in this case.\n\nNote that there likely remains an issue with properly freeing unused\ntransactions (if they occur due to errors).  This patch addresses\nonly the underflows that Google originally reported.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races around sk->sk_shutdown.\n\nKCSAN found a data race around sk->sk_shutdown where unix_release_sock()\nand unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()\nand unix_dgram_poll() read it locklessly.\n\nWe need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().\n\nBUG: KCSAN: data-race in unix_poll / unix_release_sock\n\nwrite to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:\n unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631\n unix_release+0x59/0x80 net/unix/af_unix.c:1042\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1397\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:\n unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170\n sock_poll+0xcf/0x2b0 net/socket.c:1385\n vfs_poll include/linux/poll.h:88 [inline]\n ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855\n ep_send_events fs/eventpoll.c:1694 [inline]\n ep_poll fs/eventpoll.c:1823 [inline]\n do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258\n __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]\n __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]\n __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00 -> 
0x03\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix tags leak when shrink nr_hw_queues\n\nAlthough we don't need to realloc set->tags[] when shrink nr_hw_queues,\nwe need to free them. Or these tags will be leaked.\n\nHow to reproduce:\n1. mount -t configfs configfs /mnt\n2. modprobe null_blk nr_devices=0 submit_queues=8\n3. mkdir /mnt/nullb/nullb0\n4. echo 1 > /mnt/nullb/nullb0/power\n5. echo 4 > /mnt/nullb/nullb0/submit_queues\n6. rmdir /mnt/nullb/nullb0\n\nIn step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then\nin step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue).\nAt last in step 6, only these 5 tags are freed, the other 4 tags leaked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: raa215300: Fix resource leak in case of error\n\nThe clk_register_clkdev() allocates memory by calling vclkdev_alloc() and\nthis memory is not freed in the error path. Similarly, resources allocated\nby clk_register_fixed_rate() are not freed in the error path.\n\nFix these issues by using devm_clk_hw_register_fixed_rate() and\ndevm_clk_hw_register_clkdev().\n\nAfter this, the static variable clk is not needed. Replace it with\nlocal variable hw in probe() and drop calling clk_unregister_fixed_rate()\nfrom raa215300_rtc_unregister_device().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix registration of 6Ghz-only phy without the full channel range\n\nBecause of what seems to be a typo, a 6Ghz-only phy for which the BDF\ndoes not allow the 7115Mhz channel will fail to register:\n\n  WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954\n  Modules linked in: ath11k_pci sbsa_gwdt\n  CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9\n  Hardware name: Freebox V7R Board (DT)\n  Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work\n  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : wiphy_register+0x914/0x954\n  lr : ieee80211_register_hw+0x67c/0xc10\n  sp : ffffff800b123aa0\n  x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000\n  x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418\n  x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168\n  x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014\n  x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f\n  x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd\n  x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718\n  x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006\n  x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284\n  x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n   wiphy_register+0x914/0x954\n   ieee80211_register_hw+0x67c/0xc10\n   ath11k_mac_register+0x7c4/0xe10\n   ath11k_core_qmi_firmware_ready+0x1f4/0x570\n   ath11k_qmi_driver_event_work+0x198/0x590\n   process_one_work+0x1b8/0x328\n   worker_thread+0x6c/0x414\n   kthread+0x100/0x104\n   ret_from_fork+0x10/0x20\n  ---[ end trace 0000000000000000 ]---\n  ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22\n  ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22\n  ath11k_pci 0002:01:00.0: failed to create pdev core: -22",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namba: bus: fix refcount leak\n\ncommit 5de1540b7bc4 (\"drivers/amba: create devices from device tree\")\nincreases the refcount of of_node, but does not release it in\namba_device_release, so there is a refcount leak. Use of_node_put\nto avoid the refcount leak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: fix memory leak in wx_setup_rx_resources\n\nWhen wx_alloc_page_pool() fails in wx_setup_rx_resources(), it doesn't\nrelease the DMA buffer. Add dma_free_coherent() in the error path to release\nthe DMA buffer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Only force 030 bus error if PC not in exception table\n\n__get_kernel_nofault() does copy data in supervisor mode when\nforcing a task backtrace log through /proc/sysrq_trigger.\nThis is expected to cause a bus error exception on e.g. NULL\npointer dereferencing when logging a kernel task has no\nworkqueue associated. This bus error ought to be ignored.\n\nOur 030 bus error handler is ill equipped to deal with this:\n\nWhenever ssw indicates a kernel mode access on a data fault,\nwe don't even attempt to handle the fault and instead always\nsend a SEGV signal (or panic). As a result, the check\nfor exception handling at the fault PC (buried in\nsend_sig_fault() which gets called from do_page_fault()\neventually) is never used.\n\nIn contrast, both 040 and 060 access error handlers do not\ncare whether a fault happened on supervisor mode access,\nand will call do_page_fault() on those, ultimately honoring\nthe exception table.\n\nAdd a check in bus_error030 to call do_page_fault() in case\nwe do have an entry for the fault PC in our exception table.\n\nI had attempted a fix for this earlier in 2019 that did rely\non testing pagefault_disabled() (see link below) to achieve\nthe same thing, but this patch should be more generic.\n\nTested on 030 Atari Falcon.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: avoid a NULL dereference with unsupported widgets\n\nIf an IPC4 topology contains an unsupported widget, its .module_info\nfield won't be set, then sof_ipc4_route_setup() will cause a kernel\nOops trying to dereference it. Add a check for such cases.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization\n\nCommit c1af985d27da (\"scsi: mpi3mr: Add Event acknowledgment logic\")\nintroduced an array mrioc->evtack_cmds but initialization of the array\nelements was missed. They are just zero cleared. The function\nmpi3mr_complete_evt_ack() refers to the host_tag field of the elements. Due to the\nzero value of the host_tag field, the function calls clear_bit() for\nmrioc->evtack_cmds_bitmap with wrong bit index. This results in memory\naccess to invalid address and \"BUG: KASAN: use-after-free\". This BUG was\nobserved at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add\nthe missing initialization of mrioc->evtack_cmds.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DOE: Fix destroy_work_on_stack() race\n\nThe following debug object splat was observed in testing:\n\n  ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510\n  WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0\n  ...\n  Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work\n  RIP: 0010:debug_print_object+0x7d/0xb0\n  ...\n  Call Trace:\n   ? debug_print_object+0x7d/0xb0\n   ? __pfx_doe_statemachine_work+0x10/0x10\n   debug_object_free.part.0+0x11b/0x150\n   doe_statemachine_work+0x45e/0x510\n   process_one_work+0x1d4/0x3c0\n\nThis occurs because destroy_work_on_stack() was called after signaling\nthe completion in the calling thread.  This creates a race between\ndestroy_work_on_stack() and the task->work struct going out of scope in\npci_doe().\n\nSignal the work complete after destroying the work struct.  This is safe\nbecause signal_task_complete() is the final thing the work item does and\nthe workqueue code is careful not to access the work struct after.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/net_failover: fix txq exceeding warning\n\nThe failover txq is inited as 16 queues.\nWhen a packet is transmitted from the failover device firstly,\nthe failover device will select the queue which is returned from\nthe primary device if the primary device is UP and running.\nIf the primary device txq is bigger than the default 16,\nit can lead to the following warning:\neth0 selects TX queue 18, but real number of TX queues is 16\n\nThe warning backtrace is:\n[   32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G            E      6.2.8-1.el7.centos.x86_64 #1\n[   32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014\n[   32.147730] Call Trace:\n[   32.147971]  <TASK>\n[   32.148183]  dump_stack_lvl+0x48/0x70\n[   32.148514]  dump_stack+0x10/0x20\n[   32.148820]  netdev_core_pick_tx+0xb1/0xe0\n[   32.149180]  __dev_queue_xmit+0x529/0xcf0\n[   32.149533]  ? __check_object_size.part.0+0x21c/0x2c0\n[   32.149967]  ip_finish_output2+0x278/0x560\n[   32.150327]  __ip_finish_output+0x1fe/0x2f0\n[   32.150690]  ip_finish_output+0x2a/0xd0\n[   32.151032]  ip_output+0x7a/0x110\n[   32.151337]  ? __pfx_ip_finish_output+0x10/0x10\n[   32.151733]  ip_local_out+0x5e/0x70\n[   32.152054]  ip_send_skb+0x19/0x50\n[   32.152366]  udp_send_skb.isra.0+0x163/0x3a0\n[   32.152736]  udp_sendmsg+0xba8/0xec0\n[   32.153060]  ? __folio_memcg_unlock+0x25/0x60\n[   32.153445]  ? __pfx_ip_generic_getfrag+0x10/0x10\n[   32.153854]  ? sock_has_perm+0x85/0xa0\n[   32.154190]  inet_sendmsg+0x6d/0x80\n[   32.154508]  ? inet_sendmsg+0x6d/0x80\n[   32.154838]  sock_sendmsg+0x62/0x70\n[   32.155152]  ____sys_sendmsg+0x134/0x290\n[   32.155499]  ___sys_sendmsg+0x81/0xc0\n[   32.155828]  ? _get_random_bytes.part.0+0x79/0x1a0\n[   32.156240]  ? ip4_datagram_release_cb+0x5f/0x1e0\n[   32.156649]  ? get_random_u16+0x69/0xf0\n[   32.156989]  ? __fget_light+0xcf/0x110\n[   32.157326]  __sys_sendmmsg+0xc4/0x210\n[   32.157657]  ? __sys_connect+0xb7/0xe0\n[   32.157995]  ? __audit_syscall_entry+0xce/0x140\n[   32.158388]  ? syscall_trace_enter.isra.0+0x12c/0x1a0\n[   32.158820]  __x64_sys_sendmmsg+0x24/0x30\n[   32.159171]  do_syscall_64+0x38/0x90\n[   32.159493]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix that by reducing txq number as the non-existent primary-dev does.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix potential panic due to unprotected smc_llc_srv_add_link()\n\nThere is a certain chance to trigger the following panic:\n\nPID: 5900   TASK: ffff88c1c8af4100  CPU: 1   COMMAND: \"kworker/1:48\"\n #0 [ffff9456c1cc79a0] machine_kexec at ffffffff870665b7\n #1 [ffff9456c1cc79f0] __crash_kexec at ffffffff871b4c7a\n #2 [ffff9456c1cc7ab0] crash_kexec at ffffffff871b5b60\n #3 [ffff9456c1cc7ac0] oops_end at ffffffff87026ce7\n #4 [ffff9456c1cc7ae0] page_fault_oops at ffffffff87075715\n #5 [ffff9456c1cc7b58] exc_page_fault at ffffffff87ad0654\n #6 [ffff9456c1cc7b80] asm_exc_page_fault at ffffffff87c00b62\n    [exception RIP: ib_alloc_mr+19]\n    RIP: ffffffffc0c9cce3  RSP: ffff9456c1cc7c38  RFLAGS: 00010202\n    RAX: 0000000000000000  RBX: 0000000000000002  RCX: 0000000000000004\n    RDX: 0000000000000010  RSI: 0000000000000000  RDI: 0000000000000000\n    RBP: ffff88c1ea281d00   R8: 000000020a34ffff   R9: ffff88c1350bbb20\n    R10: 0000000000000000  R11: 0000000000000001  R12: 0000000000000000\n    R13: 0000000000000010  R14: ffff88c1ab040a50  R15: ffff88c1ea281d00\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #7 [ffff9456c1cc7c60] smc_ib_get_memory_region at ffffffffc0aff6df [smc]\n #8 [ffff9456c1cc7c88] smcr_buf_map_link at ffffffffc0b0278c [smc]\n #9 [ffff9456c1cc7ce0] __smc_buf_create at ffffffffc0b03586 [smc]\n\nThe reason here is that when the server tries to create a second link,\nsmc_llc_srv_add_link() has no protection and may add a new link to\nlink group. This breaks the security environment protected by\nllc_conf_mutex.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: fix skb leak while fifo resync and push\n\nDuring ptp resync operation SKBs were popped from the fifo but were never\nfreed neither by napi_consume nor by dev_kfree_skb_any. Add call to\nnapi_consume_skb to properly free SKBs.\n\nAnother leak was happening because mlx5e_skb_fifo_has_room() had an error\nin the check. Comparing free running counters works well unless C promotes\nthe types to something wider than the counter. In this case counters are\nu16 but the result of the subtraction is promoted to int and it causes\nwrong result (negative value) of the check when producer has already\noverlapped but consumer hasn't yet. Explicit cast to u16 fixes the issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Check for uptr overflow\n\nsyzkaller found that setting up a map with a user VA that wraps past zero\ncan trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0\ndue to invalid arguments.\n\nPrevent creating pages with a uptr and size that would math overflow.\n\n  WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390\n  Modules linked in:\n  CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:pfn_reader_user_pin+0x2e6/0x390\n  Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00\n  RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72\n  RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002\n  RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e\n  R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60\n  R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000\n  FS:  00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   pfn_reader_next+0x14a/0x7b0\n   ? interval_tree_double_span_iter_update+0x11a/0x140\n   pfn_reader_first+0x140/0x1b0\n   iopt_pages_rw_slow+0x71/0x280\n   ? __this_cpu_preempt_check+0x20/0x30\n   iopt_pages_rw_access+0x2b2/0x5b0\n   iommufd_access_rw+0x19f/0x2f0\n   iommufd_test+0xd11/0x16f0\n   ? write_comp_data+0x2f/0x90\n   iommufd_fops_ioctl+0x206/0x330\n   __x64_sys_ioctl+0x10e/0x160\n   ? __pfx_iommufd_fops_ioctl+0x10/0x10\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()\n\nrule_locs is allocated in ethtool_get_rxnfc and the size is determined by\nrule_cnt from user space. So rule_cnt needs to be checked before using\nrule_locs to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: KVM: Fix NULL pointer dereference\n\nAfter commit 45c7e8af4a5e3f0bea4ac209 (\"MIPS: Remove KVM_TE support\") we\nget a NULL pointer dereference when creating a KVM guest:\n\n[  146.243409] Starting KVM with MIPS VZ extensions\n[  149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c\n[  149.849177] Oops[#1]:\n[  149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671\n[  149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020\n[  149.849192] $ 0   : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740\n[  149.849209] $ 4   : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000\n[  149.849221] $ 8   : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0\n[  149.849233] $12   : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0\n[  149.849245] $16   : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000\n[  149.849257] $20   : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000\n[  149.849269] $24   : 9800000106cd09ce ffffffff802f69d0\n[  149.849281] $28   : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c\n[  149.849293] Hi    : 00000335b2111e66\n[  149.849295] Lo    : 6668d90061ae0ae9\n[  149.849298] epc   : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm]\n[  149.849324] ra    : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm]\n[  149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE\n[  149.849351] Cause : 1000000c (ExcCode 03)\n[  149.849354] BadVA : 0000000000000300\n[  149.849357] PrId  : 0014c004 (ICT Loongson-3)\n[  149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables\n[  149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030)\n[  149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4\n[  149.849453]         9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000\n[  149.849465]         0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920\n[  149.849476]         ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240\n[  149.849488]         ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010\n[  149.849500]         0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000\n[  149.849511]         0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28\n[  149.849523]         0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0\n[  149.849535]         000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255\n[  149.849546]         0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255\n[  149.849558]         ...\n[  149.849565] Call Trace:\n[  149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm]\n[  149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm]\n[  149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm]\n[  149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118\n[  149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58\n\nThe root cause is the deletion of kvm_mips_commpage_init() leaves vcpu\n->arch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded\nobject.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: Fix division by zero error on zero wsum\n\nWhen the weighted sum is zero the calculation of limit causes\na division by zero error. Fix this by continuing to the next level.\n\nThis was discovered by running as root:\n\nstress-ng --ioprio 0\n\nFixes division by error oops:\n\n[  521.450556] divide error: 0000 [#1] SMP NOPTI\n[  521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1\n[  521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\n[  521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400\n[  521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44\n[  521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046\n[  521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000\n[  521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978\n[  521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0\n[  521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18\n[  521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970\n[  521.454549] FS:  00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000\n[  521.454912] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0\n[  521.455491] PKRU: 55555554\n[  521.455619] Call Trace:\n[  521.455736]  <TASK>\n[  521.455837]  ? bfq_request_merge+0x3a/0xc0\n[  521.456027]  ? elv_merge+0x115/0x140\n[  521.456191]  bfq_limit_depth+0xc8/0x240\n[  521.456366]  __blk_mq_alloc_requests+0x21a/0x2c0\n[  521.456577]  blk_mq_submit_bio+0x23c/0x6c0\n[  521.456766]  __submit_bio+0xb8/0x140\n[  521.457236]  submit_bio_noacct_nocheck+0x212/0x300\n[  521.457748]  submit_bio_noacct+0x1a6/0x580\n[  521.458220]  submit_bio+0x43/0x80\n[  521.458660]  ext4_io_submit+0x23/0x80\n[  521.459116]  ext4_do_writepages+0x40a/0xd00\n[  521.459596]  ext4_writepages+0x65/0x100\n[  521.460050]  do_writepages+0xb7/0x1c0\n[  521.460492]  __filemap_fdatawrite_range+0xa6/0x100\n[  521.460979]  file_write_and_wait_range+0xbf/0x140\n[  521.461452]  ext4_sync_file+0x105/0x340\n[  521.461882]  __x64_sys_fsync+0x67/0x100\n[  521.462305]  ? syscall_exit_to_user_mode+0x2c/0x1c0\n[  521.462768]  do_syscall_64+0x3b/0xc0\n[  521.463165]  entry_SYSCALL_64_after_hwframe+0x5a/0xc4\n[  521.463621] RIP: 0033:0x5640b6c56590\n[  521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but it's not.\n\nt = find_table_lock(net, repl->name, &ret, &ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table->private with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: Fix oops when removing custom query handlers\n\nWhen removing custom query handlers, the handler might still\nbe used inside the EC query workqueue, causing a kernel oops\nif the module holding the callback function was already unloaded.\n\nFix this by flushing the EC query workqueue when removing\ncustom query handlers.\n\nTested on an Acer Travelmate 4002WLMi",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds\n\nWhen we run syzkaller we get below Out of Bound.\n    \"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\n    Below is the backtrace of the issue:\n\n    dump_backtrace+0x0/0x4c8\n    show_stack+0x34/0x44\n    dump_stack_lvl+0xd8/0x118\n    print_address_description+0x30/0x2d8\n    kasan_report+0x158/0x198\n    __asan_report_load4_noabort+0x44/0x50\n    regcache_flat_read+0x10c/0x110\n    regcache_read+0xf4/0x180\n    _regmap_read+0xc4/0x278\n    _regmap_update_bits+0x130/0x290\n    regmap_update_bits_base+0xc0/0x15c\n    snd_soc_component_update_bits+0xa8/0x22c\n    snd_soc_component_write_field+0x68/0xd4\n    tx_macro_digital_mute+0xec/0x140\n\n    Actually there is no need to have decimator with 32 bits.\n    By limiting the variable with short type u8 issue is resolved.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()\n\nThe rcuscale.holdoff module parameter can be used to delay the start\nof rcu_scale_writer() kthread.  However, the hung-task timeout will\ntrigger when the timeout specified by rcuscale.holdoff is greater than\nhung_task_timeout_secs:\n\nrunqemu kvm nographic slirp qemuparams=\"-smp 4 -m 2048M\"\nbootparams=\"rcuscale.shutdown=0 rcuscale.holdoff=300\"\n\n[  247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds.\n[  247.072529]       Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7\n[  247.073400] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  247.074331] task:rcu_scale_write state:D stack:30144 pid:59    ppid:2      flags:0x00004000\n[  247.075346] Call Trace:\n[  247.075660]  <TASK>\n[  247.075965]  __schedule+0x635/0x1280\n[  247.076448]  ? __pfx___schedule+0x10/0x10\n[  247.076967]  ? schedule_timeout+0x2dc/0x4d0\n[  247.077471]  ? __pfx_lock_release+0x10/0x10\n[  247.078018]  ? enqueue_timer+0xe2/0x220\n[  247.078522]  schedule+0x84/0x120\n[  247.078957]  schedule_timeout+0x2e1/0x4d0\n[  247.079447]  ? __pfx_schedule_timeout+0x10/0x10\n[  247.080032]  ? __pfx_rcu_scale_writer+0x10/0x10\n[  247.080591]  ? __pfx_process_timeout+0x10/0x10\n[  247.081163]  ? __pfx_sched_set_fifo_low+0x10/0x10\n[  247.081760]  ? __pfx_rcu_scale_writer+0x10/0x10\n[  247.082287]  rcu_scale_writer+0x6b1/0x7f0\n[  247.082773]  ? mark_held_locks+0x29/0xa0\n[  247.083252]  ? __pfx_rcu_scale_writer+0x10/0x10\n[  247.083865]  ? __pfx_rcu_scale_writer+0x10/0x10\n[  247.084412]  kthread+0x179/0x1c0\n[  247.084759]  ? __pfx_kthread+0x10/0x10\n[  247.085098]  ret_from_fork+0x2c/0x50\n[  247.085433]  </TASK>\n\nThis commit therefore replaces schedule_timeout_uninterruptible() with\nschedule_timeout_idle().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Silence a warning in btf_type_id_size()\n\nsyzbot reported a warning in [1] with the following stacktrace:\n  WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988\n  ...\n  RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988\n  ...\n  Call Trace:\n   <TASK>\n   map_check_btf kernel/bpf/syscall.c:1024 [inline]\n   map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198\n   __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040\n   __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]\n   __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWith the following btf\n  [1] DECL_TAG 'a' type_id=4 component_idx=-1\n  [2] PTR '(anon)' type_id=0\n  [3] TYPE_TAG 'a' type_id=2\n  [4] VAR 'a' type_id=3, linkage=static\nand when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),\nthe following WARN_ON_ONCE in btf_type_id_size() is triggered:\n  if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&\n                   !btf_type_is_var(size_type)))\n          return NULL;\n\nNote that 'return NULL' is the correct behavior as we don't want\na DECL_TAG type to be used as a btf_{key,value}_type_id even\nfor the case like 'DECL_TAG -> STRUCT'. So there\nis no correctness issue here, we just want to silence warning.\n\nTo silence the warning, I added DECL_TAG as one of kinds in\nbtf_type_nosize() which will cause btf_type_id_size() returning\nNULL earlier without the warning.\n\n  [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add check for kmemdup\n\nSince the kmemdup may return NULL pointer,\nit should be better to add check for the return value\nin order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: ep: Only send -ENOTCONN status if client driver is available\n\nFor the STOP and RESET commands, only send the channel disconnect status\n-ENOTCONN if client driver is available. Otherwise, it will result in\nnull pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: avoid out of bounds access in decode_preauth_ctxt()\n\nConfirm that the accessed pneg_ctxt->HashAlgorithms address sits within\nthe SMB request boundary; deassemble_neg_contexts() only checks that the\neight byte smb2_neg_context header + (client controlled) DataLength are\nwithin the packet boundary, which is insufficient.\n\nChecking for sizeof(struct smb2_preauth_neg_context) is overkill given\nthat the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\n\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched->cycle_time is the divisor.\n\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\n\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\n\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n\n  @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\n\nWe use s64 for cycle_time to cast it to ktime_t, so let's keep it and\nset max for cycle_time.\n\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\n\nAlso, we add a new tdc test case for this issue.\n\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n <TASK>\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n __dev_xmit_skb net/core/dev.c:3821 [inline]\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\n neigh_output include/net/neighbour.h:544 [inline]\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\n dst_output include/net/dst.h:458 [inline]\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\nModules linked in:",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings\n\nMy previous commit introduced a memory leak where the item allocated\nfrom tlmi_setting was not freed.\nThis commit also renames it to avoid confusion with the similarly name\nvariable in the same function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.2.11"
        },
        {
          "id": "CVE-2023-54253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set page extent mapped after read_folio in relocate_one_page\n\nOne of the CI runs triggered the following panic\n\n  assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/subpage.c:229!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1\n  pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : btrfs_subpage_assert+0xbc/0xf0\n  lr : btrfs_subpage_assert+0xbc/0xf0\n  sp : ffff800093213720\n  x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000\n  x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff\n  x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880\n  x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff\n  x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028\n  x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000\n  x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c\n  x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8\n  x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f\n  Call trace:\n   btrfs_subpage_assert+0xbc/0xf0\n   btrfs_subpage_set_dirty+0x38/0xa0\n   btrfs_page_set_dirty+0x58/0x88\n   relocate_one_page+0x204/0x5f0\n   relocate_file_extent_cluster+0x11c/0x180\n   relocate_data_extent+0xd0/0xf8\n   relocate_block_group+0x3d0/0x4e8\n   btrfs_relocate_block_group+0x2d8/0x490\n   btrfs_relocate_chunk+0x54/0x1a8\n   btrfs_balance+0x7f4/0x1150\n   btrfs_ioctl+0x10f0/0x20b8\n   __arm64_sys_ioctl+0x120/0x11d8\n   invoke_syscall.constprop.0+0x80/0xd8\n   do_el0_svc+0x6c/0x158\n   el0_svc+0x50/0x1b0\n   el0t_64_sync_handler+0x120/0x130\n   el0t_64_sync+0x194/0x198\n  Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)\n\nThis is the same problem outlined in 17b17fcd6d44 (\"btrfs:\nset_page_extent_mapped after read_folio in btrfs_cont_expand\") , and the\nfix is the same.  I originally looked for the same pattern elsewhere in\nour code, but mistakenly skipped over this code because I saw the page\ncache readahead before we set_page_extent_mapped, not realizing that\nthis was only in the !page case, that we can still end up with a\n!uptodate page and then do the btrfs_read_folio further down.\n\nThe fix here is the same as the above mentioned patch, move the\nset_page_extent_mapped call to after the btrfs_read_folio() block to\nmake sure that we have the subpage blocksize stuff setup properly before\nusing the page.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don't leak a resource on eviction error\n\nOn eviction errors other than -EMULTIHOP we were leaking a resource.\nFix.\n\nv2:\n- Avoid yet another goto (Andi Shyti)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: dma: Fix DMA channel offset calculation\n\nVarious SoCs of the SH3, SH4 and SH4A family, which use this driver,\nfeature a differing number of DMA channels, which can be distributed\nbetween up to two DMAC modules. The existing implementation fails to\ncorrectly accommodate for all those variations, resulting in wrong\nchannel offset calculations and leading to kernel panics.\n\nRewrite dma_base_addr() in order to properly calculate channel offsets\nin a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that\nthe correct DMAC module base is selected for the DMAOR register.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix a memory corruption in extended buffer descriptor mode\n\nFor quite some time we were chasing a bug which looked like a sudden\npermanent failure of networking and mmc on some of our devices.\nThe bug was very sensitive to any software changes and even more to\nany kernel debug options.\n\nFinally we got a setup where the problem was reproducible with\nCONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma:\n\n[   16.992082] ------------[ cut here ]------------\n[   16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes]\n[   17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900\n[   17.018977] Modules linked in: xxxxx\n[   17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28\n[   17.045345] Hardware name: xxxxx\n[   17.049528] pstate: 60000005 (nZCv daif -PAN -UAO)\n[   17.054322] pc : check_unmap+0x6a0/0x900\n[   17.058243] lr : check_unmap+0x6a0/0x900\n[   17.062163] sp : ffffffc010003c40\n[   17.065470] x29: ffffffc010003c40 x28: 000000004000c03c\n[   17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800\n[   17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8\n[   17.081407] x23: 0000000000000000 x22: ffffffc010a08750\n[   17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000\n[   17.092032] x19: 0000000875e3e244 x18: 0000000000000010\n[   17.097343] x17: 0000000000000000 x16: 0000000000000000\n[   17.102647] x15: ffffff8879e4a988 x14: 0720072007200720\n[   17.107959] x13: 0720072007200720 x12: 0720072007200720\n[   17.113261] x11: 0720072007200720 x10: 0720072007200720\n[   17.118565] x9 : 0720072007200720 x8 : 000000000000022d\n[   17.123869] x7 : 0000000000000015 x6 : 0000000000000098\n[   17.129173] x5 : 0000000000000000 x4 : 0000000000000000\n[   17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370\n[   17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000\n[   17.145082] Call trace:\n[   17.147524]  check_unmap+0x6a0/0x900\n[   17.151091]  debug_dma_unmap_page+0x88/0x90\n[   17.155266]  gem_rx+0x114/0x2f0\n[   17.158396]  macb_poll+0x58/0x100\n[   17.161705]  net_rx_action+0x118/0x400\n[   17.165445]  __do_softirq+0x138/0x36c\n[   17.169100]  irq_exit+0x98/0xc0\n[   17.172234]  __handle_domain_irq+0x64/0xc0\n[   17.176320]  gic_handle_irq+0x5c/0xc0\n[   17.179974]  el1_irq+0xb8/0x140\n[   17.183109]  xiic_process+0x5c/0xe30\n[   17.186677]  irq_thread_fn+0x28/0x90\n[   17.190244]  irq_thread+0x208/0x2a0\n[   17.193724]  kthread+0x130/0x140\n[   17.196945]  ret_from_fork+0x10/0x20\n[   17.200510] ---[ end trace 7240980785f81d6f ]---\n\n[  237.021490] ------------[ cut here ]------------\n[  237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b\n[  237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240\n[  237.041802] Modules linked in: xxxxx\n[  237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W         5.4.0 #28\n[  237.068941] Hardware name: xxxxx\n[  237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO)\n[  237.077900] pc : add_dma_entry+0x214/0x240\n[  237.081986] lr : add_dma_entry+0x214/0x240\n[  237.086072] sp : ffffffc010003c30\n[  237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00\n[  237.094683] x27: 0000000000000180 x26: ffffff8878e387c0\n[  237.099987] x25: 0000000000000002 x24: 0000000000000000\n[  237.105290] x23: 000000000000003b x22: ffffffc010a0fa00\n[  237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600\n[  237.115897] x19: 00000000ffffffef x18: 0000000000000010\n[  237.121201] x17: 0000000000000000 x16: 0000000000000000\n[  237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720\n[  237.131807] x13: 0720072007200720 x12: 0720072007200720\n[  237.137111] x11: 0720072007200720 x10: 0720072007200720\n[  237.142415] x9 : 0720072007200720 x8 : 0000000000000259\n[  237.147718] x7 : 0000000000000001 x6 : 0000000000000000\n[  237.15302\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential oops in cifs_oplock_break\n\nWith deferred close we can have closes that race with lease breaks,\nand so with the current checks for whether to send the lease response,\noplock_response(), this can mean that an unmount (kill_sb) can occur\njust before we were checking if the tcon->ses is valid.  See below:\n\n[Fri Aug  4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]\n[Fri Aug  4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39\n[Fri Aug  4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206\n[Fri Aug  4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009\n[Fri Aug  4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188\n[Fri Aug  4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900\n[Fri Aug  4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138\n[Fri Aug  4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000\n[Fri Aug  4 04:12:50 2023] FS:  0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000\n[Fri Aug  4 04:12:50 2023] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[Fri Aug  4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0\n[Fri Aug  4 04:12:50 2023] Call Trace:\n[Fri Aug  4 04:12:50 2023]  <TASK>\n[Fri Aug  4 04:12:50 2023]  process_one_work+0x225/0x3d0\n[Fri Aug  4 04:12:50 2023]  worker_thread+0x4d/0x3e0\n[Fri Aug  4 04:12:50 2023]  ? process_one_work+0x3d0/0x3d0\n[Fri Aug  4 04:12:50 2023]  kthread+0x12a/0x150\n[Fri Aug  4 04:12:50 2023]  ? set_kthread_struct+0x50/0x50\n[Fri Aug  4 04:12:50 2023]  ret_from_fork+0x22/0x30\n[Fri Aug  4 04:12:50 2023]  </TASK>\n\nTo fix this change the ordering of the checks before sending the oplock_response\nto first check if the openFileList is empty.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4.12"
        },
        {
          "id": "CVE-2023-54259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow\n\nThis reverts commit\n443a98e649b4 (\"soundwire: bus: use pm_runtime_resume_and_get()\")\n\nChange calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync().\nThis fixes a usage count underrun caused by doing a pm_runtime_put() even\nthough pm_runtime_resume_and_get() returned an error.\n\nThe three affected functions ignore -EACCES error from trying to get\npm_runtime, and carry on, including a put at the end of the function.\nBut pm_runtime_resume_and_get() does not increment the usage count if it\nreturns an error. So in the -EACCES case you must not call\npm_runtime_put().\n\nThe documentation for pm_runtime_get_sync() says:\n \"Consider using pm_runtime_resume_and_get() ...  as this is likely to\n result in cleaner code.\"\n\nIn this case I don't think it results in cleaner code because the\npm_runtime_put() at the end of the function would have to be conditional on\nthe return value from pm_runtime_resume_and_get() at the top of the\nfunction.\n\npm_runtime_get_sync() doesn't have this problem because it always\nincrements the count, so always needs a put. The code can just flow through\nand do the pm_runtime_put() unconditionally.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix lost destroy smbd connection when MR allocate failed\n\nIf the MR allocate failed, the smb direct connection info is NULL,\nthen smbd_destroy() will directly return, then the connection info\nwill be leaked.\n\nLet's set the smb direct connection info to the server before call\nsmbd_destroy().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Add missing gfx11 MQD manager callbacks\n\nmqd_stride function was introduced in commit 2f77b9a242a2\n(\"drm/amdkfd: Update MQD management on multi XCC setup\")\nbut not assigned for gfx11. Fixes a NULL dereference in debugfs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't clone flow post action attributes second time\n\nThe code already clones post action attributes in\nmlx5e_clone_flow_attr_for_post_act(). Creating another copy in\nmlx5e_tc_post_act_add() is a erroneous leftover from original\nimplementation. Instead, assign handle->attribute to post_attr provided by\nthe caller. Note that cloning the attribute second time is not just\nwasteful but also causes issues like second copy not being properly updated\nin neigh update code which leads to following use-after-free:\n\nFeb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_free_info+0x2a/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ____kasan_slab_free+0x11a/0x1b0\nFeb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22\nFeb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  <TASK>\nFeb 21 09:02:00 c-237-177-40-045 kernel:  dump_stack_lvl+0x57/0x7d\nFeb 21 09:02:00 c-237-177-40-045 kernel:  print_report+0x170/0x471\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __module_address.part.0+0x62/0x200\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  ? __raw_spin_lock_init+0x3b/0x110\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  add_rule_fg+0xe80/0x19c0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  post_process_attr+0x305/0xa30 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel:  mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:\nFeb 21 09:02:00 c-237-177-40-045 kernel:  kasan_save_s\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP\n\nFixes OOPS on boards with ANX9805 DP encoders.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/sysv: Null check to prevent null-ptr-deref bug\n\nsb_getblk(inode->i_sb, parent) return a null ptr and taking lock on\nthat leads to the null-ptr-deref bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix an uninit variable access bug in __ip6_make_skb()\n\nSyzbot reported a bug as following:\n\n=====================================================\nBUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]\nBUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]\nBUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]\nBUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956\n arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline]\n arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline]\n atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline]\n __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956\n ip6_finish_skb include/net/ipv6.h:1122 [inline]\n ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987\n rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579\n rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922\n inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530\n __sys_sendmsg net/socket.c:2559 [inline]\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988\n kmalloc_reserve net/core/skbuff.c:492 [inline]\n __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565\n alloc_skb include/linux/skbuff.h:1270 [inline]\n __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684\n ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854\n rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915\n inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530\n __sys_sendmsg net/socket.c:2559 [inline]\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because icmp6hdr does not in skb linear region under the scenario\nof SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will\ntrigger the uninit variable access bug.\n\nUse a local variable icmp6_type to carry the correct value in different\nscenarios.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()\n\n'read' is freed when it is known to be NULL, but not when a read error\noccurs.\n\nRevert the logic to avoid a small leak, should a m920x_read() call fail.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT\n\nlppaca_shared_proc() takes a pointer to the lppaca which is typically\naccessed through get_lppaca().  With DEBUG_PREEMPT enabled, this leads\nto checking if preemption is enabled, for example:\n\n  BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693\n  caller is lparcfg_data+0x408/0x19a0\n  CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2\n  Call Trace:\n    dump_stack_lvl+0x154/0x200 (unreliable)\n    check_preemption_disabled+0x214/0x220\n    lparcfg_data+0x408/0x19a0\n    ...\n\nThis isn't actually a problem however, as it does not matter which\nlppaca is accessed, the shared proc state will be the same.\nvcpudispatch_stats_procfs_init() already works around this by disabling\npreemption, but the lparcfg code does not, erroring any time\n/proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled.\n\nInstead of disabling preemption on the caller side, rework\nlppaca_shared_proc() to not take a pointer and instead directly access\nthe lppaca, bypassing any potential preemption checks.\n\n[mpe: Rework to avoid needing a definition in paca.h and lppaca.h]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndebugobjects: Don't wake up kswapd from fill_pool()\n\nsyzbot is reporting a lockdep warning in fill_pool() because the allocation\nfrom debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM)\nand therefore tries to wake up kswapd, which acquires kswapd_wait::lock.\n\nSince fill_pool() might be called with arbitrary locks held, fill_pool()\nshould not assume that acquiring kswapd_wait::lock is safe.\n\nUse __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for\n!__GFP_DIRECT_RECLAIM allocation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: double free xprt_ctxt while still in use\n\nWhen an RPC request is deferred, the rq_xprt_ctxt pointer is moved out\nof the svc_rqst into the svc_deferred_req.\nWhen the deferred request is revisited, the pointer is copied into\nthe new svc_rqst - and also remains in the svc_deferred_req.\n\nIn the (rare?) case that the request is deferred a second time, the old\nsvc_deferred_req is reused - it still has all the correct content.\nHowever in that case the rq_xprt_ctxt pointer is NOT cleared so that\nwhen xpo_release_xprt is called, the ctxt is freed (UDP) or possible\nadded to a free list (RDMA).\nWhen the deferred request is revisited for a second time, it will\nreference this ctxt which may be invalid, and the free the object a\nsecond time which is likely to oops.\n\nSo change svc_defer() to *always* clear rq_xprt_ctxt, and assert that\nthe value is now stored in the svc_deferred_req.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: siano: Fix use after free bugs caused by do_submit_urb\n\nThere are UAF bugs caused by do_submit_urb(). One of the KASan reports\nis shown below:\n\n[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890\n[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49\n[   36.408316]\n[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8\n[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584\n[   36.416157] Workqueue:  0x0 (events)\n[   36.417654] Call Trace:\n[   36.418546]  <TASK>\n[   36.419320]  dump_stack_lvl+0x96/0xd0\n[   36.420522]  print_address_description+0x75/0x350\n[   36.421992]  print_report+0x11b/0x250\n[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0\n[   36.424806]  ? __virt_addr_valid+0xcf/0x170\n[   36.426069]  ? worker_thread+0x4a2/0x890\n[   36.427355]  kasan_report+0x131/0x160\n[   36.428556]  ? worker_thread+0x4a2/0x890\n[   36.430053]  worker_thread+0x4a2/0x890\n[   36.431297]  ? worker_clr_flags+0x90/0x90\n[   36.432479]  kthread+0x166/0x190\n[   36.433493]  ? kthread_blkcg+0x50/0x50\n[   36.434669]  ret_from_fork+0x22/0x30\n[   36.435923]  </TASK>\n[   36.436684]\n[   36.437215] Allocated by task 24:\n[   36.438289]  kasan_set_track+0x50/0x80\n[   36.439436]  __kasan_kmalloc+0x89/0xa0\n[   36.440566]  smsusb_probe+0x374/0xc90\n[   36.441920]  usb_probe_interface+0x2d1/0x4c0\n[   36.443253]  really_probe+0x1d5/0x580\n[   36.444539]  __driver_probe_device+0xe3/0x130\n[   36.446085]  driver_probe_device+0x49/0x220\n[   36.447423]  __device_attach_driver+0x19e/0x1b0\n[   36.448931]  bus_for_each_drv+0xcb/0x110\n[   36.450217]  __device_attach+0x132/0x1f0\n[   36.451470]  bus_probe_device+0x59/0xf0\n[   36.452563]  device_add+0x4ec/0x7b0\n[   36.453830]  usb_set_configuration+0xc63/0xe10\n[   36.455230]  usb_generic_driver_probe+0x3b/0x80\n[   36.456166] printk: console [ttyGS0] disabled\n[   36.456569]  usb_probe_device+0x90/0x110\n[   36.459523]  really_probe+0x1d5/0x580\n[   36.461027]  __driver_probe_device+0xe3/0x130\n[   36.462465]  driver_probe_device+0x49/0x220\n[   36.463847]  __device_attach_driver+0x19e/0x1b0\n[   36.465229]  bus_for_each_drv+0xcb/0x110\n[   36.466466]  __device_attach+0x132/0x1f0\n[   36.467799]  bus_probe_device+0x59/0xf0\n[   36.469010]  device_add+0x4ec/0x7b0\n[   36.470125]  usb_new_device+0x863/0xa00\n[   36.471374]  hub_event+0x18c7/0x2220\n[   36.472746]  process_one_work+0x34c/0x5b0\n[   36.474041]  worker_thread+0x4b7/0x890\n[   36.475216]  kthread+0x166/0x190\n[   36.476267]  ret_from_fork+0x22/0x30\n[   36.477447]\n[   36.478160] Freed by task 24:\n[   36.479239]  kasan_set_track+0x50/0x80\n[   36.480512]  kasan_save_free_info+0x2b/0x40\n[   36.481808]  ____kasan_slab_free+0x122/0x1a0\n[   36.483173]  __kmem_cache_free+0xc4/0x200\n[   36.484563]  smsusb_term_device+0xcd/0xf0\n[   36.485896]  smsusb_probe+0xc85/0xc90\n[   36.486976]  usb_probe_interface+0x2d1/0x4c0\n[   36.488303]  really_probe+0x1d5/0x580\n[   36.489498]  __driver_probe_device+0xe3/0x130\n[   36.491140]  driver_probe_device+0x49/0x220\n[   36.492475]  __device_attach_driver+0x19e/0x1b0\n[   36.493988]  bus_for_each_drv+0xcb/0x110\n[   36.495171]  __device_attach+0x132/0x1f0\n[   36.496617]  bus_probe_device+0x59/0xf0\n[   36.497875]  device_add+0x4ec/0x7b0\n[   36.498972]  usb_set_configuration+0xc63/0xe10\n[   36.500264]  usb_generic_driver_probe+0x3b/0x80\n[   36.501740]  usb_probe_device+0x90/0x110\n[   36.503084]  really_probe+0x1d5/0x580\n[   36.504241]  __driver_probe_device+0xe3/0x130\n[   36.505548]  driver_probe_device+0x49/0x220\n[   36.506766]  __device_attach_driver+0x19e/0x1b0\n[   36.508368]  bus_for_each_drv+0xcb/0x110\n[   36.509646]  __device_attach+0x132/0x1f0\n[   36.510911]  bus_probe_device+0x59/0xf0\n[   36.512103]  device_add+0x4ec/0x7b0\n[   36.513215]  usb_new_device+0x863/0xa00\n[   36.514736]  hub_event+0x18c7/0x2220\n[   36.516130]  process_one_work+\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init\n\nblk-iocost sometimes causes the following crash:\n\n  BUG: kernel NULL pointer dereference, address: 00000000000000e0\n  ...\n  RIP: 0010:_raw_spin_lock+0x17/0x30\n  Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00\n  RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001\n  RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0\n  RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003\n  R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000\n  R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600\n  FS:  00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0\n  Call Trace:\n   <TASK>\n   ioc_weight_write+0x13d/0x410\n   cgroup_file_write+0x7a/0x130\n   kernfs_fop_write_iter+0xf5/0x170\n   vfs_write+0x298/0x370\n   ksys_write+0x5f/0xb0\n   __x64_sys_write+0x1b/0x20\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis happens because iocg->ioc is NULL. The field is initialized by\nioc_pd_init() and never cleared. The NULL deref is caused by\nblkcg_activate_policy() installing blkg_policy_data before initializing it.\n\nblkcg_activate_policy() was doing the following:\n\n1. Allocate pd's for all existing blkg's and install them in blkg->pd[].\n2. Initialize all pd's.\n3. Online all pd's.\n\nblkcg_activate_policy() only grabs the queue_lock and may release and\nre-acquire the lock as allocation may need to sleep. ioc_weight_write()\ngrabs blkcg->lock and iterates all its blkg's. The two can race and if\nioc_weight_write() runs during #1 or between #1 and #2, it can encounter a\npd which is not initialized yet, leading to crash.\n\nThe crash can be reproduced with the following script:\n\n  #!/bin/bash\n\n  echo +io > /sys/fs/cgroup/cgroup.subtree_control\n  systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct\n  echo 100 > /sys/fs/cgroup/system.slice/io.weight\n  bash -c \"echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos\" &\n  sleep .2\n  echo 100 > /sys/fs/cgroup/system.slice/io.weight\n\nwith the following patch applied:\n\n> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c\n> index fc49be622e05..38d671d5e10c 100644\n> --- a/block/blk-cgroup.c\n> +++ b/block/blk-cgroup.c\n> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)\n> \t\tpd->online = false;\n> \t}\n>\n> +       if (system_state == SYSTEM_RUNNING) {\n> +               spin_unlock_irq(&q->queue_lock);\n> +               ssleep(1);\n> +               spin_lock_irq(&q->queue_lock);\n> +       }\n> +\n> \t/* all allocated, init in the same order */\n> \tif (pol->pd_init_fn)\n> \t\tlist_for_each_entry_reverse(blkg, &q->blkg_list, q_node)\n\nI don't see a reason why all pd's should be allocated, initialized and\nonlined together. The only ordering requirement is that parent blkgs to be\ninitialized and onlined before children, which is guaranteed from the\nwalking order. Let's fix the bug by allocating, initializing and onlining pd\nfor each blkg and holding blkcg->lock over initialization and onlining. This\nensures that an installed blkg is always fully initialized and onlined\nremoving the the race window.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix a possible null-pointer dereference in ni_clear()\n\nIn a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode()\ncould be NULL, and thus a NULL check is added for this variable.\n\nHowever, in the same call stack, ni->mi.mrec can be also dereferenced\nin ni_clear():\n\nntfs_evict_inode(inode)\n  ni_write_inode(inode, ...)\n    ni = ntfs_i(inode);\n    is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit\n  ni_clear(ntfs_i(inode))\n    is_rec_inuse(ni->mi.mrec) -> No check\n\nThus, a possible null-pointer dereference may exist in ni_clear().\nTo fix it, a NULL check is added in this function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix leak of dev tracker\n\nAt the stage of direction checks, the netdev reference tracker is\nalready initialized, but released with wrong *_put() call.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Add a check for valid 'mad_agent' pointer\n\nWhen unregistering MAD agent, srpt module has a non-null check\nfor 'mad_agent' pointer before invoking ib_unregister_mad_agent().\nThis check can pass if 'mad_agent' variable holds an error value.\nThe 'mad_agent' can have an error value for a short window when\nsrpt_add_one() and srpt_remove_one() is executed simultaneously.\n\nIn srpt module, added a valid pointer check for 'sport->mad_agent'\nbefore unregistering MAD agent.\n\nThis issue can hit when RoCE driver unregisters ib_device\n\nStack Trace:\n------------\nBUG: kernel NULL pointer dereference, address: 000000000000004d\nPGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P\nHardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020\nWorkqueue: bnxt_re bnxt_re_task [bnxt_re]\nRIP: 0010:_raw_spin_lock_irqsave+0x19/0x40\nCall Trace:\n  ib_unregister_mad_agent+0x46/0x2f0 [ib_core]\n  IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready\n  ? __schedule+0x20b/0x560\n  srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]\n  srpt_remove_one+0x20/0x150 [ib_srpt]\n  remove_client_context+0x88/0xd0 [ib_core]\n  bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex\n  disable_device+0x8a/0x160 [ib_core]\n  bond0: active interface up!\n  ? kernfs_name_hash+0x12/0x80\n (NULL device *): Bonding Info Received: rdev: 000000006c0b8247\n  __ib_unregister_device+0x42/0xb0 [ib_core]\n (NULL device *):         Master: mode: 4 num_slaves:2\n  ib_unregister_device+0x22/0x30 [ib_core]\n (NULL device *):         Slave: id: 105069936 name:p2p1 link:0 state:0\n  bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]\n  bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup\n\ncrypto_alloc_shash() allocates resources, which should be released by\ncrypto_free_shash(). When ath11k_peer_find() fails, there has memory\nleak. Add missing crypto_free_shash() to fix this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\n\nCommit f5f9d4a314da (\"nfsd: move reply cache initialization into nfsd\nstartup\") moved the initialization of the reply cache into nfsd startup,\nbut didn't account for the stats counters, which can be accessed before\nnfsd is ever started. The result can be a NULL pointer dereference when\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\nshut down.\n\nThis is a regression and a user-triggerable oops in the right situation:\n\n- non-x86_64 arch\n- /proc/fs/nfsd is mounted in the namespace\n- nfsd is not started in the namespace\n- unprivileged user calls \"cat /proc/fs/nfsd/reply_cache_stats\"\n\nAlthough this is easy to trigger on some arches (like aarch64), on\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\nfixed_percpu_data. That struct looks just enough like a newly\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\nit without Oopsing.\n\nMove the initialization of the per-net+per-cpu reply-cache counters\nback into nfsd_init_net, while leaving the rest of the reply cache\nallocations to be done at nfsd startup time.\n\nKudos to Eirik who did most of the legwork to track this down.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: Fix endpoint check\n\nThe syzbot fuzzer detected a problem in the udlfb driver, caused by an\nendpoint not having the expected type:\n\nusb 1-1: Read EDID byte 0 failed: -71\nusb 1-1: Unable to get valid EDID from device/display\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880\ndrivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 9 Comm: kworker/0:1 Not tainted\n6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n04/28/2023\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n <TASK>\n dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980\n dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315\n dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111\n dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743\n\nThe current approach for this issue failed to catch the problem\nbecause it only checks for the existence of a bulk-OUT endpoint; it\ndoesn't check whether this endpoint is the one that the driver will\nactually use.\n\nWe can fix the problem by instead checking that the endpoint used by\nthe driver does exist and is bulk-OUT.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vmem: split pages when debug pagealloc is enabled\n\nSince commit bb1520d581a3 (\"s390/mm: start kernel with DAT enabled\")\nthe kernel crashes early during boot when debug pagealloc is enabled:\n\nmem auto-init: stack:off, heap alloc:off, heap free:off\naddressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC\nModules linked in:\nCPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630\n[..]\nKrnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e\n           00000000001325fc: eb880002000c srlg %r8,%r8,2\n          #0000000000132602: b2210051     ipte %r5,%r1,%r0,0\n          >0000000000132606: b90400d1     lgr %r13,%r1\n           000000000013260a: 41605008     la %r6,8(%r5)\n           000000000013260e: a7db1000     aghi %r13,4096\n           0000000000132612: b221006d     ipte %r6,%r13,%r0,0\n           0000000000132616: e3d0d0000171 lay %r13,4096(%r13)\n\nCall Trace:\n __kernel_map_pages+0x14e/0x320\n __free_pages_ok+0x23a/0x5a8)\n free_low_memory_core_early+0x214/0x2c8\n memblock_free_all+0x28/0x58\n mem_init+0xb6/0x228\n mm_core_init+0xb6/0x3b0\n start_kernel+0x1d2/0x5a8\n startup_continue+0x36/0x40\nKernel panic - not syncing: Fatal exception: panic_on_oops\n\nThis is caused by using large mappings on machines with EDAT1/EDAT2. Add\nthe code to split the mappings into 4k pages if debug pagealloc is enabled\nby CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel\ncommand line option.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: fw: Allow firmware to pass a empty env\n\nfw_getenv will use env entry to determine style of env,\nhowever it is legal for firmware to just pass a empty list.\n\nCheck if first entry exist before running strchr to avoid\nnull pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential race when tree connecting ipc\n\nProtect access of TCP_Server_Info::hostname when building the ipc tree\nname as it might get freed in cifsd thread and thus causing an\nuse-after-free bug in __tree_connect_dfs_target().  Also, while at it,\nupdate status of IPC tcon on success and then avoid any extra tree\nconnects.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root's btree. If btrfs_iget()\nneeds to lookup the inode from the root's btree, because it's not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n  WARNING: possible circular locking dependency detected\n  6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n  ------------------------------------------------------\n  syz-executor277/5012 is trying to acquire lock:\n  ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  but task is already holding lock:\n  ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n  which lock already depends on the new lock.\n\n  the existing dependency chain (in reverse order) is:\n\n  -> #1 (btrfs-tree-00){++++}-{3:3}:\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n         btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n         btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n         btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n         btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n         open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n         btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n         btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         fc_mount fs/namespace.c:1112 [inline]\n         vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n         btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n         legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n         vfs_get_tree+0x8c/0x270 fs/super.c:1519\n         do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n         do_mount fs/namespace.c:3675 [inline]\n         __do_sys_mount fs/namespace.c:3884 [inline]\n         __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  -> #0 (btrfs-tree-01){++++}-{3:3}:\n         check_prev_add kernel/locking/lockdep.c:3142 [inline]\n         check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n         validate_chain kernel/locking/lockdep.c:3876 [inline]\n         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n         down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n         __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n         btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n         btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n         btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n         btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n         btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n         btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n         btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n         btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n         btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n         btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n         vfs_ioctl fs/ioctl.c:51 [inline]\n         __do_sys_ioctl fs/ioctl.c:870 [inline]\n         __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n         do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n         entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  other info \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuners: qt1010: replace BUG_ON with a regular error\n\nBUG_ON is unnecessary here, and in addition it confuses smatch.\nReplacing this with an error return help resolve this smatch\nwarning:\n\ndrivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Address KCSAN report on bpf_lru_list\n\nKCSAN reported a data-race when accessing node->ref.\nAlthough node->ref does not have to be accurate,\ntake this chance to use a more common READ_ONCE() and WRITE_ONCE()\npattern instead of data_race().\n\nThere is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref().\nThis patch also adds bpf_lru_node_clear_ref() to do the\nWRITE_ONCE(node->ref, 0) also.\n\n==================================================================\nBUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem\n\nwrite to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1:\n__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline]\n__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline]\n__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240\nbpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline]\nbpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]\nbpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499\nprealloc_lru_pop kernel/bpf/hashtab.c:290 [inline]\n__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316\nbpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313\nbpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200\ngeneric_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687\nbpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534\n__sys_bpf+0x338/0x810\n__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]\n__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0:\nbpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline]\n__htab_lru_percpu_map_update_elem+0x2f1/0x820 
kernel/bpf/hashtab.c:1332\nbpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313\nbpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200\ngeneric_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687\nbpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534\n__sys_bpf+0x338/0x810\n__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]\n__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x01 -> 0x00\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: av7110: prevent underflow in write_ts_to_decoder()\n\nThe buf[4] value comes from the user via ts_play().  It is a value in\nthe u8 range.  The final length we pass to av7110_ipack_instant_repack()\nis \"len - (buf[4] + 1) - 4\" so add a check to ensure that the length is\nnot negative.  It's not clear that passing a negative len value does\nanything bad necessarily, but it's not best practice.\n\nWith the new bounds checking the \"if (!len)\" condition is no longer\npossible or required so remove that.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: Fix possible overflow condition in iomap_write_delalloc_scan\n\nfolio_next_index() returns an unsigned long value which left shifted\nby PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead\nuse folio_pos(folio) + folio_size(folio), which does this correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace\n\nA received TKIP key may be up to 32 bytes because it may contain\nMIC rx/tx keys too. These are not used by iwl and copying these\nover overflows the iwl_keyinfo.key field.\n\nAdd a check to not copy more data to iwl_keyinfo.key than will fit.\n\nThis fixes backtraces like this one:\n\n memcpy: detected field-spanning write (size 32) of single field \"sta_cmd.key.key\" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)\n WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n <snip>\n Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017\n RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n <snip>\n Call Trace:\n  <TASK>\n  iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]\n  iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]\n  drv_set_key+0xa4/0x1b0 [mac80211]\n  ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]\n  ieee80211_key_replace+0x22d/0x8e0 [mac80211]\n <snip>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: imx: disable Ageing Timer interrupt request irq\n\nThere may be a pending USR interrupt before requesting irq, however\nuart_add_one_port has not executed, so there will be kernel panic:\n[    0.795668] Unable to handle kernel NULL pointer dereference at virtual addre\nss 0000000000000080\n[    0.802701] Mem abort info:\n[    0.805367]   ESR = 0x0000000096000004\n[    0.808950]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.814033]   SET = 0, FnV = 0\n[    0.816950]   EA = 0, S1PTW = 0\n[    0.819950]   FSC = 0x04: level 0 translation fault\n[    0.824617] Data abort info:\n[    0.827367]   ISV = 0, ISS = 0x00000004\n[    0.831033]   CM = 0, WnR = 0\n[    0.833866] [0000000000000080] user address but active_mm is swapper\n[    0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    0.845953] Modules linked in:\n[    0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\n[    0.855617] Hardware name: Freescale i.MX8MP EVK (DT)\n[    0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\n[    0.872283] lr : imx_uart_int+0xf8/0x1ec\n\nThe issue only happens in the inmate linux when the Jailhouse hypervisor\nis enabled. The test procedure is:\nwhile true; do\n\tjailhouse enable imx8mp.cell\n\tjailhouse cell linux xxxx\n\tsleep 10\n\tjailhouse cell destroy 1\n\tjailhouse disable\n\tsleep 5\ndone\n\nAnd during the upper test, press keys to the 2nd linux console.\nWhen `jailhouse cell destroy 1`, the 2nd linux has no chance to put\nthe uart to a quiesce state, so USR1/2 may have pending interrupts. Then\nwhen `jailhouse cell linux xx` to start 2nd linux again, the issue\ntriggers.\n\nIn order to disable irqs before requesting them, both UCR1 and UCR2 irqs\nshould be disabled, so here fix that, disable the Ageing Timer interrupt\nin UCR2 as UCR1 does.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\n\nIn the function ieee80211_tx_dequeue() there is a particular locking\nsequence:\n\nbegin:\n\tspin_lock(&local->queue_stop_reason_lock);\n\tq_stopped = local->queue_stop_reasons[q];\n\tspin_unlock(&local->queue_stop_reason_lock);\n\nHowever small the chance (increased by ftracetest), an asynchronous\ninterrupt can occur in between of spin_lock() and spin_unlock(),\nand the interrupt routine will attempt to lock the same\n&local->queue_stop_reason_lock again.\n\nThis will cause a costly reset of the CPU and the wifi device or an\naltogether hang in the single CPU and single core scenario.\n\nThe only remaining spin_lock(&local->queue_stop_reason_lock) that\ndid not disable interrupts was patched, which should prevent any\ndeadlocks on the same CPU/core and the same wifi device.\n\nThis is the probable trace of the deadlock:\n\nkernel: ================================\nkernel: WARNING: inconsistent lock state\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G        W\nkernel: --------------------------------\nkernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\nkernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\nkernel: {IN-SOFTIRQ-W} state was registered at:\nkernel:   lock_acquire+0xc7/0x2d0\nkernel:   _raw_spin_lock+0x36/0x50\nkernel:   ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\nkernel:   iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\nkernel:   iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\nkernel:   ieee80211_queue_skb+0x450/0x730 [mac80211]\nkernel:   __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\nkernel:   __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\nkernel:   ieee80211_subif_start_xmit+0x60/0x580 [mac80211]\nkernel:   
dev_hard_start_xmit+0xb5/0x260\nkernel:   __dev_queue_xmit+0xdbe/0x1200\nkernel:   neigh_resolve_output+0x166/0x260\nkernel:   ip_finish_output2+0x216/0xb80\nkernel:   __ip_finish_output+0x2a4/0x4d0\nkernel:   ip_finish_output+0x2d/0xd0\nkernel:   ip_output+0x82/0x2b0\nkernel:   ip_local_out+0xec/0x110\nkernel:   igmpv3_sendpack+0x5c/0x90\nkernel:   igmp_ifc_timer_expire+0x26e/0x4e0\nkernel:   call_timer_fn+0xa5/0x230\nkernel:   run_timer_softirq+0x27f/0x550\nkernel:   __do_softirq+0xb4/0x3a4\nkernel:   irq_exit_rcu+0x9b/0xc0\nkernel:   sysvec_apic_timer_interrupt+0x80/0xa0\nkernel:   asm_sysvec_apic_timer_interrupt+0x1f/0x30\nkernel:   _raw_spin_unlock_irqrestore+0x3f/0x70\nkernel:   free_to_partial_list+0x3d6/0x590\nkernel:   __slab_free+0x1b7/0x310\nkernel:   kmem_cache_free+0x52d/0x550\nkernel:   putname+0x5d/0x70\nkernel:   do_sys_openat2+0x1d7/0x310\nkernel:   do_sys_open+0x51/0x80\nkernel:   __x64_sys_openat+0x24/0x30\nkernel:   do_syscall_64+0x5c/0x90\nkernel:   entry_SYSCALL_64_after_hwframe+0x72/0xdc\nkernel: irq event stamp: 5120729\nkernel: hardirqs last  enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120\nkernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120\nkernel: softirqs last  enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel:\n        other info that might help us debug this:\nkernel:  Possible unsafe locking scenario:\nkernel:        CPU0\nkernel:        ----\nkernel:   lock(&local->queue_stop_reason_lock);\nkernel:   <Interrupt>\nkernel:     lock(&local->queue_stop_reason_lock);\nkernel:\n         *** DEADLOCK ***\nkernel: 8 locks held by kworker/5:0/25656:\nkernel:  #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530\nkernel:  #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: 
process_one_work+0x1ce/0x530\nkernel:  #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\nkernel:  #3: ffff9d619\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Fix NULL dereference in error handling\n\nSmatch reported:\n\ndrivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()\nwarn: missing unwind goto?\n\nAt this point in the function, nothing has been allocated so we can return\ndirectly. In particular the \"qedf->global_queues\" have not been allocated\nso calling qedf_free_global_queues() will lead to a NULL dereference when\nwe check if (!gl[i]) and \"gl\" is NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: fix NULL pointer dereference\n\nvduse_vdpa_set_vq_affinity callback can be called\nwith NULL value as cpu_mask when deleting the vduse\ndevice.\n\nThis patch resets virtqueue's IRQ affinity mask value\nto set all CPUs instead of dereferencing NULL cpu_mask.\n\n[ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 4760.959110] #PF: supervisor read access in kernel mode\n[ 4760.964247] #PF: error_code(0x0000) - not-present page\n[ 4760.969385] PGD 0 P4D 0\n[ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4\n[ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020\n[ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130\n[ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66\n[ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246\n[ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400\n[ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898\n[ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000\n[ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000\n[ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10\n[ 4761.053680] FS:  00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000\n[ 4761.061765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0\n[ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4761.088909] PKRU: 55555554\n[ 4761.091620] Call Trace:\n[ 
4761.094074]  <TASK>\n[ 4761.096180]  ? __die+0x1f/0x70\n[ 4761.099238]  ? page_fault_oops+0x171/0x4f0\n[ 4761.103340]  ? exc_page_fault+0x7b/0x180\n[ 4761.107265]  ? asm_exc_page_fault+0x22/0x30\n[ 4761.111460]  ? memcpy_orig+0xc5/0x130\n[ 4761.115126]  vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse]\n[ 4761.120533]  virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net]\n[ 4761.126635]  remove_vq_common+0x1a4/0x250 [virtio_net]\n[ 4761.131781]  virtnet_remove+0x5d/0x70 [virtio_net]\n[ 4761.136580]  virtio_dev_remove+0x3a/0x90\n[ 4761.140509]  device_release_driver_internal+0x19b/0x200\n[ 4761.145742]  bus_remove_device+0xc2/0x130\n[ 4761.149755]  device_del+0x158/0x3e0\n[ 4761.153245]  ? kernfs_find_ns+0x35/0xc0\n[ 4761.157086]  device_unregister+0x13/0x60\n[ 4761.161010]  unregister_virtio_device+0x11/0x20\n[ 4761.165543]  device_release_driver_internal+0x19b/0x200\n[ 4761.170770]  bus_remove_device+0xc2/0x130\n[ 4761.174782]  device_del+0x158/0x3e0\n[ 4761.178276]  ? __pfx_vdpa_name_match+0x10/0x10 [vdpa]\n[ 4761.183336]  device_unregister+0x13/0x60\n[ 4761.187260]  vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix data race on CQP request done\n\nKCSAN detects a data race on cqp_request->request_done memory location\nwhich is accessed locklessly in irdma_handle_cqp_op while being\nupdated in irdma_cqp_ce_handler.\n\nAnnotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any\ncompiler optimizations like load fusing and/or KCSAN warning.\n\n[222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma]\n\n[222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5:\n[222808.417610]  irdma_cqp_ce_handler+0x21e/0x270 [irdma]\n[222808.417725]  cqp_compl_worker+0x1b/0x20 [irdma]\n[222808.417827]  process_one_work+0x4d1/0xa40\n[222808.417835]  worker_thread+0x319/0x700\n[222808.417842]  kthread+0x180/0x1b0\n[222808.417852]  ret_from_fork+0x22/0x30\n\n[222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1:\n[222808.417995]  irdma_wait_event+0x1e2/0x2c0 [irdma]\n[222808.418099]  irdma_handle_cqp_op+0xae/0x170 [irdma]\n[222808.418202]  irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma]\n[222808.418308]  irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma]\n[222808.418411]  irdma_rt_deinit_hw+0x179/0x1d0 [irdma]\n[222808.418514]  irdma_ib_dealloc_device+0x11/0x40 [irdma]\n[222808.418618]  ib_dealloc_device+0x2a/0x120 [ib_core]\n[222808.418823]  __ib_unregister_device+0xde/0x100 [ib_core]\n[222808.418981]  ib_unregister_device+0x22/0x40 [ib_core]\n[222808.419142]  irdma_ib_unregister_device+0x70/0x90 [irdma]\n[222808.419248]  i40iw_close+0x6f/0xc0 [irdma]\n[222808.419352]  i40e_client_device_unregister+0x14a/0x180 [i40e]\n[222808.419450]  i40iw_remove+0x21/0x30 [irdma]\n[222808.419554]  auxiliary_bus_remove+0x31/0x50\n[222808.419563]  device_remove+0x69/0xb0\n[222808.419572]  device_release_driver_internal+0x293/0x360\n[222808.419582]  driver_detach+0x7c/0xf0\n[222808.419592]  bus_remove_driver+0x8c/0x150\n[222808.419600] 
 driver_unregister+0x45/0x70\n[222808.419610]  auxiliary_driver_unregister+0x16/0x30\n[222808.419618]  irdma_exit_module+0x18/0x1e [irdma]\n[222808.419733]  __do_sys_delete_module.constprop.0+0x1e2/0x310\n[222808.419745]  __x64_sys_delete_module+0x1b/0x30\n[222808.419755]  do_syscall_64+0x39/0x90\n[222808.419763]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[222808.419829] value changed: 0x01 -> 0x03",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fixup btree_cache_wait list damage\n\nWe get a kernel crash about \"list_add corruption. next->prev should be\nprev (ffff9c801bc01210), but was ffff9c77b688237c.\n(next=ffffae586d8afe68).\"\n\ncrash> struct list_head 0xffff9c801bc01210\nstruct list_head {\n  next = 0xffffae586d8afe68,\n  prev = 0xffffae586d8afe68\n}\ncrash> struct list_head 0xffff9c77b688237c\nstruct list_head {\n  next = 0x0,\n  prev = 0x0\n}\ncrash> struct list_head 0xffffae586d8afe68\nstruct list_head struct: invalid kernel virtual address: ffffae586d8afe68  type: \"gdb_readmem_callback\"\nCannot access memory at address 0xffffae586d8afe68\n\n[230469.019492] Call Trace:\n[230469.032041]  prepare_to_wait+0x8a/0xb0\n[230469.044363]  ? bch_btree_keys_free+0x6c/0xc0 [escache]\n[230469.056533]  mca_cannibalize_lock+0x72/0x90 [escache]\n[230469.068788]  mca_alloc+0x2ae/0x450 [escache]\n[230469.080790]  bch_btree_node_get+0x136/0x2d0 [escache]\n[230469.092681]  bch_btree_check_thread+0x1e1/0x260 [escache]\n[230469.104382]  ? finish_wait+0x80/0x80\n[230469.115884]  ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]\n[230469.127259]  kthread+0x112/0x130\n[230469.138448]  ? kthread_flush_work_fn+0x10/0x10\n[230469.149477]  ret_from_fork+0x35/0x40\n\nbch_btree_check_thread() and bch_dirty_init_thread() may call\nmca_cannibalize() to cannibalize other cached btree nodes. Only one thread\ncan do it at a time, so the op of other threads will be added to the\nbtree_cache_wait list.\n\nWe must call finish_wait() to remove op from btree_cache_wait before freeing\nits memory address. Otherwise, the list will be damaged. We should also call\nbch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up\nother waiters.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix memleak of md thread\n\nIn raid10_run(), if setup_conf() succeeds and raid10_run() fails before\nsetting 'mddev->thread', then in the error path 'conf->thread' is not\nfreed.\n\nFix the problem by setting 'mddev->thread' right after setup_conf().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type\n\nspi_nor_set_erase_type() was used either to set or to mask out an erase\ntype. When we used it to mask out an erase type a shift-out-of-bounds\nwas hit:\nUBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24\nshift exponent 4294967295 is too large for 32-bit type 'int'\n\nThe setting of the size_{shift, mask} and of the opcode are unnecessary\nwhen the erase size is zero, as throughout the code just the erase size\nis considered to determine whether an erase type is supported or not.\nSetting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF\nis an unused opcode. Thus when masking out an erase type, just set the\nerase size to zero. This will fix the shift-out-of-bounds.\n\n[ta: refine changes, new commit message, fix compilation error]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration\n\nFix a goof where KVM tries to grab source vCPUs from the destination VM\nwhen doing intrahost migration.  Grabbing the wrong vCPU not only hoses\nthe guest, it also crashes the host due to the VMSA pointer being left\nNULL.\n\n  BUG: unable to handle page fault for address: ffffe38687000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP NOPTI\n  CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO       6.5.0-smp--fff2e47e6c3b-next #151\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023\n  RIP: 0010:__free_pages+0x15/0xd0\n  RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100\n  RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000\n  RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000\n  R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000\n  R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000\n  FS:  0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   sev_free_vcpu+0xcb/0x110 [kvm_amd]\n   svm_vcpu_free+0x75/0xf0 [kvm_amd]\n   kvm_arch_vcpu_destroy+0x36/0x140 [kvm]\n   kvm_destroy_vcpus+0x67/0x100 [kvm]\n   kvm_arch_destroy_vm+0x161/0x1d0 [kvm]\n   kvm_put_kvm+0x276/0x560 [kvm]\n   kvm_vm_release+0x25/0x30 [kvm]\n   __fput+0x106/0x280\n   ____fput+0x12/0x20\n   task_work_run+0x86/0xb0\n   do_exit+0x2e3/0x9c0\n   do_group_exit+0xb1/0xc0\n   __x64_sys_exit_group+0x1b/0x20\n   do_syscall_64+0x41/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   </TASK>\n  CR2: ffffe38687000000",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix memory leak after finding block group with super blocks\n\nAt exclude_super_stripes(), if we happen to find a block group that has\nsuper blocks mapped to it and we are on a zoned filesystem, we error out\nas this is not supposed to happen, indicating either a bug or maybe some\nmemory corruption for example. However we are exiting the function without\nfreeing the memory allocated for the logical address of the super blocks.\nFix this by freeing the logical address.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: quark_dts: fix error pointer dereference\n\nIf alloc_soc_dts() fails, then we can just return.  Trying to free\n\"soc_dts\" will lead to an Oops.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: bus: verify partner exists in typec_altmode_attention\n\nSome usb hubs will negotiate DisplayPort Alt mode with the device\nbut will then negotiate a data role swap after entering the alt\nmode. The data role swap causes the device to unregister all alt\nmodes, however the usb hub will still send Attention messages\neven after failing to reregister the Alt Mode. typec_altmode_attention\ncurrently does not verify whether or not a device's altmode partner\nexists, which results in a NULL pointer error when dereferencing\nthe typec_altmode and typec_altmode_ops belonging to the altmode\npartner.\n\nVerify the presence of a device's altmode partner before sending\nthe Attention message to the Alt Mode driver.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx\n\nFor the reasons also described in commit b383e8abed41 (\"wifi: ath9k: avoid\nuninit memory read in ath9k_htc_rx_msg()\"), ath9k_htc_rx_msg() should\nvalidate pkt_len before accessing the SKB.\n\nFor example, the obtained SKB may have been badly constructed with\npkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr\nbut after being processed in ath9k_htc_rx_msg() and passed to\nath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI\ncommand header which should be located inside its data payload.\n\nImplement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit\nmemory can be referenced.\n\nTested on Qualcomm Atheros Communications AR9271 802.11n.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_bcm7271: fix leak in `brcmuart_probe`\n\nSmatch reports:\ndrivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:\n'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032.\n\nThe issue is fixed by using a managed clock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix data race on CQP completion stats\n\nCQP completion statistics is read locklessly in irdma_wait_event and\nirdma_check_cqp_progress while it can be updated in the completion\nthread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports.\n\nMake completion statistics an atomic variable to reflect coherent updates\nto it. This will also avoid load/store tearing logic bug potentially\npossible by compiler optimizations.\n\n[77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma]\n\n[77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4:\n[77346.171483]  irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma]\n[77346.171658]  irdma_cqp_ce_handler+0x164/0x270 [irdma]\n[77346.171835]  cqp_compl_worker+0x1b/0x20 [irdma]\n[77346.172009]  process_one_work+0x4d1/0xa40\n[77346.172024]  worker_thread+0x319/0x700\n[77346.172037]  kthread+0x180/0x1b0\n[77346.172054]  ret_from_fork+0x22/0x30\n\n[77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2:\n[77346.172234]  irdma_handle_cqp_op+0xf4/0x4b0 [irdma]\n[77346.172413]  irdma_cqp_aeq_cmd+0x75/0xa0 [irdma]\n[77346.172592]  irdma_create_aeq+0x390/0x45a [irdma]\n[77346.172769]  irdma_rt_init_hw.cold+0x212/0x85d [irdma]\n[77346.172944]  irdma_probe+0x54f/0x620 [irdma]\n[77346.173122]  auxiliary_bus_probe+0x66/0xa0\n[77346.173137]  really_probe+0x140/0x540\n[77346.173154]  __driver_probe_device+0xc7/0x220\n[77346.173173]  driver_probe_device+0x5f/0x140\n[77346.173190]  __driver_attach+0xf0/0x2c0\n[77346.173208]  bus_for_each_dev+0xa8/0xf0\n[77346.173225]  driver_attach+0x29/0x30\n[77346.173240]  bus_add_driver+0x29c/0x2f0\n[77346.173255]  driver_register+0x10f/0x1a0\n[77346.173272]  __auxiliary_driver_register+0xbc/0x140\n[77346.173287]  irdma_init_module+0x55/0x1000 [irdma]\n[77346.173460]  do_one_initcall+0x7d/0x410\n[77346.173475]  do_init_module+0x81/0x2c0\n[77346.173491]  load_module+0x1232/0x12c0\n[77346.173506]  __do_sys_finit_module+0x101/0x180\n[77346.173522]  __x64_sys_finit_module+0x3c/0x50\n[77346.173538]  do_syscall_64+0x39/0x90\n[77346.173553]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable preemption in bpf_perf_event_output\n\nThe nesting protection in bpf_perf_event_output relies on disabled\npreemption, which is guaranteed for kprobes and tracepoints.\n\nHowever bpf_perf_event_output can be also called from uprobes context\nthrough bpf_prog_run_array_sleepable function which disables migration,\nbut keeps preemption enabled.\n\nThis can cause a task to be preempted by another one inside the nesting\nprotection and lead eventually to two tasks using the same perf_sample_data\nbuffer and cause crashes like:\n\n  kernel tried to execute NX-protected page - exploit attempt? (uid: 0)\n  BUG: unable to handle page fault for address: ffffffff82be3eea\n  ...\n  Call Trace:\n   ? __die+0x1f/0x70\n   ? page_fault_oops+0x176/0x4d0\n   ? exc_page_fault+0x132/0x230\n   ? asm_exc_page_fault+0x22/0x30\n   ? perf_output_sample+0x12b/0x910\n   ? perf_event_output+0xd0/0x1d0\n   ? bpf_perf_event_output+0x162/0x1d0\n   ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87\n   ? __uprobe_perf_func+0x12b/0x540\n   ? uprobe_dispatcher+0x2c4/0x430\n   ? uprobe_notify_resume+0x2da/0xce0\n   ? atomic_notifier_call_chain+0x7b/0x110\n   ? exit_to_user_mode_prepare+0x13e/0x290\n   ? irqentry_exit_to_user_mode+0x5/0x30\n   ? asm_exc_int3+0x35/0x40\n\nFixing this by disabling preemption in bpf_perf_event_output.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: meson_sm: fix to avoid potential NULL pointer dereference\n\nof_match_device() may fail and returns a NULL pointer.\n\nFix this by checking the return value of of_match_device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refuse to create ea block when umounted\n\nThe ea block expansion needs to access s_root while it is\nalready set as NULL when umount is triggered. Refuse this\nrequest to avoid panic.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: avoid hanging tasks on the tx_lock\n\nsyzbot sent a hung task report and Eric explains that adversarial\nreceiver may keep RWIN at 0 for a long time, so we are not guaranteed\nto make forward progress. Thread which took tx_lock and went to sleep\nmay not release tx_lock for hours. Use interruptible sleep where\npossible and reschedule the work if it can't take the lock.\n\nTesting: existing selftest passes",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp_qoriq: fix memory leak in probe()\n\nSmatch complains that:\ndrivers/ptp/ptp_qoriq.c ptp_qoriq_probe()\nwarn: 'base' from ioremap() not released.\n\nFix this by revising the parameter from 'ptp_qoriq->base' to 'base'.\nThis is only a bug if ptp_qoriq_init() returns on the\nfirst -ENODEV error path.\nFor other error paths ptp_qoriq->base and base are the same.\nAnd this change makes the code more readable.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ymfpci: Create card with device-managed snd_devm_card_new()\n\nsnd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 (\"ALSA:\nymfpci: Allocate resources with device-managed APIs\"), but the call to\nsnd_card_new() was not replaced with snd_devm_card_new().\n\nSince there was no longer a call to snd_card_free, unloading the module\nwould eventually result in Oops:\n\n[697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480\n[697561.532893] #PF: supervisor read access in kernel mode\n[697561.532896] #PF: error_code(0x0000) - not-present page\n[697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0\n[697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G        W  OE      6.2.7 #1\n[697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022\n[697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0\n[697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f\n[697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246\n[697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000\n[697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a\n[697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380\n[697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480\n[697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80\n[697561.532942] FS:  00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000\n[697561.532945] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0\n[697561.532949] Call Trace:\n[697561.532951]  <TASK>\n[697561.532955]  try_module_get+0x13/0x30\n[697561.532960]  snd_ctl_open+0x61/0x1c0 [snd]\n[697561.532976]  snd_open+0xb4/0x1e0 [snd]\n[697561.532989]  chrdev_open+0xc7/0x240\n[697561.532995]  ? fsnotify_perm.part.0+0x6e/0x160\n[697561.533000]  ? __pfx_chrdev_open+0x10/0x10\n[697561.533005]  do_dentry_open+0x169/0x440\n[697561.533009]  vfs_open+0x2d/0x40\n[697561.533012]  path_openat+0xa9d/0x10d0\n[697561.533017]  ? debug_smp_processor_id+0x17/0x20\n[697561.533022]  ? trigger_load_balance+0x65/0x370\n[697561.533026]  do_filp_open+0xb2/0x160\n[697561.533032]  ? _raw_spin_unlock+0x19/0x40\n[697561.533036]  ? alloc_fd+0xa9/0x190\n[697561.533040]  do_sys_openat2+0x9f/0x160\n[697561.533044]  __x64_sys_openat+0x55/0x90\n[697561.533048]  do_syscall_64+0x3b/0x90\n[697561.533052]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[697561.533056] RIP: 0033:0x7f1308a40db4\n[697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44\n[697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101\n[697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4\n[697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c\n[697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012\n[697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000\n[697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000\n[697561.533078]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation\n\n/dev/vtpmx is made visible before 'workqueue' is initialized, which can\nlead to a memory corruption in the worst case scenario.\n\nAddress this by initializing 'workqueue' as the very first step of the\ndriver initialization.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition\n\nmptlan_probe() calls mpt_register_lan_device() which initializes the\n&priv->post_buckets_task workqueue. A call to\nmpt_lan_wake_post_buckets_task() will subsequently start the work.\n\nDuring driver unload in mptlan_remove() the following race may occur:\n\nCPU0                  CPU1\n\n                    |mpt_lan_post_receive_buckets_work()\nmptlan_remove()     |\n  free_netdev()     |\n    kfree(dev);     |\n                    |\n                    | dev->mtu\n                    |   //use\n\nFix this by finishing the work prior to cleaning up in mptlan_remove().\n\n[mkp: we really should remove mptlan instead of attempting to fix it]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock when converting an inline directory in nojournal mode\n\nIn no journal mode, ext4_finish_convert_inline_dir() can self-deadlock\nby calling ext4_handle_dirty_dirblock() when it already has taken the\ndirectory lock.  There is a similar self-deadlock in\next4_incvert_inline_data_nolock() for data files which we'll fix at\nthe same time.\n\nA simple reproducer demonstrating the problem:\n\n    mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64\n    mount -t ext4 -o dirsync /dev/vdc /vdc\n    cd /vdc\n    mkdir file0\n    cd file0\n    touch file0\n    touch file1\n    attr -s BurnSpaceInEA -V abcde .\n    touch supercalifragilisticexpialidocious",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsamples/bpf: Fix buffer overflow in tcp_basertt\n\nUsing sizeof(nv) or strlen(nv)+1 is correct.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix null pointer dereference in ovl_get_acl_rcu()\n\nFollowing process:\n         P1                     P2\n path_openat\n  link_path_walk\n   may_lookup\n    inode_permission(rcu)\n     ovl_permission\n      acl_permission_check\n       check_acl\n        get_cached_acl_rcu\n\t ovl_get_inode_acl\n\t  realinode = ovl_inode_real(ovl_inode)\n\t                      drop_cache\n\t\t               __dentry_kill(ovl_dentry)\n\t\t\t\tiput(ovl_inode)\n\t\t                 ovl_destroy_inode(ovl_inode)\n\t\t                  dput(oi->__upperdentry)\n\t\t                   dentry_kill(upperdentry)\n\t\t                    dentry_unlink_inode\n\t\t\t\t     upperdentry->d_inode = NULL\n\t    ovl_inode_upper\n\t     upperdentry = ovl_i_dentry_upper(ovl_inode)\n\t     d_inode(upperdentry) // returns NULL\n\t  IS_POSIXACL(realinode) // NULL pointer dereference\n, will trigger an null pointer dereference at realinode:\n  [  205.472797] BUG: kernel NULL pointer dereference, address:\n                 0000000000000028\n  [  205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted\n                 6.3.0-12064-g2edfa098e750-dirty #1216\n  [  205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300\n  [  205.489584] Call Trace:\n  [  205.489812]  <TASK>\n  [  205.490014]  ovl_get_inode_acl+0x26/0x30\n  [  205.490466]  get_cached_acl_rcu+0x61/0xa0\n  [  205.490908]  generic_permission+0x1bf/0x4e0\n  [  205.491447]  ovl_permission+0x79/0x1b0\n  [  205.491917]  inode_permission+0x15e/0x2c0\n  [  205.492425]  link_path_walk+0x115/0x550\n  [  205.493311]  path_lookupat.isra.0+0xb2/0x200\n  [  205.493803]  filename_lookup+0xda/0x240\n  [  205.495747]  vfs_fstatat+0x7b/0xb0\n\nFetch a reproducer in [Link].\n\nUse the helper ovl_i_path_realinode() to get realinode and then do\nnon-nullptr checking.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: af9005: Fix null-ptr-deref in af9005_i2c_xfer\n\nIn af9005_i2c_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach af9005_i2c_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv/sriov: perform null check on iov before dereferencing iov\n\nCurrently pointer iov is being dereferenced before the null check of iov\nwhich can lead to null pointer dereference errors. Fix this by moving the\niov null check before the dereferencing.\n\nDetected using cppcheck static analysis:\nlinux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either\nthe condition '!iov' is redundant or there is possible null pointer\ndereference: iov. [nullPointerRedundantCheck]\n num_vfs = iov->num_vfs;\n           ^",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrefscale: Fix uninitialized use of wait_queue_head_t\n\nRunning the refscale test occasionally crashes the kernel with the\nfollowing error:\n\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\n[ 8569.952900] #PF: supervisor read access in kernel mode\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\n  :\n[ 8569.952940] Call Trace:\n[ 8569.952941]  <TASK>\n[ 8569.952944]  ref_scale_reader+0x380/0x4a0 [refscale]\n[ 8569.952959]  kthread+0x10e/0x130\n[ 8569.952966]  ret_from_fork+0x1f/0x30\n[ 8569.952973]  </TASK>\n\nThe likely cause is that init_waitqueue_head() is called after the call to\nthe torture_create_kthread() function that creates the ref_scale_reader\nkthread.  Although this init_waitqueue_head() call will very likely\ncomplete before this kthread is created and starts running, it is\npossible that the calling kthread will be delayed between the calls to\ntorture_create_kthread() and init_waitqueue_head().  In this case, the\nnew kthread will use the waitqueue head before it is properly initialized,\nwhich is not good for the kernel's health and well-being.\n\nThe above crash happened here:\n\n\tstatic inline void __add_wait_queue(...)\n\t{\n\t\t:\n\t\tif (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here\n\nThe offset of flags from list_head entry in wait_queue_entry is\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\nstructure is zero initialized, the instruction will try to access address\n0xffffffffffffffe8, which is exactly the fault address listed above.\n\nThis commit therefore invokes init_waitqueue_head() before creating\nthe kthread.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm flakey: don't corrupt the zero page\n\nWhen we need to zero some range on a block device, the function\n__blkdev_issue_zero_pages submits a write bio with the bio vector pointing\nto the zero page. If we use dm-flakey with corrupt bio writes option, it\nwill corrupt the content of the zero page which results in crashes of\nvarious userspace programs. Glibc assumes that memory returned by mmap is\nzeroed and it uses it for calloc implementation; if the newly mapped\nmemory is not zeroed, calloc will return non-zeroed memory.\n\nFix this bug by testing if the page is equal to ZERO_PAGE(0) and\navoiding the corruption in this case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add\n\nWhile doing smcr_port_add, a linkgroup may be added into or deleted\nfrom smc_lgr_list.list at the same time, which may result in a kernel crash.\nSo, use smc_lgr_list.lock to protect the smc_lgr_list.list iteration in\nsmcr_port_add.\n\nThe crash calltrace is shown below:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G\nHardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014\nWorkqueue: events smc_ib_port_event_work [smc]\nRIP: 0010:smcr_port_add+0xa6/0xf0 [smc]\nRSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297\nRAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000\nRBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918\nR10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4\nR13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08\nFS:  0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0\nPKRU: 55555554\nCall Trace:\n smc_ib_port_event_work+0x18f/0x380 [smc]\n process_one_work+0x19b/0x340\n worker_thread+0x30/0x370\n ? process_one_work+0x340/0x340\n kthread+0x114/0x130\n ? __kthread_cancel_work+0x50/0x50\n ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91-pio4: check return value of devm_kasprintf()\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory.\nPointer could be NULL in case allocation fails. Check pointer validity.\nIdentified with coccinelle (kmerr.cocci script).\n\nDepends-on: 1c4e5c470a56 (\"pinctrl: at91: use devm_kasprintf() to avoid potential leaks\")\nDepends-on: 5a8f9cf269e8 (\"pinctrl: at91-pio4: use proper format specifier for unsigned int\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()\n\nFunction amd_pmc_stb_debugfs_open_v2() may be called when the STB\ndebug mechanism is enabled.\n\nWhen amd_pmc_send_cmd() fails, the 'buf' needs to be released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.4"
        },
        {
          "id": "CVE-2023-54321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential null-ptr-deref in device_add()\n\nI got the following null-ptr-deref report while doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G    B   W        N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n <TASK>\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x196/0x210\n bus_remove_device+0x1bd/0x240\n device_add+0xd3d/0x1100\n w1_add_master_device+0x476/0x490 [wire]\n ds2482_probe+0x303/0x3e0 [ds2482]\n\nThis is how it happened:\n\nw1_alloc_dev()\n  // The dev->driver is set to w1_master_driver.\n  memcpy(&dev->dev, device, sizeof(struct device));\n  device_add()\n    bus_add_device()\n    dpm_sysfs_add() // It fails, calls bus_remove_device.\n\n    // error path\n    bus_remove_device()\n      // The dev->driver is not null, but driver is not bound.\n      __device_release_driver()\n        klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.\n\n    // normal path\n    bus_probe_device() // It's not called yet.\n      device_bind_driver()\n\nIf dev->driver is set, in the error path after calling bus_add_device()\nin device_add(), bus_remove_device() is called, then the device will be\ndetached from driver. But device_bind_driver() is not called yet, so it\ncauses null-ptr-deref while access the 'knode_driver'. To fix this, set\ndev->driver to null in the error path before calling bus_remove_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set __exception_irq_entry with __irq_entry as a default\n\nfilter_irq_stacks() is supposed to cut entries which are related irq entries\nfrom its call stack.\nAnd in_irqentry_text() which is called by filter_irq_stacks()\nuses __irqentry_text_start/end symbol to find irq entries in callstack.\n\nBut it doesn't work correctly as without \"CONFIG_FUNCTION_GRAPH_TRACER\",\narm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq\nbetween __irqentry_text_start and __irqentry_text_end as we discussed in below link.\nhttps://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t\n\nThis problem can make unintentional deep call stack entries especially\nin KASAN enabled situation as below.\n\n[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity\n[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c\n[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c\n[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c\n[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0\n[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000\n[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd\n[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040\n[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000\n[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20\n[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8\n[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800\n[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8\n[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c\n[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022\n[ 2479.386231]I[0:launcher-loader: 1719] Call trace:\n[ 2479.386248]I[0:launcher-loader: 1719]  __stack_depot_save+0x464/0x46c\n[ 2479.386273]I[0:launcher-loader: 1719]  kasan_save_stack+0x58/0x70\n[ 2479.386303]I[0:launcher-loader: 1719]  save_stack_info+0x34/0x138\n[ 2479.386331]I[0:launcher-loader: 1719]  kasan_save_free_info+0x18/0x24\n[ 2479.386358]I[0:launcher-loader: 1719]  ____kasan_slab_free+0x16c/0x170\n[ 2479.386385]I[0:launcher-loader: 1719]  __kasan_slab_free+0x10/0x20\n[ 2479.386410]I[0:launcher-loader: 1719]  kmem_cache_free+0x238/0x53c\n[ 2479.386435]I[0:launcher-loader: 1719]  mempool_free_slab+0x1c/0x28\n[ 2479.386460]I[0:launcher-loader: 1719]  mempool_free+0x7c/0x1a0\n[ 2479.386484]I[0:launcher-loader: 1719]  bvec_free+0x34/0x80\n[ 2479.386514]I[0:launcher-loader: 1719]  bio_free+0x60/0x98\n[ 2479.386540]I[0:launcher-loader: 1719]  bio_put+0x50/0x21c\n[ 2479.386567]I[0:launcher-loader: 1719]  f2fs_write_end_io+0x4ac/0x4d0\n[ 2479.386594]I[0:launcher-loader: 1719]  bio_endio+0x2dc/0x300\n[ 2479.386622]I[0:launcher-loader: 1719]  __dm_io_complete+0x324/0x37c\n[ 2479.386650]I[0:launcher-loader: 1719]  dm_io_dec_pending+0x60/0xa4\n[ 2479.386676]I[0:launcher-loader: 1719]  clone_endio+0xf8/0x2f0\n[ 2479.386700]I[0:launcher-loader: 1719]  bio_endio+0x2dc/0x300\n[ 2479.386727]I[0:launcher-loader: 1719]  blk_update_request+0x258/0x63c\n[ 2479.386754]I[0:launcher-loader: 1719]  scsi_end_request+0x50/0x304\n[ 2479.386782]I[0:launcher-loader: 1719]  scsi_io_completion+0x88/0x160\n[ 2479.386808]I[0:launcher-loader: 1719]  scsi_finish_command+0x17c/0x194\n[ 2479.386833]I\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-54323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pmem: Fix nvdimm registration races\n\nA loop of the form:\n\n    while true; do modprobe cxl_pci; modprobe -r cxl_pci; done\n\n...fails with the following crash signature:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000040\n    [..]\n    RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core]\n    [..]\n    Call Trace:\n     <TASK>\n     cxl_pmem_ctl+0x121/0x240 [cxl_pmem]\n     nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm]\n     nd_label_data_init+0x135/0x7e0 [libnvdimm]\n     nvdimm_probe+0xd6/0x1c0 [libnvdimm]\n     nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]\n     really_probe+0xde/0x380\n     __driver_probe_device+0x78/0x170\n     driver_probe_device+0x1f/0x90\n     __device_attach_driver+0x85/0x110\n     bus_for_each_drv+0x7d/0xc0\n     __device_attach+0xb4/0x1e0\n     bus_probe_device+0x9f/0xc0\n     device_add+0x445/0x9c0\n     nd_async_device_register+0xe/0x40 [libnvdimm]\n     async_run_entry_fn+0x30/0x130\n\n...namely that the bottom half of async nvdimm device registration runs\nafter the CXL has already torn down the context that cxl_pmem_ctl()\nneeds. Unlike the ACPI NFIT case that benefits from launching multiple\nnvdimm device registrations in parallel from those listed in the table,\nCXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a\nsynchronous registration path to preclude this scenario.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54323",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix a race condition in retrieve_deps\n\nThere's a race condition in the multipath target when retrieve_deps\nraces with multipath_message calling dm_get_device and dm_put_device.\nretrieve_deps walks the list of open devices without holding any lock\nbut multipath may add or remove devices to the list while it is\nrunning. The end result may be memory corruption or use-after-free\nmemory access.\n\nSee this description of a UAF with multipath_message():\nhttps://listman.redhat.com/archives/dm-devel/2022-October/052373.html\n\nFix this bug by introducing a new rw semaphore \"devices_lock\". We grab\ndevices_lock for read in retrieve_deps and we grab it for write in\ndm_get_device and dm_put_device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6"
        },
        {
          "id": "CVE-2023-54325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix out-of-bounds read\n\nWhen preparing an AER-CTR request, the driver copies the key provided by\nthe user into a data structure that is accessible by the firmware.\nIf the target device is QAT GEN4, the key size is rounded up by 16 since\na rounded up size is expected by the device.\nIf the key size is rounded up before the copy, the size used for copying\nthe key might be bigger than the size of the region containing the key,\ncausing an out-of-bounds read.\n\nFix by doing the copy first and then update the keylen.\n\nThis is to fix the following warning reported by KASAN:\n\n\t[  138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340\n\n\t[  138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45\n\t[  138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n\t[  138.150663] Call Trace:\n\t[  138.150668]  <TASK>\n\t[  138.150922]  kasan_check_range+0x13a/0x1c0\n\t[  138.150931]  memcpy+0x1f/0x60\n\t[  138.150940]  qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.151006]  qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n\t[  138.151073]  crypto_skcipher_setkey+0x82/0x160\n\t[  138.151085]  ? prepare_keybuf+0xa2/0xd0\n\t[  138.151095]  test_skcipher_vec_cfg+0x2b8/0x800",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54325",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2023-54326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Free IRQs before removing the device\n\nIn pci_endpoint_test_remove(), freeing the IRQs after removing the device\ncreates a small race window for IRQs to be received with the test device\nmemory already released, causing the IRQ handler to access invalid memory,\nresulting in an oops.\n\nFree the device IRQs before removing the device to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-54326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.5"
        },
        {
          "id": "CVE-2023-5633",
          "summary": "The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5633"
        },
        {
          "id": "CVE-2023-5717",
          "summary": "A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\n\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\n\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717"
        },
        {
          "id": "CVE-2023-5972",
          "summary": "A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5972"
        },
        {
          "id": "CVE-2023-6039",
          "summary": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039"
        },
        {
          "id": "CVE-2023-6040",
          "summary": "An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6040"
        },
        {
          "id": "CVE-2023-6111",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.\n\nWe recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6111"
        },
        {
          "id": "CVE-2023-6176",
          "summary": "A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.6rc2"
        },
        {
          "id": "CVE-2023-6200",
          "summary": "A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6200"
        },
        {
          "id": "CVE-2023-6238",
          "summary": "A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6238"
        },
        {
          "id": "CVE-2023-6240",
          "summary": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240"
        },
        {
          "id": "CVE-2023-6270",
          "summary": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270",
          "detail": "fixed-version",
          "description": "Fixed from 6.9"
        },
        {
          "id": "CVE-2023-6356",
          "summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356"
        },
        {
          "id": "CVE-2023-6531",
          "summary": "A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531"
        },
        {
          "id": "CVE-2023-6535",
          "summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535",
          "detail": "fixed-version",
          "description": "Fixed from 6.8"
        },
        {
          "id": "CVE-2023-6536",
          "summary": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536"
        },
        {
          "id": "CVE-2023-6546",
          "summary": "A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546"
        },
        {
          "id": "CVE-2023-6560",
          "summary": "An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6560"
        },
        {
          "id": "CVE-2023-6606",
          "summary": "An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6606"
        },
        {
          "id": "CVE-2023-6610",
          "summary": "An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
          "detail": "fixed-version",
          "description": "Fixed from 6.7rc7"
        },
        {
          "id": "CVE-2023-6622",
          "summary": "A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6622"
        },
        {
          "id": "CVE-2023-6679",
          "summary": "A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the  Linux kernel. This issue could be exploited to trigger a denial of service.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6679",
          "detail": "fixed-version",
          "description": "Fixed from 6.7rc6"
        },
        {
          "id": "CVE-2023-6817",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\n\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6817"
        },
        {
          "id": "CVE-2023-6915",
          "summary": "A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915"
        },
        {
          "id": "CVE-2023-6931",
          "summary": "A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\n\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\n\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931"
        },
        {
          "id": "CVE-2023-6932",
          "summary": "A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\n\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\n\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932"
        },
        {
          "id": "CVE-2023-7042",
          "summary": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042",
          "detail": "fixed-version",
          "description": "Fixed from 6.9rc1"
        },
        {
          "id": "CVE-2023-7192",
          "summary": "A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192"
        },
        {
          "id": "CVE-2023-7324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses\n\nSanitize possible addl_desc_ptr out-of-bounds accesses in\nses_enclosure_data_process().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-7324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.3"
        },
        {
          "id": "CVE-2024-0193",
          "summary": "A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0193",
          "detail": "fixed-version",
          "description": "Fixed from 6.7"
        },
        {
          "id": "CVE-2024-0340",
          "summary": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340"
        },
        {
          "id": "CVE-2024-0443",
          "summary": "A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0443"
        },
        {
          "id": "CVE-2024-0562",
          "summary": "A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0562"
        },
        {
          "id": "CVE-2024-0564",
          "summary": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564"
        },
        {
          "id": "CVE-2024-0565",
          "summary": "An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0565"
        },
        {
          "id": "CVE-2024-0582",
          "summary": "A memory leak flaw was found in the Linux kernel\u2019s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0582"
        },
        {
          "id": "CVE-2024-0607",
          "summary": "A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0607"
        },
        {
          "id": "CVE-2024-0639",
          "summary": "A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel\u2019s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0639"
        },
        {
          "id": "CVE-2024-0641",
          "summary": "A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel\u2019s TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0641"
        },
        {
          "id": "CVE-2024-0646",
          "summary": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0646"
        },
        {
          "id": "CVE-2024-0775",
          "summary": "A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0775"
        },
        {
          "id": "CVE-2024-0841",
          "summary": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.",
          "scorev2": "0.0",
          "scorev3": "6.6",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841"
        },
        {
          "id": "CVE-2024-1085",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability.\n\nWe recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.\n\n",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1085"
        },
        {
          "id": "CVE-2024-1086",
          "summary": "A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\n\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086"
        },
        {
          "id": "CVE-2024-1151",
          "summary": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151"
        },
        {
          "id": "CVE-2024-1312",
          "summary": "A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-1312"
        },
        {
          "id": "CVE-2024-14027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-14027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-20040",
          "summary": "In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08360153 (for MT6XXX chipsets) / WCNCR00363530 (for MT79XX chipsets); Issue ID: MSV-979.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-20040"
        },
        {
          "id": "CVE-2024-21803",
          "summary": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n",
          "scorev2": "0.0",
          "scorev3": "3.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803"
        },
        {
          "id": "CVE-2024-22099",
          "summary": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099"
        },
        {
          "id": "CVE-2024-22386",
          "summary": "A race condition was found in the Linux kernel's drm/exynos device driver in\u00a0exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386"
        },
        {
          "id": "CVE-2024-22705",
          "summary": "An issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705"
        },
        {
          "id": "CVE-2024-23196",
          "summary": "A race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196"
        },
        {
          "id": "CVE-2024-23307",
          "summary": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307"
        },
        {
          "id": "CVE-2024-23848",
          "summary": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848"
        },
        {
          "id": "CVE-2024-23849",
          "summary": "In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849"
        },
        {
          "id": "CVE-2024-23850",
          "summary": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850"
        },
        {
          "id": "CVE-2024-23851",
          "summary": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851"
        },
        {
          "id": "CVE-2024-24855",
          "summary": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
          "scorev2": "0.0",
          "scorev3": "5.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855"
        },
        {
          "id": "CVE-2024-24857",
          "summary": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857"
        },
        {
          "id": "CVE-2024-24858",
          "summary": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858"
        },
        {
          "id": "CVE-2024-24859",
          "summary": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859"
        },
        {
          "id": "CVE-2024-24860",
          "summary": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860"
        },
        {
          "id": "CVE-2024-24861",
          "summary": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861"
        },
        {
          "id": "CVE-2024-24864",
          "summary": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write()\u00a0function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864"
        },
        {
          "id": "CVE-2024-25739",
          "summary": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739"
        },
        {
          "id": "CVE-2024-25740",
          "summary": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740"
        },
        {
          "id": "CVE-2024-25741",
          "summary": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741"
        },
        {
          "id": "CVE-2024-25744",
          "summary": "In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-25744"
        },
        {
          "id": "CVE-2024-26581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: don't try to destroy PHC on VFs\n\nPHC gets initialized in nsim_init_netdevsim(), which\nis only called if (nsim_dev_port_is_pf()).\n\nCreate a counterpart of nsim_init_netdevsim() and\nmove the mock_phc_destroy() there.\n\nThis fixes a crash trying to destroy netdevsim with\nVFs instantiated, as caught by running the devlink.sh test:\n\n    BUG: kernel NULL pointer dereference, address: 00000000000000b8\n    RIP: 0010:mock_phc_destroy+0xd/0x30\n    Call Trace:\n     <TASK>\n     nsim_destroy+0x4a/0x70 [netdevsim]\n     __nsim_dev_port_del+0x47/0x70 [netdevsim]\n     nsim_dev_reload_destroy+0x105/0x120 [netdevsim]\n     nsim_drv_remove+0x2f/0xb0 [netdevsim]\n     device_release_driver_internal+0x1a1/0x210\n     bus_remove_device+0xd5/0x120\n     device_del+0x159/0x490\n     device_unregister+0x12/0x30\n     del_device_store+0x11a/0x1a0 [netdevsim]\n     kernfs_fop_write_iter+0x130/0x1d0\n     vfs_write+0x30b/0x4b0\n     ksys_write+0x69/0xf0\n     do_syscall_64+0xcc/0x1e0\n     entry_SYSCALL_64_after_hwframe+0x6f/0x77",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Prevent out-of-bounds memory access\n\nThe test_tag test triggers an unhandled page fault:\n\n  # ./test_tag\n  [  130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70\n  [  130.640501] Oops[#3]:\n  [  130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G      D    O       6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a\n  [  130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n  [  130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40\n  [  130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000\n  [  130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000\n  [  130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70\n  [  130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0\n  [  130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0\n  [  130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000\n  [  130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000\n  [  130.641900]    ra: 9000000003139e70 build_body+0x1fcc/0x4988\n  [  130.642007]   ERA: 9000000003137f7c build_body+0xd8/0x4988\n  [  130.642112]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n  [  130.642261]  PRMD: 00000004 (PPLV0 +PIE -PWE)\n  [  130.642353]  EUEN: 00000003 (+FPE +SXE -ASXE -BTE)\n  [  130.642458]  ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n  [  130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n  [  130.642658]  BADV: ffff80001b898004\n  [  130.642719]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n  [  130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]\n  [  130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)\n  [  130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8\n  [  130.643213]         0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0\n  [  130.643378]         0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000\n  [  130.643538]         0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000\n  [  130.643685]         00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000\n  [  130.643831]         ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000\n  [  130.643983]         0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558\n  [  130.644131]         0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000\n  [  130.644276]         9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc\n  [  130.644423]         ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0\n  [  130.644572]         ...\n  [  130.644629] Call Trace:\n  [  130.644641] [<9000000003137f7c>] build_body+0xd8/0x4988\n  [  130.644785] [<900000000313ca94>] bpf_int_jit_compile+0x228/0x4ec\n  [  130.644891] [<90000000032acfb0>] bpf_prog_select_runtime+0x158/0x1b0\n  [  130.645003] [<90000000032b3504>] bpf_prog_load+0x760/0xb44\n  [  130.645089] [<90000000032b6744>] __sys_bpf+0xbb8/0x2588\n  [  130.645175] [<90000000032b8388>] sys_bpf+0x20/0x2c\n  [  130.645259] [<9000000003f6ab38>] do_syscall+0x7c/0x94\n  [  130.645369] [<9000000003121c5c>] handle_syscall+0xbc/0x158\n  [  130.645507]\n  [  130.645539] Code: 380839f6  380831f9  28412bae <24000ca6> 004081ad  0014cb50  004083e8  02bff34c  58008e91\n  [  130.645729]\n  [  130.646418] ---[ end trace 0000000000000000 ]---\n\nOn my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at\nloading a BPF prog with 2039 instructions:\n\n  prog = (struct bpf_prog *)ffff80001b894000\n  insn = (struct bpf_insn *)(prog->insnsi)fff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\n\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\n\nThe following prog is accepted:\n\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\n\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\n\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 
kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use the MicroLZMA\nalgorithmtype even if it's not set in `sbi->available_compr_algs`.  This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request.  The incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed as well, since it was harmless previously.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix re-attachment branch in bpf_tracing_prog_attach\n\nThe following case can cause a crash due to missing attach_btf:\n\n1) load rawtp program\n2) load fentry program with rawtp as target_fd\n3) create tracing link for fentry program with target_fd = 0\n4) repeat 3\n\nIn the end we have:\n\n- prog->aux->dst_trampoline == NULL\n- tgt_prog == NULL (because we did not provide target_fd to link_create)\n- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)\n- the program was loaded for tgt_prog but we have no way to find out which one\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000058\n    Call Trace:\n     <TASK>\n     ? __die+0x20/0x70\n     ? page_fault_oops+0x15b/0x430\n     ? fixup_exception+0x22/0x330\n     ? exc_page_fault+0x6f/0x170\n     ? asm_exc_page_fault+0x22/0x30\n     ? bpf_tracing_prog_attach+0x279/0x560\n     ? btf_obj_id+0x5/0x10\n     bpf_tracing_prog_attach+0x439/0x560\n     __sys_bpf+0x1cf4/0x2de0\n     __x64_sys_bpf+0x1c/0x30\n     do_syscall_64+0x41/0xf0\n     entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nReturn -EINVAL in this situation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\n\nThe race is between the handling of a new TCP connection and\nits disconnection. It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26592",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate mech token in session setup\n\nIf a client sends an invalid mech token in a session setup request, ksmbd\nvalidates it and returns an error if it is invalid.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[   43.309174] ==================================================================\n[   43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[   43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[   43.330058]\n[   43.342436] Call trace:\n[   43.366542]  dsa_user_prechangeupper+0x30/0xe8\n[   43.371024]  dsa_user_netdevice_event+0xb38/0xee8\n[   43.375768]  notifier_call_chain+0xa4/0x210\n[   43.379985]  raw_notifier_call_chain+0x24/0x38\n[   43.384464]  __netdev_upper_dev_link+0x3ec/0x5d8\n[   43.389120]  netdev_upper_dev_link+0x70/0xa8\n[   43.393424]  register_vlan_dev+0x1bc/0x310\n[   43.397554]  vlan_newlink+0x210/0x248\n[   43.401247]  rtnl_newlink+0x9fc/0xe30\n[   43.404942]  rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type 
check, as customary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\n\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\n\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 
arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\n\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\n\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\n\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: Fix out-of-bounds access in of_pwm_single_xlate()\n\nWith args->args_count == 2 args->args[2] is not defined. Actually the\nflags are contained in args->args[1].",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything.  So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible to construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n   fx_sw->xfeatures.\n * user-space unmaps parts of the sigframe fpu buffer so that not all of\n   the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"kobject: Remove redundant checks for whether ktype is NULL\"\n\nThis reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31.\n\nIt is reported to cause problems, so revert it for now until the root\ncause can be found.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n  ============================================\n  WARNING: possible recursive locking detected\n  6.7.0 #40 Not tainted\n  --------------------------------------------\n  kworker/u16:5/90 is trying to acquire lock:\n  ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n              but task is already holding lock:\n  ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n              other info that might help us debug this:\n   Possible unsafe locking scenario:\n\n         CPU0\n         ----\n    lock(pci_bus_sem);\n    lock(pci_bus_sem);\n\n               *** DEADLOCK ***\n\n  Call trace:\n   print_deadlock_bug+0x25c/0x348\n   __lock_acquire+0x10a4/0x2064\n   lock_acquire+0x1e8/0x318\n   down_read+0x60/0x184\n   pcie_aspm_pm_state_change+0x58/0xdc\n   pci_set_full_power_state+0xa8/0x114\n   pci_set_power_state+0xc4/0x120\n   qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n   pci_walk_bus+0x64/0xbc\n   qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). 
Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix global oob in ksmbd_nl_policy\n\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. See bug\ntrace below:\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\n\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n </TASK>\n\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\n\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n                   ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\n\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix a memory corruption\n\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\n\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS:  00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058]  <IRQ>\n[1136314.452465]  ? __die+0x20/0x70\n[1136314.459881]  ? page_fault_oops+0x15b/0x440\n[1136314.468305]  ? exc_page_fault+0x6a/0x150\n[1136314.476491]  ? asm_exc_page_fault+0x22/0x30\n[1136314.484927]  ? __xdp_return+0x6c/0x210\n[1136314.492863]  bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269]  bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263]  ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222]  ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506]  ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858]  ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010]  __napi_poll+0x29/0x1b0\n[1136314.553462]  net_rx_action+0x133/0x270\n[1136314.561619]  __do_softirq+0xbe/0x28e\n[1136314.569303]  do_softirq+0x3f/0x60\n\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\n\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26611",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs, fscache: Prevent Oops in fscache_put_cache()\n\nThis function dereferences \"cache\" and then checks if it's\nIS_ERR_OR_NULL().  Check first, then dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: make sure init the accept_queue's spinlocks once\n\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\n\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\n\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\n\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\n\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\n\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: avoid use-after-free when chunk length is not 64K aligned\n\n[BUG]\nThere is a bug report that, on a ext4-converted btrfs, scrub leads to\nvarious problems, including:\n\n- \"unable to find chunk map\" errors\n  BTRFS info (device vdb): scrub: started on devid 1\n  BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096\n  BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 45056\n\n  This would lead to unrepariable errors.\n\n- Use-after-free KASAN reports:\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in __blk_rq_map_sg+0x18f/0x7c0\n  Read of size 8 at addr ffff8881013c9040 by task btrfs/909\n  CPU: 0 PID: 909 Comm: btrfs Not tainted 6.7.0-x64v3-dbg #11 c50636e9419a8354555555245df535e380563b2b\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-2 12/24/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x43/0x60\n   print_report+0xcf/0x640\n   kasan_report+0xa6/0xd0\n   __blk_rq_map_sg+0x18f/0x7c0\n   virtblk_prep_rq.isra.0+0x215/0x6a0 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n   virtio_queue_rqs+0xc4/0x310 [virtio_blk 19a65eeee9ae6fcf02edfad39bb9ddee07dcdaff]\n   blk_mq_flush_plug_list.part.0+0x780/0x860\n   __blk_flush_plug+0x1ba/0x220\n   blk_finish_plug+0x3b/0x60\n   submit_initial_group_read+0x10a/0x290 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   flush_scrub_stripes+0x38e/0x430 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_stripe+0x82a/0xae0 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_chunk+0x178/0x200 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   scrub_enumerate_chunks+0x4bc/0xa30 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   btrfs_scrub_dev+0x398/0x810 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   btrfs_ioctl+0x4b9/0x3020 [btrfs e57987a360bed82fe8756dcd3e0de5406ccfe965]\n   __x64_sys_ioctl+0xbd/0x100\n   do_syscall_64+0x5d/0xe0\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\n  RIP: 0033:0x7f47e5e0952b\n\n- Crash, mostly due to above use-after-free\n\n[CAUSE]\nThe converted fs has the following data chunk layout:\n\n    item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 2214658048) itemoff 16025 itemsize 80\n        length 86016 owner 2 stripe_len 65536 type DATA|single\n\nFor above logical bytenr 2214744064, it's at the chunk end\n(2214658048 + 86016 = 2214744064).\n\nThis means btrfs_submit_bio() would split the bio, and trigger endio\nfunction for both of the two halves.\n\nHowever scrub_submit_initial_read() would only expect the endio function\nto be called once, not any more.\nThis means the first endio function would already free the bbio::bio,\nleaving the bvec freed, thus the 2nd endio call would lead to\nuse-after-free.\n\n[FIX]\n- Make sure scrub_read_endio() only updates bits in its range\n  Since we may read less than 64K at the end of the chunk, we should not\n  touch the bits beyond chunk boundary.\n\n- Make sure scrub_submit_initial_read() only to read the chunk range\n  This is done by calculating the real number of sectors we need to\n  read, and add sector-by-sector to the bio.\n\nThankfully the scrub read repair path won't need extra fixes:\n\n- scrub_stripe_submit_repair_read()\n  With above fixes, we won't update error bit for range beyond chunk,\n  thus scrub_stripe_submit_repair_read() should never submit any read\n  beyond the chunk.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: move mmu notification mechanism inside mm lock\n\nMove mmu notification mechanism inside mm lock to prevent race condition\nin other components which depend on it.  The notifier will invalidate\nmemory range.  Depending upon the number of iterations, different memory\nranges would be invalidated.\n\nThe following warning would be removed by this patch:\nWARNING: CPU: 0 PID: 5067 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:734 kvm_mmu_notifier_change_pte+0x860/0x960 arch/x86/kvm/../../../virt/kvm/kvm_main.c:734\n\nThere is no behavioural and performance change with this patch when\nthere is no component registered with the mmu notifier.\n\n[akpm@linux-foundation.org: narrow the scope of `range', per Sean]",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix module loading free order\n\nReverse order of kfree calls to resolve use-after-free error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vfio-ap: always filter entire AP matrix\n\nThe vfio_ap_mdev_filter_matrix function is called whenever a new adapter or\ndomain is assigned to the mdev. The purpose of the function is to update\nthe guest's AP configuration by filtering the matrix of adapters and\ndomains assigned to the mdev. When an adapter or domain is assigned, only\nthe APQNs associated with the APID of the new adapter or APQI of the new\ndomain are inspected. If an APQN does not reference a queue device bound to\nthe vfio_ap device driver, then it's APID will be filtered from the mdev's\nmatrix when updating the guest's AP configuration.\n\nInspecting only the APID of the new adapter or APQI of the new domain will\nresult in passing AP queues through to a guest that are not bound to the\nvfio_ap device driver under certain circumstances. Consider the following:\n\nguest's AP configuration (all also assigned to the mdev's matrix):\n14.0004\n14.0005\n14.0006\n16.0004\n16.0005\n16.0006\n\nunassign domain 4\nunbind queue 16.0005\nassign domain 4\n\nWhen domain 4 is re-assigned, since only domain 4 will be inspected, the\nAPQNs that will be examined will be:\n14.0004\n16.0004\n\nSince both of those APQNs reference queue devices that are bound to the\nvfio_ap device driver, nothing will get filtered from the mdev's matrix\nwhen updating the guest's AP configuration. Consequently, queue 16.0005\nwill get passed through despite not being bound to the driver. This\nviolates the linux device model requirement that a guest shall only be\ngiven access to devices bound to the device driver facilitating their\npass-through.\n\nTo resolve this problem, every adapter and domain assigned to the mdev will\nbe inspected when filtering the mdev's matrix.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: don't force huge page alignment on 32 bit\n\ncommit efa7df3e3bb5 (\"mm: align larger anonymous mappings on THP\nboundaries\") caused two issues [1] [2] reported on 32 bit system or compat\nuserspace.\n\nIt doesn't make too much sense to force huge page alignment on 32 bit\nsystem due to the constrained virtual address space.\n\n[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/\n[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: Prevent race issues involving the adminq\n\nThere are multiple paths that can result in using the pdsc's\nadminq.\n\n[1] pdsc_adminq_isr and the resulting work from queue_work(),\n    i.e. pdsc_work_thread()->pdsc_process_adminq()\n\n[2] pdsc_adminq_post()\n\nWhen the device goes through reset via PCIe reset and/or\na fw_down/fw_up cycle due to bad PCIe state or bad device\nstate the adminq is destroyed and recreated.\n\nA NULL pointer dereference can happen if [1] or [2] happens\nafter the adminq is already destroyed.\n\nIn order to fix this, add some further state checks and\nimplement reference counting for adminq uses. Reference\ncounting was used because multiple threads can attempt to\naccess the adminq at the same time via [1] or [2]. Additionally,\nmultiple clients (i.e. pds-vfio-pci) can be using [2]\nat the same time.\n\nThe adminq_refcnt is initialized to 1 when the adminq has been\nallocated and is ready to use. Users/clients of the adminq\n(i.e. [1] and [2]) will increment the refcnt when they are using\nthe adminq. When the driver goes into a fw_down cycle it will\nset the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt\nto hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent\nany further adminq_refcnt increments. Waiting for the\nadminq_refcnt to hit 1 allows for any current users of the adminq\nto finish before the driver frees the adminq. Once the\nadminq_refcnt hits 1 the driver clears the refcnt to signify that\nthe adminq is deleted and cannot be used. On the fw_up cycle the\ndriver will once again initialize the adminq_refcnt to 1 allowing\nthe adminq to be used again.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: call sock_orphan() at release time\n\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\n\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\n\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\n\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\n\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\n\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: fix kernel panic when forwarding mcast packets\n\nThe stacktrace was:\n[   86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092\n[   86.306815] #PF: supervisor read access in kernel mode\n[   86.307717] #PF: error_code(0x0000) - not-present page\n[   86.308624] PGD 0 P4D 0\n[   86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G     U             6.8.0-6wind-knet #1\n[   86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014\n[   86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f\n[   86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246\n[   86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[   86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000\n[   86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000\n[   86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[   86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80\n[   86.322873] FS:  00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000\n[   86.324291] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0\n[   86.326589] Call Trace:\n[   86.327036]  <TASK>\n[   86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)\n[   86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)\n[   86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)\n[   86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)\n[   86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[   86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))\n[   86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)\n[   86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)\n[   86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[   86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[   86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)\n[   86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)\n[   86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[   86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[   86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[   86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)\n[   86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)\n[   86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[   86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)\n[   86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)\n[   86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)\n[   86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))\n[   86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)\n[   86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)\n[   86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/kn\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.4"
        },
        {
          "id": "CVE-2024-26627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\n\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\n\nThis can be too heavy in case of recovery, such as:\n\n - N hardware queues\n\n - queue depth is M for each hardware queue\n\n - each scsi_host_busy() iterates over (N * M) tag/requests\n\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\n\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\n\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\n\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful.  Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held.  This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible.  It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero.  However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked().  It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids.  If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER.  That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded).  When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid.  It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe.  For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps.  With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: cachestat: fix folio read-after-free in cache walk\n\nIn cachestat, we access the folio from the page cache's xarray to compute\nits page offset, and check for its dirty and writeback flags.  However, we\ndo not hold a reference to the folio before performing these actions,\nwhich means the folio can concurrently be released and reused as another\nfolio/page/slab.\n\nGet around this altogether by just using xarray's existing machinery for\nthe folio page offsets and dirty/writeback states.\n\nThis changes behavior for tmpfs files to now always report zeroes in their\ndirty and writeback counters.  This is okay as tmpfs doesn't follow\nconventional writeback cache behavior: its pages get \"cleaned\" during\nswapout, after which they're no longer resident etc.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work\n\nidev->mc_ifc_count can be written over without proper locking.\n\nOriginally found by syzbot [1], fix this issue by encapsulating calls\nto mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with\nmutex_lock() and mutex_unlock() accordingly as these functions\nshould only be called with mc_lock per their declarations.\n\n[1]\nBUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:\n mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]\n ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725\n addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949\n addrconf_notify+0x310/0x980\n notifier_call_chain kernel/notifier.c:93 [inline]\n raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461\n __dev_notify_flags+0x205/0x3d0\n dev_change_flags+0xab/0xd0 net/core/dev.c:8685\n do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916\n rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3717 [inline]\n rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754\n rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558\n netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545\n rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910\n ...\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:\n mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700\n worker_thread+0x525/0x730 kernel/workqueue.c:2781\n ...",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix iterating over an empty bio with bio_for_each_folio_all\n\nIf the bio contains no data, bio_first_folio() calls page_folio() on a\nNULL pointer and oopses.  Move the test that we've reached the end of\nthe bio from bio_next_folio() to bio_first_folio().\n\n[axboe: add unlikely() to error case]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\n\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\n\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\n\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix removing a namespace with conflicting altnames\n\nMark reports a BUG() when a net namespace is removed.\n\n    kernel BUG at net/core/dev.c:11520!\n\nPhysical interfaces moved outside of init_net get \"refunded\"\nto init_net when that namespace disappears. The main interface\nname may get overwritten in the process if it would have\nconflicted. We need to also discard all conflicting altnames.\nRecent fixes addressed ensuring that altnames get moved\nwith the main interface, which surfaced this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: Drop support for ETH_P_TR_802_2.\n\nsyzbot reported an uninit-value bug below. [0]\n\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\n\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\n\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\n\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\n\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\n\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\n\nLet's remove llc_tr_packet_type and complete the deprecation.\n\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: make llc_ui_sendmsg() more robust against bonding changes\n\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\n\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\n\nThis fix:\n\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\n\n[1]\n\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\n\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: rely on mac80211 debugfs handling for vif\n\nmac80211 started to delete debugfs entries in certain cases, causing a\nath11k to crash when it tried to delete the entries later. Fix this by\nrelying on mac80211 to delete the entries when appropriate and adding\nthem from the vif_add_debugfs handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: always initialize struct msghdr completely\n\nsyzbot complains that msg->msg_get_inq value can be uninitialized [1]\n\nstruct msghdr got many new fields recently, we should always make\nsure their values is zero by default.\n\n[1]\n BUG: KMSAN: uninit-value in tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571\n  tcp_recvmsg+0x686/0xac0 net/ipv4/tcp.c:2571\n  inet_recvmsg+0x131/0x580 net/ipv4/af_inet.c:879\n  sock_recvmsg_nosec net/socket.c:1044 [inline]\n  sock_recvmsg+0x12b/0x1e0 net/socket.c:1066\n  __sock_xmit+0x236/0x5c0 drivers/block/nbd.c:538\n  nbd_read_reply drivers/block/nbd.c:732 [inline]\n  recv_work+0x262/0x3100 drivers/block/nbd.c:863\n  process_one_work kernel/workqueue.c:2627 [inline]\n  process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700\n  worker_thread+0xf45/0x1490 kernel/workqueue.c:2781\n  kthread+0x3ed/0x540 kernel/kthread.c:388\n  ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n\nLocal variable msg created at:\n  __sock_xmit+0x4c/0x5c0 drivers/block/nbd.c:513\n  nbd_read_reply drivers/block/nbd.c:732 [inline]\n  recv_work+0x262/0x3100 drivers/block/nbd.c:863\n\nCPU: 1 PID: 7465 Comm: kworker/u5:1 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: nbd5-recv recv_work",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity checks to rx zerocopy\n\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\n\nThis patch adds to can_map_frag() these additional checks:\n\n- Page must not be a compound one.\n- page->mapping must be NULL.\n\nThis fixes the panic reported by ZhangPeng.\n\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\n\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\n\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\n\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout\n\nWhile the rhashtable set gc runs asynchronously, a race allows it to\ncollect elements from anonymous sets with timeouts while it is being\nreleased from the commit path.\n\nMingi Cho originally reported this issue in a different path in 6.1.x\nwith a pipapo set with low timeouts which is not possible upstream since\n7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set\nelement timeout\").\n\nFix this by setting on the dead flag for anonymous sets to skip async gc\nin this case.\n\nAccording to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on\ntransaction abort\"), Florian plans to accelerate abort path by releasing\nobjects via workqueue, therefore, this sets on the dead flag for abort\npath too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\n\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\n\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\n\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\n\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Ensure visibility when inserting an element into tracing_map\n\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\n\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\n\nThe warning looks as follows:\n\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\n\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\n\nThe check for the presence of an element with a given key in this\nfunction is:\n\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\n\nThe write of a new entry is:\n\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\n\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: hfi: Add syscore callbacks for system-wide PM\n\nThe kernel allocates a memory buffer and provides its location to the\nhardware, which uses it to update the HFI table. This allocation occurs\nduring boot and remains constant throughout runtime.\n\nWhen resuming from hibernation, the restore kernel allocates a second\nmemory buffer and reprograms the HFI hardware with the new location as\npart of a normal boot. The location of the second memory buffer may\ndiffer from the one allocated by the image kernel.\n\nWhen the restore kernel transfers control to the image kernel, its HFI\nbuffer becomes invalid, potentially leading to memory corruption if the\nhardware writes to it (the hardware continues to use the buffer from the\nrestore kernel).\n\nIt is also possible that the hardware \"forgets\" the address of the memory\nbuffer when resuming from \"deep\" suspend. Memory corruption may also occur\nin such a scenario.\n\nTo prevent the described memory corruption, disable HFI when preparing to\nsuspend or hibernate. Enable it when resuming.\n\nAdd syscore callbacks to handle the package of the boot CPU (packages of\nnon-boot CPUs are handled via CPU offline). Syscore ops always run on the\nboot CPU. Additionally, HFI only needs to be disabled during \"deep\" suspend\nand hibernation. Syscore ops only run in these cases.\n\n[ rjw: Comment adjustment, subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer when load rlc firmware\n\nIf the RLC firmware is invalid because of wrong header size,\nthe pointer to the rlc firmware is released in function\namdgpu_ucode_request. There will be a null pointer error\nin subsequent use. So skip validation to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsr9800: Add check for usbnet_get_endpoints\n\nAdd check for usbnet_get_endpoints() and return the error if it fails\nin order to transfer the error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pds_core: Fix possible double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release\ncalls kfree(padev) to free memory. We shouldn't call kfree(padev)\nagain in the error handling path.\n\nFix this by cleaning up the redundant kfree() and putting\nthe error handling back to where the errors happened.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: ljca: Fix double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function ljca_auxdev_release\ncalls kfree(auxdev->dev.platform_data) to free the parameter data\nof the function ljca_new_client_device. The callers of\nljca_new_client_device shouldn't call kfree() again\nin the error handling path to free the platform data.\n\nFix this by cleaning up the redundant kfree() in all callers and\nadding kfree() the passed in platform_data on errors which happen\nbefore auxiliary_device_init() succeeds .",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix memory leak in posix_clock_open()\n\nIf the clk ops.open() function returns an error, we don't release the\npccontext we allocated for this clock.\n\nRe-organize the code slightly to make it all more obvious.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into  amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[  +0.000010] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000007]  ? show_regs+0x6a/0x80\n[  +0.000018]  ? __warn+0xa5/0x1b0\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000018]  ? report_bug+0x24a/0x290\n[  +0.000022]  ? handle_bug+0x46/0x90\n[  +0.000015]  ? exc_invalid_op+0x19/0x50\n[  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20\n[  +0.000017]  ? kasan_save_stack+0x26/0x50\n[  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_read+0x11/0x20\n[  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[  +0.004291]  ? do_syscall_64+0x5f/0xe0\n[  +0.000023]  ? srso_return_thunk+0x5/0x5f\n[  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm]\n[  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004270]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm]\n[  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004297]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: fix null-ptr-deref in init entity\n\nThe bug can be triggered by sending an amdgpu_cs_wait_ioctl\nto the AMDGPU DRM driver on any ASICs with valid context.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\n\n    static void Syzkaller2(int fd)\n    {\n\tunion drm_amdgpu_ctx arg1;\n\tunion drm_amdgpu_wait_cs arg2;\n\n\targ1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;\n\tret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1);\n\n\targ2.in.handle = 0x0;\n\targ2.in.timeout = 0x2000000000000;\n\targ2.in.ip_type = AMD_IP_VPE /* 0x9 */;\n\targ2->in.ip_instance = 0x0;\n\targ2.in.ring = 0x0;\n\targ2.in.ctx_id = arg1.out.alloc.ctx_id;\n\n\tdrmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2);\n    }\n\nThe ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that\nthe error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa\nmodified the logic and allowed to have sched_rq equal to NULL.\n\nAs a result when there is no job the ioctl AMDGPU_WAIT_CS returns success.\nThe change fixes null-ptr-deref in init entity and the stack below demonstrates\nthe error condition:\n\n[  +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[  +0.007086] #PF: supervisor read access in kernel mode\n[  +0.005234] #PF: error_code(0x0000) - not-present page\n[  +0.005232] PGD 0 P4D 0\n[  +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[  +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G    B   W    L     6.7.0+ #4\n[  +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c\n[  +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282\n[  +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa\n[  +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0\n[  +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c\n[  +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010\n[  +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000\n[  +0.007264] FS:  00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000\n[  +0.008236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0\n[  +0.007175] Call Trace:\n[  +0.002561]  <TASK>\n[  +0.002141]  ? show_regs+0x6a/0x80\n[  +0.003473]  ? __die+0x25/0x70\n[  +0.003124]  ? page_fault_oops+0x214/0x720\n[  +0.004179]  ? preempt_count_sub+0x18/0xc0\n[  +0.004093]  ? __pfx_page_fault_oops+0x10/0x10\n[  +0.004590]  ? srso_return_thunk+0x5/0x5f\n[  +0.004000]  ? vprintk_default+0x1d/0x30\n[  +0.004063]  ? srso_return_thunk+0x5/0x5f\n[  +0.004087]  ? vprintk+0x5c/0x90\n[  +0.003296]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.005807]  ? srso_return_thunk+0x5/0x5f\n[  +0.004090]  ? _printk+0xb3/0xe0\n[  +0.003293]  ? __pfx__printk+0x10/0x10\n[  +0.003735]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.005482]  ? do_user_addr_fault+0x345/0x770\n[  +0.004361]  ? exc_page_fault+0x64/0xf0\n[  +0.003972]  ? asm_exc_page_fault+0x27/0x30\n[  +0.004271]  ? add_taint+0x2a/0xa0\n[  +0.003476]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]\n[  +0.005812]  amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]\n[  +0.009530]  ? finish_task_switch.isra.0+0x129/0x470\n[  +0.005068]  ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]\n[  +0.010063]  ? __kasan_check_write+0x14/0x20\n[  +0.004356]  ? srso_return_thunk+0x5/0x5f\n[  +0.004001]  ? mutex_unlock+0x81/0xd0\n[  +0.003802]  ? srso_return_thunk+0x5/0x5f\n[  +0.004096]  amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]\n[  +0.009355]  ? __pfx_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n    $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n    sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n  destination: file\n  logAppend: true\n  path: /mnt/data/mongod.log\n\nstorage:\n  dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G            E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n               but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n               which lock already depends on the new lock.\n\n[ 3437.456553]\n               the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n               -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507]        down_read+0x3e/0x170\n[ 3437.457772]        bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498]        do_syscall_64+0x42/0xf0\n[ 3437.458779]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n               -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615]        down_read+0x3e/0x170\n[ 3437.459878]        bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276]        bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686]        notify_change+0x1f1/0x4a0\n[ 3437.461283]        do_truncate+0x7f/0xd0\n[ 3437.461555]        path_openat+0xa57/0xce0\n[ 3437.461836]        do_filp_open+0xb4/0x160\n[ 3437.462116]        do_sys_openat2+0x91/0xc0\n[ 3437.462402]        __x64_sys_openat+0x53/0xa0\n[ 3437.462701]        do_syscall_64+0x42/0xf0\n[ 3437.462982]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n               -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843]        down_write+0x3b/0xc0\n[ 3437.464223]        bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493]        vfs_write+0x21b/0x4c0\n[ 3437.464653]        ksys_write+0x69/0xf0\n[ 3437.464839]        do_syscall_64+0x42/0xf0\n[ 3437.465009]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n               -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471]        __lock_acquire+0x1455/0x21b0\n[ 3437.465656]        lock_acquire+0xc6/0x2b0\n[ 3437.465822]        mnt_want_write+0x46/0x1a0\n[ 3437.465996]        filename_create+0x62/0x190\n[ 3437.466175]        user_path_create+0x2d/0x50\n[ 3437.466352]        bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617]        __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791]        do_syscall_64+0x42/0xf0\n[ 3437.466957]        entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n               other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n               other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n                 sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979]  Possible unsafe locking scenario:\n\n[ 3437.468223]        CPU0                    CPU1\n[ 3437.468405]        ----                    ----\n[ 3437.468585]   rlock(&type->s_umount_key#48);\n[ 3437.468758]                                lock(&c->snapshot_create_lock);\n[ 3437.469030]                                lock(&type->s_umount_key#48);\n[ 3437.469291]   rlock(sb_writers#10);\n[ 3437.469434]\n                *** DEADLOCK ***\n\n[ 3437.469\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: handle isoc Babble and Buffer Overrun events properly\n\nxHCI 4.9 explicitly forbids assuming that the xHC has released its\nownership of a multi-TRB TD when it reports an error on one of the\nearly TRBs. Yet the driver makes such assumption and releases the TD,\nallowing the remaining TRBs to be freed or overwritten by new TDs.\n\nThe xHC should also report completion of the final TRB due to its IOC\nflag being set by us, regardless of prior errors. This event cannot\nbe recognized if the TD has already been freed earlier, resulting in\n\"Transfer event TRB DMA ptr not part of current TD\" error message.\n\nFix this by reusing the logic for processing isoc Transaction Errors.\nThis also handles hosts which fail to report the final completion.\n\nFix transfer length reporting on Babble errors. They may be caused by\ndevice malfunction, no guarantee that the buffer has been filled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN301\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn301_stream_encoder_create\nreported by Smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\n\nsyzbot reported the following general protection fault [1]:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n <TASK>\n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\n\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\n\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Fix out-of-bounds memory access\n\nFix a bug that pdata->cpu_map[] is set before out-of-bounds check.\nThe problem might be triggered on systems with more than 128 cores per\npackage.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix out of bounds access when building IPv6 PMTU error\n\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\n\n  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n  Read of size 4 at addr ffff88811d402c80 by task netperf/820\n  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n  ...\n   kasan_report+0xd8/0x110\n   do_csum+0x220/0x240\n   csum_partial+0xc/0x20\n   skb_tunnel_check_pmtu+0xeb9/0x3280\n   vxlan_xmit_one+0x14c2/0x4080\n   vxlan_xmit+0xf61/0x5c00\n   dev_hard_start_xmit+0xfb/0x510\n   __dev_queue_xmit+0x7cd/0x32a0\n   br_dev_queue_push_xmit+0x39d/0x6a0\n\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix RCU use in TDLS fast-xmit\n\nThis looks up the link under RCU protection, but isn't\nguaranteed to actually have protection. Fix that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup\n\nThe commit 8b45a26f2ba9 (\"drm/msm/dpu: reserve cdm blocks for writeback\nin case of YUV output\") introduced a smatch warning about another\nconditional block in dpu_encoder_helper_phys_cleanup() which had assumed\nhw_pp will always be valid which may not necessarily be true.\n\nLets fix the other conditional block by making sure hw_pp is valid\nbefore dereferencing it.\n\nPatchwork: https://patchwork.freedesktop.org/patch/574878/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_limit: reject configurations that cause integer overflow\n\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\n\nIts better to reject this rather than having incorrect ratelimit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......\n    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90\n    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....\n    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90\n    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\n\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n\n* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en\n* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en\n\nIn both cases the workaround is described as:\n\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n|    unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. A DSB NSH to guarantee completion of the TLBI.\n\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\n\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n| \teret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\n\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\n\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| \t[ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| \teret\n\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n\n... and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t     enum amdgpu_mca_error_type type,\n358                                  int idx, struct mca_bank_entry *entry)\n359 {\n360         const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361         int count;\n362\n363         switch (type) {\n364         case AMDGPU_MCA_ERROR_TYPE_UE:\n365                 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366                 break;\n367         case AMDGPU_MCA_ERROR_TYPE_CE:\n368                 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369                 break;\n370         default:\n371                 return -EINVAL;\n372         }\n373\n374         if (idx >= count)\n375                 return -EINVAL;\n376\n377         if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t        ^^^^^^^^^\n\nChecked too late!",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations\n\n- Disallow families other than NFPROTO_{IPV4,IPV6,INET}.\n- Disallow layer 4 protocol with no ports, since destination port is a\n  mandatory attribute for this object.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups\n\nDuring memory error injection test on kernels >= v6.4, the kernel panics\nlike below. However, this issue couldn't be reproduced on kernels <= v6.3.\n\n  mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134\n  mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}\n  mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86\n  mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490\n  mce: [Hardware Error]: Run the above through 'mcelog --ascii'\n  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel\n  Kernel panic - not syncing: Fatal local machine check\n\nThe MCA code can recover from an in-kernel #MC if the fixup type is\nEX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to\naccess userspace memory. However, if the fixup type is EX_TYPE_DEFAULT\nthe only thing that is raised for an in-kernel #MC is a panic.\n\nex_handler_uaccess() would warn if users gave a non-canonical addresses\n(with bit 63 clear) to {get, put}_user(), which was unexpected.\n\nTherefore, commit\n\n  b19b74bc99b1 (\"x86/mm: Rework address range check in get_user() and put_user()\")\n\nreplaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()\nfixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.\n\nCommit\n\n  6014bc27561f (\"x86-64: make access_ok() independent of LAM\")\n\nadded the check gp_fault_address_ok() right before the WARN_ONCE() in\nex_handler_uaccess() to not warn about non-canonical user addresses due\nto LAM.\n\nWith that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()\nexception fixups in order to be able to handle in-kernel MCEs correctly\nagain.\n\n  [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp_async: limit MRU to 64K\n\nsyzbot triggered a warning [1] in __alloc_pages():\n\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\n\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\n\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\n\n[1]:\n\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.\n\nsyzbot reported a warning [0] in __unix_gc() with a repro, which\ncreates a socketpair and sends one socket's fd to itself using the\npeer.\n\n  socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0\n  sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"\\360\", iov_len=1}],\n          msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,\n                                      cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],\n          msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1\n\nThis forms a self-cyclic reference that GC should finally untangle\nbut does not due to lack of MSG_OOB handling, resulting in memory\nleak.\n\nRecently, commit 11498715f266 (\"af_unix: Remove io_uring code for\nGC.\") removed io_uring's dead code in GC and revealed the problem.\n\nThe code was executed at the final stage of GC and unconditionally\nmoved all GC candidates from gc_candidates to gc_inflight_list.\nThat papered over the reported problem by always making the following\nWARN_ON_ONCE(!list_empty(&gc_candidates)) false.\n\nThe problem has been there since commit 2aab4b969002 (\"af_unix: fix\nstruct pid leaks in OOB support\") added full scm support for MSG_OOB\nwhile fixing another bug.\n\nTo fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb\nif the socket still exists in gc_candidates after purging collected skb.\n\nThen, we need to set NULL to oob_skb before calling kfree_skb() because\nit calls last fput() and triggers unix_release_sock(), where we call\nduplicate kfree_skb(u->oob_skb) if not NULL.\n\nNote that the leaked socket remained being linked to a global list, so\nkmemleak also could not detect it.  We need to check /proc/net/protocol\nto notice the unfreed socket.\n\n[0]:\nWARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nModules linked in:\nCPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nCode: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8\nRSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e\nRDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30\nRBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66\nR10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000\nR13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n process_one_work+0x889/0x15e0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787\n kthread+0x2c6/0x3b0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section\n\nThe .compat section is a dummy PE section that contains the address of\nthe 32-bit entrypoint of the 64-bit kernel image if it is bootable from\n32-bit firmware (i.e., CONFIG_EFI_MIXED=y)\n\nThis section is only 8 bytes in size and is only referenced from the\nloader, and so it is placed at the end of the memory view of the image,\nto avoid the need for padding it to 4k, which is required for sections\nappearing in the middle of the image.\n\nUnfortunately, this violates the PE/COFF spec, and even if most EFI\nloaders will work correctly (including the Tianocore reference\nimplementation), PE loaders do exist that reject such images, on the\nbasis that both the file and memory views of the file contents should be\ndescribed by the section headers in a monotonically increasing manner\nwithout leaving any gaps.\n\nSo reorganize the sections to avoid this issue. This results in a slight\npadding overhead (< 4k) which can be avoided if desired by disabling\nCONFIG_EFI_MIXED (which is only needed in rare cases these days)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: read sk->sk_family once in inet_recv_error()\n\ninet_recv_error() is called without holding the socket lock.\n\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[  215.351607] ------------[ cut here ]------------\n[  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[  215.581176] Call Trace:\n[  215.583632]  <TASK>\n[  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.594497]  ? debug_dma_free_coherent+0x196/0x210\n[  215.599305]  ? check_unmap+0xa6f/0x2360\n[  215.603147]  ? __warn+0xca/0x1d0\n[  215.606391]  ? check_unmap+0xa6f/0x2360\n[  215.610237]  ? report_bug+0x1ef/0x370\n[  215.613921]  ? handle_bug+0x3c/0x70\n[  215.617423]  ? exc_invalid_op+0x14/0x50\n[  215.621269]  ? asm_exc_invalid_op+0x16/0x20\n[  215.625480]  ? check_unmap+0xa6f/0x2360\n[  215.629331]  ? mark_lock.part.0+0xca/0xa40\n[  215.633445]  debug_dma_free_coherent+0x196/0x210\n[  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10\n[  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0\n[  215.648060]  dma_free_attrs+0x6d/0x130\n[  215.651834]  aq_ring_free+0x193/0x290 [atlantic]\n[  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[  216.127540] ---[ end trace 6467e5964dd2640b ]---\n[  216.132160] DMA-API: Mapped at:\n[  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0\n[  216.132165]  dma_alloc_attrs+0xf5/0x1b0\n[  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: avoid potential loop in nsim_dev_trap_report_work()\n\nMany syzbot reports include the following trace [1]\n\nIf nsim_dev_trap_report_work() can not grab the mutex,\nit should rearm itself at least one jiffie later.\n\n[1]\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]\n RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]\n RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]\n RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]\n RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\n RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189\nCode: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00\nRSP: 0018:ffffc90012dcf998 EFLAGS: 00000046\nRAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3\nRDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0\nRBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e\nR10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002\nR13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8\nFS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n <TASK>\n  instrument_atomic_read include/linux/instrumented.h:68 [inline]\n  atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n  queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]\n  debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]\n  do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141\n  __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]\n  _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194\n  debug_object_activate+0x349/0x540 lib/debugobjects.c:726\n  debug_work_activate kernel/workqueue.c:578 [inline]\n  insert_work+0x30/0x230 kernel/workqueue.c:1650\n  __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802\n  __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953\n  queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989\n  queue_delayed_work include/linux/workqueue.h:563 [inline]\n  schedule_delayed_work include/linux/workqueue.h:677 [inline]\n  nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842\n  process_one_work+0x886/0x15d0 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: improve CSA/ECSA connection refusal\n\nAs mentioned in the previous commit, we pretty quickly found\nthat some APs have ECSA elements stuck in their probe response,\nso using that to not attempt to connect while CSA is happening\nwe never connect to such an AP.\n\nImprove this situation by checking more carefully and ignoring\nthe ECSA if cfg80211 has previously detected the ECSA element\nbeing stuck in the probe response.\n\nAdditionally, allow connecting to an AP that's switching to a\nchannel it's already using, unless it's using quiet mode. In\nthis case, we may just have to adjust bandwidth later. If it's\nactually switching channels, it's better not to try to connect\nin the middle of that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: detect stuck ECSA element in probe resp\n\nWe recently added some validation that we don't try to\nconnect to an AP that is currently in a channel switch\nprocess, since that might want the channel to be quiet\nor we might not be able to connect in time to hear the\nswitching in a beacon. This was in commit c09c4f31998b\n(\"wifi: mac80211: don't connect to an AP while it's in\na CSA process\").\n\nHowever, we promptly got a report that this caused new\nconnection failures, and it turns out that the AP that\nwe now cannot connect to is permanently advertising an\nextended channel switch announcement, even with quiet.\nThe AP in question was an Asus RT-AC53, with firmware\n3.0.0.4.380_10760-g21a5898.\n\nAs a first step, attempt to detect that we're dealing\nwith such a situation, so mac80211 can use this later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\n\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential bug in end_buffer_async_write\n\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\n\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\n\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\n\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\n\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n  channel:\n\n  CPU0                        CPU1\n  shutdown_pirq {\n    xen_evtchn_close(e)\n                              __startup_pirq {\n                                EVTCHNOP_bind_pirq\n                                  -> returns just freed evtchn e\n                                set_evtchn_to_irq(e, irq)\n                              }\n    xen_irq_info_cleanup() {\n      set_evtchn_to_irq(e, -1)\n    }\n  }\n\n  Assume here event channel e refers here to the same event channel\n  number.\n  After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n  __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n  evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n  this case even though the event channel is allocated, its mapping can\n  be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n  ------------[ cut here ]------------\n  blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n  kernel BUG at drivers/xen/events/events_base.c:499!\n  invalid opcode: 0000 [#1] SMP PTI\n  CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n  Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n  Workqueue: nvme-reset-wq nvme_reset_work\n  RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n  Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n  RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n  RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n  RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n  R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n  R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n  FS:  0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   ? show_trace_log_lvl+0x1c1/0x2d9\n   ? show_trace_log_lvl+0x1c1/0x2d9\n   ? set_affinity_irq+0xdc/0x1c0\n   ? __die_body.cold+0x8/0xd\n   ? die+0x2b/0x50\n   ? do_trap+0x90/0x110\n   ? bind_evtchn_to_cpu+0xdf/0xf0\n   ? do_error_trap+0x65/0x80\n   ? bind_evtchn_to_cpu+0xdf/0xf0\n   ? exc_invalid_op+0x4e/0x70\n   ? bind_evtchn_to_cpu+0xdf/0xf0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: prevent use-after-free in encode_cap_msg()\n\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\n\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\n\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: protect updates of 64-bit statistics counters\n\nAs explained by a comment in <linux/u64_stats_sync.h>, write side of struct\nu64_stats_sync must ensure mutual exclusion, or one seqcount update could\nbe lost on 32-bit platforms, thus blocking readers forever. Such lockups\nhave been observed in real world after stmmac_xmit() on one CPU raced with\nstmmac_napi_poll_tx() on another CPU.\n\nTo fix the issue without introducing a new lock, split the statics into\nthree parts:\n\n1. fields updated only under the tx queue lock,\n2. fields updated only during NAPI poll,\n3. fields updated only from interrupt context,\n\nUpdates to fields in the first two groups are already serialized through\nother locks. It is sufficient to split the existing struct u64_stats_sync\nso that each group has its own.\n\nNote that tx_set_ic_bit is updated from both contexts. Split this counter\nso that each context gets its own, and calculate their sum to get the total\nvalue in stmmac_get_ethtool_stats().\n\nFor the third group, multiple interrupts may be processed by different CPUs\nat the same time, but interrupts on the same CPU will not nest. Move fields\nfrom this group to a newly created per-cpu struct stmmac_pcpu_stats.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096).  When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix a crash when we run out of stations\n\nA DoS tool that injects loads of authentication frames made our AP\ncrash. The iwl_mvm_is_dup() function couldn't find the per-queue\ndup_data which was not allocated.\n\nThe root cause for that is that we ran out of stations in the firmware\nand we didn't really add the station to the firmware, yet we didn't\nreturn an error to mac80211.\nMac80211 was thinking that we have the station and because of that,\nsta_info::uploaded was set to 1. This allowed\nieee80211_find_sta_by_ifaddr() to return a valid station object, but\nthat ieee80211_sta didn't have any iwl_mvm_sta object initialized and\nthat caused the crash mentioned earlier when we got Rx on that station.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked\n\nThe SEV platform device can be shutdown with a null psp_master,\ne.g., using DEBUG_TEST_DRIVER_REMOVE.  Found using KASAN:\n\n[  137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)\n[  137.162647] ccp 0000:23:00.1: no command queues available\n[  137.170598] ccp 0000:23:00.1: sev enabled\n[  137.174645] ccp 0000:23:00.1: psp enabled\n[  137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\n[  137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]\n[  137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311\n[  137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180\n[  137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c\n[  137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216\n[  137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e\n[  137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0\n[  137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66\n[  137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28\n[  137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8\n[  137.182693] FS:  0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000\n[  137.182693] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0\n[  137.182693] Call Trace:\n[  137.182693]  <TASK>\n[  137.182693]  ? show_regs+0x6c/0x80\n[  137.182693]  ? __die_body+0x24/0x70\n[  137.182693]  ? die_addr+0x4b/0x80\n[  137.182693]  ? exc_general_protection+0x126/0x230\n[  137.182693]  ? asm_exc_general_protection+0x2b/0x30\n[  137.182693]  ? __sev_platform_shutdown_locked+0x51/0x180\n[  137.182693]  sev_firmware_shutdown.isra.0+0x1e/0x80\n[  137.182693]  sev_dev_destroy+0x49/0x100\n[  137.182693]  psp_dev_destroy+0x47/0xb0\n[  137.182693]  sp_destroy+0xbb/0x240\n[  137.182693]  sp_pci_remove+0x45/0x60\n[  137.182693]  pci_device_remove+0xaa/0x1d0\n[  137.182693]  device_remove+0xc7/0x170\n[  137.182693]  really_probe+0x374/0xbe0\n[  137.182693]  ? srso_return_thunk+0x5/0x5f\n[  137.182693]  __driver_probe_device+0x199/0x460\n[  137.182693]  driver_probe_device+0x4e/0xd0\n[  137.182693]  __driver_attach+0x191/0x3d0\n[  137.182693]  ? __pfx___driver_attach+0x10/0x10\n[  137.182693]  bus_for_each_dev+0x100/0x190\n[  137.182693]  ? __pfx_bus_for_each_dev+0x10/0x10\n[  137.182693]  ? __kasan_check_read+0x15/0x20\n[  137.182693]  ? srso_return_thunk+0x5/0x5f\n[  137.182693]  ? _raw_spin_unlock+0x27/0x50\n[  137.182693]  driver_attach+0x41/0x60\n[  137.182693]  bus_add_driver+0x2a8/0x580\n[  137.182693]  driver_register+0x141/0x480\n[  137.182693]  __pci_register_driver+0x1d6/0x2a0\n[  137.182693]  ? srso_return_thunk+0x5/0x5f\n[  137.182693]  ? esrt_sysfs_init+0x1cd/0x5d0\n[  137.182693]  ? __pfx_sp_mod_init+0x10/0x10\n[  137.182693]  sp_pci_init+0x22/0x30\n[  137.182693]  sp_mod_init+0x14/0x30\n[  137.182693]  ? __pfx_sp_mod_init+0x10/0x10\n[  137.182693]  do_one_initcall+0xd1/0x470\n[  137.182693]  ? __pfx_do_one_initcall+0x10/0x10\n[  137.182693]  ? parameq+0x80/0xf0\n[  137.182693]  ? srso_return_thunk+0x5/0x5f\n[  137.182693]  ? __kmalloc+0x3b0/0x4e0\n[  137.182693]  ? kernel_init_freeable+0x92d/0x1050\n[  137.182693]  ? kasan_populate_vmalloc_pte+0x171/0x190\n[  137.182693]  ? srso_return_thunk+0x5/0x5f\n[  137.182693]  kernel_init_freeable+0xa64/0x1050\n[  137.182693]  ? __pfx_kernel_init+0x10/0x10\n[  137.182693]  kernel_init+0x24/0x160\n[  137.182693]  ? __switch_to_asm+0x3e/0x70\n[  137.182693]  ret_from_fork+0x40/0x80\n[  137.182693]  ? __pfx_kernel_init+0x1\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\n\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\n\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\n\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\n\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\n\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  <TASK>\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n <TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n </TASK>\nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\n\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Move hrtimer_init to timerlat_fd open()\n\nCurrently, the timerlat's hrtimer is initialized at the first read of\ntimerlat_fd, and destroyed at close(). It works, but it causes an error\nif the user program open() and close() the file without reading.\n\nHere's an example:\n\n # echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options\n # echo timerlat > /sys/kernel/debug/tracing/current_tracer\n\n # cat <<EOF > ./timerlat_load.py\n # !/usr/bin/env python3\n\n timerlat_fd = open(\"/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd\", 'r')\n timerlat_fd.close();\n EOF\n\n # ./taskset -c 0 ./timerlat_load.py\n<BOOM>\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:hrtimer_active+0xd/0x50\n Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d\n RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286\n RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08\n RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70\n R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08\n R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000\n FS:  00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __die+0x23/0x70\n  ? page_fault_oops+0x171/0x4e0\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? avc_has_extended_perms+0x237/0x520\n  ? exc_page_fault+0x7f/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? hrtimer_active+0xd/0x50\n  hrtimer_cancel+0x15/0x40\n  timerlat_fd_release+0x48/0xe0\n  __fput+0xf5/0x290\n  __x64_sys_close+0x3d/0x80\n  do_syscall_64+0x60/0x90\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? __x64_sys_ioctl+0x72/0xd0\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? syscall_exit_to_user_mode+0x2b/0x40\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? do_syscall_64+0x6c/0x90\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? exit_to_user_mode_prepare+0x142/0x1f0\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? syscall_exit_to_user_mode+0x2b/0x40\n  ? srso_alias_return_thunk+0x5/0x7f\n  ? do_syscall_64+0x6c/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f2ffb321594\n Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d\n RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000\n R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003\n R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668\n  </TASK>\n CR2: 0000000000000010\n ---[ end trace 0000000000000000 ]---\n\nMove hrtimer_init to timerlat_fd open() to avoid this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: BTLB: Fix crash when setting up BTLB at CPU bringup\n\nWhen using hotplug and bringing up a 32-bit CPU, ask the firmware about the\nBTLB information to set up the static (block) TLB entries.\n\nFor that write access to the static btlb_info struct is needed, but\nsince it is marked __ro_after_init the kernel segfaults with missing\nwrite permissions.\n\nFix the crash by dropping the __ro_after_init annotation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix random data corruption from exception handler\n\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\n\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\n\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\n\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\n\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\n\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\n\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n <IRQ>\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\n\nThis issue is also found in older kernels (at least up to 5.10).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: really cope with fastopen race\n\nFastopen and PM-trigger subflow shutdown can race, as reported by\nsyzkaller.\n\nIn my first attempt to close such race, I missed the fact that\nthe subflow status can change again before the subflow_state_change\ncallback is invoked.\n\nAddress the issue additionally copying with all the states directly\nreachable from TCP_FIN_WAIT1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Fix the missing iommu_group_put() during platform domain attach\n\nThe function spapr_tce_platform_iommu_attach_dev() is missing to call\niommu_group_put() when the domain is already set. This refcount leak\nshows up with BUG_ON() during DLPAR remove operation as:\n\n  KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries\n  <snip>\n  Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries\n  NIP:  c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000\n  REGS: c0000013aed5f840 TRAP: 0700   Tainted: G          I         (6.8.0-rc3-autotest-g99bd3cb0d12e)\n  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 44002402  XER: 20040000\n  CFAR: c000000000a0d170 IRQMASK: 0\n  ...\n  NIP iommu_reconfig_notifier+0x94/0x200\n  LR  iommu_reconfig_notifier+0x8c/0x200\n  Call Trace:\n    iommu_reconfig_notifier+0x8c/0x200 (unreliable)\n    notifier_call_chain+0xb8/0x19c\n    blocking_notifier_call_chain+0x64/0x98\n    of_reconfig_notify+0x44/0xdc\n    of_detach_node+0x78/0xb0\n    ofdt_write.part.0+0x86c/0xbb8\n    proc_reg_write+0xf4/0x150\n    vfs_write+0xf8/0x488\n    ksys_write+0x84/0x140\n    system_call_exception+0x138/0x330\n    system_call_vectored_common+0x15c/0x2ec\n\nThe patch adds the missing iommu_group_put() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Limit KASAN thread size increase to 32KB\n\nKASAN is seen to increase stack usage, to the point that it was reported\nto lead to stack overflow on some 32-bit machines (see link).\n\nTo avoid overflows the stack size was doubled for KASAN builds in\ncommit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with\nKASAN\").\n\nHowever with a 32KB stack size to begin with, the doubling leads to a\n64KB stack, which causes build errors:\n  arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)\n\nAlthough the asm could be reworked, in practice a 32KB stack seems\nsufficient even for KASAN builds - the additional usage seems to be in\nthe 2-3KB range for a 64-bit KASAN build.\n\nSo only increase the stack for KASAN if the stack size is < 32KB.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.6"
        },
        {
          "id": "CVE-2024-26711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4130: zero-initialize clock init data\n\nThe clk_init_data struct does not have all its members\ninitialized, causing issues when trying to expose the internal\nclock on the CLK pin.\n\nFix this by zero-initializing the clk_init_data struct.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix addr error caused by page alignment\n\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\n\nAs a result, memory overwriting occurs.\n\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\n\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc->gadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1:                           CPU2:\n\tgadget_unbind_driver            dwc3_suspend_common\n\tdwc3_gadget_stop                dwc3_gadget_suspend\n                                        dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc->gadget_driver which is not NULL and resumes execution and then\nCPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc->gadget_driver is already NULL because of which the\nNULL pointer deference occur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: Prevent null pointer dereference in update_port_device_state\n\nCurrently, the function update_port_device_state gets the usb_hub from\nudev->parent by calling usb_hub_to_struct_hub.\nHowever, in case the actconfig or the maxchild is 0, the usb_hub would\nbe NULL and upon further accessing to get port_dev would result in null\npointer dereference.\n\nFix this by introducing an if check after the usb_hub is populated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address\n\nCommit bd077259d0a9 (\"drm/i915/vdsc: Add function to read any PPS\nregister\") defines a new macro to calculate the DSC PPS register\naddresses with PPS number as an input. This macro correctly calculates\nthe addresses till PPS 11 since the addresses increment by 4. So in that\ncase the following macro works correctly to give correct register\naddress:\n\n_MMIO(_DSCA_PPS_0 + (pps) * 4)\n\nHowever after PPS 11, the register address for PPS 12 increments by 12\nbecause of RC Buffer memory allocation in between. Because of this\ndiscontinuity in the address space, the macro calculates wrong addresses\nfor PPS 12 - 16 resulting into incorrect DSC PPS parameter value\nread/writes causing DSC corruption.\n\nThis fixes it by correcting this macro to add the offset of 12 for PPS\n>=12.\n\nv3: Add correct paranthesis for pps argument (Jani Nikula)\n\n(cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex\nis left locked forever. That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. Like we do in other places.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DPLL, Fix possible use after free after delayed work timer triggers\n\nI managed to hit following use after free warning recently:\n\n[ 2169.711665] ==================================================================\n[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0\n[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0\n\n[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2\n[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2169.722457] Call Trace:\n[ 2169.722756]  <IRQ>\n[ 2169.723024]  dump_stack_lvl+0x58/0xb0\n[ 2169.723417]  print_report+0xc5/0x630\n[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0\n[ 2169.724268]  kasan_report+0xbe/0xf0\n[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0\n[ 2169.725570]  __run_timers.part.0+0x179/0x4c0\n[ 2169.726003]  ? call_timer_fn+0x320/0x320\n[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0\n[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20\n[ 2169.727257]  ? ktime_get+0x92/0x150\n[ 2169.727630]  ? lapic_next_deadline+0x35/0x60\n[ 2169.728069]  run_timer_softirq+0x40/0x80\n[ 2169.728475]  __do_softirq+0x1a1/0x509\n[ 2169.728866]  irq_exit_rcu+0x95/0xc0\n[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80\n[ 2169.729718]  </IRQ>\n[ 2169.729993]  <TASK>\n[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20\n[ 2169.730755] RIP: 0010:default_idle+0x13/0x20\n[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00\n[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242\n[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62\n[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55\n[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14\n[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0\n[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200\n[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0\n[ 2169.736954]  ? do_idle+0x285/0x290\n[ 2169.737323]  default_idle_call+0x63/0x90\n[ 2169.737730]  do_idle+0x285/0x290\n[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30\n[ 2169.738511]  ? mark_held_locks+0x1a/0x80\n[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200\n[ 2169.739417]  cpu_startup_entry+0x30/0x40\n[ 2169.739825]  start_secondary+0x19a/0x1c0\n[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0\n[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b\n[ 2169.741179]  </TASK>\n\n[ 2169.741686] Allocated by task 1098:\n[ 2169.742058]  kasan_save_stack+0x1c/0x40\n[ 2169.742456]  kasan_save_track+0x10/0x30\n[ 2169.742852]  __kasan_kmalloc+0x83/0x90\n[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]\n[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0\n[ 2169.744148]  really_probe+0x127/0x590\n[ 2169.744534]  __driver_probe_device+0xd2/0x200\n[ 2169.744973]  device_driver_attach+0x6b/0xf0\n[ 2169.745402]  bind_store+0x90/0xe0\n[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0\n[ 2169.746210]  vfs_write+0x41f/0x790\n[ 2169.746579]  ksys_write+0xc7/0x160\n[ 2169.746947]  do_syscall_64+0x6f/0x140\n[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\n[ 2169.748049] Freed by task 1220:\n[ 2169.748393]  kasan_save_stack+0x1c/0x40\n[ 2169.748789]  kasan_save_track+0x10/0x30\n[ 2169.749188]  kasan_save_free_info+0x3b/0x50\n[ 2169.749621]  poison_slab_object+0x106/0x180\n[ 2169.750044]  __kasan_slab_free+0x14/0x50\n[ 2169.750451]  kfree+0x118/0x330\n[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]\n[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40\n[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0\n[ 2169.752191]  unbind_store+0xa6/0xb0\n[ 2169.752563]  kernfs_fo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix possible deadlock during netlink dump operation\n\nRecently, I've been hitting following deadlock warning during dpll pin\ndump:\n\n[52804.637962] ======================================================\n[52804.638536] WARNING: possible circular locking dependency detected\n[52804.639111] 6.8.0-rc2jiri+ #1 Not tainted\n[52804.639529] ------------------------------------------------------\n[52804.640104] python3/2984 is trying to acquire lock:\n[52804.640581] ffff88810e642678 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}, at: netlink_dump+0xb3/0x780\n[52804.641417]\n               but task is already holding lock:\n[52804.642010] ffffffff83bde4c8 (dpll_lock){+.+.}-{3:3}, at: dpll_lock_dumpit+0x13/0x20\n[52804.642747]\n               which lock already depends on the new lock.\n\n[52804.643551]\n               the existing dependency chain (in reverse order) is:\n[52804.644259]\n               -> #1 (dpll_lock){+.+.}-{3:3}:\n[52804.644836]        lock_acquire+0x174/0x3e0\n[52804.645271]        __mutex_lock+0x119/0x1150\n[52804.645723]        dpll_lock_dumpit+0x13/0x20\n[52804.646169]        genl_start+0x266/0x320\n[52804.646578]        __netlink_dump_start+0x321/0x450\n[52804.647056]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.647575]        genl_rcv_msg+0x1ed/0x3b0\n[52804.648001]        netlink_rcv_skb+0xdc/0x210\n[52804.648440]        genl_rcv+0x24/0x40\n[52804.648831]        netlink_unicast+0x2f1/0x490\n[52804.649290]        netlink_sendmsg+0x36d/0x660\n[52804.649742]        __sock_sendmsg+0x73/0xc0\n[52804.650165]        __sys_sendto+0x184/0x210\n[52804.650597]        __x64_sys_sendto+0x72/0x80\n[52804.651045]        do_syscall_64+0x6f/0x140\n[52804.651474]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.652001]\n               -> #0 (nlk_cb_mutex-GENERIC){+.+.}-{3:3}:\n[52804.652650]        check_prev_add+0x1ae/0x1280\n[52804.653107]        __lock_acquire+0x1ed3/0x29a0\n[52804.653559]        lock_acquire+0x174/0x3e0\n[52804.653984]        __mutex_lock+0x119/0x1150\n[52804.654423]        netlink_dump+0xb3/0x780\n[52804.654845]        __netlink_dump_start+0x389/0x450\n[52804.655321]        genl_family_rcv_msg_dumpit+0x155/0x1e0\n[52804.655842]        genl_rcv_msg+0x1ed/0x3b0\n[52804.656272]        netlink_rcv_skb+0xdc/0x210\n[52804.656721]        genl_rcv+0x24/0x40\n[52804.657119]        netlink_unicast+0x2f1/0x490\n[52804.657570]        netlink_sendmsg+0x36d/0x660\n[52804.658022]        __sock_sendmsg+0x73/0xc0\n[52804.658450]        __sys_sendto+0x184/0x210\n[52804.658877]        __x64_sys_sendto+0x72/0x80\n[52804.659322]        do_syscall_64+0x6f/0x140\n[52804.659752]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[52804.660281]\n               other info that might help us debug this:\n\n[52804.661077]  Possible unsafe locking scenario:\n\n[52804.661671]        CPU0                    CPU1\n[52804.662129]        ----                    ----\n[52804.662577]   lock(dpll_lock);\n[52804.662924]                                lock(nlk_cb_mutex-GENERIC);\n[52804.663538]                                lock(dpll_lock);\n[52804.664073]   lock(nlk_cb_mutex-GENERIC);\n[52804.664490]\n\nThe issue as follows: __netlink_dump_start() calls control->start(cb)\nwith nlk->cb_mutex held. In control->start(cb) the dpll_lock is taken.\nThen nlk->cb_mutex is released and taken again in netlink_dump(), while\ndpll_lock still being held. That leads to ABBA deadlock when another\nCPU races with the same operation.\n\nFix this by moving dpll_lock taking into dumpit() callback which ensures\ncorrect lock taking order.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n  <TASK>\n  btrfs_get_new_fs_root+0xd3/0xf0\n  create_subvol+0xd02/0x1650\n  btrfs_mksubvol+0xe95/0x12b0\n  __btrfs_ioctl_snap_create+0x2f9/0x4f0\n  btrfs_ioctl_snap_create+0x16b/0x200\n  btrfs_ioctl+0x35f0/0x5cf0\n  __x64_sys_ioctl+0x19d/0x210\n  do_syscall_64+0x3f/0xe0\n  entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix null-pointer dereference on edid reading\n\nUse i2c adapter when there isn't aux_mode in dc_link to fix a\nnull-pointer derefence that happens when running\nigt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector\ndetected as below:\n\n[  +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0\n[  +0.000010] #PF: supervisor read access in kernel mode\n[  +0.000005] #PF: error_code(0x0000) - not-present page\n[  +0.000004] PGD 0 P4D 0\n[  +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152\n[  +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021\n[  +0.000004] RIP: 0010:i2c_transfer+0xd/0x100\n[  +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16\n[  +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246\n[  +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080\n[  +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0\n[  +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980\n[  +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080\n[  +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f\n[  +0.000004] FS:  00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000\n[  +0.000003] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0\n[  +0.000003] PKRU: 55555554\n[  +0.000003] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000006]  ? __die+0x23/0x70\n[  +0.000011]  ? page_fault_oops+0x17d/0x4c0\n[  +0.000008]  ? preempt_count_add+0x6e/0xa0\n[  +0.000008]  ? srso_alias_return_thunk+0x5/0x7f\n[  +0.000011]  ? exc_page_fault+0x7f/0x180\n[  +0.000009]  ? asm_exc_page_fault+0x26/0x30\n[  +0.000013]  ? i2c_transfer+0xd/0x100\n[  +0.000010]  drm_do_probe_ddc_edid+0xc2/0x140 [drm]\n[  +0.000067]  ? srso_alias_return_thunk+0x5/0x7f\n[  +0.000006]  ? _drm_do_get_edid+0x97/0x3c0 [drm]\n[  +0.000043]  ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[  +0.000042]  edid_block_read+0x3b/0xd0 [drm]\n[  +0.000043]  _drm_do_get_edid+0xb6/0x3c0 [drm]\n[  +0.000041]  ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[  +0.000043]  drm_edid_read_custom+0x37/0xd0 [drm]\n[  +0.000044]  amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]\n[  +0.000153]  drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]\n[  +0.000000]  __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]\n[  +0.000000]  ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]\n[  +0.000000]  ? srso_alias_return_thunk+0x5/0x7f\n[  +0.000000]  drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]\n[  +0.000000]  status_store+0xb2/0x1f0 [drm]\n[  +0.000000]  kernfs_fop_write_iter+0x136/0x1d0\n[  +0.000000]  vfs_write+0x24d/0x440\n[  +0.000000]  ksys_write+0x6f/0xf0\n[  +0.000000]  do_syscall_64+0x60/0xc0\n[  +0.000000]  ? srso_alias_return_thunk+0x5/0x7f\n[  +0.000000]  ? syscall_exit_to_user_mode+0x2b/0x40\n[  +0.000000]  ? srso_alias_return_thunk+0x5/0x7f\n[  +0.000000]  ? do_syscall_64+0x6c/0xc0\n[  +0.000000]  ? do_syscall_64+0x6c/0xc0\n[  +0.000000]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[  +0.000000] RIP: 0033:0x7f9ad46b4b00\n[  +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\n[  +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n[  +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00\n[  +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009\n[  +0.000000] RBP: 0000000000000002 R08\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null pointer dereference in dc_dmub_srv\n\nFixes potential null pointer dereference warnings in the\ndc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()\nfunctions.\n\nIn both functions, the 'dc_dmub_srv' variable was being dereferenced\nbefore it was checked for null. This could lead to a null pointer\ndereference if 'dc_dmub_srv' is null. The fix is to check if\n'dc_dmub_srv' is null before dereferencing it.\n\nThus moving the null checks for 'dc_dmub_srv' to the beginning of the\nfunctions to ensure that 'dc_dmub_srv' is not null when it is\ndereferenced.\n\nFound by smatch & thus fixing the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix access to temperature configuration registers\n\nThe number of temperature configuration registers does\nnot always match the total number of temperature registers.\nThis can result in access errors reported if KASAN is enabled.\n\nBUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  [...]\n  RIP: 0010:0x0\n  [...]\n  Call Trace:\n   <TASK>\n   sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n   unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n   sock_sendmsg_nosec net/socket.c:730 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:745\n   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n   ___sys_sendmsg net/socket.c:2638 [inline]\n   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n   do_syscall_64+0xf9/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock->saved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk->sk_callback_lock.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: implement lockless setsockopt(SO_PEEK_OFF)\n\nsyzbot reported a lockdep violation [1] involving af_unix\nsupport of SO_PEEK_OFF.\n\nSince SO_PEEK_OFF is inherently not thread safe (it uses a per-socket\nsk_peek_off field), there is really no point to enforce a pointless\nthread safety in the kernel.\n\nAfter this patch :\n\n- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.\n\n- skb_consume_udp() no longer has to acquire the socket lock.\n\n- af_unix no longer needs a special version of sk_set_peek_off(),\n  because it does not lock u->iolock anymore.\n\nAs a followup, we could replace prot->set_peek_off to be a boolean\nand avoid an indirect call, since we always use sk_set_peek_off().\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted\n\nsyz-executor.2/30025 is trying to acquire lock:\n ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n\nbut task is already holding lock:\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:\n        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n        lock_sock_nested+0x48/0x100 net/core/sock.c:3524\n        lock_sock include/net/sock.h:1691 [inline]\n        __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415\n        sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046\n        ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801\n        ___sys_recvmsg net/socket.c:2845 [inline]\n        do_recvmmsg+0x474/0xae0 
net/socket.c:2939\n        __sys_recvmmsg net/socket.c:3018 [inline]\n        __do_sys_recvmmsg net/socket.c:3041 [inline]\n        __se_sys_recvmmsg net/socket.c:3034 [inline]\n        __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n       do_syscall_64+0xf9/0x240\n       entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\n-> #0 (&u->iolock){+.+.}-{3:3}:\n        check_prev_add kernel/locking/lockdep.c:3134 [inline]\n        check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n        validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n        __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n        __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n        __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n        unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n       sk_setsockopt+0x207e/0x3360\n        do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307\n        __sys_setsockopt+0x1ad/0x250 net/socket.c:2334\n        __do_sys_setsockopt net/socket.c:2343 [inline]\n        __se_sys_setsockopt net/socket.c:2340 [inline]\n        __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n       do_syscall_64+0xf9/0x240\n       entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(sk_lock-AF_UNIX);\n                               lock(&u->iolock);\n                               lock(sk_lock-AF_UNIX);\n  lock(&u->iolock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor.2/30025:\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n  #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nstack backtrace:\nCPU: 0 PID: 30025 Comm: 
syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0\nHardware name: Google Google C\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\n\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let's limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 
0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\n\nMake an unregister in case of unsuccessful registration.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead to a UAF on the timer->timer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer->time;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer->timer;\n\t\t\t\t\t\ttimer->timer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t->timer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t->timer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer->timer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer->timer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer->timer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer->timer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t->flag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straightforward solution and frees timer->timer after\na rcu grace period.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller\n\nWhen a PCI device is dynamically added, the kernel oopses with a NULL\npointer dereference:\n\n  BUG: Kernel NULL pointer dereference on read at 0x00000030\n  Faulting instruction address: 0xc0000000006bbe5c\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse\n  CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66\n  Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n  NIP:  c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8\n  REGS: c00000009924f240 TRAP: 0300   Not tainted  (6.7.0-203405+)\n  MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002220  XER: 20040006\n  CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0\n  ...\n  NIP sysfs_add_link_to_group+0x34/0x94\n  LR  iommu_device_link+0x5c/0x118\n  Call Trace:\n   iommu_init_device+0x26c/0x318 (unreliable)\n   iommu_device_link+0x5c/0x118\n   iommu_init_device+0xa8/0x318\n   iommu_probe_device+0xc0/0x134\n   iommu_bus_notifier+0x44/0x104\n   notifier_call_chain+0xb8/0x19c\n   blocking_notifier_call_chain+0x64/0x98\n   bus_notify+0x50/0x7c\n   device_add+0x640/0x918\n   pci_device_add+0x23c/0x298\n   
of_create_pci_dev+0x400/0x884\n   of_scan_pci_dev+0x124/0x1b0\n   __of_scan_bus+0x78/0x18c\n   pcibios_scan_phb+0x2a4/0x3b0\n   init_phb_dynamic+0xb8/0x110\n   dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]\n   add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]\n   kobj_attr_store+0x2c/0x48\n   sysfs_kf_write+0x64/0x78\n   kernfs_fop_write_iter+0x1b0/0x290\n   vfs_write+0x350/0x4a0\n   ksys_write+0x84/0x140\n   system_call_exception+0x124/0x330\n   system_call_vectored_common+0x15c/0x2ec\n\nCommit a940904443e4 (\"powerpc/iommu: Add iommu_ops to report capabilities\nand allow blocking domains\") broke DLPAR add of PCI devices.\n\nThe above added iommu_device structure to pci_controller. During\nsystem boot, PCI devices are discovered and this newly added iommu_device\nstructure is initialized by a call to iommu_device_register().\n\nDuring DLPAR add of a PCI device, a new pci_controller structure is\nallocated but there are no calls made to iommu_device_register()\ninterface.\n\nFix is to register the iommu device during DLPAR add as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually needs it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n  WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);\n\nHowever, the syzkaller's log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION.  [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port.  If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established().  Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 
0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS:  00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n </TASK>\n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n 
kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[    7.860089] scsi host2: smartpqi\n[    7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[    7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[    7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[    7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[    7.963026] Workqueue: events work_for_cpu_fn\n[    7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[    7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[    7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[    7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[    7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[    7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[    7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[    7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[    7.978290] FS:  0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[    7.978292] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.172814] CR2: 
000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[    8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[    8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[    8.172818] PKRU: 55555554\n[    8.172819] Call Trace:\n[    8.172823]  blk_mq_alloc_tag_set+0x12e/0x310\n[    8.264339]  scsi_add_host_with_dma.cold.9+0x30/0x245\n[    8.279302]  pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[    8.294085]  ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[    8.309015]  pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[    8.323286]  local_pci_probe+0x42/0x80\n[    8.337855]  work_for_cpu_fn+0x16/0x20\n[    8.351193]  process_one_work+0x1a7/0x360\n[    8.364462]  ? create_worker+0x1a0/0x1a0\n[    8.379252]  worker_thread+0x1ce/0x390\n[    8.392623]  ? create_worker+0x1a0/0x1a0\n[    8.406295]  kthread+0x10a/0x120\n[    8.418428]  ? set_kthread_struct+0x50/0x50\n[    8.431532]  ret_from_fork+0x1f/0x40\n[    8.444137] ---[ end trace 1bf0173d39354506 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n  BUG: Kernel NULL pointer dereference on read at 0x00000000\n  Faulting instruction address: 0xc000000020847ad4\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n  CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n  Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n  NIP:  c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n  REGS: c000000029162ca0 TRAP: 0300   Not tainted  (6.4.0-Test102+)\n  MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 48288244  XER: 00000008\n  CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n  ...\n  NIP _find_next_zero_bit+0x24/0x110\n  LR  bitmap_find_next_zero_area_off+0x5c/0xe0\n  Call Trace:\n    dev_printk_emit+0x38/0x48 (unreliable)\n    iommu_area_alloc+0xc4/0x180\n    iommu_range_alloc+0x1e8/0x580\n    iommu_alloc+0x60/0x130\n    iommu_alloc_coherent+0x158/0x2b0\n    dma_iommu_alloc_coherent+0x3c/0x50\n    dma_alloc_attrs+0x170/0x1f0\n    mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n    mlx5_function_setup+0xf0/0x510 [mlx5_core]\n    mlx5_init_one+0x84/0x210 [mlx5_core]\n    probe_one+0x118/0x2c0 [mlx5_core]\n    local_pci_probe+0x68/0x110\n    pci_call_probe+0x68/0x200\n    pci_device_probe+0xbc/0x1a0\n    really_probe+0x104/0x540\n    __driver_probe_device+0xb4/0x230\n    driver_probe_device+0x54/0x130\n    __driver_attach+0x158/0x2b0\n    bus_for_each_dev+0xa8/0x130\n    driver_attach+0x34/0x50\n    bus_add_driver+0x16c/0x300\n    driver_register+0xa4/0x1b0\n    __pci_register_driver+0x68/0x80\n    mlx5_init+0xb8/0x100 [mlx5_core]\n    do_one_initcall+0x60/0x300\n    do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t   default and DDW in FDT. In this case, DDW property is used to\n\t   initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t   initialize IOMMU table and mark the existing DDW as\n\t   \"dynamic\". This works fine since, at the time of table\n\t   initialization, iommu_table_clear() makes some space in the\n\t   DDW, for some predefined number of TCEs which are needed for\n\t   kdump to succeed.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Ensure safe user copy of completion record\n\nIf CONFIG_HARDENED_USERCOPY is enabled, copying completion record from\nevent log cache to user triggers a kernel bug.\n\n[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!\n[ 1987.170845] ------------[ cut here ]------------\n[ 1987.176086] kernel BUG at mm/usercopy.c:102!\n[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5\n[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]\n[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90\n[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f\n[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246\n[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000\n[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff\n[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff\n[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a\n[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899\n[ 1987.284710] FS:  0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000\n[ 1987.293850] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0\n[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1987.324527] PKRU: 55555554\n[ 1987.327622] Call Trace:\n[ 1987.330424]  <TASK>\n[ 1987.332826]  ? show_regs+0x6e/0x80\n[ 1987.336703]  ? die+0x3c/0xa0\n[ 1987.339988]  ? do_trap+0xd4/0xf0\n[ 1987.343662]  ? do_error_trap+0x75/0xa0\n[ 1987.347922]  ? usercopy_abort+0x72/0x90\n[ 1987.352277]  ? exc_invalid_op+0x57/0x80\n[ 1987.356634]  ? usercopy_abort+0x72/0x90\n[ 1987.360988]  ? asm_exc_invalid_op+0x1f/0x30\n[ 1987.365734]  ? usercopy_abort+0x72/0x90\n[ 1987.370088]  __check_heap_object+0xb7/0xd0\n[ 1987.374739]  __check_object_size+0x175/0x2d0\n[ 1987.379588]  idxd_copy_cr+0xa9/0x130 [idxd]\n[ 1987.384341]  idxd_evl_fault_work+0x127/0x390 [idxd]\n[ 1987.389878]  process_one_work+0x13e/0x300\n[ 1987.394435]  ? __pfx_worker_thread+0x10/0x10\n[ 1987.399284]  worker_thread+0x2f7/0x420\n[ 1987.403544]  ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 1987.409171]  ? __pfx_worker_thread+0x10/0x10\n[ 1987.414019]  kthread+0x107/0x140\n[ 1987.417693]  ? __pfx_kthread+0x10/0x10\n[ 1987.421954]  ret_from_fork+0x3d/0x60\n[ 1987.426019]  ? __pfx_kthread+0x10/0x10\n[ 1987.430281]  ret_from_fork_asm+0x1b/0x30\n[ 1987.434744]  </TASK>\n\nThe issue arises because event log cache is created using\nkmem_cache_create() which is not suitable for user copy.\n\nFix the issue by creating event log cache with\nkmem_cache_create_usercopy(), ensuring safe user copy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module's reference\n\nIn current design, usb role class driver will get usb_role_switch parent's\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module's reference.\n\nThis will save the module pointer in structure of usb_role_switch. Then,\nwe don't need to find module by iterating long relations.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829  if (request->complete) {\n830          spin_unlock(&priv_dev->lock);\n831          usb_gadget_giveback_request(&priv_ep->endpoint,\n832                                    request);\n833          spin_lock(&priv_dev->lock);\n834  }\n835\n836  if (request->buf == priv_dev->zlp_buf)\n837      cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][  T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][  T150]\n[ 1920.151837][  T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][  T150]  cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][  T150]  cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn't call\nusb_gadget_giveback_request() because it is allocated in this driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n  ...\n  cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n  list_del_init(&priv_req->list);\n  ...\n\n'priv_req' actually free at cdns3_gadget_ep_free_request(). But\nlist_del_init() use priv_req->list after it.\n\n[ 1542.642868][  T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][  T534]\n[ 1542.653162][  T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][  T534]  __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][  T534]  cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][  T534]  usb_ep_disable+0x44/0xe4\n[ 1542.675948][  T534]  ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][  T534]  ffs_func_set_alt+0x74/0x368\n[ 1542.685478][  T534]  ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc().  [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list.  Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n <TASK>\n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26750",
          "detail": "fixed-version",
          "description": "Fixed from version 5.15.151"
        },
        {
          "id": "CVE-2024-26751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper >/dev/null 2>&1\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n  virtio_crypto_akcipher_algs.o",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't suspend the array for interrupted reshape\n\nmd_start_sync() will suspend the array if there are spares that can be\nadded or removed from conf, however, if reshape is still in progress,\nthis won't happen at all or data will be corrupted(remove_and_add_spares\nwon't be called from md_choose_sync_action for reshape), hence there is\nno need to suspend the array if reshape is not done yet.\n\nMeanwhile, there is a potential deadlock for raid456:\n\n1) reshape is interrupted;\n\n2) set one of the disk WantReplacement, and add a new disk to the array,\n   however, recovery won't start until the reshape is finished;\n\n3) then issue an IO across reshpae position, this IO will wait for\n   reshape to make progress;\n\n4) continue to reshape, then md_start_sync() found there is a spare disk\n   that can be added to conf, mddev_suspend() is called;\n\nStep 4 and step 3 is waiting for each other, deadlock triggered. Noted\nthis problem is found by code review, and it's not reporduced yet.\n\nFix this porblem by don't suspend the array for interrupted reshape,\nthis is safe because conf won't be changed until reshape is done.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n  -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n  stop_sync_thread\n    set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n    md_wakeup_thread_directly(mddev->sync_thread);\n    wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n  if (!md_is_rdwr(mddev) &&\n      !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n   return;\n  -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n  __md_stop_writes\n   stop_sync_thread\n    set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n    md_wakeup_thread_directly(mddev->sync_thread);\n    wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n   return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem.  Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0                                 CPU1\n----                                 ----\ndo_swap_page()                       do_swap_page() with same entry\n<direct swapin path>                 <direct swapin path>\n<alloc page A>                       <alloc page B>\nswap_read_folio() <- read to page A  swap_read_folio() <- read to page B\n<slow on later locks or interrupt>   <finished swapin first>\n...                                  
set_pte_at()\n                                     swap_free() <- entry is free\n                                     <write to page B, now page A stalled>\n                                     <swap out page B to same swap entry>\npte_same() <- Check pass, PTE seems\n              unchanged, but page A\n              is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache.  Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event.  A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics.  
A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n  Polulating 32MB of memory region...\n  Keep swapping out...\n  Starting round 0...\n  Spawning 65536 workers...\n  32746 workers spawned, wait for done...\n  Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n  Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n  Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n  Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device.  Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore:     10934698 us\nAfter:      11157121 us\nCached:     13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder's CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. Support for this can be added in a follow on\npatch series.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\n\nThe PCI AER model is an awkward fit for CXL error handling. While the\nexpectation is that a PCI device can escalate to link reset to recover\nfrom an AER event, the same reset on CXL amounts to a surprise memory\nhotplug of massive amounts of memory.\n\nAt present, the CXL error handler attempts some optimistic error\nhandling to unbind the device from the cxl_mem driver after reaping some\nRAS register values. This results in a \"hopeful\" attempt to unplug the\nmemory, but there is no guarantee that will succeed.\n\nA subsequent AER notification after the memdev unbind event can no\nlonger assume the registers are mapped. Check for memdev bind before\nreaping status register values to avoid crashes of the form:\n\n BUG: unable to handle page fault for address: ffa00000195e9100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\n [...]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x82/0x160\n  ? kernelmode_fixup_or_oops+0x84/0x110\n  ? exc_page_fault+0x113/0x170\n  ? asm_exc_page_fault+0x26/0x30\n  ? __pfx_dpc_reset_link+0x10/0x10\n  ? __cxl_handle_ras+0x30/0x110 [cxl_core]\n  ? find_cxl_port+0x59/0x80 [cxl_core]\n  cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\n  cxl_error_detected+0x6c/0xf0 [cxl_core]\n  report_error_detected+0xc7/0x1c0\n  pci_walk_bus+0x73/0x90\n  pcie_do_recovery+0x23f/0x330\n\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\nneed to be replaced with a new PCI_ERS_RESULT_PANIC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don't modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n   ra: 90000000047bd56c tlb_init+0x24c/0x528\n  ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n        900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n        9000000006456888 9000000006456880 900000010039f950 0000000000000001\n        0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n        0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n        0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n        
9000000006366000 900000000619a140 0000000000000000 0000000000000004\n        0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n        9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n        00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n        ...\nCall Trace:\n[<90000000047a4828>] show_stack+0x48/0x1a0\n[<9000000005b61874>] dump_stack_lvl+0x84/0xcc\n[<90000000047f60ac>] __warn+0x8c/0x1e0\n[<9000000005b0ab34>] report_bug+0x1b4/0x280\n[<9000000005b63110>] do_bp+0x2d0/0x480\n[<90000000047a2e20>] handle_bp+0x120/0x1c0\n[<90000000048e3334>] rcu_cpu_starting+0x214/0x280\n[<90000000047bd568>] tlb_init+0x248/0x528\n[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160\n[<90000000047a19f4>] cpu_probe+0x494/0xa00\n[<90000000047b551c>] start_secondary+0x3c/0xc0\n[<9000000005b66134>] smpboot_entry+0x50/0x58",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990]  <TASK>\n[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347]  __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n  txreq = {\n    list = {\n      next = 0xffff9cfeba229f00,\n      prev = 0xffff9cfeba229f00\n    },\n    descp = 0xffff9cfeba229f40,\n    coalesce_buf = 0x0,\n    wait = 0xffff9cfea4e69a48,\n    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,\n    packet_len = 0x46d,\n    tlen = 0x0,\n    num_desc = 0x0,\n    desc_limit = 0x6,\n    next_descq_idx = 0x45c,\n    coalesce_idx = 0x0,\n    flags = 0x0,\n    descs = {{\n        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n      }, {\n        qw = {  0x3800014231b108, 0x4}\n      }, {\n        qw = { 0x310000e4ee0fcf0, 0x8}\n      }, {\n        qw = {  0x3000012e9f8000, 0x8}\n      }, {\n        qw = {  0x59000dfb9d0000, 0x8}\n      }, {\n        qw = {  0x78000e02e40000, 0x8}\n      }}\n  },\n  sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure\n  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n  complete = 0x0,\n  priv = 0x0,\n  txq = 0xffff9cfea4e69880,\n  skb = 
0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[    0.000000] s5 
9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250\n[    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000420000004259\n[    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94\n[    0.000000] [<90000000037a46ec>] platform_init+0x214/0x250\n[    0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c\n[    0.000000] [<90000000037a0790>] start_kernel+0x90/0x670\n[    0.000000] [<900000000378b0d8>] 
kernel_entry+0xd8/0xdc",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n[1] lock(&bdev->bd_size_lock);\n                                local_irq_disable();\n                            [2] lock(&d->lock);\n                            [3] lock(&bdev->bd_size_lock);\n   <Interrupt>\n[4]  lock(&d->lock);\n\n  *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\n\n    Unable to handle kernel NULL pointer dereference at virtual\n  address 0000000000000008\n    Call trace:\n        complete+0x54/0x100\n        hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n        __handle_irq_event_percpu+0x64/0x1e0\n        handle_irq_event+0x7c/0x1cc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta->uploaded check and re-check fast xmit after inserting a sta.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb.  [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets.  If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 
00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n <TASK>\n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.9"
        },
        {
          "id": "CVE-2024-26781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n   WARNING: possible circular locking dependency detected\n   6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n   syz-executor.2/24141 is trying to acquire lock:\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n   ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n   but task is already holding lock:\n   ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n   include/linux/spinlock.h:351 [inline]\n   ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:\n   inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n   -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n   spin_lock include/linux/spinlock.h:351 [inline]\n   __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n   inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n   __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n   inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n   rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n   rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n   ops_init+0x352/0x610 net/core/net_namespace.c:136\n   __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n   register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n   register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n   rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n   do_one_initcall+0x238/0x830 init/main.c:1236\n   
do_initcall_level+0x157/0x210 init/main.c:1298\n   do_initcalls+0x3f/0x80 init/main.c:1314\n   kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n   kernel_init+0x1d/0x2a0 init/main.c:1441\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n   -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n   check_prev_add kernel/locking/lockdep.c:3134 [inline]\n   check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n   validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n   __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n   lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n   lock_sock_fast include/net/sock.h:1723 [inline]\n   subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n   tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n   tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n   inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n   inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n   __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n   inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n   netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n   __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n   netlink_dump_start include/linux/netlink.h:338 [inline]\n   inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n   sock_diag_rcv_msg+0xe7/0x410\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n   sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n   netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n   netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n   netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n   sock_sendmsg_nosec net/socket.c:730 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:745\n   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n   ___sys_sendmsg net/socket.c:2638 [inline]\n   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n   do_syscall_64+0xf9/0x240\n   
entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.9"
        },
        {
          "id": "CVE-2024-26782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\n\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\n\n  Allocated by task 6853:\n   
kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\n\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\n\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  
page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn't have its local memory so it has no managed zones, the following\noops has been observed.  It's because wakeup_kswapd() is called with a\nwrong zone index, -1.  Fixed it by checking the index before calling\nwakeup_kswapd().\n\n> BUG: unable to handle page fault for address: 00000000000033f3\n> #PF: supervisor read access in kernel mode\n> #PF: error_code(0x0000) - not-present page\n> PGD 0 P4D 0\n> Oops: 0000 [#1] PREEMPT SMP NOPTI\n> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n>    rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n> Code: (omitted)\n> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n> FS:  00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n> PKRU: 55555554\n> Call Trace:\n>  <TASK>\n> ? __die\n> ? page_fault_oops\n> ? __pte_offset_map_lock\n> ? exc_page_fault\n> ? asm_exc_page_fault\n> ? 
wakeup_kswapd\n> migrate_misplaced_page\n> __handle_mm_fault\n> handle_mm_fault\n> do_user_addr_fault\n> exc_page_fault\n> asm_exc_page_fault\n> RIP: 0033:0x55b897ba0808\n> Code: (omitted)\n> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n>  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: Fix NULL dereference on scmi_perf_domain removal\n\nOn unloading of the scmi_perf_domain module got the below splat, when in\nthe DT provided to the system under test the '#power-domain-cells' property\nwas missing. Indeed, this particular setup causes the probe to bail out\nearly without giving any error, which leads to the ->remove() callback gets\nto run too, but without all the expected initialized structures in place.\n\nAdd a check and bail out early on remove too.\n\n Call trace:\n  scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]\n  scmi_dev_remove+0x28/0x40 [scmi_core]\n  device_remove+0x54/0x90\n  device_release_driver_internal+0x1dc/0x240\n  driver_detach+0x58/0xa8\n  bus_remove_driver+0x78/0x108\n  driver_unregister+0x38/0x70\n  scmi_driver_unregister+0x28/0x180 [scmi_core]\n  scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]\n  __arm64_sys_delete_module+0x1a8/0x2c0\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0x48/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x34/0xb8\n  el0t_64_sync_handler+0x100/0x130\n  el0t_64_sync+0x190/0x198\n Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n  KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]\n  Call Trace:\n   lock_acquire\n   lock_acquire+0x1ce/0x4f0\n   down_read+0x93/0x4a0\n   iommufd_test_syz_conv_iova+0x56/0x1f0\n   iommufd_test_access_rw.isra.0+0x2ec/0x390\n   iommufd_test+0x1058/0x1e30\n   iommufd_fops_ioctl+0x381/0x510\n   vfs_ioctl\n   __do_sys_ioctl\n   __se_sys_ioctl\n   __x64_sys_ioctl+0x170/0x1e0\n   do_syscall_x64\n   do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access->ioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access->ioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n  WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n  Call Trace:\n   iommufd_access_change_ioas+0x2fe/0x4e0\n   iommufd_access_destroy_object+0x50/0xb0\n   iommufd_object_remove+0x2a3/0x490\n   iommufd_object_destroy_user\n   iommufd_access_destroy+0x71/0xb0\n   iommufd_test_staccess_release+0x89/0xd0\n   __fput+0x272/0xb50\n   __fput_sync+0x4b/0x60\n   __do_sys_close\n   __se_sys_close\n   __x64_sys_close+0x8b/0x110\n   do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access->iopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: 
be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. 
It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.9"
        },
        {
          "id": "CVE-2024-26793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985]  ? __die_body.cold+0x1a/0x1f\n[ 1010.715995]  ? die_addr+0x43/0x70\n[ 1010.716002]  ? exc_general_protection+0x199/0x2f0\n[ 1010.716016]  ? 
asm_exc_general_protection+0x1e/0x30\n[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042]  __rtnl_newlink+0x1063/0x1700\n[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076]  ? __kernel_text_address+0x56/0xa0\n[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106]  ? stack_trace_save+0x91/0xd0\n[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139]  ? mark_held_locks+0x9e/0xe0\n[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160]  rtnl_newlink+0x69/0xa0\n[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179]  ? lock_acquire+0x1fe/0x560\n[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196]  netlink_rcv_skb+0x14d/0x440\n[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208]  ? netlink_ack+0xab0/0xab0\n[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233]  netlink_unicast+0x54b/0x800\n[ 1010.716240]  ? netlink_attachskb+0x870/0x870\n[ 1010.716248]  ? __check_object_size+0x2de/0x3b0\n[ 1010.716254]  netlink_sendmsg+0x938/0xe40\n[ 1010.716261]  ? netlink_unicast+0x800/0x800\n[ 1010.716269]  ? __import_iovec+0x292/0x510\n[ 1010.716276]  ? netlink_unicast+0x800/0x800\n[ 1010.716284]  __sock_sendmsg+0x159/0x190\n[ 1010.716290]  ____sys_sendmsg+0x712/0x880\n[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309]  ? lock_acquire+0x1fe/0x560\n[ 1010.716315]  ? 
drain_array_locked+0x90/0x90\n[ 1010.716324]  ___sys_sendmsg+0xf8/0x170\n[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337]  ? lockdep_init_map\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap\u2019s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: ctr_get_width function for legacy is not defined\n\nWith parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n\nlinux kernel crashes when you try perf record:\n\n$ perf record ls\n[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 46.750199] Oops [#1]\n[ 46.750342] Modules linked in:\n[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2\n[ 46.750906] Hardware name: riscv-virtio,qemu (DT)\n[ 46.751184] epc : 0x0\n[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e\n[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0\n[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0\n[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930\n[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000\n[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004\n[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2\n[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000\n[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078\n[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001\n[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff\n[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30\n[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c\n[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.\n[ 46.754939] ---[ end trace 0000000000000000 ]---\n[ 46.755131] note: perf-exec[107] exited with irqs disabled\n[ 46.755546] note: perf-exec[107] exited with preempt_count 4\n\nThis happens because in the legacy case the ctr_get_width function was not\ndefined, but it is used in arch_perf_update_userpage.\n\nAlso remove 
extra check in riscv_pmu_ctr_get_width_mask",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent potential buffer overflow in map_hw_resources\n\nAdds a check in the map_hw_resources function to prevent a potential\nbuffer overflow. The function was accessing arrays using an index that\ncould potentially be greater than the size of the arrays, leading to a\nbuffer overflow.\n\nAdds a check to ensure that the index is within the bounds of the\narrays. If the index is out of bounds, an error message is printed and\nbreak it will continue execution with just ignoring extra data early to\nprevent the buffer overflow.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n  BUG: unable to handle page fault for address: fffffffffffffff8\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n  Oops: 0000 [#1] PREEMPT SMP KASAN\n  CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n  Call Trace:\n   <TASK>\n   con_font_get drivers/tty/vt/vt.c:4558 [inline]\n   con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n   vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n   vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n   tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n   vfs_ioctl fs/ioctl.c:51 [inline]\n  ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.9"
        },
        {
          "id": "CVE-2024-26801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won't work and TX queue will eventually timeout,\ncausing 'Reset adapter' error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n           <Skipping backtrace for watchdog timeout>\n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] 
dev_close.part.0+0x70/0xc0\n[88.036560] dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  
IOW, we skb->data gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\n\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\n\nv2: Cap the needed_headroom update to an arbitarily 
chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n 
packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 
mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks\n\nThe ->runtime_suspend() and ->runtime_resume() callbacks are not\nexpected to call spi_controller_suspend() and spi_controller_resume().\nRemove calls to those in the cadence-qspi driver.\n\nThose helpers have two roles currently:\n - They stop/start the queue, including dealing with the kworker.\n - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It\n   requires acquiring ctlr->bus_lock_mutex.\n\nStep one is irrelevant because cadence-qspi is not queued. Step two\nhowever has two implications:\n - A deadlock occurs, because ->runtime_resume() is called in a context\n   where the lock is already taken (in the ->exec_op() callback, where\n   the usage count is incremented).\n - It would disallow all operations once the device is auto-suspended.\n\nHere is a brief call tree highlighting the mutex deadlock:\n\nspi_mem_exec_op()\n        ...\n        spi_mem_access_start()\n                mutex_lock(&ctlr->bus_lock_mutex)\n\n        cqspi_exec_mem_op()\n                pm_runtime_resume_and_get()\n                        cqspi_resume()\n                                spi_controller_resume()\n                                        mutex_lock(&ctlr->bus_lock_mutex)\n                ...\n\n        spi_mem_access_end()\n                mutex_unlock(&ctlr->bus_lock_mutex)\n        ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBoth cadence-quadspi ->runtime_suspend() and ->runtime_resume()\nimplementations start with:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nThis obviously cannot be correct, unless \"struct cqspi_st\" is the\nfirst member of \" struct spi_controller\", or the other way around, but\nit is not the case. \"struct spi_controller\" is allocated by\ndevm_spi_alloc_host(), which allocates an extra amount of memory for\nprivate data, used to store \"struct cqspi_st\".\n\nThe ->probe() function of the cadence-quadspi driver then sets the\ndevice drvdata to store the address of the \"struct cqspi_st\"\nstructure. Therefore:\n\n\tstruct cqspi_st *cqspi = dev_get_drvdata(dev);\n\nis correct, but:\n\n\tstruct spi_controller *host = dev_get_drvdata(dev);\n\nis not, as it makes \"host\" point not to a \"struct spi_controller\" but\nto the same \"struct cqspi_st\" structure as above.\n\nThis obviously leads to bad things (memory corruption, kernel crashes)\ndirectly during ->probe(), as ->probe() enables the device using PM\nruntime, leading the ->runtime_resume() hook being called, which in\nturns calls spi_controller_resume() with the wrong pointer.\n\nThis has at least been reported [0] to cause a kernel crash, but the\nexact behavior will depend on the memory contents.\n\n[0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/\n\nThis issue potentially affects all platforms that are currently using\nthe cadence-quadspi driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\n\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1.  The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger.  The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check\n\ntaprio_parse_tc_entry() is not correctly checking\nTCA_TAPRIO_TC_ENTRY_INDEX attribute:\n\n\tint tc; // Signed value\n\n\ttc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);\n\tif (tc >= TC_QOPT_MAX_QUEUE) {\n\t\tNL_SET_ERR_MSG_MOD(extack, \"TC entry index out of range\");\n\t\treturn -ERANGE;\n\t}\n\nsyzbot reported that it could fed arbitary negative values:\n\nUBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18\nshift exponent -2147418108 is negative\nCPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  ubsan_epilogue lib/ubsan.c:217 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386\n  taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]\n  taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]\n  taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877\n  taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134\n  qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355\n  tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f1b2dea3759\nCode: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004\nRBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340\nR13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86, relocs: Ignore relocations in .notes section\n\nWhen building with CONFIG_XEN_PV=y, .text symbols are emitted into\nthe .notes section so that Xen can find the \"startup_xen\" entry point.\nThis information is used prior to booting the kernel, so relocations\nare not useful. In fact, performing relocations against the .notes\nsection means that the KASLR base is exposed since /sys/kernel/notes\nis world-readable.\n\nTo avoid leaking the KASLR base without breaking unprivileged tools that\nare expecting to read /sys/kernel/notes, skip performing relocations in\nthe .notes section. The values readable in .notes are then identical to\nthose found in System.map.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/rtla: Fix clang warning about mount_point var size\n\nclang is reporting this warning:\n\n$ make HOSTCC=clang CC=clang LLVM_IAS=1\n[...]\nclang -O -g -DVERSION=\\\"6.8.0-rc3\\\" -flto=auto -fexceptions\n\t-fstack-protector-strong -fasynchronous-unwind-tables\n\t-fstack-clash-protection  -Wall -Werror=format-security\n\t-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS\n\t$(pkg-config --cflags libtracefs)    -c -o src/utils.o src/utils.c\n\nsrc/utils.c:548:66: warning: 'fscanf' may overflow; destination buffer in argument 3 has size 1024, but the corresponding specifier may require size 1025 [-Wfortify-source]\n  548 |         while (fscanf(fp, \"%*s %\" STR(MAX_PATH) \"s %99s %*s %*d %*d\\n\", mount_point, type) == 2) {\n      |                                                                         ^\n\nIncrease mount_point variable size to MAX_PATH+1 to avoid the overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed\n\nIf hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER\nhandler cannot perform VF register successfully as the register call\nis received before netvsc_probe is finished. This is because we\nregister register_netdevice_notifier() very early( even before\nvmbus_driver_register()).\nTo fix this, we try to register each such matching VF( if it is visible\nas a netdevice) at the end of netvsc_probe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Restore quirk probing for ACPI-based systems\n\nWhile refactoring the way the ITSs are probed, the handling of quirks\napplicable to ACPI-based platforms was lost. As a result, systems such as\nHIP07 lose their GICv4 functionnality, and some other may even fail to\nboot, unless they are configured to boot with DT.\n\nMove the enabling of quirks into its_probe_one(), making it common to all\nfirmware implementations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - Remove bogus SGL free on zero-length error path\n\nWhen a zero-length message is hashed by algif_hash, and an error\nis triggered, it tries to free an SG list that was never allocated\nin the first place.  Fix this by not freeing the SG list on the\nzero-length error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\n\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\n\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: fix a memleak in irtoy_tx\n\nWhen irtoy_command fails, buf should be freed since it is allocated by\nirtoy_tx, or there is a memleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n    link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n    vf 0     link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n    link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n    vf 0     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: Fix handshake_req_destroy_test1\n\nRecently, handshake_req_destroy_test1 started failing:\n\nExpected handshake_req_destroy_test == req, but\n    handshake_req_destroy_test == 0000000000000000\n    req == 0000000060f99b40\nnot ok 11 req_destroy works\n\nThis is because \"sock_release(sock)\" was replaced with \"fput(filp)\"\nto address a memory leak. Note that sock_release() is synchronous\nbut fput() usually delays the final close and clean-up.\n\nThe delay is not consequential in the other cases that were changed\nbut handshake_req_destroy_test1 is testing that handshake_req_cancel()\nfollowed by closing the file actually does call the ->hp_destroy\nmethod. Thus the PTR_EQ test at the end has to be sure that the\nfinal close is complete before it checks the pointer.\n\nWe cannot use a completion here because if ->hp_destroy is never\ncalled (ie, there is an API bug) then the test will hang.\n\nReported by: Guenter Roeck <linux@roeck-us.net>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled.  If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd.  Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak in dm_sw_fini()\n\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\n\nunreferenced object 0xffff896302b45800 (size 1024):\n  comm \"(udev-worker)\", pid 222, jiffies 4294894636\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 6265fd77):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n    [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]\n    [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n    [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n    [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n    [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90\n    [<ffffffff996918a3>] pci_device_probe+0xc3/0x230\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\n\nFix this by freeing dmub_srv after destroying it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: release dst in case direct xmit path is used\n\nDirect xmit does not use it since it calls dev_queue_xmit() to send\npackets, hence it calls dst_release().\n\nkmemleak reports:\n\nunreferenced object 0xffff88814f440900 (size 184):\n  comm \"softirq\", pid 0, jiffies 4294951896\n  hex dump (first 32 bytes):\n    00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff  .`[.............\n    21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00  !.P.............\n  backtrace (crc cb2bf5d6):\n    [<000000003ee17107>] kmem_cache_alloc+0x286/0x340\n    [<0000000021a5de2c>] dst_alloc+0x43/0xb0\n    [<00000000f0671159>] rt_dst_alloc+0x2e/0x190\n    [<00000000fe5092c9>] __mkroute_output+0x244/0x980\n    [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160\n    [<0000000045367433>] nf_ip_route+0xf/0x30\n    [<0000000085da1d8e>] nf_route+0x2d/0x60\n    [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]\n    [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]\n    [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]\n    [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]\n    [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]\n    [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160\n    [<0000000005eccab1>] ip_forward+0x8b6/0x9b0\n    [<00000000553a269b>] ip_rcv+0x221/0x230\n    [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: set dormant flag on hook register failure\n\nWe need to set the dormant flag again if we fail to register\nthe hooks.\n\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\n\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables core.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix password opcode ordering for workstations\n\nThe Lenovo workstations require the password opcode to be run before\nthe attribute value is changed (if Admin password is enabled).\n\nTested on some Thinkpads to confirm they are OK with this order too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n    root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n    > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n    root@infix-06-0b-00:~$ ip link del dev br0\n    root@infix-06-0b-00:~$ mvls atu\n    ADDRESS             FID  STATE      Q  F  0  1  2  3  4  5  6  7  8  9  a\n    DEV:0 Marvell 88E6393X\n    33:33:00:00:00:6a     1  static     -  -  0  .  .  .  .  .  .  .  .  .  .\n    33:33:ff:87:e4:3f     1  static     -  -  0  .  .  .  .  .  .  .  .  .  .\n    ff:ff:ff:ff:ff:ff     1  static     -  -  0  1  2  3  4  5  6  7  8  9  a\n    root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n    root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n    > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n   list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n   enqueued to the switchdev deferred queue, before adding it to the\n   replay list, when replaying additions.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix KASAN issue with tasklet\n\nKASAN testing revealed the following issue associated with freeing an IRQ.\n\n[50006.466686] Call Trace:\n[50006.466691]  <IRQ>\n[50006.489538]  dump_stack+0x5c/0x80\n[50006.493475]  print_address_description.constprop.6+0x1a/0x150\n[50006.499872]  ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.505742]  ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.511644]  kasan_report.cold.11+0x7f/0x118\n[50006.516572]  ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.522473]  irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.528232]  irdma_process_ceq+0xb2/0x400 [irdma]\n[50006.533601]  ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]\n[50006.540298]  irdma_ceq_dpc+0x44/0x100 [irdma]\n[50006.545306]  tasklet_action_common.isra.14+0x148/0x2c0\n[50006.551096]  __do_softirq+0x1d0/0xaf8\n[50006.555396]  irq_exit_rcu+0x219/0x260\n[50006.559670]  irq_exit+0xa/0x20\n[50006.563320]  smp_apic_timer_interrupt+0x1bf/0x690\n[50006.568645]  apic_timer_interrupt+0xf/0x20\n[50006.573341]  </IRQ>\n\nThe issue is that a tasklet could be pending on another core racing\nthe delete of the irq.\n\nFix by ensuring any scheduled tasklet is killed after deleting the\nirq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix a memleak in init_credit_return\n\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that were allocated before. Otherwise those resources\nwould never be freed and a memleak is triggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix memory leak in cachefiles_add_cache()\n\nThe following memory leak was reported after unbinding /dev/cachefiles:\n\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\n\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Update cpu_sibling_map when disabling nonboot CPUs\n\nUpdate cpu_sibling_map when disabling nonboot CPUs by defining & calling\nclear_cpu_sibling_map(), otherwise we get such errors on SMT systems:\n\njump label: negative count!\nWARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\npc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20\na0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280\na4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001\nt0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000\nt4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964\nt8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8\ns1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040\ns5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006\n   ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n  ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000004 (PPLV0 +PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\nStack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000\n        90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0\n        900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001\n        0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0\n        0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f\n        6f4c203a656d616e 000000000009ec99 0000000007f38000 0000000000000000\n        900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000\n        0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4\n        0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c\n        00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n        ...\nCall Trace:\n[<9000000000224528>] show_stack+0x48/0x1a0\n[<900000000179afc8>] dump_stack_lvl+0x78/0xa0\n[<9000000000263ed0>] __warn+0x90/0x1a0\n[<90000000017419b8>] report_bug+0x1b8/0x280\n[<900000000179c564>] do_bp+0x264/0x420\n[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100\n[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300\n[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0\n[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240\n[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0\n[<900000000029a720>] kthread+0x140/0x160\n[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will be out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n<snip>\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: Fix potential overflow of soft-reserved region size\n\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzkaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Add TMF to tmr_list handling\n\nAn abort that is responded to by iSCSI itself is added to tmr_list but does\nnot go to target core. A LUN_RESET that goes through tmr_list takes a\nrefcounter on the abort and waits for completion. However, the abort will\nnever complete because it was not started in target core.\n\n Unable to locate ITT: 0x05000000 on CID: 0\n Unable to locate RefTaskTag: 0x05000000 on CID: 0.\n wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n...\n INFO: task kworker/0:2:49 blocked for more than 491 seconds.\n task:kworker/0:2     state:D stack:    0 pid:   49 ppid:     2 flags:0x00000800\n Workqueue: events target_tmr_work [target_core_mod]\nCall Trace:\n __switch_to+0x2c4/0x470\n _schedule+0x314/0x1730\n schedule+0x64/0x130\n schedule_timeout+0x168/0x430\n wait_for_completion+0x140/0x270\n target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]\n core_tmr_lun_reset+0x30/0xa0 [target_core_mod]\n target_tmr_work+0xc8/0x1b0 [target_core_mod]\n process_one_work+0x2d4/0x5d0\n worker_thread+0x78/0x6c0\n\nTo fix this, only add abort to tmr_list if it will be handled by target\ncore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has a race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handle all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: use correct function name for resetting TCE tables\n\nThe PAPR spec spells the function name as\n\n  \"ibm,reset-pe-dma-windows\"\n\nbut in practice firmware uses the singular form:\n\n  \"ibm,reset-pe-dma-window\"\n\nin the device tree. Since we have the wrong spelling in the RTAS\nfunction table, reverse lookups (token -> name) fail and warn:\n\n  unexpected failed lookup for token 86\n  WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4\n  CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30\n  Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries\n  NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4\n  LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4\n  Call Trace:\n   __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)\n   rtas_call+0x1f8/0x3e0\n   enable_ddw.constprop.0+0x4d0/0xc84\n   dma_iommu_dma_supported+0xe8/0x24c\n   dma_set_mask+0x5c/0xd8\n   mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]\n   probe_one+0xfc/0x32c [mlx5_core]\n   local_pci_probe+0x68/0x12c\n   pci_call_probe+0x68/0x1ec\n   pci_device_probe+0xbc/0x1a8\n   really_probe+0x104/0x570\n   __driver_probe_device+0xb8/0x224\n   driver_probe_device+0x54/0x130\n   __driver_attach+0x158/0x2b0\n   bus_for_each_dev+0xa8/0x120\n   driver_attach+0x34/0x48\n   bus_add_driver+0x174/0x304\n   driver_register+0x8c/0x1c4\n   __pci_register_driver+0x68/0x7c\n   mlx5_init+0xb8/0x118 [mlx5_core]\n   do_one_initcall+0x60/0x388\n   do_init_module+0x7c/0x2a4\n   init_module_from_file+0xb4/0x108\n   idempotent_init_module+0x184/0x34c\n   sys_finit_module+0x90/0x114\n\nAnd oopses are possible when lockdep is enabled or the RTAS\ntracepoints are active, since those paths dereference the result of\nthe lookup.\n\nUse the correct spelling to match firmware's behavior, adjusting the\nrelated constants to match.",
          "scorev2": "0.0",
          "scorev3": "5.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: add nla be16/32 types to minlen array\n\nBUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]\nBUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]\nBUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]\nBUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631\n nla_validate_range_unsigned lib/nlattr.c:222 [inline]\n nla_validate_int_range lib/nlattr.c:336 [inline]\n validate_nla lib/nlattr.c:575 [inline]\n...\n\nThe message in question matches this policy:\n\n [NFTA_TARGET_REV]       = NLA_POLICY_MAX(NLA_BE32, 255),\n\nbut because NLA_BE32 size in minlen array is 0, the validation\ncode will read past the malformed (too small) attribute.\n\nNote: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:\nthose likely should be added too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: fix BUG_ON with pud advanced test\n\nArchitectures like powerpc add debug checks to ensure we find only devmap\nPUD pte entries.  These debug checks are only done with CONFIG_DEBUG_VM. \nThis patch marks the ptes used for PUD advanced test devmap pte entries so\nthat we don't hit on debug checks on architectures like ppc64 as below.\n\nWARNING: CPU: 2 PID: 1 at arch/powerpc/mm/book3s64/radix_pgtable.c:1382 radix__pud_hugepage_update+0x38/0x138\n....\nNIP [c0000000000a7004] radix__pud_hugepage_update+0x38/0x138\nLR [c0000000000a77a8] radix__pudp_huge_get_and_clear+0x28/0x60\nCall Trace:\n[c000000004a2f950] [c000000004a2f9a0] 0xc000000004a2f9a0 (unreliable)\n[c000000004a2f980] [000d34c100000000] 0xd34c100000000\n[c000000004a2f9a0] [c00000000206ba98] pud_advanced_tests+0x118/0x334\n[c000000004a2fa40] [c00000000206db34] debug_vm_pgtable+0xcbc/0x1c48\n[c000000004a2fc10] [c00000000000fd28] do_one_initcall+0x60/0x388\n\nAlso\n\n kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:202!\n ....\n\n NIP [c000000000096510] pudp_huge_get_and_clear_full+0x98/0x174\n LR [c00000000206bb34] pud_advanced_tests+0x1b4/0x334\n Call Trace:\n [c000000004a2f950] [000d34c100000000] 0xd34c100000000 (unreliable)\n [c000000004a2f9a0] [c00000000206bb34] pud_advanced_tests+0x1b4/0x334\n [c000000004a2fa40] [c00000000206db34] debug_vm_pgtable+0xcbc/0x1c48\n [c000000004a2fc10] [c00000000000fd28] do_one_initcall+0x60/0x388",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\n\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\n\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\n\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loops.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports an exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\n\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\n\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\n\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\n\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\n\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\n\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 m\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n   transmitted and release them inside igc_xdp_xmit.\n   While it might work technically, it is not what\n   the return value is meant to represent (i.e. the\n   number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n   support non-consecutively dropped packets.\n   Besides being complex, it likely has a negative\n   performance impact without a significant gain\n   since it is anyway unlikely that the next frame\n   can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds.  
It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n   #!/bin/bash\n   INTERFACE=enp4s0\n   INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n   sudo ip link add dev veth1 type veth peer name veth2\n   sudo ip link set up $INTERFACE\n   sudo ip link set up veth1\n   sudo ip link set up veth2\n\n   cat << EOF > redirect.bpf.c\n\n   SEC(\"prog\")\n   int redirect(struct xdp_md *ctx)\n   {\n       return bpf_redirect($INTERFACE_IDX, 0);\n   }\n\n   char _license[] SEC(\"license\") = \"GPL\";\n   EOF\n   clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n   sudo ip link set veth2 xdp obj redirect.bpf.o\n\n   cat << EOF > pass.bpf.c\n\n   SEC(\"prog\")\n   int pass(struct xdp_md *ctx)\n   {\n       return XDP_PASS;\n   }\n\n   char _license[] SEC(\"license\") = \"GPL\";\n   EOF\n   clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n   sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n   cat << EOF > trafgen.cfg\n\n   {\n     /* Ethernet Header */\n     0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n     const16(ETH_P_IP),\n\n     /* IPv4 Header */\n     0b01000101, 0,   # IPv4 version, IHL, TOS\n     const16(1028),   # IPv4 total length (UDP length + 20 bytes (IP header))\n     const16(2),      # IPv4 ident\n     0b01000000, 0,   # IPv4 flags, fragmentation off\n     64,              # IPv4 TTL\n     17,              # Protocol UDP\n     csumip(14, 33),  # IPv4 checksum\n\n     /* UDP Header */\n     10,  0, 1, 1,    # IP Src - adapt as needed\n     10,  0, 1, 2,    # IP Dest - adapt as needed\n     const16(6666),   # UDP Src Port\n     const16(6666),   # UDP Dest Port\n     const16(1008),   # UDP length (UDP header 8 bytes + payload length)\n     csumudp(14, 34), # UDP checksum\n\n     /* Payload */\n     fill('W', 1000),\n   }\n   EOF\n\n   sudo trafgen -i trafgen.cfg -b3000MB -o 
veth1 --cpp",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix uninitialized dplls mutex usage\n\nThe pf->dplls.lock mutex is initialized too late, after its first use.\nMove it to the top of ice_dpll_init.\nNote that the \"err_exit\" error path destroys the mutex. And the mutex is\nthe last thing destroyed in ice_dpll_deinit.\nThis fixes the following warning with CONFIG_DEBUG_MUTEXES:\n\n ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0\n ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)\n ice 0000:10:00.0: PTP init successful\n ------------[ cut here ]------------\n DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40\n Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>\n CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3\n Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023\n Workqueue: events work_for_cpu_fn\n RIP: 0010:__mutex_lock+0x773/0xd40\n Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>\n RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff\n RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff\n R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8\n FS:  0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __warn+0x84/0x170\n  ? __mutex_lock+0x773/0xd40\n  ? report_bug+0x1c7/0x1d0\n  ? prb_read_valid+0x1b/0x30\n  ? handle_bug+0x42/0x70\n  ? exc_invalid_op+0x18/0x70\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? __mutex_lock+0x773/0xd40\n  ? rcu_is_watching+0x11/0x50\n  ? __kmalloc_node_track_caller+0x346/0x490\n  ? ice_dpll_lock_status_get+0x28/0x50 [ice]\n  ? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]\n  ? ice_dpll_lock_status_get+0x28/0x50 [ice]\n  ice_dpll_lock_status_get+0x28/0x50 [ice]\n  dpll_device_get_one+0x14f/0x2e0\n  dpll_device_event_send+0x7d/0x150\n  dpll_device_register+0x124/0x180\n  ice_dpll_init_dpll+0x7b/0xd0 [ice]\n  ice_dpll_init+0x224/0xa40 [ice]\n  ? _dev_info+0x70/0x90\n  ice_load+0x468/0x690 [ice]\n  ice_probe+0x75b/0xa10 [ice]\n  ? _raw_spin_unlock_irqrestore+0x4f/0x80\n  ? process_one_work+0x1a3/0x500\n  local_pci_probe+0x47/0xa0\n  work_for_cpu_fn+0x17/0x30\n  process_one_work+0x20d/0x500\n  worker_thread+0x1df/0x3e0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0x103/0x140\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x31/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>\n irq event stamp: 125197\n hardirqs last  enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0\n hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0\n softirqs last  enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60\n softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\n\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sparx5: Fix use after free inside sparx5_del_mact_entry\n\nBased on the static analyzis of the code it looks like when an entry\nfrom the MAC table was removed, the entry was still used after being\nfreed. More precise the vid of the mac_entry was used after calling\ndevm_kfree on the mac_entry.\nThe fix consists in first using the vid of the mac_entry to delete the\nentry from the HW and after that to free it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: make sure to pull inner header in geneve_rx()\n\nsyzbot triggered a bug in geneve_rx() [1]\n\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  geneve_rx drivers/net/geneve.c:279 [inline]\n  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  process_backlog+0x480/0x8b0 net/core/dev.c:5976\n  __napi_poll+0xe3/0x980 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n  __do_softirq+0x1b7/0x7c5 
kernel/softirq.c:553\n  do_softirq+0x9a/0xf0 kernel/softirq.c:454\n  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n  dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3819 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1296 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map\n\nJust simply reordering the functions mlx5e_ptp_metadata_map_put and\nmlx5e_ptpsq_track_metadata in the mlx5e_txwqe_complete context is not good\nenough since both the compiler and CPU are free to reorder these two\nfunctions. If reordering does occur, the issue that was supposedly fixed by\n7e3f3ba97e6c (\"net/mlx5e: Track xmit submission to PTP WQ after populating\nmetadata map\") will be seen. This will lead to NULL pointer dereferences in\nmlx5e_ptpsq_mark_ts_cqes_undelivered in the NAPI polling context due to the\ntracking list being populated before the metadata map.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? 
(uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-integrity: fix a memory leak when rechecking the data\n\nMemory for the \"checksums\" pointer will leak if the data is rechecked\nafter checksum failure (because the associated kfree won't happen due\nto 'goto skip_io').\n\nFix this by freeing the checksums memory before recheck, and just use\nthe \"checksum_onstack\" memory for storing checksum during recheck.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: receive: annotate data-race around receiving_counter.counter\n\nSyzkaller with KCSAN identified a data-race issue when accessing\nkeypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()\nannotations to mark the data race as intentional.\n\n    BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll\n\n    write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:\n     counter_validate drivers/net/wireguard/receive.c:321 [inline]\n     wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461\n     __napi_poll+0x60/0x3b0 net/core/dev.c:6536\n     napi_poll net/core/dev.c:6605 [inline]\n     net_rx_action+0x32b/0x750 net/core/dev.c:6738\n     __do_softirq+0xc4/0x279 kernel/softirq.c:553\n     do_softirq+0x5e/0x90 kernel/softirq.c:454\n     __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n     __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n     _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\n     spin_unlock_bh include/linux/spinlock.h:396 [inline]\n     ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]\n     wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499\n     process_one_work kernel/workqueue.c:2633 [inline]\n     ...\n\n    read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:\n     decrypt_packet drivers/net/wireguard/receive.c:252 [inline]\n     wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501\n     process_one_work kernel/workqueue.c:2633 [inline]\n     process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706\n     worker_thread+0x525/0x730 kernel/workqueue.c:2787\n     ...",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -> 0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware 
name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in hsr_get_node()\n\nKMSAN reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 
[inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\n\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix refcnt handling in __inet_hash_connect().\n\nsyzbot reported a warning in sk_nulls_del_node_init_rcu().\n\nThe commit 66b60b0c8c4a (\"dccp/tcp: Unhash sk from ehash for tb2 alloc\nfailure after check_estalblished().\") tried to fix an issue that an\nunconnected socket occupies an ehash entry when bhash2 allocation fails.\n\nIn such a case, we need to revert changes done by check_established(),\nwhich does not hold refcnt when inserting socket into ehash.\n\nSo, to revert the change, we need to __sk_nulls_add_node_rcu() instead\nof sk_nulls_add_node_rcu().\n\nOtherwise, sock_put() will cause refcnt underflow and leak the socket.\n\n[0]:\nWARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nModules linked in:\nCPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nCode: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2\nRSP: 0018:ffffc900032d7848 EFLAGS: 00010246\nRAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000\nRDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000\nRBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28\nR10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140\nR13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130\nFS:  00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 
0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139\n dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956\n __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678\n inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f3b8167dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9\nRDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet's apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n </IRQ>\n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: comedi_8255: Correct error in subdevice initialization\n\nThe refactoring done in commit 5c57b1ccecc7 (\"comedi: comedi_8255: Rework\nsubdevice initialization functions\") to the initialization of the io\nfield of struct subdev_8255_private broke all cards using the\ndrivers/comedi/drivers/comedi_8255.c module.\n\nPrior to 5c57b1ccecc7, __subdev_8255_init() initialized the io field\nin the newly allocated struct subdev_8255_private to the non-NULL\ncallback given to the function, otherwise it used a flag parameter to\nselect between subdev_8255_mmio and subdev_8255_io. The refactoring\nremoved that logic and the flag, as subdev_8255_mm_init() and\nsubdev_8255_io_init() now explicitly pass subdev_8255_mmio and\nsubdev_8255_io respectively to __subdev_8255_init(), only\n__subdev_8255_init() never sets spriv->io to the supplied\ncallback. That spriv->io is NULL leads to a later BUG:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP PTI\nCPU: 1 PID: 1210 Comm: systemd-udevd Not tainted 6.7.3-x86_64 #1\nHardware name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b\nRDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00\nRBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000\nR13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8\nFS:  00007f72f4e8f500(0000) GS:ffff91f8d5c80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010540e000 CR4: 00000000000406f0\nCall Trace:\n <TASK>\n ? __die_body+0x15/0x57\n ? page_fault_oops+0x2ef/0x33c\n ? insert_vmap_area.constprop.0+0xb6/0xd5\n ? alloc_vmap_area+0x529/0x5ee\n ? exc_page_fault+0x15a/0x489\n ? asm_exc_page_fault+0x22/0x30\n __subdev_8255_init+0x79/0x8d [comedi_8255]\n pci_8255_auto_attach+0x11a/0x139 [8255_pci]\n comedi_auto_config+0xac/0x117 [comedi]\n ? __pfx___driver_attach+0x10/0x10\n pci_device_probe+0x88/0xf9\n really_probe+0x101/0x248\n __driver_probe_device+0xbb/0xed\n driver_probe_device+0x1a/0x72\n __driver_attach+0xd4/0xed\n bus_for_each_dev+0x76/0xb8\n bus_add_driver+0xbe/0x1be\n driver_register+0x9a/0xd8\n comedi_pci_driver_register+0x28/0x48 [comedi_pci]\n ? __pfx_pci_8255_driver_init+0x10/0x10 [8255_pci]\n do_one_initcall+0x72/0x183\n do_init_module+0x5b/0x1e8\n init_module_from_file+0x86/0xac\n __do_sys_finit_module+0x151/0x218\n do_syscall_64+0x72/0xdb\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f72f50a0cb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 47 71 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffd47e512d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000562dd06ae070 RCX: 00007f72f50a0cb9\nRDX: 0000000000000000 RSI: 00007f72f52d32df RDI: 000000000000000e\nRBP: 0000000000000000 R08: 00007f72f5168b20 R09: 0000000000000000\nR10: 0000000000000050 R11: 0000000000000246 R12: 00007f72f52d32df\nR13: 0000000000020000 R14: 0000562dd06785c0 R15: 0000562dcfd0e9a8\n </TASK>\nModules linked in: 8255_pci(+) comedi_8255 comedi_pci comedi intel_gtt e100(+) acpi_cpufreq rtc_cmos usbhid\nCR2: 0000000000000000\n---[ end trace 0000000000000000 ]---\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffa3f1c02d7b78 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff91f847aefd00 RCX: 000000000000009b\nRDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff91f840f6fc00\nRBP: ffff91f840f6fc00 R08: 0000000000000000 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000005f R12: 0000000000000000\nR13: 0000000000000000 R14: ffffffffc0102498 R15: ffff91f847ce6ba8\nFS: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\n\nWe've been seeing the following panic in production\n\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n <TASK>\n ? __die+0x78/0xc0\n ? page_fault_oops+0x286/0x380\n ? __rpc_execute+0x2c3/0x470 [sunrpc]\n ? rpc_new_task+0x42/0x1c0 [sunrpc]\n ? exc_page_fault+0x5d/0x110\n ? asm_exc_page_fault+0x22/0x30\n ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\n pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\n pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\n nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\n ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n __nfs_pageio_add_request+0x154/0x6c0 [nfs]\n nfs_pageio_add_request+0x26b/0x380 [nfs]\n nfs_do_writepage+0x111/0x1e0 [nfs]\n nfs_writepages_callback+0xf/0x30 [nfs]\n write_cache_pages+0x17f/0x380\n ? nfs_pageio_init_write+0x50/0x50 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n nfs_writepages+0x125/0x210 [nfs]\n do_writepages+0x67/0x220\n ? generic_perform_write+0x14b/0x210\n filemap_fdatawrite_wbc+0x5b/0x80\n file_write_and_wait_range+0x6d/0xc0\n nfs_file_fsync+0x81/0x170 [nfs]\n ? nfs_file_mmap+0x60/0x60 [nfs]\n __x64_sys_fsync+0x53/0x90\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nInspecting the core with drgn I was able to pull this\n\n  >>> prog.crashed_thread().stack_trace()[0]\n  #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n  >>> prog.crashed_thread().stack_trace()[0]['idx']\n  (u32)1\n  >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds\n  (struct nfs4_ff_layout_ds *)0xffffffffffffffed\n\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror->mirror_ds).  This\nis inconsistent with the rest of the users of mirror_ds, which have\n\n  if (IS_ERR_OR_NULL(mirror_ds))\n\nto keep from tripping over this exact scenario.  Fix this up in\nff_layout_cancel_io() to make sure we don't panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t  - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n   due to lock failure or dirty|writeback\n   status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t  - load old data from meta_inode page\n\t\t\t\t\t  - f2fs_submit_page_write\n\t\t\t\t\t  : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix NULL pointer dereference in f2fs_submit_page_write()\n\nBUG: kernel NULL pointer dereference, address: 0000000000000014\nRIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]\nCall Trace:\n<TASK>\n? show_regs+0x6e/0x80\n? __die+0x29/0x70\n? page_fault_oops+0x154/0x4a0\n? prb_read_valid+0x20/0x30\n? __irq_work_queue_local+0x39/0xd0\n? irq_work_queue+0x36/0x70\n? do_user_addr_fault+0x314/0x6c0\n? exc_page_fault+0x7d/0x190\n? asm_exc_page_fault+0x2b/0x30\n? f2fs_submit_page_write+0x6cf/0x780 [f2fs]\n? f2fs_submit_page_write+0x736/0x780 [f2fs]\ndo_write_page+0x50/0x170 [f2fs]\nf2fs_outplace_write_data+0x61/0xb0 [f2fs]\nf2fs_do_write_data_page+0x3f8/0x660 [f2fs]\nf2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]\nf2fs_write_cache_pages+0x3da/0xbe0 [f2fs]\n...\nIt is possible that other threads have added this fio to io->bio\nand submitted the io->bio before entering f2fs_submit_page_write().\nAt this point io->bio = NULL.\nIf is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,\nthen an NULL pointer dereference error occurs at bio_get(io->bio).\nThe original code for determining zone end was after \"out:\",\nwhich would have missed some fio who is zone end. I've moved\n this code before \"skip:\" to make sure it's done for each fio.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Do not register event handler until srpt device is fully setup\n\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\n\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\n\nInstead, only register the event handler after srpt device initialization\nis complete.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Fix a deadlock issue related to automatic dump\n\nIf we issue a disabling PHY command, the device attached with it will go\noffline, if a 2 bit ECC error occurs at the same time, a hung task may be\nfound:\n\n[ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds.\n[ 4613.666297] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.674809] task:kworker/u256:0  state:D stack:    0 pid:165233 ppid:     2 flags:0x00000208\n[ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas]\n[ 4613.691518] Call trace:\n[ 4613.694678]  __switch_to+0xf8/0x17c\n[ 4613.698872]  __schedule+0x660/0xee0\n[ 4613.703063]  schedule+0xac/0x240\n[ 4613.706994]  schedule_timeout+0x500/0x610\n[ 4613.711705]  __down+0x128/0x36c\n[ 4613.715548]  down+0x240/0x2d0\n[ 4613.719221]  hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main]\n[ 4613.726618]  sas_execute_internal_abort+0x144/0x310 [libsas]\n[ 4613.732976]  sas_execute_internal_abort_dev+0x44/0x60 [libsas]\n[ 4613.739504]  hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main]\n[ 4613.747499]  hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main]\n[ 4613.753682]  sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas]\n[ 4613.759781]  sas_unregister_common_dev+0x4c/0x7a0 [libsas]\n[ 4613.765962]  sas_destruct_devices+0xb8/0x120 [libsas]\n[ 4613.771709]  sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas]\n[ 4613.778930]  sas_revalidate_domain+0x60/0xa4 [libsas]\n[ 4613.784716]  process_one_work+0x248/0x950\n[ 4613.789424]  worker_thread+0x318/0x934\n[ 4613.793878]  kthread+0x190/0x200\n[ 4613.797810]  ret_from_fork+0x10/0x18\n[ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds.\n[ 4613.816026] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.824538] task:kworker/u256:4  state:D stack:    0 pid:316722 ppid:     2 flags:0x00000208\n[ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main]\n[ 4613.841491] Call trace:\n[ 4613.844647]  __switch_to+0xf8/0x17c\n[ 4613.848852]  __schedule+0x660/0xee0\n[ 4613.853052]  schedule+0xac/0x240\n[ 4613.856984]  schedule_timeout+0x500/0x610\n[ 4613.861695]  __down+0x128/0x36c\n[ 4613.865542]  down+0x240/0x2d0\n[ 4613.869216]  hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main]\n[ 4613.876324]  hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main]\n[ 4613.883019]  process_one_work+0x248/0x950\n[ 4613.887732]  worker_thread+0x318/0x934\n[ 4613.892204]  kthread+0x190/0x200\n[ 4613.896118]  ret_from_fork+0x10/0x18\n[ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds.\n[ 4613.914341] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 4613.922852] task:kworker/u256:1  state:D stack:    0 pid:348985 ppid:     2 flags:0x00000208\n[ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas]\n[ 4613.939549] Call trace:\n[ 4613.942702]  __switch_to+0xf8/0x17c\n[ 4613.946892]  __schedule+0x660/0xee0\n[ 4613.951083]  schedule+0xac/0x240\n[ 4613.955015]  schedule_timeout+0x500/0x610\n[ 4613.959725]  wait_for_common+0x200/0x610\n[ 4613.964349]  wait_for_completion+0x3c/0x5c\n[ 4613.969146]  flush_workqueue+0x198/0x790\n[ 4613.973776]  sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas]\n[ 4613.979960]  sas_port_event_worker+0x54/0xa0 [libsas]\n[ 4613.985708]  process_one_work+0x248/0x950\n[ 4613.990420]  worker_thread+0x318/0x934\n[ 4613.994868]  kthread+0x190/0x200\n[ 4613.998800]  ret_from_fork+0x10/0x18\n\nThis is because when the device goes offline, we obtain the hisi_hba\nsemaphore and send the ABORT_DEV command to the device. However, the\ninternal abort timed out due to the 2 bit ECC error and triggers automatic\ndump. In addition, since the hisi_hba semaphore has been obtained, the dump\ncannot be executed and the controller cannot be reset.\n\nTherefore, the deadlocks occur on the following circular dependencies\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip\n\nIt's possible that mtk_crtc->event is NULL in\nmtk_drm_crtc_finish_page_flip().\n\npending_needs_vblank value is set by mtk_crtc->event, but in\nmtk_drm_crtc_atomic_flush(), it's is not guarded by the same\nlock in mtk_drm_finish_page_flip(), thus a race condition happens.\n\nConsider the following case:\n\nCPU1                              CPU2\nstep 1:\nmtk_drm_crtc_atomic_begin()\nmtk_crtc->event is not null,\n                                  step 1:\n                                  mtk_drm_crtc_atomic_flush:\n                                  mtk_drm_crtc_update_config(\n                                      !!mtk_crtc->event)\nstep 2:\nmtk_crtc_ddp_irq ->\nmtk_drm_finish_page_flip:\nlock\nmtk_crtc->event set to null,\npending_needs_vblank set to false\nunlock\n                                  pending_needs_vblank set to true,\n\n                                  step 2:\n                                  mtk_crtc_ddp_irq ->\n                                  mtk_drm_finish_page_flip called again,\n                                  pending_needs_vblank is still true\n                                  //null pointer\n\nInstead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more\nefficient to just check if mtk_crtc->event is null before use.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\n\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\n\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\n\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\n\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\n\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n    Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n    Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n    Call trace:\n     cec_received_msg_ts+0x48/0x990 [cec]\n     adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n     adv7511_irq_process+0xd8/0x120 [adv7511]\n     adv7511_irq_handler+0x1c/0x30 [adv7511]\n     irq_thread_fn+0x30/0xa0\n     irq_thread+0x14c/0x238\n     kthread+0x190/0x1a8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xilinx - call finalize with bh disabled\n\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\n\n    ------------[ cut here ]------------\n    WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n    Modules linked in: cryptodev(O)\n    CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G           O       6.8.0-rc1-yocto-standard #323\n    Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n    pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : crypto_finalize_request+0xa0/0x118\n    lr : crypto_finalize_request+0x104/0x118\n    sp : ffffffc085353ce0\n    x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n    x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n    x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n    x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n    x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n    x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n    x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n    x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n    x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n    Call trace:\n     crypto_finalize_request+0xa0/0x118\n     crypto_finalize_aead_request+0x18/0x30\n     zynqmp_handle_aes_req+0xcc/0x388\n     crypto_pump_work+0x168/0x2d8\n     kthread_worker_fn+0xfc/0x3a0\n     kthread+0x118/0x138\n     ret_from_fork+0x10/0x20\n    irq event stamp: 40\n    hardirqs last  enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0\n    hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90\n    softirqs last  enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0\n    softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0\n    ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix potential NULL pointer dereference\n\nBelow race may cause NULL pointer dereference\n\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\n\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\n\nSo let's fix it by using a temporary pointer to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: meson: Add missing clocks to axg_clk_regmaps\n\nSome clocks were missing from axg_clk_regmaps, which caused kernel panic\nduring cat /sys/kernel/debug/clk/clk_summary\n\n[   57.349402] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001fc\n...\n[   57.430002] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   57.436900] pc : regmap_read+0x1c/0x88\n[   57.440608] lr : clk_regmap_gate_is_enabled+0x3c/0xb0\n[   57.445611] sp : ffff800082f1b690\n[   57.448888] x29: ffff800082f1b690 x28: 0000000000000000 x27: ffff800080eb9a70\n[   57.455961] x26: 0000000000000007 x25: 0000000000000016 x24: 0000000000000000\n[   57.463033] x23: ffff800080e8b488 x22: 0000000000000015 x21: ffff00000e7e7000\n[   57.470106] x20: ffff00000400ec00 x19: 0000000000000000 x18: ffffffffffffffff\n[   57.477178] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000042a3000\n[   57.484251] x14: 0000000000000000 x13: ffff0000042a2fec x12: 0000000005f5e100\n[   57.491323] x11: abcc77118461cefd x10: 0000000000000020 x9 : ffff8000805e4b24\n[   57.498396] x8 : ffff0000028063c0 x7 : ffff800082f1b710 x6 : ffff800082f1b710\n[   57.505468] x5 : 00000000ffffffd0 x4 : ffff800082f1b6e0 x3 : 0000000000001000\n[   57.512541] x2 : ffff800082f1b6e4 x1 : 000000000000012c x0 : 0000000000000000\n[   57.519615] Call trace:\n[   57.522030]  regmap_read+0x1c/0x88\n[   57.525393]  clk_regmap_gate_is_enabled+0x3c/0xb0\n[   57.530050]  clk_core_is_enabled+0x44/0x120\n[   57.534190]  clk_summary_show_subtree+0x154/0x2f0\n[   57.538847]  clk_summary_show_subtree+0x220/0x2f0\n[   57.543505]  clk_summary_show_subtree+0x220/0x2f0\n[   57.548162]  clk_summary_show_subtree+0x220/0x2f0\n[   57.552820]  clk_summary_show_subtree+0x220/0x2f0\n[   57.557477]  clk_summary_show_subtree+0x220/0x2f0\n[   57.562135]  clk_summary_show_subtree+0x220/0x2f0\n[   57.566792]  clk_summary_show_subtree+0x220/0x2f0\n[   57.571450]  clk_summary_show+0x84/0xb8\n[   57.575245]  seq_read_iter+0x1bc/0x4b8\n[   57.578954]  seq_read+0x8c/0xd0\n[   57.582059]  full_proxy_read+0x68/0xc8\n[   57.585767]  vfs_read+0xb0/0x268\n[   57.588959]  ksys_read+0x70/0x108\n[   57.592236]  __arm64_sys_read+0x24/0x38\n[   57.596031]  invoke_syscall+0x50/0x128\n[   57.599740]  el0_svc_common.constprop.0+0x48/0xf8\n[   57.604397]  do_el0_svc+0x28/0x40\n[   57.607675]  el0_svc+0x34/0xb8\n[   57.610694]  el0t_64_sync_handler+0x13c/0x158\n[   57.615006]  el0t_64_sync+0x190/0x198\n[   57.618635] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (b941fc00)\n[   57.624668] ---[ end trace 0000000000000000 ]---\n\n[jbrunet: add missing Fixes tag]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: call the resume method on internal suspend\n\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\n\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\n\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\n\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n<snip>\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS:  00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n <TASK>\n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n<snip>\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\n\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\n\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n  __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n  ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n  gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n  gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  netif_receive_skb_internal net/core/dev.c:5734 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n  tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n  __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n  alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n  skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n  tun_build_skb drivers/net/tun.c:1686 [inline]\n  tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n  call_write_iter include/linux/fs.h:2087 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb6b/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check on 32-bit arches\n\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\n\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix hashtab overflow check on 32-bit arches\n\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\n\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\n\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttempting to do sock_lock on .recvmsg may cause a deadlock as shown\nbelow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n      Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n <TASK>\n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Fix memory leak\n\nThis checks if CONFIG_DEV_COREDUMP is enabled before attempting to clone\nthe skb and also make sure btmtk_process_coredump frees the skb passed\nfollowing the same logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: Fix memory leak\n\nFix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix possible buffer overflow\n\nstruct hci_dev_info has a fixed size name[8] field so in the event that\nhdev->name is bigger than that strcpy would attempt to write past its\nsize, so this fixes this problem by switching to use strscpy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btrtl: fix out of bounds memory access\n\nThe problem is detected by KASAN.\nbtrtl driver uses private hci data to store 'struct btrealtek_data'.\nIf btrtl driver is used with btusb, then memory for private hci data\nis allocated in btusb. But no private data is allocated after hci_dev,\nwhen btrtl is used with hci_h5.\n\nThis commit adds memory allocation for hci_h5 case.\n\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]\n Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76\n\n Hardware name: Pine64 PinePhone (1.2) (DT)\n Workqueue: hci0 hci_power_on [bluetooth]\n Call trace:\n  dump_backtrace+0x9c/0x128\n  show_stack+0x20/0x38\n  dump_stack_lvl+0x48/0x60\n  print_report+0xf8/0x5d8\n  kasan_report+0x90/0xd0\n  __asan_store8+0x9c/0xc0\n  \t [btrtl]\n  h5_btrtl_setup+0xd0/0x2f8 [hci_uart]\n  h5_setup+0x50/0x80 [hci_uart]\n  hci_uart_setup+0xd4/0x260 [hci_uart]\n  hci_dev_open_sync+0x1cc/0xf68 [bluetooth]\n  hci_dev_do_open+0x34/0x90 [bluetooth]\n  hci_power_on+0xc4/0x3c8 [bluetooth]\n  process_one_work+0x328/0x6f0\n  worker_thread+0x410/0x778\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Allocated by task 53:\n  kasan_save_stack+0x3c/0x68\n  kasan_save_track+0x20/0x40\n  kasan_save_alloc_info+0x68/0x78\n  __kasan_kmalloc+0xd4/0xd8\n  __kmalloc+0x1b4/0x3b0\n  hci_alloc_dev_priv+0x28/0xa58 [bluetooth]\n  hci_uart_register_device+0x118/0x4f8 [hci_uart]\n  h5_serdev_probe+0xf4/0x178 [hci_uart]\n  serdev_drv_probe+0x54/0xa0\n  really_probe+0x254/0x588\n  __driver_probe_device+0xc4/0x210\n  driver_probe_device+0x64/0x160\n  __driver_attach_async_helper+0x88/0x158\n  async_run_entry_fn+0xd0/0x388\n  process_one_work+0x328/0x6f0\n  worker_thread+0x410/0x778\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Last potentially related work creation:\n  kasan_save_stack+0x3c/0x68\n  __kasan_record_aux_stack+0xb0/0x150\n  kasan_record_aux_stack_noalloc+0x14/0x20\n  __queue_work+0x33c/0x960\n  queue_work_on+0x98/0xc0\n  hci_recv_frame+0xc8/0x1e8 [bluetooth]\n  h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]\n  h5_rx_payload+0x98/0xb8 [hci_uart]\n  h5_recv+0x158/0x3d8 [hci_uart]\n  hci_uart_receive_buf+0xa0/0xe8 [hci_uart]\n  ttyport_receive_buf+0xac/0x178\n  flush_to_ldisc+0x130/0x2c8\n  process_one_work+0x328/0x6f0\n  worker_thread+0x410/0x778\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Second to last potentially related work creation:\n  kasan_save_stack+0x3c/0x68\n  __kasan_record_aux_stack+0xb0/0x150\n  kasan_record_aux_stack_noalloc+0x14/0x20\n  __queue_work+0x788/0x960\n  queue_work_on+0x98/0xc0\n  __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]\n  __hci_cmd_sync+0x24/0x38 [bluetooth]\n  btrtl_initialize+0x760/0x958 [btrtl]\n  h5_btrtl_setup+0xd0/0x2f8 [hci_uart]\n  h5_setup+0x50/0x80 [hci_uart]\n  hci_uart_setup+0xd4/0x260 [hci_uart]\n  hci_dev_open_sync+0x1cc/0xf68 [bluetooth]\n  hci_dev_do_open+0x34/0x90 [bluetooth]\n  hci_power_on+0xc4/0x3c8 [bluetooth]\n  process_one_work+0x328/0x6f0\n  worker_thread+0x410/0x778\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Don't issue ATS Invalidation request when device is disconnected\n\nFor those endpoint devices connect to system via hotplug capable ports,\nusers could request a hot reset to the device by flapping device's link\nthrough setting the slot's link control register, as pciehp_ist() DLLSC\ninterrupt sequence response, pciehp will unload the device driver and\nthen power it off. thus cause an IOMMU device-TLB invalidation (Intel\nVT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence\ntarget device to be sent and deadly loop to retry that request after ITE\nfault triggered in interrupt context.\n\nThat would cause following continuous hard lockup warning and system hang\n\n[ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down\n[ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present\n[ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144\n[ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n         OE    kernel version xxxx\n[ 4223.822623] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490\n[ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b\n 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1\n0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39\n[ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093\n[ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005\n[ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340\n[ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000\n[ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200\n[ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004\n[ 4223.822626] FS:  0000000000000000(0000) GS:ffffa237ae400000(0000)\nknlGS:0000000000000000\n[ 4223.822627] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0\n[ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 4223.822628] PKRU: 55555554\n[ 4223.822628] Call Trace:\n[ 4223.822628]  qi_flush_dev_iotlb+0xb1/0xd0\n[ 4223.822628]  __dmar_remove_one_dev_info+0x224/0x250\n[ 4223.822629]  dmar_remove_one_dev_info+0x3e/0x50\n[ 4223.822629]  intel_iommu_release_device+0x1f/0x30\n[ 4223.822629]  iommu_release_device+0x33/0x60\n[ 4223.822629]  iommu_bus_notifier+0x7f/0x90\n[ 4223.822630]  blocking_notifier_call_chain+0x60/0x90\n[ 4223.822630]  device_del+0x2e5/0x420\n[ 4223.822630]  pci_remove_bus_device+0x70/0x110\n[ 4223.822630]  pciehp_unconfigure_device+0x7c/0x130\n[ 4223.822631]  pciehp_disable_slot+0x6b/0x100\n[ 4223.822631]  pciehp_handle_presence_or_link_change+0xd8/0x320\n[ 4223.822631]  pciehp_ist+0x176/0x180\n[ 4223.822631]  ? irq_finalize_oneshot.part.50+0x110/0x110\n[ 4223.822632]  irq_thread_fn+0x19/0x50\n[ 4223.822632]  irq_thread+0x104/0x190\n[ 4223.822632]  ? irq_forced_thread_fn+0x90/0x90\n[ 4223.822632]  ? irq_thread_check_affinity+0xe0/0xe0\n[ 4223.822633]  kthread+0x114/0x130\n[ 4223.822633]  ? __kthread_cancel_work+0x40/0x40\n[ 4223.822633]  ret_from_fork+0x1f/0x30\n[ 4223.822633] Kernel panic - not syncing: Hard LOCKUP\n[ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n         OE     kernel version xxxx\n[ 4223.822634] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822634] Call Trace:\n[ 4223.822634]  <NMI>\n[ 4223.822635]  dump_stack+0x6d/0x88\n[ 4223.822635]  panic+0x101/0x2d0\n[ 4223.822635]  ? ret_from_fork+0x11/0x30\n[ 4223.822635]  nmi_panic.cold.14+0xc/0xc\n[ 4223.822636]  watchdog_overflow_callback.cold.8+0x6d/0x81\n[ 4223.822636]  __perf_event_overflow+0x4f/0xf0\n[ 4223.822636]  handle_pmi_common\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix use-after-free in free_irq()\n\nFrom commit a304e1b82808 (\"[PATCH] Debug shared irqs\"), there is a test\nto make sure the shared irq handler should be able to handle the unexpected\nevent after deregistration. For this case, let's apply MT76_REMOVED flag to\nindicate the device was removed and do not run into the resource access\nanymore.\n\nBUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e]\nRead of size 8 at addr ffff88824a7d3b78 by task rmmod/11115\nCPU: 28 PID: 11115 Comm: rmmod Tainted: G        W    L    5.17.0 #10\nHardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I\nEDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x1f/0x190\n ? mt7921_irq_handler+0xd8/0x100 [mt7921e]\n ? mt7921_irq_handler+0xd8/0x100 [mt7921e]\n kasan_report.cold+0x7f/0x11b\n ? mt7921_irq_handler+0xd8/0x100 [mt7921e]\n mt7921_irq_handler+0xd8/0x100 [mt7921e]\n free_irq+0x627/0xaa0\n devm_free_irq+0x94/0xd0\n ? devm_request_any_context_irq+0x160/0x160\n ? kobject_put+0x18d/0x4a0\n mt7921_pci_remove+0x153/0x190 [mt7921e]\n pci_device_remove+0xa2/0x1d0\n __device_release_driver+0x346/0x6e0\n driver_detach+0x1ef/0x2c0\n bus_remove_driver+0xe7/0x2d0\n ? __check_object_size+0x57/0x310\n pci_unregister_driver+0x26/0x250\n __do_sys_delete_module+0x307/0x510\n ? free_module+0x6a0/0x6a0\n ? fpregs_assert_state_consistent+0x4b/0xb0\n ? rcu_read_lock_sched_held+0x10/0x70\n ? syscall_enter_from_user_mode+0x20/0x70\n ? trace_hardirqs_on+0x1c/0x130\n do_syscall_64+0x5c/0x80\n ? trace_hardirqs_on_prepare+0x72/0x160\n ? do_syscall_64+0x68/0x80\n ? trace_hardirqs_on_prepare+0x72/0x160\n entry_SYSCALL_64_after_hwframe+0x44/0xae",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()\n\nAfter unregistering the CPU idle device, the memory associated with\nit is not freed, leading to a memory leak:\n\nunreferenced object 0xffff896282f6c000 (size 1024):\n  comm \"swapper/0\", pid 1, jiffies 4294893170\n  hex dump (first 32 bytes):\n    00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 8836a742):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffff9972f3b3>] acpi_processor_power_init+0xf3/0x1c0\n    [<ffffffff9972d263>] __acpi_processor_start+0xd3/0xf0\n    [<ffffffff9972d2bc>] acpi_processor_start+0x2c/0x50\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff9aee4acb>] acpi_processor_driver_init+0x3b/0xc0\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\n    [<ffffffff9ae7c4b0>] kernel_init_freeable+0x320/0x470\n    [<ffffffff99b231f6>] kernel_init+0x16/0x1b0\n    [<ffffffff99042e6d>] ret_from_fork+0x2d/0x50\n\nFix this by freeing the CPU idle device after unregistering it.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 
86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n  safely modify the list as we go through each element. For each element,\n  remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n  sure it is safe to free the corresponding vif too (through\n  unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n    unreferenced object 0xd73d1180 (size 184):\n      comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n        00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00  ................\n      backtrace:\n        [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n        [<127bdd74>] __alloc_skb+0x144/0x170\n        [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180\n        [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n        [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n        [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n        [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n        [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n        [<47bd8b68>] genl_rcv_msg+0x198/0x378\n        [<453ef796>] netlink_rcv_skb+0xd0/0x130\n        [<6b7c977a>] genl_rcv+0x34/0x44\n        [<66b2d04d>] netlink_unicast+0x1b4/0x258\n        [<f965b9b6>] netlink_sendmsg+0x1e8/0x428\n        [<aadb8231>] ____sys_sendmsg+0x1e0/0x274\n        [<d2b5212d>] ___sys_sendmsg+0x80/0xb4\n        [<69954f45>] __sys_sendmsg+0x64/0xa8\n    unreferenced object 0xce087000 (size 1024):\n      comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n        10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............\n      backtrace:\n        [<9a993714>] __kmalloc_track_caller+0x230/0x600\n        [<f83ea192>] kmalloc_reserve.constprop.0+0x30/0x74\n        [<a2c61343>] __alloc_skb+0xa0/0x170\n        [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180\n        [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n        [<7accd02d>] 
ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n        [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n        [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n        [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n        [<47bd8b68>] genl_rcv_msg+0x198/0x378\n        [<453ef796>] netlink_rcv_skb+0xd0/0x130\n        [<6b7c977a>] genl_rcv+0x34/0x44\n        [<66b2d04d>] netlink_unicast+0x1b4/0x258\n        [<f965b9b6>] netlink_sendmsg+0x1e8/0x428\n        [<aadb8231>] ____sys_sendmsg+0x1e0/0x274\n        [<d2b5212d>] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\n\nThis patch is against CVE-2023-6270. The description of cve is:\n\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\n\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\n\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between bd_link_disk_holder and partition scan\n\n'open_mutex' of gendisk is used to protect open/close block devices. But\nin bd_link_disk_holder(), it is used to protect the creation of symlink\nbetween holding disk and slave bdev, which introduces some issues.\n\nWhen bd_link_disk_holder() is called, the driver is usually in the process\nof initialization/modification and may suspend submitting io. At this\ntime, any io hold 'open_mutex', such as scanning partitions, can cause\ndeadlocks. For example, in raid:\n\nT1                              T2\nbdev_open_by_dev\n lock open_mutex [1]\n ...\n  efi_partition\n  ...\n   md_submit_bio\n\t\t\t\tmd_ioctl mddev_syspend\n\t\t\t\t  -> suspend all io\n\t\t\t\t md_add_new_disk\n\t\t\t\t  bind_rdev_to_array\n\t\t\t\t   bd_link_disk_holder\n\t\t\t\t    try lock open_mutex [2]\n    md_handle_request\n     -> wait mddev_resume\n\nT1 scan partition, T2 add a new device to raid. T1 waits for T2 to resume\nmddev, but T2 waits for open_mutex held by T1. Deadlock occurs.\n\nFix it by introducing a local mutex 'blk_holder_mutex' to replace\n'open_mutex'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n  comm \"mdadm\", pid 789, jiffies 4294716910\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc f773277a):\n    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n    [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n    [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n    [<0000000085086a11>] vfs_ioctl+0x22/0x60\n    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n    [<00000000e54e675e>] do_syscall_64+0x71/0x150\n    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\n\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\n\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\n\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISCV: Fix panic on pmu overflow handler\n\n(1 << idx) of int is not desired when setting bits in unsigned long\noverflowed_ctrs, use BIT() instead. This panic happens when running\n'perf record -e branches' on sophgo sg2042.\n\n[  273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n[  273.320851] Oops [#1]\n[  273.323179] Modules linked in:\n[  273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9\n[  273.332521] Hardware name: Sophgo Mango (DT)\n[  273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62\n[  273.342291]  ra : pmu_sbi_ovf_handler+0x2e0/0x34e\n[  273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0\n[  273.354454]  gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978\n[  273.361815]  t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70\n[  273.369180]  s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000\n[  273.376540]  a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015\n[  273.383901]  a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a\n[  273.391327]  s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0\n[  273.398773]  s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210\n[  273.406139]  s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098\n[  273.413660]  s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca\n[  273.421022]  t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8\n[  273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d\n[  273.434512] [<ffffffff80aecd98>] riscv_pmu_ctr_get_width_mask+0x8/0x62\n[  273.441169] [<ffffffff80076bd8>] handle_percpu_devid_irq+0x98/0x1ee\n[  273.447562] [<ffffffff80071158>] generic_handle_domain_irq+0x28/0x36\n[  273.454151] [<ffffffff8047a99a>] riscv_intc_irq+0x36/0x4e\n[  
273.459659] [<ffffffff80c944de>] handle_riscv_irq+0x4a/0x74\n[  273.465442] [<ffffffff80c94c48>] do_irq+0x62/0x92\n[  273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783\n[  273.477921] ---[ end trace 0000000000000000 ]---\n[  273.482630] Kernel panic - not syncing: Fatal exception in interrupt",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\n\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\n\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\n\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\n\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\n\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n  BUG: unable to handle page fault for address: ffffffffff600000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n  ......\n  Call Trace:\n   <TASK>\n   ? copy_from_kernel_nofault+0x6f/0x110\n   bpf_probe_read_kernel+0x1d/0x50\n   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n   trace_call_bpf+0xc5/0x1c0\n   perf_call_bpf_enter.isra.0+0x69/0xb0\n   perf_syscall_enter+0x13e/0x200\n   syscall_trace_enter+0x188/0x1c0\n   do_syscall_64+0xb5/0xe0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>\n  ......\n  ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\n\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n  [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 
0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? show_regs+0x72/0x90\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? __warn+0x8d/0x160\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? report_bug+0x1bb/0x1d0\n  ? handle_bug+0x46/0x90\n  ? exc_invalid_op+0x19/0x80\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n  ipoib_send+0x2ec/0x770 [ib_ipoib]\n  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n  dev_hard_start_xmit+0x8e/0x1e0\n  ? validate_xmit_skb_list+0x4d/0x80\n  sch_direct_xmit+0x116/0x3a0\n  __dev_xmit_skb+0x1fd/0x580\n  __dev_queue_xmit+0x284/0x6b0\n  ? _raw_spin_unlock_irq+0xe/0x50\n  ? __flush_work.isra.0+0x20d/0x370\n  ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n  neigh_connected_output+0xcd/0x110\n  ip_finish_output2+0x179/0x480\n  ? __smp_call_single_queue+0x61/0xa0\n  __ip_finish_output+0xc3/0x190\n  ip_finish_output+0x2e/0xf0\n  ip_output+0x78/0x110\n  ? 
__pfx_ip_finish_output+0x10/0x10\n  ip_local_out+0x64/0x70\n  __ip_queue_xmit+0x18a/0x460\n  ip_queue_xmit+0x15/0x30\n  __tcp_transmit_skb+0x914/0x9c0\n  tcp_write_xmit+0x334/0x8d0\n  tcp_push_one+0x3c/0x60\n  tcp_sendmsg_locked+0x2e1/0xac0\n  tcp_sendmsg+0x2d/0x50\n  inet_sendmsg+0x43/0x90\n  sock_sendmsg+0x68/0x80\n  sock_write_iter+0x93/0x100\n  vfs_write+0x326/0x3c0\n  ksys_write+0xbd/0xf0\n  ? do_syscall_64+0x69/0x90\n  __x64_sys_write+0x19/0x30\n  do_syscall_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink_altmode: fix drm bridge use-after-free\n\nA recent DRM series purporting to simplify support for \"transparent\nbridges\" and handling of probe deferrals ironically exposed a\nuse-after-free issue on pmic_glink_altmode probe deferral.\n\nThis has manifested itself as the display subsystem occasionally failing\nto initialise and NULL-pointer dereferences during boot of machines like\nthe Lenovo ThinkPad X13s.\n\nSpecifically, the dp-hpd bridge is currently registered before all\nresources have been acquired which means that it can also be\nderegistered on probe deferrals.\n\nIn the meantime there is a race window where the new aux bridge driver\n(or PHY driver previously) may have looked up the dp-hpd bridge and\nstored a (non-reference-counted) pointer to the bridge which is about to\nbe deallocated.\n\nWhen the display controller is later initialised, this triggers a\nuse-after-free when attaching the bridges:\n\n\tdp -> aux -> dp-hpd (freed)\n\nwhich may, for example, result in the freed bridge failing to attach:\n\n\t[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16\n\nor a NULL-pointer dereference:\n\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n\t...\n\tCall trace:\n\t  drm_bridge_attach+0x70/0x1a8 [drm]\n\t  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]\n\t  drm_bridge_attach+0x80/0x1a8 [drm]\n\t  dp_bridge_init+0xa8/0x15c [msm]\n\t  msm_dp_modeset_init+0x28/0xc4 [msm]\n\nThe DRM bridge implementation is clearly fragile and implicitly built on\nthe assumption that bridges may never go away. 
In this case, the fix is\nto move the bridge registration in the pmic_glink_altmode driver to\nafter all resources have been looked up.\n\nIncidentally, with the new dp-hpd bridge implementation, which registers\nchild devices, this is also a requirement due to a long-standing issue\nin driver core that can otherwise lead to a probe deferral loop (see\ncommit fbc35b45f9f6 (\"Add documentation on meaning of -EPROBE_DEFER\")).\n\n[DB: slightly fixed commit message by adding the word 'commit']",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix performance regression in swap operation\n\nThe patch \"netfilter: ipset: fix race condition between swap/destroy\nand kernel side add/del/test\", commit 28628fa9 fixes a race condition.\nBut the synchronize_rcu() added to the swap function unnecessarily slows\nit down: it can safely be moved to destroy and use call_rcu() instead.\n\nEric Dumazet pointed out that simply calling the destroy functions as\nrcu callback does not work: sets with timeout use garbage collectors\nwhich need cancelling at destroy which can wait. Therefore the destroy\nfunctions are split into two: cancelling garbage collectors safely at\nexecuting the command received by netlink and moving the remaining\npart only into the rcu callback.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/buddy: Fix alloc_range() error handling code\n\nA few users have observed display corruption when they boot\nthe machine to KDE Plasma or play games. We have root\ncaused the problem that whenever alloc_range() couldn't\nfind the required memory blocks the function was returning\nSUCCESS in some of the corner cases.\n\nThe right approach would be if the total allocated size\nis less than the required size, the function should\nreturn -ENOSPC.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix several DMA buffer leaks\n\nNouveau manages GSP-RM DMA buffers with nvkm_gsp_mem objects.  Several of\nthese buffers are never dealloced.  Some of them can be deallocated\nright after GSP-RM is initialized, but the rest need to stay until the\ndriver unloads.\n\nAlso further bullet-proof these objects by poisoning the buffer and\nclearing the nvkm_gsp_mem object when it is deallocated.  Poisoning\nthe buffer should trigger an error (or crash) from GSP-RM if it tries\nto access the buffer after we've deallocated it, because we were wrong\nabout when it is safe to deallocate.\n\nFinally, change the mem->size field to a size_t because that's the same\ntype that dma_alloc_coherent expects.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue\n\n[why]\nodm calculation is missing for pipe split policy determination\nand causes an Underflow/Corruption issue.\n\n[how]\nAdd the odm calculation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix incorrect mpc_combine array size\n\n[why]\nMAX_SURFACES is per stream, while MAX_PLANES is per asic. The\nmpc_combine is an array that records all the planes per asic. Therefore\nMAX_PLANES should be used as the array size. Using MAX_SURFACES causes\narray overflow when there are more than 3 planes.\n\n[how]\nUse the MAX_PLANES for the mpc_combine array size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Reset IH OVERFLOW_CLEAR bit\n\nAllows us to detect subsequent IH ring buffer overflows as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: flush any delayed gfxoff on suspend entry\"\n\ncommit ab4750332dbe (\"drm/amdgpu/sdma5.2: add begin/end_use ring\ncallbacks\") caused GFXOFF control to be used more heavily and the\ncodepath that was removed from commit 0dee72639533 (\"drm/amd: flush any\ndelayed gfxoff on suspend entry\") now can be exercised at suspend again.\n\nUsers report that by using GNOME to suspend the lockscreen trigger will\ncause SDMA traffic and the system can deadlock.\n\nThis reverts commit 0dee726395333fea833eaaf838bc80962df886c8.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nspin locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix active state requirement in PME polling\n\nThe commit noted in fixes added a bogus requirement that runtime PM managed\ndevices need to be in the RPM_ACTIVE state for PME polling.  In fact, only\ndevices in low power states should be polled.\n\nHowever there's still a requirement that the device config space must be\naccessible, which has implications for both the current state of the polled\ndevice and the parent bridge, when present.  It's not sufficient to assume\nthe bridge remains in D0 and cases have been observed where the bridge\npasses the D0 test, but the PM state indicates RPM_SUSPENDING and config\nspace of the polled device becomes inaccessible during pci_pme_wakeup().\n\nTherefore, since the bridge is already effectively required to be in the\nRPM_ACTIVE state, formalize this in the code and elevate the PM usage count\nto maintain the state while polling the subordinate device.\n\nThis resolves a regression reported in the bugzilla below where a\nThunderbolt/USB4 hierarchy fails to scan for an attached NVMe endpoint\ndownstream of a bridge in a D3hot power state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: Fix debugfs directory leak\n\nThe ULPI per-device debugfs root is named after the ulpi device's\nparent, but ulpi_unregister_interface tries to remove a debugfs\ndirectory named after the ulpi device itself. This results in the\ndirectory sticking around and preventing subsequent (deferred) probes\nfrom succeeding. Change the directory name to match the ulpi device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/trigger: Fix to return error if failed to alloc snapshot\n\nFix register_snapshot_trigger() to return error code if it failed to\nallocate a snapshot instead of 0 (success). Otherwise, it will register\nthe snapshot trigger without an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-26921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\n\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n  [..]\n\n  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n  inet socket, not an arbitrary one.\n\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\n\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accounting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows delaying the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accounting when inet_frag inflates truesize.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: do not free live element\n\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern.  Quoting Pablo:\n\n  add_elem(\"00000000\") timeout 100 ms\n  ...\n  add_elem(\"0000000X\") timeout 100 ms\n  del_elem(\"0000000X\") <---------------- delete one that was just added\n  ...\n  add_elem(\"00005000\") timeout 100 ms\n\n  1) nft_pipapo_remove() removes element 0000000X\n  Then, KASAN shows a splat.\n\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\n\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\n\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\n\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\n\nIn such a case it's possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\n\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\n\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\n\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\n\nv2: avoid unneeded temporary variable (Stefano)",
          "scorev2": "0.0",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Add some bounds checking to firmware data\n\nSmatch complains about \"head->full_size - head->header_size\" can\nunderflow.  To some extent, we're always going to have to trust the\nfirmware a bit.  However, it's easy enough to add a check for negatives,\nand let's add an upper bounds check as well.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being torn down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of the ha->vp_map pointer\n\nCoverity scan reported potential risk of double free of the pointer\nha->vp_map.  ha->vp_map was freed in qla2x00_mem_alloc(), and again freed\nin function qla2x00_mem_free(ha).\n\nAssign NULL to vp_map and kfree takes care of NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  __wake_up_common_lock+0x7c/0xc0\n  qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n  ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n  ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n  ? worker_thread+0x1ce/0x390\n  ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n  ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n  ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n  ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where the driver was not able to allocate an\nSRB to carry out error recovery of cable pull.  The failure to flush causes\nupper layer to start modifying scsi_cmnd.  When the system frees up some\nmemory, the subsequent cable pull triggers another command flush. At this\npoint the driver accesses a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flushed back on session tear down to\nprevent the null pointer access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregistering pd capability in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capability will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[    4.001206]\n[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[    4.017569] Workqueue: events_unbound deferred_probe_work_func\n[    4.023456] Call trace:\n[    4.025920]  dump_backtrace+0x94/0xec\n[    4.029629]  show_stack+0x18/0x24\n[    4.032974]  dump_stack_lvl+0x78/0x90\n[    4.036675]  print_report+0xfc/0x5c0\n[    4.040289]  kasan_report_invalid_free+0xa0/0xc0\n[    4.044937]  __kasan_slab_free+0x124/0x154\n[    4.049072]  kfree+0xb4/0x1e8\n[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc\n[    4.056725]  tcpm_register_port+0x1dd0/0x2558\n[    4.061121]  tcpci_register_port+0x420/0x71c\n[    4.065430]  tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kfree() from tcpm_port_unregister_pd().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in port \"disable\" sysfs attribute\n\nThe show and store callback routines for the \"disable\" sysfs attribute\nfile in port.c acquire the device lock for the port's parent hub\ndevice.  This can cause problems if another process has locked the hub\nto remove it or change its configuration:\n\n\tRemoving the hub or changing its configuration requires the\n\thub interface to be removed, which requires the port device\n\tto be removed, and device_del() waits until all outstanding\n\tsysfs attribute callbacks for the ports have returned.  The\n\tlock can't be released until then.\n\n\tBut the disable_show() or disable_store() routine can't return\n\tuntil after it has acquired the lock.\n\nThe resulting deadlock can be avoided by calling\nsysfs_break_active_protection().  This will cause the sysfs core not\nto wait for the attribute's callback routine to return, allowing the\nremoval to proceed.  The disadvantage is that after making this call,\nthere is no guarantee that the hub structure won't be deallocated at\nany moment.  To prevent this, we have to acquire a reference to it\nfirst by calling hub_get().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected.  As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete.  But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun <samsun1006219@gmail.com>\nReported by: xingwei lee <xrivendell7@gmail.com>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[  166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  166.210781] Dumping ftrace buffer:\n<0>[  166.210795] ---------------------------------\n...\n<0>[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[  167.302992] drm_fdin-1097      2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[  167.303534]   <idle>-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[  167.303806] kworker/-89       11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  167.303811] ---------------------------------\n<4>[  167.304722] ------------[ cut here ]------------\n<2>[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[  16\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vma: Fix UAF on destroy against retire race\n\nObject debugging tools were sporadically reporting illegal attempts to\nfree a still active i915 VMA object when parking a GT believed to be idle.\n\n[161.359441] ODEBUG: free active (active state 0) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+0x0/0x50 [i915]\n[161.360082] WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+0x80/0xb0\n...\n[161.360304] CPU: 5 PID: 276 Comm: kworker/5:2 Not tainted 6.5.0-rc1-CI_DRM_13375-g003f860e5577+ #1\n[161.360314] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n[161.360322] Workqueue: i915-unordered __intel_wakeref_put_work [i915]\n[161.360592] RIP: 0010:debug_print_object+0x80/0xb0\n...\n[161.361347] debug_object_free+0xeb/0x110\n[161.361362] i915_active_fini+0x14/0x130 [i915]\n[161.361866] release_references+0xfe/0x1f0 [i915]\n[161.362543] i915_vma_parked+0x1db/0x380 [i915]\n[161.363129] __gt_park+0x121/0x230 [i915]\n[161.363515] ____intel_wakeref_put_last+0x1f/0x70 [i915]\n\nThat has been tracked down to be happening when another thread is\ndeactivating the VMA inside __active_retire() helper, after the VMA's\nactive counter has been already decremented to 0, but before deactivation\nof the VMA's object is reported to the object debugging tool.\n\nWe could prevent from that race by serializing i915_active_fini() with\n__active_retire() via ref->tree_lock, but that wouldn't stop the VMA from\nbeing used, e.g. from __i915_vma_retire() called at the end of\n__active_retire(), after that VMA has been already freed by a concurrent\ni915_vma_destroy() on return from the i915_active_fini().  Then, we should\nrather fix the issue at the VMA level, not in i915_active.\n\nSince __i915_vma_parked() is called from __gt_park() on last put of the\nGT's wakeref, the issue could be addressed by holding the GT wakeref long\nenough for __active_retire() to complete before that wakeref is released\nand the GT parked.\n\nI believe the issue was introduced by commit d93939730347 (\"drm/i915:\nRemove the vma refcount\") which moved a call to i915_active_fini() from\na dropped i915_vma_release(), called on last put of the removed VMA kref,\nto i915_vma_parked() processing path called on last put of a GT wakeref.\nHowever, its visibility to the object debugging tool was suppressed by a\nbug in i915_active that was fixed two weeks later with commit e92eb246feb9\n(\"drm/i915/active: Fix missing debug object activation\").\n\nA VMA associated with a request doesn't acquire a GT wakeref by itself.\nInstead, it depends on a wakeref held directly by the request's active\nintel_context for a GT associated with its VM, and indirectly on that\nintel_context's engine wakeref if the engine belongs to the same GT as the\nVMA's VM.  Those wakerefs are released asynchronously to VMA deactivation.\n\nFix the issue by getting a wakeref for the VMA's GT when activating it,\nand putting that wakeref only after the VMA is deactivated.  However,\nexclude global GTT from that processing path, otherwise the GPU never goes\nidle.  Since __i915_vma_retire() may be called from atomic contexts, use\nasync variant of wakeref put.  Also, to avoid circular locking dependency,\ntake care of acquiring the wakeref before VM mutex when both are needed.\n\nv7: Add inline comments with justifications for:\n    - using untracked variants of intel_gt_pm_get/put() (Nirmoy),\n    - using async variant of _put(),\n    - not getting the wakeref in case of a global GTT,\n    - always getting the first wakeref outside vm->mutex.\nv6: Since __i915_vma_active/retire() callbacks are not serialized, storing\n    a wakeref tracking handle inside struct i915_vma is not safe, and\n    there is no other good place for that.  Use untracked variants of\n    intel_gt_pm_get/put_async().\nv5: Replace \"tile\" with \"GT\" across commit description (Rodrigo),\n  - \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed\n\nThe driver creates /sys/kernel/debug/dri/0/mob_ttm even when the\ncorresponding ttm_resource_manager is not allocated.\nThis leads to a crash when trying to read from this file.\n\nAdd a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file\nonly when the corresponding ttm_resource_manager is allocated.\n\ncrash> bt\nPID: 3133409  TASK: ffff8fe4834a5000  CPU: 3    COMMAND: \"grep\"\n #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3\n #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a\n #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1\n #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1\n #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913\n #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c\n #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887\n #7 [ffffb954506b3d40] page_fault at ffffffffb360116e\n    [exception RIP: ttm_resource_manager_debug+0x11]\n    RIP: ffffffffc04afd11  RSP: ffffb954506b3df0  RFLAGS: 00010246\n    RAX: ffff8fe41a6d1200  RBX: 0000000000000000  RCX: 0000000000000940\n    RDX: 0000000000000000  RSI: ffffffffc04b4338  RDI: 0000000000000000\n    RBP: ffffb954506b3e08   R8: ffff8fee3ffad000   R9: 0000000000000000\n    R10: ffff8fe41a76a000  R11: 0000000000000001  R12: 00000000ffffffff\n    R13: 0000000000000001  R14: ffff8fe5bb6f3900  R15: ffff8fe41a6d1200\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]\n #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3\n    RIP: 00007f4c4eda8985  RSP: 00007ffdbba9e9f8  RFLAGS: 00000246\n    RAX: ffffffffffffffda  RBX: 000000000037e000  RCX: 00007f4c4eda8985\n    RDX: 000000000037e000  RSI: 00007f4c41573000  RDI: 0000000000000003\n    RBP: 000000000037e000   R8: 0000000000000000   R9: 000000000037fe30\n    R10: 0000000000000000  R11: 0000000000000246  R12: 00007f4c41573000\n    R13: 0000000000000003  R14: 00007f4c41572010  R15: 0000000000000003\n    ORIG_RAX: 0000000000000000  CS: 0033  SS: 002b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau\n\nFix a regression when using nouveau and unplugging a StarTech MSTDP122DP\nDisplayPort 1.2 MST hub (the same regression does not appear when using\na Cable Matters DisplayPort 1.4 MST hub). Trace:\n\n divide error: 0000 [#1] PREEMPT SMP PTI\n CPU: 7 PID: 2962 Comm: Xorg Not tainted 6.8.0-rc3+ #744\n Hardware name: Razer Blade/DANA_MB, BIOS 01.01 08/31/2018\n RIP: 0010:drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper]\n Code: c6 b8 01 00 00 00 75 61 01 c6 41 0f af f3 41 0f af f1 c1 e1 04 48 63 c7 31 d2 89 ff 48 8b 5d f8 c9 48 0f af f1 48 8d 44 06 ff <48> f7 f7 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 45 31\n RSP: 0018:ffffb2c5c211fa30 EFLAGS: 00010206\n RAX: ffffffffffffffff RBX: 0000000000000000 RCX: 0000000000f59b00\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb2c5c211fa48 R08: 0000000000000001 R09: 0000000000000020\n R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000023b4a\n R13: ffff91d37d165800 R14: ffff91d36fac6d80 R15: ffff91d34a764010\n FS:  00007f4a1ca3fa80(0000) GS:ffff91d6edbc0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000559491d49000 CR3: 000000011d180002 CR4: 00000000003706f0\n Call Trace:\n  <TASK>\n  ? show_regs+0x6d/0x80\n  ? die+0x37/0xa0\n  ? do_trap+0xd4/0xf0\n  ? do_error_trap+0x71/0xb0\n  ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper]\n  ? exc_divide_error+0x3a/0x70\n  ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper]\n  ? asm_exc_divide_error+0x1b/0x20\n  ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper]\n  ? drm_dp_calc_pbn_mode+0x2e/0x70 [drm_display_helper]\n  nv50_msto_atomic_check+0xda/0x120 [nouveau]\n  drm_atomic_helper_check_modeset+0xa87/0xdf0 [drm_kms_helper]\n  drm_atomic_helper_check+0x19/0xa0 [drm_kms_helper]\n  nv50_disp_atomic_check+0x13f/0x2f0 [nouveau]\n  drm_atomic_check_only+0x668/0xb20 [drm]\n  ? drm_connector_list_iter_next+0x86/0xc0 [drm]\n  drm_atomic_commit+0x58/0xd0 [drm]\n  ? __pfx___drm_printfn_info+0x10/0x10 [drm]\n  drm_atomic_connector_commit_dpms+0xd7/0x100 [drm]\n  drm_mode_obj_set_property_ioctl+0x1c5/0x450 [drm]\n  ? __pfx_drm_connector_property_set_ioctl+0x10/0x10 [drm]\n  drm_connector_property_set_ioctl+0x3b/0x60 [drm]\n  drm_ioctl_kernel+0xb9/0x120 [drm]\n  drm_ioctl+0x2d0/0x550 [drm]\n  ? __pfx_drm_connector_property_set_ioctl+0x10/0x10 [drm]\n  nouveau_drm_ioctl+0x61/0xc0 [nouveau]\n  __x64_sys_ioctl+0xa0/0xf0\n  do_syscall_64+0x76/0x140\n  ? do_syscall_64+0x85/0x140\n  ? do_syscall_64+0x85/0x140\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7f4a1cd1a94f\n Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00\n RSP: 002b:00007ffd2f1df520 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffd2f1df5b0 RCX: 00007f4a1cd1a94f\n RDX: 00007ffd2f1df5b0 RSI: 00000000c01064ab RDI: 000000000000000f\n RBP: 00000000c01064ab R08: 000056347932deb8 R09: 000056347a7d99c0\n R10: 0000000000000000 R11: 0000000000000246 R12: 000056347938a220\n R13: 000000000000000f R14: 0000563479d9f3f0 R15: 0000000000000000\n  </TASK>\n Modules linked in: rfcomm xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc ccm cmac algif_hash overlay algif_skcipher af_alg bnep binfmt_misc snd_sof_pci_intel_cnl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda snd_sof snd_sof_utils snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress snd_sof_intel_hda_mlink snd_hda_ext_core iwlmvm intel_rapl_msr intel_rapl_common intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp mac80211 coretemp kvm_intel snd_hda_codec_hdmi kvm snd_hda_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: qcom: at803x: fix kernel panic with at8031_probe\n\nOn reworking and splitting the at803x driver, in splitting function of\nat803x PHYs it was added a NULL dereference bug where priv is referenced\nbefore it's actually allocated and then is tried to write to for the\nis_1000basex and is_fiber variables in the case of at8031, writing on\nthe wrong address.\n\nFix this by correctly setting priv local variable only after\nat803x_probe is called and actually allocates priv in the phydev struct.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dmem: handle kcalloc() allocation failure\n\nThe kcalloc() in nouveau_dmem_evict_chunk() will return null if\nthe physical memory has run out. As a result, if we dereference\nsrc_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs\nwill happen.\n\nMoreover, the GPU is going away. If the kcalloc() fails, we could not\nevict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL\nflag in kcalloc().\n\nFinally, as there is no need to have physically contiguous memory,\nthis patch switches kcalloc() to kvcalloc() in order to avoid\nfailing allocations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G        W          6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x5b/0x90\n  print_report+0xcf/0x670\n  ? __virt_addr_valid+0x200/0x3e0\n  kasan_report+0xd8/0x110\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  do_zone_finish+0x91a/0xb90 [btrfs]\n  btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n  ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n  ? btrfs_put_root+0x2d/0x220 [btrfs]\n  ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n  cleaner_kthread+0x21e/0x380 [btrfs]\n  ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n  kthread+0x2e3/0x3c0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x31/0x70\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>\n\n Allocated by task 3493983:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  __kasan_kmalloc+0xaa/0xb0\n  btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n  device_list_add.constprop.0+0x993/0x1630 [btrfs]\n  btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n  btrfs_control_ioctl+0x26e/0x310 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3f/0x60\n  poison_slab_object+0x102/0x170\n  __kasan_slab_free+0x32/0x70\n  kfree+0x11b/0x320\n  btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n  btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n  btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n  btrfs_ioctl+0xb27/0x57d0 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n  which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n  freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                        ^\n  ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n  btrfs_scrub_dev\n   btrfs_dev_replace_finishing\n    btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n    btrfs_rm_dev_replace_free_srcdev\n     btrfs_free_device                              <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n  btrfs_zone_finish\n   do_zone_finish              <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address\n\nRead from an unsafe address with copy_from_kernel_nofault() in\narch_adjust_kprobe_addr() because this function is used before checking\nthe address is in text or not. Syzcaller bot found a bug and reported\nthe case if user specifies inaccessible data area,\narch_adjust_kprobe_addr() will cause a kernel panic.\n\n[ mingo: Clarified the comment. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node   0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is\uff1a0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n  Unable to handle kernel paging request at virtual address bff00000\n  [...]\n  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1\n  Hardware name: Generic DT based system\n  PC is at b15_flush_kern_dcache_area+0x24/0x3c\n  LR is at __sync_icache_dcache+0x6c/0x98\n  [...]\n   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n   (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n   (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n   (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n   (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n   (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n   (__do_mmap_mm) from (do_mmap+0x50/0x58)\n   (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n   (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n   (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n  ---[ end trace 09cf0734c3805d52 ]---\n  Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck whether state is NULL before releasing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix NULL pointer dereference when get power limit\n\nBecause powerplay_table initialization is skipped under\nsriov case, we check and set default lower and upper OD\nvalue if powerplay_table is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explicitly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n    echo \"Setting config...\"\n    ip link add dev wg0 type wireguard\n    wg setconf wg0 /big-config\n    (\n            while true; do\n                    echo \"Showing config...\"\n                    wg showconf wg0 > /dev/null\n            done\n    ) &\n    sleep 4\n    wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n    BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n    Read of size 8 at addr ffff88811956ec70 by task wg/59\n    CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x47/0x70\n     print_address_description.constprop.0+0x2c/0x380\n     print_report+0xab/0x250\n     kasan_report+0xba/0xf0\n     __lock_acquire+0x182a/0x1b20\n     lock_acquire+0x191/0x4b0\n     down_read+0x80/0x440\n     get_peer+0x140/0xcb0\n     wg_get_device_dump+0x471/0x1130",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential out-of-bounds when buffer offset is invalid\n\nI found potential out-of-bounds when buffer offset fields of a few requests\nare invalid. This patch sets the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n  BUG: Bad page state in process ksoftirqd/16  pfn:1451b6\n  page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n  flags: 0x200000000000000(node=0|zone=2)\n  page_type: 0xffffffff()\n  raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n  raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n  page dumped because: page_pool leak\n  Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n  CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x36/0x50\n   bad_page+0x70/0xf0\n   free_unref_page_prepare+0x27a/0x460\n   free_unref_page+0x38/0x120\n   esp_ssg_unref.isra.0+0x15f/0x200\n   esp_output_tail+0x66d/0x780\n   esp_xmit+0x2c5/0x360\n   validate_xmit_xfrm+0x313/0x370\n   ? validate_xmit_skb+0x1d/0x330\n   validate_xmit_skb_list+0x4c/0x70\n   sch_direct_xmit+0x23e/0x350\n   __dev_queue_xmit+0x337/0xba0\n   ? nf_hook_slow+0x3f/0xd0\n   ip_finish_output2+0x25e/0x580\n   iptunnel_xmit+0x19b/0x240\n   ip_tunnel_xmit+0x5fb/0xb60\n   ipgre_xmit+0x14d/0x280 [ip_gre]\n   dev_hard_start_xmit+0xc3/0x1c0\n   __dev_queue_xmit+0x208/0xba0\n   ? nf_hook_slow+0x3f/0xd0\n   ip_finish_output2+0x1ca/0x580\n   ip_sublist_rcv_finish+0x32/0x40\n   ip_sublist_rcv+0x1b2/0x1f0\n   ? ip_rcv_finish_core.constprop.0+0x460/0x460\n   ip_list_rcv+0x103/0x130\n   __netif_receive_skb_list_core+0x181/0x1e0\n   netif_receive_skb_list_internal+0x1b3/0x2c0\n   napi_gro_receive+0xc8/0x200\n   gro_cell_poll+0x52/0x90\n   __napi_poll+0x25/0x1a0\n   net_rx_action+0x28e/0x300\n   __do_softirq+0xc3/0x276\n   ? sort_range+0x20/0x20\n   run_ksoftirqd+0x1e/0x30\n   smpboot_thread_fn+0xa6/0x130\n   kthread+0xcd/0x100\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork+0x31/0x50\n   ? kthread_complete_and_exit+0x20/0x20\n   ret_from_fork_asm+0x11/0x20\n   </TASK>\n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch sets the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently.  If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot.  Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block().  This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state.  This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above.  Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crypto cards on KVM guests with debug\nkernel build revealed a use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix btnxpuart_close\n\nFix scheduling while atomic BUG in btnxpuart_close(), properly\npurge the transmit queue and free the receive skb.\n\n[   10.973809] BUG: scheduling while atomic: kworker/u9:0/80/0x00000002\n...\n[   10.980740] CPU: 3 PID: 80 Comm: kworker/u9:0 Not tainted 6.8.0-rc7-0.0.0-devel-00005-g61fdfceacf09 #1\n[   10.980751] Hardware name: Toradex Verdin AM62 WB on Dahlia Board (DT)\n[   10.980760] Workqueue: hci0 hci_power_off [bluetooth]\n[   10.981169] Call trace:\n...\n[   10.981363]  uart_update_mctrl+0x58/0x78\n[   10.981373]  uart_dtr_rts+0x104/0x114\n[   10.981381]  tty_port_shutdown+0xd4/0xdc\n[   10.981396]  tty_port_close+0x40/0xbc\n[   10.981407]  uart_close+0x34/0x9c\n[   10.981414]  ttyport_close+0x50/0x94\n[   10.981430]  serdev_device_close+0x40/0x50\n[   10.981442]  btnxpuart_close+0x24/0x98 [btnxpuart]\n[   10.981469]  hci_dev_close_sync+0x2d8/0x718 [bluetooth]\n[   10.981728]  hci_dev_do_close+0x2c/0x70 [bluetooth]\n[   10.981862]  hci_power_off+0x20/0x64 [bluetooth]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\ntear down a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill referenced by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff from succeeding after process 2 reclaimed the swap cache\nbut before process 1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fixed the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh started to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because registering a new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never sets MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n   'reconfig_mutex', hence it can be cleared and reshape can continue by\n   sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid. This\npatch on the one hand makes sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detects the above 3 cases before waiting for IO to be done in\ndm_suspend(), and lets dm-raid requeue those IO.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-am62: fix module unload/reload behavior\n\nAs runtime PM is enabled, the module can be runtime\nsuspended when .remove() is called.\n\nDo a pm_runtime_get_sync() to make sure module is active\nbefore doing any register operations.\n\nDoing a pm_runtime_put_sync() should disable the refclk\nso no need to disable it again.\n\nFixes the below warning at module removal.\n\n[   39.705310] ------------[ cut here ]------------\n[   39.710004] clk:162:3 already disabled\n[   39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8\n\nWe called of_platform_populate() in .probe() so call the\ncleanup function of_platform_depopulate() in .remove().\nGet rid of the now unnecessary dwc3_ti_remove_core().\nWithout this, module re-load doesn't work properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: camcc-sc8280xp: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq9574: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq5018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes a file handle without a parent it\nstores only the first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat as we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n  BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n  adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix a NULL pointer dereference\n\nA NULL pointer dereference is triggered when probing the MMIO RAPL\ndriver on platforms with CPU ID not listed in intel_rapl_common CPU\nmodel list.\n\nThis is because the intel_rapl_common module still probes on such\nplatforms even if 'defaults_msr' is not set after commit 1488ac990ac8\n(\"powercap: intel_rapl: Allow probing without CPUID match\"). Thus the\nMMIO RAPL rp->priv->defaults is NULL when registering to RAPL framework.\n\nFix the problem by adding sanity check to ensure rp->priv->rapl_defaults\nis always valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  
__schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n        __kvm_vcpu_wake_up(vcpu);\n\n        mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  
Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max310x: fix NULL pointer dereference in I2C instantiation\n\nWhen trying to instantiate a max14830 device from userspace:\n\n    echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device\n\nwe get the following error:\n\n    Unable to handle kernel NULL pointer dereference at virtual address...\n    ...\n    Call trace:\n        max310x_i2c_probe+0x48/0x170 [max310x]\n        i2c_device_probe+0x150/0x2a0\n    ...\n\nAdd check for validity of devtype to prevent the error, and abort probe\nwith a meaningful error message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. If the request size is smaller than\nsizeof(struct smb2_query_info_req), a slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocates the response buffer after\ndecrypting the transform request. smb3_decrypt_req() will validate the transform\nrequest size and avoid the slab-out-of-bounds read in smb2_allocate_rsp_buf().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied.  Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[    9.410890] ==================================================================\n[    9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[    9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[    9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G     U             6.9.0-rc3-00208-g586b5dfb51b9 #5\n[    9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[    9.460789] Call Trace:\n[    9.463518]  <TASK>\n[    9.465859]  dump_stack_lvl+0x53/0x70\n[    9.469949]  print_report+0xce/0x610\n[    9.473944]  ? __virt_addr_valid+0xf5/0x1b0\n[    9.478619]  ? memblock_isolate_range+0x12d/0x260\n[    9.483877]  kasan_report+0xc6/0x100\n[    9.487870]  ? memblock_isolate_range+0x12d/0x260\n[    9.493125]  memblock_isolate_range+0x12d/0x260\n[    9.498187]  memblock_phys_free+0xb4/0x160\n[    9.502762]  ? __pfx_memblock_phys_free+0x10/0x10\n[    9.508021]  ? mutex_unlock+0x7e/0xd0\n[    9.512111]  ? __pfx_mutex_unlock+0x10/0x10\n[    9.516786]  ? kernel_init_freeable+0x2d4/0x430\n[    9.521850]  ? __pfx_kernel_init+0x10/0x10\n[    9.526426]  xbc_exit+0x17/0x70\n[    9.529935]  kernel_init+0x38/0x1e0\n[    9.533829]  ? 
_raw_spin_unlock_irq+0xd/0x30\n[    9.538601]  ret_from_fork+0x2c/0x50\n[    9.542596]  ? __pfx_kernel_init+0x10/0x10\n[    9.547170]  ret_from_fork_asm+0x1a/0x30\n[    9.551552]  </TASK>\n\n[    9.555649] The buggy address belongs to the physical page:\n[    9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[    9.570821] flags: 0x200000000000000(node=0|zone=2)\n[    9.576271] page_type: 0xffffffff()\n[    9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[    9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[    9.597476] page dumped because: kasan: bad access detected\n\n[    9.605362] Memory state around the buggy address:\n[    9.610714]  ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.618786]  ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.634930]                    ^\n[    9.638534]  ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.646605]  ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.654675] ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS:  00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? 
__pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix bo leak in intel_fb_bo_framebuffer_init\n\nAdd a unreference bo in the error path, to prevent leaking a bo ref.\n\nReturn 0 on success to clarify the success path.\n\n(cherry picked from commit a2f3d731be3893e730417ae3190760fcaffdf549)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leak in create_process failure\n\nFix memory leak due to a leaked mmget reference on an error handling\ncode path that is triggered when attempting to create KFD processes\nwhile a GPU reset is in progress.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\n\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\n\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n       __mutex_lock+0x6c/0x770\n       page_alloc_cpu_online+0x3c/0x70\n       cpuhp_invoke_callback+0x397/0x5f0\n       __cpuhp_invoke_callback_range+0x71/0xe0\n       _cpu_up+0xeb/0x210\n       cpu_up+0x91/0xe0\n       cpuhp_bringup_mask+0x49/0xb0\n       bringup_nonboot_cpus+0xb7/0xe0\n       smp_init+0x25/0xa0\n       kernel_init_freeable+0x15f/0x3e0\n       kernel_init+0x15/0x1b0\n       ret_from_fork+0x2f/0x50\n       ret_from_fork_asm+0x1a/0x30\n\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n       __lock_acquire+0x1298/0x1cd0\n       lock_acquire+0xc0/0x2b0\n       cpus_read_lock+0x2a/0xc0\n       static_key_slow_dec+0x16/0x60\n       __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n       dissolve_free_huge_page+0x211/0x260\n       __page_handle_poison+0x45/0xc0\n       memory_failure+0x65e/0xc70\n       hard_offline_page_store+0x55/0xa0\n       kernfs_fop_write_iter+0x12c/0x1d0\n       vfs_write+0x387/0x550\n       ksys_write+0x64/0xe0\n       do_syscall_64+0xca/0x1e0\n       entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    
CPU1\n       ----                    ----\n  lock(pcp_batch_high_lock);\n                               lock(cpu_hotplug_lock);\n                               lock(pcp_batch_high_lock);\n  rlock(cpu_hotplug_lock);\n\n *** DEADLOCK ***\n\n5 locks held by bash/46904:\n #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x68/0xa0\n check_noncircular+0x129/0x140\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 
000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\n\nIn short, below scene breaks the \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n  Unable to handle kernel paging request at virtual address ffffff8000000000\n  Mem abort info:\n    ESR = 0x0000000096000007\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x07: level 3 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n  [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n  Internal error: Oops: 0000000096000007 [#1] SMP\n  Internal error: Oops: 0000000096000007 [#1] SMP\n  Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n  CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n  Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n  Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n  pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : swsusp_save+0x280/0x538\n  lr : 
swsusp_save+0x280/0x538\n  sp : ffffffa034a3fa40\n  x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n  x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n  x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n  x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n  x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n  x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n  x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n  x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n  x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n  Call trace:\n   swsusp_save+0x280/0x538\n   swsusp_arch_suspend+0x148/0x190\n   hibernation_snapshot+0x240/0x39c\n   hibernate+0xc4/0x378\n   state_store+0xf0/0x10c\n   kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status\n\nCheck kvm_mmu_page_ad_need_write_protect() when deciding whether to\nwrite-protect or clear D-bits on TDP MMU SPTEs, so that the TDP MMU\naccounts for any role-specific reasons for disabling D-bit dirty logging.\n\nSpecifically, TDP MMU SPTEs must be write-protected when the TDP MMU is\nbeing used to run an L2 (i.e. L1 has disabled EPT) and PML is enabled.\nKVM always disables PML when running L2, even when L1 and L2 GPAs are in\nthe some domain, so failing to write-protect TDP MMU SPTEs will cause\nwrites made by L2 to not be reflected in the dirty log.\n\n[sean: massage shortlog and changelog, tweak ternary op formatting]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes\n\nFix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger\nKASAN splat, as seen in the private_mem_conversions_test selftest.\n\nWhen memory attributes are set on a GFN range, that range will have\nspecific properties applied to the TDP. A huge page cannot be used when\nthe attributes are inconsistent, so they are disabled for those the\nspecific huge pages. For internal KVM reasons, huge pages are also not\nallowed to span adjacent memslots regardless of whether the backing memory\ncould be mapped as huge.\n\nWhat GFNs support which huge page sizes is tracked by an array of arrays\n'lpage_info' on the memslot, of \u2018kvm_lpage_info\u2019 structs. Each index of\nlpage_info contains a vmalloc allocated array of these for a specific\nsupported page size. The kvm_lpage_info denotes whether a specific huge\npage (GFN and page size) on the memslot is supported. These arrays include\nindices for unaligned head and tail huge pages.\n\nPreventing huge pages from spanning adjacent memslot is covered by\nincrementing the count in head and tail kvm_lpage_info when the memslot is\nallocated, but disallowing huge pages for memory that has mixed attributes\nhas to be done in a more complicated way. During the\nKVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in\nthe range that has mismatched attributes. KVM does this a memslot at a\ntime, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info\nfor any huge page. 
This bit is essentially a permanently elevated count.\nSo huge pages will not be mapped for the GFN at that page size if the\ncount is elevated in either case: a huge head or tail page unaligned to\nthe memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed\nattributes.\n\nTo determine whether a huge page has consistent attributes, the\nKVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it\nconsistently has the incoming attribute. Since level - 1 huge pages are\naligned to level huge pages, it employs an optimization. As long as the\nlevel - 1 huge pages are checked first, it can just check these and assume\nthat if each level - 1 huge page contained within the level sized huge\npage is not mixed, then the level size huge page is not mixed. This\noptimization happens in the helper hugepage_has_attrs().\n\nUnfortunately, although the kvm_lpage_info array representing page size\n'level' will contain an entry for an unaligned tail page of size level,\nthe array for level - 1  will not contain an entry for each GFN at page\nsize level. The level - 1 array will only contain an index for any\nunaligned region covered by level - 1 huge page size, which can be a\nsmaller region. So this causes the optimization to overflow the level - 1\nkvm_lpage_info and perform a vmalloc out of bounds read.\n\nIn some cases of head and tail pages where an overflow could happen,\ncallers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not\nrequired to prevent huge pages as discussed earlier. But for memslots that\nare smaller than the 1GB page size, it does call hugepage_has_attrs(). In\nthis case the huge page is both the head and tail page. 
The issue can be\nobserved simply by compiling the kernel with CONFIG_KASAN_VMALLOC and\nrunning the selftest \u201cprivate_mem_conversions_test\u201d, which produces the\noutput like the following:\n\nBUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110\nRead of size 4 at addr ffffc900000a3008 by task private_mem_con/169\nCall Trace:\n  dump_stack_lvl\n  print_report\n  ? __virt_addr_valid\n  ? hugepage_has_attrs\n  ? hugepage_has_attrs\n  kasan_report\n  ? hugepage_has_attrs\n  hugepage_has_attrs\n  kvm_arch_post_set_memory_attributes\n  kvm_vm_ioctl\n\nIt is a little ambiguous whether the unaligned head page (in the bug case\nalso the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set.\nIt is not functionally required, as the unal\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/pmu: Disable support for adaptive PEBS\n\nDrop support for virtualizing adaptive PEBS, as KVM's implementation is\narchitecturally broken without an obvious/easy path forward, and because\nexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak\nhost kernel addresses to the guest.\n\nBug #1 is that KVM doesn't account for the upper 32 bits of\nIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g\nfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()\nstores local variables as u8s and truncates the upper bits too, etc.\n\nBug #2 is that, because KVM _always_ sets precise_ip to a non-zero value\nfor PEBS events, perf will _always_ generate an adaptive record, even if\nthe guest requested a basic record.  Note, KVM will also enable adaptive\nPEBS in individual *counter*, even if adaptive PEBS isn't exposed to the\nguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,\ni.e. the guest will only ever see Basic records.\n\nBug #3 is in perf.  intel_pmu_disable_fixed() doesn't clear the upper\nbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and\nintel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE\neither.  I.e. perf _always_ enables ADAPTIVE counters, regardless of what\nKVM requests.\n\nBug #4 is that adaptive PEBS *might* effectively bypass event filters set\nby the host, as \"Updated Memory Access Info Group\" records information\nthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.\n\nBug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least\nzeros) when entering a vCPU with adaptive PEBS, which allows the guest\nto read host LBRs, i.e. host RIPs/addresses, by enabling \"LBR Entries\"\nrecords.\n\nDisable adaptive PEBS support as an immediate fix due to the severity of\nthe LBR leak in particular, and because fixing all of the bugs will be\nnon-trivial, e.g. 
not suitable for backporting to stable kernels.\n\nNote!  This will break live migration, but trying to make KVM play nice\nwith live migration would be quite complicated, wouldn't be guaranteed to\nwork (i.e. KVM might still kill/confuse the guest), and it's not clear\nthat there are any publicly available VMMs that support adaptive PEBS,\nlet alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't\nsupport PEBS in any capacity.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Correct the PDO counting in pd_set\n\nOff-by-one errors happen because nr_snk_pdo and nr_src_pdo are\nincorrectly added one. The index of the loop is equal to the number of\nPDOs to be updated when leaving the loop and it doesn't need to be added\none.\n\nWhen doing the power negotiation, TCPM relies on the \"nr_snk_pdo\" as\nthe size of the local sink PDO array to match the Source capabilities\nof the partner port. If the off-by-one overflow occurs, a wrong RDO\nmight be sent and unexpected power transfer might happen such as over\nvoltage or over current (than expected).\n\n\"nr_src_pdo\" is used to set the Rp level when the port is in Source\nrole. It is also the array size of the local Source capabilities when\nfilling up the buffer which will be sent as the Source PDOs (such as\nin Power Negotiation). If the off-by-one overflow occurs, a wrong Rp\nlevel might be set and wrong Source PDOs will be sent to the partner\nport. This could potentially cause over current or port resets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n  usb0: eth_stop dev->port_usb=ffffff9b179c3200\n  --> error happens in usb_ep_enable().\n  NCM: ncm_disable: ncm=ffffff9b179c3200\n  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm\n\n[function link via configfs]\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n  usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm\n  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n  eth_start_xmit()\n  --> dev->wrap()\n  Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 
'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: host: Fix dereference issue in DDMA completion flow.\n\nFixed variable dereference issue in DDMA completion flow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.8"
        },
        {
          "id": "CVE-2024-26998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: Clearing the circular buffer before NULLifying it\n\nThe circular buffer is NULLified in uart_tty_port_shutdown()\nunder the spin lock. However, the PM or other timer based callbacks\nmay still trigger after this event without knowning that buffer pointer\nis not valid. Since the serial code is a bit inconsistent in checking\nthe buffer state (some rely on the head-tail positions, some on the\nbuffer pointer), it's better to have both aligned, i.e. buffer pointer\nto be NULL and head-tail possitions to be the same, meaning it's empty.\nThis will prevent asynchronous calls to dereference NULL pointer as\nreported recently in 8250 case:\n\n  BUG: kernel NULL pointer dereference, address: 00000cf5\n  Workqueue: pm pm_runtime_work\n  EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n  ...\n  ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n  __start_tx (drivers/tty/serial/8250/8250_port.c:1551)\n  serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)\n  serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)\n  __rpm_callback (drivers/base/power/runtime.c:393)\n  ? serial_port_remove (drivers/tty/serial/serial_port.c:50)\n  rpm_suspend (drivers/base/power/runtime.c:447)\n\nThe proposed change will prevent ->start_tx() to be called during\nsuspend on shut down port.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-26999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0:  genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n    clk_unprepare()\n      clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n  __clk_core_init()\n    clk_prepare_lock()\n    clk_pm_runtime_get()\n      genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree for clk_summary\n\nSimilar to the previous commit, we should make sure that all devices are\nruntime resumed before printing the clk_summary through debugfs. Failure\nto do so would result in a deadlock if the thread is resuming a device\nto print clk state and that device is also runtime resuming in another\nthread, e.g the screen is turning on and the display driver is starting\nup. We remove the calls to clk_pm_runtime_{get,put}() in this path\nbecause they're superfluous now that we know the devices are runtime\nresumed. This also squashes a bug where the return value of\nclk_pm_runtime_get() wasn't checked, leading to an RPM count underflow\non error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n       Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0       state:D stack:    0 pid:    1 ppid:     0 flags:0x00000008\n Call trace:\n  __switch_to+0xf4/0x1f4\n  __schedule+0x418/0xb80\n  schedule+0x5c/0x10c\n  rpm_resume+0xe0/0x52c\n  rpm_resume+0x178/0x52c\n  __pm_runtime_resume+0x58/0x98\n  clk_pm_runtime_get+0x30/0xb0\n  clk_disable_unused_subtree+0x58/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused_subtree+0x38/0x208\n  clk_disable_unused+0x4c/0xe4\n  do_one_initcall+0xcc/0x2d8\n  do_initcall_level+0xa4/0x148\n  do_initcalls+0x5c/0x9c\n  do_basic_setup+0x24/0x30\n  kernel_init_freeable+0xec/0x164\n  kernel_init+0x28/0x120\n  ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n       Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0   state:D stack:    0 pid:    9 ppid:     2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n  __switch_to+0xf4/0x1f4\n  __schedule+0x418/0xb80\n  schedule+0x5c/0x10c\n  schedule_preempt_disabled+0x2c/0x48\n  __mutex_lock+0x238/0x488\n  __mutex_lock_slowpath+0x1c/0x28\n  mutex_lock+0x50/0x74\n  clk_prepare_lock+0x7c/0x9c\n  clk_core_prepare_lock+0x20/0x44\n  clk_prepare+0x24/0x30\n  clk_bulk_prepare+0x40/0xb0\n  mdss_runtime_resume+0x54/0x1c8\n  pm_generic_runtime_resume+0x30/0x44\n  __genpd_runtime_resume+0x68/0x7c\n  genpd_runtime_resume+0x108/0x1f4\n  __rpm_callback+0x84/0x144\n  rpm_callback+0x30/0x88\n  
rpm_resume+0x1f4/0x52c\n  rpm_resume+0x178/0x52c\n  __pm_runtime_resume+0x58/0x98\n  __device_attach+0xe0/0x170\n  device_initial_probe+0x1c/0x28\n  bus_probe_device+0x3c/0x9c\n  device_add+0x644/0x814\n  mipi_dsi_device_register_full+0xe4/0x170\n  devm_mipi_dsi_device_register_full+0x28/0x70\n  ti_sn_bridge_probe+0x1dc/0x2c0\n  auxiliary_bus_probe+0x4c/0x94\n  really_probe+0xcc/0x2c8\n  __driver_probe_device+0xa8/0x130\n  driver_probe_device+0x48/0x110\n  __device_attach_driver+0xa4/0xcc\n  bus_for_each_drv+0x8c/0xd8\n  __device_attach+0xf8/0x170\n  device_initial_probe+0x1c/0x28\n  bus_probe_device+0x3c/0x9c\n  deferred_probe_work_func+0x9c/0xd8\n  process_one_work+0x148/0x518\n  worker_thread+0x138/0x350\n  kthread+0x138/0x1e0\n  ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. 
If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n  CPU0                               CPU1\n  ----                               ----\n  icc_set_bw(path_a)\n    mutex_lock(&icc_bw_lock);\n                                     icc_put(path_b)\n                                       mutex_lock(&icc_lock);\n    aggregate_requests()\n      hlist_for_each_entry(r, ...\n                                       hlist_del(...\n        <r = invalid pointer>\n\nExample B:\n\n  CPU0                               CPU1\n  ----                               ----\n  icc_set_bw(path_a)\n    mutex_lock(&icc_bw_lock);\n                                     path_b = of_icc_get()\n                                       of_icc_get_by_index()\n                                         mutex_lock(&icc_lock);\n                                         path_find()\n                                           path_init()\n    aggregate_requests()\n      hlist_for_each_entry(r, ...\n                                             hlist_add_head(...\n        <r = invalid pointer>\n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()\n\nThe count field in struct trip_stats, representing the number of times\nthe zone temperature was above the trip point, needs to be incremented\nin thermal_debug_tz_trip_up(), for two reasons.\n\nFirst, if a trip point is crossed on the way up for the first time,\nthermal_debug_update_temp() called from update_temperature() does\nnot see it because it has not been added to trips_crossed[] array\nin the thermal zone's struct tz_debugfs object yet.  Therefore, when\nthermal_debug_tz_trip_up() is called after that, the trip point's\ncount value is 0, and the attempt to divide by it during the average\ntemperature computation leads to a divide error which causes the kernel\nto crash.  Setting the count to 1 before the division by incrementing it\nfixes this problem.\n\nSecond, if a trip point is crossed on the way up, but it has been\ncrossed on the way up already before, its count value needs to be\nincremented to make a record of the fact that the zone temperature is\nabove the trip now.  Without doing that, if the mitigations applied\nafter crossing the trip cause the zone temperature to drop below its\nthreshold, the count will not be updated for this episode at all and\nthe average temperature in the trip statistics record will be somewhat\nhigher than it should be.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE\n\nCommit d7a08838ab74 (\"mm: userfaultfd: fix unexpected change to src_folio\nwhen UFFDIO_MOVE fails\") moved the src_folio->{mapping, index} changing to\nafter clearing the page-table and ensuring that it's not pinned.  This\navoids failure of swapout+migration and possibly memory corruption.\n\nHowever, the commit missed fixing it in the huge-page case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[   82.890906]\n[   82.890906] ============================================\n[   82.890906] WARNING: possible recursive locking detected\n[   82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G        W\n[   82.890906] --------------------------------------------\n[   82.890906] ping/418 is trying to acquire lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] but task is already holding lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] other info that might help us debug this:\n[   82.890906]  Possible unsafe locking scenario:\n[   82.890906]\n[   82.890906]        CPU0\n[   82.890906]        ----\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]\n[   82.890906]  *** DEADLOCK ***\n[   82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. 
When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967]  <TASK>\n[ 6170.287973]  ? 
__warn+0x9f/0x1a0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.288104]  ? handle_bug+0x3c/0x70\n[ 6170.288112]  ? exc_invalid_op+0x17/0x40\n[ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS:  00007f0c687c4740(0000) GS:ffff888390800000(0000) 
knlGS:0000000000000000\n[43929.458107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118]  <TASK>\n[43929.458121]  ? __warn+0x9f/0x1a0\n[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188]  ? report_bug+0x1b1/0x1e0\n[43929.458196]  ? handle_bug+0x3c/0x70\n[43929.458200]  ? exc_invalid_op+0x17/0x40\n[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512]  ? rb_insert_color+0x2e/0x280\n[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701]  ? __rcu_read_unlock+0x46/0x70\n[43929.458709]  nft_delset+0xff/0x110 [nf_tables]\n[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036    TASK: ffff949da6f20000  CPU: 23   COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n    [exception RIP: io_serial_in+20]\n    RIP: ffffffff89792594  RSP: ffffa655314979e8  RFLAGS: 00000002\n    RAX: ffffffff89792500  RBX: ffffffff8af428a0  RCX: 0000000000000000\n    RDX: 00000000000003fd  RSI: 0000000000000005  RDI: ffffffff8af428a0\n    RBP: 0000000000002710   R8: 0000000000000004   R9: 000000000000000f\n    R10: 0000000000000000  R11: ffffffff8acbf64f  R12: 0000000000000020\n    R13: ffffffff8acbf698  R14: 0000000000000058  R15: 0000000000000000\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 
[ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n       __mutex_lock+0x80/0xc90\n       arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n       process_one_work+0x1dc/0x4a0\n       worker_thread+0x1bf/0x3c0\n       kthread+0xd7/0x100\n       ret_from_fork+0x2d/0x50\n       ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n       __lock_acquire+0x17b4/0x2c80\n       lock_acquire+0xd0/0x2b0\n       __flush_work+0x7a/0x4e0\n       __cancel_work_timer+0x131/0x1c0\n       arfs_del_rules+0x143/0x1e0 [mlx5_core]\n       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n       mlx5e_ethtool_set_channels+0xcb/0x200 
[mlx5_core]\n       ethnl_set_channels+0x28f/0x3b0\n       ethnl_default_set_doit+0xec/0x240\n       genl_family_rcv_msg_doit+0xd0/0x120\n       genl_rcv_msg+0x188/0x2c0\n       netlink_rcv_skb+0x54/0x100\n       genl_rcv+0x24/0x40\n       netlink_unicast+0x1a1/0x270\n       netlink_sendmsg+0x214/0x460\n       __sock_sendmsg+0x38/0x60\n       __sys_sendto+0x113/0x170\n       __x64_sys_sendto+0x20/0x30\n       do_syscall_64+0x40/0xe0\n       entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&priv->state_lock);\n                               lock((work_completion)(&rule->arfs_work));\n                               lock(&priv->state_lock);\n  lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? 
mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[   57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[   57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[   57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[   57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[   57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[   57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[   57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[   57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[   57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[   57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[   57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 
0000000000000000\n[   57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[   57.582313] FS:  0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[   57.583040] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[   57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[   57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[   57.585440] Call Trace:\n[   57.585721]  <IRQ>\n[   57.585976]  ? __warn+0x7d/0x130\n[   57.586323]  ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[   57.586811]  ? report_bug+0xf1/0x1c0\n[   57.587177]  ? handle_bug+0x3f/0x70\n[   57.587539]  ? exc_invalid_op+0x13/0x60\n[   57.587929]  ? asm_exc_invalid_op+0x16/0x20\n[   57.588336]  ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[   57.588825]  nf_hook_slow+0x3d/0xd0\n[   57.589188]  ? br_handle_vlan+0x4b/0x110\n[   57.589579]  br_pass_frame_up+0xfc/0x150\n[   57.589970]  ? br_port_flags_change+0x40/0x40\n[   57.590396]  br_handle_frame_finish+0x346/0x5e0\n[   57.590837]  ? ipt_do_table+0x32e/0x430\n[   57.591221]  ? br_handle_local_finish+0x20/0x20\n[   57.591656]  br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[   57.592286]  ? br_handle_local_finish+0x20/0x20\n[   57.592802]  br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[   57.593348]  ? br_handle_local_finish+0x20/0x20\n[   57.593782]  ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[   57.594279]  br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[   57.594780]  ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[   57.595280]  br_handle_frame+0x1f3/0x3d0\n[   57.595676]  ? br_handle_local_finish+0x20/0x20\n[   57.596118]  ? br_handle_frame_finish+0x5e0/0x5e0\n[   57.596566]  __netif_receive_skb_core+0x25b/0xfc0\n[   57.597017]  ? __napi_build_skb+0x37/0x40\n[   57.597418]  __netif_receive_skb_list_core+0xfb/0x220",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: fix LED-related deadlock on module removal\n\nBinding devm_led_classdev_register() to the netdev is problematic\nbecause on module removal we get a RTNL-related deadlock. Fix this\nby avoiding the device-managed LED functions.\n\nNote: We can safely call led_classdev_unregister() for a LED even\nif registering it failed, because led_classdev_unregister() detects\nthis and is a no-op in this case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: defer linking file vma until vma is fully initialized\n\nThorvald reported a WARNING [1]. And the root cause is below race:\n\n CPU 1\t\t\t\t\tCPU 2\n fork\t\t\t\t\thugetlbfs_fallocate\n  dup_mmap\t\t\t\t hugetlbfs_punch_hole\n   i_mmap_lock_write(mapping);\n   vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\n   i_mmap_unlock_write(mapping);\n   hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t i_mmap_lock_write(mapping);\n   \t\t\t\t\t hugetlb_vmdelete_list\n\t\t\t\t\t  vma_interval_tree_foreach\n\t\t\t\t\t   hugetlb_vma_trylock_write -- Vma_lock is cleared.\n   tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t   hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\n\t\t\t\t\t i_mmap_unlock_write(mapping);\n\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\ni_mmap_rwsem lock while vma lock can be used in the same time.  Fix this\nby deferring linking file vma until vma is fully initialized.  Those vmas\nshould be initialized first before they can be used.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Fix missing release of 'active_io' for flush\n\nsubmit_flushes\n atomic_set(&mddev->flush_pending, 1);\n rdev_for_each_rcu(rdev, mddev)\n  atomic_inc(&mddev->flush_pending);\n  bi->bi_end_io = md_end_flush\n  submit_bio(bi);\n                        /* flush io is done first */\n                        md_end_flush\n                         if (atomic_dec_and_test(&mddev->flush_pending))\n                          percpu_ref_put(&mddev->active_io)\n                          -> active_io is not released\n\n if (atomic_dec_and_test(&mddev->flush_pending))\n  -> missing release of active_io\n\nFor consequence, mddev_suspend() will wait for 'active_io' to be zero\nforever.\n\nFix this problem by releasing 'active_io' in submit_flushes() if\n'flush_pending' is decreased to zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.7"
        },
        {
          "id": "CVE-2024-27024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix WARNING in rds_conn_connect_if_down\n\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix missing reserved tailroom\n\nUse rbi->len instead of rcd->len for non-dataring packet.\n\nFound issue:\n  XDP_WARN: xdp_update_frame_from_buff(line:278): Driver BUG: missing reserved tailroom\n  WARNING: CPU: 0 PID: 0 at net/core/xdp.c:586 xdp_warn+0xf/0x20\n  CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W  O       6.5.1 #1\n  RIP: 0010:xdp_warn+0xf/0x20\n  ...\n  ? xdp_warn+0xf/0x20\n  xdp_do_redirect+0x15f/0x1c0\n  vmxnet3_run_xdp+0x17a/0x400 [vmxnet3]\n  vmxnet3_process_xdp+0xe4/0x760 [vmxnet3]\n  ? vmxnet3_tq_tx_complete.isra.0+0x21e/0x2c0 [vmxnet3]\n  vmxnet3_rq_rx_complete+0x7ad/0x1120 [vmxnet3]\n  vmxnet3_poll_rx_only+0x2d/0xa0 [vmxnet3]\n  __napi_poll+0x20/0x180\n  net_rx_action+0x177/0x390",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix dpll_xa_ref_*_del() for multiple registrations\n\nCurrently, if there are multiple registrations of the same pin on the\nsame dpll device, following warnings are observed:\nWARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:143 dpll_xa_ref_pin_del.isra.0+0x21e/0x230\nWARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:223 __dpll_pin_unregister+0x2b3/0x2c0\n\nThe problem is, that in both dpll_xa_ref_dpll_del() and\ndpll_xa_ref_pin_del() registration is only removed from list in case the\nreference count drops to zero. That is wrong, the registration has to\nbe removed always.\n\nTo fix this, remove the registration from the list and free\nit unconditionally, instead of doing it only when the ref reference\ncounter reaches zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\n\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\n\nAdd a check to trans->tx_buf before using it.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix mmhub client id out-of-bounds access\n\nProperly handle cid 0x140.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Use separate handlers for interrupts\n\nFor PF to AF interrupt vector and VF to AF vector same\ninterrupt handler is registered which is causing race condition.\nWhen two interrupts are raised to two CPUs at same time\nthen two cores serve same event corrupting the data.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\n\nThe loop inside nfs_netfs_issue_read() currently does not disable\ninterrupts while iterating through pages in the xarray to submit\nfor NFS read.  This is not safe though since after taking xa_lock,\nanother page in the mapping could be processed for writeback inside\nan interrupt, and deadlock can occur.  The fix is simple and clean\nif we use xa_for_each_range(), which handles the iteration with RCU\nwhile reducing code complexity.\n\nThe problem is easily reproduced with the following test:\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\n echo 3 > /proc/sys/vm/drop_caches\n dd if=/mnt/nfs/file1.bin of=/dev/null\n umount /mnt/nfs\n\nOn the console with a lockdep-enabled kernel a message similar to\nthe following will be seen:\n\n ================================\n WARNING: inconsistent lock state\n 6.7.0-lockdbg+ #10 Not tainted\n --------------------------------\n inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\n ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at:\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n {IN-SOFTIRQ-W} state was registered at:\n   lock_acquire+0x144/0x380\n   _raw_spin_lock_irqsave+0x4e/0xa0\n   __folio_end_writeback+0x17e/0x5c0\n   folio_end_writeback+0x93/0x1b0\n   iomap_finish_ioend+0xeb/0x6a0\n   blk_update_request+0x204/0x7f0\n   blk_mq_end_request+0x30/0x1c0\n   blk_complete_reqs+0x7e/0xa0\n   __do_softirq+0x113/0x544\n   __irq_exit_rcu+0xfe/0x120\n   irq_exit_rcu+0xe/0x20\n   sysvec_call_function_single+0x6f/0x90\n   asm_sysvec_call_function_single+0x1a/0x20\n   pv_native_safe_halt+0xf/0x20\n   default_idle+0x9/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2b5/0x300\n   cpu_startup_entry+0x34/0x40\n   start_secondary+0x19d/0x1c0\n   secondary_startup_64_no_verify+0x18f/0x19b\n irq event stamp: 176891\n hardirqs last  enabled at (176891): [<ffffffffa67a0be4>]\n_raw_spin_unlock_irqrestore+0x44/0x60\n hardirqs last disabled at (176890): [<ffffffffa67a0899>]\n_raw_spin_lock_irqsave+0x79/0xa0\n softirqs last  enabled at (176646): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n softirqs last disabled at (176633): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&xa->xa_lock#4);\n   <Interrupt>\n     lock(&xa->xa_lock#4);\n\n  *** DEADLOCK ***\n\n 2 locks held by test5/1708:\n  #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at:\n      nfs_start_io_read+0x28/0x90 [nfs]\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\n      page_cache_ra_unbounded+0xa4/0x280\n\n stack backtrace:\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\n Call Trace:\n  dump_stack_lvl+0x5b/0x90\n  mark_lock+0xb3f/0xd20\n  __lock_acquire+0x77b/0x3360\n  _raw_spin_lock+0x34/0x80\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n  netfs_begin_read+0x77f/0x980 [netfs]\n  nfs_netfs_readahead+0x45/0x60 [nfs]\n  nfs_readahead+0x323/0x5a0 [nfs]\n  read_pages+0xf3/0x5c0\n  page_cache_ra_unbounded+0x1c8/0x280\n  filemap_get_pages+0x38c/0xae0\n  filemap_read+0x206/0x5e0\n  nfs_file_read+0xb7/0x140 [nfs]\n  vfs_read+0x2a9/0x460\n  ksys_read+0xb7/0x140",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic\n\nverify_blkaddr() will trigger panic once we inject fault into\nf2fs_is_valid_blkaddr(), fix to remove this unnecessary f2fs_bug_on().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover normal cluster write with cp_rwsem\n\nWhen we overwrite compressed cluster w/ normal cluster, we should\nnot unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data\nwill be corrupted if partial blocks were persisted before CP & SPOR,\ndue to cluster metadata wasn't updated atomically.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix writeback data corruption\n\ncifs writeback doesn't correctly handle the case where\ncifs_extend_writeback() hits a point where it is considering an additional\nfolio, but this would overrun the wsize - at which point it drops out of\nthe xarray scanning loop and calls xas_pause().  The problem is that\nxas_pause() advances the loop counter - thereby skipping that page.\n\nWhat needs to happen is for xas_reset() to be called any time we decide we\ndon't want to process the page we're looking at, but rather send the\nrequest we are building and start a new one.\n\nFix this by copying and adapting the netfslib writepages code as a\ntemporary measure, with cifs writeback intending to be offloaded to\nnetfslib in the near future.\n\nThis also fixes the issue with the use of filemap_get_folios_tag() causing\nretry of a bunch of pages which the extender already dealt with.\n\nThis can be tested by creating, say, a 64K file somewhere not on cifs\n(otherwise copy-offload may get underfoot), mounting a cifs share with a\nwsize of 64000, copying the file to it and then comparing the original file\nand the copy:\n\n        dd if=/dev/urandom of=/tmp/64K bs=64k count=1\n        mount //192.168.6.1/test /mnt -o user=...,pass=...,wsize=64000\n        cp /tmp/64K /mnt/64K\n        cmp /tmp/64K /mnt/64K\n\nWithout the fix, the cmp fails at position 64000 (or shortly thereafter).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\n\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\n\nThis patch uses a stack variable to replace the kmalloc().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_core_get NULL dereference\n\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\n\nclk_core_get()\n    of_clk_get_hw_from_clkspec()\n        __of_clk_get_hw_from_provider()\n            __clk_get_hw()\n\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw->core.\n\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\n\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\n\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: hisilicon: hi3559a: Fix an erroneous devm_kfree()\n\n'p_clk' is an array allocated just before the for loop for all clk that\nneed to be registered.\nIt is incremented at each loop iteration.\n\nIf a clk_register() call fails, 'p_clk' may point to something different\nfrom what should be freed.\n\nThe best we can do, is to avoid this wrong release of memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add 'replay' NULL check in 'edp_set_replay_allow_active()'\n\nIn the first if statement, we're checking if 'replay' is NULL. But in\nthe second if statement, we're not checking if 'replay' is NULL again\nbefore calling replay->funcs->replay_set_power_opt().\n\nif (replay == NULL && force_static)\n    return false;\n\n...\n\nif (link->replay_settings.replay_feature_enabled &&\n    replay->funcs->replay_set_power_opt) {\n\treplay->funcs->replay_set_power_opt(replay, *power_opts, panel_inst);\n\tlink->replay_settings.replay_power_opt_active = *power_opts;\n}\n\nIf 'replay' is NULL, this will cause a null pointer dereference.\n\nFixes the below found by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:895 edp_set_replay_allow_active() error: we previously assumed 'replay' could be null (see line 887)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: edia: dvbdev: fix a use-after-free\n\nIn dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed\nin several error-handling paths. However, *pdvbdev is not set to NULL\nafter dvbdev's deallocation, causing use-after-frees in many places,\nfor example, in the following call chain:\n\nbudget_register\n  |-> dvb_dmxdev_init\n        |-> dvb_register_device\n  |-> dvb_dmxdev_release\n        |-> dvb_unregister_device\n              |-> dvb_remove_device\n                    |-> dvb_device_put\n                          |-> kref_put\n\nWhen calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in\ndvb_register_device) could point to memory that had been freed in\ndvb_register_device. Thereafter, this pointer is transferred to\nkref_put and triggering a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\n\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\n\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: handle acti_netdevs allocation failure\n\nThe kmalloc_array() in nfp_fl_lag_do_work() will return null, if\nthe physical memory has run out. As a result, if we dereference\nthe acti_netdevs, the null pointer dereference bugs will happen.\n\nThis patch adds a check to judge whether allocation failure occurs.\nIf it happens, the delayed work will be rescheduled and try again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: fix phy_get_internal_delay accessing an empty array\n\nThe phy_get_internal_delay function could try to access to an empty\narray in the case that the driver is calling phy_get_internal_delay\nwithout defining delay_values and rx-internal-delay-ps or\ntx-internal-delay-ps is defined to 0 in the device-tree.\nThis will lead to \"unable to handle kernel NULL pointer dereference at\nvirtual address 0\". To avoid this kernel oops, the test should be delay\n>= 0. As there is already delay < 0 test just before, the test could\nonly be size == 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcm80211: handle pmk_op allocation failure\n\nThe kzalloc() in brcmf_pmksa_v3_op() will return null if the\nphysical memory has run out. As a result, if we dereference\nthe null value, the null pointer dereference bug will happen.\n\nReturn -ENOMEM from brcmf_pmksa_v3_op() if kzalloc() fails\nfor pmk_op.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925e: fix use-after-free in free_irq()\n\nFrom commit a304e1b82808 (\"[PATCH] Debug shared irqs\"), there is a test\nto make sure the shared irq handler should be able to handle the unexpected\nevent after deregistration. For this case, let's apply MT76_REMOVED flag to\nindicate the device was removed and do not run into the resource access\nanymore.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Use OPTS_SET() macro in bpf_xdp_query()\n\nWhen the feature_flags and xdp_zc_max_segs fields were added to the libbpf\nbpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro.\nThis causes libbpf to write to those fields unconditionally, which means\nthat programs compiled against an older version of libbpf (with a smaller\nsize of the bpf_xdp_query_opts struct) will have its stack corrupted by\nlibbpf writing out of bounds.\n\nThe patch adding the feature_flags field has an early bail out if the\nfeature_flags field is not part of the opts struct (via the OPTS_HAS)\nmacro, but the patch adding xdp_zc_max_segs does not. For consistency, this\nfix just changes the assignments to both fields to use the OPTS_SET()\nmacro.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value\n\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return 0 in case of error.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work\n\nThe workqueue might still be running, when the driver is stopped. To\navoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix RCU usage in connect path\n\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\n\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\n\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix double module refcount decrement\n\nOnce the discipline is associated with the device, deleting the device\ntakes care of decrementing the module's refcount.  Doing it manually on\nthis error path causes refcount to artificially decrease on each error\nwhile it should just stay the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntmpfs: fix race on handling dquot rbtree\n\nA syzkaller reproducer found a race while attempting to remove dquot\ninformation from the rb tree.\n\nFetching the rb_tree root node must also be protected by the\ndqopt->dqio_sem, otherwise, giving the right timing, shmem_release_dquot()\nwill trigger a warning because it couldn't find a node in the tree, when\nthe real reason was the root node changing before the search starts:\n\nThread 1\t\t\t\tThread 2\n- shmem_release_dquot()\t\t\t- shmem_{acquire,release}_dquot()\n\n- fetch ROOT\t\t\t\t- Fetch ROOT\n\n\t\t\t\t\t- acquire dqio_sem\n- wait dqio_sem\n\n\t\t\t\t\t- do something, triger a tree rebalance\n\t\t\t\t\t- release dqio_sem\n\n- acquire dqio_sem\n- start searching for the node, but\n  from the wrong location, missing\n  the node, and triggering a warning.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix NULL pointer dereference in tb_port_update_credits()\n\nOlliver reported that his system crashes when plugging in Thunderbolt 1\ndevice:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:tb_port_do_update_credits+0x1b/0x130 [thunderbolt]\n Call Trace:\n  <TASK>\n  ? __die+0x23/0x70\n  ? page_fault_oops+0x171/0x4e0\n  ? exc_page_fault+0x7f/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? tb_port_do_update_credits+0x1b/0x130\n  ? tb_switch_update_link_attributes+0x83/0xd0\n  tb_switch_add+0x7a2/0xfe0\n  tb_scan_port+0x236/0x6f0\n  tb_handle_hotplug+0x6db/0x900\n  process_one_work+0x171/0x340\n  worker_thread+0x27b/0x3a0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xe5/0x120\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x31/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>\n\nThis is due the fact that some Thunderbolt 1 devices only have one lane\nadapter. Fix this by checking for the lane 1 before we read its credits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ce - Fix use after free in unprepare\n\nsun8i_ce_cipher_unprepare should be called before\ncrypto_finalize_skcipher_request, because client callbacks may\nimmediately free memory, that isn't needed anymore. But it will be\nused by unprepare after free. Before removing prepare/unprepare\ncallbacks it was handled by crypto engine in crypto_finalize_request.\n\nUsually that results in a pointer dereference problem during a in\ncrypto selftest.\n Unable to handle kernel NULL pointer dereference at\n                                      virtual address 0000000000000030\n Mem abort info:\n   ESR = 0x0000000096000004\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x04: level 0 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000\n [0000000000000030] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] SMP\n\nThis problem is detected by KASAN as well.\n ==================================================================\n BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\n Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373\n\n Hardware name: Pine64 PinePhone (1.2) (DT)\n Call trace:\n  dump_backtrace+0x9c/0x128\n  show_stack+0x20/0x38\n  dump_stack_lvl+0x48/0x60\n  print_report+0xf8/0x5d8\n  kasan_report+0x90/0xd0\n  __asan_load8+0x9c/0xc0\n  sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce]\n  crypto_pump_work+0x354/0x620 [crypto_engine]\n  kthread_worker_fn+0x244/0x498\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Allocated by task 379:\n  kasan_save_stack+0x3c/0x68\n  kasan_set_track+0x2c/0x40\n  kasan_save_alloc_info+0x24/0x38\n  
__kasan_kmalloc+0xd4/0xd8\n  __kmalloc+0x74/0x1d0\n  alg_test_skcipher+0x90/0x1f0\n  alg_test+0x24c/0x830\n  cryptomgr_test+0x38/0x60\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n Freed by task 379:\n  kasan_save_stack+0x3c/0x68\n  kasan_set_track+0x2c/0x40\n  kasan_save_free_info+0x38/0x60\n  __kasan_slab_free+0x100/0x170\n  slab_free_freelist_hook+0xd4/0x1e8\n  __kmem_cache_free+0x15c/0x290\n  kfree+0x74/0x100\n  kfree_sensitive+0x80/0xb0\n  alg_test_skcipher+0x12c/0x1f0\n  alg_test+0x24c/0x830\n  cryptomgr_test+0x38/0x60\n  kthread+0x168/0x178\n  ret_from_fork+0x10/0x20\n\n The buggy address belongs to the object at ffff00000dcdc000\n  which belongs to the cache kmalloc-256 of size 256\n The buggy address is located 64 bytes inside of\n  freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS:  00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555]  <TASK>\n[ 4562.099573]  ? die_addr+0x36/0x90\n[ 4562.099583]  ? exc_general_protection+0x246/0x4a0\n[ 4562.099593]  ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600]  ? 
nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730]  nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861]  nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986]  nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156]  ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163]  ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182]  ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189]  nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356]  __do_fault+0x32/0x150\n[ 4562.100362]  do_fault+0x7c/0x560\n[ 4562.100369]  __handle_mm_fault+0x800/0xc10\n[ 4562.100382]  handle_mm_fault+0x17c/0x3e0\n[ 4562.100388]  do_user_addr_fault+0x208/0x860\n[ 4562.100395]  exc_page_fault+0x7f/0x200\n[ 4562.100402]  asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446]  </TASK>\n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi 
snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: netdev: Fix kernel panic on interface rename trig notify\n\nCommit d5e01266e7f5 (\"leds: trigger: netdev: add additional specific link\nspeed mode\") in the various changes, reworked the way to set the LINKUP\nmode in commit cee4bd16c319 (\"leds: trigger: netdev: Recheck\nNETDEV_LED_MODE_LINKUP on dev rename\") and moved it to a generic function.\n\nThis changed the logic where, in the previous implementation the dev\nfrom the trigger event was used to check if the carrier was ok, but in\nthe new implementation with the generic function, the dev in\ntrigger_data is used instead.\n\nThis is problematic and cause a possible kernel panic due to the fact\nthat the dev in the trigger_data still reference the old one as the\nnew one (passed from the trigger event) still has to be hold and saved\nin the trigger_data struct (done in the NETDEV_REGISTER case).\n\nOn calling of get_device_state(), an invalid net_dev is used and this\ncause a kernel panic.\n\nTo handle this correctly, move the call to get_device_state() after the\nnew net_dev is correctly set in trigger_data (in the NETDEV_REGISTER\ncase) and correctly parse the new dev.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix a memory leak in nf_tables_updchain\n\nIf nft_netdev_register_hooks() fails, the memory associated with\nnft_stats is not freed, causing a memory leak.\n\nThis patch fixes it by moving nft_stats_alloc() down after\nnft_netdev_register_hooks() succeeds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not compare internal table flags on updates\n\nRestore skipping transaction if table update does not modify flags.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: packed: fix unmap leak for indirect desc table\n\nWhen use_dma_api and premapped are true, then the do_unmap is false.\n\nBecause the do_unmap is false, vring_unmap_extra_packed is not called by\ndetach_buf_packed.\n\n  if (unlikely(vq->do_unmap)) {\n                curr = id;\n                for (i = 0; i < state->num; i++) {\n                        vring_unmap_extra_packed(vq,\n                                                 &vq->packed.desc_extra[curr]);\n                        curr = vq->packed.desc_extra[curr].next;\n                }\n  }\n\nSo the indirect desc table is not unmapped. This causes the unmap leak.\n\nSo here, we check vq->use_dma_api instead. Synchronously, dma info is\nupdated based on use_dma_api judgment\n\nThis bug does not occur, because no driver use the premapped with\nindirect.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/evtchn: avoid WARN() when unbinding an event channel\n\nWhen unbinding a user event channel, the related handler might be\ncalled a last time in case the kernel was built with\nCONFIG_DEBUG_SHIRQ. This might cause a WARN() in the handler.\n\nAvoid that by adding an \"unbinding\" flag to struct user_event which\nwill short circuit the handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Fix a memory leak in an error handling path\n\nIf devm_krealloc() fails, then 'efuse' is leaking.\nSo free it to avoid a leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: relax WARN_ON in ovl_verify_area()\n\nsyzbot hit an assertion in copy up data loop which looks like it is\nthe result of a lower file whose size is being changed underneath\noverlayfs.\n\nThis type of use case is documented to cause undefined behavior, so\nreturning EIO error for the copy up makes sense, but it should not be\ncausing a WARN_ON assertion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free issue in f2fs_filemap_fault\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49\nRead of size 8 at addr ffff88807bb22680 by task syz-executor184/5058\n\nCPU: 0 PID: 5058 Comm: syz-executor184 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x163/0x540 mm/kasan/report.c:488\n kasan_report+0x142/0x170 mm/kasan/report.c:601\n f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49\n __do_fault+0x131/0x450 mm/memory.c:4376\n do_shared_fault mm/memory.c:4798 [inline]\n do_fault mm/memory.c:4872 [inline]\n do_pte_missing mm/memory.c:3745 [inline]\n handle_pte_fault mm/memory.c:5144 [inline]\n __handle_mm_fault+0x23b7/0x72b0 mm/memory.c:5285\n handle_mm_fault+0x27e/0x770 mm/memory.c:5450\n do_user_addr_fault arch/x86/mm/fault.c:1364 [inline]\n handle_page_fault arch/x86/mm/fault.c:1507 [inline]\n exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570\n\nThe root cause is: in f2fs_filemap_fault(), vmf->vma may be not alive after\nfilemap_fault(), so it may cause use-after-free issue when accessing\nvmf->vma->vm_flags in trace_f2fs_filemap_fault(). So it needs to keep vm_flags\nin separated temporary variable for tracepoint use.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: hx8357: Fix potential NULL pointer dereference\n\nThe \"im\" pins are optional. Add missing check in the hx8357_probe().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ttpci: fix two memleaks in budget_av_attach\n\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: go7007: fix a memleak in go7007_load_encoder\n\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. After the following call chain:\n\nsaa7134_go7007_init\n  |-> go7007_boot_encoder\n        |-> go7007_load_encoder\n  |-> kfree(go)\n\ngo is freed and thus bounce is leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: avoid stack overflow warnings with clang\n\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\n\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\n\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx: csc/scaler: fix v4l2_ctrl_handler memory leak\n\nFree the memory allocated in v4l2_ctrl_handler_init on release.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\n\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-tpg: fix some memleaks in tpg_alloc\n\nIn tpg_alloc, resources should be deallocated in each and every\nerror-handling paths, since they are allocated in for statements.\nOtherwise there would be memleaks because tpg_free is called only when\ntpg_alloc return 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix NULL domain on device release\n\nIn the kdump kernel, the IOMMU operates in deferred_attach mode. In this\nmode, info->domain may not yet be assigned by the time the release_device\nfunction is called. It leads to the following crash in the crash kernel:\n\n    BUG: kernel NULL pointer dereference, address: 000000000000003c\n    ...\n    RIP: 0010:do_raw_spin_lock+0xa/0xa0\n    ...\n    _raw_spin_lock_irqsave+0x1b/0x30\n    intel_iommu_release_device+0x96/0x170\n    iommu_deinit_device+0x39/0xf0\n    __iommu_group_remove_device+0xa0/0xd0\n    iommu_bus_notifier+0x55/0xb0\n    notifier_call_chain+0x5a/0xd0\n    blocking_notifier_call_chain+0x41/0x60\n    bus_notify+0x34/0x50\n    device_del+0x269/0x3d0\n    pci_remove_bus_device+0x77/0x100\n    p2sb_bar+0xae/0x1d0\n    ...\n    i801_probe+0x423/0x740\n\nUse the release_domain mechanism to fix it. The scalable mode context\nentry which is not part of release domain should be cleared in\nrelease_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when detecting delalloc ranges during fiemap\n\nFor fiemap we recently stopped locking the target extent range for the\nwhole duration of the fiemap call, in order to avoid a deadlock in a\nscenario where the fiemap buffer happens to be a memory mapped range of\nthe same file. This use case is very unlikely to be useful in practice but\nit may be triggered by fuzz testing (syzbot, etc).\n\nThis however introduced a race that makes us miss delalloc ranges for\nfile regions that are currently holes, so the caller of fiemap will not\nbe aware that there's data for some file regions. This can be quite\nserious for some use cases - for example in coreutils versions before 9.0,\nthe cp program used fiemap to detect holes and data in the source file,\ncopying only regions with data (extents or delalloc) from the source file\nto the destination file in order to preserve holes (see the documentation\nfor its --sparse command line option). This means that if cp was used\nwith a source file that had delalloc in a hole, the destination file could\nend up without that data, which is effectively a data loss issue, if it\nhappened to hit the race described below.\n\nThe race happens like this:\n\n1) Fiemap is called, without the FIEMAP_FLAG_SYNC flag, for a file that\n   has delalloc in the file range [64M, 65M[, which is currently a hole;\n\n2) Fiemap locks the inode in shared mode, then starts iterating the\n   inode's subvolume tree searching for file extent items, without having\n   the whole fiemap target range locked in the inode's io tree - the\n   change introduced recently by commit b0ad381fa769 (\"btrfs: fix\n   deadlock with fiemap and extent locking\"). It only locks ranges in\n   the io tree when it finds a hole or prealloc extent since that\n   commit;\n\n3) Note that fiemap clones each leaf before using it, and this is to\n   avoid deadlocks when locking a file range in the inode's io tree and\n   the fiemap buffer is memory mapped to some file, because writing\n   to the page with btrfs_page_mkwrite() will wait on any ordered extent\n   for the page's range and the ordered extent needs to lock the range\n   and may need to modify the same leaf, therefore leading to a deadlock\n   on the leaf;\n\n4) While iterating the file extent items in the cloned leaf before\n   finding the hole in the range [64M, 65M[, the delalloc in that range\n   is flushed and its ordered extent completes - meaning the corresponding\n   file extent item is in the inode's subvolume tree, but not present in\n   the cloned leaf that fiemap is iterating over;\n\n5) When fiemap finds the hole in the [64M, 65M[ range by seeing the gap in\n   the cloned leaf (or a file extent item with disk_bytenr == 0 in case\n   the NO_HOLES feature is not enabled), it will lock that file range in\n   the inode's io tree and then search for delalloc by checking for the\n   EXTENT_DELALLOC bit in the io tree for that range and ordered extents\n   (with btrfs_find_delalloc_in_range()). But it finds nothing since the\n   delalloc in that range was already flushed and the ordered extent\n   completed and is gone - as a result fiemap will not report that there's\n   delalloc or an extent for the range [64M, 65M[, so user space will be\n   mislead into thinking that there's a hole in that range.\n\nThis could actually be sporadically triggered with test case generic/094\nfrom fstests, which reports a missing extent/delalloc range like this:\n\n  generic/094 2s ... - output mismatch (see /home/fdmanana/git/hub/xfstests/results//generic/094.out.bad)\n      --- tests/generic/094.out\t2020-06-10 19:29:03.830519425 +0100\n      +++ /home/fdmanana/git/hub/xfstests/results//generic/094.out.bad\t2024-02-28 11:00:00.381071525 +0000\n      @@ -1,3 +1,9 @@\n       QA output created by 094\n       fiemap run with sync\n       fiemap run without sync\n      +ERROR: couldn't find extent at 7\n      +map is 'HHDDHPPDPHPH'\n      +logical: [       5..       6] phys:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix some memleaks in gssx_dec_option_array\n\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27388",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n  WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down()\n\nAs discussed in the past (commit 2d3916f31891 (\"ipv6: fix skb drops\nin igmp6_event_query() and igmp6_event_report()\")) I think the\nsynchronize_net() call in ipv6_mc_down() is not needed.\n\nUnder load, synchronize_net() can last between 200 usec and 5 ms.\n\nKASAN seems to agree as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27390",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: do not realloc workqueue everytime an interface is added\n\nCommit 09ed8bfc5215 (\"wilc1000: Rename workqueue from \"WILC_wq\" to\n\"NETDEV-wq\"\") moved workqueue creation in wilc_netdev_ifc_init in order to\nset the interface name in the workqueue name. However, while the driver\nneeds only one workqueue, the wilc_netdev_ifc_init is called each time we\nadd an interface over a phy, which in turns overwrite the workqueue with a\nnew one. This can be observed with the following commands:\n\nfor i in $(seq 0 10)\ndo\n  iw phy phy0 interface add wlan1 type managed\n  iw dev wlan1 del\ndone\nps -eo pid,comm|grep wlan\n\n 39 kworker/R-wlan0\n 98 kworker/R-wlan1\n102 kworker/R-wlan1\n105 kworker/R-wlan1\n108 kworker/R-wlan1\n111 kworker/R-wlan1\n114 kworker/R-wlan1\n117 kworker/R-wlan1\n120 kworker/R-wlan1\n123 kworker/R-wlan1\n126 kworker/R-wlan1\n129 kworker/R-wlan1\n\nFix this leakage by putting back hif_workqueue allocation in\nwilc_cfg80211_init. Regarding the workqueue name, it is indeed relevant to\nset it lowercase, however it is not  attached to a specific netdev, so\nenforcing netdev name in the name is not so relevant. Still, enrich the\nname with the wiphy name to make it clear which phy is using the workqueue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27391",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()\n\nWhen nvme_identify_ns() fails, it frees the pointer to the struct\nnvme_id_ns before it returns. However, ns_update_nuse() calls kfree()\nfor the pointer even when nvme_identify_ns() fails. This results in\nKASAN double-free, which was observed with blktests nvme/045 with\nproposed patches [1] on the kernel v6.8-rc7. Fix the double-free by\nskipping kfree() when nvme_identify_ns() fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27392",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27393",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix Use-After-Free in tcp_ao_connect_init\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof tcp_ao_connect_init, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27394",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27395",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27396",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  <TASK>\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  </TASK>\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  <TASK>\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27399",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27400",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27401",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.",
          "scorev2": "0.0",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27402",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\n\ndst is transferred to the flow object, route object does not own it\nanymore.  Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27403",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data races on remote_id\n\nSimilar to the previous patch, address the data race on\nremote_id, adding the suitable ONCE annotations.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27404",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\n\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\n\nAdding a few custom traces showed the following:\n[002] d..1  7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1  7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\n\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\n\nSame is the case with packets of size 2048:\n[002] d..1  7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1  7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\n\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\n\n Transfer 2959 - Bytes Transferred(1025)  Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n       Data(1024 bytes)\n       Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n       Data(1 byte)\n       Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\n\nAccording to Windows driver, no ZLP is needed if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27405",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/Kconfig.debug: TEST_IOV_ITER depends on MMU\n\nTrying to run the iov_iter unit test on a nommu system such as the qemu\nkc705-nommu emulation results in a crash.\n\n    KTAP version 1\n    # Subtest: iov_iter\n    # module: kunit_iov_iter\n    1..9\nBUG: failure at mm/nommu.c:318/vmap()!\nKernel panic - not syncing: BUG!\n\nThe test calls vmap() directly, but vmap() is not supported on nommu\nsystems, causing the crash.  TEST_IOV_ITER therefore needs to depend on\nMMU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27406",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27407",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27408",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: HDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe HDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27409",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt's currently possible to change the mesh ID when the\ninterface isn't yet in mesh mode, at the same time as\nchanging it into mesh mode. This leads to an overwrite\nof data in the wdev->u union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere's no userspace that's going to do this, so just\ndisallow changes in iftype when setting mesh ID.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27410",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: keep DMA buffers required for suspend/resume\n\nNouveau deallocates a few buffers post GPU init which are required for GPU suspend/resume to function correctly.\nThis is likely not as big an issue on systems where the NVGPU is the only GPU, but on multi-GPU set ups it leads to a regression where the kernel module errors and results in a system-wide rendering freeze.\n\nThis commit addresses that regression by moving the two buffers required for suspend and resume to be deallocated at driver unload instead of post init.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27411",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.9"
        },
        {
          "id": "CVE-2024-27412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx-i2c: Do not free non existing IRQ\n\nThe bq27xxx i2c-client may not have an IRQ, in which case\nclient->irq will be 0. bq27xxx_battery_i2c_probe() already has\nan if (client->irq) check wrapping the request_threaded_irq().\n\nBut bq27xxx_battery_i2c_remove() unconditionally calls\nfree_irq(client->irq) leading to:\n\n[  190.310742] ------------[ cut here ]------------\n[  190.310843] Trying to free already-free IRQ 0\n[  190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310\n\nFollowed by a backtrace when unbinding the driver. Add\nan if (client->irq) to bq27xxx_battery_i2c_remove() mirroring\nprobe() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27412",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect allocation size\n\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\n\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\n\nUse the correct type instead here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27413",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back\n\nIn the commit d73ef2d69c0d (\"rtnetlink: let rtnl_bridge_setlink checks\nIFLA_BRIDGE_MODE length\"), an adjustment was made to the old loop logic\nin the function `rtnl_bridge_setlink` to enable the loop to also check\nthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustment\nremoved the `break` statement and led to an error logic of the flags\nwriting back at the end of this function.\n\nif (have_flags)\n    memcpy(nla_data(attr), &flags, sizeof(flags));\n    // attr should point to IFLA_BRIDGE_FLAGS NLA !!!\n\nBefore the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.\nHowever, this is not necessarily true for now as the updated loop will let\nthe attr point to the last NLA, even an invalid NLA which could cause\noverflow writes.\n\nThis patch introduces a new variable `br_flag` to save the NLA pointer\nthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned\nerror logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27414",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: confirm multicast packets before passing them up the stack\n\nconntrack nf_confirm logic cannot handle cloned skbs referencing\nthe same nf_conn entry, which will happen for multicast (broadcast)\nframes on bridges.\n\n Example:\n    macvlan0\n       |\n      br0\n     /  \\\n  ethX    ethY\n\n ethX (or Y) receives a L2 multicast or broadcast packet containing\n an IP packet, flow is not yet in conntrack table.\n\n 1. skb passes through bridge and fake-ip (br_netfilter) Prerouting.\n    -> skb->_nfct now references an unconfirmed entry\n 2. skb is broad/mcast packet. bridge now passes clones out on each bridge\n    interface.\n 3. skb gets passed up the stack.\n 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb\n    and schedules a work queue to send them out on the lower devices.\n\n    The clone skb->_nfct is not a copy, it is the same entry as the\n    original skb.  The macvlan rx handler then returns RX_HANDLER_PASS.\n 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.\n\nThe Macvlan broadcast worker and normal confirm path will race.\n\nThis race will not happen if step 2 already confirmed a clone. In that\ncase later steps perform skb_clone() with skb->_nfct already confirmed (in\nhash table).  This works fine.\n\nBut such confirmation won't happen when eb/ip/nftables rules dropped the\npackets before they reached the nf_confirm step in postrouting.\n\nPablo points out that nf_conntrack_bridge doesn't allow use of stateful\nnat, so we can safely discard the nf_conn entry and let inet call\nconntrack again.\n\nThis doesn't work for bridge netfilter: skb could have a nat\ntransformation. Also bridge nf prevents re-invocation of inet prerouting\nvia 'sabotage_in' hook.\n\nWork around this problem by explicit confirmation of the entry at LOCAL_IN\ntime, before upper layer has a chance to clone the unconfirmed entry.\n\nThe downside is that this disables NAT and conntrack helpers.\n\nAlternative fix would be to add locking to all code parts that deal with\nunconfirmed packets, but even if that could be done in a sane way this\nopens up other problems, for example:\n\n-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4\n-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5\n\nFor multicast case, only one of such conflicting mappings will be\ncreated, conntrack only handles 1:1 NAT mappings.\n\nUsers should create a setup that explicitly marks such traffic\nNOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass\nthem, ruleset might have accept rules for untracked traffic already,\nso user-visible behaviour would change.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27415",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST\n\nIf we received HCI_EV_IO_CAPA_REQUEST while\nHCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote\ndoes support SSP since otherwise this event shouldn't be generated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27416",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\n\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27417",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27418",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_net_busy_read\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27419",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\n\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\n\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27431",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-27432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix PPE hanging issue\n\nA patch to resolve an issue was found in MediaTek's GPL-licensed SDK:\nIn the mtk_ppe_stop() function, the PPE scan mode is not disabled before\ndisabling the PPE. This can potentially lead to a hang during the process\nof disabling the PPE.\n\nWithout this patch, the PPE may experience a hang during the reboot test.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27432",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe()\n\n'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling\nmtk_free_clk_data() explicitly in the remove function would lead to a\ndouble-free.\n\nRemove the redundant call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27433",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't set the MFP flag for the GTK\n\nThe firmware doesn't need the MFP flag for the GTK, it can even make the\nfirmware crash in case the AP is configured with: group cipher TKIP and\nMFPC. We would send the GTK with cipher = TKIP and MFP which is of course\nnot possible.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27434",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found an issue in a production environment while using NVMe over RDMA:\nadmin_q reconnect failed forever while the remote target and network were ok.\nAfter digging into it, we found it may be caused by an ABBA deadlock due to tag\nallocation. In my case, the tag was held by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while resetting ctrl, so the\nrequest was marked as idle and will not be processed before reset success. As\nfabric_q shares the tagset with admin_q, while reconnecting the remote target, we\nneed a tag for the connect command, but the only reserved tag was held\nby the keep alive command which was waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for the admin queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Stop parsing channel bits when all channels are found.\n\nIf a usb audio device sets more bits than the amount of channels\nit could write outside of the map array.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27436",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-27437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-31076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-32936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: Fix races while restarting DMA\n\nAfter the frame is submitted to DMA, it may happen that the submitted\nlist is not updated soon enough, and the DMA callback is triggered\nbefore that.\n\nThis can lead to kernel crashes, so move everything in a single\nlock/unlock section to prevent such races.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-32936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-33619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: libstub: only free priv.runtime_map when allocated\n\npriv.runtime_map is only allocated when efi_novamap is not set.\nOtherwise, it is an uninitialized value.  In the error path, it is freed\nunconditionally.  Avoid passing an uninitialized value to free_pool.\nFree priv.runtime_map only when it was allocated.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-33621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS:  0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<IRQ>\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n   packet_snd //skb->sk is packet sk\n      __dev_queue_xmit\n         __dev_xmit_skb //q->enqueue is not NULL\n             __qdisc_run\n               sch_direct_xmit\n                 dev_hard_start_xmit\n                   ipvlan_start_xmit\n                      ipvlan_xmit_mode_l3 //l3 mode\n                        ipvlan_process_outbound //vepa flag\n                          ipvlan_process_v6_outbound\n                            ip6_local_out\n                                __ip6_finish_output\n                                  ip6_finish_output2 //multicast packet\n                                    sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-33847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256)  --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP             [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs                           [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-33847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-34027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-34027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-34030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: of_property: Return error for int_map allocation failure\n\nReturn -ENOMEM from of_pci_prop_intr_map() if kcalloc() fails to prevent a\nNULL pointer dereference in this case.\n\n[bhelgaas: commit log]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-34030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-34777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n <TASK>\ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-34777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-35247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-35784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting.  Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed.  This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap.  This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc.  Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[   15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[   15.406913] Mem abort info:\n[   15.409722]   ESR = 0x0000000096000005\n[   15.413490]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   15.418814]   SET = 0, FnV = 0\n[   15.421878]   EA = 0, S1PTW = 0\n[   15.425031]   FSC = 0x05: level 1 translation fault\n[   15.429922] Data abort info:\n[   15.432813]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[   15.438310]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   15.443372]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[   15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[   15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix stale locked mutex in nouveau_gem_ioctl_pushbuf\n\nIf VM_BIND is enabled on the client the legacy submission ioctl can't be\nused, however if a client tries to do so regardless it will return an\nerror. In this case the clients mutex remained unlocked leading to a\ndeadlock inside nouveau_drm_postclose or any other nouveau ioctl call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: fix incorrect usage for sb_index\n\nCommit d7038f951828 (\"md-bitmap: don't use ->index for pages backing the\nbitmap file\") removed page->index from bitmap code, but left wrong code\nlogic for clustered-md. current code never set slot offset for cluster\nnodes, will sometimes cause crash in clustered env.\n\nCall trace (partly):\n md_bitmap_file_set_bit+0x110/0x1d8 [md_mod]\n md_bitmap_startwrite+0x13c/0x240 [md_mod]\n raid1_make_request+0x6b0/0x1c08 [raid1]\n md_handle_request+0x1dc/0x368 [md_mod]\n md_submit_bio+0x80/0xf8 [md_mod]\n __submit_bio+0x178/0x300\n submit_bio_noacct_nocheck+0x11c/0x338\n submit_bio_noacct+0x134/0x614\n submit_bio+0x28/0xdc\n submit_bh_wbc+0x130/0x1cc\n submit_bh+0x1c/0x28",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated.  I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rk3288 - Fix use after free in unprepare\n\nThe unprepare call must be carried out before the finalize call\nas the latter can free the request.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndebugfs: fix wait/cancellation handling during remove\n\nBen Greear further reports deadlocks during concurrent debugfs\nremove while files are being accessed, even though the code in\nquestion now uses debugfs cancellations. Turns out that despite\nall the review on the locking, we missed completely that the\nlogic is wrong: if the refcount hits zero we can finish (and\nneed not wait for the completion), but if it doesn't we have\nto trigger all the cancellations. As written, we can _never_\nget into the loop triggering the cancellations. Fix this, and\nexplain it better while at it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n   MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n   dm-raid relies on __md_stop_writes() to frozen sync_thread\n   indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n   md_stop_writes(), and since stop_sync_thread() is only used for\n   dm-raid in this case, also move stop_sync_thread() to\n   md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n   it only prevent new sync_thread to start, and it can't stop the\n   running sync thread; In order to frozen sync_thread, after seting the\n   flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n   it as condition for md_stop_writes() in raid_postsuspend() doesn't\n   look correct. Consider that reentrant stop_sync_thread() do nothing,\n   always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n   and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n   new sync_thread can start unexpected. Fix this by disallow\n   raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix deadlock while reading mqd from debugfs\n\nAn errant disk backup on my desktop got into debugfs and triggered the\nfollowing deadlock scenario in the amdgpu debugfs files. The machine\nalso hard-resets immediately after those lines are printed (although I\nwasn't able to reproduce that part when reading by hand):\n\n[ 1318.016074][ T1082] ======================================================\n[ 1318.016607][ T1082] WARNING: possible circular locking dependency detected\n[ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted\n[ 1318.017598][ T1082] ------------------------------------------------------\n[ 1318.018096][ T1082] tar/1082 is trying to acquire lock:\n[ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80\n[ 1318.019084][ T1082]\n[ 1318.019084][ T1082] but task is already holding lock:\n[ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]\n[ 1318.020607][ T1082]\n[ 1318.020607][ T1082] which lock already depends on the new lock.\n[ 1318.020607][ T1082]\n[ 1318.022081][ T1082]\n[ 1318.022081][ T1082] the existing dependency chain (in reverse order) is:\n[ 1318.023083][ T1082]\n[ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[ 1318.024114][ T1082]        __ww_mutex_lock.constprop.0+0xe0/0x12f0\n[ 1318.024639][ T1082]        ww_mutex_lock+0x32/0x90\n[ 1318.025161][ T1082]        dma_resv_lockdep+0x18a/0x330\n[ 1318.025683][ T1082]        do_one_initcall+0x6a/0x350\n[ 1318.026210][ T1082]        kernel_init_freeable+0x1a3/0x310\n[ 1318.026728][ T1082]        kernel_init+0x15/0x1a0\n[ 1318.027242][ T1082]        ret_from_fork+0x2c/0x40\n[ 1318.027759][ T1082]        ret_from_fork_asm+0x11/0x20\n[ 1318.028281][ T1082]\n[ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[ 1318.029297][ T1082]        dma_resv_lockdep+0x16c/0x330\n[ 1318.029790][ T1082]        do_one_initcall+0x6a/0x350\n[ 1318.030263][ T1082]        kernel_init_freeable+0x1a3/0x310\n[ 1318.030722][ T1082]        kernel_init+0x15/0x1a0\n[ 1318.031168][ T1082]        ret_from_fork+0x2c/0x40\n[ 1318.031598][ T1082]        ret_from_fork_asm+0x11/0x20\n[ 1318.032011][ T1082]\n[ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}:\n[ 1318.032778][ T1082]        __lock_acquire+0x14bf/0x2680\n[ 1318.033141][ T1082]        lock_acquire+0xcd/0x2c0\n[ 1318.033487][ T1082]        __might_fault+0x58/0x80\n[ 1318.033814][ T1082]        amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu]\n[ 1318.034181][ T1082]        full_proxy_read+0x55/0x80\n[ 1318.034487][ T1082]        vfs_read+0xa7/0x360\n[ 1318.034788][ T1082]        ksys_read+0x70/0xf0\n[ 1318.035085][ T1082]        do_syscall_64+0x94/0x180\n[ 1318.035375][ T1082]        entry_SYSCALL_64_after_hwframe+0x46/0x4e\n[ 1318.035664][ T1082]\n[ 1318.035664][ T1082] other info that might help us debug this:\n[ 1318.035664][ T1082]\n[ 1318.036487][ T1082] Chain exists of:\n[ 1318.036487][ T1082]   &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex\n[ 1318.036487][ T1082]\n[ 1318.037310][ T1082]  Possible unsafe locking scenario:\n[ 1318.037310][ T1082]\n[ 1318.037838][ T1082]        CPU0                    CPU1\n[ 1318.038101][ T1082]        ----                    ----\n[ 1318.038350][ T1082]   lock(reservation_ww_class_mutex);\n[ 1318.038590][ T1082]                                lock(reservation_ww_class_acquire);\n[ 1318.038839][ T1082]                                lock(reservation_ww_class_mutex);\n[ 1318.039083][ T1082]   rlock(&mm->mmap_lock);\n[ 1318.039328][ T1082]\n[ 1318.039328][ T1082]  *** DEADLOCK ***\n[ 1318.039328][ T1082]\n[ 1318.040029][ T1082] 1 lock held by tar/1082:\n[ 1318.040259][ T1082]  #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu]\n[ 1318.040560][ T1082]\n[ 1318.040560][ T1082] stack backtrace:\n[\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: cachestat: fix two shmem bugs\n\nWhen cachestat on shmem races with swapping and invalidation, there\nare two possible bugs:\n\n1) A swapin error can have resulted in a poisoned swap entry in the\n   shmem inode's xarray. Calling get_shadow_from_swap_cache() on it\n   will result in an out-of-bounds access to swapper_spaces[].\n\n   Validate the entry with non_swap_entry() before going further.\n\n2) When we find a valid swap entry in the shmem's inode, the shadow\n   entry in the swapcache might not exist yet: swap IO is still in\n   progress and we're before __remove_mapping; swapin, invalidation,\n   or swapoff have removed the shadow from swapcache after we saw the\n   shmem swap entry.\n\n   This will send a NULL to workingset_test_recent(). The latter\n   purely operates on pointer bits, so it won't crash - node 0, memcg\n   ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a\n   bogus test. In theory that could result in a false \"recently\n   evicted\" count.\n\n   Such a false positive wouldn't be the end of the world. But for\n   code clarity and (future) robustness, be explicit about this case.\n\n   Bail on get_shadow_from_swap_cache() returning NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race in read_extent_buffer_pages()\n\nThere are reports from tree-checker that detects corrupted nodes,\nwithout any obvious pattern so possibly an overwrite in memory.\nAfter some debugging it turns out there's a race when reading an extent\nbuffer: the uptodate status can be missed.\n\nTo prevent concurrent reads for the same extent buffer,\nread_extent_buffer_pages() performs these checks:\n\n    /* (1) */\n    if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))\n        return 0;\n\n    /* (2) */\n    if (test_and_set_bit(EXTENT_BUFFER_READING, &eb->bflags))\n        goto done;\n\nAt this point, it seems safe to start the actual read operation. Once\nthat completes, end_bbio_meta_read() does\n\n    /* (3) */\n    set_extent_buffer_uptodate(eb);\n\n    /* (4) */\n    clear_bit(EXTENT_BUFFER_READING, &eb->bflags);\n\nNormally, this is enough to ensure only one read happens, and all other\ncallers wait for it to finish before returning.  Unfortunately, there is\na racy interleaving:\n\n    Thread A | Thread B | Thread C\n    ---------+----------+---------\n       (1)   |          |\n             |    (1)   |\n       (2)   |          |\n       (3)   |          |\n       (4)   |          |\n             |    (2)   |\n             |          |    (1)\n\nWhen this happens, thread B kicks off an unnecessary read. Worse, thread\nC will see UPTODATE set and return immediately, while the read from\nthread B is still in progress.  This race could result in tree-checker\nerrors like this as the extent buffer is concurrently modified:\n\n    BTRFS critical (device dm-0): corrupted node, root=256\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\n    expect [256, 18446744073709551360]\n\nFix it by testing UPTODATE again after setting the READING bit, and if\nit's been set, skip the unnecessary read.\n\n[ minor update of changelog ]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix panic in kdump kernel\n\nCheck if get_next_variable() is actually valid pointer before\ncalling it. In kdump kernel this method is set to NULL that causes\npanic during the kexec-ed kernel boot.\n\nTested with QEMU and OVMF firmware.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n  5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time an EFI boot\nservice call is made.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault.  This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access.  Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written.  The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written.  And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was a reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more than 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubtracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that are protected by\n'reconfig_mutex'.\n\nHowever, holding 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix the lifetime of the bo cursor memory\n\nThe cleanup can be dispatched while the atomic update is still active,\nwhich means that the memory acquired in the atomic update needs to\nnot be invalidated by the cleanup. The buffer objects in vmw_plane_state\ninstead of using the builtin map_and_cache were trying to handle\nthe lifetime of the mapped memory themselves, leading to crashes.\n\nUse the map_and_cache instead of trying to manage the lifetime of the\nbuffer objects held by the vmw_plane_state.\n\nFixes kernel oops'es in IGT's kms_cursor_legacy forked-bo.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\n\nWhile the timeout worker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: Fix double-allocation of slots due to broken alignment handling\n\nCommit bbb73a103fbb (\"swiotlb: fix a braino in the alignment check fix\"),\nwhich was a fix for commit 0eee5ae10256 (\"swiotlb: fix slot alignment\nchecks\"), causes a functional regression with vsock in a virtual machine\nusing bouncing via a restricted DMA SWIOTLB pool.\n\nWhen virtio allocates the virtqueues for the vsock device using\ndma_alloc_coherent(), the SWIOTLB search can return page-unaligned\nallocations if 'area->index' was left unaligned by a previous allocation\nfrom the buffer:\n\n # Final address in brackets is the SWIOTLB address returned to the caller\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)\n\nThis ends badly (typically buffer corruption and/or a hang) because\nswiotlb_alloc() is expecting a page-aligned allocation and so blindly\nreturns a pointer to the 'struct page' corresponding to the allocation,\ntherefore double-allocating the first half (2KiB slot) of the 4KiB page.\n\nFix the problem by treating the allocation alignment separately to any\nadditional alignment requirements from the device, using the maximum\nof the two as the stride to search the buffer slots and taking care\nto ensure a minimum of page-alignment for buffers larger than a page.\n\nThis also resolves swiotlb allocation failures occurring due to the\ninclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and\nresulting in alignment requirements exceeding swiotlb_max_mapping_size().",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.12"
        },
        {
          "id": "CVE-2024-35816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: prevent leak of left-over IRQ on unbind\n\nCommit 5a95f1ded28691e6 (\"firewire: ohci: use devres for requested IRQ\")\nalso removed the call to free_irq() in pci_remove(), leading to a\nleftover irq of devm_request_irq() at pci_disable_msi() in pci_remove()\nwhen unbinding the driver from the device\n\nremove_proc_entry: removing non-empty directory 'irq/136', leaking at\nleast 'firewire_ohci'\nCall Trace:\n ? remove_proc_entry+0x19c/0x1c0\n ? __warn+0x81/0x130\n ? remove_proc_entry+0x19c/0x1c0\n ? report_bug+0x171/0x1a0\n ? console_unlock+0x78/0x120\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? remove_proc_entry+0x19c/0x1c0\n unregister_irq_proc+0xf4/0x120\n free_desc+0x3d/0xe0\n ? kfree+0x29f/0x2f0\n irq_free_descs+0x47/0x70\n msi_domain_free_locked.part.0+0x19d/0x1d0\n msi_domain_free_irqs_all_locked+0x81/0xc0\n pci_free_msi_irqs+0x12/0x40\n pci_disable_msi+0x4c/0x60\n pci_remove+0x9d/0xc0 [firewire_ohci\n     01b483699bebf9cb07a3d69df0aa2bee71db1b26]\n pci_device_remove+0x37/0xa0\n device_release_driver_internal+0x19f/0x200\n unbind_store+0xa1/0xb0\n\nremove irq with devm_free_irq() before pci_disable_msi()\nalso remove it in fail_msi: of pci_probe() as this would lead to\nan identical leak",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif the GPU accesses the gart address mistakenly, it will read an undefined value\ninstead of a page fault, harder to debug and reproduce the real issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Define the __io_aw() hook as mmiowb()\n\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") removed all mmiowb() in drivers, but it says:\n\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\n\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\n\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\n\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\n\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible to trigger the below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlapping buffers.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume\n\nWhen not configured for wakeup lis3lv02d_i2c_suspend() will call\nlis3lv02d_poweroff() even if the device has already been turned off\nby the runtime-suspend handler and if configured for wakeup and\nthe device is runtime-suspended at this point then it is not turned\nback on to serve as a wakeup source.\n\nBefore commit b1b9f7a49440 (\"misc: lis3lv02d_i2c: Add missing setting\nof the reg_ctrl callback\"), lis3lv02d_poweroff() failed to disable\nthe regulators which as a side effect made calling poweroff() twice ok.\n\nNow that poweroff() correctly disables the regulators, doing this twice\ntriggers a WARN() in the regulator core:\n\nunbalanced disables for regulator-dummy\nWARNING: CPU: 1 PID: 92 at drivers/regulator/core.c:2999 _regulator_disable\n...\n\nFix lis3lv02d_i2c_suspend() to not call poweroff() a second time if\nalready runtime-suspended and add a poweron() call when necessary to\nmake wakeup work.\n\nlis3lv02d_i2c_resume() has similar issues, with an added weirdness that\nit always powers on the device if it is runtime suspended, after which\nthe first runtime-resume will call poweron() again, causing the enabled\ncount for the regulator to increase by 1 every suspend/resume. These\nunbalanced regulator_enable() calls cause the regulator to never\nbe turned off and trigger the following WARN() on driver unbind:\n\nWARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put\n\nFix this by making lis3lv02d_i2c_resume() mirror the new suspend().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.7.12"
        },
        {
          "id": "CVE-2024-35825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there\u2019s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying whether the leftover bytes to be processed are zero\nor not. If the block length reads zero, we would process the same\nNTB infinitely because the leftover bytes are never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long).  Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int.  If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96  <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well.  That's not a bug but the\ncast is unnecessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\n\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf need to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix a memleak in lima_heap_alloc\n\nWhen lima_vm_map_bo fails, the resources need to be deallocated, or\nthere will be memleaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tc358743: register v4l2 async device only after successful setup\n\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix release of pinned pages when __io_uaddr_map fails\n\nLooking at the error path of __io_uaddr_map, if we fail after pinning\nthe pages for any reasons, ret will be set to -EINVAL and the error\nhandler won't properly release the pinned pages.\n\nI didn't manage to trigger it without forcing a failure, but it can\nhappen in real life when memory is heavily fragmented.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOtherwise umount will trigger:\n\n[  406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[  406.830676 ] #PF: supervisor read access in kernel mode\n[  406.831643 ] #PF: error_code(0x0000) - not-present page\n[  406.832487 ] PGD 0 P4D 0\n[  406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[  406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G           OE      6.7.0-rc7-custom+ #90\n[  406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[  406.835796 ] RIP: 0010:kfree+0x62/0x140\n[  406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[  406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[  406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[  406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[  406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[  406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[  406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[  406.840451 ] FS:  00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[  406.840851 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[  406.841464 ] Call Trace:\n[  406.841583 ]  <TASK>\n[  406.841682 ]  ? __die+0x1f/0x70\n[  406.841828 ]  ? page_fault_oops+0x159/0x470\n[  406.842014 ]  ? fixup_exception+0x22/0x310\n[  406.842198 ]  ? exc_page_fault+0x1ed/0x200\n[  406.842382 ]  ? asm_exc_page_fault+0x22/0x30\n[  406.842574 ]  ? bch2_fs_release+0x54/0x280 [bcachefs]\n[  406.842842 ]  ? kfree+0x62/0x140\n[  406.842988 ]  ? kfree+0x104/0x140\n[  406.843138 ]  bch2_fs_release+0x54/0x280 [bcachefs]\n[  406.843390 ]  kobject_put+0xb7/0x170\n[  406.843552 ]  deactivate_locked_super+0x2f/0xa0\n[  406.843756 ]  cleanup_mnt+0xba/0x150\n[  406.843917 ]  task_work_run+0x59/0xa0\n[  406.844083 ]  exit_to_user_mode_prepare+0x197/0x1a0\n[  406.844302 ]  syscall_exit_to_user_mode+0x16/0x40\n[  406.844510 ]  do_syscall_64+0x4e/0xf0\n[  406.844675 ]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[  406.844907 ] RIP: 0033:0x7f0a2664e4fb",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: recycle buffer in case Rx queue was full\n\nAdd missing xsk_buff_free() call when __xsk_rcv_zc() failed to produce\ndescriptor to XSK Rx queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix pin dump crash for rebound module\n\nWhen a kernel module is unbound but the pin resources were not entirely\nfreed (another kernel module instance of the same PCI device has kept\na reference to that pin), and the kernel module is again bound, the pin\nproperties would not be updated (the properties are only assigned when\nmemory for the pin is allocated), so the prop pointer still points to the\nmemory of the kernel module which was deallocated on the\nunbind.\n\nIf the pin dump is invoked in this state, the result is a kernel crash.\nPrevent the crash by storing persistent pin properties in dpll subsystem,\ncopy the content from the kernel module when pin is allocated, instead of\nusing memory of the kernel module.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister values persist after booting the kernel using\nkexec, which results in a kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix potential sta-link leak\n\nWhen a station is allocated, links are added but not\nset to valid yet (e.g. during connection to an AP MLD),\nwe might remove the station without ever marking links\nvalid, and leak them. Fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\n\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from being\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\n\narp_process\n  neigh_update\n    skb = __skb_dequeue(&neigh->arp_queue)\n      neigh_resolve_output(..., skb)\n        ...\n          br_nf_dev_xmit\n            br_nf_pre_routing_finish_bridge_slow\n              skb->dev = nf_bridge->physindev\n              br_handle_frame_finish\n\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls, fix WARNING in __sk_msg_free\n\nA splice with MSG_SPLICE_PAGES will cause tls code to use the\ntls_sw_sendmsg_splice path in the TLS sendmsg code to move the user\nprovided pages from the msg into the msg_pl. This will loop over the\nmsg until msg_pl is full, checked by sk_msg_full(msg_pl). The user\ncan also set the MORE flag to hint the stack to delay sending until receiving\nmore pages and ideally a full buffer.\n\nIf the user adds more pages to the msg than can fit in the msg_pl\nscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send\nthe buffer anyway.\n\nWhat actually happens though is we abort the msg to msg_pl scatterlist\nsetup and then because we forget to set 'full record' indicating we\ncan no longer consume data without a send we fall through to the 'continue'\npath which will check if msg_data_left(msg) has more bytes to send and\nthen attempts to fit them in the already full msg_pl. Then next\niteration of sender doing send will encounter a full msg_pl and throw\nthe warning in the syzbot report.\n\nTo fix simply check if we have a full_record in splice code path and\nif not send the msg regardless of MORE flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: sof-common: Add NULL check for normal_link string\n\nIt's not guaranteed that all entries of struct sof_conn_stream declare\na `normal_link` (a non-SOF, direct link) string, and this is the case\nfor SoCs that support only SOF paths (hence do not support both direct\nand SOF usecases).\n\nFor example, in the case of MT8188 there is no normal_link string in\nany of the sof_conn_stream entries and there will be more drivers\ndoing that in the future.\n\nTo avoid possible NULL pointer KPs, add a NULL check for `normal_link`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-35843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix reserve_cblocks counting error when out of space\n\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\n\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\n\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\n\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\n\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\n\nThis is because the file has only one direct_node. After -ENOSPC is\nreturned, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\n\nAfter this patch, the fsck flag will be set to fix this problem.\n\nunisoc # df -h | grep dm-48\n/dev/block/dm-48             112G 112G  1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot then fsck will be executed\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix shrinker NULL crash with cgroup_disable=memory\n\nChristian reports a NULL deref in zswap that he bisected down to the zswap\nshrinker.  The issue also cropped up in the bug trackers of libguestfs [1]\nand the Red Hat bugzilla [2].\n\nThe problem is that when memcg is disabled with the boot time flag, the\nzswap shrinker might get called with sc->memcg == NULL.  This is okay in\nmany places, like the lruvec operations.  But it crashes in\nmemcg_page_state() - which is only used due to the non-node accounting of\nthe cgroup's zswap memory to begin with.\n\nNhat spotted that the memcg can be NULL in the memcg-disabled case, and I\nwas then able to reproduce the crash locally as well.\n\n[1] https://github.com/libguestfs/libguestfs/issues/139\n[2] https://bugzilla.redhat.com/show_bug.cgi?id=2275252",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak in\nbtrfs_ioctl_logical_to_ino():\n\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev setup\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nsetup() is called for a non-serdev controller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n  comm \"kworker/0:16\", pid 176, jiffies 4295460353\n  hex dump (first 32 bytes):\n    00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80  .0......a.......\n    00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00  ..a.@...........\n  backtrace (crc 2544ddb9):\n    [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n    [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n    [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n    [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n    [<00000000e81fd734>] process_one_work+0x59c/0xf20\n    [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n    [<00000000bda6fe39>] kthread+0x246/0x300\n    [<0000000070056d23>] ret_from_fork+0x34/0x70\n    [<00000000dea2b93e>] 
ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G        W          6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. 
MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "6.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. 
MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n 
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix double free of skb in coredump\n\nhci_devcd_append() would free the skb on error so the caller don't\nhave to free it again otherwise it would cause the double free of skb.\n\nReported-by : Dan Carpenter <dan.carpenter@linaro.org>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include <net/addrconf.h>",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix memory leak when bringing down interface\n\nWhen bringing down the TX rings we flush the rings but forget to\nreclaimed the flushed packets. This leads to a memory leak since we\ndo not free the dma mapped buffers. This also leads to tx control\nblock corruption when bringing down the interface for power\nmanagement.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix module reference leakage from bdev_open_by_dev error path\n\nAt the time bdev_may_open() is called, module reference is grabbed\nalready, hence module reference should be released if bdev_may_open()\nfailed.\n\nThis problem is found by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support deferring bpf_link dealloc to after RCU grace period\n\nBPF link for some program types is passed as a \"context\" which can be\nused by those BPF programs to look up additional information. E.g., for\nmulti-kprobes and multi-uprobes, link is used to fetch BPF cookie values.\n\nBecause of this runtime dependency, when bpf_link refcnt drops to zero\nthere could still be active BPF programs running accessing link data.\n\nThis patch adds generic support to defer bpf_link dealloc callback to\nafter RCU GP, if requested. This is done by exposing two different\ndeallocation callbacks, one synchronous and one deferred. If deferred\none is provided, bpf_link_free() will schedule dealloc_deferred()\ncallback to happen after RCU GP.\n\nBPF is using two flavors of RCU: \"classic\" non-sleepable one and RCU\ntasks trace one. The latter is used when sleepable BPF programs are\nused. bpf_link_free() accommodates that by checking underlying BPF\nprogram's sleepable flag, and goes either through normal RCU GP only for\nnon-sleepable, or through RCU tasks trace GP *and* then normal RCU GP\n(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF\nprogram is sleepable.\n\nWe use this for multi-kprobe and multi-uprobe links, which dereference\nlink during program run. We also preventively switch raw_tp link to use\ndeferred dealloc callback, as upcoming changes in bpf-next tree expose\nraw_tp link data (specifically, cookie value) to BPF program at runtime\nas well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted.  They're all needed across\nthe entire DFS mount.  Get rid of @tcon->dfs_ses_list while we're at\nit, too.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses().  This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b 
RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n   register state for PID 1 and other user processes started by the kernel has\n   sp = user stack, gp = kernel __global_pointer$, all other integer registers\n   zeroed by the memset in the patch comment.\n\n   This is a bug in its own right, but I'm unwilling to bet that it is the only\n   way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n   before it execs, but ptrace requires SIGSTOP to be delivered which can only\n   happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n   user_mode_helpers before the exec completes, but gp is not one of the\n   registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n   LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. 
Much of the tracing infrastructure allows access to user registers. I have\n   not attempted to determine which forms of tracing allow access to user\n   registers without already allowing access to kernel registers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared.  Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru().  The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix vector state restore in rt_sigreturn()\n\nThe RISC-V Vector specification states in \"Appendix D: Calling\nConvention for Vector State\" [1] that \"Executing a system call causes\nall caller-saved vector registers (v0-v31, vl, vtype) and vstart to\nbecome unspecified.\". In the RISC-V kernel this is called \"discarding\nthe vstate\".\n\nReturning from a signal handler via the rt_sigreturn() syscall, vector\ndiscard is also performed. However, this is not an issue since the\nvector state should be restored from the sigcontext, and therefore not\ncare about the vector discard.\n\nThe \"live state\" is the actual vector register in the running context,\nand the \"vstate\" is the vector state of the task. A dirty live state\nmeans that the vstate and live state are not in sync.\n\nWhen vectorized user_from_copy() was introduced, a bug sneaked in at\nthe restoration code, related to the discard of the live state.\n\nAn example of when this goes wrong:\n\n  1. A userland application is executing vector code\n  2. The application receives a signal, and the signal handler is\n     entered.\n  3. The application returns from the signal handler, using the\n     rt_sigreturn() syscall.\n  4. The live vector state is discarded upon entering the\n     rt_sigreturn(), and the live state is marked as \"dirty\", indicating\n     that the live state need to be synchronized with the current\n     vstate.\n  5. rt_sigreturn() restores the vstate, except the Vector registers,\n     from the sigcontext\n  6. rt_sigreturn() restores the Vector registers, from the sigcontext,\n     and now the vectorized user_from_copy() is used. The dirty live\n     state from the discard is saved to the vstate, making the vstate\n     corrupt.\n  7. rt_sigreturn() returns to the application, which crashes due to\n     corrupted vstate.\n\nNote that the vectorized user_from_copy() is invoked depending on the\nvalue of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which\nmeans that vlen has to be larger than 128b for this bug to trigger.\n\nThe fix is simply to mark the live state as non-dirty/clean prior to\nperforming the vstate restore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: Fix null ptr deref in aio_complete() wakeup\n\nlist_del_init_careful() needs to be the last access to the wait queue\nentry - it effectively unlocks access.\n\nPreviously, finish_wait() would see the empty list head and skip taking\nthe lock, and then we'd return - but the completion path would still\nattempt to do the wakeup after the task_struct pointer had been\noverwritten.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n  [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, let's keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\n\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\n\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n                 return 1;\n         }\n\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n  1) of_platform_depopulate()\n  2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n  ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: hold io_buffer_list reference over mmap\n\nIf we look up the kbuf, ensure that it doesn't get unregistered until\nafter we're done with it. Since we're inside mmap, we cannot safely use\nthe io_uring lock. Rely on the fact that we can lookup the buffer list\nunder RCU now and grab a reference to it, preventing it from being\nunregistered until we're done with it. The lookup returns the\nio_buffer_list directly with it referenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a slow server-side memory leak with RPC-over-TCP\n\nJan Schunk reports that his small NFS servers suffer from memory\nexhaustion after just a few days. A bisect shows that commit\ne18e157bb5c8 (\"SUNRPC: Send RPC message on TCP with a single\nsock_sendmsg() call\") is the first bad commit.\n\nThat commit assumed that sock_sendmsg() releases all the pages in\nthe underlying bio_vec array, but the reality is that it doesn't.\nsvc_xprt_release() releases the rqst's response pages, but the\nrecord marker page fragment isn't one of those, so it is never\nreleased.\n\nThis is a narrow fix that can be applied to stable kernels. A\nmore extensive fix is in the works.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mchp-pci1xxx: Fix a possible null pointer dereference in pci1xxx_spi_probe\n\nIn function pci1xxxx_spi_probe, there is a potential null pointer that\nmay be caused by a failed memory allocation by the function devm_kzalloc.\nHence, a null pointer check needs to be added to prevent null pointer\ndereferencing later in the code.\n\nTo fix this issue, spi_bus->spi_int[iter] should be checked. The memory\nallocated by devm_kzalloc will be automatically released, so just directly\nreturn -ENOMEM without worrying about memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offsets are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n    RIP: 0010:skb_segment+0xd2a/0xf70\n    __udp_gso_segment+0xaa/0x560",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittently encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method.  One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004\n  CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S         OE     5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\n\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n      (Thread 1)          |      (Thread 2)\n                          | ax25_ds_timeout()\nax25_dev_device_down()    |\n  ax25_ds_del_timer()     |\n    del_timer()           |\n  ax25_dev_put() //FREE   |\n                          |  ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n    because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n  pskb_may_pull include/linux/skbuff.h:2756 [inline]\n  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:460 [inline]\n  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n  netif_receive_skb_internal net/core/dev.c:5738 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  tun_alloc_skb drivers/net/tun.c:1525 [inline]\n  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix kernel panic on unknown packet types\n\nIn the very rare case where a packet type is unknown to the driver,\nidpf_rx_process_skb_fields would return early without calling\neth_type_trans to set the skb protocol / the network layer handler.\nThis is especially problematic if tcpdump is running when such a\npacket is received, i.e. it would cause a kernel panic.\n\nInstead, call eth_type_trans for every single packet, even when\nthe packet type is unknown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n  kernel BUG at include/linux/skbuff.h:3131!  (skb_orphan)\n  RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n  Call Trace:\n   ipv6_list_rcv+0x250/0x3f0\n   __netif_receive_skb_list_core+0x49d/0x8f0\n   netif_receive_skb_list_internal+0x634/0xd40\n   napi_complete_done+0x1d2/0x7d0\n   gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: Fix potential null pointer dereference\n\nIn lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may\nreturn NULL as ptp_header due to abnormal packet type or corrupted packet.\nFix this bug by adding ptp_header check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n  #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n  #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n  #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n  #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n  #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n  #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n  #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n  #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline]\n  [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n  [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113\n  [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n  [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n  [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n  [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n  [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n  [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n  [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline]\n  [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline]\n  [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n  [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n  [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n  [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n  [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline]\n  [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n  [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n  [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n  [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: prevent BPF accessing lowat from a subflow socket.\n\nAlexei reported the following splat:\n\n WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0\n Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]\n CPU: 32 PID: 3276 Comm: test_progs Tainted: GO       6.8.0-12873-g2c43c33bfd23\n Call Trace:\n  <TASK>\n  mptcp_set_rcvlowat+0x79/0x1d0\n  sk_setsockopt+0x6c0/0x1540\n  __bpf_setsockopt+0x6f/0x90\n  bpf_sock_ops_setsockopt+0x3c/0x90\n  bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b\n  bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132\n  bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86\n  __cgroup_bpf_run_filter_sock_ops+0xbc/0x250\n  tcp_connect+0x879/0x1160\n  tcp_v6_connect+0x50c/0x870\n  mptcp_connect+0x129/0x280\n  __inet_stream_connect+0xce/0x370\n  inet_stream_connect+0x36/0x50\n  bpf_trampoline_6442491565+0x49/0xef\n  inet_stream_connect+0x5/0x50\n  __sys_connect+0x63/0x90\n  __x64_sys_connect+0x14/0x20\n\nThe root cause of the issue is that bpf allows accessing mptcp-level\nproto_ops from a tcp subflow scope.\n\nFix the issue detecting the problematic call and preventing any action.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&htab->buckets[i].lock);\n                               local_irq_disable();\n                               lock(&host->lock);\n                               lock(&htab->buckets[i].lock);\n  <Interrupt>\n    lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expect elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n  do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n  nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n </TASK>\n\nAllocated by task 7238:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:4069 [inline]\n  __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n  kmalloc_noprof include/linux/slab.h:664 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nrun concurrently with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd there is not any protection when iterating over the nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is a potential\ndata-race on nf_tables_flowtables list entries.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991]  <TASK>\n[ 1360.547998]  dump_stack_lvl+0x53/0x70\n[ 1360.548014]  print_report+0xc4/0x610\n[ 1360.548026]  ? __virt_addr_valid+0xba/0x160\n[ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176]  kasan_report+0xae/0xe0\n[ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591]  process_one_work+0x2f1/0x670\n[ 1360.548610]  worker_thread+0x4d3/0x760\n[ 1360.548627]  ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640]  kthread+0x16b/0x1b0\n[ 1360.548653]  ? __pfx_kthread+0x10/0x10\n[ 1360.548665]  ret_from_fork+0x2f/0x50\n[ 1360.548679]  ? __pfx_kthread+0x10/0x10\n[ 1360.548690]  ret_from_fork_asm+0x1a/0x30\n[ 1360.548707]  </TASK>\n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726]  kasan_save_stack+0x20/0x40\n[ 1360.548739]  kasan_save_track+0x14/0x30\n[ 1360.548750]  __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760]  __kmalloc_node+0x1f1/0x450\n[ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927]  netlink_unicast+0x367/0x4f0\n[ 1360.548935]  netlink_sendmsg+0x34b/0x610\n[ 1360.548944]  ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953]  ___sys_sendmsg+0xc9/0x120\n[ 1360.548961]  __sys_sendmsg+0xbe/0x140\n[ 1360.548971]  do_syscall_64+0x55/0x120\n[ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999]  kasan_save_stack+0x20/0x40\n[ 1360.549009]  kasan_save_track+0x14/0x30\n[ 1360.549019]  kasan_save_free_info+0x3b/0x60\n[ 1360.549028]  poison_slab_object+0x100/0x180\n[ 1360.549036]  __kasan_slab_free+0x14/0x30\n[ 1360.549042]  kfree+0xb6/0x260\n[ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221]  ops_exit_list+0x50/0xa0\n[ 1360.549229]  free_exit_list+0x101/0x140\n[ 1360.549236]  unregister_pernet_operations+0x107/0x160\n[ 1360.549245]  unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345]  __do_sys_delete_module+0x253/0x370\n[ 1360.549352]  do_syscall_64+0x55/0x120\n[ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350                   list_del(&flowtable->list);\n11351                   nft_use_dec(&table->use);\n11352                   nf_tables_flowtable_destroy(flowtable);\n11353           }\n11354           list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355                   list_del(&set->list);\n11356                   nft_use_dec(&table->use);\n11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358                           nft_map_deactivat\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n  add table x\n  add chain x y { type filter hook input priority 0; }\n  add table x { flags dormant; }\n  add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[  127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50                                                                     1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[  127.322519] Call Trace:\n[  127.322521]  <TASK>\n[  127.322524]  ? __warn+0x9f/0x1a0\n[  127.322531]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322537]  ? report_bug+0x1b1/0x1e0\n[  127.322545]  ? handle_bug+0x3c/0x70\n[  127.322552]  ? exc_invalid_op+0x17/0x40\n[  127.322556]  ? asm_exc_invalid_op+0x1a/0x20\n[  127.322563]  ? kasan_save_free_info+0x3b/0x60\n[  127.322570]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322577]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322583]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322590]  ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[  127.322655]  nft_table_disable+0x75/0xf0 [nf_tables]\n[  127.322717]  nf_tables_commit+0x2571/0x2620 [nf_tables]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix Rx DMA datasize and skb_over_panic\n\nmana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be\nmultiple of 64. So a packet slightly bigger than mtu+14, say 1536,\ncan be received and cause skb_over_panic.\n\nSample dmesg:\n[ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL>\n[ 5325.243689] ------------[ cut here ]------------\n[ 5325.245748] kernel BUG at net/core/skbuff.c:192!\n[ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60\n[ 5325.302941] Call Trace:\n[ 5325.304389]  <IRQ>\n[ 5325.315794]  ? skb_panic+0x4f/0x60\n[ 5325.317457]  ? asm_exc_invalid_op+0x1f/0x30\n[ 5325.319490]  ? skb_panic+0x4f/0x60\n[ 5325.321161]  skb_put+0x4e/0x50\n[ 5325.322670]  mana_poll+0x6fa/0xb50 [mana]\n[ 5325.324578]  __napi_poll+0x33/0x1e0\n[ 5325.326328]  net_rx_action+0x12e/0x280\n\nAs discussed internally, this alignment is not necessary. To fix\nthis bug, remove it from the code. So oversized packets will be\nmarked as CQE_RX_TRUNCATED by NIC, and dropped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n  - rds_get_mr()\n  - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n  (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n  where trans_private is assigned as per the previous point in this analysis.\n\n  The only implementation of get_mr that I could locate is rds_ib_get_mr()\n  which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n  Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n  this patch does seem to address a possible bug",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bpf: Fix IP after emitting call depth accounting\n\nAdjust the IP passed to `emit_patch` so it calculates the correct offset\nfor the CALL instruction if `x86_call_depth_emit_accounting` emits code.\nOtherwise we will skip some instructions and most likely crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertently\nremoved in a833a17aeac7.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled.  The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n   the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n   during its open(), something like:\n\n     Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n     Mem abort info:\n       ESR = 0x0000000086000004\n       EC = 0x21: IABT (current EL), IL = 32 bits\n       SET = 0, FnV = 0\n       EA = 0, S1PTW = 0\n       FSC = 0x04: level 0 translation fault\n     user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n     [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n     Internal error: Oops: 0000000086000004 [#1] SMP\n     CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu\n     Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n     pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n     pc : 0x0\n     lr : __napi_poll+0x40/0x230\n     sp : ffff800008003e00\n     x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n     x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n     x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n     x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n     x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n     x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n     x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n     x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n     x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n     x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n     Call trace:\n      0x0\n      net_rx_action+0x178/0x360\n      __do_softirq+0x15c/0x428\n      __irq_exit_rcu+0xac/0xec\n      irq_exit+0x18/0x2c\n      handle_domain_irq+0x6c/0xa0\n      gic_handle_irq+0xec/0x1b0\n      call_on_irq_stack+0x20/0x2c\n      do_interrupt_handler+0x5c/0x70\n      el1_interrupt+0x30/0x50\n      el1h_64_irq_handler+0x18/0x2c\n      el1h_64_irq+0x7c/0x80\n      __setup_irq+0x4c0/0x950\n      request_threaded_irq+0xf4/0x1bc\n      mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n      mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n      __dev_open+0x100/0x220\n      __dev_change_flags+0x16c/0x1f0\n      dev_change_flags+0x2c/0x70\n      do_setlink+0x220/0xa40\n      __rtnl_newlink+0x56c/0x8a0\n      rtnl_newlink+0x58/0x84\n      rtnetlink_rcv_msg+0x138/0x3c4\n      netlink_rcv_skb+0x64/0x130\n      rtnetlink_rcv+0x20/0x30\n      netlink_unicast+0x2ec/0x360\n      netlink_sendmsg+0x278/0x490\n      __sock_sendmsg+0x5c/0x6c\n      ____sys_sendmsg+0x290/0x2d4\n      ___sys_sendmsg+0x84/0xd0\n      __sys_sendmsg+0x70/0xd0\n      __arm64_sys_sendmsg+0x2c/0x40\n      invoke_syscall+0x78/0x100\n      el0_svc_common.constprop.0+0x54/0x184\n      do_el0_svc+0x30/0xac\n      el0_svc+0x48/0x160\n      el0t_64_sync_handler+0xa4/0x12c\n      el0t_64_sync+0x1a4/0x1a8\n     Code: bad PC value\n     ---[ end trace 7d1c3f3bf9d81885 ]---\n     Kernel panic - not syncing: Oops: Fatal exception in interrupt\n     Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n     PHYS_OFFSET: 0x80000000\n     CPU features: 0x0,000005c1,a3332a5a\n     Memory Limit: none\n     ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes.  Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Split 64bit accesses to fix alignment issues\n\nSome of the registers are aligned on a 32bit boundary, causing\nalignment faults on 64bit platforms.\n\n Unable to handle kernel paging request at virtual address ffffffc084a1d004\n Mem abort info:\n ESR = 0x0000000096000061\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x21: alignment fault\n Data abort info:\n ISV = 0, ISS = 0x00000061, ISS2 = 0x00000000\n CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000046ad6000\n [ffffffc084a1d004] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013ffff003, pmd=0068000020a00711\n Internal error: Oops: 0000000096000061 [#1] SMP\n Modules linked in: mtk_t7xx(+) qcserial pppoe ppp_async option nft_fib_inet nf_flow_table_inet mt7921u(O) mt7921s(O) mt7921e(O) mt7921_common(O) iwlmvm(O) iwldvm(O) usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7996e(O) mt792x_usb(O) mt792x_lib(O) mt7915e(O) mt76_usb(O) mt76_sdio(O) mt76_connac_lib(O) mt76(O) mac80211(O) iwlwifi(O) huawei_cdc_ncm cfg80211(O) cdc_ncm cdc_ether wwan usbserial usbnet slhc sfp rtc_pcf8563 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mt6577_auxadc mdio_i2c libcrc32c compat(O) cdc_wdm cdc_acm at24 crypto_safexcel pwm_fan i2c_gpio i2c_smbus industrialio i2c_algo_bit i2c_mux_reg i2c_mux_pca954x i2c_mux_pca9541 i2c_mux_gpio i2c_mux dummy oid_registry tun sha512_arm64 sha1_ce sha1_generic seqiv\n md5 geniv des_generic libdes cbc authencesn authenc leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd nvme nvme_core gpio_button_hotplug(O) dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax usbcore usb_common ptp aquantia pps_core mii tpm encrypted_keys trusted\n CPU: 3 PID: 5266 Comm: kworker/u9:1 Tainted: G O 6.6.22 #0\n Hardware name: Bananapi BPI-R4 (DT)\n Workqueue: md_hk_wq t7xx_fsm_uninit [mtk_t7xx]\n pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n lr : t7xx_cldma_start+0xac/0x13c [mtk_t7xx]\n sp : ffffffc085d63d30\n x29: ffffffc085d63d30 x28: 0000000000000000 x27: 0000000000000000\n x26: 0000000000000000 x25: ffffff80c804f2c0 x24: ffffff80ca196c05\n x23: 0000000000000000 x22: ffffff80c814b9b8 x21: ffffff80c814b128\n x20: 0000000000000001 x19: ffffff80c814b080 x18: 0000000000000014\n x17: 0000000055c9806b x16: 000000007c5296d0 x15: 000000000f6bca68\n x14: 00000000dbdbdce4 x13: 000000001aeaf72a x12: 0000000000000001\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : ffffff80ca1ef6b4 x7 : ffffff80c814b818 x6 : 0000000000000018\n x5 : 0000000000000870 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 000000010a947000 x1 : ffffffc084a1d004 x0 : ffffffc084a1d004\n Call trace:\n t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n t7xx_fsm_uninit+0x578/0x5ec [mtk_t7xx]\n process_one_work+0x154/0x2a0\n worker_thread+0x2ac/0x488\n kthread+0xe0/0xec\n ret_from_fork+0x10/0x20\n Code: f9400800 91001000 8b214001 d50332bf (f9000022)\n ---[ end trace 0000000000000000 ]---\n\nThe inclusion of io-64-nonatomic-lo-hi.h indicates that all 64bit\naccesses can be replaced by pairs of nonatomic 32bit access.  Fix\nalignment by forcing all accesses to be 32bit on 64bit platforms.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat uses sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport: inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.",
          "scorev2": "0.0",
          "scorev3": "5.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix memory corruption bug with suspend and rebuild\n\nThe ice driver would previously panic after suspend. This is caused\nfrom the driver *only* calling the ice_vsi_free_q_vectors() function by\nitself, when it is suspending. Since commit b3e7b3a6ee92 (\"ice: prevent\nNULL pointer deref during reload\") the driver has zeroed out\nnum_q_vectors, and only restored it in ice_vsi_cfg_def().\n\nThis further causes the ice_rebuild() function to allocate a zero length\nbuffer, after which num_q_vectors is updated, and then the new value of\nnum_q_vectors is used to index into the zero length buffer, which\ncorrupts memory.\n\nThe fix entails making sure all the code referencing num_q_vectors only\ndoes so after it has been reset via ice_vsi_cfg_def().\n\nI didn't perform a full bisect, but I was able to test against 6.1.77\nkernel and that ice driver works fine for suspend/resume with no panic,\nso sometime since then, this problem was introduced.\n\nAlso clean up an un-needed init of a local variable in the function\nbeing modified.\n\nPANIC from 6.8.0-rc1:\n\n[1026674.915596] PM: suspend exit\n[1026675.664697] ice 0000:17:00.1: PTP reset successful\n[1026675.664707] ice 0000:17:00.1: 2755 msecs passed between update to cached PHC time\n[1026675.667660] ice 0000:b1:00.0: PTP reset successful\n[1026675.675944] ice 0000:b1:00.0: 2832 msecs passed between update to cached PHC time\n[1026677.137733] ixgbe 0000:31:00.0 ens787: NIC Link is Up 1 Gbps, Flow Control: None\n[1026677.190201] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[1026677.192753] ice 0000:17:00.0: PTP reset successful\n[1026677.192764] ice 0000:17:00.0: 4548 msecs passed between update to cached PHC time\n[1026677.197928] #PF: supervisor read access in kernel mode\n[1026677.197933] #PF: error_code(0x0000) - not-present page\n[1026677.197937] PGD 1557a7067 P4D 0\n[1026677.212133] ice 0000:b1:00.1: PTP reset successful\n[1026677.212143] ice 0000:b1:00.1: 4344 msecs passed between update to cached PHC time\n[1026677.212575]\n[1026677.243142] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1026677.247918] CPU: 23 PID: 42790 Comm: kworker/23:0 Kdump: loaded Tainted: G        W          6.8.0-rc1+ #1\n[1026677.257989] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022\n[1026677.269367] Workqueue: ice ice_service_task [ice]\n[1026677.274592] RIP: 0010:ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice]\n[1026677.281421] Code: 0f 84 3a ff ff ff 41 0f b7 74 ec 02 66 89 b0 22 02 00 00 81 e6 ff 1f 00 00 e8 ec fd ff ff e9 35 ff ff ff 48 8b 43 30 49 63 ed <41> 0f b7 34 24 41 83 c5 01 48 8b 3c e8 66 89 b7 aa 02 00 00 81 e6\n[1026677.300877] RSP: 0018:ff3be62a6399bcc0 EFLAGS: 00010202\n[1026677.306556] RAX: ff28691e28980828 RBX: ff28691e41099828 RCX: 0000000000188000\n[1026677.314148] RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff28691e41099828\n[1026677.321730] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[1026677.329311] R10: 0000000000000007 R11: ffffffffffffffc0 R12: 0000000000000010\n[1026677.336896] R13: 0000000000000000 R14: 0000000000000000 R15: ff28691e0eaa81a0\n[1026677.344472] FS:  0000000000000000(0000) GS:ff28693cbffc0000(0000) knlGS:0000000000000000\n[1026677.353000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1026677.359195] CR2: 0000000000000010 CR3: 0000000128df4001 CR4: 0000000000771ef0\n[1026677.366779] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[1026677.374369] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[1026677.381952] PKRU: 55555554\n[1026677.385116] Call Trace:\n[1026677.388023]  <TASK>\n[1026677.390589]  ? __die+0x20/0x70\n[1026677.394105]  ? page_fault_oops+0x82/0x160\n[1026677.398576]  ? do_user_addr_fault+0x65/0x6a0\n[1026677.403307]  ? exc_page_fault+0x6a/0x150\n[1026677.407694]  ? asm_exc_page_fault+0x22/0x30\n[1026677.412349]  ? ice_vsi_rebuild_set_coalesce+0x130/0x1e0 [ice]\n[1026677.4186\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF\n\nWhen we want to know whether we should look for the mac_id or the\nlink_id in struct iwl_mvm_session_prot_notif, we should look at the\nversion of SESSION_PROTECTION_NOTIF.\n\nThis causes WARNINGs:\n\nWARNING: CPU: 0 PID: 11403 at drivers/net/wireless/intel/iwlwifi/mvm/time-event.c:959 iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm]\nRIP: 0010:iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm]\nCode: 00 49 c7 84 24 48 07 00 00 00 00 00 00 41 c6 84 24 78 07 00 00 ff 4c 89 f7 e8 e9 71 54 d9 e9 7d fd ff ff 0f 0b e9 23 fe ff ff <0f> 0b e9 1c fe ff ff 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffb4bb00003d40 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff9ae63a361000 RCX: ffff9ae4a98b60d4\nRDX: ffff9ae4588499c0 RSI: 0000000000000305 RDI: ffff9ae4a98b6358\nRBP: ffffb4bb00003d68 R08: 0000000000000003 R09: 0000000000000010\nR10: ffffb4bb00003d00 R11: 000000000000000f R12: ffff9ae441399050\nR13: ffff9ae4761329e8 R14: 0000000000000001 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff9ae7af400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055fb75680018 CR3: 00000003dae32006 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x150\n ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm]\n ? report_bug+0x196/0x1c0\n ? handle_bug+0x45/0x80\n ? exc_invalid_op+0x1c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? iwl_mvm_rx_session_protect_notif+0x333/0x340 [iwlmvm]\n iwl_mvm_rx_common+0x115/0x340 [iwlmvm]\n iwl_mvm_rx_mq+0xa6/0x100 [iwlmvm]\n iwl_pcie_rx_handle+0x263/0xa10 [iwlwifi]\n iwl_pcie_napi_poll_msix+0x32/0xd0 [iwlwifi]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix error cleanup path in nfsd_rename()\n\nCommit a8b0026847b8 (\"rename(): avoid a deadlock in the case of parents\nhaving no common ancestor\") added an error bail out path. However this\npath does not drop the remount protection that has been acquired. Fix\nthe cleanup path to properly drop the remount protection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: Fix NULL pointer dereference in sanitycheck()\n\nIf due to a memory allocation failure mock_chain() returns NULL, it is\npassed to dma_fence_enable_sw_signaling() resulting in NULL pointer\ndereference there.\n\nCall dma_fence_enable_sw_signaling() only if mock_chain() succeeds.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/bpf: Fix bpf_plt pointer arithmetic\n\nKui-Feng Lee reported a crash on s390x triggered by the\ndummy_st_ops/dummy_init_ptr_arg test [1]:\n\n  [<0000000000000002>] 0x2\n  [<00000000009d5cde>] bpf_struct_ops_test_run+0x156/0x250\n  [<000000000033145a>] __sys_bpf+0xa1a/0xd00\n  [<00000000003319dc>] __s390x_sys_bpf+0x44/0x50\n  [<0000000000c4382c>] __do_syscall+0x244/0x300\n  [<0000000000c59a40>] system_call+0x70/0x98\n\nThis is caused by GCC moving memcpy() after assignments in\nbpf_jit_plt(), resulting in NULL pointers being written instead of\nthe return and the target addresses.\n\nLooking at the GCC internals, the reordering is allowed because the\nalias analysis thinks that the memcpy() destination and the assignments'\nleft-hand-sides are based on different objects: new_plt and\nbpf_plt_ret/bpf_plt_target respectively, and therefore they cannot\nalias.\n\nThis is in turn due to a violation of the C standard:\n\n  When two pointers are subtracted, both shall point to elements of the\n  same array object, or one past the last element of the array object\n  ...\n\nFrom the C's perspective, bpf_plt_ret and bpf_plt are distinct objects\nand cannot be subtracted. In the practical terms, doing so confuses the\nGCC's alias analysis.\n\nThe code was written this way in order to let the C side know a few\noffsets defined in the assembly. While nice, this is by no means\nnecessary. Fix the noncompliance by hardcoding these offsets.\n\n[1] https://lore.kernel.org/bpf/c9923c1d-971d-4022-8dc8-1364e929d34c@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect encoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_enc_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: adding lock to protect decoder context list\n\nAdd a lock for the ctx_list, to avoid accessing a NULL pointer\nwithin the 'vpu_dec_ipi_handler' function when the ctx_list has\nbeen deleted due to an unexpected behavior on the SCP IP block.\n\nHardware name: Google juniper sku16 board (DT)\npstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--)\npc : vpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec]\nlr : scp_ipi_handler+0xd0/0x194 [mtk_scp]\nsp : ffffffc0131dbbd0\nx29: ffffffc0131dbbd0 x28: 0000000000000000\nx27: ffffff9bb277f348 x26: ffffff9bb242ad00\nx25: ffffffd2d440d3b8 x24: ffffffd2a13ff1d4\nx23: ffffff9bb7fe85a0 x22: ffffffc0133fbdb0\nx21: 0000000000000010 x20: ffffff9b050ea328\nx19: ffffffc0131dbc08 x18: 0000000000001000\nx17: 0000000000000000 x16: ffffffd2d461c6e0\nx15: 0000000000000242 x14: 000000000000018f\nx13: 000000000000004d x12: 0000000000000000\nx11: 0000000000000001 x10: fffffffffffffff0\nx9 : ffffff9bb6e793a8 x8 : 0000000000000000\nx7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : fffffffffffffff0\nx3 : 0000000000000020 x2 : ffffff9bb6e79080\nx1 : 0000000000000010 x0 : ffffffc0131dbc08\nCall trace:\nvpu_dec_ipi_handler+0x58/0x1f8 [mtk_vcodec_dec (HASH:6c3f 2)]\nscp_ipi_handler+0xd0/0x194 [mtk_scp (HASH:7046 3)]\nmt8183_scp_irq_handler+0x44/0x88 [mtk_scp (HASH:7046 3)]\nscp_irq_handler+0x48/0x90 [mtk_scp (HASH:7046 3)]\nirq_thread_fn+0x38/0x94\nirq_thread+0x100/0x1c0\nkthread+0x140/0x1fc\nret_from_fork+0x10/0x30\nCode: 54000088 f94ca50a eb14015f 54000060 (f9400108)\n---[ end trace ace43ce36cbd5c93 ]---\nKernel panic - not syncing: Oops: Fatal exception\nSMP: stopping secondary CPUs\nKernel Offset: 0x12c4000000 from 0xffffffc010000000\nPHYS_OFFSET: 0xffffffe580000000\nCPU features: 0x08240002,2188200c\nMemory Limit: none",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\n\nThe stateless HEVC decoder saves the instance pointer in the context\nregardless if the initialization worked or not. This caused a use after\nfree, when the pointer is freed in case of a failure in the deinit\nfunction.\nOnly store the instance pointer when the initialization was successful,\nto solve this issue.\n\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n sp : ffff80008750bc20\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\n Call trace:\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\n  v4l2_release+0x7c/0x100\n  __fput+0x80/0x2d8\n  __fput_sync+0x58/0x70\n  __arm64_sys_close+0x40/0x90\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0x48/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x38/0xd8\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x1a8/0x1b0\n Code: d503201f f9401660 b900127f b900227f (f9400400)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[  770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[  770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[  770.948823] ------------[ cut here ]------------\n[  770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[  770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[  770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[  770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[  770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[  770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[  770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[  770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[  770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[  770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[  770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[  770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[  770.948875] FS:  00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[  770.948878] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[  770.948879] Call Trace:\n[  770.948880]  <TASK>\n[  770.948881]  ? show_trace_log_lvl+0x1c4/0x2df\n[  770.948884]  ? show_trace_log_lvl+0x1c4/0x2df\n[  770.948886]  ? __cancel_work_timer+0x103/0x190\n[  770.948887]  ? __flush_work.isra.0+0x212/0x230\n[  770.948889]  ? __warn+0x81/0x110\n[  770.948891]  ? __flush_work.isra.0+0x212/0x230\n[  770.948892]  ? report_bug+0x10a/0x140\n[  770.948895]  ? handle_bug+0x3c/0x70\n[  770.948898]  ? exc_invalid_op+0x14/0x70\n[  770.948899]  ? asm_exc_invalid_op+0x16/0x20\n[  770.948903]  ? __flush_work.isra.0+0x212/0x230\n[  770.948905]  __cancel_work_timer+0x103/0x190\n[  770.948907]  ? _raw_spin_unlock_irqrestore+0xa/0x30\n[  770.948910]  drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[  770.948923]  drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[  770.948933]  ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[  770.948942]  hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[  770.948944]  ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[  770.948951]  dpm_run_callback+0x4c/0x140\n[  770.948954]  __device_suspend_noir\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n        CPU2                                               CPU11\nkthread\nrcu_nocb_cb_kthread                                       ksys_write\nrcu_do_batch                                              vfs_write\nrcu_torture_timer_cb                                      proc_sys_write\n__kmem_cache_free                                         proc_sys_call_handler\nkmemleak_free                                             drop_caches_sysctl_handler\ndelete_object_full                                        drop_slab\n__delete_object                                           shrink_slab\nput_object                                                lazy_rcu_shrink_scan\ncall_rcu                                                  rcu_nocb_flush_bypass\n__call_rcu_commn                                            rcu_nocb_bypass_lock\n                                                            raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n                                                            atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended                                     WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended))                                          |\n                            |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan().  If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n    The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n    caused system hang.\n    [  557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n    [  557.373718] [drm] PCIE GART of 512M enabled.\n    [  557.373722] [drm] PTB located at 0x0000031FED700000\n    [  557.373788] [drm] VRAM is lost due to GPU reset!\n    [  557.373789] [drm] PSP is resuming...\n    [  557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n    [  557.547067] [drm] PCI error: detected callback, state(1)!!\n    [  557.547069] [drm] No support for XGMI hive yet...\n    [  557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n    [  557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n    [  557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n    [  557.610492] [drm] PCI error: slot reset callback!!\n    ...\n    [  560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n    [  560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n    [  560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n    [  560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G           OE     5.15.0-91-generic #101-Ubuntu\n    [  560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n    [  560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n    [  560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n    [  560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n    [  560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n    [  560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n    [  560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n    [  560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n    [  560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n    [  560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n    [  560.803889] FS:  0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n    [  560.812973] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    [  560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n    [  560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    [  560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n    [  560.843444] PKRU: 55555554\n    [  560.846480] Call Trace:\n    [  560.849225]  <TASK>\n    [  560.851580]  ? show_trace_log_lvl+0x1d6/0x2ea\n    [  560.856488]  ? show_trace_log_lvl+0x1d6/0x2ea\n    [  560.861379]  ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n    [  560.867778]  ? show_regs.part.0+0x23/0x29\n    [  560.872293]  ? __die_body.cold+0x8/0xd\n    [  560.876502]  ? die_addr+0x3e/0x60\n    [  560.880238]  ? exc_general_protection+0x1c5/0x410\n    [  560.885532]  ? asm_exc_general_protection+0x27/0x30\n    [  560.891025]  ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n    [  560.898323]  amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n    [  560.904520]  process_one_work+0x228/0x3d0\nHow:\n    In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n    all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[  110.908514] ------------[ cut here ]------------\n[  110.908529] refcount_t: underflow; use-after-free.\n[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32\n[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[  110.909170] sp : ffffffc00913b9c0\n[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[  110.909434] Call trace:\n[  110.909441]  refcount_dec_not_one+0xb8/0xc0\n[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]\n[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]\n[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]\n[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]\n[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]\n[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4\n[  110.914873]  invoke_syscall+0x4c/0x114\n[  110.914897]  el0_svc_common+0xd0/0x118\n[  110.914917]  do_el0_svc+0x38/0xd0\n[  110.914936]  el0_svc+0x30/0x8c\n[  110.914958]  el0t_64_sync_handler+0x84/0xf0\n[  110.914979]  el0t_64_sync+0x18c/0x190\n[  110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n  #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n  #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n <TASK>\n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not be enabled for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentary, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36         struct datagram_entry *entry;\n 37         struct work_struct work;\n 38         bool in_dg_host_queue;\n 39         /* msg and msg_payload must be together. */\n 40         struct vmci_datagram msg;\n 41         u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor a valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in the interrupt service routine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use a vif that wasn't scanning.\nFix this by using the actual scanning vif.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009.  Even if it looks \"unreachable\" (I didn't\nreally look), let's make sure by removing it, doing pr_err and returning\n-EINVAL instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overrunning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking.  This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n  [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n  [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n  [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n  [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n  [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n  [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n  [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n  [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n  [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n  [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n  [2.621] FS:  00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n  [2.621] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n  [2.621] Call Trace:\n  [2.621]  <TASK>\n  [2.621]  ? show_regs+0x74/0x80\n  [2.621]  ? die_addr+0x46/0xc0\n  [2.621]  ? exc_general_protection+0x161/0x2a0\n  [2.621]  ? asm_exc_general_protection+0x26/0x30\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? btrfs_get_16+0x34b/0x6d0\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? __pfx_btrfs_get_16+0x10/0x10\n  [2.621]  ? __pfx_mutex_unlock+0x10/0x10\n  [2.621]  btrfs_match_dir_item_name+0x101/0x1a0\n  [2.621]  btrfs_lookup_dir_item+0x1f3/0x280\n  [2.621]  ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n  [2.621]  btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some of the pages or the sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: Fix soft lockup\n\nThere is a while-loop in ast_dp_set_on_off() that could lead to an\ninfinite loop. This is because the register, VGACRI-Dx, checked in\nthis API is a scratch register actually controlled by an MCU, named\nDPMCU, in BMC.\n\nThese scratch registers are protected by scu-lock. If scu-lock is not\noff, DPMCU can not update these registers and then the host will have a soft\nlockup due to never updated status.\n\nDPMCU is used to control DP and relative registers to handshake with\nhost's VGA driver. Even the most time-consuming task, DP's link\ntraining, is less than 100ms. 200ms should be enough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix deadlock in context_xa\n\nivpu_device->context_xa is locked both in kernel thread and IRQ context.\nIt requires the XA_FLAGS_LOCK_IRQ flag to be passed during initialization,\notherwise the lock could be acquired from a thread and interrupted by\nan IRQ that locks it for the second time, causing the deadlock.\n\nThis deadlock was reported by lockdep and observed in internal tests.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Avoid sg device teardown race\n\nsg_remove_sfp_usercontext() must not use sg_device_destroy() after calling\nscsi_device_put().\n\nsg_device_destroy() is accessing the parent scsi_device request_queue which\nwill already be set to NULL when the preceding call to scsi_device_put()\nremoved the last reference to the parent scsi_device.\n\nThe resulting NULL pointer exception will then crash the kernel.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state changes MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes\nsome time. `is_module_text_address()` and `__module_text_address()`\nwork with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one succeeds but the\nnext one fails because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nfails, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\na non-existent module text address (use-after-free).\n\nTo fix this problem, we should not use separate `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix WARN_ON in iommu probe path\n\nCommit 1a75cc710b95 (\"iommu/vt-d: Use rbtree to track iommu probed\ndevices\") adds all devices probed by the iommu driver in an rbtree\nindexed by the source ID of each device. It assumes that each device\nhas a unique source ID. This assumption is incorrect and the VT-d\nspec doesn't state this requirement either.\n\nThe reason for using an rbtree to track devices is to look up the device\nwith PCI bus and devfunc in the paths of handling ATS invalidation time\nout error and the PRI I/O page faults. Both are PCI ATS feature related.\n\nOnly track the devices that have PCI ATS capabilities in the rbtree to\navoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some\nplatforms the below kernel splat will be displayed and the iommu probe results\nin failure.\n\n WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90\n Call Trace:\n  <TASK>\n  ? __warn+0x7e/0x180\n  ? intel_iommu_probe_device+0x319/0xd90\n  ? report_bug+0x1f8/0x200\n  ? handle_bug+0x3c/0x70\n  ? exc_invalid_op+0x18/0x70\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? intel_iommu_probe_device+0x319/0xd90\n  ? debug_mutex_init+0x37/0x50\n  __iommu_probe_device+0xf2/0x4f0\n  iommu_probe_device+0x22/0x70\n  iommu_bus_notifier+0x1e/0x40\n  notifier_call_chain+0x46/0x150\n  blocking_notifier_call_chain+0x42/0x60\n  bus_notify+0x2f/0x50\n  device_add+0x5ed/0x7e0\n  platform_device_add+0xf5/0x240\n  mfd_add_devices+0x3f9/0x500\n  ? preempt_count_add+0x4c/0xa0\n  ? up_write+0xa2/0x1b0\n  ? __debugfs_create_file+0xe3/0x150\n  intel_lpss_probe+0x49f/0x5b0\n  ? pci_conf1_write+0xa3/0xf0\n  intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci]\n  pci_device_probe+0x95/0x120\n  really_probe+0xd9/0x370\n  ? __pfx___driver_attach+0x10/0x10\n  __driver_probe_device+0x73/0x150\n  driver_probe_device+0x19/0xa0\n  __driver_attach+0xb6/0x180\n  ? __pfx___driver_attach+0x10/0x10\n  bus_for_each_dev+0x77/0xd0\n  bus_add_driver+0x114/0x210\n  driver_register+0x5b/0x110\n  ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci]\n  do_one_initcall+0x57/0x2b0\n  ? kmalloc_trace+0x21e/0x280\n  ? do_init_module+0x1e/0x210\n  do_init_module+0x5f/0x210\n  load_module+0x1d37/0x1fc0\n  ? init_module_from_file+0x86/0xd0\n  init_module_from_file+0x86/0xd0\n  idempotent_init_module+0x17c/0x230\n  __x64_sys_finit_module+0x56/0xb0\n  do_syscall_64+0x6e/0x140\n  entry_SYSCALL_64_after_hwframe+0x71/0x79",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.7"
        },
        {
          "id": "CVE-2024-35958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n  or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which led to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Register devlink first under devlink lock\n\nIn case the device has a non-fatal FW error during probe, the\ndriver will report the error to the user via devlink. This will trigger\na WARN_ON, since mlx5 is calling devlink_register() last.\nIn order to avoid the WARN_ON[1], change mlx5 to invoke devl_register()\nfirst under devlink lock.\n\n[1]\nWARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0\nCPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core]\nRIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0\nCall Trace:\n <TASK>\n ? __warn+0x79/0x120\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n devlink_health_report+0x4a/0x1c0\n mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core]\n process_one_work+0x1bb/0x3c0\n ? process_one_work+0x3c0/0x3c0\n worker_thread+0x4d/0x3c0\n ? process_one_work+0x3c0/0x3c0\n kthread+0xc6/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: complete validation of user input\n\nIn my recent commit, I missed that do_replace() handlers\nuse copy_from_sockptr() (which I fixed), followed\nby unsafe copy_from_sockptr_offset() calls.\n\nIn all functions, we can perform the @optlen validation\nbefore even calling xt_alloc_table_info() with the following\ncheck:\n\nif ((u64)optlen < (u64)tmp.size + sizeof(tmp))\n        return -EINVAL;",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.7"
        },
        {
          "id": "CVE-2024-35963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Fix not validating setsockopt user input\n\nCheck user input length before copying data.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix not validating setsockopt user input\n\nCheck user input length before copying data.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: Fix pdsc_check_pci_health function to use work thread\n\nWhen the driver notices fw_status == 0xff it tries to perform a PCI\nreset on itself via pci_reset_function() in the context of the driver's\nhealth thread. However, pdsc_reset_prepare calls\npdsc_stop_health_thread(), which attempts to stop/flush the health\nthread. This results in a deadlock because the stop/flush will never\ncomplete since the driver called pci_reset_function() from the health\nthread context. Fix by changing the pdsc_check_pci_health_function()\nto queue a newly introduced pdsc_pci_reset_thread() on the pdsc's\nwork queue.\n\nUnloading the driver in the fw_down/dead state uncovered another issue,\nwhich can be seen in the following trace:\n\nWARNING: CPU: 51 PID: 6914 at kernel/workqueue.c:1450 __queue_work+0x358/0x440\n[...]\nRIP: 0010:__queue_work+0x358/0x440\n[...]\nCall Trace:\n <TASK>\n ? __warn+0x85/0x140\n ? __queue_work+0x358/0x440\n ? report_bug+0xfc/0x1e0\n ? handle_bug+0x3f/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? __queue_work+0x358/0x440\n queue_work_on+0x28/0x30\n pdsc_devcmd_locked+0x96/0xe0 [pds_core]\n pdsc_devcmd_reset+0x71/0xb0 [pds_core]\n pdsc_teardown+0x51/0xe0 [pds_core]\n pdsc_remove+0x106/0x200 [pds_core]\n pci_device_remove+0x37/0xc0\n device_release_driver_internal+0xae/0x140\n driver_detach+0x48/0x90\n bus_remove_driver+0x6d/0xf0\n pci_unregister_driver+0x2e/0xa0\n pdsc_cleanup_module+0x10/0x780 [pds_core]\n __x64_sys_delete_module+0x142/0x2b0\n ? syscall_trace_enter.isra.18+0x126/0x1a0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7fbd9d03a14b\n[...]\n\nFix this by preventing the devcmd reset if the FW is not running.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n   reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increment the reference count\n   (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[   41.506330] refcount_t: addition on 0; use-after-free.\n[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[   41.507413] Modules linked in: veth bridge stp llc\n[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   41.516799] Call Trace:\n[   41.517037]  <TASK>\n[   41.517249]  ? __warn+0x7b/0x120\n[   41.517535]  ? refcount_warn_saturate+0xa5/0x130\n[   41.517923]  ? report_bug+0x164/0x190\n[   41.518240]  ? handle_bug+0x3d/0x70\n[   41.518541]  ? exc_invalid_op+0x17/0x70\n[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20\n[   41.521325]  ? refcount_warn_saturate+0xa5/0x130\n[   41.521708]  ipv6_get_ifaddr+0xda/0xe0\n[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0\n[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0\n[   41.523102]  ? netlink_unicast+0x30f/0x390\n[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   41.523832]  netlink_rcv_skb+0x53/0x100\n[   41.524157]  netlink_unicast+0x23b/0x390\n[   41.524484]  netlink_sendmsg+0x1f2/0x440\n[   41.524826]  __sys_sendto+0x1d8/0x1f0\n[   41.525145]  __x64_sys_sendto+0x1f/0x30\n[   41.525467]  do_syscall_64+0xa5/0x1b0\n[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[   41.526213] RIP: 0033:0x7fbc4cfcea9a\n[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   41.527942] RSP: 002b:00007f\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n  from socket import *\n  from array import array\n\n  c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n  c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n  c2.recv(1)  # blocked as no normal data in recv queue\n\n  c2.close()  # done async and unblock recv()\n  c1.close()  # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob().  When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb.  In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data.  When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n  >>> from socket import *\n  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n  >>> c1.send(b'hello', MSG_OOB)  # 'o' is OOB data\n  5\n  >>> c1.send(b'world')\n  5\n  >>> c2.recv(5)  # OOB data is not received\n  b'hell'\n  >>> c2.recv(5)  # OOB data is skipped\n  b'world'\n  >>> c2.recv(5, MSG_OOB)  # This should return an error\n  b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always sets\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1).  However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates.  Then, the old GC loses the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list.  That's why we couldn't even notice the issue.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init()\n\nIf ulp = kzalloc() fails, the allocated edev will leak because it is\nnot properly assigned and the cleanup path will not be able to free it.\nFix it by assigning it properly immediately after allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuse skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can be allocated/added for a single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should have started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix transmit scheduler resource leak\n\nIn order to support shaping and scheduling, upon class creation\nthe Netdev driver allocates transmit schedulers.\n\nThe previous patch which added support for Round robin scheduling has\na bug due to which the driver is not freeing transmit schedulers post\nclass deletion.\n\nThis patch fixes the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\n\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "6.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_uart: properly fix race condition\n\nThe cros_ec_uart_probe() function calls devm_serdev_device_open() before\nit calls serdev_device_set_client_ops(). This can trigger a NULL pointer\ndereference:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000000\n    ...\n    Call Trace:\n     <TASK>\n     ...\n     ? ttyport_receive_buf\n\nA simplified version of crashing code is as follows:\n\n    static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl,\n                                                      const u8 *data,\n                                                      size_t count)\n    {\n            struct serdev_device *serdev = ctrl->serdev;\n\n            if (!serdev || !serdev->ops->receive_buf) // CRASH!\n                return 0;\n\n            return serdev->ops->receive_buf(serdev, data, count);\n    }\n\nIt assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops\nwill also exist. This conflicts with the existing cros_ec_uart_probe()\nlogic, as it first calls devm_serdev_device_open() (which sets\nSERPORT_ACTIVE), and only later sets serdev->ops via\nserdev_device_set_client_ops().\n\nCommit 01f95d42b8f4 (\"platform/chrome: cros_ec_uart: fix race\ncondition\") attempted to fix a similar race condition, but while doing\nso, made the window of error for this race condition to happen much\nwider.\n\nAttempt to fix the race condition again, making sure we fully setup\nbefore calling devm_serdev_device_open().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill be set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0;  i < disks; i++) -> for each rdev in conf\n  // first rdev is normal\n  r1_bio->bios[0] = bio; -> set to original bio\n  // second rdev is blocked\n  if (test_bit(Blocked, &rdev->flags))\n   break\n\n if (blocked_rdev)\n  free_r1bio()\n   put_all_bios()\n    bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n    -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: tlb: Fix TLBI RANGE operand\n\nKVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty\npages are collected by VMM and the page table entries become write\nprotected during live migration. Unfortunately, the operand passed\nto the TLBI RANGE instruction isn't correctly sorted out due to the\ncommit 117940aa6e5f (\"KVM: arm64: Define kvm_tlb_flush_vmid_range()\").\nIt leads to crash on the destination VM after live migration because\nTLBs aren't flushed completely and some of the dirty pages are missed.\n\nFor example, I have a VM where 8GB memory is assigned, starting from\n0x40000000 (1GB). Note that the host has 4KB as the base page size.\nIn the middile of migration, kvm_tlb_flush_vmid_range() is executed\nto flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to\n__kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3\nand NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn't supported\nby __TLBI_RANGE_NUM(). In this specific case, -1 has been returned\nfrom __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop\nin the __flush_tlb_range_op() until the variable @scale underflows\nand becomes -9, 0xffff708000040000 is set as the operand. The operand\nis wrong since it's sorted out by __TLBI_VADDR_RANGE() according to\ninvalid @scale and @num.\n\nFix it by extending __TLBI_RANGE_NUM() to support the combination of\nSCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can\nbe returned from the macro, meaning the TLBs for 0x200000 pages in the\nabove example can be flushed in one shoot with SCALE#3 and NUM#31. The\nmacro TLBI_RANGE_MASK is dropped since no one uses it any more. The\ncomments are also adjusted accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Do not send RSS key if it is not supported\n\nThere is a bug when setting the RSS options in virtio_net that can break\nthe whole machine, getting the kernel into an infinite loop.\n\nRunning the following command in any QEMU virtual machine with virtionet\nwill reproduce this problem:\n\n    # ethtool -X eth0  hfunc toeplitz\n\nThis is how the problem happens:\n\n1) ethtool_set_rxfh() calls virtnet_set_rxfh()\n\n2) virtnet_set_rxfh() calls virtnet_commit_rss_command()\n\n3) virtnet_commit_rss_command() populates 4 entries for the rss\nscatter-gather\n\n4) Since the command above does not have a key, then the last\nscatter-gatter entry will be zeroed, since rss_key_size == 0.\nsg_buf_size = vi->rss_key_size;\n\n5) This buffer is passed to qemu, but qemu is not happy with a buffer\nwith zero length, and do the following in virtqueue_map_desc() (QEMU\nfunction):\n\n  if (!sz) {\n      virtio_error(vdev, \"virtio: zero sized buffers are not allowed\");\n\n6) virtio_error() (also QEMU function) set the device as broken\n\n    vdev->broken = true;\n\n7) Qemu bails out, and do not repond this crazy kernel.\n\n8) The kernel is waiting for the response to come back (function\nvirtnet_send_command())\n\n9) The kernel is waiting doing the following :\n\n      while (!virtqueue_get_buf(vi->cvq, &tmp) &&\n\t     !virtqueue_is_broken(vi->cvq))\n\t      cpu_relax();\n\n10) None of the following functions above is true, thus, the kernel\nloops here forever. Keeping in mind that virtqueue_is_broken() does\nnot look at the qemu `vdev->broken`, so, it never realizes that the\nvitio is broken at QEMU side.\n\nFix it by not sending RSS commands if the feature is not available in\nthe device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n  attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS\n\nbits_per() rounds up to the next power of two when passed a power of\ntwo.  This causes crashes on some machines and configurations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.9"
        },
        {
          "id": "CVE-2024-35984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()\n\nIt was possible to have pick_eevdf() return NULL, which then causes a\nNULL-deref. This turned out to be due to entity_eligible() returning\nfalsely negative because of a s64 multiplcation overflow.\n\nSpecifically, reweight_eevdf() computes the vlag without considering\nthe limit placed upon vlag as update_entity_lag() does, and then the\nscaling multiplication (remember that weight is 20bit fixed point) can\noverflow. This then leads to the new vruntime being weird which then\ncauses the above entity_eligible() to go side-ways and claim nothing\nis eligible.\n\nThus limit the range of vlag accordingly.\n\nAll this was quite rare, but fatal when it does happen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered\n\nThe power_supply frame-work is not really designed for there to be\nlong living in kernel references to power_supply devices.\n\nSpecifically unregistering a power_supply while some other code has\na reference to it triggers a WARN in power_supply_unregister():\n\n\tWARN_ON(atomic_dec_return(&psy->use_cnt));\n\nFolllowed by the power_supply still getting removed and the\nbacking data freed anyway, leaving the tusb1210 charger-detect code\nwith a dangling reference, resulting in a crash the next time\ntusb1210_get_online() is called.\n\nFix this by only holding the reference in tusb1210_get_online()\nfreeing it at the end of the function. Note this still leaves\na theoretical race window, but it avoids the issue when manually\nrmmod-ing the charger chip driver during development.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix loading 64-bit NOMMU kernels past the start of RAM\n\ncommit 3335068f8721 (\"riscv: Use PUD/P4D/PGD pages for the linear\nmapping\") added logic to allow using RAM below the kernel load address.\nHowever, this does not work for NOMMU, where PAGE_OFFSET is fixed to the\nkernel load address. Since that range of memory corresponds to PFNs\nbelow ARCH_PFN_OFFSET, mm initialization runs off the beginning of\nmem_map and corrupts adjacent kernel memory. Fix this by restoring the\nprevious behavior for NOMMU kernels.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n    BUG: unable to handle page fault for address: 000000000002a2b8\n    #PF: supervisor write access in kernel mode\n    #PF: error_code(0x0002) - not-present page\n    PGD 1470e1067 P4D 0\n    Oops: 0002 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n    Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n    RIP: 0010:mutex_lock+0x2e/0x50\n    ...\n    Call Trace:\n    <TASK>\n    __die+0x24/0x70\n    page_fault_oops+0x82/0x160\n    do_user_addr_fault+0x65/0x6b0\n    __pfx___rdmsr_safe_on_cpu+0x10/0x10\n    exc_page_fault+0x7d/0x170\n    asm_exc_page_fault+0x26/0x30\n    mutex_lock+0x2e/0x50\n    mutex_lock+0x1e/0x50\n    perf_pmu_migrate_context+0x87/0x1f0\n    perf_event_cpu_offline+0x76/0x90 [idxd]\n    cpuhp_invoke_callback+0xa2/0x4f0\n    __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n    cpuhp_thread_fun+0x98/0x150\n    smpboot_thread_fn+0x27/0x260\n    smpboot_thread_fn+0x1af/0x260\n    __pfx_smpboot_thread_fn+0x10/0x10\n    kthread+0x103/0x140\n    __pfx_kthread+0x10/0x10\n    ret_from_fork+0x31/0x50\n    __pfx_kthread+0x10/0x10\n    ret_from_fork_asm+0x1b/0x30\n    <TASK>\n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[   31.077578] ------------[ cut here ]------------\n[   31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[   31.077953] Modules linked in:\n[   31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[   31.078102] Hardware name: xlnx,zynqmp (DT)\n[   31.078169] Workqueue: events_unbound deferred_probe_work_func\n[   31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[   31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[   31.078550] sp : ffffffc083bb2e10\n[   31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[   31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[   31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[   31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[   31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[   31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[   31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[   31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[   31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[   31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[   31.080307] Call trace:\n[   31.080340]  xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[   31.080518]  xilinx_dpdma_issue_pending+0x11c/0x120\n[   31.080595]  zynqmp_disp_layer_update+0x180/0x3ac\n[   31.080712]  zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[   31.080825]  drm_atomic_helper_commit_planes+0x20c/0x684\n[   31.080951]  drm_atomic_helper_commit_tail+0x5c/0xb0\n[   31.081139]  commit_tail+0x234/0x294\n[   31.081246]  drm_atomic_helper_commit+0x1f8/0x210\n[   31.081363]  drm_atomic_commit+0x100/0x140\n[   31.081477]  drm_client_modeset_commit_atomic+0x318/0x384\n[   31.081634]  drm_client_modeset_commit_locked+0x8c/0x24c\n[   31.081725]  drm_client_modeset_commit+0x34/0x5c\n[   31.081812]  __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[   31.081899]  drm_fb_helper_set_par+0x50/0x70\n[   31.081971]  fbcon_init+0x538/0xc48\n[   31.082047]  visual_init+0x16c/0x23c\n[   31.082207]  do_bind_con_driver.isra.0+0x2d0/0x634\n[   31.082320]  do_take_over_console+0x24c/0x33c\n[   31.082429]  do_fbcon_takeover+0xbc/0x1b0\n[   31.082503]  fbcon_fb_registered+0x2d0/0x34c\n[   31.082663]  register_framebuffer+0x27c/0x38c\n[   31.082767]  __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[   31.082939]  drm_fb_helper_initial_config+0x50/0x74\n[   31.083012]  drm_fbdev_dma_client_hotplug+0xb8/0x108\n[   31.083115]  drm_client_register+0xa0/0xf4\n[   31.083195]  drm_fbdev_dma_setup+0xb0/0x1cc\n[   31.083293]  zynqmp_dpsub_drm_init+0x45c/0x4e0\n[   31.083431]  zynqmp_dpsub_probe+0x444/0x5e0\n[   31.083616]  platform_probe+0x8c/0x13c\n[   31.083713]  really_probe+0x258/0x59c\n[   31.083793]  __driver_probe_device+0xc4/0x224\n[   31.083878]  driver_probe_device+0x70/0x1c0\n[   31.083961]  __device_attach_driver+0x108/0x1e0\n[   31.084052]  bus_for_each_drv+0x9c/0x100\n[   31.084125]  __device_attach+0x100/0x298\n[   31.084207]  device_initial_probe+0x14/0x20\n[   31.084292]  bus_probe_device+0xd8/0xdc\n[   31.084368]  deferred_probe_work_func+0x11c/0x180\n[   31.084451]  process_one_work+0x3ac/0x988\n[   31.084643]  worker_thread+0x398/0x694\n[   31.084752]  kthread+0x1bc/0x1c0\n[   31.084848]  ret_from_fork+0x10/0x20\n[   31.084932] irq event stamp: 64549\n[   31.084970] hardirqs last  enabled at (64548): [<ffffffc081adf35c>] _raw_spin_unlock_irqrestore+0x80/0x90\n[   31.085157]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Convert spinlock to mutex to lock evl workqueue\n\ndrain_workqueue() cannot be called safely in a spinlocked context due to\npossible task rescheduling. In the multi-task scenario, calling\nqueue_work() while drain_workqueue() will lead to a Call Trace as\npushing a work on a draining workqueue is not permitted in spinlocked\ncontext.\n    Call Trace:\n    <TASK>\n    ? __warn+0x7d/0x140\n    ? __queue_work+0x2b2/0x440\n    ? report_bug+0x1f8/0x200\n    ? handle_bug+0x3c/0x70\n    ? exc_invalid_op+0x18/0x70\n    ? asm_exc_invalid_op+0x1a/0x20\n    ? __queue_work+0x2b2/0x440\n    queue_work_on+0x28/0x30\n    idxd_misc_thread+0x303/0x5a0 [idxd]\n    ? __schedule+0x369/0xb40\n    ? __pfx_irq_thread_fn+0x10/0x10\n    ? irq_thread+0xbc/0x1b0\n    irq_thread_fn+0x21/0x70\n    irq_thread+0x102/0x1b0\n    ? preempt_count_add+0x74/0xa0\n    ? __pfx_irq_thread_dtor+0x10/0x10\n    ? __pfx_irq_thread+0x10/0x10\n    kthread+0x103/0x140\n    ? __pfx_kthread+0x10/0x10\n    ret_from_fork+0x31/0x50\n    ? __pfx_kthread+0x10/0x10\n    ret_from_fork_asm+0x1b/0x30\n    </TASK>\n\nThe current implementation uses a spinlock to protect event log workqueue\nand will lead to the Call Trace due to potential task rescheduling.\n\nTo address the locking issue, convert the spinlock to mutex, allowing\nthe drain_workqueue() to be called in a safe mutex-locked context.\n\nThis change ensures proper synchronization when accessing the event log\nworkqueue, preventing potential Call Trace and improving the overall\nrobustness of the code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: marvell: a3700-comphy: Fix out of bounds read\n\nThere is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'\nevery iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.\n\nMake sure 'gbe_phy_init[addr]' is used when all elements of\n'gbe_phy_init_fix' array are handled.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: turn folio_test_hugetlb into a PageType\n\nThe current folio_test_hugetlb() can be fooled by a concurrent folio split\ninto returning true for a folio which has never belonged to hugetlbfs. \nThis can't happen if the caller holds a refcount on it, but we have a few\nplaces (memory-failure, compaction, procfs) which do not and should not\ntake a speculative reference.\n\nSince hugetlb pages do not use individual page mapcounts (they are always\nfully mapped and use the entire_mapcount field to record the number of\nmappings), the PageType field is available now that page_mapcount()\nignores the value in this field.\n\nIn compaction and with CONFIG_DEBUG_VM enabled, the current implementation\ncan result in an oops, as reported by Luis. This happens since 9c5ccf2db04b\n(\"mm: remove HUGETLB_PAGE_DTOR\") effectively added some VM_BUG_ON() checks\nin the PageHuge() testing path.\n\n[willy@infradead.org: update vmcoreinfo]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: uefisecapp: Fix memory related IO errors and crashes\n\nIt turns out that while the QSEECOM APP_SEND command has specific fields\nfor request and response buffers, uefisecapp expects them both to be in\na single memory region. Failure to adhere to this has (so far) resulted\nin either no response being written to the response buffer (causing an\nEIO to be emitted down the line), the SCM call to fail with EINVAL\n(i.e., directly from TZ/firmware), or the device to be hard-reset.\n\nWhile this issue can be triggered deterministically, in the current form\nit seems to happen rather sporadically (which is why it has gone\nunnoticed during earlier testing). This is likely due to the two\nkzalloc() calls (for request and response) being directly after each\nother. Which means that those likely return consecutive regions most of\nthe time, especially when not much else is going on in the system.\n\nFix this by allocating a single memory region for both request and\nresponse buffers, properly aligning both structs inside it. This\nunfortunately also means that the qcom_scm_qseecom_app_send() interface\nneeds to be restructured, as it should no longer map the DMA regions\nseparately. Therefore, move the responsibility of DMA allocation (or\nmapping) to the caller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n  dump_backtrace+0x0/0x1e0\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x8c/0xb8\n  dump_stack+0x18/0x34\n  panic+0x16c/0x384\n  add_taint+0x0/0xc0\n  arm64_serror_panic+0x7c/0x90\n  arm64_is_fatal_ras_serror+0x34/0xa4\n  do_serror+0x50/0x6c\n  el1h_64_error_handler+0x40/0x74\n  el1h_64_error+0x7c/0x80\n  cppc_get_perf_caps+0xec/0x410\n  cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n  cpufreq_online+0x2dc/0xa30\n  cpufreq_add_dev+0xc0/0xd4\n  subsys_interface_register+0x134/0x14c\n  cpufreq_register_driver+0x1b0/0x354\n  cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n  do_one_initcall+0x50/0x250\n  do_init_module+0x60/0x27c\n  load_module+0x2300/0x2570\n  __do_sys_finit_module+0xa8/0x114\n  __arm64_sys_finit_module+0x2c/0x3c\n  invoke_syscall+0x78/0x100\n  el0_svc_common.constprop.0+0x180/0x1a0\n  do_el0_svc+0x84/0xa0\n  el0_svc+0x2c/0xc0\n  el0t_64_sync_handler+0xa4/0x12c\n  el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu: Re-enable CPU mitigations by default for !X86 architectures\n\nRename x86's to CPU_MITIGATIONS, define it in generic code, and force it\non for all architectures exception x86.  A recent commit to turn\nmitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta\nmissed that \"cpu_mitigations\" is completely generic, whereas\nSPECULATION_MITIGATIONS is x86-specific.\n\nRename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it\nselect CPU_MITIGATIONS, as having two configs for the same thing is\nunnecessary and confusing.  This will also allow x86 to use the knob to\nmanage mitigations that aren't strictly related to speculative\nexecution.\n\nUse another Kconfig to communicate to common code that CPU_MITIGATIONS\nis already defined instead of having x86's menu depend on the common\nCPU_MITIGATIONS.  This allows keeping a single point of contact for all\nof x86's mitigations, and it's not clear that other architectures *want*\nto allow disabling mitigations at compile-time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.9"
        },
        {
          "id": "CVE-2024-35997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-35999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-35999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether.  Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix the pre-flush when appending to a file in writethrough mode\n\nIn netfs_perform_write(), when the file is marked NETFS_ICTX_WRITETHROUGH\nor O_*SYNC or RWF_*SYNC was specified, write-through caching is performed\non a buffered file.  When setting up for write-through, we flush any\nconflicting writes in the region and wait for the write to complete,\nfailing if there's a write error to return.\n\nThe issue arises if we're writing at or above the EOF position because we\nskip the flush and - more importantly - the wait.  This becomes a problem\nif there's a partial folio at the end of the file that is being written out\nand we want to make a write to it too.  Both the already-running write and\nthe write we start both want to clear the writeback mark, but whoever is\nsecond causes a warning looking something like:\n\n    ------------[ cut here ]------------\n    R=00000012: folio 11 is not under writeback\n    WARNING: CPU: 34 PID: 654 at fs/netfs/write_collect.c:105\n    ...\n    CPU: 34 PID: 654 Comm: kworker/u386:27 Tainted: G S ...\n    ...\n    Workqueue: events_unbound netfs_write_collection_worker\n    ...\n    RIP: 0010:netfs_writeback_lookup_folio\n\nFix this by making the flush-and-wait unconditional.  It will do nothing if\nthere are no folios in the pagecache and will return quickly if there are\nno folios in the region specified.\n\nFurther, move the WBC attachment above the flush call as the flush is going\nto attach a WBC and detach it again if it is not present - and since we\nneed one anyway we might as well share it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix dpll_pin_on_pin_register() for multiple parent pins\n\nIn scenario where pin is registered with multiple parent pins via\ndpll_pin_on_pin_register(..), all belonging to the same dpll device.\nA second call to dpll_pin_on_pin_unregister(..) would cause a call trace,\nas it tries to use already released registration resources (due to fix\nintroduced in b446631f355e). In this scenario pin was registered twice,\nso resources are not yet expected to be release until each registered\npin/pin pair is unregistered.\n\nCurrently, the following crash/call trace is produced when ice driver is\nremoved on the system with installed E810T NIC which includes dpll device:\n\nWARNING: CPU: 51 PID: 9155 at drivers/dpll/dpll_core.c:809 dpll_pin_ops+0x20/0x30\nRIP: 0010:dpll_pin_ops+0x20/0x30\nCall Trace:\n ? __warn+0x7f/0x130\n ? dpll_pin_ops+0x20/0x30\n dpll_msg_add_pin_freq+0x37/0x1d0\n dpll_cmd_pin_get_one+0x1c0/0x400\n ? __nlmsg_put+0x63/0x80\n dpll_pin_event_send+0x93/0x140\n dpll_pin_on_pin_unregister+0x3f/0x100\n ice_dpll_deinit_pins+0xa1/0x230 [ice]\n ice_remove+0xf1/0x210 [ice]\n\nFix by adding a parent pointer as a cookie when creating a registration,\nalso when searching for it. For the regular pins pass NULL, this allows to\ncreate separated registration for each parent the pin is registered with.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.9"
        },
        {
          "id": "CVE-2024-36003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix LAG and VF lock dependency in ice_reset_vf()\n\n9f74a3dfcf83 (\"ice: Fix VF Reset paths when interface in a failed over\naggregate\"), the ice driver has acquired the LAG mutex in ice_reset_vf().\nThe commit placed this lock acquisition just prior to the acquisition of\nthe VF configuration lock.\n\nIf ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK\nflag, this could deadlock with ice_vc_cfg_qs_msg() because it always\nacquires the locks in the order of the VF configuration lock and then the\nLAG mutex.\n\nLockdep reports this violation almost immediately on creating and then\nremoving 2 VF:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-rc6 #54 Tainted: G        W  O\n------------------------------------------------------\nkworker/60:3/6771 is trying to acquire lock:\nff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice]\n\nbut task is already holding lock:\nff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&pf->lag_mutex){+.+.}-{3:3}:\n       __lock_acquire+0x4f8/0xb40\n       lock_acquire+0xd4/0x2d0\n       __mutex_lock+0x9b/0xbf0\n       ice_vc_cfg_qs_msg+0x45/0x690 [ice]\n       ice_vc_process_vf_msg+0x4f5/0x870 [ice]\n       __ice_clean_ctrlq+0x2b5/0x600 [ice]\n       ice_service_task+0x2c9/0x480 [ice]\n       process_one_work+0x1e9/0x4d0\n       worker_thread+0x1e1/0x3d0\n       kthread+0x104/0x140\n       ret_from_fork+0x31/0x50\n       ret_from_fork_asm+0x1b/0x30\n\n-> #0 (&vf->cfg_lock){+.+.}-{3:3}:\n       check_prev_add+0xe2/0xc50\n       validate_chain+0x558/0x800\n       __lock_acquire+0x4f8/0xb40\n       lock_acquire+0xd4/0x2d0\n       __mutex_lock+0x9b/0xbf0\n       ice_reset_vf+0x22f/0x4d0 [ice]\n       ice_process_vflr_event+0x98/0xd0 [ice]\n       ice_service_task+0x1cc/0x480 [ice]\n       process_one_work+0x1e9/0x4d0\n       worker_thread+0x1e1/0x3d0\n       kthread+0x104/0x140\n       ret_from_fork+0x31/0x50\n       ret_from_fork_asm+0x1b/0x30\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n       CPU0                    CPU1\n       ----                    ----\n  lock(&pf->lag_mutex);\n                               lock(&vf->cfg_lock);\n                               lock(&pf->lag_mutex);\n  lock(&vf->cfg_lock);\n\n *** DEADLOCK ***\n4 locks held by kworker/60:3/6771:\n #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0\n #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice]\n #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice]\n\nstack backtrace:\nCPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G        W  O       6.8.0-rc6 #54\nHardware name:\nWorkqueue: ice ice_service_task [ice]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x4a/0x80\n check_noncircular+0x12d/0x150\n check_prev_add+0xe2/0xc50\n ? save_trace+0x59/0x230\n ? add_chain_cache+0x109/0x450\n validate_chain+0x558/0x800\n __lock_acquire+0x4f8/0xb40\n ? lockdep_hardirqs_on+0x7d/0x100\n lock_acquire+0xd4/0x2d0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? lock_is_held_type+0xc7/0x120\n __mutex_lock+0x9b/0xbf0\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ? rcu_is_watching+0x11/0x50\n ? ice_reset_vf+0x22f/0x4d0 [ice]\n ice_reset_vf+0x22f/0x4d0 [ice]\n ? process_one_work+0x176/0x4d0\n ice_process_vflr_event+0x98/0xd0 [ice]\n ice_service_task+0x1cc/0x480 [ice]\n process_one_work+0x1e9/0x4d0\n worker_thread+0x1e1/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x104/0x140\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nTo avoid deadlock, we must acquire the LAG \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[  +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[  +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[  +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[  +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[  +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[  +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[  +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[  +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[  +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[  +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[  +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[  +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[  +0.000001] FS:  0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[  +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[  +0.000001] PKRU: 55555554\n[  +0.000001] Call Trace:\n[  +0.000001]  <TASK>\n[  +0.000002]  ? __warn+0x80/0x130\n[  +0.000003]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? report_bug+0x195/0x1a0\n[  +0.000005]  ? handle_bug+0x3c/0x70\n[  +0.000003]  ? exc_invalid_op+0x14/0x70\n[  +0.000002]  ? asm_exc_invalid_op+0x16/0x20\n[  +0.000006]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  __flush_workqueue+0x126/0x3f0\n[  +0.000015]  ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[  +0.000056]  __ib_unregister_device+0x6a/0xb0 [ib_core]\n[  +0.000023]  ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[  +0.000020]  i40iw_close+0x4b/0x90 [irdma]\n[  +0.000022]  i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[  +0.000035]  i40e_service_task+0x126/0x190 [i40e]\n[  +0.000024]  process_one_work+0x174/0x340\n[  +0.000003]  worker_th\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS:  0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006]  <TASK>\n[524854.859013]  ? __warn+0x9f/0x1a0\n[524854.859027]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044]  ? report_bug+0x1b1/0x1e0\n[524854.859060]  ? handle_bug+0x3c/0x70\n[524854.859071]  ? exc_invalid_op+0x17/0x40\n[524854.859083]  ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100]  ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116]  ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135]  nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461]  ? packet_notifier+0xb3/0x360\n[524854.859476]  ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489]  ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661]  notifier_call_chain+0x7d/0x140\n[524854.859677]  unregister_netdevice_many_notify+0x5e1/0xae0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G        W          6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n  ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n  ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n  ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n  ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n  ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n  __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n  __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n  __netif_receive_skb_list net/core/dev.c:5672 [inline]\n  netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n  netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n  xdp_recv_frames net/bpf/test_run.c:257 [inline]\n  xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n  bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n  bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n  bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n  __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n  __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n  __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[   80.884935] ref_tracker: reference already released.\n[   80.885150] ref_tracker: allocated in:\n[   80.885349]  ax25_dev_device_up+0x105/0x540\n[   80.885730]  ax25_device_event+0xa4/0x420\n[   80.885730]  notifier_call_chain+0xc9/0x1e0\n[   80.885730]  __dev_notify_flags+0x138/0x280\n[   80.885730]  dev_change_flags+0xd7/0x180\n[   80.885730]  dev_ifsioc+0x6a9/0xa30\n[   80.885730]  dev_ioctl+0x4d8/0xd90\n[   80.885730]  sock_do_ioctl+0x1c2/0x2d0\n[   80.885730]  sock_ioctl+0x38b/0x4f0\n[   80.885730]  __se_sys_ioctl+0xad/0xf0\n[   80.885730]  do_syscall_64+0xc4/0x1b0\n[   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   80.885730] ref_tracker: freed in:\n[   80.885730]  ax25_device_event+0x272/0x420\n[   80.885730]  notifier_call_chain+0xc9/0x1e0\n[   80.885730]  dev_close_many+0x272/0x370\n[   80.885730]  unregister_netdevice_many_notify+0x3b5/0x1180\n[   80.885730]  unregister_netdev+0xcf/0x120\n[   80.885730]  sixpack_close+0x11f/0x1b0\n[   80.885730]  tty_ldisc_kill+0xcb/0x190\n[   80.885730]  tty_ldisc_hangup+0x338/0x3d0\n[   80.885730]  __tty_hangup+0x504/0x740\n[   80.885730]  tty_release+0x46e/0xd80\n[   80.885730]  __fput+0x37f/0x770\n[   80.885730]  __x64_sys_close+0x7b/0xb0\n[   80.885730]  do_syscall_64+0xc4/0x1b0\n[   80.885730]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   80.893739] ------------[ cut here ]------------\n[   80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[   80.894297] Modules linked in:\n[   80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[   80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[   80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[   80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[   80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[   80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[   80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[   80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[   80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[   80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[   80.898279] FS:  00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[   80.899436] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[   80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[   80.935774]      ax25_bind+0x424/0x4e0\n[   80.935774]      __sys_bind+0x1d9/0x270\n[   80.935774]      __x64_sys_bind+0x75/0x80\n[   80.935774]      do_syscall_64+0xc4/0x1b0\n[   80.935774]      entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix string truncation warnings in igb_set_fw_version\n\nCommit 1978d3ead82c (\"intel: fix string truncation warnings\")\nfixes '-Wformat-truncation=' warnings in igb_main.c by using kasprintf.\n\ndrivers/net/ethernet/intel/igb/igb_main.c:3092:53: warning\uff1a\u2018%d\u2019 directive output may be truncated writing between 1 and 5 bytes into a region of size between 1 and 13 [-Wformat-truncation=]\n 3092 |                                  \"%d.%d, 0x%08x, %d.%d.%d\",\n      |                                                     ^~\ndrivers/net/ethernet/intel/igb/igb_main.c:3092:34: note\uff1adirective argument in the range [0, 65535]\n 3092 |                                  \"%d.%d, 0x%08x, %d.%d.%d\",\n      |                                  ^~~~~~~~~~~~~~~~~~~~~~~~~\ndrivers/net/ethernet/intel/igb/igb_main.c:3092:34: note\uff1adirective argument in the range [0, 65535]\ndrivers/net/ethernet/intel/igb/igb_main.c:3090:25: note\uff1a\u2018snprintf\u2019 output between 23 and 43 bytes into a destination of size 32\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\n\nFix this warning by using a larger space for adapter->fw_version,\nand then fall back and continue to use snprintf.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-36011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Fix potential null-ptr-deref\n\nFix potential null-ptr-deref in hci_le_big_sync_established_evt().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n  msft = hdev->msft_data;\n  if (!msft)                      ...(1) <- passed.\n    return;\n  mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n  msft = hdev->msft_data;\n  hdev->msft_data = NULL;         ...(2)\n  kfree(msft);                    ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n  l2cap_connect\n  \u250c mutex_lock(&conn->chan_lock);\n  \u2502 chan = pchan->ops->new_connection(pchan); <- alloc chan\n  \u2502 __l2cap_chan_add(conn, chan);\n  \u2502   l2cap_chan_hold(chan);\n  \u2502   list_add(&chan->list, &conn->chan_l);   ... (1)\n  \u2514 mutex_unlock(&conn->chan_lock);\n    chan->conf_state              ... (4) <- use after free\n\n[free]\nl2cap_conn_del\n\u250c mutex_lock(&conn->chan_lock);\n\u2502 foreach chan in conn->chan_l:            ... (2)\n\u2502   l2cap_chan_put(chan);\n\u2502     l2cap_chan_destroy\n\u2502       kfree(chan)               ... (3) <- chan freed\n\u2514 mutex_unlock(&conn->chan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311",
          "scorev2": "0.0",
          "scorev3": "6.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppdev: Add an error check in register_device\n\nIn register_device, the return value of ida_simple_get is unchecked,\nin which case ida_simple_get will use an invalid index value.\n\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\n\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n  Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n  Reason: Neither gsm->state nor gsm->len have been reset after\n  reconfiguration.\n\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\n\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.",
          "scorev2": "0.0",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bounds\nread access when accessing the saved (casted) entry in ivvl.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/uvmm: fix addr/range calcs for remap operations\n\ndEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8\nwas causing a remap operation like the below.\n\nop_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000\nop_remap: next:\nop_remap: unmap: 0000003fffed0000 0000000000100000 0\nop_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000\n\nThis was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000\nwhich was corrupting the pagetables and oopsing the kernel.\n\nFixes the prev + unmap range calcs to use start/end and map back to addr/range.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: maple: Fix cache corruption in regcache_maple_drop()\n\nWhen keeping the upper end of a cache block entry, the entry[] array\nmust be indexed by the offset from the base register of the block,\ni.e. max - mas.index.\n\nThe code was indexing entry[] by only the register address, leading\nto an out-of-bounds access that copied some part of the kernel\nmemory over the cache contents.\n\nThis bug was not detected by the regmap KUnit test because it only\ntests with a block of registers starting at 0, so mas.index == 0.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix vf may be used uninitialized in this function warning\n\nTo fix the regression introduced by commit 52424f974bc5, which causes\nservers to hang in very hard to reproduce conditions with resets races.\nUsing two sources for the information is the root cause.\nIn this function before the fix bumping v didn't mean bumping vf\npointer. But the code used these variables interchangeably, so stale vf\ncould point to different/not intended vf.\n\nRemove redundant \"v\" variable and iterate via single VF pointer across\nwhole function instead to guarantee VF pointer validity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during pf initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nJulia Lawall reported this null pointer dereference, this should fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable idle reallow as part of command/gpint execution\n\n[Why]\nWorkaround for a race condition where DMCUB is in the process of\ncommitting to IPS1 during the handshake causing us to miss the\ntransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.\n\n[How]\nDisable the reallow to ensure that we have enough of a gap between entry\nand exit and we're not seeing back-to-back wake_and_executes.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix off by one in qla_edif_app_getstats()\n\nThe app_reply->elem[] array is allocated earlier in this function and it\nhas app_req.num_ports elements.  Thus this > comparison needs to be >= to\nprevent memory corruption.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11\n\nWhile doing multiple S4 stress tests, GC/RLC/PMFW get into\nan invalid state resulting into hard hangs.\n\nAdding a GFX reset as workaround just before sending the\nMP1_UNLOAD message avoids this failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer\n\nBtrfs clears the content of an extent buffer marked as\nEXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is\nintroduced to prevent a write hole of an extent buffer, which is once\nallocated, marked dirty, but turns out unnecessary and cleaned up within\none transaction operation.\n\nCurrently, btrfs_clear_buffer_dirty() marks the extent buffer as\nEXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call\nhappens while the buffer is under IO (with the WRITEBACK flag set,\nwithout the DIRTY flag), we can add the ZEROOUT flag and clear the\nbuffer's content just before a bio submission. As a result:\n\n1) it can lead to adding faulty delayed reference item which leads to a\n   FS corrupted (EUCLEAN) error, and\n\n2) it writes out cleared tree node on disk\n\nThe former issue is previously discussed in [1]. The corruption happens\nwhen it runs a delayed reference update. So, on-disk data is safe.\n\n[1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/\n\nThe latter one can reach on-disk data. But, as that node is already\nprocessed by btrfs_clear_buffer_dirty(), that will be invalidated in the\nnext transaction commit anyway. So, the chance of hitting the corruption\nis relatively small.\n\nAnyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to\nkeep the content under IO intact.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio()\n\nWhen I did memory failure tests recently, below warning occurs:\n\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire+0xccb/0x1ca0\nRSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082\nRAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0\nRBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb\nR10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10\nR13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004\nFS:  00007ff9f32aa740(0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff9f3134ba0 CR3: 00000008484e4000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n lock_acquire+0xbe/0x2d0\n _raw_spin_lock_irqsave+0x3a/0x60\n hugepage_subpool_put_pages.part.0+0xe/0xc0\n free_huge_folio+0x253/0x3f0\n dissolve_free_huge_page+0x147/0x210\n __page_handle_poison+0x9/0x70\n memory_failure+0x4e6/0x8c0\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x380/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xbc/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff9f3114887\nRSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887\nRDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001\nRBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00\n </TASK>\nKernel panic - not syncing: kernel: panic_on_warn set ...\nCPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n panic+0x326/0x350\n check_panic_on_warn+0x4f/0x50\n __warn+0x98/0x190\n report_bug+0x18e/0x1a0\n handle_bug+0x3d/0x70\n exc_invalid_op+0x18/0x70\n asm_exc_invalid_op+0x1a/0x20\nRIP: 0010:__lock_acquire+0xccb/0x1ca0\nRSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082\nRAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0\nRBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb\nR10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10\nR13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004\n lock_acquire+0xbe/0x2d0\n _raw_spin_lock_irqsave+0x3a/0x60\n hugepage_subpool_put_pages.part.0+0xe/0xc0\n free_huge_folio+0x253/0x3f0\n dissolve_free_huge_page+0x147/0x210\n __page_handle_poison+0x9/0x70\n memory_failure+0x4e6/0x8c0\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x380/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xbc/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff9f3114887\nRSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887\nRDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001\nRBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00\n </TASK>\n\nAfter git bisecting and digging into the code, I believe the root cause is\nthat _deferred_list field of folio is unioned with _hugetlb_subpool field.\nIn __update_and_free_hugetlb_folio(), folio->_deferred_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-msm: prevent access to suspended controller\n\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: fix the double free in rvu_npc_freemem()\n\nClang static checker(scan-build) warning\uff1a\ndrivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c:line 2184, column 2\nAttempt to free released memory.\n\nnpc_mcam_rsrcs_deinit() has released 'mcam->counters.bmap'. Deleted this\nredundant kfree() to fix this double free problem.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix overwrite of key expiration on instantiation\n\nThe expiry time of a key is unconditionally overwritten during\ninstantiation, defaulting to turn it permanent. This causes a problem\nfor DNS resolution as the expiration set by user-space is overwritten to\nTIME64_MAX, disabling further DNS updates. Fix this by restoring the\ncondition that key_set_expiry is only called when the pre-parser sets a\nspecific expiry.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching fw build id\n\nAdd the missing sanity checks and move the 255-byte build-id buffer off\nthe stack to avoid leaking stack data through debugfs in case the\nbuild-info reply is malformed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix info leak when fetching board id\n\nAdd the missing sanity check when fetching the board id to avoid leaking\nslab data when later requesting the firmware.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules\n\nrx_create no longer allocates a modify_hdr instance that needs to be\ncleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer\ndereference. A leak in the rules also previously occurred since there are\nnow two rules populated related to status.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 109907067 P4D 109907067 PUD 116890067 PMD 0\n  Oops: 0000 [#1] SMP\n  CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n  RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70\n  <snip>\n  Call Trace:\n   <TASK>\n   ? show_regs+0x60/0x70\n   ? __die+0x24/0x70\n   ? page_fault_oops+0x15f/0x430\n   ? free_to_partial_list.constprop.0+0x79/0x150\n   ? do_user_addr_fault+0x2c9/0x5c0\n   ? exc_page_fault+0x63/0x110\n   ? asm_exc_page_fault+0x27/0x30\n   ? mlx5_modify_header_dealloc+0xd/0x70\n   rx_create+0x374/0x590\n   rx_add_rule+0x3ad/0x500\n   ? rx_add_rule+0x3ad/0x500\n   ? mlx5_cmd_exec+0x2c/0x40\n   ? mlx5_create_ipsec_obj+0xd6/0x200\n   mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0\n   mlx5e_xfrm_add_state+0x426/0xc00\n  <snip>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n  #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n  #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n  #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n  #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n  #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n  #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n <IRQ>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n  nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n  nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n  instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n  rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n  handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n  __do_softirq kernel/softirq.c:588 [inline]\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n </IRQ>\n <TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix loop termination condition in gss_free_in_token_pages()\n\nThe in_token->pages[] array is not NULL terminated. This results in\nthe following KASAN splat:\n\n  KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.4"
        },
        {
          "id": "CVE-2024-36476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs: Ensure 'ib_sge list' is accessible\n\nMove the declaration of the 'ib_sge list' variable outside the\n'always_invalidate' block to ensure it remains accessible for use\nthroughout the function.\n\nPreviously, 'ib_sge list' was declared within the 'always_invalidate'\nblock, limiting its accessibility, then caused a\n'BUG: kernel NULL pointer dereference'[1].\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2d0\n ? search_module_extables+0x19/0x60\n ? search_bpf_extables+0x5f/0x80\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? memcpy_orig+0xd5/0x140\n rxe_mr_copy+0x1c3/0x200 [rdma_rxe]\n ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]\n copy_data+0xa5/0x230 [rdma_rxe]\n rxe_requester+0xd9b/0xf70 [rdma_rxe]\n ? finish_task_switch.isra.0+0x99/0x2e0\n rxe_sender+0x13/0x40 [rdma_rxe]\n do_task+0x68/0x1e0 [rdma_rxe]\n process_one_work+0x177/0x330\n worker_thread+0x252/0x390\n ? __pfx_worker_thread+0x10/0x10\n\nThis change ensures the variable is available for subsequent operations\nthat require it.\n\n[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-36477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer\n\nThe TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the\nmaximum transfer length and the size of the transfer buffer. As such, it\ndoes not account for the 4 bytes of header that prepends the SPI data\nframe. This can result in out-of-bounds accesses and was confirmed with\nKASAN.\n\nIntroduce SPI_HDRSIZE to account for the header and use to allocate the\ntransfer buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can run concurrently with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t  if (!dev->nullb)\n\t\t\t\t  // still set while gendisk is deleted\n\t\t\t\t   return 0\n\t\t\t\t  blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by reusing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: fix error check in parse_btf_field()\n\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS:  000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 
1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n </TASK>\n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0                               CPU1\n-----                              -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots)     -(2)\n\n                                   // In sock_common_setsockopt()\n                                   READ_ONCE(sk->sk_prot)->setsockopt()\n\n                                   // In tls_{setsockopt,getsockopt}()\n                                   ctx->sk_proto->setsockopt()    -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: add missing firmware sanity checks\n\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: reset ptes when close() for wr-protected ones\n\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover\nthat too.  This fixes a WARN trace.\n\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it.  However hopefully that should be\nharmless, and nothing bad should happen even if so.\n\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\"mm/page_table_check:\nsupport userfault wr-protect entries\")), as we'll do sanity check on\nuffd-wp bits without vma context.  So it's better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: use memalloc_nofs_save() in page_cache_ra_order()\n\nSee commit f2c817bed58d (\"mm: use memalloc_nofs_save in readahead path\"),\nensure that page_cache_ra_order() do not attempt to reclaim file-backed\npages too, or it leads to a deadlock, found issue when test ext4 large\nfolio.\n\n INFO: task DataXceiver for:7494 blocked for more than 120 seconds.\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:DataXceiver for state:D stack:0     pid:7494  ppid:1      flags:0x00000200\n Call trace:\n  __switch_to+0x14c/0x240\n  __schedule+0x82c/0xdd0\n  schedule+0x58/0xf0\n  io_schedule+0x24/0xa0\n  __folio_lock+0x130/0x300\n  migrate_pages_batch+0x378/0x918\n  migrate_pages+0x350/0x700\n  compact_zone+0x63c/0xb38\n  compact_zone_order+0xc0/0x118\n  try_to_compact_pages+0xb0/0x280\n  __alloc_pages_direct_compact+0x98/0x248\n  __alloc_pages+0x510/0x1110\n  alloc_pages+0x9c/0x130\n  folio_alloc+0x20/0x78\n  filemap_alloc_folio+0x8c/0x1b0\n  page_cache_ra_order+0x174/0x308\n  ondemand_readahead+0x1c8/0x2b8\n  page_cache_async_ra+0x68/0xb8\n  filemap_readahead.isra.0+0x64/0xa8\n  filemap_get_pages+0x3fc/0x5b0\n  filemap_splice_read+0xf4/0x280\n  ext4_file_splice_read+0x2c/0x48 [ext4]\n  vfs_splice_read.part.0+0xa8/0x118\n  splice_direct_to_actor+0xbc/0x288\n  do_splice_direct+0x9c/0x108\n  do_sendfile+0x328/0x468\n  __arm64_sys_sendfile64+0x8c/0x148\n  invoke_syscall+0x4c/0x118\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x4c/0x1f8\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x188/0x190",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix out-of-bounds access in ops_init\n\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\n\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\n\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()\n\nThis was missed because of the function pointer indirection.\n\nnvidia_smmu_context_fault() is also installed as a irq function, and the\n'void *' was changed to a struct arm_smmu_domain. Since the iommu_domain\nis embedded at a non-zero offset this causes nvidia_smmu_context_fault()\nto miscompute the offset. Fixup the types.\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000120\n  Mem abort info:\n    ESR = 0x0000000096000004\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c9f000\n  [0000000000000120] pgd=0000000000000000, p4d=0000000000000000\n  Internal error: Oops: 0000000096000004 [#1] SMP\n  Modules linked in:\n  CPU: 1 PID: 47 Comm: kworker/u25:0 Not tainted 6.9.0-0.rc7.58.eln136.aarch64 #1\n  Hardware name: Unknown NVIDIA Jetson Orin NX/NVIDIA Jetson Orin NX, BIOS 3.1-32827747 03/19/2023\n  Workqueue: events_unbound deferred_probe_work_func\n  pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : nvidia_smmu_context_fault+0x1c/0x158\n  lr : __free_irq+0x1d4/0x2e8\n  sp : ffff80008044b6f0\n  x29: ffff80008044b6f0 x28: ffff000080a60b18 x27: ffffd32b5172e970\n  x26: 0000000000000000 x25: ffff0000802f5aac x24: ffff0000802f5a30\n  x23: ffff0000802f5b60 x22: 0000000000000057 x21: 0000000000000000\n  x20: ffff0000802f5a00 x19: ffff000087d4cd80 x18: ffffffffffffffff\n  x17: 6234362066666666 x16: 6630303078302d30 x15: ffff00008156d888\n  x14: 0000000000000000 x13: ffff0000801db910 x12: ffff00008156d6d0\n  x11: 0000000000000003 x10: ffff0000801db918 x9 
: ffffd32b50f94d9c\n  x8 : 1fffe0001032fda1 x7 : ffff00008197ed00 x6 : 000000000000000f\n  x5 : 000000000000010e x4 : 000000000000010e x3 : 0000000000000000\n  x2 : ffffd32b51720cd8 x1 : ffff000087e6f700 x0 : 0000000000000057\n  Call trace:\n   nvidia_smmu_context_fault+0x1c/0x158\n   __free_irq+0x1d4/0x2e8\n   free_irq+0x3c/0x80\n   devm_free_irq+0x64/0xa8\n   arm_smmu_domain_free+0xc4/0x158\n   iommu_domain_free+0x44/0xa0\n   iommu_deinit_device+0xd0/0xf8\n   __iommu_group_remove_device+0xcc/0xe0\n   iommu_bus_notifier+0x64/0xa8\n   notifier_call_chain+0x78/0x148\n   blocking_notifier_call_chain+0x4c/0x90\n   bus_notify+0x44/0x70\n   device_del+0x264/0x3e8\n   pci_remove_bus_device+0x84/0x120\n   pci_remove_root_bus+0x5c/0xc0\n   dw_pcie_host_deinit+0x38/0xe0\n   tegra_pcie_config_rp+0xc0/0x1f0\n   tegra_pcie_dw_probe+0x34c/0x700\n   platform_probe+0x70/0xe8\n   really_probe+0xc8/0x3a0\n   __driver_probe_device+0x84/0x160\n   driver_probe_device+0x44/0x130\n   __device_attach_driver+0xc4/0x170\n   bus_for_each_drv+0x90/0x100\n   __device_attach+0xa8/0x1c8\n   device_initial_probe+0x1c/0x30\n   bus_probe_device+0xb0/0xc0\n   deferred_probe_work_func+0xbc/0x120\n   process_one_work+0x194/0x490\n   worker_thread+0x284/0x3b0\n   kthread+0xf4/0x108\n   ret_from_fork+0x10/0x20\n  Code: a9b97bfd 910003fd a9025bf5 f85a0035 (b94122a1)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input 
linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto 
linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000e: change usleep_range to udelay in PHY mdic access\n\nThis is a partial revert of commit 6dbdd4de0362 (\"e1000e: Workaround\nfor sporadic MDI error on Meteor Lake systems\"). The referenced commit\nused usleep_range inside the PHY access routines, which are sometimes\ncalled from an atomic context. This can lead to a kernel panic in some\nscenarios, such as cable disconnection and reconnection on vPro systems.\n\nSolve this by changing the usleep_range calls back to udelay.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.10"
        },
        {
          "id": "CVE-2024-36888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix selection of wake_cpu in kick_pool()\n\nWith cpu_possible_mask=0-63 and cpu_online_mask=0-7 the following\nkernel oops was observed:\n\nsmp: Bringing up secondary CPUs ...\nsmp: Brought up 1 node, 8 CPUs\nUnable to handle kernel pointer dereference in virtual kernel address space\nFailing address: 0000000000000000 TEID: 0000000000000803\n[..]\n Call Trace:\narch_vcpu_is_preempted+0x12/0x80\nselect_idle_sibling+0x42/0x560\nselect_task_rq_fair+0x29a/0x3b0\ntry_to_wake_up+0x38e/0x6e0\nkick_pool+0xa4/0x198\n__queue_work.part.0+0x2bc/0x3a8\ncall_timer_fn+0x36/0x160\n__run_timers+0x1e2/0x328\n__run_timer_base+0x5a/0x88\nrun_timer_softirq+0x40/0x78\n__do_softirq+0x118/0x388\nirq_exit_rcu+0xc0/0xd8\ndo_ext_irq+0xae/0x168\next_int_handler+0xbe/0xf0\npsw_idle_exit+0x0/0xc\ndefault_idle_call+0x3c/0x110\ndo_idle+0xd4/0x158\ncpu_startup_entry+0x40/0x48\nrest_init+0xc6/0xc8\nstart_kernel+0x3c4/0x5e0\nstartup_continue+0x3c/0x50\n\nThe crash is caused by calling arch_vcpu_is_preempted() for an offline\nCPU. To avoid this, select the cpu with cpumask_any_and_distribute()\nto mask __pod_cpumask with cpu_online_mask. In case no cpu is left in\nthe pool, skip the assignment.\n\ntj: This doesn't fully fix the bug as CPUs can still go down between picking\nthe target CPU and the wake call. Fixing that likely requires adding\ncpu_online() test to either the sched or s390 arch code. However, regardless\nof how that is fixed, workqueue shouldn't be picking a CPU which isn't\nonline as that would result in unpredictable and worse behavior.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   </TASK>\n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: make __free(kfree) accept error pointers\n\nCurrently, if an automatically freed allocation is an error pointer that\nwill lead to a crash.  An example of this is in wm831x_gpio_dbg_show().\n\n   171\tchar *label __free(kfree) = gpiochip_dup_line_label(chip, i);\n   172\tif (IS_ERR(label)) {\n   173\t\tdev_err(wm831x->dev, \"Failed to duplicate label\\n\");\n   174\t\tcontinue;\n   175  }\n\nThe auto clean up function should check for error pointers as well,\notherwise we're going to keep hitting issues like this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix mas_empty_area_rev() null pointer dereference\n\nCurrently the code calls mas_start() followed by mas_data_end() if the\nmaple state is MA_START, but mas_start() may return with the maple state\nnode == NULL.  This will lead to a null pointer dereference when checking\ninformation in the NULL node, which is done in mas_data_end().\n\nAvoid setting the offset if there is no node by waiting until after the\nmaple state is checked for an empty or single entry state.\n\nA user could trigger the events to cause a kernel oops by unmapping all\nvmas to produce an empty maple tree, then mapping a vma that would cause\nthe scenario described above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid zeroing outside-object freepointer for single free\n\nCommit 284f17ac13fe (\"mm/slub: handle bulk and single object freeing\nseparately\") splits single and bulk object freeing in two functions\nslab_free() and slab_free_bulk() which leads slab_free() to call\nslab_free_hook() directly instead of slab_free_freelist_hook().\n\nIf `init_on_free` is set, slab_free_hook() zeroes the object.\nAfterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are\nset, the do_slab_free() slowpath executes freelist consistency\nchecks and try to decode a zeroed freepointer which leads to a\n\"Freepointer corrupt\" detection in check_object().\n\nDuring bulk free, slab_free_freelist_hook() isn't affected as it always\nsets it objects freepointer using set_freepointer() to maintain its\nreconstructed freelist after `init_on_free`.\n\nFor single free, object's freepointer thus needs to be avoided when\nstored outside the object if `init_on_free` is set. The freepointer left\nas is, check_object() may later detect an invalid pointer value due to\nobjects overflow.\n\nTo reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the\ncommand line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.\n\ndmesg sample log:\n[   10.708715] =============================================================================\n[   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt\n[   10.712695] -----------------------------------------------------------------------------\n[   10.712695]\n[   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)\n[   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c\n[   10.716698]\n[   10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035667c: 00 00 00 00                                      ....\n[   10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Check for port partner validity before consuming it\n\ntypec_register_partner() does not guarantee partner registration\nto always succeed. In the event of failure, port->partner is set\nto the error value or NULL. Given that port->partner validity is\nnot checked, this results in the following crash:\n\nUnable to handle kernel NULL pointer dereference at virtual address xx\n pc : run_state_machine+0x1bc8/0x1c08\n lr : run_state_machine+0x1b90/0x1c08\n..\n Call trace:\n   run_state_machine+0x1bc8/0x1c08\n   tcpm_state_machine_work+0x94/0xe4\n   kthread_worker_fn+0x118/0x328\n   kthread+0x1d0/0x23c\n   ret_from_fork+0x10/0x20\n\nTo prevent the crash, check for port->partner validity before\nderefencing it in all the call sites.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\n\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\n\n    DWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n  --> dwc3_stop_active_transfers()\n    --> dwc3_gadget_giveback(-ESHUTDOWN)\n      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n        --> usb_ep_free_request()            --> usb_ep_dequeue()\n\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\n\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\n\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\n\nThis fix depends on\n  commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n  consistently\")",
          "scorev2": "0.0",
          "scorev3": "5.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\n\nThis commit fixes uvc gadget support on 32-bit platforms.\n\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\n\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix access violation during port device removal\n\nTesting with KASAN and syzkaller revealed a bug in port.c:disable_store():\nusb_hub_to_struct_hub() can return NULL if the hub that the port belongs to\nis concurrently removed, but the function does not check for this\npossibility before dereferencing the returned value.\n\nIt turns out that the first dereference is unnecessary, since hub->intfdev\nis the parent of the port device, so it can be changed easily.  Adding a\ncheck for hub == NULL prevents further problems.\n\nThe same bug exists in the disable_show() routine, and it can be fixed the\nsame way.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Atom Integrated System Info v2_2 for DCN35\n\nNew request from KMD/VBIOS in order to support new UMA carveout\nmodel. This fixes a null dereference from accessing\nCtx->dc_bios->integrated_info while it was NULL.\n\nDAL parses through the BIOS and extracts the necessary\nintegrated_info but was missing a case for the new BIOS\nversion 2.3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: fix uninitialised kfifo\n\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked.  This results in events being written to and read from an\nuninitialised kfifo.  Read events are returned to userspace.\n\nInitialise the kfifo in the case where the software debounce is\nalready active.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n  --> bitmap_free(cdev->watched_lines)                  <-- freed\n  --> blocking_notifier_chain_unregister()\n    --> down_write(&nh->rwsem)                          <-- waiting rwsem\n          --> __down_write_common()\n            --> rwsem_down_write_slowpath()\n                  --> schedule_preempt_disabled()\n                    --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n  --> gpio_free()\n    --> gpiod_free()\n      --> gpiod_free_commit()\n        --> gpiod_line_state_notify()\n          --> blocking_notifier_call_chain()\n            --> down_read(&nh->rwsem);                  <-- held rwsem\n            --> notifier_call_chain()\n              --> lineinfo_changed_notify()\n                --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when devlink reload during initialization\n\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\n\nThis patch fixes this by registering the devlink after\nhardware initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent NULL dereference in ip6_output()\n\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\n\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\n\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9381/1: kasan: clear stale stack poison\n\nWe found below OOB crash:\n\n[   33.452494] ==================================================================\n[   33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[   33.455515]\n[   33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O       6.1.25-mainline #1\n[   33.456880] Hardware name: Generic DT based system\n[   33.457555]  unwind_backtrace from show_stack+0x18/0x1c\n[   33.458326]  show_stack from dump_stack_lvl+0x40/0x4c\n[   33.459072]  dump_stack_lvl from print_report+0x158/0x4a4\n[   33.459863]  print_report from kasan_report+0x9c/0x148\n[   33.460616]  kasan_report from kasan_check_range+0x94/0x1a0\n[   33.461424]  kasan_check_range from memset+0x20/0x3c\n[   33.462157]  memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.463064]  refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[   33.464181]  tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[   33.465029]  do_idle from cpu_startup_entry+0x20/0x24\n[   33.465769]  cpu_startup_entry from rest_init+0xf0/0xf4\n[   33.466528]  rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[   33.467397]\n[   33.467644] The buggy address belongs to stack of task swapper/0/0\n[   33.468493]  and is located at offset 112 in frame:\n[   33.469172]  refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[   33.469917]\n[   33.470165] This frame has 2 objects:\n[   33.470696]  [32, 76) 'global_zone_diff'\n[   33.470729]  [112, 276) 'global_node_diff'\n[   33.471294]\n[   33.472095] The buggy address belongs to the physical page:\n[   33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[   33.473944] flags: 0x1000(reserved|zone=0)\n[   33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 
00000000 ffffffff 00000001\n[   33.475656] raw: 00000000\n[   33.476050] page dumped because: kasan: bad access detected\n[   33.476816]\n[   33.477061] Memory state around the buggy address:\n[   33.477732]  c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.478630]  c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[   33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[   33.480415]                                                ^\n[   33.481195]  c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[   33.482088]  c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.482978] ==================================================================\n\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\n\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\n\nFrom cited commit [1] that explain the problem\n\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\n\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code.  
Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\n\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\n\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\n\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\n\nFrom cited commit [2]\n\nExtend to check for CONFIG_KASAN_STACK\n\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: do not WARN if iocg was already offlined\n\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\n\n  WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n  Call trace:\n  iocg_pay_debt+0x14c/0x190\n  iocg_kick_waitq+0x438/0x4c0\n  iocg_waitq_timer_fn+0xd8/0x130\n  __run_hrtimer+0x144/0x45c\n  __hrtimer_run_queues+0x16c/0x244\n  hrtimer_interrupt+0x2cc/0x7b0\n\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\n\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus ring buffer code could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the struct\nvmbus_gpadl for the ring buffers to decide whether to free the memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe VMBus device UIO driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Don't free decrypted memory\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nThe netvsc driver could free decrypted/shared pages if\nset_memory_decrypted() fails. Check the decrypted field in the gpadl\nto decide whether to free the memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Track decrypted status in vmbus_gpadl\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nIn order to make sure callers of vmbus_establish_gpadl() and\nvmbus_teardown_gpadl() don't return decrypted/shared pages to\nallocators, add a field in struct vmbus_gpadl to keep track of the\ndecryption status of the buffers. This will allow the callers to\nknow if they should free or leak the pages.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Leak pages if set_memory_encrypted() fails\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nVMBus code could free decrypted pages if set_memory_encrypted()/decrypted()\nfails. Leak the pages if this happens.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip on writeback when it's not applicable\n\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \"BUG: KASAN: slab-out-of-bounds\" as writeback connector does not\nsupport certain features which are not initialized.\n\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: fix nfc_llcp_setsockopt() unsafe copies\n\nsyzbot reported unsafe calls to copy_from_sockptr() [1]\n\nUse copy_safe_from_sockptr() instead.\n\n[1]\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\nRead of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078\n\nCPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255\n  do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfd/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7f7fac07fd89\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89\nRDX: 0000000000000000 RSI: 0000000000000118 RDI: 
0000000000000004\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: avoid out of bounds shift\n\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\n\n[  186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S          E    N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\n\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\n\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix overflow in blk_ioctl_discard()\n\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n  start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check bloom filter map value size\n\nThis patch adds a missing check to bloom filter creating, rejecting\nvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line with\nmany other map types.\n\nThe lack of this protection can cause kernel crashes for value sizes\nthat overflow int's. Such a crash was caught by syzkaller. The next\npatch adds more guard-rails at a lower level.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\n\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\n\nThis will suppress following BUG_ON():\n\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 
00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n  memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf->reply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n  WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number '1' from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: guard against invalid STA ID on removal\n\nGuard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that would\nresult in out-of-bounds array accesses. This prevents issues should the\ndriver get into a bad state during error handling.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock.  Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y\n\nUsing restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction\nwith dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following\ncrash when initialising the restricted pools at boot-time:\n\n  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n  | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n  | pc : rmem_swiotlb_device_init+0xfc/0x1ec\n  | lr : rmem_swiotlb_device_init+0xf0/0x1ec\n  | Call trace:\n  |  rmem_swiotlb_device_init+0xfc/0x1ec\n  |  of_reserved_mem_device_init_by_idx+0x18c/0x238\n  |  of_dma_configure_id+0x31c/0x33c\n  |  platform_dma_configure+0x34/0x80\n\nfaddr2line reveals that the crash is in the list validation code:\n\n  include/linux/list.h:83\n  include/linux/rculist.h:79\n  include/linux/rculist.h:106\n  kernel/dma/swiotlb.c:306\n  kernel/dma/swiotlb.c:1695\n\nbecause add_mem_pool() is trying to list_add_rcu() to a NULL\n'mem->pools'.\n\nFix the crash by initialising the 'mem->pools' list_head in\nrmem_swiotlb_device_init() before calling add_mem_pool().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: LPAR panics during boot up with a frozen PE\n\nAt the time of LPAR boot up, partition firmware provides Open Firmware\nproperty ibm,dma-window for the PE. This property is provided on the PCI\nbus the PE is attached to.\n\nThere are execptions where the partition firmware might not provide this\nproperty for the PE at the time of LPAR boot up. One of the scenario is\nwhere the firmware has frozen the PE due to some error condition. This\nPE is frozen for 24 hours or unless the whole system is reinitialized.\n\nWithin this time frame, if the LPAR is booted, the frozen PE will be\npresented to the LPAR but ibm,dma-window property could be missing.\n\nToday, under these circumstances, the LPAR oopses with NULL pointer\ndereference, when configuring the PCI bus the PE is attached to.\n\n  BUG: Kernel NULL pointer dereference on read at 0x000000c8\n  Faulting instruction address: 0xc0000000001024c0\n  Oops: Kernel access of bad area, sig: 7 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n  Modules linked in:\n  Supported: Yes\n  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1\n  Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries\n  NIP:  c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450\n  REGS: c0000000037db5c0 TRAP: 0300   Not tainted  (6.4.0-150600.9-default)\n  MSR:  8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 28000822  XER: 00000000\n  CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0\n  ...\n  NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0\n  LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0\n  Call Trace:\n    pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable)\n    pcibios_setup_bus_self+0x1c0/0x370\n    __of_scan_bus+0x2f8/0x330\n    pcibios_scan_phb+0x280/0x3d0\n    pcibios_init+0x88/0x12c\n  
  do_one_initcall+0x60/0x320\n    kernel_init_freeable+0x344/0x3e4\n    kernel_init+0x34/0x1d0\n    ret_from_kernel_user_thread+0x14/0x1c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1].  __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         >0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix null pointer dereference within spi_sync\n\nIf spi_sync() is called with the non-empty queue and the same spi_message\nis then reused, the complete callback for the message remains set while\nthe context is cleared, leading to a null pointer dereference when the\ncallback is invoked from spi_finalize_current_message().\n\nWith function inlining disabled, the call stack might look like this:\n\n  _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58\n  complete_with_flags from spi_complete+0x8/0xc\n  spi_complete from spi_finalize_current_message+0xec/0x184\n  spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474\n  spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230\n  __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4\n  __spi_transfer_message_noqueue from __spi_sync+0x204/0x248\n  __spi_sync from spi_sync+0x24/0x3c\n  spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]\n  mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154\n  _regmap_raw_read from _regmap_bus_read+0x44/0x70\n  _regmap_bus_read from _regmap_read+0x60/0xd8\n  _regmap_read from regmap_read+0x3c/0x5c\n  regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]\n  mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]\n  mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78\n  irq_thread_fn from irq_thread+0x118/0x1f4\n  irq_thread from kthread+0xd8/0xf4\n  kthread from ret_from_fork+0x14/0x28\n\nFix this by also setting message->complete to NULL when the transfer is\ncomplete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Prevent use-after-free from occurring after cdev removal\n\nSince thermal_debug_cdev_remove() does not run under cdev->lock, it can\nrun in parallel with thermal_debug_cdev_state_update() and it may free\nthe struct thermal_debugfs object used by the latter after it has been\nchecked against NULL.\n\nIf that happens, thermal_debug_cdev_state_update() will access memory\nthat has been freed already causing the kernel to crash.\n\nAddress this by using cdev->lock in thermal_debug_cdev_remove() around\nthe cdev->debugfs value check (in case the same cdev is removed at the\nsame time in two different threads) and its reset to NULL.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n  ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n  1. reset skb->network_header\n  2. save the original skb->{mac_heaeder,mac_len} in a local variable\n  3. pull the NSH header\n  4. resets skb->mac_header\n  5. set up skb->mac_len and skb->protocol for the inner protocol.\n\nand does the following for the segmented skb\n\n  6. set ntohs(ETH_P_NSH) to skb->protocol\n  7. push the NSH header\n  8. restore skb->mac_header\n  9. set skb->mac_header + mac_len to skb->network_header\n 10. restore skb->mac_len\n\nThere are two problems in 6-7 and 8-9.\n\n  (a)\n  After 6 & 7, skb->data points to the NSH header, so the outer header\n  (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n  Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n  skb_pull() in the first nsh_gso_segment() will make skb->data point\n  to the middle of the outer NSH or Ethernet header because the Ethernet\n  header is not pulled by the second nsh_gso_segment().\n\n  (b)\n  While restoring skb->{mac_header,network_header} in 8 & 9,\n  nsh_gso_segment() does not assume that the data in the linear\n  buffer is shifted.\n\n  However, udp6_ufo_fragment() could shift the data and change\n  skb->mac_header accordingly as demonstrated by syzbot.\n\n  If this happens, even the restored skb->mac_header points to\n  the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let's calculate the outer header position relatively from\nthe inner header and set skb->{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count bytes\nfrom userspace to that buffer. Later, we use sscanf on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can lead\nto OOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/unaccepted: touch soft lockup during memory accept\n\nCommit 50e782a86c98 (\"efi/unaccepted: Fix soft lockups caused by\nparallel memory acceptance\") has released the spinlock so other CPUs can\ndo memory acceptance in parallel and not triggers softlockup on other\nCPUs.\n\nHowever the softlock up was intermittent shown up if the memory of the\nTD guest is large, and the timeout of softlockup is set to 1 second:\n\n RIP: 0010:_raw_spin_unlock_irqrestore\n Call Trace:\n ? __hrtimer_run_queues\n <IRQ>\n ? hrtimer_interrupt\n ? watchdog_timer_fn\n ? __sysvec_apic_timer_interrupt\n ? __pfx_watchdog_timer_fn\n ? sysvec_apic_timer_interrupt\n </IRQ>\n ? __hrtimer_run_queues\n <TASK>\n ? hrtimer_interrupt\n ? asm_sysvec_apic_timer_interrupt\n ? _raw_spin_unlock_irqrestore\n ? __sysvec_apic_timer_interrupt\n ? sysvec_apic_timer_interrupt\n accept_memory\n try_to_accept_memory\n do_huge_pmd_anonymous_page\n get_page_from_freelist\n __handle_mm_fault\n __alloc_pages\n __folio_alloc\n ? __tdx_hypercall\n handle_mm_fault\n vma_alloc_folio\n do_user_addr_fault\n do_huge_pmd_anonymous_page\n exc_page_fault\n ? __do_huge_pmd_anonymous_page\n asm_exc_page_fault\n __handle_mm_fault\n\nWhen the local irq is enabled at the end of accept_memory(), the\nsoftlockup detects that the watchdog on single CPU has not been fed for\na while. That is to say, even other CPUs will not be blocked by\nspinlock, the current CPU might be stunk with local irq disabled for a\nwhile, which hurts not only nmi watchdog but also softlockup.\n\nChao Gao pointed out that the memory accept could be time costly and\nthere was similar report before. Thus to avoid any softlocup detection\nduring this stage, give the softlockup a flag to skip the timeout check\nat the end of accept_memory(), by invoking touch_softlockup_watchdog().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\n\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\n\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\n\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nvalue changed: 0xffffffff83d7feb0 -> 0x0000000000000000\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G        W          6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\n\nPrior to this, commit 4cd12c6065df (\"bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\") fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \"write_lock_bh(&sk->sk_callback_lock);\".\n\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Handle error of rpc_proc_register() in nfs_net_init().\n\nsyzkaller reported a warning [0] triggered while destroying immature\nnetns.\n\nrpc_proc_register() was called in init_nfs_fs(), but its error\nhas been ignored since at least the initial commit 1da177e4c3f4\n(\"Linux-2.6.12-rc2\").\n\nRecently, commit d47151b79e32 (\"nfs: expose /proc/net/sunrpc/nfs\nin net namespaces\") converted the procfs to per-netns and made\nthe problem more visible.\n\nEven when rpc_proc_register() fails, nfs_net_init() could succeed,\nand thus nfs_net_exit() will be called while destroying the netns.\n\nThen, remove_proc_entry() will be called for non-existing proc\ndirectory and trigger the warning below.\n\nLet's handle the error of rpc_proc_register() properly in nfs_net_init().\n\n[0]:\nname 'nfs'\nWARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711\nCode: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb\nRSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c\nRDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc\nR13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8\nFS:  00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310\n nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438\n ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170\n setup_net+0x46c/0x660 net/core/net_namespace.c:372\n copy_net_ns+0x244/0x590 net/core/net_namespace.c:505\n create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228\n ksys_unshare+0x342/0x760 kernel/fork.c:3322\n __do_sys_unshare kernel/fork.c:3393 [inline]\n __se_sys_unshare kernel/fork.c:3391 [inline]\n __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x7f30d0febe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002\nR13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: core: delete incorrect free in pinctrl_enable()\n\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\n\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: don't free NULL coalescing rule\n\nIf the parsing fails, we can dereference a NULL pointer here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: fix loss of young/dirty bits during pagemap scan\n\nmake_uffd_wp_pte() was previously doing:\n\n  pte = ptep_get(ptep);\n  ptep_modify_prot_start(ptep);\n  pte = pte_mkuffd_wp(pte);\n  ptep_modify_prot_commit(ptep, pte);\n\nBut if another thread accessed or dirtied the pte between the first 2\ncalls, this could lead to loss of that information.  Since\nptep_modify_prot_start() gets and clears atomically, the following is the\ncorrect pattern and prevents any possible race.  Any access after the\nfirst call would see an invalid pte and cause a fault:\n\n  pte = ptep_modify_prot_start(ptep);\n  pte = pte_mkuffd_wp(pte);\n  ptep_modify_prot_commit(ptep, pte);",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nReapply \"drm/qxl: simplify qxl_fence_wait\"\n\nThis reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea.\n\nStephen Rostedt reports:\n \"I went to run my tests on my VMs and the tests hung on boot up.\n  Unfortunately, the most I ever got out was:\n\n  [   93.607888] Testing event system initcall: OK\n  [   93.667730] Running tests on all trace events:\n  [   93.669757] Testing all events: OK\n  [   95.631064] ------------[ cut here ]------------\n  Timed out after 60 seconds\"\n\nand further debugging points to a possible circular locking dependency\nbetween the console_owner locking and the worker pool locking.\n\nReverting the commit allows Steve's VM to boot to completion again.\n\n[ This may obviously result in the \"[TTM] Buffer eviction failed\"\n  messages again, which was the reason for that original revert. But at\n  this point this seems preferable to a non-booting system... ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.10"
        },
        {
          "id": "CVE-2024-36945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet: fix rtm_phonet_notify() skb allocation\n\nfill_route() stores three components in the skb:\n\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\n\nTherefore, rtm_phonet_notify() should use\n\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix dentry leak\n\nsimple_recursive_removal() drops the pinning references to all positives\nin subtree.  For the cases when its argument has been kept alive by\nthe pinning alone that's exactly the right thing to do, but here\nthe argument comes from dcache lookup, that needs to be balanced by\nexplicit dput().\n\nFucked-up-by: Al Viro <viro@zeniv.linux.org.uk>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_migrate: Cast to output precision before multiplying operands\n\nAddressing potential overflow in result of  multiplication of two lower\nprecision (u32) operands before widening it to higher precision\n(u64).\n\n-v2\nFix commit message and description. (Rodrigo)\n\n(cherry picked from commit 34820967ae7b45411f8f4f737c2d63b0c608e0d7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. Other devices will\nstart reset and recover without waiting. If the process has not been\nevicted before doing recover, it will be restored, then cause a page\nfault.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\n\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\n\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\n\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\n\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\n\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\n\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()\n\nvgic_v2_parse_attr() is responsible for finding the vCPU that matches\nthe user-provided CPUID, which (of course) may not be valid. If the ID\nis invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled\ngracefully.\n\nSimilar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id()\nactually returns something and fail the ioctl if not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a possible memleak in tipc_buf_append\n\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()\n\nThe documentation for device_get_named_child_node() mentions this\nimportant point:\n\n\"\nThe caller is responsible for calling fwnode_handle_put() on the\nreturned fwnode pointer.\n\"\n\nAdd fwnode_handle_put() to avoid a leaked reference.",
          "scorev2": "0.0",
          "scorev3": "7.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Free all thermal zone debug memory on zone removal\n\nBecause thermal_debug_tz_remove() does not free all memory allocated for\nthermal zone diagnostics, some of that memory becomes unreachable after\nfreeing the thermal zone's struct thermal_debugfs object.\n\nAddress this by making thermal_debug_tz_remove() free all of the memory\nin question.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: avoid off-by-one read from userspace\n\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix nfsd4_encode_fattr4() crasher\n\nEnsure that args.acl is initialized early. It is used in an\nunconditional call to kfree() on the way out of\nnfsd4_encode_fattr4().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()\n\nIf we fail to allocate propname buffer, we need to drop the reference\ncount we just took. Because the pinctrl_dt_free_maps() includes the\ndropping operation, here we call it directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresulting in oob reads.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object.  Then, it may clear\ntz->debugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s->private\ninstead of a pointer to the thermal zone object.  This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz->lock in thermal_debug_tz_remove()\naround the tz->debugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\n\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\n\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\n\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8.10"
        },
        {
          "id": "CVE-2024-36963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Reset permissions on remount if permissions are options\n\nThere's an inconsistency with the way permissions are handled in tracefs.\nBecause the permissions are generated when accessed, they default to the\nroot inode's permission if they were never set by the user. If the user\nsets the permissions, then a flag is set and the permissions are saved via\nthe inode (for tracefs files) or an internal attribute field (for\neventfs).\n\nBut if a remount happens that specify the permissions, all the files that\nwere not changed by the user gets updated, but the ones that were are not.\nIf the user were to remount the file system with a given permission, then\nall files and directories within that file system should be updated.\n\nThis can cause security issues if a file's permission was updated but the\nadmin forgot about it. They could incorrectly think that remounting with\npermissions set would update all files, but miss some.\n\nFor example:\n\n # cd /sys/kernel/tracing\n # chgrp 1002 current_tracer\n # ls -l\n[..]\n -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb\n -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb\n -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb\n -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer\n -rw-r-----  1 root root 0 May  1 21:25 dynamic_events\n -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info\n -r--r-----  1 root root 0 May  1 21:25 enabled_functions\n\nWhere current_tracer now has group \"lkp\".\n\n # mount -o remount,gid=1001 .\n # ls -l\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb\n -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb\n -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer\n -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events\n -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info\n -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions\n\nEverything changed but the \"current_tracer\".\n\nAdd a new link list that keeps track of all the tracefs_inodes which has\nthe permission flags that tell if the file/dir should use the root inode's\npermission or not. Then on remount, clear all the flags so that the\ndefault behavior of using the root inode's permission is done for all\nfiles and directories.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: reliably distinguish block based and fscache mode\n\nWhen erofs_kill_sb() is called in block dev based mode, s_bdev may not\nhave been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled,\nit will be mistaken for fscache mode, and then attempt to free an anon_dev\nthat has never been allocated, triggering the following warning:\n\n============================================\nida_free called for id=0 which is not allocated.\nWARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140\nModules linked in:\nCPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630\nRIP: 0010:ida_free+0x134/0x140\nCall Trace:\n <TASK>\n erofs_kill_sb+0x81/0x90\n deactivate_locked_super+0x35/0x80\n get_tree_bdev+0x136/0x1e0\n vfs_get_tree+0x2c/0xf0\n do_new_mount+0x190/0x2f0\n [...]\n============================================\n\nNow when erofs_kill_sb() is called, erofs_sb_info must have been\ninitialised, so use sbi->fsid to distinguish between the two modes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-36967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n'scratch' is never freed. Fix this by calling kfree() in the success, and\nin the error case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\n\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\n\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix division by zero in setup_dsc_config\n\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\n\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\n\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\n\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Use request_module_nowait\n\nThis appears to work around a deadlock regression that came in\nwith the LED merge in 6.9.\n\nThe deadlock happens on my system with 24 iwlwifi radios, so maybe\nit something like all worker threads are busy and some work that needs\nto complete cannot complete.\n\n[also remove unnecessary \"load_module\" var and now-wrong comment]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)->oob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let's update unix_sk(sk)->oob_skb under the\nsk_receive_queue's lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS:  
0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n </TASK>\nModules linked in:\nCR2: 0000000000000008",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe()\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function\ngp_auxiliary_device_release() calls ida_free() and\nkfree(aux_device_wrapper) to free memory. We should't\ncall them again in the error handling path.\n\nFix this by skipping the redundant cleanup functions.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n   in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"media: v4l2-ctrls: show all owned controls in log_status\"\n\nThis reverts commit 9801b5b28c6929139d6fceeee8d739cc67bb2739.\n\nThis patch introduced a potential deadlock scenario:\n\n[Wed May  8 10:02:06 2024]  Possible unsafe locking scenario:\n\n[Wed May  8 10:02:06 2024]        CPU0                    CPU1\n[Wed May  8 10:02:06 2024]        ----                    ----\n[Wed May  8 10:02:06 2024]   lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);\n[Wed May  8 10:02:06 2024]                                lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);\n[Wed May  8 10:02:06 2024]                                lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);\n[Wed May  8 10:02:06 2024]   lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);\n\nFor now just revert.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Wait unconditionally after issuing EndXfer command\n\nCurrently all controller IP/revisions except DWC3_usb3 >= 310a\nwait 1ms unconditionally for ENDXFER completion when IOC is not\nset. This is because DWC_usb3 controller revisions >= 3.10a\nsupports GUCTL2[14: Rst_actbitlater] bit which allows polling\nCMDACT bit to know whether ENDXFER command is completed.\n\nConsider a case where an IN request was queued, and parallelly\nsoft_disconnect was called (due to ffs_epfile_release). This\neventually calls stop_active_transfer with IOC cleared, hence\nsend_gadget_ep_cmd() skips waiting for CMDACT cleared during\nEndXfer. For DWC3 controllers with revisions >= 310a, we don't\nforcefully wait for 1ms either, and we proceed by unmapping the\nrequests. If ENDXFER didn't complete by this time, it leads to\nSMMU faults since the controller would still be accessing those\nrequests.\n\nFix this by ensuring ENDXFER completion by adding 1ms delay in\n__dwc3_stop_active_transfer() unconditionally.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-36979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n  <IRQ>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n  run_timer_base kernel/time/timer.c:2438 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n  __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n  </IRQ>\n  <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 
arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-36979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-37021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-37021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-37026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Only use reserved BCS instances for usm migrate exec queue\n\nThe GuC context scheduling queue is 2 entires deep, thus it is possible\nfor a migration job to be stuck behind a fault if migration exec queue\nshares engines with user jobs. This can deadlock as the migrate exec\nqueue is required to service page faults. Avoid deadlock by only using\nreserved BCS instances for usm migrate exec queue.\n\n(cherry picked from commit 04f4a70a183a688a60fe3882d6e4236ea02cfc67)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-37026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-37078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n  e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n  0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n  <TASK>\n  nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n  nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n  nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n  kthread+0x2f0/0x390\n  ret_from_fork+0x4b/0x80\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-37078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-37354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/ctree.c:2620!\n  invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n  #0  btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n  #1  btrfs_drop_extents (fs/btrfs/file.c:411:4)\n  #2  log_one_extent (fs/btrfs/tree-log.c:4732:9)\n  #3  btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n  #4  btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n  #5  btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n  #6  btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n  #7  btrfs_sync_file (fs/btrfs/file.c:1933:8)\n  #8  vfs_fsync_range (fs/sync.c:188:9)\n  #9  vfs_fsync (fs/sync.c:202:9)\n  #10 do_fsync (fs/sync.c:212:9)\n  #11 __do_sys_fdatasync (fs/sync.c:225:9)\n  #12 __se_sys_fdatasync (fs/sync.c:223:1)\n  #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. 
But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n  leaf 33439744 flags 0x100000000000000\n  fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n                  generation 7 transid 9 size 8192 nbytes 8473563889606862198\n                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n                  sequence 204 flags 0x10(PREALLOC)\n                  atime 1716417703.220000000 (2024-05-22 15:41:43)\n                  ctime 1716417704.983333333 (2024-05-22 15:41:44)\n                  mtime 1716417704.983333333 (2024-05-22 15:41:44)\n                  otime 17592186044416.000000000 (559444-03-08 01:40:16)\n          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n                  index 195 namelen 3 name: 193\n          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n                  location key (0 UNKNOWN.0 0) type XATTR\n                  transid 7 data_len 1 name_len 6\n                  name: user.a\n                  data a\n          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n                  generation 9 type 1 (regular)\n                  extent data disk byte 303144960 nr 12288\n                  extent data offset 0 nr 4096 ram 12288\n                  extent compression 0 (none)\n          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 4096 nr 8192\n      
    item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 8192 nr 4096\n  ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-37356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 
[inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-37356",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n  BUG: Bad page state in process kswapd0  pfn:d6e840\n  page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n  pfn:0xd6e840\n  aops:btree_aops ino:1\n  flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n  page_type: 0xffffffff()\n  raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n  raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n  page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n           Thread A                |                 Thread B\n-----------------------------------+-------------------------------------\n                                   | btree_release_folio()\n\t\t\t\t   | | This is for the page at X + 4K,\n\t\t\t\t   | | Not page X.\n\t\t\t\t   | |\nalloc_extent_buffer()              | |- release_extent_buffer()\n|- filemap_add_folio() for the     | |  |- atomic_dec_and_test(eb->refs)\n|  page at bytenr X (the first     | |  |\n|  page).                          | |  |\n|  Which returned -EEXIST.         | |  |\n|                                  | |  |\n|- filemap_lock_folio()            | |  |\n|  Returned the first page locked. | |  |\n|                                  | |  |\n|- grab_extent_buffer()            | |  |\n|  |- atomic_inc_not_zero()        | |  |\n|  |  Returned false               | |  |\n|  |- folio_detach_private()       | |  |- folio_detach_private() for X\n|     |- folio_test_private()      | |     |- folio_test_private()\n      |  Returned true             | |     |  Returned true\n      |- folio_put()               |       |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n  If the release is on the same first page of an eb, page lock would kick\n  in and prevent the race.\n\n- folio_detach_private() has a very small race window\n  It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n  #!/bin/sh\n  drop_caches () {\n\t  while(true); do\n\t\t  echo 3 > /proc/sys/vm/drop_caches\n\t\t  echo 1 > /proc/sys/vm/compact_memory\n\t  done\n  }\n\n  run_tar () {\n\t  while(true); do\n\t\t  for x in `seq 1 80` ; do\n\t\t\t  tar cf /dev/zero /mnt > /dev/null &\n\t\t  done\n\t\t  wait\n\t  done\n  }\n\n  mkfs.btrfs -f -d single -m single\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from reorder of WRITE ->lqueued\n\n__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start\nis being executed.\n\nIf WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in\nthe loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one\nstat instance being added in blk_cgroup_bio_start(), then the local\nlist in __blkcg_rstat_flush() could be corrupted.\n\nFix the issue by adding one barrier.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38384",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()\n\nirq_find_at_or_after() dereferences the interrupt descriptor which is\nreturned by mt_find() while neither holding sparse_irq_lock nor RCU read\nlock, which means the descriptor can be freed between mt_find() and the\ndereference:\n\n    CPU0                            CPU1\n    desc = mt_find()\n                                    delayed_free_desc(desc)\n    irq_desc_get_irq(desc)\n\nThe use-after-free is reported by KASAN:\n\n    Call trace:\n     irq_get_next_irq+0x58/0x84\n     show_stat+0x638/0x824\n     seq_read_iter+0x158/0x4ec\n     proc_reg_read_iter+0x94/0x12c\n     vfs_read+0x1e0/0x2c8\n\n    Freed by task 4471:\n     slab_free_freelist_hook+0x174/0x1e0\n     __kmem_cache_free+0xa4/0x1dc\n     kfree+0x64/0x128\n     irq_kobj_release+0x28/0x3c\n     kobject_put+0xcc/0x1e0\n     delayed_free_desc+0x14/0x2c\n     rcu_do_batch+0x214/0x720\n\nGuard the access with a RCU read lock section.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38385",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/cs_dsp_ctl: Use private_free for control cleanup\n\nUse the control private_free callback to free the associated data\nblock. This ensures that the memory won't leak, whatever way the\ncontrol gets destroyed.\n\nThe original implementation didn't actually remove the ALSA\ncontrols in hda_cs_dsp_control_remove(). It only freed the internal\ntracking structure. This meant it was possible to remove/unload the\namp driver while leaving its ALSA controls still present in the\nsoundcard. Obviously attempting to access them could cause segfaults\nor at least dereferencing stale pointers.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38388",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails\n\nCalling a6xx_destroy() before adreno_gpu_init() leads to a null pointer\ndereference on:\n\nmsm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);\n\nas gpu->pdev is only assigned in:\n\na6xx_gpu_init()\n|_ adreno_gpu_init\n    |_ msm_gpu_init()\n\nInstead of relying on handwavy null checks down the cleanup chain,\nexplicitly de-allocate the LLC data and free a6xx_gpu instead.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588919/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38390",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38538",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw\n\nWhen running blktests nvme/rdma, the following kmemleak issue will appear.\n\nkmemleak: Kernel memory leak detector initialized (mempool available:36041)\nkmemleak: Automatic memory scanning thread started\nkmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nunreferenced object 0xffff88855da53400 (size 192):\n  comm \"rdma\", pid 10630, jiffies 4296575922\n  hex dump (first 32 bytes):\n    37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00  7...............\n    10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff  .4.].....4.]....\n  backtrace (crc 47f66721):\n    [<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0\n    [<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core]\n    [<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core]\n    [<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core]\n    [<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core]\n    [<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core]\n    [<ffffffffc2a3d389>] 0xffffffffc2a3d389\n    [<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core]\n    [<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]\n    [<ffffffffc264648c>]\nrdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]\n    [<ffffffff9270e7b5>] netlink_unicast+0x445/0x710\n    [<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40\n    [<ffffffff9249db29>] __sys_sendto+0x3a9/0x420\n    [<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0\n    [<ffffffff92db0ad3>] do_syscall_64+0x93/0x180\n    [<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause: rdma_put_gid_attr is not called when sgid_attr is set\nto ERR_PTR(-ENODEV).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38539",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type 'long unsigned int'\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   </TASK>\n  ---[ end trace ]---",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38541",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: boundary check before installing cq callbacks\n\nAdd a boundary check inside mana_ib_install_cq_cb to prevent index overflow.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38542",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out.  As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away.  If the kcalloc() fails, the pages\nmapping a chunk could not be evicted.  So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38543",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault.  This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38544",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38545",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38546",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n  |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n  |\n  |-> sh_css_pipe_unload_binaries()\n        |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38547",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38548",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38549",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38550",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Assign dummy when codec not specified for a DAI link\n\nMediaTek sound card drivers are checking whether a DAI link is present\nand used on a board to assign the correct parameters and this is done\nby checking the codec DAI names at probe time.\n\nIf no real codec is present, assign the dummy codec to the DAI link\nto avoid NULL pointer during string comparison.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38551",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n<IRQ>\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38555",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38556",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: Fix kthread reference\n\nThere is a race condition when a kthread finishes after the deadline and\nbefore the call to kthread_stop(), which may lead to use after free.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: Avoid address calculations via out of bounds array indexing\n\nBefore request->channels[] can be used, request->n_channels must be set.\nAdditionally, address calculations for memory after the \"channels\" array\nneed to be calculated from the allocation base (\"request\") rather than\nvia the first \"out of bounds\" index of \"channels\", otherwise run-time\nbounds checking will throw a warning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix potential memory leakage when reading chip temperature\n\nWithout this commit, reading chip temperature will cause memory leakage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n <TASK>\n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix verifier assumptions about socket->sk\n\nThe verifier assumes that 'sk' field in 'struct socket' is valid\nand non-NULL when 'socket' pointer itself is trusted and non-NULL.\nThat may not be the case when socket was just created and\npassed to LSM socket_accept hook.\nFix this verifier assumption and adjust tests.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n <TASK>\n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n </TASK>\n\n[2] Related syzkaller crashes:",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Fix out-of-bound access when valid event group\n\nThe perf tool allows users to create event groups through following\ncmd [1], but the driver does not check whether the array index is out\nof bounds when writing data to the event_group array. If the number of\nevents in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the\nmemory write overflow of event_group array occurs.\n\nAdd array index check to fix the possible array out of bounds violation,\nand return directly when write new events are written to array bounds.\n\nThere are 9 different events in an event_group.\n[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi_pcie: Fix out-of-bound access when valid event group\n\nThe perf tool allows users to create event groups through following\ncmd [1], but the driver does not check whether the array index is out of\nbounds when writing data to the event_group array. If the number of events\nin an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write\noverflow of event_group array occurs.\n\nAdd array index check to fix the possible array out of bounds violation,\nand return directly when write new events are written to array bounds.\n\nThere are 9 different events in an event_group.\n[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically.  Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace.  This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix out-of-bound access of qmi_invoke_handler()\n\nCurrently, there is no terminator entry for ath12k_qmi_msg_handlers hence\nfacing below KASAN warning,\n\n ==================================================================\n BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148\n Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273\n\n CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0\n Workqueue: qmi_msg_handler qmi_data_ready_work\n Call trace:\n  dump_backtrace+0x0/0x20c\n  show_stack+0x14/0x1c\n  dump_stack+0xe0/0x138\n  print_address_description.isra.5+0x30/0x330\n  __kasan_report+0x16c/0x1bc\n  kasan_report+0xc/0x14\n  __asan_load8+0xa8/0xb0\n  qmi_invoke_handler+0xa4/0x148\n  qmi_handle_message+0x18c/0x1bc\n  qmi_data_ready_work+0x4ec/0x528\n  process_one_work+0x2c0/0x440\n  worker_thread+0x324/0x4b8\n  kthread+0x210/0x228\n  ret_from_fork+0x10/0x18\n\n The address belongs to the variable:\n  ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k]\n [...]\n ==================================================================\n\nAdd a dummy terminator entry at the end to assist the qmi_invoke_handler()\nin traversing up to the terminator entry without accessing an\nout-of-boundary index.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Prevent null-pointer dereference when prog to load has no BTF\n\nIn bpf_objec_load_prog(), there's no guarantee that obj->btf is non-NULL\nwhen passing it to btf__fd(), and this function does not perform any\ncheck before dereferencing its argument (as bpf_object__btf_fd() used to\ndo). As a consequence, we get segmentation fault errors in bpftool (for\nexample) when trying to load programs that come without BTF information.\n\nv2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: pcie: handle randbuf allocation failure\n\nThe kzalloc() in brcmf_pcie_download_fw_nvram() will return null\nif the physical memory has run out. As a result, if we use\nget_random_bytes() to generate random bytes in the randbuf, the\nnull pointer dereference bug will happen.\n\nIn order to prevent allocation failure, this patch adds a separate\nfunction using buffer on kernel stack to generate random bytes in\nthe randbuf, which could prevent the kernel stack from overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38575",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix buffer overflow in print_cpu_stall_info()\n\nThe rcuc-starvation output from print_cpu_stall_info() might overflow the\nbuffer if there is a huge difference in jiffies difference.  The situation\nmight seem improbable, but computers sometimes get very confused about\ntime, which can result in full-sized integers, and, in this case,\nbuffer overflow.\n\nAlso, the unsigned jiffies difference is printed using %ld, which is\nnormally for signed integers.  This is intentional for debugging purposes,\nbut it is not obvious from the code.\n\nThis commit therefore changes sprintf() to snprintf() and adds a\nclarifying comment about intention of %ld format.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n  BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n  Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n  CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x4c/0x70\n   print_report+0xc5/0x610\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   ? kasan_complete_mode_report_info+0x44/0x210\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   kasan_report+0xc2/0x110\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   __asan_store1+0x62/0x80\n   ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n   ? __alloc_pages+0x2e2/0x540\n   ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n   ? dentry_open+0x8f/0xd0\n   ecryptfs_write_metadata+0x30a/0x550\n   ? __pfx_ecryptfs_write_metadata+0x10/0x10\n   ? ecryptfs_get_lower_file+0x6b/0x190\n   ecryptfs_initialize_file+0x77/0x150\n   ecryptfs_create+0x1c2/0x2f0\n   path_openat+0x17cf/0x1ba0\n   ? __pfx_path_openat+0x10/0x10\n   do_filp_open+0x15e/0x290\n   ? __pfx_do_filp_open+0x10/0x10\n   ? __kasan_check_write+0x18/0x30\n   ? _raw_spin_lock+0x86/0xf0\n   ? __pfx__raw_spin_lock+0x10/0x10\n   ? __kasan_check_write+0x18/0x30\n   ? alloc_fd+0xf4/0x330\n   do_sys_openat2+0x122/0x160\n   ? __pfx_do_sys_openat2+0x10/0x10\n   __x64_sys_openat+0xef/0x170\n   ? __pfx___x64_sys_openat+0x10/0x10\n   do_syscall_64+0x60/0xd0\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  RIP: 0033:0x7f00a703fd67\n  Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n  RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n  RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n  RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n  RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n  R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n  R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n   </TASK>\n\n  Allocated by task 181:\n   kasan_save_stack+0x2f/0x60\n   kasan_set_track+0x29/0x40\n   kasan_save_alloc_info+0x25/0x40\n   __kasan_kmalloc+0xc5/0xd0\n   __kmalloc+0x66/0x160\n   ecryptfs_generate_key_packet_set+0x6d2/0xde0\n   ecryptfs_write_metadata+0x30a/0x550\n   ecryptfs_initialize_file+0x77/0x150\n   ecryptfs_create+0x1c2/0x2f0\n   path_openat+0x17cf/0x1ba0\n   do_filp_open+0x15e/0x290\n   do_sys_openat2+0x122/0x160\n   __x64_sys_openat+0xef/0x170\n   do_syscall_64+0x60/0xd0\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-38581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix use-after-free issue\n\nDelete fence fallback timer to fix the ramdom\nuse-after-free issue.\n\nv2: move to amdgpu_mes.c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-38582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()\n\nIn the prueth_probe() function, if one of the calls to emac_phy_connect()\nfails due to of_phy_connect() returning NULL, then the subsequent call to\nphy_attached_info() will dereference a NULL pointer.\n\nCheck the return code of emac_phy_connect and fail cleanly if there is an\nerror.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/nolibc/stdlib: fix memory error in realloc()\n\nPass user_p_len to memcpy() instead of heap->len to prevent realloc()\nfrom copying an extra sizeof(heap) bytes from beyond the allocated\nregion.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values.  This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\n\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n        __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n        _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n        spin_lock_bh include/linux/spinlock.h:356 [inline]\n        nr_remove_node net/netrom/nr_route.c:299 [inline]\n        nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n        nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n        sock_do_ioctl+0x158/0x460 net/socket.c:1222\n        sock_ioctl+0x629/0x8e0 net/socket.c:1341\n        
vfs_ioctl fs/ioctl.c:51 [inline]\n        __do_sys_ioctl fs/ioctl.c:904 [inline]\n        __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n        check_prev_add kernel/locking/lockdep.c:3134 [inline]\n        check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n        validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n        __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n        __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n        _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n        spin_lock_bh include/linux/spinlock.h:356 [inline]\n        nr_node_lock include/net/netrom.h:152 [inline]\n        nr_dec_obs net/netrom/nr_route.c:464 [inline]\n        nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n        sock_do_ioctl+0x158/0x460 net/socket.c:1222\n        sock_ioctl+0x629/0x8e0 net/socket.c:1341\n        vfs_ioctl fs/ioctl.c:51 [inline]\n        __do_sys_ioctl fs/ioctl.c:904 [inline]\n        __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(nr_node_list_lock);\n                               lock(&nr_node->node_lock);\n                               lock(nr_node_list_lock);\n  lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n  #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n  #0: ffffffff8f7053b8 
(nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n  #0: ffffffff8f70\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Init `ddp_comp` with devm_kcalloc()\n\nIn the case where `conn_routes` is true we allocate an extra slot in\nthe `ddp_comp` array but mtk_drm_crtc_create() never seemed to\ninitialize it in the test case I ran. For me, this caused a later\ncrash when we looped through the array in mtk_drm_crtc_mode_valid().\nThis showed up for me when I booted with `slub_debug=FZPUA` which\npoisons the memory initially. Without `slub_debug` I couldn't\nreproduce, presumably because the later code handles the value being\nNULL and in most cases (not guaranteed in all cases) the memory the\nallocator returned started out as 0.\n\nIt really doesn't hurt to initialize the array with devm_kcalloc()\nsince the array is small and the overhead of initting a handful of\nelements to 0 is small. In general initting memory to zero is a safer\npractice and usually it's suggested to only use the non-initting alloc\nfunctions if you really need to.\n\nLet's switch the function to use an allocation function that zeros the\nmemory. For me, this avoids the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38592",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: micrel: Fix receiving the timestamp in the frame for lan8841\n\nThe blamed commit started to use the ptp workqueue to get the second\npart of the timestamp. And when the port was set down, then this\nworkqueue is stopped. But if the config option NETWORK_PHY_TIMESTAMPING\nis not enabled, then the ptp_clock is not initialized so then it would\ncrash when it would try to access the delayed work.\nSo then basically by setting up and then down the port, it would crash.\nThe fix consists in checking if the ptp_clock is initialized and only\nthen cancel the delayed work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n  __mutex_lock+0xd84/0x1068\n  mutex_lock_nested+0x28/0x34\n  tc_setup_taprio+0x118/0x68c\n  stmmac_setup_tc+0x50/0xf0\n  taprio_change+0x868/0xc9c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix peer devlink set for SF representor devlink port\n\nThe cited patch change register devlink flow, and neglect to reflect\nthe changes for peer devlink set logic. Peer devlink set is\ntriggering a call trace if done after devl_register.[1]\n\nHence, align peer devlink set logic with register devlink flow.\n\n[1]\nWARNING: CPU: 4 PID: 3394 at net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180\nCPU: 4 PID: 3394 Comm: kworker/u40:1 Not tainted 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_08 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core]\nRIP: 0010:devlink_rel_nested_in_add+0x177/0x180\nCall Trace:\n <TASK>\n ? __warn+0x78/0x120\n ? devlink_rel_nested_in_add+0x177/0x180\n ? report_bug+0x16d/0x180\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? devlink_port_init+0x30/0x30\n ? devlink_port_type_clear+0x50/0x50\n ? devlink_rel_nested_in_add+0x177/0x180\n ? devlink_rel_nested_in_add+0xdd/0x180\n mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core]\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_sf_dev_probe+0x185/0x3e0 [mlx5_core]\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc5/0x3a0\n ? 
driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x64f/0x860\n __auxiliary_device_add+0x3b/0xa0\n mlx5_sf_dev_add+0x139/0x330 [mlx5_core]\n mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core]\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core]\n process_one_work+0x13f/0x2e0\n worker_thread+0x2bd/0x3c0\n ? rescuer_thread+0x410/0x410\n kthread+0xc4/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x2d/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be 
protected by unix_state_lock() as discussed in",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n  netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n  WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n  sectors = raid10_sync_request(mddev, j, &skipped)\n   if (!md_bitmap_start_sync(..., &sync_blocks))\n    // md_bitmap_start_sync set sync_blocks to 0\n    return sync_blocks + sectors_skippe;\n  // sectors = 0;\n  j += sectors;\n  // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend.  The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state.  Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n  snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n  delete a kctl via snd_ctl_remove*(); it tries to take\n  card->controls_rwsem again, but this is already locked by the\n  above.  Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming.  While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  <TASK>\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  </TASK>\n[  190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() have a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increased when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down, ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause a\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\n\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\n\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38603",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: refine the EOF check in blkdev_iomap_begin\n\nblkdev_iomap_begin rounds down the offset to the logical block size\nbefore stashing it in iomap->offset and checking that it still is\ninside the inode size.\n\nCheck the i_size check to the raw pos value so that we don't try a\nzero size write if iter->pos is unaligned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'.  This works in most cases, but the devils are always in\ndetails.  \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not.  Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL.  This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef.  The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check.  Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38605",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - validate slices count returned by FW\n\nThe function adf_send_admin_tl_start() enables the telemetry (TL)\nfeature on a QAT device by sending the ICP_QAT_FW_TL_START message to\nthe firmware. This triggers the FW to start writing TL data to a DMA\nbuffer in memory and returns an array containing the number of\naccelerators of each type (slices) supported by this HW.\nThe pointer to this array is stored in the adf_tl_hw_data data\nstructure called slice_cnt.\n\nThe array slice_cnt is then used in the function tl_print_dev_data()\nto report in debugfs only statistics about the supported accelerators.\nAn incorrect value of the elements in slice_cnt might lead to an out\nof bounds memory read.\nAt the moment, there isn't an implementation of FW that returns a wrong\nvalue, but for robustness validate the slice count array returned by FW.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n  mlx5e_attach_netdev\n   mlx5e_nic_enable  <-- netdev not reg, not calling netif_device_attach()\n  register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n <TASK>\n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000  ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: connac: check for null before dereferencing\n\nThe wcid can be NULL. It should be checked for validity before\ndereferencing it to avoid crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38609",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver.  It\ncompiles, that's all I know.  I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation.  Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38611",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks.  This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads.  The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely.  resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner.  This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space).  Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38613",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenrisc: traps: Don't send signals to kernel mode threads\n\nOpenRISC exception handling sends signals to user processes on floating\npoint exceptions and trap instructions (for debugging) among others.\nThere is a bug where the trap handling logic may send signals to kernel\nthreads; we should not send these signals to kernel threads, and if that\nhappens we treat it as an error.\n\nThis patch adds conditions to die if the kernel receives these\nexceptions in kernel mode code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: re-fix fortified-memset warning\n\nThe carl9170_tx_release() function sometimes triggers a fortified-memset\nwarning in my randconfig builds:\n\nIn file included from include/linux/string.h:254,\n                 from drivers/net/wireless/ath/carl9170/tx.c:40:\nIn function 'fortify_memset_chk',\n    inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,\n    inlined from 'kref_put' at include/linux/kref.h:65:3,\n    inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:\ninclude/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]\n  493 |                         __write_overflow_field(p_size_field, size);\n\nKees previously tried to avoid this by using memset_after(), but it seems\nthis does not fully address the problem. I noticed that the memset_after()\nhere is done on a different part of the union (status) than the original\ncast was from (rate_driver_data), which may confuse the compiler.\n\nUnfortunately, the memset_after() trick does not work on driver_rates[]\nbecause that is part of an anonymous struct, and I could not get\nstruct_group() to do this either. Using two separate memset() calls\non the two members does address the warning though.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit/fortify: Fix mismatched kvalloc()/vfree() usage\n\nThe kv*() family of tests were accidentally freeing with vfree() instead\nof kvfree(). Use kvfree() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer.  Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queues the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n  first initialization.\n- Add an error check for the return value of alauda_init_media().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Remove HCI_AMP support\n\nSince BT_HS has been removed, HCI_AMP controllers no longer have any use, so\nremove them along with the capability of creating AMP controllers.\n\nSince we no longer need to differentiate between AMP and Primary\ncontrollers, as only HCI_PRIMARY is left, this also removes\nhdev->dev_type altogether.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed.  The ->length is the length\nof the buffer.  The ->bytesused is how many bytes we have copied thus\nfar.  When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value.  That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\".  Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved.  You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn.  Otherwise, write up to buf->length bytes.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add callback function pointer check before its call\n\nIn dpu_core_irq_callback_handler() callback function pointer is compared to NULL,\nbut then callback function is unconditionally called by this pointer.\nFix this bug by adding conditional return.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588237/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: clear FR_SENT when re-adding requests into pending list\n\nThe following warning was reported by lee bruce:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300\n  fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n  Modules linked in:\n  CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n  ......\n  Call Trace:\n  <TASK>\n  fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334\n  fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367\n  call_read_iter include/linux/fs.h:2104 [inline]\n  new_sync_read fs/read_write.c:395 [inline]\n  vfs_read+0x85b/0xba0 fs/read_write.c:476\n  ksys_read+0x12f/0x260 fs/read_write.c:619\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  ......\n  </TASK>\n\nThe warning is due to the FUSE_NOTIFY_RESEND notify sent by the write()\nsyscall in the reproducer program and it happens as follows:\n\n(1) calls fuse_dev_read() to read the INIT request\nThe read succeeds. During the read, bit FR_SENT will be set on the\nrequest.\n(2) calls fuse_dev_write() to send an USE_NOTIFY_RESEND notify\nThe resend notify will resend all processing requests, so the INIT\nrequest is moved from processing list to pending list again.\n(3) calls fuse_dev_read() with an invalid output address\nfuse_dev_read() will try to copy the same INIT request to the output\naddress, but it will fail due to the invalid address, so the INIT\nrequest is ended and triggers the warning in fuse_request_end().\n\nFix it by clearing FR_SENT when re-adding requests into pending list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Avoid unnecessary destruction of file_ida\n\nfile_ida is allocated during cdev open and is freed accordingly\nduring cdev release. This sequence is guaranteed by driver file\noperations. Therefore, there is no need to destroy an already empty\nfile_ida when the WQ cdev is removed.\n\nWorse, ida_free() in cdev release may happen after destruction of\nfile_ida per WQ cdev. This can lead to accessing an id in file_ida\nafter it has been destroyed, resulting in a kernel panic.\n\nRemove ida_destroy(&file_ida) to address these issues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: PAC1934: fix accessing out of bounds array index\n\nFix accessing out of bounds array index for average\ncurrent and voltage measurements. The device itself has\nonly 4 channels, but in sysfs there are \"fake\"\nchannels for the average voltages and currents too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod \u2014 rmmod \u2014 insmod cycle the kernel\noopses:\n\n  max3100 spi-PRP0001:01: max3100_probe: adding port 0\n  BUG: kernel NULL pointer dereference, address: 0000000000000408\n  ...\n  RIP: 0010:serial_core_register_port+0xa0/0x840\n  ...\n   max3100_probe+0x1b6/0x280 [max3100]\n   spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n  WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n  ...\n  Workqueue: max3100-0 max3100_work [max3100]\n  RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n  ...\n   max3100_handlerx+0xc5/0x110 [max3100]\n   max3100_work+0x12a/0x340 [max3100]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: multidev: fix to recognize valid zero block address\n\nAs reported by Yi Zhang in mailing list [1], kernel warning was catched\nduring zbd/010 test as below:\n\n./check zbd/010\nzbd/010 (test gap zone support with F2FS)                    [failed]\n    runtime    ...  3.752s\n    something found in dmesg:\n    [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13\n    [ 4378.192349] null_blk: module loaded\n    [ 4378.209860] null_blk: disk nullb0 created\n    [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim\npoll_queues to 0. poll_q/nr_hw = (0/1)\n    [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520]\n                     dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0\n    [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux\nscsi_debug       0191 PQ: 0 ANSI: 7\n    [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred\n    [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20\n    [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device\n    ...\n    (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg'\n\nWARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51\nCPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1\nRIP: 0010:iomap_iter+0x32b/0x350\nCall Trace:\n <TASK>\n __iomap_dio_rw+0x1df/0x830\n f2fs_file_read_iter+0x156/0x3d0 [f2fs]\n aio_read+0x138/0x210\n io_submit_one+0x188/0x8c0\n __x64_sys_io_submit+0x8c/0x1a0\n do_syscall_64+0x86/0x170\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nShinichiro Kawasaki helps to analyse this issue and proposes a potential\nfixing patch in [2].\n\nQuoted from reply of Shinichiro Kawasaki:\n\n\"I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a\nlook in the commit, but it looks fine to me. So I thought the cause is not\nin the commit diff.\n\nI found the WARN is printed when the f2fs is set up with multiple devices,\nand read requests are mapped to the very first block of the second device in the\ndirect read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached()\nmodify map->m_pblk as the physical block address from each block device. It\nbecomes zero when it is mapped to the first block of the device. However,\nf2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the\nwhole f2fs, across the all block devices. It compares map->m_pblk against\nNULL_ADDR == 0, then go into the unexpected branch and sets the invalid\niomap->length. The WARN catches the invalid iomap->length.\n\nThis WARN is printed even for non-zoned block devices, by following steps.\n\n - Create two (non-zoned) null_blk devices memory backed with 128MB size each:\n   nullb0 and nullb1.\n # mkfs.f2fs /dev/nullb0 -c /dev/nullb1\n # mount -t f2fs /dev/nullb0 \"${mount_dir}\"\n # dd if=/dev/zero of=\"${mount_dir}/test.dat\" bs=1M count=192\n # dd if=\"${mount_dir}/test.dat\" of=/dev/null bs=1M count=192 iflag=direct\n\n...\"\n\nSo, the root cause of this issue is: when multi-devices feature is on,\nf2fs_map_blocks() may return zero blkaddr in non-primary device, which is\na verified valid block address, however, f2fs_iomap_begin() treats it as\nan invalid block address, and then it triggers the warning in iomap\nframework code.\n\nFinally, as discussed, we decide to use a more simple and direct way that\nchecking (map.m_flags & F2FS_MAP_MAPPED) condition instead of\n(map.m_pblk != NULL_ADDR) to fix this issue.\n\nThanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this\nissue.\n\n[1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/\n[2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from resetting io stat\n\nSince commit 3b8cc6298724 (\"blk-cgroup: Optimize blkcg_rstat_flush()\"),\neach iostat instance is added to blkcg percpu list, so blkcg_reset_stats()\ncan't reset the stat instance by memset(), otherwise the llist may be\ncorrupted.\n\nFix the issue by only resetting the counter part.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dpsub: Always register bridge\n\nWe must always register the DRM bridge, since zynqmp_dp_hpd_work_func\ncalls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be\ninitialized. We do this before zynqmp_dpsub_drm_init since that calls\ndrm_bridge_attach. This fixes the following lockdep warning:\n\n[   19.217084] ------------[ cut here ]------------\n[   19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[   19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550\n[   19.241696] Modules linked in:\n[   19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96\n[   19.252046] Hardware name: xlnx,zynqmp (DT)\n[   19.256421] Workqueue: events zynqmp_dp_hpd_work_func\n[   19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   19.269104] pc : __mutex_lock+0x4bc/0x550\n[   19.273364] lr : __mutex_lock+0x4bc/0x550\n[   19.277592] sp : ffffffc085c5bbe0\n[   19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8\n[   19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000\n[   19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000\n[   19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000\n[   19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720\n[   19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001\n[   19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888\n[   19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000\n[   19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000\n[   19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880\n[   19.356581] Call trace:\n[   19.359160]  __mutex_lock+0x4bc/0x550\n[   19.363032]  mutex_lock_nested+0x24/0x30\n[   19.367187]  drm_bridge_hpd_notify+0x2c/0x6c\n[   19.371698]  zynqmp_dp_hpd_work_func+0x44/0x54\n[   19.376364]  process_one_work+0x3ac/0x988\n[   19.380660]  worker_thread+0x398/0x694\n[   19.384736]  kthread+0x1bc/0x1c0\n[   19.388241]  ret_from_fork+0x10/0x20\n[   19.392031] irq event stamp: 183\n[   19.395450] hardirqs last  enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4\n[   19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04\n[   19.413612] softirqs last  enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[   19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[   19.432614] ---[ end trace 0000000000000000 ]---\n\n(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-38780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n <TASK>\n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n <TASK>\ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Fix FSM command timeout issue\n\nWhen driver processes the internal state change command, it use an\nasynchronous thread to process the command operation. If the main\nthread detects that the task has timed out, the asynchronous thread\nwill panic when executing the completion notification because the\nmain thread completion object has been released.\n\nBUG: unable to handle page fault for address: fffffffffffffff8\nPGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:complete_all+0x3e/0xa0\n[...]\nCall Trace:\n <TASK>\n ? __die_body+0x68/0xb0\n ? page_fault_oops+0x379/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? complete_all+0x3e/0xa0\n fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)]\n ? __pfx_autoremove_wake_function+0x10/0x10\n kthread+0xd8/0x110\n ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)]\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n[...]\nCR2: fffffffffffffff8\n---[ end trace 0000000000000000 ]---\n\nUse the reference counter to ensure safe release as Sergey suggests:\nhttps://lore.kernel.org/all/da90f64c-260a-4329-87bf-1f9ff20a5951@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-39291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()\n\nThe function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating\nabout potential truncation of output when using the snprintf function.\nThe issue was due to the size of the buffer 'ucode_prefix' being too\nsmall to accommodate the maximum possible length of the string being\nwritten into it.\n\nThe string being written is \"amdgpu/%s_mec.bin\" or \"amdgpu/%s_rlc.bin\",\nwhere %s is replaced by the value of 'chip_name'. The length of this\nstring without the %s is 16 characters. The warning message indicated\nthat 'chip_name' could be up to 29 characters long, resulting in a total\nof 45 characters, which exceeds the buffer size of 30 characters.\n\nTo resolve this issue, the size of the 'ucode_prefix' buffer has been\nreduced from 30 to 15. This ensures that the maximum possible length of\nthe string being written into the buffer will not exceed its size, thus\npreventing potential buffer overflow and truncation issues.\n\nFixes the below with gcc W=1:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function \u2018gfx_v9_4_3_early_init\u2019:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n  379 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n      |                                                    ^~\n......\n  439 |         r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);\n      |                                                 ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n  379 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n  413 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n      |                                                    ^~\n......\n  443 |         r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix);\n      |                                                        ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n  413 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\").  Here are the relevant\nfunctions being called:\n\nbonding_exit()\n  bond_destroy_debugfs()\n    debugfs_remove_recursive(bonding_debug_root);\n    bonding_debug_root = NULL; <--------- SET TO NULL HERE\n  bond_netlink_fini()\n    rtnl_link_unregister()\n      __rtnl_link_unregister()\n        unregister_netdevice_many_notify()\n          bond_uninit()\n            bond_debug_unregister()\n              (commit removed check for bonding_debug_root == NULL)\n              debugfs_remove()\n              simple_recursive_removal()\n                down_write() -> OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n  rmmod bonding\n    bonding_exit()\n      bond_destroy_debugfs()\n        debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n  echo -bond0 > /sys/class/net/bonding_masters\n    bond_uninit()\n      bond_debug_unregister()\n        if (!bonding_debug_root)\n\nCPU1\n        bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval.  The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS:  00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n </TASK>\nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types  pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n <TASK>\n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n </TASK>\n\nThe root cause should be the below race:\n\n memory_failure\n  try_memory_failure_hugetlb\n   me_huge_page\n    __page_handle_poison\n     dissolve_free_hugetlb_folio\n     drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n     take_page_off_buddy -- Failed as page is not in the \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for non-NULL file pointer in io_file_can_poll()\n\nIn earlier kernels, it was possible to trigger a NULL pointer\ndereference off the forced async preparation path, if no file had\nbeen assigned. The trace leading to that looks as follows:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\nRIP: 0010:io_buffer_select+0xc3/0x210\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\nFS:  00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n ? __die+0x1f/0x60\n ? page_fault_oops+0x14d/0x420\n ? do_user_addr_fault+0x61/0x6a0\n ? exc_page_fault+0x6c/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? io_buffer_select+0xc3/0x210\n __io_import_iovec+0xb5/0x120\n io_readv_prep_async+0x36/0x70\n io_queue_sqe_fallback+0x20/0x260\n io_submit_sqes+0x314/0x630\n __do_sys_io_uring_enter+0x339/0xbc0\n ? __do_sys_io_uring_register+0x11b/0xc50\n ? vm_mmap_pgoff+0xce/0x160\n do_syscall_64+0x5f/0x180\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x55e0a110a67e\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\n\nbecause the request is marked forced ASYNC and has a bad file fd, and\nhence takes the forced async prep path.\n\nCurrent kernels with the request async prep cleaned up can no longer hit\nthis issue, but for ease of backporting, let's add this safety check in\nhere too as it really doesn't hurt. For both cases, this will inevitably\nend with a CQE posted with -EBADF.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39371",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nraspberrypi_discover_clocks() due to ->num being assigned after ->hws\nhas been accessed:\n\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4\n  index 3 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39461",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: dvp: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nclk_dvp_probe() due to ->num being assigned after ->hws has been\naccessed:\n\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2\n  index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39462",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39463",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix notifier list entry init\n\nstruct v4l2_async_notifier has several list_head members, but only\nwaiting_list and done_list are initialized. notifier_entry was kept\n'zeroed' leading to an uninitialized list_head.\nThis results in a NULL-pointer dereference if csi2_async_register() fails,\ne.g. node for remote endpoint is disabled, and returns -ENOTCONN.\nThe following calls to v4l2_async_nf_unregister() results in a NULL\npointer dereference.\nAdd the missing list head initializer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39464",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mgb4: Fix double debugfs remove\n\nFixes an error where debugfs_remove_recursive() is called first on a parent\ndirectory and then again on a child which causes a kernel panic.\n\n[hverkuil: added Fixes/Cc tags]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39465",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39466",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39468",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39469",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Fix a possible null pointer dereference in eventfs_find_events()\n\nIn function eventfs_find_events, there is a potential null pointer\nthat may be caused by calling update_events_attr which will perform\nsome operations on the members of the ei struct when ei is NULL.\n\nHence, when ei->is_freed is set, return NULL directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39470",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nIf sdma_v4_0_irq_id_to_seq returns -EINVAL, the process should\nbe stopped to avoid out-of-bounds read, so directly return -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39471",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix log recovery buffer allocation for the legacy h_size fixup\n\nCommit a70f9fe52daa (\"xfs: detect and handle invalid iclog size set by\nmkfs\") added a fixup for incorrect h_size values used for the initial\numount record in old xfsprogs versions.  Later commit 0c771b99d6c9\n(\"xfs: clean up calculation of LR header blocks\") cleaned up the log\nrecovery buffer calculation, but stopped using the fixed up h_size value\nto size the log recovery buffer, which can lead to an out of bounds\naccess when the incorrect h_size does not come from the old mkfs\ntool, but a fuzzer.\n\nFix this by open coding xlog_logrec_hblks and taking the fixed h_size\ninto account for this calculation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39472",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension\n\nIf a process module does not have base config extension then the same\nformat applies to all of its inputs and the process->base_config_ext is\nNULL, causing NULL dereference when specifically crafted topology and\nsequences used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39473",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL\n\ncommit a421ef303008 (\"mm: allow !GFP_KERNEL allocations for kvmalloc\")\nincludes support for __GFP_NOFAIL, but it presents a conflict with commit\ndd544141b9eb (\"vmalloc: back off when the current task is OOM-killed\").  A\npossible scenario is as follows:\n\nprocess-a\n__vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)\n    __vmalloc_area_node()\n        vm_area_alloc_pages()\n\t\t--> oom-killer send SIGKILL to process-a\n        if (fatal_signal_pending(current)) break;\n--> return NULL;\n\nTo fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()\nif __GFP_NOFAIL set.\n\nThis issue occurred during OPLUS KASAN TEST. Below is part of the log\n-> oom-killer sends signal to process\n[65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198\n\n[65731.259685] [T32454] Call trace:\n[65731.259698] [T32454]  dump_backtrace+0xf4/0x118\n[65731.259734] [T32454]  show_stack+0x18/0x24\n[65731.259756] [T32454]  dump_stack_lvl+0x60/0x7c\n[65731.259781] [T32454]  dump_stack+0x18/0x38\n[65731.259800] [T32454]  mrdump_common_die+0x250/0x39c [mrdump]\n[65731.259936] [T32454]  ipanic_die+0x20/0x34 [mrdump]\n[65731.260019] [T32454]  atomic_notifier_call_chain+0xb4/0xfc\n[65731.260047] [T32454]  notify_die+0x114/0x198\n[65731.260073] [T32454]  die+0xf4/0x5b4\n[65731.260098] [T32454]  die_kernel_fault+0x80/0x98\n[65731.260124] [T32454]  __do_kernel_fault+0x160/0x2a8\n[65731.260146] [T32454]  do_bad_area+0x68/0x148\n[65731.260174] [T32454]  do_mem_abort+0x151c/0x1b34\n[65731.260204] [T32454]  el1_abort+0x3c/0x5c\n[65731.260227] [T32454]  el1h_64_sync_handler+0x54/0x90\n[65731.260248] [T32454]  el1h_64_sync+0x68/0x6c\n\n[65731.260269] [T32454]  z_erofs_decompress_queue+0x7f0/0x2258\n--> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);\n\tkernel panic by NULL pointer dereference.\n\terofs assume kvmalloc with __GFP_NOFAIL never return NULL.\n[65731.260293] [T32454]  z_erofs_runqueue+0xf30/0x104c\n[65731.260314] [T32454]  z_erofs_readahead+0x4f0/0x968\n[65731.260339] [T32454]  read_pages+0x170/0xadc\n[65731.260364] [T32454]  page_cache_ra_unbounded+0x874/0xf30\n[65731.260388] [T32454]  page_cache_ra_order+0x24c/0x714\n[65731.260411] [T32454]  filemap_fault+0xbf0/0x1a74\n[65731.260437] [T32454]  __do_fault+0xd0/0x33c\n[65731.260462] [T32454]  handle_mm_fault+0xf74/0x3fe0\n[65731.260486] [T32454]  do_mem_abort+0x54c/0x1b34\n[65731.260509] [T32454]  el0_da+0x44/0x94\n[65731.260531] [T32454]  el0t_64_sync_handler+0x98/0xb4\n[65731.260553] [T32454]  el0t_64_sync+0x198/0x19c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39474",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab (\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn't handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING\n\nXiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with\nsmall possibility, the root cause is exactly the same as commit\nbed9e27baf52 (\"Revert \"md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d\"\")\n\nHowever, Dan reported another hang after that, and junxiao investigated\nthe problem and found out that this is caused by plugged bio can't issue\nfrom raid5d().\n\nCurrent implementation in raid5d() has a weird dependence:\n\n1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear\n   MD_SB_CHANGE_PENDING;\n2) raid5d() handles IO in a deadloop, until all IO are issued;\n3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;\n\nThis behaviour was introduced before v2.6, and as a consequence, if another\ncontext holds 'reconfig_mutex', and md_check_recovery() can't update\nsuper_block, then raid5d() will waste one cpu 100% by the deadloop, until\n'reconfig_mutex' is released.\n\nRefer to the implementation from raid1 and raid10, fix this problem by\nskipping issue IO if MD_SB_CHANGE_PENDING is still set after\nmd_check_recovery(), daemon thread will be woken up when 'reconfig_mutex'\nis released. Meanwhile, the hang problem will be fixed as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: do not call vma_add_reservation upon ENOMEM\n\nsyzbot reported a splat [1] on __unmap_hugepage_range().  This is because\nvma_needs_reservation() can return -ENOMEM if\nallocate_file_region_entries() fails to allocate the file_region struct\nfor the reservation.\n\nCheck for that and do not call vma_add_reservation() if that is the case,\notherwise region_abort() and region_del() will see that we do not have any\nfile_regions.\n\nIf we detect that vma_needs_reservation() returned -ENOMEM, we clear the\nhugetlb_restore_reserve flag as if this reservation was still consumed, so\nfree_huge_folio() will not increment the resv count.\n\n[1] https://lore.kernel.org/linux-mm/0000000000004096100617c58d54@google.com/T/#ma5983bc1ab18a54910da83416b3f89f3c7ee43aa",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Do not free stack buffer\n\nRSA text data uses variable length buffer allocated in software stack.\nCalling kfree on it causes undefined behaviour in subsequent operations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hwmon: Get rid of devm\n\nWhen both hwmon and hwmon drvdata (on which hwmon depends) are device\nmanaged resources, the expectation, on device unbind, is that hwmon will be\nreleased before drvdata. However, in i915 there are two separate code\npaths, which both release either drvdata or hwmon and either can be\nreleased before the other. These code paths (for device unbind) are as\nfollows (see also the bug referenced below):\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_group+0xb2/0x110\ncomponent_unbind_all+0x8d/0xa0\ncomponent_del+0xa5/0x140\nintel_pxp_tee_component_fini+0x29/0x40 [i915]\nintel_pxp_fini+0x33/0x80 [i915]\ni915_driver_remove+0x4c/0x120 [i915]\ni915_pci_remove+0x19/0x30 [i915]\npci_device_remove+0x32/0xa0\ndevice_release_driver_internal+0x19c/0x200\nunbind_store+0x9c/0xb0\n\nand\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_all+0x8a/0xc0\ndevice_unbind_cleanup+0x9/0x70\ndevice_release_driver_internal+0x1c1/0x200\nunbind_store+0x9c/0xb0\n\nThis means that in i915, if we use devm, we cannot guarantee that hwmon will\nalways be released before drvdata. Which means that we have a uaf if hwmon\nsysfs is accessed when drvdata has been released but hwmon hasn't.\n\nThe only way out of this seems to be to get rid of devm_ and release/free\neverything explicitly during device unbind.\n\nv2: Change commit message and other minor code changes\nv3: Cleanup from i915_hwmon_register on error (Armin Wolf)\nv4: Eliminate potential static analyzer warning (Rodrigo)\n    Eliminate fetch_and_zero (Jani)\nv5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc: Fix graph walk in media_pipeline_start\n\nThe graph walk tries to follow all links, even if they are not between\npads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link.\n\nFix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK\nlinks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39482",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked\n\nWhen requesting an NMI window, WARN on vNMI support being enabled if and\nonly if NMIs are actually masked, i.e. if the vCPU is already handling an\nNMI.  KVM's ABI for NMIs that arrive simultaneously (from KVM's point of\nview) is to inject one NMI and pend the other.  When using vNMI, KVM pends\nthe second NMI simply by setting V_NMI_PENDING, and lets the CPU do the\nrest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected).\n\nHowever, if KVM can't immediately inject an NMI, e.g. because the vCPU is\nin an STI shadow or is running with GIF=0, then KVM will request an NMI\nwindow and trigger the WARN (but still function correctly).\n\nWhether or not the GIF=0 case makes sense is debatable, as the intent of\nKVM's behavior is to provide functionality that is as close to real\nhardware as possible.  E.g. if two NMIs are sent in quick succession, the\nprobability of both NMIs arriving in an STI shadow is infinitesimally low\non real hardware, but significantly larger in a virtual environment, e.g.\nif the vCPU is preempted in the STI shadow.  For GIF=0, the argument isn't\nas clear cut, because the window where two NMIs can collide is much larger\nin bare metal (though still small).\n\nThat said, KVM should not have divergent behavior for the GIF=0 case based\non whether or not vNMI support is enabled.  And KVM has allowed\nsimultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400\n(\"KVM: Fix simultaneous NMIs\").  I.e. KVM's GIF=0 handling shouldn't be\nmodified without a *really* good reason to do so, and if KVM's behavior\nwere to be modified, it should be done irrespective of vNMI support.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39483",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback being\ndiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.\nusing sysfs or hotplug), the driver is just removed without the cleanup\nbeing performed. This results in resource leaks. Fix it by compiling in the\nremove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\nWARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in\nreference: davinci_mmcsd_driver+0x10 (section: .data) ->\ndavinci_mmcsd_remove (section: .exit.text)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Properly re-initialise notifier entry in unregister\n\nThe notifier_entry of a notifier is not re-initialised after unregistering\nthe notifier. This leads to dangling pointers being left there, so use\nlist_del_init() to return the notifier_entry to an empty list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39485",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/drm_file: Fix pid refcounting race\n\n<maarten.lankhorst@linux.intel.com>, Maxime Ripard\n<mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>\n\nfilp->pid is supposed to be a refcounted pointer; however, before this\npatch, drm_file_update_pid() only increments the refcount of a struct\npid after storing a pointer to it in filp->pid and dropping the\ndev->filelist_mutex, making the following race possible:\n\nprocess A               process B\n=========               =========\n                        begin drm_file_update_pid\n                        mutex_lock(&dev->filelist_mutex)\n                        rcu_replace_pointer(filp->pid, <pid B>, 1)\n                        mutex_unlock(&dev->filelist_mutex)\nbegin drm_file_update_pid\nmutex_lock(&dev->filelist_mutex)\nrcu_replace_pointer(filp->pid, <pid A>, 1)\nmutex_unlock(&dev->filelist_mutex)\nget_pid(<pid A>)\nsynchronize_rcu()\nput_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***\n                        get_pid(<pid B>)   *** UAF ***\n                        synchronize_rcu()\n                        put_pid(<pid A>)\n\nAs far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y\nbecause it requires RCU to detect a quiescent state in code that is not\nexplicitly calling into the scheduler.\n\nThis race leads to use-after-free of a \"struct pid\".\nIt is probably somewhat hard to hit because process A has to pass\nthrough a synchronize_rcu() operation while process B is between\nmutex_unlock() and get_pid().\n\nFix it by ensuring that by the time a pointer to the current task's pid\nis stored in the file, an extra reference to the pid has been taken.\n\nThis fix also removes the condition for synchronize_rcu(); I think\nthat optimization is unnecessary complexity, since in that case we\nwould usually have bailed out on the lockless check above.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39486",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that structs\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alignment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kernel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix missing sk_buff release in seg6_input_core\n\nThe seg6_input() function is responsible for adding the SRH into a\npacket, delegating the operation to the seg6_input_core(). This function\nuses the skb_cow_head() to ensure that there is sufficient headroom in\nthe sk_buff for accommodating the link-layer header.\nIn the event that the skb_cow_header() function fails, the\nseg6_input_core() catches the error but it does not release the sk_buff,\nwhich will result in a memory leak.\n\nThis issue was introduced in commit af3b5158b89d (\"ipv6: sr: fix BUG due\nto headroom too small after SRH push\") and persists even after commit\n7a3f5b0de364 (\"netfilter: add netfilter hooks to SRv6 data plane\"),\nwhere the entire seg6_input() code was refactored to deal with netfilter\nhooks.\n\nThe proposed patch addresses the identified memory leak by requiring the\nseg6_input_core() function to release the sk_buff in the event that\nskb_cow_head() fails.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39490",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l56: Fix lifetime of cs_dsp instance\n\nThe cs_dsp instance is initialized in the driver probe() so it\nshould be freed in the driver remove(). Also fix a missing call\nto cs_dsp_remove() in the error path of cs35l56_hda_common_probe().\n\nThe call to cs_dsp_remove() was being done in the component unbind\ncallback cs35l56_hda_unbind(). This meant that if the driver was\nunbound and then re-bound it would be using an uninitialized cs_dsp\ninstance.\n\nIt is best to initialize the cs_dsp instance in probe() so that it\ncan return an error if it fails. The component binding API doesn't\nhave any error handling so there's no way to handle a failure if\ncs_dsp was initialized in the bind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39491",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Fix pm_runtime_get_sync() warning in mbox shutdown\n\nThe return value of pm_runtime_get_sync() in cmdq_mbox_shutdown()\nwill return 1 when pm runtime state is active, and we don't want to\nget the warning message in this case.\n\nSo we change the return value < 0 for WARN_ON().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39492",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - Fix ADF_DEV_RESET_SYNC memory leak\n\nUsing completion_done to determine whether the caller has gone\naway only works after a complete call.  Furthermore it's still\npossible that the caller has not yet called wait_for_completion,\nresulting in another potential UAF.\n\nFix this by making the caller use cancel_work_sync and then freeing\nthe memory safely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39493",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Fix use-after-free on a dentry's dname.name\n\n->d_name.name can change on rename and the earlier value can be freed;\nthere are conditions sufficient to stabilize it (->d_lock on dentry,\n->d_lock on its parent, ->i_rwsem exclusive on the parent's inode,\nrename_lock), but none of those are met at any of the sites. Take a stable\nsnapshot of the name instead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39494",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: Fix use-after-free bug in gb_interface_release due to race condition.\n\nIn gb_interface_create, &intf->mode_switch_completion is bound with\ngb_interface_mode_switch_work. Then it will be started by\ngb_interface_request_mode_switch. Here is the relevant code.\nif (!queue_work(system_long_wq, &intf->mode_switch_work)) {\n\t...\n}\n\nIf we call gb_interface_release to make cleanup, there may be an\nunfinished work. This function will call kfree to free the object\n\"intf\". However, if gb_interface_mode_switch_work is scheduled to\nrun after kfree, it may cause use-after-free error as\ngb_interface_mode_switch_work will use the object \"intf\".\nThe possible execution flow that may lead to the issue is as follows:\n\nCPU0                            CPU1\n\n                            |   gb_interface_create\n                            |   gb_interface_request_mode_switch\ngb_interface_release        |\nkfree(intf) (free)          |\n                            |   gb_interface_mode_switch_work\n                            |   mutex_lock(&intf->mutex) (use)\n\nFix it by canceling the work before kfree.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39495",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free due to race with dev replace\n\nWhile loading a zone's info during creation of a block group, we can race\nwith a device replace operation and then trigger a use-after-free on the\ndevice that was just replaced (source device of the replace operation).\n\nThis happens because at btrfs_load_zone_info() we extract a device from\nthe chunk map into a local variable and then use the device while not\nunder the protection of the device replace rwsem. So if there's a device\nreplace operation happening when we extract the device and that device\nis the source of the replace operation, we will trigger a use-after-free\nif before we finish using the device the replace operation finishes and\nfrees the device.\n\nFix this by enlarging the critical section under the protection of the\ndevice replace rwsem so that all uses of the device are done inside the\ncritical section.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39496",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)\n\nLack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap\nallows users to call mmap with PROT_WRITE and MAP_PRIVATE flag\ncausing a kernel panic due to BUG_ON in vmf_insert_pfn_prot:\nBUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));\n\nReturn -EINVAL early if COW mapping is detected.\n\nThis bug affects all drm drivers using default shmem helpers.\nIt can be reproduced by this simple example:\nvoid *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset);\nptr[0] = 0;",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39497",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2\n\n[Why]\nCommit:\n- commit 5aa1dfcdf0a4 (\"drm/mst: Refactor the flow for payload allocation/removement\")\naccidently overwrite the commit\n- commit 54d217406afe (\"drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2\")\nwhich cause regression.\n\n[How]\nRecover the original NULL fix and remove the unnecessary input parameter 'state' for\ndrm_dp_add_payload_part2().\n\n(cherry picked from commit 4545614c1d8da603e57b60dd66224d81b6ffc305)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39498",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\n\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\n\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\n\nOnly compile tested, no access to HW.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39499",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nUse sk_psock, which will only check that the pointer has not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n   ethtool -L <interface name> rx 1 tx 1 combined 0\n   ethtool -L <interface name> rx 0 tx 0 combined 1\n   ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39502",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix race between namespace cleanup and gc in the list:set type\n\nLion Ackermann reported that there is a race condition between namespace cleanup\nin ipset and the garbage collection of the list:set type. The namespace\ncleanup can destroy the list:set type of sets while the gc of the set type is\nwaiting to run in rcu cleanup. The latter uses data from the destroyed set which\nthus leads to use after free. The patch contains the following parts:\n\n- When destroying all sets, first remove the garbage collectors, then wait\n  if needed and then destroy the sets.\n- Fix the badly ordered \"wait then remove gc\" for the destroy a single set\n  case.\n- Fix the missing rcu locking in the list:set type in the userspace test\n  case.\n- Use proper RCU list handling in the list:set type.\n\nThe patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39503",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: validate mandatory meta and payload\n\nCheck for mandatory netlink attributes in payload and meta expression\nwhen used embedded from the inner expression, otherwise NULL pointer\ndereference is possible from userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39504",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/komeda: check for error-valued pointer\n\nkomeda_pipeline_get_state() may return an error-valued pointer, thus\ncheck the pointer for negative or null value before dereferencing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39505",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t  octeon_droq_dispatch_pkt\n\t   octeon_create_recv_info\n\t    ...search in the dispatch_list...\n\t     ->disp_fn(rdisp->rinfo, ...)\n\t      lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info->page to NULL.\nSo this check looks unneeded and doesn't solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can't do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39506",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39507",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at worker->flags\n\nUtilize set_bit() and test_bit() on worker->flags within io_uring/io-wq\nto address potential data races.\n\nThe structure io_worker->flags may be accessed through various data\npaths, leading to concurrency issues. When KCSAN is enabled, it reveals\ndata races occurring in io_worker_handle_work and\nio_wq_activate_free_worker functions.\n\n\t BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker\n\t write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:\n\t io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)\n\t io_wq_worker (io_uring/io-wq.c:?)\n<snip>\n\n\t read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:\n\t io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)\n\t io_wq_enqueue (io_uring/io-wq.c:947)\n\t io_queue_iowq (io_uring/io_uring.c:524)\n\t io_req_task_submit (io_uring/io_uring.c:1511)\n\t io_handle_tw_list (io_uring/io_uring.c:1198)\n<snip>\n\nLine numbers against commit 18daea77cca6 (\"Merge tag 'for-linus' of\ngit://git.kernel.org/pub/scm/virt/kvm/kvm\").\n\nThese races involve writes and reads to the same memory location by\ndifferent tasks running on different CPUs. To mitigate this, refactor\nthe code to use atomic operations such as set_bit(), test_bit(), and\nclear_bit() instead of basic \"and\" and \"or\" operations. This ensures\nthread-safe manipulation of worker flags.\n\nAlso, move `create_index` to avoid holes in the structure.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39508",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implement()\n\nSyzkaller hit a warning [1] in a call to implement() when trying\nto write a value into a field of smaller size in an output report.\n\nSince implement() already has a warn message printed out with the\nhelp of hid_warn() and value in question gets trimmed with:\n\t...\n\tvalue &= m;\n\t...\nWARN_ON may be considered superfluous. Remove it to suppress future\nsyzkaller triggers.\n\n[1]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]\nWARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\nModules linked in:\nCPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]\nRIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863\n...\nCall Trace:\n <TASK>\n __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]\n usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636\n hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39509",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-39510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(&REQ_A->done)\n\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n              REQ_A = cachefiles_ondemand_select_req\n              msg->object_id = req->object->ondemand->ondemand_id\n                                  ------ restore ------\n                                  cachefiles_ondemand_restore\n                                  xas_for_each(&xas, req, ULONG_MAX)\n                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW)\n\n                                  cachefiles_daemon_read\n                                   cachefiles_ondemand_daemon_read\n                                    REQ_A = cachefiles_ondemand_select_req\n              copy_to_user(_buffer, msg, n)\n               xa_erase(&cache->reqs, id)\n               complete(&REQ_A->done)\n              ------ close(fd) ------\n              cachefiles_ondemand_fd_release\n               cachefiles_put_object\n cachefiles_put_object\n  kmem_cache_free(cachefiles_object_jar, object)\n                                    REQ_A->object->ondemand->ondemand_id\n                                     // object UAF !!!\n\nWhen we see the request within xa_lock, req->object must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-39510",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0\nWrite of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962\n\nCPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542\nCall Trace:\n kasan_report+0x94/0xc0\n cachefiles_ondemand_daemon_read+0x609/0xab0\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 626:\n __kmalloc+0x1df/0x4b0\n cachefiles_ondemand_send_req+0x24d/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 626:\n kfree+0xf1/0x2c0\n cachefiles_ondemand_send_req+0x568/0x690\n cachefiles_create_tmpfile+0x249/0xb30\n cachefiles_create_file+0x6f/0x140\n cachefiles_look_up_object+0x29c/0xa60\n cachefiles_lookup_cookie+0x37d/0xca0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(&REQ_A->done)\n\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n              REQ_A = cachefiles_ondemand_select_req\n              cachefiles_ondemand_get_fd\n              copy_to_user(_buffer, msg, n)\n            process_open_req(REQ_A)\n                                  ------ restore ------\n                                  cachefiles_ondemand_restore\n                                  xas_for_each(&xas, req, ULONG_MAX)\n                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);\n\n                                  cachefiles_daemon_read\n                                   cachefiles_ondemand_daemon_read\n                                    REQ_A = cachefiles_ondemand_select_req\n\n             write(devfd, (\"copen %u,%llu\", msg->msg_id, size));\n             cachefiles_ondemand_copen\n              xa_erase(&cache->reqs, id)\n              complete(&REQ_A->done)\n   kfree(REQ_A)\n                                    cachefiles_ondemand_get_fd(REQ_A)\n                                     fd = get_unused_fd_flags\n                                     file = anon_inode_getfile\n                                     fd_install(fd, file)\n                                     load = (void *)REQ_A->msg.data;\n                                     load->fd = fd;\n                                     // load UAF !!!\n\nThis issue is caused by issuing a restore command when the daemon is still\nalive, which results in a request being processed multiple times thus\ntriggering a UAF. So to avoid this problem, add an additional reference\ncount to cachefiles_req, which is held while waiting and reading, and then\nreleased when the waiting and reading are over.\n\nNote that since there is only one reference count for waiting, we need to\navoid the same request being completed multiple times, so we can only\ncomplete the request if it is successfully removed from the xarray.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(&REQ_A->done)\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n                                  // close dev fd\n                                  cachefiles_flush_reqs\n                                   complete(&REQ_A->done)\n   kfree(REQ_A)\n              xa_lock(&cache->reqs);\n              cachefiles_ondemand_select_req\n                req->msg.opcode != CACHEFILES_OP_READ\n                // req use-after-free !!!\n              xa_unlock(&cache->reqs);\n                                   xa_destroy(&cache->reqs)\n\nHence remove requests from cache->reqs when flushing them to avoid\naccessing freed requests.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory\n\nThere is a potential out-of-bounds access when using test_bit() on a single\nword. The test_bit() and set_bit() functions operate on long values, and\nwhen testing or setting a single word, they can exceed the word\nboundary. KASAN detects this issue and produces a dump:\n\n\t BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas\n\n\t Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965\n\nFor full log, please look at [1].\n\nMake the allocation at least the size of sizeof(unsigned long) so that\nset_bit() and test_bit() have sufficient room for read/write operations\nwithout overwriting unallocated memory.\n\n[1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: xattr: fix buffer overflow for invalid xattr\n\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging.  But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\n\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps\n\nThere could be a potential use-after-free case in\ntcpm_register_source_caps(). This could happen when:\n * new (say invalid) source caps are advertised\n * the existing source caps are unregistered\n * tcpm_register_source_caps() returns with an error as\n   usb_power_delivery_register_capabilities() fails\n\nThis causes port->partner_source_caps to hold on to the now freed source\ncaps.\n\nReset port->partner_source_caps value to NULL after unregistering\nexisting source caps.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages\n\nThe syzbot fuzzer found that the interrupt-URB completion callback in\nthe cdc-wdm driver was taking too long, and the driver's immediate\nresubmission of interrupt URBs with -EPROTO status combined with the\ndummy-hcd emulation to cause a CPU lockup:\n\ncdc_wdm 1-1:1.0: nonzero urb status received: -71\ncdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes\nwatchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]\nCPU#0 Utilization every 4s during lockup:\n\t#1:  98% system,\t  0% softirq,\t  3% hardirq,\t  0% idle\n\t#2:  98% system,\t  0% softirq,\t  3% hardirq,\t  0% idle\n\t#3:  98% system,\t  0% softirq,\t  3% hardirq,\t  0% idle\n\t#4:  98% system,\t  0% softirq,\t  3% hardirq,\t  0% idle\n\t#5:  98% system,\t  1% softirq,\t  3% hardirq,\t  0% idle\nModules linked in:\nirq event stamp: 73096\nhardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]\nhardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994\nhardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\nhardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\nsoftirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]\nsoftirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582\nsoftirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588\nCPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n\nTesting showed that the problem did not occur if the two error\nmessages -- the first two lines above -- were removed; apparently adding\nmaterial to the kernel log takes a surprisingly large amount of time.\n\nIn any case, the best approach for preventing these lockups and to\navoid spamming the log with thousands of error messages per second is\nto ratelimit the two dev_err() calls.  Therefore we replace them with\ndev_err_ratelimited().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf the compiler reads (*ppcpu_rt) more than once,\nthe second read could read NULL if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n  fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n  fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n  fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n  fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n  fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n  fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n  fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n  fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n  __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n  rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n  rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n  addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n  addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n  notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n  call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n  call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n  call_netdevice_notifiers net/core/dev.c:2044 [inline]\n  dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n  unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n  unregister_netdevice_many net/core/dev.c:11276 [inline]\n  default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n  ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n  cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always stop health timer during driver removal\n\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continues with driver\nteardown. This may lead to a UAF bug, which results in a page fault\nOops[1], since the health timer is invoked after resources were freed.\n\nHence, stop the health monitor even if teardown_hca fails.\n\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     -------  ---  6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS:  0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x175/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n ? ioread32be+0x34/0x60\n mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n poll_health+0x42/0x230 [mlx5_core]\n ? __next_timer_interrupt+0xbc/0x110\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n call_timer_fn+0x21/0x130\n ? __pfx_poll_health+0x10/0x10 [mlx5_core]\n __run_timers+0x222/0x2c0\n run_timer_softirq+0x1d/0x40\n __do_softirq+0xc9/0x2c8\n __irq_exit_rcu+0xa6/0xc0\n sysvec_apic_timer_interrupt+0x72/0x90\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n ? cpuidle_enter_state+0xbd/0x440\n cpuidle_enter+0x2d/0x40\n do_idle+0x20d/0x270\n cpu_startup_entry+0x2a/0x30\n rest_init+0xd0/0xd0\n arch_call_rest_init+0xe/0x30\n start_kernel+0x709/0xa90\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x96/0xa0\n secondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic in XDP_TX action\n\nIn the XDP_TX path, the ionic driver sends a packet to the TX path with the rx\npage and corresponding dma address.\nAfter tx is done, ionic_tx_clean() frees that page.\nBut the RX ring buffer isn't reset to NULL.\nSo, it uses a freed page, which causes a kernel panic.\n\nBUG: unable to handle page fault for address: ffff8881576c110c\nPGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060\nOops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\nCPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\nCode: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8\nRSP: 0018:ffff888104e6fa28 EFLAGS: 00010283\nRAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002\nRDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e\nRBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8\nR13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100\nFS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __die+0x20/0x70\n? page_fault_oops+0x254/0x790\n? __pfx_page_fault_oops+0x10/0x10\n? __pfx_is_prefetch.constprop.0+0x10/0x10\n? search_bpf_extables+0x165/0x260\n? fixup_exception+0x4a/0x970\n? exc_page_fault+0xcb/0xe0\n? asm_exc_page_fault+0x22/0x30\n? 0xffffffffc0051f64\n? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f\n? do_raw_spin_unlock+0x54/0x220\nionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\nionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]\n__napi_poll.constprop.0+0xa0/0x440\nnet_rx_action+0x7e7/0xc30\n? __pfx_net_rx_action+0x10/0x10",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Set run context for rawtp test_run callback\n\nsyzbot reported a crash when a rawtp program executed through the\ntest_run interface calls the bpf_get_attach_cookie helper or any\nother helper that touches the task->bpf_ctx pointer.\n\nSet the run context (task->bpf_ctx pointer) for the test_run\ncallback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a potential use-after-free in bpf_link_free()\n\nAfter commit 1a80dbcb2dba, bpf_link can be freed by\nlink->ops->dealloc_deferred, but the code still tests and uses\nlink->ops->dealloc afterward, which leads to a use-after-free as\nreported by syzbot. Actually, one of them should be sufficient, so\njust call one of them instead of both. Also add a WARN_ON() in case\nof any problematic implementation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n    refcount_t: decrement hit 0; leaking memory.\n    refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n    Call Trace:\n    <TASK>\n    ? show_regs+0x64/0x70\n    ? __warn+0x83/0x120\n    ? refcount_warn_saturate+0xb2/0x100\n    ? report_bug+0x158/0x190\n    ? prb_read_valid+0x20/0x30\n    ? handle_bug+0x3e/0x70\n    ? exc_invalid_op+0x1c/0x70\n    ? asm_exc_invalid_op+0x1f/0x30\n    ? refcount_warn_saturate+0xb2/0x100\n    ? refcount_warn_saturate+0xb2/0x100\n    ax25_release+0x2ad/0x360\n    __sock_release+0x35/0xa0\n    sock_close+0x19/0x20\n    [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n    unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Lock wiphy in cfg80211_get_station\n\nWiphy should be locked before calling rdev_get_station() (see lockdep\nassert in ieee80211_get_station()).\n\nThis fixes the following kernel NULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n   ESR = 0x0000000096000006\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x06: level 2 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000006\n   CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000\n [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000\n Internal error: Oops: 0000000096000006 [#1] SMP\n Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath\n CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705\n Hardware name: RPT (r1) (DT)\n Workqueue: bat_events batadv_v_elp_throughput_metric_update\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n lr : sta_set_sinfo+0xcc/0xbd4\n sp : ffff000007b43ad0\n x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98\n x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000\n x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc\n x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000\n x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d\n x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e\n x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000\n x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000\n x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90\n x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000\n Call trace:\n  ath10k_sta_statistics+0x10/0x2dc [ath10k_core]\n  sta_set_sinfo+0xcc/0xbd4\n  ieee80211_get_station+0x2c/0x44\n  cfg80211_get_station+0x80/0x154\n  batadv_v_elp_get_throughput+0x138/0x1fc\n  batadv_v_elp_throughput_metric_update+0x1c/0xa4\n  process_one_work+0x1ec/0x414\n  worker_thread+0x70/0x46c\n  kthread+0xdc/0xe0\n  ret_from_fork+0x10/0x20\n Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)\n\nThis happens because the STA has time to disconnect and reconnect before\nthe batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In\nthis situation, ath10k_sta_state() can be in the middle of resetting\narsta data when the work queue gets a chance to be scheduled and ends up\naccessing it. Locking the wiphy prevents that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()\n\nThe ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to\nsynchronize with ieee80211_tx_h_unicast_ps_buf() which is called from\nsoftirq context. However, using only spin_lock() to get sta->ps_lock in\nieee80211_sta_ps_deliver_wakeup() does not prevent a softirq from executing\non this same CPU, running ieee80211_tx_h_unicast_ps_buf() and trying to\ntake this same lock, ending in deadlock. Below is an example of an rcu stall\nthat arises in such a situation.\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu:    2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996\n rcu:    (t=42586894 jiffies g=2057 q=362405 ncpus=4)\n CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G        W          6.4.0-02158-g1b062f552873 #742\n Hardware name: RPT (r1) (DT)\n pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : queued_spin_lock_slowpath+0x58/0x2d0\n lr : invoke_tx_handlers_early+0x5b4/0x5c0\n sp : ffff00001ef64660\n x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8\n x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000\n x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000\n x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000\n x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80\n x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da\n x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440\n x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880\n x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8\n Call trace:\n  queued_spin_lock_slowpath+0x58/0x2d0\n  ieee80211_tx+0x80/0x12c\n  ieee80211_tx_pending+0x110/0x278\n  tasklet_action_common.constprop.0+0x10c/0x144\n  tasklet_action+0x20/0x28\n  _stext+0x11c/0x284\n  ____do_softirq+0xc/0x14\n  call_on_irq_stack+0x24/0x34\n  do_softirq_own_stack+0x18/0x20\n  do_softirq+0x74/0x7c\n  __local_bh_enable_ip+0xa0/0xa4\n  _ieee80211_wake_txqs+0x3b0/0x4b8\n  __ieee80211_wake_queue+0x12c/0x168\n  ieee80211_add_pending_skbs+0xec/0x138\n  ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480\n  ieee80211_mps_sta_status_update.part.0+0xd8/0x11c\n  ieee80211_mps_sta_status_update+0x18/0x24\n  sta_apply_parameters+0x3bc/0x4c0\n  ieee80211_change_station+0x1b8/0x2dc\n  nl80211_set_station+0x444/0x49c\n  genl_family_rcv_msg_doit.isra.0+0xa4/0xfc\n  genl_rcv_msg+0x1b0/0x244\n  netlink_rcv_skb+0x38/0x10c\n  genl_rcv+0x34/0x48\n  netlink_unicast+0x254/0x2bc\n  netlink_sendmsg+0x190/0x3b4\n  ____sys_sendmsg+0x1e8/0x218\n  ___sys_sendmsg+0x68/0x8c\n  __sys_sendmsg+0x44/0x84\n  __arm64_sys_sendmsg+0x20/0x28\n  do_el0_svc+0x6c/0xe8\n  el0_svc+0x14/0x48\n  el0t_64_sync_handler+0xb0/0xb4\n  el0t_64_sync+0x14c/0x150\n\nUsing spin_lock_bh()/spin_unlock_bh() instead prevents a softirq from being raised\non the same CPU that is holding the lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: defer exposing anon_fd until after copy_to_user() succeeds\n\nAfter installing the anonymous fd, we can now see it in userland and close\nit. However, at this point we may not have gotten the reference count of\nthe cache, but we will put it during close fd, so this may cause a cache\nUAF.\n\nSo grab the cache reference count before fd_install(). In addition, by\nkernel convention, fd is taken over by the user land after fd_install(),\nand the kernel should not call close_fd() after that, i.e., it should call\nfd_install() after everything is ready, thus fd_install() is called after\ncopy_to_user() succeeds.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don't unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n  <TASK>\n  do_shrink_slab+0x14f/0x6a0\n  shrink_slab+0xca/0x8c0\n  shrink_node+0x2d0/0x7d0\n  balance_pgdat+0x33a/0x720\n  kswapd+0x1f3/0x410\n  kthread+0xd5/0x100\n  ret_from_fork+0x2f/0x50\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root 
cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt.  But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because  __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff800060dc>] dump_backtrace+0x1c/0x24\n[<ffffffff8091ef6e>] show_stack+0x2c/0x38\n[<ffffffff8092baf8>] dump_stack_lvl+0x5a/0x72\n[<ffffffff8092bb24>] dump_stack+0x14/0x1c\n[<ffffffff8003b7ac>] __might_resched+0x104/0x10e\n[<ffffffff8003b7f4>] __might_sleep+0x3e/0x62\n[<ffffffff8093276a>] down_write+0x20/0x72\n[<ffffffff8000cf00>] __set_memory+0x82/0x2fa\n[<ffffffff8000d324>] __kernel_map_pages+0x5a/0xd4\n[<ffffffff80196cca>] __alloc_pages_bulk+0x3b2/0x43a\n[<ffffffff8018ee82>] __vmalloc_node_range+0x196/0x6ba\n[<ffffffff80011904>] copy_process+0x72c/0x17ec\n[<ffffffff80012ab4>] kernel_clone+0x60/0x2fe\n[<ffffffff80012f62>] kernel_thread+0x82/0xa0\n[<ffffffff8003552c>] kthreadd+0x14a/0x1be\n[<ffffffff809357de>] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found\n\nWhen reading EDID fails and driver reports no modes available, the DRM\ncore adds an artificial 1024x786 mode to the connector. Unfortunately\nsome variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not\nable to drive such mode, so report a safe 640x480 mode instead of nothing\nin case of the EDID reading failure.\n\nThis fixes the following issue observed on Trats2 board since commit\n13d5b040363c (\"drm/exynos: do not return negative values from .get_modes()\"):\n\n[drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations\nexynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)\nexynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)\nexynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)\nexynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)\nexynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)\n[drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1\nexynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state\npanel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c\nexynos-mixer 12c10000.mixer: timeout waiting for VSYNC\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n[CRTC:70:crtc-1] vblank wait timed out\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x68/0x88\n dump_stack_lvl from __warn+0x7c/0x1c4\n __warn from warn_slowpath_fmt+0x11c/0x1a8\n 
warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8\n drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c\n drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184\n commit_tail from drm_atomic_helper_commit+0x168/0x190\n drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0\n drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c\n drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc\n drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40\n drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4\n __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c\n drm_fb_helper_set_par from fbcon_init+0x3d8/0x550\n fbcon_init from visual_init+0xc0/0x108\n visual_init from do_bind_con_driver+0x1b8/0x3a4\n do_bind_con_driver from do_take_over_console+0x140/0x1ec\n do_take_over_console from do_fbcon_takeover+0x70/0xd0\n do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac\n fbcon_fb_registered from register_framebuffer+0x190/0x21c\n register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574\n __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0\n exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94\n drm_client_register from exynos_drm_bind+0x160/0x190\n exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8\n try_to_bring_up_aggregate_device from __component_add+0xb0/0x170\n __component_add from mixer_probe+0x74/0xcc\n mixer_probe from platform_probe+0x5c/0xb8\n platform_probe from really_probe+0xe0/0x3d8\n really_probe from __driver_probe_device+0x9c/0x1e4\n __driver_probe_device from driver_probe_device+0x30/0xc0\n driver_probe_device from __device_attach_driver+0xa8/0x120\n __device_attach_driver from bus_for_each_drv+0x80/0xcc\n bus_for_each_drv from __device_attach+0xac/0x1fc\n __device_attach from 
bus_probe_device+0x8c/0x90\n bus_probe_device from deferred_probe_work_func+0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemblock: make memblock_set_node() also warn about use of MAX_NUMNODES\n\nOn an (old) x86 system with SRAT just covering space above 4Gb:\n\n    ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0xfffffffff] hotplug\n\nthe commit referenced below leads to this NUMA configuration no longer\nbeing refused by a CONFIG_NUMA=y kernel (previously\n\n    NUMA: nodes only cover 6144MB of your 8185MB e820 RAM. Not used.\n    No NUMA configuration found\n    Faking a node at [mem 0x0000000000000000-0x000000027fffffff]\n\nwas seen in the log directly after the message quoted above), because of\nmemblock_validate_numa_coverage() checking for NUMA_NO_NODE (only). This\nin turn led to memblock_alloc_range_nid()'s warning about MAX_NUMNODES\ntriggering, followed by a NULL deref in memmap_init() when trying to\naccess node 64's (NODE_SHIFT=6) node data.\n\nTo compensate said change, make memblock_set_node() warn on and adjust\na passed in value of MAX_NUMNODES, just like various other functions\nalready do.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Try to fix random segmentation faults in package builds\n\nPA-RISC systems with PA8800 and PA8900 processors have had problems\nwith random segmentation faults for many years.  Systems with earlier\nprocessors are much more stable.\n\nSystems with PA8800 and PA8900 processors have a large L2 cache which\nneeds per page flushing for decent performance when a large range is\nflushed. The combined cache in these systems is also more sensitive to\nnon-equivalent aliases than the caches in earlier systems.\n\nThe majority of random segmentation faults that I have looked at\nappear to be memory corruption in memory allocated using mmap and\nmalloc.\n\nMy first attempt at fixing the random faults didn't work. On\nreviewing the cache code, I realized that there were two issues\nwhich the existing code didn't handle correctly. Both relate\nto cache move-in. Another issue is that the present bit in PTEs\nis racy.\n\n1) PA-RISC caches have a mind of their own and they can speculatively\nload data and instructions for a page as long as there is a entry in\nthe TLB for the page which allows move-in. TLBs are local to each\nCPU. Thus, the TLB entry for a page must be purged before flushing\nthe page. This is particularly important on SMP systems.\n\nIn some of the flush routines, the flush routine would be called\nand then the TLB entry would be purged. This was because the flush\nroutine needed the TLB entry to do the flush.\n\n2) My initial approach to trying the fix the random faults was to\ntry and use flush_cache_page_if_present for all flush operations.\nThis actually made things worse and led to a couple of hardware\nlockups. It finally dawned on me that some lines weren't being\nflushed because the pte check code was racy. 
This resulted in\nrandom inequivalent mappings to physical pages.\n\nThe __flush_cache_page tmpalias flush sets up its own TLB entry\nand it doesn't need the existing TLB entry. As long as we can find\nthe pte pointer for the vm page, we can get the pfn and physical\naddress of the page. We can also purge the TLB entry for the page\nbefore doing the flush. Further, __flush_cache_page uses a special\nTLB entry that inhibits cache move-in.\n\nWhen switching page mappings, we need to ensure that lines are\nremoved from the cache.  It is not sufficient to just flush the\nlines to memory as they may come back.\n\nThis made it clear that we needed to implement all the required\nflush operations using tmpalias routines. This includes flushes\nfor user and kernel pages.\n\nAfter modifying the code to use tmpalias flushes, it became clear\nthat the random segmentation faults were not fully resolved. The\nfrequency of faults was worse on systems with a 64 MB L2 (PA8900)\nand systems with more CPUs (rp4440).\n\nThe warning that I added to flush_cache_page_if_present to detect\npages that couldn't be flushed triggered frequently on some systems.\n\nHelge and I looked at the pages that couldn't be flushed and found\nthat the PTE was either cleared or for a swap page. Ignoring pages\nthat were swapped out seemed okay but pages with cleared PTEs seemed\nproblematic.\n\nI looked at routines related to pte_clear and noticed ptep_clear_flush.\nThe default implementation just flushes the TLB entry. However, it was\nobvious that on parisc we need to flush the cache page as well. If\nwe don't flush the cache page, stale lines will be left in the cache\nand cause random corruption. Once a PTE is cleared, there is no way\nto find the physical address associated with the PTE and flush the\nassociated page at a later time.\n\nI implemented an updated change with a parisc specific version of\nptep_clear_flush. 
It fixed the random data corruption on Helge's rp4440\nand rp3440, as well as on my c8000.\n\nAt this point, I realized that I could restore the code where we only\nflush in flush_cache_page_if_present if the page has been accessed.\nHowever, for this, we also need to flush the cache when the accessed\nbit is cleared in\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()\n\nIn case of token is released due to token->state == BNXT_HWRM_DEFERRED,\nreleased token (set to NULL) is used in log messages. This issue is\nexpected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But\nthis error code is returned by recent firmware. So some firmware may not\nreturn it. This may lead to NULL pointer dereference.\nAdjust this issue by adding token pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix suspicious rcu usage in br_mst_set_state\n\nI converted br_mst_set_state to RCU to avoid a vlan use-after-free\nbut forgot to change the vlan group dereference helper. Switch to vlan\ngroup RCU deref helper to fix the suspicious rcu usage warning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.6"
        },
        {
          "id": "CVE-2024-40921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: pass vlan group directly to br_mst_vlan_set_state\n\nPass the already obtained vlan group pointer to br_mst_vlan_set_state()\ninstead of dereferencing it again. Each caller has already correctly\ndereferenced it for their context. This change is required for the\nfollowing suspicious RCU dereference fix. No functional changes\nintended.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.6"
        },
        {
          "id": "CVE-2024-40922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: don't lock while !TASK_RUNNING\n\nThere is a report of io_rsrc_ref_quiesce() locking a mutex while not\nTASK_RUNNING, which is due to forgetting restoring the state back after\nio_run_task_work_sig() and attempts to break out of the waiting loop.\n\ndo not call blocking ops when !TASK_RUNNING; state=1 set at\n[<ffffffff815d2494>] prepare_to_wait+0xa4/0x380\nkernel/sched/wait.c:237\nWARNING: CPU: 2 PID: 397056 at kernel/sched/core.c:10099\n__might_sleep+0x114/0x160 kernel/sched/core.c:10099\nRIP: 0010:__might_sleep+0x114/0x160 kernel/sched/core.c:10099\nCall Trace:\n <TASK>\n __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n __mutex_lock+0xb4/0x940 kernel/locking/mutex.c:752\n io_rsrc_ref_quiesce+0x590/0x940 io_uring/rsrc.c:253\n io_sqe_buffers_unregister+0xa2/0x340 io_uring/rsrc.c:799\n __io_uring_register io_uring/register.c:424 [inline]\n __do_sys_io_uring_register+0x5b9/0x2400 io_uring/register.c:613\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: disable rx data ring on dma allocation failure\n\nWhen vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,\nthe subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset\nrq->data_ring.desc_size for the data ring that failed, which presumably\ncauses the hypervisor to reference it on packet reception.\n\nTo fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell\nthe hypervisor to disable this feature.\n\n[   95.436876] kernel BUG at net/core/skbuff.c:207!\n[   95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[   95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1\n[   95.441558] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018\n[   95.443481] RIP: 0010:skb_panic+0x4d/0x4f\n[   95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50\nff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9\nff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24\n[   95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246\n[   95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f\n[   95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f\n[   95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60\n[   95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000\n[   95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0\n[   95.455682] FS:  0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000\n[   95.457178] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0\n[   95.459791] Call Trace:\n[   95.460515]  <IRQ>\n[   95.461180]  ? __die_body.cold+0x19/0x27\n[   95.462150]  ? die+0x2e/0x50\n[   95.462976]  ? 
do_trap+0xca/0x110\n[   95.463973]  ? do_error_trap+0x6a/0x90\n[   95.464966]  ? skb_panic+0x4d/0x4f\n[   95.465901]  ? exc_invalid_op+0x50/0x70\n[   95.466849]  ? skb_panic+0x4d/0x4f\n[   95.467718]  ? asm_exc_invalid_op+0x1a/0x20\n[   95.468758]  ? skb_panic+0x4d/0x4f\n[   95.469655]  skb_put.cold+0x10/0x10\n[   95.470573]  vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3]\n[   95.471853]  vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3]\n[   95.473185]  __napi_poll+0x2b/0x160\n[   95.474145]  net_rx_action+0x2c6/0x3b0\n[   95.475115]  handle_softirqs+0xe7/0x2a0\n[   95.476122]  __irq_exit_rcu+0x97/0xb0\n[   95.477109]  common_interrupt+0x85/0xa0\n[   95.478102]  </IRQ>\n[   95.478846]  <TASK>\n[   95.479603]  asm_common_interrupt+0x26/0x40\n[   95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20\n[   95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90\n[   95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246\n[   95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000\n[   95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001\n[   95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3\n[   95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260\n[   95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000\n[   95.495035]  acpi_safe_halt+0x14/0x20\n[   95.496127]  acpi_idle_do_entry+0x2f/0x50\n[   95.497221]  acpi_idle_enter+0x7f/0xd0\n[   95.498272]  cpuidle_enter_state+0x81/0x420\n[   95.499375]  cpuidle_enter+0x2d/0x40\n[   95.500400]  do_idle+0x1e5/0x240\n[   95.501385]  cpu_startup_entry+0x29/0x30\n[   95.502422]  start_secondary+0x11c/0x140\n[   95.503454]  common_startup_64+0x13e/0x141\n[   95.504466]  </TASK>\n[   95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4\nnft_fib_ipv6 nft_fib nft_reject_inet 
nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dpt: Make DPT object unshrinkable\n\nIn some scenarios, the DPT object gets shrunk but\nthe actual framebuffer did not and thus its still\nthere on the DPT's vm->bound_list. Then it tries to\nrewrite the PTEs via a stale CPU mapping. This causes panic.\n\n[vsyrjala: Add TODO comment]\n(cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix request.queuelist usage in flush\n\nFriedrich Weber reported a kernel crash problem and bisected to commit\n81ada09cc25e (\"blk-flush: reuse rq queuelist in flush state machine\").\n\nThe root cause is that we use \"list_move_tail(&rq->queuelist, pending)\"\nin the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since\nit's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch().\nWe don't initialize its queuelist just for this first request, although\nthe queuelist of all later popped requests will be initialized.\n\nFix it by changing to use \"list_add_tail(&rq->queuelist, pending)\" so\nrq->queuelist doesn't need to be initialized. It should be ok since rq\ncan't be on any list when PREFLUSH or POSTFLUSH, has no move actually.\n\nPlease note the commit 81ada09cc25e (\"blk-flush: reuse rq queuelist in\nflush state machine\") also has another requirement that no drivers would\ntouch rq->queuelist after blk_mq_end_request() since we will reuse it to\nadd rq to the post-flush pending list in POSTFLUSH. If this is not true,\nwe will have to revert that commit IMHO.\n\nThis updated version adds \"list_del_init(&rq->queuelist)\" in flush rq\ncallback since the dm layer may submit request of a weird invalid format\n(REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add\nif without this \"list_del_init(&rq->queuelist)\". The weird invalid format\nproblem should be fixed in dm layer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: don't attempt to schedule hpd_work on headless cards\n\nIf the card doesn't have display hardware, hpd_work and hpd_lock are\nleft uninitialized which causes BUG when attempting to schedule hpd_work\non runtime PM resume.\n\nFix it by adding headless flag to DRM and skip any hpd if it's set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()\n\nClang static checker (scan-build) warning:\nnet/ethtool/ioctl.c:line 2233, column 2\nCalled function pointer is null (null dereference).\n\nReturn '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix\nthis typo error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: check n_ssids before accessing the ssids\n\nIn some versions of cfg80211, the ssids poinet might be a valid one even\nthough n_ssids is 0. Accessing the pointer in this case will cuase an\nout-of-bound access. Fix this by checking n_ssids first.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: validate HE operation element parsing\n\nValidate that the HE operation element has the correct\nlength before parsing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos/vidi: fix memory leak in .get_modes()\n\nThe duplicated EDID is never freed. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: temperature: mlx90635: Fix ERR_PTR dereference in mlx90635_probe()\n\nWhen devm_regmap_init_i2c() fails, regmap_ee could be error pointer,\ninstead of checking for IS_ERR(regmap_ee), regmap is checked which looks\nlike a copy paste error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: flush all requests after setting CACHEFILES_DEAD\n\nIn ondemand mode, when the daemon is processing an open request, if the\nkernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write()\nwill always return -EIO, so the daemon can't pass the copen to the kernel.\nThen the kernel process that is waiting for the copen triggers a hung_task.\n\nSince the DEAD state is irreversible, it can only be exited by closing\n/dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark\nthe cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to\navoid the above hungtask. We may still be able to read some of the cached\ndata before closing the fd of /dev/cachefiles.\n\nNote that this relies on the patch that adds reference counting to the req,\notherwise it may UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix memregion leaks in devm_cxl_add_region()\n\nMove the mode verification to __create_region() before allocating the\nmemregion to avoid the memregion leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix d_parent walk\n\nThe WARN_ON_ONCE() in collect_domain_accesses() can be triggered when\ntrying to link a root mount point.  This cannot work in practice because\nthis directory is mounted, but the VFS check is done after the call to\nsecurity_path_link().\n\nDo not use source directory's d_parent when the source directory is the\nmount point.\n\n[mic: Fix commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: Fix tainted pointer delete is case of region creation fail\n\nIn case of region creation fail in ipc_devlink_create_region(), previously\ncreated regions delete process starts from tainted pointer which actually\nholds error code value.\nFix this bug by decreasing region index before delete.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix tainted pointer delete is case of flow rules creation fail\n\nIn case of flow rule creation fail in mlx5_lag_create_port_sel_table(),\ninstead of previously created rules, the tainted pointer is deleted\ndeveral times.\nFix this bug by using correct flow rules pointers.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't read past the mfuart notifcation\n\nIn case the firmware sends a notification that claims it has more data\nthan it has, we will read past that was allocated for the notification.\nRemove the print of the buffer, we won't see it by default. If needed,\nwe can see the content with tracing.\n\nThis was reported by KFENCE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: mesh: Fix leak of mesh_preq_queue objects\n\nThe hwmp code use objects of type mesh_preq_queue, added to a list in\nieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath\ngets deleted, ex mesh interface is removed, the entries in that list will\nnever get cleaned. Fix this by flushing all corresponding items of the\npreq_queue in mesh_path_flush_pending().\n\nThis should take care of KASAN reports like this:\n\nunreferenced object 0xffff00000668d800 (size 128):\n  comm \"kworker/u8:4\", pid 67, jiffies 4295419552 (age 1836.444s)\n  hex dump (first 32 bytes):\n    00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff  ..........h.....\n    8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00  ....>...........\n  backtrace:\n    [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n    [<00000000049bd418>] kmalloc_trace+0x34/0x80\n    [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n    [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n    [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n    [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n    [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n    [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n    [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n    [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n    [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n    [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n    [<00000000b36425d1>] worker_thread+0x9c/0x634\n    [<0000000005852dd5>] kthread+0x1bc/0x1c4\n    [<000000005fccd770>] ret_from_fork+0x10/0x20\nunreferenced object 0xffff000009051f00 (size 128):\n  comm \"kworker/u8:4\", pid 67, jiffies 4295419553 (age 1836.440s)\n  hex dump (first 32 bytes):\n    90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff  ..........h.....\n    36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff  6'.......Xy.....\n  backtrace:\n    [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c\n    [<00000000049bd418>] kmalloc_trace+0x34/0x80\n    [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8\n    [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c\n    [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4\n    [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764\n    [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4\n    [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440\n    [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c\n    [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4\n    [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508\n    [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c\n    [<00000000b36425d1>] worker_thread+0x9c/0x634\n    [<0000000005852dd5>] kthread+0x1bc/0x1c4\n    [<000000005fccd770>] ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix races between hole punching and AIO+DIO\n\nAfter commit \"ocfs2: return real error code in ocfs2_dio_wr_get_block\",\nfstests/generic/300 become from always failed to sometimes failed:\n\n========================================================================\n[  473.293420 ] run fstests generic/300\n\n[  475.296983 ] JBD2: Ignoring recovery information on journal\n[  475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.\n[  494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found\n[  494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.\n[  494.292018 ] OCFS2: File system is now read-only.\n[  494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30\n[  494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3\nfio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072\n=========================================================================\n\nIn __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten\nextents to a list.  extents are also inserted into extent tree in\nocfs2_write_begin_nolock.  Then another thread call fallocate to puch a\nhole at one of the unwritten extent.  The extent at cpos was removed by\nocfs2_remove_extent().  At end io worker thread, ocfs2_search_extent_list\nfound there is no such extent at the cpos.\n\n    T1                        T2                T3\n                              inode lock\n                                ...\n                                insert extents\n                                ...\n                              inode unlock\nocfs2_fallocate\n __ocfs2_change_file_space\n  inode lock\n  lock ip_alloc_sem\n  ocfs2_remove_inode_range inode\n   ocfs2_remove_btree_range\n    ocfs2_remove_extent\n    ^---remove the extent at cpos 78723\n  ...\n  unlock ip_alloc_sem\n  inode unlock\n                                       ocfs2_dio_end_io\n                                        ocfs2_dio_end_io_write\n                                         lock ip_alloc_sem\n                                         ocfs2_mark_extent_written\n                                          ocfs2_change_extent_flag\n                                           ocfs2_search_extent_list\n                                           ^---failed to find extent\n                                          ...\n                                          unlock ip_alloc_sem\n\nIn most filesystems, fallocate is not compatible with racing with AIO+DIO,\nso fix it by adding to wait for all dio before fallocate/punch_hole like\next4.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Fix bug with call depth tracking\n\nThe call to cc_platform_has() triggers a fault and system crash if call depth\ntracking is active because the GS segment has been reset by load_segments() and\nGS_BASE is now 0 but call depth tracking uses per-CPU variables to operate.\n\nCall cc_platform_has() earlier in the function when GS is still valid.\n\n  [ bp: Massage. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Return right value in iommu_sva_bind_device()\n\niommu_sva_bind_device() should return either a sva bond handle or an\nERR_PTR value in error cases. Existing drivers (idxd and uacce) only\ncheck the return value with IS_ERR(). This could potentially lead to\na kernel NULL pointer dereference issue if the function returns NULL\ninstead of an error pointer.\n\nIn reality, this doesn't cause any problems because iommu_sva_bind_device()\nonly returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.\nIn this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will\nreturn an error, and the device drivers won't call iommu_sva_bind_device()\nat all.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Avoid blocking in RCU read-side critical section\n\nA panic happens in ima_match_policy:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nPGD 42f873067 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 5 PID: 1286325 Comm: kubeletmonit.sh\nKdump: loaded Tainted: P\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n               BIOS 0.0.0 02/06/2015\nRIP: 0010:ima_match_policy+0x84/0x450\nCode: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39\n      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d\n      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea\n      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f\nRSP: 0018:ff71570009e07a80 EFLAGS: 00010207\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200\nRDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000\nRBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739\nR10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970\nR13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001\nFS:  00007f5195b51740(0000)\nGS:ff3e278b12d40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ima_get_action+0x22/0x30\n process_measurement+0xb0/0x830\n ? page_add_file_rmap+0x15/0x170\n ? alloc_set_pte+0x269/0x4c0\n ? prep_new_page+0x81/0x140\n ? simple_xattr_get+0x75/0xa0\n ? selinux_file_open+0x9d/0xf0\n ima_file_check+0x64/0x90\n path_openat+0x571/0x1720\n do_filp_open+0x9b/0x110\n ? page_counter_try_charge+0x57/0xc0\n ? files_cgroup_alloc_fd+0x38/0x60\n ? __alloc_fd+0xd4/0x250\n ? do_sys_open+0x1bd/0x250\n do_sys_open+0x1bd/0x250\n do_syscall_64+0x5d/0x1d0\n entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nCommit c7423dbdbc9e (\"ima: Handle -ESTALE returned by\nima_filter_rule_match()\") introduced call to ima_lsm_copy_rule within a\nRCU read-side critical section which contains kmalloc with GFP_KERNEL.\nThis implies a possible sleep and violates limitations of RCU read-side\ncritical sections on non-PREEMPT systems.\n\nSleeping within RCU read-side critical section might cause\nsynchronize_rcu() returning early and break RCU protection, allowing a\nUAF to happen.\n\nThe root cause of this issue could be described as follows:\n|\tThread A\t|\tThread B\t|\n|\t\t\t|ima_match_policy\t|\n|\t\t\t|  rcu_read_lock\t|\n|ima_lsm_update_rule\t|\t\t\t|\n|  synchronize_rcu\t|\t\t\t|\n|\t\t\t|    kmalloc(GFP_KERNEL)|\n|\t\t\t|      sleep\t\t|\n==> synchronize_rcu returns early\n|  kfree(entry)\t\t|\t\t\t|\n|\t\t\t|    entry = entry->next|\n==> UAF happens and entry now becomes NULL (or could be anything).\n|\t\t\t|    entry->action\t|\n==> Accessing entry might cause panic.\n\nTo fix this issue, we are converting all kmalloc that is called within\nRCU read-side critical section to use GFP_ATOMIC.\n\n[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_table_check: fix crash on ZONE_DEVICE\n\nNot all pages may apply to pgtable check.  One example is ZONE_DEVICE\npages: they map PFNs directly, and they don't allocate page_ext at all\neven if there's struct page around.  One may reference\ndevm_memremap_pages().\n\nWhen both ZONE_DEVICE and page-table-check enabled, then try to map some\ndax memories, one can trigger kernel bug constantly now when the kernel\nwas trying to inject some pfn maps on the dax device:\n\n kernel BUG at mm/page_table_check.c:55!\n\nWhile it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page\nfault resolutions, skip all the checks if page_ext doesn't even exist in\npgtable checker, which applies to ZONE_DEVICE but maybe more.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: shmem: fix getting incorrect lruvec when replacing a shmem folio\n\nWhen testing shmem swapin, I encountered the warning below on my machine. \nThe reason is that replacing an old shmem folio with a new one causes\nmem_cgroup_migrate() to clear the old folio's memcg data.  As a result,\nthe old folio cannot get the correct memcg's lruvec needed to remove\nitself from the LRU list when it is being freed.  This could lead to\npossible serious problems, such as LRU list crashes due to holding the\nwrong LRU lock, and incorrect LRU statistics.\n\nTo fix this issue, we can fallback to use the mem_cgroup_replace_folio()\nto replace the old shmem folio.\n\n[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960\n[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)\n[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000\n[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000\n[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000\n[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000\n[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())\n[ 5241.100338] ------------[ cut here ]------------\n[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150\n[...]\n[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150\n[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150\n[ 5241.100376] sp : ffff80008b38b930\n[...]\n[ 5241.100398] Call trace:\n[ 5241.100399]  folio_lruvec_lock_irqsave+0x140/0x150\n[ 5241.100401]  __page_cache_release+0x90/0x300\n[ 5241.100404]  __folio_put+0x50/0x108\n[ 5241.100406]  shmem_replace_folio+0x1b4/0x240\n[ 5241.100409]  shmem_swapin_folio+0x314/0x528\n[ 5241.100411]  shmem_get_folio_gfp+0x3b4/0x930\n[ 5241.100412]  shmem_fault+0x74/0x160\n[ 5241.100414]  __do_fault+0x40/0x218\n[ 5241.100417]  do_shared_fault+0x34/0x1b0\n[ 5241.100419]  do_fault+0x40/0x168\n[ 5241.100420]  handle_pte_fault+0x80/0x228\n[ 5241.100422]  __handle_mm_fault+0x1c4/0x440\n[ 5241.100424]  handle_mm_fault+0x60/0x1f0\n[ 5241.100426]  do_page_fault+0x120/0x488\n[ 5241.100429]  do_translation_fault+0x4c/0x68\n[ 5241.100431]  do_mem_abort+0x48/0xa0\n[ 5241.100434]  el0_da+0x38/0xc0\n[ 5241.100436]  el0t_64_sync_handler+0x68/0xc0\n[ 5241.100437]  el0t_64_sync+0x14c/0x150\n[ 5241.100439] ---[ end trace 0000000000000000 ]---\n\n[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: fix misused mapping_large_folio_support() for anon folios\n\nWhen I did a large folios split test, a WARNING \"[ 5059.122759][ T166]\nCannot split file folio to non-0 order\" was triggered.  But the test cases\nare only for anonmous folios.  while mapping_large_folio_support() is only\nreasonable for page cache folios.\n\nIn split_huge_page_to_list_to_order(), the folio passed to\nmapping_large_folio_support() maybe anonmous folio.  The folio_test_anon()\ncheck is missing.  So the split of the anonmous THP is failed.  This is\nalso the same for shmem_mapping().  We'd better add a check for both.  But\nthe shmem_mapping() in __split_huge_page() is not involved, as for\nanonmous folios, the end parameter is set to -1, so (head[i].index >= end)\nis always false.  shmem_mapping() is not called.\n\nAlso add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon\nmapping, So we can detect the wrong use more easily.\n\nTHP folios maybe exist in the pagecache even the file system doesn't\nsupport large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is\nenabled, khugepaged will try to collapse read-only file-backed pages to\nTHP.  But the mapping does not actually support multi order large folios\nproperly.\n\nUsing /sys/kernel/debug/split_huge_pages to verify this, with this patch,\nlarge anon THP is successfully split and the warning is ceased.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()\n\nbdev->bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev->bd_super to b_assoc_map->host->i_sb.  Since ocfs2 hasn't set\nbh->b_assoc_map, it will trigger NULL pointer dereference when calling\ninto ocfs2_abort_trigger().\n\nActually this was pointed out in history, see commit 74e364ad1b13.  But\nI've made a mistake when reviewing commit 8887b94d9322 and then\nre-introduce this regression.\n\nSince we cannot revive bdev in buffer head, so fix this issue by\ninitializing all types of ocfs2 triggers when fill super, and then get the\nspecific ocfs2 trigger from ocfs2_caching_info when access journal.\n\n[joseph.qi@linux.alibaba.com: v2]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()\n\nbdev->bd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev->bd_super to b_assoc_map->host->i_sb.  This introduces the\nfollowing NULL pointer dereference in ocfs2_journal_dirty() since\nb_assoc_map is still not initialized.  This can be easily reproduced by\nrunning xfstests generic/186, which simulate no more credits.\n\n[  134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000\n...\n[  134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n...\n[  134.365071] Call Trace:\n[  134.365312]  <TASK>\n[  134.365524]  ? __die_body+0x1e/0x60\n[  134.365868]  ? page_fault_oops+0x13d/0x4f0\n[  134.366265]  ? __pfx_bit_wait_io+0x10/0x10\n[  134.366659]  ? schedule+0x27/0xb0\n[  134.366981]  ? exc_page_fault+0x6a/0x140\n[  134.367356]  ? asm_exc_page_fault+0x26/0x30\n[  134.367762]  ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n[  134.368305]  ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]\n[  134.368837]  ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]\n[  134.369454]  ocfs2_grow_tree+0x688/0x8a0 [ocfs2]\n[  134.369927]  ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]\n[  134.370521]  ocfs2_split_extent+0x314/0x4d0 [ocfs2]\n[  134.371019]  ocfs2_change_extent_flag+0x174/0x410 [ocfs2]\n[  134.371566]  ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]\n[  134.372117]  ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]\n[  134.372994]  ? inode_update_timestamps+0x4a/0x120\n[  134.373692]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[  134.374545]  ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[  134.375393]  ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]\n[  134.376197]  ocfs2_remap_file_range+0x1de/0x390 [ocfs2]\n[  134.376971]  ? security_file_permission+0x29/0x50\n[  134.377644]  vfs_clone_file_range+0xfe/0x320\n[  134.378268]  ioctl_file_clone+0x45/0xa0\n[  134.378853]  do_vfs_ioctl+0x457/0x990\n[  134.379422]  __x64_sys_ioctl+0x6e/0xd0\n[  134.379987]  do_syscall_64+0x5d/0x170\n[  134.380550]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  134.381231] RIP: 0033:0x7fa4926397cb\n[  134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48\n[  134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[  134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb\n[  134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003\n[  134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000\n[  134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[  134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000\n[  134.389207]  </TASK>\n\nFix it by only aborting transaction and journal in ocfs2_journal_dirty()\nnow, and leave ocfs2_abort() later when detecting an aborted handle,\ne.g. start next transaction. Also log the handle details in this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic.  In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n  CPU0                              CPU1\n  last_boosted_vcpu = 0xff;\n\n                                    (last_boosted_vcpu = 0x100)\n                                    last_boosted_vcpu[15:8] = 0x01;\n  i = (last_boosted_vcpu = 0x1ff)\n                                    last_boosted_vcpu[7:0] = 0x00;\n\n  vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n  BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n  write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n  kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n  handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n  vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n  vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n  kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n  kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n  __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n  __x64_sys_ioctl (fs/ioctl.c:890)\n  x64_sys_call (arch/x86/entry/syscall_64.c:33)\n  do_syscall_64 (arch/x86/entry/common.c:?)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n  read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n  kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n  handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n  vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n  vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n  kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n  kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n  __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n  __x64_sys_ioctl (fs/ioctl.c:890)\n  x64_sys_call (arch/x86/entry/syscall_64.c:33)\n  do_syscall_64 (arch/x86/entry/common.c:?)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n  value changed: 0x00000012 -> 0x00000000",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n  * attaching an fentry probe to __sock_release() and the probe calling the\n    bpf_get_socket_cookie() helper\n  * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G            E      6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()\n\nWe can trigger a slab-out-of-bounds with the following commands:\n\n    mkfs.ext4 -F /dev/$disk 10G\n    mount /dev/$disk /tmp/test\n    echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc\n    echo test > /tmp/test/file && sync\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\nRead of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11\nCPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521\nCall Trace:\n dump_stack_lvl+0x2c/0x50\n kasan_report+0xb6/0xf0\n ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]\n ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]\n ext4_mb_new_blocks+0x88a/0x1370 [ext4]\n ext4_ext_map_blocks+0x14f7/0x2390 [ext4]\n ext4_map_blocks+0x569/0xea0 [ext4]\n ext4_do_writepages+0x10f6/0x1bc0 [ext4]\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\n// Set s_mb_group_prealloc to 2147483647 via sysfs\next4_mb_new_blocks\n  ext4_mb_normalize_request\n    ext4_mb_normalize_group_request\n      ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc\n  ext4_mb_regular_allocator\n    ext4_mb_choose_next_group\n      ext4_mb_choose_next_group_best_avail\n        mb_avg_fragment_size_order\n          order = fls(len) - 2 = 29\n        ext4_mb_find_good_group_avg_frag_lists\n          frag_list = &sbi->s_mb_avg_fragment_size[order]\n          if (list_empty(frag_list)) // Trigger SOOB!\n\nAt 4k block size, the length of the s_mb_avg_fragment_size list is 14,\nbut an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds\nto be triggered by an attempt to access an element at index 29.\n\nAdd a new attr_id attr_clusters_in_group with values in the range\n[0, sbi->s_clusters_per_group] and declare mb_group_prealloc as\nthat type to fix the issue. In addition avoid returning an order\nfrom mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb)\nand reduce some useless loops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there's a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\n\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n\n    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n    [74830.655633] #PF: supervisor read access in kernel mode\n    [74830.657888] #PF: error_code(0x0000) - not-present page\n    [74830.659500] PGD 0 P4D 0\n    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n    ...\n    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    ...\n    [74830.689725] Call Trace:\n    [74830.690402]  <IRQ>\n    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df\n    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.694275]  ? __die_body.cold+0x8/0xd\n    [74830.695205]  ? page_fault_oops+0xac/0x140\n    [74830.696244]  ? exc_page_fault+0x62/0x150\n    [74830.697225]  ? asm_exc_page_fault+0x22/0x30\n    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]\n    [74830.700758]  ? ip6_route_input+0x19d/0x240\n    [74830.701752]  nf_hook_slow+0x3f/0xb0\n    [74830.702678]  input_action_end_dx4+0x19b/0x1e0\n    [74830.703735]  ? input_action_end_t+0xe0/0xe0\n    [74830.704734]  seg6_local_input_core+0x2d/0x60\n    [74830.705782]  lwtunnel_input+0x5b/0xb0\n    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0\n    [74830.707825]  process_backlog+0x99/0x140\n    [74830.709538]  __napi_poll+0x2c/0x160\n    [74830.710673]  net_rx_action+0x296/0x350\n    [74830.711860]  __do_softirq+0xcb/0x2ac\n    [74830.713049]  do_softirq+0x63/0x90\n\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\n\n    static bool\n    rpfilter_is_loopback(const struct sk_buff *skb,\n          \t       const struct net_device *in)\n    {\n            // in is NULL\n            return skb->pkt_type == PACKET_LOOPBACK ||\n          \t in->flags & IFF_LOOPBACK;\n    }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetns: Make get_net_ns() handle zero refcount net\n\nSyzkaller hit a warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0\nModules linked in:\nCPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xdf/0x1d0\nCode: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1\nRSP: 0018:ffff8881067b7da0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac\nRDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001\nRBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139\nR10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4\nR13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040\nFS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? show_regs+0xa3/0xc0\n ? __warn+0xa5/0x1c0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? report_bug+0x1fc/0x2d0\n ? refcount_warn_saturate+0xdf/0x1d0\n ? handle_bug+0xa1/0x110\n ? exc_invalid_op+0x3c/0xb0\n ? asm_exc_invalid_op+0x1f/0x30\n ? __warn_printk+0xcc/0x140\n ? __warn_printk+0xd5/0x140\n ? refcount_warn_saturate+0xdf/0x1d0\n get_net_ns+0xa4/0xc0\n ? __pfx_get_net_ns+0x10/0x10\n open_related_ns+0x5a/0x130\n __tun_chr_ioctl+0x1616/0x2370\n ? __sanitizer_cov_trace_switch+0x58/0xa0\n ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30\n ? __pfx_tun_chr_ioctl+0x10/0x10\n tun_chr_ioctl+0x2f/0x40\n __x64_sys_ioctl+0x11b/0x160\n x64_sys_call+0x1211/0x20d0\n do_syscall_64+0x9e/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5b28f165d7\nCode: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8\nRSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7\nRDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003\nRBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0\nR10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730\nR13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nThis is trigger as below:\n          ns0                                    ns1\ntun_set_iff() //dev is tun0\n   tun->dev = dev\n//ip link set tun0 netns ns1\n                                       put_net() //ref is 0\n__tun_chr_ioctl() //TUNGETDEVNETNS\n   net = dev_net(tun->dev);\n   open_related_ns(&net->ns, get_net_ns); //ns1\n     get_net_ns()\n        get_net() //addition on 0\n\nUse maybe_get_net() in get_net_ns in case net's ref is zero to fix this",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n  xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n  xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n  xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n  xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n  xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n  xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n  ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n  send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n  wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n  wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n  wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n  wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL dereference in rt6_probe()\n\nsyzbot caught a NULL dereference in rt6_probe() [1]\n\nBail out if  __in6_dev_get() returns NULL.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\n RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS:  00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\n  nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n  __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\n  find_rr_leaf net/ipv6/route.c:853 [inline]\n  rt6_select net/ipv6/route.c:897 [inline]\n  fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\n  ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\n  pol_lookup_func include/net/ip6_fib.h:616 [inline]\n  fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\n  ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\n  ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\n  ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\n  ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\n  rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\n  inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_write_iter+0x4b8/0x5c0 net/socket.c:1160\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x6b6/0x1140 fs/read_write.c:590\n  ksys_write+0x1f8/0x260 fs/read_write.c:643\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n    ip6_validate_gw(  &idev  )\n        ip6_route_check_nh(  idev  )\n            *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS:  00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n  ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n  ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n  inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n  sock_do_ioctl+0x158/0x460 net/socket.c:1222\n  sock_ioctl+0x629/0x8e0 net/socket.c:1341\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: allocate dummy checksums for zoned NODATASUM writes\n\nShin'ichiro reported that when he's running fstests' test-case\nbtrfs/167 on emulated zoned devices, he's seeing the following NULL\npointer dereference in 'btrfs_zone_finish_endio()':\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n  CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G        W          6.10.0-rc2-kts+ #4\n  Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n  RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n\n  RSP: 0018:ffff88867f107a90 EFLAGS: 00010206\n  RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534\n  RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088\n  RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028\n  R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000\n  R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210\n  FS:  0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   ? __die_body.cold+0x19/0x27\n   ? die_addr+0x46/0x70\n   ? exc_general_protection+0x14f/0x250\n   ? asm_exc_general_protection+0x26/0x30\n   ? do_raw_read_unlock+0x44/0x70\n   ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n   btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]\n   ? __pfx_lock_release+0x10/0x10\n   ? do_raw_write_lock+0x90/0x260\n   ? __pfx_do_raw_write_lock+0x10/0x10\n   ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]\n   ? _raw_write_unlock+0x23/0x40\n   ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]\n   ? lock_acquire+0x435/0x500\n   btrfs_work_helper+0x1b1/0xa70 [btrfs]\n   ? __schedule+0x10a8/0x60b0\n   ? __pfx___might_resched+0x10/0x10\n   process_one_work+0x862/0x1410\n   ? __pfx_lock_acquire+0x10/0x10\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5e6/0x1010\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x2c3/0x3a0\n   ? trace_irq_enable.constprop.0+0xce/0x110\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\nEnabling CONFIG_BTRFS_ASSERT revealed the following assertion to\ntrigger:\n\n  assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815\n\nThis indicates that we're missing the checksums list on the\nordered_extent. As btrfs/167 is doing a NOCOW write this is to be\nexpected.\n\nFurther analysis with drgn confirmed the assumption:\n\n  >>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode\n  >>> btrfs_inode = drgn.container_of(inode, \"struct btrfs_inode\", \\\n         \t\t\t\t\"vfs_inode\")\n  >>> print(btrfs_inode.flags)\n  (u32)1\n\nAs zoned emulation mode simulates conventional zones on regular devices,\nwe cannot use zone-append for writing. But we're only attaching dummy\nchecksums if we're doing a zone-append write.\n\nSo for NOCOW zoned data writes on conventional zones, also attach a\ndummy checksum.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some devices have the CBR address set to 0, causing\na kernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was noticed in situations where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() & (1 << 31)); is not failing.\n\nThe current checks for whether RAC flush should be disabled or not are not\nenough, hence let's check if CBR is a valid address or not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()\n\nThe cs35l41_hda_unbind() function clears the hda_component entry\nmatching its index and then dereferences the codec pointer held in the\nfirst element of the hda_component array; this is an issue when the\ndevice index is 0.\n\nInstead, use the codec pointer stashed in the cs35l41_hda structure as it\nwill still be valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: lpi2c: Avoid calling clk_get_rate during transfer\n\nInstead of repeatedly calling clk_get_rate for each transfer, lock\nthe clock rate and cache the value.\nA deadlock has been observed while adding the tlv320aic32x4 audio codec to\nthe system. When this clock provider adds its clock, the clk mutex is\nalready locked; it needs to access i2c, which in turn needs the mutex\nfor clk_get_rate as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: add the option to have a tty reject a new ldisc\n\n... and use it to limit the virtual terminals to just N_TTY.  They are\nkind of special, and in particular, the \"con_write()\" routine violates\nthe \"writes cannot sleep\" rule that some ldiscs rely on.\n\nThis avoids the\n\n   BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\n\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: imx: Introduce timeout when waiting on transmitter empty\n\nBy waiting at most 1 second for USR2_TXDC to be set, we avoid a potential\ndeadlock.\n\nIn case of the timeout, there is not much we can do, so we simply ignore\nthe transmitter state and optimistically try to continue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Octeon: Add PCIe link status check\n\nIf the standard PCIe configuration read-write interface is used to\naccess the configuration space of the peripheral PCIe devices\nof the MIPS processor after a PCIe link surprise down, it can\ngenerate a kernel panic caused by \"Data bus error\". So it is\nnecessary to add a PCIe link status check for system protection.\nWhen the PCIe link is down or in training, assigning a value\nof 0 to the configuration address can prevent read-write behavior\nto the configuration space of peripheral PCIe devices, thereby\npreventing a kernel panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: don't set RO when shutting down f2fs\n\nShutdown does not check the error of thaw_super due to readonly, which\ncauses a deadlock like below.\n\nf2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC)        issue_discard_thread\n - bdev_freeze\n  - freeze_super\n - f2fs_stop_checkpoint()\n  - f2fs_handle_critical_error                     - sb_start_write\n    - set RO                                         - waiting\n - bdev_thaw\n  - thaw_super_locked\n    - return -EINVAL, if sb_rdonly()\n - f2fs_stop_discard_thread\n  -> wait for kthread_stop(discard_thread);",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed of 3\nsegments, resulting in the DMA channel's descs_allocated being 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally, I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that an imbalance can occur (started descriptors can\nbe interrupted and the transfer ignored due to the DMA channel not being enabled).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, the SB_INLINECRYPT flag will be cleared and re-set.\nIf a new file is created or a file is opened during this gap, these files\nwill not use inlinecrypt. Worst case, it may lead to data\ncorruption if wrappedkey_v0 is enabled.\n\nThread A:                               Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n  -default_options\n\t<- clear SB_INLINECRYPT flag\n\n                                          -fscrypt_select_encryption_impl\n\n  -parse_options\n\t<- set SB_INLINECRYPT again",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not create EA inode under buffer lock\n\next4_xattr_set_entry() creates new EA inodes while holding buffer lock\non the external xattr block. This is problematic as it nests all the\nallocation locking (which acquires locks on other buffers) under the\nbuffer lock. This can even deadlock when the filesystem is corrupted and\ne.g. quota file is setup to contain xattr block as data block. Move the\nallocation of EA inode out of ext4_xattr_set_entry() into the callers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-vcodec: potential null pointer dereference in SCP\n\nThe return value of devm_kzalloc() needs to be checked to avoid a\nNULL pointer dereference. This is similar to CVE-2022-3113.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Enforce hcall result buffer validity and size\n\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\n\nFor example, if I write a bug like this:\n\n  long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\n  plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\n\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\n\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\n\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n   60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n      |                 ^                                   ~~~~~~\n\n[1] Enabled for LLVM builds but not GCC for now. See commit\n    0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\n    related changes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devices in reverse order\n\nNot all subsystems support a device getting removed while there are\nstill consumers of the device with a reference to the device.\n\nOne example of this is the regulator subsystem. If a regulator gets\nunregistered while there are still drivers holding a reference,\na WARN() at drivers/regulator/core.c:5829 triggers, e.g.:\n\n WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister\n Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015\n RIP: 0010:regulator_unregister\n Call Trace:\n  <TASK>\n  regulator_unregister\n  devres_release_group\n  i2c_device_remove\n  device_release_driver_internal\n  bus_remove_device\n  device_del\n  device_unregister\n  x86_android_tablet_remove\n\nOn the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides\na 5V boost converter output for powering USB devices connected to the micro\nUSB port; the bq24190-charger driver exports this as a Vbus regulator.\n\nOn the 830 (8\") and 1050 (10\") models this regulator is controlled by\na platform_device and x86_android_tablet_remove() removes platform_device-s\nbefore i2c_clients so the consumer gets removed first.\n\nBut on the 1380 (13\") model there is a lc824206xa micro-USB switch\nconnected over I2C and the extcon driver for that controls the regulator.\nThe bq24190 i2c-client *must* be registered first, because that creates\nthe regulator with the lc824206xa listed as its consumer. If the regulator\nhas not been registered yet the lc824206xa driver will end up getting\na dummy regulator.\n\nSince in this case both the regulator provider and consumer are I2C\ndevices, the only way to ensure that the consumer is unregistered first\nis to unregister the I2C devices in the reverse of the order in which they were\ncreated.\n\nFor consistency and to avoid similar problems in the future, change\nx86_android_tablet_remove() to unregister all device types in reverse\norder.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634]  lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646]  lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656]  lima_gp_irq_handler+0xa8/0x120\n[10136.669666]  __handle_irq_event_percpu+0x48/0x160\n[10136.669679]  handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix potential hung tasks during chip recovery\n\nDuring chip recovery (e.g. chip reset), there is a possible situation that\nkernel worker reset_work is holding the lock and waiting for kernel thread\nstat_worker to be parked, while stat_worker is waiting for the release of\nthe same lock.\nIt causes a deadlock resulting in the dumping of hung tasks messages and\npossible rebooting of the device.\n\nThis patch prevents the execution of stat_worker during the chip recovery.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribute\n\nThe qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly\non a __user pointer, which results in the crash.\n\nTo fix this issue, use a small local stack buffer for sprintf() and then\ncall simple_read_from_buffer(), which in turn makes the copy_to_user()\ncall.\n\nBUG: unable to handle page fault for address: 00007f4801111000\nPGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0\nOops: 0002 [#1] PREEMPT SMP PTI\nHardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023\nRIP: 0010:memcpy_orig+0xcd/0x130\nRSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202\nRAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f\nRDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000\nRBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572\nR10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff\nR13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af\nFS:  00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x183/0x510\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? memcpy_orig+0xcd/0x130\n vsnprintf+0x102/0x4c0\n sprintf+0x51/0x80\n qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]\n full_proxy_read+0x50/0x80\n vfs_read+0xa5/0x2e0\n ? folio_add_new_anon_rmap+0x44/0xa0\n ? set_pte_at+0x15/0x30\n ? do_pte_missing+0x426/0x7f0\n ksys_read+0xa5/0xe0\n do_syscall_64+0x58/0x80\n ? __count_memcg_events+0x46/0x90\n ? count_memcg_event_mm+0x3d/0x60\n ? handle_mm_fault+0x196/0x2f0\n ? do_user_addr_fault+0x267/0x890\n ? exc_page_fault+0x69/0x150\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4800f20b4d",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix kernel crash during resume\n\nCurrently during resume, QMI target memory is not properly handled, resulting\nin a kernel crash in case DMA remap is not supported:\n\nBUG: Bad page state in process kworker/u16:54  pfn:36e80\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80\npage dumped because: nonzero _refcount\nCall Trace:\n bad_page\n free_page_is_bad_report\n __free_pages_ok\n __free_pages\n dma_direct_free\n dma_free_attrs\n ath12k_qmi_free_target_mem_chunk\n ath12k_qmi_msg_mem_request_cb\n\nThe reason is:\nOnce the ath12k module is loaded, firmware sends a memory request to the host. In case\nDMA remap is not supported, ath12k refuses the first request due to failure in\nallocating with large segment size:\n\nath12k_pci 0000:04:00.0: qmi firmware request memory request\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144\nath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size\nath12k_pci 0000:04:00.0: qmi delays mem_request 2\nath12k_pci 0000:04:00.0: qmi firmware request memory request\n\nLater firmware comes back with more but small segments and allocation\nsucceeds:\n\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288\nath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536\nath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288\n\nNow ath12k is working. If suspend is triggered, firmware will be reloaded\nduring resume. Same as before, firmware requests two large segments at\nfirst. In ath12k_qmi_msg_mem_request_cb() segment count and size are\nassigned:\n\n\tab->qmi.mem_seg_count == 2\n\tab->qmi.target_mem[0].size == 7077888\n\tab->qmi.target_mem[1].size == 8454144\n\nThen allocation failed like before and ath12k_qmi_free_target_mem_chunk()\nis called to free all allocated segments. Note the first segment is skipped\nbecause its v.addr is cleared due to allocation failure:\n\n\tchunk->v.addr = dma_alloc_coherent()\n\nAlso note that this leaks that segment because it has not been freed.\n\nWhile freeing the second segment, a size of 8454144 is passed to\ndma_free_coherent(). However, remember that this segment is allocated the\nfirst time firmware is loaded, before suspend. So its real size is\n524288, much smaller than 8454144. As a result the kernel found we are freeing\nsome memory which is in use and thus cras\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: replace spin_lock by raw_spin_lock\n\ntrace_drop_common() is called with preemption disabled, and it acquires\na spin_lock. This is problematic for RT kernels because spin_locks are\nsleeping locks in this configuration, which causes the following splat:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n5 locks held by rcuc/47/449:\n #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210\n #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130\n #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210\n #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70\n #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290\nirq event stamp: 139909\nhardirqs last  enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80\nhardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290\nsoftirqs last  enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170\nsoftirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0\nPreemption disabled at:\n[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0\nCPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7\nHardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8c/0xd0\n dump_stack+0x14/0x20\n __might_resched+0x21e/0x2f0\n rt_spin_lock+0x5e/0x130\n ? trace_drop_common.constprop.0+0xb5/0x290\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_drop_common.constprop.0+0xb5/0x290\n ? preempt_count_sub+0x1c/0xd0\n ? _raw_spin_unlock_irqrestore+0x4a/0x80\n ? __pfx_trace_drop_common.constprop.0+0x10/0x10\n ? rt_mutex_slowunlock+0x26a/0x2e0\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_rt_mutex_slowunlock+0x10/0x10\n ? skb_queue_purge_reason.part.0+0x1bf/0x230\n trace_kfree_skb_hit+0x15/0x20\n trace_kfree_skb+0xe9/0x150\n kfree_skb_reason+0x7b/0x110\n skb_queue_purge_reason.part.0+0x1bf/0x230\n ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10\n ? mark_lock.part.0+0x8a/0x520\n...\n\ntrace_drop_common() also disables interrupts, but this is a minor issue\nbecause we could easily replace it with a local_lock.\n\nReplace the spin_lock with raw_spin_lock to avoid sleeping in atomic\ncontext.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last  enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last  enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last  enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: 
ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n  __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n  arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n  __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n  _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n  spin_unlock_bh include/linux/spinlock.h:396 [inline]\n  batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n  batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 
1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb's destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n  [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n  [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n  [] Workqueue: crypto cryptd_queue_worker\n  [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n  [] Call Trace:\n  [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n  [] tipc_rcv+0xcf5/0x1060 [tipc]\n  [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n  [] cryptd_aead_crypt+0xdb/0x190\n  [] cryptd_queue_worker+0xed/0x190\n  [] process_one_work+0x93d/0x17e0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary's end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndereference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary's\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer dereference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp_ao: Don't leak ao_info on error-path\n\nIt seems I introduced it together with TCP_AO_CMDF_AO_REQUIRED, on\nversion 5 [1] of TCP-AO patches. Quite frustrating that having all these\nselftests that I've written, running kmemtest & kcov was always in todo.\n\n[1]: https://lore.kernel.org/netdev/20230215183335.800122-5-dima@arista.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr()\n\nRequests the vchan lock before using xdma->stop_request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Add check for srq max_sge attribute\n\nmax_sge attribute is passed by the user, and is inserted and used\nunchecked, so verify that the value doesn't exceed maximum allowed value\nbefore using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-glue: Fix of_k3_udma_glue_parse_chn_by_id()\n\nThe of_k3_udma_glue_parse_chn_by_id() helper function erroneously\ninvokes \"of_node_put()\" on the \"udmax_np\" device-node passed to it,\nwithout having incremented its reference count at any point. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix responder length checking for UD request packets\n\nAccording to the IBA specification:\nIf a UD request packet is detected with an invalid length, the request\nshall be an invalid request and it shall be silently dropped by\nthe responder. The responder then waits for a new request packet.\n\ncommit 689c5421bfe0 (\"RDMA/rxe: Fix incorrect responder length checking\")\ndefers responder length check for UD QPs in function `copy_data`.\nBut it introduces a regression issue for UD QPs.\n\nWhen the packet size is too large to fit in the receive buffer.\n`copy_data` will return error code -EINVAL. Then `send_data_in`\nwill return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into\nERROR state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix suspicious rcu_dereference_protected()\n\nWhen destroying all sets, we are either in pernet exit phase or\nare executing a \"destroy all sets command\" from userspace. The latter\nwas taken into account in ip_set_dereference() (nfnetlink mutex is held),\nbut the former was not. The patch adds the required check to\nrcu_dereference_protected() in ip_set_dereference().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.7"
        },
        {
          "id": "CVE-2024-40994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: fix integer overflow in max_vclocks_store\n\nOn 32bit systems, the \"4 * max\" multiply can overflow.  Use kcalloc()\nto do the allocation to prevent this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()\n\nsyzbot found hanging tasks waiting on rtnl_lock [1]\n\nA reproducer is available in the syzbot bug.\n\nWhen a request to add multiple actions with the same index is sent, the\nsecond request will block forever on the first request. This holds\nrtnl_lock, and causes tasks to hang.\n\nReturn -EAGAIN to prevent infinite looping, while keeping documented\nbehavior.\n\n[1]\n\nINFO: task kworker/1:0:5088 blocked for more than 143 seconds.\nNot tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000\nWorkqueue: events_power_efficient reg_check_chans_work\nCall Trace:\n<TASK>\ncontext_switch kernel/sched/core.c:5409 [inline]\n__schedule+0xf15/0x5d00 kernel/sched/core.c:6746\n__schedule_loop kernel/sched/core.c:6823 [inline]\nschedule+0xe7/0x350 kernel/sched/core.c:6838\nschedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895\n__mutex_lock_common kernel/locking/mutex.c:684 [inline]\n__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752\nwiphy_lock include/net/cfg80211.h:5953 [inline]\nreg_leave_invalid_chans net/wireless/reg.c:2466 [inline]\nreg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid splat in pskb_pull_reason\n\nsyzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug\nhint in pskb_may_pull.\n\nWe'd like to retain this debug check because it might hint at integer\noverflows and other issues (kernel code should pull headers, not huge\nvalue).\n\nIn bpf case, this splat isn't interesting at all: such (nonsensical)\nbpf programs are typically generated by a fuzzer anyway.\n\nDo what Eric suggested and suppress such warning.\n\nFor CONFIG_DEBUG_NET=n we don't need the extra check because\npskb_may_pull will do the right thing: return an error without the\nWARN() backtrace.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n  ext4_register_sysfs\n   // sysfs registered msg_ratelimit_interval_ms\n                             // Other processes modify rs->interval to\n                             // non-zero via msg_ratelimit_interval_ms\n  ext4_orphan_cleanup\n    ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n      __ext4_msg\n        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n          if (!rs->interval)  // do nothing if interval is 0\n            return 1;\n          raw_spin_trylock_irqsave(&rs->lock, flags)\n            raw_spin_trylock(lock)\n              _raw_spin_trylock\n                __raw_spin_trylock\n                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n                    lock_acquire\n                      __lock_acquire\n                        register_lock_class\n                          assign_lock_key\n                            dump_stack();\n  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n    raw_spin_lock_init(&rs->lock);\n    // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n 
ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-40999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Add validation for completion descriptors consistency\n\nValidate that `first` flag is set only for the first\ndescriptor in multi-buffer packets.\nIn case of an invalid descriptor, a reset will occur.\nA new reset reason for RX data corruption has been added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-40999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/ioctl: prefer different overflow check\n\nRunning syzkaller with the newly reintroduced signed integer overflow\nsanitizer shows this report:\n\n[   62.982337] ------------[ cut here ]------------\n[   62.985692] cgroup: Invalid name\n[   62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46\n[   62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1\n[   62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'\n[   62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1\n[   62.999369] random: crng reseeded on system resumption\n[   63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)\n[   63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[   63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   63.000682] Call Trace:\n[   63.000686]  <TASK>\n[   63.000731]  dump_stack_lvl+0x93/0xd0\n[   63.000919]  __get_user_pages+0x903/0xd30\n[   63.001030]  __gup_longterm_locked+0x153e/0x1ba0\n[   63.001041]  ? _raw_read_unlock_irqrestore+0x17/0x50\n[   63.001072]  ? try_get_folio+0x29c/0x2d0\n[   63.001083]  internal_get_user_pages_fast+0x1119/0x1530\n[   63.001109]  iov_iter_extract_pages+0x23b/0x580\n[   63.001206]  bio_iov_iter_get_pages+0x4de/0x1220\n[   63.001235]  iomap_dio_bio_iter+0x9b6/0x1410\n[   63.001297]  __iomap_dio_rw+0xab4/0x1810\n[   63.001316]  iomap_dio_rw+0x45/0xa0\n[   63.001328]  ext4_file_write_iter+0xdde/0x1390\n[   63.001372]  vfs_write+0x599/0xbd0\n[   63.001394]  ksys_write+0xc8/0x190\n[   63.001403]  do_syscall_64+0xd4/0x1b0\n[   63.001421]  ? 
arch_exit_to_user_mode_prepare+0x3a/0x60\n[   63.001479]  entry_SYSCALL_64_after_hwframe+0x6f/0x77\n[   63.001535] RIP: 0033:0x7f7fd3ebf539\n[   63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\n[   63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[   63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539\n[   63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004\n[   63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000\n[   63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[   63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8\n...\n[   63.018142] ---[ end trace ]---\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang; It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rework this overflow checking logic to not actually perform an\noverflow during the check itself, thus avoiding the UBSAN splat.\n\n[1]: https://github.com/llvm/llvm-project/pull/82432",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: work around a potential audit memory leak\n\nkmemleak complains that there's a memory leak related to connect\nhandling:\n\nunreferenced object 0xffff0001093bdf00 (size 128):\ncomm \"iou-sqp-455\", pid 457, jiffies 4294894164\nhex dump (first 32 bytes):\n02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00  ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\nbacktrace (crc 2e481b1a):\n[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38\n[<000000009c30bb45>] kmalloc_trace+0x228/0x358\n[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138\n[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8\n[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4\n[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48\n[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4\n[<00000000d999b491>] ret_from_fork+0x10/0x20\n\nwhich can happen if:\n\n1) The command type does something on the prep side that triggers an\n   audit call.\n2) The thread hasn't done any operations before this that triggered\n   an audit call inside ->issue(), where we have audit_uring_entry()\n   and audit_uring_exit().\n\nWork around this by issuing a blanket NOP operation before the SQPOLL\ndoes anything.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/sec - Fix memory leak for sec resource release\n\nThe AIV is one of the SEC resources. When releasing resources,\nit needs to release the AIV resources at the same time.\nOtherwise, memory leakage occurs.\n\nThe aiv resource release is added to the sec resource release\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reg_set_min_max corruption of fake_reg\n\nJuan reported that after doing some changes to buzzer [0] and implementing\na new fuzzing strategy guided by coverage, they noticed the following in\none of the probes:\n\n  [...]\n  13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()\n  14: (b7) r0 = 0                       ; R0_w=0\n  15: (b4) w0 = -1                      ; R0_w=0xffffffff\n  16: (74) w0 >>= 1                     ; R0_w=0x7fffffff\n  17: (5c) w6 &= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))\n  18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))\n  19: (56) if w6 != 0x7ffffffd goto pc+1\n  REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)\n  REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)\n  REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)\n  19: R6_w=0x7fffffff\n  20: (95) exit\n\n  from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm\n  21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm\n  21: (14) w6 -= 2147483632             ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))\n  22: (76) if w6 s>= 0xe goto pc+1      ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))\n  23: (95) exit\n\n  from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm\n  24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm\n  24: (14) w6 -= 14                     ; R6_w=0\n  [...]\n\nWhat can be seen here is a register invariant violation on line 19. After\nthe binary-or in line 18, the verifier knows that bit 2 is set but knows\nnothing about the rest of the content which was loaded from a map value,\nmeaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When in\nline 19 the verifier analyzes the branch, it splits the register states\nin reg_set_min_max() into the registers of the true branch (true_reg1,\ntrue_reg2) and the registers of the false branch (false_reg1, false_reg2).\n\nSince the test is w6 != 0x7ffffffd, the src_reg is a known constant.\nInternally, the verifier creates a \"fake\" register initialized as scalar\nto the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,\nfor line 19, it is mathematically impossible to take the false branch of\nthis program, yet the verifier analyzes it. It is impossible because the\nsecond bit of r6 will be set due to the prior or operation and the\nconstant in the condition has that bit unset (hex(fd) == binary(1111 1101)).\n\nWhen the verifier first analyzes the false / fall-through branch, it will\ncompute an intersection between the var_off of r6 and of the constant. This\nis because the verifier creates a \"fake\" register initialized to the value\nof the constant. The intersection result later refines both registers in\nregs_refine_cond_op():\n\n  [...]\n  t = tnum_intersect(tnum_subreg(reg1->var_off), tnum_subreg(reg2->var_off));\n  reg1->var_o\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modules\n\nThe kprobes and synth event generation test modules add events and lock\n(get a reference) those event file references in the module init function,\nand unlock and delete them in the module exit function. This is because those\nare designed to be used as modules.\n\nIf we build those modules as built-in, those events are left locked in the\nkernel and are never removed. This causes the kprobe event self-test failure\nbelow.\n\n[   97.349708] ------------[ cut here ]------------\n[   97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480\n[   97.357106] Modules linked in:\n[   97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14\n[   97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[   97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480\n[   97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90\n[   97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286\n[   97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000\n[   97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68\n[   97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n[   97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000\n[   97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000\n[   97.381536] FS:  0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000\n[   97.383813] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0\n[   97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   97.391196] Call Trace:\n[   97.391967]  <TASK>\n[   97.392647]  ? __warn+0xcc/0x180\n[   97.393640]  ? kprobe_trace_self_tests_init+0x3f1/0x480\n[   97.395181]  ? report_bug+0xbd/0x150\n[   97.396234]  ? handle_bug+0x3e/0x60\n[   97.397311]  ? exc_invalid_op+0x1a/0x50\n[   97.398434]  ? asm_exc_invalid_op+0x1a/0x20\n[   97.399652]  ? trace_kprobe_is_busy+0x20/0x20\n[   97.400904]  ? tracing_reset_all_online_cpus+0x15/0x90\n[   97.402304]  ? kprobe_trace_self_tests_init+0x3f1/0x480\n[   97.403773]  ? init_kprobe_trace+0x50/0x50\n[   97.404972]  do_one_initcall+0x112/0x240\n[   97.406113]  do_initcall_level+0x95/0xb0\n[   97.407286]  ? kernel_init+0x1a/0x1a0\n[   97.408401]  do_initcalls+0x3f/0x70\n[   97.409452]  kernel_init_freeable+0x16f/0x1e0\n[   97.410662]  ? rest_init+0x1f0/0x1f0\n[   97.411738]  kernel_init+0x1a/0x1a0\n[   97.412788]  ret_from_fork+0x39/0x50\n[   97.413817]  ? rest_init+0x1f0/0x1f0\n[   97.414844]  ret_from_fork_asm+0x11/0x20\n[   97.416285]  </TASK>\n[   97.417134] irq event stamp: 13437323\n[   97.418376] hardirqs last  enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150\n[   97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150\n[   97.423838] softirqs last  enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0\n[   97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0\n[   97.428850] ---[ end trace 0000000000000000 ]---\n\nAnd also, since we cannot clean up the dynamic_event file, ftracetest\nfails too.\n\nTo avoid these issues, build these tests only as modules.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix race condition in netpoll_owner_active\n\nKCSAN detected a race condition in netpoll:\n\n\tBUG: KCSAN: data-race in net_rx_action / netpoll_send_skb\n\twrite (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:\n\tnet_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)\n<snip>\n\tread to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:\n\tnetpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)\n\tnetpoll_send_udp (net/core/netpoll.c:?)\n<snip>\n\tvalue changed: 0x0000000a -> 0xffffffff\n\nThis happens because netpoll_owner_active() needs to check if the\ncurrent CPU is the owner of the lock, touching napi->poll_owner\nnon-atomically. The ->poll_owner field contains the current CPU holding\nthe lock.\n\nUse an atomic read to check if the poll owner is the current CPU.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\n\nnr_release\n  switch (nr->state)\n  case NR_STATE_3\n    nr->state = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\n\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr->state)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)->state = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\n\n                        nr_heartbeat_expiry\n                          switch (nr->state)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk->sk_state == TCP_LISTEN\n                                 && sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has 'expired'.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk->icsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk->icsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm->task_info handling\n\nThis patch changes the handling and lifecycle of vm->task_info object.\nThe major changes are:\n- vm->task_info is a dynamically allocated ptr now, and its usage is\n  reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n    - amdgpu_vm_get_task_info: reference counts up task_info before\n      returning this info\n    - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm->task_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n   - Fix wrong indentation\n   - No debug message for -ENOMEM\n   - Add NULL check for task_info\n   - Do not duplicate the debug messages (ti vs no ti)\n   - Get first reference of task_info in vm_init(), put last\n     in vm_fini()\n\nV4: Fixed review comments from Felix\n   - fix double reference increment in create_task_info\n   - change amdgpu_vm_get_task_info_pasid\n   - additional changes in amdgpu_gem.c while porting",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-41009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance the producer counter. In user space each time a record is\nread, the consumer of the data advances the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be the first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlap with the first\nchunk and as a result, the BPF program is now able to edit the first chunk's\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, let's\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A's header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and checking whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We've tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significant enough to matter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix too early release of tcx_entry\n\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\nan issue that the tcx_entry can be released too early leading to a use\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\nshared tc block is later replaced by another ingress or clsact instance.\n\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\n\n  1. A network namespace is created\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\n     &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the\n     same time, a tcf block with index 1 is created.\n  3. chain0 is attached to the tcf block. chain0 must be connected to\n     the block linked to the ingress qdisc to later reach the function\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\n     created in step 1 to be removed, thus freeing the previously linked\n     tcx_entry:\n\n     rtnetlink_rcv_msg()\n       => tc_modify_qdisc()\n         => qdisc_create()\n           => clsact_init() [a]\n         => qdisc_graft()\n           => qdisc_destroy()\n             => __qdisc_destroy()\n               => ingress_destroy() [b]\n                 => tcx_entry_free()\n                   => kfree_rcu() // tcx_entry freed\n\n  5. Finally, the network namespace is closed. This registers the\n     cleanup_net worker, and during the process of releasing the\n     remaining clsact qdisc, it accesses the tcx_entry that was\n     already freed in step 4, causing the UAF to occur:\n\n     cleanup_net()\n       => ops_exit_list()\n         => default_device_exit_batch()\n           => unregister_netdevice_many()\n             => unregister_netdevice_many_notify()\n               => dev_shutdown()\n                 => qdisc_put()\n                   => clsact_destroy() [c]\n                     => tcf_block_put_ext()\n                       => tcf_chain0_head_change_cb_del()\n                         => tcf_chain_head_change_item()\n                           => clsact_chain_head_change()\n                             => mini_qdisc_pair_swap() // UAF\n\nThere are also other variants; the gist is to add an ingress (or clsact)\nqdisc with a specific shared block, then to replace that qdisc, waiting\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\nthe current active qdisc's miniq one way or another.\n\nThe correct fix is to turn the miniq_active boolean into a counter. What\ncan be observed is that at step 2 above, the counter transitions from 0->1, at\nstep [a] from 1->2 (in order for the miniq object to remain active during\nthe replacement), then in [b] from 2->1 and finally [c] 1->0 with the\neventual release. The reference counter in general ranges from [0,2] and\nit does not need to be atomic since all access to the counter is protected\nby the rtnl mutex. With this in place, there is no longer a UAF happening\nand the tcx_entry is freed at the correct time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: don't allow mapping the MMIO HDP page with large pages\n\nWe don't get the right offset in that case.  The GPU has\nan unused 4K area of the register BAR space into which you can\nremap registers.  We remap the HDP flush registers into this\nspace to allow userspace (CPU or GPU) to flush the HDP when it\nupdates VRAM.  However, on systems with >4K pages, we end up\nexposing PAGE_SIZE of MMIO space.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-41012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can't corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure they don't stray beyond the valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if the last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes are large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and that\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes are large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n    1) Mount an image of xfs, and do some file operations to leave records\n    2) Before umounting, copy the image for subsequent steps to simulate\n       abnormal exit. Because umount will ensure that tail_blk and\n       head_blk are the same, which will result in the inability to enter\n       xlog_recover_process_data\n    3) Write a tool to parse and modify the copied image in step 2\n    4) Make the end of the xlog_op_header entries only 1 byte away from\n       xlog_rec_header->h_size\n    5) xlog_rec_header->h_num_logops++\n    6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 may be 'non-indexed', which is saved with additional space\nrequested.  It's better to check if the memory is out of bounds before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add a check for attr_names and oatbl\n\nAdded out-of-bound checking for *ane (ATTR_NAME_ENTRY).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nis done without any check. If the second ff is a large offset,\nwe may encounter an out-of-bound read.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()\n\nThere is no support for HWPOISON, MEMORY_FAILURE, or ARCH_HAS_COPY_MC on\ns390. Therefore we do not expect to see VM_FAULT_HWPOISON in\ndo_exception().\n\nHowever, since commit af19487f00f3 (\"mm: make PTE_MARKER_SWAPIN_ERROR more\ngeneral\"), it is possible to see VM_FAULT_HWPOISON in combination with\nPTE_MARKER_POISONED, even on architectures that do not support HWPOISON\notherwise. In this case, we will end up on the BUG() in do_exception().\n\nFix this by treating VM_FAULT_HWPOISON the same as VM_FAULT_SIGBUS, similar\nto x86 when MEMORY_FAILURE is not configured. Also print unexpected fault\nflags, for easier debugging.\n\nNote that VM_FAULT_HWPOISON_LARGE is not expected, because s390 cannot\nsupport swap entries on other levels than PTE level.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n  comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n  object hex dump (first 32 bytes):\n    02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .@..............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  debug hex dump (first 16 bytes):\n    53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00  S...............\n  backtrace:\n    [<00000000046b6790>] dup_task_struct+0x30/0x540\n    [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n    [<00000000ced59777>] kernel_clone+0xb0/0x770\n    [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n    [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n    [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix memory leak in audio daemon attach operation\n\nAudio PD daemon send the name as part of the init IOCTL call. This\nname needs to be copied to kernel for which memory is allocated.\nThis memory is never freed which might result in memory leak. Free\nthe memory when it is not needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length\n\nNo check is done on the size of the data to be transmiited. This causes\na kernel panic when this size exceeds the sg_miter's length.\n\nLimit the number of transmitted bytes to sgm->length.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features.  However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [  200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [  200.820738] Modules linked in:\n [  200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [  200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [  200.885052] RIP: 0010:zap_pte_range+0x43d/0x660",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: toshiba_acpi: Fix array out-of-bounds access\n\nIn order to use toshiba_dmi_quirks[] together with the standard DMI\nmatching functions, it must be terminated by a empty entry.\n\nSince this entry is missing, an array out-of-bounds access occurs\nevery time the quirk list is processed.\n\nFix this by adding the terminating empty entry.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: limit cell sysfs permissions to main attribute ones\n\nThe cell sysfs attribute should not provide more access to the nvmem\ndata than the main attribute itself.\nFor example if nvme_config::root_only was set, the cell attribute\nwould still provide read access to everybody.\n\nMask out permissions not available on the main attribute.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB.  The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib  \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct    \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4    \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm      \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64      \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER.  For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmalloc: check if a hash-index is in cpu_possible_mask\n\nThe problem is that there are systems where cpu_possible_mask has gaps\nbetween set CPUs, for example SPARC.  In this scenario addr_to_vb_xa()\nhash function can return an index which accesses to not-possible and not\nsetup CPU area using per_cpu() macro.  This results in an oops on SPARC.\n\nA per-cpu vmap_block_queue is also used as hash table, incorrectly\nassuming the cpu_possible_mask has no gaps.  Fix it by adjusting an index\nto a next possible CPU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachestat: do not flush stats in recency check\n\nsyzbot detects that cachestat() is flushing stats, which can sleep, in its\nRCU read section (see [1]).  This is done in the workingset_test_recent()\nstep (which checks if the folio's eviction is recent).\n\nMove the stat flushing step to before the RCU read section of cachestat,\nand skip stat flushing during the recency check.\n\n[1]: https://lore.kernel.org/cgroups/000000000000f71227061bdf97e0@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0.  As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number.  This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor.  (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".)  This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n    watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n    call trace:\n      queued_spin_lock_slowpath+0x100/0x284\n      do_raw_spin_lock+0x34/0x44\n      ks8851_start_xmit_spi+0x30/0xb8\n      ks8851_start_xmit+0x14/0x20\n      netdev_start_xmit+0x40/0x6c\n      dev_hard_start_xmit+0x6c/0xbc\n      sch_direct_xmit+0xa4/0x22c\n      __qdisc_run+0x138/0x3fc\n      qdisc_run+0x24/0x3c\n      net_tx_action+0xf8/0x130\n      handle_softirqs+0x1ac/0x1f0\n      __do_softirq+0x14/0x20\n      ____do_softirq+0x10/0x1c\n      call_on_irq_stack+0x3c/0x58\n      do_softirq_own_stack+0x1c/0x28\n      __irq_exit_rcu+0x54/0x9c\n      irq_exit_rcu+0x10/0x1c\n      el1_interrupt+0x38/0x50\n      el1h_64_irq_handler+0x18/0x24\n      el1h_64_irq+0x64/0x68\n      __netif_schedule+0x6c/0x80\n      netif_tx_wake_queue+0x38/0x48\n      ks8851_irq+0xb8/0x2c8\n      irq_thread_fn+0x2c/0x74\n      irq_thread+0x10c/0x1b0\n      kthread+0xc8/0xd8\n      ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: fix null deref on system suspend entry\n\nWhen system enters suspend with an active stream, SOF core\ncalls hw_params_upon_resume(). On Intel platforms with HDA DMA used\nto manage the link DMA, this leads to call chain of\n\n   hda_dsp_set_hw_params_upon_resume()\n -> hda_dsp_dais_suspend()\n -> hda_dai_suspend()\n -> hda_ipc4_post_trigger()\n\nA bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first,\nwhich clears hext_stream->link_substream, and then hda_ipc4_post_trigger()\nis called with a NULL snd_pcm_substream pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers\n\nCheck that all fields of a V2 algorithm header fit into the available\nfirmware data buffer.\n\nThe wmfw V2 format introduced variable-length strings in the algorithm\nblock header. This means the overall header length is variable, and the\nposition of most fields varies depending on the length of the string\nfields. Each field must be checked to ensure that it does not overflow\nthe firmware data buffer.\n\nAs this ia bugfix patch, the fixes avoid making any significant change to\nthe existing code. This makes it easier to review and less likely to\nintroduce new bugs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Fix overflow checking of wmfw header\n\nFix the checking that firmware file buffer is large enough for the\nwmfw header, to prevent overrunning the buffer.\n\nThe original code tested that the firmware data buffer contained\nenough bytes for the sums of the size of the structs\n\n\twmfw_header + wmfw_adsp1_sizes + wmfw_footer\n\nBut wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and\nHalo Core the equivalent struct is wmfw_adsp2_sizes, which is\n4 bytes longer. So the length check didn't guarantee that there\nare enough bytes in the firmware buffer for a header with\nwmfw_adsp2_sizes.\n\nThis patch splits the length check into three separate parts. Each\nof the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked\nseparately before they are used.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n  <IRQ>\n  dump_stack_lvl+0x48/0x70\n  print_address_description.constprop.0+0x33/0x3d0\n  print_report+0xc0/0x2b0\n  kasan_report+0xd0/0x120\n  __asan_load1+0x6c/0x80\n  tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n  tcf_ct_act+0x886/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\n  __irq_exit_rcu+0x82/0xc0\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0xa1/0xb0\n  </IRQ>\n  <TASK>\n  asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n  kasan_save_stack+0x38/0x70\n  kasan_set_track+0x25/0x40\n  kasan_save_alloc_info+0x1e/0x40\n  __kasan_krealloc+0x133/0x190\n  krealloc+0xaa/0x130\n  nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n  tcf_ct_act+0x1095/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n  kasan_save_stack+0x38/0x70\n  kasan_set_track+0x25/0x40\n  kasan_save_free_info+0x2b/0x60\n  ____kasan_slab_free+0x180/0x1f0\n  __kasan_slab_free+0x12/0x30\n  slab_free_freelist_hook+0xd2/0x1a0\n  __kmem_cache_free+0x1a2/0x2f0\n  kfree+0x78/0x120\n  nf_conntrack_free+0x74/0x130 [nf_conntrack]\n  nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n  __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n  nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n  __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n  tcf_ct_act+0x12ad/0x1350 [act_ct]\n  tcf_action_exec+0xf8/0x1f0\n  fl_classify+0x355/0x360 [cls_flower]\n  __tcf_classify+0x1fd/0x330\n  tcf_classify+0x21c/0x3c0\n  sch_handle_ingress.constprop.0+0x2c5/0x500\n  __netif_receive_skb_core.constprop.0+0xb25/0x1510\n  __netif_receive_skb_list_core+0x220/0x4c0\n  netif_receive_skb_list_internal+0x446/0x620\n  napi_complete_done+0x157/0x3d0\n  gro_cell_poll+0xcf/0x100\n  __napi_poll+0x65/0x310\n  net_rx_action+0x30c/0x5c0\n  __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table.  Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n  CPU1                                 CPU2\n  ----                                 ----\n  udp_v4_early_demux()                 udp_lib_get_port()\n  |                                    |- hlist_add_head_rcu()\n  |- sk = __udp4_lib_demux_lookup()    |\n  |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n                                       `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS:  00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n <TASK>\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: drop bogus WARN_ON\n\nHappens when rules get flushed/deleted while packet is out, so remove\nthis WARN_ON.\n\nThis WARN exists in one form or another since v4.14, no need to backport\nthis to older releases, hence use a more recent fixes tag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[  +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.002726] Call Trace:\n[  +0.002457]  <TASK>\n[  +0.002119]  ? __warn+0x80/0x120\n[  +0.003245]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005586]  ? report_bug+0x164/0x190\n[  +0.003678]  ? handle_bug+0x3c/0x80\n[  +0.003503]  ? exc_invalid_op+0x17/0x70\n[  +0.003846]  ? asm_exc_invalid_op+0x1a/0x20\n[  +0.004200]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005579]  ? unregister_netdevice_many_notify+0x3cc/0x870\n[  +0.005586]  unregister_netdevice_queue+0xf7/0x140\n[  +0.004806]  unregister_netdev+0x1c/0x30\n[  +0.003933]  i40e_vsi_release+0x87/0x2f0 [i40e]\n[  +0.004604]  i40e_remove+0x1a1/0x420 [i40e]\n[  +0.004220]  pci_device_remove+0x3f/0xb0\n[  +0.003943]  device_release_driver_internal+0x19f/0x200\n[  +0.005243]  driver_detach+0x48/0x90\n[  +0.003586]  bus_remove_driver+0x6d/0xf0\n[  +0.003939]  pci_unregister_driver+0x2e/0xb0\n[  +0.004278]  i40e_exit_module+0x10/0x5f0 [i40e]\n[  +0.004570]  __do_sys_delete_module.isra.0+0x197/0x310\n[  +0.005153]  do_syscall_64+0x85/0x170\n[  +0.003684]  ? syscall_exit_to_user_mode+0x69/0x220\n[  +0.004886]  ? do_syscall_64+0x95/0x170\n[  +0.003851]  ? exc_page_fault+0x7e/0x180\n[  +0.003932]  entry_SYSCALL_64_after_hwframe+0x71/0x79\n[  +0.005064] RIP: 0033:0x7f59dc9347cb\n[  +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[  +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[  +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[  +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[  +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[  +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[  +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[  +0.007151]  </TASK>\n[  +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n  [...]\n  Oops[#1]:\n  CPU: 22 PID: 2824 Comm: test_progs Tainted: G           OE  6.10.0-rc2+ #18\n  Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n     ... ...\n     ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n    ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n   PRMD: 0000000c (PPLV0 +PIE +PWE)\n   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n  ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n   BADV: 0000000000000040\n   PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n  Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n  Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n  Stack : ...\n  Call Trace:\n  [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n  [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n  [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n  [<90000000049aae34>] inet_recvmsg+0x54/0x100\n  [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n  [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n  [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n  [<9000000004c076ec>] do_syscall+0x8c/0xc0\n  [<9000000003731da4>] handle_syscall+0xc4/0x160\n  Code: ...\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: Fatal exception\n  Kernel relocated by 0x3510000\n   .text @ 0x9000000003710000\n   .data @ 0x9000000004d70000\n   .bss  @ 0x9000000006469400\n  ---[ end Kernel panic - not syncing: Fatal exception ]---\n  [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hang, as shown below:\n\n       t1       |      t2       |      t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n                ondemand_object_worker\n                 cachefiles_ondemand_init_object(A)\n                  cachefiles_ondemand_send_req(OPEN)\n                    // get msg_id 6\n                    wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n                                // Malicious completion msg_id 6\n                                copen 6,-1\n                                cachefiles_ondemand_copen\n                                 complete(&req_A->done)\n                                 // will not set the object to close\n                                 // because ondemand_id && fd is valid.\n\n                // ondemand_object_worker() is done\n                // but the object is still reopening.\n\n                                // new open req_B\n                                cachefiles_ondemand_init_object(B)\n                                 cachefiles_ondemand_send_req(OPEN)\n                                 // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: wait for ondemand_object_worker to finish when dropping object\n\nWhen queuing ondemand_object_worker() to re-open the object,\ncachefiles_object is not pinned. The cachefiles_object may be freed when\nthe pending read request is completed intentionally and the related\nerofs is umounted. If ondemand_object_worker() runs after the object is\nfreed, it will incur a use-after-free problem as shown below.\n\nprocess A  process B  process C  process D\n\ncachefiles_ondemand_send_req()\n// send a read req X\n// wait for its completion\n\n           // close ondemand fd\n           cachefiles_ondemand_fd_release()\n           // set object as CLOSE\n\n                       cachefiles_ondemand_daemon_read()\n                       // set object as REOPENING\n                       queue_work(fscache_wq, &info->ondemand_work)\n\n                                // close /dev/cachefiles\n                                cachefiles_daemon_release\n                                cachefiles_flush_reqs\n                                complete(&req->done)\n\n// read req X is completed\n// umount the erofs fs\ncachefiles_put_object()\n// object will be freed\ncachefiles_ondemand_deinit_obj_info()\nkmem_cache_free(object)\n                       // both info and object are freed\n                       ondemand_object_worker()\n\nWhen dropping an object, it is no longer necessary to reopen the object,\nso use cancel_work_sync() to cancel or wait for ondemand_object_worker()\nto finish.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Init the count variable in collecting hot-reset devices\n\nThe count variable is used without initialization, it results in mistakes\nin the device counting and crashes the userspace if the get hot reset info\npath is triggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.10"
        },
        {
          "id": "CVE-2024-41053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix ufshcd_abort_one racing issue\n\nWhen ufshcd_abort_one is racing with the completion ISR, the completed tag\nof the request's mq_hctx pointer will be set to NULL by ISR.  Return\nsuccess when request is completed by ISR because ufshcd_abort_one does not\nneed to do anything.\n\nThe racing flow is:\n\nThread A\nufshcd_err_handler\t\t\t\t\tstep 1\n\t...\n\tufshcd_abort_one\n\t\tufshcd_try_to_abort_task\n\t\t\tufshcd_cmd_inflight(true)\tstep 3\n\t\tufshcd_mcq_req_to_hwq\n\t\t\tblk_mq_unique_tag\n\t\t\t\trq->mq_hctx->queue_num\tstep 5\n\nThread B\nufs_mtk_mcq_intr(cq complete ISR)\t\t\tstep 2\n\tscsi_done\n\t\t...\n\t\t__blk_mq_free_request\n\t\t\trq->mq_hctx = NULL;\t\tstep 4\n\nBelow is KE back trace.\n  ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.\n  ufshcd_try_to_abort_task: cmd at tag=41 is cleared.\n  Aborting tag 41 / CDB 0x28 succeeded\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194\n  pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14\n  lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]\n   do_mem_abort+0x58/0x118\n   el1_abort+0x3c/0x5c\n   el1h_64_sync_handler+0x54/0x90\n   el1h_64_sync+0x68/0x6c\n   blk_mq_unique_tag+0x8/0x14\n   ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]\n   process_one_work+0x208/0x4fc\n   worker_thread+0x228/0x438\n   kthread+0x104/0x1d4\n   ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix ufshcd_clear_cmd racing issue\n\nWhen ufshcd_clear_cmd is racing with the completion ISR, the completed tag\nof the request's mq_hctx pointer will be set to NULL by the ISR.  And\nufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE.\nReturn success when the request is completed by ISR because sq does not\nneed cleanup.\n\nThe racing flow is:\n\nThread A\nufshcd_err_handler\t\t\t\t\tstep 1\n\tufshcd_try_to_abort_task\n\t\tufshcd_cmd_inflight(true)\t\tstep 3\n\t\tufshcd_clear_cmd\n\t\t\t...\n\t\t\tufshcd_mcq_req_to_hwq\n\t\t\tblk_mq_unique_tag\n\t\t\t\trq->mq_hctx->queue_num\tstep 5\n\nThread B\nufs_mtk_mcq_intr(cq complete ISR)\t\t\tstep 2\n\tscsi_done\n\t\t...\n\t\t__blk_mq_free_request\n\t\t\trq->mq_hctx = NULL;\t\tstep 4\n\nBelow is KE back trace:\n\n  ufshcd_try_to_abort_task: cmd pending in the device. tag = 6\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194\n   pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14\n   lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]\n   Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]\n   Call trace:\n    dump_backtrace+0xf8/0x148\n    show_stack+0x18/0x24\n    dump_stack_lvl+0x60/0x7c\n    dump_stack+0x18/0x3c\n    mrdump_common_die+0x24c/0x398 [mrdump]\n    ipanic_die+0x20/0x34 [mrdump]\n    notify_die+0x80/0xd8\n    die+0x94/0x2b8\n    __do_kernel_fault+0x264/0x298\n    do_page_fault+0xa4/0x4b8\n    do_translation_fault+0x38/0x54\n    do_mem_abort+0x58/0x118\n    el1_abort+0x3c/0x5c\n    el1h_64_sync_handler+0x54/0x90\n    el1h_64_sync+0x68/0x6c\n    blk_mq_unique_tag+0x8/0x14\n    ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]\n    ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]\n    ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]\n    process_one_work+0x208/0x4fc\n    worker_thread+0x228/0x438\n    kthread+0x104/0x1d4\n    ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent dereferencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared.  The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference.  We need to check its value before\ndereferencing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files\n\nUse strnlen() instead of strlen() on the algorithm and coefficient name\nstring arrays in V1 wmfw files.\n\nIn V1 wmfw files the name is a NUL-terminated string in a fixed-size\narray. cs_dsp should protect against overrunning the array if the NUL\nterminator is missing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n           p1                |             p2\n------------------------------------------------------------\n                              fscache_begin_lookup\n                               fscache_begin_volume_access\n                                fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n  cachefiles_daemon_unbind\n   cachefiles_withdraw_cache\n    fscache_withdraw_cache\n     fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n    cachefiles_withdraw_objects(cache)\n    fscache_wait_for_objects(fscache)\n      atomic_read(&fscache_cache->object_count) == 0\n                              fscache_perform_lookup\n                               cachefiles_lookup_cookie\n                                cachefiles_alloc_object\n                                 refcount_set(&object->ref, 1);\n                                 object->volume = volume\n                                 fscache_count_object(vcookie->cache);\n                                  atomic_inc(&fscache_cache->object_count)\n    cachefiles_withdraw_volumes\n     cachefiles_withdraw_volume\n      fscache_withdraw_volume\n      __cachefiles_free_volume\n       kfree(cachefiles_volume)\n                              fscache_cookie_state_machine\n                               cachefiles_withdraw_cookie\n                                cache = object->volume->cache;\n                                // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n   been executed before calling fscache_wait_for_objects().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n        mount failed         |         daemon exit\n------------------------------------------------------------\n deactivate_locked_super        cachefiles_daemon_release\n  erofs_kill_sb\n   erofs_fscache_unregister_fs\n    fscache_relinquish_volume\n     __fscache_relinquish_volume\n      fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n       zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n                                 cachefiles_put_unbind_pincount\n                                  cachefiles_daemon_unbind\n                                   cachefiles_withdraw_cache\n                                    cachefiles_withdraw_volumes\n                                     list_del_init(&volume->cache_link)\n       fscache_free_volume(fscache_volume)\n        cache->ops->free_volume\n         cachefiles_free_volume\n          list_del_init(&cachefiles_volume->cache_link);\n        kfree(fscache_volume)\n                                     cachefiles_withdraw_volume\n                                      fscache_withdraw_volume\n                                       fscache_volume->n_accesses\n                                       // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction to try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n           CPU0                       CPU1\n           ----                       ----\n           sock_close                 hci_rx_work\n\t   l2cap_sock_release         hci_acldata_packet\n\t   l2cap_sock_kill            l2cap_recv_frame\n\t   sk_free                    l2cap_conless_channel\n\t                              l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL to avoid others using an invalid sock pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n       destroy_workqueue(hdev->workqueue);\n       destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n    kernel BUG at mm/usercopy.c:102!\n    Oops: Exception in kernel mode, sig: 5 [#1]\n    LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n    Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n    scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n    CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n    Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n    NIP:  c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n    REGS: c000000120c078c0 TRAP: 0700   Not tainted  (6.10.0-rc3)\n    MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 2828220f  XER: 0000000e\n    CFAR: c0000000001fdc80 IRQMASK: 0\n    [ ... GPRs omitted ... ]\n    NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n    LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n    Call Trace:\n     usercopy_abort+0x74/0xb0 (unreliable)\n     __check_heap_object+0xf8/0x120\n     check_heap_object+0x218/0x240\n     __check_object_size+0x84/0x1a4\n     dtl_file_read+0x17c/0x2c4\n     full_proxy_read+0x8c/0x110\n     vfs_read+0xdc/0x3a0\n     ksys_read+0x84/0x144\n     system_call_exception+0x124/0x330\n     system_call_vectored_common+0x15c/0x2ec\n    --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n    tx_buff[free_map[consumer_index]]->skb = new_skb;\n    free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n    consumer_index ++;\nWhere variable data looks like this:\n    free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n                                               \tconsumer_index^\n    tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artificial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n  Call Trace:\n    dump_stack_lvl+0xb4/0x108 (unreliable)\n    print_report+0x2b4/0x6ec\n    kasan_report+0x118/0x2b0\n    __asan_load4+0xb8/0xd0\n    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n    kvm_vfio_set_attr+0x524/0xac0 [kvm]\n    kvm_device_ioctl+0x144/0x240 [kvm]\n    sys_ioctl+0x62c/0x1810\n    system_call_exception+0x190/0x440\n    system_call_vectored_common+0x15c/0x2ec\n  ...\n  Freed by task 0:\n   ...\n   kfree+0xec/0x3e0\n   release_spapr_tce_table+0xd4/0x11c [kvm]\n   rcu_core+0x568/0x16a0\n   handle_softirqs+0x23c/0x920\n   do_softirq_own_stack+0x6c/0x90\n   do_softirq_own_stack+0x58/0x90\n   __irq_exit_rcu+0x218/0x2d0\n   irq_exit+0x30/0x80\n   arch_local_irq_restore+0x128/0x230\n   arch_local_irq_enable+0x1c/0x30\n   cpuidle_enter_state+0x134/0x5cc\n   cpuidle_enter+0x6c/0xb0\n   call_cpuidle+0x7c/0x100\n   do_idle+0x394/0x410\n   cpu_startup_entry+0x60/0x70\n   start_secondary+0x3fc/0x410\n   start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other processes.\n\nFix this issue by simply setting the object to close if its id < 0 in copen.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n  * Generic, copen can only complete open requests, and cread can only\n    complete read requests.\n  * For copen, ondemand_id must not be 0, because this indicates that the\n    request has not been read by the daemon.\n  * For cread, the object corresponding to fd and req should be the same.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implementation returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initialize the\nresult field. This prevents leaking any data from the stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command at\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to work around this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This may be safe for nvmf:\n\n1. For the disable ctrl path,  we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n   are called serially.\n\nSo the reserved tags may still be enough while reg_xx() uses reserved tags.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix netfs_page_mkwrite() to check folio->mapping is valid\n\nFix netfs_page_mkwrite() to check that folio->mapping is valid once it has\ntaken the folio lock (as filemap_page_mkwrite() does).  Without this,\ngeneric/247 occasionally oopses with something like the following:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000000\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n\n    RIP: 0010:trace_event_raw_event_netfs_folio+0x61/0xc0\n    ...\n    Call Trace:\n     <TASK>\n     ? __die_body+0x1a/0x60\n     ? page_fault_oops+0x6e/0xa0\n     ? exc_page_fault+0xc2/0xe0\n     ? asm_exc_page_fault+0x22/0x30\n     ? trace_event_raw_event_netfs_folio+0x61/0xc0\n     trace_netfs_folio+0x39/0x40\n     netfs_page_mkwrite+0x14c/0x1d0\n     do_page_mkwrite+0x50/0x90\n     do_pte_missing+0x184/0x200\n     __handle_mm_fault+0x42d/0x500\n     handle_mm_fault+0x121/0x1f0\n     do_user_addr_fault+0x23e/0x3c0\n     exc_page_fault+0xc2/0xe0\n     asm_exc_page_fault+0x22/0x30\n\nThis is due to the invalidate_inode_pages2_range() issued at the end of the\nDIO write interfering with the mmap'd writes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Avoid null pointer dereference in region lookup\n\ncxl_dpa_to_region() looks up a region based on a memdev and DPA.\nIt wrongly assumes an endpoint found mapping the DPA is also of\na fully assembled region. When not true it leads to a null pointer\ndereference looking up the region name.\n\nThis appears during testing of region lookup after a failure to\nassemble a BIOS defined region or if the lookup raced with the\nassembly of the BIOS defined region.\n\nFailure to clean up BIOS defined regions that fail assembly is an\nissue in itself and a fix to that problem will alleviate some of\nthe impact. It will not alleviate the race condition so let's harden\nthis path.\n\nThe behavior change is that the kernel oops due to a null pointer\ndereference is replaced with a dev_dbg() message noting that an\nendpoint was mapped.\n\nAdditional comments are added so that future users of this function\ncan more clearly understand what it provides.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix no cxl_nvd during pmem region auto-assembling\n\nWhen CXL subsystem is auto-assembling a pmem region during cxl\nendpoint port probing, always hit below calltrace.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000078\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x82/0x160\n  ? do_user_addr_fault+0x65/0x6b0\n  ? exc_page_fault+0x7d/0x170\n  ? asm_exc_page_fault+0x26/0x30\n  ? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]\n  ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem]\n  cxl_bus_probe+0x1b/0x60 [cxl_core]\n  really_probe+0x173/0x410\n  ? __pfx___device_attach_driver+0x10/0x10\n  __driver_probe_device+0x80/0x170\n  driver_probe_device+0x1e/0x90\n  __device_attach_driver+0x90/0x120\n  bus_for_each_drv+0x84/0xe0\n  __device_attach+0xbc/0x1f0\n  bus_probe_device+0x90/0xa0\n  device_add+0x51c/0x710\n  devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core]\n  cxl_bus_probe+0x1b/0x60 [cxl_core]\n\nThe cxl_nvd of the memdev needs to be available during the pmem region\nprobe. Currently the cxl_nvd is registered after the endpoint port probe.\nThe endpoint probe, in the case of autoassembly of regions, can cause a\npmem region probe requiring the not yet available cxl_nvd. Adjust the\nsequence so this dependency is met.\n\nThis requires adding a port parameter to cxl_find_nvdimm_bridge() that\ncan be used to query the ancestor root port. The endpoint port is not\nyet available, but will share a common ancestor with its parent, so\nstart the query from there instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Fix sb_field_downgrade validation\n\n- bch2_sb_downgrade_validate() wasn't checking for a downgrade entry\n  extending past the end of the superblock section\n\n- for_each_downgrade_entry() is used in to_text() and needs to work on\n  malformed input; it also was missing a check for a field extending\n  past the end of the section",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\n\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251xfd: fix infinite loop when xmit fails\n\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\n\nError messages:\n[  441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[  441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\n\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\n\nThe problem occurs because tx_ring->head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\n\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring->head, remove skb from the echo stack, and drop the message.\n\n[mkl: use more imperative wording in patch description]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\n\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-41092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n<3> [414.070354] Unable to pin Y-tiled fence; err:-4\n<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))\n...\n<4>[  609.603992] ------------[ cut here ]------------\n<2>[  609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n<4>[  609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G     U  W          6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n<4>[  609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n<4>[  609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n<4>[  609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n<4>[  609.604271] Call Trace:\n<4>[  609.604273]  <TASK>\n...\n<4>[  609.604716]  __i915_vma_evict+0x2e9/0x550 [i915]\n<4>[  609.604852]  __i915_vma_unbind+0x7c/0x160 [i915]\n<4>[  609.604977]  force_unbind+0x24/0xa0 [i915]\n<4>[  609.605098]  i915_vma_destroy+0x2f/0xa0 [i915]\n<4>[  609.605210]  __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n<4>[  609.605330]  __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n<4>[  609.605440]  process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() 
was waiting for\nidleness of vma->active via fence_update().   That commit introduced\nvma->fence->active in order for the fence_update() to be able to wait\nselectively on that one instead of vma->active since only idleness of\nfence registers was needed.  But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.\nNo justification was provided on why we might then expect idleness of\nvma->fence->active without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers.  Fix it by\nwaiting for idleness of vma->fence->active in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only set smem_start is enable per module option\n\nOnly export struct fb_info.fix.smem_start if that is required by the\nuser and the memory does not come from vmalloc().\n\nSetting struct fb_info.fix.smem_start breaks systems where DMA\nmemory is backed by vmalloc address space. An example error is\nshown below.\n\n[    3.536043] ------------[ cut here ]------------\n[    3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)\n[    3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98\n[    3.565455] Modules linked in:\n[    3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250\n[    3.577310] Hardware name: NXP i.MX95 19X19 board (DT)\n[    3.582452] Workqueue: events_unbound deferred_probe_work_func\n[    3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    3.595233] pc : __virt_to_phys+0x68/0x98\n[    3.599246] lr : __virt_to_phys+0x68/0x98\n[    3.603276] sp : ffff800083603990\n[    3.677939] Call trace:\n[    3.680393]  __virt_to_phys+0x68/0x98\n[    3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238\n[    3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0\n[    3.695385]  drm_fb_helper_initial_config+0x4c/0x68\n[    3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0\n[    3.705161]  drm_client_register+0x60/0xb0\n[    3.709269]  drm_fbdev_dma_setup+0x94/0x148\n\nAdditionally, DMA memory is assumed to by contiguous in physical\naddress space, which is not guaranteed by vmalloc().\n\nResolve this by checking the module flag drm_leak_fbdev_smem when\nDRM allocated the instance of struct fb_info. Fbdev-dma then only\nsets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also\nguarantee that the framebuffer is not located in vmalloc address\nspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\n\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/MSI: Fix UAF in msi_capability_init\n\nKFENCE reports the following UAF:\n\n BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488\n\n Use-after-free read at 0x0000000024629571 (in kfence-#12):\n  __pci_enable_msi_range+0x2c0/0x488\n  pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\n kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128\n\n allocated by task 81 on cpu 7 at 10.808142s:\n  __kmem_cache_alloc_node+0x1f0/0x2bc\n  kmalloc_trace+0x44/0x138\n  msi_alloc_desc+0x3c/0x9c\n  msi_domain_insert_msi_desc+0x30/0x78\n  msi_setup_msi_desc+0x13c/0x184\n  __pci_enable_msi_range+0x258/0x488\n  pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\n freed by task 81 on cpu 7 at 10.811436s:\n  msi_domain_free_descs+0xd4/0x10c\n  msi_domain_free_locked.part.0+0xc0/0x1d8\n  msi_domain_alloc_irqs_all_locked+0xb4/0xbc\n  pci_msi_setup_msi_irqs+0x30/0x4c\n  __pci_enable_msi_range+0x2a8/0x488\n  pci_alloc_irq_vectors_affinity+0xec/0x14c\n  pci_alloc_irq_vectors+0x18/0x28\n\nDescriptor allocation done in:\n__pci_enable_msi_range\n    msi_capability_init\n        msi_setup_msi_desc\n            msi_insert_msi_desc\n                msi_domain_insert_msi_desc\n                    msi_alloc_desc\n                        ...\n\nFreed in case of failure in __msi_domain_alloc_locked()\n__pci_enable_msi_range\n    msi_capability_init\n        pci_msi_setup_msi_irqs\n            msi_domain_alloc_irqs_all_locked\n                msi_domain_alloc_locked\n                    __msi_domain_alloc_locked => fails\n                    msi_domain_free_locked\n                        ...\n\nThat failure propagates back to pci_msi_setup_msi_irqs() in\nmsi_capability_init() which accesses the descriptor for unmasking in the\nerror exit path.\n\nCure it by copying the descriptor and using the copy for the 
error exit path\nunmask operation.\n\n[ tglx: Massaged change log ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\n\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\n\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\n\nUnfortunately, this patch has not been tested on real hardware.\n\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n 
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix null pointer dereference on error\n\nIf the ata_port_alloc() call in ata_host_alloc() fails,\nata_host_release() will get called.\n\nHowever, the code in ata_host_release() tries to free ata_port struct\nmembers unconditionally, which can lead to the following:\n\nBUG: unable to handle page fault for address: 0000000000003990\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]\nCode: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41\nRSP: 0018:ffffc90000ebb968 EFLAGS: 00010246\nRAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0\nRBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68\nR10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004\nR13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006\nFS:  00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? ata_host_release.cold+0x2f/0x6e [libata]\n ? ata_host_release.cold+0x2f/0x6e [libata]\n release_nodes+0x35/0xb0\n devres_release_group+0x113/0x140\n ata_host_alloc+0xed/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\n\nDo not access ata_port struct members unconditionally.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-41149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid to reuse `hctx` not removed from cpuhp callback list\n\nIf the 'hctx' isn't removed from cpuhp callback list, we can't reuse it,\notherwise use-after-free may be triggered.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.7"
        },
        {
          "id": "CVE-2024-41932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: fix warning in sched_setaffinity\n\nCommit 8f9ea86fdf99b added some logic to sched_setaffinity that included\na WARN when a per-task affinity assignment races with a cpuset update.\n\nSpecifically, we can have a race where a cpuset update results in the\ntask affinity no longer being a subset of the cpuset. That's fine; we\nhave a fallback to instead use the cpuset mask. However, we have a WARN\nset up that will trigger if the cpuset mask has no overlap at all with\nthe requested task affinity. This shouldn't be a warning condition; its\ntrivial to create this condition.\n\nReproduced the warning by the following setup:\n\n- $PID inside a cpuset cgroup\n- another thread repeatedly switching the cpuset cpus from 1-2 to just 1\n- another thread repeatedly setting the $PID affinity (via taskset) to 2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-41935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to shrink read extent node in batches\n\nWe use rwlock to protect core structure data of extent tree during\nits shrink, however, if there is a huge number of extent nodes in\nextent tree, during shrink of extent tree, it may hold rwlock for\na very long time, which may trigger kernel hang issue.\n\nThis patch fixes to shrink read extent node in batches, so that,\ncritical region of the rwlock can be shrunk to avoid its extreme\nlong time hold.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-41935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-42063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode\n\nsyzbot reported uninit memory usages during map_{lookup,delete}_elem.\n\n==========\nBUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\nBUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]\ndev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796\n____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]\nbpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38\n___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237\n==========\n\nThe reproducer should be in the interpreter mode.\n\nThe C reproducer is trying to run the following bpf prog:\n\n    0: (18) r0 = 0x0\n    2: (18) r1 = map[id:49]\n    4: (b7) r8 = 16777216\n    5: (7b) *(u64 *)(r10 -8) = r8\n    6: (bf) r2 = r10\n    7: (07) r2 += -229\n            ^^^^^^^^^^\n\n    8: (b7) r3 = 8\n    9: (b7) r4 = 0\n   10: (85) call dev_map_lookup_elem#1543472\n   11: (95) exit\n\nIt is due to the \"void *key\" (r2) passed to the helper. bpf allows uninit\nstack memory access for bpf prog with the right privileges. This patch\nuses kmsan_unpoison_memory() to mark the stack as initialized.\n\nThis should address different syzbot reports on the uninit \"void *key\"\nargument during map_{lookup,delete}_elem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip pipe if the pipe idx not set properly\n\n[why]\nDriver crashes when pipe idx not set properly\n\n[how]\nAdd code to skip the pipe that idx not set properly",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix potential integer overflow in page size calculation\n\nExplicitly cast tbo->page_alignment to u64 before bit-shifting to\nprevent overflow when assigning to min_page_size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_rox() into account with bpf_jit_binary_lock_ro()\n\nset_memory_rox() can fail, leaving memory unprotected.\n\nCheck return and bail out when bpf_jit_binary_lock_ro() returns\nan error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()\n\nset_memory_ro() can fail, leaving memory unprotected.\n\nCheck its return and take it into account as an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix possible double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function adev_release\ncalls kfree(madev). We shouldn't call kfree(madev) again\nin the error handling path. Set 'madev' to NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: use dev_consume_skb_any outside of napi\n\nIf we're not in a NAPI softirq context, we need to be careful\nabout how we call napi_consume_skb(), specifically we need to\ncall it with budget==0 to signal to it that we're not in a\nsafe context.\n\nThis was found while running some configuration stress testing\nof traffic and a change queue config loop running, and this\ncurious note popped out:\n\n[ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545\n[ 4371.402897] caller is napi_skb_cache_put+0x16/0x80\n[ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G           OE      6.10.0-rc3-netnext+ #8\n[ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021\n[ 4371.403460] Call Trace:\n[ 4371.403613]  <TASK>\n[ 4371.403758]  dump_stack_lvl+0x4f/0x70\n[ 4371.403904]  check_preemption_disabled+0xc1/0xe0\n[ 4371.404051]  napi_skb_cache_put+0x16/0x80\n[ 4371.404199]  ionic_tx_clean+0x18a/0x240 [ionic]\n[ 4371.404354]  ionic_tx_cq_service+0xc4/0x200 [ionic]\n[ 4371.404505]  ionic_tx_flush+0x15/0x70 [ionic]\n[ 4371.404653]  ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic]\n[ 4371.404805]  ionic_txrx_deinit+0x71/0x190 [ionic]\n[ 4371.404956]  ionic_reconfigure_queues+0x5f5/0xff0 [ionic]\n[ 4371.405111]  ionic_set_ringparam+0x2e8/0x3e0 [ionic]\n[ 4371.405265]  ethnl_set_rings+0x1f1/0x300\n[ 4371.405418]  ethnl_default_set_doit+0xbb/0x160\n[ 4371.405571]  genl_family_rcv_msg_doit+0xff/0x130\n\t[...]\n\nI found that ionic_tx_clean() calls napi_consume_skb() which calls\nnapi_skb_cache_put(), but before that last call is the note\n    /* Zero budget indicate non-NAPI context called us, like netpoll */\nand\n    DEBUG_NET_WARN_ON_ONCE(!in_softirq());\n\nThose are pretty big hints that we're doing it wrong.  We can pass a\ncontext hint down through the calls to let ionic_tx_clean() know what\nwe're doing so it can call napi_consume_skb() correctly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix may_goto with negative offset.\n\nZac's syzbot crafted a bpf prog that exposed two bugs in may_goto.\nThe 1st bug is the way may_goto is patched. When offset is negative\nit should be patched differently.\nThe 2nd bug is in the verifier:\nwhen current state may_goto_depth is equal to visited state may_goto_depth\nit means there is an actual infinite loop. It's not correct to prune\nexploration of the program at this point.\nNote, that this check doesn't limit the program to only one may_goto insn,\nsince 2nd and any further may_goto will increment may_goto_depth only\nin the queued state pushed for future exploration. The current state\nwill have may_goto_depth == 0 regardless of number of may_goto insns\nand the verifier has to explore the program until bpf_exit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems\n\nThe following two shared buffer operations make use of the Shared Buffer\nStatus Register (SBSR):\n\n # devlink sb occupancy snapshot pci/0000:01:00.0\n # devlink sb occupancy clearmax pci/0000:01:00.0\n\nThe register has two masks of 256 bits to denote on which ingress /\negress ports the register should operate on. Spectrum-4 has more than\n256 ports, so the register was extended by cited commit with a new\n'port_page' field.\n\nHowever, when filling the register's payload, the driver specifies the\nports as absolute numbers and not relative to the first port of the port\npage, resulting in memory corruptions [1].\n\nFix by specifying the ports relative to the first port of the port page.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0\nRead of size 1 at addr ffff8881068cb00f by task devlink/1566\n[...]\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0\n mlxsw_devlink_sb_occ_snapshot+0x75/0xb0\n devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0\n genl_family_rcv_msg_doit+0x20c/0x300\n genl_rcv_msg+0x567/0x800\n netlink_rcv_skb+0x170/0x450\n genl_rcv+0x2d/0x40\n netlink_unicast+0x547/0x830\n netlink_sendmsg+0x8d4/0xdb0\n __sys_sendto+0x49b/0x510\n __x64_sys_sendto+0xe5/0x1c0\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[...]\nAllocated by task 1:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n copy_verifier_state+0xbc2/0xfb0\n do_check_common+0x2c51/0xc7e0\n bpf_check+0x5107/0x9960\n bpf_prog_load+0xf0e/0x2690\n __sys_bpf+0x1a61/0x49d0\n __x64_sys_bpf+0x7d/0xc0\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 1:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x109/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xca/0x2b0\n free_verifier_state+0xce/0x270\n do_check_common+0x4828/0xc7e0\n bpf_check+0x5107/0x9960\n bpf_prog_load+0xf0e/0x2690\n __sys_bpf+0x1a61/0x49d0\n __x64_sys_bpf+0x7d/0xc0\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp: add a null check for chip_pdev structure\n\nWhen acp platform device creation is skipped, chip->chip_pdev value will\nremain NULL. Add NULL check for chip->chip_pdev structure in\nsnd_acp_resume() function to avoid null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix remap of arena.\n\nThe bpf arena logic didn't account for mremap operation. Add a refcnt for\nmultiple mmap events to prevent use-after-free in arena_vm_close.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: Initialize unused data in j1939_send_one()\n\nsyzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()\ncreates full frame including unused data, but it doesn't initialize\nit. This causes the kernel-infoleak issue. Fix this by initializing\nunused data.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n memcpy_to_msg include/linux/skbuff.h:4113 [inline]\n raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n ____sys_recvmsg+0x18a/0x620 net/socket.c:2803\n ___sys_recvmsg+0x223/0x840 net/socket.c:2845\n do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n __do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034\n x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1313 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n sock_alloc_send_skb include/net/sock.h:1842 [inline]\n j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]\n j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]\n j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBytes 12-15 of 16 are uninitialized\nMemory access of size 16 starts at ffff888120969690\nData copied to user address 00000000200017c0\n\nCPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix DIO failure due to insufficient transaction credits\n\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits().  This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\n\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases.  For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents.  Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error.  This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\n\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\n\nHeming Zhao said:\n\n------\nPANIC: \"Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\"\n\nPID: xxx  TASK: xxxx  CPU: 5  COMMAND: \"SubmitThread-CA\"\n  #0 machine_kexec at ffffffff8c069932\n  #1 __crash_kexec at ffffffff8c1338fa\n  #2 panic at ffffffff8c1d69b9\n  #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n  #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n  #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n  #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n  #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n  #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n  #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: initialise nfsd_info.mutex early.\n\nnfsd_info.mutex can be dereferenced by svc_pool_stats_start()\nimmediately after the new netns is created.  Currently this can\ntrigger an oops.\n\nMove the initialisation earlier before it can possibly be dereferenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before\ndereferencing it.  Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->\ngfs2_log_flush).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Fix potential invalid address access\n\nstruct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME\nin ib_create_cq(), while if the module exited but forgot del this\nrdma_restrack_entry, it would cause a invalid address access in\nrdma_restrack_clean() when print the owner of this rdma_restrack_entry.\n\nThese code is used to help find one forgotten PD release in one of the\nULPs. But it is not needed anymore, so delete them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_devcoredump: Check NULL before assignments\n\nAssign 'xe_devcoredump_snapshot *' and 'xe_device *' only if\n'coredump' is not NULL.\n\nv2\n- Fix commit messages.\n\nv3\n- Define variables before code.(Ashutosh/Jose)\n\nv4\n- Drop return check for coredump_to_xe. (Jose/Rodrigo)\n\nv5\n- Modify misleading commit message. (Matt)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: Remove WARN() from __xdp_reg_mem_model()\n\nsyzkaller reports a warning in __xdp_reg_mem_model().\n\nThe warning occurs only if __mem_id_init_hash_table() returns an error. It\nreturns the error in two cases:\n\n  1. memory allocation fails;\n  2. rhashtable_init() fails when some fields of rhashtable_params\n     struct are not initialized properly.\n\nThe second case cannot happen since there is a static const rhashtable_params\nstruct with valid fields. So, warning is only triggered when there is a\nproblem with memory allocation.\n\nThus, there is no sense in using WARN() to handle this error and it can be\nsafely removed.\n\nWARNING: CPU: 0 PID: 5065 at net/core/xdp.c:299 __xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCPU: 0 PID: 5065 Comm: syz-executor883 Not tainted 6.8.0-syzkaller-05271-gf99c5f563c17 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:__xdp_reg_mem_model+0x2d9/0x650 net/core/xdp.c:299\n\nCall Trace:\n xdp_reg_mem_model+0x22/0x40 net/core/xdp.c:344\n xdp_test_run_setup net/bpf/test_run.c:188 [inline]\n bpf_test_run_xdp_live+0x365/0x1e90 net/bpf/test_run.c:377\n bpf_prog_test_run_xdp+0x813/0x11b0 net/bpf/test_run.c:1267\n bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4240\n __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5649\n __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix kernel panic due to multi-buffer handling\n\nCurrently, the ionic_run_xdp() doesn't handle multi-buffer packets\nproperly for XDP_TX and XDP_REDIRECT.\nWhen a jumbo frame is received, the ionic_run_xdp() first makes xdp\nframe with all necessary pages in the rx descriptor.\nAnd if the action is either XDP_TX or XDP_REDIRECT, it should unmap\ndma-mapping and reset page pointer to NULL for all pages, not only the\nfirst page.\nBut it doesn't for SG pages. So, SG pages unexpectedly will be reused.\nIt eventually causes kernel panic.\n\nOops: general protection fault, probably for non-canonical address 0x504f4e4dbebc64ff: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.10.0-rc3+ #25\nRIP: 0010:xdp_return_frame+0x42/0x90\nCode: 01 75 12 5b 4c 89 e6 5d 31 c9 41 5c 31 d2 41 5d e9 73 fd ff ff 44 8b 6b 20 0f b7 43 0a 49 81 ed 68 01 00 00 49 29 c5 49 01 fd <41> 80 7d0\nRSP: 0018:ffff99d00122ce08 EFLAGS: 00010202\nRAX: 0000000000005453 RBX: ffff8d325f904000 RCX: 0000000000000001\nRDX: 00000000670e1000 RSI: 000000011f90d000 RDI: 504f4e4d4c4b4a49\nRBP: ffff99d003907740 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000011f90d000 R11: 0000000000000000 R12: ffff8d325f904010\nR13: 504f4e4dbebc64fd R14: ffff8d3242b070c8 R15: ffff99d0039077c0\nFS:  0000000000000000(0000) GS:ffff8d399f780000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f41f6c85e38 CR3: 000000037ac30000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? die_addr+0x33/0x90\n ? exc_general_protection+0x251/0x2f0\n ? asm_exc_general_protection+0x22/0x30\n ? xdp_return_frame+0x42/0x90\n ionic_tx_clean+0x211/0x280 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]\n ionic_tx_cq_service+0xd3/0x210 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]\n ionic_txrx_napi+0x41/0x1b0 [ionic 15881354510e6a9c655c59c54812b319ed2cd015]\n __napi_poll.constprop.0+0x29/0x1b0\n net_rx_action+0x2c4/0x350\n handle_softirqs+0xf4/0x320\n irq_exit_rcu+0x78/0xa0\n common_interrupt+0x77/0x90",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftruncate: pass a signed offset\n\nThe old ftruncate() syscall, using the 32-bit off_t misses a sign\nextension when called in compat mode on 64-bit architectures.  As a\nresult, passing a negative length accidentally succeeds in truncating\nto file size between 2GiB and 4GiB.\n\nChanging the type of the compat syscall to the signed compat_off_t\nchanges the behavior so it instead returns -EINVAL.\n\nThe native entry point, the truncate() syscall and the corresponding\nloff_t based variants are all correct already and do not suffer\nfrom this mistake.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock\n\nWhen config CONFIG_USB_DWC3_DUAL_ROLE is selected, and trigger system\nto enter suspend status with below command:\necho mem > /sys/power/state\nThere will be a deadlock issue occurring. Detailed invoking path as\nbelow:\ndwc3_suspend_common()\n    spin_lock_irqsave(&dwc->lock, flags);              <-- 1st\n    dwc3_gadget_suspend(dwc);\n        dwc3_gadget_soft_disconnect(dwc);\n            spin_lock_irqsave(&dwc->lock, flags);      <-- 2nd\nThis issue is exposed by commit c7ebd8149ee5 (\"usb: dwc3: gadget: Fix\nNULL pointer dereference in dwc3_gadget_suspend\") that removes the code\nof checking whether dwc->gadget_driver is NULL or not. It causes the\nfollowing code is executed and deadlock occurs when trying to get the\nspinlock. In fact, the root cause is the commit 5265397f9442(\"usb: dwc3:\nRemove DWC3 locking during gadget suspend/resume\") that forgot to remove\nthe lock of otg mode. So, remove the redundant lock of otg mode during\ngadget suspend/resume.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: bme680: Fix overflows in compensate() functions\n\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\"iio:\nchemical: Add support for Bosch BME680 sensor\").\n\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep\n\nThe ilitek-ili9881c controls the reset GPIO using the non-sleeping\ngpiod_set_value() function. This complains loudly when the GPIO\ncontroller needs to sleep. As the caller can sleep, use\ngpiod_set_value_cansleep() to fix the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link\n\nCommit e70b8dd26711 (\"ASoC: mediatek: mt8195: Remove afe-dai component\nand rework codec link\") removed the codec entry for the ETDM1_OUT_BE\ndai link entirely instead of replacing it with COMP_EMPTY(). This worked\nby accident as the remaining COMP_EMPTY() platform entry became the codec\nentry, and the platform entry became completely empty, effectively the\nsame as COMP_DUMMY() since snd_soc_fill_dummy_dai() doesn't do anything\nfor platform entries.\n\nThis causes a KASAN out-of-bounds warning in mtk_soundcard_common_probe()\nin sound/soc/mediatek/common/mtk-soundcard-driver.c:\n\n\tfor_each_card_prelinks(card, i, dai_link) {\n\t\tif (adsp_node && !strncmp(dai_link->name, \"AFE_SOF\", strlen(\"AFE_SOF\")))\n\t\t\tdai_link->platforms->of_node = adsp_node;\n\t\telse if (!dai_link->platforms->name && !dai_link->platforms->of_node)\n\t\t\tdai_link->platforms->of_node = platform_node;\n\t}\n\nwhere the code expects the platforms array to have space for at least one entry.\n\nAdd an COMP_EMPTY() entry so that dai_link->platforms has space.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl-asoc-card: set priv->pdev before using it\n\npriv->pdev pointer was set after being used in\nfsl_asoc_card_audmux_init().\nMove this assignment at the start of the probe function, so\nsub-functions can correctly use pdev through priv.\n\nfsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the\ndev struct, used with dev_err macros.\nAs priv is zero-initialised, there would be a NULL pointer dereference.\nNote that if priv->dev is dereferenced before assignment but never used,\nfor example if there is no error to be printed, the driver won't crash\nprobably due to compiler optimisations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\n\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\n\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Check pat.ops before dumping PAT settings\n\nWe may leave pat.ops unset when running on brand new platform or\nwhen running as a VF.  While the former is unlikely, the latter\nis valid (future) use case and will cause NPD when someone will\ntry to dump PAT settings by debugfs.\n\nIt's better to check pointer to pat.ops instead of specific .dump\nhook, as we have this hook always defined for every .ops variant.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: davinci: Validate the obtained number of IRQs\n\nValue of pdata->gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips->irqs array boundaries access in\ndavinci_gpio_probe().\n\nValidate the obtained nirq value so that it won't exceed the maximum\nnumber of IRQs per bank.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/dpaa2: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: Avoid explicit cpumask var allocation on stack\n\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\n\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\n\nUse *cpumask_var API(s) to address it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_omap: Implementation of Errata i2310\n\nAs per Errata i2310[0], Erroneous timeout can be triggered,\nif this Erroneous interrupt is not cleared then it may leads\nto storm of interrupts, therefore apply Errata i2310 solution.\n\n[0] https://www.ti.com/lit/pdf/sprz536 page 23",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: stop playing stack games in profile_pc()\n\nThe 'profile_pc()' function is used for timer-based profiling, which\nisn't really all that relevant any more to begin with, but it also ends\nup making assumptions based on the stack layout that aren't necessarily\nvalid.\n\nBasically, the code tries to account the time spent in spinlocks to the\ncaller rather than the spinlock, and while I support that as a concept,\nit's not worth the code complexity or the KASAN warnings when no serious\nprofiling is done using timers anyway these days.\n\nAnd the code really does depend on stack layout that is only true in the\nsimplest of cases.  We've lost the comment at some point (I think when\nthe 32-bit and 64-bit code was unified), but it used to say:\n\n\tAssume the lock function has either no stack frame or a copy\n\tof eflags from PUSHF.\n\nwhich explains why it just blindly loads a word or two straight off the\nstack pointer and then takes a minimal look at the values to just check\nif they might be eflags or the return pc:\n\n\tEflags always has bits 22 and up cleared unlike kernel addresses\n\nbut that basic stack layout assumption assumes that there isn't any lock\ndebugging etc going on that would complicate the code and cause a stack\nframe.\n\nIt causes KASAN unhappiness reported for years by syzkaller [1] and\nothers [2].\n\nWith no real practical reason for this any more, just remove the code.\n\nJust for historical interest, here's some background commits relating to\nthis code from 2006:\n\n  0cb91a229364 (\"i386: Account spinlocks to the caller during profiling for !FP kernels\")\n  31679f38d886 (\"Simplify profile_pc on x86-64\")\n\nand a code unification from 2009:\n\n  ef4512882dbe (\"x86: time_32/64.c unify profile_pc\")\n\nbut the basics of this thing actually goes back to before the git tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emux: improve patch ioctl data validation\n\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\n\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdh - explicitly zeroize private_key\n\nprivate_key is overwritten with the key parameter passed in by the\ncaller (if present), or alternatively a newly generated private key.\nHowever, it is possible that the caller provides a key (or the newly\ngenerated key) which is shorter than the previous key. In that\nscenario, some key material from the previous key would not be\noverwritten. The easiest solution is to explicitly zeroize the entire\nprivate_key array first.\n\nNote that this patch slightly changes the behavior of this function:\npreviously, if the ecc_gen_privkey failed, the old private_key would\nremain. Now, the private_key is always zeroized. This behavior is\nconsistent with the case where params.key is set and ecc_is_key_valid\nfails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: Fix invalid dereferencing of indirect CCW data pointer\n\nFix invalid dereferencing of indirect CCW data pointer in\ndasd_eckd_dump_sense() that leads to a kernel panic in error cases.\n\nWhen using indirect addressing for DASD CCWs (IDAW) the CCW CDA pointer\ndoes not contain the data address itself but a pointer to the IDAL.\nThis needs to be translated from physical to virtual as well before\nusing it.\n\nThis dereferencing is also used for dasd_page_cache and also fixed\nalthough it is very unlikely that this code path ever gets used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common\n\nIn order to set the rate range of a hw sunxi_ccu_probe calls\nhw_to_ccu_common() assuming all entries in desc->ccu_clks are contained\nin a ccu_common struct. This assumption is incorrect and, in\nconsequence, causes invalid pointer de-references.\n\nRemove the faulty call. Instead, add one more loop that iterates over\nthe ccu_clks and sets the rate range, if required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix null pointer dereference in nouveau_connector_get_modes\n\nIn nouveau_connector_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\"\n\nPatch series \"mm: Avoid possible overflows in dirty throttling\".\n\nDirty throttling logic assumes dirty limits in page units fit into\n32-bits.  This patch series makes sure this is true (see patch 2/2 for\nmore details).\n\n\nThis patch (of 2):\n\nThis reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.\n\nThe commit is broken in several ways.  Firstly, the removed (u64) cast\nfrom the multiplication will introduce a multiplication overflow on 32-bit\narchs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the\ndefault settings with 4GB of RAM will trigger this).  Secondly, the\ndiv64_u64() is unnecessarily expensive on 32-bit archs.  We have\ndiv64_ul() in case we want to be safe & cheap.  Thirdly, if dirty\nthresholds are larger than 1<<32 pages, then dirty balancing is going to\nblow up in many other spectacular ways anyway so trying to fix one\npossible overflow is just moot.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix adding block group to a reclaim list and the unused list during reclaim\n\nThere is a potential parallel list adding for retrying in\nbtrfs_reclaim_bgs_work and adding to the unused list. Since the block\ngroup is removed from the reclaim list and it is on a relocation work,\nit can be added into the unused list in parallel. When that happens,\nadding it to the reclaim list will corrupt the list head and trigger\nlist corruption like below.\n\nFix it by taking fs_info->unused_bgs_lock.\n\n  [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104\n  [177.514][T2585409] list_del corruption. next->prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0)\n  [177.529][T2585409] ------------[ cut here ]------------\n  [177.537][T2585409] kernel BUG at lib/list_debug.c:65!\n  [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G        W          6.10.0-rc5-kts #1\n  [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022\n  [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]\n  [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72\n  [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286\n  [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000\n  [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40\n  [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08\n  [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0\n  [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000\n  [177.687][T2585409] FS:  0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000\n  [177.700][T2585409] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0\n  [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000\n  [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400\n  [177.742][T2585409] PKRU: 55555554\n  [177.748][T2585409] Call Trace:\n  [177.753][T2585409]  <TASK>\n  [177.759][T2585409]  ? __die_body.cold+0x19/0x27\n  [177.766][T2585409]  ? die+0x2e/0x50\n  [177.772][T2585409]  ? do_trap+0x1ea/0x2d0\n  [177.779][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72\n  [177.788][T2585409]  ? do_error_trap+0xa3/0x160\n  [177.795][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72\n  [177.805][T2585409]  ? handle_invalid_op+0x2c/0x40\n  [177.812][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72\n  [177.820][T2585409]  ? exc_invalid_op+0x2d/0x40\n  [177.827][T2585409]  ? asm_exc_invalid_op+0x1a/0x20\n  [177.834][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72\n  [177.843][T2585409]  btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]\n\nThere is a similar retry_list code in btrfs_delete_unused_bgs(), but it is\nsafe, AFAICS. Since the block group was in the unused list, the used bytes\nshould be 0 when it was added to the unused list. Then, it checks\nblock_group->{used,reserved,pinned} are still 0 under the\nblock_group->lock. So, they should be still eligible for the unused list,\nnot the reclaim list.\n\nThe reason it is safe there it's because because we're holding\nspace_info->groups_sem in write mode.\n\nThat means no other task can allocate from the block group, so while we\nare at deleted_unused_bgs() it's not possible for other tasks to\nallocate and deallocate extents from the block group, so it can't be\nadded to the unused list or the reclaim list by anyone else.\n\nThe bug can be reproduced by btrfs/166 after a few rounds. In practice\nthis can be hit when relocation cannot find more chunk space and ends\nwith ENOSPC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9.9"
        },
        {
          "id": "CVE-2024-42104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: add missing check for inode numbers on directory entries\n\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\n\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\n\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\n\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\n\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2's internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value.  \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs->ns_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs->ns_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: Initialize pad field in struct inet_diag_req_v2\n\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\n\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\n\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\n\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't process extts if PTP is disabled\n\nThe ice_ptp_extts_event() function can race with ice_ptp_release() and\nresult in a NULL pointer dereference which leads to a kernel panic.\n\nPanic occurs because the ice_ptp_extts_event() function calls\nptp_clock_event() with a NULL pointer. The ice driver has already\nreleased the PTP clock by the time the interrupt for the next external\ntimestamp event occurs.\n\nTo fix this, modify the ice_ptp_extts_event() function to check the\nPTP state and bail early if PTP is not ready.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rswitch: Avoid use-after-free in rswitch_poll()\n\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\n\nLet's move around the instructions to use skb->len before the skb is\nfreed.\n\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally flush pending work before notifier\n\nsyzbot reports:\n\nKASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831\nKASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530\nKASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\nRead of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45\n[..]\nWorkqueue: events nf_tables_trans_destroy_work\nCall Trace:\n nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]\n nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]\n nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597\n\nProblem is that the notifier does a conditional flush, but its possible\nthat the table-to-be-removed is still referenced by transactions being\nprocessed by the worker, so we need to flush unconditionally.\n\nWe could make the flush_work depend on whether we found a table to delete\nin nf-next to avoid the flush for most cases.\n\nAFAICS this problem is only exposed in nf-next, with\ncommit e169285f8c56 (\"netfilter: nf_tables: do not store nft_ctx in transaction objects\"),\nwith this commit applied there is an unconditional fetch of\ntable->family which is whats triggering the above splat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()\n\nThe following is emitted when using idxd (DSA) dmanegine as the data\nmover for ntb_transport that ntb_netdev uses.\n\n[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526\n[74412.556784] caller is netif_rx_internal+0x42/0x130\n[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5\n[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024\n[74412.581699] Call Trace:\n[74412.584514]  <TASK>\n[74412.586933]  dump_stack_lvl+0x55/0x70\n[74412.591129]  check_preemption_disabled+0xc8/0xf0\n[74412.596374]  netif_rx_internal+0x42/0x130\n[74412.600957]  __netif_rx+0x20/0xd0\n[74412.604743]  ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]\n[74412.610985]  ntb_complete_rxc+0xed/0x140 [ntb_transport]\n[74412.617010]  ntb_rx_copy_callback+0x53/0x80 [ntb_transport]\n[74412.623332]  idxd_dma_complete_txd+0xe3/0x160 [idxd]\n[74412.628963]  idxd_wq_thread+0x1a6/0x2b0 [idxd]\n[74412.634046]  irq_thread_fn+0x21/0x60\n[74412.638134]  ? irq_thread+0xa8/0x290\n[74412.642218]  irq_thread+0x1a0/0x290\n[74412.646212]  ? __pfx_irq_thread_fn+0x10/0x10\n[74412.651071]  ? __pfx_irq_thread_dtor+0x10/0x10\n[74412.656117]  ? __pfx_irq_thread+0x10/0x10\n[74412.660686]  kthread+0x100/0x130\n[74412.664384]  ? __pfx_kthread+0x10/0x10\n[74412.668639]  ret_from_fork+0x31/0x50\n[74412.672716]  ? __pfx_kthread+0x10/0x10\n[74412.676978]  ret_from_fork_asm+0x1a/0x30\n[74412.681457]  </TASK>\n\nThe cause is due to the idxd driver interrupt completion handler uses\nthreaded interrupt and the threaded handler is not hard or soft interrupt\ncontext. However __netif_rx() can only be called from interrupt context.\nChange the call to netif_rx() in order to allow completion via normal\ncontext for dmaengine drivers that utilize threaded irq handling.\n\nWhile the following commit changed from netif_rx() to __netif_rx(),\nbaebdf48c360 (\"net: dev: Makes sure netif_rx() can be invoked in any context.\"),\nthe change should've been a noop instead. However, the code precedes this\nfix should've been using netif_rx_ni() or netif_rx_any_context().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always do the basic checks for btrfs_qgroup_inherit structure\n\n[BUG]\nSyzbot reports the following regression detected by KASAN:\n\n  BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277\n  Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171\n\n  CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:488\n   kasan_report+0x143/0x180 mm/kasan/report.c:601\n   btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277\n   create_pending_snapshot+0x1359/0x29b0 fs/btrfs/transaction.c:1854\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1922\n   btrfs_commit_transaction+0xf20/0x3740 fs/btrfs/transaction.c:2382\n   create_snapshot+0x6a1/0x9e0 fs/btrfs/ioctl.c:875\n   btrfs_mksubvol+0x58f/0x710 fs/btrfs/ioctl.c:1029\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1075\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1340\n   btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 fs/btrfs/ioctl.c:1422\n   btrfs_ioctl+0x99e/0xc60\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:907 [inline]\n   __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fcbf1992509\n  RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509\n  RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660\n  R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e\n   </TASK>\n\nAnd it also pinned it down to commit b5357cb268c4 (\"btrfs: qgroup: do not\ncheck qgroup inherit if qgroup is disabled\").\n\n[CAUSE]\nThat offending commit skips the whole qgroup inherit check if qgroup is\nnot enabled.\n\nBut that also skips the very basic checks like\nnum_ref_copies/num_excl_copies and the structure size checks.\n\nMeaning if a qgroup enable/disable race is happening at the background,\nand we pass a btrfs_qgroup_inherit structure when the qgroup is\ndisabled, the check would be completely skipped.\n\nThen at the time of transaction commitment, qgroup is re-enabled and\nbtrfs_qgroup_inherit() is going to use the incorrect structure and\ncausing the above KASAN error.\n\n[FIX]\nMake btrfs_qgroup_check_inherit() only skip the source qgroup checks.\nSo that even if invalid btrfs_qgroup_inherit structure is passed in, we\ncan still reject invalid ones no matter if qgroup is enabled or not.\n\nFurthermore we do already have an extra safety inside\nbtrfs_qgroup_inherit(), which would just ignore invalid qgroup sources,\nso even if we only skip the qgroup source check we're still safe.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: free isb resources at the right time\n\nWhen using MSI/INTx interrupt, the shared interrupts are still being\nhandled in the device remove routine, before free IRQs. So isb memory\nis still read after it is freed. Thus move wx_free_isb_resources()\nfrom txgbe_close() to txgbe_remove(). And fix the improper isb free\naction in txgbe_open() error handling path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: initialize num_q_vectors for MSI/INTx interrupts\n\nWhen using MSI/INTx interrupts, wx->num_q_vectors is uninitialized.\nThus there will be kernel panic in wx_alloc_q_vectors() to allocate\nqueue vectors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values\n\nsyzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM\nto 2^31.\n\nWe had a similar issue in sch_fq, fixed with commit\nd9e15a273306 (\"pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM\")\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]\nModules linked in:\nirq event stamp: 131135\n hardirqs last  enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]\n hardirqs last  enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95\n hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]\n softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553\n softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19\nCPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: mld mld_ifc_work\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __list_del include/linux/list.h:195 [inline]\n pc : __list_del_entry include/linux/list.h:218 [inline]\n pc : list_move_tail include/linux/list.h:310 [inline]\n pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n lr : __list_del_entry include/linux/list.h:218 [inline]\n lr : list_move_tail include/linux/list.h:310 [inline]\n lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854\nsp : ffff800093d36700\nx29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000\nx26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0\nx23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0\nx20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0\nx17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8\nx14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc\nx2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470\nCall trace:\n  __list_del include/linux/list.h:195 [inline]\n  __list_del_entry include/linux/list.h:218 [inline]\n  list_move_tail include/linux/list.h:310 [inline]\n  fq_tin_dequeue include/net/fq_impl.h:112 [inline]\n  ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854\n  wake_tx_push_queue net/mac80211/util.c:294 [inline]\n  ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315\n  drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]\n  schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]\n  ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664\n  ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966\n  ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062\n  __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338\n  ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547\n  __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563\n  neigh_output include/net/neighbour.h:542 [inline]\n  ip6_fini\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Fix potential illegal address access in jffs2_free_inode\n\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829]   ESR = 0x96000004\n[ 2430.650115]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564]   SET = 0, FnV = 0\n[ 2430.650795]   EA = 0, S1PTW = 0\n[ 2430.651032]   FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683]   ISV = 0, ISS = 0x00000004\n[ 2430.652001]   CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528]  kfree+0x78/0x348\n[ 2430.664855]  jffs2_free_inode+0x24/0x48\n[ 2430.665233]  i_callback+0x24/0x50\n[ 2430.665528]  rcu_do_batch+0x1ac/0x448\n[ 2430.665892]  rcu_core+0x28c/0x3c8\n[ 2430.666151]  rcu_core_si+0x18/0x28\n[ 2430.666473]  __do_softirq+0x138/0x3cc\n[ 2430.666781]  irq_exit+0xf0/0x110\n[ 2430.667065]  handle_domain_irq+0x6c/0x98\n[ 2430.667447]  gic_handle_irq+0xac/0xe8\n[ 2430.667739]  call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\n\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\n\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: ASSERT when failing to find index by plane/stream id\n\n[WHY]\nfind_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns\nan array index and they return -1 when not found; however, -1 is not a\nvalid index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a positive number (which is\nfewer than callers' array size) instead.\n\nThis fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not return negative stream id for array\n\n[WHY]\nresource_stream_to_stream_idx returns an array index and it return -1\nwhen not found; however, -1 is not a valid array index number.\n\n[HOW]\nWhen this happens, call ASSERT(), and return a zero instead.\n\nThis fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip finding free audio for unknown engine_id\n\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\n\n[HOW]\nSkip and return NULL.\n\nThis fixes 2 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check pipe offset before setting vblank\n\npipe_ctx has a size of MAX_PIPES so checking its index before accessing\nthe array.\n\nThis fixes an OVERRUN issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index msg_id before read or write\n\n[WHAT]\nmsg_id is used as an array index and it cannot be a negative value, and\ntherefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).\n\n[HOW]\nCheck whether msg_id is valid before reading and setting.\n\nThis fixes 4 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix double free err_addr pointer warnings\n\nIn amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages\nwill be run many times so that double free err_addr in some special case.\nSo set the err_addr to NULL to avoid the warnings.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Make qedf_execute_tmf() non-preemptible\n\nStop calling smp_processor_id() from preemptible code in\nqedf_execute_tmf90.  This results in BUG_ON() when running an RT kernel.\n\n[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646\n[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband\n\nWe have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz\nsband will be NULL even if it is WiFi 7 chip. So, add NULL handling here\nto avoid crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\n\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\n\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\n\nWith kernel command line \"percpu_alloc=page\" we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\n\n[    1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[    1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[    1.215719] --- interrupt: 200\n[    1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[    1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[    1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\n\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix shared irq handling on driver remove\n\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: an30259a: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: mlxreg: Use devm_mutex_init() for mutex initialization\n\nIn this driver LEDs are registered using devm_led_classdev_register()\nso they are automatically unregistered after module's remove() is done.\nled_classdev_unregister() calls module's led_set_brightness() to turn off\nthe LEDs and that callback uses mutex which was destroyed already\nin module's remove() so use devm API instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits).  If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc.  Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway.  For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits.  For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc.  So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX\n\nSyzbot hit warning in hci_conn_del() caused by freeing handle that was\nnot allocated using ida allocator.\n\nThis is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by\nhci_le_big_sync_established_evt(), which makes code think it's unset\nconnection.\n\nAdd same check for handle upper bound as in hci_conn_set_handle() to\nprevent warning.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Ignore too large handle values in BIG\n\nhci_le_big_sync_established_evt is necessary to filter out cases where the\nhandle value is belonging to ida id range, otherwise ida will be erroneously\nreleased in hci_conn_cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Check if is_avq is NULL\n\n[bug]\nIn the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved\nto determine whether it is admin virtqueue, but this function vp_dev->is_avq\n may be empty. For installations, virtio_pci_legacy does not assign a value\n to vp_dev->is_avq.\n\n[fix]\nCheck whether it is vp_dev->is_avq before use.\n\n[test]\nTest with virsh Attach device\nBefore this patch, the following command would crash the guest system\n\nAfter applying the patch, everything seems to be working fine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_task: Handle SIGKILL by flushing work and exiting\n\nInstead of lingering until the device is closed, this has us handle\nSIGKILL by:\n\n1. marking the worker as killed so we no longer try to use it with\n   new virtqueues and new flush operations.\n2. setting the virtqueue to worker mapping so no new works are queued.\n3. running all the exiting works.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[  366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[  366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[  366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[  366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[  366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  366.027518] Call Trace:\n[  366.027523]  <TASK>\n[  366.027533]  dump_stack_lvl+0x93/0xd0\n[  366.027899]  handle_overflow+0x171/0x1b0\n[  366.038787] ata1.00: invalid multi_count 32 ignored\n[  366.043924]  cdrom_ioctl+0x2c3f/0x2d10\n[  366.063932]  ? __pm_runtime_resume+0xe6/0x130\n[  366.071923]  sr_block_ioctl+0x15d/0x1d0\n[  366.074624]  ? __pfx_sr_block_ioctl+0x10/0x10\n[  366.077642]  blkdev_ioctl+0x419/0x500\n[  366.080231]  ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file\n\nIn case of invalid INI file mlxsw_linecard_types_init() deallocates memory\nbut doesn't reset pointer to NULL and returns 0. In case of any error\noccurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init()\ncalls mlxsw_linecard_types_fini() which performs memory deallocation again.\n\nAdd pointer reset to NULL.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper extts handling\n\nExtts events are disabled and enabled by the application ts2phc.\nHowever, in case where the driver is removed when the application is\nrunning, a specific extts event remains enabled and can cause a kernel\ncrash.\nAs a side effect, when the driver is reloaded and application is started\nagain, remaining extts event for the channel from a previous run will\nkeep firing and the message \"extts on unexpected channel\" might be\nprinted to the user.\n\nTo avoid that, extts events shall be disabled when PTP is released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kexec: Avoid deadlock in kexec crash path\n\nIf the kexec crash code is called in the interrupt context, the\nmachine_kexec_mask_interrupts() function will trigger a deadlock while\ntrying to acquire the irqdesc spinlock and then deactivate irqchip in\nirq_set_irqchip_state() function.\n\nUnlike arm64, riscv only requires irq_eoi handler to complete EOI and\nkeeping irq_set_irqchip_state() will only leave this possible deadlock\nwithout any use. So we simply remove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Check socket flag instead of hcon\n\nThis fixes the following Smatch static checker warning:\n\nnet/bluetooth/iso.c:1364 iso_sock_recvmsg()\nerror: we previously assumed 'pi->conn->hcon' could be null (line 1359)\n\nnet/bluetooth/iso.c\n1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,\n1348                             size_t len, int flags)\n1349 {\n1350         struct sock *sk = sock->sk;\n1351         struct iso_pinfo *pi = iso_pi(sk);\n1352\n1353         BT_DBG(\"sk %p\", sk);\n1354\n1355         if (test_and_clear_bit(BT_SK_DEFER_SETUP,\n                                      &bt_sk(sk)->flags)) {\n1356                 lock_sock(sk);\n1357                 switch (sk->sk_state) {\n1358                 case BT_CONNECT2:\n1359                         if (pi->conn->hcon &&\n                                     ^^^^^^^^^^^^^^ If ->hcon is NULL\n\n1360                             test_bit(HCI_CONN_PA_SYNC,\n                                         &pi->conn->hcon->flags)) {\n1361                                 iso_conn_big_sync(sk);\n1362                                 sk->sk_state = BT_LISTEN;\n1363                         } else {\n--> 1364                         iso_conn_defer_accept(pi->conn->hcon);\n                                                       ^^^^^^^^^^^^^^\n                                                       then we're toast\n\n1365                                 sk->sk_state = BT_CONFIG;\n1366                         }\n1367                         release_sock(sk);\n1368                         return 0;\n1369                 case BT_CONNECTED:\n1370                         if (test_bit(BT_SK_PA_SYNC,",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-switch, Create ingress ACL when needed\n\nCurrently, ingress acl is used for three features. It is created only\nwhen vport metadata match and prio tag are enabled. But active-backup\nlag mode also uses it. It is independent of vport metadata match and\nprio tag. And vport metadata match can be disabled using the\nfollowing devlink command:\n\n # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\\n\tvalue false cmode runtime\n\nIf ingress acl is not created, will hit panic when creating drop rule\nfor active-backup lag mode. If always create it, there will be about\n5% performance degradation.\n\nFix it by creating ingress acl when needed. If esw_port_metadata is\ntrue, ingress acl exists, then create drop rule using existing\ningress acl. If esw_port_metadata is false, create ingress acl and\nthen create drop rule.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Implement a limit on UMAD receive List\n\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\n\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\n\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf\n\nAny kunit doing any memory access should get their own runtime_pm\nouter references since they don't use the standard driver API\nentries. In special this dma_buf from the same driver.\n\nFound by pre-merge CI on adding WARN calls for unprotected\ninner callers:\n\n<6> [318.639739]     # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver\n<4> [318.639957] ------------[ cut here ]------------\n<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection\n<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/debugfs - Fix debugfs uninit process issue\n\nDuring the zip probe process, the debugfs failure does not stop\nthe probe. When debugfs initialization fails, jumping to the\nerror branch will also release regs, in addition to its own\nrollback operation.\n\nAs a result, it may be released repeatedly during the regs\nuninit process. Therefore, the null check needs to be added to\nthe regs uninit process.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnx2x: Fix multiple UBSAN array-index-out-of-bounds\n\nFix UBSAN warnings that occur when using a system with 32 physical\ncpu cores or more, or when the user defines a number of Ethernet\nqueues greater than or equal to FP_SB_MAX_E1x using the num_queues\nmodule parameter.\n\nCurrently there is a read/write out of bounds that occurs on the array\n\"struct stats_query_entry query\" present inside the \"bnx2x_fw_stats_req\"\nstruct in \"drivers/net/ethernet/broadcom/bnx2x/bnx2x.h\".\nLooking at the definition of the \"struct stats_query_entry query\" array:\n\nstruct stats_query_entry query[FP_SB_MAX_E1x+\n         BNX2X_FIRST_QUEUE_QUERY_IDX];\n\nFP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and\nhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3\nmeaning the array has a total size of 19.\nSince accesses to \"struct stats_query_entry query\" are offset-ted by\nBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet\nqueues should not exceed FP_SB_MAX_E1x (16). However one of these queues\nis reserved for FCOE and thus the number of Ethernet queues should be set\nto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if\nit is not.\n\nThis is also described in a comment in the source code in\ndrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition\nof FP_SB_MAX_E1x. Below is the part of this explanation that is important\nfor this patch\n\n/*\n  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is\n  * control by the number of fast-path status blocks supported by the\n  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default\n  * status block represents an independent interrupts context that can\n  * serve a regular L2 networking queue. However special L2 queues such\n  * as the FCoE queue do not require a FP-SB and other components like\n  * the CNIC may consume FP-SB reducing the number of possible L2 queues\n  *\n  * If the maximum number of FP-SB available is X then:\n  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of\n  *    regular L2 queues is Y=X-1\n  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)\n  * c. If the FCoE L2 queue is supported the actual number of L2 queues\n  *    is Y+1\n  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for\n  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional\n  *    FP interrupt context for the CNIC).\n  * e. The number of HW context (CID count) is always X or X+1 if FCoE\n  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.\n  */\n\nHowever this driver also supports NICs that use the E2 controller which can\nhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.\nLooking at the commits when the E2 support was added, it was originally\nusing the E1x parameters: commit f2e0899f0f27 (\"bnx2x: Add 57712 support\").\nBack then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver\nwas later updated to take full advantage of the E2 instead of having it be\nlimited to the capabilities of the E1x. But as far as we can tell, the\narray \"stats_query_entry query\" was still limited to using the FP-SB\navailable to the E1x cards as part of an oversight when the driver was\nupdated to take full advantage of the E2, and now with the driver being\naware of the greater queue size supported by E2 NICs, it causes the UBSAN\nwarnings seen in the stack traces below.\n\nThis patch increases the size of the \"stats_query_entry query\" array by\nreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle\nboth types of NICs.\n\nStack traces:\n\nUBSAN: array-index-out-of-bounds in\n       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11\nindex 20 is out of range for type 'stats_query_entry [19]'\nCPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic\n\t     #202405052133\nHardware name: HP ProLiant DL360 Gen9/ProLiant DL360 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: don't misleadingly warn during thaw operations\n\nThe block device may have been frozen before it was claimed by a\nfilesystem. Concurrently another process might try to mount that\nfrozen block device and has temporarily claimed the block device for\nthat purpose causing a concurrent fs_bdev_thaw() to end up here. The\nmounter is already about to abort mounting because they still saw an\nelevated bdev->bd_fsfreeze_count so get_bdev_super() will return\nNULL in that case.\n\nFor example, P1 calls dm_suspend() which calls into bdev_freeze() before\nthe block device has been claimed by the filesystem. This brings\nbdev->bd_fsfreeze_count to 1 and no call into fs_bdev_freeze() is\nrequired.\n\nNow P2 tries to mount that frozen block device. It claims it and checks\nbdev->bd_fsfreeze_count. As it's elevated it aborts mounting.\n\nIn the meantime P3 called dm_resume(). P3 sees that the block device is\nalready claimed by a filesystem and calls into fs_bdev_thaw().\n\nP3 takes a passive reference and realizes that the filesystem isn't\nready yet. P3 puts itself to sleep to wait for the filesystem to become\nready.\n\nP2 now puts the last active reference to the filesystem and marks it as\ndying. P3 gets woken, sees that the filesystem is dying and\nget_bdev_super() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: remove separate irq request for MSI and INTx\n\nWhen using MSI or INTx interrupts, request_irq() for pdev->irq will\nconflict with request_threaded_irq() for txgbe->misc.irq, to cause\nsystem crash. So remove txgbe_request_irq() for MSI/INTx case, and\nrename txgbe_request_msix_irqs() since it only request for queue irqs.\n\nAdd wx->misc_irq_domain to determine whether the driver creates an IRQ\ndomain and threaded request the IRQs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable\n\nTest case dummy_st_ops/dummy_init_ret_value passes NULL as the first\nparameter of the test_1() function. Mark this parameter as nullable to\nmake verifier aware of such possibility.\nOtherwise, NULL check in the test_1() code:\n\n      SEC(\"struct_ops/test_1\")\n      int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)\n      {\n            if (!state)\n                    return ...;\n\n            ... access state ...\n      }\n\nMight be removed by verifier, thus triggering NULL pointer dereference\nunder certain conditions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight requests have\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simultaneously, creating a delay in allocating a ctrl\nleading up to this race window.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr\n\nWhen del_timer_sync() is called in an interrupt context it throws a warning\nbecause of potential deadlock. The timer is used only to exit from\nwait_for_completion() after a timeout so replacing the call with\nwait_for_completion_timeout() allows to remove the problematic timer and\nits related functions altogether.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn't have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated).",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of protected- and secure-keys\n\nAlthough the clear-key of neither protected- nor secure-keys is\naccessible, this key material should only be visible to the calling\nprocess. So wipe all copies of protected- or secure-keys from stack,\neven in case of an error.",
          "scorev2": "0.0",
          "scorev3": "1.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe copies of clear-key structures on failure\n\nWipe all sensitive data from stack for all IOCTLs, which convert a\nclear-key into a protected- or secure-key.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Wipe sensitive data on failure\n\nWipe sensitive data from stack also if the copy_to_user() fails.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Use kfree_sensitive() to fix Coccinelle warnings\n\nReplace memzero_explicit() and kfree() with kfree_sensitive() to fix\nwarnings reported by Coccinelle:\n\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)\nWARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Sanitise num_phys\n\nInformation is stored in mr_sas_port->phy_mask, values larger than size of\nthis field shouldn't be allowed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check validation of fault attrs in f2fs_build_fault_attr()\n\n- It missed to check validation of fault attrs in parse_options(),\nlet's fix to add check condition in f2fs_build_fault_attr().\n- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD\n\n[Changes from V1:\n - Use a default branch in the switch statement to initialize `val'.]\n\nGCC warns that `val' may be used uninitialized in the\nBPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:\n\n\t[...]\n\tunsigned long long val;\t\t\t\t\t\t      \\\n\t[...]\t\t\t\t\t\t\t\t      \\\n\tswitch (__CORE_RELO(s, field, BYTE_SIZE)) {\t\t\t      \\\n\tcase 1: val = *(const unsigned char *)p; break;\t\t\t      \\\n\tcase 2: val = *(const unsigned short *)p; break;\t\t      \\\n\tcase 4: val = *(const unsigned int *)p; break;\t\t\t      \\\n\tcase 8: val = *(const unsigned long long *)p; break;\t\t      \\\n        }       \t\t\t\t\t\t\t      \\\n\t[...]\n\tval;\t\t\t\t\t\t\t\t      \\\n\t}\t\t\t\t\t\t\t\t      \\\n\nThis patch adds a default entry in the switch statement that sets\n`val' to zero in order to avoid the warning, and random values to be\nused in case __builtin_preserve_field_info returns unexpected values\nfor BPF_FIELD_BYTE_SIZE.\n\nTested in bpf-next master.\nNo regressions.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Account for stopped queues when reading NIC stats\n\nWe now account for the fact that the NIC might send us stats for a\nsubset of queues. Without this change, gve_get_ethtool_stats might make\nan invalid access on the priv->stats_report->stats array.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: tda10048: Fix integer overflow\n\nstate->xtal_hz can be up to 16M, so it can overflow a 32 bit integer\nwhen multiplied by pll_mfactor.\n\nCreate a new 64 bit variable to hold the calculations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Correct check for empty list\n\nSince commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\") mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\n\nThis appears to be intended to guard against the list chip->mdios being\nempty.  However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\n\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\n\nFlagged by Smatch.\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix overlapping copy within dml_core_mode_programming\n\n[WHY]\n&mode_lib->mp.Watermark and &locals->Watermark are\nthe same address. memcpy may lead to unexpected behavior.\n\n[HOW]\nmemmove should be used.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n   need to have a separate value of 0xffffffff.(Christian)",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead,cipher - zeroize key buffer after use\n\nI.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding\ncryptographic information should be zeroized once they are no longer\nneeded. Accomplish this by using kfree_sensitive for buffers that\npreviously held the private key.",
          "scorev2": "0.0",
          "scorev3": "4.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn't easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix calc_available_free_space() for zoned mode\n\ncalc_available_free_space() returns the total size of metadata (or\nsystem) block groups, which can be allocated from unallocated disk\nspace. The logic is wrong on zoned mode in two places.\n\nFirst, the calculation of data_chunk_size is wrong. We always allocate\none zone as one chunk, and no partial allocation of a zone. So, we\nshould use zone_size (= data_sinfo->chunk_size) as it is.\n\nSecond, the result \"avail\" may not be zone aligned. Since we always\nallocate one zone as one chunk on zoned mode, returning non-zone size\naligned bytes will result in less pressure on the async metadata reclaim\nprocess.\n\nThis is serious for the nearly full state with a large zone size device.\nAllowing over-commit too much will result in less async reclaim work and\nend up in ENOSPC. We can align down to the zone size to avoid that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting().  Both of\nthese can requeue the delayed work which wouldn't be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn't mess with the delayed work in order\nto avoid interfering with the hunting interval logic.  This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon < 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc->auth and monc->monmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc->cur_mon and monc->hunting as part of closing the session\n  in ceph_monc_stop()\n- bail from delayed_work() if monc->cur_mon is cleared, similar to how\n  it's done in mon_fault() and finish_hunting() (based on monc->hunting)\n- call cancel_delayed_work_sync() after the session is closed",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: replace pte_offset_map() with pte_offset_map_nolock()\n\nThe vmf->ptl in filemap_fault_recheck_pte_none() is still set from\nhandle_pte_fault().  But at the same time, we did a pte_unmap(vmf->pte). \nAfter a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table\nmay be racily changed and vmf->ptl may fail to protect the actual page\ntable.  Fix this by replacing pte_offset_map() with\npte_offset_map_nolock().\n\nAs David said, the PTL pointer might be stale so if we continue to use\nit in filemap_fault_recheck_pte_none(), it might trigger UAF.  Also, if\nthe PTL fails, the issue fixed by commit 58f327f2ce80 (\"filemap: avoid\nunnecessary major faults in filemap_fault()\") might reappear.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix crashes from deferred split racing folio migration\n\nEven on 6.10-rc6, I've been seeing elusive \"Bad page state\"s (often on\nflags when freeing, yet the flags shown are not bad: PG_locked had been\nset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from\ndeferred_split_scan()'s folio_put(), and a variety of other BUG and WARN\nsymptoms implying double free by deferred split and large folio migration.\n\n6.7 commit 9bcef5973e31 (\"mm: memcg: fix split queue list crash when large\nfolio migration\") was right to fix the memcg-dependent locking broken in\n85ce2c517ade (\"memcontrol: only transfer the memcg data for migration\"),\nbut missed a subtlety of deferred_split_scan(): it moves folios to its own\nlocal list to work on them without split_queue_lock, during which time\nfolio->_deferred_list is not empty, but even the \"right\" lock does nothing\nto secure the folio and the list it is on.\n\nFortunately, deferred_split_scan() is careful to use folio_try_get(): so\nfolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()\nwhile the old folio's reference count is temporarily frozen to 0 - adding\nsuch a freeze in the !mapping case too (originally, folio lock and\nunmapping and no swap cache left an anon folio unreachable, so no freezing\nwas needed there: but the deferred split queue offers a way to reach it).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Add NULL pointer check to crst_table_free() base_crst_free()\n\ncrst_table_free() used to work with NULL pointers before the conversion\nto ptdescs.  Since crst_table_free() can be called with a NULL pointer\n(error handling in crst_table_upgrade()) add an explicit check.\n\nAlso add the same check to base_crst_free() for consistency reasons.\n\nIn real life this should not happen, since order two GFP_KERNEL\nallocations will not fail, unless FAIL_PAGE_ALLOC is enabled and used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\n\nUserspace provided string 's' could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == '\\n')` followed closely by an OOB write in the form\n`str[0 - 1] = '\\0'`.\n\nThere is already a validating check to catch strings that are too long.\nLet's supply an additional check for invalid strings that are too short.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Validate payload length before processing block\n\nMove the payload length check in cs_dsp_load() and cs_dsp_coeff_load()\nto be done before the block is processed.\n\nThe check that the length of a block payload does not exceed the number\nof remaining bytes in the firmware file buffer was being done near the\nend of the loop iteration. However, some code before that check used the\nlength field without validating it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Return error if block header overflows file\n\nReturn an error from cs_dsp_power_up() if a block header is longer\nthan the amount of data left in the file.\n\nThe previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop\nwhile there was enough data left in the file for a valid region. This\nprotected against overrunning the end of the file data, but it didn't\nabort the file processing with an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequest's t->cancelling assignment to true, to ensure the callback\nexecuting in parallel observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n  $ cat sysenter_step.c\n  int main()\n  { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n  $ gcc -o sysenter_step sysenter_step.c\n\n  $ ./sysenter_step\n  Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n  WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n  ...\n  RIP: 0010:exc_debug_kernel+0xd2/0x160\n  ...\n  Call Trace:\n  <#DB>\n   ? show_regs+0x68/0x80\n   ? __warn+0x8c/0x140\n   ? exc_debug_kernel+0xd2/0x160\n   ? report_bug+0x175/0x1a0\n   ? handle_bug+0x44/0x90\n   ? exc_invalid_op+0x1c/0x70\n   ? asm_exc_invalid_op+0x1f/0x30\n   ? exc_debug_kernel+0xd2/0x160\n   exc_debug+0x43/0x50\n   asm_exc_debug+0x1e/0x40\n  RIP: 0010:clear_bhb_loop+0x0/0xb0\n  ...\n  </#DB>\n  <TASK>\n   ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n  </TASK>\n\n  [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem: disable PMD-sized page cache if needed\n\nFor shmem files, it's possible that PMD-sized page cache can't be\nsupported by xarray.  For example, 512MB page cache on ARM64 when the base\npage size is 64KB can't be supported by xarray.  It leads to errors as the\nfollowing messages indicate when this sort of xarray entry is split.\n\nWARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6   \\\nnft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject        \\\nnft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4  \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs  \\\nlibcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \\\nnet_failover virtio_console virtio_blk failover dimlib virtio_mmio\nCPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff8000882af5f0\nx29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768\nx26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c\nx8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0\nx5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n shmem_undo_range+0x2bc/0x6a8\n shmem_fallocate+0x134/0x430\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger\nthan MAX_PAGECACHE_ORDER.  As Matthew Wilcox pointed out, the page cache in a\nshmem file isn't represented by a multi-index entry and doesn't have this\nlimitation when the xarray entry is split until commit 6b24ca4a1a8d (\"mm:\nUse multi-index entries in the page cache\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE\n\nblk_queue_max_segment_size() ensured:\n\n\tif (max_size < PAGE_SIZE)\n\t\tmax_size = PAGE_SIZE;\n\nwhereas:\n\nblk_validate_limits() makes it an error:\n\n\tif (WARN_ON_ONCE(lim->max_segment_size < PAGE_SIZE))\n\t\treturn -EINVAL;\n\nThe change from one to the other, exposed sdhci which was setting maximum\nsegment size too low in some circumstances.\n\nFix the maximum segment size when it is too low.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can't support arbitrary page cache size.  More details\ncan be found from the WARN_ON() statement in xas_split_alloc().  In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB.  The issue\nwas reported a long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed.  The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n#include <fcntl.h>\n#include <errno.h>\n#include <sys/syscall.h>\n#include <sys/mman.h>\n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc > 1 && !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd < 0) {\n\t\tfprintf(stderr, \"Unable to open <%s>\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t   PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap <%s>\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n        if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n        \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize:       64 kB\n# ./test shmem\n   :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib  \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct    \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4    \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon          \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64  \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n         resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"sched/fair: Make sure to try to detach at least one movable task\"\n\nThis reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.\n\nb0defa7ae03ec changed the load balancing logic to ignore env.max_loop if\nall tasks examined to that point were pinned. The goal of the patch was\nto make it more likely to be able to detach a task buried in a long list\nof pinned tasks. However, this has the unfortunate side effect of\ncreating an O(n) iteration in detach_tasks(), as we now must fully\niterate every task on a cpu if all or most are pinned. Since this load\nbalance code is done with rq lock held, and often in softirq context, it\nis very easy to trigger hard lockups. We observed such hard lockups with\na user who affined O(10k) threads to a single cpu.\n\nWhen I discussed this with Vincent he initially suggested that we keep\nthe limit on the number of tasks to detach, but increase the number of\ntasks we can search. However, after some back and forth on the mailing\nlist, he recommended we instead revert the original patch, as it seems\nlikely no one was actually getting hit by the original issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket\n\nWhen using a BPF program on kernel_connect(), the call can return -EPERM. This\ncauses xs_tcp_setup_socket() to loop forever, filling up the syslog and causing\nthe kernel to potentially freeze up.\n\nNeil suggested:\n\n  This will propagate -EPERM up into other layers which might not be ready\n  to handle it. It might be safer to map EPERM to an error we would be more\n  likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.\n\nECONNREFUSED as error seems reasonable. For programs setting a different error\ncan be out of reach (see handling in 4fbac77d2d09) in particular on kernels\nwhich do not have f10d05966196 (\"bpf: Make BPF_PROG_RUN_ARRAY return -err\ninstead of allow boolean\"), thus given that it is better to simply remap for\nconsistent behavior. UDP does handle EPERM in xs_udp_send_request().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: allowedips: avoid unaligned 64-bit memory accesses\n\nOn the parisc platform, the kernel issues kernel warnings because\nswap_endian() tries to load a 128-bit IPv6 address from an unaligned\nmemory location:\n\n Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)\n Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)\n\nAvoid such unaligned memory accesses by instead using the\nget_unaligned_be64() helper macro.\n\n[Jason: replace src[8] in original patch with src+8]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ma35d1: Add a NULL check for of_node\n\nThe pdev->dev.of_node can be NULL if the \"serial\" node is absent.\nAdd a NULL check to return an error in such cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: don't unoptimize message in spi_async()\n\nCalling spi_maybe_unoptimize_message() in spi_async() is wrong because\nthe message is likely to be in the queue and not transferred yet. This\ncan corrupt the message while it is being used by the controller driver.\n\nspi_maybe_unoptimize_message() is already called in the correct place\nin spi_finalize_current_message() to balance the call to\nspi_maybe_optimize_message() in spi_async().",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add missing lock protection when polling\n\nAdd missing lock protection in poll routine when iterating xarray,\notherwise:\n\nEven with RCU read lock held, only the slot of the radix tree is\nensured to be pinned there, while the data structure (e.g. struct\ncachefiles_req) stored in the slot has no such guarantee.  The poll\nroutine will iterate the radix tree and dereference cachefiles_req\naccordingly.  Thus RCU read lock is not adequate in this case and\nspinlock is needed here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: page_ref: remove folio_try_get_rcu()\n\nThe below bug was reported on a non-SMP kernel:\n\n[  275.267158][ T4335] ------------[ cut here ]------------\n[  275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275!\n[  275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI\n[  275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1\n[  275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[  275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[  275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202\n[  275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000\n[  275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034\n[  275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006\n[  275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136\n[  275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008\n[  275.276790][ T4335] FS:  00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000\n[  275.277570][ T4335] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0\n[  275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  275.280201][ T4335] Call Trace:\n[  275.280499][ T4335]  <TASK>\n[ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\n[ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153)\n[ 275.281463][ T4335] ? 
try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174)\n[ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212)\n[ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264)\n[ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568)\n[ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3))\n[ 275.285278][ T4335] try_grab_folio (mm/gup.c:148)\n[ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1))\n[ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188)\n[ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825)\n[ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1))\n[ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209)\n[ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204)\n[ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722)\n[ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106)\n[ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350)\n[ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350)\n[ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1))\n[ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573)\n[ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360\n[ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10\n[ 275.292471][ T4335] ? 
mm_access (kernel/fork.c:1573)\n[ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0\n[ 275.293384][ T4335] ? hlock_class (a\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclosures: Change BUG_ON() to WARN_ON()\n\nIf a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON()\n\nFor reference, this has popped up once in the CI, and we'll need more\ninfo to debug it:\n\n03240 ------------[ cut here ]------------\n03240 kernel BUG at lib/closure.c:21!\n03240 kernel BUG at lib/closure.c:21!\n03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n03240 Modules linked in:\n03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570\n03240 Hardware name: linux,dummy-virt (DT)\n03240 Workqueue: btree_update btree_interior_update_work\n03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n03240 pc : closure_put+0x224/0x2a0\n03240 lr : closure_put+0x24/0x2a0\n03240 sp : ffff0000d12071c0\n03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360\n03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040\n03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168\n03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001\n03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974\n03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d\n03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e\n03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b\n03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954\n03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000\n03240 Call trace:\n03240  closure_put+0x224/0x2a0\n03240  bch2_check_for_deadlock+0x910/0x1028\n03240  bch2_six_check_for_deadlock+0x1c/0x30\n03240  six_lock_slowpath.isra.0+0x29c/0xed0\n03240  six_lock_ip_waiter+0xa8/0xf8\n03240  __bch2_btree_node_lock_write+0x14c/0x298\n03240  bch2_trans_lock_write+0x6d4/0xb10\n03240  __bch2_trans_commit+0x135c/0x5520\n03240  
btree_interior_update_work+0x1248/0x1c10\n03240  process_scheduled_works+0x53c/0xd90\n03240  worker_thread+0x370/0x8c8\n03240  kthread+0x258/0x2e8\n03240  ret_from_fork+0x10/0x20\n03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000)\n03240 ---[ end trace 0000000000000000 ]---\n03240 Kernel panic - not syncing: Oops - BUG: Fatal exception\n03240 SMP: stopping secondary CPUs\n03241 SMP: failed to stop secondary CPUs 13,15\n03241 Kernel Offset: disabled\n03241 CPU features: 0x00,00000003,80000008,4240500b\n03241 Memory Limit: none\n03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]---\n03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: pca953x: fix pca953x_irq_bus_sync_unlock race\n\nEnsure that `i2c_lock' is held when setting interrupt latch and mask in\npca953x_irq_bus_sync_unlock() in order to avoid races.\n\nThe other (non-probe) call site pca953x_gpio_set_multiple() ensures the\nlock is held before calling pca953x_write_regs().\n\nThe problem occurred when a request raced against irq_bus_sync_unlock()\napproximately once per thousand reboots on an i.MX8MP based system.\n\n * Normal case\n\n   0-0022: write register AI|3a {03,02,00,00,01} Input latch P0\n   0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0\n   0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n   0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n\n * Race case\n\n   0-0022: write register AI|08 {ff,00,00,00,00} Output P3\n   0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***\n   0-0022: write register AI|12 {fc,00,00,00,00} Config P3\n   0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-42254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix error pbuf checking\n\nSyz reports a problem, which boils down to NULL vs IS_ERR inconsistent\nerror handling in io_alloc_pbuf_ring().\n\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341\nCall Trace:\n <TASK>\n io_put_bl io_uring/kbuf.c:378 [inline]\n io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392\n io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613\n io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844\n process_one_work kernel/workqueue.c:3231 [inline]\n process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n worker_thread+0x86d/0xd40 kernel/workqueue.c:3390\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Use auth only after NULL check in tpm_buf_check_hmac_response()\n\nDereference auth after NULL check in tpm_buf_check_hmac_response().\nOtherwise, unless tpm2_sessions_init() was called, a call can cause NULL\ndereference, when TCG_TPM2_HMAC is enabled.\n\n[jarkko: adjusted the commit message.]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix server re-repick on subrequest retry\n\nWhen a subrequest is marked for needing retry, netfs will call\ncifs_prepare_write() which will make cifs repick the server for the op\nbefore renegotiating credits; it then calls cifs_issue_write() which\ninvokes smb2_async_writev() - which re-repicks the server.\n\nIf a different server is then selected, this causes the increment of\nserver->in_flight to happen against one record and the decrement to happen\nagainst another, leading to misaccounting.\n\nFix this by just removing the repick code in smb2_async_writev().  As this\nis only called from netfslib-driven code, cifs_prepare_write() should\nalways have been called first, and so server should never be NULL and the\npreparatory step is repeated in the event that we do a retry.\n\nThe problem manifests as a warning looking something like:\n\n WARNING: CPU: 4 PID: 72896 at fs/smb/client/smb2ops.c:97 smb2_add_credits+0x3f0/0x9e0 [cifs]\n ...\n RIP: 0010:smb2_add_credits+0x3f0/0x9e0 [cifs]\n ...\n  smb2_writev_callback+0x334/0x560 [cifs]\n  cifs_demultiplex_thread+0x77a/0x11b0 [cifs]\n  kthread+0x187/0x1d0\n  ret_from_fork+0x34/0x60\n  ret_from_fork_asm+0x1a/0x30\n\nWhich may be triggered by a number of different xfstests running against an\nAzure server in multichannel mode.  generic/249 seems the most repeatable,\nbut generic/215, generic/249 and generic/308 may also show it.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: use memtostr_pad() for s_volume_name\n\nAs with the other strings in struct ext4_super_block, s_volume_name is\nnot NUL terminated. The other strings were marked in commit 072ebb3bffe6\n(\"ext4: add nonstring annotations to ext4.h\"). Using strscpy() isn't\nthe right replacement for strncpy(); it should use memtostr_pad()\ninstead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines\n\nYves-Alexis Perez reported commit 4ef9ad19e176 (\"mm: huge_memory: don't\nforce huge page alignment on 32 bit\") didn't work for x86_32 [1].  It is\nbecause x86_32 uses CONFIG_X86_32 instead of CONFIG_32BIT.\n\n!CONFIG_64BIT should cover all 32 bit machines.\n\n[1] https://lore.kernel.org/linux-mm/CAHbLzkr1LwH3pcTgM+aGQ31ip2bKqiqEQ8=FQB+t2c3dhNKNHA@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix Virtual Memory mapping boundaries calculation\n\nCalculating the size of the mapped area as the lesser value\nbetween the requested size and the actual size does not consider\nthe partial mapping offset. This can cause page fault access.\n\nFix the calculation of the starting and ending addresses, the\ntotal size is now deduced from the difference between the end and\nstart addresses.\n\nAdditionally, the calculations have been rewritten in a clearer\nand more understandable form.\n\n[Joonas: Add Requires: tag]\nRequires: 60a2066c5005 (\"drm/i915/gem: Adjust vma offset for framebuffer mmap offset\")\n(cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Validate passed in drm syncobj handles in the performance extension\n\nIf userspace provides an unknown or invalid handle anywhere in the handle\narray the rest of the driver will not handle that well.\n\nFix it by checking handle was looked up successfully or otherwise fail the\nextension by jumping into the existing unwind.\n\n(cherry picked from commit a546b7e4d73c23838d7e4d2c92882b3ca902d213)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Validate passed in drm syncobj handles in the timestamp extension\n\nIf userspace provides an unknown or invalid handle anywhere in the handle\narray the rest of the driver will not handle that well.\n\nFix it by checking handle was looked up successfully or otherwise fail the\nextension by jumping into the existing unwind.\n\n(cherry picked from commit 8d1276d1b8f738c3afe1457d4dff5cc66fc848a3)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix potential memory leak in the performance extension\n\nIf fetching of userspace memory fails during the main loop, all drm sync\nobjs looked up until that point will be leaked because of the missing\ndrm_syncobj_put.\n\nFix it by exporting and using a common cleanup helper.\n\n(cherry picked from commit 484de39fa5f5b7bd0c5f2e2c5265167250ef7501)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix potential memory leak in the timestamp extension\n\nIf fetching of userspace memory fails during the main loop, all drm sync\nobjs looked up until that point will be leaked because of the missing\ndrm_syncobj_put.\n\nFix it by exporting and using a common cleanup helper.\n\n(cherry picked from commit 753ce4fea62182c77e1691ab4f9022008f25b62e)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Prevent out of bounds access in performance query extensions\n\nCheck that the number of perfmons userspace is passing in the copy and\nreset extensions is not greater than the internal kernel storage where\nthe ids will be copied into.\n\n(cherry picked from commit f32b5128d2c440368b5bf3a7a356823e235caabb)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nprotect the fetch of ->fd[fd] in do_dup2() from mispredictions\n\nboth callers have verified that fd is not greater than ->max_fds;\nhowever, misprediction might end up with\n        tofree = fdt->fd[fd];\nbeing speculatively executed.  That's wrong for the same reasons\nwhy it's wrong in close_fd()/file_close_fd_locked(); the same\nsolution applies - array_index_nospec(fd, fdt->max_fds) could differ\nfrom fd only in case of speculative execution on mispredicted path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make cow_file_range_inline() honor locked_page on error\n\nThe btrfs buffered write path runs through __extent_writepage() which\nhas some tricky return value handling for writepage_delalloc().\nSpecifically, when that returns 1, we exit, but for other return values\nwe continue and end up calling btrfs_folio_end_all_writers(). If the\nfolio has been unlocked (note that we check the PageLocked bit at the\nstart of __extent_writepage()), this results in an assert panic like\nthis one from syzbot:\n\n  BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure\n  BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction.\n  BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure\n  assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/subpage.c:871!\n  Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n  CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted\n  6.10.0-syzkaller-05505-gb1bc554e009e #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS\n  Google 06/27/2024\n  RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871\n  Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d\n  0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8\n  6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89\n  RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246\n  RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00\n  RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\n  RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc\n  R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001\n  R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80\n  FS:  0000000000000000(0000) GS:ffff8880b9500000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n  <TASK>\n  __extent_writepage fs/btrfs/extent_io.c:1597 [inline]\n  extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline]\n  btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373\n  do_writepages+0x359/0x870 mm/page-writeback.c:2656\n  filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n  __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n  __filemap_fdatawrite mm/filemap.c:436 [inline]\n  filemap_flush+0xdf/0x130 mm/filemap.c:463\n  btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547\n  __fput+0x24a/0x8a0 fs/file_table.c:422\n  task_work_run+0x24f/0x310 kernel/task_work.c:222\n  exit_task_work include/linux/task_work.h:40 [inline]\n  do_exit+0xa2f/0x27f0 kernel/exit.c:877\n  do_group_exit+0x207/0x2c0 kernel/exit.c:1026\n  __do_sys_exit_group kernel/exit.c:1037 [inline]\n  __se_sys_exit_group kernel/exit.c:1035 [inline]\n  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035\n  x64_sys_call+0x2634/0x2640\n  arch/x86/include/generated/asm/syscalls_64.h:232\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5f075b70c9\n  Code: Unable to access opcode bytes at\n  0x7f5f075b709f.\n\nI was hitting the same issue by doing hundreds of accelerated runs of\ngeneric/475, which also hits IO errors by design.\n\nI instrumented that reproducer with bpftrace and found that the\nundesirable folio_unlock was coming from the following callstack:\n\n  folio_unlock+5\n  __process_pages_contig+475\n  cow_file_range_inline.constprop.0+230\n  cow_file_range+803\n  btrfs_run_delalloc_range+566\n  writepage_delalloc+332\n  __extent_writepage # inlined in my stacktrace, but I added it here\n  extent_write_cache_pages+622\n\nLooking at the bisected-to pa\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()\n\nHandle VM_FAULT_SIGSEGV in the page fault path so that we correctly\nkill the process and we don't BUG() the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix missing lock on sync reset reload\n\nOn sync reset reload work, when remote host updates devlink on reload\nactions performed on that host, it misses taking devlink lock before\ncalling devlink_remote_reload_actions_performed() which results in\ntriggering lock assert like the following:\n\nWARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50\n\u2026\n CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S      W          6.10.0-rc2+ #116\n Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015\n Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]\n RIP: 0010:devl_assert_locked+0x3e/0x50\n\u2026\n Call Trace:\n  <TASK>\n  ? __warn+0xa4/0x210\n  ? devl_assert_locked+0x3e/0x50\n  ? report_bug+0x160/0x280\n  ? handle_bug+0x3f/0x80\n  ? exc_invalid_op+0x17/0x40\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? devl_assert_locked+0x3e/0x50\n  devlink_notify+0x88/0x2b0\n  ? mlx5_attach_device+0x20c/0x230 [mlx5_core]\n  ? __pfx_devlink_notify+0x10/0x10\n  ? process_one_work+0x4b6/0xbb0\n  process_one_work+0x4b6/0xbb0\n[\u2026]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().\n\nip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],\nbut the function is exposed to user space before the entry is allocated\nvia register_pernet_subsys().\n\nLet's call register_pernet_subsys() before xt_register_template().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv->path is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)\n[452744.123966]  [<00000000d593001e>] iucv_path_sever+0x96/0x138\n[452744.124330]  [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336]  [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341]  [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345]  [<00000000d574794e>] __sock_release+0x5e/0xe8\n[452744.124815]  [<00000000d5747a0c>] sock_close+0x34/0x48\n[452744.124820]  [<00000000d5421642>] __fput+0xba/0x268\n[452744.124826]  [<00000000d51b382c>] task_work_run+0xbc/0xf0\n[452744.124832]  [<00000000d5145710>] do_notify_resume+0x88/0x90\n[452744.124841]  [<00000000d5978096>] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321]  [<00000000d5930018>] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: act_ct: take care of padding in struct zones_ht_key\n\nBlamed commit increased lookup key size from 2 bytes to 16 bytes,\nbecause zones_ht_key got a struct net pointer.\n\nMake sure rhashtable_lookup() is not using the padding bytes\nwhich are not initialized.\n\n BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n  rht_ptr_rcu include/linux/rhashtable.h:376 [inline]\n  __rhashtable_lookup include/linux/rhashtable.h:607 [inline]\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n  tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329\n  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408\n  tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425\n  tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488\n  tcf_action_add net/sched/act_api.c:2061 [inline]\n  tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118\n  rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665\n  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n  netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357\n  netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2597\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651\n  __sys_sendmsg net/socket.c:2680 [inline]\n  __do_sys_sendmsg net/socket.c:2689 [inline]\n  __se_sys_sendmsg net/socket.c:2687 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687\n  x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable key created at:\n  tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324\n  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid\n\nmkdir /mnt/test/comp\nf2fs_io setflags compression /mnt/test/comp\ndd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1\ntruncate --size 13 /mnt/test/comp/testfile\n\nIn the above scenario, we can get a BUG_ON.\n kernel BUG at fs/f2fs/segment.c:3589!\n Call Trace:\n  do_write_page+0x78/0x390 [f2fs]\n  f2fs_outplace_write_data+0x62/0xb0 [f2fs]\n  f2fs_do_write_data_page+0x275/0x740 [f2fs]\n  f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]\n  f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]\n  f2fs_write_cache_pages+0xab1/0xc60 [f2fs]\n  f2fs_write_data_pages+0x2d8/0x330 [f2fs]\n  do_writepages+0xcf/0x270\n  __writeback_single_inode+0x44/0x350\n  writeback_sb_inodes+0x242/0x530\n  __writeback_inodes_wb+0x54/0xf0\n  wb_writeback+0x192/0x310\n  wb_workfn+0x30d/0x400\n\nThe reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the\npage was set the gcing flag by set_cluster_dirty().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elapse event in process context\"\n\nCommit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period elapse event\nin process context\") removed the process context workqueue from\namdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove\nits overhead.\n\nWith RME Fireface 800, this lead to a regression since\nKernels 5.14.0, causing an AB/BA deadlock competition for the\nsubstream lock with eventual system freeze under ALSA operation:\n\nthread 0:\n    * (lock A) acquire substream lock by\n\tsnd_pcm_stream_lock_irq() in\n\tsnd_pcm_status64()\n    * (lock B) wait for tasklet to finish by calling\n    \ttasklet_unlock_spin_wait() in\n\ttasklet_disable_in_atomic() in\n\tohci_flush_iso_completions() of ohci.c\n\nthread 1:\n    * (lock B) enter tasklet\n    * (lock A) attempt to acquire substream lock,\n    \twaiting for it to be released:\n\tsnd_pcm_stream_lock_irqsave() in\n    \tsnd_pcm_period_elapsed() in\n\tupdate_pcm_pointers() in\n\tprocess_ctx_payloads() in\n\tprocess_rx_packets() of amdtp-stream.c\n\n? tasklet_unlock_spin_wait\n </NMI>\n <TASK>\nohci_flush_iso_completions firewire_ohci\namdtp_domain_stream_pcm_pointer snd_firewire_lib\nsnd_pcm_update_hw_ptr0 snd_pcm\nsnd_pcm_status64 snd_pcm\n\n? native_queued_spin_lock_slowpath\n </NMI>\n <IRQ>\n_raw_spin_lock_irqsave\nsnd_pcm_period_elapsed snd_pcm\nprocess_rx_packets snd_firewire_lib\nirq_target_callback snd_firewire_lib\nhandle_it_packet firewire_ohci\ncontext_tasklet firewire_ohci\n\nRestore the process context work queue to prevent deadlock\nAB/BA deadlock competition for ALSA substream lock of\nsnd_pcm_stream_lock_irq() in snd_pcm_status64()\nand snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().\n\nrevert commit 7ba5ca32fe6e (\"ALSA: firewire-lib: operate for period\nelapse event in process context\")\n\nReplace inline description to prevent future deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix error code in drm_client_buffer_vmap_local()\n\nThis function accidentally returns zero/success on the failure path.\nIt leads to locking issues and an uninitialized *map_copy in the\ncaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: add missing condition check for existence of mapped data\n\nnvme_map_data() is called when request has physical segments, hence\nthe nvme_unmap_data() should have same condition to avoid dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: sprd: Avoid NULL deref in sprd_iommu_hw_en\n\nIn sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()\ndom->sdev is equal to NULL, which leads to null dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: TAS2781: Fix tasdev_load_calibrated_data()\n\nThis function has a reversed if statement so it's either a no-op or it\nleads to a NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer\n\nWhile transmitting with rx_len == 0, the RX FIFO is not going to be\nemptied in the interrupt handler. A subsequent transfer could then\nread crap from the previous transfer out of the RX FIFO into the\nstart RX buffer. The core provides a register that will empty the RX and\nTX FIFOs, so do that before each transfer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix a use after free in hfcmulti_tx()\n\nDon't dereference *sp after calling dev_kfree_skb(*sp).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a segment issue when downgrading gso_size\n\nLinearize the skb when downgrading gso_size because it may trigger a\nBUG_ON() later when the skb is segmented as described in [1,2].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mediatek: Fix potential NULL pointer dereference in dummy net_device handling\n\nMove the freeing of the dummy net_device from mtk_free_dev() to\nmtk_remove().\n\nPreviously, if alloc_netdev_dummy() failed in mtk_probe(),\neth->dummy_dev would be NULL. The error path would then call\nmtk_free_dev(), which in turn called free_netdev() assuming dummy_dev\nwas allocated (but it was not), potentially causing a NULL pointer\ndereference.\n\nBy moving free_netdev() to mtk_remove(), we ensure it's only called when\nmtk_probe() has succeeded and dummy_dev is fully allocated. This\naddresses a potential NULL pointer dereference detected by Smatch[1].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: Initialize all fields in dumped nexthops\n\nstruct nexthop_grp contains two reserved fields that are not initialized by\nnla_put_nh_group(), and carry garbage. This can be observed e.g. with\nstrace (edited for clarity):\n\n    # ip nexthop add id 1 dev lo\n    # ip nexthop add id 101 group 1\n    # strace -e recvmsg ip nexthop get id 101\n    ...\n    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},\n                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52\n\nThe fields are reserved and therefore not currently used. But as they are, they\nleak kernel memory, and the fact they are not just zero complicates repurposing\nof the fields for new ends. Initialize the full structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Return non-zero value from tipc_udp_addr2str() on error\n\ntipc_udp_addr2str() should return non-zero value if the UDP media\naddress is invalid. Otherwise, a buffer overflow access can occur in\ntipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP\nmedia address.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix a use-after-free related to destroying CM IDs\n\niw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with\nan existing struct iw_cm_id (cm_id) as follows:\n\n        conn_id->cm_id.iw = cm_id;\n        cm_id->context = conn_id;\n        cm_id->cm_handler = cma_iw_handler;\n\nrdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make\nsure that cm_work_handler() does not trigger a use-after-free by only\nfreeing of the struct rdma_id_private after all pending work has finished.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: validate nvme_local_port correctly\n\nThe driver load failed with error message,\n\nqla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef\n\nand with a kernel crash,\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000070\n\tWorkqueue: events_unbound qla_register_fcport_fn [qla2xxx]\n\tRIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc]\n\tRSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282\n\tRAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000\n\tRDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000\n\tRBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030\n\tR10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4\n\tR13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8\n\tFS:  0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0\n\tCall Trace:\n\tqla_nvme_register_remote+0xeb/0x1f0 [qla2xxx]\n\t? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx]\n\tqla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx]\n\tqla_register_fcport_fn+0x54/0xc0 [qla2xxx]\n\nExit the qla_nvme_register_remote() function when qla_nvme_register_hba()\nfails and correctly validate nvme_local_port.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Complete command early within lock\n\nA crash was observed while performing NPIV and FW reset,\n\n BUG: kernel NULL pointer dereference, address: 000000000000001c\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 1 PREEMPT_RT SMP NOPTI\n RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002\n RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0\n RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034\n R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000\n R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000\n FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n <TASK>\n ? __die_body+0x1a/0x60\n ? page_fault_oops+0x16f/0x4a0\n ? do_user_addr_fault+0x174/0x7f0\n ? exc_page_fault+0x69/0x1a0\n ? asm_exc_page_fault+0x22/0x30\n ? dma_direct_unmap_sg+0x51/0x1e0\n ? preempt_count_sub+0x96/0xe0\n qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]\n qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]\n __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]\n\nThe command completion was done early while aborting the commands in driver\nunload path but outside lock to avoid the WARN_ON condition of performing\ndma_free_attr within the lock. However this caused race condition while\ncommand completion via multiple paths causing system crash.\n\nHence complete the command early in unload path but within the lock to\navoid race condition.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix for possible memory corruption\n\nInit Control Block is dereferenced incorrectly.  Correctly dereference ICB",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: During vport delete send async logout explicitly\n\nDuring vport delete, it is observed that during unload we hit a crash\nbecause of stale entries in outstanding command array.  For all these stale\nI/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but\nI/Os could not complete while vport delete is in process of deleting.\n\n  BUG: kernel NULL pointer dereference, address: 000000000000001c\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  Workqueue: qla2xxx_wq qla_do_work [qla2xxx]\n  RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0\n  RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001\n  RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0\n  RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8\n  R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000\n  R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000\n  FS:  0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0\n  Call Trace:\n  <TASK>\n  qla2xxx_qpair_sp_free_dma+0x417/0x4e0\n  ? qla2xxx_qpair_sp_compl+0x10d/0x1a0\n  ? qla2x00_status_entry+0x768/0x2830\n  ? newidle_balance+0x2f0/0x430\n  ? dequeue_entity+0x100/0x3c0\n  ? qla24xx_process_response_queue+0x6a1/0x19e0\n  ? __schedule+0x2d5/0x1140\n  ? qla_do_work+0x47/0x60\n  ? process_one_work+0x267/0x440\n  ? process_one_work+0x440/0x440\n  ? worker_thread+0x2d/0x3d0\n  ? process_one_work+0x440/0x440\n  ? kthread+0x156/0x180\n  ? set_kthread_struct+0x50/0x50\n  ? ret_from_fork+0x22/0x30\n  </TASK>\n\nSend out async logout explicitly for all the ports during vport delete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/imx-irqsteer: Handle runtime power management correctly\n\nThe power domain is automatically activated from clk_prepare(). However, on\ncertain platforms like i.MX8QM and i.MX8QXP, the power-on handling invokes\nsleeping functions, which triggers the 'scheduling while atomic' bug in the\ncontext switch path during device probing:\n\n BUG: scheduling while atomic: kworker/u13:1/48/0x00000002\n Call trace:\n  __schedule_bug+0x54/0x6c\n  __schedule+0x7f0/0xa94\n  schedule+0x5c/0xc4\n  schedule_preempt_disabled+0x24/0x40\n  __mutex_lock.constprop.0+0x2c0/0x540\n  __mutex_lock_slowpath+0x14/0x20\n  mutex_lock+0x48/0x54\n  clk_prepare_lock+0x44/0xa0\n  clk_prepare+0x20/0x44\n  imx_irqsteer_resume+0x28/0xe0\n  pm_generic_runtime_resume+0x2c/0x44\n  __genpd_runtime_resume+0x30/0x80\n  genpd_runtime_resume+0xc8/0x2c0\n  __rpm_callback+0x48/0x1d8\n  rpm_callback+0x6c/0x78\n  rpm_resume+0x490/0x6b4\n  __pm_runtime_resume+0x50/0x94\n  irq_chip_pm_get+0x2c/0xa0\n  __irq_do_set_handler+0x178/0x24c\n  irq_set_chained_handler_and_data+0x60/0xa4\n  mxc_gpio_probe+0x160/0x4b0\n\nCure this by implementing the irq_bus_lock/sync_unlock() interrupt chip\ncallbacks and handle power management in them as they are invoked from\nnon-atomic context.\n\n[ tglx: Rewrote change log, added Fixes tag ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add a per-VF limit on number of FDIR filters\n\nWhile the iavf driver adds a s/w limit (128) on the number of FDIR\nfilters that the VF can request, a malicious VF driver can request more\nthan that and exhaust the resources for other VFs.\n\nAdd a similar limit in ice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkobject_uevent: Fix OOB access within zap_modalias_env()\n\nzap_modalias_env() wrongly calculates size of memory block to move, so\nwill cause OOB memory access issue if variable MODALIAS is not the last\none within its @env parameter, fixed by correcting size to memmove.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: Fix lockless walks with static and dynamic page-table folding\n\nLina reports random oopsen originating from the fast GUP code when\n16K pages are used with 4-level page-tables, the fourth level being\nfolded at runtime due to lack of LPA2.\n\nIn this configuration, the generic implementation of\np4d_offset_lockless() will return a 'p4d_t *' corresponding to the\n'pgd_t' allocated on the stack of the caller, gup_fast_pgd_range().\nThis is normally fine, but when the fourth level of page-table is folded\nat runtime, pud_offset_lockless() will offset from the address of the\n'p4d_t' to calculate the address of the PUD in the same page-table page.\nThis results in a stray stack read when the 'p4d_t' has been allocated\non the stack and can send the walker into the weeds.\n\nFix the problem by providing our own definition of p4d_offset_lockless()\nwhen CONFIG_PGTABLE_LEVELS <= 4 which returns the real page-table\npointer rather than the address of the local stack variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix deadlock between sd_remove & sd_release\n\nOur test report the following hung task:\n\n[ 2538.459400] INFO: task \"kworker/0:0\":7 blocked for more than 188 seconds.\n[ 2538.459427] Call trace:\n[ 2538.459430]  __switch_to+0x174/0x338\n[ 2538.459436]  __schedule+0x628/0x9c4\n[ 2538.459442]  schedule+0x7c/0xe8\n[ 2538.459447]  schedule_preempt_disabled+0x24/0x40\n[ 2538.459453]  __mutex_lock+0x3ec/0xf04\n[ 2538.459456]  __mutex_lock_slowpath+0x14/0x24\n[ 2538.459459]  mutex_lock+0x30/0xd8\n[ 2538.459462]  del_gendisk+0xdc/0x350\n[ 2538.459466]  sd_remove+0x30/0x60\n[ 2538.459470]  device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459474]  device_release_driver+0x18/0x28\n[ 2538.459478]  bus_remove_device+0x15c/0x174\n[ 2538.459483]  device_del+0x1d0/0x358\n[ 2538.459488]  __scsi_remove_device+0xa8/0x198\n[ 2538.459493]  scsi_forget_host+0x50/0x70\n[ 2538.459497]  scsi_remove_host+0x80/0x180\n[ 2538.459502]  usb_stor_disconnect+0x68/0xf4\n[ 2538.459506]  usb_unbind_interface+0xd4/0x280\n[ 2538.459510]  device_release_driver_internal+0x1c4/0x2c4\n[ 2538.459514]  device_release_driver+0x18/0x28\n[ 2538.459518]  bus_remove_device+0x15c/0x174\n[ 2538.459523]  device_del+0x1d0/0x358\n[ 2538.459528]  usb_disable_device+0x84/0x194\n[ 2538.459532]  usb_disconnect+0xec/0x300\n[ 2538.459537]  hub_event+0xb80/0x1870\n[ 2538.459541]  process_scheduled_works+0x248/0x4dc\n[ 2538.459545]  worker_thread+0x244/0x334\n[ 2538.459549]  kthread+0x114/0x1bc\n\n[ 2538.461001] INFO: task \"fsck.\":15415 blocked for more than 188 seconds.\n[ 2538.461014] Call trace:\n[ 2538.461016]  __switch_to+0x174/0x338\n[ 2538.461021]  __schedule+0x628/0x9c4\n[ 2538.461025]  schedule+0x7c/0xe8\n[ 2538.461030]  blk_queue_enter+0xc4/0x160\n[ 2538.461034]  blk_mq_alloc_request+0x120/0x1d4\n[ 2538.461037]  scsi_execute_cmd+0x7c/0x23c\n[ 2538.461040]  ioctl_internal_command+0x5c/0x164\n[ 2538.461046]  scsi_set_medium_removal+0x5c/0xb0\n[ 2538.461051]  sd_release+0x50/0x94\n[ 2538.461054]  blkdev_put+0x190/0x28c\n[ 2538.461058]  blkdev_release+0x28/0x40\n[ 2538.461063]  __fput+0xf8/0x2a8\n[ 2538.461066]  __fput_sync+0x28/0x5c\n[ 2538.461070]  __arm64_sys_close+0x84/0xe8\n[ 2538.461073]  invoke_syscall+0x58/0x114\n[ 2538.461078]  el0_svc_common+0xac/0xe0\n[ 2538.461082]  do_el0_svc+0x1c/0x28\n[ 2538.461087]  el0_svc+0x38/0x68\n[ 2538.461090]  el0t_64_sync_handler+0x68/0xbc\n[ 2538.461093]  el0t_64_sync+0x1a8/0x1ac\n\n  T1:\t\t\t\tT2:\n  sd_remove\n  del_gendisk\n  __blk_mark_disk_dead\n  blk_freeze_queue_start\n  ++q->mq_freeze_depth\n  \t\t\t\tbdev_release\n \t\t\t\tmutex_lock(&disk->open_mutex)\n  \t\t\t\tsd_release\n \t\t\t\tscsi_execute_cmd\n \t\t\t\tblk_queue_enter\n \t\t\t\twait_event(!q->mq_freeze_depth)\n  mutex_lock(&disk->open_mutex)\n\nSCSI does not set GD_OWNS_QUEUE, so QUEUE_FLAG_DYING is not set in\nthis scenario. This is a classic ABBA deadlock. To fix the deadlock,\nmake sure we don't try to acquire disk->open_mutex after freezing\nthe queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle inconsistent state in nilfs_btnode_create_block()\n\nSyzbot reported that a buffer state inconsistency was detected in\nnilfs_btnode_create_block(), triggering a kernel bug.\n\nIt is not appropriate to treat this inconsistency as a bug; it can occur\nif the argument block address (the buffer index of the newly created\nblock) is a virtual block number and has been reallocated due to\ncorruption of the bitmap used to manage its allocation state.\n\nSo, modify nilfs_btnode_create_block() and its callers to treat it as a\npossible filesystem error, rather than triggering a kernel bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_convert_inline_inode()\n\nIf device is readonly, make f2fs_convert_inline_inode()\nreturn EROFS instead of zero, otherwise it may trigger\npanic during writeback of inline inode's dirty page as\nbelow:\n\n f2fs_write_single_data_page+0xbb6/0x1e90 fs/f2fs/data.c:2888\n f2fs_write_cache_pages fs/f2fs/data.c:3187 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3342 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3369\n do_writepages+0x359/0x870 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n file_write_and_wait_range+0x1aa/0x290 mm/filemap.c:788\n f2fs_do_sync_file+0x68a/0x1ae0 fs/f2fs/file.c:276\n generic_write_sync include/linux/fs.h:2806 [inline]\n f2fs_file_write_iter+0x7bd/0x24e0 fs/f2fs/file.c:4977\n call_write_iter include/linux/fs.h:2114 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't dirty inode for readonly filesystem\n\nsyzbot reports f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:933!\nRIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933\nCall Trace:\n evict+0x2a4/0x620 fs/inode.c:664\n dispose_list fs/inode.c:697 [inline]\n evict_inodes+0x5f8/0x690 fs/inode.c:747\n generic_shutdown_super+0x9d/0x2c0 fs/super.c:675\n kill_block_super+0x44/0x90 fs/super.c:1667\n kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894\n deactivate_locked_super+0xc1/0x130 fs/super.c:484\n cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256\n task_work_run+0x24a/0x300 kernel/task_work.c:180\n ptrace_notify+0x2cd/0x380 kernel/signal.c:2399\n ptrace_report_syscall include/linux/ptrace.h:411 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]\n syscall_exit_work kernel/entry/common.c:251 [inline]\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]\n syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296\n do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe root cause is:\n- do_sys_open\n - f2fs_lookup\n  - __f2fs_find_entry\n   - f2fs_i_depth_write\n    - f2fs_mark_inode_dirty_sync\n     - f2fs_dirty_inode\n      - set_inode_flag(inode, FI_DIRTY_INODE)\n\n- umount\n - kill_f2fs_super\n  - kill_block_super\n   - generic_shutdown_super\n    - sync_filesystem\n    : sb is readonly, skip sync_filesystem()\n    - evict_inodes\n     - iput\n      - f2fs_evict_inode\n       - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE))\n       : trigger kernel panic\n\nWhen we try to repair i_current_depth in readonly filesystem, let's\nskip dirty inode to avoid panic in later f2fs_evict_inode().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this returned\nvalue is not checked.\n\nFix this lack and check the returned value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Update log->page_{mask,bits} if log->page_size changed\n\nIf an NTFS file system is mounted to another system with different\nPAGE_SIZE from the original system, log->page_size will change in\nlog_replay(), but log->page_{mask,bits} don't change correspondingly.\nThis will cause a panic because \"u32 bytes = log->page_size - page_off\"\nwill get a negative value in the later read_log_page().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix race in z_erofs_get_gbuf()\n\nIn z_erofs_get_gbuf(), the current task may be migrated to another\nCPU between `z_erofs_gbuf_id()` and `spin_lock(&gbuf->lock)`.\n\nTherefore, z_erofs_put_gbuf() will trigger the following issue\nwhich was found by stress test:\n\n<2>[772156.434168] kernel BUG at fs/erofs/zutil.c:58!\n..\n<4>[772156.435007]\n<4>[772156.439237] CPU: 0 PID: 3078 Comm: stress Kdump: loaded Tainted: G            E      6.10.0-rc7+ #2\n<4>[772156.439239] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 1.0.0 01/01/2017\n<4>[772156.439241] pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n<4>[772156.439243] pc : z_erofs_put_gbuf+0x64/0x70 [erofs]\n<4>[772156.439252] lr : z_erofs_lz4_decompress+0x600/0x6a0 [erofs]\n..\n<6>[772156.445958] stress (3127): drop_caches: 1\n<4>[772156.446120] Call trace:\n<4>[772156.446121]  z_erofs_put_gbuf+0x64/0x70 [erofs]\n<4>[772156.446761]  z_erofs_lz4_decompress+0x600/0x6a0 [erofs]\n<4>[772156.446897]  z_erofs_decompress_queue+0x740/0xa10 [erofs]\n<4>[772156.447036]  z_erofs_runqueue+0x428/0x8c0 [erofs]\n<4>[772156.447160]  z_erofs_readahead+0x224/0x390 [erofs]\n..",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndev/parport: fix the array out-of-bounds risk\n\nFixed array out-of-bounds issues caused by sprintf\nby replacing it with snprintf for safer data copying,\nensuring the destination buffer is not overflowed.\n\nBelow is the stack trace I encountered during the actual issue:\n\n[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]\n[ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm:\nQThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2\n[ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp\n[ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun\nPGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024\n[ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace:\n[ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0\n[ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20\n[ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c\n[ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc\n[ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38\n[ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DPC: Fix use-after-free on concurrent DPC and hot-removal\n\nKeith reports a use-after-free when a DPC event occurs concurrently to\nhot-removal of the same portion of the hierarchy:\n\nThe dpc_handler() awaits readiness of the secondary bus below the\nDownstream Port where the DPC event occurred.  To do so, it polls the\nconfig space of the first child device on the secondary bus.  If that\nchild device is concurrently removed, accesses to its struct pci_dev\ncause the kernel to oops.\n\nThat's because pci_bridge_wait_for_secondary_bus() neglects to hold a\nreference on the child device.  Before v6.3, the function was only\ncalled on resume from system sleep or on runtime resume.  Holding a\nreference wasn't necessary back then because the pciehp IRQ thread\ncould never run concurrently.  (On resume from system sleep, IRQs are\nnot enabled until after the resume_noirq phase.  And runtime resume is\nalways awaited before a PCI device is removed.)\n\nHowever starting with v6.3, pci_bridge_wait_for_secondary_bus() is also\ncalled on a DPC event.  Commit 53b54ad074de (\"PCI/DPC: Await readiness\nof secondary bus after reset\"), which introduced that, failed to\nappreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a\nreference on the child device because dpc_handler() and pciehp may\nindeed run concurrently.  The commit was backported to v5.10+ stable\nkernels, so that's the oldest one affected.\n\nAdd the missing reference acquisition.\n\nAbridged stack trace:\n\n  BUG: unable to handle page fault for address: 00000000091400c0\n  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0\n  RIP: pci_bus_read_config_dword+0x17/0x50\n  pci_dev_wait()\n  pci_bridge_wait_for_secondary_bus()\n  dpc_reset_link()\n  pcie_do_recovery()\n  dpc_handler()",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-pxp: Fix ERR_PTR dereference in pxp_probe()\n\ndevm_regmap_init_mmio() can fail, add a check and bail out in case of\nerror.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: make sure the first directory block is not a hole\n\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\n\n    ext4_mknod\n     ...\n      ext4_add_entry\n        // Read block 0\n        ext4_read_dirblock(dir, block, DIRENT)\n          bh = ext4_bread(NULL, inode, block, 0)\n          if (!bh && (type == INDEX || type == DIRENT_HTREE))\n          // The first directory block is a hole\n          // But type == DIRENT, so no error is reported.\n\nAfter that, we get a directory block without '.' and '..' but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\n\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check dot and dotdot of dx_root before making dir indexed\n\nSyzbot reports a issue as follows:\n============================================\nBUG: unable to handle page fault for address: ffffed11022e24fe\nPGD 23ffee067 P4D 23ffee067 PUD 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0\nCall Trace:\n <TASK>\n make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451\n ext4_rename fs/ext4/namei.c:3936 [inline]\n ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214\n[...]\n============================================\n\nThe immediate cause of this problem is that there is only one valid dentry\nfor the block to be split during do_split, so split==0 results in out of\nbounds accesses to the map triggering the issue.\n\n    do_split\n      unsigned split\n      dx_make_map\n       count = 1\n      split = count/2 = 0;\n      continued = hash2 == map[split - 1].hash;\n       ---> map[4294967295]\n\nThe maximum length of a filename is 255 and the minimum block size is 1024,\nso it is always guaranteed that the number of entries is greater than or\nequal to 2 when do_split() is called.\n\nBut syzbot's crafted image has no dot and dotdot in dir, and the dentry\ndistribution in dirblock is as follows:\n\n  bus     dentry1          hole           dentry2           free\n|xx--|xx-------------|...............|xx-------------|...............|\n0   12 (8+248)=256  268     256     524 (8+256)=264 788     236     1024\n\nSo when renaming dentry1 increases its name_len length by 1, neither hole\nnor free is sufficient to hold the new dentry, and make_indexed_dir() is\ncalled.\n\nIn make_indexed_dir() it is assumed that the first two entries of the\ndirblock must be dot and dotdot, so bus and dentry1 are left in dx_root\nbecause they are treated as dot and dotdot, and only dentry2 is moved\nto the new leaf block. That's why count is equal to 1.\n\nTherefore add the ext4_check_dx_root() helper function to add more sanity\nchecks to dot and dotdot before starting the conversion to avoid the above\nissue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid using corrupted block bitmap buffer\n\nWhen the filesystem block bitmap is corrupted, we detect the corruption\nwhile loading the bitmap and fail the allocation with error. However the\nnext allocation from the same bitmap will notice the bitmap buffer is\nalready loaded and tries to allocate from the bitmap with mixed results\n(depending on the exact nature of the bitmap corruption). Fix the\nproblem by using BH_verified bit to indicate whether the bitmap is valid\nor not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential null pointer use in destroy_workqueue in init_cifs error path\n\nDan Carpenter reported a Smack static checker warning:\n   fs/smb/client/cifsfs.c:1981 init_cifs()\n   error: we previously assumed 'serverclose_wq' could be null (see line 1895)\n\nThe patch which introduced the serverclose workqueue used the wrong\noredering in error paths in init_cifs() for freeing it on errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes\n\nIn psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\n\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()\n\nSyzbot reports uninitialized value access issue as below:\n\nloop0: detected capacity change from 0 to 64\n=====================================================\nBUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30\n d_revalidate fs/namei.c:862 [inline]\n lookup_fast+0x89e/0x8e0 fs/namei.c:1649\n walk_component fs/namei.c:2001 [inline]\n link_path_walk+0x817/0x1480 fs/namei.c:2332\n path_lookupat+0xd9/0x6f0 fs/namei.c:2485\n filename_lookup+0x22e/0x740 fs/namei.c:2515\n user_path_at_empty+0x8b/0x390 fs/namei.c:2924\n user_path_at include/linux/namei.h:57 [inline]\n do_mount fs/namespace.c:3689 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x66b/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nBUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\nBUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n hfs_ext_read_extent fs/hfs/extent.c:196 [inline]\n hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366\n block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271\n hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39\n filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426\n do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553\n do_read_cache_page mm/filemap.c:3595 [inline]\n read_cache_page+0xfb/0x2f0 mm/filemap.c:3604\n read_mapping_page include/linux/pagemap.h:755 [inline]\n hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78\n hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204\n hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406\n mount_bdev+0x628/0x920 fs/super.c:1359\n hfs_mount+0xcd/0xe0 fs/hfs/super.c:456\n legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610\n vfs_get_tree+0xdc/0x5d0 fs/super.c:1489\n do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145\n path_mount+0xf98/0x26a0 fs/namespace.c:3475\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674\n __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2190 [inline]\n allocate_slab mm/slub.c:2354 [inline]\n new_slab+0x2d7/0x1400 mm/slub.c:2407\n ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540\n __slab_alloc mm/slub.c:3625 [inline]\n __slab_alloc_node mm/slub.c:3678 [inline]\n slab_alloc_node mm/slub.c:3850 [inline]\n kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3018 [inline]\n hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165\n alloc_inode+0x83/0x440 fs/inode.c:260\n new_inode_pseudo fs/inode.c:1005 [inline]\n new_inode+0x38/0x4f0 fs/inode.c:1031\n hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186\n hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228\n vfs_mkdir+0x49a/0x700 fs/namei.c:4126\n do_mkdirat+0x529/0x810 fs/namei.c:4149\n __do_sys_mkdirat fs/namei.c:4164 [inline]\n __se_sys_mkdirat fs/namei.c:4162 [inline]\n __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nIt missed to initialize .tz_secondswest, .cached_start and .cached_blocks\nfields in struct hfs_inode_info after hfs_alloc_inode(), fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: always initialize i_uid/i_gid\n\nAlways initialize i_uid/i_gid inside the sysfs core so set_ownership()\ncan safely skip setting them.\n\nCommit 5ec27ec735ba (\"fs/proc/proc_sysctl.c: fix the default values of\ni_uid/i_gid on /proc/sys inodes.\") added defaults for i_uid/i_gid when\nset_ownership() was not implemented. It also missed adjusting\nnet_ctl_set_ownership() to use the same default values in case the\ncomputation of a better value failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free in vdec_close\n\nThere appears to be a possible use after free with vdec_close().\nThe firmware will add buffer release work to the work queue through\nHFI callbacks as a normal part of decoding. Randomly closing the\ndecoder device from userspace during normal decoding can incur\na read after free for inst.\n\nFix it by cancelling the work in vdec_close.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix extent map use-after-free when adding pages to compressed bio\n\nAt add_ra_bio_pages() we are accessing the extent map to calculate\n'add_size' after we dropped our reference on the extent map, resulting\nin a use-after-free. Fix this by computing 'add_size' before dropping our\nextent map reference.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi->s_lock between the two processes may occur.\n\n       CPU0                CPU1\n       ----                ----\n  kswapd\n   balance_pgdat\n    lock(fs_reclaim)\n                      exfat_iterate\n                       lock(&sbi->s_lock)\n                       exfat_readdir\n                        exfat_get_uniname_from_ext_entry\n                         exfat_get_dentry_set\n                          __exfat_get_dentry_set\n                           kmalloc_array\n                            ...\n                            lock(fs_reclaim)\n    ...\n    evict\n     exfat_evict_inode\n      lock(&sbi->s_lock)\n\nTo fix this, let's allocate bh-array with GFP_NOFS.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mglru: fix div-by-zero in vmpressure_calc_level()\n\nevict_folios() uses a second pass to reclaim folios that have gone through\npage writeback and become clean before it finishes the first pass, since\nfolio_rotate_reclaimable() cannot handle those folios due to the\nisolation.\n\nThe second pass tries to avoid potential double counting by deducting\nscan_control->nr_scanned.  However, this can result in underflow of\nnr_scanned, under a condition where shrink_folio_list() does not increment\nnr_scanned, i.e., when folio_trylock() fails.\n\nThe underflow can cause the divisor, i.e., scale=scanned+reclaimed in\nvmpressure_calc_level(), to become zero, resulting in the following crash:\n\n  [exception RIP: vmpressure_work_fn+101]\n  process_one_work at ffffffffa3313f2b\n\nSince scan_control->nr_scanned has no established semantics, the potential\ndouble counting has minimal risks.  Therefore, fix the problem by not\ndeducting scan_control->nr_scanned in evict_folios().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: avoid PMD-size page cache if needed\n\nxarray can't support arbitrary page cache size.  the largest and supported\npage cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71\n(\"mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\").  However,\nit's possible to have 512MB page cache in the huge memory's collapsing\npath on ARM64 system whose base page size is 64KB.  512MB page cache is\nbreaking the limitation and a warning is raised when the xarray entry is\nsplit as shown in the following example.\n\n[root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize\nKernelPageSize:       64 kB\n[root@dhcp-10-26-1-207 ~]# cat /tmp/test.c\n   :\nint main(int argc, char **argv)\n{\n\tconst char *filename = TEST_XFS_FILENAME;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret = 0;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stdout, \"System with 64KB base page size is required!\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open the xfs file */\n\tfd = open(filename, O_RDONLY);\n\tassert(fd > 0);\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);\n\tassert(buf != (void *)-1);\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);\n\tassert(ret == 0);\n\n\t/* Collapse VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);\n\tif (ret) {\n\t\tfprintf(stdout, \"Error %d to madvise(MADV_COLLAPSE)\\n\", errno);\n\t\tgoto out;\n\t}\n\n\t/* Split xarray entry. 
Write permission is needed */\n\tmunmap(buf, TEST_MEM_SIZE);\n\tbuf = (void *)-1;\n\tclose(fd);\n\tfd = open(filename, O_RDWR);\n\tassert(fd > 0);\n\tfallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\t  TEST_MEM_SIZE - pgsize, pgsize);\nout:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn ret;\n}\n\n[root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test\n[root@dhcp-10-26-1-207 ~]# /tmp/test\n ------------[ cut here ]------------\n WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\n Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib    \\\n nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct      \\\n nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4      \\\n ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse   \\\n xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net  \\\n sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio\n CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9\n Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\n pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n pc : xas_split_alloc+0xf8/0x128\n lr : split_huge_page_to_list_to_order+0x1c4/0x780\n sp : ffff8000ac32f660\n x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0\n x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d\n x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c\n x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8\n x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40\n x2 : 000000000000000d x1 : 
000000000000000c x0 : 0000000000000000\n Call trace:\n  xas_split_alloc+0xf8/0x128\n  split_huge_page_to_list_to_order+0x1c4/0x780\n  truncate_inode_partial_folio+0xdc/0x160\n  truncate_inode_pages_range+0x1b4/0x4a8\n  truncate_pagecache_range+0x84/0xa\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don't lose track of restrictions on cred_transfer\n\nWhen a process' cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent's credentials), the\ncred_transfer LSM hook is used instead.  Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()\n\nWhen mtk-cmdq unbinds, a WARN_ON message with condition\npm_runtime_get_sync() < 0 occurs.\n\nAccording to the call trace below:\n  cmdq_mbox_shutdown\n  mbox_free_channel\n  mbox_controller_unregister\n  __devm_mbox_controller_unregister\n  ...\n\nThe root cause can be deduced to be calling pm_runtime_get_sync() after\ncalling pm_runtime_disable() as observed below:\n1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()\n   to bind the cmdq device to the mbox_controller, so\n   devm_mbox_controller_unregister() will automatically unregister\n   the device bound to the mailbox controller when the device-managed\n   resource is removed. That means devm_mbox_controller_unregister()\n   and cmdq_mbox_shutdown() will be called after cmdq_remove().\n2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after\n   devm_mbox_controller_register(), so that devm_pm_runtime_disable()\n   will be called after cmdq_remove(), but before\n   devm_mbox_controller_unregister().\n\nTo fix this problem, cmdq_probe() needs to move\ndevm_mbox_controller_register() after devm_pm_runtime_enable() to make\ndevm_pm_runtime_disable() be called after\ndevm_mbox_controller_unregister().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nThe following splat is easy to reproduce upstream as well as in -stable\nkernels. Florian Westphal provided the following commit:\n\n  d1dab4f71d37 (\"net: add and use __skb_get_hash_symmetric_net\")\n\nbut this complementary fix has been also suggested by Willem de Bruijn\nand it can be easily backported to -stable kernel which consists in\nusing DEBUG_NET_WARN_ON_ONCE instead to silence the following splat\ngiven __skb_get_hash() is used by the nftables tracing infrastructure to\nidentify packets in traces.\n\n[69133.561393] ------------[ cut here ]------------\n[69133.561404] WARNING: CPU: 0 PID: 43576 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x134f/\n[...]\n[69133.561944] CPU: 0 PID: 43576 Comm: socat Not tainted 6.10.0-rc7+ #379\n[69133.561959] RIP: 0010:__skb_flow_dissect+0x134f/0x2ad0\n[69133.561970] Code: 83 f9 04 0f 84 b3 00 00 00 45 85 c9 0f 84 aa 00 00 00 41 83 f9 02 0f 84 81 fc ff\nff 44 0f b7 b4 24 80 00 00 00 e9 8b f9 ff ff <0f> 0b e9 20 f3 ff ff 41 f6 c6 20 0f 84 e4 ef ff ff 48 8d 7b 12 e8\n[69133.561979] RSP: 0018:ffffc90000006fc0 EFLAGS: 00010246\n[69133.561988] RAX: 0000000000000000 RBX: ffffffff82f33e20 RCX: ffffffff81ab7e19\n[69133.561994] RDX: dffffc0000000000 RSI: ffffc90000007388 RDI: ffff888103a1b418\n[69133.562001] RBP: ffffc90000007310 R08: 0000000000000000 R09: 0000000000000000\n[69133.562007] R10: ffffc90000007388 R11: ffffffff810cface R12: ffff888103a1b400\n[69133.562013] R13: 0000000000000000 R14: ffffffff82f33e2a R15: ffffffff82f33e28\n[69133.562020] FS:  00007f40f7131740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[69133.562027] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[69133.562033] CR2: 00007f40f7346ee0 CR3: 000000015d200001 CR4: 00000000001706f0\n[69133.562040] Call Trace:\n[69133.562044]  <IRQ>\n[69133.562049]  ? __warn+0x9f/0x1a0\n[ 1211.841384]  ? 
__skb_flow_dissect+0x107e/0x2860\n[...]\n[ 1211.841496]  ? bpf_flow_dissect+0x160/0x160\n[ 1211.841753]  __skb_get_hash+0x97/0x280\n[ 1211.841765]  ? __skb_get_hash_symmetric+0x230/0x230\n[ 1211.841776]  ? mod_find+0xbf/0xe0\n[ 1211.841786]  ? get_stack_info_noinstr+0x12/0xe0\n[ 1211.841798]  ? bpf_ksym_find+0x56/0xe0\n[ 1211.841807]  ? __rcu_read_unlock+0x2a/0x70\n[ 1211.841819]  nft_trace_init+0x1b9/0x1c0 [nf_tables]\n[ 1211.841895]  ? nft_trace_notify+0x830/0x830 [nf_tables]\n[ 1211.841964]  ? get_stack_info+0x2b/0x80\n[ 1211.841975]  ? nft_do_chain_arp+0x80/0x80 [nf_tables]\n[ 1211.842044]  nft_do_chain+0x79c/0x850 [nf_tables]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-42322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: properly dereference pe in ip_vs_add_service\n\nUse pe directly to resolve sparse warning:\n\n  net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-42322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock\n\nA deadlock may happen since the i3c_master_register() acquires\n&i3cbus->lock twice. See the log below.\nUse i3cdev->desc->info instead of calling i3c_device_info() to\navoid acquiring the lock twice.\n\nv2:\n  - Modified the title and commit message\n\n============================================\nWARNING: possible recursive locking detected\n6.11.0-mainline\n--------------------------------------------\ninit/1 is trying to acquire lock:\nf1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock\n\nbut task is already holding lock:\nf1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&i3cbus->lock);\n  lock(&i3cbus->lock);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n2 locks held by init/1:\n #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach\n #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register\n\nstack backtrace:\nCPU: 6 UID: 0 PID: 1 Comm: init\nCall trace:\n dump_backtrace+0xfc/0x17c\n show_stack+0x18/0x28\n dump_stack_lvl+0x40/0xc0\n dump_stack+0x18/0x24\n print_deadlock_bug+0x388/0x390\n __lock_acquire+0x18bc/0x32ec\n lock_acquire+0x134/0x2b0\n down_read+0x50/0x19c\n i3c_bus_normaluse_lock+0x14/0x24\n i3c_device_get_info+0x24/0x58\n i3c_device_uevent+0x34/0xa4\n dev_uevent+0x310/0x384\n kobject_uevent_env+0x244/0x414\n kobject_uevent+0x14/0x20\n device_add+0x278/0x460\n device_register+0x20/0x34\n i3c_master_register_new_i3c_devs+0x78/0x154\n i3c_master_register+0x6a0/0x6d4\n mtk_i3c_master_probe+0x3b8/0x4d8\n platform_probe+0xa0/0xe0\n really_probe+0x114/0x454\n __driver_probe_device+0xa0/0x15c\n driver_probe_device+0x3c/0x1ac\n __driver_attach+0xc4/0x1f0\n 
bus_for_each_dev+0x104/0x160\n driver_attach+0x24/0x34\n bus_add_driver+0x14c/0x294\n driver_register+0x68/0x104\n __platform_driver_register+0x20/0x30\n init_module+0x20/0xfe4\n do_one_initcall+0x184/0x464\n do_init_module+0x58/0x1ec\n load_module+0xefc/0x10c8\n __arm64_sys_finit_module+0x238/0x33c\n invoke_syscall+0x58/0x10c\n el0_svc_common+0xa8/0xdc\n do_el0_svc+0x1c/0x28\n el0_svc+0x50/0xac\n el0t_64_sync_handler+0x70/0xbc\n el0t_64_sync+0x1a8/0x1ac",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-43815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: mxs-dcp - Ensure payload is zero when using key slot\n\nWe could leak stack memory through the payload field when running\nAES with a key from one of the hardware's key slots. Fix this by\nensuring the payload field is set to 0 in such cases.\n\nThis does not affect the common use case when the key is supplied\nfrom main memory via the descriptor payload.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages\n\nOn big endian architectures, it is possible to run into a memory out of\nbounds pointer dereference when FCP targets are zoned.\n\nIn lpfc_prep_embed_io, the memcpy(ptr, fcp_cmnd, sgl->sge_len) is\nreferencing a little endian formatted sgl->sge_len value.  So, the memcpy\ncan cause big endian systems to crash.\n\nRedefine the *sgl ptr as a struct sli4_sge_le to make it clear that we are\nreferring to a little endian formatted data structure.  And, update the\nroutine with proper le32_to_cpu macro usages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: missing check virtio\n\nTwo missing check in virtio_net_hdr_to_skb() allowed syzbot\nto crash kernels again\n\n1. After the skb_segment function the buffer may become non-linear\n(nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere\nthe __skb_linearize function will not be executed, then the buffer will\nremain non-linear. Then the condition (offset >= skb_headlen(skb))\nbecomes true, which causes WARN_ON_ONCE in skb_checksum_help.\n\n2. The struct sk_buff and struct virtio_net_hdr members must be\nmathematically related.\n(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.\n(remainder) may be 0 if division is without remainder.\n\noffset+2 (4191) > skb_headlen() (1116)\nWARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nModules linked in:\nCPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303\nCode: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef\nRSP: 0018:ffffc90003a9f338 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209\nRDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001\nRBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c\nR13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d\nFS:  0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000f000 CR3: 0000000023151000 CR4: 
00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777\n ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584\n ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]\n __ip_finish_output net/ipv4/ip_output.c:308 [inline]\n __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:451 [inline]\n ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]\n sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3545 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x257/0x380 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n __sys_sendto+0x255/0x340 net/socket.c:2190\n __do_sys_sendto net/socket.c:2202 [inline]\n __se_sys_sendto net/socket.c:2198 [inline]\n __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: Adjust error handling in case of absent codec device\n\nacpi_get_first_physical_node() can return NULL in several cases (no such\ndevice, ACPI table error, reference count drop to 0, etc).\nExisting check just emits an error message, but doesn't perform return.\nThen this NULL pointer is passed to devm_acpi_dev_add_driver_gpios()\nwhere it is dereferenced.\n\nAdjust this error handling by adding error code return.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume\n\ndm-raid devices will occasionally trigger the following warning when\nbeing resumed after a table load because DM_RECOVERY_RUNNING is set:\n\nWARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid]\n\nThe failing check is:\nWARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, &mddev->recovery));\n\nThis check is designed to make sure that the sync thread isn't\nregistered, but md_check_recovery can set MD_RECOVERY_RUNNING without\nthe sync_thread ever getting registered. Instead of checking if\nMD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix a possible null pointer dereference\n\nIn function lpfc_xcvr_data_show, the memory allocation with kmalloc might\nfail, thereby making rdp_context a null pointer. In the following context\nand functions that use this pointer, there are dereferencing operations,\nleading to null pointer dereference.\n\nTo fix this issue, a null pointer check should be added. If it is null,\nuse scnprintf to notify the user and return len.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: PCM6240: Return directly after a failed devm_kzalloc() in pcmdevice_i2c_probe()\n\nThe value \u201c-ENOMEM\u201d was assigned to the local variable \u201cret\u201d\nin one if branch after a devm_kzalloc() call failed at the beginning.\nThis error code will then trigger a pcmdevice_remove() call with a passed\nnull pointer so that an undesirable dereference will be performed.\nThus return the appropriate error code directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()\n\nIf IORESOURCE_MEM is not provided in Device Tree due to\nany error, resource_list_first_type() will return NULL and\npci_parse_request_of_pci_ranges() will just emit a warning.\n\nThis will cause a NULL pointer dereference. Fix this bug by adding NULL\nreturn check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), 'epc_features' got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n  drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: Fix the sorting functionality in iio_gts_build_avail_time_table\n\nThe sorting in iio_gts_build_avail_time_table is not working as intended.\nIt could result in an out-of-bounds access when the time is zero.\n\nHere are more details:\n\n1. When the gts->itime_table[i].time_us is zero, e.g., the time\nsequence is `3, 0, 1`, the inner for-loop will not terminate and do\nout-of-bound writes. This is because once `times[j] > new`, the value\n`new` will be added in the current position and the `times[j]` will be\nmoved to `j+1` position, which makes the if-condition always hold.\nMeanwhile, idx will be added one, making the loop keep running without\ntermination and out-of-bound write.\n2. If none of the gts->itime_table[i].time_us is zero, the elements\nwill just be copied without being sorted as described in the comment\n\"Sort times from all tables to one and remove duplicates\".\n\nFor more details, please refer to\nhttps://lore.kernel.org/all/6dd0d822-046c-4dd2-9532-79d7ab96ec05@gmail.com.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: pass explicit offset/count to trace events\n\nnfs_folio_length is unsafe to use without having the folio locked and a\ncheck for a NULL ->f_mapping that protects against truncations and can\nlead to kernel crashes.  E.g. when running xfstests generic/065 with\nall nfs trace points enabled.\n\nFollow the model of the XFS trace points and pass in an explicit offset\nand length.  This has the additional benefit that these values can\nbe more accurate as some of the users touch partial folio ranges.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check before access structs\n\nIn enable_phantom_plane, we should check for null pointers before\naccessing various structs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix infinite loop when replaying fast_commit\n\nWhen doing fast_commit replay an infinite loop may occur due to an\nuninitialized extent_status struct.  ext4_ext_determine_insert_hole() does\nnot detect the replay and calls ext4_es_find_extent_range(), which will\nreturn immediately without initializing the 'es' variable.\n\nBecause 'es' contains garbage, an integer overflow may happen causing an\ninfinite loop in this function, easily reproducible using fstest generic/039.\n\nThis commit fixes this issue by unconditionally initializing the structure\nin function ext4_es_find_extent_range().\n\nThanks to Zhang Yi, for figuring out the real problem!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/qxl: Add check for drm_cvt_mode\n\nAdd check for the return value of drm_cvt_mode() and return the error if\nit fails in order to avoid NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: trigger: Unregister sysfs attributes before calling deactivate()\n\nTriggers which have trigger specific sysfs attributes typically store\nrelated data in trigger-data allocated by the activate() callback and\nfreed by the deactivate() callback.\n\nCalling device_remove_groups() after calling deactivate() leaves a window\nwhere the sysfs attributes show/store functions could be called after\ndeactivation and then operate on the just freed trigger-data.\n\nMove the device_remove_groups() call to before deactivate() to close\nthis race window.\n\nThis also makes the deactivation path properly do things in reverse order\nof the activation path which calls the activate() callback before calling\ndevice_add_groups().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Handle invalid decoder vsi\n\nHandle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi\nis valid for future use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/uv: Don't call folio_wait_writeback() without a folio reference\n\nfolio_wait_writeback() requires that no spinlocks are held and that\na folio reference is held, as documented. After we dropped the PTL, the\nfolio could get freed concurrently. So grab a temporary reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix NULL pointer dereference in adding ancillary links\n\nIn v4l2_async_create_ancillary_links(), ancillary links are created for\nlens and flash sub-devices. These are sub-device to sub-device links and\nif the async notifier is related to a V4L2 device, the source sub-device\nof the ancillary link is NULL, leading to a NULL pointer dereference.\nCheck the notifier's sd field is non-NULL in\nv4l2_async_create_ancillary_links().\n\n[Sakari Ailus: Reword the subject and commit messages slightly.]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: fix invalid wait context of page_pool_destroy()\n\nIf the driver uses a page pool, it creates a page pool with\npage_pool_create().\nThe reference count of page pool is 1 by default.\nA page pool will be destroyed only when a reference count reaches 0.\npage_pool_destroy() is used to destroy page pool, it decreases a\nreference count.\nWhen a page pool is destroyed, ->disconnect() is called, which is\nmem_allocator_disconnect().\nThis function internally acquires mutex_lock().\n\nIf the driver uses XDP, it registers a memory model with\nxdp_rxq_info_reg_mem_model().\nThe xdp_rxq_info_reg_mem_model() internally increases a page pool\nreference count if a memory model is a page pool.\nNow the reference count is 2.\n\nTo destroy a page pool, the driver should call both page_pool_destroy()\nand xdp_unreg_mem_model().\nThe xdp_unreg_mem_model() internally calls page_pool_destroy().\nOnly page_pool_destroy() decreases a reference count.\n\nIf a driver calls page_pool_destroy() then xdp_unreg_mem_model(), we\nwill face an invalid wait context warning.\nBecause xdp_unreg_mem_model() calls page_pool_destroy() with\nrcu_read_lock().\nThe page_pool_destroy() internally acquires mutex_lock().\n\nSplat looks like:\n=============================\n[ BUG: Invalid wait context ]\n6.10.0-rc6+ #4 Tainted: G W\n-----------------------------\nethtool/1806 is trying to lock:\nffffffff90387b90 (mem_id_lock){+.+.}-{4:4}, at: mem_allocator_disconnect+0x73/0x150\nother info that might help us debug this:\ncontext-{5:5}\n3 locks held by ethtool/1806:\nstack backtrace:\nCPU: 0 PID: 1806 Comm: ethtool Tainted: G W 6.10.0-rc6+ #4 f916f41f172891c800f2fed\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nCall Trace:\n<TASK>\ndump_stack_lvl+0x7e/0xc0\n__lock_acquire+0x1681/0x4de0\n? _printk+0x64/0xe0\n? __pfx_mark_lock.part.0+0x10/0x10\n? __pfx___lock_acquire+0x10/0x10\nlock_acquire+0x1b3/0x580\n? mem_allocator_disconnect+0x73/0x150\n? __wake_up_klogd.part.0+0x16/0xc0\n? __pfx_lock_acquire+0x10/0x10\n? dump_stack_lvl+0x91/0xc0\n__mutex_lock+0x15c/0x1690\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_prb_read_valid+0x10/0x10\n? mem_allocator_disconnect+0x73/0x150\n? __pfx_llist_add_batch+0x10/0x10\n? console_unlock+0x193/0x1b0\n? lockdep_hardirqs_on+0xbe/0x140\n? __pfx___mutex_lock+0x10/0x10\n? tick_nohz_tick_stopped+0x16/0x90\n? __irq_work_queue_local+0x1e5/0x330\n? irq_work_queue+0x39/0x50\n? __wake_up_klogd.part.0+0x79/0xc0\n? mem_allocator_disconnect+0x73/0x150\nmem_allocator_disconnect+0x73/0x150\n? __pfx_mem_allocator_disconnect+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? rcu_is_watching+0x11/0xb0\npage_pool_release+0x36e/0x6d0\npage_pool_destroy+0xd7/0x440\nxdp_unreg_mem_model+0x1a7/0x2a0\n? __pfx_xdp_unreg_mem_model+0x10/0x10\n? kfree+0x125/0x370\n? bnxt_free_ring.isra.0+0x2eb/0x500\n? bnxt_free_mem+0x5ac/0x2500\nxdp_rxq_info_unreg+0x4a/0xd0\nbnxt_free_mem+0x1356/0x2500\nbnxt_close_nic+0xf0/0x3b0\n? __pfx_bnxt_close_nic+0x10/0x10\n? ethnl_parse_bit+0x2c6/0x6d0\n? __pfx___nla_validate_parse+0x10/0x10\n? __pfx_ethnl_parse_bit+0x10/0x10\nbnxt_set_features+0x2a8/0x3e0\n__netdev_update_features+0x4dc/0x1370\n? ethnl_parse_bitset+0x4ff/0x750\n? __pfx_ethnl_parse_bitset+0x10/0x10\n? __pfx___netdev_update_features+0x10/0x10\n? mark_held_locks+0xa5/0xf0\n? _raw_spin_unlock_irqrestore+0x42/0x70\n? __pm_runtime_resume+0x7d/0x110\nethnl_set_features+0x32d/0xa20\n\nTo fix this problem, it uses rhashtable_lookup_fast() instead of\nrhashtable_lookup() with rcu_read_lock().\nUsing xa without rcu_read_lock() here is safe.\nxa is freed by __xdp_mem_allocator_rcu_free() and this is called by\ncall_rcu() of mem_xa_remove().\nThe mem_xa_remove() is called by page_pool_destroy() if a reference\ncount reaches 0.\nThe xa is already protected by the reference count mechanism well in the\ncontrol plane.\nSo removing rcu_read_lock() for page_pool_destroy() is safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix napi_skb_cache_put warning\n\nAfter the commit bdacf3e34945 (\"net: Use nested-BH locking for\nnapi_alloc_cache.\") was merged, the following warning began to appear:\n\n\t WARNING: CPU: 5 PID: 1 at net/core/skbuff.c:1451 napi_skb_cache_put+0x82/0x4b0\n\n\t  __warn+0x12f/0x340\n\t  napi_skb_cache_put+0x82/0x4b0\n\t  napi_skb_cache_put+0x82/0x4b0\n\t  report_bug+0x165/0x370\n\t  handle_bug+0x3d/0x80\n\t  exc_invalid_op+0x1a/0x50\n\t  asm_exc_invalid_op+0x1a/0x20\n\t  __free_old_xmit+0x1c8/0x510\n\t  napi_skb_cache_put+0x82/0x4b0\n\t  __free_old_xmit+0x1c8/0x510\n\t  __free_old_xmit+0x1c8/0x510\n\t  __pfx___free_old_xmit+0x10/0x10\n\nThe issue arises because virtio is assuming it's running in NAPI context\neven when it's not, such as in the netpoll case.\n\nTo resolve this, modify virtnet_poll_tx() to only set NAPI when budget\nis available. Same for virtnet_poll_cleantx(), which always assumed that\nit was in a NAPI context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: pse-pd: Fix possible null-deref\n\nFix a possible null dereference when a PSE supports both c33 and PoDL, but\nonly one of the netlink attributes is specified. The c33 or PoDL PSE\ncapabilities are already validated in the ethnl_set_pse_validate() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT\n\nWhen loading an EXT program without specifying `attr->attach_prog_fd`,\nthe `prog->aux->dst_prog` will be null. At this time, calling\nresolve_prog_type() anywhere will result in a null pointer dereference.\n\nExample stack trace:\n\n[    8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n[    8.108262] Mem abort info:\n[    8.108384]   ESR = 0x0000000096000004\n[    8.108547]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    8.108722]   SET = 0, FnV = 0\n[    8.108827]   EA = 0, S1PTW = 0\n[    8.108939]   FSC = 0x04: level 0 translation fault\n[    8.109102] Data abort info:\n[    8.109203]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    8.109399]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    8.109614]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000\n[    8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000\n[    8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    8.112783] Modules linked in:\n[    8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1\n[    8.113230] Hardware name: linux,dummy-virt (DT)\n[    8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    8.113429] pc : may_access_direct_pkt_data+0x24/0xa0\n[    8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8\n[    8.113798] sp : ffff80008283b9f0\n[    8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001\n[    8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000\n[    8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000\n[    8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff\n[    8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720\n[    8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720\n[    8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4\n[    8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f\n[    8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c\n[    8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000\n[    8.114126] Call trace:\n[    8.114159]  may_access_direct_pkt_data+0x24/0xa0\n[    8.114202]  bpf_check+0x3bc/0x28c0\n[    8.114214]  bpf_prog_load+0x658/0xa58\n[    8.114227]  __sys_bpf+0xc50/0x2250\n[    8.114240]  __arm64_sys_bpf+0x28/0x40\n[    8.114254]  invoke_syscall.constprop.0+0x54/0xf0\n[    8.114273]  do_el0_svc+0x4c/0xd8\n[    8.114289]  el0_svc+0x3c/0x140\n[    8.114305]  el0t_64_sync_handler+0x134/0x150\n[    8.114331]  el0t_64_sync+0x168/0x170\n[    8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)\n[    8.118672] ---[ end trace 0000000000000000 ]---\n\nOne way to fix it is by forcing `attach_prog_fd` non-empty when\nbpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type`\nAPI broken which uses the verifier log to probe prog type and will log\nnothing if we reject invalid EXT prog before bpf_check().\n\nAnother way is by adding null check in resolve_prog_type().\n\nThe issue was introduced by commit 4a9c7bbe2ed4 (\"bpf: Resolve to\nprog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT\") which wanted\nto correct type resolution for BPF_PROG_TYPE_TRACING programs. Before\nthat, the type resolution of BPF_PROG_TYPE_EXT prog actually follows\nthe logic below:\n\n  prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;\n\nIt implies that when EXT program is not yet attached to `dst_prog`,\nthe prog type should be EXT itself. This code worked fine in the past.\nSo just keep using it.\n\nFix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog`\nis not present in resolve_prog_type().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix overflow check in adjust_jmp_off()\n\nadjust_jmp_off() incorrectly used the insn->imm field for all overflow checks,\nwhich is incorrect as that should only be done for the BPF_JMP32 | BPF_JA case,\nnot the general jump instruction case. Fix it by using insn->off for the overflow\ncheck in the general case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbna: adjust 'name' buf size of bna_tcb and bna_ccb structures\n\nTo have enough space to write all possible sprintf() args. Currently\n'name' size is 16, but the first '%s' specifier may already need at\nleast 16 characters, since 'bnad->netdev->name' is used there.\n\nFor '%d' specifiers, assume that they require:\n * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX\n   is 16\n\nAnd replace sprintf with snprintf.\n\nDetected using the static analysis tool - Svace.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG\n\nWhen BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls\n__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them\nthe struct bpf_tramp_image *im pointer as an argument in R0.\n\nThe trampoline generation code uses emit_addr_mov_i64() to emit\ninstructions for moving the bpf_tramp_image address into R0, but\nemit_addr_mov_i64() assumes the address to be in the vmalloc() space\nand uses only 48 bits. Because bpf_tramp_image is allocated using\nkzalloc(), its address can use more than 48-bits, in this case the\ntrampoline will pass an invalid address to __bpf_tramp_enter/exit()\ncausing a kernel crash.\n\nFix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()\nas it can work with addresses that are greater than 48-bits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: avoid reporting connection success with wrong SSID\n\nWhen user issues a connection with a different SSID than the one\nvirt_wifi has advertised, the __cfg80211_connect_result() will\ntrigger the warning: WARN_ON(bss_not_found).\n\nThe issue is because the connection code in virt_wifi does not\ncheck the SSID from user space (it only checks the BSSID), and\nvirt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS\neven if the SSID is different from the one virt_wifi has advertised.\nEventually cfg80211 won't be able to find the cfg80211_bss and generate\nthe warning.\n\nFix it by checking the SSID (from user space) in the connection code.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()\n\nIn rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.\nBut then 'rate->he_gi' is used as array index instead of 'status->he_gi'.\nThis can lead to going beyond array boundaries in case 'rate->he_gi' is\nnot equal to 'status->he_gi' and is bigger than the array size. Looks like a\n\"copy-paste\" mistake.\n\nFix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Fix out-of-bounds issue when preparing trampoline image\n\nWe get the size of the trampoline image during the dry run phase and\nallocate memory based on that size. The allocated image will then be\npopulated with instructions during the real patch phase. But after\ncommit 26ef208c209a (\"bpf: Use arch_bpf_trampoline_size\"), the `im`\nargument is inconsistent in the dry run and real patch phase. This may\ncause emit_imm in RV64 to generate a different number of instructions\nwhen generating the 'im' address, potentially causing out-of-bounds\nissues. Let's emit the maximum number of instructions for the \"im\"\naddress during dry run to fix this problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: wow: fix GTK offload H2C skbuff issue\n\nWe mistakenly put skb too large and that may exceed skb->end.\nTherefore, we fix it.\n\nskbuff: skb_over_panic: text:ffffffffc09e9a9d len:416 put:204 head:ffff8fba04eca780 data:ffff8fba04eca7e0 tail:0x200 end:0x140 dev:<NULL>\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:192!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 4747 Comm: kworker/u4:44 Tainted: G           O       6.6.30-02659-gc18865c4dfbd #1 86547039b47e46935493f615ee31d0b2d711d35e\nHardware name: HP Meep/Meep, BIOS Google_Meep.11297.262.0 03/18/2021\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:skb_panic+0x5d/0x60\nCode: c6 63 8b 8f bb 4c 0f 45 f6 48 c7 c7 4d 89 8b bb 48 89 ce 44 89 d1 41 56 53 41 53 ff b0 c8 00 00 00 e8 27 5f 23 00 48 83 c4 20 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44\nRSP: 0018:ffffaa700144bad0 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: 0000000000000140 RCX: 14432c5aad26c900\nRDX: 0000000000000000 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffaa700144bae0 R08: 0000000000000000 R09: ffffaa700144b920\nR10: 00000000ffffdfff R11: ffffffffbc28fbc0 R12: ffff8fba4e57a010\nR13: 0000000000000000 R14: ffffffffbb8f8b63 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff8fba7bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007999c4ad1000 CR3: 000000015503a000 CR4: 0000000000350ee0\nCall Trace:\n <TASK>\n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? skb_panic+0x5d/0x60\n ? do_error_trap+0x6d/0x90\n ? skb_panic+0x5d/0x60\n ? handle_invalid_op+0x30/0x40\n ? skb_panic+0x5d/0x60\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_panic+0x5d/0x60\n skb_put+0x49/0x50\n rtw89_fw_h2c_wow_gtk_ofld+0xbd/0x220 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_wow_resume+0x31f/0x540 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n rtw89_ops_resume+0x2b/0xa0 [rtw89_core 778b32de31cd1f14df2d6721ae99ba8a83636fa5]\n ieee80211_reconfig+0x84/0x13e0 [mac80211 818a894e3b77da6298269c59ed7cdff065a4ed52]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n wiphy_resume+0x89/0x180 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 1a793119e2aeb157c4ca4091ff8e1d9ae233b59d]\n dpm_run_callback+0x3c/0x140\n device_resume+0x1f9/0x3c0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n process_scheduled_works+0x1d8/0x3d0\n worker_thread+0x1fc/0x2f0\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\nModules linked in: ccm 8021q r8153_ecm cdc_ether usbnet r8152 mii dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc uinput rfcomm cmac algif_hash rtw89_8922ae(O) algif_skcipher rtw89_8922a(O) af_alg rtw89_pci(O) rtw89_core(O) btusb(O) snd_soc_sst_bxt_da7219_max98357a btbcm(O) snd_soc_hdac_hdmi btintel(O) snd_soc_intel_hda_dsp_common snd_sof_probes btrtl(O) btmtk(O) snd_hda_codec_hdmi snd_soc_dmic uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2 videobuf2_common snd_sof_pci_intel_apl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda soundwire_intel soundwire_generic_allocation snd_sof_intel_hda_mlink soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp mac80211 snd_soc_acpi_intel_match snd_soc_acpi snd_sof snd_sof_utils soundwire_bus snd_soc_max98357a snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_intel_dspcfg snd_intel_sdw_acpi snd_soc_da7219 snd_hda_codec snd_hwdep snd_hda_core veth ip6table_nat xt_MASQUERADE xt_cgroup fuse bluetooth ecdh_generic\n cfg80211 ecc\ngsmi: Log Shutdown \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix bogus checksum computation in udf_rename()\n\nSyzbot reports uninitialized memory access in udf_rename() when updating\nchecksum of '..' directory entry of a moved directory. This is indeed\ntrue as we pass on-stack diriter.fi to the udf_update_tag() and because\nthat has only struct fileIdentDesc included in it and not the impUse or\nname fields, the checksumming function is going to checksum random stack\ncontents beyond the end of the structure. This is actually harmless\nbecause the following udf_fiiter_write_fi() will recompute the checksum\nfrom on-disk buffers where everything is properly included. So all that\nis needed is just removing the bogus calculation.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: objagg: Fix general protection fault\n\nThe library supports aggregation of objects into other objects only if\nthe parent object does not have a parent itself. That is, nesting is not\nsupported.\n\nAggregation happens in two cases: Without and with hints, where hints\nare a pre-computed recommendation on how to aggregate the provided\nobjects.\n\nNesting is not possible in the first case due to a check that prevents\nit, but in the second case there is no check because the assumption is\nthat nesting cannot happen when creating objects based on hints. The\nviolation of this assumption leads to various warnings and eventually to\na general protection fault [1].\n\nBefore fixing the root cause, error out when nesting happens and warn.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdead000000000d90: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 1083 Comm: kworker/1:9 Tainted: G        W          6.9.0-rc6-custom-gd9b4f1cca7fb #7\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_erp_bf_insert+0x25/0x80\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_entry_add+0x256/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix invalid memory access while processing fragmented packets\n\nThe monitor ring and the reo reinject ring share the same ring mask index.\nWhen the driver receives an interrupt for the reo reinject ring, the\nmonitor ring is also processed, leading to invalid memory access. Since\nmonitor support is not yet enabled in ath12k, the ring mask for the monitor\nring should be removed.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix TTLM teardown work\n\nThe worker calculates the wrong sdata pointer, so if it ever\nruns, it'll crash. Fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: protect locator_addr with the main mutex\n\nIf the service locator server is restarted fast enough, the PDR can\nrewrite locator_addr fields concurrently. Protect them by placing\nmodification of those fields under the main pdr->lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove\n\nThe following warning is seen during bwmon_remove due to refcount\nimbalance, fix this by releasing the OPPs after use.\n\nLogs:\nWARNING: at drivers/opp/core.c:1640 _opp_table_kref_release+0x150/0x158\nHardware name: Qualcomm Technologies, Inc. X1E80100 CRD (DT)\n...\nCall trace:\n_opp_table_kref_release+0x150/0x158\ndev_pm_opp_remove_table+0x100/0x1b4\ndevm_pm_opp_of_table_release+0x10/0x1c\ndevm_action_release+0x14/0x20\ndevres_release_all+0xa4/0x104\ndevice_unbind_cleanup+0x18/0x60\ndevice_release_driver_internal+0x1ec/0x228\ndriver_detach+0x50/0x98\nbus_remove_driver+0x6c/0xbc\ndriver_unregister+0x30/0x60\nplatform_driver_unregister+0x14/0x20\nbwmon_driver_exit+0x18/0x524 [icc_bwmon]\n__arm64_sys_delete_module+0x184/0x264\ninvoke_syscall+0x48/0x118\nel0_svc_common.constprop.0+0xc8/0xe8\ndo_el0_svc+0x20/0x2c\nel0_svc+0x34/0xdc\nel0t_64_sync_handler+0x13c/0x158\nel0t_64_sync+0x190/0x194\n--[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: xilinx: rename cpu_number1 to dummy_cpu_number\n\nThe per cpu variable cpu_number1 is passed to xlnx_event_handler as\nargument \"dev_id\", but it is not used in this function. So drop the\ninitialization of this variable and rename it to dummy_cpu_number.\nThis patch is to fix the following call trace when the kernel option\nCONFIG_DEBUG_ATOMIC_SLEEP is enabled:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:274\n    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n    preempt_count: 1, expected: 0\n    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0 #53\n    Hardware name: Xilinx Versal vmk180 Eval board rev1.1 (QSPI) (DT)\n    Call trace:\n     dump_backtrace+0xd0/0xe0\n     show_stack+0x18/0x40\n     dump_stack_lvl+0x7c/0xa0\n     dump_stack+0x18/0x34\n     __might_resched+0x10c/0x140\n     __might_sleep+0x4c/0xa0\n     __kmem_cache_alloc_node+0xf4/0x168\n     kmalloc_trace+0x28/0x38\n     __request_percpu_irq+0x74/0x138\n     xlnx_event_manager_probe+0xf8/0x298\n     platform_probe+0x68/0xd8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ltc2991) re-order conditions to fix off by one bug\n\nLTC2991_T_INT_CH_NR is 4.  The st->temp_en[] array has LTC2991_MAX_CHANNEL\n(4) elements.  Thus if \"channel\" is equal to LTC2991_T_INT_CH_NR then we\nhave read one element beyond the end of the array.  Flip the conditions\naround so that we check if \"channel\" is valid before using it as an array\nindex.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nA UAF can happen when /proc/cpuset is read as reported in [1].\n\nThis can be reproduced by the following methods:\n1.add an mdelay(1000) before acquiring the cgroup_lock In the\n cgroup_path_ns function.\n2.$cat /proc/<pid>/cpuset   repeatedly.\n3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/\n$umount /sys/fs/cgroup/cpuset/   repeatedly.\n\nThe race that causes this bug can be shown as below:\n\n(umount)\t\t|\t(cat /proc/<pid>/cpuset)\ncss_release\t\t|\tproc_cpuset_show\ncss_release_work_fn\t|\tcss = task_get_css(tsk, cpuset_cgrp_id);\ncss_free_rwork_fn\t|\tcgroup_path_ns(css->cgroup, ...);\ncgroup_destroy_root\t|\tmutex_lock(&cgroup_mutex);\nrebind_subsystems\t|\ncgroup_free_root \t|\n\t\t\t|\t// cgrp was freed, UAF\n\t\t\t|\tcgroup_path_ns_locked(cgrp,..);\n\nWhen the cpuset is initialized, the root node top_cpuset.css.cgrp\nwill point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will\nallocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated\n&cgroup_root.cgrp. When the umount operation is executed,\ntop_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.\n\nThe problem is that when rebinding to cgrp_dfl_root, there are cases\nwhere the cgroup_root allocated by setting up the root for cgroup v1\nis cached. This could lead to a Use-After-Free (UAF) if it is\nsubsequently freed. The descendant cgroups of cgroup v1 can only be\nfreed after the css is released. However, the css of the root will never\nbe released, yet the cgroup_root should be freed when it is unmounted.\nThis means that obtaining a reference to the css of the root does\nnot guarantee that css.cgrp->root will not be freed.\n\nFix this problem by using rcu_read_lock in proc_cpuset_show().\nAs cgroup_root is kfree_rcu after commit d23b5c577715\n(\"cgroup: Make operations on the cgroup root_list RCU safe\"),\ncss->cgroup won't be freed during the critical section.\nTo call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to\nreplace task_get_css with task_css.\n\n[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written to media.  For PI metadata this is\nlimited to the app tag that isn't used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix deadlock between mddev_suspend and flush bio\n\nDeadlock occurs when mddev is being suspended while some flush bio is in\nprogress. It is a complex issue.\n\nT1. the first flush is at the ending stage, it clears 'mddev->flush_bio'\n    and tries to submit data, but is blocked because mddev is suspended\n    by T4.\nT2. the second flush sets 'mddev->flush_bio', and attempts to queue\n    md_submit_flush_data(), which is already running (T1) and won't\n    execute again if on the same CPU as T1.\nT3. the third flush inc active_io and tries to flush, but is blocked because\n    'mddev->flush_bio' is not NULL (set by T2).\nT4. mddev_suspend() is called and waits for active_io dec to 0 which is inc\n    by T3.\n\n  T1\t\tT2\t\tT3\t\tT4\n  (flush 1)\t(flush 2)\t(third 3)\t(suspend)\n  md_submit_flush_data\n   mddev->flush_bio = NULL;\n   .\n   .\t \tmd_flush_request\n   .\t  \t mddev->flush_bio = bio\n   .\t  \t queue submit_flushes\n   .\t\t .\n   .\t\t .\t\tmd_handle_request\n   .\t\t .\t\t active_io + 1\n   .\t\t .\t\t md_flush_request\n   .\t\t .\t\t  wait !mddev->flush_bio\n   .\t\t .\n   .\t\t .\t\t\t\tmddev_suspend\n   .\t\t .\t\t\t\t wait !active_io\n   .\t\t .\n   .\t\t submit_flushes\n   .\t\t queue_work md_submit_flush_data\n   .\t\t //md_submit_flush_data is already running (T1)\n   .\n   md_handle_request\n    wait resume\n\nThe root issue is non-atomic inc/dec of active_io during flush process.\nactive_io is dec before md_submit_flush_data is queued, and inc soon\nafter md_submit_flush_data() run.\n  md_flush_request\n    active_io + 1\n    submit_flushes\n      active_io - 1\n      md_submit_flush_data\n        md_handle_request\n        active_io + 1\n          make_request\n        active_io - 1\n\nIf active_io is dec after md_handle_request() instead of within\nsubmit_flushes(), make_request() can be called directly instead of\nmd_handle_request() in md_submit_flush_data(), and active_io will\nonly inc and dec once in the whole flush process. Deadlock will be\nfixed.\n\nAdditionally, the only difference between fixing the issue and before is\nthat there is no return error handling of make_request(). But after\nprevious patch cleaned md_write_start(), make_request() only returns an error\nin raid5_make_request() by dm-raid, see commit 41425f96d7aa (\"dm-raid456,\nmd/raid456: fix a deadlock for dm-raid456 while io concurrent with\nreshape)\". Since dm always splits data and flush operation into two\nseparate io, io size of flush submitted by dm always is 0, make_request()\nwill not be called in md_submit_flush_data(). To prevent future\nmodifications from introducing issues, add WARN_ON to ensure\nmake_request() returns no error in this context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n  kokonut //net/encryption\n    http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null reference error when checking end of zone\n\nThis patch fixes a potentially null pointer being accessed by\nis_end_zone_blkaddr() that checks the last block of a zone\nwhen f2fs is mounted as a single device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix array-index-out-of-bounds in diFree",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate preallocated blocks in f2fs_file_open()\n\nchenyuwen reports a f2fs bug as below:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000011\n fscrypt_set_bio_crypt_ctx+0x78/0x1e8\n f2fs_grab_read_bio+0x78/0x208\n f2fs_submit_page_read+0x44/0x154\n f2fs_get_read_data_page+0x288/0x5f4\n f2fs_get_lock_data_page+0x60/0x190\n truncate_partial_data_page+0x108/0x4fc\n f2fs_do_truncate_blocks+0x344/0x5f0\n f2fs_truncate_blocks+0x6c/0x134\n f2fs_truncate+0xd8/0x200\n f2fs_iget+0x20c/0x5ac\n do_garbage_collect+0x5d0/0xf6c\n f2fs_gc+0x22c/0x6a4\n f2fs_disable_checkpoint+0xc8/0x310\n f2fs_fill_super+0x14bc/0x1764\n mount_bdev+0x1b4/0x21c\n f2fs_mount+0x20/0x30\n legacy_get_tree+0x50/0xbc\n vfs_get_tree+0x5c/0x1b0\n do_new_mount+0x298/0x4cc\n path_mount+0x33c/0x5fc\n __arm64_sys_mount+0xcc/0x15c\n invoke_syscall+0x60/0x150\n el0_svc_common+0xb8/0xf8\n do_el0_svc+0x28/0xa0\n el0_svc+0x24/0x84\n el0t_64_sync_handler+0x88/0xec\n\nIt is because inode.i_crypt_info is not initialized during below path:\n- mount\n - f2fs_fill_super\n  - f2fs_disable_checkpoint\n   - f2fs_gc\n    - f2fs_iget\n     - f2fs_truncate\n\nSo, let's relocate truncation of preallocated blocks to f2fs_file_open(),\nafter fscrypt_file_open().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 < a < nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 characters]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: fix memory leak for non-IP packets\n\nFree the unused skb when non-IP packets arrive.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex\n\nThe carrier_lock spinlock protects the carrier detection. While it is\nheld, framer_get_status() is called which in turn takes a mutex.\nThis is not correct and can lead to a deadlock.\n\nA run with PROVE_LOCKING enabled detected the issue:\n  [ BUG: Invalid wait context ]\n  ...\n  c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78\n  other info that might help us debug this:\n  context-{4:4}\n  2 locks held by ifconfig/146:\n  #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664\n  #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98\n\nAvoid the spinlock usage and convert carrier_lock to a mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a deadlock in dma buf fence polling\n\nIntroduce a version of the fence ops that on release doesn't remove\nthe fence from the pending list, and thus doesn't require a lock to\nfix poll->fence wait->fence unref deadlocks.\n\nvmwgfx overwrites the wait callback to iterate over the list of all\nfences and update their status, to do that it holds a lock to prevent\nthe list modifications from other threads. The fence destroy callback\nboth deletes the fence and removes it from the list of pending\nfences, for which it holds a lock.\n\ndma buf polling cb unrefs a fence after it's been signaled: so the poll\ncalls the wait, which signals the fences, which are being destroyed.\nThe destruction tries to acquire the lock on the pending fences list\nwhich it can never get because it's held by the wait from which it\nwas called.\n\nOld bug, but not a lot of userspace apps were using dma-buf polling\ninterfaces. Fix those, in particular this fixes KDE stalls/deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix CT entry update leaks of modify header context\n\nThe cited commit allocates a new modify header to replace the old\none when updating CT entry. But if failed to allocate a new one, eg.\nexceed the max number firmware can support, modify header will be\nan error pointer that will trigger a panic when deallocating it. And\nthe old modify header pointer is copied to old attr. When the old\nattr is freed, the old modify header is lost.\n\nFix it by restoring the old attr to attr when failed to allocate a\nnew modify header context. So when the CT entry is freed, the right\nmodify header context will be freed. And the panic of accessing\nerror pointer is also fixed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/fpu: Re-add exception handling in load_fpu_state()\n\nWith the recent rewrite of the fpu code, exception handling for the\nlfpc instruction within load_fpu_state() was erroneously removed.\n\nAdd it again to prevent that loading invalid floating point register\nvalues causes an unhandled specification exception.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Always drain health in shutdown callback\n\nThere is no point in recovery during device shutdown. If health\nwork has started, we need to wait for it to avoid races and NULL pointer\naccess.\n\nHence, drain health WQ on shutdown callback.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix refcount underflow\n\nCalling nouveau_bo_ref() on a nouveau_bo without initializing it (and\nhence the backing ttm_bo) leads to a refcount underflow.\n\nInstead of calling nouveau_bo_ref() in the unwind path of\ndrm_gem_object_init(), clean things up manually.\n\n(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/purgatory: align riscv_kernel_entry\n\nWhen alignment handling is delegated to the kernel, everything must be\nword-aligned in purgatory, since the trap handler is then set to the\nkexec one. Without the alignment, hitting the exception would\nultimately crash. On other occasions, the kernel's handler would take\ncare of exceptions.\nThis has been tested on a JH7110 SoC with oreboot and its SBI delegating\nunaligned access exceptions and the kernel configured to handle them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nThe perf pending task work is never waited upon the matching event\nrelease. In the case of a child event, released via free_event()\ndirectly, this can potentially result in a leaked event, such as in the\nfollowing scenario that doesn't even require a weak IRQ work\nimplementation to trigger:\n\nschedule()\n   prepare_task_switch()\n=======> <NMI>\n      perf_event_overflow()\n         event->pending_sigtrap = ...\n         irq_work_queue(&event->pending_irq)\n<======= </NMI>\n      perf_event_task_sched_out()\n          event_sched_out()\n              event->pending_sigtrap = 0;\n              atomic_long_inc_not_zero(&event->refcount)\n              task_work_add(&event->pending_task)\n   finish_lock_switch()\n=======> <IRQ>\n   perf_pending_irq()\n      //do nothing, rely on pending task work\n<======= </IRQ>\n\nbegin_new_exec()\n   perf_event_exit_task()\n      perf_event_exit_event()\n         // If is child event\n         free_event()\n            WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n            // event is leaked\n\nSimilar scenarios can also happen with perf_event_remove_on_exec() or\nsimply against concurrent perf_event_release().\n\nFix this with synchronizing against the possibly remaining pending task\nwork while freeing the event, just like is done with remaining pending\nIRQ work. This means that the pending task callback neither need nor\nshould hold a reference to the event, preventing it from ever being\nfreed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is scheduled out, pending sigtrap deliveries are deferred\nto the target task upon resume to userspace via task_work.\n\nHowever failures while adding an event's callback to the task_work\nengine are ignored. And since the last call for events exit happen\nafter task work is eventually closed, there is a small window during\nwhich pending sigtrap can be queued though ignored, leaking the event\nrefcount addition such as in the following scenario:\n\n    TASK A\n    -----\n\n    do_exit()\n       exit_task_work(tsk);\n\n       <IRQ>\n       perf_event_overflow()\n          event->pending_sigtrap = pending_id;\n          irq_work_queue(&event->pending_irq);\n       </IRQ>\n    =========> PREEMPTION: TASK A -> TASK B\n       event_sched_out()\n          event->pending_sigtrap = 0;\n          atomic_long_inc_not_zero(&event->refcount)\n          // FAILS: task work has exited\n          task_work_add(&event->pending_task)\n       [...]\n       <IRQ WORK>\n       perf_pending_irq()\n          // early return: event->oncpu = -1\n       </IRQ WORK>\n       [...]\n    =========> TASK B -> TASK A\n       perf_event_exit_task(tsk)\n          perf_event_exit_event()\n             free_event()\n                WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)\n                // leak event due to unexpected refcount == 2\n\nAs a result the event is never released while the task exits.\n\nFix this with appropriate task_work_add()'s error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevres: Fix memory leakage caused by driver API devm_free_percpu()\n\nIt will cause memory leakage when use driver API devm_free_percpu()\nto free memory allocated by devm_alloc_percpu(), fixed by using\ndevres_release() instead of devres_destroy() within devm_free_percpu().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup under heavy CEQE load\n\nCEQEs are handled in interrupt handler currently. This may cause the\nCPU core staying in interrupt context too long and lead to soft lockup\nunder heavy load.\n\nHandle CEQEs in BH workqueue and set an upper limit for the number of\nCEQE handled by a single call of work handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/vsock: always initialize seqpacket_allow\n\nThere are two issues around seqpacket_allow:\n1. seqpacket_allow is not initialized when socket is\n   created. Thus if features are never set, it will be\n   read uninitialized.\n2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,\n   then seqpacket_allow will not be cleared appropriately\n   (existing apps I know about don't usually do this but\n    it's legal and there's no way to be sure no one relies\n    on this).\n\nTo fix:\n\t- initialize seqpacket_allow after allocation\n\t- set it unconditionally in set_features",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked\n\nFix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE.\nReturn from __sev_snp_shutdown_locked() if the psp_device or the\nsev_device structs are not initialized. Without the fix, the driver will\nproduce the following splat:\n\n   ccp 0000:55:00.5: enabling device (0000 -> 0002)\n   ccp 0000:55:00.5: sev enabled\n   ccp 0000:55:00.5: psp enabled\n   BUG: kernel NULL pointer dereference, address: 00000000000000f0\n   #PF: supervisor read access in kernel mode\n   #PF: error_code(0x0000) - not-present page\n   PGD 0 P4D 0\n   Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI\n   CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29\n   RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150\n   Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83\n   RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000\n   RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808\n   RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0\n   R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8\n   R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000\n   FS:  0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0\n   PKRU: 55555554\n   Call Trace:\n    <TASK>\n    ? __die_body+0x6f/0xb0\n    ? __die+0xcc/0xf0\n    ? page_fault_oops+0x330/0x3a0\n    ? save_trace+0x2a5/0x360\n    ? do_user_addr_fault+0x583/0x630\n    ? exc_page_fault+0x81/0x120\n    ? asm_exc_page_fault+0x2b/0x30\n    ? __sev_snp_shutdown_locked+0x2e/0x150\n    __sev_firmware_shutdown+0x349/0x5b0\n    ? pm_runtime_barrier+0x66/0xe0\n    sev_dev_destroy+0x34/0xb0\n    psp_dev_destroy+0x27/0x60\n    sp_destroy+0x39/0x90\n    sp_pci_remove+0x22/0x60\n    pci_device_remove+0x4e/0x110\n    really_probe+0x271/0x4e0\n    __driver_probe_device+0x8f/0x160\n    driver_probe_device+0x24/0x120\n    __driver_attach+0xc7/0x280\n    ? driver_attach+0x30/0x30\n    bus_for_each_dev+0x10d/0x130\n    driver_attach+0x22/0x30\n    bus_add_driver+0x171/0x2b0\n    ? unaccepted_memory_init_kdump+0x20/0x20\n    driver_register+0x67/0x100\n    __pci_register_driver+0x83/0x90\n    sp_pci_init+0x22/0x30\n    sp_mod_init+0x13/0x30\n    do_one_initcall+0xb8/0x290\n    ? sched_clock_noinstr+0xd/0x10\n    ? local_clock_noinstr+0x3e/0x100\n    ? stack_depot_save_flags+0x21e/0x6a0\n    ? local_clock+0x1c/0x60\n    ? stack_depot_save_flags+0x21e/0x6a0\n    ? sched_clock_noinstr+0xd/0x10\n    ? local_clock_noinstr+0x3e/0x100\n    ? __lock_acquire+0xd90/0xe30\n    ? sched_clock_noinstr+0xd/0x10\n    ? local_clock_noinstr+0x3e/0x100\n    ? __create_object+0x66/0x100\n    ? local_clock+0x1c/0x60\n    ? __create_object+0x66/0x100\n    ? parameq+0x1b/0x90\n    ? parse_one+0x6d/0x1d0\n    ? parse_args+0xd7/0x1f0\n    ? do_initcall_level+0x180/0x180\n    do_initcall_level+0xb0/0x180\n    do_initcalls+0x60/0xa0\n    ? kernel_init+0x1f/0x1d0\n    do_basic_setup+0x41/0x50\n    kernel_init_freeable+0x1ac/0x230\n    ? rest_init+0x1f0/0x1f0\n    kernel_init+0x1f/0x1d0\n    ? rest_init+0x1f0/0x1f0\n    ret_from_fork+0x3d/0x50\n    ? rest_init+0x1f0/0x1f0\n    ret_from_fork_asm+0x11/0x20\n    </TASK>\n   Modules linked in:\n   CR2: 00000000000000f0\n   ---[ end trace 0000000000000000 ]---\n   RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150\n   Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 <4c> 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83\n   RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000\n   RDX: 0000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n    drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()\n\nAvoid large backtrace, it is sufficient to warn the user that there has\nbeen a link problem. Either the link has failed and the system is in need\nof maintenance, or the link continues to work and user has been informed.\nThe message from the warning can be looked up in the sources.\n\nThis makes an actual link issue less verbose.\n\nFirst of all, this controller has a limitation in that the controller\ndriver has to assist the hardware with transition to L1 link state by\nwriting L1IATN to PMCTRL register, the L1 and L0 link state switching\nis not fully automatic on this controller.\n\nIn case of an ASMedia ASM1062 PCIe SATA controller which does not support\nASPM, on entry to suspend or during platform pm_test, the SATA controller\nenters D3hot state and the link enters L1 state. If the SATA controller\nwakes up before rcar_pcie_wakeup() was called and returns to D0, the link\nreturns to L0 before the controller driver even started its transition to\nL1 link state. At this point, the SATA controller did send an PM_ENTER_L1\nDLLP to the PCIe controller and the PCIe controller received it, and the\nPCIe controller did set PMSR PMEL1RX bit.\n\nOnce rcar_pcie_wakeup() is called, if the link is already back in L0 state\nand PMEL1RX bit is set, the controller driver has no way to determine if\nit should perform the link transition to L1 state, or treat the link as if\nit is in L0 state. Currently the driver attempts to perform the transition\nto L1 link state unconditionally, which in this specific case fails with a\nPMSR L1FAEG poll timeout, however the link still works as it is already\nback in L0 state.\n\nReduce this warning verbosity. In case the link is really broken, the\nrcar_pcie_config_access() would fail, otherwise it will succeed and any\nsystem with this controller and ASM1062 can suspend without generating\na backtrace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: ivtv: Add check for DMA map result\n\nIn case DMA fails, 'dma->SG_length' is 0. This value is later used to\naccess 'dma->SGarray[dma->SG_length - 1]', which will cause out of\nbounds access.\n\nAdd check to return early on invalid value. Adjust warnings accordingly.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix input error path memory access\n\nWhen there is a misconfiguration of input state slow path\nKASAN report error. Fix this error.\nwest login:\n[   52.987278] eth1: renamed from veth11\n[   53.078814] eth1: renamed from veth21\n[   53.181355] eth1: renamed from veth31\n[   54.921702] ==================================================================\n[   54.922602] BUG: KASAN: wild-memory-access in xfrmi_rcv_cb+0x2d/0x295\n[   54.923393] Read of size 8 at addr 6b6b6b6b00000000 by task ping/512\n[   54.924169]\n[   54.924386] CPU: 0 PID: 512 Comm: ping Not tainted 6.9.0-08574-gcd29a4313a1b #25\n[   54.925290] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   54.926401] Call Trace:\n[   54.926731]  <IRQ>\n[   54.927009]  dump_stack_lvl+0x2a/0x3b\n[   54.927478]  kasan_report+0x84/0xa6\n[   54.927930]  ? xfrmi_rcv_cb+0x2d/0x295\n[   54.928410]  xfrmi_rcv_cb+0x2d/0x295\n[   54.928872]  ? xfrm4_rcv_cb+0x3d/0x5e\n[   54.929354]  xfrm4_rcv_cb+0x46/0x5e\n[   54.929804]  xfrm_rcv_cb+0x7e/0xa1\n[   54.930240]  xfrm_input+0x1b3a/0x1b96\n[   54.930715]  ? xfrm_offload+0x41/0x41\n[   54.931182]  ? raw_rcv+0x292/0x292\n[   54.931617]  ? nf_conntrack_confirm+0xa2/0xa2\n[   54.932158]  ? skb_sec_path+0xd/0x3f\n[   54.932610]  ? xfrmi_input+0x90/0xce\n[   54.933066]  xfrm4_esp_rcv+0x33/0x54\n[   54.933521]  ip_protocol_deliver_rcu+0xd7/0x1b2\n[   54.934089]  ip_local_deliver_finish+0x110/0x120\n[   54.934659]  ? ip_protocol_deliver_rcu+0x1b2/0x1b2\n[   54.935248]  NF_HOOK.constprop.0+0xf8/0x138\n[   54.935767]  ? ip_sublist_rcv_finish+0x68/0x68\n[   54.936317]  ? secure_tcpv6_ts_off+0x23/0x168\n[   54.936859]  ? ip_protocol_deliver_rcu+0x1b2/0x1b2\n[   54.937454]  ? __xfrm_policy_check2.constprop.0+0x18d/0x18d\n[   54.938135]  NF_HOOK.constprop.0+0xf8/0x138\n[   54.938663]  ? ip_sublist_rcv_finish+0x68/0x68\n[   54.939220]  ? __xfrm_policy_check2.constprop.0+0x18d/0x18d\n[   54.939904]  ? ip_local_deliver_finish+0x120/0x120\n[   54.940497]  __netif_receive_skb_one_core+0xc9/0x107\n[   54.941121]  ? __netif_receive_skb_list_core+0x1c2/0x1c2\n[   54.941771]  ? blk_mq_start_stopped_hw_queues+0xc7/0xf9\n[   54.942413]  ? blk_mq_start_stopped_hw_queue+0x38/0x38\n[   54.943044]  ? virtqueue_get_buf_ctx+0x295/0x46b\n[   54.943618]  process_backlog+0xb3/0x187\n[   54.944102]  __napi_poll.constprop.0+0x57/0x1a7\n[   54.944669]  net_rx_action+0x1cb/0x380\n[   54.945150]  ? __napi_poll.constprop.0+0x1a7/0x1a7\n[   54.945744]  ? vring_new_virtqueue+0x17a/0x17a\n[   54.946300]  ? note_interrupt+0x2cd/0x367\n[   54.946805]  handle_softirqs+0x13c/0x2c9\n[   54.947300]  do_softirq+0x5f/0x7d\n[   54.947727]  </IRQ>\n[   54.948014]  <TASK>\n[   54.948300]  __local_bh_enable_ip+0x48/0x62\n[   54.948832]  __neigh_event_send+0x3fd/0x4ca\n[   54.949361]  neigh_resolve_output+0x1e/0x210\n[   54.949896]  ip_finish_output2+0x4bf/0x4f0\n[   54.950410]  ? __ip_finish_output+0x171/0x1b8\n[   54.950956]  ip_send_skb+0x25/0x57\n[   54.951390]  raw_sendmsg+0xf95/0x10c0\n[   54.951850]  ? check_new_pages+0x45/0x71\n[   54.952343]  ? raw_hash_sk+0x21b/0x21b\n[   54.952815]  ? kernel_init_pages+0x42/0x51\n[   54.953337]  ? prep_new_page+0x44/0x51\n[   54.953811]  ? get_page_from_freelist+0x72b/0x915\n[   54.954390]  ? signal_pending_state+0x77/0x77\n[   54.954936]  ? preempt_count_sub+0x14/0xb3\n[   54.955450]  ? __might_resched+0x8a/0x240\n[   54.955951]  ? __might_sleep+0x25/0xa0\n[   54.956424]  ? first_zones_zonelist+0x2c/0x43\n[   54.956977]  ? __rcu_read_lock+0x2d/0x3a\n[   54.957476]  ? __pte_offset_map+0x32/0xa4\n[   54.957980]  ? __might_resched+0x8a/0x240\n[   54.958483]  ? __might_sleep+0x25/0xa0\n[   54.958963]  ? inet_send_prepare+0x54/0x54\n[   54.959478]  ? sock_sendmsg_nosec+0x42/0x6c\n[   54.960000]  sock_sendmsg_nosec+0x42/0x6c\n[   54.960502]  __sys_sendto+0x15d/0x1cc\n[   54.960966]  ? __x64_sys_getpeername+0x44/0x44\n[   54.961522]  ? __handle_mm_fault+0x679/0xae4\n[   54.962068]  ? find_vma+0x6b/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()\n\nCurrently NL80211_RATE_INFO_HE_RU_ALLOC_2x996 is not handled in\ncfg80211_calculate_bitrate_he(), leading to below warning:\n\nkernel: invalid HE MCS: bw:6, ru:6\nkernel: WARNING: CPU: 0 PID: 2312 at net/wireless/util.c:1501 cfg80211_calculate_bitrate_he+0x22b/0x270 [cfg80211]\n\nFix it by handling 2x996 RU allocation in the same way as 160 MHz bandwidth.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_erp: Fix object nesting warning\n\nACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM\n(A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can\ncontain more ACLs (i.e., tc filters), but the number of masks in each\nregion (i.e., tc chain) is limited.\n\nIn order to mitigate the effects of the above limitation, the device\nallows filters to share a single mask if their masks only differ in up\nto 8 consecutive bits. For example, dst_ip/25 can be represented using\ndst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the\nnumber of masks being used (and therefore does not support mask\naggregation), but can contain a limited number of filters.\n\nThe driver uses the \"objagg\" library to perform the mask aggregation by\npassing it objects that consist of the filter's mask and whether the\nfilter is to be inserted into the A-TCAM or the C-TCAM since filters in\ndifferent TCAMs cannot share a mask.\n\nThe set of created objects is dependent on the insertion order of the\nfilters and is not necessarily optimal. Therefore, the driver will\nperiodically ask the library to compute a more optimal set (\"hints\") by\nlooking at all the existing objects.\n\nWhen the library asks the driver whether two objects can be aggregated\nthe driver only compares the provided masks and ignores the A-TCAM /\nC-TCAM indication. This is the right thing to do since the goal is to\nmove as many filters as possible to the A-TCAM. The driver also forbids\ntwo identical masks from being aggregated since this can only happen if\none was intentionally put in the C-TCAM to avoid a conflict in the\nA-TCAM.\n\nThe above can result in the following set of hints:\n\nH1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta\nH3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta\n\nAfter getting the hints from the library the driver will start migrating\nfilters from one region to another while consulting the computed hints\nand instructing the device to perform a lookup in both regions during\nthe transition.\n\nAssuming a filter with mask X is being migrated into the A-TCAM in the\nnew region, the hints lookup will return H1. Since H2 is the parent of\nH1, the library will try to find the object associated with it and\ncreate it if necessary in which case another hints lookup (recursive)\nwill be performed. This hints lookup for {mask Y, A-TCAM} will either\nreturn H2 or H3 since the driver passes the library an object comparison\nfunction that ignores the A-TCAM / C-TCAM indication.\n\nThis can eventually lead to nested objects which are not supported by\nthe library [1].\n\nFix by removing the object comparison function from both the driver and\nthe library as the driver was the only user. That way the lookup will\nonly return exact matches.\n\nI do not have a reliable reproducer that can reproduce the issue in a\ntimely manner, but before the fix the issue would reproduce in several\nminutes and with the fix it does not reproduce in over an hour.\n\nNote that the current usefulness of the hints is limited because they\ninclude the C-TCAM indication and represent aggregation that cannot\nactually happen. This will be addressed in net-next.\n\n[1]\nWARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0\nModules linked in:\nCPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42\nHardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:objagg_obj_parent_assign+0xb5/0xd0\n[...]\nCall Trace:\n <TASK>\n __objagg_obj_get+0x2bb/0x580\n objagg_obj_get+0xe/0x80\n mlxsw_sp_acl_erp_mask_get+0xb5/0xf0\n mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270\n mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510\n process_one_work+0x151/0x370",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: change DMA direction while mapping reinjected packets\n\nFor fragmented packets, ath12k reassembles each fragment as a normal\npacket and then reinjects it into HW ring. In this case, the DMA\ndirection should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise,\nan invalid payload may be reinjected into the HW and\nsubsequently delivered to the host.\n\nGiven that arbitrary memory can be allocated to the skb buffer,\nknowledge about the data contained in the reinjected buffer is lacking.\nConsequently, there\u2019s a risk of private information being leaked.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Fix ToCToU between perm check and set-uid/gid usage\n\nWhen opening a file for exec via do_filp_open(), permission checking is\ndone against the file's metadata at that moment, and on success, a file\npointer is passed back. Much later in the execve() code path, the file\nmetadata (specifically mode, uid, and gid) is used to determine if/how\nto set the uid and gid. However, those values may have changed since the\npermissions check, meaning the execution may gain unintended privileges.\n\nFor example, if a file could change permissions from executable and not\nset-id:\n\n---------x 1 root root 16048 Aug  7 13:16 target\n\nto set-id and non-executable:\n\n---S------ 1 root root 16048 Aug  7 13:16 target\n\nit is possible to gain root privileges when execution should have been\ndisallowed.\n\nWhile this race condition is rare in real-world scenarios, it has been\nobserved (and proven exploitable) when package managers are updating\nthe setuid bits of installed programs. Such files start with being\nworld-executable but then are adjusted to be group-exec with a set-uid\nbit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only\nby uid \"root\" and gid \"cdrom\", while also becoming setuid-root:\n\n-rwxr-xr-x 1 root cdrom 16048 Aug  7 13:16 target\n\nbecomes:\n\n-rwsr-xr-- 1 root cdrom 16048 Aug  7 13:16 target\n\nBut racing the chmod means users without group \"cdrom\" membership can\nget the permission to execute \"target\" just before the chmod, and when\nthe chmod finishes, the exec reaches brpm_fill_uid(), and performs the\nsetuid to root, violating the expressed authorization of \"only cdrom\ngroup members can setuid to root\".\n\nRe-check that we still have execute permissions in case the metadata\nhas changed. It would be better to keep a copy from the perm-check time,\nbut until we can do that refactoring, the least-bad option is to do a\nfull inode_permission() call (under inode lock). It is understood that\nthis is safe against dead-locks, but hardly optimal.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: vhci-hcd: Do not drop references before new references are gained\n\nAt a few places the driver carries stale pointers\nto references that can still be used. Make sure that does not happen.\nThis strictly speaking closes ZDI-CAN-22273, though there may be\nsimilar races in the driver.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Add error handling to pair_device()\n\nhci_conn_params_add() never checks for a NULL value and could lead to a NULL\npointer dereference causing a crash.\n\nFixed by adding error handling in the function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check in resource_log_pipe_topology_update\n\n[WHY]\nWhen switching from \"Extend\" to \"Second Display Only\" we sometimes\ncall resource_get_otg_master_for_stream on a stream for the eDP,\nwhich is disconnected. This leads to a null pointer dereference.\n\n[HOW]\nAdded a null check in dc_resource.c/resource_log_pipe_topology_update.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Disable TCP-AO static key after RCU grace period\n\nThe lifetime of TCP-AO static_key is the same as the last\ntcp_ao_info. On the socket destruction tcp_ao_info ceases to be\nwith RCU grace period, while tcp-ao static branch is currently deferred\ndestructed. The static key definition is\n: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);\n\nwhich means that if RCU grace period is delayed by more than a second\nand tcp_ao_needed is in the process of disablement, other CPUs may\nyet see tcp_ao_info which aren't dead, but soon-to-be.\nAnd that breaks the assumption of static_key_fast_inc_not_disabled().\n\nSee the comment near the definition:\n> * The caller must make sure that the static key can't get disabled while\n> * in this function. It doesn't patch jump labels, only adds a user to\n> * an already enabled static key.\n\nOriginally it was introduced in commit eb8c507296f6 (\"jump_label:\nPrevent key->enabled int overflow\"), which is needed for the atomic\ncontexts, one of which would be the creation of a full socket from a\nrequest socket. In that atomic context, it's known by the presence\nof the key (md5/ao) that the static branch is already enabled.\nSo, the ref counter for that static branch is just incremented\ninstead of holding the proper mutex.\nstatic_key_fast_inc_not_disabled() is just a helper for such usage\ncase. But it must not be used if the static branch could get disabled\nin parallel as it's not protected by jump_label_mutex and as a result,\nraces with jump_label_update() implementation details.\n\nHappened on netdev test-bot[1], so not a theoretical issue:\n\n[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1\n[] ------------[ cut here ]------------\n[] kernel BUG at arch/x86/kernel/jump_label.c:73!\n[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1\n[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[] Workqueue: events jump_label_update_timeout\n[] RIP: 0010:__jump_label_patch+0x2f6/0x350\n...\n[] Call Trace:\n[]  <TASK>\n[]  arch_jump_label_transform_queue+0x6c/0x110\n[]  __jump_label_update+0xef/0x350\n[]  __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60\n[]  jump_label_update_timeout+0x2c/0x40\n[]  process_one_work+0xe3b/0x1670\n[]  worker_thread+0x587/0xce0\n[]  kthread+0x28a/0x350\n[]  ret_from_fork+0x31/0x70\n[]  ret_from_fork_asm+0x1a/0x30\n[]  </TASK>\n[] Modules linked in: veth\n[] ---[ end trace 0000000000000000 ]---\n[] RIP: 0010:__jump_label_patch+0x2f6/0x350\n\n[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: list_lru: fix UAF for memory cgroup\n\nThe mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or\ncgroup_mutex or others which could prevent returned memcg from being\nfreed.  Fix it by adding missing rcu read lock.\n\nFound by code inspection.\n\n[songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix possible divide-by-0 panic in padata_mt_helper()\n\nWe are hit with a not easily reproducible divide-by-0 panic in padata.c at\nbootup time.\n\n  [   10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI\n  [   10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1\n  [   10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021\n  [   10.017908] Workqueue: events_unbound padata_mt_helper\n  [   10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0\n    :\n  [   10.017963] Call Trace:\n  [   10.017968]  <TASK>\n  [   10.018004]  ? padata_mt_helper+0x39/0xb0\n  [   10.018084]  process_one_work+0x174/0x330\n  [   10.018093]  worker_thread+0x266/0x3a0\n  [   10.018111]  kthread+0xcf/0x100\n  [   10.018124]  ret_from_fork+0x31/0x50\n  [   10.018138]  ret_from_fork_asm+0x1a/0x30\n  [   10.018147]  </TASK>\n\nLooking at the padata_mt_helper() function, the only way a divide-by-0\npanic can happen is when ps->chunk_size is 0.  The way that chunk_size is\ninitialized in padata_do_multithreaded(), chunk_size can be 0 when the\nmin_chunk in the passed-in padata_mt_job structure is 0.\n\nFix this divide-by-0 panic by making sure that chunk_size will be at least\n1 no matter what the input parameters are.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix overflow in get_free_elt()\n\n\"tracing_map->next_elt\" in get_free_elt() is at risk of overflowing.\n\nOnce it overflows, new elements can still be inserted into the tracing_map\neven though the maximum number of elements (`max_elts`) has been reached.\nContinuing to insert elements after the overflow could result in the\ntracing_map containing \"tracing_map->max_size\" elements, leaving no empty\nentries.\nIf any attempt is made to insert an element into a full tracing_map using\n`__tracing_map_insert()`, it will cause an infinite loop with preemption\ndisabled, leading to a CPU hang problem.\n\nFix this by preventing any further increments to \"tracing_map->next_elt\"\nonce it reaches \"tracing_map->max_elt\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have format file honor EVENT_FILE_FL_FREED\n\nWhen eventfs was introduced, special care had to be done to coordinate the\nfreeing of the file meta data with the files that are exposed to user\nspace. The file meta data would have a ref count that is set when the file\nis created and would be decremented and freed after the last user that\nopened the file closed it. When the file meta data was to be freed, it\nwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,\nand any new references made (like new opens or reads) would fail as it is\nmarked freed. This allowed other meta data to be freed after this flag was\nset (under the event_mutex).\n\nAll the files that were dynamically created in the events directory had a\npointer to the file meta data and would call event_release() when the last\nreference to the user space file was closed. This would be the time that it\nis safe to free the file meta data.\n\nA shortcut was made for the \"format\" file. Its i_private would point to\nthe \"call\" entry directly and not point to the file's meta data. This is\nbecause all format files are the same for the same \"call\", so it was\nthought there was no reason to differentiate them.  The other files\nmaintain state (like the \"enable\", \"trigger\", etc). But this meant if the\nfile were to disappear, the \"format\" file would be unaware of it.\n\nThis caused a race that could be triggered via the user_events test (that\nwould create dynamic events and free them), and running a loop that would\nread the user_events format files:\n\nIn one console run:\n\n # cd tools/testing/selftests/user_events\n # while true; do ./ftrace_test; done\n\nAnd in another console run:\n\n # cd /sys/kernel/tracing/\n # while true; do cat events/user_events/__test_event/format; done 2>/dev/null\n\nWith KASAN memory checking, it would trigger a use-after-free bug report\n(which was a real bug). This was because the format file was not checking\nthe file's meta data flag \"EVENT_FILE_FL_FREED\", so it would access the\nevent that the file meta data pointed to after the event was freed.\n\nAfter inspection, there are other locations that were found to not check\nthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a\nnew helper function: event_file_file() that will make sure that the\nevent_mutex is held, and will return NULL if the trace_event_file has the\nEVENT_FILE_FL_FREED flag set. Have the first reference of the struct file\npointer use event_file_file() and check for NULL. Later uses can still use\nthe event_file_data() helper function if the event_mutex is still held and\nwas not released since the event_file_file() call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: protect concurrent access to mem_cgroup_idr\n\nCommit 73f576c04b94 (\"mm: memcontrol: fix cgroup creation failure after\nmany small jobs\") decoupled the memcg IDs from the CSS ID space to fix the\ncgroup creation failures.  It introduced IDR to maintain the memcg ID\nspace.  The IDR depends on external synchronization mechanisms for\nmodifications.  For the mem_cgroup_idr, the idr_alloc() and idr_replace()\nhappen within css callback and thus are protected through cgroup_mutex\nfrom concurrent modifications.  However idr_remove() for mem_cgroup_idr\nwas not protected against concurrency and can be run concurrently for\ndifferent memcgs when they hit their refcnt to zero.  Fix that.\n\nWe have been seeing list_lru based kernel crashes at a low frequency in\nour fleet for a long time.  These crashes were in different part of\nlist_lru code including list_lru_add(), list_lru_del() and reparenting\ncode.  Upon further inspection, it looked like for a given object (dentry\nand inode), the super_block's list_lru didn't have list_lru_one for the\nmemcg of that object.  The initial suspicions were either the object is\nnot allocated through kmem_cache_alloc_lru() or somehow\nmemcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but\nreturned success.  No evidence was found for these cases.\n\nLooking more deeply, we started seeing situations where valid memcg's id\nis not present in mem_cgroup_idr and in some cases multiple valid memcgs\nhave same id and mem_cgroup_idr is pointing to one of them.  So, the most\nreasonable explanation is that these situations can happen due to race\nbetween multiple idr_remove() calls or race between\nidr_alloc()/idr_replace() and idr_remove().  These races are causing\nmultiple memcgs to acquire the same ID and then offlining of one of them\nwould cleanup list_lrus on the system for all of them.  Later access from\nother memcgs to the list_lru cause crashes due to missing list_lru_one.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divide by zero\n\nCalling ioctl TIOCSSERIAL with an invalid baud_base can\nresult in uartclk being zero, which will result in a\ndivide by zero error in uart_get_divisor(). The check for\nuartclk being zero in uart_set_info() needs to be done\nbefore other settings are made as subsequent calls to\nioctl TIOCSSERIAL for the same port would be impacted if\nthe uartclk check was done where uartclk gets set.\n\nOops: divide error: 0000  PREEMPT SMP KASAN PTI\nRIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580)\nCall Trace:\n <TASK>\nserial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576\n    drivers/tty/serial/8250/8250_port.c:2589)\nserial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502\n    drivers/tty/serial/8250/8250_port.c:2741)\nserial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862)\nuart_change_line_settings (./include/linux/spinlock.h:376\n    ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222)\nuart_port_startup (drivers/tty/serial/serial_core.c:342)\nuart_startup (drivers/tty/serial/serial_core.c:368)\nuart_set_info (drivers/tty/serial/serial_core.c:1034)\nuart_set_info_user (drivers/tty/serial/serial_core.c:1059)\ntty_set_serial (drivers/tty/tty_io.c:2637)\ntty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791)\n__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907\n    fs/ioctl.c:893 fs/ioctl.c:893)\ndo_syscall_64 (arch/x86/entry/common.c:52\n    (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nRule: add",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset->mode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: cs-amp-lib: Fix NULL pointer crash if efi.get_variable is NULL\n\nCall efi_rt_services_supported() to check that efi.get_variable exists\nbefore calling it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drop bad gso csum_start and offset in virtio_net_hdr\n\nTighten csum_start and csum_offset checks in virtio_net_hdr_to_skb\nfor GSO packets.\n\nThe function already checks that a checksum requested with\nVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets\nthis might not hold for segs after segmentation.\n\nSyzkaller demonstrated to reach this warning in skb_checksum_help\n\n\toffset = skb_checksum_start_offset(skb);\n\tret = -EINVAL;\n\tif (WARN_ON_ONCE(offset >= skb_headlen(skb)))\n\nBy injecting a TSO packet:\n\nWARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0\n ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774\n ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]\n __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301\n iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813\n __gre_xmit net/ipv4/ip_gre.c:469 [inline]\n ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661\n __netdev_start_xmit include/linux/netdevice.h:4850 [inline]\n netdev_start_xmit include/linux/netdevice.h:4864 [inline]\n xmit_one net/core/dev.c:3595 [inline]\n dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611\n __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261\n packet_snd net/packet/af_packet.c:3073 [inline]\n\nThe geometry of the bad input packet at tcp_gso_segment:\n\n[   52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0\n[   52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244\n[   52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))\n[   52.003050][ T8403] csum(0x60000c7 start=199 offset=1536\nip_summed=3 complete_sw=0 valid=0 level=0)\n\nMitigate with stricter input validation.\n\ncsum_offset: for GSO packets, deduce the correct value from gso_type.\nThis is already done for USO. Extend it to TSO. Let UFO be:\nudp[46]_ufo_fragment ignores these fields and always computes the\nchecksum in software.\n\ncsum_start: finding the real offset requires parsing to the transport\nheader. Do not add a parser, use existing segmentation parsing. Thanks\nto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.\nAgain test both TSO and USO. Do not test UFO for the above reason, and\ndo not test UDP tunnel offload.\n\nGSO packets are almost always CHECKSUM_PARTIAL. USO packets may be\nCHECKSUM_NONE since commit 10154dbded6d6 (\"udp: Allow GSO transmit\nfrom devices with no checksum offload\"), but then still these fields\nare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no\nneed to test for ip_summed == CHECKSUM_PARTIAL first.\n\nThis revises an existing fix mentioned in the Fixes tag, which broke\nsmall packets with GSO offload, as detected by kselftests.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.5"
        },
        {
          "id": "CVE-2024-43899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null pointer deref in dcn20_resource.c\n\nFixes a hang that's triggered when MPV is run on a DCN401 dGPU:\n\nmpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all\n\nand then enabling fullscreen playback (double click on the video)\n\nThe following calltrace will be seen:\n\n[  181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  181.843997] #PF: supervisor instruction fetch in kernel mode\n[  181.844003] #PF: error_code(0x0010) - not-present page\n[  181.844009] PGD 0 P4D 0\n[  181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[  181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G        W  OE      6.5.0-41-generic #41~22.04.2-Ubuntu\n[  181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018\n[  181.844044] RIP: 0010:0x0\n[  181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[  181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246\n[  181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004\n[  181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400\n[  181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c\n[  181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8\n[  181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005\n[  181.844121] FS:  00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000\n[  181.844128] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0\n[  181.844141] Call Trace:\n[  181.844146]  <TASK>\n[  181.844153]  ? show_regs+0x6d/0x80\n[  181.844167]  ? __die+0x24/0x80\n[  181.844179]  ? page_fault_oops+0x99/0x1b0\n[  181.844192]  ? do_user_addr_fault+0x31d/0x6b0\n[  181.844204]  ? exc_page_fault+0x83/0x1b0\n[  181.844216]  ? asm_exc_page_fault+0x27/0x30\n[  181.844237]  dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]\n[  181.845115]  amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]\n[  181.845985]  amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]\n[  181.846848]  fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]\n[  181.847734]  fill_dc_plane_attributes+0x162/0x350 [amdgpu]\n[  181.848748]  dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[  181.849791]  ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]\n[  181.850840]  amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: xc2028: avoid use-after-free in load_firmware_cb()\n\nsyzkaller reported use-after-free in load_firmware_cb() [1].\nThe reason is because the module allocated a struct tuner in tuner_probe(),\nand then the module initialization failed, the struct tuner was released.\nA worker which was created during module initialization accesses this struct\ntuner later, causing a use-after-free.\n\nThe process is as follows:\n\ntask-6504           worker_thread\ntuner_probe                             <= alloc dvb_frontend [2]\n...\nrequest_firmware_nowait                 <= create a worker\n...\ntuner_remove                            <= free dvb_frontend\n...\n                    request_firmware_work_func  <= the firmware is ready\n                    load_firmware_cb    <= but now the dvb_frontend has been freed\n\nTo fix the issue, check the dvb_frontend in load_firmware_cb(), if it is\nnull, report a warning and just return.\n\n[1]:\n    ==================================================================\n     BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0\n     Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504\n\n     Call trace:\n      load_firmware_cb+0x1310/0x17a0\n      request_firmware_work_func+0x128/0x220\n      process_one_work+0x770/0x1824\n      worker_thread+0x488/0xea0\n      kthread+0x300/0x430\n      ret_from_fork+0x10/0x20\n\n     Allocated by task 6504:\n      kzalloc\n      tuner_probe+0xb0/0x1430\n      i2c_device_probe+0x92c/0xaf0\n      really_probe+0x678/0xcd0\n      driver_probe_device+0x280/0x370\n      __device_attach_driver+0x220/0x330\n      bus_for_each_drv+0x134/0x1c0\n      __device_attach+0x1f4/0x410\n      device_initial_probe+0x20/0x30\n      bus_probe_device+0x184/0x200\n      device_add+0x924/0x12c0\n      device_register+0x24/0x30\n      i2c_new_device+0x4e0/0xc44\n      v4l2_i2c_new_subdev_board+0xbc/0x290\n      v4l2_i2c_new_subdev+0xc8/0x104\n      em28xx_v4l2_init+0x1dd0/0x3770\n\n     Freed by task 6504:\n      kfree+0x238/0x4e4\n      tuner_remove+0x144/0x1c0\n      i2c_device_remove+0xc8/0x290\n      __device_release_driver+0x314/0x5fc\n      device_release_driver+0x30/0x44\n      bus_remove_device+0x244/0x490\n      device_del+0x350/0x900\n      device_unregister+0x28/0xd0\n      i2c_unregister_device+0x174/0x1d0\n      v4l2_device_unregister+0x224/0x380\n      em28xx_v4l2_init+0x1d90/0x3770\n\n     The buggy address belongs to the object at ffff8000d7ca2000\n      which belongs to the cache kmalloc-2k of size 2048\n     The buggy address is located 776 bytes inside of\n      2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)\n     The buggy address belongs to the page:\n     page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0\n     flags: 0x7ff800000000100(slab)\n     raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000\n     raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n     page dumped because: kasan: bad access detected\n\n     Memory state around the buggy address:\n      ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n      ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n     >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                           ^\n      ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n      ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n     ==================================================================\n\n[2]\n    Actually, it is allocated for struct tuner, and dvb_frontend is inside.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[  +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[  +0.000005] #PF: supervisor instruction fetch in kernel mode\n[  +0.000002] #PF: error_code(0x0010) - not-present page\n[  +0.000002] PGD 0 P4D 0\n[  +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[  +0.000003] RIP: 0010:0x0\n[  +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[  +0.000002] PKRU: 55555554\n[  +0.000002] Call Trace:\n[  +0.000002]  <TASK>\n[  +0.000003]  ? show_regs+0x65/0x70\n[  +0.000006]  ? __die+0x24/0x70\n[  +0.000004]  ? page_fault_oops+0x160/0x470\n[  +0.000006]  ? do_user_addr_fault+0x2b5/0x690\n[  +0.000003]  ? prb_read_valid+0x1c/0x30\n[  +0.000005]  ? exc_page_fault+0x8c/0x1a0\n[  +0.000005]  ? asm_exc_page_fault+0x27/0x30\n[  +0.000012]  dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[  +0.000306]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000003]  ? vsnprintf+0x2fb/0x600\n[  +0.000009]  dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[  +0.000218]  ? __mod_memcg_lruvec_state+0xe8/0x170\n[  +0.000008]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? debug_smp_processor_id+0x17/0x20\n[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? set_ptes.isra.0+0x2b/0x90\n[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? _raw_spin_unlock+0x19/0x40\n[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? do_anonymous_page+0x337/0x700\n[  +0.000004]  dtn_log_read+0x82/0x120 [amdgpu]\n[  +0.000207]  full_proxy_read+0x66/0x90\n[  +0.000007]  vfs_read+0xb0/0x340\n[  +0.000005]  ? __count_memcg_events+0x79/0xe0\n[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000003]  ? count_memcg_events.constprop.0+0x1e/0x40\n[  +0.000003]  ? handle_mm_fault+0xb2/0x370\n[  +0.000003]  ksys_read+0x6b/0xf0\n[  +0.000004]  __x64_sys_read+0x19/0x20\n[  +0.000003]  do_syscall_64+0x60/0x130\n[  +0.000004]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[  +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing\n\nThis commit adds null checks for the 'stream' and 'plane' variables in\nthe dcn30_apply_idle_power_optimizations function. These variables were\npreviously assumed to be null at line 922, but they were used later in\nthe code without checking if they were null. This could potentially lead\nto a null pointer dereference, which would cause a crash.\n\nThe null checks ensure that 'stream' and 'plane' are not null before\nthey are used, preventing potential crashes.\n\nFixes the below static smatch checker:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix dereferencing null pointer context\n\nWhen user space sets an invalid ta type, the pointer context will be empty.\nSo it needs to check the pointer context before using it",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer dereference to ras_manager\n\nCheck ras_manager before using it",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference for smu7\n\noptimize the code to avoid passing a null pointer (hwmgr->backend)\nto function smu7_update_edc_leakage_table.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses\n\nCurrently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to\na global function as an argument. The adverse effects of this is that\nBPF helpers can continue to make use of this modified\nCONST_PTR_TO_DYNPTR from within the context of the global function,\nwhich can unintentionally result in out-of-bounds memory accesses and\ntherefore compromise overall system stability i.e.\n\n[  244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140\n[  244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302\n[  244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533\n[  244.174318] Call Trace:\n[  244.175787]  <TASK>\n[  244.177356]  dump_stack_lvl+0x66/0xa0\n[  244.179531]  print_report+0xce/0x670\n[  244.182314]  ? __virt_addr_valid+0x200/0x3e0\n[  244.184908]  kasan_report+0xd7/0x110\n[  244.187408]  ? bpf_dynptr_data+0x137/0x140\n[  244.189714]  ? bpf_dynptr_data+0x137/0x140\n[  244.192020]  bpf_dynptr_data+0x137/0x140\n[  244.194264]  bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26\n[  244.198044]  bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23\n[  244.202136]  bpf_user_ringbuf_drain+0x2c7/0x570\n[  244.204744]  ? 0xffffffffc0009e58\n[  244.206593]  ? __pfx_bpf_user_ringbuf_drain+0x10/0x10\n[  244.209795]  bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b\n[  244.215922]  bpf_trampoline_6442502480+0x43/0xe3\n[  244.218691]  __x64_sys_prlimit64+0x9/0xf0\n[  244.220912]  do_syscall_64+0xc1/0x1d0\n[  244.223043]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  244.226458] RIP: 0033:0x7ffa3eb8f059\n[  244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48\n[  244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e\n[  244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059\n[  244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0\n[  244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000\n[  244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80\n[  244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000\n[  244.268303]  </TASK>\n\nAdd a check_func_arg_reg_off() to the path in which the BPF verifier\nverifies the arguments of global function arguments, specifically\nthose which take an argument of type ARG_PTR_TO_DYNPTR |\nMEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any\nexplicit and strict type matching on the supplied register type, so\nlet's also enforce that a register either type PTR_TO_STACK or\nCONST_PTR_TO_DYNPTR is by the caller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G           OE      6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n   0:\tf7 e8                \timul   %eax\n   2:\td5                   \t(bad)\n   3:\t93                   \txchg   %eax,%ebx\n   4:\t3e ea                \tds (bad)\n   6:\t48 83 c4 28          \tadd    $0x28,%rsp\n   a:\t89 d8                \tmov    %ebx,%eax\n   c:\t5b                   \tpop    %rbx\n   d:\t41 5c                \tpop    %r12\n   f:\t41 5d                \tpop    %r13\n  11:\t41 5e                \tpop    %r14\n  13:\t41 5f                \tpop    %r15\n  15:\t5d                   \tpop    %rbp\n  16:\tc3                   \tretq\n  17:\tcc                   \tint3\n  18:\tcc                   \tint3\n  19:\tcc                   \tint3\n  1a:\tcc                   \tint3\n  1b:\t49 8b 84 24 e0 f1 ff \tmov    -0xe20(%r12),%rax\n  22:\tff\n  23:\t48 8b 80 90 1b 00 00 \tmov    0x1b90(%rax),%rax\n  2a:*\t83 38 03             \tcmpl   $0x3,(%rax)\t\t<-- trapping instruction\n  2d:\t0f 84 37 fe ff ff    \tje     0xfffffffffffffe6a\n  33:\tbb ea ff ff ff       \tmov    $0xffffffea,%ebx\n  38:\teb cc                \tjmp    0x6\n  3a:\t49                   \trex.WB\n  3b:\t8b                   \t.byte 0x8b\n  3c:\t84 24 10             \ttest   %ah,(%rax,%rdx,1)\n  3f:\tf3                   \trepz\n\nCode starting with the faulting instruction\n===========================================\n   0:\t83 38 03             \tcmpl   $0x3,(%rax)\n   3:\t0f 84 37 fe ff ff    \tje     0xfffffffffffffe40\n   9:\tbb ea ff ff ff       \tmov    $0xffffffea,%ebx\n   e:\teb cc                \tjmp    0xffffffffffffffdc\n  10:\t49                   \trex.WB\n  11:\t8b                   \t.byte 0x8b\n  12:\t84 24 10             \ttest   %ah,(%rax,%rdx,1)\n  15:\tf3                   \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS:  0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324]  <TASK>\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: disallow setting special AP channel widths\n\nSetting the AP channel width is meant for use with the normal\n20/40/... MHz channel width progression, and switching around\nin S1G or narrow channels isn't supported. Disallow that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-43914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: avoid BUG_ON() while continue reshape after reassembling\n\nCurrently, mdadm supports --revert-reshape to abort the reshape while\nreassembling, as the test 07revert-grow. However, following BUG_ON()\ncan be triggered by the test:\n\nkernel BUG at drivers/md/raid5.c:6278!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nirq event stamp: 158985\nCPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94\nRIP: 0010:reshape_request+0x3f1/0xe60\nCall Trace:\n <TASK>\n raid5_sync_request+0x43d/0x550\n md_do_sync+0xb7a/0x2110\n md_thread+0x294/0x2b0\n kthread+0x147/0x1c0\n ret_from_fork+0x59/0x70\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nRoot cause is that --revert-reshape updates the raid_disks from 5 to 4,\nwhile reshape position is still set, and after reassembling the array,\nreshape position will be read from super block, then during reshape the\nchecking of 'writepos' that is calculated by old reshape position will\nfail.\n\nFix this panic the easy way first, by converting the BUG_ON() to\nWARN_ON(), and stop the reshape if checks fail.\n\nNote that mdadm must fix --revert-reshape as well, and probably md/raid\nshould enhance metadata validation as well, however this means\nreassemble will fail and there must be user tools to fix the wrong\nmetadata.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-43914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: prevent potential speculation leaks in gpio_device_get_desc()\n\nUserspace may trigger a speculative read of an address outside the gpio\ndescriptor array.\nUsers can do that by calling gpio_ioctl() with an offset out of range.\nOffset is copied from user and then used as an array index to get\nthe gpio descriptor without sanitization in gpio_device_get_desc().\n\nThis change ensures that the offset is sanitized by using\narray_index_nospec() to mitigate any possibility of speculative\ninformation leaks.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix UAFs when destroying the queues\n\nThe second tagged commit started sometimes (very rarely, but possible)\nthrowing WARNs from\nnet/core/page_pool.c:page_pool_disable_direct_recycling().\nTurned out idpf frees interrupt vectors with embedded NAPIs *before*\nfreeing the queues making page_pools' NAPI pointers lead to freed\nmemory before these pools are destroyed by libeth.\nIt's not clear whether there are other accesses to the freed vectors\nwhen destroying the queues, but anyway, we usually free queue/interrupt\nvectors only when the queues are destroyed and the NAPIs are guaranteed\nto not be referenced anywhere.\n\nInvert the allocation and freeing logic making queue/interrupt vectors\nbe allocated first and freed last. Vectors don't require queues to be\npresent, so this is safe. Additionally, this change allows removing\nthat useless queue->q_vector pointer cleanup, as vectors are still\nvalid when freeing the queues (+ both are freed within one function,\nso it's not clear why nullify the pointers at all).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\n\nA recent commit has modified the code in __bnxt_reserve_rings() to\nset the default RSS indirection table to default only when the number\nof RX rings is changing.  While this works for newer firmware that\nrequires RX ring reservations, it causes the regression on older\nfirmware not requiring RX ring reservations (BNXT_NEW_RM() returns\nfalse).\n\nWith older firmware, RX ring reservations are not required and so\nhw_resc->resv_rx_rings is not always set to the proper value.  The\ncomparison:\n\nif (old_rx_rings != bp->hw_resc.resv_rx_rings)\n\nin __bnxt_reserve_rings() may be false even when the RX rings are\nchanging.  This will cause __bnxt_reserve_rings() to skip setting\nthe default RSS indirection table to default to match the current\nnumber of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to\nuse an out-of-range index.\n\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\nscenario.  We just need to move it up in bnxt_need_reserve_rings()\nto be called unconditionally when using older firmware.  Without the\nfix, if the TX rings are changing, we'll skip the\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\nin the last paragraph.  Without setting the default RSS indirection\ntable to default, it causes the regression:\n\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\nCall Trace:\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\n __bnxt_setup_vnic_p5+0x12e/0x270\n __bnxt_open_nic+0x2262/0x2f30\n bnxt_open_nic+0x5d/0xf0\n ethnl_set_channels+0x5d4/0xb30\n ethnl_default_set_doit+0x2f1/0x620",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.5"
        },
        {
          "id": "CVE-2024-44934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles when removing port\n\nsyzbot hit a use-after-free[1] which is caused because the bridge doesn't\nmake sure that all previous garbage has been collected when removing a\nport. What happens is:\n      CPU 1                   CPU 2\n start gc cycle           remove port\n                         acquire gc lock first\n wait for lock\n                         call br_multicasg_gc() directly\n acquire lock now but    free port\n the port can be freed\n while grp timers still\n running\n\nMake sure all previous gc cycles have finished by using flush_work before\nfreeing the port.\n\n[1]\n  BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n  Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699\n\n  CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n  Call Trace:\n   <IRQ>\n   __dump_stack lib/dump_stack.c:88 [inline]\n   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0xc3/0x620 mm/kasan/report.c:488\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861\n   call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792\n   expire_timers kernel/time/timer.c:1843 [inline]\n   __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417\n   __run_timer_base kernel/time/timer.c:2428 [inline]\n   __run_timer_base kernel/time/timer.c:2421 [inline]\n   run_timer_base+0x111/0x190 kernel/time/timer.c:2437",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix null-ptr-deref in reuseport_add_sock().\n\nsyzbot reported a null-ptr-deref while accessing sk2->sk_reuseport_cb in\nreuseport_add_sock(). [0]\n\nThe repro first creates a listener with SO_REUSEPORT.  Then, it creates\nanother listener on the same port and concurrently closes the first\nlistener.\n\nThe second listen() calls reuseport_add_sock() with the first listener as\nsk2, where sk2->sk_reuseport_cb is not expected to be cleared concurrently,\nbut the close() does clear it by reuseport_detach_sock().\n\nThe problem is SCTP does not properly synchronise reuseport_alloc(),\nreuseport_add_sock(), and reuseport_detach_sock().\n\nThe caller of reuseport_alloc() and reuseport_{add,detach}_sock() must\nprovide synchronisation for sockets that are classified into the same\nreuseport group.\n\nOtherwise, such sockets form multiple identical reuseport groups, and\nall groups except one would be silently dead.\n\n  1. Two sockets call listen() concurrently\n  2. No socket in the same group found in sctp_ep_hashtable[]\n  3. Two sockets call reuseport_alloc() and form two reuseport groups\n  4. Only one group hit first in __sctp_rcv_lookup_endpoint() receives\n      incoming packets\n\nAlso, the reported null-ptr-deref could occur.\n\nTCP/UDP guarantees that would not happen by holding the hash bucket lock.\n\nLet's apply the locking strategy to __sctp_hash_endpoint() and\n__sctp_unhash_endpoint().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nRIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350\nCode: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14\nRSP: 0018:ffffc9000b947c98 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012\nRBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385\nR10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0\nR13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __sctp_hash_endpoint net/sctp/input.c:762 [inline]\n sctp_hash_endpoint+0x52a/0x600 net/sctp/input.c:790\n sctp_listen_start net/sctp/socket.c:8570 [inline]\n sctp_inet_listen+0x767/0xa20 net/sctp/socket.c:8625\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]\n __se_sys_listen net/socket.c:1900 [inline]\n __x64_sys_listen+0x5a/0x70 net/socket.c:1900\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f24e46039b9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f24e45b9228 EFLAGS: 00000246 ORIG_RAX: 0000000000000032\nRAX: ffffffffffffffda RBX: 00007f24e468e428 RCX: 00007f24e46039b9\nRDX: 00007f24e46039b9 RSI: 0000000000000003 RDI: 0000000000000004\nRBP: 00007f24e468e420 R08: 00007f24e45b96c0 R09: 00007f24e45b96c0\nR10: 00007f24e45b96c0 R11: 0000000000000246 R12: 00007f24e468e42c\nR13:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: rt5033: Bring back i2c_set_clientdata\n\nCommit 3a93da231c12 (\"power: supply: rt5033: Use devm_power_supply_register() helper\")\nreworked the driver to use devm. While at it, the i2c_set_clientdata\nwas dropped along with the remove callback. Unfortunately other parts\nof the driver also rely on i2c clientdata so this causes a kernel oops.\n\nBring the call back to fix the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel-vbtn: Protect ACPI notify handler against recursion\n\nSince commit e2ffcda16290 (\"ACPI: OSL: Allow Notify () handlers to run on\nall CPUs\") ACPI notify handlers like the intel-vbtn notify_handler() may\nrun on multiple CPU cores racing with themselves.\n\nThis race gets hit on Dell Venue 7140 tablets when undocking from\nthe keyboard, causing the handler to try and register priv->switches_dev\ntwice, as can be seen from the dev_info() message getting logged twice:\n\n[ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event\n[ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17\n[ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event\n\nAfter which things go seriously wrong:\n[ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17'\n...\n[ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory.\n[ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018\n...\n\nProtect intel-vbtn notify_handler() from racing with itself with a mutex\nto fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix shift-out-of-bounds in dbDiscardAG\n\nWhen searching for the next smaller log2 block, BLKSTOL2() returned 0,\ncausing shift exponent -1 to be negative.\n\nThis patch fixes the issue by exiting the loop directly when negative\nshift is found.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter getting the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: remove warn in gue_gro_receive on unsupported protocol\n\nDrop the WARN_ON_ONCE in gue_gro_receive if the encapsulated type is\nnot known or does not have a GRO handler.\n\nSuch a packet is easily constructed. Syzbot generates them and sets\noff this warning.\n\nRemove the warning as it is expected and not actionable.\n\nThe warning was previously reduced from WARN_ON to WARN_ON_ONCE in\ncommit 270136613bf7 (\"fou: Do WARN_ON_ONCE in gue_gro_receive for bad\nproto callbacks\").",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n  - f2fs_init_read_extent_tree\n  : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t  - __shrink_extent_tree\n\t\t\t\t\t   - __detach_extent_node\n\t\t\t\t\t   : drop largest extent entry\n  - sanity_check_extent_cache\n  : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inline.c:258!\nCPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0\nRIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258\nCall Trace:\n f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834\n f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]\n f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315\n do_writepages+0x35b/0x870 mm/page-writeback.c:2612\n __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650\n writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941\n wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117\n wb_do_writeback fs/fs-writeback.c:2264 [inline]\n wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f2/0x390 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nThe root cause is: inline_data inode can be fuzzed, so that there may\nbe valid blkaddr in its direct node, once f2fs triggers background GC\nto migrate the block, it will hit f2fs_bug_on() during dirty page\nwriteback.\n\nLet's add sanity check on F2FS_INLINE_DATA flag in inode during GC,\nso that, it can forbid migrating inline_data inode's data block for\nfixing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: gup: stop abusing try_grab_folio\n\nA kernel warning was reported when pinning folio in CMA memory when\nlaunching SEV virtual machine.  The splat looks like:\n\n[  464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520\n[  464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6\n[  464.325477] RIP: 0010:__get_user_pages+0x423/0x520\n[  464.325515] Call Trace:\n[  464.325520]  <TASK>\n[  464.325523]  ? __get_user_pages+0x423/0x520\n[  464.325528]  ? __warn+0x81/0x130\n[  464.325536]  ? __get_user_pages+0x423/0x520\n[  464.325541]  ? report_bug+0x171/0x1a0\n[  464.325549]  ? handle_bug+0x3c/0x70\n[  464.325554]  ? exc_invalid_op+0x17/0x70\n[  464.325558]  ? asm_exc_invalid_op+0x1a/0x20\n[  464.325567]  ? __get_user_pages+0x423/0x520\n[  464.325575]  __gup_longterm_locked+0x212/0x7a0\n[  464.325583]  internal_get_user_pages_fast+0xfb/0x190\n[  464.325590]  pin_user_pages_fast+0x47/0x60\n[  464.325598]  sev_pin_memory+0xca/0x170 [kvm_amd]\n[  464.325616]  sev_mem_enc_register_region+0x81/0x130 [kvm_amd]\n\nPer the analysis done by yangge, when starting the SEV virtual machine, it\nwill call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. \nBut the page is in CMA area, so fast GUP will fail then fallback to the\nslow path due to the longterm pinnable check in try_grab_folio().\n\nThe slow path will try to pin the pages then migrate them out of CMA area.\nBut the slow path also uses try_grab_folio() to pin the page, it will\nalso fail due to the same check then the above warning is triggered.\n\nIn addition, the try_grab_folio() is supposed to be used in fast path and\nit elevates folio refcount by using add ref unless zero.  We are guaranteed\nto have at least one stable reference in slow path, so the simple atomic add\ncould be used.  The performance difference should be trivial, but the\nmisuse may be confusing and misleading.\n\nRedefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page()\nto try_grab_folio(), and use them in the proper paths.  This solves both\nthe abuse and the kernel warning.\n\nThe proper naming makes their usecase more clear and should prevent from\nabusing in the future.\n\npeterx said:\n\n: The user will see the pin fails, for gpu-slow it further triggers the WARN\n: right below that failure (as in the original report):\n: \n:         folio = try_grab_folio(page, page_increm - 1,\n:                                 foll_flags);\n:         if (WARN_ON_ONCE(!folio)) { <------------------------ here\n:                 /*\n:                         * Release the 1st page ref if the\n:                         * folio is problematic, fail hard.\n:                         */\n:                 gup_put_folio(page_folio(page), 1,\n:                                 foll_flags);\n:                 ret = -EFAULT;\n:                 goto out;\n:         }\n\n[1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/\n\n[shy828301@gmail.com: fix implicit declaration of function try_grab_folio_fast]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10"
        },
        {
          "id": "CVE-2024-44944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use helper function to calculate expect ID\n\nDelete expectation path is missing a call to the nf_expect_get_id()\nhelper function to calculate the expectation ID, otherwise LSB of the\nexpectation object address is leaked to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink: Initialise extack before use in ACKs\n\nAdd missing extack initialisation when ACKing BATCH_BEGIN and BATCH_END.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Serialise kcm_sendmsg() for the same socket.\n\nsyzkaller reported UAF in kcm_release(). [0]\n\nThe scenario is\n\n  1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.\n\n  2. Thread A resumes building skb from kcm->seq_skb but is blocked\n     by sk_stream_wait_memory()\n\n  3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb\n     and puts the skb to the write queue\n\n  4. Thread A faces an error and finally frees skb that is already in the\n     write queue\n\n  5. kcm_release() does double-free the skb in the write queue\n\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\n\nLet's add a per-sk mutex and serialise kcm_sendmsg().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\n\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall trace:\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x178/0x518 mm/kasan/report.c:488\n kasan_report+0xd8/0x138 mm/kasan/report.c:601\n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n __skb_unlink include/linux/skbuff.h:2366 [inline]\n __skb_dequeue include/linux/skbuff.h:2385 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\n __skb_queue_purge include/linux/skbuff.h:3181 [inline]\n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\n __sock_release net/socket.c:659 [inline]\n sock_close+0xa4/0x1e8 net/socket.c:1421\n __fput+0x30c/0x738 fs/file_table.c:376\n ____fput+0x20/0x30 fs/file_table.c:404\n task_work_run+0x230/0x2e0 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x618/0x1f64 kernel/exit.c:871\n do_group_exit+0x194/0x22c kernel/exit.c:1020\n get_signal+0x1500/0x15ec kernel/signal.c:2893\n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nAllocated by task 6166:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\n alloc_skb include/linux/skbuff.h:1296 [inline]\n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_sendmsg+0x220/0x2c0 net/socket.c:768\n splice_to_socket+0x7cc/0xd58 fs/splice.c:889\n do_splice_from fs/splice.c:941 [inline]\n direct_splice_actor+0xec/0x1d8 fs/splice.c:1164\n splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\n do_splice_direct_actor \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: Initialize beyond-EOF page contents before setting uptodate\n\nfuse_notify_store(), unlike fuse_do_readpage(), does not enable page\nzeroing (because it can be used to change partial page contents).\n\nSo fuse_notify_store() must be more careful to fully initialize page\ncontents (including parts of the page that are beyond end-of-file)\nbefore marking the page uptodate.\n\nThe current code can leave beyond-EOF page contents uninitialized, which\nmakes these uninitialized page contents visible to userspace via mmap().\n\nThis is an information leak, but only affects systems which do not\nenable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the\ncorresponding kernel command line parameter).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mtrr: Check if fixed MTRRs exist before saving them\n\nMTRRs have an obsolete fixed variant for fine grained caching control\nof the 640K-1MB region that uses separate MSRs. This fixed variant has\na separate capability bit in the MTRR capability MSR.\n\nSo far all x86 CPUs which support MTRR have this separate bit set, so it\nwent unnoticed that mtrr_save_state() does not check the capability bit\nbefore accessing the fixed MTRR MSRs.\n\nThough on a CPU that does not support the fixed MTRR capability this\nresults in a #GP.  The #GP itself is harmless because the RDMSR fault is\nhandled gracefully, but results in a WARN_ON().\n\nAdd the missing capability check to prevent this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: fix a possible DMA corruption\n\nARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be\npossible that two unrelated 16-byte allocations share a cache line. If\none of these allocations is written using DMA and the other is written\nusing cached write, the value that was written with DMA may be\ncorrupted.\n\nThis commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 -\nthat's the largest possible cache line size.\n\nAs different parisc microarchitectures have different cache line size, we\ndefine arch_slab_minalign(), cache_line_size() and\ndma_get_cache_alignment() so that the kernel may tune slab cache\nparameters dynamically, based on the detected cache line size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: fix invalid FIFO access with special register set\n\nWhen enabling access to the special register set, Receiver time-out and\nRHR interrupts can happen. In this case, the IRQ handler will try to read\nfrom the FIFO thru the RHR register at address 0x00, but address 0x00 is\nmapped to DLL register, resulting in erroneous FIFO reading.\n\nCall graph example:\n    sc16is7xx_startup(): entry\n    sc16is7xx_ms_proc(): entry\n    sc16is7xx_set_termios(): entry\n    sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set\n    sc16is7xx_port_irq() entry            --> IIR is 0x0C\n    sc16is7xx_handle_rx() entry\n    sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is\n                               mapped to DLL (LCR=LCR_CONF_MODE_A)\n    sc16is7xx_set_baud(): exit --> Restore access to general register set\n\nFix the problem by claiming the efr_lock mutex when accessing the Special\nregister set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: fix TX fifo corruption\n\nSometimes, when a packet is received on channel A at almost the same time\nas a packet is about to be transmitted on channel B, we observe with a\nlogic analyzer that the received packet on channel A is transmitted on\nchannel B. In other words, the Tx buffer data on channel B is corrupted\nwith data from channel A.\n\nThe problem appeared since commit 4409df5866b7 (\"serial: sc16is7xx: change\nEFR lock to operate on each channels\"), which changed the EFR locking to\noperate on each channel instead of chip-wise.\n\nThis commit has introduced a regression, because the EFR lock is used not\nonly to protect the EFR registers access, but also, in a very obscure and\nundocumented way, to protect access to the data buffer, which is shared by\nthe Tx and Rx handlers, but also by each channel of the IC.\n\nFix this regression first by switching to kfifo_out_linear_ptr() in\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\n\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\neach channel.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix deadlock during RTC update\n\nThere is a deadlock when runtime suspend waits for the flush of RTC work,\nand the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume.\n\nHere is deadlock backtrace:\n\nkworker/0:1     D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367\nptr            f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff\n<ffffffee5e71ddb0> __switch_to+0x1a8/0x2d4\n<ffffffee5e71e604> __schedule+0x684/0xa98\n<ffffffee5e71ea60> schedule+0x48/0xc8\n<ffffffee5e725f78> schedule_timeout+0x48/0x170\n<ffffffee5e71fb74> do_wait_for_common+0x108/0x1b0\n<ffffffee5e71efe0> wait_for_completion+0x44/0x60\n<ffffffee5d6de968> __flush_work+0x39c/0x424\n<ffffffee5d6decc0> __cancel_work_sync+0xd8/0x208\n<ffffffee5d6dee2c> cancel_delayed_work_sync+0x14/0x28\n<ffffffee5e2551b8> __ufshcd_wl_suspend+0x19c/0x480\n<ffffffee5e255fb8> ufshcd_wl_runtime_suspend+0x3c/0x1d4\n<ffffffee5dffd80c> scsi_runtime_suspend+0x78/0xc8\n<ffffffee5df93580> __rpm_callback+0x94/0x3e0\n<ffffffee5df90b0c> rpm_suspend+0x2d4/0x65c\n<ffffffee5df91448> __pm_runtime_suspend+0x80/0x114\n<ffffffee5dffd95c> scsi_runtime_idle+0x38/0x6c\n<ffffffee5df912f4> rpm_idle+0x264/0x338\n<ffffffee5df90f14> __pm_runtime_idle+0x80/0x110\n<ffffffee5e24ce44> ufshcd_rtc_work+0x128/0x1e4\n<ffffffee5d6e3a40> process_one_work+0x26c/0x650\n<ffffffee5d6e65c8> worker_thread+0x260/0x3d8\n<ffffffee5d6edec8> kthread+0x110/0x134\n<ffffffee5d616b18> ret_from_fork+0x10/0x20\n\nSkip updating RTC if RPM state is not RPM_ACTIVE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: line6: Fix racy access to midibuf\n\nThere can be concurrent accesses to line6 midibuf from both the URB\ncompletion callback and the rawmidi API access.  This could be a cause\nof KMSAN warning triggered by syzkaller below (so put as reported-by\nhere).\n\nThis patch protects the midibuf call of the former code path with a\nspinlock for avoiding the possible races.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/preempt_fence: enlarge the fence critical section\n\nIt is really easy to introduce subtle deadlocks in\npreempt_fence_work_func() since we operate on single global ordered-wq\nfor signalling our preempt fences behind the scenes, so even though we\nsignal a particular fence, everything in the callback should be in the\nfence critical section, since blocking in the callback will prevent\nother published fences from signalling. If we enlarge the fence critical\nsection to cover the entire callback, then lockdep should be able to\nunderstand this better, and complain if we grab a sensitive lock like\nvm->lock, which is also held when waiting on preempt fences.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: privcmd: Switch from mutex to spinlock for irqfds\n\nirqfd_wakeup() gets EPOLLHUP, when it is called by\neventfd_release() by way of wake_up_poll(&ctx->wqh, EPOLLHUP), which\ngets called under spin_lock_irqsave(). We can't use a mutex here as it\nwill lead to a deadlock.\n\nFix it by switching over to a spin lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/smt: Fix unbalance sched_smt_present dec/inc\n\nI got the following warn report while doing stress test:\n\njump label: negative count!\nWARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0\nCall Trace:\n <TASK>\n __static_key_slow_dec_cpuslocked+0x16/0x70\n sched_cpu_deactivate+0x26e/0x2a0\n cpuhp_invoke_callback+0x3ad/0x10d0\n cpuhp_thread_fun+0x3f5/0x680\n smpboot_thread_fn+0x56d/0x8d0\n kthread+0x309/0x400\n ret_from_fork+0x41/0x70\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nBecause when cpuset_cpu_inactive() fails in sched_cpu_deactivate(),\nthe cpu offline failed, but sched_smt_present is decremented before\ncalling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so\nfix it by incrementing sched_smt_present in the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Use generic inode RCU for synchronizing freeing\n\nWith structure layout randomization enabled for 'struct inode' we need to\navoid overlapping any of the RCU-used / initialized-only-once members,\ne.g. i_lru or i_sb_list to not corrupt related list traversals when making\nuse of the rcu_head.\n\nFor an unlucky structure layout of 'struct inode' we may end up with the\nfollowing splat when running the ftrace selftests:\n\n[<...>] list_del corruption, ffff888103ee2cb0->next (tracefs_inode_cache+0x0/0x4e0 [slab object]) is NULL (prev is tracefs_inode_cache+0x78/0x4e0 [slab object])\n[<...>] ------------[ cut here ]------------\n[<...>] kernel BUG at lib/list_debug.c:54!\n[<...>] invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n[<...>] CPU: 3 PID: 2550 Comm: mount Tainted: G                 N  6.8.12-grsec+ #122 ed2f536ca62f28b087b90e3cc906a8d25b3ddc65\n[<...>] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n[<...>] RIP: 0010:[<ffffffff84656018>] __list_del_entry_valid_or_report+0x138/0x3e0\n[<...>] Code: 48 b8 99 fb 65 f2 ff ff ff ff e9 03 5c d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff e9 33 5a d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff <0f> 0b 4c 89 e9 48 89 ea 48 89 ee 48 c7 c7 60 8f dd 89 31 c0 e8 2f\n[<...>] RSP: 0018:fffffe80416afaf0 EFLAGS: 00010283\n[<...>] RAX: 0000000000000098 RBX: ffff888103ee2cb0 RCX: 0000000000000000\n[<...>] RDX: ffffffff84655fe8 RSI: ffffffff89dd8b60 RDI: 0000000000000001\n[<...>] RBP: ffff888103ee2cb0 R08: 0000000000000001 R09: fffffbd0082d5f25\n[<...>] R10: fffffe80416af92f R11: 0000000000000001 R12: fdf99c16731d9b6d\n[<...>] R13: 0000000000000000 R14: ffff88819ad4b8b8 R15: 0000000000000000\n[<...>] RBX: tracefs_inode_cache+0x0/0x4e0 [slab object]\n[<...>] RDX: __list_del_entry_valid_or_report+0x108/0x3e0\n[<...>] RSI: __func__.47+0x4340/0x4400\n[<...>] RBP: tracefs_inode_cache+0x0/0x4e0 [slab object]\n[<...>] RSP: process kstack fffffe80416afaf0+0x7af0/0x8000 [mount 2550 2550]\n[<...>] R09: kasan shadow of process kstack fffffe80416af928+0x7928/0x8000 [mount 2550 2550]\n[<...>] R10: process kstack fffffe80416af92f+0x792f/0x8000 [mount 2550 2550]\n[<...>] R14: tracefs_inode_cache+0x78/0x4e0 [slab object]\n[<...>] FS:  00006dcb380c1840(0000) GS:ffff8881e0600000(0000) knlGS:0000000000000000\n[<...>] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[<...>] CR2: 000076ab72b30e84 CR3: 000000000b088004 CR4: 0000000000360ef0 shadow CR4: 0000000000360ef0\n[<...>] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[<...>] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[<...>] ASID: 0003\n[<...>] Stack:\n[<...>]  ffffffff818a2315 00000000f5c856ee ffffffff896f1840 ffff888103ee2cb0\n[<...>]  ffff88812b6b9750 0000000079d714b6 fffffbfff1e9280b ffffffff8f49405f\n[<...>]  0000000000000001 0000000000000000 ffff888104457280 ffffffff8248b392\n[<...>] Call Trace:\n[<...>]  <TASK>\n[<...>]  [<ffffffff818a2315>] ? lock_release+0x175/0x380 fffffe80416afaf0\n[<...>]  [<ffffffff8248b392>] list_lru_del+0x152/0x740 fffffe80416afb48\n[<...>]  [<ffffffff8248ba93>] list_lru_del_obj+0x113/0x280 fffffe80416afb88\n[<...>]  [<ffffffff8940fd19>] ? _atomic_dec_and_lock+0x119/0x200 fffffe80416afb90\n[<...>]  [<ffffffff8295b244>] iput_final+0x1c4/0x9a0 fffffe80416afbb8\n[<...>]  [<ffffffff8293a52b>] dentry_unlink_inode+0x44b/0xaa0 fffffe80416afbf8\n[<...>]  [<ffffffff8293fefc>] __dentry_kill+0x23c/0xf00 fffffe80416afc40\n[<...>]  [<ffffffff8953a85f>] ? __this_cpu_preempt_check+0x1f/0xa0 fffffe80416afc48\n[<...>]  [<ffffffff82949ce5>] ? shrink_dentry_list+0x1c5/0x760 fffffe80416afc70\n[<...>]  [<ffffffff82949b71>] ? shrink_dentry_list+0x51/0x760 fffffe80416afc78\n[<...>]  [<ffffffff82949da8>] shrink_dentry_list+0x288/0x760 fffffe80416afc80\n[<...>]  [<ffffffff8294ae75>] shrink_dcache_sb+0x155/0x420 fffffe80416afcc8\n[<...>]  [<ffffffff8953a7c3>] ? debug_smp_processor_id+0x23/0xa0 fffffe80416afce0\n[<...>]  [<ffffffff8294ad20>] ? do_one_tre\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: core: Check for unset descriptor\n\nMake sure the descriptor has been set before looking at maxpacket.\nThis fixes a null pointer panic in this case.\n\nThis may happen if the gadget doesn't properly set up the endpoint\nfor the current speed, or the gadget descriptors are malformed and\nthe descriptor for the speed/endpoint are not found.\n\nNo current gadget driver is known to have this problem, but this\nmay cause a hard-to-find bug during development of new gadgets.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Forward soft recovery errors to userspace\n\nAs we discussed before[1], soft recovery should be\nforwarded to userspace, or we can get into a really\nbad state where apps will keep submitting hanging\ncommand buffers cascading us to a hard reset.\n\n1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/\n(cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading\n\nWhen unloading the btnxpuart driver, its associated timer will be deleted.\nIf the timer happens to be modified at this moment, it leads to the\nkernel calling this timer even after the driver is unloaded, resulting in\nkernel panic.\nUse timer_shutdown_sync() instead of del_timer_sync() to prevent rearming.\n\npanic log:\n  Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP\n  Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic   snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil   snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded:   btnxpuart]\n  CPU: 5 PID: 723 Comm: memtester Tainted: G           O       6.6.23-lts-next-06207-g4aef2658ac28 #1\n  Hardware name: NXP i.MX95 19X19 board (DT)\n  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : 0xffff80007a2cf464\n  lr : call_timer_fn.isra.0+0x24/0x80\n...\n  Call trace:\n   0xffff80007a2cf464\n   __run_timers+0x234/0x280\n   run_timer_softirq+0x20/0x40\n   __do_softirq+0x100/0x26c\n   ____do_softirq+0x10/0x1c\n   call_on_irq_stack+0x24/0x4c\n   do_softirq_own_stack+0x1c/0x2c\n   irq_exit_rcu+0xc0/0xdc\n   el0_interrupt+0x54/0xd8\n   __el0_irq_handler_common+0x18/0x24\n   el0t_64_irq_handler+0x10/0x1c\n   el0t_64_irq+0x190/0x194\n  Code: ???????? ???????? ???????? ???????? (????????)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: Oops: Fatal exception in interrupt\n  SMP: stopping secondary CPUs\n  Kernel Offset: disabled\n  CPU features: 0x0,c0000000,40028143,1000721b\n  Memory Limit: none\n  ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON() when freeing tree block after error\n\nWhen freeing a tree block, at btrfs_free_tree_block(), if we fail to\ncreate a delayed reference we don't deal with the error and just do a\nBUG_ON(). The error most likely to happen is -ENOMEM, and we have a\ncomment mentioning that only -ENOMEM can happen, but that is not true,\nbecause in case qgroups are enabled any error returned from\nbtrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned\nfrom btrfs_search_slot() for example) can be propagated back to\nbtrfs_free_tree_block().\n\nSo stop doing a BUG_ON() and return the error to the callers and make\nthem abort the transaction to prevent leaking space. Syzbot was\ntriggering this, likely due to memory allocation failure injection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leaks and crashes while performing a soft reset\n\nThe second tagged commit introduced a UAF, as it removed restoring\nq_vector->vport pointers after reinitializing the structures.\nThis is because all queue allocation functions are performed here\nwith the new temporary vport structure and those functions rewrite\nthe backpointers to the vport. Then, this new struct is freed and\nthe pointers start leading to nowhere.\n\nBut generally speaking, the current logic is very fragile. It claims\nto be more reliable when the system is low on memory, but in fact, it\nconsumes two times more memory as at the moment of running this\nfunction, there are two vports allocated with their queues and vectors.\nMoreover, it claims to prevent the driver from running into \"bad state\",\nbut in fact, any error during the rebuild leaves the old vport in the\npartially allocated state.\nFinally, if the interface is down when the function is called, it always\nallocates a new queue set, but when the user decides to enable the\ninterface later on, vport_open() allocates them once again, IOW there's\na clear memory leak here.\n\nJust don't allocate a new queue set when performing a reset, that solves\ncrashes and memory leaks. Readd the old queue number and reopen the\ninterface on rollback - that solves limbo states when the device is left\ndisabled and/or without HW queues enabled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix pti_clone_pgtable() alignment assumption\n\nGuenter reported dodgy crashes on an i386-nosmp build using GCC-11\nthat had the form of endless traps until entry stack exhaust and then\n#DF from the stack guard.\n\nIt turned out that pti_clone_pgtable() had alignment assumptions on\nthe start address, notably it hard assumes start is PMD aligned. This\nis true on x86_64, but very much not true on i386.\n\nThese assumptions can cause the end condition to malfunction, leading\nto a 'short' clone. Guess what happens when the user mapping has a\nshort copy of the entry text?\n\nUse the correct increment form for addr to avoid alignment\nassumptions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_flat: Fix corruption when not offsetting data start\n\nCommit 04d82a6d0881 (\"binfmt_flat: allow not offsetting data start\")\nintroduced a RISC-V specific variant of the FLAT format which does\nnot allocate any space for the (obsolete) array of shared library\npointers. However, it did not disable the code which initializes the\narray, resulting in the corruption of sizeof(long) bytes before the DATA\nsegment, generally the end of the TEXT segment.\n\nIntroduce MAX_SHARED_LIBS_UPDATE which depends on the state of\nCONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of\nthe shared library pointer region so that it will only be initialized\nif space is reserved for it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mgag200: Bind I2C lifetime to DRM device\n\nManaged cleanup with devm_add_action_or_reset() will release the I2C\nadapter when the underlying Linux device goes away. But the connector\nstill refers to it, so this cleanup leaves behind a stale pointer\nin struct drm_connector.ddc.\n\nBind the lifetime of the I2C adapter to the connector's lifetime by\nusing DRM's managed release. When the DRM device goes away (after\nthe Linux device) DRM will first clean up the connector and then\nclean up the I2C adapter.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntick/broadcast: Move per CPU pointer access into the atomic section\n\nThe recent fix for making the take over of the broadcast timer more\nreliable retrieves a per CPU pointer in preemptible context.\n\nThis went unnoticed as compilers hoist the access into the non-preemptible\nregion where the pointer is actually used. But of course it's valid that\nthe compiler keeps it at the place where the code puts it which rightfully\ntriggers:\n\n  BUG: using smp_processor_id() in preemptible [00000000] code:\n       caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0\n\nMove it to the actual usage site which is in a non-preemptible region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.5"
        },
        {
          "id": "CVE-2024-44969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Prevent release of buffer in I/O\n\nWhen a task waiting for completion of a Store Data operation is\ninterrupted, an attempt is made to halt this operation. If this attempt\nfails due to a hardware or firmware problem, there is a chance that the\nSCLP facility might store data into buffers referenced by the original\noperation at a later time.\n\nHandle this situation by not releasing the referenced data buffers if\nthe halt attempt fails. For current use cases, this might result in a\nleak of few pages of memory in case of a rare hardware/firmware\nmalfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: SHAMPO, Fix invalid WQ linked list unlink\n\nWhen all the strides in a WQE have been consumed, the WQE is unlinked\nfrom the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible\nto receive CQEs with 0 consumed strides for the same WQE even after the\nWQE is fully consumed and unlinked. This triggers an additional unlink\nfor the same wqe which corrupts the linked list.\n\nFix this scenario by accepting 0 sized consumed strides without\nunlinking the WQE again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()\n\nbcm_sf2_mdio_register() calls of_phy_find_device() and then\nphy_device_remove() in a loop to remove existing PHY devices.\nof_phy_find_device() eventually calls bus_find_device(), which calls\nget_device() on the returned struct device * to increment the refcount.\nThe current implementation does not decrement the refcount, which causes\na memory leak.\n\nThis commit adds the missing phy_device_free() call to decrement the\nrefcount via put_device() to balance the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slub: do not call do_slab_free for kfence object\n\nIn 782f8906f805 the freeing of kfence objects was moved from deep\ninside do_slab_free to the wrapper functions outside. This is a nice\nchange, but unfortunately it missed one spot in __kmem_cache_free_bulk.\n\nThis results in a crash like this:\n\nBUG skbuff_head_cache (Tainted: G S  B       E     ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840\n\nslab_err (mm/slub.c:1129)\nfree_to_partial_list (mm/slub.c:? mm/slub.c:4036)\nslab_pad_check (mm/slub.c:864 mm/slub.c:1290)\ncheck_slab (mm/slub.c:?)\nfree_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)\nkmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)\nnapi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)\n\nAll the other callers to do_slab_free appear to be ok.\n\nAdd a kfence_free check in __kmem_cache_free_bulk to avoid the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: avoid possible UaF when selecting endp\n\nselect_local_address() and select_signal_address() both select an\nendpoint entry from the list inside an RCU protected section, but return\na reference to it, to be read later on. If the entry is dereferenced\nafter the RCU unlock, reading info could cause a Use-after-Free.\n\nA simple solution is to copy the required info while inside the RCU\nprotected section to avoid any risk of UaF later. The address ID might\nneed to be modified later to handle the ID0 case later, so a copy seems\nOK to deal with.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: fix panic caused by partcmd_update\n\nWe find a bug as below:\nBUG: unable to handle page fault for address: 00000003\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 358 Comm: bash Tainted: G        W I        6.6.0-10893-g60d6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4\nRIP: 0010:partition_sched_domains_locked+0x483/0x600\nCode: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9\nRSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202\nRAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80\nRBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000\nR10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002\nR13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0\nCall Trace:\n <TASK>\n ? show_regs+0x8c/0xa0\n ? __die_body+0x23/0xa0\n ? __die+0x3a/0x50\n ? page_fault_oops+0x1d2/0x5c0\n ? partition_sched_domains_locked+0x483/0x600\n ? search_module_extables+0x2a/0xb0\n ? search_exception_tables+0x67/0x90\n ? kernelmode_fixup_or_oops+0x144/0x1b0\n ? __bad_area_nosemaphore+0x211/0x360\n ? up_read+0x3b/0x50\n ? bad_area_nosemaphore+0x1a/0x30\n ? exc_page_fault+0x890/0xd90\n ? __lock_acquire.constprop.0+0x24f/0x8d0\n ? __lock_acquire.constprop.0+0x24f/0x8d0\n ? asm_exc_page_fault+0x26/0x30\n ? partition_sched_domains_locked+0x483/0x600\n ? 
partition_sched_domains_locked+0xf0/0x600\n rebuild_sched_domains_locked+0x806/0xdc0\n update_partition_sd_lb+0x118/0x130\n cpuset_write_resmask+0xffc/0x1420\n cgroup_file_write+0xb2/0x290\n kernfs_fop_write_iter+0x194/0x290\n new_sync_write+0xeb/0x160\n vfs_write+0x16f/0x1d0\n ksys_write+0x81/0x180\n __x64_sys_write+0x21/0x30\n x64_sys_call+0x2f25/0x4630\n do_syscall_64+0x44/0xb0\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\nRIP: 0033:0x7f44a553c887\n\nIt can be reproduced with commands:\ncd /sys/fs/cgroup/\nmkdir test\ncd test/\necho +cpuset > ../cgroup.subtree_control\necho root > cpuset.cpus.partition\ncat /sys/fs/cgroup/cpuset.cpus.effective\n0-3\necho 0-3 > cpuset.cpus // taking away all cpus from root\n\nThis issue is caused by the incorrect rebuilding of scheduling domains.\nIn this scenario, test/cpuset.cpus.partition should be an invalid root\nand should not trigger the rebuilding of scheduling domains. When calling\nupdate_parent_effective_cpumask with partcmd_update, if newmask is not\nnull, it should recheck newmask to see whether there are cpus available\nfor parent/cs that has tasks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_macio: Fix DMA table overflow\n\nKolbj\u00f8rn and Jon\u00e1\u0161 reported that their 32-bit PowerMacs were crashing\nin pata-macio since commit 09fe2bfa6b83 (\"ata: pata_macio: Fix\nmax_segment_size with PAGE_SIZE == 64K\").\n\nFor example:\n\n  kernel BUG at drivers/ata/pata_macio.c:544!\n  Oops: Exception in kernel mode, sig: 5 [#1]\n  BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac\n  ...\n  NIP pata_macio_qc_prep+0xf4/0x190\n  LR  pata_macio_qc_prep+0xfc/0x190\n  Call Trace:\n    0xc1421660 (unreliable)\n    ata_qc_issue+0x14c/0x2d4\n    __ata_scsi_queuecmd+0x200/0x53c\n    ata_scsi_queuecmd+0x50/0xe0\n    scsi_queue_rq+0x788/0xb1c\n    __blk_mq_issue_directly+0x58/0xf4\n    blk_mq_plug_issue_direct+0x8c/0x1b4\n    blk_mq_flush_plug_list.part.0+0x584/0x5e0\n    __blk_flush_plug+0xf8/0x194\n    __submit_bio+0x1b8/0x2e0\n    submit_bio_noacct_nocheck+0x230/0x304\n    btrfs_work_helper+0x200/0x338\n    process_one_work+0x1a8/0x338\n    worker_thread+0x364/0x4c0\n    kthread+0x100/0x104\n    start_kernel_thread+0x10/0x14\n\nThat commit increased max_segment_size to 64KB, with the justification\nthat the SCSI core was already using that size when PAGE_SIZE == 64KB,\nand that there was existing logic to split over-sized requests.\n\nHowever with a sufficiently large request, the splitting logic causes\neach sg to be split into two commands in the DMA table, leading to\noverflow of the DMA table, triggering the BUG_ON().\n\nWith default settings the bug doesn't trigger, because the request size\nis limited by max_sectors_kb == 1280, however max_sectors_kb can be\nincreased, and apparently some distros do that by default using udev\nrules.\n\nFix the bug for 4KB kernels by reverting to the old max_segment_size.\n\nFor 64KB kernels the sg_tablesize needs to be halved, to allow for the\npossibility that each sg will be split into two.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Validate TA binary size\n\nAdd TA binary size validation to avoid OOB write.\n\n(cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Free job before xe_exec_queue_put\n\nFree job depends on job->vm being valid, the last xe_exec_queue_put can\ndestroy the VM. Prevent UAF by freeing job before xe_exec_queue_put.\n\n(cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix missing workqueue destroy in xe_gt_pagefault\n\nOn driver reload we never free up the memory for the pagefault and\naccess counter workqueues. Add those destroy calls here.\n\n(cherry picked from commit 7586fc52b14e0b8edd0d1f8a434e0de2078b7b2b)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix opregion leak\n\nBeing part of the display, ideally the setup and cleanup would be done by\ndisplay itself. However this is a bigger refactor that needs to be done\non both i915 and xe. For now, just fix the leak:\n\nunreferenced object 0xffff8881a0300008 (size 192):\n  comm \"modprobe\", pid 4354, jiffies 4295647021\n  hex dump (first 32 bytes):\n    00 00 87 27 81 88 ff ff 18 80 9b 00 00 c9 ff ff  ...'............\n    18 81 9b 00 00 c9 ff ff 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 99260e31):\n    [<ffffffff823ce65b>] kmemleak_alloc+0x4b/0x80\n    [<ffffffff81493be2>] kmalloc_trace_noprof+0x312/0x3d0\n    [<ffffffffa1345679>] intel_opregion_setup+0x89/0x700 [xe]\n    [<ffffffffa125bfaf>] xe_display_init_noirq+0x2f/0x90 [xe]\n    [<ffffffffa1199ec3>] xe_device_probe+0x7a3/0xbf0 [xe]\n    [<ffffffffa11f3713>] xe_pci_probe+0x333/0x5b0 [xe]\n    [<ffffffff81af6be8>] local_pci_probe+0x48/0xb0\n    [<ffffffff81af8778>] pci_device_probe+0xc8/0x280\n    [<ffffffff81d09048>] really_probe+0xf8/0x390\n    [<ffffffff81d0937a>] __driver_probe_device+0x8a/0x170\n    [<ffffffff81d09503>] driver_probe_device+0x23/0xb0\n    [<ffffffff81d097b7>] __driver_attach+0xc7/0x190\n    [<ffffffff81d0628d>] bus_for_each_dev+0x7d/0xd0\n    [<ffffffff81d0851e>] driver_attach+0x1e/0x30\n    [<ffffffff81d07ac7>] bus_add_driver+0x117/0x250\n\n(cherry picked from commit 6f4e43a2f771b737d991142ec4f6d4b7ff31fbb4)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask()\n\nUBSAN reports the following 'subtraction overflow' error when booting\nin a virtual machine on Android:\n\n | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4\n | Hardware name: linux,dummy-virt (DT)\n | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n | pc : cancel_delayed_work+0x34/0x44\n | lr : cancel_delayed_work+0x2c/0x44\n | sp : ffff80008002ba60\n | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000\n | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0\n | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058\n | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d\n | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000\n | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000\n | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553\n | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620\n | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000\n | Call trace:\n |  cancel_delayed_work+0x34/0x44\n |  deferred_probe_extend_timeout+0x20/0x70\n |  driver_register+0xa8/0x110\n |  __platform_driver_register+0x28/0x3c\n |  syscon_init+0x24/0x38\n |  do_one_initcall+0xe4/0x338\n |  do_initcall_level+0xac/0x178\n |  do_initcalls+0x5c/0xa0\n |  do_basic_setup+0x20/0x30\n |  kernel_init_freeable+0x8c/0xf8\n |  kernel_init+0x28/0x1b4\n |  ret_from_fork+0x10/0x20\n | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)\n | ---[ end trace 0000000000000000 ]---\n | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception\n\nThis is due to 
shift_and_mask() using a signed immediate to construct\nthe mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so\nthat it ends up decrementing from INT_MIN.\n\nUse an unsigned constant '1U' to generate the mask in shift_and_mask().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: cleanup FB if dpu_format_populate_layout fails\n\nIf the dpu_format_populate_layout() fails, then FB is prepared, but not\ncleaned up. This ends up leaking the pin_count on the GEM object and\ncauses a splat during DRM file closure:\n\nmsm_obj->pin_count\nWARNING: CPU: 2 PID: 569 at drivers/gpu/drm/msm/msm_gem.c:121 update_lru_locked+0xc4/0xcc\n[...]\nCall trace:\n update_lru_locked+0xc4/0xcc\n put_pages+0xac/0x100\n msm_gem_free_object+0x138/0x180\n drm_gem_object_free+0x1c/0x30\n drm_gem_object_handle_put_unlocked+0x108/0x10c\n drm_gem_object_release_handle+0x58/0x70\n idr_for_each+0x68/0xec\n drm_gem_release+0x28/0x40\n drm_file_free+0x174/0x234\n drm_release+0xb0/0x160\n __fput+0xc0/0x2c8\n __fput_sync+0x50/0x5c\n __arm64_sys_close+0x38/0x7c\n invoke_syscall+0x48/0x118\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x4c/0x120\n el0t_64_sync_handler+0x100/0x12c\n el0t_64_sync+0x190/0x194\nirq event stamp: 129818\nhardirqs last  enabled at (129817): [<ffffa5f6d953fcc0>] console_unlock+0x118/0x124\nhardirqs last disabled at (129818): [<ffffa5f6da7dcf04>] el1_dbg+0x24/0x8c\nsoftirqs last  enabled at (129808): [<ffffa5f6d94afc18>] handle_softirqs+0x4c8/0x4e8\nsoftirqs last disabled at (129785): [<ffffa5f6d94105e4>] __do_softirq+0x14/0x20\n\nPatchwork: https://patchwork.freedesktop.org/patch/600714/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate vlan header\n\nEnsure there is sufficient room to access the protocol field of the\nVLAN header, validate it once before the flowtable lookup.\n\n=====================================================\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32\n nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n nf_ingress net/core/dev.c:5440 [inline]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix double DMA unmapping for XDP_REDIRECT\n\nRemove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT\ncode path.  This should have been removed when we let the page pool\nhandle the DMA mapping.  This bug causes the warning:\n\nWARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100\nCPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G        W          6.8.0-1010-gcp #11-Ubuntu\nHardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024\nRIP: 0010:iommu_dma_unmap_page+0xd5/0x100\nCode: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9\nRSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c\nR10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000\nR13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002\nFS:  0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0\n? show_regs+0x6d/0x80\n? __warn+0x89/0x150\n? iommu_dma_unmap_page+0xd5/0x100\n? report_bug+0x16a/0x190\n? handle_bug+0x51/0xa0\n? exc_invalid_op+0x18/0x80\n? iommu_dma_unmap_page+0xd5/0x100\n? iommu_dma_unmap_page+0x35/0x100\ndma_unmap_page_attrs+0x55/0x220\n? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f\nbnxt_rx_xdp+0x237/0x520 [bnxt_en]\nbnxt_rx_pkt+0x640/0xdd0 [bnxt_en]\n__bnxt_poll_work+0x1a1/0x3d0 [bnxt_en]\nbnxt_poll+0xaa/0x1e0 [bnxt_en]\n__napi_poll+0x33/0x1e0\nnet_rx_action+0x18a/0x2f0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible UAF in ip6_xmit()\n\nIf skb_expand_head() returns NULL, skb has been freed\nand the associated dst/idev could also have been freed.\n\nWe must use rcu_read_lock() to prevent a possible UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible UAF in ip6_finish_output2()\n\nIf skb_expand_head() returns NULL, skb has been freed\nand associated dst/idev could also have been freed.\n\nWe need to hold rcu_read_lock() to make sure the dst and\nassociated idev are alive.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent UAF in ip6_send_skb()\n\nsyzbot reported an UAF in ip6_send_skb() [1]\n\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\n\nA similar issue has been fixed in commit\na688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\")\n\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\n\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\n\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n  vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n  do_writev+0x1b1/0x350 fs/read_write.c:1018\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n </TASK>\n\nAllocated by task 6530:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:312 [inline]\n  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3988 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n  dst_alloc+0x12b/0x190 net/core/dst.c:89\n  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 45:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2252 [inline]\n  slab_free mm/slub.c:4473 [inline]\n  kmem_cache_free+0x145/0x350 mm/slub.c:4548\n  dst_destroy+0x2ac/0x460 net/core/dst.c:124\n  rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: Fix out-of-bound access\n\nIf an ATU violation was caused by a CPU Load operation, the SPID could\nbe larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix xfrm real_dev null pointer dereference\n\nWe shouldn't set real_dev to NULL because packets can be in transit and\nxfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume\nreal_dev is set.\n\n Example trace:\n kernel: BUG: unable to handle page fault for address: 0000000000001030\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: #PF: supervisor write access in kernel mode\n kernel: #PF: error_code(0x0002) - not-present page\n kernel: PGD 0 P4D 0\n kernel: Oops: 0002 [#1] PREEMPT SMP\n kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12\n kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel:\n kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60\n kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00\n kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014\n kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000\n kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000\n kernel: FS:  00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die+0x1f/0x60\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel:  ? page_fault_oops+0x142/0x4c0\n kernel:  ? do_user_addr_fault+0x65/0x670\n kernel:  ? kvm_read_and_reset_apf_flags+0x3b/0x50\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel:  ? exc_page_fault+0x7b/0x180\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? nsim_bpf_uninit+0x50/0x50 [netdevsim]\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel:  ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel:  bond_ipsec_offload_ok+0x7b/0x90 [bonding]\n kernel:  xfrm_output+0x61/0x3b0\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel:  ip_push_pending_frames+0x56/0x80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix null pointer deref in bond_ipsec_offload_ok\n\nWe must check if there is an active slave before dereferencing the pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: prevent concurrent execution of tcp_sk_exit_batch\n\nIts possible that two threads call tcp_sk_exit_batch() concurrently,\nonce from the cleanup_net workqueue, once from a task that failed to clone\na new netns.  In the latter case, error unwinding calls the exit handlers\nin reverse order for the 'failed' netns.\n\ntcp_sk_exit_batch() calls tcp_twsk_purge().\nProblem is that since commit b099ce2602d8 (\"net: Batch inet_twsk_purge\"),\nthis function picks up twsk in any dying netns, not just the one passed\nin via exit_batch list.\n\nThis means that the error unwind of setup_net() can \"steal\" and destroy\ntimewait sockets belonging to the exiting netns.\n\nThis allows the netns exit worker to proceed to call\n\nWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));\n\nwithout the expected 1 -> 0 transition, which then splats.\n\nAt same time, error unwind path that is also running inet_twsk_purge()\nwill splat as well:\n\nWARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210\n...\n refcount_dec include/linux/refcount.h:351 [inline]\n inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70\n inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221\n inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304\n tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n setup_net+0x714/0xb40 net/core/net_namespace.c:375\n copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n\n... because refcount_dec() of tw_refcount unexpectedly dropped to 0.\n\nThis doesn't seem like an actual bug (no tw sockets got lost and I don't\nsee a use-after-free) but as erroneous trigger of debug check.\n\nAdd a mutex to force strict ordering: the task that calls tcp_twsk_purge()\nblocks other task from doing final _dec_and_test before mutex-owner has\nremoved all tw sockets of dying netns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: avoid possible NULL dereference in cifs_free_subrequest()\n\nClang static checker (scan-build) warning:\n\tcifsglob.h:line 890, column 3\n\tAccess to field 'ops' results in a dereference of a null pointer.\n\nCommit 519be989717c (\"cifs: Add a tracepoint to track credits involved in\nR/W requests\") adds a check for 'rdata->server', and let clang throw this\nwarning about NULL dereference.\n\nWhen 'rdata->credits.value != 0 && rdata->server == NULL' happens,\nadd_credits_and_wake_if() will call rdata->server->ops->add_credits().\nThis will cause NULL dereference problem. Add a check for 'rdata->server'\nto avoid NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`\n\nWhen enabling UBSAN on Raspberry Pi 5, we get the following warning:\n\n[  387.894977] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/v3d/v3d_sched.c:320:3\n[  387.903868] index 7 is out of range for type '__u32 [7]'\n[  387.909692] CPU: 0 PID: 1207 Comm: kworker/u16:2 Tainted: G        WC         6.10.3-v8-16k-numa #151\n[  387.919166] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)\n[  387.925961] Workqueue: v3d_csd drm_sched_run_job_work [gpu_sched]\n[  387.932525] Call trace:\n[  387.935296]  dump_backtrace+0x170/0x1b8\n[  387.939403]  show_stack+0x20/0x38\n[  387.942907]  dump_stack_lvl+0x90/0xd0\n[  387.946785]  dump_stack+0x18/0x28\n[  387.950301]  __ubsan_handle_out_of_bounds+0x98/0xd0\n[  387.955383]  v3d_csd_job_run+0x3a8/0x438 [v3d]\n[  387.960707]  drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]\n[  387.966862]  process_one_work+0x62c/0xb48\n[  387.971296]  worker_thread+0x468/0x5b0\n[  387.975317]  kthread+0x1c4/0x1e0\n[  387.978818]  ret_from_fork+0x10/0x20\n[  387.983014] ---[ end trace ]---\n\nThis happens because the UAPI provides only seven configuration\nregisters and we are reading the eighth position of this u32 array.\n\nTherefore, fix the out-of-bounds read in `v3d_csd_job_run()` by\naccessing only seven positions on the '__u32 [7]' array. The eighth\nregister exists indeed on V3D 7.1, but it isn't currently used. That\nbeing so, let's guarantee that it remains unused and add a note that it\ncould be set in a future patch.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Restore lost return in iommu_report_device_fault()\n\nWhen iommu_report_device_fault gets called with a partial fault it is\nsupposed to collect the fault into the group and then return.\n\nInstead the return was accidently deleted which results in trying to\nprocess the fault and an eventual crash.\n\nDeleting the return was a typo, put it back.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix a deadlock problem when config TC during resetting\n\nWhen config TC during the reset process, may cause a deadlock, the flow is\nas below:\n                             pf reset start\n                                 \u2502\n                                 \u25bc\n                              ......\nsetup tc                         \u2502\n    \u2502                            \u25bc\n    \u25bc                      DOWN: napi_disable()\nnapi_disable()(skip)             \u2502\n    \u2502                            \u2502\n    \u25bc                            \u25bc\n  ......                      ......\n    \u2502                            \u2502\n    \u25bc                            \u2502\nnapi_enable()                    \u2502\n                                 \u25bc\n                           UINIT: netif_napi_del()\n                                 \u2502\n                                 \u25bc\n                              ......\n                                 \u2502\n                                 \u25bc\n                           INIT: netif_napi_add()\n                                 \u2502\n                                 \u25bc\n                              ......                 global reset start\n                                 \u2502                      \u2502\n                                 \u25bc                      \u25bc\n                           UP: napi_enable()(skip)    ......\n                                 \u2502                      \u2502\n                                 \u25bc                      \u25bc\n                              ......                 napi_disable()\n\nIn reset process, the driver will DOWN the port and then UINIT, in this\ncase, the setup tc process will UP the port before UINIT, so cause the\nproblem. Adds a DOWN process in UINIT to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix recursive ->recvmsg calls\n\nAfter a vsock socket has been added to a BPF sockmap, its prot->recvmsg\nhas been replaced with vsock_bpf_recvmsg(). Thus the following\nrecursiion could happen:\n\nvsock_bpf_recvmsg()\n -> __vsock_recvmsg()\n  -> vsock_connectible_recvmsg()\n   -> prot->recvmsg()\n    -> vsock_bpf_recvmsg() again\n\nWe need to fix it by calling the original ->recvmsg() without any BPF\nsockmap logic in __vsock_recvmsg().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb()\n\nWhen there are multiple ap interfaces on one band and with WED on,\nturning the interface down will cause a kernel panic on MT798X.\n\nPreviously, cb_priv was freed in mtk_wed_setup_tc_block() without\nmarking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too.\n\nAssign NULL after free cb_priv in mtk_wed_setup_tc_block() and check NULL\nin mtk_wed_setup_tc_block_cb().\n\n----------\nUnable to handle kernel paging request at virtual address 0072460bca32b4f5\nCall trace:\n mtk_wed_setup_tc_block_cb+0x4/0x38\n 0xffffffc0794084bc\n tcf_block_playback_offloads+0x70/0x1e8\n tcf_block_unbind+0x6c/0xc8\n...\n---------",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: idt77252: prevent use after free in dequeue_rx()\n\nWe can't dereference \"skb\" after calling vcc->push() because the skb\nis released.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-44999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: pull network headers in gtp_dev_xmit()\n\nsyzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]\n\nWe must make sure the IPv4 or Ipv6 header is pulled in skb->head\nbefore accessing fields in them.\n\nUse pskb_inet_may_pull() to fix this issue.\n\n[1]\nBUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n  ipv6_pdp_find drivers/net/gtp.c:220 [inline]\n  gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]\n  gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281\n  __netdev_start_xmit include/linux/netdevice.h:4913 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4922 [inline]\n  xmit_one net/core/dev.c:3580 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596\n  __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423\n  dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3145 [inline]\n  packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2204\n  __do_sys_sendto net/socket.c:2216 [inline]\n  __se_sys_sendto net/socket.c:2212 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n  x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3994 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674\n  alloc_skb include/linux/skbuff.h:1320 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815\n  packet_alloc_skb net/packet/af_packet.c:2994 [inline]\n  packet_snd net/packet/af_packet.c:3088 [inline]\n  packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2204\n  __do_sys_sendto net/socket.c:2216 [inline]\n  __se_sys_sendto net/socket.c:2212 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212\n  x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/netfs/fscache_cookie: add missing \"n_accesses\" check\n\nThis fixes a NULL pointer dereference bug due to a data race which\nlooks like this:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000008\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP PTI\n  CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43\n  Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018\n  Workqueue: events_unbound netfs_rreq_write_to_cache_work\n  RIP: 0010:cachefiles_prepare_write+0x30/0xa0\n  Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10\n  RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286\n  RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000\n  RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438\n  RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001\n  R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68\n  R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00\n  FS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0\n  Call Trace:\n   <TASK>\n   ? __die+0x1f/0x70\n   ? page_fault_oops+0x15d/0x440\n   ? search_module_extables+0xe/0x40\n   ? fixup_exception+0x22/0x2f0\n   ? exc_page_fault+0x5f/0x100\n   ? asm_exc_page_fault+0x22/0x30\n   ? cachefiles_prepare_write+0x30/0xa0\n   netfs_rreq_write_to_cache_work+0x135/0x2e0\n   process_one_work+0x137/0x2c0\n   worker_thread+0x2e9/0x400\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0xcc/0x100\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x50\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1b/0x30\n   </TASK>\n  Modules linked in:\n  CR2: 0000000000000008\n  ---[ end trace 0000000000000000 ]---\n\nThis happened because fscache_cookie_state_machine() was slow and was\nstill running while another process invoked fscache_unuse_cookie();\nthis led to a fscache_cookie_lru_do_one() call, setting the\nFSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by\nfscache_cookie_state_machine(), withdrawing the cookie via\ncachefiles_withdraw_cookie(), clearing cookie->cache_priv.\n\nAt the same time, yet another process invoked\ncachefiles_prepare_write(), which found a NULL pointer in this code\nline:\n\n  struct cachefiles_object *object = cachefiles_cres_object(cres);\n\nThe next line crashes, obviously:\n\n  struct cachefiles_cache *cache = object->volume->cache;\n\nDuring cachefiles_prepare_write(), the \"n_accesses\" counter is\nnon-zero (via fscache_begin_operation()).  The cookie must not be\nwithdrawn until it drops to zero.\n\nThe counter is checked by fscache_cookie_state_machine() before\nswitching to FSCACHE_COOKIE_STATE_RELINQUISHING and\nFSCACHE_COOKIE_STATE_WITHDRAWING (in \"case\nFSCACHE_COOKIE_STATE_FAILED\"), but not for\nFSCACHE_COOKIE_STATE_LRU_DISCARDING (\"case\nFSCACHE_COOKIE_STATE_ACTIVE\").\n\nThis patch adds the missing check.  With a non-zero access counter,\nthe function returns and the next fscache_end_cookie_access() call\nwill queue another fscache_cookie_state_machine() call to handle the\nstill-pending FSCACHE_COOKIE_DO_LRU_DISCARD.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix RX buf alloc_size alignment and atomic op panic\n\nThe MANA driver's RX buffer alloc_size is passed into napi_build_skb() to\ncreate SKB. skb_shinfo(skb) is located at the end of skb, and its alignment\nis affected by the alloc_size passed into napi_build_skb(). The size needs\nto be aligned properly for better performance and atomic operations.\nOtherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic\noperations may panic on the skb_shinfo(skb)->dataref due to alignment fault.\n\nTo fix this bug, add proper alignment to the alloc_size calculation.\n\nSample panic info:\n[  253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce\n[  253.300900] Mem abort info:\n[  253.301760]   ESR = 0x0000000096000021\n[  253.302825]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  253.304268]   SET = 0, FnV = 0\n[  253.305172]   EA = 0, S1PTW = 0\n[  253.306103]   FSC = 0x21: alignment fault\nCall trace:\n __skb_clone+0xfc/0x198\n skb_clone+0x78/0xe0\n raw6_local_deliver+0xfc/0x228\n ip6_protocol_deliver_rcu+0x80/0x500\n ip6_input_finish+0x48/0x80\n ip6_input+0x48/0xc0\n ip6_sublist_rcv_finish+0x50/0x78\n ip6_sublist_rcv+0x1cc/0x2b8\n ipv6_list_rcv+0x100/0x150\n __netif_receive_skb_list_core+0x180/0x220\n netif_receive_skb_list_internal+0x198/0x2a8\n __napi_poll+0x138/0x250\n net_rx_action+0x148/0x330\n handle_softirqs+0x12c/0x3a0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtla/osnoise: Prevent NULL dereference in error handling\n\nIf the \"tool->data\" allocation fails then there is no need to call\nosnoise_free_top() and, in fact, doing so will lead to a NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don't evict inode under the inode lru traversing context\n\nThe inode reclaiming process(See function prune_icache_sb) collects all\nreclaimable inodes and mark them with I_FREEING flag at first, at that\ntime, other processes will be stuck if they try getting these inodes\n(See function find_inode_fast), then the reclaiming process destroy the\ninodes by function dispose_list(). Some filesystems(eg. ext4 with\nea_inode feature, ubifs with xattr) may do inode lookup in the inode\nevicting callback function, if the inode lookup is operated under the\ninode lru traversing context, deadlock problems may happen.\n\nCase 1: In function ext4_evict_inode(), the ea inode lookup could happen\n        if ea_inode feature is enabled, the lookup process will be stuck\n\tunder the evicting context like this:\n\n 1. File A has inode i_reg and an ea inode i_ea\n 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea\n 3. Then, following three processes running like this:\n\n    PA                              PB\n echo 2 > /proc/sys/vm/drop_caches\n  shrink_slab\n   prune_dcache_sb\n   // i_reg is added into lru, lru->i_ea->i_reg\n   prune_icache_sb\n    list_lru_walk_one\n     inode_lru_isolate\n      i_ea->i_state |= I_FREEING // set inode state\n     inode_lru_isolate\n      __iget(i_reg)\n      spin_unlock(&i_reg->i_lock)\n      spin_unlock(lru_lock)\n                                     rm file A\n                                      i_reg->nlink = 0\n      iput(i_reg) // i_reg->nlink is 0, do evict\n       ext4_evict_inode\n        ext4_xattr_delete_inode\n         ext4_xattr_inode_dec_ref_all\n          ext4_xattr_inode_iget\n           ext4_iget(i_ea->i_ino)\n            iget_locked\n             find_inode_fast\n              __wait_on_freeing_inode(i_ea) ----\u2192 AA deadlock\n    dispose_list // cannot be executed by prune_icache_sb\n     wake_up_bit(&i_ea->i_state)\n\nCase 2: In deleted inode writing function ubifs_jnl_write_inode(), file\n        deleting process holds BASEHD's wbuf->io_mutex while getting the\n\txattr inode, which could race with inode reclaiming process(The\n        reclaiming process could try locking BASEHD's wbuf->io_mutex in\n\tinode evicting function), then an ABBA deadlock problem would\n\thappen as following:\n\n 1. File A has inode ia and a xattr(with inode ixa), regular file B has\n    inode ib and a xattr.\n 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa\n 3. Then, following three processes running like this:\n\n        PA                PB                        PC\n                echo 2 > /proc/sys/vm/drop_caches\n                 shrink_slab\n                  prune_dcache_sb\n                  // ib and ia are added into lru, lru->ixa->ib->ia\n                  prune_icache_sb\n                   list_lru_walk_one\n                    inode_lru_isolate\n                     ixa->i_state |= I_FREEING // set inode state\n                    inode_lru_isolate\n                     __iget(ib)\n                     spin_unlock(&ib->i_lock)\n                     spin_unlock(lru_lock)\n                                                   rm file B\n                                                    ib->nlink = 0\n rm file A\n  iput(ia)\n   ubifs_evict_inode(ia)\n    ubifs_jnl_delete_inode(ia)\n     ubifs_jnl_write_inode(ia)\n      make_reservation(BASEHD) // Lock wbuf->io_mutex\n      ubifs_iget(ixa->i_ino)\n       iget_locked\n        find_inode_fast\n         __wait_on_freeing_inode(ixa)\n          |          iput(ib) // ib->nlink is 0, do evict\n          |           ubifs_evict_inode\n          |            ubifs_jnl_delete_inode(ib)\n          \u2193             ubifs_jnl_write_inode\n     ABBA deadlock \u2190-----make_reservation(BASEHD)\n                   dispose_list // cannot be executed by prune_icache_sb\n                    wake_up_bit(&ixa->i_state)\n\nFix the possible deadlock by using new inode state flag I_LRU_ISOLATING\nto pin the inode in memory while inode_lru_isolate(\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: dcp: fix leak of blob encryption key\n\nTrusted keys unseal the key blob on load, but keep the sealed payload in\nthe blob field so that every subsequent read (export) will simply\nconvert this field to hex and send it to userspace.\n\nWith DCP-based trusted keys, we decrypt the blob encryption key (BEK)\nin the Kernel due hardware limitations and then decrypt the blob payload.\nBEK decryption is done in-place which means that the trusted key blob\nfield is modified and it consequently holds the BEK in plain text.\nEvery subsequent read of that key thus send the plain text BEK instead\nof the encrypted BEK to userspace.\n\nThis issue only occurs when importing a trusted DCP-based key and\nthen exporting it again. This should rarely happen as the common use cases\nare to either create a new trusted key and export it, or import a key\nblob and then just use it without exporting it again.\n\nFix this by performing BEK decryption and encryption in a dedicated\nbuffer. Further always wipe the plain text BEK buffer to prevent leaking\nthe key via uninitialized memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: fix validity interception issue when gisa is switched off\n\nWe might run into a SIE validity if gisa has been disabled either via using\nkernel parameter \"kvm.use_gisa=0\" or by setting the related sysfs\nattribute to N (echo N >/sys/module/kvm/parameters/use_gisa).\n\nThe validity is caused by an invalid value in the SIE control block's\ngisa designation. That happens because we pass the uninitialized gisa\norigin to virt_to_phys() before writing it to the gisa designation.\n\nTo fix this we return 0 in kvm_s390_get_gisa_desc() if the origin is 0.\nkvm_s390_get_gisa_desc() is used to determine which gisa designation to\nset in the SIE control block. A value of 0 in the gisa designation disables\ngisa usage.\n\nThe issue surfaces in the host kernel with the following kernel message as\nsoon a new kvm guest start is attemted.\n\nkvm: unhandled validity intercept 0x1011\nWARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept+0x42e/0x4d0 [kvm]\nModules linked in: vhost_net tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat x_tables nf_nat_tftp nf_conntrack_tftp vfio_pci_core irqbypass vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb kvm nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables sunrpc mlx5_ib ib_uverbs ib_core mlx5_core uvdevice s390_trng eadm_sch vfio_ccw zcrypt_cex4 mdev vfio_iommu_type1 vfio sch_fq_codel drm i2c_core loop drm_panel_orientation_quirks configfs nfnetlink lcs ctcm fsm dm_service_time ghash_s390 prng chacha_s390 libchacha aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common dm_mirror dm_region_hash dm_log zfcp scsi_transport_fc scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkey zcrypt dm_multipath rng_core autofs4 [last unloaded: vfio_pci]\nCPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6\nHardware name: IBM 3931 A01 701 (LPAR)\nKrnl PSW : 0704c00180000000 000003d93deb0122 (kvm_handle_sie_intercept+0x432/0x4d0 [kvm])\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\nKrnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000\n           000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff\n           000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412\n           000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960\nKrnl Code: 000003d93deb0112: c020fffe7259\tlarl\t%r2,000003d93de7e5c4\n           000003d93deb0118: c0e53fa8beac\tbrasl\t%r14,000003d9bd3c7e70\n          #000003d93deb011e: af000000\t\tmc\t0,0\n          >000003d93deb0122: a728ffea\t\tlhi\t%r2,-22\n           000003d93deb0126: a7f4fe24\t\tbrc\t15,000003d93deafd6e\n           000003d93deb012a: 9101f0b0\t\ttm\t176(%r15),1\n           000003d93deb012e: a774fe48\t\tbrc\t7,000003d93deafdbe\n           000003d93deb0132: 40a0f0ae\t\tsth\t%r10,174(%r15)\nCall Trace:\n [<000003d93deb0122>] kvm_handle_sie_intercept+0x432/0x4d0 [kvm]\n([<000003d93deb011e>] kvm_handle_sie_intercept+0x42e/0x4d0 [kvm])\n [<000003d93deacc10>] vcpu_post_run+0x1d0/0x3b0 [kvm]\n [<000003d93deaceda>] __vcpu_run+0xea/0x2d0 [kvm]\n [<000003d93dead9da>] kvm_arch_vcpu_ioctl_run+0x16a/0x430 [kvm]\n [<000003d93de93ee0>] kvm_vcpu_ioctl+0x190/0x7c0 [kvm]\n [<000003d9bd728b4e>] vfs_ioctl+0x2e/0x70\n [<000003d9bd72a092>] __s390x_sys_ioctl+0xc2/0xd0\n [<000003d9be0e9222>] __do_syscall+0x1f2/0x2e0\n [<000003d9be0f9a90>] system_call+0x70/0x98\nLast Breaking-Event-Address:\n [<000003d9bd3c7f58>] __warn_printk+0xe8/0xf0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix Panther point NULL pointer deref at full-speed re-enumeration\n\nre-enumerating full-speed devices after a failed address device command\ncan trigger a NULL pointer dereference.\n\nFull-speed devices may need to reconfigure the endpoint 0 Max Packet Size\nvalue during enumeration. Usb core calls usb_ep0_reinit() in this case,\nwhich ends up calling xhci_configure_endpoint().\n\nOn Panther point xHC the xhci_configure_endpoint() function will\nadditionally check and reserve bandwidth in software. Other hosts do\nthis in hardware\n\nIf xHC address device command fails then a new xhci_virt_device structure\nis allocated as part of re-enabling the slot, but the bandwidth table\npointers are not set up properly here.\nThis triggers the NULL pointer dereference the next time usb_ep0_reinit()\nis called and xhci_configure_endpoint() tries to check and reserve\nbandwidth\n\n[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd\n[46710.713699] usb 3-1: Device not responding to setup address.\n[46710.917684] usb 3-1: Device not responding to setup address.\n[46711.125536] usb 3-1: device not accepting address 5, error -71\n[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[46711.125600] #PF: supervisor read access in kernel mode\n[46711.125603] #PF: error_code(0x0000) - not-present page\n[46711.125606] PGD 0 P4D 0\n[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1\n[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.\n[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]\n[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c\n\nFix this by making sure bandwidth table pointers are set up correctly\nafter a failed address device command, and additionally by avoiding\nchecking for bandwidth in cases like this where no actual endpoints are\nadded or removed, i.e. only context for default control endpoint 0 is\nevaluated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: xillybus: Don't destroy workqueue from work item running on it\n\nTriggered by a kref decrement, destroy_workqueue() may be called from\nwithin a work item for destroying its own workqueue. This illegal\nsituation is averted by adding a module-global workqueue for exclusive\nuse of the offending work item. Other work items continue to be queued\non per-device workqueues to ensure performance.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: MT - limit max slots\n\nsyzbot is reporting too large allocation at input_mt_init_slots(), for\nnum_slots is supplied from userspace using ioctl(UI_DEV_CREATE).\n\nSince nobody knows possible max slots, this patch chose 1024.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only decrement add_addr_accepted for MPJ req\n\nAdding the following warning ...\n\n  WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)\n\n... before decrementing the add_addr_accepted counter helped to find a\nbug when running the \"remove single subflow\" subtest from the\nmptcp_join.sh selftest.\n\nRemoving a 'subflow' endpoint will first trigger a RM_ADDR, then the\nsubflow closure. Before this patch, and upon the reception of the\nRM_ADDR, the other peer will then try to decrement this\nadd_addr_accepted. That's not correct because the attached subflows have\nnot been created upon the reception of an ADD_ADDR.\n\nA way to solve that is to decrement the counter only if the attached\nsubflow was an MP_JOIN to a remote id that was not 0, and initiated by\nthe host receiving the RM_ADDR.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only mark 'subflow' endp as available\n\nAdding the following warning ...\n\n  WARN_ON_ONCE(msk->pm.local_addr_used == 0)\n\n... before decrementing the local_addr_used counter helped to find a bug\nwhen running the \"remove single address\" subtest from the mptcp_join.sh\nselftests.\n\nRemoving a 'signal' endpoint will trigger the removal of all subflows\nlinked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with\nrm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used\ncounter, which is wrong in this case because this counter is linked to\n'subflow' endpoints, and here it is a 'signal' endpoint that is being\nremoved.\n\nNow, the counter is decremented, only if the ID is being used outside\nof mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and\nif the ID is not 0 -- local_addr_used is not taking into account these\nones. This marking of the ID as being available, and the decrement is\ndone no matter if a subflow using this ID is currently available,\nbecause the subflow could have been closed before.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: xillybus: Check USB endpoints when probing device\n\nEnsure, as the driver probes the device, that all endpoints that the\ndriver may attempt to access exist and are of the correct type.\n\nAll XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at\naddress 1. This is verified in xillyusb_setup_base_eps().\n\nOn top of that, a XillyUSB device may have additional Bulk OUT\nendpoints. The information about these endpoints' addresses is deduced\nfrom a data structure (the IDT) that the driver fetches from the device\nwhile probing it. These endpoints are checked in setup_channels().\n\nA XillyUSB device never has more than one IN endpoint, as all data\ntowards the host is multiplexed in this single Bulk IN endpoint. This is\nwhy setup_channels() only checks OUT endpoints.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: use dma non-coherent allocator\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup, when the iommu is enabled:\n\nkernel BUG at include/linux/scatterlist.h:187!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\nHardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\nRIP: 0010:sg_init_one+0x85/0xa0\nCode: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\nRSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\nRBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\nR13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\nFS:  00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\nCall Trace:\n <TASK>\n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n\nFix this by using the non-coherent allocator instead, I think there\nmight be a better answer to this, but it involve ripping up some of\nAPIs using sg lists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: move stopping keep-alive into nvme_uninit_ctrl()\n\nCommit 4733b65d82bd (\"nvme: start keep-alive after admin queue setup\")\nmoves starting keep-alive from nvme_start_ctrl() into\nnvme_init_ctrl_finish(), but don't move stopping keep-alive into\nnvme_uninit_ctrl(), so keep-alive work can be started and keep pending\nafter failing to start controller, finally use-after-free is triggered if\nnvme host driver is unloaded.\n\nThis patch fixes kernel panic when running nvme/004 in case that connection\nfailure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl().\n\nThis way is reasonable because keep-alive is now started in\nnvme_init_ctrl_finish().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/boot: Avoid possible physmem_info segment corruption\n\nWhen physical memory for the kernel image is allocated it does not\nconsider extra memory required for offsetting the image start to\nmatch it with the lower 20 bits of KASLR virtual base address. That\nmight lead to kernel access beyond its memory range.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()\n\nFor cases where the crtc's connectors_changed was set without enable/active\ngetting toggled , there is an atomic_enable() call followed by an\natomic_disable() but without an atomic_mode_set().\n\nThis results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in\nthe atomic_enable() as the dpu_encoder's connector was cleared in the\natomic_disable() but not re-assigned as there was no atomic_mode_set() call.\n\nFix the NULL ptr access by moving the assignment for atomic_enable() and also\nuse drm_atomic_get_new_connector_for_encoder() to get the connector from\nthe atomic_state.\n\nPatchwork: https://patchwork.freedesktop.org/patch/606729/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: fix return value if duplicate enqueue fails\n\nThere is a bug in netem_enqueue() introduced by\ncommit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\")\nthat can lead to a use-after-free.\n\nThis commit made netem_enqueue() always return NET_XMIT_SUCCESS\nwhen a packet is duplicated, which can cause the parent qdisc's q.qlen\nto be mistakenly incremented. When this happens qlen_notify() may be\nskipped on the parent during destruction, leaving a dangling pointer\nfor some classful qdiscs like DRR.\n\nThere are two ways for the bug happen:\n\n- If the duplicated packet is dropped by rootq->enqueue() and then\n  the original packet is also dropped.\n- If rootq->enqueue() sends the duplicated packet to a different qdisc\n  and the original packet is dropped.\n\nIn both cases NET_XMIT_SUCCESS is returned even though no packets\nare enqueued at the netem qdisc.\n\nThe fix is to defer the enqueue of the duplicate packet until after\nthe original packet has been guaranteed to return NET_XMIT_SUCCESS.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec RoCE MPV trace call\n\nPrevent the call trace below from happening, by not allowing IPsec\ncreation over a slave, if master device doesn't support IPsec.\n\nWARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94\nModules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec\n ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci]\nCPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2\nHardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021\nWorkqueue: events xfrm_state_gc_task\nRIP: 0010:down_read+0x75/0x94\nCode: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0\nRSP: 0018:ffffb26387773da8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000\nRBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540\nR13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905\nFS:  0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0\nCall Trace:\n <TASK>\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]\n ? down_read+0x75/0x94\n ? __warn+0x80/0x113\n ? down_read+0x75/0x94\n ? report_bug+0xa4/0x11d\n ? handle_bug+0x35/0x8b\n ? exc_invalid_op+0x14/0x75\n ? asm_exc_invalid_op+0x16/0x1b\n ? down_read+0x75/0x94\n ? down_read+0xe/0x94\n mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]\n mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]\n tx_destroy+0x1b/0xc0 [mlx5_core]\n tx_ft_put+0x53/0xc0 [mlx5_core]\n mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core]\n ___xfrm_state_destroy+0x10f/0x1a2\n xfrm_state_gc_task+0x81/0xa9\n process_one_work+0x1f1/0x3c6\n worker_thread+0x53/0x3e4\n ? process_one_work.cold+0x46/0x3c\n kthread+0x127/0x144\n ? set_kthread_struct+0x60/0x52\n ret_from_fork+0x22/0x2d\n </TASK>\n---[ end trace 5ef7896144d398e1 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: initialise extack before use\n\nFix missing initialisation of extack in flow offload.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Take state lock during tx timeout reporter\n\nmlx5e_safe_reopen_channels() requires the state lock taken. The\nreferenced changed in the Fixes tag removed the lock to fix another\nissue. This patch adds it back but at a later point (when calling\nmlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the\nFixes tag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a kernel verifier crash in stacksafe()\n\nDaniel Hodges reported a kernel verifier crash when playing with sched-ext.\nFurther investigation shows that the crash is due to invalid memory access\nin stacksafe(). More specifically, it is the following code:\n\n    if (exact != NOT_EXACT &&\n        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=\n        cur->stack[spi].slot_type[i % BPF_REG_SIZE])\n            return false;\n\nThe 'i' iterates old->allocated_stack.\nIf cur->allocated_stack < old->allocated_stack the out-of-bound\naccess will happen.\n\nTo fix the issue add 'i >= cur->allocated_stack' check such that if\nthe condition is true, stacksafe() should fail. Otherwise,\ncur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg_write_event_control(): fix a user-triggerable oops\n\nwe are *not* guaranteed that anything past the terminating NUL\nis mapped (let alone initialized with anything sane).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0\n\nThe __vmap_pages_range_noflush() assumes its argument pages** contains\npages with the same page shift.  However, since commit e9c3cda4d86e (\"mm,\nvmalloc: fix high order __GFP_NOFAIL allocations\"), if gfp_flags includes\n__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation\nfailed for high order, the pages** may contain two different page shifts\n(high order and order-0).  This could lead __vmap_pages_range_noflush() to\nperform incorrect mappings, potentially resulting in memory corruption.\n\nUsers might encounter this as follows (vmap_allow_huge = true, 2M is for\nPMD_SIZE):\n\nkvmalloc(2M, __GFP_NOFAIL|GFP_X)\n    __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)\n        vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0\n            vmap_pages_range()\n                vmap_pages_range_noflush()\n                    __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens\n\nWe can remove the fallback code because if a high-order allocation fails,\n__vmalloc_node_range_noprof() will retry with order-0.  Therefore, it is\nunnecessary to fall back to order-0 here.  Therefore, fix this by removing\nthe fallback code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: Fix data corruption for degraded array with slow disk\n\nread_balance() will avoid reading from slow disks as much as possible,\nhowever, if valid data only lands in slow disks, and a new normal disk\nis still in recovery, unrecovered data can be read:\n\nraid1_read_request\n read_balance\n  raid1_should_read_first\n  -> return false\n  choose_best_rdev\n  -> normal disk is not recovered, return -1\n  choose_bb_rdev\n  -> missing the checking of recovery, return the normal disk\n -> read unrecovered data\n\nRoot cause is that the checking of recovery is missing in\nchoose_bb_rdev(). Hence add such checking to fix the problem.\n\nAlso fix similar problem in choose_slow_rdev().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb vs. core-mm PT locking\n\nWe recently made GUP's common page table walking code to also walk hugetlb\nVMAs without most hugetlb special-casing, preparing for the future of\nhaving less hugetlb-specific page table walking code in the codebase. \nTurns out that we missed one page table locking detail: page table locking\nfor hugetlb folios that are not mapped using a single PMD/PUD.\n\nAssume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB\nhugetlb folios on arm64 with 4 KiB base page size).  GUP, as it walks the\npage tables, will perform a pte_offset_map_lock() to grab the PTE table\nlock.\n\nHowever, hugetlb that concurrently modifies these page tables would\nactually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the\nlocks would differ.  Something similar can happen right now with hugetlb\nfolios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.\n\nThis issue can be reproduced [1], for example triggering:\n\n[ 3105.936100] ------------[ cut here ]------------\n[ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188\n[ 3105.944634] Modules linked in: [...]\n[ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1\n[ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024\n[ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 3105.991108] pc : try_grab_folio+0x11c/0x188\n[ 3105.994013] lr : follow_page_pte+0xd8/0x430\n[ 3105.996986] sp : ffff80008eafb8f0\n[ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43\n[ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48\n[ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978\n[ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001\n[ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000\n[ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000\n[ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0\n[ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080\n[ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000\n[ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000\n[ 3106.047957] Call trace:\n[ 3106.049522]  try_grab_folio+0x11c/0x188\n[ 3106.051996]  follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0\n[ 3106.055527]  follow_page_mask+0x1a0/0x2b8\n[ 3106.058118]  __get_user_pages+0xf0/0x348\n[ 3106.060647]  faultin_page_range+0xb0/0x360\n[ 3106.063651]  do_madvise+0x340/0x598\n\nLet's make huge_pte_lockptr() effectively use the same PT locks as any\ncore-mm page table walker would.  Add ptep_lockptr() to obtain the PTE\npage table lock using a pte pointer -- unfortunately we cannot convert\npte_lockptr() because virt_to_page() doesn't work with kmap'ed page tables\nwe can have with CONFIG_HIGHPTE.\n\nHandle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such\nthat when e.g., CONFIG_PGTABLE_LEVELS==2 with\nPGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected.  Document\nwhy that works.\n\nThere is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb\nfolio being mapped using two PTE page tables.  While hugetlb wants to take\nthe PMD table lock, core-mm would grab the PTE table lock of one of both\nPTE page tables.  In such corner cases, we have to make sure that both\nlocks match, which is (fortunately!) currently guaranteed for 8xx as it\ndoes not support SMP and consequently doesn't use split PT locks.\n\n[1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE\n\ncopy_fd_bitmaps(new, old, count) is expected to copy the first\ncount/BITS_PER_LONG bits from old->full_fds_bits[] and fill\nthe rest with zeroes.  What it does is copying enough words\n(BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.\nThat works fine, *if* all bits past the cutoff point are\nclear.  Otherwise we are risking garbage from the last word\nwe'd copied.\n\nFor most of the callers that is true - expand_fdtable() has\ncount equal to old->max_fds, so there's no open descriptors\npast count, let alone fully occupied words in ->open_fds[],\nwhich is what bits in ->full_fds_bits[] correspond to.\n\nThe other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),\nwhich is the smallest multiple of BITS_PER_LONG that covers all\nopened descriptors below max_fds.  In the common case (copying on\nfork()) max_fds is ~0U, so all opened descriptors will be below\nit and we are fine, by the same reasons why the call in expand_fdtable()\nis safe.\n\nUnfortunately, there is a case where max_fds is less than that\nand where we might, indeed, end up with junk in ->full_fds_bits[] -\nclose_range(from, to, CLOSE_RANGE_UNSHARE) with\n\t* descriptor table being currently shared\n\t* 'to' being above the current capacity of descriptor table\n\t* 'from' being just under some chunk of opened descriptors.\nIn that case we end up with observably wrong behaviour - e.g. spawn\na child with CLONE_FILES, get all descriptors in range 0..127 open,\nthen close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending\nup with descriptor #128, despite #64 being observably not open.\n\nThe minimally invasive fix would be to deal with that in dup_fd().\nIf this proves to add measurable overhead, we can go that way, but\nlet's try to fix copy_fd_bitmaps() first.\n\n* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).\n* make copy_fd_bitmaps() take the bitmap size in words, rather than\nbits; its 'count' argument is always a multiple of BITS_PER_LONG,\nso we are not losing any information, and that way we can use the\nsame helper for all three bitmaps - compiler will see that count\nis a multiple of BITS_PER_LONG for the large ones, so it'll generate\nplain memcpy()+memset().\n\nReproducer added to tools/testing/selftests/core/close_range_test.c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error recovery leading to data corruption on ESE devices\n\nExtent Space Efficient (ESE) or thin provisioned volumes need to be\nformatted on demand during usual IO processing.\n\nThe dasd_ese_needs_format function checks for error codes that signal\nthe non-existence of a proper track format.\n\nThe check for incorrect length is too imprecise since other error cases\nleading to transport of insufficient data also have this flag set.\nThis might lead to data corruption in certain error cases for example\nduring a storage server warmstart.\n\nFix by removing the check for incorrect length and replacing by\nexplicitly checking for invalid track format in transport mode.\n\nAlso remove the check for file protected since this is not a valid\nESE handling case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()\n\nIf xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop\nup the damage. If it fails early enough, before xhci->interrupters\nis allocated but after xhci->max_interrupters has been set, which\nhappens in most (all?) cases, things get uglier, as xhci_mem_cleanup()\nunconditionally dereferences xhci->interrupters. With prejudice.\n\nGate the interrupt freeing loop with a check on xhci->interrupters\nbeing non-NULL.\n\nFound while debugging a DMA allocation issue that led the XHCI driver\non this exact path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_test: Fix NULL dereference on allocation failure\n\nIf the \"test->highmem = alloc_pages()\" allocation fails then calling\n__free_pages(test->highmem) will result in a NULL dereference.  Also\nchange the error code to -ENOMEM instead of returning success.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: Do not mark ACPI devices as irq safe\n\nOn ACPI machines, the tegra i2c module encounters an issue due to a\nmutex being called inside a spinlock. This leads to the following bug:\n\n\tBUG: sleeping function called from invalid context at kernel/locking/mutex.c:585\n\t...\n\n\tCall trace:\n\t__might_sleep\n\t__mutex_lock_common\n\tmutex_lock_nested\n\tacpi_subsys_runtime_resume\n\trpm_resume\n\ttegra_i2c_xfer\n\nThe problem arises because during __pm_runtime_resume(), the spinlock\n&dev->power.lock is acquired before rpm_resume() is called. Later,\nrpm_resume() invokes acpi_subsys_runtime_resume(), which relies on\nmutexes, triggering the error.\n\nTo address this issue, devices on ACPI are now marked as not IRQ-safe,\nconsidering the dependency of acpi_subsys_runtime_resume() on mutexes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: cope with large MAX_SKB_FRAGS\n\nSabrina reports that the igb driver does not cope well with large\nMAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload\ncorruption on TX.\n\nAn easy reproducer is to run ssh to connect to the machine.  With\nMAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails.  This has\nbeen reported originally in\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2265320\n\nThe root cause of the issue is that the driver does not take into\naccount properly the (possibly large) shared info size when selecting\nthe ring layout, and will try to fit two packets inside the same 4K\npage even when the 1st fraglist will trump over the 2nd head.\n\nAddress the issue by checking if 2K buffers are insufficient.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-45828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Mask ring interrupts before ring stop request\n\nBus cleanup path in DMA mode may trigger a RING_OP_STAT interrupt when\nthe ring is being stopped. Depending on timing between ring stop request\ncompletion, interrupt handler removal and code execution this may lead\nto a NULL pointer dereference in hci_dma_irq_handler() if it gets to run\nafter the io_data pointer is set to NULL in hci_dma_cleanup().\n\nPrevent this by masking the ring interrupts before ring stop request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-45828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-46672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion\n\nwpa_supplicant 2.11 sends since 1efdba5fdc2c (\"Handle PMKSA flush in the\ndriver for SAE/OWE offload cases\") SSID based PMKSA del commands.\nbrcmfmac is not prepared and tries to dereference the NULL bssid and\npmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based\nupdates so copy the SSID.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aacraid: Fix double-free on probe failure\n\naac_probe_one() calls hardware-specific init functions through the\naac_driver_ident::init pointer, all of which eventually call down to\naac_init_adapter().\n\nIf aac_init_adapter() fails after allocating memory for aac_dev::queues,\nit frees the memory but does not clear that member.\n\nAfter the hardware-specific init function returns an error,\naac_probe_one() goes down an error path that frees the memory pointed to\nby aac_dev::queues, resulting in a double-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: st: fix probed platform device ref count on probe error path\n\nThe probe function never performs any platform device allocation, thus\nerror path \"undo_platform_dev_alloc\" is entirely bogus.  It drops the\nreference count from the platform device being probed.  If error path is\ntriggered, this will lead to unbalanced device reference counts and\npremature release of device resources, thus possible use-after-free when\nreleasing remaining devm-managed resources.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Prevent USB core invalid event buffer address access\n\nThis commit addresses an issue where the USB core could access an\ninvalid event buffer address during runtime suspend, potentially causing\nSMMU faults and other memory issues in Exynos platforms. The problem\narises from the following sequence.\n        1. In dwc3_gadget_suspend, there is a chance of a timeout when\n        moving the USB core to the halt state after clearing the\n        run/stop bit by software.\n        2. In dwc3_core_exit, the event buffer is cleared regardless of\n        the USB core's status, which may lead to SMMU faults and\n        other memory issues if the USB core tries to access the event\n        buffer address.\n\nTo prevent this hardware quirk on Exynos platforms, this commit ensures\nthat the event buffer address is not cleared by software when the USB\ncore is active during runtime suspend by checking its status before\nclearing the buffer address.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Add poll mod list filling check\n\nIn case of im_protocols value is 1 and tm_protocols value is 0 this\ncombination successfully passes the check\n'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().\nBut then after pn533_poll_create_mod_list() call in pn533_start_poll()\npoll mod list will remain empty and dev->poll_mod_count will remain 0\nwhich leads to division by zero.\n\nNormally no im protocol has value 1 in the mask, so this combination is\nnot expected by driver. But these protocol values actually come from\nuserspace via Netlink interface (NFC_CMD_START_POLL operation). So a\nbroken or malicious program may pass a message containing a \"bad\"\ncombination of protocol parameter values so that dev->poll_mod_count\nis not incremented inside pn533_poll_create_mod_list(), thus leading\nto division by zero.\nCall trace looks like:\nnfc_genl_start_poll()\n  nfc_start_poll()\n    ->start_poll()\n    pn533_start_poll()\n\nAdd poll mod list filling check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix a potential NULL pointer dereference\n\nWhen sockfd_lookup() fails, gtp_encap_enable_socket() returns a\nNULL pointer, but its callers only check for error pointers thus miss\nthe NULL pointer case.\n\nFix it by returning an error pointer with the error code carried from\nsockfd_lookup().\n\n(I found this bug during code inspection.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: change ipsec_lock from spin lock to mutex\n\nIn the cited commit, bond->ipsec_lock is added to protect ipsec_list,\nhence xdo_dev_state_add and xdo_dev_state_delete are called inside\nthis lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep,\n\"scheduling while atomic\" will be triggered when changing bond's\nactive slave.\n\n[  101.055189] BUG: scheduling while atomic: bash/902/0x00000200\n[  101.055726] Modules linked in:\n[  101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1\n[  101.058760] Hardware name:\n[  101.059434] Call Trace:\n[  101.059436]  <TASK>\n[  101.060873]  dump_stack_lvl+0x51/0x60\n[  101.061275]  __schedule_bug+0x4e/0x60\n[  101.061682]  __schedule+0x612/0x7c0\n[  101.062078]  ? __mod_timer+0x25c/0x370\n[  101.062486]  schedule+0x25/0xd0\n[  101.062845]  schedule_timeout+0x77/0xf0\n[  101.063265]  ? asm_common_interrupt+0x22/0x40\n[  101.063724]  ? __bpf_trace_itimer_state+0x10/0x10\n[  101.064215]  __wait_for_common+0x87/0x190\n[  101.064648]  ? usleep_range_state+0x90/0x90\n[  101.065091]  cmd_exec+0x437/0xb20 [mlx5_core]\n[  101.065569]  mlx5_cmd_do+0x1e/0x40 [mlx5_core]\n[  101.066051]  mlx5_cmd_exec+0x18/0x30 [mlx5_core]\n[  101.066552]  mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]\n[  101.067163]  ? bonding_sysfs_store_option+0x4d/0x80 [bonding]\n[  101.067738]  ? kmalloc_trace+0x4d/0x350\n[  101.068156]  mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]\n[  101.068747]  mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]\n[  101.069312]  bond_change_active_slave+0x392/0x900 [bonding]\n[  101.069868]  bond_option_active_slave_set+0x1c2/0x240 [bonding]\n[  101.070454]  __bond_opt_set+0xa6/0x430 [bonding]\n[  101.070935]  __bond_opt_set_notify+0x2f/0x90 [bonding]\n[  101.071453]  bond_opt_tryset_rtnl+0x72/0xb0 [bonding]\n[  101.071965]  bonding_sysfs_store_option+0x4d/0x80 [bonding]\n[  101.072567]  kernfs_fop_write_iter+0x10c/0x1a0\n[  101.073033]  vfs_write+0x2d8/0x400\n[  101.073416]  ? alloc_fd+0x48/0x180\n[  101.073798]  ksys_write+0x5f/0xe0\n[  101.074175]  do_syscall_64+0x52/0x110\n[  101.074576]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nAs bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called\nfrom bond_change_active_slave, which requires holding the RTNL lock.\nAnd bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state\nxdo_dev_state_add and xdo_dev_state_delete APIs, which are in user\ncontext. So ipsec_lock doesn't have to be spin lock, change it to\nmutex, and thus the above issue can be resolved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: check device is present when getting link settings\n\nA sysfs reader can race with a device reset or removal, attempting to\nread device state when the device is not actually present. eg:\n\n     [exception RIP: qed_get_current_link+17]\n  #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]\n  #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3\n #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4\n #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300\n #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c\n #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b\n #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3\n #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1\n #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f\n #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb\n\n crash> struct net_device.state ffff9a9d21336000\n    state = 5,\n\nstate 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).\nThe device is not present, note lack of __LINK_STATE_PRESENT (0b10).\n\nThis is the same sort of panic as observed in commit 4224cfd7fb65\n(\"net-sysfs: add check for netdevice being present to speed_show\").\n\nThere are many other callers of __ethtool_get_link_ksettings() which\ndon't have a device presence check.\n\nMove this check into ethtool to protect all callers.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix random crash seen while removing driver\n\nThis fixes the random kernel crash seen while removing the driver, when\nrunning the load/unload test over multiple iterations.\n\n1) modprobe btnxpuart\n2) hciconfig hci0 reset\n3) hciconfig (check hci0 interface up with valid BD address)\n4) modprobe -r btnxpuart\nRepeat steps 1 to 4\n\nThe ps_wakeup() call in btnxpuart_close() schedules the psdata->work(),\nwhich gets scheduled after module is removed, causing a kernel crash.\n\nThis hidden issue got highlighted after enabling Power Save by default\nin 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on\nstartup)\n\nThe new ps_cleanup() deasserts UART break immediately while closing\nserdev device, cancels any scheduled ps_work and destroys the ps_lock\nmutex.\n\n[   85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258\n[   85.884624] Mem abort info:\n[   85.884625]   ESR = 0x0000000086000007\n[   85.884628]   EC = 0x21: IABT (current EL), IL = 32 bits\n[   85.884633]   SET = 0, FnV = 0\n[   85.884636]   EA = 0, S1PTW = 0\n[   85.884638]   FSC = 0x07: level 3 translation fault\n[   85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000\n[   85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000\n[   85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP\n[   85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]\n[   85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G           O       6.1.36+g937b1be4345a #1\n[   85.936176] Hardware name: FSL i.MX8MM EVK board (DT)\n[   85.936182] Workqueue: events 0xffffd4a61638f380\n[   85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   85.952817] pc : 0xffffd4a61638f258\n[   85.952823] lr : 0xffffd4a61638f258\n[   85.952827] sp : ffff8000084fbd70\n[   85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000\n[   85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305\n[   85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970\n[   85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000\n[   85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090\n[   85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139\n[   85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50\n[   85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8\n[   85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000\n[   85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000\n[   85.977443] Call trace:\n[   85.977446]  0xffffd4a61638f258\n[   85.977451]  0xffffd4a61638f3e8\n[   85.977455]  process_one_work+0x1d4/0x330\n[   85.977464]  worker_thread+0x6c/0x430\n[   85.977471]  kthread+0x108/0x10c\n[   85.977476]  ret_from_fork+0x10/0x20\n[   85.977488] Code: bad PC value\n[   85.977491] ---[ end trace 0000000000000000 ]---\n\nPreset since v6.9.11",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npktgen: use cpus_read_lock() in pg_net_init()\n\nI have seen the WARN_ON(smp_processor_id() != cpu) firing\nin pktgen_thread_worker() during tests.\n\nWe must use cpus_read_lock()/cpus_read_unlock()\naround the for_each_online_cpu(cpu) loop.\n\nWhile we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open\n\nPrior to commit 3f29cc82a84c (\"nfsd: split sc_status out of\nsc_type\") states_show() relied on sc_type field to be of valid\ntype before calling into a subfunction to show content of a\nparticular stateid. From that commit, we split the validity of\nthe stateid into sc_status and no longer changed sc_type to 0\nwhile unhashing the stateid. This resulted in kernel oopsing\nfor nfsv4.0 opens that stay around and in nfs4_show_open()\nwould dereference sc_file which was NULL.\n\nInstead, for closed open stateids forgo displaying information\nthat relies on having a valid sc_file.\n\nTo reproduce: mount the server with 4.0, read and close\na file and then on the server cat /proc/fs/nfsd/clients/2/states\n\n[  513.590804] Call trace:\n[  513.590925]  _raw_spin_lock+0xcc/0x160\n[  513.591119]  nfs4_show_open+0x78/0x2c0 [nfsd]\n[  513.591412]  states_show+0x44c/0x488 [nfsd]\n[  513.591681]  seq_read_iter+0x5d8/0x760\n[  513.591896]  seq_read+0x188/0x208\n[  513.592075]  vfs_read+0x148/0x470\n[  513.592241]  ksys_read+0xcc/0x178",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: prevent UAF around preempt fence\n\nThe fence lock is part of the queue, therefore in the current design\nanything locking the fence should then also hold a ref to the queue to\nprevent the queue from being freed.\n\nHowever, currently it looks like we signal the fence and then drop the\nqueue ref, but if something is waiting on the fence, the waiter is\nkicked to wake up at some later point, where upon waking up it first\ngrabs the lock before checking the fence state. But if we have already\ndropped the queue ref, then the lock might already be freed as part of\nthe queue, leading to uaf.\n\nTo prevent this, move the fence lock into the fence itself so we don't\nrun into lifetime issues. Alternative might be to have device level\nlock, or only release the queue in the fence release callback, however\nthat might require pushing to another worker to avoid locking issues.\n\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020\n(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined\n\ncreate_elf_fdpic_tables() does not correctly account the space for the\nAUX vector when an architecture has ELF_HWCAP2 defined. Prior to the\ncommit 10e29251be0e (\"binfmt_elf_fdpic: fix /proc/<pid>/auxv\") it\nresulted in the last entry of the AUX vector being set to zero, but with\nthat change it results in a kernel BUG.\n\nFix that by adding one to the number of AUXV entries (nitems) when\nELF_HWCAP2 is defined.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference in pcs_get_function()\n\npinmux_generic_get_function() can return NULL and the pointer 'function'\nwas dereferenced without checking against NULL. Add checking of pointer\n'function' in pcs_get_function().\n\nFound by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()\n\nThis happens when called from SMB2_read() while using rdma\nand reaching the rdma_readwrite_threshold.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()\n\n[BUG]\nThere is an internal report that KASAN is reporting use-after-free, with\nthe following backtrace:\n\n  BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n  Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45\n  CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n  Call Trace:\n   dump_stack_lvl+0x61/0x80\n   print_address_description.constprop.0+0x5e/0x2f0\n   print_report+0x118/0x216\n   kasan_report+0x11d/0x1f0\n   btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n   process_one_work+0xce0/0x12a0\n   worker_thread+0x717/0x1250\n   kthread+0x2e3/0x3c0\n   ret_from_fork+0x2d/0x70\n   ret_from_fork_asm+0x11/0x20\n\n  Allocated by task 20917:\n   kasan_save_stack+0x37/0x60\n   kasan_save_track+0x10/0x30\n   __kasan_slab_alloc+0x7d/0x80\n   kmem_cache_alloc_noprof+0x16e/0x3e0\n   mempool_alloc_noprof+0x12e/0x310\n   bio_alloc_bioset+0x3f0/0x7a0\n   btrfs_bio_alloc+0x2e/0x50 [btrfs]\n   submit_extent_page+0x4d1/0xdb0 [btrfs]\n   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n   btrfs_readahead+0x29a/0x430 [btrfs]\n   read_pages+0x1a7/0xc60\n   page_cache_ra_unbounded+0x2ad/0x560\n   filemap_get_pages+0x629/0xa20\n   filemap_read+0x335/0xbf0\n   vfs_read+0x790/0xcb0\n   ksys_read+0xfd/0x1d0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n  Freed by task 20917:\n   kasan_save_stack+0x37/0x60\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x50\n   __kasan_slab_free+0x4b/0x60\n   kmem_cache_free+0x214/0x5d0\n   bio_free+0xed/0x180\n   end_bbio_data_read+0x1cc/0x580 [btrfs]\n   btrfs_submit_chunk+0x98d/0x1880 [btrfs]\n   btrfs_submit_bio+0x33/0x70 [btrfs]\n   submit_one_bio+0xd4/0x130 [btrfs]\n   submit_extent_page+0x3ea/0xdb0 [btrfs]\n   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n   btrfs_readahead+0x29a/0x430 [btrfs]\n   read_pages+0x1a7/0xc60\n   page_cache_ra_unbounded+0x2ad/0x560\n   filemap_get_pages+0x629/0xa20\n   filemap_read+0x335/0xbf0\n   vfs_read+0x790/0xcb0\n   ksys_read+0xfd/0x1d0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[CAUSE]\nAlthough I cannot reproduce the error, the report itself is good enough\nto pin down the cause.\n\nThe call trace is the regular endio workqueue context, but the\nfree-by-task trace is showing that during btrfs_submit_chunk() we\nalready hit a critical error, and is calling btrfs_bio_end_io() to error\nout.  And the original endio function called bio_put() to free the whole\nbio.\n\nThis means a double freeing thus causing use-after-free, e.g.:\n\n1. Enter btrfs_submit_bio() with a read bio\n   The read bio length is 128K, crossing two 64K stripes.\n\n2. The first run of btrfs_submit_chunk()\n\n2.1 Call btrfs_map_block(), which returns 64K\n2.2 Call btrfs_split_bio()\n    Now there are two bios, one referring to the first 64K, the other\n    referring to the second 64K.\n2.3 The first half is submitted.\n\n3. The second run of btrfs_submit_chunk()\n\n3.1 Call btrfs_map_block(), which by somehow failed\n    Now we call btrfs_bio_end_io() to handle the error\n\n3.2 btrfs_bio_end_io() calls the original endio function\n    Which is end_bbio_data_read(), and it calls bio_put() for the\n    original bio.\n\n    Now the original bio is freed.\n\n4. The submitted first 64K bio finished\n   Now we call into btrfs_check_read_bio() and tries to advance the bio\n   iter.\n   But since the original bio (thus its iter) is already freed, we\n   trigger the above use-after free.\n\n   And even if the memory is not poisoned/corrupted, we will later call\n   the original endio function, causing a double freeing.\n\n[FIX]\nInstead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),\nwhich has the extra check on split bios and do the pr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails\n\nIf z_erofs_gbuf_growsize() partially fails on a global buffer due to\nmemory allocation failure or fault injection (as reported by syzbot [1]),\nnew pages need to be freed by comparing to the existing pages to avoid\nmemory leaks.\n\nHowever, the old gbuf->pages[] array may not be large enough, which can\nlead to null-ptr-deref or out-of-bound access.\n\nFix this by checking against gbuf->nrpages in advance.\n\n[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: cmd-db: Map shared memory as WC, not WB\n\nLinux does not write into cmd-db region. This region of memory is write\nprotected by XPU. XPU may sometime falsely detect clean cache eviction\nas \"write\" into the write protected region leading to secure interrupt\nwhich causes an endless loop somewhere in Trust Zone.\n\nThe only reason it is working right now is because Qualcomm Hypervisor\nmaps the same region as Non-Cacheable memory in Stage 2 translation\ntables. The issue manifests if we want to use another hypervisor (like\nXen or KVM), which does not know anything about those specific mappings.\n\nChanging the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC\nremoves dependency on correct mappings in Stage 2 tables. This patch\nfixes the issue by updating the mapping to MEMREMAP_WC.\n\nI tested this on SA8155P with Xen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease\n\nIt is not safe to dereference fl->c.flc_owner without first confirming\nfl->fl_lmops is the expected manager.  nfsd4_deleg_getattr_conflict()\ntests fl_lmops but largely ignores the result and assumes that flc_owner\nis an nfs4_delegation anyway.  This is wrong.\n\nWith this patch we restore the \"!= &nfsd_lease_mng_ops\" case to behave\nas it did before the change mentioned below.  This is the same as the\ncurrent code, but without any reference to a possible delegation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Move unregister out of atomic section\n\nCommit '9329933699b3 (\"soc: qcom: pmic_glink: Make client-lock\nnon-sleeping\")' moved the pmic_glink client list under a spinlock, as it\nis accessed by the rpmsg/glink callback, which in turn is invoked from\nIRQ context.\n\nThis means that ucsi_unregister() is now called from atomic context,\nwhich isn't feasible as it's expecting a sleepable context. An effort is\nunder way to get GLINK to invoke its callbacks in a sleepable context,\nbut until then let's schedule the unregistration.\n\nA side effect of this is that ucsi_unregister() can now happen\nafter the remote processor, and thereby the communication link with it, is\ngone. pmic_glink_send() is amended with a check to avoid the resulting NULL\npointer dereference.\nThis does however result in the user being informed about this error by\nthe following entry in the kernel log:\n\n  ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: Mark get_wq_ctx() as atomic call\n\nCurrently get_wq_ctx() is wrongly configured as a standard call. When two\nSMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to\nresume the corresponding sleeping thread. But if get_wq_ctx() is\ninterrupted, goes to sleep and another SMC call is waiting to be allocated\na waitq context, it leads to a deadlock.\n\nTo avoid this get_wq_ctx() must be an atomic call and can't be a standard\nSMC call. Hence mark get_wq_ctx() as a fast call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifier fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0                               CPU1\n ----                               ----\n ucsi->client = NULL;\n devm_pmic_glink_register_client()\n  client->pdr_notify(client->priv, pg->client_state)\n   pmic_glink_ucsi_pdr_notify()\n    schedule_work(&ucsi->register_work)\n    <schedule away>\n                                    pmic_glink_ucsi_register()\n                                     ucsi_register()\n                                      pmic_glink_ucsi_read_version()\n                                       pmic_glink_ucsi_read()\n                                        pmic_glink_ucsi_read()\n                                         pmic_glink_send(ucsi->client)\n                                         <client is NULL BAD>\n ucsi->client = client // Too late!\n\nThis code is identical across the altmode, battery manager and ucsi\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.\n\n(cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux,smack: don't bypass permissions check in inode_setsecctx hook\n\nMarek Gresko reports that the root user on an NFS client is able to\nchange the security labels on files on an NFS filesystem that is\nexported with root squashing enabled.\n\nThe end of the kerneldoc comment for __vfs_setxattr_noperm() states:\n\n *  This function requires the caller to lock the inode's i_mutex before it\n *  is executed. It also assumes that the caller will make the appropriate\n *  permission checks.\n\nnfsd_setattr() does do permissions checking via fh_verify() and\nnfsd_permission(), but those don't do all the same permissions checks\nthat are done by security_inode_setxattr() and its related LSM hooks do.\n\nSince nfsd_setattr() is the only consumer of security_inode_setsecctx(),\nsimplest solution appears to be to replace the call to\n__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked().  This\nfixes the above issue and has the added benefit of causing nfsd to\nrecall conflicting delegations on a file when a client tries to change\nits security label.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix potential UAF in nfsd4_cb_getattr_release\n\nOnce we drop the delegation reference, the fields embedded in it are no\nlonger safe to access. Do that last.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: ensure that nfsd4_fattr_args.context is zeroed out\n\nIf nfsd4_encode_fattr4 ends up doing a \"goto out\" before we get to\nchecking for the security label, then args.context will be set to\nuninitialized junk on the stack, which we'll then try to free.\nInitialize it early.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo/aperture: optionally match the device in sysfb_disable()\n\nIn aperture_remove_conflicting_pci_devices(), we currently only\ncall sysfb_disable() on vga class devices.  This leads to the\nfollowing problem when the primary device is not VGA compatible:\n\n1. A PCI device with a non-VGA class is the boot display\n2. That device is probed first and it is not a VGA device so\n   sysfb_disable() is not called, but the device resources\n   are freed by aperture_detach_platform_device()\n3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()\n4. NULL pointer dereference via sysfb_disable() since the resources\n   have already been freed by aperture_detach_platform_device() when\n   it was called by the other device.\n\nFix this by passing a device pointer to sysfb_disable() and checking\nthe device to determine if we should execute it or not.\n\nv2: Fix build when CONFIG_SCREEN_INFO is not set\nv3: Move device check into the mutex\n    Drop primary variable in aperture_remove_conflicting_pci_devices()\n    Drop __init on pci sysfb_pci_dev_is_enabled()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable preemption while updating GPU stats\n\nWe forgot to disable preemption around the write_seqcount_begin/end() pair\nwhile updating GPU stats:\n\n  [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]\n  [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]\n <...snip...>\n  [ ] Call trace:\n  [ ]  __seqprop_assert.isra.0+0x128/0x150 [v3d]\n  [ ]  v3d_job_start_stats.isra.0+0x90/0x218 [v3d]\n  [ ]  v3d_bin_job_run+0x23c/0x388 [v3d]\n  [ ]  drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]\n  [ ]  process_one_work+0x62c/0xb48\n  [ ]  worker_thread+0x468/0x5b0\n  [ ]  kthread+0x1c4/0x1e0\n  [ ]  ret_from_fork+0x10/0x20\n\nFix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibfs: fix infinite directory reads for offset dir\n\nAfter we switch tmpfs dir operations from simple_dir_operations to\nsimple_offset_dir_operations, every rename happened will fill new dentry\nto dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free\nkey starting with octx->newx_offset, and then set newx_offset equals to\nfree key + 1. This will lead to infinite readdir combine with rename\nhappened at the same time, which fail generic/736 in xfstests(detail show\nas below).\n\n1. create 5000 files(1 2 3...) under one dir\n2. call readdir(man 3 readdir) once, and get one entry\n3. rename(entry, \"TEMPFILE\"), then rename(\"TEMPFILE\", entry)\n4. loop 2~3, until readdir return nothing or we loop too many\n   times(tmpfs break test with the second condition)\n\nWe choose the same logic what commit 9b378f6ad48cf (\"btrfs: fix infinite\ndirectory reads\") to fix it, record the last_index when we open dir, and\ndo not emit the entry which index >= last_index. The file->private_data\nnow used in offset dir can use directly to do this, and we also update\nthe last_index when we llseek the dir file.\n\n[brauner: only update last_index after seek when offset is zero like Jan suggested]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Mark XDomain as unplugged when router is removed\n\nI noticed that when we do discrete host router NVM upgrade and it gets\nhot-removed from the PCIe side as a result of NVM firmware authentication,\nif there is another host connected with enabled paths we hang in tearing\nthem down. This is due to fact that the Thunderbolt networking driver\nalso tries to cleanup the paths and ends up blocking in\ntb_disconnect_xdomain_paths() waiting for the domain lock.\n\nHowever, at this point we already cleaned the paths in tb_stop() so\nthere is really no need for tb_disconnect_xdomain_paths() to do that\nanymore. Furthermore it already checks if the XDomain is unplugged and\nbails out early so take advantage of that and mark the XDomain as\nunplugged when we remove the parent router.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"serial: 8250_omap: Set the console genpd always on if no console suspend\"\n\nThis reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940.\n\nKevin reported that this causes a crash during suspend on platforms that\ndon't use PM domains.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix spurious data race in __flush_work()\n\nWhen flushing a work item for cancellation, __flush_work() knows that it\nexclusively owns the work item through its PENDING bit. 134874e2eee9\n(\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\ncontexts on BH work items\") added a read of @work->data to determine whether\nto use busy wait for BH work items that are being canceled. While the read\nis safe when @from_cancel, @work->data was read before testing @from_cancel\nto simplify code structure:\n\n\tdata = *work_data_bits(work);\n\tif (from_cancel &&\n\t    !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) {\n\nWhile the read data was never used if !@from_cancel, this could trigger\nKCSAN data race detection spuriously:\n\n  ==================================================================\n  BUG: KCSAN: data-race in __flush_work / __flush_work\n\n  write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\n   instrument_write include/linux/instrumented.h:41 [inline]\n   ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\n   insert_wq_barrier kernel/workqueue.c:3790 [inline]\n   start_flush_work kernel/workqueue.c:4142 [inline]\n   __flush_work+0x30b/0x570 kernel/workqueue.c:4178\n   flush_work kernel/workqueue.c:4229 [inline]\n   ...\n\n  read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\n   __flush_work+0x42a/0x570 kernel/workqueue.c:4188\n   flush_work kernel/workqueue.c:4229 [inline]\n   flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\n   ...\n\n  value changed: 0x0000000000400000 -> 0xffff88810006c00d\n\nReorganize the code so that @from_cancel is tested before @work->data is\naccessed. The only problem is triggering KCSAN detection spuriously. This\nshouldn't need READ_ONCE() or other access qualifiers.\n\nNo functional changes.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: reset mmio mappings with devm\n\nSet our various mmio mappings to NULL. This should make it easier to\ncatch something rogue trying to mess with mmio after device removal. For\nexample, we might unmap everything and then start hitting some mmio\naddress which has already been unmapped by us and then remapped by\nsomething else, causing all kinds of carnage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: mark last busy before uart_add_one_port\n\nWith \"earlycon initcall_debug=1 loglevel=8\" in bootargs, kernel\nsometimes boot hang. It is because normal console still is not ready,\nbut runtime suspend is called, so early console putchar will hang\nin waiting TRDE set in UARTSTAT.\n\nThe lpuart driver has auto suspend delay set to 3000ms, but during\nuart_add_one_port, a child device serial ctrl will added and probed with\nits pm runtime enabled(see serial_ctrl.c).\nThe runtime suspend call path is:\ndevice_add\n     |-> bus_probe_device\n           |->device_initial_probe\n\t           |->__device_attach\n                         |-> pm_runtime_get_sync(dev->parent);\n\t\t\t |-> pm_request_idle(dev);\n\t\t\t |-> pm_runtime_put(dev->parent);\n\nSo in the end, before normal console ready, the lpuart get runtime\nsuspended. And earlycon putchar will hang.\n\nTo address the issue, mark last busy just after pm_runtime_enable,\nthree seconds is long enough to switch from bootconsole to normal\nconsole.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3\n\nOn a system with a GICv3, if a guest hasn't been configured with\nGICv3 and that the host is not capable of GICv2 emulation,\na write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.\n\nWe therefore try to emulate the SGI access, only to hit a NULL\npointer as no private interrupt is allocated (no GIC, remember?).\n\nThe obvious fix is to give the guest what it deserves, in the\nshape of a UNDEF exception.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: qcom: x1e80100: Fix special pin offsets\n\nRemove the erroneous 0x100000 offset to prevent the boards from crashing\non pin state setting, as well as for the intended state changes to take\neffect.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix prime with external buffers\n\nMake sure that for external buffers mapping goes through the dma_buf\ninterface instead of trying to access pages directly.\n\nExternal buffers might not provide direct access to readable/writable\npages so to make sure the bo's created from external dma_bufs can be\nread dma_buf interface has to be used.\n\nFixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't\ntrigger this due to the fact that virtual machines will not have\nmultiple GPUs but it enables better test coverage in IGT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Prevent unmapping active read buffers\n\nThe kms paths keep a persistent map active to read and compare the cursor\nbuffer. These maps can race with each other in simple scenario where:\na) buffer \"a\" mapped for update\nb) buffer \"a\" mapped for compare\nc) do the compare\nd) unmap \"a\" for compare\ne) update the cursor\nf) unmap \"a\" for update\nAt step \"e\" the buffer has been unmapped and the read contents is bogus.\n\nPrevent unmapping of active read buffers by simply keeping a count of\nhow many paths have currently active maps and unmap only when the count\nreaches 0.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: fix ID 0 endp usage after multiple re-creations\n\n'local_addr_used' and 'add_addr_accepted' are decremented for addresses\nnot related to the initial subflow (ID0), because the source and\ndestination addresses of the initial subflows are known from the\nbeginning: they don't count as \"additional local address being used\" or\n\"ADD_ADDR being accepted\".\n\nIt is then required not to increment them when the entrypoint used by\nthe initial subflow is removed and re-added during a connection. Without\nthis modification, this entrypoint cannot be removed and re-added more\nthan once.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Disable coherent dumb buffers without 3d\n\nCoherent surfaces make only sense if the host renders to them using\naccelerated apis. Without 3d the entire content of dumb buffers stays\nin the guest making all of the extra work they're doing to synchronize\nbetween guest and host useless.\n\nConfigurations without 3d also tend to run with very low graphics\nmemory limits. The pinned console fb, mob cursors and graphical login\nmanager tend to run out of 16MB graphics memory that those guests use.\n\nFix it by making sure the coherent dumb buffers are only used on\nconfigs with 3d enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.8"
        },
        {
          "id": "CVE-2024-46713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/aux: Fix AUX buffer serialization\n\nOle reported that event->mmap_mutex is strictly insufficient to\nserialize the AUX buffer, add a per RB mutex to fully serialize it.\n\nNote that in the lock order comment the perf_event::mmap_mutex order\nwas already wrong, that is, it nesting under mmap_lock is not new with\nthis patch.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip wbscl_set_scaler_filter if filter is null\n\nCallers can pass null in filter (i.e. from returned from the function\nwbscl_get_filter_coeffs_16p) and a null check is added to ensure that is\nnot the case.\n\nThis fixes 4 NULL_RETURNS issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: iio: add missing checks on iio_info's callback access\n\nSome callbacks from iio_info structure are accessed without any check, so\nif a driver doesn't implement them trying to access the corresponding\nsysfs entries produce a kernel oops such as:\n\n[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute\n[...]\n[ 2203.783416] Call trace:\n[ 2203.783429]  iio_read_channel_info_avail from dev_attr_show+0x18/0x48\n[ 2203.789807]  dev_attr_show from sysfs_kf_seq_show+0x90/0x120\n[ 2203.794181]  sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4\n[ 2203.798555]  seq_read_iter from vfs_read+0x238/0x2a0\n[ 2203.802236]  vfs_read from ksys_read+0xa4/0xd4\n[ 2203.805385]  ksys_read from ret_fast_syscall+0x0/0x54\n[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)\n[ 2203.812880] dfa0:                   00000003 b6f10f80 00000003 b6eab000 00020000 00000000\n[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000\n[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0\n[ 2203.830363] Code: bad PC value\n[ 2203.832695] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor\n\nRemove list_del call in msgdma_chan_desc_cleanup, this should be the role\nof msgdma_free_descriptor. In consequence replace list_add_tail with\nlist_move_tail in msgdma_free_descriptor.\n\nThis fixes the path:\n   msgdma_free_chan_resources -> msgdma_free_descriptors ->\n   msgdma_free_desc_list -> msgdma_free_descriptor\n\nwhich does not correctly free the descriptors as first nodes were not\nremoved from the list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: SHAMPO, Fix incorrect page release\n\nUnder the following conditions:\n1) No skb created yet\n2) header_size == 0 (no SHAMPO header)\n3) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is the\n   last page fragment of a SHAMPO header page)\n\na new skb is formed with a page that is NOT a SHAMPO header page (it\nis a regular data page). Further down in the same function\n(mlx5e_handle_rx_cqe_mpwrq_shampo()), a SHAMPO header page from\nheader_index is released. This is wrong and it leads to SHAMPO header\npages being released more than once.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don't overmap identity VRAM mapping\n\nOvermapping the identity VRAM mapping is triggering hardware bugs on\ncertain platforms. Use 2M pages for the last unaligned (to 1G) VRAM\nchunk.\n\nv2:\n - Always use 2M pages for last chunk (Fei Yang)\n - break loop when 2M pages are used\n - Add assert for usable_size being 2M aligned\nv3:\n - Fix checkpatch",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Fix null pointer dereference in trace\n\nucsi_register_altmode checks IS_ERR for the alt pointer and treats\nNULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled,\nucsi_register_displayport returns NULL which causes a NULL pointer\ndereference in trace. Rather than return NULL, call\ntypec_port_register_altmode to register DisplayPort alternate mode\nas a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix dereference after null check\n\ncheck the pointer hive before use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix possible NULL pointer dereference\n\nprofile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made\nfrom __create_missing_ancestors(..) and 'ent->old' is NULL in\naa_replace_profiles(..).\nIn that case, it must return an error code and the code, -ENOENT represents\nits state that the path of its parent is not existed yet.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000030\nPGD 0 P4D 0\nPREEMPT SMP PTI\nCPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:aafs_create.constprop.0+0x7f/0x130\nCode: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae\nRSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n ? show_regs+0x6d/0x80\n ? __die+0x24/0x80\n ? page_fault_oops+0x99/0x1b0\n ? kernelmode_fixup_or_oops+0xb2/0x140\n ? __bad_area_nosemaphore+0x1a5/0x2c0\n ? find_vma+0x34/0x60\n ? bad_area_nosemaphore+0x16/0x30\n ? do_user_addr_fault+0x2a2/0x6b0\n ? exc_page_fault+0x83/0x1b0\n ? asm_exc_page_fault+0x27/0x30\n ? aafs_create.constprop.0+0x7f/0x130\n ? aafs_create.constprop.0+0x51/0x130\n __aafs_profile_mkdir+0x3d6/0x480\n aa_replace_profiles+0x83f/0x1270\n policy_update+0xe3/0x180\n profile_load+0xbc/0x150\n ? rw_verify_area+0x47/0x140\n vfs_write+0x100/0x480\n ? __x64_sys_openat+0x55/0xa0\n ? syscall_exit_to_user_mode+0x86/0x260\n ksys_write+0x73/0x100\n __x64_sys_write+0x19/0x30\n x64_sys_call+0x7e/0x25c0\n do_syscall_64+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7be9f211c574\nCode: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\nRSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574\nRDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004\nRBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80\nR13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30\n </TASK>\nModules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas\nCR2: 0000000000000030\n---[ end trace 0000000000000000 ]---\nRIP: 0010:aafs_create.constprop.0+0x7f/0x130\nCode: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae\nRSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix mc_data out-of-bounds read warning\n\nClear warning that read mc_data[i-1] may out-of-bounds.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix ucode out-of-bounds read warning\n\nClear warning that read ucode[] may out-of-bounds.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number\n\nCheck the fb_channel_number range to avoid the array out-of-bounds\nread error",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix out-of-bounds write warning\n\nCheck the ring type value to fix the out-of-bounds\nwrite warning",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Ensure index calculation will not overflow\n\n[WHY & HOW]\nMake sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will\nnever overflow and exceed array size.\n\nThis fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update\n\n[Why]\nCoverity reports NULL_RETURN warning.\n\n[How]\nAdd otg_master NULL check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check index for aux_rd_interval before using\n\naux_rd_interval has size of 7 and should be checked.\n\nThis fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix incorrect size calculation for loop\n\n[WHY]\nfe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is\nlager than the array size.\n\n[HOW]\nDivide byte size 20 by its element size.\n\nThis fixes 2 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Ensure array index tg_inst won't be -1\n\n[WHY & HOW]\ntg_inst will be a negative if timing_generator_count equals 0, which\nshould be checked before used.\n\nThis fixes 2 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix the Out-of-bounds read warning\n\nusing index i - 1U may beyond element index\nfor mc_data[] when i = 0.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign linear_pitch_alignment even for VM\n\n[Description]\nAssign linear_pitch_alignment so we don't cause a divide by 0\nerror in VM environments",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix qgroup reserve leaks in cow_file_range\n\nIn the buffered write path, the dirty page owns the qgroup reserve until\nit creates an ordered_extent.\n\nTherefore, any errors that occur before the ordered_extent is created\nmust free that reservation, or else the space is leaked. The fstest\ngeneric/475 exercises various IO error paths, and is able to trigger\nerrors in cow_file_range where we fail to get to allocating the ordered\nextent. Note that because we *do* clear delalloc, we are likely to\nremove the inode from the delalloc list, so the inodes/pages to not have\ninvalidate/launder called on them in the commit abort path.\n\nThis results in failures at the unmount stage of the test that look like:\n\n  BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure\n  BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure\n  BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672\n  ------------[ cut here ]------------\n  WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]\n  Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq\n  CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W          6.10.0-rc7-gab56fde445b8 #21\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n  RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]\n  RSP: 0018:ffffb4465283be00 EFLAGS: 00010202\n  RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001\n  RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8\n  RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000\n  R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  FS:  00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? close_ctree+0x222/0x4d0 [btrfs]\n   ? __warn.cold+0x8e/0xea\n   ? close_ctree+0x222/0x4d0 [btrfs]\n   ? report_bug+0xff/0x140\n   ? handle_bug+0x3b/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? close_ctree+0x222/0x4d0 [btrfs]\n   generic_shutdown_super+0x70/0x160\n   kill_anon_super+0x11/0x40\n   btrfs_kill_super+0x11/0x20 [btrfs]\n   deactivate_locked_super+0x2e/0xa0\n   cleanup_mnt+0xb5/0x150\n   task_work_run+0x57/0x80\n   syscall_exit_to_user_mode+0x121/0x130\n   do_syscall_64+0xab/0x1a0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f916847a887\n  ---[ end trace 0000000000000000 ]---\n  BTRFS error (device dm-8 state EA): qgroup reserved space leaked\n\nCases 2 and 3 in the out_reserve path both pertain to this type of leak\nand must free the reserved qgroup data. Because it is already an error\npath, I opted not to handle the possible errors in\nbtrfs_free_qgroup_data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between direct IO write and fsync when using same fd\n\nIf we have 2 threads that are using the same file descriptor and one of\nthem is doing direct IO writes while the other is doing fsync, we have a\nrace where we can end up either:\n\n1) Attempt a fsync without holding the inode's lock, triggering an\n   assertion failures when assertions are enabled;\n\n2) Do an invalid memory access from the fsync task because the file private\n   points to memory allocated on stack by the direct IO task and it may be\n   used by the fsync task after the stack was destroyed.\n\nThe race happens like this:\n\n1) A user space program opens a file descriptor with O_DIRECT;\n\n2) The program spawns 2 threads using libpthread for example;\n\n3) One of the threads uses the file descriptor to do direct IO writes,\n   while the other calls fsync using the same file descriptor.\n\n4) Call task A the thread doing direct IO writes and task B the thread\n   doing fsyncs;\n\n5) Task A does a direct IO write, and at btrfs_direct_write() sets the\n   file's private to an on stack allocated private with the member\n   'fsync_skip_inode_lock' set to true;\n\n6) Task B enters btrfs_sync_file() and sees that there's a private\n   structure associated to the file which has 'fsync_skip_inode_lock' set\n   to true, so it skips locking the inode's VFS lock;\n\n7) Task A completes the direct IO write, and resets the file's private to\n   NULL since it had no prior private and our private was stack allocated.\n   Then it unlocks the inode's VFS lock;\n\n8) Task B enters btrfs_get_ordered_extents_for_logging(), then the\n   assertion that checks the inode's VFS lock is held fails, since task B\n   never locked it and task A has already unlocked it.\n\nThe stack trace produced is the following:\n\n   assertion failed: inode_is_locked(&inode->vfs_inode), in fs/btrfs/ordered-data.c:983\n   ------------[ cut here ]------------\n   kernel BUG at fs/btrfs/ordered-data.c:983!\n   Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n   CPU: 9 PID: 5072 Comm: worker Tainted: G     U     OE      6.10.5-1-default #1 openSUSE Tumbleweed 69f48d427608e1c09e60ea24c6c55e2ca1b049e8\n   Hardware name: Acer Predator PH315-52/Covini_CFS, BIOS V1.12 07/28/2020\n   RIP: 0010:btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs]\n   Code: 50 d6 86 c0 e8 (...)\n   RSP: 0018:ffff9e4a03dcfc78 EFLAGS: 00010246\n   RAX: 0000000000000054 RBX: ffff9078a9868e98 RCX: 0000000000000000\n   RDX: 0000000000000000 RSI: ffff907dce4a7800 RDI: ffff907dce4a7800\n   RBP: ffff907805518800 R08: 0000000000000000 R09: ffff9e4a03dcfb38\n   R10: ffff9e4a03dcfb30 R11: 0000000000000003 R12: ffff907684ae7800\n   R13: 0000000000000001 R14: ffff90774646b600 R15: 0000000000000000\n   FS:  00007f04b96006c0(0000) GS:ffff907dce480000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f32acbfc000 CR3: 00000001fd4fa005 CR4: 00000000003726f0\n   Call Trace:\n    <TASK>\n    ? __die_body.cold+0x14/0x24\n    ? die+0x2e/0x50\n    ? do_trap+0xca/0x110\n    ? do_error_trap+0x6a/0x90\n    ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a]\n    ? exc_invalid_op+0x50/0x70\n    ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a]\n    ? asm_exc_invalid_op+0x1a/0x20\n    ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a]\n    ? btrfs_get_ordered_extents_for_logging.cold+0x1f/0x42 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a]\n    btrfs_sync_file+0x21a/0x4d0 [btrfs bb26272d49b4cdc847cf3f7faadd459b62caee9a]\n    ? __seccomp_filter+0x31d/0x4f0\n    __x64_sys_fdatasync+0x4f/0x90\n    do_syscall_64+0x82/0x160\n    ? do_futex+0xcb/0x190\n    ? __x64_sys_futex+0x10e/0x1d0\n    ? switch_fpu_return+0x4f/0xd0\n    ? syscall_exit_to_user_mode+0x72/0x220\n    ? do_syscall_64+0x8e/0x160\n    ? syscall_exit_to_user_mod\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.10"
        },
        {
          "id": "CVE-2024-46735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()\n\nWhen two UBLK_CMD_START_USER_RECOVERY commands are submitted, the\nfirst one sets 'ubq->ubq_daemon' to NULL, and the second one triggers\nWARN in ublk_queue_reinit() and subsequently a NULL pointer dereference\nissue.\n\nFix it by adding the check in ublk_ctrl_start_recovery() and return\nimmediately in case of zero 'ub->nr_queues_ready'.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n  RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180\n  Call Trace:\n   <TASK>\n   ? __die+0x20/0x70\n   ? page_fault_oops+0x75/0x170\n   ? exc_page_fault+0x64/0x140\n   ? asm_exc_page_fault+0x22/0x30\n   ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180\n   ublk_ctrl_uring_cmd+0x4f7/0x6c0\n   ? pick_next_task_idle+0x26/0x40\n   io_uring_cmd+0x9a/0x1b0\n   io_issue_sqe+0x193/0x3f0\n   io_wq_submit_work+0x9b/0x390\n   io_worker_handle_work+0x165/0x360\n   io_wq_worker+0xcb/0x2f0\n   ? finish_task_switch.isra.0+0x203/0x290\n   ? finish_task_switch.isra.0+0x203/0x290\n   ? __pfx_io_wq_worker+0x10/0x10\n   ret_from_fork+0x2d/0x50\n   ? __pfx_io_wq_worker+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_rename_path()\n\nIf smb2_set_path_attr() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() again as the\nreference of @cfile was already dropped by previous smb2_compound_op()\ncall.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix kernel crash if commands allocation fails\n\nIf the commands allocation fails in nvmet_tcp_alloc_cmds()\nthe kernel crashes in nvmet_tcp_release_queue_work() because of\na NULL pointer dereference.\n\n  nvmet: failed to install queue 0 cntlid 1 ret 6\n  Unable to handle kernel NULL pointer dereference at\n         virtual address 0000000000000008\n\nFix the bug by setting queue->nr_cmds to zero in case\nnvmet_tcp_alloc_cmd() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix use-after-free when removing resource in vmci_resource_remove()\n\nWhen removing a resource from vmci_resource_table in\nvmci_resource_remove(), the search is performed using the resource\nhandle by comparing context and resource fields.\n\nIt is possible though to create two resources with different types\nbut same handle (same context and resource fields).\n\nWhen trying to remove one of the resources, vmci_resource_remove()\nmay not remove the intended one, but the object will still be freed\nas in the case of the datagram type in vmci_datagram_destroy_handle().\nvmci_resource_table will still hold a pointer to this freed resource\nleading to a use-after-free vulnerability.\n\nBUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]\nBUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147\nRead of size 4 at addr ffff88801c16d800 by task syz-executor197/1592\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106\n print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239\n __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425\n kasan_report+0x38/0x51 mm/kasan/report.c:442\n vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]\n vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147\n vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182\n ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444\n kref_put include/linux/kref.h:65 [inline]\n vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]\n vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195\n vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143\n __fput+0x261/0xa34 fs/file_table.c:282\n task_work_run+0xf0/0x194 kernel/task_work.c:164\n tracehook_notify_resume include/linux/tracehook.h:189 [inline]\n exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187\n exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220\n __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]\n syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313\n do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x6e/0x0\n\nThis change ensures the type is also checked when removing\nthe resource from vmci_resource_table in vmci_resource_remove().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind\n\nFor primary VM Bus channels, primary_channel pointer is always NULL. This\npointer is valid only for the secondary channels. Also, rescind callback\nis meant for primary channels only.\n\nFix NULL pointer dereference by retrieving the device_obj from the parent\nfor the primary channel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF caused by offsets overwrite\n\nBinder objects are processed and copied individually into the target\nbuffer during transactions. Any raw data in-between these objects is\ncopied as well. However, this raw data copy lacks an out-of-bounds\ncheck. If the raw data exceeds the data section size then the copy\noverwrites the offsets section. This eventually triggers an error that\nattempts to unwind the processed objects. However, at this point the\noffsets used to index these objects are now corrupted.\n\nUnwinding with corrupted offsets can result in decrements of arbitrary\nnodes and lead to their premature release. Other users of such nodes are\nleft with a dangling pointer triggering a use-after-free. This issue is\nmade evident by the following KASAN report (trimmed):\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c\n  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743\n\n  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   _raw_spin_lock+0xe4/0x19c\n   binder_free_buf+0x128/0x434\n   binder_thread_write+0x8a4/0x3260\n   binder_ioctl+0x18f0/0x258c\n  [...]\n\n  Allocated by task 743:\n   __kmalloc_cache_noprof+0x110/0x270\n   binder_new_node+0x50/0x700\n   binder_transaction+0x413c/0x6da8\n   binder_thread_write+0x978/0x3260\n   binder_ioctl+0x18f0/0x258c\n  [...]\n\n  Freed by task 745:\n   kfree+0xbc/0x208\n   binder_thread_read+0x1c5c/0x37d4\n   binder_ioctl+0x16d8/0x258c\n  [...]\n  ==================================================================\n\nTo avoid this issue, let's check that the raw data copy is within the\nboundaries of the data section.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix double free of 'buf' in error path\n\nsmatch warning:\ndrivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf'\n\nIn fastrpc_req_mmap() error path, the fastrpc buffer is freed in\nfastrpc_req_munmap_impl() if unmap is successful.\n\nBut in the end, there is an unconditional call to fastrpc_buf_free().\nSo the above case triggers the double free of fastrpc buf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()\n\nnull-ptr-deref will occur when (req_op_level == SMB2_OPLOCK_LEVEL_LEASE)\nand parse_lease_state() return NULL.\n\nFix this by check if 'lease_ctx_info' is NULL.\n\nAdditionally, remove the redundant parentheses in\nparse_durable_handle_context().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof/irq: Prevent device address out-of-bounds read in interrupt map walk\n\nWhen of_irq_parse_raw() is invoked with a device address smaller than\nthe interrupt parent node (from #address-cells property), KASAN detects\nthe following out-of-bounds read when populating the initial match table\n(dyndbg=\"func of_irq_parse_* +p\"):\n\n  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0\n  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2\n  OF:  intspec=4\n  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2\n  OF:  -> addrsize=3\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0\n  Read of size 4 at addr ffffff81beca5608 by task bash/764\n\n  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1\n  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023\n  Call trace:\n   dump_backtrace+0xdc/0x130\n   show_stack+0x1c/0x30\n   dump_stack_lvl+0x6c/0x84\n   print_report+0x150/0x448\n   kasan_report+0x98/0x140\n   __asan_load4+0x78/0xa0\n   of_irq_parse_raw+0x2b8/0x8d0\n   of_irq_parse_one+0x24c/0x270\n   parse_interrupts+0xc0/0x120\n   of_fwnode_add_links+0x100/0x2d0\n   fw_devlink_parse_fwtree+0x64/0xc0\n   device_add+0xb38/0xc30\n   of_device_add+0x64/0x90\n   of_platform_device_create_pdata+0xd0/0x170\n   of_platform_bus_create+0x244/0x600\n   of_platform_notify+0x1b0/0x254\n   blocking_notifier_call_chain+0x9c/0xd0\n   __of_changeset_entry_notify+0x1b8/0x230\n   __of_changeset_apply_notify+0x54/0xe4\n   of_overlay_fdt_apply+0xc04/0xd94\n   ...\n\n  The buggy address belongs to the object at ffffff81beca5600\n   which belongs to the cache kmalloc-128 of size 128\n  The buggy address is located 8 bytes inside of\n   128-byte region [ffffff81beca5600, ffffff81beca5680)\n\n  The buggy address belongs to the physical page:\n  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4\n  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0\n  flags: 0x8000000000010200(slab|head|zone=2)\n  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300\n  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                        ^\n   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc\n  ==================================================================\n  OF:  -> got it !\n\nPrevent the out-of-bounds read by copying the device address into a\nbuffer of sufficient size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: sanity check symbolic link size\n\nSyzkiller reports a \"KMSAN: uninit-value in pick_link\" bug.\n\nThis is caused by an uninitialised page, which is ultimately caused\nby a corrupted symbolic link size read from disk.\n\nThe reason why the corrupted symlink size causes an uninitialised\npage is due to the following sequence of events:\n\n1. squashfs_read_inode() is called to read the symbolic\n   link from disk.  This assigns the corrupted value\n   3875536935 to inode->i_size.\n\n2. Later squashfs_symlink_read_folio() is called, which assigns\n   this corrupted value to the length variable, which being a\n   signed int, overflows producing a negative number.\n\n3. The following loop that fills in the page contents checks that\n   the copied bytes is less than length, which being negative means\n   the loop is skipped, producing an uninitialised page.\n\nThis patch adds a sanity check which checks that the symbolic\nlink size is not larger than expected.\n\n--\n\nV2: fix spelling mistake.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - reject requests with unreasonable number of slots\n\n\nWhen exercising uinput interface syzkaller may try setting up device\nwith a really large number of slots, which causes memory allocation\nfailure in input_mt_init_slots(). While this allocation failure is\nhandled properly and request is rejected, it results in syzkaller\nreports. Additionally, such request may put undue burden on the\nsystem which will try to free a lot of memory for a bogus request.\n\nFix it by limiting allowed number of slots to 100. This can easily\nbe extended if we see devices that can track more than 100 contacts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: free driver_data after destroying hid device\n\nHID driver callbacks aren't called anymore once hid_destroy_device() has\nbeen called. Hence, hid driver_data should be freed only after the\nhid_destroy_device() function returned as driver_data is used in several\ncallbacks.\n\nI observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling\nKASAN to debug memory allocation, I got this output:\n\n  [   13.050438] ==================================================================\n  [   13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]\n  [   13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3\n  [   13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479\n\n  [   13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0\n  [   13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024\n  [   13.067860] Call Trace:\n  [   13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8\n  [   13.071486]  <TASK>\n  [   13.071492]  dump_stack_lvl+0x5d/0x80\n  [   13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)\n  [   13.078296]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]\n  [   13.082199]  print_report+0x174/0x505\n  [   13.085776]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  [   13.089367]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.093255]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]\n  [   13.097464]  kasan_report+0xc8/0x150\n  [   13.101461]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]\n  [   13.105802]  amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]\n  [   13.110303]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]\n  [   13.114879]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.119450]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]\n  [   13.124097]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]\n  [   13.127404]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.131925]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]\n  [   13.136455]  ? _raw_spin_lock_irqsave+0x96/0xf0\n  [   13.140197]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  [   13.143602]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]\n  [   13.147234]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.150446]  ? __devm_add_action+0x167/0x1d0\n  [   13.155061]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]\n  [   13.158581]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.161814]  platform_probe+0xa2/0x150\n  [   13.165029]  really_probe+0x1e3/0x8a0\n  [   13.168243]  __driver_probe_device+0x18c/0x370\n  [   13.171500]  driver_probe_device+0x4a/0x120\n  [   13.175000]  __driver_attach+0x190/0x4a0\n  [   13.178521]  ? __pfx___driver_attach+0x10/0x10\n  [   13.181771]  bus_for_each_dev+0x106/0x180\n  [   13.185033]  ? __pfx__raw_spin_lock+0x10/0x10\n  [   13.188229]  ? __pfx_bus_for_each_dev+0x10/0x10\n  [   13.191446]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.194382]  bus_add_driver+0x29e/0x4d0\n  [   13.197328]  driver_register+0x1a5/0x360\n  [   13.200283]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]\n  [   13.203362]  do_one_initcall+0xa7/0x380\n  [   13.206432]  ? __pfx_do_one_initcall+0x10/0x10\n  [   13.210175]  ? srso_alias_return_thunk+0x5/0xfbef5\n  [   13.213211]  ? kasan_unpoison+0x44/0x70\n  [   13.216688]  do_init_module+0x238/0x750\n  [   13.2196\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup\n\nreport_fixup for the Cougar 500k Gaming Keyboard was not verifying\nthat the report descriptor size was correct before accessing it",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set the max subreq size for cache writes to MAX_RW_COUNT\n\nSet the maximum size of a subrequest that writes to cachefiles to be\nMAX_RW_COUNT so that we don't overrun the maximum write we can make to the\nbacking filesystem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()\n\nThis adds a check before freeing the rx->skb in flush and close\nfunctions to handle the kernel crash seen while removing driver after FW\ndownload fails or before FW download completes.\n\ndmesg log:\n[   54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080\n[   54.643398] Mem abort info:\n[   54.646204]   ESR = 0x0000000096000004\n[   54.649964]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   54.655286]   SET = 0, FnV = 0\n[   54.658348]   EA = 0, S1PTW = 0\n[   54.661498]   FSC = 0x04: level 0 translation fault\n[   54.666391] Data abort info:\n[   54.669273]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[   54.674768]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   54.674771]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000\n[   54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000\n[   54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[   54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse\n[   54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2\n[   54.744364] Hardware name: FSL i.MX8MM EVK board (DT)\n[   54.744368] Workqueue: hci0 hci_power_on\n[   54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   54.757249] pc : kfree_skb_reason+0x18/0xb0\n[   54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]\n[   54.782921] sp : ffff8000805ebca0\n[   54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000\n[   54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230\n[   54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92\n[   54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff\n[   54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857\n[   54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642\n[   54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688\n[   54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000\n[   54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000\n[   54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac\n[   54.857599] Call trace:\n[   54.857601]  kfree_skb_reason+0x18/0xb0\n[   54.863878]  btnxpuart_flush+0x40/0x58 [btnxpuart]\n[   54.863888]  hci_dev_open_sync+0x3a8/0xa04\n[   54.872773]  hci_power_on+0x54/0x2e4\n[   54.881832]  process_one_work+0x138/0x260\n[   54.881842]  worker_thread+0x32c/0x438\n[   54.881847]  kthread+0x118/0x11c\n[   54.881853]  ret_from_fork+0x10/0x20\n[   54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)\n[   54.896410] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Add missing bridge lock to pci_bus_lock()\n\nOne of the true positives that the cfg_access_lock lockdep effort\nidentified is this sequence:\n\n  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70\n  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70\n  Call Trace:\n   <TASK>\n   ? __warn+0x8c/0x190\n   ? pci_bridge_secondary_bus_reset+0x5d/0x70\n   ? report_bug+0x1f8/0x200\n   ? handle_bug+0x3c/0x70\n   ? exc_invalid_op+0x18/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? pci_bridge_secondary_bus_reset+0x5d/0x70\n   pci_reset_bus+0x1d8/0x270\n   vmd_probe+0x778/0xa10\n   pci_device_probe+0x95/0x120\n\nWhere pci_reset_bus() users are triggering unlocked secondary bus resets.\nIronically pci_bus_reset(), several calls down from pci_reset_bus(), uses\npci_bus_lock() before issuing the reset which locks everything *but* the\nbridge itself.\n\nFor the same motivation as adding:\n\n  bridge = pci_upstream_bridge(dev);\n  if (bridge)\n    pci_dev_lock(bridge);\n\nto pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add\npci_dev_lock() for @bus->self to pci_bus_lock().\n\n[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:\nhttps://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()\n\nInstead of doing a BUG_ON() handle the error by returning -EUCLEAN,\naborting the transaction and logging an error message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: replace BUG_ON() with error handling at update_ref_for_cow()\n\nInstead of a BUG_ON() just return an error, log an error message and\nabort the transaction in case we find an extent buffer belonging to the\nrelocation tree that doesn't have the full backref flag set. This is\nunexpected and should never happen (save for bugs or a potential bad\nmemory).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle errors from btrfs_dec_ref() properly\n\nIn walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref().  This is\nincorrect, we have proper error handling here, return the error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Remove tst_run from lwt_seg6local_prog_ops.\n\nThe syzbot reported that the lwt_seg6 related BPF ops can be invoked\nvia bpf_test_run() without entering input_action_end_bpf()\nfirst.\n\nMartin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL\nprobably didn't work since it was introduced in commit 04d4b274e2a\n(\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the\nper-CPU variable seg6_bpf_srh_states::srh is never assigned in the self\ntest case but each BPF function expects it.\n\nRemove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()\n\nmwifiex_get_priv_by_id() returns the priv pointer corresponding to\nthe bss_num and bss_type, but without checking if the priv is actually\ncurrently in use.\nUnused priv pointers do not have a wiphy attached to them which can\nlead to NULL pointer dereferences further down the callstack.  Fix\nthis by returning only used priv pointers which have priv->bss_mode\nset to something else than NL80211_IFTYPE_UNSPECIFIED.\n\nSaid NULL pointer dereference happened when an access point was started\nwith wpa_supplicant -i mlan0 with this config:\n\nnetwork={\n        ssid=\"somessid\"\n        mode=2\n        frequency=2412\n        key_mgmt=WPA-PSK WPA-PSK-SHA256\n        proto=RSN\n        group=CCMP\n        pairwise=CCMP\n        psk=\"12345678\"\n}\n\nWhen waiting for the AP to be established, interrupting wpa_supplicant\nwith <ctrl-c> and starting it again this happens:\n\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140\n| Mem abort info:\n|   ESR = 0x0000000096000004\n|   EC = 0x25: DABT (current EL), IL = 32 bits\n|   SET = 0, FnV = 0\n|   EA = 0, S1PTW = 0\n|   FSC = 0x04: level 0 translation fault\n| Data abort info:\n|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000\n| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000\n| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio\n+mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs\n+imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6\n| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18\n| Hardware name: somemachine (DT)\n| Workqueue: events sdio_irq_work\n| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]\n| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]\n| sp : ffff8000818b3a70\n| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004\n| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9\n| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000\n| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000\n| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517\n| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1\n| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157\n| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124\n| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000\n| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000\n| Call trace:\n|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]\n|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]\n|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]\n|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]\n|  mwifiex_process_event+0x110/0x238 [mwifiex]\n|  mwifiex_main_process+0x428/0xa44 [mwifiex]\n|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]\n|  process_sdio_pending_irqs+0x64/0x1b8\n|  sdio_irq_work+0x4c/0x7c\n|  process_one_work+0x148/0x2a0\n|  worker_thread+0x2fc/0x40c\n|  kthread+0x110/0x114\n|  ret_from_fork+0x10/0x20\n| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)\n| ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (adc128d818) Fix underflows seen when writing limit attributes\n\nDIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large\nnegative number such as -9223372036854775808 is provided by the user.\nFix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: usb: schedule rx work after everything is set up\n\nRight now it's possible to hit NULL pointer dereference in\nrtw_rx_fill_rx_status on hw object and/or its fields because\ninitialization routine can start getting USB replies before\nrtw_dev is fully setup.\n\nThe stack trace looks like this:\n\nrtw_rx_fill_rx_status\nrtw8821c_query_rx_desc\nrtw_usb_rx_handler\n...\nqueue_work\nrtw_usb_read_port_complete\n...\nusb_submit_urb\nrtw_usb_rx_resubmit\nrtw_usb_init_rx\nrtw_usb_probe\n\nSo while we do the async stuff rtw_usb_probe continues and calls\nrtw_register_hw, which does all kinds of initialization (e.g.\nvia ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.\n\nFix this by moving the first usb_submit_urb after everything\nis set up.\n\nFor me, this bug manifested as:\n[    8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped\n[    8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status\nbecause I'm using Larry's backport of rtw88 driver with the NULL\nchecks in rtw_rx_fill_rx_status.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npci/hotplug/pnv_php: Fix hotplug driver crash on Powernv\n\nThe hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel\ncrash when we try to hot-unplug/disable the PCIe switch/bridge from\nthe PHB.\n\nThe crash occurs because although the MSI data structure has been\nreleased during disable/hot-unplug path and it has been assigned\nwith NULL, still during unregistration the code was again trying to\nexplicitly disable the MSI which causes the NULL pointer dereference and\nkernel crash.\n\nThe patch fixes the check during unregistration path to prevent invoking\npci_disable_msi/msix() since its data structure is already freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: privcmd: Fix possible access to a freed kirqfd instance\n\nNothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and\nprivcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd\ncreated and added to the irqfds_list by privcmd_irqfd_assign() may get\nremoved by another thread executing privcmd_irqfd_deassign(), while the\nformer is still using it after dropping the locks.\n\nThis can lead to a situation where an already freed kirqfd instance may\nbe accessed and cause kernel oops.\n\nUse SRCU locking to prevent the same, as is done for the KVM\nimplementation for irqfds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Fix null-ptr-deref in GRO.\n\nWe observed a null-ptr-deref in fou_gro_receive() while shutting down\na host.  [0]\n\nThe NULL pointer is sk->sk_user_data, and the offset 8 is of protocol\nin struct fou.\n\nWhen fou_release() is called due to netns dismantle or explicit tunnel\nteardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.\nThen, the tunnel socket is destroyed after a single RCU grace period.\n\nSo, in-flight udp4_gro_receive() could find the socket and execute the\nFOU GRO handler, where sk->sk_user_data could be NULL.\n\nLet's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL\nchecks in FOU GRO handlers.\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0\nSMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1\nHardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017\nRIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]\nCode: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42\nRSP: 0018:ffffa330c0003d08 EFLAGS: 00010297\nRAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010\nRDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08\nRBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002\nR10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400\nR13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0\nFS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? no_context (arch/x86/mm/fault.c:752)\n ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)\n ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)\n ? fou_gro_receive (net/ipv4/fou.c:233) [fou]\n udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)\n udp4_gro_receive (net/ipv4/udp_offload.c:604)\n inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))\n dev_gro_receive (net/core/dev.c:6035 (discriminator 4))\n napi_gro_receive (net/core/dev.c:6170)\n ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]\n ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]\n napi_poll (net/core/dev.c:6847)\n net_rx_action (net/core/dev.c:6917)\n __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)\n asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)\n</IRQ>\n do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)\n irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)\n common_interrupt (arch/x86/kernel/irq.c:239)\n asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)\nRIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)\nCode: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00\nRSP: 0018:ffffffffb5603e58 EFLAGS: 00000246\nRAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900\nRDX: ffff93daee800000 RSI: ffff93d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: add check for invalid name in btf_name_valid_section()\n\nIf the length of the name string is 1 and the value of name[0] is NULL\nbyte, an OOB vulnerability occurs in btf_name_valid_section() and the\nreturn value is true, so the invalid name passes the check.\n\nTo solve this, you need to check if the first position is NULL byte and\nif the first character is printable.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: protect XDP configuration with a mutex\n\nThe main threat to data consistency in ice_xdp() is a possible asynchronous\nPF reset. It can be triggered by a user or by TX timeout handler.\n\nXDP setup and PF reset code access the same resources in the following\nsections:\n* ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked\n* ice_vsi_rebuild() for the PF VSI - not protected\n* ice_vsi_open() - already rtnl-locked\n\nWith an unfortunate timing, such accesses can result in a crash such as the\none below:\n\n[ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14\n[ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18\n[Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms\n[ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001\n[ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14\n[ +0.394718] ice 0000:b1:00.0: PTP reset successful\n[ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[ +0.000045] #PF: supervisor read access in kernel mode\n[ +0.000023] #PF: error_code(0x0000) - not-present page\n[ +0.000023] PGD 0 P4D 0\n[ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1\n[ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021\n[ +0.000036] Workqueue: ice ice_service_task [ice]\n[ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice]\n[...]\n[ +0.000013] Call Trace:\n[ +0.000016] <TASK>\n[ +0.000014] ? __die+0x1f/0x70\n[ +0.000029] ? page_fault_oops+0x171/0x4f0\n[ +0.000029] ? schedule+0x3b/0xd0\n[ +0.000027] ? exc_page_fault+0x7b/0x180\n[ +0.000022] ? asm_exc_page_fault+0x22/0x30\n[ +0.000031] ? ice_clean_tx_ring+0xa/0xd0 [ice]\n[ +0.000194] ice_free_tx_ring+0xe/0x60 [ice]\n[ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice]\n[ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice]\n[ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice]\n[ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice]\n[ +0.000145] ice_rebuild+0x18c/0x840 [ice]\n[ +0.000145] ? delay_tsc+0x4a/0xc0\n[ +0.000022] ? delay_tsc+0x92/0xc0\n[ +0.000020] ice_do_reset+0x140/0x180 [ice]\n[ +0.000886] ice_service_task+0x404/0x1030 [ice]\n[ +0.000824] process_one_work+0x171/0x340\n[ +0.000685] worker_thread+0x277/0x3a0\n[ +0.000675] ? preempt_count_add+0x6a/0xa0\n[ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50\n[ +0.000679] ? __pfx_worker_thread+0x10/0x10\n[ +0.000653] kthread+0xf0/0x120\n[ +0.000635] ? __pfx_kthread+0x10/0x10\n[ +0.000616] ret_from_fork+0x2d/0x50\n[ +0.000612] ? __pfx_kthread+0x10/0x10\n[ +0.000604] ret_from_fork_asm+0x1b/0x30\n[ +0.000604] </TASK>\n\nThe previous way of handling this through returning -EBUSY is not viable,\nparticularly when destroying AF_XDP socket, because the kernel proceeds\nwith removal anyway.\n\nThere is plenty of code between those calls and there is no need to create\na large critical section that covers all of them, same as there is no need\nto protect ice_vsi_rebuild() with rtnl_lock().\n\nAdd xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp().\n\nLeaving unprotected sections in between would result in two states that\nhave to be considered:\n1. when the VSI is closed, but not yet rebuilt\n2. when VSI is already rebuilt, but not yet open\n\nThe latter case is actually already handled through !netif_running() case,\nwe just need to adjust flag checking a little. The former one is not as\ntrivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of\nhardware interaction happens, this can make adding/deleting rings exit\nwith an error. Luckily, VSI rebuild is pending and can apply new\nconfiguration for us in a managed fashion.\n\nTherefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to\nindicate that ice_x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: move netif_queue_set_napi to rtnl-protected sections\n\nCurrently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is\nnot rtnl-locked when called from the reset. This creates the need to take\nthe rtnl_lock just for a single function and complicates the\nsynchronization with .ndo_bpf. At the same time, there is no actual need to\nfill napi-to-queue information at this exact point.\n\nFill napi-to-queue information when opening the VSI and clear it when the\nVSI is being closed. Those routines are already rtnl-locked.\n\nAlso, rewrite napi-to-queue assignment in a way that prevents inclusion of\nXDP queues, as this leads to out-of-bounds writes, such as one below.\n\n[  +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047\n[  +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2\n[  +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021\n[  +0.000003] Call Trace:\n[  +0.000003]  <TASK>\n[  +0.000002]  dump_stack_lvl+0x60/0x80\n[  +0.000007]  print_report+0xce/0x630\n[  +0.000007]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  +0.000007]  ? __virt_addr_valid+0x1c9/0x2c0\n[  +0.000005]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000003]  kasan_report+0xe9/0x120\n[  +0.000004]  ? netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000004]  netif_queue_set_napi+0x1c2/0x1e0\n[  +0.000005]  ice_vsi_close+0x161/0x670 [ice]\n[  +0.000114]  ice_dis_vsi+0x22f/0x270 [ice]\n[  +0.000095]  ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice]\n[  +0.000086]  ice_prepare_for_reset+0x299/0x750 [ice]\n[  +0.000087]  pci_dev_save_and_disable+0x82/0xd0\n[  +0.000006]  pci_reset_function+0x12d/0x230\n[  +0.000004]  reset_store+0xa0/0x100\n[  +0.000006]  ? __pfx_reset_store+0x10/0x10\n[  +0.000002]  ? __pfx_mutex_lock+0x10/0x10\n[  +0.000004]  ? __check_object_size+0x4c1/0x640\n[  +0.000007]  kernfs_fop_write_iter+0x30b/0x4a0\n[  +0.000006]  vfs_write+0x5d6/0xdf0\n[  +0.000005]  ? fd_install+0x180/0x350\n[  +0.000005]  ? __pfx_vfs_write+0x10/0xA10\n[  +0.000004]  ? do_fcntl+0x52c/0xcd0\n[  +0.000004]  ? kasan_save_track+0x13/0x60\n[  +0.000003]  ? kasan_save_free_info+0x37/0x60\n[  +0.000006]  ksys_write+0xfa/0x1d0\n[  +0.000003]  ? __pfx_ksys_write+0x10/0x10\n[  +0.000002]  ? __x64_sys_fcntl+0x121/0x180\n[  +0.000004]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000005]  do_syscall_64+0x80/0x170\n[  +0.000007]  ? _raw_spin_lock+0x87/0xe0\n[  +0.000004]  ? __pfx__raw_spin_lock+0x10/0x10\n[  +0.000003]  ? file_close_fd_locked+0x167/0x230\n[  +0.000005]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000005]  ? do_syscall_64+0x8c/0x170\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? fput+0x1a/0x2c0\n[  +0.000004]  ? filp_close+0x19/0x30\n[  +0.000004]  ? do_dup2+0x25a/0x4c0\n[  +0.000004]  ? __x64_sys_dup2+0x6e/0x2e0\n[  +0.000002]  ? syscall_exit_to_user_mode+0x7d/0x220\n[  +0.000004]  ? do_syscall_64+0x8c/0x170\n[  +0.000003]  ? __count_memcg_events+0x113/0x380\n[  +0.000005]  ? handle_mm_fault+0x136/0x820\n[  +0.000005]  ? do_user_addr_fault+0x444/0xa80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000004]  ? clear_bhb_loop+0x25/0x80\n[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000005] RIP: 0033:0x7f2033593154",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Fix missing of_node_put() for leds\n\nThe call of of_get_child_by_name() will cause refcount incremented\nfor leds, if it succeeds, it should call of_node_put() to decrease\nit, fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (hp-wmi-sensors) Check if WMI event data exists\n\nThe BIOS can choose to return no event data in response to a\nWMI event, so the ACPI object passed to the WMI notify handler\ncan be NULL.\n\nCheck for such a situation and ignore the event in such a case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: intel: Add check devm_kasprintf() returned value\n\nintel_spi_populate_chip() use devm_kasprintf() to set pdata->name.\nThis can return a NULL pointer on failure but this returned value\nis not checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add netif_device_attach/detach into PF reset flow\n\nEthtool callbacks can be executed while reset is in progress and try to\naccess deleted resources, e.g. getting coalesce settings can result in a\nNULL pointer dereference seen below.\n\nReproduction steps:\nOnce the driver is fully initialized, trigger reset:\n\t# echo 1 > /sys/class/net/<interface>/device/reset\nwhen reset is in progress try to get coalesce settings using ethtool:\n\t# ethtool -c <interface>\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP PTI\nCPU: 11 PID: 19713 Comm: ethtool Tainted: G S                 6.10.0-rc7+ #7\nRIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]\nRSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206\nRAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000\nR13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40\nFS:  00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0\nCall Trace:\n<TASK>\nice_get_coalesce+0x17/0x30 [ice]\ncoalesce_prepare_data+0x61/0x80\nethnl_default_doit+0xde/0x340\ngenl_family_rcv_msg_doit+0xf2/0x150\ngenl_rcv_msg+0x1b3/0x2c0\nnetlink_rcv_skb+0x5b/0x110\ngenl_rcv+0x28/0x40\nnetlink_unicast+0x19c/0x290\nnetlink_sendmsg+0x222/0x490\n__sys_sendto+0x1df/0x1f0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x82/0x160\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7faee60d8e27\n\nCalling netif_device_detach() before reset makes the net core not call\nthe driver when ethtool command is issued, the attempt to execute an\nethtool command during reset will 
result in the following message:\n\n    netlink error: No such device\n\ninstead of NULL pointer dereference. Once reset is done and\nice_rebuild() is executing, the netif_device_attach() is called to allow\nfor ethtool operations to occur again in a safe manner.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Remove proc entry when dev is unregistered.\n\nsyzkaller reported a warning in bcm_connect() below. [0]\n\nThe repro calls connect() to vxcan1, removes vxcan1, and calls\nconnect() with ifindex == 0.\n\nCalling connect() for a BCM socket allocates a proc entry.\nThen, bcm_sk(sk)->bound is set to 1 to prevent further connect().\n\nHowever, removing the bound device resets bcm_sk(sk)->bound to 0\nin bcm_notify().\n\nThe 2nd connect() tries to allocate a proc entry with the same\nname and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the\noriginal proc entry.\n\nSince the proc entry is available only for connect()ed sockets,\nlet's clean up the entry when the bound netdev is unregistered.\n\n[0]:\nproc_dir_entry 'can-bcm/2456' already registered\nWARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375\nModules linked in:\nCPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375\nCode: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48\nRSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246\nRAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002\nRBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0\nR10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec\nFS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200071c0 CR3: 0000000118556004 CR4: 
0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220\n bcm_connect+0x472/0x840 net/can/bcm.c:1673\n __sys_connect_file net/socket.c:2049 [inline]\n __sys_connect+0x5d2/0x690 net/socket.c:2066\n __do_sys_connect net/socket.c:2076 [inline]\n __se_sys_connect net/socket.c:2073 [inline]\n __x64_sys_connect+0x8f/0x100 net/socket.c:2073\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fbd708b0e5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d\nRDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040\nR10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098\nR13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000\n </TASK>\nremove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check denominator crb_pipes before used\n\n[WHAT & HOW]\nA denominator cannot be 0, and is checked before used.\n\nThis fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check denominator pbn_div before used\n\n[WHAT & HOW]\nA denominator cannot be 0, and is checked before used.\n\nThis fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()\n\nSmatch warns:\n\n  arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential\n  spectre issue 'args.args' [r] (local cap)\n\nThe 'nargs' and 'nret' locals come directly from a user-supplied\nbuffer and are used as indexes into a small stack-based array and as\ninputs to copy_to_user() after they are subject to bounds checks.\n\nUse array_index_nospec() after the bounds checks to clamp these values\nfor speculative execution.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Validate function returns\n\n[WHAT & HOW]\nFunction return values must be checked before data can be used\nin subsequent functions.\n\nThis fixes 4 CHECKED_RETURN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Run DC_LOG_DC after checking link->link_enc\n\n[WHAT]\nThe DC_LOG_DC should be run after link->link_enc is checked, not before.\n\nThis fixes 1 REVERSE_INULL issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid excessive partition lengths\n\nAvoid mounting filesystems where the partition would overflow the\n32-bits used for block number. Also refuse to mount filesystems where\nthe partition length is so large we cannot safely index bits in a\nblock bitmap.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check UnboundedRequestEnabled's value\n\nCalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled\nis a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus\nif (p->UnboundedRequestEnabled) checks its address, not bool value.\n\nThis fixes 1 REVERSE_INULL issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Free pvr_vm_gpuva after unlink\n\nThis caused a measurable memory leak. Although the individual\nallocations are small, the leaks occurs in a high-usage codepath\n(remapping or unmapping device memory) so they add up quickly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: protect references to superblock parameters exposed in sysfs\n\nThe superblock buffers of nilfs2 can not only be overwritten at runtime\nfor modifications/repairs, but they are also regularly swapped, replaced\nduring resizing, and even abandoned when degrading to one side due to\nbacking device issues.  So, accessing them requires mutual exclusion using\nthe reader/writer semaphore \"nilfs->ns_sem\".\n\nSome sysfs attribute show methods read this superblock buffer without the\nnecessary mutual exclusion, which can cause problems with pointer\ndereferencing and memory access, so fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix missing cleanup on rollforward recovery error\n\nIn an error injection test of a routine for mount-time recovery, KASAN\nfound a use-after-free bug.\n\nIt turned out that if data recovery was performed using partial logs\ncreated by dsync writes, but an error occurred before starting the log\nwriter to create a recovered checkpoint, the inodes whose data had been\nrecovered were left in the ns_dirty_files list of the nilfs object and\nwere not freed.\n\nFix this issue by cleaning up inodes that have read the recovery data if\nthe recovery routine fails midway before the log writer starts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: call nf_unregister_net_hooks() sooner\n\nsyzbot found an use-after-free Read in ila_nf_input [1]\n\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\nthen call nf_unregister_net_hooks().\n\nIt should be done in the reverse way, with a synchronize_rcu().\n\nThis is a good match for a pre_exit() method.\n\n[1]\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\n\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\n  __netif_receive_skb_one_core 
net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\n  process_backlog+0x662/0x15b0 net/core/dev.c:6108\n  __napi_poll+0xcb/0x490 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963\n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xbfffffff(buddy)\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\n  set_page_owner include/linux/page_owner.h:32 [inline]\n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\n  prep_new_page mm/page_alloc.c:1501 [inline]\n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\n  __do_kmalloc_node mm/slub.c:4146 [inline]\n  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\n  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\n  bucket_table_alloc lib/rhashtable.c:186 [inline]\n  rhashtable_init_noprof+0x534/0xa60 
lib/rhashtable.c:1071\n  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\n  ops_ini\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: fix return value of tcp_bpf_sendmsg()\n\nWhen we cork messages in psock->cork, the last message triggers the\nflushing will result in sending a sk_msg larger than the current\nmessage size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes\nnegative at least in the following case:\n\n468         case __SK_DROP:\n469         default:\n470                 sk_msg_free_partial(sk, msg, tosend);\n471                 sk_msg_apply_bytes(psock, tosend);\n472                 *copied -= (tosend + delta); // <==== HERE\n473                 return -EACCES;\n\nTherefore, it could lead to the following BUG with a proper value of\n'copied' (thanks to syzbot). We should not use negative 'copied' as a\nreturn value here.\n\n  ------------[ cut here ]------------\n  kernel BUG at net/socket.c:733!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : sock_sendmsg_nosec net/socket.c:733 [inline]\n  pc : sock_sendmsg_nosec net/socket.c:728 [inline]\n  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745\n  lr : sock_sendmsg_nosec net/socket.c:730 [inline]\n  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745\n  sp : ffff800088ea3b30\n  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000\n  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000\n  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90\n  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001\n  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf\n  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0\n  x8 : 0000000000000000 x7 : 
000000000000003f x6 : 0000000000000000\n  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900\n  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef\n  Call trace:\n   sock_sendmsg_nosec net/socket.c:733 [inline]\n   __sock_sendmsg+0x5c/0x60 net/socket.c:745\n   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597\n   ___sys_sendmsg+0xac/0x100 net/socket.c:2651\n   __sys_sendmsg+0x84/0xe0 net/socket.c:2680\n   __do_sys_sendmsg net/socket.c:2689 [inline]\n   __se_sys_sendmsg net/socket.c:2687 [inline]\n   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49\n   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712\n   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598\n  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup\n\nCurrently napi_disable() gets called during rxq and txq cleanup,\neven before napi is enabled and hrtimer is initialized. It causes\nkernel panic.\n\n? page_fault_oops+0x136/0x2b0\n  ? page_counter_cancel+0x2e/0x80\n  ? do_user_addr_fault+0x2f2/0x640\n  ? refill_obj_stock+0xc4/0x110\n  ? exc_page_fault+0x71/0x160\n  ? asm_exc_page_fault+0x27/0x30\n  ? __mmdrop+0x10/0x180\n  ? __mmdrop+0xec/0x180\n  ? hrtimer_active+0xd/0x50\n  hrtimer_try_to_cancel+0x2c/0xf0\n  hrtimer_cancel+0x15/0x30\n  napi_disable+0x65/0x90\n  mana_destroy_rxq+0x4c/0x2f0\n  mana_create_rxq.isra.0+0x56c/0x6d0\n  ? mana_uncfg_vport+0x50/0x50\n  mana_alloc_queues+0x21b/0x320\n  ? skb_dequeue+0x5f/0x80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Use list_del_rcu() for SRCU protected list variable\n\nChi Zhiling reported:\n\n  We found a null pointer accessing in tracefs[1], the reason is that the\n  variable 'ei_child' is set to LIST_POISON1, that means the list was\n  removed in eventfs_remove_rec. so when access the ei_child->is_freed, the\n  panic triggered.\n\n  by the way, the following script can reproduce this panic\n\n  loop1 (){\n      while true\n      do\n          echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events\n          echo \"\" > /sys/kernel/debug/tracing/kprobe_events\n      done\n  }\n  loop2 (){\n      while true\n      do\n          tree /sys/kernel/debug/tracing/events/kprobes/\n      done\n  }\n  loop1 &\n  loop2\n\n  [1]:\n  [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150\n  [ 1147.968239][T17331] Mem abort info:\n  [ 1147.971739][T17331]   ESR = 0x0000000096000004\n  [ 1147.976172][T17331]   EC = 0x25: DABT (current EL), IL = 32 bits\n  [ 1147.982171][T17331]   SET = 0, FnV = 0\n  [ 1147.985906][T17331]   EA = 0, S1PTW = 0\n  [ 1147.989734][T17331]   FSC = 0x04: level 0 translation fault\n  [ 1147.995292][T17331] Data abort info:\n  [ 1147.998858][T17331]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  [ 1148.005023][T17331]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  [ 1148.010759][T17331]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges\n  [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP\n  [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 
i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]\n  [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G        W         ------- ----  6.6.43 #2\n  [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650\n  [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020\n  [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398\n  [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398\n  [ 1148.115969][T17331] sp : ffff80008d56bbd0\n  [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000\n  [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100\n  [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10\n  [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000\n  [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0\n  [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0\n  [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862\n  [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068\n  [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001\n  [ 1148.198131][T17331] Call trace:\n  [ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398\n  [ 1148.205864][T17331]  iterate_dir+0x98/0x188\n  [ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160\n  [ 1148.215161][T17331]  invoke_syscall+0x78/0x108\n  [ 1148.219593][T17331]  el0_svc_common.constprop.0+0x48/0xf0\n  [ 1148.224977][T17331]  
do_el0_svc+0x24/0x38\n  [ 1148.228974][T17331]  el0_svc+0x40/0x168\n  [ 1148.232798][T17\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF\n\nThe fscache_cookie_lru_timer is initialized when the fscache module\nis inserted, but is not deleted when the fscache module is removed.\nIf timer_reduce() is called before removing the fscache module,\nthe fscache_cookie_lru_timer will be added to the timer list of\nthe current cpu. Afterwards, a use-after-free will be triggered\nin the softIRQ after removing the fscache module, as follows:\n\n==================================================================\nBUG: unable to handle page fault for address: fffffbfff803c9e9\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855\nTainted: [W]=WARN\nRIP: 0010:__run_timer_base.part.0+0x254/0x8a0\nCall Trace:\n <IRQ>\n tmigr_handle_remote_up+0x627/0x810\n __walk_groups.isra.0+0x47/0x140\n tmigr_handle_remote+0x1fa/0x2f0\n handle_softirqs+0x180/0x590\n irq_exit_rcu+0x84/0xb0\n sysvec_apic_timer_interrupt+0x6e/0x90\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\n default_idle_call+0x38/0x60\n do_idle+0x2b5/0x300\n cpu_startup_entry+0x54/0x60\n start_secondary+0x20d/0x280\n common_startup_64+0x13e/0x148\n </TASK>\nModules linked in: [last unloaded: netfs]\n==================================================================\n\nTherefore delete fscache_cookie_lru_timer when removing the fscahe module.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: fix checks for huge PMDs\n\nPatch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2.\n\nThe pmd_trans_huge() code in mfill_atomic() is wrong in three different\nways depending on kernel version:\n\n1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit\n   the right two race windows) - I've tested this in a kernel build with\n   some extra mdelay() calls. See the commit message for a description\n   of the race scenario.\n   On older kernels (before 6.5), I think the same bug can even\n   theoretically lead to accessing transhuge page contents as a page table\n   if you hit the right 5 narrow race windows (I haven't tested this case).\n2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for\n   detecting PMDs that don't point to page tables.\n   On older kernels (before 6.5), you'd just have to win a single fairly\n   wide race to hit this.\n   I've tested this on 6.1 stable by racing migration (with a mdelay()\n   patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86\n   VM, that causes a kernel oops in ptlock_ptr().\n3. 
On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed\n   to yank page tables out from under us (though I haven't tested that),\n   so I think the BUG_ON() checks in mfill_atomic() are just wrong.\n\nI decided to write two separate fixes for these (one fix for bugs 1+2, one\nfix for bug 3), so that the first fix can be backported to kernels\naffected by bugs 1+2.\n\n\nThis patch (of 2):\n\nThis fixes two issues.\n\nI discovered that the following race can occur:\n\n  mfill_atomic                other thread\n  ============                ============\n                              <zap PMD>\n  pmdp_get_lockless() [reads none pmd]\n  <bail if trans_huge>\n  <if none:>\n                              <pagefault creates transhuge zeropage>\n    __pte_alloc [no-op]\n                              <zap PMD>\n  <bail if pmd_trans_huge(*dst_pmd)>\n  BUG_ON(pmd_none(*dst_pmd))\n\nI have experimentally verified this in a kernel with extra mdelay() calls;\nthe BUG_ON(pmd_none(*dst_pmd)) triggers.\n\nOn kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow\npte_offset_map[_lock]() to fail\"), this can't lead to anything worse than\na BUG_ON(), since the page table access helpers are actually designed to\ndeal with page tables concurrently disappearing; but on older kernels\n(<=6.4), I think we could probably theoretically race past the two\nBUG_ON() checks and end up treating a hugepage as a page table.\n\nThe second issue is that, as Qi Zheng pointed out, there are other types\nof huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs\n(in particular, migration PMDs).\n\nOn <=6.4, this is worse than the first issue: If mfill_atomic() runs on a\nPMD that contains a migration entry (which just requires winning a single,\nfairly wide race), it will pass the PMD to pte_offset_map_lock(), which\nassumes that the PMD points to a page table.\n\nBreakage follows: First, the kernel tries to take the PTE lock (which will\ncrash or maybe worse if there 
is no \"struct page\" for the address bits in\nthe migration entry PMD - I think at least on X86 there usually is no\ncorresponding \"struct page\" thanks to the PTE inversion mitigation, amd64\nlooks different).\n\nIf that didn't crash, the kernel would next try to write a PTE into what\nit wrongly thinks is a page table.\n\nAs part of fixing these issues, get rid of the check for pmd_trans_huge()\nbefore __pte_alloc() - that's redundant, we're going to have to check for\nthat after the __pte_alloc() anyway.\n\nBackport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Use a cpumask to know what threads are kthreads\n\nThe start_kthread() and stop_thread() code was not always called with the\ninterface_lock held. This means that the kthread variable could be\nunexpectedly changed causing the kthread_stop() to be called on it when it\nshould not have been, leading to:\n\n while true; do\n   rtla timerlat top -u -q & PID=$!;\n   sleep 5;\n   kill -INT $PID;\n   sleep 0.001;\n   kill -TERM $PID;\n   wait $PID;\n  done\n\nCausing the following OOPS:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:hrtimer_active+0x58/0x300\n Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f\n RSP: 0018:ffff88811d97f940 EFLAGS: 00010202\n RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b\n RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28\n RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60\n R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d\n R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28\n FS:  0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0\n Call Trace:\n  <TASK>\n  ? die_addr+0x40/0xa0\n  ? exc_general_protection+0x154/0x230\n  ? asm_exc_general_protection+0x26/0x30\n  ? 
hrtimer_active+0x58/0x300\n  ? __pfx_mutex_lock+0x10/0x10\n  ? __pfx_locks_remove_file+0x10/0x10\n  hrtimer_cancel+0x15/0x40\n  timerlat_fd_release+0x8e/0x1f0\n  ? security_file_release+0x43/0x80\n  __fput+0x372/0xb10\n  task_work_run+0x11e/0x1f0\n  ? _raw_spin_lock+0x85/0xe0\n  ? __pfx_task_work_run+0x10/0x10\n  ? poison_slab_object+0x109/0x170\n  ? do_exit+0x7a0/0x24b0\n  do_exit+0x7bd/0x24b0\n  ? __pfx_migrate_enable+0x10/0x10\n  ? __pfx_do_exit+0x10/0x10\n  ? __pfx_read_tsc+0x10/0x10\n  ? ktime_get+0x64/0x140\n  ? _raw_spin_lock_irq+0x86/0xe0\n  do_group_exit+0xb0/0x220\n  get_signal+0x17ba/0x1b50\n  ? vfs_read+0x179/0xa40\n  ? timerlat_fd_read+0x30b/0x9d0\n  ? __pfx_get_signal+0x10/0x10\n  ? __pfx_timerlat_fd_read+0x10/0x10\n  arch_do_signal_or_restart+0x8c/0x570\n  ? __pfx_arch_do_signal_or_restart+0x10/0x10\n  ? vfs_read+0x179/0xa40\n  ? ksys_read+0xfe/0x1d0\n  ? __pfx_ksys_read+0x10/0x10\n  syscall_exit_to_user_mode+0xbc/0x130\n  do_syscall_64+0x74/0x110\n  ? __pfx___rseq_handle_notify_resume+0x10/0x10\n  ? __pfx_ksys_read+0x10/0x10\n  ? fpregs_restore_userregs+0xdb/0x1e0\n  ? fpregs_restore_userregs+0xdb/0x1e0\n  ? syscall_exit_to_user_mode+0x116/0x130\n  ? do_syscall_64+0x74/0x110\n  ? do_syscall_64+0x74/0x110\n  ? 
do_syscall_64+0x74/0x110\n  entry_SYSCALL_64_after_hwframe+0x71/0x79\n RIP: 0033:0x7ff0070eca9c\n Code: Unable to access opcode bytes at 0x7ff0070eca72.\n RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c\n RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003\n RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0\n R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003\n R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008\n  </TASK>\n Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core\n ---[ end trace 0000000000000000 ]---\n\nThis is because it would mistakenly call kthread_stop() on a user space\nthread making it \"exit\" before it actually exits.\n\nSince kthread\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: add check for s->flags in the alloc_tagging_slab_free_hook\n\nWhen enable CONFIG_MEMCG & CONFIG_KFENCE & CONFIG_KMEMLEAK, the following\nwarning always occurs,This is because the following call stack occurred:\nmem_pool_alloc\n    kmem_cache_alloc_noprof\n        slab_alloc_node\n            kfence_alloc\n\nOnce the kfence allocation is successful,slab->obj_exts will not be empty,\nbecause it has already been assigned a value in kfence_init_pool.\n\nSince in the prepare_slab_obj_exts_hook function,we perform a check for\ns->flags & (SLAB_NO_OBJ_EXT | SLAB_NOLEAKTRACE),the alloc_tag_add function\nwill not be called as a result.Therefore,ref->ct remains NULL.\n\nHowever,when we call mem_pool_free,since obj_ext is not empty, it\neventually leads to the alloc_tag_sub scenario being invoked.  This is\nwhere the warning occurs.\n\nSo we should add corresponding checks in the alloc_tagging_slab_free_hook.\nFor __GFP_NO_OBJ_EXT case,I didn't see the specific case where it's using\nkfence,so I won't add the corresponding check in\nalloc_tagging_slab_free_hook for now.\n\n[    3.734349] ------------[ cut here ]------------\n[    3.734807] alloc_tag was not set\n[    3.735129] WARNING: CPU: 4 PID: 40 at ./include/linux/alloc_tag.h:130 kmem_cache_free+0x444/0x574\n[    3.735866] Modules linked in: autofs4\n[    3.736211] CPU: 4 UID: 0 PID: 40 Comm: ksoftirqd/4 Tainted: G        W          6.11.0-rc3-dirty #1\n[    3.736969] Tainted: [W]=WARN\n[    3.737258] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n[    3.737875] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    3.738501] pc : kmem_cache_free+0x444/0x574\n[    3.738951] lr : kmem_cache_free+0x444/0x574\n[    3.739361] sp : ffff80008357bb60\n[    3.739693] x29: ffff80008357bb70 x28: 0000000000000000 x27: 0000000000000000\n[    3.740338] x26: ffff80008207f000 x25: ffff000b2eb2fd60 x24: 
ffff0000c0005700\n[    3.740982] x23: ffff8000804229e4 x22: ffff800082080000 x21: ffff800081756000\n[    3.741630] x20: fffffd7ff8253360 x19: 00000000000000a8 x18: ffffffffffffffff\n[    3.742274] x17: ffff800ab327f000 x16: ffff800083398000 x15: ffff800081756df0\n[    3.742919] x14: 0000000000000000 x13: 205d344320202020 x12: 5b5d373038343337\n[    3.743560] x11: ffff80008357b650 x10: 000000000000005d x9 : 00000000ffffffd0\n[    3.744231] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008237bad0 x6 : c0000000ffff7fff\n[    3.744907] x5 : ffff80008237ba78 x4 : ffff8000820bbad0 x3 : 0000000000000001\n[    3.745580] x2 : 68d66547c09f7800 x1 : 68d66547c09f7800 x0 : 0000000000000000\n[    3.746255] Call trace:\n[    3.746530]  kmem_cache_free+0x444/0x574\n[    3.746931]  mem_pool_free+0x44/0xf4\n[    3.747306]  free_object_rcu+0xc8/0xdc\n[    3.747693]  rcu_do_batch+0x234/0x8a4\n[    3.748075]  rcu_core+0x230/0x3e4\n[    3.748424]  rcu_core_si+0x14/0x1c\n[    3.748780]  handle_softirqs+0x134/0x378\n[    3.749189]  run_ksoftirqd+0x70/0x9c\n[    3.749560]  smpboot_thread_fn+0x148/0x22c\n[    3.749978]  kthread+0x10c/0x118\n[    3.750323]  ret_from_fork+0x10/0x20\n[    3.750696] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncodetag: debug: mark codetags for poisoned page as empty\n\nWhen PG_hwpoison pages are freed they are treated differently in\nfree_pages_prepare() and instead of being released they are isolated.\n\nPage allocation tag counters are decremented at this point since the page\nis considered not in use.  Later on when such pages are released by\nunpoison_memory(), the allocation tag counters will be decremented again\nand the following warning gets reported:\n\n[  113.930443][ T3282] ------------[ cut here ]------------\n[  113.931105][ T3282] alloc_tag was not set\n[  113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164\n[  113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4\n[  113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G        W          6.11.0-rc4-dirty #18\n[  113.943003][ T3282] Tainted: [W]=WARN\n[  113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n[  113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164\n[  113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164\n[  113.946706][ T3282] sp : ffff800087093a10\n[  113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0\n[  113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000\n[  113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000\n[  113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff\n[  113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210\n[  113.953161][ T3282] x14: 0000000000000000 
x13: 205d323832335420 x12: 5b5d353031313339\n[  113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0\n[  113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff\n[  113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001\n[  113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000\n[  113.957962][ T3282] Call trace:\n[  113.958350][ T3282]  pgalloc_tag_sub.part.66+0x154/0x164\n[  113.959000][ T3282]  pgalloc_tag_sub+0x14/0x1c\n[  113.959539][ T3282]  free_unref_page+0xf4/0x4b8\n[  113.960096][ T3282]  __folio_put+0xd4/0x120\n[  113.960614][ T3282]  folio_put+0x24/0x50\n[  113.961103][ T3282]  unpoison_memory+0x4f0/0x5b0\n[  113.961678][ T3282]  hwpoison_unpoison+0x30/0x48 [hwpoison_inject]\n[  113.962436][ T3282]  simple_attr_write_xsigned.isra.34+0xec/0x1cc\n[  113.963183][ T3282]  simple_attr_write+0x38/0x48\n[  113.963750][ T3282]  debugfs_attr_write+0x54/0x80\n[  113.964330][ T3282]  full_proxy_write+0x68/0x98\n[  113.964880][ T3282]  vfs_write+0xdc/0x4d0\n[  113.965372][ T3282]  ksys_write+0x78/0x100\n[  113.965875][ T3282]  __arm64_sys_write+0x24/0x30\n[  113.966440][ T3282]  invoke_syscall+0x7c/0x104\n[  113.966984][ T3282]  el0_svc_common.constprop.1+0x88/0x104\n[  113.967652][ T3282]  do_el0_svc+0x2c/0x38\n[  113.968893][ T3282]  el0_svc+0x3c/0x1b8\n[  113.969379][ T3282]  el0t_64_sync_handler+0x98/0xbc\n[  113.969980][ T3282]  el0t_64_sync+0x19c/0x1a0\n[  113.970511][ T3282] ---[ end trace 0000000000000000 ]---\n\nTo fix this, clear the page tag reference after the page got isolated\nand accounted for.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open\n\nThe mcp251x_hw_wake() function is called with the mpc_lock mutex held and\ndisables the interrupt handler so that no interrupts can be processed while\nwaking the device. If an interrupt has already occurred then waiting for\nthe interrupt handler to complete will deadlock because it will be trying\nto acquire the same mutex.\n\nCPU0                           CPU1\n----                           ----\nmcp251x_open()\n mutex_lock(&priv->mcp_lock)\n  request_threaded_irq()\n                               <interrupt>\n                               mcp251x_can_ist()\n                                mutex_lock(&priv->mcp_lock)\n  mcp251x_hw_wake()\n   disable_irq() <-- deadlock\n\nUse disable_irq_nosync() instead because the interrupt handler does\neverything while holding the mutex so it doesn't matter if it's still\nrunning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: misaligned: Restrict user access to kernel memory\n\nraw_copy_{to,from}_user() do not call access_ok(), so this code allowed\nuserspace to access any virtual memory address.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder\n\nSince commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component\nvia COMP_DUMMY()\") dummy codecs declared like this:\n\nSND_SOC_DAILINK_DEF(dummy,\n        DAILINK_COMP_ARRAY(COMP_DUMMY()));\n\nexpand to:\n\nstatic struct snd_soc_dai_link_component dummy[] = {\n};\n\nWhich means that dummy is a zero sized array and thus dais[i].codecs should\nnot be dereferenced *at all* since it points to the address of the next\nvariable stored in the data section as the \"dummy\" variable has an address\nbut no size, so even dereferencing dais[0] is already an out of bounds\narray reference.\n\nWhich means that the if (dais[i].codecs->name) check added in\ncommit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref\nin BYT/CHT boards\") relies on that the part of the next variable which\nthe name member maps to just happens to be NULL.\n\nWhich apparently so far it usually is, except when it isn't\nand then it results in crashes like this one:\n\n[   28.795659] BUG: unable to handle page fault for address: 0000000000030011\n...\n[   28.795780] Call Trace:\n[   28.795787]  <TASK>\n...\n[   28.795862]  ? strcmp+0x18/0x40\n[   28.795872]  0xffffffffc150c605\n[   28.795887]  platform_probe+0x40/0xa0\n...\n[   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]\n\nReally fix things this time around by checking dais.num_codecs != 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Fix data leak in mmio_read()\n\nThe mmio_read() function makes a TDVMCALL to retrieve MMIO data for an\naddress from the VMM.\n\nSean noticed that mmio_read() unintentionally exposes the value of an\ninitialized variable (val) on the stack to the VMM.\n\nThis variable is only needed as an output value. It did not need to be\npassed to the VMM in the first place.\n\nDo not send the original value of *val to the VMM.\n\n[ dhansen: clarify what 'val' is used for. ]",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset the binding mark of a reused connection\n\nSteve French reported null pointer dereference error from sha256 lib.\ncifs.ko can send session setup requests on reused connection.\nIf reused connection is used for binding session, conn->binding can\nstill remain true and generate_preauth_hash() will not set\nsess->Preauth_HashValue and it will be NULL.\nIt is used as a material to create an encryption key in\nksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer\ndereference error from crypto_shash_update().\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 8 PID: 429254 Comm: kworker/8:39\nHardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )\nWorkqueue: ksmbd-io handle_ksmbd_work [ksmbd]\nRIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n<TASK>\n? show_regs+0x6d/0x80\n? __die+0x24/0x80\n? page_fault_oops+0x99/0x1b0\n? do_user_addr_fault+0x2ee/0x6b0\n? exc_page_fault+0x83/0x1b0\n? asm_exc_page_fault+0x27/0x30\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n_sha256_update+0x77/0xa0 [sha256_ssse3]\nsha256_avx2_update+0x15/0x30 [sha256_ssse3]\ncrypto_shash_update+0x1e/0x40\nhmac_update+0x12/0x20\ncrypto_shash_update+0x1e/0x40\ngenerate_key+0x234/0x380 [ksmbd]\ngenerate_smb3encryptionkey+0x40/0x1c0 [ksmbd]\nksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]\nntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]\nsmb2_sess_setup+0x952/0xaa0 [ksmbd]\n__process_request+0xa3/0x1d0 [ksmbd]\n__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]\nhandle_ksmbd_work+0x2d/0xa0 [ksmbd]\nprocess_one_work+0x16c/0x350\nworker_thread+0x306/0x440\n? __pfx_worker_thread+0x10/0x10\nkthread+0xef/0x120\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x44/0x70\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n  CIFS: Attempting to mount //w22-fs0/scratch\n  run fstests generic/013 at 2024-09-02 19:48:59\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n  04/01/2014\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ? detach_if_pending+0xab/0x200\n   print_report+0x156/0x4d9\n   ? detach_if_pending+0xab/0x200\n   ? __virt_addr_valid+0x145/0x300\n   ? __phys_addr+0x46/0x90\n   ? detach_if_pending+0xab/0x200\n   kasan_report+0xda/0x110\n   ? detach_if_pending+0xab/0x200\n   detach_if_pending+0xab/0x200\n   timer_delete+0x96/0xe0\n   ? __pfx_timer_delete+0x10/0x10\n   ? rcu_is_watching+0x20/0x50\n   try_to_grab_pending+0x46/0x3b0\n   __cancel_work+0x89/0x1b0\n   ? __pfx___cancel_work+0x10/0x10\n   ? kasan_save_track+0x14/0x30\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n   ? __pfx_down_read+0x10/0x10\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n   ? lock_is_held_type+0x85/0xf0\n   ? mark_held_locks+0x1a/0x90\n   process_one_work+0x4c6/0x9f0\n   ? find_held_lock+0x8a/0xa0\n   ? __pfx_process_one_work+0x10/0x10\n   ? lock_acquired+0x220/0x550\n   ? 
__list_add_valid_or_report+0x37/0x100\n   worker_thread+0x2e4/0x570\n   ? __kthread_parkme+0xd1/0xf0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x17f/0x1c0\n   ? kthread+0xda/0x1c0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x60\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 1118:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n   cifs_atomic_open+0x467/0x770 [cifs]\n   lookup_open.isra.0+0x665/0x8b0\n   path_openat+0x4c3/0x1380\n   do_filp_open+0x167/0x270\n   do_sys_openat2+0x129/0x160\n   __x64_sys_creat+0xad/0xe0\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 83:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   poison_slab_object+0xe9/0x160\n   __kasan_slab_free+0x32/0x50\n   kfree+0xf2/0x300\n   process_one_work+0x4c6/0x9f0\n   worker_thread+0x2e4/0x570\n   kthread+0x17f/0x1c0\n   ret_from_fork+0x31/0x60\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x30/0x50\n   __kasan_record_aux_stack+0xad/0xc0\n   insert_work+0x29/0xe0\n   __queue_work+0x5ea/0x760\n   queue_work_on+0x6d/0x90\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\n   smb2_compound_op+0x911/0x3940 [cifs]\n   smb2_set_path_size+0x228/0x270 [cifs]\n   cifs_set_file_size+0x197/0x460 [cifs]\n   cifs_setattr+0xd9c/0x14b0 [cifs]\n   notify_change+0x4e3/0x740\n   do_truncate+0xfa/0x180\n   vfs_truncate+0x195/0x200\n   __x64_sys_truncate+0x109/0x150\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/qspinlock: Fix deadlock in MCS queue\n\nIf an interrupt occurs in queued_spin_lock_slowpath() after we increment\nqnodesp->count and before node->lock is initialized, another CPU might\nsee stale lock values in get_tail_qnode(). If the stale lock value happens\nto match the lock on that CPU, then we write to the \"next\" pointer of\nthe wrong qnode. This causes a deadlock as the former CPU, once it becomes\nthe head of the MCS queue, will spin indefinitely until it's \"next\" pointer\nis set by its successor in the queue.\n\nRunning stress-ng on a 16 core (16EC/16VP) shared LPAR, results in\noccasional lockups similar to the following:\n\n   $ stress-ng --all 128 --vm-bytes 80% --aggressive \\\n               --maximize --oomable --verify  --syslog \\\n               --metrics  --times  --timeout 5m\n\n   watchdog: CPU 15 Hard LOCKUP\n   ......\n   NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490\n   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90\n   Call Trace:\n    0xc000002cfffa3bf0 (unreliable)\n    _raw_spin_lock+0x6c/0x90\n    raw_spin_rq_lock_nested.part.135+0x4c/0xd0\n    sched_ttwu_pending+0x60/0x1f0\n    __flush_smp_call_function_queue+0x1dc/0x670\n    smp_ipi_demux_relaxed+0xa4/0x100\n    xive_muxed_ipi_action+0x20/0x40\n    __handle_irq_event_percpu+0x80/0x240\n    handle_irq_event_percpu+0x2c/0x80\n    handle_percpu_irq+0x84/0xd0\n    generic_handle_irq+0x54/0x80\n    __do_irq+0xac/0x210\n    __do_IRQ+0x74/0xd0\n    0x0\n    do_IRQ+0x8c/0x170\n    hardware_interrupt_common_virt+0x29c/0x2a0\n   --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490\n   ......\n   NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490\n   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90\n   --- interrupt: 500\n    0xc0000029c1a41d00 (unreliable)\n    _raw_spin_lock+0x6c/0x90\n    futex_wake+0x100/0x260\n    do_futex+0x21c/0x2a0\n    
sys_futex+0x98/0x270\n    system_call_exception+0x14c/0x2f0\n    system_call_vectored_common+0x15c/0x2ec\n\nThe following code flow illustrates how the deadlock occurs.\nFor the sake of brevity, assume that both locks (A and B) are\ncontended and we call the queued_spin_lock_slowpath() function.\n\n        CPU0                                   CPU1\n        ----                                   ----\n  spin_lock_irqsave(A)                          |\n  spin_unlock_irqrestore(A)                     |\n    spin_lock(B)                                |\n         |                                      |\n         \u25bc                                      |\n   id = qnodesp->count++;                       |\n  (Note that nodes[0].lock == A)                |\n         |                                      |\n         \u25bc                                      |\n      Interrupt                                 |\n  (happens before \"nodes[0].lock = B\")          |\n         |                                      |\n         \u25bc                                      |\n  spin_lock_irqsave(A)                          |\n         |                                      |\n         \u25bc                                      |\n   id = qnodesp->count++                        |\n   nodes[1].lock = A                            |\n         |                                      |\n         \u25bc                                      |\n  Tail of MCS queue                             |\n         |                             spin_lock_irqsave(A)\n         \u25bc                                      |\n  Head of MCS queue                             \u25bc\n         |                             CPU0 is previous tail\n         \u25bc                                      |\n   Spin indefinitely                            \u25bc\n  (until \"nodes[1].next != NULL\")      prev = get_tail_qnode(A, CPU0)\n                                                |\n                                                \u25bc\n                                       prev == &qnodes[CPU0].nodes[0]\n                                     (as qnodes\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: dapm: Fix UAF for snd_soc_pcm_runtime object\n\nWhen using kernel with the following extra config,\n\n  - CONFIG_KASAN=y\n  - CONFIG_KASAN_GENERIC=y\n  - CONFIG_KASAN_INLINE=y\n  - CONFIG_KASAN_VMALLOC=y\n  - CONFIG_FRAME_WARN=4096\n\nkernel detects that snd_pcm_suspend_all() access a freed\n'snd_soc_pcm_runtime' object when the system is suspended, which\nleads to a use-after-free bug:\n\n[   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270\n[   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330\n\n[   52.047785] Call trace:\n[   52.047787]  dump_backtrace+0x0/0x3c0\n[   52.047794]  show_stack+0x34/0x50\n[   52.047797]  dump_stack_lvl+0x68/0x8c\n[   52.047802]  print_address_description.constprop.0+0x74/0x2c0\n[   52.047809]  kasan_report+0x210/0x230\n[   52.047815]  __asan_report_load1_noabort+0x3c/0x50\n[   52.047820]  snd_pcm_suspend_all+0x1a8/0x270\n[   52.047824]  snd_soc_suspend+0x19c/0x4e0\n\nThe snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before\nmaking any access. So we need to always set 'substream->runtime' to NULL\neverytime we kfree() it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX\n\nIf number of TX queues are set to 1 we get a NULL pointer\ndereference during XDP_TX.\n\n~# ethtool -L eth0 tx 1\n~# ./xdp-trafficgen udp -A <ipv6-src> -a <ipv6-dst> eth0 -t 2\nTransmitting on eth0 (ifindex 2)\n[  241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030\n\nFix this by using actual TX queues instead of max TX queues\nwhen picking the TX channel in am65_cpsw_ndo_xdp_xmit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch/netem: fix use after free in netem_dequeue\n\nIf netem_dequeue() enqueues packet to inner qdisc and that qdisc\nreturns __NET_XMIT_STOLEN. The packet is dropped but\nqdisc_tree_reduce_backlog() is not called to update the parent's\nq.qlen, leading to the similar use-after-free as Commit\ne04991a48dbaf382 (\"netem: fix return value if duplicate enqueue\nfails\")\n\nCommands to trigger KASAN UaF:\n\nip link add type dummy\nip link set lo up\nip link set dummy0 up\ntc qdisc add dev lo parent root handle 1: drr\ntc filter add dev lo parent 1: basic classid 1:1\ntc class add dev lo classid 1:1 drr\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2: handle 3: drr\ntc filter add dev lo parent 3: basic classid 3:1 action mirred egress\nredirect dev dummy0\ntc class add dev lo classid 3:1 drr\nping -c1 -W0.01 localhost # Trigger bug\ntc class del dev lo classid 1:1\ntc class add dev lo classid 1:1 drr\nping -c1 -W0.01 localhost # UaF",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibfs: fix get_stashed_dentry()\n\nget_stashed_dentry() tries to optimistically retrieve a stashed dentry\nfrom a provided location.  It needs to ensure to hold rcu lock before it\ndereference the stashed location to prevent UAF issues.  Use\nrcu_dereference() instead of READ_ONCE() it's effectively equivalent\nwith some lockdep bells and whistles and it communicates clearly that\nthis expects rcu protection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: added NULL check at start of dc_validate_stream\n\n[Why]\nprevent invalid memory access\n\n[How]\ncheck if dc and stream are NULL",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Check debug trap enable before write dbg_ev_file\n\nIn interrupt context, write dbg_ev_file will be run by work queue. It\nwill cause write dbg_ev_file execution after debug_trap_disable, which\nwill cause NULL pointer access.\nv2: cancel work \"debug_event_workarea\" before set dbg_ev_file as NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add array index check for hdcp ddc access\n\n[Why]\nCoverity reports OVERRUN warning. Do not check if array\nindex valid.\n\n[How]\nCheck msg_id valid and valid array index.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix the waring dereferencing hive\n\nCheck the amdgpu_hive_info *hive that maybe is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the warning division or modulo by zero\n\nChecks the partition mode and returns an error for an invalid mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Check tbo resource pointer\n\nValidate tbo resource pointer, skip if NULL",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range\n\n[Why & How]\nASSERT if return NULL from kcalloc.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check BIOS images before it is used\n\nBIOS images may fail to load and null checks are added before they are\nused.\n\nThis fixes 6 NULL_RETURNS issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ\n\nMake sure the connector is fully initialized before signalling any\nHPD events via drm_kms_helper_hotplug_event(), otherwise this may\nlead to NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box\n\n[Why]\nCoverity reports OVERRUN warning. soc.num_states could\nbe 40. But array range of bw_params->clk_table.entries is 8.\n\n[How]\nAssert if soc.num_states greater than 8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration\n\n[Why]\nCoverity reports Memory - illegal accesses.\n\n[How]\nSkip inactive planes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check link_index before accessing dc->links[]\n\n[WHY & HOW]\ndc->links[] has max size of MAX_LINKS and NULL is return when trying to\naccess with out-of-bound index.\n\nThis fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check msg_id before processing transcation\n\n[WHY & HOW]\nHDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid\narray index, and it needs checking before used.\n\nThis fixes 4 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]\n\n[WHY & HOW]\nnum_valid_sets needs to be checked to avoid a negative index when\naccessing reader_wm_sets[num_valid_sets - 1].\n\nThis fixes an OVERRUN issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links\n\n[Why]\nCoverity report OVERRUN warning. There are\nonly max_links elements within dc->links. link\ncount could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.\n\n[How]\nMake sure link count less than max_links.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6\n\n[Why]\nCoverity reports OVERRUN warning. Should abort amdgpu_dm\ninitialize.\n\n[How]\nReturn failure to amdgpu_dm_init.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check gpio_id before used as array index\n\n[WHY & HOW]\nGPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore\nshould be checked in advance.\n\nThis fixes 5 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: the warning dereferencing obj for nbio_v7_4\n\nif ras_manager obj null, don't print NBIO err data",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn: remove irq disabling in vcn 5 suspend\n\nWe do not directly enable/disable VCN IRQ in vcn 5.0.0.\nAnd we do not handle the IRQ state as well. So the calls to\ndisable IRQ and set state are removed. This effectively gets\nrid of the warining of\n      \"WARN_ON(!amdgpu_irq_enabled(adev, src, type))\"\nin amdgpu_irq_put().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix negative array index read\n\nAvoid using the negative values\nfor clk_idex as an index into an array pptable->DpmDescriptor.\n\nV2: fix clk_index return check (Tim Huang)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry\n\nIn a review discussion of the changes to support vCPU hotplug where\na check was added on the GICC being enabled if was online, it was\nnoted that there is need to map back to the cpu and use that to index\ninto a cpumask. As such, a valid ID is needed.\n\nIf an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible\nfor the entry in cpu_madt_gicc[cpu] == NULL.  This function would\nthen cause a NULL pointer dereference.   Whilst a path to trigger\nthis has not been established, harden this caller against the\npossibility.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit/overflow: Fix UB in overflow_allocation_test\n\nThe 'device_name' array doesn't exist out of the\n'overflow_allocation_test' function scope. However, it is being used as\na driver name when calling 'kunit_driver_create' from\n'kunit_device_register'. It produces the kernel panic with KASAN\nenabled.\n\nSince this variable is used in one place only, remove it and pass the\ndevice name into kunit_device_register directly as an ascii string.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Require drivers to supply the cache_invalidate_user ops\n\nIf drivers don't do this then iommufd will oops invalidation ioctls with\nsomething like:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000086000004\n    EC = 0x21: IABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000\n  [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n  Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n  Modules linked in:\n  CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c)\n  pc : 0x0\n  lr : iommufd_hwpt_invalidate+0xa4/0x204\n  sp : ffff800080f3bcc0\n  x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000\n  x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n  x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0\n  x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8\n  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n  x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000\n  x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002\n  x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80\n  Call trace:\n   0x0\n   iommufd_fops_ioctl+0x154/0x274\n   __arm64_sys_ioctl+0xac/0xf0\n   invoke_syscall+0x48/0x110\n   el0_svc_common.constprop.0+0x40/0xe0\n   do_el0_svc+0x1c/0x28\n   el0_svc+0x34/0xb4\n   el0t_64_sync_handler+0x120/0x12c\n   el0t_64_sync+0x190/0x194\n\nAll existing drivers implement this op for nesting, this is mostly a\nbisection aid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check\n\nThe lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is\nnormally called with input from the firmware, so it should use\nIWL_FW_CHECK() instead of WARN_ON().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nELF: fix kernel.randomize_va_space double read\n\nELF loader uses \"randomize_va_space\" twice. It is sysctl and can change\nat any moment, so 2 loads could see 2 different values in theory with\nunpredictable consequences.\n\nIssue exactly one load for consistent value across one exec.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix firmware crash due to invalid peer nss\n\nCurrently, if the access point receives an association\nrequest containing an Extended HE Capabilities Information\nElement with an invalid MCS-NSS, it triggers a firmware\ncrash.\n\nThis issue arises when EHT-PHY capabilities shows support\nfor a bandwidth and MCS-NSS set for that particular\nbandwidth is filled by zeros and due to this, driver obtains\npeer_nss as 0 and sending this value to firmware causes\ncrash.\n\nAddress this issue by implementing a validation step for\nthe peer_nss value before passing it to the firmware. If\nthe value is greater than zero, proceed with forwarding\nit to the firmware. However, if the value is invalid,\nreject the association request to prevent potential\nfirmware crashes.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: fix bulk flow accounting logic for host fairness\n\nIn sch_cake, we keep track of the count of active bulk flows per host,\nwhen running in dst/src host fairness mode, which is used as the\nround-robin weight when iterating through flows. The count of active\nbulk flows is updated whenever a flow changes state.\n\nThis has a peculiar interaction with the hash collision handling: when a\nhash collision occurs (after the set-associative hashing), the state of\nthe hash bucket is simply updated to match the new packet that collided,\nand if host fairness is enabled, that also means assigning new per-host\nstate to the flow. For this reason, the bulk flow counters of the\nhost(s) assigned to the flow are decremented, before new state is\nassigned (and the counters, which may not belong to the same host\nanymore, are incremented again).\n\nBack when this code was introduced, the host fairness mode was always\nenabled, so the decrement was unconditional. When the configuration\nflags were introduced the *increment* was made conditional, but\nthe *decrement* was not. Which of course can lead to a spurious\ndecrement (and associated wrap-around to U16_MAX).\n\nAFAICT, when host fairness is disabled, the decrement and wrap-around\nhappens as soon as a hash collision occurs (which is not that common in\nitself, due to the set-associative hashing). However, in most cases this\nis harmless, as the value is only used when host fairness mode is\nenabled. So in order to trigger an array overflow, sch_cake has to first\nbe configured with host fairness disabled, and while running in this\nmode, a hash collision has to occur to cause the overflow. Then, the\nqdisc has to be reconfigured to enable host fairness, which leads to the\narray out-of-bounds because the wrapped-around value is retained and\nused as an array index. It seems that syzbot managed to trigger this,\nwhich is quite impressive in its own right.\n\nThis patch fixes the issue by introducing the same conditional check on\ndecrement as is used on increment.\n\nThe original bug predates the upstreaming of cake, but the commit listed\nin the Fixes tag touched that code, meaning that this patch won't apply\nbefore that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Drop rt_mutex::wait_lock before scheduling\n\nrt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held.  In the\ngood case it returns with the lock held and in the deadlock case it emits a\nwarning and goes into an endless scheduling loop with the lock held, which\ntriggers the 'scheduling in atomic' warning.\n\nUnlock rt_mutex::wait_lock in the dead lock case before issuing the warning\nand dropping into the schedule for ever loop.\n\n[ tglx: Moved unlock before the WARN(), removed the pointless comment,\n  \tmassaged changelog, added Fixes tag ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS\n\nGrab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\nreads guest memory.\n\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\nvia sync_regs(), which already holds SRCU.  I.e. trying to precisely use\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\nproblems.  Acquiring SRCU isn't all that expensive, so for simplicity,\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\n\n =============================\n WARNING: suspicious RCU usage\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by repro/1071:\n  #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n\n stack backtrace:\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x7f/0x90\n  lockdep_rcu_suspicious+0x13f/0x1a0\n  kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\n  kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n  nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\n  load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\n  vmx_leave_nested+0x30/0x40 [kvm_intel]\n  kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\n  kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\n  ? mark_held_locks+0x49/0x70\n  ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n  ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\n  kvm_vcpu_ioctl+0x497/0x970 [kvm]\n  ? lock_acquire+0xba/0x2d0\n  ? find_held_lock+0x2b/0x80\n  ? do_user_addr_fault+0x40c/0x6f0\n  ? lock_release+0xb7/0x270\n  __x64_sys_ioctl+0x82/0xb0\n  do_syscall_64+0x6c/0x170\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7ff11eb1b539\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: vcap: Fix use-after-free error in kunit test\n\nThis is a clear use-after-free error. We remove it, and rely on checking\nthe return code of vcap_del_rule.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed\n\nThis avoids warning:\n\n[    0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283\n\nCaused by get_c0_compare_int on secondary CPU.\n\nWe also skipped saving IRQ number to struct clock_event_device *cd as\nit's never used by clockevent core, as per comments it's only meant\nfor \"non CPU local devices\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: void array out of bound when loop tnl_num\n\nWhen query reg inf of SSU, it loops tnl_num times. However, tnl_num comes\nfrom hardware and the length of array is a fixed value. To void array out\nof bound, make sure the loop time is not greater than the length of array",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: fail closed if we can't get max channel used in indirection tables\n\nCommit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with\nactive RSS contexts\") proves that allowing indirection table to contain\nchannels with out of bounds IDs may lead to crashes. Currently the\nmax channel check in the core gets skipped if driver can't fetch\nthe indirection table or when we can't allocate memory.\n\nBoth of those conditions should be extremely rare but if they do\nhappen we should try to be safe and fail the channel change.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix smatch static checker warning\n\nadev->gfx.imu.funcs could be NULL",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: aspeed_udc: validate endpoint index for ast udc\n\nWe should verify the bound of the array to assure that host\nmay not manipulate the index to point past endpoint array.\n\nFound by static analysis.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Restrict high priorities on group_create\n\nWe were allowing any users to create a high priority group without any\npermission checks. As a result, this was allowing possible denial of\nservice.\n\nWe now only allow the DRM master or users with the CAP_SYS_NICE\ncapability to set higher priorities than PANTHOR_GROUP_PRIORITY_MEDIUM.\n\nAs the sole user of that uAPI lives in Mesa and hardcode a value of\nMEDIUM [1], this should be safe to do.\n\nAdditionally, as those checks are performed at the ioctl level,\npanthor_group_create now only check for priority level validity.\n\n[1]https://gitlab.freedesktop.org/mesa/mesa/-/blob/f390835074bdf162a63deb0311d1a6de527f9f89/src/gallium/drivers/panfrost/pan_csf.c#L1038",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: don't BUG_ON() if khugepaged yanks our page table\n\nSince khugepaged was changed to allow retracting page tables in file\nmappings without holding the mmap lock, these BUG_ON()s are wrong - get\nrid of them.\n\nWe could also remove the preceding \"if (unlikely(...))\" block, but then we\ncould reach pte_offset_map_lock() with transhuge pages not just for file\nmappings but also for anonymous mappings - which would probably be fine\nbut I think is not necessarily expected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: clean up our handling of refs == 0 in snapshot delete\n\nIn reada we BUG_ON(refs == 0), which could be unkind since we aren't\nholding a lock on the extent leaf and thus could get a transient\nincorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which\ncould happen if we have extent tree corruption.  Change that to return\n-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,\nhowever we return -EIO, which -EUCLEAN is a more appropriate error code.\nFinally in walk_up_proc we have the same BUG_ON(refs == 0), so convert\nthat to proper error handling.  Also adjust the error message so we can\nactually do something with the information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc()\n\nWe handle errors here properly, ENOMEM isn't fatal, return the error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info\n\nThe MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the\nroutine unconditionally frees submitted mailbox commands regardless of\nreturn status.  The issue is that for MBX_TIMEOUT cases, when firmware\nreturns SFP information at a later time, that same mailbox memory region\nreferences previously freed memory in its cmpl routine.\n\nFix by adding checks for the MBX_TIMEOUT return code.  During mailbox\nresource cleanup, check the mbox flag to make sure that the wait did not\ntimeout.  If the MBOX_WAKE flag is not set, then do not free the resources\nbecause it will be freed when firmware completes the mailbox at a later\ntime in its cmpl routine.\n\nAlso, increase the timeout from 30 to 60 seconds to accommodate boot\nscripts requiring longer timeouts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Remove SCSI host only if added\n\nIf host tries to remove ufshcd driver from a UFS device it would cause a\nkernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before\nadding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host\nhas been defered after MCQ configuration introduced by commit 0cab4023ec7b\n(\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\").\n\nTo guarantee that SCSI host is removed only if it has been added, set the\nscsi_host_added flag to true after adding a SCSI host and check whether it\nis set or not before removing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: line: always fill *error_out in setup_one_line()\n\nThe pointer isn't initialized by callers, but I have\nencountered cases where it's still printed; initialize\nit in all possible cases in setup_one_line().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Only clear timer if a kthread exists\n\nThe timerlat tracer can use user space threads to check for osnoise and\ntimer latency. If the program using this is killed via a SIGTERM, the\nthreads are shutdown one at a time and another tracing instance can start\nup resetting the threads before they are fully closed. That causes the\nhrtimer assigned to the kthread to be shutdown and freed twice when the\ndying thread finally closes the file descriptors, causing a use-after-free\nbug.\n\nOnly cancel the hrtimer if the associated thread is still around. Also add\nthe interface_lock around the resetting of the tlat_var->kthread.\n\nNote, this is just a quick fix that can be backported to stable. A real\nfix is to have a better synchronization between the shutdown of old\nthreads and the starting of new ones.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rockchip: Resolve unbalanced runtime PM / system PM handling\n\nCommit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during\nNOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and\nsimply disabled clocks unconditionally when suspending the system. This\ncauses problems when the device is already runtime suspended when we go\nto sleep -- in which case we double-disable clocks and produce a\nWARNing.\n\nSwitch back to pm_runtime_force_{suspend,resume}(), because that still\nseems like the right thing to do, and the aforementioned commit makes no\nexplanation why it stopped using it.\n\nAlso, refactor some of the resume() error handling, because it's not\nactually a good idea to re-disable clocks on failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmalloc: ensure vmap_block is initialised before adding to queue\n\nCommit 8c61291fd850 (\"mm: fix incorrect vbq reference in\npurge_fragmented_block\") extended the 'vmap_block' structure to contain a\n'cpu' field which is set at allocation time to the id of the initialising\nCPU.\n\nWhen a new 'vmap_block' is being instantiated by new_vmap_block(), the\npartially initialised structure is added to the local 'vmap_block_queue'\nxarray before the 'cpu' field has been initialised.  If another CPU is\nconcurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it\nmay perform an out-of-bounds access to the remote queue thanks to an\nuninitialised index.\n\nThis has been observed as UBSAN errors in Android:\n\n | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\n |\n | Call trace:\n |  purge_fragmented_block+0x204/0x21c\n |  _vm_unmap_aliases+0x170/0x378\n |  vm_unmap_aliases+0x1c/0x28\n |  change_memory_common+0x1dc/0x26c\n |  set_memory_ro+0x18/0x24\n |  module_enable_ro+0x98/0x238\n |  do_init_module+0x1b0/0x310\n\nMove the initialisation of 'vb->cpu' in new_vmap_block() ahead of the\naddition to the xarray.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Limit the period on Haswell\n\nRunning the ltp test cve-2015-3290 concurrently reports the following\nwarnings.\n\nperfevents: irq loop stuck!\n  WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174\n  intel_pmu_handle_irq+0x285/0x370\n  Call Trace:\n   <NMI>\n   ? __warn+0xa4/0x220\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? __report_bug+0x123/0x130\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? __report_bug+0x123/0x130\n   ? intel_pmu_handle_irq+0x285/0x370\n   ? report_bug+0x3e/0xa0\n   ? handle_bug+0x3c/0x70\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? irq_work_claim+0x1e/0x40\n   ? intel_pmu_handle_irq+0x285/0x370\n   perf_event_nmi_handler+0x3d/0x60\n   nmi_handle+0x104/0x330\n\nThanks to Thomas Gleixner's analysis, the issue is caused by the low\ninitial period (1) of the frequency estimation algorithm, which triggers\nthe defects of the HW, specifically erratum HSW11 and HSW143. (For the\ndetails, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)\n\nThe HSW11 requires a period larger than 100 for the INST_RETIRED.ALL\nevent, but the initial period in the freq mode is 1. The erratum is the\nsame as the BDM11, which has been supported in the kernel. A minimum\nperiod of 128 is enforced as well on HSW.\n\nHSW143 is regarding that the fixed counter 1 may overcount 32 with the\nHyper-Threading is enabled. However, based on the test, the hardware\nhas more issues than it tells. Besides the fixed counter 1, the message\n'interrupt took too long' can be observed on any counter which was armed\nwith a period < 32 and two events expired in the same NMI. A minimum\nperiod of 32 is enforced for the rest of the events.\nThe recommended workaround code of the HSW143 is not implemented.\nBecause it only addresses the issue for the fixed counter. It brings\nextra overhead through extra MSR writing. No related overcounting issue\nhas been reported so far.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: meson: axg-card: fix 'use-after-free'\n\nBuffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',\nso move 'pad' pointer initialization after this function when memory is\nalready reallocated.\n\nKasan bug report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc\nRead of size 8 at addr ffff000000e8b260 by task modprobe/356\n\nCPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1\nCall trace:\n dump_backtrace+0x94/0xec\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x90\n print_report+0xfc/0x5c0\n kasan_report+0xb8/0xfc\n __asan_load8+0x9c/0xb8\n axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]\n meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]\n platform_probe+0x8c/0xf4\n really_probe+0x110/0x39c\n __driver_probe_device+0xb8/0x18c\n driver_probe_device+0x108/0x1d8\n __driver_attach+0xd0/0x25c\n bus_for_each_dev+0xe0/0x154\n driver_attach+0x34/0x44\n bus_add_driver+0x134/0x294\n driver_register+0xa8/0x1e8\n __platform_driver_register+0x44/0x54\n axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]\n do_one_initcall+0xdc/0x25c\n do_init_module+0x10c/0x334\n load_module+0x24c4/0x26cc\n init_module_from_file+0xd4/0x128\n __arm64_sys_finit_module+0x1f4/0x41c\n invoke_syscall+0x60/0x188\n el0_svc_common.constprop.0+0x78/0x13c\n do_el0_svc+0x30/0x40\n el0_svc+0x38/0x78\n el0t_64_sync_handler+0x100/0x12c\n el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()\n\ndc_state_destruct() nulls the resource context of the DC state. The pipe\ncontext passed to dcn35_set_drr() is a member of this resource context.\n\nIf dc_state_destruct() is called parallel to the IRQ processing (which\ncalls dcn35_set_drr() at some point), we can end up using already nulled\nfunction callback fields of struct stream_resource.\n\nThe logic in dcn35_set_drr() already tries to avoid this, by checking tg\nagainst NULL. But if the nulling happens exactly after the NULL check and\nbefore the next access, then we get a race.\n\nAvoid this by copying tg first to a local variable, and then use this\nvariable for all the operations. This should work, as long as nobody\nfrees the resource pool where the timing generators live.\n\n(cherry picked from commit 0607a50c004798a96e62c089a4c34c220179dcb5)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()\n\ndc_state_destruct() nulls the resource context of the DC state. The pipe\ncontext passed to dcn10_set_drr() is a member of this resource context.\n\nIf dc_state_destruct() is called parallel to the IRQ processing (which\ncalls dcn10_set_drr() at some point), we can end up using already nulled\nfunction callback fields of struct stream_resource.\n\nThe logic in dcn10_set_drr() already tries to avoid this, by checking tg\nagainst NULL. But if the nulling happens exactly after the NULL check and\nbefore the next access, then we get a race.\n\nAvoid this by copying tg first to a local variable, and then use this\nvariable for all the operations. This should work, as long as nobody\nfrees the resource pool where the timing generators live.\n\n(cherry picked from commit a3cc326a43bdc48fbdf53443e1027a03e309b643)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: heaps: Fix off-by-one in CMA heap fault handler\n\nUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 (\"dma-buf: heaps:\nDon't track CMA dma-buf pages under RssFile\") it was possible to obtain\na mapping larger than the buffer size via mremap and bypass the overflow\ncheck in dma_buf_mmap_internal. When using such a mapping to attempt to\nfault past the end of the buffer, the CMA heap fault handler also checks\nthe fault offset against the buffer size, but gets the boundary wrong by\n1. Fix the boundary check so that we don't read off the end of the pages\narray and insert an arbitrary page in the mapping.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: nxp-fspi: fix the KASAN report out-of-bounds bug\n\nChange the memcpy length to fix the out-of-bounds issue when writing the\ndata that is not 4 byte aligned to TX FIFO.\n\nTo reproduce the issue, write 3 bytes data to NOR chip.\n\ndd if=3b of=/dev/mtd0\n[   36.926103] ==================================================================\n[   36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838\n[   36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455\n[   36.946721]\n[   36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070\n[   36.956185] Hardware name: Freescale i.MX8QM MEK (DT)\n[   36.961260] Call trace:\n[   36.963723]  dump_backtrace+0x90/0xe8\n[   36.967414]  show_stack+0x18/0x24\n[   36.970749]  dump_stack_lvl+0x78/0x90\n[   36.974451]  print_report+0x114/0x5cc\n[   36.978151]  kasan_report+0xa4/0xf0\n[   36.981670]  __asan_report_load_n_noabort+0x1c/0x28\n[   36.986587]  nxp_fspi_exec_op+0x26ec/0x2838\n[   36.990800]  spi_mem_exec_op+0x8ec/0xd30\n[   36.994762]  spi_mem_no_dirmap_read+0x190/0x1e0\n[   36.999323]  spi_mem_dirmap_write+0x238/0x32c\n[   37.003710]  spi_nor_write_data+0x220/0x374\n[   37.007932]  spi_nor_write+0x110/0x2e8\n[   37.011711]  mtd_write_oob_std+0x154/0x1f0\n[   37.015838]  mtd_write_oob+0x104/0x1d0\n[   37.019617]  mtd_write+0xb8/0x12c\n[   37.022953]  mtdchar_write+0x224/0x47c\n[   37.026732]  vfs_write+0x1e4/0x8c8\n[   37.030163]  ksys_write+0xec/0x1d0\n[   37.033586]  __arm64_sys_write+0x6c/0x9c\n[   37.037539]  invoke_syscall+0x6c/0x258\n[   37.041327]  el0_svc_common.constprop.0+0x160/0x22c\n[   37.046244]  do_el0_svc+0x44/0x5c\n[   37.049589]  el0_svc+0x38/0x78\n[   37.052681]  el0t_64_sync_handler+0x13c/0x158\n[   37.057077]  el0t_64_sync+0x190/0x194\n[   37.060775]\n[   37.062274] Allocated by task 455:\n[   37.065701]  kasan_save_stack+0x2c/0x54\n[   37.069570]  kasan_save_track+0x20/0x3c\n[   37.073438]  kasan_save_alloc_info+0x40/0x54\n[   37.077736]  __kasan_kmalloc+0xa0/0xb8\n[   37.081515]  __kmalloc_noprof+0x158/0x2f8\n[   37.085563]  mtd_kmalloc_up_to+0x120/0x154\n[   37.089690]  mtdchar_write+0x130/0x47c\n[   37.093469]  vfs_write+0x1e4/0x8c8\n[   37.096901]  ksys_write+0xec/0x1d0\n[   37.100332]  __arm64_sys_write+0x6c/0x9c\n[   37.104287]  invoke_syscall+0x6c/0x258\n[   37.108064]  el0_svc_common.constprop.0+0x160/0x22c\n[   37.112972]  do_el0_svc+0x44/0x5c\n[   37.116319]  el0_svc+0x38/0x78\n[   37.119401]  el0t_64_sync_handler+0x13c/0x158\n[   37.123788]  el0t_64_sync+0x190/0x194\n[   37.127474]\n[   37.128977] The buggy address belongs to the object at ffff00081037c2a0\n[   37.128977]  which belongs to the cache kmalloc-8 of size 8\n[   37.141177] The buggy address is located 0 bytes inside of\n[   37.141177]  allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)\n[   37.153465]\n[   37.154971] The buggy address belongs to the physical page:\n[   37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c\n[   37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)\n[   37.175149] page_type: 0xfdffffff(slab)\n[   37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000\n[   37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000\n[   37.194553] page dumped because: kasan: bad access detected\n[   37.200144]\n[   37.201647] Memory state around the buggy address:\n[   37.206460]  ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc\n[   37.213701]  ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc\n[   37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc\n[   37.228186]                                ^\n[   37.232473]  ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   37.239718]  ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   37.246962] ==============================================================\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dpaa: Pad packets to ETH_ZLEN\n\nWhen sending packets under 60 bytes, up to three bytes of the buffer\nfollowing the data may be leaked. Avoid this by extending all packets to\nETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be\nreproduced by running\n\n\t$ ping -s 11 destination",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_socket: fix sk refcount leaks\n\nWe must put 'sk' reference before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83822: Fix NULL pointer dereference on DP83825 devices\n\nThe probe() function is only used for DP83822 and DP83826 PHY,\nleaving the private data pointer uninitialized for the DP83825 models\nwhich causes a NULL pointer dereference in the recently introduced/changed\nfunctions dp8382x_config_init() and dp83822_set_wol().\n\nAdd the dp8382x_probe() function, so all PHY models will have a valid\nprivate data pointer to fix this issue and also prevent similar issues\nin the future.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix bridge mode operations when there are no VFs\n\nCurrently, trying to set the bridge mode attribute when numvfs=0 leads to a\ncrash:\n\nbridge link set dev eth2 hwmode vepa\n\n[  168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[...]\n[  168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core]\n[...]\n[  168.976037] Call Trace:\n[  168.976188]  <TASK>\n[  168.978620]  _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core]\n[  168.979074]  mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core]\n[  168.979471]  rtnl_bridge_setlink+0xe9/0x1f0\n[  168.979714]  rtnetlink_rcv_msg+0x159/0x400\n[  168.980451]  netlink_rcv_skb+0x54/0x100\n[  168.980675]  netlink_unicast+0x241/0x360\n[  168.980918]  netlink_sendmsg+0x1f6/0x430\n[  168.981162]  ____sys_sendmsg+0x3bb/0x3f0\n[  168.982155]  ___sys_sendmsg+0x88/0xd0\n[  168.985036]  __sys_sendmsg+0x59/0xa0\n[  168.985477]  do_syscall_64+0x79/0x150\n[  168.987273]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  168.987773] RIP: 0033:0x7f8f7950f917\n\n(esw->fdb_table.legacy.vepa_fdb is null)\n\nThe bridge mode is only relevant when there are multiple functions per\nport. Therefore, prevent setting and getting this setting when there are no\nVFs.\n\nNote that after this change, there are no settings to change on the PF\ninterface using `bridge link` when there are no VFs, so the interface no\nlonger appears in the `bridge link` output.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: Fix uaf in __timer_delete_sync\n\nThere are two paths to access mptcp_pm_del_add_timer, resulting in a race\ncondition:\n\n     CPU1\t\t\t\tCPU2\n     ====                               ====\n     net_rx_action\n     napi_poll                          netlink_sendmsg\n     __napi_poll                        netlink_unicast\n     process_backlog                    netlink_unicast_kernel\n     __netif_receive_skb                genl_rcv\n     __netif_receive_skb_one_core       netlink_rcv_skb\n     NF_HOOK                            genl_rcv_msg\n     ip_local_deliver_finish            genl_family_rcv_msg\n     ip_protocol_deliver_rcu            genl_family_rcv_msg_doit\n     tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit\n     tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list\n     tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows\n     tcp_data_queue                     remove_anno_list_by_saddr\n     mptcp_incoming_options             mptcp_pm_del_add_timer\n     mptcp_pm_del_add_timer             kfree(entry)\n\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\n\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\n\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: panasonic-laptop: Fix SINF array out of bounds accesses\n\nThe panasonic laptop code in various places uses the SINF array with index\nvalues of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array\nis big enough.\n\nNot all panasonic laptops have this many SINF array entries, for example\nthe Toughbook CF-18 model only has 10 SINF array entries. So it only\nsupports the AC+DC brightness entries and mute.\n\nCheck that the SINF array has a minimum size which covers all AC+DC\nbrightness entries and refuse to load if the SINF array is smaller.\n\nFor higher SINF indexes hide the sysfs attributes when the SINF array\ndoes not contain an entry for that attribute, avoiding show()/store()\naccessing the array out of bounds and add bounds checking to the probe()\nand resume() code accessing these.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change\n\nWhen disabling wifi mt7921_ipv6_addr_change() is called as a notifier.\nAt this point mvif->phy is already NULL so we cannot use it here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: do not stop RX on failing RX callback\n\nRX callbacks can fail for multiple reasons:\n\n* Payload too short\n* Payload formatted incorrectly (e.g. bad NCM framing)\n* Lack of memory\n\nNone of these should cause the driver to seize up.\n\nMake such failures non-critical and continue processing further\nincoming URBs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item\n\nThere is no links_num in struct snd_soc_acpi_mach {}, and we test\n!link->num_adr as a condition to end the loop in hda_sdw_machine_select().\nSo an empty item in struct snd_soc_acpi_link_adr array is required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item\n\nThere is no links_num in struct snd_soc_acpi_mach {}, and we test\n!link->num_adr as a condition to end the loop in hda_sdw_machine_select().\nSo an empty item in struct snd_soc_acpi_link_adr array is required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: fix kexec crash due to VP assist page corruption\n\ncommit 9636be85cc5b (\"x86/hyperv: Fix hyperv_pcpu_input_arg handling when\nCPUs go online/offline\") introduces a new cpuhp state for hyperv\ninitialization.\n\ncpuhp_setup_state() returns the state number if state is\nCPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states.\nFor the hyperv case, since a new cpuhp state was introduced it would\nreturn 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call\nis conditioned upon \"hyperv_init_cpuhp > 0\". This will never be true and\nso hv_cpu_die() won't be called on all CPUs. This means the VP assist page\nwon't be reset. When the kexec kernel tries to setup the VP assist page\nagain, the hypervisor corrupts the memory region of the old VP assist page\ncausing a panic in case the kexec kernel is using that memory elsewhere.\nThis was originally fixed in commit dfe94d4086e4 (\"x86/hyperv: Fix kexec\npanic/hang issues\").\n\nGet rid of hyperv_init_cpuhp entirely since we are no longer using a\ndynamic cpuhp state and use CPUHP_AP_HYPERV_ONLINE directly with\ncpuhp_remove_state().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: fix initialization of grc\n\nThe grc must be initialized first. There can be a condition where if\nfou is NULL, goto out will be executed and grc would be used\nuninitialized.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.10.11"
        },
        {
          "id": "CVE-2024-46866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/client: add missing bo locking in show_meminfo()\n\nbo_meminfo() wants to inspect bo state like tt and the ttm resource,\nhowever this state can change at any point leading to stuff like NPD and\nUAF, if the bo lock is not held. Grab the bo lock when calling\nbo_meminfo(), ensuring we drop any spinlocks first. In the case of\nobject_idr we now also need to hold a ref.\n\nv2 (MattB)\n  - Also add xe_bo_assert_held()\n\n(cherry picked from commit 4f63d712fa104c3ebefcb289d1e733e86d8698c7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/client: fix deadlock in show_meminfo()\n\nThere is a real deadlock as well as sleeping in atomic() bug in here, if\nthe bo put happens to be the last ref, since bo destruction wants to\ngrab the same spinlock and sleeping locks.  Fix that by dropping the ref\nusing xe_bo_put_deferred(), and moving the final commit outside of the\nlock. Dropping the lock around the put is tricky since the bo can go\nout of scope and delete itself from the list, making it difficult to\nnavigate to the next list entry.\n\n(cherry picked from commit 0083b8e6f11d7662283a267d4ce7c966812ffd8a)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()\n\nIf the __qcuefi pointer is not set, then in the original code, we would\nhold onto the lock.  That means that if we tried to set it later, then\nit would cause a deadlock.  Drop the lock on the error path.  That's\nwhat all the callers are expecting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel_pcie: Allocate memory for driver private data\n\nFix driver not allocating memory for struct btintel_data which is used\nto store internal data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-46870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable DMCUB timeout for DCN35\n\n[Why]\nDMCUB can intermittently take longer than expected to process commands.\n\nOld ASIC policy was to continue while logging a diagnostic error - which\nworks fine for ASIC without IPS, but with IPS this could lead to a race\ncondition where we attempt to access DCN state while it's inaccessible,\nleading to a system hang when the NIU port is not disabled or register\naccesses that timeout and the display configuration in an undefined\nstate.\n\n[How]\nWe need to investigate why these accesses take longer than expected, but\nfor now we should disable the timeout on DCN35 to avoid this race\ncondition. Since the waits happen only at lower interrupt levels the\nrisk of taking too long at higher IRQ and causing a system watchdog\ntimeout are minimal.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX\n\n[Why & How]\nIt actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller\nnumber to create array dmub_callback & dmub_thread_offload has potential to access\nitem out of array bound. Fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-46896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: don't access invalid sched\n\nSince 2320c9e6a768 (\"drm/sched: memset() 'job' in drm_sched_job_init()\")\naccessing job->base.sched can produce unexpected results as the initialisation\nof (*job)->base.sched done in amdgpu_job_alloc is overwritten by the\nmemset.\n\nThis commit fixes an issue when a CS would fail validation and would\nbe rejected after job->num_ibs is incremented. In this case,\namdgpu_ib_free(ring->adev, ...) will be called, which would crash the\nmachine because the ring value is bogus.\n\nTo fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this\nbecause the device is actually not used in this function.\n\nThe next commit will remove the ring argument completely.\n\n(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-46896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.7"
        },
        {
          "id": "CVE-2024-47141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinmux: Use sequential access to access desc->pinmux data\n\nWhen two clients of the same gpio call pinctrl_select_state() for the\nsame functionality, we are seeing NULL pointer issue while accessing\ndesc->mux_owner.\n\nLet's say two processes A, B executing in pin_request() for the same pin\nand process A updates the desc->mux_usecount but not yet updated the\ndesc->mux_owner while process B sees the desc->mux_usecount which got\nupdated by A path and further executes strcmp and while accessing\ndesc->mux_owner it crashes with NULL pointer.\n\nSerialize the access to mux related setting with a mutex lock.\n\n\tcpu0 (process A)\t\t\tcpu1(process B)\n\npinctrl_select_state() {\t\t  pinctrl_select_state() {\n  pin_request() {\t\t\t\tpin_request() {\n  ...\n\t\t\t\t\t\t ....\n    } else {\n         desc->mux_usecount++;\n    \t\t\t\t\t\tdesc->mux_usecount && strcmp(desc->mux_owner, owner)) {\n\n         if (desc->mux_usecount > 1)\n               return 0;\n         desc->mux_owner = owner;\n\n  }\t\t\t\t\t\t}",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-47143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-debug: fix a possible deadlock on radix_lock\n\nradix_lock() shouldn't be held while holding dma_hash_entry[idx].lock\notherwise, there's a possible deadlock scenario when\ndma debug API is called holding rq_lock():\n\nCPU0                   CPU1                       CPU2\ndma_free_attrs()\ncheck_unmap()          add_dma_entry()            __schedule() //out\n                                                  (A) rq_lock()\nget_hash_bucket()\n(A) dma_entry_hash\n                                                  check_sync()\n                       (A) radix_lock()           (W) dma_entry_hash\ndma_entry_free()\n(W) radix_lock()\n                       // CPU2's one\n                       (W) rq_lock()\n\nCPU1 situation can happen when it is extending the radix tree and\nit tries to wake up kswapd via wake_all_kswapd().\n\nCPU2 situation can happen while perf_event_task_sched_out()\n(i.e. dma sync operation is called while deleting perf_event using\n etm and etr tmc which are Arm Coresight hwtracing driver backends).\n\nTo remove this possible situation, call dma_entry_free() after\nput_hash_bucket() in check_unmap().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-47408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check smcd_v2_ext_offset when receiving proposal msg\n\nWhen receiving proposal msg in server, the field smcd_v2_ext_offset in\nproposal msg is from the remote client and can not be fully trusted.\nOnce the value of smcd_v2_ext_offset exceeds the max value, there is\na chance to access a wrong address, and a crash may happen.\n\nThis patch checks the value of smcd_v2_ext_offset before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47408",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-47658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: stm32/cryp - call finalize with bh disabled\n\nThe finalize operation in interrupt mode produces a spinlock\nrecursion warning. The reason is the fact that BH must be disabled\nduring this process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: tcp: ipv4, fix incorrect labeling\n\nCurrently, Smack mirrors the label of incoming tcp/ipv4 connections:\nwhen a label 'foo' connects to a label 'bar' with tcp/ipv4,\n'foo' always gets 'foo' in returned ipv4 packets. So,\n1) returned packets are incorrectly labeled ('foo' instead of 'bar')\n2) 'bar' can write to 'foo' without being authorized to write.\n\nHere is a scenario how to see this:\n\n* Take two machines, let's call them C and S,\n   with active Smack in the default state\n   (no settings, no rules, no labeled hosts, only builtin labels)\n\n* At S, add Smack rule 'foo bar w'\n   (labels 'foo' and 'bar' are instantiated at S at this moment)\n\n* At S, at label 'bar', launch a program\n   that listens for incoming tcp/ipv4 connections\n\n* From C, at label 'foo', connect to the listener at S.\n   (label 'foo' is instantiated at C at this moment)\n   Connection succeeds and works.\n\n* Send some data in both directions.\n* Collect network traffic of this connection.\n\nAll packets in both directions are labeled with the CIPSO\nof the label 'foo'. Hence, label 'bar' writes to 'foo' without\nbeing authorized, and even without ever being known at C.\n\nIf anybody cares: exactly the same happens with DCCP.\n\nThis behavior 1st manifested in release 2.6.29.4 (see Fixes below)\nand it looks unintentional. At least, no explanation was provided.\n\nI changed returned packets label into the 'bar',\nto bring it into line with the Smack documentation claims.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: clear PARENT_WATCHED flags lazily\n\nIn some setups directories can have many (usually negative) dentries.\nHence __fsnotify_update_child_dentry_flags() function can take a\nsignificant amount of time. Since the bulk of this function happens\nunder inode->i_lock this causes a significant contention on the lock\nwhen we remove the watch from the directory as the\n__fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask()\nraces with __fsnotify_update_child_dentry_flags() calls from\n__fsnotify_parent() happening on children. This can lead up to softlockup\nreports reported by users.\n\nFix the problem by calling fsnotify_update_children_dentry_flags() to\nset PARENT_WATCHED flags only when parent starts watching children.\n\nWhen parent stops watching children, clear false positive PARENT_WATCHED\nflags lazily in __fsnotify_parent() for each accessed child.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid overflow from uint32_t to uint8_t\n\n[WHAT & HOW]\ndmub_rb_cmd's ramping_boundary has size of uint8_t and it is assigned\n0xFFFF. Fix it by changing it to uint8_t with value of 0xFF.\n\nThis fixes 2 INTEGER_OVERFLOW issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Remove register from DCN35 DMCUB diagnostic collection\n\n[Why]\nThese registers should not be read from driver and triggering the\nsecurity violation when DMCUB work times out and diagnostics are\ncollected blocks Z8 entry.\n\n[How]\nRemove the register read from DCN35.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: iio: frequency: ad9834: Validate frequency parameter value\n\nIn ad9834_write_frequency() clk_get_rate() can return 0. In such case\nad9834_calc_freqreg() call will lead to division by zero. Checking\n'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0.\nad9834_write_frequency() is called from ad9834_write(), where fout is\ntaken from text buffer, which can contain any value.\n\nModify parameters checking.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware\n\nIf the value of max_speed_hz is 0, it may cause a division by zero\nerror in hisi_calc_effective_speed().\nThe value of max_speed_hz is provided by firmware.\nFirmware is generally considered as a trusted domain. However, as\ndivision by zero errors can cause system failure, for defense measure,\nthe value of max_speed is validated here. So 0 is regarded as invalid\nand an error code is returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup\n\nDefinitely the condition dma_get_cache_alignment * defined value > 256\nduring driver initialization is not a reason to BUG_ON(). Turn that to\na graceful error out with -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Set phy->enable_completion only when we wait for it\n\npm8001_phy_control() populates the enable_completion pointer with a stack\naddress, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and\nreturns. The problem arises when a phy control response comes late.  After\n300 ms the pm8001_phy_control() function returns and the passed\nenable_completion stack address is no longer valid. Late phy control\nresponse invokes complete() on a dangling enable_completion pointer which\nleads to a kernel crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)\n\nErrata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0\n(SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an\ninbound PCIe TLP spans more than two internal AXI 128-byte bursts,\nthe bus may corrupt the packet payload and the corrupt data may\ncause associated applications or the processor to hang.\n\nThe workaround for Errata #i2037 is to limit the maximum read\nrequest size and maximum payload size to 128 bytes. Add workaround\nfor Errata #i2037 here.\n\nThe errata and workaround is applicable only to AM65x SR 1.0 and\nlater versions of the silicon will have this fixed.\n\n[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()\n\nIf we need to increase the tree depth, allocate a new node, and then\nrace with another thread that increased the tree depth before us, we'll\nstill have a preallocated node that might be used later.\n\nIf we then use that node for a new non-root node, it'll still have a\npointer to the old root instead of being zeroed - fix this by zeroing it\nin the cmpxchg failure path.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix state management in error path of log writing function\n\nAfter commit a694291a6211 (\"nilfs2: separate wait function from\nnilfs_segctor_write\") was applied, the log writing function\nnilfs_segctor_do_construct() was able to issue I/O requests continuously\neven if user data blocks were split into multiple logs across segments,\nbut two potential flaws were introduced in its error handling.\n\nFirst, if nilfs_segctor_begin_construction() fails while creating the\nsecond or subsequent logs, the log writing function returns without\ncalling nilfs_segctor_abort_construction(), so the writeback flag set on\npages/folios will remain uncleared.  This causes page cache operations to\nhang waiting for the writeback flag.  For example,\ntruncate_inode_pages_final(), which is called via nilfs_evict_inode() when\nan inode is evicted from memory, will hang.\n\nSecond, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. \nAs a result, if the next log write involves checkpoint creation, that's\nfine, but if a partial log write is performed that does not, inodes with\nNILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\"\nlist, and their data and b-tree blocks may not be written to the device,\ncorrupting the block mapping.\n\nFix these issues by uniformly calling nilfs_segctor_abort_construction()\non failure of each step in the loop in nilfs_segctor_do_construct(),\nhaving it clean up logs and segment usages according to progress, and\ncorrecting the conditions for calling nilfs_redirty_inodes() to ensure\nthat the NILFS_I_COLLECTED flag is cleared.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_xattr_find_entry()\n\nAdd a paranoia check to make sure it doesn't stray beyond valid memory\nregion containing ocfs2 xattr entries when scanning for a match.  It will\nprevent out-of-bound access in case of crafted images.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbtmc: prevent kernel-usb-infoleak\n\nThe syzbot reported a kernel-usb-infoleak in usbtmc_write,\nwe need to clear the structure before filling fields.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: pause TCM when the firmware is stopped\n\nNot doing so will make us send a host command to the transport while the\nfirmware is not alive, which will trigger a WARNING.\n\nbad state = 0\nWARNING: CPU: 2 PID: 17434 at drivers/net/wireless/intel/iwlwifi/iwl-trans.c:115 iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]\nRIP: 0010:iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]\nCall Trace:\n <TASK>\n iwl_mvm_send_cmd+0x40/0xc0 [iwlmvm]\n iwl_mvm_config_scan+0x198/0x260 [iwlmvm]\n iwl_mvm_recalc_tcm+0x730/0x11d0 [iwlmvm]\n iwl_mvm_tcm_work+0x1d/0x30 [iwlmvm]\n process_one_work+0x29e/0x640\n worker_thread+0x2df/0x690\n ? rescuer_thread+0x540/0x540\n kthread+0x192/0x1e0\n ? set_kthread_struct+0x90/0x90\n ret_from_fork+0x22/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid leaving partial pfn mappings around in error case\n\nAs Jann points out, PFN mappings are special, because unlike normal\nmemory mappings, there is no lifetime information associated with the\nmapping - it is just a raw mapping of PFNs with no reference counting of\na 'struct page'.\n\nThat's all very much intentional, but it does mean that it's easy to\nmess up the cleanup in case of errors.  Yes, a failed mmap() will always\neventually clean up any partial mappings, but without any explicit\nlifetime in the page table mapping itself, it's very easy to do the\nerror handling in the wrong order.\n\nIn particular, it's easy to mistakenly free the physical backing store\nbefore the page tables are actually cleaned up and (temporarily) have\nstale dangling PTE entries.\n\nTo make this situation less error-prone, just make sure that any partial\npfn mapping is torn down early, before any other error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix use-after-free in bpf_uprobe_multi_link_attach()\n\nIf bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the\nerror_free label and frees the array of bpf_uprobe's without calling\nbpf_uprobe_unregister().\n\nThis leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer\nwithout removing it from the uprobe->consumers list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb.c: fix UAF of vma in hugetlb fault pathway\n\nSyzbot reports a UAF in hugetlb_fault().  This happens because\nvmf_anon_prepare() could drop the per-VMA lock and allow the current VMA\nto be freed before hugetlb_vma_unlock_read() is called.\n\nWe can fix this by using a modified version of vmf_anon_prepare() that\ndoesn't release the VMA lock on failure, and then release it ourselves\nafter hugetlb_vma_unlock_read().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: resolve memory leak from exfat_create_upcase_table()\n\nIf exfat_load_upcase_table reaches end and returns -EINVAL,\nallocated memory doesn't get freed and while\nexfat_load_default_upcase_table allocates more memory, leading to a\nmemory leak.\n\nHere's link to syzkaller crash report illustrating this issue:\nhttps://syzkaller.appspot.com/text?tag=CrashReport&x=1406c201980000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n   But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n   This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0:                              cpu1:\niput() // i_count is 1\n  ->spin_lock(inode)\n  ->dec i_count to 0\n  ->iput_final()                    generic_shutdown_super()\n    ->__inode_add_lru()               ->evict_inodes()\n      // cause some reason[2]           ->if (atomic_read(inode->i_count)) continue;\n      // return before                  // inode 261 passed the above check\n      // list_lru_add_obj()             // and then schedule out\n   ->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n  // after some function calls\n  ->find_inode()\n    // found the above inode 261\n    ->spin_lock(inode)\n   // check I_FREEING|I_WILL_FREE\n   // and passed\n      ->__iget()\n    ->spin_unlock(inode)                // schedule back\n                                        ->spin_lock(inode)\n                                        // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n                                        // passed and set I_FREEING\niput()                                  ->spin_unlock(inode)\n  ->spin_lock(inode)\t\t\t  ->evict()\n  // dec i_count to 0\n  ->iput_final()\n    ->spin_unlock()\n    ->evict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be 
reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check discard support for conventional zones\n\nAs the helper function f2fs_bdev_support_discard() shows, f2fs checks if\nthe target block devices support discard by calling\nbdev_max_discard_sectors() and bdev_is_zoned(). This check works well\nfor most cases, but it does not work for conventional zones on zoned\nblock devices. F2fs assumes that zoned block devices support discard,\nand calls __submit_discard_cmd(). When __submit_discard_cmd() is called\nfor sequential write required zones, it works fine since\n__submit_discard_cmd() issues zone reset commands instead of discard\ncommands. However, when __submit_discard_cmd() is called for\nconventional zones, __blkdev_issue_discard() is called even when the\ndevices do not support discard.\n\nThe inappropriate __blkdev_issue_discard() call was not a problem before\nthe commit 30f1e7241422 (\"block: move discard checks into the ioctl\nhandler\") because __blkdev_issue_discard() checked if the target devices\nsupport discard or not. If not, it returned EOPNOTSUPP. After the\ncommit, __blkdev_issue_discard() no longer checks it. It always returns\nzero and sets NULL to the given bio pointer. This NULL pointer triggers\nf2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the\ncommands below at the umount step, where /dev/nullb0 is a zoned null_blk\nwith 5GB total size, 128MB zone size and 10 conventional zones.\n\n$ mkfs.f2fs -f -m /dev/nullb0\n$ mount /dev/nullb0 /mnt\n$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done\n$ umount /mnt\n\nTo fix the BUG, avoid the inappropriate __blkdev_issue_discard() call.\nWhen discard is requested for conventional zones, check if the device\nsupports discard or not. If not, return EOPNOTSUPP.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he\n\nFix the NULL pointer dereference in mt7996_mcu_sta_bfer_he\nroutine adding an sta interface to the mt7996 driver.\n\nFound by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: Fix off-by-one error in sd_read_block_characteristics()\n\nFf the device returns page 0xb1 with length 8 (happens with qemu v2.x, for\nexample), sd_read_block_characteristics() may attempt an out-of-bounds\nmemory access when accessing the zoned field at offset 8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP NOPTI\n    CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n    Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n    RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n    Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n    RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n    RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n    RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n    RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n    R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n    R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n    FS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n    Call Trace:\n<TASK>\n     ? __die+0x23/0x70\n     ? page_fault_oops+0x171/0x4e0\n     ? plist_add+0xbe/0x100\n     ? exc_page_fault+0x7c/0x180\n     ? asm_exc_page_fault+0x26/0x30\n     ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n     ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n     compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n     ? 
fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n     compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n     amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n     drm_atomic_check_only+0x5c5/0xa40\n     drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-47684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: check skb is non-NULL in tcp_rto_delta_us()\n\nWe have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic\nkernel that are running ceph and recently hit a null ptr dereference in\ntcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also\nsaw it getting hit from the RACK case as well. Here are examples of the oops\nmessages we saw in each of those cases:\n\nJul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020\nJul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode\nJul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page\nJul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0\nJul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI\nJul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu\nJul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023\nJul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3\nJul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246\nJul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000\nJul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60\nJul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8\nJul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900\nJul 26 15:05:02 rx [11061395.884710] R13: 
ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30\nJul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000\nJul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nJul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0\nJul 26 15:05:02 rx [11061395.913822] PKRU: 55555554\nJul 26 15:05:02 rx [11061395.916786] Call Trace:\nJul 26 15:05:02 rx [11061395.919488]\nJul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f\nJul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9\nJul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380\nJul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0\nJul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50\nJul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0\nJul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20\nJul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450\nJul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140\nJul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90\nJul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0\nJul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40\nJul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220\nJul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240\nJul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0\nJul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240\nJul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130\nJul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280\nJul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10\nJul 26 15:05:02 rx [11061396.012841] ? 
native_x2apic_icr_write+0x30/0x30\nJul 26 15:05:02 rx [11061396.017718] ? lapic_next_even\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()\n\nsyzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending\ngarbage on the four reserved tcp bits (th->res1)\n\nUse skb_put_zero() to clear the whole TCP header,\nas done in nf_reject_ip_tcphdr_put()\n\nBUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n  nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n  nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\n  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775\n  process_backlog+0x4ad/0xa50 net/core/dev.c:6108\n  __napi_poll+0xe7/0x980 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963\n  handle_softirqs+0x1ce/0x800 kernel/softirq.c:554\n  __do_softirq+0x14/0x1a kernel/softirq.c:588\n  do_softirq+0x9a/0x100 kernel/softirq.c:455\n  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]\n  __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450\n  dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n  neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565\n  neigh_output include/net/neighbour.h:542 
[inline]\n  ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141\n  __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n  ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226\n  NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n  ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247\n  dst_output include/net/dst.h:450 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366\n  inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135\n  __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466\n  tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\n  tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143\n  tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333\n  __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679\n  inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750\n  __sys_connect_file net/socket.c:2061 [inline]\n  __sys_connect+0x606/0x690 net/socket.c:2078\n  __do_sys_connect net/socket.c:2088 [inline]\n  __se_sys_connect net/socket.c:2085 [inline]\n  __x64_sys_connect+0x91/0xe0 net/socket.c:2085\n  x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n  nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249\n  nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\n  nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK include/linux/netfilter.h:312 
[inline]\n  ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()\n\nThe psc->div[] array has psc->num_div elements.  These values come from\nwhen we call clk_hw_register_div().  It's adc_divisors and\nARRAY_SIZE(adc_divisors)) and so on.  So this condition needs to be >=\ninstead of > to prevent an out of bounds read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix invalid mr resource destroy\n\nCertain error paths from mlx5_vdpa_dev_add() can end up releasing mr\nresources which never got initialized in the first place.\n\nThis patch adds the missing check in mlx5_vdpa_destroy_mr_resources()\nto block releasing non-initialized mr resources.\n\nReference trace:\n\n  mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 140216067 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]\n  Code: [...]\n  RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246\n  RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000\n  RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670\n  R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000\n  R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea\n  FS:  00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]\n   ? __die_body.cold+0x8/0xd\n   ? page_fault_oops+0x134/0x170\n   ? __irq_work_queue_local+0x2b/0xc0\n   ? 
irq_work_queue+0x2c/0x50\n   ? exc_page_fault+0x62/0x150\n   ? asm_exc_page_fault+0x22/0x30\n   ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]\n   ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]\n   mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]\n   vdpa_release_dev+0x1e/0x50 [vdpa]\n   device_release+0x31/0x90\n   kobject_cleanup+0x37/0x130\n   mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]\n   vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]\n   genl_family_rcv_msg_doit+0xd9/0x130\n   genl_family_rcv_msg+0x14d/0x220\n   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n   ? _copy_to_user+0x1a/0x30\n   ? move_addr_to_user+0x4b/0xe0\n   genl_rcv_msg+0x47/0xa0\n   ? __import_iovec+0x46/0x150\n   ? __pfx_genl_rcv_msg+0x10/0x10\n   netlink_rcv_skb+0x54/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x245/0x370\n   netlink_sendmsg+0x206/0x440\n   __sys_sendto+0x1dc/0x1f0\n   ? do_read_fault+0x10c/0x1d0\n   ? do_pte_missing+0x10d/0x190\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x5c/0xf0\n   ? __count_memcg_events+0x4f/0xb0\n   ? mm_account_fault+0x6c/0x100\n   ? handle_mm_fault+0x116/0x270\n   ? do_user_addr_fault+0x1d6/0x6a0\n   ? do_syscall_64+0x6b/0xf0\n   ? clear_bhb_loop+0x25/0x80\n   ? clear_bhb_loop+0x25/0x80\n   ? clear_bhb_loop+0x25/0x80\n   ? clear_bhb_loop+0x25/0x80\n   ? clear_bhb_loop+0x25/0x80\n   entry_SYSCALL_64_after_hwframe+0x78/0x80",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix a potential null-ptr-deref in module_add_driver()\n\nInject fault while probing of-fpga-region, if kasprintf() fails in\nmodule_add_driver(), the second sysfs_remove_link() in exit path will cause\nnull-ptr-deref as below because kernfs_name_hash() will call strlen() with\nNULL driver_name.\n\nFix it by releasing resources based on the exit path sequence.\n\n\t KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t Mem abort info:\n\t   ESR = 0x0000000096000005\n\t   EC = 0x25: DABT (current EL), IL = 32 bits\n\t   SET = 0, FnV = 0\n\t   EA = 0, S1PTW = 0\n\t   FSC = 0x05: level 1 translation fault\n\t Data abort info:\n\t   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n\t   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t [dfffffc000000000] address between user and kernel address ranges\n\t Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\t Dumping ftrace buffer:\n\t    (ftrace buffer empty)\n\t Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]\n\t CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295\n\t Hardware name: linux,dummy-virt (DT)\n\t pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\t pc : strlen+0x24/0xb0\n\t lr : kernfs_name_hash+0x1c/0xc4\n\t sp : ffffffc081f97380\n\t x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0\n\t x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000\n\t x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n\t x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840\n\t x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42\n\t x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d\n\t x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : 
dfffffc000000000\n\t x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001\n\t x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000\n\t x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000\n\t Call trace:\n\t  strlen+0x24/0xb0\n\t  kernfs_name_hash+0x1c/0xc4\n\t  kernfs_find_ns+0x118/0x2e8\n\t  kernfs_remove_by_name_ns+0x80/0x100\n\t  sysfs_remove_link+0x74/0xa8\n\t  module_add_driver+0x278/0x394\n\t  bus_add_driver+0x1f0/0x43c\n\t  driver_register+0xf4/0x3c0\n\t  __platform_driver_register+0x60/0x88\n\t  of_fpga_region_init+0x20/0x1000 [of_fpga_region]\n\t  do_one_initcall+0x110/0x788\n\t  do_init_module+0x1dc/0x5c8\n\t  load_module+0x3c38/0x4cac\n\t  init_module_from_file+0xd4/0x128\n\t  idempotent_init_module+0x2cc/0x528\n\t  __arm64_sys_finit_module+0xac/0x100\n\t  invoke_syscall+0x6c/0x258\n\t  el0_svc_common.constprop.0+0x160/0x22c\n\t  do_el0_svc+0x44/0x5c\n\t  el0_svc+0x48/0xb8\n\t  el0t_64_sync_handler+0x13c/0x158\n\t  el0t_64_sync+0x190/0x194\n\t Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)\n\t ---[ end trace 0000000000000000 ]---\n\t Kernel panic - not syncing: Oops: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177\nCPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0\nWorkqueue: events destroy_super_work\nRIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177\nCall Trace:\n percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42\n destroy_super_work+0xec/0x130 fs/super.c:282\n process_one_work kernel/workqueue.c:3231 [inline]\n process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n worker_thread+0x86d/0xd40 kernel/workqueue.c:3390\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nAs Christian Brauner pointed out [1]: the root cause is f2fs sets\nSB_RDONLY flag in internal function, rather than setting the flag\ncovered w/ sb->s_umount semaphore via remount procedure, then below\nrace condition causes this bug:\n\n- freeze_super()\n - sb_wait_write(sb, SB_FREEZE_WRITE)\n - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)\n - sb_wait_write(sb, SB_FREEZE_FS)\n\t\t\t\t\t- f2fs_handle_critical_error\n\t\t\t\t\t - sb->s_flags |= SB_RDONLY\n- thaw_super\n - thaw_super_locked\n  - sb_rdonly() is true, so it skips\n    sb_freeze_unlock(sb, SB_FREEZE_FS)\n  - deactivate_locked_super\n\nSince f2fs has almost the same logic as ext4 [2] when handling critical\nerror in filesystem if it mounts w/ errors=remount-ro option:\n- set CP_ERROR_FLAG flag which indicates filesystem is stopped\n- record errors to superblock\n- set SB_RDONLY falg\nOnce we set CP_ERROR_FLAG flag, all writable interfaces can detect the\nflag and stop any further updates on filesystem. 
So, it is safe to not\nset SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].\n\n[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner\n[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3\n[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: get rid of online repaire on corrupted directory\n\nsyzbot reports a f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:896!\nRIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896\nCall Trace:\n evict+0x532/0x950 fs/inode.c:704\n dispose_list fs/inode.c:747 [inline]\n evict_inodes+0x5f9/0x690 fs/inode.c:797\n generic_shutdown_super+0x9d/0x2d0 fs/super.c:627\n kill_block_super+0x44/0x90 fs/super.c:1696\n kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898\n deactivate_locked_super+0xc4/0x130 fs/super.c:473\n cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373\n task_work_run+0x24f/0x310 kernel/task_work.c:228\n ptrace_notify+0x2d2/0x380 kernel/signal.c:2402\n ptrace_report_syscall include/linux/ptrace.h:415 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]\n syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]\n syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218\n do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896\n\nOnline repaire on corrupted directory in f2fs_lookup() can generate\ndirty data/meta while racing w/ readonly remount, it may leave dirty\ninode after filesystem becomes readonly, however, checkpoint() will\nskips flushing dirty inode in a state of readonly mode, result in\nabove panic.\n\nLet's get rid of online repaire in f2fs_lookup(), and leave the work\nto fsck.f2fs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()\n\nsyzbot reports a f2fs bug as below:\n\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_report+0xe8/0x550 mm/kasan/report.c:491\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]\n __refcount_add include/linux/refcount.h:184 [inline]\n __refcount_inc include/linux/refcount.h:241 [inline]\n refcount_inc include/linux/refcount.h:258 [inline]\n get_task_struct include/linux/sched/task.h:118 [inline]\n kthread_stop+0xca/0x630 kernel/kthread.c:704\n f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210\n f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283\n f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]\n __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is below race condition, it may cause use-after-free\nissue in sbi->gc_th pointer.\n\n- remount\n - f2fs_remount\n  - f2fs_stop_gc_thread\n   - kfree(gc_th)\n\t\t\t\t- f2fs_ioc_shutdown\n\t\t\t\t - f2fs_do_shutdown\n\t\t\t\t  - f2fs_stop_gc_thread\n\t\t\t\t   - kthread_stop(gc_th->f2fs_gc_task)\n   : sbi->gc_thread = NULL;\n\nWe will call f2fs_do_shutdown() in two paths:\n- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore\nfor fixing.\n- for f2fs_shutdown() path, it's safe since caller has already grabbed\nsb->s_umount semaphore.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: return -EINVAL when namelen is 0\n\nWhen we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may\nresult in namelen being 0, which will cause memdup_user() to return\nZERO_SIZE_PTR.\nWhen we access the name.data that has been assigned the value of\nZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is\ntriggered.\n\n[ T1205] ==================================================================\n[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260\n[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205\n[ T1205]\n[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406\n[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014\n[ T1205] Call Trace:\n[ T1205]  dump_stack+0x9a/0xd0\n[ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260\n[ T1205]  __kasan_report.cold+0x34/0x84\n[ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260\n[ T1205]  kasan_report+0x3a/0x50\n[ T1205]  nfs4_client_to_reclaim+0xe9/0x260\n[ T1205]  ? nfsd4_release_lockowner+0x410/0x410\n[ T1205]  cld_pipe_downcall+0x5ca/0x760\n[ T1205]  ? nfsd4_cld_tracking_exit+0x1d0/0x1d0\n[ T1205]  ? down_write_killable_nested+0x170/0x170\n[ T1205]  ? avc_policy_seqno+0x28/0x40\n[ T1205]  ? selinux_file_permission+0x1b4/0x1e0\n[ T1205]  rpc_pipe_write+0x84/0xb0\n[ T1205]  vfs_write+0x143/0x520\n[ T1205]  ksys_write+0xc9/0x170\n[ T1205]  ? __ia32_sys_read+0x50/0x50\n[ T1205]  ? ktime_get_coarse_real_ts64+0xfe/0x110\n[ T1205]  ? 
ktime_get_coarse_real_ts64+0xa2/0x110\n[ T1205]  do_syscall_64+0x33/0x40\n[ T1205]  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n[ T1205] RIP: 0033:0x7fdbdb761bc7\n[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514\n[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7\n[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008\n[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001\n[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b\n[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000\n[ T1205] ==================================================================\n\nFix it by checking namelen.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix ib_cache_setup_one error flow cleanup\n\nWhen ib_cache_update return an error, we exit ib_cache_setup_one\ninstantly with no proper cleanup, even though before this we had\nalready successfully done gid_table_setup_one, that results in\nthe kernel WARN below.\n\nDo proper cleanup using gid_table_cleanup_one before returning\nthe err in order to fix the issue.\n\nWARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0\nModules linked in:\nCPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:gid_table_release_one+0x181/0x1a0\nCode: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8    3 c4 10 5b 5d 41 5c 41 5d 41\nRSP: 0018:ffffc90002b835b0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527\nRDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001\nRBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631\nR10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001\nR13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001\nFS:  00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? show_regs+0x94/0xa0\n ? __warn+0x9e/0x1c0\n ? gid_table_release_one+0x181/0x1a0\n ? report_bug+0x1f9/0x340\n ? gid_table_release_one+0x181/0x1a0\n ? handle_bug+0xa2/0x110\n ? exc_invalid_op+0x31/0xa0\n ? asm_exc_invalid_op+0x16/0x20\n ? 
__warn_printk+0xc7/0x180\n ? __warn_printk+0xd4/0x180\n ? gid_table_release_one+0x181/0x1a0\n ib_device_release+0x71/0xe0\n ? __pfx_ib_device_release+0x10/0x10\n device_release+0x44/0xd0\n kobject_put+0x135/0x3d0\n put_device+0x20/0x30\n rxe_net_add+0x7d/0xa0\n rxe_newlink+0xd7/0x190\n nldev_newlink+0x1b0/0x2a0\n ? __pfx_nldev_newlink+0x10/0x10\n rdma_nl_rcv_msg+0x1ad/0x2e0\n rdma_nl_rcv_skb.constprop.0+0x176/0x210\n netlink_unicast+0x2de/0x400\n netlink_sendmsg+0x306/0x660\n __sock_sendmsg+0x110/0x120\n ____sys_sendmsg+0x30e/0x390\n ___sys_sendmsg+0x9b/0xf0\n ? kstrtouint+0x6e/0xa0\n ? kstrtouint_from_user+0x7c/0xb0\n ? get_pid_task+0xb0/0xd0\n ? proc_fail_nth_write+0x5b/0x140\n ? __fget_light+0x9a/0x200\n ? preempt_count_add+0x47/0xa0\n __sys_sendmsg+0x61/0xd0\n do_syscall_64+0x50/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix UMR pd cleanup on error flow of driver init\n\nThe cited commit moves the pd allocation from function\nmlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup().\nSo the fix in commit [1] is broken. In error flow, will hit panic [2].\n\nFix it by checking pd pointer to avoid panic if it is NULL;\n\n[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init\n[2]\n [  347.567063] infiniband mlx5_0: Couldn't register device with driver model\n [  347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020\n [  347.593438] #PF: supervisor read access in kernel mode\n [  347.595176] #PF: error_code(0x0000) - not-present page\n [  347.596962] PGD 0 P4D 0\n [  347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]\n [  347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282\n [  347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000\n [  347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000\n [  347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0\n [  347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000\n [  347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001\n [  347.609067] FS:  00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\n [  347.610094] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [  347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0\n [  347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [  347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [  347.612804] Call Trace:\n [  347.613130]  <TASK>\n [  347.613417]  ? __die+0x20/0x60\n [  347.613793]  ? page_fault_oops+0x150/0x3e0\n [  347.614243]  ? free_msg+0x68/0x80 [mlx5_core]\n [  347.614840]  ? 
cmd_exec+0x48f/0x11d0 [mlx5_core]\n [  347.615359]  ? exc_page_fault+0x74/0x130\n [  347.615808]  ? asm_exc_page_fault+0x22/0x30\n [  347.616273]  ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]\n [  347.616801]  mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]\n [  347.617365]  mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]\n [  347.618025]  __mlx5_ib_add+0x96/0xd0 [mlx5_ib]\n [  347.618539]  mlx5r_probe+0xe9/0x310 [mlx5_ib]\n [  347.619032]  ? kernfs_add_one+0x107/0x150\n [  347.619478]  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n [  347.619984]  auxiliary_bus_probe+0x3e/0x90\n [  347.620448]  really_probe+0xc5/0x3a0\n [  347.620857]  __driver_probe_device+0x80/0x160\n [  347.621325]  driver_probe_device+0x1e/0x90\n [  347.621770]  __driver_attach+0xec/0x1c0\n [  347.622213]  ? __device_attach_driver+0x100/0x100\n [  347.622724]  bus_for_each_dev+0x71/0xc0\n [  347.623151]  bus_add_driver+0xed/0x240\n [  347.623570]  driver_register+0x58/0x100\n [  347.623998]  __auxiliary_driver_register+0x6a/0xc0\n [  347.624499]  ? driver_register+0xae/0x100\n [  347.624940]  ? 0xffffffffa0893000\n [  347.625329]  mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]\n [  347.625845]  do_one_initcall+0x4a/0x2a0\n [  347.626273]  ? gcov_event+0x2e2/0x3a0\n [  347.626706]  do_init_module+0x8a/0x260\n [  347.627126]  init_module_from_file+0x8b/0xd0\n [  347.627596]  __x64_sys_finit_module+0x1ca/0x2f0\n [  347.628089]  do_syscall_64+0x4c/0x100",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds\n\nIn the function init_conns(), after the create_con() and create_cm() for\nloop if something fails. In the cleanup for loop after the destroy tag, we\naccess out of bound memory because cid is set to clt_path->s.con_num.\n\nThis commits resets the cid to clt_path->s.con_num - 1, to stay in bounds\nin the cleanup loop later.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency\n\nIn the commit aee2424246f9 (\"RDMA/iwcm: Fix a use-after-free related to\ndestroying CM IDs\"), the function flush_workqueue is invoked to flush the\nwork queue iwcm_wq.\n\nBut at that time, the work queue iwcm_wq was created via the function\nalloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.\n\nBecause the current process is trying to flush the whole iwcm_wq, if\niwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current\nprocess is not reclaiming memory or running on a workqueue which doesn't\nhave the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee\nleading to a deadlock.\n\nThe call trace is as below:\n\n[  125.350876][ T1430] Call Trace:\n[  125.356281][ T1430]  <TASK>\n[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)\n[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)\n[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)\n[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)\n[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)\n[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm\n[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)\n[ 125.473900][ T1430] ? 
_raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)\n[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)\n[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm\n[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma\n[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma\n[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)\n[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)\n[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)\n[ 125.531837][ T1430] kthread (kernel/kthread.c:389)\n[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)\n[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)\n[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)\n[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n[  125.566487][ T1430]  </TASK>\n[  125.566488][ T1430] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error\n\nEnsure index in rtl2830_pid_filter does not exceed 31 to prevent\nout-of-bounds access.\n\ndev->filters is a 32-bit value, so set_bit and clear_bit functions should\nonly operate on indices from 0 to 31. If index is 32, it will attempt to\naccess a non-existent 33rd bit, leading to out-of-bounds access.\nChange the boundary check from index > 32 to index >= 32 to resolve this\nissue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error\n\nEnsure index in rtl2832_pid_filter does not exceed 31 to prevent\nout-of-bounds access.\n\ndev->filters is a 32-bit value, so set_bit and clear_bit functions should\nonly operate on indices from 0 to 31. If index is 32, it will attempt to\naccess a non-existent 33rd bit, leading to out-of-bounds access.\nChange the boundary check from index > 32 to index >= 32 to resolve this\nissue.\n\n[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential null-ptr-deref in nilfs_btree_insert()\n\nPatch series \"nilfs2: fix potential issues with empty b-tree nodes\".\n\nThis series addresses three potential issues with empty b-tree nodes that\ncan occur with corrupted filesystem images, including one recently\ndiscovered by syzbot.\n\n\nThis patch (of 3):\n\nIf a b-tree is broken on the device, and the b-tree height is greater than\n2 (the level of the root node is greater than 1) even if the number of\nchild nodes of the b-tree root is 0, a NULL pointer dereference occurs in\nnilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().\n\nThis is because, when the number of child nodes of the b-tree root is 0,\nnilfs_btree_do_lookup() does not set the block buffer head in any of\npath[x].bp_bh, leaving it as the initial value of NULL, but if the level\nof the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),\nwhich accesses the buffer memory of path[x].bp_bh, is called.\n\nFix this issue by adding a check to nilfs_btree_root_broken(), which\nperforms sanity checks when reading the root node from the device, to\ndetect this inconsistency.\n\nThanks to Lizhi Xu for trying to solve the bug and clarifying the cause\nearly on.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check stripe size compatibility on remount as well\n\nWe disable stripe size in __ext4_fill_super if it is not a multiple of\nthe cluster ratio however this check is missed when trying to remount.\nThis can leave us with cases where stripe < cluster_ratio after\nremount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some\nunforeseen bugs like divide by 0.\n\nFix that by adding the check in remount path as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid OOB when system.data xattr changes underneath the filesystem\n\nWhen looking up for an entry in an inlined directory, if e_value_offs is\nchanged underneath the filesystem by some change in the block device, it\nwill lead to an out-of-bounds access that KASAN detects as an UAF.\n\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.\nloop0: detected capacity change from 2048 to 2047\n==================================================================\nBUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500\nRead of size 1 at addr ffff88803e91130f by task syz-executor269/5103\n\nCPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500\n ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697\n __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573\n ext4_lookup_entry fs/ext4/namei.c:1727 [inline]\n ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795\n lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633\n filename_create+0x297/0x540 fs/namei.c:3980\n do_symlinkat+0xf9/0x3a0 fs/namei.c:4587\n __do_sys_symlinkat fs/namei.c:4610 [inline]\n __se_sys_symlinkat fs/namei.c:4607 [inline]\n __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f3e73ced469\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a\nRAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469\nRDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0\nRBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290\nR10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c\nR13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0\n </TASK>\n\nCalling ext4_xattr_ibody_find right after reading the inode with\next4_get_inode_loc will lead to a check of the validity of the xattrs,\navoiding this problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n  commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n        r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\n        r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto +1\n        ...\nNote that __sk_buff->data load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n        r2 = *(u64 *)(r1 +208)\n        r2 = (s32)r2\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n        ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n        void *data = (void *)(long)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nand it will generate\n        r2 = *(u64 *)(r1 +208)\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n\nIf we allow sign-extension,\n        void *data = (void *)(long)(int)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nthe generated code looks like\n        r2 = *(u64 *)(r1 +208)\n        r2 <<= 32\n        r2 s>>= 32\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\nand this will cause verification failure since \"r2 <<= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n  r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extenstion, the verification will fail.\n\n  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lsm: Add check for BPF LSM return value\n\nA bpf prog returning a positive number attached to file_alloc_security\nhook makes kernel panic.\n\nThis happens because file system can not filter out the positive number\nreturned by the LSM prog using IS_ERR, and misinterprets this positive\nnumber as a file pointer.\n\nGiven that hook file_alloc_security never returned positive number\nbefore the introduction of BPF LSM, and other BPF LSM hooks may\nencounter similar issues, this patch adds LSM return value check\nin verifier, to ensure no unexpected value is returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check link_res->hpo_dp_link_enc before using it\n\n[WHAT & HOW]\nFunctions dp_enable_link_phy and dp_disable_link_phy can pass link_res\nwithout initializing hpo_dp_link_enc and it is necessary to check for\nnull before dereferencing.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix potential invalid pointer dereference in blk_add_partition\n\nThe blk_add_partition() function initially used a single if-condition\n(IS_ERR(part)) to check for errors when adding a partition. This was\nmodified to handle the specific case of -ENXIO separately, allowing the\nfunction to proceed without logging the error in this case. However,\nthis change unintentionally left a path where md_autodetect_dev()\ncould be called without confirming that part is a valid pointer.\n\nThis commit separates the error handling logic by splitting the\ninitial if-condition, improving code readability and handling specific\nerror scenarios explicitly. The function now distinguishes the general\nerror case from -ENXIO without altering the existing behavior of\nmd_autodetect_dev() calls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |  \u039b            |  \u039b\t\t  |  \u039b\n\t\t  |  |            |  |\t\t  |  |\n\t\t  V  |            V  |\t\t  V  |\n\t\t  bfqq1           bfqq2\t\t  bfqq3\nprocess ref:\t   1\t\t    1\t\t    1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |               |\t\t  |  \u039b\n\t\t  \\--------------\\|\t\t  |  |\n\t\t                  V\t\t  V  |\n\t\t  bfqq1--------->bfqq2\t\t  bfqq3\nprocess ref:\t   0\t\t    2\t\t    1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t here -> \u039b                |\t\t  |\n\t\t  \\--------------\\ \\-------------\\|\n\t\t                  V\t\t  V\n\t\t  bfqq1--------->bfqq2---------->bfqq3\nprocess ref:\t   0\t\t    1\t\t    3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -> get bfqq2 from BIC1\n bfqq->ref++\n rq->elv.priv[0] = bic\n rq->elv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n  bfqq->bic = bic\n  -> record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -> get bfqq3 from bfqq2->new_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq->ref++\n   rq->elv.priv[1] = new_bfqq\n   -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n </TASK>\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()\n\nBlamed commit accidentally removed a check for rt->rt6i_idev being NULL,\nas spotted by syzbot:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\n RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]\n RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914\nCode: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06\nRSP: 0018:ffffc900047374e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0\nRBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c\nR10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18\nR13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930\nFS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856\n addrconf_notify+0x3cb/0x1020\n  notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93\n  call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]\n  call_netdevice_notifiers net/core/dev.c:2046 [inline]\n  unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352\n  unregister_netdevice_many net/core/dev.c:11414 [inline]\n  unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289\n  unregister_netdevice include/linux/netdevice.h:3129 [inline]\n  __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685\n  tun_detach drivers/net/tun.c:701 [inline]\n  tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510\n  __fput+0x24a/0x8a0 fs/file_table.c:422\n  task_work_run+0x24f/0x310 kernel/task_work.c:228\n  exit_task_work include/linux/task_work.h:40 [inline]\n  do_exit+0xa2f/0x27f0 kernel/exit.c:882\n  do_group_exit+0x207/0x2c0 kernel/exit.c:1031\n  __do_sys_exit_group kernel/exit.c:1042 [inline]\n  __se_sys_exit_group kernel/exit.c:1040 [inline]\n  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040\n  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f1acc77def9\nCode: Unable to access opcode bytes at 0x7f1acc77decf.\nRSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043\nRBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\n RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]\n RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914\nCode: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06\nRSP: 0018:ffffc900047374e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0\nR\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetkit: Assign missing bpf_net_context\n\nDuring the introduction of struct bpf_net_context handling for\nXDP-redirect, the netkit driver has been missed, which also requires it\nbecause NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the\nper-CPU variables. Otherwise we see the following crash:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000038\n\tbpf_redirect()\n\tnetkit_xmit()\n\tdev_hard_start_xmit()\n\nSet the bpf_net_context before invoking netkit_xmit() program within the\nnetkit driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Clear bo->bcm_proc_read after remove_proc_entry().\n\nsyzbot reported a warning in bcm_release(). [0]\n\nThe blamed change fixed another warning that is triggered when\nconnect() is issued again for a socket whose connect()ed device has\nbeen unregistered.\n\nHowever, if the socket is just close()d without the 2nd connect(), the\nremaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()\nin bcm_release().\n\nLet's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().\n\n[0]\nname '4986'\nWARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711\nCode: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07\nRSP: 0018:ffffc9000345fa20 EFLAGS: 00010246\nRAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a\nR10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640\nR13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000\nFS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n bcm_release+0x250/0x880 net/can/bcm.c:1578\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbc/0x240 net/socket.c:1421\n __fput+0x24a/0x8a0 fs/file_table.c:422\n task_work_run+0x24f/0x310 kernel/task_work.c:228\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0xa2f/0x27f0 kernel/exit.c:882\n do_group_exit+0x207/0x2c0 kernel/exit.c:1031\n __do_sys_exit_group kernel/exit.c:1042 [inline]\n __se_sys_exit_group kernel/exit.c:1040 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcfb51ee969\nCode: Unable to access opcode bytes at 0x7fcfb51ee93f.\nRSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\nRBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0\nR13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: Add a cond_resched() in sock_hash_free()\n\nSeveral syzbot soft lockup reports all have in common sock_hash_free()\n\nIf a map with a large number of buckets is destroyed, we need to yield\nthe cpu when needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don't return OOB skb in manage_oob().\n\nsyzbot reported use-after-free in unix_stream_recv_urg(). [0]\n\nThe scenario is\n\n  1. send(MSG_OOB)\n  2. recv(MSG_OOB)\n     -> The consumed OOB remains in recv queue\n  3. send(MSG_OOB)\n  4. recv()\n     -> manage_oob() returns the next skb of the consumed OOB\n     -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared\n  5. recv(MSG_OOB)\n     -> unix_sk(sk)->oob_skb is used but already freed\n\nThe recent commit 8594d9b85c07 (\"af_unix: Don't call skb_get() for OOB\nskb.\") uncovered the issue.\n\nIf the OOB skb is consumed and the next skb is peeked in manage_oob(),\nwe still need to check if the skb is OOB.\n\nLet's do so by falling back to the following checks in manage_oob()\nand add the test case in selftest.\n\nNote that we need to add a similar check for SIOCATMARK.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\nRead of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235\n\nCPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\n unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640\n unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778\n unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2816\n ___sys_recvmsg net/socket.c:2858 [inline]\n __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5360d6b4e9\nCode: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9\nRDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003\nRBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001\n </TASK>\n\nAllocated by task 5235:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:312 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3988 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080\n __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528\n sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815\n sock_alloc_send_skb include/net/sock.h:1778 [inline]\n queue_oob+0x108/0x680 net/unix/af_unix.c:2198\n unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n ___sys_sendmsg net/socket.c:2651 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5235:\n kasan_save_stack mm/kasan/common.c:47\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param\n\nIn the `wilc_parse_join_bss_param` function, the TSF field of the `ies`\nstructure is accessed after the RCU read-side critical section is\nunlocked. According to RCU usage rules, this is illegal. Reusing this\npointer can lead to unpredictable behavior, including accessing memory\nthat has been updated or causing use-after-free issues.\n\nThis possible bug was identified using a static analysis tool developed\nby myself, specifically designed to detect RCU-related issues.\n\nTo address this, the TSF value is now stored in a local variable\n`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is\nthen assigned using this local variable, ensuring that the TSF value is\nsafely accessed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()\n\nSince '__dev_queue_xmit()' should be called with interrupts enabled,\nthe following backtrace:\n\nieee80211_do_stop()\n ...\n spin_lock_irqsave(&local->queue_stop_reason_lock, flags)\n ...\n ieee80211_free_txskb()\n  ieee80211_report_used_skb()\n   ieee80211_report_ack_skb()\n    cfg80211_mgmt_tx_status_ext()\n     nl80211_frame_tx_status()\n      genlmsg_multicast_netns()\n       genlmsg_multicast_netns_filtered()\n        nlmsg_multicast_filtered()\n\t netlink_broadcast_filtered()\n\t  do_one_broadcast()\n\t   netlink_broadcast_deliver()\n\t    __netlink_sendskb()\n\t     netlink_deliver_tap()\n\t      __netlink_deliver_tap_skb()\n\t       dev_queue_xmit()\n\t        __dev_queue_xmit() ; with IRQS disabled\n ...\n spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)\n\nissues the warning (as reported by syzbot reproducer):\n\nWARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120\n\nFix this by implementing a two-phase skb reclamation in\n'ieee80211_do_stop()', where actual work is performed\noutside of a section with interrupts disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: use hweight16 to get correct tx antenna\n\nThe chainmask is u16 so using hweight8 cannot get correct tx_ant.\nWithout this patch, the tx_ant of band 2 would be -1 and lead to the\nfollowing issue:\nBUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix oops on non-dbdc mt7986\n\nmt7915_band_config() sets band_idx = 1 on the main phy for mt7986\nwith MT7975_ONE_ADIE or MT7976_ONE_ADIE.\n\nCommit 0335c034e726 (\"wifi: mt76: fix race condition related to\nchecking tx queue fill status\") introduced a dereference of the\nphys array indirectly indexed by band_idx via wcid->phy_idx in\nmt76_wcid_cleanup(). This caused the following Oops on affected\nmt7986 devices:\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000024\n Mem abort info:\n   ESR = 0x0000000096000005\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x05: level 1 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000005\n   CM = 0, WnR = 0\n user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000\n [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] SMP\n Modules linked in: ... 
mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...\n CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0\n Hardware name: ZyXEL EX5700 (Telenor) (DT)\n pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mt76_wcid_cleanup+0x84/0x22c [mt76]\n lr : mt76_wcid_cleanup+0x64/0x22c [mt76]\n sp : ffffffc00a803700\n x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00\n x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001\n x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8\n x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000\n x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0\n x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000\n x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28\n x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000\n x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001\n x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024\n Call trace:\n  mt76_wcid_cleanup+0x84/0x22c [mt76]\n  __mt76_sta_remove+0x70/0xbc [mt76]\n  mt76_sta_state+0x8c/0x1a4 [mt76]\n  mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]\n  drv_sta_state+0x144/0x274 [mac80211]\n  sta_info_move_state+0x1cc/0x2a4 [mac80211]\n  sta_set_sinfo+0xaf8/0xc24 [mac80211]\n  sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]\n\n  ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]\n  cfg80211_check_station_change+0x1360/0x4710 [cfg80211]\n  genl_family_rcv_msg_doit+0xb4/0x110\n  genl_rcv_msg+0xd0/0x1bc\n  netlink_rcv_skb+0x58/0x120\n  genl_rcv+0x34/0x50\n  netlink_unicast+0x1f0/0x2ec\n  netlink_sendmsg+0x198/0x3d0\n  ____sys_sendmsg+0x1b0/0x210\n  ___sys_sendmsg+0x80/0xf0\n  __sys_sendmsg+0x44/0xa0\n  __arm64_sys_sendmsg+0x20/0x30\n  invoke_syscall.constprop.0+0x4c/0xe0\n  do_el0_svc+0x40/0xd0\n  el0_svc+0x14/0x4c\n  el0t_64_sync_handler+0x100/0x110\n  el0t_64_sync+0x15c/0x160\n Code: d2800002 910092c0 52800023 f9800011 (885f7c01)\n ---[ 
end trace 7e42dd9a39ed2281 ]---\n\nFix by using mt76_dev_phy() which will map band_idx to the correct phy\nfor all hardware combinations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros\n\nFloating point instructions in userspace can crash some arm kernels\nbuilt with clang/LLD 17.0.6:\n\n    BUG: unsupported FP instruction in kernel mode\n    FPEXC == 0xc0000780\n    Internal error: Oops - undefined instruction: 0 [#1] ARM\n    CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1\n    Hardware name: BCM2835\n    PC is at vfp_support_entry+0xc8/0x2cc\n    LR is at do_undefinstr+0xa8/0x250\n    pc : [<c0101d50>]    lr : [<c010a80c>]    psr: a0000013\n    sp : dc8d1f68  ip : 60000013  fp : bedea19c\n    r10: ec532b17  r9 : 00000010  r8 : 0044766c\n    r7 : c0000780  r6 : ec532b17  r5 : c1c13800  r4 : dc8d1fb0\n    r3 : c10072c4  r2 : c0101c88  r1 : ec532b17  r0 : 0044766c\n    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\n    Control: 00c5387d  Table: 0251c008  DAC: 00000051\n    Register r0 information: non-paged memory\n    Register r1 information: vmalloc memory\n    Register r2 information: non-slab/vmalloc memory\n    Register r3 information: non-slab/vmalloc memory\n    Register r4 information: 2-page vmalloc region\n    Register r5 information: slab kmalloc-cg-2k\n    Register r6 information: vmalloc memory\n    Register r7 information: non-slab/vmalloc memory\n    Register r8 information: non-paged memory\n    Register r9 information: zero-size pointer\n    Register r10 information: vmalloc memory\n    Register r11 information: non-paged memory\n    Register r12 information: non-paged memory\n    Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)\n    Stack: (0xdc8d1f68 to 0xdc8d2000)\n    1f60:                   0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0\n    1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010\n    1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188\n    1fc0: bedea314 00000001 
00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c\n    1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000\n    Call trace:\n    [<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)\n    [<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)\n    Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)\n    1fa0:                                     b6f68af8 00448fc0 00000000 bedea188\n    1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c\n    1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff\n    Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)\n    ---[ end trace 0000000000000000 ]---\n    Kernel panic - not syncing: Fatal exception in interrupt\n    ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---\n\nThis is a minimal userspace reproducer on a Raspberry Pi Zero W:\n\n    #include <stdio.h>\n    #include <math.h>\n\n    int main(void)\n    {\n            double v = 1.0;\n            printf(\"%fn\", NAN + *(volatile double *)&v);\n            return 0;\n    }\n\nAnother way to consistently trigger the oops is:\n\n    calvin@raspberry-pi-zero-w ~$ python -c \"import json\"\n\nThe bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,\nbecause the pr_debug() calls act as barriers even when not activated.\n\nThis is the output from the same kernel source built with the same\ncompiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as\nexpected:\n\n    VFP: bounce: trigger ec532b17 fpexc c0000780\n    VFP: emulate: INST=0xee377b06 SCR=0x00000000\n    VFP: bounce: trigger eef1fa10 fpexc c0000780\n    VFP: emulate: INST=0xeeb40b40 SCR=0x00000000\n    VFP: raising exceptions 30000000\n\n    calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer\n    nan\n\nCrudely grepping for vmsr/vmrs instructions in the otherwise nearly\nidential text for vfp_support_entry() makes the problem obvious:\n\n    vmlinux.llvm.good [0xc0101cb8] <+48>:  vmrs   
r7, fpexc\n    vmlinux.llvm.good [0xc0101cd8] <+80>:  vmsr   fpexc, r0\n    vmlinux.llvm.good [0xc0101d20\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Don't zero-out PMU snapshot area before freeing data\n\nWith the latest Linux-6.11-rc3, the below NULL pointer crash is observed\nwhen SBI PMU snapshot is enabled for the guest and the guest is forcefully\npowered-off.\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508\n  Oops [#1]\n  Modules linked in: kvm\n  CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3\n  Hardware name: riscv-virtio,qemu (DT)\n  epc : __kvm_write_guest_page+0x94/0xa6 [kvm]\n   ra : __kvm_write_guest_page+0x54/0xa6 [kvm]\n  epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0\n   gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000\n   t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0\n   s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086\n   a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0\n   a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc\n   s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000\n   s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000\n   s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001\n   s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3\n   t5 : ffffffff814126e0 t6 : ffffffff81412700\n  status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d\n  [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]\n  [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]\n  [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]\n  [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]\n  [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]\n  [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]\n  [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]\n  [<ffffffff0159930c>] 
kvm_arch_destroy_vm+0x14/0x28 [kvm]\n  [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]\n  [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]\n  [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]\n\nClearly, the kvm_vcpu_write_guest() function is crashing because it is\nbeing called from kvm_pmu_clear_snapshot_area() upon guest tear down.\n\nTo address the above issue, simplify the kvm_pmu_clear_snapshot_area() to\nnot zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because\nthe guest is anyway being torn down.\n\nThe kvm_pmu_clear_snapshot_area() is also called when guest changes\nPMU snapshot area of a VCPU but even in this case the previous PMU\nsnapshot area must not be zeroed-out because the guest might have\nreclaimed the previous PMU snapshot area for some other purpose.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: always wait for both firmware loading attempts\n\nIn 'rtw_wait_firmware_completion()', always wait for both (regular and\nwowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'\nhas failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue\n'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually\nthe wowlan one) is still in progress, causing UAF detected by KASAN.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Protect against overflow of ALIGN() during iova allocation\n\nUserspace can supply an iova and uptr such that the target iova alignment\nbecomes really big and ALIGN() overflows which corrupts the selected area\nrange during allocation. CONFIG_IOMMUFD_TEST can detect this:\n\n   WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]\n   WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352\n   Modules linked in:\n   CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0\n   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n   RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]\n   RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352\n   Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38\n   RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293\n   RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00\n   RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000\n   RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942\n   R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010\n   R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00\n   FS:  000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400\n   Call Trace:\n    <TASK>\n    iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274\n    iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421\n    vfs_ioctl fs/ioctl.c:51 [inline]\n    __do_sys_ioctl fs/ioctl.c:907 [inline]\n    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCap the automatic alignment to the huge page size, which is probably a\nbetter idea overall. Huge automatic alignments can fragment and chew up\nthe available IOVA space without any reason.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the  dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n    373 bool dcn30_set_output_transfer_func(struct dc *dc,\n    374                                 struct pipe_ctx *pipe_ctx,\n    375                                 const struct dc_stream_state *stream)\n    376 {\n    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n    379         const struct pwl_params *params = NULL;\n    380         bool ret = false;\n    381\n    382         /* program OGAM or 3DLUT only for the top pipe*/\n    383         if (pipe_ctx->top_pipe == NULL) {\n    384                 /*program rmu shaper and 3dlut in MPC*/\n    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n    386                 if (ret == false && mpc->funcs->set_output_gamma) {\n                            
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n    388                                 params = &stream->out_transfer_func.pwl;\n    389                         else if (pipe_ctx->stream->out_transfer_func.type ==\n    390                                         TF_TYPE_DISTRIBUTED_POINTS &&\n    391                                         cm3_helper_translate_curve_to_hw_format(\n    392                                         &stream->out_transfer_func,\n    393                                         &mpc->blender_params, false))\n    394                                 params = &mpc->blender_params;\n    395                          /* there are no ROM LUTs in OUTGAM */\n    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n    397                                 BREAK_TO_DEBUGGER();\n    398                 }\n    399         }\n    400\n--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n    402         return ret;\n    403 }",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading\n\nThe handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't\nimplemented, but the driver expects the number of handlers to be\nNUM_OF_RTW89_MAC_C2H_FUNC_WOW, causing out-of-bounds access. Fix it by\nremoving the ID.\n\nAddresses-Coverity-ID: 1598775 (\"Out-of-bounds read\")",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix out-of-bounds in dbNextAG() and diAlloc()\n\nIn dbNextAG(), there is no check for the case where bmp->db_numag is\ngreater than or equal to MAXAG due to a polluted image, which causes an\nout-of-bounds. Therefore, a bounds check should be added in dbMount().\n\nAnd in dbNextAG(), a check for the case where agpref is greater than\nbmp->db_numag should be added, so an out-of-bounds exception should be\nprevented.\n\nAdditionally, a check for the case where agno is greater than or equal to\nMAXAG should be added in diAlloc() to prevent out-of-bounds.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: use work queue to process beacon tx event\n\nCommit 3a415daa3e8b (\"wifi: ath11k: add P2P IE in beacon template\")\nfrom Feb 28, 2024 (linux-next), leads to the following Smatch static\nchecker warning:\n\ndrivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()\nwarn: sleeping in atomic context\n\nThe reason is that ath11k_bcn_tx_status_event() will directly call might\nsleep function ath11k_wmi_cmd_send() during RCU read-side critical\nsections. The call trace is like:\n\nath11k_bcn_tx_status_event()\n-> rcu_read_lock()\n-> ath11k_mac_bcn_tx_event()\n\t-> ath11k_mac_setup_bcn_tmpl()\n\t\u2026\u2026\n\t\t-> ath11k_wmi_bcn_tmpl()\n\t\t\t-> ath11k_wmi_cmd_send()\n-> rcu_read_unlock()\n\nCommit 886433a98425 (\"ath11k: add support for BSS color change\") added the\nath11k_mac_bcn_tx_event(), commit 01e782c89108 (\"ath11k: fix warning\nof RCU usage for ath11k_mac_get_arvif_by_vdev_id()\") added the RCU lock\nto avoid warning but also introduced this BUG.\n\nUse work queue to avoid directly calling ath11k_mac_bcn_tx_event()\nduring RCU critical sections. No need to worry about the deletion of vif\nbecause cancel_work_sync() will drop the work if it doesn't start or\nblock vif deletion until the running work is done.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait dio completion\n\nIt should wait for all existing dio write IOs before block removal,\notherwise, a previous direct write IO may overwrite data in the\nblock, which may be reused by another inode.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Fix \"in-kernel MMIO\" check\n\nTDX only supports kernel-initiated MMIO operations. The handle_mmio()\nfunction checks if the #VE exception occurred in the kernel and rejects\nthe operation if it did not.\n\nHowever, userspace can deceive the kernel into performing MMIO on its\nbehalf. For example, if userspace can point a syscall to an MMIO address,\nsyscall does get_user() or put_user() on it, triggering MMIO #VE. The\nkernel will treat the #VE as in-kernel MMIO.\n\nEnsure that the target MMIO address is within the kernel before decoding\ninstruction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error\n\nFor all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input\narguments, zero the value for the case of an error as otherwise it could leak\nmemory. For tracing, it is not needed given CAP_PERFMON can already read all\nkernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() are skipped\nin here.\n\nAlso, the MTU helpers mtu_len pointer value is being written but also read.\nTechnically, the MEM_UNINIT should not be there in order to always force init.\nRemoving MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now\nimplies two things actually: i) write into memory, ii) memory does not have\nto be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,\nii) memory must be initialized. This means that for bpf_*_check_mtu() we're\nre-adding the issue we're trying to fix, that is, it would then be able to\nwrite back into things like .rodata BPF maps. Follow-up work will rework the\nMEM_UNINIT semantics such that the intent can be better expressed. For now\njust clear the *mtu_len on error path which can be lifted later again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Use reserved copy engine for user binds on faulting devices\n\nUser binds map to engines with can fault, faults depend on user binds\ncompletion, thus we can deadlock. Avoid this by using reserved copy\nengine for user binds on faulting devices.\n\nWhile we are here, normalize bind queue creation with a helper.\n\nv2:\n - Pass in extensions to bind queue creation (CI)\nv3:\n - s/resevered/reserved (Lucas)\n - Fix NULL hwe check (Jonathan)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - inject error before stopping queue\n\nThe master ooo cannot be completely closed when the\naccelerator core reports memory error. Therefore, the driver\nneeds to inject the qm error to close the master ooo. Currently,\nthe qm error is injected after stopping queue, memory may be\nreleased immediately after stopping queue, causing the device to\naccess the released memory. Therefore, error is injected to close master\nooo before stopping queue to ensure that the device does not access\nthe released memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: Fix ali_drw_pmu driver interrupt status clearing\n\nThe alibaba_uncore_pmu driver forgot to clear all interrupt status\nin the interrupt processing function. After the PMU counter overflow\ninterrupt occurred, an interrupt storm occurred, causing the system\nto hang.\n\nTherefore, clear the correct interrupt status in the interrupt handling\nfunction to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix potential use after free bug\n\nThe free_device_compression_mode(iaa_device, device_mode) function frees\n\"device_mode\" but it is passed to iaa_compression_modes[i]->free() a few\nlines later resulting in a use after free.\n\nThe good news is that, so far as I can tell, nothing implements the\n->free() function and the use after free happens in dead code.  But, with\nthis fix, when something does implement it, we'll be ready.  :)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Delete subtree of 'fs/netfs' when netfs module exits\n\nIn netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs',\nbut in netfs_exit(), we only delete the proc entry of 'fs/netfs' without\ndeleting its subtree. This triggers the following WARNING:\n\n==================================================================\nremove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'\nWARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0\nModules linked in: netfs(-)\nCPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860\nRIP: 0010:remove_proc_entry+0x160/0x1c0\nCall Trace:\n <TASK>\n netfs_exit+0x12/0x620 [netfs]\n __do_sys_delete_module.isra.0+0x14c/0x2e0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nTherefore use remove_proc_subtree() instead of remove_proc_entry() to\nfix the above problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()\n\nsyzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce\nthis[1], one bond device (bond1) has xdpdrv, which increases\nbpf_master_redirect_enabled_key. Another bond device (bond0) which is\nunsupported by XDP but its slave (veth3) has xdpgeneric that returns\nXDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().\nTo reduce unnecessary warnings and improve log management, we need to\ndelete the WARN_ON_ONCE() and add ratelimit to the netdev_err().\n\n[1] Steps to reproduce:\n    # Needs tx_xdp with return XDP_TX;\n    ip l add veth0 type veth peer veth1\n    ip l add veth3 type veth peer veth4\n    ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP\n    ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default\n    ip l set veth0 master bond1\n    ip l set bond1 up\n    # Increases bpf_master_redirect_enabled_key\n    ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx\n    ip l set veth3 master bond0\n    ip l set bond0 up\n    ip l set veth4 up\n    # Triggers WARN_ON_ONCE() from the xdp_master_redirect()\n    ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled\n\nFix misuse of spin_lock_irq()/spin_unlock_irq() when\nspin_lock_irqsave()/spin_lock_irqrestore() was held.\n\nThis was discovered through the lock debugging, and the corresponding\nlog is as follows:\n\nraw_local_irq_restore() called with IRQs enabled\nWARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40\n...\nCall trace:\n warn_bogus_irq_restore+0x30/0x40\n _raw_spin_unlock_irqrestore+0x84/0xc8\n add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]\n hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]\n hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]\n create_qp+0x138/0x258\n ib_create_qp_kernel+0x50/0xe8\n create_mad_qp+0xa8/0x128\n ib_mad_port_open+0x218/0x448\n ib_mad_init_device+0x70/0x1f8\n add_client_context+0xfc/0x220\n enable_device_and_get+0xd0/0x140\n ib_register_device.part.0+0xf4/0x1c8\n ib_register_device+0x34/0x50\n hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]\n hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]\n hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle overlapped pclusters out of crafted images properly\n\nsyzbot reported a task hang issue due to a deadlock case where it is\nwaiting for the folio lock of a cached folio that will be used for\ncache I/Os.\n\nAfter looking into the crafted fuzzed image, I found it's formed with\nseveral overlapped big pclusters as below:\n\n Ext:   logical offset   |  length :     physical offset    |  length\n   0:        0..   16384 |   16384 :     151552..    167936 |   16384\n   1:    16384..   32768 |   16384 :     155648..    172032 |   16384\n   2:    32768..   49152 |   16384 :  537223168.. 537239552 |   16384\n...\n\nHere, extent 0/1 are physically overlapped although it's entirely\n_impossible_ for normal filesystem images generated by mkfs.\n\nFirst, managed folios containing compressed data will be marked as\nup-to-date and then unlocked immediately (unlike in-place folios) when\ncompressed I/Os are complete.  If physical blocks are not submitted in\nthe incremental order, there should be separate BIOs to avoid dependency\nissues.  However, the current code mis-arranges z_erofs_fill_bio_vec()\nand BIO submission which causes unexpected BIO waits.\n\nSecond, managed folios will be connected to their own pclusters for\nefficient inter-queries.  However, this is somewhat hard to implement\neasily if overlapped big pclusters exist.  Again, these only appear in\nfuzzed images so let's simply fall back to temporary short-lived pages\nfor correctness.\n\nAdditionally, it justifies that referenced managed folios cannot be\ntruncated for now and reverts part of commit 2080ca1ed3e4 (\"erofs: tidy\nup `struct z_erofs_bvec`\") for simplicity although it shouldn't be any\ndifference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: call cache_put if xdr_reserve_space returns NULL\n\nIf not enough buffer space is available, but idmap_lookup has triggered\nlookup_fn which calls cache_get and returns successfully. Then we\nmissed to call cache_put here which pairs with cache_get.\n\nReviewed-by: Jeff Layton <jlayton@kernel.org>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't use rate mask for offchannel TX either\n\nLike the commit ab9177d83c04 (\"wifi: mac80211: don't use rate mask for\nscanning\"), ignore incorrect settings to avoid no supported rate warning\nreported by syzbot.\n\nThe syzbot did bisect and found cause is commit 9df66d5b9f45 (\"cfg80211:\nfix default HE tx bitrate mask in 2G band\"), which however corrects\nbitmask of HE MCS and recognizes correctly settings of empty legacy rate\nplus HE MCS rate instead of returning -EINVAL.\n\nAs suggestions [1], follow the change of SCAN TX to consider this case of\noffchannel TX as well.\n\n[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: use integer wrap around to prevent deadlock on seq_nr overflow\n\nWhen submitting more than 2^32 padata objects to padata_do_serial, the\ncurrent sorting implementation incorrectly sorts padata objects with\noverflowed seq_nr, causing them to be placed before existing objects in\nthe reorder list. This leads to a deadlock in the serialization process\nas padata_find_next cannot match padata->seq_nr and pd->processed\nbecause the padata instance with overflowed seq_nr will be selected\nnext.\n\nTo fix this, we use an unsigned integer wrap around to correctly sort\npadata objects in scenarios with integer overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Require FMODE_WRITE for atomic write ioctls\n\nThe F2FS ioctls for starting and committing atomic writes check for\ninode_owner_or_capable(), but this does not give LSMs like SELinux or\nLandlock an opportunity to deny the write access - if the caller's FSUID\nmatches the inode's UID, inode_owner_or_capable() immediately returns true.\n\nThere are scenarios where LSMs want to deny a process the ability to write\nparticular files, even files that the FSUID of the process owns; but this\ncan currently partially be bypassed using atomic write ioctls in two ways:\n\n - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can\n   truncate an inode to size 0\n - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert\n   changes another process concurrently made to a file\n\nFix it by requiring FMODE_WRITE for these operations, just like for\nF2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these\nioctls when intending to write into the file, that seems unlikely to break\nanything.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race setting file private on concurrent lseek using same fd\n\nWhen doing concurrent lseek(2) system calls against the same file\ndescriptor, using multiple threads belonging to the same process, we have\na short time window where a race happens and can result in a memory leak.\n\nThe race happens like this:\n\n1) A program opens a file descriptor for a file and then spawns two\n   threads (with the pthreads library for example), let's call them\n   task A and task B;\n\n2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at\n   file.c:find_desired_extent() while holding a read lock on the inode;\n\n3) At the start of find_desired_extent(), it extracts the file's\n   private_data pointer into a local variable named 'private', which has\n   a value of NULL;\n\n4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode\n   in shared mode and enters file.c:find_desired_extent(), where it also\n   extracts file->private_data into its local variable 'private', which\n   has a NULL value;\n\n5) Because it saw a NULL file private, task A allocates a private\n   structure and assigns to the file structure;\n\n6) Task B also saw a NULL file private so it also allocates its own file\n   private and then assigns it to the same file structure, since both\n   tasks are using the same file descriptor.\n\n   At this point we leak the private structure allocated by task A.\n\nBesides the memory leak, there's also the detail that both tasks end up\nusing the same cached state record in the private structure (struct\nbtrfs_file_private::llseek_cached_state), which can result in a\nuse-after-free problem since one task can free it while the other is\nstill using it (only one task took a reference count on it). Also, sharing\nthe cached state is not a good idea since it could result in incorrect\nresults in the future - right now it should not be a problem because it\nends up being used only in extent-io-tree.c:count_range_bits() where we do\nrange validation before using the cached state.\n\nFix this by protecting the private assignment and check of a file while\nholding the inode's spinlock and keep track of the task that allocated\nthe private, so that it's used only by that task in order to prevent\nuse-after-free issues with the cached state record as well as potentially\nusing it incorrectly in the future.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Block path traversal\n\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\n\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n\n - lpfc_sli4_request_firmware_update() seems to construct the firmware\n   filename from \"ModelName\", a string that was previously parsed out of\n   some descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n - nfp_net_fw_find() seems to construct a firmware filename from a model\n   name coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\n   think parses some descriptor that was read from the device.\n   (But this case likely isn't exploitable because the format string looks\n   like \"netronome/nic_%s\", and there shouldn't be any *folders* starting\n   with \"netronome/nic_\". The previous case was different because there,\n   the \"%s\" is *at the start* of the format string.)\n - module_flash_fw_schedule() is reachable from the\n   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\n   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\n   enough to pass the privilege check), and takes a userspace-provided\n   firmware name.\n   (But I think to reach this case, you need to have CAP_NET_ADMIN over a\n   network namespace that a special kind of ethernet device is mapped into,\n   so I think this is not a viable attack path in practice.)\n\nFix it by rejecting any firmware names containing \"..\" path components.\n\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: prevent NULL pointer dereference in find_asymmetric_key()\n\nIn find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2}\narguments, the kernel will first emit WARN but then have an oops\nbecause id_2 gets dereferenced anyway.\n\nAdd the missing id_2 check and move WARN_ON() to the final else branch\nto avoid duplicate NULL checks.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock\n\nUse a dedicated mutex to guard kvm_usage_count to fix a potential deadlock\non x86 due to a chain of locks and SRCU synchronizations.  Translating the\nbelow lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on\nCPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the\nfairness of r/w semaphores).\n\n    CPU0                     CPU1                     CPU2\n1   lock(&kvm->slots_lock);\n2                                                     lock(&vcpu->mutex);\n3                                                     lock(&kvm->srcu);\n4                            lock(cpu_hotplug_lock);\n5                            lock(kvm_lock);\n6                            lock(&kvm->slots_lock);\n7                                                     lock(cpu_hotplug_lock);\n8   sync(&kvm->srcu);\n\nNote, there are likely more potential deadlocks in KVM x86, e.g. the same\npattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with\n__kvmclock_cpufreq_notifier():\n\n  cpuhp_cpufreq_online()\n  |\n  -> cpufreq_online()\n     |\n     -> cpufreq_gov_performance_limits()\n        |\n        -> __cpufreq_driver_target()\n           |\n           -> __target_index()\n              |\n              -> cpufreq_freq_transition_begin()\n                 |\n                 -> cpufreq_notify_transition()\n                    |\n                    -> ... __kvmclock_cpufreq_notifier()\n\nBut, actually triggering such deadlocks is beyond rare due to the\ncombination of dependencies and timings involved.  E.g. the cpufreq\nnotifier is only used on older CPUs without a constant TSC, mucking with\nthe NX hugepage mitigation while VMs are running is very uncommon, and\ndoing so while also onlining/offlining a CPU (necessary to generate\ncontention on cpu_hotplug_lock) would be even more unusual.\n\nThe most robust solution to the general cpu_hotplug_lock issue is likely\nto switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq\nnotifier doesn't need to take kvm_lock.  For now, settle for fixing the most\nblatant deadlock, as switching to an RCU-protected list is a much more\ninvolved change, but add a comment in locking.rst to call out that care\nneeds to be taken when holding kvm_lock and walking vm_list.\n\n  ======================================================\n  WARNING: possible circular locking dependency detected\n  6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S         O\n  ------------------------------------------------------\n  tee/35048 is trying to acquire lock:\n  ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm]\n\n  but task is already holding lock:\n  ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm]\n\n  which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n  -> #3 (kvm_lock){+.+.}-{3:3}:\n         __mutex_lock+0x6a/0xb40\n         mutex_lock_nested+0x1f/0x30\n         kvm_dev_ioctl+0x4fb/0xe50 [kvm]\n         __se_sys_ioctl+0x7b/0xd0\n         __x64_sys_ioctl+0x21/0x30\n         x64_sys_call+0x15d0/0x2e60\n         do_syscall_64+0x83/0x160\n         entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  -> #2 (cpu_hotplug_lock){++++}-{0:0}:\n         cpus_read_lock+0x2e/0xb0\n         static_key_slow_inc+0x16/0x30\n         kvm_lapic_set_base+0x6a/0x1c0 [kvm]\n         kvm_set_apic_base+0x8f/0xe0 [kvm]\n         kvm_set_msr_common+0x9ae/0xf80 [kvm]\n         vmx_set_msr+0xa54/0xbe0 [kvm_intel]\n         __kvm_set_msr+0xb6/0x1a0 [kvm]\n         kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm]\n         kvm_vcpu_ioctl+0x485/0x5b0 [kvm]\n         __se_sys_ioctl+0x7b/0xd0\n         __x64_sys_ioctl+0x21/0x30\n         x64_sys_call+0x15d0/0x2e60\n         do_syscall_64+0x83/0x160\n         entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  -> #1 (&kvm->srcu){.+.+}-{0:0}:\n         __synchronize_srcu+0x44/0x1a0\n      \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call the security_mmap_file() LSM hook in remap_file_pages()\n\nThe remap_file_pages syscall handler calls do_mmap() directly, which\ndoesn't contain the LSM security check. And if the process has called\npersonality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for\nRW pages, this will actually result in remapping the pages to RWX,\nbypassing a W^X policy enforced by SELinux.\n\nSo we should check prot by security_mmap_file LSM hook in the\nremap_file_pages syscall handler before do_mmap() is called. Otherwise, it\npotentially permits an attacker to bypass a W^X policy enforced by\nSELinux.\n\nThe bypass is similar to CVE-2016-10044, which bypass the same thing via\nAIO and can be found in [1].\n\nThe PoC:\n\n$ cat > test.c\n\nint main(void) {\n\tsize_t pagesz = sysconf(_SC_PAGE_SIZE);\n\tint mfd = syscall(SYS_memfd_create, \"test\", 0);\n\tconst char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,\n\t\tMAP_SHARED, mfd, 0);\n\tunsigned int old = syscall(SYS_personality, 0xffffffff);\n\tsyscall(SYS_personality, READ_IMPLIES_EXEC | old);\n\tsyscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);\n\tsyscall(SYS_personality, old);\n\t// show the RWX page exists even if W^X policy is enforced\n\tint fd = open(\"/proc/self/maps\", O_RDONLY);\n\tunsigned char buf2[1024];\n\twhile (1) {\n\t\tint ret = read(fd, buf2, 1024);\n\t\tif (ret <= 0) break;\n\t\twrite(1, buf2, ret);\n\t}\n\tclose(fd);\n}\n\n$ gcc test.c -o test\n$ ./test | grep rwx\n7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n\n[PM: subject line tweaks]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set\n\nThis may be a typo. The comment has said shared locks are\nnot allowed when this bit is set. If using shared lock, the\nwait in `fuse_file_cached_io_open` may be forever.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition\n\nIn the ether3_probe function, a timer is initialized with a callback\nfunction ether3_ledoff, bound to &prev(dev)->timer. Once the timer is\nstarted, there is a risk of a race condition if the module or device\nis removed, triggering the ether3_remove function to perform cleanup.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                      |  ether3_ledoff\nether3_remove         |\n  free_netdev(dev);   |\n  put_devic           |\n  kfree(dev);         |\n |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);\n                      | // use dev\n\nFix it by ensuring that the timer is canceled before proceeding with\nthe cleanup in ether3_remove.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_vdpa: assign irq bypass producer token correctly\n\nWe used to call irq_bypass_unregister_producer() in\nvhost_vdpa_setup_vq_irq() which is problematic as we don't know if the\ntoken pointer is still valid or not.\n\nActually, we use the eventfd_ctx as the token so the life cycle of the\ntoken should be bound to the VHOST_SET_VRING_CALL instead of\nvhost_vdpa_setup_vq_irq() which could be called by set_status().\n\nFixing this by setting up irq bypass producer's token when handling\nVHOST_SET_VRING_CALL and un-registering the producer before calling\nvhost_vring_ioctl() to prevent a possible use after free as eventfd\ncould have been released in vhost_vring_ioctl(). And such registering\nand unregistering will only be done if DRIVER_OK is set.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cxgb4: Added NULL check for lookup_atid\n\nThe lookup_atid() function can return NULL if the ATID is\ninvalid or does not exist in the identifier table, which\ncould lead to dereferencing a null pointer without a\ncheck in the `act_establish()` and `act_open_rpl()` functions.\nAdd a NULL check to prevent null pointer dereferencing.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix Use-After-Free of rsv_qp on HIP08\n\nCurrently rsv_qp is freed before ib_unregister_device() is called\non HIP08. During the time interval, users can still dereg MR and\nrsv_qp will be used in this process, leading to a UAF. Move the\nrelease of rsv_qp after calling ib_unregister_device() to fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()\n\nWithin kirin_pcie_parse_port(), the pcie->num_slots is compared to\npcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead\nto an overflow.\n\nThus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move\npcie->num_slots increment below the if-statement to avoid out-of-bounds\narray access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix H264 stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_h264_req_if.c.\nWhich leads to a kernel crash when fb is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix VP8 stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_vp8_req_if.c.\nWhich leads to a kernel crash when fb is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_h264_req_multi_if.c.\nWhich leads to a kernel crash when fb is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix if-statement expression in ks_pcie_quirk()\n\nThis code accidentally uses && where || was intended.  It potentially\nresults in a NULL dereference.\n\nThus, fix the if-statement expression to use the correct condition.\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential oob read in nilfs_btree_check_delete()\n\nThe function nilfs_btree_check_delete(), which checks whether degeneration\nto direct mapping occurs before deleting a b-tree entry, causes memory\naccess outside the block buffer when retrieving the maximum key if the\nroot node has no entries.\n\nThis does not usually happen because b-tree mappings with 0 child nodes\nare never created by mkfs.nilfs2 or nilfs2 itself.  However, it can happen\nif the b-tree root node read from a device is configured that way, so fix\nthis potential issue by adding a check for that case.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-47794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tailcall infinite loop caused by freplace\n\nThere is a potential infinite loop issue that can occur when using a\ncombination of tail calls and freplace.\n\nIn an upcoming selftest, the attach target for entry_freplace of\ntailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in\nentry_freplace leads to entry_tc. This results in an infinite loop:\n\nentry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.\n\nThe problem arises because the tail_call_cnt in entry_freplace resets to\nzero each time entry_freplace is executed, causing the tail call mechanism\nto never terminate, eventually leading to a kernel panic.\n\nTo fix this issue, the solution is twofold:\n\n1. Prevent updating a program extended by an freplace program to a\n   prog_array map.\n2. Prevent extending a program that is already part of a prog_array map\n   with an freplace program.\n\nThis ensures that:\n\n* If a program or its subprogram has been extended by an freplace program,\n  it can no longer be updated to a prog_array map.\n* If a program has been added to a prog_array map, neither it nor its\n  subprograms can be extended by an freplace program.\n\nMoreover, an extension program should not be tailcalled. As such, return\n-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a\nprog_array map.\n\nAdditionally, fix a minor code style issue by replacing eight spaces with a\ntab for proper formatting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-47809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix possible lkb_resource null dereference\n\nThis patch fixes a possible null pointer dereference when this function is\ncalled from request_lock() as lkb->lkb_resource is not assigned yet,\nonly after validate_lock_args() by calling attach_lkb(). Another issue\nis that a resource name could be a non printable bytearray and we cannot\nassume to be ASCII coded.\n\nThe log functionality is probably never being hit when DLM is used in\nnormal way and no debug logging is enabled. The null pointer dereference\ncan only occur on a new created lkb that does not have the resource\nassigned yet, it probably never hits the null pointer dereference but we\nshould be sure that other changes might not change this behaviour and we\nactually can hit the mentioned null pointer dereference.\n\nIn this patch we just drop the printout of the resource name, the lkb id\nis enough to make a possible connection to a resource name if this\nexists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-47809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-48873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: check return value of ieee80211_probereq_get() for RNR\n\nThe return value of ieee80211_probereq_get() might be NULL, so check it\nbefore using to avoid NULL pointer access.\n\nAddresses-Coverity-ID: 1529805 (\"Dereference null return value\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-48875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't take dev_replace rwsem on task already holding it\n\nRunning fstests btrfs/011 with MKFS_OPTIONS=\"-O rst\" to force the usage of\nthe RAID stripe-tree, we get the following splat from lockdep:\n\n BTRFS info (device sdd): dev_replace from /dev/sdd (devid 1) to /dev/sdb started\n\n ============================================\n WARNING: possible recursive locking detected\n 6.11.0-rc3-btrfs-for-next #599 Not tainted\n --------------------------------------------\n btrfs/2326 is trying to acquire lock:\n ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250\n\n but task is already holding lock:\n ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&fs_info->dev_replace.rwsem);\n   lock(&fs_info->dev_replace.rwsem);\n\n  *** DEADLOCK ***\n\n  May be due to missing lock nesting notation\n\n 1 lock held by btrfs/2326:\n  #0: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250\n\n stack backtrace:\n CPU: 1 UID: 0 PID: 2326 Comm: btrfs Not tainted 6.11.0-rc3-btrfs-for-next #599\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x5b/0x80\n  __lock_acquire+0x2798/0x69d0\n  ? __pfx___lock_acquire+0x10/0x10\n  ? __pfx___lock_acquire+0x10/0x10\n  lock_acquire+0x19d/0x4a0\n  ? btrfs_map_block+0x39f/0x2250\n  ? __pfx_lock_acquire+0x10/0x10\n  ? find_held_lock+0x2d/0x110\n  ? lock_is_held_type+0x8f/0x100\n  down_read+0x8e/0x440\n  ? btrfs_map_block+0x39f/0x2250\n  ? __pfx_down_read+0x10/0x10\n  ? do_raw_read_unlock+0x44/0x70\n  ? _raw_read_unlock+0x23/0x40\n  btrfs_map_block+0x39f/0x2250\n  ? btrfs_dev_replace_by_ioctl+0xd69/0x1d00\n  ? btrfs_bio_counter_inc_blocked+0xd9/0x2e0\n  ? __kasan_slab_alloc+0x6e/0x70\n  ? __pfx_btrfs_map_block+0x10/0x10\n  ? __pfx_btrfs_bio_counter_inc_blocked+0x10/0x10\n  ? kmem_cache_alloc_noprof+0x1f2/0x300\n  ? mempool_alloc_noprof+0xed/0x2b0\n  btrfs_submit_chunk+0x28d/0x17e0\n  ? __pfx_btrfs_submit_chunk+0x10/0x10\n  ? bvec_alloc+0xd7/0x1b0\n  ? bio_add_folio+0x171/0x270\n  ? __pfx_bio_add_folio+0x10/0x10\n  ? __kasan_check_read+0x20/0x20\n  btrfs_submit_bio+0x37/0x80\n  read_extent_buffer_pages+0x3df/0x6c0\n  btrfs_read_extent_buffer+0x13e/0x5f0\n  read_tree_block+0x81/0xe0\n  read_block_for_search+0x4bd/0x7a0\n  ? __pfx_read_block_for_search+0x10/0x10\n  btrfs_search_slot+0x78d/0x2720\n  ? __pfx_btrfs_search_slot+0x10/0x10\n  ? lock_is_held_type+0x8f/0x100\n  ? kasan_save_track+0x14/0x30\n  ? __kasan_slab_alloc+0x6e/0x70\n  ? kmem_cache_alloc_noprof+0x1f2/0x300\n  btrfs_get_raid_extent_offset+0x181/0x820\n  ? __pfx_lock_acquire+0x10/0x10\n  ? __pfx_btrfs_get_raid_extent_offset+0x10/0x10\n  ? down_read+0x194/0x440\n  ? __pfx_down_read+0x10/0x10\n  ? do_raw_read_unlock+0x44/0x70\n  ? _raw_read_unlock+0x23/0x40\n  btrfs_map_block+0x5b5/0x2250\n  ? __pfx_btrfs_map_block+0x10/0x10\n  scrub_submit_initial_read+0x8fe/0x11b0\n  ? __pfx_scrub_submit_initial_read+0x10/0x10\n  submit_initial_group_read+0x161/0x3a0\n  ? lock_release+0x20e/0x710\n  ? __pfx_submit_initial_group_read+0x10/0x10\n  ? __pfx_lock_release+0x10/0x10\n  scrub_simple_mirror.isra.0+0x3eb/0x580\n  scrub_stripe+0xe4d/0x1440\n  ? lock_release+0x20e/0x710\n  ? __pfx_scrub_stripe+0x10/0x10\n  ? __pfx_lock_release+0x10/0x10\n  ? do_raw_read_unlock+0x44/0x70\n  ? _raw_read_unlock+0x23/0x40\n  scrub_chunk+0x257/0x4a0\n  scrub_enumerate_chunks+0x64c/0xf70\n  ? __mutex_unlock_slowpath+0x147/0x5f0\n  ? __pfx_scrub_enumerate_chunks+0x10/0x10\n  ? bit_wait_timeout+0xb0/0x170\n  ? __up_read+0x189/0x700\n  ? scrub_workers_get+0x231/0x300\n  ? up_write+0x490/0x4f0\n  btrfs_scrub_dev+0x52e/0xcd0\n  ? create_pending_snapshots+0x230/0x250\n  ? __pfx_btrfs_scrub_dev+0x10/0x10\n  btrfs_dev_replace_by_ioctl+0xd69/0x1d00\n  ? lock_acquire+0x19d/0x4a0\n  ? __pfx_btrfs_dev_replace_by_ioctl+0x10/0x10\n  ?\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-48876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstackdepot: fix stack_depot_save_flags() in NMI context\n\nPer documentation, stack_depot_save_flags() was meant to be usable from\nNMI context if STACK_DEPOT_FLAG_CAN_ALLOC is unset.  However, it still\nwould try to take the pool_lock in an attempt to save a stack trace in the\ncurrent pool (if space is available).\n\nThis could result in deadlock if an NMI is handled while pool_lock is\nalready held.  To avoid deadlock, only try to take the lock in NMI context\nand give up if unsuccessful.\n\nThe documentation is fixed to clearly convey this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-48881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: revert replacing IS_ERR_OR_NULL with IS_ERR again\n\nCommit 028ddcac477b (\"bcache: Remove unnecessary NULL point check in\nnode allocations\") leads to a NULL pointer dereference in cache_set_flush().\n\n1721         if (!IS_ERR_OR_NULL(c->root))\n1722                 list_add(&c->root->list, &c->btree_cache);\n\nFrom the above code in cache_set_flush(), if previous registration code\nfails before allocating c->root, it is possible c->root is NULL as what\nit is initialized. __bch_btree_node_alloc() never returns NULL but\nc->root is possible to be NULL at above line 1721.\n\nThis patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-48881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-49568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg\n\nWhen receiving a proposal msg in the server, the fields v2_ext_offset/\neid_cnt/ism_gid_cnt in the proposal msg are from the remote client\nand cannot be fully trusted. Especially the field v2_ext_offset:\nonce it exceeds the max value, there is a chance to access a wrong\naddress, and a crash may happen.\n\nThis patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt\nbefore using them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-49569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-rdma: unquiesce admin_q before destroy it\n\nKernel will hang on destroy admin_q while we create ctrl failed, such\nas following calltrace:\n\nPID: 23644    TASK: ff2d52b40f439fc0  CPU: 2    COMMAND: \"nvme\"\n #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15\n #1 [ff61d23de260fc08] schedule at ffffffff8323c014\n #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1\n #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a\n #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006\n #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce\n #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced\n #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b\n #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362\n #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25\n    RIP: 00007fda7891d574  RSP: 00007ffe2ef06958  RFLAGS: 00000202\n    RAX: ffffffffffffffda  RBX: 000055e8122a4d90  RCX: 00007fda7891d574\n    RDX: 000000000000012b  RSI: 000055e8122a4d90  RDI: 0000000000000004\n    RBP: 00007ffe2ef079c0   R8: 000000000000012b   R9: 000055e8122a4d90\n    R10: 0000000000000000  R11: 0000000000000202  R12: 0000000000000004\n    R13: 000055e8122923c0  R14: 000000000000012b  R15: 00007fda78a54500\n    ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b\n\nThis is because we quiesced admin_q before cancelling requests, but forgot\nto unquiesce before destroying it; as a result we fail to drain the\npending requests, and hang in blk_mq_freeze_queue_wait() forever. Here we\ntry to reuse nvme_rdma_teardown_admin_queue() to fix this issue and\nsimplify the code.",
          "scorev2": "0.0",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-49570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/tracing: Fix a potential TP_printk UAF\n\nThe commit\nafd2627f727b (\"tracing: Check \"%s\" dereference via the field and not the TP_printk format\")\nexposes potential UAFs in the xe_bo_move trace event.\n\nFix those by avoiding dereferencing the\nxe_mem_type_to_name[] array at TP_printk time.\n\nSince some code refactoring has taken place, explicit backporting may\nbe needed for kernels older than 6.10.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-49571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg\n\nWhen receiving a proposal msg in the server, the field iparea_offset\nand the field ipv6_prefixes_cnt in the proposal msg are from the\nremote client and cannot be fully trusted. Especially the\nfield iparea_offset: once it exceeds the max value, there is a\nchance to access a wrong address, and a crash may happen.\n\nThis patch checks iparea_offset and ipv6_prefixes_cnt before using them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-49573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix NEXT_BUDDY\n\nAdam reports that enabling NEXT_BUDDY insta triggers a WARN in\npick_next_entity().\n\nMoving clear_buddies() up before the delayed dequeue bits ensures\nno ->next buddy becomes delayed. Further ensure no new ->next buddy\never starts as delayed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-49850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos\n\nIn case of a malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL\nreferencing a non-existing BTF type, function bpf_core_calc_relo_insn\nwould cause a null pointer dereference.\n\nFix this by adding a proper check higher up in the call stack, as malformed\nrelocation records could be passed from user space.\n\nSimplest reproducer is a program:\n\n    r0 = 0\n    exit\n\nWith a single relocation record:\n\n    .insn_off = 0,          /* patch first instruction */\n    .type_id = 100500,      /* this type id does not exist */\n    .access_str_off = 6,    /* offset of string \"0\" */\n    .kind = BPF_CORE_TYPE_ID_LOCAL,\n\nSee the link for original reproducer or next commit for a test case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Clean up TPM space after command failure\n\ntpm_dev_transmit prepares the TPM space before attempting command\ntransmission. However if the command fails no rollback of this\npreparation is done. This can result in transient handles being leaked\nif the device is subsequently closed with no further commands performed.\n\nFix this by flushing the space in the event of command transmission\nfailure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()\n\nThe kref_put() function will call nport->release if the refcount drops to\nzero.  The nport->release release function is _efc_nport_free() which frees\n\"nport\".  But then we dereference \"nport\" on the next line which is a use\nafter free.  Re-order these lines to avoid the use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in OPTEE transport\n\nChannels can be shared between protocols, avoid freeing the same channel\ndescriptors twice when unloading the stack.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for accessing waker_bfqq after splitting\n\nAfter commit 42c306ed7233 (\"block, bfq: don't break merge chain in\nbfq_split_bfqq()\"), if the current process is the last holder of bfqq,\nthe bfqq can be freed after bfq_split_bfqq(). Hence recording the bfqq and\nthen accessing bfqq->waker_bfqq may trigger a UAF. What's more, the waker_bfqq\nmay be in the merge chain of bfqq, hence just recording waker_bfqq is still\nnot safe.\n\nFix the problem by adding a helper bfq_waker_bfqq() to check if\nbfqq->waker_bfqq is in the merge chain, and the current process is the only\nholder.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49854"
        },
        {
          "id": "CVE-2024-49855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between timeout and normal completion\n\nIf a request timeout is handled by nbd_requeue_cmd(), normal completion\nhas to be stopped to avoid completing this requeued request; otherwise a\nuse-after-free can be triggered.\n\nFix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime\nmake sure that cmd->lock is grabbed for clearing the flag and the\nrequeue.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Fix deadlock in SGX NUMA node search\n\nWhen the current node doesn't have an EPC section configured by firmware\nand all other EPC sections are used up, CPU can get stuck inside the\nwhile loop that looks for an available EPC page from remote nodes\nindefinitely, leading to a soft lockup. Note how nid_of_current will\nnever be equal to nid in that while loop because nid_of_current is not\nset in sgx_numa_mask.\n\nAlso worth mentioning is that it's perfectly fine for the firmware not\nto setup an EPC section on a node. While setting up an EPC section on\neach node can enhance performance, it is not a requirement for\nfunctionality.\n\nRework the loop to start and end on *a* node that has SGX memory. This\navoids the deadlock looking for the current SGX-lacking node to show up\nin the loop when it never will.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: set the cipher for secured NDP ranging\n\nThe cipher pointer is not set, but is dereferenced trying to set its\ncontent, which leads to a NULL pointer dereference.\nFix it by pointing to the cipher parameter before dereferencing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefistub/tpm: Use ACPI reclaim memory for event log to avoid corruption\n\nThe TPM event log table is a Linux specific construct, where the data\nproduced by the GetEventLog() boot service is cached in memory, and\npassed on to the OS using an EFI configuration table.\n\nThe use of EFI_LOADER_DATA here results in the region being left\nunreserved in the E820 memory map constructed by the EFI stub, and this\nis the memory description that is passed on to the incoming kernel by\nkexec, which is therefore unaware that the region should be reserved.\n\nEven though the utility of the TPM2 event log after a kexec is\nquestionable, any corruption might send the parsing code off into the\nweeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY\ninstead, which is always treated as reserved by the E820 conversion\nlogic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to check atomic_file in f2fs ioctl interfaces\n\nSome f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),\nf2fs_move_file_range(), and f2fs_defragment_range() fail to\ncheck atomic_write status, which may cause a potential race issue;\nfix it.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: sysfs: validate return type of _STR method\n\nOnly buffer objects are valid return values of _STR.\n\nIf something else is returned description_show() will access invalid\nmemory.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix helper writes to read-only maps\n\nLonial found an issue that despite user- and BPF-side frozen BPF map\n(like in case of .rodata), it was still possible to write into it from\na BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}\nas arguments.\n\nIn check_func_arg() when the argument is as mentioned, the meta->raw_mode\nis never set. Later, check_helper_mem_access(), under the case of\nPTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the\nsubsequent call to check_map_access_type() and given the BPF map is\nread-only it succeeds.\n\nThe helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT\nwhen results are written into them as opposed to read out of them. The\nlatter indicates that it's okay to pass a pointer to uninitialized memory\nas the memory is written to anyway.\n\nHowever, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM\njust with additional alignment requirement. So it is better to just get\nrid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the\nfixed size memory types. For this, add MEM_ALIGNED to additionally ensure\nalignment given these helpers write directly into the args via *<ptr> = val.\nThe .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).\n\nMEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated\nargument types, since in !MEM_FIXED_SIZE cases the verifier does not know\nthe buffer size a priori and therefore cannot blindly write *<ptr> = val.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix off by one in get_rpi()\n\nThe rp->priv->rpi array is either rpi_msr or rpi_tpmi which have\nNR_RAPL_PRIMITIVES number of elements.  Thus the > needs to be >=\nto prevent an off by one access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/scsi: null-ptr-dereference in vhost_scsi_get_req()\n\nSince commit 3f8ca2e115e5 (\"vhost/scsi: Extract common handling code\nfrom control queue handler\") a null pointer dereference bug can be\ntriggered when guest sends an SCSI AN request.\n\nIn vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with\n`&v_req.tmf.lun[1]` within a switch-case block and is then passed to\nvhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for\na `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is\nset to NULL in this branch. Later, in vhost_scsi_get_req(),\n`vc->target` is dereferenced without being checked, leading to a null\npointer dereference bug. This bug can be triggered from guest.\n\nWhen this bug occurs, the vhost_worker process is killed while holding\n`vq->mutex` and the corresponding tpg will remain occupied\nindefinitely.\n\nBelow is the KASAN report:\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS\n1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vhost_scsi_get_req+0x165/0x3a0\nCode: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6\n04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00\nRSP: 0018:ffff888017affb50 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8\nRBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000\nFS:  000055556e076500(0000) 
GS:ffff88806b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n ? show_regs+0x86/0xa0\n ? die_addr+0x4b/0xd0\n ? exc_general_protection+0x163/0x260\n ? asm_exc_general_protection+0x27/0x30\n ? vhost_scsi_get_req+0x165/0x3a0\n vhost_scsi_ctl_handle_vq+0x2a4/0xca0\n ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10\n ? __switch_to+0x721/0xeb0\n ? __schedule+0xda5/0x5710\n ? __kasan_check_write+0x14/0x30\n ? _raw_spin_lock+0x82/0xf0\n vhost_scsi_ctl_handle_kick+0x52/0x90\n vhost_run_work_list+0x134/0x1b0\n vhost_task_fn+0x121/0x350\n...\n </TASK>\n---[ end trace 0000000000000000 ]---\n\nLet's add a check in vhost_scsi_get_req.\n\n[whitespace fixes]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix a race between socket set up and I/O thread creation\n\nIn rxrpc_open_socket(), it sets up the socket and then sets up the I/O\nthread that will handle it.  This is a problem, however, as there's a gap\nbetween the two phases in which a packet may come into rxrpc_encap_rcv()\nfrom the UDP packet but we oops when trying to wake the not-yet created I/O\nthread.\n\nAs a quick fix, just make rxrpc_encap_rcv() discard the packet if there's\nno I/O thread yet.\n\nA better, but more intrusive fix would perhaps be to rearrange things such\nthat the socket creation is done by the I/O thread.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xa_alloc to prevent UAF\n\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\n\nv2:\n - Rebase\n\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Fix a race during cpuhp processing\n\nThere is another found exception that the \"timerlat/1\" thread was\nscheduled on CPU0, and lead to timer corruption finally:\n\n```\nODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220\nWARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0\nModules linked in:\nCPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:debug_print_object+0x7d/0xb0\n...\nCall Trace:\n <TASK>\n ? __warn+0x7c/0x110\n ? debug_print_object+0x7d/0xb0\n ? report_bug+0xf1/0x1d0\n ? prb_read_valid+0x17/0x20\n ? handle_bug+0x3f/0x70\n ? exc_invalid_op+0x13/0x60\n ? asm_exc_invalid_op+0x16/0x20\n ? debug_print_object+0x7d/0xb0\n ? debug_print_object+0x7d/0xb0\n ? __pfx_timerlat_irq+0x10/0x10\n __debug_object_init+0x110/0x150\n hrtimer_init+0x1d/0x60\n timerlat_main+0xab/0x2d0\n ? __pfx_timerlat_main+0x10/0x10\n kthread+0xb7/0xe0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x40\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n```\n\nAfter tracing the scheduling event, it was discovered that the migration\nof the \"timerlat/1\" thread was performed during thread creation. Further\nanalysis confirmed that it is because the CPU online processing for\nosnoise is implemented through workers, which is asynchronous with the\noffline processing. 
When the worker was scheduled to create a thread, the\nCPU may has already been removed from the cpu_online_mask during the offline\nprocess, resulting in the inability to select the right CPU:\n\nT1                       | T2\n[CPUHP_ONLINE]           | cpu_device_down()\nosnoise_hotplug_workfn() |\n                         |     cpus_write_lock()\n                         |     takedown_cpu(1)\n                         |     cpus_write_unlock()\n[CPUHP_OFFLINE]          |\n    cpus_read_lock()     |\n    start_kthread(1)     |\n    cpus_read_unlock()   |\n\nTo fix this, skip online processing if the CPU is already offline.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\n\nDuring unmount, at close_ctree(), we have the following steps in this order:\n\n1) Park the cleaner kthread - this doesn't destroy the kthread, it basically\n   halts its execution (wake ups against it work but do nothing);\n\n2) We stop the cleaner kthread - this results in freeing the respective\n   struct task_struct;\n\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\n   the work queues and then free the work queues.\n\nSyzbot reported a case where a fixup worker resulted in a crash when doing\na delayed iput on its inode while attempting to wake up the cleaner at\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\nwas already freed. This can happen during unmount because we don't wait\nfor any fixup workers still running before we call kthread_stop() against\nthe cleaner kthread, which stops and free all its resources.\n\nFix this by waiting for any fixup workers at close_ctree() before we call\nkthread_stop() against the cleaner and run pending delayed iputs.\n\nThe stack traces reported by syzbot were the following:\n\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n  Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\n\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Workqueue: btrfs-fixup btrfs_work_helper\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:488\n   kasan_report+0x143/0x180 mm/kasan/report.c:601\n   __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n   
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n   try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\n   btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\n   btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\n   process_one_work kernel/workqueue.c:3229 [inline]\n   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n   kthread+0x2f0/0x390 kernel/kthread.c:389\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n   </TASK>\n\n  Allocated by task 2:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n   kasan_slab_alloc include/linux/kasan.h:247 [inline]\n   slab_post_alloc_hook mm/slub.c:4086 [inline]\n   slab_alloc_node mm/slub.c:4135 [inline]\n   kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\n   alloc_task_struct_node kernel/fork.c:180 [inline]\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2206\n   kernel_clone+0x223/0x880 kernel/fork.c:2787\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2849\n   create_kthread kernel/kthread.c:412 [inline]\n   kthreadd+0x60d/0x810 kernel/kthread.c:765\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n  Freed by task 61:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n   poison_slab_object mm/kasan/common.c:247 [inline]\n   __kasan_slab_free+0x59/0x70 
mm/kasan/common.c:264\n   kasan_slab_free include/linux/kasan.h:230 [inline]\n   slab_free_h\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a NULL pointer dereference when failed to start a new trasacntion\n\n[BUG]\nSyzbot reported a NULL pointer dereference with the following crash:\n\n  FAULT_INJECTION: forcing a failure.\n   start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676\n   prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642\n   relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678\n  ...\n  BTRFS info (device loop0): balance: ended with status: -12\n  Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]\n  RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926\n  Call Trace:\n   <TASK>\n   commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496\n   btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430\n   del_balance_item fs/btrfs/volumes.c:3678 [inline]\n   reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742\n   btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574\n   btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:907 [inline]\n   __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nThe allocation failure happens at the start_transaction() inside\nprepare_to_relocate(), and during the error handling we call\nunset_reloc_control(), which makes fs_info->balance_ctl to be NULL.\n\nThen we continue the error path cleanup in btrfs_balance() by calling\nreset_balance_state() which will call del_balance_item() to fully delete\nthe balance item in the root tree.\n\nHowever during the small window between set_reloc_contrl() and\nunset_reloc_control(), we can have a subvolume tree 
update and created a\nreloc_root for that subvolume.\n\nThen we go into the final btrfs_commit_transaction() of\ndel_balance_item(), and into btrfs_update_reloc_root() inside\ncommit_fs_roots().\n\nThat function checks if fs_info->reloc_ctl is in the merge_reloc_tree\nstage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer\ndereference.\n\n[FIX]\nJust add extra check on fs_info->reloc_ctl inside\nbtrfs_update_reloc_root(), before checking\nfs_info->reloc_ctl->merge_reloc_tree.\n\nThat DEAD_RELOC_TREE handling is to prevent further modification to the\nreloc tree during merge stage, but since there is no reloc_ctl at all,\nwe do not need to bother that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n  strcpy: detected buffer overflow: 20 byte write of buffer size 19\n  WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n  CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n  Hardware name: CompuLab Ltd.  sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n  RIP: 0010:__fortify_report+0x45/0x50\n  Code: 48 8b 34 (...)\n  RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n  RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n  RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n  RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n  R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n  R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n  FS:  00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n  Call Trace:\n   <TASK>\n   ? __warn+0x12a/0x1d0\n   ? __fortify_report+0x45/0x50\n   ? report_bug+0x154/0x1c0\n   ? handle_bug+0x42/0x70\n   ? exc_invalid_op+0x1a/0x50\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? 
__fortify_report+0x45/0x50\n   __fortify_panic+0x9/0x10\n  __get_cur_name_and_parent+0x3bc/0x3c0\n   get_cur_path+0x207/0x3b0\n   send_extent_data+0x709/0x10d0\n   ? find_parent_nodes+0x22df/0x25d0\n   ? mas_nomem+0x13/0x90\n   ? mtree_insert_range+0xa5/0x110\n   ? btrfs_lru_cache_store+0x5f/0x1e0\n   ? iterate_extent_inodes+0x52d/0x5a0\n   process_extent+0xa96/0x11a0\n   ? __pfx_lookup_backref_cache+0x10/0x10\n   ? __pfx_store_backref_cache+0x10/0x10\n   ? __pfx_iterate_backrefs+0x10/0x10\n   ? __pfx_check_extent_item+0x10/0x10\n   changed_cb+0x6fa/0x930\n   ? tree_advance+0x362/0x390\n   ? memcmp_extent_buffer+0xd7/0x160\n   send_subvol+0xf0a/0x1520\n   btrfs_ioctl_send+0x106b/0x11d0\n   ? __pfx___clone_root_cmp_sort+0x10/0x10\n   _btrfs_ioctl_send+0x1ac/0x240\n   btrfs_ioctl+0x75b/0x850\n   __se_sys_ioctl+0xca/0x150\n   do_syscall_64+0x85/0x160\n   ? __count_memcg_events+0x69/0x100\n   ? handle_mm_fault+0x1327/0x15c0\n   ? __se_sys_rt_sigprocmask+0xf1/0x180\n   ? syscall_exit_to_user_mode+0x75/0xa0\n   ? do_syscall_64+0x91/0x160\n   ? do_user_addr_fault+0x21d/0x630\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fae145eeb4f\n  Code: 00 48 89 (...)\n  RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n  RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n  RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n  R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n  R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n   </TASK>\n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n   https://github.com/KSPP/linux/issues/90",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix dentry leak in cachefiles_open_file()\n\nA dentry leak may be caused when a lookup cookie and a cull are concurrent:\n\n            P1             |             P2\n-----------------------------------------------------------\ncachefiles_lookup_cookie\n  cachefiles_look_up_object\n    lookup_one_positive_unlocked\n     // get dentry\n                            cachefiles_cull\n                              inode->i_flags |= S_KERNEL_FILE;\n    cachefiles_open_file\n      cachefiles_mark_inode_in_use\n        __cachefiles_mark_inode_in_use\n          can_use = false\n          if (!(inode->i_flags & S_KERNEL_FILE))\n            can_use = true\n\t  return false\n        return false\n        // Returns an error but doesn't put dentry\n\nAfter that the following WARNING will be triggered when the backend folder\nis umounted:\n\n==================================================================\nBUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img}  still in use (1) [unmount of ext4 sda]\nWARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70\nCPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25\nRIP: 0010:umount_check+0x5d/0x70\nCall Trace:\n <TASK>\n d_walk+0xda/0x2b0\n do_one_tree+0x20/0x40\n shrink_dcache_for_umount+0x2c/0x90\n generic_shutdown_super+0x20/0x160\n kill_block_super+0x1a/0x40\n ext4_kill_sb+0x22/0x40\n deactivate_locked_super+0x35/0x80\n cleanup_mnt+0x104/0x160\n==================================================================\n\nWhether cachefiles_open_file() returns true or false, the reference count\nobtained by lookup_positive_unlocked() in cachefiles_look_up_object()\nshould be released.\n\nTherefore release that reference count in cachefiles_look_up_object() to\nfix the above issue and simplify the code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: adp5589-keys - fix NULL pointer dereference\n\nWe register a devm action to call adp5589_clear_config() and then pass\nthe i2c client as argument so that we can call i2c_get_clientdata() in\norder to get our device object. However, i2c_set_clientdata() is only\nbeing set at the end of the probe function which means that we'll get a\nNULL pointer dereference in case the probe function fails early.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix memfd_pin_folios alloc race panic\n\nIf memfd_pin_folios tries to create a hugetlb page, but someone else\nalready did, then folio gets the value -EEXIST here:\n\n        folio = memfd_alloc_folio(memfd, start_idx);\n        if (IS_ERR(folio)) {\n                ret = PTR_ERR(folio);\n                if (ret != -EEXIST)\n                        goto err;\n\nthen on the next trip through the \"while start_idx\" loop we panic here:\n\n        if (folio) {\n                folio_put(folio);\n\nTo fix, set the folio to NULL on error.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: fix filemap_get_folios_contig THP panic\n\nPatch series \"memfd-pin huge page fixes\".\n\nFix multiple bugs that occur when using memfd_pin_folios with hugetlb\npages and THP.  The hugetlb bugs only bite when the page is not yet\nfaulted in when memfd_pin_folios is called.  The THP bug bites when the\nstarting offset passed to memfd_pin_folios is not huge page aligned.  See\nthe commit messages for details.\n\n\nThis patch (of 5):\n\nmemfd_pin_folios on memory backed by THP panics if the requested start\noffset is not huge page aligned:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000036\nRIP: 0010:filemap_get_folios_contig+0xdf/0x290\nRSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002\n\nThe fault occurs here, because xas_load returns a folio with value 2:\n\n    filemap_get_folios_contig()\n        for (folio = xas_load(&xas); folio && xas.xa_index <= end;\n                        folio = xas_next(&xas)) {\n                ...\n                if (!folio_try_get(folio))   <-- BOOM\n\n\"2\" is an xarray sibling entry.  We get it because memfd_pin_folios does\nnot round the indices passed to filemap_get_folios_contig to huge page\nboundaries for THP, so we load from the middle of a huge page range see a\nsibling.  (It does round for hugetlbfs, at the is_file_hugepages test).\n\nTo fix, if the folio is a sibling, then return the next index as the\nstarting point for the next call to filemap_get_folios_contig.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition\n\nIn the svc_i3c_master_probe function, &master->hj_work is bound with\nsvc_i3c_master_hj_work, &master->ibi_work is bound with\nsvc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the\nhj_work, svc_i3c_master_irq_handler can start the ibi_work.\n\nIf we remove the module which will call svc_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                         CPU1\n\n                                    | svc_i3c_master_hj_work\nsvc_i3c_master_remove               |\ni3c_master_unregister(&master->base)|\ndevice_unregister(&master->dev)     |\ndevice_release                      |\n//free master->base                 |\n                                    | i3c_master_do_daa(&master->base)\n                                    | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with the\ncleanup in svc_i3c_master_remove.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: map the EBADMSG to nfserr_io to avoid warning\n\nExt4 will throw -EBADMSG through ext4_readdir when a checksum error\noccurs, resulting in the following WARNING.\n\nFix it by mapping EBADMSG to nfserr_io.\n\nnfsd_buffered_readdir\n iterate_dir // -EBADMSG -74\n  ext4_readdir // .iterate_shared\n   ext4_dx_readdir\n    ext4_htree_fill_tree\n     htree_dirblock_to_tree\n      ext4_read_dirblock\n       __ext4_read_dirblock\n        ext4_dirblock_csum_verify\n         warn_no_space_for_csum\n          __warn_no_space_for_csum\n        return ERR_PTR(-EFSBADCRC) // -EBADMSG -74\n nfserrno // WARNING\n\n[  161.115610] ------------[ cut here ]------------\n[  161.116465] nfsd: non-standard errno: -74\n[  161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0\n[  161.118596] Modules linked in:\n[  161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138\n[  161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe\nmu.org 04/01/2014\n[  161.123601] RIP: 0010:nfserrno+0x9d/0xd0\n[  161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6\n 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33\n[  161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286\n[  161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[  161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a\n[  161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827\n[  161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021\n[  161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8\n[  161.135244] FS:  0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000\n[  161.136695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0\n[  161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  161.141519] PKRU: 55555554\n[  161.142076] Call Trace:\n[  161.142575]  ? __warn+0x9b/0x140\n[  161.143229]  ? nfserrno+0x9d/0xd0\n[  161.143872]  ? report_bug+0x125/0x150\n[  161.144595]  ? handle_bug+0x41/0x90\n[  161.145284]  ? exc_invalid_op+0x14/0x70\n[  161.146009]  ? asm_exc_invalid_op+0x12/0x20\n[  161.146816]  ? nfserrno+0x9d/0xd0\n[  161.147487]  nfsd_buffered_readdir+0x28b/0x2b0\n[  161.148333]  ? nfsd4_encode_dirent_fattr+0x380/0x380\n[  161.149258]  ? nfsd_buffered_filldir+0xf0/0xf0\n[  161.150093]  ? wait_for_concurrent_writes+0x170/0x170\n[  161.151004]  ? generic_file_llseek_size+0x48/0x160\n[  161.151895]  nfsd_readdir+0x132/0x190\n[  161.152606]  ? nfsd4_encode_dirent_fattr+0x380/0x380\n[  161.153516]  ? nfsd_unlink+0x380/0x380\n[  161.154256]  ? override_creds+0x45/0x60\n[  161.155006]  nfsd4_encode_readdir+0x21a/0x3d0\n[  161.155850]  ? nfsd4_encode_readlink+0x210/0x210\n[  161.156731]  ? write_bytes_to_xdr_buf+0x97/0xe0\n[  161.157598]  ? __write_bytes_to_xdr_buf+0xd0/0xd0\n[  161.158494]  ? lock_downgrade+0x90/0x90\n[  161.159232]  ? nfs4svc_decode_voidarg+0x10/0x10\n[  161.160092]  nfsd4_encode_operation+0x15a/0x440\n[  161.160959]  nfsd4_proc_compound+0x718/0xe90\n[  161.161818]  nfsd_dispatch+0x18e/0x2c0\n[  161.162586]  svc_process_common+0x786/0xc50\n[  161.163403]  ? nfsd_svc+0x380/0x380\n[  161.164137]  ? svc_printk+0x160/0x160\n[  161.164846]  ? svc_xprt_do_enqueue.part.0+0x365/0x380\n[  161.165808]  ? nfsd_svc+0x380/0x380\n[  161.166523]  ? rcu_is_watching+0x23/0x40\n[  161.167309]  svc_process+0x1a5/0x200\n[  161.168019]  nfsd+0x1f5/0x380\n[  161.168663]  ? nfsd_shutdown_threads+0x260/0x260\n[  161.169554]  kthread+0x1c4/0x210\n[  161.170224]  ? kthread_insert_work_sanity_check+0x80/0x80\n[  161.171246]  ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix UAF around queue destruction\n\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\n\nv2 (Matt B)\n - Looks much safer to use a waitqueue and then just wait for the\n   xa_array to become empty before triggering the drain.\n\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate\n\nWhen doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger\nNULL pointer dereference in the following ocfs2_set_buffer_uptodate() if\nbh is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nresource: fix region_intersects() vs add_memory_driver_managed()\n\nOn a system with CXL memory, the resource tree (/proc/iomem) related to\nCXL memory may look like something as follows.\n\n490000000-50fffffff : CXL Window 0\n  490000000-50fffffff : region0\n    490000000-50fffffff : dax0.0\n      490000000-50fffffff : System RAM (kmem)\n\nBecause drivers/dax/kmem.c calls add_memory_driver_managed() during\nonlining CXL memory, which makes \"System RAM (kmem)\" a descendant of \"CXL\nWindow X\".  This confuses region_intersects(), which expects all \"System\nRAM\" resources to be at the top level of iomem_resource.  This can lead to\nbugs.\n\nFor example, when the following command line is executed to write some\nmemory in CXL memory range via /dev/mem,\n\n $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1\n dd: error writing '/dev/mem': Bad address\n 1+0 records in\n 0+0 records out\n 0 bytes copied, 0.0283507 s, 0.0 kB/s\n\nthe command fails as expected.  However, the error code is wrong.  It\nshould be \"Operation not permitted\" instead of \"Bad address\".  More\nseriously, the /dev/mem permission checking in devmem_is_allowed() passes\nincorrectly.  Although the accessing is prevented later because ioremap()\nisn't allowed to map system RAM, it is a potential security issue.  During\ncommand executing, the following warning is reported in the kernel log for\ncalling ioremap() on system RAM.\n\n ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff\n WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d\n Call Trace:\n  memremap+0xcb/0x184\n  xlate_dev_mem_ptr+0x25/0x2f\n  write_mem+0x94/0xfb\n  vfs_write+0x128/0x26d\n  ksys_write+0xac/0xfe\n  do_syscall_64+0x9a/0xfd\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe details of command execution process are as follows.  In the above\nresource tree, \"System RAM\" is a descendant of \"CXL Window 0\" instead of a\ntop level resource.  So, region_intersects() will report no System RAM\nresources in the CXL memory region incorrectly, because it only checks the\ntop level resources.  Consequently, devmem_is_allowed() will return 1\n(allow access via /dev/mem) for CXL memory region incorrectly. \nFortunately, ioremap() doesn't allow to map System RAM and reject the\naccess.\n\nSo, region_intersects() needs to be fixed to work correctly with the\nresource tree with \"System RAM\" not at top level as above.  To fix it, if\nwe found a unmatched resource in the top level, we will continue to search\nmatched resources in its descendant resources.  So, we will not miss any\nmatched resources in resource tree anymore.\n\nIn the new implementation, an example resource tree\n\n|------------- \"CXL Window 0\" ------------|\n|-- \"System RAM\" --|\n\nwill behave similar as the following fake resource tree for\nregion_intersects(, IORESOURCE_SYSTEM_RAM, ),\n\n|-- \"System RAM\" --||-- \"CXL Window 0a\" --|\n\nWhere \"CXL Window 0a\" is part of the original \"CXL Window 0\" that\nisn't covered by \"System RAM\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: omapdrm: Add missing check for alloc_ordered_workqueue\n\nAs it may return NULL pointer and cause NULL pointer dereference. Add check\nfor the return value of alloc_ordered_workqueue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off by one issue in alloc_flex_gd()\n\nWesley reported an issue:\n\n==================================================================\nEXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks\n------------[ cut here ]------------\nkernel BUG at fs/ext4/resize.c:324!\nCPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27\nRIP: 0010:ext4_resize_fs+0x1212/0x12d0\nCall Trace:\n __ext4_ioctl+0x4e0/0x1800\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0x99/0xd0\n x64_sys_call+0x1206/0x20d0\n do_syscall_64+0x72/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nWhile reviewing the patch, Honza found that when adjusting resize_bg in\nalloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than\nflexbg_size.\n\nThe reproduction of the problem requires the following:\n\n o_group = flexbg_size * 2 * n;\n o_size = (o_group + 1) * group_size;\n n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)\n o_size = (n_group + 1) * group_size;\n\nTake n=0,flexbg_size=16 as an example:\n\n              last:15\n|o---------------|--------------n-|\no_group:0    resize to      n_group:30\n\nThe corresponding reproducer is:\n\nimg=test.img\nrm -f $img\ntruncate -s 600M $img\nmkfs.ext4 -F $img -b 1024 -G 16 8M\ndev=`losetup -f --show $img`\nmkdir -p /tmp/test\nmount $dev /tmp/test\nresize2fs $dev 248M\n\nDelete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()\nto prevent the issue from happening again.\n\n[ Note: another reproucer which this commit fixes is:\n\n  img=test.img\n  rm -f $img\n  truncate -s 25MiB $img\n  mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img\n  truncate -s 3GiB $img\n  dev=`losetup -f --show $img`\n  mkdir -p /tmp/test\n  mount $dev /tmp/test\n  resize2fs $dev 3G\n  umount $dev\n  losetup -d $dev\n\n  -- TYT ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: update orig_path in ext4_find_extent()\n\nIn ext4_find_extent(), if the path is not big enough, we free it and set\n*orig_path to NULL. But after reallocating and successfully initializing\nthe path, we don't update *orig_path, in which case the caller gets a\nvalid path but a NULL ppath, and this may cause a NULL pointer dereference\nor a path memory leak. For example:\n\next4_split_extent\n  path = *ppath = 2000\n  ext4_find_extent\n    if (depth > path[0].p_maxdepth)\n      kfree(path = 2000);\n      *orig_path = path = NULL;\n      path = kcalloc() = 3000\n  ext4_split_extent_at(*ppath = NULL)\n    path = *ppath;\n    ex = path[depth].p_ext;\n    // NULL pointer dereference!\n\n==================================================================\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nCPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847\nRIP: 0010:ext4_split_extent_at+0x6d/0x560\nCall Trace:\n <TASK>\n ext4_split_extent.isra.0+0xcb/0x1b0\n ext4_ext_convert_to_initialized+0x168/0x6c0\n ext4_ext_handle_unwritten_extents+0x325/0x4d0\n ext4_ext_map_blocks+0x520/0xdb0\n ext4_map_blocks+0x2b0/0x690\n ext4_iomap_begin+0x20e/0x2c0\n[...]\n==================================================================\n\nTherefore, *orig_path is updated when the extent lookup succeeds, so that\nthe caller can safely use path or *ppath.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double brelse() the buffer of the extents path\n\nIn ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been\nreleased, otherwise it may be released twice. An example of what triggers\nthis is as follows:\n\n  split2    map    split1\n|--------|-------|--------|\n\next4_ext_map_blocks\n ext4_ext_handle_unwritten_extents\n  ext4_split_convert_extents\n   // path->p_depth == 0\n   ext4_split_extent\n     // 1. do split1\n     ext4_split_extent_at\n       |ext4_ext_insert_extent\n       |  ext4_ext_create_new_leaf\n       |    ext4_ext_grow_indepth\n       |      le16_add_cpu(&neh->eh_depth, 1)\n       |    ext4_find_extent\n       |      // return -ENOMEM\n       |// get error and try zeroout\n       |path = ext4_find_extent\n       |  path->p_depth = 1\n       |ext4_ext_try_to_merge\n       |  ext4_ext_try_to_merge_up\n       |    path->p_depth = 0\n       |    brelse(path[1].p_bh)  ---> not set to NULL here\n       |// zeroout success\n     // 2. update path\n     ext4_find_extent\n     // 3. do split2\n     ext4_split_extent_at\n       ext4_ext_insert_extent\n         ext4_ext_create_new_leaf\n           ext4_ext_grow_indepth\n             le16_add_cpu(&neh->eh_depth, 1)\n           ext4_find_extent\n             path[0].p_bh = NULL;\n             path->p_depth = 1\n             read_extent_tree_block  ---> return err\n             // path[1].p_bh is still the old value\n             ext4_free_ext_path\n               ext4_ext_drop_refs\n                 // path->p_depth == 1\n                 brelse(path[1].p_bh)  ---> brelse a buffer twice\n\nFinally got the following WARRNING when removing the buffer from lru:\n\n============================================\nVFS: brelse: Trying to free free buffer\nWARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90\nCPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716\nRIP: 0010:__brelse+0x58/0x90\nCall Trace:\n <TASK>\n __find_get_block+0x6e7/0x810\n bdev_getblk+0x2b/0x480\n __ext4_get_inode_loc+0x48a/0x1240\n ext4_get_inode_loc+0xb2/0x150\n ext4_reserve_inode_write+0xb7/0x230\n __ext4_mark_inode_dirty+0x144/0x6a0\n ext4_ext_insert_extent+0x9c8/0x3230\n ext4_ext_map_blocks+0xf45/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n============================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: aovid use-after-free in ext4_ext_insert_extent()\n\nAs Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is\nreallocated in ext4_ext_create_new_leaf(), we'll use the stale path and\ncause UAF. Below is a sample trace with dummy values:\n\next4_ext_insert_extent\n  path = *ppath = 2000\n  ext4_ext_create_new_leaf(ppath)\n    ext4_find_extent(ppath)\n      path = *ppath = 2000\n      if (depth > path[0].p_maxdepth)\n            kfree(path = 2000);\n            *ppath = path = NULL;\n      path = kcalloc() = 3000\n      *ppath = 3000;\n      return path;\n  /* here path is still 2000, UAF! */\n  eh = path[depth].p_hdr\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330\nRead of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179\nCPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866\nCall Trace:\n <TASK>\n ext4_ext_insert_extent+0x26d4/0x3330\n ext4_ext_map_blocks+0xe22/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n[...]\n\nAllocated by task 179:\n ext4_find_extent+0x81c/0x1f70\n ext4_ext_map_blocks+0x146/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n ext4_writepages+0x26d/0x4e0\n do_writepages+0x175/0x700\n[...]\n\nFreed by task 179:\n kfree+0xcb/0x240\n ext4_find_extent+0x7c0/0x1f70\n ext4_ext_insert_extent+0xa26/0x3330\n ext4_ext_map_blocks+0xe22/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n ext4_writepages+0x26d/0x4e0\n do_writepages+0x175/0x700\n[...]\n==================================================================\n\nSo use *ppath to update the path to avoid the above problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-use-after-free in ext4_split_extent_at()\n\nWe hit the following use-after-free:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0\nRead of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40\nCPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n ext4_split_extent_at+0xba8/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nAllocated by task 40:\n __kmalloc_noprof+0x1ac/0x480\n ext4_find_extent+0xf3b/0x1e70\n ext4_ext_map_blocks+0x188/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nFreed by task 40:\n kfree+0xf1/0x2b0\n ext4_find_extent+0xa71/0x1e70\n ext4_ext_insert_extent+0xa22/0x3260\n ext4_split_extent_at+0x3ef/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\next4_split_extent_at\n  path = *ppath\n  ext4_ext_insert_extent(ppath)\n    ext4_ext_create_new_leaf(ppath)\n      ext4_find_extent(orig_path)\n        path = *orig_path\n        read_extent_tree_block\n          // return -ENOMEM or -EIO\n        ext4_free_ext_path(path)\n          kfree(path)\n        *orig_path = NULL\n  a. If err is -ENOMEM:\n  ext4_ext_dirty(path + path->p_depth)\n  // path use-after-free !!!\n  b. If err is -EIO and we have EXT_DEBUG defined:\n  ext4_ext_show_leaf(path)\n    eh = path[depth].p_hdr\n    // path also use-after-free !!!\n\nSo when trying to zeroout or fix the extent length, call ext4_find_extent()\nto update the path.\n\nIn addition we use *ppath directly as an ext4_ext_show_leaf() input to\navoid possible use-after-free when EXT_DEBUG is defined, and to avoid\nunnecessary path updates.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slub: avoid zeroing kmalloc redzone\n\nSince commit 946fa0dbf2d8 (\"mm/slub: extend redzone check to extra\nallocated kmalloc space than requested\"), setting orig_size treats\nthe wasted space (object_size - orig_size) as a redzone. However with\ninit_on_free=1 we clear the full object->size, including the redzone.\n\nAdditionally we clear the object metadata, including the stored orig_size,\nmaking it zero, which makes check_object() treat the whole object as a\nredzone.\n\nThese issues lead to the following BUG report with \"slub_debug=FUZ\ninit_on_free=1\":\n\n[    0.000000] =============================================================================\n[    0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten\n[    0.000000] -----------------------------------------------------------------------------\n[    0.000000]\n[    0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc\n[    0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc\n[    0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)\n[    0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8\n[    0.000000]\n[    0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........\n[    0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........\n[    0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........\n[    0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............\n[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144\n[    0.000000] Hardware name: NXP i.MX95 19X19 board (DT)\n[    0.000000] Call trace:\n[    0.000000]  dump_backtrace+0x90/0xe8\n[    0.000000]  show_stack+0x18/0x24\n[    0.000000]  dump_stack_lvl+0x74/0x8c\n[    0.000000]  dump_stack+0x18/0x24\n[    0.000000]  print_trailer+0x150/0x218\n[    0.000000]  check_object+0xe4/0x454\n[    0.000000]  free_to_partial_list+0x2f8/0x5ec\n\nTo address the issue, use orig_size to clear the used area. And restore\nthe value of orig_size after clear the remaining area.\n\nWhen CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns\ns->object_size. So when using memset to init the area, the size can simply\nbe orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not\nenabled. And orig_size can never be bigger than object_size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug\n\nAttaching SST PCI device to VM causes \"BUG: KASAN: slab-out-of-bounds\".\nkasan report:\n[   19.411889] ==================================================================\n[   19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[   19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113\n[   19.417368]\n[   19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G            E      6.9.0 #10\n[   19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022\n[   19.422687] Call Trace:\n[   19.424091]  <TASK>\n[   19.425448]  dump_stack_lvl+0x5d/0x80\n[   19.426963]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[   19.428694]  print_report+0x19d/0x52e\n[   19.430206]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[   19.431837]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[   19.433539]  kasan_report+0xf0/0x170\n[   19.435019]  ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[   19.436709]  _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[   19.438379]  ? __pfx_sched_clock_cpu+0x10/0x10\n[   19.439910]  isst_if_cpu_online+0x406/0x58f [isst_if_common]\n[   19.441573]  ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]\n[   19.443263]  ? ttwu_queue_wakelist+0x2c1/0x360\n[   19.444797]  cpuhp_invoke_callback+0x221/0xec0\n[   19.446337]  cpuhp_thread_fun+0x21b/0x610\n[   19.447814]  ? __pfx_cpuhp_thread_fun+0x10/0x10\n[   19.449354]  smpboot_thread_fn+0x2e7/0x6e0\n[   19.450859]  ? __pfx_smpboot_thread_fn+0x10/0x10\n[   19.452405]  kthread+0x29c/0x350\n[   19.453817]  ? __pfx_kthread+0x10/0x10\n[   19.455253]  ret_from_fork+0x31/0x70\n[   19.456685]  ? __pfx_kthread+0x10/0x10\n[   19.458114]  ret_from_fork_asm+0x1a/0x30\n[   19.459573]  </TASK>\n[   19.460853]\n[   19.462055] Allocated by task 1198:\n[   19.463410]  kasan_save_stack+0x30/0x50\n[   19.464788]  kasan_save_track+0x14/0x30\n[   19.466139]  __kasan_kmalloc+0xaa/0xb0\n[   19.467465]  __kmalloc+0x1cd/0x470\n[   19.468748]  isst_if_cdev_register+0x1da/0x350 [isst_if_common]\n[   19.470233]  isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]\n[   19.471670]  do_one_initcall+0xa4/0x380\n[   19.472903]  do_init_module+0x238/0x760\n[   19.474105]  load_module+0x5239/0x6f00\n[   19.475285]  init_module_from_file+0xd1/0x130\n[   19.476506]  idempotent_init_module+0x23b/0x650\n[   19.477725]  __x64_sys_finit_module+0xbe/0x130\n[   19.476506]  idempotent_init_module+0x23b/0x650\n[   19.477725]  __x64_sys_finit_module+0xbe/0x130\n[   19.478920]  do_syscall_64+0x82/0x160\n[   19.480036]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   19.481292]\n[   19.482205] The buggy address belongs to the object at ffff888829e65000\n which belongs to the cache kmalloc-512 of size 512\n[   19.484818] The buggy address is located 0 bytes to the right of\n allocated 512-byte region [ffff888829e65000, ffff888829e65200)\n[   19.487447]\n[   19.488328] The buggy address belongs to the physical page:\n[   19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60\n[   19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)\n[   19.493914] page_type: 0xffffffff()\n[   19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001\n[   19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000\n[   19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001\n[   19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000\n[   19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff\n[   19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000\n[   19.503784] page dumped because: k\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't panic system for no free segment fault injection\n\nf2fs: fix to don't panic system for no free segment fault injection\n\nsyzbot reports a f2fs bug as below:\n\nF2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167\nF2FS-fs (loop0): Stopped filesystem due to reason: 7\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2748!\nCPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]\nRIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836\nCall Trace:\n __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167\n f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]\n f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195\n f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799\n f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903\n vfs_fallocate+0x553/0x6c0 fs/open.c:334\n do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886\n __do_sys_ioctl fs/ioctl.c:905 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]\nRIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836\n\nThe root cause is when we inject no free segment fault into f2fs,\nwe should not panic system, fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a sdiv overflow issue\n\nZac Ecob reported a problem where a bpf program may cause kernel crash due\nto the following error:\n  Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI\n\nThe failure is due to the below signed divide:\n  LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808.\nLLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808,\nbut it is impossible since for 64-bit system, the maximum positive\nnumber is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will\ncause a kernel exception. On arm64, the result for LLONG_MIN/-1 is\nLLONG_MIN.\n\nFurther investigation found all the following sdiv/smod cases may trigger\nan exception when bpf program is running on x86_64 platform:\n  - LLONG_MIN/-1 for 64bit operation\n  - INT_MIN/-1 for 32bit operation\n  - LLONG_MIN%-1 for 64bit operation\n  - INT_MIN%-1 for 32bit operation\nwhere -1 can be an immediate or in a register.\n\nOn arm64, there are no exceptions:\n  - LLONG_MIN/-1 = LLONG_MIN\n  - INT_MIN/-1 = INT_MIN\n  - LLONG_MIN%-1 = 0\n  - INT_MIN%-1 = 0\nwhere -1 can be an immediate or in a register.\n\nInsn patching is needed to handle the above cases and the patched codes\nproduced results aligned with above arm64 result. The below are pseudo\ncodes to handle sdiv/smod exceptions including both divisor -1 and divisor 0\nand the divisor is stored in a register.\n\nsdiv:\n      tmp = rX\n      tmp += 1 /* [-1, 0] -> [0, 1]\n      if tmp >(unsigned) 1 goto L2\n      if tmp == 0 goto L1\n      rY = 0\n  L1:\n      rY = -rY;\n      goto L3\n  L2:\n      rY /= rX\n  L3:\n\nsmod:\n      tmp = rX\n      tmp += 1 /* [-1, 0] -> [0, 1]\n      if tmp >(unsigned) 1 goto L1\n      if tmp == 1 (is64 ? goto L2 : goto L3)\n      rY = 0;\n      goto L2\n  L1:\n      rY %= rX\n  L2:\n      goto L4  // only when !is64\n  L3:\n      wY = wY  // only when !is64\n  L4:\n\n  [1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid use-after-free in ext4_ext_show_leaf()\n\nIn ext4_find_extent(), path may be freed by error or be reallocated, so\nusing a previously saved *ppath may have been freed and thus may trigger\nuse-after-free, as follows:\n\next4_split_extent\n  path = *ppath;\n  ext4_split_extent_at(ppath)\n  path = ext4_find_extent(ppath)\n  ext4_split_extent_at(ppath)\n    // ext4_find_extent fails to free path\n    // but zeroout succeeds\n  ext4_ext_show_leaf(inode, path)\n    eh = path[depth].p_hdr\n    // path use-after-free !!!\n\nSimilar to ext4_split_extent_at(), we use *ppath directly as an input to\next4_ext_show_leaf(). Fix a spelling error by the way.\n\nSame problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only\nused in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.\n\nThis issue is triggered only when EXT_DEBUG is defined and therefore does\nnot affect functionality.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: ensure the fw_info is not null before using it\n\nThis resolves the dereference null return value warning\nreported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths\n\nWhen the HBA is undergoing a reset or is handling an errata event, NULL ptr\ndereference crashes may occur in routines such as\nlpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or\nlpfc_abort_handler().\n\nAdd NULL ptr checks before dereferencing hdwq pointers that may have been\nfreed due to operations colliding with a reset or errata event handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Initialize get_bytes_per_element's default to 1\n\nVariables, used as denominators and maybe not assigned to other values,\nshould not be 0. bytes_per_element_y & bytes_per_element_c are\ninitialized by get_bytes_per_element() which should never return 0.\n\nThis fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check stream_status before it is used\n\n[WHAT & HOW]\ndc_state_get_stream_status can return null, and therefore null must be\nchecked before stream_status is used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in degamma hardware format translation\n\nFixes index out of bounds issue in\n`cm_helper_translate_curve_to_degamma_hw_format` function. The issue\ncould occur when the index 'i' exceeds the number of transfer function\npoints (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds the function returns\nfalse to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation\n\nThis commit addresses a potential index out of bounds issue in the\n`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30\ncolor  management module. The issue could occur when the index 'i'\nexceeds the  number of transfer function points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, the function returns\nfalse to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check stream before comparing them\n\n[WHAT & HOW]\namdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is\nnecessary to check for null before dereferencing them.\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check phantom_stream before it is used\n\ndcn32_enable_phantom_stream can return null, so returned value\nmust be checked before used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null-initialized variables\n\n[WHAT & HOW]\ndrr_timing and subvp_pipe are initialized to null and they are not\nalways assigned new values. It is necessary to check for null before\ndereferencing.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Initialize denominators' default to 1\n\n[WHAT & HOW]\nVariables used as denominators and maybe not assigned to other values,\nshould not be 0. Change their default to 1 so they are never 0.\n\nThis fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of new_ea in ea_buffer\n\nsyzbot reports that lzo1x_1_do_compress is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178\n\n...\n\nUninit was stored to memory at:\n ea_put fs/jfs/xattr.c:639 [inline]\n\n...\n\nLocal variable ea_buf created at:\n __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662\n __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934\n\n=====================================================\n\nThe reason is ea_buf->new_ea is not initialized properly.\n\nFix this by using memset to empty its content at the beginning\nin ea_get().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs\n\nThere are some cases, such as the one uncovered by Commit 46d4efcccc68\n(\"drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails\")\nwhere\n\nmsm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);\n\nis called on gpu->pdev == NULL, as the GPU device has not been fully\ninitialized yet.\n\nTurns out that there's more than just the aforementioned path that\ncauses this to happen (e.g. the case when there's speedbin data in the\ncatalog, but opp-supported-hw is missing in DT).\n\nAssigning msm_gpu->pdev earlier seems like the least painful solution\nto this, therefore do so.\n\nPatchwork: https://patchwork.freedesktop.org/patch/602742/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: check if leafidx greater than num leaves per dmap tree\n\nsyzbot reports an out of bounds in dbSplit; it is because dmt_leafidx is greater\nthan num leaves per dmap tree. Add a check for dmt_leafidx in dbFindLeaf.\n\nShaggy:\nModified sanity check to apply to control pages as well as leaf pages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uaf in dbFreeBits\n\n[syzbot reported]\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\nRead of size 8 at addr ffff8880229254b0 by task syz-executor357/5216\n\nCPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n __mutex_lock_common kernel/locking/mutex.c:587 [inline]\n __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\n dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390\n dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]\n dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409\n dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650\n jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100\n jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n\nFreed by task 5218:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2252 [inline]\n slab_free mm/slub.c:4473 [inline]\n kfree+0x149/0x360 mm/slub.c:4594\n dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278\n jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454\n reconfigure_super+0x445/0x880 fs/super.c:1083\n vfs_cmd_reconfigure fs/fsopen.c:263 [inline]\n vfs_fsconfig_locked fs/fsopen.c:292 [inline]\n __do_sys_fsconfig fs/fsopen.c:473 [inline]\n __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[Analysis]\nThere are two paths (dbUnmount and jfs_ioc_trim) that generate race\ncondition when accessing bmap, which leads to the occurrence of uaf.\n\nUse the lock s_umount to synchronize them, in order to avoid uaf caused\nby race condition.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add list empty check to avoid null pointer issue\n\nAdd list empty check to avoid null pointer issues in some corner cases.\n- list_for_each_entry_safe()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nChanges since v1:\n- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointer before try to access it\n\n[why & how]\nChange the order of the pipe_ctx->plane_state check to ensure that\nplane_state is not null before accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before using dc->clk_mgr\n\n[WHY & HOW]\ndc->clk_mgr is null checked previously in the same function, indicating\nit might be null.\n\nPassing \"dc\" to \"dc->hwss.apply_idle_power_optimizations\", which\ndereferences null \"dc->clk_mgr\". (The function pointer resolves to\n\"dcn35_apply_idle_power_optimizations\".)\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be\nnull at line 8388, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nChanges since v1:\n- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor()\n\terror: we previously assumed 'afb' could be null (see line 8388)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn32_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for null, but then it was being\ndereferenced without any null check. This could lead to a null pointer\ndereference if set_output_gamma is null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a null check for set_output_gamma\nbefore the call to set_output_gamma.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn401_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for null, but then it was being\ndereferenced without any null check. This could lead to a null pointer\ndereference if set_output_gamma is null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a null check for set_output_gamma\nbefore the call to set_output_gamma.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn20_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for null at line 1030, but then it\nwas being dereferenced without any null check at line 1048. This could\npotentially lead to a null pointer dereference error if set_output_gamma\nis null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a null check for set_output_gamma\nbefore the call to set_output_gamma at line 1048.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'\n\nThis commit adds a null check for 'stream_status' in the function\n'planes_changed_for_existing_stream'. Previously, the code assumed\n'stream_status' could be null, but did not handle the case where it was\nactually null. This could lead to a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream\n\nThis commit addresses a null pointer dereference issue in the\n`commit_planes_for_stream` function at line 4140. The issue could occur\nwhen `top_pipe_to_program` is null.\n\nThe fix adds a check to ensure `top_pipe_to_program` is not null before\naccessing its stream_res. This prevents a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe\n\nThis commit addresses a null pointer dereference issue in the\n`dcn20_program_pipe` function. The issue could occur when\n`pipe_ctx->plane_state` is null.\n\nThe fix adds a check to ensure `pipe_ctx->plane_state` is not null\nbefore accessing. This prevents a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is\nnull.\n\nThe fix adds a check to ensure `dc->clk_mgr` is not null before\naccessing its functions. This prevents a potential null pointer\ndereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn401_init_hw` function. The issue could occur when `dc->clk_mgr` or\n`dc->clk_mgr->funcs` is null.\n\nThe fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is\nnot null before accessing its functions. This prevents a potential null\npointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn401/dcn401_hwseq.c:416 dcn401_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 225)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or\n`dc->clk_mgr->funcs` is null.\n\nThe fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is\nnot null before accessing its functions. This prevents a potential null\npointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue\ncould occur when `head_pipe` is null.\n\nThe fix adds a check to ensure `head_pipe` is not null before asserting\nit. If `head_pipe` is null, the function returns NULL to prevent a\npotential null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn201_acquire_free_pipe_for_layer` function. The issue could occur\nwhen `head_pipe` is null.\n\nThe fix adds a check to ensure `head_pipe` is not null before asserting\nit. If `head_pipe` is null, the function returns NULL to prevent a\npotential null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before multiple uses\n\n[WHAT & HOW]\nPointers, such as stream_enc and dc->bw_vbios, are null checked previously\nin the same function, so Coverity warns \"implies that stream_enc and\ndc->bw_vbios might be null\". They are used multiple times in the\nsubsequent code and need to be checked.\n\nThis fixes 10 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before used\n\n[WHAT & HOW]\nPointers, such as dc->clk_mgr, are null checked previously in the same\nfunction, so Coverity warns \"implies that \"dc->clk_mgr\" might be null\".\nAs a result, these pointers need to be checked when used again.\n\nThis fixes 10 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before using them\n\n[WHAT & HOW]\nThese pointers are null checked previously in the same function,\nindicating they might be null as reported by Coverity. As a result,\nthey need to be checked when used again.\n\nThis fixes 3 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags\n\n[WHAT & HOW]\n\"dcn20_validate_apply_pipe_split_flags\" dereferences merge, and thus it\ncannot be a null pointer. Let's pass a valid pointer to avoid null\ndereference.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which &fbi->task is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the &pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi->fb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0                                                CPU1\n\n                                   | pxafb_task\npxafb_remove                       |\nunregister_framebuffer(info)       |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info)               |\n// free fbi->fb                    | set_ctrlr_state(fbi, state)\n                                   | __pxafb_lcd_power(fbi, 0)\n                                   | fbi->lcd_power(on, &fbi->fb.var)\n                                   | //use fbi->fb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: efifb: Register sysfs groups through driver core\n\nThe driver core can register and cleanup sysfs groups already.\nMake use of that functionality to simplify the error handling and\ncleanup.\n\nAlso avoid a UAF race during unregistering where the sysctl attributes\nwere usable after the info struct was freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()\n\nFor kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is\ndefined as NR_CPUS instead of the number of possible cpus, this\nwill cause the following system panic:\n\nsmpboot: Allowing 4 CPUs, 0 hotplug CPUs\n...\nsetup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1\n...\nBUG: unable to handle page fault for address: ffffffff9911c8c8\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W\n6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6\nRIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0\nRSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082\nCR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? __die+0x23/0x80\n? page_fault_oops+0xa4/0x180\n? exc_page_fault+0x152/0x180\n? asm_exc_page_fault+0x26/0x40\n? rcu_tasks_need_gpcb+0x25d/0x2c0\n? __pfx_rcu_tasks_kthread+0x40/0x40\nrcu_tasks_one_gp+0x69/0x180\nrcu_tasks_kthread+0x94/0xc0\nkthread+0xe8/0x140\n? __pfx_kthread+0x40/0x40\nret_from_fork+0x34/0x80\n? __pfx_kthread+0x40/0x40\nret_from_fork_asm+0x1b/0x80\n</TASK>\n\nConsidering that there may be holes in the CPU numbers, use the\nmaximum possible cpu number, instead of nr_cpu_ids, for configuring\nenqueue and dequeue limits.\n\n[ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/ioapic: Handle allocation failures gracefully\n\nBreno observed panics when using failslab under certain conditions during\nruntime:\n\n   can not alloc irq_pin_list (-1,0,20)\n   Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed\n\n   panic+0x4e9/0x590\n   mp_irqdomain_alloc+0x9ab/0xa80\n   irq_domain_alloc_irqs_locked+0x25d/0x8d0\n   __irq_domain_alloc_irqs+0x80/0x110\n   mp_map_pin_to_irq+0x645/0x890\n   acpi_register_gsi_ioapic+0xe6/0x150\n   hpet_open+0x313/0x480\n\nThat's a pointless panic which is a leftover of the historic IO/APIC code\nwhich panic'ed during early boot when the interrupt allocation failed.\n\nThe only place which might justify panic is the PIT/HPET timer_check() code\nwhich tries to figure out whether the timer interrupt is delivered through\nthe IO/APIC. But that code does not require to handle interrupt allocation\nfailures. If the interrupt cannot be allocated then timer delivery fails\nand it either panics due to that or falls back to legacy mode.\n\nCure this by removing the panic wrapper around __add_pin_to_irq_node() and\nmaking mp_irqdomain_alloc() aware of the failure condition and handle it as\nany other failure in this function gracefully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid reading out of bounds when loading TX power FW elements\n\nBecause the loop-expression will do one more time before getting false from\ncond-expression, the original code copied one more entry size beyond valid\nregion.\n\nFix it by moving the entry copy to loop-body.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: avoid NULL pointer dereference\n\niwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta\npointer is not NULL.\nIt retrieves this pointer using iwl_mvm_sta_from_mac80211, which is\ndereferencing the ieee80211_sta pointer.\nIf sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL\npointer.\nFix this by checking the sta pointer before retrieving the mvmsta\nfrom it. If sta is not NULL, then mvmsta isn't either.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix array out-of-bound access in SoC stats\n\nCurrently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a\nmaximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()\nfunction accesses ath11k_soc_dp_stats::hal_reo_error using the REO\ndestination SRNG ring ID, which is incorrect. SRNG ring ID differs from\nnormal ring ID, and this usage leads to out-of-bounds array access. To fix\nthis issue, modify ath11k_dp_process_rx() to use the normal ring ID\ndirectly instead of the SRNG ring ID to avoid out-of-bounds array access.\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix array out-of-bound access in SoC stats\n\nCurrently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a\nmaximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()\nfunction accesses ath12k_soc_dp_stats::hal_reo_error using the REO\ndestination SRNG ring ID, which is incorrect. SRNG ring ID differs from\nnormal ring ID, and this usage leads to out-of-bounds array access. To\nfix this issue, modify ath12k_dp_rx_process() to use the normal ring ID\ndirectly instead of the SRNG ring ID to avoid out-of-bounds array access.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't readahead the relocation inode on RST\n\nOn relocation we're doing readahead on the relocation inode, but if the\nfilesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to\npreallocated extents not being mapped in the RST) from the lookup.\n\nBut readahead doesn't handle the error and submits invalid reads to the\ndevice, causing an assertion in the scatter-gather list code:\n\n  BTRFS info (device nvme1n1): balance: start -d -m -s\n  BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0\n  BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0\n  ------------[ cut here ]------------\n  kernel BUG at include/linux/scatterlist.h:115!\n  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567\n  RIP: 0010:__blk_rq_map_sg+0x339/0x4a0\n  RSP: 0018:ffffc90001a43820 EFLAGS: 00010202\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802\n  RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000\n  RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8\n  R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000\n  FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0\n  Call Trace:\n   <TASK>\n   ? __die_body.cold+0x14/0x25\n   ? die+0x2e/0x50\n   ? do_trap+0xca/0x110\n   ? do_error_trap+0x65/0x80\n   ? __blk_rq_map_sg+0x339/0x4a0\n   ? exc_invalid_op+0x50/0x70\n   ? __blk_rq_map_sg+0x339/0x4a0\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? __blk_rq_map_sg+0x339/0x4a0\n   nvme_prep_rq.part.0+0x9d/0x770\n   nvme_queue_rq+0x7d/0x1e0\n   __blk_mq_issue_directly+0x2a/0x90\n   ? blk_mq_get_budget_and_tag+0x61/0x90\n   blk_mq_try_issue_list_directly+0x56/0xf0\n   blk_mq_flush_plug_list.part.0+0x52b/0x5d0\n   __blk_flush_plug+0xc6/0x110\n   blk_finish_plug+0x28/0x40\n   read_pages+0x160/0x1c0\n   page_cache_ra_unbounded+0x109/0x180\n   relocate_file_extent_cluster+0x611/0x6a0\n   ? btrfs_search_slot+0xba4/0xd20\n   ? balance_dirty_pages_ratelimited_flags+0x26/0xb00\n   relocate_data_extent.constprop.0+0x134/0x160\n   relocate_block_group+0x3f2/0x500\n   btrfs_relocate_block_group+0x250/0x430\n   btrfs_relocate_chunk+0x3f/0x130\n   btrfs_balance+0x71b/0xef0\n   ? kmalloc_trace_noprof+0x13b/0x280\n   btrfs_ioctl+0x2c2e/0x3030\n   ? kvfree_call_rcu+0x1e6/0x340\n   ? list_lru_add_obj+0x66/0x80\n   ? mntput_no_expire+0x3a/0x220\n   __x64_sys_ioctl+0x96/0xc0\n   do_syscall_64+0x54/0x110\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fcc04514f9b\n  Code: Unable to access opcode bytes at 0x7fcc04514f71.\n  RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b\n  RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003\n  RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001\n  R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5\n  R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0\n   </TASK>\n  Modules linked in:\n  ---[ end trace 0000000000000000 ]---\n  RIP: 0010:__blk_rq_map_sg+0x339/0x4a0\n  RSP: 0018:ffffc90001a43820 EFLAGS: 00010202\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802\n  RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000\n  RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8\n  R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000\n  FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0\n  Kernel p\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk_iocost: fix more out of bound shifts\n\nRecently running UBSAN caught few out of bound shifts in the\nioc_forgive_debts() function:\n\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38\nshift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long\nlong')\n...\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30\nshift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long\nlong')\n...\nCall Trace:\n<IRQ>\ndump_stack_lvl+0xca/0x130\n__ubsan_handle_shift_out_of_bounds+0x22c/0x280\n? __lock_acquire+0x6441/0x7c10\nioc_timer_fn+0x6cec/0x7750\n? blk_iocost_init+0x720/0x720\n? call_timer_fn+0x5d/0x470\ncall_timer_fn+0xfa/0x470\n? blk_iocost_init+0x720/0x720\n__run_timer_base+0x519/0x700\n...\n\nActual impact of this issue was not identified but I propose to fix the\nundefined behaviour.\nThe proposed fix to prevent those out of bound shifts consist of\nprecalculating exponent before using it the shift operations by taking\nmin value from the actual exponent and maximum possible number of bits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name\n\nIt's observed that a crash occurs during hot-remove a memory device,\nin which user is accessing the hugetlb. See calltrace as following:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790\nModules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s\nmirror dm_region_hash dm_log dm_mod\nCPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:do_user_addr_fault+0x2a0/0x790\nCode: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41\nRSP: 0000:ffffc90000a575f0 EFLAGS: 00010046\nRAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658\nR13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000\nFS:  00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn+0x8d/0x190\n ? do_user_addr_fault+0x2a0/0x790\n ? report_bug+0x1c3/0x1d0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? do_user_addr_fault+0x2a0/0x790\n ? exc_page_fault+0x31/0x200\n exc_page_fault+0x68/0x200\n<...snip...>\nBUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n ---[ end trace 0000000000000000 ]---\n BUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G        W          6.10.0-rc2-lizhijian+ #492\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:dentry_name+0x1f4/0x440\n<...snip...>\n? dentry_name+0x2fa/0x440\nvsnprintf+0x1f3/0x4f0\nvprintk_store+0x23a/0x540\nvprintk_emit+0x6d/0x330\n_printk+0x58/0x80\ndump_mapping+0x10b/0x1a0\n? __pfx_free_object_rcu+0x10/0x10\n__dump_page+0x26b/0x3e0\n? vprintk_emit+0xe0/0x330\n? _printk+0x58/0x80\n? dump_page+0x17/0x50\ndump_page+0x17/0x50\ndo_migrate_range+0x2f7/0x7f0\n? do_migrate_range+0x42/0x7f0\n? offline_pages+0x2f4/0x8c0\noffline_pages+0x60a/0x8c0\nmemory_subsys_offline+0x9f/0x1c0\n? lockdep_hardirqs_on+0x77/0x100\n? _raw_spin_unlock_irqrestore+0x38/0x60\ndevice_offline+0xe3/0x110\nstate_store+0x6e/0xc0\nkernfs_fop_write_iter+0x143/0x200\nvfs_write+0x39f/0x560\nksys_write+0x65/0xf0\ndo_syscall_64+0x62/0x130\n\nPreviously, some sanity check have been done in dump_mapping() before\nthe print facility parsing '%pd' though, it's still possible to run into\nan invalid dentry.d_name.name.\n\nSince dump_mapping() only needs to dump the filename only, retrieve it\nby itself in a safer way to prevent an unnecessary crash.\n\nNote that either retrieving the filename with '%pd' or\nstrncpy_from_kernel_nofault(), the filename could be unreliable.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PAD: fix crash in exit_round_robin()\n\nThe kernel occasionally crashes in cpumask_clear_cpu(), which is called\nwithin exit_round_robin(), because when executing clear_bit(nr, addr) with\nnr set to 0xffffffff, the address calculation may cause misalignment within\nthe memory, leading to access to an invalid memory address.\n\n----------\nBUG: unable to handle kernel paging request at ffffffffe0740618\n        ...\nCPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G           OE  X --------- -  - 4.18.0-425.19.2.el8_7.x86_64 #1\n        ...\nRIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]\nCode: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31\nRSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202\nRAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\nRBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e\nR13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e\nFS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n ? acpi_pad_add+0x120/0x120 [acpi_pad]\n kthread+0x10b/0x130\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x1f/0x40\n        ...\nCR2: ffffffffe0740618\n\ncrash> dis -lr ffffffffc0726923\n        ...\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114\n0xffffffffc0726918 <power_saving_thread+776>:\tmov    %r12d,%r12d\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325\n0xffffffffc072691b <power_saving_thread+779>:\tmov    -0x3f8d7de0(,%r12,4),%eax\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80\n0xffffffffc0726923 <power_saving_thread+787>:\tlock btr %rax,0x19cf4(%rip)        # 0xffffffffc0740620 <pad_busy_cpus_bits>\n\ncrash> px tsk_in_cpu[14]\n$66 = 0xffffffff\n\ncrash> px 0xffffffffc072692c+0x19cf4\n$99 = 0xffffffffc0740620\n\ncrash> sym 0xffffffffc0740620\nffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]\n\ncrash> px pad_busy_cpus_bits[0]\n$42 = 0xfffc0\n----------\n\nTo fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling\ncpumask_clear_cpu() in exit_round_robin(), just as it is done in\nround_robin_cpu().\n\n[ rjw: Subject edit, avoid updates to the same value ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/xen-netback: prevent UAF in xenvif_flush_hash()\n\nDuring the list_for_each_entry_rcu iteration call of xenvif_flush_hash,\nkfree_rcu does not exist inside the rcu read critical section, so if\nkfree_rcu is called when the rcu grace period ends during the iteration,\nUAF occurs when accessing head->next after the entry becomes free.\n\nTherefore, to solve this, you need to change it to list_for_each_entry_safe.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Set correct chandef when starting CAC\n\nWhen starting CAC in a mode other than AP mode, it return a\n\"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\"\ncaused by the chandef.chan being null at the end of CAC.\n\nSolution: Ensure the channel definition is set for the different modes\nwhen starting CAC to avoid getting a NULL 'chan' at the end of CAC.\n\n Call Trace:\n  ? show_regs.part.0+0x14/0x16\n  ? __warn+0x67/0xc0\n  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n  ? report_bug+0xa7/0x130\n  ? exc_overflow+0x30/0x30\n  ? handle_bug+0x27/0x50\n  ? exc_invalid_op+0x18/0x60\n  ? handle_exception+0xf6/0xf6\n  ? exc_overflow+0x30/0x30\n  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n  ? exc_overflow+0x30/0x30\n  ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n  ? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]\n  ? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]\n  ? process_one_work+0x165/0x280\n  ? worker_thread+0x120/0x3f0\n  ? kthread+0xc2/0xf0\n  ? process_one_work+0x280/0x280\n  ? kthread_complete_and_exit+0x20/0x20\n  ? ret_from_fork+0x19/0x24\n\n[shorten subject, remove OCB, reorder cases to match previous list]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit\n\nSyzbot points out that skb_trim() has a sanity check on the existing length of\nthe skb, which can be uninitialised in some error paths. The intent here is\nclearly just to reset the length to zero before resubmitting, so switch to\ncalling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()\nalready contains a call to skb_reset_tail_pointer(), so remove the redundant\ncall.\n\nThe syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar\nusage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to add interface to list twice when SER\n\nIf SER L2 occurs during the WoWLAN resume flow, the add interface flow\nis triggered by ieee80211_reconfig(). However, due to\nrtw89_wow_resume() return failure, it will cause the add interface flow\nto be executed again, resulting in a double add list and causing a kernel\npanic. Therefore, we have added a check to prevent double adding of the\nlist.\n\nlist_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:37!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G        W  O       6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7\nHardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021\nWorkqueue: events_freezable ieee80211_restart_work [mac80211]\nRIP: 0010:__list_add_valid_or_report+0x5e/0xb0\nCode: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12\nRSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246\nRAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900\nRDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0\nR10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060\nR13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010\nFS:  0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0\nCall Trace:\n <TASK>\n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? __list_add_valid_or_report+0x5e/0xb0\n ? do_error_trap+0x6d/0x90\n ? 
__list_add_valid_or_report+0x5e/0xb0\n ? handle_invalid_op+0x30/0x40\n ? __list_add_valid_or_report+0x5e/0xb0\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? __list_add_valid_or_report+0x5e/0xb0\n rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]\n drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n ? finish_wait+0x3e/0x90\n ? synchronize_rcu_expedited+0x174/0x260\n ? sync_rcu_exp_done_unlocked+0x50/0x50\n ? wake_bit_function+0x40/0x40\n ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n process_scheduled_works+0x1e5/0x480\n worker_thread+0xea/0x1e0\n kthread+0xdb/0x110\n ? move_linked_works+0x90/0x90\n ? kthread_associate_blkcg+0xa0/0xa0\n ret_from_fork+0x3b/0x50\n ? kthread_associate_blkcg+0xa0/0xa0\n ret_from_fork_asm+0x11/0x20\n </TASK>\nModules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev\ngsmi: Log Shutdown Reason 0x03\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: prevent possible tunnel refcount underflow\n\nWhen a session is created, it sets a backpointer to its tunnel. When\nthe session refcount drops to 0, l2tp_session_free drops the tunnel\nrefcount if session->tunnel is non-NULL. However, session->tunnel is\nset in l2tp_session_create, before the tunnel refcount is incremented\nby l2tp_session_register, which leaves a small window where\nsession->tunnel is non-NULL when the tunnel refcount hasn't been\nbumped.\n\nMoving the assignment to l2tp_session_register is trivial but\nl2tp_session_create calls l2tp_session_set_header_len which uses\nsession->tunnel to get the tunnel's encap. Add an encap arg to\nl2tp_session_set_header_len to avoid using session->tunnel.\n\nIf l2tpv3 sessions have colliding IDs, it is possible for\nl2tp_v3_session_get to race with l2tp_session_register and fetch a\nsession which doesn't yet have session->tunnel set. Add a check for\nthis case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: Fix potential NULL pointer dereference in gpiod_get_label()\n\nIn `gpiod_get_label()`, it is possible that `srcu_dereference_check()` may\nreturn a NULL pointer, leading to a scenario where `label->str` is accessed\nwithout verifying if `label` itself is NULL.\n\nThis patch adds a proper NULL check for `label` before accessing\n`label->str`. The check for `label->str != NULL` is removed because\n`label->str` can never be NULL if `label` is not NULL.\n\nThis fixes the issue where the label name was being printed as `(efault)`\nwhen dumping the sysfs GPIO file when `label == NULL`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Prevent null pointer access in xe_migrate_copy\n\nxe_migrate_copy designed to copy content of TTM resources. When source\nresource is null, it will trigger a NULL pointer dereference in\nxe_migrate_copy. To avoid this situation, update lacks source flag to\ntrue for this case, the flag will trigger xe_migrate_clear rather than\nxe_migrate_copy.\n\nIssue trace:\n<7> [317.089847] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 14,\n sizes: 4194304 & 4194304\n<7> [317.089945] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 15,\n sizes: 4194304 & 4194304\n<1> [317.128055] BUG: kernel NULL pointer dereference, address:\n 0000000000000010\n<1> [317.128064] #PF: supervisor read access in kernel mode\n<1> [317.128066] #PF: error_code(0x0000) - not-present page\n<6> [317.128069] PGD 0 P4D 0\n<4> [317.128071] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n<4> [317.128074] CPU: 1 UID: 0 PID: 1440 Comm: kunit_try_catch Tainted:\n G     U           N 6.11.0-rc7-xe #1\n<4> [317.128078] Tainted: [U]=USER, [N]=TEST\n<4> [317.128080] Hardware name: Intel Corporation Lunar Lake Client\n Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3221.D80.2407291239 07/29/2024\n<4> [317.128082] RIP: 0010:xe_migrate_copy+0x66/0x13e0 [xe]\n<4> [317.128158] Code: 00 00 48 89 8d e0 fe ff ff 48 8b 40 10 4c 89 85 c8\n fe ff ff 44 88 8d bd fe ff ff 65 48 8b 3c 25 28 00 00 00 48 89 7d d0 31\n ff <8b> 79 10 48 89 85 a0 fe ff ff 48 8b 00 48 89 b5 d8 fe ff ff 83 ff\n<4> [317.128162] RSP: 0018:ffffc9000167f9f0 EFLAGS: 00010246\n<4> [317.128164] RAX: ffff8881120d8028 RBX: ffff88814d070428 RCX:\n 0000000000000000\n<4> [317.128166] RDX: ffff88813cb99c00 RSI: 0000000004000000 RDI:\n 0000000000000000\n<4> [317.128168] RBP: ffffc9000167fbb8 R08: ffff88814e7b1f08 R09:\n 0000000000000001\n<4> [317.128170] R10: 0000000000000001 R11: 0000000000000001 R12:\n ffff88814e7b1f08\n<4> [317.128172] R13: ffff88814e7b1f08 R14: 
ffff88813cb99c00 R15:\n 0000000000000001\n<4> [317.128174] FS:  0000000000000000(0000) GS:ffff88846f280000(0000)\n knlGS:0000000000000000\n<4> [317.128176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n<4> [317.128178] CR2: 0000000000000010 CR3: 000000011f676004 CR4:\n 0000000000770ef0\n<4> [317.128180] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n 0000000000000000\n<4> [317.128182] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7:\n 0000000000000400\n<4> [317.128184] PKRU: 55555554\n<4> [317.128185] Call Trace:\n<4> [317.128187]  <TASK>\n<4> [317.128189]  ? show_regs+0x67/0x70\n<4> [317.128194]  ? __die_body+0x20/0x70\n<4> [317.128196]  ? __die+0x2b/0x40\n<4> [317.128198]  ? page_fault_oops+0x15f/0x4e0\n<4> [317.128203]  ? do_user_addr_fault+0x3fb/0x970\n<4> [317.128205]  ? lock_acquire+0xc7/0x2e0\n<4> [317.128209]  ? exc_page_fault+0x87/0x2b0\n<4> [317.128212]  ? asm_exc_page_fault+0x27/0x30\n<4> [317.128216]  ? xe_migrate_copy+0x66/0x13e0 [xe]\n<4> [317.128263]  ? __lock_acquire+0xb9d/0x26f0\n<4> [317.128265]  ? __lock_acquire+0xb9d/0x26f0\n<4> [317.128267]  ? sg_free_append_table+0x20/0x80\n<4> [317.128271]  ? lock_acquire+0xc7/0x2e0\n<4> [317.128273]  ? mark_held_locks+0x4d/0x80\n<4> [317.128275]  ? trace_hardirqs_on+0x1e/0xd0\n<4> [317.128278]  ? _raw_spin_unlock_irqrestore+0x31/0x60\n<4> [317.128281]  ? __pm_runtime_resume+0x60/0xa0\n<4> [317.128284]  xe_bo_move+0x682/0xc50 [xe]\n<4> [317.128315]  ? lock_is_held_type+0xaa/0x120\n<4> [317.128318]  ttm_bo_handle_move_mem+0xe5/0x1a0 [ttm]\n<4> [317.128324]  ttm_bo_validate+0xd1/0x1a0 [ttm]\n<4> [317.128328]  shrink_test_run_device+0x721/0xc10 [xe]\n<4> [317.128360]  ? find_held_lock+0x31/0x90\n<4> [317.128363]  ? lock_release+0xd1/0x2a0\n<4> [317.128365]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10\n [kunit]\n<4> [317.128370]  xe_bo_shrink_kunit+0x11/0x20 [xe]\n<4> [317.128397]  kunit_try_run_case+0x6e/0x150 [kunit]\n<4> [317.128400]  ? trace_hardirqs_on+0x1e/0xd0\n<4> [317.128402]  ? 
_raw_spin_unlock_irqrestore+0x31/0x60\n<4> [317.128404]  kunit_generic_run_threadfn_adapter+0x1e/0x40 [ku\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc_submit: add missing locking in wedged_fini\n\nAny non-wedged queue can have a zero refcount here and can be running\nconcurrently with an async queue destroy, therefore dereferencing the\nqueue ptr to check wedge status after the lookup can trigger UAF if\nqueue is not wedged.  Fix this by keeping the submission_state lock held\naround the check to postpone the free and make the check safe, before\ndropping again around the put() to avoid the deadlock.\n\n(cherry picked from commit d28af0b6b9580b9f90c265a7da0315b0ad20bbfd)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start\n\nIn sctp_listen_start() invoked by sctp_inet_listen(), it should set the\nsk_state back to CLOSED if sctp_autobind() fails due to whatever reason.\n\nOtherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse\nis already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will\nbe dereferenced as sk_state is LISTENING, which causes a crash as bind_hash\nis NULL.\n\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617\n  Call Trace:\n   <TASK>\n   __sys_listen_socket net/socket.c:1883 [inline]\n   __sys_listen+0x1b7/0x230 net/socket.c:1894\n   __do_sys_listen net/socket.c:1902 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ncsi: Disable the ncsi work before freeing the associated structure\n\nThe work function can run after the ncsi device is freed, resulting\nin use-after-free bugs or kernel panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: do not assume bh is held in ppp_channel_bridge_input()\n\nNetworking receive path is usually handled from BH handler.\nHowever, some protocols need to acquire the socket lock, and\npackets might be stored in the socket backlog if the socket was\nowned by a user process.\n\nIn this case, release_sock(), __release_sock(), and sk_backlog_rcv()\nmight call the sk->sk_backlog_rcv() handler in process context.\n\nsyzbot caught ppp was not considering this case in\nppp_channel_bridge_input() :\n\nWARNING: inconsistent lock state\n6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted\n--------------------------------\ninconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.\nksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304\n{SOFTIRQ-ON-W} state was registered at:\n   lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759\n   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n   _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154\n   spin_lock include/linux/spinlock.h:351 [inline]\n   ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]\n   ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304\n   pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379\n   sk_backlog_rcv include/net/sock.h:1111 [inline]\n   __release_sock+0x1a8/0x3d8 net/core/sock.c:3004\n   release_sock+0x68/0x1b8 net/core/sock.c:3558\n   pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903\n   sock_sendmsg_nosec net/socket.c:730 [inline]\n   __sock_sendmsg net/socket.c:745 [inline]\n   __sys_sendto+0x374/0x4f4 net/socket.c:2204\n   __do_sys_sendto net/socket.c:2216 
[inline]\n   __se_sys_sendto net/socket.c:2212 [inline]\n   __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n   el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nirq event stamp: 282914\n hardirqs last  enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]\n hardirqs last  enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194\n hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]\n hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162\n softirqs last  enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]\n softirqs last  enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582\n softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&pch->downl);\n  <Interrupt>\n    lock(&pch->downl);\n\n *** DEADLOCK ***\n\n1 lock held by ksoftirqd/1/24:\n  #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall trace:\n  dump_backtrace+0x1b8/0x1e4 
arch/arm64/kernel/stacktrace.c:319\n  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326\n  __dump_sta\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: test for not too small csum_start in virtio_net_hdr_to_skb()\n\nsyzbot was able to trigger this warning [1], after injecting a\nmalicious packet through af_packet, setting skb->csum_start and thus\nthe transport header to an incorrect value.\n\nWe can at least make sure the transport header is after\nthe end of the network header (with an estimated minimal size).\n\n[1]\n[   67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0\nmac=(-1,-1) mac_len=0 net=(16,-6) trans=10\nshinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))\ncsum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)\nhash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0\npriority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0\nencapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)\n[   67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9\n[   67.877764] sk family=17 type=3 proto=0\n[   67.878279] skb linear:   00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00\n[   67.879128] skb frag:     00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02\n[   67.879877] skb frag:     00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.880647] skb frag:     00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00\n[   67.881156] skb frag:     00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.881753] skb frag:     00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.882173] skb frag:     00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.882790] skb frag:     00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.883171] skb frag:     00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.883733] skb frag:     00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.884206] skb frag:     00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e\n[   67.884704] skb frag:     000000a0: 31 00 00 00 00 00 00 00 00 00 
2b 00 00 00 00 00\n[   67.885139] skb frag:     000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.885677] skb frag:     000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.886042] skb frag:     000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.886408] skb frag:     000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.887020] skb frag:     000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   67.887384] skb frag:     00000100: 00 00\n[   67.887878] ------------[ cut here ]------------\n[   67.887908] offset (-6) >= skb_headlen() (14)\n[   67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[   67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs\n[   67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011\n[   67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[   67.891043] Call Trace:\n[   67.891173]  <TASK>\n[   67.891274] ? __warn (kernel/panic.c:741)\n[   67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[   67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)\n[   67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)\n[   67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n[   67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n[   67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[   67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[   67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))\n[   67.891448] ? 
__ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 ne\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add more sanity checks to qdisc_pkt_len_init()\n\nOne path takes care of SKB_GSO_DODGY, assuming\nskb->len is bigger than hdr_len.\n\nvirtio_net_hdr_to_skb() does not fully dissect TCP headers,\nit only makes sure it is at least 20 bytes.\n\nIt is possible for a user to provide a malicious 'GSO' packet,\ntotal length of 80 bytes.\n\n- 20 bytes of IPv4 header\n- 60 bytes TCP header\n- a small gso_size like 8\n\nvirtio_net_hdr_to_skb() would declare this packet as a normal\nGSO packet, because it would see 40 bytes of payload,\nbigger than gso_size.\n\nWe need to detect this case to not underflow\nqdisc_skb_cb(skb)->pkt_len.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\n\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had a sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\n\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\n\nIPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.\n\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb->len\n\nThen the following sets gso_segs to 0 :\n\ngso_segs = DIV_ROUND_UP(skb->len - hdr_len,\n                        shinfo->gso_size);\n\nThen later we set qdisc_skb_cb(skb)->pkt_len back to zero :/\n\nqdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;\n\nThis leads to the following crash in fq_codel [1]\n\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\n\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n\n[1]\n[   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   70.724561] #PF: supervisor read access in kernel mode\n[   70.724561] #PF: error_code(0x0000) - not-present page\n[   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 
24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n   0:\t24 08                \tand    $0x8,%al\n   2:\t49 c1 e1 06          \tshl    $0x6,%r9\n   6:\t44 89 7c 24 18       \tmov    %r15d,0x18(%rsp)\n   b:\t45 31 ed             \txor    %r13d,%r13d\n   e:\t45 31 c0             \txor    %r8d,%r8d\n  11:\t31 ff                \txor    %edi,%edi\n  13:\t89 44 24 14          \tmov    %eax,0x14(%rsp)\n  17:\t4c 03 8b 90 01 00 00 \tadd    0x190(%rbx),%r9\n  1e:\teb 04                \tjmp    0x24\n  20:\t39 ca                \tcmp    %ecx,%edx\n  22:\t73 37                \tjae    0x5b\n  24:\t4d 8b 39             \tmov    (%r9),%r15\n  27:\t83 c7 01             \tadd    $0x1,%edi\n  2a:*\t49 8b 17             \tmov    (%r15),%rdx\t\t<-- trapping instruction\n  2d:\t49 89 11             \tmov    %rdx,(%r9)\n  30:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n  34:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n  38:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  3f:\t49                   \trex.WB\n\nCode starting with the faulting instruction\n===========================================\n   0:\t49 8b 17             \tmov    (%r15),%rdx\n   3:\t49 89 11             \tmov    %rdx,(%r9)\n   6:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n   a:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n   e:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  15:\t49                   \trex.WB\n[   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 
0000000000000000\n[   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[   70.724561] CS:  0010 DS: 0000 ES: 0000 C\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix uaf in l2cap_connect\n\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\nRead of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54\n\nCPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nWorkqueue: hci2 hci_rx_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\n l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]\n l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]\n l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]\n l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825\n l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514\n hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]\n hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028\n process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n...\n\nFreed by task 5245:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579\n poison_slab_object+0xf7/0x160 mm/kasan/common.c:240\n __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n 
slab_free_hook mm/slub.c:2256 [inline]\n slab_free mm/slub.c:4477 [inline]\n kfree+0x12a/0x3b0 mm/slub.c:4598\n l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]\n kref_put include/linux/kref.h:65 [inline]\n l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]\n l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802\n l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241\n hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]\n hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265\n hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583\n abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917\n hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328\n process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible crash on mgmt_index_removed\n\nIf mgmt_index_removed is called while there are commands queued on\ncmd_sync it could lead to crashes like the bellow trace:\n\n0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc\n0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]\n0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]\n0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]\n\nSo while handling mgmt_index_removed this attempts to dequeue\ncommands passed as user_data to cmd_sync.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n  nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n  nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n  NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n  ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n  ip_local_out net/ipv4/ip_output.c:129 [inline]\n  ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n  udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n  udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n  __do_sys_sendmmsg net/socket.c:2766 
[inline]\n  __se_sys_sendmmsg net/socket.c:2763 [inline]\n  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice\n\nThe km.state is not checked in driver's delayed work. When\nxfrm_state_check_expire() is called, the state can be reset to\nXFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This\nhappens when xfrm state is deleted, but not freed yet. As\n__xfrm_state_delete() is called again in xfrm timer, the following\ncrash occurs.\n\nTo fix this issue, skip xfrm_state_check_expire() if km.state is not\nXFRM_STATE_VALID.\n\n Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]\n RIP: 0010:__xfrm_state_delete+0x3d/0x1b0\n Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48\n RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246\n RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036\n RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980\n RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000\n R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246\n R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400\n FS:  0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  ? die_addr+0x33/0x90\n  ? 
exc_general_protection+0x1a2/0x390\n  ? asm_exc_general_protection+0x22/0x30\n  ? __xfrm_state_delete+0x3d/0x1b0\n  ? __xfrm_state_delete+0x2f/0x1b0\n  xfrm_timer_handler+0x174/0x350\n  ? __xfrm_state_delete+0x1b0/0x1b0\n  __hrtimer_run_queues+0x121/0x270\n  hrtimer_run_softirq+0x88/0xd0\n  handle_softirqs+0xcc/0x270\n  do_softirq+0x3c/0x50\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x47/0x50\n  mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]\n  process_one_work+0x137/0x2d0\n  worker_thread+0x28d/0x3a0\n  ? rescuer_thread+0x480/0x480\n  kthread+0xb8/0xe0\n  ? kthread_park+0x80/0x80\n  ret_from_fork+0x2d/0x50\n  ? kthread_park+0x80/0x80\n  ret_from_fork_asm+0x11/0x20\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstatic_call: Replace pointless WARN_ON() in static_call_module_notify()\n\nstatic_call_module_notify() triggers a WARN_ON(), when memory allocation\nfails in __static_call_add_module().\n\nThat's not really justified, because the failure case must be correctly\nhandled by the well known call chain and the error code is passed\nthrough to the initiating userspace application.\n\nA memory allocation fail is not a fatal problem, but the WARN_ON() takes\nthe machine out when panic_on_warn is set.\n\nReplace it with a pr_warn().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: battery: Fix possible crash when unregistering a battery hook\n\nWhen a battery hook returns an error when adding a new battery, then\nthe battery hook is automatically unregistered.\nHowever the battery hook provider cannot know that, so it will later\ncall battery_hook_unregister() on the already unregistered battery\nhook, resulting in a crash.\n\nFix this by using the list head to mark already unregistered battery\nhooks as already being unregistered so that they can be ignored by\nbattery_hook_unregister().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix double destroy_workqueue error\n\nWhen gfs2_fill_super() fails, destroy_workqueue() is called within\ngfs2_gl_hash_clear(), and the subsequent code path calls\ndestroy_workqueue() on the same work queue again.\n\nThis issue can be fixed by setting the work queue pointer to NULL after\nthe first destroy_workqueue() call and checking for a NULL pointer\nbefore attempting to destroy the work queue again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix null-ptr-deref when journal load failed.\n\nDuring the mounting process, if journal_reset() fails because of too short\njournal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. \nSubsequently, ocfs2_journal_shutdown() calls\njbd2_journal_flush()->jbd2_cleanup_journal_tail()->\n__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()\n->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer\ndereference error.\n\nTo resolve this issue, we should check the JBD2_LOADED flag to ensure the\njournal was properly loaded.  Additionally, use journal instead of\nosb->journal directly to simplify the code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: reserve space for inline xattr before attaching reflink tree\n\nOne of our customers reported a crash and a corrupted ocfs2 filesystem. \nThe crash was due to the detection of corruption.  Upon troubleshooting,\nthe fsck -fn output showed the below corruption\n\n[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,\nbut fsck believes the largest valid value is 227.  Clamp the next record value? n\n\nThe stat output from the debugfs.ocfs2 showed the following corruption\nwhere the \"Next Free Rec:\" had overshot the \"Count:\" in the root metadata\nblock.\n\n        Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)\n        FS Generation: 904309833 (0x35e6ac49)\n        CRC32: 00000000   ECC: 0000\n        Type: Regular   Attr: 0x0   Flags: Valid\n        Dynamic Features: (0x16) HasXattr InlineXattr Refcounted\n        Extended Attributes Block: 0  Extended Attributes Inline Size: 256\n        User: 0 (root)   Group: 0 (root)   Size: 281320357888\n        Links: 1   Clusters: 141738\n        ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024\n        atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024\n        mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024\n        dtime: 0x0 -- Wed Dec 31 17:00:00 1969\n        Refcount Block: 2777346\n        Last Extblk: 2886943   Orphan Slot: 0\n        Sub Alloc Slot: 0   Sub Alloc Bit: 14\n        Tree Depth: 1   Count: 227   Next Free Rec: 230\n        ## Offset        Clusters       Block#\n        0  0             2310           2776351\n        1  2310          2139           2777375\n        2  4449          1221           2778399\n        3  5670          731            2779423\n        4  6401          566            2780447\n        .......          ....           .......\n        .......          ....           
.......\n\nThe issue was in the reflink workfow while reserving space for inline\nxattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the\ntime this function is called the reflink tree is already recreated at the\ndestination inode from the source inode.  At this point, this function\nreserves space for inline xattrs at the destination inode without even\nchecking if there is space at the root metadata block.  It simply reduces\nthe l_count from 243 to 227 thereby making space of 256 bytes for inline\nxattr whereas the inode already has extents beyond this index (in this\ncase up to 230), thereby causing corruption.\n\nThe fix for this is to reserve space for inline metadata at the destination\ninode before the reflink tree gets recreated. The customer has verified the\nfix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error\n\nIn __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()\nto recover some journal space. But if an error occurs while executing\njbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free\nspace right away, we try other branches, and if j_committing_transaction\nis NULL (i.e., the tid is 0), we will get the following complain:\n\n============================================\nJBD2: I/O error when updating journal superblock for sdd-8.\n__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available\n__jbd2_log_wait_for_space: no way to get more journal space in sdd-8\n------------[ cut here ]------------\nWARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0\nModules linked in:\nCPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1\nRIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0\nCall Trace:\n <TASK>\n add_transaction_credits+0x5d1/0x5e0\n start_this_handle+0x1ef/0x6a0\n jbd2__journal_start+0x18b/0x340\n ext4_dirty_inode+0x5d/0xb0\n __mark_inode_dirty+0xe4/0x5d0\n generic_update_time+0x60/0x70\n[...]\n============================================\n\nSo only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to\nclean up at the moment, continue to try to reclaim free space in other ways.\n\nNote that this fix relies on commit 6f6a6fda2945 (\"jbd2: fix ocfs2 corrupt\nwhen updating journal superblock fails\") to make jbd2_cleanup_journal_tail\nreturn the correct error code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix timer use-after-free on failed mount\n\nSyzbot has found an ODEBUG bug in ext4_fill_super\n\nThe del_timer_sync function cancels the s_err_report timer,\nwhich reminds about filesystem errors daily. We should\nguarantee the timer is no longer active before kfree(sbi).\n\nWhen filesystem mounting fails, the flow goes to failed_mount3,\nwhere an error occurs when ext4_stop_mmpd is called, causing\na read I/O failure. This triggers the ext4_handle_error function\nthat ultimately re-arms the timer,\nleaving the s_err_report timer active before kfree(sbi) is called.\n\nFix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ar0521: Use cansleep version of gpiod_set_value()\n\nIf we use GPIO reset from I2C port expander, we must use *_cansleep()\nvariant of GPIO functions.\nThis was not done in ar0521_power_on()/ar0521_power_off() functions.\nLet's fix that.\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c\nModules linked in:\nCPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53\nHardware name: Diasom DS-RK3568-SOM-EVB (DT)\nWorkqueue: events_unbound deferred_probe_work_func\npstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : gpiod_set_value+0x74/0x7c\nlr : ar0521_power_on+0xcc/0x290\nsp : ffffff8001d7ab70\nx29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000\nx26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088\nx23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088\nx20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80\nx17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000\nx14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930\nx11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0\nx8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780\nx5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n gpiod_set_value+0x74/0x7c\n ar0521_power_on+0xcc/0x290\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()\n\nACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0\n\nACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause\nNULL pointer dereference later.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: bcm2835: Fix timeout during suspend mode\n\nDuring noirq suspend phase the Raspberry Pi power driver suffer of\nfirmware property timeouts. The reason is that the IRQ of the underlying\nBCM2835 mailbox is disabled and rpi_firmware_property_list() will always\nrun into a timeout [1].\n\nSince the VideoCore side isn't consider as a wakeup source, set the\nIRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled\nduring suspend-resume cycle.\n\n[1]\nPM: late suspend of devices complete after 1.754 msecs\nWARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128\n rpi_firmware_property_list+0x204/0x22c\nFirmware transaction 0x00028001 timeout\nModules linked in:\nCPU: 0 PID: 438 Comm: bash Tainted: G         C         6.9.3-dirty #17\nHardware name: BCM2835\nCall trace:\nunwind_backtrace from show_stack+0x18/0x1c\nshow_stack from dump_stack_lvl+0x34/0x44\ndump_stack_lvl from __warn+0x88/0xec\n__warn from warn_slowpath_fmt+0x7c/0xb0\nwarn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c\nrpi_firmware_property_list from rpi_firmware_property+0x68/0x8c\nrpi_firmware_property from rpi_firmware_set_power+0x54/0xc0\nrpi_firmware_set_power from _genpd_power_off+0xe4/0x148\n_genpd_power_off from genpd_sync_power_off+0x7c/0x11c\ngenpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0\ngenpd_finish_suspend from dpm_run_callback+0x78/0xd0\ndpm_run_callback from device_suspend_noirq+0xc0/0x238\ndevice_suspend_noirq from dpm_suspend_noirq+0xb0/0x168\ndpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac\nsuspend_devices_and_enter from pm_suspend+0x254/0x2e4\npm_suspend from state_store+0xa8/0xd4\nstate_store from kernfs_fop_write_iter+0x154/0x1a0\nkernfs_fop_write_iter from vfs_write+0x12c/0x184\nvfs_write from ksys_write+0x78/0xc0\nksys_write from ret_fast_syscall+0x0/0x54\nException stack(0xcc93dfa8 to 0xcc93dff0)\n[...]\nPM: noirq suspend of 
devices complete after 3095.584 msecs",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix memfd_pin_folios free_huge_pages leak\n\nmemfd_pin_folios followed by unpin_folios fails to restore free_huge_pages\nif the pages were not already faulted in, because the folio refcount for\npages created by memfd_alloc_folio never goes to 0.  memfd_pin_folios\nneeds another folio_put to undo the folio_try_get below:\n\nmemfd_alloc_folio()\n  alloc_hugetlb_folio_nodemask()\n    dequeue_hugetlb_folio_nodemask()\n      dequeue_hugetlb_folio_node_exact()\n        folio_ref_unfreeze(folio, 1);    ; adds 1 refcount\n  folio_try_get()                        ; adds 1 refcount\n  hugetlb_add_to_page_cache()            ; adds 512 refcount (on x86)\n\nWith the fix, after memfd_pin_folios + unpin_folios, the refcount for the\n(unfaulted) page is 512, which is correct, as the refcount for a faulted\nunpinned page is 513.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: remove unreasonable unlock in ocfs2_read_blocks\n\nPatch series \"Misc fixes for ocfs2_read_blocks\", v5.\n\nThis series contains 2 fixes for ocfs2_read_blocks().  The first patch fix\nthe issue reported by syzbot, which detects bad unlock balance in\nocfs2_read_blocks().  The second patch fixes an issue reported by Heming\nZhao when reviewing above fix.\n\n\nThis patch (of 2):\n\nThere was a lock release before exiting, so remove the unreasonable unlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: cancel dqi_sync_work before freeing oinfo\n\nocfs2_global_read_info() will initialize and schedule dqi_sync_work at the\nend, if error occurs after successfully reading global quota, it will\ntrigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:\n\nODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c\n\nThis reports that there is an active delayed work when freeing oinfo in\nerror handling, so cancel dqi_sync_work first.  BTW, return status instead\nof -1 when .read_file_info fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filesystems without casefold feature cannot be mounted with siphash\n\nWhen mounting the ext4 filesystem, if the default hash version is set to\nDX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in DCN30 color transformation\n\nThis commit addresses a potential index out of bounds issue in the\n`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color\nmanagement module. The issue could occur when the index 'i' exceeds the\nnumber of transfer function points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, the function returns\nfalse to indicate an error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN401\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn401_stream_encoder_create\n\nFound by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn401/dcn401_resource.c:1209 dcn401_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Increase array size of dummy_boolean\n\n[WHY]\ndml2_core_shared_mode_support and dml_core_mode_support access the third\nelement of dummy_boolean, i.e. hw_debug5 = &s->dummy_boolean[2], when\ndummy_boolean has size of 2. Any assignment to hw_debug5 causes an\nOVERRUN.\n\n[HOW]\nIncrease dummy_boolean's array size to 3.\n\nThis fixes 2 OVERRUN issues reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Deallocate DML memory if allocation fails\n\n[Why]\nWhen DC state create DML memory allocation fails, memory is not\ndeallocated subsequently, resulting in uninitialized structure\nthat is not NULL.\n\n[How]\nDeallocate memory if DML memory allocation fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: add tally counter fields added with RTL8125\n\nRTL8125 added fields to the tally counter, what may result in the chip\ndma'ing these new fields to unallocated memory. Therefore make sure\nthat the allocated memory area is big enough to hold all of the\ntally counter values, even if we use only parts of it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: fix kernel info leak via \"[uprobes]\" vma\n\nxol_add_vma() maps the uninitialized page allocated by __create_xol_area()\ninto userspace. On some architectures (x86) this memory is readable even\nwithout VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,\nalthough this doesn't really matter, debugger can read this memory anyway.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Drop interface_lock in stop_kthread()\n\nstop_kthread() is the offline callback for \"trace/osnoise:online\", since\ncommit 5bfbcd1ee57b (\"tracing/timerlat: Add interface_lock around clearing\nof kthread in stop_kthread()\"), the following ABBA deadlock scenario is\nintroduced:\n\nT1                            | T2 [BP]               | T3 [AP]\nosnoise_hotplug_workfn()      | work_for_cpu_fn()     | cpuhp_thread_fun()\n                              |   _cpu_down()         |   osnoise_cpu_die()\n  mutex_lock(&interface_lock) |                       |     stop_kthread()\n                              |     cpus_write_lock() |       mutex_lock(&interface_lock)\n  cpus_read_lock()            |     cpuhp_kick_ap()   |\n\nAs the interface_lock here in just for protecting the \"kthread\" field of\nthe osn_var, use xchg() instead to fix this issue. Also use\nfor_each_online_cpu() back in stop_per_cpu_kthreads() as it can take\ncpu_read_lock() again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Fix zero-division error when disabling tc cbs\n\nThe commit b8c43360f6e4 (\"net: stmmac: No need to calculate speed divider\nwhen offload is disabled\") allows the \"port_transmit_rate_kbps\" to be\nset to a value of 0, which is then passed to the \"div_s64\" function when\ntc-cbs is disabled. This leads to a zero-division error.\n\nWhen tc-cbs is disabled, the idleslope, sendslope, and credit values the\ncredit values are not required to be configured. Therefore, adding a return\nstatement after setting the txQ mode to DCB when tc-cbs is disabled would\nprevent a zero-division error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngso: fix udp gso fraglist segmentation after pull from frag_list\n\nDetect gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For UDP, this\ncauses a NULL ptr deref in __udpv4_gso_segment_list_csum at\nudp_hdr(seg->next)->dest.\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix tcp fraglist segmentation after pull from frag_list\n\nDetect tcp gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For TCP, this\ncauses a NULL ptr deref in __tcpv4_gso_segment_list_csum at\ntcp_hdr(seg->next).\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.\n\nApproach and description based on a patch by Willem de Bruijn.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: revert \"vrf: Remove unnecessary RCU-bh critical section\"\n\nThis reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.\n\ndev_queue_xmit_nit is expected to be called with BH disabled.\n__dev_queue_xmit has the following:\n\n        /* Disable soft irqs for various locks below. Also\n         * stops preemption for RCU.\n         */\n        rcu_read_lock_bh();\n\nVRF must follow this invariant. The referenced commit removed this\nprotection. Which triggered a lockdep warning:\n\n\t================================\n\tWARNING: inconsistent lock state\n\t6.11.0 #1 Tainted: G        W\n\t--------------------------------\n\tinconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n\tbtserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:\n\tffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30\n\t{IN-SOFTIRQ-W} state was registered at:\n\t  lock_acquire+0x19a/0x4f0\n\t  _raw_spin_lock+0x27/0x40\n\t  packet_rcv+0xa33/0x1320\n\t  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90\n\t  __netif_receive_skb_list_core+0x2c9/0x890\n\t  netif_receive_skb_list_internal+0x610/0xcc0\n          [...]\n\n\tother info that might help us debug this:\n\t Possible unsafe locking scenario:\n\n\t       CPU0\n\t       ----\n\t  lock(rlock-AF_PACKET);\n\t  <Interrupt>\n\t    lock(rlock-AF_PACKET);\n\n\t *** DEADLOCK ***\n\n\tCall Trace:\n\t <TASK>\n\t dump_stack_lvl+0x73/0xa0\n\t mark_lock+0x102e/0x16b0\n\t __lock_acquire+0x9ae/0x6170\n\t lock_acquire+0x19a/0x4f0\n\t _raw_spin_lock+0x27/0x40\n\t tpacket_rcv+0x863/0x3b30\n\t dev_queue_xmit_nit+0x709/0xa40\n\t vrf_finish_direct+0x26e/0x340 [vrf]\n\t vrf_l3_out+0x5f4/0xe80 [vrf]\n\t __ip_local_out+0x51e/0x7a0\n          [...]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free bug in venus_remove due to race condition\n\nin venus_probe, core->work is bound with venus_sys_error_handler, which is\nused to handle error. The code use core->sys_err_done to make sync work.\nThe core->work is started in venus_event_notify.\n\nIf we call venus_remove, there might be an unfished work. The possible\nsequence is as follows:\n\nCPU0                  CPU1\n\n                     |venus_sys_error_handler\nvenus_remove         |\nhfi_destroy\t \t\t |\nvenus_hfi_destroy\t |\nkfree(hdev);\t     |\n                     |hfi_reinit\n\t\t\t\t\t |venus_hfi_queues_reinit\n                     |//use hdev\n\nFix it by canceling the work in venus_remove.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in more places\n\nFor fixing CVE-2023-6270, f98364e92662 (\"aoe: fix the potential\nuse-after-free problem in aoecmd_cfg_pkts\") makes tx() calling dev_put()\ninstead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs\ninto use-after-free.\n\nThen Nicolai Stange found more places in aoe have potential use-after-free\nproblem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()\nand aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push\npacket to tx queue. So they should also use dev_hold() to increase the\nrefcnt of skb->dev.\n\nOn the other hand, moving dev_put() to tx() causes that the refcnt of\nskb->dev be reduced to a negative value, because corresponding\ndev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),\nprobe(), and aoecmd_cfg_rsp(). This patch fixed this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free\n\nWhen calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(),\nthe 'ppath' is updated but it is the 'path' that is freed, thus potentially\ntriggering a double-free in the following process:\n\next4_ext_replay_update_ex\n  ppath = path\n  ext4_force_split_extent_at(&ppath)\n    ext4_split_extent_at\n      ext4_ext_insert_extent\n        ext4_ext_create_new_leaf\n          ext4_ext_grow_indepth\n            ext4_find_extent\n              if (depth > path[0].p_maxdepth)\n                kfree(path)                 ---> path First freed\n                *orig_path = path = NULL    ---> null ppath\n  kfree(path)                               ---> path double-free !!!\n\nSo drop the unnecessary ppath and use path directly to avoid this problem.\nAnd use ext4_find_extent() directly to update path, avoiding unnecessary\nmemory allocation and freeing. Also, propagate the error returned by\next4_find_extent() instead of using strange error codes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Prevent out of bounds access in performance query extensions\n\nCheck that the number of perfmons userspace is passing in the copy and\nreset extensions is not greater than the internal kernel storage where\nthe ids will be copied into.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume\n\nIn case there is any sort of clock controller attached to this I2C bus\ncontroller, for example Versaclock or even an AIC32x4 I2C codec, then\nan I2C transfer triggered from the clock controller clk_ops .prepare\ncallback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.\n\nThis is because the clock controller first grabs the prepare_lock mutex\nand then performs the prepare operation, including its I2C access. The\nI2C access resumes this I2C bus controller via .runtime_resume callback,\nwhich calls clk_prepare_enable(), which attempts to grab the prepare_lock\nmutex again and deadlocks.\n\nSince the clock are already prepared since probe() and unprepared in\nremove(), use simple clk_enable()/clk_disable() calls to enable and\ndisable the clock on runtime suspend and resume, to avoid hitting the\nprepare_lock mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors\n\nx86_android_tablet_remove() frees the pdevs[] array, so it should not\nbe used after calling x86_android_tablet_remove().\n\nWhen platform_device_register() fails, store the pdevs[x] PTR_ERR() value\ninto the local ret variable before calling x86_android_tablet_remove()\nto avoid using pdevs[] after it has been freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpftool: Fix undefined behavior in qsort(NULL, 0, ...)\n\nWhen netfilter has no entry to display, qsort is called with\nqsort(NULL, 0, ...). This results in undefined behavior, as UBSan\nreports:\n\nnet.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null\n\nAlthough the C standard does not explicitly state whether calling qsort\nwith a NULL pointer when the size is 0 constitutes undefined behavior,\nSection 7.1.4 of the C standard (Use of library functions) mentions:\n\n\"Each of the following statements applies unless explicitly stated\notherwise in the detailed descriptions that follow: If an argument to a\nfunction has an invalid value (such as a value outside the domain of\nthe function, or a pointer outside the address space of the program, or\na null pointer, or a pointer to non-modifiable storage when the\ncorresponding parameter is not const-qualified) or a type (after\npromotion) not expected by a function with variable number of\narguments, the behavior is undefined.\"\n\nTo avoid this, add an early return when nf_link_info is NULL to prevent\ncalling qsort with a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add refcnt to ksmbd_conn struct\n\nWhen sending an oplock break request, opinfo->conn is used,\nBut freed ->conn can be used on multichannel.\nThis patch add a reference count to the ksmbd_conn struct\nso that it can be freed when it is no longer used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix double free issue during amdgpu module unload\n\nFlexible endpoints use DIGs from available inflexible endpoints,\nso only the encoders of inflexible links need to be freed.\nOtherwise, a double free issue may occur when unloading the\namdgpu module.\n\n[  279.190523] RIP: 0010:__slab_free+0x152/0x2f0\n[  279.190577] Call Trace:\n[  279.190580]  <TASK>\n[  279.190582]  ? show_regs+0x69/0x80\n[  279.190590]  ? die+0x3b/0x90\n[  279.190595]  ? do_trap+0xc8/0xe0\n[  279.190601]  ? do_error_trap+0x73/0xa0\n[  279.190605]  ? __slab_free+0x152/0x2f0\n[  279.190609]  ? exc_invalid_op+0x56/0x70\n[  279.190616]  ? __slab_free+0x152/0x2f0\n[  279.190642]  ? asm_exc_invalid_op+0x1f/0x30\n[  279.190648]  ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[  279.191096]  ? __slab_free+0x152/0x2f0\n[  279.191102]  ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[  279.191469]  kfree+0x260/0x2b0\n[  279.191474]  dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[  279.191821]  link_destroy+0xd7/0x130 [amdgpu]\n[  279.192248]  dc_destruct+0x90/0x270 [amdgpu]\n[  279.192666]  dc_destroy+0x19/0x40 [amdgpu]\n[  279.193020]  amdgpu_dm_fini+0x16e/0x200 [amdgpu]\n[  279.193432]  dm_hw_fini+0x26/0x40 [amdgpu]\n[  279.193795]  amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]\n[  279.194108]  amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]\n[  279.194436]  amdgpu_pci_remove+0x40/0x80 [amdgpu]\n[  279.194632]  pci_device_remove+0x3a/0xa0\n[  279.194638]  device_remove+0x40/0x70\n[  279.194642]  device_release_driver_internal+0x1ad/0x210\n[  279.194647]  driver_detach+0x4e/0xa0\n[  279.194650]  bus_remove_driver+0x6f/0xf0\n[  279.194653]  driver_unregister+0x33/0x60\n[  279.194657]  pci_unregister_driver+0x44/0x90\n[  279.194662]  amdgpu_exit+0x19/0x1f0 [amdgpu]\n[  279.194939]  __do_sys_delete_module.isra.0+0x198/0x2f0\n[  279.194946]  __x64_sys_delete_module+0x16/0x20\n[  279.194950]  do_syscall_64+0x58/0x120\n[  279.194954]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[  279.194980]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Check GSC structure validity\n\nSometimes xe_gsc is not initialized when checked at HDCP capability\ncheck. Add gsc structure check to avoid null pointer error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer\n\nPass pointer reference to amdgpu_bo_unref to clear the correct pointer,\notherwise amdgpu_bo_unref clear the local variable, the original pointer\nnot set to NULL, this could cause use-after-free bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/stm: Avoid use-after-free issues with crtc and plane\n\nltdc_load() calls functions drm_crtc_init_with_planes(),\ndrm_universal_plane_init() and drm_encoder_init(). These functions\nshould not be called with parameters allocated with devm_kzalloc()\nto avoid use-after-free issues [1].\n\nUse allocations managed by the DRM framework.\n\nFound by Linux Verification Center (linuxtesting.org).\n\n[1]\nhttps://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix memory disclosure\n\nWhen applying padding, the buffer is not zeroed, which results in memory\ndisclosure. The mentioned data is observed on the wire. This patch uses\nskb_put_padto() to pad Ethernet frames properly. The mentioned function\nzeroes the expanded buffer.\n\nIn case the packet cannot be padded it is silently dropped. Statistics\nare also not incremented. This driver does not support statistics in the\nold 32-bit format or the new 64-bit format. These will be added in the\nfuture. In its current form, the patch should be easily backported to\nstable versions.\n\nEthernet MACs on Amazon-SE and Danube cannot do padding of the packets\nin hardware, so software padding must be applied.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: improve shutdown sequence\n\nAlexander Sverdlin presents 2 problems during shutdown with the\nlan9303 driver. One is specific to lan9303 and the other just happens\nto reproduce there.\n\nThe first problem is that lan9303 is unique among DSA drivers in that it\ncalls dev_get_drvdata() at \"arbitrary runtime\" (not probe, not shutdown,\nnot remove):\n\nphy_state_machine()\n-> ...\n   -> dsa_user_phy_read()\n      -> ds->ops->phy_read()\n         -> lan9303_phy_read()\n            -> chip->ops->phy_read()\n               -> lan9303_mdio_phy_read()\n                  -> dev_get_drvdata()\n\nBut we never stop the phy_state_machine(), so it may continue to run\nafter dsa_switch_shutdown(). Our common pattern in all DSA drivers is\nto set drvdata to NULL to suppress the remove() method that may come\nafterwards. But in this case it will result in an NPD.\n\nThe second problem is that the way in which we set\ndp->conduit->dsa_ptr = NULL; is concurrent with receive packet\nprocessing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,\nbut afterwards, rather than continuing to use that non-NULL value,\ndev->dsa_ptr is dereferenced again and again without NULL checks:\ndsa_conduit_find_user() and many other places. In between dereferences,\nthere is no locking to ensure that what was valid once continues to be\nvalid.\n\nBoth problems have the common aspect that closing the conduit interface\nsolves them.\n\nIn the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN\nevent in dsa_user_netdevice_event() which closes user ports as well.\ndsa_port_disable_rt() calls phylink_stop(), which synchronously stops\nthe phylink state machine, and ds->ops->phy_read() will thus no longer\ncall into the driver after this point.\n\nIn the second case, dev_close(conduit) should do this, as per\nDocumentation/networking/driver.rst:\n\n| Quiescence\n| ----------\n|\n| After the ndo_stop routine has been called, the hardware must\n| not receive or transmit any data.  All in flight packets must\n| be aborted. If necessary, poll or wait for completion of\n| any reset commands.\n\nSo it should be sufficient to ensure that later, when we zeroize\nconduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call\non this conduit.\n\nThe addition of the netif_device_detach() function is to ensure that\nioctls, rtnetlinks and ethtool requests on the user ports no longer\npropagate down to the driver - we're no longer prepared to handle them.\n\nThe race condition actually did not exist when commit 0650bf52b31f\n(\"net: dsa: be compatible with masters which unregister on shutdown\")\nfirst introduced dsa_switch_shutdown(). It was created later, when we\nstopped unregistering the user interfaces from a bad spot, and we just\nreplaced that sequence with a racy zeroization of conduit->dsa_ptr\n(one which doesn't ensure that the interfaces aren't up).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-49999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix the setting of the server responding flag\n\nIn afs_wait_for_operation(), we set transcribe the call responded flag to\nthe server record that we used after doing the fileserver iteration loop -\nbut it's possible to exit the loop having had a response from the server\nthat we've discarded (e.g. it returned an abort or we started receiving\ndata, but the call didn't complete).\n\nThis means that op->server might be NULL, but we don't check that before\nattempting to set the server flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-49999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()\n\nIn mlx5e_tir_builder_alloc() kvzalloc() may return NULL\nwhich is dereferenced on the next line in a reference\nto the modify field.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix error path in multi-packet WQE transmit\n\nRemove the erroneous unmap in case no DMA mapping was established\n\nThe multi-packet WQE transmit code attempts to obtain a DMA mapping for\nthe skb. This could fail, e.g. under memory pressure, when the IOMMU\ndriver just can't allocate more memory for page tables. While the code\ntries to handle this in the path below the err_unmap label it erroneously\nunmaps one entry from the sq's FIFO list of active mappings. Since the\ncurrent map attempt failed this unmap is removing some random DMA mapping\nthat might still be required. If the PCI function now presents that IOVA,\nthe IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI\nfunction in error state.\n\nThe erroneous behavior was seen in a stress-test environment that created\nmemory pressure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstatic_call: Handle module init failure correctly in static_call_del_module()\n\nModule insertion invokes static_call_add_module() to initialize the static\ncalls in a module. static_call_add_module() invokes __static_call_init(),\nwhich allocates a struct static_call_mod to either encapsulate the built-in\nstatic call sites of the associated key into it so further modules can be\nadded or to append the module to the module chain.\n\nIf that allocation fails the function returns with an error code and the\nmodule core invokes static_call_del_module() to clean up eventually added\nstatic_call_mod entries.\n\nThis works correctly, when all keys used by the module were converted over\nto a module chain before the failure. If not then static_call_del_module()\ncauses a #GP as it blindly assumes that key::mods points to a valid struct\nstatic_call_mod.\n\nThe problem is that key::mods is not a individual struct member of struct\nstatic_call_key, it's part of a union to save space:\n\n        union {\n                /* bit 0: 0 = mods, 1 = sites */\n                unsigned long type;\n                struct static_call_mod *mods;\n                struct static_call_site *sites;\n\t};\n\nkey::sites is a pointer to the list of built-in usage sites of the static\ncall. The type of the pointer is differentiated by bit 0. A mods pointer\nhas the bit clear, the sites pointer has the bit set.\n\nAs static_call_del_module() blidly assumes that the pointer is a valid\nstatic_call_mod type, it fails to check for this failure case and\ndereferences the pointer to the list of built-in call sites, which is\nobviously bogus.\n\nCure it by checking whether the key has a sites or a mods pointer.\n\nIf it's a sites pointer then the key is not to be touched. As the sites are\nwalked in the same order as in __static_call_init() the site walk can be\nterminated because all subsequent sites have not been touched by the init\ncode due to the error exit.\n\nIf it was converted before the allocation fail, then the inner loop which\nsearches for a module match will find nothing.\n\nA fail in the second allocation in __static_call_init() is harmless and\ndoes not require special treatment. The first allocation succeeded and\nconverted the key to a module chain. That first entry has mod::mod == NULL\nand mod::next == NULL, so the inner loop of static_call_del_module() will\nneither find a module match nor a module chain. The next site in the walk\nwas either already converted, but can't match the module, or it will exit\nthe outer loop because it has a static_call_site pointer and not a\nstatic_call_mod pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix system hang while resume with TBT monitor\n\n[Why]\nConnected with a Thunderbolt monitor and do the suspend and the system\nmay hang while resume.\n\nThe TBT monitor HPD will be triggered during the resume procedure\nand call the drm_client_modeset_probe() while\nstruct drm_connector connector->dev->master is NULL.\n\nIt will mess up the pipe topology after resume.\n\n[How]\nSkip the TBT monitor HPD during the resume procedure because we\ncurrently will probe the connectors after resume by default.\n\n(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35\n\n[WHY & HOW]\nMismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause\ngrey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override\nto match HW spec.\n\n(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: Fix potential RCU dereference issue in mac802154_scan_worker\n\nIn the `mac802154_scan_worker` function, the `scan_req->type` field was\naccessed after the RCU read-side critical section was unlocked. According\nto RCU usage rules, this is illegal and can lead to unpredictable\nbehavior, such as accessing memory that has been updated or causing\nuse-after-free issues.\n\nThis possible bug was identified using a static analysis tool developed\nby myself, specifically designed to detect RCU-related issues.\n\nTo address this, the `scan_req->type` value is now stored in a local\nvariable `scan_req_type` while still within the RCU read-side critical\nsection. The `scan_req_type` is then used after the RCU lock is released,\nensuring that the type value is safely accessed without violating RCU\nrules.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix i_data_sem unlock order in ext4_ind_migrate()\n\nFuzzing reports a possible deadlock in jbd2_log_wait_commit.\n\nThis issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require\nsynchronous updates because the file descriptor is opened with O_SYNC.\nThis can lead to the jbd2_journal_stop() function calling\njbd2_might_wait_for_commit(), potentially causing a deadlock if the\nEXT4_IOC_MIGRATE call races with a write(2) system call.\n\nThis problem only arises when CONFIG_PROVE_LOCKING is enabled. In this\ncase, the jbd2_might_wait_for_commit macro locks jbd2_handle in the\njbd2_journal_stop function while i_data_sem is locked. This triggers\nlockdep because the jbd2_journal_start function might also lock the same\njbd2_handle simultaneously.\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.\n\nRule: add",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: asihpi: Fix potential OOB array access\n\nASIHPI driver stores some values in the static array upon a response\nfrom the driver, and its index depends on the firmware.  We shouldn't\ntrust it blindly.\n\nThis patch adds a sanity check of the array index to fit in the array\nsize.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()\n\nReplace one-element array with a flexible-array member in\n`struct host_cmd_ds_802_11_scan_ext`.\n\nWith this, fix the following warning:\n\nelo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------\nelo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field \"ext_scan->tlv_buffer\" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)\nelo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: add check for cpufreq_cpu_get's return value\n\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return in case of error.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: don't WARN for racy path_noexec check\n\nBoth i_mode and noexec checks wrapped in WARN_ON stem from an artifact\nof the previous implementation. They used to legitimately check for the\ncondition, but that got moved up in two commits:\n633fb6ac3980 (\"exec: move S_ISREG() check earlier\")\n0fd338b2d2cd (\"exec: move path_noexec() check earlier\")\n\nInstead of being removed said checks are WARN_ON'ed instead, which\nhas some debug value.\n\nHowever, the spurious path_noexec check is racy, resulting in\nunwarranted warnings should someone race with setting the noexec flag.\n\nOne can note there is more to perm-checking whether execve is allowed\nand none of the conditions are guaranteed to still hold after they were\ntested for.\n\nAdditionally this does not validate whether the code path did any perm\nchecking to begin with -- it will pass if the inode happens to be\nregular.\n\nKeep the redundant path_noexec() check even though it's mindless\nnonsense checking for guarantee that isn't given so drop the WARN.\n\nReword the commentary and do small tidy ups while here.\n\n[brauner: keep redundant path_noexec() check]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item\n\nThere is no links_num in struct snd_soc_acpi_mach {}, and we test\n!link->num_adr as a condition to end the loop in hda_sdw_machine_select().\nSo an empty item in struct snd_soc_acpi_link_adr array is required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: Avoid a bad reference count on CPU node\n\nIn the parse_perf_domain function, if the call to\nof_parse_phandle_with_args returns an error, then the reference to the\nCPU device node that was acquired at the start of the function would not\nbe properly decremented.\n\nAddress this by declaring the variable with the __free(device_node)\ncleanup attribute.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix memory leak in exfat_load_bitmap()\n\nIf the first directory entry in the root directory is not a bitmap\ndirectory entry, 'bh' will not be released and reassigned, which\nwill cause a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix access to uninitialised lock in fc replay path\n\nThe following kernel trace can be triggered with fstest generic/629 when\nexecuted against a filesystem with fast-commit feature enabled:\n\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x66/0x90\n register_lock_class+0x759/0x7d0\n __lock_acquire+0x85/0x2630\n ? __find_get_block+0xb4/0x380\n lock_acquire+0xd1/0x2d0\n ? __ext4_journal_get_write_access+0xd5/0x160\n _raw_spin_lock+0x33/0x40\n ? __ext4_journal_get_write_access+0xd5/0x160\n __ext4_journal_get_write_access+0xd5/0x160\n ext4_reserve_inode_write+0x61/0xb0\n __ext4_mark_inode_dirty+0x79/0x270\n ? ext4_ext_replay_set_iblocks+0x2f8/0x450\n ext4_ext_replay_set_iblocks+0x330/0x450\n ext4_fc_replay+0x14c8/0x1540\n ? jread+0x88/0x2e0\n ? rcu_is_watching+0x11/0x40\n do_one_pass+0x447/0xd00\n jbd2_journal_recover+0x139/0x1b0\n jbd2_journal_load+0x96/0x390\n ext4_load_and_init_journal+0x253/0xd40\n ext4_fill_super+0x2cc6/0x3180\n...\n\nIn the replay path there's an attempt to lock sbi->s_bdev_wb_lock in\nfunction ext4_check_bdev_write_error().  Unfortunately, at this point this\nspinlock has not been initialized yet.  Moving it's initialization to an\nearlier point in __ext4_fill_super() fixes this splat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: dax: fix overflowing extents beyond inode size when partially writing\n\nThe dax_iomap_rw() does two things in each iteration: map written blocks\nand copy user data to blocks. If the process is killed by user(See signal\nhandling in dax_iomap_iter()), the copied data will be returned and added\non inode size, which means that the length of written extents may exceed\nthe inode size, then fsck will fail. An example is given as:\n\ndd if=/dev/urandom of=file bs=4M count=1\n dax_iomap_rw\n  iomap_iter // round 1\n   ext4_iomap_begin\n    ext4_iomap_alloc // allocate 0~2M extents(written flag)\n  dax_iomap_iter // copy 2M data\n  iomap_iter // round 2\n   iomap_iter_advance\n    iter->pos += iter->processed // iter->pos = 2M\n   ext4_iomap_begin\n    ext4_iomap_alloc // allocate 2~4M extents(written flag)\n  dax_iomap_iter\n   fatal_signal_pending\n  done = iter->pos - iocb->ki_pos // done = 2M\n ext4_handle_inode_extension\n  ext4_update_inode_size // inode size = 2M\n\nfsck reports: Inode 13, i_size is 2097152, should be 4194304.  Fix?\n\nFix the problem by truncating extents if the written length is smaller\nthan expected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/ident_map: Use gbpages only where full GB page should be mapped.\n\nWhen ident_pud_init() uses only GB pages to create identity maps, large\nranges of addresses not actually requested can be included in the resulting\ntable; a 4K request will map a full GB.  This can include a lot of extra\naddress space past that requested, including areas marked reserved by the\nBIOS.  That allows processor speculation into reserved regions, that on UV\nsystems can cause system halts.\n\nOnly use GB pages when map creation requests include the full GB page of\nspace.  Fall back to using smaller 2M pages when only portions of a GB page\nare included in the request.\n\nNo attempt is made to coalesce mapping requests. If a request requires a\nmap entry at the 2M (pmd) level, subsequent mapping requests within the\nsame 1G region will also be at the pmd level, even if adjacent or\noverlapping such requests could have been combined to map a full GB page.\nExisting usage starts with larger regions and then adds smaller regions, so\nthis should not have any great consequence.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkthread: unpark only parked kthread\n\nCalling into kthread unparking unconditionally is mostly harmless when\nthe kthread is already unparked. The wake up is then simply ignored\nbecause the target is not in TASK_PARKED state.\n\nHowever if the kthread is per CPU, the wake up is preceded by a call\nto kthread_bind() which expects the task to be inactive and in\nTASK_PARKED state, which obviously isn't the case if it is unparked.\n\nAs a result, calling kthread_stop() on an unparked per-cpu kthread\ntriggers such a warning:\n\n\tWARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525\n\t <TASK>\n\t kthread_stop+0x17a/0x630 kernel/kthread.c:707\n\t destroy_workqueue+0x136/0xc40 kernel/workqueue.c:5810\n\t wg_destruct+0x1e2/0x2e0 drivers/net/wireguard/device.c:257\n\t netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10693\n\t default_device_exit_batch+0xa14/0xa90 net/core/dev.c:11769\n\t ops_exit_list net/core/net_namespace.c:178 [inline]\n\t cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:640\n\t process_one_work kernel/workqueue.c:3231 [inline]\n\t process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n\t worker_thread+0x86d/0xd70 kernel/workqueue.c:3393\n\t kthread+0x2f0/0x390 kernel/kthread.c:389\n\t ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n\t ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\t </TASK>\n\nFix this with skipping unecessary unparking while stopping a kthread.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()\n\nThis patch addresses an issue with improper reference count handling in the\nice_sriov_set_msix_vec_count() function.\n\nFirst, the function calls ice_get_vf_by_id(), which increments the\nreference count of the vf pointer. If the subsequent call to\nice_get_vf_vsi() fails, the function currently returns an error without\ndecrementing the reference count of the vf pointer, leading to a reference\ncount leak. The correct behavior, as implemented in this patch, is to\ndecrement the reference count using ice_put_vf(vf) before returning an\nerror when vsi is NULL.\n\nSecond, the function calls ice_sriov_get_irqs(), which sets\nvf->first_vector_idx. If this call returns a negative value, indicating an\nerror, the function returns an error without decrementing the reference\ncount of the vf pointer, resulting in another reference count leak. The\npatch addresses this by adding a call to ice_put_vf(vf) before returning\nan error when vf->first_vector_idx < 0.\n\nThis bug was identified by an experimental static analysis tool developed\nby our team. The tool specializes in analyzing reference count operations\nand identifying potential mismanagement of reference counts. In this case,\nthe tool flagged the missing decrement operation as a potential issue,\nleading to this patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()\n\nThis patch addresses a reference count handling issue in the\nice_dpll_init_rclk_pins() function. The function calls ice_dpll_get_pins(),\nwhich increments the reference count of the relevant resources. However,\nif the condition WARN_ON((!vsi || !vsi->netdev)) is met, the function\ncurrently returns an error without properly releasing the resources\nacquired by ice_dpll_get_pins(), leading to a reference count leak.\n\nTo resolve this, the check has been moved to the top of the function. This\nensures that the function verifies the state before any resources are\nacquired, avoiding the need for additional resource management in the\nerror path.\n\nThis bug was identified by an experimental static analysis tool developed\nby our team. The tool specializes in analyzing reference count operations\nand detecting potential issues where resources are not properly managed.\nIn this case, the tool flagged the missing release operation as a\npotential problem, which led to the development of this patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevice-dax: correct pgoff align in dax_set_mapping()\n\npgoff should be aligned using ALIGN_DOWN() instead of ALIGN().  Otherwise,\nvmf->address not aligned to fault_size will be aligned to the next\nalignment, that can result in memory failure getting the wrong address.\n\nIt's a subtle situation that only can be observed in\npage_mapped_in_vma() after the page is page fault handled by\ndev_dax_huge_fault.  Generally, there is little chance to perform\npage_mapped_in_vma in dev-dax's page unless in specific error injection\nto the dax device to trigger an MCE - memory-failure.  In that case,\npage_mapped_in_vma() will be triggered to determine which task is\naccessing the failure address and kill that task in the end.\n\n\nWe used self-developed dax device (which is 2M aligned mapping) , to\nperform error injection to random address.  It turned out that error\ninjected to non-2M-aligned address was causing endless MCE until panic.\nBecause page_mapped_in_vma() kept resulting wrong address and the task\naccessing the failure address was never killed properly:\n\n\n[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.049006] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.448042] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.792026] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.162502] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.461116] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.764730] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.042128] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.464293] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.818090] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3787.085297] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n\nIt took us several weeks to pinpoint this problem,\u00a0 but we eventually\nused bpftrace to trace the page fault and mce address and successfully\nidentified the issue.\n\n\nJoao added:\n\n; Likely we never reproduce in production because we always pin\n: device-dax regions in the region align they provide (Qemu does\n: similarly with prealloc in hugetlb/file backed memory).  I think this\n: bug requires that we touch *unpinned* device-dax regions unaligned to\n: the device-dax selected alignment (page size i.e.  4K/2M/1G)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Remove LED entry from LEDs list on unregister\n\nCommit c938ab4da0eb (\"net: phy: Manual remove LEDs to ensure correct\nordering\") correctly fixed a problem with using devm_ but missed\nremoving the LED entry from the LEDs list.\n\nThis causes a kernel panic in a specific scenario where the port for the PHY\nis torn down and up and the kmod for the PHY is removed.\n\nOn setting the port down the first time, the associated LEDs are\ncorrectly unregistered. The associated kmod for the PHY is now removed.\nThe kmod is now added again and the port is now put up, the associated LEDs\nare registered again.\nOn putting the port down again for the second time after these steps, the\nLED list now has 4 elements, with the first 2 already unregistered\npreviously and the 2 new ones registered again.\n\nThis causes a kernel panic as the first 2 elements should have been\nremoved.\n\nFix this by correctly removing the element when the LED is unregistered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix an unsafe loop on the list\n\nThe kernel may crash when deleting a genetlink family if there are still\nlisteners for that family:\n\nOops: Kernel access of bad area, sig: 11 [#1]\n  ...\n  NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0\n  LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0\n  Call Trace:\n__netlink_clear_multicast_users+0x74/0xc0\ngenl_unregister_family+0xd4/0x2d0\n\nChange the unsafe loop on the list to a safe one, because inside the\nloop there is an element removal from this list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: fnic: Move flush_work initialization out of if block\n\nAfter commit 379a58caa199 (\"scsi: fnic: Move fnic_fnic_flush_tx() to a\nwork queue\"), it can happen that a work item is sent to an uninitialized\nwork queue.  This may have the effect that the item being queued is never\nactually queued, and any further actions depending on it will not\nproceed.\n\nThe following warning is observed while the fnic driver is loaded:\n\nkernel: WARNING: CPU: 11 PID: 0 at ../kernel/workqueue.c:1524 __queue_work+0x373/0x410\nkernel:  <IRQ>\nkernel:  queue_work_on+0x3a/0x50\nkernel:  fnic_wq_copy_cmpl_handler+0x54a/0x730 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]\nkernel:  fnic_isr_msix_wq_copy+0x2d/0x60 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]\nkernel:  __handle_irq_event_percpu+0x36/0x1a0\nkernel:  handle_irq_event_percpu+0x30/0x70\nkernel:  handle_irq_event+0x34/0x60\nkernel:  handle_edge_irq+0x7e/0x1a0\nkernel:  __common_interrupt+0x3b/0xb0\nkernel:  common_interrupt+0x58/0xa0\nkernel:  </IRQ>\n\nIt has been observed that this may break the rediscovery of Fibre\nChannel devices after a temporary fabric failure.\n\nThis patch fixes it by moving the work queue initialization out of\nan if block in fnic_probe().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: wd33c93: Don't use stale scsi_pointer value\n\nA regression was introduced with commit dbb2da557a6a (\"scsi: wd33c93:\nMove the SCSI pointer to private command data\") which results in an oops\nin wd33c93_intr(). That commit added the scsi_pointer variable and\ninitialized it from hostdata->connected. However, during selection,\nhostdata->connected is not yet valid. Fix this by getting the current\nscsi_pointer from hostdata->selecting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Free tzp copy along with the thermal zone\n\nThe object pointed to by tz->tzp may still be accessed after being\nfreed in thermal_zone_device_unregister(), so move the freeing of it\nto the point after the removal completion has been completed at which\nit cannot be accessed any more.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Reference count the zone in thermal_zone_get_by_id()\n\nThere are places in the thermal netlink code where nothing prevents\nthe thermal zone object from going away while being accessed after it\nhas been returned by thermal_zone_get_by_id().\n\nTo address this, make thermal_zone_get_by_id() get a reference on the\nthermal zone device object to be returned with the help of get_device(),\nunder thermal_list_lock, and adjust all of its callers to this change\nwith the help of the cleanup.h infrastructure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync\n\nThis checks if the ACL connection remains valid as it could be destroyed\nwhile hci_enhanced_setup_sync is pending on cmd_sync leading to the\nfollowing trace:\n\nBUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60\nRead of size 1 at addr ffff888002328ffd by task kworker/u5:2/37\n\nCPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? hci_enhanced_setup_sync+0x91b/0xa60\n print_report+0x152/0x4c0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n ? __virt_addr_valid+0x1fa/0x420\n ? hci_enhanced_setup_sync+0x91b/0xa60\n kasan_report+0xda/0x1b0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n hci_enhanced_setup_sync+0x91b/0xa60\n ? __pfx_hci_enhanced_setup_sync+0x10/0x10\n ? __pfx___mutex_lock+0x10/0x10\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n ? __pfx_lock_acquire+0x10/0x10\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x167/0x240\n worker_thread+0x5b7/0xf60\n ? __kthread_parkme+0xac/0x1c0\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x293/0x360\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x70\n ? 
__pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 34:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __hci_conn_add+0x187/0x17d0\n hci_connect_sco+0x2e1/0xb90\n sco_sock_connect+0x2a2/0xb80\n __sys_connect+0x227/0x2a0\n __x64_sys_connect+0x6d/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 37:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x101/0x160\n kfree+0xd0/0x250\n device_release+0x9a/0x210\n kobject_put+0x151/0x280\n hci_conn_del+0x448/0xbf0\n hci_abort_conn_sync+0x46f/0x980\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n worker_thread+0x5b7/0xf60\n kthread+0x293/0x360\n ret_from_fork+0x2f/0x70\n ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/ct: prevent UAF in send_recv()\n\nEnsure we serialize with completion side to prevent UAF with fence going\nout of scope on the stack, since we have no clue if it will fire after\nthe timeout before we can erase from the xa. Also we have some dependent\nloads and stores for which we need the correct ordering, and we lack the\nneeded barriers. Fix this by grabbing the ct->lock after the wait, which\nis also held by the completion side.\n\nv2 (Badal):\n - Also print done after acquiring the lock and seeing timeout.\n\n(cherry picked from commit 52789ce35c55ccd30c4b67b9cc5b2af55e0122ea)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop the active perfmon before being destroyed\n\nWhen running `kmscube` with one or more performance monitors enabled\nvia `GALLIUM_HUD`, the following kernel panic can occur:\n\n[   55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4\n[   55.008368] Mem abort info:\n[   55.008377]   ESR = 0x0000000096000005\n[   55.008387]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   55.008402]   SET = 0, FnV = 0\n[   55.008412]   EA = 0, S1PTW = 0\n[   55.008421]   FSC = 0x05: level 1 translation fault\n[   55.008434] Data abort info:\n[   55.008442]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[   55.008455]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   55.008467]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000\n[   55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[   55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[   55.008542] Modules linked in: rfcomm [...] 
vc4 v3d snd_soc_hdmi_codec drm_display_helper\ngpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb\ndrm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n[   55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G         C         6.6.47+rpt-rpi-v8 #1  Debian 1:6.6.47-1+rpt1\n[   55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n[   55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   55.008855] pc : __mutex_lock.constprop.0+0x90/0x608\n[   55.008879] lr : __mutex_lock.constprop.0+0x58/0x608\n[   55.008895] sp : ffffffc080673cf0\n[   55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28\n[   55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148\n[   55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38\n[   55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000\n[   55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90\n[   55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0\n[   55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04\n[   55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857\n[   55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470\n[   55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470\n[   55.013292] Call trace:\n[   55.013959]  __mutex_lock.constprop.0+0x90/0x608\n[   55.014646]  __mutex_lock_slowpath+0x1c/0x30\n[   55.015317]  mutex_lock+0x50/0x68\n[   55.015961]  v3d_perfmon_stop+0x40/0xe0 [v3d]\n[   55.016627]  v3d_bin_job_run+0x10c/0x2d8 [v3d]\n[   55.017282]  drm_sched_main+0x178/0x3f8 [gpu_sched]\n[   55.017921]  kthread+0x11c/0x128\n[   55.018554]  ret_from_fork+0x10/0x20\n[   55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)\n[   55.019776] ---[ end trace 0000000000000000 ]---\n[   
55.020411] note: v3d_bin[166] exited with preempt_count 1\n\nThis issue arises because, upon closing the file descriptor (which happens\nwhen we interrupt `kmscube`), the active performance monitor is not\nstopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`,\nthe active performance monitor's pointer (`v3d->active_perfmon`) is still\nretained.\n\nIf `kmscube` is run again, the driver will attempt to stop the active\nperformance monitor using the stale pointer in `v3d->active_perfmon`.\nHowever, this pointer is no longer valid because the previous process has\nalready terminated, and all performance monitors associated with it have\nbeen destroyed and freed.\n\nTo fix this, when the active performance monitor belongs to a given\nprocess, explicitly stop it before destroying and freeing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: make slhc_remember() more robust against malicious packets\n\nsyzbot found that slhc_remember() was missing checks against\nmalicious packets [1].\n\nslhc_remember() only checked the size of the packet was at least 20,\nwhich is not good enough.\n\nWe need to make sure the packet includes the IPv4 and TCP header\nthat are supposed to be carried.\n\nAdd iph and th pointers to make the code more readable.\n\n[1]\n\nBUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455\n  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]\n  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212\n  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327\n  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\n  __release_sock+0x1da/0x330 net/core/sock.c:3072\n  release_sock+0x6b/0x250 net/core/sock.c:3626\n  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4091 [inline]\n  slab_alloc_node mm/slub.c:4134 [inline]\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\n  
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n  alloc_skb include/linux/skbuff.h:1322 [inline]\n  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\n  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\n\nEric report a panic on IPPROTO_SMC, and give the facts\nthat when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.\n\nBug: Unable to handle kernel NULL pointer dereference at virtual address\n0000000000000000\nMem abort info:\nESR = 0x0000000086000005\nEC = 0x21: IABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000\n[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,\npud=0000000000000000\nInternal error: Oops: 0000000086000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted\n6.11.0-rc7-syzkaller-g5f5673607153 #0\nHardware name: Google Google Compute Engine/Google Compute Engine,\nBIOS Google 08/06/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : 0x0\nlr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910\nsp : ffff80009b887a90\nx29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000\nx26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00\nx23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000\nx20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee\nx17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001\nx14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003\nx11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000\nCall trace:\n0x0\nnetlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000\nsmack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593\nsmack_socket_post_create+0xa8/0x14c 
security/smack/smack_lsm.c:2973\nsecurity_socket_post_create+0x94/0xd4 security/security.c:4425\n__sock_create+0x4c8/0x884 net/socket.c:1587\nsock_create net/socket.c:1622 [inline]\n__sys_socket_create net/socket.c:1659 [inline]\n__sys_socket+0x134/0x340 net/socket.c:1706\n__do_sys_socket net/socket.c:1720 [inline]\n__se_sys_socket net/socket.c:1718 [inline]\n__arm64_sys_socket+0x7c/0x94 net/socket.c:1718\n__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\ninvoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\nel0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\ndo_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\nel0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: ???????? ???????? ???????? ???????? (????????)\n---[ end trace 0000000000000000 ]---\n\nThis patch adds a toy implementation that performs a simple return to\nprevent such a panic. This is because MSS can be set in sock_create_kern\nor smc_setsockopt, similar to how it's done in AF_SMC. However, for\nAF_SMC, there is currently no way to synchronize MSS within\n__sys_connect_file. This toy implementation lays the groundwork for us\nto support such a feature for IPPROTO_SMC in the future.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix ppp_async_encode() illegal access\n\nsyzbot reported an issue in ppp_async_encode() [1]\n\nIn this case, pppoe_sendmsg() is called with a zero size.\nThen ppp_async_encode() is called with an empty skb.\n\nBUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]\n BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675\n  ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]\n  ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675\n  ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634\n  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]\n  ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304\n  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\n  __release_sock+0x1da/0x330 net/core/sock.c:3072\n  release_sock+0x6b/0x250 net/core/sock.c:3626\n  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4092 [inline]\n  slab_alloc_node mm/slub.c:4135 [inline]\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n  alloc_skb 
include/linux/skbuff.h:1322 [inline]\n  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\n  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\n  sock_sendmsg_nosec net/socket.c:729 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:744\n  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n  __do_sys_sendmmsg net/socket.c:2771 [inline]\n  __se_sys_sendmmsg net/socket.c:2768 [inline]\n  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n   dst_release_immediate(child), this might also cause UAF\n   if the child does not have DST_NOCOUNT set.\n   IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n   which might happen in future kernels.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only cleanup deferred I/O if necessary\n\nCommit 5a498d4d06d6 (\"drm/fbdev-dma: Only install deferred I/O if\nnecessary\") initializes deferred I/O only if it is used.\ndrm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()\nunconditionally with struct fb_info.fbdefio == NULL. KASAN with the\nout-of-tree Apple silicon display driver posts following warning from\n__flush_work() of a random struct work_struct instead of the expected\nNULL pointer derefs.\n\n[   22.053799] ------------[ cut here ]------------\n[   22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580\n[   22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram\n[   22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev\n[   22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[   22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   22.078567] pc : __flush_work+0x4d8/0x580\n[   22.079471] lr : __flush_work+0x54/0x580\n[   22.080345] sp : ffffc000836ef820\n[   
22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128\n[   22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358\n[   22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470\n[   22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000\n[   22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005\n[   22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000\n[   22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e\n[   22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001\n[   22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020\n[   22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000\n[   22.096955] Call trace:\n[   22.097505]  __flush_work+0x4d8/0x580\n[   22.098330]  flush_delayed_work+0x80/0xb8\n[   22.099231]  fb_deferred_io_cleanup+0x3c/0x130\n[   22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]\n[   22.101559]  unregister_framebuffer+0x210/0x2f0\n[   22.102575]  drm_fb_helper_unregister_info+0x48/0x60\n[   22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]\n[   22.105147]  drm_client_dev_unregister+0x1cc/0x230\n[   22.106217]  drm_dev_unregister+0x58/0x570\n[   22.107125]  apple_drm_unbind+0x50/0x98 [appledrm]\n[   22.108199]  component_del+0x1f8/0x3a8\n[   22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]\n[   22.110357]  platform_shutdown+0x70/0x90\n[   22.111219]  device_shutdown+0x368/0x4d8\n[   22.112095]  kernel_restart+0x6c/0x1d0\n[   22.112946]  __arm64_sys_reboot+0x1c8/0x328\n[   22.113868]  invoke_syscall+0x78/0x1a8\n[   22.114703]  do_el0_svc+0x124/0x1a0\n[   22.115498]  el0_svc+0x3c/0xe0\n[   22.116181]  el0t_64_sync_handler+0x70/0xc0\n[   22.117110]  el0t_64_sync+0x190/0x198\n[   22.117931] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xtables: avoid NFPROTO_UNSPEC where needed\n\nsyzbot managed to call xt_cluster match via ebtables:\n\n WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780\n [..]\n ebt_do_table+0x174b/0x2a40\n\nModule registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet\nprocessing.  As this is only useful to restrict locally terminating\nTCP/UDP traffic, register this for ipv4 and ipv6 family only.\n\nPablo points out that this is a general issue, direct users of the\nset/getsockopt interface can call into targets/matches that were only\nintended for use with ip(6)tables.\n\nCheck all UNSPEC matches and targets for similar issues:\n\n- matches and targets are fine except if they assume skb_network_header()\n  is valid -- this is only true when called from inet layer: ip(6) stack\n  pulls the ip/ipv6 header into linear data area.\n- targets that return XT_CONTINUE or other xtables verdicts must be\n  restricted too, they are incompatbile with the ebtables traverser, e.g.\n  EBT_CONTINUE is a completely different value than XT_CONTINUE.\n\nMost matches/targets are changed to register for NFPROTO_IPV4/IPV6, as\nthey are provided for use by ip(6)tables.\n\nThe MARK target is also used by arptables, so register for NFPROTO_ARP too.\n\nWhile at it, bail out if connbytes fails to enable the corresponding\nconntrack family.\n\nThis change passes the selftests in iptables.git.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: accept TCA_STAB only for root qdisc\n\nMost qdiscs maintain their backlog using qdisc_pkt_len(skb)\non the assumption it is invariant between the enqueue()\nand dequeue() handlers.\n\nUnfortunately syzbot can crash a host rather easily using\na TBF + SFQ combination, with an STAB on SFQ [1]\n\nWe can't support TCA_STAB on arbitrary level, this would\nrequire to maintain per-qdisc storage.\n\n[1]\n[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   88.798611] #PF: supervisor read access in kernel mode\n[   88.799014] #PF: error_code(0x0000) - not-present page\n[   88.799506] PGD 0 P4D 0\n[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI\n[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117\n[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00\nAll code\n========\n   0:\t0f b7 50 12          \tmovzwl 0x12(%rax),%edx\n   4:\t48 8d 04 d5 00 00 00 \tlea    0x0(,%rdx,8),%rax\n   b:\t00\n   c:\t48 89 d6             \tmov    %rdx,%rsi\n   f:\t48 29 d0             \tsub    %rdx,%rax\n  12:\t48 8b 91 c0 01 00 00 \tmov    0x1c0(%rcx),%rdx\n  19:\t48 c1 e0 03          \tshl    $0x3,%rax\n  1d:\t48 01 c2             \tadd    %rax,%rdx\n  20:\t66 83 7a 1a 00       \tcmpw   $0x0,0x1a(%rdx)\n  25:\t7e c0                \tjle    0xffffffffffffffe7\n  27:\t48 8b 3a             \tmov    (%rdx),%rdi\n  2a:*\t4c 8b 07             \tmov    (%rdi),%r8\t\t<-- trapping instruction\n  2d:\t4c 89 02             \tmov    %r8,(%rdx)\n  30:\t49 89 50 08          
\tmov    %rdx,0x8(%r8)\n  34:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  3b:\t00\n  3c:\t48                   \trex.W\n  3d:\tc7                   \t.byte 0xc7\n  3e:\t07                   \t(bad)\n\t...\n\nCode starting with the faulting instruction\n===========================================\n   0:\t4c 8b 07             \tmov    (%rdi),%r8\n   3:\t4c 89 02             \tmov    %r8,(%rdx)\n   6:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n   a:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  11:\t00\n  12:\t48                   \trex.W\n  13:\tc7                   \t.byte 0xc7\n  14:\t07                   \t(bad)\n\t...\n[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206\n[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800\n[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000\n[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f\n[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140\n[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac\n[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000\n[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0\n[   88.808165] Call Trace:\n[   88.808459]  <TASK>\n[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)\n[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)\n[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n[   88.810074] ? 
sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq\n[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Do not bring the device up after non-fatal error\n\nCommit 004d25060c78 (\"igb: Fix igb_down hung on surprise removal\")\nchanged igb_io_error_detected() to ignore non-fatal pcie errors in order\nto avoid hung task that can happen when igb_down() is called multiple\ntimes. This caused an issue when processing transient non-fatal errors.\nigb_io_resume(), which is called after igb_io_error_detected(), assumes\nthat device is brought down by igb_io_error_detected() if the interface\nis up. This resulted in panic with stacktrace below.\n\n[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down\n[  T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0\n[  T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)\n[  T292] igb 0000:09:00.0:   device [8086:1537] error status/mask=00004000/00000000\n[  T292] igb 0000:09:00.0:    [14] CmpltTO [  200.105524,009][  T292] igb 0000:09:00.0: AER:   TLP Header: 00000000 00000000 00000000 00000000\n[  T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message\n[  T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.\n[  T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message\n[  T292] pcieport 0000:00:1c.5: AER: broadcast resume message\n[  T292] ------------[ cut here ]------------\n[  T292] kernel BUG at net/core/dev.c:6539!\n[  T292] invalid opcode: 0000 [#1] PREEMPT SMP\n[  T292] RIP: 0010:napi_enable+0x37/0x40\n[  T292] Call Trace:\n[  T292]  <TASK>\n[  T292]  ? die+0x33/0x90\n[  T292]  ? do_trap+0xdc/0x110\n[  T292]  ? napi_enable+0x37/0x40\n[  T292]  ? do_error_trap+0x70/0xb0\n[  T292]  ? napi_enable+0x37/0x40\n[  T292]  ? napi_enable+0x37/0x40\n[  T292]  ? exc_invalid_op+0x4e/0x70\n[  T292]  ? napi_enable+0x37/0x40\n[  T292]  ? asm_exc_invalid_op+0x16/0x20\n[  T292]  ? 
napi_enable+0x37/0x40\n[  T292]  igb_up+0x41/0x150\n[  T292]  igb_io_resume+0x25/0x70\n[  T292]  report_resume+0x54/0x70\n[  T292]  ? report_frozen_detected+0x20/0x20\n[  T292]  pci_walk_bus+0x6c/0x90\n[  T292]  ? aer_print_port_info+0xa0/0xa0\n[  T292]  pcie_do_recovery+0x22f/0x380\n[  T292]  aer_process_err_devices+0x110/0x160\n[  T292]  aer_isr+0x1c1/0x1e0\n[  T292]  ? disable_irq_nosync+0x10/0x10\n[  T292]  irq_thread_fn+0x1a/0x60\n[  T292]  irq_thread+0xe3/0x1a0\n[  T292]  ? irq_set_affinity_notifier+0x120/0x120\n[  T292]  ? irq_affinity_notify+0x100/0x100\n[  T292]  kthread+0xe2/0x110\n[  T292]  ? kthread_complete_and_exit+0x20/0x20\n[  T292]  ret_from_fork+0x2d/0x50\n[  T292]  ? kthread_complete_and_exit+0x20/0x20\n[  T292]  ret_from_fork_asm+0x11/0x20\n[  T292]  </TASK>\n\nTo fix this issue igb_io_resume() checks if the interface is running and\nthe device is not down this means igb_io_error_detected() did not bring\nthe device down and there is no need to bring it up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix macvlan leak by synchronizing access to mac_filter_hash\n\nThis patch addresses a macvlan leak issue in the i40e driver caused by\nconcurrent access to vsi->mac_filter_hash. The leak occurs when multiple\nthreads attempt to modify the mac_filter_hash simultaneously, leading to\ninconsistent state and potential memory leaks.\n\nTo fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing\nvf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock),\nensuring atomic operations and preventing concurrent access.\n\nAdditionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in\ni40e_add_mac_filter() to help catch similar issues in the future.\n\nReproduction steps:\n1. Spawn VFs and configure port vlan on them.\n2. Trigger concurrent macvlan operations (e.g., adding and deleting\n\tportvlan and/or mac filters).\n3. Observe the potential memory leak and inconsistent state in the\n\tmac_filter_hash.\n\nThis synchronization ensures the integrity of the mac_filter_hash and prevents\nthe described leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix increasing MSI-X on VF\n\nIncreasing MSI-X value on a VF leads to invalid memory operations. This\nis caused by not reallocating some arrays.\n\nReproducer:\n  modprobe ice\n  echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe\n  echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs\n  echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count\n\nDefault MSI-X is 16, so 17 and above triggers this issue.\n\nKASAN reports:\n\n  BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n  Read of size 8 at addr ffff8888b937d180 by task bash/28433\n  (...)\n\n  Call Trace:\n   (...)\n   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   kasan_report+0xed/0x120\n   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n   ice_vsi_cfg_def+0x3360/0x4770 [ice]\n   ? mutex_unlock+0x83/0xd0\n   ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]\n   ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]\n   ice_vsi_cfg+0x7f/0x3b0 [ice]\n   ice_vf_reconfig_vsi+0x114/0x210 [ice]\n   ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]\n   sriov_vf_msix_count_store+0x21c/0x300\n   (...)\n\n  Allocated by task 28201:\n   (...)\n   ice_vsi_cfg_def+0x1c8e/0x4770 [ice]\n   ice_vsi_cfg+0x7f/0x3b0 [ice]\n   ice_vsi_setup+0x179/0xa30 [ice]\n   ice_sriov_configure+0xcaa/0x1520 [ice]\n   sriov_numvfs_store+0x212/0x390\n   (...)\n\nTo fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This\ncauses the required arrays to be reallocated taking the new queue count\ninto account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq\nbefore ice_vsi_rebuild(), so that realloc uses the newly set queue\ncount.\n\nAdditionally, ice_vsi_rebuild() does not remove VSI filters\n(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer\nnecessary.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix possible badness in FREE_STATEID\n\nWhen multiple FREE_STATEIDs are sent for the same delegation stateid,\nit can lead to a possible either use-after-free or counter refcount\nunderflow errors.\n\nIn nfsd4_free_stateid() under the client lock we find a delegation\nstateid, however the code drops the lock before calling nfs4_put_stid(),\nthat allows another FREE_STATE to find the stateid again. The first one\nwill proceed to then free the stateid which leads to either\nuse-after-free or decrementing already zeroed counter.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change\n\nrfcomm_sk_state_change attempts to use sock_lock so it must never be\ncalled with it locked but rfcomm_sock_ioctl always attempt to lock it\ncausing the following trace:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted\n------------------------------------------------------\nsyz-executor386/5093 is trying to acquire lock:\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73\n\nbut task is already holding lock:\nffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: fix panic with metadata_dst skb\n\nFix a kernel panic in the br_netfilter module when sending untagged\ntraffic via a VxLAN device.\nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.\n\nIt is dependent on:\n1) the br_netfilter module being loaded;\n2) net.bridge.bridge-nf-call-iptables set to 1;\n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;\n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded\n\nWhen forwarding the untagged packet to the VxLAN bridge port, before\nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and\nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type\nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.\n\nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check\nfor frames that needs to be fragmented: frames with higher MTU than the\nVxLAN device end up calling br_nf_ip_fragment, which in turns call\nip_skb_dst_mtu.\n\nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst\nwith valid dst->dev, thus the crash.\n\nThis case was never supported in the first place, so drop the packet\ninstead.\n\nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.\n[  176.291791] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000110\n[  176.292101] Mem abort info:\n[  176.292184]   ESR = 0x0000000096000004\n[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  176.292530]   SET = 0, FnV = 0\n[  176.292709]   EA = 0, S1PTW = 0\n[  176.292862]   FSC = 0x04: level 0 translation fault\n[  176.293013] Data abort info:\n[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  176.293995] user pgtable: 
4k pages, 48-bit VAs, pgdp=0000000043ef5000\n[  176.294166] [0000000000000110] pgd=0000000000000000,\np4d=0000000000000000\n[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth\nbr_netfilter bridge stp llc ipv6 crct10dif_ce\n[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted\n6.8.0-rc3-g5b3fbd61b9d1 #2\n[  176.296314] Hardware name: linux,dummy-virt (DT)\n[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]\n[  176.297636] sp : ffff800080003630\n[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:\nffff6828c49ad9f8\n[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:\n00000000000003e8\n[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:\nffff6828c3b16d28\n[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:\n0000000000000014\n[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:\n0000000095744632\n[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:\nffffb7e137926a70\n[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :\n0000000000000000\n[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :\nf20e0100bebafeca\n[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :\n0000000000000000\n[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :\nffff6828c7f918f0\n[  176.300889] Call trace:\n[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]\n[  176.301703]  nf_hook_slow+0x48/0x124\n[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]\n[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]\n[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]\n[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]\n[  176.303136]  
br_nf_forward+0x2b8/0x4e0 [br_netfilter]\n[  176.303359]  nf_hook_slow+0x48/0x124\n[  176.303\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()\n\nOn the node of an NFS client, some files saved in the mountpoint of the\nNFS server were copied to another location of the same NFS server.\nAccidentally, the nfs42_complete_copies() got a NULL-pointer dereference\ncrash with the following syslog:\n\n[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116\n[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116\n[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n[232066.588586] Mem abort info:\n[232066.588701]   ESR = 0x0000000096000007\n[232066.588862]   EC = 0x25: DABT (current EL), IL = 32 bits\n[232066.589084]   SET = 0, FnV = 0\n[232066.589216]   EA = 0, S1PTW = 0\n[232066.589340]   FSC = 0x07: level 3 translation fault\n[232066.589559] Data abort info:\n[232066.589683]   ISV = 0, ISS = 0x00000007\n[232066.589842]   CM = 0, WnR = 0\n[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400\n[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000\n[232066.590757] Internal error: Oops: 96000007 [#1] SMP\n[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre 
ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2\n[232066.591052]  vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs\n[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1\n[232066.597356] Hardware name: Great Wall .\\x93\\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06\n[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]\n[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]\n[232066.598595] sp : ffff8000f568fc70\n[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000\n[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001\n[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050\n[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000\n[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000\n[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 
00000000eac0c6e6\n[232066.600498] x11: 00000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in async decryption\n\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\n\nReproducer:\n    # mount.cifs -o ...,seal,esize=1 //srv/share /mnt\n    # dd if=/mnt/largefile of=/dev/null\n    ...\n    [  194.196391] ==================================================================\n    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n    [  194.197707]\n    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n    [  194.200032] Call Trace:\n    [  194.200191]  <TASK>\n    [  194.200327]  dump_stack_lvl+0x4e/0x70\n    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.200809]  print_report+0x174/0x505\n    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n    [  194.201352]  ? srso_return_thunk+0x5/0x5f\n    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0\n    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202128]  kasan_report+0xc8/0x150\n    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110\n    [  194.202616]  gf128mul_4k_lle+0xc1/0x110\n    [  194.202863]  ghash_update+0x184/0x210\n    [  194.203103]  shash_ahash_update+0x184/0x2a0\n    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10\n    [  194.203651]  ? srso_return_thunk+0x5/0x5f\n    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340\n    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140\n    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]\n    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]\n    [  194.208507]  ? 
srso_return_thunk+0x5/0x5f\n    [  194.209205]  ? srso_return_thunk+0x5/0x5f\n    [  194.209925]  ? srso_return_thunk+0x5/0x5f\n    [  194.210443]  ? srso_return_thunk+0x5/0x5f\n    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]\n    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n    [  194.214670]  ? srso_return_thunk+0x5/0x5f\n    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]\n\nThis is because TFM is being used in parallel.\n\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\n\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it's always going to be a synchronous operation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Fix a NULL pointer dereference issue in fbcon_putcs\n\nsyzbot has found a NULL pointer dereference bug in fbcon.\nHere is the simplified C reproducer:\n\nstruct param {\n\tuint8_t type;\n\tstruct tiocl_selection ts;\n};\n\nint main()\n{\n\tstruct fb_con2fbmap con2fb;\n\tstruct param param;\n\n\tint fd = open(\"/dev/fb1\", 0, 0);\n\n\tcon2fb.console = 0x19;\n\tcon2fb.framebuffer = 0;\n\tioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);\n\n\tparam.type = 2;\n\tparam.ts.xs = 0; param.ts.ys = 0;\n\tparam.ts.xe = 0; param.ts.ye = 0;\n\tparam.ts.sel_mode = 0;\n\n\tint fd1 = open(\"/dev/tty1\", O_RDWR, 0);\n\tioctl(fd1, TIOCLINUX, &param);\n\n\tcon2fb.console = 1;\n\tcon2fb.framebuffer = 0;\n\tioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);\n\n\treturn 0;\n}\n\nAfter calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)\ncauses the kernel to follow a different execution path:\n\n set_con2fb_map\n  -> con2fb_init_display\n   -> fbcon_set_disp\n    -> redraw_screen\n     -> hide_cursor\n      -> clear_selection\n       -> highlight\n        -> invert_screen\n         -> do_update_region\n          -> fbcon_putcs\n           -> ops->putcs\n\nSince ops->putcs is a NULL pointer, this leads to a kernel panic.\nTo prevent this, we need to call set_blitting_type() within set_con2fb_map()\nto properly initialize ops->putcs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointer before dereferencing se\n\n[WHAT & HOW]\nse is null checked previously in the same function, indicating\nit might be null; therefore, it must be checked when used again.\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: Add cancel_work_sync before module remove\n\nIf we remove the module which will call mpc52xx_spi_remove\nit will free 'ms' through spi_unregister_controller.\nwhile the work ms->work will be used. The sequence of operations\nthat may lead to a UAF bug.\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in mpc52xx_spi_remove.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-50055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: bus: Fix double free in driver API bus_register()\n\nFor bus_register(), any error which happens after kset_register() will\ncause @priv to be freed twice, fixed by setting @priv to NULL after\nthe first free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c\n\nFix potential dereferencing of ERR_PTR() in find_format_by_pix()\nand uvc_v4l2_enum_format().\n\nFix the following smatch errors:\n\ndrivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()\nerror: 'fmtdesc' dereferencing possible ERR_PTR()\n\ndrivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()\nerror: 'fmtdesc' dereferencing possible ERR_PTR()\n\nAlso, fix similar issue in uvc_v4l2_try_format() for potential\ndereferencing of ERR_PTR().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Free IRQ only if it was requested before\n\nIn polling mode, if no IRQ was requested there is no need to free it.\nCall devm_free_irq() only if client->irq is set. This fixes the warning\ncaused by the tps6598x module removal:\n\nWARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c\n...\n...\nCall trace:\n  devm_free_irq+0x80/0x8c\n  tps6598x_remove+0x28/0x88 [tps6598x]\n  i2c_device_remove+0x2c/0x9c\n  device_remove+0x4c/0x80\n  device_release_driver_internal+0x1cc/0x228\n  driver_detach+0x50/0x98\n  bus_remove_driver+0x6c/0xbc\n  driver_unregister+0x30/0x60\n  i2c_del_driver+0x54/0x64\n  tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]\n  __arm64_sys_delete_module+0x184/0x264\n  invoke_syscall+0x48/0x110\n  el0_svc_common.constprop.0+0xc8/0xe8\n  do_el0_svc+0x20/0x2c\n  el0_svc+0x28/0x98\n  el0t_64_sync_handler+0x13c/0x158\n  el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: protect uart_port_dtr_rts() in uart_shutdown() too\n\nCommit af224ca2df29 (serial: core: Prevent unsafe uart port access, part\n3) added a few uport == NULL checks. It added one to uart_shutdown(), so\nthe commit assumes uport can be NULL in there. But right after that\nprotection, there is an unprotected \"uart_port_dtr_rts(uport, false);\"\ncall. That is invoked only if HUPCL is set, so I assume that is the\nreason why we do not see lots of these reports.\n\nOr it cannot be NULL at this point at all for some reason :P.\n\nUntil the above is investigated, stay on the safe side and move this\ndereference to the if too.\n\nI got this inconsistency from Coverity under CID 1585130. Thanks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition\n\nIn the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev\nfunction, then &sndev->check_link_status_work is bound with\ncheck_link_status_work. switchtec_ntb_link_notification may be called\nto start the work.\n\nIf we remove the module which will call switchtec_ntb_remove to make\ncleanup, it will free sndev through kfree(sndev), while the work\nmentioned above will be used. The sequence of operations that may lead\nto a UAF bug is as follows:\n\nCPU0                                 CPU1\n\n                        | check_link_status_work\nswitchtec_ntb_remove    |\nkfree(sndev);           |\n                        | if (sndev->link_force_down)\n                        | // use sndev\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in switchtec_ntb_remove.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check if we need to reschedule during overflow flush\n\nIn terms of normal application usage, this list will always be empty.\nAnd if an application does overflow a bit, it'll have a few entries.\nHowever, nothing obviously prevents syzbot from running a test case\nthat generates a ton of overflow entries, and then flushing them can\ntake quite a while.\n\nCheck for needing to reschedule while flushing, and drop our locks and\ndo so if necessary. There's no state to maintain here as overflows\nalways prune from head-of-list, hence it's fine to drop and reacquire\nthe locks at the end of the loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, &master->hj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | cdns_i3c_master_hj\ncdns_i3c_master_remove               |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev)      |\ndevice_release                       |\n//free master->base                  |\n                                     | i3c_master_do_daa(&master->base)\n                                     | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-srv: Avoid null pointer deref during path establishment\n\nFor RTRS path establishment, RTRS client initiates and completes con_num\nof connections. After establishing all its connections, the information\nis exchanged between the client and server through the info_req message.\nDuring this exchange, it is essential that all connections have been\nestablished, and the state of the RTRS srv path is CONNECTED.\n\nSo add these sanity checks, to make sure we detect and abort process in\nerror scenarios to avoid null pointer deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tail call between progs attached to different hooks\n\nbpf progs can be attached to kernel functions, and the attached functions\ncan take different parameters or return different return values. If\nprog attached to one kernel function tail calls prog attached to another\nkernel function, the ctx access or return value verification could be\nbypassed.\n\nFor example, if prog1 is attached to func1 which takes only 1 parameter\nand prog2 is attached to func2 which takes two parameters. Since verifier\nassumes the bpf ctx passed to prog2 is constructed based on func2's\nprototype, verifier allows prog2 to access the second parameter from\nthe bpf ctx passed to it. The problem is that verifier does not prevent\nprog1 from passing its bpf ctx to prog2 via tail call. In this case,\nthe bpf ctx passed to prog2 is constructed from func1 instead of func2,\nthat is, the assumption for ctx access verification is bypassed.\n\nAnother example, if BPF LSM prog1 is attached to hook file_alloc_security,\nand BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier\nknows the return value rules for these two hooks, e.g. it is legal for\nbpf_lsm_audit_rule_known to return positive number 1, and it is illegal\nfor file_alloc_security to return positive number. So verifier allows\nprog2 to return positive number 1, but does not allow prog1 to return\npositive number. The problem is that verifier does not prevent prog1\nfrom calling prog2 via tail call. In this case, prog2's return value 1\nwill be used as the return value for prog1's hook file_alloc_security.\nThat is, the return value rule is bypassed.\n\nThis patch adds restriction for tail call to prevent such bypasses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: free secondary algorithms names\n\nWe need to kfree() secondary algorithms names when reset zram device that\nhad multi-streams, otherwise we leak memory.\n\n[senozhatsky@chromium.org: kfree(NULL) is legal]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Change to non-blocking allocation in ntfs_d_hash\n\nd_hash is done while under \"rcu-walk\" and should not sleep.\n__get_name() allocates using GFP_KERNEL, having the possibility\nto sleep when under memory pressure. Change the allocation to\nGFP_NOWAIT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix move_normal_pmd/retract_page_tables race\n\nIn mremap(), move_page_tables() looks at the type of the PMD entry and the\nspecified address range to figure out by which method the next chunk of\npage table entries should be moved.\n\nAt that point, the mmap_lock is held in write mode, but no rmap locks are\nheld yet.  For PMD entries that point to page tables and are fully covered\nby the source address range, move_pgt_entry(NORMAL_PMD, ...) is called,\nwhich first takes rmap locks, then does move_normal_pmd(). \nmove_normal_pmd() takes the necessary page table locks at source and\ndestination, then moves an entire page table from the source to the\ndestination.\n\nThe problem is: The rmap locks, which protect against concurrent page\ntable removal by retract_page_tables() in the THP code, are only taken\nafter the PMD entry has been read and it has been decided how to move it. \nSo we can race as follows (with two processes that have mappings of the\nsame tmpfs file that is stored on a tmpfs mount with huge=advise); note\nthat process A accesses page tables through the MM while process B does it\nthrough the file rmap:\n\nprocess A                      process B\n=========                      =========\nmremap\n  mremap_to\n    move_vma\n      move_page_tables\n        get_old_pmd\n        alloc_new_pmd\n                      *** PREEMPT ***\n                               madvise(MADV_COLLAPSE)\n                                 do_madvise\n                                   madvise_walk_vmas\n                                     madvise_vma_behavior\n                                       madvise_collapse\n                                         hpage_collapse_scan_file\n                                           collapse_file\n                                             retract_page_tables\n                                               i_mmap_lock_read(mapping)\n                                               pmdp_collapse_flush\n                                               i_mmap_unlock_read(mapping)\n        move_pgt_entry(NORMAL_PMD, ...)\n          take_rmap_locks\n          move_normal_pmd\n          drop_rmap_locks\n\nWhen this happens, move_normal_pmd() can end up creating bogus PMD entries\nin the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`.  The effect\ndepends on arch-specific and machine-specific details; on x86, you can end\nup with physical page 0 mapped as a page table, which is likely\nexploitable for user->kernel privilege escalation.\n\nFix the race by letting process B recheck that the PMD still points to a\npage table after the rmap locks have been taken.  Otherwise, we bail and\nlet the caller fall back to the PTE-level copying path, which will then\nbail immediately at the pmd_none() check.\n\nBug reachability: Reaching this bug requires that you can create\nshmem/file THP mappings - anonymous THP uses different code that doesn't\nzap stuff under rmap locks.  File THP is gated on an experimental config\nflag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need\nshmem THP to hit this bug.  As far as I know, getting shmem THP normally\nrequires that you can mount your own tmpfs with the right mount flags,\nwhich would require creating your own user+mount namespace; though I don't\nknow if some distros maybe enable shmem THP by default or something like\nthat.\n\nBug impact: This issue can likely be used for user->kernel privilege\nescalation when it is reachable.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobe: avoid out-of-bounds memory access of fetching args\n\nUprobe needs to fetch args into a percpu buffer, and then copy to ring\nbuffer to avoid non-atomic context problem.\n\nSometimes user-space strings, arrays can be very large, but the size of\npercpu buffer is only page size. And store_trace_args() won't check\nwhether these data exceeds a single page or not, caused out-of-bounds\nmemory access.\n\nIt could be reproduced by following steps:\n1. build kernel with CONFIG_KASAN enabled\n2. save follow program as test.c\n\n```\n\\#include <stdio.h>\n\\#include <stdlib.h>\n\\#include <string.h>\n\n// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()\n// will return 0, cause __get_data_size() return shorter size, and\n// store_trace_args() will not trigger out-of-bounds access.\n// So make string length less than 4096.\n\\#define STRLEN 4093\n\nvoid generate_string(char *str, int n)\n{\n    int i;\n    for (i = 0; i < n; ++i)\n    {\n        char c = i % 26 + 'a';\n        str[i] = c;\n    }\n    str[n-1] = '\\0';\n}\n\nvoid print_string(char *str)\n{\n    printf(\"%s\\n\", str);\n}\n\nint main()\n{\n    char tmp[STRLEN];\n\n    generate_string(tmp, STRLEN);\n    print_string(tmp);\n\n    return 0;\n}\n```\n3. compile program\n`gcc -o test test.c`\n\n4. get the offset of `print_string()`\n```\nobjdump -t test | grep -w print_string\n0000000000401199 g     F .text  000000000000001b              print_string\n```\n\n5. configure uprobe with offset 0x1199\n```\noff=0x1199\n\ncd /sys/kernel/debug/tracing/\necho \"p /root/test:${off} arg1=+0(%di):ustring arg2=\\$comm arg3=+0(%di):ustring\"\n > uprobe_events\necho 1 > events/uprobes/enable\necho 1 > tracing_on\n```\n\n6. run `test`, and kasan will report error.\n==================================================================\nBUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0\nWrite of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18\nHardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x27/0x310\n kasan_report+0x10f/0x120\n ? strncpy_from_user+0x1d6/0x1f0\n strncpy_from_user+0x1d6/0x1f0\n ? rmqueue.constprop.0+0x70d/0x2ad0\n process_fetch_insn+0xb26/0x1470\n ? __pfx_process_fetch_insn+0x10/0x10\n ? _raw_spin_lock+0x85/0xe0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __pte_offset_map+0x1f/0x2d0\n ? unwind_next_frame+0xc5f/0x1f80\n ? arch_stack_walk+0x68/0xf0\n ? is_bpf_text_address+0x23/0x30\n ? kernel_text_address.part.0+0xbb/0xd0\n ? __kernel_text_address+0x66/0xb0\n ? unwind_get_return_address+0x5e/0xa0\n ? __pfx_stack_trace_consume_entry+0x10/0x10\n ? arch_stack_walk+0xa2/0xf0\n ? _raw_spin_lock_irqsave+0x8b/0xf0\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? depot_alloc_stack+0x4c/0x1f0\n ? _raw_spin_unlock_irqrestore+0xe/0x30\n ? stack_depot_save_flags+0x35d/0x4f0\n ? kasan_save_stack+0x34/0x50\n ? kasan_save_stack+0x24/0x50\n ? mutex_lock+0x91/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n prepare_uprobe_buffer.part.0+0x2cd/0x500\n uprobe_dispatcher+0x2c3/0x6a0\n ? __pfx_uprobe_dispatcher+0x10/0x10\n ? __kasan_slab_alloc+0x4d/0x90\n handler_chain+0xdd/0x3e0\n handle_swbp+0x26e/0x3d0\n ? __pfx_handle_swbp+0x10/0x10\n ? uprobe_pre_sstep_notifier+0x151/0x1b0\n irqentry_exit_to_user_mode+0xe2/0x1b0\n asm_exc_int3+0x39/0x40\nRIP: 0033:0x401199\nCode: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce\nRSP: 002b:00007ffdf00576a8 EFLAGS: 00000206\nRAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2\nRDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0\nRBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20\nR10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040\nR13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nThis commit enforces the buffer's maxlen less than a page-size to avoid\nstore_trace_args() out-of-memory access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets()\n\nThe sysfs_target->regions allocated in damon_sysfs_regions_alloc() is not\nfreed in damon_sysfs_test_add_targets(), which causes the following memory\nleak; free it to fix it.\n\n\tunreferenced object 0xffffff80c2a8db80 (size 96):\n\t  comm \"kunit_try_catch\", pid 187, jiffies 4294894363\n\t  hex dump (first 32 bytes):\n\t    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n\t    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n\t  backtrace (crc 0):\n\t    [<0000000001e3714d>] kmemleak_alloc+0x34/0x40\n\t    [<000000008e6835c1>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<000000001286d9f8>] damon_sysfs_test_add_targets+0x1cc/0x738\n\t    [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac\n\t    [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000adf936cf>] kthread+0x2e8/0x374\n\t    [<0000000041bb1628>] ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: apple: check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this returned\nvalue is not checked. Fix this lack and check the returned value.\n\nFound by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: stm32: check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this returned\nvalue is not checked. Fix this lack and check the returned value.\n\nFound by code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()\n\n'new_map' is allocated using devm_* which takes care of freeing the\nallocated data on device removal, call to\n\n\t.dt_free_map = pinconf_generic_dt_free_map\n\ndouble frees the map as pinconf_generic_dt_free_map() calls\npinctrl_utils_free_map().\n\nFix this by using kcalloc() instead of auto-managed devm_kcalloc().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bugs: Use code segment selector for VERW operand\n\nRobert Gill reported below #GP in 32-bit mode when dosemu software was\nexecuting vm86() system call:\n\n  general protection fault: 0000 [#1] PREEMPT SMP\n  CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1\n  Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010\n  EIP: restore_all_switch_stack+0xbe/0xcf\n  EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000\n  ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc\n  DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046\n  CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0\n  Call Trace:\n   show_regs+0x70/0x78\n   die_addr+0x29/0x70\n   exc_general_protection+0x13c/0x348\n   exc_bounds+0x98/0x98\n   handle_exception+0x14d/0x14d\n   exc_bounds+0x98/0x98\n   restore_all_switch_stack+0xbe/0xcf\n   exc_bounds+0x98/0x98\n   restore_all_switch_stack+0xbe/0xcf\n\nThis only happens in 32-bit mode when VERW based mitigations like MDS/RFDS\nare enabled. This is because segment registers with an arbitrary user value\ncan result in #GP when executing VERW. Intel SDM vol. 2C documents the\nfollowing behavior for VERW instruction:\n\n  #GP(0) - If a memory operand effective address is outside the CS, DS, ES,\n\t   FS, or GS segment limit.\n\nCLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user\nspace. Use %cs selector to reference VERW operand. This ensures VERW will\nnot #GP for an arbitrary user %ds.\n\n[ mingo: Fixed the SOB chain. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: Fix use-after-free in gsm_cleanup_mux\n\nBUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0\ndrivers/tty/n_gsm.c:3160 [n_gsm]\nRead of size 8 at addr ffff88815fe99c00 by task poc/3379\nCPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56\nHardware name: VMware, Inc. VMware Virtual Platform/440BX\nDesktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n <TASK>\n gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]\n __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]\n __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389\n update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500\n __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846\n __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161\n gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]\n _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107\n __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]\n ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195\n ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79\n __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338\n __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805\n tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818\n\nAllocated by task 65:\n gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]\n gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]\n gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]\n gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]\n tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391\n tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39\n flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445\n process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229\n worker_thread+0x3dc/0x950 kernel/workqueue.c:3391\n kthread+0x2a3/0x370 kernel/kthread.c:389\n ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257\n\nFreed by task 3367:\n kfree+0x126/0x420 mm/slub.c:4580\n gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]\n gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]\n tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818\n\n[Analysis]\ngsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux\ncan be freed by multiple threads through ioctl, which leads\nto the occurrence of uaf. Protect it by gsm tx lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparport: Proper fix for array out-of-bounds access\n\nThe recent fix for array out-of-bounds accesses replaced sprintf()\ncalls blindly with snprintf().  However, since snprintf() returns the\nwould-be-printed size, not the actually output size, the length\ncalculation can still go over the given limit.\n\nUse scnprintf() instead of snprintf(), which returns the actually\noutput letters, for addressing the potential out-of-bounds access\nproperly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: tegra: fix checked USB2 port number\n\nIf USB virtualization is enabled, USB2 ports are shared between all\nVirtual Functions. The USB2 port number owned by a USB2 root hub in\na Virtual Function may be less than total USB2 phy number supported\nby the Tegra XUSB controller.\n\nUsing total USB2 phy number as port number to check all PORTSC values\nwould cause invalid memory access.\n\n[  116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f\n...\n[  117.213640] Call trace:\n[  117.216783]  tegra_xusb_enter_elpg+0x23c/0x658\n[  117.222021]  tegra_xusb_runtime_suspend+0x40/0x68\n[  117.227260]  pm_generic_runtime_suspend+0x30/0x50\n[  117.232847]  __rpm_callback+0x84/0x3c0\n[  117.237038]  rpm_suspend+0x2dc/0x740\n[  117.241229] pm_runtime_work+0xa0/0xb8\n[  117.245769]  process_scheduled_works+0x24c/0x478\n[  117.251007]  worker_thread+0x23c/0x328\n[  117.255547]  kthread+0x104/0x1b0\n[  117.259389]  ret_from_fork+0x10/0x20\n[  117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: prevent kernel-infoleak in con_font_get()\n\nfont.data may not initialize all memory spaces depending on the implementation\nof vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it\nis safest to modify it to initialize the allocated memory space to 0, and it\ngenerally does not affect the overall performance of the system.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix multiple init when debugfs is disabled\n\nIf bt_debugfs is not created successfully, which happens if either\nCONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()\nreturns early and does not set iso_inited to true. This means that a\nsubsequent call to iso_init() will result in duplicate calls to\nproto_register(), bt_sock_register(), etc.\n\nWith CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the\nduplicate call to proto_register() triggers this BUG():\n\n  list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,\n    next=ffffffffc0b280d0.\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:35!\n  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1\n  RIP: 0010:__list_add_valid_or_report+0x9a/0xa0\n  ...\n    __list_add_valid_or_report+0x9a/0xa0\n    proto_register+0x2b5/0x340\n    iso_init+0x23/0x150 [bluetooth]\n    set_iso_socket_func+0x68/0x1b0 [bluetooth]\n    kmem_cache_free+0x308/0x330\n    hci_sock_sendmsg+0x990/0x9e0 [bluetooth]\n    __sock_sendmsg+0x7b/0x80\n    sock_write_iter+0x9a/0x110\n    do_iter_readv_writev+0x11d/0x220\n    vfs_writev+0x180/0x3e0\n    do_writev+0xca/0x100\n  ...\n\nThis change removes the early return. The check for iso_debugfs being\nNULL was unnecessary, it is always NULL when iso_inited is false.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Call iso_exit() on module unload\n\nIf iso_init() has been called, iso_exit() must be called on module\nunload. Without that, the struct proto that iso_init() registered with\nproto_register() becomes invalid, which could cause unpredictable\nproblems later. In my case, with CONFIG_LIST_HARDENED and\nCONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually\ntriggers this BUG():\n\n  list_add corruption. next->prev should be prev (ffffffffb5355fd0),\n    but was 0000000000000068. (next=ffffffffc0a010d0).\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:29!\n  Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1\n  RIP: 0010:__list_add_valid_or_report+0x61/0xa0\n  ...\n    __list_add_valid_or_report+0x61/0xa0\n    proto_register+0x299/0x320\n    hci_sock_init+0x16/0xc0 [bluetooth]\n    bt_init+0x68/0xd0 [bluetooth]\n    __pfx_bt_init+0x10/0x10 [bluetooth]\n    do_one_initcall+0x80/0x2f0\n    do_init_module+0x8b/0x230\n    __do_sys_init_module+0x15f/0x190\n    do_syscall_64+0x68/0x110\n  ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work\n\nWhen the sqpoll is exiting and cancels pending work items, it may need\nto run task_work. If this happens from within io_uring_cancel_generic(),\nthen it may be under waiting for the io_uring_task waitqueue. This\nresults in the below splat from the scheduler, as the ring mutex may be\nattempted grabbed while in a TASK_INTERRUPTIBLE state.\n\nEnsure that the task state is set appropriately for that, just like what\nis done for the other cases in io_run_task_work().\n\ndo not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000029387fd2>] prepare_to_wait+0x88/0x2fc\nWARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140\nModules linked in:\nCPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456\nHardware name: linux,dummy-virt (DT)\npstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\npc : __might_sleep+0xf4/0x140\nlr : __might_sleep+0xf4/0x140\nsp : ffff80008c5e7830\nx29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230\nx26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50\nx23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180\nx20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90\nx17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720\nx14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b\nx11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000\nx8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001\nx5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180\nCall trace:\n __might_sleep+0xf4/0x140\n mutex_lock+0x84/0x124\n io_handle_tw_list+0xf4/0x260\n tctx_task_work_run+0x94/0x340\n io_run_task_work+0x1ec/0x3c0\n io_uring_cancel_generic+0x364/0x524\n io_sq_thread+0x820/0x124c\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: don't allow user copy for unprivileged device\n\nUBLK_F_USER_COPY requires userspace to call write() on ublk char\ndevice for filling request buffer, and unprivileged device can't\nbe trusted.\n\nSo don't allow user copy for unprivileged device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: setup queue ->tag_set before initializing hctx\n\nCommit 7b815817aa58 (\"blk-mq: add helper for checking if one CPU is mapped to specified hctx\")\nneeds to check queue mapping via tag set in hctx's cpuhp handler.\n\nHowever, q->tag_set may not be setup yet when the cpuhp handler is\nenabled, then kernel oops is triggered.\n\nFix the issue by setup queue tag_set before initializing hctx.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race\n\nWe're seeing crashes from rq_qos_wake_function that look like this:\n\n  BUG: unable to handle page fault for address: ffffafe180a40084\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n  CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40\n  Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00\n  RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046\n  RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011\n  RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084\n  RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011\n  R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002\n  R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003\n  FS:  0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n   <IRQ>\n   try_to_wake_up+0x5a/0x6a0\n   rq_qos_wake_function+0x71/0x80\n   __wake_up_common+0x75/0xa0\n   __wake_up+0x36/0x60\n   scale_up.part.0+0x50/0x110\n   wb_timer_fn+0x227/0x450\n   ...\n\nSo rq_qos_wake_function() calls wake_up_process(data->task), which calls\ntry_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).\n\np comes from data->task, and data comes from the waitqueue entry, which\nis stored on the waiter's stack in rq_qos_wait(). Analyzing the core\ndump with drgn, I found that the waiter had already woken up and moved\non to a completely unrelated code path, clobbering what was previously\ndata->task. Meanwhile, the waker was passing the clobbered garbage in\ndata->task to wake_up_process(), leading to the crash.\n\nWhat's happening is that in between rq_qos_wake_function() deleting the\nwaitqueue entry and calling wake_up_process(), rq_qos_wait() is finding\nthat it already got a token and returning. The race looks like this:\n\nrq_qos_wait()                           rq_qos_wake_function()\n==============================================================\nprepare_to_wait_exclusive()\n                                        data->got_token = true;\n                                        list_del_init(&curr->entry);\nif (data.got_token)\n        break;\nfinish_wait(&rqw->wait, &data.wq);\n  ^- returns immediately because\n     list_empty_careful(&wq_entry->entry)\n     is true\n... return, go do something else ...\n                                        wake_up_process(data->task)\n                                          (NO LONGER VALID!)-^\n\nNormally, finish_wait() is supposed to synchronize against the waker.\nBut, as noted above, it is returning immediately because the waitqueue\nentry has already been removed from the waitqueue.\n\nThe bug is that rq_qos_wake_function() is accessing the waitqueue entry\nAFTER deleting it. Note that autoremove_wake_function() wakes the waiter\nand THEN deletes the waitqueue entry, which is the proper order.\n\nFix it by swapping the order. We also need to use\nlist_del_init_careful() to match the list_empty_careful() in\nfinish_wait().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix mptcp DSS corruption due to large pmtu xmit\n\nSyzkaller was able to trigger a DSS corruption:\n\n  TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\n  RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\n  Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff\n  RSP: 0018:ffffc90000006db8 EFLAGS: 00010246\n  RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00\n  RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0\n  RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8\n  R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000\n  R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5\n  FS:  000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <IRQ>\n   move_skbs_to_msk net/mptcp/protocol.c:811 [inline]\n   mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854\n   subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490\n   tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283\n   tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237\n   tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\n   tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350\n   ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\n   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n   NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n   __netif_receive_skb_one_core net/core/dev.c:5662 [inline]\n   __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775\n   process_backlog+0x662/0x15b0 net/core/dev.c:6107\n   __napi_poll+0xcb/0x490 net/core/dev.c:6771\n   napi_poll net/core/dev.c:6840 [inline]\n   net_rx_action+0x89b/0x1240 net/core/dev.c:6962\n   handle_softirqs+0x2c5/0x980 kernel/softirq.c:554\n   do_softirq+0x11b/0x1e0 kernel/softirq.c:455\n   </IRQ>\n   <TASK>\n   __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n   __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451\n   dev_queue_xmit include/linux/netdevice.h:3094 [inline]\n   neigh_hh_output include/net/neighbour.h:526 [inline]\n   neigh_output include/net/neighbour.h:540 [inline]\n   ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n   ip_local_out net/ipv4/ip_output.c:130 [inline]\n   __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536\n   __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466\n   tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\n   tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]\n   tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752\n   __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015\n   tcp_push_pending_frames include/net/tcp.h:2107 [inline]\n   tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]\n   tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239\n   tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\n   sk_backlog_rcv include/net/sock.h:1113 [inline]\n   __release_sock+0x214/0x350 net/core/sock.c:3072\n   release_sock+0x61/0x1f0 net/core/sock.c:3626\n   mptcp_push_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()\n\nCommit a3c1e45156ad (\"net: microchip: vcap: Fix use-after-free error in\nkunit test\") fixed the use-after-free error, but introduced below\nmemory leaks by removing necessary vcap_free_rule(), add it to fix it.\n\n\tunreferenced object 0xffffff80ca58b700 (size 192):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898264\n\t  hex dump (first 32 bytes):\n\t    00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00  ..z.........d...\n\t    00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff  ................\n\t  backtrace (crc 9c09c3fe):\n\t    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40\n\t    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<0000000040a01b8d>] vcap_alloc_rule+0x3cc/0x9c4\n\t    [<000000003fe86110>] vcap_api_encode_rule_test+0x1ac/0x16b0\n\t    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac\n\t    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000c5d82c9a>] kthread+0x2e8/0x374\n\t    [<00000000f4287308>] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0400 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898265\n\t  hex dump (first 32 bytes):\n\t    80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff  ..........X.....\n\t    39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff  9...............\n\t  backtrace (crc daf014e9):\n\t    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40\n\t    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528\n\t    [<00000000dfdb1e81>] vcap_api_encode_rule_test+0x224/0x16b0\n\t    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac\n\t    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000c5d82c9a>] kthread+0x2e8/0x374\n\t    [<00000000f4287308>] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0700 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898265\n\t  hex dump (first 32 bytes):\n\t    80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff  ........(.X.....\n\t    3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff  <......../......\n\t  backtrace (crc 8d877792):\n\t    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40\n\t    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<000000006eadfab7>] vcap_rule_add_action+0x2d0/0x52c\n\t    [<00000000323475d1>] vcap_api_encode_rule_test+0x4d4/0x16b0\n\t    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac\n\t    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000c5d82c9a>] kthread+0x2e8/0x374\n\t    [<00000000f4287308>] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0900 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898266\n\t  hex dump (first 32 bytes):\n\t    80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff  ................\n\t    7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00  }...............\n\t  backtrace (crc 34181e56):\n\t    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40\n\t    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528\n\t    [<00000000991e3564>] vcap_val_rule+0xcf0/0x13e8\n\t    [<00000000fc9868e5>] vcap_api_encode_rule_test+0x678/0x16b0\n\t    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac\n\t    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000c5d82c9a>] kthread+0x2e8/0x374\n\t    [<00000000f4287308>] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0980 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898266\n\t  hex dump (first 32 bytes):\n\t    18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff  ..X.............\n\t    67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff  g.........t.....\n\t  backtrace (crc 275fd9be):\n\t    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40\n\t    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528\n\t    [<000000001396a1a2>] test_add_de\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow\n\nSyzkaller reported this splat:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881\n  Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662\n\n  CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0xc3/0x620 mm/kasan/report.c:488\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881\n   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline]\n   mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572\n   mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603\n   genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n   netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357\n   netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901\n   sock_sendmsg_nosec net/socket.c:729 [inline]\n   __sock_sendmsg net/socket.c:744 [inline]\n   ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607\n   ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661\n   __sys_sendmsg+0x117/0x1f0 net/socket.c:2690\n   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n   __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386\n   do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411\n   entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n  RIP: 0023:0xf7fe4579\n  Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00\n  RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172\n  RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n   </TASK>\n\n  Allocated by task 5387:\n   kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n   kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n   poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n   kmalloc_noprof include/linux/slab.h:878 [inline]\n   kzalloc_noprof include/linux/slab.h:1014 [inline]\n   subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803\n   subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956\n   __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline]\n   tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167\n   mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764\n   __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592\n   mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642\n   mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline]\n   mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943\n   mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777\n   process_one_work+0x958/0x1b30 kernel/workqueue.c:3229\n   process_scheduled_works kernel/workqueue.c:3310 [inline]\n   worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n   kthread+0x2c1/0x3a0 kernel/kthread.c:389\n   ret_from_fork+0x45/0x80 arch/x86/ke\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free from session log off\n\nThere is racy issue between smb2 session log off and smb2 session setup.\nIt will cause use-after-free from session log off.\nThis adds session_lock when setting SMB2_SESSION_EXPIRED and reference\ncount to session struct not to free session while it is being used.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix uninitialized pointer free on read_alloc_one_name() error\n\nThe function read_alloc_one_name() does not initialize the name field of\nthe passed fscrypt_str struct if kmalloc fails to allocate the\ncorresponding buffer.  Thus, it is not guaranteed that\nfscrypt_str.name is initialized when freeing it.\n\nThis is a follow-up to the linked patch that fixes the remaining\ninstances of the bug introduced by commit e43eec81c516 (\"btrfs: use\nstruct qstr instead of name and namelen pairs\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix uninitialized pointer free in add_inode_ref()\n\nThe add_inode_ref() function does not initialize the \"name\" struct when\nit is declared.  If any of the following calls to \"read_one_inode()\nreturns NULL,\n\n\tdir = read_one_inode(root, parent_objectid);\n\tif (!dir) {\n\t\tret = -ENOENT;\n\t\tgoto out;\n\t}\n\n\tinode = read_one_inode(root, inode_objectid);\n\tif (!inode) {\n\t\tret = -EIO;\n\t\tgoto out;\n\t}\n\nthen \"name.name\" would be freed on \"out\" before being initialized.\n\nout:\n\t...\n\tkfree(name.name);\n\nThis issue was reported by Coverity with CID 1526744.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix overflow in oa batch buffer\n\nBy default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch\nbuffer, this is not a problem if batch buffer is only used once but\noa reuses the batch buffer for the same metric and at each call\nit appends a MI_BATCH_BUFFER_END, printing the warning below and then\noverflowing.\n\n[  381.072016] ------------[ cut here ]------------\n[  381.072019] xe 0000:00:02.0: [drm] Assertion `bb->len * 4 + bb_prefetch(q->gt) <= size` failed!\n               platform: LUNARLAKE subplatform: 1\n               graphics: Xe2_LPG / Xe2_HPG 20.04 step B0\n               media: Xe2_LPM / Xe2_HPM 20.00 step B0\n               tile: 0 VRAM 0 B\n               GT: 0 type 1\n\nSo here checking if batch buffer already have MI_BATCH_BUFFER_END if\nnot append it.\n\nv2:\n- simply fix, suggestion from Ashutosh\n\n(cherry picked from commit 9ba0e0f30ca42a98af3689460063edfb6315718a)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm vdo: don't refer to dedupe_context after releasing it\n\nClear the dedupe_context pointer in a data_vio whenever ownership of\nthe context is lost, so that vdo can't examine it accidentally.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netconsole: fix wrong warning\n\nA warning is triggered when there is insufficient space in the buffer\nfor userdata. However, this is not an issue since userdata will be sent\nin the next iteration.\n\nCurrent warning message:\n\n    ------------[ cut here ]------------\n     WARNING: CPU: 13 PID: 3013042 at drivers/net/netconsole.c:1122 write_ext_msg+0x3b6/0x3d0\n      ? write_ext_msg+0x3b6/0x3d0\n      console_flush_all+0x1e9/0x330\n\nThe code incorrectly issues a warning when this_chunk is zero, which is\na valid scenario. The warning should only be triggered when this_chunk\nis negative.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: int340x: processor: Fix warning during module unload\n\nThe processor_thermal driver uses pcim_device_enable() to enable a PCI\ndevice, which means the device will be automatically disabled on driver\ndetach.  Thus there is no need to call pci_disable_device() again on it.\n\nWith recent PCI device resource management improvements, e.g. commit\nf748a07a0b64 (\"PCI: Remove legacy pcim_release()\"), this problem is\nexposed and triggers the warning below.\n\n [  224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device\n [  224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100\n ...\n [  224.010844] Call Trace:\n [  224.010845]  <TASK>\n [  224.010847]  ? show_regs+0x6d/0x80\n [  224.010851]  ? __warn+0x8c/0x140\n [  224.010854]  ? pci_disable_device+0xe5/0x100\n [  224.010856]  ? report_bug+0x1c9/0x1e0\n [  224.010859]  ? handle_bug+0x46/0x80\n [  224.010862]  ? exc_invalid_op+0x1d/0x80\n [  224.010863]  ? asm_exc_invalid_op+0x1f/0x30\n [  224.010867]  ? pci_disable_device+0xe5/0x100\n [  224.010869]  ? pci_disable_device+0xe5/0x100\n [  224.010871]  ? kfree+0x21a/0x2b0\n [  224.010873]  pcim_disable_device+0x20/0x30\n [  224.010875]  devm_action_release+0x16/0x20\n [  224.010878]  release_nodes+0x47/0xc0\n [  224.010880]  devres_release_all+0x9f/0xe0\n [  224.010883]  device_unbind_cleanup+0x12/0x80\n [  224.010885]  device_release_driver_internal+0x1ca/0x210\n [  224.010887]  driver_detach+0x4e/0xa0\n [  224.010889]  bus_remove_driver+0x6f/0xf0\n [  224.010890]  driver_unregister+0x35/0x60\n [  224.010892]  pci_unregister_driver+0x44/0x90\n [  224.010894]  proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]\n ...\n [  224.010921] ---[ end trace 0000000000000000 ]---\n\nRemove the excess pci_disable_device() calls.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: Don't invoke xdp_do_flush() from netpoll.\n\nYury reported a crash in the sfc driver originated from\nnetpoll_send_udp(). The netconsole sends a message and then netpoll\ninvokes the driver's NAPI function with a budget of zero. It is\ndedicated to allowing the driver to free TX resources that it may have used\nwhile sending the packet.\n\nIn the netpoll case the driver invokes xdp_do_flush() unconditionally,\nleading to a crash because bpf_net_context was never assigned.\n\nInvoke xdp_do_flush() only if budget is not zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mad: Improve handling of timed out WRs of mad agent\n\nCurrent timeout handler of mad agent acquires/releases mad_agent_priv\nlock for every timed out WRs. This causes heavy locking contention\nwhen higher no. of WRs are to be handled inside timeout handler.\n\nThis leads to softlockup with below trace in some use cases where\nrdma-cm path is used to establish connection between peer nodes\n\nTrace:\n-----\n BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]\n CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE\n     -------  ---  5.14.0-427.13.1.el9_4.x86_64 #1\n Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019\n Workqueue: ib_mad1 timeout_sends [ib_core]\n RIP: 0010:__do_softirq+0x78/0x2ac\n RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246\n RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f\n RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b\n RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000\n R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040\n FS:  0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <IRQ>\n  ? show_trace_log_lvl+0x1c4/0x2df\n  ? show_trace_log_lvl+0x1c4/0x2df\n  ? __irq_exit_rcu+0xa1/0xc0\n  ? watchdog_timer_fn+0x1b2/0x210\n  ? __pfx_watchdog_timer_fn+0x10/0x10\n  ? __hrtimer_run_queues+0x127/0x2c0\n  ? hrtimer_interrupt+0xfc/0x210\n  ? __sysvec_apic_timer_interrupt+0x5c/0x110\n  ? sysvec_apic_timer_interrupt+0x37/0x90\n  ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n  ? __do_softirq+0x78/0x2ac\n  ? __do_softirq+0x60/0x2ac\n  __irq_exit_rcu+0xa1/0xc0\n  sysvec_call_function_single+0x72/0x90\n  </IRQ>\n  <TASK>\n  asm_sysvec_call_function_single+0x16/0x20\n RIP: 0010:_raw_spin_unlock_irq+0x14/0x30\n RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247\n RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800\n RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c\n RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000\n R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538\n R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c\n  cm_process_send_error+0x122/0x1d0 [ib_cm]\n  timeout_sends+0x1dd/0x270 [ib_core]\n  process_one_work+0x1e2/0x3b0\n  ? __pfx_worker_thread+0x10/0x10\n  worker_thread+0x50/0x3a0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xdd/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x50\n  </TASK>\n\nSimplified the timeout handler by creating a local list of timed out WRs\nand invoking the send handler after creating the list. The new method acquires/\nreleases the lock once to fetch the list and hence helps to reduce locking\ncontention when processing a higher no. of WRs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error\n\nThe `nouveau_dmem_copy_one` function ensures that the copy push command is\nsent to the device firmware but does not track whether it was executed\nsuccessfully.\n\nIn the case of a copy error (e.g., firmware or hardware failure), the\ncopy push command will be sent via the firmware channel, and\n`nouveau_dmem_copy_one` will likely report success, leading to the\n`migrate_to_ram` function returning a dirty HIGH_USER page to the user.\n\nThis can result in a security vulnerability, as a HIGH_USER page that may\ncontain sensitive or corrupted data could be returned to the user.\n\nTo prevent this vulnerability, we allocate a zero page. Thus, in case of\nan error, a non-dirty (zero) page will be returned to the user.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: don't save PTP state if PTP is unsupported\n\nSome platforms (such as i.MX25 and i.MX27) do not support PTP, so on\nthese platforms fec_ptp_init() is not called and the related members\nin fep are not initialized. However, fec_ptp_save_state() is called\nunconditionally, which causes the kernel to panic. Therefore, add a\ncondition so that fec_ptp_save_state() is not called if PTP is not\nsupported.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.4"
        },
        {
          "id": "CVE-2024-50098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down\n\nThere is a history of deadlock if reboot is performed at the beginning\nof booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS\nshutdown, and at that time the audio driver was waiting on\nblk_mq_submit_bio() holding a mutex_lock while reading the fw binary.\nAfter that, a deadlock issue occurred while audio driver shutdown was\nwaiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set\nSDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down\nafter a UFS shutdown will return an error.\n\n[   31.907781]I[0:      swapper/0:    0]        1        130705007       1651079834      11289729804                0 D(   2) 3 ffffff882e208000 *             init [device_shutdown]\n[   31.907793]I[0:      swapper/0:    0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]\n[   31.907806]I[0:      swapper/0:    0] Call trace:\n[   31.907810]I[0:      swapper/0:    0]  __switch_to+0x174/0x338\n[   31.907819]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc\n[   31.907826]I[0:      swapper/0:    0]  schedule+0x7c/0xe8\n[   31.907834]I[0:      swapper/0:    0]  schedule_preempt_disabled+0x24/0x40\n[   31.907842]I[0:      swapper/0:    0]  __mutex_lock+0x408/0xdac\n[   31.907849]I[0:      swapper/0:    0]  __mutex_lock_slowpath+0x14/0x24\n[   31.907858]I[0:      swapper/0:    0]  mutex_lock+0x40/0xec\n[   31.907866]I[0:      swapper/0:    0]  device_shutdown+0x108/0x280\n[   31.907875]I[0:      swapper/0:    0]  kernel_restart+0x4c/0x11c\n[   31.907883]I[0:      swapper/0:    0]  __arm64_sys_reboot+0x15c/0x280\n[   31.907890]I[0:      swapper/0:    0]  invoke_syscall+0x70/0x158\n[   31.907899]I[0:      swapper/0:    0]  el0_svc_common+0xb4/0xf4\n[   31.907909]I[0:      swapper/0:    0]  do_el0_svc+0x2c/0xb0\n[   31.907918]I[0:      swapper/0:    0]  el0_svc+0x34/0xe0\n[   31.907928]I[0:      swapper/0:    0]  el0t_64_sync_handler+0x68/0xb4\n[   31.907937]I[0:      swapper/0:    0]  el0t_64_sync+0x1a0/0x1a4\n\n[   31.908774]I[0:      swapper/0:    0]       49                0         11960702      11236868007                0 D(   2) 6 ffffff882e28cb00 *      kworker/6:0 [__bio_queue_enter]\n[   31.908783]I[0:      swapper/0:    0] Call trace:\n[   31.908788]I[0:      swapper/0:    0]  __switch_to+0x174/0x338\n[   31.908796]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc\n[   31.908803]I[0:      swapper/0:    0]  schedule+0x7c/0xe8\n[   31.908811]I[0:      swapper/0:    0]  __bio_queue_enter+0xb8/0x178\n[   31.908818]I[0:      swapper/0:    0]  blk_mq_submit_bio+0x194/0x67c\n[   31.908827]I[0:      swapper/0:    0]  __submit_bio+0xb8/0x19c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Remove broken LDR (literal) uprobe support\n\nThe simulate_ldr_literal() and simulate_ldrsw_literal() functions are\nunsafe to use for uprobes. Both functions were originally written for\nuse with kprobes, and access memory with plain C accesses. When uprobes\nwas added, these were reused unmodified even though they cannot safely\naccess user memory.\n\nThere are three key problems:\n\n1) The plain C accesses do not have corresponding extable entries, and\n   thus if they encounter a fault the kernel will treat these as\n   unintentional accesses to user memory, resulting in a BUG() which\n   will kill the kernel thread, and likely lead to further issues (e.g.\n   lockup or panic()).\n\n2) The plain C accesses are subject to HW PAN and SW PAN, and so when\n   either is in use, any attempt to simulate an access to user memory\n   will fault. Thus neither simulate_ldr_literal() nor\n   simulate_ldrsw_literal() can do anything useful when simulating a\n   user instruction on any system with HW PAN or SW PAN.\n\n3) The plain C accesses are privileged, as they run in kernel context,\n   and in practice can access a small range of kernel virtual addresses.\n   The instructions they simulate have a range of +/-1MiB, and since the\n   simulated instruction must itself be a user instruction in the\n   TTBR0 address range, these can address the final 1MiB of the TTBR1\n   address range by wrapping downwards from an address in the first\n   1MiB of the TTBR0 address range.\n\n   In contemporary kernels the last 8MiB of TTBR1 address range is\n   reserved, and accesses to this will always fault, meaning this is no\n   worse than (1).\n\n   Historically, it was theoretically possible for the linear map or\n   vmemmap to spill into the final 8MiB of the TTBR1 address range, but\n   in practice this is extremely unlikely to occur as this would\n   require either:\n\n   * Having enough physical memory to fill the entire linear map all the\n     way to the final 1MiB of the TTBR1 address range.\n\n   * Getting unlucky with KASLR randomization of the linear map such\n     that the populated region happens to overlap with the last 1MiB of\n     the TTBR address range.\n\n   ... and in either case if we were to spill into the final page there\n   would be larger problems as the final page would alias with error\n   pointers.\n\nPractically speaking, (1) and (2) are the big issues. Given there have\nbeen no reports of problems since the broken code was introduced, it\nappears that no-one is relying on probing these instructions with\nuprobes.\n\nAvoid these issues by not allowing uprobes on LDR (literal) and LDRSW\n(literal), limiting the use of simulate_ldr_literal() and\nsimulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR\n(literal) and LDRSW (literal) will be rejected as\narm_probe_decode_insn() will return INSN_REJECTED. In future we can\nconsider introducing working uprobes support for these instructions, but\nthis will require more significant work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: dummy-hcd: Fix \"task hung\" problem\n\nThe syzbot fuzzer has been encountering \"task hung\" problems ever\nsince the dummy-hcd driver was changed to use hrtimers instead of\nregular timers.  It turns out that the problems are caused by a subtle\ndifference between the timer_pending() and hrtimer_active() APIs.\n\nThe changeover blindly replaced the first by the second.  However,\ntimer_pending() returns True when the timer is queued but not when its\ncallback is running, whereas hrtimer_active() returns True when the\nhrtimer is queued _or_ its callback is running.  This difference\noccasionally caused dummy_urb_enqueue() to think that the callback\nroutine had not yet started when in fact it was almost finished.  As a\nresult the hrtimer was not restarted, which made it impossible for the\ndriver to dequeue later the URB that was just enqueued.  This caused\nusb_kill_urb() to hang, and things got worse from there.\n\nSince hrtimers have no API for telling when they are queued and the\ncallback isn't running, the driver must keep track of this for itself.\nThat's what this patch does, adding a new \"timer_pending\" flag and\nsetting or clearing it at the appropriate times.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices\n\nPreviously, the domain_context_clear() function incorrectly called\npci_for_each_dma_alias() to set up context entries for non-PCI devices.\nThis could lead to kernel hangs or other unexpected behavior.\n\nAdd a check to only call pci_for_each_dma_alias() for PCI devices. For\nnon-PCI devices, domain_context_clear_one() is called directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix user address masking non-canonical speculation issue\n\nIt turns out that AMD has a \"Meltdown Lite(tm)\" issue with non-canonical\naccesses in kernel space.  And so using just the high bit to decide\nwhether an access is in user space or kernel space ends up with the good\nold \"leak speculative data\" if you have the right gadget using the\nresult:\n\n  CVE-2020-12965 \u201cTransient Execution of Non-Canonical Accesses\u201c\n\nNow, the kernel surrounds the access with a STAC/CLAC pair, and those\ninstructions end up serializing execution on older Zen architectures,\nwhich closes the speculation window.\n\nBut that was true only up until Zen 5, which renames the AC bit [1].\nThat improves performance of STAC/CLAC a lot, but also means that the\nspeculation window is now open.\n\nNote that this affects not just the new address masking, but also the\nregular valid_user_address() check used by access_ok(), and the asm\nversion of the sign bit check in the get_user() helpers.\n\nIt does not affect put_user() or clear_user() variants, since there's no\nspeculative result to be used in a gadget for those operations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()\n\nA devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could\npossibly return NULL pointer. NULL Pointer Dereference may be\ntriggered without additional check.\nAdd a NULL check for the returned pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: sdm845: add missing soundwire runtime stream alloc\n\nDuring the migration of Soundwire runtime stream allocation from\nthe Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845\nsoundcard was forgotten.\n\nAt this point any playback attempt or audio daemon startup, for instance\non sdm845-db845c (Qualcomm RB3 board), will result in stream pointer\nNULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000020\n Mem abort info:\n   ESR = 0x0000000096000004\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x04: level 0 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000\n [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n Modules linked in: ...\n CPU: 5 UID: 0 PID: 1198 Comm: aplay\n Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18\n Hardware name: Thundercomm Dragonboard 845c (DT)\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n sp : ffff80008a2035c0\n x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000\n x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800\n x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003\n x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec\n x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003\n x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8\n Call trace:\n  sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n  wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]\n  snd_soc_dai_hw_params+0x3c/0xa4\n  __soc_pcm_hw_params+0x230/0x660\n  dpcm_be_dai_hw_params+0x1d0/0x3f8\n  dpcm_fe_dai_hw_params+0x98/0x268\n  snd_pcm_hw_params+0x124/0x460\n  snd_pcm_common_ioctl+0x998/0x16e8\n  snd_pcm_ioctl+0x34/0x58\n  __arm64_sys_ioctl+0xac/0xf8\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0x40/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x34/0xe0\n  el0t_64_sync_handler+0x120/0x12c\n  el0t_64_sync+0x190/0x194\n Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)\n ---[ end trace 0000000000000000 ]---\n\n0000000000006108 <sdw_stream_add_slave>:\n    6108:       d503233f        paciasp\n    610c:       a9b97bfd        stp     x29, x30, [sp, #-112]!\n    6110:       910003fd        mov     x29, sp\n    6114:       a90153f3        stp     x19, x20, [sp, #16]\n    6118:       a9025bf5        stp     x21, x22, [sp, #32]\n    611c:       aa0103f6        mov     x22, x1\n    6120:       2a0303f5        mov     w21, w3\n    6124:       a90363f7        stp     x23, x24, [sp, #48]\n    6128:       aa0003f8        mov     x24, x0\n    612c:       aa0203f7        mov     x23, x2\n    6130:       a9046bf9        stp     x25, x26, [sp, #64]\n    6134:       aa0403f9        mov     x25, x4        <-- x4 copied to x25\n    6138:       a90573fb        stp     x27, x28, [sp, #80]\n    613c:       aa0403fb        mov     x27, x4\n    6140:       f9418400        ldr     x0, [x0, #776]\n    6144:       9100e000        add     x0, x0, #0x38\n    6148:       94000000        bl      0 <mutex_lock>\n    614c:       f8420f22        ldr     x2, [x25, #32]!  <-- offset 0x44\n    ^^^\nThis is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()\nwhere data abort happens.\nwsa881x_hw_params() is called with stream = NULL and passes it further\nin register x4 (5th argu\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc\n\nCommit 15c7fab0e047 (\"ASoC: qcom: Move Soundwire runtime stream alloc to\nsoundcards\") moved the allocation of Soundwire stream runtime from the\nQualcomm Soundwire driver to each individual machine sound card driver,\nexcept that it forgot to update SC7280 card.\n\nJust like for other Qualcomm sound cards using Soundwire, the card\ndriver should allocate and release the runtime.  Otherwise sound\nplayback will result in a NULL pointer dereference or other effect of\nuninitialized memory accesses (which was confirmed on SDM845 having\nsimilar issue).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix race between laundromat and free_stateid\n\nThere is a race between laundromat handling of revoked delegations\nand a client sending free_stateid operation. Laundromat thread\nfinds that delegation has expired and needs to be revoked so it\nmarks the delegation stid revoked and it puts it on a reaper list\nbut then it unlocks the state lock and the actual delegation revocation\nhappens without the lock. Once the stid is marked revoked a racing\nfree_stateid processing thread does the following (1) it calls\nlist_del_init() which removes it from the reaper list and (2) frees\nthe delegation stid structure. The laundromat thread ends up not\ncalling the revoke_delegation() function for this particular delegation\nbut that means it will not release the lock lease that exists on\nthe file.\n\nNow, a new open for this file comes in and ends up finding that\nlease list isn't empty and calls nfsd_breaker_owns_lease() which ends\nup trying to dereference a freed delegation stateid. Leading to the\nfollowing use-after-free KASAN warning:\n\nkernel: ==================================================================\nkernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd]\nkernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205\nkernel:\nkernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9\nkernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024\nkernel: Call trace:\nkernel: dump_backtrace+0x98/0x120\nkernel: show_stack+0x1c/0x30\nkernel: dump_stack_lvl+0x80/0xe8\nkernel: print_address_description.constprop.0+0x84/0x390\nkernel: print_report+0xa4/0x268\nkernel: kasan_report+0xb4/0xf8\nkernel: __asan_report_load8_noabort+0x1c/0x28\nkernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd]\nkernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd]\nkernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd]\nkernel: nfs4_get_vfs_file+0x634/0x958 [nfsd]\nkernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd]\nkernel: nfsd4_open+0xa08/0xe80 [nfsd]\nkernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd]\nkernel: nfsd_dispatch+0x22c/0x718 [nfsd]\nkernel: svc_process_common+0x8e8/0x1960 [sunrpc]\nkernel: svc_process+0x3d4/0x7e0 [sunrpc]\nkernel: svc_handle_xprt+0x828/0xe10 [sunrpc]\nkernel: svc_recv+0x2cc/0x6a8 [sunrpc]\nkernel: nfsd+0x270/0x400 [nfsd]\nkernel: kthread+0x288/0x310\nkernel: ret_from_fork+0x10/0x20\n\nThis patch proposes a fix that's based on adding 2 new additional\nstid's sc_status values that help coordinate between the laundromat\nand other operations (nfsd4_free_stateid() and nfsd4_delegreturn()).\n\nFirst, to make sure that once the stid is marked revoked, it is not\nremoved by nfsd4_free_stateid(), the laundromat takes a reference\non the stateid. Then, coordinating whether the stid has been put\non the cl_revoked list or we are processing FREE_STATEID and need to\nmake sure to remove it from the list, each check that state and act\naccordingly. If laundromat has added to the cl_revoke list before\nthe arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove\nit from the list. If nfsd4_free_stateid() finds that operations arrived\nbefore laundromat has placed it on cl_revoke list, it marks the state\nfreed and then laundromat will no longer add it to the list.\n\nAlso, for nfsd4_delegreturn() when looking for the specified stid,\nwe need to access stid that are marked removed or freeable, it means\nthe laundromat has started processing it but hasn't finished and this\ndelegreturn needs to return nfserr_deleg_revoked and not\nnfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the\nlack of it will leave this stid on the cl_revoked list indefinitely.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for valid addresses\n\nCommit 50c6dbdfd16e (\"x86/ioremap: Improve iounmap() address range checks\")\nintroduces a WARN when adrress ranges of iounmap are invalid. On Thinkpad\nP1 Gen 7 (Meteor Lake-P) this caused the following warning to appear:\n\nWARNING: CPU: 7 PID: 713 at arch/x86/mm/ioremap.c:461 iounmap+0x58/0x1f0\nModules linked in: rfkill(+) snd_timer(+) fjes(+) snd soundcore intel_pmc_core(+)\nint3403_thermal(+) int340x_thermal_zone intel_vsec pmt_telemetry acpi_pad pmt_class\nacpi_tad int3400_thermal acpi_thermal_rel joydev loop nfnetlink zram xe drm_suballoc_helper\nnouveau i915 mxm_wmi drm_ttm_helper gpu_sched drm_gpuvm drm_exec drm_buddy i2c_algo_bit\ncrct10dif_pclmul crc32_pclmul ttm crc32c_intel polyval_clmulni rtsx_pci_sdmmc ucsi_acpi\npolyval_generic mmc_core hid_multitouch drm_display_helper ghash_clmulni_intel typec_ucsi\nnvme sha512_ssse3 video sha256_ssse3 nvme_core intel_vpu sha1_ssse3 rtsx_pci cec typec\nnvme_auth i2c_hid_acpi i2c_hid wmi pinctrl_meteorlake serio_raw ip6_tables ip_tables fuse\nCPU: 7 UID: 0 PID: 713 Comm: (udev-worker) Not tainted 6.12.0-rc2iounmap+ #42\nHardware name: LENOVO 21KWCTO1WW/21KWCTO1WW, BIOS N48ET19W (1.06 ) 07/18/2024\nRIP: 0010:iounmap+0x58/0x1f0\nCode: 85 6a 01 00 00 48 8b 05 e6 e2 28 04 48 39 c5 72 19 eb 26 cc cc cc 48 ba 00 00 00 00 00 00 32 00 48 8d 44 02 ff 48 39 c5 72 23 <0f> 0b 48 83 c4 08 5b 5d 41 5c c3 cc cc cc cc 48 ba 00 00 00 00 00\nRSP: 0018:ffff888131eff038 EFLAGS: 00010207\nRAX: ffffc90000000000 RBX: 0000000000000000 RCX: ffff888e33b80000\nRDX: dffffc0000000000 RSI: ffff888e33bc29c0 RDI: 0000000000000000\nRBP: 0000000000000000 R08: ffff8881598a8000 R09: ffff888e2ccedc10\nR10: 0000000000000003 R11: ffffffffb3367634 R12: 00000000fe000000\nR13: ffff888101d0da28 R14: ffffffffc2e437e0 R15: ffff888110b03b28\nFS:  00007f3c1d4b3980(0000) 
GS:ffff888e33b80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005651cfc93578 CR3: 0000000124e4c002 CR4: 0000000000f70ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __warn.cold+0xb6/0x176\n? iounmap+0x58/0x1f0\n? report_bug+0x1f4/0x2b0\n? handle_bug+0x58/0x90\n? exc_invalid_op+0x17/0x40\n? asm_exc_invalid_op+0x1a/0x20\n? iounmap+0x58/0x1f0\npmc_core_ssram_get_pmc+0x477/0x6c0 [intel_pmc_core]\n? __pfx_pmc_core_ssram_get_pmc+0x10/0x10 [intel_pmc_core]\n? __pfx_do_pci_enable_device+0x10/0x10\n? pci_wait_for_pending+0x60/0x110\n? pci_enable_device_flags+0x1e3/0x2e0\n? __pfx_mtl_core_init+0x10/0x10 [intel_pmc_core]\npmc_core_ssram_init+0x7f/0x110 [intel_pmc_core]\nmtl_core_init+0xda/0x130 [intel_pmc_core]\n? __mutex_init+0xb9/0x130\npmc_core_probe+0x27e/0x10b0 [intel_pmc_core]\n? _raw_spin_lock_irqsave+0x96/0xf0\n? __pfx_pmc_core_probe+0x10/0x10 [intel_pmc_core]\n? __pfx_mutex_unlock+0x10/0x10\n? __pfx_mutex_lock+0x10/0x10\n? device_pm_check_callbacks+0x82/0x370\n? acpi_dev_pm_attach+0x234/0x2b0\nplatform_probe+0x9f/0x150\nreally_probe+0x1e0/0x8a0\n__driver_probe_device+0x18c/0x370\n? __pfx___driver_attach+0x10/0x10\ndriver_probe_device+0x4a/0x120\n__driver_attach+0x190/0x4a0\n? __pfx___driver_attach+0x10/0x10\nbus_for_each_dev+0x103/0x180\n? __pfx_bus_for_each_dev+0x10/0x10\n? klist_add_tail+0x136/0x270\nbus_add_driver+0x2fc/0x540\ndriver_register+0x1a5/0x360\n? __pfx_pmc_core_driver_init+0x10/0x10 [intel_pmc_core]\ndo_one_initcall+0xa4/0x380\n? __pfx_do_one_initcall+0x10/0x10\n? kasan_unpoison+0x44/0x70\ndo_init_module+0x296/0x800\nload_module+0x5090/0x6ce0\n? __pfx_load_module+0x10/0x10\n? ima_post_read_file+0x193/0x200\n? __pfx_ima_post_read_file+0x10/0x10\n? rw_verify_area+0x152/0x4c0\n? kernel_read_file+0x257/0x750\n? __pfx_kernel_read_file+0x10/0x10\n? 
__pfx_filemap_get_read_batch+0x10/0x10\n? init_module_from_file+0xd1/0x130\ninit_module_from_file+0xd1/0x130\n? __pfx_init_module_from_file+0x10/0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Disable PSR-SU on Parade 08-01 TCON too\n\nStuart Hayhurst has found that both at bootup and fullscreen VA-API video\nis leading to black screens for around 1 second and kernel WARNING [1] traces\nwhen calling dmub_psr_enable() with Parade 08-01 TCON.\n\nThese symptoms all go away with PSR-SU disabled for this TCON, so disable\nit for now while DMUB traces [2] from the failure can be analyzed and the failure\nstate properly root caused.\n\n(cherry picked from commit afb634a6823d8d9db23c5fb04f79c5549349628b)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null ptr dereference in raid10_size()\n\nIn raid10_run() if raid10_set_queue_limits() succeed, the return value\nis set to zero, and if following procedures failed raid10_run() will\nreturn zero while mddev->private is still NULL, causing null ptr\ndereference in raid10_size().\n\nFix the problem by only overwrite the return value if\nraid10_set_queue_limits() failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix one more kernel-infoleak in algo dumping\n\nDuring fuzz testing, the following issue was discovered:\n\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30\n _copy_to_iter+0x598/0x2a30\n __skb_datagram_iter+0x168/0x1060\n skb_copy_datagram_iter+0x5b/0x220\n netlink_recvmsg+0x362/0x1700\n sock_recvmsg+0x2dc/0x390\n __sys_recvfrom+0x381/0x6d0\n __x64_sys_recvfrom+0x130/0x200\n x64_sys_call+0x32c8/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nUninit was stored to memory at:\n copy_to_user_state_extra+0xcc1/0x1e00\n dump_one_state+0x28c/0x5f0\n xfrm_state_walk+0x548/0x11e0\n xfrm_dump_sa+0x1e0/0x840\n netlink_dump+0x943/0x1c40\n __netlink_dump_start+0x746/0xdb0\n xfrm_user_rcv_msg+0x429/0xc00\n netlink_rcv_skb+0x613/0x780\n xfrm_netlink_rcv+0x77/0xc0\n netlink_unicast+0xe90/0x1280\n netlink_sendmsg+0x126d/0x1490\n __sock_sendmsg+0x332/0x3d0\n ____sys_sendmsg+0x863/0xc30\n ___sys_sendmsg+0x285/0x3e0\n __x64_sys_sendmsg+0x2d6/0x560\n x64_sys_call+0x1316/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nUninit was created at:\n __kmalloc+0x571/0xd30\n attach_auth+0x106/0x3e0\n xfrm_add_sa+0x2aa0/0x4230\n xfrm_user_rcv_msg+0x832/0xc00\n netlink_rcv_skb+0x613/0x780\n xfrm_netlink_rcv+0x77/0xc0\n netlink_unicast+0xe90/0x1280\n netlink_sendmsg+0x126d/0x1490\n __sock_sendmsg+0x332/0x3d0\n ____sys_sendmsg+0x863/0xc30\n ___sys_sendmsg+0x285/0x3e0\n __x64_sys_sendmsg+0x2d6/0x560\n x64_sys_call+0x1316/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nBytes 328-379 of 732 are uninitialized\nMemory access of size 732 starts at ffff88800e18e000\nData copied to user address 00007ff30f48aff0\n\nCPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n\nFixes copying of xfrm algorithms where some 
random\ndata of the structure fields can end up in userspace.\nPadding in structures may be filled with random (possibly sensitve)\ndata and should never be given directly to user-space.\n\nA similar issue was resolved in the commit\n8222d5910dae (\"xfrm: Zero padding when dumping algos and encap\")\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Enable IRQ if do_ale() triggered in irq-enabled context\n\nUnaligned access exception can be triggered in irq-enabled context such\nas user mode, in this case do_ale() may call get_user() which may cause\nsleep. Then we will get:\n\n BUG: sleeping function called from invalid context at arch/loongarch/kernel/access-helper.h:7\n in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 129, name: modprobe\n preempt_count: 0, expected: 0\n RCU nest depth: 0, expected: 0\n CPU: 0 UID: 0 PID: 129 Comm: modprobe Tainted: G        W          6.12.0-rc1+ #1723\n Tainted: [W]=WARN\n Stack : 9000000105e0bd48 0000000000000000 9000000003803944 9000000105e08000\n         9000000105e0bc70 9000000105e0bc78 0000000000000000 0000000000000000\n         9000000105e0bc78 0000000000000001 9000000185e0ba07 9000000105e0b890\n         ffffffffffffffff 9000000105e0bc78 73924b81763be05b 9000000100194500\n         000000000000020c 000000000000000a 0000000000000000 0000000000000003\n         00000000000023f0 00000000000e1401 00000000072f8000 0000007ffbb0e260\n         0000000000000000 0000000000000000 9000000005437650 90000000055d5000\n         0000000000000000 0000000000000003 0000007ffbb0e1f0 0000000000000000\n         0000005567b00490 0000000000000000 9000000003803964 0000007ffbb0dfec\n         00000000000000b0 0000000000000007 0000000000000003 0000000000071c1d\n         ...\n Call Trace:\n [<9000000003803964>] show_stack+0x64/0x1a0\n [<9000000004c57464>] dump_stack_lvl+0x74/0xb0\n [<9000000003861ab4>] __might_resched+0x154/0x1a0\n [<900000000380c96c>] emulate_load_store_insn+0x6c/0xf60\n [<9000000004c58118>] do_ale+0x78/0x180\n [<9000000003801bc8>] handle_ale+0x128/0x1e0\n\nSo enable IRQ if unaligned access exception is triggered in irq-enabled\ncontext to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lam: Disable ADDRESS_MASKING in most cases\n\nLinear Address Masking (LAM) has a weakness related to transient\nexecution as described in the SLAM paper[1]. Unless Linear Address\nSpace Separation (LASS) is enabled this weakness may be exploitable.\n\nUntil kernel adds support for LASS[2], only allow LAM for COMPILE_TEST,\nor when speculation mitigations have been disabled at compile time,\notherwise keep LAM disabled.\n\nThere are no processors in market that support LAM yet, so currently\nnobody is affected by this issue.\n\n[1] SLAM: https://download.vusec.net/papers/slam_sp24.pdf\n[2] LASS: https://lore.kernel.org/lkml/20230609183632.48706-1-alexander.shishkin@linux.intel.com/\n\n[ dhansen: update SPECULATION_MITIGATIONS -> CPU_MITIGATIONS ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: core: fix invalid port index for parent device\n\nIn a commit 24b7f8e5cd65 (\"firewire: core: use helper functions for self\nID sequence\"), the enumeration over self ID sequence was refactored with\nsome helper functions with KUnit tests. These helper functions are\nguaranteed to work expectedly by the KUnit tests, however their application\nincludes a mistake to assign invalid value to the index of port connected\nto parent device.\n\nThis bug affects the case that any extra node devices which has three or\nmore ports are connected to 1394 OHCI controller. In the case, the path\nto update the tree cache could hits WARN_ON(), and gets general protection\nfault due to the access to invalid address computed by the invalid value.\n\nThis commit fixes the bug to assign correct port index.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unregister redistributor for failed vCPU creation\n\nAlex reports that syzkaller has managed to trigger a use-after-free when\ntearing down a VM:\n\n  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758\n\n  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317\n   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324\n   __dump_stack lib/dump_stack.c:93 [inline]\n   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119\n   print_report+0x144/0x7a4 mm/kasan/report.c:377\n   kasan_report+0xcc/0x128 mm/kasan/report.c:601\n   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409\n   __fput+0x198/0x71c fs/file_table.c:422\n   ____fput+0x20/0x30 fs/file_table.c:450\n   task_work_run+0x1cc/0x23c kernel/task_work.c:228\n   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50\n   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169\n   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nUpon closer inspection, it appears that we do not properly tear down the\nMMIO registration for a vCPU that fails creation late in the game, e.g.\na vCPU w/ the same ID already exists in the VM.\n\nIt is important to consider the context of commit that introduced this bug\nby moving the unregistration out of __kvm_vgic_vcpu_destroy(). That\nchange correctly sought to avoid an srcu v. 
config_lock inversion by\nbreaking up the vCPU teardown into two parts, one guarded by the\nconfig_lock.\n\nFix the use-after-free while avoiding lock inversion by adding a\nspecial-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe\nbecause failed vCPUs are torn down outside of the config_lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory\n\nIgnore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits\n4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't\nenforce 32-byte alignment of nCR3.\n\nIn the absolute worst case scenario, failure to ignore bits 4:0 can result\nin an out-of-bounds read, e.g. if the target page is at the end of a\nmemslot, and the VMM isn't using guard pages.\n\nPer the APM:\n\n  The CR3 register points to the base address of the page-directory-pointer\n  table. The page-directory-pointer table is aligned on a 32-byte boundary,\n  with the low 5 address bits 4:0 assumed to be 0.\n\nAnd the SDM's much more explicit:\n\n  4:0    Ignored\n\nNote, KVM gets this right when loading PDPTRs, it's only the nSVM flow\nthat is broken.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug due to missing clearing of buffer delay flag\n\nSyzbot reported that after nilfs2 reads a corrupted file system image\nand degrades to read-only, the BUG_ON check for the buffer delay flag\nin submit_bh_wbc() may fail, causing a kernel bug.\n\nThis is because the buffer delay flag is not cleared when clearing the\nbuffer state flags to discard a page/folio or a buffer head. So, fix\nthis.\n\nThis became necessary when the use of nilfs2's own page clear routine\nwas expanded.  This state inconsistency does not occur if the buffer\nis written normally by log writing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Guard against bad data for ATIF ACPI method\n\nIf a BIOS provides bad data in response to an ATIF method call\nthis causes a NULL pointer dereference in the caller.\n\n```\n? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1))\n? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434)\n? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2))\n? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1))\n? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642)\n? exc_page_fault (arch/x86/mm/fault.c:1542)\n? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu\n? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu\n```\n\nIt has been encountered on at least one system, so guard for it.\n\n(cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro->rw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n  BTRFS info (device loop0 state MCS): disabling free space tree\n  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n  BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n  RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n  Call Trace:\n   <TASK>\n   btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n   btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n   btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n   btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n   btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n   btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n   btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n   btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n   vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n   do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n   do_mount fs/namespace.c:3812 [inline]\n   __do_sys_mount fs/namespace.c:4020 [inline]\n   __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip 
mount option/feature checks if we are mounting a different\n  subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n  rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n  will happen.\n\n- Mount a subvolume rw of the same fs.\n  We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n  because our new fc is RW, different from the original fs.\n\n  Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n  first so that we can grab the existing fs_info.\n  Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n  This means we will restart the v2 cache clearing, and convert back to\n  v1 cache.\n  This will trigger fs writes, and since the original fs has \"rescue=all\"\n  option, it skips the csum tree read.\n\n  And eventually causing NULL pointer dereference in super block\n  writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn't really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix warning when destroy 'cifs_io_request_pool'\n\nThere's a issue as follows:\nWARNING: CPU: 1 PID: 27826 at mm/slub.c:4698 free_large_kmalloc+0xac/0xe0\nRIP: 0010:free_large_kmalloc+0xac/0xe0\nCall Trace:\n <TASK>\n ? __warn+0xea/0x330\n mempool_destroy+0x13f/0x1d0\n init_cifs+0xa50/0xff0 [cifs]\n do_one_initcall+0xdc/0x550\n do_init_module+0x22d/0x6b0\n load_module+0x4e96/0x5ff0\n init_module_from_file+0xcd/0x130\n idempotent_init_module+0x330/0x620\n __x64_sys_finit_module+0xb3/0x110\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nObviously, 'cifs_io_request_pool' is not created by mempool_create().\nSo just use mempool_exit() to revert 'cifs_io_request_pool'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Handle kstrdup failures for passwords\n\nIn smb3_reconfigure(), after duplicating ctx->password and\nctx->password2 with kstrdup(), we need to check for allocation\nfailures.\n\nIf ses->password allocation fails, return -ENOMEM.\nIf ses->password2 allocation fails, free ses->password, set it\nto NULL, and return -ENOMEM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net\n\nIn the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the\nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will\nrelease all resources related to the hashed `nfs4_client`. If the\n`nfsd_client_shrinker` is running concurrently, the `expire_client`\nfunction will first unhash this client and then destroy it. This can\nlead to the following warning. Additionally, numerous use-after-free\nerrors may occur as well.\n\nnfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads\n\nexpire_client                nfsd_shutdown_net\n  unhash_client                ...\n                               nfs4_state_shutdown_net\n                                 /* won't wait shrinker exit */\n  /*                             cancel_work(&nn->nfsd_shrinker_work)\n   * nfsd_file for this          /* won't destroy unhashed client1 */\n   * client1 still alive         nfs4_state_destroy_net\n   */\n\n                               nfsd_file_cache_shutdown\n                                 /* trigger warning */\n                                 kmem_cache_destroy(nfsd_file_slab)\n                                 kmem_cache_destroy(nfsd_file_mark_slab)\n  /* release nfsd_file and mark */\n  __destroy_client\n\n====================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n--------------------------------------------------------------------\nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n 
nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n====================================================================\nBUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining\nnfsd_file_mark on __kmem_cache_shutdown()\n--------------------------------------------------------------------\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous\nmode in nfs4_state_shutdown_net.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Hold rescan lock while adding devices during host probe\n\nSince adding the PCI power control code, we may end up with a race between\nthe pwrctl platform device rescanning the bus and host controller probe\nfunctions. The latter need to take the rescan lock when adding devices or\nwe may end up in an undefined state having two incompletely added devices\nand hit the following crash when trying to remove the device over sysfs:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  Internal error: Oops: 0000000096000004 [#1] SMP\n  Call trace:\n    __pi_strlen+0x14/0x150\n    kernfs_find_ns+0x80/0x13c\n    kernfs_remove_by_name_ns+0x54/0xf0\n    sysfs_remove_bin_file+0x24/0x34\n    pci_remove_resource_files+0x3c/0x84\n    pci_remove_sysfs_dev_files+0x28/0x38\n    pci_stop_bus_device+0x8c/0xd8\n    pci_stop_bus_device+0x40/0xd8\n    pci_stop_and_remove_bus_device_locked+0x28/0x48\n    remove_store+0x70/0xb0\n    dev_attr_store+0x20/0x38\n    sysfs_kf_write+0x58/0x78\n    kernfs_fop_write_iter+0xe8/0x184\n    vfs_write+0x2dc/0x308\n    ksys_write+0x7c/0xec",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add the missing BPF_LINK_TYPE invocation for sockmap\n\nThere is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap\nlink fd. Fix it by adding the missing BPF_LINK_TYPE invocation for\nsockmap link\n\nAlso add comments for bpf_link_type to prevent missing updates in the\nfuture.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix UAF on iso_sock_timeout\n\nconn->sk maybe have been unlinked/freed while waiting for iso_conn_lock\nso this checks if the conn->sk is still valid by checking if it part of\niso_sk_list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_sock_timeout\n\nconn->sk maybe have been unlinked/freed while waiting for sco_conn_lock\nso this checks if the conn->sk is still valid by checking if it part of\nsco_sk_list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in 'taprio_dump()' by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862]  dump_backtrace+0x20c/0x220\n[T15862]  show_stack+0x2c/0x40\n[T15862]  dump_stack_lvl+0xf8/0x174\n[T15862]  print_report+0x170/0x4d8\n[T15862]  kasan_report+0xb8/0x1d4\n[T15862]  __asan_report_load4_noabort+0x20/0x2c\n[T15862]  taprio_dump+0xa0c/0xbb0\n[T15862]  tc_fill_qdisc+0x540/0x1020\n[T15862]  qdisc_notify.isra.0+0x330/0x3a0\n[T15862]  tc_modify_qdisc+0x7b8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_alloc_info+0x40/0x60\n[T15862]  __kasan_kmalloc+0xd4/0xe0\n[T15862]  __kmalloc_cache_noprof+0x194/0x334\n[T15862]  taprio_change+0x45c/0x2fe0\n[T15862]  tc_modify_qdisc+0x6a8/0x1838\n[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862]  netlink_rcv_skb+0x1f8/0x3d4\n[T15862]  rtnetlink_rcv+0x28/0x40\n[T15862]  netlink_unicast+0x51c/0x790\n[T15862]  netlink_sendmsg+0x79c/0xc20\n[T15862]  __sock_sendmsg+0xe0/0x1a0\n[T15862]  ____sys_sendmsg+0x6c0/0x840\n[T15862]  ___sys_sendmsg+0x1ac/0x1f0\n[T15862]  __sys_sendmsg+0x110/0x1d0\n[T15862]  __arm64_sys_sendmsg+0x74/0xb0\n[T15862]  invoke_syscall+0x88/0x2e0\n[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862]  do_el0_svc+0x44/0x60\n[T15862]  el0_svc+0x50/0x184\n[T15862]  el0t_64_sync_handler+0x120/0x12c\n[T15862]  el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862]  kasan_save_stack+0x3c/0x70\n[T15862]  kasan_save_track+0x20/0x3c\n[T15862]  kasan_save_free_info+0x4c/0x80\n[T15862]  poison_slab_object+0x110/0x160\n[T15862]  __kasan_slab_free+0x3c/0x74\n[T15862]  kfree+0x134/0x3c0\n[T15862]  taprio_free_sched_cb+0x18c/0x220\n[T15862]  rcu_core+0x920/0x1b7c\n[T15862]  rcu_core_si+0x10/0x1c\n[T15862]  handle_softirqs+0x2e8/0xd64\n[T15862]  __do_softirq+0x14/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix use-after-free in taprio_change()\n\nIn 'taprio_change()', 'admin' pointer may become dangling due to sched\nswitch / removal caused by 'advance_sched()', and critical section\nprotected by 'q->current_entry_lock' is too small to prevent from such\na scenario (which causes use-after-free detected by KASAN). Fix this\nby prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update\n'admin' immediately before an attempt to schedule freeing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: fix global oob in wwan_rtnl_policy\n\nThe variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to\na global out-of-bounds read when parsing the netlink attributes. Exactly\nsame bug cause as the oob fixed in commit b33fb5b801c6 (\"net: qualcomm:\nrmnet: fix global oob in rmnet_policy\").\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603\nRead of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862\n\nCPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x14f/0x750 mm/kasan/report.c:395\n kasan_report+0x139/0x170 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:388 [inline]\n __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603\n __nla_parse+0x3c/0x50 lib/nlattr.c:700\n nla_parse_nested_deprecated include/net/netlink.h:1269 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3514 [inline]\n rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623\n rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122\n netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508\n netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]\n netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352\n netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874\n sock_sendmsg_nosec net/socket.c:716 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499\n ___sys_sendmsg+0x21c/0x290 net/socket.c:2553\n __sys_sendmsg net/socket.c:2582 [inline]\n __do_sys_sendmsg net/socket.c:2591 [inline]\n __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f67b19a24ad\nRSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad\nRDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004\nRBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40\n </TASK>\n\nThe buggy address belongs to the variable:\n wwan_rtnl_policy+0x20/0x40\n\nThe buggy address belongs to the physical page:\npage:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c\nflags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner info is not present (never set?)\n\nMemory state around the buggy address:\n ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9\n ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9\n>ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9\n                                                       ^\n ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n==================================================================\n\nAccording to the comment of `nla_parse_nested_deprecated`, use correct size\n`IFLA_WWAN_MAX` here to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pse-pd: Fix out of bound for loop\n\nAdjust the loop limit to prevent out-of-bounds access when iterating over\nPI structures. The loop should not reach the index pcdev->nr_lines since\nwe allocate exactly pcdev->nr_lines number of PI structures. This fix\nensures proper bounds are maintained during iterations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: must hold reference on net namespace\n\nBUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0\nRead of size 8 at addr ffff8880106fe400 by task repro/72=\nbpf_nf_link_release+0xda/0x1e0\nbpf_link_free+0x139/0x2d0\nbpf_link_release+0x68/0x80\n__fput+0x414/0xb60\n\nEric says:\n It seems that bpf was able to defer the __nf_unregister_net_hook()\n after exit()/close() time.\n Perhaps a netns reference is missing, because the netns has been\n dismantled/freed already.\n bpf_nf_link_attach() does :\n link->net = net;\n But I do not see a reference being taken on net.\n\nAdd such a reference and release it after hook unreg.\nNote that I was unable to get syzbot reproducer to work, so I\ndo not know if this resolves this splat.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Consider the NULL character when validating the event length\n\nstrlen() returns a string length excluding the null byte. If the string\nlength equals to the maximum buffer length, the buffer will have no\nspace for the NULL terminating character.\n\nThis commit checks this condition and returns failure for it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: Fix MAX_TRACE_ARGS limit handling\n\nWhen creating a trace_probe we would set nr_args prior to truncating the\narguments to MAX_TRACE_ARGS. However, we would only initialize arguments\nup to the limit.\n\nThis caused invalid memory access when attempting to set up probes with\nmore than 128 fetchargs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000020\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:__set_print_fmt+0x134/0x330\n\nResolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return\nan error when there are too many arguments instead of silently\ntruncating.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Don't crash in stack_top() for tasks without vDSO\n\nNot all tasks have a vDSO mapped, for example kthreads never do. If such\na task ever ends up calling stack_top(), it will derefence the NULL vdso\npointer and crash.\n\nThis can for example happen when using kunit:\n\n\t[<9000000000203874>] stack_top+0x58/0xa8\n\t[<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220\n\t[<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c\n\t[<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c\n\t[<90000000003c2704>] kunit_vm_mmap+0x88/0xc8\n\t[<9000000000410b14>] usercopy_test_init+0xbc/0x25c\n\t[<90000000003c1db4>] kunit_try_run_case+0x5c/0x184\n\t[<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48\n\t[<900000000022e4bc>] kthread+0xc8/0xd4\n\t[<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA\n\nReplace the fake VLA at end of the vbva_mouse_pointer_shape shape with\na real VLA to fix a \"memcpy: detected field-spanning write error\" warning:\n\n[   13.319813] memcpy: detected field-spanning write (size 16896) of single field \"p->data\" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)\n[   13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]\n[   13.320038] Call Trace:\n[   13.320173]  hgsmi_update_pointer_shape [vboxvideo]\n[   13.320184]  vbox_cursor_atomic_update [vboxvideo]\n\nNote as mentioned in the added comment it seems the original length\ncalculation for the allocated and send hgsmi buffer is 4 bytes too large.\nChanging this is not the goal of this patch, so this behavior is kept.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix race condition between reset and nvme_dev_disable()\n\nnvme_dev_disable() modifies the dev->online_queues field, therefore\nnvme_pci_update_nr_queues() should avoid racing against it, otherwise\nwe could end up passing invalid values to blk_mq_update_nr_hw_queues().\n\n WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347\n          pci_irq_get_affinity+0x187/0x210\n Workqueue: nvme-reset-wq nvme_reset_work [nvme]\n RIP: 0010:pci_irq_get_affinity+0x187/0x210\n Call Trace:\n  <TASK>\n  ? blk_mq_pci_map_queues+0x87/0x3c0\n  ? pci_irq_get_affinity+0x187/0x210\n  blk_mq_pci_map_queues+0x87/0x3c0\n  nvme_pci_map_queues+0x189/0x460 [nvme]\n  blk_mq_update_nr_hw_queues+0x2a/0x40\n  nvme_reset_work+0x1be/0x2a0 [nvme]\n\nFix the bug by locking the shutdown_lock mutex before using\ndev->online_queues. Give up if nvme_dev_disable() is running or if\nit has been executed already.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Unregister notifier on eswitch init failure\n\nIt otherwise remains registered and a subsequent attempt at eswitch\nenabling might trigger warnings of the sort:\n\n[  682.589148] ------------[ cut here ]------------\n[  682.590204] notifier callback eswitch_vport_event [mlx5_core] already registered\n[  682.590256] WARNING: CPU: 13 PID: 2660 at kernel/notifier.c:31 notifier_chain_register+0x3e/0x90\n[...snipped]\n[  682.610052] Call Trace:\n[  682.610369]  <TASK>\n[  682.610663]  ? __warn+0x7c/0x110\n[  682.611050]  ? notifier_chain_register+0x3e/0x90\n[  682.611556]  ? report_bug+0x148/0x170\n[  682.611977]  ? handle_bug+0x36/0x70\n[  682.612384]  ? exc_invalid_op+0x13/0x60\n[  682.612817]  ? asm_exc_invalid_op+0x16/0x20\n[  682.613284]  ? notifier_chain_register+0x3e/0x90\n[  682.613789]  atomic_notifier_chain_register+0x25/0x40\n[  682.614322]  mlx5_eswitch_enable_locked+0x1d4/0x3b0 [mlx5_core]\n[  682.614965]  mlx5_eswitch_enable+0xc9/0x100 [mlx5_core]\n[  682.615551]  mlx5_device_enable_sriov+0x25/0x340 [mlx5_core]\n[  682.616170]  mlx5_core_sriov_configure+0x50/0x170 [mlx5_core]\n[  682.616789]  sriov_numvfs_store+0xb0/0x1b0\n[  682.617248]  kernfs_fop_write_iter+0x117/0x1a0\n[  682.617734]  vfs_write+0x231/0x3f0\n[  682.618138]  ksys_write+0x63/0xe0\n[  682.618536]  do_syscall_64+0x4c/0x100\n[  682.618958]  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: starfive: jh71x0: Fix accessing the empty member on JH7110 SoC\n\ndata->asserted will be NULL on JH7110 SoC since commit 82327b127d41\n(\"reset: starfive: Add StarFive JH7110 reset driver\") was added. Add\nthe judgment condition to avoid errors when calling reset_control_status\non JH7110 SoC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use raw_spinlock_t in ringbuf\n\nThe function __bpf_ringbuf_reserve is invoked from a tracepoint, which\ndisables preemption. Using spinlock_t in this context can lead to a\n\"sleep in atomic\" warning in the RT variant. This issue is illustrated\nin the example below:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs\npreempt_count: 1, expected: 0\nRCU nest depth: 1, expected: 1\nINFO: lockdep is turned off.\nPreemption disabled at:\n[<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c\nCPU: 7 PID: 556208 Comm: test_progs Tainted: G\nHardware name: Qualcomm SA8775P Ride (DT)\nCall trace:\n dump_backtrace+0xac/0x130\n show_stack+0x1c/0x30\n dump_stack_lvl+0xac/0xe8\n dump_stack+0x18/0x30\n __might_resched+0x3bc/0x4fc\n rt_spin_lock+0x8c/0x1a4\n __bpf_ringbuf_reserve+0xc4/0x254\n bpf_ringbuf_reserve_dynptr+0x5c/0xdc\n bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238\n trace_call_bpf+0x238/0x774\n perf_call_bpf_enter.isra.0+0x104/0x194\n perf_syscall_enter+0x2f8/0x510\n trace_sys_enter+0x39c/0x564\n syscall_trace_enter+0x220/0x3c0\n do_el0_svc+0x138/0x1dc\n el0_svc+0x54/0x130\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nSwitch the spinlock to raw_spinlock_t to avoid this error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix shift-out-of-bounds bug\n\nFix a shift-out-of-bounds bug reported by UBSAN when running\nVM with MTE enabled host kernel.\n\nUBSAN: shift-out-of-bounds in arch/arm64/kvm/sys_regs.c:1988:14\nshift exponent 33 is too large for 32-bit type 'int'\nCPU: 26 UID: 0 PID: 7629 Comm: qemu-kvm Not tainted 6.12.0-rc2 #34\nHardware name: IEI NF5280R7/Mitchell MB, BIOS 00.00. 2024-10-12 09:28:54 10/14/2024\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x20/0x38\n dump_stack_lvl+0x74/0x90\n dump_stack+0x18/0x28\n __ubsan_handle_shift_out_of_bounds+0xf8/0x1e0\n reset_clidr+0x10c/0x1c8\n kvm_reset_sys_regs+0x50/0x1c8\n kvm_reset_vcpu+0xec/0x2b0\n __kvm_vcpu_set_target+0x84/0x158\n kvm_vcpu_set_target+0x138/0x168\n kvm_arch_vcpu_ioctl_vcpu_init+0x40/0x2b0\n kvm_arch_vcpu_ioctl+0x28c/0x4b8\n kvm_vcpu_ioctl+0x4bc/0x7a8\n __arm64_sys_ioctl+0xb4/0x100\n invoke_syscall+0x70/0x100\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x3c/0x158\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x194/0x198",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Disable page allocation in task_tick_mm_cid()\n\nWith KASAN and PREEMPT_RT enabled, calling task_work_add() in\ntask_tick_mm_cid() may cause the following splat.\n\n[   63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[   63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe\n[   63.696416] preempt_count: 10001, expected: 0\n[   63.696416] RCU nest depth: 1, expected: 1\n\nThis problem is caused by the following call trace.\n\n  sched_tick() [ acquire rq->__lock ]\n   -> task_tick_mm_cid()\n    -> task_work_add()\n     -> __kasan_record_aux_stack()\n      -> kasan_save_stack()\n       -> stack_depot_save_flags()\n        -> alloc_pages_mpol_noprof()\n         -> __alloc_pages_noprof()\n\t  -> get_page_from_freelist()\n\t   -> rmqueue()\n\t    -> rmqueue_pcplist()\n\t     -> __rmqueue_pcplist()\n\t      -> rmqueue_bulk()\n\t       -> rt_spin_lock()\n\nThe rq lock is a raw_spinlock_t. We can't sleep while holding\nit. IOW, we can't call alloc_pages() in stack_depot_save_flags().\n\nThe task_tick_mm_cid() function with its task_work_add() call was\nintroduced by commit 223baf9d17f2 (\"sched: Fix performance regression\nintroduced by mm_cid\") in v6.4 kernel.\n\nFortunately, there is a kasan_record_aux_stack_noalloc() variant that\ncalls stack_depot_save_flags() while not allowing it to allocate\nnew pages.  To allow task_tick_mm_cid() to use task_work without\npage allocation, a new TWAF_NO_ALLOC flag is added to enable calling\nkasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()\nif set. The task_tick_mm_cid() function is modified to add this new flag.\n\nThe possible downside is the missing stack trace in a KASAN report due\nto new page allocation required when task_work_add_noallloc() is called\nwhich should be rare.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context\n\nPRMT needs to find the correct type of block to translate the PA-VA\nmapping for EFI runtime services.\n\nThe issue arises because the PRMT is finding a block of type\nEFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services\nas described in Section 2.2.2 (Runtime Services) of the UEFI\nSpecification [1]. Since the PRM handler is a type of runtime service,\nthis causes an exception when the PRM handler is called.\n\n    [Firmware Bug]: Unable to handle paging request in EFI runtime service\n    WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341\n        __efi_queue_work+0x11c/0x170\n    Call trace:\n\nLet PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM\ncontext.\n\nIf no suitable block is found, a warning message will be printed, but\nthe procedure continues to manage the next PRM handler.\n\nHowever, if the PRM handler is actually called without proper allocation,\nit would result in a failure during error handling.\n\nBy using the correct memory types for runtime services, ensure that the\nPRM handler and the context are properly mapped in the virtual address\nspace during runtime, preventing the paging request error.\n\nThe issue is really that only memory that has been remapped for runtime\nby the firmware can be used by the PRM handler, and so the region needs\nto have the EFI_MEMORY_RUNTIME attribute.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: validate new SA's prefixlen using SA family when sel.family is unset\n\nThis expands the validation introduced in commit 07bf7908950a (\"xfrm:\nValidate address prefix lengths in the xfrm selector.\")\n\nsyzbot created an SA with\n    usersa.sel.family = AF_UNSPEC\n    usersa.sel.prefixlen_s = 128\n    usersa.family = AF_INET\n\nBecause of the AF_UNSPEC selector, verify_newsa_info doesn't put\nlimits on prefixlen_{s,d}. But then copy_from_user_state sets\nx->sel.family to usersa.family (AF_INET). Do the same conversion in\nverify_newsa_info before validating prefixlen_{s,d}, since that's how\nprefixlen is going to be used later on.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix uninit-value use in udf_get_fileshortad\n\nCheck for overflow when computing alen in udf_current_aext to mitigate\nlater uninit-value use in udf_get_fileshortad KMSAN bug[1].\nAfter applying the patch reproducer did not trigger any issue[2].\n\n[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df\n[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix unbalanced rpm put() with fence_fini()\n\nCurrently we can call fence_fini() twice if something goes wrong when\nsending the GuC CT for the tlb request, since we signal the fence and\nreturn an error, leading to the caller also calling fini() on the error\npath in the case of stack version of the flow, which leads to an extra\nrpm put() which might later cause device to enter suspend when it\nshouldn't. It looks like we can just drop the fini() call since the\nfence signaller side will already call this for us.\n\nThere are known mysterious splats with device going to sleep even with\nan rpm ref, and this could be one candidate.\n\nv2 (Matt B):\n  - Prefer warning if we detect double fini()\n\n(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()\n\nbuild_skb() returns NULL in case of a memory allocation failure so handle\nit inside __octep_oq_process_rx() to avoid NULL pointer dereference.\n\n__octep_oq_process_rx() is called during NAPI polling by the driver. If\nskb allocation fails, keep on pulling packets out of the Rx DMA queue: we\nshouldn't break the polling immediately and thus falsely indicate to the\noctep_napi_poll() that the Rx pressure is going down. As there is no\nassociated skb in this case, don't process the packets and don't push them\nup the network stack - they are skipped.\n\nHelper function is implemented to unmmap/flush all the fragment buffers\nused by the dropped packet. 'alloc_failures' counter is incremented to\nmark the skb allocation error in driver statistics.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't call cleanup on profile rollback failure\n\nWhen profile rollback fails in mlx5e_netdev_change_profile, the netdev\nprofile var is left set to NULL. Avoid a crash when unloading the driver\nby not calling profile->cleanup in such a case.\n\nThis was encountered while testing, with the original trigger that\nthe wq rescuer thread creation got interrupted (presumably due to\nCtrl+C-ing modprobe), which gets converted to ENOMEM (-12) by\nmlx5e_priv_init, the profile rollback also fails for the same reason\n(signal still active) so the profile is left as NULL, leading to a crash\nlater in _mlx5e_remove.\n\n [  732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)\n [  734.525513] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [  734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [  734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12\n [  734.560153] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [  734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [  734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n [  745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008\n [  745.538222] #PF: supervisor read access in kernel mode\n<snipped>\n [  745.551290] Call Trace:\n [  745.551590]  <TASK>\n [  745.551866]  ? __die+0x20/0x60\n [  745.552218]  ? page_fault_oops+0x150/0x400\n [  745.555307]  ? exc_page_fault+0x79/0x240\n [  745.555729]  ? asm_exc_page_fault+0x22/0x30\n [  745.556166]  ? mlx5e_remove+0x6b/0xb0 [mlx5_core]\n [  745.556698]  auxiliary_bus_remove+0x18/0x30\n [  745.557134]  device_release_driver_internal+0x1df/0x240\n [  745.557654]  bus_remove_device+0xd7/0x140\n [  745.558075]  device_del+0x15b/0x3c0\n [  745.558456]  mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]\n [  745.559112]  mlx5_unregister_device+0x34/0x50 [mlx5_core]\n [  745.559686]  mlx5_uninit_one+0x46/0xf0 [mlx5_core]\n [  745.560203]  remove_one+0x4e/0xd0 [mlx5_core]\n [  745.560694]  pci_device_remove+0x39/0xa0\n [  745.561112]  device_release_driver_internal+0x1df/0x240\n [  745.561631]  driver_detach+0x47/0x90\n [  745.562022]  bus_remove_driver+0x84/0x100\n [  745.562444]  pci_unregister_driver+0x3b/0x90\n [  745.562890]  mlx5_cleanup+0xc/0x1b [mlx5_core]\n [  745.563415]  __x64_sys_delete_module+0x14d/0x2f0\n [  745.563886]  ? kmem_cache_free+0x1b0/0x460\n [  745.564313]  ? lockdep_hardirqs_on_prepare+0xe2/0x190\n [  745.564825]  do_syscall_64+0x6d/0x140\n [  745.565223]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n [  745.565725] RIP: 0033:0x7f1579b1288b",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix command bitmask initialization\n\nCommand bitmask have a dedicated bit for MANAGE_PAGES command, this bit\nisn't Initialize during command bitmask Initialization, only during\nMANAGE_PAGES.\n\nIn addition, mlx5_cmd_trigger_completions() is trying to trigger\ncompletion for MANAGE_PAGES command as well.\n\nHence, in case health error occurred before any MANAGE_PAGES command\nhave been invoke (for example, during mlx5_enable_hca()),\nmlx5_cmd_trigger_completions() will try to trigger completion for\nMANAGE_PAGES command, which will result in null-ptr-deref error.[1]\n\nFix it by Initialize command bitmask correctly.\n\nWhile at it, re-write the code for better understanding.\n\n[1]\nBUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]\nWrite of size 4 at addr 0000000000000214 by task kworker/u96:2/12078\nCPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x7e/0xc0\n kasan_report+0xb9/0xf0\n kasan_check_range+0xec/0x190\n mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]\n mlx5_cmd_flush+0x94/0x240 [mlx5_core]\n enter_error_state+0x6c/0xd0 [mlx5_core]\n mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]\n process_one_work+0x787/0x1490\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? pwq_dec_nr_in_flight+0xda0/0xda0\n ? assign_work+0x168/0x240\n worker_thread+0x586/0xd30\n ? rescuer_thread+0xae0/0xae0\n kthread+0x2df/0x3b0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x2d/0x70\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bnep: fix wild-memory-access in proto_unregister\n\nThere's issue as follows:\n  KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]\n  CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G        W\n  RIP: 0010:proto_unregister+0xee/0x400\n  Call Trace:\n   <TASK>\n   __do_sys_delete_module+0x318/0x580\n   do_syscall_64+0xc1/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAs bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()\nwill cleanup all resource. Then when remove bnep module will call\nbnep_sock_cleanup() to cleanup sock's resource.\nTo solve above issue just return bnep_sock_init()'s return value in\nbnep_exit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don't free job in TDR\n\nFreeing job in TDR is not safe as TDR can pass the run_job thread\nresulting in UAF. It is only safe for free job to naturally be called by\nthe scheduler. Rather free job in TDR, add to pending list.\n\n(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmode should keep reference to parent\n\nThe altmode device release refers to its parent device, but without keeping\na reference to it.\n\nWhen registering the altmode, get a reference to the parent and put it in\nthe release function.\n\nBefore this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues\nlike this:\n\n[   43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)\n[   43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   46.612867] ==================================================================\n[   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129\n[   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48\n[   46.614538]\n[   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535\n[   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[   46.616042] Workqueue: events kobject_delayed_cleanup\n[   46.616446] Call Trace:\n[   46.616648]  <TASK>\n[   46.616820]  dump_stack_lvl+0x5b/0x7c\n[   46.617112]  ? typec_altmode_release+0x38/0x129\n[   46.617470]  print_report+0x14c/0x49e\n[   46.617769]  ? rcu_read_unlock_sched+0x56/0x69\n[   46.618117]  ? __virt_addr_valid+0x19a/0x1ab\n[   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d\n[   46.618807]  ? typec_altmode_release+0x38/0x129\n[   46.619161]  kasan_report+0x8d/0xb4\n[   46.619447]  ? typec_altmode_release+0x38/0x129\n[   46.619809]  ? process_scheduled_works+0x3cb/0x85f\n[   46.620185]  typec_altmode_release+0x38/0x129\n[   46.620537]  ? process_scheduled_works+0x3cb/0x85f\n[   46.620907]  device_release+0xaf/0xf2\n[   46.621206]  kobject_delayed_cleanup+0x13b/0x17a\n[   46.621584]  process_scheduled_works+0x4f6/0x85f\n[   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10\n[   46.622353]  ? hlock_class+0x31/0x9a\n[   46.622647]  ? lock_acquired+0x361/0x3c3\n[   46.622956]  ? move_linked_works+0x46/0x7d\n[   46.623277]  worker_thread+0x1ce/0x291\n[   46.623582]  ? __kthread_parkme+0xc8/0xdf\n[   46.623900]  ? __pfx_worker_thread+0x10/0x10\n[   46.624236]  kthread+0x17e/0x190\n[   46.624501]  ? kthread+0xfb/0x190\n[   46.624756]  ? __pfx_kthread+0x10/0x10\n[   46.625015]  ret_from_fork+0x20/0x40\n[   46.625268]  ? __pfx_kthread+0x10/0x10\n[   46.625532]  ret_from_fork_asm+0x1a/0x30\n[   46.625805]  </TASK>\n[   46.625953]\n[   46.626056] Allocated by task 678:\n[   46.626287]  kasan_save_stack+0x24/0x44\n[   46.626555]  kasan_save_track+0x14/0x2d\n[   46.626811]  __kasan_kmalloc+0x3f/0x4d\n[   46.627049]  __kmalloc_noprof+0x1bf/0x1f0\n[   46.627362]  typec_register_port+0x23/0x491\n[   46.627698]  cros_typec_probe+0x634/0xbb6\n[   46.628026]  platform_probe+0x47/0x8c\n[   46.628311]  really_probe+0x20a/0x47d\n[   46.628605]  device_driver_attach+0x39/0x72\n[   46.628940]  bind_store+0x87/0xd7\n[   46.629213]  kernfs_fop_write_iter+0x1aa/0x218\n[   46.629574]  vfs_write+0x1d6/0x29b\n[   46.629856]  ksys_write+0xcd/0x13b\n[   46.630128]  do_syscall_64+0xd4/0x139\n[   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   46.630820]\n[   46.630946] Freed by task 48:\n[   46.631182]  kasan_save_stack+0x24/0x44\n[   46.631493]  kasan_save_track+0x14/0x2d\n[   46.631799]  kasan_save_free_info+0x3f/0x4d\n[   46.632144]  __kasan_slab_free+0x37/0x45\n[   46.632474]\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOBs when building SMB2_IOCTL request\n\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\n\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\n\n  mount.cifs //srv/share /mnt -o ...,seal\n  ln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\n\n  BUG: KASAN: slab-out-of-bounds in\n  smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n  Write of size 4116 at addr ffff8881148fcab8 by task ln/859\n\n  CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n  1.16.3-2.fc40 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n   print_report+0x156/0x4d9\n   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n   ? __virt_addr_valid+0x145/0x310\n   ? __phys_addr+0x46/0x90\n   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n   kasan_report+0xda/0x110\n   ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n   kasan_check_range+0x10f/0x1f0\n   __asan_memcpy+0x3c/0x60\n   smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n   smb2_compound_op+0x238c/0x3840 [cifs]\n   ? kasan_save_track+0x14/0x30\n   ? kasan_save_free_info+0x3b/0x70\n   ? vfs_symlink+0x1a1/0x2c0\n   ? do_symlinkat+0x108/0x1c0\n   ? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n   ? kmem_cache_free+0x118/0x3e0\n   ? cifs_get_writable_path+0xeb/0x1a0 [cifs]\n   smb2_get_reparse_inode+0x423/0x540 [cifs]\n   ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n   ? rcu_is_watching+0x20/0x50\n   ? __kmalloc_noprof+0x37c/0x480\n   ? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n   ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n   smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n   ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n   ? find_held_lock+0x8a/0xa0\n   ? hlock_class+0x32/0xb0\n   ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\n   cifs_symlink+0x24f/0x960 [cifs]\n   ? __pfx_make_vfsuid+0x10/0x10\n   ? __pfx_cifs_symlink+0x10/0x10 [cifs]\n   ? make_vfsgid+0x6b/0xc0\n   ? generic_permission+0x96/0x2d0\n   vfs_symlink+0x1a1/0x2c0\n   do_symlinkat+0x108/0x1c0\n   ? __pfx_do_symlinkat+0x10/0x10\n   ? strncpy_from_user+0xaa/0x160\n   __x64_sys_symlinkat+0xb9/0xf0\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f08d75c13bb",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix possible double free in smb2_set_ea()\n\nClang static checker(scan-build) warning\uff1a\nfs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.\n 1304 |         kfree(ea);\n      |         ^~~~~~~~~\n\nThere is a double free in such case:\n'ea is initialized to NULL' -> 'first successful memory allocation for\nea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'\n-> 'goto replay_again' -> 'second goto sea_exit before allocate memory\nfor ea' -> 'second memory release for ea resulted in double free'.\n\nRe-initialie 'ea' to NULL near to the replay_again label, it can fix this\ndouble free problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Fix null-ptr-deref in target_alloc_device()\n\nThere is a null-ptr-deref issue reported by KASAN:\n\nBUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n...\n kasan_report+0xb9/0xf0\n target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]\n target_core_init_configfs+0x205/0x420 [target_core_mod]\n do_one_initcall+0xdd/0x4e0\n...\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nIn target_alloc_device(), if allocing memory for dev queues fails, then\ndev will be freed by dev->transport->free_device(), but dev->transport\nis not initialized at that time, which will lead to a null pointer\nreference problem.\n\nFixing this bug by freeing dev with hba->backend->ops->free_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n  \"\"\"\n  We are seeing a use-after-free from a bpf prog attached to\n  trace_tcp_retransmit_synack. The program passes the req->sk to the\n  bpf_sk_storage_get_tracing kernel helper which does check for null\n  before using it.\n  \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer->entry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req->sk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n     but del_timer_sync() is missed\n\n  2. reqsk timer is executed and scheduled again\n\n  3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n     reqsk timer still has another one, and inet_csk_accept() does not\n     clear req->sk for non-TFO sockets\n\n  4. sk is close()d\n\n  5. reqsk timer is executed again, and BPF touches req->sk\n\nLet's not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: use cond_resched() in nsim_dev_trap_report_work()\n\nI am still seeing many syzbot reports hinting that syzbot\nmight fool nsim_dev_trap_report_work() with hundreds of ports [1]\n\nLets use cond_resched(), and system_unbound_wq\ninstead of implicit system_wq.\n\n[1]\nINFO: task syz-executor:20633 blocked for more than 143 seconds.\n      Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor    state:D stack:25856 pid:20633 tgid:20633 ppid:1      flags:0x00004006\n...\nNMI backtrace for cpu 1\nCPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210\nCode: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0\nRSP: 0018:ffffc90000a187e8 EFLAGS: 00000246\nRAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00\nRDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577\nR10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000\nR13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00\nFS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n <TASK>\n  __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382\n  spin_unlock_bh include/linux/spinlock.h:396 [inline]\n  nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]\n  nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850\n  process_one_work kernel/workqueue.c:3229 [inline]\n  process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n  worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Avoid NULL dereference in msm_disp_state_print_regs()\n\nIf the allocation in msm_disp_state_dump_regs() failed then\n`block->state` can be NULL. The msm_disp_state_print_regs() function\n_does_ have code to try to handle it with:\n\n  if (*reg)\n    dump_addr = *reg;\n\n...but since \"dump_addr\" is initialized to NULL the above is actually\na noop. The code then goes on to dereference `dump_addr`.\n\nMake the function print \"Registers not stored\" when it sees a NULL to\nsolve this. Since we're touching the code, fix\nmsm_disp_state_print_regs() not to pointlessly take a double-pointer\nand properly mark the pointer as `const`.\n\nPatchwork: https://patchwork.freedesktop.org/patch/619657/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop\n\nDriver waits indefinitely for the fifo occupancy to go below a threshold\nas soon as the pacing interrupt is received. This can cause soft lockup on\none of the processors, if the rate of DB is very high.\n\nAdd a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th\nif the loop is taking more time. Pacing will be continuing until the\noccupancy is below the threshold. This is ensured by the checks in\nbnxt_re_pacing_timer_exp and further scheduling the work for pacing based\non the fifo occupancy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix out of bound check\n\nDriver exports pacing stats only on GenP5 and P7 adapters. But while\nparsing the pacing stats, driver has a check for \"rdev->dbr_pacing\".  This\ncaused a trace when KASAN is enabled.\n\nBUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re]\nWrite of size 8 at addr ffff8885942a6340 by task modprobe/4809",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()\n\nClang static checker(scan-build) throws below warning\uff1a\n  |  drivers/firmware/arm_scmi/driver.c:line 2915, column 2\n  |        Attempt to free released memory.\n\nWhen devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()\nwill run twice which causes double free of 'dbg->name'.\n\nRemove the redundant scmi_debugfs_common_cleanup() to fix this problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/cs8409: Fix possible NULL dereference\n\nIf snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then\nNULL pointer dereference will occur in the next line.\n\nSince dolphin_fixups function is a hda_fixup function which is not supposed\nto return any errors, add simple check before dereference, ignore the fail.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the remaining info_cnt before repeating btf fields\n\nWhen trying to repeat the btf fields for array of nested struct, it\ndoesn't check the remaining info_cnt. The following splat will be\nreported when the value of ret * nelems is greater than BTF_FIELDS_MAX:\n\n  ------------[ cut here ]------------\n  UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49\n  index 11 is out of range for type 'btf_field_info [11]'\n  CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1\n  Tainted: [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x57/0x70\n   dump_stack+0x10/0x20\n   ubsan_epilogue+0x9/0x40\n   __ubsan_handle_out_of_bounds+0x6f/0x80\n   ? kallsyms_lookup_name+0x48/0xb0\n   btf_parse_fields+0x992/0xce0\n   map_create+0x591/0x770\n   __sys_bpf+0x229/0x2410\n   __x64_sys_bpf+0x1f/0x30\n   x64_sys_call+0x199/0x9f0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x7fea56f2cc5d\n  ......\n   </TASK>\n  ---[ end trace ]---\n\nFix it by checking the remaining info_cnt in btf_repeat_fields() before\nrepeating the btf fields.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: devmap: provide rxq after redirect\n\nrxq contains a pointer to the device from where\nthe redirect happened. Currently, the BPF program\nthat was executed after a redirect via BPF_MAP_TYPE_DEVMAP*\ndoes not have it set.\n\nThis is particularly bad since accessing ingress_ifindex, e.g.\n\nSEC(\"xdp\")\nint prog(struct xdp_md *pkt)\n{\n        return bpf_redirect_map(&dev_redirect_map, 0, 0);\n}\n\nSEC(\"xdp/devmap\")\nint prog_after_redirect(struct xdp_md *pkt)\n{\n        bpf_printk(\"ifindex %i\", pkt->ingress_ifindex);\n        return XDP_PASS;\n}\n\ndepends on access to rxq, so a NULL pointer gets dereferenced:\n\n<1>[  574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000\n<1>[  574.475188] #PF: supervisor read access in kernel mode\n<1>[  574.475194] #PF: error_code(0x0000) - not-present page\n<6>[  574.475199] PGD 0 P4D 0\n<4>[  574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23\n<4>[  574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023\n<4>[  574.475231] Workqueue: mld mld_ifc_work\n<4>[  574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n<4>[  574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b\n<4>[  574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206\n<4>[  574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000\n<4>[  574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0\n<4>[  574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001\n<4>[  574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000\n<4>[  574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000\n<4>[  574.475289] FS:  0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000\n<4>[  574.475294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n<4>[  574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0\n<4>[  574.475303] PKRU: 55555554\n<4>[  574.475306] Call Trace:\n<4>[  574.475313]  <IRQ>\n<4>[  574.475318]  ? __die+0x23/0x70\n<4>[  574.475329]  ? page_fault_oops+0x180/0x4c0\n<4>[  574.475339]  ? skb_pp_cow_data+0x34c/0x490\n<4>[  574.475346]  ? kmem_cache_free+0x257/0x280\n<4>[  574.475357]  ? exc_page_fault+0x67/0x150\n<4>[  574.475368]  ? asm_exc_page_fault+0x26/0x30\n<4>[  574.475381]  ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n<4>[  574.475386]  bq_xmit_all+0x158/0x420\n<4>[  574.475397]  __dev_flush+0x30/0x90\n<4>[  574.475407]  veth_poll+0x216/0x250 [veth]\n<4>[  574.475421]  __napi_poll+0x28/0x1c0\n<4>[  574.475430]  net_rx_action+0x32d/0x3a0\n<4>[  574.475441]  handle_softirqs+0xcb/0x2c0\n<4>[  574.475451]  do_softirq+0x40/0x60\n<4>[  574.475458]  </IRQ>\n<4>[  574.475461]  <TASK>\n<4>[  574.475464]  __local_bh_enable_ip+0x66/0x70\n<4>[  574.475471]  __dev_queue_xmit+0x268/0xe40\n<4>[  574.475480]  ? selinux_ip_postroute+0x213/0x420\n<4>[  574.475491]  ? alloc_skb_with_frags+0x4a/0x1d0\n<4>[  574.475502]  ip6_finish_output2+0x2be/0x640\n<4>[  574.475512]  ? nf_hook_slow+0x42/0xf0\n<4>[  574.475521]  ip6_finish_output+0x194/0x300\n<4>[  574.475529]  ? __pfx_ip6_finish_output+0x10/0x10\n<4>[  574.475538]  mld_sendpack+0x17c/0x240\n<4>[  574.475548]  mld_ifc_work+0x192/0x410\n<4>[  574.475557]  process_one_work+0x15d/0x380\n<4>[  574.475566]  worker_thread+0x29d/0x3a0\n<4>[  574.475573]  ? __pfx_worker_thread+0x10/0x10\n<4>[  574.475580]  ? __pfx_worker_thread+0x10/0x10\n<4>[  574.475587]  kthread+0xcd/0x100\n<4>[  574.475597]  ? __pfx_kthread+0x10/0x10\n<4>[  574.475606]  ret_from_fork+0x31/0x50\n<4>[  574.475615]  ? __pfx_kthread+0x10/0x10\n<4>[  574.475623]  ret_from_fork_asm+0x1a/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Make sure internal and UAPI bpf_redirect flags don't overlap\n\nThe bpf_redirect_info is shared between the SKB and XDP redirect paths,\nand the two paths use the same numeric flag values in the ri->flags\nfield (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that\nif skb bpf_redirect_neigh() is used with a non-NULL params argument and,\nsubsequently, an XDP redirect is performed using the same\nbpf_redirect_info struct, the XDP path will get confused and end up\ncrashing, which syzbot managed to trigger.\n\nWith the stack-allocated bpf_redirect_info, the structure is no longer\nshared between the SKB and XDP paths, so the crash doesn't happen\nanymore. However, different code paths using identically-numbered flag\nvalues in the same struct field still seems like a bit of a mess, so\nthis patch cleans that up by moving the flag definitions together and\nredefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap\nwith the flags used for XDP. It also adds a BUILD_BUG_ON() check to make\nsure the overlap is not re-introduced by mistake.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overloading of MEM_UNINIT's meaning\n\nLonial reported an issue in the BPF verifier where check_mem_size_reg()\nhas the following code:\n\n    if (!tnum_is_const(reg->var_off))\n        /* For unprivileged variable accesses, disable raw\n         * mode so that the program is required to\n         * initialize all the memory that the helper could\n         * just partially fill up.\n         */\n         meta = NULL;\n\nThis means that writes are not checked when the register containing the\nsize of the passed buffer has not a fixed size. Through this bug, a BPF\nprogram can write to a map which is marked as read-only, for example,\n.rodata global maps.\n\nThe problem is that MEM_UNINIT's initial meaning that \"the passed buffer\nto the BPF helper does not need to be initialized\" which was added back\nin commit 435faee1aae9 (\"bpf, verifier: add ARG_PTR_TO_RAW_STACK type\")\ngot overloaded over time with \"the passed buffer is being written to\".\n\nThe problem however is that checks such as the above which were added later\nvia 06c1c049721a (\"bpf: allow helpers access to variable memory\") set meta\nto NULL in order force the user to always initialize the passed buffer to\nthe helper. Due to the current double meaning of MEM_UNINIT, this bypasses\nverifier write checks to the memory (not boundary checks though) and only\nassumes the latter memory is read instead.\n\nFix this by reverting MEM_UNINIT back to its original meaning, and having\nMEM_WRITE as an annotation to BPF helpers in order to then trigger the\nBPF verifier checks for writing to memory.\n\nSome notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}\nwe can access fn->arg_type[arg - 1] since it must contain a preceding\nARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed\naltogether since we do check both BPF_READ and BPF_WRITE. Same for the\nequivalent check_kfunc_mem_size_reg().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Preserve param->string when parsing mount options\n\nIn bpf_parse_param(), keep the value of param->string intact so it can\nbe freed later. Otherwise, the kmalloc area pointed to by param->string\nwill be leaked as shown below:\n\nunreferenced object 0xffff888118c46d20 (size 8):\n  comm \"new_name\", pid 12109, jiffies 4295580214\n  hex dump (first 8 bytes):\n    61 6e 79 00 38 c9 5c 7e                          any.8.\\~\n  backtrace (crc e1b7f876):\n    [<00000000c6848ac7>] kmemleak_alloc+0x4b/0x80\n    [<00000000de9f7d00>] __kmalloc_node_track_caller_noprof+0x36e/0x4a0\n    [<000000003e29b886>] memdup_user+0x32/0xa0\n    [<0000000007248326>] strndup_user+0x46/0x60\n    [<0000000035b3dd29>] __x64_sys_fsconfig+0x368/0x3d0\n    [<0000000018657927>] x64_sys_call+0xff/0x9f0\n    [<00000000c0cabc95>] do_syscall_64+0x3b/0xc0\n    [<000000002f331597>] entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsl/fman: Fix refcount handling of fman-related devices\n\nIn mac_probe() there are multiple calls to of_find_device_by_node(),\nfman_bind() and fman_port_bind() which takes references to of_dev->dev.\nNot all references taken by these calls are released later on error path\nin mac_probe() and in mac_remove() which lead to reference leaks.\n\nAdd references release.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: fix potential memory leak in be_xmit()\n\nThe be_xmit() returns NETDEV_TX_OK without freeing skb\nin case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sun3_82586: fix potential memory leak in sun3_82586_send_packet()\n\nThe sun3_82586_send_packet() returns NETDEV_TX_OK without freeing skb\nin case of skb->len being too long, add dev_kfree_skb() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Update rx_bytes on read_skb()\n\nMake sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()\ncalls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after\nvsock_transport::read_skb().\n\nWhile here, also inform the peer that we've freed up space and it has more\ncredit.\n\nFailing to update rx_bytes after packet is dequeued leads to a warning on\nSOCK_STREAM recv():\n\n[  233.396654] rx_queue is empty, but rx_bytes is non-zero\n[  233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix potential memory leak in bcmasp_xmit()\n\nThe bcmasp_xmit() returns NETDEV_TX_OK without freeing skb\nin case of mapping fails, add dev_kfree_skb() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: systemport: fix potential memory leak in bcm_sysport_xmit()\n\nThe bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb\nin case of dma_map_single() fails, add dev_kfree_skb() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix a possible memory leak\n\nIn bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails\ndriver is not freeing the memory allocated for \"rdev->chip_ctx\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup()\n\nThe group variable can't be used to retrieve ptdev in our second loop,\nbecause it points to the previously iterated list_head, not a valid\ngroup. Get the ptdev object from the scheduler instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix race when converting group handle to group object\n\nXArray provides it's own internal lock which protects the internal array\nwhen entries are being simultaneously added and removed. However there\nis still a race between retrieving the pointer from the XArray and\nincrementing the reference count.\n\nTo avoid this race simply hold the internal XArray lock when\nincrementing the reference count, this ensures there cannot be a racing\ncall to xa_erase().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: qcom: camss: Remove use_count guard in stop_streaming\n\nThe use_count check was introduced so that multiple concurrent Raw Data\nInterfaces RDIs could be driven by different virtual channels VCs on the\nCSIPHY input driving the video pipeline.\n\nThis is an invalid use of use_count though as use_count pertains to the\nnumber of times a video entity has been opened by user-space not the number\nof active streams.\n\nIf use_count and stream-on count don't agree then stop_streaming() will\nbreak as is currently the case and has become apparent when using CAMSS\nwith libcamera's released softisp 0.3.\n\nThe use of use_count like this is a bit hacky and right now breaks regular\nusage of CAMSS for a single stream case. Stopping qcam results in the splat\nbelow, and then it cannot be started again and any attempts to do so fails\nwith -EBUSY.\n\n[ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]\n...\n[ 1265.510630] Call trace:\n[ 1265.510636]  __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]\n[ 1265.510648]  vb2_core_streamoff+0x24/0xcc [videobuf2_common]\n[ 1265.510660]  vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2]\n[ 1265.510673]  v4l_streamoff+0x24/0x30 [videodev]\n[ 1265.510707]  __video_do_ioctl+0x190/0x3f4 [videodev]\n[ 1265.510732]  video_usercopy+0x304/0x8c4 [videodev]\n[ 1265.510757]  video_ioctl2+0x18/0x34 [videodev]\n[ 1265.510782]  v4l2_ioctl+0x40/0x60 [videodev]\n...\n[ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state\n[ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state\n[ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st\n\nOne CAMSS specific way to handle multiple VCs on the same RDI might be:\n\n- Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx.\n- The video buffers are already associated with msm_vfeN_rdiX so\n  release video buffers when told to do so by stop_streaming.\n- Only release the power-domains for the CSIPHY, CSID and VFE when\n  their internal refcounts drop.\n\nEither way refusing to release video buffers based on use_count is\nerroneous and should be reverted. The silicon enabling code for selecting\nVCs is perfectly fine. Its a \"known missing feature\" that concurrent VCs\nwon't work with CAMSS right now.\n\nInitial testing with this code didn't show an error but, SoftISP and \"real\"\nusage with Google Hangouts breaks the upstream code pretty quickly, we need\nto do a partial revert and take another pass at VCs.\n\nThis commit partially reverts commit 89013969e232 (\"media: camss: sm8250:\nPipeline starting and stopping for multiple virtual channels\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: k3-r5: Fix error handling when power-up failed\n\nBy simply bailing out, the driver was violating its rule and internal\nassumptions that either both or no rproc should be initialized. E.g.,\nthis could cause the first core to be available but not the second one,\nleading to crashes on its shutdown later on while trying to dereference\nthat second instance.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a UBSAN warning in DML2.1\n\nWhen programming phantom pipe, since cursor_width is explicity set to 0,\nthis causes calculation logic to trigger overflow for an unsigned int\ntriggering the kernel's UBSAN check as below:\n\n[   40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34\n[   40.962849] shift exponent 4294967170 is too large for 32-bit type 'unsigned int'\n[   40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G        W  OE      6.5.0-41-generic #41~22.04.2-Ubuntu\n[   40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024\n[   40.962856] Call Trace:\n[   40.962857]  <TASK>\n[   40.962860]  dump_stack_lvl+0x48/0x70\n[   40.962870]  dump_stack+0x10/0x20\n[   40.962872]  __ubsan_handle_shift_out_of_bounds+0x1ac/0x360\n[   40.962878]  calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu]\n[   40.963099]  dml_core_mode_support+0x6b91/0x16bc0 [amdgpu]\n[   40.963327]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963331]  ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu]\n[   40.963534]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963536]  ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu]\n[   40.963730]  dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\n[   40.963906]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963909]  ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\n[   40.964078]  core_dcn4_mode_support+0x72/0xbf0 [amdgpu]\n[   40.964247]  dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu]\n[   40.964420]  dml2_build_mode_programming+0x23d/0x750 [amdgpu]\n[   40.964587]  dml21_validate+0x274/0x770 [amdgpu]\n[   40.964761]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.964763]  ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu]\n[   40.964942]  dml2_validate+0x504/0x750 [amdgpu]\n[   40.965117]  ? dml21_copy+0x95/0xb0 [amdgpu]\n[   40.965291]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.965295]  dcn401_validate_bandwidth+0x4e/0x70 [amdgpu]\n[   40.965491]  update_planes_and_stream_state+0x38d/0x5c0 [amdgpu]\n[   40.965672]  update_planes_and_stream_v3+0x52/0x1e0 [amdgpu]\n[   40.965845]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.965849]  dc_update_planes_and_stream+0x71/0xb0 [amdgpu]\n\nFix this by adding a guard for checking cursor width before triggering\nthe size calculation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: loongson3: Use raw_smp_processor_id() in do_service_request()\n\nUse raw_smp_processor_id() instead of plain smp_processor_id() in\ndo_service_request(), otherwise we may get some errors with the driver\nenabled:\n\n BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/208\n caller is loongson3_cpufreq_probe+0x5c/0x250 [loongson3_cpufreq]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: remove the incorrect Fw reference check when dirtying pages\n\nWhen doing the direct-io reads it will also try to mark pages dirty,\nbut for the read path it won't hold the Fw caps and there is case\nwill it get the Fw reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sisfb: Fix strbuf array overflow\n\nThe values of the variables xres and yres are placed in strbuf.\nThese variables are obtained from strbuf1.\nThe strbuf1 array contains digit characters\nand a space if the array contains non-digit characters.\nThen, when executing sprintf(strbuf, \"%ux%ux8\", xres, yres);\nmore than 16 bytes will be written to strbuf.\nIt is suggested to increase the size of the strbuf array to 24.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsecretmem: disable memfd_secret() if arch cannot set direct map\n\nReturn -ENOSYS from memfd_secret() syscall if !can_set_direct_map().  This\nis the case for example on some arm64 configurations, where marking 4k\nPTEs in the direct map not present can only be done if the direct map is\nset up at 4k granularity in the first place (as ARM's break-before-make\nsemantics do not easily allow breaking apart large/gigantic pages).\n\nMore precisely, on arm64 systems with !can_set_direct_map(),\nset_direct_map_invalid_noflush() is a no-op, however it returns success\n(0) instead of an error.  This means that memfd_secret will seemingly\n\"work\" (e.g.  syscall succeeds, you can mmap the fd and fault in pages),\nbut it does not actually achieve its goal of removing its memory from the\ndirect map.\n\nNote that with this patch, memfd_secret() will start erroring on systems\nwhere can_set_direct_map() returns false (arm64 with\nCONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and\nCONFIG_KFENCE=n), but that still seems better than the current silent\nfailure.  Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most\narm64 systems actually have a working memfd_secret() and aren't be\naffected.\n\nFrom going through the iterations of the original memfd_secret patch\nseries, it seems that disabling the syscall in these scenarios was the\nintended behavior [1] (preferred over having\nset_direct_map_invalid_noflush return an error as that would result in\nSIGBUSes at page-fault time), however the check for it got dropped between\nv16 [2] and v17 [3], when secretmem moved away from CMA allocations.\n\n[1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/\n[2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t\n[3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance\n\nDeleting an NPIV instance requires all fabric ndlps to be released before\nan NPIV's resources can be torn down.  Failure to release fabric ndlps\nbeforehand opens kref imbalance race conditions.  Fix by forcing the DA_ID\nto complete synchronously with usage of wait_queue.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pmem: Check device status before requesting flush\n\nIf a pmem device is in a bad status, the driver side could wait for\nhost ack forever in virtio_pmem_flush(), causing the system to hang.\n\nSo add a status check in the beginning of virtio_pmem_flush() to return\nearly if the device is not activated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle consistently DSS corruption\n\nA buggy peer implementation can send corrupted DSS options, consistently\nhitting a few warnings in the data path. Use DEBUG_NET assertions, to\navoid the splat on some builds and handle consistently the error, dumping\nrelated MIBs and performing fallback and/or reset according to the\nsubflow type.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: explicitly clear the sk pointer, when pf->create fails\n\nWe have recently noticed the exact same KASAN splat as in commit\n6cd4a78d962b (\"net: do not leave a dangling sk pointer, when socket\ncreation fails\"). The problem is that commit did not fully address the\nproblem, as some pf->create implementations do not use sk_common_release\nin their error paths.\n\nFor example, we can use the same reproducer as in the above commit, but\nchanging ping to arping. arping uses AF_PACKET socket and if packet_create\nfails, it will just sk_free the allocated sk object.\n\nWhile we could chase all the pf->create implementations and make sure they\nNULL the freed sk object on error from the socket, we can't guarantee\nfuture protocols will not make the same mistake.\n\nSo it is easier to just explicitly NULL the sk pointer upon return from\npf->create in __sock_create. We do know that pf->create always releases the\nallocated sk object on error, so if the pointer is not NULL, it is\ndefinitely dangling.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Stop the active perfmon before being destroyed\n\nUpon closing the file descriptor, the active performance monitor is not\nstopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`,\nthe active performance monitor's pointer (`vc4->active_perfmon`) is still\nretained.\n\nIf we open a new file descriptor and submit a few jobs with performance\nmonitors, the driver will attempt to stop the active performance monitor\nusing the stale pointer in `vc4->active_perfmon`. However, this pointer\nis no longer valid because the previous process has already terminated,\nand all performance monitors associated with it have been destroyed and\nfreed.\n\nTo fix this, when the active performance monitor belongs to a given\nprocess, explicitly stop it before destroying and freeing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83869: fix memory corruption when enabling fiber\n\nWhen configuring the fiber port, the DP83869 PHY driver incorrectly\ncalls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit\nnumber (10). This corrupts some other memory location -- in case of\narm64 the priv pointer in the same structure.\n\nSince the advertising flags are updated from supported at the end of the\nfunction the incorrect line isn't needed at all and can be removed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Switch to device-managed dmam_alloc_coherent()\n\nUsing the device-managed version allows simplifying clean-up in the probe()\nerror path.\n\nAdditionally, the device-managed version ensures proper cleanup, which helps to\nresolve memory errors, page faults, btrfs going read-only, and btrfs\ndisk corruption.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix memleak in ice_init_tx_topology()\n\nFix leak of the FW blob (DDP pkg).\n\nMake ice_cfg_tx_topo() const-correct, so ice_init_tx_topology() can avoid\ncopying the whole FW blob. Copy just the topology section, and only when\nneeded. Reuse the buffer allocated for the read of the current topology.\n\nThis was found by kmemleak, with the following trace for each PF:\n    [<ffffffff8761044d>] kmemdup_noprof+0x1d/0x50\n    [<ffffffffc0a0a480>] ice_init_ddp_config+0x100/0x220 [ice]\n    [<ffffffffc0a0da7f>] ice_init_dev+0x6f/0x200 [ice]\n    [<ffffffffc0a0dc49>] ice_init+0x29/0x560 [ice]\n    [<ffffffffc0a10c1d>] ice_probe+0x21d/0x310 [ice]\n\nConstify ice_cfg_tx_topo() @buf parameter.\nThis cascades further down to a few more functions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don't set SB_RDONLY after filesystem errors\n\nWhen the filesystem is mounted with errors=remount-ro, we were setting\nSB_RDONLY flag to stop all filesystem modifications. We knew this misses\nproper locking (sb->s_umount) and does not go through proper filesystem\nremount procedure but it has been the way this worked since early ext2\ndays and it was good enough for catastrophic situation damage\nmitigation. Recently, syzbot has found a way (see link) to trigger\nwarnings in filesystem freezing because the code got confused by\nSB_RDONLY changing under its hands. Since these days we set\nEXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all\nfilesystem modifications, modifying SB_RDONLY shouldn't be needed. So\nstop doing that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v4: Don't allow a VMOVP on a dying VPE\n\nKunkun Jiang reported that there is a small window of opportunity for\nuserspace to force a change of affinity for a VPE while the VPE has already\nbeen unmapped, but the corresponding doorbell interrupt is still visible in\n/proc/irq/.\n\nPlug the race by checking the value of vmapp_count, which tracks whether\nthe VPE is mapped or not, and returning an error in this case.\n\nThis involves making vmapp_count common to both GICv4.1 and its v4.0\nancestor.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/entry_32: Clear CPU buffers after register restore in NMI return\n\nCPU buffers are currently cleared after call to exc_nmi, but before\nregister state is restored. This may be okay for the MDS mitigation but not for\nRFDS, because the RFDS mitigation requires CPU buffers to be cleared when\nregisters don't have any sensitive data.\n\nMove CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Fix uprobes for big-endian kernels\n\nThe arm64 uprobes code is broken for big-endian kernels as it doesn't\nconvert the in-memory instruction encoding (which is always\nlittle-endian) into the kernel's native endianness before analyzing and\nsimulating instructions. This may result in a few distinct problems:\n\n* The kernel may erroneously reject probing an instruction which can\n  safely be probed.\n\n* The kernel may erroneously permit stepping an\n  instruction out-of-line when that instruction cannot be stepped\n  out-of-line safely.\n\n* The kernel may erroneously simulate an instruction incorrectly due to\n  interpreting the byte-swapped encoding.\n\nThe endianness mismatch isn't caught by the compiler or sparse because:\n\n* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so\n  the compiler and sparse have no idea these contain a little-endian\n  32-bit value. The core uprobes code populates these with a memcpy()\n  which similarly does not handle endianness.\n\n* While the uprobe_opcode_t type is an alias for __le32, both\n  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]\n  to the similarly-named probe_opcode_t, which is an alias for u32.\n  Hence there is no endianness conversion warning.\n\nFix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and\nadding the appropriate __le32_to_cpu() conversions prior to consuming\nthe instruction encoding. The core uprobes code copies these fields as opaque\nranges of bytes, and so is unaffected by this change.\n\nAt the same time, remove MAX_UINSN_BYTES and consistently use\nAARCH64_INSN_SIZE for clarity.\n\nTested with the following:\n\n| #include <stdio.h>\n| #include <stdbool.h>\n|\n| #define noinline __attribute__((noinline))\n|\n| static noinline void *adrp_self(void)\n| {\n|         void *addr;\n|\n|         asm volatile(\n|         \"       adrp    %x0, adrp_self\\n\"\n|         \"       add     %x0, %x0, :lo12:adrp_self\\n\"\n|         : \"=r\" (addr));\n| }\n|\n|\n| int main(int argc, char *argv)\n| {\n|         void *ptr = adrp_self();\n|         bool equal = (ptr == adrp_self);\n|\n|         printf(\"adrp_self   => %p\\n\"\n|                \"adrp_self() => %p\\n\"\n|                \"%s\\n\",\n|                adrp_self, ptr, equal ? \"EQUAL\" : \"NOT EQUAL\");\n|\n|         return 0;\n| }\n\n.... where the adrp_self() function was compiled to:\n\n| 00000000004007e0 <adrp_self>:\n|   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>\n|   4007e4:       911f8000        add     x0, x0, #0x7e0\n|   4007e8:       d65f03c0        ret\n\nBefore this patch, the ADRP is not recognized, and is assumed to be\nsteppable, resulting in corruption of the result:\n\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| EQUAL\n| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events\n| # echo 1 > /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0xffffffffff7e0\n| NOT EQUAL\n\nAfter this patch, the ADRP is correctly recognized and simulated:\n\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| EQUAL\n| #\n| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events\n| # echo 1 > /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| EQUAL",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-clock: Fix missing timespec64 check in pc_clock_settime()\n\nAs Andrew pointed out, it makes sense that the PTP core\nchecks the timespec64 struct's tv_sec and tv_nsec range before calling\nptp->info->settime64().\n\nAs the man page of clock_settime() says, if tp.tv_sec is negative or\ntp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,\nwhich includes dynamic clocks which handle PTP clocks, and the condition is\nconsistent with timespec64_valid(). As Thomas suggested, timespec64_valid()\nonly checks that the timespec is valid, but does not ensure that the time is\nin a valid range, so check it ahead using timespec64_valid_strict()\nin pc_clock_settime() and return -EINVAL if not valid.\n\nThere are some drivers that use tp->tv_sec and tp->tv_nsec directly to\nwrite registers without validity checks and assume that the higher layer\nhas checked it, which is dangerous and will benefit from this, such as\nhclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),\nand some drivers can remove their own checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: ocelot: fix system hang on level based interrupts\n\nThe current implementation only calls chained_irq_enter() and\nchained_irq_exit() if it detects pending interrupts.\n\n```\nfor (i = 0; i < info->stride; i++) {\n\turegmap_read(info->map, id_reg + 4 * i, &reg);\n\tif (!reg)\n\t\tcontinue;\n\n\tchained_irq_enter(parent_chip, desc);\n```\n\nHowever, in case of a GPIO pin configured in level mode and the parent\ncontroller configured in edge mode, the GPIO interrupt might be lowered by the\nhardware. As a result, if the interrupt is short enough, the parent\ninterrupt is still pending while the GPIO interrupt is cleared;\nchained_irq_enter() never gets called and the system hangs trying to\nservice the parent interrupt.\n\nMoving chained_irq_enter() and chained_irq_exit() outside the for loop\nensures that they are called even when the GPIO interrupt is lowered by the\nhardware.\n\nSimilar code with chained_irq_enter() / chained_irq_exit() functions\nwrapping the interrupt checking loop may be found in many other drivers:\n```\ngrep -r -A 10 chained_irq_enter drivers/pinctrl\n```",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: intel: platform: fix error path in device_for_each_child_node()\n\nThe device_for_each_child_node() loop requires calls to\nfwnode_handle_put() upon early returns to decrement the refcount of\nthe child node and avoid leaking memory if that error path is triggered.\n\nThere is one early return within that loop in\nintel_platform_pinctrl_prepare_community(), but fwnode_handle_put() is\nmissing.\n\nInstead of adding the missing call, the scoped version of the loop can\nbe used to simplify the code and avoid mistakes in the future if new\nearly returns are added, as the child node is only used for parsing, and\nit is never assigned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: veml6030: fix IIO device retrieval from embedded device\n\nThe dev pointer that is received as an argument in the\nin_illuminance_period_available_show function references the device\nembedded in the IIO device, not in the i2c client.\n\ndev_to_iio_dev() must be used to access the right data. The current\nimplementation leads to a segmentation fault on every attempt to read\nthe attribute because indio_dev gets a NULL assignment.\n\nThis bug has been present since the first appearance of the driver,\napparently since the last version (V6) before getting applied. A\nconstant attribute was used until then, and the last modifications might\nhave not been tested again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swapfile: skip HugeTLB pages for unuse_vma\n\nI got a bad pud error and lost a 1GB HugeTLB when calling swapoff.  The\nproblem can be reproduced by the following steps:\n\n 1. Allocate an anonymous 1GB HugeTLB and some other anonymous memory.\n 2. Swapout the above anonymous memory.\n 3. run swapoff and we will get a bad pud error in kernel message:\n\n  mm/pgtable-generic.c:42: bad pud 00000000743d215d(84000001400000e7)\n\nWe can tell that pud_clear_bad is called by pud_none_or_clear_bad in\nunuse_pud_range() by ftrace.  And therefore the HugeTLB pages will never\nbe freed because we lost it from page table.  We can skip HugeTLB pages\nfor unuse_vma to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: correct tree corruption on spanning store\n\nPatch series \"maple_tree: correct tree corruption on spanning store\", v3.\n\nThere has been a nasty yet subtle maple tree corruption bug that appears\nto have been in existence since the inception of the algorithm.\n\nThis bug seems far more likely to happen since commit f8d112a4e657\n(\"mm/mmap: avoid zeroing vma tree in mmap_region()\"), which is the point\nat which reports started to be submitted concerning this bug.\n\nWe were made definitely aware of the bug thanks to the kind efforts of\nBert Karwatzki who helped enormously in my being able to track this down\nand identify the cause of it.\n\nThe bug arises when an attempt is made to perform a spanning store across\ntwo leaf nodes, where the right leaf node is the rightmost child of the\nshared parent, AND the store completely consumes the rightmost node.\n\nThis results in mas_wr_spanning_store() mistakenly duplicating the new and\nexisting entries at the maximum pivot within the range, and thus maple\ntree corruption.\n\nThe fix patch corrects this by detecting this scenario and disallowing the\nmistaken duplicate copy.\n\nThe fix patch commit message goes into great detail as to how this occurs.\n\nThis series also includes a test which reliably reproduces the issue, and\nasserts that the fix works correctly.\n\nBert has kindly tested the fix and confirmed it resolved his issues.  Also\nMikhail Gavrilov kindly reported what appears to be precisely the same\nbug, which this fix should also resolve.\n\n\nThis patch (of 2):\n\nThere has been a subtle bug present in the maple tree implementation from\nits inception.\n\nThis arises from how stores are performed - when a store occurs, it will\noverwrite overlapping ranges and adjust the tree as necessary to\naccommodate this.\n\nA range may always ultimately span two leaf nodes.  In this instance we\nwalk the two leaf nodes, determine which elements are not overwritten to\nthe left and to the right of the start and end of the ranges respectively\nand then rebalance the tree to contain these entries and the newly\ninserted one.\n\nThis kind of store is dubbed a 'spanning store' and is implemented by\nmas_wr_spanning_store().\n\nIn order to reach this stage, mas_store_gfp() invokes\nmas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to\nwalk the tree and update the object (mas) to traverse to the location\nwhere the write should be performed, determining its store type.\n\nWhen a spanning store is required, this function returns false stopping at\nthe parent node which contains the target range, and mas_wr_store_type()\nmarks the mas->store_type as wr_spanning_store to denote this fact.\n\nWhen we go to perform the store in mas_wr_spanning_store(), we first\ndetermine the elements AFTER the END of the range we wish to store (that\nis, to the right of the entry to be inserted) - we do this by walking to\nthe NEXT pivot in the tree (i.e.  r_mas.last + 1), starting at the node we\nhave just determined contains the range over which we intend to write.\n\nWe then turn our attention to the entries to the left of the entry we are\ninserting, whose state is represented by l_mas, and copy these into a 'big\nnode', which is a special node which contains enough slots to contain two\nleaf node's worth of data.\n\nWe then copy the entry we wish to store immediately after this - the copy\nand the insertion of the new entry is performed by mas_store_b_node().\n\nAfter this we copy the elements to the right of the end of the range which\nwe are inserting, if we have not exceeded the length of the node (i.e. \nr_mas.offset <= r_mas.end).\n\nHerein lies the bug - under very specific circumstances, this logic can\nbreak and corrupt the maple tree.\n\nConsider the following tree:\n\nHeight\n  0                             Root Node\n                                 /      \\\n                 pivot = 0xffff /        \\ pivot = ULONG_MAX\n                               /          \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix encoder->possible_clones\n\nInclude the encoder itself in its possible_clones bitmask.\nIn the past nothing validated that drivers were populating\npossible_clones correctly, but that changed in commit\n74d2aacbe840 (\"drm: Validate encoder->possible_clones\").\nLooks like radeon never got the memo and is still not\nfollowing the rules 100% correctly.\n\nThis results in some warnings during driver initialization:\nBogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7)\nWARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c\n...\n\n(cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: propagate directory read errors from nilfs_find_entry()\n\nSyzbot reported that a task hang occurs in vcs_open() during a fuzzing\ntest for nilfs2.\n\nThe root cause of this problem is that nilfs_find_entry(), which\nsearches for directory entries, ignores errors when loading a directory\npage/folio via nilfs_get_folio() fails.\n\nIf the filesystem image is corrupted, and the i_size of the directory\ninode is large, and the directory page/folio is successfully read but\nfails the sanity check, for example when it is zero-filled,\nnilfs_check_folio() may continue to spit out error messages in bursts.\n\nFix this issue by propagating the error to the callers when loading a\npage/folio fails in nilfs_find_entry().\n\nThe current interface of nilfs_find_entry() and its callers is outdated\nand cannot propagate error codes such as -EIO and -ENOMEM returned via\nnilfs_find_entry(), so fix it together.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix address emission with tag-based KASAN enabled\n\nWhen BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image\nstruct on the stack is passed during the size calculation pass and\nan address on the heap is passed during code generation. This may\ncause a heap buffer overflow if the heap address is tagged because\nemit_a64_mov_i64() will emit longer code than it did during the size\ncalculation pass. The same problem could occur without tag-based\nKASAN if one of the 16-bit words of the stack address happened to\nbe all-ones during the size calculation pass. Fix the problem by\nassuming the worst case (4 instructions) when calculating the size\nof the bpf_tramp_image address emission.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: don't try and remove empty rbtree node\n\nWhen copying a namespace we won't have added the new copy into the\nnamespace rbtree until after the copy succeeded. Calling free_mnt_ns()\nwill try to remove the copy from the rbtree which is invalid. Simply\nfree the namespace skeleton directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()\n\nThe step variable is initialized to zero. It is changed in the loop,\nbut if it's not changed it will remain zero. Add a variable check\nbefore the division.\n\nThe observed behavior was introduced by commit 826b5de90c0b\n(\"ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size\"),\nand it is difficult to show that any of the interval parameters will\nsatisfy the snd_interval_test() condition with data from the\namdtp_rate_table[] table.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix memory corruption during fq dma init\n\nThe loop responsible for allocating up to MTK_FQ_DMA_LENGTH buffers must\nonly touch as many descriptors, otherwise it ends up corrupting unrelated\nmemory. Fix the loop iteration count accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix reader locking when changing the sub buffer order\n\nThe function ring_buffer_subbuf_order_set() updates each\nring_buffer_per_cpu and installs new sub buffers that match the requested\npage order. This operation may be invoked concurrently with readers that\nrely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or\nthe ring_buffer_per_cpu.pages and reader_page pointers. However, no\nexclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying\nthe mentioned data while a reader also operates on them can then result in\nincorrect memory access and various crashes.\n\nFix the problem by taking the reader_lock when updating a specific\nring_buffer_per_cpu in ring_buffer_subbuf_order_set().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages\n\nAvoid memory corruption while setting up Level-2 PBL pages for the non MR\nresources when num_pages > 256K.\n\nThere will be a single PDE page address (contiguous pages in the case of >\nPAGE_SIZE), but, current logic assumes multiple pages, leading to invalid\nmemory access after 256K PBL entries in the PDE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Add a check for memory allocation\n\n__alloc_pbl() can return error when memory allocation fails.\nDriver is not checking the status on one of the instances.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()\n\nIf get_clock_desc() succeeds, it calls fget() for the clockid's fd,\nand get the clk->rwsem read lock, so the error path should release\nthe lock to make the lock balance and fput the clockid's fd to make\nthe refcount balance and release the fd related resource.\n\nHowever the below commit left the error path locked behind resulting in\nunbalanced locking. Check timespec64_valid_strict() before\nget_clock_desc() to fix it, because the \"ts\" is not changed\nafter that.\n\n[pabeni@redhat.com: fixed commit message typo]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.6"
        },
        {
          "id": "CVE-2024-50211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: refactor inode_bmap() to handle error\n\nRefactor inode_bmap() to handle error since udf_next_aext() can return\nerror now. On situations like ftruncate, udf_extend_file() can now\ndetect errors and bail out early without resorting to checking for\nparticular offsets and assuming internal behavior of these functions.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: alloc_tag_module_unload must wait for pending kfree_rcu calls\n\nBen Greear reports following splat:\n ------------[ cut here ]------------\n net/netfilter/nf_nat_core.c:1114 module nf_nat func:nf_nat_register_fn has 256 allocated at module unload\n WARNING: CPU: 1 PID: 10421 at lib/alloc_tag.c:168 alloc_tag_module_unload+0x22b/0x3f0\n Modules linked in: nf_nat(-) btrfs ufs qnx4 hfsplus hfs minix vfat msdos fat\n...\n Hardware name: Default string Default string/SKYBAY, BIOS 5.12 08/04/2020\n RIP: 0010:alloc_tag_module_unload+0x22b/0x3f0\n  codetag_unload_module+0x19b/0x2a0\n  ? codetag_load_module+0x80/0x80\n\nnf_nat module exit calls kfree_rcu on those addresses, but the free\noperation is likely still pending by the time alloc_tag checks for leaks.\n\nWait for outstanding kfree_rcu operations to complete before checking\nresolves this warning.\n\nReproducer:\nunshare -n iptables-nft -t nat -A PREROUTING -p tcp\ngrep nf_nat /proc/allocinfo # will list 4 allocations\nrmmod nft_chain_nat\nrmmod nf_nat                # will WARN.\n\n[akpm@linux-foundation.org: add comment]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic()\n\nmodprobe drm_hdmi_state_helper_test and then rmmod it, the following\nmemory leak occurs.\n\nThe `mode` allocated in drm_mode_duplicate() called by\ndrm_display_mode_from_cea_vic() is not freed, which cause the memory leak:\n\n\tunreferenced object 0xffffff80ccd18100 (size 128):\n\t  comm \"kunit_try_catch\", pid 1851, jiffies 4295059695\n\t  hex dump (first 32 bytes):\n\t    57 62 00 00 80 02 90 02 f0 02 20 03 00 00 e0 01  Wb........ .....\n\t    ea 01 ec 01 0d 02 00 00 0a 00 00 00 00 00 00 00  ................\n\t  backtrace (crc c2f1aa95):\n\t    [<000000000f10b11b>] kmemleak_alloc+0x34/0x40\n\t    [<000000001cd4cf73>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<00000000f1f3cffa>] drm_mode_duplicate+0x44/0x19c\n\t    [<000000008cbeef13>] drm_display_mode_from_cea_vic+0x88/0x98\n\t    [<0000000019daaacf>] 0xffffffedc11ae69c\n\t    [<000000000aad0f85>] kunit_try_run_case+0x13c/0x3ac\n\t    [<00000000a9210bac>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<000000000a0b2e9e>] kthread+0x2e8/0x374\n\t    [<00000000bd668858>] ret_from_fork+0x10/0x20\n\t......\n\nFree `mode` by using drm_kunit_display_mode_from_cea_vic()\nto fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic()\n\nmodprobe drm_connector_test and then rmmod drm_connector_test,\nthe following memory leak occurs.\n\nThe `mode` allocated in drm_mode_duplicate() called by\ndrm_display_mode_from_cea_vic() is not freed, which cause the memory leak:\n\n\tunreferenced object 0xffffff80cb0ee400 (size 128):\n\t  comm \"kunit_try_catch\", pid 1948, jiffies 4294950339\n\t  hex dump (first 32 bytes):\n\t    14 44 02 00 80 07 d8 07 04 08 98 08 00 00 38 04  .D............8.\n\t    3c 04 41 04 65 04 00 00 05 00 00 00 00 00 00 00  <.A.e...........\n\t  backtrace (crc 90e9585c):\n\t    [<00000000ec42e3d7>] kmemleak_alloc+0x34/0x40\n\t    [<00000000d0ef055a>] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [<00000000c2062161>] drm_mode_duplicate+0x44/0x19c\n\t    [<00000000f96c74aa>] drm_display_mode_from_cea_vic+0x88/0x98\n\t    [<00000000d8f2c8b4>] 0xffffffdc982a4868\n\t    [<000000005d164dbc>] kunit_try_run_case+0x13c/0x3ac\n\t    [<000000006fb23398>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<000000006ea56ca0>] kthread+0x2e8/0x374\n\t    [<000000000676063f>] ret_from_fork+0x10/0x20\n\t......\n\nFree `mode` by using drm_kunit_display_mode_from_cea_vic()\nto fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-auth: assign dh_key to NULL after kfree_sensitive\n\nctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup()\nfor the same controller. So it's better to nullify it after release on\nerror path in order to avoid double free later in nvmet_destroy_auth().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix finding a last resort AG in xfs_filestream_pick_ag\n\nWhen the main loop in xfs_filestream_pick_ag fails to find a suitable\nAG it tries to just pick the online AG.  But the loop for that uses\nargs->pag as loop iterator while the later code expects pag to be\nset.  Fix this by reusing the max_pag case for this last resort, and\nalso add a check for impossible case of no AG just to make sure that\nthe uninitialized pag doesn't even escape in theory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()\n\nMounting btrfs from two images (which have the same one fsid and two\ndifferent dev_uuids) in certain executing order may trigger an UAF for\nvariable 'device->bdev_file' in __btrfs_free_extra_devids(). And\nfollowing are the details:\n\n1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs\n   devices by ioctl(BTRFS_IOC_SCAN_DEV):\n\n             /  btrfs_device_1 \u2192 loop0\n   fs_device\n             \\  btrfs_device_2 \u2192 loop1\n2. mount /dev/loop0 /mnt\n   btrfs_open_devices\n    btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)\n    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)\n   btrfs_fill_super\n    open_ctree\n     fail: btrfs_close_devices // -ENOMEM\n\t    btrfs_close_bdev(btrfs_device_1)\n             fput(btrfs_device_1->bdev_file)\n\t      // btrfs_device_1->bdev_file is freed\n\t    btrfs_close_bdev(btrfs_device_2)\n             fput(btrfs_device_2->bdev_file)\n\n3. mount /dev/loop1 /mnt\n   btrfs_open_devices\n    btrfs_get_bdev_and_sb(&bdev_file)\n     // EIO, btrfs_device_1->bdev_file is not assigned,\n     // which points to a freed memory area\n    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)\n   btrfs_fill_super\n    open_ctree\n     btrfs_free_extra_devids\n      if (btrfs_device_1->bdev_file)\n       fput(btrfs_device_1->bdev_file) // UAF !\n\nFix it by setting 'device->bdev_file' as 'NULL' after closing the\nbtrfs_device in btrfs_close_one_device().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: pass u64 to ocfs2_truncate_inline maybe overflow\n\nSyzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two\nreasons for this: first, the parameter value passed is greater than\nocfs2_max_inline_data_with_xattr, second, the start and end parameters of\nocfs2_truncate_inline are \"unsigned int\".\n\nSo, we need to add a sanity check for byte_start and byte_len right before\nocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater\nthan ocfs2_max_inline_data_with_xattr return -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: do not invoke uffd on fork if error occurs\n\nPatch series \"fork: do not expose incomplete mm on fork\".\n\nDuring fork we may place the virtual memory address space into an\ninconsistent state before the fork operation is complete.\n\nIn addition, we may encounter an error during the fork operation that\nindicates that the virtual memory address space is invalidated.\n\nAs a result, we should not be exposing it in any way to external machinery\nthat might interact with the mm or VMAs, machinery that is not designed to\ndeal with incomplete state.\n\nWe specifically update the fork logic to defer khugepaged and ksm to the\nend of the operation and only to be invoked if no error arose, and\ndisallow uffd from observing fork events should an error have occurred.\n\n\nThis patch (of 2):\n\nCurrently on fork we expose the virtual address space of a process to\nuserland unconditionally if uffd is registered in VMAs, regardless of\nwhether an error arose in the fork.\n\nThis is performed in dup_userfaultfd_complete() which is invoked\nunconditionally, and performs two duties - invoking registered handlers\nfor the UFFD_EVENT_FORK event via dup_fctx(), and clearing down\nuserfaultfd_fork_ctx objects established in dup_userfaultfd().\n\nThis is problematic, because the virtual address space may not yet be\ncorrectly initialised if an error arose.\n\nThe change in commit d24062914837 (\"fork: use __mt_dup() to duplicate\nmaple tree in dup_mmap()\") makes this more pertinent as we may be in a\nstate where entries in the maple tree are not yet consistent.\n\nWe address this by, on fork error, ensuring that we roll back state that\nwe would otherwise expect to clean up through the event being handled by\nuserland and perform the memory freeing duty otherwise performed by\ndup_userfaultfd_complete().\n\nWe do this by implementing a new function, dup_userfaultfd_fail(), which\nperforms the same loop, only decrementing reference counts.\n\nNote that we perform mmgrab() on the parent and child mm's, however\nuserfaultfd_ctx_put() will mmdrop() this once the reference count drops to\nzero, so we will avoid memory leaks correctly here.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Vangogh: Fix kernel memory out of bounds write\n\nKASAN reports that the GPU metrics table allocated in\nvangogh_tables_init() is not large enough for the memset done in\nsmu_cmn_init_soft_gpu_metrics(). Condensed report follows:\n\n[   33.861314] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu]\n[   33.861799] Write of size 168 at addr ffff888129f59500 by task mangoapp/1067\n...\n[   33.861808] CPU: 6 UID: 1000 PID: 1067 Comm: mangoapp Tainted: G        W          6.12.0-rc4 #356 1a56f59a8b5182eeaf67eb7cb8b13594dd23b544\n[   33.861816] Tainted: [W]=WARN\n[   33.861818] Hardware name: Valve Galileo/Galileo, BIOS F7G0107 12/01/2023\n[   33.861822] Call Trace:\n[   33.861826]  <TASK>\n[   33.861829]  dump_stack_lvl+0x66/0x90\n[   33.861838]  print_report+0xce/0x620\n[   33.861853]  kasan_report+0xda/0x110\n[   33.862794]  kasan_check_range+0xfd/0x1a0\n[   33.862799]  __asan_memset+0x23/0x40\n[   33.862803]  smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]\n[   33.863306]  vangogh_get_gpu_metrics_v2_4+0x123/0xad0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]\n[   33.864257]  vangogh_common_get_gpu_metrics+0xb0c/0xbc0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]\n[   33.865682]  amdgpu_dpm_get_gpu_metrics+0xcc/0x110 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]\n[   33.866160]  amdgpu_get_gpu_metrics+0x154/0x2d0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779]\n[   33.867135]  dev_attr_show+0x43/0xc0\n[   33.867147]  sysfs_kf_seq_show+0x1f1/0x3b0\n[   33.867155]  seq_read_iter+0x3f8/0x1140\n[   33.867173]  vfs_read+0x76c/0xc50\n[   33.867198]  ksys_read+0xfb/0x1d0\n[   33.867214]  do_syscall_64+0x90/0x160\n...\n[   33.867353] Allocated by task 378 on cpu 7 at 22.794876s:\n[   33.867358]  kasan_save_stack+0x33/0x50\n[   33.867364]  kasan_save_track+0x17/0x60\n[   33.867367]  __kasan_kmalloc+0x87/0x90\n[   33.867371]  vangogh_init_smc_tables+0x3f9/0x840 [amdgpu]\n[   33.867835]  smu_sw_init+0xa32/0x1850 [amdgpu]\n[   33.868299]  amdgpu_device_init+0x467b/0x8d90 [amdgpu]\n[   33.868733]  amdgpu_driver_load_kms+0x19/0xf0 [amdgpu]\n[   33.869167]  amdgpu_pci_probe+0x2d6/0xcd0 [amdgpu]\n[   33.869608]  local_pci_probe+0xda/0x180\n[   33.869614]  pci_device_probe+0x43f/0x6b0\n\nEmpirically we can confirm that the former allocates 152 bytes for the\ntable, while the latter memsets the 168 large block.\n\nRoot cause appears that when GPU metrics tables for v2_4 parts were added\nit was not considered to enlarge the table to fit.\n\nThe fix in this patch is rather \"brute force\" and perhaps later should be\ndone in a smarter way, by extracting and consolidating the part version to\nsize logic to a common helper, instead of brute forcing the largest\npossible allocation. Nevertheless, for now this works and fixes the out of\nbounds write.\n\nv2:\n * Drop impossible v3_0 case. (Mario)\n\n(cherry picked from commit 0880f58f9609f0200483a49429af0f050d281703)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP\n\ngeneric/077 on x86_32 CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP=y with highmem,\non huge=always tmpfs, issues a warning and then hangs (interruptibly):\n\nWARNING: CPU: 5 PID: 3517 at mm/highmem.c:622 kunmap_local_indexed+0x62/0xc9\nCPU: 5 UID: 0 PID: 3517 Comm: cp Not tainted 6.12.0-rc4 #2\n...\ncopy_page_from_iter_atomic+0xa6/0x5ec\ngeneric_perform_write+0xf6/0x1b4\nshmem_file_write_iter+0x54/0x67\n\nFix copy_page_from_iter_atomic() by limiting it in that case\n(include/linux/skbuff.h skb_frag_must_loop() does similar).\n\nBut going forward, perhaps CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is too\nsurprising, has outlived its usefulness, and should just be removed?",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/numa: Fix the potential null pointer dereference in task_numa_work()\n\nWhen running stress-ng-vm-segv test, we found a null pointer dereference\nerror in task_numa_work(). Here is the backtrace:\n\n  [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n  ......\n  [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se\n  ......\n  [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)\n  [323676.067115] pc : vma_migratable+0x1c/0xd0\n  [323676.067122] lr : task_numa_work+0x1ec/0x4e0\n  [323676.067127] sp : ffff8000ada73d20\n  [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010\n  [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000\n  [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000\n  [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8\n  [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035\n  [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8\n  [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4\n  [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001\n  [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000\n  [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000\n  [323676.067152] Call trace:\n  [323676.067153]  vma_migratable+0x1c/0xd0\n  [323676.067155]  task_numa_work+0x1ec/0x4e0\n  [323676.067157]  task_work_run+0x78/0xd8\n  [323676.067161]  do_notify_resume+0x1ec/0x290\n  [323676.067163]  el0_svc+0x150/0x160\n  [323676.067167]  el0t_64_sync_handler+0xf8/0x128\n  [323676.067170]  el0t_64_sync+0x17c/0x180\n  [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)\n  [323676.067177] SMP: stopping secondary CPUs\n  [323676.070184] Starting crashdump kernel...\n\nstress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error\nhandling function of the system, which tries to cause a SIGSEGV error on\nreturn from unmapping the whole address space of the child process.\n\nNormally this program will not cause kernel crashes. But before the\nmunmap system call returns to user mode, a potential task_numa_work()\nfor numa balancing could be added and executed. In this scenario, since the\nchild process has no vma after munmap, the vma_next() in task_numa_work()\nwill return a null pointer even if the vma iterator restarts from 0.\n\nRecheck the vma pointer before dereferencing it in task_numa_work().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-dspi: Fix crash when not using GPIO chip select\n\nAdd check for the return value of spi_get_csgpiod() to avoid passing a NULL\npointer to gpiod_direction_output(), preventing a crash when GPIO chip\nselect is not used.\n\nFix below crash:\n[    4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[    4.260762] Mem abort info:\n[    4.263556]   ESR = 0x0000000096000004\n[    4.267308]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    4.272624]   SET = 0, FnV = 0\n[    4.275681]   EA = 0, S1PTW = 0\n[    4.278822]   FSC = 0x04: level 0 translation fault\n[    4.283704] Data abort info:\n[    4.286583]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    4.292074]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    4.297130]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    4.302445] [0000000000000000] user address but active_mm is swapper\n[    4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    4.315072] Modules linked in:\n[    4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359\n[    4.328130] Hardware name: LS1046A QDS Board (DT)\n[    4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    4.339794] pc : gpiod_direction_output+0x34/0x5c\n[    4.344505] lr : gpiod_direction_output+0x18/0x5c\n[    4.349208] sp : ffff80008003b8f0\n[    4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068\n[    4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810\n[    4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002\n[    4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff\n[    4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007\n[    4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e\n[    4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008\n[    4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000\n[    4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000\n[    4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000\n[    4.423921] Call trace:\n[    4.426362]  gpiod_direction_output+0x34/0x5c (P)\n[    4.431067]  gpiod_direction_output+0x18/0x5c (L)\n[    4.435771]  dspi_setup+0x220/0x334",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix error propagation of split bios\n\nThe purpose of btrfs_bbio_propagate_error() shall be propagating an error\nof split bio to its original btrfs_bio, and tell the error to the upper\nlayer. However, it's not working well on some cases.\n\n* Case 1. Immediate (or quick) end_bio with an error\n\nWhen btrfs sends btrfs_bio to mirrored devices, btrfs calls\nbtrfs_bio_end_io() when all the mirroring bios are completed. If that\nbtrfs_bio was split, it is from btrfs_clone_bioset and its end_io function\nis btrfs_orig_write_end_io. For this case, btrfs_bbio_propagate_error()\naccesses the orig_bbio's bio context to increase the error count.\n\nThat works well in most cases. However, if the end_io is called enough\nfast, orig_bbio's (remaining part after split) bio context may not be\nproperly set at that time. Since the bio context is set when the orig_bbio\n(the last btrfs_bio) is sent to devices, that might be too late for earlier\nsplit btrfs_bio's completion.  That will result in NULL pointer\ndereference.\n\nThat bug is easily reproducible by running btrfs/146 on zoned devices [1]\nand it shows the following trace.\n\n[1] You need raid-stripe-tree feature as it create \"-d raid0 -m raid1\" FS.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000020\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474\n  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  Workqueue: writeback wb_workfn (flush-btrfs-5)\n  RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs]\n  BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0\n  RSP: 0018:ffffc9000006f248 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc\n  RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080\n  RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001\n  R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58\n  R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158\n  FS:  0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   ? __die_body.cold+0x19/0x26\n   ? page_fault_oops+0x13e/0x2b0\n   ? _printk+0x58/0x73\n   ? do_user_addr_fault+0x5f/0x750\n   ? exc_page_fault+0x76/0x240\n   ? asm_exc_page_fault+0x22/0x30\n   ? btrfs_bio_end_io+0xae/0xc0 [btrfs]\n   ? btrfs_log_dev_io_error+0x7f/0x90 [btrfs]\n   btrfs_orig_write_end_io+0x51/0x90 [btrfs]\n   dm_submit_bio+0x5c2/0xa50 [dm_mod]\n   ? find_held_lock+0x2b/0x80\n   ? blk_try_enter_queue+0x90/0x1e0\n   __submit_bio+0xe0/0x130\n   ? ktime_get+0x10a/0x160\n   ? lockdep_hardirqs_on+0x74/0x100\n   submit_bio_noacct_nocheck+0x199/0x410\n   btrfs_submit_bio+0x7d/0x150 [btrfs]\n   btrfs_submit_chunk+0x1a1/0x6d0 [btrfs]\n   ? lockdep_hardirqs_on+0x74/0x100\n   ? __folio_start_writeback+0x10/0x2c0\n   btrfs_submit_bbio+0x1c/0x40 [btrfs]\n   submit_one_bio+0x44/0x60 [btrfs]\n   submit_extent_folio+0x13f/0x330 [btrfs]\n   ? btrfs_set_range_writeback+0xa3/0xd0 [btrfs]\n   extent_writepage_io+0x18b/0x360 [btrfs]\n   extent_write_locked_range+0x17c/0x340 [btrfs]\n   ? __pfx_end_bbio_data_write+0x10/0x10 [btrfs]\n   run_delalloc_cow+0x71/0xd0 [btrfs]\n   btrfs_run_delalloc_range+0x176/0x500 [btrfs]\n   ? find_lock_delalloc_range+0x119/0x260 [btrfs]\n   writepage_delalloc+0x2ab/0x480 [btrfs]\n   extent_write_cache_pages+0x236/0x7d0 [btrfs]\n   btrfs_writepages+0x72/0x130 [btrfs]\n   do_writepages+0xd4/0x240\n   ? find_held_lock+0x2b/0x80\n   ? wbc_attach_and_unlock_inode+0x12c/0x290\n   ? wbc_attach_and_unlock_inode+0x12c/0x29\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use-after-free, permit out-of-order decoder shutdown\n\nIn support of investigating an initialization failure report [1],\ncxl_test was updated to register mock memory-devices after the mock\nroot-port/bus device had been registered. That led to cxl_test crashing\nwith a use-after-free bug with the following signature:\n\n    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1\n    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1\n    cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0\n1)  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1\n    [..]\n    cxld_unregister: cxl decoder14.0:\n    cxl_region_decode_reset: cxl_region region3:\n    mock_decoder_reset: cxl_port port3: decoder3.0 reset\n2)  mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1\n    cxl_endpoint_decoder_release: cxl decoder14.0:\n    [..]\n    cxld_unregister: cxl decoder7.0:\n3)  cxl_region_decode_reset: cxl_region region3:\n    Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI\n    [..]\n    RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]\n    [..]\n    Call Trace:\n     <TASK>\n     cxl_region_decode_reset+0x69/0x190 [cxl_core]\n     cxl_region_detach+0xe8/0x210 [cxl_core]\n     cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n     cxld_unregister+0x5d/0x60 [cxl_core]\n\nAt 1) a region has been established with 2 endpoint decoders (7.0 and\n14.0). Those endpoints share a common switch-decoder in the topology\n(3.0). At teardown, 2), decoder14.0 is the first to be removed and hits\nthe \"out of order reset case\" in the switch decoder. The effect though\nis that region3 cleanup is aborted leaving it intact and\nreferencing decoder14.0. At 3) the second attempt to teardown region3\ntrips over the stale decoder14.0 object which has long since been\ndeleted.\n\nThe fix here is to recognize that the CXL specification places no\nmandate on in-order shutdown of switch-decoders, the driver enforces\nin-order allocation, and hardware enforces in-order commit. So, rather\nthan fail and leave objects dangling, always remove them.\n\nIn support of making cxl_region_decode_reset() always succeed,\ncxl_region_invalidate_memregion() failures are turned into warnings.\nCrashing the kernel is ok there since system integrity is at risk if\ncaches cannot be managed around physical address mutation events like\nCXL region destruction.\n\nA new device_for_each_child_reverse_from() is added to cleanup\nport->commit_end after all dependent decoders have been disabled. In\nother words if decoders are allocated 0->1->2 and disabled 1->2->0 then\nport->commit_end only decrements from 2 after 2 has been disabled, and\nit decrements all the way to zero since 1 was disabled previously.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()\n\nKASAN reported following issue:\n\n BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G     U             6.11.0+ #1387\n Tainted: [U]=USER\n Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x6c/0x90\n  print_report+0xd1/0x630\n  kasan_report+0xdb/0x110\n  __asan_report_load4_noabort+0x14/0x20\n  tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n  tb_scan_port+0xa6f/0x2060 [thunderbolt]\n  tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]\n  process_one_work+0x626/0x1100\n  worker_thread+0x6c8/0xfa0\n  kthread+0x2c8/0x3a0\n  ret_from_fork+0x3a/0x80\n  ret_from_fork_asm+0x1a/0x30\n\nThis happens because the loop variable still gets incremented by one so\nmax becomes 3 instead of 2, and this makes the second loop read past\nthe array declared on the stack.\n\nFix this by assigning to max directly in the loop body.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential deadlock with newly created symlinks\n\nSyzbot reported that page_symlink(), called by nilfs_symlink(), triggers\nmemory reclamation involving the filesystem layer, which can result in\ncircular lock dependencies among the reader/writer semaphore\nnilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the\nfs_reclaim pseudo lock.\n\nThis is because after commit 21fc61c73c39 (\"don't put symlink bodies in\npagecache into highmem\"), the gfp flags of the page cache for symbolic\nlinks are overwritten to GFP_KERNEL via inode_nohighmem().\n\nThis is not a problem for symlinks read from the backing device, because\nthe __GFP_FS flag is dropped after inode_nohighmem() is called.  However,\nwhen a new symlink is created with nilfs_symlink(), the gfp flags remain\noverwritten to GFP_KERNEL.  Then, memory allocation called from\npage_symlink() etc.  triggers memory reclamation including the FS layer,\nwhich may call nilfs_evict_inode() or nilfs_dirty_inode().  And these can\ncause a deadlock if they are called while nilfs->ns_segctor_sem is held:\n\nFix this issue by dropping the __GFP_FS flag from the page cache GFP flags\nof newly created symlinks in the same way that nilfs_new_inode() and\n__nilfs_read_inode() do, as a workaround until we adopt nofs allocation\nscope consistently or improve the locking constraints.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug due to missing clearing of checked flag\n\nSyzbot reported that in directory operations after nilfs2 detects\nfilesystem corruption and degrades to read-only,\n__block_write_begin_int(), which is called to prepare block writes, may\nfail the BUG_ON check for accesses exceeding the folio/page size,\ntriggering a kernel bug.\n\nThis was found to be because the \"checked\" flag of a page/folio was not\ncleared when it was discarded by nilfs2's own routine, which causes the\nsanity check of directory entries to be skipped when the directory\npage/folio is reloaded.  So, fix that.\n\nThis was necessary when the use of nilfs2's own page discard routine was\napplied to more than just metadata files.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()\n\nmodprobe iio-test-gts and rmmod it, then the following memory leak\noccurs:\n\n\tunreferenced object 0xffffff80c810be00 (size 64):\n\t  comm \"kunit_try_catch\", pid 1654, jiffies 4294913981\n\t  hex dump (first 32 bytes):\n\t    02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00  ........ ...@...\n\t    80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00  ................\n\t  backtrace (crc a63d875e):\n\t    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40\n\t    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0\n\t    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4\n\t    [<0000000071bb4b09>] 0xffffffdf052a62e0\n\t    [<000000000315bc18>] 0xffffffdf052a6488\n\t    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac\n\t    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000f505065d>] kthread+0x2e8/0x374\n\t    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cbfe9e70 (size 16):\n\t  comm \"kunit_try_catch\", pid 1658, jiffies 4294914015\n\t  hex dump (first 16 bytes):\n\t    10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00  ....@...........\n\t  backtrace (crc 857f0cb4):\n\t    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40\n\t    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0\n\t    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4\n\t    [<0000000071bb4b09>] 0xffffffdf052a62e0\n\t    [<000000007d089d45>] 0xffffffdf052a6864\n\t    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac\n\t    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [<00000000f505065d>] kthread+0x2e8/0x374\n\t    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20\n\t......\n\nIt includes 5*5 times \"size 64\" memory leaks, which correspond to 5 times\ntest_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int))\nand gts_test_itimes size 5. It also includes 5*1 times \"size 16\"\nmemory leaks, which correspond to one time __test_init_iio_gain_scale()\ncall with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes\nsize 5.\n\nThe reason is that the per_time_gains[i] is not freed which is allocated in\nthe \"gts->num_itime\" for loop in iio_gts_build_avail_scale_table().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()\n\nIn the ad7124_write_raw() function, parameter val can potentially\nbe zero. This may lead to a division by zero when DIV_ROUND_CLOSEST()\nis called within ad7124_set_channel_odr(). The ad7124_write_raw()\nfunction is invoked through the sequence: iio_write_channel_raw() ->\niio_write_channel_attribute() -> iio_channel_write(), with no checks\nin place to ensure val is non-zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()\n\nIn the ad9832_write_frequency() function, clk_get_rate() might return 0.\nThis can lead to a division by zero when calling ad9832_calc_freqreg().\nThe check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect\nagainst the case when fout is 0. The ad9832_write_frequency() function\nis called from ad9832_write(), and fout is derived from a text buffer,\nwhich can contain any value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlegacy: Clear stale interrupts before resuming device\n\niwl4965 fails upon resume from hibernation on my laptop. The reason\nseems to be a stale interrupt which isn't being cleared out before\ninterrupts are enabled. We end up with a race between the resume\ntrying to bring things back up, and the restart work (queued from\nthe interrupt handler) trying to bring things down. Eventually\nthe whole thing blows up.\n\nFix the problem by clearing out any stale interrupts before\ninterrupts get enabled during resume.\n\nHere's a debug log of the incident:\n[   12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000\n[   12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000\n[   12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.\n[   12.042653] iwl4965 0000:10:00.0: On demand firmware reload\n[   12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282\n[   12.052207] ieee80211 phy0: il4965_mac_start enter\n[   12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff\n[   12.052244] ieee80211 phy0: il4965_set_hw_ready hardware  ready\n[   12.052324] ieee80211 phy0: il_apm_init Init card's basic functions\n[   12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S\n[   12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm\n[   12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm\n[   12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK\n[   12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations\n[   12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up\n[   12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.\n[   12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down\n[   12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout\n[   12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort\n[   12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver\n[   12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared\n[   12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state\n[   12.058827] ieee80211 phy0: _il_apm_stop_master stop master\n[   12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.\n[   12.058869] ieee80211 phy0: Hardware restart was requested\n[   16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.\n[   16.132303] ------------[ cut here ]------------\n[   16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.\n[   16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]\n[   16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev\n[   16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143\n[   16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010\n[   16.132463] Workqueue: async async_run_entry_fn\n[   16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]\n[   16.132501] Code: da 02 00 0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: clear wdev->cqm_config pointer on free\n\nWhen we free wdev->cqm_config when unregistering, we also\nneed to clear out the pointer since the same wdev/netdev\nmay get re-registered in another network namespace, then\ndestroyed later, running this code again, which results in\na double-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Fix memory leak in management tx\n\nIn the current logic, memory is allocated for storing the MSDU context\nduring management packet TX but this memory is not being freed during\nmanagement TX completion. Similar leaks are seen in the management TX\ncleanup logic.\n\nKmemleak reports this problem as below,\n\nunreferenced object 0xffffff80b64ed250 (size 16):\n  comm \"kworker/u16:7\", pid 148, jiffies 4294687130 (age 714.199s)\n  hex dump (first 16 bytes):\n    00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......\n  backtrace:\n    [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8\n    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110\n    [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]\n    [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]\n    [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400\n    [<ffffffe6e78d60b8>] worker_thread+0x208/0x328\n    [<ffffffe6e78dc890>] kthread+0x100/0x1c0\n    [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20\n\nFree the memory during completion and cleanup to fix the leak.\n\nProtect the mgmt_pending_tx idr_remove() operation in\nath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to\nother instances.\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: do not pass a stopped vif to the driver in .get_txpower\n\nAvoid potentially crashing in the driver because of uninitialized private data",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom: qmp-usbc: fix NULL-deref on runtime suspend\n\nCommit 413db06c05e7 (\"phy: qcom-qmp-usb: clean up probe initialisation\")\nremoved most users of the platform device driver data from the\nqcom-qmp-usb driver, but mistakenly also removed the initialisation\ndespite the data still being used in the runtime PM callbacks. This bug\nwas later reproduced when the driver was copied to create the qmp-usbc\ndriver.\n\nRestore the driver data initialisation at probe to avoid a NULL-pointer\ndereference on runtime suspend.\n\nApparently no one uses runtime PM, which currently needs to be enabled\nmanually through sysfs, with these drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend\n\nCommit 413db06c05e7 (\"phy: qcom-qmp-usb: clean up probe initialisation\")\nremoved most users of the platform device driver data from the\nqcom-qmp-usb driver, but mistakenly also removed the initialisation\ndespite the data still being used in the runtime PM callbacks. This bug\nwas later reproduced when the driver was copied to create the\nqmp-usb-legacy driver.\n\nRestore the driver data initialisation at probe to avoid a NULL-pointer\ndereference on runtime suspend.\n\nApparently no one uses runtime PM, which currently needs to be enabled\nmanually through sysfs, with these drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom: qmp-usb: fix NULL-deref on runtime suspend\n\nCommit 413db06c05e7 (\"phy: qcom-qmp-usb: clean up probe initialisation\")\nremoved most users of the platform device driver data, but mistakenly\nalso removed the initialisation despite the data still being used in the\nruntime PM callbacks.\n\nRestore the driver data initialisation at probe to avoid a NULL-pointer\ndereference on runtime suspend.\n\nApparently no one uses runtime PM, which currently needs to be enabled\nmanually through sysfs, with this driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Initialize struct nfsd4_copy earlier\n\nEnsure the refcount and async_copies fields are initialized early.\ncleanup_async_copy() will reference these fields if an error occurs\nin nfsd4_copy(). If they are not correctly initialized, at the very\nleast, a refcount underflow occurs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.7"
        },
        {
          "id": "CVE-2024-50242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Additional check in ntfs_file_release",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix general protection fault in run_is_mapped_full\n\nFixed deleting of a non-resident attribute in ntfs_create_inode()\nrollback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Additional check in ni_clear()\n\nChecking of NTFS_FLAGS_LOG_REPLAYING added to prevent access to\nuninitialized bitmap during replay process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix possible deadlock in mi_read\n\nMutex lock with another subclass used in ni_lock_dir().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add rough attr alloc_size check",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check if more than chunk-size bytes are written\n\nAn incorrectly formatted chunk may decompress into\nmore than LZNT_CHUNK_SIZE bytes and an index out of bounds\nwill occur in s_max_off.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Add bounds checking to mi_enum_attr()\n\nAdded bounds checking to make sure that every attr doesn't stray beyond\nthe valid memory region.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Make rmw_lock a raw_spin_lock\n\nThe following BUG was triggered:\n\n=============================\n[ BUG: Invalid wait context ]\n6.12.0-rc2-XXX #406 Not tainted\n-----------------------------\nkworker/1:1/62 is trying to lock:\nffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370\nother info that might help us debug this:\ncontext-{5:5}\n2 locks held by kworker/1:1/62:\n  #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50\n  #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280\nstack backtrace:\nCPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406\nWorkqueue:  0x0 (events)\nCall trace:\n  dump_backtrace+0xa4/0x130\n  show_stack+0x20/0x38\n  dump_stack_lvl+0x90/0xd0\n  dump_stack+0x18/0x28\n  __lock_acquire+0x480/0x1ad8\n  lock_acquire+0x114/0x310\n  _raw_spin_lock+0x50/0x70\n  cpc_write+0xcc/0x370\n  cppc_set_perf+0xa0/0x3a8\n  cppc_cpufreq_fast_switch+0x40/0xc0\n  cpufreq_driver_fast_switch+0x4c/0x218\n  sugov_update_shared+0x234/0x280\n  update_load_avg+0x6ec/0x7b8\n  dequeue_entities+0x108/0x830\n  dequeue_task_fair+0x58/0x408\n  __schedule+0x4f0/0x1070\n  schedule+0x54/0x130\n  worker_thread+0xc0/0x2e8\n  kthread+0x130/0x148\n  ret_from_fork+0x10/0x20\n\nsugov_update_shared() locks a raw_spinlock while cpc_write() locks a\nspinlock.\n\nTo have a correct wait-type order, update rmw_lock to a raw spinlock and\nensure that interrupts will be disabled on the CPU holding it.\n\n[ rjw: Changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.7"
        },
        {
          "id": "CVE-2024-50250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: dax_unshare_iter needs to copy entire blocks\n\nThe code that copies data from srcmap to iomap in dax_unshare_iter is\nvery very broken, which bfoster's recent fsx changes have exposed.\n\nIf the pos and len passed to dax_file_unshare are not aligned to an\nfsblock boundary, the iter pos and length in the _iter function will\nreflect this unalignment.\n\ndax_iomap_direct_access always returns a pointer to the start of the\nkmapped fsdax page, even if its pos argument is in the middle of that\npage.  This is catastrophic for data integrity when iter->pos is not\naligned to a page, because daddr/saddr do not point to the same byte in\nthe file as iter->pos.  Hence we corrupt user data by copying it to the\nwrong place.\n\nIf iter->pos + iomap_length() in the _iter function is not aligned to a\npage, then we fail to copy a full block, and only partially populate the\ndestination block.  This is catastrophic for data confidentiality\nbecause we expose stale pmem contents.\n\nFix both of these issues by aligning copy_pos/copy_len to a page\nboundary (remember, this is fsdax so 1 fsblock == 1 base page) so that\nwe always copy full blocks.\n\nWe're not done yet -- there's no call to invalidate_inode_pages2_range,\nso programs that have the file range mmap'd will continue accessing the\nold memory mapping after the file metadata updates have completed.\n\nBe careful with the return value -- if the unshare succeeds, we still\nneed to return the number of bytes that the iomap iter thinks we're\noperating on.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_payload: sanitize offset and length before calling skb_checksum()\n\nIf access to offset + length is larger than the skbuff length, then\nskb_checksum() triggers BUG_ON().\n\nskb_checksum() internally subtracts the length parameter while iterating\nover skbuff, BUG_ON(len) at the end of it checks that the expected\nlength to be included in the checksum calculation is fully consumed.",
          "scorev2": "0.0",
          "scorev3": "6.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address\n\nThe device stores IPv6 addresses that are used for encapsulation in\nlinear memory that is managed by the driver.\n\nChanging the remote address of an ip6gre net device never worked\nproperly, but since cited commit the following reproducer [1] would\nresult in a warning [2] and a memory leak [3]. The problem is that the\nnew remote address is never added by the driver to its hash table (and\ntherefore the device) and the old address is never removed from it.\n\nFix by programming the new address when the configuration of the ip6gre\nnet device changes and removing the old one. If the address did not\nchange, then the above would result in increasing the reference count of\nthe address and then decreasing it.\n\n[1]\n # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit\n # ip link set dev bla type ip6gre remote 2001:db8:3::1\n # ip link del dev bla\n # devlink dev reload pci/0000:01:00.0\n\n[2]\nWARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0\nModules linked in:\nCPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nRIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_router_netdevice_event+0x55f/0x1240\n notifier_call_chain+0x5a/0xd0\n call_netdevice_notifiers_info+0x39/0x90\n unregister_netdevice_many_notify+0x63e/0x9d0\n rtnl_dellink+0x16b/0x3a0\n rtnetlink_rcv_msg+0x142/0x3f0\n netlink_rcv_skb+0x50/0x100\n netlink_unicast+0x242/0x390\n netlink_sendmsg+0x1de/0x420\n ____sys_sendmsg+0x2bd/0x320\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xd0\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[3]\nunreferenced object 0xffff898081f597a0 (size 32):\n  comm \"ip\", pid 1626, jiffies 4294719324\n  hex dump (first 32 bytes):\n    20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01   ...............\n    21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00  !Ia.............\n  backtrace (crc fd9be911):\n    [<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260\n    [<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340\n    [<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240\n    [<00000000743e7757>] notifier_call_chain+0x5a/0xd0\n    [<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90\n    [<000000002509645d>] register_netdevice+0x5f7/0x7a0\n    [<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130\n    [<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120\n    [<000000004df7c7cc>] rtnl_newlink+0x471/0xa20\n    [<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0\n    [<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100\n    [<00000000908bca63>] netlink_unicast+0x242/0x390\n    [<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420\n    [<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320\n    [<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0\n    [<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the validity of nr_words in bpf_iter_bits_new()\n\nCheck the validity of nr_words in bpf_iter_bits_new(). Without this\ncheck, when multiplication overflow occurs for nr_bits (e.g., when\nnr_words = 0x0400-0001, nr_bits becomes 64), stack corruption may occur\ndue to bpf_probe_read_kernel_common(..., nr_bytes = 0x2000-0008).\n\nFix it by limiting the maximum value of nr_words to 511. The value is\nderived from the current implementation of BPF memory allocator. To\nensure compatibility if the BPF memory allocator's size limitation\nchanges in the future, use the helper bpf_mem_alloc_check_size() to\ncheck whether nr_bytes is too large. And return -E2BIG instead of\n-ENOMEM for oversized nr_bytes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free dynamically allocated bits in bpf_iter_bits_destroy()\n\nbpf_iter_bits_destroy() uses \"kit->nr_bits <= 64\" to check whether the\nbits are dynamically allocated. However, the check is incorrect and may\ncause a kmemleak as shown below:\n\nunreferenced object 0xffff88812628c8c0 (size 32):\n  comm \"swapper/0\", pid 1, jiffies 4294727320\n  hex dump (first 32 bytes):\n\tb0 c1 55 f5 81 88 ff ff f0 f0 f0 f0 f0 f0 f0 f0  ..U...........\n\tf0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 00 00 00 00  ..............\n  backtrace (crc 781e32cc):\n\t[<00000000c452b4ab>] kmemleak_alloc+0x4b/0x80\n\t[<0000000004e09f80>] __kmalloc_node_noprof+0x480/0x5c0\n\t[<00000000597124d6>] __alloc.isra.0+0x89/0xb0\n\t[<000000004ebfffcd>] alloc_bulk+0x2af/0x720\n\t[<00000000d9c10145>] prefill_mem_cache+0x7f/0xb0\n\t[<00000000ff9738ff>] bpf_mem_alloc_init+0x3e2/0x610\n\t[<000000008b616eac>] bpf_global_ma_init+0x19/0x30\n\t[<00000000fc473efc>] do_one_initcall+0xd3/0x3c0\n\t[<00000000ec81498c>] kernel_init_freeable+0x66a/0x940\n\t[<00000000b119f72f>] kernel_init+0x20/0x160\n\t[<00000000f11ac9a7>] ret_from_fork+0x3c/0x70\n\t[<0000000004671da4>] ret_from_fork_asm+0x1a/0x30\n\nThat is because nr_bits will be set as zero in bpf_iter_bits_next()\nafter all bits have been iterated.\n\nFix the issue by setting kit->bit to kit->nr_bits instead of setting\nkit->nr_bits to zero when the iteration completes in\nbpf_iter_bits_next(). In addition, use \"!nr_bits || bits >= nr_bits\" to\ncheck whether the iteration is complete and still use \"nr_bits > 64\" to\nindicate whether bits are dynamically allocated. The \"!nr_bits\" check is\nnecessary because bpf_iter_bits_new() may fail before setting\nkit->nr_bits, and this condition will stop the iteration early instead\nof accessing the zeroed or freed kit->bits.\n\nConsidering the initial value of kit->bits is -1 and the type of\nkit->nr_bits is unsigned int, change the type of kit->nr_bits to int.\nThe potential overflow problem will be handled in the following patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs\n\nFix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.\n\n__hci_cmd_sync_sk() returns NULL if a command returns a status event.\nHowever, it also returns NULL where an opcode doesn't exist in the\nhci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0]\nfor unknown opcodes.\nThis leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as\nthere is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes\nstatus = skb->data[0].\n\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci7 hci_power_on\nRIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138\nCode: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78\nRSP: 0018:ffff888120bafac8 EFLAGS: 00010212\nRAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040\nRDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4\nRBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054\nR10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000\nFS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]\n hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]\n hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]\n hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]\n hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]\n hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994\n hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]\n hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015\n process_one_work kernel/workqueue.c:3267 [inline]\n process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348\n worker_thread+0x91f/0xe50 kernel/workqueue.c:3429\n kthread+0x2cb/0x360 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()\n\nI got a syzbot report without a repro [1] crashing in nf_send_reset6()\n\nI think the issue is that dev->hard_header_len is zero, and we attempt\nlater to push an Ethernet header.\n\nUse LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c.\n\n[1]\n\nskbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc900045269b0 EFLAGS: 00010282\nRAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800\nRDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000\nRBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc\nR10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140\nR13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c\nFS:  00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  skb_push+0xe5/0x100 net/core/skbuff.c:2636\n  eth_header+0x38/0x1f0 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3208 [inline]\n  nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358\n  nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48\n  expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n  nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n  nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]\n  br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424\n  __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562\n  __netif_receive_skb_one_core net/core/dev.c:5666 [inline]\n  __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781\n  netif_receive_skb_internal net/core/dev.c:5867 [inline]\n  netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926\n  tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550\n  tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007\n  tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053\n  new_sync_write fs/read_write.c:590 [inline]\n  vfs_write+0xa6d/0xc90 fs/read_write.c:683\n  ksys_write+0x183/0x2b0 fs/read_write.c:736\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdbeeb7d1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48\nRSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff\nRDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8\nRBP: 00007fdbeebf12be R08: 0000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: Fix use-after-free in get_info()\n\nip6table_nat module unload has refcnt warning for UAF. call trace is:\n\nWARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80\nModules linked in: ip6table_nat(-)\nCPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:module_put+0x6f/0x80\nCall Trace:\n <TASK>\n get_info+0x128/0x180\n do_ip6t_get_ctl+0x6a/0x430\n nf_getsockopt+0x46/0x80\n ipv6_getsockopt+0xb9/0x100\n rawv6_getsockopt+0x42/0x190\n do_sock_getsockopt+0xaa/0x180\n __sys_getsockopt+0x70/0xc0\n __x64_sys_getsockopt+0x20/0x30\n do_syscall_64+0xa2/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nConcurrent execution of module unload and get_info() triggered the warning.\nThe root cause is as follows:\n\ncpu0\t\t\t\t      cpu1\nmodule_exit\n//mod->state = MODULE_STATE_GOING\n  ip6table_nat_exit\n    xt_unregister_template\n\tkfree(t)\n\t//removed from templ_list\n\t\t\t\t      getinfo()\n\t\t\t\t\t  t = xt_find_table_lock\n\t\t\t\t\t\tlist_for_each_entry(tmpl, &xt_templates[af]...)\n\t\t\t\t\t\t\tif (strcmp(tmpl->name, name))\n\t\t\t\t\t\t\t\tcontinue;  //table not found\n\t\t\t\t\t\t\ttry_module_get\n\t\t\t\t\t\tlist_for_each_entry(t, &xt_net->tables[af]...)\n\t\t\t\t\t\t\treturn t;  //not get refcnt\n\t\t\t\t\t  module_put(t->me) //uaf\n    unregister_pernet_subsys\n    //remove table from xt_net list\n\nWhile xt_table module was going away and has been removed from\nxt_templates list, we couldn't get refcnt of xt_table->me. Check\nmodule in xt_net->tables list re-traversal to fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix crash when config small gso_max_size/gso_ipv4_max_size\n\nConfig a small gso_max_size/gso_ipv4_max_size will lead to an underflow\nin sk_dst_gso_max_size(), which may trigger a BUG_ON crash,\nbecause sk->sk_gso_max_size would be much bigger than device limits.\nCall Trace:\ntcp_write_xmit\n    tso_segs = tcp_init_tso_segs(skb, mss_now);\n        tcp_set_skb_tso_segs\n            tcp_skb_pcount_set\n                // skb->len = 524288, mss_now = 8\n                // u16 tso_segs = 524288/8 = 65535 -> 0\n                tso_segs = DIV_ROUND_UP(skb->len, mss_now)\n    BUG_ON(!tso_segs)\nAdd check for the minimum value of gso_max_size and gso_ipv4_max_size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()\n\nThis was found by a static analyzer.\nWe should not forget the trailing zero after copy_from_user()\nif we will further do some string operations, sscanf() in this\ncase. Adding a trailing zero will ensure that the function\nperforms properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: fix a NULL pointer dereference in sock_map_link_update_prog()\n\nThe following race condition could trigger a NULL pointer dereference:\n\nsock_map_link_detach():\t\tsock_map_link_update_prog():\n   mutex_lock(&sockmap_mutex);\n   ...\n   sockmap_link->map = NULL;\n   mutex_unlock(&sockmap_mutex);\n   \t\t\t\t   mutex_lock(&sockmap_mutex);\n\t\t\t\t   ...\n\t\t\t\t   sock_map_prog_link_lookup(sockmap_link->map);\n\t\t\t\t   mutex_unlock(&sockmap_mutex);\n   <continue>\n\nFix it by adding a NULL pointer check. In this specific case, it makes\nno sense to update a link which is being released.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: Fix use-after-free while sending the offloading packet\n\nKASAN reports the following UAF. The metadata_dst, which is used to\nstore the SCI value for macsec offload, is already freed by\nmetadata_dst_free() in macsec_free_netdev(), while the driver still uses it\nfor sending the packet.\n\nTo fix this issue, dst_release() is used instead to release\nmetadata_dst. So it is not freed instantly in macsec_free_netdev() if\nstill referenced by skb.\n\n BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714\n [...]\n Workqueue: mld mld_ifc_work\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x51/0x60\n  print_report+0xc1/0x600\n  kasan_report+0xab/0xe0\n  mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]\n  dev_hard_start_xmit+0x120/0x530\n  sch_direct_xmit+0x149/0x11e0\n  __qdisc_run+0x3ad/0x1730\n  __dev_queue_xmit+0x1196/0x2ed0\n  vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]\n  dev_hard_start_xmit+0x120/0x530\n  __dev_queue_xmit+0x14a7/0x2ed0\n  macsec_start_xmit+0x13e9/0x2340\n  dev_hard_start_xmit+0x120/0x530\n  __dev_queue_xmit+0x14a7/0x2ed0\n  ip6_finish_output2+0x923/0x1a70\n  ip6_finish_output+0x2d7/0x970\n  ip6_output+0x1ce/0x3a0\n  NF_HOOK.constprop.0+0x15f/0x190\n  mld_sendpack+0x59a/0xbd0\n  mld_ifc_work+0x48a/0xa80\n  process_one_work+0x5aa/0xe50\n  worker_thread+0x79c/0x1290\n  kthread+0x28f/0x350\n  ret_from_fork+0x2d/0x70\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n\n Allocated by task 3922:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x10/0x30\n  __kasan_kmalloc+0x77/0x90\n  __kmalloc_noprof+0x188/0x400\n  metadata_dst_alloc+0x1f/0x4e0\n  macsec_newlink+0x914/0x1410\n  __rtnl_newlink+0xe08/0x15b0\n  rtnl_newlink+0x5f/0x90\n  rtnetlink_rcv_msg+0x667/0xa80\n  netlink_rcv_skb+0x12c/0x360\n  netlink_unicast+0x551/0x770\n  netlink_sendmsg+0x72d/0xbd0\n  __sock_sendmsg+0xc5/0x190\n  ____sys_sendmsg+0x52e/0x6a0\n  ___sys_sendmsg+0xeb/0x170\n  __sys_sendmsg+0xb5/0x140\n  do_syscall_64+0x4c/0x100\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 4011:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x10/0x30\n  kasan_save_free_info+0x37/0x50\n  poison_slab_object+0x10c/0x190\n  __kasan_slab_free+0x11/0x30\n  kfree+0xe0/0x290\n  macsec_free_netdev+0x3f/0x140\n  netdev_run_todo+0x450/0xc70\n  rtnetlink_rcv_msg+0x66f/0xa80\n  netlink_rcv_skb+0x12c/0x360\n  netlink_unicast+0x551/0x770\n  netlink_sendmsg+0x72d/0xbd0\n  __sock_sendmsg+0xc5/0x190\n  ____sys_sendmsg+0x52e/0x6a0\n  ___sys_sendmsg+0xeb/0x170\n  __sys_sendmsg+0xb5/0x140\n  do_syscall_64+0x4c/0x100\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix out-of-bounds write in trie_get_next_key()\n\ntrie_get_next_key() allocates a node stack with size trie->max_prefixlen,\nwhile it writes (trie->max_prefixlen + 1) nodes to the stack when it has\nfull paths from the root to leaves. For example, consider a trie with\nmax_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...\n0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with\n.prefixlen = 8 make 9 nodes be written on the node stack with size 8.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: only invoke khugepaged, ksm hooks if no error\n\nThere is no reason to invoke these hooks early against an mm that is in an\nincomplete state.\n\nThe change in commit d24062914837 (\"fork: use __mt_dup() to duplicate\nmaple tree in dup_mmap()\") makes this more pertinent as we may be in a\nstate where entries in the maple tree are not yet consistent.\n\nTheir placement early in dup_mmap() only appears to have been meaningful\nfor early error checking, and since functionally it'd require a very small\nallocation to fail (in practice 'too small to fail') that'd only occur in\nthe most dire circumstances, meaning the fork would fail or be OOM'd in\nany case.\n\nSince both khugepaged and KSM tracking are there to provide optimisations\nto memory performance rather than critical functionality, it doesn't\nreally matter all that much if, under such dire memory pressure, we fail\nto register an mm with these.\n\nAs a result, we follow the example of commit d2081b2bf819 (\"mm:\nkhugepaged: make khugepaged_enter() void function\") and make ksm_fork() a\nvoid function also.\n\nWe only expose the mm to these functions once we are done with them and\nonly if no error occurred in the fork operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Initialization of the dangling pointer occurring in vsk->trans\n\nDuring loopback communication, a dangling pointer can be created in\nvsk->trans, potentially leading to a Use-After-Free condition.  This\nissue is resolved by initializing vsk->trans to NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()\n\nSyzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():\n\n[   57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12\n[   57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper.  Leaking 1 clusters and removing the entry\n[   57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004\n[...]\n[   57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0\n[...]\n[   57.331328] Call Trace:\n[   57.331477]  <TASK>\n[...]\n[   57.333511]  ? do_user_addr_fault+0x3e5/0x740\n[   57.333778]  ? exc_page_fault+0x70/0x170\n[   57.334016]  ? asm_exc_page_fault+0x2b/0x30\n[   57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10\n[   57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0\n[   57.334913]  ocfs2_xa_remove_entry+0x23/0xc0\n[   57.335164]  ocfs2_xa_set+0x704/0xcf0\n[   57.335381]  ? _raw_spin_unlock+0x1a/0x40\n[   57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20\n[   57.335915]  ? trace_preempt_on+0x1e/0x70\n[   57.336153]  ? start_this_handle+0x16c/0x500\n[   57.336410]  ? preempt_count_sub+0x50/0x80\n[   57.336656]  ? _raw_read_unlock+0x20/0x40\n[   57.336906]  ? start_this_handle+0x16c/0x500\n[   57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0\n[   57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0\n[   57.337706]  ? ocfs2_start_trans+0x13d/0x290\n[   57.337971]  ocfs2_xattr_set+0xb13/0xfb0\n[   57.338207]  ? dput+0x46/0x1c0\n[   57.338393]  ocfs2_xattr_trusted_set+0x28/0x30\n[   57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30\n[   57.338948]  __vfs_removexattr+0x92/0xc0\n[   57.339182]  __vfs_removexattr_locked+0xd5/0x190\n[   57.339456]  ? preempt_count_sub+0x50/0x80\n[   57.339705]  vfs_removexattr+0x5f/0x100\n[...]\n\nReproducer uses faultinject facility to fail ocfs2_xa_remove() ->\nocfs2_xa_value_truncate() with -ENOMEM.\n\nIn this case the comment mentions that we can return 0 if\nocfs2_xa_cleanup_value_truncate() is going to wipe the entry\nanyway. But the following 'rc' check is wrong and execution flow does\n'ocfs2_xa_remove_entry(loc);' twice:\n* 1st: in ocfs2_xa_cleanup_value_truncate();\n* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.\n\nFix this by skipping the 2nd removal of the same entry and making\nsyzkaller repro happy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs\n\nA recent change in the venus driver results in a stuck clock on the\nLenovo ThinkPad X13s, for example, when streaming video in firefox:\n\n\tvideo_cc_mvs0_clk status stuck at 'off'\n\tWARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c\n\t...\n\tCall trace:\n\t clk_branch_wait+0x144/0x15c\n\t clk_branch2_enable+0x30/0x40\n\t clk_core_enable+0xd8/0x29c\n\t clk_enable+0x2c/0x4c\n\t vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]\n\t coreid_power_v4+0x464/0x628 [venus_core]\n\t vdec_start_streaming+0xc4/0x510 [venus_dec]\n\t vb2_start_streaming+0x6c/0x180 [videobuf2_common]\n\t vb2_core_streamon+0x120/0x1dc [videobuf2_common]\n\t vb2_streamon+0x1c/0x6c [videobuf2_v4l2]\n\t v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem]\n\t v4l_streamon+0x24/0x30 [videodev]\n\nusing the out-of-tree sm8350/sc8280xp venus support. [1]\n\nUpdate also the sm8350/sc8280xp GDSC definitions so that the hw control\nmode can be changed at runtime as the venus driver now requires.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: io_edgeport: fix use after free in debug printk\n\nThe \"dev_dbg(&urb->dev->dev, ...\" which happens after usb_free_urb(urb)\nis a use after free of the \"urb\" pointer.  Store the \"dev\" pointer at the\nstart of the function to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()\n\nThe \"*cmd\" variable can be controlled by the user via debugfs.  That means\n\"new_cam\" can be as high as 255 while the size of the uc->updated[] array\nis UCSI_MAX_ALTMODES (30).\n\nThe call tree is:\nucsi_cmd() // val comes from simple_attr_write_xsigned()\n-> ucsi_send_command()\n   -> ucsi_send_command_common()\n      -> ucsi_run_command() // calls ucsi->ops->sync_control()\n         -> ucsi_ccg_sync_control()",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: sunxi: Fix accessing a released usb phy\n\nCommit 6ed05c68cbca (\"usb: musb: sunxi: Explicitly release USB PHY on\nexit\") causes the usb phy @glue->xceiv to be accessed after it is released.\n\n1) register platform driver @sunxi_musb_driver\n// get the usb phy @glue->xceiv\nsunxi_musb_probe() -> devm_usb_get_phy().\n\n2) register and unregister platform driver @musb_driver\nmusb_probe() -> sunxi_musb_init()\nuse the phy here\n//the phy is released here\nmusb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()\n\n3) register @musb_driver again\nmusb_probe() -> sunxi_musb_init()\nuse the phy here but the phy has been released at 2).\n...\n\nFixed by reverting the commit, namely, removing devm_usb_put_phy()\nfrom sunxi_musb_exit().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid overflow in damon_feed_loop_next_input()\n\ndamon_feed_loop_next_input() is inefficient and fragile to overflows.\nSpecifically, the 'score_goal_diff_bp' calculation can overflow when 'score'\nis high.  The calculation is actually unnecessary at all because 'goal' is\na constant of value 10,000.  Calculation of 'compensation' is again\nfragile to overflow.  Final calculation of the return value for the under-achieving\ncase is again fragile to overflow when the current score is\nunder-achieving the target.\n\nAdd two corner cases handling at the beginning of the function to make the\nbody easier to read, and rewrite the body of the function to avoid\noverflows and the unnecessary bp value calculation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsignal: restore the override_rlimit logic\n\nPrior to commit d64696905554 (\"Reimplement RLIMIT_SIGPENDING on top of\nucounts\") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of\nsignals.  However now it's enforced unconditionally, even if\noverride_rlimit is set.  This behavior change caused production issues.  \n\nFor example, if the limit is reached and a process receives a SIGSEGV\nsignal, sigqueue_alloc fails to allocate the necessary resources for the\nsignal delivery, preventing the signal from being delivered with siginfo. \nThis prevents the process from correctly identifying the fault address and\nhandling the error.  From the user-space perspective, applications are\nunaware that the limit has been reached and that the siginfo is\neffectively 'corrupted'.  This can lead to unpredictable behavior and\ncrashes, as we observed with java applications.\n\nFix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip\nthe comparison to max there if override_rlimit is set.  This effectively\nrestores the old behavior.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: Fix bounds checking in filemap_read()\n\nIf the caller supplies an iocb->ki_pos value that is close to the\nfilesystem upper limit, and an iterator with a count that causes us to\noverflow that limit, then filemap_read() enters an infinite loop.\n\nThis behaviour was discovered when testing xfstests generic/525 with the\n\"localio\" optimisation for loopback NFS mounts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reinitialize delayed ref list after deleting it from the list\n\nAt insert_delayed_ref() if we need to update the action of an existing\nref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's\nref_add_list using list_del(), which leaves the ref's add_list member\nnot reinitialized, as list_del() sets the next and prev members of the\nlist to LIST_POISON1 and LIST_POISON2, respectively.\n\nIf later we end up calling drop_delayed_ref() against the ref, which can\nhappen during merging or when destroying delayed refs due to a transaction\nabort, we can trigger a crash since at drop_delayed_ref() we call\nlist_empty() against the ref's add_list, which returns false since\nthe list was not reinitialized after the list_del() and as a consequence\nwe call list_del() again at drop_delayed_ref(). This results in an\ninvalid list access since the next and prev members are set to poison\npointers, resulting in a splat if CONFIG_LIST_HARDENED and\nCONFIG_DEBUG_LIST are set or invalid poison pointer dereferences\notherwise.\n\nSo fix this by deleting from the list with list_del_init() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: avoid vport access in idpf_get_link_ksettings\n\nWhen the device control plane is removed or the platform\nrunning the device control plane is rebooted, a reset is detected\non the driver. On driver reset, it releases the resources and\nwaits for the reset to complete. If the reset fails, it takes\nthe error path and releases the vport lock. At this time if the\nmonitoring tools try to access link settings, it call traces\nfor accessing the released vport pointer.\n\nTo avoid it, move link_speed_mbps to the netdev_priv structure\nwhich removes the dependency on the vport pointer and the vport lock\nin idpf_get_link_ksettings. Also use netif_carrier_ok()\nto check the link status and adjust the offsetof to use link_up\ninstead of link_speed_mbps.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sve: Discard stale CPU state when handling SVE traps\n\nThe logic for handling SVE traps manipulates saved FPSIMD/SVE state\nincorrectly, and a race with preemption can result in a task having\nTIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SVE traps enabled). This has been observed to result\nin warnings from do_sve_acc() where SVE traps are not expected while\nTIF_SVE is set:\n\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\n\nWarnings of this form have been reported intermittently, e.g.\n\n  https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/\n  https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/\n\nThe race can occur when the SVE trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sve_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled\n|         // task->fpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\n|\n|         sve_init_regs() {\n|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                         ...\n|                 } else {\n|                         fpsimd_to_sve(current);\n|                         current->thread.fp_type = FP_STATE_SVE;\n|                 }\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task->fpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SVE traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vertexcom: mse102x: Fix possible double free of TX skb\n\nThe scope of the TX skb is wider than just mse102x_tx_frame_spi(),\nso in case the TX skb room needs to be expanded, we should free the\ntemporary skb instead of the original skb. Otherwise the original\nTX skb pointer would be freed again in mse102x_tx_work(), which leads\nto crashes:\n\n  Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP\n  CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G      D            6.6.23\n  Hardware name: chargebyte Charge SOM DC-ONE (DT)\n  Workqueue: events mse102x_tx_work [mse102x]\n  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : skb_release_data+0xb8/0x1d8\n  lr : skb_release_data+0x1ac/0x1d8\n  sp : ffff8000819a3cc0\n  x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0\n  x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff\n  x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50\n  x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc\n  x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000\n  x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000\n  x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8\n  x8 : fffffc00001bc008\n  x7 : 0000000000000000 x6 : 0000000000000008\n  x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009\n  x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n   skb_release_data+0xb8/0x1d8\n   kfree_skb_reason+0x48/0xb0\n   mse102x_tx_work+0x164/0x35c [mse102x]\n   process_one_work+0x138/0x260\n   worker_thread+0x32c/0x438\n   kthread+0x118/0x11c\n   ret_from_fork+0x10/0x20\n  Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix a crash if blk_alloc_disk fails\n\nIf blk_alloc_disk fails, the variable md->disk is set to an error value.\ncleanup_mapped_device will see that md->disk is non-NULL and it will\nattempt to access it, causing a crash on this statement\n\"md->disk->private_data = NULL;\".",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix potential out-of-bounds access on the first resume\n\nOut-of-bounds access occurs if the fast device is expanded unexpectedly\nbefore the first-time resume of the cache table. This happens because\nexpanding the fast device requires reloading the cache table for\ncache_create to allocate new in-core data structures that fit the new\nsize, and the check in cache_preresume is not performed during the\nfirst resume, leading to the issue.\n\nReproduce steps:\n\n1. prepare component devices:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\n\n2. load a cache table of 512 cache blocks, and deliberately expand the\n   fast device before resuming the cache, making the in-core data\n   structures inadequate.\n\ndmsetup create cache --notable\ndmsetup reload cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup reload cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\n3. suspend the cache to write out the in-core dirty bitset and hint\n   array, leading to out-of-bounds access to the dirty bitset at offset\n   0x40:\n\ndmsetup suspend cache\n\nKASAN reports:\n\n  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80\n  Read of size 8 at addr ffffc90000085040 by task dmsetup/90\n\n  (...snip...)\n  The buggy address belongs to the virtual mapping at\n   [ffffc90000085000, ffffc90000087000) created by:\n   cache_ctr+0x176a/0x35f0\n\n  (...snip...)\n  Memory state around the buggy address:\n   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8\n                                             ^\n   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by checking the size change on the first resume.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix out-of-bounds access to the dirty bitset when resizing\n\ndm-cache checks the dirty bits of the cache blocks to be dropped when\nshrinking the fast device, but an index bug in bitset iteration causes\nout-of-bounds access.\n\nReproduce steps:\n\n1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. shrink the fast device to 512 cache blocks, triggering out-of-bounds\n   access to the dirty bitset (offset 0x80)\n\ndmsetup suspend cache\ndmsetup reload cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\nKASAN reports:\n\n  BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0\n  Read of size 8 at addr ffffc900000f3080 by task dmsetup/131\n\n  (...snip...)\n  The buggy address belongs to the virtual mapping at\n   [ffffc900000f3000, ffffc900000f5000) created by:\n   cache_ctr+0x176a/0x35f0\n\n  (...snip...)\n  Memory state around the buggy address:\n   ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                     ^\n   ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by making the index post-incremented.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix flushing uninitialized delayed_work on cache_ctr error\n\nAn unexpected WARN_ON from flush_work() may occur when cache creation\nfails, caused by destroying the uninitialized delayed_work waker in the\nerror path of cache_create(). For example, the warning appears on the\nsuperblock checksum error.\n\nReproduce steps:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\nKernel logs:\n\n(snip)\nWARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890\n\nFix by pulling out the cancel_delayed_work_sync() from the constructor's\nerror path. This patch doesn't affect the use-after-free fix for\nconcurrent dm_resume and dm_destroy (commit 6a459d8edbdb (\"dm cache: Fix\nUAF in destroy()\")) as cache_dtr is not changed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation\n\nWhen sealing or unsealing a key blob we currently do not wait for\nthe AEAD cipher operation to finish and simply return after submitting\nthe request. If there is some load on the system we can exit before\nthe cipher operation is done and the buffer we read from/write to\nis already removed from the stack. This will e.g. result in NULL\npointer dereference errors in the DCP driver during blob creation.\n\nFix this by waiting for the AEAD cipher operation to finish before\nresuming the seal and unseal calls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()\n\nAvoid a possible buffer overflow if size is larger than 4K.\n\n(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp\n\nksmbd_user_session_put should be called under smb3_preauth_hash_rsp().\nIt will avoid freeing session before calling smb3_preauth_hash_rsp().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix the missing xa_store error check\n\nxa_store() can fail: it returns xa_err(-EINVAL) if the entry cannot\nbe stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,\nso check the error from xa_store() to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: check outstanding simultaneous SMB operations\n\nIf a client sends simultaneous SMB operations to ksmbd, it exhausts too much\nmemory through the \"ksmbd_work_cache\". It will cause an OOM issue.\nksmbd has a credit mechanism but it can't handle this problem. This patch\nadds a check for whether it exceeds max credits to prevent this problem by assuming\nthat one smb request consumes at least one credit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in ksmbd_smb2_session_create\n\nThere is a race condition between ksmbd_smb2_session_create and\nksmbd_expire_session. This patch adds the missing sessions_table_lock\nwhile adding/deleting a session from the global session table.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-tpg: prevent the risk of a division by zero\n\nAs reported by Coverity, the logic at tpg_precalculate_line()\nblindly rescales the buffer even when scaled_width is equal to\nzero. If this ever happens, this will cause a division by zero.\n\nInstead, add a WARN_ON_ONCE() to trigger such cases and return\nwithout doing any precalculation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: fix buffer overwrite when using > 32 buffers\n\nThe maximum number of buffers that can be requested was increased to\n64 for the video capture queue. But video capture used a must_blank\narray that was still sized for 32 (VIDEO_MAX_FRAME). This caused an\nout-of-bounds write when using buffer indices >= 32.\n\nCreate a new define MAX_VID_CAP_BUFFERS that is used to access the\nmust_blank array and set max_num_buffers for the video capture queue.\n\nThis solves a crash reported by:\n\n\thttps://bugzilla.kernel.org/show_bug.cgi?id=219258",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: av7110: fix a spectre vulnerability\n\nAs warned by smatch:\n\tdrivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)\n\nThere is a spectre-related vulnerability in the code. Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx24116: prevent overflows on SNR calculus\n\nAs reported by Coverity, if reading SNR registers fails, a negative\nnumber will be returned, causing an underflow when reading SNR\nregisters.\n\nPrevent that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: add missing buffer index check\n\ndvb_vb2_expbuf() didn't check if the given buffer index was\nfor a valid buffer. Add this check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove\n\nIn case of error when requesting ctrl_chan DMA channel, ctrl_chan is not\nnull. So the release of the dma channel leads to the following issue:\n[    4.879000] st,stm32-spdifrx 500d0000.audio-controller:\ndma_request_slave_channel error -19\n[    4.888975] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000003d\n[...]\n[    5.096577] Call trace:\n[    5.099099]  dma_release_channel+0x24/0x100\n[    5.103235]  stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]\n[    5.109494]  stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]\n\nTo avoid this issue, release channel only if the pointer is valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: do not leave a dangling sk pointer in __smc_create()\n\nThanks to commit 4bbd360a5084 (\"socket: Print pf->create() when\nit does not clear sock->sk on failure.\"), syzbot found an issue with AF_SMC:\n\nsmc_create must clear sock->sk on failure, family: 43, type: 1, protocol: 0\n WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563\nModules linked in:\nCPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563\nCode: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 <0f> 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7\nRSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246\nRAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50\nR10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8\nR13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0\nFS:  000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  sock_create net/socket.c:1616 [inline]\n  __sys_socket_create net/socket.c:1653 [inline]\n  __sys_socket+0x150/0x3c0 net/socket.c:1700\n  __do_sys_socket net/socket.c:1714 [inline]\n  __se_sys_socket net/socket.c:1712 [inline]\n\nFor reference, see commit 2d859aff775d (\"Merge branch\n'do-not-leave-dangling-sk-pointers-in-pf-create-functions'\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing locking causing hanging calls\n\nIf a call gets aborted (e.g. because kafs saw a signal) between it being\nqueued for connection and the I/O thread picking up the call, the abort\nwill be prioritised over the connection and it will be removed from\nlocal->new_client_calls by rxrpc_disconnect_client_call() without a lock\nbeing held.  This may cause other calls on the list to disappear if a race\noccurs.\n\nFix this by taking the client_call_lock when removing a call from whatever\nlist its ->wait_link happens to be on.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arc: fix the device for dma_map_single/dma_unmap_single\n\nThe ndev->dev and pdev->dev aren't the same device; use ndev->dev.parent,\nwhich has dma_mask (ndev->dev.parent is just pdev->dev).\nOtherwise it would cause the following issue:\n\n[   39.933526] ------------[ cut here ]------------\n[   39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when uninstalling driver\n\nWhen the driver is uninstalled and the VF is disabled concurrently, a\nkernel crash occurs. The reason is that the two actions call function\npci_disable_sriov(). The num_VFs is checked to determine whether to\nrelease the corresponding resources. During the second calling, num_VFs\nis not 0 and the resource release function is called. However, the\ncorresponding resource has been released during the first invoking.\nTherefore, the problem occurs:\n\n[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n...\n[15278.131557][T50670] Call trace:\n[15278.134686][T50670]  klist_put+0x28/0x12c\n[15278.138682][T50670]  klist_del+0x14/0x20\n[15278.142592][T50670]  device_del+0xbc/0x3c0\n[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120\n[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80\n[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c\n[15278.162485][T50670]  sriov_disable+0x50/0x11c\n[15278.166829][T50670]  pci_disable_sriov+0x24/0x30\n[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]\n[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]\n[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230\n[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30\n[15278.193848][T50670]  invoke_syscall+0x50/0x11c\n[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164\n[15278.203837][T50670]  do_el0_svc+0x34/0xcc\n[15278.207834][T50670]  el0_svc+0x20/0x30\n\nFor details, see the following figure.\n\n     rmmod hclge              disable VFs\n----------------------------------------------------\nhclge_exit()            sriov_numvfs_store()\n  ...                     device_lock()\n  pci_disable_sriov()     hns3_pci_sriov_configure()\n                            pci_disable_sriov()\n                              sriov_disable()\n    sriov_disable()             if !num_VFs :\n      if !num_VFs :               return;\n        return;                 sriov_del_vfs()\n      sriov_del_vfs()             ...\n        ...                       klist_put()\n        klist_put()               ...\n        ...                     num_VFs = 0;\n      num_VFs = 0;        device_unlock();\n\nIn this patch, when the driver is being removed, we get the device_lock()\nto protect num_VFs, just like sriov_numvfs_store().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts\n\nEnqueuing packets in dql after the dma engine starts causes a race condition.\nTx transfer starts once the dma engine is started and may execute dql dequeue\nin completion before it gets queued. It results in the following kernel crash\nwhile running an iperf stress test:\n\nkernel BUG at lib/dynamic_queue_limits.c:99!\n<snip>\nInternal error: Oops - BUG: 00000000f2000800 [#1] SMP\npc : dql_completed+0x238/0x248\nlr : dql_completed+0x3c/0x248\n\nCall trace:\n  dql_completed+0x238/0x248\n  axienet_dma_tx_cb+0xa0/0x170\n  xilinx_dma_do_tasklet+0xdc/0x290\n  tasklet_action_common+0xf8/0x11c\n  tasklet_action+0x30/0x3c\n  handle_softirqs+0xf8/0x230\n<snip>\n\nStarting the dmaengine after enqueuing in dql fixes the crash.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: allocate vf_state during PF probes\n\nIn the previous implementation, vf_state is allocated memory only when VF\nis enabled. However, net_device_ops::ndo_set_vf_mac() may be called before\nVF is enabled to configure the MAC address of VF. If this is the case,\nenetc_pf_set_vf_mac() will access vf_state, resulting in access to a null\npointer. The simplified error log is as follows.\n\nroot@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89\n[  173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n[  173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy\n[  173.641973] lr : do_setlink+0x4a8/0xec8\n[  173.732292] Call trace:\n[  173.734740]  enetc_pf_set_vf_mac+0x3c/0x80\n[  173.738847]  __rtnl_newlink+0x530/0x89c\n[  173.742692]  rtnl_newlink+0x50/0x7c\n[  173.746189]  rtnetlink_rcv_msg+0x128/0x390\n[  173.750298]  netlink_rcv_skb+0x60/0x130\n[  173.754145]  rtnetlink_rcv+0x18/0x24\n[  173.757731]  netlink_unicast+0x318/0x380\n[  173.761665]  netlink_sendmsg+0x17c/0x3c8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: properly validate chunk size in sctp_sf_ootb()\n\nA size validation fix similar to that in Commit 50619dbf8db7 (\"sctp: add\nsize validation when walking chunks\") is also required in sctp_sf_ootb()\nto address a crash reported by syzbot:\n\n  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712\n  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712\n  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166\n  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407\n  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243\n  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159\n  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: rtq2208: Fix uninitialized use of regulator_config\n\nFix an uninitialized use in the rtq2208 driver that causes a kernel error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsecurity/keys: fix slab-out-of-bounds in key_task_permission\n\nKASAN reports an out of bounds read:\nBUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36\nBUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]\nBUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410\nsecurity/keys/permission.c:54\nRead of size 4 at addr ffff88813c3ab618 by task stress-ng/4362\n\nCPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0x107/0x167 lib/dump_stack.c:123\n print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n __kuid_val include/linux/uidgid.h:36 [inline]\n uid_eq include/linux/uidgid.h:63 [inline]\n key_task_permission+0x394/0x410 security/keys/permission.c:54\n search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793\n\nThis issue was also reported by syzbot.\n\nIt can be reproduced by following these steps (more details [1]):\n1. Obtain more than 32 inputs that have similar hashes, which end with the\n   pattern '0xxxxxxxe6'.\n2. Reboot and add the keys obtained in step 1.\n\nThe reproducer demonstrates how this issue happened:\n1. In the search_nested_keyrings function, when it iterates through the\n   slots in a node(below tag ascend_to_node), if the slot pointer is meta\n   and node->back_pointer != NULL(it means a root), it will proceed to\n   descend_to_node. However, there is an exception. If node is the root,\n   and one of the slots points to a shortcut, it will be treated as a\n   keyring.\n2. Whether the ptr is a keyring is decided by the keyring_ptr_is_keyring function.\n   However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as\n   ASSOC_ARRAY_PTR_SUBTYPE_MASK.\n3. When 32 keys with the similar hashes are added to the tree, the ROOT\n   has keys with hashes that are not similar (e.g. slot 0) and it splits\n   NODE A without using a shortcut. When NODE A is filled with keys that\n   all hashes are xxe6, the keys are similar, NODE A will split with a\n   shortcut. Finally, it forms the tree as shown below, where slot 6 points\n   to a shortcut.\n\n                      NODE A\n              +------>+---+\n      ROOT    |       | 0 | xxe6\n      +---+   |       +---+\n xxxx | 0 | shortcut  :   : xxe6\n      +---+   |       +---+\n xxe6 :   :   |       |   | xxe6\n      +---+   |       +---+\n      | 6 |---+       :   : xxe6\n      +---+           +---+\n xxe6 :   :           | f | xxe6\n      +---+           +---+\n xxe6 | f |\n      +---+\n\n4. As mentioned above, if a slot (slot 6) of the root points to a shortcut,\n   it may be mistakenly transferred to a key*, leading to an\n   out-of-bounds read.\n\nTo fix this issue, one should jump to descend_to_node if the ptr is a\nshortcut, regardless of whether the node is root or not.\n\n[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/\n\n[jarkko: tweaked the commit message a bit to have an appropriate closes\n tag.]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: zero-initialize the report buffer\n\nSince the report buffer is used by all kinds of drivers in various ways, let's\nzero-initialize it during allocation to make sure that it can't be ever used\nto leak kernel memory via specially-crafted report.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nresource,kexec: walk_system_ram_res_rev must retain resource flags\n\nwalk_system_ram_res_rev() erroneously discards resource flags when passing\nthe information to the callback.\n\nThis causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have\nthese resources selected during kexec to store kexec buffers if that\nmemory happens to be placed above normal system ram.\n\nThis leads to undefined behavior after reboot.  If the kexec buffer is\nnever touched, nothing happens.  If the kexec buffer is touched, it could\nlead to a crash (like below) or undefined behavior.\n\nTested on a system with CXL memory expanders with driver managed memory,\nTPM enabled, and CONFIG_IMA_KEXEC=y.  Adding printk's showed the flags\nwere being discarded and as a result the check for\nIORESOURCE_SYSRAM_DRIVER_MANAGED passes.\n\nfind_next_iomem_res: name(System RAM (kmem))\n\t\t     start(10000000000)\n\t\t     end(1034fffffff)\n\t\t     flags(83000200)\n\nlocate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0)\n\n[.] BUG: unable to handle page fault for address: ffff89834ffff000\n[.] #PF: supervisor read access in kernel mode\n[.] #PF: error_code(0x0000) - not-present page\n[.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0\n[.] Oops: 0000 [#1] SMP\n[.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0\n[.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286\n[.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000\n[.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018\n[.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900\n[.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000\n[.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000\n[.] FS:  0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000\n[.] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[.] ata5: SATA link down (SStatus 0 SControl 300)\n[.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0\n[.] PKRU: 55555554\n[.] Call Trace:\n[.]  <TASK>\n[.]  ? __die+0x78/0xc0\n[.]  ? page_fault_oops+0x2a8/0x3a0\n[.]  ? exc_page_fault+0x84/0x130\n[.]  ? asm_exc_page_fault+0x22/0x30\n[.]  ? ima_restore_measurement_list+0x95/0x4b0\n[.]  ? template_desc_init_fields+0x317/0x410\n[.]  ? crypto_alloc_tfm_node+0x9c/0xc0\n[.]  ? init_ima_lsm+0x30/0x30\n[.]  ima_load_kexec_buffer+0x72/0xa0\n[.]  ima_init+0x44/0xa0\n[.]  __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0\n[.]  ? init_ima_lsm+0x30/0x30\n[.]  do_one_initcall+0xad/0x200\n[.]  ? idr_alloc_cyclic+0xaa/0x110\n[.]  ? new_slab+0x12c/0x420\n[.]  ? new_slab+0x12c/0x420\n[.]  ? number+0x12a/0x430\n[.]  ? sysvec_apic_timer_interrupt+0xa/0x80\n[.]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n[.]  ? parse_args+0xd4/0x380\n[.]  ? parse_args+0x14b/0x380\n[.]  kernel_init_freeable+0x1c1/0x2b0\n[.]  ? rest_init+0xb0/0xb0\n[.]  kernel_init+0x16/0x1a0\n[.]  ret_from_fork+0x2f/0x40\n[.]  ? rest_init+0xb0/0xb0\n[.]  ret_from_fork_asm+0x11/0x20\n[.]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-50304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()\n\nThe per-netns IP tunnel hash table is protected by the RTNL mutex and\nip_tunnel_find() is only called from the control path where the mutex is\ntaken.\n\nAdd a lockdep expression to hlist_for_each_entry_rcu() in\nip_tunnel_find() in order to validate that the mutex is held and to\nsilence the suspicious RCU usage warning [1].\n\n[1]\nWARNING: suspicious RCU usage\n6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted\n-----------------------------\nnet/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by ip/362:\n #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60\n\nstack backtrace:\nCPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139\nHardware name: Bochs Bochs, BIOS Bochs 01/01/2011\nCall Trace:\n <TASK>\n dump_stack_lvl+0xba/0x110\n lockdep_rcu_suspicious.cold+0x4f/0xd6\n ip_tunnel_find+0x435/0x4d0\n ip_tunnel_newlink+0x517/0x7a0\n ipgre_newlink+0x14c/0x170\n __rtnl_newlink+0x1173/0x19c0\n rtnl_newlink+0x6c/0xa0\n rtnetlink_rcv_msg+0x3cc/0xf60\n netlink_rcv_skb+0x171/0x450\n netlink_unicast+0x539/0x7f0\n netlink_sendmsg+0x8c1/0xd80\n ____sys_sendmsg+0x8f9/0xc20\n ___sys_sendmsg+0x197/0x1e0\n __sys_sendmsg+0x122/0x1f0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-50304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-51729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: use aligned address in copy_user_gigantic_page()\n\nIn current kernel, hugetlb_wp() calls copy_user_large_folio() with the\nfault address, where the fault address may not be aligned with the huge\npage size.  Then, copy_user_large_folio() may call\ncopy_user_gigantic_page() with the address, while\ncopy_user_gigantic_page() requires the address to be huge page size\naligned.  So, this may cause memory corruption or information leak.\nAdditionally, use more obvious naming 'addr_hint' instead of 'addr' for\ncopy_user_gigantic_page().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-51729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-52319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: use aligned address in clear_gigantic_page()\n\nIn current kernel, hugetlb_no_page() calls folio_zero_user() with the\nfault address, where the fault address may not be aligned with the huge\npage size.  Then, folio_zero_user() may call clear_gigantic_page() with\nthe address, while clear_gigantic_page() requires the address to be huge\npage size aligned.  So, this may cause memory corruption or information\nleak.  Additionally, use more obvious naming 'addr_hint' instead of 'addr' for\nclear_gigantic_page().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-52319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-52332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix potential invalid memory access in igb_init_module()\n\nThe pci_register_driver() can fail and when this happens, the dca_notifier\nneeds to be unregistered, otherwise the dca_notifier can be called when\nigb fails to install, resulting in invalid memory access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-52332",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-52557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dp: Fix integer overflow in zynqmp_dp_rate_get()\n\nThis patch fixes a potential integer overflow in zynqmp_dp_rate_get().\n\nThe issue comes up when the expression\ndrm_dp_bw_code_to_link_rate(dp->test.bw_code) * 10000 is evaluated using 32-bit\narithmetic. Now the constant is a compatible 64-bit type.\n\nResolves coverity issues: CID 1636340 and CID 1635811",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-52557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-52559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()\n\nThe \"submit->cmd[i].size\" and \"submit->cmd[i].offset\" variables are u32\nvalues that come from the user via the submit_lookup_cmds() function.\nThis addition could lead to an integer wrapping bug so use size_add()\nto prevent that.\n\nPatchwork: https://patchwork.freedesktop.org/patch/624696/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-52559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-52560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Mark inode as bad as soon as error detected in mi_enum_attr()\n\nExtended the `mi_enum_attr()` function interface with an additional\nparameter, `struct ntfs_inode *ni`, to allow marking the inode\nas bad as soon as an error is detected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-52560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-53042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()\n\nThere are code paths from which the function is called without holding\nthe RCU read lock, resulting in a suspicious RCU usage warning [1].\n\nFix by using l3mdev_master_upper_ifindex_by_index() which will acquire\nthe RCU read lock before calling\nl3mdev_master_upper_ifindex_by_index_rcu().\n\n[1]\nWARNING: suspicious RCU usage\n6.12.0-rc3-custom-gac8f72681cf2 #141 Not tainted\n-----------------------------\nnet/core/dev.c:876 RCU-list traversed in non-reader section!!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by ip/361:\n #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60\n\nstack backtrace:\nCPU: 3 UID: 0 PID: 361 Comm: ip Not tainted 6.12.0-rc3-custom-gac8f72681cf2 #141\nHardware name: Bochs Bochs, BIOS Bochs 01/01/2011\nCall Trace:\n <TASK>\n dump_stack_lvl+0xba/0x110\n lockdep_rcu_suspicious.cold+0x4f/0xd6\n dev_get_by_index_rcu+0x1d3/0x210\n l3mdev_master_upper_ifindex_by_index_rcu+0x2b/0xf0\n ip_tunnel_bind_dev+0x72f/0xa00\n ip_tunnel_newlink+0x368/0x7a0\n ipgre_newlink+0x14c/0x170\n __rtnl_newlink+0x1173/0x19c0\n rtnl_newlink+0x6c/0xa0\n rtnetlink_rcv_msg+0x3cc/0xf60\n netlink_rcv_skb+0x171/0x450\n netlink_unicast+0x539/0x7f0\n netlink_sendmsg+0x8c1/0xd80\n ____sys_sendmsg+0x8f9/0xc20\n ___sys_sendmsg+0x197/0x1e0\n __sys_sendmsg+0x122/0x1f0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp i2c: handle NULL header address\n\ndaddr can be NULL if there is no neighbour table entry present,\nin that case the tx packet should be dropped.\n\nsaddr will usually be set by MCTP core, but check for NULL in case a\npacket is transmitted by a different protocol.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext()\n\nThis command:\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: block dev insert failed: -EBUSY.\n\nfails because user space requests the same block index to be set for\nboth ingress and egress.\n\n[ side note, I don't think it even failed prior to commit 913b47d3424e\n  (\"net/sched: Introduce tc block netdev tracking infra\"), because this\n  is a command from an old set of notes of mine which used to work, but\n  alas, I did not scientifically bisect this ]\n\nThe problem is not that it fails, but rather, that the second time\naround, it fails differently (and irrecoverably):\n\n$ tc qdisc replace dev eth0 ingress_block 1 egress_block 1 clsact\nError: dsa_core: Flow block cb is busy.\n\n[ another note: the extack is added by me for illustration purposes.\n  the context of the problem is that clsact_init() obtains the same\n  &q->ingress_block pointer as &q->egress_block, and since we call\n  tcf_block_get_ext() on both of them, \"dev\" will be added to the\n  block->ports xarray twice, thus failing the operation: once through\n  the ingress block pointer, and once again through the egress block\n  pointer. the problem itself is that when xa_insert() fails, we have\n  emitted a FLOW_BLOCK_BIND command through ndo_setup_tc(), but the\n  offload never sees a corresponding FLOW_BLOCK_UNBIND. 
]\n\nEven correcting the bad user input, we still cannot recover:\n\n$ tc qdisc replace dev swp3 ingress_block 1 egress_block 2 clsact\nError: dsa_core: Flow block cb is busy.\n\nBasically the only way to recover is to reboot the system, or unbind and\nrebind the net device driver.\n\nTo fix the bug, we need to fill the correct error teardown path which\nwas missed during code movement, and call tcf_block_offload_unbind()\nwhen xa_insert() fails.\n\n[ last note, fundamentally I blame the label naming convention in\n  tcf_block_get_ext() for the bug. The labels should be named after what\n  they do, not after the error path that jumps to them. This way, it is\n  obviously wrong that two labels pointing to the same code mean\n  something is wrong, and checking the code correctness at the goto site\n  is also easier ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: dapm: fix bounds checker error in dapm_widget_list_create\n\nThe widgets array in the snd_soc_dapm_widget_list has a __counted_by\nattribute attached to it, which points to the num_widgets variable. This\nattribute is used in bounds checking, and if it is not set before the\narray is filled, then the bounds sanitizer will issue a warning or a\nkernel panic if CONFIG_UBSAN_TRAP is set.\n\nThis patch sets the size of the widgets list calculated with\nlist_for_each as the initial value for num_widgets as it is used for\nallocating memory for the array. It is updated with the actual number of\nadded elements after the array is filled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: imx8ulp: correct the flexspi compatible string\n\nThe flexspi on imx8ulp only has 16 LUTs, and imx8mm flexspi has\n32 LUTs, so correct the compatible string here, otherwise will\nmeet below error:\n\n[    1.119072] ------------[ cut here ]------------\n[    1.123926] WARNING: CPU: 0 PID: 1 at drivers/spi/spi-nxp-fspi.c:855 nxp_fspi_exec_op+0xb04/0xb64\n[    1.133239] Modules linked in:\n[    1.136448] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc6-next-20240902-00001-g131bf9439dd9 #69\n[    1.146821] Hardware name: NXP i.MX8ULP EVK (DT)\n[    1.151647] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    1.158931] pc : nxp_fspi_exec_op+0xb04/0xb64\n[    1.163496] lr : nxp_fspi_exec_op+0xa34/0xb64\n[    1.168060] sp : ffff80008002b2a0\n[    1.171526] x29: ffff80008002b2d0 x28: 0000000000000000 x27: 0000000000000000\n[    1.179002] x26: ffff2eb645542580 x25: ffff800080610014 x24: ffff800080610000\n[    1.186480] x23: ffff2eb645548080 x22: 0000000000000006 x21: ffff2eb6455425e0\n[    1.193956] x20: 0000000000000000 x19: ffff80008002b5e0 x18: ffffffffffffffff\n[    1.201432] x17: ffff2eb644467508 x16: 0000000000000138 x15: 0000000000000002\n[    1.208907] x14: 0000000000000000 x13: ffff2eb6400d8080 x12: 00000000ffffff00\n[    1.216378] x11: 0000000000000000 x10: ffff2eb6400d8080 x9 : ffff2eb697adca80\n[    1.223850] x8 : ffff2eb697ad3cc0 x7 : 0000000100000000 x6 : 0000000000000001\n[    1.231324] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000007a6\n[    1.238795] x2 : 0000000000000000 x1 : 00000000000001ce x0 : 00000000ffffff92\n[    1.246267] Call trace:\n[    1.248824]  nxp_fspi_exec_op+0xb04/0xb64\n[    1.253031]  spi_mem_exec_op+0x3a0/0x430\n[    1.257139]  spi_nor_read_id+0x80/0xcc\n[    1.261065]  spi_nor_scan+0x1ec/0xf10\n[    1.264901]  spi_nor_probe+0x108/0x2fc\n[    1.268828]  spi_mem_probe+0x6c/0xbc\n[    
1.272574]  spi_probe+0x84/0xe4\n[    1.275958]  really_probe+0xbc/0x29c\n[    1.279713]  __driver_probe_device+0x78/0x12c\n[    1.284277]  driver_probe_device+0xd8/0x15c\n[    1.288660]  __device_attach_driver+0xb8/0x134\n[    1.293316]  bus_for_each_drv+0x88/0xe8\n[    1.297337]  __device_attach+0xa0/0x190\n[    1.301353]  device_initial_probe+0x14/0x20\n[    1.305734]  bus_probe_device+0xac/0xb0\n[    1.309752]  device_add+0x5d0/0x790\n[    1.313408]  __spi_add_device+0x134/0x204\n[    1.317606]  of_register_spi_device+0x3b4/0x590\n[    1.322348]  spi_register_controller+0x47c/0x754\n[    1.327181]  devm_spi_register_controller+0x4c/0xa4\n[    1.332289]  nxp_fspi_probe+0x1cc/0x2b0\n[    1.336307]  platform_probe+0x68/0xc4\n[    1.340145]  really_probe+0xbc/0x29c\n[    1.343893]  __driver_probe_device+0x78/0x12c\n[    1.348457]  driver_probe_device+0xd8/0x15c\n[    1.352838]  __driver_attach+0x90/0x19c\n[    1.356857]  bus_for_each_dev+0x7c/0xdc\n[    1.360877]  driver_attach+0x24/0x30\n[    1.364624]  bus_add_driver+0xe4/0x208\n[    1.368552]  driver_register+0x5c/0x124\n[    1.372573]  __platform_driver_register+0x28/0x34\n[    1.377497]  nxp_fspi_driver_init+0x1c/0x28\n[    1.381888]  do_one_initcall+0x80/0x1c8\n[    1.385908]  kernel_init_freeable+0x1c4/0x28c\n[    1.390472]  kernel_init+0x20/0x1d8\n[    1.394138]  ret_from_fork+0x10/0x20\n[    1.397885] ---[ end trace 0000000000000000 ]---\n[    1.407908] ------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: init: protect sched with rcu_read_lock\n\nEnabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERT\ncreates this splat when an MPTCP socket is created:\n\n  =============================\n  WARNING: suspicious RCU usage\n  6.12.0-rc2+ #11 Not tainted\n  -----------------------------\n  net/mptcp/sched.c:44 RCU-list traversed in non-reader section!!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active = 2, debug_locks = 1\n  no locks held by mptcp_connect/176.\n\n  stack backtrace:\n  CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11\n  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  Call Trace:\n   <TASK>\n   dump_stack_lvl (lib/dump_stack.c:123)\n   lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)\n   mptcp_sched_find (net/mptcp/sched.c:44 (discriminator 7))\n   mptcp_init_sock (net/mptcp/protocol.c:2867 (discriminator 1))\n   ? sock_init_data_uid (arch/x86/include/asm/atomic.h:28)\n   inet_create.part.0.constprop.0 (net/ipv4/af_inet.c:386)\n   ? __sock_create (include/linux/rcupdate.h:347 (discriminator 1))\n   __sock_create (net/socket.c:1576)\n   __sys_socket (net/socket.c:1671)\n   ? __pfx___sys_socket (net/socket.c:1712)\n   ? do_user_addr_fault (arch/x86/mm/fault.c:1419 (discriminator 1))\n   __x64_sys_socket (net/socket.c:1728)\n   do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1))\n   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nThat's because when the socket is initialised, rcu_read_lock() is not\nused despite the explicit comment written above the declaration of\nmptcp_sched_find() in sched.c. Adding the missing lock/unlock avoids the\nwarning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash on probe for DPLL enabled E810 LOM\n\nThe E810 Lan On Motherboard (LOM) design is vendor specific. Intel\nprovides the reference design, but it is up to vendor on the final\nproduct design. For some cases, like Linux DPLL support, the static\nvalues defined in the driver does not reflect the actual LOM design.\nCurrent implementation of dpll pins is causing the crash on probe\nof the ice driver for such DPLL enabled E810 LOM designs:\n\nWARNING: (...) at drivers/dpll/dpll_core.c:495 dpll_pin_get+0x2c4/0x330\n...\nCall Trace:\n <TASK>\n ? __warn+0x83/0x130\n ? dpll_pin_get+0x2c4/0x330\n ? report_bug+0x1b7/0x1d0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? dpll_pin_get+0x117/0x330\n ? dpll_pin_get+0x2c4/0x330\n ? dpll_pin_get+0x117/0x330\n ice_dpll_get_pins.isra.0+0x52/0xe0 [ice]\n...\n\nThe number of dpll pins enabled by LOM vendor is greater than expected\nand defined in the driver for Intel designed NICs, which causes the crash.\n\nPrevent the crash and allow generic pin initialization within Linux DPLL\nsubsystem for DPLL enabled E810 LOM designs.\n\nNewly designed solution for described issue will be based on \"per HW\ndesign\" pin initialization. It requires pin information dynamically\nacquired from the firmware and is already in progress, planned for\nnext-tree only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof\n\n'modprobe slub_kunit' will have a warning as shown below. The root cause\nis that __kmalloc_cache_noprof was directly used, which resulted in no\nalloc_tag being allocated. This caused current->alloc_tag to be null,\nleading to a warning in alloc_tag_add_check.\n\nLet's add an alloc_hook layer to __kmalloc_cache_noprof specifically\nwithin lib/slub_kunit.c, which is the only user of this internal slub\nfunction outside kmalloc implementation itself.\n\n[58162.947016] WARNING: CPU: 2 PID: 6210 at\n./include/linux/alloc_tag.h:125 alloc_tagging_slab_alloc_hook+0x268/0x27c\n[58162.957721] Call trace:\n[58162.957919]  alloc_tagging_slab_alloc_hook+0x268/0x27c\n[58162.958286]  __kmalloc_cache_noprof+0x14c/0x344\n[58162.958615]  test_kmalloc_redzone_access+0x50/0x10c [slub_kunit]\n[58162.959045]  kunit_try_run_case+0x74/0x184 [kunit]\n[58162.959401]  kunit_generic_run_threadfn_adapter+0x2c/0x4c [kunit]\n[58162.959841]  kthread+0x10c/0x118\n[58162.960093]  ret_from_fork+0x10/0x20\n[58162.960363] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hdcp: Add encoder check in hdcp2_get_capability\n\nAdd encoder check in intel_hdcp2_get_capability to avoid\nnull pointer error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hdcp: Add encoder check in intel_hdcp_get_capability\n\nSometimes during hotplug scenario or suspend/resume scenario encoder is\nnot always initialized when intel_hdcp_get_capability add\na check to avoid kernel null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: fix missing NOWAIT check for O_DIRECT start write\n\nWhen io_uring starts a write, it'll call kiocb_start_write() to bump the\nsuper block rwsem, preventing any freezes from happening while that\nwrite is in-flight. The freeze side will grab that rwsem for writing,\nexcluding any new writers from happening and waiting for existing writes\nto finish. But io_uring unconditionally uses kiocb_start_write(), which\nwill block if someone is currently attempting to freeze the mount point.\nThis causes a deadlock where freeze is waiting for previous writes to\ncomplete, but the previous writes cannot complete, as the task that is\nsupposed to complete them is blocked waiting on starting a new write.\nThis results in the following stuck trace showing that dependency with\nthe write blocked starting a new write:\n\ntask:fio             state:D stack:0     pid:886   tgid:886   ppid:876\nCall trace:\n __switch_to+0x1d8/0x348\n __schedule+0x8e8/0x2248\n schedule+0x110/0x3f0\n percpu_rwsem_wait+0x1e8/0x3f8\n __percpu_down_read+0xe8/0x500\n io_write+0xbb8/0xff8\n io_issue_sqe+0x10c/0x1020\n io_submit_sqes+0x614/0x2110\n __arm64_sys_io_uring_enter+0x524/0x1038\n invoke_syscall+0x74/0x268\n el0_svc_common.constprop.0+0x160/0x238\n do_el0_svc+0x44/0x60\n el0_svc+0x44/0xb0\n el0t_64_sync_handler+0x118/0x128\n el0t_64_sync+0x168/0x170\nINFO: task fsfreeze:7364 blocked for more than 15 seconds.\n      Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963\n\nwith the attempting freezer stuck trying to grab the rwsem:\n\ntask:fsfreeze        state:D stack:0     pid:7364  tgid:7364  ppid:995\nCall trace:\n __switch_to+0x1d8/0x348\n __schedule+0x8e8/0x2248\n schedule+0x110/0x3f0\n percpu_down_write+0x2b0/0x680\n freeze_super+0x248/0x8a8\n do_vfs_ioctl+0x149c/0x1b18\n __arm64_sys_ioctl+0xd0/0x1a0\n invoke_syscall+0x74/0x268\n el0_svc_common.constprop.0+0x160/0x238\n do_el0_svc+0x44/0x60\n 
el0_svc+0x44/0xb0\n el0t_64_sync_handler+0x118/0x128\n el0t_64_sync+0x168/0x170\n\nFix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a\nblocking grab of the super block rwsem if it isn't set. For normal issue\nwhere IOCB_NOWAIT would always be set, this returns -EAGAIN which will\nhave io_uring core issue a blocking attempt of the write. That will in\nturn also get completions run, ensuring forward progress.\n\nSince freezing requires CAP_SYS_ADMIN in the first place, this isn't\nsomething that can be triggered by a regular user.",
          "scorev2": "0.0",
          "scorev3": "4.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix another deadlock during RTC update\n\nIf ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm's usage_count\nis 0, we will enter the runtime suspend callback.  However, the runtime\nsuspend callback will wait to flush ufshcd_rtc_work, causing a deadlock.\n\nReplace ufshcd_rpm_put_sync() with ufshcd_rpm_put() to avoid the\ndeadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix 6 GHz scan construction\n\nIf more than 255 colocated APs exist for the set of all\nAPs found during 2.4/5 GHz scanning, then the 6 GHz scan\nconstruction will loop forever since the loop variable\nhas type u8, which can never reach the number found when\nthat's bigger than 255, and is stored in a u32 variable.\nAlso move it into the loops to have a smaller scope.\n\nUsing a u32 there is fine, we limit the number of APs in\nthe scan list and each has a limit on the number of RNR\nentries due to the frame size. With a limit of 1000 scan\nresults, a frame size upper bound of 4096 (really it's\nmore like ~2300) and a TBTT entry size of at least 11,\nwe get an upper bound for the number of ~372k, well in\nthe bounds of a u32.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()\n\nIn mtk_crtc_create(), if the call to mbox_request_channel() fails then we\nset the \"mtk_crtc->cmdq_client.chan\" pointer to NULL.  In that situation,\nwe do not call cmdq_pkt_create().\n\nDuring the cleanup, we need to check if the \"mtk_crtc->cmdq_client.chan\"\nis NULL first before calling cmdq_pkt_destroy().  Calling\ncmdq_pkt_destroy() is unnecessary if we didn't call cmdq_pkt_create() and\nit will result in a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it's valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\n\nIn case the non-paged data of a SKB carries protocol header and protocol\npayload to be transmitted on a certain platform that the DMA AXI address\nwidth is configured to 40-bit/48-bit, or the size of the non-paged data\nis bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI\naddress width is configured to 32-bit, then this SKB requires at least\ntwo DMA transmit descriptors to serve it.\n\nFor example, three descriptors are allocated to split one DMA buffer\nmapped from one piece of non-paged data:\n    dma_desc[N + 0],\n    dma_desc[N + 1],\n    dma_desc[N + 2].\nThen three elements of tx_q->tx_skbuff_dma[] will be allocated to hold\nextra information to be reused in stmmac_tx_clean():\n    tx_q->tx_skbuff_dma[N + 0],\n    tx_q->tx_skbuff_dma[N + 1],\n    tx_q->tx_skbuff_dma[N + 2].\nNow we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer\naddress returned by DMA mapping call. stmmac_tx_clean() will try to\nunmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf\nis a valid buffer address.\n\nThe expected behavior that saves DMA buffer address of this non-paged\ndata to tx_q->tx_skbuff_dma[entry].buf is:\n    tx_q->tx_skbuff_dma[N + 0].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();\nUnfortunately, the current code misbehaves like this:\n    tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();\n    tx_q->tx_skbuff_dma[N + 1].buf = NULL;\n    tx_q->tx_skbuff_dma[N + 2].buf = NULL;\n\nOn the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the\nDMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address\nobviously, then the DMA buffer will be unmapped immediately.\nThere may be a rare case that the DMA engine does not finish the\npending dma_desc[N + 1], dma_desc[N + 2] yet. 
Now things will go\nhorribly wrong, DMA is going to access a unmapped/unreferenced memory\nregion, corrupted data will be transmited or iommu fault will be\ntriggered :(\n\nIn contrast, the for-loop that maps SKB fragments behaves perfectly\nas expected, and that is how the driver should do for both non-paged\ndata and paged frags actually.\n\nThis patch corrects DMA map/unmap sequences by fixing the array index\nfor tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.\n\nTested and verified on DWXGMAC CORE 3.20a",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()\n\n1. The size of the response packet is not validated.\n2. The response buffer is not freed.\n\nResolve these issues by switching to iwl_mvm_send_cmd_status(),\nwhich handles both size validation and frees the buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: prevent NULL pointer dereference if ATIF is not supported\n\nacpi_evaluate_object() may return AE_NOT_FOUND (failure), which\nwould result in dereferencing buffer.pointer (obj) while being NULL.\n\nAlthough this case may be unrealistic for the current code, it is\nstill better to protect against possible bugs.\n\nBail out also when status is AE_NOT_FOUND.\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity\nReport: CID 1600951:  Null pointer dereferences  (FORWARD_NULL)\n\n(cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.8"
        },
        {
          "id": "CVE-2024-53061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: s5p-jpeg: prevent buffer overflows\n\nThe current logic allows word to be less than 2. If this happens,\nthere will be buffer overflows, as reported by smatch. Add extra\nchecks to prevent it.\n\nWhile here, remove an unused word = 0 assignment.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mgb4: protect driver against spectre\n\nFrequency range is set from sysfs via frequency_range_store(),\nbeing vulnerable to spectre, as reported by smatch:\n\n\tdrivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r]\n\tdrivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half.  'reg_set'\n\nFix it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: prevent the risk of out of memory access\n\nThe dvbdev contains a static variable used to store dvb minors.\n\nThe behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set\nor not. When not set, dvb_register_device() won't check for\nboundaries, as it will rely that a previous call to\ndvb_register_adapter() would already be enforcing it.\n\nOn a similar way, dvb_device_open() uses the assumption\nthat the register functions already did the needed checks.\n\nThis can be fragile if some device ends using different\ncalls. This also generate warnings on static check analysers\nlike Coverity.\n\nSo, add explicit guards to prevent potential risk of OOM issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix idpf_vc_core_init error path\n\nIn an event where the platform running the device control plane\nis rebooted, reset is detected on the driver. It releases\nall the resources and waits for the reset to complete. Once the\nreset is done, it tries to build the resources back. At this\ntime if the device control plane is not yet started, then\nthe driver timeouts on the virtchnl message and retries to\nestablish the mailbox again.\n\nIn the retry flow, mailbox is deinitialized but the mailbox\nworkqueue is still alive and polling for the mailbox message.\nThis results in accessing the released control queue leading to\nnull-ptr-deref. Fix it by unrolling the work queue cancellation\nand mailbox deinitialization in the reverse order which they got\ninitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: fix warning caused by duplicate kmem_cache creation in kmem_buckets_create\n\nCommit b035f5a6d852 (\"mm: slab: reduce the kmalloc() minimum alignment\nif DMA bouncing possible\") reduced ARCH_KMALLOC_MINALIGN to 8 on arm64.\nHowever, with KASAN_HW_TAGS enabled, arch_slab_minalign() becomes 16.\nThis causes kmalloc_caches[*][8] to be aliased to kmalloc_caches[*][16],\nresulting in kmem_buckets_create() attempting to create a kmem_cache for\nsize 16 twice. This duplication triggers warnings on boot:\n\n[    2.325108] ------------[ cut here ]------------\n[    2.325135] kmem_cache of name 'memdup_user-16' already exists\n[    2.325783] WARNING: CPU: 0 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0\n[    2.327957] Modules linked in:\n[    2.328550] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5mm-unstable-arm64+ #12\n[    2.328683] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024\n[    2.328790] pstate: 61000009 (nZCv daif -PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.328911] pc : __kmem_cache_create_args+0xb8/0x3b0\n[    2.328930] lr : __kmem_cache_create_args+0xb8/0x3b0\n[    2.328942] sp : ffff800083d6fc50\n[    2.328961] x29: ffff800083d6fc50 x28: f2ff0000c1674410 x27: ffff8000820b0598\n[    2.329061] x26: 000000007fffffff x25: 0000000000000010 x24: 0000000000002000\n[    2.329101] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388\n[    2.329118] x20: f2ff0000c1674410 x19: f5ff0000c16364c0 x18: ffff800083d80030\n[    2.329135] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[    2.329152] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120\n[    2.329169] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000\n[    2.329194] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n[    2.329210] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 
0000000000000000\n[    2.329226] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n[    2.329291] Call trace:\n[    2.329407]  __kmem_cache_create_args+0xb8/0x3b0\n[    2.329499]  kmem_buckets_create+0xfc/0x320\n[    2.329526]  init_user_buckets+0x34/0x78\n[    2.329540]  do_one_initcall+0x64/0x3c8\n[    2.329550]  kernel_init_freeable+0x26c/0x578\n[    2.329562]  kernel_init+0x3c/0x258\n[    2.329574]  ret_from_fork+0x10/0x20\n[    2.329698] ---[ end trace 0000000000000000 ]---\n\n[    2.403704] ------------[ cut here ]------------\n[    2.404716] kmem_cache of name 'msg_msg-16' already exists\n[    2.404801] WARNING: CPU: 2 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0\n[    2.404842] Modules linked in:\n[    2.404971] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.12.0-rc5mm-unstable-arm64+ #12\n[    2.405026] Tainted: [W]=WARN\n[    2.405043] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024\n[    2.405057] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    2.405079] pc : __kmem_cache_create_args+0xb8/0x3b0\n[    2.405100] lr : __kmem_cache_create_args+0xb8/0x3b0\n[    2.405111] sp : ffff800083d6fc50\n[    2.405115] x29: ffff800083d6fc50 x28: fbff0000c1674410 x27: ffff8000820b0598\n[    2.405135] x26: 000000000000ffd0 x25: 0000000000000010 x24: 0000000000006000\n[    2.405153] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388\n[    2.405169] x20: fbff0000c1674410 x19: fdff0000c163d6c0 x18: ffff800083d80030\n[    2.405185] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[    2.405201] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120\n[    2.405217] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000\n[    2.405233] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n[    2.405248] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[    2.405271] x2 : 0000000000000000 x1 : 
0000000000000000 x0 : 0000000000000000\n[    2.405287] Call trace:\n[    2\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Fix KMSAN warning in decode_getfattr_attrs()\n\nFix the following KMSAN warning:\n\nCPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G    B\nTainted: [B]=BAD_PAGE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n=====================================================\n=====================================================\nBUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90\n decode_getfattr_attrs+0x2d6d/0x2f90\n decode_getfattr_generic+0x806/0xb00\n nfs4_xdr_dec_getattr+0x1de/0x240\n rpcauth_unwrap_resp_decode+0xab/0x100\n rpcauth_unwrap_resp+0x95/0xc0\n call_decode+0x4ff/0xb50\n __rpc_execute+0x57b/0x19d0\n rpc_execute+0x368/0x5e0\n rpc_run_task+0xcfe/0xee0\n nfs4_proc_getattr+0x5b5/0x990\n __nfs_revalidate_inode+0x477/0xd00\n nfs_access_get_cached+0x1021/0x1cc0\n nfs_do_access+0x9f/0xae0\n nfs_permission+0x1e4/0x8c0\n inode_permission+0x356/0x6c0\n link_path_walk+0x958/0x1330\n path_lookupat+0xce/0x6b0\n filename_lookup+0x23e/0x770\n vfs_statx+0xe7/0x970\n vfs_fstatat+0x1f2/0x2c0\n __se_sys_newfstatat+0x67/0x880\n __x64_sys_newfstatat+0xbd/0x120\n x64_sys_call+0x1826/0x3cf0\n do_syscall_64+0xd0/0x1b0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe KMSAN warning is triggered in decode_getfattr_attrs(), when calling\ndecode_attr_mdsthreshold(). It appears that fattr->mdsthreshold is not\ninitialized.\n\nFix the issue by initializing fattr->mdsthreshold to NULL in\nnfs_fattr_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Start the RTC update work later\n\nThe RTC update work involves runtime resuming the UFS controller. Hence,\nonly start the RTC update work after runtime power management in the UFS\ndriver has been fully initialized. This patch fixes the following kernel\ncrash:\n\nInternal error: Oops: 0000000096000006 [#1] PREEMPT SMP\nWorkqueue: events ufshcd_rtc_work\nCall trace:\n _raw_spin_lock_irqsave+0x34/0x8c (P)\n pm_runtime_get_if_active+0x24/0x9c (L)\n pm_runtime_get_if_active+0x24/0x9c\n ufshcd_rtc_work+0x138/0x1b4\n process_one_work+0x148/0x288\n worker_thread+0x2cc/0x3d4\n kthread+0x110/0x114\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()\n\nThe scmi_dev->name is released prematurely in __scmi_device_destroy(),\nwhich causes slab-use-after-free when accessing scmi_dev->name in\nscmi_bus_notifier(). So move the release of scmi_dev->name to\nscmi_device_release() to avoid slab-use-after-free.\n\n  |  BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec\n  |  Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1\n  |\n  |  CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1\n  |  Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT)\n  |  Call trace:\n  |   dump_backtrace+0x94/0x114\n  |   show_stack+0x18/0x24\n  |   dump_stack_lvl+0x48/0x60\n  |   print_report+0xf4/0x5b0\n  |   kasan_report+0xa4/0xec\n  |   __asan_report_load1_noabort+0x20/0x2c\n  |   strncmp+0xe4/0xec\n  |   scmi_bus_notifier+0x5c/0x54c\n  |   notifier_call_chain+0xb4/0x31c\n  |   blocking_notifier_call_chain+0x68/0x9c\n  |   bus_notify+0x54/0x78\n  |   device_del+0x1bc/0x840\n  |   device_unregister+0x20/0xb4\n  |   __scmi_device_destroy+0xac/0x280\n  |   scmi_device_destroy+0x94/0xd0\n  |   scmi_chan_setup+0x524/0x750\n  |   scmi_probe+0x7fc/0x1508\n  |   platform_probe+0xc4/0x19c\n  |   really_probe+0x32c/0x99c\n  |   __driver_probe_device+0x15c/0x3c4\n  |   driver_probe_device+0x5c/0x170\n  |   __driver_attach+0x1c8/0x440\n  |   bus_for_each_dev+0xf4/0x178\n  |   driver_attach+0x3c/0x58\n  |   bus_add_driver+0x234/0x4d4\n  |   driver_register+0xf4/0x3c0\n  |   __platform_driver_register+0x60/0x88\n  |   scmi_driver_init+0xb0/0x104\n  |   do_one_initcall+0xb4/0x664\n  |   kernel_init_freeable+0x3c8/0x894\n  |   kernel_init+0x24/0x1e8\n  |   ret_from_fork+0x10/0x20\n  |\n  |  Allocated by task 1:\n  |   kasan_save_stack+0x2c/0x54\n  |   kasan_set_track+0x2c/0x40\n  |   kasan_save_alloc_info+0x24/0x34\n  |   __kasan_kmalloc+0xa0/0xb8\n  |   
__kmalloc_node_track_caller+0x6c/0x104\n  |   kstrdup+0x48/0x84\n  |   kstrdup_const+0x34/0x40\n  |   __scmi_device_create.part.0+0x8c/0x408\n  |   scmi_device_create+0x104/0x370\n  |   scmi_chan_setup+0x2a0/0x750\n  |   scmi_probe+0x7fc/0x1508\n  |   platform_probe+0xc4/0x19c\n  |   really_probe+0x32c/0x99c\n  |   __driver_probe_device+0x15c/0x3c4\n  |   driver_probe_device+0x5c/0x170\n  |   __driver_attach+0x1c8/0x440\n  |   bus_for_each_dev+0xf4/0x178\n  |   driver_attach+0x3c/0x58\n  |   bus_add_driver+0x234/0x4d4\n  |   driver_register+0xf4/0x3c0\n  |   __platform_driver_register+0x60/0x88\n  |   scmi_driver_init+0xb0/0x104\n  |   do_one_initcall+0xb4/0x664\n  |   kernel_init_freeable+0x3c8/0x894\n  |   kernel_init+0x24/0x1e8\n  |   ret_from_fork+0x10/0x20\n  |\n  |  Freed by task 1:\n  |   kasan_save_stack+0x2c/0x54\n  |   kasan_set_track+0x2c/0x40\n  |   kasan_save_free_info+0x38/0x5c\n  |   __kasan_slab_free+0xe8/0x164\n  |   __kmem_cache_free+0x11c/0x230\n  |   kfree+0x70/0x130\n  |   kfree_const+0x20/0x40\n  |   __scmi_device_destroy+0x70/0x280\n  |   scmi_device_destroy+0x94/0xd0\n  |   scmi_chan_setup+0x524/0x750\n  |   scmi_probe+0x7fc/0x1508\n  |   platform_probe+0xc4/0x19c\n  |   really_probe+0x32c/0x99c\n  |   __driver_probe_device+0x15c/0x3c4\n  |   driver_probe_device+0x5c/0x170\n  |   __driver_attach+0x1c8/0x440\n  |   bus_for_each_dev+0xf4/0x178\n  |   driver_attach+0x3c/0x58\n  |   bus_add_driver+0x234/0x4d4\n  |   driver_register+0xf4/0x3c0\n  |   __platform_driver_register+0x60/0x88\n  |   scmi_driver_init+0xb0/0x104\n  |   do_one_initcall+0xb4/0x664\n  |   kernel_init_freeable+0x3c8/0x894\n  |   kernel_init+0x24/0x1e8\n  |   ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: fix a NULL-pointer dereference\n\nSome SCM calls can be invoked with __scm being NULL (the driver may not\nhave been and will not be probed as there's no SCM entry in device-tree).\nMake sure we don't dereference a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: fix fault at system suspend if device was already runtime suspended\n\nIf the device was already runtime suspended then during system suspend\nwe cannot access the device registers else it will crash.\n\nAlso we cannot access any registers after dwc3_core_exit() on some\nplatforms so move the dwc3_enable_susphy() call to the top.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.8"
        },
        {
          "id": "CVE-2024-53071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Be stricter about IO mapping flags\n\nThe current panthor_device_mmap_io() implementation has two issues:\n\n1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET,\n   panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear\n   VM_MAYWRITE. That means userspace can use mprotect() to make the mapping\n   writable later on. This is a classic Linux driver gotcha.\n   I don't think this actually has any impact in practice:\n   When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and\n   when the GPU is not powered, the dummy_latest_flush page provided by the\n   driver is deliberately designed to not do any flushes, so the only thing\n   writing to the dummy_latest_flush could achieve would be to make *more*\n   flushes happen.\n\n2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are\n   mappings without the VM_SHARED flag).\n   MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has\n   copy-on-write semantics, which for VM_PFNMAP are semi-supported but\n   fairly cursed.\n   In particular, in such a mapping, the driver can only install PTEs\n   during mmap() by calling remap_pfn_range() (because remap_pfn_range()\n   wants to **store the physical address of the mapped physical memory into\n   the vm_pgoff of the VMA**); installing PTEs later on with a fault\n   handler (as panthor does) is not supported in private mappings, and so\n   if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when\n   it hits a BUG() check.\n\nFix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID\ndoesn't make sense) and requiring VM_SHARED (copy-on-write semantics for\nthe FLUSH_ID don't make sense).\n\nReproducers for both scenarios are in the notes of my patch on the mailing\nlist; I tested that these bugs exist on a Rock 5B machine.\n\nNote that I only compile-tested the patch, I haven't tested it; I don't\nhave a working kernel build setup for the test machine yet. Please test it\nbefore applying it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Detect when STB is not available\n\nLoading the amd_pmc module as:\n\n    amd_pmc enable_stb=1\n\n...can result in the following messages in the kernel ring buffer:\n\n    amd_pmc AMDI0009:00: SMU cmd failed. err: 0xff\n    ioremap on RAM at 0x0000000000000000 - 0x0000000000ffffff\n    WARNING: CPU: 10 PID: 2151 at arch/x86/mm/ioremap.c:217 __ioremap_caller+0x2cd/0x340\n\nFurther debugging reveals that this occurs when the requests for\nS2D_PHYS_ADDR_LOW and S2D_PHYS_ADDR_HIGH return a value of 0,\nindicating that the STB is inaccessible. To prevent the ioremap\nwarning and provide clarity to the user, handle the invalid address\nand display an error message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Never decrement pending_async_copies on error\n\nThe error flow in nfsd4_copy() calls cleanup_async_copy(), which\nalready decrements nn->pending_async_copies.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.7"
        },
        {
          "id": "CVE-2024-53074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't leak a link on AP removal\n\nRelease the link mapping resource in AP removal. This impacted devices\nthat do not support the MLD API (9260 and down).\nOn those devices, we couldn't start the AP again after the AP has been\nalready started and stopped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Prevent a bad reference count on CPU nodes\n\nWhen populating cache leaves we previously fetched the CPU device node\nat the very beginning. But when ACPI is enabled we go through a\nspecific branch which returns early and does not call 'of_node_put' for\nthe node that was acquired.\n\nSince we are not using a CPU device node for the ACPI code anyway, we\ncan simply move the initialization of it just past the ACPI block, and\nwe are guaranteed to have an 'of_node_put' call for the acquired node.\nThis prevents a bad reference count of the CPU device node.\n\nMoreover, the previous function did not check for errors when acquiring\nthe device node, so a return -ENOENT has been added for that case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()\n\nIf per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop\nof iio_gts_build_avail_scale_table(), the err_free_out will fail to call\nkfree() each time when i is reduced to 0, so all the per_time_scales[0]\nand per_time_gains[0] will not be freed, which will cause memory leaks.\n\nFix it by checking if i >= 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpcrdma: Always release the rpcrdma_device's xa_array\n\nDai pointed out that the xa_init_flags() in rpcrdma_add_one() needs\nto have a matching xa_destroy() in rpcrdma_remove_one() to release\nunderlying memory that the xarray might have accrued during\noperation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix NULL vs IS_ERR() check in probe()\n\nThe iommu_paging_domain_alloc() function doesn't return NULL pointers,\nit returns error pointers. Update the check to match.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/thp: fix deferred split unqueue naming and locking\n\nRecent changes are putting more pressure on THP deferred split queues:\nunder load revealing long-standing races, causing list_del corruptions,\n\"Bad page state\"s and worse (I keep BUGs in both of those, so usually\ndon't get to see how badly they end up without).  The relevant recent\nchanges being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin,\nimproved swap allocation, and underused THP splitting.\n\nBefore fixing locking: rename misleading folio_undo_large_rmappable(),\nwhich does not undo large_rmappable, to folio_unqueue_deferred_split(),\nwhich is what it does.  But that and its out-of-line __callee are mm\ninternals of very limited usability: add comment and WARN_ON_ONCEs to\ncheck usage; and return a bool to say if a deferred split was unqueued,\nwhich can then be used in WARN_ON_ONCEs around safety checks (sparing\ncallers the arcane conditionals in __folio_unqueue_deferred_split()).\n\nJust omit the folio_unqueue_deferred_split() from free_unref_folios(), all\nof whose callers now call it beforehand (and if any forget then bad_page()\nwill tell) - except for its caller put_pages_list(), which itself no\nlonger has any callers (and will be deleted separately).\n\nSwapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0\nwithout checking and unqueueing a THP folio from deferred split list;\nwhich is unfortunate, since the split_queue_lock depends on the memcg\n(when memcg is enabled); so swapout has been unqueueing such THPs later,\nwhen freeing the folio, using the pgdat's lock instead: potentially\ncorrupting the memcg's list.  __remove_mapping() has frozen refcount to 0\nhere, so no problem with calling folio_unqueue_deferred_split() before\nresetting memcg_data.\n\nThat goes back to 5.4 commit 87eaceb3faa5 (\"mm: thp: make deferred split\nshrinker memcg aware\"): which included a check on swapcache before adding\nto deferred queue, but no check on deferred queue before adding THP to\nswapcache.  That worked fine with the usual sequence of events in reclaim\n(though there were a couple of rare ways in which a THP on deferred queue\ncould have been swapped out), but 6.12 commit dafff3f4c850 (\"mm: split\nunderused THPs\") avoids splitting underused THPs in reclaim, which makes\nswapcache THPs on deferred queue commonplace.\n\nKeep the check on swapcache before adding to deferred queue?  Yes: it is\nno longer essential, but preserves the existing behaviour, and is likely\nto be a worthwhile optimization (vmstat showed much more traffic on the\nqueue under swapping load if the check was removed); update its comment.\n\nMemcg-v1 move (deprecated): mem_cgroup_move_account() has been changing\nfolio->memcg_data without checking and unqueueing a THP folio from the\ndeferred list, sometimes corrupting \"from\" memcg's list, like swapout. \nRefcount is non-zero here, so folio_unqueue_deferred_split() can only be\nused in a WARN_ON_ONCE to validate the fix, which must be done earlier:\nmem_cgroup_move_charge_pte_range() first try to split the THP (splitting\nof course unqueues), or skip it if that fails.  Not ideal, but moving\ncharge has been requested, and khugepaged should repair the THP later:\nnobody wants new custom unqueueing code just for this deprecated case.\n\nThe 87eaceb3faa5 commit did have the code to move from one deferred list\nto another (but was not conscious of its unsafety while refcount non-0);\nbut that was removed by 5.6 commit fac0516b5534 (\"mm: thp: don't need care\ndeferred split queue in memcg charge move path\"), which argued that the\nexistence of a PMD mapping guarantees that the THP cannot be on a deferred\nlist.  As above, false in rare cases, and now commonly false.\n\nBackport to 6.11 should be straightforward.  Earlier backports must take\ncare that other _deferred_list fixes and dependencies are included.  There\nis not a strong case for backports, but they can fix cornercases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Lock XArray when getting entries for the VM\n\nSimilar to commit cac075706f29 (\"drm/panthor: Fix race when converting\ngroup handle to group object\") we need to use the XArray's internal\nlocking when retrieving a vm pointer from there.\n\nv2: Removed part of the patch that was trying to protect fetching\nthe heap pointer from XArray, as that operation is protected by\nthe @pool->lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ar0521: don't overflow when checking PLL values\n\nThe PLL checks are comparing 64 bit integers with 32 bit\nones, as reported by Coverity. Depending on the values of\nthe variables, this may underflow.\n\nFix it ensuring that both sides of the expression are u64.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Add hash_key_length check\n\nAdd hash_key_length check in virtnet_probe() to avoid possible out of\nbound errors when setting/reading the hash key.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier\n\nIf the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and\ntxbuf_len are uninitialized. This commit stops printing uninitialized\nvalues and misleading/false data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Break an object reference loop\n\nWhen remaining resources are being cleaned up on driver close,\noutstanding VM mappings may result in resources being leaked, due\nto an object reference loop, as shown below, with each object (or\nset of objects) referencing the object below it:\n\n    PVR GEM Object\n    GPU scheduler \"finished\" fence\n    GPU scheduler \u201cscheduled\u201d fence\n    PVR driver \u201cdone\u201d fence\n    PVR Context\n    PVR VM Context\n    PVR VM Mappings\n    PVR GEM Object\n\nThe reference that the PVR VM Context has on the VM mappings is a\nsoft one, in the sense that the freeing of outstanding VM mappings\nis done as part of VM context destruction; no reference counts are\ninvolved, as is the case for all the other references in the loop.\n\nTo break the reference loop during cleanup, free the outstanding\nVM mappings before destroying the PVR Context associated with the\nVM context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Lock TPM chip in tpm_pm_suspend() first\n\nSetting TPM_CHIP_FLAG_SUSPENDED at the end of tpm_pm_suspend() can be racy,\nas this leaves a window for tpm_hwrng_read() to be called while\nthe operation is in progress. The recent bug report also gives evidence of\nthis behaviour.\n\nAddress this by locking the TPM chip before checking any chip->flags, both\nin tpm_pm_suspend() and tpm_hwrng_read(). Move the TPM_CHIP_FLAG_SUSPENDED\ncheck inside tpm_get_random() so that it will always be checked only when\nthe lock is reserved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL\n\nUpon failure all locks need to be dropped before returning to the user.\n\n(cherry picked from commit 7d1a4258e602ffdce529f56686925034c1b3b095)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix possible exec queue leak in exec IOCTL\n\nIn a couple of places after an exec queue is looked up the exec IOCTL\nreturns on input errors without dropping the exec queue ref. Fix this\nensuring the exec queue ref is dropped on input error.\n\n(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix race condition by adding filter's intermediate sync state\n\nFix a race condition in the i40e driver that leads to MAC/VLAN filters\nbecoming corrupted and leaking. Address the issue that occurs under\nheavy load when multiple threads are concurrently modifying MAC/VLAN\nfilters by setting mac and port VLAN.\n\n1. Thread T0 allocates a filter in i40e_add_filter() within\n        i40e_ndo_set_vf_port_vlan().\n2. Thread T1 concurrently frees the filter in __i40e_del_filter() within\n        i40e_ndo_set_vf_mac().\n3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which\n        refers to the already freed filter memory, causing corruption.\n\nReproduction steps:\n1. Spawn multiple VFs.\n2. Apply a concurrent heavy load by running parallel operations to change\n        MAC addresses on the VFs and change port VLANs on the host.\n3. Observe errors in dmesg:\n\"Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX,\n\tplease set promiscuous on manually for VF XX\".\n\nExact code for stable reproduction Intel can't open-source now.\n\nThe fix involves implementing a new intermediate filter state,\nI40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list.\nThese filters cannot be deleted from the hash list directly but\nmust be removed using the full process.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Mark hrtimer to expire in hard interrupt context\n\nLike commit 2c0d278f3293f (\"KVM: LAPIC: Mark hrtimer to expire in hard\ninterrupt context\") and commit 9090825fa9974 (\"KVM: arm/arm64: Let the\ntimer expire in hardirq context on RT\"), On PREEMPT_RT enabled kernels\nunmarked hrtimers are moved into soft interrupt expiry mode by default.\nThen the timers are canceled from an preempt-notifier which is invoked\nwith disabled preemption which is not allowed on PREEMPT_RT.\n\nThe timer callback is short so in could be invoked in hard-IRQ context.\nSo let the timer expire on hard-IRQ context even on -RT.\n\nThis fix a \"scheduling while atomic\" bug for PREEMPT_RT enabled kernels:\n\n BUG: scheduling while atomic: qemu-system-loo/1011/0x00000002\n Modules linked in: amdgpu rfkill nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat ns\n CPU: 1 UID: 0 PID: 1011 Comm: qemu-system-loo Tainted: G        W          6.12.0-rc2+ #1774\n Tainted: [W]=WARN\n Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022\n Stack : ffffffffffffffff 0000000000000000 9000000004e3ea38 9000000116744000\n         90000001167475a0 0000000000000000 90000001167475a8 9000000005644830\n         90000000058dc000 90000000058dbff8 9000000116747420 0000000000000001\n         0000000000000001 6a613fc938313980 000000000790c000 90000001001c1140\n         00000000000003fe 0000000000000001 000000000000000d 0000000000000003\n         0000000000000030 00000000000003f3 000000000790c000 9000000116747830\n         90000000057ef000 0000000000000000 9000000005644830 0000000000000004\n         0000000000000000 90000000057f4b58 0000000000000001 9000000116747868\n         900000000451b600 9000000005644830 9000000003a13998 0000000010000020\n         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d\n         ...\n Call Trace:\n [<9000000003a13998>] show_stack+0x38/0x180\n [<9000000004e3ea34>] dump_stack_lvl+0x84/0xc0\n [<9000000003a71708>] __schedule_bug+0x48/0x60\n [<9000000004e45734>] __schedule+0x1114/0x1660\n [<9000000004e46040>] schedule_rtlock+0x20/0x60\n [<9000000004e4e330>] rtlock_slowlock_locked+0x3f0/0x10a0\n [<9000000004e4f038>] rt_spin_lock+0x58/0x80\n [<9000000003b02d68>] hrtimer_cancel_wait_running+0x68/0xc0\n [<9000000003b02e30>] hrtimer_cancel+0x70/0x80\n [<ffff80000235eb70>] kvm_restore_timer+0x50/0x1a0 [kvm]\n [<ffff8000023616c8>] kvm_arch_vcpu_load+0x68/0x2a0 [kvm]\n [<ffff80000234c2d4>] kvm_sched_in+0x34/0x60 [kvm]\n [<9000000003a749a0>] finish_task_switch.isra.0+0x140/0x2e0\n [<9000000004e44a70>] __schedule+0x450/0x1660\n [<9000000004e45cb0>] schedule+0x30/0x180\n [<ffff800002354c70>] kvm_vcpu_block+0x70/0x120 [kvm]\n [<ffff800002354d80>] kvm_vcpu_halt+0x60/0x3e0 [kvm]\n [<ffff80000235b194>] kvm_handle_gspr+0x3f4/0x4e0 [kvm]\n [<ffff80000235f548>] kvm_handle_exit+0x1c8/0x260 [kvm]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix lock recursion\n\nafs_wake_up_async_call() can incur lock recursion.  The problem is that it\nis called from AF_RXRPC whilst holding the ->notify_lock, but it tries to\ntake a ref on the afs_call struct in order to pass it to a work queue - but\nif the afs_call is already queued, we then have an extraneous ref that must\nbe put... calling afs_put_call() may call back down into AF_RXRPC through\nrxrpc_kernel_shutdown_call(), however, which might try taking the\n->notify_lock again.\n\nThis case isn't very common, however, so defer it to a workqueue.  The oops\nlooks something like:\n\n  BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646\n   lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0\n  CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351\n  Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x47/0x70\n   do_raw_spin_lock+0x3c/0x90\n   rxrpc_kernel_shutdown_call+0x83/0xb0\n   afs_put_call+0xd7/0x180\n   rxrpc_notify_socket+0xa0/0x190\n   rxrpc_input_split_jumbo+0x198/0x1d0\n   rxrpc_input_data+0x14b/0x1e0\n   ? rxrpc_input_call_packet+0xc2/0x1f0\n   rxrpc_input_call_event+0xad/0x6b0\n   rxrpc_input_packet_on_conn+0x1e1/0x210\n   rxrpc_input_packet+0x3f2/0x4d0\n   rxrpc_io_thread+0x243/0x410\n   ? __pfx_rxrpc_io_thread+0x10/0x10\n   kthread+0xcf/0xe0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x24/0x40\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx\n\nAs the introduction of the support for vsock and unix sockets in sockmap,\ntls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.\nvsock and af_unix sockets have vsock_sock and unix_sock instead of\ninet_connection_sock. For these sockets, tls_get_ctx may return an invalid\npointer and cause page fault in function tls_sw_ctx_rx.\n\nBUG: unable to handle page fault for address: 0000000000040030\nWorkqueue: vsock-loopback vsock_loopback_work\nRIP: 0010:sk_psock_strp_data_ready+0x23/0x60\nCall Trace:\n ? __die+0x81/0xc3\n ? no_context+0x194/0x350\n ? do_page_fault+0x30/0x110\n ? async_page_fault+0x3e/0x50\n ? sk_psock_strp_data_ready+0x23/0x60\n virtio_transport_recv_pkt+0x750/0x800\n ? update_load_avg+0x7e/0x620\n vsock_loopback_work+0xd0/0x100\n process_one_work+0x1a7/0x360\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x112/0x130\n ? __kthread_cancel_work+0x40/0x40\n ret_from_fork+0x1f/0x40\n\nv2:\n  - Add IS_ICSK check\nv3:\n  - Update the commits in Fixes",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pci: Fix admin vq cleanup by using correct info pointer\n\nvp_modern_avq_cleanup() and vp_del_vqs() clean up admin vq\nresources by virtio_pci_vq_info pointer. The info pointer of admin\nvq is stored in vp_dev->admin_vq.info instead of vp_dev->vqs[].\nUsing the info pointer from vp_dev->vqs[] for admin vq causes a\nkernel NULL pointer dereference bug.\nIn vp_modern_avq_cleanup() and vp_del_vqs(), get the info pointer\nfrom vp_dev->admin_vq.info for admin vq to clean up the resources.\nAlso make info ptr as argument of vp_del_vq() to be symmetric with\nvp_setup_vq().\n\nvp_reset calls vp_modern_avq_cleanup, and causes the Call Trace:\n==================================================================\nBUG: kernel NULL pointer dereference, address:0000000000000000\n...\nCPU: 49 UID: 0 PID: 4439 Comm: modprobe Not tainted 6.11.0-rc5 #1\nRIP: 0010:vp_reset+0x57/0x90 [virtio_pci]\nCall Trace:\n <TASK>\n...\n ? vp_reset+0x57/0x90 [virtio_pci]\n ? vp_reset+0x38/0x90 [virtio_pci]\n virtio_reset_device+0x1d/0x30\n remove_vq_common+0x1c/0x1a0 [virtio_net]\n virtnet_remove+0xa1/0xc0 [virtio_net]\n virtio_dev_remove+0x46/0xa0\n...\n virtio_pci_driver_exit+0x14/0x810 [virtio_pci]\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: defer partition scanning\n\nWe need to suppress the partition scan from occuring within the\ncontroller's scan_work context. If a path error occurs here, the IO will\nwait until a path becomes available or all paths are torn down, but that\naction also occurs within scan_work, so it would deadlock. Defer the\npartion scan to a different context that does not block scan_work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES\n\nWhile running ISER over SIW, the initiator machine encounters a warning\nfrom skb_splice_from_iter() indicating that a slab page is being used in\nsend_page. To address this, it is better to add a sendpage_ok() check\nwithin the driver itself, and if it returns 0, then MSG_SPLICE_PAGES flag\nshould be disabled before entering the network stack.\n\nA similar issue has been discussed for NVMe in this thread:\nhttps://lore.kernel.org/all/20240530142417.146696-1-ofir.gal@volumez.com/\n\n  WARNING: CPU: 0 PID: 5342 at net/core/skbuff.c:7140 skb_splice_from_iter+0x173/0x320\n  Call Trace:\n   tcp_sendmsg_locked+0x368/0xe40\n   siw_tx_hdt+0x695/0xa40 [siw]\n   siw_qp_sq_process+0x102/0xb00 [siw]\n   siw_sq_resume+0x39/0x110 [siw]\n   siw_run_sq+0x74/0x160 [siw]\n   kthread+0xd2/0x100\n   ret_from_fork+0x34/0x40\n   ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free of network namespace.\n\nRecently, we got a customer report that CIFS triggers oops while\nreconnecting to a server.  [0]\n\nThe workload runs on Kubernetes, and some pods mount CIFS servers\nin non-root network namespaces.  The problem rarely happened, but\nit was always while the pod was dying.\n\nThe root cause is wrong reference counting for network namespace.\n\nCIFS uses kernel sockets, which do not hold refcnt of the netns that\nthe socket belongs to.  That means CIFS must ensure the socket is\nalways freed before its netns; otherwise, use-after-free happens.\n\nThe repro steps are roughly:\n\n  1. mount CIFS in a non-root netns\n  2. drop packets from the netns\n  3. destroy the netns\n  4. unmount CIFS\n\nWe can reproduce the issue quickly with the script [1] below and see\nthe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.\n\nWhen the socket is TCP, it is hard to guarantee the netns lifetime\nwithout holding refcnt due to async timers.\n\nLet's hold netns refcnt for each socket as done for SMC in commit\n9744d2bf1976 (\"smc: Fix use-after-free in tcp_write_timer_handler().\").\n\nNote that we need to move put_net() from cifs_put_tcp_session() to\nclean_demultiplex_info(); otherwise, __sock_create() still could touch a\nfreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().\n\nAlso, maybe_get_net() cannot be put just before __sock_create() because\nthe code is not under RCU and there is a small chance that the same\naddress happened to be reallocated to another netns.\n\n[0]:\nCIFS: VFS: \\\\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...\nCIFS: Serverclose failed 4 times, giving up\nUnable to handle kernel paging request at virtual address 14de99e461f84a07\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004\n  CM = 0, WnR = 0\n[14de99e461f84a07] address between user and kernel address ranges\nInternal error: Oops: 0000000096000004 [#1] SMP\nModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs\nCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1\nHardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018\npstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : fib_rules_lookup+0x44/0x238\nlr : __fib_lookup+0x64/0xbc\nsp : ffff8000265db790\nx29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01\nx26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580\nx23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500\nx20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002\nx11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294\nx8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0\nx2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500\nCall trace:\n fib_rules_lookup+0x44/0x238\n __fib_lookup+0x64/0xbc\n ip_route_output_key_hash_rcu+0x2c4/0x398\n ip_route_output_key_hash+0x60/0x8c\n tcp_v4_connect+0x290/0x488\n __inet_stream_connect+0x108/0x3d0\n inet_stream_connect+0x50/0x78\n kernel_connect+0x6c/0xac\n generic_ip_conne\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: resolve faulty mmap_region() error path behaviour\n\nThe mmap_region() function is somewhat terrifying, with spaghetti-like\ncontrol flow and numerous means by which issues can arise and incomplete\nstate, memory leaks and other unpleasantness can occur.\n\nA large amount of the complexity arises from trying to handle errors late\nin the process of mapping a VMA, which forms the basis of recently\nobserved issues with resource leaks and observable inconsistent state.\n\nTaking advantage of previous patches in this series we move a number of\nchecks earlier in the code, simplifying things by moving the core of the\nlogic into a static internal function __mmap_region().\n\nDoing this allows us to perform a number of checks up front before we do\nany real work, and allows us to unwind the writable unmap check\nunconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE\nvalidation unconditionally also.\n\nWe move a number of things here:\n\n1. We preallocate memory for the iterator before we call the file-backed\n   memory hook, allowing us to exit early and avoid having to perform\n   complicated and error-prone close/free logic. We carefully free\n   iterator state on both success and error paths.\n\n2. The enclosing mmap_region() function handles the mapping_map_writable()\n   logic early. Previously the logic had the mapping_map_writable() at the\n   point of mapping a newly allocated file-backed VMA, and a matching\n   mapping_unmap_writable() on success and error paths.\n\n   We now do this unconditionally if this is a file-backed, shared writable\n   mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however\n   doing so does not invalidate the seal check we just performed, and we in\n   any case always decrement the counter in the wrapper.\n\n   We perform a debug assert to ensure a driver does not attempt to do the\n   opposite.\n\n3. We also move arch_validate_flags() up into the mmap_region()\n   function. This is only relevant on arm64 and sparc64, and the check is\n   only meaningful for SPARC with ADI enabled. We explicitly add a warning\n   for this arch if a driver invalidates this check, though the code ought\n   eventually to be fixed to eliminate the need for this.\n\nWith all of these measures in place, we no longer need to explicitly close\nthe VMA on error paths, as we place all checks which might fail prior to a\ncall to any driver mmap hook.\n\nThis eliminates an entire class of errors, makes the code easier to reason\nabout and more robust.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: krealloc: Fix MTE false alarm in __do_krealloc\n\nThis patch addresses an issue introduced by commit 1a83a716ec233 (\"mm:\nkrealloc: consider spare memory for __GFP_ZERO\") which causes MTE\n(Memory Tagging Extension) to falsely report a slab-out-of-bounds error.\n\nThe problem occurs when zeroing out spare memory in __do_krealloc. The\noriginal code only considered software-based KASAN and did not account\nfor MTE. It does not reset the KASAN tag before calling memset, leading\nto a mismatch between the pointer tag and the memory tag, resulting\nin a false positive.\n\nExample of the error:\n==================================================================\nswapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188\nswapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1\nswapper/0: Pointer tag: [f4], memory tag: [fe]\nswapper/0:\nswapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.\nswapper/0: Hardware name: MT6991(ENG) (DT)\nswapper/0: Call trace:\nswapper/0:  dump_backtrace+0xfc/0x17c\nswapper/0:  show_stack+0x18/0x28\nswapper/0:  dump_stack_lvl+0x40/0xa0\nswapper/0:  print_report+0x1b8/0x71c\nswapper/0:  kasan_report+0xec/0x14c\nswapper/0:  __do_kernel_fault+0x60/0x29c\nswapper/0:  do_bad_area+0x30/0xdc\nswapper/0:  do_tag_check_fault+0x20/0x34\nswapper/0:  do_mem_abort+0x58/0x104\nswapper/0:  el1_abort+0x3c/0x5c\nswapper/0:  el1h_64_sync_handler+0x80/0xcc\nswapper/0:  el1h_64_sync+0x68/0x6c\nswapper/0:  __memset+0x84/0x188\nswapper/0:  btf_populate_kfunc_set+0x280/0x3d8\nswapper/0:  __register_btf_kfunc_id_set+0x43c/0x468\nswapper/0:  register_btf_kfunc_id_set+0x48/0x60\nswapper/0:  register_nf_nat_bpf+0x1c/0x40\nswapper/0:  nf_nat_init+0xc0/0x128\nswapper/0:  do_one_initcall+0x184/0x464\nswapper/0:  do_initcall_level+0xdc/0x1b0\nswapper/0:  do_initcalls+0x70/0xc0\nswapper/0:  do_basic_setup+0x1c/0x28\nswapper/0:  kernel_init_freeable+0x144/0x1b8\nswapper/0:  kernel_init+0x20/0x1a8\nswapper/0:  ret_from_fork+0x10/0x20\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.9"
        },
        {
          "id": "CVE-2024-53098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/ufence: Prefetch ufence addr to catch bogus address\n\naccess_ok() only checks for addr overflow so also try to read the addr\nto catch invalid addr sent from userspace.\n\n(cherry picked from commit 9408c4508483ffc60811e910a93d6425b8e63928)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check validity of link->type in bpf_link_show_fdinfo()\n\nIf a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing\nbpf_link_type_strs[link->type] may result in an out-of-bounds access.\n\nTo spot such missed invocations early in the future, checking the\nvalidity of link->type in bpf_link_show_fdinfo() and emitting a warning\nwhen such invocations are missed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: tcp: avoid race between queue_lock lock and destroy\n\nCommit 76d54bf20cdc (\"nvme-tcp: don't access released socket during\nerror recovery\") added a mutex_lock() call for the queue->queue_lock\nin nvme_tcp_get_address(). However, the mutex_lock() races with\nmutex_destroy() in nvme_tcp_free_queue(), and causes the WARN below.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 34077 at kernel/locking/mutex.c:587 __mutex_lock+0xcf0/0x1220\nModules linked in: nvmet_tcp nvmet nvme_tcp nvme_fabrics iw_cm ib_cm ib_core pktcdvd nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr sunrpc ppdev 9pnet_virtio 9pnet pcspkr netfs parport_pc parport e1000 i2c_piix4 i2c_smbus loop fuse nfnetlink zram bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper xfs drm sym53c8xx floppy nvme scsi_transport_spi nvme_core nvme_auth serio_raw ata_generic pata_acpi dm_multipath qemu_fw_cfg [last unloaded: ib_uverbs]\nCPU: 3 UID: 0 PID: 34077 Comm: udisksd Not tainted 6.11.0-rc7 #319\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:__mutex_lock+0xcf0/0x1220\nCode: 08 84 d2 0f 85 c8 04 00 00 8b 15 ef b6 c8 01 85 d2 0f 85 78 f4 ff ff 48 c7 c6 20 93 ee af 48 c7 c7 60 91 ee af e8 f0 a7 6d fd <0f> 0b e9 5e f4 ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1\nRSP: 0018:ffff88811305f760 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88812c652058 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: ffff88811305f8b0 R08: 0000000000000001 R09: ffffed1075c36341\nR10: ffff8883ae1b1a0b R11: 0000000000010498 R12: 0000000000000000\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffff88812c652058\nFS:  00007f9713ae4980(0000) GS:ffff8883ae180000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fcd78483c7c CR3: 0000000122c38000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn.cold+0x5b/0x1af\n ? __mutex_lock+0xcf0/0x1220\n ? report_bug+0x1ec/0x390\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x13/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? __mutex_lock+0xcf0/0x1220\n ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]\n ? __pfx___mutex_lock+0x10/0x10\n ? __lock_acquire+0xd6a/0x59e0\n ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]\n nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]\n ? __pfx_nvme_tcp_get_address+0x10/0x10 [nvme_tcp]\n nvme_sysfs_show_address+0x81/0xc0 [nvme_core]\n dev_attr_show+0x42/0x80\n ? __asan_memset+0x1f/0x40\n sysfs_kf_seq_show+0x1f0/0x370\n seq_read_iter+0x2cb/0x1130\n ? rw_verify_area+0x3b1/0x590\n ? __mutex_lock+0x433/0x1220\n vfs_read+0x6a6/0xa20\n ? lockdep_hardirqs_on+0x78/0x100\n ? __pfx_vfs_read+0x10/0x10\n ksys_read+0xf7/0x1d0\n ? __pfx_ksys_read+0x10/0x10\n ? __x64_sys_openat+0x105/0x1d0\n do_syscall_64+0x93/0x180\n ? lockdep_hardirqs_on_prepare+0x16d/0x400\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on+0x78/0x100\n ? do_syscall_64+0x9f/0x180\n ? __pfx_ksys_read+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x16d/0x400\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on+0x78/0x100\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on_prepare+0x16d/0x400\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on+0x78/0x100\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on_prepare+0x16d/0x400\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on+0x78/0x100\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on_prepare+0x16d/0x400\n ? do_syscall_64+0x9f/0x180\n ? lockdep_hardirqs_on+0x78/0x100\n ? do_syscall_64+0x9f/0x180\n ? do_syscall_64+0x9f/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f9713f55cfa\nCode: 55 48 89 e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 e8 74 f8 ff 48 8b 55 e8 48 8b 75 f0 4\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Fix uninitialized value issue in from_kuid and from_kgid\n\nocfs2_setattr() uses attr->ia_mode, attr->ia_uid and attr->ia_gid in\na trace point even though ATTR_MODE, ATTR_UID and ATTR_GID aren't set.\n\nInitialize all fields of newattrs to avoid uninitialized variables, by\nchecking if ATTR_MODE, ATTR_UID, ATTR_GID are initialized, otherwise 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer\n\nWhen hvs is released, there is a possibility that vsk->trans may not\nbe initialized to NULL, which could lead to a dangling pointer.\nThis issue is resolved by initializing vsk->trans to NULL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format\n\nThis can lead to out of bounds writes since frames of this type were not\ntaken into account when calculating the size of the frames buffer in\nuvc_parse_streaming.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: page_alloc: move mlocked flag clearance into free_pages_prepare()\n\nSyzbot reported a bad page state problem caused by a page being freed\nusing free_page() still having a mlocked flag at free_pages_prepare()\nstage:\n\n  BUG: Bad page state in process syz.5.504  pfn:61f45\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45\n  flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff)\n  raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n  page_owner tracks the page as allocated\n  page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394\n   set_page_owner include/linux/page_owner.h:32 [inline]\n   post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537\n   prep_new_page mm/page_alloc.c:1545 [inline]\n   get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457\n   __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733\n   alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265\n   kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99\n   kvm_create_vm virt/kvm/kvm_main.c:1235 [inline]\n   kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline]\n   kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530\n   __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]\n   __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950\n   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n   __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386\n   do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411\n   entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n  page last free pid 8399 tgid 8399 stack trace:\n   reset_page_owner include/linux/page_owner.h:25 [inline]\n   free_pages_prepare mm/page_alloc.c:1108 [inline]\n   free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686\n   folios_put_refs+0x76c/0x860 mm/swap.c:1007\n   free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335\n   __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]\n   tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]\n   tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]\n   tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373\n   tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465\n   exit_mmap+0x496/0xc40 mm/mmap.c:1926\n   __mmput+0x115/0x390 kernel/fork.c:1348\n   exit_mm+0x220/0x310 kernel/exit.c:571\n   do_exit+0x9b2/0x28e0 kernel/exit.c:926\n   do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n   __do_sys_exit_group kernel/exit.c:1099 [inline]\n   __se_sys_exit_group kernel/exit.c:1097 [inline]\n   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n   x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   bad_page+0x176/0x1d0 mm/page_alloc.c:501\n   free_page_is_bad mm/page_alloc.c:918 [inline]\n   free_pages_prepare mm/page_alloc.c:1100 [inline]\n   free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638\n   kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline]\n   kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386\n   kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143\n   __fput+0x23f/0x880 fs/file_table.c:431\n   task_work_run+0x24f/0x310 kernel/task_work.c:239\n   exit_task_work include/linux/task_work.h:43 [inline]\n   do_exit+0xa2f/0x28e0 kernel/exit.c:939\n   do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n   __do_sys_exit_group kernel/exit.c:1099 [in\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: fix buffer overrun in ima_eventdigest_init_common\n\nFunction ima_eventdigest_init() calls ima_eventdigest_init_common()\nwith HASH_ALGO__LAST which is then used to access the array\nhash_digest_size[] leading to buffer overrun. Have a conditional\nstatement to handle this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()\n\nThe \"arg->vec_len\" variable is a u64 that comes from the user at the start\nof the function.  The \"arg->vec_len * sizeof(struct page_region))\"\nmultiplication can lead to integer wrapping.  Use size_mul() to avoid\nthat.\n\nAlso the size_add/mul() functions work on unsigned long so for 32bit\nsystems we need to ensure that \"arg->vec_len\" fits in an unsigned long.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Adjust VSDB parser for replay feature\n\nAt some point, the IEEE ID identification for the replay check in the\nAMD EDID was added. However, this check causes the following\nout-of-bounds issues when using KASAN:\n\n[   27.804016] BUG: KASAN: slab-out-of-bounds in amdgpu_dm_update_freesync_caps+0xefa/0x17a0 [amdgpu]\n[   27.804788] Read of size 1 at addr ffff8881647fdb00 by task systemd-udevd/383\n\n...\n\n[   27.821207] Memory state around the buggy address:\n[   27.821215]  ffff8881647fda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   27.821224]  ffff8881647fda80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   27.821234] >ffff8881647fdb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   27.821243]                    ^\n[   27.821250]  ffff8881647fdb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   27.821259]  ffff8881647fdc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   27.821268] ==================================================================\n\nThis is caused because the ID extraction happens outside of the range of\nthe edid lenght. This commit addresses this issue by considering the\namd_vsdb_block size.\n\n(cherry picked from commit b7e381b1ccd5e778e3d9c44c669ad38439a861d8)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnommu: pass NULL argument to vma_iter_prealloc()\n\nWhen deleting a vma entry from a maple tree, it has to pass NULL to\nvma_iter_prealloc() in order to calculate internal state of the tree, but\nit passed a wrong argument.  As a result, nommu kernels crashed upon\naccessing a vma iterator, such as acct_collect() reading the size of vma\nentries after do_munmap().\n\nThis commit fixes this issue by passing a right argument to the\npreallocation call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvp_vdpa: fix id_table array not null terminated error\n\nAllocate one extra virtio_device_id as null terminator, otherwise\nvdpa_mgmtdev_get_classes() may iterate multiple times and visit\nundefined memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tables()\n\nOn 32-bit platforms, it is possible for the expression `len + old_addr <\nold_end` to be false-positive if `len + old_addr` wraps around. \n`old_addr` is the cursor in the old range up to which page table entries\nhave been moved; so if the operation succeeded, `old_addr` is the *end* of\nthe old region, and adding `len` to it can wrap.\n\nThe overflow causes mremap() to mistakenly believe that PTEs have been\ncopied; the consequence is that mremap() bails out, but doesn't move the\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\nregion to be lost.  So basically if userspace tries to mremap() a\nprivate-anon region and hits this bug, mremap() will return an error and\nthe private-anon region's contents appear to have been zeroed.\n\nThe idea of this check is that `old_end - len` is the original start\naddress, and writing the check that way also makes it easier to read; so\nfix the check by rearranging the comparison accordingly.\n\n(An alternate fix would be to refactor this function by introducing an\n\"orig_old_start\" variable or such.)\n\n\nTested in a VM with a 32-bit X86 kernel; without the patch:\n\n```\nuser@horn:~/big_mremap$ cat test.c\n#define _GNU_SOURCE\n#include <stdlib.h>\n#include <stdio.h>\n#include <err.h>\n#include <sys/mman.h>\n\n#define ADDR1 ((void*)0x60000000)\n#define ADDR2 ((void*)0x10000000)\n#define SIZE          0x50000000uL\n\nint main(void) {\n  unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p1 == MAP_FAILED)\n    err(1, \"mmap 1\");\n  unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p2 == MAP_FAILED)\n    err(1, \"mmap 2\");\n  *p1 = 0x41;\n  printf(\"first char is 0x%02hhx\\n\", *p1);\n  unsigned char *p3 = mremap(p1, SIZE, SIZE,\n      MREMAP_MAYMOVE|MREMAP_FIXED, p2);\n  if (p3 == MAP_FAILED) {\n    printf(\"mremap() failed; first char is 0x%02hhx\\n\", *p1);\n  } else {\n    printf(\"mremap() succeeded; first char is 0x%02hhx\\n\", *p3);\n  }\n}\nuser@horn:~/big_mremap$ gcc -static -o test test.c\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() failed; first char is 0x00\n```\n\nWith the patch:\n\n```\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() succeeded; first char is 0x41\n```",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: uncache inode which has failed entering the group\n\nSyzbot has reported the following BUG:\n\nkernel BUG at fs/ocfs2/uptodate.c:509!\n...\nCall Trace:\n <TASK>\n ? __die_body+0x5f/0xb0\n ? die+0x9e/0xc0\n ? do_trap+0x15a/0x3a0\n ? ocfs2_set_new_buffer_uptodate+0x145/0x160\n ? do_error_trap+0x1dc/0x2c0\n ? ocfs2_set_new_buffer_uptodate+0x145/0x160\n ? __pfx_do_error_trap+0x10/0x10\n ? handle_invalid_op+0x34/0x40\n ? ocfs2_set_new_buffer_uptodate+0x145/0x160\n ? exc_invalid_op+0x38/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? ocfs2_set_new_buffer_uptodate+0x2e/0x160\n ? ocfs2_set_new_buffer_uptodate+0x144/0x160\n ? ocfs2_set_new_buffer_uptodate+0x145/0x160\n ocfs2_group_add+0x39f/0x15a0\n ? __pfx_ocfs2_group_add+0x10/0x10\n ? __pfx_lock_acquire+0x10/0x10\n ? mnt_get_write_access+0x68/0x2b0\n ? __pfx_lock_release+0x10/0x10\n ? rcu_read_lock_any_held+0xb7/0x160\n ? __pfx_rcu_read_lock_any_held+0x10/0x10\n ? smack_log+0x123/0x540\n ? mnt_get_write_access+0x68/0x2b0\n ? mnt_get_write_access+0x68/0x2b0\n ? mnt_get_write_access+0x226/0x2b0\n ocfs2_ioctl+0x65e/0x7d0\n ? __pfx_ocfs2_ioctl+0x10/0x10\n ? smack_file_ioctl+0x29e/0x3a0\n ? __pfx_smack_file_ioctl+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x43d/0x780\n ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10\n ? __pfx_ocfs2_ioctl+0x10/0x10\n __se_sys_ioctl+0xfb/0x170\n do_syscall_64+0xf3/0x230\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n </TASK>\n\nWhen 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular\ninode in 'ocfs2_verify_group_and_input()', corresponding buffer head\nremains cached and subsequent call to the same 'ioctl()' for the same\ninode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying\nto cache the same buffer head of that inode). Fix this by uncaching\nthe buffer head with 'ocfs2_remove_from_cache()' on error path in\n'ocfs2_group_add()'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix NULL pointer dereference in alloc_pages_bulk_noprof\n\nWe triggered a NULL pointer dereference for ac.preferred_zoneref->zone in\nalloc_pages_bulk_noprof() when the task is migrated between cpusets.\n\nWhen cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be\n&current->mems_allowed.  when first_zones_zonelist() is called to find\npreferred_zoneref, the ac->nodemask may be modified concurrently if the\ntask is migrated between different cpusets.  Assuming we have 2 NUMA Node,\nwhen traversing Node1 in ac->zonelist, the nodemask is 2, and when\ntraversing Node2 in ac->zonelist, the nodemask is 1.  As a result, the\nac->preferred_zoneref points to NULL zone.\n\nIn alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a\nallowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading\nto NULL pointer dereference.\n\n__alloc_pages_noprof() fixes this issue by checking NULL pointer in commit\nea57485af8f4 (\"mm, page_alloc: fix check for NULL preferred_zone\") and\ncommit df76cee6bbeb (\"mm, page_alloc: remove redundant checks from alloc\nfastpath\").\n\nTo fix it, check NULL pointer for preferred_zoneref->zone.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client\n\nA number of Zen4 client SoCs advertise the ability to use virtualized\nVMLOAD/VMSAVE, but using these instructions is reported to be a cause\nof a random host reboot.\n\nThese instructions aren't intended to be advertised on Zen4 client\nso clear the capability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle\n\nThe 'vmw_user_object_buffer' function may return NULL with incorrect\ninputs. To avoid possible null pointer dereference, add a check whether\nthe 'bo' is NULL in the vmw_framebuffer_surface_create_handle.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix handling of partial GPU mapping of BOs\n\nThis commit fixes the bug in the handling of partial mapping of the\nbuffer objects to the GPU, which caused kernel warnings.\n\nPanthor didn't correctly handle the case where the partial mapping\nspanned multiple scatterlists and the mapping offset didn't point\nto the 1st page of starting scatterlist. The offset variable was\nnot cleared after reaching the starting scatterlist.\n\nFollowing warning messages were seen.\nWARNING: CPU: 1 PID: 650 at drivers/iommu/io-pgtable-arm.c:659 __arm_lpae_unmap+0x254/0x5a0\n<snip>\npc : __arm_lpae_unmap+0x254/0x5a0\nlr : __arm_lpae_unmap+0x2cc/0x5a0\n<snip>\nCall trace:\n __arm_lpae_unmap+0x254/0x5a0\n __arm_lpae_unmap+0x108/0x5a0\n __arm_lpae_unmap+0x108/0x5a0\n __arm_lpae_unmap+0x108/0x5a0\n arm_lpae_unmap_pages+0x80/0xa0\n panthor_vm_unmap_pages+0xac/0x1c8 [panthor]\n panthor_gpuva_sm_step_unmap+0x4c/0xc8 [panthor]\n op_unmap_cb.isra.23.constprop.30+0x54/0x80\n __drm_gpuvm_sm_unmap+0x184/0x1c8\n drm_gpuvm_sm_unmap+0x40/0x60\n panthor_vm_exec_op+0xa8/0x120 [panthor]\n panthor_vm_bind_exec_sync_op+0xc4/0xe8 [panthor]\n panthor_ioctl_vm_bind+0x10c/0x170 [panthor]\n drm_ioctl_kernel+0xbc/0x138\n drm_ioctl+0x210/0x4b0\n __arm64_sys_ioctl+0xb0/0xf8\n invoke_syscall+0x4c/0x110\n el0_svc_common.constprop.1+0x98/0xf8\n do_el0_svc+0x24/0x38\n el0_svc+0x34/0xc8\n el0t_64_sync_handler+0xa0/0xc8\n el0t_64_sync+0x174/0x178\n<snip>\npanthor : [drm] drm_WARN_ON(unmapped_sz != pgsize * pgcount)\nWARNING: CPU: 1 PID: 650 at drivers/gpu/drm/panthor/panthor_mmu.c:922 panthor_vm_unmap_pages+0x124/0x1c8 [panthor]\n<snip>\npc : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]\nlr : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]\n<snip>\npanthor : [drm] *ERROR* failed to unmap range ffffa388f000-ffffa3890000 (requested range ffffa388c000-ffffa3890000)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Improve MSG_ZEROCOPY error handling\n\nAdd a missing kfree_skb() to prevent memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix sk_error_queue memory leak\n\nKernel queues MSG_ZEROCOPY completion notifications on the error queue.\nWhere they remain, until explicitly recv()ed. To prevent memory leaks,\nclean up the queue when the socket is destroyed.\n\nunreferenced object 0xffff8881028beb00 (size 224):\n  comm \"vsock_test\", pid 1218, jiffies 4294694897\n  hex dump (first 32 bytes):\n    90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff  ..!.......!.....\n    00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff  ..........!.....\n  backtrace (crc 6c7031ca):\n    [<ffffffff81418ef7>] kmem_cache_alloc_node_noprof+0x2f7/0x370\n    [<ffffffff81d35882>] __alloc_skb+0x132/0x180\n    [<ffffffff81d2d32b>] sock_omalloc+0x4b/0x80\n    [<ffffffff81d3a8ae>] msg_zerocopy_realloc+0x9e/0x240\n    [<ffffffff81fe5cb2>] virtio_transport_send_pkt_info+0x412/0x4c0\n    [<ffffffff81fe6183>] virtio_transport_stream_enqueue+0x43/0x50\n    [<ffffffff81fe0813>] vsock_connectible_sendmsg+0x373/0x450\n    [<ffffffff81d233d5>] ____sys_sendmsg+0x365/0x3a0\n    [<ffffffff81d246f4>] ___sys_sendmsg+0x84/0xd0\n    [<ffffffff81d26f47>] __sys_sendmsg+0x47/0x80\n    [<ffffffff820d3df3>] do_syscall_64+0x93/0x180\n    [<ffffffff8220012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Fix accept_queue memory leak\n\nAs the final stages of socket destruction may be delayed, it is possible\nthat virtio_transport_recv_listen() will be called after the accept_queue\nhas been flushed, but before the SOCK_DONE flag has been set. As a result,\nsockets enqueued after the flush would remain unremoved, leading to a\nmemory leak.\n\nvsock_release\n  __vsock_release\n    lock\n    virtio_transport_release\n      virtio_transport_close\n        schedule_delayed_work(close_work)\n    sk_shutdown = SHUTDOWN_MASK\n(!) flush accept_queue\n    release\n                                        virtio_transport_recv_pkt\n                                          vsock_find_bound_socket\n                                          lock\n                                          if flag(SOCK_DONE) return\n                                          virtio_transport_recv_listen\n                                            child = vsock_create_connected\n                                      (!)   vsock_enqueue_accept(child)\n                                          release\nclose_work\n  lock\n  virtio_transport_do_close\n    set_flag(SOCK_DONE)\n    virtio_transport_remove_sock\n      vsock_remove_sock\n        vsock_remove_bound\n  release\n\nIntroduce a sk_shutdown check to disallow vsock_enqueue_accept() during\nsocket destruction.\n\nunreferenced object 0xffff888109e3f800 (size 2040):\n  comm \"kworker/5:2\", pid 371, jiffies 4294940105\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............\n  backtrace (crc 9e5f4e84):\n    [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360\n    [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120\n    [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0\n    [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310\n    [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0\n    [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140\n    [<ffffffff810fc6ac>] process_one_work+0x20c/0x570\n    [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0\n    [<ffffffff811070dd>] kthread+0xdd/0x110\n    [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50\n    [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT: Fix null-ptr-deref in add rule err flow\n\nIn error flow of mlx5_tc_ct_entry_add_rule(), in case ct_rule_add()\ncallback returns error, zone_rule->attr is used uninitiated. Fix it to\nuse attr which has the needed pointer value.\n\nKernel log:\n BUG: kernel NULL pointer dereference, address: 0000000000000110\n RIP: 0010:mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]\n\u2026\n Call Trace:\n  <TASK>\n  ? __die+0x20/0x70\n  ? page_fault_oops+0x150/0x3e0\n  ? exc_page_fault+0x74/0x140\n  ? asm_exc_page_fault+0x22/0x30\n  ? mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]\n  ? mlx5_tc_ct_entry_add_rule+0x1d5/0x2f0 [mlx5_core]\n  mlx5_tc_ct_block_flow_offload+0xc6a/0xf90 [mlx5_core]\n  ? nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table]\n  nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table]\n  flow_offload_work_handler+0x142/0x320 [nf_flow_table]\n  ? finish_task_switch.isra.0+0x15b/0x2b0\n  process_one_work+0x16c/0x320\n  worker_thread+0x28c/0x3a0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xb8/0xf0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x2d/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, lock FTE when checking if active\n\nThe referenced commits introduced a two-step process for deleting FTEs:\n\n- Lock the FTE, delete it from hardware, set the hardware deletion function\n  to NULL and unlock the FTE.\n- Lock the parent flow group, delete the software copy of the FTE, and\n  remove it from the xarray.\n\nHowever, this approach encounters a race condition if a rule with the same\nmatch value is added simultaneously. In this scenario, fs_core may set the\nhardware deletion function to NULL prematurely, causing a panic during\nsubsequent rule deletions.\n\nTo prevent this, ensure the active flag of the FTE is checked under a lock,\nwhich will prevent the fs_core layer from attaching a new steering rule to\nan FTE that is in the process of deletion.\n\n[  438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func\n[  438.968205] ------------[ cut here ]------------\n[  438.968654] refcount_t: decrement hit 0; leaking memory.\n[  438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110\n[  438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]\n[  438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8\n[  438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110\n[  438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90\n[  438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286\n[  438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000\n[  438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0\n[  438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0\n[  438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0\n[  438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0\n[  438.980607] FS:  00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n[  438.983984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0\n[  438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  438.986507] Call Trace:\n[  438.986799]  <TASK>\n[  438.987070]  ? __warn+0x7d/0x110\n[  438.987426]  ? refcount_warn_saturate+0xfb/0x110\n[  438.987877]  ? report_bug+0x17d/0x190\n[  438.988261]  ? prb_read_valid+0x17/0x20\n[  438.988659]  ? handle_bug+0x53/0x90\n[  438.989054]  ? exc_invalid_op+0x14/0x70\n[  438.989458]  ? asm_exc_invalid_op+0x16/0x20\n[  438.989883]  ? refcount_warn_saturate+0xfb/0x110\n[  438.990348]  mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]\n[  438.990932]  __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]\n[  438.991519]  ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]\n[  438.992054]  ? xas_load+0x9/0xb0\n[  438.992407]  mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]\n[  438.993037]  mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]\n[  438.993623]  mlx5e_flow_put+0x29/0x60 [mlx5_core]\n[  438.994161]  mlx5e_delete_flower+0x261/0x390 [mlx5_core]\n[  438.994728]  tc_setup_cb_destroy+0xb9/0x190\n[  438.995150]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n[  438.995650]  fl_change+0x11a4/0x13c0 [cls_flower]\n[  438.996105]  tc_new_tfilter+0x347/0xbc0\n[  438.996503]  ? __\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: cope racing subflow creation in mptcp_rcv_space_adjust\n\nAdditional active subflows - i.e. created by the in kernel path\nmanager - are included into the subflow list before starting the\n3whs.\n\nA racing recvmsg() spooling data received on an already established\nsubflow would unconditionally call tcp_cleanup_rbuf() on all the\ncurrent subflows, potentially hitting a divide by zero error on\nthe newly created ones.\n\nExplicitly check that the subflow is in a suitable state before\ninvoking tcp_cleanup_rbuf().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: error out earlier on disconnect\n\nEric reported a division by zero splat in the MPTCP protocol:\n\nOops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted\n6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0\nHardware name: Google Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nRIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163\nCode: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8\n0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c\n24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89\nRSP: 0018:ffffc900041f7930 EFLAGS: 00010293\nRAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b\nRDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004\nRBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67\nR10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80\nR13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000\nFS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n__tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493\nmptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline]\nmptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289\ninet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885\nsock_recvmsg_nosec net/socket.c:1051 [inline]\nsock_recvmsg+0x1b2/0x250 net/socket.c:1073\n__sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265\n__do_sys_recvfrom net/socket.c:2283 [inline]\n__se_sys_recvfrom net/socket.c:2279 [inline]\n__x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7feb5d857559\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559\nRDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000\nR10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c\nR13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef\n\nand provided a nice reproducer.\n\nThe root cause is the current bad handling of racing disconnect.\nAfter the blamed commit below, sk_wait_data() can return (with\nerror) with the underlying socket disconnected and a zero rcv_mss.\n\nCatch the error and return without performing any additional\noperations on the current socket.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix data-races around sk->sk_forward_alloc\n\nSyzkaller reported this warning:\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0\n Modules linked in:\n CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:inet_sock_destruct+0x1c5/0x1e0\n Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206\n RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007\n RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00\n RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007\n R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00\n R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78\n FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? __warn+0x88/0x130\n  ? inet_sock_destruct+0x1c5/0x1e0\n  ? report_bug+0x18e/0x1a0\n  ? handle_bug+0x53/0x90\n  ? exc_invalid_op+0x18/0x70\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? inet_sock_destruct+0x1c5/0x1e0\n  __sk_destruct+0x2a/0x200\n  rcu_do_batch+0x1aa/0x530\n  ? rcu_do_batch+0x13b/0x530\n  rcu_core+0x159/0x2f0\n  handle_softirqs+0xd3/0x2b0\n  ? __pfx_smpboot_thread_fn+0x10/0x10\n  run_ksoftirqd+0x25/0x30\n  smpboot_thread_fn+0xdd/0x1d0\n  kthread+0xd3/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x34/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n\nIts possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()\nconcurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,\nwhich triggers a data-race around sk->sk_forward_alloc:\ntcp_v6_rcv\n    tcp_v6_do_rcv\n        skb_clone_and_charge_r\n            sk_rmem_schedule\n                __sk_mem_schedule\n                    sk_forward_alloc_add()\n            skb_set_owner_r\n                sk_mem_charge\n                    sk_forward_alloc_add()\n        __kfree_skb\n            skb_release_all\n                skb_release_head_state\n                    sock_rfree\n                        sk_mem_uncharge\n                            sk_forward_alloc_add()\n                            sk_mem_reclaim\n                                // set local var reclaimable\n                                __sk_mem_reclaim\n                                    sk_forward_alloc_add()\n\nIn this syzkaller testcase, two threads call\ntcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like\nthis:\n (cpu 1)             | (cpu 2)             | sk_forward_alloc\n ...                 | ...                 | 0\n __sk_mem_schedule() |                     | +4096 = 4096\n                     | __sk_mem_schedule() | +4096 = 8192\n sk_mem_charge()     |                     | -768  = 7424\n                     | sk_mem_charge()     | -768  = 6656\n ...                 |    ...              |\n sk_mem_uncharge()   |                     | +768  = 7424\n reclaimable=7424    |                     |\n                     | sk_mem_uncharge()   | +768  = 8192\n                     | reclaimable=8192    |\n __sk_mem_reclaim()  |                     | -4096 = 4096\n                     | __sk_mem_reclaim()  | -8192 = -4096 != 0\n\nThe skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when\nsk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().\nFix the same issue in dccp_v6_do_rcv().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sync_linked_regs() must preserve subreg_def\n\nRange propagation must not affect subreg_def marks, otherwise the\nfollowing example is rewritten by verifier incorrectly when\nBPF_F_TEST_RND_HI32 flag is set:\n\n  0: call bpf_ktime_get_ns                   call bpf_ktime_get_ns\n  1: r0 &= 0x7fffffff       after verifier   r0 &= 0x7fffffff\n  2: w1 = w0                rewrites         w1 = w0\n  3: if w0 < 10 goto +0     -------------->  r11 = 0x2f5674a6     (r)\n  4: r1 >>= 32                               r11 <<= 32           (r)\n  5: r0 = r1                                 r1 |= r11            (r)\n  6: exit;                                   if w0 < 0xa goto pc+0\n                                             r1 >>= 32\n                                             r0 = r1\n                                             exit\n\n(or zero extension of w1 at (2) is missing for architectures that\n require zero extension for upper register half).\n\nThe following happens w/o this patch:\n- r0 is marked as not a subreg at (0);\n- w1 is marked as subreg at (2);\n- w1 subreg_def is overridden at (3) by copy_register_state();\n- w1 is read at (5) but mark_insn_zext() does not mark (2)\n  for zero extension, because w1 subreg_def is not set;\n- because of BPF_F_TEST_RND_HI32 flag verifier inserts random\n  value for hi32 bits of (2) (marked (r));\n- this random value is read at (5).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: solidrun: Fix UB bug with devres\n\nIn psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to\npcim_iomap_regions() is placed on the stack. Neither\npcim_iomap_regions() nor the functions it calls copy that string.\n\nShould the string later ever be used, this, consequently, causes\nundefined behavior since the stack frame will by then have disappeared.\n\nFix the bug by allocating the strings on the heap through\ndevm_kasprintf().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"\n\nThe commit 8396c793ffdf (\"mmc: dw_mmc: Fix IDMAC operation with pages\nbigger than 4K\") increased the max_req_size, even for 4K pages, causing\nvarious issues:\n- Panic booting the kernel/rootfs from an SD card on Rockchip RK3566\n- Panic booting the kernel/rootfs from an SD card on StarFive JH7100\n- \"swiotlb buffer is full\" and data corruption on StarFive JH7110\n\nAt this stage no fix have been found, so it's probably better to just\nrevert the change.\n\nThis reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/task_stack: fix object_is_on_stack() for KASAN tagged pointers\n\nWhen CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the\nobject_is_on_stack() function may produce incorrect results due to the\npresence of tags in the obj pointer, while the stack pointer does not have\ntags.  This discrepancy can lead to incorrect stack object detection and\nsubsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.\n\nExample of the warning:\n\nODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364\nModules linked in:\nCPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4\nHardware name: linux,dummy-virt (DT)\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __debug_object_init+0x330/0x364\nlr : __debug_object_init+0x330/0x364\nsp : ffff800082ea7b40\nx29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534\nx26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0\nx23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418\nx20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000\nx17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e\nx14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e\nx11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800\nx8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4\nx2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050\nCall trace:\n __debug_object_init+0x330/0x364\n debug_object_init_on_stack+0x30/0x3c\n schedule_hrtimeout_range_clock+0xac/0x26c\n schedule_hrtimeout+0x1c/0x30\n wait_task_inactive+0x1d4/0x25c\n kthread_bind_mask+0x28/0x98\n init_rescuer+0x1e8/0x280\n workqueue_init+0x1a0/0x3cc\n kernel_init_freeable+0x118/0x200\n kernel_init+0x28/0x1f0\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\nODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.\n------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop: Fix a dereferenced before check warning\n\nThe 'state' can't be NULL, we should check crtc_state.\n\nFix warning:\ndrivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096\nvop_plane_atomic_async_check() warn: variable dereferenced before check\n'state' (see line 1077)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint\n\nWhen using the \"block:block_dirty_buffer\" tracepoint, mark_buffer_dirty()\nmay cause a NULL pointer dereference, or a general protection fault when\nKASAN is enabled.\n\nThis happens because, since the tracepoint was added in\nmark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev\nregardless of whether the buffer head has a pointer to a block_device\nstructure.\n\nIn the current implementation, nilfs_grab_buffer(), which grabs a buffer\nto read (or create) a block of metadata, including b-tree node blocks,\ndoes not set the block device, but instead does so only if the buffer is\nnot in the \"uptodate\" state for each of its caller block reading\nfunctions.  However, if the uptodate flag is set on a folio/page, and the\nbuffer heads are detached from it by try_to_free_buffers(), and new buffer\nheads are then attached by create_empty_buffers(), the uptodate flag may\nbe restored to each buffer without the block device being set to\nbh->b_bdev, and mark_buffer_dirty() may be called later in that state,\nresulting in the bug mentioned above.\n\nFix this issue by making nilfs_grab_buffer() always set the block device\nof the super block structure to the buffer head, regardless of the state\nof the buffer's uptodate flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_touch_buffer tracepoint\n\nPatch series \"nilfs2: fix null-ptr-deref bugs on block tracepoints\".\n\nThis series fixes null pointer dereference bugs that occur when using\nnilfs2 and two block-related tracepoints.\n\n\nThis patch (of 2):\n\nIt has been reported that when using \"block:block_touch_buffer\"\ntracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a\nNULL pointer dereference, or a general protection fault when KASAN is\nenabled.\n\nThis happens because since the tracepoint was added in touch_buffer(), it\nreferences the dev_t member bh->b_bdev->bd_dev regardless of whether the\nbuffer head has a pointer to a block_device structure.  In the current\nimplementation, the block_device structure is set after the function\nreturns to the caller.\n\nHere, touch_buffer() is used to mark the folio/page that owns the buffer\nhead as accessed, but the common search helper for folio/page used by the\ncaller function was optimized to mark the folio/page as accessed when it\nwas reimplemented a long time ago, eliminating the need to call\ntouch_buffer() here in the first place.\n\nSo this solves the issue by eliminating the touch_buffer() call itself.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix \"Missing outer runtime PM protection\" warning\n\nFix the following drm_WARN:\n\n[953.586396] xe 0000:00:02.0: [drm] Missing outer runtime PM protection\n...\n<4> [953.587090]  ? xe_pm_runtime_get_noresume+0x8d/0xa0 [xe]\n<4> [953.587208]  guc_exec_queue_add_msg+0x28/0x130 [xe]\n<4> [953.587319]  guc_exec_queue_fini+0x3a/0x40 [xe]\n<4> [953.587425]  xe_exec_queue_destroy+0xb3/0xf0 [xe]\n<4> [953.587515]  xe_oa_release+0x9c/0xc0 [xe]\n\n(cherry picked from commit b107c63d2953907908fd0cafb0e543b3c3167b75)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Handle dml allocation failure to avoid crash\n\n[Why]\nIn the case where a dml allocation fails for any reason, the\ncurrent state's dml contexts would no longer be valid. Then\nsubsequent calls dc_state_copy_internal would shallow copy\ninvalid memory and if the new state was released, a double\nfree would occur.\n\n[How]\nReset dml pointers in new_state to NULL and avoid invalid\npointer\n\n(cherry picked from commit bcafdc61529a48f6f06355d78eb41b3aeda5296c)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx93-blk-ctrl: correct remove path\n\nThe check condition should be 'i < bc->onecell_data.num_domains', not\n'bc->onecell_data.num_domains' which will make the look never finish\nand cause kernel panic.\n\nAlso disable runtime to address\n\"imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN\n\nHide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support\nfor virtualizing Intel PT via guest/host mode unless BROKEN=y.  There are\nmyriad bugs in the implementation, some of which are fatal to the guest,\nand others which put the stability and health of the host at risk.\n\nFor guest fatalities, the most glaring issue is that KVM fails to ensure\ntracing is disabled, and *stays* disabled prior to VM-Enter, which is\nnecessary as hardware disallows loading (the guest's) RTIT_CTL if tracing\nis enabled (enforced via a VMX consistency check).  Per the SDM:\n\n  If the logical processor is operating with Intel PT enabled (if\n  IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the \"load\n  IA32_RTIT_CTL\" VM-entry control must be 0.\n\nOn the host side, KVM doesn't validate the guest CPUID configuration\nprovided by userspace, and even worse, uses the guest configuration to\ndecide what MSRs to save/load at VM-Enter and VM-Exit.  E.g. configuring\nguest CPUID to enumerate more address ranges than are supported in hardware\nwill result in KVM trying to passthrough, save, and load non-existent MSRs,\nwhich generates a variety of WARNs, ToPA ERRORs in the host, a potential\ndeadlock, etc.",
          "scorev2": "0.0",
          "scorev3": "6.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: revert \"mm: shmem: fix data-race in shmem_getattr()\"\n\nRevert d949d1d14fa2 (\"mm: shmem: fix data-race in shmem_getattr()\") as\nsuggested by Chuck [1].  It is causing deadlocks when accessing tmpfs over\nNFS.\n\nAs Hugh commented, \"added just to silence a syzbot sanitizer splat: added\nwhere there has never been any practical problem\".",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11.10"
        },
        {
          "id": "CVE-2024-53137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: fix cacheflush with PAN\n\nIt seems that the cacheflush syscall got broken when PAN for LPAE was\nimplemented. User access was not enabled around the cache maintenance\ninstructions, causing them to fault.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: kTLS, Fix incorrect page refcounting\n\nThe kTLS tx handling code is using a mix of get_page() and\npage_ref_inc() APIs to increment the page reference. But on the release\npath (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used.\n\nThis is an issue when using pages from large folios: the get_page()\nreferences are stored on the folio page while the page_ref_inc()\nreferences are stored directly in the given page. On release the folio\npage will be dereferenced too many times.\n\nThis was found while doing kTLS testing with sendfile() + ZC when the\nserved file was read from NFS on a kernel with NFS large folios support\n(commit 49b29a573da8 (\"nfs: add support for large folios\")).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix possible UAF in sctp_v6_available()\n\nA lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints\nthat sctp_v6_available() is calling dev_get_by_index_rcu()\nand ipv6_chk_addr() without holding rcu.\n\n[1]\n =============================\n WARNING: suspicious RCU usage\n 6.12.0-rc5-virtme #1216 Tainted: G        W\n -----------------------------\n net/core/dev.c:876 RCU-list traversed in non-reader section!!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by sctp_hello/31495:\n #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp\n\nstack backtrace:\n CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G        W          6.12.0-rc5-virtme #1216\n Tainted: [W]=WARN\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n  <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)\n dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))\n sctp_v6_available (net/sctp/ipv6.c:701) sctp\n sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp\n sctp_bind (net/sctp/socket.c:320) sctp\n inet6_bind_sk (net/ipv6/af_inet6.c:465)\n ? security_socket_bind (security/security.c:4581 (discriminator 1))\n __sys_bind (net/socket.c:1848 net/socket.c:1869)\n ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)\n ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))\n __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))\n do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n RIP: 0033:0x7f59b934a1e7\n Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48\nAll code\n========\n   0:\t44 00 00             \tadd    %r8b,(%rax)\n   3:\t48 8b 15 39 8c 0c 00 \tmov    0xc8c39(%rip),%rdx        # 0xc8c43\n   a:\tf7 d8                \tneg    %eax\n   c:\t64 89 02             \tmov    %eax,%fs:(%rdx)\n   f:\tb8 ff ff ff ff       \tmov    $0xffffffff,%eax\n  14:\teb bd                \tjmp    0xffffffffffffffd3\n  16:\t66 2e 0f 1f 84 00 00 \tcs nopw 0x0(%rax,%rax,1)\n  1d:\t00 00 00\n  20:\t0f 1f 00             \tnopl   (%rax)\n  23:\tb8 31 00 00 00       \tmov    $0x31,%eax\n  28:\t0f 05                \tsyscall\n  2a:*\t48 3d 01 f0 ff ff    \tcmp    $0xfffffffffffff001,%rax\t\t<-- trapping instruction\n  30:\t73 01                \tjae    0x33\n  32:\tc3                   \tret\n  33:\t48 8b 0d 09 8c 0c 00 \tmov    0xc8c09(%rip),%rcx        # 0xc8c43\n  3a:\tf7 d8                \tneg    %eax\n  3c:\t64 89 01             \tmov    %eax,%fs:(%rcx)\n  3f:\t48                   \trex.W\n\nCode starting with the faulting instruction\n===========================================\n   0:\t48 3d 01 f0 ff ff    \tcmp    $0xfffffffffffff001,%rax\n   6:\t73 01                \tjae    0x9\n   8:\tc3                   \tret\n   9:\t48 8b 0d 09 8c 0c 00 \tmov    0xc8c09(%rip),%rcx        # 0xc8c19\n  10:\tf7 d8                \tneg    %eax\n  12:\t64 89 01             \tmov    %eax,%fs:(%rcx)\n  15:\t48                   \trex.W\n RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031\n RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7\n RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005\n RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000\n R10: 00007f59b9253298 R11: 000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump  - actual dump helper, keeps getting called until it returns 0\n - done  - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon't actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we're back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn't have to take a reference of its own.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add missing range check in bitmap_ip_uadt\n\nWhen tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,\nthe values of ip and ip_to are slightly swapped. Therefore, the range check\nfor ip should be done later, but this part is missing and it seems that the\nvulnerability occurs.\n\nSo we should add missing range checks and remove unnecessary range checks.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninitramfs: avoid filename buffer overrun\n\nThe initramfs filename field is defined in\nDocumentation/driver-api/early-userspace/buffer-format.rst as:\n\n 37 cpio_file := ALGN(4) + cpio_header + filename + \"\\0\" + ALGN(4) + data\n...\n 55 ============= ================== =========================\n 56 Field name    Field size         Meaning\n 57 ============= ================== =========================\n...\n 70 c_namesize    8 bytes            Length of filename, including final \\0\n\nWhen extracting an initramfs cpio archive, the kernel's do_name() path\nhandler assumes a zero-terminated path at @collected, passing it\ndirectly to filp_open() / init_mkdir() / init_mknod().\n\nIf a specially crafted cpio entry carries a non-zero-terminated filename\nand is followed by uninitialized memory, then a file may be created with\ntrailing characters that represent the uninitialized memory. The ability\nto create an initramfs entry would imply already having full control of\nthe system, so the buffer overrun shouldn't be considered a security\nvulnerability.\n\nAppend the output of the following bash script to an existing initramfs\nand observe any created /initramfs_test_fname_overrunAA* path. 
E.g.\n  ./reproducer.sh | gzip >> /myinitramfs\n\nIt's easiest to observe non-zero uninitialized memory when the output is\ngzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),\nrather than the initrd_start+initrd_size block.\n\n---- reproducer.sh ----\nnilchar=\"A\"\t# change to \"\\0\" to properly zero terminate / pad\nmagic=\"070701\"\nino=1\nmode=$(( 0100777 ))\nuid=0\ngid=0\nnlink=1\nmtime=1\nfilesize=0\ndevmajor=0\ndevminor=1\nrdevmajor=0\nrdevminor=0\ncsum=0\nfname=\"initramfs_test_fname_overrun\"\nnamelen=$(( ${#fname} + 1 ))\t# plus one to account for terminator\n\nprintf \"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\" \\\n\t$magic $ino $mode $uid $gid $nlink $mtime $filesize \\\n\t$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname\n\ntermpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))\nprintf \"%.s${nilchar}\" $(seq 1 $termpadlen)\n---- reproducer.sh ----\n\nSymlink filename fields handled in do_symlink() won't overrun past the\ndata segment, due to the explicit zero-termination of the symlink\ntarget.\n\nFix filename buffer overrun by aborting the initramfs FSM if any cpio\nentry doesn't carry a zero-terminator at the expected (name_len - 1)\noffset.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: Fix ordering of iput() and watched_objects decrement\n\nEnsure the superblock is kept alive until we're done with iput().\nHolding a reference to an inode is not allowed unless we ensure the\nsuperblock stays alive, which fsnotify does by keeping the\nwatched_objects count elevated, so iput() must happen before the\nwatched_objects decrement.\nThis can lead to a UAF of something like sb->s_fs_info in tmpfs, but the\nUAF is hard to hit because race orderings that oops are more likely, thanks\nto the CHECK_DATA_CORRUPTION() block in generic_shutdown_super().\n\nAlso, ensure that fsnotify_put_sb_watched_objects() doesn't call\nfsnotify_sb_watched_objects() on a superblock that may have already been\nfreed, which would cause a UAF read of sb->s_fsnotify_info.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE\n\nThis aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4\n(\"Bluetooth: Always request for user confirmation for Just Works\")\nalways request user confirmation with confirm_hint set since the\nlikes of bluetoothd have dedicated policy around JUST_WORKS method\n(e.g. main.conf:JustWorksRepairing).\n\nCVE: CVE-2024-8805",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-53145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Fix potential integer overflow during physmem setup\n\nThis issue happens when the real map size is greater than LONG_MAX,\nwhich can be easily triggered on UML/i386.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Prevent a potential integer overflow\n\nIf the tag length is >= U32_MAX - 3 then the \"length + 4\" addition\ncan result in an integer overflow. Address this by splitting the\ndecoding into several steps so that decode_cb_compound4res() does\nnot have to perform arithmetic on the unsafe length value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix out-of-bounds access of directory entries\n\nIn the case of the directory size is greater than or equal to\nthe cluster size, if start_clu becomes an EOF cluster(an invalid\ncluster) due to file system corruption, then the directory entry\nwhere ei->hint_femp.eidx hint is outside the directory, resulting\nin an out-of-bounds access, which may cause further file system\ncorruption.\n\nThis commit adds a check for start_clu, if it is an invalid cluster,\nthe file or directory will be treated as empty.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Flush partial mappings in error case\n\nIf some remap_pfn_range() calls succeeded before one failed, we still have\nbuffer pages mapped into the userspace page tables when we drop the buffer\nreference with comedi_buf_map_put(bm). The userspace mappings are only\ncleaned up later in the mmap error path.\n\nFix it by explicitly flushing all mappings in our VMA on the error path.\n\nSee commit 79a61cc3fc04 (\"mm: avoid leaving partial pfn mappings around in\nerror case\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: glink: fix off-by-one in connector_status\n\nUCSI connector's indices start from 1 up to 3, PMIC_GLINK_MAX_PORTS.\nCorrect the condition in the pmic_glink_ucsi_connector_status()\ncallback, fixing Type-C orientation reporting for the third USB-C\nconnector.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out of bounds reads when finding clock sources\n\nThe current USB-audio driver code doesn't check bLength of each\ndescriptor at traversing for clock descriptors.  That is, when a\ndevice provides a bogus descriptor with a shorter bLength, the driver\nmight hit out-of-bounds reads.\n\nFor addressing it, this patch adds sanity checks to the validator\nfunctions for the clock descriptor traversal.  When the descriptor\nlength is shorter than expected, it's skipped in the loop.\n\nFor the clock source and clock multiplier descriptors, we can just\ncheck bLength against the sizeof() of each descriptor type.\nOTOH, the clock selector descriptor of UAC2 and UAC3 has an array\nof bNrInPins elements and two more fields at its tail, hence those\nhave to be checked in addition to the sizeof() check.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: Address an integer overflow\n\nDan Carpenter reports:\n> Commit 78147ca8b4a9 (\"svcrdma: Add a \"parsed chunk list\" data\n> structure\") from Jun 22, 2020 (linux-next), leads to the following\n> Smatch static checker warning:\n>\n>\tnet/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()\n>\twarn: potential user controlled sizeof overflow 'segcount * 4 * 4'\n>\n> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c\n>     488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)\n>     489 {\n>     490         u32 segcount;\n>     491         __be32 *p;\n>     492\n>     493         if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))\n>                                                               ^^^^^^^^\n>\n>     494                 return false;\n>     495\n>     496         /* A bogus segcount causes this buffer overflow check to fail. */\n>     497         p = xdr_inline_decode(&rctxt->rc_stream,\n> --> 498                               segcount * rpcrdma_segment_maxsz * sizeof(*p));\n>\n>\n> segcount is an untrusted u32.  On 32bit systems anything >= SIZE_MAX / 16 will\n> have an integer overflow and some those values will be accepted by\n> xdr_inline_decode().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: tegra194: Move controller cleanups to pex_ep_event_pex_rst_deassert()\n\nCurrently, the endpoint cleanup function dw_pcie_ep_cleanup() and EPF\ndeinit notify function pci_epc_deinit_notify() are called during the\nexecution of pex_ep_event_pex_rst_assert() i.e., when the host has asserted\nPERST#. But quickly after this step, refclk will also be disabled by the\nhost.\n\nAll of the tegra194 endpoint SoCs supported as of now depend on the refclk\nfrom the host for keeping the controller operational. Due to this\nlimitation, any access to the hardware registers in the absence of refclk\nwill result in a whole endpoint crash. Unfortunately, most of the\ncontroller cleanups require accessing the hardware registers (like eDMA\ncleanup performed in dw_pcie_ep_cleanup(), etc...). So these cleanup\nfunctions can cause the crash in the endpoint SoC once host asserts PERST#.\n\nOne way to address this issue is by generating the refclk in the endpoint\nitself and not depending on the host. But that is not always possible as\nsome of the endpoint designs do require the endpoint to consume refclk from\nthe host.\n\nThus, fix this crash by moving the controller cleanups to the start of\nthe pex_ep_event_pex_rst_deassert() function. This function is called\nwhenever the host has deasserted PERST# and it is guaranteed that the\nrefclk would be active at this point. So at the start of this function\n(after enabling resources) the controller cleanup can be performed. Once\nfinished, rest of the code execution for PERST# deassert can continue as\nusual.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: qcom-ep: Move controller cleanups to qcom_pcie_perst_deassert()\n\nCurrently, the endpoint cleanup function dw_pcie_ep_cleanup() and EPF\ndeinit notify function pci_epc_deinit_notify() are called during the\nexecution of qcom_pcie_perst_assert() i.e., when the host has asserted\nPERST#. But quickly after this step, refclk will also be disabled by the\nhost.\n\nAll of the Qcom endpoint SoCs supported as of now depend on the refclk from\nthe host for keeping the controller operational. Due to this limitation,\nany access to the hardware registers in the absence of refclk will result\nin a whole endpoint crash. Unfortunately, most of the controller cleanups\nrequire accessing the hardware registers (like eDMA cleanup performed in\ndw_pcie_ep_cleanup(), powering down MHI EPF etc...). So these cleanup\nfunctions are currently causing the crash in the endpoint SoC once host\nasserts PERST#.\n\nOne way to address this issue is by generating the refclk in the endpoint\nitself and not depending on the host. But that is not always possible as\nsome of the endpoint designs do require the endpoint to consume refclk from\nthe host (as I was told by the Qcom engineers).\n\nThus, fix this crash by moving the controller cleanups to the start of\nthe qcom_pcie_perst_deassert() function. qcom_pcie_perst_deassert() is\ncalled whenever the host has deasserted PERST# and it is guaranteed that\nthe refclk would be active at this point. So at the start of this function\n(after enabling resources), the controller cleanup can be performed. Once\nfinished, rest of the code execution for PERST# deassert can continue as\nusual.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clk-apple-nco: Add NULL check in applnco_probe\n\nAdd NULL check in applnco_probe, to handle kernel NULL pointer\ndereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix uninitialized value in ocfs2_file_read_iter()\n\nSyzbot has reported the following KMSAN splat:\n\nBUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80\n ocfs2_file_read_iter+0x9a4/0xf80\n __io_read+0x8d4/0x20f0\n io_read+0x3e/0xf0\n io_issue_sqe+0x42b/0x22c0\n io_wq_submit_work+0xaf9/0xdc0\n io_worker_handle_work+0xd13/0x2110\n io_wq_worker+0x447/0x1410\n ret_from_fork+0x6f/0x90\n ret_from_fork_asm+0x1a/0x30\n\nUninit was created at:\n __alloc_pages_noprof+0x9a7/0xe00\n alloc_pages_mpol_noprof+0x299/0x990\n alloc_pages_noprof+0x1bf/0x1e0\n allocate_slab+0x33a/0x1250\n ___slab_alloc+0x12ef/0x35e0\n kmem_cache_alloc_bulk_noprof+0x486/0x1330\n __io_alloc_req_refill+0x84/0x560\n io_submit_sqes+0x172f/0x2f30\n __se_sys_io_uring_enter+0x406/0x41c0\n __x64_sys_io_uring_enter+0x11f/0x1a0\n x64_sys_call+0x2b54/0x3ba0\n do_syscall_64+0xcd/0x1e0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nSince an instance of 'struct kiocb' may be passed from the block layer\nwith 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()'\nand use it from where 'ocfs2_dio_end_io()' might take care, i.e. in\n'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()\n\nI found the following bug in my fuzzer:\n\n  UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51\n  index 255 is out of range for type 'htc_endpoint [22]'\n  CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  Workqueue: events request_firmware_work_func\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x180/0x1b0\n   __ubsan_handle_out_of_bounds+0xd4/0x130\n   htc_issue_send.constprop.0+0x20c/0x230\n   ? _raw_spin_unlock_irqrestore+0x3c/0x70\n   ath9k_wmi_cmd+0x41d/0x610\n   ? mark_held_locks+0x9f/0xe0\n   ...\n\nSince this bug has been confirmed to be caused by insufficient verification\nof conn_rsp_epid, I think it would be appropriate to add a range check for\nconn_rsp_epid to htc_connect_service() to prevent the bug from occurring.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scpi: Check the DVFS OPP count returned by the firmware\n\nFix a kernel crash with the below call trace when the SCPI firmware\nreturns OPP count of zero.\n\ndvfs_info.opp_count may be zero on some platforms during the reboot\ntest, and the kernel will crash after dereferencing the pointer to\nkcalloc(info->count, sizeof(*opp), GFP_KERNEL).\n\n  |  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028\n  |  Mem abort info:\n  |    ESR = 0x96000004\n  |    Exception class = DABT (current EL), IL = 32 bits\n  |    SET = 0, FnV = 0\n  |    EA = 0, S1PTW = 0\n  |  Data abort info:\n  |    ISV = 0, ISS = 0x00000004\n  |    CM = 0, WnR = 0\n  |  user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c\n  |  [0000000000000028] pgd=0000000000000000\n  |  Internal error: Oops: 96000004 [#1] SMP\n  |  scpi-hwmon: probe of PHYT000D:00 failed with error -110\n  |  Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c)\n  |  CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1\n  |  Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS\n  |  pstate: 60000005 (nZCv daif -PAN -UAO)\n  |  pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]\n  |  lr : clk_register+0x438/0x720\n  |  Call trace:\n  |   scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]\n  |   devm_clk_hw_register+0x50/0xa0\n  |   scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi]\n  |   scpi_clocks_probe+0x528/0x70c [clk_scpi]\n  |   platform_drv_probe+0x58/0xa8\n  |   really_probe+0x260/0x3d0\n  |   driver_probe_device+0x12c/0x148\n  |   device_driver_attach+0x74/0x98\n  |   __driver_attach+0xb4/0xe8\n  |   bus_for_each_dev+0x88/0xe0\n  |   driver_attach+0x30/0x40\n  |   bus_add_driver+0x178/0x2b0\n  |   driver_register+0x64/0x118\n  |   __platform_driver_register+0x54/0x60\n  |   scpi_clocks_driver_init+0x24/0x1000 [clk_scpi]\n  |   
do_one_initcall+0x54/0x220\n  |   do_init_module+0x54/0x1c8\n  |   load_module+0x14a4/0x1668\n  |   __se_sys_finit_module+0xf8/0x110\n  |   __arm64_sys_finit_module+0x24/0x30\n  |   el0_svc_common+0x78/0x170\n  |   el0_svc_handler+0x38/0x78\n  |   el0_svc+0x8/0x340\n  |  Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820)\n  |  ---[ end trace 06feb22469d89fa8 ]---\n  |  Kernel panic - not syncing: Fatal exception\n  |  SMP: stopping secondary CPUs\n  |  Kernel Offset: disabled\n  |  CPU features: 0x10,a0002008\n  |  Memory Limit: none",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()\n\nThis loop is supposed to break if the frequency returned from\nclk_round_rate() is the same as on the previous iteration.  However,\nthat check doesn't make sense on the first iteration through the loop.\nIt leads to reading before the start of these->clk_perf_tbl[] array.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu\n\nKCSAN reports a data race when access the krcp->monitor_work.timer.expires\nvariable in the schedule_delayed_monitor_work() function:\n\n<snip>\nBUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu\n\nread to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:\n schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]\n kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839\n trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441\n bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203\n generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849\n bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143\n __sys_bpf+0x2e5/0x7a0\n __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]\n __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739\n x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nwrite to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:\n __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173\n add_timer_global+0x51/0x70 kernel/time/timer.c:1330\n __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523\n queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552\n queue_delayed_work include/linux/workqueue.h:677 [inline]\n schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]\n kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310\n worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391\n kthread+0x1d1/0x210 kernel/kthread.c:389\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nReported by Kernel 
Concurrency Sanitizer on:\nCPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_unbound kfree_rcu_monitor\n<snip>\n\nkfree_rcu_monitor() rearms the work if a \"krcp\" has to be still\noffloaded and this is done without holding krcp->lock, whereas\nthe kvfree_call_rcu() holds it.\n\nFix it by acquiring the \"krcp->lock\" for kfree_rcu_monitor() so\nboth functions do not race anymore.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/bluefield: Fix potential integer overflow\n\nThe 64-bit argument for the \"get DIMM info\" SMC call consists of mem_ctrl_idx\nleft-shifted 16 bits and OR-ed with DIMM index.  With mem_ctrl_idx defined as\n32-bits wide the left-shift operation truncates the upper 16 bits of\ninformation during the calculation of the SMC argument.\n\nThe mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any\npotential integer overflow, i.e. loss of data from upper 16 bits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat/qat_4xxx - fix off by one in uof_get_name()\n\nThe fw_objs[] array has \"num_objs\" elements so the > needs to be >= to\nprevent an out of bounds read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat/qat_420xx - fix off by one in uof_get_name()\n\nThis is called from uof_get_name_420xx() where \"num_objs\" is the\nARRAY_SIZE() of fw_objs[].  The > needs to be >= to prevent an out of\nbounds access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ordering of qlen adjustment\n\nChanges to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen\n_before_ a call to said function because otherwise it may fail to notify\nparent qdiscs when the child is about to become empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: intc: Fix use-after-free bug in register_intc_controller()\n\nIn the error handling for this function, d is freed without ever\nremoving it from intc_list which would lead to a use after free.\nTo fix this, let's only add it to the list after everything has\nsucceeded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix bfqq uaf in bfq_limit_depth()\n\nSetting a newly allocated bfqq to bic or removing a freed bfqq from bic are both\nprotected by bfqd->lock; however, bfq_limit_depth() is dereferencing bfqq\nfrom bic without the lock, which can lead to UAF if the io_context is\nshared by multiple tasks.\n\nFor example, testing bfq with io_uring can trigger the following UAF in v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x47/0x80\n print_address_description.constprop.0+0x66/0x300\n print_report+0x3e/0x70\n kasan_report+0xb4/0xf0\n bfqq_group+0x15/0x50\n bfqq_request_over_limit+0x130/0x9a0\n bfq_limit_depth+0x1b5/0x480\n __blk_mq_alloc_requests+0x2b5/0xa00\n blk_mq_get_new_requests+0x11d/0x1d0\n blk_mq_submit_bio+0x286/0xb00\n submit_bio_noacct_nocheck+0x331/0x400\n __block_write_full_folio+0x3d0/0x640\n writepage_cb+0x3b/0xc0\n write_cache_pages+0x254/0x6c0\n write_cache_pages+0x254/0x6c0\n do_writepages+0x192/0x310\n filemap_fdatawrite_wbc+0x95/0xc0\n __filemap_fdatawrite_range+0x99/0xd0\n filemap_write_and_wait_range.part.0+0x4d/0xa0\n blkdev_read_iter+0xef/0x1e0\n io_read+0x1b6/0x8a0\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nAllocated by task 808602:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x83/0x90\n kmem_cache_alloc_node+0x1b1/0x6d0\n bfq_get_queue+0x138/0xfa0\n bfq_get_bfqq_handle_split+0xe3/0x2c0\n bfq_init_rq+0x196/0xbb0\n bfq_insert_request.isra.0+0xb5/0x480\n bfq_insert_requests+0x156/0x180\n blk_mq_insert_request+0x15d/0x440\n blk_mq_submit_bio+0x8a4/0xb00\n submit_bio_noacct_nocheck+0x331/0x400\n __blkdev_direct_IO_async+0x2dd/0x330\n blkdev_write_iter+0x39a/0x450\n io_write+0x22a/0x840\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x1b/0x30\n\nFreed by task 808589:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x27/0x40\n __kasan_slab_free+0x126/0x1b0\n kmem_cache_free+0x10c/0x750\n bfq_put_queue+0x2dd/0x770\n __bfq_insert_request.isra.0+0x155/0x7a0\n bfq_insert_request.isra.0+0x122/0x480\n bfq_insert_requests+0x156/0x180\n blk_mq_dispatch_plug_list+0x528/0x7e0\n blk_mq_flush_plug_list.part.0+0xe5/0x590\n __blk_flush_plug+0x3b/0x90\n blk_finish_plug+0x40/0x60\n do_writepages+0x19d/0x310\n filemap_fdatawrite_wbc+0x95/0xc0\n __filemap_fdatawrite_range+0x99/0xd0\n filemap_write_and_wait_range.part.0+0x4d/0xa0\n blkdev_read_iter+0xef/0x1e0\n io_read+0x1b6/0x8a0\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x1b/0x30\n\nFix the problem by protecting bic_to_bfqq() with bfqd->lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/blocklayout: Don't attempt unregister for invalid block device\n\nSince commit d869da91cccb (\"nfs/blocklayout: Fix premature PR key\nunregistration\") an unmount of a pNFS SCSI layout-enabled NFS may\ndereference a NULL block_device in:\n\n  bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver]\n  bl_free_device+0x70/0x80 [blocklayoutdriver]\n  bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver]\n  nfs4_put_deviceid_node+0x60/0xc0 [nfsv4]\n  nfs4_deviceid_purge_client+0x132/0x190 [nfsv4]\n  unset_pnfs_layoutdriver+0x59/0x60 [nfsv4]\n  nfs4_destroy_server+0x36/0x70 [nfsv4]\n  nfs_free_server+0x23/0xe0 [nfs]\n  deactivate_locked_super+0x30/0xb0\n  cleanup_mnt+0xba/0x150\n  task_work_run+0x59/0x90\n  syscall_exit_to_user_mode+0x217/0x220\n  do_syscall_64+0x8e/0x160\n\nThis happens because even though we were able to create the\nnfs4_deviceid_node, the lookup for the device was unable to attach the\nblock device to the pnfs_block_dev.\n\nIf we never found a block device to register, we can avoid this case with\nthe PNFS_BDEV_REGISTERED flag.  Move the deref behind the test for the\nflag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix one UAF issue caused by sunrpc kernel tcp socket\n\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0\nRead of size 1 at addr ffff888111f322cd by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x68/0xa0\n print_address_description.constprop.0+0x2c/0x3d0\n print_report+0xb4/0x270\n kasan_report+0xbd/0xf0\n tcp_write_timer_handler+0x156/0x3e0\n tcp_write_timer+0x66/0x170\n call_timer_fn+0xfb/0x1d0\n __run_timers+0x3f8/0x480\n run_timer_softirq+0x9b/0x100\n handle_softirqs+0x153/0x390\n __irq_exit_rcu+0x103/0x120\n irq_exit_rcu+0xe/0x20\n sysvec_apic_timer_interrupt+0x76/0x90\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\nCode: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90\n 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc\n cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90\nRSP: 0018:ffffffffa2007e28 EFLAGS: 00000242\nRAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d\nR10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000\nR13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0\n default_idle_call+0x6b/0xa0\n cpuidle_idle_call+0x1af/0x1f0\n do_idle+0xbc/0x130\n cpu_startup_entry+0x33/0x40\n rest_init+0x11f/0x210\n start_kernel+0x39a/0x420\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x97/0xa0\n common_startup_64+0x13e/0x141\n </TASK>\n\nAllocated by task 595:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x87/0x90\n kmem_cache_alloc_noprof+0x12b/0x3f0\n copy_net_ns+0x94/0x380\n create_new_namespaces+0x24c/0x500\n unshare_nsproxy_namespaces+0x75/0xf0\n ksys_unshare+0x24e/0x4f0\n __x64_sys_unshare+0x1f/0x30\n do_syscall_64+0x70/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 100:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x54/0x70\n kmem_cache_free+0x156/0x5d0\n cleanup_net+0x5d3/0x670\n process_one_work+0x776/0xa90\n worker_thread+0x2e2/0x560\n kthread+0x1a8/0x1f0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n\nReproduction script:\n\nmkdir -p /mnt/nfsshare\nmkdir -p /mnt/nfs/netns_1\nmkfs.ext4 /dev/sdb\nmount /dev/sdb /mnt/nfsshare\nsystemctl restart nfs-server\nchmod 777 /mnt/nfsshare\nexportfs -i -o rw,no_root_squash *:/mnt/nfsshare\n\nip netns add netns_1\nip link add name veth_1_peer type veth peer veth_1\nifconfig veth_1_peer 11.11.0.254 up\nip link set veth_1 netns netns_1\nip netns exec netns_1 ifconfig veth_1 11.11.0.1\n\nip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \\\n\t--tcp-flags FIN FIN  -j DROP\n\n(note: In my environment, a DESTROY_CLIENTID operation is always sent\n immediately, breaking the nfs tcp connection.)\nip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \\\n\t11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1\n\nip netns del netns_1\n\nThe reason here is that the tcp socket in netns_1 (nfs side) has been\nshut down and closed (done in xs_destroy), but the FIN message (with ack)\nis discarded, and the nfsd side keeps sending retransmission messages.\nAs a result, when the tcp sock in netns_1 processes the received message,\nit sends the message (FIN message) in the sending queue, and the tcp timer\nis re-established. When the network namespace is deleted, the net structure\naccessed by tcp's timer handler function causes problems.\n\nTo fix this problem, let's hold netns refcnt for the tcp kernel socket as\ndone in other modules. This is an ugly hack which can easily be backported\nto earlier kernels. A proper fix which cleans up the interfaces will\nfollow, but may not be so easy to backport.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: fix kernel crash while shutting down controller\n\nThe nvme keep-alive operation, which executes at a periodic interval,\ncould potentially sneak in while shutting down a fabric controller.\nThis may lead to a race between the fabric controller admin queue\ndestroy code path (invoked while shutting down controller) and hw/hctx\nqueue dispatcher called from the nvme keep-alive async request queuing\noperation. This race could lead to the kernel crash shown below:\n\nCall Trace:\n    autoremove_wake_function+0x0/0xbc (unreliable)\n    __blk_mq_sched_dispatch_requests+0x114/0x24c\n    blk_mq_sched_dispatch_requests+0x44/0x84\n    blk_mq_run_hw_queue+0x140/0x220\n    nvme_keep_alive_work+0xc8/0x19c [nvme_core]\n    process_one_work+0x200/0x4e0\n    worker_thread+0x340/0x504\n    kthread+0x138/0x140\n    start_kernel_thread+0x14/0x18\n\nWhile shutting down the fabric controller, if an nvme keep-alive request sneaks\nin then it would be flushed off. The nvme_keep_alive_end_io function is\nthen invoked to handle the end of the keep-alive operation, which\ndecrements the admin->q_usage_counter; assuming this is the last/only\nrequest in the admin queue, the admin->q_usage_counter becomes zero.\nIf that happens then the blk-mq destroy queue operation (blk_mq_destroy_\nqueue()), which could potentially be running simultaneously on another\ncpu (as this is the controller shutdown code path), would make forward\nprogress and delete the admin queue. So, from this point onward\nwe are not supposed to access the admin queue resources. However the\nissue here is that the nvme keep-alive thread running the hw/hctx queue\ndispatch operation hasn't yet finished its work and so it could still\npotentially access the admin queue resource while the admin queue had\nalready been deleted, and that causes the above crash.\n\nThe above kernel crash is a regression caused by changes implemented\nin commit a54a93d0e359 (\"nvme: move stopping keep-alive into\nnvme_uninit_ctrl()\"). Ideally we should stop keep-alive before destroying\nthe admin queue and freeing the admin tagset so that it wouldn't sneak\nin during the shutdown operation. However we removed the keep alive stop\noperation from the beginning of the controller shutdown code path in commit\na54a93d0e359 (\"nvme: move stopping keep-alive into nvme_uninit_ctrl()\")\nand added it under nvme_uninit_ctrl() which executes very late in the\nshutdown code path after the admin queue is destroyed and its tagset is\nremoved. So this change created the possibility of keep-alive sneaking in\nand interfering with the shutdown operation and causing the observed kernel\ncrash.\n\nTo fix the observed crash, we decided to move nvme_stop_keep_alive() from\nnvme_uninit_ctrl() to nvme_remove_admin_tag_set(). This change would ensure\nthat we don't forward progress and delete the admin queue until the keep-\nalive operation is finished (if it's in-flight) or cancelled and that would\nhelp contain the race condition explained above and hence avoid the crash.\n\nMoving nvme_stop_keep_alive() to nvme_remove_admin_tag_set() instead of\nadding nvme_stop_keep_alive() to the beginning of the controller shutdown\ncode path in nvme_stop_ctrl(), as was the case earlier before commit\na54a93d0e359 (\"nvme: move stopping keep-alive into nvme_uninit_ctrl()\"),\nwould help save one callsite of nvme_stop_keep_alive().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disks like scsi, the following\nblk_mq_destroy_queue() will not clear the flush rq from tags->rqs[] either,\ncausing the following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n\nAfter an insertion in TNC, the tree might split and cause a node to\nchange its `znode->parent`. After a further deletion of other nodes in the\ntree (which could also free the nodes), the aforementioned node's\n`znode->cparent` could still point to a freed node. This\n`znode->cparent` may not be updated when getting nodes to commit in\n`ubifs_tnc_start_commit()`. This could then trigger a use-after-free\nwhen accessing the `znode->cparent` in `write_index()` in\n`ubifs_tnc_end_commit()`.\n\nThis can be triggered by running\n\n  rm -f /etc/test-file.bin\n  dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync\n\nin a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then\nreports:\n\n  BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950\n  Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153\n\n  Call trace:\n   dump_backtrace+0x0/0x340\n   show_stack+0x18/0x24\n   dump_stack_lvl+0x9c/0xbc\n   print_address_description.constprop.0+0x74/0x2b0\n   kasan_report+0x1d8/0x1f0\n   kasan_check_range+0xf8/0x1a0\n   memcpy+0x84/0xf4\n   ubifs_tnc_end_commit+0xa5c/0x1950\n   do_commit+0x4e0/0x1340\n   ubifs_bg_thread+0x234/0x2e0\n   kthread+0x36c/0x410\n   ret_from_fork+0x10/0x20\n\n  Allocated by task 401:\n   kasan_save_stack+0x38/0x70\n   __kasan_kmalloc+0x8c/0xd0\n   __kmalloc+0x34c/0x5bc\n   tnc_insert+0x140/0x16a4\n   ubifs_tnc_add+0x370/0x52c\n   ubifs_jnl_write_data+0x5d8/0x870\n   do_writepage+0x36c/0x510\n   ubifs_writepage+0x190/0x4dc\n   __writepage+0x58/0x154\n   write_cache_pages+0x394/0x830\n   do_writepages+0x1f0/0x5b0\n   filemap_fdatawrite_wbc+0x170/0x25c\n   file_write_and_wait_range+0x140/0x190\n   ubifs_fsync+0xe8/0x290\n   vfs_fsync_range+0xc0/0x1e4\n   do_fsync+0x40/0x90\n   __arm64_sys_fsync+0x34/0x50\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\n  Freed by task 403:\n   kasan_save_stack+0x38/0x70\n   kasan_set_track+0x28/0x40\n   kasan_set_free_info+0x28/0x4c\n   __kasan_slab_free+0xd4/0x13c\n   kfree+0xc4/0x3a0\n   tnc_delete+0x3f4/0xe40\n   ubifs_tnc_remove_range+0x368/0x73c\n   ubifs_tnc_remove_ino+0x29c/0x2e0\n   ubifs_jnl_delete_inode+0x150/0x260\n   ubifs_evict_inode+0x1d4/0x2e4\n   evict+0x1c8/0x450\n   iput+0x2a0/0x3c4\n   do_unlinkat+0x2cc/0x490\n   __arm64_sys_unlinkat+0x90/0x100\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\nThe offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free\nwhen a node becomes root in TNC but still has a `cparent` to an already\nfreed node. More specifically, consider the following TNC:\n\n         zroot\n         /\n        /\n      zp1\n      /\n     /\n    zn\n\nInserting a new node `zn_new` with a key smaller than `zn` will trigger\na split in `tnc_insert()` if `zp1` is full:\n\n         zroot\n         /   \\\n        /     \\\n      zp1     zp2\n      /         \\\n     /           \\\n  zn_new          zn\n\n`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still\npoints to `zp1`.\n\nNow, consider a removal of all the nodes _except_ `zn`. Just when\n`tnc_delete()` is about to delete `zroot` and `zp2`:\n\n         zroot\n             \\\n              \\\n              zp2\n                \\\n                 \\\n                 zn\n\n`zroot` and `zp2` get freed and the tree collapses:\n\n           zn\n\n`zn` now becomes the new `zroot`.\n\n`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and\n`write_index()` will check its `znode->cparent` that wrongly points to\nthe already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called\nwith `znode->cparent->zbranch[znode->iip].hash` that triggers the\nuse-after-free!\n\nFix this by explicitly setting `znode->cparent` to `NULL` in\n`get_znodes_to_commit()` for the root node. The search for the dirty\nnodes\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: fastmap: Fix duplicate slab cache names while attaching\n\nSince commit 4c39529663b9 (\"slab: Warn on duplicate cache names when\nDEBUG_VM=y\"), the duplicate slab cache names can be detected and a\nkernel WARNING is thrown out.\nIn UBI fast attaching process, alloc_ai() could be invoked twice\nwith the same slab cache name 'ubi_aeb_slab_cache', which will trigger\nfollowing warning messages:\n kmem_cache of name 'ubi_aeb_slab_cache' already exists\n WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107\n          __kmem_cache_create_args+0x100/0x5f0\n Modules linked in: ubi(+) nandsim [last unloaded: nandsim]\n CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2\n RIP: 0010:__kmem_cache_create_args+0x100/0x5f0\n Call Trace:\n   __kmem_cache_create_args+0x100/0x5f0\n   alloc_ai+0x295/0x3f0 [ubi]\n   ubi_attach+0x3c3/0xcc0 [ubi]\n   ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi]\n   ubi_init+0x3fb/0x800 [ubi]\n   do_init_module+0x265/0x7d0\n   __x64_sys_finit_module+0x7a/0xc0\n\nThe problem could be easily reproduced by loading UBI device by fastmap\nwith CONFIG_DEBUG_VM=y.\nFix it by using different slab names for alloc_ai() callers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.0: Fix a use-after-free problem in the asynchronous open()\n\nYang Erkun reports that when two threads are opening files at the same\ntime, and are forced to abort before a reply is seen, then the call to\nnfs_release_seqid() in nfs4_opendata_free() can result in a\nuse-after-free of the pointer to the defunct rpc task of the other\nthread.\nThe fix is to ensure that if the RPC call is aborted before the call to\nnfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()\nin nfs4_open_release() before the rpc_task is freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: make sure cache entry active before cache_show\n\nThe function `c_show` was called with protection from RCU. This only\nensures that `cp` will not be freed. Therefore, the reference count for\n`cp` can drop to zero, which will trigger a refcount use-after-free\nwarning when `cache_get` is called. To resolve this issue, use\n`cache_get_rcu` to ensure that `cp` remains active.\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 822 at lib/refcount.c:25\nrefcount_warn_saturate+0xb1/0x120\nCPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb1/0x120\n\nCall Trace:\n <TASK>\n c_show+0x2fc/0x380 [sunrpc]\n seq_read_iter+0x589/0x770\n seq_read+0x1e5/0x270\n proc_reg_read+0xe1/0x140\n vfs_read+0x125/0x530\n ksys_read+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix memleak if msg_init_ns failed in create_ipc_ns\n\nPercpu memory allocation may fail during create_ipc_ns; however, this\nfailure is not handled properly since the ipc sysctls and mq sysctls are not\nreleased properly. Fix this by releasing these two resources on failure.\n\nHere is the kmemleak stack when percpu failed:\n\nunreferenced object 0xffff88819de2a600 (size 512):\n  comm \"shmem_2nstest\", pid 120711, jiffies 4300542254\n  hex dump (first 32 bytes):\n    60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff  `.........H.....\n    04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff  ........ .V.....\n  backtrace (crc be7cba35):\n    [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420\n    [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50\n    [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0\n    [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0\n    [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920\n    [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0\n    [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0\n    [<ffffffff8154b080>] kernel_clone+0xc0/0x650\n    [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0\n    [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0\n    [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: During unmount, ensure all cached dir instances drop their dentry\n\nThe unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can\nrace with various cached directory operations, which ultimately results\nin dentries not being dropped and these kernel BUGs:\n\nBUG: Dentry ffff88814f37e358{i=1000000000080,n=/}  still in use (2) [unmount of cifs cifs]\nVFS: Busy inodes after unmount of cifs (cifs)\n------------[ cut here ]------------\nkernel BUG at fs/super.c:661!\n\nThis happens when a cfid is in the process of being cleaned up when, and\nhas been removed from the cfids->entries list, including:\n\n- Receiving a lease break from the server\n- Server reconnection triggers invalidate_all_cached_dirs(), which\n  removes all the cfids from the list\n- The laundromat thread decides to expire an old cfid.\n\nTo solve these problems, dropping the dentry is done in queued work done\nin a newly-added cfid_put_wq workqueue, and close_all_cached_dirs()\nflushes that workqueue after it drops all the dentries of which it's\naware. This is a global workqueue (rather than scoped to a mount), but\nthe queued work is minimal.\n\nThe final cleanup work for cleaning up a cfid is performed via work\nqueued in the serverclose_wq workqueue; this is done separate from\ndropping the dentries so that close_all_cached_dirs() doesn't block on\nany server operations.\n\nBoth of these queued works expect to invoked with a cfid reference and\na tcon reference to avoid those objects from being freed while the work\nis ongoing.\n\nWhile we're here, add proper locking to close_all_cached_dirs(), and\nlocking around the freeing of cfid->dentry.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: prevent use-after-free due to open_cached_dir error paths\n\nIf open_cached_dir() encounters an error parsing the lease from the\nserver, the error handling may race with receiving a lease break,\nresulting in open_cached_dir() freeing the cfid while the queued work is\npending.\n\nUpdate open_cached_dir() to drop refs rather than directly freeing the\ncfid.\n\nHave cached_dir_lease_break(), cfids_laundromat_worker(), and\ninvalidate_all_cached_dirs() clear has_lease immediately while still\nholding cfids->cfid_list_lock, and then use this to also simplify the\nreference counting in cfids_laundromat_worker() and\ninvalidate_all_cached_dirs().\n\nFixes this KASAN splat (which manually injects an error and lease break\nin open_cached_dir()):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0\nRead of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65\n\nCPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87\nHardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nWorkqueue: cifsiod smb2_cached_lease_break\nCall Trace:\n <TASK>\n dump_stack_lvl+0x77/0xb0\n print_report+0xce/0x660\n kasan_report+0xd3/0x110\n smb2_cached_lease_break+0x27/0xb0\n process_one_work+0x50a/0xc50\n worker_thread+0x2ba/0x530\n kthread+0x17c/0x1c0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 2464:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n open_cached_dir+0xa7d/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2464:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x51/0x70\n kfree+0x174/0x520\n open_cached_dir+0x97f/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n __kasan_record_aux_stack+0xad/0xc0\n insert_work+0x32/0x100\n __queue_work+0x5c9/0x870\n queue_work_on+0x82/0x90\n open_cached_dir+0x1369/0x1fb0\n smb2_query_path_info+0x43c/0x6e0\n cifs_get_fattr+0x346/0xf10\n cifs_get_inode_info+0x157/0x210\n cifs_revalidate_dentry_attr+0x2d1/0x460\n cifs_getattr+0x173/0x470\n vfs_statx_path+0x10f/0x160\n vfs_statx+0xe9/0x150\n vfs_fstatat+0x5e/0xc0\n __do_sys_newfstatat+0x91/0xf0\n do_syscall_64+0x95/0x1a0\n 
entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe buggy address belongs to the object at ffff88811cc24c00\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 16 bytes inside of\n freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Don't leak cfid when reconnect races with open_cached_dir\n\nopen_cached_dir() may either race with the tcon reconnection even before\ncompound_send_recv() or directly trigger a reconnection via\nSMB2_open_init() or SMB_query_info_init().\n\nThe reconnection process invokes invalidate_all_cached_dirs() via\ncifs_mark_open_files_invalid(), which removes all cfids from the\ncfids->entries list but doesn't drop a ref if has_lease isn't true. This\nresults in the currently-being-constructed cfid not being on the list,\nbut still having a refcount of 2. It leaks if returned from\nopen_cached_dir().\n\nFix this by setting cfid->has_lease when the ref is actually taken; the\ncfid will not be used by other threads until it has a valid time.\n\nAddresses these kmemleaks:\n\nunreferenced object 0xffff8881090c4000 (size 1024):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 32 bytes):\n    00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........\".......\n    00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff  ..E\"......O.....\n  backtrace (crc 6f58c20f):\n    [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350\n    [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0\n    [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50\n    [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0\n    [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200\n    [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0\n    [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e\nunreferenced object 0xffff8881044fdcf8 (size 8):\n  comm \"bash\", pid 1860, jiffies 4295126592\n  hex dump (first 8 bytes):\n    00 cc cc cc cc cc cc cc                          ........\n  backtrace (crc 10c106a9):\n    [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480\n    [<ffffffff8b7d7256>] kstrdup+0x36/0x60\n    [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0\n    [<ffffffff8bdaa750>] 
cifs_readdir+0x15a0/0x1d50\n    [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0\n    [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200\n    [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0\n    [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAnd addresses these BUG splats when unmounting the SMB filesystem:\n\nBUG: Dentry ffff888140590ba0{i=1000000000080,n=/}  still in use (2) [unmount of cifs cifs]\nWARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100\nModules linked in:\nCPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:umount_check+0xd0/0x100\nCode: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41\nRSP: 0018:ffff88811cc27978 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40\nRBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3\nR10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08\nR13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0\nFS:  00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n d_walk+0x6a/0x530\n shrink_dcache_for_umount+0x6a/0x200\n generic_shutdown_super+0x52/0x2a0\n kill_anon_super+0x22/0x40\n cifs_kill_sb+0x159/0x1e0\n deactivate_locked_super+0x66/0xe0\n cleanup_mnt+0x140/0x210\n task_work_run+0xfb/0x170\n syscall_exit_to_user_mode+0x29f/0x2b0\n do_syscall_64+0xa1/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f23bfb93ae7\nCode: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff 
eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free of signing key\n\nCustomers have reported use-after-free in @ses->auth_key.response with\nSMB2.1 + sign mounts which occurs due to following race:\n\ntask A                         task B\ncifs_mount()\n dfs_mount_share()\n  get_session()\n   cifs_mount_get_session()    cifs_send_recv()\n    cifs_get_smb_ses()          compound_send_recv()\n     cifs_setup_session()        smb2_setup_request()\n      kfree_sensitive()           smb2_calc_signature()\n                                   crypto_shash_setkey() *UAF*\n\nFix this by ensuring that we have a valid @ses->auth_key.response by\nchecking whether @ses->ses_status is SES_GOOD or SES_EXITING with\n@ses->ses_lock held.  After commit 24a9799aa8ef (\"smb: client: fix UAF\nin smb2_reconnect_server()\"), we made sure to call ->logoff() only\nwhen @ses was known to be good (e.g. valid ->auth_key.response), so\nit's safe to access signing key when @ses->ses_status == SES_EXITING.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Add sanity NULL check for the default mmap fault handler\n\nA driver might allow the mmap access before initializing its\nruntime->dma_area properly.  Add a proper NULL check before passing to\nvirt_to_page() for avoiding a panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: vector: Do not use drvdata in release\n\nThe drvdata is not available in release. Let's just use container_of()\nto get the vector_device instance. Otherwise, removing a vector device\nwill result in a crash:\n\nRIP: 0033:vector_device_release+0xf/0x50\nRSP: 00000000e187bc40  EFLAGS: 00010202\nRAX: 0000000060028f61 RBX: 00000000600f1baf RCX: 00000000620074e0\nRDX: 000000006220b9c0 RSI: 0000000060551c80 RDI: 0000000000000000\nRBP: 00000000e187bc50 R08: 00000000603ad594 R09: 00000000e187bb70\nR10: 000000000000135a R11: 00000000603ad422 R12: 00000000623ae028\nR13: 000000006287a200 R14: 0000000062006d30 R15: 00000000623700b6\nKernel panic - not syncing: Segfault with no mm\nCPU: 0 UID: 0 PID: 16 Comm: kworker/0:1 Not tainted 6.12.0-rc6-g59b723cd2adb #1\nWorkqueue: events mc_work_proc\nStack:\n 60028f61 623ae028 e187bc80 60276fcd\n 6220b9c0 603f5820 623ae028 00000000\n e187bcb0 603a2bcd 623ae000 62370010\nCall Trace:\n [<60028f61>] ? vector_device_release+0x0/0x50\n [<60276fcd>] device_release+0x70/0xba\n [<603a2bcd>] kobject_put+0xba/0xe7\n [<60277265>] put_device+0x19/0x1c\n [<60281266>] platform_device_put+0x26/0x29\n [<60281e5f>] platform_device_unregister+0x2c/0x2e\n [<60029422>] vector_remove+0x52/0x58\n [<60031316>] ? mconsole_reply+0x0/0x50\n [<600310c8>] mconsole_remove+0x160/0x1cc\n [<603b19f4>] ? strlen+0x0/0x15\n [<60066611>] ? __dequeue_entity+0x1a9/0x206\n [<600666a7>] ? set_next_entity+0x39/0x63\n [<6006666e>] ? set_next_entity+0x0/0x63\n [<60038fa6>] ? um_set_signals+0x0/0x43\n [<6003070c>] mc_work_proc+0x77/0x91\n [<60057664>] process_scheduled_works+0x1b3/0x2dd\n [<60055f32>] ? assign_work+0x0/0x58\n [<60057f0a>] worker_thread+0x1e9/0x293\n [<6005406f>] ? set_pf_worker+0x0/0x64\n [<6005d65d>] ? arch_local_irq_save+0x0/0x2d\n [<6005d748>] ? kthread_exit+0x0/0x3a\n [<60057d21>] ? 
worker_thread+0x0/0x293\n [<6005dbf1>] kthread+0x126/0x12b\n [<600219c5>] new_thread_handler+0x85/0xb6",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()\"\n\nThis reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de.\n\nThe bic is associated with sync_bfqq, and bfq_release_process_ref cannot\nbe put into bfq_put_cooperator.\n\nkasan report:\n[  400.347277] ==================================================================\n[  400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230\n[  400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800\n[  400.347430]\n[  400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32\n[  400.347450] Tainted: [E]=UNSIGNED_MODULE\n[  400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022\n[  400.347460] Call Trace:\n[  400.347464]  <TASK>\n[  400.347468]  dump_stack_lvl+0x5d/0x80\n[  400.347490]  print_report+0x174/0x505\n[  400.347521]  kasan_report+0xe0/0x160\n[  400.347541]  bic_set_bfqq+0x200/0x230\n[  400.347549]  bfq_bic_update_cgroup+0x419/0x740\n[  400.347560]  bfq_bio_merge+0x133/0x320\n[  400.347584]  blk_mq_submit_bio+0x1761/0x1e20\n[  400.347625]  __submit_bio+0x28b/0x7b0\n[  400.347664]  submit_bio_noacct_nocheck+0x6b2/0xd30\n[  400.347690]  iomap_readahead+0x50c/0x680\n[  400.347731]  read_pages+0x17f/0x9c0\n[  400.347785]  page_cache_ra_unbounded+0x366/0x4a0\n[  400.347795]  filemap_fault+0x83d/0x2340\n[  400.347819]  __xfs_filemap_fault+0x11a/0x7d0 [xfs]\n[  400.349256]  __do_fault+0xf1/0x610\n[  400.349270]  do_fault+0x977/0x11a0\n[  400.349281]  __handle_mm_fault+0x5d1/0x850\n[  400.349314]  handle_mm_fault+0x1f8/0x560\n[  400.349324]  do_user_addr_fault+0x324/0x970\n[  400.349337]  exc_page_fault+0x76/0xf0\n[  400.349350]  asm_exc_page_fault+0x26/0x30\n[  400.349360] RIP: 0033:0x55a480d77375\n[  400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc 
cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 <83> 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80\n[  400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216\n[  400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000\n[  400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000\n[  400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80\n[  400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008\n[  400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000\n[  400.349430]  </TASK>\n[  400.349452]\n[  400.349454] Allocated by task 5800:\n[  400.349459]  kasan_save_stack+0x30/0x50\n[  400.349469]  kasan_save_track+0x14/0x30\n[  400.349475]  __kasan_slab_alloc+0x89/0x90\n[  400.349482]  kmem_cache_alloc_node_noprof+0xdc/0x2a0\n[  400.349492]  bfq_get_queue+0x1ef/0x1100\n[  400.349502]  __bfq_get_bfqq_handle_split+0x11a/0x510\n[  400.349511]  bfq_insert_requests+0xf55/0x9030\n[  400.349519]  blk_mq_flush_plug_list+0x446/0x14c0\n[  400.349527]  __blk_flush_plug+0x27c/0x4e0\n[  400.349534]  blk_finish_plug+0x52/0xa0\n[  400.349540]  _xfs_buf_ioapply+0x739/0xc30 [xfs]\n[  400.350246]  __xfs_buf_submit+0x1b2/0x640 [xfs]\n[  400.350967]  xfs_buf_read_map+0x306/0xa20 [xfs]\n[  400.351672]  xfs_trans_read_buf_map+0x285/0x7d0 [xfs]\n[  400.352386]  xfs_imap_to_bp+0x107/0x270 [xfs]\n[  400.353077]  xfs_iget+0x70d/0x1eb0 [xfs]\n[  400.353786]  xfs_lookup+0x2ca/0x3a0 [xfs]\n[  400.354506]  xfs_vn_lookup+0x14e/0x1a0 [xfs]\n[  400.355197]  __lookup_slow+0x19c/0x340\n[  400.355204]  lookup_one_unlocked+0xfc/0x120\n[  400.355211]  ovl_lookup_single+0x1b3/0xcf0 [overlay]\n[  400.355255]  ovl_lookup_layer+0x316/0x490 [overlay]\n[  400.355295]  ovl_lookup+0x844/0x1fd0 [overlay]\n[  400.355351]  lookup_one_qstr_excl+0xef/0x150\n[  400.355357]  do_unlinkat+0x22a/0x620\n[  400.355366]  __x64_sys_unlinkat+0x109/0x1e0\n[  
400.355375]  do_syscall_64+0x82/0x160\n[  400.355384]  entry_SYSCALL_64_after_hwframe+0x76/0x7\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: net: Do not use drvdata in release\n\nThe drvdata is not available in release. Let's just use container_of()\nto get the uml_net instance. Otherwise, removing a network device will\nresult in a crash:\n\nRIP: 0033:net_device_release+0x10/0x6f\nRSP: 00000000e20c7c40  EFLAGS: 00010206\nRAX: 000000006002e4e7 RBX: 00000000600f1baf RCX: 00000000624074e0\nRDX: 0000000062778000 RSI: 0000000060551c80 RDI: 00000000627af028\nRBP: 00000000e20c7c50 R08: 00000000603ad594 R09: 00000000e20c7b70\nR10: 000000000000135a R11: 00000000603ad422 R12: 0000000000000000\nR13: 0000000062c7af00 R14: 0000000062406d60 R15: 00000000627700b6\nKernel panic - not syncing: Segfault with no mm\nCPU: 0 UID: 0 PID: 29 Comm: kworker/0:2 Not tainted 6.12.0-rc6-g59b723cd2adb #1\nWorkqueue: events mc_work_proc\nStack:\n 627af028 62c7af00 e20c7c80 60276fcd\n 62778000 603f5820 627af028 00000000\n e20c7cb0 603a2bcd 627af000 62770010\nCall Trace:\n [<60276fcd>] device_release+0x70/0xba\n [<603a2bcd>] kobject_put+0xba/0xe7\n [<60277265>] put_device+0x19/0x1c\n [<60281266>] platform_device_put+0x26/0x29\n [<60281e5f>] platform_device_unregister+0x2c/0x2e\n [<6002ec9c>] net_remove+0x63/0x69\n [<60031316>] ? mconsole_reply+0x0/0x50\n [<600310c8>] mconsole_remove+0x160/0x1cc\n [<60087d40>] ? __remove_hrtimer+0x38/0x74\n [<60087ff8>] ? hrtimer_try_to_cancel+0x8c/0x98\n [<6006b3cf>] ? dl_server_stop+0x3f/0x48\n [<6006b390>] ? dl_server_stop+0x0/0x48\n [<600672e8>] ? dequeue_entities+0x327/0x390\n [<60038fa6>] ? um_set_signals+0x0/0x43\n [<6003070c>] mc_work_proc+0x77/0x91\n [<60057664>] process_scheduled_works+0x1b3/0x2dd\n [<60055f32>] ? assign_work+0x0/0x58\n [<60057f0a>] worker_thread+0x1e9/0x293\n [<6005406f>] ? set_pf_worker+0x0/0x64\n [<6005d65d>] ? arch_local_irq_save+0x0/0x2d\n [<6005d748>] ? kthread_exit+0x0/0x3a\n [<60057d21>] ? 
worker_thread+0x0/0x293\n [<6005dbf1>] kthread+0x126/0x12b\n [<600219c5>] new_thread_handler+0x85/0xb6",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: ubd: Do not use drvdata in release\n\nThe drvdata is not available in release. Let's just use container_of()\nto get the ubd instance. Otherwise, removing a ubd device will result\nin a crash:\n\nRIP: 0033:blk_mq_free_tag_set+0x1f/0xba\nRSP: 00000000e2083bf0  EFLAGS: 00010246\nRAX: 000000006021463a RBX: 0000000000000348 RCX: 0000000062604d00\nRDX: 0000000004208060 RSI: 00000000605241a0 RDI: 0000000000000348\nRBP: 00000000e2083c10 R08: 0000000062414010 R09: 00000000601603f7\nR10: 000000000000133a R11: 000000006038c4bd R12: 0000000000000000\nR13: 0000000060213a5c R14: 0000000062405d20 R15: 00000000604f7aa0\nKernel panic - not syncing: Segfault with no mm\nCPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 6.8.0-rc3-00107-gba3f67c11638 #1\nWorkqueue: events mc_work_proc\nStack:\n 00000000 604f7ef0 62c5d000 62405d20\n e2083c30 6002c776 6002c755 600e47ff\n e2083c60 6025ffe3 04208060 603d36e0\nCall Trace:\n [<6002c776>] ubd_device_release+0x21/0x55\n [<6002c755>] ? ubd_device_release+0x0/0x55\n [<600e47ff>] ? kfree+0x0/0x100\n [<6025ffe3>] device_release+0x70/0xba\n [<60381d6a>] kobject_put+0xb5/0xe2\n [<6026027b>] put_device+0x19/0x1c\n [<6026a036>] platform_device_put+0x26/0x29\n [<6026ac5a>] platform_device_unregister+0x2c/0x2e\n [<6002c52e>] ubd_remove+0xb8/0xd6\n [<6002bb74>] ? mconsole_reply+0x0/0x50\n [<6002b926>] mconsole_remove+0x160/0x1cc\n [<6002bbbc>] ? mconsole_reply+0x48/0x50\n [<6003379c>] ? um_set_signals+0x3b/0x43\n [<60061c55>] ? update_min_vruntime+0x14/0x70\n [<6006251f>] ? dequeue_task_fair+0x164/0x235\n [<600620aa>] ? update_cfs_group+0x0/0x40\n [<603a0e77>] ? __schedule+0x0/0x3ed\n [<60033761>] ? um_set_signals+0x0/0x43\n [<6002af6a>] mc_work_proc+0x77/0x91\n [<600520b4>] process_scheduled_works+0x1af/0x2c3\n [<6004ede3>] ? assign_work+0x0/0x58\n [<600527a1>] worker_thread+0x2f7/0x37a\n [<6004ee3b>] ? set_pf_worker+0x0/0x64\n [<6005765d>] ? 
arch_local_irq_save+0x0/0x2d\n [<60058e07>] ? kthread_exit+0x0/0x3a\n [<600524aa>] ? worker_thread+0x0/0x37a\n [<60058f9f>] kthread+0x130/0x135\n [<6002068e>] new_thread_handler+0x85/0xb6",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix NULL ptr deref in crypto_aead_setkey()\n\nNeither SMB3.0 or SMB3.02 supports encryption negotiate context, so\nwhen SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response,\nthe client uses AES-128-CCM as the default cipher.  See MS-SMB2\n3.3.5.4.\n\nCommit b0abcd65ec54 (\"smb: client: fix UAF in async decryption\") added\na @server->cipher_type check to conditionally call\nsmb3_crypto_aead_allocate(), but that check would always be false as\n@server->cipher_type is unset for SMB3.02.\n\nFix the following KASAN splat by setting @server->cipher_type for\nSMB3.02 as well.\n\nmount.cifs //srv/share /mnt -o vers=3.02,seal,...\n\nBUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130\nRead of size 8 at addr 0000000000000020 by task mount.cifs/1095\nCPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? crypto_aead_setkey+0x2c/0x130\n kasan_report+0xda/0x110\n ? crypto_aead_setkey+0x2c/0x130\n crypto_aead_setkey+0x2c/0x130\n crypt_message+0x258/0xec0 [cifs]\n ? __asan_memset+0x23/0x50\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? mark_lock+0xb0/0x6a0\n ? hlock_class+0x32/0xb0\n ? mark_lock+0xb0/0x6a0\n smb3_init_transform_rq+0x352/0x3f0 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n smb_send_rqst+0x144/0x230 [cifs]\n ? __pfx_smb_send_rqst+0x10/0x10 [cifs]\n ? hlock_class+0x32/0xb0\n ? smb2_setup_request+0x225/0x3a0 [cifs]\n ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]\n compound_send_recv+0x59b/0x1140 [cifs]\n ? __pfx_compound_send_recv+0x10/0x10 [cifs]\n ? __create_object+0x5e/0x90\n ? hlock_class+0x32/0xb0\n ? do_raw_spin_unlock+0x9a/0xf0\n cifs_send_recv+0x23/0x30 [cifs]\n SMB2_tcon+0x3ec/0xb30 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? 
__pfx_lock_release+0x10/0x10\n ? do_raw_spin_trylock+0xc6/0x120\n ? lock_acquire+0x3f/0x90\n ? _get_xid+0x16/0xd0 [cifs]\n ? __pfx_SMB2_tcon+0x10/0x10 [cifs]\n ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n cifs_get_smb_ses+0xcdd/0x10a0 [cifs]\n ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]\n ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]\n cifs_mount_get_session+0x8a/0x210 [cifs]\n dfs_mount_share+0x1b0/0x11d0 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? lock_acquire.part.0+0xf4/0x2a0\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? lock_release+0x203/0x5d0\n cifs_mount+0xb3/0x3d0 [cifs]\n ? do_raw_spin_trylock+0xc6/0x120\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? lock_acquire+0x3f/0x90\n ? find_nls+0x16/0xa0\n ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]\n cifs_smb3_do_mount+0x1e2/0xc80 [cifs]\n ? __pfx_vfs_parse_fs_string+0x10/0x10\n ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]\n smb3_get_tree+0x1bf/0x330 [cifs]\n vfs_get_tree+0x4a/0x160\n path_mount+0x3c1/0xfb0\n ? kasan_quarantine_put+0xc7/0x1d0\n ? __pfx_path_mount+0x10/0x10\n ? kmem_cache_free+0x118/0x3e0\n ? user_path_at+0x74/0xa0\n __x64_sys_mount+0x1a6/0x1e0\n ? __pfx___x64_sys_mount+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:\n  `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using\n  `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls\n  `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn->r_count`,\n  it may still access `conn->r_count_q` in the following line:\n  `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`\n  This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller's support for SMB requests.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for overflows in io_pin_pages\n\nWARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144\nCPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0\nCall Trace:\n <TASK>\n __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183\n io_rings_map io_uring/io_uring.c:2611 [inline]\n io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470\n io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692\n io_uring_setup io_uring/io_uring.c:3781 [inline]\n ...\n </TASK>\n\nio_pin_pages()'s uaddr parameter came directly from the user and can be\ngarbage. Don't just add size to it as it can overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix crash when unbinding\n\nIf there is an error during some initialization related to firmware,\nthe function ath12k_dp_cc_cleanup is called to release resources.\nHowever this is released again when the device is unbinded (ath12k_pci),\nand we get:\nBUG: kernel NULL pointer dereference, address: 0000000000000020\nat RIP: 0010:ath12k_dp_cc_cleanup.part.0+0xb6/0x500 [ath12k]\nCall Trace:\nath12k_dp_cc_cleanup\nath12k_dp_free\nath12k_core_deinit\nath12k_pci_remove\n...\n\nThe issue is always reproducible from a VM because the MSI addressing\ninitialization is failing.\n\nIn order to fix the issue, just set to NULL the released structure in\nath12k_dp_cc_cleanup at the end.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix bounds checker error in nl80211_parse_sched_scan\n\nThe channels array in the cfg80211_scan_request has a __counted_by\nattribute attached to it, which points to the n_channels variable. This\nattribute is used in bounds checking, and if it is not set before the\narray is filled, then the bounds sanitizer will issue a warning or a\nkernel panic if CONFIG_UBSAN_TRAP is set.\n\nThis patch sets the size of allocated memory as the initial value for\nn_channels. It is updated with the actual number of added elements after\nthe array is filled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures\n\nSyzkaller reported a hung task with uevent_show() on stack trace. That\nspecific issue was addressed by another commit [0], but even with that\nfix applied (for example, running v6.12-rc5) we face another type of hung\ntask that comes from the same reproducer [1]. By investigating that, we\ncould narrow it to the following path:\n\n(a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and\ndummy_hcd infrastructure.\n\n(b) During the probe of rtl8192cu, the driver ends-up performing an efuse\nread procedure (which is related to EEPROM load IIUC), and here lies the\nissue: the function read_efuse() calls read_efuse_byte() many times, as\nloop iterations depending on the efuse size (in our example, 512 in total).\n\nThis procedure for reading efuse bytes relies in a loop that performs an\nI/O read up to *10k* times in case of failures. We measured the time of\nthe loop inside read_efuse_byte() alone, and in this reproducer (which\ninvolves the dummy_hcd emulation layer), it takes 15 seconds each. As a\nconsequence, we have the driver stuck in its probe routine for big time,\nexposing a stack trace like below if we attempt to reboot the system, for\nexample:\n\ntask:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __schedule+0xe22/0xeb6\n schedule_timeout+0xe7/0x132\n __wait_for_common+0xb5/0x12e\n usb_start_wait_urb+0xc5/0x1ef\n ? usb_alloc_urb+0x95/0xa4\n usb_control_msg+0xff/0x184\n _usbctrl_vendorreq_sync+0xa0/0x161\n _usb_read_sync+0xb3/0xc5\n read_efuse_byte+0x13c/0x146\n read_efuse+0x351/0x5f0\n efuse_read_all_map+0x42/0x52\n rtl_efuse_shadow_map_update+0x60/0xef\n rtl_get_hwinfo+0x5d/0x1c2\n rtl92cu_read_eeprom_info+0x10a/0x8d5\n ? rtl92c_read_chip_version+0x14f/0x17e\n rtl_usb_probe+0x323/0x851\n usb_probe_interface+0x278/0x34b\n really_probe+0x202/0x4a4\n __driver_probe_device+0x166/0x1b2\n driver_probe_device+0x2f/0xd8\n [...]\n\nWe propose hereby to drastically reduce the attempts of doing the I/O\nreads in case of failures, restricted to USB devices (given that\nthey're inherently slower than PCIe ones). By retrying up to 10 times\n(instead of 10000), we got reponsiveness in the reproducer, while seems\nreasonable to believe that there's no sane USB device implementation in\nthe field requiring this amount of retries at every I/O read in order\nto properly work. Based on that assumption, it'd be good to have it\nbackported to stable but maybe not since driver implementation (the 10k\nnumber comes from day 0), perhaps up to 6.x series makes sense.\n\n[0] Commit 15fffc6a5624 (\"driver core: Fix uevent_show() vs driver detach race\")\n\n[1] A note about that: this syzkaller report presents multiple reproducers\nthat differs by the type of emulated USB device. For this specific case,\ncheck the entry from 2024/08/08 06:23 in the list of crashes; the C repro\nis available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix warning when unbinding\n\nIf there is an error during some initialization related to firmware,\nthe buffers dp->tx_ring[i].tx_status are released.\nHowever this is released again when the device is unbinded (ath12k_pci),\nand we get:\nWARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80\nCall Trace:\nfree_large_kmalloc\nath12k_dp_free\nath12k_core_deinit\nath12k_pci_remove\n...\n\nThe issue is always reproducible from a VM because the MSI addressing\ninitialization is failing.\n\nIn order to fix the issue, just set the buffers to NULL after releasing in\norder to avoid the double free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clk-loongson2: Fix potential buffer overflow in flexible-array member access\n\nFlexible-array member `hws` in `struct clk_hw_onecell_data` is annotated\nwith the `counted_by()` attribute. This means that when memory is\nallocated for this array, the _counter_, which in this case is member\n`num` in the flexible structure, should be set to the maximum number of\nelements the flexible array can contain, or fewer.\n\nIn this case, the total number of elements for the flexible array is\ndetermined by variable `clks_num` when allocating heap space via\n`devm_kzalloc()`, as shown below:\n\n289         struct loongson2_clk_provider *clp;\n\t...\n296         for (p = data; p->name; p++)\n297                 clks_num++;\n298\n299         clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),\n300                            GFP_KERNEL);\n\nSo, `clp->clk_data.num` should be set to `clks_num` or less, and not\nexceed `clks_num`, as is currently the case. Otherwise, if data is\nwritten into `clp->clk_data.hws[clks_num]`, the instrumentation\nprovided by the compiler won't detect the overflow, leading to a\nmemory corruption bug at runtime.\n\nFix this issue by setting `clp->clk_data.num` to `clks_num`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider\n\nSome heap space is allocated for the flexible structure `struct\nclk_hw_onecell_data` and its flexible-array member `hws` through\nthe composite structure `struct loongson2_clk_provider` in function\n`loongson2_clk_probe()`, as shown below:\n\n289         struct loongson2_clk_provider *clp;\n\t...\n296         for (p = data; p->name; p++)\n297                 clks_num++;\n298\n299         clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),\n300                            GFP_KERNEL);\n\nThen some data is written into the flexible array:\n\n350                 clp->clk_data.hws[p->id] = hw;\n\nThis corrupts `clk_lock`, which is the spinlock variable immediately\nfollowing the `clk_data` member in `struct loongson2_clk_provider`:\n\nstruct loongson2_clk_provider {\n\tvoid __iomem *base;\n\tstruct device *dev;\n\tstruct clk_hw_onecell_data clk_data;\n\tspinlock_t clk_lock;\t/* protect access to DIV registers */\n};\n\nThe problem is that the flexible structure is currently placed in the\nmiddle of `struct loongson2_clk_provider` instead of at the end.\n\nFix this by moving `struct clk_hw_onecell_data clk_data;` to the end of\n`struct loongson2_clk_provider`. Also, add a code comment to help\nprevent this from happening again in case new members are added to the\nstructure in the future.\n\nThis change also fixes the following -Wflex-array-member-not-at-end\nwarning:\n\ndrivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix use-after-free of slot->bus on hot remove\n\nDennis reports a boot crash on recent Lenovo laptops with a USB4 dock.\n\nSince commit 0fc70886569c (\"thunderbolt: Reset USB4 v2 host router\") and\ncommit 59a54c5f3dbd (\"thunderbolt: Reset topology created by the boot\nfirmware\"), USB4 v2 and v1 Host Routers are reset on probe of the\nthunderbolt driver.\n\nThe reset clears the Presence Detect State and Data Link Layer Link Active\nbits at the USB4 Host Router's Root Port and thus causes hot removal of the\ndock.\n\nThe crash occurs when pciehp is unbound from one of the dock's Downstream\nPorts:  pciehp creates a pci_slot on bind and destroys it on unbind.  The\npci_slot contains a pointer to the pci_bus below the Downstream Port, but\na reference on that pci_bus is never acquired.  The pci_bus is destroyed\nbefore the pci_slot, so a use-after-free ensues when pci_slot_release()\naccesses slot->bus.\n\nIn principle this should not happen because pci_stop_bus_device() unbinds\npciehp (and therefore destroys the pci_slot) before the pci_bus is\ndestroyed by pci_remove_bus_device().\n\nHowever the stacktrace provided by Dennis shows that pciehp is unbound from\npci_remove_bus_device() instead of pci_stop_bus_device().  To understand\nthe significance of this, one needs to know that the PCI core uses a two\nstep process to remove a portion of the hierarchy:  It first unbinds all\ndrivers in the sub-hierarchy in pci_stop_bus_device() and then actually\nremoves the devices in pci_remove_bus_device().  There is no precaution to\nprevent driver binding in-between pci_stop_bus_device() and\npci_remove_bus_device().\n\nIn Dennis' case, it seems removal of the hierarchy by pciehp races with\ndriver binding by pci_bus_add_devices().  pciehp is bound to the\nDownstream Port after pci_stop_bus_device() has run, so it is unbound by\npci_remove_bus_device() instead of pci_stop_bus_device().  Because the\npci_bus has already been destroyed at that point, accesses to it result in\na use-after-free.\n\nOne might conclude that driver binding needs to be prevented after\npci_stop_bus_device() has run.  However it seems risky that pci_slot points\nto pci_bus without holding a reference.  Solely relying on correct ordering\nof driver unbind versus pci_bus destruction is certainly not defensive\nprogramming.\n\nIf pci_slot has a need to access data in pci_bus, it ought to acquire a\nreference.  Amend pci_create_slot() accordingly.  Dennis reports that the\ncrash is not reproducible with this change.\n\nAbridged stacktrace:\n\n  pcieport 0000:00:07.0: PME: Signaling with IRQ 156\n  pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+\n  pci_bus 0000:20: dev 00, created physical slot 12\n  pcieport 0000:00:07.0: pciehp: Slot(12): Card not present\n  ...\n  pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0\n  Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1\n  RIP: 0010:dev_driver_string+0x12/0x40\n  pci_destroy_slot\n  pciehp_remove\n  pcie_port_remove_service\n  device_release_driver_internal\n  bus_remove_device\n  device_del\n  device_unregister\n  remove_iter\n  device_for_each_child\n  pcie_portdrv_remove\n  pci_device_remove\n  device_release_driver_internal\n  bus_remove_device\n  device_del\n  pci_remove_bus_device (recursive invocation)\n  pci_remove_bus_device\n  pciehp_unconfigure_device\n  pciehp_disable_slot\n  pciehp_handle_presence_or_link_change\n  pciehp_ist",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Get rid of userspace_irqchip_in_use\n\nImproper use of userspace_irqchip_in_use led to syzbot hitting the\nfollowing WARN_ON() in kvm_timer_update_irq():\n\nWARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459\nkvm_timer_update_irq+0x21c/0x394\nCall trace:\n  kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459\n  kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968\n  kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264\n  kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline]\n  kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline]\n  kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695\n  kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893\n  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n  invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49\n  el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132\n  do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151\n  el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nThe following sequence led to the scenario:\n - Userspace creates a VM and a vCPU.\n - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during\n   KVM_ARM_VCPU_INIT.\n - Without any other setup, such as vGIC or vPMU, userspace issues\n   KVM_RUN on the vCPU. Since the vPMU is requested, but not setup,\n   kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change().\n   As a result, KVM_RUN returns after enabling the timer, but before\n   incrementing 'userspace_irqchip_in_use':\n   kvm_arch_vcpu_run_pid_change()\n       ret = kvm_arm_pmu_v3_enable()\n           if (!vcpu->arch.pmu.created)\n               return -EINVAL;\n       if (ret)\n           return ret;\n       [...]\n       if (!irqchip_in_kernel(kvm))\n           static_branch_inc(&userspace_irqchip_in_use);\n - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again.\n   Since the timer is already enabled, control moves through the\n   following flow, ultimately hitting the WARN_ON():\n   kvm_timer_vcpu_reset()\n       if (timer->enabled)\n          kvm_timer_update_irq()\n              if (!userspace_irqchip())\n                  ret = kvm_vgic_inject_irq()\n                      ret = vgic_lazy_init()\n                          if (unlikely(!vgic_initialized(kvm)))\n                              if (kvm->arch.vgic.vgic_model !=\n                                  KVM_DEV_TYPE_ARM_VGIC_V2)\n                                      return -EBUSY;\n                  WARN_ON(ret);\n\nTheoretically, since userspace_irqchip_in_use's functionality can be\nsimply replaced by '!irqchip_in_kernel()', get rid of the static key\nto avoid the mismanagement, which also helps with the syzbot issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Don't retire aborted MMIO instruction\n\nReturning an abort to the guest for an unsupported MMIO access is a\ndocumented feature of the KVM UAPI. Nevertheless, it's clear that this\nplumbing has seen limited testing, since userspace can trivially cause a\nWARN in the MMIO return:\n\n  WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536\n  Call trace:\n   kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536\n   kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133\n   kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487\n   __do_sys_ioctl fs/ioctl.c:51 [inline]\n   __se_sys_ioctl fs/ioctl.c:893 [inline]\n   __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712\n   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nThe splat is complaining that KVM is advancing PC while an exception is\npending, i.e. that KVM is retiring the MMIO instruction despite a\npending synchronous external abort. Womp womp.\n\nFix the glaring UAPI bug by skipping over all the MMIO emulation in\ncase there is a pending synchronous exception. Note that while userspace\nis capable of pending an asynchronous exception (SError, IRQ, or FIQ),\nit is still safe to retire the MMIO instruction in this case as (1) they\nare by definition asynchronous, and (2) KVM relies on hardware support\nfor pending/delivering these exceptions instead of the software state\nmachine for advancing PC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices\n\nA bogus device can provide a bNumConfigurations value that exceeds the\ninitial value used in usb_get_configuration for allocating dev->config.\n\nThis can lead to out-of-bounds accesses later, e.g. in\nusb_destroy_configuration.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: Fix the issue of resource not being properly released in xenbus_dev_probe()\n\nThis patch fixes an issue in the function xenbus_dev_probe(). In the\nxenbus_dev_probe() function, within the if (err) branch at line 313, the\nprogram incorrectly returns err directly without releasing the resources\nallocated by err = drv->probe(dev, id). As the return value is non-zero,\nthe upper layers assume the processing logic has failed. However, the probe\noperation was performed earlier without a corresponding remove operation.\nSince the probe actually allocates resources, failing to perform the remove\noperation could lead to problems.\n\nTo fix this issue, we followed the resource release logic of the\nxenbus_dev_remove() function by adding a new block fail_remove before the\nfail_put block. After entering the branch if (err) at line 313, the\nfunction will use a goto statement to jump to the fail_remove block,\nensuring that the previously acquired resources are correctly released,\nthus preventing the reference count leak.\n\nThis bug was identified by an experimental static analysis tool developed\nby our team. The tool specializes in analyzing reference count operations\nand detecting potential issues where resources are not properly managed.\nIn this case, the tool flagged the missing release operation as a\npotential problem, which led to the development of this patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: imx-audmix: Add NULL check in imx_audmix_probe\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in imx_audmix_probe() is not checked.\nAdd NULL check in imx_audmix_probe(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null check for pipe_ctx->plane_state in hwss_setup_dpp\n\nThis commit addresses a null pointer dereference issue in\nhwss_setup_dpp(). The issue could occur when pipe_ctx->plane_state is\nnull. The fix adds a check to ensure `pipe_ctx->plane_state` is not null\nbefore accessing. This prevents a null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null check for pipe_ctx->plane_state in dcn20_program_pipe\n\nThis commit addresses a null pointer dereference issue in\ndcn20_program_pipe(). Previously, commit 8e4ed3cf1642 (\"drm/amd/display:\nAdd null check for pipe_ctx->plane_state in dcn20_program_pipe\")\npartially fixed the null pointer dereference issue. However, in\ndcn20_update_dchubp_dpp(), the variable pipe_ctx is passed in, and\nplane_state is accessed again through pipe_ctx. Multiple if statements\ndirectly call attributes of plane_state, leading to potential null\npointer dereference issues. This patch adds necessary null checks to\nensure stability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Fix possible resource leak in fw_log_firmware_info()\n\nThe alg instance should be released under the exception path, otherwise\nthere may be resource leak here.\n\nTo mitigate this, free the alg instance with crypto_free_shash when kmalloc\nfails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: fix potential array underflow in ucsi_ccg_sync_control()\n\nThe \"command\" variable can be controlled by the user via debugfs.  The\nworry is that if con_index is zero then \"&uc->ucsi->connector[con_index\n- 1]\" would be an array underflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: realtek: usb: fix NULL deref in rtk_usb3phy_probe\n\nIn rtk_usb3phy_probe() devm_kzalloc() may return NULL\nbut this returned value is not checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: realtek: usb: fix NULL deref in rtk_usb2phy_probe\n\nIn rtk_usb2phy_probe() devm_kzalloc() may return NULL\nbut this returned value is not checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix use-after-free of nreq in reqsk_timer_handler().\n\nThe cited commit replaced inet_csk_reqsk_queue_drop_and_put() with\n__inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler().\n\nThen, oreq should be passed to reqsk_put() instead of req; otherwise\nuse-after-free of nreq could happen when reqsk is migrated but the\nretry attempt failed (e.g. due to timeout).\n\nLet's pass oreq to reqsk_put().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible deadlocks\n\nThis fixes possible deadlocks like the following caused by\nhci_cmd_sync_dequeue causing the destroy function to run:\n\n INFO: task kworker/u19:0:143 blocked for more than 120 seconds.\n       Tainted: G        W  O        6.8.0-2024-03-19-intel-next-iLS-24ww14 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u19:0   state:D stack:0     pid:143   tgid:143   ppid:2      flags:0x00004000\n Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n Call Trace:\n  <TASK>\n  __schedule+0x374/0xaf0\n  schedule+0x3c/0xf0\n  schedule_preempt_disabled+0x1c/0x30\n  __mutex_lock.constprop.0+0x3ef/0x7a0\n  __mutex_lock_slowpath+0x13/0x20\n  mutex_lock+0x3c/0x50\n  mgmt_set_connectable_complete+0xa4/0x150 [bluetooth]\n  ? kfree+0x211/0x2a0\n  hci_cmd_sync_dequeue+0xae/0x130 [bluetooth]\n  ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth]\n  cmd_complete_rsp+0x26/0x80 [bluetooth]\n  mgmt_pending_foreach+0x4d/0x70 [bluetooth]\n  __mgmt_power_off+0x8d/0x180 [bluetooth]\n  ? _raw_spin_unlock_irq+0x23/0x40\n  hci_dev_close_sync+0x445/0x5b0 [bluetooth]\n  hci_set_powered_sync+0x149/0x250 [bluetooth]\n  set_powered_sync+0x24/0x60 [bluetooth]\n  hci_cmd_sync_work+0x90/0x150 [bluetooth]\n  process_one_work+0x13e/0x300\n  worker_thread+0x2f7/0x420\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0x107/0x140\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x3d/0x60\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353\nRead of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54\n\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\nq kasan_report+0x143/0x180 mm/kasan/report.c:601\n set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328\n process_one_work kernel/workqueue.c:3231 [inline]\n process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n worker_thread+0x86d/0xd10 kernel/workqueue.c:3389\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nAllocated by task 5247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193\n kmalloc_noprof include/linux/slab.h:681 [inline]\n kzalloc_noprof include/linux/slab.h:807 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n sock_write_iter+0x2dd/0x400 net/socket.c:1160\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xa72/0xc90 fs/read_write.c:590\n ksys_write+0x1a0/0x2c0 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5246:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2256 [inline]\n slab_free mm/slub.c:4477 [inline]\n kfree+0x149/0x360 mm/slub.c:4598\n settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455\n hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix receive ring space parameters when XDP is active\n\nThe MTU setting at the time an XDP multi-buffer is attached\ndetermines whether the aggregation ring will be used and the\nrx_skb_func handler.  This is done in bnxt_set_rx_skb_mode().\n\nIf the MTU is later changed, the aggregation ring setting may need\nto be changed and it may become out-of-sync with the settings\ninitially done in bnxt_set_rx_skb_mode().  This may result in\nrandom memory corruption and crashes as the HW may DMA data larger\nthan the allocated buffer size, such as:\n\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S         OE      6.1.0-226bf9805506 #1\nHardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021\nRIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]\nCode: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33\nRSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202\nRAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff\nRDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380\nRBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf\nR10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980\nR13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990\nFS:  0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]\n\nTo address the issue, we now call bnxt_set_rx_skb_mode() within\nbnxt_change_mtu() to properly set the AGG rings configuration and\nupdate rx_skb_func based on the new MTU value.\nAdditionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of\nbnxt_set_rx_skb_mode() to make sure it gets set or cleared based on\nthe current MTU.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct()\n\nPassing MSG_PEEK flag to skb_recv_datagram() increments skb refcount\n(skb->users) and iucv_sock_recvmsg() does not decrement skb refcount\nat exit.\nThis results in skb memory leak in skb_queue_purge() and WARN_ON in\niucv_sock_destruct() during socket close. To fix this decrease\nskb refcount by one if MSG_PEEK is set in order to prevent memory\nleak and WARN_ON.\n\nWARNING: CPU: 2 PID: 6292 at net/iucv/af_iucv.c:286 iucv_sock_destruct+0x144/0x1a0 [af_iucv]\nCPU: 2 PID: 6292 Comm: afiucv_test_msg Kdump: loaded Tainted: G        W          6.10.0-rc7 #1\nHardware name: IBM 3931 A01 704 (z/VM 7.3.0)\nCall Trace:\n        [<001587c682c4aa98>] iucv_sock_destruct+0x148/0x1a0 [af_iucv]\n        [<001587c682c4a9d0>] iucv_sock_destruct+0x80/0x1a0 [af_iucv]\n        [<001587c704117a32>] __sk_destruct+0x52/0x550\n        [<001587c704104a54>] __sock_release+0xa4/0x230\n        [<001587c704104c0c>] sock_close+0x2c/0x40\n        [<001587c702c5f5a8>] __fput+0x2e8/0x970\n        [<001587c7024148c4>] task_work_run+0x1c4/0x2c0\n        [<001587c7023b0716>] do_exit+0x996/0x1050\n        [<001587c7023b13aa>] do_group_exit+0x13a/0x360\n        [<001587c7023b1626>] __s390x_sys_exit_group+0x56/0x60\n        [<001587c7022bccca>] do_syscall+0x27a/0x380\n        [<001587c7049a6a0c>] __do_syscall+0x9c/0x160\n        [<001587c7049ce8a8>] system_call+0x70/0x98\n        Last Breaking-Event-Address:\n        [<001587c682c4a9d4>] iucv_sock_destruct+0x84/0x1a0 [af_iucv]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/l2tp: fix warning in l2tp_exit_net found by syzbot\n\nIn l2tp's net exit handler, we check that an IDR is empty before\ndestroying it:\n\n\tWARN_ON_ONCE(!idr_is_empty(&pn->l2tp_tunnel_idr));\n\tidr_destroy(&pn->l2tp_tunnel_idr);\n\nBy forcing memory allocation failures in idr_alloc_32, syzbot is able\nto provoke a condition where idr_is_empty returns false despite there\nbeing no items in the IDR. This turns out to be because the radix tree\nof the IDR contains only internal radix-tree nodes and it is this that\ncauses idr_is_empty to return false. The internal nodes are cleaned by\nidr_destroy.\n\nUse idr_for_each to check that the IDR is empty instead of\nidr_is_empty to avoid the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: fix false positive warning in extack during dumps\n\nCommit under fixes extended extack reporting to dumps.\nIt works under normal conditions, because extack errors are\nusually reported during ->start() or the first ->dump(),\nit's quite rare that the dump starts okay but fails later.\nIf the dump does fail later, however, the input skb will\nalready have the initiating message pulled, so checking\nif bad attr falls within skb->data will fail.\n\nSwitch the check to using nlh, which is always valid.\n\nsyzbot found a way to hit that scenario by filling up\nthe receive queue. In this case we initiate a dump\nbut don't call ->dump() until there is read space for\nan skb.\n\nWARNING: CPU: 1 PID: 5845 at net/netlink/af_netlink.c:2210 netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209\nRIP: 0010:netlink_ack_tlv_fill+0x1a8/0x560 net/netlink/af_netlink.c:2209\nCall Trace:\n <TASK>\n netlink_dump_done+0x513/0x970 net/netlink/af_netlink.c:2250\n netlink_dump+0x91f/0xe10 net/netlink/af_netlink.c:2351\n netlink_recvmsg+0x6bb/0x11d0 net/netlink/af_netlink.c:1983\n sock_recvmsg_nosec net/socket.c:1051 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1073\n __sys_recvfrom+0x246/0x3d0 net/socket.c:2267\n __do_sys_recvfrom net/socket.c:2285 [inline]\n __se_sys_recvfrom net/socket.c:2281 [inline]\n __x64_sys_recvfrom+0xde/0x100 net/socket.c:2281\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7ff37dd17a79",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Fix double free issue with interrupt buffer allocation\n\nIn lan78xx_probe(), the buffer `buf` was being freed twice: once\nimplicitly through `usb_free_urb(dev->urb_intr)` with the\n`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused\na double free issue.\n\nTo resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to\nsimplify the initialization sequence and removed the redundant\n`kfree(buf)`.  Now, `buf` is allocated after `usb_alloc_urb()`, ensuring\nit is correctly managed by  `usb_fill_int_urb()` and freed by\n`usb_free_urb()` as intended.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended capability\n\nThere are cases where a PCIe extended capability should be hidden from\nthe user. For example, an unknown capability (i.e., capability with ID\ngreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally\nchosen to be hidden from the user.\n\nHiding a capability is done by virtualizing and modifying the 'Next\nCapability Offset' field of the previous capability so it points to the\ncapability after the one that should be hidden.\n\nThe special case where the first capability in the list should be hidden\nis handled differently because there is no previous capability that can\nbe modified. In this case, the capability ID and version are zeroed\nwhile leaving the next pointer intact. This hides the capability and\nleaves an anchor for the rest of the capability list.\n\nHowever, today, hiding the first capability in the list is not done\nproperly if the capability is unknown, as struct\nvfio_pci_core_device->pci_config_map is set to the capability ID during\ninitialization but the capability ID is not properly checked later when\nused in vfio_config_do_rw(). This leads to the following warning [1] and\nto an out-of-bounds access to ecap_perms array.\n\nFix it by checking cap_id in vfio_config_do_rw(), and if it is greater\nthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct\nread only access instead of the ecap_perms array.\n\nNote that this is safe since the above is the only case where cap_id can\nexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which\nare already checked before).\n\n[1]\n\nWARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\nCPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1\n(snip)\nCall Trace:\n <TASK>\n ? show_regs+0x69/0x80\n ? __warn+0x8d/0x140\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? report_bug+0x18f/0x1a0\n ? handle_bug+0x63/0xa0\n ? exc_invalid_op+0x19/0x70\n ? asm_exc_invalid_op+0x1b/0x20\n ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]\n ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]\n vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]\n vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]\n vfio_device_fops_read+0x27/0x40 [vfio]\n vfs_read+0xbd/0x340\n ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]\n ? __rseq_handle_notify_resume+0xa4/0x4b0\n __x64_sys_pread64+0x96/0xc0\n x64_sys_call+0x1c3d/0x20d0\n do_syscall_64+0x4d/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()\n\nThere's an issue as follows:\nRPC: Registered rdma transport module.\nRPC: Registered rdma backchannel transport module.\nRPC: Unregistered rdma transport module.\nRPC: Unregistered rdma backchannel transport module.\nBUG: unable to handle page fault for address: fffffbfff80c609a\nPGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\nRIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0\nCall Trace:\n <TASK>\n __die+0x1f/0x70\n page_fault_oops+0x2cd/0x860\n spurious_kernel_fault+0x36/0x450\n do_kern_addr_fault+0xca/0x100\n exc_page_fault+0x128/0x150\n asm_exc_page_fault+0x26/0x30\n percpu_counter_destroy_many+0xf7/0x2a0\n mmdrop+0x209/0x350\n finish_task_switch.isra.0+0x481/0x840\n schedule_tail+0xe/0xd0\n ret_from_fork+0x23/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nIf register_sysctl() returns NULL, then svc_rdma_proc_cleanup() will not\ndestroy the percpu counters which were initialized in svc_rdma_proc_init().\nIf CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the\n'percpu_counters' list. The above issue may occur once the module is\nremoved. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory\nleakage occurs.\nTo solve the above issue, just destroy all percpu counters when\nregister_sysctl() returns NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: release svc_expkey/svc_export with rcu_work\n\nThe last reference for `cache_head` can be reduced to zero in `c_show`\nand `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,\n`svc_export_put` and `expkey_put` will be invoked, leading to two\nissues:\n\n1. The `svc_export_put` will directly free ex_uuid. However,\n   `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can\n   trigger a use-after-free issue, shown below.\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]\n   Read of size 1 at addr ff11000010fdc120 by task cat/870\n\n   CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1\n   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n   1.16.1-2.fc37 04/01/2014\n   Call Trace:\n    <TASK>\n    dump_stack_lvl+0x53/0x70\n    print_address_description.constprop.0+0x2c/0x3a0\n    print_report+0xb9/0x280\n    kasan_report+0xae/0xe0\n    svc_export_show+0x362/0x430 [nfsd]\n    c_show+0x161/0x390 [sunrpc]\n    seq_read_iter+0x589/0x770\n    seq_read+0x1e5/0x270\n    proc_reg_read+0xe1/0x140\n    vfs_read+0x125/0x530\n    ksys_read+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n   Allocated by task 830:\n    kasan_save_stack+0x20/0x40\n    kasan_save_track+0x14/0x30\n    __kasan_kmalloc+0x8f/0xa0\n    __kmalloc_node_track_caller_noprof+0x1bc/0x400\n    kmemdup_noprof+0x22/0x50\n    svc_export_parse+0x8a9/0xb80 [nfsd]\n    cache_do_downcall+0x71/0xa0 [sunrpc]\n    cache_write_procfs+0x8e/0xd0 [sunrpc]\n    proc_reg_write+0xe1/0x140\n    vfs_write+0x1a5/0x6d0\n    ksys_write+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n   Freed by task 868:\n    kasan_save_stack+0x20/0x40\n    kasan_save_track+0x14/0x30\n    kasan_save_free_info+0x3b/0x60\n    __kasan_slab_free+0x37/0x50\n    kfree+0xf3/0x3e0\n    svc_export_put+0x87/0xb0 [nfsd]\n    cache_purge+0x17f/0x1f0 [sunrpc]\n    nfsd_destroy_serv+0x226/0x2d0 [nfsd]\n    nfsd_svc+0x125/0x1e0 [nfsd]\n    write_threads+0x16a/0x2a0 [nfsd]\n    nfsctl_transaction_write+0x74/0xa0 [nfsd]\n    vfs_write+0x1a5/0x6d0\n    ksys_write+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.\n   However, `svc_export_put`/`expkey_put` will call path_put, which\n   subsequently triggers a sleeping operation due to the following\n   `dput`.\n\n   =============================\n   WARNING: suspicious RCU usage\n   5.10.0-dirty #141 Not tainted\n   -----------------------------\n   ...\n   Call Trace:\n   dump_stack+0x9a/0xd0\n   ___might_sleep+0x231/0x240\n   dput+0x39/0x600\n   path_put+0x1b/0x30\n   svc_export_put+0x17/0x80\n   e_show+0x1c9/0x200\n   seq_read_iter+0x63f/0x7c0\n   seq_read+0x226/0x2d0\n   vfs_read+0x113/0x2c0\n   ksys_read+0xc9/0x170\n   do_syscall_64+0x33/0x40\n   entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFix these issues by using `rcu_work` to help release\n`svc_expkey`/`svc_export`. This approach allows for an asynchronous\ncontext to invoke `path_put` and also facilitates the freeing of\n`uuid/exp/key` after an RCU grace period.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Prevent NULL dereference in nfsd4_process_cb_update()\n\n@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no\navailable backchannel session, setup_callback_client() will try to\ndereference @ses and segfault.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix race in concurrent f2fs_stop_gc_thread\n\nIn my test case, concurrent calls to f2fs shutdown report the following\nstack trace:\n\n Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85\n Call Trace:\n  <TASK>\n  ? show_regs+0x8b/0xa0\n  ? __die_body+0x26/0xa0\n  ? die_addr+0x54/0x90\n  ? exc_general_protection+0x24b/0x5c0\n  ? asm_exc_general_protection+0x26/0x30\n  ? kthread_stop+0x46/0x390\n  f2fs_stop_gc_thread+0x6c/0x110\n  f2fs_do_shutdown+0x309/0x3a0\n  f2fs_ioc_shutdown+0x150/0x1c0\n  __f2fs_ioctl+0xffd/0x2ac0\n  f2fs_ioctl+0x76/0xe0\n  vfs_ioctl+0x23/0x60\n  __x64_sys_ioctl+0xce/0xf0\n  x64_sys_call+0x2b1b/0x4540\n  do_syscall_64+0xa7/0x240\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe root cause is a race condition in f2fs_stop_gc_thread() called from\ndifferent f2fs shutdown paths:\n\n  [CPU0]                       [CPU1]\n  ----------------------       -----------------------\n  f2fs_stop_gc_thread          f2fs_stop_gc_thread\n                                 gc_th = sbi->gc_thread\n    gc_th = sbi->gc_thread\n    kfree(gc_th)\n    sbi->gc_thread = NULL\n                                 < gc_th != NULL >\n                                 kthread_stop(gc_th->f2fs_gc_task) //UAF\n\nThe commit c7f114d864ac (\"f2fs: fix to avoid use-after-free in\nf2fs_stop_gc_thread()\") attempted to fix this issue by using a read\nsemaphore to prevent races between shutdown and remount threads, but\nit fails to prevent all race conditions.\n\nFix it by converting to write lock of s_umount in f2fs_do_shutdown().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: use pages instead of pointer for kernel direct IO\n\nWhen trying to insert a 10MB kernel module kept in a virtio-fs with cache\ndisabled, the following warning was reported:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ......\n  Modules linked in:\n  CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:__alloc_pages+0x2bf/0x380\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0x8e/0x150\n   ? __alloc_pages+0x2bf/0x380\n   __kmalloc_large_node+0x86/0x160\n   __kmalloc+0x33c/0x480\n   virtio_fs_enqueue_req+0x240/0x6d0\n   virtio_fs_wake_pending_and_unlock+0x7f/0x190\n   queue_request_and_unlock+0x55/0x60\n   fuse_simple_request+0x152/0x2b0\n   fuse_direct_io+0x5d2/0x8c0\n   fuse_file_read_iter+0x121/0x160\n   __kernel_read+0x151/0x2d0\n   kernel_read+0x45/0x50\n   kernel_read_file+0x1a9/0x2a0\n   init_module_from_file+0x6a/0xe0\n   idempotent_init_module+0x175/0x230\n   __x64_sys_finit_module+0x5d/0xb0\n   x64_sys_call+0x1c3/0x9e0\n   do_syscall_64+0x3d/0xc0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   ......\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nThe warning is triggered as follows:\n\n1) syscall finit_module() handles the module insertion and it invokes\nkernel_read_file() to read the content of the module first.\n\n2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and\npasses it to kernel_read(). kernel_read() constructs a kvec iter by\nusing iov_iter_kvec() and passes it to fuse_file_read_iter().\n\n3) virtio-fs disables the cache, so fuse_file_read_iter() invokes\nfuse_direct_io(). As for now, the maximal read size for kvec iter is\nonly limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, so\nfuse_direct_io() doesn't split the 10MB buffer. It saves the address and\nthe size of the 10MB-sized buffer in out_args[0] of a fuse request and\npasses the fuse request to virtio_fs_wake_pending_and_unlock().\n\n4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to\nqueue the request. Because virtiofs needs a DMA-able address,\nvirtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for\nall fuse args, copies these args into the bounce buffer and passes the\nphysical address of the bounce buffer to virtiofsd. The total length of\nthese fuse args for the passed fuse request is about 10MB, so\ncopy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and\nit triggers the warning in __alloc_pages():\n\n\tif (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))\n\t\treturn NULL;\n\n5) virtio_fs_enqueue_req() will retry the memory allocation in a\nkworker, but it won't help, because kmalloc() will always return NULL\ndue to the abnormal size and finit_module() will hang forever.\n\nA feasible solution is to limit the value of max_read for virtio-fs, so\nthe length passed to kmalloc() will be limited. However it will affect\nthe maximal read size for normal read. And for virtio-fs write initiated\nfrom kernel, it has the similar problem but now there is no way to limit\nfc->max_write in kernel.\n\nSo instead of limiting both the values of max_read and max_write in\nkernel, introduce use_pages_for_kvec_io in fuse_conn and set it to\ntrue in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use\npages instead of a pointer to pass the KVEC_IO data.\n\nAfter switching to pages for KVEC_IO data, these pages will be used for\nDMA through virtio-fs. If these pages are backed by vmalloc(),\n{flush|invalidate}_kernel_vmap_range() are necessary to flush or\ninvalidate the cache before the DMA operation. So add two new fields in\nfuse_args_pages to record the base address of vmalloc area and the\ncondition indicating whether invalidation is needed. Perform the flush\nin fuse_get_user_pages() for write operations and the invalidation in\nfuse_release_user_pages() for read operations.\n\nIt may seem necessary to introduce another fie\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to account dirty data in __get_secs_required()\n\nIt will trigger system panic w/ testcase in [1]:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2752!\nRIP: 0010:new_curseg+0xc81/0x2110\nCall Trace:\n f2fs_allocate_data_block+0x1c91/0x4540\n do_write_page+0x163/0xdf0\n f2fs_outplace_write_data+0x1aa/0x340\n f2fs_do_write_data_page+0x797/0x2280\n f2fs_write_single_data_page+0x16cd/0x2190\n f2fs_write_cache_pages+0x994/0x1c80\n f2fs_write_data_pages+0x9cc/0xea0\n do_writepages+0x194/0x7a0\n filemap_fdatawrite_wbc+0x12b/0x1a0\n __filemap_fdatawrite_range+0xbb/0xf0\n file_write_and_wait_range+0xa1/0x110\n f2fs_do_sync_file+0x26f/0x1c50\n f2fs_sync_file+0x12b/0x1d0\n vfs_fsync_range+0xfa/0x230\n do_fsync+0x3d/0x80\n __x64_sys_fsync+0x37/0x50\n x64_sys_call+0x1e88/0x20d0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe root cause is that if checkpoint_disabling and lfs_mode are both on,\nit will trigger OPU for all overwritten data, which may cost more free\nsegments than expected, so f2fs must account those data correctly to\ncalculate consumed free segments later, and return ENOSPC earlier to\navoid running out of free segments during block allocation.\n\n[1] https://lore.kernel.org/fstests/20241015025106.3203676-1-chao@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null-ptr-deref in f2fs_submit_page_bio()\n\nThere's an issue as follows when concurrently installing the f2fs.ko\nmodule and mounting the f2fs file system:\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nRIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]\nCall Trace:\n <TASK>\n f2fs_submit_page_bio+0x126/0x8b0 [f2fs]\n __get_meta_page+0x1d4/0x920 [f2fs]\n get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]\n validate_checkpoint+0xac/0x290 [f2fs]\n f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]\n f2fs_fill_super+0x1007/0x39b0 [f2fs]\n mount_bdev+0x183/0x250\n legacy_get_tree+0xf4/0x1e0\n vfs_get_tree+0x88/0x340\n do_new_mount+0x283/0x5e0\n path_mount+0x2b2/0x15b0\n __x64_sys_mount+0x1fe/0x270\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue happens because the bioset of the f2fs file system is not\ninitialized before registering \"f2fs_fs_type\".\nTo address the above issue, just register \"f2fs_fs_type\" last in\ninit_f2fs_fs(), ensuring that all f2fs file system resources are\ninitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix NULL pointer in comp_algorithm_show()\n\nLTP reported a NULL pointer dereference as follows:\n\n CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __pi_strcmp+0x24/0x140\n lr : zcomp_available_show+0x60/0x100 [zram]\n sp : ffff800088b93b90\n x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0\n x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000\n x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280\n x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c\n x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000\n Call trace:\n  __pi_strcmp+0x24/0x140\n  comp_algorithm_show+0x40/0x70 [zram]\n  dev_attr_show+0x28/0x80\n  sysfs_kf_seq_show+0x90/0x140\n  kernfs_seq_show+0x34/0x48\n  seq_read_iter+0x1d4/0x4e8\n  kernfs_fop_read_iter+0x40/0x58\n  new_sync_read+0x9c/0x168\n  vfs_read+0x1a8/0x1f8\n  ksys_read+0x74/0x108\n  __arm64_sys_read+0x24/0x38\n  invoke_syscall+0x50/0x120\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x38/0x138\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x188/0x190\n\nThe zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if\ncomp_algorithm_set() has not been called.  Users can access the zram device\nby sysfs after device_add_disk(), so there is a time window to trigger the\nNULL pointer dereference.  Move it ahead of device_add_disk() to make sure\nthat by the time a user can access the zram device, it is ready.  comp_algorithm_set()\nis protected by zram->init_lock in other places, so there is no such problem there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs\n\nBase clocks are the first in being probed and are real dependencies of the\nrest of fixed, factor and peripheral clocks. For old ralink SoCs RT2880,\nRT305x and RT3883 'xtal' must be defined first since in any other case,\nwhen fixed clocks are probed they are delayed until 'xtal' is probed so the\nfollowing warning appears:\n\n WARNING: CPU: 0 PID: 0 at drivers/clk/ralink/clk-mtmips.c:499 rt3883_bus_recalc_rate+0x98/0x138\n Modules linked in:\n CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.43 #0\n Stack : 805e58d0 00000000 00000004 8004f950 00000000 00000004 00000000 00000000\n 80669c54 80830000 80700000 805ae570 80670068 00000001 80669bf8 00000000\n 00000000 00000000 805ae570 80669b38 00000020 804db7dc 00000000 00000000\n 203a6d6d 80669b78 80669e48 70617773 00000000 805ae570 00000000 00000009\n 00000000 00000001 00000004 00000001 00000000 00000000 83fe43b0 00000000\n ...\n Call Trace:\n [<800065d0>] show_stack+0x64/0xf4\n [<804bca14>] dump_stack_lvl+0x38/0x60\n [<800218ac>] __warn+0x94/0xe4\n [<8002195c>] warn_slowpath_fmt+0x60/0x94\n [<80259ff8>] rt3883_bus_recalc_rate+0x98/0x138\n [<80254530>] __clk_register+0x568/0x688\n [<80254838>] of_clk_hw_register+0x18/0x2c\n [<8070b910>] rt2880_clk_of_clk_init_driver+0x18c/0x594\n [<8070b628>] of_clk_init+0x1c0/0x23c\n [<806fc448>] plat_time_init+0x58/0x18c\n [<806fdaf0>] time_init+0x10/0x6c\n [<806f9bc4>] start_kernel+0x458/0x67c\n\n ---[ end trace 0000000000000000 ]---\n\nWhen this driver was mainlined we could not find any active users of old\nralink SoCs so we cannot perform any real tests for them. Now, one user\nof a Belkin f9k1109 version 1 device which uses RT3883 SoC appeared and\nreported some issues in openWRT:\n- https://github.com/openwrt/openwrt/issues/16054\n\nThus, define a 'rt2880_xtal_recalc_rate()' just returning the expected\nfrequency 40Mhz and use it along the old ralink SoCs to have a correct\nboot trace with no warnings and a working clock plan from the beggining.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Move events notifier registration to be after device registration\n\nMove pkey change work initialization and cleanup from device resources\nstage to notifier stage, since this is the stage which handles this work\nevents.\n\nFix a race between the device deregistration and pkey change work by moving\nMLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to\nensure that the notifier is deregistered before the device during cleanup.\nWhich ensures there are no works that are being executed after the\ndevice has already unregistered which can cause the panic below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1\nHardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023\nWorkqueue: events pkey_change_handler [mlx5_ib]\nRIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]\nCode: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 <4c> 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40\nRSP: 0018:ffffbcc54068be20 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36\nRDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128\nRBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001\nR10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000\nR13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905\nFS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\nmlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]\nprocess_one_work+0x1e8/0x3c0\nworker_thread+0x50/0x3b0\n? rescuer_thread+0x380/0x380\nkthread+0x149/0x170\n? set_kthread_struct+0x50/0x50\nret_from_fork+0x22/0x30\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]\nCR2: 0000000000000000\n---[ end trace f6f8be4eae12f7bc ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/tegra241-cmdqv: Fix alignment failure at max_n_shift\n\nWhen configuring a kernel with PAGE_SIZE=4KB, depending on its setting of\nCONFIG_CMA_ALIGNMENT, VCMDQ_LOG2SIZE_MAX=19 could fail the alignment test\nand trigger a WARN_ON:\n    WARNING: at drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:3646\n    Call trace:\n     arm_smmu_init_one_queue+0x15c/0x210\n     tegra241_cmdqv_init_structures+0x114/0x338\n     arm_smmu_device_probe+0xb48/0x1d90\n\nFix it by capping max_n_shift to CMDQ_MAX_SZ_SHIFT as SMMUv3 CMDQ does.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()\n\nib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.\nThe driver needs to check whether it is a NULL pointer before\ndereferencing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Fix use-after-free in bfad_im_module_exit()\n\nBUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20\nRead of size 8 at addr ffff8881082d80c8 by task modprobe/25303\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x95/0xe0\n print_report+0xcb/0x620\n kasan_report+0xbd/0xf0\n __lock_acquire+0x2aca/0x3a20\n lock_acquire+0x19b/0x520\n _raw_spin_lock+0x2b/0x40\n attribute_container_unregister+0x30/0x160\n fc_release_transport+0x19/0x90 [scsi_transport_fc]\n bfad_im_module_exit+0x23/0x60 [bfa]\n bfad_init+0xdb/0xff0 [bfa]\n do_one_initcall+0xdc/0x550\n do_init_module+0x22d/0x6b0\n load_module+0x4e96/0x5ff0\n init_module_from_file+0xcd/0x130\n idempotent_init_module+0x330/0x620\n __x64_sys_finit_module+0xb3/0x110\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAllocated by task 25303:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]\n bfad_im_module_init+0x17/0x80 [bfa]\n bfad_init+0x23/0xff0 [bfa]\n do_one_initcall+0xdc/0x550\n do_init_module+0x22d/0x6b0\n load_module+0x4e96/0x5ff0\n init_module_from_file+0xcd/0x130\n idempotent_init_module+0x330/0x620\n __x64_sys_finit_module+0xb3/0x110\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 25303:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x38/0x50\n kfree+0x212/0x480\n bfad_im_module_init+0x7e/0x80 [bfa]\n bfad_init+0x23/0xff0 [bfa]\n do_one_initcall+0xdc/0x550\n do_init_module+0x22d/0x6b0\n load_module+0x4e96/0x5ff0\n init_module_from_file+0xcd/0x130\n idempotent_init_module+0x330/0x620\n __x64_sys_finit_module+0xb3/0x110\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAbove issue happens as follows:\n\nbfad_init\n  error = bfad_im_module_init()\n    fc_release_transport(bfad_im_scsi_transport_template);\n  if (error)\n    goto ext;\n\next:\n  bfad_im_module_exit();\n    fc_release_transport(bfad_im_scsi_transport_template);\n    --> Trigger double release\n\nDon't call bfad_im_module_exit() if bfad_im_module_init() failed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kvm: Fix out-of-bounds array access\n\nIn kvm_riscv_vcpu_sbi_init() the entry->ext_idx can contain an\nout-of-bound index. This is used as a special marker for the base\nextensions, that cannot be disabled. However, when traversing the\nextensions, that special marker is not checked prior indexing the\narray.\n\nAdd an out-of-bounds check to the function.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the qp flush warnings in req\n\nWhen the qp is in error state, the status of WQEs in the queue should be\nset to error. Or else the following will appear.\n\n[  920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe]\n[  920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6\n[  920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G           O       6.1.113-storage+ #65\n[  920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[  920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe]\n[  920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24\n[  920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246\n[  920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008\n[  920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac\n[  920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450\n[  920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800\n[  920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000\n[  920.622609] FS:  0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000\n[  920.622979] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0\n[  920.623680] Call Trace:\n[  920.623815]  <TASK>\n[  920.623933]  ? __warn+0x79/0xc0\n[  920.624116]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]\n[  920.624356]  ? report_bug+0xfb/0x150\n[  920.624594]  ? handle_bug+0x3c/0x60\n[  920.624796]  ? exc_invalid_op+0x14/0x70\n[  920.624976]  ? asm_exc_invalid_op+0x16/0x20\n[  920.625203]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]\n[  920.625474]  ? rxe_completer+0x329/0xcc0 [rdma_rxe]\n[  920.625749]  rxe_do_task+0x80/0x110 [rdma_rxe]\n[  920.626037]  rxe_requester+0x625/0xde0 [rdma_rxe]\n[  920.626310]  ? rxe_cq_post+0xe2/0x180 [rdma_rxe]\n[  920.626583]  ? do_complete+0x18d/0x220 [rdma_rxe]\n[  920.626812]  ? rxe_completer+0x1a3/0xcc0 [rdma_rxe]\n[  920.627050]  rxe_do_task+0x80/0x110 [rdma_rxe]\n[  920.627285]  tasklet_action_common.constprop.0+0xa4/0x120\n[  920.627522]  handle_softirqs+0xc2/0x250\n[  920.627728]  ? sort_range+0x20/0x20\n[  920.627942]  run_ksoftirqd+0x1f/0x30\n[  920.628158]  smpboot_thread_fn+0xc7/0x1b0\n[  920.628334]  kthread+0xd6/0x100\n[  920.628504]  ? kthread_complete_and_exit+0x20/0x20\n[  920.628709]  ret_from_fork+0x1f/0x30\n[  920.628892]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost()\n\ncpufreq_cpu_get_raw() may return NULL if the cpu is not in\npolicy->cpus cpu mask and it will cause null pointer dereference,\nso check NULL for cppc_get_cpu_cost().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()\n\ncpufreq_cpu_get_raw() may return NULL if the cpu is not in\npolicy->cpus cpu mask and it will cause null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/s390: Implement blocking domain\n\nThis fixes a crash when surprise hot-unplugging a PCI device. This crash\nhappens because during hot-unplug __iommu_group_set_domain_nofail()\nattaching the default domain fails when the platform no longer\nrecognizes the device as it has already been removed and we end up with\na NULL domain pointer and UAF. This is exactly the case referred to in\nthe second comment in __iommu_device_set_domain() and just as stated\nthere if we can instead attach the blocking domain the UAF is prevented\nas this can handle the already removed device. Implement the blocking\ndomain to use this handling.  With this change, the crash is fixed but\nwe still hit a warning attempting to change DMA ownership on a blocked\ndevice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nunicode: Fix utf8_load() error path\n\nutf8_load() requests the symbol \"utf8_data_table\" and then checks if the\nrequested UTF-8 version is supported. If it's unsupported, it tries to\nput the data table using symbol_put(). If an unsupported version is\nrequested, symbol_put() fails like this:\n\n kernel BUG at kernel/module/main.c:786!\n RIP: 0010:__symbol_put+0x93/0xb0\n Call Trace:\n  <TASK>\n  ? __die_body.cold+0x19/0x27\n  ? die+0x2e/0x50\n  ? do_trap+0xca/0x110\n  ? do_error_trap+0x65/0x80\n  ? __symbol_put+0x93/0xb0\n  ? exc_invalid_op+0x51/0x70\n  ? __symbol_put+0x93/0xb0\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? __pfx_cmp_name+0x10/0x10\n  ? __symbol_put+0x93/0xb0\n  ? __symbol_put+0x62/0xb0\n  utf8_load+0xf8/0x150\n\nThat happens because symbol_put() expects the unique string that\nidentify the symbol, instead of a pointer to the loaded symbol. Fix that\nby using such string.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle NONHEAD !delta[1] lclusters gracefully\n\nsyzbot reported a WARNING in iomap_iter_done:\n iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80\n ioctl_fiemap fs/ioctl.c:220 [inline]\n\nGenerally, NONHEAD lclusters won't have delta[1]==0, except for crafted\nimages and filesystems created by pre-1.0 mkfs versions.\n\nPreviously, it would immediately bail out if delta[1]==0, which led to\ninadequate decompressed lengths (thus FIEMAP is impacted).  Treat it as\ndelta[1]=1 to work around these legacy mkfs versions.\n\n`lclusterbits > 14` is illegal for compact indexes, error out too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix file-backed mounts over FUSE\n\nsyzbot reported a null-ptr-deref in fuse_read_args_fill:\n fuse_read_folio+0xb0/0x100 fs/fuse/file.c:905\n filemap_read_folio+0xc6/0x2a0 mm/filemap.c:2367\n do_read_cache_folio+0x263/0x5c0 mm/filemap.c:3825\n read_mapping_folio include/linux/pagemap.h:1011 [inline]\n erofs_bread+0x34d/0x7e0 fs/erofs/data.c:41\n erofs_read_superblock fs/erofs/super.c:281 [inline]\n erofs_fc_fill_super+0x2b9/0x2500 fs/erofs/super.c:625\n\nUnlike most filesystems, some network filesystems and FUSE need\nunavoidable valid `file` pointers for their read I/Os [1].\nAnyway, those use cases need to be supported too.\n\n[1] https://docs.kernel.org/filesystems/vfs.html",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Free skb when TX metadata options are invalid\n\nWhen a new skb is allocated for transmitting an xsk descriptor, i.e., for\nevery non-multibuf descriptor or the first frag of a multibuf descriptor,\nbut the descriptor is later found to have invalid options set for the TX\nmetadata, the new skb is never freed. This can leak skbs until the send\nbuffer is full which makes sending more packets impossible.\n\nFix this by freeing the skb in the error path if we are currently dealing\nwith the first frag, i.e., an skb allocated in this iteration of\nxsk_build_skb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix use-after-free in device_for_each_child()\n\nSyzbot has reported the following KASAN splat:\n\nBUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0\nRead of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980\n\nCPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x100/0x190\n ? device_for_each_child+0x18f/0x1a0\n print_report+0x13a/0x4cb\n ? __virt_addr_valid+0x5e/0x590\n ? __phys_addr+0xc6/0x150\n ? device_for_each_child+0x18f/0x1a0\n kasan_report+0xda/0x110\n ? device_for_each_child+0x18f/0x1a0\n ? __pfx_dev_memalloc_noio+0x10/0x10\n device_for_each_child+0x18f/0x1a0\n ? __pfx_device_for_each_child+0x10/0x10\n pm_runtime_set_memalloc_noio+0xf2/0x180\n netdev_unregister_kobject+0x1ed/0x270\n unregister_netdevice_many_notify+0x123c/0x1d80\n ? __mutex_trylock_common+0xde/0x250\n ? __pfx_unregister_netdevice_many_notify+0x10/0x10\n ? trace_contention_end+0xe6/0x140\n ? __mutex_lock+0x4e7/0x8f0\n ? __pfx_lock_acquire.part.0+0x10/0x10\n ? rcu_is_watching+0x12/0xc0\n ? unregister_netdev+0x12/0x30\n unregister_netdevice_queue+0x30d/0x3f0\n ? __pfx_unregister_netdevice_queue+0x10/0x10\n ? __pfx_down_write+0x10/0x10\n unregister_netdev+0x1c/0x30\n bnep_session+0x1fb3/0x2ab0\n ? __pfx_bnep_session+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_woken_wake_function+0x10/0x10\n ? __kthread_parkme+0x132/0x200\n ? __pfx_bnep_session+0x10/0x10\n ? kthread+0x13a/0x370\n ? __pfx_bnep_session+0x10/0x10\n kthread+0x2b7/0x370\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x48/0x80\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 4974:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n __kmalloc_noprof+0x1d1/0x440\n hci_alloc_dev_priv+0x1d/0x2820\n __vhci_create_device+0xef/0x7d0\n vhci_write+0x2c7/0x480\n vfs_write+0x6a0/0xfc0\n ksys_write+0x12f/0x260\n do_syscall_64+0xc7/0x250\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 4979:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x4f/0x70\n kfree+0x141/0x490\n hci_release_dev+0x4d9/0x600\n bt_host_release+0x6a/0xb0\n device_release+0xa4/0x240\n kobject_put+0x1ec/0x5a0\n put_device+0x1f/0x30\n vhci_release+0x81/0xf0\n __fput+0x3f6/0xb30\n task_work_run+0x151/0x250\n do_exit+0xa79/0x2c30\n do_group_exit+0xd5/0x2a0\n get_signal+0x1fcd/0x2210\n arch_do_signal_or_restart+0x93/0x780\n syscall_exit_to_user_mode+0x140/0x290\n do_syscall_64+0xd4/0x250\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIn 'hci_conn_del_sysfs()', 'device_unregister()' may be called when\nan underlying (kobject) reference counter is greater than 1. This\nmeans that reparenting (happened when the device is actually freed)\nis delayed and, during that delay, parent controller device (hciX)\nmay be deleted. Since the latter may create a dangling pointer to\nfreed parent, avoid that scenario by reparenting to NULL explicitly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtk: adjust the position to init iso data anchor\n\nMediaTek iso data anchor init should be moved to where MediaTek\nclaims iso data interface.\nIf there is an unexpected BT usb disconnect during setup flow,\nit will cause a NULL pointer crash issue when releasing iso\nanchor since the anchor wasn't been init yet. Adjust the position\nto do iso data anchor init.\n\n[   17.137991] pc : usb_kill_anchored_urbs+0x60/0x168\n[   17.137998] lr : usb_kill_anchored_urbs+0x44/0x168\n[   17.137999] sp : ffffffc0890cb5f0\n[   17.138000] x29: ffffffc0890cb5f0 x28: ffffff80bb6c2e80\n[   17.144081] gpio gpiochip0: registered chardev handle for 1 lines\n[   17.148421]  x27: 0000000000000000\n[   17.148422] x26: ffffffd301ff4298 x25: 0000000000000003 x24: 00000000000000f0\n[   17.148424] x23: 0000000000000000 x22: 00000000ffffffff x21: 0000000000000001\n[   17.148425] x20: ffffffffffffffd8 x19: ffffff80c0f25560 x18: 0000000000000000\n[   17.148427] x17: ffffffd33864e408 x16: ffffffd33808f7c8 x15: 0000000000200000\n[   17.232789] x14: e0cd73cf80ffffff x13: 50f2137c0a0338c9 x12: 0000000000000001\n[   17.239912] x11: 0000000080150011 x10: 0000000000000002 x9 : 0000000000000001\n[   17.247035] x8 : 0000000000000000 x7 : 0000000000008080 x6 : 8080000000000000\n[   17.254158] x5 : ffffffd33808ebc0 x4 : fffffffe033dcf20 x3 : 0000000080150011\n[   17.261281] x2 : ffffff8087a91400 x1 : 0000000000000000 x0 : ffffff80c0f25588\n[   17.268404] Call trace:\n[   17.270841]  usb_kill_anchored_urbs+0x60/0x168\n[   17.275274]  btusb_mtk_release_iso_intf+0x2c/0xd8 [btusb (HASH:5afe 6)]\n[   17.284226]  btusb_mtk_disconnect+0x14/0x28 [btusb (HASH:5afe 6)]\n[   17.292652]  btusb_disconnect+0x70/0x140 [btusb (HASH:5afe 6)]\n[   17.300818]  usb_unbind_interface+0xc4/0x240\n[   17.305079]  device_release_driver_internal+0x18c/0x258\n[   17.310296]  device_release_driver+0x1c/0x30\n[   17.314557]  bus_remove_device+0x140/0x160\n[   17.318643]  device_del+0x1c0/0x330\n[   17.322121]  usb_disable_device+0x80/0x180\n[   17.326207]  usb_disconnect+0xec/0x300\n[   17.329948]  hub_quiesce+0x80/0xd0\n[   17.333339]  hub_disconnect+0x44/0x190\n[   17.337078]  usb_unbind_interface+0xc4/0x240\n[   17.341337]  device_release_driver_internal+0x18c/0x258\n[   17.346551]  device_release_driver+0x1c/0x30\n[   17.350810]  usb_driver_release_interface+0x70/0x88\n[   17.355677]  proc_ioctl+0x13c/0x228\n[   17.359157]  proc_ioctl_default+0x50/0x80\n[   17.363155]  usbdev_ioctl+0x830/0xd08\n[   17.366808]  __arm64_sys_ioctl+0x94/0xd0\n[   17.370723]  invoke_syscall+0x6c/0xf8\n[   17.374377]  el0_svc_common+0x84/0xe0\n[   17.378030]  do_el0_svc+0x20/0x30\n[   17.381334]  el0_svc+0x34/0x60\n[   17.384382]  el0t_64_sync_handler+0x88/0xf0\n[   17.388554]  el0t_64_sync+0x180/0x188\n[   17.392208] Code: f9400677 f100a2f4 54fffea0 d503201f (b8350288)\n[   17.398289] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: Release resources at card release\n\nThe current 6fire code tries to release the resources right after the\ncall of usb6fire_chip_abort().  But at this moment, the card object\nmight be still in use (as we're calling snd_card_free_when_closed()).\n\nFor avoid potential UAFs, move the release of resources to the card's\nprivate_free instead of the manual call of usb6fire_chip_destroy() at\nthe USB disconnect callback.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netfront: fix crash when removing device\n\nWhen removing a netfront device directly after a suspend/resume cycle\nit might happen that the queues have not been setup again, causing a\ncrash during the attempt to stop the queues another time.\n\nFix that by checking the queues are existing before trying to stop\nthem.\n\nThis is XSA-465 / CVE-2024-53240.",
          "scorev2": "0.0",
          "scorev3": "5.7",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: don't do PV iret hypercall through hypercall page\n\nInstead of jumping to the Xen hypercall page for doing the iret\nhypercall, directly code the required sequence in xen-asm.S.\n\nThis is done in preparation of no longer using hypercall page at all,\nas it has shown to cause problems with speculation mitigations.\n\nThis is part of XSA-466 / CVE-2024-53241.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()\n\nUnder certain kernel configurations when building with Clang/LLVM, the\ncompiler does not generate a return or jump as the terminator\ninstruction for ip_vs_protocol_init(), triggering the following objtool\nwarning during build time:\n\n  vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()\n\nAt runtime, this either causes an oops when trying to load the ipvs\nmodule or a boot-time panic if ipvs is built-in. This same issue has\nbeen reported by the Intel kernel test robot previously.\n\nDigging deeper into both LLVM and the kernel code reveals this to be an\nundefined behavior problem. ip_vs_protocol_init() uses an on-stack buffer\nof 64 chars to store the registered protocol names and leaves it\nuninitialized after definition. The function calls strnlen() when\nconcatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE\nstrnlen() performs an extra step to check whether the last byte of the\ninput char buffer is a null character (commit 3009f891bb9f (\"fortify:\nAllow strlen() and strnlen() to pass compile-time known lengths\")).\nThis, together with possibly other configurations, causes the following\nIR to be generated:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section \".init.text\" align 16 !kcfi_type !29 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  14:                                               ; preds = %11\n    %15 = getelementptr inbounds i8, ptr %1, i64 63\n    %16 = load i8, ptr %15, align 1\n    %17 = tail call i1 @llvm.is.constant.i8(i8 %16)\n    %18 = icmp eq i8 %16, 0\n    %19 = select i1 %17, i1 %18, i1 false\n    br i1 %19, label %20, label %23\n\n  20:                                               ; preds = %14\n    %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23\n    ...\n\n  23:                                               ; preds = %14, %11, %20\n    %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24\n    ...\n  }\n\nThe above code calculates the address of the last char in the buffer\n(value %15) and then loads from it (value %16). Because the buffer is\nnever initialized, the LLVM GVN pass marks value %16 as undefined:\n\n  %13 = getelementptr inbounds i8, ptr %1, i64 63\n  br i1 undef, label %14, label %17\n\nThis gives later passes (SCCP, in particular) more DCE opportunities by\npropagating the undef value further, and eventually removes everything\nafter the load on the uninitialized stack location:\n\n  define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section \".init.text\" align 16 !kcfi_type !11 {\n    %1 = alloca [64 x i8], align 16\n    ...\n\n  12:                                               ; preds = %11\n    %13 = getelementptr inbounds i8, ptr %1, i64 63\n    unreachable\n  }\n\nIn this way, the generated native code will just fall through to the\nnext function, as LLVM does not generate any code for the unreachable IR\ninstruction and leaves the function without a terminator.\n\nZero the on-stack buffer to avoid this possible UB.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Don't overflow subsysnqn\n\nnvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed\nsize buffer, even though it is dynamically allocated to the size of the\nstring.\n\nCreate a new string with kstrndup instead of using the old buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: axp20x: AXP717: set ramp_delay\n\nAXP717 datasheet says that regulator ramp delay is 15.625 us/step,\nwhich is 10mV in our case.\n\nAdd an AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to\nexpand to AXP_DESC_RANGES_DELAY with ramp_delay = 0\n\nFor DCDC4, step is 100mV\n\nAdd an AXP_DESC_DELAY macro and update AXP_DESC macro to\nexpand to AXP_DESC_DELAY with ramp_delay = 0\n\nThis patch fixes crashes when using CPU DVFS.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: give up on paths longer than PATH_MAX\n\nIf the full path to be built by ceph_mdsc_build_path() happens to be\nlonger than PATH_MAX, then this function will enter an endless (retry)\nloop, effectively blocking the whole task.  Most of the machine\nbecomes unusable, making this a very simple and effective DoS\nvulnerability.\n\nI cannot imagine why this retry was ever implemented, but it seems\nrather useless and harmful to me.  Let's remove it and fail with\nENAMETOOLONG instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix IPIs usage in kfence_protect_page()\n\nflush_tlb_kernel_range() may use IPIs to flush the TLBs of all the\ncores, which triggers the following warning when the irqs are disabled:\n\n[    3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520\n[    3.456647] Modules linked in:\n[    3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1\n[    3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS\n[    3.457633] epc : smp_call_function_many_cond+0x452/0x520\n[    3.457736]  ra : on_each_cpu_cond_mask+0x1e/0x30\n[    3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50\n[    3.457824]  gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f\n[    3.457859]  t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10\n[    3.457920]  s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001\n[    3.457953]  a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000\n[    3.458006]  a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000\n[    3.458042]  s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0\n[    3.458076]  s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001\n[    3.458109]  s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001\n[    3.458141]  s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0\n[    3.458172]  t5 : 0000000000000000 t6 : ff200000000236d0\n[    3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003\n[    3.458373] [<ffffffff800b669a>] smp_call_function_many_cond+0x452/0x520\n[    3.458593] [<ffffffff800b67c2>] on_each_cpu_cond_mask+0x1e/0x30\n[    3.458625] [<ffffffff8000e4ca>] __flush_tlb_range+0x118/0x1ca\n[    3.458656] [<ffffffff8000e6b2>] flush_tlb_kernel_range+0x1e/0x26\n[    3.458683] [<ffffffff801ea56a>] kfence_protect+0xc0/0xce\n[    3.458717] [<ffffffff801e9456>] kfence_guarded_free+0xc6/0x1c0\n[    3.458742] [<ffffffff801e9d6c>] __kfence_free+0x62/0xc6\n[    3.458764] [<ffffffff801c57d8>] kfree+0x106/0x32c\n[    3.458786] [<ffffffff80588cf2>] detach_buf_split+0x188/0x1a8\n[    3.458816] [<ffffffff8058708c>] virtqueue_get_buf_ctx+0xb6/0x1f6\n[    3.458839] [<ffffffff805871da>] virtqueue_get_buf+0xe/0x16\n[    3.458880] [<ffffffff80613d6a>] virtblk_done+0x5c/0xe2\n[    3.458908] [<ffffffff8058766e>] vring_interrupt+0x6a/0x74\n[    3.458930] [<ffffffff800747d8>] __handle_irq_event_percpu+0x7c/0xe2\n[    3.458956] [<ffffffff800748f0>] handle_irq_event+0x3c/0x86\n[    3.458978] [<ffffffff800786cc>] handle_simple_irq+0x9e/0xbe\n[    3.459004] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a\n[    3.459027] [<ffffffff804bf87c>] imsic_handle_irq+0xba/0x120\n[    3.459056] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a\n[    3.459080] [<ffffffff804bdb76>] riscv_intc_aia_irq+0x24/0x34\n[    3.459103] [<ffffffff809d0452>] handle_riscv_irq+0x2e/0x4c\n[    3.459133] [<ffffffff809d923e>] call_on_irq_stack+0x32/0x40\n\nSo only flush the local TLB and let the lazy kfence page fault handling\ndeal with the faults which could happen when a core has an old protected\npte version cached in its TLB. That leads to potential inaccuracies which\ncan be tolerated when using kfence.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-53690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent use of deleted inode\n\nsyzbot reported a WARNING in nilfs_rmdir. [1]\n\nBecause the inode bitmap is corrupted, an inode with an inode number that\nshould exist as a \".nilfs\" file was reassigned by nilfs_mkdir for \"file0\",\ncausing an inode duplication during execution.  And this causes an\nunderflow of i_nlink in rmdir operations.\n\nThe inode is used twice by the same task to unmount and remove directories\n\".nilfs\" and \"file0\", which triggers the warning in nilfs_rmdir.\n\nTo avoid this issue, check i_nlink in nilfs_iget(); if it is 0, it means\nthat this inode has been deleted, and iput is executed to reclaim it.\n\n[1]\nWARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407\n...\nCall Trace:\n <TASK>\n nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342\n vfs_rmdir+0x3a3/0x510 fs/namei.c:4394\n do_rmdir+0x3b5/0x580 fs/namei.c:4453\n __do_sys_rmdir fs/namei.c:4472 [inline]\n __se_sys_rmdir fs/namei.c:4470 [inline]\n __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-53690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-54031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext\n\nAccess to genmask field in struct nft_set_ext results in unaligned\natomic read:\n\n[   72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c\n[   72.131036] Mem abort info:\n[   72.131213]   ESR = 0x0000000096000021\n[   72.131446]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   72.132209]   SET = 0, FnV = 0\n[   72.133216]   EA = 0, S1PTW = 0\n[   72.134080]   FSC = 0x21: alignment fault\n[   72.135593] Data abort info:\n[   72.137194]   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\n[   72.142351]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   72.145989]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000\n[   72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,\n+pte=0068000102bb7707\n[   72.163021] Internal error: Oops: 0000000096000021 [#1] SMP\n[...]\n[   72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G            E      6.13.0-rc3+ #2\n[   72.170509] Tainted: [E]=UNSIGNED_MODULE\n[   72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023\n[   72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[   72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]\n[   72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]\n[   72.172546] sp : ffff800081f2bce0\n[   72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038\n[   72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78\n[   72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78\n[   72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000\n[   72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978\n[   72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0\n[   72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000\n[   72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000\n[   72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000\n[   72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004\n[   72.176207] Call trace:\n[   72.176316]  nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)\n[   72.176653]  process_one_work+0x178/0x3d0\n[   72.176831]  worker_thread+0x200/0x3f0\n[   72.176995]  kthread+0xe8/0xf8\n[   72.177130]  ret_from_fork+0x10/0x20\n[   72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)\n[   72.177557] ---[ end trace 0000000000000000 ]---\n\nAlign struct nft_set_ext to word size to address this and\ndocument it.\n\npahole reports that this increases the size of elements for rhash and\npipapo in 8 bytes on x86_64.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.9"
        },
        {
          "id": "CVE-2024-54191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_conn_big_sync\n\nThis fixes the circular locking dependency warning below, by reworking\niso_sock_recvmsg, to ensure that the socket lock is always released\nbefore calling a function that locks hdev.\n\n[  561.670344] ======================================================\n[  561.670346] WARNING: possible circular locking dependency detected\n[  561.670349] 6.12.0-rc6+ #26 Not tainted\n[  561.670351] ------------------------------------------------------\n[  561.670353] iso-tester/3289 is trying to acquire lock:\n[  561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3},\n               at: iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670405]\n               but task is already holding lock:\n[  561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},\n               at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]\n[  561.670450]\n               which lock already depends on the new lock.\n\n[  561.670452]\n               the existing dependency chain (in reverse order) is:\n[  561.670453]\n               -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:\n[  561.670458]        lock_acquire+0x7c/0xc0\n[  561.670463]        lock_sock_nested+0x3b/0xf0\n[  561.670467]        bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]\n[  561.670510]        iso_sock_accept+0x271/0x830 [bluetooth]\n[  561.670547]        do_accept+0x3dd/0x610\n[  561.670550]        __sys_accept4+0xd8/0x170\n[  561.670553]        __x64_sys_accept+0x74/0xc0\n[  561.670556]        x64_sys_call+0x17d6/0x25f0\n[  561.670559]        do_syscall_64+0x87/0x150\n[  561.670563]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670567]\n               -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[  561.670571]        lock_acquire+0x7c/0xc0\n[  561.670574]        lock_sock_nested+0x3b/0xf0\n[  561.670577]        iso_sock_listen+0x2de/0xf30 [bluetooth]\n[  561.670617]        __sys_listen_socket+0xef/0x130\n[  561.670620]        __x64_sys_listen+0xe1/0x190\n[  561.670623]        x64_sys_call+0x2517/0x25f0\n[  561.670626]        do_syscall_64+0x87/0x150\n[  561.670629]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670632]\n               -> #0 (&hdev->lock){+.+.}-{3:3}:\n[  561.670636]        __lock_acquire+0x32ad/0x6ab0\n[  561.670639]        lock_acquire.part.0+0x118/0x360\n[  561.670642]        lock_acquire+0x7c/0xc0\n[  561.670644]        __mutex_lock+0x18d/0x12f0\n[  561.670647]        mutex_lock_nested+0x1b/0x30\n[  561.670651]        iso_conn_big_sync+0x73/0x260 [bluetooth]\n[  561.670687]        iso_sock_recvmsg+0x3e9/0x500 [bluetooth]\n[  561.670722]        sock_recvmsg+0x1d5/0x240\n[  561.670725]        sock_read_iter+0x27d/0x470\n[  561.670727]        vfs_read+0x9a0/0xd30\n[  561.670731]        ksys_read+0x1a8/0x250\n[  561.670733]        __x64_sys_read+0x72/0xc0\n[  561.670736]        x64_sys_call+0x1b12/0x25f0\n[  561.670738]        do_syscall_64+0x87/0x150\n[  561.670741]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  561.670744]\n               other info that might help us debug this:\n\n[  561.670745] Chain exists of:\n&hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH\n\n[  561.670751]  Possible unsafe locking scenario:\n\n[  561.670753]        CPU0                    CPU1\n[  561.670754]        ----                    ----\n[  561.670756]   lock(sk_lock-AF_BLUETOOTH);\n[  561.670758]                                lock(sk_lock\n                                              AF_BLUETOOTH-BTPROTO_ISO);\n[  561.670761]                                lock(sk_lock-AF_BLUETOOTH);\n[  561.670764]   lock(&hdev->lock);\n[  561.670767]\n                *** DEADLOCK ***",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.6"
        },
        {
          "id": "CVE-2024-54193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal()\n\nMove pm_runtime_set_active() to ivpu_pm_init() so when\nivpu_ipc_send_receive_internal() is executed before ivpu_pm_enable()\nit already has correct runtime state, even if last resume was\nnot successful.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-54455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix general protection fault in ivpu_bo_list()\n\nCheck if ctx is not NULL before accessing its fields.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54455",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-54456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix potential buffer overflow in nfs_sysfs_link_rpc_client()\n\nname is char[64] where the size of clnt->cl_program->name remains\nunknown. Invoking strcat() directly will also lead to potential buffer\noverflow. Change them to strscpy() and strncat() to fix potential\nissues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54456",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-54458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: bsg: Set bsg_queue to NULL after removal\n\nCurrently, this does not cause any issues, but I believe it is necessary to\nset bsg_queue to NULL after removing it to prevent potential use-after-free\n(UAF) access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54458",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-54460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Fix circular lock in iso_listen_bis\n\nThis fixes the circular locking dependency warning below, by\nreleasing the socket lock before entering iso_listen_bis, to\navoid any potential deadlock with hdev lock.\n\n[   75.307983] ======================================================\n[   75.307984] WARNING: possible circular locking dependency detected\n[   75.307985] 6.12.0-rc6+ #22 Not tainted\n[   75.307987] ------------------------------------------------------\n[   75.307987] kworker/u81:2/2623 is trying to acquire lock:\n[   75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO)\n               at: iso_connect_cfm+0x253/0x840 [bluetooth]\n[   75.308021]\n               but task is already holding lock:\n[   75.308022] ffff8fdd61a10078 (&hdev->lock)\n               at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[   75.308053]\n               which lock already depends on the new lock.\n\n[   75.308054]\n               the existing dependency chain (in reverse order) is:\n[   75.308055]\n               -> #1 (&hdev->lock){+.+.}-{3:3}:\n[   75.308057]        __mutex_lock+0xad/0xc50\n[   75.308061]        mutex_lock_nested+0x1b/0x30\n[   75.308063]        iso_sock_listen+0x143/0x5c0 [bluetooth]\n[   75.308085]        __sys_listen_socket+0x49/0x60\n[   75.308088]        __x64_sys_listen+0x4c/0x90\n[   75.308090]        x64_sys_call+0x2517/0x25f0\n[   75.308092]        do_syscall_64+0x87/0x150\n[   75.308095]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   75.308098]\n               -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:\n[   75.308100]        __lock_acquire+0x155e/0x25f0\n[   75.308103]        lock_acquire+0xc9/0x300\n[   75.308105]        lock_sock_nested+0x32/0x90\n[   75.308107]        iso_connect_cfm+0x253/0x840 [bluetooth]\n[   75.308128]        hci_connect_cfm+0x6c/0x190 [bluetooth]\n[   75.308155]        hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth]\n[   75.308180]        hci_le_meta_evt+0xe7/0x200 [bluetooth]\n[   75.308206]        hci_event_packet+0x21f/0x5c0 [bluetooth]\n[   75.308230]        hci_rx_work+0x3ae/0xb10 [bluetooth]\n[   75.308254]        process_one_work+0x212/0x740\n[   75.308256]        worker_thread+0x1bd/0x3a0\n[   75.308258]        kthread+0xe4/0x120\n[   75.308259]        ret_from_fork+0x44/0x70\n[   75.308261]        ret_from_fork_asm+0x1a/0x30\n[   75.308263]\n               other info that might help us debug this:\n\n[   75.308264]  Possible unsafe locking scenario:\n\n[   75.308264]        CPU0                CPU1\n[   75.308265]        ----                ----\n[   75.308265]   lock(&hdev->lock);\n[   75.308267]                            lock(sk_lock-\n                                                AF_BLUETOOTH-BTPROTO_ISO);\n[   75.308268]                            lock(&hdev->lock);\n[   75.308269]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);\n[   75.308270]\n                *** DEADLOCK ***\n\n[   75.308271] 4 locks held by kworker/u81:2/2623:\n[   75.308272]  #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0},\n                at: process_one_work+0x443/0x740\n[   75.308276]  #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)),\n                at: process_one_work+0x1ce/0x740\n[   75.308280]  #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3}\n                at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]\n[   75.308304]  #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2},\n                at: hci_connect_cfm+0x29/0x190 [bluetooth]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54460",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-54683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: IDLETIMER: Fix for possible ABBA deadlock\n\nDeletion of the last rule referencing a given idletimer may happen at\nthe same time as a read of its file in sysfs:\n\n| ======================================================\n| WARNING: possible circular locking dependency detected\n| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted\n| ------------------------------------------------------\n| iptables/3303 is trying to acquire lock:\n| ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20\n|\n| but task is already holding lock:\n| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]\n|\n| which lock already depends on the new lock.\n\nA simple reproducer is:\n\n| #!/bin/bash\n|\n| while true; do\n|         iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n|         iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label \"testme\"\n| done &\n| while true; do\n|         cat /sys/class/xt_idletimer/timers/testme >/dev/null\n| done\n\nAvoid this by freeing list_mutex right after deleting the element from\nthe list, then continuing with the teardown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-54683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-55639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: renesas: rswitch: avoid use-after-put for a device tree node\n\nThe device tree node saved in the rswitch_device structure is used at\nseveral driver locations. So passing this node to of_node_put() after\nthe first use is wrong.\n\nMove of_node_put() for this node to exit paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-55639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-55641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: unlock inodes when erroring out of xfs_trans_alloc_dir\n\nDebugging a filesystem patch with generic/475 caused the system to hang\nafter observing the following sequences in dmesg:\n\n XFS (dm-0): metadata I/O error in \"xfs_imap_to_bp+0x61/0xe0 [xfs]\" at daddr 0x491520 len 32 error 5\n XFS (dm-0): metadata I/O error in \"xfs_btree_read_buf_block+0xba/0x160 [xfs]\" at daddr 0x3445608 len 8 error 5\n XFS (dm-0): metadata I/O error in \"xfs_imap_to_bp+0x61/0xe0 [xfs]\" at daddr 0x138e1c0 len 32 error 5\n XFS (dm-0): log I/O error -5\n XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ea/0x4b0 [xfs] (fs/xfs/xfs_trans_buf.c:311).  Shutting down filesystem.\n XFS (dm-0): Please unmount the filesystem and rectify the problem(s)\n XFS (dm-0): Internal error dqp->q_ino.reserved < dqp->q_ino.count at line 869 of file fs/xfs/xfs_trans_dquot.c.  Caller xfs_trans_dqresv+0x236/0x440 [xfs]\n XFS (dm-0): Corruption detected. Unmount and run xfs_repair\n XFS (dm-0): Unmounting Filesystem be6bcbcc-9921-4deb-8d16-7cc94e335fa7\n\nThe system is stuck in unmount trying to lock a couple of inodes so that\nthey can be purged.  The dquot corruption notice above is a clue to what\nhappened -- a link() call tried to set up a transaction to link a child\ninto a directory.  Quota reservation for the transaction failed after IO\nerrors shut down the filesystem, but then we forgot to unlock the inodes\non our way out.  Fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-55641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-55642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Prevent potential deadlocks in zone write plug error recovery\n\nZone write plugging for handling writes to zones of a zoned block\ndevice always executes a zone report whenever a write BIO to a zone\nfails. The intent of this is to ensure that the tracking of a zone write\npointer is always correct to ensure that the alignment to a zone write\npointer of write BIOs can be checked on submission and that we can\nalways correctly emulate zone append operations using regular write\nBIOs.\n\nHowever, this error recovery scheme introduces a potential deadlock if a\ndevice queue freeze is initiated while BIOs are still plugged in a zone\nwrite plug and one of these write operations fails. In such case, the\ndisk zone write plug error recovery work is scheduled and executes a\nreport zone. This in turn can result in a request allocation in the\nunderlying driver to issue the report zones command to the device. But\nwith the device queue freeze already started, this allocation will\nblock, preventing the report zone execution and the continuation of the\nprocessing of the plugged BIOs. As plugged BIOs hold a queue usage\nreference, the queue freeze itself will never complete, resulting in a\ndeadlock.\n\nAvoid this problem by completely removing from the zone write plugging\ncode the use of report zones operations after a failed write operation,\ninstead relying on the device user to either execute a report zones,\nreset the zone, finish the zone, or give up writing to the device (which\nis a fairly common pattern for file systems which degrade to read-only\nafter write failures). This is not an unreasonable requirement as all\nwell-behaved applications, FSes and device mapper already use report\nzones to recover from write errors whenever possible by comparing the\ncurrent position of a zone write pointer with what their assumption\nabout the position is.\n\nThe changes to remove the automatic error recovery are as follows:\n - Completely remove the error recovery work and its associated\n   resources (zone write plug list head, disk error list, and disk\n   zone_wplugs_work work struct). This also removes the functions\n   disk_zone_wplug_set_error() and disk_zone_wplug_clear_error().\n\n - Change the BLK_ZONE_WPLUG_ERROR zone write plug flag into\n   BLK_ZONE_WPLUG_NEED_WP_UPDATE. This new flag is set for a zone write\n   plug whenever a write operation targeting the zone of the zone write\n   plug fails. This flag indicates that the zone write pointer offset is\n   not reliable and that it must be updated when the next report zone,\n   reset zone, finish zone or disk revalidation is executed.\n\n - Modify blk_zone_write_plug_bio_endio() to set the\n   BLK_ZONE_WPLUG_NEED_WP_UPDATE flag for the target zone of a failed\n   write BIO.\n\n - Modify the function disk_zone_wplug_set_wp_offset() to clear this\n   new flag, thus implementing recovery of a correct write pointer\n   offset with the reset (all) zone and finish zone operations.\n\n - Modify blkdev_report_zones() to always use the disk_report_zones_cb()\n   callback so that disk_zone_wplug_sync_wp_offset() can be called for\n   any zone marked with the BLK_ZONE_WPLUG_NEED_WP_UPDATE flag.\n   This implements recovery of a correct write pointer offset for zone\n   write plugs marked with BLK_ZONE_WPLUG_NEED_WP_UPDATE and within\n   the range of the report zones operation executed by the user.\n\n - Modify blk_revalidate_seq_zone() to call\n   disk_zone_wplug_sync_wp_offset() for all sequential write required\n   zones when a zoned block device is revalidated, thus always resolving\n   any inconsistency between the write pointer offset of zone write\n   plugs and the actual write pointer position of sequential zones.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-55642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-55881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Play nice with protected guests in complete_hypercall_exit()\n\nUse is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit\nhypercall when completing said hypercall.  For guests with protected state,\ne.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit\nmode as the vCPU state needed to detect 64-bit mode is unavailable.\n\nHacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE\nhypercall via VMGEXIT trips the WARN:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm]\n  Modules linked in: kvm_amd kvm ... [last unloaded: kvm]\n  CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470\n  Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024\n  RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm]\n   kvm_vcpu_ioctl+0x54f/0x630 [kvm]\n   __se_sys_ioctl+0x6b/0xc0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-55881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-55916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: util: Avoid accessing a ringbuffer not initialized yet\n\nIf the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is\nfully initialized, we can hit the panic below:\n\nhv_utils: Registering HyperV Utility Driver\nhv_vmbus: registering driver hv_utils\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1\nRIP: 0010:hv_pkt_iter_first+0x12/0xd0\nCall Trace:\n...\n vmbus_recvpacket\n hv_kvp_onchannelcallback\n vmbus_on_event\n tasklet_action_common\n tasklet_action\n handle_softirqs\n irq_exit_rcu\n sysvec_hyperv_stimer0\n </IRQ>\n <TASK>\n asm_sysvec_hyperv_stimer0\n...\n kvp_register_done\n hvt_op_read\n vfs_read\n ksys_read\n __x64_sys_read\n\nThis can happen because the KVP/VSS channel callback can be invoked\neven before the channel is fully opened:\n1) as soon as hv_kvp_init() -> hvutil_transport_init() creates\n/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and\nregister itself to the driver by writing a message KVP_OP_REGISTER1 to the\nfile (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and\nreading the file for the driver's response, which is handled by\nhvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().\n\n2) the problem with kvp_register_done() is that it can cause the\nchannel callback to be called even before the channel is fully opened,\nand when the channel callback is starting to run, util_probe()->\nvmbus_open() may have not initialized the ringbuffer yet, so the\ncallback can hit the panic of NULL pointer dereference.\n\nTo reproduce the panic consistently, we can add a \"ssleep(10)\" for KVP in\n__vmbus_open(), just before the first hv_ringbuffer_init(), and then we\nunload and reload the driver hv_utils, and run the daemon manually within\nthe 10 seconds.\n\nFix the panic by reordering the steps in util_probe() so the char dev\nentry used by the KVP or VSS daemon is not created until after\nvmbus_open() has completed. This reordering prevents the race condition\nfrom happening.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-55916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix overflow in __rb_map_vma\n\nAn overflow occurred when performing the following calculation:\n\n   nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff;\n\nAdd a check before the calculation to avoid this problem.\n\nsyzbot reported this as a slab-out-of-bounds in __rb_map_vma:\n\nBUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058\nRead of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836\n\nCPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:489\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058\n ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138\n tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482\n call_mmap include/linux/fs.h:2183 [inline]\n mmap_file mm/internal.h:124 [inline]\n __mmap_new_file_vma mm/vma.c:2291 [inline]\n __mmap_new_vma mm/vma.c:2355 [inline]\n __mmap_region+0x1786/0x2670 mm/vma.c:2456\n mmap_region+0x127/0x320 mm/mmap.c:1348\n do_mmap+0xc00/0xfc0 mm/mmap.c:496\n vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580\n ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542\n __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]\n __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]\n __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe reproducer for this bug is:\n\n------------------------8<-------------------------\n #include <fcntl.h>\n #include <stdlib.h>\n #include <unistd.h>\n #include <asm/types.h>\n #include <sys/mman.h>\n\n int main(int argc, char **argv)\n {\n\tint page_size = getpagesize();\n\tint fd;\n\tvoid *meta;\n\n\tsystem(\"echo 1 > /sys/kernel/tracing/buffer_size_kb\");\n\tfd = open(\"/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw\", O_RDONLY);\n\n\tmeta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);\n }\n------------------------>8-------------------------",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56368",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/modes: Avoid divide by zero harder in drm_mode_vrefresh()\n\ndrm_mode_vrefresh() is trying to avoid divide by zero\nby checking whether htotal or vtotal are zero. But we may\nstill end up with a div-by-zero of vtotal*htotal*...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56369",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: fix tun_napi_alloc_frags()\n\nsyzbot reported the following crash [1]\n\nIssue came with the blamed commit. Instead of going through\nall the iov components, we keep using the first one\nand end up with a malformed skb.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2849 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6230 Comm: syz-executor132 Not tainted 6.13.0-rc1-syzkaller-00407-g96b6fcc0ee41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n RIP: 0010:__pskb_pull_tail+0x1568/0x1570 net/core/skbuff.c:2848\nCode: 38 c1 0f 8c 32 f1 ff ff 4c 89 f7 e8 92 96 74 f8 e9 25 f1 ff ff e8 e8 ae 09 f8 48 8b 5c 24 08 e9 eb fb ff ff e8 d9 ae 09 f8 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffc90004cbef30 EFLAGS: 00010293\nRAX: ffffffff8995c347 RBX: 00000000fffffff2 RCX: ffff88802cf45a00\nRDX: 0000000000000000 RSI: 00000000fffffff2 RDI: 0000000000000000\nRBP: ffff88807df0c06a R08: ffffffff8995b084 R09: 1ffff1100fbe185c\nR10: dffffc0000000000 R11: ffffed100fbe185d R12: ffff888076e85d50\nR13: ffff888076e85c80 R14: ffff888076e85cf4 R15: ffff888076e85c80\nFS:  00007f0dca6ea6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0dca6ead58 CR3: 00000000119da000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  skb_cow_data+0x2da/0xcb0 net/core/skbuff.c:5284\n  tipc_aead_decrypt net/tipc/crypto.c:894 [inline]\n  tipc_crypto_rcv+0x402/0x24e0 net/tipc/crypto.c:1844\n  tipc_rcv+0x57e/0x12a0 net/tipc/node.c:2109\n  tipc_l2_rcv_msg+0x2bd/0x450 net/tipc/bearer.c:668\n  __netif_receive_skb_list_ptype net/core/dev.c:5720 [inline]\n  __netif_receive_skb_list_core+0x8b7/0x980 net/core/dev.c:5762\n  __netif_receive_skb_list net/core/dev.c:5814 [inline]\n  netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5905\n  gro_normal_list include/net/gro.h:515 [inline]\n  napi_complete_done+0x2b5/0x870 net/core/dev.c:6256\n  napi_complete include/linux/netdevice.h:567 [inline]\n  tun_get_user+0x2ea0/0x4890 drivers/net/tun.c:1982\n  tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2057\n do_iter_readv_writev+0x600/0x880\n  vfs_writev+0x376/0xba0 fs/read_write.c:1050\n  do_writev+0x1b6/0x360 fs/read_write.c:1096\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56372",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: Use snd_card_free_when_closed() at disconnection\n\nThe USB disconnect callback is supposed to be short and not too-long\nwaiting.  OTOH, the current code uses snd_card_free() at\ndisconnection, but this waits for the close of all used fds, hence it\ncan take long.  It eventually blocks the upper layer USB ioctls, which\nmay trigger a soft lockup.\n\nAn easy workaround is to replace snd_card_free() with\nsnd_card_free_when_closed().  This variant returns immediately while\nthe release of resources is done asynchronously by the card device\nrelease at the last close.\n\nThis patch also splits the code to the disconnect and the free phases;\nthe former is called immediately at the USB disconnect callback while\nthe latter is called from the card destructor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56531",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: us122l: Use snd_card_free_when_closed() at disconnection\n\nThe USB disconnect callback is supposed to be short and not too-long\nwaiting.  OTOH, the current code uses snd_card_free() at\ndisconnection, but this waits for the close of all used fds, hence it\ncan take long.  It eventually blocks the upper layer USB ioctls, which\nmay trigger a soft lockup.\n\nAn easy workaround is to replace snd_card_free() with\nsnd_card_free_when_closed().  This variant returns immediately while\nthe release of resources is done asynchronously by the card device\nrelease at the last close.\n\nThe loop of us122l->mmap_count check is dropped as well.  The check is\nuseless for the asynchronous operation with *_when_closed().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56532",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usx2y: Use snd_card_free_when_closed() at disconnection\n\nThe USB disconnect callback is supposed to be short and not too-long\nwaiting.  OTOH, the current code uses snd_card_free() at\ndisconnection, but this waits for the close of all used fds, hence it\ncan take long.  It eventually blocks the upper layer USB ioctls, which\nmay trigger a soft lockup.\n\nAn easy workaround is to replace snd_card_free() with\nsnd_card_free_when_closed().  This variant returns immediately while\nthe release of resources is done asynchronously by the card device\nrelease at the last close.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56533",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: avoid memory leak in iocharset\n\nA memleak was found as below:\n\nunreferenced object 0xffff0000d10164d8 (size 8):\n  comm \"pool-udisksd\", pid 108217, jiffies 4295408555\n  hex dump (first 8 bytes):\n    75 74 66 38 00 cc cc cc                          utf8....\n  backtrace (crc de430d31):\n    [<ffff800081046e6c>] kmemleak_alloc+0xb8/0xc8\n    [<ffff8000803e6c3c>] __kmalloc_node_track_caller_noprof+0x380/0x474\n    [<ffff800080363b74>] kstrdup+0x70/0xfc\n    [<ffff80007bb3c6a4>] isofs_parse_param+0x228/0x2c0 [isofs]\n    [<ffff8000804d7f68>] vfs_parse_fs_param+0xf4/0x164\n    [<ffff8000804d8064>] vfs_parse_fs_string+0x8c/0xd4\n    [<ffff8000804d815c>] vfs_parse_monolithic_sep+0xb0/0xfc\n    [<ffff8000804d81d8>] generic_parse_monolithic+0x30/0x3c\n    [<ffff8000804d8bfc>] parse_monolithic_mount_data+0x40/0x4c\n    [<ffff8000804b6a64>] path_mount+0x6c4/0x9ec\n    [<ffff8000804b6e38>] do_mount+0xac/0xc4\n    [<ffff8000804b7494>] __arm64_sys_mount+0x16c/0x2b0\n    [<ffff80008002b8dc>] invoke_syscall+0x7c/0x104\n    [<ffff80008002ba44>] el0_svc_common.constprop.1+0xe0/0x104\n    [<ffff80008002ba94>] do_el0_svc+0x2c/0x38\n    [<ffff800081041108>] el0_svc+0x3c/0x1b8\n\nThe opt->iocharset is freed inside the isofs_fill_super function,\nBut there may be situations where it's not possible to\nenter this function.\n\nFor example, in the get_tree_bdev_flags function,when\nencountering the situation where \"Can't mount, would change RO state,\"\nIn such a case, isofs_fill_super will not have the opportunity\nto be called,which means that opt->iocharset will not have the chance\nto be freed,ultimately leading to a memory leak.\n\nLet's move the memory freeing of opt->iocharset into\nisofs_free_fc function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56534",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: coex: check NULL return of kmalloc in btc_fw_set_monreg()\n\nkmalloc may fail, return value might be NULL and will cause\nNULL pointer dereference. Add check NULL return of kmalloc in\nbtc_fw_set_monreg().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56535",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cw1200: Fix potential NULL dereference\n\nA recent refactoring was identified by static analysis to\ncause a potential NULL dereference, fix this!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56536",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: xlnx: zynqmp_disp: layer may be null while releasing\n\nlayer->info can be null if we have an error on the first layer in\nzynqmp_disp_create_layers",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56537",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_kms: Unplug DRM device before removal\n\nPrevent userspace accesses to the DRM device from causing\nuse-after-frees by unplugging the device before we remove it. This\ncauses any further userspace accesses to result in an error without\nfurther calls into this driver's internals.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56538",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()\n\nReplace one-element array with a flexible-array member in `struct\nmwifiex_ie_types_wildcard_ssid_params` to fix the following warning\non a MT8173 Chromebook (mt8173-elm-hana):\n\n[  356.775250] ------------[ cut here ]------------\n[  356.784543] memcpy: detected field-spanning write (size 6) of single field \"wildcard_ssid_tlv->ssid\" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)\n[  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]\n\nThe \"(size 6)\" above is exactly the length of the SSID of the network\nthis device was connected to. The source of the warning looks like:\n\n    ssid_len = user_scan_in->ssid_list[i].ssid_len;\n    [...]\n    memcpy(wildcard_ssid_tlv->ssid,\n           user_scan_in->ssid_list[i].ssid, ssid_len);\n\nThere is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this\nstruct, but it already didn't account for the size of the one-element\narray, so it doesn't need to be changed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56539",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Prevent recovery invocation during probe and resume\n\nRefactor IPC send and receive functions to allow correct\nhandling of operations that should not trigger a recovery process.\n\nExpose ivpu_send_receive_internal(), which is now utilized by the D0i3\nentry, DCT initialization, and HWS initialization functions.\nThese functions have been modified to return error codes gracefully,\nrather than initiating recovery.\n\nThe updated functions are invoked within ivpu_probe() and ivpu_resume(),\nensuring that any errors encountered during these stages result in a proper\nteardown or shutdown sequence. The previous approach of triggering recovery\nwithin these functions could lead to a race condition, potentially causing\nundefined behavior and kernel crashes due to null pointer dereferences.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56540",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()\n\nDuring ath12k module removal, in ath12k_core_deinit(),\nath12k_mac_destroy() un-registers ah->hw from mac80211 and frees\nthe ah->hw as well as all the ar's in it. After this\nath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()\ntries to access one of the freed ar's from pending skb.\n\nThis is because during mac destroy, driver failed to flush few\ndata packets, which were accessed later in ath12k_dp_cc_cleanup()\nand freed, but using ar from the packet led to this use-after-free.\n\nBUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\nWrite of size 4 at addr ffff888150bd3514 by task modprobe/8926\nCPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted\n6.11.0-rc2-wt-ath+ #1746\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS\nHNKBLi70.86A.0067.2021.0528.1339 05/28/2021\n\nCall Trace:\n  <TASK>\n  dump_stack_lvl+0x7d/0xe0\n  print_address_description.constprop.0+0x33/0x3a0\n  print_report+0xb5/0x260\n  ? kasan_addr_to_slab+0x24/0x80\n  kasan_report+0xd8/0x110\n  ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  kasan_check_range+0xf3/0x1a0\n  __kasan_check_write+0x14/0x20\n  ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]\n  ath12k_dp_free+0x178/0x420 [ath12k]\n  ath12k_core_stop+0x176/0x200 [ath12k]\n  ath12k_core_deinit+0x13f/0x210 [ath12k]\n  ath12k_pci_remove+0xad/0x1c0 [ath12k]\n  pci_device_remove+0x9b/0x1b0\n  device_remove+0xbf/0x150\n  device_release_driver_internal+0x3c3/0x580\n  ? __kasan_check_read+0x11/0x20\n  driver_detach+0xc4/0x190\n  bus_remove_driver+0x130/0x2a0\n  driver_unregister+0x68/0x90\n  pci_unregister_driver+0x24/0x240\n  ? find_module_all+0x13e/0x1e0\n  ath12k_pci_exit+0x10/0x20 [ath12k]\n  __do_sys_delete_module+0x32c/0x580\n  ? module_flags+0x2f0/0x2f0\n  ? kmem_cache_free+0xf0/0x410\n  ? __fput+0x56f/0xab0\n  ? __fput+0x56f/0xab0\n  ? debug_smp_processor_id+0x17/0x20\n  __x64_sys_delete_module+0x4f/0x70\n  x64_sys_call+0x522/0x9f0\n  do_syscall_64+0x64/0x130\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f8182c6ac8b\n\nCommit 24de1b7b231c (\"wifi: ath12k: fix flush failure in recovery\nscenarios\") added the change to decrement the pending packets count\nin case of recovery which make sense as ah->hw as well all\nar's in it are intact during recovery, but during core deinit there\nis no use in decrementing packets count or waking up the empty waitq\nas the module is going to be removed also ar's from pending skb's\ncan't be used and the packets should just be released back.\n\nTo fix this, avoid accessing ar from skb->cb when driver is being\nunregistered.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56541",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a memleak issue when driver is removed\n\nRunning \"modprobe amdgpu\" the second time (followed by a modprobe -r\namdgpu) causes a call trace like:\n\n[  845.212163] Memory manager not clean during takedown.\n[  845.212170] WARNING: CPU: 4 PID: 2481 at drivers/gpu/drm/drm_mm.c:999 drm_mm_takedown+0x2b/0x40\n[  845.212177] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amddrm_buddy(OE) amdxcp(OE) amd_sched(OE) drm_exec drm_suballoc_helper drm_display_helper i2c_algo_bit amdttm(OE) amdkcl(OE) cec rc_core sunrpc qrtr intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi edac_mce_amd snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_usb_audio snd_hda_codec snd_usbmidi_lib kvm_amd snd_hda_core snd_ump mc snd_hwdep kvm snd_pcm snd_seq_midi snd_seq_midi_event irqbypass crct10dif_pclmul snd_rawmidi polyval_clmulni polyval_generic ghash_clmulni_intel sha256_ssse3 sha1_ssse3 snd_seq aesni_intel crypto_simd snd_seq_device cryptd snd_timer mfd_aaeon asus_nb_wmi eeepc_wmi joydev asus_wmi snd ledtrig_audio sparse_keymap ccp wmi_bmof input_leds k10temp i2c_piix4 platform_profile rapl soundcore gpio_amdpt mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid ahci xhci_pci igc crc32_pclmul libahci xhci_pci_renesas video\n[  845.212284]  wmi [last unloaded: amddrm_ttm_helper(OE)]\n[  845.212290] CPU: 4 PID: 2481 Comm: modprobe Tainted: G        W  OE      6.8.0-31-generic #31-Ubuntu\n[  845.212296] RIP: 0010:drm_mm_takedown+0x2b/0x40\n[  845.212300] Code: 1f 44 00 00 48 8b 47 38 48 83 c7 38 48 39 f8 75 09 31 c0 31 ff e9 90 2e 86 00 55 48 c7 c7 d0 f6 8e 8a 48 89 e5 e8 f5 db 45 ff <0f> 0b 5d 31 c0 31 ff e9 74 2e 86 00 66 0f 1f 84 00 00 00 00 00 90\n[  845.212302] RSP: 0018:ffffb11302127ae0 EFLAGS: 00010246\n[  845.212305] RAX: 0000000000000000 RBX: ffff92aa5020fc08 RCX: 0000000000000000\n[  845.212307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  845.212309] RBP: ffffb11302127ae0 R08: 0000000000000000 R09: 0000000000000000\n[  845.212310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004\n[  845.212312] R13: ffff92aa50200000 R14: ffff92aa5020fb10 R15: ffff92aa5020faa0\n[  845.212313] FS:  0000707dd7c7c080(0000) GS:ffff92b93de00000(0000) knlGS:0000000000000000\n[  845.212316] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  845.212318] CR2: 00007d48b0aee200 CR3: 0000000115a58000 CR4: 0000000000f50ef0\n[  845.212320] PKRU: 55555554\n[  845.212321] Call Trace:\n[  845.212323]  <TASK>\n[  845.212328]  ? show_regs+0x6d/0x80\n[  845.212333]  ? __warn+0x89/0x160\n[  845.212339]  ? drm_mm_takedown+0x2b/0x40\n[  845.212344]  ? report_bug+0x17e/0x1b0\n[  845.212350]  ? handle_bug+0x51/0xa0\n[  845.212355]  ? exc_invalid_op+0x18/0x80\n[  845.212359]  ? asm_exc_invalid_op+0x1b/0x20\n[  845.212366]  ? drm_mm_takedown+0x2b/0x40\n[  845.212371]  amdgpu_gtt_mgr_fini+0xa9/0x130 [amdgpu]\n[  845.212645]  amdgpu_ttm_fini+0x264/0x340 [amdgpu]\n[  845.212770]  amdgpu_bo_fini+0x2e/0xc0 [amdgpu]\n[  845.212894]  gmc_v12_0_sw_fini+0x2a/0x40 [amdgpu]\n[  845.213036]  amdgpu_device_fini_sw+0x11a/0x590 [amdgpu]\n[  845.213159]  amdgpu_driver_release_kms+0x16/0x40 [amdgpu]\n[  845.213302]  devm_drm_dev_init_release+0x5e/0x90\n[  845.213305]  devm_action_release+0x12/0x30\n[  845.213308]  release_nodes+0x42/0xd0\n[  845.213311]  devres_release_all+0x97/0xe0\n[  845.213314]  device_unbind_cleanup+0x12/0x80\n[  845.213317]  device_release_driver_internal+0x230/0x270\n[  845.213319]  ? srso_alias_return_thunk+0x5/0xfbef5\n\nThis is caused by lost memory during early init phase. First time driver\nis removed, memory is freed but when second time the driver is inserted,\nVBIOS dmub is not active, since the PSP policy is to retain the driver\nloaded version on subsequent warm boots. Hence, communication with VBIOS\nDMUB fails.\n\nFix this by aborting further comm\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56542",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Skip Rx TID cleanup for self peer\n\nDuring peer create, dp setup for the peer is done where Rx TID is\nupdated for all the TIDs. Peer object for self peer will not go through\ndp setup.\n\nWhen core halts, dp cleanup is done for all the peers. While cleanup,\nrx_tid::ab is accessed which causes below stack trace for self peer.\n\nWARNING: CPU: 6 PID: 12297 at drivers/net/wireless/ath/ath12k/dp_rx.c:851\nCall Trace:\n__warn+0x7b/0x1a0\nath12k_dp_rx_frags_cleanup+0xd2/0xe0 [ath12k]\nreport_bug+0x10b/0x200\nhandle_bug+0x3f/0x70\nexc_invalid_op+0x13/0x60\nasm_exc_invalid_op+0x16/0x20\nath12k_dp_rx_frags_cleanup+0xd2/0xe0 [ath12k]\nath12k_dp_rx_frags_cleanup+0xca/0xe0 [ath12k]\nath12k_dp_rx_peer_tid_cleanup+0x39/0xa0 [ath12k]\nath12k_mac_peer_cleanup_all+0x61/0x100 [ath12k]\nath12k_core_halt+0x3b/0x100 [ath12k]\nath12k_core_reset+0x494/0x4c0 [ath12k]\n\nsta object in peer will be updated when remote peer is created. Hence\nuse peer::sta to detect the self peer and skip the cleanup.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56543",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: change folios array from kmalloc to kvmalloc\n\nWhen PAGE_SIZE 4096, MAX_PAGE_ORDER 10, 64bit machine,\npage_alloc only support 4MB.\nIf above this, trigger this warn and return NULL.\n\nudmabuf can change size limit, if change it to 3072(3GB), and then alloc\n3GB udmabuf, will fail create.\n\n[ 4080.876581] ------------[ cut here ]------------\n[ 4080.876843] WARNING: CPU: 3 PID: 2015 at mm/page_alloc.c:4556 __alloc_pages+0x2c8/0x350\n[ 4080.878839] RIP: 0010:__alloc_pages+0x2c8/0x350\n[ 4080.879470] Call Trace:\n[ 4080.879473]  <TASK>\n[ 4080.879473]  ? __alloc_pages+0x2c8/0x350\n[ 4080.879475]  ? __warn.cold+0x8e/0xe8\n[ 4080.880647]  ? __alloc_pages+0x2c8/0x350\n[ 4080.880909]  ? report_bug+0xff/0x140\n[ 4080.881175]  ? handle_bug+0x3c/0x80\n[ 4080.881556]  ? exc_invalid_op+0x17/0x70\n[ 4080.881559]  ? asm_exc_invalid_op+0x1a/0x20\n[ 4080.882077]  ? udmabuf_create+0x131/0x400\n\nBecause MAX_PAGE_ORDER, kmalloc can max alloc 4096 * (1 << 10), 4MB\nmemory, each array entry is pointer(8byte), so can save 524288 pages(2GB).\n\nFurther more, costly order(order 3) may not be guaranteed that it can be\napplied for, due to fragmentation.\n\nThis patch change udmabuf array use kvmalloc_array, this can fallback\nalloc into vmalloc, which can guarantee allocation for any size and does\nnot affect the performance of kmalloc allocations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56544",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: streamline driver probe to avoid devres issues\n\nIt was found that unloading 'hid_hyperv' module results in a devres\ncomplaint:\n\n ...\n hv_vmbus: unregistering driver hid_hyperv\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 3983 at drivers/base/devres.c:691 devres_release_group+0x1f2/0x2c0\n ...\n Call Trace:\n  <TASK>\n  ? devres_release_group+0x1f2/0x2c0\n  ? __warn+0xd1/0x1c0\n  ? devres_release_group+0x1f2/0x2c0\n  ? report_bug+0x32a/0x3c0\n  ? handle_bug+0x53/0xa0\n  ? exc_invalid_op+0x18/0x50\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? devres_release_group+0x1f2/0x2c0\n  ? devres_release_group+0x90/0x2c0\n  ? rcu_is_watching+0x15/0xb0\n  ? __pfx_devres_release_group+0x10/0x10\n  hid_device_remove+0xf5/0x220\n  device_release_driver_internal+0x371/0x540\n  ? klist_put+0xf3/0x170\n  bus_remove_device+0x1f1/0x3f0\n  device_del+0x33f/0x8c0\n  ? __pfx_device_del+0x10/0x10\n  ? cleanup_srcu_struct+0x337/0x500\n  hid_destroy_device+0xc8/0x130\n  mousevsc_remove+0xd2/0x1d0 [hid_hyperv]\n  device_release_driver_internal+0x371/0x540\n  driver_detach+0xc5/0x180\n  bus_remove_driver+0x11e/0x2a0\n  ? __mutex_unlock_slowpath+0x160/0x5e0\n  vmbus_driver_unregister+0x62/0x2b0 [hv_vmbus]\n  ...\n\nAnd the issue seems to be that the corresponding devres group is not\nallocated. Normally, devres_open_group() is called from\n__hid_device_probe() but Hyper-V HID driver overrides 'hid_dev->driver'\nwith 'mousevsc_hid_driver' stub and basically re-implements\n__hid_device_probe() by calling hid_parse() and hid_hw_start() but not\ndevres_open_group(). hid_device_probe() does not call __hid_device_probe()\nfor it. Later, when the driver is removed, hid_device_remove() calls\ndevres_release_group() as it doesn't check whether hdev->driver was\ninitially overridden or not.\n\nThe issue seems to be related to the commit 62c68e7cee33 (\"HID: ensure\ntimely release of driver-allocated resources\") but the commit itself seems\nto be correct.\n\nFix the issue by dropping the 'hid_dev->driver' override and using\nhid_register_driver()/hid_unregister_driver() instead. Alternatively, it\nwould have been possible to rely on the default handling but\nHID_CONNECT_DEFAULT implies HID_CONNECT_HIDRAW and it doesn't seem to work\nfor mousevsc as-is.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56545",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: soc: xilinx: add the missing kfree in xlnx_add_cb_for_suspend()\n\nIf we fail to allocate memory for cb_data by kmalloc, the memory\nallocation for eve_data is never freed, add the missing kfree()\nin the error handling path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56546",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nCurrently, running rcutorture test with torture_type=rcu fwd_progress=8\nn_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60\ntest_boost=2, will trigger the following warning:\n\n\tWARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0\n\tRIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t Call Trace:\n\t  <TASK>\n\t  ? __warn+0x7e/0x120\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  ? report_bug+0x18e/0x1a0\n\t  ? handle_bug+0x3d/0x70\n\t  ? exc_invalid_op+0x18/0x70\n\t  ? asm_exc_invalid_op+0x1a/0x20\n\t  ? rcu_nocb_rdp_deoffload+0x292/0x2a0\n\t  rcu_nocb_cpu_deoffload+0x70/0xa0\n\t  rcu_nocb_toggle+0x136/0x1c0\n\t  ? __pfx_rcu_nocb_toggle+0x10/0x10\n\t  kthread+0xd1/0x100\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork+0x2f/0x50\n\t  ? __pfx_kthread+0x10/0x10\n\t  ret_from_fork_asm+0x1a/0x30\n\t  </TASK>\n\nCPU0                               CPU2                          CPU3\n//rcu_nocb_toggle             //nocb_cb_wait                   //rcutorture\n\n// deoffload CPU1             // process CPU1's rdp\nrcu_barrier()\n    rcu_segcblist_entrain()\n        rcu_segcblist_add_len(1);\n        // len == 2\n        // enqueue barrier\n        // callback to CPU1's\n        // rdp->cblist\n                             rcu_do_batch()\n                                 // invoke CPU1's rdp->cblist\n                                 // callback\n                                 rcu_barrier_callback()\n                                                             rcu_barrier()\n                                                               mutex_lock(&rcu_state.barrier_mutex);\n                                                               // still see len == 2\n                                                               // enqueue barrier callback\n                                                               // to CPU1's rdp->cblist\n                                                               rcu_segcblist_entrain()\n                                                                   rcu_segcblist_add_len(1);\n                                                                   // len == 3\n                                 // decrement len\n                                 rcu_segcblist_add_len(-2);\n                             kthread_parkme()\n\n// CPU1's rdp->cblist len == 1\n// Warn because there is\n// still a pending barrier\n// trigger warning\nWARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));\ncpus_read_unlock();\n\n                                                                // wait CPU1 to comes online and\n                                                                // invoke barrier callback on\n                                                                // CPU1 rdp's->cblist\n                                                                wait_for_completion(&rcu_state.barrier_completion);\n// deoffload CPU4\ncpus_read_lock()\n  rcu_barrier()\n    mutex_lock(&rcu_state.barrier_mutex);\n    // block on barrier_mutex\n    // wait rcu_barrier() on\n    // CPU3 to unlock barrier_mutex\n    // but CPU3 unlock barrier_mutex\n    // need to wait CPU1 comes online\n    // when CPU1 going online will block on cpus_write_lock\n\nThe above scenario will not only trigger a WARN_ON_ONCE(), but also\ntrigger a deadlock.\n\nThanks to nocb locking, a second racing rcu_barrier() on an offline CPU\nwill either observe the decremented callback counter down to 0 and spare\nthe callback enqueue, or rcuo will observe the new callback and keep\nrdp->nocb_cb_sleep to false.\n\nTherefore check rdp->nocb_cb_sleep before parking to make sure no\nfurther rcu_barrier() is waiting on the rdp.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56547",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: don't query the device logical block size multiple times\n\nDevices block sizes may change. One of these cases is a loop device by\nusing ioctl LOOP_SET_BLOCK_SIZE.\n\nWhile this may cause other issues like IO being rejected, in the case of\nhfsplus, it will allocate a block by using that size and potentially write\nout-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the\nlatter function reads a different io_size.\n\nUsing a new min_io_size initally set to sb_min_blocksize works for the\npurposes of the original fix, since it will be set to the max between\nHFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the\nmax between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not\ninitialized.\n\nTested by mounting an hfsplus filesystem with loop block sizes 512, 1024\nand 4096.\n\nThe produced KASAN report before the fix looks like this:\n\n[  419.944641] ==================================================================\n[  419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a\n[  419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678\n[  419.947612]\n[  419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84\n[  419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[  419.950035] Call Trace:\n[  419.950384]  <TASK>\n[  419.950676]  dump_stack_lvl+0x57/0x78\n[  419.951212]  ? hfsplus_read_wrapper+0x659/0xa0a\n[  419.951830]  print_report+0x14c/0x49e\n[  419.952361]  ? __virt_addr_valid+0x267/0x278\n[  419.952979]  ? kmem_cache_debug_flags+0xc/0x1d\n[  419.953561]  ? hfsplus_read_wrapper+0x659/0xa0a\n[  419.954231]  kasan_report+0x89/0xb0\n[  419.954748]  ? hfsplus_read_wrapper+0x659/0xa0a\n[  419.955367]  hfsplus_read_wrapper+0x659/0xa0a\n[  419.955948]  ? __pfx_hfsplus_read_wrapper+0x10/0x10\n[  419.956618]  ? do_raw_spin_unlock+0x59/0x1a9\n[  419.957214]  ? _raw_spin_unlock+0x1a/0x2e\n[  419.957772]  hfsplus_fill_super+0x348/0x1590\n[  419.958355]  ? hlock_class+0x4c/0x109\n[  419.958867]  ? __pfx_hfsplus_fill_super+0x10/0x10\n[  419.959499]  ? __pfx_string+0x10/0x10\n[  419.960006]  ? lock_acquire+0x3e2/0x454\n[  419.960532]  ? bdev_name.constprop.0+0xce/0x243\n[  419.961129]  ? __pfx_bdev_name.constprop.0+0x10/0x10\n[  419.961799]  ? pointer+0x3f0/0x62f\n[  419.962277]  ? __pfx_pointer+0x10/0x10\n[  419.962761]  ? vsnprintf+0x6c4/0xfba\n[  419.963178]  ? __pfx_vsnprintf+0x10/0x10\n[  419.963621]  ? setup_bdev_super+0x376/0x3b3\n[  419.964029]  ? snprintf+0x9d/0xd2\n[  419.964344]  ? __pfx_snprintf+0x10/0x10\n[  419.964675]  ? lock_acquired+0x45c/0x5e9\n[  419.965016]  ? set_blocksize+0x139/0x1c1\n[  419.965381]  ? sb_set_blocksize+0x6d/0xae\n[  419.965742]  ? __pfx_hfsplus_fill_super+0x10/0x10\n[  419.966179]  mount_bdev+0x12f/0x1bf\n[  419.966512]  ? __pfx_mount_bdev+0x10/0x10\n[  419.966886]  ? vfs_parse_fs_string+0xce/0x111\n[  419.967293]  ? __pfx_vfs_parse_fs_string+0x10/0x10\n[  419.967702]  ? __pfx_hfsplus_mount+0x10/0x10\n[  419.968073]  legacy_get_tree+0x104/0x178\n[  419.968414]  vfs_get_tree+0x86/0x296\n[  419.968751]  path_mount+0xba3/0xd0b\n[  419.969157]  ? __pfx_path_mount+0x10/0x10\n[  419.969594]  ? kmem_cache_free+0x1e2/0x260\n[  419.970311]  do_mount+0x99/0xe0\n[  419.970630]  ? __pfx_do_mount+0x10/0x10\n[  419.971008]  __do_sys_mount+0x199/0x1c9\n[  419.971397]  do_syscall_64+0xd0/0x135\n[  419.971761]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  419.972233] RIP: 0033:0x7c3cb812972e\n[  419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48\n[  419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5\n[  419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e\n[  419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56548",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Fix NULL pointer dereference in object->file\n\nAt present, the object->file has the NULL pointer dereference problem in\nondemand-mode. The root cause is that the allocated fd and object->file\nlifetime are inconsistent, and the user-space invocation to anon_fd uses\nobject->file. Following is the process that triggers the issue:\n\n\t  [write fd]\t\t\t\t[umount]\ncachefiles_ondemand_fd_write_iter\n\t\t\t\t       fscache_cookie_state_machine\n\t\t\t\t\t cachefiles_withdraw_cookie\n  if (!file) return -ENOBUFS\n\t\t\t\t\t   cachefiles_clean_up_object\n\t\t\t\t\t     cachefiles_unmark_inode_in_use\n\t\t\t\t\t     fput(object->file)\n\t\t\t\t\t     object->file = NULL\n  // file NULL pointer dereference!\n  __cachefiles_write(..., file, ...)\n\nFix this issue by add an additional reference count to the object->file\nbefore write/llseek, and decrement after it finished.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56549",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/stacktrace: Use break instead of return statement\n\narch_stack_walk_user_common() contains a return statement instead of a\nbreak statement in case store_ip() fails while trying to store a callchain\nentry of a user space process.\nThis may lead to a missing pagefault_enable() call.\n\nIf this happens any subsequent page fault of the process won't be resolved\nby the page fault handler and this in turn will lead to the process being\nkilled.\n\nUse a break instead of a return statement to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56550",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix usage slab after free\n\n[  +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]\n[  +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147\n\n[  +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1\n[  +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000016] Call Trace:\n[  +0.000008]  <TASK>\n[  +0.000009]  dump_stack_lvl+0x76/0xa0\n[  +0.000017]  print_report+0xce/0x5f0\n[  +0.000017]  ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]\n[  +0.000019]  ? srso_return_thunk+0x5/0x5f\n[  +0.000015]  ? kasan_complete_mode_report_info+0x72/0x200\n[  +0.000016]  ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]\n[  +0.000019]  kasan_report+0xbe/0x110\n[  +0.000015]  ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]\n[  +0.000023]  __asan_report_load8_noabort+0x14/0x30\n[  +0.000014]  drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_write+0x14/0x30\n[  +0.000016]  ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched]\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_write+0x14/0x30\n[  +0.000013]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? enable_work+0x124/0x220\n[  +0.000015]  ? __pfx_enable_work+0x10/0x10\n[  +0.000013]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? free_large_kmalloc+0x85/0xf0\n[  +0.000016]  drm_sched_entity_destroy+0x18/0x30 [gpu_sched]\n[  +0.000020]  amdgpu_vce_sw_fini+0x55/0x170 [amdgpu]\n[  +0.000735]  ? __kasan_check_read+0x11/0x20\n[  +0.000016]  vce_v4_0_sw_fini+0x80/0x110 [amdgpu]\n[  +0.000726]  amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu]\n[  +0.000679]  ? mutex_unlock+0x80/0xe0\n[  +0.000017]  ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu]\n[  +0.000662]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_check_write+0x14/0x30\n[  +0.000013]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? mutex_unlock+0x80/0xe0\n[  +0.000016]  amdgpu_driver_release_kms+0x16/0x80 [amdgpu]\n[  +0.000663]  drm_minor_release+0xc9/0x140 [drm]\n[  +0.000081]  drm_release+0x1fd/0x390 [drm]\n[  +0.000082]  __fput+0x36c/0xad0\n[  +0.000018]  __fput_sync+0x3c/0x50\n[  +0.000014]  __x64_sys_close+0x7d/0xe0\n[  +0.000014]  x64_sys_call+0x1bc6/0x2680\n[  +0.000014]  do_syscall_64+0x70/0x130\n[  +0.000014]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? irqentry_exit_to_user_mode+0x60/0x190\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? irqentry_exit+0x43/0x50\n[  +0.000012]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? exc_page_fault+0x7c/0x110\n[  +0.000015]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000014] RIP: 0033:0x7ffff7b14f67\n[  +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff\n[  +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003\n[  +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67\n[  +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003\n[  +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000\n[  +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8\n[  +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040\n[  +0.000020]  </TASK>\n\n[  +0.000016] Allocated by task 383 on cpu 7 at 26.880319s:\n[  +0.000014]  kasan_save_stack+0x28/0x60\n[  +0.000008]  kasan_save_track+0x18/0x70\n[  +0.000007]  kasan_save_alloc_info+0x38/0x60\n[  +0.000007]  __kasan_kmalloc+0xc1/0xd0\n[  +0.000007]  kmalloc_trace_noprof+0x180/0x380\n[  +0.000007]  drm_sched_init+0x411/0xec0 [gpu_sched]\n[  +0.000012]  amdgpu_device_init+0x695f/0xa610 [amdgpu]\n[  +0.000658]  amdgpu_driver_load_kms+0x1a/0x120 [amdgpu]\n[  +0.000662]  amdgpu_pci_p\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56551",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc_submit: fix race around suspend_pending\n\nCurrently in some testcases we can trigger:\n\nxe 0000:03:00.0: [drm] Assertion `exec_queue_destroyed(q)` failed!\n....\nWARNING: CPU: 18 PID: 2640 at drivers/gpu/drm/xe/xe_guc_submit.c:1826 xe_guc_sched_done_handler+0xa54/0xef0 [xe]\nxe 0000:03:00.0: [drm] *ERROR* GT1: DEREGISTER_DONE: Unexpected engine state 0x00a1, guc_id=57\n\nLooking at a snippet of corresponding ftrace for this GuC id we can see:\n\n162.673311: xe_sched_msg_add:     dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673317: xe_sched_msg_recv:    dev=0000:03:00.0, gt=1 guc_id=57, opcode=3\n162.673319: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674089: xe_exec_queue_kill:   dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0x29, flags=0x0\n162.674108: xe_exec_queue_close:  dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.674488: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa9, flags=0x0\n162.678452: xe_exec_queue_deregister: dev=0000:03:00.0, 1:0x2, gt=1, width=1, guc_id=57, guc_state=0xa1, flags=0x0\n\nIt looks like we try to suspend the queue (opcode=3), setting\nsuspend_pending and triggering a disable_scheduling. The user then\ncloses the queue. However the close will also forcefully signal the\nsuspend fence after killing the queue, later when the G2H response for\ndisable_scheduling comes back we have now cleared suspend_pending when\nsignalling the suspend fence, so the disable_scheduling now incorrectly\ntries to also deregister the queue. This leads to warnings since the queue\nhas yet to even be marked for destruction. We also seem to trigger\nerrors later with trying to double unregister the same queue.\n\nTo fix this tweak the ordering when handling the response to ensure we\ndon't race with a disable_scheduling that didn't actually intend to\nperform an unregister.  The destruction path should now also correctly\nwait for any pending_disable before marking as destroyed.\n\n(cherry picked from commit f161809b362f027b6d72bd998e47f8f0bad60a2e)",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56552",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix memleak of proc->delivered_freeze\n\nIf a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION\nbefore calling binder_freeze_notification_done(), then it is detached\nfrom its reference (e.g. ref->freeze) but the work remains queued in\nproc->delivered_freeze. This leads to a memory leak when the process\nexits as any pending entries in proc->delivered_freeze are not freed:\n\n  unreferenced object 0xffff38e8cfa36180 (size 64):\n    comm \"binder-util\", pid 655, jiffies 4294936641\n    hex dump (first 32 bytes):\n      b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff  .....8.......8..\n      0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00  ........<.K.....\n    backtrace (crc 95983b32):\n      [<000000000d0582cf>] kmemleak_alloc+0x34/0x40\n      [<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280\n      [<00000000313b1704>] binder_thread_write+0xdec/0x439c\n      [<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc\n      [<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190\n      [<00000000b439adee>] invoke_syscall+0x6c/0x254\n      [<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230\n      [<0000000084f72311>] do_el0_svc+0x40/0x58\n      [<000000008b872457>] el0_svc+0x38/0x78\n      [<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c\n      [<00000000a8ec61bf>] el0t_64_sync+0x190/0x194\n\nThis patch fixes the leak by ensuring that any pending entries in\nproc->delivered_freeze are freed during binder_deferred_release().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56553",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix freeze UAF in binder_release_work()\n\nWhen a binder reference is cleaned up, any freeze work queued in the\nassociated process should also be removed. Otherwise, the reference is\nfreed while its ref->freeze.work is still queued in proc->work leading\nto a use-after-free issue as shown by the following KASAN report:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0\n  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211\n\n  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   binder_release_work+0x398/0x3d0\n   binder_deferred_func+0xb60/0x109c\n   process_one_work+0x51c/0xbd4\n   worker_thread+0x608/0xee8\n\n  Allocated by task 703:\n   __kmalloc_cache_noprof+0x130/0x280\n   binder_thread_write+0xdb4/0x42a0\n   binder_ioctl+0x18f0/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n   invoke_syscall+0x6c/0x254\n\n  Freed by task 211:\n   kfree+0xc4/0x230\n   binder_deferred_func+0xae8/0x109c\n   process_one_work+0x51c/0xbd4\n   worker_thread+0x608/0xee8\n  ==================================================================\n\nThis commit fixes the issue by ensuring any queued freeze work is removed\nwhen cleaning up a binder reference.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56554",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix OOB in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc->nodes with the\nproc->inner_lock held. However, this lock is temporarily dropped to\nacquire the node->lock first (lock nesting order). This can race with\nbinder_deferred_release() which removes the nodes from the proc->nodes\nrbtree and adds them into binder_dead_nodes list. This leads to a broken\niteration in binder_add_freeze_work() as rb_next() will use data from\nbinder_dead_nodes, triggering an out-of-bounds access:\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124\n  Read of size 8 at addr ffffcb84285f7170 by task freeze/660\n\n  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   rb_next+0xfc/0x124\n   binder_add_freeze_work+0x344/0x534\n   binder_ioctl+0x1e70/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  The buggy address belongs to the variable:\n   binder_dead_nodes+0x10/0x40\n  [...]\n  ==================================================================\n\nThis is possible because proc->nodes (rbtree) and binder_dead_nodes\n(list) share entries in binder_node through a union:\n\n\tstruct binder_node {\n\t[...]\n\t\tunion {\n\t\t\tstruct rb_node rb_node;\n\t\t\tstruct hlist_node dead_node;\n\t\t};\n\nFix the race by checking that the proc is still alive. If not, simply\nbreak out of the iteration.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56555",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix node UAF in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc->nodes with the\nproc->inner_lock held. However, this lock is temporarily dropped in\norder to acquire the node->lock first (lock nesting order). This can\nrace with binder_node_release() and trigger a use-after-free:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c\n  Write of size 4 at addr ffff53c04c29dd04 by task freeze/640\n\n  CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   _raw_spin_lock+0xe4/0x19c\n   binder_add_freeze_work+0x148/0x478\n   binder_ioctl+0x1e70/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  Allocated by task 637:\n   __kmalloc_cache_noprof+0x12c/0x27c\n   binder_new_node+0x50/0x700\n   binder_transaction+0x35ac/0x6f74\n   binder_thread_write+0xfb8/0x42a0\n   binder_ioctl+0x18f0/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  Freed by task 637:\n   kfree+0xf0/0x330\n   binder_thread_read+0x1e88/0x3a68\n   binder_ioctl+0x16d8/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n  ==================================================================\n\nFix the race by taking a temporary reference on the node before\nreleasing the proc->inner lock. This ensures the node remains alive\nwhile in use.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56556",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer\n\nThe AD7923 was updated to support devices with 8 channels, but the size\nof tx_buf and ring_xfer was not increased accordingly, leading to a\npotential buffer overflow in ad7923_update_scan_mode().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: make sure exp active before svc_export_show\n\nThe function `e_show` was called with protection from RCU. This only\nensures that `exp` will not be freed. Therefore, the reference count for\n`exp` can drop to zero, which will trigger a refcount use-after-free\nwarning when `exp_get` is called. To resolve this issue, use\n`cache_get_rcu` to ensure that `exp` remains active.\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 3 PID: 819 at lib/refcount.c:25\nrefcount_warn_saturate+0xb1/0x120\nCPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb1/0x120\n...\nCall Trace:\n <TASK>\n e_show+0x20b/0x230 [nfsd]\n seq_read_iter+0x589/0x770\n seq_read+0x1e5/0x270\n vfs_read+0x125/0x530\n ksys_read+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56558",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: combine all TLB flush operations of KASAN shadow virtual address into one operation\n\nWhen compiling kernel source 'make -j $(nproc)' with the up-and-running\nKASAN-enabled kernel on a 256-core machine, the following soft lockup is\nshown:\n\nwatchdog: BUG: soft lockup - CPU#28 stuck for 22s! [kworker/28:1:1760]\nCPU: 28 PID: 1760 Comm: kworker/28:1 Kdump: loaded Not tainted 6.10.0-rc5 #95\nWorkqueue: events drain_vmap_area_work\nRIP: 0010:smp_call_function_many_cond+0x1d8/0xbb0\nCode: 38 c8 7c 08 84 c9 0f 85 49 08 00 00 8b 45 08 a8 01 74 2e 48 89 f1 49 89 f7 48 c1 e9 03 41 83 e7 07 4c 01 e9 41 83 c7 03 f3 90 <0f> b6 01 41 38 c7 7c 08 84 c0 0f 85 d4 06 00 00 8b 45 08 a8 01 75\nRSP: 0018:ffffc9000cb3fb60 EFLAGS: 00000202\nRAX: 0000000000000011 RBX: ffff8883bc4469c0 RCX: ffffed10776e9949\nRDX: 0000000000000002 RSI: ffff8883bb74ca48 RDI: ffffffff8434dc50\nRBP: ffff8883bb74ca40 R08: ffff888103585dc0 R09: ffff8884533a1800\nR10: 0000000000000004 R11: ffffffffffffffff R12: ffffed1077888d39\nR13: dffffc0000000000 R14: ffffed1077888d38 R15: 0000000000000003\nFS:  0000000000000000(0000) GS:ffff8883bc400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005577b5c8d158 CR3: 0000000004850000 CR4: 0000000000350ef0\nCall Trace:\n <IRQ>\n ? watchdog_timer_fn+0x2cd/0x390\n ? __pfx_watchdog_timer_fn+0x10/0x10\n ? __hrtimer_run_queues+0x300/0x6d0\n ? sched_clock_cpu+0x69/0x4e0\n ? __pfx___hrtimer_run_queues+0x10/0x10\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get_update_offsets_now+0x7f/0x2a0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? hrtimer_interrupt+0x2ca/0x760\n ? __sysvec_apic_timer_interrupt+0x8c/0x2b0\n ? sysvec_apic_timer_interrupt+0x6a/0x90\n </IRQ>\n <TASK>\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? smp_call_function_many_cond+0x1d8/0xbb0\n ? __pfx_do_kernel_range_flush+0x10/0x10\n on_each_cpu_cond_mask+0x20/0x40\n flush_tlb_kernel_range+0x19b/0x250\n ? srso_return_thunk+0x5/0x5f\n ? kasan_release_vmalloc+0xa7/0xc0\n purge_vmap_node+0x357/0x820\n ? __pfx_purge_vmap_node+0x10/0x10\n __purge_vmap_area_lazy+0x5b8/0xa10\n drain_vmap_area_work+0x21/0x30\n process_one_work+0x661/0x10b0\n worker_thread+0x844/0x10e0\n ? srso_return_thunk+0x5/0x5f\n ? __kthread_parkme+0x82/0x140\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x2a5/0x370\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nDebugging Analysis:\n\n  1. The following ftrace log shows that the lockup CPU spends too much\n     time iterating vmap_nodes and flushing TLB when purging vm_area\n     structures. (Some info is trimmed).\n\n     kworker: funcgraph_entry:              |  drain_vmap_area_work() {\n     kworker: funcgraph_entry:              |   mutex_lock() {\n     kworker: funcgraph_entry:  1.092 us    |     __cond_resched();\n     kworker: funcgraph_exit:   3.306 us    |   }\n     ...                                        ...\n     kworker: funcgraph_entry:              |    flush_tlb_kernel_range() {\n     ...                                          ...\n     kworker: funcgraph_exit: # 7533.649 us |    }\n     ...                                          ...\n     kworker: funcgraph_entry:  2.344 us    |   mutex_unlock();\n     kworker: funcgraph_exit: $ 23871554 us | }\n\n     The drain_vmap_area_work() spends over 23 seconds.\n\n     There are 2805 flush_tlb_kernel_range() calls in the ftrace log.\n       * One is called in __purge_vmap_area_lazy().\n       * Others are called by purge_vmap_node->kasan_release_vmalloc.\n         purge_vmap_node() iteratively releases kasan vmalloc\n         allocations and flushes TLB for each vmap_area.\n           - [Rough calculation] Each flush_tlb_kernel_range() runs\n             about 7.5ms.\n               -- 2804 * 7.5ms = 21.03 seconds.\n               -- That's why a soft lockup is triggered.\n\n  2. Extending the soft lockup time can work around the issue (For example,\n     # echo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: Fix too strict alignment check in create_cache()\n\nOn m68k, where the minimum alignment of unsigned long is 2 bytes:\n\n    Kernel panic - not syncing: __kmem_cache_create_args: Failed to create slab 'io_kiocb'. Error -22\n    CPU: 0 UID: 0 PID: 1 Comm: swapper Not tainted 6.12.0-atari-03776-g7eaa1f99261a #1783\n    Stack from 0102fe5c:\n\t    0102fe5c 00514a2b 00514a2b ffffff00 00000001 0051f5ed 00425e78 00514a2b\n\t    0041eb74 ffffffea 00000310 0051f5ed ffffffea ffffffea 00601f60 00000044\n\t    0102ff20 000e7a68 0051ab8e 004383b8 0051f5ed ffffffea 000000b8 00000007\n\t    01020c00 00000000 000e77f0 0041e5f0 005f67c0 0051f5ed 000000b6 0102fef4\n\t    00000310 0102fef4 00000000 00000016 005f676c 0060a34c 00000010 00000004\n\t    00000038 0000009a 01000000 000000b8 005f668e 0102e000 00001372 0102ff88\n    Call Trace: [<00425e78>] dump_stack+0xc/0x10\n     [<0041eb74>] panic+0xd8/0x26c\n     [<000e7a68>] __kmem_cache_create_args+0x278/0x2e8\n     [<000e77f0>] __kmem_cache_create_args+0x0/0x2e8\n     [<0041e5f0>] memset+0x0/0x8c\n     [<005f67c0>] io_uring_init+0x54/0xd2\n\nThe minimal alignment of an integral type may differ from its size,\nhence it is not safe to assume that an arbitrary freeptr_t (which is\nbasically an unsigned long) is always aligned to 4 or 8 bytes.\n\nAs nothing seems to require the additional alignment, it is safe to fix\nthis by relaxing the check to the actual minimum alignment of freeptr_t.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()\n\npci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI\ndomain ID, but there are two issues:\n\n  - 'epc->dev' is passed to pci_bus_release_domain_nr() which was already\n    freed by device_unregister(), leading to a use-after-free issue.\n\n  - Domain ID corresponds to the EPC device parent, so passing 'epc->dev'\n    is also wrong.\n\nFix these issues by passing 'epc->dev.parent' to\npci_bus_release_domain_nr() and also do it before device_unregister().\n\n[mani: reworded subject and description]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()\n\nif (dev->boardinfo && dev->boardinfo->init_dyn_addr)\n                                      ^^^ here check \"init_dyn_addr\"\n\ti3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, ...)\n\t\t\t\t\t\t             ^^^^\n\t\t\t\t\t\t\tfree \"dyn_addr\"\nFix copy/paste error \"dyn_addr\" by replacing it with \"init_dyn_addr\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix cred leak in ceph_mds_check_access()\n\nget_current_cred() increments the reference counter, but the\nput_cred() call was missing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: pass cred pointer to ceph_mds_auth_match()\n\nThis eliminates a redundant get_current_cred() call, because\nceph_mds_check_access() has already obtained this pointer.\n\nAs a side effect, this also fixes a reference leak in\nceph_mds_auth_match(): by omitting the get_current_cred() call, no\nadditional cred reference is taken.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to drop all discards after creating snapshot on lvm device\n\nPiergiorgio reported a bug in bugzilla as below:\n\n------------[ cut here ]------------\nWARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330\nRIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs]\nCall Trace:\n __issue_discard_cmd+0x1ca/0x350 [f2fs]\n issue_discard_thread+0x191/0x480 [f2fs]\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nw/ below testcase, it can reproduce this bug quickly:\n- pvcreate /dev/vdb\n- vgcreate myvg1 /dev/vdb\n- lvcreate -L 1024m -n mylv1 myvg1\n- mount /dev/myvg1/mylv1 /mnt/f2fs\n- dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20\n- sync\n- rm /mnt/f2fs/file\n- sync\n- lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1\n- umount /mnt/f2fs\n\nThe root cause is: it will update discard_max_bytes of mounted lvm\ndevice to zero after creating snapshot on this lvm device, then,\n__submit_discard_cmd() will pass parameter @nr_sects w/ zero value\nto __blkdev_issue_discard(), it returns a NULL bio pointer, resulting\nin a panic.\n\nThis patch changes as below for fixing:\n1. Let's drop all remaining discards in f2fs_unfreeze() if snapshot\nof lvm device is created.\n2. Checking discard_max_bytes before submitting discard during\n__submit_discard_cmd().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: Avoid list corruption when removing a slab from the full list\n\nBoot with slub_debug=UFPZ.\n\nIf allocated object failed in alloc_consistency_checks, all objects of\nthe slab will be marked as used, and then the slab will be removed from\nthe partial list.\n\nWhen an object belonging to the slab got freed later, the remove_full()\nfunction is called. Because the slab is neither on the partial list nor\non the full list, it eventually leads to a list corruption (actually a\nlist poison being detected).\n\nSo we need to mark and isolate the slab page with metadata corruption,\ndo not put it back in circulation.\n\nBecause the debug caches avoid all the fastpaths, reusing the frozen bit\nto mark the slab page with metadata corruption seems to be fine.\n\n[ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100)\n[ 4277.387023] ------------[ cut here ]------------\n[ 4277.387880] kernel BUG at lib/list_debug.c:56!\n[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G           OE      6.6.1-1 #1\n[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]\n[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91\n[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082\n[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000\n[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff\n[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0\n[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910\n[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0\n[ 4277.404049] FS:  0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000\n[ 4277.405357] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0\n[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4277.410000] PKRU: 55555554\n[ 4277.410645] Call Trace:\n[ 4277.411234]  <TASK>\n[ 4277.411777]  ? die+0x32/0x80\n[ 4277.412439]  ? do_trap+0xd6/0x100\n[ 4277.413150]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.414158]  ? do_error_trap+0x6a/0x90\n[ 4277.414948]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.415915]  ? exc_invalid_op+0x4c/0x60\n[ 4277.416710]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.417675]  ? asm_exc_invalid_op+0x16/0x20\n[ 4277.418482]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.419466]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.420410]  free_to_partial_list+0x515/0x5e0\n[ 4277.421242]  ? xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.422298]  xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.423316]  ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.424383]  xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]\n[ 4277.425490]  __xfs_bunmapi+0x50d/0x840 [xfs]\n[ 4277.426445]  xfs_itruncate_extents_flags+0x13a/0x490 [xfs]\n[ 4277.427553]  xfs_inactive_truncate+0xa3/0x120 [xfs]\n[ 4277.428567]  xfs_inactive+0x22d/0x290 [xfs]\n[ 4277.429500]  xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.430479]  process_one_work+0x171/0x340\n[ 4277.431227]  worker_thread+0x277/0x390\n[ 4277.431962]  ? __pfx_worker_thread+0x10/0x10\n[ 4277.432752]  kthread+0xf0/0x120\n[ 4277.433382]  ? __pfx_kthread+0x10/0x10\n[ 4277.434134]  ret_from_fork+0x2d/0x50\n[ 4277.434837]  ? __pfx_kthread+0x10/0x10\n[ 4277.435566]  ret_from_fork_asm+0x1b/0x30\n[ 4277.436280]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nad7780: fix division by zero in ad7780_write_raw()\n\nIn ad7780_write_raw(), val2 can be zero, which might lead to a\ndivision by zero error in DIV_ROUND_CLOSEST(). The ad7780_write_raw()\nis based on iio_info's write_raw. While val is explicitly declared as\npossibly zero (in read mode), val2 is not specified to be non-zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Defer probe of clients after smmu device bound\n\nNull pointer dereference occurs due to a race between smmu\ndriver probe and client driver probe, when of_dma_configure()\nfor client is called after the iommu_device_register() for smmu driver\nprobe has executed but before the driver_bound() for smmu driver\nhas been called.\n\nFollowing is how the race occurs:\n\nT1:Smmu device probe\t\tT2: Client device probe\n\nreally_probe()\narm_smmu_device_probe()\niommu_device_register()\n\t\t\t\t\treally_probe()\n\t\t\t\t\tplatform_dma_configure()\n\t\t\t\t\tof_dma_configure()\n\t\t\t\t\tof_dma_configure_id()\n\t\t\t\t\tof_iommu_configure()\n\t\t\t\t\tiommu_probe_device()\n\t\t\t\t\tiommu_init_device()\n\t\t\t\t\tarm_smmu_probe_device()\n\t\t\t\t\tarm_smmu_get_by_fwnode()\n\t\t\t\t\t\tdriver_find_device_by_fwnode()\n\t\t\t\t\t\tdriver_find_device()\n\t\t\t\t\t\tnext_device()\n\t\t\t\t\t\tklist_next()\n\t\t\t\t\t\t    /* null ptr\n\t\t\t\t\t\t       assigned to smmu */\n\t\t\t\t\t/* null ptr dereference\n\t\t\t\t\t   while smmu->streamid_mask */\ndriver_bound()\n\tklist_add_tail()\n\nWhen this null smmu pointer is dereferenced later in\narm_smmu_probe_device, the device crashes.\n\nFix this by deferring the probe of the client device\nuntil the smmu device has bound to the arm smmu driver.\n\n[will: Add comment]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix regression with module command in stack_trace_filter\n\nWhen executing the following command:\n\n    # echo \"write*:mod:ext3\" > /sys/kernel/tracing/stack_trace_filter\n\nThe current mod command causes a null pointer dereference. While commit\n0f17976568b3f (\"ftrace: Fix regression with module command in stack_trace_filter\")\nhas addressed part of the issue, it left a corner case unhandled, which still\nresults in a kernel crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: Filter invalid inodes with missing lookup function\n\nAdd a check to the ovl_dentry_weird() function to prevent the\nprocessing of directory inodes that lack the lookup function.\nThis is important because such inodes can cause errors in overlayfs\nwhen passed to the lowerstack.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()\n\nThe buffer in the loop should be released under the exception path,\notherwise there may be a memory leak here.\n\nTo mitigate this, free the buffer when allegro_alloc_buffer fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/libstub: Free correct pointer on failure\n\ncmdline_ptr is an out parameter, which is not allocated by the function\nitself, and likely points into the caller's stack.\n\ncmdline refers to the pool allocation that should be freed when cleaning\nup after a failure, so pass this instead to free_pool().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ts2020: fix null-ptr-deref in ts2020_probe()\n\nKASAN reported a null-ptr-deref issue when executing the following\ncommand:\n\n  # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device\n    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n    CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n    RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]\n    RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202\n    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809\n    RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010\n    RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6\n    R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790\n    R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001\n    FS:  00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n     <TASK>\n     ts2020_probe+0xad/0xe10 [ts2020]\n     i2c_device_probe+0x421/0xb40\n     really_probe+0x266/0x850\n    ...\n\nThe cause of the problem is that when using sysfs to dynamically register\nan i2c device, there is no platform data, but the probe process of ts2020\nneeds to use platform data, resulting in a null pointer being accessed.\n\nSolve this problem by adding checks to platform data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Ensure power suppliers be suspended before detach them\n\nThe power suppliers are always requested to suspend asynchronously, and\ndev_pm_domain_detach() requires the caller to ensure proper\nsynchronization of this function with power management callbacks.\nOtherwise the detach may lead to a kernel panic, like below:\n\n[ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040\n[ 1457.116777] Mem abort info:\n[ 1457.119589]   ESR = 0x0000000096000004\n[ 1457.123358]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1457.128692]   SET = 0, FnV = 0\n[ 1457.131764]   EA = 0, S1PTW = 0\n[ 1457.134920]   FSC = 0x04: level 0 translation fault\n[ 1457.139812] Data abort info:\n[ 1457.142707]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 1457.148196]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 1457.153256]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000\n[ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000\n[ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec]\n[ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66\n[ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT)\n[ 1457.199236] Workqueue: pm pm_runtime_work\n[ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290\n[ 1457.214886] lr : __rpm_callback+0x48/0x1d8\n[ 1457.218968] sp : ffff80008250bc50\n[ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000\n[ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240\n[ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008\n[ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff\n[ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674\n[ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002\n[ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0\n[ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000\n[ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000\n[ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000\n[ 1457.293510] Call trace:\n[ 1457.295946]  genpd_runtime_suspend+0x20/0x290\n[ 1457.300296]  __rpm_callback+0x48/0x1d8\n[ 1457.304038]  rpm_callback+0x6c/0x78\n[ 1457.307515]  rpm_suspend+0x10c/0x570\n[ 1457.311077]  pm_runtime_work+0xc4/0xc8\n[ 1457.314813]  process_one_work+0x138/0x248\n[ 1457.318816]  worker_thread+0x320/0x438\n[ 1457.322552]  kthread+0x110/0x114\n[ 1457.325767]  ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56575",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix crash in the probe error path when using polling\n\nIf an error occurs in the probe() function, we should remove the polling\ntimer that was alarmed earlier, otherwise the timer is called with\narguments that are already freed, which results in a crash.\n\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268\nModules linked in:\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226\nHardware name: Diasom DS-RK3568-SOM-EVB (DT)\npstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __run_timers+0x244/0x268\nlr : __run_timers+0x1d4/0x268\nsp : ffffff80eff2baf0\nx29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00\nx26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00\nx23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000\nx20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff\nx17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e\nx14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000\nx11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009\nx8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480\nx5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240\nx2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0\nCall 
trace:\n __run_timers+0x244/0x268\n timer_expire_remote+0x50/0x68\n tmigr_handle_remote+0x388/0x39c\n run_timer_softirq+0x38/0x44\n handle_softirqs+0x138/0x298\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x24/0x4c\n do_softirq_own_stack+0x1c/0x2c\n irq_exit_rcu+0x9c/0xcc\n el1_interrupt+0x48/0xc0\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x7c/0x80\n default_idle_call+0x34/0x68\n do_idle+0x23c/0x294\n cpu_startup_entry+0x38/0x3c\n secondary_start_kernel+0x128/0x160\n __secondary_switched+0xb8/0xbc\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix null-ptr-deref during unload module\n\nThe workqueue should be destroyed in mtk_jpeg_core.c since commit\n09aea13ecf6f (\"media: mtk-jpeg: refactor some variables\"), otherwise\nthe below calltrace can be easily triggered.\n\n[  677.862514] Unable to handle kernel paging request at virtual address dfff800000000023\n[  677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\n...\n[  677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G           O       6.8.12-mtk+gfa1a78e5d24b+ #17\n...\n[  677.882838] pc : destroy_workqueue+0x3c/0x770\n[  677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.884314] sp : ffff80008ad974f0\n[  677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070\n[  677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690\n[  677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000\n[  677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0\n[  677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10\n[  677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d\n[  677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90\n[  677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001\n[  677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000\n[  677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118\n[  677.893977] Call trace:\n[  677.894297]  destroy_workqueue+0x3c/0x770\n[  677.894826]  mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.895677]  devm_action_release+0x50/0x90\n[  677.896211]  release_nodes+0xe8/0x170\n[  677.896688]  devres_release_all+0xf8/0x178\n[  677.897219]  device_unbind_cleanup+0x24/0x170\n[  677.897785]  
device_release_driver_internal+0x35c/0x480\n[  677.898461]  device_release_driver+0x20/0x38\n...\n[  677.912665] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Set video drvdata before register video device\n\nThe video drvdata should be set before the video device is registered,\notherwise video_drvdata() may return NULL in the open() file ops, and lead\nto an oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: Set video drvdata before register video device\n\nThe video drvdata should be set before the video device is registered,\notherwise video_drvdata() may return NULL in the open() file ops, and lead\nto an oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56579",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: qcom: camss: fix error path on configuration of power domains\n\nThere is a chance to meet runtime issues during configuration of CAMSS\npower domains, because on the error path dev_pm_domain_detach() is\nunexpectedly called with NULL or error pointer.\n\nOne of the simplest ways to reproduce the problem is to probe CAMSS\ndriver before registration of CAMSS power domains, for instance if\na platform CAMCC driver is simply not built.\n\nWarning backtrace example:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a2\n\n    <snip>\n\n    pc : dev_pm_domain_detach+0x8/0x48\n    lr : camss_probe+0x374/0x9c0\n\n    <snip>\n\n    Call trace:\n     dev_pm_domain_detach+0x8/0x48\n     platform_probe+0x70/0xf0\n     really_probe+0xc4/0x2a8\n     __driver_probe_device+0x80/0x140\n     driver_probe_device+0x48/0x170\n     __device_attach_driver+0xc0/0x148\n     bus_for_each_drv+0x88/0xf0\n     __device_attach+0xb0/0x1c0\n     device_initial_probe+0x1c/0x30\n     bus_probe_device+0xb4/0xc0\n     deferred_probe_work_func+0x90/0xd0\n     process_one_work+0x164/0x3e0\n     worker_thread+0x310/0x420\n     kthread+0x120/0x130\n     ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ref-verify: fix use-after-free after invalid ref action\n\nAt btrfs_ref_tree_mod() after we successfully inserted the new ref entry\n(local variable 'ref') into the respective block entry's rbtree (local\nvariable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,\nwe error out and free the ref entry without removing it from the block\nentry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call\nbtrfs_free_ref_cache(), which iterates over all block entries and then\ncalls free_block_entry() for each one, and there we will trigger a\nuse-after-free when we are called against the block entry to which we\nadded the freed ref entry to its rbtree, since the rbtree still points\nto the block entry, as we didn't remove it from the rbtree before freeing\nit in the error path at btrfs_ref_tree_mod(). Fix this by removing the\nnew ref entry from the rbtree before freeing it.\n\nSyzbot report this with the following stack traces:\n\n   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314\n      btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]\n      btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23\n      btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482\n      btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293\n      vfs_unlink+0x365/0x650 fs/namei.c:4469\n      do_unlinkat+0x4ae/0x830 fs/namei.c:4533\n      __do_sys_unlinkat fs/namei.c:4576 [inline]\n      __se_sys_unlinkat fs/namei.c:4569 
[inline]\n      __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569\n      do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n      entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   BTRFS error (device loop0 state EA):   Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1\n      __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521\n      update_ref_for_cow+0x96a/0x11f0\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n      __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n      btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]\n      __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137\n      __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171\n      btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313\n      prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586\n      relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611\n      btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081\n      btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377\n      __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161\n      btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538\n   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615\n      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523\n      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512\n      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594\n      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754\n      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116\n      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411\n      
__btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030\n      btrfs_update_delayed_i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free in btrfs_encoded_read_endio()\n\nShinichiro reported the following use-after free that sometimes is\nhappening in our CI system when running fstests' btrfs/284 on a TCMU\nrunner device:\n\n  BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780\n  Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219\n\n  CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15\n  Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6e/0xa0\n   ? lock_release+0x708/0x780\n   print_report+0x174/0x505\n   ? lock_release+0x708/0x780\n   ? __virt_addr_valid+0x224/0x410\n   ? lock_release+0x708/0x780\n   kasan_report+0xda/0x1b0\n   ? lock_release+0x708/0x780\n   ? __wake_up+0x44/0x60\n   lock_release+0x708/0x780\n   ? __pfx_lock_release+0x10/0x10\n   ? __pfx_do_raw_spin_lock+0x10/0x10\n   ? lock_is_held_type+0x9a/0x110\n   _raw_spin_unlock_irqrestore+0x1f/0x60\n   __wake_up+0x44/0x60\n   btrfs_encoded_read_endio+0x14b/0x190 [btrfs]\n   btrfs_check_read_bio+0x8d9/0x1360 [btrfs]\n   ? lock_release+0x1b0/0x780\n   ? trace_lock_acquire+0x12f/0x1a0\n   ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]\n   ? process_one_work+0x7e3/0x1460\n   ? lock_acquire+0x31/0xc0\n   ? process_one_work+0x7e3/0x1460\n   process_one_work+0x85c/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5e6/0xfc0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x2c3/0x3a0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x70\n   ? 
__pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 3661:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]\n   send_extent_data+0xf0f/0x24a0 [btrfs]\n   process_extent+0x48a/0x1830 [btrfs]\n   changed_cb+0x178b/0x2ea0 [btrfs]\n   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]\n   _btrfs_ioctl_send+0x117/0x330 [btrfs]\n   btrfs_ioctl+0x184a/0x60a0 [btrfs]\n   __x64_sys_ioctl+0x12e/0x1a0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  Freed by task 3661:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   __kasan_slab_free+0x4f/0x70\n   kfree+0x143/0x490\n   btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]\n   send_extent_data+0xf0f/0x24a0 [btrfs]\n   process_extent+0x48a/0x1830 [btrfs]\n   changed_cb+0x178b/0x2ea0 [btrfs]\n   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]\n   _btrfs_ioctl_send+0x117/0x330 [btrfs]\n   btrfs_ioctl+0x184a/0x60a0 [btrfs]\n   __x64_sys_ioctl+0x12e/0x1a0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  The buggy address belongs to the object at ffff888106a83f00\n   which belongs to the cache kmalloc-rnd-07-96 of size 96\n  The buggy address is located 24 bytes inside of\n   freed 96-byte region [ffff888106a83f00, ffff888106a83f60)\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83\n  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n  page_type: f5(slab)\n  raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004\n  raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n   ffff888106a83e80: fa fb 
fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n  >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                              ^\n   ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n   ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ==================================================================\n\nFurther analyzing the trace and \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix warning in migrate_enable for boosted tasks\n\nWhen running the following command:\n\nwhile true; do\n    stress-ng --cyclic 30 --timeout 30s --minimize --quiet\ndone\n\na warning is eventually triggered:\n\nWARNING: CPU: 43 PID: 2848 at kernel/sched/deadline.c:794\nsetup_new_dl_entity+0x13e/0x180\n...\nCall Trace:\n <TASK>\n ? show_trace_log_lvl+0x1c4/0x2df\n ? enqueue_dl_entity+0x631/0x6e0\n ? setup_new_dl_entity+0x13e/0x180\n ? __warn+0x7e/0xd0\n ? report_bug+0x11a/0x1a0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n enqueue_dl_entity+0x631/0x6e0\n enqueue_task_dl+0x7d/0x120\n __do_set_cpus_allowed+0xe3/0x280\n __set_cpus_allowed_ptr_locked+0x140/0x1d0\n __set_cpus_allowed_ptr+0x54/0xa0\n migrate_enable+0x7e/0x150\n rt_spin_unlock+0x1c/0x90\n group_send_sig_info+0xf7/0x1a0\n ? kill_pid_info+0x1f/0x1d0\n kill_pid_info+0x78/0x1d0\n kill_proc_info+0x5b/0x110\n __x64_sys_kill+0x93/0xc0\n do_syscall_64+0x5c/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7f0dab31f92b\n\nThis warning occurs because set_cpus_allowed dequeues and enqueues tasks\nwith the ENQUEUE_RESTORE flag set. If the task is boosted, the warning\nis triggered. A boosted task already had its parameters set by\nrt_mutex_setprio, and a new call to setup_new_dl_entity is unnecessary,\nhence the WARN_ON call.\n\nCheck if we are requeueing a boosted task and avoid calling\nsetup_new_dl_entity if that's the case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/tctx: work around xa_store() allocation error issue\n\nsyzbot triggered the following WARN_ON:\n\nWARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51\n\nwhich is the\n\nWARN_ON_ONCE(!xa_empty(&tctx->xa));\n\nsanity check in __io_uring_free() when an io_uring_task is going through\nits final put. The syzbot test case includes injecting memory allocation\nfailures, and it very much looks like xa_store() can fail one of its\nmemory allocations and end up with ->head being non-NULL even though no\nentries exist in the xarray.\n\nUntil this issue gets sorted out, work around it by attempting to\niterate entries in our xarray, and WARN_ON_ONCE() if one is found.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix sleeping in atomic context for PREEMPT_RT\n\nCommit bab1c299f3945ffe79 (\"LoongArch: Fix sleeping in atomic context in\nsetup_tlb_handler()\") changes the gfp flag from GFP_KERNEL to GFP_ATOMIC\nfor alloc_pages_node(). However, for PREEMPT_RT kernels we can still get\na \"sleeping in atomic context\" error:\n\n[    0.372259] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[    0.372266] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1\n[    0.372268] preempt_count: 1, expected: 0\n[    0.372270] RCU nest depth: 1, expected: 1\n[    0.372272] 3 locks held by swapper/1/0:\n[    0.372274]  #0: 900000000c9f5e60 (&pcp->lock){+.+.}-{3:3}, at: get_page_from_freelist+0x524/0x1c60\n[    0.372294]  #1: 90000000087013b8 (rcu_read_lock){....}-{1:3}, at: rt_spin_trylock+0x50/0x140\n[    0.372305]  #2: 900000047fffd388 (&zone->lock){+.+.}-{3:3}, at: __rmqueue_pcplist+0x30c/0xea0\n[    0.372314] irq event stamp: 0\n[    0.372316] hardirqs last  enabled at (0): [<0000000000000000>] 0x0\n[    0.372322] hardirqs last disabled at (0): [<9000000005947320>] copy_process+0x9c0/0x26e0\n[    0.372329] softirqs last  enabled at (0): [<9000000005947320>] copy_process+0x9c0/0x26e0\n[    0.372335] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[    0.372341] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7+ #1891\n[    0.372346] Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022\n[    0.372349] Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 9000000100388000\n[    0.372486]         900000010038b890 0000000000000000 900000010038b898 9000000007e53788\n[    0.372492]         900000000815bcc8 900000000815bcc0 900000010038b700 0000000000000001\n[    0.372498]         0000000000000001 4b031894b9d6b725 
00000000055ec000 9000000100338fc0\n[    0.372503]         00000000000000c4 0000000000000001 000000000000002d 0000000000000003\n[    0.372509]         0000000000000030 0000000000000003 00000000055ec000 0000000000000003\n[    0.372515]         900000000806d000 9000000007e53788 00000000000000b0 0000000000000004\n[    0.372521]         0000000000000000 0000000000000000 900000000c9f5f10 0000000000000000\n[    0.372526]         90000000076f12d8 9000000007e53788 9000000005924778 0000000000000000\n[    0.372532]         00000000000000b0 0000000000000004 0000000000000000 0000000000070000\n[    0.372537]         ...\n[    0.372540] Call Trace:\n[    0.372542] [<9000000005924778>] show_stack+0x38/0x180\n[    0.372548] [<90000000071519c4>] dump_stack_lvl+0x94/0xe4\n[    0.372555] [<900000000599b880>] __might_resched+0x1a0/0x260\n[    0.372561] [<90000000071675cc>] rt_spin_lock+0x4c/0x140\n[    0.372565] [<9000000005cbb768>] __rmqueue_pcplist+0x308/0xea0\n[    0.372570] [<9000000005cbed84>] get_page_from_freelist+0x564/0x1c60\n[    0.372575] [<9000000005cc0d98>] __alloc_pages_noprof+0x218/0x1820\n[    0.372580] [<900000000593b36c>] tlb_init+0x1ac/0x298\n[    0.372585] [<9000000005924b74>] per_cpu_trap_init+0x114/0x140\n[    0.372589] [<9000000005921964>] cpu_probe+0x4e4/0xa60\n[    0.372592] [<9000000005934874>] start_secondary+0x34/0xc0\n[    0.372599] [<900000000715615c>] smpboot_entry+0x64/0x6c\n\nThis is because in PREEMPT_RT kernels normal spinlocks are replaced by\nrt spinlocks and rt_spin_lock() will cause sleeping. Fix it by disabling\nNUMA optimization completely for PREEMPT_RT kernels.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.\n\nCreating large files while checkpoint is disabled until the filesystem runs out of\nspace and then deleting them, then remounting to enable checkpoint again, and\nthen unmounting the filesystem triggers the f2fs_bug_on as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inode.c:896!\nCPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:f2fs_evict_inode+0x58c/0x610\nCall Trace:\n __die_body+0x15/0x60\n die+0x33/0x50\n do_trap+0x10a/0x120\n f2fs_evict_inode+0x58c/0x610\n do_error_trap+0x60/0x80\n f2fs_evict_inode+0x58c/0x610\n exc_invalid_op+0x53/0x60\n f2fs_evict_inode+0x58c/0x610\n asm_exc_invalid_op+0x16/0x20\n f2fs_evict_inode+0x58c/0x610\n evict+0x101/0x260\n dispose_list+0x30/0x50\n evict_inodes+0x140/0x190\n generic_shutdown_super+0x2f/0x150\n kill_block_super+0x11/0x40\n kill_f2fs_super+0x7d/0x140\n deactivate_locked_super+0x2a/0x70\n cleanup_mnt+0xb3/0x140\n task_work_run+0x61/0x90\n\nThe root cause is: creating large files during the disable checkpoint\nperiod results in not enough free segments, so writing back the root\ninode will fail in f2fs_enable_checkpoint. When unmounting the file\nsystem after enabling checkpoint, the root inode is dirty in\nthe f2fs_evict_inode function, which triggers BUG_ON. The steps to\nreproduce are as follows:\n\ndd if=/dev/zero of=f2fs.img bs=1M count=55\nmount f2fs.img f2fs_dir -o checkpoint=disable:10%\ndd if=/dev/zero of=big bs=1M count=50\nsync\nrm big\nmount -o remount,checkpoint=enable f2fs_dir\numount f2fs_dir\n\nLet's redirty the inode when there are no free segments while checkpoint\nis disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: class: Protect brightness_show() with led_cdev->led_access mutex\n\nThere is NULL pointer issue observed if from Process A where hid device\nbeing added which results in adding a led_cdev addition and later a\nanother call to access of led_cdev attribute from Process B can result\nin NULL pointer issue.\n\nUse mutex led_cdev->led_access to protect access to led->cdev and its\nattribute inside brightness_show() and max_brightness_show() and also\nupdate the comment for mutex that it should be used to protect the led\nclass device fields.\n\n\tProcess A \t\t\t\tProcess B\n\n kthread+0x114\n worker_thread+0x244\n process_scheduled_works+0x248\n uhid_device_add_worker+0x24\n hid_add_device+0x120\n device_add+0x268\n bus_probe_device+0x94\n device_initial_probe+0x14\n __device_attach+0xfc\n bus_for_each_drv+0x10c\n __device_attach_driver+0x14c\n driver_probe_device+0x3c\n __driver_probe_device+0xa0\n really_probe+0x190\n hid_device_probe+0x130\n ps_probe+0x990\n ps_led_register+0x94\n devm_led_classdev_register_ext+0x58\n led_classdev_register_ext+0x1f8\n device_create_with_groups+0x48\n device_create_groups_vargs+0xc8\n device_add+0x244\n kobject_uevent+0x14\n kobject_uevent_env[jt]+0x224\n mutex_unlock[jt]+0xc4\n __mutex_unlock_slowpath+0xd4\n wake_up_q+0x70\n try_to_wake_up[jt]+0x48c\n preempt_schedule_common+0x28\n __schedule+0x628\n 
__switch_to+0x174\n\t\t\t\t\t\tel0t_64_sync+0x1a8/0x1ac\n\t\t\t\t\t\tel0t_64_sync_handler+0x68/0xbc\n\t\t\t\t\t\tel0_svc+0x38/0x68\n\t\t\t\t\t\tdo_el0_svc+0x1c/0x28\n\t\t\t\t\t\tel0_svc_common+0x80/0xe0\n\t\t\t\t\t\tinvoke_syscall+0x58/0x114\n\t\t\t\t\t\t__arm64_sys_read+0x1c/0x2c\n\t\t\t\t\t\tksys_read+0x78/0xe8\n\t\t\t\t\t\tvfs_read+0x1e0/0x2c8\n\t\t\t\t\t\tkernfs_fop_read_iter+0x68/0x1b4\n\t\t\t\t\t\tseq_read_iter+0x158/0x4ec\n\t\t\t\t\t\tkernfs_seq_show+0x44/0x54\n\t\t\t\t\t\tsysfs_kf_seq_show+0xb4/0x130\n\t\t\t\t\t\tdev_attr_show+0x38/0x74\n\t\t\t\t\t\tbrightness_show+0x20/0x4c\n\t\t\t\t\t\tdualshock4_led_get_brightness+0xc/0x74\n\n[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 3313.874301][ T4013] Mem abort info:\n[ 3313.874303][ T4013]   ESR = 0x0000000096000006\n[ 3313.874305][ T4013]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 3313.874307][ T4013]   SET = 0, FnV = 0\n[ 3313.874309][ T4013]   EA = 0, S1PTW = 0\n[ 3313.874311][ T4013]   FSC = 0x06: level 2 translation fault\n[ 3313.874313][ T4013] Data abort info:\n[ 3313.874314][ T4013]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 3313.874316][ T4013]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 3313.874318][ T4013]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000\n..\n\n[ 3313.874332][ T4013] Dumping ftrace buffer:\n[ 3313.874334][ T4013]    (ftrace buffer empty)\n..\n..\n[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader\n[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74\n[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60\n[ 3313.874656][ T4013] sp : ffffffc0b910bbd0\n..\n..\n[ 3313.874685][ T4013] Call trace:\n[ 3313.874687][ T4013]  dualshock4_led_get_brightness+0xc/0x74\n[ 3313.874690][ T4013]  brightness_show+0x20/0x4c\n[ 3313.874692][ T4013]  dev_attr_show+0x38/0x74\n[ 3313.874696][ T4013]  
sysfs_kf_seq_show+0xb4/0x130\n[ 3313.874700][ T4013]  kernfs_seq_show+0x44/0x54\n[ 3313.874703][ T4013]  seq_read_iter+0x158/0x4ec\n[ 3313.874705][ T4013]  kernfs_fop_read_iter+0x68/0x1b4\n[ 3313.874708][ T4013]  vfs_read+0x1e0/0x2c8\n[ 3313.874711][ T4013]  ksys_read+0x78/0xe8\n[ 3313.874714][ T4013]  __arm64_sys_read+0x1c/0x2c\n[ 3313.874718][ T4013]  invoke_syscall+0x58/0x114\n[ 3313.874721][ T4013]  el0_svc_common+0x80/0xe0\n[ 3313.874724][ T4013]  do_el0_svc+0x1c/0x28\n[ 3313.874727][ T4013]  el0_svc+0x38/0x68\n[ 3313.874730][ T4013]  el0t_64_sync_handler+0x68/0xbc\n[ 3313.874732][ T4013]  el0t_64_sync+0x1a8/0x1ac",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Create all dump files during debugfs initialization\n\nFor the current debugfs of hisi_sas, after user triggers dump, the\ndriver allocate memory space to save the register information and create\ndebugfs files to display the saved information. In this process, the\ndebugfs files created after each dump.\n\nTherefore, when the dump is triggered while the driver is unbind, the\nfollowing hang occurs:\n\n[67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[67840.862947] Mem abort info:\n[67840.865855]   ESR = 0x0000000096000004\n[67840.869713]   EC = 0x25: DABT (current EL), IL = 32 bits\n[67840.875125]   SET = 0, FnV = 0\n[67840.878291]   EA = 0, S1PTW = 0\n[67840.881545]   FSC = 0x04: level 0 translation fault\n[67840.886528] Data abort info:\n[67840.889524]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[67840.895117]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[67840.900284]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000\n[67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000\n[67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[67841.003628] pc : down_write+0x30/0x98\n[67841.007546] lr : start_creating.part.0+0x60/0x198\n[67841.012495] sp : ffff8000b979ba20\n[67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40\n[67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8\n[67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18\n[67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020\n[67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff\n[67841.052888] x14: ffff8000b979bc18 x13: 
ffffffffffffffff x12: ffff8000b979bb18\n[67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18\n[67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9\n[67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001\n[67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0\n[67841.089759] Call trace:\n[67841.092456]  down_write+0x30/0x98\n[67841.096017]  start_creating.part.0+0x60/0x198\n[67841.100613]  debugfs_create_dir+0x48/0x1f8\n[67841.104950]  debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw]\n[67841.111447]  debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw]\n[67841.118111]  debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw]\n[67841.125115]  full_proxy_write+0x68/0xc8\n[67841.129175]  vfs_write+0xd8/0x3f0\n[67841.132708]  ksys_write+0x70/0x108\n[67841.136317]  __arm64_sys_write+0x24/0x38\n[67841.140440]  invoke_syscall+0x50/0x128\n[67841.144385]  el0_svc_common.constprop.0+0xc8/0xf0\n[67841.149273]  do_el0_svc+0x24/0x38\n[67841.152773]  el0_svc+0x38/0xd8\n[67841.156009]  el0t_64_sync_handler+0xc0/0xc8\n[67841.160361]  el0t_64_sync+0x1a4/0x1a8\n[67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05)\n[67841.170443] ---[ end trace 0000000000000000 ]---\n\nTo fix this issue, create all directories and files during debugfs\ninitialization. In this way, the driver only needs to allocate memory\nspace to save information each time the user triggers dumping.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Add cond_resched() for no forced preemption model\n\nFor no forced preemption model kernel, in the scenario where the\nexpander is connected to 12 high performance SAS SSDs, the following\ncall trace may occur:\n\n[  214.409199][  C240] watchdog: BUG: soft lockup - CPU#240 stuck for 22s! [irq/149-hisi_sa:3211]\n[  214.568533][  C240] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[  214.575224][  C240] pc : fput_many+0x8c/0xdc\n[  214.579480][  C240] lr : fput+0x1c/0xf0\n[  214.583302][  C240] sp : ffff80002de2b900\n[  214.587298][  C240] x29: ffff80002de2b900 x28: ffff1082aa412000\n[  214.593291][  C240] x27: ffff3062a0348c08 x26: ffff80003a9f6000\n[  214.599284][  C240] x25: ffff1062bbac5c40 x24: 0000000000001000\n[  214.605277][  C240] x23: 000000000000000a x22: 0000000000000001\n[  214.611270][  C240] x21: 0000000000001000 x20: 0000000000000000\n[  214.617262][  C240] x19: ffff3062a41ae580 x18: 0000000000010000\n[  214.623255][  C240] x17: 0000000000000001 x16: ffffdb3a6efe5fc0\n[  214.629248][  C240] x15: ffffffffffffffff x14: 0000000003ffffff\n[  214.635241][  C240] x13: 000000000000ffff x12: 000000000000029c\n[  214.641234][  C240] x11: 0000000000000006 x10: ffff80003a9f7fd0\n[  214.647226][  C240] x9 : ffffdb3a6f0482fc x8 : 0000000000000001\n[  214.653219][  C240] x7 : 0000000000000002 x6 : 0000000000000080\n[  214.659212][  C240] x5 : ffff55480ee9b000 x4 : fffffde7f94c6554\n[  214.665205][  C240] x3 : 0000000000000002 x2 : 0000000000000020\n[  214.671198][  C240] x1 : 0000000000000021 x0 : ffff3062a41ae5b8\n[  214.677191][  C240] Call trace:\n[  214.680320][  C240]  fput_many+0x8c/0xdc\n[  214.684230][  C240]  fput+0x1c/0xf0\n[  214.687707][  C240]  aio_complete_rw+0xd8/0x1fc\n[  214.692225][  C240]  blkdev_bio_end_io+0x98/0x140\n[  214.696917][  C240]  bio_endio+0x160/0x1bc\n[  214.701001][  C240]  blk_update_request+0x1c8/0x3bc\n[  
214.705867][  C240]  scsi_end_request+0x3c/0x1f0\n[  214.710471][  C240]  scsi_io_completion+0x7c/0x1a0\n[  214.715249][  C240]  scsi_finish_command+0x104/0x140\n[  214.720200][  C240]  scsi_softirq_done+0x90/0x180\n[  214.724892][  C240]  blk_mq_complete_request+0x5c/0x70\n[  214.730016][  C240]  scsi_mq_done+0x48/0xac\n[  214.734194][  C240]  sas_scsi_task_done+0xbc/0x16c [libsas]\n[  214.739758][  C240]  slot_complete_v3_hw+0x260/0x760 [hisi_sas_v3_hw]\n[  214.746185][  C240]  cq_thread_v3_hw+0xbc/0x190 [hisi_sas_v3_hw]\n[  214.752179][  C240]  irq_thread_fn+0x34/0xa4\n[  214.756435][  C240]  irq_thread+0xc4/0x130\n[  214.760520][  C240]  kthread+0x108/0x13c\n[  214.764430][  C240]  ret_from_fork+0x10/0x18\n\nThis is because in the hisi_sas driver, both the hardware interrupt\nhandler and the interrupt thread are executed on the same CPU. In the\nperformance test scenario, function irq_wait_for_interrupt() will always\nreturn 0 if lots of interrupts occurs and the CPU will be continuously\nconsumed. As a result, the CPU cannot run the watchdog thread. When the\nwatchdog time exceeds the specified time, call trace occurs.\n\nTo fix it, add cond_resched() to execute the watchdog thread.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix not checking skb length on hci_acldata_packet\n\nThis fixes not checking if skb really contains an ACL header otherwise\nthe code may attempt to access some uninitialized/invalid memory past the\nvalid skb->data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Use disable_delayed_work_sync\n\nThis makes use of disable_delayed_work_sync instead of\ncancel_delayed_work_sync as it not only cancels the ongoing work but also\ndisables new submissions, which is desirable since the object holding the work\nis about to be freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Call free_htab_elem() after htab_unlock_bucket()\n\nFor htab of maps, when the map is removed from the htab, it may hold the\nlast reference of the map. bpf_map_fd_put_ptr() will invoke\nbpf_map_free_id() to free the id of the removed map element. However,\nbpf_map_fd_put_ptr() is invoked while holding a bucket lock\n(raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock\n(spinlock_t), triggering the following lockdep warning:\n\n  =============================\n  [ BUG: Invalid wait context ]\n  6.11.0-rc4+ #49 Not tainted\n  -----------------------------\n  test_maps/4881 is trying to lock:\n  ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70\n  other info that might help us debug this:\n  context-{5:5}\n  2 locks held by test_maps/4881:\n   #0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270\n   #1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80\n  stack backtrace:\n  CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6e/0xb0\n   dump_stack+0x10/0x20\n   __lock_acquire+0x73e/0x36c0\n   lock_acquire+0x182/0x450\n   _raw_spin_lock_irqsave+0x43/0x70\n   bpf_map_free_id.part.0+0x21/0x70\n   bpf_map_put+0xcf/0x110\n   bpf_map_fd_put_ptr+0x9a/0xb0\n   free_htab_elem+0x69/0xe0\n   htab_map_update_elem+0x50f/0xa80\n   bpf_fd_htab_map_update_elem+0x131/0x270\n   htab_map_update_elem+0x50f/0xa80\n   bpf_fd_htab_map_update_elem+0x131/0x270\n   bpf_map_update_value+0x266/0x380\n   __sys_bpf+0x21bb/0x36b0\n   __x64_sys_bpf+0x45/0x60\n   x64_sys_call+0x1b2a/0x20d0\n   do_syscall_64+0x5d/0x100\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nOne way to fix the lockdep warning is using raw_spinlock_t for\nmap_idr_lock as well. 
However, bpf_map_alloc_id() invokes\nidr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a\nsimilar lockdep warning because the slab's lock (s->cpu_slab->lock) is\nstill a spinlock.\n\nInstead of changing map_idr_lock's type, fix the issue by invoking\nhtab_put_fd_value() after htab_unlock_bucket(). However, only deferring\nthe invocation of htab_put_fd_value() is not enough, because the old map\npointers in htab of maps can not be saved during batched deletion.\nTherefore, also defer the invocation of free_htab_elem(), so these\nto-be-freed elements could be linked together similar to lru map.\n\nThere are four callers for ->map_fd_put_ptr:\n\n(1) alloc_htab_elem() (through htab_put_fd_value())\nIt invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of\nhtab_put_fd_value() can not simply move after htab_unlock_bucket(),\nbecause the old element has already been stashed in htab->extra_elems.\nIt may be reused immediately after htab_unlock_bucket() and the\ninvocation of htab_put_fd_value() after htab_unlock_bucket() may release\nthe newly-added element incorrectly. Therefore, saving the map pointer\nof the old element for htab of maps before unlocking the bucket and\nreleasing the map_ptr after unlock. Beside the map pointer in the old\nelement, should do the same thing for the special fields in the old\nelement as well.\n\n(2) free_htab_elem() (through htab_put_fd_value())\nIts caller includes __htab_map_lookup_and_delete_elem(),\nhtab_map_delete_elem() and __htab_map_lookup_and_delete_batch().\n\nFor htab_map_delete_elem(), simply invoke free_htab_elem() after\nhtab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just\nlike lru map, linking the to-be-freed element into node_to_free list\nand invoking free_htab_elem() for these element after unlock. 
It is safe\nto reuse batch_flink as the link for node_to_free, because these\nelements have been removed from the hash llist.\n\nBecause htab of maps doesn't support lookup_and_delete operation,\n__htab_map_lookup_and_delete_elem() doesn't have the problem, so kept\nit as\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56592",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()\n\nThis patch fixes a NULL pointer dereference bug in brcmfmac that occurs\nwhen a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs\nare sent from the pkt queue.\n\nThe problem is the number of entries in the pre-allocated sgtable, it is\nnents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.\nGiven the default [rt]xglom_size=32 it's actually 35 which is too small.\nWorst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB\nis added for each original SKB if tailroom isn't enough to hold tail_pad.\nAt least one sg entry is needed for each SKB. So, eventually the \"skb_queue_walk loop\"\nin brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return\nNULL and this causes the oops.\n\nThe patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle\nthe worst-case.\nBtw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464\nadditional bytes of memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: set the right AMDGPU sg segment limitation\n\nThe driver needs to set the correct max_segment_size;\notherwise debug_dma_map_sg() will complain about the\nover-mapping of the AMDGPU sg length as following:\n\nWARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370\n[  364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd\n[  364.049532]  ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[  364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G           OE      6.10.0-custom #492\n[  364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[  364.049582] RIP: 
0010:debug_dma_map_sg+0x2dc/0x370\n[  364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05\n[  364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286\n[  364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027\n[  364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680\n[  364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930\n[  364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000\n[  364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800\n[  364.049599] FS:  00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000\n[  364.049601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0\n[  364.049605] Call Trace:\n[  364.049607]  <TASK>\n[  364.049609]  ? show_regs+0x6d/0x80\n[  364.049614]  ? __warn+0x8c/0x140\n[  364.049618]  ? debug_dma_map_sg+0x2dc/0x370\n[  364.049621]  ? report_bug+0x193/0x1a0\n[  364.049627]  ? handle_bug+0x46/0x80\n[  364.049631]  ? exc_invalid_op+0x1d/0x80\n[  364.049635]  ? asm_exc_invalid_op+0x1f/0x30\n[  364.049642]  ? debug_dma_map_sg+0x2dc/0x370\n[  364.049647]  __dma_map_sg_attrs+0x90/0xe0\n[  364.049651]  dma_map_sgtable+0x25/0x40\n[  364.049654]  amdgpu_bo_move+0x59a/0x850 [amdgpu]\n[  364.049935]  ? srso_return_thunk+0x5/0x5f\n[  364.049939]  ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu]\n[  364.050095]  ttm_bo_handle_move_mem+0xc3/0x180 [ttm]\n[  364.050103]  ttm_bo_validate+0xc1/0x160 [ttm]\n[  364.050108]  ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu]\n[  364.050263]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu]\n[  364.050473]  kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu]\n[  364.050680]  kfd_ioctl+0x3c2/0x530 [amdgpu]\n[  364.050866]  ? 
__pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]\n[  364.05105\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add a check to prevent array-index-out-of-bounds in dbAdjTree\n\nWhen the value of lp is 0 at the beginning of the for loop, it will\nbecome negative in the next assignment and we should bail out.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in jfs_readdir\n\nThe stbl might contain some invalid values. Added a check to\nreturn error code in that case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix shift-out-of-bounds in dbSplit\n\nWhen dmt_budmin is less than zero, it causes errors\nin the later stages. Added a check to return an error beforehand\nin dbAllocCtl itself.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: array-index-out-of-bounds fix in dtReadFirst\n\nThe value of stbl can be sometimes out of bounds due\nto a bad filesystem. Added a check with appropriate return\nof error code in that case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: avoid NULL pointer error during sdio remove\n\nWhen running 'rmmod ath10k', ath10k_sdio_remove() will free sdio\nworkqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON\nis set to yes, kernel panic will happen:\nCall trace:\n destroy_workqueue+0x1c/0x258\n ath10k_sdio_remove+0x84/0x94\n sdio_bus_remove+0x50/0x16c\n device_release_driver_internal+0x188/0x25c\n device_driver_detach+0x20/0x2c\n\nThis is because during 'rmmod ath10k', ath10k_sdio_remove() will call\nath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()\nwill finally be called in ath10k_core_destroy(). This function will free\nstruct cfg80211_registered_device *rdev and all its members, including\nwiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio\nworkqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.\n\nAfter device release, destroy_workqueue() will use NULL pointer then the\nkernel panic happen.\n\nCall trace:\nath10k_sdio_remove\n  ->ath10k_core_unregister\n    \u2026\u2026\n    ->ath10k_core_stop\n      ->ath10k_hif_stop\n        ->ath10k_sdio_irq_disable\n    ->ath10k_hif_power_down\n      ->del_timer_sync(&ar_sdio->sleep_timer)\n  ->ath10k_core_destroy\n    ->ath10k_mac_destroy\n      ->ieee80211_free_hw\n        ->wiphy_free\n    \u2026\u2026\n          ->wiphy_dev_release\n  ->destroy_workqueue\n\nNeed to call destroy_workqueue() before ath10k_core_destroy(), free\nthe work queue buffer first and then free pointer of work queue by\nath10k_core_destroy(). This order matches the error path order in\nath10k_sdio_probe().\n\nNo work will be queued on sdio workqueue between it is destroyed and\nath10k_core_destroy() is called. 
Based on the call_stack above, the\nreason is:\nOnly ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and\nath10k_sdio_irq_disable() will queue work on sdio workqueue.\nSleep timer will be deleted before ath10k_core_destroy() in\nath10k_hif_power_down().\nath10k_sdio_irq_disable() only be called in ath10k_hif_stop().\nath10k_core_unregister() will call ath10k_hif_power_down() to stop hif\nbus, so ath10k_sdio_hif_tx_sg() won't be called anymore.\n\nTested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: inet6: do not leave a dangling sk pointer in inet6_create()\n\nsock_init_data() attaches the allocated sk pointer to the provided sock\nobject. If inet6_create() fails later, the sk object is released, but the\nsock object retains the dangling sk pointer, which may cause use-after-free\nlater.\n\nClear the sock sk pointer on error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: inet: do not leave a dangling sk pointer in inet_create()\n\nsock_init_data() attaches the allocated sk object to the provided sock\nobject. If inet_create() fails later, the sk object is freed, but the\nsock object retains the dangling pointer, which may create use-after-free\nlater.\n\nClear the sk pointer in the sock object on error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: do not leave a dangling sk pointer in ieee802154_create()\n\nsock_init_data() attaches the allocated sk object to the provided sock\nobject. If ieee802154_create() fails later, the allocated sk object is\nfreed, but the dangling pointer remains in the provided sock object, which\nmay allow use-after-free.\n\nClear the sk pointer in the sock object on error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_can: do not leave a dangling sk pointer in can_create()\n\nOn error can_create() frees the allocated sk object, but sock_init_data()\nhas already attached it to the provided sock object. This will leave a\ndangling sk pointer in the sock object and may cause use-after-free later.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56603",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()\n\nbt_sock_alloc() attaches allocated sk object to the provided sock object.\nIf rfcomm_dlc_alloc() fails, we release the sk object, but leave the\ndangling pointer in the sock object, which may cause use-after-free.\n\nFix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()\n\nbt_sock_alloc() allocates the sk object and attaches it to the provided\nsock object. On error l2cap_sock_alloc() frees the sk object, but the\ndangling pointer is still attached to the sock object, which may create\nuse-after-free in other code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56605",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: avoid erroring out after sock_init_data() in packet_create()\n\nAfter sock_init_data() the allocated sk object is attached to the provided\nsock object. On error, packet_create() frees the sk object leaving the\ndangling pointer in the sock object on return. Some other code may try\nto use this pointer and cause use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix atomic calls in ath12k_mac_op_set_bitrate_mask()\n\nWhen I try to manually set bitrates:\n\niw wlan0 set bitrates legacy-2.4 1\n\nI get sleeping from invalid context error, see below. Fix that by switching to\nuse recently introduced ieee80211_iterate_stations_mtx().\n\nDo note that WCN6855 firmware is still crashing, I'm not sure if that firmware\neven supports bitrate WMI commands and should we consider disabling\nath12k_mac_op_set_bitrate_mask() for WCN6855? But that's for another patch.\n\nBUG: sleeping function called from invalid context at drivers/net/wireless/ath/ath12k/wmi.c:420\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 2236, name: iw\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\n3 locks held by iw/2236:\n #0: ffffffffabc6f1d8 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x40\n #1: ffff888138410810 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0x54d/0x800 [cfg80211]\n #2: ffffffffab2cfaa0 (rcu_read_lock){....}-{1:2}, at: ieee80211_iterate_stations_atomic+0x2f/0x200 [mac80211]\nCPU: 3 UID: 0 PID: 2236 Comm: iw Not tainted 6.11.0-rc7-wt-ath+ #1772\nHardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021\nCall Trace:\n <TASK>\n dump_stack_lvl+0xa4/0xe0\n dump_stack+0x10/0x20\n __might_resched+0x363/0x5a0\n ? __alloc_skb+0x165/0x340\n __might_sleep+0xad/0x160\n ath12k_wmi_cmd_send+0xb1/0x3d0 [ath12k]\n ? ath12k_wmi_init_wcn7850+0xa40/0xa40 [ath12k]\n ? __netdev_alloc_skb+0x45/0x7b0\n ? __asan_memset+0x39/0x40\n ? ath12k_wmi_alloc_skb+0xf0/0x150 [ath12k]\n ? reacquire_held_locks+0x4d0/0x4d0\n ath12k_wmi_set_peer_param+0x340/0x5b0 [ath12k]\n ath12k_mac_disable_peer_fixed_rate+0xa3/0x110 [ath12k]\n ? ath12k_mac_vdev_stop+0x4f0/0x4f0 [ath12k]\n ieee80211_iterate_stations_atomic+0xd4/0x200 [mac80211]\n ath12k_mac_op_set_bitrate_mask+0x5d2/0x1080 [ath12k]\n ? 
ath12k_mac_vif_chan+0x320/0x320 [ath12k]\n drv_set_bitrate_mask+0x267/0x470 [mac80211]\n ieee80211_set_bitrate_mask+0x4cc/0x8a0 [mac80211]\n ? __this_cpu_preempt_check+0x13/0x20\n nl80211_set_tx_bitrate_mask+0x2bc/0x530 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? trace_contention_end+0xef/0x140\n ? rtnl_unlock+0x9/0x10\n ? nl80211_pre_doit+0x557/0x800 [cfg80211]\n genl_family_rcv_msg_doit+0x1f0/0x2e0\n ? genl_family_rcv_msg_attrs_parse.isra.0+0x250/0x250\n ? ns_capable+0x57/0xd0\n genl_family_rcv_msg+0x34c/0x600\n ? genl_family_rcv_msg_dumpit+0x310/0x310\n ? __lock_acquire+0xc62/0x1de0\n ? he_set_mcs_mask.isra.0+0x8d0/0x8d0 [cfg80211]\n ? nl80211_parse_tx_bitrate_mask+0x2320/0x2320 [cfg80211]\n ? cfg80211_external_auth_request+0x690/0x690 [cfg80211]\n genl_rcv_msg+0xa0/0x130\n netlink_rcv_skb+0x14c/0x400\n ? genl_family_rcv_msg+0x600/0x600\n ? netlink_ack+0xd70/0xd70\n ? rwsem_optimistic_spin+0x4f0/0x4f0\n ? genl_rcv+0x14/0x40\n ? down_read_killable+0x580/0x580\n ? netlink_deliver_tap+0x13e/0x350\n ? __this_cpu_preempt_check+0x13/0x20\n genl_rcv+0x23/0x40\n netlink_unicast+0x45e/0x790\n ? netlink_attachskb+0x7f0/0x7f0\n netlink_sendmsg+0x7eb/0xdb0\n ? netlink_unicast+0x790/0x790\n ? __this_cpu_preempt_check+0x13/0x20\n ? selinux_socket_sendmsg+0x31/0x40\n ? netlink_unicast+0x790/0x790\n __sock_sendmsg+0xc9/0x160\n ____sys_sendmsg+0x620/0x990\n ? kernel_sendmsg+0x30/0x30\n ? __copy_msghdr+0x410/0x410\n ? __kasan_check_read+0x11/0x20\n ? mark_lock+0xe6/0x1470\n ___sys_sendmsg+0xe9/0x170\n ? copy_msghdr_from_user+0x120/0x120\n ? __lock_acquire+0xc62/0x1de0\n ? do_fault_around+0x2c6/0x4e0\n ? do_user_addr_fault+0x8c1/0xde0\n ? reacquire_held_locks+0x220/0x4d0\n ? do_user_addr_fault+0x8c1/0xde0\n ? __kasan_check_read+0x11/0x20\n ? __fdget+0x4e/0x1d0\n ? sockfd_lookup_light+0x1a/0x170\n __sys_sendmsg+0xd2/0x180\n ? __sys_sendmsg_sock+0x20/0x20\n ? reacquire_held_locks+0x4d0/0x4d0\n ? 
debug_smp_processor_id+0x17/0x20\n __x64_sys_sendmsg+0x72/0xb0\n ? lockdep_hardirqs_on+0x7d/0x100\n x64_sys_call+0x894/0x9f0\n do_syscall_64+0x64/0x130\n entry_SYSCALL_64_after_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'\n\nAn issue was identified in the dcn21_link_encoder_create function where\nan out-of-bounds access could occur when the hpd_source index was used\nto reference the link_enc_hpd_regs array. This array has a fixed size\nand the index was not being checked against the array's bounds before\naccessing it.\n\nThis fix adds a conditional check to ensure that the hpd_source index is\nwithin the valid range of the link_enc_hpd_regs array. If the index is\nout of bounds, the function now returns NULL to prevent undefined\nbehavior.\n\nReferences:\n\n[   65.920507] ------------[ cut here ]------------\n[   65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29\n[   65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'\n[   65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G           OE      6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13\n[   65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020\n[   65.920527] Call Trace:\n[   65.920529]  <TASK>\n[   65.920532]  dump_stack_lvl+0x48/0x70\n[   65.920541]  dump_stack+0x10/0x20\n[   65.920543]  __ubsan_handle_out_of_bounds+0xa2/0xe0\n[   65.920549]  dcn21_link_encoder_create+0xd9/0x140 [amdgpu]\n[   65.921009]  link_create+0x6d3/0xed0 [amdgpu]\n[   65.921355]  create_links+0x18a/0x4e0 [amdgpu]\n[   65.921679]  dc_create+0x360/0x720 [amdgpu]\n[   65.921999]  ? dmi_matches+0xa0/0x220\n[   65.922004]  amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]\n[   65.922342]  ? console_unlock+0x77/0x120\n[   65.922348]  ? 
dev_printk_emit+0x86/0xb0\n[   65.922354]  dm_hw_init+0x15/0x40 [amdgpu]\n[   65.922686]  amdgpu_device_init+0x26a8/0x33a0 [amdgpu]\n[   65.922921]  amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]\n[   65.923087]  amdgpu_pci_probe+0x1b7/0x630 [amdgpu]\n[   65.923087]  local_pci_probe+0x4b/0xb0\n[   65.923087]  pci_device_probe+0xc8/0x280\n[   65.923087]  really_probe+0x187/0x300\n[   65.923087]  __driver_probe_device+0x85/0x130\n[   65.923087]  driver_probe_device+0x24/0x110\n[   65.923087]  __driver_attach+0xac/0x1d0\n[   65.923087]  ? __pfx___driver_attach+0x10/0x10\n[   65.923087]  bus_for_each_dev+0x7d/0xd0\n[   65.923087]  driver_attach+0x1e/0x30\n[   65.923087]  bus_add_driver+0xf2/0x200\n[   65.923087]  driver_register+0x64/0x130\n[   65.923087]  ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]\n[   65.923087]  __pci_register_driver+0x61/0x70\n[   65.923087]  amdgpu_init+0x7d/0xff0 [amdgpu]\n[   65.923087]  do_one_initcall+0x49/0x310\n[   65.923087]  ? kmalloc_trace+0x136/0x360\n[   65.923087]  do_init_module+0x6a/0x270\n[   65.923087]  load_module+0x1fce/0x23a0\n[   65.923087]  init_module_from_file+0x9c/0xe0\n[   65.923087]  ? 
init_module_from_file+0x9c/0xe0\n[   65.923087]  idempotent_init_module+0x179/0x230\n[   65.923087]  __x64_sys_finit_module+0x5d/0xa0\n[   65.923087]  do_syscall_64+0x76/0x120\n[   65.923087]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   65.923087] RIP: 0033:0x7f2d80f1e88d\n[   65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48\n[   65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n[   65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d\n[   65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f\n[   65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002\n[   65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480\n[   65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0\n[   65.923087]  </TASK>\n[   65.923927] ---[ end trace ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb\n\nWhen removing kernel modules by:\n   rmmod rtw88_8723cs rtw88_8703b rtw88_8723x rtw88_sdio rtw88_core\n\nDriver uses skb_queue_purge() to purge TX skb, but not report tx status\ncausing \"Have pending ack frames!\" warning. Use ieee80211_purge_tx_queue()\nto correct this.\n\nSince ieee80211_purge_tx_queue() doesn't take locks, to prevent racing\nbetween TX work and purge TX queue, flush and destroy TX work in advance.\n\n   wlan0: deauthenticating from aa:f5:fd:60:4c:a8 by local\n     choice (Reason: 3=DEAUTH_LEAVING)\n   ------------[ cut here ]------------\n   Have pending ack frames!\n   WARNING: CPU: 3 PID: 9232 at net/mac80211/main.c:1691\n       ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   CPU: 3 PID: 9232 Comm: rmmod Tainted: G         C\n       6.10.1-200.fc40.aarch64 #1\n   Hardware name: pine64 Pine64 PinePhone Braveheart\n      (1.1)/Pine64 PinePhone Braveheart (1.1), BIOS 2024.01 01/01/2024\n   pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   lr : ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n   sp : ffff80008c1b37b0\n   x29: ffff80008c1b37b0 x28: ffff000003be8000 x27: 0000000000000000\n   x26: 0000000000000000 x25: ffff000003dc14b8 x24: ffff80008c1b37d0\n   x23: ffff000000ff9f80 x22: 0000000000000000 x21: 000000007fffffff\n   x20: ffff80007c7e93d8 x19: ffff00006e66f400 x18: 0000000000000000\n   x17: ffff7ffffd2b3000 x16: ffff800083fc0000 x15: 0000000000000000\n   x14: 0000000000000000 x13: 2173656d61726620 x12: 6b636120676e6964\n   x11: 0000000000000000 x10: 000000000000005d x9 : ffff8000802af2b0\n   x8 : ffff80008c1b3430 x7 : 0000000000000001 x6 : 0000000000000001\n   x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n   x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000003be8000\n   Call trace:\n  
  ieee80211_free_ack_frame+0x5c/0x90 [mac80211]\n    idr_for_each+0x74/0x110\n    ieee80211_free_hw+0x44/0xe8 [mac80211]\n    rtw_sdio_remove+0x9c/0xc0 [rtw88_sdio]\n    sdio_bus_remove+0x44/0x180\n    device_remove+0x54/0x90\n    device_release_driver_internal+0x1d4/0x238\n    driver_detach+0x54/0xc0\n    bus_remove_driver+0x78/0x108\n    driver_unregister+0x38/0x78\n    sdio_unregister_driver+0x2c/0x40\n    rtw_8723cs_driver_exit+0x18/0x1000 [rtw88_8723cs]\n    __do_sys_delete_module.isra.0+0x190/0x338\n    __arm64_sys_delete_module+0x1c/0x30\n    invoke_syscall+0x74/0x100\n    el0_svc_common.constprop.0+0x48/0xf0\n    do_el0_svc+0x24/0x38\n    el0_svc+0x3c/0x158\n    el0t_64_sync_handler+0x120/0x138\n    el0t_64_sync+0x194/0x198\n   ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56609",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcsan: Turn report_filterlist_lock into a raw_spinlock\n\nRan Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see\nsplats like:\n\n| BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1\n| preempt_count: 10002, expected: 0\n| RCU nest depth: 0, expected: 0\n| no locks held by swapper/1/0.\n| irq event stamp: 156674\n| hardirqs last  enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240\n| hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0\n| softirqs last  enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60\n| softirqs last disabled at (0): [<0000000000000000>] 0x0\n| Preemption disabled at:\n| [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90\n| CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3\n| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014\n| Call Trace:\n|  <IRQ>\n|  dump_stack_lvl+0x7e/0xc0\n|  dump_stack+0x1d/0x30\n|  __might_resched+0x1a2/0x270\n|  rt_spin_lock+0x68/0x170\n|  kcsan_skip_report_debugfs+0x43/0xe0\n|  print_report+0xb5/0x590\n|  kcsan_report_known_origin+0x1b1/0x1d0\n|  kcsan_setup_watchpoint+0x348/0x650\n|  __tsan_unaligned_write1+0x16d/0x1d0\n|  hrtimer_interrupt+0x3d6/0x430\n|  __sysvec_apic_timer_interrupt+0xe8/0x3a0\n|  sysvec_apic_timer_interrupt+0x97/0xc0\n|  </IRQ>\n\nOn a detected data race, KCSAN's reporting logic checks if it should\nfilter the report. That list is protected by the report_filterlist_lock\n*non-raw* spinlock which may sleep on RT kernels.\n\nSince KCSAN may report data races in any context, convert it to a\nraw_spinlock.\n\nThis requires being careful about when to allocate memory for the filter\nlist itself which can be done via KCSAN's debugfs interface. 
Concurrent\nmodification of the filter list via debugfs should be rare: the chosen\nstrategy is to optimistically pre-allocate memory before the critical\nsection and discard if unused.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM\n\nWe currently assume that there is at least one VMA in a MM, which isn't\ntrue.\n\nSo we might end up having find_vma() return NULL, to then de-reference\nNULL.  So properly handle find_vma() returning NULL.\n\nThis fixes the report:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nRIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]\nRIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194\nCode: ...\nRSP: 0018:ffffc9000375fd08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000\nRDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044\nRBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1\nR10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003\nR13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8\nFS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709\n __do_sys_migrate_pages mm/mempolicy.c:1727 [inline]\n __se_sys_migrate_pages mm/mempolicy.c:1723 [inline]\n __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n 
entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[akpm@linux-foundation.org: add unlikely()]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56611",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: handle NULL pages in unpin_user_pages()\n\nThe recent addition of \"pofs\" (pages or folios) handling to gup has a\nflaw: it assumes that unpin_user_pages() handles NULL pages in the pages**\narray.  That's not the case, as I discovered when I ran on a new\nconfiguration on my test machine.\n\nFix this by skipping NULL pages in unpin_user_pages(), just like\nunpin_folios() already does.\n\nDetails: when booting on x86 with \"numa=fake=2 movablecore=4G\" on Linux\n6.12, and running this:\n\n    tools/testing/selftests/mm/gup_longterm\n\n...I get the following crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nRIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0\n...\nCall Trace:\n <TASK>\n ? __die_body+0x66/0xb0\n ? page_fault_oops+0x30c/0x3b0\n ? do_user_addr_fault+0x6c3/0x720\n ? irqentry_enter+0x34/0x60\n ? exc_page_fault+0x68/0x100\n ? asm_exc_page_fault+0x22/0x30\n ? sanity_check_pinned_pages+0x3a/0x2d0\n unpin_user_pages+0x24/0xe0\n check_and_migrate_movable_pages_or_folios+0x455/0x4b0\n __gup_longterm_locked+0x3bf/0x820\n ? mmap_read_lock_killable+0x12/0x50\n ? __pfx_mmap_read_lock_killable+0x10/0x10\n pin_user_pages+0x66/0xa0\n gup_test_ioctl+0x358/0xb20\n __se_sys_ioctl+0x6b/0xc0\n do_syscall_64+0x7b/0x150\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/numa: fix memory leak due to the overwritten vma->numab_state\n\n[Problem Description]\nWhen running the hackbench program of LTP, the following memory leak is\nreported by kmemleak.\n\n  # /opt/ltp/testcases/bin/hackbench 20 thread 1000\n  Running with 20*40 (== 800) tasks.\n\n  # dmesg | grep kmemleak\n  ...\n  kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n  kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\n  # cat /sys/kernel/debug/kmemleak\n  unreferenced object 0xffff888cd8ca2c40 (size 64):\n    comm \"hackbench\", pid 17142, jiffies 4299780315\n    hex dump (first 32 bytes):\n      ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00  .tI.....L.I.....\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    backtrace (crc bff18fd4):\n      [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0\n      [<ffffffff8113f715>] task_numa_work+0x725/0xa00\n      [<ffffffff8110f878>] task_work_run+0x58/0x90\n      [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0\n      [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150\n      [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ...\n\nThis issue can be consistently reproduced on three different servers:\n  * a 448-core server\n  * a 256-core server\n  * a 192-core server\n\n[Root Cause]\nSince multiple threads are created by the hackbench program (along with\nthe command argument 'thread'), a shared vma might be accessed by two or\nmore cores simultaneously. 
When two or more cores observe that\nvma->numab_state is NULL at the same time, vma->numab_state will be\noverwritten.\n\nAlthough current code ensures that only one thread scans the VMAs in a\nsingle 'numa_scan_period', there might be a chance for another thread\nto enter in the next 'numa_scan_period' while we have not gotten till\nnumab_state allocation [1].\n\nNote that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000`\ncannot the reproduce the issue. It is verified with 200+ test runs.\n\n[Solution]\nUse the cmpxchg atomic operation to ensure that only one thread executes\nthe vma->numab_state assignment.\n\n[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56613",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix OOB map writes when deleting elements\n\nJordy says:\n\n\"\nIn the xsk_map_delete_elem function an unsigned integer\n(map->max_entries) is compared with a user-controlled signed integer\n(k). Due to implicit type conversion, a large unsigned value for\nmap->max_entries can bypass the intended bounds check:\n\n\tif (k >= map->max_entries)\n\t\treturn -EINVAL;\n\nThis allows k to hold a negative value (between -2147483648 and -2),\nwhich is then used as an array index in m->xsk_map[k], which results\nin an out-of-bounds access.\n\n\tspin_lock_bh(&m->lock);\n\tmap_entry = &m->xsk_map[k]; // Out-of-bounds map_entry\n\told_xs = unrcu_pointer(xchg(map_entry, NULL));  // Oob write\n\tif (old_xs)\n\t\txsk_map_sock_delete(old_xs, map_entry);\n\tspin_unlock_bh(&m->lock);\n\nThe xchg operation can then be used to cause an out-of-bounds write.\nMoreover, the invalid map_entry passed to xsk_map_sock_delete can lead\nto further memory corruption.\n\"\n\nIt indeed results in following splat:\n\n[76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108\n[76612.904330] #PF: supervisor write access in kernel mode\n[76612.909639] #PF: error_code(0x0002) - not-present page\n[76612.914855] PGD 0 P4D 0\n[76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP\n[76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470\n[76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60\n[76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31\n[76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246\n[76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 
0000000000000000\n[76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000\n[76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007\n[76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8\n[76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0\n[76613.005303] FS:  00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000\n[76613.013517] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0\n[76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[76613.041086] PKRU: 55555554\n[76613.043842] Call Trace:\n[76613.046331]  <TASK>\n[76613.048468]  ? __die+0x20/0x60\n[76613.051581]  ? page_fault_oops+0x15a/0x450\n[76613.055747]  ? search_extable+0x22/0x30\n[76613.059649]  ? search_bpf_extables+0x5f/0x80\n[76613.063988]  ? exc_page_fault+0xa9/0x140\n[76613.067975]  ? asm_exc_page_fault+0x22/0x30\n[76613.072229]  ? xsk_map_delete_elem+0x2d/0x60\n[76613.076573]  ? 
xsk_map_delete_elem+0x23/0x60\n[76613.080914]  __sys_bpf+0x19b7/0x23c0\n[76613.084555]  __x64_sys_bpf+0x1a/0x20\n[76613.088194]  do_syscall_64+0x37/0xb0\n[76613.091832]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[76613.096962] RIP: 0033:0x7f80b6d1e88d\n[76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48\n[76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141\n[76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d\n[76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003\n[76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000\n[76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8\n[76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix OOB devmap writes when deleting elements\n\nJordy reported issue against XSKMAP which also applies to DEVMAP - the\nindex used for accessing map entry, due to being a signed integer,\ncauses the OOB writes. Fix is simple as changing the type from int to\nu32, however, when compared to XSKMAP case, one more thing needs to be\naddressed.\n\nWhen map is released from system via dev_map_free(), we iterate through\nall of the entries and an iterator variable is also an int, which\nimplies OOB accesses. Again, change it to be u32.\n\nExample splat below:\n\n[  160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000\n[  160.731662] #PF: supervisor read access in kernel mode\n[  160.736876] #PF: error_code(0x0000) - not-present page\n[  160.742095] PGD 0 P4D 0\n[  160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP\n[  160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487\n[  160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  160.767642] Workqueue: events_unbound bpf_map_free_deferred\n[  160.773308] RIP: 0010:dev_map_free+0x77/0x170\n[  160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff\n[  160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202\n[  160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024\n[  160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000\n[  160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001\n[  160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122\n[  160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000\n[  160.838310] FS:  0000000000000000(0000) 
GS:ffff8897e0c40000(0000) knlGS:0000000000000000\n[  160.846528] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0\n[  160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  160.874092] PKRU: 55555554\n[  160.876847] Call Trace:\n[  160.879338]  <TASK>\n[  160.881477]  ? __die+0x20/0x60\n[  160.884586]  ? page_fault_oops+0x15a/0x450\n[  160.888746]  ? search_extable+0x22/0x30\n[  160.892647]  ? search_bpf_extables+0x5f/0x80\n[  160.896988]  ? exc_page_fault+0xa9/0x140\n[  160.900973]  ? asm_exc_page_fault+0x22/0x30\n[  160.905232]  ? dev_map_free+0x77/0x170\n[  160.909043]  ? dev_map_free+0x58/0x170\n[  160.912857]  bpf_map_free_deferred+0x51/0x90\n[  160.917196]  process_one_work+0x142/0x370\n[  160.921272]  worker_thread+0x29e/0x3b0\n[  160.925082]  ? rescuer_thread+0x4b0/0x4b0\n[  160.929157]  kthread+0xd4/0x110\n[  160.932355]  ? kthread_park+0x80/0x80\n[  160.936079]  ret_from_fork+0x2d/0x50\n[  160.943396]  ? kthread_park+0x80/0x80\n[  160.950803]  ret_from_fork_asm+0x11/0x20\n[  160.958482]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Fix MST sideband message body length check\n\nFix the MST sideband message body length check, which must be at least 1\nbyte accounting for the message body CRC (aka message data CRC) at the\nend of the message.\n\nThis fixes a case where an MST branch device returns a header with a\ncorrect header CRC (indicating a correctly received body length), with\nthe body length being incorrectly set to 0. This will later lead to a\nmemory corruption in drm_dp_sideband_append_payload() and the following\nerrors in dmesg:\n\n   UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25\n   index -1 is out of range for type 'u8 [48]'\n   Call Trace:\n    drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]\n    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]\n    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]\n\n   memcpy: detected field-spanning write (size 18446744073709551615) of single field \"&msg->msg[msg->curlen]\" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)\n   Call Trace:\n    drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]\n    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]\n    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU\n\nCommit\n\n  5944ce092b97 (\"arch_topology: Build cacheinfo from primary CPU\")\n\nadds functionality that architectures can use to optionally allocate and\nbuild cacheinfo early during boot. Commit\n\n  6539cffa9495 (\"cacheinfo: Add arch specific early level initializer\")\n\nlets secondary CPUs correct (and reallocate memory) cacheinfo data if\nneeded.\n\nIf the early build functionality is not used and cacheinfo does not need\ncorrection, memory for cacheinfo is never allocated. x86 does not use\nthe early build functionality. Consequently, during the cacheinfo CPU\nhotplug callback, last_level_cache_is_valid() attempts to dereference\na NULL pointer:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000100\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEPMT SMP NOPTI\n  CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1\n  RIP: 0010: last_level_cache_is_valid+0x95/0xe0a\n\nAllocate memory for cacheinfo during the cacheinfo CPU hotplug callback\nif not done earlier.\n\nMoreover, before determining the validity of the last-level cache info,\nensure that it has been allocated. Simply checking for non-zero\ncache_leaves() is not sufficient, as some architectures (e.g., Intel\nprocessors) have non-zero cache_leaves() before allocation.\n\nDereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size().\nThis function iterates over all online CPUs. However, a CPU may have come\nonline recently, but its cacheinfo may not have been allocated yet.\n\nWhile here, remove an unnecessary indentation in allocate_cache_info().\n\n  [ bp: Massage. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx: gpcv2: Adjust delay after power up handshake\n\nThe udelay(5) is not enough, sometimes below kernel panic\nstill be triggered:\n\n[    4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt\n[    4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1\n[    4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT)\n[    4.012985] Call trace:\n[...]\n[    4.013029]  arm64_serror_panic+0x64/0x70\n[    4.013034]  do_serror+0x3c/0x70\n[    4.013039]  el1h_64_error_handler+0x30/0x54\n[    4.013046]  el1h_64_error+0x64/0x68\n[    4.013050]  clk_imx8mp_audiomix_runtime_resume+0x38/0x48\n[    4.013059]  __genpd_runtime_resume+0x30/0x80\n[    4.013066]  genpd_runtime_resume+0x114/0x29c\n[    4.013073]  __rpm_callback+0x48/0x1e0\n[    4.013079]  rpm_callback+0x68/0x80\n[    4.013084]  rpm_resume+0x3bc/0x6a0\n[    4.013089]  __pm_runtime_resume+0x50/0x9c\n[    4.013095]  pm_runtime_get_suppliers+0x60/0x8c\n[    4.013101]  __driver_probe_device+0x4c/0x14c\n[    4.013108]  driver_probe_device+0x3c/0x120\n[    4.013114]  __driver_attach+0xc4/0x200\n[    4.013119]  bus_for_each_dev+0x7c/0xe0\n[    4.013125]  driver_attach+0x24/0x30\n[    4.013130]  bus_add_driver+0x110/0x240\n[    4.013135]  driver_register+0x68/0x124\n[    4.013142]  __platform_driver_register+0x24/0x30\n[    4.013149]  sdma_driver_init+0x20/0x1000 [imx_sdma]\n[    4.013163]  do_one_initcall+0x60/0x1e0\n[    4.013168]  do_init_module+0x5c/0x21c\n[    4.013175]  load_module+0x1a98/0x205c\n[    4.013181]  init_module_from_file+0x88/0xd4\n[    4.013187]  __arm64_sys_finit_module+0x258/0x350\n[    4.013194]  invoke_syscall.constprop.0+0x50/0xe0\n[    4.013202]  do_el0_svc+0xa8/0xe0\n[    4.013208]  el0_svc+0x3c/0x140\n[    4.013215]  el0t_64_sync_handler+0x120/0x12c\n[    4.013222]  el0t_64_sync+0x190/0x194\n[    4.013228] SMP: stopping secondary CPUs\n\nThe correct way is to wait handshake, but it needs BUS clock of\nBLK-CTL be enabled, which is in separate driver. So delay is the\nonly option here. The udelay(10) is a data got by experiment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()\n\nSyzbot reported that when searching for records in a directory where the\ninode's i_size is corrupted and has a large value, memory access outside\nthe folio/page range may occur, or a use-after-free bug may be detected if\nKASAN is enabled.\n\nThis is because nilfs_last_byte(), which is called by nilfs_find_entry()\nand others to calculate the number of valid bytes of directory data in a\npage from i_size and the page index, loses the upper 32 bits of the 64-bit\nsize information due to an inappropriate type of local variable to which\nthe i_size value is assigned.\n\nThis caused a large byte offset value due to underflow in the end address\ncalculation in the calling nilfs_find_entry(), resulting in memory access\nthat exceeds the folio/page size.\n\nFix this issue by changing the type of the local variable causing the bit\nloss from \"unsigned int\" to \"u64\".  The return value of nilfs_last_byte()\nis also of type \"unsigned int\", but it is truncated so as not to exceed\nPAGE_SIZE and no bit loss occurs, so no change is required.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: qcom: Only free platform MSIs when ESI is enabled\n\nOtherwise, it will result in a NULL pointer dereference as below:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nCall trace:\n mutex_lock+0xc/0x54\n platform_device_msi_free_irqs_all+0x14/0x20\n ufs_qcom_remove+0x34/0x48 [ufs_qcom]\n platform_remove+0x28/0x44\n device_remove+0x4c/0x80\n device_release_driver_internal+0xd8/0x178\n driver_detach+0x50/0x9c\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n platform_driver_unregister+0x14/0x20\n ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom]\n __arm64_sys_delete_module+0x180/0x260\n invoke_syscall+0x44/0x100\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xdc\n el0t_64_sync_handler+0xc0/0xc4\n el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Cancel RTC work during ufshcd_remove()\n\nCurrently, RTC work is only cancelled during __ufshcd_wl_suspend(). When\nufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to\nthis, any further trigger of the RTC work after ufshcd_remove() would\nresult in a NULL pointer dereference as below:\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000002a4\nWorkqueue: events ufshcd_rtc_work\nCall trace:\n _raw_spin_lock_irqsave+0x34/0x8c\n pm_runtime_get_if_active+0x24/0xb4\n ufshcd_rtc_work+0x124/0x19c\n process_scheduled_works+0x18c/0x2d8\n worker_thread+0x144/0x280\n kthread+0x11c/0x128\n ret_from_fork+0x10/0x20\n\nSince RTC work accesses the ufshcd internal structures, it should be cancelled\nwhen ufshcd is removed. So do that in ufshcd_remove(), as per the order in\nufshcd_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: sysfs: Prevent div by zero\n\nPrevent a division by 0 when monitoring is not enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix use after free on unload\n\nSystem crash is observed with stack trace warning of use after\nfree. There are 2 signals to tell dpc_thread to terminate (UNLOADING\nflag and kthread_stop).\n\nOn setting the UNLOADING flag when dpc_thread happens to run at the time\nand sees the flag, this causes dpc_thread to exit and clean up\nitself. When kthread_stop is called for final cleanup, this causes use\nafter free.\n\nRemove UNLOADING signal to terminate dpc_thread.  Use the kthread_stop\nas the main signal to exit dpc_thread.\n\n[596663.812935] kernel BUG at mm/slub.c:294!\n[596663.812950] invalid opcode: 0000 [#1] SMP PTI\n[596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-240.el8.x86_64 #1\n[596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012\n[596663.812974] RIP: 0010:__slab_free+0x17d/0x360\n\n...\n[596663.813008] Call Trace:\n[596663.813022]  ? __dentry_kill+0x121/0x170\n[596663.813030]  ? _cond_resched+0x15/0x30\n[596663.813034]  ? _cond_resched+0x15/0x30\n[596663.813039]  ? wait_for_completion+0x35/0x190\n[596663.813048]  ? try_to_wake_up+0x63/0x540\n[596663.813055]  free_task+0x5a/0x60\n[596663.813061]  kthread_stop+0xf3/0x100\n[596663.813103]  qla2x00_remove_one+0x284/0x440 [qla2xxx]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix out_fput in iommufd_fault_alloc()\n\nAs fput() calls the file->f_op->release op, where fault obj and ictx are\ngetting released, there is no need to release these two after fput() one\nmore time, which would result in imbalanced refcounts:\n  refcount_t: decrement hit 0; leaking memory.\n  WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230\n  Call trace:\n   refcount_warn_saturate+0x60/0x230 (P)\n   refcount_warn_saturate+0x60/0x230 (L)\n   iommufd_fault_fops_release+0x9c/0xe0 [iommufd]\n  ...\n  VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])\n  WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0\n  Call trace:\n   filp_flush+0x3c/0xf0 (P)\n   filp_flush+0x3c/0xf0 (L)\n   __arm64_sys_close+0x34/0x98\n  ...\n  imbalanced put on file reference count\n  WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138\n  Call trace:\n   __file_ref_put+0x100/0x138 (P)\n   __file_ref_put+0x100/0x138 (L)\n   __fput_sync+0x4c/0xd0\n\nDrop those two lines to fix the warnings above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_set_termination(): allow sleeping GPIOs\n\nIn commit 6e86a1543c37 (\"can: dev: provide optional GPIO based\ntermination support\") GPIO based termination support was added.\n\nFor no particular reason that patch uses gpiod_set_value() to set the\nGPIO. This leads to the following warning, if the systems uses a\nsleeping GPIO, i.e. behind an I2C port expander:\n\n| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c\n| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c\n\nReplace gpiod_set_value() by gpiod_set_value_cansleep() to allow the\nuse of sleeping GPIOs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write\n\nAn offset from client could be a negative value, It could allows\nto write data outside the bounds of the allocated buffer.\nNote that this issue is coming when setting\n'vfs objects = streams_xattr parameter' in ksmbd.conf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read\n\nAn offset from client could be a negative value, It could lead\nto an out-of-bounds read from the stream_buf.\nNote that this issue is coming when setting\n'vfs objects = streams_xattr parameter' in ksmbd.conf.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Add architecture specific huge_pte_clear()\n\nWhen executing mm selftests run_vmtests.sh, there is such an error:\n\n BUG: Bad page state in process uffd-unit-tests  pfn:00000\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff)\n raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat\n    virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse\n    nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs\n CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000\n         900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8\n         900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001\n         0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000\n         0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000\n         000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940\n         0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000\n         0000000000000000 90000000028f8940 ffff800000000000 0000000000000000\n         0000000000000000 0000000000000000 9000000000223a94 000000012001839c\n         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d\n         ...\n Call Trace:\n [<9000000000223a94>] show_stack+0x5c/0x180\n [<9000000001c3fd64>] dump_stack_lvl+0x6c/0xa0\n [<900000000056aa08>] bad_page+0x1a0/0x1f0\n [<9000000000574978>] free_unref_folios+0xbf0/0xd20\n [<90000000004e65cc>] folios_put_refs+0x1a4/0x2b8\n [<9000000000599a0c>] free_pages_and_swap_cache+0x164/0x260\n [<9000000000547698>] tlb_batch_pages_flush+0xa8/0x1c0\n [<9000000000547f30>] tlb_finish_mmu+0xa8/0x218\n [<9000000000543cb8>] exit_mmap+0x1a0/0x360\n [<9000000000247658>] __mmput+0x78/0x200\n [<900000000025583c>] do_exit+0x43c/0xde8\n [<9000000000256490>] do_group_exit+0x68/0x110\n [<9000000000256554>] sys_exit_group+0x1c/0x20\n [<9000000001c413b4>] do_syscall+0x94/0x130\n [<90000000002216d8>] handle_syscall+0xb8/0x158\n Disabling lock debugging due to kernel taint\n BUG: non-zero pgtables_bytes on freeing mm: -16384\n\nOn LoongArch system, invalid huge pte entry should be invalid_pte_table\nor a single _PAGE_HUGE bit rather than a zero value. And it should be\nthe same with invalid pmd entry, since pmd_none() is called by function\nfree_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single\n_PAGE_HUGE bit is also treated as a valid pte table and free_pte_range()\nwill be called in free_pmd_range().\n\n  free_pmd_range()\n        pmd = pmd_offset(pud, addr);\n        do {\n                next = pmd_addr_end(addr, end);\n                if (pmd_none_or_clear_bad(pmd))\n                        continue;\n                free_pte_range(tlb, pmd, addr);\n        } while (pmd++, addr = next, addr != end);\n\nHere invalid_pte_table is used for both invalid huge pte entry and\npmd entry.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix when get product name maybe null pointer\n\nDue to incorrect dev->product reporting by certain devices, null\npointer dereferences occur when dev->product is empty, leading to\npotential system crashes.\n\nThis issue was found on EXCELSIOR DL37-D05 device with\nLoongson-LS3A6000-7A2000-DL37 motherboard.\n\nKernel logs:\n[   56.470885] usb 4-3: new full-speed USB device number 4 using ohci-pci\n[   56.671638] usb 4-3: string descriptor 0 read error: -22\n[   56.671644] usb 4-3: New USB device found, idVendor=056a, idProduct=0374, bcdDevice= 1.07\n[   56.671647] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3\n[   56.678839] hid-generic 0003:056A:0374.0004: hiddev0,hidraw3: USB HID v1.10 Device [HID 056a:0374] on usb-0000:00:05.0-3/input0\n[   56.697719] CPU 2 Unable to handle kernel paging request at virtual address 0000000000000000, era == 90000000066e35c8, ra == ffff800004f98a80\n[   56.697732] Oops[#1]:\n[   56.697734] CPU: 2 PID: 2742 Comm: (udev-worker) Tainted: G           OE      6.6.0-loong64-desktop #25.00.2000.015\n[   56.697737] Hardware name: Inspur CE520L2/C09901N000000000, BIOS 2.09.00 10/11/2024\n[   56.697739] pc 90000000066e35c8 ra ffff800004f98a80 tp 9000000125478000 sp 900000012547b8a0\n[   56.697741] a0 0000000000000000 a1 ffff800004818b28 a2 0000000000000000 a3 0000000000000000\n[   56.697743] a4 900000012547b8f0 a5 0000000000000000 a6 0000000000000000 a7 0000000000000000\n[   56.697745] t0 ffff800004818b2d t1 0000000000000000 t2 0000000000000003 t3 0000000000000005\n[   56.697747] t4 0000000000000000 t5 0000000000000000 t6 0000000000000000 t7 0000000000000000\n[   56.697748] t8 0000000000000000 u0 0000000000000000 s9 0000000000000000 s0 900000011aa48028\n[   56.697750] s1 0000000000000000 s2 0000000000000000 s3 ffff800004818e80 s4 ffff800004810000\n[   56.697751] s5 90000001000b98d0 s6 ffff800004811f88 s7 ffff800005470440 s8 0000000000000000\n[   56.697753]    ra: ffff800004f98a80 wacom_update_name+0xe0/0x300 [wacom]\n[   56.697802]   ERA: 90000000066e35c8 strstr+0x28/0x120\n[   56.697806]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[   56.697816]  PRMD: 0000000c (PPLV0 +PIE +PWE)\n[   56.697821]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[   56.697827]  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n[   56.697831] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[   56.697835]  BADV: 0000000000000000\n[   56.697836]  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)\n[   56.697838] Modules linked in: wacom(+) bnep bluetooth rfkill qrtr nls_iso8859_1 nls_cp437 snd_hda_codec_conexant snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore input_leds mousedev led_class joydev deepin_netmonitor(OE) fuse nfnetlink dmi_sysfs ip_tables x_tables overlay amdgpu amdxcp drm_exec gpu_sched drm_buddy radeon drm_suballoc_helper i2c_algo_bit drm_ttm_helper r8169 ttm drm_display_helper spi_loongson_pci xhci_pci cec xhci_pci_renesas spi_loongson_core hid_generic realtek gpio_loongson_64bit\n[   56.697887] Process (udev-worker) (pid: 2742, threadinfo=00000000aee0d8b4, task=00000000a9eff1f3)\n[   56.697890] Stack : 0000000000000000 ffff800004817e00 0000000000000000 0000251c00000000\n[   56.697896]         0000000000000000 00000011fffffffd 0000000000000000 0000000000000000\n[   56.697901]         0000000000000000 1b67a968695184b9 0000000000000000 90000001000b98d0\n[   56.697906]         90000001000bb8d0 900000011aa48028 0000000000000000 ffff800004f9d74c\n[   56.697911]         90000001000ba000 ffff800004f9ce58 0000000000000000 ffff800005470440\n[   56.697916]         ffff800004811f88 90000001000b98d0 9000000100da2aa8 90000001000bb8d0\n[   56.697921]         0000000000000000 90000001000ba000 900000011aa48028 ffff800004f9d74c\n[   56.697926]         ffff8000054704e8 90000001000bb8b8 90000001000ba000 0000000000000000\n[   56.697931]         90000001000bb8d0 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: free inode when ocfs2_get_init_inode() fails\n\nsyzbot is reporting busy inodes after unmount, for commit 9c89fe0af826\n(\"ocfs2: Handle error from dquot_initialize()\") forgot to call iput() when\nnew_inode() succeeded and dquot_initialize() failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Fix slab-use-after-free read in sg_release()\n\nFix a use-after-free bug in sg_release(), detected by syzbot with KASAN:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30\nkernel/locking/lockdep.c:5838\n__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912\nsg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407\n\nIn sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is\ncalled before releasing the open_rel_lock mutex. The kref_put() call may\ndecrement the reference count of sfp to zero, triggering its cleanup\nthrough sg_remove_sfp(). This cleanup includes scheduling deferred work\nvia sg_remove_sfp_usercontext(), which ultimately frees sfp.\n\nAfter kref_put(), sg_release() continues to unlock open_rel_lock and may\nreference sfp or sdp. If sfp has already been freed, this results in a\nslab-use-after-free error.\n\nMove the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the\nopen_rel_lock mutex. This ensures:\n\n - No references to sfp or sdp occur after the reference count is\n   decremented.\n\n - Cleanup functions such as sg_remove_sfp() and\n   sg_remove_sfp_usercontext() can safely execute without impacting the\n   mutex handling in sg_release().\n\nThe fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures proper\nsequencing of resource cleanup and mutex operations, eliminating the\nrisk of use-after-free errors in sg_release().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix the memleak while create new ctrl failed\n\nNow while we create new ctrl failed, we have not free the\ntagset occupied by admin_q, here try to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg\n\nThe current sk memory accounting logic in __SK_REDIRECT is pre-uncharging\ntosend bytes, which is either msg->sg.size or a smaller value apply_bytes.\n\nPotential problems with this strategy are as follows:\n\n- If the actual sent bytes are smaller than tosend, we need to charge some\n  bytes back, as in line 487, which is okay but seems not clean.\n\n- When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may\n  miss uncharging (msg->sg.size - apply_bytes) bytes.\n\n[...]\n415 tosend = msg->sg.size;\n416 if (psock->apply_bytes && psock->apply_bytes < tosend)\n417   tosend = psock->apply_bytes;\n[...]\n443 sk_msg_return(sk, msg, tosend);\n444 release_sock(sk);\n446 origsize = msg->sg.size;\n447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,\n448                             msg, tosend, flags);\n449 sent = origsize - msg->sg.size;\n[...]\n454 lock_sock(sk);\n455 if (unlikely(ret < 0)) {\n456   int free = sk_msg_free_nocharge(sk, msg);\n458   if (!cork)\n459     *copied -= free;\n460 }\n[...]\n487 if (eval == __SK_REDIRECT)\n488   sk_mem_charge(sk, tosend - sent);\n[...]\n\nWhen running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply,\nthe following warning will be reported:\n\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0\nModules linked in:\nCPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nWorkqueue: events sk_psock_destroy\nRIP: 0010:inet_sock_destruct+0x190/0x1a0\nRSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206\nRAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800\nRDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900\nRBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0\nR10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400\nR13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100\nFS:  0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __warn+0x89/0x130\n? inet_sock_destruct+0x190/0x1a0\n? report_bug+0xfc/0x1e0\n? handle_bug+0x5c/0xa0\n? exc_invalid_op+0x17/0x70\n? asm_exc_invalid_op+0x1a/0x20\n? inet_sock_destruct+0x190/0x1a0\n__sk_destruct+0x25/0x220\nsk_psock_destroy+0x2b2/0x310\nprocess_scheduled_works+0xa3/0x3e0\nworker_thread+0x117/0x240\n? __pfx_worker_thread+0x10/0x10\nkthread+0xcf/0x100\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x40\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>\n---[ end trace 0000000000000000 ]---\n\nIn __SK_REDIRECT, a more concise way is delaying the uncharging after sent\nbytes are finalized, and uncharge this value. When (ret < 0), we shall\ninvoke sk_msg_free.\n\nSame thing happens in case __SK_DROP, when tosend is set to apply_bytes,\nwe may miss uncharging (msg->sg.size - apply_bytes) bytes. The same\nwarning will be reported in selftest.\n\n[...]\n468 case __SK_DROP:\n469 default:\n470 sk_msg_free_partial(sk, msg, tosend);\n471 sk_msg_apply_bytes(psock, tosend);\n472 *copied -= (tosend + delta);\n473 return -EACCES;\n[...]\n\nSo instead of sk_msg_free_partial we can do sk_msg_free here.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: grgpio: Add NULL check in grgpio_probe\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in grgpio_probe is not checked.\nAdd NULL check in grgpio_probe, to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential UAF in default_operstate()\n\nsyzbot reported an UAF in default_operstate() [1]\n\nIssue is a race between device and netns dismantles.\n\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\n\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\n\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n\n[1]\n\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\n\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\n  default_operstate net/core/link_watch.c:51 [inline]\n  rfc2863_policy+0x224/0x300 net/core/link_watch.c:67\n  linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\n  netdev_run_todo+0x461/0x1000 net/core/dev.c:10894\n  rtnl_unlock net/core/rtnetlink.c:152 [inline]\n  rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\n  rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\n  rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:726\n  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n  ___sys_sendmsg net/socket.c:2637 [inline]\n  __sys_sendmsg+0x269/0x350 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n </TASK>\n\nAllocated by task 5339:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n  kmalloc_noprof include/linux/slab.h:901 [inline]\n  kmalloc_array_noprof include/linux/slab.h:945 [inline]\n  netdev_create_hash net/core/dev.c:11870 [inline]\n  netdev_init+0x10c/0x250 net/core/dev.c:11890\n  ops_init+0x31e/0x590 net/core/net_namespace.c:138\n  setup_net+0x287/0x9e0 net/core/net_namespace.c:362\n  copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\n  create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\n  ksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n  __do_sys_unshare kernel/fork.c:3385 [inline]\n  __se_sys_unshare kernel/fork.c:3383 [inline]\n  __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x8\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: do not assume mac header is set in geneve_xmit_skb()\n\nWe should not assume mac header is set in output path.\n\nUse skb_eth_hdr() instead of eth_hdr() to fix the issue.\n\nsysbot reported the following :\n\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]\n WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039\nModules linked in:\nCPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]\n RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]\n RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]\n RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039\nCode: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 <0f> 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff\nRSP: 0018:ffffc90003b2f870 EFLAGS: 00010283\nRAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000\nRDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003\nRBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000\nR13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23\nFS:  00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490\n  dev_direct_xmit include/linux/netdevice.h:3181 [inline]\n  packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285\n  packet_snd net/packet/af_packet.c:3146 [inline]\n  packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg net/socket.c:726 [inline]\n  __sys_sendto+0x488/0x4f0 net/socket.c:2197\n  __do_sys_sendto net/socket.c:2204 [inline]\n  __se_sys_sendto net/socket.c:2200 [inline]\n  __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Hold module reference while requesting a module\n\nUser space may unload ip_set.ko while it is itself requesting a set type\nbackend module, leading to a kernel crash. The race condition may be\nprovoked by inserting an mdelay() right after the nfnl_unlock() call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: incorrect percpu area handling under softirq\n\nSoftirq can interrupt ongoing packet from process context that is\nwalking over the percpu area that contains inner header offsets.\n\nDisable bh and perform three checks before restoring the percpu inner\nheader offsets to validate that the percpu area is valid for this\nskbuff:\n\n1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff\n   has already been parsed before for inner header fetching to\n   register.\n\n2) Validate that the percpu area refers to this skbuff using the\n   skbuff pointer as a cookie. If there is a cookie mismatch, then\n   this skbuff needs to be parsed again.\n\n3) Finally, validate if the percpu area refers to this tunnel type.\n\nOnly after these three checks the percpu area is restored to a on-stack\ncopy and bh is enabled again.\n\nAfter inner header fetching, the on-stack copy is stored back to the\npercpu area.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: must allocate more bytes for RedBox support\n\nBlamed commit forgot to change hsr_init_skb() to allocate\nlarger skb for RedBox case.\n\nIndeed, send_hsr_supervision_frame() will add\ntwo additional components (struct hsr_sup_tlv\nand struct hsr_sup_payload)\n\nsyzbot reported the following crash:\nskbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206\nCode: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c\nRSP: 0018:ffffc90000858ab8 EFLAGS: 00010282\nRAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69\nRDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005\nRBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a\nR13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140\nFS:  000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <IRQ>\n  skb_over_panic net/core/skbuff.c:211 [inline]\n  skb_put+0x174/0x1b0 net/core/skbuff.c:2617\n  send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342\n  hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436\n  call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794\n  expire_timers kernel/time/timer.c:1845 [inline]\n  __run_timers+0x6e8/0x930 kernel/time/timer.c:2419\n  __run_timer_base kernel/time/timer.c:2430 [inline]\n  __run_timer_base kernel/time/timer.c:2423 [inline]\n  run_timer_base+0x111/0x190 kernel/time/timer.c:2439\n  run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:554\n  __do_softirq kernel/softirq.c:588 [inline]\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu kernel/softirq.c:637 [inline]\n  irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix LGR and link use-after-free issue\n\nWe encountered a LGR/link use-after-free issue, which manifested as\nthe LGR/link refcnt reaching 0 early and entering the clear process,\nmaking resource access unsafe.\n\n refcount_t: addition on 0; use-after-free.\n WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140\n Workqueue: events smc_lgr_terminate_work [smc]\n Call trace:\n  refcount_warn_saturate+0x9c/0x140\n  __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]\n  smc_lgr_terminate_work+0x28/0x30 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nor\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140\n Workqueue: smc_hs_wq smc_listen_work [smc]\n Call trace:\n  refcount_warn_saturate+0xf0/0x140\n  smcr_link_put+0x1cc/0x1d8 [smc]\n  smc_conn_free+0x110/0x1b0 [smc]\n  smc_conn_abort+0x50/0x60 [smc]\n  smc_listen_find_device+0x75c/0x790 [smc]\n  smc_listen_work+0x368/0x8a0 [smc]\n  process_one_work+0x1b8/0x420\n  worker_thread+0x158/0x510\n  kthread+0x114/0x118\n\nIt is caused by repeated release of LGR/link refcnt. One suspect is that\nsmc_conn_free() is called repeatedly because some smc_conn_free() from\nserver listening path are not protected by sock lock.\n\ne.g.\n\nCalls under socklock        | smc_listen_work\n-------------------------------------------------------\nlock_sock(sk)               | smc_conn_abort\nsmc_conn_free               | \\- smc_conn_free\n\\- smcr_link_put            |    \\- smcr_link_put (duplicated)\nrelease_sock(sk)\n\nSo here add sock lock protection in smc_listen_work() path, making it\nexclusive with other connection operations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: initialize close_work early to avoid warning\n\nWe encountered a warning that close_work was canceled before\ninitialization.\n\n  WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0\n  Workqueue: events smc_lgr_terminate_work [smc]\n  RIP: 0010:__flush_work+0x19e/0x1b0\n  Call Trace:\n   ? __wake_up_common+0x7a/0x190\n   ? work_busy+0x80/0x80\n   __cancel_work_timer+0xe3/0x160\n   smc_close_cancel_work+0x1a/0x70 [smc]\n   smc_close_active_abort+0x207/0x360 [smc]\n   __smc_lgr_terminate.part.38+0xc8/0x180 [smc]\n   process_one_work+0x19e/0x340\n   worker_thread+0x30/0x370\n   ? process_one_work+0x340/0x340\n   kthread+0x117/0x130\n   ? __kthread_cancel_work+0x50/0x50\n   ret_from_fork+0x22/0x30\n\nThis is because when smc_close_cancel_work is triggered, e.g. the RDMA\ndriver is rmmod and the LGR is terminated, the conn->close_work is\nflushed before initialization, resulting in WARN_ON(!work->func).\n\n__smc_lgr_terminate             | smc_connect_{rdma|ism}\n-------------------------------------------------------------\n                                | smc_conn_create\n\t\t\t\t| \\- smc_lgr_register_conn\nfor conn in lgr->conns_all      |\n\\- smc_conn_kill                |\n   \\- smc_close_active_abort    |\n      \\- smc_close_cancel_work  |\n         \\- cancel_work_sync    |\n            \\- __flush_work     |\n\t         (close_work)   |\n\t                        | smc_close_init\n\t                        | \\- INIT_WORK(&close_work)\n\nSo fix this by initializing close_work before establishing the\nconnection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free of kernel socket in cleanup_bearer().\n\nsyzkaller reported a use-after-free of UDP kernel socket\nin cleanup_bearer() without repro. [0][1]\n\nWhen bearer_disable() calls tipc_udp_disable(), cleanup\nof the UDP kernel socket is deferred by work calling\ncleanup_bearer().\n\ntipc_exit_net() waits for such works to finish by checking\ntipc_net(net)->wq_count.  However, the work decrements the\ncount too early before releasing the kernel socket,\nunblocking cleanup_net() and resulting in use-after-free.\n\nLet's move the decrement after releasing the socket in\ncleanup_bearer().\n\n[0]:\nref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at\n     sk_alloc+0x438/0x608\n     inet_create+0x4c8/0xcb0\n     __sock_create+0x350/0x6b8\n     sock_create_kern+0x58/0x78\n     udp_sock_create4+0x68/0x398\n     udp_sock_create+0x88/0xc8\n     tipc_udp_enable+0x5e8/0x848\n     __tipc_nl_bearer_enable+0x84c/0xed8\n     tipc_nl_bearer_enable+0x38/0x60\n     genl_family_rcv_msg_doit+0x170/0x248\n     genl_rcv_msg+0x400/0x5b0\n     netlink_rcv_skb+0x1dc/0x398\n     genl_rcv+0x44/0x68\n     netlink_unicast+0x678/0x8b0\n     netlink_sendmsg+0x5e4/0x898\n     ____sys_sendmsg+0x500/0x830\n\n[1]:\nBUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]\nBUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n udp_hashslot include/net/udp.h:85 [inline]\n udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979\n sk_common_release+0xaf/0x3f0 net/core/sock.c:3820\n inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437\n inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489\n __sock_release net/socket.c:658 [inline]\n sock_release+0xa0/0x210 net/socket.c:686\n cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\n slab_free_hook mm/slub.c:2269 [inline]\n slab_free mm/slub.c:4580 [inline]\n kmem_cache_free+0x207/0xc40 mm/slub.c:4682\n net_free net/core/net_namespace.c:454 [inline]\n cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310\n worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391\n kthread+0x531/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244\n\nCPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: events cleanup_bearer",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix memory leak in dccp_feat_change_recv\n\nIf dccp_feat_push_confirm() fails after new value for SP feature was accepted\nwithout reconciliation ('entry == NULL' branch), memory allocated for that value\nwith dccp_feat_clone_sp_val() is never freed.\n\nHere is the kmemleak stack for this:\n\nunreferenced object 0xffff88801d4ab488 (size 8):\n  comm \"syz-executor310\", pid 1127, jiffies 4295085598 (age 41.666s)\n  hex dump (first 8 bytes):\n    01 b4 4a 1d 80 88 ff ff                          ..J.....\n  backtrace:\n    [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128\n    [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]\n    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]\n    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]\n    [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]\n    [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416\n    [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125\n    [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650\n    [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688\n    [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]\n    [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570\n    [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111\n    [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]\n    [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696\n    [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735\n    [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865\n    [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882\n    [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]\n    [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]\n    [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889\n    [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n    [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nClean up the allocated memory in case of dccp_feat_push_confirm() failure\nand bail out with an error reset code.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: release expired exception dst cached in socket\n\nDst objects get leaked in ip6_negative_advice() when this function is\nexecuted for an expired IPv6 route located in the exception table. There\nare several conditions that must be fulfilled for the leak to occur:\n* an ICMPv6 packet indicating a change of the MTU for the path is received,\n  resulting in an exception dst being created\n* a TCP connection that uses the exception dst for routing packets must\n  start timing out so that TCP begins retransmissions\n* after the exception dst expires, the FIB6 garbage collector must not run\n  before TCP executes ip6_negative_advice() for the expired exception dst\n\nWhen TCP executes ip6_negative_advice() for an exception dst that has\nexpired and if no other socket holds a reference to the exception dst, the\nrefcount of the exception dst is 2, which corresponds to the increment\nmade by dst_init() and the increment made by the TCP socket for which the\nconnection is timing out. The refcount made by the socket is never\nreleased. The refcount of the dst is decremented in sk_dst_reset() but\nthat decrement is counteracted by a dst_hold() intentionally placed just\nbefore the sk_dst_reset() in ip6_negative_advice(). After\nip6_negative_advice() has finished, there is no other object tied to the\ndst. The socket lost its reference stored in sk_dst_cache and the dst is\nno longer in the exception table. The exception dst becomes a leaked\nobject.\n\nAs a result of this dst leak, an unbalanced refcount is reported for the\nloopback device of a net namespace being destroyed under kernels that do\nnot contain e5f80fcf869a (\"ipv6: give an IPv6 dev to blackhole_netdev\"):\nunregister_netdevice: waiting for lo to become free. Usage count = 2\n\nFix the dst leak by removing the dst_hold() in ip6_negative_advice(). The\npatch that introduced the dst_hold() in ip6_negative_advice() was\n92f1655aa2b22 (\"net: fix __dst_negative_advice() race\"). But 92f1655aa2b22\nmerely refactored the code with regards to the dst refcount so the issue\nwas present even before 92f1655aa2b22. The bug was introduced in\n54c1a859efd9f (\"ipv6: Don't drop cache route entry unless timer actually\nexpired.\") where the expired cached route is deleted and the sk_dst_cache\nmember of the socket is set to NULL by calling dst_negative_advice() but\nthe refcount belonging to the socket is left unbalanced.\n\nThe IPv4 version - ipv4_negative_advice() - is not affected by this bug.\nWhen the TCP connection times out ipv4_negative_advice() merely resets the\nsk_dst_cache of the socket while decrementing the refcount of the\nexception dst.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_session_new(): fix skb reference counting\n\nSince j1939_session_skb_queue() does an extra skb_get() for each new\nskb, do the same for the initial one in j1939_session_new() to avoid\nrefcount underflow.\n\n[mkl: clean up commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in modify_prefix_route()\n\nsyzbot found a NULL deref [1] in modify_prefix_route(), caused by one\nfib6_info without a fib6_table pointer set.\n\nThis can happen for net->ipv6.fib6_null_entry\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089\nCode: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84\nRSP: 0018:ffffc900035d7268 EFLAGS: 00010006\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001\nR10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030\nR13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849\n  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n  _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178\n  spin_lock_bh include/linux/spinlock.h:356 [inline]\n  modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831\n  inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]\n  inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055\n  rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920\n  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg net/socket.c:726 [inline]\n  ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583\n  ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637\n  __sys_sendmsg+0x16e/0x220 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fd1dcef8b79\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79\nRDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c\nR13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix icmp host relookup triggering ip_rt_bug\n\narp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:\n\nWARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20\nModules linked in:\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:ip_rt_bug+0x14/0x20\nCall Trace:\n <IRQ>\n ip_send_skb+0x14/0x40\n __icmp_send+0x42d/0x6a0\n ipv4_link_failure+0xe2/0x1d0\n arp_error_report+0x3c/0x50\n neigh_invalidate+0x8d/0x100\n neigh_timer_handler+0x2e1/0x330\n call_timer_fn+0x21/0x120\n __run_timer_base.part.0+0x1c9/0x270\n run_timer_softirq+0x4c/0x80\n handle_softirqs+0xac/0x280\n irq_exit_rcu+0x62/0x80\n sysvec_apic_timer_interrupt+0x77/0x90\n\nThe script below reproduces this scenario:\nip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \\\n\tdir out priority 0 ptype main flag localok icmp\nip l a veth1 type veth\nip a a 192.168.141.111/24 dev veth0\nip l s veth0 up\nping 192.168.141.155 -c 1\n\nicmp_route_lookup() create input routes for locally generated packets\nwhile xfrm relookup ICMP traffic.Then it will set input route\n(dst->out = ip_rt_bug) to skb for DESTUNREACH.\n\nFor ICMP err triggered by locally generated packets, dst->dev of output\nroute is loopback. Generally, xfrm relookup verification is not required\non loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).\n\nSkip icmp relookup for locally generated packets to fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: avoid potential out-of-bound access in fill_frame_info()\n\nsyzbot is able to feed a packet with 14 bytes, pretending\nit is a vlan one.\n\nSince fill_frame_info() is relying on skb->mac_len already,\nextend the check to cover this case.\n\nBUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]\n BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724\n  fill_frame_info net/hsr/hsr_forward.c:709 [inline]\n  hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724\n  hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  xmit_one net/core/dev.c:3590 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606\n  __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434\n  dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3146 [inline]\n  packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:726\n  __sys_sendto+0x594/0x750 net/socket.c:2197\n  __do_sys_sendto net/socket.c:2204 [inline]\n  __se_sys_sendto net/socket.c:2200 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200\n  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4091 [inline]\n  slab_alloc_node mm/slub.c:4134 [inline]\n  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n  alloc_skb include/linux/skbuff.h:1323 [inline]\n  alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881\n  packet_alloc_skb net/packet/af_packet.c:2995 [inline]\n  packet_snd net/packet/af_packet.c:3089 [inline]\n  packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:726\n  __sys_sendto+0x594/0x750 net/socket.c:2197\n  __do_sys_sendto net/socket.c:2204 [inline]\n  __se_sys_sendto net/socket.c:2200 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200\n  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: Do not configure preemptible TCs if SIs do not support\n\nBoth ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure\nMQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()\nto configure preemptible TCs. However, only PF is able to configure\npreemptible TCs. Because only PF has related registers, while VF does not\nhave these registers. So for VF, its hw->port pointer is NULL. Therefore,\nVF will access an invalid pointer when accessing a non-existent register,\nwhich will cause a crash issue. The simplified log is as follows.\n\nroot@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \\\nmqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1\n[  187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00\n[  187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400\n[  187.511140] Call trace:\n[  187.513588]  enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[  187.518918]  enetc_setup_tc_mqprio+0x180/0x214\n[  187.523374]  enetc_vf_setup_tc+0x1c/0x30\n[  187.527306]  mqprio_enable_offload+0x144/0x178\n[  187.531766]  mqprio_init+0x3ec/0x668\n[  187.535351]  qdisc_create+0x15c/0x488\n[  187.539023]  tc_modify_qdisc+0x398/0x73c\n[  187.542958]  rtnetlink_rcv_msg+0x128/0x378\n[  187.547064]  netlink_rcv_skb+0x60/0x130\n[  187.550910]  rtnetlink_rcv+0x18/0x24\n[  187.554492]  netlink_unicast+0x300/0x36c\n[  187.558425]  netlink_sendmsg+0x1a8/0x420\n[  187.606759] ---[ end trace 0000000000000000 ]---\n\nIn addition, some PFs also do not support configuring preemptible TCs,\nsuch as eno1 and eno3 on LS1028A. It won't crash like it does for VFs,\nbut we should prevent these PFs from accessing these unimplemented\nregisters.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: fix LED ID check in led_tg_check()\n\nSyzbot has reported the following BUG detected by KASAN:\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70\nRead of size 1 at addr ffff8881022da0c8 by task repro/5879\n...\nCall Trace:\n <TASK>\n dump_stack_lvl+0x241/0x360\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? _printk+0xd5/0x120\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n print_report+0x169/0x550\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x45f/0x530\n ? __phys_addr+0xba/0x170\n ? strlen+0x58/0x70\n kasan_report+0x143/0x180\n ? strlen+0x58/0x70\n strlen+0x58/0x70\n kstrdup+0x20/0x80\n led_tg_check+0x18b/0x3c0\n xt_check_target+0x3bb/0xa40\n ? __pfx_xt_check_target+0x10/0x10\n ? stack_depot_save_flags+0x6e4/0x830\n ? nft_target_init+0x174/0xc30\n nft_target_init+0x82d/0xc30\n ? __pfx_nft_target_init+0x10/0x10\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? rcu_is_watching+0x15/0xb0\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? __kmalloc_noprof+0x21a/0x400\n nf_tables_newrule+0x1860/0x2980\n ? __pfx_nf_tables_newrule+0x10/0x10\n ? __nla_parse+0x40/0x60\n nfnetlink_rcv+0x14e5/0x2ab0\n ? __pfx_validate_chain+0x10/0x10\n ? __pfx_nfnetlink_rcv+0x10/0x10\n ? __lock_acquire+0x1384/0x2050\n ? netlink_deliver_tap+0x2e/0x1b0\n ? __pfx_lock_release+0x10/0x10\n ? netlink_deliver_tap+0x2e/0x1b0\n netlink_unicast+0x7f8/0x990\n ? __pfx_netlink_unicast+0x10/0x10\n ? __virt_addr_valid+0x183/0x530\n ? __check_object_size+0x48e/0x900\n netlink_sendmsg+0x8e4/0xcb0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? aa_sock_msg_perm+0x91/0x160\n ? __pfx_netlink_sendmsg+0x10/0x10\n __sock_sendmsg+0x223/0x270\n ____sys_sendmsg+0x52a/0x7e0\n ? __pfx_____sys_sendmsg+0x10/0x10\n __sys_sendmsg+0x292/0x380\n ? __pfx___sys_sendmsg+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x43d/0x780\n ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10\n ? exc_page_fault+0x590/0x8c0\n ? do_syscall_64+0xb6/0x230\n do_syscall_64+0xf3/0x230\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n </TASK>\n\nSince an invalid (without '\\0' byte at all) byte sequence may be passed\nfrom userspace, add an extra check to ensure that such a sequence is\nrejected as possible ID and so never passed to 'kstrdup()' and further.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: hi3110_can_ist(): fix potential use-after-free\n\nThe commit a22bd630cfff (\"can: hi311x: do not report txerr and rxerr\nduring bus-off\") removed the reporting of rxerr and txerr even in case\nof correct operation (i. e. not bus-off).\n\nThe error count information added to the CAN frame after netif_rx() is\na potential use after free, since there is no guarantee that the skb\nis in the same state. It might be freed or reused.\n\nFix the issue by postponing the netif_rx() call in case of txerr and\nrxerr reporting.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/reg_sr: Remove register pool\n\nThat pool implementation doesn't really work: if the krealloc happens to\nmove the memory and return another address, the entries in the xarray\nbecome invalid, leading to use-after-free later:\n\n\tBUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]\n\tRead of size 4 at addr ffff8881244b2590 by task modprobe/2753\n\n\tAllocated by task 2753:\n\t kasan_save_stack+0x39/0x70\n\t kasan_save_track+0x14/0x40\n\t kasan_save_alloc_info+0x37/0x60\n\t __kasan_kmalloc+0xc3/0xd0\n\t __kmalloc_node_track_caller_noprof+0x200/0x6d0\n\t krealloc_noprof+0x229/0x380\n\nSimplify the code to fix the bug. A better pooling strategy may be added\nback later if needed.\n\n(cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtk: avoid UAF in btmtk_process_coredump\n\nhci_devcd_append may lead to the release of the skb, so it cannot be\naccessed once it is called.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]\nRead of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82\n\nCPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G     U             6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c\nHardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024\nWorkqueue: events btusb_rx_work [btusb]\nCall Trace:\n <TASK>\n dump_stack_lvl+0xfd/0x150\n print_report+0x131/0x780\n kasan_report+0x177/0x1c0\n btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]\n btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\n btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nAllocated by task 82:\n stack_trace_save+0xdc/0x190\n kasan_set_track+0x4e/0x80\n __kasan_slab_alloc+0x4e/0x60\n kmem_cache_alloc+0x19f/0x360\n skb_clone+0x132/0xf70\n btusb_recv_acl_mtk+0x104/0x1a0 [btusb]\n btusb_rx_work+0x9e/0xe0 [btusb]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n\nFreed by task 1733:\n stack_trace_save+0xdc/0x190\n kasan_set_track+0x4e/0x80\n kasan_save_free_info+0x28/0xb0\n ____kasan_slab_free+0xfd/0x170\n kmem_cache_free+0x183/0x3f0\n hci_devcd_rx+0x91a/0x2060 [bluetooth]\n worker_thread+0xe44/0x2cc0\n kthread+0x2ff/0x3a0\n ret_from_fork+0x51/0x80\n ret_from_fork_asm+0x1b/0x30\n\nThe buggy address belongs to the object at ffff888033cfab40\n which belongs to the cache skbuff_head_cache of size 232\nThe buggy address is located 112 bytes inside of\n freed 232-byte region [ffff888033cfab40, ffff888033cfac28)\n\nThe buggy address belongs to the physical page:\npage:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa\nhead:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0x4000000000000840(slab|head|zone=1)\npage_type: 0xffffffff()\nraw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001\nraw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\n ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                     ^\n ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc\n ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nCheck if we need to call hci_devcd_complete before calling\nhci_devcd_append. That requires that we check data->cd_info.cnt >=\nMTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we\nincrement data->cd_info.cnt only once the call to hci_devcd_append\nsucceeds.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix using rcu_read_(un)lock while iterating\n\nThe usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is\nnot safe since for the most part entries fetched this way shall be\ntreated as rcu_dereference:\n\n\tNote that the value returned by rcu_dereference() is valid\n\tonly within the enclosing RCU read-side critical section [1]_.\n\tFor example, the following is **not** legal::\n\n\t\trcu_read_lock();\n\t\tp = rcu_dereference(head.next);\n\t\trcu_read_unlock();\n\t\tx = p->address;\t/* BUG!!! */\n\t\trcu_read_lock();\n\t\ty = p->data;\t/* BUG!!! */\n\t\trcu_read_unlock();",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not defer rule destruction via call_rcu\n\nnf_tables_chain_destroy can sleep, it can't be used from call_rcu\ncallbacks.\n\nMoreover, nf_tables_rule_release() is only safe for error unwinding,\nwhile transaction mutex is held and the to-be-desroyed rule was not\nexposed to either dataplane or dumps, as it deactives+frees without\nthe required synchronize_rcu() in-between.\n\nnft_rule_expr_deactivate() callbacks will change ->use counters\nof other chains/sets, see e.g. nft_lookup .deactivate callback, these\nmust be serialized via transaction mutex.\n\nAlso add a few lockdep asserts to make this more explicit.\n\nCalling synchronize_rcu() isn't ideal, but fixing this without is hard\nand way more intrusive.  As-is, we can get:\n\nWARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x..\nWorkqueue: events nf_tables_trans_destroy_work\nRIP: 0010:nft_set_destroy+0x3fe/0x5c0\nCall Trace:\n <TASK>\n nf_tables_trans_destroy_work+0x6b7/0xad0\n process_one_work+0x64a/0xce0\n worker_thread+0x613/0x10d0\n\nIn case the synchronize_rcu becomes an issue, we can explore alternatives.\n\nOne way would be to allocate nft_trans_rule objects + one nft_trans_chain\nobject, deactivate the rules + the chain and then defer the freeing to the\nnft destroy workqueue.  We'd still need to keep the synchronize_rcu path as\na fallback to handle -ENOMEM corner cases though.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips\n\nThe 5760X (P7) chip's HW GRO/LRO interface is very similar to that of\nthe previous generation (5750X or P5).  However, the aggregation ID\nfields in the completion structures on P7 have been redefined from\n16 bits to 12 bits.  The freed up 4 bits are redefined for part of the\nmetadata such as the VLAN ID.  The aggregation ID mask was not modified\nwhen adding support for P7 chips.  Including the extra 4 bits for the\naggregation ID can potentially cause the driver to store or fetch the\npacket header of GRO/LRO packets in the wrong TPA buffer.  It may hit\nthe BUG() condition in __skb_pull() because the SKB contains no valid\npacket header:\n\nkernel BUG at include/linux/skbuff.h:2766!\nOops: invalid opcode: 0000 1 PREEMPT SMP NOPTI\nCPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G           OE      6.12.0-rc2+ #7\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022\nRIP: 0010:eth_type_trans+0xda/0x140\nCode: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48\nRSP: 0018:ff615003803fcc28 EFLAGS: 00010283\nRAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040\nRDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000\nRBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001\nR10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0\nR13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000\nFS:  0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? eth_type_trans+0xda/0x140\n ? do_error_trap+0x65/0x80\n ? eth_type_trans+0xda/0x140\n ? exc_invalid_op+0x4e/0x70\n ? eth_type_trans+0xda/0x140\n ? asm_exc_invalid_op+0x16/0x20\n ? eth_type_trans+0xda/0x140\n bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]\n ? bnxt_tpa_start+0x195/0x320 [bnxt_en]\n bnxt_rx_pkt+0x902/0xd90 [bnxt_en]\n ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]\n ? kmem_cache_free+0x343/0x440\n ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]\n __bnxt_poll_work+0x193/0x370 [bnxt_en]\n bnxt_poll_p5+0x9a/0x300 [bnxt_en]\n ? try_to_wake_up+0x209/0x670\n __napi_poll+0x29/0x1b0\n\nFix it by redefining the aggregation ID mask for P5_PLUS chips to be\n12 bits.  This will work because the maximum aggregation ID is less\nthan 4096 on all P5_PLUS chips.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: control: Avoid WARN() for symlink errors\n\nUsing WARN() for showing the error of symlink creations don't give\nmore information than telling that something goes wrong, since the\nusual code path is a lregister callback from each control element\ncreation.  More badly, the use of WARN() rather confuses fuzzer as if\nit were serious issues.\n\nThis patch downgrades the warning messages to use the normal dev_err()\ninstead of WARN().  For making it clearer, add the function name to\nthe prefix, too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: defer final 'struct net' free in netns dismantle\n\nIlya reported a slab-use-after-free in dst_destroy [1]\n\nIssue is in xfrm6_net_init() and xfrm4_net_init() :\n\nThey copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.\n\nBut net structure might be freed before all the dst callbacks are\ncalled. So when dst_destroy() calls later :\n\nif (dst->ops->destroy)\n    dst->ops->destroy(dst);\n\ndst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.\n\nSee a relevant issue fixed in :\n\nac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\")\n\nA fix is to queue the 'struct net' to be freed after one\nanother cleanup_net() round (and existing rcu_barrier())\n\n[1]\n\nBUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)\nRead of size 8 at addr ffff8882137ccab0 by task swapper/37/0\nDec 03 05:46:18 kernel:\nCPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67\nHardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014\nCall Trace:\n <IRQ>\ndump_stack_lvl (lib/dump_stack.c:124)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\n? dst_destroy (net/core/dst.c:112)\nprint_report (mm/kasan/report.c:489)\n? dst_destroy (net/core/dst.c:112)\n? kasan_addr_to_slab (mm/kasan/common.c:37)\nkasan_report (mm/kasan/report.c:603)\n? dst_destroy (net/core/dst.c:112)\n? rcu_do_batch (kernel/rcu/tree.c:2567)\ndst_destroy (net/core/dst.c:112)\nrcu_do_batch (kernel/rcu/tree.c:2567)\n? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)\nrcu_core (kernel/rcu/tree.c:2825)\nhandle_softirqs (kernel/softirq.c:554)\n__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)\nirq_exit_rcu (kernel/softirq.c:651)\nsysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)\n </IRQ>\n <TASK>\nasm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)\nRIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)\nCode: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90\nRSP: 0018:ffff888100d2fe00 EFLAGS: 00000246\nRAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d\nR10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000\nR13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000\n? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)\n? cpuidle_idle_call (kernel/sched/idle.c:186)\ndefault_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)\ncpuidle_idle_call (kernel/sched/idle.c:186)\n? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)\n? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)\n? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)\ndo_idle (kernel/sched/idle.c:326)\ncpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))\nstart_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)\n? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)\n? soft_restart_cpu (arch/x86/kernel/head_64.S:452)\ncommon_startup_64 (arch/x86/kernel/head_64.S:414)\n </TASK>\nDec 03 05:46:18 kernel:\nAllocated by task 12184:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)\n__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\nkmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)\ncopy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)\ncreate_new_namespaces\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapb: increase LAPB_HEADER_LEN\n\nIt is unclear if net/lapb code is supposed to be ready for 8021q.\n\nWe can at least avoid crashes like the following :\n\nskbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc90002ddf638 EFLAGS: 00010282\nRAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600\nRDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000\nRBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60\nR10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140\nR13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016\nFS:  00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  skb_push+0xe5/0x100 net/core/skbuff.c:2636\n  nr_header+0x36/0x320 net/netrom/nr_dev.c:69\n  dev_hard_header include/linux/netdevice.h:3148 [inline]\n  vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83\n  dev_hard_header include/linux/netdevice.h:3148 [inline]\n  lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257\n  lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447\n  lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149\n lapb_establish_data_link+0x84/0xd0\n lapb_device_event+0x4e0/0x670\n  notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93\n __dev_notify_flags+0x207/0x400\n  dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922\n  devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188\n  inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003\n  sock_do_ioctl+0x158/0x460 net/socket.c:1227\n  sock_ioctl+0x626/0x8e0 net/socket.c:1346\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DR, prevent potential error pointer dereference\n\nThe dr_domain_add_vport_cap() function generally returns NULL on error\nbut sometimes we want it to return ERR_PTR(-EBUSY) so the caller can\nretry.  The problem here is that \"ret\" can be either -EBUSY or -ENOMEM\nand if it's and -ENOMEM then the error pointer is propogated back and\neventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL deref in cleanup_bearer()\n\nsyzbot found [1] that after blamed commit, ub->ubsock->sk\nwas NULL when attempting the atomic_dec() :\n\natomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);\n\nFix this by caching the tipc_net pointer.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events cleanup_bearer\n RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]\n RIP: 0010:sock_net include/net/sock.h:655 [inline]\n RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820\nCode: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b\nRSP: 0018:ffffc9000410fb70 EFLAGS: 00010206\nRAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900\nRBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20\nR10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980\nR13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918\nFS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.6"
        },
        {
          "id": "CVE-2024-56662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl\n\nFix an issue detected by syzbot with KASAN:\n\nBUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/\ncore.c:416 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0\ndrivers/acpi/nfit/core.c:459\n\nThe issue occurs in cmd_to_func when the call_pkg->nd_reserved2\narray is accessed without verifying that call_pkg points to a buffer\nthat is appropriately sized as a struct nd_cmd_pkg. This can lead\nto out-of-bounds access and undefined behavior if the buffer does not\nhave sufficient space.\n\nTo address this, a check was added in acpi_nfit_ctl() to ensure that\nbuf is not NULL and that buf_len is less than sizeof(*call_pkg)\nbefore accessing it. This ensures safe access to the members of\ncall_pkg, including the nd_reserved2 array.",
          "scorev2": "0.0",
          "scorev3": "6.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one\n\nSince the netlink attribute range validation provides inclusive\nchecking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be\nIEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.\n\nOne crash stack for demonstration:\n==================================================================\nBUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\nRead of size 6 at addr 001102080000000c by task fuzzer.386/9508\n\nCPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106\n print_report+0xe0/0x750 mm/kasan/report.c:398\n kasan_report+0x139/0x170 mm/kasan/report.c:495\n kasan_check_range+0x287/0x290 mm/kasan/generic.c:189\n memcpy+0x25/0x60 mm/kasan/shadow.c:65\n ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\n rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]\n nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453\n genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]\n netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352\n netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874\n sock_sendmsg_nosec net/socket.c:716 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499\n ___sys_sendmsg+0x21c/0x290 net/socket.c:2553\n __sys_sendmsg net/socket.c:2582 [inline]\n __do_sys_sendmsg net/socket.c:2591 [inline]\n __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUpdate the policy to ensure correct validation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix race between element replace and close()\n\nElement replace (with a socket different from the one stored) may race\nwith socket's close() link popping & unlinking. __sock_map_delete()\nunconditionally unrefs the (wrong) element:\n\n// set map[0] = s0\nmap_update_elem(map, 0, s0)\n\n// drop fd of s0\nclose(s0)\n  sock_map_close()\n    lock_sock(sk)               (s0!)\n    sock_map_remove_links(sk)\n      link = sk_psock_link_pop()\n      sock_map_unlink(sk, link)\n        sock_map_delete_from_link\n                                        // replace map[0] with s1\n                                        map_update_elem(map, 0, s1)\n                                          sock_map_update_elem\n                                (s1!)       lock_sock(sk)\n                                            sock_map_update_common\n                                              psock = sk_psock(sk)\n                                              spin_lock(&stab->lock)\n                                              osk = stab->sks[idx]\n                                              sock_map_add_link(..., &stab->sks[idx])\n                                              sock_map_unref(osk, &stab->sks[idx])\n                                                psock = sk_psock(osk)\n                                                sk_psock_put(sk, psock)\n                                                  if (refcount_dec_and_test(&psock))\n                                                    sk_psock_drop(sk, psock)\n                                              spin_unlock(&stab->lock)\n                                            unlock_sock(sk)\n          __sock_map_delete\n            spin_lock(&stab->lock)\n            sk = *psk                        // s1 replaced s0; sk == s1\n            if (!sk_test || sk_test == sk)   // sk_test (s0) != sk (s1); no branch\n              sk = xchg(psk, NULL)\n            if (sk)\n              sock_map_unref(sk, psk)        // unref s1; sks[idx] will dangle\n                psock = sk_psock(sk)\n                sk_psock_put(sk, psock)\n                  if (refcount_dec_and_test())\n                    sk_psock_drop(sk, psock)\n            spin_unlock(&stab->lock)\n    release_sock(sk)\n\nThen close(map) enqueues bpf_map_free_deferred, which finally calls\nsock_map_free(). This results in some refcount_t warnings along with\na KASAN splat [1].\n\nFix __sock_map_delete(), do not allow sock_map_unref() on elements that\nmay have been replaced.\n\n[1]:\nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330\nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063\n\nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\nWorkqueue: events_unbound bpf_map_free_deferred\nCall Trace:\n <TASK>\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n kasan_check_range+0x10f/0x1e0\n sock_map_free+0x10e/0x330\n bpf_map_free_deferred+0x173/0x320\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 1202:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n unix_create1+0x88/0x8a0\n unix_create+0xc5/0x180\n __sock_create+0x241/0x650\n __sys_socketpair+0x1ce/0x420\n __x64_sys_socketpair+0x92/0x100\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 46:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n sk_psock_destroy+0x73e/0xa50\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThe bu\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog\n\nSyzbot reported [1] crash that happens for following tracing scenario:\n\n  - create tracepoint perf event with attr.inherit=1, attach it to the\n    process and set bpf program to it\n  - attached process forks -> child creates inherited event\n\n    the new child event shares the parent's bpf program and tp_event\n    (hence prog_array) which is global for tracepoint\n\n  - exit both process and its child -> release both events\n  - first perf_event_detach_bpf_prog call will release tp_event->prog_array\n    and second perf_event_detach_bpf_prog will crash, because\n    tp_event->prog_array is NULL\n\nThe fix makes sure the perf_event_detach_bpf_prog checks prog_array\nis valid before it tries to remove the bpf program from it.\n\n[1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Dereference null return value\n\nIn the function pqm_uninit there is a call-assignment of \"pdd =\nkfd_get_process_device_data\" which could be null, and this value was\nlater dereferenced without checking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix NULL pointer dereference in capture_engine\n\nWhen the intel_context structure contains NULL,\nit raises a NULL pointer dereference error in drm_info().\n\n(cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix qi_batch NULL pointer with nested parent domain\n\nThe qi_batch is allocated when assigning cache tag for a domain. While\nfor nested parent domain, it is missed. Hence, when trying to map pages\nto the nested parent, NULL dereference occurred. Also, there is potential\nmemleak since there is no lock around domain->qi_batch allocation.\n\nTo solve it, add a helper for qi_batch allocation, and call it in both\nthe __cache_tag_assign_domain() and __cache_tag_assign_parent_domain().\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000200\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 8104795067 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632\n  Call Trace:\n   ? __die+0x24/0x70\n   ? page_fault_oops+0x80/0x150\n   ? do_user_addr_fault+0x63/0x7b0\n   ? exc_page_fault+0x7c/0x220\n   ? asm_exc_page_fault+0x26/0x30\n   ? cache_tag_flush_range_np+0x13c/0x260\n   intel_iommu_iotlb_sync_map+0x1a/0x30\n   iommu_map+0x61/0xf0\n   batch_to_domain+0x188/0x250\n   iopt_area_fill_domains+0x125/0x320\n   ? rcu_is_watching+0x11/0x50\n   iopt_map_pages+0x63/0x100\n   iopt_map_common.isra.0+0xa7/0x190\n   iopt_map_user_pages+0x6a/0x80\n   iommufd_ioas_map+0xcd/0x1d0\n   iommufd_fops_ioctl+0x118/0x1c0\n   __x64_sys_ioctl+0x93/0xc0\n   do_syscall_64+0x71/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Remove cache tags before disabling ATS\n\nThe current implementation removes cache tags after disabling ATS,\nleading to potential memory leaks and kernel crashes. Specifically,\nCACHE_TAG_DEVTLB type cache tags may still remain in the list even\nafter the domain is freed, causing a use-after-free condition.\n\nThis issue really shows up when multiple VFs from different PFs\npassed through to a single user-space process via vfio-pci. In such\ncases, the kernel may crash with kernel messages like:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000014\n PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2\n RIP: 0010:cache_tag_flush_range+0x9b/0x250\n Call Trace:\n  <TASK>\n  ? __die+0x1f/0x60\n  ? page_fault_oops+0x163/0x590\n  ? exc_page_fault+0x72/0x190\n  ? asm_exc_page_fault+0x22/0x30\n  ? cache_tag_flush_range+0x9b/0x250\n  ? cache_tag_flush_range+0x5d/0x250\n  intel_iommu_tlb_sync+0x29/0x40\n  intel_iommu_unmap_pages+0xfe/0x160\n  __iommu_unmap+0xd8/0x1a0\n  vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1]\n  vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1]\n  vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1]\n\nMove cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix\nit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer\n\nConsidering that in some extreme cases,\nwhen u_serial driver is accessed by multiple threads,\nThread A is executing the open operation and calling the gs_open,\nThread B is executing the disconnect operation and calling the\ngserial_disconnect function, the port->port_usb pointer will be set to NULL.\n\nE.g.\n    Thread A                                 Thread B\n    gs_open()                                gadget_unbind_driver()\n    gs_start_io()                            composite_disconnect()\n    gs_start_rx()                            gserial_disconnect()\n    ...                                      ...\n    spin_unlock(&port->port_lock)\n    status = usb_ep_queue()                  spin_lock(&port->port_lock)\n    spin_lock(&port->port_lock)              port->port_usb = NULL\n    gs_free_requests(port->port_usb->in)     spin_unlock(&port->port_lock)\n    Crash\n\nThis causes thread A to access a null pointer (port->port_usb is null)\nwhen calling the gs_free_requests function, causing a crash.\n\nIf port_usb is NULL, the release request will be skipped as it\nwill be done by gserial_disconnect.\n\nSo add a null pointer check to gs_start_io before attempting\nto access the value of the pointer port->port_usb.\n\nCall trace:\n gs_start_io+0x164/0x25c\n gs_open+0x108/0x13c\n tty_open+0x314/0x638\n chrdev_open+0x1b8/0x258\n do_dentry_open+0x2c4/0x700\n vfs_open+0x2c/0x3c\n path_openat+0xa64/0xc60\n do_filp_open+0xb8/0x164\n do_sys_openat2+0x84/0xf0\n __arm64_sys_openat+0x70/0x9c\n invoke_syscall+0x58/0x114\n el0_svc_common+0x80/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x38/0x68",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: graniterapids: Fix vGPIO driver crash\n\nMove setting irq_chip.name from probe() function to the initialization\nof \"irq_chip\" struct in order to fix vGPIO driver crash during bootup.\n\nCrash was caused by unauthorized modification of irq_chip.name field\nwhere irq_chip struct was initialized as const.\n\nThis behavior is a consequence of suboptimal implementation of\ngpio_irq_chip_set_chip(), which should be changed to avoid\ncasting away const qualifier.\n\nCrash log:\nBUG: unable to handle page fault for address: ffffffffc0ba81c0\n/#PF: supervisor write access in kernel mode\n/#PF: error_code(0x0003) - permissions violation\nCPU: 33 UID: 0 PID: 1075 Comm: systemd-udevd Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 #1\nHardware name: Intel Corporation Kaseyville RP/Kaseyville RP, BIOS KVLDCRB1.PGS.0026.D73.2410081258 10/08/2024\nRIP: 0010:gnr_gpio_probe+0x171/0x220 [gpio_graniterapids]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix UAF in blkcg_unpin_online()\n\nblkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To\nwalk up, it uses blkcg_parent(blkcg) but it was calling that after\nblkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the\nfollowing UAF:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270\n  Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117\n\n  CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022\n  Workqueue: cgwb_release cgwb_release_workfn\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x27/0x80\n   print_report+0x151/0x710\n   kasan_report+0xc0/0x100\n   blkcg_unpin_online+0x15a/0x270\n   cgwb_release_workfn+0x194/0x480\n   process_scheduled_works+0x71b/0xe20\n   worker_thread+0x82a/0xbd0\n   kthread+0x242/0x2c0\n   ret_from_fork+0x33/0x70\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n  ...\n  Freed by task 1944:\n   kasan_save_track+0x2b/0x70\n   kasan_save_free_info+0x3c/0x50\n   __kasan_slab_free+0x33/0x50\n   kfree+0x10c/0x330\n   css_free_rwork_fn+0xe6/0xb30\n   process_scheduled_works+0x71b/0xe20\n   worker_thread+0x82a/0xbd0\n   kthread+0x242/0x2c0\n   ret_from_fork+0x33/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nNote that the UAF is not easy to trigger as the free path is indirected\nbehind a couple RCU grace periods and a work item execution. I could only\ntrigger it with artificial msleep() injected in blkcg_unpin_online().\n\nFix it by reading the parent pointer before destroying the blkcg's blkg's.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n  | tools/testing/selftests/mm# ./test_hmm.sh smoke\n  | ... # when unloading the test_hmm.ko module\n  | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n  | flags: 0x1000000000000000(node=0|zone=1)\n  | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n  | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n  | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n  | ------------[ cut here ]------------\n  | kernel BUG at include/linux/mm.h:3080!\n  | Kernel BUG [#1]\n  | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n  | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2\n  | Tainted: [W]=WARN\n  | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n  | epc : remove_pgd_mapping+0xbec/0x1070\n  |  ra : remove_pgd_mapping+0xbec/0x1070\n  | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n  |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n  |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n  |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n  |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n  |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n  |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n  |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n  |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n  |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n  |  t5 : ff60000080244000 t6 : ff20000000a73708\n  | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n  | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n  | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n  | [<ffffffff8032e698>] section_deactivate+0x220/0x452\n  | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58\n  | [<ffffffff802f8700>] __remove_pages+0x7e/0xba\n  | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe\n  | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n  | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n  | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6\n  | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266\n  | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2\n  | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n  | ---[ end trace 0000000000000000 ]---\n  | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: correct netdev_tx_reset_queue() invocation point\n\nWhen virtnet_close is followed by virtnet_open, some TX completions can\npossibly remain unconsumed, until they are finally processed during the\nfirst NAPI poll after the netdev_tx_reset_queue(), resulting in a crash\n[1]. Commit b96ed2c97c79 (\"virtio_net: move netdev_tx_reset_queue() call\nbefore RX napi enable\") was not sufficient to eliminate all BQL crash\ncases for virtio-net.\n\nThis issue can be reproduced with the latest net-next master by running:\n`while :; do ip l set DEV down; ip l set DEV up; done` under heavy network\nTX load from inside the machine.\n\nnetdev_tx_reset_queue() can actually be dropped from virtnet_open path;\nthe device is not stopped in any case. For BQL core part, it's just like\ntraffic nearly ceases to exist for some period. For stall detector added\nto BQL, even if virtnet_close could somehow lead to some TX completions\ndelayed for long, followed by virtnet_open, we can just take it as stall\nas mentioned in commit 6025b9135f7a (\"net: dqs: add NIC stall detector\nbased on BQL\"). Note also that users can still reset stall_max via sysfs.\n\nSo, drop netdev_tx_reset_queue() from virtnet_enable_queue_pair(). This\neliminates the BQL crashes. As a result, netdev_tx_reset_queue() is now\nexplicitly required in freeze/restore path. This patch adds it to\nimmediately after free_unused_bufs(), following the rule of thumb:\nnetdev_tx_reset_queue() should follow any SKB freeing not followed by\nnetdev_tx_completed_queue(). This seems the most consistent and\nstreamlined approach, and now netdev_tx_reset_queue() runs whenever\nfree_unused_bufs() is done.\n\n[1]:\n------------[ cut here ]------------\nkernel BUG at lib/dynamic_queue_limits.c:99!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 7 UID: 0 PID: 1598 Comm: ip Tainted: G    N 6.12.0net-next_main+ #2\nTainted: [N]=TEST\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), \\\nBIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:dql_completed+0x26b/0x290\nCode: b7 c2 49 89 e9 44 89 da 89 c6 4c 89 d7 e8 ed 17 47 00 58 65 ff 0d\n4d 27 90 7e 0f 85 fd fe ff ff e8 ea 53 8d ff e9 f3 fe ff ff <0f> 0b 01\nd2 44 89 d1 29 d1 ba 00 00 00 00 0f 48 ca e9 28 ff ff ff\nRSP: 0018:ffffc900002b0d08 EFLAGS: 00010297\nRAX: 0000000000000000 RBX: ffff888102398c80 RCX: 0000000080190009\nRDX: 0000000000000000 RSI: 000000000000006a RDI: 0000000000000000\nRBP: ffff888102398c00 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000000000ca R11: 0000000000015681 R12: 0000000000000001\nR13: ffffc900002b0d68 R14: ffff88811115e000 R15: ffff8881107aca40\nFS:  00007f41ded69500(0000) GS:ffff888667dc0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000556ccc2dc1a0 CR3: 0000000104fd8003 CR4: 0000000000772ef0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? die+0x32/0x80\n ? do_trap+0xd9/0x100\n ? dql_completed+0x26b/0x290\n ? dql_completed+0x26b/0x290\n ? do_error_trap+0x6d/0xb0\n ? dql_completed+0x26b/0x290\n ? exc_invalid_op+0x4c/0x60\n ? dql_completed+0x26b/0x290\n ? asm_exc_invalid_op+0x16/0x20\n ? dql_completed+0x26b/0x290\n __free_old_xmit+0xff/0x170 [virtio_net]\n free_old_xmit+0x54/0xc0 [virtio_net]\n virtnet_poll+0xf4/0xe30 [virtio_net]\n ? __update_load_avg_cfs_rq+0x264/0x2d0\n ? update_curr+0x35/0x260\n ? reweight_entity+0x1be/0x260\n __napi_poll.constprop.0+0x28/0x1c0\n net_rx_action+0x329/0x420\n ? enqueue_hrtimer+0x35/0x90\n ? trace_hardirqs_on+0x1d/0x80\n ? kvm_sched_clock_read+0xd/0x20\n ? sched_clock+0xc/0x30\n ? kvm_sched_clock_read+0xd/0x20\n ? sched_clock+0xc/0x30\n ? sched_clock_cpu+0xd/0x1a0\n handle_softirqs+0x138/0x3e0\n do_softirq.part.0+0x89/0xc0\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0xa7/0xb0\n virtnet_open+0xc8/0x310 [virtio_net]\n __dev_open+0xfa/0x1b0\n __dev_change_flags+0x1de/0x250\n dev_change_flags+0x22/0x60\n do_setlink.isra.0+0x2df/0x10b0\n ? rtnetlink_rcv_msg+0x34f/0x3f0\n ? netlink_rcv_skb+0x54/0x100\n ? netlink_unicas\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors\n\nUprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU\nprotection. But it is possible to attach a non-sleepable BPF program to a\nuprobe, and non-sleepable BPF programs are freed via normal RCU (see\n__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal\nRCU grace period does not imply a tasks-trace-RCU grace period.\n\nFix it by explicitly waiting for a tasks-trace-RCU grace period after\nremoving the attachment of a bpf_prog to a perf_event.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: testing: Initialize some variables annotated with _free()\n\nVariables annotated with __free() need to be initialized if the function\ncan return before they get updated for the first time or the attempt to\nfree the memory pointed to by them upon function return may crash the\nkernel.\n\nFix this issue in some places in the thermal testing code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()\n\nDuring early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE,\nsince pageblock_order is still zero and it gets initialized\nlater during initmem_init() e.g.\nsetup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order()\n\nOne such use case where this causes issue is -\nearly_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init()\n\nThis causes CMA memory alignment check to be bypassed in\ncma_init_reserved_mem(). Then later cma_activate_area() can hit\na VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory\narea was not pageblock_order aligned.\n\nFix it by moving the fadump_cma_init() after initmem_init(),\nwhere other such cma reservations also gets called.\n\n<stack trace>\n==============\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010\nflags: 0x13ffff800000000(node=1|zone=0|lastcpupid=0x7ffff) CMA\nraw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1))\n------------[ cut here ]------------\nkernel BUG at mm/page_alloc.c:778!\n\nCall Trace:\n__free_one_page+0x57c/0x7b0 (unreliable)\nfree_pcppages_bulk+0x1a8/0x2c8\nfree_unref_page_commit+0x3d4/0x4e4\nfree_unref_page+0x458/0x6d0\ninit_cma_reserved_pageblock+0x114/0x198\ncma_init_reserved_areas+0x270/0x3e0\ndo_one_initcall+0x80/0x2f8\nkernel_init_freeable+0x33c/0x530\nkernel_init+0x34/0x26c\nret_from_kernel_user_thread+0x14/0x1c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm/fault: Fix kfence page fault reporting\n\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\n\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\n\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\n\nSome example false negatives:\n\n  ===============================\n  BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\n  Invalid read at 0xc0000000fdff0000:\n   copy_from_kernel_nofault+0x9c/0x1a0\n   0xc00000000665f950\n   read_kcore_iter+0x57c/0xa04\n   proc_reg_read_iter+0xe4/0x16c\n   vfs_read+0x320/0x3ec\n   ksys_read+0x90/0x154\n   system_call_exception+0x120/0x310\n   system_call_vectored_common+0x15c/0x2ec\n\n  BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\n  Use-after-free read at 0xc0000000fe050000 (in kfence-#2):\n   copy_from_kernel_nofault+0x9c/0x1a0\n   0xc00000000665f950\n   read_kcore_iter+0x57c/0xa04\n   proc_reg_read_iter+0xe4/0x16c\n   vfs_read+0x320/0x3ec\n   ksys_read+0x90/0x154\n   system_call_exception+0x120/0x310\n   system_call_vectored_common+0x15c/0x2ec",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c\n\nAdd error pointer check after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: intel/ipu6: do not handle interrupts when device is disabled\n\nSome IPU6 devices have shared interrupts. We need to handle properly\ncase when interrupt is triggered from other device on shared irq line\nand IPU6 itself disabled. In such case we get 0xffffffff from\nISR_STATUS register and handle all irq's cases, for what we are not\nnot prepared and usually hang the whole system.\n\nTo avoid the issue use pm_runtime_get_if_active() to check if\nthe device is enabled and prevent suspending it when we handle irq\nuntil the end of irq. Additionally use synchronize_irq() in suspend",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - add error check in the ahash_hmac_init function\n\nThe ahash_init functions may return fails. The ahash_hmac_init should\nnot return ok when ahash_init returns error. For an example, ahash_init\nwill return -ENOMEM when allocation memory is error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/riscv-aplic: Prevent crash when MSI domain is missing\n\nIf the APLIC driver is probed before the IMSIC driver, the parent MSI\ndomain will be missing, which causes a NULL pointer dereference in\nmsi_create_device_irq_domain().\n\nAvoid this by deferring probe until the parent MSI domain is available. Use\ndev_err_probe() to avoid printing an error message when returning\n-EPROBE_DEFER.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: hdmi: Avoid hang with debug registers when suspended\n\nTrying to read /sys/kernel/debug/dri/1/hdmi1_regs\nwhen the hdmi is disconnected results in a fatal system hang.\n\nThis is due to the pm suspend code disabling the dvp clock.\nThat is just a gate of the 108MHz clock in DVP_HT_RPI_MISC_CONFIG,\nwhich results in accesses hanging AXI bus.\n\nProtect against this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mtk-cmdq: fix wrong use of sizeof in cmdq_get_clocks()\n\nIt should be size of the struct clk_bulk_data, not data pointer pass to\ndevm_kcalloc().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Check num_codecs is not zero to avoid panic during probe\n\nFollowing commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy\nComponent via COMP_DUMMY()\"), COMP_DUMMY() became an array with zero\nlength, and only gets populated with the dummy struct after the card is\nregistered. Since the sound card driver's probe happens before the card\nregistration, accessing any of the members of a dummy component during\nprobe will result in undefined behavior.\n\nThis can be observed in the mt8188 and mt8195 machine sound drivers. By\nomitting a dai link subnode in the sound card's node in the Devicetree,\nthe default uninitialized dummy codec is used, and when its dai_name\npointer gets passed to strcmp() it results in a null pointer dereference\nand a kernel panic.\n\nIn addition to that, set_card_codec_info() in the generic helpers file,\nmtk-soundcard-driver.c, will populate a dai link with a dummy codec when\na dai link node is present in DT but with no codec property.\n\nThe result is that at probe time, a dummy codec can either be\nuninitialized with num_codecs = 0, or be an initialized dummy codec,\nwith num_codecs = 1 and dai_name = \"snd-soc-dummy-dai\". In order to\naccommodate for both situations, check that num_codecs is not zero\nbefore accessing the codecs' fields but still check for the codec's dai\nname against \"snd-soc-dummy-dai\" as needed.\n\nWhile at it, also drop the check that dai_name is not null in the mt8192\ndriver, introduced in commit 4d4e1b6319e5 (\"ASoC: mediatek: mt8192:\nCheck existence of dai_name before dereferencing\"), as it is actually\nredundant given the preceding num_codecs != 0 check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: Fix hardware lockup on first Rx endpoint request\n\nThere is a possibility that a request's callback could be invoked from\nusb_ep_queue() (call trace below, supplemented with missing calls):\n\nreq->complete from usb_gadget_giveback_request\n\t(drivers/usb/gadget/udc/core.c:999)\nusb_gadget_giveback_request from musb_g_giveback\n\t(drivers/usb/musb/musb_gadget.c:147)\nmusb_g_giveback from rxstate\n\t(drivers/usb/musb/musb_gadget.c:784)\nrxstate from musb_ep_restart\n\t(drivers/usb/musb/musb_gadget.c:1169)\nmusb_ep_restart from musb_ep_restart_resume_work\n\t(drivers/usb/musb/musb_gadget.c:1176)\nmusb_ep_restart_resume_work from musb_queue_resume_work\n\t(drivers/usb/musb/musb_core.c:2279)\nmusb_queue_resume_work from musb_gadget_queue\n\t(drivers/usb/musb/musb_gadget.c:1241)\nmusb_gadget_queue from usb_ep_queue\n\t(drivers/usb/gadget/udc/core.c:300)\n\nAccording to the docstring of usb_ep_queue(), this should not happen:\n\n\"Note that @req's ->complete() callback must never be called from within\nusb_ep_queue() as that can create deadlock situations.\"\n\nIn fact, a hardware lockup might occur in the following sequence:\n\n1. The gadget is initialized using musb_gadget_enable().\n2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an\n   interrupt.\n3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an\n   empty queue (next_request() returns NULL). The interrupt flag has\n   already been cleared by the glue layer handler, but the RXPKTRDY flag\n   remains set.\n4. The first request is enqueued using usb_ep_queue(), leading to the call\n   of req->complete(), as shown in the call trace above.\n5. If the callback enables IRQs and another packet is waiting, step (3)\n   repeats. The request queue is empty because usb_g_giveback() removes the\n   request before invoking the callback.\n6. The endpoint remains locked up, as the interrupt triggered by hardware\n   setting the RXPKTRDY flag has been handled, but the flag itself remains\n   set.\n\nFor this scenario to occur, it is only necessary for IRQs to be enabled at\nsome point during the complete callback. This happens with the USB Ethernet\ngadget, whose rx_complete() callback calls netif_rx(). If called in the\ntask context, netif_rx() disables the bottom halves (BHs). When the BHs are\nre-enabled, IRQs are also enabled to allow soft IRQs to be processed. The\ngadget itself is initialized at module load (or at boot if built-in), but\nthe first request is enqueued when the network interface is brought up,\ntriggering rx_complete() in the task context via ioctl(). If a packet\narrives while the interface is down, it can prevent the interface from\nreceiving any further packets from the USB host.\n\nThe situation is quite complicated with many parties involved. This\nparticular issue can be resolved in several possible ways:\n\n1. Ensure that callbacks never enable IRQs. This would be difficult to\n   enforce, as discovering how netif_rx() interacts with interrupts was\n   already quite challenging and u_ether is not the only function driver.\n   Similar \"bugs\" could be hidden in other drivers as well.\n2. Disable MUSB interrupts in musb_g_giveback() before calling the callback\n   and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(),\n   for example). This would ensure that MUSB interrupts are not handled\n   during the callback, even if IRQs are enabled. In fact, it would allow\n   IRQs to be enabled when releasing the lock. However, this feels like an\n   inelegant hack.\n3. Modify the interrupt handler to clear the RXPKTRDY flag if the request\n   queue is empty. While this approach also feels like a hack, it wastes\n   CPU time by attempting to handle incoming packets when the software is\n   not ready to process them.\n4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart().\n   This ensures that the hardware can receive packets when there is at\n   least one request in the queue. Once I\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport\n\nSince transport->sock has been set to NULL during reset transport,\nXPRT_SOCK_UPD_TIMEOUT also needs to be cleared. Otherwise, the\nxs_tcp_set_socket_timeouts() may be triggered in xs_tcp_send_request()\nto dereference the transport->sock that has been set to NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: epf-mhi: Avoid NULL dereference if DT lacks 'mmio'\n\nIf platform_get_resource_byname() fails and returns NULL because DT lacks\nan 'mmio' property for the MHI endpoint, dereferencing res->start will\ncause a NULL pointer access. Add a check to prevent it.\n\n[kwilczynski: error message update per the review feedback]\n[bhelgaas: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY\n\nSince commit 8f4f68e788c3 (\"crypto: pcrypt - Fix hungtask for\nPADATA_RESET\"), the pcrypt encryption and decryption operations return\n-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is\ngenerated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns\n-EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.\nFix this issue by calling crypto layer directly without parallelization\nin that case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device\n\nWhile design wise the idea of converting the driver to use\nthe hierarchy of the IRQ chips is correct, the implementation\nhas (inherited) flaws. This was unveiled when platform_get_irq()\nhad started WARN() on IRQ 0 that is supposed to be a Linux\nIRQ number (also known as vIRQ).\n\nRework the driver to respect IRQ domain when creating each MFD\ndevice separately, as the domain is not the same for all of them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node blkaddr in truncate_node()\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2534!\nRIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534\nCall Trace:\n truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909\n f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288\n f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856\n evict+0x4e8/0x9b0 fs/inode.c:723\n f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986\n f2fs_create+0x357/0x530 fs/f2fs/namei.c:394\n lookup_open fs/namei.c:3595 [inline]\n open_last_lookups fs/namei.c:3694 [inline]\n path_openat+0x1c03/0x3590 fs/namei.c:3930\n do_filp_open+0x235/0x490 fs/namei.c:3960\n do_sys_openat2+0x13e/0x1d0 fs/open.c:1415\n do_sys_open fs/open.c:1430 [inline]\n __do_sys_openat fs/open.c:1446 [inline]\n __se_sys_openat fs/open.c:1441 [inline]\n __x64_sys_openat+0x247/0x2a0 fs/open.c:1441\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534\n\nThe root cause is: on a fuzzed image, blkaddr in nat entry may be\ncorrupted, then it will cause system panic when using it in\nf2fs_invalidate_blocks(), to avoid this, let's add sanity check on\nnat blkaddr in truncate_node().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrd: defer automatic disk creation until module initialization succeeds\n\nMy colleague Wupeng found the following problems during fault injection:\n\nBUG: unable to handle page fault for address: fffffbfff809d073\nPGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:__asan_load8+0x4c/0xa0\n...\nCall Trace:\n <TASK>\n blkdev_put_whole+0x41/0x70\n bdev_release+0x1a3/0x250\n blkdev_release+0x11/0x20\n __fput+0x1d7/0x4a0\n task_work_run+0xfc/0x180\n syscall_exit_to_user_mode+0x1de/0x1f0\n do_syscall_64+0x6b/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nloop_init() is calling loop_add() after __register_blkdev() succeeds and\nis ignoring disk_add() failure from loop_add(), for loop_add() failure\nis not fatal and successfully created disks are already visible to\nbdev_open().\n\nbrd_init() is currently calling brd_alloc() before __register_blkdev()\nsucceeds and is releasing successfully created disks when brd_init()\nreturns an error. This can cause UAF for the latter two case:\n\ncase 1:\n    T1:\nmodprobe brd\n  brd_init\n    brd_alloc(0) // success\n      add_disk\n        disk_scan_partitions\n          bdev_file_open_by_dev // alloc file\n          fput // won't free until back to userspace\n    brd_alloc(1) // failed since mem alloc error inject\n  // error path for modprobe will release code segment\n  // back to userspace\n  __fput\n    blkdev_release\n      bdev_release\n        blkdev_put_whole\n          bdev->bd_disk->fops->release // fops is freed now, UAF!\n\ncase 2:\n    T1:                            T2:\nmodprobe brd\n  brd_init\n    brd_alloc(0) // success\n                                   open(/dev/ram0)\n    brd_alloc(1) // fail\n  // error path for modprobe\n\n                                   close(/dev/ram0)\n                                   ...\n                                   /* UAF! */\n                                   bdev->bd_disk->fops->release\n\nFix this problem by following what loop_init() does. Besides,\nreintroduce brd_devices_mutex to help serialize modifications to\nbrd_list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix recursive lock when verdict program return SK_PASS\n\nWhen the stream_verdict program returns SK_PASS, it places the received skb\ninto its own receive queue, but a recursive lock eventually occurs, leading\nto an operating system deadlock. This issue has been present since v6.9.\n\n'''\nsk_psock_strp_data_ready\n    write_lock_bh(&sk->sk_callback_lock)\n    strp_data_ready\n      strp_read_sock\n        read_sock -> tcp_read_sock\n          strp_recv\n            cb.rcv_msg -> sk_psock_strp_read\n              # now stream_verdict return SK_PASS without peer sock assign\n              __SK_PASS = sk_psock_map_verd(SK_PASS, NULL)\n              sk_psock_verdict_apply\n                sk_psock_skb_ingress_self\n                  sk_psock_skb_ingress_enqueue\n                    sk_psock_data_ready\n                      read_lock_bh(&sk->sk_callback_lock) <= dead lock\n\n'''\n\nThis topic has been discussed before, but it has not been fixed.\nPrevious discussion:\nhttps://lore.kernel.org/all/6684a5864ec86_403d20898@john.notmuch",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Use dynamic allocation for CU occupancy array in 'kfd_get_cu_occupancy()'\n\nThe `kfd_get_cu_occupancy` function previously declared a large\n`cu_occupancy` array as a local variable, which could lead to stack\noverflows due to excessive stack usage. This commit replaces the static\narray allocation with dynamic memory allocation using `kcalloc`,\nthereby reducing the stack size.\n\nThis change avoids the risk of stack overflows in kernel space,  in\nscenarios where `AMDGPU_MAX_QUEUES` is large. The  allocated memory is\nfreed using `kfree` before the function returns  to prevent memory\nleaks.\n\nFixes the below with gcc W=1:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_process.c: In function \u2018kfd_get_cu_occupancy\u2019:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_process.c:322:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]\n  322 | }\n      | ^",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix possible NULL dereference caused by kunit_kzalloc()\n\nkunit_kzalloc() may return a NULL pointer, dereferencing it without\nNULL check may lead to NULL dereference.\nAdd NULL checks for all the kunit_kzalloc() in sound_kunit.c",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the memory allocation issue in amdgpu_discovery_get_nps_info()\n\nFix two issues with memory allocation in amdgpu_discovery_get_nps_info()\nfor mem_ranges:\n\n - Add a check for allocation failure to avoid dereferencing a null\n   pointer.\n\n - As suggested by Christophe, use kvcalloc() for memory allocation,\n   which checks for multiplication overflow.\n\nAdditionally, assign the output parameters nps_type and range_cnt after\nthe kvcalloc() call to prevent modifying the output parameters in case\nof an error return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix looping of queued SG entries\n\nThe dwc3_request->num_queued_sgs is decremented on completion. If a\npartially completed request is handled, then the\ndwc3_request->num_queued_sgs no longer reflects the total number of\nnum_queued_sgs (it would be cleared).\n\nCorrectly check the number of request SG entries remained to be prepare\nand queued. Failure to do this may cause null pointer dereference when\naccessing non-existent SG entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Fix potential double remove of hotplug slot\n\nIn commit 6ee600bfbe0f (\"s390/pci: remove hotplug slot when releasing the\ndevice\") the zpci_exit_slot() was moved from zpci_device_reserved() to\nzpci_release_device() with the intention of keeping the hotplug slot\naround until the device is actually removed.\n\nNow zpci_release_device() is only called once all references are\ndropped. Since the zPCI subsystem only drops its reference once the\ndevice is in the reserved state it follows that zpci_release_device()\nmust only deal with devices in the reserved state. Despite that it\ncontains code to tear down from both configured and standby state. For\nthe standby case this already includes the removal of the hotplug slot\nso would cause a double removal if a device was ever removed in\neither configured or standby state.\n\nInstead of causing a potential double removal in a case that should\nnever happen explicitly WARN_ON() if a device in non-reserved state is\nreleased and get rid of the dead code cases.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: wl128x: Fix atomicity violation in fmc_send_cmd()\n\nAtomicity violation occurs when the fmc_send_cmd() function is executed\nsimultaneously with the modification of the fmdev->resp_skb value.\nConsider a scenario where, after passing the validity check within the\nfunction, a non-null fmdev->resp_skb variable is assigned a null value.\nThis results in an invalid fmdev->resp_skb variable passing the validity\ncheck. As seen in the later part of the function, skb = fmdev->resp_skb;\nwhen the invalid fmdev->resp_skb passes the check, a null pointer\ndereference error may occur at line 478, evt_hdr = (void *)skb->data;\n\nTo address this issue, it is recommended to include the validity check of\nfmdev->resp_skb within the locked section of the function. This\nmodification ensures that the value of fmdev->resp_skb does not change\nduring the validation process, thereby maintaining its validity.\n\nThis possible bug is found by an experimental static analysis tool\ndeveloped by our team. This tool analyzes the locking APIs\nto extract function pairs that can be concurrently executed, and then\nanalyzes the instructions in the paired functions to identify possible\nconcurrency bugs including data races and atomicity violations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix dtl_access_lock to be a rw_semaphore\n\nThe dtl_access_lock needs to be a rw_sempahore, a sleeping lock, because\nthe code calls kmalloc() while holding it, which can sleep:\n\n  # echo 1 > /proc/powerpc/vcpudispatch_stats\n  BUG: sleeping function called from invalid context at include/linux/sched/mm.h:337\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 199, name: sh\n  preempt_count: 1, expected: 0\n  3 locks held by sh/199:\n   #0: c00000000a0743f8 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x324/0x438\n   #1: c0000000028c7058 (dtl_enable_mutex){+.+.}-{3:3}, at: vcpudispatch_stats_write+0xd4/0x5f4\n   #2: c0000000028c70b8 (dtl_access_lock){+.+.}-{2:2}, at: vcpudispatch_stats_write+0x220/0x5f4\n  CPU: 0 PID: 199 Comm: sh Not tainted 6.10.0-rc4 #152\n  Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries\n  Call Trace:\n    dump_stack_lvl+0x130/0x148 (unreliable)\n    __might_resched+0x174/0x410\n    kmem_cache_alloc_noprof+0x340/0x3d0\n    alloc_dtl_buffers+0x124/0x1ac\n    vcpudispatch_stats_write+0x2a8/0x5f4\n    proc_reg_write+0xf4/0x150\n    vfs_write+0xfc/0x438\n    ksys_write+0x88/0x148\n    system_call_exception+0x1c4/0x5a0\n    system_call_common+0xf4/0x258",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\n\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL.  However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\n\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier's knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\n\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don't do this when ref_obj_id > 0, as in\nthat case this is an acquired object and doesn't need such adjustment.\n\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\n\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\n\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\n\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon't regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\n\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n\n  [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix soft lockups in fib6_select_path under high next hop churn\n\nSoft lockups have been observed on a cluster of Linux-based edge routers\nlocated in a highly dynamic environment. Using the `bird` service, these\nrouters continuously update BGP-advertised routes due to frequently\nchanging nexthop destinations, while also managing significant IPv6\ntraffic. The lockups occur during the traversal of the multipath\ncircular linked-list in the `fib6_select_path` function, particularly\nwhile iterating through the siblings in the list. The issue typically\narises when the nodes of the linked list are unexpectedly deleted\nconcurrently on a different core\u2014indicated by their 'next' and\n'previous' elements pointing back to the node itself and their reference\ncount dropping to zero. This results in an infinite loop, leading to a\nsoft lockup that triggers a system panic via the watchdog timer.\n\nApply RCU primitives in the problematic code sections to resolve the\nissue. Where necessary, update the references to fib6_siblings to\nannotate or use the RCU APIs.\n\nInclude a test script that reproduces the issue. The script\nperiodically updates the routing table while generating a heavy load\nof outgoing IPv6 traffic through multiple iperf3 clients. It\nconsistently induces infinite soft lockups within a couple of minutes.\n\nKernel log:\n\n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb\n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3\n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4\n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03\n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f\n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756\n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af\n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d\n-- <IRQ stack> --\n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb\n    [exception RIP: fib6_select_path+299]\n    RIP: ffffffff8ddafe7b  RSP: ffffbd13003d37b8  RFLAGS: 00000287\n    RAX: ffff975850b43600  RBX: ffff975850b40200  RCX: 0000000000000000\n    RDX: 000000003fffffff  RSI: 0000000051d383e4  RDI: ffff975850b43618\n    RBP: ffffbd13003d3800   R8: 0000000000000000   R9: ffff975850b40200\n    R10: 0000000000000000  R11: 0000000000000000  R12: ffffbd13003d3830\n    R13: ffff975850b436a8  R14: ffff975850b43600  R15: 0000000000000007\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c\n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c\n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5\n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47\n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0\n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274\n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474\n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615\n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec\n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3\n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9\n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]\n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]\n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]\n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000\n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581\n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9\n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47\n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30\n28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f\n29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64\n30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: fix release of IRQ\n\nKernel logs indicate an IRQ was double-freed.\n\nPass correct device ID during IRQ release.\n\n[Dominique: remove confusing variable reset to 0]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: Add check for rgby_data memory allocation failure\n\nIn ia_css_3a_statistics_allocate(), there is no check on the allocation\nresult of the rgby_data memory. If rgby_data is not successfully\nallocated, it may trigger the assert(host_stats->rgby_data) assertion in\nia_css_s3a_hmem_decode(). Adding a check to fix this potential issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cpum_sf: Fix and protect memory allocation of SDBs with mutex\n\nReservation of the PMU hardware is done at first event creation\nand is protected by a pair of mutex_lock() and mutex_unlock().\nAfter reservation of the PMU hardware the memory\nrequired for the PMUs the event is to be installed on is\nallocated by allocate_buffers() and alloc_sampling_buffer().\nThis done outside of the mutex protection.\nWithout mutex protection two or more concurrent invocations of\nperf_event_init() may run in parallel.\nThis can lead to allocation of Sample Data Blocks (SDBs)\nmultiple times for the same PMU.\nPrevent this and protect memory allocation of SDBs by\nmutex.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c\n\nAdd error pointer checks after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/igen6: Avoid segmentation fault on module unload\n\nThe segmentation fault happens because:\n\nDuring modprobe:\n1. In igen6_probe(), igen6_pvt will be allocated with kzalloc()\n2. In igen6_register_mci(), mci->pvt_info will point to\n   &igen6_pvt->imc[mc]\n\nDuring rmmod:\n1. In mci_release() in edac_mc.c, it will kfree(mci->pvt_info)\n2. In igen6_remove(), it will kfree(igen6_pvt);\n\nFix this issue by setting mci->pvt_info to NULL to avoid the double\nkfree.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check if iowq is killed before queuing\n\ntask work can be executed after the task has gone through io_uring\ntermination, whether it's the final task_work run or the fallback path.\nIn this case, task work will find ->io_wq being already killed and\nnull'ed, which is a problem if it then tries to forward the request to\nio_queue_iowq(). Make io_queue_iowq() fail requests in this case.\n\nNote that it also checks PF_KTHREAD, because the user can first close\na DEFER_TASKRUN ring and shortly after kill the task, in which case\n->iowq check would race.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_direct_read_write()\n\nThe bvecs array which is allocated in iter_get_bvecs_alloc() is leaked\nand pages remain pinned if ceph_alloc_sparse_ext_map() fails.\n\nThere is no need to delay the allocation of sparse_ext map until after\nthe bvecs array is set up, so fix this by moving sparse_ext allocation\na bit earlier.  Also, make a similar adjustment in __ceph_sync_read()\nfor consistency (a leak of the same kind in __ceph_sync_read() has been\naddressed differently).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference\n\ndrm_mode_duplicate() could return NULL due to lack of memory,\nwhich will then call NULL pointer dereference. Add a check to\nprevent it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: fix memory leak on last export_udmabuf() error path\n\nIn export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a\ndma_buf owning the udmabuf has already been created; but the error handling\nin udmabuf_create() will tear down the udmabuf without doing anything about\nthe containing dma_buf.\n\nThis leaves a dma_buf in memory that contains a dangling pointer; though\nthat doesn't seem to lead to anything bad except a memory leak.\n\nFix it by moving the dma_buf_fd() call out of export_udmabuf() so that we\ncan give it different error handling.\n\nNote that the shape of this code changed a lot in commit 5e72b2b41a21\n(\"udmabuf: convert udmabuf driver to use folios\"); but the memory leak\nseems to have existed since the introduction of udmabuf.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: fix nsim_pp_hold_write()\n\nnsim_pp_hold_write() has two problems:\n\n1) It may return with rtnl held, as found by syzbot.\n\n2) Its return value does not propagate an error if any.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: no double destroy workqueue\n\nThere are some FW error handling paths that can cause us to\ntry to destroy the workqueue more than once, so let's be sure\nwe're checking for that.\n\nThe case where this popped up was in an AER event where the\nhandlers got called in such a way that ionic_reset_prepare()\nand thus ionic_dev_teardown() got called twice in a row.\nThe second time through the workqueue was already destroyed,\nand destroy_workqueue() choked on the bad wq pointer.\n\nWe didn't hit this in AER handler testing before because at\nthat time we weren't using a private workqueue.  Later we\nreplaced the use of the system workqueue with our own private\nworkqueue but hadn't rerun the AER handler testing since then.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: Fix netdev notifier unregister on failure\n\nIf register_netdev() fails, then the driver leaks the netdev notifier.\nFix this by calling ionic_lif_unregister() on register_netdev()\nfailure. This will also call ionic_lif_unregister_phc() if it has\nalready been registered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: prevent bad user input in nsim_dev_health_break_write()\n\nIf either a zero count or a large one is provided, kernel can crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()\n\nPackets injected by the CPU should have a SRC_PORT field equal to the\nCPU port module index in the Analyzer block (ocelot->num_phys_ports).\n\nThe blamed commit copied the ocelot_ifh_set_basic() call incorrectly\nfrom ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling\nwith \"x\", it calls with BIT_ULL(x), but the field is not a port mask,\nbut rather a single port index.\n\n[ side note: this is the technical debt of code duplication :( ]\n\nThe error used to be silent and doesn't appear to have other\nuser-visible manifestations, but with new changes in the packing\nlibrary, it now fails loudly as follows:\n\n------------[ cut here ]------------\nCannot store 0x40 inside bits 46-43 - will truncate\nsja1105 spi2.0: xmit timed out\nWARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198\nsja1105 spi2.0: timed out polling for tstamp\nCPU: 1 UID: 0 PID: 102 Comm: felix_xmit\nTainted: G        W        N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605\nCall trace:\n __pack+0x90/0x198 (P)\n __pack+0x90/0x198 (L)\n packing+0x78/0x98\n ocelot_ifh_set_basic+0x260/0x368\n ocelot_port_inject_frame+0xa8/0x250\n felix_port_deferred_xmit+0x14c/0x258\n kthread_worker_fn+0x134/0x350\n kthread+0x114/0x138\n\nThe code path pertains to the ocelot switchdev driver and to the felix\nsecondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q.\n\nThe messenger (packing) is not really to blame, so fix the original\ncommit instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: protect link down work from execute after lgr freed\n\nlink down work may be scheduled before lgr freed but execute\nafter lgr freed, which may result in crash. So it is need to\nhold a reference before shedule link down work, and put the\nreference after work executed or canceled.\n\nThe relevant crash call stack as follows:\n list_del corruption. prev->next should be ffffb638c9c0fe20,\n    but was 0000000000000000\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:51!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1\n Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014\n Workqueue: events smc_link_down_work [smc]\n RIP: 0010:__list_del_entry_valid.cold+0x31/0x47\n RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086\n RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000\n RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38\n R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002\n R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0\n FS:  0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  rwsem_down_write_slowpath+0x17e/0x470\n  smc_link_down_work+0x3c/0x60 [smc]\n  process_one_work+0x1ac/0x350\n  worker_thread+0x49/0x2f0\n  ? rescuer_thread+0x360/0x360\n  kthread+0x118/0x140\n  ? __kthread_bind_mask+0x60/0x60\n  ret_from_fork+0x1f/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]'s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv->dma_cap.addr64 > 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n  dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n  DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Several fixes to bpf_msg_pop_data\n\nSeveral fixes to bpf_msg_pop_data,\n1. In sk_msg_shift_left, we should put_page\n2. if (len == 0), return early is better\n3. pop the entire sk_msg (last == msg->sg.size) should be supported\n4. Fix for the value of variable \"a\"\n5. In sk_msg_shift_left, after shifting, i has already pointed to the next\nelement. Addtional sk_msg_iter_var_next may result in BUG.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Terminate the erratum_1386_microcode array\n\nThe erratum_1386_microcode array requires an empty entry at the end.\nOtherwise x86_match_cpu_with_stepping() will continue iterate the array after\nit ended.\n\nAdd an empty entry to erratum_1386_microcode to its end.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix cpu stuck caused by printings during reset\n\nDuring reset, cmd to destroy resources such as qp, cq, and mr may fail,\nand error logs will be printed. When a large number of resources are\ndestroyed, there will be lots of printings, and it may lead to a cpu\nstuck.\n\nDelete some unnecessary printings and replace other printing functions\nin these paths with the ratelimited version.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices\n\nWhile design wise the idea of converting the driver to use\nthe hierarchy of the IRQ chips is correct, the implementation\nhas (inherited) flaws. This was unveiled when platform_get_irq()\nhad started WARN() on IRQ 0 that is supposed to be a Linux\nIRQ number (also known as vIRQ).\n\nRework the driver to respect IRQ domain when creating each MFD\ndevice separately, as the domain is not the same for all of them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device\n\nWhile design wise the idea of converting the driver to use\nthe hierarchy of the IRQ chips is correct, the implementation\nhas (inherited) flaws. This was unveiled when platform_get_irq()\nhad started WARN() on IRQ 0 that is supposed to be a Linux\nIRQ number (also known as vIRQ).\n\nRework the driver to respect IRQ domain when creating each MFD\ndevice separately, as the domain is not the same for all of them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c\n\nAdd error pointer check after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c\n\nAdd error pointer check after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c\n\nAdding error pointer check after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c\n\nAdd error pointer check after calling otx2_mbox_get_rsp().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Initialize cfid->tcon before performing network ops\n\nAvoid leaking a tcon ref when a lease break races with opening the\ncached directory. Processing the leak break might take a reference to\nthe tcon in cached_dir_lease_break() and then fail to release the ref in\ncached_dir_offload_close, since cfid->tcon is still NULL.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p/usbg: fix handling of the failed kzalloc() memory allocation\n\nOn the linux-next, next-20241108 vanilla kernel, the coccinelle tool gave the\nfollowing error report:\n\n./net/9p/trans_usbg.c:912:5-11: ERROR: allocation function on line 911 returns\nNULL not ERR_PTR on failure\n\nkzalloc() failure is fixed to handle the NULL return case on the memory exhaustion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: check if __rtc_read_time was successful in rtc_timer_do_work()\n\nIf the __rtc_read_time call fails,, the struct rtc_time tm; may contain\nuninitialized data, or an illegal date/time read from the RTC hardware.\n\nWhen calling rtc_tm_to_ktime later, the result may be a very large value\n(possibly KTIME_MAX). If there are periodic timers in rtc->timerqueue,\nthey will continually expire, may causing kernel softlockup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/localio: must clear res.replen in nfs_local_read_done\n\nOtherwise memory corruption can occur due to NFSv3 LOCALIO reads\nleaving garbage in res.replen:\n- nfs3_read_done() copies that into server->read_hdrsize; from there\n  nfs3_proc_read_setup() copies it to args.replen in new requests.\n- nfs3_xdr_enc_read3args() passes that to rpc_prepare_reply_pages()\n  which includes it in hdrsize for xdr_init_pages, so that rq_rcv_buf\n  contains a ridiculous len.\n- This is copied to rq_private_buf and xs_read_stream_request()\n  eventually passes the kvec to sock_recvmsg() which receives incoming\n  data into entirely the wrong place.\n\nThis is easily reproduced with NFSv3 LOCALIO that is servicing reads\nwhen it is made to pivot back to using normal RPC.  This switch back\nto using normal NFSv3 with RPC can occur for a few reasons but this\nissue was exposed with a test that stops and then restarts the NFSv3\nserver while LOCALIO is performing heavy read IO.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages()\n\nFix an unwind issue in mlx5vf_add_migration_pages().\n\nIf a set of pages is allocated but fails to be added to the SG table,\nthey need to be freed to prevent a memory leak.\n\nAny pages successfully added to the SG table will be freed as part of\nmlx5vf_free_data_buffer().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs_common: must not hold RCU while calling nfsd_file_put_local\n\nMove holding the RCU from nfs_to_nfsd_file_put_local to\nnfs_to_nfsd_net_put.  It is the call to nfs_to->nfsd_serv_put that\nrequires the RCU anyway (the puts for nfsd_file and netns were\ncombined to avoid an extra indirect reference but that\nmicro-optimization isn't possible now).\n\nThis fixes xfstests generic/013 and it triggering:\n\n\"Voluntary context switch within RCU read-side critical section!\"\n\n[  143.545738] Call Trace:\n[  143.546206]  <TASK>\n[  143.546625]  ? show_regs+0x6d/0x80\n[  143.547267]  ? __warn+0x91/0x140\n[  143.547951]  ? rcu_note_context_switch+0x496/0x5d0\n[  143.548856]  ? report_bug+0x193/0x1a0\n[  143.549557]  ? handle_bug+0x63/0xa0\n[  143.550214]  ? exc_invalid_op+0x1d/0x80\n[  143.550938]  ? asm_exc_invalid_op+0x1f/0x30\n[  143.551736]  ? rcu_note_context_switch+0x496/0x5d0\n[  143.552634]  ? wakeup_preempt+0x62/0x70\n[  143.553358]  __schedule+0xaa/0x1380\n[  143.554025]  ? _raw_spin_unlock_irqrestore+0x12/0x40\n[  143.554958]  ? try_to_wake_up+0x1fe/0x6b0\n[  143.555715]  ? wake_up_process+0x19/0x20\n[  143.556452]  schedule+0x2e/0x120\n[  143.557066]  schedule_preempt_disabled+0x19/0x30\n[  143.557933]  rwsem_down_read_slowpath+0x24d/0x4a0\n[  143.558818]  ? xfs_efi_item_format+0x50/0xc0 [xfs]\n[  143.559894]  down_read+0x4e/0xb0\n[  143.560519]  xlog_cil_commit+0x1b2/0xbc0 [xfs]\n[  143.561460]  ? _raw_spin_unlock+0x12/0x30\n[  143.562212]  ? xfs_inode_item_precommit+0xc7/0x220 [xfs]\n[  143.563309]  ? xfs_trans_run_precommits+0x69/0xd0 [xfs]\n[  143.564394]  __xfs_trans_commit+0xb5/0x330 [xfs]\n[  143.565367]  xfs_trans_roll+0x48/0xc0 [xfs]\n[  143.566262]  xfs_defer_trans_roll+0x57/0x100 [xfs]\n[  143.567278]  xfs_defer_finish_noroll+0x27a/0x490 [xfs]\n[  143.568342]  xfs_defer_finish+0x1a/0x80 [xfs]\n[  143.569267]  xfs_bunmapi_range+0x4d/0xb0 [xfs]\n[  143.570208]  xfs_itruncate_extents_flags+0x13d/0x230 [xfs]\n[  143.571353]  xfs_free_eofblocks+0x12e/0x190 [xfs]\n[  143.572359]  xfs_file_release+0x12d/0x140 [xfs]\n[  143.573324]  __fput+0xe8/0x2d0\n[  143.573922]  __fput_sync+0x1d/0x30\n[  143.574574]  nfsd_filp_close+0x33/0x60 [nfsd]\n[  143.575430]  nfsd_file_free+0x96/0x150 [nfsd]\n[  143.576274]  nfsd_file_put+0xf7/0x1a0 [nfsd]\n[  143.577104]  nfsd_file_put_local+0x18/0x30 [nfsd]\n[  143.578070]  nfs_close_local_fh+0x101/0x110 [nfs_localio]\n[  143.579079]  __put_nfs_open_context+0xc9/0x180 [nfs]\n[  143.580031]  nfs_file_clear_open_context+0x4a/0x60 [nfs]\n[  143.581038]  nfs_file_release+0x3e/0x60 [nfs]\n[  143.581879]  __fput+0xe8/0x2d0\n[  143.582464]  __fput_sync+0x1d/0x30\n[  143.583108]  __x64_sys_close+0x41/0x80\n[  143.583823]  x64_sys_call+0x189a/0x20d0\n[  143.584552]  do_syscall_64+0x64/0x170\n[  143.585240]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  143.586185] RIP: 0033:0x7f3c5153efd7",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock in f2fs_record_stop_reason()\n\nsyzbot reports deadlock issue of f2fs as below:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.12.0-rc3-syzkaller-00087-gc964ced77262 #0 Not tainted\n------------------------------------------------------\nkswapd0/79 is trying to acquire lock:\nffff888011824088 (&sbi->sb_lock){++++}-{3:3}, at: f2fs_down_write fs/f2fs/f2fs.h:2199 [inline]\nffff888011824088 (&sbi->sb_lock){++++}-{3:3}, at: f2fs_record_stop_reason+0x52/0x1d0 fs/f2fs/super.c:4068\n\nbut task is already holding lock:\nffff88804bd92610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x662/0x15c0 fs/f2fs/inode.c:842\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #2 (sb_internal#2){.+.+}-{0:0}:\n       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n       percpu_down_read include/linux/percpu-rwsem.h:51 [inline]\n       __sb_start_write include/linux/fs.h:1716 [inline]\n       sb_start_intwrite+0x4d/0x1c0 include/linux/fs.h:1899\n       f2fs_evict_inode+0x662/0x15c0 fs/f2fs/inode.c:842\n       evict+0x4e8/0x9b0 fs/inode.c:725\n       f2fs_evict_inode+0x1a4/0x15c0 fs/f2fs/inode.c:807\n       evict+0x4e8/0x9b0 fs/inode.c:725\n       dispose_list fs/inode.c:774 [inline]\n       prune_icache_sb+0x239/0x2f0 fs/inode.c:963\n       super_cache_scan+0x38c/0x4b0 fs/super.c:223\n       do_shrink_slab+0x701/0x1160 mm/shrinker.c:435\n       shrink_slab+0x1093/0x14d0 mm/shrinker.c:662\n       shrink_one+0x43b/0x850 mm/vmscan.c:4818\n       shrink_many mm/vmscan.c:4879 [inline]\n       lru_gen_shrink_node mm/vmscan.c:4957 [inline]\n       shrink_node+0x3799/0x3de0 mm/vmscan.c:5937\n       kswapd_shrink_node mm/vmscan.c:6765 [inline]\n       balance_pgdat mm/vmscan.c:6957 [inline]\n       kswapd+0x1ca3/0x3700 mm/vmscan.c:7226\n       kthread+0x2f0/0x390 kernel/kthread.c:389\n       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n-> #1 (fs_reclaim){+.+.}-{0:0}:\n       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n       __fs_reclaim_acquire mm/page_alloc.c:3834 [inline]\n       fs_reclaim_acquire+0x88/0x130 mm/page_alloc.c:3848\n       might_alloc include/linux/sched/mm.h:318 [inline]\n       prepare_alloc_pages+0x147/0x5b0 mm/page_alloc.c:4493\n       __alloc_pages_noprof+0x16f/0x710 mm/page_alloc.c:4722\n       alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265\n       alloc_pages_noprof mm/mempolicy.c:2345 [inline]\n       folio_alloc_noprof+0x128/0x180 mm/mempolicy.c:2352\n       filemap_alloc_folio_noprof+0xdf/0x500 mm/filemap.c:1010\n       do_read_cache_folio+0x2eb/0x850 mm/filemap.c:3787\n       read_mapping_folio include/linux/pagemap.h:1011 [inline]\n       f2fs_commit_super+0x3c0/0x7d0 fs/f2fs/super.c:4032\n       f2fs_record_stop_reason+0x13b/0x1d0 fs/f2fs/super.c:4079\n       f2fs_handle_critical_error+0x2ac/0x5c0 fs/f2fs/super.c:4174\n       f2fs_write_inode+0x35f/0x4d0 fs/f2fs/inode.c:785\n       write_inode fs/fs-writeback.c:1503 [inline]\n       __writeback_single_inode+0x711/0x10d0 fs/fs-writeback.c:1723\n       writeback_single_inode+0x1f3/0x660 fs/fs-writeback.c:1779\n       sync_inode_metadata+0xc4/0x120 fs/fs-writeback.c:2849\n       f2fs_release_file+0xa8/0x100 fs/f2fs/file.c:1941\n       __fput+0x23f/0x880 fs/file_table.c:431\n       task_work_run+0x24f/0x310 kernel/task_work.c:228\n       resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n       exit_to_user_mode_loop kernel/entry/common.c:114 [inline]\n       exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]\n       __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n       syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218\n       do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix reset_method_store() memory leak\n\nIn reset_method_store(), a string is allocated via kstrndup() and assigned\nto the local \"options\". options is then used in with strsep() to find\nspaces:\n\n  while ((name = strsep(&options, \" \")) != NULL) {\n\nIf there are no remaining spaces, then options is set to NULL by strsep(),\nso the subsequent kfree(options) doesn't free the memory allocated via\nkstrndup().\n\nFix by using a separate tmp_options to iterate with strsep() so options is\npreserved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()\n\nWhen information such as info->screen_base is not ready, calling\nsh7760fb_free_mem() does not release memory correctly. Call\ndma_free_coherent() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()\n\nHook \"qedi_ops->common->sb_init = qed_sb_init\" does not release the DMA\nmemory sb_virt when it fails. Add dma_free_coherent() to free it. This\nis the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb()\n\nHook \"qed_ops->common->sb_init = qed_sb_init\" does not release the DMA\nmemory sb_virt when it fails. Add dma_free_coherent() to free it. This\nis the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix dlm_recover_members refcount on error\n\nIf dlm_recover_members() fails we don't drop the references of the\nprevious created root_list that holds and keep all rsbs alive during the\nrecovery. It might be not an unlikely event because ping_members() could\nrun into an -EINTR if another recovery progress was triggered again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix blksize < PAGE_SIZE for file-backed mounts\n\nAdjust sb->s_blocksize{,_bits} directly for file-backed\nmounts when the fs block size is smaller than PAGE_SIZE.\n\nPreviously, EROFS used sb_set_blocksize(), which caused\na panic if bdev-backed mounts is not used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: release nexthop on device removal\n\nThe CI is hitting some aperiodic hangup at device removal time in the\npmtu.sh self-test:\n\nunregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6\nref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at\n\tdst_init+0x84/0x4a0\n\tdst_alloc+0x97/0x150\n\tip6_dst_alloc+0x23/0x90\n\tip6_rt_pcpu_alloc+0x1e6/0x520\n\tip6_pol_route+0x56f/0x840\n\tfib6_rule_lookup+0x334/0x630\n\tip6_route_output_flags+0x259/0x480\n\tip6_dst_lookup_tail.constprop.0+0x5c2/0x940\n\tip6_dst_lookup_flow+0x88/0x190\n\tudp_tunnel6_dst_lookup+0x2a7/0x4c0\n\tvxlan_xmit_one+0xbde/0x4a50 [vxlan]\n\tvxlan_xmit+0x9ad/0xf20 [vxlan]\n\tdev_hard_start_xmit+0x10e/0x360\n\t__dev_queue_xmit+0xf95/0x18c0\n\tarp_solicit+0x4a2/0xe00\n\tneigh_probe+0xaa/0xf0\n\nWhile the first suspect is the dst_cache, explicitly tracking the dst\nowing the last device reference via probes proved such dst is held by\nthe nexthop in the originating fib6_info.\n\nSimilar to commit f5b51fe804ec (\"ipv6: route: purge exception on\nremoval\"), we need to explicitly release the originating fib info when\ndisconnecting a to-be-removed device from a live ipv6 dst: move the\nfib6_info cleanup into ip6_dst_ifdown().\n\nTested running:\n\n./pmtu.sh cleanup_ipv6_exception\n\nin a tight loop for more than 400 iterations with no spat, running an\nunpatched kernel  I observed a splat every ~10 iterations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/gr/gf100: Fix missing unlock in gf100_gr_chan_new()\n\nWhen the call to gf100_grctx_generate() fails, unlock gr->fecs.mutex\nbefore returning the error.\n\nFixes smatch warning:\n\ndrivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c:480 gf100_gr_chan_new() warn: inconsistent returns '&gr->fecs.mutex'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/gfx9: Add Cleaner Shader Deinitialization in gfx_v9_0 Module\n\nThis commit addresses an omission in the previous patch related to the\ncleaner shader support for GFX9 hardware. Specifically, it adds the\nnecessary deinitialization code for the cleaner shader in the\ngfx_v9_0_sw_fini function.\n\nThe added line amdgpu_gfx_cleaner_shader_sw_fini(adev); ensures that any\nallocated resources for the cleaner shader are freed correctly, avoiding\npotential memory leaks and ensuring that the GPU state is clean for the\nnext initialization sequence.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - Fix the pointer passed to caam_qi_shutdown()\n\nThe type of the last parameter given to devm_add_action_or_reset() is\n\"struct caam_drv_private *\", but in caam_qi_shutdown(), it is casted to\n\"struct device *\".\n\nPass the correct parameter to devm_add_action_or_reset() so that the\nresources are released as expected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING\n\nIn fscache_create_volume(), there is a missing memory barrier between the\nbit-clearing operation and the wake-up operation. This may cause a\nsituation where, after a wake-up, the bit-clearing operation hasn't been\ndetected yet, leading to an indefinite wait. The triggering process is as\nfollows:\n\n  [cookie1]                [cookie2]                  [volume_work]\nfscache_perform_lookup\n  fscache_create_volume\n                        fscache_perform_lookup\n                          fscache_create_volume\n\t\t\t                        fscache_create_volume_work\n                                                  cachefiles_acquire_volume\n                                                  clear_and_wake_up_bit\n    test_and_set_bit\n                            test_and_set_bit\n                              goto maybe_wait\n      goto no_wait\n\nIn the above process, cookie1 and cookie2 has the same volume. When cookie1\nenters the -no_wait- process, it will clear the bit and wake up the waiting\nprocess. If a barrier is missing, it may cause cookie2 to remain in the\n-wait- process indefinitely.\n\nIn commit 3288666c7256 (\"fscache: Use clear_and_wake_up_bit() in\nfscache_create_volume_work()\"), barriers were added to similar operations\nin fscache_create_volume_work(), but fscache_create_volume() was missed.\n\nBy combining the clear and wake operations into clear_and_wake_up_bit() to\nfix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix freeing of the HMB descriptor table\n\nThe HMB descriptor table is sized to the maximum number of descriptors\nthat could be used for a given device, but __nvme_alloc_host_mem could\nbreak out of the loop earlier on memory allocation failure and end up\nusing less descriptors than planned for, which leads to an incorrect\nsize passed to dma_free_coherent.\n\nIn practice this was not showing up because the number of descriptors\ntends to be low and the dma coherent allocator always allocates and\nfrees at least a page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: add intf release flow when usb disconnect\n\nMediaTek claim an special usb intr interface for ISO data transmission.\nThe interface need to be released before unregistering hci device when\nusb disconnect. Removing BT usb dongle without properly releasing the\ninterface may cause Kernel panic while unregister hci device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: check folio mapping after unlock in relocate_one_folio()\n\nWhen we call btrfs_read_folio() to bring a folio uptodate, we unlock the\nfolio. The result of that is that a different thread can modify the\nmapping (like remove it with invalidate) before we call folio_lock().\nThis results in an invalid page and we need to try again.\n\nIn particular, if we are relocating concurrently with aborting a\ntransaction, this can result in a crash like the following:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 76 PID: 1411631 Comm: kworker/u322:5\n  Workqueue: events_unbound btrfs_reclaim_bgs_work\n  RIP: 0010:set_page_extent_mapped+0x20/0xb0\n  RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246\n  RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880\n  RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0\n  R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000\n  R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff\n  FS:  0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  PKRU: 55555554\n  Call Trace:\n  <TASK>\n  ? __die+0x78/0xc0\n  ? page_fault_oops+0x2a8/0x3a0\n  ? __switch_to+0x133/0x530\n  ? wq_worker_running+0xa/0x40\n  ? exc_page_fault+0x63/0x130\n  ? asm_exc_page_fault+0x22/0x30\n  ? set_page_extent_mapped+0x20/0xb0\n  relocate_file_extent_cluster+0x1a7/0x940\n  relocate_data_extent+0xaf/0x120\n  relocate_block_group+0x20f/0x480\n  btrfs_relocate_block_group+0x152/0x320\n  btrfs_relocate_chunk+0x3d/0x120\n  btrfs_reclaim_bgs_work+0x2ae/0x4e0\n  process_scheduled_works+0x184/0x370\n  worker_thread+0xc6/0x3e0\n  ? blk_add_timer+0xb0/0xb0\n  kthread+0xae/0xe0\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork+0x2f/0x40\n  ? flush_tlb_kernel_range+0x90/0x90\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n\nThis occurs because cleanup_one_transaction() calls\ndestroy_delalloc_inodes() which calls invalidate_inode_pages2() which\ntakes the folio_lock before setting mapping to NULL. We fail to check\nthis, and subsequently call set_extent_mapping(), which assumes that\nmapping != NULL (in fact it asserts that in debug mode)\n\nNote that the \"fixes\" patch here is not the one that introduced the\nrace (the very first iteration of this code from 2009) but a more recent\nchange that made this particular crash happen in practice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when COWing tree bock and tracing is enabled\n\nWhen a COWing a tree block, at btrfs_cow_block(), and we have the\ntracepoint trace_btrfs_cow_block() enabled and preemption is also enabled\n(CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent\nbuffer while inside the tracepoint code. This is because in some paths\nthat call btrfs_cow_block(), such as btrfs_search_slot(), we are holding\nthe last reference on the extent buffer @buf so btrfs_force_cow_block()\ndrops the last reference on the @buf extent buffer when it calls\nfree_extent_buffer_stale(buf), which schedules the release of the extent\nbuffer with RCU. This means that if we are on a kernel with preemption,\nthe current task may be preempted before calling trace_btrfs_cow_block()\nand the extent buffer already released by the time trace_btrfs_cow_block()\nis called, resulting in a use-after-free.\n\nFix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to\nbtrfs_force_cow_block() before the COWed extent buffer is freed.\nThis also has a side effect of invoking the tracepoint in the tree defrag\ncode, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is\ncalled there, but this is fine and it was actually missing there.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/MSI: Handle lack of irqdomain gracefully\n\nAlexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a\nRISCV platform which does not provide PCI/MSI support:\n\n WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32\n __pci_enable_msix_range+0x30c/0x596\n pci_msi_setup_msi_irqs+0x2c/0x32\n pci_alloc_irq_vectors_affinity+0xb8/0xe2\n\nRISCV uses hierarchical interrupt domains and correctly does not implement\nthe legacy fallback. The warning triggers from the legacy fallback stub.\n\nThat warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent\ndomain is associated with the device or not. There is a check for MSI-X,\nwhich has a legacy assumption. But that legacy fallback assumption is only\nvalid when legacy support is enabled, but otherwise the check should simply\nreturn -ENOTSUPP.\n\nLoongarch tripped over the same problem and blindly enabled legacy support\nwithout implementing the legacy fallbacks. There are weak implementations\nwhich return an error, so the problem was papered over.\n\nCorrect pci_msi_domain_supports() to evaluate the legacy mode and add\nthe missing supported check into the MSI enable path to complete it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary.  When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue.  Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn't preserve WFE and\nIRET doesn't set WFE.  But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Prevent bad count for tracing_cpumask_write\n\nIf a large count is provided, it will trigger a warning in bitmap_parse_user.\nAlso check zero for it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: detach gendisk from ublk device if add_disk() fails\n\nInside ublk_abort_requests(), gendisk is grabbed for aborting all\ninflight requests. And ublk_abort_requests() is called when exiting\nthe uring context or handling timeout.\n\nIf add_disk() fails, the gendisk may have been freed when calling\nublk_abort_requests(), so use-after-free can be caused when getting\ndisk's reference in ublk_abort_requests().\n\nFixes the bug by detaching gendisk from ublk device if add_disk() fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/vas: Add close() callback in vas_vm_ops struct\n\nThe mapping VMA address is saved in VAS window struct when the\npaste address is mapped. This VMA address is used during migration\nto unmap the paste address if the window is active. The paste\naddress mapping will be removed when the window is closed or with\nthe munmap(). But the VMA address in the VAS window is not updated\nwith munmap() which is causing invalid access during migration.\n\nThe KASAN report shows:\n[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8\n[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928\n\n[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G    B              6.11.0-rc5-nxgzip #2\n[16386.255128] Tainted: [B]=BAD_PAGE\n[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries\n[16386.255181] Call Trace:\n[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)\n[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764\n[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8\n[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0\n[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8\n[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc\n[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4\n...\n\n[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:\n[16386.256149]  kasan_save_stack+0x34/0x68\n[16386.256163]  kasan_save_track+0x34/0x80\n[16386.256175]  kasan_save_alloc_info+0x58/0x74\n[16386.256196]  __kasan_slab_alloc+0xb8/0xdc\n[16386.256209]  kmem_cache_alloc_noprof+0x200/0x3d0\n[16386.256225]  vm_area_alloc+0x44/0x150\n[16386.256245]  mmap_region+0x214/0x10c4\n[16386.256265]  do_mmap+0x5fc/0x750\n[16386.256277]  vm_mmap_pgoff+0x14c/0x24c\n[16386.256292]  ksys_mmap_pgoff+0x20c/0x348\n[16386.256303]  sys_mmap+0xd0/0x160\n...\n\n[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:\n[16386.256363]  kasan_save_stack+0x34/0x68\n[16386.256374]  kasan_save_track+0x34/0x80\n[16386.256384]  kasan_save_free_info+0x64/0x10c\n[16386.256396]  __kasan_slab_free+0x120/0x204\n[16386.256415]  kmem_cache_free+0x128/0x450\n[16386.256428]  vm_area_free_rcu_cb+0xa8/0xd8\n[16386.256441]  rcu_do_batch+0x2c8/0xcf0\n[16386.256458]  rcu_core+0x378/0x3c4\n[16386.256473]  handle_softirqs+0x20c/0x60c\n[16386.256495]  do_softirq_own_stack+0x6c/0x88\n[16386.256509]  do_softirq_own_stack+0x58/0x88\n[16386.256521]  __irq_exit_rcu+0x1a4/0x20c\n[16386.256533]  irq_exit+0x20/0x38\n[16386.256544]  interrupt_async_exit_prepare.constprop.0+0x18/0x2c\n...\n\n[16386.256717] Last potentially related work creation:\n[16386.256729]  kasan_save_stack+0x34/0x68\n[16386.256741]  __kasan_record_aux_stack+0xcc/0x12c\n[16386.256753]  __call_rcu_common.constprop.0+0x94/0xd04\n[16386.256766]  vm_area_free+0x28/0x3c\n[16386.256778]  remove_vma+0xf4/0x114\n[16386.256797]  do_vmi_align_munmap.constprop.0+0x684/0x870\n[16386.256811]  __vm_munmap+0xe0/0x1f8\n[16386.256821]  sys_munmap+0x54/0x6c\n[16386.256830]  system_call_exception+0x1a0/0x4a0\n[16386.256841]  system_call_vectored_common+0x15c/0x2ec\n\n[16386.256868] The buggy address belongs to the object at c00000014a819670\n                which belongs to the cache vm_area_struct of size 168\n[16386.256887] The buggy address is located 0 bytes inside of\n                freed 168-byte region [c00000014a819670, c00000014a819718)\n\n[16386.256915] The buggy address belongs to the physical page:\n[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81\n[16386.256950] memcg:c0000000ba430001\n[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)\n[16386.256975] page_type: 0xfdffffff(slab)\n[16386\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: fix double free in atmel_pmecc_create_user()\n\nThe \"user\" pointer was converted from being allocated with kzalloc() to\nbeing allocated by devm_kzalloc().  Calling kfree(user) will lead to a\ndouble free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.8"
        },
        {
          "id": "CVE-2024-56767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset\n\nThe at_xdmac_memset_create_desc may return NULL, which will lead to a\nnull pointer dereference. For example, the len input is error, or the\natchan->free_descs_list is empty and memory is exhausted. Therefore, add\ncheck to avoid this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP\n\nOn x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP\ndisabled can trigger the following bug, as pcpu_hot is unavailable:\n\n [    8.471774] BUG: unable to handle page fault for address: 00000000936a290c\n [    8.471849] #PF: supervisor read access in kernel mode\n [    8.471881] #PF: error_code(0x0000) - not-present page\n\nFix by inlining a return 0 in the !CONFIG_SMP case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg\n\nSyzbot reports [1] an uninitialized value issue found by KMSAN in\ndib3000_read_reg().\n\nLocal u8 rb[2] is used in i2c_transfer() as a read buffer; in case\nthat call fails, the buffer may end up with some undefined values.\n\nSince no elaborate error handling is expected in dib3000_write_reg(),\nsimply zero out rb buffer to mitigate the problem.\n\n[1] Syzkaller report\ndvb-usb: bulk message failed: -22 (6/0)\n=====================================================\nBUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758\n dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758\n dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31\n dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290\n dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]\n dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]\n dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310\n dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110\n...\nLocal variable rb created at:\n dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54\n dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: netem: account for backlog updates from child qdisc\n\nIn general, 'qlen' of any classful qdisc should keep track of the\nnumber of packets that the qdisc itself and all of its children holds.\nIn case of netem, 'qlen' only accounts for the packets in its internal\ntfifo. When netem is used with a child qdisc, the child qdisc can use\n'qdisc_tree_reduce_backlog' to inform its parent, netem, about created\nor dropped SKBs. This function updates 'qlen' and the backlog statistics\nof netem, but netem does not account for changes made by a child qdisc.\n'qlen' then indicates the wrong number of packets in the tfifo.\nIf a child qdisc creates new SKBs during enqueue and informs its parent\nabout this, netem's 'qlen' value is increased. When netem dequeues the\nnewly created SKBs from the child, the 'qlen' in netem is not updated.\nIf 'qlen' reaches the configured sch->limit, the enqueue function stops\nworking, even though the tfifo is not full.\n\nReproduce the bug:\nEnsure that the sender machine has GSO enabled. Configure netem as root\nqdisc and tbf as its child on the outgoing interface of the machine\nas follows:\n$ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100\n$ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms\n\nSend bulk TCP traffic out via this interface, e.g., by running an iPerf3\nclient on the machine. Check the qdisc statistics:\n$ tc -s qdisc show dev <oif>\n\nStatistics after 10s of iPerf3 TCP test before the fix (note that\nnetem's backlog > limit, netem stopped accepting packets):\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)\n backlog 4294528236b 1155p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)\n backlog 0b 0p requeues 0\n\nStatistics after the fix:\nqdisc netem 1: root refcnt 2 limit 1000 delay 100ms\n Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)\n backlog 0b 0p requeues 0\nqdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms\n Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)\n backlog 0b 0p requeues 0\n\ntbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'.\nThe interface fully stops transferring packets and \"locks\". In this case,\nthe child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at\nits limit and no more packets are accepted.\n\nThis patch adds a counter for the entries in the tfifo. Netem's 'qlen' is\nonly decreased when a packet is returned by its dequeue function, and not\nduring enqueuing into the child qdisc. External updates to 'qlen' are thus\naccounted for and only the behavior of the backlog statistics changes. As\nin other qdiscs, 'qlen' then keeps track of  how many packets are held in\nnetem and all of its children. As before, sch->limit remains as the\nmaximum number of packets in the tfifo. The same applies to netem's\nbacklog statistics.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spinand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information\n\nThese four chips:\n* W25N512GW\n* W25N01GW\n* W25N01JW\n* W25N02JW\nall require a single bit of ECC strength and thus feature an on-die\nHamming-like ECC engine. There is no point in filling a ->get_status()\ncallback for them because the main ECC status bytes are located in\nstandard places, and retrieving the number of bitflips in case of\ncorrected chunk is both useless and unsupported (if there are bitflips,\nthen there is 1 at most, so no need to query the chip for that).\n\nWithout this change, a kernel warning triggers every time a bit flips.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: string-stream: Fix a UAF bug in kunit_init_suite()\n\nIn kunit_debugfs_create_suite(), if alloc_string_stream() fails in the\nkunit_suite_for_each_test_case() loop, the \"suite->log = stream\"\nhas assigned before, and the error path only free the suite->log's stream\nmemory but not set it to NULL, so the later string_stream_clear() of\nsuite->log in kunit_init_suite() will cause below UAF bug.\n\nSet stream pointer to NULL after free to fix it.\n\n\tUnable to handle kernel paging request at virtual address 006440150000030d\n\tMem abort info:\n\t  ESR = 0x0000000096000004\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n\t  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[006440150000030d] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n\tDumping ftrace buffer:\n\t   (ftrace buffer empty)\n\tModules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts]\n\tCPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G    B   W        N 6.12.0-rc4+ #458\n\tTainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : string_stream_clear+0x54/0x1ac\n\tlr : string_stream_clear+0x1a8/0x1ac\n\tsp : ffffffc080b47410\n\tx29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98\n\tx26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003\n\tx23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000\n\tx20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840\n\tx17: 0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4\n\tx14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75\n\tx11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000\n\tx8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001\n\tx5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000\n\tCall trace:\n\t string_stream_clear+0x54/0x1ac\n\t __kunit_test_suites_init+0x108/0x1d8\n\t kunit_exec_run_tests+0xb8/0x100\n\t kunit_module_notify+0x400/0x55c\n\t notifier_call_chain+0xfc/0x3b4\n\t blocking_notifier_call_chain+0x68/0x9c\n\t do_init_module+0x24c/0x5c8\n\t load_module+0x4acc/0x4e90\n\t init_module_from_file+0xd4/0x128\n\t idempotent_init_module+0x2d4/0x57c\n\t __arm64_sys_finit_module+0xac/0x100\n\t invoke_syscall+0x6c/0x258\n\t el0_svc_common.constprop.0+0x160/0x22c\n\t do_el0_svc+0x44/0x5c\n\t el0_svc+0x48/0xb8\n\t el0t_64_sync_handler+0x13c/0x158\n\t el0t_64_sync+0x190/0x194\n\tCode: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: Fix potential null dereference in kunit_device_driver_test()\n\nkunit_kzalloc() may return a NULL pointer, dereferencing it without\nNULL check may lead to NULL dereference.\nAdd a NULL check for test_state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add a sanity check for btrfs root in btrfs_search_slot()\n\nSyzbot reports a null-ptr-deref in btrfs_search_slot().\n\nThe reproducer is using rescue=ibadroots, and the extent tree root is\ncorrupted thus the extent tree is NULL.\n\nWhen scrub tries to search the extent tree to gather the needed extent\ninfo, btrfs_search_slot() doesn't check if the target root is NULL or\nnot, resulting the null-ptr-deref.\n\nAdd sanity check for btrfs root before using it in btrfs_search_slot().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix handling of plane refcount\n\n[Why]\nThe mechanism to backup and restore plane states doesn't maintain\nrefcount, which can cause issues if the refcount of the plane changes\nin between backup and restore operations, such as memory leaks if the\nrefcount was supposed to go down, or double frees / invalid memory\naccesses if the refcount was supposed to go up.\n\n[How]\nCache and re-apply current refcount when restoring plane states.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: avoid potential dereference of error pointers\n\nThe return value of drm_atomic_get_crtc_state() needs to be\nchecked. To avoid use of error pointer 'crtc_state' in case\nof the failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check\n\nThe return value of drm_atomic_get_crtc_state() needs to be\nchecked. To avoid use of error pointer 'crtc_state' in case\nof the failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check\n\nThe return value of drm_atomic_get_crtc_state() needs to be\nchecked. To avoid use of error pointer 'crtc_state' in case\nof the failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur\n\nThe action force umount(umount -f) will attempt to kill all rpc_task even\numount operation may ultimately fail if some files remain open.\nConsequently, if an action attempts to open a file, it can potentially\nsend two rpc_task to nfs server.\n\n                   NFS CLIENT\nthread1                             thread2\nopen(\"file\")\n...\nnfs4_do_open\n _nfs4_do_open\n  _nfs4_open_and_get_state\n   _nfs4_proc_open\n    nfs4_run_open_task\n     /* rpc_task1 */\n     rpc_run_task\n     rpc_wait_for_completion_task\n\n                                    umount -f\n                                    nfs_umount_begin\n                                     rpc_killall_tasks\n                                      rpc_signal_task\n     rpc_task1 been wakeup\n     and return -512\n _nfs4_do_open // while loop\n    ...\n    nfs4_run_open_task\n     /* rpc_task2 */\n     rpc_run_task\n     rpc_wait_for_completion_task\n\nWhile processing an open request, nfsd will first attempt to find or\nallocate an nfs4_openowner. If it finds an nfs4_openowner that is not\nmarked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since\ntwo rpc_task can attempt to open the same file simultaneously from the\nclient to server, and because two instances of nfsd can run\nconcurrently, this situation can lead to lots of memory leak.\nAdditionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be\ntriggered.\n\n                    NFS SERVER\nnfsd1                  nfsd2       echo 0 > /proc/fs/nfsd/threads\n\nnfsd4_open\n nfsd4_process_open1\n  find_or_alloc_open_stateowner\n   // alloc oo1, stateid1\n                       nfsd4_open\n                        nfsd4_process_open1\n                        find_or_alloc_open_stateowner\n                        // find oo1, without NFS4_OO_CONFIRMED\n                         release_openowner\n                          unhash_openowner_locked\n                          list_del_init(&oo->oo_perclient)\n                          // cannot find this oo\n                          // from client, LEAK!!!\n                         alloc_stateowner // alloc oo2\n\n nfsd4_process_open2\n  init_open_stateid\n  // associate oo1\n  // with stateid1, stateid1 LEAK!!!\n  nfs4_get_vfs_file\n  // alloc nfsd_file1 and nfsd_file_mark1\n  // all LEAK!!!\n\n                         nfsd4_process_open2\n                         ...\n\n                                    write_threads\n                                     ...\n                                     nfsd_destroy_serv\n                                      nfsd_shutdown_net\n                                       nfs4_state_shutdown_net\n                                        nfs4_state_destroy_net\n                                         destroy_client\n                                          __destroy_client\n                                          // won't find oo1!!!\n                                     nfsd_shutdown_generic\n                                      nfsd_file_cache_shutdown\n                                       kmem_cache_destroy\n                                       for nfsd_file_slab\n                                       and nfsd_file_mark_slab\n                                       // bark since nfsd_file1\n                                       // and nfsd_file_mark1\n                                       // still alive\n\n=======================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n-----------------------------------------------------------------------\n\nSlab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28\nflags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)\nCPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nCall Trace:\n <TASK>\n dum\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: flush quota_release_work upon quota writeback\n\nOne of the paths quota writeback is called from is:\n\nfreeze_super()\n  sync_filesystem()\n    ext4_sync_fs()\n      dquot_writeback_dquots()\n\nSince we currently don't always flush the quota_release_work queue in\nthis path, we can end up with the following race:\n\n 1. dquot are added to releasing_dquots list during regular operations.\n 2. FS Freeze starts, however, this does not flush the quota_release_work queue.\n 3. Freeze completes.\n 4. Kernel eventually tries to flush the workqueue while FS is frozen which\n    hits a WARN_ON since transaction gets started during frozen state:\n\n  ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)\n  __ext4_journal_start_sb+0x64/0x1c0 [ext4]\n  ext4_release_dquot+0x90/0x1d0 [ext4]\n  quota_release_workfn+0x43c/0x4d0\n\nWhich is the following line:\n\n  WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);\n\nWhich ultimately results in generic/390 failing due to dmesg\nnoise. This was detected on powerpc machine 15 cores.\n\nTo avoid this, make sure to flush the workqueue during\ndquot_writeback_dquots() so we don't have any pending workitems after\nfreeze.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: x86: Add adev NULL check to acpi_quirk_skip_serdev_enumeration()\n\nacpi_dev_hid_match() does not check for adev == NULL, dereferencing\nit unconditionally.\n\nAdd a check for adev being NULL before calling acpi_dev_hid_match().\n\nAt the moment acpi_quirk_skip_serdev_enumeration() is never called with\na controller_parent without an ACPI companion, but better safe than sorry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level\n\ncgroup maximum depth is INT_MAX by default, there is a cgroup toggle to\nrestrict this maximum depth to a more reasonable value not to harm\nperformance. Remove unnecessary WARN_ON_ONCE which is reachable from\nuserspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Adding array index check to prevent memory corruption\n\n[Why & How]\nArray indices out of bound caused memory corruption. Adding checks to\nensure that array index stays in bound.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a\n\nFix the dtc warnings:\n\n    arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider\n    arch/mips/boot/dts/loongson/ls7a-pch.dtsi:68.16-416.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider\n    arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'\n\nAnd a runtime warning introduced in commit 045b14ca5c36 (\"of: WARN on\ndeprecated #address-cells/#size-cells handling\"):\n\n    WARNING: CPU: 0 PID: 1 at drivers/of/base.c:106 of_bus_n_addr_cells+0x9c/0xe0\n    Missing '#address-cells' in /bus@10000000/pci@1a000000/pci_bridge@9,0\n\nThe fix is similar to commit d89a415ff8d5 (\"MIPS: Loongson64: DTS: Fix PCIe\nport nodes for ls7a\"), which has fixed the issue for ls2k (despite its\nsubject mentions ls7a).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: imx8m: Probe the SoC driver as platform driver\n\nWith driver_async_probe=* on kernel command line, the following trace is\nproduced because on i.MX8M Plus hardware because the soc-imx8m.c driver\ncalls of_clk_get_by_name() which returns -EPROBE_DEFER because the clock\ndriver is not yet probed. This was not detected during regular testing\nwithout driver_async_probe.\n\nConvert the SoC code to platform driver and instantiate a platform device\nin its current device_initcall() to probe the platform driver. Rework\n.soc_revision callback to always return valid error code and return SoC\nrevision via parameter. This way, if anything in the .soc_revision callback\nreturn -EPROBE_DEFER, it gets propagated to .probe and the .probe will get\nretried later.\n\n\"\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1 at drivers/soc/imx/soc-imx8m.c:115 imx8mm_soc_revision+0xdc/0x180\nCPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-next-20240924-00002-g2062bb554dea #603\nHardware name: DH electronics i.MX8M Plus DHCOM Premium Developer Kit (3) (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : imx8mm_soc_revision+0xdc/0x180\nlr : imx8mm_soc_revision+0xd0/0x180\nsp : ffff8000821fbcc0\nx29: ffff8000821fbce0 x28: 0000000000000000 x27: ffff800081810120\nx26: ffff8000818a9970 x25: 0000000000000006 x24: 0000000000824311\nx23: ffff8000817f42c8 x22: ffff0000df8be210 x21: fffffffffffffdfb\nx20: ffff800082780000 x19: 0000000000000001 x18: ffffffffffffffff\nx17: ffff800081fff418 x16: ffff8000823e1000 x15: ffff0000c03b65e8\nx14: ffff0000c00051b0 x13: ffff800082790000 x12: 0000000000000801\nx11: ffff80008278ffff x10: ffff80008209d3a6 x9 : ffff80008062e95c\nx8 : ffff8000821fb9a0 x7 : 0000000000000000 x6 : 00000000000080e3\nx5 : ffff0000df8c03d8 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : fffffffffffffdfb x0 : 
fffffffffffffdfb\nCall trace:\n imx8mm_soc_revision+0xdc/0x180\n imx8_soc_init+0xb0/0x1e0\n do_one_initcall+0x94/0x1a8\n kernel_init_freeable+0x240/0x2a8\n kernel_init+0x28/0x140\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\nSoC: i.MX8MP revision 1.1\n\"",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-56788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: oa_tc6: fix tx skb race condition between reference pointers\n\nThere are two skb pointers to manage tx skb's enqueued from n/w stack.\nwaiting_tx_skb pointer points to the tx skb which needs to be processed\nand ongoing_tx_skb pointer points to the tx skb which is being processed.\n\nSPI thread prepares the tx data chunks from the tx skb pointed by the\nongoing_tx_skb pointer. When the tx skb pointed by the ongoing_tx_skb is\nprocessed, the tx skb pointed by the waiting_tx_skb is assigned to\nongoing_tx_skb and the waiting_tx_skb pointer is assigned with NULL.\nWhenever there is a new tx skb from n/w stack, it will be assigned to\nwaiting_tx_skb pointer if it is NULL. Enqueuing and processing of a tx skb\nhandled in two different threads.\n\nConsider a scenario where the SPI thread processed an ongoing_tx_skb and\nit moves next tx skb from waiting_tx_skb pointer to ongoing_tx_skb pointer\nwithout doing any NULL check. At this time, if the waiting_tx_skb pointer\nis NULL then ongoing_tx_skb pointer is also assigned with NULL. After\nthat, if a new tx skb is assigned to waiting_tx_skb pointer by the n/w\nstack and there is a chance to overwrite the tx skb pointer with NULL in\nthe SPI thread. 
Finally one of the tx skb will be left as unhandled,\nresulting packet missing and memory leak.\n\n- Consider the below scenario where the TXC reported from the previous\ntransfer is 10 and ongoing_tx_skb holds an tx ethernet frame which can be\ntransported in 20 TXCs and waiting_tx_skb is still NULL.\n\ttx_credits = 10; /* 21 are filled in the previous transfer */\n\tongoing_tx_skb = 20;\n\twaiting_tx_skb = NULL; /* Still NULL */\n- So, (tc6->ongoing_tx_skb || tc6->waiting_tx_skb) becomes true.\n- After oa_tc6_prepare_spi_tx_buf_for_tx_skbs()\n\tongoing_tx_skb = 10;\n\twaiting_tx_skb = NULL; /* Still NULL */\n- Perform SPI transfer.\n- Process SPI rx buffer to get the TXC from footers.\n- Now let's assume previously filled 21 TXCs are freed so we are good to\ntransport the next remaining 10 tx chunks from ongoing_tx_skb.\n\ttx_credits = 21;\n\tongoing_tx_skb = 10;\n\twaiting_tx_skb = NULL;\n- So, (tc6->ongoing_tx_skb || tc6->waiting_tx_skb) becomes true again.\n- In the oa_tc6_prepare_spi_tx_buf_for_tx_skbs()\n\tongoing_tx_skb = NULL;\n\twaiting_tx_skb = NULL;\n\n- Now the below bad case might happen,\n\nThread1 (oa_tc6_start_xmit)\tThread2 (oa_tc6_spi_thread_handler)\n---------------------------\t-----------------------------------\n- if waiting_tx_skb is NULL\n\t\t\t\t- if ongoing_tx_skb is NULL\n\t\t\t\t- ongoing_tx_skb = waiting_tx_skb\n- waiting_tx_skb = skb\n\t\t\t\t- waiting_tx_skb = NULL\n\t\t\t\t...\n\t\t\t\t- ongoing_tx_skb = NULL\n- if waiting_tx_skb is NULL\n- waiting_tx_skb = skb\n\nTo overcome the above issue, protect the moving of tx skb reference from\nwaiting_tx_skb pointer to ongoing_tx_skb pointer and assigning new tx skb\nto waiting_tx_skb pointer, so that the other thread can't access the\nwaiting_tx_skb pointer until the current thread completes moving the tx\nskb reference safely.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-56788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: check return value of sock_recvmsg when draining clc data\n\nWhen receiving clc msg, the field length in smc_clc_msg_hdr indicates the\nlength of msg should be received from network and the value should not be\nfully trusted as it is from the network. Once the value of length exceeds\nthe value of buflen in function smc_clc_wait_msg it may run into deadloop\nwhen trying to drain the remaining data exceeding buflen.\n\nThis patch checks the return value of sock_recvmsg when draining data in\ncase of deadloop in draining.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: gpio-charger: Fix set charge current limits\n\nFix set charge current limits for devices which allow to set the lowest\ncharge current limit to be greater than zero. If requested charge current limit\nis below lowest limit, the index equals current_limit_map_size which leads\nto accessing memory beyond allocated memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Just leak decrypted memory on unrecoverable errors\n\nIn CoCo VMs it is possible for the untrusted host to cause\nset_memory_decrypted() to fail such that an error is returned\nand the resulting memory is shared. Callers need to take care\nto handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional\nor security issues.\n\nLeak the decrypted memory when set_memory_decrypted() fails,\nand don't need to print an error since set_memory_decrypted()\nwill call WARN_ONCE().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). 
In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()\n\nWhile receiving an MST up request message from one thread in\ndrm_dp_mst_handle_up_req(), the MST topology could be removed from\nanother thread via drm_dp_mst_topology_mgr_set_mst(false), freeing\nmst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.\nThis could lead to a NULL deref/use-after-free of mst_primary in\ndrm_dp_mst_handle_up_req().\n\nAvoid the above by holding a reference for mst_primary in\ndrm_dp_mst_handle_up_req() while it's used.\n\nv2: Fix kfreeing the request if getting an mst_primary reference fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM\n\nIn some cases, rk_hdptx_phy_runtime_resume() may be invoked before\nplatform_set_drvdata() is executed in ->probe(), leading to a NULL\npointer dereference when using the return of dev_get_drvdata().\n\nEnsure platform_set_drvdata() is called before devm_pm_runtime_enable().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: memalloc: prefer dma_mapping_error() over explicit address checking\n\nWith CONFIG_DMA_API_DEBUG enabled, the following warning is observed:\n\nDMA-API: snd_hda_intel 0000:03:00.1: device driver failed to check map error[device address=0x00000000ffff0000] [size=20480 bytes] [mapped as single]\nWARNING: CPU: 28 PID: 2255 at kernel/dma/debug.c:1036 check_unmap+0x1408/0x2430\nCPU: 28 UID: 42 PID: 2255 Comm: wireplumber Tainted: G  W L  6.12.0-10-133577cad6bf48e5a7848c4338124081393bfe8a+ #759\ndebug_dma_unmap_page+0xe9/0xf0\nsnd_dma_wc_free+0x85/0x130 [snd_pcm]\nsnd_pcm_lib_free_pages+0x1e3/0x440 [snd_pcm]\nsnd_pcm_common_ioctl+0x1c9a/0x2960 [snd_pcm]\nsnd_pcm_ioctl+0x6a/0xc0 [snd_pcm]\n...\n\nCheck for returned DMA addresses using specialized dma_mapping_error()\nhelper which is generally recommended for this purpose by\nDocumentation/core-api/dma-api.rst.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Skip restore TC rules for vport rep without loaded flag\n\nDuring driver unload, unregister_netdev is called after unloading\nvport rep. So, the mlx5e_rep_priv is already freed while trying to get\nrpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free.\nSo add the check to make sure we only access the data of a vport rep which is\nstill loaded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: check buffer length before accessing it\n\nSyzkaller reports an uninit value read from ax25cmp when sending raw message\nthrough ieee802154 implementation.\n\n=====================================================\nBUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601\n nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774\n nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780\n 
sock_alloc_send_skb include/net/sock.h:1884 [inline]\n raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nThis issue occurs because the skb buffer is too small, and it's actual\nallocation is aligned. This hides an actual issue, which is that nr_route_frame\ndoes not validate the buffer size before using it.\n\nFix this issue by checking skb->len before accessing any fields in skb->data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs\n\nThe driver, through the SAS transport, exposes a sysfs interface to\nenable/disable PHYs in a controller/expander setup.  When multiple PHYs\nare disabled and enabled in rapid succession, the persistent and current\nconfig pages related to SAS IO unit/SAS Expander pages could get\ncorrupted.\n\nUse separate memory for each config request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP\n\nThe linkDMA should not be released on stop trigger since a stream re-start\nmight happen without closing of the stream. This leaves a short time for\nother streams to 'steal' the linkDMA since it has been released.\n\nThis issue is not easy to reproduce under normal conditions as usually\nafter stop the stream is closed, or the same stream is restarted, but if\nanother stream got in between the stop and start, like this:\naplay -Dhw:0,3 -c2 -r48000 -fS32_LE /dev/zero -d 120\nCTRL+z\naplay -Dhw:0,0 -c2 -r48000 -fS32_LE /dev/zero -d 120\n\nthen the link DMA channels will be mixed up, resulting in firmware error or\ncrash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction atomicity bug when enabling simple quotas\n\nSet squota incompat bit before committing the transaction that enables\nthe feature.\n\nWith the config CONFIG_BTRFS_ASSERT enabled, an assertion\nfailure occurs regarding the simple quota feature.\n\n  [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365\n  [5.597098] ------------[ cut here ]------------\n  [5.597371] kernel BUG at fs/btrfs/qgroup.c:365!\n  [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146\n  [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.604303]  <TASK>\n  [5.605230]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.605538]  ? exc_invalid_op+0x56/0x70\n  [5.605775]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.606066]  ? asm_exc_invalid_op+0x1f/0x30\n  [5.606441]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.606741]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.607038]  ? 
try_to_wake_up+0x317/0x760\n  [5.607286]  open_ctree+0xd9c/0x1710\n  [5.607509]  btrfs_get_tree+0x58a/0x7e0\n  [5.608002]  vfs_get_tree+0x2e/0x100\n  [5.608224]  fc_mount+0x16/0x60\n  [5.608420]  btrfs_get_tree+0x2f8/0x7e0\n  [5.608897]  vfs_get_tree+0x2e/0x100\n  [5.609121]  path_mount+0x4c8/0xbc0\n  [5.609538]  __x64_sys_mount+0x10d/0x150\n\nThe issue can be easily reproduced using the following reproducer:\n\n  root@q:linux# cat repro.sh\n  set -e\n\n  mkfs.btrfs -q -f /dev/sdb\n  mount /dev/sdb /mnt/btrfs\n  btrfs quota enable -s /mnt/btrfs\n  umount /mnt/btrfs\n  mount /dev/sdb /mnt/btrfs\n\nThe issue is that when enabling quotas, at btrfs_quota_enable(), we set\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist\nit in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but\nwe only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we\ncommit the transaction used to enable simple quotas.\n\nThis means that if after that transaction commit we unmount the filesystem\nwithout starting and committing any other transaction, or we have a power\nfailure, the next time we mount the filesystem we will find the flag\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key\nBTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit\nBTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an\nassertion failure at:\n\n  btrfs_read_qgroup_config() -> qgroup_read_enable_gen()\n\nTo fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag\nimmediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE.\nThis ensures that both flags are flushed to disk within the same\ntransaction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix for a potential deadlock\n\nThis fixes a 'possible circular locking dependency detected' warning\n      CPU0                    CPU1\n      ----                    ----\n lock(&instance->reset_mutex);\n                              lock(&shost->scan_mutex);\n                              lock(&instance->reset_mutex);\n lock(&shost->scan_mutex);\n\nFix this by temporarily releasing the reset_mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: imx6: Fix suspend/resume support on i.MX6QDL\n\nThe suspend/resume functionality is currently broken on the i.MX6QDL\nplatform, as documented in the NXP errata (ERR005723):\n\n  https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf\n\nThis patch addresses the issue by sharing most of the suspend/resume\nsequences used by other i.MX devices, while avoiding modifications to\ncritical registers that disrupt the PCIe functionality. It targets the\nsame problem as the following downstream commit:\n\n  https://github.com/nxp-imx/linux-imx/commit/4e92355e1f79d225ea842511fcfd42b343b32995\n\nUnlike the downstream commit, this patch also resets the connected PCIe\ndevice if possible. Without this reset, certain drivers, such as ath10k\nor iwlwifi, will crash on resume. The device reset is also done by the\ndriver on other i.MX platforms, making this patch consistent with\nexisting practices.\n\nUpon resuming, the kernel will hang and display an error. Here's an\nexample of the error encountered with the ath10k driver:\n\n  ath10k_pci 0000:01:00.0: Unable to change power state from D3hot to D0, device inaccessible\n  Unhandled fault: imprecise external abort (0x1406) at 0x0106f944\n\nWithout this patch, suspend/resume will fail on i.MX6QDL devices if a\nPCIe device is connected.\n\n[kwilczynski: commit log, added tag for stable releases]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread\n\nsyzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]\n\nIf dvb->mux is not initialized successfully by vidtv_mux_init() in the\nvidtv_start_streaming(), it will trigger null pointer dereference about mux\nin vidtv_mux_stop_thread().\n\nAdjust the timing of streaming initialization and check it before\nstopping it.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\nCPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471\nCode: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8\nRSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125\nRDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128\nRBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188\nR13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710\nFS:  00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]\n vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252\n dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000\n dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486\n dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3f8/0xb60 fs/file_table.c:450\n task_work_run+0x14e/0x250 kernel/task_work.c:239\n get_signal+0x1d3/0x2610 kernel/signal.c:2790\n arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/entry: Mark IRQ entries to fix stack depot warnings\n\nThe stack depot filters out everything outside of the top interrupt\ncontext as an uninteresting or irrelevant part of the stack traces. This\nhelps with stack trace de-duplication, avoiding an explosion of saved\nstack traces that share the same IRQ context code path but originate\nfrom different randomly interrupted points, eventually exhausting the\nstack depot.\n\nFiltering uses in_irqentry_text() to identify functions within the\n.irqentry.text and .softirqentry.text sections, which then become the\nlast stack trace entries being saved.\n\nWhile __do_softirq() is placed into the .softirqentry.text section by\ncommon code, populating .irqentry.text is architecture-specific.\n\nCurrently, the .irqentry.text section on s390 is empty, which prevents\nstack depot filtering and de-duplication and could result in warnings\nlike:\n\nStack depot reached limit capacity\nWARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8\n\nwith PREEMPT and KASAN enabled.\n\nFix this by moving the IO/EXT interrupt handlers from .kprobes.text into\nthe .irqentry.text section and updating the kprobes blacklist to include\nthe .irqentry.text section.\n\nThis is done only for asynchronous interrupts and explicitly not for\nprogram checks, which are synchronous and where the context beyond the\nprogram check is important to preserve. Despite machine checks being\nsomewhat in between, they are extremely rare, and preserving context\nwhen possible is also of value.\n\nSVCs and Restart Interrupts are not relevant, one being always at the\nboundary to user space and the other being a one-time thing.\n\nIRQ entries filtering is also optionally used in ftrace function graph,\nwhere the same logic applies.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"readahead: properly shorten readahead when falling back to do_page_cache_ra()\"\n\nThis reverts commit 7c877586da3178974a8a94577b6045a48377ff25.\n\nAnders and Philippe have reported that recent kernels occasionally hang\nwhen used with NFS in readahead code.  The problem has been bisected to\n7c877586da3 (\"readahead: properly shorten readahead when falling back to\ndo_page_cache_ra()\").  The cause of the problem is that ra->size can be\nshrunk by read_pages() call and subsequently we end up calling\ndo_page_cache_ra() with negative (read huge positive) number of pages. \nLet's revert 7c877586da3 for now until we can find a proper way how the\nlogic in read_pages() and page_cache_ra_order() can coexist.  This can\nlead to reduced readahead throughput due to readahead window confusion but\nthat's better than outright hangs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in tcp_conn_request()\n\nIf inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will\nreturn without free the dst memory, which allocated in af_ops->route_req.\n\nHere is the kmemleak stack:\n\nunreferenced object 0xffff8881198631c0 (size 240):\n  comm \"softirq\", pid 0, jiffies 4299266571 (age 1802.392s)\n  hex dump (first 32 bytes):\n    00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff  ................\n    81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00  .U..............\n  backtrace:\n    [<ffffffffb93e8d4c>] kmem_cache_alloc+0x60c/0xa80\n    [<ffffffffba11b4c5>] dst_alloc+0x55/0x250\n    [<ffffffffba227bf6>] rt_dst_alloc+0x46/0x1d0\n    [<ffffffffba23050a>] __mkroute_output+0x29a/0xa50\n    [<ffffffffba23456b>] ip_route_output_key_hash+0x10b/0x240\n    [<ffffffffba2346bd>] ip_route_output_flow+0x1d/0x90\n    [<ffffffffba254855>] inet_csk_route_req+0x2c5/0x500\n    [<ffffffffba26b331>] tcp_conn_request+0x691/0x12c0\n    [<ffffffffba27bd08>] tcp_rcv_state_process+0x3c8/0x11b0\n    [<ffffffffba2965c6>] tcp_v4_do_rcv+0x156/0x3b0\n    [<ffffffffba299c98>] tcp_v4_rcv+0x1cf8/0x1d80\n    [<ffffffffba239656>] ip_protocol_deliver_rcu+0xf6/0x360\n    [<ffffffffba2399a6>] ip_local_deliver_finish+0xe6/0x1e0\n    [<ffffffffba239b8e>] ip_local_deliver+0xee/0x360\n    [<ffffffffba239ead>] ip_rcv+0xad/0x2f0\n    [<ffffffffba110943>] __netif_receive_skb_one_core+0x123/0x140\n\nCall dst_release() to free the dst memory when\ninet_csk_reqsk_queue_hash_add() return false in tcp_conn_request().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix overflow inside virtnet_rq_alloc\n\nWhen the frag just got a page, then may lead to regression on VM.\nSpecially if the sysctl net.core.high_order_alloc_disable value is 1,\nthen the frag always get a page when do refill.\n\nWhich could see reliable crashes or scp failure (scp a file 100M in size\nto VM).\n\nThe issue is that the virtnet_rq_dma takes up 16 bytes at the beginning\nof a new frag. When the frag size is larger than PAGE_SIZE,\neverything is fine. However, if the frag is only one page and the\ntotal size of the buffer and virtnet_rq_dma is larger than one page, an\noverflow may occur.\n\nThe commit f9dac92ba908 (\"virtio_ring: enable premapped mode whatever\nuse_dma_api\") introduced this problem. And we reverted some commits to\nfix this in last linux version. Now we try to enable it and fix this\nbug directly.\n\nHere, when the frag size is not enough, we reduce the buffer len to fix\nthis problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix fault on fd close after unbind\n\nIf userspace holds an fd open, unbinds the device and then closes it,\nthe driver shouldn't try to access the hardware. Protect it by using\ndrm_dev_enter()/drm_dev_exit(). This fixes the following page fault:\n\n<6> [IGT] xe_wedged: exiting, ret=98\n<1> BUG: unable to handle page fault for address: ffffc901bc5e508c\n<1> #PF: supervisor read access in kernel mode\n<1> #PF: error_code(0x0000) - not-present page\n...\n<4>   xe_lrc_update_timestamp+0x1c/0xd0 [xe]\n<4>   xe_exec_queue_update_run_ticks+0x50/0xb0 [xe]\n<4>   xe_exec_queue_fini+0x16/0xb0 [xe]\n<4>   __guc_exec_queue_fini_async+0xc4/0x190 [xe]\n<4>   guc_exec_queue_fini_async+0xa0/0xe0 [xe]\n<4>   guc_exec_queue_fini+0x23/0x40 [xe]\n<4>   xe_exec_queue_destroy+0xb3/0xf0 [xe]\n<4>   xe_file_close+0xd4/0x1a0 [xe]\n<4>   drm_file_free+0x210/0x280 [drm]\n<4>   drm_close_helper.isra.0+0x6d/0x80 [drm]\n<4>   drm_release_noglobal+0x20/0x90 [drm]\n\n(cherry picked from commit 4ca1fd418338d4d135428a0eb1e16e3b3ce17ee8)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cpum_sf: Handle CPU hotplug remove during sampling\n\nCPU hotplug remove handling triggers the following function\ncall sequence:\n\n   CPUHP_AP_PERF_S390_SF_ONLINE  --> s390_pmu_sf_offline_cpu()\n   ...\n   CPUHP_AP_PERF_ONLINE          --> perf_event_exit_cpu()\n\nThe s390 CPUMF sampling CPU hotplug handler invokes:\n\n s390_pmu_sf_offline_cpu()\n +-->  cpusf_pmu_setup()\n       +--> setup_pmc_cpu()\n            +--> deallocate_buffers()\n\nThis function de-allocates all sampling data buffers (SDBs) allocated\nfor that CPU at event initialization. It also clears the\nPMU_F_RESERVED bit. The CPU is gone and can not be sampled.\n\nWith the event still being active on the removed CPU, the CPU event\nhotplug support in kernel performance subsystem triggers the\nfollowing function calls on the removed CPU:\n\n  perf_event_exit_cpu()\n  +--> perf_event_exit_cpu_context()\n       +--> __perf_event_exit_context()\n\t    +--> __perf_remove_from_context()\n\t         +--> event_sched_out()\n\t              +--> cpumsf_pmu_del()\n\t                   +--> cpumsf_pmu_stop()\n                                +--> hw_perf_event_update()\n\nto stop and remove the event. During removal of the event, the\nsampling device driver tries to read out the remaining samples from\nthe sample data buffers (SDBs). But they have already been freed\n(and may have been re-assigned). This may lead to a use after free\nsituation in which case the samples are most likely invalid. In the\nbest case the memory has not been reassigned and still contains\nvalid data.\n\nRemedy this situation and check if the CPU is still in reserved\nstate (bit PMU_F_RESERVED set). In this case the SDBs have not been\nreleased an contain valid data. This is always the case when\nthe event is removed (and no CPU hotplug off occured).\nIf the PMU_F_RESERVED bit is not set, the SDB buffers are gone.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: Prevent rtime decompress memory corruption\n\nThe rtime decompression routine does not fully check bounds during the\nentirety of the decompression pass and can corrupt memory outside the\ndecompression buffer if the compressed data is corrupted. This adds the\nrequired check to prevent this failure mode.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: smc: Handle missing SCM device\n\nCommit ca61d6836e6f (\"firmware: qcom: scm: fix a NULL-pointer\ndereference\") makes it explicit that qcom_scm_get_tzmem_pool() can\nreturn NULL, therefore its users should handle this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Remove direct link to net_device\n\nDo not manage a per device direct link to net_device. Rely\non associated ib_devices net_device management, not doubling\nthe effort locally. A badly managed local link to net_device\nwas causing a 'KASAN: slab-use-after-free' exception during\nsiw_query_port() call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()\n\nThis will ensure that the scsi host is cleaned up properly using\nscsi_host_dev_release(). Otherwise, it may lead to memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL\n\nCurrently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl'\nvariable, and a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently tagged_addr_ctrl_set() will consume an\narbitrary value, potentially leaking up to 64 bits of memory from the\nkernel stack. The read is limited to a specific slot on the stack, and\nthe issue does not provide a write mechanism.\n\nAs set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and\nrejects other values, a partial SETREGSET attempt will randomly succeed\nor fail depending on the value of the uninitialized value, and the\nexposure is significantly limited.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\nvalue of the tagged address ctrl will be retained.\n\nThe NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the\nuser_aarch64_view used by a native AArch64 task to manipulate another\nnative AArch64 task. As get_tagged_addr_ctrl() only returns an error\nvalue when called for a compat task, tagged_addr_ctrl_get() and\ntagged_addr_ctrl_set() should never observe an error value from\nget_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that\nsuch an error would be unexpected, and error handlnig is not missing in\neither case.",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: RCU protect disk->conv_zones_bitmap\n\nEnsure that a disk revalidation changing the conventional zones bitmap\nof a disk does not cause invalid memory references when using the\ndisk_zone_is_conv() helper by RCU protecting the disk->conv_zones_bitmap\npointer.\n\ndisk_zone_is_conv() is modified to operate under the RCU read lock and\nthe function disk_set_conv_zones_bitmap() is added to update a disk\nconv_zones_bitmap pointer using rcu_replace_pointer() with the disk\nzone_wplugs_lock spinlock held.\n\ndisk_free_zone_resources() is modified to call\ndisk_update_zone_resources() with a NULL bitmap pointer to free the disk\nconv_zones_bitmap. disk_set_conv_zones_bitmap() is also used in\ndisk_update_zone_resources() to set the new (revalidated) bitmap and\nfree the old one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Fix resetting msg rx state after topology removal\n\nIf the MST topology is removed during the reception of an MST down reply\nor MST up request sideband message, the\ndrm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset\nfrom one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with\nthe reading/parsing of the message from another thread via\ndrm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is\npossible since the reader/parser doesn't hold any lock while accessing\nthe reception state. This in turn can lead to a memory corruption in the\nreader/parser as described by commit bd2fccac61b4 (\"drm/dp_mst: Fix MST\nsideband message body length check\").\n\nFix the above by resetting the message reception state if needed before\nreading/parsing a message. Another solution would be to hold the\ndrm_dp_mst_topology_mgr::lock for the whole duration of the message\nreception/parsing in drm_dp_mst_handle_down_rep() and\ndrm_dp_mst_handle_up_req(), however this would require a bigger change.\nSince the fix is also needed for stable, opting for the simpler solution\nin this patch.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_POE\n\nCurrently poe_set() doesn't initialize the temporary 'ctrl' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.por_el0, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of POR_EL1 will be retained.\n\nBefore this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50\n\nAfter this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn't initialize the temporary 'fpmr' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d",
          "scorev2": "0.0",
          "scorev3": "6.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: iso: Always release hdev at the end of iso_listen_bis\n\nSince hci_get_route holds the device before returning, the hdev\nshould be released with hci_dev_put at the end of iso_listen_bis\neven if the function returns with an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: Add space for a terminator into DAIs array\n\nThe code uses the initialised member of the asoc_sdw_dailink struct to\ndetermine if a member of the array is in use. However in the case the\narray is completely full this will lead to an access 1 past the end of\nthe array, expand the array by one entry to include a space for a\nterminator.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy()\n\nIn split_large_buddy(), we might call pfn_to_page() on a PFN that might\nnot exist.  In corner cases, such as when freeing the highest pageblock in\nthe last memory section, this could result with CONFIG_SPARSEMEM &&\n!CONFIG_SPARSEMEM_EXTREME in __pfn_to_section() returning NULL and and\n__section_mem_map_addr() dereferencing that NULL pointer.\n\nLet's fix it, and avoid doing a pfn_to_page() call for the first\niteration, where we already have the page.\n\nSo far this was found by code inspection, but let's just CC stable as the\nfix is easy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix TCP options overflow.\n\nSyzbot reported the following splat:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\nRIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]\nRIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552\nCode: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83\nRSP: 0000:ffffc90003916c90 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000\nRDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac\nR10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007\nR13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n skb_page_unref include/linux/skbuff_ref.h:43 [inline]\n __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]\n skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb+0x55/0x70 net/core/skbuff.c:1204\n tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]\n tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032\n tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805\n tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939\n tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351\n ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n __netif_receive_skb_one_core net/core/dev.c:5672 [inline]\n __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785\n process_backlog+0x662/0x15b0 net/core/dev.c:6117\n __napi_poll+0xcb/0x490 net/core/dev.c:6883\n napi_poll net/core/dev.c:6952 [inline]\n net_rx_action+0x89b/0x1240 net/core/dev.c:7074\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\nRIP: 0033:0x7f34f4519ad5\nCode: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83\nRSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246\nRAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5\nRDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0\nRBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000\nR10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4\nR13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68\n </TASK>\n\nEric noted a probable shinfo->nr_frags corruption, which indeed\noccurs.\n\nThe root cause is a buggy MPTCP option len computation in some\ncircumstances: the ADD_ADDR option should be mutually exclusive\nwith DSS since the blamed commit.\n\nStill, mptcp_established_options_add_addr() tries to set the\nrelevant info in mptcp_out_options, if \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: independent PMD page table shared count\n\nThe folio refcount may be increased unexpectly through try_get_folio() by\ncaller such as split_huge_pages.  In huge_pmd_unshare(), we use refcount\nto check whether a pmd page table is shared.  The check is incorrect if\nthe refcount is increased by the above caller, and this can cause the page\ntable leaked:\n\n BUG: Bad page state in process sh  pfn:109324\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324\n flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)\n page_type: f2(table)\n raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000\n raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000\n page dumped because: nonzero mapcount\n ...\n CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G    B              6.13.0-rc2master+ #7\n Tainted: [B]=BAD_PAGE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n  show_stack+0x20/0x38 (C)\n  dump_stack_lvl+0x80/0xf8\n  dump_stack+0x18/0x28\n  bad_page+0x8c/0x130\n  free_page_is_bad_report+0xa4/0xb0\n  free_unref_page+0x3cc/0x620\n  __folio_put+0xf4/0x158\n  split_huge_pages_all+0x1e0/0x3e8\n  split_huge_pages_write+0x25c/0x2d8\n  full_proxy_write+0x64/0xd8\n  vfs_write+0xcc/0x280\n  ksys_write+0x70/0x110\n  __arm64_sys_write+0x24/0x38\n  invoke_syscall+0x50/0x120\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x34/0x128\n  el0t_64_sync_handler+0xc8/0xd0\n  el0t_64_sync+0x190/0x198\n\nThe issue may be triggered by damon, offline_page, page_idle, etc, which\nwill increase the refcount of page table.\n\n1. The page table itself will be discarded after reporting the\n   \"nonzero mapcount\".\n\n2. The HugeTLB page mapped by the page table miss freeing since we\n   treat the page table as shared and a shared page table will not be\n   unmapped.\n\nFix it by introducing independent PMD page table shared count.  As\ndescribed by comment, pt_index/pt_mm/pt_frag_refcount are used for s390\ngmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv\npmds, so we can reuse the field as pt_share_count.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()\n\nThe task sometimes continues looping in throttle_direct_reclaim() because\nallow_direct_reclaim(pgdat) keeps returning false.  \n\n #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac\n #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c\n #2 [ffff80002cb6f990] schedule at ffff800008abc50c\n #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550\n #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68\n #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660\n #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98\n #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8\n #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974\n #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4\n\nAt this point, the pgdat contains the following two zones:\n\n        NODE: 4  ZONE: 0  ADDR: ffff00817fffe540  NAME: \"DMA32\"\n          SIZE: 20480  MIN/LOW/HIGH: 11/28/45\n          VM_STAT:\n                NR_FREE_PAGES: 359\n        NR_ZONE_INACTIVE_ANON: 18813\n          NR_ZONE_ACTIVE_ANON: 0\n        NR_ZONE_INACTIVE_FILE: 50\n          NR_ZONE_ACTIVE_FILE: 0\n          NR_ZONE_UNEVICTABLE: 0\n        NR_ZONE_WRITE_PENDING: 0\n                     NR_MLOCK: 0\n                    NR_BOUNCE: 0\n                   NR_ZSPAGES: 0\n            NR_FREE_CMA_PAGES: 0\n\n        NODE: 4  ZONE: 1  ADDR: ffff00817fffec00  NAME: \"Normal\"\n          SIZE: 8454144  PRESENT: 98304  MIN/LOW/HIGH: 68/166/264\n          VM_STAT:\n                NR_FREE_PAGES: 146\n        NR_ZONE_INACTIVE_ANON: 94668\n          NR_ZONE_ACTIVE_ANON: 3\n        NR_ZONE_INACTIVE_FILE: 735\n          NR_ZONE_ACTIVE_FILE: 78\n          NR_ZONE_UNEVICTABLE: 0\n        NR_ZONE_WRITE_PENDING: 0\n                     NR_MLOCK: 0\n                    NR_BOUNCE: 0\n                   NR_ZSPAGES: 0\n            NR_FREE_CMA_PAGES: 0\n\nIn allow_direct_reclaim(), while processing ZONE_DMA32, the sum of\ninactive/active file-backed pages calculated in zone_reclaimable_pages()\nbased on the result of zone_page_state_snapshot() is zero.  \n\nAdditionally, since this system lacks swap, the calculation of inactive/\nactive anonymous pages is skipped.\n\n        crash> p nr_swap_pages\n        nr_swap_pages = $1937 = {\n          counter = 0\n        }\n\nAs a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to\nthe processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having\nfree pages significantly exceeding the high watermark.\n\nThe problem is that the pgdat->kswapd_failures hasn't been incremented.\n\n        crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures\n        $1935 = 0x0\n\nThis is because the node deemed balanced.  The node balancing logic in\nbalance_pgdat() evaluates all zones collectively.  If one or more zones\n(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the\nentire node is deemed balanced.  This causes balance_pgdat() to exit early\nbefore incrementing the kswapd_failures, as it considers the overall\nmemory state acceptable, even though some zones (like ZONE_NORMAL) remain\nunder significant pressure.\n\n\nThe patch ensures that zone_reclaimable_pages() includes free pages\n(NR_FREE_PAGES) in its calculation when no other reclaimable pages are\navailable (e.g., file-backed or anonymous pages).  This change prevents\nzones like ZONE_DMA32, which have sufficient free pages, from being\nmistakenly deemed unreclaimable.  By doing so, the patch ensures proper\nnode balancing, avoids masking pressure on other zones like ZONE_NORMAL,\nand prevents infinite loops in throttle_direct_reclaim() caused by\nallow_direct_reclaim(pgdat) repeatedly returning false.\n\n\nThe kernel hangs due to a task stuck in throttle_direct_reclaim(), caused\nby a node being incorrectly deemed balanced despite pressure in certain\nzones, such as ZONE_NORMAL.  This issue arises from\nzone_reclaimable_pages\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: fix sleeping function called from invalid context at print message\n\nAddress a bug in the kernel that triggers a \"sleeping function called from\ninvalid context\" warning when /sys/kernel/debug/kmemleak is printed under\nspecific conditions:\n- CONFIG_PREEMPT_RT=y\n- Set SELinux as the LSM for the system\n- Set kptr_restrict to 1\n- kmemleak buffer contains at least one item\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n6 locks held by cat/136:\n #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30\n #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128\n #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0\n #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0\n #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0\nirq event stamp: 136660\nhardirqs last  enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8\nhardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0\nsoftirqs last  enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nPreemption disabled at:\n[<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0\nCPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G            E      6.11.0-rt7+ #34\nTainted: [E]=UNSIGNED_MODULE\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x1c/0x30\n dump_stack_lvl+0xe8/0x198\n dump_stack+0x18/0x20\n rt_spin_lock+0x8c/0x1a8\n avc_perm_nonode+0xa0/0x150\n cred_has_capability.isra.0+0x118/0x218\n selinux_capable+0x50/0x80\n security_capable+0x7c/0xd0\n has_ns_capability_noaudit+0x94/0x1b0\n has_capability_noaudit+0x20/0x30\n restricted_pointer+0x21c/0x4b0\n pointer+0x298/0x760\n vsnprintf+0x330/0xf70\n seq_printf+0x178/0x218\n print_unreferenced+0x1a4/0x2d0\n kmemleak_seq_show+0xd0/0x1e0\n seq_read_iter+0x354/0xe30\n seq_read+0x250/0x378\n full_proxy_read+0xd8/0x148\n vfs_read+0x190/0x918\n ksys_read+0xf0/0x1e0\n __arm64_sys_read+0x70/0xa8\n invoke_syscall.constprop.0+0xd4/0x1d8\n el0_svc+0x50/0x158\n el0t_64_sync+0x17c/0x180\n\n%pS and %pK, in the same back trace line, are redundant, and %pS can void\n%pK service in certain contexts.\n\n%pS alone already provides the necessary information, and if it cannot\nresolve the symbol, it falls back to printing the raw address voiding\nthe original intent behind the %pK.\n\nAdditionally, %pK requires a privilege check CAP_SYSLOG enforced through\nthe LSM, which can trigger a \"sleeping function called from invalid\ncontext\" warning under RT_PREEMPT kernels when the check occurs in an\natomic context. This issue may also affect other LSMs.\n\nThis change avoids the unnecessary privilege check and resolves the\nsleeping function warning without any loss of information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix new damon_target objects leaks on damon_commit_targets()\n\nPatch series \"mm/damon/core: fix memory leaks and ignored inputs from\ndamon_commit_ctx()\".\n\nDue to two bugs in damon_commit_targets() and damon_commit_schemes(),\nwhich are called from damon_commit_ctx(), some user inputs can be ignored,\nand some mmeory objects can be leaked.  Fix those.\n\nNote that only DAMON sysfs interface users are affected.  Other DAMON core\nAPI user modules that more focused more on simple and dedicated production\nusages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy\nfunction in the way, so not affected.\n\n\nThis patch (of 2):\n\nWhen new DAMON targets are added via damon_commit_targets(), the newly\ncreated targets are not deallocated when updating the internal data\n(damon_commit_target()) is failed.  Worse yet, even if the setup is\nsuccessfully done, the new target is not linked to the context.  Hence,\nthe new targets are always leaked regardless of the internal data setup\nfailure.  Fix the leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: adv7511: Fix use-after-free in adv7533_attach_dsi()\n\nThe host_node pointer was assigned and freed in adv7533_parse_dt(), and\nlater, adv7533_attach_dsi() uses the same. Fix this use-after-free issue\nby\u00a0dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()\nin error path of probe() and also in the remove().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker\n\nAfter commit\n746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")\namdgpu started seeing the following warning:\n\n [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]\n...\n [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]\n...\n [ ] Call Trace:\n [ ]  <TASK>\n...\n [ ]  ? check_flush_dependency+0xf5/0x110\n...\n [ ]  cancel_delayed_work_sync+0x6e/0x80\n [ ]  amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]\n [ ]  amdgpu_ring_alloc+0x40/0x50 [amdgpu]\n [ ]  amdgpu_ib_schedule+0xf4/0x810 [amdgpu]\n [ ]  ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]\n [ ]  amdgpu_job_run+0xaa/0x1f0 [amdgpu]\n [ ]  drm_sched_run_job_work+0x257/0x430 [gpu_sched]\n [ ]  process_one_work+0x217/0x720\n...\n [ ]  </TASK>\n\nThe intent of the verifcation done in check_flush_depedency is to ensure\nforward progress during memory reclaim, by flagging cases when either a\nmemory reclaim process, or a memory reclaim work item is flushed from a\ncontext not marked as memory reclaim safe.\n\nThis is correct when flushing, but when called from the\ncancel(_delayed)_work_sync() paths it is a false positive because work is\neither already running, or will not be running at all. Therefore\ncancelling it is safe and we can relax the warning criteria by letting the\nhelper know of the calling context.\n\nReferences: 746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking\n\nIf a device uses MCP23xxx IO expander to receive IRQs, the following\nbug can happen:\n\n  BUG: sleeping function called from invalid context\n    at kernel/locking/mutex.c:283\n  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...\n  preempt_count: 1, expected: 0\n  ...\n  Call Trace:\n  ...\n  __might_resched+0x104/0x10e\n  __might_sleep+0x3e/0x62\n  mutex_lock+0x20/0x4c\n  regmap_lock_mutex+0x10/0x18\n  regmap_update_bits_base+0x2c/0x66\n  mcp23s08_irq_set_type+0x1ae/0x1d6\n  __irq_set_trigger+0x56/0x172\n  __setup_irq+0x1e6/0x646\n  request_threaded_irq+0xb6/0x160\n  ...\n\nWe observed the problem while experimenting with a touchscreen driver which\nused MCP23017 IO expander (I2C).\n\nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from\nconcurrent accesses, which is the default for regmaps without .fast_io,\n.disable_locking, etc.\n\nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter\nlocks the mutex.\n\nHowever, __setup_irq() locks desc->lock spinlock before calling these\nfunctions. As a result, the system tries to lock the mutex whole holding\nthe spinlock.\n\nIt seems, the internal regmap locks are not needed in this driver at all.\nmcp->lock seems to protect the regmap from concurrent accesses already,\nexcept, probably, in mcp_pinconf_get/set.\n\nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under\nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes\nmcp->lock and enables regmap caching, so that the potentially slow I2C\naccesses are deferred until chip_bus_unlock().\n\nThe accesses to the regmap from mcp23s08_probe_one() do not need additional\nlocking.\n\nIn all remaining places where the regmap is accessed, except\nmcp_pinconf_get/set(), the driver already takes mcp->lock.\n\nThis patch adds locking in mcp_pinconf_get/set() and disables internal\nlocking in the regmap config. Among other things, it fixes the sleeping\nin atomic context described above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Prevent integer overflow issue\n\nIn the expression \"cmd.wqe_size * cmd.wr_count\", both variables are u32\nvalues that come from the user so the multiplication can lead to integer\nwrapping.  Then we pass the result to uverbs_request_next_ptr() which also\ncould potentially wrap.  The \"cmd.sge_count * sizeof(struct ib_uverbs_sge)\"\nmultiplication can also overflow on 32bit systems although it's fine on\n64bit systems.\n\nThis patch does two things.  First, I've re-arranged the condition in\nuverbs_request_next_ptr() so that the use controlled variable \"len\" is on\none side of the comparison by itself without any math.  Then I've modified\nall the callers to use size_mul() for the multiplications.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix invalid irq restore in scx_ops_bypass()\n\nWhile adding outer irqsave/restore locking, 0e7ffff1b811 (\"scx: Fix raciness\nin scx_ops_bypass()\") forgot to convert an inner rq_unlock_irqrestore() to\nrq_unlock() which could re-enable IRQ prematurely leading to the following\nwarning:\n\n  raw_local_irq_restore() called with IRQs enabled\n  WARNING: CPU: 1 PID: 96 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40\n  ...\n  Sched_ext: create_dsq (enabling)\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : warn_bogus_irq_restore+0x30/0x40\n  lr : warn_bogus_irq_restore+0x30/0x40\n  ...\n  Call trace:\n   warn_bogus_irq_restore+0x30/0x40 (P)\n   warn_bogus_irq_restore+0x30/0x40 (L)\n   scx_ops_bypass+0x224/0x3b8\n   scx_ops_enable.isra.0+0x2c8/0xaa8\n   bpf_scx_reg+0x18/0x30\n  ...\n  irq event stamp: 33739\n  hardirqs last  enabled at (33739): [<ffff8000800b699c>] scx_ops_bypass+0x174/0x3b8\n  hardirqs last disabled at (33738): [<ffff800080d48ad4>] _raw_spin_lock_irqsave+0xb4/0xd8\n\nDrop the stray _irqrestore().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix slab-use-after-free due to dangling pointer dqi_priv\n\nWhen mounting ocfs2 and then remounting it as read-only, a\nslab-use-after-free occurs after the user uses a syscall to\nquota_getnextquota.  Specifically, sb_dqinfo(sb, type)->dqi_priv is the\ndangling pointer.\n\nDuring the remounting process, the pointer dqi_priv is freed but is never\nset as null leaving it to be accessed.  Additionally, the read-only option\nfor remounting sets the DQUOT_SUSPENDED flag instead of setting the\nDQUOT_USAGE_ENABLED flags.  Moreover, later in the process of getting the\nnext quota, the function ocfs2_get_next_id is called and only checks the\nquota usage flags and not the quota suspended flags.\n\nTo fix this, I set dqi_priv to null when it is freed after remounting with\nread-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.\n\n[akpm@linux-foundation.org: coding-style cleanups]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: oss: Fix races at processing SysEx messages\n\nOSS sequencer handles the SysEx messages split in 6 bytes packets, and\nALSA sequencer OSS layer tries to combine those.  It stores the data\nin the internal buffer and this access is racy as of now, which may\nlead to the out-of-bounds access.\n\nAs a temporary band-aid fix, introduce a mutex for serializing the\nprocess of the SysEx message packets.",
          "scorev2": "0.0",
          "scorev3": "6.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: set ATTR_CTIME flags when setting mtime\n\nDavid reported that the new warning from setattr_copy_mgtime is coming\nlike the following.\n\n[  113.215316] ------------[ cut here ]------------\n[  113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200\n[  113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234\n[  113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n[  113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]\n[  113.222220] RIP: 0010:setattr_copy+0x1ee/0x200\n[  113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0\n[  113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202\n[  113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003\n[  113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0\n[  113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa\n[  113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38\n[  113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000\n[  113.230210] FS:  0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000\n[  113.231215] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0\n[  113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  113.234797] Call Trace:\n[  113.235116]  <TASK>\n[  113.235393]  ? __warn+0x73/0xd0\n[  113.235802]  ? setattr_copy+0x1ee/0x200\n[  113.236299]  ? report_bug+0xf3/0x1e0\n[  113.236757]  ? handle_bug+0x4d/0x90\n[  113.237202]  ? exc_invalid_op+0x13/0x60\n[  113.237689]  ? asm_exc_invalid_op+0x16/0x20\n[  113.238185]  ? setattr_copy+0x1ee/0x200\n[  113.238692]  btrfs_setattr+0x80/0x820 [btrfs]\n[  113.239285]  ? get_stack_info_noinstr+0x12/0xf0\n[  113.239857]  ? __module_address+0x22/0xa0\n[  113.240368]  ? handle_ksmbd_work+0x6e/0x460 [ksmbd]\n[  113.240993]  ? __module_text_address+0x9/0x50\n[  113.241545]  ? __module_address+0x22/0xa0\n[  113.242033]  ? unwind_next_frame+0x10e/0x920\n[  113.242600]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  113.243268]  notify_change+0x2c2/0x4e0\n[  113.243746]  ? stack_depot_save_flags+0x27/0x730\n[  113.244339]  ? set_file_basic_info+0x130/0x2b0 [ksmbd]\n[  113.244993]  set_file_basic_info+0x130/0x2b0 [ksmbd]\n[  113.245613]  ? process_scheduled_works+0xbe/0x310\n[  113.246181]  ? worker_thread+0x100/0x240\n[  113.246696]  ? kthread+0xc8/0x100\n[  113.247126]  ? ret_from_fork+0x2b/0x40\n[  113.247606]  ? ret_from_fork_asm+0x1a/0x30\n[  113.248132]  smb2_set_info+0x63f/0xa70 [ksmbd]\n\nksmbd is trying to set the atime and mtime via notify_change without also\nsetting the ctime. so This patch add ATTR_CTIME flags when setting mtime\nto avoid a warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: flush delalloc workers queue before stopping cleaner kthread during unmount\n\nDuring the unmount path, at close_ctree(), we first stop the cleaner\nkthread, using kthread_stop() which frees the associated task_struct, and\nthen stop and destroy all the work queues. However after we stopped the\ncleaner we may still have a worker from the delalloc_workers queue running\ninode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),\nwhich in turn tries to wake up the cleaner kthread - which was already\ndestroyed before, resulting in a use-after-free on the task_struct.\n\nSyzbot reported this with the following stack traces:\n\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n  Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52\n\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Workqueue: btrfs-delalloc btrfs_work_helper\n  Call Trace:\n   <TASK>\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:489\n   kasan_report+0x143/0x180 mm/kasan/report.c:602\n   __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n   try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205\n   submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615\n   run_ordered_work fs/btrfs/async-thread.c:288 [inline]\n   btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324\n   process_one_work kernel/workqueue.c:3229 [inline]\n   process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n   kthread+0x2f0/0x390 kernel/kthread.c:389\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n   </TASK>\n\n  Allocated by task 2:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n   kasan_slab_alloc include/linux/kasan.h:250 [inline]\n   slab_post_alloc_hook mm/slub.c:4104 [inline]\n   slab_alloc_node mm/slub.c:4153 [inline]\n   kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205\n   alloc_task_struct_node kernel/fork.c:180 [inline]\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1113\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2225\n   kernel_clone+0x223/0x870 kernel/fork.c:2807\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2869\n   create_kthread kernel/kthread.c:412 [inline]\n   kthreadd+0x60d/0x810 kernel/kthread.c:767\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n  Freed by task 24:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n   poison_slab_object mm/kasan/common.c:247 [inline]\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n   kasan_slab_free include/linux/kasan.h:233 [inline]\n   slab_free_hook mm/slub.c:2338 [inline]\n   slab_free mm/slub.c:4598 [inline]\n   kmem_cache_free+0x195/0x410 mm/slub.c:4700\n   put_task_struct include/linux/sched/task.h:144 [inline]\n   delayed_put_task_struct+0x125/0x300 kernel/exit.c:227\n   rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n   rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554\n   run_ksoftirqd+0xca/0x130 kernel/softirq.c:943\n  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Correct the migration DMA map direction\n\nThe SVM DMA device map direction should be set the same as\nthe DMA unmap setting, otherwise the DMA core will report\nthe following warning.\n\nBefore finalizing this solution, there was some discussion on\nthe DMA mapping type (stream-based or coherent) in this KFD\nmigration case, followed by https://lore.kernel.org/all/04d4ab32\n-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/.\n\nAs there's no dma_sync_single_for_*() on the DMA buffer accessed,\nbecause this migration operation should be synced properly and\nautomatically. Given that there might not be a performance problem\nin the various cache sync policies of DMA sync. Therefore, in order to\nsimplify the DMA direction setting alignment, let's set the DMA map\ndirection as BIDIRECTIONAL.\n\n[  150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930\n[  150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds\n[  150.834310]  wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[  150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G           OE      6.10.0-custom #492\n[  150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[  150.834360] RIP: 0010:check_unmap+0x1cc/0x930\n[  150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50\n[  150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086\n[  150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027\n[  150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680\n[  150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850\n[  150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40\n[  150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b\n[  150.834377] FS:  00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000\n[  150.834379] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0\n[  150.834383] Call Trace:\n[  150.834385]  <TASK>\n[  150.834387]  ? show_regs+0x6d/0x80\n[  150.834393]  ? __warn+0x8c/0x140\n[  150.834397]  ? check_unmap+0x1cc/0x930\n[  150.834400]  ? report_bug+0x193/0x1a0\n[  150.834406]  ? handle_bug+0x46/0x80\n[  150.834410]  ? exc_invalid_op+0x1d/0x80\n[  150.834413]  ? asm_exc_invalid_op+0x1f/0x30\n[  150.834420]  ? check_unmap+0x1cc/0x930\n[  150.834425]  debug_dma_unmap_page+0x86/0x90\n[  150.834431]  ? srso_return_thunk+0x5/0x5f\n[  150.834435] \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: clear link ID from bitmap during link delete after clean up\n\nCurrently, during link deletion, the link ID is first removed from the\nvalid_links bitmap before performing any clean-up operations. However, some\nfunctions require the link ID to remain in the valid_links bitmap. One\nsuch example is cfg80211_cac_event(). The flow is -\n\nnl80211_remove_link()\n    cfg80211_remove_link()\n        ieee80211_del_intf_link()\n            ieee80211_vif_set_links()\n                ieee80211_vif_update_links()\n                    ieee80211_link_stop()\n                        cfg80211_cac_event()\n\ncfg80211_cac_event() requires link ID to be present but it is cleared\nalready in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.\n\nTherefore, clear the link ID from the bitmap only after completing the link\nclean-up.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix mbss changed flags corruption on 32 bit systems\n\nOn 32-bit systems, the size of an unsigned long is 4 bytes,\nwhile a u64 is 8 bytes. Therefore, when using\nfor_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE),\nthe code is incorrectly searching for a bit in a 32-bit\nvariable that is expected to be 64 bits in size,\nleading to incorrect bit finding.\n\nSolution: Ensure that the size of the bits variable is correctly\nadjusted for each architecture.\n\n Call Trace:\n  ? show_regs+0x54/0x58\n  ? __warn+0x6b/0xd4\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? report_bug+0x113/0x150\n  ? exc_overflow+0x30/0x30\n  ? handle_bug+0x27/0x44\n  ? exc_invalid_op+0x18/0x50\n  ? handle_exception+0xf6/0xf6\n  ? exc_overflow+0x30/0x30\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? exc_overflow+0x30/0x30\n  ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n  ? ieee80211_mesh_work+0xff/0x260 [mac80211]\n  ? cfg80211_wiphy_work+0x72/0x98 [cfg80211]\n  ? process_one_work+0xf1/0x1fc\n  ? worker_thread+0x2c0/0x3b4\n  ? kthread+0xc7/0xf0\n  ? mod_delayed_work_on+0x4c/0x4c\n  ? kthread_complete_and_exit+0x14/0x14\n  ? ret_from_fork+0x24/0x38\n  ? kthread_complete_and_exit+0x14/0x14\n  ? ret_from_fork_asm+0xf/0x14\n  ? entry_INT80_32+0xf0/0xf0\n\n[restore no-op path for no changes]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: serialize calls to nf_register_net_hooks()\n\nsyzbot found a race in ila_add_mapping() [1]\n\ncommit 031ae72825ce (\"ila: call nf_unregister_net_hooks() sooner\")\nattempted to fix a similar issue.\n\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\n\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\n\n[1]\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\n\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xc3/0x620 mm/kasan/report.c:489\n  kasan_report+0xd9/0x110 mm/kasan/report.c:602\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\n  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\n  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\n  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\n  process_backlog+0x443/0x15f0 net/core/dev.c:6117\n  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\n  napi_poll net/core/dev.c:6952 [inline]\n  net_rx_action+0xa94/0x1010 net/core/dev.c:7074\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK\n\nBlamed commit forgot MSG_PEEK case, allowing a crash [1] as found\nby syzbot.\n\nRework vlan_get_protocol_dgram() to not touch skb at all,\nso that it can be used from many cpus on the same skb.\n\nAdd a const qualifier to skb argument.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL>\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc900038d7638 EFLAGS: 00010282\nRAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60\nR10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140\nR13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011\nFS:  00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  skb_push+0xe5/0x100 net/core/skbuff.c:2636\n  vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585\n  packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg+0x22f/0x280 net/socket.c:1055\n  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x426/0xab0 net/socket.c:2940\n  __sys_recvmmsg net/socket.c:3014 [inline]\n  __do_sys_recvmmsg net/socket.c:3037 [inline]\n  __se_sys_recvmmsg net/socket.c:3030 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: fix vlan_get_tci() vs MSG_PEEK\n\nBlamed commit forgot MSG_PEEK case, allowing a crash [1] as found\nby syzbot.\n\nRework vlan_get_tci() to not touch skb at all,\nso that it can be used from many cpus on the same skb.\n\nAdd a const qualifier to skb argument.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev:<NULL>\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286\nRAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50\nR10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140\nR13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014\nFS:  00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  skb_push+0xe5/0x100 net/core/skbuff.c:2636\n  vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565\n  packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616\n  sock_recvmsg_nosec net/socket.c:1044 [inline]\n  sock_recvmsg+0x22f/0x280 net/socket.c:1066\n  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814\n  ___sys_recvmsg net/socket.c:2856 [inline]\n  do_recvmmsg+0x426/0xab0 net/socket.c:2951\n  __sys_recvmmsg net/socket.c:3025 [inline]\n  __do_sys_recvmmsg net/socket.c:3048 [inline]\n  __se_sys_recvmmsg net/socket.c:3041 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: restrict SO_REUSEPORT to inet sockets\n\nAfter blamed commit, crypto sockets could accidentally be destroyed\nfrom RCU call back, as spotted by syzbot [1].\n\nTrying to acquire a mutex in RCU callback is not allowed.\n\nRestrict SO_REUSEPORT socket option to inet sockets.\n\nv1 of this patch supported TCP, UDP and SCTP sockets,\nbut fcnal-test.sh test needed RAW and ICMP support.\n\n[1]\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:562\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1\npreempt_count: 100, expected: 0\nRCU nest depth: 0, expected: 0\n1 lock held by ksoftirqd/1/24:\n  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]\n  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]\n  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823\nPreemption disabled at:\n [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]\n [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537\nCPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  __might_resched+0x5d4/0x780 kernel/sched/core.c:8758\n  __mutex_lock_common kernel/locking/mutex.c:562 [inline]\n  __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735\n  crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179\n  aead_release+0x3d/0x50 crypto/algif_aead.c:489\n  alg_do_release crypto/af_alg.c:118 [inline]\n  alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502\n  __sk_destruct+0x58/0x5f0 net/core/sock.c:2260\n  rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n  rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:950\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: at91: call input_free_device() on allocated iio_dev\n\nCurrent implementation of at91_ts_register() calls input_free_device()\non st->ts_input, however, the err label can be reached before the\nallocated iio_dev is stored to st->ts_input. Thus call\ninput_free_device() on input instead of st->ts_input.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads1119: fix information leak in triggered buffer\n\nThe 'scan' local struct is used to push data to user space from a\ntriggered buffer, but it has a hole between the sample (unsigned int)\nand the timestamp. This hole is never initialized.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads8688: fix information leak in triggered buffer\n\nThe 'buffer' local array is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: rockchip_saradc: fix information leak in triggered buffer\n\nThe 'data' local struct is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: kmx61: fix information leak in triggered buffer\n\nThe 'buffer' local array is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: bh1745: fix information leak in triggered buffer\n\nThe 'scan' local struct is used to push data to user space from a\ntriggered buffer, but it does not set values for inactive channels, as\nit only uses iio_for_each_active_channel() to assign new values.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: vcnl4035: fix information leak in triggered buffer\n\nThe 'buffer' local array is used to push data to userspace from a\ntriggered buffer, but it does not set an initial value for the single\ndata element, which is a u16 aligned to 8 bytes. That leaves at least\n4 bytes uninitialized even after writing an integer value with\nregmap_read().\n\nInitialize the array to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: dummy: iio_simple_dummy_buffer: fix information leak in triggered buffer\n\nThe 'data' array is allocated via kmalloc() and it is used to push data\nto user space from a triggered buffer, but it does not set values for\ninactive channels, as it only uses iio_for_each_active_channel()\nto assign new values.\n\nUse kzalloc for the memory allocation to avoid pushing uninitialized\ninformation to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: pressure: zpa2326: fix information leak in triggered buffer\n\nThe 'sample' local struct is used to push data to user space from a\ntriggered buffer, but it has a hole between the temperature and the\ntimestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).\nThis hole is never initialized.\n\nInitialize the struct to zero before using it to avoid pushing\nuninitialized information to userspace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Remove WARN_ON in functionfs_bind\n\nThis commit addresses an issue related to the kernel panic below, where\npanic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON\nin functionfs_bind, which easily leads to the following scenarios.\n\n1.adb_write in adbd               2. UDC write via configfs\n  =================\t             =====================\n\n->usb_ffs_open_thread()           ->UDC write\n ->open_functionfs()               ->configfs_write_iter()\n  ->adb_open()                      ->gadget_dev_desc_UDC_store()\n   ->adb_write()                     ->usb_gadget_register_driver_owner\n                                      ->driver_register()\n->StartMonitor()                       ->bus_add_driver()\n ->adb_read()                           ->gadget_bind_driver()\n<times-out without BIND event>           ->configfs_composite_bind()\n                                          ->usb_add_function()\n->open_functionfs()                        ->ffs_func_bind()\n ->adb_open()                               ->functionfs_bind()\n                                       <ffs->state !=FFS_ACTIVE>\n\nThe adb_open, adb_read, and adb_write operations are invoked from the\ndaemon, but trying to bind the function is a process that is invoked by\nUDC write through configfs, which opens up the possibility of a race\ncondition between the two paths. In this race scenario, the kernel panic\noccurs due to the WARN_ON from functionfs_bind when panic_on_warn is\nenabled. This commit fixes the kernel panic by removing the unnecessary\nWARN_ON.\n\nKernel panic - not syncing: kernel: panic_on_warn set ...\n[   14.542395] Call trace:\n[   14.542464]  ffs_func_bind+0x1c8/0x14a8\n[   14.542468]  usb_add_function+0xcc/0x1f0\n[   14.542473]  configfs_composite_bind+0x468/0x588\n[   14.542478]  gadget_bind_driver+0x108/0x27c\n[   14.542483]  really_probe+0x190/0x374\n[   14.542488]  __driver_probe_device+0xa0/0x12c\n[   14.542492]  driver_probe_device+0x3c/0x220\n[   14.542498]  __driver_attach+0x11c/0x1fc\n[   14.542502]  bus_for_each_dev+0x104/0x160\n[   14.542506]  driver_attach+0x24/0x34\n[   14.542510]  bus_add_driver+0x154/0x270\n[   14.542514]  driver_register+0x68/0x104\n[   14.542518]  usb_gadget_register_driver_owner+0x48/0xf4\n[   14.542523]  gadget_dev_desc_UDC_store+0xf8/0x144\n[   14.542526]  configfs_write_iter+0xf0/0x138",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpci: fix NULL pointer issue on shared irq case\n\nThe tcpci_irq() may meet below NULL pointer dereference issue:\n\n[    2.641851] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n[    2.641951] status 0x1, 0x37f\n[    2.650659] Mem abort info:\n[    2.656490]   ESR = 0x0000000096000004\n[    2.660230]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.665532]   SET = 0, FnV = 0\n[    2.668579]   EA = 0, S1PTW = 0\n[    2.671715]   FSC = 0x04: level 0 translation fault\n[    2.676584] Data abort info:\n[    2.679459]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    2.684936]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.689980]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.695284] [0000000000000010] user address but active_mm is swapper\n[    2.701632] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    2.707883] Modules linked in:\n[    2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 Not tainted 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4\n[    2.720570] Hardware name: NXP i.MX93 11X11 EVK board (DT)\n[    2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    2.732989] pc : tcpci_irq+0x38/0x318\n[    2.736647] lr : _tcpci_irq+0x14/0x20\n[    2.740295] sp : ffff80008324bd30\n[    2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70\n[    2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000\n[    2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000\n[    2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001\n[    2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040\n[    2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a\n[    2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : ffff80008324bd00\n[    2.793465] x8 : 
ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031\n[    2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002\n[    2.807713] x2 : ffff80008324bd3a x1 : 0000000000000010 x0 : 0000000000000000\n[    2.814838] Call trace:\n[    2.817273]  tcpci_irq+0x38/0x318\n[    2.820583]  _tcpci_irq+0x14/0x20\n[    2.823885]  irq_thread_fn+0x2c/0xa8\n[    2.827456]  irq_thread+0x16c/0x2f4\n[    2.830940]  kthread+0x110/0x114\n[    2.834164]  ret_from_fork+0x10/0x20\n[    2.837738] Code: f9426420 f9001fe0 d2800000 52800201 (f9400a60)\n\nThis may happen on shared irq case. Such as two Type-C ports share one\nirq. After the first port finished tcpci_register_port(), it may trigger\ninterrupt. However, if the interrupt comes by chance the 2nd port finishes\ndevm_request_threaded_irq(), the 2nd port interrupt handler will run at\nfirst. Then the above issue happens due to tcpci is still a NULL pointer\nin tcpci_irq() when dereference to regmap.\n\n  devm_request_threaded_irq()\n\t\t\t\t<-- port1 irq comes\n  disable_irq(client->irq);\n  tcpci_register_port()\n\nThis will restore the logic to the state before commit (77e85107a771 \"usb:\ntypec: tcpci: support edge irq\").\n\nHowever, moving tcpci_register_port() earlier creates a problem when use\nedge irq because tcpci_init() will be called before\ndevm_request_threaded_irq(). The tcpci_init() writes the ALERT_MASK to\nthe hardware to tell it to start generating interrupts but we're not ready\nto deal with them yet, then the ALERT events may be missed and ALERT line\nwill not recover to high level forever. To avoid the issue, this will also\nset ALERT_MASK register after devm_request_threaded_irq() return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling\n\nResolve kernel panic caused by improper handling of IRQs while\naccessing GPIO values. This is done by replacing generic_handle_irq with\nhandle_nested_irq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntopology: Keep the cpumask unchanged when printing cpumap\n\nDuring fuzz testing, the following warning was discovered:\n\n different return values (15 and 11) from vsnprintf(\"%*pbl\n \", ...)\n\n test:keyward is WARNING in kvasprintf\n WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130\n Call Trace:\n  kvasprintf+0x121/0x130\n  kasprintf+0xa6/0xe0\n  bitmap_print_to_buf+0x89/0x100\n  core_siblings_list_read+0x7e/0xb0\n  kernfs_file_read_iter+0x15b/0x270\n  new_sync_read+0x153/0x260\n  vfs_read+0x215/0x290\n  ksys_read+0xb9/0x160\n  do_syscall_64+0x56/0x100\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe call trace shows that kvasprintf() reported this warning during the\nprinting of core_siblings_list. kvasprintf() has several steps:\n\n (1) First, calculate the length of the resulting formatted string.\n\n (2) Allocate a buffer based on the returned length.\n\n (3) Then, perform the actual string formatting.\n\n (4) Check whether the lengths of the formatted strings returned in\n     steps (1) and (2) are consistent.\n\nIf the core_cpumask is modified between steps (1) and (3), the lengths\nobtained in these two steps may not match. Indeed our test includes cpu\nhotplugging, which should modify core_cpumask while printing.\n\nTo fix this issue, cache the cpumask into a temporary variable before\ncalling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged\nduring the printing process.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix page fault due to max surface definition mismatch\n\nDC driver is using two different values to define the maximum number of\nsurfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as\nthe unique definition for surface updates across DC.\n\nIt fixes page fault faced by Cosmic users on AMD display versions that\nsupport two overlay planes, since the introduction of cursor overlay\nmode.\n\n[Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b\n[  +0.000015] #PF: supervisor read access in kernel mode\n[  +0.000006] #PF: error_code(0x0000) - not-present page\n[  +0.000005] PGD 0 P4D 0\n[  +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300\n[  +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[  +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]\n[  +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b <0f> b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b\n[  +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206\n[  +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070\n[  +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000\n[  +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000\n[  +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000\n[  +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000\n[  +0.000004] FS:  0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000\n[  +0.000005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 
0000000000350ef0\n[  +0.000005] Call Trace:\n[  +0.000011]  <TASK>\n[  +0.000010]  ? __die_body.cold+0x19/0x27\n[  +0.000012]  ? page_fault_oops+0x15a/0x2d0\n[  +0.000014]  ? exc_page_fault+0x7e/0x180\n[  +0.000009]  ? asm_exc_page_fault+0x26/0x30\n[  +0.000013]  ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000739]  ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]\n[  +0.000470]  update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]\n[  +0.000450]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]\n[  +0.000446]  update_planes_and_stream_v2+0x24a/0x590 [amdgpu]\n[  +0.000464]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? sort+0x31/0x50\n[  +0.000007]  ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]\n[  +0.000508]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]\n[  +0.000377]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]\n[  +0.000058]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_default_wait+0x8c/0x260\n[  +0.000010]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? wait_for_completion_timeout+0x13b/0x170\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_wait_timeout+0x108/0x140\n[  +0.000010]  ? commit_tail+0x94/0x130 [drm_kms_helper]\n[  +0.000024]  ? process_one_work+0x177/0x330\n[  +0.000008]  ? worker_thread+0x266/0x3a0\n[  +0.000006]  ? __pfx_worker_thread+0x10/0x10\n[  +0.000004]  ? kthread+0xd2/0x100\n[  +0.000006]  ? __pfx_kthread+0x10/0x10\n[  +0.000006]  ? ret_from_fork+0x34/0x50\n[  +0.000004]  ? __pfx_kthread+0x10/0x10\n[  +0.000005]  ? ret_from_fork_asm+0x1a/0x30\n[  +0.000011]  </TASK>\n\n(cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix divide error in DM plane scale calcs\n\ndm_get_plane_scale doesn't take into account plane scaled size equal to\nzero, leading to a kernel oops due to division by zero. Fix by setting\nout-scale size as zero when the dst size is zero, similar to what is\ndone by drm_calc_scale(). This issue started with the introduction of\ncursor ovelay mode that uses this function to assess cursor mode changes\nvia dm_crtc_get_cursor_mode() before checking plane state.\n\n[Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231\n[  +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[  +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 <41> f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66\n[  +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246\n[  +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500\n[  +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4\n[  +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00\n[  +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010\n[  +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0\n[  +0.000004] FS:  00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000\n[  +0.000004] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0\n[  +0.000004] Call Trace:\n[  +0.000007]  <TASK>\n[  +0.000006]  ? __die_body.cold+0x19/0x27\n[  +0.000009]  ? die+0x2e/0x50\n[  +0.000007]  ? do_trap+0xca/0x110\n[  +0.000007]  ? do_error_trap+0x6a/0x90\n[  +0.000006]  ? 
dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000504]  ? exc_divide_error+0x38/0x50\n[  +0.000005]  ? dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000488]  ? asm_exc_divide_error+0x1a/0x20\n[  +0.000011]  ? dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000593]  dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu]\n[  +0.000562]  amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu]\n[  +0.000501]  drm_atomic_check_only+0x5e1/0xa30 [drm]\n[  +0.000047]  drm_mode_atomic_ioctl+0x832/0xcb0 [drm]\n[  +0.000050]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm]\n[  +0.000047]  drm_ioctl_kernel+0xb3/0x100 [drm]\n[  +0.000062]  drm_ioctl+0x27a/0x4f0 [drm]\n[  +0.000049]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm]\n[  +0.000055]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]\n[  +0.000360]  __x64_sys_ioctl+0x97/0xd0\n[  +0.000010]  do_syscall_64+0x82/0x190\n[  +0.000008]  ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm]\n[  +0.000044]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? drm_ioctl_kernel+0xb3/0x100 [drm]\n[  +0.000040]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __check_object_size+0x50/0x220\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? drm_ioctl+0x2a4/0x4f0 [drm]\n[  +0.000039]  ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm]\n[  +0.000043]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __pm_runtime_suspend+0x69/0xc0\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu]\n[  +0.000366]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? syscall_exit_to_user_mode+0x77/0x210\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? do_syscall_64+0x8e/0x190\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? do_syscall_64+0x8e/0x190\n[  +0.000006]  ? 
srso_return_thunk+0x5/0x5f\n[  +0.000007]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000008] RIP: 0033:0x55bb7cd962bc\n[  +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add a lock when accessing the buddy trim function\n\nWhen running YouTube videos and Steam games simultaneously,\nthe tester found a system hang / race condition issue with\nthe multi-display configuration setting. Adding a lock to\nthe buddy allocator's trim function would be the solution.\n\n<log snip>\n[ 7197.250436] general protection fault, probably for non-canonical address 0xdead000000000108\n[ 7197.250447] RIP: 0010:__alloc_range+0x8b/0x340 [amddrm_buddy]\n[ 7197.250470] Call Trace:\n[ 7197.250472]  <TASK>\n[ 7197.250475]  ? show_regs+0x6d/0x80\n[ 7197.250481]  ? die_addr+0x37/0xa0\n[ 7197.250483]  ? exc_general_protection+0x1db/0x480\n[ 7197.250488]  ? drm_suballoc_new+0x13c/0x93d [drm_suballoc_helper]\n[ 7197.250493]  ? asm_exc_general_protection+0x27/0x30\n[ 7197.250498]  ? __alloc_range+0x8b/0x340 [amddrm_buddy]\n[ 7197.250501]  ? __alloc_range+0x109/0x340 [amddrm_buddy]\n[ 7197.250506]  amddrm_buddy_block_trim+0x1b5/0x260 [amddrm_buddy]\n[ 7197.250511]  amdgpu_vram_mgr_new+0x4f5/0x590 [amdgpu]\n[ 7197.250682]  amdttm_resource_alloc+0x46/0xb0 [amdttm]\n[ 7197.250689]  ttm_bo_alloc_resource+0xe4/0x370 [amdttm]\n[ 7197.250696]  amdttm_bo_validate+0x9d/0x180 [amdttm]\n[ 7197.250701]  amdgpu_bo_pin+0x15a/0x2f0 [amdgpu]\n[ 7197.250831]  amdgpu_dm_plane_helper_prepare_fb+0xb2/0x360 [amdgpu]\n[ 7197.251025]  ? try_wait_for_completion+0x59/0x70\n[ 7197.251030]  drm_atomic_helper_prepare_planes.part.0+0x2f/0x1e0\n[ 7197.251035]  drm_atomic_helper_prepare_planes+0x5d/0x70\n[ 7197.251037]  drm_atomic_helper_commit+0x84/0x160\n[ 7197.251040]  drm_atomic_nonblocking_commit+0x59/0x70\n[ 7197.251043]  drm_mode_atomic_ioctl+0x720/0x850\n[ 7197.251047]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n[ 7197.251049]  drm_ioctl_kernel+0xb9/0x120\n[ 7197.251053]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 7197.251056]  drm_ioctl+0x2d4/0x550\n[ 7197.251058]  ? 
__pfx_drm_mode_atomic_ioctl+0x10/0x10\n[ 7197.251063]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]\n[ 7197.251186]  __x64_sys_ioctl+0xa0/0xf0\n[ 7197.251190]  x64_sys_call+0x143b/0x25c0\n[ 7197.251193]  do_syscall_64+0x7f/0x180\n[ 7197.251197]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 7197.251199]  ? amdgpu_display_user_framebuffer_create+0x215/0x320 [amdgpu]\n[ 7197.251329]  ? drm_internal_framebuffer_create+0xb7/0x1a0\n[ 7197.251332]  ? srso_alias_return_thunk+0x5/0xfbef5\n\n(cherry picked from commit 3318ba94e56b9183d0304577c74b33b6b01ce516)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add check for granularity in dml ceil/floor helpers\n\n[Why]\nWrapper functions for dcn_bw_ceil2() and dcn_bw_floor2()\nshould check for granularity is non zero to avoid assert and\ndivide-by-zero error in dcn_bw_ functions.\n\n[How]\nAdd check for granularity 0.\n\n(cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zlib: fix avail_in bytes for s390 zlib HW compression path\n\nSince the input data length passed to zlib_compress_folios() can be\narbitrary, always setting strm.avail_in to a multiple of PAGE_SIZE may\ncause read-in bytes to exceed the input range. Currently this triggers\nan assert in btrfs_compress_folios() on the debug kernel (see below).\nFix strm.avail_in calculation for S390 hardware acceleration path.\n\n  assertion failed: *total_in <= orig_len, in fs/btrfs/compression.c:1041\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/compression.c:1041!\n  monitor event: 0040 ilc:2 [#1] PREEMPT SMP\n  CPU: 16 UID: 0 PID: 325 Comm: kworker/u273:3 Not tainted 6.13.0-20241204.rc1.git6.fae3b21430ca.300.fc41.s390x+debug #1\n  Hardware name: IBM 3931 A01 703 (z/VM 7.4.0)\n  Workqueue: btrfs-delalloc btrfs_work_helper\n  Krnl PSW : 0704d00180000000 0000021761df6538 (btrfs_compress_folios+0x198/0x1a0)\n             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000080000000 0000000000000001 0000000000000047 0000000000000000\n             0000000000000006 ffffff01757bb000 000001976232fcc0 000000000000130c\n             000001976232fcd0 000001976232fcc8 00000118ff4a0e30 0000000000000001\n             00000111821ab400 0000011100000000 0000021761df6534 000001976232fb58\n  Krnl Code: 0000021761df6528: c020006f5ef4        larl    %r2,0000021762be2310\n             0000021761df652e: c0e5ffbd09d5        brasl   %r14,00000217615978d8\n            #0000021761df6534: af000000            mc      0,0\n            >0000021761df6538: 0707                bcr     0,%r7\n             0000021761df653a: 0707                bcr     0,%r7\n             0000021761df653c: 0707                bcr     0,%r7\n             0000021761df653e: 0707                bcr     0,%r7\n             0000021761df6540: c004004bb7ec        brcl    0,000002176276d518\n  
Call Trace:\n   [<0000021761df6538>] btrfs_compress_folios+0x198/0x1a0\n  ([<0000021761df6534>] btrfs_compress_folios+0x194/0x1a0)\n   [<0000021761d97788>] compress_file_range+0x3b8/0x6d0\n   [<0000021761dcee7c>] btrfs_work_helper+0x10c/0x160\n   [<0000021761645760>] process_one_work+0x2b0/0x5d0\n   [<000002176164637e>] worker_thread+0x20e/0x3e0\n   [<000002176165221a>] kthread+0x15a/0x170\n   [<00000217615b859c>] __ret_from_fork+0x3c/0x60\n   [<00000217626e72d2>] ret_from_fork+0xa/0x38\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n   [<0000021761597924>] _printk+0x4c/0x58\n  Kernel panic - not syncing: Fatal exception: panic_on_oops",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: relax assertions on failure to encode file handles\n\nEncoding file handles is usually performed by a filesystem >encode_fh()\nmethod that may fail for various reasons.\n\nThe legacy users of exportfs_encode_fh(), namely, nfsd and\nname_to_handle_at(2) syscall are ready to cope with the possibility\nof failure to encode a file handle.\n\nThere are a few other users of exportfs_encode_{fh,fid}() that\ncurrently have a WARN_ON() assertion when ->encode_fh() fails.\nRelax those assertions because they are wrong.\n\nThe second linked bug report states commit 16aac5ad1fa9 (\"ovl: support\nencoding non-decodable file handles\") in v6.6 as the regressing commit,\nbut this is not accurate.\n\nThe aforementioned commit only increases the chances of the assertion\nand allows triggering the assertion with the reproducer using overlayfs,\ninotify and drop_caches.\n\nTriggering this assertion was always possible with other filesystems and\nother reasons of ->encode_fh() failures and more particularly, it was\nalso possible with the exact same reproducer using overlayfs that is\nmounted with options index=on,nfs_export=on also on kernels < v6.6.\nTherefore, I am not listing the aforementioned commit as a Fixes commit.\n\nBackport hint: this patch will have a trivial conflict applying to\nv6.6.y, and other trivial conflicts applying to stable kernels < v6.6.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix a missing return value check bug\n\nIn the smb2_send_interim_resp(), if ksmbd_alloc_work_struct()\nfails to allocate a node, it returns a NULL pointer to the\nin_work pointer. This can lead to an illegal memory write of\nin_work->response_buf when allocate_interim_rsp_buf() attempts\nto perform a kzalloc() on it.\n\nTo address this issue, incorporating a check for the return\nvalue of ksmbd_alloc_work_struct() ensures that the function\nreturns immediately upon allocation failure, thereby preventing\nthe aforementioned illegal memory access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err\n\nThe pointer need to be set to NULL, otherwise KASAN complains about\nuse-after-free. Because in mtk_drm_bind, all private's drm are set\nas follows.\n\nprivate->all_drm_private[i]->drm = drm;\n\nAnd drm will be released by drm_dev_put in case mtk_drm_kms_init returns\nfailure. However, the shutdown path still accesses the previous allocated\nmemory in drm_atomic_helper_shutdown.\n\n[   84.874820] watchdog: watchdog0: watchdog did not stop!\n[   86.512054] ==================================================================\n[   86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378\n[   86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1\n[   86.515213]\n[   86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55\n[   86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022\n[   86.517960] Call trace:\n[   86.518333]  show_stack+0x20/0x38 (C)\n[   86.518891]  dump_stack_lvl+0x90/0xd0\n[   86.519443]  print_report+0xf8/0x5b0\n[   86.519985]  kasan_report+0xb4/0x100\n[   86.520526]  __asan_report_load8_noabort+0x20/0x30\n[   86.521240]  drm_atomic_helper_shutdown+0x33c/0x378\n[   86.521966]  mtk_drm_shutdown+0x54/0x80\n[   86.522546]  platform_shutdown+0x64/0x90\n[   86.523137]  device_shutdown+0x260/0x5b8\n[   86.523728]  kernel_restart+0x78/0xf0\n[   86.524282]  __do_sys_reboot+0x258/0x2f0\n[   86.524871]  __arm64_sys_reboot+0x90/0xd8\n[   86.525473]  invoke_syscall+0x74/0x268\n[   86.526041]  el0_svc_common.constprop.0+0xb0/0x240\n[   86.526751]  do_el0_svc+0x4c/0x70\n[   86.527251]  el0_svc+0x4c/0xc0\n[   86.527719]  el0t_64_sync_handler+0x144/0x168\n[   86.528367]  el0t_64_sync+0x198/0x1a0\n[   86.528920]\n[   86.529157] The buggy address belongs to the physical page:\n[   
86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc\n[   86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff)\n[   86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000\n[   86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000\n[   86.534511] page dumped because: kasan: bad access detected\n[   86.535323]\n[   86.535559] Memory state around the buggy address:\n[   86.536265]  ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.537314]  ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.544733]                                                           ^\n[   86.551057]  ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.557510]  ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   86.563928] ==================================================================\n[   86.571093] Disabling lock debugging due to kernel taint\n[   86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b\n[   86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f]\n...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Fix oops in nfs_netfs_init_request() when copying to cache\n\nWhen netfslib wants to copy some data that has just been read on behalf of\nnfs, it creates a new write request and calls nfs_netfs_init_request() to\ninitialise it, but with a NULL file pointer.  This causes\nnfs_file_open_context() to oops - however, we don't actually need the nfs\ncontext as we're only going to write to the cache.\n\nFix this by just returning if we aren't given a file pointer and emit a\nwarning if the request was for something other than copy-to-cache.\n\nFurther, fix nfs_netfs_free_request() so that it doesn't try to free the\ncontext if the pointer is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix enomem handling in buffered reads\n\nIf netfs_read_to_pagecache() gets an error from either ->prepare_read() or\nfrom netfs_prepare_read_iterator(), it needs to decrement ->nr_outstanding,\ncancel the subrequest and break out of the issuing loop.  Currently, it\nonly does this for two of the cases, but there are two more that aren't\nhandled.\n\nFix this by moving the handling to a common place and jumping to it from\nall four places.  This is in preference to inserting a wrapper around\nnetfs_prepare_read_iterator() as proposed by Dmitry Antipov[1].",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm array: fix releasing a faulty array block twice in dm_array_cursor_end\n\nWhen dm_bm_read_lock() fails due to locking or checksum errors, it\nreleases the faulty block implicitly while leaving an invalid output\npointer behind. The caller of dm_bm_read_lock() should not operate on\nthis invalid dm_block pointer, or it will lead to undefined result.\nFor example, the dm_array_cursor incorrectly caches the invalid pointer\non reading a faulty array block, causing a double release in\ndm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().\n\nReproduce steps:\n\n1. initialize a cache device\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. wipe the second array block offline\n\ndmsteup remove cache cmeta cdata corig\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try reopen the cache device\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc $262144\"\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\nKernel logs:\n\n(snip)\ndevice-mapper: array: array_block_check failed: blocknr 0 != wanted 10\ndevice-mapper: block manager: array validator check failed for block 10\ndevice-mapper: array: get_ablock failed\ndevice-mapper: cache metadata: dm_array_cursor_next for mapping failed\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-bufio.c:638!\n\nFix by setting the cached block pointer to NULL on errors.\n\nIn addition to the reproducer described above, this fix can be\nverified using the \"array_cursor/damaged\" test in dm-unit:\n  dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have process_string() also allow arrays\n\nIn order to catch a common bug where a TRACE_EVENT() TP_fast_assign()\nassigns an address of an allocated string to the ring buffer and then\nreferences it in TP_printk(), which can be executed hours later when the\nstring is free, the function test_event_printk() runs on all events as\nthey are registered to make sure there's no unwanted dereferencing.\n\nIt calls process_string() to handle cases in TP_printk() format that has\n\"%s\". It returns whether or not the string is safe. But it can have some\nfalse positives.\n\nFor instance, xe_bo_move() has:\n\n TP_printk(\"move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s\",\n            __entry->move_lacks_source ? \"yes\" : \"no\", __entry->bo, __entry->size,\n            xe_mem_type_to_name[__entry->old_placement],\n            xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))\n\nWhere the \"%s\" references into xe_mem_type_to_name[]. This is an array of\npointers that should be safe for the event to access. Instead of flagging\nthis as a bad reference, if a reference points to an array, where the\nrecord field is the index, consider it safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.9"
        },
        {
          "id": "CVE-2024-57931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: ignore unknown extended permissions\n\nWhen evaluating extended permissions, ignore unknown permissions instead\nof calling BUG(). This commit ensures that future permissions can be\nadded without interfering with older kernels.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XDP xmit NDO on existence of xdp queues\n\nIn GVE, dedicated XDP queues only exist when an XDP program is installed\nand the interface is up. As such, the NDO XDP XMIT callback should\nreturn early if either of these conditions are false.\n\nIn the case of no loaded XDP program, priv->num_xdp_queues=0 which can\ncause a divide-by-zero error, and in the case of interface down,\nnum_xdp_queues remains untouched to persist XDP queue count for the next\ninterface up, but the TX pointer itself would be NULL.\n\nThe XDP xmit callback also needs to synchronize with a device\ntransitioning from open to close. This synchronization will happen via\nthe GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,\nwhich waits for any RCU critical sections at call-time to complete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XSK operations on the existence of queues\n\nThis patch predicates the enabling and disabling of XSK pools on the\nexistence of queues. As it stands, if the interface is down, disabling\nor enabling XSK pools would result in a crash, as the RX queue pointer\nwould be NULL. XSK pool registration will occur as part of the next\ninterface up.\n\nSimilarly, xsk_wakeup needs be guarded against queues disappearing\nwhile the function is executing, so a check against the\nGVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the\ndisabling of the bit and the synchronize_net() in gve_turndown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfgraph: Add READ_ONCE() when accessing fgraph_array[]\n\nIn __ftrace_return_to_handler(), a loop iterates over the fgraph_array[]\nelements, which are fgraph_ops. The loop checks if an element is a\nfgraph_stub to prevent using a fgraph_stub afterward.\n\nHowever, if the compiler reloads fgraph_array[] after this check, it might\nrace with an update to fgraph_array[] that introduces a fgraph_stub. This\ncould result in the stub being processed, but the stub contains a null\n\"func_hash\" field, leading to a NULL pointer dereference.\n\nTo ensure that the gops compared against the fgraph_stub matches the gops\nprocessed later, add a READ_ONCE(). A similar patch appears in commit\n63a8dfb (\"function_graph: Add READ_ONCE() when accessing fgraph_array[]\").",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix accessing invalid dip_ctx during destroying QP\n\nIf it fails to modify QP to RTR, dip_ctx will not be attached. And\nduring destroying QP, the invalid dip_ctx pointer will be accessed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.9"
        },
        {
          "id": "CVE-2024-57936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix max SGEs for the Work Request\n\nGen P7 supports up to 13 SGEs for now. WQE software structure\ncan hold only 6 now. Since the max send sge is reported as\n13, the stack can give requests up to 13 SGEs. This is causing\ntraffic failures and system crashes.\n\nUse the define for max SGE supported for variable size. This\nwill work for both static and variable WQEs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: Prevent autoclose integer overflow in sctp_association_init()\n\nWhile by default max_autoclose equals to INT_MAX / HZ, one may set\nnet.sctp.max_autoclose to UINT_MAX. There is code in\nsctp_association_init() that can consequently trigger overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix sleeping in invalid context in die()\n\ndie() can be called in exception handler, and therefore cannot sleep.\nHowever, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.\nThat causes the following warning:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex\npreempt_count: 110001, expected: 0\nRCU nest depth: 0, expected: 0\nCPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n    dump_backtrace+0x1c/0x24\n    show_stack+0x2c/0x38\n    dump_stack_lvl+0x5a/0x72\n    dump_stack+0x14/0x1c\n    __might_resched+0x130/0x13a\n    rt_spin_lock+0x2a/0x5c\n    die+0x24/0x112\n    do_trap_insn_illegal+0xa0/0xea\n    _new_vmalloc_restore_context_a0+0xcc/0xd8\nOops - illegal instruction [#1]\n\nSwitch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT\nenabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix the infinite loop in exfat_readdir()\n\nIf the file system is corrupted so that a cluster is linked to\nitself in the cluster chain, and there is an unused directory\nentry in the cluster, 'dentry' will not be incremented, causing\ncondition 'dentry < max_dentries' unable to prevent an infinite\nloop.\n\nThis infinite loop causes s_lock not to be released, and other\ntasks will hang, such as exfat_sync_fs().\n\nThis commit stops traversing the cluster chain when there is unused\ndirectory entry in the cluster to avoid this infinite loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix the (non-)cancellation of copy when cache is temporarily disabled\n\nWhen the caching for a cookie is temporarily disabled (e.g. due to a DIO\nwrite on that file), future copying to the cache for that file is disabled\nuntil all fds open on that file are closed.  However, if netfslib is using\nthe deprecated PG_private_2 method (such as is currently used by ceph), and\ndecides it wants to copy to the cache, netfs_advance_write() will just bail\nat the first check seeing that the cache stream is unavailable, and\nindicate that it dealt with all the content.\n\nThis means that we have no subrequests to provide notifications to drive\nthe state machine or even to pin the request and the request just gets\ndiscarded, leaving the folios with PG_private_2 set.\n\nFix this by jumping directly to cancel the request if the cache is not\navailable.  That way, we don't remove mark3 from the folio_queue list and\nnetfs_pgpriv2_cancel() will clean up the folios.\n\nThis was found by running the generic/013 xfstest against ceph with an\nactive cache and the \"-o fsc\" option passed to ceph.  That would usually\nhang",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix ceph copy to cache on write-begin\n\nAt the end of netfs_unlock_read_folio() in which folios are marked\nappropriately for copying to the cache (either with by being marked dirty\nand having their private data set or by having PG_private_2 set) and then\nunlocked, the folio_queue struct has the entry pointing to the folio\ncleared.  This presents a problem for netfs_pgpriv2_write_to_the_cache(),\nwhich is used to write folios marked with PG_private_2 to the cache as it\nexpects to be able to trawl the folio_queue list thereafter to find the\nrelevant folios, leading to a hang.\n\nFix this by not clearing the folio_queue entry if we're going to do the\ndeprecated copy-to-cache.  The clearance will be done instead as the folios\nare written to the cache.\n\nThis can be reproduced by starting cachefiles, mounting a ceph filesystem\nwith \"-o fsc\" and writing to it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix the new buffer was not zeroed before writing\n\nBefore writing, if a buffer_head marked as new, its data must\nbe zeroed, otherwise uninitialized data in the page cache will\nbe written.\n\nSo this commit uses folio_zero_new_buffers() to zero the new\nbuffers before ->write_end().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-ads1298: Add NULL check in ads1298_init\n\ndevm_kasprintf() can return a NULL pointer on failure. A check on the\nreturn value of such a call in ads1298_init() is missing. Add it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Fix the out of bound issue of vmemmap address\n\nIn sparse vmemmap model, the virtual address of vmemmap is calculated as:\n((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).\nAnd the struct page's va can be calculated with an offset:\n(vmemmap + (pfn)).\n\nHowever, when initializing struct pages, kernel actually starts from the\nfirst page from the same section that phys_ram_base belongs to. If the\nfirst page's physical address is not (phys_ram_base >> PAGE_SHIFT), then\nwe get an va below VMEMMAP_START when calculating va for it's struct page.\n\nFor example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the\nfirst page in the same section is actually pfn 0x80000. During\ninit_unavailable_range(), we will initialize struct page for pfn 0x80000\nwith virtual address ((struct page *)VMEMMAP_START - 0x2000), which is\nbelow VMEMMAP_START as well as PCI_IO_END.\n\nThis commit fixes this bug by introducing a new variable\n'vmemmap_start_pfn' which is aligned with memory section size and using\nit to calculate vmemmap address instead of phys_ram_base.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: don't keep queue frozen during system suspend\n\nCommit 4ce6e2db00de (\"virtio-blk: Ensure no requests in virtqueues before\ndeleting vqs.\") replaces queue quiesce with queue freeze in virtio-blk's\nPM callbacks. And the motivation is to drain inflight IOs before suspending.\n\nblock layer's queue freeze looks very handy, but it is also easy to cause\ndeadlock, such as, any attempt to call into bio_queue_enter() may run into\ndeadlock if the queue is frozen in current context. There are all kinds\nof ->suspend() called in suspend context, so keeping queue frozen in the\nwhole suspend context isn't one good idea. And Marek reported lockdep\nwarning[1] caused by virtio-blk's freeze queue in virtblk_freeze().\n\n[1] https://lore.kernel.org/linux-block/ca16370e-d646-4eee-b9cc-87277c89c43c@samsung.com/\n\nGiven the motivation is to drain in-flight IOs, it can be done by calling\nfreeze & unfreeze, meantime restore to previous behavior by keeping queue\nquiesced during suspend.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo: fix initial map fill\n\nThe initial buffer has to be inited to all-ones, but it must restrict\nit to the size of the first field, not the total field size.\n\nAfter each round in the map search step, the result and the fill map\nare swapped, so if we have a set where f->bsize of the first element\nis smaller than m->bsize_max, those one-bits are leaked into future\nrounds result map.\n\nThis makes pipapo find an incorrect matching results for sets where\nfirst field size is not the largest.\n\nFollowup patch adds a test case to nft_concat_range.sh selftest script.\n\nThanks to Stefano Brivio for pointing out that we need to zero out\nthe remainder explicitly, only correcting memset() argument isn't enough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.11"
        },
        {
          "id": "CVE-2024-57948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: check local interfaces before deleting sdata list\n\nsyzkaller reported a corrupted list in ieee802154_if_remove. [1]\n\nRemove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4\nhardware device from the system.\n\nCPU0\t\t\t\t\tCPU1\n====\t\t\t\t\t====\ngenl_family_rcv_msg_doit\t\tieee802154_unregister_hw\nieee802154_del_iface\t\t\tieee802154_remove_interfaces\nrdev_del_virtual_intf_deprecated\tlist_del(&sdata->list)\nieee802154_if_remove\nlist_del_rcu\n\nThe net device has been unregistered, since the rcu grace period,\nunregistration must be run before ieee802154_if_remove.\n\nTo avoid this issue, add a check for local->interfaces before deleting\nsdata list.\n\n[1]\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56\nCode: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7\nRSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246\nRAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d\nR10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000\nR13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0\nFS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __list_del_entry_valid include/linux/list.h:124 [inline]\n __list_del_entry include/linux/list.h:215 [inline]\n list_del_rcu include/linux/rculist.h:157 [inline]\n ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687\n rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]\n ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357\n netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:744\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607\n ___sys_sendmsg net/socket.c:2661 [inline]\n __sys_sendmsg+0x292/0x380 net/socket.c:2690\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()\n\nThe following call-chain leads to enabling interrupts in a nested interrupt\ndisabled section:\n\nirq_set_vcpu_affinity()\n  irq_get_desc_lock()\n     raw_spin_lock_irqsave()   <--- Disable interrupts\n  its_irq_set_vcpu_affinity()\n     guard(raw_spinlock_irq)   <--- Enables interrupts when leaving the guard()\n  irq_put_desc_unlock()        <--- Warns because interrupts are enabled\n\nThis was broken in commit b97e8a2f7130, which replaced the original\nraw_spin_[un]lock() pair with guard(raw_spinlock_irq).\n\nFix the issue by using guard(raw_spinlock).\n\n[ tglx: Massaged change log ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Initialize denominator defaults to 1\n\n[WHAT & HOW]\nVariables, used as denominators and maybe not assigned to other values,\nshould be initialized to non-zero to avoid DIVIDE_BY_ZERO, as reported\nby Coverity.\n\n(cherry picked from commit e2c4c6c10542ccfe4a0830bb6c9fd5b177b7bbb7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n  \tmodification in the prepare() callback and clear the remaining\n  \tstate in the starting callback instead of the prepare callback ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-57952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"libfs: fix infinite directory reads for offset dir\"\n\nThe current directory offset allocator (based on mtree_alloc_cyclic)\nstores the next offset value to return in octx->next_offset. This\nmechanism typically returns values that increase monotonically over\ntime. Eventually, though, the newly allocated offset value wraps\nback to a low number (say, 2) which is smaller than other already-\nallocated offset values.\n\nYu Kuai <yukuai3@huawei.com> reports that, after commit 64a7ce76fb90\n(\"libfs: fix infinite directory reads for offset dir\"), if a\ndirectory's offset allocator wraps, existing entries are no longer\nvisible via readdir/getdents because offset_readdir() stops listing\nentries once an entry's offset is larger than octx->next_offset.\nThese entries vanish persistently -- they can be looked up, but will\nnever again appear in readdir(3) output.\n\nThe reason for this is that the commit treats directory offsets as\nmonotonically increasing integer values rather than opaque cookies,\nand introduces this comparison:\n\n\tif (dentry2offset(dentry) >= last_index) {\n\nOn 64-bit platforms, the directory offset value upper bound is\n2^63 - 1. Directory offsets will monotonically increase for millions\nof years without wrapping.\n\nOn 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator\ncan wrap after only a few weeks (at worst).\n\nRevert commit 64a7ce76fb90 (\"libfs: fix infinite directory reads for\noffset dir\") to prepare for a fix that can work properly on 32-bit\nsystems and might apply to recent LTS kernels where shmem employs\nthe simple_offset mechanism.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: tps6594: Fix integer overflow on 32bit systems\n\nThe problem is this multiply in tps6594_rtc_set_offset()\n\n\ttmp = offset * TICKS_PER_HOUR;\n\nThe \"tmp\" variable is an s64 but \"offset\" is a long in the\n(-277774)-277774 range.  On 32bit systems a long can hold numbers up to\napproximately two billion.  The number of TICKS_PER_HOUR is really large,\n(32768 * 3600) or roughly a hundred million.  When you start multiplying\nby a hundred million it doesn't take long to overflow the two billion\nmark.\n\nProbably the safest way to fix this is to change the type of\nTICKS_PER_HOUR to long long because it's such a large number.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrdma/cxgb4: Prevent potential integer overflow on 32bit\n\nThe \"gl->tot_len\" variable is controlled by the user.  It comes from\nprocess_responses().  On 32bit systems, the \"gl->tot_len + sizeof(struct\ncpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an\ninteger wrapping bug.  Use size_add() to prevent this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Deal with race between UDP socket address change and rehash\n\nIf a UDP socket changes its local address while it's receiving\ndatagrams, as a result of connect(), there is a period during which\na lookup operation might fail to find it, after the address is changed\nbut before the secondary hash (port and address) and the four-tuple\nhash (local and remote ports and addresses) are updated.\n\nSecondary hash chains were introduced by commit 30fff9231fad (\"udp:\nbind() optimisation\") and, as a result, a rehash operation became\nneeded to make a bound socket reachable again after a connect().\n\nThis operation was introduced by commit 719f835853a9 (\"udp: add\nrehash on connect()\") which isn't however a complete fix: the\nsocket will be found once the rehashing completes, but not while\nit's pending.\n\nThis is noticeable with a socat(1) server in UDP4-LISTEN mode, and a\nclient sending datagrams to it. After the server receives the first\ndatagram (cf. 
_xioopen_ipdgram_listen()), it issues a connect() to\nthe address of the sender, in order to set up a directed flow.\n\nNow, if the client, running on a different CPU thread, happens to\nsend a (subsequent) datagram while the server's socket changes its\naddress, but is not rehashed yet, this will result in a failed\nlookup and a port unreachable error delivered to the client, as\napparent from the following reproducer:\n\n  LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))\n  dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in\n\n  while :; do\n  \ttaskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &\n  \tsleep 0.1 || sleep 1\n  \ttaskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null\n  \twait\n  done\n\nwhere the client will eventually get ECONNREFUSED on a write()\n(typically the second or third one of a given iteration):\n\n  2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused\n\nThis issue was first observed as a seldom failure in Podman's tests\nchecking UDP functionality while using pasta(1) to connect the\ncontainer's network namespace, which leads us to a reproducer with\nthe lookup error resulting in an ICMP packet on a tap device:\n\n  LOCAL_ADDR=\"$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == \"global\").local')\"\n\n  while :; do\n  \t./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &\n  \tsleep 0.2 || sleep 1\n  \tsocat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null\n  \twait\n  \tcmp tmp.in tmp.out\n  done\n\nOnce this fails:\n\n  tmp.in tmp.out differ: char 8193, line 29\n\nwe can finally have a look at what's going on:\n\n  $ tshark -r pasta.pcap\n      1   0.000000           :: ? ff02::16     ICMPv6 110 Multicast Listener Report Message v2\n      2   0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      3   0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 
1337 Len=8192\n      4   0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      5   0.168827 c6:47:05:8d:dc:04 ? Broadcast    ARP 42 Who has 88.198.0.161? Tell 88.198.0.164\n      6   0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55\n      7   0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n      8   0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)\n      9   0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n     10   0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192\n     11   0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096\n     12   0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0\n\nOn the third datagram received, the network namespace of the container\ninitiates an ARP lookup to deliver the ICMP message.\n\nIn another variant of this reproducer, starting the client with:\n\n  strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,tru\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when run_delalloc_nocow() failed\n\n[BUG]\nWith CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash\nwith the following VM_BUG_ON_FOLIO():\n\n  BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28\n  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28\n  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664\n  aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"\n  flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)\n  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))\n  ------------[ cut here ]------------\n  kernel BUG at mm/page-writeback.c:2992!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE      6.12.0-rc7-custom+ #87\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : folio_clear_dirty_for_io+0x128/0x258\n  lr : folio_clear_dirty_for_io+0x128/0x258\n  Call trace:\n   folio_clear_dirty_for_io+0x128/0x258\n   btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]\n   __process_folios_contig+0x154/0x268 [btrfs]\n   extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]\n   run_delalloc_nocow+0x5f8/0x760 [btrfs]\n   btrfs_run_delalloc_range+0xa8/0x220 [btrfs]\n   writepage_delalloc+0x230/0x4c8 [btrfs]\n   extent_writepage+0xb8/0x358 [btrfs]\n   extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x178/0x3a8 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThe first two lines of extra debug messages show the problem is caused\nby the error handling of run_delalloc_nocow().\n\nE.g. we have the following dirtied range (4K blocksize 4K page size):\n\n    0                 16K                  32K\n    |//////////////////////////////////////|\n    |  Pre-allocated  |\n\nAnd the range [0, 16K) has a preallocated extent.\n\n- Enter run_delalloc_nocow() for range [0, 16K)\n  Which found range [0, 16K) is preallocated, can do the proper NOCOW\n  write.\n\n- Enter fallback_to_fow() for range [16K, 32K)\n  Since the range [16K, 32K) is not backed by preallocated extent, we\n  have to go COW.\n\n- cow_file_range() failed for range [16K, 32K)\n  So cow_file_range() will do the clean up by clearing folio dirty,\n  unlock the folios.\n\n  Now the folios in range [16K, 32K) is unlocked.\n\n- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()\n  Which is called with PAGE_START_WRITEBACK to start page writeback.\n  But folios can only be marked writeback when it's properly locked,\n  thus this triggered the VM_BUG_ON_FOLIO().\n\nFurthermore there is another hidden but common bug that\nrun_delalloc_nocow() is not clearing the folio dirty flags in its error\nhandling path.\nThis is the common bug shared between run_delalloc_nocow() and\ncow_file_range().\n\n[FIX]\n- Clear folio dirty for range [@start, @cur_offset)\n  Introduce a helper, cleanup_dirty_folios(), which\n  will find and lock the folio in the range, clear the dirty flag and\n  start/end the writeback, with the extra handling for the\n  @locked_folio.\n\n- Introduce a helper to clear folio dirty, start and end writeback\n\n- Introduce a helper to record the last failed COW range end\n  This is 
to trace which range we should skip, to avoid double\n  unlocking.\n\n- Skip the failed COW range for the e\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when cow_file_range() failed\n\n[BUG]\nWhen testing with COW fixup marked as BUG_ON() (this is involved with the\nnew pin_user_pages*() change, which should not result new out-of-band\ndirty pages), I hit a crash triggered by the BUG_ON() from hitting COW\nfixup path.\n\nThis BUG_ON() happens just after a failed btrfs_run_delalloc_range():\n\n  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/extent_io.c:1444!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G           OE      6.12.0-rc7-custom+ #86\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : extent_writepage_io+0x2d4/0x308 [btrfs]\n  lr : extent_writepage_io+0x2d4/0x308 [btrfs]\n  Call trace:\n   extent_writepage_io+0x2d4/0x308 [btrfs]\n   extent_writepage+0x218/0x330 [btrfs]\n   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x180/0x3b0 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThat failure is mostly from cow_file_range(), where we can hit -ENOSPC.\n\nAlthough the -ENOSPC is already a bug related to our space reservation\ncode, let's just focus on the error handling.\n\nFor example, we have 
the following dirty range [0, 64K) of an inode,\nwith 4K sector size and 4K page size:\n\n   0        16K        32K       48K       64K\n   |///////////////////////////////////////|\n   |#######################################|\n\nWhere |///| means page are still dirty, and |###| means the extent io\ntree has EXTENT_DELALLOC flag.\n\n- Enter extent_writepage() for page 0\n\n- Enter btrfs_run_delalloc_range() for range [0, 64K)\n\n- Enter cow_file_range() for range [0, 64K)\n\n- Function btrfs_reserve_extent() only reserved one 16K extent\n  So we created extent map and ordered extent for range [0, 16K)\n\n   0        16K        32K       48K       64K\n   |////////|//////////////////////////////|\n   |<- OE ->|##############################|\n\n   And range [0, 16K) has its delalloc flag cleared.\n   But since we haven't yet submit any bio, involved 4 pages are still\n   dirty.\n\n- Function btrfs_reserve_extent() returns with -ENOSPC\n  Now we have to run error cleanup, which will clear all\n  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining\n  ranges:\n\n   0        16K        32K       48K       64K\n   |////////|                              |\n   |        |                              |\n\n  Note that range [0, 16K) still has its pages dirty.\n\n- Some time later, writeback is triggered again for the range [0, 16K)\n  since the page range still has dirty flags.\n\n- btrfs_run_delalloc_range() will do nothing because there is no\n  EXTENT_DELALLOC flag.\n\n- extent_writepage_io() finds page 0 has no ordered flag\n  Which falls into the COW fixup path, triggering the BUG_ON().\n\nUnfortunately this error handling bug dates back to the introduction of\nbtrfs.  
Thankfully with the abuse of COW fixup, at least it won't crash\nthe kernel.\n\n[FIX]\nInstead of immediately unlocking the extent and folios, we keep the extent\nand folios locked until either erroring out or the whole delalloc range\nfinished.\n\nWhen the whole delalloc range finished without error, we just unlock the\nwhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked\ncases)\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: fix soft lockup in the OOM process\n\nA soft lockup issue was found in the product with about 56,000 tasks were\nin the OOM cgroup, it was traversing them when the soft lockup was\ntriggered.\n\nwatchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066]\nCPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G\nHardware name: Huawei Cloud OpenStack Nova, BIOS\nRIP: 0010:console_unlock+0x343/0x540\nRSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13\nRAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247\nRBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040\nR10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0\nR13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n vprintk_emit+0x193/0x280\n printk+0x52/0x6e\n dump_task+0x114/0x130\n mem_cgroup_scan_tasks+0x76/0x100\n dump_header+0x1fe/0x210\n oom_kill_process+0xd1/0x100\n out_of_memory+0x125/0x570\n mem_cgroup_out_of_memory+0xb5/0xd0\n try_charge+0x720/0x770\n mem_cgroup_try_charge+0x86/0x180\n mem_cgroup_try_charge_delay+0x1c/0x40\n do_anonymous_page+0xb5/0x390\n handle_mm_fault+0xc4/0x1f0\n\nThis is because thousands of processes are in the OOM cgroup, it takes a\nlong time to traverse all of them.  As a result, this lead to soft lockup\nin the OOM process.\n\nTo fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks'\nfunction per 1000 iterations.  For global OOM, call\n'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Fix potential error pointer dereference in detach_pm()\n\nThe proble is on the first line:\n\n\tif (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))\n\nIf jpeg->pd_dev[i] is an error pointer, then passing it to\npm_runtime_suspended() will lead to an Oops.  The other conditions\ncheck for both error pointers and NULL, but it would be more clear to\nuse the IS_ERR_OR_NULL() check for that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I'm seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar 
stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can't explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I've\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps->dev refcount can't reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.\n\n    pps_core: source serial1 got cdev (251:1)\n    <...>\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev->status pointer but doesn't reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev->status pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda <ribalda@chromium.org>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon't attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it's harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: state: fix out-of-bounds read during lookup\n\nlookup and resize can run in parallel.\n\nThe xfrm_state_hash_generation seqlock ensures a retry, but the hash\nfunctions can observe a hmask value that is too large for the new hlist\narray.\n\nrehash does:\n  rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..]\n  net->xfrm.state_hmask = nhashmask;\n\nWhile state lookup does:\n  h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);\n  hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {\n\nThis is only safe in case the update to state_bydst is larger than\nnet->xfrm.xfrm_state_hmask (or if the lookup function gets\nserialized via state spinlock again).\n\nFix this by prefetching state_hmask and the associated pointers.\nThe xfrm_state_hash_generation seqlock retry will ensure that the pointer\nand the hmask will be consistent.\n\nThe existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side,\nadd lockdep assertions to document that they are only safe for insert\nside.\n\nxfrm_state_lookup_byaddr() uses the spinlock rather than RCU.\nAFAICS this is an oversight from back when state lookup was converted to\nRCU, this lock should be replaced with RCU in a future patch.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: th1520: Fix memory corruption due to incorrect array size\n\nThe functions th1520_mbox_suspend_noirq and th1520_mbox_resume_noirq are\nintended to save and restore the interrupt mask registers in the MBOX\nICU0. However, the array used to store these registers was incorrectly\nsized, leading to memory corruption when accessing all four registers.\n\nThis commit corrects the array size to accommodate all four interrupt\nmask registers, preventing memory corruption during suspend and resume\noperations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition\n\nIn dw_i3c_common_probe, &master->hj_work is bound with\ndw_i3c_hj_work. And dw_i3c_master_irq_handler can call\ndw_i3c_master_irq_handle_ibis function to start the work.\n\nIf we remove the module which will call dw_i3c_common_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | dw_i3c_hj_work\ndw_i3c_common_remove                 |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev)      |\ndevice_release                       |\n//free master->base                  |\n                                     | i3c_master_do_daa(&master->base)\n                                     | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in dw_i3c_common_remove.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: Cleanup global '__scm' on probe failures\n\nIf SCM driver fails the probe, it should not leave global '__scm'\nvariable assigned, because external users of this driver will assume the\nprobe finished successfully.  For example TZMEM parts ('__scm->mempool')\nare initialized later in the probe, but users of it (__scm_smc_call())\nrely on the '__scm' variable.\n\nThis fixes theoretical NULL pointer exception, triggered via introducing\nprobe deferral in SCM driver with call trace:\n\n  qcom_tzmem_alloc+0x70/0x1ac (P)\n  qcom_tzmem_alloc+0x64/0x1ac (L)\n  qcom_scm_assign_mem+0x78/0x194\n  qcom_rmtfs_mem_probe+0x2d4/0x38c\n  platform_probe+0x68/0xc8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Fix assumption that Resolution Multipliers must be in Logical Collections\n\nA report in 2019 by the syzbot fuzzer was found to be connected to two\nerrors in the HID core associated with Resolution Multipliers.  One of\nthe errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop\nin hid_apply_multiplier.\"), but the other has not been fixed.\n\nThis error arises because hid_apply_multipler() assumes that every\nResolution Multiplier control is contained in a Logical Collection,\ni.e., there's no way the routine can ever set multiplier_collection to\nNULL.  This is in spite of the fact that the function starts with a\nbig comment saying:\n\n\t * \"The Resolution Multiplier control must be contained in the same\n\t * Logical Collection as the control(s) to which it is to be applied.\n\t   ...\n\t *  If no Logical Collection is\n\t * defined, the Resolution Multiplier is associated with all\n\t * controls in the report.\"\n\t * HID Usage Table, v1.12, Section 4.3.1, p30\n\t *\n\t * Thus, search from the current collection upwards until we find a\n\t * logical collection...\n\nThe comment and the code overlook the possibility that none of the\ncollections found may be a Logical Collection.\n\nThe fix is to set the multiplier_collection pointer to NULL if the\ncollection found isn't a Logical Collection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btrtl: check for NULL in btrtl_setup_realtek()\n\nIf a USB dongle whose chip is not maintained in ic_id_table is inserted, it\nwill hit a NULL pointer access. Add a NULL pointer check to avoid the\nKernel Oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()\n\ndevm_kstrdup() can return a NULL pointer on failure, but this\nreturned value in btbcm_get_board_name() is not checked.\nAdd NULL check in btbcm_get_board_name(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links\n\nIn mt7925_change_vif_links() devm_kzalloc() may return NULL but this\nreturned value is not checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_load_clc()\n\nThis comparison should be >= instead of > to prevent an out of bounds\nread and write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: chan: fix soft lockup in rtw89_entity_recalc_mgnt_roles()\n\nDuring rtw89_entity_recalc_mgnt_roles(), there is a normalizing process\nwhich will re-order the list if an entry with target pattern is found.\nAnd once one is found, should have aborted the list_for_each_entry. But,\n`break` just aborted the inner for-loop. The outer list_for_each_entry\nstill continues. Normally, only the first entry will match the target\npattern, and the re-ordering will change nothing, so there won't be\nsoft lockup. However, in some special cases, soft lockup would happen.\n\nFix it by `goto fill` to break from the list_for_each_entry.\n\nThe following is a sample of kernel log for this problem.\n\nwatchdog: BUG: soft lockup - CPU#1 stuck for 26s! [wpa_supplicant:2055]\n[...]\nRIP: 0010:rtw89_entity_recalc ([...] chan.c:392 chan.c:479) rtw89_core\n[...]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: unregister wiphy only if it has been registered\n\nThere is a specific error path in probe functions in wilc drivers (both\nsdio and spi) which can lead to kernel panic, as this one for example\nwhen using SPI:\n\nUnable to handle kernel paging request at virtual address 9f000000 when read\n[9f000000] *pgd=00000000\nInternal error: Oops: 5 [#1] ARM\nModules linked in: wilc1000_spi(+) crc_itu_t crc7 wilc1000 cfg80211 bluetooth ecdh_generic ecc\nCPU: 0 UID: 0 PID: 106 Comm: modprobe Not tainted 6.13.0-rc3+ #22\nHardware name: Atmel SAMA5\nPC is at wiphy_unregister+0x244/0xc40 [cfg80211]\nLR is at wiphy_unregister+0x1c0/0xc40 [cfg80211]\n[...]\n wiphy_unregister [cfg80211] from wilc_netdev_cleanup+0x380/0x494 [wilc1000]\n wilc_netdev_cleanup [wilc1000] from wilc_bus_probe+0x360/0x834 [wilc1000_spi]\n wilc_bus_probe [wilc1000_spi] from spi_probe+0x15c/0x1d4\n spi_probe from really_probe+0x270/0xb2c\n really_probe from __driver_probe_device+0x1dc/0x4e8\n __driver_probe_device from driver_probe_device+0x5c/0x140\n driver_probe_device from __driver_attach+0x220/0x540\n __driver_attach from bus_for_each_dev+0x13c/0x1a8\n bus_for_each_dev from bus_add_driver+0x2a0/0x6a4\n bus_add_driver from driver_register+0x27c/0x51c\n driver_register from do_one_initcall+0xf8/0x564\n do_one_initcall from do_init_module+0x2e4/0x82c\n do_init_module from load_module+0x59a0/0x70c4\n load_module from init_module_from_file+0x100/0x148\n init_module_from_file from sys_finit_module+0x2fc/0x924\n sys_finit_module from ret_fast_syscall+0x0/0x1c\n\nThe issue can easily be reproduced, for example by not wiring correctly\na wilc device through SPI (and so, make it unresponsive to early SPI\ncommands). It is due to a recent change decoupling wiphy allocation from\nwiphy registration, however wilc_netdev_cleanup has not been updated\naccordingly, letting it possibly call wiphy unregister on a wiphy which\nhas never been registered.\n\nFix this crash by moving wiphy_unregister/wiphy_free out of\nwilc_netdev_cleanup, and by adjusting error paths in both drivers",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check\n\nsyzbot has found a type mismatch between a USB pipe and the transfer\nendpoint, which is triggered by the hid-thrustmaster driver[1].\nThere is a number of similar, already fixed issues [2].\nIn this case as in others, implementing check for endpoint type fixes the issue.\n\n[1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470\n[2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()\n\nJakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page()\nto increase test coverage.\n\nsyzbot found a splat caused by hard irq blocking in\nptr_ring_resize_multiple() [1]\n\nAs current users of ptr_ring_resize_multiple() do not require\nhard irqs being masked, replace it to only block BH.\n\nRename helpers to better reflect they are safe against BH only.\n\n- ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh()\n- skb_array_resize_multiple() to skb_array_resize_multiple_bh()\n\n[1]\n\nWARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline]\nWARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780\nModules linked in:\nCPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline]\nRIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780\nCode: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85\nRSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083\nRAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000\nRDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843\nRBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d\nR10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040\nR13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff\nFS:  00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tun_ptr_free drivers/net/tun.c:617 [inline]\n __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]\n ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]\n tun_queue_resize drivers/net/tun.c:3694 [inline]\n tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714\n notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93\n call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]\n call_netdevice_notifiers net/core/dev.c:2046 [inline]\n dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024\n do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923\n rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201\n rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()\n\nIn ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different\nradio, it gets deleted from that radio through a call to\nath12k_mac_unassign_link_vif(). This action frees the arvif pointer.\nSubsequently, there is a check involving arvif, which will result in a\nread-after-free scenario.\n\nFix this by moving this check after arvif is again assigned via call to\nath12k_mac_assign_link_vif().\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don't allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type 'struct sfq_head[128]'\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q->tail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wcn36xx: fix channel survey memory allocation size\n\nKASAN reported a memory allocation issue in wcn->chan_survey\ndue to incorrect size calculation.\nThis commit uses kcalloc to allocate memory for wcn->chan_survey,\nensuring proper initialization and preventing the use of uninitialized\nvalues when there are no frames on the channel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nOPP: add index check to assert to avoid buffer overflow in _read_freq()\n\nPass the freq index to the assert function to make sure\nwe do not read a freq out of the opp->rates[] table when called\nfrom the indexed variants:\ndev_pm_opp_find_freq_exact_indexed() or\ndev_pm_opp_find_freq_ceil/floor_indexed().\n\nAdd a secondary parameter to the assert function, unused\nfor assert_single_clk() then add assert_clk_index() which\nwill check for the clock index when called from the _indexed()\nfind functions.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-57999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW\n\nPower Hypervisor can possibly allocate MMIO window intersecting with\nDynamic DMA Window (DDW) range, which is over 32-bit addressing.\n\nThese MMIO pages need to be marked as reserved so that IOMMU doesn't map\nDMA buffers in this range.\n\nThe current code is not marking these pages correctly which is resulting\nin LPAR to OOPS while booting. The stack is at below\n\nBUG: Unable to handle kernel data access on read at 0xc00800005cd40000\nFaulting instruction address: 0xc00000000005cdac\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod\nSupported: Yes, External\nCPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b\nHardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries\nWorkqueue: events work_for_cpu_fn\nNIP:  c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000\nREGS: c00001400c9ff770 TRAP: 0300   Not tainted  (6.4.0-150600.23.14-default)\nMSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24228448  XER: 00000001\nCFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0\nGPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800\nGPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000\nGPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff\nGPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000\nGPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800\nGPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b\nGPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8\nGPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800\nNIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100\nLR [c00000000005e830] iommu_init_table+0x80/0x1e0\nCall Trace:\n[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)\n[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40\n[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230\n[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90\n[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80\n[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]\n[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110\n[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60\n[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620\n[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620\n[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150\n[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18\n\nThere are 2 issues in the code\n\n1. The index is \"int\" while the address is \"unsigned long\". This results in\n   negative value when setting the bitmap.\n\n2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit\n   address). MMIO address needs to be page shifted as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-57999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent reg-wait speculations\n\nWith *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments\nfor the waiting loop the user can specify an offset into a pre-mapped\nregion of memory, in which case the\n[offset, offset + sizeof(io_uring_reg_wait)) will be interpreted as the\nargument.\n\nAs we address a kernel array using a user given index, it'd be a subject\nto speculation type of exploits. Use array_index_nospec() to prevent\nthat. Make sure to pass not the full region size but truncate by the\nmaximum offset allowed considering the structure size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle a symlink read error correctly\n\nPatch series \"Convert ocfs2 to use folios\".\n\nMark did a conversion of ocfs2 to use folios and sent it to me as a\ngiant patch for review ;-)\n\nSo I've redone it as individual patches, and credited Mark for the patches\nwhere his code is substantially the same.  It's not a bad way to do it;\nhis patch had some bugs and my patches had some bugs.  Hopefully all our\nbugs were different from each other.  And hopefully Mark likes all the\nchanges I made to his code!\n\n\nThis patch (of 23):\n\nIf we can't read the buffer, be sure to unlock the page before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ds90ub9x3: Fix extra fwnode_handle_put()\n\nThe ub913 and ub953 drivers call fwnode_handle_put(priv->sd.fwnode) as\npart of their remove process, and if the driver is removed multiple\ntimes, eventually leads to put \"overflow\", possibly causing memory\ncorruption or crash.\n\nThe fwnode_handle_put() is a leftover from commit 905f88ccebb1 (\"media:\ni2c: ds90ub9x3: Fix sub-device matching\"), which changed the code\nrelated to the sd.fwnode, but missed removing these fwnode_handle_put()\ncalls.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: intel/ipu6: remove cpu latency qos request on error\n\nFix cpu latency qos list corruption like below. It happens when\nwe do not remove cpu latency request on error path and free\ncorresponding memory.\n\n[   30.634378] l7 kernel: list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8).\n[   30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0\n<snip>\n[   30.634640] l7 kernel: Call Trace:\n[   30.634650] l7 kernel:  <TASK>\n[   30.634659] l7 kernel:  ? __list_add_valid_or_report+0x83/0xa0\n[   30.634669] l7 kernel:  ? __warn.cold+0x93/0xf6\n[   30.634678] l7 kernel:  ? __list_add_valid_or_report+0x83/0xa0\n[   30.634690] l7 kernel:  ? report_bug+0xff/0x140\n[   30.634702] l7 kernel:  ? handle_bug+0x58/0x90\n[   30.634712] l7 kernel:  ? exc_invalid_op+0x17/0x70\n[   30.634723] l7 kernel:  ? asm_exc_invalid_op+0x1a/0x20\n[   30.634733] l7 kernel:  ? __list_add_valid_or_report+0x83/0xa0\n[   30.634742] l7 kernel:  plist_add+0xdd/0x140\n[   30.634754] l7 kernel:  pm_qos_update_target+0xa0/0x1f0\n[   30.634764] l7 kernel:  cpu_latency_qos_update_request+0x61/0xc0\n[   30.634773] l7 kernel:  intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Change to kvalloc() in eventlog/acpi.c\n\nThe following failure was reported on HPE ProLiant D320:\n\n[   10.693310][    T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)\n[   10.848132][    T1] ------------[ cut here ]------------\n[   10.853559][    T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330\n[   10.862827][    T1] Modules linked in:\n[   10.866671][    T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375\n[   10.882741][    T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024\n[   10.892170][    T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330\n[   10.898103][    T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1\n[   10.917750][    T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246\n[   10.923777][    T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000\n[   10.931727][    T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0\n\nThe above transcript shows that ACPI pointed a 16 MiB buffer for the log\nevents because RSI maps to the 'order' parameter of __alloc_pages_noprof().\nAddress the bug by moving from devm_kmalloc() to devm_add_action() and\nkvmalloc() and devm_add_action().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()\n\nIn commit 4284c88fff0e (\"PCI: designware-ep: Allow pci_epc_set_bar() update\ninbound map address\") set_bar() was modified to support dynamically\nchanging the backing physical address of a BAR that was already configured.\n\nThis means that set_bar() can be called twice, without ever calling\nclear_bar() (as calling clear_bar() would clear the BAR's PCI address\nassigned by the host).\n\nThis can only be done if the new BAR size/flags does not differ from the\nexisting BAR configuration. Add these missing checks.\n\nIf we allow set_bar() to set e.g. a new BAR size that differs from the\nexisting BAR size, the new address translation range will be smaller than\nthe BAR size already determined by the host, which would mean that a read\npast the new BAR size would pass the iATU untranslated, which could allow\nthe host to read memory not belonging to the new struct pci_epf_bar.\n\nWhile at it, add comments which clarifies the support for dynamically\nchanging the physical address of a BAR. (Which was also missing.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: socinfo: Avoid out of bounds read of serial number\n\nOn MSM8916 devices, the serial number exposed in sysfs is constant and does\nnot change across individual devices. It's always:\n\n  db410c:/sys/devices/soc0$ cat serial_number\n  2644893864\n\nThe firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not\nhave support for the serial_num field in the socinfo struct. There is an\nexisting check to avoid exposing the serial number in that case, but it's\nnot correct: When checking the item_size returned by SMEM, we need to make\nsure the *end* of the serial_num is within bounds, instead of comparing\nwith the *start* offset. The serial_number currently exposed on MSM8916\ndevices is just an out of bounds read of whatever comes after the socinfo\nstruct in SMEM.\n\nFix this by changing offsetof() to offsetofend(), so that the size of the\nfield is also taken into account.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: dcp: fix improper sg use with CONFIG_VMAP_STACK=y\n\nWith vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y) DCP trusted\nkeys can crash during en- and decryption of the blob encryption key via\nthe DCP crypto driver. This is caused by improperly using sg_init_one()\nwith vmalloc'd stack buffers (plain_key_blob).\n\nFix this by always using kmalloc() for buffers we give to the DCP crypto\ndriver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc\n\nA NULL sock pointer is passed into l2cap_sock_alloc() when it is called\nfrom l2cap_sock_new_connection_cb() and the error handling paths should\nalso be aware of it.\n\nSeemingly a more elegant solution would be to swap bt_sock_alloc() and\nl2cap_chan_create() calls since they are not interdependent to that moment\nbut then l2cap_chan_create() adds the soon to be deallocated and still\ndummy-initialized channel to the global list accessible by many L2CAP\npaths. The channel would be removed from the list in a short period of time\nbut be a bit more straight-forward here and just check for NULL instead of\nchanging the order of function calls.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_flat: Fix integer overflow bug on 32 bit systems\n\nMost of these sizes and counts are capped at 256MB so the math doesn't\nresult in an integer overflow.  The \"relocs\" count needs to be checked\nas well.  Otherwise on 32bit systems the calculation of \"full_data\"\ncould be wrong.\n\n\tfull_data = data_len + relocs * sizeof(unsigned long);",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params\n\nEach cpu DAI should associate with a widget. However, the topology might\nnot create the right number of DAI widgets for aggregated amps. And it\nwill cause NULL pointer dereference.\nCheck that the DAI widget associated with the CPU DAI is valid to prevent\nNULL pointer dereference due to missing DAI widgets in topologies with\naggregated amps.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\n\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nAllocated by task 16026:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n sock_write_iter+0x2d7/0x3f0 net/socket.c:1147\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0xaeb/0xd30 fs/read_write.c:679\n ksys_write+0x18f/0x2b0 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 16022:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 [inline]\n slab_free mm/slub.c:4598 [inline]\n kfree+0x196/0x420 mm/slub.c:4746\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\n hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1209\n sock_ioctl+0x626/0x8e0 net/socket.c:1328\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()\n\nIn 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN()\ninstead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access.\nCompile tested only.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix for out-of-bound access error\n\nSelfgen stats are placed in a buffer using print_array_to_buf_index() function.\nArray length parameter passed to the function is too big, resulting in possible\nout-of-bound memory error.\nDecreasing buffer size by one fixes faulty upper bound of passed array.\n\nDiscovered in coverity scan, CID 1600742 and CID 1600758",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsafesetid: check size of policy writes\n\nsyzbot attempts to write a buffer with a large size to a sysfs entry\nwith writes handled by handle_policy_update(), triggering a warning\nin kmalloc.\n\nCheck the size specified for write buffers before allocating.\n\n[PM: subject tweak]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nprintk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX\n\nShifting 1 << 31 on a 32-bit int causes signed integer overflow, which\nleads to undefined behavior. To prevent this, cast 1 to u32 before\nperforming the shift, ensuring well-defined behavior.\n\nThis change explicitly avoids any potential overflow by ensuring that\nthe shift occurs on an unsigned 32-bit integer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm: correctly calculate the available space of the GSP cmdq buffer\n\nr535_gsp_cmdq_push() waits for the available page in the GSP cmdq\nbuffer when handling a large RPC request. When it sees at least one\navailable page in the cmdq, it quits the waiting with the amount of\nfree buffer pages in the queue.\n\nUnfortunately, it always takes the [write pointer, buf_size) as\navailable buffer pages before rolling back and wrongly calculates the\nsize of the data should be copied. Thus, it can overwrite the RPC\nrequest that GSP is currently reading, which causes GSP hang due\nto corrupted RPC request:\n\n[  549.209389] ------------[ cut here ]------------\n[  549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E)\n[  549.225752]  iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)]\n[  549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G            E      6.9.0-rc6+ #1\n[  549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[  549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff <0f> 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c\n[  549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246\n[  549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28\n[  549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730\n[  549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70\n[  549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020\n[  549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000\n[  549.406988] FS:  00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000\n[  549.415076] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0\n[  549.427963] PKRU: 55555554\n[  549.430672] Call Trace:\n[  549.433126]  <TASK>\n[  549.435233]  ? __warn+0x7f/0x130\n[  549.438473]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.443426]  ? report_bug+0x18a/0x1a0\n[  549.447098]  ? handle_bug+0x3c/0x70\n[  549.450589]  ? exc_invalid_op+0x14/0x70\n[  549.454430]  ? asm_exc_invalid_op+0x16/0x20\n[  549.458619]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.463565]  r535_gsp_msg_recv+0x46/0x230 [nvkm]\n[  549.468257]  r535_gsp_rpc_push+0x106/0x160 [nvkm]\n[  549.473033]  r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm]\n[  549.478422]  nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm]\n[  549.483899]  nvidia_grid_init+0xb1/0xd0 [nvkm]\n[  549.488420]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.493213]  nvkm_device_pci_probe+0x305/0x420 [nvkm]\n[  549.498338]  local_pci_probe+0x46/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm/gsp: correctly advance the read pointer of GSP message queue\n\nA GSP event message consists of three parts: message header, RPC header,\nmessage body. GSP calculates the number of pages to write from the\ntotal size of a GSP message. This behavior can be observed from the\nmovement of the write pointer.\n\nHowever, nvkm takes only the size of RPC header and message body as\nthe message size when advancing the read pointer. When handling a\ntwo-page GSP message in the non rollback case, it wrongly takes the\nmessage body of the previous message as the message header of the next\nmessage. As the \"message length\" tends to be zero, in the calculation of\nsize needs to be copied (0 - size of (message header)), the size needs to\nbe copied will be \"0xffffffxx\". It also triggers a kernel panic due to a\nNULL pointer error.\n\n[  547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00  ........@.......\n[  547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00  ................\n[  547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff  ................\n[  547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff  ................\n[  547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[  547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[  547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[  547.669485] #PF: supervisor read access in kernel mode\n[  547.674624] #PF: error_code(0x0000) - not-present page\n[  547.679755] PGD 0 P4D 0\n[  547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G            E      6.9.0-rc6+ #1\n[  547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[  547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]\n[  547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[  547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05\n[  547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203\n[  547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f\n[  547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010\n[  547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0\n[  547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000\n[  547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000\n[  547.772958] FS:  0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000\n[  547.781035] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0\n[  547.793896] PKRU: 55555554\n[  547.796600] Call Trace:\n[  547.799046]  <TASK>\n[  547.801152]  ? __die+0x20/0x70\n[  547.804211]  ? page_fault_oops+0x75/0x170\n[  547.808221]  ? print_hex_dump+0x100/0x160\n[  547.812226]  ? exc_page_fault+0x64/0x150\n[  547.816152]  ? asm_exc_page_fault+0x22/0x30\n[  547.820341]  ? r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[  547.825184]  r535_gsp_msgq_work+0x42/0x50 [nvkm]\n[  547.829845]  process_one_work+0x196/0x3d0\n[  547.833861]  worker_thread+0x2fc/0x410\n[  547.837613]  ? __pfx_worker_thread+0x10/0x10\n[  547.841885]  kthread+0xdf/0x110\n[  547.845031]  ? __pfx_kthread+0x10/0x10\n[  547.848775]  ret_from_fork+0x30/0x50\n[  547.852354]  ? __pfx_kthread+0x10/0x10\n[  547.856097]  ret_from_fork_asm+0x1a/0x30\n[  547.860019]  </TASK>\n[  547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Add NULL check in mt_input_configured\n\ndevm_kasprintf() can return a NULL pointer on failure, but this\nreturned value in mt_input_configured() is not checked.\nAdd NULL check in mt_input_configured(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: winwing: Add NULL check in winwing_init_led()\n\ndevm_kasprintf() can return a NULL pointer on failure, but this\nreturned value in winwing_init_led() is not checked.\nAdd NULL check in winwing_init_led(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: th1520: Fix a NULL vs IS_ERR() bug\n\nThe devm_ioremap() function doesn't return error pointers, it returns\nNULL.  Update the error checking to match.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()\n\nAs of_find_node_by_name() releases the reference of the argument device\nnode, tegra_emc_find_node_by_ram_code() releases some device nodes while\nstill in use, resulting in possible UAFs. According to the bindings and\nthe in-tree DTS files, the \"emc-tables\" node is always the device's child\nnode with the property \"nvidia,use-ram-code\", and the \"lpddr2\" node is a\nchild of the \"emc-tables\" node. Thus utilize the\nfor_each_child_of_node() macro and of_get_child_by_name() instead of\nof_find_node_by_name() to simplify the code.\n\nThis bug was found by an experimental verification tool that I am\ndeveloping.\n\n[krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrhashtable: Fix potential deadlock by moving schedule_work outside lock\n\nMove the hash table growth check and work scheduling outside the\nrht lock to prevent a possible circular locking dependency.\n\nThe original implementation could trigger a lockdep warning due to\na potential deadlock scenario involving nested locks between\nrhashtable bucket, rq lock, and dsq lock. By relocating the\ngrowth check and work scheduling after releasing the rht lock, we break\nthis potential deadlock chain.\n\nThis change expands the flexibility of rhashtable by removing\nrestrictive locking that previously limited its use in scheduler\nand workqueue contexts.\n\nImportant to say that this calls rht_grow_above_75(), which reads from\nstruct rhashtable without holding the lock, if this is a problem, we can\nmove the check to the lock, and schedule the workqueue after the lock.\n\n\nModified so that atomic_inc is also moved outside of the bucket\nlock along with the growth above 75% check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ipmb: Add check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this\nreturned value is not checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table\n\nThe function atomctrl_get_smc_sclk_range_table() does not check the return\nvalue of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to\nretrieve SMU_Info table, it returns NULL which is later dereferenced.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nIn practice this should never happen as this code only gets called\non polaris chips and the vbios data table will always be present on\nthose chips.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix handling of received connection abort\n\nFix the handling of a connection abort that we've received.  Though the\nabort is at the connection level, it needs propagating to the calls on that\nconnection.  Whilst the propagation bit is performed, the calls aren't then\nwoken up to go and process their termination, and as no further input is\nforthcoming, they just hang.\n\nAlso add some tracing for the logging of connection aborts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: max96712: fix kernel oops when removing module\n\nThe following kernel oops is thrown when trying to remove the max96712\nmodule:\n\nUnable to handle kernel paging request at virtual address 00007375746174db\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000\n[00007375746174db] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan\n    snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2\n    imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev\n    snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils\n    max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse\n    [last unloaded: imx8_isi]\nCPU: 0 UID: 0 PID: 754 Comm: rmmod\n\t    Tainted: G         C    6.12.0-rc6-06364-g327fec852c31 #17\nTainted: [C]=CRAP\nHardware name: NXP i.MX95 19X19 board (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : led_put+0x1c/0x40\nlr : v4l2_subdev_put_privacy_led+0x48/0x58\nsp : ffff80008699bbb0\nx29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000\nx26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8\nx20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000\nx11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010\nx8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\nx5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1\nx2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473\nCall trace:\n led_put+0x1c/0x40\n v4l2_subdev_put_privacy_led+0x48/0x58\n v4l2_async_unregister_subdev+0x2c/0x1a4\n max96712_remove+0x1c/0x38 [max96712]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x4c/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n max96712_i2c_driver_exit+0x18/0x1d0 [max96712]\n __arm64_sys_delete_module+0x1a4/0x290\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xd8\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x190/0x194\nCode: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)\n---[ end trace 0000000000000000 ]---\n\nThis happens because in v4l2_i2c_subdev_init(), the i2c_set_clientdata()\nis called again and the data is overwritten to point to sd, instead of\npriv. So, in remove(), the wrong pointer is passed to\nv4l2_async_unregister_subdev(), leading to a crash.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Don't free command immediately\n\nDon't prematurely free the command. Wait for the status completion of\nthe sense status. It can be freed then. Otherwise we will double-free\nthe command.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Fix ida_free call while not allocated\n\nIn the rproc_alloc() function, on error, put_device(&rproc->dev) is\ncalled, leading to the call of the rproc_type_release() function.\nAn error can occurs before ida_alloc is called.\n\nIn such case in rproc_type_release(), the condition (rproc->index >= 0) is\ntrue as rproc->index has been  initialized to 0.\nida_free() is called reporting a warning:\n[    4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164\n[    4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0\n[    4.188854] ida_free called for id=0 which is not allocated.\n[    4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000\n[    4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)\n[    4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442\n[    4.231481] Hardware name: STM32 (Device Tree Support)\n[    4.236627] Workqueue: events_unbound deferred_probe_work_func\n[    4.242504] Call trace:\n[    4.242522]  unwind_backtrace from show_stack+0x10/0x14\n[    4.250218]  show_stack from dump_stack_lvl+0x50/0x64\n[    4.255274]  dump_stack_lvl from __warn+0x80/0x12c\n[    4.260134]  __warn from warn_slowpath_fmt+0x114/0x188\n[    4.265199]  warn_slowpath_fmt from ida_free+0x100/0x164\n[    4.270565]  ida_free from rproc_type_release+0x38/0x60\n[    4.275832]  rproc_type_release from device_release+0x30/0xa0\n[    4.281601]  device_release from kobject_put+0xc4/0x294\n[    4.286762]  kobject_put from rproc_alloc.part.0+0x208/0x28c\n[    4.292430]  rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4\n[    4.298393]  devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]\n[    4.305575]  stm32_rproc_probe [stm32_rproc] from 
platform_probe+0x5c/0xbc\n\nCalling ida_alloc earlier in rproc_alloc ensures that the rproc->index is\nproperly set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert workqueues to unbound\n\nWhen a workqueue is created with `WQ_UNBOUND`, its work items are\nserved by special worker-pools, whose host workers are not bound to\nany specific CPU. In the default configuration (i.e. when\n`queue_delayed_work` and friends do not specify which CPU to run the\nwork item on), `WQ_UNBOUND` allows the work item to be executed on any\nCPU in the same node of the CPU it was enqueued on. While this\nsolution potentially sacrifices locality, it avoids contention with\nother processes that might dominate the CPU time of the processor the\nwork item was scheduled on.\n\nThis is not just a theoretical problem: in a particular scenario\nmisconfigured process was hogging most of the time from CPU0, leaving\nless than 0.5% of its CPU time to the kworker. The IDPF workqueues\nthat were using the kworker on CPU0 suffered large completion delays\nas a result, causing performance degradation, timeouts and eventual\nsystem crash.\n\n\n* I have also run a manual test to gauge the performance\n  improvement. The test consists of an antagonist process\n  (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This\n  process is run under `taskset 01` to bind it to CPU0, and its\n  priority is changed with `chrt -pQ 9900 10000 ${pid}` and\n  `renice -n -20 ${pid}` after start.\n\n  Then, the IDPF driver is forced to prefer CPU0 by editing all calls\n  to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.\n\n  Finally, `ktraces` for the workqueue events are collected.\n\n  Without the current patch, the antagonist process can force\n  arbitrary delays between `workqueue_queue_work` and\n  `workqueue_execute_start`, that in my tests were as high as\n  `30ms`. 
With the current patch applied, the workqueue can be\n  migrated to another unloaded CPU in the same node, and, keeping\n  everything else equal, the maximum delay I could see was `6us`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: skip dumping tnc tree when zroot is null\n\nClearing slab cache will free all znode in memory and make\nc->zroot.znode = NULL, then dumping tnc tree will access\nc->zroot.znode which cause null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix deadlock during uvc_probe\n\nIf uvc_probe() fails, it can end up calling uvc_status_unregister() before\nuvc_status_init() is called.\n\nFix this by checking if dev->status is NULL or not in\nuvc_status_unregister().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing\n\nThere is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n.\nIn particular, the report is on tcp_congestion_ops that has\na \"struct module *owner\" member.\n\nFor struct_ops that has a \"struct module *owner\" member,\nit can be extended either by the regular kernel module or\nby the bpf_struct_ops. bpf_try_module_get() will be used\nto do the refcounting and different refcount is done\nbased on the owner pointer. When CONFIG_MODULES=n,\nthe btf_id of the \"struct module\" is missing:\n\nWARN: resolve_btfids: unresolved symbol module\n\nThus, the bpf_try_module_get() cannot do the correct refcounting.\n\nNot all subsystem's struct_ops requires the \"struct module *owner\" member.\ne.g. the recent sched_ext_ops.\n\nThis patch is to disable bpf_struct_ops registration if\nthe struct_ops has the \"struct module *\" member and the\n\"struct module\" btf_id is missing. The btf_type_is_fwd() helper\nis moved to the btf.h header file for this test.\n\nThis has happened since the beginning of bpf_struct_ops which has gone\nthrough many changes. The Fixes tag is set to a recent commit that this\npatch can apply cleanly. Considering CONFIG_MODULES=n is not\ncommon and the age of the issue, targeting for bpf-next also.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: prohibit deactivating all links\n\nIn the internal API this calls this is a WARN_ON, but that\nshould remain since internally we want to know about bugs\nthat may cause this. Prevent deactivating all links in the\ndebugfs write directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: avoid NULL pointer dereference\n\nWhen iterating over the links of a vif, we need to make sure that the\npointer is valid (in other words - that the link exists) before\ndereferncing it.\nUse for_each_vif_active_link that also does the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: fix memory leaks and invalid access at probe error path\n\nDeinitialize at reverse order when probe fails.\n\nWhen init_sw_vars fails, rtl_deinit_core should not be called, specially\nnow that it destroys the rtl_wq workqueue.\n\nAnd call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be\nleaked.\n\nRemove pci_set_drvdata call as it will already be cleaned up by the core\ndriver code and could lead to memory leaks too. cf. commit 8d450935ae7f\n(\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and\ncommit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: tests: Fix potential NULL dereference in test_cfg80211_parse_colocated_ap()\n\nkunit_kzalloc() may return NULL, dereferencing it without NULL check may\nlead to NULL dereference.\nAdd a NULL check for ies.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mmp: pxa1908-apbc: Fix NULL vs IS_ERR() check\n\nThe devm_kzalloc() function returns NULL on error, not error pointers.\nFix the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mmp: pxa1908-apbcp: Fix a NULL vs IS_ERR() check\n\nThe devm_kzalloc() function doesn't return error pointers, it returns\nNULL on error.  Update the check to match.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mmp: pxa1908-mpmu: Fix a NULL vs IS_ERR() check\n\nThe devm_kzalloc() function returns NULL on error, not error pointers.\nUpdate the check to match.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nOPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized\n\nIf a driver calls dev_pm_opp_find_bw_ceil/floor() the retrieve bandwidth\nfrom the OPP table but the bandwidth table was not created because the\ninterconnect properties were missing in the OPP consumer node, the\nkernel will crash with:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n...\npc : _read_bw+0x8/0x10\nlr : _opp_table_find_key+0x9c/0x174\n...\nCall trace:\n  _read_bw+0x8/0x10 (P)\n  _opp_table_find_key+0x9c/0x174 (L)\n  _find_key+0x98/0x168\n  dev_pm_opp_find_bw_ceil+0x50/0x88\n...\n\nIn order to fix the crash, create an assert function to check\nif the bandwidth table was created before trying to get a\nbandwidth with _read_bw().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read\n\nThe nvmem interface supports variable buffer sizes, while the regmap\ninterface operates with fixed-size storage. If an nvmem client uses a\nbuffer size less than 4 bytes, regmap_read will write out of bounds\nas it expects the buffer to point at an unsigned int.\n\nFix this by using an intermediary unsigned int to hold the value.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT\n\nIn PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible\ncontext. bpf_mem_alloc must be used in PREEMPT_RT. This patch is\nto enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT\nis enabled.\n\n[   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs\n[   35.118569] preempt_count: 1, expected: 0\n[   35.118571] RCU nest depth: 1, expected: 1\n[   35.118577] INFO: lockdep is turned off.\n    ...\n[   35.118647]  __might_resched+0x433/0x5b0\n[   35.118677]  rt_spin_lock+0xc3/0x290\n[   35.118700]  ___slab_alloc+0x72/0xc40\n[   35.118723]  __kmalloc_noprof+0x13f/0x4e0\n[   35.118732]  bpf_map_kzalloc+0xe5/0x220\n[   35.118740]  bpf_selem_alloc+0x1d2/0x7b0\n[   35.118755]  bpf_local_storage_update+0x2fa/0x8b0\n[   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0\n[   35.118791]  bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66\n[   35.118795]  bpf_trace_run3+0x222/0x400\n[   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20\n[   35.118824]  trace_inet_sock_set_state+0x112/0x130\n[   35.118830]  inet_sk_state_store+0x41/0x90\n[   35.118836]  tcp_set_state+0x3b3/0x640\n\nThere is no need to adjust the gfp_flags passing to the\nbpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL.\nThe verifier has ensured GFP_KERNEL is passed only in sleepable context.\n\nIt has been an old issue since the first introduction of the\nbpf_local_storage ~5 years ago, so this patch targets the bpf-next.\n\nbpf_mem_alloc is needed to solve it, so the Fixes tag is set\nto the commit when bpf_mem_alloc was first used in the bpf_local_storage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: prevent adding a device which is already a team device lower\n\nPrevent adding a device which is already a team device lower,\ne.g. adding veth0 if vlan1 was already added and veth0 is a lower of\nvlan1.\n\nThis is not useful in practice and can lead to recursive locking:\n\n$ ip link add veth0 type veth peer name veth1\n$ ip link set veth0 up\n$ ip link set veth1 up\n$ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1\n$ ip link add team0 type team\n$ ip link set veth0.1 down\n$ ip link set veth0.1 master team0\nteam0: Port device veth0.1 added\n$ ip link set veth0 down\n$ ip link set veth0 master team0\n\n============================================\nWARNING: possible recursive locking detected\n6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted\n--------------------------------------------\nip/7684 is trying to acquire lock:\nffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n\nbut task is already holding lock:\nffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977)\n\nother info that might help us debug this:\nPossible unsafe locking scenario:\n\nCPU0\n----\nlock(team->team_lock_key);\nlock(team->team_lock_key);\n\n*** DEADLOCK ***\n\nMay be due to missing lock nesting notation\n\n2 locks held by ip/7684:\n\nstack backtrace:\nCPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl (lib/dump_stack.c:122)\nprint_deadlock_bug.cold (kernel/locking/lockdep.c:3040)\n__lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226)\n? 
netlink_broadcast_filtered (net/netlink/af_netlink.c:1548)\nlock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851)\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2))\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n? lock_acquire (kernel/locking/lockdep.c:5822)\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n__mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735)\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\n? fib_sync_up (net/ipv4/fib_semantics.c:2167)\n? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\nteam_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)\nnotifier_call_chain (kernel/notifier.c:85)\ncall_netdevice_notifiers_info (net/core/dev.c:1996)\n__dev_notify_flags (net/core/dev.c:8993)\n? __dev_change_flags (net/core/dev.c:8975)\ndev_change_flags (net/core/dev.c:9027)\nvlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470)\n? br_device_event (net/bridge/br.c:143)\nnotifier_call_chain (kernel/notifier.c:85)\ncall_netdevice_notifiers_info (net/core/dev.c:1996)\ndev_open (net/core/dev.c:1519 net/core/dev.c:1505)\nteam_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977)\n? __pfx_team_add_slave (drivers/net/team/team_core.c:1972)\ndo_set_master (net/core/rtnetlink.c:2917)\ndo_setlink.isra.0 (net/core/rtnetlink.c:3117)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: remove unused check_buddy_priv\n\nCommit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global\nlist of private data structures.\n\nLater on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match\nvendor version 2013.02.07\") started adding the private data to that list at\nprobe time and added a hook, check_buddy_priv to find the private data from\na similar device.\n\nHowever, that function was never used.\n\nBesides, though there is a lock for that list, it is never used. And when\nthe probe fails, the private data is never removed from the list. This\nwould cause a second probe to access freed memory.\n\nRemove the unused hook, structures and members, which will prevent the\npotential race condition on the list and its corruption during a second\nprobe when probe fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check dpu_plane_atomic_print_state() for valid sspp\n\nSimilar to the r_pipe sspp protect, add a check to protect\nthe pipe state prints to avoid NULL ptr dereference for cases when\nthe state is dumped without a corresponding atomic_check() where the\npipe->sspp is assigned.\n\nPatchwork: https://patchwork.freedesktop.org/patch/628404/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Grab intel_display from the encoder to avoid potential oopsies\n\nGrab the intel_display from 'encoder' rather than 'state'\nin the encoder hooks to avoid the massive footgun that is\nintel_sanitize_encoder(), which passes NULL as the 'state'\nargument to encoder .disable() and .post_disable().\n\nTODO: figure out how to actually fix intel_sanitize_encoder()...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: tegra - do not transfer req when tegra init fails\n\nThe tegra_cmac_init or tegra_sha_init function may return an error when\nmemory is exhausted. It should not transfer the request when they return\nan error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-sm6350: Add missing parent_map for two clocks\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we'll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n  [    3.388105] Call trace:\n  [    3.390664]  qcom_find_src_index+0x3c/0x70 (P)\n  [    3.395301]  qcom_find_src_index+0x1c/0x70 (L)\n  [    3.399934]  _freq_tbl_determine_rate+0x48/0x100\n  [    3.404753]  clk_rcg2_determine_rate+0x1c/0x28\n  [    3.409387]  clk_core_determine_round_nolock+0x58/0xe4\n  [    3.421414]  clk_core_round_rate_nolock+0x48/0xfc\n  [    3.432974]  clk_core_round_rate_nolock+0xd0/0xfc\n  [    3.444483]  clk_core_set_rate_nolock+0x8c/0x300\n  [    3.455886]  clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for two clocks where it's missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback\n\ncommit 1f5664351410 (\"ASoC: lower \"no backend DAIs enabled for ... Port\"\nlog severity\") ignores -EINVAL error message on common soc_pcm_ret().\nIt is used from many functions, ignoring -EINVAL is over-kill.\n\nThe reason why -EINVAL was ignored was it really should only be used\nupon invalid parameters coming from userspace and in that case we don't\nwant to log an error since we do not want to give userspace a way to do\na denial-of-service attack on the syslog / diskspace.\n\nSo don't use soc_pcm_ret() on .prepare callback is better idea.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors\n\nmisc_minor_alloc was allocating id using ida for minor only in case of\nMISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids\nusing ida_free causing a mismatch and following warn:\n> > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f\n> > ida_free called for id=127 which is not allocated.\n> > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n...\n> > [<60941eb4>] ida_free+0x3e0/0x41f\n> > [<605ac993>] misc_minor_free+0x3e/0xbc\n> > [<605acb82>] misc_deregister+0x171/0x1b3\n\nmisc_minor_alloc is changed to allocate id from ida for all minors\nfalling in the range of dynamic/ misc dynamic minors",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix crash during unbind if gpio unit is in use\n\nWe used the wrong device for the device managed functions. We used the\nusb device, when we should be using the interface device.\n\nIf we unbind the driver from the usb interface, the cleanup functions\nare never called. In our case, the IRQ is never disabled.\n\nIf an IRQ is triggered, it will try to access memory sections that are\nalready free, causing an OOPS.\n\nWe cannot use the function devm_request_threaded_irq here. The devm_*\nclean functions may be called after the main structure is released by\nuvc_delete.\n\nLuckily this bug has small impact, as it is only affected by devices\nwith gpio units and the user has to unbind the device, a disconnect will\nnot trigger this error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: dispcc-sm6350: Add missing parent_map for a clock\n\nIf a clk_rcg2 has a parent, it should also have parent_map defined,\notherwise we'll get a NULL pointer dereference when calling clk_set_rate\nlike the following:\n\n  [    3.388105] Call trace:\n  [    3.390664]  qcom_find_src_index+0x3c/0x70 (P)\n  [    3.395301]  qcom_find_src_index+0x1c/0x70 (L)\n  [    3.399934]  _freq_tbl_determine_rate+0x48/0x100\n  [    3.404753]  clk_rcg2_determine_rate+0x1c/0x28\n  [    3.409387]  clk_core_determine_round_nolock+0x58/0xe4\n  [    3.421414]  clk_core_round_rate_nolock+0x48/0xfc\n  [    3.432974]  clk_core_round_rate_nolock+0xd0/0xfc\n  [    3.444483]  clk_core_set_rate_nolock+0x8c/0x300\n  [    3.455886]  clk_set_rate+0x38/0x14c\n\nAdd the parent_map property for the clock where it's missing and also\nun-inline the parent_data as well to keep the matching parent_map and\nparent_data together.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mmp2: call pm_genpd_init() only after genpd.name is set\n\nSetting the genpd's struct device's name with dev_set_name() is\nhappening within pm_genpd_init(). If it remains NULL, things can blow up\nlater, such as when crafting the devfs hierarchy for the power domain:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n  ...\n  Call trace:\n   strlen from start_creating+0x90/0x138\n   start_creating from debugfs_create_dir+0x20/0x178\n   debugfs_create_dir from genpd_debug_add.part.0+0x4c/0x144\n   genpd_debug_add.part.0 from genpd_debug_init+0x74/0x90\n   genpd_debug_init from do_one_initcall+0x5c/0x244\n   do_one_initcall from kernel_init_freeable+0x19c/0x1f4\n   kernel_init_freeable from kernel_init+0x1c/0x12c\n   kernel_init from ret_from_fork+0x14/0x28\n\nBisecting tracks this crash back to commit 899f44531fe6 (\"pmdomain: core:\nAdd GENPD_FLAG_DEV_NAME_FW flag\"), which exchanges use of genpd->name\nwith dev_name(&genpd->dev) in genpd_debug_add.part().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nuvoton: Fix an error check in npcm_video_ece_init()\n\nWhen function of_find_device_by_node() fails, it returns NULL instead of\nan error code. So the corresponding error check logic should be modified\nto check whether the return value is NULL and set the error code to be\nreturned as -ENODEV.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu().  If the index is \"bad\", the nospec clamping will\ngenerate '0', i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn't exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm->vcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0.  Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum.  Preventing\naccesses to vCPU0 before it's fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()\n\nCommit 2e4955167ec5 (\"firmware: qcom: scm: Fix __scm and waitq\ncompletion variable initialization\") introduced a write barrier in probe\nfunction to store global '__scm' variable.  We all known barriers are\npaired (see memory-barriers.txt: \"Note that write barriers should\nnormally be paired with read or address-dependency barriers\"), therefore\naccessing it from concurrent contexts requires read barrier.  Previous\ncommit added such barrier in qcom_scm_is_available(), so let's use that\ndirectly.\n\nLack of this read barrier can result in fetching stale '__scm' variable\nvalue, NULL, and dereferencing it.\n\nNote that barrier in qcom_scm_is_available() satisfies here the control\ndependency.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: don't emit warning in tomoyo_write_control()\n\nsyzbot is reporting too large allocation warning at tomoyo_write_control(),\nfor one can write a very very long line without new line character. To fix\nthis warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,\nfor practically a valid line should be always shorter than 32KB where the\n\"too small to fail\" memory-allocation rule applies.\n\nOne might try to write a valid line that is longer than 32KB, but such\nrequest will likely fail with -ENOMEM. Therefore, I feel that separately\nreturning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.\nThere is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop active perfmon if it is being destroyed\n\nIf the active performance monitor (`v3d->active_perfmon`) is being\ndestroyed, stop it first. Currently, the active perfmon is not\nstopped during destruction, leaving the `v3d->active_perfmon` pointer\nstale. This can lead to undefined behavior and instability.\n\nThis patch ensures that the active perfmon is stopped before being\ndestroyed, aligning with the behavior introduced in commit\n7d1fd3638ee3 (\"drm/v3d: Stop the active perfmon before being destroyed\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix racy issue from session lookup and expire\n\nIncrement the session reference count within the lock for lookup to avoid\nracy issue with session expire.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-58088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix deadlock when freeing cgroup storage\n\nThe following commit\nbc235cdb423a (\"bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]\")\nfirst introduced deadlock prevention for fentry/fexit programs attaching\non bpf_task_storage helpers. That commit also employed the logic in map\nfree path in its v6 version.\n\nLater bpf_cgrp_storage was first introduced in\nc4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\")\nwhich faces the same issue as bpf_task_storage, instead of its busy\ncounter, NULL was passed to bpf_local_storage_map_free() which opened\na window to cause deadlock:\n\n\t<TASK>\n\t\t(acquiring local_storage->lock)\n\t_raw_spin_lock_irqsave+0x3d/0x50\n\tbpf_local_storage_update+0xd1/0x460\n\tbpf_cgrp_storage_get+0x109/0x130\n\tbpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170\n\t? __bpf_prog_enter_recur+0x16/0x80\n\tbpf_trampoline_6442485186+0x43/0xa4\n\tcgroup_storage_ptr+0x9/0x20\n\t\t(holding local_storage->lock)\n\tbpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160\n\tbpf_selem_unlink_storage+0x6f/0x110\n\tbpf_local_storage_map_free+0xa2/0x110\n\tbpf_map_free_deferred+0x5b/0x90\n\tprocess_one_work+0x17c/0x390\n\tworker_thread+0x251/0x360\n\tkthread+0xd2/0x100\n\tret_from_fork+0x34/0x50\n\tret_from_fork_asm+0x1a/0x30\n\t</TASK>\n\nProgs:\n - A: SEC(\"fentry/cgroup_storage_ptr\")\n   - cgid (BPF_MAP_TYPE_HASH)\n\tRecord the id of the cgroup the current task belonging\n\tto in this hash map, using the address of the cgroup\n\tas the map key.\n   - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)\n\tIf current task is a kworker, lookup the above hash\n\tmap using function parameter @owner as the key to get\n\tits corresponding cgroup id which is then used to get\n\ta trusted pointer to the cgroup through\nbpf_cgroup_from_id(). This trusted pointer can then\n\tbe passed to bpf_cgrp_storage_get() to finally trigger\n\tthe deadlock issue.\n - B: SEC(\"tp_btf/sys_enter\")\n   - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)\n\tThe only purpose of this prog is to fill Prog A's\n\thash map by calling bpf_cgrp_storage_get() for as\n\tmany userspace tasks as possible.\n\nSteps to reproduce:\n - Run A;\n - while (true) { Run B; Destroy B; }\n\nFix this issue by passing its busy counter to the free procedure so\nit can be properly incremented before storage/smap locking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double accounting race when btrfs_run_delalloc_range() failed\n\n[BUG]\nWhen running btrfs with block size (4K) smaller than page size (64K,\naarch64), there is a very high chance to crash the kernel at\ngeneric/750, with the following messages:\n(before the call traces, there are 3 extra debug messages added)\n\n  BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental\n  BTRFS info (device dm-3): checking UUID tree\n  hrtimer: interrupt took 5451385 ns\n  BTRFS error (device dm-3): cow_file_range failed, root=4957 inode=257 start=1605632 len=69632: -28\n  BTRFS error (device dm-3): run_delalloc_nocow failed, root=4957 inode=257 start=1605632 len=69632: -28\n  BTRFS error (device dm-3): failed to run delalloc range, root=4957 ino=257 folio=1572864 submit_bitmap=8-15 start=1605632 len=69632: -28\n  ------------[ cut here ]------------\n  WARNING: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs]\n  CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G           OE      6.13.0-rc1-custom+ #89\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs]\n  lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs]\n  Call trace:\n   can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P)\n   can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L)\n   btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs]\n   extent_writepage+0x10c/0x3b8 [btrfs]\n   extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n   btrfs_writepages+0x94/0x160 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x74/0xa0\n   start_delalloc_inodes+0x17c/0x3b0 [btrfs]\n   btrfs_start_delalloc_roots+0x17c/0x288 [btrfs]\n   shrink_delalloc+0x11c/0x280 [btrfs]\n   flush_space+0x288/0x328 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x228/0x680\n   worker_thread+0x1bc/0x360\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  ---[ end trace 0000000000000000 ]---\n  BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0\n  BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n  BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0\n  CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G        W  OE      6.13.0-rc1-custom+ #89\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue:  btrfs_work_helper [btrfs] (btrfs-endio-write)\n  pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : process_one_work+0x110/0x680\n  lr : worker_thread+0x1bc/0x360\n  Call trace:\n   process_one_work+0x110/0x680 (P)\n   worker_thread+0x1bc/0x360 (L)\n   worker_thread+0x1bc/0x360\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: Oops: Fatal exception\n  SMP: stopping secondary CPUs\n  SMP: failed to stop secondary CPUs 2-3\n  Dumping ftrace buffer:\n     (ftrace buffer empty)\n  Kernel Offset: 0x275bb9540000 from 0xffff800080000000\n  PHYS_OFFSET: 0xffff8fbba0000000\n  CPU features: 0x100,00000070,00801250,8201720b\n\n[CAUSE]\nThe above warning is triggered immediately after the delalloc range\nfailure, this happens in the following sequence:\n\n- Range [1568K, 1636K) is dirty\n\n   1536K  1568K     1600K    1636K  1664K\n   |      |/////////|////////|      |\n\n  Where 1536K, 1600K and 1664K are page boundaries (64K page size)\n\n- Enter extent_writepage() for page 1536K\n\n- Enter run_delalloc_nocow() with locke\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Prevent rescheduling when interrupts are disabled\n\nDavid reported a warning observed while loop testing kexec jump:\n\n  Interrupts enabled after irqrouter_resume+0x0/0x50\n  WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220\n   kernel_kexec+0xf6/0x180\n   __do_sys_reboot+0x206/0x250\n   do_syscall_64+0x95/0x180\n\nThe corresponding interrupt flag trace:\n\n  hardirqs last  enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90\n  hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90\n\nThat means __up_console_sem() was invoked with interrupts enabled. Further\ninstrumentation revealed that in the interrupt disabled section of kexec\njump one of the syscore_suspend() callbacks woke up a task, which set the\nNEED_RESCHED flag. A later callback in the resume path invoked\ncond_resched() which in turn led to the invocation of the scheduler:\n\n  __cond_resched+0x21/0x60\n  down_timeout+0x18/0x60\n  acpi_os_wait_semaphore+0x4c/0x80\n  acpi_ut_acquire_mutex+0x3d/0x100\n  acpi_ns_get_node+0x27/0x60\n  acpi_ns_evaluate+0x1cb/0x2d0\n  acpi_rs_set_srs_method_data+0x156/0x190\n  acpi_pci_link_set+0x11c/0x290\n  irqrouter_resume+0x54/0x60\n  syscore_resume+0x6a/0x200\n  kernel_kexec+0x145/0x1c0\n  __do_sys_reboot+0xeb/0x240\n  do_syscall_64+0x95/0x180\n\nThis is a long standing problem, which probably got more visible with\nthe recent printk changes. Something does a task wakeup and the\nscheduler sets the NEED_RESCHED flag. cond_resched() sees it set and\ninvokes schedule() from a completely bogus context. The scheduler\nenables interrupts after context switching, which causes the above\nwarning at the end.\n\nQuite some of the code paths in syscore_suspend()/resume() can result in\ntriggering a wakeup with the exactly same consequences. They might not\nhave done so yet, but as they share a lot of code with normal operations\nit's just a question of time.\n\nThe problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling\nmodels. Full preemption is not affected as cond_resched() is disabled and\nthe preemption check preemptible() takes the interrupt disabled flag into\naccount.\n\nCure the problem by adding a corresponding check into cond_resched().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Add shadow buffering for deferred I/O\n\nDMA areas are not necessarily backed by struct page, so we cannot\nrely on it for deferred I/O. Allocate a shadow buffer for drivers\nthat require deferred I/O and use it as framebuffer memory.\n\nFixes driver errors about being \"Unable to handle kernel NULL pointer\ndereference at virtual address\" or \"Unable to handle kernel paging\nrequest at virtual address\".\n\nThe patch splits drm_fbdev_dma_driver_fbdev_probe() in an initial\nallocation, which creates the DMA-backed buffer object, and a tail\nthat sets up the fbdev data structures. There is a tail function for\ndirect memory mappings and a tail function for deferred I/O with\nthe shadow buffer.\n\nIt is no longer possible to use deferred I/O without shadow buffer.\nIt can be re-added if there exists a reliably test for usable struct\npage in the allocated DMA-backed buffer object.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix legacy client tracking initialization\n\nGet rid of the nfsd4_legacy_tracking_ops->init() call in\ncheck_for_legacy_methods().  That will be handled in the caller\n(nfsd4_client_tracking_init()).  Otherwise, we'll wind up calling\nnfsd4_legacy_tracking_ops->init() twice, and the second time we'll\ntrigger the BUG_ON() in nfsd4_init_recdir().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2024-58093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix link state exit during switch upstream function removal\n\nBefore 456d8aa37d0f (\"PCI/ASPM: Disable ASPM on MFD function removal to\navoid use-after-free\"), we would free the ASPM link only after the last\nfunction on the bus pertaining to the given link was removed.\n\nThat was too late. If function 0 is removed before sibling function,\nlink->downstream would point to free'd memory after.\n\nAfter above change, we freed the ASPM parent link state upon any function\nremoval on the bus pertaining to a given link.\n\nThat is too early. If the link is to a PCIe switch with MFD on the upstream\nport, then removing functions other than 0 first would free a link which\nstill remains parent_link to the remaining downstream ports.\n\nThe resulting GPFs are especially frequent during hot-unplug, because\npciehp removes devices on the link bus in reverse order.\n\nOn that switch, function 0 is the virtual P2P bridge to the internal bus.\nFree exactly when function 0 is removed -- before the parent link is\nobsolete, but after all subordinate links are gone.\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2024-58094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add check read-only before truncation in jfs_truncate_nolock()\n\nAdded a check for \"read-only\" mode in the `jfs_truncate_nolock`\nfunction to avoid errors related to writing to a read-only\nfilesystem.\n\nCall stack:\n\nblock_write_begin() {\n  jfs_write_failed() {\n    jfs_truncate() {\n      jfs_truncate_nolock() {\n        txEnd() {\n          ...\n          log = JFS_SBI(tblk->sb)->log;\n          // (log == NULL)\n\nIf the `isReadOnly(ip)` condition is triggered in\n`jfs_truncate_nolock`, the function execution will stop, and no\nfurther data modification will occur. Instead, the `xtTruncate`\nfunction will be called with the \"COMMIT_WMAP\" flag, preventing\nmodifications in \"read-only\" mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2024-58095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add check read-only before txBeginAnon() call\n\nAdded a read-only check before calling `txBeginAnon` in `extAlloc`\nand `extRecord`. This prevents modification attempts on a read-only\nmounted filesystem, avoiding potential errors or crashes.\n\nCall trace:\n txBeginAnon+0xac/0x154\n extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78\n jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248\n __block_write_begin_int+0x580/0x166c fs/buffer.c:2128\n __block_write_begin fs/buffer.c:2177 [inline]\n block_write_begin+0x98/0x11c fs/buffer.c:2236\n jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2024-58096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode\n\nath11k_hal_srng_* should be used with srng->lock to protect srng data.\n\nFor ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(),\nthey use ath11k_hal_srng_* for many times but never call srng->lock.\n\nSo when running (full) monitor mode, warning will occur:\nRIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]\nCall Trace:\n ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]\n ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k]\n ? idr_alloc_u32+0x97/0xd0\n ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k]\n ath11k_dp_service_srng+0x289/0x5a0 [ath11k]\n ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k]\n __napi_poll+0x30/0x1f0\n net_rx_action+0x198/0x320\n __do_softirq+0xdd/0x319\n\nSo add srng->lock for them to avoid such warnings.\n\nInorder to fetch the srng->lock, should change srng's definition from\n'void' to 'struct hal_srng'. And initialize them elsewhere to prevent\none line of code from being too long. This is consistent with other ring\nprocess functions, such as ath11k_dp_process_rx().\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2024-58097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix RCU stall while reaping monitor destination ring\n\nWhile processing the monitor destination ring, MSDUs are reaped from the\nlink descriptor based on the corresponding buf_id.\n\nHowever, sometimes the driver cannot obtain a valid buffer corresponding\nto the buf_id received from the hardware. This causes an infinite loop\nin the destination processing, resulting in a kernel crash.\n\nkernel log:\nath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309\nath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed\nath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309\nath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed\n\nFix this by skipping the problematic buf_id and reaping the next entry,\nreplacing the break with the next MSDU processing.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2024-58098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: track changes_pkt_data property for global functions\n\nWhen processing calls to certain helpers, verifier invalidates all\npacket pointers in a current state. For example, consider the\nfollowing program:\n\n    __attribute__((__noinline__))\n    long skb_pull_data(struct __sk_buff *sk, __u32 len)\n    {\n        return bpf_skb_pull_data(sk, len);\n    }\n\n    SEC(\"tc\")\n    int test_invalidate_checks(struct __sk_buff *sk)\n    {\n        int *p = (void *)(long)sk->data;\n        if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP;\n        skb_pull_data(sk, 0);\n        *p = 42;\n        return TCX_PASS;\n    }\n\nAfter a call to bpf_skb_pull_data() the pointer 'p' can't be used\nsafely. See function filter.c:bpf_helper_changes_pkt_data() for a list\nof such helpers.\n\nAt the moment verifier invalidates packet pointers when processing\nhelper function calls, and does not traverse global sub-programs when\nprocessing calls to global sub-programs. This means that calls to\nhelpers done from global sub-programs do not invalidate pointers in\nthe caller state. E.g. the program above is unsafe, but is not\nrejected by verifier.\n\nThis commit fixes the omission by computing field\nbpf_subprog_info->changes_pkt_data for each sub-program before main\nverification pass.\nchanges_pkt_data should be set if:\n- subprogram calls helper for which bpf_helper_changes_pkt_data\n  returns true;\n- subprogram calls a global function,\n  for which bpf_subprog_info->changes_pkt_data should be set.\n\nThe verifier.c:check_cfg() pass is modified to compute this\ninformation. The commit relies on depth first instruction traversal\ndone by check_cfg() and absence of recursive function calls:\n- check_cfg() would eventually visit every call to subprogram S in a\n  state when S is fully explored;\n- when S is fully explored:\n  - every direct helper call within S is explored\n    (and thus changes_pkt_data is set if needed);\n  - every call to subprogram S1 called by S was visited with S1 fully\n    explored (and thus S inherits changes_pkt_data from S1).\n\nThe downside of such approach is that dead code elimination is not\ntaken into account: if a helper call inside global function is dead\nbecause of current configuration, verifier would conservatively assume\nthat the call occurs for the purpose of the changes_pkt_data\ncomputation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-58099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame\n\nAndrew and Nikolay reported connectivity issues with Cilium's service\nload-balancing in case of vmxnet3.\n\nIf a BPF program for native XDP adds an encapsulation header such as\nIPIP and transmits the packet out the same interface, then in case\nof vmxnet3 a corrupted packet is being sent and subsequently dropped\non the path.\n\nvmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp()\nthrough vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:\n\n  page = virt_to_page(xdpf->data);\n  tbi->dma_addr = page_pool_get_dma_addr(page) +\n                  VMXNET3_XDP_HEADROOM;\n  dma_sync_single_for_device(&adapter->pdev->dev,\n                             tbi->dma_addr, buf_size,\n                             DMA_TO_DEVICE);\n\nThe above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP\nBPF program could have moved xdp->data. While the passed buf_size is\ncorrect (xdpf->len), the dma_addr needs to have a dynamic offset which\ncan be calculated as xdpf->data - (void *)xdpf, that is, xdp->data -\nxdp->data_hard_start.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2024-58100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: check changes_pkt_data property for extension programs\n\nWhen processing calls to global sub-programs, verifier decides whether\nto invalidate all packet pointers in current state depending on the\nchanges_pkt_data property of the global sub-program.\n\nBecause of this, an extension program replacing a global sub-program\nmust be compatible with changes_pkt_data property of the sub-program\nbeing replaced.\n\nThis commit:\n- adds changes_pkt_data flag to struct bpf_prog_aux:\n  - this flag is set in check_cfg() for main sub-program;\n  - in jit_subprogs() for other sub-programs;\n- modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;\n- moves call to check_attach_btf_id() after the call to check_cfg(),\n  because it needs changes_pkt_data flag to be set:\n\n    bpf_check:\n      ...                             ...\n    - check_attach_btf_id             resolve_pseudo_ldimm64\n      resolve_pseudo_ldimm64   -->    bpf_prog_is_offloaded\n      bpf_prog_is_offloaded           check_cfg\n      check_cfg                     + check_attach_btf_id\n      ...                             ...\n\nThe following fields are set by check_attach_btf_id():\n- env->ops\n- prog->aux->attach_btf_trace\n- prog->aux->attach_func_name\n- prog->aux->attach_func_proto\n- prog->aux->dst_trampoline\n- prog->aux->mod\n- prog->aux->saved_dst_attach_type\n- prog->aux->saved_dst_prog_type\n- prog->expected_attach_type\n\nNeither of these fields are used by resolve_pseudo_ldimm64() or\nbpf_prog_offload_verifier_prep() (for netronome and netdevsim\ndrivers), so the reordering is safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-58237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: consider that tail calls invalidate packet pointers\n\nTail-called programs could execute any of the helpers that invalidate\npacket pointers. Hence, conservatively assume that each tail call\ninvalidates packet pointers.\n\nMaking the change in bpf_helper_changes_pkt_data() automatically makes\nuse of check_cfg() logic that computes 'changes_pkt_data' effect for\nglobal sub-programs, such that the following program could be\nrejected:\n\n    int tail_call(struct __sk_buff *sk)\n    {\n    \tbpf_tail_call_static(sk, &jmp_table, 0);\n    \treturn 0;\n    }\n\n    SEC(\"tc\")\n    int not_safe(struct __sk_buff *sk)\n    {\n    \tint *p = (void *)(long)sk->data;\n    \t... make p valid ...\n    \ttail_call(sk);\n    \t*p = 42; /* this is unsafe */\n    \t...\n    }\n\nThe tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that\ncan invalidate packet pointers. Otherwise, it can't be freplaced with\ntailcall_freplace.c:entry_freplace() that does a tail call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2024-58238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Resolve TX timeout error in power save stress test\n\nThis fixes the tx timeout issue seen while running a stress test on\nbtnxpuart for a couple of hours, such that the interval between two HCI\ncommands coincides with the power save timeout value of 2 seconds.\n\nTest procedure using bash script:\n<load btnxpuart.ko>\nhciconfig hci0 up\n//Enable Power Save feature\nhcitool -i hci0 cmd 3f 23 02 00 00\nwhile (true)\ndo\n    hciconfig hci0 leadv\n    sleep 2\n    hciconfig hci0 noleadv\n    sleep 2\ndone\n\nError log, after adding a few more debug prints:\nBluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00\nBluetooth: hci0: Set UART break: on, status=0\nBluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled\nBluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00\nCan't set advertise mode on hci0: Connection timed out (110)\nBluetooth: hci0: command 0x200a tx timeout\n\nWhen the power save mechanism turns on UART break, and btnxpuart_tx_work()\nis scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE,\nwhich prevents the psdata->work from being scheduled, which is responsible\nto turn OFF UART break.\n\nThis issue is fixed by adding a ps_lock mutex around UART break on/off as\nwell as around ps_state read/write.\nbtnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is\nPS_STATE_SLEEP, it will first schedule psdata->work, and then it will\nreschedule itself once UART break has been turned off and ps_state is\nPS_STATE_AWAKE.\n\nTested the above script for 50,000 iterations and TX timeout error was not\nobserved anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.9"
        },
        {
          "id": "CVE-2024-58239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: stop recv() if initial process_rx_list gave us non-DATA\n\nIf we have a non-DATA record on the rx_list and another record of the\nsame type still on the queue, we will end up merging them:\n - process_rx_list copies the non-DATA record\n - we start the loop and process the first available record since it's\n   of the same type\n - we break out of the loop since the record was not DATA\n\nJust check the record type and jump to the end in case process_rx_list\ndid some work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-58240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: separate no-async decryption request handling from async\n\nIf we're not doing async, the handling is much simpler. There's no\nreference counting, we just need to wait for the completion to wake us\nup and return its result.\n\nWe should preferably also use a separate crypto_wait. I'm not seeing a\nUAF as I did in the past, I think aec7961916f3 (\"tls: fix race between\nasync notify and socket close\") took care of it.\n\nThis will make the next fix easier.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.8"
        },
        {
          "id": "CVE-2024-58241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Disable works on hci_unregister_dev\n\nThis makes use of disable_work_* on hci_unregister_dev since the hci_dev is\nabout to be freed and new submissions are not desirable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-58241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12"
        },
        {
          "id": "CVE-2025-21629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\n\nThe blamed commit disabled hardware offload of IPv6 packets with\nextension headers on devices that advertise NETIF_F_IPV6_CSUM,\nbased on the definition of that feature in skbuff.h:\n\n *   * - %NETIF_F_IPV6_CSUM\n *     - Driver (device) is only able to checksum plain\n *       TCP or UDP packets over IPv6. These are specifically\n *       unencapsulated packets of the form IPv6|TCP or\n *       IPv6|UDP where the Next Header field in the IPv6\n *       header is either TCP or UDP. IPv6 extension headers\n *       are not supported with this feature. This feature\n *       cannot be set in features for a device with\n *       NETIF_F_HW_CSUM also set. This feature is being\n *       DEPRECATED (see below).\n\nThe change causes skb_warn_bad_offload to fire for BIG TCP\npackets.\n\n[  496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0\n\n[  496.310297]  ? skb_warn_bad_offload+0xc4/0xe0\n[  496.310300]  skb_checksum_help+0x129/0x1f0\n[  496.310303]  skb_csum_hwoffload_help+0x150/0x1b0\n[  496.310306]  validate_xmit_skb+0x159/0x270\n[  496.310309]  validate_xmit_skb_list+0x41/0x70\n[  496.310312]  sch_direct_xmit+0x5c/0x250\n[  496.310317]  __qdisc_run+0x388/0x620\n\nBIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to\ncommunicate packet length, as this is an IPv6 jumbogram. But, the\nfeature is only enabled on devices that support BIG TCP TSO. The\nheader is only present for PF_PACKET taps like tcpdump, and not\ntransmitted by physical devices.\n\nFor this specific case of extension headers that are not\ntransmitted, return to the situation before the blamed commit\nand support hardware offload.\n\nipv6_has_hopopt_jumbo() tests not only whether this header is present,\nbut also that it is the only extension header before a terminal (L4)\nheader.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix waker_bfqq UAF after bfq_split_bfqq()\n\nOur syzkaller reported the following UAF for v6.6:\n\nBUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\nRead of size 8 at addr ffff8881b57147d8 by task fsstress/232726\n\nCPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\n print_report+0x3e/0x70 mm/kasan/report.c:475\n kasan_report+0xb8/0xf0 mm/kasan/report.c:588\n hlist_add_head include/linux/list.h:1023 [inline]\n bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230\n __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567\n ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947\n ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182\n ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660\n ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569\n iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91\n iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80\n ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051\n ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220\n do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811\n __do_sys_ioctl fs/ioctl.c:869 [inline]\n __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nAllocated by task 232719:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:768 [inline]\n slab_alloc_node mm/slub.c:3492 [inline]\n kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537\n bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869\n bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776\n bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938\n bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\n bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\n blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\n blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n __submit_bio+0xa0/0x6b0 block/blk-core.c:639\n __submit_bio_noacct_mq block/blk-core.c:718 [inline]\n submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\n submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n __ext4_read_bh fs/ext4/super.c:205 [inline]\n ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217\n ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242\n ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958\n __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671\n ext4_lookup_entry fs/ext4/namei.c:1774 [inline]\n ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842\n ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839\n __lookup_slow+0x257/0x480 fs/namei.c:1696\n lookup_slow fs/namei.c:1713 [inline]\n walk_component+0x454/0x5c0 fs/namei.c:2004\n link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331\n link_path_walk fs/namei.c:3826 [inline]\n path_openat+0x1b9/0x520 fs/namei.c:3826\n do_filp_open+0x1b7/0x400 fs/namei.c:3857\n do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428\n do_sys_open fs/open.c:1443 [inline]\n __do_sys_openat fs/open.c:1459 [inline]\n __se_sys_openat fs/open.c:1454 [inline]\n __x64_sys_openat+0x148/0x200 fs/open.c:1454\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_6\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Ensure shadow stack is active before \"getting\" registers\n\nThe x86 shadow stack support has its own set of registers. Those registers\nare XSAVE-managed, but they are \"supervisor state components\" which means\nthat userspace can not touch them with XSAVE/XRSTOR.  It also means that\nthey are not accessible from the existing ptrace ABI for XSAVE state.\nThus, there is a new ptrace get/set interface for it.\n\nThe regset code that ptrace uses provides an ->active() handler in\naddition to the get/set ones. For shadow stack this ->active() handler\nverifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the\nthread struct. The ->active() handler is checked from some call sites of\nthe regset get/set handlers, but not the ptrace ones. This was not\nunderstood when shadow stack support was put in place.\n\nAs a result, both the set/get handlers can be called with\nXFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to\nreturn NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an\nssp_active() check to avoid surprising the kernel with shadow stack\nbehavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That\ncheck just happened to avoid the warning.\n\nBut the ->get() side wasn't so lucky. It can be called with shadow stacks\ndisabled, triggering the warning in practice, as reported by Christina\nSchimpe:\n\nWARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0\n[...]\nCall Trace:\n<TASK>\n? show_regs+0x6e/0x80\n? ssp_get+0x89/0xa0\n? __warn+0x91/0x150\n? ssp_get+0x89/0xa0\n? report_bug+0x19d/0x1b0\n? handle_bug+0x46/0x80\n? exc_invalid_op+0x1d/0x80\n? asm_exc_invalid_op+0x1f/0x30\n? __pfx_ssp_get+0x10/0x10\n? ssp_get+0x89/0xa0\n? ssp_get+0x52/0xa0\n__regset_get+0xad/0xf0\ncopy_regset_to_user+0x52/0xc0\nptrace_regset+0x119/0x140\nptrace_request+0x13c/0x850\n? wait_task_inactive+0x142/0x1d0\n? do_syscall_64+0x6d/0x90\narch_ptrace+0x102/0x300\n[...]\n\nEnsure that shadow stacks are active in a thread before looking them up\nin the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are\nset at the same time, the active check ensures that there will be\nsomething to find in the XSAVE buffer.\n\n[ dhansen: changelog/subject tweaks ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: remove kernfs active break\n\nA warning was found:\n\nWARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828\nCPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G\nRIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0\nRSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202\nRAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000\nRDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04\nRBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180\nR10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08\nR13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0\nFS:  00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n kernfs_drain+0x15e/0x2f0\n __kernfs_remove+0x165/0x300\n kernfs_remove_by_name_ns+0x7b/0xc0\n cgroup_rm_file+0x154/0x1c0\n cgroup_addrm_files+0x1c2/0x1f0\n css_clear_dir+0x77/0x110\n kill_css+0x4c/0x1b0\n cgroup_destroy_locked+0x194/0x380\n cgroup_rmdir+0x2a/0x140\n\nIt can be explained by:\nrmdir \t\t\t\techo 1 > cpuset.cpus\n\t\t\t\tkernfs_fop_write_iter // active=0\ncgroup_rm_file\nkernfs_remove_by_name_ns\tkernfs_get_active // active=1\n__kernfs_remove\t\t\t\t\t  // active=0x80000002\nkernfs_drain\t\t\tcpuset_write_resmask\nwait_event\n//waiting (active == 0x80000001)\n\t\t\t\tkernfs_break_active_protection\n\t\t\t\t// active = 0x80000001\n// continue\n\t\t\t\tkernfs_unbreak_active_protection\n\t\t\t\t// active = 0x80000002\n...\nkernfs_should_drain_open_files\n// warning occurs\n\t\t\t\tkernfs_put_active\n\nThis warning is caused by 'kernfs_break_active_protection' when it is\nwriting to cpuset.cpus, and the cgroup is removed concurrently.\n\nThe commit 3a5a6d0c2b03 (\"cpuset: don't nest cgroup_mutex inside\nget_online_cpus()\") made cpuset_hotplug_workfn asynchronous. This change\ninvolves calling flush_work(), which can create a multiple processes\ncircular locking dependency that involves cgroup_mutex, potentially leading\nto a deadlock. To avoid deadlock, the commit 76bb5ab8f6e3 (\"cpuset: break\nkernfs active protection in cpuset_write_resmask()\") added\n'kernfs_break_active_protection' in the cpuset_write_resmask. This could\nlead to this warning.\n\nAfter the commit 2125c0034c5d (\"cgroup/cpuset: Make cpuset hotplug\nprocessing synchronous\"), the cpuset_write_resmask no longer needs to\nwait for the hotplug to finish, which means that concurrent hotplug and cpuset\noperations are no longer possible. Therefore, the deadlock doesn't exist\nanymore and it does not have to 'break active protection' now. To fix this\nwarning, just remove kernfs_break_active_protection operation in the\n'cpuset_write_resmask'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe per-netns structure can be obtained from the table->data using\ncontainer_of(), then the 'net' one can be retrieved from the listen\nsocket (if available).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'net' structure can be obtained from the table->data using\ncontainer_of().\n\nNote that table->data could also be used directly, as this is the only\nmember needed from the 'net' structure, but that would increase the size\nof this fix, to use '*data' everywhere 'net->sctp.probe_interval' is\nused.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: udp_port: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'net' structure can be obtained from the table->data using\ncontainer_of().\n\nNote that table->data could also be used directly, but that would\nincrease the size of this fix, while 'sctp.ctl_sock' still needs to be\nretrieved from 'net' structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: auth_enable: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'net' structure can be obtained from the table->data using\ncontainer_of().\n\nNote that table->data could also be used directly, but that would\nincrease the size of this fix, while 'sctp.ctl_sock' still needs to be\nretrieved from 'net' structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: rto_min/max: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'net' structure can be obtained from the table->data using\ncontainer_of().\n\nNote that table->data could also be used directly, as this is the only\nmember needed from the 'net' structure, but that would increase the size\nof this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy\n\nAs mentioned in a previous commit of this series, using the 'net'\nstructure via 'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'net' structure can be obtained from the table->data using\ncontainer_of().\n\nNote that table->data could also be used directly, as this is the only\nmember needed from the 'net' structure, but that would increase the size\nof this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is\nused.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: sysctl: blackhole timeout: avoid using current->nsproxy\n\nAs mentioned in the previous commit, using the 'net' structure via\n'current' is not recommended for different reasons:\n\n- Inconsistency: getting info from the reader's/writer's netns vs only\n  from the opener's netns.\n\n- current->nsproxy can be NULL in some cases, resulting in an 'Oops'\n  (null-ptr-deref), e.g. when the current task is exiting, as spotted by\n  syzbot [1] using acct(2).\n\nThe 'pernet' structure can be obtained from the table->data using\ncontainer_of().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: sysctl: sched: avoid using current->nsproxy\n\nUsing the 'net' structure via 'current' is not recommended for different\nreasons.\n\nFirst, if the goal is to use it to read or write per-netns data, this is\ninconsistent with how the \"generic\" sysctl entries are doing: directly\nby only using pointers set to the table entry, e.g. table->data. Linked\nto that, the per-netns data should always be obtained from the table\nlinked to the netns it had been created for, which may not coincide with\nthe reader's or writer's netns.\n\nAnother reason is that access to current->nsproxy->netns can oops if\nattempted when current->nsproxy had been dropped when the current task\nis exiting. This is what syzbot found, when using acct(2):\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n  KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n  CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125\n  Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00\n  RSP: 0018:ffffc900034774e8 EFLAGS: 00010206\n\n  RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620\n  RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028\n  RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040\n  R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000\n  R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000\n  FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n  CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601\n   __kernel_write_iter+0x318/0xa80 fs/read_write.c:612\n   __kernel_write+0xf6/0x140 fs/read_write.c:632\n   do_acct_process+0xcb0/0x14a0 kernel/acct.c:539\n   acct_pin_kill+0x2d/0x100 kernel/acct.c:192\n   pin_kill+0x194/0x7c0 fs/fs_pin.c:44\n   mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81\n   cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366\n   task_work_run+0x14e/0x250 kernel/task_work.c:239\n   exit_task_work include/linux/task_work.h:43 [inline]\n   do_exit+0xad8/0x2d70 kernel/exit.c:938\n   do_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n   get_signal+0x2576/0x2610 kernel/signal.c:3017\n   arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n   exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n   syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n   do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fee3cb87a6a\n  Code: Unable to access opcode bytes at 0x7fee3cb87a40.\n  RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037\n  RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a\n  RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7\n  R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500\n  R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000\n   </TASK>\n  Modules linked in:\n  ---[ end trace 0000000000000000 ]---\n  RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125\n  Code: 03 42 
80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel async DIO\n\nNetfslib needs to be able to handle kernel-initiated asynchronous DIO that\nis supplied with a bio_vec[] array.  Currently, because of the async flag,\nthis gets passed to netfs_extract_user_iter() which throws a warning and\nfails because it only handles IOVEC and UBUF iterators.  This can be\ntriggered through a combination of cifs and a loopback blockdev with\nsomething like:\n\n        mount //my/cifs/share /foo\n        dd if=/dev/zero of=/foo/m0 bs=4K count=1K\n        losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0\n        echo hello >/dev/loop2046\n\nThis causes the following to appear in syslog:\n\n        WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs]\n\nand the write to fail.\n\nFix this by removing the check in netfs_unbuffered_write_iter_locked() that\ncauses async kernel DIO writes to be handled as userspace writes.  Note\nthat this change relies on the kernel caller maintaining the existence of\nthe bio_vec array (or kvec[] or folio_queue) until the op is complete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix tlb invalidation when wedging\n\nIf GuC fails to load, the driver wedges, but in the process it tries to\ndo stuff that may not be initialized yet. This moves the\nxe_gt_tlb_invalidation_init() to be done earlier: as its own doc says,\nit's a software-only initialization and should have been named with the\n_early() suffix.\n\nMove it to be called by xe_gt_init_early(), so the locks and seqno are\ninitialized, avoiding a NULL ptr deref when wedging:\n\n\txe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01\n\txe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed\n\txe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged.\n\t...\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t#PF: supervisor read access in kernel mode\n\t#PF: error_code(0x0000) - not-present page\n\tPGD 0 P4D 0\n\tOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n\tCPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G     U  W          6.13.0-rc4-xe+ #3\n\tTainted: [U]=USER, [W]=WARN\n\tHardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022\n\tRIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe]\n\nThis can be easily triggered by poking the GuC binary to force a\nsignature failure. There will still be an extra message,\n\n\txe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100\n\nbut that's better than a NULL ptr deref.\n\n(cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it\n\nWakeup for IRQ1 should be disabled only in cases where i8042 had\nactually enabled it, otherwise \"wake_depth\" for this IRQ will try to\ndrop below zero and there will be an unpleasant WARN() logged:\n\nkernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug\nkernel: ------------[ cut here ]------------\nkernel: Unbalanced IRQ 1 wake disable\nkernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0\n\nThe PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops\nwhich sets amd_pmc_suspend_handler() to the .suspend, .freeze, and\n.poweroff handlers. i8042_pm_suspend(), however, is only set as\nthe .suspend handler.\n\nFix the issue by calling the PMC suspend handler only from the same set of\ndev_pm_ops handlers as i8042_pm_suspend(), which currently means just\nthe .suspend handler.\n\nTo reproduce this issue, try hibernating (S4) the machine after a fresh boot\nwithout putting it into s2idle first.\n\n[ij: edited the commit message.]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix the maximum cell name length\n\nThe kafs filesystem limits the maximum length of a cell to 256 bytes, but a\nproblem occurs if someone actually does that: kafs tries to create a\ndirectory under /proc/net/afs/ with the name of the cell, but that fails\nwith a warning:\n\n        WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405\n\nbecause procfs limits the maximum filename length to 255.\n\nHowever, the DNS limits the maximum lookup length and, by extension, the\nmaximum cell name, to 255 less two (length count and trailing NUL).\n\nFix this by limiting the maximum acceptable cellname length to 253.  This\nalso allows us to be sure we can create the \"/afs/.<cell>/\" mountpoint too.\n\nFurther, split the YFS VL record cell name maximum to be the 256 allowed by\nthe protocol and ignore the record retrieved by YFSVL.GetCellName if it\nexceeds 253.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: sch_cake: add bounds checks to host bulk flow fairness counts\n\nEven though we fixed a logic error in the commit cited below, syzbot\nstill managed to trigger an underflow of the per-host bulk flow\ncounters, leading to an out of bounds memory access.\n\nTo avoid any such logic errors causing out of bounds memory accesses,\nthis commit factors out all accesses to the per-host bulk flow counters\nto a series of helpers that perform bounds-checking before any\nincrements and decrements. This also has the benefit of improving\nreadability by moving the conditional checks for the flow mode into\nthese helpers, instead of having them spread out throughout the\ncode (which was the cause of the original logic error).\n\nAs part of this change, the flow quantum calculation is consolidated\ninto a helper function, which means that the dithering applied to the\nhost load scaling is now applied both in the DRR rotation and when a\nsparse flow's quantum is first initiated. The only user-visible effect\nof this is that the maximum packet size that can be sent while a flow\nstays sparse will now vary with +/- one byte in some cases. This should\nnot make a noticeable difference in practice, and thus it's not worth\ncomplicating the code to preserve the old behaviour.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: clamp maximum hashtable size to INT_MAX\n\nUse INT_MAX as maximum size for the conntrack hashtable. Otherwise, it\nis possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when\nresizing hashtable because __GFP_NOWARN is unset. See:\n\n  0708a0afe291 (\"mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls\")\n\nNote: hashtable resize is only possible from init_netns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when 1588 is sent on HIP08 devices\n\nCurrently, HIP08 devices do not register the ptp devices, so the\nhdev->ptp is NULL. But the tx process would still try to set hardware time\nstamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash.\n\n[  128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[  128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge]\n[  128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge]\n[  128.292938] sp : ffff800059b93140\n[  128.297200] x29: ffff800059b93140 x28: 0000000000003280\n[  128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080\n[  128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001\n[  128.315969] x23: 0000000000000000 x22: 0000000000000194\n[  128.322219] x21: ffff0cd94f986000 x20: 0000000000000000\n[  128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000\n[  128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24\n[  128.340934] x15: 0000ffffd530a518 x14: 0000000000000000\n[  128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368\n[  128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02\n[  128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0\n[  128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000\n[  128.372040] x5 : 0000000000000000 x4 : 000000000000ffff\n[  128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294\n[  128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080\n[  128.390626] Call trace:\n[  128.393964]  hclge_ptp_set_tx_info+0x2c/0x140 [hclge]\n[  128.399893]  hns3_nic_net_xmit+0x39c/0x4c4 [hns3]\n[  128.405468]  xmit_one.constprop.0+0xc4/0x200\n[  128.410600]  dev_hard_start_xmit+0x54/0xf0\n[  128.415556]  sch_direct_xmit+0xe8/0x634\n[  128.420246]  __dev_queue_xmit+0x224/0xc70\n[  128.425101]  dev_queue_xmit+0x1c/0x40\n[  128.429608]  ovs_vport_send+0xac/0x1a0 [openvswitch]\n[  128.435409]  do_output+0x60/0x17c [openvswitch]\n[  128.440770]  do_execute_actions+0x898/0x8c4 [openvswitch]\n[  128.446993]  ovs_execute_actions+0x64/0xf0 [openvswitch]\n[  128.453129]  ovs_dp_process_packet+0xa0/0x224 [openvswitch]\n[  128.459530]  ovs_vport_receive+0x7c/0xfc [openvswitch]\n[  128.465497]  internal_dev_xmit+0x34/0xb0 [openvswitch]\n[  128.471460]  xmit_one.constprop.0+0xc4/0x200\n[  128.476561]  dev_hard_start_xmit+0x54/0xf0\n[  128.481489]  __dev_queue_xmit+0x968/0xc70\n[  128.486330]  dev_queue_xmit+0x1c/0x40\n[  128.490856]  ip_finish_output2+0x250/0x570\n[  128.495810]  __ip_finish_output+0x170/0x1e0\n[  128.500832]  ip_finish_output+0x3c/0xf0\n[  128.505504]  ip_output+0xbc/0x160\n[  128.509654]  ip_send_skb+0x58/0xd4\n[  128.513892]  udp_send_skb+0x12c/0x354\n[  128.518387]  udp_sendmsg+0x7a8/0x9c0\n[  128.522793]  inet_sendmsg+0x4c/0x8c\n[  128.527116]  __sock_sendmsg+0x48/0x80\n[  128.531609]  __sys_sendto+0x124/0x164\n[  128.536099]  __arm64_sys_sendto+0x30/0x5c\n[  128.540935]  invoke_syscall+0x50/0x130\n[  128.545508]  el0_svc_common.constprop.0+0x10c/0x124\n[  128.551205]  do_el0_svc+0x34/0xdc\n[  128.555347]  el0_svc+0x20/0x30\n[  128.559227]  el0_sync_handler+0xb8/0xc0\n[  128.563883]  el0_sync+0x160/0x180",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue\n\nThe TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs\n1024-1279 are in different BAR space addresses. However,\nhclge_fetch_pf_reg does not distinguish the tqp space information when\nreading the tqp space information. When the number of TQPs is greater\nthan 1024, access bar space overwriting occurs.\nThe problem of different segments has been considered during the\ninitialization of tqp.io_base. Therefore, tqp.io_base is directly used\nwhen the queue is read in hclge_fetch_pf_reg.\n\nThe error message:\n\nUnable to handle kernel paging request at virtual address ffff800037200000\npc : hclge_fetch_pf_reg+0x138/0x250 [hclge]\nlr : hclge_get_regs+0x84/0x1d0 [hclge]\nCall trace:\n hclge_fetch_pf_reg+0x138/0x250 [hclge]\n hclge_get_regs+0x84/0x1d0 [hclge]\n hns3_get_regs+0x2c/0x50 [hns3]\n ethtool_get_regs+0xf4/0x270\n dev_ethtool+0x674/0x8a0\n dev_ioctl+0x270/0x36c\n sock_do_ioctl+0x110/0x2a0\n sock_ioctl+0x2ac/0x530\n __arm64_sys_ioctl+0xa8/0x100\n invoke_syscall+0x4c/0x124\n el0_svc_common.constprop.0+0x140/0x15c\n do_el0_svc+0x30/0xd0\n el0_svc+0x1c/0x2c\n el0_sync_handler+0xb0/0xb4\n el0_sync+0x168/0x180",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: don't auto enable misc vector\n\nCurrently, there is a time window between misc irq enabled\nand service task inited. If an interrupt is reported at\nthis time, it will cause a warning like below:\n\n[   16.324639] Call trace:\n[   16.324641]  __queue_delayed_work+0xb8/0xe0\n[   16.324643]  mod_delayed_work_on+0x78/0xd0\n[   16.324655]  hclge_errhand_task_schedule+0x58/0x90 [hclge]\n[   16.324662]  hclge_misc_irq_handle+0x168/0x240 [hclge]\n[   16.324666]  __handle_irq_event_percpu+0x64/0x1e0\n[   16.324667]  handle_irq_event+0x80/0x170\n[   16.324670]  handle_fasteoi_edge_irq+0x110/0x2bc\n[   16.324671]  __handle_domain_irq+0x84/0xfc\n[   16.324673]  gic_handle_irq+0x88/0x2c0\n[   16.324674]  el1_irq+0xb8/0x140\n[   16.324677]  arch_cpu_idle+0x18/0x40\n[   16.324679]  default_idle_call+0x5c/0x1bc\n[   16.324682]  cpuidle_idle_call+0x18c/0x1c4\n[   16.324684]  do_idle+0x174/0x17c\n[   16.324685]  cpu_startup_entry+0x30/0x6c\n[   16.324687]  secondary_start_kernel+0x1a4/0x280\n[   16.324688] ---[ end trace 6aa0bff672a964aa ]---\n\nSo don't auto enable the misc vector when requesting the irq.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix use-after-free in ipvlan_get_iflink().\n\nsyzbot presented an use-after-free report [0] regarding ipvlan and\nlinkwatch.\n\nipvlan does not hold a refcnt of the lower device unlike vlan and\nmacvlan.\n\nIf the linkwatch work is triggered for the ipvlan dev, the lower dev\nmight have already been freed, resulting in UAF of ipvlan->phy_dev in\nipvlan_get_iflink().\n\nWe can delay the lower dev unregistration like vlan and macvlan by\nholding the lower dev's refcnt in dev->netdev_ops->ndo_init() and\nreleasing it in dev->priv_destructor().\n\nJakub pointed out calling .ndo_XXX after unregister_netdevice() has\nreturned is error prone and suggested [1] addressing this UAF in the\ncore by taking commit 750e51603395 (\"net: avoid potential UAF in\ndefault_operstate()\") further.\n\nLet's assume unregistering devices DOWN and use RCU protection in\ndefault_operstate() not to race with the device unregistration.\n\n[0]:\nBUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\nRead of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944\n\nCPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47\nHardware name: linux,dummy-virt (DT)\nWorkqueue: events_unbound linkwatch_event\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380\n ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353\n dev_get_iflink+0x7c/0xd8 net/core/dev.c:674\n default_operstate net/core/link_watch.c:45 [inline]\n rfc2863_policy+0x144/0x360 
net/core/link_watch.c:72\n linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175\n __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239\n linkwatch_event+0x64/0xa8 net/core/link_watch.c:282\n process_one_work+0x700/0x1398 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391\n kthread+0x2b0/0x360 kernel/kthread.c:389\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862\n\nAllocated by task 9303:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4283 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650\n alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209\n rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771\n __rtnl_newlink net/core/rtnetlink.c:3896 [inline]\n rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg net/socket.c:726 [inline]\n __sys_sendto+0x2ec/0x438 net/socket.c:2197\n __do_sys_sendto net/socket.c:2204 [inline]\n __se_sys_sendto net/socket.c:2200 [inline]\n __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 
arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute\n\nsyzbot found that TCA_FLOW_RSHIFT attribute was not validated.\nRight shifting a 32bit integer is undefined for large shift values.\n\nUBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23\nshift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: ipv6_addrconf addrconf_dad_work\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:231 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n  flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329\n  tc_classify include/net/tc_wrapper.h:197 [inline]\n  __tcf_classify net/sched/cls_api.c:1771 [inline]\n  tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867\n  sfb_classify net/sched/sch_sfb.c:260 [inline]\n  sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318\n  dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793\n  __dev_xmit_skb net/core/dev.c:3889 [inline]\n  __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400\n  dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n  neigh_hh_output include/net/neighbour.h:523 [inline]\n  neigh_output include/net/neighbour.h:537 [inline]\n  ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\n  iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82\n  udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173\n  geneve_xmit_skb drivers/net/geneve.c:916 [inline]\n  geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039\n  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n  xmit_one net/core/dev.c:3590 [inline]\n  dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606\n  __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: support encoding fid from inode with no alias\n\nDmitry Safonov reported that a WARN_ON() assertion can be triggered by\nuserspace when calling inotify_show_fdinfo() for an overlayfs watched\ninode, whose dentry aliases were discarded with drop_caches.\n\nThe WARN_ON() assertion in inotify_show_fdinfo() was removed, because\nit is possible for encoding file handle to fail for other reasons, but\nthe impact of failing to encode an overlayfs file handle goes beyond\nthis assertion.\n\nAs shown in the LTP test case mentioned in the link below, failure to\nencode an overlayfs file handle from a non-aliased inode also leads to\nfailure to report an fid with FAN_DELETE_SELF fanotify events.\n\nAs Dmitry notes in his analysis of the problem, ovl_encode_fh() fails\nif it cannot find an alias for the inode, but this failure can be fixed.\novl_encode_fh() seldom uses the alias and in the case of non-decodable\nfile handles, as is often the case with fanotify fid info,\novl_encode_fh() never needs to use the alias to encode a file handle.\n\nDefer finding an alias until it is actually needed so ovl_encode_fh()\nwill not fail in the common case of FAN_DELETE_SELF fanotify events.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/eventfd: ensure io_eventfd_signal() defers another RCU period\n\nio_eventfd_do_signal() is invoked from an RCU callback, but when\ndropping the reference to the io_ev_fd, it calls io_eventfd_free()\ndirectly if the refcount drops to zero. This isn't correct, as any\npotential freeing of the io_ev_fd should be deferred another RCU grace\nperiod.\n\nJust call io_eventfd_put() rather than open-code the dec-and-test and\nfree, which will correctly defer it another RCU grace period.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur\n\nscsi_execute_cmd() function can return both negative (linux codes) and\npositive (scsi_cmnd result field) error codes.\n\nCurrently the driver just passes error codes of scsi_execute_cmd() to\nhwmon core, which is incorrect because hwmon only checks for negative\nerror codes. This leads to hwmon reporting uninitialized data to\nuserspace in case of SCSI errors (for example if the disk drive was\ndisconnected).\n\nThis patch checks scsi_execute_cmd() output and returns -EIO if its\nerror code is positive.\n\n[groeck: Avoid inline variable declaration for portability]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21656",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Replace rq_lock() to raw_spin_rq_lock() in scx_ops_bypass()\n\nscx_ops_bypass() iterates all CPUs to re-enqueue all the scx tasks.\nFor each CPU, it acquires a lock using rq_lock() regardless of whether\na CPU is offline or the CPU is currently running a task in a higher\nscheduler class (e.g., deadline). The rq_lock() is supposed to be used\nfor online CPUs, and the use of rq_lock() may trigger an unnecessary\nwarning in rq_pin_lock(). Therefore, replace rq_lock() to\nraw_spin_rq_lock() in scx_ops_bypass().\n\nWithout this change, we observe the following warning:\n\n===== START =====\n[    6.615205] rq->balance_callback && rq->balance_callback != &balance_push_callback\n[    6.615208] WARNING: CPU: 2 PID: 0 at kernel/sched/sched.h:1730 __schedule+0x1130/0x1c90\n=====  END  =====",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid NULL pointer dereference if no valid extent tree\n\n[BUG]\nSyzbot reported a crash with the following call trace:\n\n  BTRFS info (device loop0): scrub: started on devid 1\n  BUG: kernel NULL pointer dereference, address: 0000000000000208\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G           O       6.13.0-rc4-custom+ #206\n  Tainted: [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]\n  Call Trace:\n   <TASK>\n   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]\n   scrub_simple_mirror+0x175/0x260 [btrfs]\n   scrub_stripe+0x5d4/0x6c0 [btrfs]\n   scrub_chunk+0xbb/0x170 [btrfs]\n   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]\n   btrfs_scrub_dev+0x240/0x600 [btrfs]\n   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]\n   ? do_sys_openat2+0xa5/0xf0\n   __x64_sys_ioctl+0x97/0xc0\n   do_syscall_64+0x4f/0x120\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\n[CAUSE]\nThe reproducer is using a corrupted image where extent tree root is\ncorrupted, thus forcing to use \"rescue=all,ro\" mount option to mount the\nimage.\n\nThen it triggered a scrub, but since scrub relies on extent tree to find\nwhere the data/metadata extents are, scrub_find_fill_first_stripe()\nrelies on a non-empty extent root.\n\nBut unfortunately scrub_find_fill_first_stripe() doesn't really expect\na NULL pointer for extent root, it uses extent_root to grab fs_info and\ntriggered a NULL pointer dereference.\n\n[FIX]\nAdd an extra check for a valid extent root at the beginning of\nscrub_find_fill_first_stripe().\n\nThe new error path is introduced by 42437a6386ff (\"btrfs: introduce\nmount option rescue=ignorebadroots\"), but that's pretty old, and later\ncommit b979547513ff (\"btrfs: scrub: introduce helper to find and fill\nsector info for a scrub_stripe\") changed how we do scrub.\n\nSo for kernels older than 6.6, the fix will need manual backport.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdev: prevent accessing NAPI instances from another namespace\n\nThe NAPI IDs were not fully exposed to user space prior to the netlink\nAPI, so they were never namespaced. The netlink API must ensure that\nat the very least NAPI instance belongs to the same netns as the owner\nof the genl sock.\n\nnapi_by_id() can become static now, but it needs to move because of\ndev_get_by_napi_id().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked\n\nWhen `ksmbd_vfs_kern_path_locked` met an error and it is not the last\nentry, it will exit without restoring changed path buffer. But later this\nbuffer may be used as the filename for creation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix missing lookup table cleanups\n\nWhen a virtuser device is created via configfs and the probe fails due\nto an incorrect lookup table, the table is not removed. This prevents\nsubsequent probe attempts from succeeding, even if the issue is\ncorrected, unless the device is released. Additionally, cleanup is also\nneeded in the less likely case of platform_device_register_full()\nfailure.\n\nBesides, a consistent memory leak in lookup_table->dev_id was spotted\nusing kmemleak by toggling the live state between 0 and 1 with a correct\nlookup table.\n\nIntroduce gpio_virtuser_remove_lookup_table() as the counterpart to the\nexisting gpio_virtuser_make_lookup_table() and call it from all\nnecessary points to ensure proper cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix variable not being completed when function returns\n\nWhen cmd_alloc_index(), fails cmd_work_handler() needs\nto complete ent->slotted before returning early.\nOtherwise the task which issued the command may hang:\n\n   mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry\n   INFO: task kworker/13:2:4055883 blocked for more than 120 seconds.\n         Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1\n   \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n   kworker/13:2    D    0 4055883      2 0x00000228\n   Workqueue: events mlx5e_tx_dim_work [mlx5_core]\n   Call trace:\n      __switch_to+0xe8/0x150\n      __schedule+0x2a8/0x9b8\n      schedule+0x2c/0x88\n      schedule_timeout+0x204/0x478\n      wait_for_common+0x154/0x250\n      wait_for_completion+0x28/0x38\n      cmd_exec+0x7a0/0xa00 [mlx5_core]\n      mlx5_cmd_exec+0x54/0x80 [mlx5_core]\n      mlx5_core_modify_cq+0x6c/0x80 [mlx5_core]\n      mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core]\n      mlx5e_tx_dim_work+0x54/0x68 [mlx5_core]\n      process_one_work+0x1b0/0x448\n      worker_thread+0x54/0x468\n      kthread+0x134/0x138\n      ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwmac-tegra: Read iommu stream id from device tree\n\nNvidia's Tegra MGBE controllers require the IOMMU \"Stream ID\" (SID) to be\nwritten to the MGBE_WRAP_AXI_ASID0_CTRL register.\n\nThe current driver is hard coded to use MGBE0's SID for all controllers.\nThis causes softirq time outs and kernel panics when using controllers\nother than MGBE0.\n\nExample dmesg errors when an ethernet cable is connected to MGBE1:\n\n[  116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[  121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms\n[  121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter.\n[  121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0\n[  121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171)\n[  121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features\n[  121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported\n[  121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock\n[  121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode\n[  125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx\n[  181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n[  181.921404] rcu: \t7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337\n[  181.921684] rcu: \t(detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8)\n[  181.921878] Sending NMI from CPU 4 to CPUs 7:\n[  181.921886] NMI backtrace for cpu 7\n[  181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6\n[  181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024\n[  181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  181.922847] pc : handle_softirqs+0x98/0x368\n[  181.922978] lr : __do_softirq+0x18/0x20\n[  181.923095] sp : ffff80008003bf50\n[  181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000\n[  181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0\n[  181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70\n[  181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000\n[  181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000\n[  181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d\n[  181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160\n[  181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74\n[  181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1\n[  181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000\n[  181.967591] Call trace:\n[  181.970043]  handle_softirqs+0x98/0x368 (P)\n[  181.974240]  __do_softirq+0x18/0x20\n[  181.977743]  ____do_softirq+0x14/0x28\n[  181.981415]  call_on_irq_stack+0x24/0x30\n[  181.985180]  do_softirq_own_stack+0x20/0x30\n[  181.989379]  __irq_exit_rcu+0x114/0x140\n[  181.993142]  irq_exit_rcu+0x14/0x28\n[  181.996816]  el1_interrupt+0x44/0xb8\n[  182.000316]  el1h_64_irq_handler+0x14/0x20\n[  182.004343]  el1h_64_irq+0x80/0x88\n[  182.007755]  cpuidle_enter_state+0xc4/0x4a8 (P)\n[  182.012305]  cpuidle_enter+0x3c/0x58\n[  182.015980]  cpuidle_idle_call+0x128/0x1c0\n[  182.020005]  do_idle+0xe0/0xf0\n[  182.023155]  cpu_startup_entry+0x3c/0x48\n[  182.026917]  secondary_start_kernel+0xdc/0x120\n[  182.031379]  __secondary_switched+0x74/0x78\n[  212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/.\n[  212.985935] rcu: blocking rcu_node structures (internal RCU debug):\n[  212.992758] Sending NMI from CPU 0 to CPUs 7:\n[  212.998539] NMI backtrace for cpu 7\n[  213.004304] CPU: 7 UID: 0 PI\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: make get_first_thin use rcu-safe list first function\n\nThe documentation in rculist.h explains the absence of list_empty_rcu()\nand cautions programmers against relying on a list_empty() ->\nlist_first() sequence in RCU safe code.  This is because each of these\nfunctions performs its own READ_ONCE() of the list head.  This can lead\nto a situation where the list_empty() sees a valid list entry, but the\nsubsequent list_first() sees a different view of list head state after a\nmodification.\n\nIn the case of dm-thin, this author had a production box crash from a GP\nfault in the process_deferred_bios path.  This function saw a valid list\nhead in get_first_thin() but when it subsequently dereferenced that and\nturned it into a thin_c, it got the inside of the struct pool, since the\nlist was now empty and referring to itself.  The kernel on which this\noccurred printed both a warning about a refcount_t being saturated, and\na UBSAN error for an out-of-bounds cpuid access in the queued spinlock,\nprior to the fault itself.  When the resulting kdump was examined, it\nwas possible to see another thread patiently waiting in thin_dtr's\nsynchronize_rcu.\n\nThe thin_dtr call managed to pull the thin_c out of the active thins\nlist (and have it be the last entry in the active_thins list) at just\nthe wrong moment which led to this crash.\n\nFortunately, the fix here is straightforward.  Switch get_first_thin()\nfunction to use list_first_or_null_rcu() which performs just a single\nREAD_ONCE() and returns NULL if the list is already empty.\n\nThis was run against the devicemapper test suite's thin-provisioning\nsuites for delete and suspend and no regressions were observed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: avoid truncating 64-bit offset to 32 bits\n\nOn 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a\n64-bit value to 32 bits, leading to a possible infinite loop when writing\nto an xfs filesystem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: prevent null-ptr-deref in vsock_*[has_data|has_space]\n\nRecent reports have shown how we sometimes call vsock_*_has_data()\nwhen a vsock socket has been de-assigned from a transport (see attached\nlinks), but we shouldn't.\n\nPrevious commits should have solved the real problems, but we may have\nmore in the future, so to avoid null-ptr-deref, we can return 0\n(no space, no data available) but with a warning.\n\nThis way the code should continue to run in a nearly consistent state\nand have a warning that allows us to debug future problems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: avoid truncating 64-bit offset to 32 bits\n\nOn 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a\n32-bit position due to folio_next_index() returning an unsigned long.\nThis could lead to an infinite loop when writing to an xfs filesystem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: add missing loop break condition\n\nCurrently imx8mp_blk_ctrl_remove() will continue the for loop\nuntil an out-of-bounds exception occurs.\n\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : dev_pm_domain_detach+0x8/0x48\nlr : imx8mp_blk_ctrl_shutdown+0x58/0x90\nsp : ffffffc084f8bbf0\nx29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000\nx26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028\nx23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0\nx20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff\nx17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72\nx14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000\nx11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8\nx8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077\nx2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000\nCall trace:\n dev_pm_domain_detach+0x8/0x48\n platform_shutdown+0x2c/0x48\n device_shutdown+0x158/0x268\n kernel_restart_prepare+0x40/0x58\n kernel_kexec+0x58/0xe8\n __do_sys_reboot+0x198/0x258\n __arm64_sys_reboot+0x2c/0x40\n invoke_syscall+0x5c/0x138\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x38/0xc8\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x190/0x198\nCode: 8128c2d0 ffffffc0 aa1e03e9 d503201f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: discard packets if the transport changes\n\nIf the socket has been de-assigned or assigned to another transport,\nwe must discard any packets received because they are not expected\nand would cause issues when we access vsk->transport.\n\nA possible scenario is described by Hyunwoo Kim in the attached link,\nwhere after a first connect() interrupted by a signal, and a second\nconnect() failed, we can find `vsk->transport` at NULL, leading to a\nNULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/bpf: return early if transport is not assigned\n\nSome of the core functions can only be called if the transport\nhas been assigned.\n\nAs Michal reported, a socket might have the transport at NULL,\nfor example after a failed connect(), causing the following trace:\n\n    BUG: kernel NULL pointer dereference, address: 00000000000000a0\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0\n    Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n    CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+\n    RIP: 0010:vsock_connectible_has_data+0x1f/0x40\n    Call Trace:\n     vsock_bpf_recvmsg+0xca/0x5e0\n     sock_recvmsg+0xb9/0xc0\n     __sys_recvfrom+0xb3/0x130\n     __x64_sys_recvfrom+0x20/0x30\n     do_syscall_64+0x93/0x180\n     entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSo we need to check the `vsk->transport` in vsock_bpf_recvmsg(),\nespecially for connected sockets (stream/seqpacket) as we already\ndo in __vsock_connectible_recvmsg().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix potential UAF of zram table\n\nIf zram_meta_alloc failed early, it frees allocated zram->table without\nsetting it NULL.  Which will potentially cause zram_meta_free to access\nthe table if user reset a failed and uninitialized device.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.11"
        },
        {
          "id": "CVE-2025-21672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix merge preference rule failure condition\n\nsyzbot reported a lock held when returning to userspace[1].  This is\nbecause if argc is less than 0 and the function returns directly, the held\ninode lock is not released.\n\nFix this by storing the error in ret and jumping to done to clean up instead of\nreturning directly.\n\n[dh: Modified Lizhi Xu's original patch to make it honour the error code\nfrom afs_split_string()]\n\n[1]\nWARNING: lock held when returning to user space!\n6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted\n------------------------------------------------\nsyz-executor133/5823 is leaving the kernel with locks still held!\n1 lock held by syz-executor133/5823:\n #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]\n #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double free of TCP_Server_Info::hostname\n\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\nmight be reconnecting to multiple DFS targets before it realizes it\nshould exit the loop, so @server->hostname can't be freed as long as\ncifsd thread isn't done.  Otherwise the following can happen:\n\n  RIP: 0010:__slab_free+0x223/0x3c0\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f>\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\n  000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   ? __die_body.cold+0x8/0xd\n   ? die+0x2b/0x50\n   ? do_trap+0xce/0x120\n   ? __slab_free+0x223/0x3c0\n   ? do_error_trap+0x65/0x80\n   ? __slab_free+0x223/0x3c0\n   ? exc_invalid_op+0x4e/0x70\n   ? __slab_free+0x223/0x3c0\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __slab_free+0x223/0x3c0\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? __kmalloc+0x4b/0x140\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   reconnect_dfs_server+0x145/0x430 [cifs]\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n   kthread+0xdd/0x100\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x29/0x50\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel\n\nAttempt to enable IPsec packet offload in tunnel mode in debug kernel\ngenerates the following kernel panic, which is happening due to two\nissues:\n1. In SA add section, the should be _bh() variant when marking SA mode.\n2. There is not needed flush_workqueue in SA delete routine. It is not\nneeded as at this stage as it is removed from SADB and the running work\nwill be canceled later in SA free.\n\n =====================================================\n WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected\n 6.12.0+ #4 Not tainted\n -----------------------------------------------------\n charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:\n ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]\n\n and this task is already holding:\n ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n which would create a new lock dependency:\n  (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}\n\n but this new dependency connects a SOFTIRQ-irq-safe lock:\n  (&x->lock){+.-.}-{3:3}\n\n ... which became SOFTIRQ-irq-safe at:\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock_bh+0x34/0x40\n   xfrm_timer_handler+0x91/0xd70\n   __hrtimer_run_queues+0x1dd/0xa60\n   hrtimer_run_softirq+0x146/0x2e0\n   handle_softirqs+0x266/0x860\n   irq_exit_rcu+0x115/0x1a0\n   sysvec_apic_timer_interrupt+0x6e/0x90\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n   default_idle+0x13/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2da/0x320\n   cpu_startup_entry+0x50/0x60\n   start_secondary+0x213/0x2a0\n   common_startup_64+0x129/0x138\n\n to a SOFTIRQ-irq-unsafe lock:\n  (&xa->xa_lock#24){+.+.}-{3:3}\n\n ... which became SOFTIRQ-irq-unsafe at:\n ...\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock+0x2c/0x40\n   xa_set_mark+0x70/0x110\n   mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]\n   xfrm_dev_state_add+0x3bb/0xd70\n   xfrm_add_sa+0x2451/0x4a90\n   xfrm_user_rcv_msg+0x493/0x880\n   netlink_rcv_skb+0x12e/0x380\n   xfrm_netlink_rcv+0x6d/0x90\n   netlink_unicast+0x42f/0x740\n   netlink_sendmsg+0x745/0xbe0\n   __sock_sendmsg+0xc5/0x190\n   __sys_sendto+0x1fe/0x2c0\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n other info that might help us debug this:\n\n  Possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(&xa->xa_lock#24);\n                                local_irq_disable();\n                                lock(&x->lock);\n                                lock(&xa->xa_lock#24);\n   <Interrupt>\n     lock(&x->lock);\n\n  *** DEADLOCK ***\n\n 2 locks held by charon/1337:\n  #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90\n  #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n\n the dependencies between SOFTIRQ-irq-safe lock and the holding lock:\n -> (&x->lock){+.-.}-{3:3} ops: 29 {\n    HARDIRQ-ON-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_alloc_spi+0xc0/0xe60\n                     xfrm_alloc_userspi+0x5f6/0xbc0\n                     xfrm_user_rcv_msg+0x493/0x880\n                     netlink_rcv_skb+0x12e/0x380\n                     xfrm_netlink_rcv+0x6d/0x90\n                     netlink_unicast+0x42f/0x740\n                     netlink_sendmsg+0x745/0xbe0\n                     __sock_sendmsg+0xc5/0x190\n                     __sys_sendto+0x1fe/0x2c0\n                     __x64_sys_sendto+0xdc/0x1b0\n                     do_syscall_64+0x6d/0x140\n                     entry_SYSCALL_64_after_hwframe+0x4b/0x53\n    IN-SOFTIRQ-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_timer_handler+0x91/0xd70\n                     __hrtimer_run_queues+0x1dd/0xa60\n   \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clear port select structure when fail to create\n\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That's because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\n\n  mlx5_lag_port_sel_create()\n    mlx5_lag_create_definers()\n      mlx5_lag_create_definer()     <- Failed on tt 1\n        mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed\n  mlx5_lag_port_sel_create()\n    mlx5_lag_create_definers()\n      mlx5_lag_create_definer()     <- Failed on tt 0\n        mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n Mem abort info:\n   ESR = 0x0000000096000005\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x05: level 1 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter 
bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\n  CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G           OE      6.11.0+ #2\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n  Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n  lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n  sp : ffff800085fafb00\n  x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\n  x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\n  x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\n  x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\n  x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\n  x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\n  x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\n  x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\n  Call trace:\n   mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n   mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n   mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\n   mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\n   mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\n   mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\n   process_one_work+0x170/0x3e0\n   worker_thread+0x2d8/0x3e0\n   kthread+0x11c/0x128\n   ret_from_fork+0x10/0x20\n  Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: handle page_pool_dev_alloc_pages error\n\nThe fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did\nnot handle the case when it returned NULL. There was a WARN_ON(!new_page)\nbut it would still proceed to use the NULL pointer and then crash.\n\nThis case does seem somewhat rare but when the system is under memory\npressure it can happen. One case where I can duplicate this with some\nfrequency is when writing over a smbd share to a SATA HDD attached to an\nimx6q.\n\nSetting /proc/sys/vm/min_free_kbytes to higher values also seems to solve\nthe problem for my test case. But it still seems wrong that the fec driver\nignores the memory allocation error and can crash.\n\nThis commit handles the allocation error by dropping the current packet.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npfcp: Destroy device along with udp socket's netns dismantle.\n\npfcp_newlink() links the device to a list in dev_net(dev) instead\nof net, where a udp tunnel socket is created.\n\nEven when net is removed, the device stays alive on dev_net(dev).\nThen, removing net triggers the splat below. [0]\n\nIn this example, pfcp0 is created in ns2, but the udp socket is\ncreated in ns1.\n\n  ip netns add ns1\n  ip netns add ns2\n  ip -n ns1 link add netns ns2 name pfcp0 type pfcp\n  ip netns del ns1\n\nLet's link the device to the socket's netns instead.\n\nNow, pfcp_net_exit() needs another netdev iteration to remove\nall pfcp devices in the netns.\n\npfcp_dev_list is not used under RCU, so the list API is converted\nto the non-RCU variant.\n\npfcp_net_exit() can be converted to .exit_batch_rtnl() in net-next.\n\n[0]:\nref_tracker: net notrefcnt@00000000128b34dc has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)\n     inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)\n     __sock_create (net/socket.c:1558)\n     udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)\n     pfcp_create_sock (drivers/net/pfcp.c:168)\n     pfcp_newlink (drivers/net/pfcp.c:182 drivers/net/pfcp.c:197)\n     rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)\n     rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)\n     netlink_rcv_skb (net/netlink/af_netlink.c:2542)\n     netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)\n     netlink_sendmsg (net/netlink/af_netlink.c:1891)\n     ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)\n     ___sys_sendmsg (net/socket.c:2639)\n     __sys_sendmsg (net/socket.c:2669)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nWARNING: CPU: 1 PID: 11 at 
lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\nModules linked in:\nCPU: 1 UID: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)\nCode: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89\nRSP: 0018:ff11000007f3fb60 EFLAGS: 00010286\nRAX: 00000000000020ef RBX: ff1100000d6481e0 RCX: 1ffffffff0e40d82\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c\nRBP: ff1100000d648230 R08: 0000000000000001 R09: fffffbfff0e395af\nR10: 0000000000000001 R11: 0000000000000000 R12: ff1100000d648230\nR13: dead000000000100 R14: ff1100000d648230 R15: dffffc0000000000\nFS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005620e1363990 CR3: 000000000eeb2002 CR4: 0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn (kernel/panic.c:748)\n ? ref_tracker_dir_exit (lib/ref_tracker.c:179)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:285)\n ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)\n ? ref_tracker_dir_exit (lib/ref_tracker.c:179)\n ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)\n ? 
kfree (mm/slub.c:4613 mm/slub.c:4761)\n net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)\n cleanup_net (net/cor\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Destroy device along with udp socket's netns dismantle.\n\ngtp_newlink() links the device to a list in dev_net(dev) instead of\nsrc_net, where a udp tunnel socket is created.\n\nEven when src_net is removed, the device stays alive on dev_net(dev).\nThen, removing src_net triggers the splat below. [0]\n\nIn this example, gtp0 is created in ns2, and the udp socket is created\nin ns1.\n\n  ip netns add ns1\n  ip netns add ns2\n  ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn\n  ip netns del ns1\n\nLet's link the device to the socket's netns instead.\n\nNow, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove\nall gtp devices in the netns.\n\n[0]:\nref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at\n     sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)\n     inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)\n     __sock_create (net/socket.c:1558)\n     udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)\n     gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)\n     gtp_create_sockets (drivers/net/gtp.c:1447)\n     gtp_newlink (drivers/net/gtp.c:1507)\n     rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)\n     rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)\n     netlink_rcv_skb (net/netlink/af_netlink.c:2542)\n     netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)\n     netlink_sendmsg (net/netlink/af_netlink.c:1891)\n     ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)\n     ___sys_sendmsg (net/socket.c:2639)\n     __sys_sendmsg (net/socket.c:2669)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n\nWARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\nModules linked in:\nCPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 
6.13.0-rc5-00147-g4c1224501e9d #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)\nCode: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89\nRSP: 0018:ff11000009a07b60 EFLAGS: 00010286\nRAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c\nRBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae\nR10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0\nR13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000\nFS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn (kernel/panic.c:748)\n ? ref_tracker_dir_exit (lib/ref_tracker.c:179)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:285)\n ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)\n ? ref_tracker_dir_exit (lib/ref_tracker.c:179)\n ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)\n ? 
kfree (mm/slub.c:4613 mm/slub.c:4761)\n net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)\n cleanup_net (net/core/net_namespace.c:664 (discriminator 3))\n process_one_work (kernel/workqueue.c:3229)\n worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add the missing error handling inside get_canonical_dev_path\n\nInside function get_canonical_dev_path(), we call d_path() to get the\nfinal device path.\n\nBut d_path() can return error, and in that case the next strscpy() call\nwill trigger an invalid memory access.\n\nAdd back the missing error handling for d_path().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.11"
        },
        {
          "id": "CVE-2025-21680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npktgen: Avoid out-of-bounds access in get_imix_entries\n\nPassing a sufficient amount of imix entries leads to invalid access to the\npkt_dev->imix_entries array because of the incorrect boundary check.\n\nUBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24\nindex 20 is out of range for type 'imix_pkt [20]'\nCPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n<TASK>\ndump_stack_lvl lib/dump_stack.c:117\n__ubsan_handle_out_of_bounds lib/ubsan.c:429\nget_imix_entries net/core/pktgen.c:874\npktgen_if_write net/core/pktgen.c:1063\npde_write fs/proc/inode.c:334\nproc_reg_write fs/proc/inode.c:346\nvfs_write fs/read_write.c:593\nksys_write fs/read_write.c:644\ndo_syscall_64 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[ fp: allow to fill the array completely; minor changelog cleanup ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix lockup on tx to unregistering netdev with carrier\n\nCommit in a fixes tag attempted to fix the issue in the following\nsequence of calls:\n\n    do_output\n    -> ovs_vport_send\n       -> dev_queue_xmit\n          -> __dev_queue_xmit\n             -> netdev_core_pick_tx\n                -> skb_tx_hash\n\nWhen device is unregistering, the 'dev->real_num_tx_queues' goes to\nzero and the 'while (unlikely(hash >= qcount))' loop inside the\n'skb_tx_hash' becomes infinite, locking up the core forever.\n\nBut unfortunately, checking just the carrier status is not enough to\nfix the issue, because some devices may still be in unregistering\nstate while reporting carrier status OK.\n\nOne example of such device is a net/dummy.  It sets carrier ON\non start, but it doesn't implement .ndo_stop to set the carrier off.\nAnd it makes sense, because dummy doesn't really have a carrier.\nTherefore, while this device is unregistering, it's still easy to hit\nthe infinite loop in the skb_tx_hash() from the OVS datapath.  There\nmight be other drivers that do the same, but dummy by itself is\nimportant for the OVS ecosystem, because it is frequently used as a\npacket sink for tcpdump while debugging OVS deployments.  And when the\nissue is hit, the only way to recover is to reboot.\n\nFix that by also checking if the device is running.  The running\nstate is handled by the net core during unregistering, so it covers\nunregistering case better, and we don't really need to send packets\nto devices that are not running anyway.\n\nWhile only checking the running state might be enough, the carrier\ncheck is preserved.  The running and the carrier states seem disjoined\nthroughout the code and different drivers.  And other core functions\nlike __dev_direct_xmit() check both before attempting to transmit\na packet.  So, it seems safer to check both flags in OVS as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: always recalculate features after XDP clearing, fix null-deref\n\nRecalculate features when XDP is detached.\n\nBefore:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: off [requested on]\n\nAfter:\n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n  # ip li set dev eth0 xdp off\n  # ethtool -k eth0 | grep gro\n  rx-gro-hw: on\n\nThe fact that HW-GRO doesn't get re-enabled automatically is just\na minor annoyance. The real issue is that the features will randomly\ncome back during another reconfiguration which just happens to invoke\nnetdev_update_features(). The driver doesn't handle reconfiguring\ntwo things at a time very robustly.\n\nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table\nif the \"effective\" number of Rx rings has changed. 
If HW-GRO is\nenabled \"effective\" number of rings is 2x what user sees.\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"\nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings\ndoing 2x and the ethtool -L doing / 2 may cancel each other out,\nand the:\n\n  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&\n\ncondition in __bnxt_reserve_rings() will be false.\nThe RSS map won't get updated, and we'll crash with:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000168\n  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0\n    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180\n    __bnxt_setup_vnic_p5+0x58/0x110\n    bnxt_init_nic+0xb72/0xf50\n    __bnxt_open_nic+0x40d/0xab0\n    bnxt_open_nic+0x2b/0x60\n    ethtool_set_channels+0x18c/0x1d0\n\nAs we try to access a freed ring.\n\nThe issue is present since XDP support was added, really, but\nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") it wasn't causing major issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_sk_select_reuseport() memory leak\n\nAs pointed out in the original comment, lookup in sockmap can return a TCP\nESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF\nset before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb\ndoes not imply a non-refcounted socket.\n\nDrop sk's reference in both error paths.\n\nunreferenced object 0xffff888101911800 (size 2048):\n  comm \"test_progs\", pid 44109, jiffies 4297131437\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 9336483b):\n    __kmalloc_noprof+0x3bf/0x560\n    __reuseport_alloc+0x1d/0x40\n    reuseport_alloc+0xca/0x150\n    reuseport_attach_prog+0x87/0x140\n    sk_reuseport_attach_bpf+0xc8/0x100\n    sk_setsockopt+0x1181/0x1990\n    do_sock_setsockopt+0x12b/0x160\n    __sys_setsockopt+0x7b/0xc0\n    __x64_sys_setsockopt+0x1b/0x30\n    do_syscall_64+0x93/0x180\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: xilinx: Convert gpio_lock to raw spinlock\n\nirq_chip functions may be called in raw spinlock context. Therefore, we\nmust also use a raw spinlock for our own internal locking.\n\nThis fixes the following lockdep splat:\n\n[    5.349336] =============================\n[    5.353349] [ BUG: Invalid wait context ]\n[    5.357361] 6.13.0-rc5+ #69 Tainted: G        W\n[    5.363031] -----------------------------\n[    5.367045] kworker/u17:1/44 is trying to lock:\n[    5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))\n[    5.380079] other info that might help us debug this:\n[    5.385138] context-{5:5}\n[    5.387762] 5 locks held by kworker/u17:1/44:\n[    5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)\n[    5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205)\n[    5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)\n[    5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596)\n[    5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)\n[    5.436472] stack backtrace:\n[    5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G        W          6.13.0-rc5+ #69\n[    5.448690] Tainted: [W]=WARN\n[    5.451656] Hardware name: xlnx,zynqmp (DT)\n[    5.455845] Workqueue: events_unbound deferred_probe_work_func\n[    5.461699] Call trace:\n[    5.464147] show_stack+0x18/0x24 C\n[    5.467821] dump_stack_lvl (lib/dump_stack.c:123)\n[    5.471501] dump_stack (lib/dump_stack.c:130)\n[    5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 
kernel/locking/lockdep.c:5176)\n[    5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)\n[    5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)\n[    5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))\n[    5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)\n[    5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250)\n[    5.497645] irq_startup (kernel/irq/chip.c:270)\n[    5.501143] __setup_irq (kernel/irq/manage.c:1807)\n[    5.504728] request_threaded_irq (kernel/irq/manage.c:2208)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race\n\nThe yt2_1380_fc_serdev_probe() function calls devm_serdev_device_open()\nbefore setting the client ops via serdev_device_set_client_ops(). This\nordering can trigger a NULL pointer dereference in the serdev controller's\nreceive_buf handler, as it assumes serdev->ops is valid when\nSERPORT_ACTIVE is set.\n\nThis is similar to the issue fixed in commit 5e700b384ec1\n(\"platform/chrome: cros_ec_uart: properly fix race condition\") where\ndevm_serdev_device_open() was called before fully initializing the\ndevice.\n\nFix the race by ensuring client ops are set before enabling the port via\ndevm_serdev_device_open().\n\nNote, serdev_device_set_baudrate() and serdev_device_set_flow_control()\ncalls should be after the devm_serdev_device_open() call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: check the bounds of read/write syscalls\n\ncount and offset are passed from user space and not checked, only\noffset is capped to 40 bits, which can be used to read/write out of\nbounds of the device.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Assign job pointer to NULL before signaling the fence\n\nIn commit e4b5ccd392b9 (\"drm/v3d: Ensure job pointer is set to NULL\nafter job completion\"), we introduced a change to assign the job pointer\nto NULL after completing a job, indicating job completion.\n\nHowever, this approach created a race condition between the DRM\nscheduler workqueue and the IRQ execution thread. As soon as the fence is\nsignaled in the IRQ execution thread, a new job starts to be executed.\nThis results in a race condition where the IRQ execution thread sets the\njob pointer to NULL simultaneously as the `run_job()` function assigns\na new job to the pointer.\n\nThis race condition can lead to a NULL pointer dereference if the IRQ\nexecution thread sets the job pointer to NULL after `run_job()` assigns\nit to the new job. When the new job completes and the GPU emits an\ninterrupt, `v3d_irq()` is triggered, potentially causing a crash.\n\n[  466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n[  466.318928] Mem abort info:\n[  466.321723]   ESR = 0x0000000096000005\n[  466.325479]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  466.330807]   SET = 0, FnV = 0\n[  466.333864]   EA = 0, S1PTW = 0\n[  466.337010]   FSC = 0x05: level 1 translation fault\n[  466.341900] Data abort info:\n[  466.344783]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  466.350285]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  466.355350]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000\n[  466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[  466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc 
vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6\n[  466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G         C         6.13.0-v8+ #18\n[  466.467336] Tainted: [C]=CRAP\n[  466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)\n[  466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  466.483143] pc : v3d_irq+0x118/0x2e0 [v3d]\n[  466.487258] lr : __handle_irq_event_percpu+0x60/0x228\n[  466.492327] sp : ffffffc080003ea0\n[  466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000\n[  466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200\n[  466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000\n[  466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000\n[  466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000\n[  466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0\n[  466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n[  466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70\n[  466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000\n[  466.567263] Call trace:\n[  466.569711]  v3d_irq+0x118/0x2e0 [v3d] (P)\n[  466.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()\n\nThis patch addresses a null-ptr-deref in qt2_process_read_urb() due to\nan incorrect bounds check in the following:\n\n       if (newport > serial->num_ports) {\n               dev_err(&port->dev,\n                       \"%s - port change to invalid port: %i\\n\",\n                       __func__, newport);\n               break;\n       }\n\nThe condition doesn't account for the valid range of the serial->port\nbuffer, which is from 0 to serial->num_ports - 1. When newport is equal\nto serial->num_ports, the assignment of \"port\" in the\nfollowing code is out-of-bounds and NULL:\n\n       serial_priv->current_port = newport;\n       port = serial->port[serial_priv->current_port];\n\nThe fix checks if newport is greater than or equal to serial->num_ports\nindicating it is out-of-bounds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Ratelimit warning logs to prevent VM denial of service\n\nIf there's a persistent error in the hypervisor, the SCSI warning for\nfailed I/O can flood the kernel log and max out CPU utilization,\npreventing troubleshooting from the VM side. Ratelimit the warning so\nit doesn't DoS the VM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachestat: fix page cache statistics permission checking\n\nWhen the 'cachestat()' system call was added in commit cf264e1329fb\n(\"cachestat: implement cachestat syscall\"), it was meant to be a much\nmore convenient (and performant) version of mincore() that didn't need\nmapping things into the user virtual address space in order to work.\n\nBut it ended up missing the \"check for writability or ownership\" fix for\nmincore(), done in commit 134fca9063ad (\"mm/mincore.c: make mincore()\nmore conservative\").\n\nThis just adds equivalent logic to 'cachestat()', modified for the file\ncontext (rather than vma).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ets qdisc OOB Indexing\n\nHaowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can\nindex an Out-Of-Bound class in ets_class_from_arg() when passed clid of\n0. The overflow may cause local privilege escalation.\n\n [   18.852298] ------------[ cut here ]------------\n [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20\n [   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'\n [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17\n [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [   18.856532] Call Trace:\n [   18.857441]  <TASK>\n [   18.858227]  dump_stack_lvl+0xc2/0xf0\n [   18.859607]  dump_stack+0x10/0x20\n [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0\n [   18.864022]  ets_class_change+0x3d6/0x3f0\n [   18.864322]  tc_ctl_tclass+0x251/0x910\n [   18.864587]  ? lock_acquire+0x5e/0x140\n [   18.865113]  ? __mutex_lock+0x9c/0xe70\n [   18.866009]  ? __mutex_lock+0xa34/0xe70\n [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0\n [   18.866806]  ? __lock_acquire+0x578/0xc10\n [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n [   18.867503]  netlink_rcv_skb+0x59/0x110\n [   18.867776]  rtnetlink_rcv+0x15/0x30\n [   18.868159]  netlink_unicast+0x1c3/0x2b0\n [   18.868440]  netlink_sendmsg+0x239/0x4b0\n [   18.868721]  ____sys_sendmsg+0x3e2/0x410\n [   18.869012]  ___sys_sendmsg+0x88/0xe0\n [   18.869276]  ? rseq_ip_fixup+0x198/0x260\n [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190\n [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0\n [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220\n [   18.870547]  ? do_syscall_64+0x93/0x150\n [   18.870821]  ? __memcg_slab_free_hook+0x69/0x290\n [   18.871157]  __sys_sendmsg+0x69/0xd0\n [   18.871416]  __x64_sys_sendmsg+0x1d/0x30\n [   18.871699]  x64_sys_call+0x9e2/0x2670\n [   18.871979]  do_syscall_64+0x87/0x150\n [   18.873280]  ? do_syscall_64+0x93/0x150\n [   18.874742]  ? lock_release+0x7b/0x160\n [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0\n [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210\n [   18.879608]  ? irqentry_exit+0x77/0xb0\n [   18.879808]  ? clear_bhb_loop+0x15/0x70\n [   18.880023]  ? clear_bhb_loop+0x15/0x70\n [   18.880223]  ? clear_bhb_loop+0x15/0x70\n [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [   18.880683] RIP: 0033:0x44a957\n [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10\n [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957\n [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003\n [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0\n [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001\n [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001\n [   18.888395]  </TASK>\n [   18.888610] ---[ end trace ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: properly synchronize freeing resources during CPU hotunplug\n\nIn zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the\ncurrent CPU at the beginning of the operation is retrieved and used\nthroughout.  However, since neither preemption nor migration are disabled,\nit is possible that the operation continues on a different CPU.\n\nIf the original CPU is hotunplugged while the acomp_ctx is still in use,\nwe run into a UAF bug as some of the resources attached to the acomp_ctx\nare freed during hotunplug in zswap_cpu_comp_dead() (i.e. \nacomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).\n\nThe problem was introduced in commit 1ec3b5fe6eec (\"mm/zswap: move to use\ncrypto_acomp API for hardware acceleration\") when the switch to the\ncrypto_acomp API was made.  Prior to that, the per-CPU crypto_comp was\nretrieved using get_cpu_ptr() which disables preemption and makes sure the\nCPU cannot go away from under us.  Preemption cannot be disabled with the\ncrypto_acomp API as a sleepable context is needed.\n\nUse the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating\nand freeing resources with compression/decompression paths.  Make sure\nthat acomp_ctx.req is NULL when the resources are freed.  In the\ncompression/decompression paths, check if acomp_ctx.req is NULL after\nacquiring the mutex (meaning the CPU was offlined) and retry on the new\nCPU.\n\nThe initialization of acomp_ctx.mutex is moved from the CPU hotplug\ncallback to the pool initialization where it belongs (where the mutex is\nallocated).  In addition to adding clarity, this makes sure that CPU\nhotplug cannot reinitialize a mutex that is already locked by\ncompression/decompression.\n\nPreviously a fix was attempted by holding cpus_read_lock() [1].  This\nwould have caused a potential deadlock as it is possible for code already\nholding the lock to fall into reclaim and enter zswap (causing a\ndeadlock).  A fix was also attempted using SRCU for synchronization, but\nJohannes pointed out that synchronize_srcu() cannot be used in CPU hotplug\nnotifiers [2].\n\nAlternative fixes that were considered/attempted and could have worked:\n- Refcounting the per-CPU acomp_ctx. This involves complexity in\n  handling the race between the refcount dropping to zero in\n  zswap_[de]compress() and the refcount being re-initialized when the\n  CPU is onlined.\n- Disabling migration before getting the per-CPU acomp_ctx [3], but\n  that's discouraged and is a much bigger hammer than needed, and could\n  result in subtle performance issues.\n\n[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/\n[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/\n[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/\n\n[yosryahmed@google.com: remove comment]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix softlockup in __read_vmcore (part 2)\n\nSince commit 5cbcb62dddf5 (\"fs/proc: fix softlockup in __read_vmcore\") the\nnumber of softlockups in __read_vmcore at kdump time have gone down, but\nthey still happen sometimes.\n\nIn a memory constrained environment like the kdump image, a softlockup is\nnot just a harmless message, but it can interfere with things like RCU\nfreeing memory, causing the crashdump to get stuck.\n\nThe second loop in __read_vmcore has a lot more opportunities for natural\nsleep points, like scheduling out while waiting for a data write to\nhappen, but apparently that is not always enough.\n\nAdd a cond_resched() to the second loop in __read_vmcore to (hopefully)\nget rid of the softlockups.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-uart-backlight: fix serdev race\n\nThe dell_uart_bl_serdev_probe() function calls devm_serdev_device_open()\nbefore setting the client ops via serdev_device_set_client_ops(). This\nordering can trigger a NULL pointer dereference in the serdev controller's\nreceive_buf handler, as it assumes serdev->ops is valid when\nSERPORT_ACTIVE is set.\n\nThis is similar to the issue fixed in commit 5e700b384ec1\n(\"platform/chrome: cros_ec_uart: properly fix race condition\") where\ndevm_serdev_device_open() was called before fully initializing the\ndevice.\n\nFix the race by ensuring client ops are set before enabling the port via\ndevm_serdev_device_open().\n\nNote, serdev_device_set_baudrate() and serdev_device_set_flow_control()\ncalls should be after the devm_serdev_device_open() call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: clear uffd-wp PTE/PMD state on mremap()\n\nWhen mremap()ing a memory region previously registered with userfaultfd as\nwrite-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in\nflag clearing leads to a mismatch between the vma flags (which have\nuffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp\ncleared).  This mismatch causes a subsequent mprotect(PROT_WRITE) to\ntrigger a warning in page_table_check_pte_flags() due to setting the pte\nto writable while uffd-wp is still set.\n\nFix this by always explicitly clearing the uffd-wp pte/pmd flags on any\nsuch mremap() so that the values are consistent with the existing clearing\nof VM_UFFD_WP.  Be careful to clear the logical flag regardless of its\nphysical form; a PTE bit, a swap PTE bit, or a PTE marker.  Cover PTE,\nhuge PMD and hugetlb paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Ensure job pointer is set to NULL after job completion\n\nAfter a job completes, the corresponding pointer in the device must\nbe set to NULL. Failing to do so triggers a warning when unloading\nthe driver, as it appears the job is still active. To prevent this,\nassign the job pointer to NULL after completing the job, indicating\nthe job has finished.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13"
        },
        {
          "id": "CVE-2025-21699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Truncate address space when flipping GFS2_DIF_JDATA flag\n\nTruncate an inode's address space when flipping the GFS2_DIF_JDATA flag:\ndepending on that flag, the pages in the address space will either use\nbuffer heads or iomap_folio_state structs, and we cannot mix the two.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: Disallow replacing of child qdisc from one parent to another\n\nLion Ackermann was able to create a UAF which can be abused for privilege\nescalation with the following script\n\nStep 1. create root qdisc\ntc qdisc add dev lo root handle 1:0 drr\n\nstep2. a class for packet aggregation do demonstrate uaf\ntc class add dev lo classid 1:1 drr\n\nstep3. a class for nesting\ntc class add dev lo classid 1:2 drr\n\nstep4. a class to graft qdisc to\ntc class add dev lo classid 1:3 drr\n\nstep5.\ntc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024\n\nstep6.\ntc qdisc add dev lo parent 1:2 handle 3:0 drr\n\nstep7.\ntc class add dev lo classid 3:1 drr\n\nstep 8.\ntc qdisc add dev lo parent 3:1 handle 4:0 pfifo\n\nstep 9. Display the class/qdisc layout\n\ntc class ls dev lo\n class drr 1:1 root leaf 2: quantum 64Kb\n class drr 1:2 root leaf 3: quantum 64Kb\n class drr 3:1 root leaf 4: quantum 64Kb\n\ntc qdisc ls\n qdisc drr 1: dev lo root refcnt 2\n qdisc plug 2: dev lo parent 1:1\n qdisc pfifo 4: dev lo parent 3:1 limit 1000p\n qdisc drr 3: dev lo parent 1:2\n\nstep10. trigger the bug <=== prevented by this patch\ntc qdisc replace dev lo parent 1:3 handle 4:0\n\nstep 11. Redisplay again the qdiscs/classes\n\ntc class ls dev lo\n class drr 1:1 root leaf 2: quantum 64Kb\n class drr 1:2 root leaf 3: quantum 64Kb\n class drr 1:3 root leaf 4: quantum 64Kb\n class drr 3:1 root leaf 4: quantum 64Kb\n\ntc qdisc ls\n qdisc drr 1: dev lo root refcnt 2\n qdisc plug 2: dev lo parent 1:1\n qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p\n qdisc drr 3: dev lo parent 1:2\n\nObserve that a) parent for 4:0 does not change despite the replace request.\nThere can only be one parent.  b) refcount has gone up by two for 4:0 and\nc) both class 1:3 and 3:1 are pointing to it.\n\nStep 12.  send one packet to plug\necho \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))\nstep13.  send one packet to the grafted fifo\necho \"\" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))\n\nstep14. lets trigger the uaf\ntc class delete dev lo classid 1:3\ntc class delete dev lo classid 1:1\n\nThe semantics of \"replace\" is for a del/add _on the same node_ and not\na delete from one node(3:1) and add to another node (1:3) as in step10.\nWhile we could \"fix\" with a more complex approach there could be\nconsequences to expectations so the patch takes the preventive approach of\n\"disallow such config\".\n\nJoint work with Lion Ackermann <nnamrec@gmail.com>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid race between device unregistration and ethnl ops\n\nThe following trace can be seen if a device is being unregistered while\nits number of channels are being modified.\n\n  DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n  WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120\n  CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771\n  RIP: 0010:__mutex_lock+0xc8a/0x1120\n  Call Trace:\n   <TASK>\n   ethtool_check_max_channel+0x1ea/0x880\n   ethnl_set_channels+0x3c3/0xb10\n   ethnl_default_set_doit+0x306/0x650\n   genl_family_rcv_msg_doit+0x1e3/0x2c0\n   genl_rcv_msg+0x432/0x6f0\n   netlink_rcv_skb+0x13d/0x3b0\n   genl_rcv+0x28/0x40\n   netlink_unicast+0x42e/0x720\n   netlink_sendmsg+0x765/0xc20\n   __sys_sendto+0x3ac/0x420\n   __x64_sys_sendto+0xe0/0x1c0\n   do_syscall_64+0x95/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because unregister_netdevice_many_notify might run before the\nrtnl lock section of ethnl operations, eg. set_channels in the above\nexample. In this example the rss lock would be destroyed by the device\nunregistration path before being used again, but in general running\nethnl operations while dismantle has started is not a good idea.\n\nFix this by denying any operation on devices being unregistered. A check\nwas already there in ethnl_ops_begin, but not wide enough.\n\nNote that the same issue cannot be seen on the ioctl version\n(__dev_ethtool) because the device reference is retrieved from within\nthe rtnl lock section there. Once dismantle started, the net device is\nunlisted and no reference will be found.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.\n   Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch->limit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B->q.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops->qlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses ->qlen_notify() to maintain its active list.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can't\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm->nb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device's vendor/product IDs and\nits other interfaces.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n  WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n  RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n  Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n  RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n  RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n  R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n  R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n  FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n   mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n   release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n   inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n   __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n   mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n   mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f6e86ebfe69\n  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n  RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n  RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n  R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n   </TASK>\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the 'fullmesh'\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n'subflow' endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed 'implicit' endpoints to get the 'fullmesh' flag while it is not\nallowed before.\n\nThat's what syzbot found, triggering the following warning:\n\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n  RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n  Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n  RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n  RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n  R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n  R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n  FS:  00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n   netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n   sock_sendmsg_nosec net/socket.c:711 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:726\n   ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n   ___sys_sendmsg net/socket.c:2637 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2669\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5fe8785d29\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n  RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n  RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: consolidate suboption status\n\nMPTCP maintains the received sub-options status is the bitmask carrying\nthe received suboptions and in several bitfields carrying per suboption\nadditional info.\n\nZeroing the bitmask before parsing is not enough to ensure a consistent\nstatus, and the MPTCP code has to additionally clear some bitfiled\ndepending on the actually parsed suboption.\n\nThe above schema is fragile, and syzbot managed to trigger a path where\na relevant bitfield is not cleared/initialized:\n\n  BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n  BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n  BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]\n  BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n   __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n   mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n   ack_update_msk net/mptcp/options.c:1060 [inline]\n   mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n   tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233\n   tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264\n   tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916\n   tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351\n   ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233\n   NF_HOOK include/linux/netfilter.h:314 [inline]\n   ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n   dst_input include/net/dst.h:460 [inline]\n   ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447\n   NF_HOOK include/linux/netfilter.h:314 [inline]\n   ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567\n   __netif_receive_skb_one_core net/core/dev.c:5704 [inline]\n   __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817\n   process_backlog+0x4ad/0xa50 net/core/dev.c:6149\n   __napi_poll+0xe7/0x980 net/core/dev.c:6902\n   napi_poll net/core/dev.c:6971 [inline]\n   net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093\n   handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n   __do_softirq+0x14/0x1a kernel/softirq.c:595\n   do_softirq+0x9a/0x100 kernel/softirq.c:462\n   __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n   __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493\n   dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n   neigh_hh_output include/net/neighbour.h:523 [inline]\n   neigh_output include/net/neighbour.h:537 [inline]\n   ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236\n   __ip_finish_output+0x287/0x810\n   ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324\n   NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n   ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434\n   dst_output include/net/dst.h:450 [inline]\n   ip_local_out net/ipv4/ip_output.c:130 [inline]\n   __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536\n   ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550\n   __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468\n   tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]\n   tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829\n   __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012\n   tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618\n   __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130\n   __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496\n   mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550\n   mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889\n   mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]\n   mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]\n   mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]\n   mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: enable basic endpoint checking\n\nSyzkaller reports [1] encountering a common issue of utilizing a wrong\nusb endpoint type during URB submitting stage. This, in turn, triggers\na warning shown below.\n\nFor now, enable simple endpoint checking (specifically, bulk and\ninterrupt eps, testing control one is not essential) to mitigate\nthe issue with a view to do other related cosmetic changes later,\nif they are necessary.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv>\nModules linked in:\nCPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617>\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nCode: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8>\nRSP: 0018:ffffc9000441f740 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9\nRDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001\nRBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c\nFS:  00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733\n __dev_open+0x2d4/0x4e0 net/core/dev.c:1474\n __dev_change_flags+0x561/0x720 net/core/dev.c:8838\n dev_change_flags+0x8f/0x160 net/core/dev.c:8910\n devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177\n inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003\n sock_do_ioctl+0x116/0x280 net/socket.c:1222\n sock_ioctl+0x22e/0x6c0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fc04ef73d49\n...\n\nThis change has not been tested on real hardware.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel: be more careful about dup_mmap() failures and uprobe registering\n\nIf a memory allocation fails during dup_mmap(), the maple tree can be left\nin an unsafe state for other iterators besides the exit path.  All the\nlocks are dropped before the exit_mmap() call (in mm/mmap.c), but the\nincomplete mm_struct can be reached through (at least) the rmap finding\nthe vmas which have a pointer back to the mm_struct.\n\nUp to this point, there have been no issues with being able to find an\nmm_struct that was only partially initialised.  Syzbot was able to make\nthe incomplete mm_struct fail with recent forking changes, so it has been\nproven unsafe to use the mm_struct that hasn't been initialised, as\nreferenced in the link below.\n\nAlthough 8ac662f5da19f (\"fork: avoid inappropriate uprobe access to\ninvalid mm\") fixed the uprobe access, it does not completely remove the\nrace.\n\nThis patch sets the MMF_OOM_SKIP to avoid the iteration of the vmas on the\noom side (even though this is extremely unlikely to be selected as an oom\nvictim in the race window), and sets MMF_UNSTABLE to avoid other potential\nusers from using a partially initialised mm_struct.\n\nWhen registering vmas for uprobe, skip the vmas in an mm that is marked\nunstable.  Modifying a vma in an unstable mm may cause issues if the mm\nisn't fully initialised.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: correct handling of extreme memory squeeze\n\nTesting with iperf3 using the \"pasta\" protocol splicer has revealed\na problem in the way tcp handles window advertising in extreme memory\nsqueeze situations.\n\nUnder memory pressure, a socket endpoint may temporarily advertise\na zero-sized window, but this is not stored as part of the socket data.\nThe reasoning behind this is that it is considered a temporary setting\nwhich shouldn't influence any further calculations.\n\nHowever, if we happen to stall at an unfortunate value of the current\nwindow size, the algorithm selecting a new value will consistently fail\nto advertise a non-zero window once we have freed up enough memory.\nThis means that this side's notion of the current window size is\ndifferent from the one last advertised to the peer, causing the latter\nto not send any data to resolve the sitution.\n\nThe problem occurs on the iperf3 server side, and the socket in question\nis a completely regular socket with the default settings for the\nfedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.\n\nThe following excerpt of a logging session, with own comments added,\nshows more in detail what is happening:\n\n//              tcp_v4_rcv(->)\n//                tcp_rcv_established(->)\n[5201<->39222]:     ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====\n[5201<->39222]:     tcp_data_queue(->)\n[5201<->39222]:        DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM\n                       [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n                       [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0]\n                       [OFO queue: gap: 65480, len: 0]\n[5201<->39222]:     tcp_data_queue(<-)\n[5201<->39222]:     __tcp_transmit_skb(->)\n                        [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]\n[5201<->39222]:       tcp_select_window(->)\n[5201<->39222]:         (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE\n                        [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]\n                        returning 0\n[5201<->39222]:       tcp_select_window(<-)\n[5201<->39222]:       ADVERTISING WIN 0, ACK_SEQ: 265600160\n[5201<->39222]:     [__tcp_transmit_skb(<-)\n[5201<->39222]:   tcp_rcv_established(<-)\n[5201<->39222]: tcp_v4_rcv(<-)\n\n// Receive queue is at 85 buffers and we are out of memory.\n// We drop the incoming buffer, although it is in sequence, and decide\n// to send an advertisement with a window of zero.\n// We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means\n// we unconditionally shrink the window.\n\n[5201<->39222]: tcp_recvmsg_locked(->)\n[5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160\n[5201<->39222]:     [new_win = 0, win_now = 131184, 2 * win_now = 262368]\n[5201<->39222]:     [new_win >= (2 * win_now) ? --> time_to_ack = 0]\n[5201<->39222]:     NOT calling tcp_send_ack()\n                    [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]\n[5201<->39222]:   __tcp_cleanup_rbuf(<-)\n                  [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n                  [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0]\n                  returning 6104 bytes\n[5201<->39222]: tcp_recvmsg_locked(<-)\n\n// After each read, the algorithm for calculating the new receive\n// window in __tcp_cleanup_rbuf() finds it is too small to advertise\n// or to update tp->rcv_wnd.\n// Meanwhile, the peer thinks the window is zero, and will not send\n// any more data to trigger an update from the interrupt mode side.\n\n[5201<->39222]: tcp_recvmsg_locked(->)\n[5201<->39222]:   __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160\n[5201<->39222]:     [new_win = 262144, win_now = 131184, 2 * win_n\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rose: prevent integer overflows in rose_setsockopt()\n\nIn case of possible unpredictably large arguments passed to\nrose_setsockopt() and multiplied by extra values on top of that,\ninteger overflows may occur.\n\nDo the safest minimum and fix these issues by checking the\ncontents of 'opt' and returning -EINVAL if they are too large. Also,\nswitch to unsigned int and remove useless check for negative 'opt'\nin ROSE_IDLE case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime\n\nAfter commit ec6bb299c7c3 (\"md/md-bitmap: add 'sync_size' into struct\nmd_bitmap_stats\"), following panic is reported:\n\nOops: general protection fault, probably for non-canonical address\nRIP: 0010:bitmap_get_stats+0x2b/0xa0\nCall Trace:\n <TASK>\n md_seq_show+0x2d2/0x5b0\n seq_read_iter+0x2b9/0x470\n seq_read+0x12f/0x180\n proc_reg_read+0x57/0xb0\n vfs_read+0xf6/0x380\n ksys_read+0x6c/0xf0\n do_syscall_64+0x82/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRoot cause is that bitmap_get_stats() can be called at anytime if mddev\nis still there, even if bitmap is destroyed, or not fully initialized.\nDeferenceing bitmap in this case can crash the kernel. Meanwhile, the\nabove commit start to deferencing bitmap->storage, make the problem\neasier to trigger.\n\nFix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: Don't unset window if it was never set\n\nOn pSeries, when user attempts to use the same vfio container used by\ndifferent iommu group, the spapr_tce_set_window() returns -EPERM\nand the subsequent cleanup leads to the below crash.\n\n   Kernel attempted to read user page (308) - exploit attempt?\n   BUG: Kernel NULL pointer dereference on read at 0x00000308\n   Faulting instruction address: 0xc0000000001ce358\n   Oops: Kernel access of bad area, sig: 11 [#1]\n   NIP:  c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0\n   <snip>\n   NIP [c0000000001ce358] spapr_tce_unset_window+0x3b8/0x510\n   LR [c0000000001ce05c] spapr_tce_unset_window+0xbc/0x510\n   Call Trace:\n     spapr_tce_unset_window+0xbc/0x510 (unreliable)\n     tce_iommu_attach_group+0x24c/0x340 [vfio_iommu_spapr_tce]\n     vfio_container_attach_group+0xec/0x240 [vfio]\n     vfio_group_fops_unl_ioctl+0x548/0xb00 [vfio]\n     sys_ioctl+0x754/0x1580\n     system_call_exception+0x13c/0x330\n     system_call_vectored_common+0x15c/0x2ec\n   <snip>\n   --- interrupt: 3000\n\nFix this by having null check for the tbl passed to the\nspapr_tce_unset_window().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP use after free\n\nPrevent double queueing of implicit ODP mr destroy work by using\n__xa_cmpxchg() to make sure this is the only time we are destroying this\nspecific mr.\n\nWithout this change, we could try to invalidate this mr twice, which in\nturn could result in queuing a MR work destroy twice, and eventually the\nsecond work could execute after the MR was freed due to the first work,\ncausing a user after free and trace below.\n\n   refcount_t: underflow; use-after-free.\n   WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130\n   Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\n   CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]\n   RIP: 0010:refcount_warn_saturate+0x12b/0x130\n   Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff\n   RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027\n   RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0\n   RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019\n   R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00\n   R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0\n   FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    <TASK>\n    ? refcount_warn_saturate+0x12b/0x130\n    free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]\n    process_one_work+0x1cc/0x3c0\n    worker_thread+0x218/0x3c0\n    kthread+0xc6/0xf0\n    ret_from_fork+0x1f/0x30\n    </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: davicom: fix UAF in dm9000_drv_remove\n\ndm is netdev private data and it cannot be\nused after free_netdev() call. Using dm after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.\n\nThis is similar to the issue fixed in commit\nad297cd2db89 (\"net: qcom/emac: fix UAF in emac_remove\").\n\nThis bug is detected by our static analysis tool.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix uninit-value in vxlan_vnifilter_dump()\n\nKMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1].\n\nIf the length of the netlink message payload is less than\nsizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes\nbeyond the message. This can lead to uninit-value access. Fix this by\nreturning an error in such situations.\n\n[1]\nBUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422\n vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786\n netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317\n __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432\n netlink_dump_start include/linux/netlink.h:340 [inline]\n rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline]\n rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882\n netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542\n rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:726\n ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637\n __sys_sendmsg net/socket.c:2669 [inline]\n __do_sys_sendmsg net/socket.c:2674 [inline]\n __se_sys_sendmsg net/socket.c:2672 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672\n x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4110 [inline]\n slab_alloc_node mm/slub.c:4153 [inline]\n kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205\n kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678\n alloc_skb include/linux/skbuff.h:1323 [inline]\n netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196\n netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:726\n ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637\n __sys_sendmsg net/socket.c:2669 [inline]\n __do_sys_sendmsg net/socket.c:2674 [inline]\n __se_sys_sendmsg net/socket.c:2672 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672\n x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq\n\nkvzalloc_node is not doing a runtime check on the node argument\n(__alloc_pages_node_noprof does have a VM_BUG_ON, but it expands to\nnothing on !CONFIG_DEBUG_VM builds), so doing any ethtool/netlink\noperation that calls mlx5e_open on a CPU that's larger that MAX_NUMNODES\ntriggers OOB access and panic (see the trace below).\n\nAdd missing cpu_to_node call to convert cpu id to node id.\n\n[  165.427394] mlx5_core 0000:5c:00.0 beth1: Link up\n[  166.479327] BUG: unable to handle page fault for address: 0000000800000010\n[  166.494592] #PF: supervisor read access in kernel mode\n[  166.505995] #PF: error_code(0x0000) - not-present page\n...\n[  166.816958] Call Trace:\n[  166.822380]  <TASK>\n[  166.827034]  ? __die_body+0x64/0xb0\n[  166.834774]  ? page_fault_oops+0x2cd/0x3f0\n[  166.843862]  ? exc_page_fault+0x63/0x130\n[  166.852564]  ? asm_exc_page_fault+0x22/0x30\n[  166.861843]  ? __kvmalloc_node_noprof+0x43/0xd0\n[  166.871897]  ? get_partial_node+0x1c/0x320\n[  166.880983]  ? deactivate_slab+0x269/0x2b0\n[  166.890069]  ___slab_alloc+0x521/0xa90\n[  166.898389]  ? __kvmalloc_node_noprof+0x43/0xd0\n[  166.908442]  __kmalloc_node_noprof+0x216/0x3f0\n[  166.918302]  ? __kvmalloc_node_noprof+0x43/0xd0\n[  166.928354]  __kvmalloc_node_noprof+0x43/0xd0\n[  166.938021]  mlx5e_open_channels+0x5e2/0xc00\n[  166.947496]  mlx5e_open_locked+0x3e/0xf0\n[  166.956201]  mlx5e_open+0x23/0x50\n[  166.963551]  __dev_open+0x114/0x1c0\n[  166.971292]  __dev_change_flags+0xa2/0x1b0\n[  166.980378]  dev_change_flags+0x21/0x60\n[  166.988887]  do_setlink+0x38d/0xf20\n[  166.996628]  ? ep_poll_callback+0x1b9/0x240\n[  167.005910]  ? __nla_validate_parse.llvm.10713395753544950386+0x80/0xd70\n[  167.020782]  ? __wake_up_sync_key+0x52/0x80\n[  167.030066]  ? __mutex_lock+0xff/0x550\n[  167.038382]  ? security_capable+0x50/0x90\n[  167.047279]  rtnl_setlink+0x1c9/0x210\n[  167.055403]  ? ep_poll_callback+0x1b9/0x240\n[  167.064684]  ? security_capable+0x50/0x90\n[  167.073579]  rtnetlink_rcv_msg+0x2f9/0x310\n[  167.082667]  ? rtnetlink_bind+0x30/0x30\n[  167.091173]  netlink_rcv_skb+0xb1/0xe0\n[  167.099492]  netlink_unicast+0x20f/0x2e0\n[  167.108191]  netlink_sendmsg+0x389/0x420\n[  167.116896]  __sys_sendto+0x158/0x1c0\n[  167.125024]  __x64_sys_sendto+0x22/0x30\n[  167.133534]  do_syscall_64+0x63/0x130\n[  167.141657]  ? __irq_exit_rcu.llvm.17843942359718260576+0x52/0xd0\n[  167.155181]  entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRose timers only acquire the socket spinlock, without\nchecking if the socket is owned by one user thread.\n\nAdd a check and rearm the timers if needed.\n\nBUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\nRead of size 2 at addr ffff88802f09b82a by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\n  call_timer_fn+0x187/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430\n  run_timer_base kernel/time/timer.c:2439 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449\n  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: do not call mr_mfc_uses_dev() for unres entries\n\nsyzbot found that calling mr_mfc_uses_dev() for unres entries\nwould crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif\nalias to \"struct sk_buff_head unresolved\", which contain two pointers.\n\nThis code never worked, let's remove it.\n\n[1]\nUnable to handle kernel paging request at virtual address ffff5fff2d536613\nKASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]\nModules linked in:\nCPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]\n pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334\n lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]\n lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334\nCall trace:\n  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)\n  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)\n  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382\n  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648\n  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327\n  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791\n  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317\n  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg net/socket.c:1055 [inline]\n  sock_read_iter+0x2d8/0x40c net/socket.c:1125\n  new_sync_read fs/read_write.c:484 [inline]\n  vfs_read+0x740/0x970 fs/read_write.c:565\n  ksys_read+0x15c/0x26c fs/read_write.c:708",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete intermediate secpath entry in packet offload mode\n\nPackets handled by hardware have added secpath as a way to inform XFRM\ncore code that this path was already handled. That secpath is not needed\nat all after policy is checked and it is removed later in the stack.\n\nHowever, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward),\nthat secpath is not removed and packets which already were handled are reentered\nto the driver TX path with xfrm_offload set.\n\nThe following kernel panic is observed in mlx5 in such case:\n\n mlx5_core 0000:04:00.0 enp4s0f0np0: Link up\n mlx5_core 0000:04:00.1 enp4s0f1np1: Link up\n Initializing XFRM netlink socket\n IPsec XFRM device driver\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor instruction fetch in kernel mode\n #PF: error_code(0x0010) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0010 [#1] PREEMPT SMP\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n RIP: 0010:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 0018:ffffb87380003800 EFLAGS: 00010206\n RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf\n RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00\n RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010\n R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00\n R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e\n FS:  0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0\n Call Trace:\n  <IRQ>\n  ? show_regs+0x63/0x70\n  ? __die_body+0x20/0x60\n  ? __die+0x2b/0x40\n  ? page_fault_oops+0x15c/0x550\n  ? do_user_addr_fault+0x3ed/0x870\n  ? exc_page_fault+0x7f/0x190\n  ? asm_exc_page_fault+0x27/0x30\n  mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core]\n  mlx5e_xmit+0x58e/0x1980 [mlx5_core]\n  ? __fib_lookup+0x6a/0xb0\n  dev_hard_start_xmit+0x82/0x1d0\n  sch_direct_xmit+0xfe/0x390\n  __dev_queue_xmit+0x6d8/0xee0\n  ? __fib_lookup+0x6a/0xb0\n  ? internal_add_timer+0x48/0x70\n  ? mod_timer+0xe2/0x2b0\n  neigh_resolve_output+0x115/0x1b0\n  __neigh_update+0x26a/0xc50\n  neigh_update+0x14/0x20\n  arp_process+0x2cb/0x8e0\n  ? __napi_build_skb+0x5e/0x70\n  arp_rcv+0x11e/0x1c0\n  ? dev_gro_receive+0x574/0x820\n  __netif_receive_skb_list_core+0x1cf/0x1f0\n  netif_receive_skb_list_internal+0x183/0x2a0\n  napi_complete_done+0x76/0x1c0\n  mlx5e_napi_poll+0x234/0x7a0 [mlx5_core]\n  __napi_poll+0x2d/0x1f0\n  net_rx_action+0x1a6/0x370\n  ? atomic_notifier_call_chain+0x3b/0x50\n  ? irq_int_handler+0x15/0x20 [mlx5_core]\n  handle_softirqs+0xb9/0x2f0\n  ? handle_irq_event+0x44/0x60\n  irq_exit_rcu+0xdb/0x100\n  common_interrupt+0x98/0xc0\n  </IRQ>\n  <TASK>\n  asm_common_interrupt+0x27/0x40\n RIP: 0010:pv_native_safe_halt+0xb/0x10\n Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22\n 0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb\n40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8\n RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680\n RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4\n RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70\n R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40\n R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8\n  ? default_idle+0x9/0x20\n  arch_cpu_idle+0x9/0x10\n  default_idle_call+0x29/0xf0\n  do_idle+0x1f2/0x240\n  cpu_startup_entry+0x2c/0x30\n  rest_init+0xe7/0x100\n  start_kernel+0x76b/0xb90\n  x86_64_start_reservations+0x18/0x30\n  x86_64_start_kernel+0xc0/0x110\n  ? setup_ghcb+0xe/0x130\n  common_startup_64+0x13e/0x141\n  </TASK>\n Modules linked in: esp4_offload esp4 xfrm_interface\nxfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: handle errors that nilfs_prepare_chunk() may return\n\nPatch series \"nilfs2: fix issues with rename operations\".\n\nThis series fixes BUG_ON check failures reported by syzbot around rename\noperations, and a minor behavioral issue where the mtime of a child\ndirectory changes when it is renamed instead of moved.\n\n\nThis patch (of 2):\n\nThe directory manipulation routines nilfs_set_link() and\nnilfs_delete_entry() rewrite the directory entry in the folio/page\npreviously read by nilfs_find_entry(), so error handling is omitted on the\nassumption that nilfs_prepare_chunk(), which prepares the buffer for\nrewriting, will always succeed for these.  And if an error is returned, it\ntriggers the legacy BUG_ON() checks in each routine.\n\nThis assumption is wrong, as proven by syzbot: the buffer layer called by\nnilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may\nfail due to metadata corruption or other reasons.  This has been there all\nalong, but improved sanity checks and error handling may have made it more\nreproducible in fuzzing tests.\n\nFix this issue by adding missing error paths in nilfs_set_link(),\nnilfs_delete_entry(), and their caller nilfs_rename().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: do not force clear folio if buffer is referenced\n\nPatch series \"nilfs2: protect busy buffer heads from being force-cleared\".\n\nThis series fixes the buffer head state inconsistency issues reported by\nsyzbot that occurs when the filesystem is corrupted and falls back to\nread-only, and the associated buffer head use-after-free issue.\n\n\nThis patch (of 2):\n\nSyzbot has reported that after nilfs2 detects filesystem corruption and\nfalls back to read-only, inconsistencies in the buffer state may occur.\n\nOne of the inconsistencies is that when nilfs2 calls mark_buffer_dirty()\nto set a data or metadata buffer as dirty, but it detects that the buffer\nis not in the uptodate state:\n\n WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520\n  fs/buffer.c:1177\n ...\n Call Trace:\n  <TASK>\n  nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598\n  nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73\n  nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344\n  nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218\n  vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n  do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n  __do_sys_mkdirat fs/namei.c:4295 [inline]\n  __se_sys_mkdirat fs/namei.c:4293 [inline]\n  __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe other is when nilfs_btree_propagate(), which propagates the dirty\nstate to the ancestor nodes of a b-tree that point to a dirty buffer,\ndetects that the origin buffer is not dirty, even though it should be:\n\n WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089\n  nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089\n ...\n Call Trace:\n  <TASK>\n  nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345\n  nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587\n  nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006\n  nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045\n  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]\n  nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]\n  nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115\n  nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]\n  nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n  </TASK>\n\nBoth of these issues are caused by the callbacks that handle the\npage/folio write requests, forcibly clear various states, including the\nworking state of the buffers they hold, at unexpected times when they\ndetect read-only fallback.\n\nFix these issues by checking if the buffer is referenced before clearing\nthe page/folio state, and skipping the clear if it is.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix possible crash when setting up bsg fails\n\nIf bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.\nConsequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc->bsg_queue)\"\nwill not be satisfied, preventing execution from entering\nbsg_remove_queue(), which could lead to the following crash:\n\nBUG: kernel NULL pointer dereference, address: 000000000000041c\nCall Trace:\n  <TASK>\n  mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]\n  mpi3mr_remove+0x6f/0x340 [mpi3mr]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x19d/0x220\n  unbind_store+0xa4/0xb0\n  kernfs_fop_write_iter+0x11f/0x200\n  vfs_write+0x1fc/0x3e0\n  ksys_write+0x67/0xe0\n  do_syscall_64+0x38/0x80\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()\n\nResolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()\nwhere shifting the constant \"1\" (of type int) by bitmap->mapped.pgshift\n(an unsigned long value) could result in undefined behavior.\n\nThe constant \"1\" defaults to a 32-bit \"int\", and when \"pgshift\" exceeds\n31 (e.g., pgshift = 63) the shift operation overflows, as the result\ncannot be represented in a 32-bit type.\n\nTo resolve this, the constant is updated to \"1UL\", promoting it to an\nunsigned long type to match the operand's type.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix oops due to unset link speed\n\nIt isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always\nbe set by the server, so the client must handle any values and then\nprevent oopses like below from happening:\n\nOops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nRIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48\n89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8\ne7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89\nc3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24\nRSP: 0018:ffffc90001817be0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99\nRDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228\nRBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac\nR10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200\nR13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58\nFS: 00007fe27119e740(0000) GS:ffff888148600000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0x159/0x1b0\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? do_error_trap+0x90/0x130\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? exc_divide_error+0x39/0x50\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? asm_exc_divide_error+0x1a/0x20\n ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]\n ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]\n ? seq_read_iter+0x42e/0x790\n seq_read_iter+0x19a/0x790\n proc_reg_read_iter+0xbe/0x110\n ? __pfx_proc_reg_read_iter+0x10/0x10\n vfs_read+0x469/0x570\n ? do_user_addr_fault+0x398/0x760\n ? __pfx_vfs_read+0x10/0x10\n ? find_held_lock+0x8a/0xa0\n ? __pfx_lock_release+0x10/0x10\n ksys_read+0xd3/0x170\n ? __pfx_ksys_read+0x10/0x10\n ? __rcu_read_unlock+0x50/0x270\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe271288911\nCode: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8\n20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d\n00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec\nRSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911\nRDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003\nRBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380\nR10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000\nR13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000\n </TASK>\n\nFix this by setting cifs_server_iface::speed to a sane value (1Gbps)\nby default when link speed is unset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: avoid UAF for reorder_work\n\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\n\ncrypto_request\t\t\tcrypto_request\t\tcrypto_del_alg\npadata_do_serial\n  ...\n  padata_reorder\n    // processes all remaining\n    // requests then breaks\n    while (1) {\n      if (!padata)\n        break;\n      ...\n    }\n\n\t\t\t\tpadata_do_serial\n\t\t\t\t  // new request added\n\t\t\t\t  list_add\n    // sees the new request\n    queue_work(reorder_work)\n\t\t\t\t  padata_reorder\n\t\t\t\t    queue_work_on(squeue->work)\n...\n\n\t\t\t\t<kworker context>\n\t\t\t\tpadata_serial_worker\n\t\t\t\t// completes new request,\n\t\t\t\t// no more outstanding\n\t\t\t\t// requests\n\n\t\t\t\t\t\t\tcrypto_del_alg\n\t\t\t\t\t\t\t  // free pd\n\n<kworker context>\ninvoke_padata_reorder\n  // UAF of pd\n\nTo avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'\ninto the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n<TASK>\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf 'mdelay(10)' is added before calling 'padata_find_next' in the\n'padata_reorder' function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as below:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(&pd->refcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps->pd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in 'while', if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n'padata_find_next', which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Send signals asynchronously if !preemptible\n\nBPF programs can execute in all kinds of contexts and when a program\nrunning in a non-preemptible context uses the bpf_send_signal() kfunc,\nit will cause issues because this kfunc can sleep.\nChange `irqs_disabled()` to `!preemptible()`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  ? show_regs+0x61/0x73\n  ? __die_body+0x20/0x73\n  ? die_addr+0x4f/0x7b\n  ? exc_general_protection+0x191/0x1db\n  ? asm_exc_general_protection+0x27/0x30\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx_do_raw_spin_lock+0x10/0x10\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n  ? _raw_spin_unlock+0xe/0x24\n  ? __mutex_lock.constprop.0+0x40c/0x471\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n  ? __mutex_lock_slowpath+0x13/0x1f\n  ? mutex_lock+0xa2/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\n  ieee80211_auth+0x18/0x27 [mac80211]\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? __kasan_check_write+0x14/0x22\n  ? mutex_lock+0x8e/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  ? __pfx___radix_tree_lookup+0x10/0x10\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\n  ? sched_clock_noinstr+0x9/0x1a\n  ? sched_clock+0x10/0x24\n  ? sched_clock_cpu+0x7e/0x42e\n  ? newidle_balance+0x796/0x937\n  ? __pfx_sched_clock_cpu+0x10/0x10\n  ? __pfx_newidle_balance+0x10/0x10\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? _raw_spin_unlock+0xe/0x24\n  ? raw_spin_rq_unlock+0x47/0x54\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\n  ? finish_task_switch.isra.0+0x347/0x586\n  ? __schedule+0x27bf/0x2892\n  ? mutex_unlock+0x80/0xd0\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx___schedule+0x10/0x10\n  process_scheduled_works+0x58c/0x821\n  worker_thread+0x4c7/0x586\n  ? __kasan_check_read+0x11/0x1f\n  kthread+0x285/0x294\n  ? __pfx_worker_thread+0x10/0x10\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x6f\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed\n\nIf WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered\nwithout removing the interface first. Then the mgnt_entry list init again,\ncausing the list_empty() check in rtw89_chanctx_ops_assign_vif()\nuseless, and list_add_tail() again. Therefore, we have added a check to\nprevent double adding of the list.\n\nrtw89_8852ce 0000:01:00.0: failed to check wow status disabled\nrtw89_8852ce 0000:01:00.0: wow: failed to check disable fw ready\nrtw89_8852ce 0000:01:00.0: wow: failed to swap to normal fw\nrtw89_8852ce 0000:01:00.0: failed to disable wow\nrtw89_8852ce 0000:01:00.0: failed to resume for wow -110\nrtw89_8852ce 0000:01:00.0: MAC has already powered on\ni2c_hid_acpi i2c-ILTK0001:00: PM: acpi_subsys_resume+0x0/0x60 returned 0 after 284705 usecs\nlist_add corruption. prev->next should be next (ffff9d9719d82228), but was ffff9d9719f96030. (prev=ffff9d9719f96030).\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:34!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 2 PID: 6918 Comm: kworker/u8:19 Tainted: G     U     O\nHardware name: Google Anraggar/Anraggar, BIOS Google_Anraggar.15217.514.0 03/25/2024\nWorkqueue: events_unbound async_run_entry_fn\nRIP: 0010:__list_add_valid_or_report+0x9f/0xb0\nCode: e8 56 89 ff ff 0f 0b 48 c7 c7 3e fc e0 96 48 89 c6 e8 45 89 ff ...\nRSP: 0018:ffffa51b42bbbaf0 EFLAGS: 00010246\nRAX: 0000000000000075 RBX: ffff9d9719d82ab0 RCX: 13acb86e047a4400\nRDX: 3fffffffffffffff RSI: 0000000000000000 RDI: 00000000ffffdfff\nRBP: ffffa51b42bbbb28 R08: ffffffff9768e250 R09: 0000000000001fff\nR10: ffffffff9765e250 R11: 0000000000005ffd R12: ffff9d9719f95c40\nR13: ffff9d9719f95be8 R14: ffff9d97081bfd78 R15: ffff9d9719d82060\nFS:  0000000000000000(0000) GS:ffff9d9a6fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007e7d029a4060 CR3: 0000000345e38000 CR4: 0000000000750ee0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body+0x68/0xb0\n ? die+0xaa/0xd0\n ? do_trap+0x9f/0x170\n ? __list_add_valid_or_report+0x9f/0xb0\n ? __list_add_valid_or_report+0x9f/0xb0\n ? handle_invalid_op+0x69/0x90\n ? __list_add_valid_or_report+0x9f/0xb0\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? __list_add_valid_or_report+0x9f/0xb0\n rtw89_chanctx_ops_assign_vif+0x1f9/0x210 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]\n ? __mutex_unlock_slowpath+0xa0/0xf0\n rtw89_ops_assign_vif_chanctx+0x4b/0x90 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]\n drv_assign_vif_chanctx+0xa7/0x1f0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]\n ieee80211_reconfig+0x9cb/0x17b0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n ? dev_printk_emit+0x51/0x70\n ? _dev_info+0x6e/0x90\n wiphy_resume+0x89/0x180 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n ? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]\n dpm_run_callback+0x37/0x1e0\n device_resume+0x26d/0x4b0\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x29/0xd0\n worker_thread+0x397/0x970\n kthread+0xed/0x110\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don't allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n  nbd_genl_disconnect\n   nbd_disconnect_and_put\n    nbd_disconnect\n     flush_workqueue(nbd->recv_workq)\n    if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n     nbd_config_put\n     -> due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n  nbd_genl_reconfigure\n   config = nbd_get_config_unlocked(nbd)\n   if (!config)\n   -> succeed\n   if (!test_bit(NBD_RT_BOUND, ...))\n   -> succeed\n   nbd_reconnect_socket\n    queue_work(nbd->recv_workq, &args->work)\n\n4) step 1) release the reference;\n\n5) Finally, recv_work() will trigger UAF:\n\n  recv_work\n   nbd_config_put(nbd)\n   -> nbd_config is freed\n   atomic_dec(&config->recv_threads)\n   -> UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error\n\nThis patch addresses a race condition for an ODP MR that can result in a\nCQE with an error on the UMR QP.\n\nDuring the __mlx5_ib_dereg_mr() flow, the following sequence of calls\noccurs:\n\nmlx5_revoke_mr()\n mlx5r_umr_revoke_mr()\n mlx5r_umr_post_send_wait()\n\nAt this point, the lkey is freed from the hardware's perspective.\n\nHowever, concurrently, mlx5_ib_invalidate_range() might be triggered by\nanother task attempting to invalidate a range for the same freed lkey.\n\nThis task will:\n - Acquire the umem_odp->umem_mutex lock.\n - Call mlx5r_umr_update_xlt() on the UMR QP.\n - Since the lkey has already been freed, this can lead to a CQE error,\n   causing the UMR QP to enter an error state [1].\n\nTo resolve this race condition, the umem_odp->umem_mutex lock is now also\nacquired as part of the mlx5_revoke_mr() scope.  Upon successful revoke,\nwe set umem_odp->private which points to that MR to NULL, preventing any\nfurther invalidation attempts on its lkey.\n\n[1] From dmesg:\n\n   infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error\n   cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2\n\n   WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\n   CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   [..]\n   Call Trace:\n   <TASK>\n   mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]\n   mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]\n   __mmu_notifier_invalidate_range_start+0x1e1/0x240\n   zap_page_range_single+0xf1/0x1a0\n   madvise_vma_behavior+0x677/0x6e0\n   do_madvise+0x1a2/0x4b0\n   __x64_sys_madvise+0x25/0x30\n   do_syscall_64+0x6b/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix resetting of tracepoints\n\nIf a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD\ndisabled, but then that option is enabled and timerlat is removed, the\ntracepoints that were enabled on timerlat registration do not get\ndisabled. If the option is disabled again and timelat is started, then it\ntriggers a warning in the tracepoint code due to registering the\ntracepoint again without ever disabling it.\n\nDo not use the same user space defined options to know to disable the\ntracepoints when timerlat is removed. Instead, set a global flag when it\nis enabled and use that flag to know to disable the events.\n\n ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options\n ~# echo timerlat > /sys/kernel/tracing/current_tracer\n ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options\n ~# echo nop > /sys/kernel/tracing/current_tracer\n ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options\n ~# echo timerlat > /sys/kernel/tracing/current_tracer\n\nTriggers:\n\n ------------[ cut here ]------------\n WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0\n Modules linked in:\n CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:tracepoint_add_func+0x3b6/0x3f0\n Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b\n RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202\n RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410\n RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002\n R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001\n R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008\n FS:  00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __warn.cold+0xb7/0x14d\n  ? tracepoint_add_func+0x3b6/0x3f0\n  ? report_bug+0xea/0x170\n  ? handle_bug+0x58/0x90\n  ? exc_invalid_op+0x17/0x70\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  ? tracepoint_add_func+0x3b6/0x3f0\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  tracepoint_probe_register+0x78/0xb0\n  ? __pfx_trace_sched_migrate_callback+0x10/0x10\n  osnoise_workload_start+0x2b5/0x370\n  timerlat_tracer_init+0x76/0x1b0\n  tracing_set_tracer+0x244/0x400\n  tracing_set_trace_write+0xa0/0xe0\n  vfs_write+0xfc/0x570\n  ? do_sys_openat2+0x9c/0xe0\n  ksys_write+0x72/0xf0\n  do_syscall_64+0x79/0x1c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix copy buffer page size\n\nFor a non-registered buffer, the fastrpc driver copies the buffer and\npasses it to the remote subsystem. There is a problem with the current\nimplementation of page size calculation, which is not considering\nthe offset in the calculation. This might lead to passing of an\nimproper and out-of-bounds page size which could result in a\nmemory issue. Calculate page start and page end using the offset\nadjusted address instead of the absolute address.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Add bounds checking in nci_hci_create_pipe()\n\nThe \"pipe\" variable is a u8 which comes from the network.  If it's more\nthan 127, then it results in memory corruption in the caller,\nnci_hci_connect_gate().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix possible int overflows in nilfs_fiemap()\n\nSince nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result\nby being prepared to go through potentially maxblocks == INT_MAX blocks,\nthe value in n may experience an overflow caused by left shift of blkbits.\n\nWhile it is extremely unlikely to occur, play it safe and cast right hand\nexpression to wider type to mitigate the issue.\n\nFound by Linux Verification Center (linuxtesting.org) with static analysis\ntool SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_mds_auth_match()\n\nWe now free the temporary target path substring allocation on every\npossible branch, instead of omitting the default branch.  In some\ncases, a memory leak occurred, which could rapidly crash the system\n(depending on how many file accesses were attempted).\n\nThis was detected in production because it caused a continuous memory\ngrowth, eventually triggering kernel OOM and completely hard-locking\nthe kernel.\n\nRelevant kmemleak stacktrace:\n\n    unreferenced object 0xffff888131e69900 (size 128):\n      comm \"git\", pid 66104, jiffies 4295435999\n      hex dump (first 32 bytes):\n        76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65  volumes/containe\n        72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67  rs/gitea/gitea/g\n      backtrace (crc 2f3bb450):\n        [<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510\n        [<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]\n        [<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]\n        [<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120\n        [<ffffffffaa7e3729>] vfs_open+0x79/0x360\n        [<ffffffffaa832875>] path_openat+0x1de5/0x4390\n        [<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0\n        [<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180\n        [<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0\n        [<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210\n        [<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIt can be triggered by mounting a subdirectory of a CephFS filesystem,\nand then trying to access files on this subdirectory with an auth token\nusing a path-scoped capability:\n\n    $ ceph auth get client.services\n    [client.services]\n            key = REDACTED\n            caps mds = \"allow rw fsname=cephfs path=/volumes/\"\n            caps mon = \"allow r fsname=cephfs\"\n            caps osd = \"allow rw tag cephfs data=cephfs\"\n\n    $ cat /proc/self/mounts\n    services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0\n\n    $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \\\n    seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}\n\n[ idryomov: combine if statements, rename rc to path_matched and make\n            it a bool, formatting ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-sff: Ensure that we cannot write outside the allocated buffer\n\nreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len\nset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to\nATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to\nwrite outside the allocated buffer, overwriting random memory.\n\nWhile an ATA device is supposed to abort an ATA_NOP command, there does seem\nto be a bug either in libata-sff or QEMU, where either this status is not\nset, or the status is cleared before read by ata_sff_hsm_move().\nAnyway, that is most likely a separate bug.\n\nLooking at __atapi_pio_bytes(), it already has a safety check to ensure\nthat __atapi_pio_bytes() cannot write outside the allocated buffer.\n\nAdd a similar check to ata_pio_sector(), such that also ata_pio_sector()\ncannot write outside the allocated buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix use-after free in init error and remove paths\n\ndevm_blk_crypto_profile_init() registers a cleanup handler to run when\nthe associated (platform-) device is being released. For UFS, the\ncrypto private data and pointers are stored as part of the ufs_hba's\ndata structure 'struct ufs_hba::crypto_profile'. This structure is\nallocated as part of the underlying ufshcd and therefore Scsi_host\nallocation.\n\nDuring driver release or during error handling in ufshcd_pltfrm_init(),\nthis structure is released as part of ufshcd_dealloc_host() before the\n(platform-) device associated with the crypto call above is released.\nOnce this device is released, the crypto cleanup code will run, using\nthe just-released 'struct ufs_hba::crypto_profile'. This causes a\nuse-after-free situation:\n\n  Call trace:\n   kfree+0x60/0x2d8 (P)\n   kvfree+0x44/0x60\n   blk_crypto_profile_destroy_callback+0x28/0x70\n   devm_action_release+0x1c/0x30\n   release_nodes+0x6c/0x108\n   devres_release_all+0x98/0x100\n   device_unbind_cleanup+0x20/0x70\n   really_probe+0x218/0x2d0\n\nIn other words, the initialisation code flow is:\n\n  platform-device probe\n    ufshcd_pltfrm_init()\n      ufshcd_alloc_host()\n        scsi_host_alloc()\n          allocation of struct ufs_hba\n          creation of scsi-host devices\n    devm_blk_crypto_profile_init()\n      devm registration of cleanup handler using platform-device\n\nand during error handling of ufshcd_pltfrm_init() or during driver\nremoval:\n\n  ufshcd_dealloc_host()\n    scsi_host_put()\n      put_device(scsi-host)\n        release of struct ufs_hba\n  put_device(platform-device)\n    crypto cleanup handler\n\nTo fix this use-after free, change ufshcd_alloc_host() to register a\ndevres action to automatically cleanup the underlying SCSI device on\nufshcd destruction, without requiring explicit calls to\nufshcd_dealloc_host(). This way:\n\n    * the crypto profile and all other ufs_hba-owned resources are\n      destroyed before SCSI (as they've been registered after)\n    * a memleak is plugged in tc-dwc-g210-pci.c remove() as a\n      side-effect\n    * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as\n      it's not needed anymore\n    * no future drivers using ufshcd_alloc_host() could ever forget\n      adding the cleanup",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix DPE OoB read\n\nFix an out-of-bounds DPE read, limit the number of processed DPEs to\nthe amount that fits into the fixed-size NDP16 header.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: use static NDP16 location in URB\n\nOriginal code allowed for the start of NDP16 to be anywhere within the\nURB based on the `wNdpIndex` value in NTH16. Only the start position of\nNDP16 was checked, so it was possible for even the fixed-length part\nof NDP16 to extend past the end of URB, leading to an out-of-bounds\nread.\n\nOn iOS devices, the NDP16 header always directly follows NTH16. Rely on\nand check for this specific format.\n\nThis, along with NCM-specific minimal URB length check that already\nexists, will ensure that the fixed-length part of NDP16 plus a set\namount of DPEs fit within the URB.\n\nNote that this commit alone does not fully address the OoB read.\nThe limit on the amount of DPEs needs to be enforced separately.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: ipheth: fix possible overflow in DPE length check\n\nOriginally, it was possible for the DPE length check to overflow if\nwDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB\nread.\n\nMove the wDatagramIndex term to the other side of the inequality.\n\nAn existing condition ensures that wDatagramIndex < urb->actual_length.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()\n\nOn removal of the device or unloading of the kernel module a potential NULL\npointer dereference occurs.\n\nThe following sequence deletes the interface:\n\n  brcmf_detach()\n    brcmf_remove_interface()\n      brcmf_del_if()\n\nInside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to\nBRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.\n\nAfter the brcmf_remove_interface() call the brcmf_proto_detach() function is\ncalled providing the following sequence:\n\n  brcmf_detach()\n    brcmf_proto_detach()\n      brcmf_proto_msgbuf_detach()\n        brcmf_flowring_detach()\n          brcmf_msgbuf_delete_flowring()\n            brcmf_msgbuf_remove_flowring()\n              brcmf_flowring_delete()\n                brcmf_get_ifp()\n                brcmf_txfinalize()\n\nSince brcmf_get_ifp() can and actually will return NULL in this case the\ncall to brcmf_txfinalize() will result in a NULL pointer dereference inside\nbrcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.\n\nThis will only happen if a flowring still has an skb.\n\nAlthough the NULL pointer dereference has only been seen when trying to\nupdate the tx statistic, all other uses of the ifp pointer have been\nguarded as well with an early return if ifp is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix class @block_class's subsystem refcount leakage\n\nblkcg_fill_root_iostats() iterates over @block_class's devices by\nclass_dev_iter_(init|next)(), but does not end iterating with\nclass_dev_iter_exit(), so causes the class's subsystem refcount leakage.\n\nFix by ending the iterating with class_dev_iter_exit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics - fix crash when enabling pass-through port\n\nWhen enabling a pass-through port an interrupt might come before psmouse\ndriver binds to the pass-through port. However synaptics sub-driver\ntries to access psmouse instance presumably associated with the\npass-through port to figure out if only 1 byte of response or entire\nprotocol packet needs to be forwarded to the pass-through port and may\ncrash if psmouse instance has not been attached to the port yet.\n\nFix the crash by introducing open() and close() methods for the port and\ncheck if the port is open before trying to access psmouse instance.\nBecause psmouse calls serio_open() only after attaching psmouse instance\nto serio port instance this prevents the potential crash.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: astdp: Fix timeout for enabling video signal\n\nThe ASTDP transmitter sometimes takes up to 1 second for enabling the\nvideo signal, while the timeout is only 200 msec. This results in a\nkernel error message. Increase the timeout to 1 second. An example\nof the error message is shown below.\n\n[  697.084433] ------------[ cut here ]------------\n[  697.091115] ast 0000:02:00.0: [drm] drm_WARN_ON(!__ast_dp_wait_enable(ast, enabled))\n[  697.091233] WARNING: CPU: 1 PID: 160 at drivers/gpu/drm/ast/ast_dp.c:232 ast_dp_set_enable+0x123/0x140 [ast]\n[...]\n[  697.272469] RIP: 0010:ast_dp_set_enable+0x123/0x140 [ast]\n[...]\n[  697.415283] Call Trace:\n[  697.420727]  <TASK>\n[  697.425908]  ? show_trace_log_lvl+0x196/0x2c0\n[  697.433304]  ? show_trace_log_lvl+0x196/0x2c0\n[  697.440693]  ? drm_atomic_helper_commit_modeset_enables+0x30a/0x470\n[  697.450115]  ? ast_dp_set_enable+0x123/0x140 [ast]\n[  697.458059]  ? __warn.cold+0xaf/0xca\n[  697.464713]  ? ast_dp_set_enable+0x123/0x140 [ast]\n[  697.472633]  ? report_bug+0x134/0x1d0\n[  697.479544]  ? handle_bug+0x58/0x90\n[  697.486127]  ? exc_invalid_op+0x13/0x40\n[  697.492975]  ? asm_exc_invalid_op+0x16/0x20\n[  697.500224]  ? preempt_count_sub+0x14/0xc0\n[  697.507473]  ? ast_dp_set_enable+0x123/0x140 [ast]\n[  697.515377]  ? ast_dp_set_enable+0x123/0x140 [ast]\n[  697.523227]  drm_atomic_helper_commit_modeset_enables+0x30a/0x470\n[  697.532388]  drm_atomic_helper_commit_tail+0x58/0x90\n[  697.540400]  ast_mode_config_helper_atomic_commit_tail+0x30/0x40 [ast]\n[  697.550009]  commit_tail+0xfe/0x1d0\n[  697.556547]  drm_atomic_helper_commit+0x198/0x1c0\n\nThis is a cosmetical problem. Enabling the video signal still works\neven with the error message. The problem has always been present, but\nonly recent versions of the ast driver warn about missing the timeout.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix integer overflows on 32 bit systems\n\nOn 32bit systems the addition operations in ipc_msg_alloc() can\npotentially overflow leading to memory corruption.\nAdd bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: lock the socket in rose_bind()\n\nsyzbot reported a soft lockup in rose_loopback_timer(),\nwith a repro calling bind() from multiple threads.\n\nrose_bind() must lock the socket to avoid this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the return value of of_property_read_string_index()\n\nSometime between 6.10 and 6.11 the driver started to crash on my\nMacBookPro14,3. The property doesn't exist and 'tmp' remains\nuninitialized, so we pass a random pointer to devm_kstrdup().\n\nThe crash I am getting looks like this:\n\nBUG: unable to handle page fault for address: 00007f033c669379\nPF: supervisor read access in kernel mode\nPF: error_code(0x0001) - permissions violation\nPGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025\nOops: Oops: 0001 [#1] SMP PTI\nCPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1\nHardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024\nRIP: 0010:strlen+0x4/0x30\nCode: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc\nRSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202\nRAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001\nRDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379\nRBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a\nR10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8\nR13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30\nFS:  00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x149/0x4c0\n ? raw_spin_rq_lock_nested+0xe/0x20\n ? sched_balance_newidle+0x22b/0x3c0\n ? update_load_avg+0x78/0x770\n ? exc_page_fault+0x6f/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_pci_conf1_write+0x10/0x10\n ? strlen+0x4/0x30\n devm_kstrdup+0x25/0x70\n brcmf_of_probe+0x273/0x350 [brcmfmac]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, change error flow on matcher disconnect\n\nCurrently, when firmware failure occurs during matcher disconnect flow,\nthe error flow of the function reconnects the matcher back and returns\nan error, which continues running the calling function and eventually\nfrees the matcher that is being disconnected.\nThis leads to a case where we have a freed matcher on the matchers list,\nwhich in turn leads to use-after-free and eventual crash.\n\nThis patch fixes that by not trying to reconnect the matcher back when\nsome FW command fails during disconnect.\n\nNote that we're dealing here with FW error. We can't overcome this\nproblem. This might lead to bad steering state (e.g. wrong connection\nbetween matchers), and will also lead to resource leakage, as it is\nthe case with any other error handling during resource destruction.\n\nHowever, the goal here is to allow the driver to continue and not crash\nthe machine with use-after-free error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents\n\nDon't use btrfs_set_item_key_safe() to modify the keys in the RAID\nstripe-tree, as this can lead to corruption of the tree, which is caught\nby the checks in btrfs_set_item_key_safe():\n\n BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12\n BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030\n  [ snip ]\n  item 105 key (354549760 230 20480) itemoff 14587 itemsize 16\n                  stride 0 devid 5 physical 67502080\n  item 106 key (354631680 230 4096) itemoff 14571 itemsize 16\n                  stride 0 devid 1 physical 88559616\n  item 107 key (354631680 230 32768) itemoff 14555 itemsize 16\n                  stride 0 devid 1 physical 88555520\n  item 108 key (354717696 230 28672) itemoff 14539 itemsize 16\n                  stride 0 devid 2 physical 67604480\n  [ snip ]\n BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2602!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270\n Code: <snip>\n RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287\n RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff\n RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500\n R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000\n R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58\n FS:  00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0\n Call Trace:\n  <TASK>\n  ? __die_body.cold+0x14/0x1a\n  ? die+0x2e/0x50\n  ? do_trap+0xca/0x110\n  ? do_error_trap+0x65/0x80\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  ? exc_invalid_op+0x50/0x70\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  btrfs_partially_delete_raid_extent+0xc4/0xe0\n  btrfs_delete_raid_extent+0x227/0x240\n  __btrfs_free_extent.isra.0+0x57f/0x9c0\n  ? exc_coproc_segment_overrun+0x40/0x40\n  __btrfs_run_delayed_refs+0x2fa/0xe80\n  btrfs_run_delayed_refs+0x81/0xe0\n  btrfs_commit_transaction+0x2dd/0xbe0\n  ? preempt_count_add+0x52/0xb0\n  btrfs_sync_file+0x375/0x4c0\n  do_fsync+0x39/0x70\n  __x64_sys_fsync+0x13/0x20\n  do_syscall_64+0x54/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f7d7550ef90\n Code: <snip>\n RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90\n RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004\n RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c\n R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c\n R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8\n  </TASK>\n\nWhile the root cause of the tree order corruption isn't clear, using\nbtrfs_duplicate_item() to copy the item and then adjusting both the key\nand the per-device physical addresses is a safe way to counter this\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it's aborted,\nwe read its 'aborted' field after unlocking fs_info->trans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its 'aborted' field, leading to a use-after-free.\n\nFix this by reading the 'aborted' field while holding fs_info->trans_lock\nsince any freeing task must first acquire that lock and set\nfs_info->running_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    </TASK>\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion failure when splitting ordered extent after transaction abort\n\nIf while we are doing a direct IO write a transaction abort happens, we\nmark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done\nat btrfs_destroy_ordered_extents()), and then after that if we enter\nbtrfs_split_ordered_extent() and the ordered extent has bytes left\n(meaning we have a bio that doesn't cover the whole ordered extent, see\ndetails at btrfs_extract_ordered_extent()), we will fail on the following\nassertion at btrfs_split_ordered_extent():\n\n   ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS));\n\nbecause the BTRFS_ORDERED_IOERR flag is set and the definition of\nBTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the\ntype of write (regular, nocow, prealloc, compressed, direct IO, encoded).\n\nFix this by returning an error from btrfs_extract_ordered_extent() if we\nfind the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will\nbe the error that resulted in the transaction abort or -EIO if no\ntransaction abort happened.\n\nThis was recently reported by syzbot with the following trace:\n\n   FAULT_INJECTION: forcing a failure.\n   name failslab, interval 1, probability 0, space 0, times 1\n   CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    fail_dump lib/fault-inject.c:53 [inline]\n    should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154\n    should_failslab+0xac/0x100 mm/failslab.c:46\n    slab_pre_alloc_hook mm/slub.c:4072 [inline]\n    slab_alloc_node mm/slub.c:4148 [inline]\n    __do_kmalloc_node mm/slub.c:4297 [inline]\n    __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310\n    kmalloc_noprof include/linux/slab.h:905 [inline]\n    kzalloc_noprof include/linux/slab.h:1037 [inline]\n    btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742\n    reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292\n    check_system_chunk fs/btrfs/block-group.c:4319 [inline]\n    do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]\n    btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187\n    find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]\n    find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579\n    btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672\n    btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]\n    btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321\n    btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525\n    iomap_iter+0x697/0xf60 fs/iomap/iter.c:90\n    __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702\n    btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]\n    btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880\n    btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397\n    do_iter_readv_writev+0x600/0x880\n    vfs_writev+0x376/0xba0 fs/read_write.c:1050\n    do_pwritev fs/read_write.c:1146 [inline]\n    __do_sys_pwritev2 fs/read_write.c:1204 [inline]\n    __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   RIP: 0033:0x7f1281f85d29\n   RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148\n   RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29\n   RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005\n   RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003\n   R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002\n   R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328\n    </TASK>\n   BTRFS error (device loop0 state A): Transaction aborted (error -12)\n   BTRFS: error (device loop0 state A\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Keep the binding until socket destruction\n\nPreserve sockets bindings; this includes both resulting from an explicit\nbind() and those implicitly bound through autobind during connect().\n\nPrevents socket unbinding during a transport reassignment, which fixes a\nuse-after-free:\n\n    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)\n    2. transport->release() calls vsock_remove_bound() without checking if\n       sk was bound and moved to bound list (refcnt=1)\n    3. vsock_bind() assumes sk is in unbound list and before\n       __vsock_insert_bound(vsock_bound_sockets()) calls\n       __vsock_remove_bound() which does:\n           list_del_init(&vsk->bound_table); // nop\n           sock_put(&vsk->sk);               // refcnt=0\n\nBUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730\nRead of size 4 at addr ffff88816b46a74c by task a.out/2057\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n __vsock_bind+0x62e/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n __vsock_create.constprop.0+0x2e/0xb60\n vsock_create+0xe4/0x420\n __sock_create+0x241/0x650\n __sys_socket+0xf2/0x1a0\n __x64_sys_socket+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2057:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n __vsock_bind+0x5e1/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150\nRIP: 0010:refcount_warn_saturate+0xce/0x150\n __vsock_bind+0x66d/0x730\n vsock_bind+0x97/0xe0\n __sys_bind+0x154/0x1f0\n __x64_sys_bind+0x6e/0xb0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150\nRIP: 0010:refcount_warn_saturate+0xee/0x150\n vsock_remove_bound+0x187/0x1e0\n __vsock_release+0x383/0x4a0\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x359/0xa80\n task_work_run+0x107/0x1d0\n do_exit+0x847/0x2560\n do_group_exit+0xb8/0x250\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0xfec/0x14f0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: add RCU protection to mld_newpack()\n\nmld_newpack() can be called without RTNL or RCU being held.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net->ipv6.igmp_sk\nsocket under RCU protection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: extend RCU protection in igmp6_send()\n\nigmp6_send() can be called without RTNL or RCU being held.\n\nExtend RCU protection so that we can safely fetch the net pointer\nand avoid a potential UAF.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net->ipv6.igmp_sk\nsocket under RCU protection.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: extend RCU protection in ndisc_send_skb()\n\nndisc_send_skb() can be called without RTNL or RCU held.\n\nAcquire rcu_read_lock() earlier, so that we can use dev_net_rcu()\nand avoid a potential UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: use RCU protection in ovs_vport_cmd_fill_info()\n\novs_vport_cmd_fill_info() can be called without RTNL or RCU.\n\nUse RCU protection and dev_net_rcu() to avoid potential UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: use RCU protection in arp_xmit()\n\narp_xmit() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: use RCU protection in __neigh_notify()\n\n__neigh_notify() can be called without RTNL or RCU protection.\n\nUse RCU protection to avoid potential UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: use RCU protection in ndisc_alloc_skb()\n\nndisc_alloc_skb() can be called without RTNL or RCU being held.\n\nAdd RCU protection to avoid possible UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU protection in ip6_default_advmss()\n\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context\n\nThe following bug report happened with a PREEMPT_RT kernel:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog\n  preempt_count: 1, expected: 0\n  RCU nest depth: 0, expected: 0\n  get_random_u32+0x4f/0x110\n  clocksource_verify_choose_cpus+0xab/0x1a0\n  clocksource_verify_percpu.part.0+0x6b/0x330\n  clocksource_watchdog_kthread+0x193/0x1a0\n\nIt is due to the fact that clocksource_verify_choose_cpus() is invoked with\npreemption disabled.  This function invokes get_random_u32() to obtain\nrandom numbers for choosing CPUs.  The batched_entropy_32 local lock and/or\nthe base_crng.lock spinlock in driver/char/random.c will be acquired during\nthe call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot\nbe acquired in atomic context.\n\nFix this problem by using migrate_disable() to allow smp_processor_id() to\nbe reliably used without introducing atomic context. preempt_disable() is\nthen called after clocksource_verify_choose_cpus() but before the\nclocksource measurement is being run to avoid introducing unexpected\nlatency.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels\n\nSome lwtunnels have a dst cache for post-transformation dst.\nIf the packet destination did not change we may end up recording\na reference to the lwtunnel in its own cache, and the lwtunnel\nstate will never be freed.\n\nDiscovered by the ioam6.sh test, kmemleak was recently fixed\nto catch per-cpu memory leaks. I'm not sure if rpl and seg6\ncan actually hit this, but in principle I don't see why not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: vmclock: Add .owner to vmclock_miscdev_fops\n\nWithout the .owner field, the module can be unloaded while /dev/vmclock0\nis open, leading to an oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential memory leak in iopf_queue_remove_device()\n\nThe iopf_queue_remove_device() helper removes a device from the per-iommu\niopf queue when PRI is disabled on the device. It responds to all\noutstanding iopf's with an IOMMU_PAGE_RESP_INVALID code and detaches the\ndevice from the queue.\n\nHowever, it fails to release the group structure that represents a group\nof iopf's awaiting for a response after responding to the hardware. This\ncan cause a memory leak if iopf_queue_remove_device() is called with\npending iopf's.\n\nFix it by calling iopf_free_group() after the iopf group is responded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix incorrect autogroup migration detection\n\nscx_move_task() is called from sched_move_task() and tells the BPF scheduler\nthat cgroup migration is being committed. sched_move_task() is used by both\ncgroup and autogroup migrations and scx_move_task() tried to filter out\nautogroup migrations by testing the destination cgroup and PF_EXITING but\nthis is not enough. In fact, without explicitly tagging the thread which is\ndoing the cgroup migration, there is no good way to tell apart\nscx_move_task() invocations for racing migration to the root cgroup and an\nautogroup migration.\n\nThis led to scx_move_task() incorrectly ignoring a migration from non-root\ncgroup to an autogroup of the root cgroup triggering the following warning:\n\n  WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340\n  ...\n  Call Trace:\n  <TASK>\n    cgroup_migrate_execute+0x5b1/0x700\n    cgroup_attach_task+0x296/0x400\n    __cgroup_procs_write+0x128/0x140\n    cgroup_procs_write+0x17/0x30\n    kernfs_fop_write_iter+0x141/0x1f0\n    vfs_write+0x31d/0x4a0\n    __x64_sys_write+0x72/0xf0\n    do_syscall_64+0x82/0x160\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it by adding an argument to sched_move_task() that indicates whether the\nmoving is for a cgroup or autogroup migration. After the change,\nscx_move_task() is called only for cgroup migrations and renamed to\nscx_cgroup_move_task().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n   preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n   (which results in partition table entries straddling sector boundaries),\n   bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n   termination - use strnlen() and strncmp() instead of strlen() and\n   strcmp().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: fix potential NULL pointer dereference on udev->serial\n\nThe driver assumed that es58x_dev->udev->serial could never be NULL.\nWhile this is true on commercially available devices, an attacker\ncould spoof the device identity providing a NULL USB serial number.\nThat would trigger a NULL pointer dereference.\n\nAdd a check on es58x_dev->udev->serial before accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: rockchip: rkcanfd_handle_rx_fifo_overflow_int(): bail out if skb cannot be allocated\n\nFix NULL pointer check in rkcanfd_handle_rx_fifo_overflow_int() to\nbail out if skb cannot be allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ctucanfd: handle skb allocation failure\n\nIf skb allocation fails, the pointer to struct can_frame is NULL. This\nis actually handled everywhere inside ctucan_err_interrupt() except for\nthe only place.\n\nAdd the missed NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: hub: Ignore non-compliant devices with too many configs or interfaces\n\nRobert Morris created a test program which can cause\nusb_hub_to_struct_hub() to dereference a NULL or inappropriate\npointer:\n\nOops: general protection fault, probably for non-canonical address\n0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI\nCPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14\nHardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110\n...\nCall Trace:\n <TASK>\n ? die_addr+0x31/0x80\n ? exc_general_protection+0x1b4/0x3c0\n ? asm_exc_general_protection+0x26/0x30\n ? usb_hub_adjust_deviceremovable+0x78/0x110\n hub_probe+0x7c7/0xab0\n usb_probe_interface+0x14b/0x350\n really_probe+0xd0/0x2d0\n ? __pfx___device_attach_driver+0x10/0x10\n __driver_probe_device+0x6e/0x110\n driver_probe_device+0x1a/0x90\n __device_attach_driver+0x7e/0xc0\n bus_for_each_drv+0x7f/0xd0\n __device_attach+0xaa/0x1a0\n bus_probe_device+0x8b/0xa0\n device_add+0x62e/0x810\n usb_set_configuration+0x65d/0x990\n usb_generic_driver_probe+0x4b/0x70\n usb_probe_device+0x36/0xd0\n\nThe cause of this error is that the device has two interfaces, and the\nhub driver binds to interface 1 instead of interface 0, which is where\nusb_hub_to_struct_hub() looks.\n\nWe can prevent the problem from occurring by refusing to accept hub\ndevices that violate the USB spec by having more than one\nconfiguration or interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Validate the persistent meta data subbuf array\n\nThe meta data for a mapped ring buffer contains an array of indexes of all\nthe subbuffers. The first entry is the reader page, and the rest of the\nentries lay out the order of the subbuffers in how the ring buffer link\nlist is to be created.\n\nThe validator currently makes sure that all the entries are within the\nrange of 0 and nr_subbufs. But it does not check if there are any\nduplicates.\n\nWhile working on the ring buffer, I corrupted this array, where I added\nduplicates. The validator did not catch it and created the ring buffer\nlink list on top of it. Luckily, the corruption was only that the reader\npage was also in the writer path and only presented corrupted data but did\nnot crash the kernel. But if there were duplicates in the writer side,\nthen it could corrupt the ring buffer link list and cause a crash.\n\nCreate a bitmask array with the size of the number of subbuffers. Then\nclear it. When walking through the subbuf array checking to see if the\nentries are within the range, test if its bit is already set in the\nsubbuf_mask. If it is, then there are duplicates and fail the validation.\nIf not, set the corresponding bit and continue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not allow mmap() of persistent ring buffer\n\nWhen trying to mmap a trace instance buffer that is attached to\nreserve_mem, it would crash:\n\n BUG: unable to handle page fault for address: ffffe97bd00025c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 2862f3067 P4D 2862f3067 PUD 0\n Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI\n CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:validate_page_before_insert+0x5/0xb0\n Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89\n RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246\n RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29\n RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08\n RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004\n R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000\n R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000\n FS:  00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __die_body.cold+0x19/0x1f\n  ? __die+0x2e/0x40\n  ? page_fault_oops+0x157/0x2b0\n  ? search_module_extables+0x53/0x80\n  ? validate_page_before_insert+0x5/0xb0\n  ? kernelmode_fixup_or_oops.isra.0+0x5f/0x70\n  ? __bad_area_nosemaphore+0x16e/0x1b0\n  ? bad_area_nosemaphore+0x16/0x20\n  ? do_kern_addr_fault+0x77/0x90\n  ? exc_page_fault+0x22b/0x230\n  ? asm_exc_page_fault+0x2b/0x30\n  ? validate_page_before_insert+0x5/0xb0\n  ? vm_insert_pages+0x151/0x400\n  __rb_map_vma+0x21f/0x3f0\n  ring_buffer_map+0x21b/0x2f0\n  tracing_buffers_mmap+0x70/0xd0\n  __mmap_region+0x6f0/0xbd0\n  mmap_region+0x7f/0x130\n  do_mmap+0x475/0x610\n  vm_mmap_pgoff+0xf2/0x1d0\n  ksys_mmap_pgoff+0x166/0x200\n  __x64_sys_mmap+0x37/0x50\n  x64_sys_call+0x1670/0x1d70\n  do_syscall_64+0xbb/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe reason was that the code that maps the ring buffer pages to user space\nhas:\n\n\tpage = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);\n\nAnd uses that in:\n\n\tvm_insert_pages(vma, vma->vm_start, pages, &nr_pages);\n\nBut virt_to_page() does not work with vmap()'d memory which is what the\npersistent ring buffer has. It is rather trivial to allow this, but for\nnow just disable mmap() of instances that have their ring buffer from the\nreserve_mem option.\n\nIf an mmap() is performed on a persistent buffer it will return -ENODEV\njust like it would if the .mmap field wasn't defined in the\nfile_operations structure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel\n\nAdvertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and\nonly if the local API is emulated/virtualized by KVM, and explicitly reject\nsaid hypercalls if the local APIC is emulated in userspace, i.e. don't rely\non userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.\n\nRejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if\nHyper-V enlightenments are exposed to the guest without an in-kernel local\nAPIC:\n\n  dump_stack+0xbe/0xfd\n  __kasan_report.cold+0x34/0x84\n  kasan_report+0x3a/0x50\n  __apic_accept_irq+0x3a/0x5c0\n  kvm_hv_send_ipi.isra.0+0x34e/0x820\n  kvm_hv_hypercall+0x8d9/0x9d0\n  kvm_emulate_hypercall+0x506/0x7e0\n  __vmx_handle_exit+0x283/0xb60\n  vmx_handle_exit+0x1d/0xd0\n  vcpu_enter_guest+0x16b0/0x24c0\n  vcpu_run+0xc0/0x550\n  kvm_arch_vcpu_ioctl_run+0x170/0x6d0\n  kvm_vcpu_ioctl+0x413/0xb20\n  __se_sys_ioctl+0x111/0x160\n  do_syscal1_64+0x30/0x40\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nNote, checking the sending vCPU is sufficient, as the per-VM irqchip_mode\ncan't be modified after vCPUs are created, i.e. if one vCPU has an\nin-kernel local APIC, then all vCPUs have an in-kernel local APIC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIf a malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn't a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh->bat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix an oob in orangefs_debug_write\n\nI got a syzbot report: slab-out-of-bounds Read in\norangefs_debug_write... several people suggested fixes,\nI tested Al Viro's suggestion and made this patch.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: Fix crash on error in gpiochip_get_ngpios()\n\nThe gpiochip_get_ngpios() uses chip_*() macros to print messages.\nHowever these macros rely on gpiodev to be initialised and set,\nwhich is not the case when called via bgpio_init(). In such a case\nthe printing messages will crash on NULL pointer dereference.\nReplace chip_*() macros by the respective dev_*() ones to avoid\nsuch crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()\n\nIn function psp_init_cap_microcode(), it should bail out when failed to\nload firmware, otherwise it may cause invalid memory access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array\n\nThe loop that detects/populates cache information already has a bounds\ncheck on the array size but does not account for cache levels with\nseparate data/instructions cache. Fix this by incrementing the index\nfor any populated leaf (instead of any populated level).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Put the pwq after detaching the rescuer from the pool\n\nThe commit 68f83057b913(\"workqueue: Reap workers via kthread_stop() and\nremove detach_completion\") adds code to reap the normal workers but\nmistakenly does not handle the rescuer and also removes the code waiting\nfor the rescuer in put_unbound_pool(), which caused a use-after-free bug\nreported by Cheung Wall.\n\nTo avoid the use-after-free bug, the pool\u2019s reference must be held until\nthe detachment is complete. Therefore, move the code that puts the pwq\nafter detaching the rescuer from the pool.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: better TEAM_OPTION_TYPE_STRING validation\n\nsyzbot reported following splat [1]\n\nMake sure user-provided data contains one nul byte.\n\n[1]\n BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]\n BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714\n  string_nocheck lib/vsprintf.c:633 [inline]\n  string+0x3ec/0x5f0 lib/vsprintf.c:714\n  vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843\n  __request_module+0x252/0x9f0 kernel/module/kmod.c:149\n  team_mode_get drivers/net/team/team_core.c:480 [inline]\n  team_change_mode drivers/net/team/team_core.c:607 [inline]\n  team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401\n  team_option_set drivers/net/team/team_core.c:375 [inline]\n  team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662\n  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n  genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543\n  genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219\n  netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n  netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348\n  netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892\n  sock_sendmsg_nosec net/socket.c:718 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:733\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2573\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627\n  __sys_sendmsg net/socket.c:2659 [inline]\n  __do_sys_sendmsg net/socket.c:2664 [inline]\n  __se_sys_sendmsg net/socket.c:2662 [inline]\n  __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662\n  x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: fix memleak in certain XDP cases\n\nIf the XDP program doesn't result in XDP_PASS then we leak the\nmemory allocated by am65_cpsw_build_skb().\n\nIt is pointless to allocate SKB memory before running the XDP\nprogram as we would be wasting CPU cycles for cases other than XDP_PASS.\nMove the SKB allocation after evaluating the XDP program result.\n\nThis fixes the memleak. A performance boost is seen for XDP_DROP test.\n\nXDP_DROP test:\nBefore: 460256 rx/s                  0 err/s\nAfter:  784130 rx/s                  0 err/s",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: csum: Fix OoB access in IP checksum code for negative lengths\n\nCommit 69e3a6aa6be2 (\"LoongArch: Add checksum optimization for 64-bit\nsystem\") would cause an undefined shift and an out-of-bounds read.\n\nCommit 8bd795fedb84 (\"arm64: csum: Fix OoB access in IP checksum code\nfor negative lengths\") fixes the same issue on ARM64.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: check vxlan_vnigroup_init() return value\n\nvxlan_init() must check vxlan_vnigroup_init() success\notherwise a crash happens later, spotted by syzbot.\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167]\nCPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912\nCode: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00\nRSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb\nRDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18\nRBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000\nR13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000\nFS:  00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942\n  unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824\n  unregister_netdevice_many net/core/dev.c:11866 [inline]\n  unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736\n  register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901\n  __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981\n  vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407\n  rtnl_newlink_create net/core/rtnetlink.c:3795 [inline]\n  __rtnl_newlink net/core/rtnetlink.c:3906 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n  ip_send_skb()\n   ip_local_out()\n    __ip_local_out()\n     l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt\n\nIf an AX25 device is bound to a socket by setting the SO_BINDTODEVICE\nsocket option, a refcount leak will occur in ax25_release().\n\nCommit 9fd75b66b8f6 (\"ax25: Fix refcount leaks caused by ax25_cb_del()\")\nadded decrement of device refcounts in ax25_release(). In order for that\nto work correctly the refcounts must already be incremented when the\ndevice is bound to the socket. An AX25 device can be bound to a socket\nby either calling ax25_bind() or setting SO_BINDTODEVICE socket option.\nIn both cases the refcounts should be incremented, but in fact it is done\nonly in ax25_bind().\n\nThis bug leads to the following issue reported by Syzkaller:\n\n================================================================\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31\nModules linked in:\nCPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31\nCall Trace:\n <TASK>\n __refcount_dec include/linux/refcount.h:336 [inline]\n refcount_dec include/linux/refcount.h:351 [inline]\n ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236\n netdev_tracker_free include/linux/netdevice.h:4156 [inline]\n netdev_put include/linux/netdevice.h:4173 [inline]\n netdev_put include/linux/netdevice.h:4169 [inline]\n ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069\n __sock_release+0xb0/0x270 net/socket.c:640\n sock_close+0x1c/0x30 net/socket.c:1408\n ...\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n ...\n </TASK>\n================================================================\n\nFix the implementation of ax25_setsockopt() by adding increment of\nrefcounts for the new device bound, and decrement of refcounts for\nthe old unbound device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sn-f-ospi: Fix division by zero\n\nWhen there is no dummy cycle in the spi-nor commands, both dummy bus cycle\nbytes and width are zero. Because of the cpu's warning when divided by\nzero, the warning should be avoided. Return just zero to avoid such\ncalculations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()\n\nSyzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from\nhid-thrustmaster driver. This array is passed to usb_check_int_endpoints\nfunction from usb.c core driver, which executes a for loop that iterates\nover the elements of the passed array. Not finding a null element at the end of\nthe array, it tries to read the next, non-existent element, crashing the kernel.\n\nTo fix this, a 0 element was added at the end of the array to break the for\nloop.\n\n[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.4"
        },
        {
          "id": "CVE-2025-21795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix hang in nfsd4_shutdown_callback\n\nIf nfs4_client is in courtesy state then there is no point to send\nthe callback. This causes nfsd4_shutdown_callback to hang since\ncl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP\nnotifies NFSD that the connection was dropped.\n\nThis patch modifies nfsd4_run_cb_work to skip the RPC call if\nnfs4_client is in courtesy state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS:  0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: corsair-void: Add missing delayed work cancel for headset status\n\nThe cancel_delayed_work_sync() call was missed, causing a use-after-free\nin corsair_void_remove().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: test: Fix potential null dereference in firewire kunit test\n\nkunit_kzalloc() may return a NULL pointer, dereferencing it without\nNULL check may lead to NULL dereference.\nAdd a NULL check for test_state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()\n\nWhen getting the IRQ we use k3_udma_glue_tx_get_irq() which returns\nnegative error value on error. So a not-NULL check is not sufficient\nto determine if IRQ is valid. Check that IRQ is greater than zero\nto ensure it is valid.\n\nThere is no issue at probe time but at runtime user can invoke\n.set_channels which results in the following call chain.\nam65_cpsw_set_channels()\n am65_cpsw_nuss_update_tx_rx_chns()\n  am65_cpsw_nuss_remove_tx_chns()\n  am65_cpsw_nuss_init_tx_chns()\n\nAt this point if am65_cpsw_nuss_init_tx_chns() fails due to\nk3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a\nnegative value.\n\nThen, at subsequent .set_channels with higher channel count we\nwill attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()\nleading to a kernel warning.\n\nThe issue is present in the original commit that introduced this driver,\nalthough there, am65_cpsw_nuss_update_tx_rx_chns() existed as\nam65_cpsw_nuss_update_tx_chns().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, fix definer's HWS_SET32 macro for negative offset\n\nWhen bit offset for HWS_SET32 macro is negative,\nUBSAN complains about the shift-out-of-bounds:\n\n  UBSAN: shift-out-of-bounds in\n  drivers/net/ethernet/mellanox/mlx5/core/steering/hws/definer.c:177:2\n  shift exponent -8 is negative",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ravb: Fix missing rtnl lock in suspend/resume path\n\nFix the suspend/resume path by ensuring the rtnl lock is held where\nrequired. Calls to ravb_open, ravb_close and wol operations must be\nperformed under the rtnl lock to prevent conflicts with ongoing ndo\noperations.\n\nWithout this fix, the following warning is triggered:\n[   39.032969] =============================\n[   39.032983] WARNING: suspicious RCU usage\n[   39.033019] -----------------------------\n[   39.033033] drivers/net/phy/phy_device.c:2004 suspicious\nrcu_dereference_protected() usage!\n...\n[   39.033597] stack backtrace:\n[   39.033613] CPU: 0 UID: 0 PID: 174 Comm: python3 Not tainted\n6.13.0-rc7-next-20250116-arm64-renesas-00002-g35245dfdc62c #7\n[   39.033623] Hardware name: Renesas SMARC EVK version 2 based on\nr9a08g045s33 (DT)\n[   39.033628] Call trace:\n[   39.033633]  show_stack+0x14/0x1c (C)\n[   39.033652]  dump_stack_lvl+0xb4/0xc4\n[   39.033664]  dump_stack+0x14/0x1c\n[   39.033671]  lockdep_rcu_suspicious+0x16c/0x22c\n[   39.033682]  phy_detach+0x160/0x190\n[   39.033694]  phy_disconnect+0x40/0x54\n[   39.033703]  ravb_close+0x6c/0x1cc\n[   39.033714]  ravb_suspend+0x48/0x120\n[   39.033721]  dpm_run_callback+0x4c/0x14c\n[   39.033731]  device_suspend+0x11c/0x4dc\n[   39.033740]  dpm_suspend+0xdc/0x214\n[   39.033748]  dpm_suspend_start+0x48/0x60\n[   39.033758]  suspend_devices_and_enter+0x124/0x574\n[   39.033769]  pm_suspend+0x1ac/0x274\n[   39.033778]  state_store+0x88/0x124\n[   39.033788]  kobj_attr_store+0x14/0x24\n[   39.033798]  sysfs_kf_write+0x48/0x6c\n[   39.033808]  kernfs_fop_write_iter+0x118/0x1a8\n[   39.033817]  vfs_write+0x27c/0x378\n[   39.033825]  ksys_write+0x64/0xf4\n[   39.033833]  __arm64_sys_write+0x18/0x20\n[   39.033841]  invoke_syscall+0x44/0x104\n[   39.033852]  el0_svc_common.constprop.0+0xb4/0xd4\n[   39.033862]  do_el0_svc+0x18/0x20\n[   39.033870]  el0_svc+0x3c/0xf0\n[   39.033880]  el0t_64_sync_handler+0xc0/0xc4\n[   39.033888]  el0t_64_sync+0x154/0x158\n[   39.041274] ravb 11c30000.ethernet eth0: Link is Down",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix oops when unload drivers paralleling\n\nWhen unload hclge driver, it tries to disable sriov first for each\nae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at\nthe time, because it removes all the ae_dev nodes, and it may cause\noops.\n\nBut we can't simply use hnae3_common_lock for this. Because in the\nprocess flow of pci_disable_sriov(), it will trigger the remove flow\nof VF, which will also take hnae3_common_lock.\n\nTo fixes it, introduce a new mutex to protect the unload process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix warnings during S3 suspend\n\nThe enable_gpe_wakeup() function calls acpi_enable_all_wakeup_gpes(),\nand the later one may call the preempt_schedule_common() function,\nresulting in a thread switch and causing the CPU to be in an interrupt\nenabled state after the enable_gpe_wakeup() function returns, leading\nto the warnings as follow.\n\n[ C0] WARNING: ... at kernel/time/timekeeping.c:845 ktime_get+0xbc/0xc8\n[ C0]          ...\n[ C0] Call Trace:\n[ C0] [<90000000002243b4>] show_stack+0x64/0x188\n[ C0] [<900000000164673c>] dump_stack_lvl+0x60/0x88\n[ C0] [<90000000002687e4>] __warn+0x8c/0x148\n[ C0] [<90000000015e9978>] report_bug+0x1c0/0x2b0\n[ C0] [<90000000016478e4>] do_bp+0x204/0x3b8\n[ C0] [<90000000025b1924>] exception_handlers+0x1924/0x10000\n[ C0] [<9000000000343bbc>] ktime_get+0xbc/0xc8\n[ C0] [<9000000000354c08>] tick_sched_timer+0x30/0xb0\n[ C0] [<90000000003408e0>] __hrtimer_run_queues+0x160/0x378\n[ C0] [<9000000000341f14>] hrtimer_interrupt+0x144/0x388\n[ C0] [<9000000000228348>] constant_timer_interrupt+0x38/0x48\n[ C0] [<90000000002feba4>] __handle_irq_event_percpu+0x64/0x1e8\n[ C0] [<90000000002fed48>] handle_irq_event_percpu+0x20/0x80\n[ C0] [<9000000000306b9c>] handle_percpu_irq+0x5c/0x98\n[ C0] [<90000000002fd4a0>] generic_handle_domain_irq+0x30/0x48\n[ C0] [<9000000000d0c7b0>] handle_cpu_irq+0x70/0xa8\n[ C0] [<9000000001646b30>] handle_loongarch_irq+0x30/0x48\n[ C0] [<9000000001646bc8>] do_vint+0x80/0xe0\n[ C0] [<90000000002aea1c>] finish_task_switch.isra.0+0x8c/0x2a8\n[ C0] [<900000000164e34c>] __schedule+0x314/0xa48\n[ C0] [<900000000164ead8>] schedule+0x58/0xf0\n[ C0] [<9000000000294a2c>] worker_thread+0x224/0x498\n[ C0] [<900000000029d2f0>] kthread+0xf8/0x108\n[ C0] [<9000000000221f28>] ret_from_kernel_thread+0xc/0xa4\n[ C0]\n[ C0] ---[ end trace 0000000000000000 ]---\n\nThe root cause is acpi_enable_all_wakeup_gpes() uses a mutex to protect\nacpi_hw_enable_all_wakeup_gpes(), and acpi_ut_acquire_mutex() may cause\na thread switch. Since there is no longer concurrent execution during\nloongarch_acpi_suspend(), we can call acpi_hw_enable_all_wakeup_gpes()\ndirectly in enable_gpe_wakeup().\n\nThe solution is similar to commit 22db06337f590d01 (\"ACPI: sleep: Avoid\nbreaking S3 wakeup due to might_sleep()\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()\n\nThe rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()\nmacro to request a needed resource. A string variable that lives on the\nstack is then used to store a dynamically computed resource name, which\nis then passed on as one of the macro arguments. This can lead to\nundefined behavior.\n\nDepending on the current contents of the memory, the manifestations of\nerrors may vary. One possible output may be as follows:\n\n  $ cat /proc/iomem\n  30000000-37ffffff :\n  38000000-3fffffff :\n\nSometimes, garbage may appear after the colon.\n\nIn very rare cases, if no NULL-terminator is found in memory, the system\nmight crash because the string iterator will overrun which can lead to\naccess of unmapped memory above the stack.\n\nThus, fix this by replacing outbound_name with the name of the previously\nrequested resource. With the changes applied, the output will be as\nfollows:\n\n  $ cat /proc/iomem\n  30000000-37ffffff : memory2\n  38000000-3fffffff : memory3\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs: Add missing deinit() call\n\nA warning is triggered when repeatedly connecting and disconnecting the\nrnbd:\n list_add corruption. prev->next should be next (ffff88800b13e480), but was ffff88801ecd1338. (prev=ffff88801ecd1340).\n WARNING: CPU: 1 PID: 36562 at lib/list_debug.c:32 __list_add_valid_or_report+0x7f/0xa0\n Workqueue: ib_cm cm_work_handler [ib_cm]\n RIP: 0010:__list_add_valid_or_report+0x7f/0xa0\n  ? __list_add_valid_or_report+0x7f/0xa0\n  ib_register_event_handler+0x65/0x93 [ib_core]\n  rtrs_srv_ib_dev_init+0x29/0x30 [rtrs_server]\n  rtrs_ib_dev_find_or_add+0x124/0x1d0 [rtrs_core]\n  __alloc_path+0x46c/0x680 [rtrs_server]\n  ? rtrs_rdma_connect+0xa6/0x2d0 [rtrs_server]\n  ? rcu_is_watching+0xd/0x40\n  ? __mutex_lock+0x312/0xcf0\n  ? get_or_create_srv+0xad/0x310 [rtrs_server]\n  ? rtrs_rdma_connect+0xa6/0x2d0 [rtrs_server]\n  rtrs_rdma_connect+0x23c/0x2d0 [rtrs_server]\n  ? __lock_release+0x1b1/0x2d0\n  cma_cm_event_handler+0x4a/0x1a0 [rdma_cm]\n  cma_ib_req_handler+0x3a0/0x7e0 [rdma_cm]\n  cm_process_work+0x28/0x1a0 [ib_cm]\n  ? _raw_spin_unlock_irq+0x2f/0x50\n  cm_req_handler+0x618/0xa60 [ib_cm]\n  cm_work_handler+0x71/0x520 [ib_cm]\n\nCommit 667db86bcbe8 (\"RDMA/rtrs: Register ib event handler\") introduced a\nnew element .deinit but never used it at all. Fix it by invoking the\n`deinit()` to appropriately unregister the IB event handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: let net.core.dev_weight always be non-zero\n\nThe following problem was encountered during stability test:\n\n(NULL net_device): NAPI poll function process_backlog+0x0/0x530 \\\n\treturned 1, exceeding its budget of 0.\n------------[ cut here ]------------\nlist_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \\\n\tnext=ffff88905f746e40.\nWARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \\\n\t__list_add_valid_or_report+0xf3/0x130\nCPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+\nRIP: 0010:__list_add_valid_or_report+0xf3/0x130\nCall Trace:\n? __warn+0xcd/0x250\n? __list_add_valid_or_report+0xf3/0x130\nenqueue_to_backlog+0x923/0x1070\nnetif_rx_internal+0x92/0x2b0\n__netif_rx+0x15/0x170\nloopback_xmit+0x2ef/0x450\ndev_hard_start_xmit+0x103/0x490\n__dev_queue_xmit+0xeac/0x1950\nip_finish_output2+0x6cc/0x1620\nip_output+0x161/0x270\nip_push_pending_frames+0x155/0x1a0\nraw_sendmsg+0xe13/0x1550\n__sys_sendto+0x3bf/0x4e0\n__x64_sys_sendto+0xdc/0x1b0\ndo_syscall_64+0x5b/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reproduction command is as follows:\n  sysctl -w net.core.dev_weight=0\n  ping 127.0.0.1\n\nThis is because when the napi's weight is set to 0, process_backlog() may\nreturn 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this\nnapi to be re-polled in net_rx_action() until __do_softirq() times out.\nSince the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can\nbe retriggered in enqueue_to_backlog(), causing this issue.\n\nMaking the napi's weight always non-zero solves this problem.\n\nTriggering this issue requires system-wide admin (setting is\nnot namespaced).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix queue freeze vs limits lock order in sysfs store methods\n\nqueue_attr_store() always freezes a device queue before calling the\nattribute store operation. For attributes that control queue limits, the\nstore operation will also lock the queue limits with a call to\nqueue_limits_start_update(). However, some drivers (e.g. SCSI sd) may\nneed to issue commands to a device to obtain limit values from the\nhardware with the queue limits locked. This creates a potential ABBA\ndeadlock situation if a user attempts to modify a limit (thus freezing\nthe device queue) while the device driver starts a revalidation of the\ndevice queue limits.\n\nAvoid such deadlock by not freezing the queue before calling the\n->store_limit() method in struct queue_sysfs_entry and instead use the\nqueue_limits_commit_update_frozen helper to freeze the queue after taking\nthe limits lock.\n\nThis also removes taking the sysfs lock for the store_limit method as\nit doesn't protect anything here, but creates even more nesting.\nHopefully it will go away from the actual sysfs methods entirely soon.\n\n(commit log adapted from a similar patch from  Damien Le Moal)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xdp: Disallow attaching device-bound programs in generic mode\n\nDevice-bound programs are used to support RX metadata kfuncs. These\nkfuncs are driver-specific and rely on the driver context to read the\nmetadata. This means they can't work in generic XDP mode. However, there\nis no check to disallow such programs from being attached in generic\nmode, in which case the metadata kfuncs will be called in an invalid\ncontext, leading to crashes.\n\nFix this by adding a check to disallow attaching device-bound programs\nin generic mode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc, afs: Fix peer hash locking vs RCU callback\n\nIn its address list, afs now retains pointers to and refs on one or more\nrxrpc_peer objects.  The address list is freed under RCU and at this time,\nit puts the refs on those peers.\n\nNow, when an rxrpc_peer object runs out of refs, it gets removed from the\npeer hash table and, for that, rxrpc has to take a spinlock.  However, it\nis now being called from afs's RCU cleanup, which takes place in BH\ncontext - but it is just taking an ordinary spinlock.\n\nThe put may also be called from non-BH context, and so there exists the\npossibility of deadlock if the BH-based RCU cleanup happens whilst the hash\nspinlock is held.  This led to the attached lockdep complaint.\n\nFix this by changing spinlocks of rxnet->peer_hash_lock back to\nBH-disabling locks.\n\n    ================================\n    WARNING: inconsistent lock state\n    6.13.0-rc5-build2+ #1223 Tainted: G            E\n    --------------------------------\n    inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.\n    swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:\n    ffff88810babe228 (&rxnet->peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180\n    {SOFTIRQ-ON-W} state was registered at:\n      mark_usage+0x164/0x180\n      __lock_acquire+0x544/0x990\n      lock_acquire.part.0+0x103/0x280\n      _raw_spin_lock+0x2f/0x40\n      rxrpc_peer_keepalive_worker+0x144/0x440\n      process_one_work+0x486/0x7c0\n      process_scheduled_works+0x73/0x90\n      worker_thread+0x1c8/0x2a0\n      kthread+0x19b/0x1b0\n      ret_from_fork+0x24/0x40\n      ret_from_fork_asm+0x1a/0x30\n    irq event stamp: 972402\n    hardirqs last  enabled at (972402): [<ffffffff8244360e>] _raw_spin_unlock_irqrestore+0x2e/0x50\n    hardirqs last disabled at (972401): [<ffffffff82443328>] _raw_spin_lock_irqsave+0x18/0x60\n    softirqs last  enabled at (972300): [<ffffffff810ffbbe>] handle_softirqs+0x3ee/0x430\n    softirqs last disabled at (972313): [<ffffffff810ffc54>] __irq_exit_rcu+0x44/0x110\n\n    other info that might help us debug this:\n     Possible unsafe locking scenario:\n           CPU0\n           ----\n      lock(&rxnet->peer_hash_lock);\n      <Interrupt>\n        lock(&rxnet->peer_hash_lock);\n\n     *** DEADLOCK ***\n    1 lock held by swapper/1/0:\n     #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30\n\n    stack backtrace:\n    CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G            E      6.13.0-rc5-build2+ #1223\n    Tainted: [E]=UNSIGNED_MODULE\n    Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\n    Call Trace:\n     <IRQ>\n     dump_stack_lvl+0x57/0x80\n     print_usage_bug.part.0+0x227/0x240\n     valid_state+0x53/0x70\n     mark_lock_irq+0xa5/0x2f0\n     mark_lock+0xf7/0x170\n     mark_usage+0xe1/0x180\n     __lock_acquire+0x544/0x990\n     lock_acquire.part.0+0x103/0x280\n     _raw_spin_lock+0x2f/0x40\n     rxrpc_put_peer+0xcb/0x180\n     afs_free_addrlist+0x46/0x90 [kafs]\n     rcu_do_batch+0x2d2/0x640\n     rcu_core+0x2f7/0x350\n     handle_softirqs+0x1ee/0x430\n     __irq_exit_rcu+0x44/0x110\n     irq_exit_rcu+0xa/0x30\n     sysvec_apic_timer_interrupt+0x7f/0xa0\n     </IRQ>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: class: Fix wild pointer dereferences in API class_dev_iter_next()\n\nThere are a potential wild pointer dereferences issue regarding APIs\nclass_dev_iter_(init|next|exit)(), as explained by below typical usage:\n\n// All members of @iter are wild pointers.\nstruct class_dev_iter iter;\n\n// class_dev_iter_init(@iter, @class, ...) checks parameter @class for\n// potential class_to_subsys() error, and it returns void type and does\n// not initialize its output parameter @iter, so caller can not detect\n// the error and continues to invoke class_dev_iter_next(@iter) even if\n// @iter still contains wild pointers.\nclass_dev_iter_init(&iter, ...);\n\n// Dereference these wild pointers in @iter here once suffer the error.\nwhile (dev = class_dev_iter_next(&iter)) { ... };\n\n// Also dereference these wild pointers here.\nclass_dev_iter_exit(&iter);\n\nActually, all callers of these APIs have such usage pattern in kernel tree.\nFix by:\n- Initialize output parameter @iter by memset() in class_dev_iter_init()\n  and give callers prompt by pr_crit() for the error.\n- Check if @iter is valid in class_dev_iter_next().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: protect access to buffers with no active references\n\nnilfs_lookup_dirty_data_buffers(), which iterates through the buffers\nattached to dirty data folios/pages, accesses the attached buffers without\nlocking the folios/pages.\n\nFor data cache, nilfs_clear_folio_dirty() may be called asynchronously\nwhen the file system degenerates to read only, so\nnilfs_lookup_dirty_data_buffers() still has the potential to cause use\nafter free issues when buffers lose the protection of their dirty state\nmidway due to this asynchronous clearing and are unintentionally freed by\ntry_to_free_buffers().\n\nEliminate this race issue by adjusting the lock section in this function.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: rcu protect dev->ax25_ptr\n\nsyzbot found a lockdep issue [1].\n\nWe should remove ax25 RTNL dependency in ax25_setsockopt()\n\nThis should also fix a variety of possible UAF in ax25.\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted\n------------------------------------------------------\nsyz.5.1818/12806 is trying to acquire lock:\n ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680\n\nbut task is already holding lock:\n ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]\n ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (sk_lock-AF_AX25){+.+.}-{0:0}:\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n        lock_sock_nested+0x48/0x100 net/core/sock.c:3642\n        lock_sock include/net/sock.h:1618 [inline]\n        ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]\n        ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146\n        notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85\n       __dev_notify_flags+0x207/0x400\n        dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026\n        dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563\n        dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820\n        sock_do_ioctl+0x240/0x460 net/socket.c:1234\n        sock_ioctl+0x626/0x8e0 net/socket.c:1339\n        vfs_ioctl fs/ioctl.c:51 [inline]\n        __do_sys_ioctl fs/ioctl.c:906 [inline]\n        __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (rtnl_mutex){+.+.}-{4:4}:\n        check_prev_add kernel/locking/lockdep.c:3161 [inline]\n        check_prevs_add kernel/locking/lockdep.c:3280 [inline]\n        validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904\n        __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n        __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n        __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735\n        ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680\n        do_sock_setsockopt+0x3af/0x720 net/socket.c:2324\n        __sys_setsockopt net/socket.c:2349 [inline]\n        __do_sys_setsockopt net/socket.c:2355 [inline]\n        __se_sys_setsockopt net/socket.c:2352 [inline]\n        __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(sk_lock-AF_AX25);\n                               lock(rtnl_mutex);\n                               lock(sk_lock-AF_AX25);\n  lock(rtnl_mutex);\n\n *** DEADLOCK ***\n\n1 lock held by syz.5.1818/12806:\n  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]\n  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074\n  check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206\n  check_prev_add kernel/locking/lockdep.c:3161 [inline]\n  check_prevs_add kernel/lockin\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers/migration: Fix off-by-one root mis-connection\n\nBefore attaching a new root to the old root, the children counter of the\nnew root is checked to verify that only the upcoming CPU's top group have\nbeen connected to it. However since the recently added commit b729cc1ec21a\n(\"timers/migration: Fix another race between hotplug and idle entry/exit\")\nthis check is not valid anymore because the old root is pre-accounted\nas a child to the new root. Therefore after connecting the upcoming\nCPU's top group to the new root, the children count to be expected must\nbe 2 and not 1 anymore.\n\nThis omission results in the old root to not be connected to the new\nroot. Then eventually the system may run with more than one top level,\nwhich defeats the purpose of a single idle migrator.\n\nAlso the old root is pre-accounted but not connected upon the new root\ncreation. But it can be connected to the new root later on. Therefore\nthe old root may be accounted twice to the new root. The propagation of\nsuch overcommit can end up creating a double final top-level root with a\ngroupmask incorrectly initialized. Although harmless given that the final\ntop level roots will never have a parent to walk up to, this oddity\nopportunistically reported the core issue:\n\n  WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote\n  CPU: 8 UID: 0 PID: 0 Comm: swapper/8\n  RIP: 0010:tmigr_requires_handle_remote\n  Call Trace:\n   <IRQ>\n   ? tmigr_requires_handle_remote\n   ? hrtimer_run_queues\n   update_process_times\n   tick_periodic\n   tick_handle_periodic\n   __sysvec_apic_timer_interrupt\n   sysvec_apic_timer_interrupt\n  </IRQ>\n\nFix the problem by taking the old root into account in the children count\nof the new root so the connection is not omitted.\n\nAlso warn when more than one top level group exists to better detect\nsimilar issues in the future.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Ensure info->enable callback is always set\n\nThe ioctl and sysfs handlers unconditionally call the ->enable callback.\nNot all drivers implement that callback, leading to NULL dereferences.\nExample of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.\n\nInstead use a dummy callback if no better was specified by the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/compaction: fix UBSAN shift-out-of-bounds warning\n\nsyzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order)\nin isolate_freepages_block().  The bogus compound_order can be any value\nbecause it is union with flags.  Add back the MAX_PAGE_ORDER check to fix\nthe warning.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING\n\nhrtimers are migrated away from the dying CPU to any online target at\nthe CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers\nhandling tasks involved in the CPU hotplug forward progress.\n\nHowever wakeups can still be performed by the outgoing CPU after\nCPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being\narmed. Depending on several considerations (crystal ball power management\nbased election, earliest timer already enqueued, timer migration enabled or\nnot), the target may eventually be the current CPU even if offline. If that\nhappens, the timer is eventually ignored.\n\nThe most notable example is RCU which had to deal with each and every of\nthose wake-ups by deferring them to an online CPU, along with related\nworkarounds:\n\n_ e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying)\n_ 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU)\n_ f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq)\n\nThe problem isn't confined to RCU though as the stop machine kthread\n(which runs CPUHP_AP_HRTIMERS_DYING) reports its completion at the end\nof its work through cpu_stop_signal_done() and performs a wake up that\neventually arms the deadline server timer:\n\n   WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimer_start_range_ns+0x289/0x2d0\n   CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted\n   Stopper: multi_cpu_stop+0x0/0x120 <- stop_machine_cpuslocked+0x66/0xc0\n   RIP: 0010:hrtimer_start_range_ns+0x289/0x2d0\n   Call Trace:\n   <TASK>\n     start_dl_timer\n     enqueue_dl_entity\n     dl_server_start\n     enqueue_task_fair\n     enqueue_task\n     ttwu_do_activate\n     try_to_wake_up\n     complete\n     cpu_stopper_thread\n\nInstead of providing yet another bandaid to work around the situation, fix\nit in the hrtimers infrastructure instead: always migrate away a timer to\nan online target whenever it is enqueued from an offline CPU.\n\nThis will also allow to revert all the above RCU disgraceful hacks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: mark GFP_NOIO around sysfs ->store()\n\nsysfs ->store is called with queue freezed, meantime we have several\n->store() callbacks(update_nr_requests, wbt, scheduler) to allocate\nmemory with GFP_KERNEL which may run into direct reclaim code path,\nthen potential deadlock can be caused.\n\nFix the issue by marking NOIO around sysfs ->store()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.3"
        },
        {
          "id": "CVE-2025-21819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/display: Use HW lock mgr for PSR1\"\n\nThis reverts commit\na2b5a9956269 (\"drm/amd/display: Use HW lock mgr for PSR1\")\n\nBecause it may cause system hang while connect with two edp panel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: xilinx_uartps: split sysrq handling\n\nlockdep detects the following circular locking dependency:\n\nCPU 0                      CPU 1\n========================== ============================\ncdns_uart_isr()            printk()\n  uart_port_lock(port)       console_lock()\n\t\t\t     cdns_uart_console_write()\n                               if (!port->sysrq)\n                                 uart_port_lock(port)\n  uart_handle_break()\n    port->sysrq = ...\n  uart_handle_sysrq_char()\n    printk()\n      console_lock()\n\nThe fixed commit attempts to avoid this situation by only taking the\nport lock in cdns_uart_console_write if port->sysrq unset. However, if\n(as shown above) cdns_uart_console_write runs before port->sysrq is set,\nthen it will try to take the port lock anyway. This may result in a\ndeadlock.\n\nFix this by splitting sysrq handling into two parts. We use the prepare\nhelper under the port lock and defer handling until we release the lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omap: use threaded IRQ for LCD DMA\n\nWhen using touchscreen and framebuffer, Nokia 770 crashes easily with:\n\n    BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000\n    Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd\n    CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2\n    Hardware name: Nokia 770\n    Call trace:\n     unwind_backtrace from show_stack+0x10/0x14\n     show_stack from dump_stack_lvl+0x54/0x5c\n     dump_stack_lvl from __schedule_bug+0x50/0x70\n     __schedule_bug from __schedule+0x4d4/0x5bc\n     __schedule from schedule+0x34/0xa0\n     schedule from schedule_preempt_disabled+0xc/0x10\n     schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4\n     __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4\n     clk_prepare_lock from clk_set_rate+0x18/0x154\n     clk_set_rate from sossi_read_data+0x4c/0x168\n     sossi_read_data from hwa742_read_reg+0x5c/0x8c\n     hwa742_read_reg from send_frame_handler+0xfc/0x300\n     send_frame_handler from process_pending_requests+0x74/0xd0\n     process_pending_requests from lcd_dma_irq_handler+0x50/0x74\n     lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130\n     __handle_irq_event_percpu from handle_irq_event+0x28/0x68\n     handle_irq_event from handle_level_irq+0x9c/0x170\n     handle_level_irq from generic_handle_domain_irq+0x2c/0x3c\n     generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c\n     omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c\n     generic_handle_arch_irq from call_with_stack+0x1c/0x24\n     call_with_stack from __irq_svc+0x94/0xa8\n    Exception stack(0xc5255da0 to 0xc5255de8)\n    5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248\n    5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94\n    5de0: 60000013 ffffffff\n     __irq_svc from clk_prepare_lock+0x4c/0xe4\n     clk_prepare_lock from clk_get_rate+0x10/0x74\n     clk_get_rate from uwire_setup_transfer+0x40/0x180\n     uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c\n     spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664\n     spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498\n     __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8\n     __spi_sync from spi_sync+0x24/0x40\n     spi_sync from ads7846_halfd_read_state+0x5c/0x1c0\n     ads7846_halfd_read_state from ads7846_irq+0x58/0x348\n     ads7846_irq from irq_thread_fn+0x1c/0x78\n     irq_thread_fn from irq_thread+0x120/0x228\n     irq_thread from kthread+0xc8/0xe8\n     kthread from ret_from_fork+0x14/0x28\n\nAs a quick fix, switch to a threaded IRQ which provides a stable system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: vmclock: Set driver data before its usage\n\nIf vmclock_ptp_register() fails during probing, vmclock_remove() is\ncalled to clean up the ptp clock and misc device.\nIt uses dev_get_drvdata() to access the vmclock state.\nHowever the driver data is not yet set at this point.\n\nAssign the driver data earlier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Drop unmanaged ELP metric worker\n\nThe ELP worker needs to calculate new metric values for all neighbors\n\"reachable\" over an interface. Some of the used metric sources require\nlocks which might need to sleep. This sleep is incompatible with the RCU\nlist iterator used for the recorded neighbors. The initial approach to work\naround of this problem was to queue another work item per neighbor and then\nrun this in a new context.\n\nEven when this solved the RCU vs might_sleep() conflict, it has a major\nproblems: Nothing was stopping the work item in case it is not needed\nanymore - for example because one of the related interfaces was removed or\nthe batman-adv module was unloaded - resulting in potential invalid memory\naccesses.\n\nDirectly canceling the metric worker also has various problems:\n\n* cancel_work_sync for a to-be-deactivated interface is called with\n  rtnl_lock held. But the code in the ELP metric worker also tries to use\n  rtnl_lock() - which will never return in this case. This also means that\n  cancel_work_sync would never return because it is waiting for the worker\n  to finish.\n* iterating over the neighbor list for the to-be-deactivated interface is\n  currently done using the RCU specific methods. Which means that it is\n  possible to miss items when iterating over it without the associated\n  spinlock - a behaviour which is acceptable for a periodic metric check\n  but not for a cleanup routine (which must \"stop\" all still running\n  workers)\n\nThe better approch is to get rid of the per interface neighbor metric\nworker and handle everything in the interface worker. The original problems\nare solved by:\n\n* creating a list of neighbors which require new metric information inside\n  the RCU protected context, gathering the metric according to the new list\n  outside the RCU protected context\n* only use rcu_trylock inside metric gathering code to avoid a deadlock\n  when the cancel_delayed_work_sync is called in the interface removal code\n  (which is called with the rtnl_lock held)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix a use of uninitialized mutex\n\ncommit c8347f915e67 (\"gpu: host1x: Fix boot regression for Tegra\")\ncaused a use of uninitialized mutex leading to below warning when\nCONFIG_DEBUG_MUTEXES and CONFIG_DEBUG_LOCK_ALLOC are enabled.\n\n[   41.662843] ------------[ cut here ]------------\n[   41.663012] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[   41.663035] WARNING: CPU: 4 PID: 794 at kernel/locking/mutex.c:587 __mutex_lock+0x670/0x878\n[   41.663458] Modules linked in: rtw88_8822c(+) bluetooth(+) rtw88_pci rtw88_core mac80211 aquantia libarc4 crc_itu_t cfg80211 tegra194_cpufreq dwmac_tegra(+) arm_dsu_pmu stmmac_platform stmmac pcs_xpcs rfkill at24 host1x(+) tegra_bpmp_thermal ramoops reed_solomon fuse loop nfnetlink xfs mmc_block rpmb_core ucsi_ccg ina3221 crct10dif_ce xhci_tegra ghash_ce lm90 sha2_ce sha256_arm64 sha1_ce sdhci_tegra pwm_fan sdhci_pltfm sdhci gpio_keys rtc_tegra cqhci mmc_core phy_tegra_xusb i2c_tegra tegra186_gpc_dma i2c_tegra_bpmp spi_tegra114 dm_mirror dm_region_hash dm_log dm_mod\n[   41.665078] CPU: 4 UID: 0 PID: 794 Comm: (udev-worker) Not tainted 6.11.0-29.31_1538613708.el10.aarch64+debug #1\n[   41.665838] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS 36.3.0-gcid-35594366 02/26/2024\n[   41.672555] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   41.679636] pc : __mutex_lock+0x670/0x878\n[   41.683834] lr : __mutex_lock+0x670/0x878\n[   41.688035] sp : ffff800084b77090\n[   41.691446] x29: ffff800084b77160 x28: ffffdd4bebf7b000 x27: ffffdd4be96b1000\n[   41.698799] x26: 1fffe0002308361c x25: 1ffff0001096ee18 x24: 0000000000000000\n[   41.706149] x23: 0000000000000000 x22: 0000000000000002 x21: ffffdd4be6e3c7a0\n[   41.713500] x20: ffff800084b770f0 x19: ffff00011841b1e8 x18: 0000000000000000\n[   41.720675] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720\n[   41.728023] x14: 0000000000000000 x13: 0000000000000001 x12: ffff6001a96eaab3\n[   41.735375] x11: 1fffe001a96eaab2 x10: ffff6001a96eaab2 x9 : ffffdd4be4838bbc\n[   41.742723] x8 : 00009ffe5691554e x7 : ffff000d4b755593 x6 : 0000000000000001\n[   41.749985] x5 : ffff000d4b755590 x4 : 1fffe0001d88f001 x3 : dfff800000000000\n[   41.756988] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000ec478000\n[   41.764251] Call trace:\n[   41.766695]  __mutex_lock+0x670/0x878\n[   41.770373]  mutex_lock_nested+0x2c/0x40\n[   41.774134]  host1x_intr_start+0x54/0xf8 [host1x]\n[   41.778863]  host1x_runtime_resume+0x150/0x228 [host1x]\n[   41.783935]  pm_generic_runtime_resume+0x84/0xc8\n[   41.788485]  __rpm_callback+0xa0/0x478\n[   41.792422]  rpm_callback+0x15c/0x1a8\n[   41.795922]  rpm_resume+0x698/0xc08\n[   41.799597]  __pm_runtime_resume+0xa8/0x140\n[   41.803621]  host1x_probe+0x810/0xbc0 [host1x]\n[   41.807909]  platform_probe+0xcc/0x1a8\n[   41.811845]  really_probe+0x188/0x800\n[   41.815347]  __driver_probe_device+0x164/0x360\n[   41.819810]  driver_probe_device+0x64/0x1a8\n[   41.823834]  __driver_attach+0x180/0x490\n[   41.827773]  bus_for_each_dev+0x104/0x1a0\n[   41.831797]  driver_attach+0x44/0x68\n[   41.835296]  bus_add_driver+0x23c/0x4e8\n[   41.839235]  driver_register+0x15c/0x3a8\n[   41.843170]  __platform_register_drivers+0xa4/0x208\n[   41.848159]  tegra_host1x_init+0x4c/0xff8 [host1x]\n[   41.853147]  do_one_initcall+0xd4/0x380\n[   41.856997]  do_init_module+0x1dc/0x698\n[   41.860758]  load_module+0xc70/0x1300\n[   41.864435]  __do_sys_init_module+0x1a8/0x1d0\n[   41.868721]  __arm64_sys_init_module+0x74/0xb0\n[   41.873183]  invoke_syscall.constprop.0+0xdc/0x1e8\n[   41.877997]  do_el0_svc+0x154/0x1d0\n[   41.881671]  el0_svc+0x54/0x140\n[   41.884820]  el0t_64_sync_handler+0x120/0x130\n[   41.889285]  el0t_64_sync+0x1a4/0x1a8\n[   41.892960] irq event stamp: 69737\n[   41.896370] hardirqs last  enabled at (69737): [<ffffdd4be6d7768c>] _raw_spin_unlock_irqrestore+0x44/0xe8\n[   41.905739] hardirqs last disabled at (69736):\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Cancel the running bpf_timer through kworker for PREEMPT_RT\n\nDuring the update procedure, when overwrite element in a pre-allocated\nhtab, the freeing of old_element is protected by the bucket lock. The\nreason why the bucket lock is necessary is that the old_element has\nalready been stashed in htab->extra_elems after alloc_htab_elem()\nreturns. If freeing the old_element after the bucket lock is unlocked,\nthe stashed element may be reused by concurrent update procedure and the\nfreeing of old_element will run concurrently with the reuse of the\nold_element. However, the invocation of check_and_free_fields() may\nacquire a spin-lock which violates the lockdep rule because its caller\nhas already held a raw-spin-lock (bucket lock). The following warning\nwill be reported when such race happens:\n\n  BUG: scheduling while atomic: test_progs/676/0x00000003\n  3 locks held by test_progs/676:\n  #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830\n  #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500\n  #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0\n  Modules linked in: bpf_testmod(O)\n  Preemption disabled at:\n  [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500\n  CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11\n  Tainted: [W]=WARN, [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...\n  Call Trace:\n  <TASK>\n  dump_stack_lvl+0x57/0x70\n  dump_stack+0x10/0x20\n  __schedule_bug+0x120/0x170\n  __schedule+0x300c/0x4800\n  schedule_rtlock+0x37/0x60\n  rtlock_slowlock_locked+0x6d9/0x54c0\n  rt_spin_lock+0x168/0x230\n  hrtimer_cancel_wait_running+0xe9/0x1b0\n  hrtimer_cancel+0x24/0x30\n  bpf_timer_delete_work+0x1d/0x40\n  bpf_timer_cancel_and_free+0x5e/0x80\n  bpf_obj_free_fields+0x262/0x4a0\n  check_and_free_fields+0x1d0/0x280\n  htab_map_update_elem+0x7fc/0x1500\n  bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43\n  bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e\n  bpf_prog_test_run_syscall+0x322/0x830\n  __sys_bpf+0x135d/0x3ca0\n  __x64_sys_bpf+0x75/0xb0\n  x64_sys_call+0x1b5/0xa10\n  do_syscall_64+0x3b/0xc0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  ...\n  </TASK>\n\nIt seems feasible to break the reuse and refill of per-cpu extra_elems\ninto two independent parts: reuse the per-cpu extra_elems with bucket\nlock being held and refill the old_element as per-cpu extra_elems after\nthe bucket lock is unlocked. However, it will make the concurrent\noverwrite procedures on the same CPU return unexpected -E2BIG error when\nthe map is full.\n\nTherefore, the patch fixes the lock problem by breaking the cancelling\nof bpf_timer into two steps for PREEMPT_RT:\n1) use hrtimer_try_to_cancel() and check its return value\n2) if the timer is running, use hrtimer_cancel() through a kworker to\n   cancel it again\nConsidering that the current implementation of hrtimer_cancel() will try\nto acquire a being held softirq_expiry_lock when the current timer is\nrunning, these steps above are reasonable. However, it also has\ndownside. When the timer is running, the cancelling of the timer is\ndelayed when releasing the last map uref. The delay is also fixable\n(e.g., break the cancelling of bpf timer into two parts: one part in\nlocked scope, another one in unlocked scope), it can be revised later if\nnecessary.\n\nIt is a bit hard to decide the right fix tag. One reason is that the\nproblem depends on PREEMPT_RT which is enabled in v6.12. Considering the\nsoftirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced\nin v5.15, the bpf_timer commit is used in the fixes tag and an extra\ndepends-on tag is added to state the dependency on PREEMPT_RT.\n\nDepends-on: v6.12+ with PREEMPT_RT enabled",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject mismatching sum of field_len with set key length\n\nThe field length description provides the length of each separated key\nfield in the concatenation, each field gets rounded up to 32-bits to\ncalculate the pipapo rule width from pipapo_init(). The set key length\nprovides the total size of the key aligned to 32-bits.\n\nRegister-based arithmetics still allows for combining mismatching set\nkey length and field length description, eg. set key length 10 and field\ndescription [ 5, 4 ] leading to pipapo width of 12.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()\n\nThe documentation for usb_driver_claim_interface() says that \"the\ndevice lock\" is needed when the function is called from places other\nthan probe(). This appears to be the lock for the USB interface\ndevice. The Mediatek btusb code gets called via this path:\n\n  Workqueue: hci0 hci_power_on [bluetooth]\n  Call trace:\n   usb_driver_claim_interface\n   btusb_mtk_claim_iso_intf\n   btusb_mtk_setup\n   hci_dev_open_sync\n   hci_power_on\n   process_scheduled_works\n   worker_thread\n   kthread\n\nWith the above call trace the device lock hasn't been claimed. Claim\nit.\n\nWithout this fix, we'd sometimes see the error \"Failed to claim iso\ninterface\". Sometimes we'd even see worse errors, like a NULL pointer\ndereference (where `intf->dev.driver` was NULL) with a trace like:\n\n  Call trace:\n   usb_suspend_both\n   usb_runtime_suspend\n   __rpm_callback\n   rpm_suspend\n   pm_runtime_work\n   process_scheduled_works\n\nBoth errors appear to be fixed with the proper locking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't flush non-uploaded STAs\n\nIf STA state is pre-moved to AUTHORIZED (such as in IBSS\nscenarios) and insertion fails, the station is freed.\nIn this case, the driver never knew about the station,\nso trying to flush it is unexpected and may crash.\n\nCheck if the sta was uploaded to the driver before and\nfix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the warning \"__rxe_cleanup+0x12c/0x170 [rdma_rxe]\"\n\nThe Call Trace is as below:\n\"\n  <TASK>\n  ? show_regs.cold+0x1a/0x1f\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? __warn+0x84/0xd0\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? report_bug+0x105/0x180\n  ? handle_bug+0x46/0x80\n  ? exc_invalid_op+0x19/0x70\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? __rxe_cleanup+0x12c/0x170 [rdma_rxe]\n  ? __rxe_cleanup+0x124/0x170 [rdma_rxe]\n  rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe]\n  ib_destroy_qp_user+0x118/0x190 [ib_core]\n  rdma_destroy_qp.cold+0x43/0x5e [rdma_cm]\n  rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core]\n  rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server]\n  process_one_work+0x21d/0x3f0\n  worker_thread+0x4a/0x3c0\n  ? process_one_work+0x3f0/0x3f0\n  kthread+0xf0/0x120\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  </TASK>\n\"\nWhen too many rdma resources are allocated, rxe needs more time to\nhandle these rdma resources. Sometimes with the current timeout, rxe\ncan not release the rdma resources correctly.\n\nCompared with other rdma drivers, a bigger timeout is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Handle weird files\n\nA corrupted filesystem (e.g. bcachefs) might return weird files.\nInstead of throwing a warning and allowing access to such file, treat\nthem as regular files.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1\n\ncommit 9d26d3a8f1b0 (\"PCI: Put PCIe ports into D3 during suspend\") sets the\npolicy that all PCIe ports are allowed to use D3.  When the system is\nsuspended if the port is not power manageable by the platform and won't be\nused for wakeup via a PME this sets up the policy for these ports to go\ninto D3hot.\n\nThis policy generally makes sense from an OSPM perspective but it leads to\nproblems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a\nspecific old BIOS. This manifests as a system hang.\n\nOn the affected Device + BIOS combination, add a quirk for the root port of\nthe problematic controller to ensure that these root ports are not put into\nD3hot at suspend.\n\nThis patch is based on\n\n  https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com\n\nbut with the added condition both in the documentation and in the code to\napply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only\nthe affected root ports.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't revert iter for -EIOCBQUEUED\n\nblkdev_read_iter() has a few odd checks, like gating the position and\ncount adjustment on whether or not the result is bigger-than-or-equal to\nzero (where bigger than makes more sense), and not checking the return\nvalue of blkdev_direct_IO() before doing an iov_iter_revert(). The\nlatter can lead to attempting to revert with a negative value, which\nwhen passed to iov_iter_revert() as an unsigned value will lead to\nthrowing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.\n\nBe sane and don't revert for -EIOCBQUEUED, like what is done in other\nspots.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid use of NULL after WARN_ON_ONCE\n\nThere is a WARN_ON_ONCE to catch an unlikely situation when\ndomain_remove_dev_pasid can't find the `pasid`. In case it nevertheless\nhappens we must avoid using a NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: passthrough uretprobe systemcall without filtering\n\nWhen attaching uretprobes to processes running inside docker, the attached\nprocess is segfaulted when encountering the retprobe.\n\nThe reason is that now that uretprobe is a system call the default seccomp\nfilters in docker block it as they only allow a specific set of known\nsyscalls. This is true for other userspace applications which use seccomp\nto control their syscall surface.\n\nSince uretprobe is a \"kernel implementation detail\" system call which is\nnot used by userspace application code directly, it is impractical and\nthere's very little point in forcing all userspace applications to\nexplicitly allow it in order to avoid crashing tracked processes.\n\nPass this systemcall through seccomp without depending on configuration.\n\nNote: uretprobe is currently only x86_64 and isn't expected to ever be\nsupported in i386.\n\n[kees: minimized changes for easier backporting, tweaked commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_midi: fix MIDI Streaming descriptor lengths\n\nWhile the MIDI jacks are configured correctly, and the MIDIStreaming\nendpoint descriptors are filled with the correct information,\nbNumEmbMIDIJack and bLength are set incorrectly in these descriptors.\n\nThis does not matter when the numbers of in and out ports are equal, but\nwhen they differ the host will receive broken descriptors with\nuninitialized stack memory leaking into the descriptor for whichever\nvalue is smaller.\n\nThe precise meaning of \"in\" and \"out\" in the port counts is not clearly\ndefined and can be confusing.  But elsewhere the driver consistently\nuses this to match the USB meaning of IN and OUT viewed from the host,\nso that \"in\" ports send data to the host and \"out\" ports receive data\nfrom it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: reallocate buf lists on upgrade\n\nIORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it\nwas created for legacy selected buffer and has been emptied. It violates\nthe requirement that most of the field should stay stable after publish.\nAlways reallocate it instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: core: flush gadget workqueue after device removal\n\ndevice_del() can lead to new work being scheduled in gadget->work\nworkqueue. This is observed, for example, with the dwc3 driver with the\nfollowing call stack:\n  device_del()\n    gadget_unbind_driver()\n      usb_gadget_disconnect_locked()\n        dwc3_gadget_pullup()\n\t  dwc3_gadget_soft_disconnect()\n\t    usb_gadget_set_state()\n\t      schedule_work(&gadget->work)\n\nMove flush_work() after device_del() to ensure the workqueue is cleaned\nup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop\n\nMove the conditional loading of hardware DR6 with the guest's DR6 value\nout of the core .vcpu_run() loop to fix a bug where KVM can load hardware\nwith a stale vcpu->arch.dr6.\n\nWhen the guest accesses a DR and host userspace isn't debugging the guest,\nKVM disables DR interception and loads the guest's values into hardware on\nVM-Enter and saves them on VM-Exit.  This allows the guest to access DRs\nat will, e.g. so that a sequence of DR accesses to configure a breakpoint\nonly generates one VM-Exit.\n\nFor DR0-DR3, the logic/behavior is identical between VMX and SVM, and also\nidentical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)\nand KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading\nDR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.\n\nBut for DR6, the guest's value doesn't need to be loaded into hardware for\nKVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas\nVMX requires software to manually load the guest value, and so loading the\nguest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done\n_inside_ the core run loop.\n\nUnfortunately, saving the guest values on VM-Exit is initiated by common\nx86, again outside of the core run loop.  If the guest modifies DR6 (in\nhardware, when DR interception is disabled), and then the next VM-Exit is\na fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and\nclobber the guest's actual value.\n\nThe bug shows up primarily with nested VMX because KVM handles the VMX\npreemption timer in the fastpath, and the window between hardware DR6\nbeing modified (in guest context) and DR6 being read by guest software is\norders of magnitude larger in a nested setup.  E.g. in non-nested, the\nVMX preemption timer would need to fire precisely between #DB injection\nand the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the\nwindow where hardware DR6 is \"dirty\" extends all the way from L1 writing\nDR6 to VMRESUME (in L1).\n\n    L1's view:\n    ==========\n    <L1 disables DR interception>\n           CPU 0/KVM-7289    [023] d....  2925.640961: kvm_entry: vcpu 0\n A:  L1 Writes DR6\n           CPU 0/KVM-7289    [023] d....  2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1\n\n B:        CPU 0/KVM-7289    [023] d....  2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec\n\n D: L1 reads DR6, arch.dr6 = 0\n           CPU 0/KVM-7289    [023] d....  2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0\n\n           CPU 0/KVM-7289    [023] d....  2925.640976: kvm_entry: vcpu 0\n    L2 reads DR6, L1 disables DR interception\n           CPU 0/KVM-7289    [023] d....  2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216\n           CPU 0/KVM-7289    [023] d....  2925.640983: kvm_entry: vcpu 0\n\n           CPU 0/KVM-7289    [023] d....  2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0\n\n    L2 detects failure\n           CPU 0/KVM-7289    [023] d....  2925.640987: kvm_exit: vcpu 0 reason HLT\n    L1 reads DR6 (confirms failure)\n           CPU 0/KVM-7289    [023] d....  2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0\n\n    L0's view:\n    ==========\n    L2 reads DR6, arch.dr6 = 0\n          CPU 23/KVM-5046    [001] d....  3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n          CPU 23/KVM-5046    [001] .....  3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n\n    L2 => L1 nested VM-Exit\n          CPU 23/KVM-5046    [001] .....  3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216\n\n          CPU 23/KVM-5046    [001] d....  3410.005610: kvm_entry: vcpu 23\n          CPU 23/KVM-5046    [001] d....  3410.005611: kvm_exit: vcpu 23 reason VMREAD\n          CPU 23/KVM-5046    [001] d....  3410.005611: kvm_entry: vcpu 23\n          CPU 23/KVM-5046    [001] d....  3410.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/netlink: Prevent userspace segmentation fault by adjusting UAPI header\n\nThe intel-lpmd tool [1], which uses the THERMAL_GENL_ATTR_CPU_CAPABILITY\nattribute to receive HFI events from kernel space, encounters a\nsegmentation fault after commit 1773572863c4 (\"thermal: netlink: Add the\ncommands and the events for the thresholds\").\n\nThe issue arises because the THERMAL_GENL_ATTR_CPU_CAPABILITY raw value\nwas changed while intel_lpmd still uses the old value.\n\nAlthough intel_lpmd can be updated to check the THERMAL_GENL_VERSION and\nuse the appropriate THERMAL_GENL_ATTR_CPU_CAPABILITY value, the commit\nitself is questionable.\n\nThe commit introduced a new element in the middle of enum thermal_genl_attr,\nwhich affects many existing attributes and introduces potential risks\nand unnecessary maintenance burdens for userspace thermal netlink event\nusers.\n\nSolve the issue by moving the newly introduced\nTHERMAL_GENL_ATTR_TZ_PREV_TEMP attribute to the end of the\nenum thermal_genl_attr. This ensures that all existing thermal generic\nnetlink attributes remain unaffected.\n\n[ rjw: Subject edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq/amd-pstate: Fix cpufreq_policy ref counting\n\namd_pstate_update_limits() takes a cpufreq_policy reference but doesn't\ndecrement the refcount in one of the exit paths, fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: properly free gang_ctx_bo when failed to init user queue\n\nThe destructor of a gtt bo is declared as\nvoid amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj);\nWhich takes void** as the second parameter.\n\nGCC allows passing void* to the function because void* can be implicitly\ncasted to any other types, so it can pass compiling.\n\nHowever, passing this void* parameter into the function's\nexecution process(which expects void** and dereferencing void**)\nwill result in errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: avoid garbage value in panthor_ioctl_dev_query()\n\n'priorities_info' is uninitialized, and the uninitialized value is copied\nto user object when calling PANTHOR_UOBJ_SET(). Using memset to initialize\n'priorities_info' to avoid this garbage value problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Add check for next_buffer in receive_encrypted_standard()\n\nAdd check for the return value of cifs_buf_get() and cifs_small_buf_get()\nin receive_encrypted_standard() to prevent null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: sst: Fix SST write failure\n\n'commit 18bcb4aa54ea (\"mtd: spi-nor: sst: Factor out common write operation\nto `sst_nor_write_data()`\")' introduced a bug where only one byte of data\nis written, regardless of the number of bytes passed to\nsst_nor_write_data(), causing a kernel crash during the write operation.\nEnsure the correct number of bytes are written as passed to\nsst_nor_write_data().\n\nCall trace:\n[   57.400180] ------------[ cut here ]------------\n[   57.404842] While writing 2 byte written 1 bytes\n[   57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74\n[   57.418464] Modules linked in:\n[   57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30\n[   57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)\n[   57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   57.444557] pc : sst_nor_write_data+0x6c/0x74\n[   57.448911] lr : sst_nor_write_data+0x6c/0x74\n[   57.453264] sp : ffff80008232bb40\n[   57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001\n[   57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000\n[   57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000\n[   57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006\n[   57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580\n[   57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4\n[   57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530\n[   57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001\n[   57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[   57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000\n[   57.527916] Call trace:\n[   57.530354]  sst_nor_write_data+0x6c/0x74\n[   57.534361]  sst_nor_write+0xb4/0x18c\n[   57.538019]  mtd_write_oob_std+0x7c/0x88\n[   57.541941]  mtd_write_oob+0x70/0xbc\n[   57.545511]  mtd_write+0x68/0xa8\n[   57.548733]  mtdchar_write+0x10c/0x290\n[   57.552477]  vfs_write+0xb4/0x3a8\n[   57.555791]  ksys_write+0x74/0x10c\n[   57.559189]  __arm64_sys_write+0x1c/0x28\n[   57.563109]  invoke_syscall+0x54/0x11c\n[   57.566856]  el0_svc_common.constprop.0+0xc0/0xe0\n[   57.571557]  do_el0_svc+0x1c/0x28\n[   57.574868]  el0_svc+0x30/0xcc\n[   57.577921]  el0t_64_sync_handler+0x120/0x12c\n[   57.582276]  el0t_64_sync+0x190/0x194\n[   57.585933] ---[ end trace 0000000000000000 ]---\n\n[pratyush@kernel.org: add Cc stable tag]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: perform last write from workqueue\n\nIn [1] it was reported that the acct(2) system call can be used to\ntrigger NULL deref in cases where it is set to write to a file that\ntriggers an internal lookup. This can e.g., happen when pointing acc(2)\nto /sys/power/resume. At the point the where the write to this file\nhappens the calling task has already exited and called exit_fs(). A\nlookup will thus trigger a NULL-deref when accessing current->fs.\n\nReorganize the code so that the the final write happens from the\nworkqueue but with the caller's credentials. This preserves the\n(strange) permission model and has almost no regression risk.\n\nThis api should stop to exist though.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()\n\nThe nullity of sps->cstream should be checked similarly as it is done in\nsof_set_stream_data_offset() function.\nAssuming that it is not NULL if sps->stream is NULL is incorrect and can\nlead to NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: bpf: Add check for nfp_app_ctrl_msg_alloc()\n\nAdd check for the return value of nfp_app_ctrl_msg_alloc() in\nnfp_bpf_cmsg_alloc() to prevent null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Use spin_lock_irqsave() in interruptible context\n\nspin_lock/unlock() functions used in interrupt contexts could\nresult in a deadlock, as seen in GitLab issue #13399,\nwhich occurs when interrupt comes in while holding a lock.\n\nTry to remedy the problem by saving irq state before spin lock\nacquisition.\n\nv2: add irqs' state save/restore calls to all locks/unlocks in\n signal_irq_work() execution (Maciej)\n\nv3: use with spin_lock_irqsave() in guc_lrc_desc_unpin() instead\n of other lock/unlock calls and add Fixes and Cc tags (Tvrtko);\n change title and commit message\n\n(cherry picked from commit c088387ddd6482b40f21ccf23db1125e8fa4af7e)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Fix crash when a namespace is disabled\n\nThe namespace percpu counter protects pending I/O, and we can\nonly safely diable the namespace once the counter drop to zero.\nOtherwise we end up with a crash when running blktests/nvme/058\n(eg for loop transport):\n\n[ 2352.930426] [  T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 2352.930431] [  T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[ 2352.930434] [  T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G        W          6.13.0-rc6 #232\n[ 2352.930438] [  T53909] Tainted: [W]=WARN\n[ 2352.930440] [  T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[ 2352.930443] [  T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\n[ 2352.930449] [  T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180\n\nas the queue is already torn down when calling submit_bio();\n\nSo we need to init the percpu counter in nvmet_ns_enable(), and\nwait for it to drop to zero in nvmet_ns_disable() to avoid having\nI/O pending after the namespace has been disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix softlockup in arena_map_free on 64k page kernel\n\nOn an aarch64 kernel with CONFIG_PAGE_SIZE_64KB=y,\narena_htab tests cause a segmentation fault and soft lockup.\nThe same failure is not observed with 4k pages on aarch64.\n\nIt turns out arena_map_free() is calling\napply_to_existing_page_range() with the address returned by\nbpf_arena_get_kern_vm_start().  If this address is not page-aligned\nthe code ends up calling apply_to_pte_range() with that unaligned\naddress causing soft lockup.\n\nFix it by round up GUARD_SZ to PAGE_SIZE << 1 so that the\ndivision by 2 in bpf_arena_get_kern_vm_start() returns\na page-aligned value.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Add rx_skb of kfree_skb to raw_tp_null_args[].\n\nYan Zhai reported a BPF prog could trigger a null-ptr-deref [0]\nin trace_kfree_skb if the prog does not check if rx_sk is NULL.\n\nCommit c53795d48ee8 (\"net: add rx_sk to trace_kfree_skb\") added\nrx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.\n\nLet's add kfree_skb to raw_tp_null_args[] to let the BPF verifier\nvalidate such a prog and prevent the issue.\n\nNow we fail to load such a prog:\n\n  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --\n  0: R1=ctx() R10=fp0\n  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21\n  0: (79) r3 = *(u64 *)(r1 +24)\n  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'\n  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)\n  ; bpf_printk(\"sk: %d, %d\\n\", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24\n  1: (69) r4 = *(u16 *)(r3 +16)\n  R3 invalid mem access 'trusted_ptr_or_null_'\n  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0\n  -- END PROG LOAD LOG --\n\nNote this fix requires commit 838a10bd2ebf (\"bpf: Augment raw_tp\narguments with PTR_MAYBE_NULL\").\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000010\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP\nRIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\nCall Trace:\n <TASK>\n ? __die+0x1f/0x60\n ? page_fault_oops+0x148/0x420\n ? search_bpf_extables+0x5b/0x70\n ? fixup_exception+0x27/0x2c0\n ? exc_page_fault+0x75/0x170\n ? asm_exc_page_fault+0x22/0x30\n ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\n bpf_trace_run4+0x68/0xd0\n ? unix_stream_connect+0x1f4/0x6f0\n sk_skb_reason_drop+0x90/0x120\n unix_stream_connect+0x1f4/0x6f0\n __sys_connect+0x7f/0xb0\n __x64_sys_connect+0x14/0x20\n do_syscall_64+0x47/0xc30\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: avoid holding freeze_mutex during mmap operation\n\nWe use map->freeze_mutex to prevent races between map_freeze() and\nmemory mapping BPF map contents with writable permissions. The way we\nnaively do this means we'll hold freeze_mutex for entire duration of all\nthe mm and VMA manipulations, which is completely unnecessary. This can\npotentially also lead to deadlocks, as reported by syzbot in [0].\n\nSo, instead, hold freeze_mutex only during writeability checks, bump\n(proactively) \"write active\" count for the map, unlock the mutex and\nproceed with mmap logic. And only if something went wrong during mmap\nlogic, then undo that \"write active\" counter increment.\n\n  [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsockmap, vsock: For connectible sockets allow only connected\n\nsockmap expects all vsocks to have a transport assigned, which is expressed\nin vsock_proto::psock_update_sk_prot(). However, there is an edge case\nwhere an unconnected (connectible) socket may lose its previously assigned\ntransport. This is handled with a NULL check in the vsock/BPF recv path.\n\nAnother design detail is that listening vsocks are not supposed to have any\ntransport assigned at all. Which implies they are not supported by the\nsockmap. But this is complicated by the fact that a socket, before\nswitching to TCP_LISTEN, may have had some transport assigned during a\nfailed connect() attempt. Hence, we may end up with a listening vsock in a\nsockmap, which blows up quickly:\n\nKASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]\nCPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+\nWorkqueue: vsock-loopback vsock_loopback_work\nRIP: 0010:vsock_read_skb+0x4b/0x90\nCall Trace:\n sk_psock_verdict_data_ready+0xa4/0x2e0\n virtio_transport_recv_pkt+0x1ca8/0x2acc\n vsock_loopback_work+0x27d/0x3f0\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x35a/0x700\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nFor connectible sockets, instead of relying solely on the state of\nvsk->transport, tell sockmap to only allow those representing established\nconnections. This aligns with the behaviour for AF_INET and AF_UNIX.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don't reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb->len\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n <...>\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n <...>\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n <...>\n The buggy address belongs to the object at c00000024eb48a00 which\n  belongs to the cache skbuff_head_cache of size 224\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ism: add release function for struct device\n\nAccording to device_release() in /drivers/base/core.c,\na device without a release function is a broken device\nand must be fixed.\n\nThe current code directly frees the device after calling device_add()\nwithout waiting for other kernel parts to release their references.\nThus, a reference could still be held to a struct device,\ne.g., by sysfs, leading to potential use-after-free\nissues if a proper release function is not set.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: fix error handling causing NULL dereference\n\ntcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can\nreturn 1 if the allocation succeeded after wrapping. This was treated as\nan error, with value 1 returned to caller tcf_exts_init_ex() which sets\nexts->actions to NULL and returns 1 to caller fl_change().\n\nfl_change() treats err == 1 as success, calling tcf_exts_validate_ex()\nwhich calls tcf_action_init() with exts->actions as argument, where it\nis dereferenced.\n\nExample trace:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1\nRIP: 0010:tcf_action_init+0x1f8/0x2c0\nCall Trace:\n tcf_action_init+0x1f8/0x2c0\n tcf_exts_validate_ex+0x175/0x190\n fl_change+0x537/0x1120 [cls_flower]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: Fix use-after-free in geneve_find_dev().\n\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\n\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)->geneve_list.\n\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\n\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\n\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\n\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\n\nLet's call geneve_dellink() instead in geneve_destroy_tunnels().\n\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441\n\nCPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379\n geneve_find_dev drivers/net/geneve.c:1295 [inline]\n geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\n geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634\n rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:713 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568\n ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622\n __sys_sendmsg net/socket.c:2654 [inline]\n __do_sys_sendmsg net/socket.c:2659 [inline]\n __se_sys_sendmsg net/socket.c:2657 [inline]\n __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600\n\nAllocated by task 13247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4298 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645\n alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470\n rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_n\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: f_midi: f_midi_complete to call queue_work\n\nWhen using USB MIDI, a lock is attempted to be acquired twice through a\nre-entrant call to f_midi_transmit, causing a deadlock.\n\nFix it by using queue_work() to schedule the inner f_midi_transmit() via\na high priority work queue from the completion handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/zswap: fix inconsistency when zswap_store_page() fails\n\nCommit b7c0ccdfbafd (\"mm: zswap: support large folios in zswap_store()\")\nskips charging any zswap entries when it failed to zswap the entire folio.\n\nHowever, when some base pages are zswapped but it failed to zswap the\nentire folio, the zswap operation is rolled back.  When freeing zswap\nentries for those pages, zswap_entry_free() uncharges the zswap entries\nthat were not previously charged, causing zswap charging to become\ninconsistent.\n\nThis inconsistency triggers two warnings with following steps:\n  # On a machine with 64GiB of RAM and 36GiB of zswap\n  $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng\n  $ sudo reboot\n\n  The two warnings are:\n    in mm/memcontrol.c:163, function obj_cgroup_release():\n      WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1));\n\n    in mm/page_counter.c:60, function page_counter_cancel():\n      if (WARN_ONCE(new < 0, \"page_counter underflow: %ld nr_pages=%lu\\n\",\n\t  new, nr_pages))\n\nzswap_stored_pages also becomes inconsistent in the same way.\n\nAs suggested by Kanchana, increment zswap_stored_pages and charge zswap\nentries within zswap_store_page() when it succeeds.  This way,\nzswap_entry_free() will decrement the counter and uncharge the entries\nwhen it failed to zswap the entire folio.\n\nWhile this could potentially be optimized by batching objcg charging and\nincrementing the counter, let's focus on fixing the bug this time and\nleave the optimization for later after some evaluation.\n\nAfter resolving the inconsistency, the warnings disappear.\n\n[42.hyeyoo@gmail.com: refactor zswap_store_page()]",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()\n\nIf migration succeeded, we called\nfolio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the\nold to the new folio.  This will set memcg_data of the old folio to 0.\n\nSimilarly, if migration failed, memcg_data of the dst folio is left unset.\n\nIf we call folio_putback_lru() on such folios (memcg_data == 0), we will\nadd the folio to be freed to the LRU, making memcg code unhappy.  Running\nthe hmm selftests:\n\n  # ./hmm-tests\n  ...\n  #  RUN           hmm.hmm_device_private.migrate ...\n  [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00\n  [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)\n  [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9\n  [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000\n  [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())\n  [  102.087230][T14893] ------------[ cut here ]------------\n  [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.090478][T14893] Modules linked in:\n  [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151\n  [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n  [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.096104][T14893] Code: ...\n  [  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293\n  [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426\n  [  102.102684][T14893] RDX: ffff8881063cb880 RSI: 
ffffffff81b8117f RDI: ffff8881063cb880\n  [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\n  [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8\n  [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000\n  [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000\n  [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0\n  [  102.113478][T14893] PKRU: 55555554\n  [  102.114172][T14893] Call Trace:\n  [  102.114805][T14893]  <TASK>\n  [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.116547][T14893]  ? __warn.cold+0x110/0x210\n  [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.118667][T14893]  ? report_bug+0x1b9/0x320\n  [  102.119571][T14893]  ? handle_bug+0x54/0x90\n  [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50\n  [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20\n  [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0\n  [  102.123506][T14893]  ? dump_page+0x4f/0x60\n  [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170\n  [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200\n  [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10\n  [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720\n  [  102.128633][T14893]  ? __pfx_lru_add+0x10/0x10\n  [  102.129550][T14893]  folio_putback_lru+0x16/0x80\n  [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530\n  [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0\n  [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80\n\nLikely, nothing else goes wrong: putting the last folio reference will\nremove the folio from the LRU again.  
So besides memcg complaining, adding\nthe folio to be freed to the LRU is just an unnecessary step.\n\nThe new flow resembles what we have in migrate_folio_move(): add the dst\nto the lru, rem\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 
01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let's place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent opcode speculation\n\nsqe->opcode is used for different tables, make sure we sanitise it\nagainst speculations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free'd by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU's\ndefer_list), and don't flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don't\nexpect at this point.\n\nWe already drop the skb's dst in the TCP receive path when it's no\nlonger needed, so let's also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger ->dellink() twice for the same device during\n->exit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n  1. cleanup_net() processes netns A and then B.\n\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns A's gn->gtp_dev_list and calls ->dellink().\n\n  [ device B is not yet unlinked from netns B\n    as unregister_netdevice_many() has not been called. ]\n\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns B's for_each_netdev() and calls ->dellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn->gtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: 
netns cleanup_net\nRIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n <TASK>\n [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 
[inline] fffffe8040b4fc28\n [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n\nErhard reported the following KASAN hit while booting his PowerMac G4\nwith a KASAN-enabled kernel 6.13-rc6:\n\n  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8\n  Write of size 8 at addr f1000000 by task chronyd/1293\n\n  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2\n  Tainted: [W]=WARN\n  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac\n  Call Trace:\n  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)\n  [c24375b0] [c0504998] print_report+0xdc/0x504\n  [c2437610] [c050475c] kasan_report+0xf8/0x108\n  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c\n  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8\n  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c\n  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c\n  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac\n  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec\n  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478\n  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14\n  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4\n  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890\n  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420\n  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c\n  --- interrupt: c00 at 0x5a1274\n  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8\n  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)\n  MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000\n\n  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932\n  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57\n  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002\n  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 
006e7c1c 00000001\n  NIP [005a1274] 0x5a1274\n  LR [006a3b3c] 0x6a3b3c\n  --- interrupt: c00\n\n  The buggy address belongs to the virtual mapping at\n   [f1000000, f1002000) created by:\n   text_area_cpu_up+0x20/0x190\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30\n  flags: 0x80000000(zone=2)\n  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001\n  raw: 00000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n             ^\n   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ==================================================================\n\nf8 corresponds to KASAN_VMALLOC_INVALID which means the area is not\ninitialised hence not supposed to be used yet.\n\nPowerpc text patching infrastructure allocates a virtual memory area\nusing get_vm_area() and flags it as VM_ALLOC. But that flag is meant\nto be used for vmalloc() and vmalloc() allocated memory is not\nsupposed to be used before a call to __vmalloc_node_range() which is\nnever called for that area.\n\nThat went undetected until commit e4137f08816b (\"mm, kasan, kmsan:\ninstrument copy_from/to_kernel_nofault\").\n\nThe area allocated by text_area_cpu_up() is not vmalloc memory, it is\nmapped directly on demand when needed by map_kernel_page(). There is\nno VM flag corresponding to such usage, so just pass no flag. That way\nthe area will be unpoisoned and usable immediately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()\n\nKMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The\ncause of the issue was that eth_skb_pkt_type() accessed skb's data\nthat didn't contain an Ethernet header. This occurs when\nbpf_prog_test_run_xdp() passes an invalid value as the user_data\nargument to bpf_test_init().\n\nFix this by returning an error when user_data is less than ETH_HLEN in\nbpf_test_init(). Additionally, remove the check for \"if (user_size >\nsize)\" as it is unnecessary.\n\n[1]\nBUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\nBUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\n eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635\n xdp_recv_frames net/bpf/test_run.c:272 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318\n bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371\n __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777\n __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]\n __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864\n x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1056 [inline]\n free_unref_page+0x156/0x1320 mm/page_alloc.c:2657\n __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838\n bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]\n ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235\n bpf_map_free 
kernel/bpf/syscall.c:838 [inline]\n bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310\n worker_thread+0xedf/0x1550 kernel/workqueue.c:3391\n kthread+0x535/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nCPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: allow small head cache usage with large MAX_SKB_FRAGS values\n\nSabrina reported the following splat:\n\n    WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n    RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0\n    Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48\n    RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293\n    RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e\n    RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6\n    RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c\n    R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168\n    R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007\n    FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n    <TASK>\n    gro_cells_init+0x1ba/0x270\n    xfrm_input_init+0x4b/0x2a0\n    xfrm_init+0x38/0x50\n    ip_rt_init+0x2d7/0x350\n    ip_init+0xf/0x20\n    inet_init+0x406/0x590\n    do_one_initcall+0x9d/0x2e0\n    do_initcalls+0x23b/0x280\n    kernel_init_freeable+0x445/0x490\n    kernel_init+0x20/0x1d0\n    ret_from_fork+0x46/0x80\n    ret_from_fork_asm+0x1a/0x30\n    </TASK>\n    irq event stamp: 584330\n    hardirqs last  enabled at (584338): 
[<ffffffff8168bf87>] __up_console_sem+0x77/0xb0\n    hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0\n    softirqs last  enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470\n    softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0\n\non kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024)\nis smaller than GRO_MAX_HEAD.\n\nSuch a build additionally contains the revert of the single page frag cache\nso that napi_get_frags() ends up using the page frag allocator, triggering\nthe splat.\n\nNote that the underlying issue is independent of the mentioned\nrevert; address it ensuring that the small head cache will fit both TCP\nand GRO allocations and updating napi_alloc_skb() and __netdev_alloc_skb()\nto select kmalloc() usage for any allocation fitting such a cache.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[   12.028126] ==================================================================\n[   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.13.0-P9-dirty #3\n[   12.028408] Tainted: [T]=RANDSTRUCT\n[   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[   12.028500] Call Trace:\n[   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[   12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G                T   (6.13.0-P9-dirty)\n[   12.029735] MSR:  900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI>  CR: 42004848  XER: 00000000\n[   12.029855] IRQMASK: 0\n               GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n               GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n               GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n               GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n               GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n               GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n               GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n               GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030405] --- interrupt: 3000\n[   12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired by x86 but unlike x86 it doesn't disable\nKASAN reports during patching. This wasn't a problem at the beginning\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") uses copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers\n\nOther, non DAI copier widgets could have the same stream name (sname) as\nthe ALH copier and in that case the copier->data is NULL, no alh_data is\nattached, which could lead to a NULL pointer dereference.\nWe could check for this NULL pointer in sof_ipc4_prepare_copier_module()\nand avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()\nwill miscalculate the ALH device count, causing broken audio.\n\nThe correct fix is to harden the matching logic by making sure that the\n1. widget is a DAI widget - so dai = w->private is valid\n2. the dai (and thus the copier) is an ALH copier",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix supplicant wait loop\n\nOP-TEE supplicant is a user-space daemon and it's possible for it\nto be hung or crashed or killed in the middle of processing an OP-TEE\nRPC call. It becomes more complicated when there is incorrect shutdown\nordering of the supplicant process vs the OP-TEE client application which\ncan eventually lead to system hang-up waiting for the closure of the\nclient application.\n\nAllow the client process waiting in kernel for supplicant response to\nbe killed rather than indefinitely waiting in an unkillable state. Also,\na normal uninterruptible wait should not have resulted in the hung-task\nwatchdog getting triggered, but the endless loop would.\n\nThis fixes issues observed during system reboot/shutdown when supplicant\ngot hung for some reason or got crashed/killed, which led to the client\ngetting hung in an unkillable state. It in turn led to the system being in a\nhung-up state requiring hard power off/on to recover.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Don't map the entire mokvar table to determine its size\n\nCurrently, when validating the mokvar table, we (re)map the entire table\non each iteration of the loop, adding space as we discover new entries.\nIf the table grows over a certain size, this fails due to limitations of\nearly_memmap(), and we get a failure and traceback:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220\n  ...\n  Call Trace:\n   <TASK>\n   ? __early_ioremap+0xef/0x220\n   ? __warn.cold+0x93/0xfa\n   ? __early_ioremap+0xef/0x220\n   ? report_bug+0xff/0x140\n   ? early_fixup_exception+0x5d/0xb0\n   ? early_idt_handler_common+0x2f/0x3a\n   ? __early_ioremap+0xef/0x220\n   ? efi_mokvar_table_init+0xce/0x1d0\n   ? setup_arch+0x864/0xc10\n   ? start_kernel+0x6b/0xa10\n   ? x86_64_start_reservations+0x24/0x30\n   ? x86_64_start_kernel+0xed/0xf0\n   ? common_startup_64+0x13e/0x141\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.\n\nMapping the entire structure isn't actually necessary, as we don't ever\nneed more than one entry header mapped at once.\n\nChanges efi_mokvar_table_init() to only map each entry header, not the\nentire table, when determining the table size.  Since we're not mapping\nany data past the variable name, it also changes the code to enforce\nthat each variable name is NUL terminated, rather than attempting to\nverify it in place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: bsg: Fix crash when arpmb command fails\n\nIf the device doesn't support arpmb we'll crash due to copying user data in\nbsg_transport_sg_io_fn().\n\nIn the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not\nset the job's reply_len.\n\nMemory crash backtrace:\n3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22\n\n4,1308,531166555,-;Call Trace:\n\n4,1309,531166559,-; <TASK>\n\n4,1310,531166565,-; ? show_regs+0x6d/0x80\n\n4,1311,531166575,-; ? die+0x37/0xa0\n\n4,1312,531166583,-; ? do_trap+0xd4/0xf0\n\n4,1313,531166593,-; ? do_error_trap+0x71/0xb0\n\n4,1314,531166601,-; ? usercopy_abort+0x6c/0x80\n\n4,1315,531166610,-; ? exc_invalid_op+0x52/0x80\n\n4,1316,531166622,-; ? usercopy_abort+0x6c/0x80\n\n4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20\n\n4,1318,531166643,-; ? usercopy_abort+0x6c/0x80\n\n4,1319,531166652,-; __check_heap_object+0xe3/0x120\n\n4,1320,531166661,-; check_heap_object+0x185/0x1d0\n\n4,1321,531166670,-; __check_object_size.part.0+0x72/0x150\n\n4,1322,531166679,-; __check_object_size+0x23/0x30\n\n4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-integrity: Avoid divide by zero in table status in Inline mode\n\nIn Inline mode, the journal is unused, and journal_sectors is zero.\n\nCalculating the journal watermark requires dividing by journal_sectors,\nwhich should be done only if the journal is configured.\n\nOtherwise, a simple table query (dmsetup table) can cause OOPS.\n\nThis bug did not show on some systems, perhaps only due to\ncompiler optimization.\n\nOn my 32-bit testing machine, this reliably crashes with the following:\n\n : Oops: divide error: 0000 [#1] PREEMPT SMP\n : CPU: 0 UID: 0 PID: 2450 Comm: dmsetup Not tainted 6.14.0-rc2+ #959\n : EIP: dm_integrity_status+0x2f8/0xab0 [dm_integrity]\n ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n  RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n  RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n  RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n  RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n  RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n  RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n  R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n  R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n  FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n   mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n   mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n   mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n   netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:733\n   ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n   ___sys_sendmsg net/socket.c:2627 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2659\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f7e9998cde9\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n  RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n  RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix suspicious RCU usage\n\nCommit <d74169ceb0d2> (\"iommu/vt-d: Allocate DMAR fault interrupts\nlocally\") moved the call to enable_drhd_fault_handling() to a code\npath that does not hold any lock while traversing the drhd list. Fix\nit by ensuring the dmar_global_lock lock is held when traversing the\ndrhd list.\n\nWithout this fix, the following warning is triggered:\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3 #55 Not tainted\n -----------------------------\n drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!\n               other info that might help us debug this:\n               rcu_scheduler_active = 1, debug_locks = 1\n 2 locks held by cpuhp/1/23:\n #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n stack backtrace:\n CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0xb7/0xd0\n  lockdep_rcu_suspicious+0x159/0x1f0\n  ? __pfx_enable_drhd_fault_handling+0x10/0x10\n  enable_drhd_fault_handling+0x151/0x180\n  cpuhp_invoke_callback+0x1df/0x990\n  cpuhp_thread_fun+0x1ea/0x2c0\n  smpboot_thread_fn+0x1f5/0x2e0\n  ? __pfx_smpboot_thread_fn+0x10/0x10\n  kthread+0x12a/0x2d0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x4a/0x60\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n\nHolding the lock in enable_drhd_fault_handling() triggers a lockdep splat\nabout a possible deadlock between dmar_global_lock and cpu_hotplug_lock.\nThis is avoided by not holding dmar_global_lock when calling\niommu_device_register(), which initiates the device probe process.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin the gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine rebooted in the middle of the i2c transaction, so the i2c\nmodule kept its status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine does a warm reboot.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[   28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[   28.183351] Modules linked in:\n[   28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[   28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   28.208128] pc : __do_softirq+0xb0/0x368\n[   28.212055] lr : __do_softirq+0x70/0x368\n[   28.215972] sp : ffffff8035ebca00\n[   28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[   28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[   28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[   28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[   28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[   28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[   28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[   28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[   28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[   28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[   28.290611] Call trace:\n[   28.293052]  __do_softirq+0xb0/0x368\n[   28.296625]  __irq_exit_rcu+0xe0/0x100\n[   28.300374]  irq_exit+0x14/0x20\n[   28.303513]  handle_domain_irq+0x68/0x90\n[   28.307440]  gic_handle_irq+0x78/0xb0\n[   28.311098]  call_on_irq_stack+0x20/0x38\n[   28.315019]  do_interrupt_handler+0x54/0x5c\n[   28.319199]  el1_interrupt+0x2c/0x4c\n[   28.322777]  el1h_64_irq_handler+0x14/0x20\n[   28.326872]  el1h_64_irq+0x74/0x78\n[   28.330269]  __setup_irq+0x454/0x780\n[   28.333841]  request_threaded_irq+0xd0/0x1b4\n[   28.338107]  devm_request_threaded_irq+0x84/0x100\n[   28.342809]  npcm_i2c_probe_bus+0x188/0x3d0\n[   28.346990]  platform_probe+0x6c/0xc4\n[   28.350653]  really_probe+0xcc/0x45c\n[   28.354227]  __driver_probe_device+0x8c/0x160\n[   28.358578]  driver_probe_device+0x44/0xe0\n[   28.362670]  __driver_attach+0x124/0x1d0\n[   28.366589]  bus_for_each_dev+0x7c/0xe0\n[   28.370426]  driver_attach+0x28/0x30\n[   28.373997]  bus_add_driver+0x124/0x240\n[   28.377830]  driver_register+0x7c/0x124\n[   28.381662]  __platform_driver_register+0x2c/0x34\n[   28.386362]  npcm_i2c_init+0x3c/0x5c\n[   28.389937]  do_one_initcall+0x74/0x230\n[   28.393768]  kernel_init_freeable+0x24c/0x2b4\n[   28.398126]  kernel_init+0x28/0x130\n[   28.401614]  ret_from_fork+0x10/0x20\n[   28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[   28.411011] SMP: stopping secondary CPUs\n[   28.414933] Kernel Offset: disabled\n[   28.418412] CPU features: 0x00000000,00000802\n[   28.427644] Rebooting in 20 seconds..",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free on inode when scanning root during em shrinking\n\nAt btrfs_scan_root() we are accessing the inode's root (and fs_info) in a\ncall to btrfs_fs_closing() after we have scheduled the inode for a delayed\niput, and that can result in a use-after-free on the inode in case the\ncleaner kthread does the iput before we dereference the inode in the call\nto btrfs_fs_closing().\n\nFix this by using the fs_info stored already in a local variable instead\nof doing inode->root->fs_info.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix EFAULT handling\n\nCurrently we treat EFAULT from hmm_range_fault() as a non-fatal error\nwhen called from xe_vm_userptr_pin() with the idea that we want to avoid\nkilling the entire vm and chucking an error, under the assumption that\nthe user just did an unmap or something, and has no intention of\nactually touching that memory from the GPU.  At this point we have\nalready zapped the PTEs so any access should generate a page fault, and\nif the pin fails there also it will then become fatal.\n\nHowever it looks like it's possible for the userptr vma to still be on\nthe rebind list in preempt_rebind_work_func(), if we had to retry the\npin again due to something happening in the caller before we did the\nrebind step, but in the meantime needing to re-validate the userptr and\nthis time hitting the EFAULT.\n\nThis explains an internal user report of hitting:\n\n[  191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[  191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe]\n[  191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[  191.738690] Call Trace:\n[  191.738692]  <TASK>\n[  191.738694]  ? show_regs+0x69/0x80\n[  191.738698]  ? __warn+0x93/0x1a0\n[  191.738703]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[  191.738759]  ? report_bug+0x18f/0x1a0\n[  191.738764]  ? handle_bug+0x63/0xa0\n[  191.738767]  ? exc_invalid_op+0x19/0x70\n[  191.738770]  ? asm_exc_invalid_op+0x1b/0x20\n[  191.738777]  ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[  191.738834]  ? ret_from_fork_asm+0x1a/0x30\n[  191.738849]  bind_op_prepare+0x105/0x7b0 [xe]\n[  191.738906]  ? dma_resv_reserve_fences+0x301/0x380\n[  191.738912]  xe_pt_update_ops_prepare+0x28c/0x4b0 [xe]\n[  191.738966]  ? kmemleak_alloc+0x4b/0x80\n[  191.738973]  ops_execute+0x188/0x9d0 [xe]\n[  191.739036]  xe_vm_rebind+0x4ce/0x5a0 [xe]\n[  191.739098]  ? trace_hardirqs_on+0x4d/0x60\n[  191.739112]  preempt_rebind_work_func+0x76f/0xd00 [xe]\n\nFollowed by NPD, when running some workload, since the sg was never\nactually populated but the vma is still marked for rebind when it should\nbe skipped for this special EFAULT case. This is confirmed to fix the\nuser report.\n\nv2 (MattB):\n - Move earlier.\nv3 (MattB):\n - Update the commit message to make it clear that this indeed fixes the\n   issue.\n\n(cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: Reject the shared zeropage in uprobe_write_opcode()\n\nWe triggered the following crash in syzkaller tests:\n\n  BUG: Bad page state in process syz.7.38  pfn:1eff3\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3\n  flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)\n  raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000\n  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x32/0x50\n   bad_page+0x69/0xf0\n   free_unref_page_prepare+0x401/0x500\n   free_unref_page+0x6d/0x1b0\n   uprobe_write_opcode+0x460/0x8e0\n   install_breakpoint.part.0+0x51/0x80\n   register_for_each_vma+0x1d9/0x2b0\n   __uprobe_register+0x245/0x300\n   bpf_uprobe_multi_link_attach+0x29b/0x4f0\n   link_create+0x1e2/0x280\n   __sys_bpf+0x75f/0xac0\n   __x64_sys_bpf+0x1a/0x30\n   do_syscall_64+0x56/0x100\n   entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\n   BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1\n\nThe following syzkaller test case can be used to reproduce:\n\n  r2 = creat(&(0x7f0000000000)='./file0\\x00', 0x8)\n  write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)\n  r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x42, 0x0)\n  mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)\n  r5 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})\n  r6 = userfaultfd(0x80801)\n  ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))\n  ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})\n  ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})\n  r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], &(0x7f0000000000)='GPL\\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)\n  bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)\n\nThe cause is that zero pfn is set to the PTE without increasing the RSS\ncount in mfill_atomic_pte_zeropage() and the refcount of zero folio does\nnot increase accordingly. Then, the operation on the same pfn is performed\nin uprobe_write_opcode()->__replace_page() to unconditionally decrease the\nRSS count and old_folio's refcount.\n\nTherefore, two bugs are introduced:\n\n 1. The RSS count is incorrect; when the process exits, check_mm() reports\n    the error \"Bad rss-count\".\n\n 2. The reserved folio (zero folio) is freed when folio->refcount is zero,\n    then free_pages_prepare->free_page_is_bad() reports the error\n    \"Bad page state\".\n\nThere is more, the following warning could also theoretically be triggered:\n\n  __replace_page()\n    -> ...\n      -> folio_remove_rmap_pte()\n        -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)\n\nConsidering that uprobe hit on the zero folio is a very rare case, just\nreject zero old folio immediately after get_user_page_vma_remote().\n\n[ mingo: Cleaned up the changelog ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix vport QoS cleanup on error\n\nWhen enabling vport QoS fails, the scheduling node was never freed,\ncausing a leak.\n\nAdd the missing free and reset the vport scheduling node pointer to\nNULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix deinitializing VF in error path\n\nIf ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees\nall VFs without removing them from snapshot PF-VF mailbox list, leading\nto list corruption.\n\nReproducer:\n  devlink dev eswitch set $PF1_PCI mode switchdev\n  ip l s $PF1 up\n  ip l s $PF1 promisc on\n  sleep 1\n  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs\n  sleep 1\n  echo 1 > /sys/class/net/$PF1/device/sriov_numvfs\n\nTrace (minimized):\n  list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).\n  kernel BUG at lib/list_debug.c:29!\n  RIP: 0010:__list_add_valid_or_report+0xa6/0x100\n   ice_mbx_init_vf_info+0xa7/0x180 [ice]\n   ice_initialize_vf_entry+0x1fa/0x250 [ice]\n   ice_sriov_configure+0x8d7/0x1520 [ice]\n   ? __percpu_ref_switch_mode+0x1b1/0x5d0\n   ? __pfx_ice_sriov_configure+0x10/0x10 [ice]\n\nSometimes a KASAN report can be seen instead with a similar stack trace:\n  BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100\n\nVFs are added to this list in ice_mbx_init_vf_info(), but only removed\nin ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is\nalso being called in other places where VFs are being removed (including\nice_free_vfs() itself).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: better track kernel sockets lifetime\n\nWhile kernel sockets are dismantled during pernet_operations->exit(),\ntheir freeing can be delayed by any tx packets still held in qdisc\nor device queues, due to skb_set_owner_w() prior calls.\n\nThis then triggers the following warning from ref_tracker_dir_exit() [1]\n\nTo fix this, make sure that kernel sockets own a reference on net->passive.\n\nAdd sk_net_refcnt_upgrade() helper, used whenever a kernel socket\nis converted to a refcounted one.\n\n[1]\n\n[  136.263918][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[  136.263918][   T35]      sk_alloc+0x2b3/0x370\n[  136.263918][   T35]      inet6_create+0x6ce/0x10f0\n[  136.263918][   T35]      __sock_create+0x4c0/0xa30\n[  136.263918][   T35]      inet_ctl_sock_create+0xc2/0x250\n[  136.263918][   T35]      igmp6_net_init+0x39/0x390\n[  136.263918][   T35]      ops_init+0x31e/0x590\n[  136.263918][   T35]      setup_net+0x287/0x9e0\n[  136.263918][   T35]      copy_net_ns+0x33f/0x570\n[  136.263918][   T35]      create_new_namespaces+0x425/0x7b0\n[  136.263918][   T35]      unshare_nsproxy_namespaces+0x124/0x180\n[  136.263918][   T35]      ksys_unshare+0x57d/0xa70\n[  136.263918][   T35]      __x64_sys_unshare+0x38/0x40\n[  136.263918][   T35]      do_syscall_64+0xf3/0x230\n[  136.263918][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  136.263918][   T35]\n[  136.343488][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[  136.343488][   T35]      sk_alloc+0x2b3/0x370\n[  136.343488][   T35]      inet6_create+0x6ce/0x10f0\n[  136.343488][   T35]      __sock_create+0x4c0/0xa30\n[  136.343488][   T35]      inet_ctl_sock_create+0xc2/0x250\n[  136.343488][   T35]      ndisc_net_init+0xa7/0x2b0\n[  136.343488][   T35]      ops_init+0x31e/0x590\n[  136.343488][   T35]      setup_net+0x287/0x9e0\n[  136.343488][   T35]      copy_net_ns+0x33f/0x570\n[  136.343488][   T35]      create_new_namespaces+0x425/0x7b0\n[  136.343488][   T35]      unshare_nsproxy_namespaces+0x124/0x180\n[  136.343488][   T35]      ksys_unshare+0x57d/0xa70\n[  136.343488][   T35]      __x64_sys_unshare+0x38/0x40\n[  136.343488][   T35]      do_syscall_64+0xf3/0x230\n[  136.343488][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix the page details for the srq created by kernel consumers\n\nWhile using nvme target with use_srq on, below kernel panic is noticed.\n\n[  549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)\n[  566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n..\n[  566.393799]  <TASK>\n[  566.393807]  ? __die_body+0x1a/0x60\n[  566.393823]  ? die+0x38/0x60\n[  566.393835]  ? do_trap+0xe4/0x110\n[  566.393847]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393867]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393881]  ? do_error_trap+0x7c/0x120\n[  566.393890]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393911]  ? exc_divide_error+0x34/0x50\n[  566.393923]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393939]  ? asm_exc_divide_error+0x16/0x20\n[  566.393966]  ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[  566.393997]  bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]\n[  566.394040]  bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]\n[  566.394057]  ? srso_return_thunk+0x5/0x5f\n[  566.394068]  ? __init_swait_queue_head+0x4a/0x60\n[  566.394090]  ib_create_srq_user+0xa7/0x150 [ib_core]\n[  566.394147]  nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]\n[  566.394174]  ? lock_release+0x22c/0x3f0\n[  566.394187]  ? srso_return_thunk+0x5/0x5f\n\nPage size and shift info is set only for the user space SRQs.\nSet page size and page shift for kernel space SRQs also.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP hang on parent deregistration\n\nFix the destroy_unused_implicit_child_mr() to prevent hanging during\nparent deregistration as of below [1].\n\nUpon entering destroy_unused_implicit_child_mr(), the reference count\nfor the implicit MR parent is incremented using:\nrefcount_inc_not_zero().\n\nA corresponding decrement must be performed if\nfree_implicit_child_mr_work() is not called.\n\nThe code has been updated to properly manage the reference count that\nwas incremented.\n\n[1]\nINFO: task python3:2157 blocked for more than 120 seconds.\nNot tainted 6.12.0-rc7+ #1633\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:python3         state:D stack:0     pid:2157 tgid:2157  ppid:1685   flags:0x00000000\nCall Trace:\n<TASK>\n__schedule+0x420/0xd30\nschedule+0x47/0x130\n__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]\n? __pfx_autoremove_wake_function+0x10/0x10\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n __x64_sys_ioctl+0x1b0/0xa70\n? kmem_cache_free+0x221/0x400\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f20f21f017b\nRSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b\nRDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60\nR10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890\nR13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.6"
        },
        {
          "id": "CVE-2025-21887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper->d_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\nMemory regions (MR) of type DM (device memory) do not have an associated\numem.\n\nIn the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code\nincorrectly takes the wrong branch, attempting to call\ndma_unmap_single() on a DMA address that is not mapped.\n\nThis results in a WARN [1], as shown below.\n\nThe issue is resolved by properly accounting for the DM type and\nensuring the correct branch is selected in mlx5_free_priv_descs().\n\n[1]\nWARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90\nModules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:iommu_dma_unmap_page+0x79/0x90\nCode: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00\nRSP: 0018:ffffc90001913a10 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000\nFS:  00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n? __warn+0x84/0x190\n? iommu_dma_unmap_page+0x79/0x90\n? report_bug+0xf8/0x1c0\n? handle_bug+0x55/0x90\n? exc_invalid_op+0x13/0x60\n? asm_exc_invalid_op+0x16/0x20\n? iommu_dma_unmap_page+0x79/0x90\ndma_unmap_page_attrs+0xe6/0x290\nmlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f537adaf17b\nCode: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b\nRDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270\nR10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190\nR13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Add RCU read lock protection to perf_iterate_ctx()\n\nThe perf_iterate_ctx() function performs RCU list traversal but\ncurrently lacks RCU read lock protection. This causes lockdep warnings\nwhen running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:\n\n\tWARNING: suspicious RCU usage\n\tkernel/events/core.c:8168 RCU-list traversed in non-reader section!!\n\n\t Call Trace:\n\t  lockdep_rcu_suspicious\n\t  ? perf_event_addr_filters_apply\n\t  perf_iterate_ctx\n\t  perf_event_exec\n\t  begin_new_exec\n\t  ? load_elf_phdrs\n\t  load_elf_binary\n\t  ? lock_acquire\n\t  ? find_held_lock\n\t  ? bprm_execve\n\t  bprm_execve\n\t  do_execveat_common.isra.0\n\t  __x64_sys_execve\n\t  do_syscall_64\n\t  entry_SYSCALL_64_after_hwframe\n\nThis protection was previously present but was removed in commit\nbd2756811766 (\"perf: Rewrite core context handling\"). Add back the\nnecessary rcu_read_lock()/rcu_read_unlock() pair around\nperf_iterate_ctx() call in perf_event_exec().\n\n[ mingo: Use scoped_guard() as suggested by Peter ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix checksums set in idpf_rx_rsc()\n\nidpf_rx_rsc() uses skb_transport_offset(skb) while the transport header\nis not set yet.\n\nThis triggers the following warning for CONFIG_DEBUG_NET=y builds.\n\nDEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))\n\n[   69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth\n[   69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S      W          6.14.0-smp-DEV #1697\n[   69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[   69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)\n[   69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261687] ? report_bug (lib/bug.c:?)\n[   69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)\n[   69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)\n[   69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[   69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf\n[   69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[   69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf\n[   69.261712] __napi_poll (net/core/dev.c:7194)\n[   69.261716] net_rx_action (net/core/dev.c:7265)\n[   69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)\n[   69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)\n[   69.261726] handle_softirqs (kernel/softirq.c:561)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header is present in skb->head [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n  ipv6_addr_type include/net/ipv6.h:555 [inline]\n  ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n  ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n  ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n  ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n  ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n  ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n  ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n  __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n  xmit_one net/core/dev.c:3735 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n  sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n  qdisc_restart net/sched/sch_generic.c:408 [inline]\n  __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n  qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n  net_tx_action+0x78b/0x940 net/core/dev.c:5484\n  handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n  __do_softirq+0x14/0x1a kernel/softirq.c:595\n  do_softirq+0x9a/0x100 kernel/softirq.c:462\n  __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n  __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n  dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3132 [inline]\n  packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n  sock_sendmsg_nosec net/socket.c:718 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix the recovery flow of the UMR QP\n\nThis patch addresses an issue in the recovery flow of the UMR QP,\nensuring tasks do not get stuck, as highlighted by the call trace [1].\n\nDuring recovery, before transitioning the QP to the RESET state, the\nsoftware must wait for all outstanding WRs to complete.\n\nFailing to do so can cause the firmware to skip sending some flushed\nCQEs with errors and simply discard them upon the RESET, as per the IB\nspecification.\n\nThis race condition can result in lost CQEs and tasks becoming stuck.\n\nTo resolve this, the patch sends a final WR which serves only as a\nbarrier before moving the QP state to RESET.\n\nOnce a CQE is received for that final WR, it guarantees that no\noutstanding WRs remain, making it safe to transition the QP to RESET and\nsubsequently back to RTS, restoring proper functionality.\n\nNote:\nFor the barrier WR, we simply reuse the failed and ready WR.\nSince the QP is in an error state, it will only receive\nIB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't\ncare about its status.\n\n[1]\nINFO: task rdma_resource_l:1922 blocked for more than 120 seconds.\nTainted: G        W          6.12.0-rc7+ #1626\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:rdma_resource_l state:D stack:0  pid:1922 tgid:1922  ppid:1369\n     flags:0x00004004\nCall Trace:\n<TASK>\n__schedule+0x420/0xd30\nschedule+0x47/0x130\nschedule_timeout+0x280/0x300\n? mark_held_locks+0x48/0x80\n? lockdep_hardirqs_on_prepare+0xe5/0x1a0\nwait_for_completion+0x75/0x130\nmlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]\n? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]\nmlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? __lock_acquire+0x64e/0x2080\n? mark_held_locks+0x48/0x80\n? find_held_lock+0x2d/0xa0\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? __fget_files+0xc3/0x1b0\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f99c918b17b\nRSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:\n     0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:\n     00007f99c918b17b\nRDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:\n     0000000000000003\nRBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:\n     000000000000bd7e\nR10: 00007f99c94c1c70 R11: 0000000000000246 R12:\n     00007ffc766d0530\nR13: 000000000000001c R14: 0000000040246a80 R15:\n     0000000000000000\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix UAF in key_put()\n\nOnce a key's reference count has been reduced to 0, the garbage collector\nthread may destroy it at any time and so key_put() is not allowed to touch\nthe key after that point.  The most key_put() is normally allowed to do is\nto touch key_gc_work as that's a static global variable.\n\nHowever, in an effort to speed up the reclamation of quota, this is now\ndone in key_put() once the key's usage is reduced to 0 - but now the code\nis looking at the key after the deadline, which is forbidden.\n\nFix this by using a flag to indicate that a key can be gc'd now rather than\nlooking at the key's refcount in the garbage collector.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC\n\nActually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only\nENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash\nif VFs are used to test one-step timestamp, the crash log as follows.\n\n[  129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0\n[  129.287769] Call trace:\n[  129.290219]  enetc_port_mac_wr+0x30/0xec (P)\n[  129.294504]  enetc_start_xmit+0xda4/0xe74\n[  129.298525]  enetc_xmit+0x70/0xec\n[  129.301848]  dev_hard_start_xmit+0x98/0x118",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Order the PMU list to fix warning about unordered pmu_ctx_list\n\nSyzkaller triggers a warning due to prev_epc->pmu != next_epc->pmu in\nperf_event_swap_task_ctx_data(). vmcore shows that two lists have the same\nperf_event_pmu_context, but not in the same order.\n\nThe problem is that the order of pmu_ctx_list for the parent is impacted by\nthe time when an event/PMU is added. While the order for a child is\nimpacted by the event order in the pinned_groups and flexible_groups. So\nthe order of pmu_ctx_list in the parent and child may be different.\n\nTo fix this problem, insert the perf_event_pmu_context to its proper place\nafter iteration of the pmu_ctx_list.\n\nThe following testcase can trigger the above warning:\n\n # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out &\n # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out\n\n test.c\n\n void main() {\n        int count = 0;\n        pid_t pid;\n\n        printf(\"%d running\\n\", getpid());\n        sleep(30);\n        printf(\"running\\n\");\n\n        pid = fork();\n        if (pid == -1) {\n                printf(\"fork error\\n\");\n                return;\n        }\n        if (pid == 0) {\n                while (1) {\n                        count++;\n                }\n        } else {\n                while (1) {\n                        count++;\n                }\n        }\n }\n\nThe testcase first opens an LBR event, so it will allocate task_ctx_data,\nand then open tracepoint and software events, so the parent context will\nhave 3 different perf_event_pmu_contexts. On inheritance, child ctx will\ninsert the perf_event_pmu_context in another order and the warning will\ntrigger.\n\n[ mingo: Tidied up the changelog. ]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: revert back to __readahead_folio() for readahead\n\nIn commit 3eab9d7bc2f4 (\"fuse: convert readahead to use folios\"), the\nlogic was converted to using the new folio readahead code, which drops\nthe reference on the folio once it is locked, using an inferred\nreference on the folio. Previously we held a reference on the folio for\nthe entire duration of the readpages call.\n\nThis is fine, however for the case for splice pipe responses where we\nwill remove the old folio and splice in the new folio (see\nfuse_try_move_page()), we assume that there is a reference held on the\nfolio for ap->folios, which is no longer the case.\n\nTo fix this, revert back to __readahead_folio() which allows us to hold\nthe reference on the folio for the duration of readpages until either we\ndrop the reference ourselves in fuse_readpages_end() or the reference is\ndropped after it's replaced in the page cache in the splice case.\nThis will fix the UAF bug that was reported.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix pick_task_scx() picking non-queued tasks when it's called without balance()\n\na6250aa251ea (\"sched_ext: Handle cases where pick_task_scx() is called\nwithout preceding balance_scx()\") added a workaround to handle the cases\nwhere pick_task_scx() is called without preceding balance_scx() which is due\nto a fair class bug where pick_task_fair() may return NULL after a true\nreturn from balance_fair().\n\nThe workaround detects when pick_task_scx() is called without preceding\nbalance_scx() and emulates SCX_RQ_BAL_KEEP and triggers kicking to avoid\nstalling. Unfortunately, the workaround code was testing whether @prev was\non SCX to decide whether to keep the task running. This is incorrect as the\ntask may be on SCX but no longer runnable.\n\nThis could lead to a non-runnable task being returned from pick_task_scx()\nwhich causes interesting confusions and failures. e.g. A common failure mode\nis the task ending up with (!on_rq && on_cpu) state which can cause\npotential wakers to busy loop, which can easily lead to deadlocks.\n\nFix it by testing whether @prev has SCX_TASK_QUEUED set. This makes\n@prev_on_scx only used in one place. Open code the usage and improve the\ncomment while at it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Avoid potential division by zero in function_stat_show()\n\nCheck whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64}\nproduce zero and skip stddev computation in that case.\n\nFor now don't care about rec->counter * rec->counter overflow because\nrec->time * rec->time overflow will likely happen earlier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix bad hist from corrupting named_triggers list\n\nThe following commands cause a crash:\n\n ~# cd /sys/kernel/tracing/events/rcu/rcu_callback\n ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger\n bash: echo: write error: Invalid argument\n ~# echo 'hist:name=bad:keys=common_pid' > trigger\n\nBecause the following occurs:\n\nevent_trigger_write() {\n  trigger_process_regex() {\n    event_hist_trigger_parse() {\n\n      data = event_trigger_alloc(..);\n\n      event_trigger_register(.., data) {\n        cmd_ops->reg(.., data, ..) [hist_register_trigger()] {\n          data->ops->init() [event_hist_trigger_init()] {\n            save_named_trigger(name, data) {\n              list_add(&data->named_list, &named_triggers);\n            }\n          }\n        }\n      }\n\n      ret = create_actions(); (return -EINVAL)\n      if (ret)\n        goto out_unreg;\n[..]\n      ret = hist_trigger_enable(data, ...) {\n        list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!)\n[..]\n out_unreg:\n      event_hist_unregister(.., data) {\n        cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {\n          list_for_each_entry(iter, &file->triggers, list) {\n            if (!hist_trigger_match(data, iter, named_data, false))   <- never matches\n                continue;\n            [..]\n            test = iter;\n          }\n          if (test && test->ops->free) <<<-- test is NULL\n\n            test->ops->free(test) [event_hist_trigger_free()] {\n              [..]\n              if (data->name)\n                del_named_trigger(data) {\n                  list_del(&data->named_list);  <<<<-- NEVER gets removed!\n                }\n              }\n           }\n         }\n\n         [..]\n         kfree(data); <<<-- frees item but it is still on list\n\nThe next time a hist with name is registered, it causes a u-a-f bug and\nthe kernel can crash.\n\nMove the code around such that if event_trigger_register() succeeds, the\nnext thing called is hist_trigger_enable() which adds it to the list.\n\nA bunch of actions is called if get_named_trigger_data() returns false.\nBut that doesn't need to be called after event_trigger_register(), so it\ncan be moved up, allowing event_trigger_register() to be called just\nbefore hist_trigger_enable() keeping them together and allowing the\nfile->triggers to be properly populated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a deadlock when recovering state on a sillyrenamed file\n\nIf the file is sillyrenamed, and slated for delete on close, it is\npossible for a server reboot to trigger an open reclaim, which can again\nrace with the application call to close(). When that happens, the call\nto put_nfs_open_context() can trigger a synchronous delegreturn call\nwhich deadlocks because it is not marked as privileged.\n\nInstead, ensure that the call to nfs4_inode_return_delegation_on_close()\ncatches the delegreturn, and schedules it asynchronously.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Add sanity checks on rdev validity\n\nThere is a possibility that ulp_irq_stop and ulp_irq_start\ncallbacks will be called when the device is in detached state.\nThis can cause a crash due to NULL pointer dereference as\nthe rdev is already freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: typec: ucsi: Introduce a ->poll_cci method\n\nFor the ACPI backend of UCSI the UCSI \"registers\" are just a memory copy\nof the register values in an opregion. The ACPI implementation in the\nBIOS ensures that the opregion contents are synced to the embedded\ncontroller and it ensures that the registers (in particular CCI) are\nsynced back to the opregion on notifications. While there is an ACPI call\nthat syncs the actual registers to the opregion there is rarely a need to\ndo this and on some ACPI implementations it actually breaks in various\ninteresting ways.\n\nThe only reason to force a sync from the embedded controller is to poll\nCCI while notifications are disabled. Only the ucsi core knows if this\nis the case and guessing based on the current command is suboptimal, i.e.\nleading to the following spurious assertion splat:\n\nWARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1\nHardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023\nWorkqueue: events_long ucsi_init_work [typec_ucsi]\nRIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCall Trace:\n <TASK>\n ucsi_init_work+0x3c/0xac0 [typec_ucsi]\n process_one_work+0x179/0x330\n worker_thread+0x252/0x390\n kthread+0xd2/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThus introduce a ->poll_cci() method that works like ->read_cci() with an\nadditional forced sync and document that this should be used when polling\nwith notifications disabled. For all other backends that presumably don't\nhave this issue use the same implementation for both methods.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp i3c: handle NULL header address\n\ndaddr can be NULL if there is no neighbour table entry present,\nin that case the tx packet should be dropped.\n\nsaddr will usually be set by MCTP core, but check for NULL in case a\npacket is transmitted by a different protocol.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif_virtio: fix wrong pointer check in cfv_probe()\n\ndel_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked\nfor NULL before calling it, not cfv->vdev. Also the current implementation\nis redundant because the pointer cfv->vdev is dereferenced before it is\nchecked for NULL.\n\nFix this by checking cfv->vq_tx for NULL instead of cfv->vdev before\ncalling del_vqs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: limit printed string from FW file\n\nThere's no guarantee here that the file is always with a\nNUL-termination, so reading the string may read beyond the\nend of the TLV. If that's the last TLV in the file, it can\nperhaps even read beyond the end of the file buffer.\n\nFix that by limiting the print format to the size of the\nbuffer we have.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: clean up ROC on failure\n\nIf the firmware fails to start the session protection, then we\ndo call iwl_mvm_roc_finished() here, but that won't do anything\nat all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set.\nSet IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path.\nIf it started successfully before, it's already set, so that\ndoesn't matter, and if it didn't start it needs to be set to\nclean up.\n\nNot doing so will lead to a WARN_ON() later on a fresh remain-\non-channel, since the link is already active when activated as\nit was never deactivated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memory-failure: update ttu flag inside unmap_poisoned_folio\n\nPatch series \"mm: memory_failure: unmap poisoned folio during migrate\nproperly\", v3.\n\nFix two bugs during folio migration if the folio is poisoned.\n\n\nThis patch (of 3):\n\nCommit 6da6b1d4a7df (\"mm/hwpoison: convert TTU_IGNORE_HWPOISON to\nTTU_HWPOISON\") introduced TTU_HWPOISON to replace TTU_IGNORE_HWPOISON in\norder to stop sending a SIGBUS signal when accessing an error page after a\nmemory error on a clean folio.  However during page migration, anon folio\nmust be set with TTU_HWPOISON during unmap_*().  For pagecache we need\nsome policy just like the one in hwpoison_user_mappings to set this flag.\nSo move this policy from hwpoison_user_mappings to unmap_poisoned_folio to\nhandle this warning properly.\n\nA warning will be produced while unmapping a poisoned folio with the following log:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 365 at mm/rmap.c:1847 try_to_unmap_one+0x8fc/0xd3c\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 365 Comm: bash Tainted: G        W          6.13.0-rc1-00018-gacdb4bbda7ab #42\n  Tainted: [W]=WARN\n  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n  pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : try_to_unmap_one+0x8fc/0xd3c\n  lr : try_to_unmap_one+0x3dc/0xd3c\n  Call trace:\n   try_to_unmap_one+0x8fc/0xd3c (P)\n   try_to_unmap_one+0x3dc/0xd3c (L)\n   rmap_walk_anon+0xdc/0x1f8\n   rmap_walk+0x3c/0x58\n   try_to_unmap+0x88/0x90\n   unmap_poisoned_folio+0x30/0xa8\n   do_migrate_range+0x4a0/0x568\n   offline_pages+0x5a4/0x670\n   memory_block_action+0x17c/0x374\n   memory_subsys_offline+0x3c/0x78\n   device_offline+0xa4/0xd0\n   state_store+0x8c/0xf0\n   dev_attr_store+0x18/0x2c\n   sysfs_kf_write+0x44/0x54\n   kernfs_fop_write_iter+0x118/0x1a8\n   vfs_write+0x3a8/0x4bc\n   ksys_write+0x6c/0xf8\n   __arm64_sys_write+0x1c/0x28\n   invoke_syscall+0x44/0x100\n   el0_svc_common.constprop.0+0x40/0xe0\n   do_el0_svc+0x1c/0x28\n   el0_svc+0x30/0xd0\n   el0t_64_sync_handler+0xc8/0xcc\n   el0t_64_sync+0x198/0x19c\n  ---[ end trace 0000000000000000 ]---\n\n[mawupeng1@huawei.com: unmap_poisoned_folio(): remove shadowed local `mapping', per Miaohe]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: fix nfs_release_folio() to not deadlock via kcompactd writeback\n\nAdd PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so\nnfs_release_folio() can skip calling nfs_wb_folio() from kcompactd.\n\nOtherwise NFS can deadlock waiting for kcompactd induced writeback which\nrecurses back to NFS (which triggers writeback to NFSD via NFS loopback\nmount on the same host, NFSD blocks waiting for XFS's call to\n__filemap_get_folio):\n\n6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds.\n\n{---\n[58] \"kcompactd0\"\n[<0>] folio_wait_bit+0xe8/0x200\n[<0>] folio_wait_writeback+0x2b/0x80\n[<0>] nfs_wb_folio+0x80/0x1b0 [nfs]\n[<0>] nfs_release_folio+0x68/0x130 [nfs]\n[<0>] split_huge_page_to_list_to_order+0x362/0x840\n[<0>] migrate_pages_batch+0x43d/0xb90\n[<0>] migrate_pages_sync+0x9a/0x240\n[<0>] migrate_pages+0x93c/0x9f0\n[<0>] compact_zone+0x8e2/0x1030\n[<0>] compact_node+0xdb/0x120\n[<0>] kcompactd+0x121/0x2e0\n[<0>] kthread+0xcf/0x100\n[<0>] ret_from_fork+0x31/0x40\n[<0>] ret_from_fork_asm+0x1a/0x30\n---}\n\n[akpm@linux-foundation.org: fix build]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject cooked mode if it is set along with other flags\n\nIt is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE\nflags simultaneously on the same monitor interface from the userspace. This\ncauses a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit\nset because the monitor interface is in the cooked state and it takes\nprecedence over all other states. When the interface is then being deleted\nthe kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing\nthat bit.\n\nFix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with\nother flags.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: regulatory: improve invalid hints checking\n\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\nsent from userspace get through into user_alpha2[] via\nregulatory_hint_user() call. Such invalid regulatory hints should be\nrejected.\n\nWhile a sanity check from commit 47caf685a685 (\"cfg80211: regulatory:\nreject invalid hints\") looks to be enough to deter these very cases,\nthere is a way to get around it due to 2 reasons.\n\n1) The way isalpha() works, symbols other than latin lower and\nupper letters may be used to determine a country/domain.\nFor instance, greek letters will also be considered upper/lower\nletters and for such characters isalpha() will return true as well.\nHowever, ISO-3166-1 alpha2 codes should only hold latin\ncharacters.\n\n2) While processing a user regulatory request, between\nreg_process_hint_user() and regulatory_hint_user() there happens to\nbe a call to queue_regulatory_request() which modifies letters in\nrequest->alpha2[] with toupper(). This works fine for latin symbols,\nless so for weird letter characters from the second part of _ctype[].\n\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\nover an unexpected non-latin letter that gets malformed by toupper()\ninto a character that ends up failing isalpha() check.\n\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\nsymbols are latin letters and nothing else.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nUnexpected user alpha2: A\ufffd\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\nModules linked in:\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_power_efficient crda_timeout_work\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\n...\nCall Trace:\n <TASK>\n crda_timeout_work+0x27/0x50 net/wireless/reg.c:542\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: avoid deadlock on fence release\n\nDo scheduler queue fence release processing on a workqueue, rather\nthan in the release function itself.\n\nFixes deadlock issues such as the following:\n\n[  607.400437] ============================================\n[  607.405755] WARNING: possible recursive locking detected\n[  607.415500] --------------------------------------------\n[  607.420817] weston:zfq0/24149 is trying to acquire lock:\n[  607.426131] ffff000017d041a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: pvr_gem_object_vunmap+0x40/0xc0 [powervr]\n[  607.436728]\n               but task is already holding lock:\n[  607.442554] ffff000017d105a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: dma_buf_ioctl+0x250/0x554\n[  607.451727]\n               other info that might help us debug this:\n[  607.458245]  Possible unsafe locking scenario:\n\n[  607.464155]        CPU0\n[  607.466601]        ----\n[  607.469044]   lock(reservation_ww_class_mutex);\n[  607.473584]   lock(reservation_ww_class_mutex);\n[  607.478114]\n                *** DEADLOCK ***",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: rcar: Use raw_spinlock to protect register access\n\nUse raw_spinlock in order to fix spurious messages about invalid context\nwhen spinlock debugging is enabled. The lock is only used to serialize\nregister access.\n\n    [    4.239592] =============================\n    [    4.239595] [ BUG: Invalid wait context ]\n    [    4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted\n    [    4.239603] -----------------------------\n    [    4.239606] kworker/u8:5/76 is trying to lock:\n    [    4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.239641] other info that might help us debug this:\n    [    4.239643] context-{5:5}\n    [    4.239646] 5 locks held by kworker/u8:5/76:\n    [    4.239651]  #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c\n    [    4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value.\n    [    4.254094]  #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c\n    [    4.254109]  #2: ffff00000920c8f8\n    [    4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value.\n    [    4.264803]  (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc\n    [    4.264820]  #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690\n    [    4.264840]  #4:\n    [    4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value.\n    [    4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690\n    [    4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz\n    [    4.304082] stack backtrace:\n    [    4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35\n    [    4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    [    4.304097] Workqueue: async async_run_entry_fn\n    [    4.304106] Call trace:\n    [    4.304110]  show_stack+0x14/0x20 (C)\n    [    4.304122]  dump_stack_lvl+0x6c/0x90\n    [    4.304131]  dump_stack+0x14/0x1c\n    [    4.304138]  __lock_acquire+0xdfc/0x1584\n    [    4.426274]  lock_acquire+0x1c4/0x33c\n    [    4.429942]  _raw_spin_lock_irqsave+0x5c/0x80\n    [    4.434307]  gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.440061]  gpio_rcar_irq_set_type+0xd4/0xd8\n    [    4.444422]  __irq_set_trigger+0x5c/0x178\n    [    4.448435]  __setup_irq+0x2e4/0x690\n    [    4.452012]  request_threaded_irq+0xc4/0x190\n    [    4.456285]  devm_request_threaded_irq+0x7c/0xf4\n    [    4.459398] ata1: link resume succeeded after 1 retries\n    [    4.460902]  mmc_gpiod_request_cd_irq+0x68/0xe0\n    [    4.470660]  mmc_start_host+0x50/0xac\n    [    4.474327]  mmc_add_host+0x80/0xe4\n    [    4.477817]  tmio_mmc_host_probe+0x2b0/0x440\n    [    4.482094]  renesas_sdhi_probe+0x488/0x6f4\n    [    4.486281]  renesas_sdhi_internal_dmac_probe+0x60/0x78\n    [    4.491509]  platform_probe+0x64/0xd8\n    [    4.495178]  really_probe+0xb8/0x2a8\n    [    4.498756]  __driver_probe_device+0x74/0x118\n    [    4.503116]  driver_probe_device+0x3c/0x154\n    [    4.507303]  __device_attach_driver+0xd4/0x160\n    [    4.511750]  bus_for_each_drv+0x84/0xe0\n    [    4.515588]  __device_attach_async_helper+0xb0/0xdc\n    [    4.520470]  async_run_entry_fn+0x30/0xd8\n    [    4.524481]  process_one_work+0x210/0x62c\n    [    4.528494]  worker_thread+0x1ac/0x340\n    [    4.532245]  kthread+0x10c/0x110\n    [    4.535476]  ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()\n\nXen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests.  This results\nin the following warning:\n\n  unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0)\n  Call Trace:\n   xen_read_msr+0x1e/0x30\n   amd_get_mmconfig_range+0x2b/0x80\n   quirk_amd_mmconfig_area+0x28/0x100\n   pnp_fixup_device+0x39/0x50\n   __pnp_add_device+0xf/0x150\n   pnp_add_device+0x3d/0x100\n   pnpacpi_add_device_handler+0x1f9/0x280\n   acpi_ns_get_device_callback+0x104/0x1c0\n   acpi_ns_walk_namespace+0x1d0/0x260\n   acpi_get_devices+0x8a/0xb0\n   pnpacpi_init+0x50/0x80\n   do_one_initcall+0x46/0x2e0\n   kernel_init_freeable+0x1da/0x2f0\n   kernel_init+0x16/0x1b0\n   ret_from_fork+0x30/0x50\n   ret_from_fork_asm+0x1b/0x30\n\nbased on quirks for a \"PNP0c01\" device.  Treating MMCFG as disabled is the\nright course of action, so no change is needed there.\n\nThis was most likely exposed by fixing the Xen MSR accessors to not be\nsilently-safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: messaging: Free transaction ID in delayed interrupt scenario\n\nIn case of interrupt delay for any reason, slim_do_transfer()\nreturns timeout error but the transaction ID (TID) is not freed.\nThis results in invalid memory access inside\nqcom_slim_ngd_rx_msgq_cb() due to invalid TID.\n\nFix the issue by freeing the TID in slim_do_transfer() before\nreturning timeout error to avoid invalid memory access.\n\nCall trace:\n__memcpy_fromio+0x20/0x190\nqcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl]\nvchan_complete+0x2a0/0x4a0\ntasklet_action_common+0x274/0x700\ntasklet_action+0x28/0x3c\n_stext+0x188/0x620\nrun_ksoftirqd+0x34/0x74\nsmpboot_thread_fn+0x1d8/0x464\nkthread+0x178/0x238\nret_from_fork+0x10/0x20\nCode: aa0003e8 91000429 f100044a 3940002b (3800150b)\n---[ end trace 0fe00bec2b975c99 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdx: Fix possible UAF error in driver_override_show()\n\nFixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c\n\nThis function driver_override_show() is part of DEVICE_ATTR_RW, which\nincludes both driver_override_show() and driver_override_store().\nThese functions can be executed concurrently in sysfs.\n\nThe driver_override_store() function uses driver_set_override() to\nupdate the driver_override value, and driver_set_override() internally\nlocks the device (device_lock(dev)). If driver_override_show() reads\ncdx_dev->driver_override without locking, it could potentially access\na freed pointer if driver_override_store() frees the string\nconcurrently. This could lead to printing a kernel address, which is a\nsecurity risk since DEVICE_ATTR can be read by all users.\n\nAdditionally, a similar pattern is used in drivers/amba/bus.c, as well\nas many other bus drivers, where device_lock() is taken in the show\nfunction, and it has been working without issues.\n\nThis potential bug was detected by our experimental static analysis\ntool, which analyzes locking APIs and paired functions to identify\ndata races and atomicity violations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix a flaw in existing endpoint checks\n\nSyzbot once again identified a flaw in usb endpoint checking, see [1].\nThis time the issue stems from a commit authored by me (2eabb655a968\n(\"usb: atm: cxacru: fix endpoint checking in cxacru_bind()\")).\n\nWhile using usb_find_common_endpoints() may usually be enough to\ndiscard devices with wrong endpoints, in this case one needs more\nthan just finding and identifying the sufficient number of endpoints\nof correct types - one needs to check the endpoint's address as well.\n\nSince cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind,\nswitch the endpoint verification approach to usb_check_XXX_endpoints()\ninstead to fix incomplete ep testing.\n\n[1] Syzbot report:\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nRIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649\n cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline]\n cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223\n usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058\n cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377\n usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396\n really_probe+0x2b9/0xad0 drivers/base/dd.c:658\n __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800\n driver_probe_device+0x50/0x430 drivers/base/dd.c:830\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Flush the notify_hotplug_work\n\nWhen performing continuous unbind/bind operations on the USB drivers\navailable on the Renesas RZ/G2L SoC, a kernel crash with the message\n\"Unable to handle kernel NULL pointer dereference at virtual address\"\nmay occur. This issue points to the usbhsc_notify_hotplug() function.\n\nFlush the delayed work to avoid its execution when driver resources are\nunavailable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Fix NULL pointer access\n\nResources should be released only after all threads that utilize them\nhave been destroyed.\nThis commit ensures that resources are not released prematurely by waiting\nfor the associated workqueue to complete before deallocating them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq.\nThis 'prev' pointer can originate from struct rq's leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same\nleaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.\n\nThis adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the 'prev' pointer against the current rq's list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: enforce underlying device type\n\nCurrently, VLAN devices can be created on top of non-ethernet devices.\n\nBesides the fact that it doesn't make much sense, this also causes a\nbug which leaks the address of a kernel function to usermode.\n\nWhen creating a VLAN device, we initialize GARP (garp_init_applicant)\nand MRP (mrp_init_applicant) for the underlying device.\n\nAs part of the initialization process, we add the multicast address of\neach applicant to the underlying device, by calling dev_mc_add.\n\n__dev_mc_add uses dev->addr_len to determine the length of the new\nmulticast address.\n\nThis causes an out-of-bounds read if dev->addr_len is greater than 6,\nsince the multicast addresses provided by GARP and MRP are only 6\nbytes long.\n\nThis behaviour can be reproduced using the following commands:\n\nip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo\nip l set up dev gretest\nip link add link gretest name vlantest type vlan id 100\n\nThen, the following command will display the address of garp_pdu_rcv:\n\nip maddr show | grep 01:80:c2:00:00:21\n\nFix the bug by enforcing the type of the underlying device during VLAN\ndevice initialization.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev's\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that's used for\nerror handling :\n\n       if (!phydev) {\n               NL_SET_ERR_MSG_ATTR(extack, header,\n                                   \"no phy matching phyindex\");\n               return ERR_PTR(-ENODEV);\n       }\n\nIn the notify path after a ->set operation however, there's no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t      info->extack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there's only the PLCA command that is in that case, as\nthe other phydev-specific commands don't have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: Fix KMSAN uninit-value warning with bpf\n\nSyzbot caught a \"KMSAN: uninit-value\" warning [1], which is caused by the\nppp driver not initializing a 2-byte header when using socket filter.\n\nThe following code can generate a PPP filter BPF program:\n'''\nstruct bpf_program fp;\npcap_t *handle;\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\npcap_compile(handle, &fp, \"ip and outbound\", 0, 0);\nbpf_dump(&fp, 1);\n'''\nIts output is:\n'''\n(000) ldh [2]\n(001) jeq #0x21 jt 2 jf 5\n(002) ldb [0]\n(003) jeq #0x1 jt 4 jf 5\n(004) ret #65535\n(005) ret #0\n'''\nWe can find similar code at the following link:\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\nThe maintainer of this code repository is also the original maintainer\nof the ppp driver.\n\nAs you can see the BPF program skips 2 bytes of data and then reads the\n'Protocol' field to determine if it's an IP packet. Then it reads the first\nbyte of the first 2 bytes to determine the direction.\n\nThe issue is that only the first byte indicating direction is initialized\nin current ppp driver code while the second byte is not initialized.\n\nFor normal BPF programs generated by libpcap, uninitialized data won't be\nused, so it's not a problem. However, for carefully crafted BPF programs,\nsuch as those generated by syzkaller [2], which start reading from offset\n0, the uninitialized data will be used and caught by KMSAN.\n\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\n[2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-steam: Fix use-after-free when detaching device\n\nWhen a hid-steam device is removed it must clean up the client_hdev used for\nintercepting hidraw access. This can lead to scheduling deferred work to\nreattach the input device. Though the cleanup cancels the deferred work, this\nwas done before the client_hdev itself is cleaned up, so it gets rescheduled.\nThis patch fixes the ordering to make sure the deferred work is properly\ncanceled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.7"
        },
        {
          "id": "CVE-2025-21924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error\n\nDuring the initialization of ptp, hclge_ptp_get_cycle might return an error\nand returned directly without unregister clock and free it. To avoid that,\ncall hclge_ptp_destroy_clock to unregister and free clock if\nhclge_ptp_get_cycle failed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: do not use skb_get() before dev_queue_xmit()\n\nsyzbot is able to crash hosts [1], using llc and devices\nnot supporting IFF_TX_SKB_SHARING.\n\nIn this case, e1000 driver calls eth_skb_pad(), while\nthe skb is shared.\n\nSimply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c\n\nNote that e1000 driver might have an issue with pktgen,\nbecause it does not clear IFF_TX_SKB_SHARING, this is an\northogonal change.\n\nWe need to audit other skb_get() uses in net/llc.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2178 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178\nCall Trace:\n <TASK>\n  __skb_pad+0x18a/0x610 net/core/skbuff.c:2466\n  __skb_put_padto include/linux/skbuff.h:3843 [inline]\n  skb_put_padto include/linux/skbuff.h:3862 [inline]\n  eth_skb_pad include/linux/etherdevice.h:656 [inline]\n  e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128\n  __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n  netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n  xmit_one net/core/dev.c:3806 [inline]\n  dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822\n  sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n  __dev_xmit_skb net/core/dev.c:4045 [inline]\n  __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621\n  dev_queue_xmit include/linux/netdevice.h:3313 [inline]\n  llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209\n  llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993\n  sock_sendmsg_nosec net/socket.c:718 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments' data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()\n\nnvme_tcp_recv_pdu() doesn't check the validity of the header length.\nWhen header digests are enabled, a target might send a packet with an\ninvalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()\nto access memory outside the allocated area and cause memory corruptions\nby overwriting it with the calculated digest.\n\nFix this by rejecting packets with an unexpected header length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()\n\nThe system can experience a random crash a few minutes after the driver is\nremoved. This issue occurs due to improper handling of memory freeing in\nthe ishtp_hid_remove() function.\n\nThe function currently frees the `driver_data` directly within the loop\nthat destroys the HID devices, which can lead to accessing freed memory.\nSpecifically, `hid_destroy_device()` uses `driver_data` when it calls\n`hid_ishtp_set_feature()` to power off the sensor, so freeing\n`driver_data` beforehand can result in accessing invalid memory.\n\nThis patch resolves the issue by storing the `driver_data` in a temporary\nvariable before calling `hid_destroy_device()`, and then freeing the\n`driver_data` after the device is destroyed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()\n\nDuring the `rmmod` operation for the `intel_ishtp_hid` driver, a\nuse-after-free issue can occur in the hid_ishtp_cl_remove() function.\nThe function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(),\nwhich can lead to accessing freed memory or resources during the\nremoval process.\n\nCall Trace:\n ? ishtp_cl_send+0x168/0x220 [intel_ishtp]\n ? hid_output_report+0xe3/0x150 [hid]\n hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid]\n ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid]\n hid_hw_request+0x1f/0x40 [hid]\n sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub]\n _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger]\n hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger]\n sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub]\n hid_device_remove+0x49/0xb0 [hid]\n hid_destroy_device+0x6f/0x90 [hid]\n ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid]\n hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid]\n ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp]\n ...\n\nAdditionally, ishtp_hid_remove() is a HID level power off, which should\noccur before the ISHTP level disconnect.\n\nThis patch resolves the issue by reordering the calls in\nhid_ishtp_cl_remove(). The function ishtp_hid_remove() is now\ncalled before hid_ishtp_cl_deinit().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't try to talk to a dead firmware\n\nThis fixes:\n\n bad state = 0\n WARNING: CPU: 10 PID: 702 at drivers/net/wireless/inel/iwlwifi/iwl-trans.c:178 iwl_trans_send_cmd+0xba/0xe0 [iwlwifi]\n Call Trace:\n  <TASK>\n  ? __warn+0xca/0x1c0\n  ? iwl_trans_send_cmd+0xba/0xe0 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4]\n  iwl_fw_dbg_clear_monitor_buf+0xd7/0x110 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4]\n  _iwl_dbgfs_fw_dbg_clear_write+0xe2/0x120 [iwlmvm 0e8adb18cea92d2c341766bcc10b18699290068a]\n\nAsk whether the firmware is alive before sending a command.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio\n\nCommit b15c87263a69 (\"hwpoison, memory_hotplug: allow hwpoisoned pages to\nbe offlined) add page poison checks in do_migrate_range in order to make\noffline hwpoisoned page possible by introducing isolate_lru_page and\ntry_to_unmap for hwpoisoned page.  However folio lock must be held before\ncalling try_to_unmap.  Add it to fix this problem.\n\nWarning will be produced if folio is not locked during unmap:\n\n  ------------[ cut here ]------------\n  kernel BUG at ./include/linux/swapops.h:400!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n  Modules linked in:\n  CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G        W          6.13.0-rc1-00016-g3c434c7ee82a-dirty #41\n  Tainted: [W]=WARN\n  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n  pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : try_to_unmap_one+0xb08/0xd3c\n  lr : try_to_unmap_one+0x3dc/0xd3c\n  Call trace:\n   try_to_unmap_one+0xb08/0xd3c (P)\n   try_to_unmap_one+0x3dc/0xd3c (L)\n   rmap_walk_anon+0xdc/0x1f8\n   rmap_walk+0x3c/0x58\n   try_to_unmap+0x88/0x90\n   unmap_poisoned_folio+0x30/0xa8\n   do_migrate_range+0x4a0/0x568\n   offline_pages+0x5a4/0x670\n   memory_block_action+0x17c/0x374\n   memory_subsys_offline+0x3c/0x78\n   device_offline+0xa4/0xd0\n   state_store+0x8c/0xf0\n   dev_attr_store+0x18/0x2c\n   sysfs_kf_write+0x44/0x54\n   kernfs_fop_write_iter+0x118/0x1a8\n   vfs_write+0x3a8/0x4bc\n   ksys_write+0x6c/0xf8\n   __arm64_sys_write+0x1c/0x28\n   invoke_syscall+0x44/0x100\n   el0_svc_common.constprop.0+0x40/0xe0\n   do_el0_svc+0x1c/0x28\n   el0_svc+0x30/0xd0\n   el0t_64_sync_handler+0xc8/0xcc\n   el0t_64_sync+0x198/0x19c\n  Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: abort vma_modify() on merge out of memory failure\n\nThe remainder of vma_modify() relies upon the vmg state remaining pristine\nafter a merge attempt.\n\nUsually this is the case, however in the one edge case scenario of a merge\nattempt failing not due to the specified range being unmergeable, but\nrather due to an out of memory error arising when attempting to commit the\nmerge, this assumption becomes untrue.\n\nThis results in vmg->start, end being modified, and thus the proceeding\nattempts to split the VMA will be done with invalid start/end values.\n\nThankfully, it is likely practically impossible for us to hit this in\nreality, as it would require a maple tree node pre-allocation failure that\nwould likely never happen due to it being 'too small to fail', i.e.  the\nkernel would simply keep retrying reclaim until it succeeded.\n\nHowever, this scenario remains theoretically possible, and what we are\ndoing here is wrong so we must correct it.\n\nThe safest option is, when this scenario occurs, to simply give up the\noperation.  If we cannot allocate memory to merge, then we cannot allocate\nmemory to split either (perhaps moreso!).\n\nAny scenario where this would be happening would be under very extreme\n(likely fatal) memory pressure, so it's best we give up early.\n\nSo there is no doubt it is appropriate to simply bail out in this\nscenario.\n\nHowever, in general we must if at all possible never assume VMG state is\nstable after a merge attempt, since merge operations update VMG fields. \nAs a result, additionally also make this clear by storing start, end in\nlocal variables.\n\nThe issue was reported originally by syzkaller, and by Brad Spengler (via\nan off-list discussion), and in both instances it manifested as a\ntriggering of the assert:\n\n\tVM_WARN_ON_VMG(start >= end, vmg);\n\nIn vma_merge_existing_range().\n\nIt seems at least one scenario in which this is occurring is one in which\nthe merge being attempted is due to an madvise() across multiple VMAs\nwhich looks like this:\n\n        start     end\n          |<------>|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWhen madvise_walk_vmas() is invoked, we first find vma in the above\n(determining prev to be equal to vma as we are offset into vma), and then\nenter the loop.\n\nWe determine the end of vma that forms part of the range we are\nmadvise()'ing by setting 'tmp' to this value:\n\n\t\t/* Here vma->vm_start <= start < (end|vma->vm_end) */\n\t\ttmp = vma->vm_end;\n\nWe then invoke the madvise() operation via visit(), letting prev get\nupdated to point to vma as part of the operation:\n\n\t\t/* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */\n\t\terror = visit(vma, &prev, start, tmp, arg);\n\nWhere the visit() function pointer in this instance is\nmadvise_vma_behavior().\n\nAs observed in syzkaller reports, it is ultimately madvise_update_vma()\nthat is invoked, calling vma_modify_flags_name() and vma_modify() in turn.\n\nThen, in vma_modify(), we attempt the merge:\n\n\tmerged = vma_merge_existing_range(vmg);\n\tif (merged)\n\t\treturn merged;\n\nWe invoke this with vmg->start, end set to start, tmp as such:\n\n        start  tmp\n          |<--->|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nWe find ourselves in the merge right scenario, but the one in which we\ncannot remove the middle (we are offset into vma).\n\nHere we have a special case where vmg->start, end get set to perhaps\nunintuitive values - we intended to shrink the middle VMA and expand the\nnext.\n\nThis means vmg->start, end are set to...  vma->vm_start, start.\n\nNow the commit_merge() fails, and vmg->start, end are left like this. \nThis means we return to the rest of vma_modify() with vmg->start, end\n(here denoted as start', end') set as:\n\n  start' end'\n     |<-->|\n     |----------|------|\n     |   vma    | next |\n     |----------|------|\n\nSo we now erroneously try to split accordingly.  This is where the\nunfortunate\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm: pgtable: fix NULL pointer dereference issue\n\nWhen update_mmu_cache_range() is called by update_mmu_cache(), the vmf\nparameter is NULL, which will cause a NULL pointer dereference issue in\nadjust_pte():\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000030 when read\nHardware name: Atmel AT91SAM9\nPC is at update_mmu_cache_range+0x1e0/0x278\nLR is at pte_offset_map_rw_nolock+0x18/0x2c\nCall trace:\n update_mmu_cache_range from remove_migration_pte+0x29c/0x2ec\n remove_migration_pte from rmap_walk_file+0xcc/0x130\n rmap_walk_file from remove_migration_ptes+0x90/0xa4\n remove_migration_ptes from migrate_pages_batch+0x6d4/0x858\n migrate_pages_batch from migrate_pages+0x188/0x488\n migrate_pages from compact_zone+0x56c/0x954\n compact_zone from compact_node+0x90/0xf0\n compact_node from kcompactd+0x1d4/0x204\n kcompactd from kthread+0x120/0x12c\n kthread from ret_from_fork+0x14/0x38\nException stack(0xc0d8bfb0 to 0xc0d8bff8)\n\nTo fix it, do not rely on whether 'ptl' is equal to decide whether to hold\nthe pte lock, but decide it by whether CONFIG_SPLIT_PTE_PTLOCKS is\nenabled.  In addition, if two vmas map to the same PTE page, there is no\nneed to hold the pte lock again, otherwise a deadlock will occur.  Just\nadd the need_lock parameter to let adjust_pte() know this information.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: fix an API misuse when rio_add_net() fails\n\nrio_add_net() calls device_register() and fails when device_register()\nfails.  Thus, put_device() should be used rather than kfree().  Add\n\"mport->net = NULL;\" to avoid a use after free issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: add check for rio_add_net() in rio_scan_alloc_net()\n\nThe return value of rio_add_net() should be checked.  If it fails,\nput_device() should be called to free the memory and give up the reference\ninitialized in rio_add_net().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()\n\nAdd check for the return value of mgmt_alloc_skb() in\nmgmt_device_connected() to prevent null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()\n\nAdd check for the return value of mgmt_alloc_skb() in\nmgmt_remote_name() to prevent null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr\n\nIf multiple connection requests attempt to create an implicit mptcp\nendpoint in parallel, more than one caller may end up in\nmptcp_pm_nl_append_new_local_addr because none found the address in\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id.  In this\ncase, the concurrent new_local_addr calls may delete the address entry\ncreated by the previous caller.  These deletes use synchronize_rcu, but\nthis is not permitted in some of the contexts where this function may be\ncalled.  During packet recv, the caller may be in a rcu read critical\nsection and have preemption disabled.\n\nAn example stack:\n\n   BUG: scheduling while atomic: swapper/2/0/0x00000302\n\n   Call Trace:\n   <IRQ>\n   dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\n   dump_stack (lib/dump_stack.c:124)\n   __schedule_bug (kernel/sched/core.c:5943)\n   schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\n   __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\n   schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\n   schedule_timeout (kernel/time/timer.c:2160)\n   wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\n   __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\n   synchronize_rcu (kernel/rcu/tree.c:3609)\n   mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\n   mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\n   mptcp_pm_get_local_id (net/mptcp/pm.c:420)\n   subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\n   subflow_v4_route_req (net/mptcp/subflow.c:305)\n   tcp_conn_request (net/ipv4/tcp_input.c:7216)\n   subflow_v4_conn_request (net/mptcp/subflow.c:651)\n   tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\n   tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\n   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\n   ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\n   ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\n   ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\n   ip_sublist_rcv (net/ipv4/ip_input.c:640)\n   ip_list_rcv (net/ipv4/ip_input.c:675)\n   __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\n   netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\n   napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\n   igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\n   __napi_poll (net/core/dev.c:6582)\n   net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\n   handle_softirqs (kernel/softirq.c:553)\n   __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\n   irq_exit_rcu (kernel/softirq.c:651)\n   common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\n   </IRQ>\n\nThis problem seems particularly prevalent if the user advertises an\nendpoint that has a different external vs internal address.  In the case\nwhere the external address is advertised and multiple connections\nalready exist, multiple subflow SYNs arrive in parallel which tends to\ntrigger the race during creation of the first local_addr_list entries\nwhich have the internal address instead.\n\nFix by skipping the replacement of an existing implicit local address if\ncalled via mptcp_pm_nl_get_local_id.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hmm: Don't dereference struct page pointers without notifier lock\n\nThe pnfs that we obtain from hmm_range_fault() point to pages that\nwe don't have a reference on, and the guarantee that they are still\nin the cpu page-tables is that the notifier lock must be held and the\nnotifier seqno is still valid.\n\nSo while building the sg table and marking the pages accesses / dirty\nwe need to hold this lock with a validated seqno.\n\nHowever, the lock is reclaim tainted which makes\nsg_alloc_table_from_pages_segment() unusable, since it internally\nallocates memory.\n\nInstead build the sg-table manually. For the non-iommu case\nthis might lead to fewer coalesces, but if that's a problem it can\nbe fixed up later in the resource cursor code. For the iommu case,\nthe whole sg-table may still be coalesced to a single contiguous\ndevice va region.\n\nThis avoids marking pages that we don't own dirty and accessed, and\nit also avoids dereferencing struct pages that we don't own.\n\nv2:\n- Use assert to check whether hmm pfns are valid (Matthew Auld)\n- Take into account that large pages may cross range boundaries\n  (Matthew Auld)\n\nv3:\n- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)\n- Add a missing up_read() in an error path. (Matthew Auld)\n\n(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix NULL Pointer Dereference in KFD queue\n\nThrough KFD IOCTL Fuzzing we encountered a NULL pointer dereference\nwhen calling kfd_queue_acquire_buffers.\n\n(cherry picked from commit 049e5bf3c8406f87c3d8e1958e0a16804fa1d530)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params\n\nNull pointer dereference issue could occur when pipe_ctx->plane_state\nis null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not\nnull before accessing. This prevents a null pointer dereference.\n\nFound by code review.\n\n(cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix extent range end unlock in cow_file_range()\n\nRunning generic/751 on the for-next branch often results in a hang like\nbelow. They are both stuck by locking an extent. This suggests someone\nforgot to unlock an extent.\n\n  INFO: task kworker/u128:1:12 blocked for more than 323 seconds.\n        Not tainted 6.13.0-BTRFS-ZNS+ #503\n  \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  task:kworker/u128:1  state:D stack:0     pid:12    tgid:12    ppid:2      flags:0x00004000\n  Workqueue: btrfs-fixup btrfs_work_helper [btrfs]\n  Call Trace:\n   <TASK>\n   __schedule+0x534/0xdd0\n   schedule+0x39/0x140\n   __lock_extent+0x31b/0x380 [btrfs]\n   ? __pfx_autoremove_wake_function+0x10/0x10\n   btrfs_writepage_fixup_worker+0xf1/0x3a0 [btrfs]\n   btrfs_work_helper+0xff/0x480 [btrfs]\n   ? lock_release+0x178/0x2c0\n   process_one_work+0x1ee/0x570\n   ? srso_return_thunk+0x5/0x5f\n   worker_thread+0x1d1/0x3b0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x10b/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x50\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n  INFO: task kworker/u134:0:184 blocked for more than 323 seconds.\n        Not tainted 6.13.0-BTRFS-ZNS+ #503\n  \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  task:kworker/u134:0  state:D stack:0     pid:184   tgid:184   ppid:2      flags:0x00004000\n  Workqueue: writeback wb_workfn (flush-btrfs-4)\n  Call Trace:\n   <TASK>\n   __schedule+0x534/0xdd0\n   schedule+0x39/0x140\n   __lock_extent+0x31b/0x380 [btrfs]\n   ? __pfx_autoremove_wake_function+0x10/0x10\n   find_lock_delalloc_range+0xdb/0x260 [btrfs]\n   writepage_delalloc+0x12f/0x500 [btrfs]\n   ? srso_return_thunk+0x5/0x5f\n   extent_write_cache_pages+0x232/0x840 [btrfs]\n   btrfs_writepages+0x72/0x130 [btrfs]\n   do_writepages+0xe7/0x260\n   ? srso_return_thunk+0x5/0x5f\n   ? lock_acquire+0xd2/0x300\n   ? srso_return_thunk+0x5/0x5f\n   ? find_held_lock+0x2b/0x80\n   ? wbc_attach_and_unlock_inode.part.0+0x102/0x250\n   ? wbc_attach_and_unlock_inode.part.0+0x102/0x250\n   __writeback_single_inode+0x5c/0x4b0\n   writeback_sb_inodes+0x22d/0x550\n   __writeback_inodes_wb+0x4c/0xe0\n   wb_writeback+0x2f6/0x3f0\n   wb_workfn+0x32a/0x510\n   process_one_work+0x1ee/0x570\n   ? srso_return_thunk+0x5/0x5f\n   worker_thread+0x1d1/0x3b0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x10b/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x50\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\nThis happens because we have another success path for the zoned mode. When\nthere is no active zone available, btrfs_reserve_extent() returns\n-EAGAIN. In this case, we have two reactions.\n\n(1) If the given range is never allocated, we can only wait for someone\n    to finish a zone, so wait on BTRFS_FS_NEED_ZONE_FINISH bit and retry\n    afterward.\n\n(2) Or, if some allocations are already done, we must bail out and let\n    the caller send IOs for the allocation. This is because these IOs\n    may be necessary to finish a zone.\n\nThe commit 06f364284794 (\"btrfs: do proper folio cleanup when\ncow_file_range() failed\") moved the unlock code from the inside of the\nloop to the outside. So, previously, the allocated extents are unlocked\njust after the allocation and so before returning from the function.\nHowever, they are no longer unlocked on the case (2) above. That caused\nthe hang issue.\n\nFix the issue by modifying the 'end' to the end of the allocated\nrange. Then, we can exit the loop and the same unlock code can properly\nhandle the case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.7"
        },
        {
          "id": "CVE-2025-21943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: aggregator: protect driver attr handlers against module unload\n\nBoth new_device_store and delete_device_store touch module global\nresources (e.g. gpio_aggregator_lock). To prevent race conditions with\nmodule unload, a reference needs to be held.\n\nAdd try_module_get() in these handlers.\n\nFor new_device_store, this eliminates what appears to be the most dangerous\nscenario: if an id is allocated from gpio_aggregator_idr but\nplatform_device_register has not yet been called or completed, a concurrent\nmodule unload could fail to unregister/delete the device, leaving behind a\ndangling platform device/GPIO forwarder. This can result in various issues.\nThe following simple reproducer demonstrates these problems:\n\n  #!/bin/bash\n  while :; do\n    # note: whether 'gpiochip0 0' exists or not does not matter.\n    echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device\n  done &\n  while :; do\n    modprobe gpio-aggregator\n    modprobe -r gpio-aggregator\n  done &\n  wait\n\n  Starting with the following warning, several kinds of warnings will appear\n  and the system may become unstable:\n\n  ------------[ cut here ]------------\n  list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100)\n  WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120\n  [...]\n  Call Trace:\n   <TASK>\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? __warn.cold+0x93/0xf2\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   ? report_bug+0xe6/0x170\n   ? __irq_work_queue_local+0x39/0xe0\n   ? handle_bug+0x58/0x90\n   ? exc_invalid_op+0x13/0x60\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __list_del_entry_valid_or_report+0xa3/0x120\n   gpiod_remove_lookup_table+0x22/0x60\n   new_device_store+0x315/0x350 [gpio_aggregator]\n   kernfs_fop_write_iter+0x137/0x1f0\n   vfs_write+0x262/0x430\n   ksys_write+0x60/0xd0\n   do_syscall_64+0x6c/0x180\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [...]\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix bug on trap in smb2_lock\n\nIf the lock count is greater than 1, flags could be an old value.\nIt should be checked with the flags of smb_lock, not flags.\nIt will cause a bug-on trap from locks_free_lock in the error handling\nroutine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_lock\n\nIf smb_lock->zero_len has a value, ->llist of smb_lock is not deleted and\nflock is the old one. It will cause a use-after-free in the error handling\nroutine.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds in parse_sec_desc()\n\nosidoffset, gsidoffset and dacloffset could be greater than the smb_ntsd\nstruct size. If it is smaller, it could cause slab-out-of-bounds.\nAnd when validating sid, it needs to check that it includes the subauth array size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix type confusion via race condition when using ipc_msg_send_request\n\nreq->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on\nida_alloc. req->handle from ksmbd_ipc_login_request and\nFSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion\nbetween messages, resulting in access to unexpected parts of memory after\nan incorrect delivery. ksmbd checks the type of ipc response but is missing a\ncontinue to check the next ipc response.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw event handle\n\nSyzkaller reports a NULL pointer dereference issue in input_event().\n\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\n\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n is_event_supported drivers/input/input.c:67 [inline]\n input_event+0x42/0xa0 drivers/input/input.c:395\n input_report_key include/linux/input.h:439 [inline]\n key_down drivers/hid/hid-appleir.c:159 [inline]\n appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\n hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\n usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\n dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n __run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\n hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\n handle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\n add_timer+0x62/0x90 kernel/time/timer.c:1295\n schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\n usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\n usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\n hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails, which results in the HID_CLAIMED_INPUT flag not being set. However,\nit does not make appleir_probe() fail and lets the event callback be\ncalled without the associated input device.\n\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn't claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set hugetlb mmap base address aligned with pmd size\n\nWith ltp test case \"testcases/bin/hugefork02\", there is a dmesg error\nreport message such as:\n\n kernel BUG at mm/hugetlb.c:5550!\n Oops - BUG[#1]:\n CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940\n a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000\n a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000\n t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000\n t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001\n t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280\n s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10\n s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08\n    ra: 9000000000485538 unmap_vmas+0x130/0x218\n   ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0\n  PRMD: 00000004 (PPLV0 +PIE -PWE)\n  EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n  ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64)\n Call Trace:\n [<90000000004eaf1c>] __unmap_hugepage_range+0x6f4/0x7d0\n [<9000000000485534>] unmap_vmas+0x12c/0x218\n [<9000000000494068>] exit_mmap+0xe0/0x308\n [<900000000025fdc4>] mmput+0x74/0x180\n [<900000000026a284>] do_exit+0x294/0x898\n [<900000000026aa30>] do_group_exit+0x30/0x98\n [<900000000027bed4>] get_signal+0x83c/0x868\n [<90000000002457b4>] arch_do_signal_or_restart+0x54/0xfa0\n [<90000000015795e8>] irqentry_exit_to_user_mode+0xb8/0x138\n [<90000000002572d0>] tlb_do_page_fault_1+0x114/0x1b4\n\nThe problem is that the base address allocated from hugetlbfs is not aligned\nwith the pmd size. Here add a check for hugetlbfs and align the base address\nwith the pmd size. After this patch the test case \"testcases/bin/hugefork02\"\npasses.\n\nThis is similar to the commit 7f24cbc9c4d42db8a3c8484d1 (\"mm/mmap: teach\ngeneric_get_unmapped_area{_topdown} to handle hugetlb mappings\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl\n\nIn the \"pmcmd_ioctl\" function, three memory objects allocated by\nkmalloc are initialized by \"hcall_get_cpu_state\", which are then\ncopied to user space. The initializer is indeed implemented in\n\"acrn_hypercall2\" (arch/x86/include/asm/acrn.h). There is a risk of\ninformation leakage due to uninitialized bytes.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock\n\nThere are multiple places from where the recovery work gets scheduled\nasynchronously. Also, there are multiple places where the caller waits\nsynchronously for the recovery to be completed. One such place is during\nthe PM shutdown() callback.\n\nIf the device is not alive during recovery_work, it will try to reset the\ndevice using pci_reset_function(). This function internally will take the\ndevice_lock() first before resetting the device. By this time, if the lock\nhas already been acquired, then recovery_work will get stalled while\nwaiting for the lock. And if the lock was already acquired by the caller\nwhich waits for the recovery_work to be completed, it will lead to\ndeadlock.\n\nThis is what happened on the X1E80100 CRD device when the device died\nbefore shutdown() callback. Driver core calls the driver's shutdown()\ncallback while holding the device_lock() leading to deadlock.\n\nAnd this deadlock scenario can occur on other paths as well, like during\nthe PM suspend() callback, where the driver core would hold the\ndevice_lock() before calling driver's suspend() callback. And if the\nrecovery_work was already started, it could lead to deadlock. This is also\nobserved on the X1E80100 CRD.\n\nSo to fix both issues, use pci_try_reset_function() in recovery_work. This\nfunction first checks for the availability of the device_lock() before\ntrying to reset the device. If the lock is available, it will acquire it\nand reset the device. Otherwise, it will return -EAGAIN. If that happens,\nrecovery_work will fail with the error message \"Recovery failed\" as not\nmuch could be done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: corsair-void: Update power supply values with a unified work handler\n\ncorsair_void_process_receiver can be called from an interrupt context;\nlocking battery_mutex in it was causing a kernel panic.\nFix it by moving the critical section into its own work, sharing this\nwork with battery_add_work and battery_remove_work to remove the need\nfor any locking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: cleanup mana struct after debugfs_remove()\n\nWhen on a MANA VM hibernation is triggered, as part of hibernate_snapshot(),\nmana_gd_suspend() and mana_gd_resume() are called. If during this\nmana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs\npointer does not get reinitialized and ends up pointing to older,\ncleaned-up dentry.\nFurther in the hibernation path, as part of power_down(), mana_gd_shutdown()\nis triggered. This call, unaware of the failures in resume, tries to clean up\nthe already cleaned up mana_port_debugfs value and hits the following bug:\n\n[  191.359296] mana 7870:00:00.0: Shutdown was called\n[  191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[  191.360584] #PF: supervisor write access in kernel mode\n[  191.361125] #PF: error_code(0x0002) - not-present page\n[  191.361727] PGD 1080ea067 P4D 0\n[  191.362172] Oops: Oops: 0002 [#1] SMP NOPTI\n[  191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2\n[  191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  191.364124] RIP: 0010:down_write+0x19/0x50\n[  191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d\n[  191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246\n[  191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000\n[  191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098\n[  191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001\n[  191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000\n[  191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020\n[  191.369549] FS:  00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000\n[  191.370213] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0\n[  191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[  191.372906] Call Trace:\n[  191.373262]  <TASK>\n[  191.373621]  ? show_regs+0x64/0x70\n[  191.374040]  ? __die+0x24/0x70\n[  191.374468]  ? page_fault_oops+0x290/0x5b0\n[  191.374875]  ? do_user_addr_fault+0x448/0x800\n[  191.375357]  ? exc_page_fault+0x7a/0x160\n[  191.375971]  ? asm_exc_page_fault+0x27/0x30\n[  191.376416]  ? down_write+0x19/0x50\n[  191.376832]  ? down_write+0x12/0x50\n[  191.377232]  simple_recursive_removal+0x4a/0x2a0\n[  191.377679]  ? __pfx_remove_one+0x10/0x10\n[  191.378088]  debugfs_remove+0x44/0x70\n[  191.378530]  mana_detach+0x17c/0x4f0\n[  191.378950]  ? __flush_work+0x1e2/0x3b0\n[  191.379362]  ? __cond_resched+0x1a/0x50\n[  191.379787]  mana_remove+0xf2/0x1a0\n[  191.380193]  mana_gd_shutdown+0x3b/0x70\n[  191.380642]  pci_device_shutdown+0x3a/0x80\n[  191.381063]  device_shutdown+0x13e/0x230\n[  191.381480]  kernel_power_off+0x35/0x80\n[  191.381890]  hibernate+0x3c6/0x470\n[  191.382312]  state_store+0xcb/0xd0\n[  191.382734]  kobj_attr_store+0x12/0x30\n[  191.383211]  sysfs_kf_write+0x3e/0x50\n[  191.383640]  kernfs_fop_write_iter+0x140/0x1d0\n[  191.384106]  vfs_write+0x271/0x440\n[  191.384521]  ksys_write+0x72/0xf0\n[  191.384924]  __x64_sys_write+0x19/0x20\n[  191.385313]  x64_sys_call+0x2b0/0x20b0\n[  191.385736]  do_syscall_64+0x79/0x150\n[  191.386146]  ? __mod_memcg_lruvec_state+0xe7/0x240\n[  191.386676]  ? __lruvec_stat_mod_folio+0x79/0xb0\n[  191.387124]  ? __pfx_lru_add+0x10/0x10\n[  191.387515]  ? queued_spin_unlock+0x9/0x10\n[  191.387937]  ? do_anonymous_page+0x33c/0xa00\n[  191.388374]  ? __handle_mm_fault+0xcf3/0x1210\n[  191.388805]  ? __count_memcg_events+0xbe/0x180\n[  191.389235]  ? handle_mm_fault+0xae/0x300\n[  19\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetmem: prevent TX of unreadable skbs\n\nCurrently on stable trees we have support for netmem/devmem RX but not\nTX. It is not safe to forward/redirect an RX unreadable netmem packet\ninto the device's TX path, as the device may call dma-mapping APIs on\ndma addrs that should not be passed to it.\n\nFix this by preventing the xmit of unreadable skbs.\n\nTested by configuring tc redirect:\n\nsudo tc qdisc add dev eth1 ingress\nsudo tc filter add dev eth1 ingress protocol ip prio 1 flower ip_proto \\\n\ttcp src_ip 192.168.1.12 action mirred egress redirect dev eth1\n\nBefore, I see unreadable skbs in the driver's TX path passed to dma\nmapping APIs.\n\nAfter, I don't see unreadable skbs in the driver's TX path passed to dma\nmapping APIs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent connection release during oplock break notification\n\nksmbd_work could be freed after connection release.\nIncrement r_count of ksmbd_conn to indicate that requests\nare not finished yet and to not release the connection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign normalized_pix_clk when color depth = 14\n\n[WHY & HOW]\nA warning message \"WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397\ncalculate_phy_pix_clks+0xef/0x100 [amdgpu]\" occurs because the\ndisplay_color_depth == COLOR_DEPTH_141414 is not handled. This is\nobserved in Radeon RX 6600 XT.\n\nIt is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rest.\n\nAlso fixes the indentation in get_norm_pix_clk.\n\n(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla1280: Fix kernel oops when debug level > 2\n\nA null dereference or oops exception will eventually occur when qla1280.c\ndriver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2.  I\nthink it's clear from the code that the intention here is sg_dma_len(s) not\nlength of sg_next(s) when printing the debug info.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"openvswitch: switch to per-action label counting in conntrack\"\n\nCurrently, ovs_ct_set_labels() is only called for confirmed conntrack\nentries (ct) within ovs_ct_commit(). However, if the conntrack entry\ndoes not have the labels_ext extension, attempting to allocate it in\novs_ct_get_conn_labels() for a confirmed entry triggers a warning in\nnf_ct_ext_add():\n\n  WARN_ON(nf_ct_is_confirmed(ct));\n\nThis happens when the conntrack entry is created externally before OVS\nincrements net->ct.labels_used. The issue has become more likely since\ncommit fcb1aa5163b1 (\"openvswitch: switch to per-action label counting\nin conntrack\"), which changed to use per-action label counting and\nincrement net->ct.labels_used when a flow with ct action is added.\n\nSince there\u2019s no straightforward way to fully resolve this issue at the\nmoment, this reverts the commit to avoid breaking existing use cases.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()\n\nSince commit b36e4523d4d5 (\"netfilter: nf_conncount: fix garbage\ncollection confirm race\"), `cpu` and `jiffies32` were introduced to\nthe struct nf_conncount_tuple.\n\nThe commit made nf_conncount_add() initialize `conn->cpu` and\n`conn->jiffies32` when allocating the struct.\nIn contrast, count_tree() was not changed to initialize them.\n\nBy commit 34848d5c896e (\"netfilter: nf_conncount: Split insert and\ntraversal\"), count_tree() was split and the relevant allocation\ncode now resides in insert_tree().\nInitialize `conn->cpu` and `conn->jiffies32` in insert_tree().\n\nBUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]\nBUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n find_or_evict net/netfilter/nf_conncount.c:117 [inline]\n __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n count_tree net/netfilter/nf_conncount.c:438 [inline]\n nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669\n __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]\n __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983\n __netif_receive_skb_list net/core/dev.c:6035 [inline]\n netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126\n netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178\n xdp_recv_frames net/bpf/test_run.c:280 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316\n bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813\n __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]\n __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900\n ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358\n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4121 [inline]\n slab_alloc_node mm/slub.c:4164 [inline]\n kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171\n insert_tree net/netfilter/nf_conncount.c:372 [inline]\n count_tree net/netfilter/nf_conncount.c:450 [inline]\n nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ip\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: do not update checksum in bnxt_xdp_build_skb()\n\nThe bnxt_rx_pkt() updates ip_summed value at the end if checksum offload\nis enabled.\nWhen the XDP-MB program is attached and it returns XDP_PASS, the\nbnxt_xdp_build_skb() is called to update skb_shared_info.\nThe main purpose of bnxt_xdp_build_skb() is to update skb_shared_info,\nbut it updates ip_summed value too if checksum offload is enabled.\nThis is actually duplicate work.\n\nWhen the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed\nis CHECKSUM_NONE or not.\nIt means that ip_summed should be CHECKSUM_NONE at this moment.\nBut ip_summed may already be updated to CHECKSUM_UNNECESSARY in the\nXDP-MB-PASS path.\nSo skb_checksum_none_assert() WARNs about it.\n\nThis is duplicate work and updating ip_summed in the\nbnxt_xdp_build_skb() is not needed.\n\nSplat looks like:\nWARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nModules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_]\nCPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G        W          6.14.0-rc4+ #27\nTainted: [W]=WARN\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nCode: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f\nRSP: 0018:ffff88881ba09928 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000\nRDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8\nRBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070\nR10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080\nR13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000\nFS:  00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <IRQ>\n ? __warn+0xcd/0x2f0\n ? bnxt_rx_pkt+0x479b/0x7610\n ? report_bug+0x326/0x3c0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x14/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? bnxt_rx_pkt+0x479b/0x7610\n ? bnxt_rx_pkt+0x3e41/0x7610\n ? __pfx_bnxt_rx_pkt+0x10/0x10\n ? napi_complete_done+0x2cf/0x7d0\n __bnxt_poll_work+0x4e8/0x1220\n ? __pfx___bnxt_poll_work+0x10/0x10\n ? __pfx_mark_lock.part.0+0x10/0x10\n bnxt_poll_p5+0x36a/0xfa0\n ? __pfx_bnxt_poll_p5+0x10/0x10\n __napi_poll.constprop.0+0xa0/0x440\n net_rx_action+0x899/0xd00\n...\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going\nto be able to reproduce this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix truesize for mb-xdp-pass case\n\nWhen mb-xdp is set and return is XDP_PASS, packet is converted from\nxdp_buff to sk_buff with xdp_update_skb_shared_info() in\nbnxt_xdp_build_skb().\nbnxt_xdp_build_skb() passes incorrect truesize argument to\nxdp_update_skb_shared_info().\nThe truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but\nthe skb_shared_info was wiped by napi_build_skb() before.\nSo it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it\ninstead of getting skb_shared_info from xdp_get_shared_info_from_buff().\n\nSplat looks like:\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590\n Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms\n CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3\n RIP: 0010:skb_try_coalesce+0x504/0x590\n Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99\n RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287\n RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0\n RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003\n RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900\n R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740\n R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002\n FS:  0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n  <IRQ>\n  ? __warn+0x84/0x130\n  ? skb_try_coalesce+0x504/0x590\n  ? report_bug+0x18a/0x1a0\n  ? handle_bug+0x53/0x90\n  ? exc_invalid_op+0x14/0x70\n  ? asm_exc_invalid_op+0x16/0x20\n  ? skb_try_coalesce+0x504/0x590\n  inet_frag_reasm_finish+0x11f/0x2e0\n  ip_defrag+0x37a/0x900\n  ip_local_deliver+0x51/0x120\n  ip_sublist_rcv_finish+0x64/0x70\n  ip_sublist_rcv+0x179/0x210\n  ip_list_rcv+0xf9/0x130\n\nHow to reproduce:\n<Node A>\nip link set $interface1 xdp obj xdp_pass.o\nip link set $interface1 mtu 9000 up\nip a a 10.0.0.1/24 dev $interface1\n<Node B>\nip link set $interface2 mtu 9000 up\nip a a 10.0.0.2/24 dev $interface2\nping 10.0.0.1 -s 65000\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going to be\nable to reproduce this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing closetimeo mount option\n\nUser-provided mount parameter closetimeo of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing acdirmax mount option\n\nUser-provided mount parameter acdirmax of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing acregmax mount option\n\nUser-provided mount parameter acregmax of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Validate prev_cpu in scx_bpf_select_cpu_dfl()\n\nIf a BPF scheduler provides an invalid CPU (outside the nr_cpu_ids\nrange) as prev_cpu to scx_bpf_select_cpu_dfl() it can cause a kernel\ncrash.\n\nTo prevent this, validate prev_cpu in scx_bpf_select_cpu_dfl() and\ntrigger an scx error if an invalid CPU is specified.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-flakey: Fix memory corruption in optional corrupt_bio_byte feature\n\nFix memory corruption due to incorrect parameter being passed to bio_init.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_free_work_struct\n\n->interim_entry of ksmbd_work could be deleted after oplock is freed.\nWe don't need to manage it with linked list. The interim request could be\nimmediately sent whenever an oplock break wait is needed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix slab-use-after-free on hdcp_work\n\n[Why]\nA slab-use-after-free is reported when HDCP is destroyed but the\nproperty_validate_dwork queue is still running.\n\n[How]\nCancel the delayed work when destroying workqueue.\n\n(cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd\n\nAfter the hci sync command releases l2cap_conn, the hci receive data work\nqueue references the released l2cap_conn when sending to the upper layer.\nAdd hci dev lock to the hci receive data work queue to synchronize the two.\n\n[1]\nBUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954\nRead of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837\n\nCPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci1 hci_rx_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]\n l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954\n l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]\n l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]\n l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817\n hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]\n hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nAllocated by task 5837:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860\n l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239\n hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]\n hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726\n hci_event_func net/bluetooth/hci_event.c:7473 [inline]\n hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525\n hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nFreed by task 54:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2353 [inline]\n slab_free mm/slub.c:4613 [inline]\n kfree+0x196/0x430 mm/slub.c:4761\n l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235\n hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]\n hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266\n hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Bridge, fix the crash caused by LAG state check\n\nWhen removing LAG device from bridge, NETDEV_CHANGEUPPER event is\ntriggered. Driver finds the lower devices (PFs) to flush all the\noffloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns\nfalse if one of PF is unloaded. In such case,\nmlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of\nthe alive PF, and the flush is skipped.\n\nBesides, the bridge fdb entry's lastuse is updated in mlx5 bridge\nevent handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be\nignored in this case because the upper interface for bond is deleted,\nand the entry will never be aged because lastuse is never updated.\n\nTo make things worse, as the entry is alive, mlx5 bridge workqueue\nkeeps sending that event, which is then handled by kernel bridge\nnotifier. It causes the following crash when accessing the passed bond\nnetdev which is already destroyed.\n\nTo fix this issue, remove such checks. LAG state is already checked in\ncommit 15f8f168952f (\"net/mlx5: Bridge, verify LAG state when adding\nbond to bridge\"), the driver still needs to skip offload if LAG becomes\ninvalid state after initialization.\n\n Oops: stack segment: 0000 [#1] SMP\n CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G           OE      6.11.0_mlnx #1\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]\n RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]\n Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7\n RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297\n RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff\n RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0\n RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60\n R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __die_body+0x1a/0x60\n  ? die+0x38/0x60\n  ? do_trap+0x10b/0x120\n  ? do_error_trap+0x64/0xa0\n  ? exc_stack_segment+0x33/0x50\n  ? asm_exc_stack_segment+0x22/0x30\n  ? br_switchdev_event+0x2c/0x110 [bridge]\n  ? sched_balance_newidle.isra.149+0x248/0x390\n  notifier_call_chain+0x4b/0xa0\n  atomic_notifier_call_chain+0x16/0x20\n  mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]\n  mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]\n  process_scheduled_works+0x81/0x390\n  worker_thread+0x106/0x250\n  ? bh_worker+0x110/0x110\n  kthread+0xb7/0xe0\n  ? kthread_park+0x80/0x80\n  ret_from_fork+0x2d/0x50\n  ? kthread_park+0x80/0x80\n  ret_from_fork_asm+0x11/0x20\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: unshare packets when reassembling\n\nEnsure that the frag_list used for reassembly isn't shared with other\npackets. This avoids incorrect reassembly when packets are cloned, and\nprevents a memory leak due to circular references between fragments and\ntheir skb_shared_info.\n\nThe upcoming MCTP-over-USB driver uses skb_clone which can trigger the\nproblem - other MCTP drivers don't share SKBs.\n\nA kunit test is added to reproduce the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}\n\nWhen qstats-get operation is executed, callbacks of netdev_stats_ops\nare called. The bnxt_get_queue_stats{rx | tx} collect per-queue stats\nfrom sw_stats in the rings.\nBut {rx | tx | cp}_ring are allocated when the interface is up.\nSo, these rings are not allocated when the interface is down.\n\nThe qstats-get is allowed even if the interface is down. However,\nthe bnxt_get_queue_stats{rx | tx}() accesses cp_ring and tx_ring\nwithout null check.\nSo, it needs to avoid accessing rings if the interface is down.\n\nReproducer:\n ip link set $interface down\n ./cli.py --spec netdev.yaml --dump qstats-get\nOR\n ip link set $interface down\n python ./stats.py\n\nSplat looks like:\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 1680fa067 P4D 1680fa067 PUD 16be3b067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 UID: 0 PID: 1495 Comm: python3 Not tainted 6.14.0-rc4+ #32 5cd0f999d5a15c574ac72b3e4b907341\n Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\n RIP: 0010:bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en]\n Code: c6 87 b5 18 00 00 02 eb a2 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 01\n RSP: 0018:ffffabef43cdb7e0 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffc04c8710 RCX: 0000000000000000\n RDX: ffffabef43cdb858 RSI: 0000000000000000 RDI: ffff8d504e850000\n RBP: ffff8d506c9f9c00 R08: 0000000000000004 R09: ffff8d506bcd901c\n R10: 0000000000000015 R11: ffff8d506bcd9000 R12: 0000000000000000\n R13: ffffabef43cdb8c0 R14: ffff8d504e850000 R15: 0000000000000000\n FS:  00007f2c5462b080(0000) GS:ffff8d575f600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000167fd0000 CR4: 
00000000007506f0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __die+0x20/0x70\n  ? page_fault_oops+0x15a/0x460\n  ? sched_balance_find_src_group+0x58d/0xd10\n  ? exc_page_fault+0x6e/0x180\n  ? asm_exc_page_fault+0x22/0x30\n  ? bnxt_get_queue_stats_rx+0xf/0x70 [bnxt_en cdd546fd48563c280cfd30e9647efa420db07bf1]\n  netdev_nl_stats_by_netdev+0x2b1/0x4e0\n  ? xas_load+0x9/0xb0\n  ? xas_find+0x183/0x1d0\n  ? xa_find+0x8b/0xe0\n  netdev_nl_qstats_get_dumpit+0xbf/0x1e0\n  genl_dumpit+0x31/0x90\n  netlink_dump+0x1a8/0x360",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()\n\nThe bnxt_queue_mem_alloc() is called to allocate new queue memory when\na queue is restarted.\nIt internally accesses rx buffer descriptor corresponding to the index.\nThe rx buffer descriptor is allocated and set when the interface is up\nand it's freed when the interface is down.\nSo, if queue is restarted if interface is down, kernel panic occurs.\n\nSplat looks like:\n BUG: unable to handle page fault for address: 000000000000b240\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 UID: 0 PID: 1563 Comm: ncdevmem2 Not tainted 6.14.0-rc2+ #9 844ddba6e7c459cafd0bf4db9a3198e\n Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\n RIP: 0010:bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en]\n Code: 41 54 4d 89 c4 4d 69 c0 c0 05 00 00 55 48 89 f5 53 48 89 fb 4c 8d b5 40 05 00 00 48 83 ec 15\n RSP: 0018:ffff9dcc83fef9e8 EFLAGS: 00010202\n RAX: ffffffffc0457720 RBX: ffff934ed8d40000 RCX: 0000000000000000\n RDX: 000000000000001f RSI: ffff934ea508f800 RDI: ffff934ea508f808\n RBP: ffff934ea508f800 R08: 000000000000b240 R09: ffff934e84f4b000\n R10: ffff9dcc83fefa30 R11: ffff934e84f4b000 R12: 000000000000001f\n R13: ffff934ed8d40ac0 R14: ffff934ea508fd40 R15: ffff934e84f4b000\n FS:  00007fa73888c740(0000) GS:ffff93559f780000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000b240 CR3: 0000000145a2e000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __die+0x20/0x70\n  ? page_fault_oops+0x15a/0x460\n  ? exc_page_fault+0x6e/0x180\n  ? asm_exc_page_fault+0x22/0x30\n  ? __pfx_bnxt_queue_mem_alloc+0x10/0x10 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]\n  ? 
bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]\n  netdev_rx_queue_restart+0xc5/0x240\n  net_devmem_bind_dmabuf_to_queue+0xf8/0x200\n  netdev_nl_bind_rx_doit+0x3a7/0x450\n  genl_family_rcv_msg_doit+0xd9/0x130\n  genl_rcv_msg+0x184/0x2b0\n  ? __pfx_netdev_nl_bind_rx_doit+0x10/0x10\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x54/0x100\n  genl_rcv+0x24/0x40\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: handle errors in mlx5_chains_create_table()\n\nIn mlx5_chains_create_table(), the return value of\u00a0mlx5_get_fdb_sub_ns()\nand mlx5_get_flow_namespace() must be checked to prevent NULL pointer\ndereferences. If either function fails, the function should log error\nmessage with mlx5_core_warn() and return error pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: hyperv_fb: Allow graceful removal of framebuffer\n\nWhen a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to\nrelease the framebuffer forcefully. If this framebuffer is in use it\nproduce the following WARN and hence this framebuffer is never released.\n\n[   44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40\n< snip >\n[   44.111289] Call Trace:\n[   44.111290]  <TASK>\n[   44.111291]  ? show_regs+0x6c/0x80\n[   44.111295]  ? __warn+0x8d/0x150\n[   44.111298]  ? framebuffer_release+0x2c/0x40\n[   44.111300]  ? report_bug+0x182/0x1b0\n[   44.111303]  ? handle_bug+0x6e/0xb0\n[   44.111306]  ? exc_invalid_op+0x18/0x80\n[   44.111308]  ? asm_exc_invalid_op+0x1b/0x20\n[   44.111311]  ? framebuffer_release+0x2c/0x40\n[   44.111313]  ? hvfb_remove+0x86/0xa0 [hyperv_fb]\n[   44.111315]  vmbus_remove+0x24/0x40 [hv_vmbus]\n[   44.111323]  device_remove+0x40/0x80\n[   44.111325]  device_release_driver_internal+0x20b/0x270\n[   44.111327]  ? bus_find_device+0xb3/0xf0\n\nFix this by moving the release of framebuffer and assosiated memory\nto fb_ops.fb_destroy function, so that framebuffer framework handles\nit gracefully.\n\nWhile we fix this, also replace manual registrations/unregistration of\nframebuffer with devm_register_framebuffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs\n\nGen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer\ndevice. When the kdump kernel runs in such a VM, loading the efifb\ndriver may hang because of accessing the framebuffer at the wrong\nmemory address.\n\nThe scenario occurs when the hyperv_fb driver in the original kernel\nmoves the framebuffer to a different MMIO address because of conflicts\nwith an already-running efifb or simplefb driver. The hyperv_fb driver\nthen informs Hyper-V of the change, which is allowed by the Hyper-V FB\nVMBus device protocol. However, when the kexec command loads the kdump\nkernel into crash memory via the kexec_file_load() system call, the\nsystem call doesn't know the framebuffer has moved, and it sets up the\nkdump screen_info using the original framebuffer address. The transition\nto the kdump kernel does not go through the Hyper-V host, so Hyper-V\ndoes not reset the framebuffer address like it would do on a reboot.\nWhen efifb tries to run, it accesses a non-existent framebuffer\naddress, which traps to the Hyper-V host. After many such accesses,\nthe Hyper-V host thinks the guest is being malicious, and throttles\nthe guest to the point that it runs very slowly or appears to have hung.\n\nWhen the kdump kernel is loaded into crash memory via the kexec_load()\nsystem call, the problem does not occur. In this case, the kexec command\nbuilds the screen_info table itself in user space from data returned\nby the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the\nnew framebuffer location.\n\nThis problem was originally reported in 2020 [1], resulting in commit\n3cb73bc3fa2a (\"hyperv_fb: Update screen_info after removing old\nframebuffer\"). This commit solved the problem by setting orig_video_isVGA\nto 0, so the kdump kernel was unaware of the EFI framebuffer. 
The efifb\ndriver did not try to load, and no hang occurred. But in 2024, commit\nc25a19afb81c (\"fbdev/hyperv_fb: Do not clear global screen_info\")\neffectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference\nto 3cb73bc3fa2a, so perhaps it was done without knowing the implications\nthat were reported with 3cb73bc3fa2a. In any case, as of commit\nc25a19afb81c, the original problem came back again.\n\nInterestingly, the hyperv_drm driver does not have this problem because\nit never moves the framebuffer. The difference is that the hyperv_drm\ndriver removes any conflicting framebuffers *before* allocating an MMIO\naddress, while the hyperv_fb drivers removes conflicting framebuffers\n*after* allocating an MMIO address. With the \"after\" ordering, hyperv_fb\nmay encounter a conflict and move the framebuffer to a different MMIO\naddress. But the conflict is essentially bogus because it is removed\na few lines of code later.\n\nRather than fix the problem with the approach from 2020 in commit\n3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so\nconflicting framebuffers are removed before allocating an MMIO address.\nThen the default framebuffer MMIO address should always be available, and\nthere's never any confusion about which framebuffer address the kdump\nkernel should use -- it's always the original address provided by\nthe Hyper-V host. This approach is already used by the hyperv_drm\ndriver, and is consistent with the usage guidelines at the head of\nthe module with the function aperture_remove_conflicting_devices().\n\nThis approach also solves a related minor problem when kexec_load()\nis used to load the kdump kernel. With current code, unbinding and\nrebinding the hyperv_fb driver could result in the framebuffer moving\nback to the default framebuffer address, because on the rebind there\nare no conflicts. 
If such a move is done after the kdump kernel is\nloaded with the new framebuffer address, at kdump time it could again\nhave the wrong address.\n\nThis problem and fix are described in terms of the kdump kernel, but\nit can also occur\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hyperv: Fix address space leak when Hyper-V DRM device is removed\n\nWhen a Hyper-V DRM device is probed, the driver allocates MMIO space for\nthe vram, and maps it cacheable. If the device removed, or in the error\npath for device probing, the MMIO space is released but no unmap is done.\nConsequently the kernel address space for the mapping is leaked.\n\nFix this by adding iounmap() calls in the device removal path, and in the\nerror path during device probing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel wiphy_work before freeing wiphy\n\nA wiphy_work can be queued from the moment the wiphy is allocated and\ninitialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the\nrdev::wiphy_work is getting queued.\n\nIf wiphy_free is called before the rdev::wiphy_work had a chance to run,\nthe wiphy memory will be freed, and then when it eventally gets to run\nit'll use invalid memory.\n\nFix this by canceling the work before freeing the wiphy.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: address a potential NULL pointer dereference in the GRED scheduler.\n\nIf kzalloc in gred_init returns a NULL pointer, the code follows the\nerror handling path, invoking gred_destroy. This, in turn, calls\ngred_offload, where memset could receive a NULL pointer as input,\npotentially leading to a kernel crash.\n\nWhen table->opt is NULL in gred_init(), gred_change_table_def()\nis not called yet, so it is not necessary to call ->ndo_setup_tc()\nin gred_offload().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix memory leak in aRFS after reset\n\nFix aRFS (accelerated Receive Flow Steering) structures memory leak by\nadding a checker to verify if aRFS memory is already allocated while\nconfiguring VSI. aRFS objects are allocated in two cases:\n- as part of VSI initialization (at probe), and\n- as part of reset handling\n\nHowever, VSI reconfiguration executed during reset involves memory\nallocation one more time, without prior releasing already allocated\nresources. This led to the memory leak with the following signature:\n\n[root@os-delivery ~]# cat /sys/kernel/debug/kmemleak\nunreferenced object 0xff3c1ca7252e6000 (size 8192):\n  comm \"kworker/0:0\", pid 8, jiffies 4296833052\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 0):\n    [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340\n    [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice]\n    [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice]\n    [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice]\n    [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice]\n    [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice]\n    [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0\n    [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20\n    [<ffffffff98f0b6d9>] process_one_work+0x179/0x390\n    [<ffffffff98f0c1e9>] worker_thread+0x239/0x340\n    [<ffffffff98f14abc>] kthread+0xcc/0x100\n    [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50\n    [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30\n    ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw\n\ndevm_kasprintf() calls can return null pointers on failure.\nBut the return values were not checked in npcm8xx_gpio_fw().\nAdd NULL check in npcm8xx_gpio_fw(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq\n\nCurrently kvfree_rcu() APIs use a system workqueue which is\n\"system_unbound_wq\" to driver RCU machinery to reclaim a memory.\n\nRecently, it has been noted that the following kernel warning can\nbe observed:\n\n<snip>\nworkqueue: WQ_MEM_RECLAIM nvme-wq:nvme_scan_work is flushing !WQ_MEM_RECLAIM events_unbound:kfree_rcu_work\n  WARNING: CPU: 21 PID: 330 at kernel/workqueue.c:3719 check_flush_dependency+0x112/0x120\n  Modules linked in: intel_uncore_frequency(E) intel_uncore_frequency_common(E) skx_edac(E) ...\n  CPU: 21 UID: 0 PID: 330 Comm: kworker/u144:6 Tainted: G            E      6.13.2-0_g925d379822da #1\n  Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM20 02/01/2023\n  Workqueue: nvme-wq nvme_scan_work\n  RIP: 0010:check_flush_dependency+0x112/0x120\n  Code: 05 9a 40 14 02 01 48 81 c6 c0 00 00 00 48 8b 50 18 48 81 c7 c0 00 00 00 48 89 f9 48 ...\n  RSP: 0018:ffffc90000df7bd8 EFLAGS: 00010082\n  RAX: 000000000000006a RBX: ffffffff81622390 RCX: 0000000000000027\n  RDX: 00000000fffeffff RSI: 000000000057ffa8 RDI: ffff88907f960c88\n  RBP: 0000000000000000 R08: ffffffff83068e50 R09: 000000000002fffd\n  R10: 0000000000000004 R11: 0000000000000000 R12: ffff8881001a4400\n  R13: 0000000000000000 R14: ffff88907f420fb8 R15: 0000000000000000\n  FS:  0000000000000000(0000) GS:ffff88907f940000(0000) knlGS:0000000000000000\n  CR2: 00007f60c3001000 CR3: 000000107d010005 CR4: 00000000007726f0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   ? __warn+0xa4/0x140\n   ? check_flush_dependency+0x112/0x120\n   ? report_bug+0xe1/0x140\n   ? check_flush_dependency+0x112/0x120\n   ? handle_bug+0x5e/0x90\n   ? exc_invalid_op+0x16/0x40\n   ? asm_exc_invalid_op+0x16/0x20\n   ? timer_recalc_next_expiry+0x190/0x190\n   ? check_flush_dependency+0x112/0x120\n   ? 
check_flush_dependency+0x112/0x120\n   __flush_work.llvm.1643880146586177030+0x174/0x2c0\n   flush_rcu_work+0x28/0x30\n   kvfree_rcu_barrier+0x12f/0x160\n   kmem_cache_destroy+0x18/0x120\n   bioset_exit+0x10c/0x150\n   disk_release.llvm.6740012984264378178+0x61/0xd0\n   device_release+0x4f/0x90\n   kobject_put+0x95/0x180\n   nvme_put_ns+0x23/0xc0\n   nvme_remove_invalid_namespaces+0xb3/0xd0\n   nvme_scan_work+0x342/0x490\n   process_scheduled_works+0x1a2/0x370\n   worker_thread+0x2ff/0x390\n   ? pwq_release_workfn+0x1e0/0x1e0\n   kthread+0xb1/0xe0\n   ? __kthread_parkme+0x70/0x70\n   ret_from_fork+0x30/0x40\n   ? __kthread_parkme+0x70/0x70\n   ret_from_fork_asm+0x11/0x20\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n<snip>\n\nTo address this switch to use of independent WQ_MEM_RECLAIM\nworkqueue, so the rules are not violated from workqueue framework\npoint of view.\n\nApart of that, since kvfree_rcu() does reclaim memory it is worth\nto go with WQ_MEM_RECLAIM type of wq because it is designed for\nthis purpose.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix kernel BUG when userfaultfd_move encounters swapcache\n\nuserfaultfd_move() checks whether the PTE entry is present or a\nswap entry.\n\n- If the PTE entry is present, move_present_pte() handles folio\n  migration by setting:\n\n  src_folio->index = linear_page_index(dst_vma, dst_addr);\n\n- If the PTE entry is a swap entry, move_swap_pte() simply copies\n  the PTE to the new dst_addr.\n\nThis approach is incorrect because, even if the PTE is a swap entry,\nit can still reference a folio that remains in the swap cache.\n\nThis creates a race window between steps 2 and 4.\n 1. add_to_swap: The folio is added to the swapcache.\n 2. try_to_unmap: PTEs are converted to swap entries.\n 3. pageout: The folio is written back.\n 4. Swapcache is cleared.\nIf userfaultfd_move() occurs in the window between steps 2 and 4,\nafter the swap PTE has been moved to the destination, accessing the\ndestination triggers do_swap_page(), which may locate the folio in\nthe swapcache. 
However, since the folio's index has not been updated\nto match the destination VMA, do_swap_page() will detect a mismatch.\n\nThis can result in two critical issues depending on the system\nconfiguration.\n\nIf KSM is disabled, both small and large folios can trigger a BUG\nduring the add_rmap operation due to:\n\n page_pgoff(folio, page) != linear_page_index(vma, address)\n\n[   13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c\n[   13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0\n[   13.337716] memcg:ffff00000405f000\n[   13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)\n[   13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001\n[   13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000\n[   13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))\n[   13.340190] ------------[ cut here ]------------\n[   13.340316] kernel BUG at mm/rmap.c:1380!\n[   13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[   13.340969] Modules linked in:\n[   13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299\n[   13.341470] Hardware name: linux,dummy-virt (DT)\n[   13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   13.341815] pc : __page_check_anon_rmap+0xa0/0xb0\n[   13.341920] lr : __page_check_anon_rmap+0xa0/0xb0\n[   13.342018] sp : ffff80008752bb20\n[   13.342093] x29: 
ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001\n[   13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001\n[   13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00\n[   13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff\n[   13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f\n[   13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0\n[   13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40\n[   13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8\n[   13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000\n[   13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f\n[   13.343876] Call trace:\n[   13.344045]  __page_check_anon_rmap+0xa0/0xb0 (P)\n[   13.344234]  folio_add_anon_rmap_ptes+0x22c/0x320\n[   13.344333]  do_swap_page+0x1060/0x1400\n[   13.344417]  __handl\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bound accesses\n\n[WHAT & HOW]\nhpo_stream_to_link_encoder_mapping has size MAX_HPO_DP2_ENCODERS(=4),\nbut location can have size up to 6. As a result, it is necessary to\ncheck location against MAX_HPO_DP2_ENCODERS.\n\nSimiliarly, disp_cfg_stream_location can be used as an array index which\nshould be 0..5, so the ASSERT's conditions should be less without equal.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: switchdev: Convert blocking notification chain to a raw one\n\nA blocking notification chain uses a read-write semaphore to protect the\nintegrity of the chain. The semaphore is acquired for writing when\nadding / removing notifiers to / from the chain and acquired for reading\nwhen traversing the chain and informing notifiers about an event.\n\nIn case of the blocking switchdev notification chain, recursive\nnotifications are possible which leads to the semaphore being acquired\ntwice for reading and to lockdep warnings being generated [1].\n\nSpecifically, this can happen when the bridge driver processes a\nSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notifications\nabout deferred events when calling switchdev_deferred_process().\n\nFix this by converting the notification chain to a raw notification\nchain in a similar fashion to the netdev notification chain. Protect\nthe chain using the RTNL mutex by acquiring it when modifying the chain.\nEvents are always informed under the RTNL mutex, but add an assertion in\ncall_switchdev_blocking_notifiers() to make sure this is not violated in\nthe future.\n\nMaintain the \"blocking\" prefix as events are always emitted from process\ncontext and listeners are allowed to block.\n\n[1]:\nWARNING: possible recursive locking detected\n6.14.0-rc4-custom-g079270089484 #1 Not tainted\n--------------------------------------------\nip/52731 is trying to acquire lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nbut task is already holding lock:\nffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0\n----\nlock((switchdev_blocking_notif_chain).rwsem);\nlock((switchdev_blocking_notif_chain).rwsem);\n\n*** DEADLOCK ***\nMay be due to missing lock nesting notation\n3 locks held by ip/52731:\n #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0\n #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0\n #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0\n\nstack backtrace:\n...\n? __pfx_down_read+0x10/0x10\n? __pfx_mark_lock+0x10/0x10\n? __pfx_switchdev_port_attr_set_deferred+0x10/0x10\nblocking_notifier_call_chain+0x58/0xa0\nswitchdev_port_attr_notify.constprop.0+0xb3/0x1b0\n? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10\n? mark_held_locks+0x94/0xe0\n? switchdev_deferred_process+0x11a/0x340\nswitchdev_port_attr_set_deferred+0x27/0xd0\nswitchdev_deferred_process+0x164/0x340\nbr_switchdev_port_unoffload+0xc8/0x100 [bridge]\nbr_switchdev_blocking_event+0x29f/0x580 [bridge]\nnotifier_call_chain+0xa2/0x440\nblocking_notifier_call_chain+0x6e/0xa0\nswitchdev_bridge_port_unoffload+0xde/0x1a0\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: init return value in amdgpu_ttm_clear_buffer\n\nOtherwise an uninitialized value can be returned if\namdgpu_res_cleared returns true for all regions.\n\nPossibly closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812\n\n(cherry picked from commit 7c62aacc3b452f73a1284198c81551035fac6d71)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/netfs/read_collect: add to next->prev_donated\n\nIf multiple subrequests donate data to the same \"next\" request\n(depending on the subrequest completion order), each of them would\noverwrite the `prev_donated` field, causing data corruption and a\nBUG() crash (\"Can't donate prior to front\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix missing .is_two_pixels_per_container\n\nStarting from 6.11, AMDGPU driver, while being loaded with amdgpu.dc=1,\ndue to lack of .is_two_pixels_per_container function in dce60_tg_funcs,\ncauses a NULL pointer dereference on PCs with old GPUs, such as R9 280X.\n\nSo this fix adds missing .is_two_pixels_per_container to dce60_tg_funcs.\n\n(cherry picked from commit bd4b125eb949785c6f8a53b0494e32795421209d)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags\n\nPRT BOs may not have any backing store, so bo->tbo.resource will be\nNULL. Check for that before dereferencing.\n\n(cherry picked from commit 3e3fcd29b505cebed659311337ea03b7698767fc)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n  \"Some memory may share the same node as a CPU, and others are provided as\n  memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn't have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n  index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n  index 512 is out of range for type 'unsigned long[512]'\n  [...]\n  Call Trace:\n   dump_stack\n   __ubsan_handle_out_of_bounds\n   load_microcode_amd\n   request_microcode_amd\n   reload_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n  [ bp: Massage commit message, fix typo. ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: ignore non-functional sensor in HP 5MP Camera\n\nThe HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that\nis not actually implemented. Attempting to access this non-functional\nsensor via iio_info causes system hangs as runtime PM tries to wake up\nan unresponsive sensor.\n\n  [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff\n  [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff\n\nAdd this device to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()\n\nWhen performing an iSCSI boot using IPv6, iscsistart still reads the\n/sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix\nlength is 64, this causes the shift exponent to become negative,\ntriggering a UBSAN warning. As the concept of a subnet mask does not\napply to IPv6, the value is set to ~0 to suppress the warning message.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix incorrect validation for num_aces field of smb_acl\n\nparse_dcal() validate num_aces to allocate posix_ace_state_array.\n\nif (num_aces > ULONG_MAX / sizeof(struct smb_ace *))\n\nIt is an incorrect validation that we can create an array of size ULONG_MAX.\nsmb_acl has ->size field to calculate actual number of aces in request buffer\nsize. Use this to check invalid num_aces.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix fence reference count leak\n\nThe last_scheduled fence leaks when an entity is being killed and adding\nthe cleanup callback fails.\n\nDecrement the reference count of prev when dma_fence_add_callback()\nfails, ensuring proper balance.\n\n[phasta: add git tag info for stable kernel]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()\n\nOn the off chance that command stream passed from userspace via\nioctl() call to radeon_vce_cs_parse() is weirdly crafted and\nfirst command to execute is to encode (case 0x03000001), the function\nin question will attempt to call radeon_vce_cs_reloc() with size\nargument that has not been properly initialized. Specifically, 'size'\nwill point to 'tmp' variable before the latter had a chance to be\nassigned any value.\n\nPlay it safe and init 'tmp' with 0, thus ensuring that\nradeon_vce_cs_reloc() will catch an early error in cases like these.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.\n\n(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix an integer overflow in xp_create_and_assign_umem()\n\nSince the i and pool->chunk_size variables are of type 'u32',\ntheir product can wrap around and then be cast to 'u64'.\nThis can lead to two different XDP buffers pointing to the same\nmemory area.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: uefisecapp: fix efivars registration race\n\nSince the conversion to using the TZ allocator, the efivars service is\nregistered before the memory pool has been allocated, something which\ncan lead to a NULL-pointer dereference in case of a racing EFI variable\naccess.\n\nMake sure that all resources have been set up before registering the\nefivars.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-21999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX's inode instantiation.\n\nThe bug is that pde->proc_ops don't belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde->proc_ops->...  dereference.\n\n      rmmod                         lookup\nsys_delete_module\n                         proc_lookup_de\n\t\t\t   pde_get(de);\n\t\t\t   proc_get_inode(dir->i_sb, de);\n  mod->exit()\n    proc_remove\n      remove_proc_subtree\n       proc_entry_rundown(de);\n  free_module(mod);\n\n                               if (S_ISREG(inode->i_mode))\n\t                         if (de->proc_ops->proc_read_iter)\n                           --> As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don't do 2 atomic ops on the common path]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-21999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: drop beyond-EOF folios with the right number of refs\n\nWhen an after-split folio is large and needs to be dropped due to EOF,\nfolio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all\npage cache refs.  Otherwise, the folio will not be freed, causing memory\nleak.\n\nThis leak would happen on a filesystem with blocksize > page_size and a\ntruncate is performed, where the blocksize makes folios split to >0 order\nones, causing truncated folios not being freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix integer overflow in qaic_validate_req()\n\nThese are u64 variables that come from the user via\nqaic_attach_slice_bo_ioctl().  Use check_add_overflow() to ensure that\nthe math doesn't have an integer wrapping bug.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Call `invalidate_cache` only if implemented\n\nMany filesystems such as NFS and Ceph do not implement the\n`invalidate_cache` method.  On those filesystems, if writing to the\ncache (`NETFS_WRITE_TO_CACHE`) fails for some reason, the kernel\ncrashes like this:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor instruction fetch in kernel mode\n #PF: error_code(0x0010) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0010 [#1] SMP PTI\n CPU: 9 UID: 0 PID: 3380 Comm: kworker/u193:11 Not tainted 6.13.3-cm4all1-hp #437\n Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018\n Workqueue: events_unbound netfs_write_collection_worker\n RIP: 0010:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 0018:ffff9b86e2ca7dc0 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 7fffffffffffffff\n RDX: 0000000000000001 RSI: ffff89259d576a18 RDI: ffff89259d576900\n RBP: ffff89259d5769b0 R08: ffff9b86e2ca7d28 R09: 0000000000000002\n R10: ffff89258ceaca80 R11: 0000000000000001 R12: 0000000000000020\n R13: ffff893d158b9338 R14: ffff89259d576900 R15: ffff89259d5769b0\n FS:  0000000000000000(0000) GS:ffff893c9fa40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffffffffffd6 CR3: 000000054442e003 CR4: 00000000001706f0\n Call Trace:\n  <TASK>\n  ? __die+0x1f/0x60\n  ? page_fault_oops+0x15c/0x460\n  ? try_to_wake_up+0x2d2/0x530\n  ? exc_page_fault+0x5e/0x100\n  ? asm_exc_page_fault+0x22/0x30\n  netfs_write_collection_worker+0xe9f/0x12b0\n  ? xs_poll_check_readable+0x3f/0x80\n  ? xs_stream_data_receive_workfn+0x8d/0x110\n  process_one_work+0x134/0x2d0\n  worker_thread+0x299/0x3a0\n  ? __pfx_worker_thread+0x10/0x10\n  kthread+0xba/0xe0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x30/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n Modules linked in:\n CR2: 0000000000000000\n\nThis patch adds the missing `NULL` check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix out of bound read in strscpy() source\n\nCommit 7fdaf8966aae (\"can: ucan: use strscpy() to instead of strncpy()\")\nunintentionally introduced a one byte out of bound read on strscpy()'s\nsource argument (which is kind of ironic knowing that strscpy() is meant\nto be a more secure alternative :)).\n\nLet's consider below buffers:\n\n  dest[len + 1]; /* will be NUL terminated */\n  src[len]; /* may not be NUL terminated */\n\nWhen doing:\n\n  strncpy(dest, src, len);\n  dest[len] = '\\0';\n\nstrncpy() will read up to len bytes from src.\n\nOn the other hand:\n\n  strscpy(dest, src, len + 1);\n\nwill read up to len + 1 bytes from src, that is to say, an out of bound\nread of one byte will occur on src if it is not NUL terminated. Note\nthat the src[len] byte is never copied, but strscpy() still needs to\nread it to check whether a truncation occurred or not.\n\nThis exact pattern happened in ucan.\n\nThe root cause is that the source is not NUL terminated. Instead of\ndoing a copy in a local buffer, directly NUL terminate it as soon as\nusb_control_msg() returns. With this, the local firmware_str[] variable\ncan be removed.\n\nOn top of this do a couple refactors:\n\n  - ucan_ctl_payload->raw is only used for the firmware string, so\n    rename it to ucan_ctl_payload->fw_str and change its type from u8 to\n    char.\n\n  - ucan_device_request_in() is only used to retrieve the firmware\n    string, so rename it to ucan_get_fw_str() and refactor it to make it\n    directly handle all the string termination logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix use after free in lec_send()\n\nThe ->send() operation frees skb so save the length before calling\n->send() to avoid a use after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().\n\nfib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything\nwhen it fails.\n\nCommit 7dd73168e273 (\"ipv6: Always allocate pcpu memory in a fib6_nh\")\nmoved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()\nbut forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in\ncase it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak.\n\nLet's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the\nerror path.\n\nNote that we can remove the fib6_nh_release() call in nh_create_ipv6()\nlater in net-next.git.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw: Fix NAPI registration sequence\n\nRegistering the interrupts for TX or RX DMA Channels prior to registering\ntheir respective NAPI callbacks can result in a NULL pointer dereference.\nThis is seen in practice as a random occurrence since it depends on the\nrandomness associated with the generation of traffic by Linux and the\nreception of traffic from the wire.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.13.9"
        },
        {
          "id": "CVE-2025-22007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix error code in chan_alloc_skb_cb()\n\nThe chan_alloc_skb_cb() function is supposed to return error pointers on\nerror.  Returning NULL will lead to a NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: check that dummy regulator has been probed before using it\n\nDue to asynchronous driver probing there is a chance that the dummy\nregulator hasn't already been probed when first accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: dummy: force synchronous probing\n\nSometimes I get a NULL pointer dereference at boot time in kobject_get()\nwith the following call stack:\n\nanatop_regulator_probe()\n devm_regulator_register()\n  regulator_register()\n   regulator_resolve_supply()\n    kobject_get()\n\nBy placing some extra BUG_ON() statements I could verify that this is\nraised because probing of the 'dummy' regulator driver is not completed\n('dummy_regulator_rdev' is still NULL).\n\nIn the JTAG debugger I can see that dummy_regulator_probe() and\nanatop_regulator_probe() can be run by different kernel threads\n(kworker/u4:*).  I haven't further investigated whether this can be\nchanged or if there are other possibilities to force synchronization\nbetween these two probe routines.  On the other hand I don't expect much\nboot time penalty by probing the 'dummy' regulator synchronously.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix soft lockup during bt pages loop\n\nDriver runs a for-loop when allocating bt pages and mapping them with\nbuffer pages. When a large buffer (e.g. MR over 100GB) is being allocated,\nit may require a considerable loop count. This will lead to soft lockup:\n\n        watchdog: BUG: soft lockup - CPU#27 stuck for 22s!\n        ...\n        Call trace:\n         hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2]\n         hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2]\n         hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2]\n         alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2]\n         hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2]\n         ib_uverbs_reg_mr+0x118/0x290\n\n        watchdog: BUG: soft lockup - CPU#35 stuck for 23s!\n        ...\n        Call trace:\n         hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2]\n         mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2]\n         hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2]\n         alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2]\n         hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2]\n         ib_uverbs_reg_mr+0x120/0x2bc\n\nAdd a cond_resched() to fix soft lockup during these loops. In order not\nto affect the allocation performance of normal-size buffer, set the loop\ncount of a 100GB MR as the threshold to call cond_resched().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: dts: bcm2711: Fix xHCI power-domain\n\nDuring s2idle tests on the Raspberry CM4 the VPU firmware always crashes\non xHCI power-domain resume:\n\nroot@raspberrypi:/sys/power# echo freeze > state\n[   70.724347] xhci_suspend finished\n[   70.727730] xhci_plat_suspend finished\n[   70.755624] bcm2835-power bcm2835-power: Power grafx off\n[   70.761127]  USB: Set power to 0\n\n[   74.653040]  USB: Failed to set power to 1 (-110)\n\nThis seems to be caused because of the mixed usage of\nraspberrypi-power and bcm2835-power at the same time. So avoid\nthe usage of the VPU firmware power-domain driver, which\nprevents the VPU crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"arm64: dts: qcom: sdm845: Affirm IDR0.CCTW on apps_smmu\"\n\nThere are reports that the pagetable walker cache coherency is not a\ngiven across the spectrum of SDM845/850 devices, leading to lock-ups\nand resets. It works fine on some devices (like the Dragonboard 845c,\nbut not so much on the Lenovo Yoga C630).\n\nThis unfortunately looks like a fluke in firmware development, where\nlikely somewhere in the vast hypervisor stack, a change to accommodate\nfor this was only introduced after the initial software release (which\noften serves as a baseline for products).\n\nRevert the change to avoid additional guesswork around crashes.\n\nThis reverts commit 6b31a9744b8726c69bb0af290f8475a368a4b805.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state\n\nThere are several problems with the way hyp code lazily saves the host's\nFPSIMD/SVE state, including:\n\n* Host SVE being discarded unexpectedly due to inconsistent\n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to\n  result in QEMU crashes where SVE is used by memmove(), as reported by\n  Eric Auger:\n\n  https://issues.redhat.com/browse/RHEL-68997\n\n* Host SVE state is discarded *after* modification by ptrace, which was an\n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.\n\n* The host FPMR value can be discarded when running a non-protected VM,\n  where FPMR support is not exposed to a VM, and that VM uses\n  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR\n  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale\n  value in memory.\n\nAvoid these by eagerly saving and \"flushing\" the host's FPSIMD/SVE/SME\nstate when loading a vCPU such that KVM does not need to save any of the\nhost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is\nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is\nplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'\nshould not be used, they are set to NULL; all uses of these will be\nremoved in subsequent patches.\n\nHistorical problems go back at least as far as v5.17, e.g. erroneous\nassumptions about TIF_SVE being clear in commit:\n\n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")\n\n... and so this eager save+flush probably needs to be backported to ALL\nstable trees.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pdr: Fix the potential deadlock\n\nWhen some client process A call pdr_add_lookup() to add the look up for\nthe service and does schedule locator work, later a process B got a new\nserver packet indicating locator is up and call pdr_locator_new_server()\nwhich eventually sets pdr->locator_init_complete to true which process A\nsees and takes list lock and queries domain list but it will timeout due\nto deadlock as the response will queued to the same qmi->wq and it is\nordered workqueue and process B is not able to complete new server\nrequest work due to deadlock on list lock.\n\nFix it by removing the unnecessary list iteration as the list iteration\nis already being done inside locator work, so avoid it here and just\ncall schedule_work() here.\n\n       Process A                        Process B\n\n                                     process_scheduled_works()\npdr_add_lookup()                      qmi_data_ready_work()\n process_scheduled_works()             pdr_locator_new_server()\n                                         pdr->locator_init_complete=true;\n   pdr_locator_work()\n    mutex_lock(&pdr->list_lock);\n\n     pdr_locate_service()                  mutex_lock(&pdr->list_lock);\n\n      pdr_get_domain_list()\n       pr_err(\"PDR: %s get domain list\n               txn wait failed: %d\\n\",\n               req->service_name,\n               ret);\n\nTimeout error log due to deadlock:\n\n\"\n PDR: tms/servreg get domain list txn wait failed: -110\n PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110\n\"\n\nThanks to Bjorn and Johan for letting me know that this commit also fixes\nan audio regression when using the in-kernel pd-mapper as that makes it\neasier to hit this race. [1]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate: fix shmem xarray update during migration\n\nA shmem folio can be either in page cache or in swap cache, but not at the\nsame time.  Namely, once it is in swap cache, folio->mapping should be\nNULL, and the folio is no longer in a shmem mapping.\n\nIn __folio_migrate_mapping(), to determine the number of xarray entries to\nupdate, folio_test_swapbacked() is used, but that conflates shmem in page\ncache case and shmem in swap cache case.  It leads to xarray multi-index\nentry corruption, since it turns a sibling entry to a normal entry during\nxas_store() (see [1] for a userspace reproduction).  Fix it by only using\nfolio_test_swapcache() to determine whether xarray is storing swap cache\nentries or not to choose the right number of xarray entries to update.\n\n[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/\n\nNote:\nIn __split_huge_page(), folio_test_anon() && folio_test_swapcache() is\nused to get swap_cache address space, but that ignores the shmem folio in\nswap cache case.  It could lead to NULL pointer dereferencing when a\nin-swap-cache shmem folio is split at __xa_store(), since\n!folio_test_anon() is true and folio->mapping is NULL.  But fortunately,\nits caller split_huge_page_to_list_to_order() bails out early with EBUSY\nwhen folio->mapping is NULL.  So no need to take care of it here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: fix xa_alloc_cyclic() error handling\n\nIn case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will\nbe returned, which will cause IS_ERR() to be false. Which can lead to\ndereference not allocated pointer (pin).\n\nFix it by checking if err is lower than zero.\n\nThis wasn't found in real usecase, only noticed. Credit to Pierre.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix xa_alloc_cyclic() error handling\n\nIn case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will\nbe returned, which will cause IS_ERR() to be false. Which can lead to\ndereference not allocated pointer (rel).\n\nFix it by checking if err is lower than zero.\n\nThis wasn't found in real usecase, only noticed. Credit to Pierre.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-22018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Fix NULL pointer dereference\n\nWhen MPOA_cache_impos_rcvd() receives the msg, it can trigger\nNull Pointer Dereference Vulnerability if both entry and\nholding_time are NULL. Because there is only for the situation\nwhere entry is NULL and holding_time exists, it can be passed\nwhen both entry and holding_time are NULL. If these are NULL,\nthe entry will be passd to eg_cache_put() as parameter and\nit is referenced by entry->use code in it.\n\nkasan log:\n\n[    3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I\n[    3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[    3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102\n[    3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[    3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470\n[    3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80\n[    3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006\n[    3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e\n[    3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030\n[    3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88\n[    3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15\n[    3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068\n[    3.324185] FS:  000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000\n[    3.325042] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0\n[    3.326430] Call Trace:\n[    3.326725]  <TASK>\n[    3.326927]  ? die_addr+0x3c/0xa0\n[    3.327330]  ? exc_general_protection+0x161/0x2a0\n[    3.327662]  ? asm_exc_general_protection+0x26/0x30\n[    3.328214]  ? vprintk_emit+0x15e/0x420\n[    3.328543]  ? eg_cache_remove_entry+0xa5/0x470\n[    3.328910]  ? eg_cache_remove_entry+0x9a/0x470\n[    3.329294]  ? __pfx_eg_cache_remove_entry+0x10/0x10\n[    3.329664]  ? console_unlock+0x107/0x1d0\n[    3.329946]  ? __pfx_console_unlock+0x10/0x10\n[    3.330283]  ? do_syscall_64+0xa6/0x1a0\n[    3.330584]  ? entry_SYSCALL_64_after_hwframe+0x47/0x7f\n[    3.331090]  ? __pfx_prb_read_valid+0x10/0x10\n[    3.331395]  ? down_trylock+0x52/0x80\n[    3.331703]  ? vprintk_emit+0x15e/0x420\n[    3.331986]  ? __pfx_vprintk_emit+0x10/0x10\n[    3.332279]  ? down_trylock+0x52/0x80\n[    3.332527]  ? _printk+0xbf/0x100\n[    3.332762]  ? __pfx__printk+0x10/0x10\n[    3.333007]  ? _raw_write_lock_irq+0x81/0xe0\n[    3.333284]  ? __pfx__raw_write_lock_irq+0x10/0x10\n[    3.333614]  msg_from_mpoad+0x1185/0x2750\n[    3.333893]  ? __build_skb_around+0x27b/0x3a0\n[    3.334183]  ? __pfx_msg_from_mpoad+0x10/0x10\n[    3.334501]  ? __alloc_skb+0x1c0/0x310\n[    3.334809]  ? __pfx___alloc_skb+0x10/0x10\n[    3.335283]  ? _raw_spin_lock+0xe0/0xe0\n[    3.335632]  ? finish_wait+0x8d/0x1e0\n[    3.335975]  vcc_sendmsg+0x684/0xba0\n[    3.336250]  ? __pfx_vcc_sendmsg+0x10/0x10\n[    3.336587]  ? __pfx_autoremove_wake_function+0x10/0x10\n[    3.337056]  ? fdget+0x176/0x3e0\n[    3.337348]  __sys_sendto+0x4a2/0x510\n[    3.337663]  ? __pfx___sys_sendto+0x10/0x10\n[    3.337969]  ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400\n[    3.338364]  ? sock_ioctl+0x1bb/0x5a0\n[    3.338653]  ? __rseq_handle_notify_resume+0x825/0xd20\n[    3.339017]  ? __pfx_sock_ioctl+0x10/0x10\n[    3.339316]  ? __pfx___rseq_handle_notify_resume+0x10/0x10\n[    3.339727]  ? selinux_file_ioctl+0xa4/0x260\n[    3.340166]  __x64_sys_sendto+0xe0/0x1c0\n[    3.340526]  ? syscall_exit_to_user_mode+0x123/0x140\n[    3.340898]  do_syscall_64+0xa6/0x1a0\n[    3.341170]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[    3.341533] RIP: 0033:0x44a380\n[    3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00\n[    \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: bch2_ioctl_subvolume_destroy() fixes\n\nbch2_evict_subvolume_inodes() was getting stuck - due to incorrectly\npruning the dcache.\n\nAlso, fix missing permissions checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\n\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1\nTainted: [E]=UNSIGNED_MODULE\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x27/0x320\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n print_report+0x3e/0x70\n kasan_report+0xab/0xe0\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\n ? __pfx___schedule+0x10/0x10\n ? kick_pool+0x3b/0x270\n process_one_work+0x357/0x660\n worker_thread+0x390/0x4c0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x190/0x1d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 161446:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x1a7/0x470\n memstick_alloc_host+0x1f/0xe0 [memstick]\n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\n platform_probe+0x60/0xe0\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n bus_probe_device+0xbd/0xd0\n device_add+0x4a5/0x760\n platform_device_add+0x189/0x370\n mfd_add_device+0x587/0x5e0\n mfd_add_devices+0xb1/0x130\n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\n usb_probe_interface+0x15c/0x460\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n rebind_marked_interfaces.isra.0+0xcc/0x110\n usb_reset_device+0x352/0x410\n usbdev_do_ioctl+0xe5c/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 161506:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x36/0x60\n __kasan_slab_free+0x34/0x50\n kfree+0x1fd/0x3b0\n device_release+0x56/0xf0\n kobject_cleanup+0x73/0x1c0\n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\n platform_remove+0x2f/0x50\n device_release_driver_internal+0x24b/0x2e0\n bus_remove_device+0x124/0x1d0\n device_del+0x239/0x530\n platform_device_del.part.0+0x19/0xe0\n platform_device_unregister+0x1c/0x40\n mfd_remove_devices_fn+0x167/0x170\n device_for_each_child_reverse+0xc9/0x130\n mfd_remove_devices+0x6e/0xa0\n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\n usb_unbind_interface+0xf3/0x3f0\n device_release_driver_internal+0x24b/0x2e0\n proc_disconnect_claim+0x13d/0x220\n usbdev_do_ioctl+0xb5e/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x360\n __irq_exit_rcu+0x114/0x130\n sysvec_apic_timer_interrupt+0x72/0x90\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: socket: Lookup orig tuple for IPv6 SNAT\n\nnf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to\nrestore the original 5-tuple in case of SNAT, to be able to find the\nright socket (if any). Then socket_match() can correctly check whether\nthe socket was transparent.\n\nHowever, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this\nconntrack lookup, making xt_socket fail to match on the socket when the\npacket was SNATed. Add the same logic to nf_sk_lookup_slow_v6.\n\nIPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as\npods' addresses are in the fd00::/8 ULA subnet and need to be replaced\nwith the node's external address. Cilium leverages Envoy to enforce L7\npolicies, and Envoy uses transparent sockets. Cilium inserts an iptables\nprerouting rule that matches on `-m socket --transparent` and redirects\nthe packets to localhost, but it fails to match SNATed IPv6 packets due\nto that missing conntrack lookup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Apply the link chain quirk on NEC isoc endpoints\n\nTwo clearly different specimens of NEC uPD720200 (one with start/stop\nbug, one without) were seen to cause IOMMU faults after some Missed\nService Errors. Faulting address is immediately after a transfer ring\nsegment and patched dynamic debug messages revealed that the MSE was\nreceived when waiting for a TD near the end of that segment:\n\n[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0\n[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]\n[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]\n\nIt gets even funnier if the next page is a ring segment accessible to\nthe HC. Below, it reports MSE in segment at ff1e8000, plows through a\nzero-filled page at ff1e9000 and starts reporting events for TRBs in\npage at ff1ea000 every microframe, instead of jumping to seg ff1e6000.\n\n[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0\n[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.\n[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint\n[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31\n[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n\nAt some point completion events change from Isoch Buffer Overrun to\nShort Packet and the HC finally finds cycle bit mismatch in ff1ec000.\n\n[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13\n[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820\n[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2\n\nIt's possible that data from the isochronous device were written to\nrandom buffers of pending TDs on other endpoints (either IN or OUT),\nother devices or even other HCs in the same IOMMU domain.\n\nLastly, an error from a different USB device on another HC. Was it\ncaused by the above? I don't know, but it may have been. The disk\nwas working without any other issues and generated PCIe traffic to\nstarve the NEC of upstream BW and trigger those MSEs. The two HCs\nshared one x1 slot by means of a commercial \"PCIe splitter\" board.\n\n[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd\n[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s\n[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00\n[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0\n\nFortunately, it appears that this ridiculous bug is avoided by setting\nthe chain bit of Link TRBs on isochronous rings. Other ancient HCs are\nknown which also expect the bit to be set and they ignore Link TRBs if\nit's not. Reportedly, 0.95 spec guaranteed that the bit is set.\n\nThe bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports\ntens of MSEs per second and runs into the bug within seconds. Chaining\nLink TRBs allows the same workload to run for many minutes, many times.\n\nNo ne\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Don't skip on Stopped - Length Invalid\n\nUp until commit d56b0b2ab142 (\"usb: xhci: ensure skipped isoc TDs are\nreturned when isoc ring is stopped\") in v6.11, the driver didn't skip\nmissed isochronous TDs when handling Stoppend and Stopped - Length\nInvalid events. Instead, it erroneously cleared the skip flag, which\nwould cause the ring to get stuck, as future events won't match the\nmissed TD which is never removed from the queue until it's cancelled.\n\nThis buggy logic seems to have been in place substantially unchanged\nsince the 3.x series over 10 years ago, which probably speaks first\nand foremost about relative rarity of this case in normal usage, but\nby the spec I see no reason why it shouldn't be possible.\n\nAfter d56b0b2ab142, TDs are immediately skipped when handling those\nStopped events. This poses a potential problem in case of Stopped -\nLength Invalid, which occurs either on completed TDs (likely already\ngiven back) or Link and No-Op TRBs. Such event won't be recognized\nas matching any TD (unless it's the rare Link TRB inside a TD) and\nwill result in skipping all pending TDs, giving them back possibly\nbefore they are done, risking isoc data loss and maybe UAF by HW.\n\nAs a compromise, don't skip and don't clear the skip flag on this\nkind of event. Then the next event will skip missed TDs. A downside\nof not handling Stopped - Length Invalid on a Link inside a TD is\nthat if the TD is cancelled, its actual length will not be updated\nto account for TRBs (silently) completed before the TD was stopped.\n\nI had no luck producing this sequence of completion events so there\nis no compelling demonstration of any resulting disaster. It may be\na very rare, obscure condition. The sole motivation for this patch\nis that if such unlikely event does occur, I'd rather risk reporting\na cancelled partially done isoc frame as empty than gamble with UAF.\n\nThis will be fixed more properly by looking at Stopped event's TRB\npointer when making skipping decisions, but such rework is unlikely\nto be backported to v6.12, which will stay around for a few years.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix management of listener transports\n\nCurrently, when no active threads are running, a root user using nfsdctl\ncommand can try to remove a particular listener from the list of previously\nadded ones, then start the server by increasing the number of threads,\nit leads to the following problem:\n\n[  158.835354] refcount_t: addition on 0; use-after-free.\n[  158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0\n[  158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse\n[  158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G    B   W          6.13.0-rc6+ #7\n[  158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN\n[  158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[  158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  158.841563] pc : refcount_warn_saturate+0x160/0x1a0\n[  158.841780] lr : refcount_warn_saturate+0x160/0x1a0\n[  158.842000] sp : ffff800089be7d80\n[  158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148\n[  158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010\n[  158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028\n[  158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000\n[  158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493\n[  158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000\n[  158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001\n[  158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc\n[  158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000\n[  158.845528] Call trace:\n[  158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)\n[  158.845894]  svc_recv+0x58c/0x680 [sunrpc]\n[  158.846183]  nfsd+0x1fc/0x348 [nfsd]\n[  158.846390]  kthread+0x274/0x2f8\n[  158.846546]  ret_from_fork+0x10/0x20\n[  158.846714] ---[ end trace 0000000000000000 ]---\n\nnfsd_nl_listener_set_doit() would manipulate the list of transports of\nserver's sv_permsocks and close the specified listener but the other\nlist of transports (server's sp_xprts list) would not be changed leading\nto the problem above.\n\nInstead, determined if the nfsdctl is trying to remove a listener, in\nwhich case, delete all the existing listener transports and re-create\nall-but-the-removed ones.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: put dl_stid if fail to queue dl_recall\n\nBefore calling nfsd4_run_cb to queue dl_recall to the callback_wq, we\nincrement the reference count of dl_stid.\nWe expect that after the corresponding work_struct is processed, the\nreference count of dl_stid will be decremented through the callback\nfunction nfsd4_cb_recall_release.\nHowever, if the call to nfsd4_run_cb fails, the incremented reference\ncount of dl_stid will not be decremented correspondingly, leading to the\nfollowing nfs4_stid leak:\nunreferenced object 0xffff88812067b578 (size 344):\n  comm \"nfsd\", pid 2761, jiffies 4295044002 (age 5541.241s)\n  hex dump (first 32 bytes):\n    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........\n    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..\n  backtrace:\n    kmem_cache_alloc+0x4b9/0x700\n    nfsd4_process_open1+0x34/0x300\n    nfsd4_open+0x2d1/0x9d0\n    nfsd4_proc_compound+0x7a2/0xe30\n    nfsd_dispatch+0x241/0x3e0\n    svc_process_common+0x5d3/0xcc0\n    svc_process+0x2a3/0x320\n    nfsd+0x180/0x2e0\n    kthread+0x199/0x1d0\n    ret_from_fork+0x30/0x50\n    ret_from_fork_asm+0x1b/0x30\nunreferenced object 0xffff8881499f4d28 (size 368):\n  comm \"nfsd\", pid 2761, jiffies 4295044005 (age 5541.239s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....\n    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......\n  backtrace:\n    kmem_cache_alloc+0x4b9/0x700\n    nfs4_alloc_stid+0x29/0x210\n    alloc_init_deleg+0x92/0x2e0\n    nfs4_set_delegation+0x284/0xc00\n    nfs4_open_delegation+0x216/0x3f0\n    nfsd4_process_open2+0x2b3/0xee0\n    nfsd4_open+0x770/0x9d0\n    nfsd4_proc_compound+0x7a2/0xe30\n    nfsd_dispatch+0x241/0x3e0\n    svc_process_common+0x5d3/0xcc0\n    svc_process+0x2a3/0x320\n    nfsd+0x180/0x2e0\n    kthread+0x199/0x1d0\n    ret_from_fork+0x30/0x50\n    ret_from_fork_asm+0x1b/0x30\nFix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if\nfail to queue dl_recall.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don't ignore the return code of svc_proc_register()\n\nCurrently, nfsd_proc_stat_init() ignores the return value of\nsvc_proc_register(). If the procfile creation fails, then the kernel\nwill WARN when it tries to remove the entry later.\n\nFix nfsd_proc_stat_init() to return the same type of pointer as\nsvc_proc_register(), and fix up nfsd_net_init() to check that and fail\nthe nfsd_net construction if it occurs.\n\nsvc_proc_register() can fail if the dentry can't be allocated, or if an\nidentical dentry already exists. The second case is pretty unlikely in\nthe nfsd_net construction codepath, so if this happens, return -ENOMEM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: streamzap: fix race between device disconnection and urb callback\n\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev->raw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev->raw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\n\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vimc: skip .s_stream() for stopped entities\n\nSyzbot reported [1] a warning prompted by a check in call_s_stream()\nthat checks whether .s_stream() operation is warranted for unstarted\nor stopped subdevs.\n\nAdd a simple fix in vimc_streamer_pipeline_terminate() ensuring that\nentities skip a call to .s_stream() unless they have been previously\nproperly started.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460\nModules linked in:\nCPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0\n...\nCall Trace:\n <TASK>\n vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62\n vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline]\n vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203\n vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256\n vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789\n vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348\n vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline]\n vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118\n __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122\n video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463\n v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2b85c01b19\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()\n\nCurrently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding\nthe per-CPU acomp_ctx mutex.  crypto_free_acomp() then holds scomp_lock\n(through crypto_exit_scomp_ops_async()).\n\nOn the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through\ncrypto_scomp_init_tfm()), and then allocates memory.  If the allocation\nresults in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.\n\nThe above dependencies can cause an ABBA deadlock.  For example in the\nfollowing scenario:\n\n(1) Task A running on CPU #1:\n    crypto_alloc_acomp_node()\n      Holds scomp_lock\n      Enters reclaim\n      Reads per_cpu_ptr(pool->acomp_ctx, 1)\n\n(2) Task A is descheduled\n\n(3) CPU #1 goes offline\n    zswap_cpu_comp_dead(CPU #1)\n      Holds per_cpu_ptr(pool->acomp_ctx, 1))\n      Calls crypto_free_acomp()\n      Waits for scomp_lock\n\n(4) Task A running on CPU #2:\n      Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1\n      DEADLOCK\n\nSince there is no requirement to call crypto_free_acomp() with the per-CPU\nacomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is\nunlocked.  Also move the acomp_request_free() and kfree() calls for\nconsistency and to avoid any potential subtle locking dependencies in the\nfuture.\n\nWith this, only setting acomp_ctx fields to NULL occurs with the mutex\nheld.  This is similar to how zswap_cpu_comp_prepare() only initializes\nacomp_ctx fields with the mutex held, after performing all allocations\nbefore holding the mutex.\n\nOpportunistically, move the NULL check on acomp_ctx so that it takes place\nbefore the mutex dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\n\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration.  If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge's pci_dev remains NULL.\n\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\n\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead.  This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\n\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers.  PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge.  A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power.  So error out silently.\n\nUser-visible messages:\n\n  pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n  [...]\n  pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\n  pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n  [...]\n  pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n  [...]\n  BUG: kernel NULL pointer dereference\n  RIP: pcie_update_link_speed\n  pcie_bwnotif_enable\n  pcie_bwnotif_probe\n  pcie_port_probe_service\n  really_probe",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix kernel panic due to null pointer dereference\n\nAddress a kernel panic caused by a null pointer dereference in the\n`mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure\nis not properly initialized with the `sta` context. This patch ensures that the\n`deflink` structure is correctly linked to the `sta` context, preventing the\nnull pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000400\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1\n Hardware name:  /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011\n RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000\n RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000\n R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119\n R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000\n FS:  0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0\n Call Trace:\n  <TASK>\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15a/0x2f0\n  ? search_module_extables+0x19/0x60\n  ? search_bpf_extables+0x5f/0x80\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n  mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common]\n  mt76u_alloc_queues+0x784/0x810 [mt76_usb]\n  ? __pfx___mt76_worker_fn+0x10/0x10 [mt76]\n  __mt76_worker_fn+0x4f/0x80 [mt76]\n  kthread+0xd2/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x34/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Don't call NULL in do_compat_alignment_fixup()\n\ndo_alignment_t32_to_handler() only fixes up alignment faults for\nspecific instructions; it returns NULL otherwise (e.g. LDREX). When\nthat's the case, signal to the caller that it needs to proceed with the\nregular alignment fault handling (i.e. SIGBUS). Without this patch, the\nkernel panics:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000086000006\n    EC = 0x21: IABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x06: level 2 translation fault\n  user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000\n  [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000\n  Internal error: Oops: 0000000086000006 [#1] SMP\n  Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa>\n   libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c>\n  CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1  Debian 6.1.128-1\n  Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n  pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : 0x0\n  lr : do_compat_alignment_fixup+0xd8/0x3dc\n  sp : ffff80000f973dd0\n  x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000\n  x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n  x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001\n  x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488\n  x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n  x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000\n  x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001\n  Call trace:\n   0x0\n   do_alignment_fault+0x40/0x50\n   do_mem_abort+0x4c/0xa0\n   el0_da+0x48/0xf0\n   el0t_32_sync_handler+0x110/0x140\n   el0t_32_sync+0x190/0x194\n  Code: bad PC value\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs\n\nPatch series \"mm: fixes for device-exclusive entries (hmm)\", v2.\n\nDiscussing the PageTail() call in make_device_exclusive_range() with\nWilly, I recently discovered [1] that device-exclusive handling does not\nproperly work with THP, making the hmm-tests selftests fail if THPs are\nenabled on the system.\n\nLooking into more details, I found that hugetlb is not properly fenced,\nand I realized that something that was bugging me for longer -- how\ndevice-exclusive entries interact with mapcounts -- completely breaks\nmigration/swapout/split/hwpoison handling of these folios while they have\ndevice-exclusive PTEs.\n\nThe program below can be used to allocate 1 GiB worth of pages and make\nthem device-exclusive on a kernel with CONFIG_TEST_HMM.\n\nOnce they are device-exclusive, these folios cannot get swapped out\n(proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much\none forces memory reclaim), and when having a memory block onlined to\nZONE_MOVABLE, trying to offline it will loop forever and complain about\nfailed migration of a page that should be movable.\n\n# echo offline > /sys/devices/system/memory/memory136/state\n# echo online_movable > /sys/devices/system/memory/memory136/state\n# ./hmm-swap &\n... wait until everything is device-exclusive\n# echo offline > /sys/devices/system/memory/memory136/state\n[  285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000\n  index:0x7f20671f7 pfn:0x442b6a\n[  285.196618][T14882] memcg:ffff888179298000\n[  285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate|\n  dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff)\n[  285.201734][T14882] raw: ...\n[  285.204464][T14882] raw: ...\n[  285.207196][T14882] page dumped because: migration failure\n[  285.209072][T14882] page_owner tracks the page as allocated\n[  285.210915][T14882] page last allocated via order 0, migratetype\n  Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO),\n  id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774\n[  285.216765][T14882]  post_alloc_hook+0x197/0x1b0\n[  285.218874][T14882]  get_page_from_freelist+0x76e/0x3280\n[  285.220864][T14882]  __alloc_frozen_pages_noprof+0x38e/0x2740\n[  285.223302][T14882]  alloc_pages_mpol+0x1fc/0x540\n[  285.225130][T14882]  folio_alloc_mpol_noprof+0x36/0x340\n[  285.227222][T14882]  vma_alloc_folio_noprof+0xee/0x1a0\n[  285.229074][T14882]  __handle_mm_fault+0x2b38/0x56a0\n[  285.230822][T14882]  handle_mm_fault+0x368/0x9f0\n...\n\nThis series fixes all issues I found so far.  There is no easy way to fix\nwithout a bigger rework/cleanup.  I have a bunch of cleanups on top (some\npreviously sent, some the result of the discussion in v1) that I will send\nout separately once this landed and I get to it.\n\nI wish we could just use some special present PROT_NONE PTEs instead of\nthese (non-present, non-none) fake-swap entries; but that just results in\nthe same problem we keep having (lack of spare PTE bits), and staring at\nother similar fake-swap entries, that ship has sailed.\n\nWith this series, make_device_exclusive() doesn't actually belong into\nmm/rmap.c anymore, but I'll leave moving that for another day.\n\nI only tested this series with the hmm-tests selftests due to lack of HW,\nso I'd appreciate some testing, especially if the interaction between two\nGPUs wanting a device-exclusive entry works as expected.\n\n<program>\n#include <stdio.h>\n#include <fcntl.h>\n#include <stdint.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/mman.h>\n#include <sys/ioctl.h>\n#include <linux/types.h>\n#include <linux/ioctl.h>\n\n#define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, struct hmm_dmirror_cmd)\n\nstruct hmm_dmirror_cmd {\n\t__u64 addr;\n\t__u64 ptr;\n\t__u64 npages;\n\t__u64 cpages;\n\t__u64 faults;\n};\n\nconst size_t size = 1 * 1024 * 1024 * 1024ul;\nconst size_t chunk_size = 2 * 1024 * 1024ul;\n\nint m\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix use-after-free in print_graph_function_flags during tracer switching\n\nKairui reported a UAF issue in print_graph_function_flags() during\nftrace stress testing [1]. This issue can be reproduced if putting a\n'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),\nand executing the following script:\n\n  $ echo function_graph > current_tracer\n  $ cat trace > /dev/null &\n  $ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point\n  $ echo timerlat > current_tracer\n\nThe root cause lies in the two calls to print_graph_function_flags\nwithin print_trace_line during each s_show():\n\n  * One through 'iter->trace->print_line()';\n  * Another through 'event->funcs->trace()', which is hidden in\n    print_trace_fmt() before print_trace_line returns.\n\nTracer switching only updates the former, while the latter continues\nto use the print_line function of the old tracer, which in the script\nabove is print_graph_function_flags.\n\nMoreover, when switching from the 'function_graph' tracer to the\n'timerlat' tracer, s_start only calls graph_trace_close of the\n'function_graph' tracer to free 'iter->private', but does not set\nit to NULL. This provides an opportunity for 'event->funcs->trace()'\nto use an invalid 'iter->private'.\n\nTo fix this issue, set 'iter->private' to NULL immediately after\nfreeing it in graph_trace_close(), ensuring that an invalid pointer\nis not passed to other tracers. Additionally, clean up the unnecessary\n'iter->private = NULL' during each 'cat trace' when using wakeup and\nirqsoff tracers.\n\n [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix random stack corruption after get_block\n\nWhen get_block is called with a buffer_head allocated on the stack, such\nas do_mpage_readpage, stack corruption due to buffer_head UAF may occur in\nthe following race condition situation.\n\n     <CPU 0>                      <CPU 1>\nmpage_read_folio\n  <<bh on stack>>\n  do_mpage_readpage\n    exfat_get_block\n      bh_read\n        __bh_read\n\t  get_bh(bh)\n          submit_bh\n          wait_on_buffer\n                              ...\n                              end_buffer_read_sync\n                                __end_buffer_read_notouch\n                                   unlock_buffer\n          <<keep going>>\n        ...\n      ...\n    ...\n  ...\n<<bh is not valid out of mpage_read_folio>>\n   .\n   .\nanother_function\n  <<variable A on stack>>\n                                   put_bh(bh)\n                                     atomic_dec(bh->b_count)\n  * stack corruption here *\n\nThis patch returns -EAGAIN if a folio does not have buffers when bh_read\nneeds to be called. By doing this, the caller can fallback to functions\nlike block_read_full_folio(), create a buffer_head in the folio, and then\ncall get_block again.\n\nLet's not call bh_read() with an on-stack buffer_head.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference in alloc_preauth_hash()\n\nThe client sends a malformed smb2 negotiate request. ksmbd returns an error\nresponse. Subsequently, the client can send smb2 session setup even\nthough conn->preauth_info is not allocated.\nThis patch adds the KSMBD_SESS_NEED_SETUP status of connection to ignore\nsession setup requests if the smb2 negotiate phase is not complete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate zero num_subauth before sub_auth is accessed\n\nAccess psid->sub_auth[psid->num_subauth - 1] without checking\nif num_subauth is non-zero leads to an out-of-bounds read.\nThis patch adds a validation step to ensure num_subauth != 0\nbefore sub_auth is accessed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix overflow in dacloffset bounds check\n\nThe dacloffset field was originally typed as int and used in an\nunchecked addition, which could overflow and bypass the existing\nbounds check in both smb_check_perm_dacl() and smb_inherit_dacl().\n\nThis could result in out-of-bounds memory access and a kernel crash\nwhen dereferencing the DACL pointer.\n\nThis patch converts dacloffset to unsigned int and uses\ncheck_add_overflow() to validate access to the DACL.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix session use-after-free in multichannel connection\n\nThere is a race condition between session setup and\nksmbd_sessions_deregister. The session can be freed before the connection\nis added to the channel list of the session.\nThis patch checks the reference count of the session before freeing it.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_sessions_deregister()\n\nIn multichannel mode, a UAF issue can occur in session_deregister\nwhen the second channel sets up a session through the connection of\nthe first channel. A session that is freed through the global session\ntable can be accessed again through ->sessions of the connection.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add bounds check for create lease context\n\nAdd missing bounds check for create lease context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add bounds check for durable handle context\n\nAdd missing bounds check for durable handle context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: nfit: fix narrowing conversion in acpi_nfit_ctl\n\nSyzkaller has reported a warning in to_nfit_bus_uuid(): \"only secondary\nbus families can be translated\". This warning is emitted if the argument\nis equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first\nverifies that a user-provided value call_pkg->nd_family of type u64 is\nnot equal to 0. Then the value is converted to int, and only after that\nis compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid\nargument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while\nthe lower 32 bits are zero.\n\nFurthermore, it is best to return EINVAL immediately upon seeing the\ninvalid user input.  The WARNING is insufficient to prevent further\nundefined behavior based on other invalid user input.\n\nAll checks of the input value should be applied to the original variable\ncall_pkg->nd_family.\n\n[iweiny: update commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\n\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\n\n    collapse_pte_mapped_thp\n      pmdp_collapse_flush\n        flush_tlb_range\n\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\n\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn't have much impact:\n\n - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\n   IPI'd to avoid issues with speculative page table walks.\n - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\n\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)\nwould probably be making the impact of this a lot worse.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes/x86: Harden uretprobe syscall trampoline check\n\nJann reported a possible issue when trampoline_check_ip returns an\naddress near the bottom of the address space that is allowed to\ncall into the syscall if uretprobes are not set up:\n\n   https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf\n\nThough the mmap minimum address restrictions will typically prevent\ncreating mappings there, let's make sure uretprobe syscall checks\nfor that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix __apply_microcode_amd()'s return value\n\nWhen verify_sha256_digest() fails, __apply_microcode_amd() should propagate\nthe failure by returning false (and not -1 which is promoted to true).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Don't override subprog's return value\n\nThe verifier test `calls: div by 0 in subprog` triggers a panic at the\nld.bu instruction. The ld.bu insn is trying to load byte from memory\naddress returned by the subprog. The subprog actually set the correct\naddress at the a5 register (dedicated register for BPF return values).\nBut at commit 73c359d1d356 (\"LoongArch: BPF: Sign-extend return values\")\nwe also sign extended a5 to the a0 register (return value in LoongArch).\nFor function call insn, we later propagate the a0 register back to a5\nregister. This is right for native calls but wrong for bpf2bpf calls\nwhich expect zero-extended return value in a5 register. So only move a0\nto a5 for native calls (i.e. non-BPF_PSEUDO_CALL).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Increase ARCH_DMA_MINALIGN up to 16\n\nARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices\n(such as APBDMA) require 16-byte alignment. When the data buffer length\nis too small, the hardware may make an error writing cacheline. Thus, it\nis dangerous to allocate a small memory buffer for DMA. It's always safe\nto define ARCH_DMA_MINALIGN as L1_CACHE_BYTES but unnecessary (kmalloc()\nneeds small memory objects). Therefore, just increase it to 16.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet:fix NPE during rx_complete\n\nMissing usbnet_going_away Check in Critical Path.\nThe usb_submit_urb function lacks a usbnet_going_away\nvalidation, whereas __usbnet_queue_skb includes this check.\n\nThis inconsistency creates a race condition where:\nA URB request may succeed, but the corresponding SKB data\nfails to be queued.\n\nSubsequent processes:\n(e.g., rx_complete \u2192 defer_bh \u2192 __skb_unlink(skb, list))\nattempt to access skb->next, triggering a NULL pointer\ndereference (Kernel Panic).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gpib: Fix Oops after disconnect in agilent usb\n\nIf the agilent usb dongle is disconnected, subsequent calls to the\ndriver cause a NULL dereference Oops as the bus_interface\nis set to NULL on disconnect.\n\nThis problem was introduced by setting usb_dev from the bus_interface\nfor dev_xxx messages.\n\nPreviously bus_interface was checked for NULL only in the functions\ndirectly calling usb_fill_bulk_urb or usb_control_msg.\n\nCheck for valid bus_interface on all interface entry points\nand return -ENODEV if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gpib: Fix Oops after disconnect in ni_usb\n\nIf the usb dongle is disconnected, subsequent calls to the\ndriver cause a NULL dereference Oops as the bus_interface\nis set to NULL on disconnect.\n\nThis problem was introduced by setting usb_dev from the bus_interface\nfor dev_xxx messages.\n\nPreviously bus_interface was checked for NULL only in the functions\ndirectly calling usb_fill_bulk_urb or usb_control_msg.\n\nCheck for valid bus_interface on all interface entry points\nand return -ENODEV if it is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ibmveth: make veth_pool_store stop hanging\n\nv2:\n- Created a single error handling unlock and exit in veth_pool_store\n- Greatly expanded commit message with previous explanatory-only text\n\nSummary: Use rtnl_mutex to synchronize veth_pool_store with itself,\nibmveth_close and ibmveth_open, preventing multiple calls in a row to\nnapi_disable.\n\nBackground: Two (or more) threads could call veth_pool_store through\nwriting to /sys/devices/vio/30000002/pool*/*. You can do this easily\nwith a little shell script. This causes a hang.\n\nI configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new\nkernel. I ran this test again and saw:\n\n    Setting pool0/active to 0\n    Setting pool1/active to 1\n    [   73.911067][ T4365] ibmveth 30000002 eth0: close starting\n    Setting pool1/active to 1\n    Setting pool1/active to 0\n    [   73.911367][ T4366] ibmveth 30000002 eth0: close starting\n    [   73.916056][ T4365] ibmveth 30000002 eth0: close complete\n    [   73.916064][ T4365] ibmveth 30000002 eth0: open starting\n    [  110.808564][  T712] systemd-journald[712]: Sent WATCHDOG=1 notification.\n    [  230.808495][  T712] systemd-journald[712]: Sent WATCHDOG=1 notification.\n    [  243.683786][  T123] INFO: task stress.sh:4365 blocked for more than 122 seconds.\n    [  243.683827][  T123]       Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8\n    [  243.683833][  T123] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n    [  243.683838][  T123] task:stress.sh       state:D stack:28096 pid:4365  tgid:4365  ppid:4364   task_flags:0x400040 flags:0x00042000\n    [  243.683852][  T123] Call Trace:\n    [  243.683857][  T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable)\n    [  243.683868][  T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0\n    [  243.683878][  T123] [c00000000c38f8a0] [c000000001549a70] 
__schedule+0x500/0x12a0\n    [  243.683888][  T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210\n    [  243.683896][  T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50\n    [  243.683904][  T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0\n    [  243.683913][  T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60\n    [  243.683921][  T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc\n    [  243.683928][  T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270\n    [  243.683936][  T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0\n    [  243.683944][  T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0\n    [  243.683951][  T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650\n    [  243.683958][  T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150\n    [  243.683966][  T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340\n    [  243.683973][  T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n    ...\n    [  243.684087][  T123] Showing all locks held in the system:\n    [  243.684095][  T123] 1 lock held by khungtaskd/123:\n    [  243.684099][  T123]  #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248\n    [  243.684114][  T123] 4 locks held by stress.sh/4365:\n    [  243.684119][  T123]  #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150\n    [  243.684132][  T123]  #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0\n    [  243.684143][  T123]  #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0\n    [  243.684155][  T123]  #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60\n    [  243.684166][  T123] 5 locks held by stress.sh/4366:\n    [  243.684170][  T123]  #0: 
c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150\n    [  243.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narcnet: Add NULL check in com20020pci_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ncom20020pci_probe() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensure\nno resources are left allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix geneve_opt length integer overflow\n\nstruct geneve_opt uses 5 bit length for each single option, which\nmeans every vary size option should be smaller than 128 bytes.\n\nHowever, all current related Netlink policies cannot promise this\nlength condition and the attacker can exploit a exact 128-byte size\noption to *fake* a zero length option and confuse the parsing logic,\nfurther achieve heap out-of-bounds read.\n\nOne example crash log is like below:\n\n[    3.905425] ==================================================================\n[    3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0\n[    3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177\n[    3.906646]\n[    3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1\n[    3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[    3.907784] Call Trace:\n[    3.907925]  <TASK>\n[    3.908048]  dump_stack_lvl+0x44/0x5c\n[    3.908258]  print_report+0x184/0x4be\n[    3.909151]  kasan_report+0xc5/0x100\n[    3.909539]  kasan_check_range+0xf3/0x1a0\n[    3.909794]  memcpy+0x1f/0x60\n[    3.909968]  nla_put+0xa9/0xe0\n[    3.910147]  tunnel_key_dump+0x945/0xba0\n[    3.911536]  tcf_action_dump_1+0x1c1/0x340\n[    3.912436]  tcf_action_dump+0x101/0x180\n[    3.912689]  tcf_exts_dump+0x164/0x1e0\n[    3.912905]  fw_dump+0x18b/0x2d0\n[    3.913483]  tcf_fill_node+0x2ee/0x460\n[    3.914778]  tfilter_notify+0xf4/0x180\n[    3.915208]  tc_new_tfilter+0xd51/0x10d0\n[    3.918615]  rtnetlink_rcv_msg+0x4a2/0x560\n[    3.919118]  netlink_rcv_skb+0xcd/0x200\n[    3.919787]  netlink_unicast+0x395/0x530\n[    3.921032]  netlink_sendmsg+0x3d0/0x6d0\n[    3.921987]  __sock_sendmsg+0x99/0xa0\n[    3.922220]  __sys_sendto+0x1b7/0x240\n[    3.922682]  __x64_sys_sendto+0x72/0x90\n[    3.922906]  
do_syscall_64+0x5e/0x90\n[    3.923814]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[    3.924122] RIP: 0033:0x7e83eab84407\n[    3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[    3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\n[    3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407\n[    3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003\n[    3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c\n[    3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0\n[    3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8\n\nFix these issues by enforcing correct length condition in related\npolicies.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tunnel: fix geneve_opt type confusion addition\n\nWhen handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the\nparsing logic should place every geneve_opt structure one by one\ncompactly. Hence, when deciding the next geneve_opt position, the\npointer addition should be in units of char *.\n\nHowever, the current implementation erroneously does type conversion\nbefore the addition, which will lead to heap out-of-bounds write.\n\n[    6.989857] ==================================================================\n[    6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70\n[    6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178\n[    6.991162]\n[    6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1\n[    6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[    6.992281] Call Trace:\n[    6.992423]  <TASK>\n[    6.992586]  dump_stack_lvl+0x44/0x5c\n[    6.992801]  print_report+0x184/0x4be\n[    6.993790]  kasan_report+0xc5/0x100\n[    6.994252]  kasan_check_range+0xf3/0x1a0\n[    6.994486]  memcpy+0x38/0x60\n[    6.994692]  nft_tunnel_obj_init+0x977/0xa70\n[    6.995677]  nft_obj_init+0x10c/0x1b0\n[    6.995891]  nf_tables_newobj+0x585/0x950\n[    6.996922]  nfnetlink_rcv_batch+0xdf9/0x1020\n[    6.998997]  nfnetlink_rcv+0x1df/0x220\n[    6.999537]  netlink_unicast+0x395/0x530\n[    7.000771]  netlink_sendmsg+0x3d0/0x6d0\n[    7.001462]  __sock_sendmsg+0x99/0xa0\n[    7.001707]  ____sys_sendmsg+0x409/0x450\n[    7.002391]  ___sys_sendmsg+0xfd/0x170\n[    7.003145]  __sys_sendmsg+0xea/0x170\n[    7.004359]  do_syscall_64+0x5e/0x90\n[    7.005817]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[    7.006127] RIP: 0033:0x7ec756d4e407\n[    7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b 
c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[    7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[    7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407\n[    7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003\n[    7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000\n[    7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[    7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8\n\nFix this bug with correct pointer addition and conversion in parse\nand dump code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: decrease cached dst counters in dst_release\n\nUpstream fix ac888d58869b (\"net: do not delay dst_entries_add() in\ndst_release()\") moved decrementing the dst count from dst_destroy to\ndst_release to avoid accessing already freed data in case of netns\ndismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels\nare used, this fix is incomplete as the same issue will be seen for\ncached dsts:\n\n  Unable to handle kernel paging request at virtual address ffff5aabf6b5c000\n  Call trace:\n   percpu_counter_add_batch+0x3c/0x160 (P)\n   dst_release+0xec/0x108\n   dst_cache_destroy+0x68/0xd8\n   dst_destroy+0x13c/0x168\n   dst_destroy_rcu+0x1c/0xb0\n   rcu_do_batch+0x18c/0x7d0\n   rcu_core+0x174/0x378\n   rcu_core_si+0x18/0x30\n\nFix this by invalidating the cache, and thus decrementing cached dst\ncounters, in dst_release too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix memory accounting leak.\n\nMatt Dowling reported a weird UDP memory usage issue.\n\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\nremains close to zero.  However, it occasionally spiked to 524,288 pages\nand never dropped.  Moreover, the value doubled when the application was\nterminated.  Finally, it caused intermittent packet drops.\n\nWe can reproduce the issue with the script below [0]:\n\n  1. /proc/net/sockstat reports 0 pages\n\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 0\n\n  2. Run the script till the report reaches 524,288\n\n    # python3 test.py & sleep 5\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT\n\n  3. Kill the socket and confirm the number never drops\n\n    # pkill python3 && sleep 5\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 524288\n\n  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\n\n    # python3 test.py & sleep 1 && pkill python3\n\n  5. The number doubles\n\n    # cat /proc/net/sockstat | grep UDP:\n    UDP: inuse 1 mem 1048577\n\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\noverflow in udp_rmem_release().\n\nWhen a socket is close()d, udp_destruct_common() purges its receive\nqueue and sums up skb->truesize in the queue.  This total is calculated\nand stored in a local unsigned integer variable.\n\nThe total size is then passed to udp_rmem_release() to adjust memory\naccounting.  
However, because the function takes a signed integer\nargument, the total size can wrap around, causing an overflow.\n\nThen, the released amount is calculated as follows:\n\n  1) Add size to sk->sk_forward_alloc.\n  2) Round down sk->sk_forward_alloc to the nearest lower multiple of\n      PAGE_SIZE and assign it to amount.\n  3) Subtract amount from sk->sk_forward_alloc.\n  4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().\n\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\n\nAt 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and\n2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't\nsee a warning in inet_sock_destruct().  However, udp_memory_allocated\nends up doubling at 4).\n\nSince commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for\nmemory_allocated\"), memory usage no longer doubles immediately after\na socket is close()d because __sk_mem_reduce_allocated() caches the\namount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP\nsocket receives a packet, the subtraction takes effect, causing UDP\nmemory usage to double.\n\nThis issue makes further memory allocation fail once the socket's\nsk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\ndrops.\n\nTo prevent this issue, let's use unsigned int for the calculation and\ncall sk_forward_alloc_add() only once for the small delta.\n\nNote that first_packet_length() also potentially has the same problem.\n\n[0]:\nfrom socket import *\n\nSO_RCVBUFFORCE = 33\nINT_MAX = (2 ** 31) - 1\n\ns = socket(AF_INET, SOCK_DGRAM)\ns.bind(('', 0))\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\n\nc = socket(AF_INET, SOCK_DGRAM)\nc.connect(s.getsockname())\n\ndata = b'a' * 100\n\nwhile True:\n    c.send(data)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix multiple wraparounds of sk->sk_rmem_alloc.\n\n__udp_enqueue_schedule_skb() has the following condition:\n\n  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n          goto drop;\n\nsk->sk_rcvbuf is initialised by net.core.rmem_default and later can\nbe configured by SO_RCVBUF, which is limited by net.core.rmem_max,\nor SO_RCVBUFFORCE.\n\nIf we set INT_MAX to sk->sk_rcvbuf, the condition is always false\nas sk->sk_rmem_alloc is also signed int.\n\nThen, the size of the incoming skb is added to sk->sk_rmem_alloc\nunconditionally.\n\nThis results in integer overflow (possibly multiple times) on\nsk->sk_rmem_alloc and allows a single socket to have skb up to\nnet.core.udp_mem[1].\n\nFor example, if we set a large value to udp_mem[1] and INT_MAX to\nsk->sk_rcvbuf and flood packets to the socket, we can see multiple\noverflows:\n\n  # cat /proc/net/sockstat | grep UDP:\n  UDP: inuse 3 mem 7956736  <-- (7956736 << 12) bytes > INT_MAX * 15\n                                             ^- PAGE_SHIFT\n  # ss -uam\n  State  Recv-Q      ...\n  UNCONN -1757018048 ...    
<-- flipping the sign repeatedly\n         skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)\n\nPreviously, we had a boundary check for INT_MAX, which was removed by\ncommit 6a1f12dd85a8 (\"udp: relax atomic operation on sk->sk_rmem_alloc\").\n\nA complete fix would be to revert it and cap the right operand by\nINT_MAX:\n\n  rmem = atomic_add_return(size, &sk->sk_rmem_alloc);\n  if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))\n          goto uncharge_drop;\n\nbut we do not want to add the expensive atomic_add_return() back just\nfor the corner case.\n\nCasting rmem to unsigned int prevents multiple wraparounds, but we still\nallow a single wraparound.\n\n  # cat /proc/net/sockstat | grep UDP:\n  UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> 12\n\n  # ss -uam\n  State  Recv-Q      ...\n  UNCONN -2147482816 ...   <-- INT_MAX + 831 bytes\n         skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)\n\nSo, let's define rmem and rcvbuf as unsigned int and check skb->truesize\nonly when rcvbuf is large enough to lower the overflow possibility.\n\nNote that we still have a small chance to see overflow if multiple skbs\nto the same socket are processed on different cores at the same time and\neach size does not exceed the limit but the total size does.\n\nNote also that we must ignore skb->truesize for a small buffer as\nexplained in commit 363dc73acacb (\"udp: be less conservative with\nsock rmem accounting\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: Prevent parser TCAM memory corruption\n\nProtect the parser TCAM/SRAM memory, and the cached (shadow) SRAM\ninformation, from concurrent modifications.\n\nBoth the TCAM and SRAM tables are indirectly accessed by configuring\nan index register that selects the row to read or write to. This means\nthat operations must be atomic in order to, e.g., avoid spreading\nwrites across multiple rows. Since the shadow SRAM array is used to\nfind free rows in the hardware table, it must also be protected in\norder to avoid TOCTOU errors where multiple cores allocate the same\nrow.\n\nThis issue was detected in a situation where `mvpp2_set_rx_mode()` ran\nconcurrently on two CPUs. In this particular case the\nMVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the\nclassifier unit to drop all incoming unicast - indicated by the\n`rx_classifier_drops` counter.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue()\n\nFix the following kernel warning deleting HTB offloaded leafs and/or root\nHTB qdisc in airoha_eth driver properly reporting qid in\nairoha_tc_get_htb_get_leaf_queue routine.\n\n$tc qdisc replace dev eth1 root handle 10: htb offload\n$tc class add dev eth1 arent 10: classid 10:4 htb rate 100mbit ceil 100mbit\n$tc qdisc replace dev eth1 parent 10:4 handle 4: ets bands 8 \\\n quanta 1514 3028 4542 6056 7570 9084 10598 12112\n$tc qdisc del dev eth1 root\n\n[   55.827864] ------------[ cut here ]------------\n[   55.832493] WARNING: CPU: 3 PID: 2678 at 0xffffffc0798695a4\n[   55.956510] CPU: 3 PID: 2678 Comm: tc Tainted: G           O 6.6.71 #0\n[   55.963557] Hardware name: Airoha AN7581 Evaluation Board (DT)\n[   55.969383] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   55.976344] pc : 0xffffffc0798695a4\n[   55.979851] lr : 0xffffffc079869a20\n[   55.983358] sp : ffffffc0850536a0\n[   55.986665] x29: ffffffc0850536a0 x28: 0000000000000024 x27: 0000000000000001\n[   55.993800] x26: 0000000000000000 x25: ffffff8008b19000 x24: ffffff800222e800\n[   56.000935] x23: 0000000000000001 x22: 0000000000000000 x21: ffffff8008b19000\n[   56.008071] x20: ffffff8002225800 x19: ffffff800379d000 x18: 0000000000000000\n[   56.015206] x17: ffffffbf9ea59000 x16: ffffffc080018000 x15: 0000000000000000\n[   56.022342] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000001\n[   56.029478] x11: ffffffc081471008 x10: ffffffc081575a98 x9 : 0000000000000000\n[   56.036614] x8 : ffffffc08167fd40 x7 : ffffffc08069e104 x6 : ffffff8007f86000\n[   56.043748] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000001\n[   56.050884] x2 : 0000000000000000 x1 : 0000000000000250 x0 : ffffff800222c000\n[   56.058020] Call trace:\n[   56.060459]  0xffffffc0798695a4\n[   56.063618]  0xffffffc079869a20\n[  
 56.066777]  __qdisc_destroy+0x40/0xa0\n[   56.070528]  qdisc_put+0x54/0x6c\n[   56.073748]  qdisc_graft+0x41c/0x648\n[   56.077324]  tc_get_qdisc+0x168/0x2f8\n[   56.080978]  rtnetlink_rcv_msg+0x230/0x330\n[   56.085076]  netlink_rcv_skb+0x5c/0x128\n[   56.088913]  rtnetlink_rcv+0x14/0x1c\n[   56.092490]  netlink_unicast+0x1e0/0x2c8\n[   56.096413]  netlink_sendmsg+0x198/0x3c8\n[   56.100337]  ____sys_sendmsg+0x1c4/0x274\n[   56.104261]  ___sys_sendmsg+0x7c/0xc0\n[   56.107924]  __sys_sendmsg+0x44/0x98\n[   56.111492]  __arm64_sys_sendmsg+0x20/0x28\n[   56.115580]  invoke_syscall.constprop.0+0x58/0xfc\n[   56.120285]  do_el0_svc+0x3c/0xbc\n[   56.123592]  el0_svc+0x18/0x4c\n[   56.126647]  el0t_64_sync_handler+0x118/0x124\n[   56.131005]  el0t_64_sync+0x150/0x154\n[   56.134660] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: add mutual exclusion in proc_sctp_do_udp_port()\n\nWe must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()\nor risk a crash as syzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\n RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653\nCall Trace:\n <TASK>\n  udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181\n  sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930\n  proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553\n  proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601\n  iter_file_splice_write+0x91c/0x1150 fs/splice.c:738\n  do_splice_from fs/splice.c:935 [inline]\n  direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158\n  splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102\n  do_splice_direct_actor fs/splice.c:1201 [inline]\n  do_splice_direct+0x174/0x240 fs/splice.c:1227\n  do_sendfile+0xafd/0xe50 fs/read_write.c:1368\n  __do_sys_sendfile64 fs/read_write.c:1429 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1415 [inline]\n  __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets\n\nWhen calling netlbl_conn_setattr(), addr->sa_family is used\nto determine the function behavior. If sk is an IPv4 socket,\nbut the connect function is called with an IPv6 address,\nthe function calipso_sock_setattr() is triggered.\nInside this function, the following code is executed:\n\nsk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;\n\nSince sk is an IPv4 socket, pinet6 is NULL, leading to a\nnull pointer dereference.\n\nThis patch fixes the issue by checking if inet6_sk(sk)\nreturns a NULL pointer before accessing pinet6.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don't unregister hook when table is dormant\n\nWhen nf_tables_updchain encounters an error, hook registration needs to\nbe rolled back.\n\nThis should only be done if the hook has been registered, which won't\nhappen when the table is flagged as dormant (inactive).\n\nJust move the assignment into the registration block.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix adapter NULL pointer dereference on reboot\n\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\nsriov_disable(), because the VF devices use the idpf driver, hence the\nsame remove routine. When that happens, it is possible for the adapter\nto be NULL from the first call to idpf_remove(), leading to a NULL\npointer dereference.\n\necho 1 > /sys/class/net/<netif>/device/sriov_numvfs\nreboot\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\n...\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\n...\n? idpf_remove+0x22/0x1f0 [idpf]\n? idpf_remove+0x1e4/0x1f0 [idpf]\npci_device_remove+0x3f/0xb0\ndevice_release_driver_internal+0x19f/0x200\npci_stop_bus_device+0x6d/0x90\npci_stop_and_remove_bus_device+0x12/0x20\npci_iov_remove_virtfn+0xbe/0x120\nsriov_disable+0x34/0xe0\nidpf_sriov_configure+0x58/0x140 [idpf]\nidpf_remove+0x1b9/0x1f0 [idpf]\nidpf_shutdown+0x12/0x30 [idpf]\npci_device_shutdown+0x35/0x60\ndevice_shutdown+0x156/0x200\n...\n\nReplace the direct idpf_remove() call in idpf_shutdown() with\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\ndestroying the vports and freeing the mailbox. This avoids the calls to\nsriov_disable() in addition to a small netdev cleanup, and destroying\nworkqueues, which don't seem to be required on shutdown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: imx-card: Add NULL check in imx_card_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nimx_card_probe() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence: Fix out-of-bounds array access in cdns_mrvl_xspi_setup_clock()\n\nIf requested_clk > 128, cdns_mrvl_xspi_setup_clock() iterates over the\nentire cdns_mrvl_xspi_clk_div_list array without breaking out early,\ncausing 'i' to go beyond the array bounds.\n\nFix that by stopping the loop when it gets to the last entry, clamping\nthe clock to the minimum 6.25 MHz.\n\nFixes the following warning with an UBSAN kernel:\n\n  vmlinux.o: warning: objtool: cdns_mrvl_xspi_setup_clock: unexpected end of section .text.cdns_mrvl_xspi_setup_clock",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: make sure ubq->canceling is set when queue is frozen\n\nNow ublk driver depends on `ubq->canceling` for deciding if the request\ncan be dispatched via uring_cmd & io_uring_cmd_complete_in_task().\n\nOnce ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd()\nand io_uring_cmd_done().\n\nSo set ubq->canceling when queue is frozen, this way makes sure that the\nflag can be observed from ublk_queue_rq() reliably, and avoids\nuse-after-free on uring_cmd.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler\n\nNaresh Kamboju reported a \"Bad frame pointer\" kernel warning while\nrunning LTP trace ftrace_stress_test.sh in riscv. We can reproduce the\nsame issue with the following command:\n\n```\n$ cd /sys/kernel/debug/tracing\n$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events\n$ echo 1 > events/fprobes/enable\n$ echo 1 > tracing_on\n$ sleep 1\n```\n\nAnd we can get the following kernel warning:\n\n[  127.692888] ------------[ cut here ]------------\n[  127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000\n[  127.693755]   from func do_nanosleep return to ffffffff800ccb16\n[  127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be\n[  127.699894] Modules linked in:\n[  127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32\n[  127.701453] Hardware name: riscv-virtio,qemu (DT)\n[  127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be\n[  127.702032]  ra : ftrace_return_to_handler+0x1b2/0x1be\n[  127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10\n[  127.702221]  gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000\n[  127.702284]  t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80\n[  127.702346]  s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20\n[  127.702408]  a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000\n[  127.702470]  a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[  127.702530]  s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0\n[  127.702591]  s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068\n[  127.702651]  s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001\n[  127.702710]  s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e\n[  127.702769]  t5 : ffffffff819d89a0 t6 : ff2000000065bb18\n[  127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003\n[  127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be\n[  127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26\n[  127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26\n[  127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54\n[  127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a\n[  127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218\n[  127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156\n[  127.705436] ---[ end trace 0000000000000000 ]---\n\nThe reason is that the stack layout for constructing argument for the\nftrace_return_to_handler in the return_to_handler does not match the\n__arch_ftrace_regs structure of riscv, leading to unexpected results.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix NULL pointer dereference on mkdir\n\nWhen a 9p tree was mounted with option 'posixacl', parent directory had a\ndefault ACL set for its subdirectories, e.g.:\n\n  setfacl -m default:group:simpsons:rwx parentdir\n\nthen creating a subdirectory crashed 9p client, as v9fs_fid_add() call in\nfunction v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL\n(since dafbe689736) even though the subsequent v9fs_set_create_acl() call\nexpects a valid non-NULL 'fid' pointer:\n\n  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  [   37.322338] Call Trace:\n  [   37.323043]  <TASK>\n  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)\n  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)\n  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)\n  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)\n  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)\n  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p\n  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p\n  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p\n  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p\n  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p\n  [   37.338590] vfs_mkdir (fs/namei.c:4313)\n  [   37.339535] do_mkdirat (fs/namei.c:4336)\n  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)\n  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by simply swapping the sequence of these two calls in\nv9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before\nv9fs_fid_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix a leak in spufs_create_context()\n\nLeak fixes back in 2008 missed one case - if we are trying to set affinity\nand spufs_mkdir() fails, we need to drop the reference to neighbor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix gang directory lifetimes\n\nprior to \"[POWERPC] spufs: Fix gang destroy leaks\" we used to have\na problem with gang lifetimes - creation of a gang returns opened\ngang directory, which normally gets removed when that gets closed,\nbut if somebody has created a context belonging to that gang and\nkept it alive until the gang got closed, removal failed and we\nended up with a leak.\n\nUnfortunately, it had been fixed the wrong way.  Dentry of gang\ndirectory was no longer pinned, and rmdir on close was gone.\nOne problem was that failure of open kept calling simple_rmdir()\nas cleanup, which meant an unbalanced dput().  Another bug was\nin the success case - gang creation incremented link count on\nroot directory, but that was no longer undone when gang got\ndestroyed.\n\nFix consists of\n\t* reverting the commit in question\n\t* adding a counter to gang, protected by ->i_rwsem\nof gang directory inode.\n\t* having it set to 1 at creation time, dropped\nin both spufs_dir_close() and spufs_gang_close() and bumped\nin spufs_create_context(), provided that it's not 0.\n\t* using simple_recursive_removal() to take the gang\ndirectory out when counter reaches zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspufs: fix a leak on spufs_new_file() failure\n\nIt's called from spufs_fill_dir(), and caller of that will do\nspufs_rmdir() in case of failure.  That does remove everything\nwe'd managed to create, but... the problem dentry is still\nnegative.  IOW, it needs to be explicitly dropped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix r_count dec/increment mismatch\n\nr_count is only increased when there is an oplock break wait,\nso r_count inc/decrement are not paired. This can cause r_count\nto become negative, which can lead to a problem where the ksmbd\nthread does not terminate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Allocate vfinfo size for VF GUIDs when supported\n\nCommit 30aad41721e0 (\"net/core: Add support for getting VF GUIDs\")\nadded support for getting VF port and node GUIDs in netlink ifinfo\nmessages, but their size was not taken into consideration in the\nfunction that allocates the netlink message, causing the following\nwarning when a netlink message is filled with many VF port and node\nGUIDs:\n # echo 64 > /sys/bus/pci/devices/0000\\:08\\:00.0/sriov_numvfs\n # ip link show dev ib0\n RTNETLINK answers: Message too long\n Cannot send link get request: Message too long\n\nKernel warning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0\n Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core\n CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:rtnl_getlink+0x586/0x5a0\n Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00\n RSP: 0018:ffff888113557348 EFLAGS: 00010246\n RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000\n RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8\n RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000\n R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00\n R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff\n FS:  00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ? __warn+0xa5/0x230\n  ? rtnl_getlink+0x586/0x5a0\n  ? report_bug+0x22d/0x240\n  ? handle_bug+0x53/0xa0\n  ? exc_invalid_op+0x14/0x50\n  ? asm_exc_invalid_op+0x16/0x20\n  ? skb_trim+0x6a/0x80\n  ? rtnl_getlink+0x586/0x5a0\n  ? __pfx_rtnl_getlink+0x10/0x10\n  ? rtnetlink_rcv_msg+0x1e5/0x860\n  ? __pfx___mutex_lock+0x10/0x10\n  ? rcu_is_watching+0x34/0x60\n  ? __pfx_lock_acquire+0x10/0x10\n  ? stack_trace_save+0x90/0xd0\n  ? filter_irq_stacks+0x1d/0x70\n  ? kasan_save_stack+0x30/0x40\n  ? kasan_save_stack+0x20/0x40\n  ? kasan_save_track+0x10/0x30\n  rtnetlink_rcv_msg+0x21c/0x860\n  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n  ? arch_stack_walk+0x9e/0xf0\n  ? rcu_is_watching+0x34/0x60\n  ? lock_acquire+0xd5/0x410\n  ? rcu_is_watching+0x34/0x60\n  netlink_rcv_skb+0xe0/0x210\n  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n  ? __pfx_netlink_rcv_skb+0x10/0x10\n  ? rcu_is_watching+0x34/0x60\n  ? __pfx___netlink_lookup+0x10/0x10\n  ? lock_release+0x62/0x200\n  ? netlink_deliver_tap+0xfd/0x290\n  ? rcu_is_watching+0x34/0x60\n  ? lock_release+0x62/0x200\n  ? netlink_deliver_tap+0x95/0x290\n  netlink_unicast+0x31f/0x480\n  ? __pfx_netlink_unicast+0x10/0x10\n  ? rcu_is_watching+0x34/0x60\n  ? lock_acquire+0xd5/0x410\n  netlink_sendmsg+0x369/0x660\n  ? lock_release+0x62/0x200\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ? import_ubuf+0xb9/0xf0\n  ? __import_iovec+0x254/0x2b0\n  ? lock_release+0x62/0x200\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ____sys_sendmsg+0x559/0x5a0\n  ? __pfx_____sys_sendmsg+0x10/0x10\n  ? __pfx_copy_msghdr_from_user+0x10/0x10\n  ? rcu_is_watching+0x34/0x60\n  ? do_read_fault+0x213/0x4a0\n  ? rcu_is_watching+0x34/0x60\n  ___sys_sendmsg+0xe4/0x150\n  ? __pfx____sys_sendmsg+0x10/0x10\n  ? do_fault+0x2cc/0x6f0\n  ? handle_pte_fault+0x2e3/0x3d0\n  ? __pfx_handle_pte_fault+0x10/0x10\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix missing shutdown check\n\nxfstests generic/730 test failed because after deleting the device\nthat still had dirty data, the file could still be read without\nreturning an error. The reason is the missing shutdown check in\n->read_iter.\n\nI also noticed that shutdown checks were missing from ->write_iter,\n->splice_read, and ->mmap. This commit adds shutdown checks to all\nof them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"smb: client: fix TCP timers deadlock after rmmod\"\n\nThis reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.\n\nCommit e9f2517a3e18 (\"smb: client: fix TCP timers deadlock after\nrmmod\") is intended to fix a null-ptr-deref in LOCKDEP, which is\nmentioned as CVE-2024-54680, but it actually did not fix anything;\nThe issue can be reproduced on top of it. [0]\n\nAlso, it reverted the change by commit ef7134c7fc48 (\"smb: client:\nFix use-after-free of network namespace.\") and introduced a real\nissue by reviving the kernel TCP socket.\n\nWhen a reconnect happens for a CIFS connection, the socket state\ntransitions to FIN_WAIT_1.  Then, inet_csk_clear_xmit_timers_sync()\nin tcp_close() stops all timers for the socket.\n\nIf an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1\nforever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.\n\nUsually, FIN can be retransmitted by the peer, but if the peer aborts\nthe connection, the issue comes into reality.\n\nI warned about this privately by pointing out the exact report [1],\nbut the bogus fix was finally merged.\n\nSo, we should not stop the timers to finally kill the connection on\nour side in that case, meaning we must not use a kernel socket for\nTCP whose sk->sk_net_refcnt is 0.\n\nThe kernel socket does not have a reference to its netns to make it\npossible to tear down netns without cleaning up every resource in it.\n\nFor example, tunnel devices use a UDP socket internally, but we can\ndestroy netns without removing such devices and let it complete\nduring exit.  Otherwise, netns would be leaked when the last application\ndied.\n\nHowever, this is problematic for TCP sockets because TCP has timers to\nclose the connection gracefully even after the socket is close()d.  The\nlifetime of the socket and its netns is different from the lifetime of\nthe underlying connection.\n\nIf the socket user does not maintain the netns lifetime, the timer could\nbe fired after the socket is close()d and its netns is freed up, resulting\nin use-after-free.\n\nActually, we have seen so many similar issues and converted such sockets\nto have a reference to netns.\n\nThat's why I converted the CIFS client socket to have a reference to\nnetns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope\nof CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right\nfix**.\n\nRegarding the LOCKDEP issue, we can prevent the module unload by\nbumping the module refcount when switching the LOCKDEP key in\nsock_lock_init_class_and_name(). [2]\n\nFor a while, let's revert the bogus fix.\n\nNote that now we can use sk_net_refcnt_upgrade() for the socket\nconversion, but I'll do so later separately to make backport easy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_arm: Fix possible NPR of keep-alive thread\n\nIn case vchiq_platform_conn_state_changed() is never called or fails before\ndriver removal, ka_thread won't be a valid pointer to a task_struct. So\ndo the necessary checks before calling kthread_stop to avoid a crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate l_tree_depth to avoid out-of-bounds access\n\nThe l_tree_depth field is 16-bit (__le16), but the actual maximum depth is\nlimited to OCFS2_MAX_PATH_DEPTH.\n\nAdd a check to prevent out-of-bounds access if l_tree_depth has an invalid\nvalue, which may occur when reading from a corrupted mounted disk [1].",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Prevent integer overflow in hdr_first_de()\n\nThe \"de_off\" and \"used\" variables come from the disk so they both need to\nbe checked.  The problem is that on 32bit systems if they're both greater than\nUINT_MAX - 16 then the check does work as intended because of an integer\noverflow.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix a couple integer overflows on 32bit systems\n\nOn 32bit systems the \"off + sizeof(struct NTFS_DE)\" addition can\nhave an integer wrapping issue.  Fix it by using size_add().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: backend: make sure to NULL terminate stack buffer\n\nMake sure to NULL terminate the buffer in\niio_backend_debugfs_write_reg() before passing it to sscanf(). It is a\nstack variable so we should not assume it will be 0-initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint\n\nIf vhost_scsi_set_endpoint is called multiple times without a\nvhost_scsi_clear_endpoint between them, we can hit multiple bugs\nfound by Haoran Zhang:\n\n1. Use-after-free when no tpgs are found:\n\nThis fixes a use after free that occurs when vhost_scsi_set_endpoint is\ncalled more than once and calls after the first call do not find any\ntpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds\ntpgs to add to the vs_tpg array match=true, so we will do:\n\nvhost_vq_set_backend(vq, vs_tpg);\n...\n\nkfree(vs->vs_tpg);\nvs->vs_tpg = vs_tpg;\n\nIf vhost_scsi_set_endpoint is called again and no tpgs are found\nmatch=false so we skip the vhost_vq_set_backend call leaving the\npointer to the vs_tpg we then free via:\n\nkfree(vs->vs_tpg);\nvs->vs_tpg = vs_tpg;\n\nIf a scsi request is then sent we do:\n\nvhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend\n\nwhich sees the vs_tpg we just did a kfree on.\n\n2. Tpg dir removal hang:\n\nThis patch fixes an issue where we cannot remove a LIO/target layer\ntpg (and structs above it like the target) dir due to the refcount\ndropping to -1.\n\nThe problem is that if vhost_scsi_set_endpoint detects a tpg is already\nin the vs->vs_tpg array or if the tpg has been removed so\ntarget_depend_item fails, the undepend goto handler will do\ntarget_undepend_item on all tpgs in the vs_tpg array dropping their\nrefcount to 0. At this time vs_tpg contains both the tpgs we have added\nin the current vhost_scsi_set_endpoint call as well as tpgs we added in\nprevious calls which are also in vs->vs_tpg.\n\nLater, when vhost_scsi_clear_endpoint runs it will do\ntarget_undepend_item on all the tpgs in the vs->vs_tpg which will drop\ntheir refcount to -1. Userspace will then not be able to remove the tpg\nand will hang when it tries to do rmdir on the tpg dir.\n\n3. Tpg leak:\n\nThis fixes a bug where we can leak tpgs and cause them to be\nun-removable because the target name is overwritten when\nvhost_scsi_set_endpoint is called multiple times but with different\ntarget names.\n\nThe bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup\na vhost-scsi device to target/tpg mapping, then calls\nVHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we\nhaven't seen before (target1 has tpg1 but target2 has tpg2). When this\nhappens we don't teardown the old target tpg mapping and just overwrite\nthe target name and the vs->vs_tpg array. Later when we do\nvhost_scsi_clear_endpoint, we are passed in either target1 or target2's\nname and we will only match that target's tpgs when we loop over the\nvs->vs_tpg. We will then return from the function without doing\ntarget_undepend_item on the tpgs.\n\nBecause of all these bugs, it looks like being able to call\nvhost_scsi_set_endpoint multiple times was never supported. The major\nuser, QEMU, already has checks to prevent this use case. So to fix the\nissues, this patch prevents vhost_scsi_set_endpoint from being called\nif it's already successfully added tpgs. To add, remove or change the\ntpg config or target name, you must do a vhost_scsi_clear_endpoint\nfirst.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: fix NULL pointer dereference in probe\n\nThe w1_uart_probe() function calls w1_uart_serdev_open() (which includes\ndevm_serdev_device_open()) before setting the client ops via\nserdev_device_set_client_ops(). This ordering can trigger a NULL pointer\ndereference in the serdev controller's receive_buf handler, as it assumes\nserdev->ops is valid when SERPORT_ACTIVE is set.\n\nThis is similar to the issue fixed in commit 5e700b384ec1\n(\"platform/chrome: cros_ec_uart: properly fix race condition\") where\ndevm_serdev_device_open() was called before fully initializing the\ndevice.\n\nFix the race by ensuring client ops are set before enabling the port via\nw1_uart_serdev_open().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix use-after-free when rename device name\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099\nRead of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025\n\nCPU: 0 UID: 0 PID: 10025 Comm: syz.0.988\nNot tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x16e/0x5b0 mm/kasan/report.c:521\n kasan_report+0x143/0x180 mm/kasan/report.c:634\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n nla_put+0xd3/0x150 lib/nlattr.c:1099\n nla_put_string include/net/netlink.h:1621 [inline]\n fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265\n rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857\n ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344\n ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460\n rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\n rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\n nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:709 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:724\n ____sys_sendmsg+0x53a/0x860 net/socket.c:2564\n ___sys_sendmsg net/socket.c:2618 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2650\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f42d1b8d169\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...\nRSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169\nRDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c\nRBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8\n </TASK>\n\nAllocated by task 10025:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313\n __kmemdup_nul mm/util.c:61 [inline]\n kstrdup+0x42/0x100 mm/util.c:81\n kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274\n dev_set_name+0xd5/0x120 drivers/base/core.c:3468\n assign_name drivers/infiniband/core/device.c:1202 [inline]\n ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384\n rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\n rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\n nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8de/0xcb0 net\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow\n\nWhen cur_qp isn't NULL, in order to avoid fetching the QP from\nthe radix tree again we check if the next cqe QP is identical to\nthe one we already have.\n\nThe bug however is that we are checking if the QP is identical by\nchecking the QP number inside the CQE against the QP number inside the\nmlx5_ib_qp, but that's wrong since the QP number from the CQE is from\nFW so it should be matched against mlx5_core_qp which is our FW QP\nnumber.\n\nOtherwise we could use the wrong QP when handling a CQE which could\ncause the kernel trace below.\n\nThis issue is mainly noticeable over QPs 0 & 1, since for now they are\nthe only QPs in our driver whereas the QP number inside mlx5_ib_qp\ndoesn't match the QP number inside mlx5_core_qp.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21\n RSP: 0018:ffff88810511bd60 EFLAGS: 00010046\n RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a\n RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000\n R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0\n FS:  0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0\n Call Trace:\n  <TASK>\n  ? __die+0x20/0x60\n  ? page_fault_oops+0x150/0x3e0\n  ? exc_page_fault+0x74/0x130\n  ? asm_exc_page_fault+0x22/0x30\n  ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n  __ib_process_cq+0x5a/0x150 [ib_core]\n  ib_cq_poll_work+0x31/0x90 [ib_core]\n  process_one_work+0x169/0x320\n  worker_thread+0x288/0x3a0\n  ? work_busy+0xb0/0xb0\n  kthread+0xd7/0x1f0\n  ? kthreads_online_cpu+0x130/0x130\n  ? kthreads_online_cpu+0x130/0x130\n  ret_from_fork+0x2d/0x50\n  ? kthreads_online_cpu+0x130/0x130\n  ret_from_fork_asm+0x11/0x20\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/erdma: Prevent use-after-free in erdma_accept_newconn()\n\nAfter the erdma_cep_put(new_cep) being called, new_cep will be freed,\nand the following dereference will cause a UAF problem. Fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Don't expose hw_counters outside of init net namespace\n\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn't expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S      W I        XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS:  00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756]  <TASK>\n[42021.953842]  [<ffffffff86c58674>] ? show_regs+0x64/0x70\n[42021.959030]  [<ffffffff86c58468>] ? __die+0x78/0xc0\n[42021.963874]  [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749]  [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549]  [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30\n[42021.981517]  [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482]  [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438]  [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50\n[42022.000803]  [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508]  [<ffffffff86a11134>] seq_read_iter+0xf4/0x410\n[42022.011954]  [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0\n[42022.017058]  [<ffffffff869f50ee>] ksys_read+0x6e/0xe0\n[42022.022073]  [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0\n[42022.027441]  [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe problem can be reproduced using the following steps:\n  ip netns add foo\n  ip netns exec foo bash\n  cat /sys/class/infiniband/mlx4_0/hw_counters/*\n\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\n\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\n\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\n\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\n  find /sys/class/infiniband/mlx4_0/ -name hw_counters\n    /sys/class/infiniband/mlx4_0/ports/1/hw_counters\n    /sys/class/infiniband/mlx4_0/ports/2/hw_counters\n    /sys/class/infiniband/mlx4_0/hw_counters\n\n  ip netns add foo\n  ip netns exec foo bash\n  find /sys/class/infiniband/mlx4_0/ -name hw_counters",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()\n\nIf track_pfn_copy() fails, we already added the dst VMA to the maple\ntree. As fork() fails, we'll cleanup the maple tree, and stumble over\nthe dst VMA for which we neither performed any reservation nor copied\nany page tables.\n\nConsequently untrack_pfn() will see VM_PAT and try obtaining the\nPAT information from the page table -- which fails because the page\ntable was not copied.\n\nThe easiest fix would be to simply clear the VM_PAT flag of the dst VMA\nif track_pfn_copy() fails. However, the whole thing is about \"simply\"\nclearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()\nand performed a reservation, but copying the page tables fails, we'll\nsimply clear the VM_PAT flag, not properly undoing the reservation ...\nwhich is also wrong.\n\nSo let's fix it properly: set the VM_PAT flag only if the reservation\nsucceeded (leaving it clear initially), and undo the reservation if\nanything goes wrong while copying the page tables: clearing the VM_PAT\nflag after undoing the reservation.\n\nNote that any copied page table entries will get zapped when the VMA will\nget removed later, after copy_page_range() succeeded; as VM_PAT is not set\nthen, we won't try cleaning VM_PAT up once more and untrack_pfn() will be\nhappy. Note that leaving these page tables in place without a reservation\nis not a problem, as we are aborting fork(); this process will never run.\n\nA reproducer can trigger this usually at the first try:\n\n  https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c\n\n  WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110\n  Modules linked in: ...\n  CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:get_pat_info+0xf6/0x110\n  ...\n  Call Trace:\n   <TASK>\n   ...\n   untrack_pfn+0x52/0x110\n   unmap_single_vma+0xa6/0xe0\n   unmap_vmas+0x105/0x1f0\n   exit_mmap+0xf6/0x460\n   __mmput+0x4b/0x120\n   copy_process+0x1bf6/0x2aa0\n   kernel_clone+0xab/0x440\n   __do_sys_clone+0x66/0x90\n   do_syscall_64+0x95/0x180\n\nLikely this case was missed in:\n\n  d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\")\n\n... and instead of undoing the reservation we simply cleared the VM_PAT flag.\n\nKeep the documentation of these functions in include/linux/pgtable.h,\none place is more than sufficient -- we should clean that up for the other\nfunctions like track_pfn_remap/untrack_pfn separately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix page_size variable overflow\n\nChange all variables storing mlx5_umem_mkc_find_best_pgsz() result to\nunsigned long to support values larger than 31 and avoid overflow.\n\nFor example: If we try to register 4GB of memory that is contiguous in\nphysical memory, the driver will optimize the page_size and try to use\nan mkey with 4GB entity size. The 'unsigned int' page_size variable will\noverflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr().\n\nWARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib]\nModules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core]\nCPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G        W          6.14.0-rc4-dirty #43\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib]\nCode: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 <0f> 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41\nRSP: 0018:ffffc900006ffac8 EFLAGS: 00010246\nRAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001\nRDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600\nRBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000\nR10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240\nR13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00\nFS:  00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x81/0x130\n ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]\n ? report_bug+0xfc/0x1e0\n ? handle_bug+0x55/0x90\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]\n create_real_mr+0x54/0x150 [mlx5_ib]\n ib_uverbs_reg_mr+0x17f/0x2a0 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xca/0x140 [ib_uverbs]\n ib_uverbs_run_method+0x6d0/0x780 [ib_uverbs]\n ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x19b/0x360 [ib_uverbs]\n ? walk_system_ram_range+0x79/0xd0\n ? ___pte_offset_map+0x1b/0x110\n ? __pte_offset_map_lock+0x80/0x100\n ib_uverbs_ioctl+0xac/0x110 [ib_uverbs]\n __x64_sys_ioctl+0x94/0xb0\n do_syscall_64+0x50/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fb7ecf0737b\nCode: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 00007fb7ecf0737b\nRDX: 00007ffdbe03eda0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffdbe03ed80 R08: 00007fb7ecc84010 R09: 00007ffdbe03eed4\nR10: 0000000000000009 R11: 0000000000000246 R12: 00007ffdbe03eed4\nR13: 000000000000000c R14: 000000000000000c R15: 00007fb7ecc84150\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix NULL dereference in SR-IOV VF creation error path\n\nClean up when virtfn setup fails to prevent NULL pointer dereference\nduring device removal. The kernel oops below occurred due to incorrect\nerror handling flow when pci_setup_device() fails.\n\nAdd pci_iov_scan_device(), which handles virtfn allocation and setup and\ncleans up if pci_setup_device() fails, so pci_iov_add_virtfn() doesn't need\nto call pci_stop_and_remove_bus_device().  This prevents accessing\npartially initialized virtfn devices during removal.\n\n  BUG: kernel NULL pointer dereference, address: 00000000000000d0\n  RIP: 0010:device_del+0x3d/0x3d0\n  Call Trace:\n   pci_remove_bus_device+0x7c/0x100\n   pci_iov_add_virtfn+0xfa/0x200\n   sriov_enable+0x208/0x420\n   mlx5_core_sriov_configure+0x6a/0x160 [mlx5_core]\n   sriov_numvfs_store+0xae/0x1a0\n\n[bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: avoid NPD when ASIC does not support DMUB\n\nctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is\ntested in dm_dmub_sw_init.\n\nHowever, it will be dereferenced in dmub_hw_lock_mgr_cmd if\nshould_use_dmub_lock returns true.\n\nThis has been the case since dmub support has been added for PSR1.\n\nFix this by checking for dmub_srv in should_use_dmub_lock.\n\n[   37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[   37.447808] #PF: supervisor read access in kernel mode\n[   37.452959] #PF: error_code(0x0000) - not-present page\n[   37.458112] PGD 0 P4D 0\n[   37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88\n[   37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023\n[   37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5\n[   37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202\n[   37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358\n[   37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000\n[   37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5\n[   37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000\n[   37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000\n[   37.551725] FS:  0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000\n[   37.559814] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0\n[   37.572697] Call Trace:\n[   37.575152]  <TASK>\n[   37.577258]  ? __die_body+0x66/0xb0\n[   37.580756]  ? page_fault_oops+0x3e7/0x4a0\n[   37.584861]  ? exc_page_fault+0x3e/0xe0\n[   37.588706]  ? exc_page_fault+0x5c/0xe0\n[   37.592550]  ? asm_exc_page_fault+0x22/0x30\n[   37.596742]  ? dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.601107]  dcn10_cursor_lock+0x1e1/0x240\n[   37.605211]  program_cursor_attributes+0x81/0x190\n[   37.609923]  commit_planes_for_stream+0x998/0x1ef0\n[   37.614722]  update_planes_and_stream_v2+0x41e/0x5c0\n[   37.619703]  dc_update_planes_and_stream+0x78/0x140\n[   37.624588]  amdgpu_dm_atomic_commit_tail+0x4362/0x49f0\n[   37.629832]  ? srso_return_thunk+0x5/0x5f\n[   37.633847]  ? mark_held_locks+0x6d/0xd0\n[   37.637774]  ? _raw_spin_unlock_irq+0x24/0x50\n[   37.642135]  ? srso_return_thunk+0x5/0x5f\n[   37.646148]  ? lockdep_hardirqs_on+0x95/0x150\n[   37.650510]  ? srso_return_thunk+0x5/0x5f\n[   37.654522]  ? _raw_spin_unlock_irq+0x2f/0x50\n[   37.658883]  ? srso_return_thunk+0x5/0x5f\n[   37.662897]  ? wait_for_common+0x186/0x1c0\n[   37.666998]  ? srso_return_thunk+0x5/0x5f\n[   37.671009]  ? drm_crtc_next_vblank_start+0xc3/0x170\n[   37.675983]  commit_tail+0xf5/0x1c0\n[   37.679478]  drm_atomic_helper_commit+0x2a2/0x2b0\n[   37.684186]  drm_atomic_commit+0xd6/0x100\n[   37.688199]  ? __cfi___drm_printfn_info+0x10/0x10\n[   37.692911]  drm_atomic_helper_update_plane+0xe5/0x130\n[   37.698054]  drm_mode_cursor_common+0x501/0x670\n[   37.702600]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.707572]  drm_mode_cursor_ioctl+0x48/0x70\n[   37.711851]  drm_ioctl_kernel+0xf2/0x150\n[   37.715781]  drm_ioctl+0x363/0x590\n[   37.719189]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.724165]  amdgpu_drm_ioctl+0x41/0x80\n[   37.728013]  __se_sys_ioctl+0x7f/0xd0\n[   37.731685]  do_syscall_64+0x87/0x100\n[   37.735355]  ? vma_end_read+0x12/0xe0\n[   37.739024]  ? srso_return_thunk+0x5/0x5f\n[   37.743041]  ? find_held_lock+0x47/0xf0\n[   37.746884]  ? vma_end_read+0x12/0xe0\n[   37.750552]  ? srso_return_thunk+0x5/0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/perf: Fix ref-counting on the PMU 'vpa_pmu'\n\nCommit 176cda0619b6 (\"powerpc/perf: Add perf interface to expose vpa\ncounters\") introduced 'vpa_pmu' to expose Book3s-HV nested APIv2 provided\nL1<->L2 context switch latency counters to L1 user-space via\nperf-events. However the newly introduced PMU named 'vpa_pmu' doesn't\nassign ownership of the PMU to the module 'vpa_pmu'. Consequently the\nmodule 'vpa_pmu' can be unloaded while one of the perf-events are still\nactive, which can lead to kernel oops and panic of the form below on a\nPseries-LPAR:\n\nBUG: Kernel NULL pointer dereference on read at 0x00000058\n<snip>\n NIP [c000000000506cb8] event_sched_out+0x40/0x258\n LR [c00000000050e8a4] __perf_remove_from_context+0x7c/0x2b0\n Call Trace:\n [c00000025fc3fc30] [c00000025f8457a8] 0xc00000025f8457a8 (unreliable)\n [c00000025fc3fc80] [fffffffffffffee0] 0xfffffffffffffee0\n [c00000025fc3fcd0] [c000000000501e70] event_function+0xa8/0x120\n<snip>\n Kernel panic - not syncing: Aiee, killing interrupt handler!\n\nFix this by adding the module ownership to 'vpa_pmu' so that the module\n'vpa_pmu' is ref-counted and prevented from being unloaded when perf-events\nare initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: brcmstb: Fix error path after a call to regulator_bulk_get()\n\nIf the regulator_bulk_get() returns an error and no regulators\nare created, we need to set their number to zero.\n\nIf we don't do this and the PCIe link up fails, a call to the\nregulator_bulk_free() will result in a kernel panic.\n\nWhile at it, print the error value, as we cannot return an error\nupwards as the kernel will WARN() on an error from add_bus().\n\n[kwilczynski: commit log, use comma in the message to match style with\nother similar messages]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gem: Fix error code msm_parse_deps()\n\nThe SUBMIT_ERROR() macro turns the error code negative.  This extra '-'\noperation turns it back to positive EINVAL again.  The error code is\npassed to ERR_PTR() and since positive values are not an IS_ERR() it\neventually will lead to an oops.  Delete the '-'.\n\nPatchwork: https://patchwork.freedesktop.org/patch/637625/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dp: Fix a deadlock in zynqmp_dp_ignore_hpd_set()\n\nInstead of attempting the same mutex twice, lock and unlock it.\n\nThis bug has been detected by the Clang thread-safety analyzer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: xlnx: zynqmp_dpsub: Add NULL check in zynqmp_audio_init\n\ndevm_kasprintf() calls can return null pointers on failure.\nBut some return values were not checked in zynqmp_audio_init().\n\nAdd NULL check in zynqmp_audio_init(), avoid referencing null\npointers in the subsequent code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix race condition when gathering fdinfo group samples\n\nCommit e16635d88fa0 (\"drm/panthor: add DRM fdinfo support\") failed to\nprotect access to groups with an xarray lock, which could lead to\nuse-after-free errors.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: fix Tx L4 checksum\n\nThe hardware only supports L4 checksum offload for TCP/UDP/SCTP protocol.\nThere was a bug to set Tx checksum flag for the other protocol that results\nin Tx ring hang. Fix to compute software checksum for these packets.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix kernel panic during FW release\n\nThis fixes a kernel panic seen during release FW in a stress test\nscenario where WLAN and BT FW download occurs simultaneously, and due to\na HW bug, chip sends out only 1 bootloader signature.\n\nWhen driver receives the bootloader signature, it enters FW download\nmode, but since no consecutive bootloader signatures are seen, FW file is\nnot requested.\n\nAfter 60 seconds, when FW download times out, release_firmware causes a\nkernel panic.\n\n[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573\n[ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000\n[ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000\n[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP\n[ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev\n[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G         C O       6.6.23-lts-next-06236-gb586a521770e #1\n[ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)\n[ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2602.010191] pc : _raw_spin_lock+0x34/0x68\n[ 2602.010201] lr : free_fw_priv+0x20/0xfc\n[ 2602.020561] sp : ffff800089363b30\n[ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000\n[ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000\n[ 2602.020577] x23: ffff0000dc856f38\n[ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000\n[ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000\n[ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480\n[ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002\n[ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30\n[ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000\n[ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001\n[ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573\n[ 2602.083354] Call trace:\n[ 2602.083356]  _raw_spin_lock+0x34/0x68\n[ 2602.083364]  release_firmware+0x48/0x6c\n[ 2602.083370]  nxp_setup+0x3c4/0x540 [btnxpuart]\n[ 2602.083383]  hci_dev_open_sync+0xf0/0xa34\n[ 2602.083391]  hci_dev_open+0xd8/0x178\n[ 2602.083399]  hci_sock_ioctl+0x3b0/0x590\n[ 2602.083405]  sock_do_ioctl+0x60/0x118\n[ 2602.083413]  sock_ioctl+0x2f4/0x374\n[ 2602.091430]  __arm64_sys_ioctl+0xac/0xf0\n[ 2602.091437]  invoke_syscall+0x48/0x110\n[ 2602.091445]  el0_svc_common.constprop.0+0xc0/0xe0\n[ 2602.091452]  do_el0_svc+0x1c/0x28\n[ 2602.091457]  el0_svc+0x40/0xe4\n[ 2602.091465]  el0t_64_sync_handler+0x120/0x12c\n[ 2602.091470]  el0t_64_sync+0x190/0x194",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer dereference in l3mdev_l3_rcv\n\nWhen deleting an l3s ipvlan:\n\n    ip link del link eth0 ipvlan1 type ipvlan mode l3s\n\nThis may cause a null pointer dereference:\n\n    Call trace:\n     ip_rcv_finish+0x48/0xd0\n     ip_rcv+0x5c/0x100\n     __netif_receive_skb_one_core+0x64/0xb0\n     __netif_receive_skb+0x20/0x80\n     process_backlog+0xb4/0x204\n     napi_poll+0xe8/0x294\n     net_rx_action+0xd8/0x22c\n     __do_softirq+0x12c/0x354\n\nThis is because l3mdev_l3_rcv() visits dev->l3mdev_ops after\nipvlan_l3s_unregister() assigns the dev->l3mdev_ops to NULL. The process\nis like this:\n\n    (CPU1)                     | (CPU2)\n    l3mdev_l3_rcv()            |\n      check dev->priv_flags:   |\n        master = skb->dev;     |\n                               |\n                               | ipvlan_l3s_unregister()\n                               |   set dev->priv_flags\n                               |   dev->l3mdev_ops = NULL;\n                               |\n      visit master->l3mdev_ops |\n\nTo avoid this, do not set dev->l3mdev_ops when unregistering the l3s ipvlan.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Use kernel helpers for hex dumps\n\nPreviously, when the driver was printing hex dumps, the buffer was cast\nto an 8 byte long and printed using string formatters. If the buffer\nsize was not a multiple of 8 then a read buffer overflow was possible.\n\nTherefore, create a new ibmvnic function that loops over a buffer and\ncalls hex_dump_to_buffer instead.\n\nThis patch addresses KASAN reports like the one below:\n  ibmvnic 30000003 env3: Login Buffer:\n  ibmvnic 30000003 env3: 01000000af000000\n  <...>\n  ibmvnic 30000003 env3: 2e6d62692e736261\n  ibmvnic 30000003 env3: 65050003006d6f63\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]\n  Read of size 8 at addr c0000001331a9aa8 by task ip/17681\n  <...>\n  Allocated by task 17681:\n  <...>\n  ibmvnic_login+0x2f0/0xffc [ibmvnic]\n  ibmvnic_open+0x148/0x308 [ibmvnic]\n  __dev_open+0x1ac/0x304\n  <...>\n  The buggy address is located 168 bytes inside of\n                allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)\n  <...>\n  =================================================================\n  ibmvnic 30000003 env3: 000000000033766e",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: check xdp prog when set bond mode\n\nFollowing operations can trigger a warning[1]:\n\n    ip netns add ns1\n    ip netns exec ns1 ip link add bond0 type bond mode balance-rr\n    ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp\n    ip netns exec ns1 ip link set bond0 type bond mode broadcast\n    ip netns del ns1\n\nWhen deleting the namespace, dev_xdp_uninstall() is called to remove xdp\nprogram on bond dev, and bond_xdp_set() will check the bond mode. If bond\nmode is changed after attaching xdp program, the warning may occur.\n\nSome bond modes (broadcast, etc.) do not support native xdp. Setting bond mode\nwith an xdp program attached is not good. Add check for xdp program when setting\nbond mode.\n\n    [1]\n    ------------[ cut here ]------------\n    WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n    Workqueue: netns cleanup_net\n    RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930\n    Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...\n    RSP: 0018:ffffc90000063d80 EFLAGS: 00000282\n    RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff\n    RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48\n    RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb\n    R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8\n    R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000\n    FS:  0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0\n    Call Trace:\n     <TASK>\n     ? __warn+0x83/0x130\n     ? unregister_netdevice_many_notify+0x8d9/0x930\n     ? report_bug+0x18e/0x1a0\n     ? handle_bug+0x54/0x90\n     ? exc_invalid_op+0x18/0x70\n     ? asm_exc_invalid_op+0x1a/0x20\n     ? unregister_netdevice_many_notify+0x8d9/0x930\n     ? bond_net_exit_batch_rtnl+0x5c/0x90\n     cleanup_net+0x237/0x3d0\n     process_one_work+0x163/0x390\n     worker_thread+0x293/0x3b0\n     ? __pfx_worker_thread+0x10/0x10\n     kthread+0xec/0x1e0\n     ? __pfx_kthread+0x10/0x10\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork+0x2f/0x50\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork_asm+0x1a/0x30\n     </TASK>\n    ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: unregister xdp rxq info in the reset path\n\nvmxnet3 does not unregister xdp rxq info in the\nvmxnet3_reset_work() code path as vmxnet3_rq_destroy()\nis not invoked in this code path. So, we get below message with a\nbacktrace.\n\nMissing unregister, handled but fix driver\nWARNING: CPU:48 PID: 500 at net/core/xdp.c:182\n__xdp_rxq_info_reg+0x93/0xf0\n\nThis patch fixes the problem by moving the unregister\ncode of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn't require the memmove of elements\n  [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n  element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Mask the bd_cnt field in the TX BD properly\n\nThe bd_cnt field in the TX BD specifies the total number of BDs for\nthe TX packet.  The bd_cnt field has 5 bits and the maximum number\nsupported is 32 with the value 0.\n\nCONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB\nfragments can approach or exceed the maximum supported by the chip.\nAdd a macro to properly mask the bd_cnt field so that the value 32\nwill be properly masked and set to 0 in the bd_cnt field.\n\nWithout this patch, the out-of-range bd_cnt value will corrupt the\nTX BD and may cause TX timeout.\n\nThe next patch will check for values exceeding 32.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Remove broken autobind\n\nBinding an AX25 socket by using the autobind feature leads to memory leaks\nin ax25_connect() and also refcount leaks in ax25_release(). Memory\nleak was detected with kmemleak:\n\n================================================================\nunreferenced object 0xffff8880253cd680 (size 96):\nbacktrace:\n__kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)\nkmemdup_noprof (mm/util.c:136)\nax25_rt_autobind (net/ax25/ax25_route.c:428)\nax25_connect (net/ax25/af_ax25.c:1282)\n__sys_connect_file (net/socket.c:2045)\n__sys_connect (net/socket.c:2064)\n__x64_sys_connect (net/socket.c:2067)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n================================================================\n\nWhen a socket is bound, refcounts must be incremented the way it is done\nin ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of\nautobind, the refcounts are not incremented.\n\nThis bug leads to the following issue reported by Syzkaller:\n\n================================================================\nax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de\n------------[ cut here ]------------\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\nModules linked in:\nCPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\n...\nCall Trace:\n <TASK>\n __refcount_dec include/linux/refcount.h:336 [inline]\n refcount_dec include/linux/refcount.h:351 [inline]\n ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236\n netdev_tracker_free include/linux/netdevice.h:4302 [inline]\n netdev_put include/linux/netdevice.h:4319 [inline]\n ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080\n __sock_release net/socket.c:647 [inline]\n sock_close+0xbc/0x240 net/socket.c:1398\n __fput+0x3e9/0x9f0 fs/file_table.c:464\n __do_sys_close fs/open.c:1580 [inline]\n __se_sys_close fs/open.c:1565 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1565\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n ...\n </TASK>\n================================================================\n\nConsidering the issues above and the comments left in the code that say:\n\"check if we can remove this feature. It is broken.\"; \"autobinding in this\nmay or may not work\"; - it is better to completely remove this feature than\nto fix it because it is broken and leads to various kinds of memory bugs.\n\nNow calling connect() without first binding the socket will result in an\nerror (-EINVAL). Userspace software that relies on the autobind feature\nmight get broken. However, this feature does not seem widely used with\nthis specific driver as it was not reliable at any point of time, and it\nis already broken anyway. E.g. ax25-tools and ax25-apps packages for\npopular distributions do not use the autobind feature for AF_AX25.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error\n\nIt is possible that ctx in nfqnl_build_packet_message() could be used\nbefore it is properly initialized, which is only initialized\nby nfqnl_get_sk_secctx().\n\nThis patch corrects this problem by initializing the lsmctx to a safe\nvalue when it is declared.\n\nThis is similar to the commit 35fcac7a7c25\n(\"audit: Initialize lsmctx to avoid memory allocation error\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet's say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device's refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device.  Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n  Thread A (SIOCBRDELIF)           Thread B (SIOCBRDELBR)\n  ----------------------           ----------------------\n  sock_ioctl                       sock_ioctl\n  `- sock_do_ioctl                 `- br_ioctl_call\n     `- dev_ioctl                     `- br_ioctl_stub\n        |- rtnl_lock                     |\n        |- dev_ifsioc                    '\n        '  |- dev = __dev_get_by_name(...)\n           |- netdev_hold(dev, ...)      .\n       /   |- rtnl_unlock  ------.       |\n       |   |- br_ioctl_call       `--->  |- rtnl_lock\n  Race |   |  `- br_ioctl_stub           |- br_del_bridge\n  Window   |     |                       |  |- dev = __dev_get_by_name(...)\n       |   |     |  May take long        |  `- br_dev_delete(dev, ...)\n       |   |     |  under RTNL pressure  |     `- unregister_netdevice_queue(dev, ...)\n       |   |     |               |       `- rtnl_unlock\n       \\   |     |- rtnl_lock  <-'          `- netdev_run_todo\n           |     |- ...                        `- netdev_run_todo\n           |     `- rtnl_unlock                   |- __rtnl_unlock\n           |                                      |- netdev_wait_allrefs_any\n           |- netdev_put(dev, ...)  <----------------'\n                                                Wait refcnt decrement\n                                                and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let's not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n  1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n  2. Check CAP_NET_ADMIN in dev_ioctl()\n  3. Call dev_load() in dev_ioctl()\n  4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it's better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n     __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n     netdev_hold include/linux/netdevice.h:4311 [inline]\n     dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n     dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n     sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n     sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:906 [inline]\n     __se_sys_ioctl fs/ioctl.c:892 [inline]\n     __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n     do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n     do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix out-of-range access of vnic_info array\n\nThe bnxt_queue_{start | stop}() access vnic_info as much as allocated,\nwhich indicates bp->nr_vnics.\nSo, it should not reach bp->vnic_info[bp->nr_vnics].",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid journaling sb update on error if journal is destroying\n\nPresently we always BUG_ON if trying to start a transaction on a journal marked\nwith JBD2_UNMOUNT, since this should never happen. However, while ltp was running\nstress tests, it was observed that in case of some error handling paths, it is\npossible for update_super_work to start a transaction after the journal is\ndestroyed eg:\n\n(umount)\next4_kill_sb\n  kill_block_super\n    generic_shutdown_super\n      sync_filesystem /* commits all txns */\n      evict_inodes\n        /* might start a new txn */\n      ext4_put_super\n\tflush_work(&sbi->s_sb_upd_work) /* flush the workqueue */\n        jbd2_journal_destroy\n          journal_kill_thread\n            journal->j_flags |= JBD2_UNMOUNT;\n          jbd2_journal_commit_transaction\n            jbd2_journal_get_descriptor_buffer\n              jbd2_journal_bmap\n                ext4_journal_bmap\n                  ext4_map_blocks\n                    ...\n                    ext4_inode_error\n                      ext4_handle_error\n                        schedule_work(&sbi->s_sb_upd_work)\n\n                                               /* work queue kicks in */\n                                               update_super_work\n                                                 jbd2_journal_start\n                                                   start_this_handle\n                                                     BUG_ON(journal->j_flags &\n                                                            JBD2_UNMOUNT)\n\nHence, introduce a new mount flag to indicate journal is destroying and only do\na journaled (and deferred) update of sb if this flag is not set. Otherwise, just\nfallback to an un-journaled commit.\n\nFurther, in the journal destroy path, we have the following sequence:\n\n  1. Set mount flag indicating journal is destroying\n  2. force a commit and wait for it\n  3. flush pending sb updates\n\nThis sequence is important as it ensures that, after this point, there is no sb\nupdate that might be journaled so it is safe to update the sb outside the\njournal. (To avoid race discussed in 2d01ddc86606)\n\nAlso, we don't need a similar check in ext4_grp_locked_error since it is only\ncalled from mballoc and AFAICT it would be always valid to schedule work here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't clobber ret in btrfs_validate_super()\n\nCommit 2a9bb78cfd36 (\"btrfs: validate system chunk array at\nbtrfs_validate_super()\") introduces a call to validate_sys_chunk_array()\nin btrfs_validate_super(), which clobbers the value of ret set earlier.\nThis has the effect of negating the validity checks done earlier, making\nit so btrfs could potentially try to mount invalid filesystems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block group refcount race in btrfs_create_pending_block_groups()\n\nBlock group creation is done in two phases, which results in a slightly\nunintuitive property: a block group can be allocated/deallocated from\nafter btrfs_make_block_group() adds it to the space_info with\nbtrfs_add_bg_to_space_info(), but before creation is completely completed\nin btrfs_create_pending_block_groups(). As a result, it is possible for a\nblock group to go unused and have 'btrfs_mark_bg_unused' called on it\nconcurrently with 'btrfs_create_pending_block_groups'. This causes a\nnumber of issues, which were fixed with the block group flag\n'BLOCK_GROUP_FLAG_NEW'.\n\nHowever, this fix is not quite complete. Since it does not use the\nunused_bg_lock, it is possible for the following race to occur:\n\nbtrfs_create_pending_block_groups            btrfs_mark_bg_unused\n                                           if list_empty // false\n        list_del_init\n        clear_bit\n                                           else if (test_bit) // true\n                                                list_move_tail\n\nAnd we get into the exact same broken ref count and invalid new_bgs\nstate for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to\nprevent.\n\nThe broken refcount aspect will result in a warning like:\n\n  [1272.943527] refcount_t: underflow; use-after-free.\n  [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n  [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]\n  [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G        W          6.14.0-rc5+ #108\n  [1272.946368] Tainted: [W]=WARN\n  [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n  [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]\n  [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110\n  [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282\n  [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000\n  [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff\n  [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268\n  [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0\n  [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0\n  [1272.952850] FS:  0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000\n  [1272.953458] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0\n  [1272.954474] Call Trace:\n  [1272.954655]  <TASK>\n  [1272.954812]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955173]  ? __warn.cold+0x93/0xd7\n  [1272.955487]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955816]  ? report_bug+0xe7/0x120\n  [1272.956103]  ? handle_bug+0x53/0x90\n  [1272.956424]  ? exc_invalid_op+0x13/0x60\n  [1272.956700]  ? asm_exc_invalid_op+0x16/0x20\n  [1272.957011]  ? refcount_warn_saturate+0xba/0x110\n  [1272.957399]  btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]\n  [1272.957853]  btrfs_put_block_group.cold+0x5d/0x8e [btrfs]\n  [1272.958289]  btrfs_discard_workfn+0x194/0x380 [btrfs]\n  [1272.958729]  process_one_work+0x130/0x290\n  [1272.959026]  worker_thread+0x2ea/0x420\n  [1272.959335]  ? __pfx_worker_thread+0x10/0x10\n  [1272.959644]  kthread+0xd7/0x1c0\n  [1272.959872]  ? __pfx_kthread+0x10/0x10\n  [1272.960172]  ret_from_fork+0x30/0x50\n  [1272.960474]  ? __pfx_kthread+0x10/0x10\n  [1272.960745]  ret_from_fork_asm+0x1a/0x30\n  [1272.961035]  </TASK>\n  [1272.961238] ---[ end trace 0000000000000000 ]---\n\nThough we have seen them in the async discard workfn as well. It is\nmost likely to happen after a relocation finishes which cancels discard,\ntears down the block group, etc.\n\nFix this fully by taking the lock arou\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: check error for register_netdev() on init\n\nCurrent init logic ignores the error code from register_netdev(),\nwhich will cause WARN_ON() on attempt to unregister it, if there was one,\nand there is no info for the user that the creation of the netdev failed.\n\nWARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10\n...\n[ 3707.563641]  unregister_netdev+0x1c/0x30\n[ 3707.563656]  idpf_vport_dealloc+0x5cf/0xce0 [idpf]\n[ 3707.563684]  idpf_deinit_task+0xef/0x160 [idpf]\n[ 3707.563712]  idpf_vc_core_deinit+0x84/0x320 [idpf]\n[ 3707.563739]  idpf_remove+0xbf/0x780 [idpf]\n[ 3707.563769]  pci_device_remove+0xab/0x1e0\n[ 3707.563786]  device_release_driver_internal+0x371/0x530\n[ 3707.563803]  driver_detach+0xbf/0x180\n[ 3707.563816]  bus_remove_driver+0x11b/0x2a0\n[ 3707.563829]  pci_unregister_driver+0x2a/0x250\n\nIntroduce an error check and log the vport number and error code.\nOn removal make sure to check VPORT_REG_NETDEV flag prior to calling\nunregister and free on the netdev.\n\nAdd local variables for idx, vport_config and netdev for readability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()\n\nFix using the untrusted value of proto->raw.pkt_len in function\nice_vc_fdir_parse_raw() by verifying if it does not exceed the\nVIRTCHNL_MAX_SIZE_RAW_PACKET value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: validate queue quanta parameters to prevent OOB access\n\nAdd queue wraparound prevention in quanta configuration.\nEnsure end_qid does not overflow by validating start_qid and num_queues.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: init wiphy_work before allocating rfkill fails\n\nsyzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1]\n\nAfter rfkill allocation fails, the wiphy release process will be performed,\nwhich will cause cfg80211_dev_free to access the uninitialized wiphy_work\nrelated data.\n\nMove the initialization of wiphy_work to before rfkill initialization to\navoid this issue.\n\n[1]\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n assign_lock_key kernel/locking/lockdep.c:983 [inline]\n register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297\n __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103\n lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162\n cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196\n device_release+0xa1/0x240 drivers/base/core.c:2568\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e4/0x5a0 lib/kobject.c:737\n put_device+0x1f/0x30 drivers/base/core.c:3774\n wiphy_free net/wireless/core.c:1224 [inline]\n wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562\n ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835\n mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185\n hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242\n genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338\n netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg net/socket.c:733 [inline]\n ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573\n ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627\n __sys_sendmsg+0x16e/0x220 net/socket.c:2659\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n\nClose: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: goto right label 'out_mmap_sem' in ext4_setattr()\n\nOtherwise, if ext4_inode_attach_jinode() fails, a hung task will\nhappen because filemap_invalidate_unlock() isn't called to unlock\nmapping->invalidate_lock. Like this:\n\nEXT4-fs error (device sda) in ext4_setattr:5557: Out of memory\nINFO: task fsstress:374 blocked for more than 122 seconds.\n      Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:fsstress state:D stack:0     pid:374   tgid:374   ppid:373\n                                  task_flags:0x440140 flags:0x00000000\nCall Trace:\n <TASK>\n __schedule+0x2c9/0x7f0\n schedule+0x27/0xa0\n schedule_preempt_disabled+0x15/0x30\n rwsem_down_read_slowpath+0x278/0x4c0\n down_read+0x59/0xb0\n page_cache_ra_unbounded+0x65/0x1b0\n filemap_get_pages+0x124/0x3e0\n filemap_read+0x114/0x3d0\n vfs_read+0x297/0x360\n ksys_read+0x6c/0xe0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere's issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                   ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn't check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix adding folio to bio\n\n>4GB folio is possible on some ARCHs, such as aarch64, 16GB hugepage\nis supported, then 'offset' of folio can't be held in 'unsigned int',\ncause warning in bio_add_folio_nofail() and IO failure.\n\nFix it by adjusting 'page' & trimming 'offset' so that `->bi_offset` won't\nbe overflow, and folio can be added to bio successfully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid accessing uninitialized curseg\n\nsyzbot reports a f2fs bug as below:\n\nF2FS-fs (loop3): Stopped filesystem due to reason: 7\nkworker/u8:7: attempt to access beyond end of device\nBUG: unable to handle page fault for address: ffffed1604ea3dfa\nRIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]\nRIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]\nRIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]\nRIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]\nRIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649\n <TASK>\n f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]\n f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791\n write_inode fs/fs-writeback.c:1525 [inline]\n __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745\n writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976\n wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156\n wb_do_writeback fs/fs-writeback.c:2303 [inline]\n wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nCommit 8b10d3653735 (\"f2fs: introduce FAULT_NO_SEGMENT\") allows to trigger\nno free segment fault in allocator, then it will update curseg->segno to\nNULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed\nto check the flag, and access invalid curseg->segno directly in below call\npath, then resulting in panic:\n\n- f2fs_write_inode\n - f2fs_is_checkpoint_ready\n  - has_enough_free_secs\n   - has_not_enough_free_secs\n    - __get_secs_required\n     - has_curseg_enough_space\n      - get_ckpt_valid_blocks\n      : access invalid curseg->segno\n\nTo avoid this issue, let's:\n- check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in\nf2fs_write_inode().\n- in has_curseg_enough_space(), save curseg->segno into a temp variable,\nand verify its validation before use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: fix wrong bitmap_limit for clustermd when write sb\n\nIn clustermd, separate write-intent-bitmaps are used for each cluster\nnode:\n\n0                    4k                     8k                    12k\n-------------------------------------------------------------------\n| idle                | md super            | bm super [0] + bits |\n| bm bits[0, contd]   | bm super[1] + bits  | bm bits[1, contd]   |\n| bm super[2] + bits  | bm bits [2, contd]  | bm super[3] + bits  |\n| bm bits [3, contd]  |                     |                     |\n\nSo in node 1, pg_index in __write_sb_page() could equal to\nbitmap->storage.file_pages. Then bitmap_limit will be calculated to\n0. md_super_write() will be called with 0 size.\nThat means the first 4k sb area of node 1 will never be updated\nthrough filemap_write_page().\nThis bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize.\n\nHere use (pg_index % bitmap->storage.file_pages) to make calculation\nof bitmap_limit correct.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1,raid10: don't ignore IO flags\n\nIf blk-wbt is enabled by default, it's found that raid write performance\nis quite bad because all IO are throttled by wbt of underlying disks,\ndue to flag REQ_IDLE is ignored. And turns out this behaviour exist since\nblk-wbt is introduced.\n\nOther than REQ_IDLE, other flags should not be ignored as well, for\nexample REQ_META can be set for filesystems, clearing it can cause priority\nreverse problems; And REQ_NOWAIT should not be cleared as well, because\nio will wait instead of failing directly in underlying disks.\n\nFix those problems by keep IO flags from master bio.\n\nFises: f51d46d0e7cb (\"md: add support for REQ_NOWAIT\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix mddev uaf while iterating all_mddevs list\n\nWhile iterating all_mddevs list from md_notify_reboot() and md_exit(),\nlist_for_each_entry_safe is used, and this can race with deletint the\nnext mddev, causing UAF:\n\nt1:\nspin_lock\n//list_for_each_entry_safe(mddev, n, ...)\n mddev_get(mddev1)\n // assume mddev2 is the next entry\n spin_unlock\n            t2:\n            //remove mddev2\n            ...\n            mddev_free\n            spin_lock\n            list_del\n            spin_unlock\n            kfree(mddev2)\n mddev_put(mddev1)\n spin_lock\n //continue dereference mddev2->all_mddevs\n\nThe old helper for_each_mddev() actually grab the reference of mddev2\nwhile holding the lock, to prevent from being freed. This problem can be\nfixed the same way, however, the code will be complex.\n\nHence switch to use list_for_each_entry, in this case mddev_put() can free\nthe mddev1 and it's not safe as well. Refer to md_seq_show(), also factor\nout a helper mddev_put_locked() to fix this problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix potential deadloop in prepare_compress_overwrite()\n\nJan Prusakowski reported a kernel hang issue as below:\n\nWhen running xfstests on linux-next kernel (6.14.0-rc3, 6.12) I\nencountered a problem in generic/475 test where fsstress process\ngets blocked in __f2fs_write_data_pages() and the test hangs.\nThe options I used are:\n\nMKFS_OPTIONS  -- -O compression -O extra_attr -O project_quota -O quota /dev/vdc\nMOUNT_OPTIONS -- -o acl,user_xattr -o discard,compress_extension=* /dev/vdc /vdc\n\nINFO: task kworker/u8:0:11 blocked for more than 122 seconds.\n      Not tainted 6.14.0-rc3-xfstests-lockdep #1\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/u8:0    state:D stack:0     pid:11    tgid:11    ppid:2      task_flags:0x4208160 flags:0x00004000\nWorkqueue: writeback wb_workfn (flush-253:0)\nCall Trace:\n <TASK>\n __schedule+0x309/0x8e0\n schedule+0x3a/0x100\n schedule_preempt_disabled+0x15/0x30\n __mutex_lock+0x59a/0xdb0\n __f2fs_write_data_pages+0x3ac/0x400\n do_writepages+0xe8/0x290\n __writeback_single_inode+0x5c/0x360\n writeback_sb_inodes+0x22f/0x570\n wb_writeback+0xb0/0x410\n wb_do_writeback+0x47/0x2f0\n wb_workfn+0x5a/0x1c0\n process_one_work+0x223/0x5b0\n worker_thread+0x1d5/0x3c0\n kthread+0xfd/0x230\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThe root cause is: once generic/475 starts toload error table to dm\ndevice, f2fs_prepare_compress_overwrite() will loop reading compressed\ncluster pages due to IO error, meanwhile it has held .writepages lock,\nit can block all other writeback tasks.\n\nLet's fix this issue w/ below changes:\n- add f2fs_handle_page_eio() in prepare_compress_overwrite() to\ndetect IO error.\n- detect cp_error earler in f2fs_read_multi_pages().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-22128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath12k_pci_msi_alloc(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ.\n\nThis may end up with a warning from the IRQ core that is expecting the\naffinity hint to be cleared before freeing the IRQ:\n\nkernel/irq/manage.c:\n\n\t/* make sure affinity_hint is cleaned up */\n\tif (WARN_ON_ONCE(desc->affinity_hint))\n\t\tdesc->affinity_hint = NULL;\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath12k_pci_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath11k_pci_alloc_msi(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ. This results in the\nbelow warning:\n\nWARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c\nCall trace:\n free_irq+0x278/0x29c\n ath11k_pcic_free_irq+0x70/0x10c [ath11k]\n ath11k_pci_probe+0x800/0x820 [ath11k_pci]\n local_pci_probe+0x40/0xbc\n\nThe warning is due to not clearing the affinity hint before freeing the\nIRQs.\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath11k_pcic_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm.\n\nTested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid panic once fallocation fails for pinfile\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2746!\nCPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]\nRIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876\nCall Trace:\n <TASK>\n __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210\n f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]\n f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238\n f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830\n f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940\n vfs_fallocate+0x569/0x6e0 fs/open.c:327\n do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nConcurrent pinfile allocation may run out of free section, result in\npanic in get_new_segment(), let's expand pin_sem lock coverage to\ninclude f2fs_gc(), so that we can make sure to reclaim enough free\nspace for following allocation.\n\nIn addition, do below changes to enhance error path handling:\n- call f2fs_bug_on() only in non-pinfile allocation path in\nget_new_segment().\n- call reset_curseg_fields() to reset all fields of curseg in\nnew_curseg()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: prevent NPD when writing a positive value to event_done\n\ndo_uevent returns the value written to event_done. In case it is a\npositive value, new_lockspace would undo all the work, and lockspace\nwould not be set. __dlm_new_lockspace, however, would treat that\npositive value as a success due to commit 8511a2728ab8 (\"dlm: fix use\ncount with multiple joins\").\n\nDown the line, device_create_lockspace would pass that NULL lockspace to\ndlm_find_lockspace_local, leading to a NULL pointer dereference.\n\nTreating such positive values as successes prevents the problem. Given\nthis has been broken for so long, this is unlikely to break userspace\nexpectations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: quota: fix to avoid warning in dquot_writeback_dquots()\n\nF2FS-fs (dm-59): checkpoint=enable has some unwritten data.\n\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308\npc : dquot_writeback_dquots+0x2fc/0x308\nlr : f2fs_quota_sync+0xcc/0x1c4\nCall trace:\ndquot_writeback_dquots+0x2fc/0x308\nf2fs_quota_sync+0xcc/0x1c4\nf2fs_write_checkpoint+0x3d4/0x9b0\nf2fs_issue_checkpoint+0x1bc/0x2c0\nf2fs_sync_fs+0x54/0x150\nf2fs_do_sync_file+0x2f8/0x814\n__f2fs_ioctl+0x1960/0x3244\nf2fs_ioctl+0x54/0xe0\n__arm64_sys_ioctl+0xa8/0xe4\ninvoke_syscall+0x58/0x114\n\ncheckpoint and f2fs_remount may race as below, resulting triggering warning\nin dquot_writeback_dquots().\n\natomic write                                    remount\n                                                - do_remount\n                                                 - down_write(&sb->s_umount);\n                                                  - f2fs_remount\n- ioctl\n - f2fs_do_sync_file\n  - f2fs_sync_fs\n   - f2fs_write_checkpoint\n    - block_operations\n     - locked = down_read_trylock(&sbi->sb->s_umount)\n       : fail to lock due to the write lock was held by remount\n                                                 - up_write(&sb->s_umount);\n     - f2fs_quota_sync\n      - dquot_writeback_dquots\n       - WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount))\n       : trigger warning because s_umount lock was unlocked by remount\n\nIf checkpoint comes from mount/umount/remount/freeze/quotactl, caller of\ncheckpoint has already held s_umount lock, calling dquot_writeback_dquots()\nin the context should be safe.\n\nSo let's record task to sbi->umount_lock_holder, so that checkpoint can\nknow whether the lock has held in the context or not by checking current\nw/ it.\n\nIn addition, in order to not misrepresent caller of checkpoint, we should\nnot allow to trigger async checkpoint for those callers: mount/umount/remount/\nfreeze/quotactl.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211's handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n    kfree+0x109/0x3a0\n    ath11k_regd_update+0x1cf/0x350 [ath11k]\n    ath11k_regd_update_work+0x14/0x20 [ath11k]\n    process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Don't take register_mutex with copy_from/to_user()\n\nThe infamous mmap_lock taken in copy_from/to_user() can be often\nproblematic when it's called inside another mutex, as they might lead\nto deadlocks.\n\nIn the case of ALSA timer code, the bad pattern is with\nguard(mutex)(&register_mutex) that covers copy_from/to_user() -- which\nwas mistakenly introduced at converting to guard(), and it had been\ncarefully worked around in the past.\n\nThis patch fixes those pieces simply by moving copy_from/to_user() out\nof the register mutex lock again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Teardown riscv specific bits after kvm_exit\n\nDuring a module removal, kvm_exit invokes arch specific disable\ncall which disables AIA. However, we invoke aia_exit before kvm_exit\nresulting in the following warning. KVM kernel module can't be inserted\nafterwards due to inconsistent state of IRQ.\n\n[25469.031389] percpu IRQ 31 still enabled on CPU0!\n[25469.031732] WARNING: CPU: 3 PID: 943 at kernel/irq/manage.c:2476 __free_percpu_irq+0xa2/0x150\n[25469.031804] Modules linked in: kvm(-)\n[25469.031848] CPU: 3 UID: 0 PID: 943 Comm: rmmod Not tainted 6.14.0-rc5-06947-g91c763118f47-dirty #2\n[25469.031905] Hardware name: riscv-virtio,qemu (DT)\n[25469.031928] epc : __free_percpu_irq+0xa2/0x150\n[25469.031976]  ra : __free_percpu_irq+0xa2/0x150\n[25469.032197] epc : ffffffff8007db1e ra : ffffffff8007db1e sp : ff2000000088bd50\n[25469.032241]  gp : ffffffff8131cef8 tp : ff60000080b96400 t0 : ff2000000088baf8\n[25469.032285]  t1 : fffffffffffffffc t2 : 5249207570637265 s0 : ff2000000088bd90\n[25469.032329]  s1 : ff60000098b21080 a0 : 037d527a15eb4f00 a1 : 037d527a15eb4f00\n[25469.032372]  a2 : 0000000000000023 a3 : 0000000000000001 a4 : ffffffff8122dbf8\n[25469.032410]  a5 : 0000000000000fff a6 : 0000000000000000 a7 : ffffffff8122dc10\n[25469.032448]  s2 : ff60000080c22eb0 s3 : 0000000200000022 s4 : 000000000000001f\n[25469.032488]  s5 : ff60000080c22e00 s6 : ffffffff80c351c0 s7 : 0000000000000000\n[25469.032582]  s8 : 0000000000000003 s9 : 000055556b7fb490 s10: 00007ffff0e12fa0\n[25469.032621]  s11: 00007ffff0e13e9a t3 : ffffffff81354ac7 t4 : ffffffff81354ac7\n[25469.032664]  t5 : ffffffff81354ac8 t6 : ffffffff81354ac7\n[25469.032698] status: 0000000200000100 badaddr: ffffffff8007db1e cause: 0000000000000003\n[25469.032738] [<ffffffff8007db1e>] __free_percpu_irq+0xa2/0x150\n[25469.032797] [<ffffffff8007dbfc>] free_percpu_irq+0x30/0x5e\n[25469.032856] [<ffffffff013a57dc>] kvm_riscv_aia_exit+0x40/0x42 [kvm]\n[25469.033947] [<ffffffff013b4e82>] cleanup_module+0x10/0x32 [kvm]\n[25469.035300] [<ffffffff8009b150>] __riscv_sys_delete_module+0x18e/0x1fc\n[25469.035374] [<ffffffff8000c1ca>] syscall_handler+0x3a/0x46\n[25469.035456] [<ffffffff809ec9a4>] do_trap_ecall_u+0x72/0x134\n[25469.035536] [<ffffffff809f5e18>] handle_exception+0x148/0x156\n\nInvoke aia_exit and other arch specific cleanup functions after kvm_exit\nso that disable gets a chance to be called first before exit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: int340x: Add NULL check for adev\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL.\nThis is similar to the commit cd2fd6eab480\n(\"platform/x86: int3472: Check for adev == NULL\").\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in int3402_thermal_probe().\n\nNote, under the same directory, int3400_thermal_probe() has such a\ncheck.\n\n[ rjw: Subject edit, added Fixes: ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update\n\nCheck if policy is NULL before dereferencing it in amd_pstate_update.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: fix pipe accounting mismatch\n\nCurrently, watch_queue_set_size() modifies the pipe buffers charged to\nuser->pipe_bufs without updating the pipe->nr_accounted on the pipe\nitself, due to the if (!pipe_has_watch_queue()) test in\npipe_resize_ring(). This means that when the pipe is ultimately freed,\nwe decrement user->pipe_bufs by something other than what than we had\ncharged to it, potentially leading to an underflow. This in turn can\ncause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.\n\nTo remedy this, explicitly account for the pipe usage in\nwatch_queue_set_size() to match the number set via account_pipe_buffers()\n\n(It's unclear why watch_queue_set_size() does not update nr_accounted;\nit may be due to intentional overprovisioning in watch_queue_set_size()?)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error\n\nAfter devm_request_irq() fails with error in pci_endpoint_test_request_irq(),\nthe pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs\nhave been released.\n\nHowever, some requested IRQs remain unreleased, so there are still\n/proc/irq/* entries remaining, and this results in WARN() with the\nfollowing message:\n\n  remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'\n  WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c\n\nTo solve this issue, set the number of remaining IRQs to test->num_irqs,\nand release IRQs in advance by calling pci_endpoint_test_release_irq().\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses\n\nAcquire a lock on kvm->srcu when userspace is getting MP state to handle a\nrather extreme edge case where \"accepting\" APIC events, i.e. processing\npending INIT or SIPI, can trigger accesses to guest memory.  If the vCPU\nis in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP\nstate will trigger a nested VM-Exit by way of ->check_nested_events(), and\nemuating the nested VM-Exit can access guest memory.\n\nThe splat was originally hit by syzkaller on a Google-internal kernel, and\nreproduced on an upstream kernel by hacking the triple_fault_event_test\nselftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a\nmemory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.\n\n  =============================\n  WARNING: suspicious RCU usage\n  6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted\n  -----------------------------\n  include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active = 2, debug_locks = 1\n  1 lock held by triple_fault_ev/1256:\n   #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]\n\n  stack backtrace:\n  CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x7f/0x90\n   lockdep_rcu_suspicious+0x144/0x190\n   kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]\n   kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n   read_and_check_msr_entry+0x2e/0x180 [kvm_intel]\n   __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]\n   kvm_check_nested_events+0x1b/0x30 [kvm]\n   kvm_apic_accept_events+0x33/0x100 [kvm]\n   kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]\n   kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]\n   __x64_sys_ioctl+0x8b/0xb0\n   do_syscall_64+0x6c/0x170\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: detect and prevent references to a freed transport in sendmsg\n\nsctp_sendmsg() re-uses associations and transports when possible by\ndoing a lookup based on the socket endpoint and the message destination\naddress, and then sctp_sendmsg_to_asoc() sets the selected transport in\nall the message chunks to be sent.\n\nThere's a possible race condition if another thread triggers the removal\nof that selected transport, for instance, by explicitly unbinding an\naddress with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have\nbeen set up and before the message is sent. This can happen if the send\nbuffer is full, during the period when the sender thread temporarily\nreleases the socket lock in sctp_wait_for_sndbuf().\n\nThis causes the access to the transport data in\nsctp_outq_select_transport(), when the association outqueue is flushed,\nto result in a use-after-free read.\n\nThis change avoids this scenario by having sctp_transport_free() signal\nthe freeing of the transport, tagging it as \"dead\". In order to do this,\nthe patch restores the \"dead\" bit in struct sctp_transport, which was\nremoved in\ncommit 47faa1e4c50e (\"sctp: remove the dead field of sctp_transport\").\n\nThen, in the scenario where the sender thread has released the socket\nlock in sctp_wait_for_sndbuf(), the bit is checked again after\nre-acquiring the socket lock to detect the deletion. This is done while\nholding a reference to the transport to prevent it from being freed in\nthe process.\n\nIf the transport was deleted while the socket lock was relinquished,\nsctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the\nsend.\n\nThe bug was found by a private syzbot instance (see the error report [1]\nand the C reproducer that triggers it [2]).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\n\nWhen I ran the repro [0] and waited a few seconds, I observed two\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\n\nReproduction Steps:\n\n  1) Mount CIFS\n  2) Add an iptables rule to drop incoming FIN packets for CIFS\n  3) Unmount CIFS\n  4) Unload the CIFS module\n  5) Remove the iptables rule\n\nAt step 3), the CIFS module calls sock_release() for the underlying\nTCP socket, and it returns quickly.  However, the socket remains in\nFIN_WAIT_1 because incoming FIN packets are dropped.\n\nAt this point, the module's refcnt is 0 while the socket is still\nalive, so the following rmmod command succeeds.\n\n  # ss -tan\n  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port\n  FIN-WAIT-1 0      477        10.0.2.15:51062   10.0.0.137:445\n\n  # lsmod | grep cifs\n  cifs                 1159168  0\n\nThis highlights a discrepancy between the lifetime of the CIFS module\nand the underlying TCP socket.  Even after CIFS calls sock_release()\nand it returns, the TCP socket does not die immediately in order to\nclose the connection gracefully.\n\nWhile this is generally fine, it causes an issue with LOCKDEP because\nCIFS assigns a different lock class to the TCP socket's sk->sk_lock\nusing sock_lock_init_class_and_name().\n\nOnce an incoming packet is processed for the socket or a timer fires,\nsk->sk_lock is acquired.\n\nThen, LOCKDEP checks the lock context in check_wait_context(), where\nhlock_class() is called to retrieve the lock class.  However, since\nthe module has already been unloaded, hlock_class() logs a warning\nand returns NULL, triggering the null-ptr-deref.\n\nIf LOCKDEP is enabled, we must ensure that a module calling\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\nwhile such a socket is still alive to prevent this issue.\n\nLet's hold the module reference in sock_lock_init_class_and_name()\nand release it when the socket is freed in sk_prot_free().\n\nNote that sock_lock_init() clears sk->sk_owner for svc_create_socket()\nthat calls sock_lock_init_class_and_name() for a listening socket,\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\n\n[0]:\nCIFS_SERVER=\"10.0.0.137\"\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\nDEV=\"enp0s3\"\nCRED=\"/root/WindowsCredential.txt\"\n\nMNT=$(mktemp -d /tmp/XXXXXX)\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\n\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\n\nfor i in $(seq 10);\ndo\n    umount ${MNT}\n    rmmod cifs\n    sleep 1\ndone\n\nrm -r ${MNT}\n\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\n\n[1]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\n...\nCall Trace:\n <IRQ>\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\n _raw_spin_lock_nested (kernel/locking/spinlock.c:379)\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)\n...\n\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G        W          6.14.0 #36\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire (kernel/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led_bl: Hold led_access lock when calling led_sysfs_disable()\n\nLockdep detects the following issue on led-backlight removal:\n  [  142.315935] ------------[ cut here ]------------\n  [  142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80\n  ...\n  [  142.500725] Call trace:\n  [  142.503176]  led_sysfs_enable+0x54/0x80 (P)\n  [  142.507370]  led_bl_remove+0x80/0xa8 [led_bl]\n  [  142.511742]  platform_remove+0x30/0x58\n  [  142.515501]  device_remove+0x54/0x90\n  ...\n\nIndeed, led_sysfs_enable() has to be called with the led_access\nlock held.\n\nHold the lock when calling led_sysfs_disable().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n'subflow_req->msk' ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the 'subflow_req->msk' under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: ene-kb3930: Fix a potential NULL pointer dereference\n\nThe off_gpios could be NULL. Add missing check in the kb3930_probe().\nThis is similar to the issue fixed in commit b1ba8bcb2d1f\n(\"backlight: hx8357: Fix potential NULL pointer dereference\").\n\nThis was detected by our static analysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Add NULL pointer check in i3c_master_queue_ibi()\n\nThe I3C master driver may receive an IBI from a target device that has not\nbeen probed yet. In such cases, the master calls `i3c_master_queue_ibi()`\nto queue an IBI work task, leading to \"Unable to handle kernel read from\nunreadable memory\" and resulting in a kernel panic.\n\nTypical IBI handling flow:\n1. The I3C master scans target devices and probes their respective drivers.\n2. The target device driver calls `i3c_device_request_ibi()` to enable IBI\n   and assigns `dev->ibi = ibi`.\n3. The I3C master receives an IBI from the target device and calls\n   `i3c_master_queue_ibi()` to queue the target device driver\u2019s IBI\n   handler task.\n\nHowever, since target device events are asynchronous to the I3C probe\nsequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,\nleading to a kernel panic.\n\nAdd a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing\nan uninitialized `dev->ibi`, ensuring stability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()\n\nsoc_dev_attr->revision could be NULL, thus,\na pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: do not start chip while suspended\n\nChecking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can\nlead to a spurious tpm_chip_start() call:\n\n[35985.503771] i2c i2c-1: Transfer while suspended\n[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810\n[35985.503802] Modules linked in:\n[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G        W          6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f\n[35985.503814] Tainted: [W]=WARN\n[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023\n[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810\n[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5\n[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246\n[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000\n[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001\n[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820\n[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120\n[35985.503846] FS:  0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000\n[35985.503849] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0\n[35985.503855] Call Trace:\n[35985.503859]  <TASK>\n[35985.503863]  ? __warn+0xd4/0x260\n[35985.503868]  ? __i2c_transfer+0xbe/0x810\n[35985.503874]  ? report_bug+0xf3/0x210\n[35985.503882]  ? handle_bug+0x63/0xb0\n[35985.503887]  ? exc_invalid_op+0x16/0x50\n[35985.503892]  ? asm_exc_invalid_op+0x16/0x20\n[35985.503904]  ? __i2c_transfer+0xbe/0x810\n[35985.503913]  tpm_cr50_i2c_transfer_message+0x24/0xf0\n[35985.503920]  tpm_cr50_i2c_read+0x8e/0x120\n[35985.503928]  tpm_cr50_request_locality+0x75/0x170\n[35985.503935]  tpm_chip_start+0x116/0x160\n[35985.503942]  tpm_try_get_ops+0x57/0x90\n[35985.503948]  tpm_find_get_ops+0x26/0xd0\n[35985.503955]  tpm_get_random+0x2d/0x80\n\nDon't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless\nTPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in\nsuch a failure case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe following loop is located right above 'if' statement.\n\nfor (i = count-1; i >= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 > blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n'i' in this case could go down to -1, in which case sum of active entries\nwouldn't exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Fix race between unprepare and queue_buf\n\nA client driver may use mhi_unprepare_from_transfer() to quiesce\nincoming data during the client driver's tear down. The client driver\nmight also be processing data at the same time, resulting in a call to\nmhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs\nafter mhi_unprepare_from_transfer() has torn down the channel, a panic\nwill occur due to an invalid dereference leading to a page fault.\n\nThis occurs because mhi_gen_tre() does not verify the channel state\nafter locking it. Fix this by having mhi_gen_tre() confirm the channel\nstate is valid, or return error to avoid accessing deinitialized data.\n\n[mani: added stable tag]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()\n\nFix a silly bug where an array was used outside of its scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()\n\nFix a silly bug where an array was used outside of its scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix io_req_post_cqe abuse by send bundle\n\n[  114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0\n[  114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0\n[  115.001880][ T5313] Call Trace:\n[  115.002222][ T5313]  <TASK>\n[  115.007813][ T5313]  io_send+0x4fe/0x10f0\n[  115.009317][ T5313]  io_issue_sqe+0x1a6/0x1740\n[  115.012094][ T5313]  io_wq_submit_work+0x38b/0xed0\n[  115.013223][ T5313]  io_worker_handle_work+0x62a/0x1600\n[  115.013876][ T5313]  io_wq_worker+0x34f/0xdf0\n\nAs the comment states, io_req_post_cqe() should only be used by\nmultishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are\nnot. Add a flag signifying whether a request wants to post multiple\nCQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but\nthat's left out for simplicity.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Fix accessing freed irq affinity_hint\n\nIn stmmac_request_irq_multi_msi(), a pointer to the stack variable\ncpu_mask is passed to irq_set_affinity_hint(). This value is stored in\nirq_desc->affinity_hint, but once stmmac_request_irq_multi_msi()\nreturns, the pointer becomes dangling.\n\nThe affinity_hint is exposed via procfs with S_IRUGO permissions,\nallowing any unprivileged process to read it. Accessing this stale\npointer can lead to:\n\n- a kernel oops or panic if the referenced memory has been released and\n  unmapped, or\n- leakage of kernel data into userspace if the memory is re-used for\n  other purposes.\n\nAll platforms that use stmmac with PCI MSI (Intel, Loongson, etc) are\naffected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: refactor hfi packet parsing logic\n\nwords_count denotes the number of words in total payload, while data\npoints to payload of various property within it. When words_count\nreaches last word, data can access memory beyond the total payload. This\ncan lead to OOB access. With this patch, the utility api for handling\nindividual properties now returns the size of data consumed. Accordingly\nremaining bytes are calculated before parsing the payload, thereby\neliminates the OOB access possibilities.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi_parser: add check to avoid out of bound access\n\nThere is a possibility that init_codecs is invoked multiple times during\nmanipulated payload from video firmware. In such case, if codecs_count\ncan get incremented to value more than MAX_CODEC_NUM, there can be OOB\naccess. Reset the count so that it always starts from beginning.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add check to handle incorrect queue size\n\nqsize represents size of shared queued between driver and video\nfirmware. Firmware can modify this value to an invalid large value. In\nsuch situation, empty_space will be bigger than the space actually\navailable. Since new_wr_idx is not checked, so the following code will\nresult in an OOB write.\n...\nqsize = qhdr->q_size\n\nif (wr_idx >= rd_idx)\n empty_space = qsize - (wr_idx - rd_idx)\n....\nif (new_wr_idx < qsize) {\n memcpy(wr_ptr, packet, dwords << 2) --> OOB write\n\nAdd check to ensure qsize is within the allocated size while\nreading and writing packets into the queue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add a check to handle OOB in sfr region\n\nsfr->buf_size is in shared memory and can be modified by malicious user.\nOOB write is possible when the size is made higher than actual sfr data\nbuffer. Cap the size to allocated size for such cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization\n\nOn Mediatek devices with a system companion processor (SCP) the mtk_scp\nstructure has to be removed explicitly to avoid a resource leak.\nFree the structure in case the allocation of the firmware structure fails\nduring the firmware initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type\n\nThe access to the PCI config space via pci_ops::read and pci_ops::write is\na low-level hardware access. The functions can be accessed with disabled\ninterrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this\npurpose.\n\nA spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be\nacquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in\nthe same context as the pci_lock.\n\nMake vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with\ninterrupts disabled.\n\nThis was reported as:\n\n  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n  Call Trace:\n   rt_spin_lock+0x4e/0x130\n   vmd_pci_read+0x8d/0x100 [vmd]\n   pci_user_read_config_byte+0x6f/0xe0\n   pci_read_config+0xfe/0x290\n   sysfs_kf_bin_read+0x68/0x90\n\n[bigeasy: reword commit message]\nTested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>\n[kwilczynski: commit log]\n[bhelgaas: add back report info from\nhttps://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vf: Don't try to trigger a full GT reset if VF\n\nVFs don't have access to the GDRST(0x941c) register that driver\nuses to reset a GT. Attempt to trigger a reset using debugfs:\n\n $ cat /sys/kernel/debug/dri/0000:00:02.1/gt0/force_reset\n\nor due to a hang condition detected by the driver leads to:\n\n [ ] xe 0000:00:02.1: [drm] GT0: trying reset from force_reset [xe]\n [ ] xe 0000:00:02.1: [drm] GT0: reset queued\n [ ] xe 0000:00:02.1: [drm] GT0: reset started\n [ ] ------------[ cut here ]------------\n [ ] xe 0000:00:02.1: [drm] GT0: VF is trying to write 0x1 to an inaccessible register 0x941c+0x0\n [ ] WARNING: CPU: 3 PID: 3069 at drivers/gpu/drm/xe/xe_gt_sriov_vf.c:996 xe_gt_sriov_vf_write32+0xc6/0x580 [xe]\n [ ] RIP: 0010:xe_gt_sriov_vf_write32+0xc6/0x580 [xe]\n [ ] Call Trace:\n [ ]  <TASK>\n [ ]  ? show_regs+0x6c/0x80\n [ ]  ? __warn+0x93/0x1c0\n [ ]  ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]\n [ ]  ? report_bug+0x182/0x1b0\n [ ]  ? handle_bug+0x6e/0xb0\n [ ]  ? exc_invalid_op+0x18/0x80\n [ ]  ? asm_exc_invalid_op+0x1b/0x20\n [ ]  ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]\n [ ]  ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]\n [ ]  ? xe_gt_tlb_invalidation_reset+0xef/0x110 [xe]\n [ ]  ? __mutex_unlock_slowpath+0x41/0x2e0\n [ ]  xe_mmio_write32+0x64/0x150 [xe]\n [ ]  do_gt_reset+0x2f/0xa0 [xe]\n [ ]  gt_reset_worker+0x14e/0x1e0 [xe]\n [ ]  process_one_work+0x21c/0x740\n [ ]  worker_thread+0x1db/0x3c0\n\nFix that by sending H2G VF_RESET(0x5507) action instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-23163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: don't propagate flags on open\n\nWith the device instance lock, there is now a possibility of a deadlock:\n\n[    1.211455] ============================================\n[    1.211571] WARNING: possible recursive locking detected\n[    1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted\n[    1.211823] --------------------------------------------\n[    1.211936] ip/184 is trying to acquire lock:\n[    1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0\n[    1.212207]\n[    1.212207] but task is already holding lock:\n[    1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0\n[    1.212487]\n[    1.212487] other info that might help us debug this:\n[    1.212626]  Possible unsafe locking scenario:\n[    1.212626]\n[    1.212751]        CPU0\n[    1.212815]        ----\n[    1.212871]   lock(&dev->lock);\n[    1.212944]   lock(&dev->lock);\n[    1.213016]\n[    1.213016]  *** DEADLOCK ***\n[    1.213016]\n[    1.213143]  May be due to missing lock nesting notation\n[    1.213143]\n[    1.213294] 3 locks held by ip/184:\n[    1.213371]  #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0\n[    1.213543]  #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0\n[    1.213727]  #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0\n[    1.213895]\n[    1.213895] stack backtrace:\n[    1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5\n[    1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[    1.213994] Call Trace:\n[    1.213995]  <TASK>\n[    1.213996]  dump_stack_lvl+0x8e/0xd0\n[    1.214000]  print_deadlock_bug+0x28b/0x2a0\n[    1.214020]  lock_acquire+0xea/0x2a0\n[    1.214027]  __mutex_lock+0xbf/0xd40\n[    1.214038]  
dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI\n[    1.214040]  vlan_dev_open+0xa5/0x170 # ndo_open on vlandev\n[    1.214042]  __dev_open+0x145/0x270\n[    1.214046]  __dev_change_flags+0xb0/0x1e0\n[    1.214051]  netif_change_flags+0x22/0x60 # IFF_UP vlandev\n[    1.214053]  dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info\n[    1.214055]  vlan_device_event+0x766/0x7c0 # on netdevsim0\n[    1.214058]  notifier_call_chain+0x78/0x120\n[    1.214062]  netif_open+0x6d/0x90\n[    1.214064]  dev_open+0x5b/0xb0 # locks netdevsim0\n[    1.214066]  bond_enslave+0x64c/0x1230\n[    1.214075]  do_set_master+0x175/0x1e0 # on netdevsim0\n[    1.214077]  do_setlink+0x516/0x13b0\n[    1.214094]  rtnl_newlink+0xaba/0xb80\n[    1.214132]  rtnetlink_rcv_msg+0x440/0x490\n[    1.214144]  netlink_rcv_skb+0xeb/0x120\n[    1.214150]  netlink_unicast+0x1f9/0x320\n[    1.214153]  netlink_sendmsg+0x346/0x3f0\n[    1.214157]  __sock_sendmsg+0x86/0xb0\n[    1.214160]  ____sys_sendmsg+0x1c8/0x220\n[    1.214164]  ___sys_sendmsg+0x28f/0x2d0\n[    1.214179]  __x64_sys_sendmsg+0xef/0x140\n[    1.214184]  do_syscall_64+0xec/0x1d0\n[    1.214190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[    1.214191] RIP: 0033:0x7f2d1b4a7e56\n\nDevice setup:\n\n     netdevsim0 (down)\n     ^        ^\n  bond        netdevsim1.100@netdevsim1 allmulticast=on (down)\n\nWhen we enslave the lower device (netdevsim0) which has a vlan, we\npropagate vlan's allmuti/promisc flags during ndo_open. This causes\n(re)locking on of the real_dev.\n\nPropagate allmulti/promisc on flags change, not on the open. 
There\nis a slight semantics change that vlans that are down now propagate\nthe flags, but this seems unlikely to result in the real issues.\n\nReproducer:\n\n  echo 0 1 > /sys/bus/netdevsim/new_device\n\n  dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)\n  dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)\n\n  ip link set dev $dev name netdevsim0\n  ip link set dev netdevsim0 up\n\n  ip link add link netdevsim0 name netdevsim0.100 type vlan id 100\n  ip link set dev netdevsim0.100 allm\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-23163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: ignore xattrs past end\n\nOnce inside 'ext4_xattr_inode_dec_ref_all' we should\nignore xattrs entries past the 'end' entry.\n\nThis fixes the following KASAN reported issue:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\nRead of size 4 at addr ffff888012c120c4 by task repro/2065\n\nCPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x1fd/0x300\n ? tcp_gro_dev_warn+0x260/0x260\n ? _printk+0xc0/0x100\n ? read_lock_is_recursive+0x10/0x10\n ? irq_work_queue+0x72/0xf0\n ? __virt_addr_valid+0x17b/0x4b0\n print_address_description+0x78/0x390\n print_report+0x107/0x1f0\n ? __virt_addr_valid+0x17b/0x4b0\n ? __virt_addr_valid+0x3ff/0x4b0\n ? __phys_addr+0xb5/0x160\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n kasan_report+0xcc/0x100\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ? ext4_xattr_delete_inode+0xd30/0xd30\n ? __ext4_journal_ensure_credits+0x5f0/0x5f0\n ? __ext4_journal_ensure_credits+0x2b/0x5f0\n ? inode_update_timestamps+0x410/0x410\n ext4_xattr_delete_inode+0xb64/0xd30\n ? ext4_truncate+0xb70/0xdc0\n ? ext4_expand_extra_isize_ea+0x1d20/0x1d20\n ? __ext4_mark_inode_dirty+0x670/0x670\n ? ext4_journal_check_start+0x16f/0x240\n ? ext4_inode_is_fast_symlink+0x2f2/0x3a0\n ext4_evict_inode+0xc8c/0xff0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n ? do_raw_spin_unlock+0x53/0x8a0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n evict+0x4ac/0x950\n ? proc_nr_inodes+0x310/0x310\n ? trace_ext4_drop_inode+0xa2/0x220\n ? _raw_spin_unlock+0x1a/0x30\n ? iput+0x4cb/0x7e0\n do_unlinkat+0x495/0x7c0\n ? try_break_deleg+0x120/0x120\n ? 0xffffffff81000000\n ? 
__check_object_size+0x15a/0x210\n ? strncpy_from_user+0x13e/0x250\n ? getname_flags+0x1dc/0x530\n __x64_sys_unlinkat+0xc8/0xf0\n do_syscall_64+0x65/0x110\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x434ffd\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8\nRSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107\nRAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd\nRDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005\nRBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001\n </TASK>\n\nThe buggy address belongs to the object at ffff888012c12000\n which belongs to the cache filp of size 360\nThe buggy address is located 196 bytes inside of\n freed 360-byte region [ffff888012c12000, ffff888012c12168)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12\nhead: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x40(head|node=0|zone=0)\npage_type: f5(slab)\nraw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nraw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nhead: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000\nhead: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                 
          ^\n ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\n ffff888012c12180: fc fc fc fc fc fc fc fc fc\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()\n\nsyzbot reports an UBSAN issue as below:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10\nindex 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')\nCPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429\n get_nid fs/f2fs/node.h:381 [inline]\n f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181\n f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886\n f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093\n aio_write+0x56b/0x7c0 fs/aio.c:1633\n io_submit_one+0x8a7/0x18a0 fs/aio.c:2052\n __do_sys_io_submit fs/aio.c:2111 [inline]\n __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f238798cde9\n\nindex 18446744073709550692 (decimal, unsigned long long)\n= 0xfffffffffffffc64 (hexadecimal, unsigned long long)\n= -924 (decimal, long long)\n\nIn f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to\naccess .i_nid[-924], it means both offset[0] and level should zero.\n\nThe possible case should be in f2fs_do_truncate_blocks(), we try to\ntruncate inode size to zero, however, dn.ofs_in_node is zero and\ndn.node_page is not an inode page, so it fails to truncate inode page,\nand then pass zeroed free_from to f2fs_truncate_inode_blocks(), result\nin this issue.\n\n\tif (dn.ofs_in_node || 
IS_INODE(dn.node_page)) {\n\t\tf2fs_truncate_data_blocks_range(&dn, count);\n\t\tfree_from += count;\n\t}\n\nI guess the reason why dn.node_page is not an inode page could be: there\nare multiple nat entries share the same node block address, once the node\nblock address was reused, f2fs_get_node_page() may load a non-inode block.\n\nLet's add a sanity check for such condition to avoid out-of-bounds access\nissue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add sanity check for agwidth in dbMount\n\nThe width in dmapctl of the AG is zero, it trigger a divide error when\ncalculating the control page level in dbAllocAG.\n\nTo avoid this issue, add a check for agwidth in dbAllocAG.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Prevent copying of nlink with value 0 from disk inode\n\nsyzbot report a deadlock in diFree. [1]\n\nWhen calling \"ioctl$LOOP_SET_STATUS64\", the offset value passed in is 4,\nwhich does not match the mounted loop device, causing the mapping of the\nmounted loop device to be invalidated.\n\nWhen creating the directory and creating the inode of iag in diReadSpecial(),\nread the page of fixed disk inode (AIT) in raw mode in read_metapage(), the\nmetapage data it returns is corrupted, which causes the nlink value of 0 to be\nassigned to the iag inode when executing copy_from_dinode(), which ultimately\ncauses a deadlock when entering diFree().\n\nTo avoid this, first check the nlink value of dinode before setting iag inode.\n\n[1]\nWARNING: possible recursive locking detected\n6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted\n--------------------------------------------\nsyz-executor301/5309 is trying to acquire lock:\nffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n\nbut task is already holding lock:\nffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&(imap->im_aglock[index]));\n  lock(&(imap->im_aglock[index]));\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n5 locks held by syz-executor301/5309:\n #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515\n #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]\n #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026\n #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630\n #3: ffff888044548890 
(&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]\n #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037\n check_deadlock kernel/locking/lockdep.c:3089 [inline]\n validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891\n __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889\n jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156\n evict+0x4e8/0x9b0 fs/inode.c:725\n diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]\n duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022\n diNewIAG fs/jfs/jfs_imap.c:2597 [inline]\n diAllocExt fs/jfs/jfs_imap.c:1905 [inline]\n diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669\n diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225\n vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n __do_sys_mkdirat fs/namei.c:4295 [inline]\n __se_sys_mkdirat 
fs/namei.c:4293 [inline]\n __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n do_syscall_x64 arch/x86/en\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of imap allocated in the diMount() function\n\nsyzbot reports that hex_dump_to_buffer is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nhex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171\nprint_hex_dump+0x13d/0x3e0 lib/hexdump.c:276\ndiFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876\njfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156\nevict+0x723/0xd10 fs/inode.c:796\niput_final fs/inode.c:1946 [inline]\niput+0x97b/0xdb0 fs/inode.c:1972\ntxUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367\ntxLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\njfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733\nkthread+0x6b9/0xef0 kernel/kthread.c:464\nret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nUninit was created at:\nslab_post_alloc_hook mm/slub.c:4121 [inline]\nslab_alloc_node mm/slub.c:4164 [inline]\n__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320\nkmalloc_noprof include/linux/slab.h:901 [inline]\ndiMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105\njfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176\njfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523\nget_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636\nget_tree_bdev+0x37/0x50 fs/super.c:1659\njfs_get_tree+0x34/0x40 fs/jfs/super.c:635\nvfs_get_tree+0xb1/0x5a0 fs/super.c:1814\ndo_new_mount+0x71f/0x15e0 fs/namespace.c:3560\npath_mount+0x742/0x1f10 fs/namespace.c:3887\ndo_mount fs/namespace.c:3900 [inline]\n__do_sys_mount fs/namespace.c:4111 [inline]\n__se_sys_mount+0x71f/0x800 fs/namespace.c:4088\n__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088\nx64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n=====================================================\n\nThe reason is that imap is not properly initialized after memory\nallocation. It will cause the snprintf() function to write uninitialized\ndata into linebuf within hex_dump_to_buffer().\n\nFix this by using kzalloc instead of kmalloc to clear its content at the\nbeginning in diMount().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid memory leak while enabling statistics\n\nDriver uses monitor destination rings for extended statistics mode and\nstandalone monitor mode. In extended statistics mode, TLVs are parsed from\nthe buffer received from the monitor destination ring and assigned to the\nppdu_info structure to update per-packet statistics. In standalone monitor\nmode, along with per-packet statistics, the packet data (payload) is\ncaptured, and the driver updates per MSDU to mac80211.\n\nWhen the AP interface is enabled, only extended statistics mode is\nactivated. As part of enabling monitor rings for collecting statistics,\nthe driver subscribes to HAL_RX_MPDU_START TLV in the filter\nconfiguration. This TLV is received from the monitor destination ring, and\nkzalloc for the mon_mpdu object occurs, which is not freed, leading to a\nmemory leak. The kzalloc for the mon_mpdu object is only required while\nenabling the standalone monitor interface. This causes a memory leak while\nenabling extended statistics mode in the driver.\n\nFix this memory leak by removing the kzalloc for the mon_mpdu object in\nthe HAL_RX_MPDU_START TLV handling. Additionally, remove the standalone\nmonitor mode handlings in the HAL_MON_BUF_ADDR and HAL_RX_MSDU_END TLVs.\nThese TLV tags will be handled properly when enabling standalone monitor\nmode in the future.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_pci_remove()\n\nKmemleak reported this error:\n\n  unreferenced object 0xffff1c165cec3060 (size 32):\n    comm \"insmod\", pid 560, jiffies 4296964570 (age 235.596s)\n    backtrace:\n      [<000000005434db68>] __kmem_cache_alloc_node+0x1f4/0x2c0\n      [<000000001203b155>] kmalloc_trace+0x40/0x88\n      [<0000000028adc9c8>] _request_firmware+0xb8/0x608\n      [<00000000cad1aef7>] firmware_request_nowarn+0x50/0x80\n      [<000000005011a682>] local_pci_probe+0x48/0xd0\n      [<00000000077cd295>] pci_device_probe+0xb4/0x200\n      [<0000000087184c94>] really_probe+0x150/0x2c0\n\nThe firmware memory was allocated in ath12k_pci_probe(), but not\nfreed in ath12k_pci_remove() in case ATH12K_FLAG_QMI_FAIL bit is\nset. So call ath12k_fw_unmap() to free the memory.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.2.0-02280-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: hibernate: Avoid deadlock in hibernate_compressor_param_set()\n\nsyzbot reported a deadlock in lock_system_sleep() (see below).\n\nThe write operation to \"/sys/module/hibernate/parameters/compressor\"\nconflicts with the registration of ieee80211 device, resulting in a deadlock\nwhen attempting to acquire system_transition_mutex under param_lock.\n\nTo avoid this deadlock, change hibernate_compressor_param_set() to use\nmutex_trylock() for attempting to acquire system_transition_mutex and\nreturn -EBUSY when it fails.\n\nTask flags need not be saved or adjusted before calling\nmutex_trylock(&system_transition_mutex) because the caller is not going\nto end up waiting for this mutex and if it runs concurrently with system\nsuspend in progress, it will be frozen properly when it returns to user\nspace.\n\nsyzbot report:\n\nsyz-executor895/5833 is trying to acquire lock:\nffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56\n\nbut task is already holding lock:\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline]\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 (param_lock){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline]\n       rate_control_alloc net/mac80211/rate.c:266 [inline]\n       ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015\n       ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531\n       mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558\n       init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910\n       do_one_initcall+0x128/0x700 init/main.c:1257\n       do_initcall_level init/main.c:1319 [inline]\n       do_initcalls init/main.c:1335 [inline]\n       do_basic_setup init/main.c:1354 [inline]\n       kernel_init_freeable+0x5c7/0x900 init/main.c:1568\n       kernel_init+0x1c/0x2b0 init/main.c:1457\n       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148\n       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n-> #2 (rtnl_mutex){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       wg_pm_notification drivers/net/wireguard/device.c:80 [inline]\n       wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64\n       notifier_call_chain+0xb7/0x410 kernel/notifier.c:85\n       notifier_call_chain_robust kernel/notifier.c:120 [inline]\n       blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline]\n       blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333\n       pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102\n       snapshot_open+0x189/0x2b0 kernel/power/user.c:77\n       misc_open+0x35a/0x420 drivers/char/misc.c:179\n       chrdev_open+0x237/0x6a0 fs/char_dev.c:414\n       do_dentry_open+0x735/0x1c40 fs/open.c:956\n       vfs_open+0x82/0x3f0 fs/open.c:1086\n       do_open fs/namei.c:3830 [inline]\n       path_openat+0x1e88/0x2d80 fs/namei.c:3989\n       do_filp_open+0x20c/0x470 fs/namei.c:4016\n       do_sys_openat2+0x17a/0x1e0 fs/open.c:1428\n       do_sys_open fs/open.c:1443 [inline]\n       __do_sys_openat fs/open.c:1459 [inline]\n       __se_sys_openat fs/open.c:1454 [inline]\n       __x64_sys_openat+0x175/0x210 fs/open.c:1454\n       do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #1 ((pm_chain_head).rwsem){++++}-{4:4}:\n       down_read+0x9a/0x330 kernel/locking/rwsem.c:1524\n       blocking_notifier_call_chain_robust kerne\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/dwc_pcie: fix duplicate pci_dev devices\n\nDuring platform_device_register, wrongly using struct device\npci_dev as platform_data caused a kmemdup copy of pci_dev. Worse\nstill, accessing the duplicated device leads to list corruption as its\nmutex content (e.g., list, magic) remains the same as the original.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix hang while freeing sigtrap event\n\nPerf can hang while freeing a sigtrap event if a related deferred\nsignal hadn't managed to be sent before the file got closed:\n\nperf_event_overflow()\n   task_work_add(perf_pending_task)\n\nfput()\n   task_work_add(____fput())\n\ntask_work_run()\n    ____fput()\n        perf_release()\n            perf_event_release_kernel()\n                _free_event()\n                    perf_pending_task_sync()\n                        task_work_cancel() -> FAILED\n                        rcuwait_wait_event()\n\nOnce task_work_run() is running, the list of pending callbacks is\nremoved from the task_struct and from this point on task_work_cancel()\ncan't remove any pending and not yet started work items, hence the\ntask_work_cancel() failure and the hang on rcuwait_wait_event().\n\nTask work could be changed to remove one work at a time, so a work\nrunning on the current task can always cancel a pending one, however\nthe wait / wake design is still subject to inverted dependencies when\nremote targets are involved, as pictured by Oleg:\n\nT1                                                      T2\n\nfd = perf_event_open(pid => T2->pid);                  fd = perf_event_open(pid => T1->pid);\nclose(fd)                                              close(fd)\n    <IRQ>                                                  <IRQ>\n    perf_event_overflow()                                  perf_event_overflow()\n       task_work_add(perf_pending_task)                        task_work_add(perf_pending_task)\n    </IRQ>                                                 </IRQ>\n    fput()                                                 fput()\n        task_work_add(____fput())                              task_work_add(____fput())\n\n    task_work_run()                                        task_work_run()\n        ____fput()                                             ____fput()\n            perf_release()                                         perf_release()\n                perf_event_release_kernel()                            perf_event_release_kernel()\n                    _free_event()                                          _free_event()\n                        perf_pending_task_sync()                               perf_pending_task_sync()\n                            rcuwait_wait_event()                                   rcuwait_wait_event()\n\nTherefore the only option left is to acquire the event reference count\nupon queueing the perf task work and release it from the task work, just\nlike it was done before 3a5465418f5f (\"perf: Fix event leak upon exec and file release\")\nbut without the leaks it fixed.\n\nSome adjustments are necessary to make it work:\n\n* A child event might dereference its parent upon freeing. Care must be\n  taken to release the parent last.\n\n* Some places assuming the event doesn't have any reference held and\n  therefore can be freed right away must instead put the reference and\n  let the reference counting to its job.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group\n\nCurrently, mtk_iommu calls during probe iommu_device_register before\nthe hw_list from driver data is initialized. Since iommu probing issue\nfix, it leads to NULL pointer dereference in mtk_iommu_device_group when\nhw_list is accessed with list_first_entry (not null safe).\n\nSo, change the call order to ensure iommu_device_register is called\nafter the driver data are initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ppp: Add bound checking for skb data on ppp_sync_txmung\n\nEnsure we have enough data in linear buffer from skb before accessing\ninitial bytes. This prevents potential out-of-bounds accesses\nwhen processing short packets.\n\nWhen ppp_sync_txmung receives an incoming package with an empty\npayload:\n(remote) gef\u27a4  p *(struct pppoe_hdr *) (skb->head + skb->network_header)\n$18 = {\n\ttype = 0x1,\n\tver = 0x1,\n\tcode = 0x0,\n\tsid = 0x2,\n        length = 0x0,\n\ttag = 0xffff8880371cdb96\n}\n\nfrom the skb struct (trimmed)\n      tail = 0x16,\n      end = 0x140,\n      head = 0xffff88803346f400 \"4\",\n      data = 0xffff88803346f416 \":\\377\",\n      truesize = 0x380,\n      len = 0x0,\n      data_len = 0x0,\n      mac_len = 0xe,\n      hdr_len = 0x0,\n\nit is not safe to access data[2].\n\n[pabeni@redhat.com: fixed subj typo]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in decryption with multichannel\n\nAfter commit f7025d861694 (\"smb: client: allocate crypto only for\nprimary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in\nasync decryption\"), the channels started reusing AEAD TFM from primary\nchannel to perform synchronous decryption, but that can't done as\nthere could be multiple cifsd threads (one per channel) simultaneously\naccessing it to perform decryption.\n\nThis fixes the following KASAN splat when running fstest generic/249\nwith 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows\nServer 2022:\n\nBUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110\nRead of size 8 at addr ffff8881046c18a0 by task cifsd/986\nCPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1\nPREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n print_report+0x156/0x528\n ? gf128mul_4k_lle+0xba/0x110\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? gf128mul_4k_lle+0xba/0x110\n kasan_report+0xdf/0x1a0\n ? gf128mul_4k_lle+0xba/0x110\n gf128mul_4k_lle+0xba/0x110\n ghash_update+0x189/0x210\n shash_ahash_update+0x295/0x370\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_extract_iter_to_sg+0x10/0x10\n ? ___kmalloc_large_node+0x10e/0x180\n ? __asan_memset+0x23/0x50\n crypto_ahash_update+0x3c/0xc0\n gcm_hash_assoc_remain_continue+0x93/0xc0\n crypt_message+0xe09/0xec0 [cifs]\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? _raw_spin_unlock+0x23/0x40\n ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]\n decrypt_raw_data+0x229/0x380 [cifs]\n ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]\n smb3_receive_transform+0x837/0xc80 [cifs]\n ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]\n ? __pfx___might_resched+0x10/0x10\n ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]\n cifs_demultiplex_thread+0x692/0x1570 [cifs]\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? rcu_lockdep_current_cpu_online+0x62/0xb0\n ? find_held_lock+0x32/0x90\n ? kvm_sched_clock_read+0x11/0x20\n ? local_clock_noinstr+0xd/0xd0\n ? trace_irq_enable.constprop.0+0xa8/0xe0\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n kthread+0x1fe/0x380\n ? kthread+0x10f/0x380\n ? __pfx_kthread+0x10/0x10\n ? local_clock_noinstr+0xd/0xd0\n ? ret_from_fork+0x1b/0x60\n ? local_clock+0x15/0x30\n ? lock_release+0x29b/0x390\n ? rcu_is_watching+0x20/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Avoid running off the end of an AMD erratum table\n\nThe NULL array terminator at the end of erratum_1386_microcode was\nremoved during the switch from x86_cpu_desc to x86_cpu_id. This\ncauses readers to run off the end of the array.\n\nReplace the NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37751",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type 'struct sfq_head[128]'\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/huc: Fix fence not released on early probe errors\n\nHuC delayed loading fence, introduced with commit 27536e03271da\n(\"drm/i915/huc: track delayed HuC load with a fence\"), is registered with\nobject tracker early on driver probe but unregistered only from driver\nremove, which is not called on early probe errors.  Since its memory is\nallocated under devres, then released anyway, it may happen to be\nallocated again to the fence and reused on future driver probes, resulting\nin kernel warnings that taint the kernel:\n\n<4> [309.731371] ------------[ cut here ]------------\n<3> [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915]\n<4> [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0\n...\n<4> [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G     U             6.14.0-CI_DRM_16362-gf0fd77956987+ #1\n...\n<4> [309.731700] RIP: 0010:debug_print_object+0x93/0xf0\n...\n<4> [309.731728] Call Trace:\n<4> [309.731730]  <TASK>\n...\n<4> [309.731949]  __debug_object_init+0x17b/0x1c0\n<4> [309.731957]  debug_object_init+0x34/0x50\n<4> [309.732126]  __i915_sw_fence_init+0x34/0x60 [i915]\n<4> [309.732256]  intel_huc_init_early+0x4b/0x1d0 [i915]\n<4> [309.732468]  intel_uc_init_early+0x61/0x680 [i915]\n<4> [309.732667]  intel_gt_common_init_early+0x105/0x130 [i915]\n<4> [309.732804]  intel_root_gt_init_early+0x63/0x80 [i915]\n<4> [309.732938]  i915_driver_probe+0x1fa/0xeb0 [i915]\n<4> [309.733075]  i915_pci_probe+0xe6/0x220 [i915]\n<4> [309.733198]  local_pci_probe+0x44/0xb0\n<4> [309.733203]  pci_device_probe+0xf4/0x270\n<4> [309.733209]  really_probe+0xee/0x3c0\n<4> [309.733215]  __driver_probe_device+0x8c/0x180\n<4> [309.733219]  driver_probe_device+0x24/0xd0\n<4> [309.733223]  __driver_attach+0x10f/0x220\n<4> [309.733230]  bus_for_each_dev+0x7d/0xe0\n<4> [309.733236]  driver_attach+0x1e/0x30\n<4> [309.733239]  bus_add_driver+0x151/0x290\n<4> [309.733244]  driver_register+0x5e/0x130\n<4> [309.733247]  __pci_register_driver+0x7d/0x90\n<4> [309.733251]  i915_pci_register_driver+0x23/0x30 [i915]\n<4> [309.733413]  i915_init+0x34/0x120 [i915]\n<4> [309.733655]  do_one_initcall+0x62/0x3f0\n<4> [309.733667]  do_init_module+0x97/0x2a0\n<4> [309.733671]  load_module+0x25ff/0x2890\n<4> [309.733688]  init_module_from_file+0x97/0xe0\n<4> [309.733701]  idempotent_init_module+0x118/0x330\n<4> [309.733711]  __x64_sys_finit_module+0x77/0x100\n<4> [309.733715]  x64_sys_call+0x1f37/0x2650\n<4> [309.733719]  do_syscall_64+0x91/0x180\n<4> [309.733763]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<4> [309.733792]  </TASK>\n...\n<4> [309.733806] ---[ end trace 0000000000000000 ]---\n\nThat scenario is most easily reproducible with\nigt@i915_module_load@reload-with-fault-injection.\n\nFix the issue by moving the cleanup step to driver release path.\n\n(cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: handle page_pool_dev_alloc_pages error\n\npage_pool_dev_alloc_pages could return NULL. There was a WARN_ON(!page)\nbut it would still proceed to use the NULL pointer and then crash.\n\nThis is similar to commit 001ba0902046\n(\"net: fec: handle page_pool_dev_alloc_pages error\").\n\nThis is found by our static analysis tool KNighter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: explicitly disallow disconnect\n\nsyzbot discovered that it can disconnect a TLS socket and then\nrun into all sort of unexpected corner cases. I have a vague\nrecollection of Eric pointing this out to us a long time ago.\nSupporting disconnect is really hard, for one thing if offload\nis enabled we'd need to wait for all packets to be _acked_.\nDisconnect is not commonly used, disallow it.\n\nThe immediate problem syzbot run into is the warning in the strp,\nbut that's just the easiest bug to trigger:\n\n  WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486\n  Call Trace:\n   <TASK>\n   tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363\n   tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043\n   inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678\n   sock_recvmsg_nosec net/socket.c:1023 [inline]\n   sock_recvmsg+0x109/0x280 net/socket.c:1045\n   __sys_recvfrom+0x202/0x380 net/socket.c:2237",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix memory leak in tipc_link_xmit\n\nIn case the backlog transmit queue for system-importance messages is overloaded,\ntipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to\nmemory leak and failure when a skb is allocated.\n\nThis commit fixes this issue by purging the skb list before tipc_link_xmit()\nreturns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()\n\ndevm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does\nnot check for this case, which can result in a NULL pointer dereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix handling recovery & reissue in ublk_abort_queue()\n\nCommit 8284066946e6 (\"ublk: grab request reference when the request is handled\nby userspace\") doesn't grab request reference in case of recovery reissue.\nThen the request can be requeued & re-dispatch & failed when canceling\nuring command.\n\nIf it is one zc request, the request can be freed before io_uring\nreturns the zc buffer back, then cause kernel panic:\n\n[  126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[  126.773657] #PF: supervisor read access in kernel mode\n[  126.774052] #PF: error_code(0x0000) - not-present page\n[  126.774455] PGD 0 P4D 0\n[  126.774698] Oops: Oops: 0000 [#1] SMP NOPTI\n[  126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)\n[  126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n[  126.776275] Workqueue: iou_exit io_ring_exit_work\n[  126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]\n\nFixes it by always grabbing request reference for aborting the request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: add give_up_on_oom option on modify/merge, use in uffd release\n\nCurrently, if a VMA merge fails due to an OOM condition arising on commit\nmerge or a failure to duplicate anon_vma's, we report this so the caller\ncan handle it.\n\nHowever there are cases where the caller is only ostensibly trying a\nmerge, and doesn't mind if it fails due to this condition.\n\nSince we do not want to introduce an implicit assumption that we only\nactually modify VMAs after OOM conditions might arise, add a 'give up on\noom' option and make an explicit contract that, should this flag be set, we\nabsolutely will not modify any VMAs should OOM arise and just bail out.\n\nSince it'd be very unusual for a user to try to vma_modify() with this flag\nset but be specifying a range within a VMA which ends up being split (which\ncan fail due to rlimit issues, not only OOM), we add a debug warning for\nthis condition.\n\nThe motivating reason for this is uffd release - syzkaller (and Pedro\nFalcato's VERY astute analysis) found a way in which an injected fault on\nallocation, triggering an OOM condition on commit merge, would result in\nuffd code becoming confused and treating an error value as if it were a VMA\npointer.\n\nTo avoid this, we make use of this new VMG flag to ensure that this never\noccurs, utilising the fact that, should we be clearing entire VMAs, we do\nnot wish an OOM event to be reported to us.\n\nMany thanks to Pedro Falcato for his excellent analysis and Jann Horn for\nhis insightful and intelligent analysis of the situation, both of whom were\ninstrumental in this fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix an out-of-bounds shift when invalidating TLB\n\nWhen the size of the range invalidated is larger than\nrounddown_pow_of_two(ULONG_MAX),\nThe function macro roundup_pow_of_two(length) will hit an out-of-bounds\nshift [1].\n\nUse a full TLB invalidation for such cases.\nv2:\n- Use a define for the range size limit over which we use a full\n  TLB invalidation. (Lucas)\n- Use a better calculation of the limit.\n\n[1]:\n[   39.202421] ------------[ cut here ]------------\n[   39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n[   39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int'\n[   39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G     U             6.14.0+ #10\n[   39.202690] Tainted: [U]=USER\n[   39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023\n[   39.202691] Call Trace:\n[   39.202692]  <TASK>\n[   39.202695]  dump_stack_lvl+0x6e/0xa0\n[   39.202699]  ubsan_epilogue+0x5/0x30\n[   39.202701]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6\n[   39.202705]  xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe]\n[   39.202800]  ? find_held_lock+0x2b/0x80\n[   39.202803]  ? mark_held_locks+0x40/0x70\n[   39.202806]  xe_svm_invalidate+0x459/0x700 [xe]\n[   39.202897]  drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm]\n[   39.202900]  __mmu_notifier_release+0x1f5/0x270\n[   39.202905]  exit_mmap+0x40e/0x450\n[   39.202912]  __mmput+0x45/0x110\n[   39.202914]  exit_mm+0xc5/0x130\n[   39.202916]  do_exit+0x21c/0x500\n[   39.202918]  ? lockdep_hardirqs_on_prepare+0xdb/0x190\n[   39.202920]  do_group_exit+0x36/0xa0\n[   39.202922]  get_signal+0x8f8/0x900\n[   39.202926]  arch_do_signal_or_restart+0x35/0x100\n[   39.202930]  syscall_exit_to_user_mode+0x1fc/0x290\n[   39.202932]  do_syscall_64+0xa1/0x180\n[   39.202934]  ? 
do_user_addr_fault+0x59f/0x8a0\n[   39.202937]  ? lock_release+0xd2/0x2a0\n[   39.202939]  ? do_user_addr_fault+0x5a9/0x8a0\n[   39.202942]  ? trace_hardirqs_off+0x4b/0xc0\n[   39.202944]  ? clear_bhb_loop+0x25/0x80\n[   39.202946]  ? clear_bhb_loop+0x25/0x80\n[   39.202947]  ? clear_bhb_loop+0x25/0x80\n[   39.202950]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   39.202952] RIP: 0033:0x7fa945e543e1\n[   39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7.\n[   39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293\n[   39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3\n[   39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff\n[   39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0\n[   39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n[   39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000\n[   39.202970]  </TASK>\n[   39.202970] ---[ end trace ]---\n\n(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix missed dmabuf unpinning in error path of prepare_fb()\n\nCorrect error handling in prepare_fb() to fix leaking resources when\nerror happens.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: take paired job reference\n\nFor paired jobs, have the fragment job take a reference on the\ngeometry job, so that the geometry job cannot be freed until\nthe fragment job has finished with it.\n\nThe geometry job structure is accessed when the fragment job is being\nprepared by the GPU scheduler. Taking the reference prevents the\ngeometry job being freed until the fragment job no longer requires it.\n\nFixes a use after free bug detected by KASAN:\n\n[  124.256386] BUG: KASAN: slab-use-after-free in pvr_queue_prepare_job+0x108/0x868 [powervr]\n[  124.264893] Read of size 1 at addr ffff0000084cb960 by task kworker/u16:4/63",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: fix firmware memory leaks\n\nFree the memory used to hold the results of firmware image processing\nwhen the module is unloaded.\n\nFix the related issue of the same memory being leaked if processing\nof the firmware image fails during module load.\n\nEnsure all firmware GEM objects are destroyed if firmware image\nprocessing fails.\n\nFixes memory leaks on powervr module unload detected by Kmemleak:\n\nunreferenced object 0xffff000042e20000 (size 94208):\n  comm \"modprobe\", pid 470, jiffies 4295277154\n  hex dump (first 32 bytes):\n    02 ae 7f ed bf 45 84 00 3c 5b 1f ed 9f 45 45 05  .....E..<[...EE.\n    d5 4f 5d 14 6c 00 3d 23 30 d0 3a 4a 66 0e 48 c8  .O].l.=#0.:Jf.H.\n  backtrace (crc dd329dec):\n    kmemleak_alloc+0x30/0x40\n    ___kmalloc_large_node+0x140/0x188\n    __kmalloc_large_node_noprof+0x2c/0x13c\n    __kmalloc_noprof+0x48/0x4c0\n    pvr_fw_init+0xaa4/0x1f50 [powervr]\n\nunreferenced object 0xffff000042d20000 (size 20480):\n  comm \"modprobe\", pid 470, jiffies 4295277154\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 09 00 00 00 0b 00 00 00  ................\n    00 00 00 00 00 00 00 00 07 00 00 00 08 00 00 00  ................\n  backtrace (crc 395b02e3):\n    kmemleak_alloc+0x30/0x40\n    ___kmalloc_large_node+0x140/0x188\n    __kmalloc_large_node_noprof+0x2c/0x13c\n    __kmalloc_noprof+0x48/0x4c0\n    pvr_fw_init+0xb0c/0x1f50 [powervr]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix ttm_bo_delayed_delete oops\n\nFix an oops in ttm_bo_delayed_delete which results from dererencing a\ndangling pointer:\n\nOops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP\nCPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216\nHardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024\nWorkqueue: ttm ttm_bo_delayed_delete [ttm]\nRIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290\nCode: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b\nRSP: 0018:ffffbf9383473d60 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b\nR13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc\nFS:  0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __die_body.cold+0x19/0x26\n ? die_addr+0x3d/0x70\n ? exc_general_protection+0x159/0x460\n ? asm_exc_general_protection+0x27/0x30\n ? dma_resv_iter_first_unlocked+0x55/0x290\n dma_resv_wait_timeout+0x56/0x100\n ttm_bo_delayed_delete+0x69/0xb0 [ttm]\n process_one_work+0x217/0x5c0\n worker_thread+0x1c8/0x3d0\n ? apply_wqattrs_cleanup.part.0+0xc0/0xc0\n kthread+0x10b/0x240\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork+0x40/0x70\n ? 
kthreads_online_cpu+0x140/0x140\n ret_from_fork_asm+0x11/0x20\n </TASK>\n\nThe cause of this is:\n\n- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the\n  reference to the shared dma_buf. The reference count is 0, so the\n  dma_buf is destroyed, which in turn decrements the corresponding\n  amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -\n  calling drm_gem_object_release then dma_resv_fini (which destroys the\n  reservation object), then finally freeing the amdgpu_bo.\n\n- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory\n  formerly allocated to the amdgpu_bo.\n\n- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls\n  ttm_bo_release, which schedules ttm_bo_delayed_delete.\n\n- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,\n  resulting in a general protection fault.\n\nFix this by moving the drm_prime_gem_destroy call from\nnouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will\nbe run after ttm_bo_delayed_delete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm/smu11: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n(cherry picked from commit da7dc714a8f8e1c9fc33c57cd63583779a3bef71)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix workqueue crash in cma_netevent_work_handler\n\nstruct rdma_cm_id has member \"struct work_struct net_work\"\nthat is reused for enqueuing cma_netevent_work_handler()s\nonto cma_wq.\n\nBelow crash[1] can occur if more than one call to\ncma_netevent_callback() occurs in quick succession,\nwhich further enqueues cma_netevent_work_handler()s for the\nsame rdma_cm_id, overwriting any previously queued work-item(s)\nthat was just scheduled to run i.e. there is no guarantee\nthe queued work item may run between two successive calls\nto cma_netevent_callback() and the 2nd INIT_WORK would overwrite\nthe 1st work item (for the same rdma_cm_id), despite grabbing\nid_table_lock during enqueue.\n\nAlso drgn analysis [2] indicates the work item was likely overwritten.\n\nFix this by moving the INIT_WORK() to __rdma_create_id(),\nso that it doesn't race with any existing queue_work() or\nits worker thread.\n\n[1] Trimmed crash stack:\n=============================================\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nkworker/u256:6 ... 
6.12.0-0...\nWorkqueue:  cma_netevent_work_handler [rdma_cm] (rdma_cm)\nRIP: 0010:process_one_work+0xba/0x31a\nCall Trace:\n worker_thread+0x266/0x3a0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n=============================================\n\n[2] drgn crash analysis:\n\n>>> trace = prog.crashed_thread().stack_trace()\n>>> trace\n(0)  crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)\n(1)  __crash_kexec (kernel/crash_core.c:122:4)\n(2)  panic (kernel/panic.c:399:3)\n(3)  oops_end (arch/x86/kernel/dumpstack.c:382:3)\n...\n(8)  process_one_work (kernel/workqueue.c:3168:2)\n(9)  process_scheduled_works (kernel/workqueue.c:3310:3)\n(10) worker_thread (kernel/workqueue.c:3391:4)\n(11) kthread (kernel/kthread.c:389:9)\n\nLine workqueue.c:3168 for this kernel version is in process_one_work():\n3168\tstrscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);\n\n>>> trace[8][\"work\"]\n*(struct work_struct *)0xffff92577d0a21d8 = {\n\t.data = (atomic_long_t){\n\t\t.counter = (s64)536870912,    <=== Note\n\t},\n\t.entry = (struct list_head){\n\t\t.next = (struct list_head *)0xffff924d075924c0,\n\t\t.prev = (struct list_head *)0xffff924d075924c0,\n\t},\n\t.func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,\n}\n\nSuspicion is that pwq is NULL:\n>>> trace[8][\"pwq\"]\n(struct pool_workqueue *)<absent>\n\nIn process_one_work(), pwq is assigned from:\nstruct pool_workqueue *pwq = get_work_pwq(work);\n\nand get_work_pwq() is:\nstatic struct pool_workqueue *get_work_pwq(struct work_struct *work)\n{\n \tunsigned long data = atomic_long_read(&work->data);\n\n \tif (data & WORK_STRUCT_PWQ)\n \t\treturn work_struct_pwq(data);\n \telse\n \t\treturn NULL;\n}\n\nWORK_STRUCT_PWQ is 0x4:\n>>> print(repr(prog['WORK_STRUCT_PWQ']))\nObject(prog, 'enum work_flags', value=4)\n\nBut work->data is 536870912 which is 0x20000000.\nSo, get_work_pwq() returns NULL and we crash in process_one_work():\n3168\tstrscpy(worker->desc, pwq->wq->name, 
WORKER_DESC_LEN);\n=============================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: add filesystem context source name check\n\nIn certain scenarios, for example, during fuzz testing, the source\nname may be NULL, which could lead to a kernel panic. Therefore, an\nextra check for the source name should be added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: ensure slab->obj_exts is clear in a newly allocated slab page\n\nktest recently reported crashes while running several buffered io tests\nwith __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.\nThe signature indicates an invalid address dereference with low bits of\nslab->obj_exts being set. The bits were outside of the range used by\npage_memcg_data_flags and objext_flags and hence were not masked out\nby slab_obj_exts() when obtaining the pointer stored in slab->obj_exts.\nThe typical crash log looks like this:\n\n00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n00510 Mem abort info:\n00510   ESR = 0x0000000096000045\n00510   EC = 0x25: DABT (current EL), IL = 32 bits\n00510   SET = 0, FnV = 0\n00510   EA = 0, S1PTW = 0\n00510   FSC = 0x05: level 1 translation fault\n00510 Data abort info:\n00510   ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000\n00510   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n00510   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000\n00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n00510 Internal error: Oops: 0000000096000045 [#1]  SMP\n00510 Modules linked in:\n00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE\n00510 Hardware name: linux,dummy-virt (DT)\n00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190\n00510 lr : __kmalloc_noprof+0x150/0x310\n00510 sp : ffffff80c87df6c0\n00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200\n00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001\n00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180\n00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000\n00510 x17: 
fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700\n00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006\n00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58\n00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556\n00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060\n00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000\n00510 Call trace:\n00510  __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)\n00510  __kmalloc_noprof+0x150/0x310\n00510  __bch2_folio_create+0x5c/0xf8\n00510  bch2_folio_create+0x2c/0x40\n00510  bch2_readahead+0xc0/0x460\n00510  read_pages+0x7c/0x230\n00510  page_cache_ra_order+0x244/0x3a8\n00510  page_cache_async_ra+0x124/0x170\n00510  filemap_readahead.isra.0+0x58/0xa0\n00510  filemap_get_pages+0x454/0x7b0\n00510  filemap_read+0xdc/0x418\n00510  bch2_read_iter+0x100/0x1b0\n00510  vfs_read+0x214/0x300\n00510  ksys_read+0x6c/0x108\n00510  __arm64_sys_read+0x20/0x30\n00510  invoke_syscall.constprop.0+0x54/0xe8\n00510  do_el0_svc+0x44/0xc8\n00510  el0_svc+0x18/0x58\n00510  el0t_64_sync_handler+0x104/0x130\n00510  el0t_64_sync+0x154/0x158\n00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)\n00510 ---[ end trace 0000000000000000 ]---\n00510 Kernel panic - not syncing: Oops: Fatal exception\n00510 SMP: stopping secondary CPUs\n00510 Kernel Offset: disabled\n00510 CPU features: 0x0000,000000e0,00000410,8240500b\n00510 Memory Limit: none\n\nInvestigation indicates that these bits are already set when we allocate\nslab page and are not zeroed out after allocation. We are not yet sure\nwhy these crashes start happening only recently but regardless of the\nreason, not initializing a field that gets used later is wrong. Fix it\nby initializing slab->obj_exts during slab page allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix the warning from __kernel_write_iter\n\n[ 2110.972290] ------------[ cut here ]------------\n[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280\n\nThis patch doesn't allow writing to directory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb_break_all_levII_oplock()\n\nThere is a room in smb_break_all_levII_oplock that can cause racy issues\nwhen unlocking in the middle of the loop. This patch use read lock\nto protect whole loop.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in __smb2_lease_break_noti()\n\nMove tcp_transport free to ksmbd_conn_free. If ksmbd connection is\nreferenced when ksmbd server thread terminates, It will not be freed,\nbut conn->tcp_transport is freed. __smb2_lease_break_noti can be performed\nasynchronously when the connection is disconnected. __smb2_lease_break_noti\ncalls ksmbd_conn_write, which can cause use-after-free\nwhen conn->ksmbd_transport is already freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix dangling pointer in krb_authenticate\n\nkrb_authenticate frees sess->user and does not set the pointer\nto NULL. It calls ksmbd_krb5_authenticate to reinitialise\nsess->user but that function may return without doing so. If\nthat happens then smb2_sess_setup, which calls krb_authenticate,\nwill be accessing free'd memory when it later uses sess->user.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/iov_iter: fix to increase non slab folio refcount\n\nWhen testing EROFS file-backed mount over v9fs on qemu, I encountered a\nfolio UAF issue.  The page sanity check reports the following call trace. \nThe root cause is that pages in bvec are coalesced across a folio bounary.\nThe refcount of all non-slab folios should be increased to ensure\np9_releas_pages can put them correctly.\n\nBUG: Bad page state in process md5sum  pfn:18300\npage: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300\nhead: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\naops:z_erofs_aops ino:30b0f dentry name(?):\"GoogleExtServicesCn.apk\"\nflags: 0x100000000000041(locked|head|node=0|zone=1)\nraw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0\nraw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000\nhead: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0\nhead: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000\nhead: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000\nhead: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\nCall Trace:\n dump_stack_lvl+0x53/0x70\n bad_page+0xd4/0x220\n __free_pages_ok+0x76d/0xf30\n __folio_put+0x230/0x320\n p9_release_pages+0x179/0x1f0\n p9_virtio_zc_request+0xa2a/0x1230\n p9_client_zc_rpc.constprop.0+0x247/0x700\n p9_client_read_once+0x34d/0x810\n p9_client_read+0xf3/0x150\n v9fs_issue_read+0x111/0x360\n netfs_unbuffered_read_iter_locked+0x927/0x1390\n netfs_unbuffered_read_iter+0xa2/0xe0\n vfs_iocb_iter_read+0x2c7/0x460\n erofs_fileio_rq_submit+0x46b/0x5b0\n z_erofs_runqueue+0x1203/0x21e0\n z_erofs_readahead+0x579/0x8b0\n read_pages+0x19f/0xa70\n page_cache_ra_order+0x4ad/0xb80\n filemap_readahead.isra.0+0xe7/0x150\n filemap_get_pages+0x7aa/0x1890\n 
filemap_read+0x320/0xc80\n vfs_read+0x6c6/0xa30\n ksys_read+0xf9/0x1c0\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x71/0x79",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: Prevent the use of too small fid\n\nsyzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]\n\nThe handle_bytes value passed in by the reproducing program is equal to 12.\nIn handle_to_path(), only 12 bytes of memory are allocated for the structure\nfile_handle->f_handle member, which causes an out-of-bounds access when\naccessing the member parent_block of the structure isofs_fid in isofs,\nbecause accessing parent_block requires at least 16 bytes of f_handle.\nHere, fh_len is used to indirectly confirm that the value of handle_bytes\nis greater than 3 before accessing parent_block.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\nRead of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466\nCPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x198/0x550 mm/kasan/report.c:521\n kasan_report+0xd8/0x138 mm/kasan/report.c:634\n __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380\n isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\n exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523\n do_handle_to_path+0xa0/0x198 fs/fhandle.c:257\n handle_to_path fs/fhandle.c:385 [inline]\n do_handle_open+0x8cc/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 6466:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306\n kmalloc_noprof include/linux/slab.h:905 [inline]\n handle_to_path fs/fhandle.c:357 [inline]\n do_handle_open+0x5a4/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cros-ec-tunnel: defer probe if parent EC is not present\n\nWhen i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent\ndevice will not be found, leading to NULL pointer dereference.\n\nThat can also be reproduced by unbinding the controller driver and then\nloading i2c-cros-ec-tunnel module (or binding the device).\n\n[  271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[  271.998215] #PF: supervisor read access in kernel mode\n[  272.003351] #PF: error_code(0x0000) - not-present page\n[  272.008485] PGD 0 P4D 0\n[  272.011022] Oops: Oops: 0000 [#1] SMP NOPTI\n[  272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S                  6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full)  3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5\n[  272.030312] Tainted: [S]=CPU_OUT_OF_SPEC\n[  272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021\n[  272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]\n[  272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9\n[  272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282\n[  272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000\n[  272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00\n[  272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000\n[  272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000\n[  272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10\n[  272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000\n[  272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0\n[  272.129155] Call Trace:\n[  272.131606]  <TASK>\n[  272.133709]  ? acpi_dev_pm_attach+0xdd/0x110\n[  272.137985]  platform_probe+0x69/0xa0\n[  272.141652]  really_probe+0x152/0x310\n[  272.145318]  __driver_probe_device+0x77/0x110\n[  272.149678]  driver_probe_device+0x1e/0x190\n[  272.153864]  __driver_attach+0x10b/0x1e0\n[  272.157790]  ? driver_attach+0x20/0x20\n[  272.161542]  bus_for_each_dev+0x107/0x150\n[  272.165553]  bus_add_driver+0x15d/0x270\n[  272.169392]  driver_register+0x65/0x110\n[  272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]\n[  272.182617]  do_one_initcall+0x110/0x350\n[  272.186543]  ? security_kernfs_init_security+0x49/0xd0\n[  272.191682]  ? __kernfs_new_node+0x1b9/0x240\n[  272.195954]  ? security_kernfs_init_security+0x49/0xd0\n[  272.201093]  ? __kernfs_new_node+0x1b9/0x240\n[  272.205365]  ? kernfs_link_sibling+0x105/0x130\n[  272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0\n[  272.214773]  ? kernfs_activate+0x57/0x70\n[  272.218699]  ? kernfs_add_one+0x118/0x160\n[  272.222710]  ? __kernfs_create_file+0x71/0xa0\n[  272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110\n[  272.232033]  ? internal_create_group+0x453/0x4a0\n[  272.236651]  ? __vunmap_range_noflush+0x214/0x2d0\n[  272.241355]  ? __free_frozen_pages+0x1dc/0x420\n[  272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0\n[  272.250505]  ? load_module+0x1509/0x16f0\n[  272.254431]  do_init_module+0x60/0x230\n[  272.258181]  __se_sys_finit_module+0x27a/0x370\n[  272.262627]  do_syscall_64+0x6a/0xf0\n[  272.266206]  ? do_syscall_64+0x76/0xf0\n[  272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90\n[  272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[  272.279887] RIP: 0033:0x7b9309168d39\n[  272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8\n[  272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check\n\nThe function dpu_plane_virtual_atomic_check was dereferencing pointers\nreturned by drm_atomic_get_plane_state without checking for errors. This\ncould lead to undefined behavior if the function returns an error pointer.\n\nThis commit adds checks using IS_ERR to ensure that plane_state is\nvalid before dereferencing them.\n\nSimilar to commit da29abe71e16\n(\"drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed\").\n\nPatchwork: https://patchwork.freedesktop.org/patch/643132/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icss-iep: Fix possible NULL pointer dereference for perout request\n\nThe ICSS IEP driver tracks perout and pps enable state with flags.\nCurrently, disabling pps and perout signals during icss_iep_exit()\nresults in a NULL pointer dereference for perout.\n\nTo fix the null pointer dereference issue, the icss_iep_perout_enable_hw\nfunction can be modified to directly clear the IEP CMP registers when\ndisabling PPS or PEROUT, without referencing the ptp_perout_request\nstructure, as its contents are irrelevant in this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with a directory which contains a '.' dir\nentry with rec_len == block size results in an out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least '.'\nand '..' as directory entries in the first data block. It first loads\nthe '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of '..' dir\nentry (in ext4_next_entry). It assumes the '..' dir entry fits into the\nsame data block.\n\nIf the rec_len of '.' is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" pointing exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for '.' dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[   38.595158]\n[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   38.595304] Call Trace:\n[   38.595308]  <TASK>\n[   38.595311]  dump_stack_lvl+0xa7/0xd0\n[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0\n[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595349]  print_report+0xaa/0x250\n[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595368]  ? kasan_addr_to_slab+0x9/0x90\n[   38.595378]  kasan_report+0xab/0xe0\n[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710\n[   38.595400]  __ext4_check_dir_entry+0x67e/0x710\n[   38.595410]  ext4_empty_dir+0x465/0x990\n[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10\n[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10\n[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0\n[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10\n[   38.595478]  ? down_write+0xdb/0x140\n[   38.595487]  ? __pfx_down_write+0x10/0x10\n[   38.595497]  ext4_rmdir+0xee/0x140\n[   38.595506]  vfs_rmdir+0x209/0x670\n[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190\n[   38.595529]  do_rmdir+0x363/0x3c0\n[   38.595537]  ? __pfx_do_rmdir+0x10/0x10\n[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0\n[   38.595561]  __x64_sys_unlinkat+0xf0/0x130\n[   38.595570]  do_syscall_64+0x5b/0x180\n[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: free routing table on probe failure\n\nIf complete = true in dsa_tree_setup(), it means that we are the last\nswitch of the tree which is successfully probing, and we should be\nsetting up all switches from our probe path.\n\nAfter \"complete\" becomes true, dsa_tree_setup_cpu_ports() or any\nsubsequent function may fail. If that happens, the entire tree setup is\nin limbo: the first N-1 switches have successfully finished probing\n(doing nothing but having allocated persistent memory in the tree's\ndst->ports, and maybe dst->rtable), and switch N failed to probe, ending\nthe tree setup process before anything is tangible from the user's PoV.\n\nIf switch N fails to probe, its memory (ports) will be freed and removed\nfrom dst->ports. However, the dst->rtable elements pointing to its ports,\nas created by dsa_link_touch(), will remain there, and will lead to\nuse-after-free if dereferenced.\n\nIf dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely\npossible because that is where ds->ops->setup() is, we get a kasan\nreport like this:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568\nRead of size 8 at addr ffff000004f56020 by task kworker/u8:3/42\n\nCall trace:\n __asan_report_load8_noabort+0x20/0x30\n mv88e6xxx_setup_upstream_port+0x240/0x568\n mv88e6xxx_setup+0xebc/0x1eb0\n dsa_register_switch+0x1af4/0x2ae0\n mv88e6xxx_register_switch+0x1b8/0x2a8\n mv88e6xxx_probe+0xc4c/0xf60\n mdio_probe+0x78/0xb8\n really_probe+0x2b8/0x5a8\n __driver_probe_device+0x164/0x298\n driver_probe_device+0x78/0x258\n __device_attach_driver+0x274/0x350\n\nAllocated by task 42:\n __kasan_kmalloc+0x84/0xa0\n __kmalloc_cache_noprof+0x298/0x490\n dsa_switch_touch_ports+0x174/0x3d8\n dsa_register_switch+0x800/0x2ae0\n mv88e6xxx_register_switch+0x1b8/0x2a8\n mv88e6xxx_probe+0xc4c/0xf60\n mdio_probe+0x78/0xb8\n really_probe+0x2b8/0x5a8\n __driver_probe_device+0x164/0x298\n driver_probe_device+0x78/0x258\n __device_attach_driver+0x274/0x350\n\nFreed by task 42:\n __kasan_slab_free+0x48/0x68\n kfree+0x138/0x418\n dsa_register_switch+0x2694/0x2ae0\n mv88e6xxx_register_switch+0x1b8/0x2a8\n mv88e6xxx_probe+0xc4c/0xf60\n mdio_probe+0x78/0xb8\n really_probe+0x2b8/0x5a8\n __driver_probe_device+0x164/0x298\n driver_probe_device+0x78/0x258\n __device_attach_driver+0x274/0x350\n\nThe simplest way to fix the bug is to delete the routing table in its\nentirety. dsa_tree_setup_routing_table() has no problem in regenerating\nit even if we deleted links between ports other than those of switch N,\nbecause dsa_link_touch() first checks whether the port pair already\nexists in dst->rtable, allocating if not.\n\nThe deletion of the routing table in its entirety already exists in\ndsa_tree_teardown(), so refactor that into a function that can also be\ncalled from the tree setup error path.\n\nIn my analysis of the commit to blame, it is the one which added\ndsa_link elements to dst->rtable. Prior to that, each switch had its own\nds->rtable which is freed when the switch fails to probe. But the tree\nis potentially persistent memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered\n\nRussell King reports that a system with mv88e6xxx dereferences a NULL\npointer when unbinding this driver:\nhttps://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/\n\nThe crash seems to be in devlink_region_destroy(), which is not NULL\ntolerant but is given a NULL devlink global region pointer.\n\nAt least on some chips, some devlink regions are conditionally registered\nsince the blamed commit, see mv88e6xxx_setup_devlink_regions_global():\n\n\t\tif (cond && !cond(chip))\n\t\t\tcontinue;\n\nThese are MV88E6XXX_REGION_STU and MV88E6XXX_REGION_PVT. If the chip\ndoes not have an STU or PVT, it should crash like this.\n\nTo fix the issue, avoid unregistering those regions which are NULL, i.e.\nwere skipped at mv88e6xxx_setup_devlink_regions_global() time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path\n\nIn the for loop used to allocate the loc_array and bmap for each port, a\nmemory leak is possible when the allocation for loc_array succeeds,\nbut the allocation for bmap fails. This is because when the control flow\ngoes to the label free_eth_finfo, only the allocations starting from\n(i-1)th iteration are freed.\n\nFix that by freeing the loc_array in the bmap allocation error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix nested key length validation in the set() action\n\nIt's not safe to access nla_len(ovs_key) if the data is smaller than\nthe netlink header.  Check that the attribute is OK first.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Set SOCK_RCU_FREE\n\nBind lookup runs under RCU, so ensure that a socket doesn't go away in\nthe middle of a lookup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()\n\nrpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct\nsize of rpl is sizeof(*rpl) which should be just 1 byte.  Using the\npointer size instead can cause stack corruption:\n\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100\nCPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G           OE      6.11.0 #24\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: Dell Inc. PowerEdge R760/04GWWM, BIOS 1.6.6 09/20/2023\nWorkqueue: events module_flash_fw_work\nCall Trace:\n <TASK>\n panic+0x339/0x360\n ? ethtool_cmis_wait_for_cond+0xf4/0x100\n ? __pfx_status_success+0x10/0x10\n ? __pfx_status_fail+0x10/0x10\n __stack_chk_fail+0x10/0x10\n ethtool_cmis_wait_for_cond+0xf4/0x100\n ethtool_cmis_cdb_execute_cmd+0x1fc/0x330\n ? __pfx_status_fail+0x10/0x10\n cmis_cdb_module_features_get+0x6d/0xd0\n ethtool_cmis_cdb_init+0x8a/0xd0\n ethtool_cmis_fw_update+0x46/0x1d0\n module_flash_fw_work+0x17/0xa0\n process_one_work+0x179/0x390\n worker_thread+0x239/0x340\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btrtl: Prevent potential NULL dereference\n\nThe btrtl_initialize() function checks that rtl_load_file() either\nhad an error or it loaded a zero length file.  However, if it loaded\na zero length file then the error code is not set correctly.  It\nresults in an error pointer vs NULL bug, followed by a NULL pointer\ndereference.  This was detected by Smatch:\n\ndrivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\navs_component_probe() does not check for this case, which results in a\nNULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Purge vif txq in ieee80211_do_stop()\n\nAfter ieee80211_do_stop() SKB from vif's txq could still be processed.\nIndeed another concurrent vif schedule_and_wake_txq call could cause\nthose packets to be dequeued (see ieee80211_handle_wake_tx_queue())\nwithout checking the sdata current state.\n\nBecause vif.drv_priv is now cleared in this function, this could lead to\ndriver crash.\n\nFor example in ath12k, ahvif is stored in vif.drv_priv. Thus if\nath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be\nNULL, leading the ath12k_warn(ahvif->ah,...) call in this function to\ntrigger the NULL deref below.\n\n  Unable to handle kernel paging request at virtual address dfffffc000000001\n  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n  batman_adv: bat0: Interface deactivated: brbh1337\n  Mem abort info:\n    ESR = 0x0000000096000004\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  [dfffffc000000001] address between user and kernel address ranges\n  Internal error: Oops: 0000000096000004 [#1] SMP\n  CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114\n  Hardware name: HW (DT)\n  pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]\n  lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]\n  sp : ffffffc086ace450\n  x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4\n  x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e\n  x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0\n  x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958\n  x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8\n  x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03\n  x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40\n  x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0\n  x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001\n  x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008\n  Call trace:\n   ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)\n   ieee80211_handle_wake_tx_queue+0x16c/0x260\n   ieee80211_queue_skb+0xeec/0x1d20\n   ieee80211_tx+0x200/0x2c8\n   ieee80211_xmit+0x22c/0x338\n   __ieee80211_subif_start_xmit+0x7e8/0xc60\n   ieee80211_subif_start_xmit+0xc4/0xee0\n   __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0\n   ieee80211_subif_start_xmit_8023+0x124/0x488\n   dev_hard_start_xmit+0x160/0x5a8\n   __dev_queue_xmit+0x6f8/0x3120\n   br_dev_queue_push_xmit+0x120/0x4a8\n   __br_forward+0xe4/0x2b0\n   deliver_clone+0x5c/0xd0\n   br_flood+0x398/0x580\n   br_dev_xmit+0x454/0x9f8\n   dev_hard_start_xmit+0x160/0x5a8\n   __dev_queue_xmit+0x6f8/0x3120\n   ip6_finish_output2+0xc28/0x1b60\n   __ip6_finish_output+0x38c/0x638\n   ip6_output+0x1b4/0x338\n   ip6_local_out+0x7c/0xa8\n   ip6_send_skb+0x7c/0x1b0\n   ip6_push_pending_frames+0x94/0xd0\n   rawv6_sendmsg+0x1a98/0x2898\n   inet_sendmsg+0x94/0xe0\n   __sys_sendto+0x1e4/0x308\n   __arm64_sys_sendto+0xc4/0x140\n   do_el0_svc+0x110/0x280\n   el0_svc+0x20/0x60\n   el0t_64_sync_handler+0x104/0x138\n   el0t_64_sync+0x154/0x158\n\nTo avoid that, empty vif's txq at ieee80211_do_stop() so no packet could\nbe dequeued after ieee80211_do_stop() (new packets cannot be queued\nbecause SDATA_STATE_RUNNING is cleared at this point).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: at76c50x: fix use after free access in at76_disconnect\n\nThe memory pointed to by priv is freed at the end of at76_delete_device\nfunction (using ieee80211_free_hw). But the code then accesses the udev\nfield of the freed object to put the USB device. This may also lead to a\nmemory leak of the usb device. Fix this by using udev from interface.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn't emptied.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncodel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()\n\nAfter making all ->qlen_notify() callbacks idempotent, now it is safe to\nremove the check of qlen!=0 from both fq_codel_dequeue() and\ncodel_qdisc_dequeue().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp\n\nvmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that\nis, packet sizes between 128 - 3k bytes).\n\nWe noticed MTU-related connectivity issues with Cilium's service load-\nbalancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP\nbackend service where the XDP LB was doing IPIP encap led to overly large\npacket sizes but only for *some* of the packets (e.g. HTTP GET request)\nwhile others (e.g. the prior TCP 3WHS) looked completely fine on the wire.\n\nIn fact, the pcap recording on the backend node actually revealed that the\nnode with the XDP LB was leaking uninitialized kernel data onto the wire\nfor the affected packets, for example, while the packets should have been\n152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes\nwas padded with whatever other data was in that page at the time (e.g. we\nsaw user/payload data from prior processed packets).\n\nWe only noticed this through an MTU issue, e.g. when the XDP LB node and\nthe backend node both had the same MTU (e.g. 1500) then the curl request\ngot dropped on the backend node's NIC given the packet was too large even\nthough the IPIP-encapped packet normally would never even come close to\nthe MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let\nthe curl request succeed (which also indicates that the kernel ignored the\npadding, and thus the issue wasn't very user-visible).\n\nCommit e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") was too eager\nto also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs\nto stick to rcd->len which is the actual packet length from the descriptor.\nThe latter we also feed into vmxnet3_process_xdp_small(), by the way, and\nit indicates the correct length needed to initialize the xdp->{data,data_end}\nparts. For e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") the\nrelevant part was adapting xdp_init_buff() to address the warning given the\nxdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on\nthe wire looks good again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37799",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential NULL pointer dereference in dev_uevent()\n\nIf userspace reads \"uevent\" device attribute at the same time as another\nthreads unbinds the device from its driver, change to dev->driver from a\nvalid pointer to NULL may result in crash. Fix this by using READ_ONCE()\nwhen fetching the pointer, and take bus' drivers klist lock to make sure\ndriver instance will not disappear while we access it.\n\nUse WRITE_ONCE() when setting the driver pointer to ensure there is no\ntearing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-imx: Add check for spi_imx_setupxfer()\n\nAdd check for the return value of spi_imx_setupxfer().\nspi_imx->rx and spi_imx->tx function pointer can be NULL when\nspi_imx_setupxfer() return error, and make NULL pointer dereference.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n  0x0\n  spi_imx_pio_transfer+0x50/0xd8\n  spi_imx_transfer_one+0x18c/0x858\n  spi_transfer_one_message+0x43c/0x790\n  __spi_pump_transfer_message+0x238/0x5d4\n  __spi_sync+0x2b0/0x454\n  spi_write_then_read+0x11c/0x200",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix WARNING \"do not call blocking ops when !TASK_RUNNING\"\n\nwait_event_timeout() will set the state of the current\ntask to TASK_UNINTERRUPTIBLE, before doing the condition check. This\nmeans that ksmbd_durable_scavenger_alive() will try to acquire the mutex\nwhile already in a sleeping state. The scheduler warns us by giving\nthe following warning:\n\ndo not call blocking ops when !TASK_RUNNING; state=2 set at\n [<0000000061515a6f>] prepare_to_wait_event+0x9f/0x6c0\nWARNING: CPU: 2 PID: 4147 at kernel/sched/core.c:10099 __might_sleep+0x12f/0x160\n\nmutex lock is not needed in ksmbd_durable_scavenger_alive().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: fix a buf size overflow issue during udmabuf creation\n\nby casting size_limit_mb to u64  when calculate pglimit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsound/virtio: Fix cancel_sync warnings on uninitialized work_structs\n\nBetty reported hitting the following warning:\n\n[    8.709131][  T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182\n...\n[    8.713282][  T221] Call trace:\n[    8.713365][  T221]  __flush_work+0x8d0/0x914\n[    8.713468][  T221]  __cancel_work_sync+0xac/0xfc\n[    8.713570][  T221]  cancel_work_sync+0x24/0x34\n[    8.713667][  T221]  virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276]\n[    8.713868][  T221]  virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276]\n[    8.714035][  T221]  virtio_dev_probe+0x28c/0x390\n[    8.714139][  T221]  really_probe+0x1bc/0x4c8\n...\n\nIt seems we're hitting the error path in virtsnd_probe(), which\ntriggers a virtsnd_remove() which iterates over the substreams\ncalling cancel_work_sync() on the elapsed_period work_struct.\n\nLooking at the code, from earlier in:\nvirtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg()\n\nWe set snd->nsubstreams, allocate the snd->substreams, and if\nwe then hit an error on the info allocation or something in\nvirtsnd_ctl_query_info() fails, we will exit without having\ninitialized the elapsed_period work_struct.\n\nWhen that error path unwinds we then call virtsnd_remove()\nwhich as long as the substreams array is allocated, will iterate\nthrough calling cancel_work_sync() on the uninitialized work\nstruct hitting this warning.\n\nTakashi Iwai suggested this fix, which initializes the substreams\nstructure right after allocation, so that if we hit the error\npaths we avoid trying to cleanup uninitialized data.\n\nNote: I have not yet managed to reproduce the issue myself, so\nthis patch has had limited testing.\n\nFeedback or thoughts would be appreciated!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Keep write operations atomic\n\nsyzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]\n\nBefore the write operation is completed, the user executes ioctl[2] to clear\nthe compress flag of the file, which causes the is_compressed() judgment to\nreturn 0, further causing the program to enter the wrong process and call the\nwrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of\nwrite_begin.\n\nUse inode lock to synchronize ioctl and write to avoid this case.\n\n[1]\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000086000006\n  EC = 0x21: IABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000\n[0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000\nInternal error: Oops: 0000000086000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : 0x0\nlr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055\nsp : ffff80009d4978a0\nx29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8\nx26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68\nx23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000\nx20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c\nx17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001\nx14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0\nx11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000\nx2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0\nCall trace:\n 0x0 (P)\n __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156\n ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0x920/0xcf4 fs/read_write.c:679\n ksys_write+0x15c/0x26c fs/read_write.c:731\n __do_sys_write fs/read_write.c:742 [inline]\n __se_sys_write fs/read_write.c:739 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n\n[2]\nioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000000c0)=0x20)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kmemleak warning for percpu hashmap\n\nVlad Poenaru reported the following kmemleak issue:\n\n  unreferenced object 0x606fd7c44ac8 (size 32):\n    backtrace (crc 0):\n      pcpu_alloc_noprof+0x730/0xeb0\n      bpf_map_alloc_percpu+0x69/0xc0\n      prealloc_init+0x9d/0x1b0\n      htab_map_alloc+0x363/0x510\n      map_create+0x215/0x3a0\n      __sys_bpf+0x16b/0x3e0\n      __x64_sys_bpf+0x18/0x20\n      do_syscall_64+0x7b/0x150\n      entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFurther investigation shows the reason is due to not 8-byte aligned\nstore of percpu pointer in htab_elem_set_ptr():\n  *(void __percpu **)(l->key + key_size) = pptr;\n\nNote that the whole htab_elem alignment is 8 (for x86_64). If the key_size\nis 4, that means pptr is stored in a location which is 4 byte aligned but\nnot 8 byte aligned. In mm/kmemleak.c, scan_block() scans the memory based\non 8 byte stride, so it won't detect above pptr, hence reporting the memory\nleak.\n\nIn htab_map_alloc(), we already have\n\n        htab->elem_size = sizeof(struct htab_elem) +\n                          round_up(htab->map.key_size, 8);\n        if (percpu)\n                htab->elem_size += sizeof(void *);\n        else\n                htab->elem_size += round_up(htab->map.value_size, 8);\n\nSo storing pptr with 8-byte alignment won't cause any problem and can fix\nkmemleak too.\n\nThe issue can be reproduced with bpf selftest as well:\n  1. Enable CONFIG_DEBUG_KMEMLEAK config\n  2. Add a getchar() before skel destroy in test_hash_map() in prog_tests/for_each.c.\n     The purpose is to keep map available so kmemleak can be detected.\n  3. run './test_progs -t for_each/hash_map &' and a kmemleak should be reported.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: null - Use spin lock instead of mutex\n\nAs the null algorithm may be freed in softirq context through\naf_alg, use spin locks instead of mutexes to protect the default\nnull algorithm.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: class: Fix NULL pointer access\n\nConcurrent calls to typec_partner_unlink_device can lead to a NULL pointer\ndereference. This patch adds a mutex to protect USB device pointers and\nprevent this issue. The same mutex protects both the device pointers and\nthe partner device registration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: check that event count does not exceed event buffer length\n\nThe event count is read from register DWC3_GEVNTCOUNT.\nThere is a check for the count being zero, but not for exceeding the\nevent buffer length.\nCheck that event count does not exceed event buffer length,\navoiding an out-of-bounds access when memcpy'ing the event.\nCrash log:\nUnable to handle kernel paging request at virtual address ffffffc0129be000\npc : __memcpy+0x114/0x180\nlr : dwc3_check_event_buf+0xec/0x348\nx3 : 0000000000000030 x2 : 000000000000dfc4\nx1 : ffffffc0129be000 x0 : ffffff87aad60080\nCall trace:\n__memcpy+0x114/0x180\ndwc3_interrupt+0x24/0x34",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: ci_hdrc_imx: fix usbmisc handling\n\nusbmisc is an optional device property so it is totally valid for the\ncorresponding data->usbmisc_data to have a NULL value.\n\nCheck that before dereferencing the pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: Fix deadlock when using NCM gadget\n\nThe cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit\n58f2fcb3a845 (\"usb: cdnsp: Fix deadlock issue during using NCM gadget\").\n\nUnder PREEMPT_RT the deadlock can be readily triggered by heavy network\ntraffic, for example using \"iperf --bidir\" over NCM ethernet link.\n\nThe deadlock occurs because the threaded interrupt handler gets\npreempted by a softirq, but both are protected by the same spinlock.\nPrevent deadlock by disabling softirq during threaded irq handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix invalid pointer dereference in Etron workaround\n\nThis check is performed before prepare_transfer() and prepare_ring(), so\nenqueue can already point at the final link TRB of a segment. And indeed\nit will, some 0.4% of times this code is called.\n\nThen enqueue + 1 is an invalid pointer. It will crash the kernel right\naway or load some junk which may look like a link TRB and cause the real\nlink TRB to be replaced with a NOOP. This wouldn't end well.\n\nUse a functionally equivalent test which doesn't dereference the pointer\nand always gives correct result.\n\nSomething has crashed my machine twice in recent days while playing with\nan Etron HC, and a control transfer stress test ran for confirmation has\njust crashed it again. The same test passes with this patch applied.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT\n\nThis requirement was overeagerly loosened in commit 2f83e38a095f\n(\"tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN\"), but as\nit turns out,\n\n  (1) the logic I implemented there was inconsistent (apologies!),\n\n  (2) TIOCL_SELMOUSEREPORT might actually be a small security risk\n      after all, and\n\n  (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse\n      daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN\n      already.\n\nIn more detail:\n\n1. The previous patch has inconsistent logic:\n\n   In commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes\n   without CAP_SYS_ADMIN\"), we checked for sel_mode ==\n   TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of\n   this \"mode\" parameter were actually used as an additional way to\n   pass an argument.  So the patch did actually still require\n   CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not\n   require it if none of the mouse buttons bits are set.\n\n   This logic is inconsistent and was not intentional.  We should have\n   the same policies for using TIOCL_SELMOUSEREPORT independent of the\n   value of the \"hidden\" mouse button argument.\n\n   I sent a separate documentation patch to the man page list with\n   more details on TIOCL_SELMOUSEREPORT:\n   https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/\n\n2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can\n   let an attacker simulate \"keyboard\" input to command line\n   applications on the same terminal, like TIOCSTI and some other\n   TIOCLINUX \"selection mode\" IOCTLs.\n\n   By enabling mouse reporting on a terminal and then injecting mouse\n   reports through TIOCL_SELMOUSEREPORT, an attacker can simulate\n   mouse movements on the same terminal, similar to the TIOCSTI\n   keystroke injection attacks that were previously possible with\n   TIOCSTI and other TIOCL_SETSEL selection modes.\n\n   Many programs (including libreadline/bash) are then prone to\n   misinterpret these mouse reports as normal keyboard input because\n   they do not expect input in the X11 mouse protocol form.  The\n   attacker does not have complete control over the escape sequence,\n   but they can at least control the values of two consecutive bytes\n   in the binary mouse reporting escape sequence.\n\n   I went into more detail on that in the discussion at\n   https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/\n\n   It is not equally trivial to simulate arbitrary keystrokes as it\n   was with TIOCSTI (commit 83efeeeb3d04 (\"tty: Allow TIOCSTI to be\n   disabled\")), but the general mechanism is there, and together with\n   the small number of existing legit use cases (see below), it would\n   be better to revert back to requiring CAP_SYS_ADMIN for\n   TIOCL_SELMOUSEREPORT, as it was already the case before\n   commit 2f83e38a095f (\"tty: Permit some TIOCL_SETSEL modes without\n   CAP_SYS_ADMIN\").\n\n3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or\n   Consolation), and they are the only legit use case:\n\n   To quote console_codes(4):\n\n     The mouse tracking facility is intended to return\n     xterm(1)-compatible mouse status reports.  Because the console\n     driver has no way to know the device or type of the mouse, these\n     reports are returned in the console input stream only when the\n     virtual terminal driver receives a mouse update ioctl.  These\n     ioctls must be generated by a mouse-aware user-mode application\n     such as the gpm(8) daemon.\n\n   Jared Finder has also confirmed in\n   https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/\n   that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it\n   would be difficult to find good reasons for doing that, given that\n   it would interfere with the reports that GPM is sending.\n\n   More information on the interaction between GPM, terminals and th\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration\n\nResolve kernel panic while accessing IRQ handler associated with the\ngenerated IRQ. This is done by acquiring the spinlock and storing the\ncurrent interrupt state before handling the interrupt request using\ngeneric_handle_irq.\n\nA previous fix patch was submitted where 'generic_handle_irq' was\nreplaced with 'handle_nested_irq'. However, this change also causes\nthe kernel panic where after determining which GPIO triggered the\ninterrupt and attempting to call handle_nested_irq with the mapped\nIRQ number, leads to a failure in locating the registered handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmei: vsc: Fix fortify-panic caused by invalid counted_by() use\n\ngcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[]\nand the vsc-tp.c code is using this in a wrong way. len does not contain\nthe available size in the buffer, it contains the actual packet length\n*without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to\nbuf[] the fortify-panic handler gets triggered:\n\n[   80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0\n[   80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50\n...\n[   80.843175]  __fortify_panic+0x9/0xb\n[   80.843186]  vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw]\n[   80.843210]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[   80.843229]  ? lockdep_hardirqs_on+0x7c/0x110\n[   80.843250]  mei_vsc_hw_start+0x98/0x120 [mei_vsc]\n[   80.843270]  mei_reset+0x11d/0x420 [mei]\n\nThe easiest fix would be to just drop the counted-by but with the exception\nof the ack buffer in vsc_tp_xfer_helper() which only contains enough room\nfor the packet-header, all other uses of vsc_tp_packet always use a buffer\nof VSC_TP_MAX_XFER_SIZE bytes for the packet.\n\nInstead of just dropping the counted-by, split the vsc_tp_packet struct\ndefinition into a header and a full-packet definition and use a fixed\nsize buf[] in the packet definition, this way fortify-source buffer\noverrun checking still works when enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: fix a double free bug in chameleon_parse_gdd()\n\nIn chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'\nwould be released in mcb_device_register() via put_device().\nThus, goto 'err' label and free 'mdev' again causes a double free.\nJust return if mcb_device_register() fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Return NULL from huge_pte_offset() for invalid PMD\n\nLoongArch's huge_pte_offset() currently returns a pointer to a PMD slot\neven if the underlying entry points to invalid_pte_table (indicating no\nmapping). Callers like smaps_hugetlb_range() fetch this invalid entry\nvalue (the address of invalid_pte_table) via this pointer.\n\nThe generic is_swap_pte() check then incorrectly identifies this address\nas a swap entry on LoongArch, because it satisfies the \"!pte_present()\n&& !pte_none()\" conditions. This misinterpretation, combined with a\ncoincidental match by is_migration_entry() on the address bits, leads to\nkernel crashes in pfn_swap_entry_to_page().\n\nFix this at the architecture level by modifying huge_pte_offset() to\ncheck the PMD entry's content using pmd_none() before returning. If the\nentry is invalid (i.e., it points to invalid_pte_table), return NULL\ninstead of the pointer to the slot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()\n\nWith ACPI in place, gicv2m_get_fwnode() is registered with the pci\nsubsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime\nduring a PCI host bridge probe. But, the call back is wrongly marked as\n__init, causing it to be freed, while being registered with the PCI\nsubsystem and could trigger:\n\n Unable to handle kernel paging request at virtual address ffff8000816c0400\n  gicv2m_get_fwnode+0x0/0x58 (P)\n  pci_set_bus_msi_domain+0x74/0x88\n  pci_register_host_bridge+0x194/0x548\n\nThis is easily reproducible on a Juno board with ACPI boot.\n\nRetain the function for later use.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: handle NULL returned by xdp_convert_buff_to_frame()\n\nThe function xdp_convert_buff_to_frame() may return NULL if it fails\nto correctly convert the XDP buffer into an XDP frame due to memory\nconstraints, internal errors, or invalid data. Failing to check for NULL\nmay lead to a NULL pointer dereference if the result is used later in\nprocessing, potentially causing crashes, data corruption, or undefined\nbehavior.\n\nOn XDP redirect failure, the associated page must be released explicitly\nif it was previously retained via get_page(). Failing to do so may result\nin a memory leak, as the pages reference count is not decremented.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/eevdf: Fix se->slice being set to U64_MAX and resulting crash\n\nThere is a code path in dequeue_entities() that can set the slice of a\nsched_entity to U64_MAX, which sometimes results in a crash.\n\nThe offending case is when dequeue_entities() is called to dequeue a\ndelayed group entity, and then the entity's parent's dequeue is delayed.\nIn that case:\n\n1. In the if (entity_is_task(se)) else block at the beginning of\n   dequeue_entities(), slice is set to\n   cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then\n   it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.\n2. The first for_each_sched_entity() loop dequeues the entity.\n3. If the entity was its parent's only child, then the next iteration\n   tries to dequeue the parent.\n4. If the parent's dequeue needs to be delayed, then it breaks from the\n   first for_each_sched_entity() loop _without updating slice_.\n5. The second for_each_sched_entity() loop sets the parent's ->slice to\n   the saved slice, which is still U64_MAX.\n\nThis throws off subsequent calculations with potentially catastrophic\nresults. A manifestation we saw in production was:\n\n6. In update_entity_lag(), se->slice is used to calculate limit, which\n   ends up as a huge negative number.\n7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit\n   is negative, vlag > limit, so se->vlag is set to the same huge\n   negative number.\n8. In place_entity(), se->vlag is scaled, which overflows and results in\n   another huge (positive or negative) number.\n9. The adjusted lag is subtracted from se->vruntime, which increases or\n   decreases se->vruntime by a huge number.\n10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which\n    incorrectly returns false because the vruntime is so far from the\n    other vruntimes on the queue, causing the\n    (vruntime - cfs_rq->min_vruntime) * load calculation to overflow.\n11. Nothing appears to be eligible, so pick_eevdf() returns NULL.\n12. pick_next_entity() tries to dereference the return value of\n    pick_eevdf() and crashes.\n\nDumping the cfs_rq states from the core dumps with drgn showed tell-tale\nhuge vruntime ranges and bogus vlag values, and I also traced se->slice\nbeing set to U64_MAX on live systems (which was usually \"benign\" since\nthe rest of the runqueue needed to be in a particular state to crash).\n\nFix it in dequeue_entities() by always setting slice from the first\nnon-empty cfs_rq.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: uprobes: Add missing fence.i after building the XOL buffer\n\nThe XOL (execute out-of-line) buffer is used to single-step the\nreplaced instruction(s) for uprobes. The RISC-V port was missing a\nproper fence.i (i$ flushing) after constructing the XOL buffer, which\ncan result in incorrect execution of stale/broken instructions.\n\nThis was found running the BPF selftests \"test_progs:\nuprobe_autoattach, attach_probe\" on the Spacemit K1/X60, where the\nuprobes tests randomly blew up.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too\n\nSimilarly to the previous patch, we need to safe guard hfsc_dequeue()\ntoo. But for this one, we don't have a reliable reproducer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL pointer dereference in tipc_mon_reinit_self()\n\nsyzbot reported:\n\ntipc: Node number set to 1055423674\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: events tipc_net_finalize_work\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n...\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 
0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nThere is a racing condition between workqueue created when enabling\nbearer and another thread created when disabling bearer right after\nthat as follow:\n\nenabling_bearer                          | disabling_bearer\n---------------                          | ----------------\ntipc_disc_timeout()                      |\n{                                        | bearer_disable()\n ...                                     | {\n schedule_work(&tn->work);               |  tipc_mon_delete()\n ...                                     |  {\n}                                        |   ...\n                                         |   write_lock_bh(&mon->lock);\n                                         |   mon->self = NULL;\n                                         |   write_unlock_bh(&mon->lock);\n                                         |   ...\n                                         |  }\ntipc_net_finalize_work()                 | }\n{                                        |\n ...                                     |\n tipc_net_finalize()                     |\n {                                       |\n  ...                                    |\n  tipc_mon_reinit_self()                 |\n  {                                      |\n   ...                                   
|\n   write_lock_bh(&mon->lock);            |\n   mon->self->addr = tipc_own_addr(net); |\n   write_unlock_bh(&mon->lock);          |\n   ...             \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix out-of-bounds access in nvmet_enable_port\n\nWhen trying to enable a port that has no transport configured yet,\nnvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports\narray, causing an out-of-bounds access:\n\n[  106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da\n[  106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632\n[...]\n[  106.076026] nvmet: transport type 255 not supported\n\nSince commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by\nnvmet_ports_make().\nAvoid this by checking for NVMF_TRTYPE_MAX before proceeding.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Add NULL check in ufshcd_mcq_compl_pending_transfer()\n\nAdd a NULL check for the returned hwq pointer by ufshcd_mcq_req_to_hwq().\n\nThis is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix\nufshcd_abort_one racing issue\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n  BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n  BUG: kernel NULL pointer dereference, address: 0000000000000058\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n  RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n  RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n  R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n  R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n  FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n  Call Trace:\n  <TASK>\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15c/0x2f0\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  btrfs_add_free_space_async_trimmed+0x34/0x40\n  btrfs_add_new_free_space+0x107/0x120\n  btrfs_make_block_group+0x104/0x2b0\n  btrfs_create_chunk+0x977/0xf20\n  btrfs_chunk_alloc+0x174/0x510\n  ? srso_return_thunk+0x5/0x5f\n  btrfs_inc_block_group_ro+0x1b1/0x230\n  btrfs_relocate_block_group+0x9e/0x410\n  btrfs_relocate_chunk+0x3f/0x130\n  btrfs_balance+0x8ac/0x12b0\n  ? srso_return_thunk+0x5/0x5f\n  ? 
srso_return_thunk+0x5/0x5f\n  ? __kmalloc_cache_noprof+0x14c/0x3e0\n  btrfs_ioctl+0x2686/0x2a80\n  ? srso_return_thunk+0x5/0x5f\n  ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n  __x64_sys_ioctl+0x97/0xc0\n  do_syscall_64+0x82/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? __memcg_slab_free_hook+0x11a/0x170\n  ? srso_return_thunk+0x5/0x5f\n  ? kmem_cache_free+0x3f0/0x450\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? sysfs_emit+0xaf/0xc0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? seq_read_iter+0x207/0x460\n  ? srso_return_thunk+0x5/0x5f\n  ? vfs_read+0x29c/0x370\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? exc_page_fault+0x7e/0x180\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fdab1e0ca6d\n  RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n  RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n  RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n  </TASK>\n  CR2: 0000000000000058\n  ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. 
Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()\n\nA race can occur between the MCQ completion path and the abort handler:\nonce a request completes, __blk_mq_free_request() sets rq->mq_hctx to\nNULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in\nufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is\ndereferenced, the kernel will crash.\n\nAdd a NULL check for the returned hwq pointer. If hwq is NULL, log an\nerror and return FAILED, preventing a potential NULL-pointer\ndereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is\nremoved.\n\nThis is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix\nufshcd_abort_one racing issue\").\n\nThis is found by our static analysis tool KNighter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()\n\ncpufreq_cpu_get_raw() can return NULL when the target CPU is not present\nin the policy->cpus mask. scpi_cpufreq_get_rate() does not check for\nthis case, which results in a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()\n\ncpufreq_cpu_get_raw() can return NULL when the target CPU is not present\nin the policy->cpus mask. scmi_cpufreq_get_rate() does not check for\nthis case, which results in a NULL pointer dereference.\n\nAdd NULL check after cpufreq_cpu_get_raw() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate()\n\ncpufreq_cpu_get_raw() can return NULL when the target CPU is not present\nin the policy->cpus mask. apple_soc_cpufreq_get_rate() does not check\nfor this case, which results in a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads\n\nFix niu_try_msix() to not cause a fatal trap on sparc systems.\n\nSet PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to\nwork around a bug in the hardware or firmware.\n\nFor each vector entry in the msix table, niu chips will cause a fatal\ntrap if any registers in that entry are read before that entries'\nENTRY_DATA register is written to. Testing indicates writes to other\nregisters are not sufficient to prevent the fatal trap, however the value\ndoes not appear to matter. This only needs to happen once after power up,\nso simply rebooting into a kernel lacking this fix will NOT cause the\ntrap.\n\nNON-RESUMABLE ERROR: Reporting on cpu 64\nNON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0>\nNON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff\nNON-RESUMABLE ERROR:      0000000800000000:0000000000000000:0000000000000000:0000000000000000]\nNON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff]\nNON-RESUMABLE ERROR: type [precise nonresumable]\nNON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv >\nNON-RESUMABLE ERROR: raddr [0xffffffffffffffff]\nNON-RESUMABLE ERROR: insn effective address [0x000000c50020000c]\nNON-RESUMABLE ERROR: size [0x8]\nNON-RESUMABLE ERROR: asi [0x00]\nCPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63\nWorkqueue: events work_for_cpu_fn\nTSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000    Not tainted\nTPC: <msix_prepare_msi_desc+0x90/0xa0>\ng0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100\ng4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000\no0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620\no4: 0000000000000080 o5: 
0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128\nRPC: <__pci_enable_msix_range+0x3cc/0x460>\nl0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020\nl4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734\ni0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d\ni4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0\nI7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]>\nCall Trace:\n[<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu]\n[<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu]\n[<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu]\n[<00000000005ef3e4>] local_pci_probe+0x28/0x74\n[<0000000000469240>] work_for_cpu_fn+0x8/0x1c\n[<000000000046b008>] process_scheduled_works+0x144/0x210\n[<000000000046b518>] worker_thread+0x13c/0x1c0\n[<00000000004710e0>] kthread+0xb8/0xc8\n[<00000000004060c8>] ret_from_fork+0x1c/0x2c\n[<0000000000000000>] 0x0\nKernel panic - not syncing: Non-resumable error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: don't try to reclaim hwpoison folio\n\nSyzkaller reports a bug as follows:\n\nInjecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000\nMemory failure: 0x18b00e: dirty swapcache page still referenced by 2 users\nMemory failure: 0x18b00e: recovery action for dirty swapcache page: Failed\npage: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e\nmemcg:ffff0000dd6d9000\nanon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff)\nraw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9\nraw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000\npage dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio))\n------------[ cut here ]------------\nkernel BUG at mm/swap_state.c:184!\nInternal error: Oops - BUG: 00000000f2000800 [#1] SMP\nModules linked in:\nCPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3\nHardware name: linux,dummy-virt (DT)\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : add_to_swap+0xbc/0x158\nlr : add_to_swap+0xbc/0x158\nsp : ffff800087f37340\nx29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780\nx26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0\nx23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4\nx20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000\nx17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c\nx14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b\nx11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000\nx8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001\nx5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000\nCall trace:\n add_to_swap+0xbc/0x158\n shrink_folio_list+0x12ac/0x2648\n 
shrink_inactive_list+0x318/0x948\n shrink_lruvec+0x450/0x720\n shrink_node_memcgs+0x280/0x4a8\n shrink_node+0x128/0x978\n balance_pgdat+0x4f0/0xb20\n kswapd+0x228/0x438\n kthread+0x214/0x230\n ret_from_fork+0x10/0x20\n\nI can reproduce this issue with the following steps:\n\n1) When a dirty swapcache page is isolated by reclaim process and the\n   page isn't locked, inject memory failure for the page. \n   me_swapcache_dirty() clears uptodate flag and tries to delete from lru,\n   but fails.  Reclaim process will put the hwpoisoned page back to lru.\n\n2) The process that maps the hwpoisoned page exits, the page is deleted\n   the page will never be freed and will be in the lru forever.\n\n3) If we trigger a reclaim again and tries to reclaim the page,\n   add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is\n   cleared.\n\nTo fix it, skip the hwpoisoned page in shrink_folio_list().  Besides, the\nhwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap\nit in shrink_folio_list(), otherwise the folio will fail to be unmaped by\nhwpoison_user_mappings() since the folio isn't in lru list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix reference leak in pci_register_host_bridge()\n\nIf device_register() fails, call put_device() to give up the reference to\navoid a memory leak, per the comment at device_register().\n\nFound by code review.\n\n[bhelgaas: squash Dan Carpenter's double free fix from\nhttps://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()\n\nTwo WARNINGs are observed when SMMU driver rolls back upon failure:\n arm-smmu-v3.9.auto: Failed to register iommu\n arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22\n ------------[ cut here ]------------\n WARNING: CPU: 5 PID: 1 at kernel/dma/mapping.c:74 dmam_free_coherent+0xc0/0xd8\n Call trace:\n  dmam_free_coherent+0xc0/0xd8 (P)\n  tegra241_vintf_free_lvcmdq+0x74/0x188\n  tegra241_cmdqv_remove_vintf+0x60/0x148\n  tegra241_cmdqv_remove+0x48/0xc8\n  arm_smmu_impl_remove+0x28/0x60\n  devm_action_release+0x1c/0x40\n ------------[ cut here ]------------\n 128 pages are still in use!\n WARNING: CPU: 16 PID: 1 at mm/page_alloc.c:6902 free_contig_range+0x18c/0x1c8\n Call trace:\n  free_contig_range+0x18c/0x1c8 (P)\n  cma_release+0x154/0x2f0\n  dma_free_contiguous+0x38/0xa0\n  dma_direct_free+0x10c/0x248\n  dma_free_attrs+0x100/0x290\n  dmam_free_coherent+0x78/0xd8\n  tegra241_vintf_free_lvcmdq+0x74/0x160\n  tegra241_cmdqv_remove+0x98/0x198\n  arm_smmu_impl_remove+0x28/0x60\n  devm_action_release+0x1c/0x40\n\nThis is because the LVCMDQ queue memory are managed by devres, while that\ndmam_free_coherent() is called in the context of devm_action_release().\n\nJason pointed out that \"arm_smmu_impl_probe() has mis-ordered the devres\ncallbacks if ops->device_remove() is going to be manually freeing things\nthat probe allocated\":\nhttps://lore.kernel.org/linux-iommu/20250407174408.GB1722458@nvidia.com/\n\nIn fact, tegra241_cmdqv_init_structures() only allocates memory resources\nwhich means any failure that it generates would be similar to -ENOMEM, so\nthere is no point in having that \"falling back to standard SMMU\" routine,\nas the standard SMMU would likely fail to allocate memory too.\n\nRemove the unwind part in tegra241_cmdqv_init_structures(), and return a\nproper error code to ask SMMU 
driver to call tegra241_cmdqv_remove() via\nimpl_ops->device_remove(). Then, drop tegra241_vintf_free_lvcmdq() since\ndevres will take care of that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, &ssi->work is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi->cl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: remove wrong sb->s_sequence check\n\nJournal emptiness is not determined by sb->s_sequence == 0 but rather by\nsb->s_start == 0 (which is set a few lines above). Furthermore 0 is a\nvalid transaction ID so the check can spuriously trigger. Remove the\ninvalid WARN_ON.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: fix PM resume warning\n\nFixed warning on PM resume as shown below caused due to uninitialized\nstruct nand_operation that checks chip select field :\nWARN_ON(op->cs >= nanddev_ntargets(&chip->base)\n\n[   14.588522] ------------[ cut here ]------------\n[   14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8\n[   14.588553] Modules linked in: bdc udc_core\n[   14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G        W          6.14.0-rc4-g5394eea10651 #16\n[   14.588590] Tainted: [W]=WARN\n[   14.588593] Hardware name: Broadcom STB (Flattened Device Tree)\n[   14.588598] Call trace:\n[   14.588604]  dump_backtrace from show_stack+0x18/0x1c\n[   14.588622]  r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c\n[   14.588625]  show_stack from dump_stack_lvl+0x70/0x7c\n[   14.588639]  dump_stack_lvl from dump_stack+0x18/0x1c\n[   14.588653]  r5:c08d40b0 r4:c1003cb0\n[   14.588656]  dump_stack from __warn+0x84/0xe4\n[   14.588668]  __warn from warn_slowpath_fmt+0x18c/0x194\n[   14.588678]  r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000\n[   14.588681]  warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8\n[   14.588695]  r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048\n[   14.588697]  nand_reset_op from brcmnand_resume+0x13c/0x150\n[   14.588714]  r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040\n[   14.588717]  brcmnand_resume from platform_pm_resume+0x34/0x54\n[   14.588735]  r5:00000010 r4:c0840a50\n[   14.588738]  platform_pm_resume from dpm_run_callback+0x5c/0x14c\n[   14.588757]  dpm_run_callback from device_resume+0xc0/0x324\n[   14.588776]  r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010\n[   14.588779]  device_resume from dpm_resume+0x130/0x160\n[   14.588799]  r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0\n[   14.588802]  dpm_resume from dpm_resume_end+0x14/0x20\n[   14.588822]  r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414\n[   14.588826]  r4:00000010\n[   14.588828]  dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8\n[   14.588848]  r5:c228a414 r4:00000000\n[   14.588851]  suspend_devices_and_enter from pm_suspend+0x228/0x2bc\n[   14.588868]  r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000\n[   14.588871]  r4:00000003\n[   14.588874]  pm_suspend from state_store+0x74/0xd0\n[   14.588889]  r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003\n[   14.588892]  state_store from kobj_attr_store+0x1c/0x28\n[   14.588913]  r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250\n[   14.588916]  kobj_attr_store from sysfs_kf_write+0x40/0x4c\n[   14.588936]  r5:c3502900 r4:c0d92a48\n[   14.588939]  sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0\n[   14.588956]  r5:c3502900 r4:c3501f40\n[   14.588960]  kernfs_fop_write_iter from vfs_write+0x250/0x420\n[   14.588980]  r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00\n[   14.588983]  r4:c042a88c\n[   14.588987]  vfs_write from ksys_write+0x74/0xe4\n[   14.589005]  r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00\n[   14.589008]  r4:c34f7f00\n[   14.589011]  ksys_write from sys_write+0x10/0x14\n[   14.589029]  r7:00000004 r6:004421c0 r5:00443398 r4:00000004\n[   14.589032]  sys_write from ret_fast_syscall+0x0/0x5c\n[   14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)\n[   14.589050] 9fa0:                   00000004 00443398 00000004 00443398 00000004 00000001\n[   14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78\n[   14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8\n[   14.589065] ---[ end trace 0000000000000000 ]---\n\nThe fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when\ndoing PM resume operation in compliance with the controller support for single\ndie nand chip. Switching from nand_reset_op() to nan\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npm: cpupower: bench: Prevent NULL dereference on malloc failure\n\nIf malloc returns NULL due to low memory, 'config' pointer can be NULL.\nAdd a check to prevent NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-qspi: use devm function instead of driver remove\n\nDriver use devm APIs to manage clk/irq/resources and register the spi\ncontroller, but the legacy remove function will be called first during\ndevice detach and trigger kernel panic. Drop the remove function and use\ndevm_add_action_or_reset() for driver cleanup to ensure the release\nsequence.\n\nTrigger kernel panic on i.MX8MQ by\necho 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pciehp: Avoid unnecessary device replacement check\n\nHot-removal of nested PCI hotplug ports suffers from a long-standing race\ncondition which can lead to a deadlock:  A parent hotplug port acquires\npci_lock_rescan_remove(), then waits for pciehp to unbind from a child\nhotplug port.  Meanwhile that child hotplug port tries to acquire\npci_lock_rescan_remove() as well in order to remove its own children.\n\nThe deadlock only occurs if the parent acquires pci_lock_rescan_remove()\nfirst, not if the child happens to acquire it first.\n\nSeveral workarounds to avoid the issue have been proposed and discarded\nover the years, e.g.:\n\nhttps://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/\n\nA proper fix is being worked on, but needs more time as it is nontrivial\nand necessarily intrusive.\n\nRecent commit 9d573d19547b (\"PCI: pciehp: Detect device replacement during\nsystem sleep\") provokes more frequent occurrence of the deadlock when\nremoving more than one Thunderbolt device during system sleep.  The commit\nsought to detect device replacement, but also triggered on device removal.\nDifferentiating reliably between replacement and removal is impossible\nbecause pci_get_dsn() returns 0 both if the device was removed, as well as\nif it was replaced with one lacking a Device Serial Number.\n\nAvoid the more frequent occurrence of the deadlock by checking whether the\nhotplug port itself was hot-removed.  If so, there's no sense in checking\nwhether its child device was replaced.\n\nThis works because the ->resume_noirq() callback is invoked in top-down\norder for the entire hierarchy:  A parent hotplug port detecting device\nreplacement (or removal) marks all children as removed using\npci_dev_set_disconnected() and a child hotplug port can then reliably\ndetect being removed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: avoid NULL pointer dereference in dbg call\n\ncifs_server_dbg() implies server to be non-NULL so\nmove call under condition to avoid NULL pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: fprobe events: Fix possible UAF on modules\n\nCommit ac91052f0ae5 (\"tracing: tprobe-events: Fix leakage of module\nrefcount\") moved try_module_get() from __find_tracepoint_module_cb()\nto find_tracepoint() caller, but that introduced a possible UAF\nbecause the module can be unloaded before try_module_get(). In this\ncase, the module object should be freed too. Thus, try_module_get()\ndoes not only fail but may access to the freed object.\n\nTo avoid that, try_module_get() in __find_tracepoint_module_cb()\nagain.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mops: Do not dereference src reg for a set operation\n\nThe source register is not used for SET* and reading it can result in\na UBSAN out-of-bounds array access error, specifically when the MOPS\nexception is taken from a SET* sequence with XZR (reg 31) as the\nsource. Architecturally this is the only case where a src/dst/size\nfield in the ESR can be reported as 31.\n\nPrior to 2de451a329cf662b the code in do_el0_mops() was benign as the\nuse of pt_regs_read_reg() prevented the out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix deadlock in ivpu_ms_cleanup()\n\nFix deadlock in ivpu_ms_cleanup() by preventing runtime resume after\nfile_priv->ms_lock is acquired.\n\nDuring a failure in runtime resume, a cold boot is executed, which\ncalls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup()\nthat acquires file_priv->ms_lock and causes the deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix PM related deadlocks in MS IOCTLs\n\nPrevent runtime resume/suspend while MS IOCTLs are in progress.\nFailed suspend will call ivpu_ms_cleanup() that would try to acquire\nfile_priv->ms_lock, which is already held by the IOCTLs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Tear down vGIC on failed vCPU creation\n\nIf kvm_arch_vcpu_create() fails to share the vCPU page with the\nhypervisor, we propagate the error back to the ioctl but leave the\nvGIC vCPU data initialised. Note only does this leak the corresponding\nmemory when the vCPU is destroyed but it can also lead to use-after-free\nif the redistributor device handling tries to walk into the vCPU.\n\nAdd the missing cleanup to kvm_arch_vcpu_create(), ensuring that the\nvGIC vCPU structures are destroyed on error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()\n\nWith CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a\ndivide-by-zero in the following line:\n\n\tdo_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));\n\ndue to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate()\nreturns zero.\n\nThis is presumably just a theoretical problem: COMPILE_TEST overrides\nthe dependency on RALINK which would select COMMON_CLK.  Regardless it's\na good idea to check for the error explicitly to avoid divide-by-zero.\n\nFixes the following warning:\n\n  drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section\n\n[ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: omapfb: Add 'plane' value check\n\nFunction dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB\nof the enum parameter plane.\n\nThe value of this parameter is initialized in dss_init_overlays and in the\ncurrent state of the code it cannot take this value so it's not a real\nproblem.\n\nFor the purposes of defensive coding it wouldn't be superfluous to check\nthe parameter value, because some functions down the call stack process\nthis value correctly and some not.\n\nFor example, in dispc_ovl_setup_global_alpha it may lead to buffer\noverflow.\n\nAdd check for this value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()\n\nAdd error handling to propagate amdgpu_cgs_create_device() failures\nto the caller. When amdgpu_cgs_create_device() fails, release hwmgr\nand return -ENOMEM to prevent null pointer dereference.\n\n[v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: debugfs hang_hws skip GPU with MES\n\ndebugfs hang_hws is used by GPU reset test with HWS, for MES this crash\nthe kernel with NULL pointer access because dqm->packet_mgr is not setup\nfor MES path.\n\nSkip GPU with MES for now, MES hang_hws debugfs interface will be\nsupported later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mode1 reset crash issue\n\nIf HW scheduler hangs and mode1 reset is used to recover GPU, KFD signal\nuser space to abort the processes. After process abort exit, user queues\nstill use the GPU to access system memory before h/w is reset while KFD\ncleanup worker free system memory and free VRAM.\n\nThere is use-after-free race bug that KFD allocate and reuse the freed\nsystem memory, and user queue write to the same system memory to corrupt\nthe data structure and cause driver crash.\n\nTo fix this race, KFD cleanup worker terminate user queues, then flush\nreset_domain wq to wait for any GPU ongoing reset complete, and then\nfree outstanding BOs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Guard Possible Null Pointer Dereference\n\n[WHY]\nIn some situations, dc->res_pool may be null.\n\n[HOW]\nCheck if pointer is null before dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: harden block_group::bg_list against list_del() races\n\nAs far as I can tell, these calls of list_del_init() on bg_list cannot\nrun concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(),\nas they are in transaction error paths and situations where the block\ngroup is readonly.\n\nHowever, if there is any chance at all of racing with mark_bg_unused(),\nor a different future user of bg_list, better to be safe than sorry.\n\nOtherwise we risk the following interleaving (bg_list refcount in parens)\n\nT1 (some random op)                       T2 (btrfs_mark_bg_unused)\n                                        !list_empty(&bg->bg_list); (1)\nlist_del_init(&bg->bg_list); (1)\n                                        list_move_tail (1)\nbtrfs_put_block_group (0)\n                                        btrfs_delete_unused_bgs\n                                             bg = list_first_entry\n                                             list_del_init(&bg->bg_list);\n                                             btrfs_put_block_group(bg); (-1)\n\nUltimately, this results in a broken ref count that hits zero one deref\nearly and the real final deref underflows the refcount, resulting in a WARNING.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: st: Fix array overflow in st_setup()\n\nChange the array size to follow parms size instead of a fixed value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: Prevent integer overflow in AG size calculation\n\nThe JFS filesystem calculates allocation group (AG) size using 1 <<\nl2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB\naggregates on 32-bit systems), this 32-bit shift operation causes undefined\nbehavior and improper AG sizing.\n\nOn 32-bit architectures:\n- Left-shifting 1 by 32+ bits results in 0 due to integer overflow\n- This creates invalid AG sizes (0 or garbage values) in\nsbi->bmap->db_agsize\n- Subsequent block allocations would reference invalid AG structures\n- Could lead to:\n  - Filesystem corruption during extend operations\n  - Kernel crashes due to invalid memory accesses\n  - Security vulnerabilities via malformed on-disk structures\n\nFix by casting to s64 before shifting:\nbmp->db_agsize = (s64)1 << l2agsize;\n\nThis ensures 64-bit arithmetic even on 32-bit architectures. The cast\nmatches the data type of db_agsize (s64) and follows similar patterns in\nJFS block calculation code.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: avoid infinite loop to schedule delayed worker\n\nWe noticed the kworker in page_pool_release_retry() was waken\nup repeatedly and infinitely in production because of the\nbuggy driver causing the inflight less than 0 and warning\nus in page_pool_inflight()[1].\n\nSince the inflight value goes negative, it means we should\nnot expect the whole page_pool to get back to work normally.\n\nThis patch mitigates the adverse effect by not rescheduling\nthe kworker when detecting the inflight negative in\npage_pool_release_retry().\n\n[1]\n[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------\n[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages\n...\n[Mon Feb 10 20:36:11 2025] Call Trace:\n[Mon Feb 10 20:36:11 2025]  page_pool_release_retry+0x23/0x70\n[Mon Feb 10 20:36:11 2025]  process_one_work+0x1b1/0x370\n[Mon Feb 10 20:36:11 2025]  worker_thread+0x37/0x3a0\n[Mon Feb 10 20:36:11 2025]  kthread+0x11a/0x140\n[Mon Feb 10 20:36:11 2025]  ? process_one_work+0x370/0x370\n[Mon Feb 10 20:36:11 2025]  ? __kthread_cancel_work+0x40/0x40\n[Mon Feb 10 20:36:11 2025]  ret_from_fork+0x35/0x40\n[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---\nNote: before this patch, the above calltrace would flood the\ndmesg due to repeated reschedule of release_dw kworker.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix NULL dereferences in ef100_process_design_param()\n\nSince cited commit, ef100_probe_main() and hence also\n ef100_check_design_params() run before efx->net_dev is created;\n consequently, we cannot netif_set_tso_max_size() or _segs() at this\n point.\nMove those netif calls to ef100_probe_netdev(), and also replace\n netif_err within the design params code with pci_err.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue\n\nWhen the task management thread processes reply queues while the reset\nthread resets them, the task management thread accesses an invalid queue ID\n(0xFFFF), set by the reset thread, which points to unallocated memory,\ncausing a crash.\n\nAdd flag 'io_admin_reset_sync' to synchronize access between the reset,\nI/O, and admin threads. Before a reset, the reset handler sets this flag to\nblock I/O and admin processing threads. If any thread bypasses the initial\ncheck, the reset thread waits up to 10 seconds for processing to finish. If\nthe wait exceeds 10 seconds, the controller is marked as unrecoverable.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: pidff: Fix null pointer dereference in pidff_find_fields\n\nThis function triggered a null pointer dereference if used to search for\na report that isn't implemented on the device. This happened both for\noptional and required reports alike.\n\nThe same logic was applied to pidff_find_special_field and although\npidff_init_fields should return an error earlier if one of the required\nreports is missing, future modifications could change this logic and\nresurface this possible null pointer dereference again.\n\nLKML bug report:\nhttps://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: don't allow datadir only\n\nIn theory overlayfs could support upper layer directly referring to a data\nlayer, but there's no current use case for this.\n\nOriginally, when data-only layers were introduced, this wasn't allowed,\nonly introduced by the \"datadir+\" feature, but without actually handling\nthis case, resulting in an Oops.\n\nFix by disallowing datadir without lowerdir.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: clean up FDB, MDB, VLAN entries on unbind\n\nAs explained in many places such as commit b117e1e8a86d (\"net: dsa:\ndelete dsa_legacy_fdb_add and dsa_legacy_fdb_del\"), DSA is written given\nthe assumption that higher layers have balanced additions/deletions.\nAs such, it only makes sense to be extremely vocal when those\nassumptions are violated and the driver unbinds with entries still\npresent.\n\nBut Ido Schimmel points out a very simple situation where that is wrong:\nhttps://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/\n(also briefly discussed by me in the aforementioned commit).\n\nBasically, while the bridge bypass operations are not something that DSA\nexplicitly documents, and for the majority of DSA drivers this API\nsimply causes them to go to promiscuous mode, that isn't the case for\nall drivers. Some have the necessary requirements for bridge bypass\noperations to do something useful - see dsa_switch_supports_uc_filtering().\n\nAlthough in tools/testing/selftests/net/forwarding/local_termination.sh,\nwe made an effort to popularize better mechanisms to manage address\nfilters on DSA interfaces from user space - namely macvlan for unicast,\nand setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the\nfact is that 'bridge fdb add ... self static local' also exists as\nkernel UAPI, and might be useful to someone, even if only for a quick\nhack.\n\nIt seems counter-productive to block that path by implementing shim\n.ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP\nin order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from\nrunning, although we could do that.\n\nAccepting that cleanup is necessary seems to be the only option.\nEspecially since we appear to be coming back at this from a different\nangle as well. Russell King is noticing that the WARN_ON() triggers even\nfor VLANs:\nhttps://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/\n\nWhat happens in the bug report above is that dsa_port_do_vlan_del() fails,\nthen the VLAN entry lingers on, and then we warn on unbind and leak it.\n\nThis is not a straight revert of the blamed commit, but we now add an\ninformational print to the kernel log (to still have a way to see\nthat bugs exist), and some extra comments gathered from past years'\nexperience, to justify the logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported\n\nRussell King reports that on the ZII dev rev B, deleting a bridge VLAN\nfrom a user port fails with -ENOENT:\nhttps://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/\n\nThis comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(),\nwhich tries to find an MST entry in &chip->msts associated with the SID,\nbut fails and returns -ENOENT as such.\n\nBut we know that this chip does not support MST at all, so that is not\nsurprising. The question is why does the guard in mv88e6xxx_mst_put()\nnot exit early:\n\n\tif (!sid)\n\t\treturn 0;\n\nAnd the answer seems to be simple: the sid comes from vlan.sid which\nsupposedly was previously populated by mv88e6xxx_vtu_get().\nBut some chip->info->ops->vtu_getnext() implementations do not populate\nvlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case,\nlater in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is\njust residual stack memory.\n\nTesting for sid == 0 covers all cases of a non-bridge VLAN or a bridge\nVLAN mapped to the default MSTI. For some chips, SID 0 is valid and\ninstalled by mv88e6xxx_stu_setup(). A chip which does not support the\nSTU would implicitly only support mapping all VLANs to the default MSTI,\nso although SID 0 is not valid, it would be sufficient, if we were to\nzero-initialize the vlan structure, to fix the bug, due to the\ncoincidence that a test for vlan.sid == 0 already exists and leads to\nthe same (correct) behavior.\n\nAnother option which would be sufficient would be to add a test for\nmv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one\nwhich already exists in mv88e6xxx_mst_get(). But that placement means\nthe caller will have to dereference vlan.sid, which means it will access\nuninitialized memory, which is not nice even if it ignores it later.\n\nSo we end up making both modifications, in order to not rely just on the\nsid == 0 coincidence, but also to avoid having uninitialized structure\nfields which might get temporarily accessed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()\n\nA warning is seen when running the latest kernel on a BlueField SOC:\n[251.512704] ------------[ cut here ]------------\n[251.512711] invalid sysfs_emit: buf:0000000003aa32ae\n[251.512720] WARNING: CPU: 1 PID: 705264 at fs/sysfs/file.c:767 sysfs_emit+0xac/0xc8\n\nThe warning is triggered because the mlxbf-bootctl driver invokes\n\"sysfs_emit()\" with a buffer pointer that is not aligned to the\nstart of the page. The driver should instead use \"sysfs_emit_at()\"\nto support non-zero offsets into the destination buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37867",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Silence oversized kvmalloc() warning\n\nsyzkaller triggered an oversized kvmalloc() warning.\nSilence it by adding __GFP_NOWARN.\n\nsyzkaller log:\n WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180\n CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__kvmalloc_node_noprof+0x175/0x180\n RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246\n RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b\n RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002\n RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000\n R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n FS:  00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ib_umem_odp_get+0x1f6/0x390\n  mlx5_ib_reg_user_mr+0x1e8/0x450\n  ib_uverbs_reg_mr+0x28b/0x440\n  ib_uverbs_write+0x7d3/0xa30\n  vfs_write+0x1ac/0x6c0\n  ksys_write+0x134/0x170\n  ? __sanitizer_cov_trace_pc+0x1c/0x50\n  do_syscall_64+0x50/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37867",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix notifier vs folio deadlock\n\nUser is reporting what smells like notifier vs folio deadlock, where\nmigrate_pages_batch() on core kernel side is holding folio lock(s) and\nthen interacting with the mappings of it, however those mappings are\ntied to some userptr, which means calling into the notifier callback and\ngrabbing the notifier lock. With perfect timing it looks possible that\nthe pages we pulled from the hmm fault can get sniped by\nmigrate_pages_batch() at the same time that we are holding the notifier\nlock to mark the pages as accessed/dirty, but at this point we also want\nto grab the folio locks(s) to mark them as dirty, but if they are\ncontended from notifier/migrate_pages_batch side then we deadlock since\nfolio lock won't be dropped until we drop the notifier lock.\n\nFortunately the mark_page_accessed/dirty is not really needed in the\nfirst place it seems and should have already been done by hmm fault, so\njust remove it.\n\n(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Use local fence in error path of xe_migrate_clear\n\nThe intent of the error path in xe_migrate_clear is to wait on locally\ngenerated fence and then return. The code is waiting on m->fence which\ncould be the local fence but this is only stable under the job mutex\nleading to a possible UAF. Fix code to wait on local fence.\n\n(cherry picked from commit 762b7e95362170b3e13a8704f38d5e47eca4ba74)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: prevent hang on link training fail\n\n[Why]\nWhen link training fails, the phy clock will be disabled. However, in\nenable_streams, it is assumed that link training succeeded and the\nmux selects the phy clock, causing a hang when a register write is made.\n\n[How]\nWhen enable_stream is hit, check if link training failed. If it did, fall\nback to the ref clock to avoid a hang and keep the system in a recoverable\nstate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx->flc_lock\n                                   spin_lock // clp->cl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx->flc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp->cl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->\nnfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.4"
        },
        {
          "id": "CVE-2025-37872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: fix memory leak in txgbe_probe() error path\n\nWhen txgbe_sw_init() is called, memory is allocated for wx->rss_key\nin wx_init_rss_key(). However, in txgbe_probe() function, the subsequent\nerror paths after txgbe_sw_init() don't free the rss_key. Fix that by\nfreeing it in error path along with wx->mac_table.\n\nAlso change the label to which execution jumps when txgbe_sw_init()\nfails, because otherwise, it could lead to a double free for rss_key,\nwhen the mac_table allocation fails in wx_sw_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix missing ring index trim on error path\n\nCommit under Fixes converted tx_prod to be free running but missed\nmasking it on the Tx error path. This crashes on error conditions,\nfor example when DMA mapping fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ngbe: fix memory leak in ngbe_probe() error path\n\nWhen ngbe_sw_init() is called, memory is allocated for wx->rss_key\nin wx_init_rss_key(). However, in ngbe_probe() function, the subsequent\nerror paths after ngbe_sw_init() don't free the rss_key. Fix that by\nfreeing it in error path along with wx->mac_table.\n\nAlso change the label to which execution jumps when ngbe_sw_init()\nfails, because otherwise, it could lead to a double free for rss_key,\nwhen the mac_table allocation fails in wx_sw_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix PTM cycle trigger logic\n\nWriting to clear the PTM status 'valid' bit while the PTM cycle is\ntriggered results in unreliable PTM operation. To fix this, clear the\nPTM 'trigger' and status after each PTM transaction.\n\nThe issue can be reproduced with the following:\n\n$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m\n\nNote: 1000 Hz (-R 1000) is unrealistically large, but provides a way to\nquickly reproduce the issue.\n\nPHC2SYS exits with:\n\n\"ioctl PTP_OFFSET_PRECISE: Connection timed out\" when the PTM transaction\n  fails\n\nThis patch also fixes a hang in igc_probe() when loading the igc\ndriver in the kdump kernel on systems supporting PTM.\n\nThe igc driver running in the base kernel enables PTM trigger in\nigc_probe().  Therefore the driver is always in PTM trigger mode,\nexcept in brief periods when manually triggering a PTM cycle.\n\nWhen a crash occurs, the NIC is reset while PTM trigger is enabled.\nDue to a hardware problem, the NIC is subsequently in a bad busmaster\nstate and doesn't handle register reads/writes.  When running\nigc_probe() in the kdump kernel, the first register access to a NIC\nregister hangs driver probing and ultimately breaks kdump.\n\nWith this patch, igc has PTM trigger disabled most of the time,\nand the trigger is only enabled for very brief (10 - 100 us) periods\nwhen manually triggering a PTM cycle.  Chances that a crash occurs\nduring a PTM trigger are not 0, but extremely reduced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only create /proc/fs/netfs with CONFIG_PROC_FS\n\nWhen testing a special config:\n\nCONFIG_NETFS_SUPPORTS=y\nCONFIG_PROC_FS=n\n\nThe system crashes with something like:\n\n[    3.766197] ------------[ cut here ]------------\n[    3.766484] kernel BUG at mm/mempool.c:560!\n[    3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n[    3.767777] Tainted: [W]=WARN\n[    3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n[    3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19\n[    3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00\n[    3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286\n[    3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000\n[    3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff\n[    3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828\n[    3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0\n[    3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40\n[    3.772554] FS:  0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000\n[    3.773061] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0\n[    3.773884] PKRU: 55555554\n[    3.774058] Call Trace:\n[    3.774232]  <TASK>\n[    3.774371]  mempool_alloc_noprof+0x6a/0x190\n[    3.774649]  ? _printk+0x57/0x80\n[    3.774862]  netfs_alloc_request+0x85/0x2ce\n[    3.775147]  netfs_readahead+0x28/0x170\n[    3.775395]  read_pages+0x6c/0x350\n[    3.775623]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.775928]  page_cache_ra_unbounded+0x1bd/0x2a0\n[    3.776247]  filemap_get_pages+0x139/0x970\n[    3.776510]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.776820]  filemap_read+0xf9/0x580\n[    3.777054]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.777368]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.777674]  ? find_held_lock+0x32/0x90\n[    3.777929]  ? netfs_start_io_read+0x19/0x70\n[    3.778221]  ? netfs_start_io_read+0x19/0x70\n[    3.778489]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.778800]  ? lock_acquired+0x1e6/0x450\n[    3.779054]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.779379]  netfs_buffered_read_iter+0x57/0x80\n[    3.779670]  __kernel_read+0x158/0x2c0\n[    3.779927]  bprm_execve+0x300/0x7a0\n[    3.780185]  kernel_execve+0x10c/0x140\n[    3.780423]  ? __pfx_kernel_init+0x10/0x10\n[    3.780690]  kernel_init+0xd5/0x150\n[    3.780910]  ret_from_fork+0x2d/0x50\n[    3.781156]  ? __pfx_kernel_init+0x10/0x10\n[    3.781414]  ret_from_fork_asm+0x1a/0x30\n[    3.781677]  </TASK>\n[    3.781823] Modules linked in:\n[    3.782065] ---[ end trace 0000000000000000 ]---\n\nThis is caused by the following error path in netfs_init():\n\n        if (!proc_mkdir(\"fs/netfs\", NULL))\n                goto error_proc;\n\nFix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only\ncreated with CONFIG_PROC_FS.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Clear iommu-dma ops on cleanup\n\nIf iommu_device_register() encounters an error, it can end up tearing\ndown already-configured groups and default domains, however this\ncurrently still leaves devices hooked up to iommu-dma (and even\nhistorically the behaviour in this area was at best inconsistent across\narchitectures/drivers...) Although in the case that an IOMMU is present\nwhose driver has failed to probe, users cannot necessarily expect DMA to\nwork anyway, it's still arguable that we should do our best to put\nthings back as if the IOMMU driver was never there at all, and certainly\nthe potential for crashing in iommu-dma itself is undesirable. Make sure\nwe clean up the dev->dma_iommu flag along with everything else.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix WARN_ON(!ctx) in __free_event() for partial init\n\nMove the get_ctx(child_ctx) call and the child_event->ctx assignment to\noccur immediately after the child event is allocated. Ensure that\nchild_event->ctx is non-NULL before any subsequent error path within\ninherit_event calls free_event(), satisfying the assumptions of the\ncleanup code.\n\nDetails:\n\nThere's no clear Fixes tag, because this bug is a side-effect of\nmultiple interacting commits over time (up to 15 years old), not\na single regression.\n\nThe code initially incremented refcount then assigned context\nimmediately after the child_event was created. Later, an early\nvalidity check for child_event was added before the\nrefcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was\nadded, assuming event->ctx is valid if the pmu_ctx is valid.\nThe problem is that the WARN_ON_ONCE() could trigger after the initial\ncheck passed but before child_event->ctx was assigned, violating its\nprecondition. The solution is to assign child_event->ctx right after\nits initial validation. This ensures the context exists for any\nsubsequent checks or cleanup routines, resolving the WARN_ON_ONCE().\n\nTo resolve it, defer the refcount update and child_event->ctx assignment\ndirectly after child_event->pmu_ctx is set but before checking if the\nparent event is orphaned. The cleanup routine depends on\nevent->pmu_ctx being non-NULL before it verifies event->ctx is\nnon-NULL. This also maintains the author's original intent of passing\nin child_ctx to find_get_pmu_context before its refcount/assignment.\n\n[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.5"
        },
        {
          "id": "CVE-2025-37879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/net: fix improper handling of bogus negative read/write replies\n\nIn p9_client_write() and p9_client_read_once(), if the server\nincorrectly replies with success but a negative write/read count then we\nwould consider written (negative) <= rsize (positive) because both\nvariables were signed.\n\nMake variables unsigned to avoid this problem.\n\nThe reproducer linked below now fails with the following error instead\nof a null pointer deref:\n9pnet: bogus RWRITE count (4294967295 > 3)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: work around sched_yield not yielding in time-travel mode\n\nsched_yield by a userspace may not actually cause scheduling in\ntime-travel mode as no time has passed. In the case seen it appears to\nbe a badly implemented userspace spinlock in ASAN. Unfortunately, with\ntime-travel it causes an extreme slowdown or even deadlock depending on\nthe kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS).\n\nWork around it by accounting time to the process whenever it executes a\nsched_yield syscall.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()\n\nThe variable d->name, returned by devm_kasprintf(), could be NULL.\nA pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix isochronous Ring Underrun/Overrun event handling\n\nThe TRB pointer of these events points at enqueue at the time of error\noccurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we\nare handling the event, a new TD may be queued at this ring position.\n\nI can trigger this race by rising interrupt moderation to increase IRQ\nhandling delay. Similar delay may occur naturally due to system load.\n\nIf this ever happens after a Missed Service Error, missed TDs will be\nskipped and the new TD processed as if it matched the event. It could\nbe given back prematurely, risking data loss or buffer UAF by the xHC.\n\nDon't complete TDs on xrun events and don't warn if queued TDs don't\nmatch the event's TRB pointer, which can be NULL or a link/no-op TRB.\nDon't warn if there are no queued TDs at all.\n\nNow that it's safe, also handle xrun events if the skip flag is clear.\nThis ensures completion of any TD stuck in 'error mid TD' state right\nbefore the xrun event, which could happen if a driver submits a finite\nnumber of URBs to a buggy HC and then an error occurs on the last TD.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Add check for get_zeroed_page()\n\nAdd check for the return value of get_zeroed_page() in\nsclp_console_init() to prevent null pointer dereference.\nFurthermore, to solve the memory leak caused by the loop\nallocation, add a free helper to do the free job.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix deadlock between rcu_tasks_trace and event_mutex.\n\nFix the following deadlock:\nCPU A\n_free_event()\n  perf_kprobe_destroy()\n    mutex_lock(&event_mutex)\n      perf_trace_event_unreg()\n        synchronize_rcu_tasks_trace()\n\nThere are several paths where _free_event() grabs event_mutex\nand calls sync_rcu_tasks_trace. Above is one such case.\n\nCPU B\nbpf_prog_test_run_syscall()\n  rcu_read_lock_trace()\n    bpf_prog_run_pin_on_cpu()\n      bpf_prog_load()\n        bpf_tracing_func_proto()\n          trace_set_clr_event()\n            mutex_lock(&event_mutex)\n\nDelegate trace_set_clr_event() to workqueue to avoid\nsuch lock dependency.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reset IRTE to host control if *new* route isn't postable\n\nRestore an IRTE back to host control (remapped or posted MSI mode) if the\n*new* GSI route prevents posting the IRQ directly to a vCPU, regardless of\nthe GSI routing type.  Updating the IRTE if and only if the new GSI is an\nMSI results in KVM leaving an IRTE posting to a vCPU.\n\nThe dangling IRTE can result in interrupts being incorrectly delivered to\nthe guest, and in the worst case scenario can result in use-after-free,\ne.g. if the VM is torn down, but the underlying host IRQ isn't freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: make wait_context part of q_info\n\nMake the wait_context a full part of the q_info struct rather\nthan a stack variable that goes away after pdsc_adminq_post()\nis done so that the context is still available after the wait\nloop has given up.\n\nThere was a case where a slow development firmware caused\nthe adminq request to time out, but then later the FW finally\nfinished the request and sent the interrupt.  The handler tried\nto complete_all() the completion context that had been created\non the stack in pdsc_adminq_post() but no longer existed.\nThis caused bad pointer usage, kernel crashes, and much wailing\nand gnashing of teeth.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result\n\nIf the FW doesn't support the PDS_CORE_CMD_FW_CONTROL command\nthe driver might at the least print garbage and at the worst\ncrash when the user runs the \"devlink dev info\" devlink command.\n\nThis happens because the stack variable fw_list is not 0\ninitialized which results in fw_list.num_fw_slots being a\ngarbage value from the stack.  Then the driver tries to access\nfw_list.fw_names[i] with i >= ARRAY_SIZE and runs off the end\nof the array.\n\nFix this by initializing the fw_list and by not failing\ncompletely if the devcmd fails because other useful information\nis printed via devlink dev info even if the devcmd fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table()\n\nAdd NULL check for mlx5_get_flow_namespace() returns in\nmlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent\nNULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Consistently treat platform_max as control value\n\nThis reverts commit 9bdd10d57a88 (\"ASoC: ops: Shift tested values in\nsnd_soc_put_volsw() by +min\"), and makes some additional related\nupdates.\n\nThere are two ways the platform_max could be interpreted; the maximum\nregister value, or the maximum value the control can be set to. The\npatch moved from treating the value as a control value to a register\none. When the patch was applied it was technically correct as\nsnd_soc_limit_volume() also used the register interpretation. However,\neven then most of the other usages treated platform_max as a\ncontrol value, and snd_soc_limit_volume() has since been updated to\nalso do so in commit fb9ad24485087 (\"ASoC: ops: add correct range\ncheck for limiting volume\"). That patch, however, missed updating\nsnd_soc_put_volsw() back to the control interpretation, and fixing\nsnd_soc_info_volsw_range(). The control interpretation makes more\nsense as limiting is typically done from the machine driver, so it is\nappropriate to use the customer facing representation rather than the\ninternal codec representation. Update all the code to consistently use\nthis interpretation of platform_max.\n\nFinally, also add some comments to the soc_mixer_control struct to\nhopefully avoid further patches switching between the two approaches.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-37890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard's report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon't insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ump: Fix buffer overflow at UMP SysEx message conversion\n\nThe conversion function from MIDI 1.0 to UMP packet contains an\ninternal buffer to keep the incoming MIDI bytes, and its size is 4, as\nit was supposed to be the max size for a MIDI1 UMP packet data.\nHowever, the implementation overlooked that SysEx is handled in a\ndifferent format, and it can be up to 6 bytes, as found in\ndo_convert_to_ump().  It leads eventually to a buffer overflow, and\nmay corrupt the memory when a longer SysEx message is received.\n\nThe fix is simply to extend the buffer size to 6 to fit with the SysEx\nUMP message.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: inftlcore: Add error check for inftl_read_oob()\n\nIn INFTL_findwriteunit(), the return value of inftl_read_oob()\nneeds to be checked. A proper implementation can be\nfound in INFTL_deleteblock(). The status will be set as\nSECTOR_IGNORE to break from the while-loop correctly\nif the inftl_read_oob() fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Fix off-by-one error in build_prologue()\n\nVincent reported that running BPF progs with tailcalls on LoongArch\ncauses kernel hard lockup. Debugging the issues shows that the JITed\nimage is missing a jirl instruction at the end of the epilogue.\n\nThere are two passes in JIT compiling, the first pass sets the flags and\nthe second pass generates JIT code based on those flags. With BPF progs\nmixing bpf2bpf and tailcalls, build_prologue() generates N insns in the\nfirst pass and then generates N+1 insns in the second pass. This makes\nepilogue_offset off by one and we will jump to some unexpected insn and\ncause lockup. Fix this by inserting a nop insn.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use sock_gen_put() when sk_state is TCP_TIME_WAIT\n\nIt is possible for a pointer of type struct inet_timewait_sock to be\nreturned from the functions __inet_lookup_established() and\n__inet6_lookup_established(). This can cause a crash when the\nreturned pointer is of type struct inet_timewait_sock and\nsock_put() is called on it. The following is a crash call stack that\nshows sk->sk_wmem_alloc being accessed in sk_free() during the call to\nsock_put() on a struct inet_timewait_sock pointer. To avoid this issue,\nuse sock_gen_put() instead of sock_put() when sk->sk_state\nis TCP_TIME_WAIT.\n\nmrdump.ko        ipanic() + 120\nvmlinux          notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132\nvmlinux          atomic_notifier_call_chain(val=0) + 56\nvmlinux          panic() + 344\nvmlinux          add_taint() + 164\nvmlinux          end_report() + 136\nvmlinux          kasan_report(size=0) + 236\nvmlinux          report_tag_fault() + 16\nvmlinux          do_tag_recovery() + 16\nvmlinux          __do_kernel_fault() + 88\nvmlinux          do_bad_area() + 28\nvmlinux          do_tag_check_fault() + 60\nvmlinux          do_mem_abort() + 80\nvmlinux          el1_abort() + 56\nvmlinux          el1h_64_sync_handler() + 124\nvmlinux        > 0xFFFFFFC080011294()\nvmlinux          __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C)\nvmlinux          __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C)\nvmlinux          arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)\n+ 8\nvmlinux          raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)\n+ 8\nvmlinux          atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8\nvmlinux          __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C,\noldp=0) + 8\nvmlinux          __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8\nvmlinux          refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8\nvmlinux          sk_free(sk=0xF2FFFF82A8960700) + 28\nvmlinux          sock_put() + 48\nvmlinux          tcp6_check_fraglist_gro() + 236\nvmlinux          tcp6_gro_receive() + 624\nvmlinux          ipv6_gro_receive() + 912\nvmlinux          dev_gro_receive() + 1116\nvmlinux          napi_gro_receive() + 196\nccmni.ko         ccmni_rx_callback() + 208\nccmni.ko         ccmni_queue_recv_skb() + 388\nccci_dpmaif.ko   dpmaif_rxq_push_thread() + 1088\nvmlinux          kthread() + 268\nvmlinux          0xFFFFFFC08001F30C()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix error handling path in bnxt_init_chip()\n\nWARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails\nbecause we call cancel_work_sync() on dim work that has not been\ninitialized.\n\nWARNING: CPU: 37 PID: 5223 at kernel/workqueue.c:4201 __flush_work.isra.0+0x212/0x230\n\nThe driver relies on the BNXT_STATE_NAPI_DISABLED bit to check if dim\nwork has already been cancelled.  But in the bnxt_open() path,\nBNXT_STATE_NAPI_DISABLED is not set and this causes the error\npath to think that it needs to cancel the uninitialized dim work.\nFix it by setting BNXT_STATE_NAPI_DISABLED during initialization.\nThe bit will be cleared when we enable NAPI and initialize dim work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-mem: Add fix to avoid divide error\n\nFor some SPI flash memory operations, dummy bytes are not mandatory. For\nexample, in Winbond SPINAND flash memory devices, the `write_cache` and\n`update_cache` operation variants have zero dummy bytes. Calculating the\nduration for SPI memory operations with zero dummy bytes causes\na divide error when `ncycles` is calculated in the\nspi_mem_calc_op_duration().\n\nAdd changes to skip the 'ncycles' calculation for zero dummy bytes.\n\nThe following divide error is fixed by this change:\n\n Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n...\n\n  ? do_trap+0xdb/0x100\n  ? do_error_trap+0x75/0xb0\n  ? spi_mem_calc_op_duration+0x56/0xb0\n  ? exc_divide_error+0x3b/0x70\n  ? spi_mem_calc_op_duration+0x56/0xb0\n  ? asm_exc_divide_error+0x1b/0x20\n  ? spi_mem_calc_op_duration+0x56/0xb0\n  ? spinand_select_op_variant+0xee/0x190 [spinand]\n  spinand_match_and_init+0x13e/0x1a0 [spinand]\n  spinand_manufacturer_match+0x6e/0xa0 [spinand]\n  spinand_probe+0x357/0x7f0 [spinand]\n  ? kernfs_activate+0x87/0xd0\n  spi_mem_probe+0x7a/0xb0\n  spi_probe+0x7d/0x130",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: plfxlc: Remove erroneous assert in plfxlc_mac_release\n\nplfxlc_mac_release() asserts that mac->lock is held. This assertion is\nincorrect, because even if it was possible, it would not be the valid\nbehaviour. The function is used when probe fails or after the device is\ndisconnected. In both cases mac->lock can not be held as the driver is\nnot working with the device at the moment. All functions that use mac->lock\nunlock it just after it was held. There is also no need to hold mac->lock\nfor plfxlc_mac_release() itself, as mac data is not affected, except for\nmac->flags, which is modified atomically.\n\nThis bug leads to the following warning:\n================================================================\nWARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0\nModules linked in:\nCPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106\nCall Trace:\n <TASK>\n probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694\n usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165\n usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238\n usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620\n hub_port_connect drivers/usb/core/hub.c:5477 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]\n port_event drivers/usb/core/hub.c:5773 [inline]\n hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855\n process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292\n worker_thread+0xa47/0x1200 kernel/workqueue.c:2439\n kthread+0x28d/0x320 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n================================================================\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37898",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc64/ftrace: fix module loading without patchable function entries\n\nget_stubs_size assumes that there must always be at least one patchable\nfunction entry, which is not always the case (modules that export data\nbut no code), otherwise it returns -ENOEXEC and thus the section header\nsh_size is set to that value. During module_memory_alloc() the size is\npassed to execmem_alloc() after being page-aligned and thus set to zero\nwhich will cause it to fail the allocation (and thus module loading) as\n__vmalloc_node_range() checks for zero-sized allocs and returns null:\n\n[  115.466896] module_64: cast_common: doesn't contain __patchable_function_entries.\n[  115.469189] ------------[ cut here ]------------\n[  115.469496] WARNING: CPU: 0 PID: 274 at mm/vmalloc.c:3778 __vmalloc_node_range_noprof+0x8b4/0x8f0\n...\n[  115.478574] ---[ end trace 0000000000000000 ]---\n[  115.479545] execmem: unable to allocate memory\n\nFix this by removing the check completely, since it is anyway not\nhelpful to propagate this as an error upwards.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37898",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in session logoff\n\nThe sess->user object can currently be in use by another thread, for\nexample if another connection has sent a session setup request to\nbind to the session being free'd. The handler for that connection could\nbe in the smb2_sess_setup function which makes use of sess->user.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix two issues in iommu_copy_struct_from_user()\n\nIn the review for iommu_copy_struct_to_user() helper, Matt pointed out that\na NULL pointer should be rejected prior to dereferencing it:\nhttps://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com\n\nAnd Alok pointed out a typo at the same time:\nhttps://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com\n\nSince both issues were copied from iommu_copy_struct_from_user(), fix them\nfirst in the current header.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs\n\nOn Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not\nhave a corresponding MPM pin and should not be handled inside the MPM\ndriver. The IRQ domain hierarchy is always applied, so it's required to\nexplicitly disconnect the hierarchy for those. The pinctrl-msm driver marks\nthese with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but\nirq-qcom-mpm is currently missing the check. This is causing crashes when\nsetting up interrupts for non-wake GPIOs:\n\n root@rb1:~# gpiomon -c gpiochip1 10\n   irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1\n   Unable to handle kernel paging request at virtual address ffff8000a1dc3820\n   Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)\n   pc : mpm_set_type+0x80/0xcc\n   lr : mpm_set_type+0x5c/0xcc\n   Call trace:\n    mpm_set_type+0x80/0xcc (P)\n    qcom_mpm_set_type+0x64/0x158\n    irq_chip_set_type_parent+0x20/0x38\n    msm_gpio_irq_set_type+0x50/0x530\n    __irq_set_trigger+0x60/0x184\n    __setup_irq+0x304/0x6bc\n    request_threaded_irq+0xc8/0x19c\n    edge_detector_setup+0x260/0x364\n    linereq_create+0x420/0x5a8\n    gpio_ioctl+0x2d4/0x6c0\n\nFix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that\nMPM is removed entirely from the hierarchy for non-wake GPIOs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix slab-use-after-free in hdcp\n\nThe HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector\nobjects without incrementing the kref reference counts. When using a\nUSB-C dock, and the dock is unplugged, the corresponding\namdgpu_dm_connector objects are freed, creating dangling pointers in the\nHDCP code. When the dock is plugged back, the dangling pointers are\ndereferenced, resulting in a slab-use-after-free:\n\n[   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10\n\n[   66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233\n[   66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024\n[   66.776186] Workqueue: events event_property_validate [amdgpu]\n[   66.776494] Call Trace:\n[   66.776496]  <TASK>\n[   66.776497]  dump_stack_lvl+0x70/0xa0\n[   66.776504]  print_report+0x175/0x555\n[   66.776507]  ? __virt_addr_valid+0x243/0x450\n[   66.776510]  ? kasan_complete_mode_report_info+0x66/0x1c0\n[   66.776515]  kasan_report+0xeb/0x1c0\n[   66.776518]  ? event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.776819]  ? event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.777121]  __asan_report_load4_noabort+0x14/0x20\n[   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu]\n[   66.777342]  ? __lock_acquire+0x6b40/0x6b40\n[   66.777347]  ? enable_assr+0x250/0x250 [amdgpu]\n[   66.777571]  process_one_work+0x86b/0x1510\n[   66.777575]  ? pwq_dec_nr_in_flight+0xcf0/0xcf0\n[   66.777578]  ? assign_work+0x16b/0x280\n[   66.777580]  ? lock_is_held_type+0xa3/0x130\n[   66.777583]  worker_thread+0x5c0/0xfa0\n[   66.777587]  ? process_one_work+0x1510/0x1510\n[   66.777588]  kthread+0x3a2/0x840\n[   66.777591]  ? kthread_is_per_cpu+0xd0/0xd0\n[   66.777594]  ? trace_hardirqs_on+0x4f/0x60\n[   66.777597]  ? _raw_spin_unlock_irq+0x27/0x60\n[   66.777599]  ? calculate_sigpending+0x77/0xa0\n[   66.777602]  ? kthread_is_per_cpu+0xd0/0xd0\n[   66.777605]  ret_from_fork+0x40/0x90\n[   66.777607]  ? kthread_is_per_cpu+0xd0/0xd0\n[   66.777609]  ret_from_fork_asm+0x11/0x20\n[   66.777614]  </TASK>\n\n[   66.777643] Allocated by task 10:\n[   66.777646]  kasan_save_stack+0x39/0x60\n[   66.777649]  kasan_save_track+0x14/0x40\n[   66.777652]  kasan_save_alloc_info+0x37/0x50\n[   66.777655]  __kasan_kmalloc+0xbb/0xc0\n[   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0\n[   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu]\n[   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper]\n[   66.777892]  drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper]\n[   66.777901]  drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper]\n[   66.777909]  drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper]\n[   66.777917]  process_one_work+0x86b/0x1510\n[   66.777919]  worker_thread+0x5c0/0xfa0\n[   66.777922]  kthread+0x3a2/0x840\n[   66.777925]  ret_from_fork+0x40/0x90\n[   66.777927]  ret_from_fork_asm+0x11/0x20\n\n[   66.777932] Freed by task 1713:\n[   66.777935]  kasan_save_stack+0x39/0x60\n[   66.777938]  kasan_save_track+0x14/0x40\n[   66.777940]  kasan_save_free_info+0x3b/0x60\n[   66.777944]  __kasan_slab_free+0x52/0x70\n[   66.777946]  kfree+0x13f/0x4b0\n[   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu]\n[   66.778179]  drm_connector_free+0x7d/0xb0\n[   66.778184]  drm_mode_object_put.part.0+0xee/0x160\n[   66.778188]  drm_mode_object_put+0x37/0x50\n[   66.778191]  drm_atomic_state_default_clear+0x220/0xd60\n[   66.778194]  __drm_atomic_state_free+0x16e/0x2a0\n[   66.778197]  drm_mode_atomic_ioctl+0x15ed/0x2ba0\n[   66.778200]  drm_ioctl_kernel+0x17a/0x310\n[   66.778203]  drm_ioctl+0x584/0xd10\n[   66.778206]  amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu]\n[   66.778375]  __x64_sys_ioctl+0x139/0x1a0\n[   66.778378]  x64_sys_call+0xee7/0xfb0\n[   66.778381] \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix the inode leak in btrfs_iget()\n\n[BUG]\nThere is a bug report that a syzbot reproducer can lead to the following\nbusy inode at unmount time:\n\n  BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50\n  VFS: Busy inodes after unmount of loop1 (btrfs)\n  ------------[ cut here ]------------\n  kernel BUG at fs/super.c:650!\n  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n  CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full)\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650\n  Call Trace:\n   <TASK>\n   kill_anon_super+0x3a/0x60 fs/super.c:1237\n   btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099\n   deactivate_locked_super+0xbe/0x1a0 fs/super.c:473\n   deactivate_super fs/super.c:506 [inline]\n   deactivate_super+0xe2/0x100 fs/super.c:502\n   cleanup_mnt+0x21f/0x440 fs/namespace.c:1435\n   task_work_run+0x14d/0x240 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop kernel/entry/common.c:114 [inline]\n   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n   syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218\n   do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\n[CAUSE]\nWhen btrfs_alloc_path() failed, btrfs_iget() directly returned without\nreleasing the inode already allocated by btrfs_iget_locked().\n\nThis results in the above busy inode and triggers the kernel BUG.\n\n[FIX]\nFix it by calling iget_failed() if btrfs_alloc_path() failed.\n\nIf we hit an error inside btrfs_read_locked_inode(), it will properly call\niget_failed(), so nothing to worry about.\n\nAlthough the iget_failed() cleanup inside btrfs_read_locked_inode() is a\nbreak of the normal error handling scheme, let's fix the obvious bug\nand backport first, then rework the error handling later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Balance device refcount when destroying devices\n\nUsing device_find_child() to look up the proper SCMI device to destroy\ncauses an unbalance in device refcount, since device_find_child() calls an\nimplicit get_device(): this, in turn, inhibits the call of the provided\nrelease methods upon device destruction.\n\nAs a consequence, one of the structures that is not freed properly upon\ndestruction is the internal struct device_private dev->p populated by the\ndrivers subsystem core.\n\nKMemleak detects this situation since loading/unloading some SCMI driver\ncauses related devices to be created/destroyed without calling any\ndevice_release method.\n\nunreferenced object 0xffff00000f583800 (size 512):\n  comm \"insmod\", pid 227, jiffies 4294912190\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......\n  backtrace (crc 114e2eed):\n    kmemleak_alloc+0xbc/0xd8\n    __kmalloc_cache_noprof+0x2dc/0x398\n    device_add+0x954/0x12d0\n    device_register+0x28/0x40\n    __scmi_device_create.part.0+0x1bc/0x380\n    scmi_device_create+0x2d0/0x390\n    scmi_create_protocol_devices+0x74/0xf8\n    scmi_device_request_notifier+0x1f8/0x2a8\n    notifier_call_chain+0x110/0x3b0\n    blocking_notifier_call_chain+0x70/0xb0\n    scmi_driver_register+0x350/0x7f0\n    0xffff80000a3b3038\n    do_one_initcall+0x12c/0x730\n    do_init_module+0x1dc/0x640\n    load_module+0x4b20/0x5b70\n    init_module_from_file+0xec/0x158\n\n$ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0\ndevice_add+0x954/0x12d0:\nkmalloc_noprof at include/linux/slab.h:901\n(inlined by) kzalloc_noprof at include/linux/slab.h:1037\n(inlined by) device_private_init at drivers/base/core.c:3510\n(inlined by) device_add at drivers/base/core.c:3561\n\nBalance device refcount by issuing a put_device() on devices found via\ndevice_find_child().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd\n\nublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but\nwe may have scheduled task work via io_uring_cmd_complete_in_task() for\ndispatching the request, in which case a kernel crash can be triggered.\n\nFix it by not trying to cancel the command if the ublk block request is\nstarted.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix locking order in ivpu_job_submit\n\nFix deadlock in job submission and abort handling.\nWhen a thread aborts currently executing jobs due to a fault,\nit first locks the global lock protecting submitted_jobs (#1).\n\nAfter the last job is destroyed, it proceeds to release the related context\nand locks file_priv (#2). Meanwhile, in the job submission thread,\nthe file_priv lock (#2) is taken first, and then the submitted_jobs\nlock (#1) is obtained when a job is added to the submitted jobs list.\n\n       CPU0                            CPU1\n       ----                    \t       ----\n  (for example due to a fault)         (jobs submissions keep coming)\n\n  lock(&vdev->submitted_jobs_lock) #1\n  ivpu_jobs_abort_all()\n  job_destroy()\n                                      lock(&file_priv->lock)           #2\n                                      lock(&vdev->submitted_jobs_lock) #1\n  file_priv_release()\n  lock(&vdev->context_list_lock)\n  lock(&file_priv->lock)           #2\n\nThis order of locking causes a deadlock. To resolve this issue,\nchange the order of locking in ivpu_job_submit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slab: clean up slab->obj_exts always\n\nWhen memory allocation profiling is disabled at runtime or due to an\nerror, shutdown_mem_profiling() is called: slab->obj_exts which\npreviously allocated remains.\nIt won't be cleared by unaccount_slab() because of\nmem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts\nshould always be cleaned up in unaccount_slab() to avoid following error:\n\n[...]BUG: Bad page state in process...\n..\n[...]page dumped because: page still charged to cgroup\n\n[andriy.shevchenko@linux.intel.com: fold need_slab_obj_ext() into its only user]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: Fix memleak issue when GSO enabled\n\nAlways map the `skb` to the LS descriptor. Previously skb was\nmapped to EXT descriptor when the number of fragments is zero with\nGSO enabled. Mapping the skb to EXT descriptor prevents it from\nbeing freed, leading to a memory leak",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations\n\nOn Adva boards, SMA sysfs store/get operations can call\n__handle_signal_outputs() or __handle_signal_inputs() while the `irig`\nand `dcf` pointers are uninitialized, leading to a NULL pointer\ndereference in __handle_signal() and causing a kernel crash. Adva boards\ndon't use `irig` or `dcf` functionality, so add Adva-specific callbacks\n`ptp_ocp_sma_adva_set_outputs()` and `ptp_ocp_sma_adva_set_inputs()` that\navoid invoking `irig` or `dcf` input/output routines.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix out-of-bound memcpy() during ethtool -w\n\nWhen retrieving the FW coredump using ethtool, it can sometimes cause\nmemory corruption:\n\nBUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nCorrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):\n__bnxt_get_coredump+0x3ef/0x670 [bnxt_en]\nethtool_get_dump_data+0xdc/0x1a0\n__dev_ethtool+0xa1e/0x1af0\ndev_ethtool+0xa8/0x170\ndev_ioctl+0x1b5/0x580\nsock_do_ioctl+0xab/0xf0\nsock_ioctl+0x1ce/0x2e0\n__x64_sys_ioctl+0x87/0xc0\ndo_syscall_64+0x5c/0xf0\nentry_SYSCALL_64_after_hwframe+0x78/0x80\n\n...\n\nThis happens when copying the coredump segment list in\nbnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.\nThe info->dest_buf buffer is allocated based on the number of coredump\nsegments returned by the FW.  The segment list is then DMA'ed by\nthe FW and the length of the DMA is returned by FW.  The driver then\ncopies this DMA'ed segment list to info->dest_buf.\n\nIn some cases, this DMA length may exceed the info->dest_buf length\nand cause the above BUG condition.  Fix it by capping the copy\nlength to not exceed the length of info->dest_buf.  The extra\nDMA data contains no useful information.\n\nThis code path is shared for the HWRM_DBG_COREDUMP_LIST and the\nHWRM_DBG_COREDUMP_RETRIEVE FW commands.  The buffering is different\nfor these 2 FW commands.  To simplify the logic, we need to move\nthe line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE\nup, so that the new check to cap the copy length will work for both\ncommands.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()\n\nAs mentioned in the commit baeb705fd6a7 (\"ice: always check VF VSI\npointer values\"), we need to perform a null pointer check on the return\nvalue of ice_get_vf_vsi() before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: qfq: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of qfq, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nThis patch checks whether the class was already added to the agg->active\nlist (cl_is_active) before doing the addition to cater for the reentrant\ncase.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of ets, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether\nthe class was already added to the active_list (cl_is_active) before\ndoing the addition to cater for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: drr: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of drr, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether the\nclass was already added to the active_list (cl_is_active) before adding\nto the list to cover for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: remove write-after-free of client_id\n\nA use-after-free error popped up in stress testing:\n\n[Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core]\n[Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47):\n[Mon Apr 21 21:21:33 2025]  pdsc_auxbus_dev_del+0xef/0x160 [pds_core]\n[Mon Apr 21 21:21:33 2025]  pdsc_remove+0xc0/0x1b0 [pds_core]\n[Mon Apr 21 21:21:33 2025]  pci_device_remove+0x24/0x70\n[Mon Apr 21 21:21:33 2025]  device_release_driver_internal+0x11f/0x180\n[Mon Apr 21 21:21:33 2025]  driver_detach+0x45/0x80\n[Mon Apr 21 21:21:33 2025]  bus_remove_driver+0x83/0xe0\n[Mon Apr 21 21:21:33 2025]  pci_unregister_driver+0x1a/0x80\n\nThe actual device uninit usually happens on a separate thread\nscheduled after this code runs, but there is no guarantee of order\nof thread execution, so this could be a problem.  There's no\nactual need to clear the client_id at this point, so simply\nremove the offending code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll\n\nUse spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock\nand spin_unlock in mtk_star_emac driver to avoid spinlock recursion\noccurrence that can happen when enabling the DMA interrupts again in\nrx/tx poll.\n\n```\nBUG: spinlock recursion on CPU#0, swapper/0/0\n lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,\n    .owner_cpu: 0\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted\n    6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT\nHardware name: MediaTek MT8365 Open Platform EVK (DT)\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x60/0x80\n dump_stack+0x18/0x24\n spin_dump+0x78/0x88\n do_raw_spin_lock+0x11c/0x120\n _raw_spin_lock+0x20/0x2c\n mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]\n __handle_irq_event_percpu+0x48/0x140\n handle_irq_event+0x4c/0xb0\n handle_fasteoi_irq+0xa0/0x1bc\n handle_irq_desc+0x34/0x58\n generic_handle_domain_irq+0x1c/0x28\n gic_handle_irq+0x4c/0x120\n do_interrupt_handler+0x50/0x84\n el1_interrupt+0x34/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n regmap_mmio_read32le+0xc/0x20 (P)\n _regmap_bus_reg_read+0x6c/0xac\n _regmap_read+0x60/0xdc\n regmap_read+0x4c/0x80\n mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]\n __napi_poll+0x38/0x188\n net_rx_action+0x164/0x2c0\n handle_softirqs+0x100/0x244\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x24/0x64\n do_softirq_own_stack+0x1c/0x40\n __irq_exit_rcu+0xd4/0x10c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n cpuidle_enter_state+0xac/0x320 (P)\n cpuidle_enter+0x38/0x50\n do_idle+0x1e4/0x260\n cpu_startup_entry+0x34/0x3c\n rest_init+0xdc/0xe0\n console_on_rootfs+0x0/0x6c\n __primary_switched+0x88/0x90\n```",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()\n\nA NULL pointer dereference can occur in skb_dequeue() when processing a\nQCA firmware crash dump on WCN7851 (0489:e0f3).\n\n[ 93.672166] Bluetooth: hci0: ACL memdump size(589824)\n\n[ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth]\n[ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80\n\nThe issue stems from handle_dump_pkt_qca() returning 0 even when a dump\npacket is successfully processed. This is because it incorrectly\nforwards the return value of hci_devcd_init() (which returns 0 on\nsuccess). As a result, the caller (btusb_recv_acl_qca() or\nbtusb_recv_evt_qca()) assumes the packet was not handled and passes it\nto hci_recv_frame(), leading to premature kfree() of the skb.\n\nLater, hci_devcd_rx() attempts to dequeue the same skb from the dump\nqueue, resulting in a NULL pointer dereference.\n\nFix this by:\n1. Making handle_dump_pkt_qca() return 0 on success and negative errno\n   on failure, consistent with kernel conventions.\n2. Splitting dump packet detection into separate functions for ACL\n   and event packets for better structure and readability.\n\nThis ensures dump packets are properly identified and consumed, avoiding\ndouble handling and preventing NULL pointer access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot\n\nUpdate chip data using dev_get_drvdata(dev->parent) to fix\nNULL pointer deref in acp_i2s_set_tdm_slot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix race condition in AF_XDP generic RX path\n\nMove rx_lock from xsk_socket to xsk_buff_pool.\nFix synchronization for shared umem mode in\ngeneric RX path where multiple sockets share\nsingle xsk_buff_pool.\n\nRX queue is exclusive to xsk_socket, while FILL\nqueue can be shared between multiple sockets.\nThis could result in race condition where two\nCPU cores access RX path of two different sockets\nsharing the same umem.\n\nProtect both queues by acquiring spinlock in shared\nxsk_buff_pool.\n\nLock contention may be minimized in the future by some\nper-thread FQ buffering.\n\nIt's safe and necessary to move spin_lock_bh(rx_lock)\nafter xsk_rcv_check():\n* xs->pool and spinlock_init is synchronized by\n  xsk_bind() -> xsk_is_bound() memory barriers.\n* xsk_rcv_check() may return true at the moment\n  of xsk_release() or xsk_unbind_dev(),\n  however this will not cause any data races or\n  race conditions. xsk_unbind_dev() removes xdp\n  socket from all maps and waits for completion\n  of all outstanding rx operations. Packets in\n  RX path will either complete safely or drop.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: vnifilter: Fix unlocked deletion of default FDB entry\n\nWhen a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB\nentry associated with the default remote (assuming one was configured)\nis deleted without holding the hash lock. This is wrong and will result\nin a warning [1] being generated by the lockdep annotation that was\nadded by commit ebe642067455 (\"vxlan: Create wrappers for FDB lookup\").\n\nReproducer:\n\n # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1\n # bridge vni add vni 10010 remote 198.51.100.1 dev vx0\n # bridge vni del vni 10010 dev vx0\n\nFix by acquiring the hash lock before the deletion and releasing it\nafterwards. Blame the original commit that introduced the issue rather\nthan the one that exposed it.\n\n[1]\nWARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0\n[...]\nRIP: 0010:vxlan_find_mac+0x17f/0x1a0\n[...]\nCall Trace:\n <TASK>\n __vxlan_fdb_delete+0xbe/0x560\n vxlan_vni_delete_group+0x2ba/0x940\n vxlan_vni_del.isra.0+0x15f/0x580\n vxlan_process_vni_filter+0x38b/0x7b0\n vxlan_vnifilter_process+0x3bb/0x510\n rtnetlink_rcv_msg+0x2f7/0xb70\n netlink_rcv_skb+0x131/0x360\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n __sys_sendmsg+0x121/0x1b0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbook3s64/radix : Align section vmemmap start address to PAGE_SIZE\n\nA vmemmap altmap is a device-provided region used to provide\nbacking storage for struct pages. For each namespace, the altmap\nshould belong to that same namespace. If the namespaces are\ncreated unaligned, there is a chance that the section vmemmap\nstart address could also be unaligned. If the section vmemmap\nstart address is unaligned, the altmap page allocated from the\ncurrent namespace might be used by the previous namespace also.\nDuring the free operation, since the altmap is shared between two\nnamespaces, the previous namespace may detect that the page does\nnot belong to its altmap and incorrectly assume that the page is a\nnormal page. It then attempts to free the normal page, which leads\nto a kernel crash.\n\nKernel attempted to read user page (18) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000018\nFaulting instruction address: 0xc000000000530c7c\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\nCPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G        W\nNIP:  c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffe\nREGS: c000000015e57040 TRAP: 0300   Tainted: G        W\nMSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 84482404\nCFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0\nGPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040\nGPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001f\nGPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000\nGPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020\nGPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00\nGPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fff\nGPR24: 0000000000000001 0000000000000000 0000000000000000 0000000000000000\nGPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040\nNIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0\nLR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0\nCall Trace:\nfree_unref_page+0x50/0x1e0\nfree_reserved_page+0x40/0x68\nfree_vmemmap_pages+0x98/0xe0\nremove_pte_table+0x164/0x1e8\nremove_pmd_table+0x204/0x2c8\nremove_pud_table+0x1c4/0x288\nremove_pagetable+0x1c8/0x310\nvmemmap_free+0x24/0x50\nsection_deactivate+0x28c/0x2a0\n__remove_pages+0x84/0x110\narch_remove_memory+0x38/0x60\nmemunmap_pages+0x18c/0x3d0\ndevm_action_release+0x30/0x50\nrelease_nodes+0x68/0x140\ndevres_release_group+0x100/0x190\ndax_pmem_compat_release+0x44/0x80 [dax_pmem_compat]\ndevice_for_each_child+0x8c/0x100\n[dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat]\nnvdimm_bus_remove+0x78/0x140 [libnvdimm]\ndevice_remove+0x70/0xd0\n\nAnother issue is that if there is no altmap, a PMD-sized vmemmap\npage will be allocated from RAM, regardless of the alignment of\nthe section start address. If the section start address is not\naligned to the PMD size, a VM_BUG_ON will be triggered when\nsetting the PMD-sized page to page table.\n\nIn this patch, we are aligning the section vmemmap start address\nto PAGE_SIZE. After alignment, the start address will not be\npart of the current namespace, and a normal page will be allocated\nfor the vmemmap mapping of the current section. For the remaining\nsections, altmaps will be allocated. During the free operation,\nthe normal page will be correctly freed.\n\nIn the same way, a PMD_SIZE vmemmap page will be allocated only if\nthe section start address is PMD_SIZE-aligned; otherwise, it will\nfall back to a PAGE-sized vmemmap allocation.\n\nWithout this patch\n==================\nNS1 start               NS2 start\n _________________________________________________________\n|         NS1               |            NS2              |\n ---------------------------------------------------------\n| Altmap| Altmap | .....|Altmap| Altmap | ...........\n|  NS1  |  NS1   \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix oob write in trace_seq_to_buffer()\n\nsyzbot reported this bug:\n==================================================================\nBUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\nBUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\nWrite of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260\n\nCPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106\n trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]\n tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822\n ....\n==================================================================\n\nIt has been reported that trace_seq_to_buffer() tries to copy more data\nthan PAGE_SIZE to buf. Therefore, to prevent this, we should use the\nsmaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in kerberos authentication\n\nSetting sess->user = NULL was introduced to fix the dangling pointer\ncreated by ksmbd_free_user. However, it is possible another thread could\nbe operating on the session and make use of sess->user after it has been\npassed to ksmbd_free_user but before sess->user is set to NULL.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: reject on-disk inodes of an unsupported type\n\nSyzbot has reported the following BUG:\n\nkernel BUG at fs/inode.c:668!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nRIP: 0010:clear_inode+0x168/0x190\nCode: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7\n 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f\nRSP: 0018:ffffc900027dfae8 EFLAGS: 00010093\nRAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38\nR10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000\nR13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80\nFS:  0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n ? __die_body+0x5f/0xb0\n ? die+0x9e/0xc0\n ? do_trap+0x15a/0x3a0\n ? clear_inode+0x168/0x190\n ? do_error_trap+0x1dc/0x2c0\n ? clear_inode+0x168/0x190\n ? __pfx_do_error_trap+0x10/0x10\n ? report_bug+0x3cd/0x500\n ? handle_invalid_op+0x34/0x40\n ? clear_inode+0x168/0x190\n ? exc_invalid_op+0x38/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? clear_inode+0x57/0x190\n ? clear_inode+0x167/0x190\n ? clear_inode+0x168/0x190\n ? clear_inode+0x167/0x190\n jfs_evict_inode+0xb5/0x440\n ? __pfx_jfs_evict_inode+0x10/0x10\n evict+0x4ea/0x9b0\n ? __pfx_evict+0x10/0x10\n ? iput+0x713/0xa50\n txUpdateMap+0x931/0xb10\n ? __pfx_txUpdateMap+0x10/0x10\n jfs_lazycommit+0x49a/0xb80\n ? _raw_spin_unlock_irqrestore+0x8f/0x140\n ? lockdep_hardirqs_on+0x99/0x150\n ? __pfx_jfs_lazycommit+0x10/0x10\n ? __pfx_default_wake_function+0x10/0x10\n ? __kthread_parkme+0x169/0x1d0\n ? __pfx_jfs_lazycommit+0x10/0x10\n kthread+0x2f2/0x390\n ? __pfx_jfs_lazycommit+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x4d/0x80\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThis happens when 'clear_inode()' makes an attempt to finalize an underlying\nJFS inode of unknown type. According to JFS layout description from\nhttps://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to\n15 are reserved for future extensions and should not be encountered on a valid\nfilesystem. So add an extra check for valid inode type in 'copy_from_dinode()'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_session_rpc_open\n\nA UAF issue can occur due to a race condition between\nksmbd_session_rpc_open() and __session_rpc_close().\nAdd rpc_lock to the session to protect it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid\n\nThere is a string parsing logic error which can lead to an overflow of hid\nor uid buffers. Comparing ACPIID_LEN against a total string length doesn't\ntake into account the lengths of individual hid and uid buffers so the\ncheck is insufficient in some cases. For example if the length of hid\nstring is 4 and the length of the uid string is 260, the length of str\nwill be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer\nwhich size is 256.\n\nThe same applies to the hid string with length 13 and uid string with\nlength 250.\n\nCheck the length of hid and uid strings separately to prevent\nbuffer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: don't schedule in atomic context\n\nA BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and\ntry_verify_in_tasklet are enabled.\n[  129.444685][  T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421\n[  129.444723][  T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4\n[  129.444740][  T934] preempt_count: 201, expected: 0\n[  129.444756][  T934] RCU nest depth: 0, expected: 0\n[  129.444781][  T934] Preemption disabled at:\n[  129.444789][  T934] [<ffffffd816231900>] shrink_work+0x21c/0x248\n[  129.445167][  T934] kernel BUG at kernel/sched/walt/walt_debug.c:16!\n[  129.445183][  T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[  129.445204][  T934] Skip md ftrace buffer dump for: 0x1609e0\n[  129.447348][  T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G        W  OE      6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8\n[  129.447362][  T934] Hardware name: Qualcomm Technologies, Inc. Parrot QRD, Alpha-M (DT)\n[  129.447373][  T934] Workqueue: dm_bufio_cache shrink_work\n[  129.447394][  T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  129.447406][  T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug]\n[  129.447435][  T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c\n[  129.447451][  T934] sp : ffffffc0843dbc90\n[  129.447459][  T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b\n[  129.447479][  T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68\n[  129.447497][  T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900\n[  129.447517][  T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030\n[  129.447535][  T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358\n[  129.447554][  T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003\n[  129.447572][  T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400\n[  129.447591][  T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8\n[  129.447610][  T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0\n[  129.447629][  T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000\n[  129.447647][  T934] Call trace:\n[  129.447655][  T934]  android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6]\n[  129.447681][  T934]  __might_resched+0x190/0x1a8\n[  129.447694][  T934]  shrink_work+0x180/0x248\n[  129.447706][  T934]  process_one_work+0x260/0x624\n[  129.447718][  T934]  worker_thread+0x28c/0x454\n[  129.447729][  T934]  kthread+0x118/0x158\n[  129.447742][  T934]  ret_from_fork+0x10/0x20\n[  129.447761][  T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000)\n[  129.447772][  T934] ---[ end trace 0000000000000000 ]---\n\ndm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet\nis enabled, and __scan will be called in atomic context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays\n\nCommit a5951389e58d (\"arm64: errata: Add newer ARM cores to the\nspectre_bhb_loop_affected() lists\") added some additional CPUs to the\nSpectre-BHB workaround, including some new arrays for designs that\nrequire new 'k' values for the workaround to be effective.\n\nUnfortunately, the new arrays omitted the sentinel entry and so\nis_midr_in_range_list() will walk off the end when it doesn't find a\nmatch. With UBSAN enabled, this leads to a crash during boot when\nis_midr_in_range_list() is inlined (which was more common prior to\nc8c2647e69be (\"arm64: Make \u00a0_midr_in_range_list() an exported\nfunction\")):\n\n |  Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP\n |  pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n |  pc : spectre_bhb_loop_affected+0x28/0x30\n |  lr : is_spectre_bhb_affected+0x170/0x190\n | [...]\n |  Call trace:\n |   spectre_bhb_loop_affected+0x28/0x30\n |   update_cpu_capabilities+0xc0/0x184\n |   init_cpu_features+0x188/0x1a4\n |   cpuinfo_store_boot_cpu+0x4c/0x60\n |   smp_prepare_boot_cpu+0x38/0x54\n |   start_kernel+0x8c/0x478\n |   __primary_switched+0xc8/0xd4\n |  Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)\n |  ---[ end trace 0000000000000000 ]---\n |  Kernel panic - not syncing: aarch64 BRK: Fatal exception\n\nAdd the missing sentinel entries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.6"
        },
        {
          "id": "CVE-2025-37930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()\n\nNouveau is mostly designed in a way that it's expected that fences only\never get signaled through nouveau_fence_signal(). However, in at least\none other place, nouveau_fence_done(), can signal fences, too. If that\nhappens (race) a signaled fence remains in the pending list for a while,\nuntil it gets removed by nouveau_fence_update().\n\nShould nouveau_fence_context_kill() run in the meantime, this would be\na bug because the function would attempt to set an error code on an\nalready signaled fence.\n\nHave nouveau_fence_context_kill() check for a fence being signaled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: adjust subpage bit start based on sectorsize\n\nWhen running machines with 64k page size and a 16k nodesize we started\nseeing tree log corruption in production.  This turned out to be because\nwe were not writing out dirty blocks sometimes, so this in fact affects\nall metadata writes.\n\nWhen writing out a subpage EB we scan the subpage bitmap for a dirty\nrange.  If the range isn't dirty we do\n\n\tbit_start++;\n\nto move onto the next bit.  The problem is the bitmap is based on the\nnumber of sectors that an EB has.  So in this case, we have a 64k\npagesize, 16k nodesize, but a 4k sectorsize.  This means our bitmap is 4\nbits for every node.  With a 64k page size we end up with 4 nodes per\npage.\n\nTo make this easier this is how everything looks\n\n[0         16k       32k       48k     ] logical address\n[0         4         8         12      ] radix tree offset\n[               64k page               ] folio\n[ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers\n[ | | | |  | | | |   | | | |   | | | | ] bitmap\n\nNow we use all of our addressing based on fs_info->sectorsize_bits, so\nas you can see the above our 16k eb->start turns into radix entry 4.\n\nWhen we find a dirty range for our eb, we correctly do bit_start +=\nsectors_per_node, because if we start at bit 0, the next bit for the\nnext eb is 4, to correspond to eb->start 16k.\n\nHowever if our range is clean, we will do bit_start++, which will now\nput us offset from our radix tree entries.\n\nIn our case, assume that the first time we check the bitmap the block is\nnot dirty, we increment bit_start so now it == 1, and then we loop\naround and check again.  This time it is dirty, and we go to find that\nstart using the following equation\n\n\tstart = folio_start + bit_start * fs_info->sectorsize;\n\nso in the case above, eb->start 0 is now dirty, and we calculate start\nas\n\n\t0 + 1 * fs_info->sectorsize = 4096\n\t4096 >> 12 = 1\n\nNow we're looking up the radix tree for 1, and we won't find an eb.\nWhat's worse is now we're using bit_start == 1, so we do bit_start +=\nsectors_per_node, which is now 5.  If that eb is dirty we will run into\nthe same thing, we will look at an offset that is not populated in the\nradix tree, and now we're skipping the writeout of dirty extent buffers.\n\nThe best fix for this is to not use sectorsize_bits to address nodes,\nbut that's a larger change.  Since this is a fs corruption problem fix\nit simply by always using sectors_per_node to increment the start bit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_qlen_notify() idempotent\n\nhtb_qlen_notify() always deactivates the HTB class and in fact could\ntrigger a warning if it is already deactivated. Therefore, it is not\nidempotent and not friendly to its callers, like fq_codel_dequeue().\n\nLet's make it idempotent to ease qdisc_tree_reduce_backlog() callers'\nlife.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix host hang issue during device reboot\n\nWhen the host loses heartbeat messages from the device,\nthe driver calls the device-specific ndo_stop function,\nwhich frees the resources. If the driver is unloaded in\nthis scenario, it calls ndo_stop again, attempting to free\nresources that have already been freed, leading to a host\nhang issue. To resolve this, dev_close should be called\ninstead of the device-specific stop function.dev_close\ninternally calls ndo_stop to stop the network interface\nand performs additional cleanup tasks. During the driver\nunload process, if the device is already down, ndo_stop\nis not called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction\n\nActually check if the passed pointers are valid, before writing to them.\nThis also fixes a USBAN warning:\nUBSAN: invalid-load in ../sound/soc/fsl/imx-card.c:687:25\nload of value 255 is not a valid value for type '_Bool'\n\nThis is because playback_only is uninitialized and is not written to, as\nthe playback-only property is absent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM\n\nIf the mtk_poll_rx() function detects the MTK_RESETTING flag, it will\njump to release_desc and refill the high word of the SDP on the 4GB RFB.\nSubsequently, mtk_rx_clean will process an incorrect SDP, leading to a\npanic.\n\nAdd patch from MediaTek's SDK to resolve this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.\n\nWhen generating the MSR_IA32_PEBS_ENABLE value that will be loaded on\nVM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE\nvalue.  Consulting only the host kernel's host vs. guest masks results in\nrunning the guest with PEBS enabled even when the guest doesn't want to use\nPEBS.  Because KVM uses perf events to proxy the guest virtual PMU, simply\nlooking at exclude_host can't differentiate between events created by host\nuserspace, and events created by KVM on behalf of the guest.\n\nRunning the guest with PEBS unexpectedly enabled typically manifests as\ncrashes due to a near-infinite stream of #PFs.  E.g. if the guest hasn't\nwritten MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when\ntrying to record PEBS events.\n\nThe issue is most easily reproduced by running `perf kvm top` from before\ncommit 7b100989b4f6 (\"perf evlist: Remove __evlist__add_default\") (after\nwhich, `perf kvm top` effectively stopped using PEBS).\tThe userspace side\nof perf creates a guest-only PEBS event, which intel_guest_get_msrs()\nmisconstrues a guest-*owned* PEBS event.\n\nArguably, this is a userspace bug, as enabling PEBS on guest-only events\nsimply cannot work, and userspace can kill VMs in many other ways (there\nis no danger to the host).  However, even if this is considered to be bad\nuserspace behavior, there's zero downside to perf/KVM restricting PEBS to\nguest-owned events.\n\nNote, commit 854250329c02 (\"KVM: x86/pmu: Disable guest PEBS temporarily\nin two rare situations\") fixed the case where host userspace is profiling\nKVM *and* userspace, but missed the case where userspace is profiling only\nKVM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()\n\nIf dib8000_set_dds()'s call to dib8000_read32() returns zero, the result\nis a divide-by-zero.  Prevent that from happening.\n\nFixes the following warning with an UBSAN kernel:\n\n  drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Verify event formats that have \"%*p..\"\n\nThe trace event verifier checks the formats of trace events to make sure\nthat they do not point at memory that is not in the trace event itself or\nin data that will never be freed. If an event references data that was\nallocated when the event triggered and that same data is freed before the\nevent is read, then the kernel can crash by reading freed memory.\n\nThe verifier runs at boot up (or module load) and scans the print formats\nof the events and checks their arguments to make sure that dereferenced\npointers are safe. If the format uses \"%*p..\" the verifier will ignore it,\nand that could be dangerous. Cover this case as well.\n\nAlso add to the sample code a use case of \"%*pbl\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Fix accessing BTF.ext core_relo header\n\nUpdate btf_ext_parse_info() to ensure the core_relo header is present\nbefore reading its fields. This avoids a potential buffer read overflow\nreported by the OSS Fuzz project.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Add cond_resched() to ftrace_graph_set_hash()\n\nWhen the kernel contains a large number of functions that can be traced,\nthe loop in ftrace_graph_set_hash() may take a lot of time to execute.\nThis may trigger the softlockup watchdog.\n\nAdd cond_resched() within the loop to allow the kernel to remain\nresponsive even when processing a large number of functions.\n\nThis matches the cond_resched() that is used in other locations of the\ncode that iterates over all functions that can be traced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()\n\nWhen snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails,\nwcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info',\nwhich is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free()\nto prevent potential memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi\n\nIn certain cases, hardware might provide packets with a\nlength greater than the maximum native Wi-Fi header length.\nThis can lead to accessing and modifying fields in the header\nwithin the ath12k_dp_rx_h_undecap_nwifi function for\nDP_RX_DECAP_TYPE_NATIVE_WIFI decap type and\npotentially resulting in invalid data access and memory corruption.\n\nAdd a sanity check before processing the SKB to prevent invalid\ndata access in the undecap native Wi-Fi function for the\nDP_RX_DECAP_TYPE_NATIVE_WIFI decap type.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process\n\nCurrently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry\nto fetch the next entry from the destination ring. This is incorrect because\nath12k_hal_srng_src_get_next_entry is intended for source rings, not destination\nrings. This leads to invalid entry fetches, causing potential data corruption or\ncrashes due to accessing incorrect memory locations. This happens because the\nsource ring and destination ring have different handling mechanisms and using\nthe wrong function results in incorrect pointer arithmetic and ring management.\n\nTo fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with\nath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures\nthat the correct function is used for fetching entries from the destination\nring, preventing invalid memory accesses.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY\n\nDSA has 2 kinds of drivers:\n\n1. Those who call dsa_switch_suspend() and dsa_switch_resume() from\n   their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz\n2. Those who don't: all others. The above methods should be optional.\n\nFor type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(),\nand dsa_switch_resume() calls dsa_user_resume() -> phylink_start().\nThese seem good candidates for setting mac_managed_pm = true because\nthat is essentially its definition [1], but that does not seem to be the\nbiggest problem for now, and is not what this change focuses on.\n\nTalking strictly about the 2nd category of DSA drivers here (which\ndo not have MAC managed PM, meaning that for their attached PHYs,\nmdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),\nI have noticed that the following warning from mdio_bus_phy_resume() is\ntriggered:\n\n\tWARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY &&\n\t\tphydev->state != PHY_UP);\n\nbecause the PHY state machine is running.\n\nIt's running as a result of a previous dsa_user_open() -> ... ->\nphylink_start() -> phy_start() having been initiated by the user.\n\nThe previous mdio_bus_phy_suspend() was supposed to have called\nphy_stop_machine(), but it didn't. So this is why the PHY is in state\nPHY_NOLINK by the time mdio_bus_phy_resume() runs.\n\nmdio_bus_phy_suspend() did not call phy_stop_machine() because for\nphylink, the phydev->adjust_link function pointer is NULL. This seems a\ntechnicality introduced by commit fddd91016d16 (\"phylib: fix PAL state\nmachine restart on resume\"). That commit was written before phylink\nexisted, and was intended to avoid crashing with consumer drivers which\ndon't use the PHY state machine - phylink always does, when using a PHY.\nBut phylink itself has historically not been developed with\nsuspend/resume in mind, and apparently not tested too much in that\nscenario, allowing this bug to exist unnoticed for so long. Plus, prior\nto the WARN_ON(), it would have likely been invisible.\n\nThis issue is not in fact restricted to type 2 DSA drivers (according to\nthe above ad-hoc classification), but can be extrapolated to any MAC\ndriver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where\nthe issue was reported. Assuming mac_managed_pm is set correctly, a\nquick search indicates the following other drivers might be affected:\n\n$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm\ndrivers/net/ethernet/atheros/ag71xx.c\ndrivers/net/ethernet/microchip/sparx5/sparx5_main.c\ndrivers/net/ethernet/microchip/lan966x/lan966x_main.c\ndrivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c\ndrivers/net/ethernet/freescale/fs_enet/fs_enet-main.c\ndrivers/net/ethernet/freescale/dpaa/dpaa_eth.c\ndrivers/net/ethernet/freescale/ucc_geth.c\ndrivers/net/ethernet/freescale/enetc/enetc_pf_common.c\ndrivers/net/ethernet/marvell/mvpp2/mvpp2_main.c\ndrivers/net/ethernet/marvell/mvneta.c\ndrivers/net/ethernet/marvell/prestera/prestera_main.c\ndrivers/net/ethernet/mediatek/mtk_eth_soc.c\ndrivers/net/ethernet/altera/altera_tse_main.c\ndrivers/net/ethernet/wangxun/txgbe/txgbe_phy.c\ndrivers/net/ethernet/meta/fbnic/fbnic_phylink.c\ndrivers/net/ethernet/tehuti/tn40_phy.c\ndrivers/net/ethernet/mscc/ocelot_net.c\n\nMake the existing conditions dependent on the PHY device having a\nphydev->phy_link_change() implementation equal to the default\nphy_link_change() provided by phylib. Otherwise, we implicitly know that\nthe phydev has the phylink-provided phylink_phy_change() callback, and\nwhen phylink is used, the PHY state machine always needs to be stopped/\nstarted on the suspend/resume path. The code is structured as such that\nif phydev->phy_link_change() is absent, it is a matter of time until the\nkernel will crash - no need to further complicate the test.\n\nThus, for the situation where the PM is not managed b\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs\n\nWith commit bcb5d6c76903 (\"s390/pci: introduce lock to synchronize state\nof zpci_dev's\") the code to ignore power off of a PF that has child VFs\nwas changed from a direct return to a goto to the unlock and\npci_dev_put() section. The change however left the existing pci_dev_put()\nuntouched resulting in a doubple put. This can subsequently cause a use\nafter free if the struct pci_dev is released in an unexpected state.\nFix this by removing the extra pci_dev_put().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent out-of-bounds stream writes by validating *pos\n\nksmbd_vfs_stream_write() did not validate whether the write offset\n(*pos) was within the bounds of the existing stream data length (v_len).\nIf *pos was greater than or equal to v_len, this could lead to an\nout-of-bounds memory write.\n\nThis patch adds a check to ensure *pos is less than v_len before\nproceeding. If the condition fails, -EINVAL is returned.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Add BHB mitigation to the epilogue for cBPF programs\n\nA malicious BPF program may manipulate the branch history to influence\nwhat the hardware speculates will happen next.\n\nOn exit from a BPF program, emit the BHB mititgation sequence.\n\nThis is only applied for 'classic' cBPF programs that are loaded by\nseccomp.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxenbus: Use kref to track req lifetime\n\nMarek reported seeing a NULL pointer fault in the xenbus_thread\ncallstack:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: e030:__wake_up_common+0x4c/0x180\nCall Trace:\n <TASK>\n __wake_up_common_lock+0x82/0xd0\n process_msg+0x18e/0x2f0\n xenbus_thread+0x165/0x1c0\n\nprocess_msg+0x18e is req->cb(req).  req->cb is set to xs_wake_up(), a\nthin wrapper around wake_up(), or xenbus_dev_queue_reply().  It seems\nlike it was xs_wake_up() in this case.\n\nIt seems like req may have woken up the xs_wait_for_reply(), which\nkfree()ed the req.  When xenbus_thread resumes, it faults on the zero-ed\ndata.\n\nLinux Device Drivers 2nd edition states:\n\"Normally, a wake_up call can cause an immediate reschedule to happen,\nmeaning that other processes might run before wake_up returns.\"\n... which would match the behaviour observed.\n\nChange to keeping two krefs on each request.  One for the caller, and\none for xenbus_thread.  Each will kref_put() when finished, and the last\nwill free it.\n\nThis use of kref matches the description in\nDocumentation/core-api/kref.rst",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix panic in failed folio allocation\n\ncommit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit\n9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of\npages\") save -ENOMEM in the folio array upon allocation failure and call\nthe folio array free code.\n\nThe folio array free code expects either valid folio pointers or NULL. \nFinding the -ENOMEM will result in a panic.  Fix by NULLing the error\nfolio entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Add job to pending list if the reset was skipped\n\nWhen a CL/CSD job times out, we check if the GPU has made any progress\nsince the last timeout. If so, instead of resetting the hardware, we skip\nthe reset and let the timer get rearmed. This gives long-running jobs a\nchance to complete.\n\nHowever, when `timedout_job()` is called, the job in question is removed\nfrom the pending list, which means it won't be automatically freed through\n`free_job()`. Consequently, when we skip the reset and keep the job\nrunning, the job won't be freed when it finally completes.\n\nThis situation leads to a memory leak, as exposed in [1] and [2].\n\nSimilarly to commit 704d3d60fec4 (\"drm/etnaviv: don't block scheduler when\nGPU is still active\"), this patch ensures the job is put back on the\npending list when extending the timeout.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix UAF in __close_file_table_ids\n\nA use-after-free is possible if one thread destroys the file\nvia __ksmbd_close_fd while another thread holds a reference to\nit. The existing checks on fp->refcount are not sufficient to\nprevent this.\n\nThe fix takes ft->lock around the section which removes the\nfile from the file table. This prevents two threads acquiring the\nsame file pointer via __close_file_table_ids, as well as the other\nfunctions which retrieve a file from the IDR and which already use\nthis same lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_deactivate() idempotent\n\nAlan reported a NULL pointer dereference in htb_next_rb_node()\nafter we made htb_qlen_notify() idempotent.\n\nIt turns out in the following case it introduced some regression:\n\nhtb_dequeue_tree():\n  |-> fq_codel_dequeue()\n    |-> qdisc_tree_reduce_backlog()\n      |-> htb_qlen_notify()\n        |-> htb_deactivate()\n  |-> htb_next_rb_node()\n  |-> htb_deactivate()\n\nFor htb_next_rb_node(), after calling the 1st htb_deactivate(), the\nclprio[prio]->ptr could be already set to  NULL, which means\nhtb_next_rb_node() is vulnerable here.\n\nFor htb_deactivate(), although we checked qlen before calling it, in\ncase of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again\nwhich triggers the warning inside.\n\nTo fix the issues here, we need to:\n\n1) Make htb_deactivate() idempotent, that is, simply return if we\n   already call it before.\n2) Make htb_next_rb_node() safe against ptr==NULL.\n\nMany thanks to Alan for testing and for the reproducer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.7"
        },
        {
          "id": "CVE-2025-37954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Avoid race in open_cached_dir with lease breaks\n\nA pre-existing valid cfid returned from find_or_create_cached_dir might\nrace with a lease break, meaning open_cached_dir doesn't consider it\nvalid, and thinks it's newly-constructed. This leaks a dentry reference\nif the allocation occurs before the queued lease break work runs.\n\nAvoid the race by holding the cfid_list_lock across\nfind_or_create_cached_dir and when the result is checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()\n\nThe selftests added to our CI by Bui Quang Minh recently reveal\nthat there is a mem leak on the error path of virtnet_xsk_pool_enable():\n\nunreferenced object 0xffff88800a68a000 (size 2048):\n  comm \"xdp_helper\", pid 318, jiffies 4294692778\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 0):\n    __kvmalloc_node_noprof+0x402/0x570\n    virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)\n    xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)\n    xsk_bind+0x6a5/0x1ae0\n    __sys_bind+0x15e/0x230\n    __x64_sys_bind+0x72/0xb0\n    do_syscall_64+0xc1/0x1d0\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent rename with empty string\n\nClient can send empty newname string to ksmbd server.\nIt will cause a kernel oops from d_alloc.\nThis patch returns the error when attempting to rename\na file or directory with an empty new name string.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception\n\nPreviously, commit ed129ec9057f (\"KVM: x86: forcibly leave nested mode\non vCPU reset\") addressed an issue where a triple fault occurring in\nnested mode could lead to use-after-free scenarios. However, the commit\ndid not handle the analogous situation for System Management Mode (SMM).\n\nThis omission results in triggering a WARN when KVM forces a vCPU INIT\nafter SHUTDOWN interception while the vCPU is in SMM. This situation was\nreproduced using Syzkaller by:\n\n  1) Creating a KVM VM and vCPU\n  2) Sending a KVM_SMI ioctl to explicitly enter SMM\n  3) Executing invalid instructions causing consecutive exceptions and\n     eventually a triple fault\n\nThe issue manifests as follows:\n\n  WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112\n  kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112\n  Modules linked in:\n  CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted\n  6.1.130-syzkaller-00157-g164fe5dde9b6 #0\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n  BIOS 1.12.0-1 04/01/2014\n  RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112\n  Call Trace:\n   <TASK>\n   shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136\n   svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395\n   svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457\n   vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline]\n   vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062\n   kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283\n   kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n   do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nArchitecturally, INIT is blocked when the CPU is in SMM, hence KVM's WARN()\nin kvm_vcpu_reset() to guard against KVM bugs, e.g. to detect improper\nemulation of INIT.  SHUTDOWN on SVM is a weird edge case where KVM needs to\ndo _something_ sane with the VMCB, since it's technically undefined, and\nINIT is the least awful choice given KVM's ABI.\n\nSo, double down on stuffing INIT on SHUTDOWN, and force the vCPU out of\nSMM to avoid any weirdness (and the WARN).\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[sean: massage changelog, make it clear this isn't architectural behavior]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n<TASK>\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Scrub packet on bpf_redirect_peer\n\nWhen bpf_redirect_peer is used to redirect packets to a device in\nanother network namespace, the skb isn't scrubbed. That can lead to skb\ninformation from one namespace being \"misused\" in another namespace.\n\nAs one example, this is causing Cilium to drop traffic when using\nbpf_redirect_peer to redirect packets that just went through IPsec\ndecryption to a container namespace. The following pwru trace shows (1)\nthe packet path from the host's XFRM layer to the container's XFRM\nlayer where it's dropped and (2) the number of active skb extensions at\neach function.\n\n    NETNS       MARK  IFACE  TUPLE                                FUNC\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm_rcv_cb\n                             .active_extensions = (__u8)2,\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm4_rcv_cb\n                             .active_extensions = (__u8)2,\n    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  gro_cells_receive\n                             .active_extensions = (__u8)2,\n    [...]\n    4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53  skb_do_redirect\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv_core\n                             .active_extensions = (__u8)2,\n    [...]\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  udp_queue_rcv_one_skb\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_policy_check\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_decode_session\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  security_xfrm_decode_session\n                             .active_extensions = (__u8)2,\n    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)\n                             .active_extensions = (__u8)2,\n\nIn this case, there are no XFRM policies in the container's network\nnamespace so the drop is unexpected. When we decrypt the IPsec packet,\nthe XFRM state used for decryption is set in the skb extensions. This\ninformation is preserved across the netns switch. When we reach the\nXFRM policy check in the container's netns, __xfrm_policy_check drops\nthe packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM\npolicy can't be found that matches the (host-side) XFRM state used for\ndecryption.\n\nThis patch fixes this by scrubbing the packet when using\nbpf_redirect_peer, as is done on typical netns switches via veth\ndevices except skb->mark and skb->tstamp are not zeroed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemblock: Accept allocated memory before use in memblock_double_array()\n\nWhen increasing the array size in memblock_double_array() and the slab\nis not yet available, a call to memblock_find_in_range() is used to\nreserve/allocate memory. However, the range returned may not have been\naccepted, which can result in a crash when booting an SNP guest:\n\n  RIP: 0010:memcpy_orig+0x68/0x130\n  Code: ...\n  RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006\n  RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000\n  RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00\n  RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000\n  R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78\n  R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00\n  memblock_double_array+0xff/0x310\n  memblock_add_range+0x1fb/0x2f0\n  memblock_reserve+0x4f/0xa0\n  memblock_alloc_range_nid+0xac/0x130\n  memblock_alloc_internal+0x53/0xc0\n  memblock_alloc_try_nid+0x3d/0xa0\n  swiotlb_init_remap+0x149/0x2f0\n  mem_init+0xb/0xb0\n  mm_core_init+0x8f/0x350\n  start_kernel+0x17e/0x5d0\n  x86_64_start_reservations+0x14/0x30\n  x86_64_start_kernel+0x92/0xa0\n  secondary_startup_64_no_verify+0x194/0x19b\n\nMitigate this by calling accept_memory() on the memory range returned\nbefore the slab is available.\n\nPrior to v6.12, the accept_memory() interface used a 'start' and 'end'\nparameter instead of 'start' and 'size', therefore the accept_memory()\ncall must be adjusted to specify 'start + size' for 'end' when applying\nto kernels prior to v6.12.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix uninit-value for saddr in do_output_route4\n\nsyzbot reports an uninit-value for the saddr argument [1].\ncommit 4754957f04f5 (\"ipvs: do not use random local source address for\ntunnels\") already implies that the input value of saddr\nshould be ignored but the code is still reading it which can prevent\nthe route from connecting. Fix it by changing the argument to ret_saddr.\n\n[1]\nBUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4167 [inline]\n slab_alloc_node mm/slub.c:4210 [inline]\n __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367\n kmalloc_noprof include/linux/slab.h:905 [inline]\n ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]\n __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nCPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)\nHardware name: Google Google Compute Engi\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leak in parse_lease_state()\n\nThe previous patch that added bounds check for create lease context\nintroduced a memory leak. When the bounds check fails, the function\nreturns NULL without freeing the previously allocated lease_ctx_info\nstructure.\n\nThis patch fixes the issue by adding kfree(lreq) before returning NULL\nin both boundary check cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.7"
        },
        {
          "id": "CVE-2025-37963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Only mitigate cBPF programs loaded by unprivileged users\n\nSupport for eBPF programs loaded by unprivileged users is typically\ndisabled. This means only cBPF programs need to be mitigated for BHB.\n\nIn addition, only mitigate cBPF programs that were loaded by an\nunprivileged user. Privileged users can also load the same program\nvia eBPF, making the mitigation pointless.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Eliminate window where TLB flushes may be inadvertently skipped\n\ntl;dr: There is a window in the mm switching code where the new CR3 is\nset and the CPU should be getting TLB flushes for the new mm.  But\nshould_flush_tlb() has a bug and suppresses the flush.  Fix it by\nwidening the window where should_flush_tlb() sends an IPI.\n\nLong Version:\n\n=== History ===\n\nThere were a few things leading up to this.\n\nFirst, updating mm_cpumask() was observed to be too expensive, so it was\nmade lazier.  But being lazy caused too many unnecessary IPIs to CPUs\ndue to the now-lazy mm_cpumask().  So code was added to cull\nmm_cpumask() periodically[2].  But that culling was a bit too aggressive\nand skipped sending TLB flushes to CPUs that need them.  So here we are\nagain.\n\n=== Problem ===\n\nThe too-aggressive code in should_flush_tlb() strikes in this window:\n\n\t// Turn on IPIs for this CPU/mm combination, but only\n\t// if should_flush_tlb() agrees:\n\tcpumask_set_cpu(cpu, mm_cpumask(next));\n\n\tnext_tlb_gen = atomic64_read(&next->context.tlb_gen);\n\tchoose_new_asid(next, next_tlb_gen, &new_asid, &need_flush);\n\tload_new_mm_cr3(need_flush);\n\t// ^ After 'need_flush' is set to false, IPIs *MUST*\n\t// be sent to this CPU and not be ignored.\n\n        this_cpu_write(cpu_tlbstate.loaded_mm, next);\n\t// ^ Not until this point does should_flush_tlb()\n\t// become true!\n\nshould_flush_tlb() will suppress TLB flushes between load_new_mm_cr3()\nand writing to 'loaded_mm', which is a window where they should not be\nsuppressed.  Whoops.\n\n=== Solution ===\n\nThankfully, the fuzzy \"just about to write CR3\" window is already marked\nwith loaded_mm==LOADED_MM_SWITCHING.  Simply checking for that state in\nshould_flush_tlb() is sufficient to ensure that the CPU is targeted with\nan IPI.\n\nThis will cause more TLB flush IPIs.  But the window is relatively small\nand I do not expect this to cause any kind of measurable performance\nimpact.\n\nUpdate the comment where LOADED_MM_SWITCHING is written since it grew\nyet another user.\n\nPeter Z also raised a concern that should_flush_tlb() might not observe\n'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off()\nwrites them.  Add a barrier to ensure that they are observed in the\norder they are written.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix invalid context error in dml helper\n\n[Why]\n\"BUG: sleeping function called from invalid context\" error.\nafter:\n\"drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()\"\n\nThe populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag\nfor memory allocation, which shouldn't be used in atomic contexts.\n\nThe allocation is needed only for using another helper function\nget_scaler_data_for_plane().\n\n[How]\nModify helpers to pass a pointer to scaler_data within existing context,\neliminating the need for dynamic memory allocation/deallocation\nand copying.\n\n(cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.7"
        },
        {
          "id": "CVE-2025-37966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL\n\nWhen userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not\navailable, the kernel crashes:\n\nOops - illegal instruction [#1]\n    [snip]\nepc : set_tagged_addr_ctrl+0x112/0x15a\n ra : set_tagged_addr_ctrl+0x74/0x15a\nepc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10\n    [snip]\nstatus: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002\n    set_tagged_addr_ctrl+0x112/0x15a\n    __riscv_sys_prctl+0x352/0x73c\n    do_trap_ecall_u+0x17c/0x20c\n    andle_exception+0x150/0x15c\n\nFix it by checking if Supm is available.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix deadlock\n\nThis patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock\nfunctions to the UCSI driver. ucsi_con_mutex_lock ensures the connector\nmutex is only locked if a connection is established and the partner pointer\nis valid. This resolves a deadlock scenario where\nucsi_displayport_remove_partner holds con->mutex waiting for\ndp_altmode_work to complete while dp_altmode_work attempts to acquire it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: opt3001: fix deadlock due to concurrent flag access\n\nThe threaded IRQ function in this driver is reading the flag twice: once to\nlock a mutex and once to unlock it. Even though the code setting the flag\nis designed to prevent it, there are subtle cases where the flag could be\ntrue at the mutex_lock stage and false at the mutex_unlock stage. This\nresults in the mutex not being unlocked, resulting in a deadlock.\n\nFix it by making the opt3001_irq() code generally more robust, reading the\nflag into a variable and using the variable value at both stages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo\n\nPrevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in\ncase pattern_len is equal to zero and the device FIFO is not empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo\n\nPrevent st_lsm6dsx_read_fifo from falling in an infinite loop in case\npattern_len is equal to zero and the device FIFO is not empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: bcm2835-camera: Initialise dev in v4l2_dev\n\nCommit 42a2f6664e18 (\"staging: vc04_services: Move global g_state to\nvchiq_state\") changed mmal_init to pass dev->v4l2_dev.dev to\nvchiq_mmal_init, however nothing iniitialised dev->v4l2_dev, so we got\na NULL pointer dereference.\n\nSet dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer\ncould be passed into v4l2_device_register to set it, however that also\nhas other effects that would need additional changes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: mtk-pmic-keys - fix possible null pointer dereference\n\nIn mtk_pmic_keys_probe, the regs parameter is only set if the button is\nparsed in the device tree. However, on hardware where the button is left\nfloating, that node will most likely be removed not to enable that\ninput. In that case the code will try to dereference a null pointer.\n\nLet's use the regs struct instead as it is defined for all supported\nplatforms. Note that it is ok setting the key reg even if that latter is\ndisabled as the interrupt won't be enabled anyway.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation\n\nCurrently during the multi-link element defragmentation process, the\nmulti-link element length added to the total IEs length when calculating\nthe length of remaining IEs after the multi-link element in\ncfg80211_defrag_mle(). This could lead to out-of-bounds access if the\nmulti-link element or its corresponding fragment elements are the last\nelements in the IEs buffer.\n\nTo address this issue, correctly calculate the remaining IEs length by\ndeducting the multi-link element end offset from total IEs end offset.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Fix missing check for zpci_create_device() error return\n\nThe zpci_create_device() function returns an error pointer that needs to\nbe checked before dereferencing it as a struct zpci_dev pointer. Add the\nmissing check in __clp_add() where it was missed when adding the\nscan_list in the fixed commit. Simply not adding the device to the scan\nlist results in the previous behavior.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: module: Fix out-of-bounds relocation access\n\nThe current code allows rel[j] to access one element past the end of the\nrelocation section. Simplify to num_relocations which is equivalent to\nthe existing size expression.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Disable iocc if dma-coherent property isn't set\n\nIf dma-coherent property isn't set then descriptors are non-cacheable\nand the iocc shareability bits should be disabled. Without this UFS can\nend up in an incompatible configuration and suffer from random cache\nrelated stability issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: integrity: Do not call set_page_dirty_lock()\n\nPlacing multiple protection information buffers inside the same page\ncan lead to oopses because set_page_dirty_lock() can't be called from\ninterrupt context.\n\nSince a protection information buffer is not backed by a file there is\nno point in setting its page dirty, there is nothing to synchronize.\nDrop the call to set_page_dirty_lock() and remove the last argument to\nbio_integrity_unpin_bvec().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix sc7280 lpass potential buffer overflow\n\nCase values introduced in commit\n5f78e1fb7a3e (\"ASoC: qcom: Add driver support for audioreach solution\")\ncause out of bounds access in arrays of sc7280 driver data (e.g. in case\nof RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()).\n\nRedefine LPASS_MAX_PORTS to consider the maximum possible port id for\nq6dsp as sc7280 driver utilizes some of those values.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix resource leak in blk_register_queue() error path\n\nWhen registering a queue fails after blk_mq_sysfs_register() is\nsuccessful but the function later encounters an error, we need\nto clean up the blk_mq_sysfs resources.\n\nAdd the missing blk_mq_sysfs_unregister() call in the error path\nto properly clean up these resources and prevent a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Use is_kdump_kernel() to check for kdump\n\nThe smartpqi driver checks the reset_devices variable to determine\nwhether special adjustments need to be made for kdump. This has the\neffect that after a regular kexec reboot, some driver parameters such as\nmax_transfer_size are much lower than usual. More importantly, kexec\nreboot tests have revealed memory corruption caused by the driver log\nbeing written to system memory after a kexec.\n\nFix this by testing is_kdump_kernel() rather than reset_devices where\nappropriate.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wl1251: fix memory leak in wl1251_tx_work\n\nThe skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails\nwith a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqibfs: fix _another_ leak\n\nfailure to allocate inode => leaked dentry...\n\nthis one had been there since the initial merge; to be fair,\nif we are that far OOM, the odds of failing at that particular\nallocation are low...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()\n\nHerbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa\nimplementation's ->key_size() callback returns an unusually large value.\nHerbert instead suggests (for a division by 8):\n\n  X / 8 + !!(X & 7)\n\nBased on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and\nuse it in lieu of DIV_ROUND_UP() for ->key_size() return values.\n\nAdditionally, use the macro in ecc_digits_from_bytes(), whose \"nbytes\"\nparameter is a ->key_size() return value in some instances, or a\nuser-specified ASN.1 length in the case of ecdsa_get_signature_rs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: wdm: close race between wdm_open and wdm_wwan_port_stop\n\nClearing WDM_WWAN_IN_USE must be the last action or\nwe can open a chardev whose URBs are still poisoned",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: class: Invalidate USB device pointers on partner unregistration\n\nTo avoid using invalid USB device pointers after a Type-C partner\ndisconnects, this patch clears the pointers upon partner unregistration.\nThis ensures a clean state for future connections.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: Prevent possible adminq overflow/stuck condition\n\nThe pds_core's adminq is protected by the adminq_lock, which prevents\nmore than 1 command to be posted onto it at any one time. This makes it\nso the client drivers cannot simultaneously post adminq commands.\nHowever, the completions happen in a different context, which means\nmultiple adminq commands can be posted sequentially and all waiting\non completion.\n\nOn the FW side, the backing adminq request queue is only 16 entries\nlong and the retry mechanism and/or overflow/stuck prevention is\nlacking. This can cause the adminq to get stuck, so commands are no\nlonger processed and completions are no longer sent by the FW.\n\nAs an initial fix, prevent more than 16 outstanding adminq commands so\nthere's no way to cause the adminq from getting stuck. This works\nbecause the backing adminq request queue will never have more than 16\npending adminq commands, so it will never overflow. This is done by\nreducing the adminq depth to 16.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfix a couple of races in MNT_TREE_BENEATH handling by do_move_mount()\n\nNormally do_lock_mount(path, _) is locking a mountpoint pinned by\n*path and at the time when matching unlock_mount() unlocks that\nlocation it is still pinned by the same thing.\n\nUnfortunately, for 'beneath' case it's no longer that simple -\nthe object being locked is not the one *path points to.  It's the\nmountpoint of path->mnt.  The thing is, without sufficient locking\n->mnt_parent may change under us and none of the locks are held\nat that point.  The rules are\n\t* mount_lock stabilizes m->mnt_parent for any mount m.\n\t* namespace_sem stabilizes m->mnt_parent, provided that\nm is mounted.\n\t* if either of the above holds and refcount of m is positive,\nwe are guaranteed the same for refcount of m->mnt_parent.\n\nnamespace_sem nests inside inode_lock(), so do_lock_mount() has\nto take inode_lock() before grabbing namespace_sem.  It does\nrecheck that path->mnt is still mounted in the same place after\ngetting namespace_sem, and it does take care to pin the dentry.\nIt is needed, since otherwise we might end up with racing mount --move\n(or umount) happening while we were getting locks; in that case\ndentry would no longer be a mountpoint and could've been evicted\non memory pressure along with its inode - not something you want\nwhen grabbing lock on that inode.\n\nHowever, pinning a dentry is not enough - the matching mount is\nalso pinned only by the fact that path->mnt is mounted on top it\nand at that point we are not holding any locks whatsoever, so\nthe same kind of races could end up with all references to\nthat mount gone just as we are about to enter inode_lock().\nIf that happens, we are left with filesystem being shut down while\nwe are holding a dentry reference on it; results are not pretty.\n\nWhat we need to do is grab both dentry and mount at the same time;\nthat makes inode_lock() safe *and* avoids the problem with fs getting\nshut down under us.  After taking namespace_sem we verify that\npath->mnt is still mounted (which stabilizes its ->mnt_parent) and\ncheck that it's still mounted at the same place.  From that point\non to the matching namespace_unlock() we are guaranteed that\nmount/dentry pair we'd grabbed are also pinned by being the mountpoint\nof path->mnt, so we can quietly drop both the dentry reference (as\nthe current code does) and mnt one - it's OK to do under namespace_sem,\nsince we are not dropping the final refs.\n\nThat solves the problem on do_lock_mount() side; unlock_mount()\nalso has one, since dentry is guaranteed to stay pinned only until\nthe namespace_unlock().  That's easy to fix - just have inode_unlock()\ndone earlier, while it's still pinned by mp->m_dentry.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: leds: fix memory leak\n\nA network restart test on a router led to an out-of-memory condition,\nwhich was traced to a memory leak in the PHY LED trigger code.\n\nThe root cause is misuse of the devm API. The registration function\n(phy_led_triggers_register) is called from phy_attach_direct, not\nphy_probe, and the unregister function (phy_led_triggers_unregister)\nis called from phy_detach, not phy_remove. This means the register and\nunregister functions can be called multiple times for the same PHY\ndevice, but devm-allocated memory is not freed until the driver is\nunbound.\n\nThis also prevents kmemleak from detecting the leak, as the devm API\ninternally stores the allocated pointer.\n\nFix this by replacing devm_kzalloc/devm_kcalloc with standard\nkzalloc/kcalloc, and add the corresponding kfree calls in the unregister\npath.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()\n\nThe function brcmf_usb_dl_writeimage() calls the function\nbrcmf_usb_dl_cmd() but dose not check its return value. The\n'state.state' and the 'state.bytes' are uninitialized if the\nfunction brcmf_usb_dl_cmd() fails. It is dangerous to use\nuninitialized variables in the conditions.\n\nAdd error handling for brcmf_usb_dl_cmd() to jump to error\nhandling path if the brcmf_usb_dl_cmd() fails and the\n'state.state' and the 'state.bytes' are uninitialized.\n\nImprove the error message to report more detailed error\ninformation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix double SIGFPE crash\n\nCamm noticed that on parisc a SIGFPE exception will crash an application with\na second SIGFPE in the signal handler.  Dave analyzed it, and it happens\nbecause glibc uses a double-word floating-point store to atomically update\nfunction descriptors. As a result of lazy binding, we hit a floating-point\nstore in fpe_func almost immediately.\n\nWhen the T bit is set, an assist exception trap occurs when when the\nco-processor encounters *any* floating-point instruction except for a double\nstore of register %fr0.  The latter cancels all pending traps.  Let's fix this\nby clearing the Trap (T) bit in the FP status register before returning to the\nsignal handler in userspace.\n\nThe issue can be reproduced with this test program:\n\nroot@parisc:~# cat fpe.c\n\nstatic void fpe_func(int sig, siginfo_t *i, void *v) {\n        sigset_t set;\n        sigemptyset(&set);\n        sigaddset(&set, SIGFPE);\n        sigprocmask(SIG_UNBLOCK, &set, NULL);\n        printf(\"GOT signal %d with si_code %ld\\n\", sig, i->si_code);\n}\n\nint main() {\n        struct sigaction action = {\n                .sa_sigaction = fpe_func,\n                .sa_flags = SA_RESTART|SA_SIGINFO };\n        sigaction(SIGFPE, &action, 0);\n        feenableexcept(FE_OVERFLOW);\n        return printf(\"%lf\\n\",1.7976931348623158E308*1.7976931348623158E308);\n}\n\nroot@parisc:~# gcc fpe.c -lm\nroot@parisc:~# ./a.out\n Floating point exception\n\nroot@parisc:~# strace -f ./a.out\n execve(\"./a.out\", [\"./a.out\"], 0xf9ac7034 /* 20 vars */) = 0\n getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0\n ...\n rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---\n +++ killed by SIGFPE +++\n Floating point exception",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during ->change()\n\nPreviously, when reducing a qdisc's limit via the ->change() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch->limit against sch->q.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their ->change() routines.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe\n\nThe spin lock tx_handling_spinlock in struct m_can_classdev is not\nbeing initialized. This leads the following spinlock bad magic\ncomplaint from the kernel, eg. when trying to send CAN frames with\ncansend from can-utils:\n\n| BUG: spinlock bad magic on CPU#0, cansend/95\n|  lock: 0xff60000002ec1010, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0\n| CPU: 0 UID: 0 PID: 95 Comm: cansend Not tainted 6.15.0-rc3-00032-ga79be02bba5c #5 NONE\n| Hardware name: MachineWare SIM-V (DT)\n| Call Trace:\n| [<ffffffff800133e0>] dump_backtrace+0x1c/0x24\n| [<ffffffff800022f2>] show_stack+0x28/0x34\n| [<ffffffff8000de3e>] dump_stack_lvl+0x4a/0x68\n| [<ffffffff8000de70>] dump_stack+0x14/0x1c\n| [<ffffffff80003134>] spin_dump+0x62/0x6e\n| [<ffffffff800883ba>] do_raw_spin_lock+0xd0/0x142\n| [<ffffffff807a6fcc>] _raw_spin_lock_irqsave+0x20/0x2c\n| [<ffffffff80536dba>] m_can_start_xmit+0x90/0x34a\n| [<ffffffff806148b0>] dev_hard_start_xmit+0xa6/0xee\n| [<ffffffff8065b730>] sch_direct_xmit+0x114/0x292\n| [<ffffffff80614e2a>] __dev_queue_xmit+0x3b0/0xaa8\n| [<ffffffff8073b8fa>] can_send+0xc6/0x242\n| [<ffffffff8073d1c0>] raw_sendmsg+0x1a8/0x36c\n| [<ffffffff805ebf06>] sock_write_iter+0x9a/0xee\n| [<ffffffff801d06ea>] vfs_write+0x184/0x3a6\n| [<ffffffff801d0a88>] ksys_write+0xa0/0xc0\n| [<ffffffff801d0abc>] __riscv_sys_write+0x14/0x1c\n| [<ffffffff8079ebf8>] do_trap_ecall_u+0x168/0x212\n| [<ffffffff807a830a>] handle_exception+0x146/0x152\n\nInitializing the spin lock in m_can_class_allocate_dev solves that\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix NULL pointer access\n\nThis patch ensures that the UCSI driver waits for all pending tasks in the\nucsi_displayport_work workqueue to finish executing before proceeding with\nthe partner removal.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: ensure that kobject_put() is safe for module type kobjects\n\nIn 'lookup_or_create_module_kobject()', an internal kobject is created\nusing 'module_ktype'. So call to 'kobject_put()' on error handling\npath causes an attempt to use an uninitialized completion pointer in\n'module_kobject_release()'. In this scenario, we just want to release\nkobject without an extra synchronization required for a regular module\nunloading process, so adding an extra check whether 'complete()' is\nactually required makes 'kobject_put()' safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()\n\nCommit fce886a60207 (\"KVM: arm64: Plumb the pKVM MMU in KVM\") made the\ninitialization of the local memcache variable in user_mem_abort()\nconditional, leaving a codepath where it is used uninitialized via\nkvm_pgtable_stage2_map().\n\nThis can fail on any path that requires a stage-2 allocation\nwithout transition via a permission fault or dirty logging.\n\nFix this by making sure that memcache is always valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix region locking in hash types\n\nRegion locking introduced in v5.6-rc4 contained three macros to handle\nthe region locks: ahash_bucket_start(), ahash_bucket_end() which gave\nback the start and end hash bucket values belonging to a given region\nlock and ahash_region() which should give back the region lock belonging\nto a given hash bucket. The latter was incorrect which can lead to a\nrace condition between the garbage collector and adding new elements\nwhen a hash type of set is defined with timeouts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: Fix unsafe attribute parsing in output_userspace()\n\nThis patch replaces the manual Netlink attribute iteration in\noutput_userspace() with nla_for_each_nested(), which ensures that only\nwell-formed attributes are processed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-37999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()\n\nIf bio_add_folio() fails (because it is full),\nerofs_fileio_scan_folio() needs to submit the I/O request via\nerofs_fileio_rq_submit() and allocate a new I/O request with an empty\n`struct bio`.  Then it retries the bio_add_folio() call.\n\nHowever, at this point, erofs_onlinefolio_split() has already been\ncalled which increments `folio->private`; the retry will call\nerofs_onlinefolio_split() again, but there will never be a matching\nerofs_onlinefolio_end() call.  This leaves the folio locked forever\nand all waiters will be stuck in folio_wait_bit_common().\n\nThis bug has been added by commit ce63cb62d794 (\"erofs: support\nunencoded inodes for fileio\"), but was practically unreachable because\nthere was room for 256 folios in the `struct bio` - until commit\n9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which\nreduced the array capacity to 16 folios.\n\nIt was now trivial to trigger the bug by manually invoking readahead\nfrom userspace, e.g.:\n\n posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);\n\nThis should be fixed by invoking erofs_onlinefolio_split() only after\nbio_add_folio() has succeeded.  This is safe: asynchronous completions\ninvoking erofs_onlinefolio_end() will not unlock the folio because\nerofs_fileio_scan_folio() is still holding a reference to be released\nby erofs_onlinefolio_end() at the end.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-37999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc's peek() operation before incrementing sch->q.qlen and\nsch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch->q.qlen and\nsch->qstats.backlog before the call to the child qdisc's peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\n\nSavino says:\n    \"We are writing to report that this recent patch\n    (141d34391abbb315d68556b7c67ad97885407547) [1]\n    can be bypassed, and a UAF can still occur when HFSC is utilized with\n    NETEM.\n\n    The patch only checks the cl->cl_nactive field to determine whether\n    it is the first insertion or not [2], but this field is only\n    incremented by init_vf [3].\n\n    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\n    check and insert the class twice in the eltree.\n    Under normal conditions, this would lead to an infinite loop in\n    hfsc_dequeue for the reasons we already explained in this report [5].\n\n    However, if TBF is added as root qdisc and it is configured with a\n    very low rate,\n    it can be utilized to prevent packets from being dequeued.\n    This behavior can be exploited to perform subsequent insertions in the\n    HFSC eltree and cause a UAF.\"\n\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()\n\nNot everything requires locking in there, which is why the 'has_lock'\nvariable exists. But enough does that it's a bit unwieldy to manage.\nWrap the whole thing in a ->uring_lock trylock, and just return\nwith no output if we fail to grab it. The existing trylock() will\nalready have greatly diminished utility/output for the failure case.\n\nThis fixes an issue with reading the SQE fields, if the ring is being\nactively resized at the same time.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add missing rcu read protection for procfs content\n\nWhen the procfs content is generated for a bcm_op which is in the process\nto be removed the procfs output might show unreliable data (UAF).\n\nAs the removal of bcm_op's is already implemented with rcu handling this\npatch adds the missing rcu_read_lock() and makes sure the list entries\nare properly removed under rcu protection.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add locking for bcm_op runtime updates\n\nThe CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via\nhrtimer. The content and also the length of the sequence can be changed\nresp reduced at runtime where the 'currframe' counter is then set to zero.\n\nAlthough this appeared to be a safe operation the updates of 'currframe'\ncan be triggered from user space and hrtimer context in bcm_can_tx().\nAnderson Nascimento created a proof of concept that triggered a KASAN\nslab-out-of-bounds read access which can be prevented with a spin_lock_bh.\n\nAt the rework of bcm_can_tx() the 'count' variable has been moved into\nthe protected section as this variable can be modified from both contexts\ntoo.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Add missing locking\n\nRecent kernels complain about a missing lock in k3-udma.c when the lock\nvalidator is enabled:\n\n[    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238\n[    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28\n[    4.144867] Hardware name: pp-v12 (DT)\n[    4.148648] Workqueue: events udma_check_tx_completion\n[    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    4.160834] pc : udma_start.isra.0+0x34/0x238\n[    4.165227] lr : udma_start.isra.0+0x30/0x238\n[    4.169618] sp : ffffffc083cabcf0\n[    4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005\n[    4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000\n[    4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670\n[    4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030\n[    4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048\n[    4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001\n[    4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68\n[    4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8\n[    4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000\n[    4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000\n[    4.244986] Call trace:\n[    4.247463]  udma_start.isra.0+0x34/0x238\n[    4.251509]  udma_check_tx_completion+0xd0/0xdc\n[    4.256076]  process_one_work+0x244/0x3fc\n[    4.260129]  process_scheduled_works+0x6c/0x74\n[    4.264610]  worker_thread+0x150/0x1dc\n[    4.268398]  kthread+0xd8/0xe8\n[    4.271492]  ret_from_fork+0x10/0x20\n[    4.275107] irq event stamp: 220\n[    4.278363] hardirqs last  enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50\n[    4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50\n[    4.294879] softirqs last  enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc\n[    4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28\n[    4.311559] ---[ end trace 0000000000000000 ]---\n\nThis commit adds the missing locking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: Don't access ifa_index when missing\n\nIn mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but\nonly when the struct ifaddrmsg is provided. Otherwise it will be\ncomparing to uninitialised memory - reproducible in the syzkaller case from\ndhcpd, or busybox \"ip addr show\".\n\nThe kernel MCTP implementation has always filtered by ifa_index, so\nexisting userspace programs expecting to dump MCTP addresses must\nalready be passing a valid ifa_index value (either 0 or a real index).\n\nBUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128\n rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380\n rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824\n netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Add NULL check in uclogic_input_configured()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nuclogic_input_configured() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: fix race condition in unaccepted memory handling\n\nThe page allocator tracks the number of zones that have unaccepted memory\nusing static_branch_enc/dec() and uses that static branch in hot paths to\ndetermine if it needs to deal with unaccepted memory.\n\nBorislav and Thomas pointed out that the tracking is racy: operations on\nstatic_branch are not serialized against adding/removing unaccepted pages\nto/from the zone.\n\nSanity checks inside static_branch machinery detects it:\n\nWARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0\n\nThe comment around the WARN() explains the problem:\n\n\t/*\n\t * Warn about the '-1' case though; since that means a\n\t * decrement is concurrent with a first (0->1) increment. IOW\n\t * people are trying to disable something that wasn't yet fully\n\t * enabled. This suggests an ordering problem on the user side.\n\t */\n\nThe effect of this static_branch optimization is only visible on\nmicrobenchmark.\n\nInstead of adding more complexity around it, remove it altogether.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: disable napi on driver removal\n\nA warning on driver removal started occurring after commit 9dd05df8403b\n(\"net: warn if NAPI instance wasn't shut down\"). Disable tx napi before\ndeleting it in mt76_dma_cleanup().\n\n WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100\n CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)\n Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024\n RIP: 0010:__netif_napi_del_locked+0xf0/0x100\n Call Trace:\n <TASK>\n mt76_dma_cleanup+0x54/0x2f0 [mt76]\n mt7921_pci_remove+0xd5/0x190 [mt7921e]\n pci_device_remove+0x47/0xc0\n device_release_driver_internal+0x19e/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x6d/0xf0\n pci_unregister_driver+0x2e/0xb0\n __do_sys_delete_module.isra.0+0x197/0x2e0\n do_syscall_64+0x7b/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTested with mt7921e but the same pattern can be actually applied to other\nmt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled\nin their *_dma_init() functions and only toggled off and on again inside\ntheir suspend/resume/reset paths. So it should be okay to disable tx\nnapi in such a generic way.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Use a bitmask for UTMI pad power state tracking\n\nThe current implementation uses bias_pad_enable as a reference count to\nmanage the shared bias pad for all UTMI PHYs. However, during system\nsuspension with connected USB devices, multiple power-down requests for\nthe UTMI pad result in a mismatch in the reference count, which in turn\nproduces warnings such as:\n\n[  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170\n[  237.763103] Call trace:\n[  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170\n[  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30\n[  237.763110]  phy_power_off+0x48/0x100\n[  237.763113]  tegra_xusb_enter_elpg+0x204/0x500\n[  237.763119]  tegra_xusb_suspend+0x48/0x140\n[  237.763122]  platform_pm_suspend+0x2c/0xb0\n[  237.763125]  dpm_run_callback.isra.0+0x20/0xa0\n[  237.763127]  __device_suspend+0x118/0x330\n[  237.763129]  dpm_suspend+0x10c/0x1f0\n[  237.763130]  dpm_suspend_start+0x88/0xb0\n[  237.763132]  suspend_devices_and_enter+0x120/0x500\n[  237.763135]  pm_suspend+0x1ec/0x270\n\nThe root cause was traced back to the dynamic power-down changes\nintroduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"),\nwhere the UTMI pad was being powered down without verifying its current\nstate. This unbalanced behavior led to discrepancies in the reference\ncount.\n\nTo rectify this issue, this patch replaces the single reference counter\nwith a bitmask, renamed to utmi_pad_enabled. Each bit in the mask\ncorresponds to one of the four USB2 PHYs, allowing us to track each pad's\nenablement status individually.\n\nWith this change:\n  - The bias pad is powered on only when the mask is clear.\n  - Each UTMI pad is powered on or down based on its corresponding bit\n    in the mask, preventing redundant operations.\n  - The overall power state of the shared bias pad is maintained\n    correctly during suspend/resume cycles.\n\nThe mutex used to prevent race conditions during UTMI pad enable/disable\noperations has been moved from the tegra186_utmi_bias_pad_power_on/off\nfunctions to the parent functions tegra186_utmi_pad_power_on/down. This\nchange ensures that there are no race conditions when updating the bitmask.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: csa unmap use uninterruptible lock\n\nAfter process exit to unmap csa and free GPU vm, if signal is accepted\nand then waiting to take vm lock is interrupted and return, it causes\nmemory leaking and below warning backtrace.\n\nChange to use uninterruptible wait lock fix the issue.\n\nWARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525\n amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]\n Call Trace:\n  <TASK>\n  drm_file_free.part.0+0x1da/0x230 [drm]\n  drm_close_helper.isra.0+0x65/0x70 [drm]\n  drm_release+0x6a/0x120 [drm]\n  amdgpu_drm_release+0x51/0x60 [amdgpu]\n  __fput+0x9f/0x280\n  ____fput+0xe/0x20\n  task_work_run+0x67/0xa0\n  do_exit+0x217/0x3c0\n  do_group_exit+0x3b/0xb0\n  get_signal+0x14a/0x8d0\n  arch_do_signal_or_restart+0xde/0x100\n  exit_to_user_mode_loop+0xc1/0x1a0\n  exit_to_user_mode_prepare+0xf4/0x100\n  syscall_exit_to_user_mode+0x17/0x40\n  do_syscall_64+0x69/0xc0\n\n(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: bpf_iter_scx_dsq_new() should always initialize iterator\n\nBPF programs may call next() and destroy() on BPF iterators even after new()\nreturns an error value (e.g. bpf_for_each() macro ignores error returns from\nnew()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized\nstate after an error return causing bpf_iter_scx_dsq_next() to dereference\ngarbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that\nnext() and destroy() become noops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request\n\nMake sure that n_channels is set after allocating the\nstruct cfg80211_registered_device::int_scan_req member. Seen with\nsyzkaller:\n\nUBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5\nindex 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')\n\nThis was missed in the initial conversions because I failed to locate\nthe allocation likely due to the \"sizeof(void *)\" not matching the\n\"channels\" array type.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Refactor remove call with idxd_cleanup() helper\n\nThe idxd_cleanup() helper cleans up perfmon, interrupts, internals and\nso on. Refactor remove call with the idxd_cleanup() helper to avoid code\nduplication. Note, this also fixes the missing put_device() for idxd\ngroups, enginces and wqs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix memory leak in error handling path of idxd_alloc\n\nMemory allocated for idxd is not freed if an error occurs during\nidxd_alloc(). To fix it, free the allocated memory in the reverse order\nof allocation before exiting the function in case of an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: abort dispatch if device destroyed\n\nThe current HID bpf implementation assumes no output report/request will\ngo through it after hid_bpf_destroy_device() has been called. This leads\nto a bug that unplugging certain types of HID devices causes a cleaned-\nup SRCU to be accessed. The bug was previously a hidden failure until a\nrecent x86 percpu change [1] made it access not-present pages.\n\nThe bug will be triggered if the conditions below are met:\n\nA) a device under the driver has some LEDs on\nB) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)\n\nIf condition A is met, hidinput_led_worker() is always scheduled *after*\nhid_bpf_destroy_device().\n\nhid_destroy_device\n` hid_bpf_destroy_device\n  ` cleanup_srcu_struct(&hdev->bpf.srcu)\n` hid_remove_device\n  ` ...\n    ` led_classdev_unregister\n      ` led_trigger_set(led_cdev, NULL)\n        ` led_set_brightness(led_cdev, LED_OFF)\n          ` ...\n            ` input_inject_event\n              ` input_event_dispose\n                ` hidinput_input_event\n                  ` schedule_work(&hid->led_work) [hidinput_led_worker]\n\nThis is fine when condition B is not met, where hidinput_led_worker()\ncalls hid_ll_driver->request(). This is the case for most HID drivers,\nwhich implement it or use the generic one from usbhid. The driver itself\nor an underlying driver will then abort processing the request.\n\nOtherwise, hidinput_led_worker() tries hid_hw_output_report() and leads\nto the bug.\n\nhidinput_led_worker\n` hid_hw_output_report\n  ` dispatch_hid_bpf_output_report\n    ` srcu_read_lock(&hdev->bpf.srcu)\n    ` srcu_read_unlock(&hdev->bpf.srcu, idx)\n\nThe bug has existed since the introduction [2] of\ndispatch_hid_bpf_output_report(). However, the same bug also exists in\ndispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect\nbecause of the lack of [1], but confirmed bpf.destroyed == 1) the bug\nagainst the commit (i.e., the Fixes:) introducing the function. This is\nbecause hidinput_led_worker() falls back to hid_hw_raw_request() when\nhid_ll_driver->output_report() is uninplemented (e.g., logitech-\ndjreceiver).\n\nhidinput_led_worker\n` hid_hw_output_report: -ENOSYS\n` hid_hw_raw_request\n  ` dispatch_hid_bpf_raw_requests\n    ` srcu_read_lock(&hdev->bpf.srcu)\n    ` srcu_read_unlock(&hdev->bpf.srcu, idx)\n\nFix the issue by returning early in the two mentioned functions if\nhid_bpf has been marked as destroyed. Though\ndispatch_hid_bpf_device_event() handles input events, and there is no\nevidence that it may be called after the destruction, the same check, as\na safety net, is also added to it to maintain the consistency among all\ndispatch functions.\n\nThe impact of the bug on other architectures is unclear. Even if it acts\nas a hidden failure, this is still dangerous because it corrupts\nwhatever is on the address calculated by SRCU. Thus, CC'ing the stable\nlist.\n\n[1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\")\n[2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for\nhid_hw_output_report\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/eventpoll: fix endless busy loop after timeout has expired\n\nAfter commit 0a65bc27bd64 (\"eventpoll: Set epoll timeout if it's in\nthe future\"), the following program would immediately enter a busy\nloop in the kernel:\n\n```\nint main() {\n  int e = epoll_create1(0);\n  struct epoll_event event = {.events = EPOLLIN};\n  epoll_ctl(e, EPOLL_CTL_ADD, 0, &event);\n  const struct timespec timeout = {.tv_nsec = 1};\n  epoll_pwait2(e, &event, 1, &timeout, 0);\n}\n```\n\nThis happens because the given (non-zero) timeout of 1 nanosecond\nusually expires before ep_poll() is entered and then\nep_schedule_timeout() returns false, but `timed_out` is never set\nbecause the code line that sets it is skipped.  This quickly turns\ninto a soft lockup, RCU stalls and deadlocks, inflicting severe\nheadaches to the whole system.\n\nWhen the timeout has expired, we don't need to schedule a hrtimer, but\nwe should set the `timed_out` variable.  Therefore, I suggest moving\nthe ep_schedule_timeout() check into the `timed_out` expression\ninstead of skipping it.\n\nbrauner: Note that there was an earlier fix by Joe Damato in response to\nmy bug report in [1].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.8"
        },
        {
          "id": "CVE-2025-38018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix kernel panic when alloc_page failed\n\nWe cannot set frag_list to NULL pointer when alloc_page failed.\nIt will be used in tls_strp_check_queue_ok when the next time\ntls_strp_read_sock is called.\n\nThis is because we don't reset full_len in tls_strp_flush_anchor_copy()\nso the recv path will try to continue handling the partial record\non the next call but we dettached the rcvq from the frag list.\nAlternative fix would be to reset full_len.\n\nUnable to handle kernel NULL pointer dereference\nat virtual address 0000000000000028\n Call trace:\n tls_strp_check_rcv+0x128/0x27c\n tls_strp_data_ready+0x34/0x44\n tls_data_ready+0x3c/0x1f0\n tcp_data_ready+0x9c/0xe4\n tcp_data_queue+0xf6c/0x12d0\n tcp_rcv_established+0x52c/0x798",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices\n\nThe driver only offloads neighbors that are constructed on top of net\ndevices registered by it or their uppers (which are all Ethernet). The\ndevice supports GRE encapsulation and decapsulation of forwarded\ntraffic, but the driver will not offload dummy neighbors constructed on\ntop of GRE net devices as they are not uppers of its net devices:\n\n # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1\n # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1\n $ ip neigh show dev gre1 nud noarp\n 0.0.0.0 lladdr 0.0.0.0 NOARP\n\n(Note that the neighbor is not marked with 'offload')\n\nWhen the driver is reloaded and the existing configuration is replayed,\nthe driver does not perform the same check regarding existing neighbors\nand offloads the previously added one:\n\n # devlink dev reload pci/0000:01:00.0\n $ ip neigh show dev gre1 nud noarp\n 0.0.0.0 lladdr 0.0.0.0 offload NOARP\n\nIf the neighbor is later deleted, the driver will ignore the\nnotification (given the GRE net device is not its upper) and will\ntherefore keep referencing freed memory, resulting in a use-after-free\n[1] when the net device is deleted:\n\n # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1\n # ip link del dev gre1\n\nFix by skipping neighbor replay if the net device for which the replay\nis performed is not our upper.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200\nRead of size 8 at addr ffff888155b0e420 by task ip/2282\n[...]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6f/0x350\n print_report+0x108/0x205\n kasan_report+0xdf/0x110\n mlxsw_sp_neigh_entry_update+0x1ea/0x200\n mlxsw_sp_router_rif_gone_sync+0x2a8/0x440\n mlxsw_sp_rif_destroy+0x1e9/0x750\n mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0\n mlxsw_sp_router_netdevice_event+0x3ac/0x15e0\n notifier_call_chain+0xca/0x150\n call_netdevice_notifiers_info+0x7f/0x100\n unregister_netdevice_many_notify+0xc8c/0x1d90\n rtnl_dellink+0x34e/0xa50\n rtnetlink_rcv_msg+0x6fb/0xb70\n netlink_rcv_skb+0x131/0x360\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n __sys_sendmsg+0x121/0x1b0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Disable MACsec offload for uplink representor profile\n\nMACsec offload is not supported in switchdev mode for uplink\nrepresentors. When switching to the uplink representor profile, the\nMACsec offload feature must be cleared from the netdevice's features.\n\nIf left enabled, attempts to add offloads result in a null pointer\ndereference, as the uplink representor does not support MACsec offload\neven though the feature bit remains set.\n\nClear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().\n\nKernel log:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__mutex_lock+0x128/0x1dd0\nCode: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff\nRSP: 0018:ffff888147a4f160 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001\nRDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078\nRBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000\nFS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? 
die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? __mutex_lock+0x128/0x1dd0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mutex_lock_io_nested+0x1ae0/0x1ae0\n ? lock_acquire+0x1c2/0x530\n ? macsec_upd_offload+0x145/0x380\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? kasan_save_stack+0x30/0x40\n ? kasan_save_stack+0x20/0x40\n ? kasan_save_track+0x10/0x30\n ? __kasan_kmalloc+0x77/0x90\n ? __kmalloc_noprof+0x249/0x6b0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240\n ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]\n ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]\n macsec_update_offload+0x26c/0x820\n ? macsec_set_mac_address+0x4b0/0x4b0\n ? lockdep_hardirqs_on_prepare+0x284/0x400\n ? _raw_spin_unlock_irqrestore+0x47/0x50\n macsec_upd_offload+0x2c8/0x380\n ? macsec_update_offload+0x820/0x820\n ? __nla_parse+0x22/0x30\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240\n genl_family_rcv_msg_doit+0x1cc/0x2a0\n ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240\n ? cap_capable+0xd4/0x330\n genl_rcv_msg+0x3ea/0x670\n ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? lockdep_set_lock_cmp_fn+0x190/0x190\n ? macsec_update_offload+0x820/0x820\n netlink_rcv_skb+0x12b/0x390\n ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0\n ? netlink_ack+0xd80/0xd80\n ? rwsem_down_read_slowpath+0xf90/0xf90\n ? netlink_deliver_tap+0xcd/0xac0\n ? netlink_deliver_tap+0x155/0xac0\n ? _copy_from_iter+0x1bb/0x12c0\n genl_rcv+0x24/0x40\n netlink_unicast+0x440/0x700\n ? netlink_attachskb+0x760/0x760\n ? lock_acquire+0x1c2/0x530\n ? __might_fault+0xbb/0x170\n netlink_sendmsg+0x749/0xc10\n ? netlink_unicast+0x700/0x700\n ? __might_fault+0xbb/0x170\n ? netlink_unicast+0x700/0x700\n __sock_sendmsg+0xc5/0x190\n ____sys_sendmsg+0x53f/0x760\n ? import_iovec+0x7/0x10\n ? kernel_sendmsg+0x30/0x30\n ? 
__copy_msghdr+0x3c0/0x3c0\n ? filter_irq_stacks+0x90/0x90\n ? stack_depot_save_flags+0x28/0xa30\n ___sys_sen\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp\n\nSimilar to commit 6a057072ddd1 (\"drm/amd/display: Fix null check for\npipe_ctx->plane_state in dcn20_program_pipe\") that addresses a null\npointer dereference on dcn20_update_dchubp_dpp. This is the same\nfunction hooked for update_dchubp_dpp in dcn401, with the same issue.\nFix possible null pointer dereference on dcn401_program_pipe too.\n\n(cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: handle failure of nfs_get_lock_context in unlock path\n\nWhen memory is insufficient, the allocation of nfs_lock_context in\nnfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat\nan nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)\nas valid and proceed to execute rpc_run_task(), this will trigger a NULL\npointer dereference in nfs4_locku_prepare. For example:\n\nBUG: kernel NULL pointer dereference, address: 000000000000000c\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40\nWorkqueue: rpciod rpc_async_schedule\nRIP: 0010:nfs4_locku_prepare+0x35/0xc2\nCode: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3\nRSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246\nRAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40\nRBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38\nR10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030\nR13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30\nFS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n __rpc_execute+0xbc/0x480\n rpc_async_schedule+0x2f/0x40\n process_one_work+0x232/0x5d0\n worker_thread+0x1da/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x240\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\nModules linked in:\nCR2: 000000000000000c\n---[ end trace 0000000000000000 ]---\n\nFree the allocated nfs4_unlockdata when nfs_get_lock_context() fails and\nreturn NULL to terminate subsequent rpc_run_task, preventing NULL pointer\ndereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcf/0x610 mm/kasan/report.c:489\n kasan_report+0xb5/0xe0 mm/kasan/report.c:602\n rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195\n rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132\n __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232\n rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109\n create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052\n ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095\n ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679\n vfs_write fs/read_write.c:677 [inline]\n vfs_write+0x26a/0xcc0 fs/read_write.c:659\n ksys_write+0x1b8/0x200 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIn the function rxe_create_cq, when rxe_cq_from_init fails, the function\nrxe_cleanup will be called to handle the allocated resources. In fact,\nsome memory resources have already been freed in the function\nrxe_cq_from_init. Thus, this problem will occur.\n\nThe solution is to let rxe_cleanup do all the work.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7606: check for NULL before calling sw_mode_config()\n\nCheck that the sw_mode_config function pointer is not NULL before\ncalling it. Not all buses define this callback, which resulted in a NULL\npointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: max20086: fix invalid memory access\n\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\narray of struct of_regulator_match allocated on the stack for the\nmatches argument.\n\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\nbe de-allocated using devm_of_regulator_put_matches().\n\nstruct devm_of_regulator_matches is populated with the stack allocated\nmatches array.\n\nIf the device fails to probe, devm_of_regulator_put_matches() will be\ncalled and will try to call of_node_put() on that stack pointer,\ngenerating the following dmesg entries:\n\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\nkobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet\nkobject_put() is being called.\n\nFollowed by a stack trace matching the call flow described above.\n\nSwitch to allocating the matches array using devm_kcalloc() to\navoid accessing the stack pointer long after it's out of scope.\n\nThis also has the advantage of allowing multiple max20086 to probe\nwithout overriding the data stored inside the global of_regulator_match.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS/localio: Fix a race in nfs_local_open_fh()\n\nOnce the clp->cl_uuid.lock has been dropped, another CPU could come in\nand free the struct nfsd_file that was just added. To prevent that from\nhappening, take the RCU read lock before dropping the spin lock.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: avoid sleepable page allocation from atomic context\n\napply_to_pte_range() enters the lazy MMU mode and then invokes\nkasan_populate_vmalloc_pte() callback on each page table walk iteration. \nHowever, the callback can go into sleep when trying to allocate a single\npage, e.g.  if an architecture disables preemption on lazy MMU mode enter.\n\nOn s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and\narch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:\n\n[    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321\n[    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\n[    0.663358] preempt_count: 1, expected: 0\n[    0.663366] RCU nest depth: 0, expected: 0\n[    0.663375] no locks held by kthreadd/2.\n[    0.663383] Preemption disabled at:\n[    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0\n[    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT\n[    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)\n[    0.663409] Call Trace:\n[    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140\n[    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700\n[    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0\n[    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0\n[    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0\n[    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120\n[    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0\n[    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120\n[    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0\n[    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0\n[    0.663437]  [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0\n[    0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40\n[    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0\n[    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10\n[    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0\n[    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310\n[    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110\n[    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330\n[    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0\n[    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90\n[    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0\n[    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0\n[    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0\n[    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0\n[    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38\n\nInstead of allocating single pages per-PTE, bulk-allocate the shadow\nmemory prior to applying kasan_populate_vmalloc_pte() callback on a page\nrange.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmr: consolidate the ipmr_can_free_table() checks.\n\nGuoyu Yin reported a splat in the ipmr netns cleanup path:\n\nWARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline]\nWARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361\nModules linked in:\nCPU: 2 UID: 0 PID: 14564 Comm: syz.4.838 Not tainted 6.14.0 #1\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:ipmr_free_table net/ipv4/ipmr.c:440 [inline]\nRIP: 0010:ipmr_rules_exit+0x135/0x1c0 net/ipv4/ipmr.c:361\nCode: ff df 48 c1 ea 03 80 3c 02 00 75 7d 48 c7 83 60 05 00 00 00 00 00 00 5b 5d 41 5c 41 5d 41 5e e9 71 67 7f 00 e8 4c 2d 8a fd 90 <0f> 0b 90 eb 93 e8 41 2d 8a fd 0f b6 2d 80 54 ea 01 31 ff 89 ee e8\nRSP: 0018:ffff888109547c58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff888108c12dc0 RCX: ffffffff83e09868\nRDX: ffff8881022b3300 RSI: ffffffff83e098d4 RDI: 0000000000000005\nRBP: ffff888104288000 R08: 0000000000000000 R09: ffffed10211825c9\nR10: 0000000000000001 R11: ffff88801816c4a0 R12: 0000000000000001\nR13: ffff888108c13320 R14: ffff888108c12dc0 R15: fffffbfff0b74058\nFS:  00007f84f39316c0(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f84f3930f98 CR3: 0000000113b56000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n ipmr_net_exit_batch+0x50/0x90 net/ipv4/ipmr.c:3160\n ops_exit_list+0x10c/0x160 net/core/net_namespace.c:177\n setup_net+0x47d/0x8e0 net/core/net_namespace.c:394\n copy_net_ns+0x25d/0x410 net/core/net_namespace.c:516\n create_new_namespaces+0x3f6/0xaf0 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc3/0x180 kernel/nsproxy.c:228\n ksys_unshare+0x78d/0x9a0 kernel/fork.c:3342\n __do_sys_unshare kernel/fork.c:3413 [inline]\n __se_sys_unshare kernel/fork.c:3411 [inline]\n 
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3411\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f84f532cc29\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f84f3931038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f84f5615fa0 RCX: 00007f84f532cc29\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000400\nRBP: 00007f84f53fba18 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f84f5615fa0 R15: 00007fff51c5f328\n </TASK>\n\nThe running kernel has CONFIG_IP_MROUTE_MULTIPLE_TABLES disabled, and\nthe sanity check for such build is still too loose.\n\nAddress the issue consolidating the relevant sanity check in a single\nhelper regardless of the kernel configuration. Also share it between\nthe ipv4 and ipv6 code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88\n\nCalling core::fmt::write() from rust code while FineIBT is enabled\nresults in a kernel panic:\n\n[ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132!\n[ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 4614.211781] CPU: 2 UID: 0 PID: 6057 Comm: dmabuf_dump Tainted: G     U     O       6.12.17-android16-0-g6ab38c534a43 #1 9da040f27673ec3945e23b998a0f8bd64c846599\n[ 4614.227832] Tainted: [U]=USER, [O]=OOT_MODULE\n[ 4614.241247] RIP: 0010:do_kernel_cp_fault+0xea/0xf0\n...\n[ 4614.398144] RIP: 0010:_RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x0/0x20\n[ 4614.407792] Code: 48 f7 df 48 0f 48 f9 48 89 f2 89 c6 5d e9 18 fd ff ff 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 41 81 ea 14 61 af 2c 74 03 0f 0b 90 <66> 0f 1f 00 55 48 89 e5 48 89 f2 48 8b 3f be 01 00 00 00 5d e9 e7\n[ 4614.428775] RSP: 0018:ffffb95acfa4ba68 EFLAGS: 00010246\n[ 4614.434609] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000\n[ 4614.442587] RDX: 0000000000000007 RSI: ffffb95acfa4ba70 RDI: ffffb95acfa4bc88\n[ 4614.450557] RBP: ffffb95acfa4bae0 R08: ffff0a00ffffff05 R09: 0000000000000070\n[ 4614.458527] R10: 0000000000000000 R11: ffffffffab67eaf0 R12: ffffb95acfa4bcc8\n[ 4614.466493] R13: ffffffffac5d50f0 R14: 0000000000000000 R15: 0000000000000000\n[ 4614.474473]  ? __cfi__RNvXs5_NtNtNtCs3o2tGsuHyou_4core3fmt3num3impyNtB9_7Display3fmt+0x10/0x10\n[ 4614.484118]  ? 
_RNvNtCs3o2tGsuHyou_4core3fmt5write+0x1d2/0x250\n\nThis happens because core::fmt::write() calls\ncore::fmt::rt::Argument::fmt(), which currently has CFI disabled:\n\nlibrary/core/src/fmt/rt.rs:\n171     // FIXME: Transmuting formatter in new and indirectly branching to/calling\n172     // it here is an explicit CFI violation.\n173     #[allow(inline_no_sanitize)]\n174     #[no_sanitize(cfi, kcfi)]\n175     #[inline]\n176     pub(super) unsafe fn fmt(&self, f: &mut Formatter<'_>) -> Result {\n\nThis causes a Control Protection exception, because FineIBT has sealed\noff the original function's endbr64.\n\nThis makes rust currently incompatible with FineIBT. Add a Kconfig\ndependency that prevents FineIBT from getting turned on by default\nif rust is enabled.\n\n[ Rust 1.88.0 (scheduled for 2025-06-26) should have this fixed [1],\n  and thus we relaxed the condition with Rust >= 1.88.\n\n  When `objtool` lands checking for this with e.g. [2], the plan is\n  to ideally run that in upstream Rust's CI to prevent regressions\n  early [3], since we do not control `core`'s source code.\n\n  Alice tested the Rust PR backported to an older compiler.\n\n  Peter would like that Rust provides a stable `core` which can be\n  pulled into the kernel: \"Relying on that much out of tree code is\n  'unfortunate'\".\n\n    - Miguel ]\n\n[ Reduced splat. - Miguel ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref\n\nbtrfs_prelim_ref() calls the old and new reference variables in the\nincorrect order. This causes a NULL pointer dereference because oldref\nis passed as NULL to trace_btrfs_prelim_ref_insert().\n\nNote, trace_btrfs_prelim_ref_insert() is being called with newref as\noldref (and oldref as NULL) on purpose in order to print out\nthe values of newref.\n\nTo reproduce:\necho 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable\n\nPerform some writeback operations.\n\nBacktrace:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130\n Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88\n RSP: 0018:ffffce44820077a0 EFLAGS: 00010286\n RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b\n RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010\n RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010\n R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000\n R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540\n FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  prelim_ref_insert+0x1c1/0x270\n  find_parent_nodes+0x12a6/0x1ee0\n  ? __entry_text_end+0x101f06/0x101f09\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  btrfs_is_data_extent_shared+0x167/0x640\n  ? fiemap_process_hole+0xd0/0x2c0\n  extent_fiemap+0xa5c/0xbc0\n  ? __entry_text_end+0x101f05/0x101f09\n  btrfs_fiemap+0x7e/0xd0\n  do_vfs_ioctl+0x425/0x9d0\n  __x64_sys_ioctl+0x75/0xc0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: don't restore null sk_state_change\n\nqueue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if\nthe TCP connection isn't established when nvmet_tcp_set_queue_sock() is\ncalled then queue->state_change isn't set and sock->sk->sk_state_change\nisn't replaced.\n\nAs such we don't need to restore sock->sk->sk_state_change if\nqueue->state_change is NULL.\n\nThis avoids NULL pointer dereferences such as this:\n\n[  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode\n[  286.463796][    C0] #PF: error_code(0x0010) - not-present page\n[  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0\n[  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI\n[  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary)\n[  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[  286.467147][    C0] RIP: 0010:0x0\n[  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246\n[  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43\n[  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100\n[  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c\n[  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3\n[  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268\n[  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000\n[  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0\n[  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400\n[  286.475453][    C0] Call Trace:\n[  286.476102][    C0]  <IRQ>\n[  286.476719][    C0]  tcp_fin+0x2bb/0x440\n[  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60\n[  286.478174][    C0]  ? __build_skb_around+0x234/0x330\n[  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10\n[  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0\n[  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30\n[  286.482769][    C0]  ? ktime_get+0x66/0x150\n[  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050\n[  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0\n[  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10\n[  286.486917][    C0]  ? lock_release+0x217/0x2c0\n[  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0\n[  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30\n[  286.488904][    C0]  ? raw_local_deliver+0x51b/0xad0\n[  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10\n[  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10\n[  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack]\n[  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370\n[  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420\n[  286.494268][    C0]  ip_local_deliver+0x168/0x430\n[  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10\n[  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20\n[  286.496806][    C0]  ? lock_release+0x217/0x2c0\n[  286.497414][    C0]  ip_rcv+0x455/0x6e0\n[  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10\n[ \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vf: Perform early GT MMIO initialization to read GMDID\n\nVFs need to communicate with the GuC to obtain the GMDID value\nand existing GuC functions used for that assume that the GT has\nit's MMIO members already setup. However, due to recent refactoring\nthe gt->mmio is initialized later, and any attempt by the VF to use\nxe_mmio_read|write() from GuC functions will lead to NPD crash due\nto unset MMIO register address:\n\n[] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode\n[] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507\n[] BUG: unable to handle page fault for address: 0000000000190240\n\nSince we are already tweaking the id and type of the primary GT to\nmimic it's a Media GT before initializing the GuC communication,\nwe can also call xe_gt_mmio_init() to perform early setup of the\ngt->mmio which will make those GuC functions work again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Annotate FDB data races\n\nThe 'used' and 'updated' fields in the FDB entry structure can be\naccessed concurrently by multiple threads, leading to reports such as\n[1]. Can be reproduced using [2].\n\nSuppress these reports by annotating these accesses using\nREAD_ONCE() / WRITE_ONCE().\n\n[1]\nBUG: KCSAN: data-race in vxlan_xmit / vxlan_xmit\n\nwrite to 0xffff942604d263a8 of 8 bytes by task 286 on cpu 0:\n vxlan_xmit+0xb29/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff942604d263a8 of 8 bytes by task 287 on cpu 2:\n vxlan_xmit+0xadf/0x2380\n dev_hard_start_xmit+0x84/0x2f0\n __dev_queue_xmit+0x45a/0x1650\n packet_xmit+0x100/0x150\n packet_sendmsg+0x2114/0x2ac0\n __sys_sendto+0x318/0x330\n __x64_sys_sendto+0x76/0x90\n x64_sys_call+0x14e8/0x1c00\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000fffbac6e -> 0x00000000fffbac6f\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 2 UID: 0 PID: 287 Comm: mausezahn Not tainted 6.13.0-rc7-01544-gb4b270f11a02 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n\n[2]\n #!/bin/bash\n\n set +H\n echo whitelist > /sys/kernel/debug/kcsan\n echo !vxlan_xmit > /sys/kernel/debug/kcsan\n\n ip link add name vx0 up type vxlan id 10010 dstport 4789 local 192.0.2.1\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 198.51.100.1\n taskset -c 0 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &\n taskset -c 2 mausezahn vx0 -a own -b 00:11:22:33:44:55 -c 0 -q &",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost\n\nset_boost is a per-policy function call, hence a driver wide lock is\nunnecessary. Also this mutex_acquire can collide with the mutex_acquire\nfrom the mode-switch path in status_store(), which can lead to a\ndeadlock. So, remove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled\n\nWhen attempting to enable MQPRIO while HTB offload is already\nconfigured, the driver currently returns `-EINVAL` and triggers a\n`WARN_ON`, leading to an unnecessary call trace.\n\nUpdate the code to handle this case more gracefully by returning\n`-EOPNOTSUPP` instead, while also providing a helpful user message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mctrl_gpio: split disable_ms into sync and no_sync APIs\n\nThe following splat has been observed on a SAMA5D27 platform using\natmel_serial:\n\nBUG: sleeping function called from invalid context at kernel/irq/manage.c:738\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last  enabled at (0): [<00000000>] 0x0\nhardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec\nsoftirqs last  enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec\nsoftirqs last disabled at (0): [<00000000>] 0x0\nCPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74\nHardware name: Atmel SAMA5\nWorkqueue: hci0 hci_power_on [bluetooth]\nCall trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x44/0x70\n  dump_stack_lvl from __might_resched+0x38c/0x598\n  __might_resched from disable_irq+0x1c/0x48\n  disable_irq from mctrl_gpio_disable_ms+0x74/0xc0\n  mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4\n  atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8\n  atmel_set_termios from uart_change_line_settings+0x15c/0x994\n  uart_change_line_settings from uart_set_termios+0x2b0/0x668\n  uart_set_termios from tty_set_termios+0x600/0x8ec\n  tty_set_termios from ttyport_set_flow_control+0x188/0x1e0\n  ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]\n  wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]\n  hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]\n  hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]\n  hci_power_on [bluetooth] from process_one_work+0x998/0x1a38\n  process_one_work from worker_thread+0x6e0/0xfb4\n  worker_thread from kthread+0x3d4/0x484\n  kthread from ret_from_fork+0x14/0x28\n\nThis warning is emitted when trying to toggle, at the highest level,\nsome flow control (with serdev_device_set_flow_control) in a device\ndriver. At the lowest level, the atmel_serial driver is using\nserial_mctrl_gpio lib to enable/disable the corresponding IRQs\naccordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to\ndisable_irq (called in mctrl_gpio_disable_ms) being possibly called in\nsome atomic context (some tty drivers perform modem lines configuration\nin regions protected by port lock).\n\nSplit mctrl_gpio_disable_ms into two differents APIs, a non-blocking one\nand a blocking one. Replace mctrl_gpio_disable_ms calls with the\nrelevant version depending on whether the call is protected by some port\nlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: h616: Reparent GPU clock during frequency changes\n\nThe H616 manual does not state that the GPU PLL supports\ndynamic frequency configuration, so we must take extra care when changing\nthe frequency. Currently any attempt to do device DVFS on the GPU lead\nto panfrost various ooops, and GPU hangs.\n\nThe manual describes the algorithm for changing the PLL\nfrequency, which the CPU PLL notifier code already support, so we reuse\nthat to reparent the GPU clock to GPU1 clock during frequency\nchanges.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn\n\nThe user of k3_udma_glue_reset_rx_chn() e.g. ti_am65_cpsw_nuss can\nrun on multiple platforms having different DMA architectures.\nOn some platforms there can be one FDQ for all flows in the RX channel\nwhile for others there is a separate FDQ for each flow in the RX channel.\n\nSo far we have been relying on the skip_fdq argument of\nk3_udma_glue_reset_rx_chn().\n\nInstead of relying on the user to provide this information, infer it\nbased on DMA architecture during k3_udma_glue_request_rx_chn() and save it\nin an internal flag 'single_fdq'. Use that flag at\nk3_udma_glue_reset_rx_chn() to deicide if the FDQ needs\nto be cleared for every flow or just for flow 0.\n\nFixes the below issue on ti_am65_cpsw_nuss driver on AM62-SK.\n\n> ip link set eth1 down\n> ip link set eth0 down\n> ethtool -L eth0 rx 8\n> ip link set eth0 up\n> modprobe -r ti_am65_cpsw_nuss\n\n[  103.045726] ------------[ cut here ]------------\n[  103.050505] k3_knav_desc_pool size 512000 != avail 64000\n[  103.050703] WARNING: CPU: 1 PID: 450 at drivers/net/ethernet/ti/k3-cppi-desc-pool.c:33 k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool]\n[  103.068810] Modules linked in: ti_am65_cpsw_nuss(-) k3_cppi_desc_pool snd_soc_hdmi_codec crct10dif_ce snd_soc_simple_card snd_soc_simple_card_utils display_connector rtc_ti_k3 k3_j72xx_bandgap tidss drm_client_lib snd_soc_davinci_mcas\np drm_dma_helper tps6598x phylink snd_soc_ti_udma rti_wdt drm_display_helper snd_soc_tlv320aic3x_i2c typec at24 phy_gmii_sel snd_soc_ti_edma snd_soc_tlv320aic3x sii902x snd_soc_ti_sdma sa2ul omap_mailbox drm_kms_helper authenc cfg80211 r\nfkill fuse drm drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: k3_cppi_desc_pool]\n[  103.119950] CPU: 1 UID: 0 PID: 450 Comm: modprobe Not tainted 6.13.0-rc7-00001-g9c5e3435fa66 #1011\n[  103.119968] Hardware name: Texas Instruments AM625 SK (DT)\n[  103.119974] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  103.119983] pc : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool]\n[  103.148007] lr : k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool]\n[  103.154709] sp : ffff8000826ebbc0\n[  103.158015] x29: ffff8000826ebbc0 x28: ffff0000090b6300 x27: 0000000000000000\n[  103.165145] x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000019df6b0\n[  103.172271] x23: ffff0000019df6b8 x22: ffff0000019df410 x21: ffff8000826ebc88\n[  103.179397] x20: 000000000007d000 x19: ffff00000a3b3000 x18: 0000000000000000\n[  103.186522] x17: 0000000000000000 x16: 0000000000000000 x15: 000001e8c35e1cde\n[  103.193647] x14: 0000000000000396 x13: 000000000000035c x12: 0000000000000000\n[  103.200772] x11: 000000000000003a x10: 00000000000009c0 x9 : ffff8000826eba20\n[  103.207897] x8 : ffff0000090b6d20 x7 : ffff00007728c180 x6 : ffff00007728c100\n[  103.215022] x5 : 0000000000000001 x4 : ffff000000508a50 x3 : ffff7ffff6146000\n[  103.222147] x2 : 0000000000000000 x1 : e300b4173ee6b200 x0 : 0000000000000000\n[  103.229274] Call trace:\n[  103.231714]  k3_cppi_desc_pool_destroy+0xa0/0xa8 [k3_cppi_desc_pool] (P)\n[  103.238408]  am65_cpsw_nuss_free_rx_chns+0x28/0x4c [ti_am65_cpsw_nuss]\n[  103.244942]  devm_action_release+0x14/0x20\n[  103.249040]  release_nodes+0x3c/0x68\n[  103.252610]  devres_release_all+0x8c/0xdc\n[  103.256614]  device_unbind_cleanup+0x18/0x60\n[  103.260876]  device_release_driver_internal+0xf8/0x178\n[  103.266004]  driver_detach+0x50/0x9c\n[  103.269571]  bus_remove_driver+0x6c/0xbc\n[  103.273485]  driver_unregister+0x30/0x60\n[  103.277401]  platform_driver_unregister+0x14/0x20\n[  103.282096]  am65_cpsw_nuss_driver_exit+0x18/0xff4 [ti_am65_cpsw_nuss]\n[  103.288620]  __arm64_sys_delete_module+0x17c/0x25c\n[  103.293404]  invoke_syscall+0x44/0x100\n[  103.297149]  el0_svc_common.constprop.0+0xc0/0xe0\n[  103.301845]  do_el0_svc+0x1c/0x28\n[  103.305155]  el0_svc+0x28/0x98\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Set dma_mask for ffa devices\n\nSet dma_mask for FFA devices, otherwise DMA allocation using the device pointer\nlead to following warning:\n\nWARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx231xx: set device_caps for 417\n\nThe video_device for the MPEG encoder did not set device_caps.\n\nAdd this, otherwise the video device can't be registered (you get a\nWARN_ON instead).\n\nNot seen before since currently 417 support is disabled, but I found\nthis while experimenting with it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix debug actions order\n\nThe order of actions taken for debug was implemented incorrectly.\nNow we implemented the dump split and do the FW reset only in the\nmiddle of the dump (rather than the FW killing itself on error.)\nAs a result, some of the actions taken when applying the config\nwill now crash the device, so we need to fix the order.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Fix system hang during S4 resume with FRED enabled\n\nUpon a wakeup from S4, the restore kernel starts and initializes the\nFRED MSRs as needed from its perspective.  It then loads a hibernation\nimage, including the image kernel, and attempts to load image pages\ndirectly into their original page frames used before hibernation unless\nthose frames are currently in use.  Once all pages are moved to their\noriginal locations, it jumps to a \"trampoline\" page in the image kernel.\n\nAt this point, the image kernel takes control, but the FRED MSRs still\ncontain values set by the restore kernel, which may differ from those\nset by the image kernel before hibernation.  Therefore, the image kernel\nmust ensure the FRED MSRs have the same values as before hibernation.\nSince these values depend only on the location of the kernel text and\ndata, they can be recomputed from scratch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_ring: Fix data race by tagging event_triggered as racy for KCSAN\n\nsyzbot reports a data-race when accessing the event_triggered, here is the\nsimplified stack when the issue occurred:\n\n==================================================================\nBUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed\n\nwrite to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:\n virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653\n start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3800 [inline]\n\nread to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:\n virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]\n virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566\n skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777\n vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715\n __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158\n handle_irq_event_percpu kernel/irq/handle.c:193 [inline]\n\nvalue changed: 0x01 -> 0x00\n==================================================================\n\nWhen the data race occurs, the function virtqueue_enable_cb_delayed() sets\nevent_triggered to false, and virtqueue_disable_cb_split/packed() reads it\nas false due to the race condition. Since event_triggered is an unreliable\nhint used for optimization, this should only cause the driver temporarily\nsuggest that the device not send an interrupt notification when the event\nindex is used.\n\nFix this KCSAN reported data-race issue by explicitly tagging the access as\ndata_racy.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors\n\nCommit\n\n  6eac36bb9eb0 (\"x86/resctrl: Allocate the cleanest CLOSID by searching closid_num_dirty_rmid\")\n\nadded logic that causes resctrl to search for the CLOSID with the fewest dirty\ncache lines when creating a new control group, if requested by the arch code.\nThis depends on the values read from the llc_occupancy counters. The logic is\napplicable to architectures where the CLOSID effectively forms part of the\nmonitoring identifier and so do not allow complete freedom to choose an unused\nmonitoring identifier for a given CLOSID.\n\nThis support missed that some platforms may not have these counters.  This\ncauses a NULL pointer dereference when creating a new control group as the\narray was not allocated by dom_data_init().\n\nAs this feature isn't necessary on platforms that don't have cache occupancy\nmonitors, add this to the check that occurs when a new control group is\nallocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios\n\nA kernel crash was observed when replacing free hugetlb folios:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000028\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)\nRIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0\nRSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000\nRDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000\nRBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000\nR10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000\nR13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004\nFS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0\nCall Trace:\n<TASK>\n replace_free_hugepage_folios+0xb6/0x100\n alloc_contig_range_noprof+0x18a/0x590\n ? srso_return_thunk+0x5/0x5f\n ? down_read+0x12/0xa0\n ? srso_return_thunk+0x5/0x5f\n cma_range_alloc.constprop.0+0x131/0x290\n __cma_alloc+0xcf/0x2c0\n cma_alloc_write+0x43/0xb0\n simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110\n debugfs_attr_write+0x46/0x70\n full_proxy_write+0x62/0xa0\n vfs_write+0xf8/0x420\n ? srso_return_thunk+0x5/0x5f\n ? filp_flush+0x86/0xa0\n ? srso_return_thunk+0x5/0x5f\n ? filp_close+0x1f/0x30\n ? srso_return_thunk+0x5/0x5f\n ? do_dup2+0xaf/0x160\n ? srso_return_thunk+0x5/0x5f\n ksys_write+0x65/0xe0\n do_syscall_64+0x64/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThere is a potential race between __update_and_free_hugetlb_folio() and\nreplace_free_hugepage_folios():\n\nCPU1                              CPU2\n__update_and_free_hugetlb_folio   replace_free_hugepage_folios\n                                    folio_test_hugetlb(folio)\n                                    -- It's still hugetlb folio.\n\n  __folio_clear_hugetlb(folio)\n  hugetlb_free_folio(folio)\n                                    h = folio_hstate(folio)\n                                    -- Here, h is NULL pointer\n\nWhen the above race condition occurs, folio_hstate(folio) returns NULL,\nand subsequent access to this NULL pointer will cause the system to crash.\nTo resolve this issue, execute folio_hstate(folio) under the protection\nof the hugetlb_lock lock, ensuring that folio_hstate(folio) does not\nreturn NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  </TASK>\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 2\n-----------------------------------\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n  Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25\n\n  Call Trace:\n   kasan_report+0xd9/0x110 mm/kasan/report.c:601\n   tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n   crypto_request_complete include/crypto/algapi.h:266\n   aead_request_complete include/crypto/internal/aead.h:85\n   cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772\n   crypto_request_complete include/crypto/algapi.h:266\n   cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181\n   process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\n  Allocated by task 8355:\n   kzalloc_noprof include/linux/slab.h:778\n   tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466\n   tipc_init_net+0x2dd/0x430 net/tipc/core.c:72\n   ops_init+0xb9/0x650 net/core/net_namespace.c:139\n   setup_net+0x435/0xb40 net/core/net_namespace.c:343\n   copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n   create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n   unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228\n   ksys_unshare+0x419/0x970 kernel/fork.c:3323\n   __do_sys_unshare kernel/fork.c:3394\n\n  Freed by task 63:\n   kfree+0x12a/0x3b0 mm/slub.c:4557\n   tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539\n   tipc_exit_net+0x8c/0x110 net/tipc/core.c:119\n   ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173\n   cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n   process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\nAfter the tipc_crypto tx is freed by deleting the namespace, tipc_aead_encrypt_done\nmay still access it from the cryptd_queue_worker workqueue.\n\nI reproduce this issue by:\n  ip netns add ns1\n  ip link add veth1 type veth peer name veth2\n  ip link set veth1 netns ns1\n  ip netns exec ns1 tipc bearer enable media eth dev veth1\n  ip netns exec ns1 tipc node set key this_is_a_master_key master\n  ip netns exec ns1 tipc bearer disable media eth dev veth1\n  ip netns del ns1\n\nThe key to reproduction is that simd_aead_encrypt is interrupted, leading\nto crypto_simd_usable() returning false. Thus, the cryptd_queue_worker is\ntriggered, and the tipc_crypto tx will be accessed.\n\n  tipc_disc_timeout\n    tipc_bearer_xmit_skb\n      tipc_crypto_xmit\n        tipc_aead_encrypt\n          crypto_aead_encrypt\n            // encrypt()\n            simd_aead_encrypt\n              // crypto_simd_usable() is false\n              child = &ctx->cryptd_tfm->base;\n\n  simd_aead_encrypt\n    crypto_aead_encrypt\n      // encrypt()\n      cryptd_aead_encrypt_enqueue\n        cryptd_aead_enqueue\n          cryptd_enqueue_request\n            // trigger cryptd_queue_worker\n            queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)\n\nFix this by holding a net reference count before encrypting.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix null-ptr-deref in idpf_features_check\n\nidpf_features_check is used to validate the TX packet. The skb header\nlength is compared with the hardware supported value received from\nthe device control plane. The value is stored in the adapter structure\nand to access it, the vport pointer is used. During reset all the vports\nare released and the vport pointer that the netdev private structure\npoints to is NULL.\n\nTo avoid null-ptr-deref, store the max header length value in the netdev\nprivate structure. This also helps to cache the value and avoid\naccessing the adapter pointer in the hot path.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000068\n...\nRIP: 0010:idpf_features_check+0x6d/0xe0 [idpf]\nCall Trace:\n <TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x154/0x520\n ? exc_page_fault+0x76/0x190\n ? asm_exc_page_fault+0x26/0x30\n ? idpf_features_check+0x6d/0xe0 [idpf]\n netif_skb_features+0x88/0x310\n validate_xmit_skb+0x2a/0x2b0\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x19d/0x3a0\n __dev_queue_xmit+0xb74/0xe70\n ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Limit signal/freq counts in summary output functions\n\nThe debugfs summary output could access uninitialized elements in\nthe freq_in[] and signal_out[] arrays, causing NULL pointer\ndereferences and triggering a kernel Oops (page_fault_oops).\nThis patch adds u8 fields (nr_freq_in, nr_signal_out) to track the\nnumber of initialized elements, with a maximum of 4 per array.\nThe summary output functions are updated to respect these limits,\npreventing out-of-bounds access and ensuring safe array handling.\n\nWiden the label variables because the change confuses GCC about\nmax length of the strings.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq\n\nCurrently, using PEBS-via-PT with a sample frequency instead of a sample\nperiod, causes a segfault.  For example:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000195\n    <NMI>\n    ? __die_body.cold+0x19/0x27\n    ? page_fault_oops+0xca/0x290\n    ? exc_page_fault+0x7e/0x1b0\n    ? asm_exc_page_fault+0x26/0x30\n    ? intel_pmu_pebs_event_update_no_drain+0x40/0x60\n    ? intel_pmu_pebs_event_update_no_drain+0x32/0x60\n    intel_pmu_drain_pebs_icl+0x333/0x350\n    handle_pmi_common+0x272/0x3c0\n    intel_pmu_handle_irq+0x10a/0x2e0\n    perf_event_nmi_handler+0x2a/0x50\n\nThat happens because intel_pmu_pebs_event_update_no_drain() assumes all the\npebs_enabled bits represent counter indexes, which is not always the case.\nIn this particular case, bits 60 and 61 are set for PEBS-via-PT purposes.\n\nThe behaviour of PEBS-via-PT with sample frequency is questionable because\nalthough a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not\nadjusted anyway.\n\nPutting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing\nthe mask of counter bits instead of 'size'.  Note, prior to the Fixes\ncommit, 'size' would be limited to the maximum counter index, so the issue\nwas not hit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Fix UAF when reloading module\n\nhda_generic_machine_select() appends -idisp to the tplg filename by\nallocating a new string with devm_kasprintf(), then stores the string\nright back into the global variable snd_soc_acpi_intel_hda_machines.\nWhen the module is unloaded, this memory is freed, resulting in a global\nvariable pointing to freed memory.  Reloading the module then triggers\na use-after-free:\n\nBUG: KFENCE: use-after-free read in string+0x48/0xe0\n\nUse-after-free read at 0x00000000967e0109 (in kfence-#99):\n string+0x48/0xe0\n vsnprintf+0x329/0x6e0\n devm_kvasprintf+0x54/0xb0\n devm_kasprintf+0x58/0x80\n hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]\n sof_probe_work+0x7f/0x600 [snd_sof]\n process_one_work+0x17b/0x330\n worker_thread+0x2ce/0x3f0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nkfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64\n\nallocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):\n devm_kmalloc+0x52/0x120\n devm_kvasprintf+0x66/0xb0\n devm_kasprintf+0x58/0x80\n hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]\n sof_probe_work+0x7f/0x600 [snd_sof]\n process_one_work+0x17b/0x330\n worker_thread+0x2ce/0x3f0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nfreed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):\n release_nodes+0x43/0xb0\n devres_release_all+0x90/0xf0\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1c1/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x6d/0xf0\n pci_unregister_driver+0x42/0xb0\n __do_sys_delete_module+0x1d1/0x310\n do_syscall_64+0x82/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it by copying the match array with devm_kmemdup_array() before we\nmodify it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: fix skb leaks\n\nA few error paths are missing a kfree_skb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock\n\n... or we risk stealing final mntput from sync umount - raising mnt_count\nafter umount(2) has verified that victim is not busy, but before it\nhas set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see\nthat it's safe to quietly undo mnt_count increment and leaves dropping\nthe reference to caller, where it'll be a full-blown mntput().\n\nCheck under mount_lock is needed; leaving the current one done before\ntaking that makes no sense - it's nowhere near common enough to bother\nwith.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid NULL pointer dereference if no valid csum tree\n\n[BUG]\nWhen trying a read-only scrub on a btrfs with the rescue=idatacsums mount\noption, it will crash with the following call trace:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000208\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O        6.15.0-rc3-custom+ #236 PREEMPT(full)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]\n  Call Trace:\n   <TASK>\n   scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]\n   scrub_simple_mirror+0x175/0x290 [btrfs]\n   scrub_stripe+0x5f7/0x6f0 [btrfs]\n   scrub_chunk+0x9a/0x150 [btrfs]\n   scrub_enumerate_chunks+0x333/0x660 [btrfs]\n   btrfs_scrub_dev+0x23e/0x600 [btrfs]\n   btrfs_ioctl+0x1dcf/0x2f80 [btrfs]\n   __x64_sys_ioctl+0x97/0xc0\n   do_syscall_64+0x4f/0x120\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[CAUSE]\nMount option \"rescue=idatacsums\" will completely skip loading the csum\ntree, so that any data read will not find any data csum, thus we will\nignore data checksum verification.\n\nNormally call sites utilizing the csum tree will check the fs state flag\nNO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.\n\nThis results in scrub calling btrfs_search_slot() on a NULL pointer\nand triggering the above crash.\n\n[FIX]\nCheck both the extent and csum tree roots before doing any tree search.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: copy_verifier_state() should copy 'loop_entry' field\n\nThe bpf_verifier_state.loop_entry state should be copied by\ncopy_verifier_state(). Otherwise, .loop_entry values from unrelated\nstates would poison env->cur_state.\n\nAdditionally, env->stack should not contain any states with\n.loop_entry != NULL. The states in env->stack are yet to be verified,\nwhile .loop_entry is set for states that reached an equivalent state.\nThis means that env->cur_state->loop_entry should always be NULL after\npop_stack().\n\nSee the selftest in the next commit for an example of the program that\nis not safe yet is accepted by verifier w/o this fix.\n\nThis change has some verification performance impact for selftests:\n\nFile                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF)\n----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  -------------\narena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%)\narena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%)\narena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%)\niters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%)\niters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%)\niters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%)\nkmem_cache_iter.bpf.o               open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%)\nverifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%)\nverifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)\n\nAnd significant negative impact for sched_ext:\n\nFile               Program                 Insns (A)  Insns (B)  Insns         (DIFF)  States (A)  States (B)  States      (DIFF)\n-----------------  ----------------------  ---------  ---------  --------------------  ----------  ----------  ------------------\nbpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%)\nbpf.bpf.o          layered_dispatch            11485      10548         -937 (-8.16%)         848         762       -86 (-10.14%)\nbpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%)\nbpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%)\nbpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%)\nbpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%)\nbpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%)\nbpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%)\nscx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%)\nscx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%)\nscx_qmap.bpf.o     qmap_dispatch      \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pktgen: fix access outside of user given buffer in pktgen_thread_write()\n\nHonour the user given buffer size for the strn_len() calls (otherwise\nstrn_len() will access memory outside of the user given buffer).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie\n\nThe IOMMU translation for MSI message addresses has been a 2-step process,\nseparated in time:\n\n 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address\n    is stored in the MSI descriptor when an MSI interrupt is allocated.\n\n 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a\n    translated message address.\n\nThis has an inherent lifetime problem for the pointer stored in the cookie\nthat must remain valid between the two steps. However, there is no locking\nat the irq layer that helps protect the lifetime. Today, this works under\nthe assumption that the iommu domain is not changed while MSI interrupts are\nbeing programmed. This is true for normal DMA API users within the kernel,\nas the iommu domain is attached before the driver is probed and cannot be\nchanged while a driver is attached.\n\nClassic VFIO type1 also prevented changing the iommu domain while VFIO was\nrunning as it does not support changing the \"container\" after starting up.\n\nHowever, iommufd has improved this so that the iommu domain can be changed\nduring VFIO operation. This potentially allows userspace to directly race\nVFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and\nVFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).\n\nThis potentially causes both the cookie pointer and the unlocked call to\niommu_get_domain_for_dev() on the MSI translation path to become UAFs.\n\nFix the MSI cookie UAF by removing the cookie pointer. The translated IOVA\naddress is already known during iommu_dma_prepare_msi() and cannot change.\nThus, it can simply be stored as an integer in the MSI descriptor.\n\nThe other UAF related to iommu_get_domain_for_dev() will be addressed in\npatch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by\nusing the IOMMU group mutex.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix unconditional IO throttle caused by REQ_PREFLUSH\n\nWhen a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()\ngenerates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,\nwhich causes the flush_bio to be throttled by wbt_wait().\n\nAn example from v5.4; a similar problem also exists upstream:\n\n    crash> bt 2091206\n    PID: 2091206  TASK: ffff2050df92a300  CPU: 109  COMMAND: \"kworker/u260:0\"\n     #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8\n     #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4\n     #2 [ffff800084a2f880] schedule at ffff800040bfa4b4\n     #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4\n     #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc\n     #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0\n     #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254\n     #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38\n     #8 [ffff800084a2fa60] generic_make_request at ffff800040570138\n     #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4\n    #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs]\n    #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs]\n    #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs]\n    #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs]\n    #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs]\n    #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs]\n    #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08\n    #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc\n    #18 [ffff800084a2fe70] kthread at ffff800040118de4\n\nAfter commit 2def2845cc33 (\"xfs: don't allow log IO to be throttled\"),\nthe metadata submitted by xlog_write_iclog() should not be throttled.\nBut due to the existence of the dm layer, throttling flush_bio indirectly\ncauses the metadata bio to be throttled.\n\nFix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes\nwbt_should_throttle() return false to avoid wbt_wait().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: break and reset virtio devices on device_shutdown()\n\nHongyu reported a hang on kexec in a VM. QEMU reported invalid memory\naccesses during the hang.\n\n\tInvalid read at addr 0x102877002, size 2, region '(null)', reason: rejected\n\tInvalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected\n\t...\n\nIt was traced down to virtio-console. Kexec works fine if virtio-console\nis not in use.\n\nThe issue is that virtio-console continues to write to the MMIO even after\nunderlying virtio-pci device is reset.\n\nAdditionally, Eric noticed that IOMMUs are reset before devices, if\ndevices are not reset on shutdown they continue to poke at guest memory\nand get errors from the IOMMU. Some devices get wedged then.\n\nThe problem can be solved by breaking all virtio devices on virtio\nbus shutdown, then resetting them.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Do not truncate file size\n\n'len' is used to store the result of i_size_read(), so making 'len'\na size_t results in truncation to 4GiB on 32-bit systems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduction steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n   with some mappings stored in the first array block of the mapping\n   array. Here we use cache_restore v1.0 to build the metadata.\n\ncat <<EOF >> cmeta.xml\n<superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\\npolicy=\"smq\" hint_width=\"4\">\n  <mappings>\n    <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>\n  </mappings>\n</superblock>\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n   data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n   due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. An unexpected BUG_ON is triggered\n   while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrseq: Fix segfault on registration when rseq_cs is non-zero\n\nThe rseq_cs field is documented as being set to 0 by user-space prior to\nregistration, however this is not currently enforced by the kernel. This\ncan result in a segfault on return to user-space if the value stored in\nthe rseq_cs field doesn't point to a valid struct rseq_cs.\n\nThe correct solution to this would be to fail the rseq registration when\nthe rseq_cs field is non-zero. However, some older versions of glibc\nwill reuse the rseq area of previous threads without clearing the\nrseq_cs field and will also terminate the process if the rseq\nregistration fails in a secondary thread. This wasn't caught in testing\nbecause in this case the leftover rseq_cs does point to a valid struct\nrseq_cs.\n\nWhat we can do is clear the rseq_cs field on registration when it's\nnon-zero which will prevent segfaults on registration and won't break\nthe glibc versions that reuse rseq areas on thread creation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns.  It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write.  Use the safe interface in crypto/lzo.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops\n\nFix a kernel oops found while testing the stm32_pcie Endpoint driver\nwith handling of PERST# deassertion:\n\nDuring EP initialization, pci_epf_test_alloc_space() allocates all BARs,\nwhich are further freed if epc_set_bar() fails (for instance, due to no\nfree inbound window).\n\nHowever, when pci_epc_set_bar() fails, the error path:\n\n  pci_epc_set_bar() ->\n    pci_epf_free_space()\n\ndoes not clear the previous assignment to epf_test->reg[bar].\n\nThen, if the host reboots, the PERST# deassertion restarts the BAR\nallocation sequence with the same allocation failure (no free inbound\nwindow), creating a double free situation since epf_test->reg[bar] was\ndeallocated and is still non-NULL.\n\nThus, make sure that pci_epf_alloc_space() and pci_epf_free_space()\ninvocations are symmetric, and as such, set epf_test->reg[bar] to NULL\nwhen memory is freed.\n\n[kwilczynski: commit log]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: Add NULL check in sma1307_setting_loaded()\n\nAll varibale allocated by kzalloc and devm_kzalloc could be NULL.\nMultiple pointer checks and their cleanup are added.\n\nThis issue is found by our static analysis tool",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Check return value from memblock_phys_alloc_range()\n\nAt least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of\ncontiguous free memory available at this point, the kernel will crash\nand burn because memblock_phys_alloc_range() returns 0 on failure,\nwhich leads memblock_phys_free() to throw the first 4 MiB of physical\nmemory to the wolves.\n\nAt a minimum it should fail gracefully with a meaningful diagnostic,\nbut in fact everything seems to work fine without the weird reserve\nallocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibnvdimm/labels: Fix divide error in nd_label_data_init()\n\nIf a faulty CXL memory device returns a broken zero LSA size in its\nmemory device information (Identify Memory Device (Opcode 4000h), CXL\nspec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm\ndriver:\n\n Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]\n\nCode and flow:\n\n1) CXL Command 4000h returns LSA size = 0\n2) config_size is assigned to zero LSA size (CXL pmem driver):\n\ndrivers/cxl/pmem.c:             .config_size = mds->lsa_size,\n\n3) max_xfer is set to zero (nvdimm driver):\n\ndrivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);\n\n4) A subsequent DIV_ROUND_UP() causes a division by zero:\n\ndrivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */\ndrivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,\ndrivers/nvdimm/label.c-                 config_size);\n\nFix this by checking the config size parameter by extending an\nexisting check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq->log_used with vq->mutex\n\nThe vhost-scsi completion path may access vq->log_base when vq->log_used is\nalready set to false.\n\n    vhost-thread                       QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-> vhost_add_used()\n   -> vhost_add_used_n()\n      if (unlikely(vq->log_used))\n                                      QEMU disables vq->log_used\n                                      via VHOST_SET_VRING_ADDR.\n                                      mutex_lock(&vq->mutex);\n                                      vq->log_used = false now!\n                                      mutex_unlock(&vq->mutex);\n\n\t\t\t\t      QEMU gfree(vq->log_base)\n        log_used()\n        -> log_write(vq->log_base)\n\nAssuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix timeout on deleted connection\n\nNOPIN response timer may expire on a deleted connection and crash with\nsuch logs:\n\nDid not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d\n\nBUG: Kernel NULL pointer dereference on read at 0x00000000\nNIP  strlcpy+0x8/0xb0\nLR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod]\nCall Trace:\n iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod]\n call_timer_fn+0x58/0x1f0\n run_timer_softirq+0x740/0x860\n __do_softirq+0x16c/0x420\n irq_exit+0x188/0x1c0\n timer_interrupt+0x184/0x410\n\nThat is because nopin response timer may be re-started on nopin timer\nexpiration.\n\nStop nopin timer before stopping the nopin response timer to be sure\nthat no one of them will be re-started.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nalloc_tag: allocate percpu counters for module tags dynamically\n\nWhen a module gets unloaded it checks whether any of its tags are still in\nuse and if so, we keep the memory containing module's allocation tags\nalive until all tags are unused.  However percpu counters referenced by\nthe tags are freed by free_module().  This will lead to UAF if the memory\nallocated by a module is accessed after module was unloaded.\n\nTo fix this we allocate percpu counters for module allocation tags\ndynamically and we keep it alive for tags which are still in use after\nmodule unloading.  This also removes the requirement of a larger\nPERCPU_MODULE_RESERVE when memory allocation profiling is enabled because\npercpu memory for counters does not need to be reserved anymore.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()\n\nIf the 'buf' array received from the user contains an empty string, the\n'length' variable will be zero. Accessing the 'buf' array element with\nindex 'length - 1' will result in a buffer overflow.\n\nAdd a check for an empty string.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix race of buffer access at PCM OSS layer\n\nThe PCM OSS layer tries to clear the buffer with the silence data at\ninitialization (or reconfiguration) of a stream with the explicit call\nof snd_pcm_format_set_silence() with runtime->dma_area.  But this may\nlead to a UAF because the accessed runtime->dma_area might be freed\nconcurrently, as it's performed outside the PCM ops.\n\nFor avoiding it, move the code into the PCM core and perform it inside\nthe buffer access lock, so that it won't be changed during the\noperation.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. However, it is also freed in af_alg_release,\nleading to slab-use-after-free error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Increase block_sequence array size\n\n[Why]\nIt's possible to generate more than 50 steps in hwss_build_fast_sequence,\nfor example with a 6-pipe asic where all pipes are in one MPC chain. This\noverflows the block_sequence buffer and corrupts block_sequence_steps,\ncausing a crash.\n\n[How]\nExpand block_sequence to 100 items. A naive upper bound on the possible\nnumber of steps for a 6-pipe asic, ignoring the potential for steps to be\nmutually exclusive, is 91 with current code, therefore 100 is sufficient.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi-rockchip: Fix register out of bounds access\n\nDo not write native chip select stuff for GPIO chip selects.\nGPIOs can be numbered much higher than native CS.\nAlso, it makes no sense.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix potential out-of-bound write\n\nIf the caller wrote more characters, count is truncated to the max\navailable space in \"simple_write_to_buffer\". Check that the input\nsize does not exceed the buffer size. Write a zero termination\nafterwards.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: prio: fix a race in prio_tune()\n\nGerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops->may_split().  This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens.  At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n    - mmap lock (exclusively)\n    - VMA lock\n    - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n   call us with only the mmap lock held (in shared mode), but currently\n   only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: v2]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process.  While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n        if (err == size) {\n                memcpy(data, buf, size);\n        }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n        return (buff[0] | buff[1] << 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix use-after-free in taprio_dev_notifier\n\nSince taprio\u2019s taprio_dev_notifier() isn\u2019t protected by an\nRCU read-side critical section, a race with advance_sched()\ncan lead to a use-after-free.\n\nAdding rcu_read_lock() inside taprio_dev_notifier() prevents this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap\n\nmemtrace mmap issue has an out of bounds issue. This patch fixes the by\nchecking that the requested mapping region size should stay within the\nallocated region size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: handle SVC_GARBAGE during svc auth processing as auth error\n\ntianshuo han reported a remotely-triggerable crash if the client sends a\nkernel RPC server a specially crafted packet. If decoding the RPC reply\nfails in such a way that SVC_GARBAGE is returned without setting the\nrq_accept_statp pointer, then that pointer can be dereferenced and a\nvalue stored there.\n\nIf it's the first time the thread has processed an RPC, then that\npointer will be set to NULL and the kernel will crash. In other cases,\nit could create a memory scribble.\n\nThe server sunrpc code treats a SVC_GARBAGE return from svc_authenticate\nor pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531\nsays that if authentication fails that the RPC should be rejected\ninstead with a status of AUTH_ERR.\n\nHandle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of\nAUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This\nsidesteps the whole problem of touching the rpc_accept_statp pointer in\nthis situation and avoids the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/rapidio/rio_cm.c: prevent possible heap overwrite\n\nIn\n\nriocm_cdev_ioctl(RIO_CM_CHAN_SEND)\n   -> cm_chan_msg_send()\n      -> riocm_ch_send()\n\ncm_chan_msg_send() checks that userspace didn't send too much data but\nriocm_ch_send() failed to check that userspace sent sufficient data.  The\nresult is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr\nwhich were outside the bounds of the space which cm_chan_msg_send()\nallocated.\n\nAddress this by teaching riocm_ch_send() to check that the entire\nrio_ch_chan_hdr was copied in from userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: check stream id dml21 wrapper to get plane_id\n\n[Why & How]\nFix a false positive warning which occurs due to lack of correct checks\nwhen querying plane_id in DML21. This fixes the warning when performing a\nmode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):\n\n[   35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[   35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi\n[   35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G           OE      6.11.0-21-generic #21~24.04.1-Ubuntu\n[   35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[   35.751505] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024\n[   35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu]\n[   35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[   35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87\n[   35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246\n[   35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000\n[   35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[   35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000\n[   35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000\n[   35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000\n[   35.751803] FS:  0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000\n[   35.751804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0\n[   35.751806] PKRU: 55555554\n[   35.751807] Call Trace:\n[   35.751810]  <TASK>\n[   35.751816]  ? show_regs+0x6c/0x80\n[   35.751820]  ? __warn+0x88/0x140\n[   35.751822]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[   35.751964]  ? report_bug+0x182/0x1b0\n[   35.751969]  ? handle_bug+0x6e/0xb0\n[   35.751972]  ? exc_invalid_op+0x18/0x80\n[   35.751974]  ? asm_exc_invalid_op+0x1b/0x20\n[   35.751978]  ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[   35.752117]  ? math_pow+0x48/0xa0 [amdgpu]\n[   35.752256]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   35.752260]  ? math_pow+0x48/0xa0 [amdgpu]\n[   35.752400]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   35.752403]  ? math_pow+0x11/0xa0 [amdgpu]\n[   35.752524]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   35.752526]  ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu]\n[   35.752663]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   35.752669]  dml21_validate+0x3d4/0x980 [amdgpu]\n\n(cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use list_first_entry_or_null for opinfo_get_list()\n\nThe list_first_entry() macro never returns NULL.  If the list is\nempty then it returns an invalid pointer.  Use list_first_entry_or_null()\nto check if the list is empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.10"
        },
        {
          "id": "CVE-2025-38093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: x1e80100: Add GPU cooling\n\nUnlike the CPU, the GPU does not throttle its speed automatically when it\nreaches high temperatures. With certain high GPU loads it is possible to\nreach the critical hardware shutdown temperature of 120\u00b0C, endangering the\nhardware and making it impossible to run certain applications.\n\nSet up GPU cooling similar to the ACPI tables, by throttling the GPU speed\nwhen reaching 95\u00b0C and polling every 200ms.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cadence: macb: Fix a possible deadlock in macb_halt_tx.\n\nThere is a situation where after THALT is set high, TGO stays high as\nwell. Because jiffies are never updated, as we are in a context with\ninterrupts disabled, we never exit that loop and have a deadlock.\n\nThat deadlock was noticed on a sama5d4 device that stayed locked for days.\n\nUse retries instead of jiffies so that the timeout really works and we do\nnot have a deadlock anymore.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: insert memory barrier before updating num_fences\n\nsmp_store_mb() inserts memory barrier after storing operation.\nIt is different with what the comment is originally aiming so Null\npointer dereference can be happened if memory update is reordered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: don't warn when if there is a FW error\n\niwl_trans_reclaim is warning if it is called when the FW is not alive.\nBut if it is called when there is a pending restart, i.e. after a FW\nerror, there is no need to warn, instead - return silently.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: remove encap socket caching to avoid reference leak\n\nThe current scheme for caching the encap socket can lead to reference\nleaks when we try to delete the netns.\n\nThe reference chain is: xfrm_state -> enacp_sk -> netns\n\nSince the encap socket is a userspace socket, it holds a reference on\nthe netns. If we delete the espintcp state (through flush or\nindividual delete) before removing the netns, the reference on the\nsocket is dropped and the netns is correctly deleted. Otherwise, the\nnetns may not be reachable anymore (if all processes within the ns\nhave terminated), so we cannot delete the xfrm state to drop its\nreference on the socket.\n\nThis patch results in a small (~2% in my tests) performance\nregression.\n\nA GC-type mechanism could be added for the socket cache, to clear\nreferences if the state hasn't been used \"recently\", but it's a lot\nmore complex than just not caching the socket.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink\n\nDon't try to operate on a drm_wb_connector as an amdgpu_dm_connector.\nWhile dereferencing aconnector->base will \"work\" it's wrong and\nmight lead to unknown bad things. Just... don't.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken\n\nA SCO connection without the proper voice_setting can cause\nthe controller to lock up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14.9"
        },
        {
          "id": "CVE-2025-38100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/iopl: Cure TIF_IO_BITMAP inconsistencies\n\nio_bitmap_exit() is invoked from exit_thread() when a task exits or\nwhen a fork fails. In the latter case the exit_thread() cleans up\nresources which were allocated during fork().\n\nio_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up\nin tss_update_io_bitmap(). tss_update_io_bitmap() operates on the\ncurrent task. If current has TIF_IO_BITMAP set, but no bitmap installed,\ntss_update_io_bitmap() crashes with a NULL pointer dereference.\n\nThere are two issues, which lead to that problem:\n\n  1) io_bitmap_exit() should not invoke task_update_io_bitmap() when\n     the task, which is cleaned up, is not the current task. That's a\n     clear indicator for a cleanup after a failed fork().\n\n  2) A task should not have TIF_IO_BITMAP set and neither a bitmap\n     installed nor IOPL emulation level 3 activated.\n\n     This happens when a kernel thread is created in the context of\n     a user space thread, which has TIF_IO_BITMAP set as the thread\n     flags are copied and the IO bitmap pointer is cleared.\n\n     Other than in the failed fork() case this has no impact because\n     kernel threads including IO workers never return to user space and\n     therefore never invoke tss_update_io_bitmap().\n\nCure this by adding the missing cleanups and checks:\n\n  1) Prevent io_bitmap_exit() from invoking task_update_io_bitmap() if\n     the task to be cleaned up is not the current task.\n\n  2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user\n     space forks it is set later, when the IO bitmap is inherited in\n     io_bitmap_share().\n\nFor paranoia's sake, add a warning into tss_update_io_bitmap() to catch\nthe case, when that code is invoked with inconsistent state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()\n\nEnlarge the critical section in ring_buffer_subbuf_order_set() to\nensure that error handling takes place with per-buffer mutex held,\nthus preventing list corruption and other concurrency-related issues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be triggered in try_grab_folio\nas follows:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n  RIP: 0010:try_grab_folio+0x106/0x130\n  Call Trace:\n   <TASK>\n   follow_huge_pmd+0x240/0x8e0\n   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n   follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n   follow_page_mask+0x1c2/0x1f0\n   __get_user_pages+0x176/0x950\n   __gup_longterm_locked+0x15b/0x1060\n   ? gup_fast+0x120/0x1f0\n   gup_fast_fallback+0x17e/0x230\n   get_user_pages_fast+0x5f/0x80\n   vmci_host_unlocked_ioctl+0x21c/0xf80\n  RIP: 0033:0x54d2cd\n  ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context->notify_page may be initialized by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify, which will try to put_page. However,\nget_user_pages_fast is not finished here, which leads to the following\ntry_grab_folio warning. The race condition is shown as follows:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd  // update &context->notify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context->notify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo solve this, use a local variable page so that notify_page can only be seen\nafter get_user_pages_fast has finished.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV\n\nRLCG Register Access is a way for virtual functions to safely access GPU\nregisters in a virtualized environment, including TLB flushes and\nregister reads. When multiple threads or VFs try to access the same\nregisters simultaneously, it can lead to race conditions. By using the\nRLCG interface, the driver can serialize access to the registers. This\nmeans that only one thread can access the registers at a time,\npreventing conflicts and ensuring that operations are performed\ncorrectly. Additionally, when a low-priority task holds a mutex that a\nhigh-priority task needs, i.e., if a thread holding a spinlock tries to\nacquire a mutex, it can lead to priority inversion. Register access in\namdgpu_virt_rlcg_reg_rw especially in a fast code path is critical.\n\nThe call stack shows that the function amdgpu_virt_rlcg_reg_rw is being\ncalled, which attempts to acquire the mutex. This function is invoked\nfrom amdgpu_sriov_wreg, which in turn is called from\ngmc_v11_0_flush_gpu_tlb.\n\nThe [ BUG: Invalid wait context ] indicates that a thread is trying to\nacquire a mutex while it is in a context that does not allow it to sleep\n(like holding a spinlock).\n\nFixes the below:\n\n[  253.013423] =============================\n[  253.013434] [ BUG: Invalid wait context ]\n[  253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G     U     OE\n[  253.013464] -----------------------------\n[  253.013475] kworker/0:1/10 is trying to lock:\n[  253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.013815] other info that might help us debug this:\n[  253.013827] context-{4:4}\n[  253.013835] 3 locks held by kworker/0:1/10:\n[  253.013847]  #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680\n[  253.013877]  #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680\n[  253.013905]  #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu]\n[  253.014154] stack backtrace:\n[  253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G     U     OE      6.12.0-amdstaging-drm-next-lol-050225 #14\n[  253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[  253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024\n[  253.014224] Workqueue: events work_for_cpu_fn\n[  253.014241] Call Trace:\n[  253.014250]  <TASK>\n[  253.014260]  dump_stack_lvl+0x9b/0xf0\n[  253.014275]  dump_stack+0x10/0x20\n[  253.014287]  __lock_acquire+0xa47/0x2810\n[  253.014303]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014321]  lock_acquire+0xd1/0x300\n[  253.014333]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014562]  ? __lock_acquire+0xa6b/0x2810\n[  253.014578]  __mutex_lock+0x85/0xe20\n[  253.014591]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014782]  ? sched_clock_noinstr+0x9/0x10\n[  253.014795]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014808]  ? local_clock_noinstr+0xe/0xc0\n[  253.014822]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015012]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.015029]  mutex_lock_nested+0x1b/0x30\n[  253.015044]  ? mutex_lock_nested+0x1b/0x30\n[  253.015057]  amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015249]  amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu]\n[  253.015435]  gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu]\n[  253.015667]  gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu]\n[  253.015901]  ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu]\n[  253.016159]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.016173]  ? smu_hw_init+0x18d/0x300 [amdgpu]\n[  253.016403]  amdgpu_device_init+0x29ad/0x36a0 [amdgpu]\n[  253.016614]  amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu]\n[  253.0170\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call.  This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we're at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()\n\nsyzbot reports:\n\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\n\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x53/0x70\n print_report+0xd0/0x670\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? getrusage+0x1109/0x1a60\n kasan_report+0xce/0x100\n ? getrusage+0x1109/0x1a60\n getrusage+0x1109/0x1a60\n ? __pfx_getrusage+0x10/0x10\n __io_uring_show_fdinfo+0x9fe/0x1790\n ? ksys_read+0xf7/0x1c0\n ? do_syscall_64+0xa4/0x260\n ? vsnprintf+0x591/0x1100\n ? __pfx___io_uring_show_fdinfo+0x10/0x10\n ? __pfx_vsnprintf+0x10/0x10\n ? mutex_trylock+0xcf/0x130\n ? __pfx_mutex_trylock+0x10/0x10\n ? __pfx_show_fd_locks+0x10/0x10\n ? io_uring_show_fdinfo+0x57/0x80\n io_uring_show_fdinfo+0x57/0x80\n seq_show+0x38c/0x690\n seq_read_iter+0x3f7/0x1180\n ? inode_set_ctime_current+0x160/0x4b0\n seq_read+0x271/0x3e0\n ? __pfx_seq_read+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __mark_inode_dirty+0x402/0x810\n ? selinux_file_permission+0x368/0x500\n ? file_update_time+0x10f/0x160\n vfs_read+0x177/0xa40\n ? __pfx___handle_mm_fault+0x10/0x10\n ? __pfx_vfs_read+0x10/0x10\n ? mutex_lock+0x81/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ? fdget_pos+0x24d/0x4b0\n ksys_read+0xf7/0x1c0\n ? __pfx_ksys_read+0x10/0x10\n ? do_user_addr_fault+0x43b/0x9c0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nAllocated by task 298:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_node_noprof+0xe8/0x330\n copy_process+0x376/0x5e00\n create_io_thread+0xab/0xf0\n io_sq_offload_create+0x9ed/0xf20\n io_uring_setup+0x12b0/0x1cc0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 22:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0xc4/0x360\n rcu_core+0x5ff/0x19f0\n handle_softirqs+0x18c/0x530\n run_ksoftirqd+0x20/0x30\n smpboot_thread_fn+0x287/0x6c0\n kthread+0x30d/0x630\n ret_from_fork+0xef/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n kasan_record_aux_stack+0x8c/0xa0\n __call_rcu_common.constprop.0+0x68/0x940\n __schedule+0xff2/0x2930\n __cond_resched+0x4c/0x80\n mutex_lock+0x5c/0xe0\n io_uring_del_tctx_node+0xe1/0x2b0\n io_uring_clean_tctx+0xb7/0x160\n io_uring_cancel_generic+0x34e/0x760\n do_exit+0x240/0x2350\n do_group_exit+0xab/0x220\n __x64_sys_exit_group+0x39/0x40\n x64_sys_call+0x1243/0x1840\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe buggy address belongs to the object at ffff88810de2cb00\n which belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\n freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\n\nwhich is caused by the task_struct pointed to by sq->thread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the\nrelease or exit of sq->thread.\n\nFix this by assigning and looking up ->thread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: red: fix a race in __red_change()\n\nGerrard Tai reported a race condition in RED, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n   refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like 'mdio-tools' to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like 'mdio-tools' to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix TOCTOU issue in sk_is_readable()\n\nsk->sk_prot->sock_is_readable is a valid function pointer when sk resides\nin a sockmap. After the last sk_psock_put() (which usually happens when\nsocket is removed from sockmap), sk->sk_prot gets restored and\nsk->sk_prot->sock_is_readable becomes NULL.\n\nThis makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded\nafter the initial check. Which in turn may lead to a null pointer\ndereference.\n\nEnsure the function pointer does not turn NULL after the check.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Fix NULL pointer dereference when nosmp is used\n\nWith nosmp in cmdline, other CPUs are not brought up, leaving\ntheir cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu()\ndereferences these NULL pointers, causing panic.\n\nPanic backtrace:\n\n[    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8\n...\n[    0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4\n...\nKernel panic - not syncing: Attempted to kill init!\n\n[ rjw: New subject ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: Move cancel_work_sync to avoid deadlock\n\nPreviously, e1000_down called cancel_work_sync for the e1000 reset task\n(via e1000_down_and_stop), which takes RTNL.\n\nAs reported by users and syzbot, a deadlock is possible in the following\nscenario:\n\nCPU 0:\n  - RTNL is held\n  - e1000_close\n  - e1000_down\n  - cancel_work_sync (cancel / wait for e1000_reset_task())\n\nCPU 1:\n  - process_one_work\n  - e1000_reset_task\n  - take RTNL\n\nTo remedy this, avoid calling cancel_work_sync from e1000_down\n(e1000_reset_task does nothing if the device is down anyway). Instead,\ncall cancel_work_sync for e1000_reset_task when the device is being\nremoved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: fix a potential crash on gso_skb handling\n\nSFQ has an assumption of always being able to queue at least one packet.\n\nHowever, after the blamed commit, sch->q.len can be inflated by packets\nin sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed\nby an immediate drop.\n\nFix sfq_drop() to properly clear q->tail in this situation.\n\n\nip netns add lb\nip link add dev to-lb type veth peer name in-lb netns lb\nethtool -K to-lb tso off                 # force qdisc to requeue gso_skb\nip netns exec lb ethtool -K in-lb gro on # enable NAPI\nip link set dev to-lb up\nip -netns lb link set dev in-lb up\nip addr add dev to-lb 192.168.20.1/24\nip -netns lb addr add dev in-lb 192.168.20.2/24\ntc qdisc replace dev to-lb root sfq limit 100\n\nip netns exec lb netserver\n\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix uaf in ath12k_core_init()\n\nWhen the execution of ath12k_core_hw_group_assign() or\nath12k_core_hw_group_create() fails, the registered notifier chain is not\nunregistered properly. Its memory is freed after rmmod, which may trigger\nto a use-after-free (UAF) issue if there is a subsequent access to this\nnotifier chain.\n\nFixes the issue by calling ath12k_core_panic_notifier_unregister() in\nfailure cases.\n\nCall trace:\n notifier_chain_register+0x4c/0x1f0 (P)\n atomic_notifier_chain_register+0x38/0x68\n ath12k_core_init+0x50/0x4e8 [ath12k]\n ath12k_pci_probe+0x5f8/0xc28 [ath12k]\n pci_device_probe+0xbc/0x1a8\n really_probe+0xc8/0x3a0\n __driver_probe_device+0x84/0x1b0\n driver_probe_device+0x44/0x130\n __driver_attach+0xcc/0x208\n bus_for_each_dev+0x84/0x100\n driver_attach+0x2c/0x40\n bus_add_driver+0x130/0x260\n driver_register+0x70/0x138\n __pci_register_driver+0x68/0x80\n ath12k_pci_init+0x30/0x68 [ath12k]\n ath12k_init+0x28/0x78 [ath12k]\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Protect mgmt_pending list with its own lock\n\nThis uses a mutex to protect from concurrent access of mgmt_pending\nlist which can cause crashes like:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\nRead of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318\n\nCPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_address_description+0xa8/0x254 mm/kasan/report.c:408\n print_report+0x68/0x84 mm/kasan/report.c:521\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379\n hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\n mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223\n pending_find net/bluetooth/mgmt.c:947 [inline]\n remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445\n hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n sock_write_iter+0x25c/0x378 net/socket.c:1131\n new_sync_write fs/read_write.c:591 [inline]\n vfs_write+0x62c/0x97c fs/read_write.c:684\n ksys_write+0x120/0x210 fs/read_write.c:736\n __do_sys_write fs/read_write.c:747 [inline]\n __se_sys_write fs/read_write.c:744 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:744\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c 
arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 7037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4327 [inline]\n __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198\n sk_alloc+0x44/0x3ac net/core/sock.c:2254\n bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148\n hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202\n bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132\n __sock_create+0x43c/0x91c net/socket.c:1541\n sock_create net/socket.c:1599 [inline]\n __sys_socket_create net/socket.c:1636 [inline]\n __sys_socket+0xd4/0x1c0 net/socket.c:1683\n __do_sys_socket net/socket.c:1697 [inline]\n __se_sys_socket net/socket.c:1695 [inline]\n __arm64_sys_socket+0x7c/0x94 net/socket.c:1695\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nFreed by task 6607:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n 
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete\n\nThis reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to\navoid crashes like bellow:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\nRead of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341\n\nCPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\n hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 5987:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252\n mgmt_pending_add+0x34/0x120 
net/bluetooth/mgmt_util.c:279\n remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x548/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5989:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2380 [inline]\n slab_free mm/slub.c:4642 [inline]\n kfree+0x18e/0x440 mm/slub.c:4841\n mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242\n mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314\n __sys_bind_socket net/socket.c:1810 [inline]\n __sys_bind+0x2c3/0x3e0 net/socket.c:1841\n __do_sys_bind net/socket.c:1846 [inline]\n __se_sys_bind net/socket.c:1844 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1844\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: ufs: Fix a hang in the error handler\n\nufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter\nfunction can only succeed if UFSHCD_EH_IN_PROGRESS is not set because\nresuming involves submitting a SCSI command and ufshcd_queuecommand()\nreturns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this\nhang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has\nbeen called instead of before.\n\nBacktrace:\n__switch_to+0x174/0x338\n__schedule+0x600/0x9e4\nschedule+0x7c/0xe8\nschedule_timeout+0xa4/0x1c8\nio_schedule_timeout+0x48/0x70\nwait_for_common_io+0xa8/0x160 //waiting on START_STOP\nwait_for_completion_io_timeout+0x10/0x20\nblk_execute_rq+0xe4/0x1e4\nscsi_execute_cmd+0x108/0x244\nufshcd_set_dev_pwr_mode+0xe8/0x250\n__ufshcd_wl_resume+0x94/0x354\nufshcd_wl_runtime_resume+0x3c/0x174\nscsi_runtime_resume+0x64/0xa4\nrpm_resume+0x15c/0xa1c\n__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing\nufshcd_err_handler+0x1a0/0xd08\nprocess_one_work+0x174/0x808\nworker_thread+0x15c/0x490\nkthread+0xf4/0x1ec\nret_from_fork+0x10/0x20\n\n[ bvanassche: rewrote patch description ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo_avx2: fix initial map fill\n\nIf the first field doesn't cover the entire start map, then we must zero\nout the remainder, else we leak those bits into the next match round map.\n\nThe early fix was incomplete and did only fix up the generic C\nimplementation.\n\nA followup patch adds a test case to nft_concat_range.sh.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: avoid panic on init failure\n\nIn case of an error during init, in_hw_restart will be set, but it will\nnever get cleared.\nInstead, we will retry to init again, and then we will act like we are in a\nrestart when we are actually not.\n\nThis causes (among others) to a NULL pointer dereference when canceling\nrx_omi::finished_work, that was not even initialized, because we thought\nthat we are in hw_restart.\n\nSet in_hw_restart to true only if the fw is running, then we know that\nFW was loaded successfully and we are not going to the retry loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: add missing NULL check for gve_alloc_pending_packet() in TX DQO\n\ngve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()\ndid not check for this case before dereferencing the returned pointer.\n\nAdd a missing NULL check to prevent a potential NULL pointer\ndereference when allocation fails.\n\nThis improves robustness in low-memory scenarios.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Fix napi rx poll issue\n\nWhen driver handles the napi rx polling requests, the netdev might\nhave been released by the dellink logic triggered by the disconnect\noperation on user plane. However, in the logic of processing skb in\npolling, an invalid netdev is still being used, which causes a panic.\n\nBUG: kernel NULL pointer dereference, address: 00000000000000f1\nOops: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:dev_gro_receive+0x3a/0x620\n[...]\nCall Trace:\n <IRQ>\n ? __die_body+0x68/0xb0\n ? page_fault_oops+0x379/0x3e0\n ? exc_page_fault+0x4f/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]\n ? dev_gro_receive+0x3a/0x620\n napi_gro_receive+0xad/0x170\n t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]\n t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]\n net_rx_action+0x103/0x470\n irq_exit_rcu+0x13a/0x310\n sysvec_apic_timer_interrupt+0x56/0x90\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix udp gso skb_segment after pull from frag_list\n\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don't\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\n\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause exception when splitting skbs by skb_segment. For detailed\ncall stack information, see below.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\n\nIn extreme cases they pull one part of data into skb linear. 
For UDP,\nthis  causes three payloads with lengths of (11,11,10) bytes were\npulled tail to become (12,10,10) bytes.\n\nThe skbs no longer meets the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb, it needs to be linearized before pass\nto regular skb_segment.\n\n    skb_segment+0xcd0/0xd14\n    __udp_gso_segment+0x334/0x5f4\n    udp4_ufo_fragment+0x118/0x15c\n    inet_gso_segment+0x164/0x338\n    skb_mac_gso_segment+0xc4/0x13c\n    __skb_gso_segment+0xc4/0x124\n    validate_xmit_skb+0x9c/0x2c0\n    validate_xmit_skb_list+0x4c/0x80\n    sch_direct_xmit+0x70/0x404\n    __dev_queue_xmit+0x64c/0xe5c\n    neigh_resolve_output+0x178/0x1c4\n    ip_finish_output2+0x37c/0x47c\n    __ip_finish_output+0x194/0x240\n    ip_finish_output+0x20/0xf4\n    ip_output+0x100/0x1a0\n    NF_HOOK+0xc4/0x16c\n    ip_forward+0x314/0x32c\n    ip_rcv+0x90/0x118\n    __netif_receive_skb+0x74/0x124\n    process_backlog+0xe8/0x1a4\n    __napi_poll+0x5c/0x1f8\n    net_rx_action+0x154/0x314\n    handle_softirqs+0x154/0x4b8\n\n    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!\n    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000\n    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)\n    [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring timestamping\n\nThe stmmac platform drivers that do not open-code the clk_ptp_rate value\nafter having retrieved the default one from the device-tree can end up\nwith 0 in clk_ptp_rate (as clk_get_rate can return 0). It will\neventually propagate up to PTP initialization when bringing up the\ninterface, leading to a divide by 0:\n\n Division by zero in kernel.\n CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22\n Hardware name: STM32 (Device Tree Support)\n Call trace:\n  unwind_backtrace from show_stack+0x18/0x1c\n  show_stack from dump_stack_lvl+0x6c/0x8c\n  dump_stack_lvl from Ldiv0_64+0x8/0x18\n  Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4\n  stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c\n  stmmac_hw_setup from __stmmac_open+0x18c/0x434\n  __stmmac_open from stmmac_open+0x3c/0xbc\n  stmmac_open from __dev_open+0xf4/0x1ac\n  __dev_open from __dev_change_flags+0x1cc/0x224\n  __dev_change_flags from dev_change_flags+0x24/0x60\n  dev_change_flags from ip_auto_config+0x2e8/0x11a0\n  ip_auto_config from do_one_initcall+0x84/0x33c\n  do_one_initcall from kernel_init_freeable+0x1b8/0x214\n  kernel_init_freeable from kernel_init+0x24/0x140\n  kernel_init from ret_from_fork+0x14/0x28\n Exception stack(0xe0815fb0 to 0xe0815ff8)\n\nPrevent this division by 0 by adding an explicit check and error log\nabout the actual issue. While at it, remove the same check from\nstmmac_ptp_register, which then becomes duplicate",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Tx scheduler error handling in XDP callback\n\nWhen the XDP program is loaded, the XDP callback adds new Tx queues.\nThis means that the callback must update the Tx scheduler with the new\nqueue number. In the event of a Tx scheduler failure, the XDP callback\nshould also fail and roll back any changes previously made for XDP\npreparation.\n\nThe previous implementation had a bug that not all changes made by the\nXDP callback were rolled back. This caused the crash with the following\ncall trace:\n\n[  +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5\n[  +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI\n[  +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)\n[  +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022\n[  +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]\n\n[...]\n\n[  +0.002715] Call Trace:\n[  +0.002452]  <IRQ>\n[  +0.002021]  ? __die_body.cold+0x19/0x29\n[  +0.003922]  ? die_addr+0x3c/0x60\n[  +0.003319]  ? exc_general_protection+0x17c/0x400\n[  +0.004707]  ? asm_exc_general_protection+0x26/0x30\n[  +0.004879]  ? __ice_update_sample+0x39/0xe0 [ice]\n[  +0.004835]  ice_napi_poll+0x665/0x680 [ice]\n[  +0.004320]  __napi_poll+0x28/0x190\n[  +0.003500]  net_rx_action+0x198/0x360\n[  +0.003752]  ? update_rq_clock+0x39/0x220\n[  +0.004013]  handle_softirqs+0xf1/0x340\n[  +0.003840]  ? 
sched_clock_cpu+0xf/0x1f0\n[  +0.003925]  __irq_exit_rcu+0xc2/0xe0\n[  +0.003665]  common_interrupt+0x85/0xa0\n[  +0.003839]  </IRQ>\n[  +0.002098]  <TASK>\n[  +0.002106]  asm_common_interrupt+0x26/0x40\n[  +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690\n\nFix this by performing the missing unmapping of XDP queues from\nq_vectors and setting the XDP rings pointer back to NULL after all those\nqueues are released.\nAlso, add an immediate exit from the XDP callback in case of ring\npreparation failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: reject malformed HCI_CMD_SYNC commands\n\nIn 'mgmt_hci_cmd_sync()', check whether the size of parameters passed\nin 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data\n(i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes).\nOtherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()'\nto do 'skb_put_data()' from an area beyond the one actually passed to\n'mgmt_hci_cmd_sync()'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38128",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(&r->producer_lock);\n    
WRITE_ONCE(r->queue[r->producer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool->recycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(&r->producer_lock); //pool->ring uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/connector: only call HDMI audio helper plugged cb if non-null\n\nOn driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb\nwith NULL as the callback function and codec_dev, as seen in its\nhdmi_remove function.\n\nThe HDMI audio helper then happily tries calling said null function\npointer, and produces an Oops as a result.\n\nFix this by only executing the callback if fn is non-null. This means\nthe .plugged_cb and .plugged_cb_dev members still get appropriately\ncleared.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivating active config while enabling the config\n\nWhile enabling an active config via cscfg_csdev_enable_active_config(),\nthe active config could be deactivated via configfs' sysfs interface.\nThis could cause a UAF issue in the scenario below:\n\nCPU0                                          CPU1\n(sysfs enable)                                load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev->cscfg_csdev_lock)\n// here load the config activated by CPU1\nunlock(csdev->cscfg_csdev_lock)\n\n                                              deactivate config // sysfs\n                                              (sys_active_cnt == 0)\n                                              cscfg_unload_config_sets()\n                                              unload module\n\n// access to config_desc which was freed\n// while unloading the module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc's active_cnt as a reference count\nwhich will be held when\n    - activating the config.\n    - enabling the activated config.\nand put the module reference when config_active_cnt == 0.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: holding cscfg_csdev_lock while removing cscfg from csdev\n\nThere is a possible race scenario for coresight config:\n\nCPU0                                          CPU1\n(perf enable)                                 load module\n                                              cscfg_load_config_sets()\n                                              activate config. // sysfs\n                                              (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\n  lock(csdev->cscfg_csdev_lock)\n                                              deactivate config // sysfs\n                                              (sys_active_cnt == 0)\n                                              cscfg_unload_config_sets()\n  <iterating config_csdev_list>               cscfg_remove_owned_csdev_configs()\n  // here load the config activated by CPU1\n  unlock(csdev->cscfg_csdev_lock)\n\nIterating config_csdev_list could race with the deletion of a\nconfig_csdev_list entry.\n\nTo resolve this race, hold csdev->cscfg_csdev_lock while calling\ncscfg_remove_owned_csdev_configs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4851: fix ad4858 chan pointer handling\n\nThe pointer returned from ad4851_parse_channels_common() is incremented\ninternally as each channel is populated. In ad4858_parse_channels(),\nthe same pointer was further incremented while setting ext_scan_type\nfields for each channel. This resulted in indio_dev->channels being set\nto a pointer past the end of the allocated array, potentially causing\nmemory corruption or undefined behavior.\n\nFix this by iterating over the channels using an explicit index instead\nof incrementing the pointer. This preserves the original base pointer\nand ensures all channel metadata is set correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()\n\nAs demonstrated by the fix for update_port_device_state,\ncommit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"),\nusb_hub_to_struct_hub() can return NULL in certain scenarios,\nsuch as during hub driver unbind or teardown race conditions,\neven if the underlying usb_device structure exists.\n\nPlus, all other places that call usb_hub_to_struct_hub() in the same file\ndo check for NULL return values.\n\nIf usb_hub_to_struct_hub() returns NULL, the subsequent access to\nhub->ports[udev->portnum - 1] will cause a null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix potential null-ptr-deref in mlb_usio_probe()\n\ndevm_ioremap() can return NULL on error. Currently, mlb_usio_probe()\ndoes not check for this case, which could result in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Reorder clock handling and power management in probe\n\nReorder the initialization sequence in `usbhs_probe()` to enable runtime\nPM before accessing registers, preventing potential crashes due to\nuninitialized clocks.\n\nCurrently, in the probe path, registers are accessed before enabling the\nclocks, leading to a synchronous external abort on the RZ/V2H SoC.\nThe problematic call flow is as follows:\n\n    usbhs_probe()\n        usbhs_sys_clock_ctrl()\n            usbhs_bset()\n                usbhs_write()\n                    iowrite16()  <-- Register access before enabling clocks\n\nSince `iowrite16()` is performed without ensuring the required clocks are\nenabled, this can lead to access errors. To fix this, enable PM runtime\nearly in the probe function and ensure clocks are acquired before register\naccess, preventing crashes like the following on RZ/V2H:\n\n[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\n[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6\n[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98\n[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)\n[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]\n[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]\n[13.321138] sp : ffff8000827e3850\n[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0\n[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025\n[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010\n[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff\n[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce\n[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000\n[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750\n[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c\n[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000\n[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080\n[13.395574] Call trace:\n[13.398013]  usbhs_bset+0x14/0x4c [renesas_usbhs] (P)\n[13.403076]  platform_probe+0x68/0xdc\n[13.406738]  really_probe+0xbc/0x2c0\n[13.410306]  __driver_probe_device+0x78/0x120\n[13.414653]  driver_probe_device+0x3c/0x154\n[13.418825]  __driver_attach+0x90/0x1a0\n[13.422647]  bus_for_each_dev+0x7c/0xe0\n[13.426470]  driver_attach+0x24/0x30\n[13.430032]  bus_add_driver+0xe4/0x208\n[13.433766]  driver_register+0x68/0x130\n[13.437587]  __platform_driver_register+0x24/0x30\n[13.442273]  renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]\n[13.448450]  do_one_initcall+0x60/0x1d4\n[13.452276]  do_init_module+0x54/0x1f8\n[13.456014]  load_module+0x1754/0x1c98\n[13.459750]  init_module_from_file+0x88/0xcc\n[13.464004]  __arm64_sys_finit_module+0x1c4/0x328\n[13.468689]  invoke_syscall+0x48/0x104\n[13.472426]  el0_svc_common.constprop.0+0xc0/0xe0\n[13.477113]  do_el0_svc+0x1c/0x28\n[13.480415]  el0_svc+0x30/0xcc\n[13.483460]  el0t_64_sync_handler+0x10c/0x138\n[13.487800]  el0t_64_sync+0x198/0x19c\n[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)\n[13.497522] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/pwrctrl: Cancel outstanding rescan work when unregistering\n\nIt's possible to trigger use-after-free here by:\n\n  (a) forcing rescan_work_func() to take a long time and\n  (b) utilizing a pwrctrl driver that may be unloaded for some reason\n\nCancel outstanding work to ensure it is finished before we allow our data\nstructures to be cleaned up.\n\n[bhelgaas: tidy commit log]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: Add NULL check in udma_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nudma_probe() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix oops in write-retry from mis-resetting the subreq iterator\n\nFix the resetting of the subrequest iterator in netfs_retry_write_stream()\nto use the iterator-reset function as the iterator may have been shortened\nby a previous retry.  In such a case, the amount of data to be written by\nthe subrequest is not \"subreq->len\" but \"subreq->len -\nsubreq->transferred\".\n\nWithout this, KASAN may see an error in iov_iter_revert():\n\n   BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]\n   BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n   Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147\n\n   CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound netfs_write_collection_worker\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:408 [inline]\n    print_report+0xc3/0x670 mm/kasan/report.c:521\n    kasan_report+0xe0/0x110 mm/kasan/report.c:634\n    iov_iter_revert lib/iov_iter.c:633 [inline]\n    iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n    netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]\n    netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231\n    netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]\n    netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374\n    process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238\n    process_scheduled_works kernel/workqueue.c:3319 [inline]\n    worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n    kthread+0x3c2/0x780 kernel/kthread.c:464\n    ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n    </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: limit swapping tables for devices with zone write plugs\n\ndm_revalidate_zones() only allowed new or previously unzoned devices to\ncall blk_revalidate_disk_zones(). If the device was already zoned,\ndisk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones()\nreturned without doing any work. This would make the zoned settings for\nthe device not match the new table. If the device had zone write plug\nresources, it could run into errors like bdev_zone_is_seq() reading\ninvalid memory because disk->conv_zones_bitmap was the wrong size.\n\nIf the device doesn't have any zone write plug resources, calling\nblk_revalidate_disk_zones() will always correctly update the device.  If\nblk_revalidate_disk_zones() fails, it can still overwrite or clear the\ncurrent disk->nr_zones value. In this case, DM must restore the previous\nvalue of disk->nr_zones, so that the zoned settings will continue to\nmatch the previous value that it fell back to.\n\nIf the device already has zone write plug resources,\nblk_revalidate_disk_zones() will not correctly update them, if it is\ncalled for arbitrary zoned device changes.  Since there is not much need\nfor this ability, the easiest solution is to disallow any table reloads\nthat change the zoned settings, for devices that already have zone plug\nresources.  Specifically, if a device already has zone plug resources\nallocated, it can only switch to another zoned table that also emulates\nzone append.  Also, it cannot change the device size or the zone size. A\ndevice can switch to an error target.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix dm_blk_report_zones\n\nIf dm_get_live_table() returned NULL, dm_put_live_table() was never\ncalled. Also, it is possible that md->zone_revalidate_map will change\nwhile calling this function. Only read it once, so that we are always\nusing the same value. Otherwise we might miss a call to\ndm_put_live_table().\n\nFinally, while md->zone_revalidate_map is set and a process is calling\nblk_revalidate_disk_zones() to set up the zone append emulation\nresources, it is possible that another process, perhaps triggered by\nblkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If\nblk_revalidate_disk_zones() fails, these resources can be freed while\nthe other process is still using them, causing a use-after-free error.\n\nblk_revalidate_disk_zones() will only ever be called when initially\nsetting up the zone append emulation resources, such as when setting up\na zoned dm-crypt table for the first time. Further table swaps will not\nset md->zone_revalidate_map or call blk_revalidate_disk_zones().\nHowever it must be called using the new table (referenced by\nmd->zone_revalidate_map) and the new queue limits while the DM device is\nsuspended. dm_blk_report_zones() needs some way to distinguish between a\ncall from blk_revalidate_disk_zones(), which must be allowed to use\nmd->zone_revalidate_map to access this not yet activated table, and all\nother calls to dm_blk_report_zones(), which should not be allowed while\nthe device is suspended and cannot use md->zone_revalidate_map, since\nthe zone resources might be freed by the process currently calling\nblk_revalidate_disk_zones().\n\nSolve this by tracking the process that sets md->zone_revalidate_map in\ndm_revalidate_zones() and only allowing that process to make use of it\nin dm_blk_report_zones().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) check sensor index in read_string()\n\nPrevent a potential invalid memory access when the requested sensor\nis not found.\n\nfind_ec_sensor_index() may return a negative value (e.g. -ENOENT),\nbut its result was used without checking, which could lead to\nundefined behavior when passed to get_sensor_info().\n\nAdd a proper check to return -EINVAL if sensor_index is negative.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[groeck: Return error code returned from find_ec_sensor_index]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: pm8941: Add NULL check in wled_configure()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nwled_configure() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()\n\ndevm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38144",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\naspeed_lpc_enable_snoop() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.\n\n[arj: Fix Fixes: tag to use subject from 3772e5da4454]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix the dead loop of MPLS parse\n\nAn unexpected MPLS packet may not end with the bottom label stack.\nWhen there are many stacks, the label count value wraps around.\nA dead loop occurs, and finally a soft lockup/CPU stuck.\n\nstack backtrace:\nUBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26\nindex -1 is out of range for type '__be32 [3]'\nCPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE   5.15.0-121-generic #131-Ubuntu\nHardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021\nCall Trace:\n <IRQ>\n show_stack+0x52/0x5c\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n key_extract_l3l4+0x82a/0x840 [openvswitch]\n ? kfree_skbmem+0x52/0xa0\n key_extract+0x9c/0x2b0 [openvswitch]\n ovs_flow_key_extract+0x124/0x350 [openvswitch]\n ovs_vport_receive+0x61/0xd0 [openvswitch]\n ? kernel_init_free_pages.part.0+0x4a/0x70\n ? get_page_from_freelist+0x353/0x540\n netdev_port_receive+0xc4/0x180 [openvswitch]\n ? netdev_port_receive+0x180/0x180 [openvswitch]\n netdev_frame_hook+0x1f/0x40 [openvswitch]\n __netif_receive_skb_core.constprop.0+0x23a/0xf00\n __netif_receive_skb_list_core+0xfa/0x240\n netif_receive_skb_list_internal+0x18e/0x2a0\n napi_complete_done+0x7a/0x1c0\n bnxt_poll+0x155/0x1c0 [bnxt_en]\n __napi_poll+0x30/0x180\n net_rx_action+0x126/0x280\n ? bnxt_msix+0x67/0x80 [bnxt_en]\n handle_softirqs+0xda/0x2d0\n irq_exit_rcu+0x96/0xc0\n common_interrupt+0x8e/0xa0\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Don't call calipso functions for AF_INET sk.\n\nsyzkaller reported a null-ptr-deref in txopt_get(). [0]\n\nThe offset 0x70 was that of struct ipv6_txoptions in struct ipv6_pinfo,\nso struct ipv6_pinfo was NULL there.\n\nHowever, this never happens for IPv6 sockets as inet_sk(sk)->pinet6\nis always set in inet6_create(), meaning the socket was not an IPv6 one.\n\nThe root cause is missing validation in netlbl_conn_setattr().\n\nnetlbl_conn_setattr() switches branches based on struct\nsockaddr.sa_family, which is passed from userspace.  However,\nnetlbl_conn_setattr() does not check if the address family matches\nthe socket.\n\nsyzkaller must have called connect() for an IPv6 address on\nan IPv4 socket.\n\nWe have proper validation in tcp_v[46]_connect(), but\nsecurity_socket_connect() is called at an earlier stage.\n\nLet's copy the validation to netlbl_conn_setattr().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:txopt_get include/net/ipv6.h:390 [inline]\nRIP: 0010:\nCode: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00\nRSP: 0018:ffff88811b8afc48 EFLAGS: 00010212\nRAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c\nRDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070\nRBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e\nR10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00\nR13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80\nFS:  00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n <TASK>\n calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557\n netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177\n selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569\n selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]\n selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615\n selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931\n security_socket_connect+0x50/0xa0 security/security.c:4598\n __sys_connect_file+0xa4/0x190 net/socket.c:2067\n __sys_connect+0x12c/0x170 net/socket.c:2088\n __do_sys_connect net/socket.c:2098 [inline]\n __se_sys_connect net/socket.c:2095 [inline]\n __x64_sys_connect+0x73/0xb0 net/socket.c:2095\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f901b61a12d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d\nRDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003\nRBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000\n </TASK>\nModules linked in:",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: mscc: Fix memory leak when using one step timestamping\n\nFix a memory leak when running one-step timestamping. When running\none-step sync timestamping, the HW is configured to insert the TX time\ninto the frame, so there is no reason to keep the skb anymore. As in\nthis case the HW will never generate an interrupt to say that the frame\nwas timestamped, the frame will never be released.\nFix this by freeing the frame in case of one-step timestamping.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: clear phydev->devlink when the link is deleted\n\nThere is a potential crash issue when disabling and re-enabling the\nnetwork port. When disabling the network port, phy_detach() calls\ndevice_link_del() to remove the device link, but it does not clear\nphydev->devlink, so phydev->devlink is not a NULL pointer. Then the\nnetwork port is re-enabled, but if phy_attach_direct() fails before\ncalling device_link_add(), the code jumps to the \"error\" label and\ncalls phy_detach(). Since phydev->devlink retains the old value from\nthe previous attach/detach cycle, device_link_del() uses the old value,\nwhich accesses a NULL pointer and causes a crash. The simplified crash\nlog is as follows.\n\n[   24.702421] Call trace:\n[   24.704856]  device_link_put_kref+0x20/0x120\n[   24.709124]  device_link_del+0x30/0x48\n[   24.712864]  phy_detach+0x24/0x168\n[   24.716261]  phy_attach_direct+0x168/0x3a4\n[   24.720352]  phylink_fwnode_phy_connect+0xc8/0x14c\n[   24.725140]  phylink_of_phy_connect+0x1c/0x34\n\nTherefore, phydev->devlink needs to be cleared when the device link is\ndeleted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: move notifier's packet_dev_mc out of rcu critical section\n\nSyzkaller reports the following issue:\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578\n __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746\n team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781\n dev_change_rx_flags net/core/dev.c:9145 [inline]\n __dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189\n netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201\n dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 packet_dev_mc net/packet/af_packet.c:3698 [inline]\n packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline]\n packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]\n call_netdevice_notifiers net/core/dev.c:2228 [inline]\n unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972\n rtnl_delete_link net/core/rtnetlink.c:3522 [inline]\n rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564\n rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955\n netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534\n\nCalling `PACKET_ADD_MEMBERSHIP` on an ops-locked device can trigger\nthe `NETDEV_UNREGISTER` notifier, which may require disabling promiscuous\nand/or allmulti mode. Both of these operations require acquiring\nthe netdev instance lock.\n\nMove the call to `packet_dev_mc` outside of the RCU critical section.\nThe `mclist` modifications (add, del, flush, unregister) are protected by\nthe RTNL, not the RCU. The RCU only protects the `sklist` and its\nassociated `sks`. The delayed operation on the `mclist` entry remains\nwithin the RTNL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix hang when cma_netevent_callback fails to queue_work\n\nThe cited commit fixed a crash when cma_netevent_callback was called for\na cma_id while work on that id from a previous call had not yet started.\nThe work item was re-initialized in the second call, which corrupted the\nwork item currently in the work queue.\n\nHowever, it left a problem when queue_work fails (because the item is\nstill pending in the work queue from a previous call). In this case,\ncma_id_put (which is called in the work handler) is therefore not\ncalled. This results in a userspace process hang (zombie process).\n\nFix this by calling cma_id_put() if queue_work fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Clear table_sz when rproc_shutdown\n\nThere is case as below could trigger kernel dump:\nUse U-Boot to start remote processor(rproc) with resource table\npublished to a fixed address by rproc. After Kernel boots up,\nstop the rproc, load a new firmware which doesn't have resource table\n,and start rproc.\n\nWhen starting rproc with a firmware not have resource table,\n`memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will\ntrigger dump, because rproc->cache_table is set to NULL during the last\nstop operation, but rproc->table_sz is still valid.\n\nThis issue is found on i.MX8MP and i.MX9.\n\nDump as below:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000\n[0000000000000000] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in:\nCPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38\nHardware name: NXP i.MX8MPlus EVK board (DT)\npstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __pi_memcpy_generic+0x110/0x22c\nlr : rproc_start+0x88/0x1e0\nCall trace:\n __pi_memcpy_generic+0x110/0x22c (P)\n rproc_boot+0x198/0x57c\n state_store+0x40/0x104\n dev_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x120/0x1cc\n vfs_write+0x240/0x378\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x30/0xcc\n el0t_64_sync_handler+0x10c/0x138\n el0t_64_sync+0x198/0x19c\n\nClear rproc->table_sz to address the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: fix error handling of usbnet read calls\n\nSyzkaller, courtesy of syzbot, identified an error (see report [1]) in\naqc111 driver, caused by incomplete sanitation of usb read calls'\nresults. This problem is quite similar to the one fixed in commit\n920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").\n\nFor instance, usbnet_read_cmd() may read fewer than 'size' bytes,\neven if the caller expected the full amount, and aqc111_read_cmd()\nwill not check its result properly. As [1] shows, this may lead\nto MAC address in aqc111_bind() being only partly initialized,\ntriggering KMSAN warnings.\n\nFix the issue by verifying that the number of bytes read is\nas expected and not less.\n\n[1] Partial syzbot report:\nBUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\nBUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\n usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n really_probe+0x4d1/0xd90 drivers/base/dd.c:658\n __driver_probe_device+0x268/0x380 drivers/base/dd.c:800\n...\n\nUninit was stored to memory at:\n dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582\n __dev_addr_set include/linux/netdevice.h:4874 [inline]\n eth_hw_addr_set include/linux/etherdevice.h:325 [inline]\n aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n...\n\nUninit was stored to memory at:\n ether_addr_copy include/linux/etherdevice.h:305 [inline]\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]\n aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n...\n\nLocal variable buf.i created at:\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]\n aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk->sk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n'''\nCPU0                               CPU1\n\nbacklog::skb_send_sock\n  sendmsg_unlocked\n    sock_sendmsg\n      sock_sendmsg_nosec\n                                   close(fd):\n                                     ...\n                                     ops->release() -> sock_map_close()\n                                     sk_socket->ops = NULL\n                                     free(socket)\n      sock->ops->sendmsg\n            ^\n            panic here\n'''\n\nThe ref of psock become 0 after sock_map_close() executed.\n'''\nvoid sock_map_close()\n{\n    ...\n    if (likely(psock)) {\n    ...\n    // !! here we remove psock and the ref of psock become 0\n    sock_map_remove_links(sk, psock)\n    psock = sk_psock_get(sk);\n    if (unlikely(!psock))\n        goto no_psock; <=== Control jumps here via goto\n        ...\n        cancel_delayed_work_sync(&psock->work); <=== not executed\n        sk_psock_put(sk, psock);\n        ...\n}\n'''\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn't started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n'''\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n <TASK>\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n'''",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7996_mmio_wed_init()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Abort software beacon handling if disabled\n\nA malicious USB device can send a WMI_SWBA_EVENTID event from an\nath9k_htc-managed device before beaconing has been enabled. This causes\na device-by-zero error in the driver, leading to either a crash or an\nout of bounds read.\n\nPrevent this by aborting the handling in ath9k_htc_swba() if beacons are\nnot enabled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: fix XQE dma address error\n\nThe dma addresses of EQE and AEQE are wrong after migration and\nresults in guest kernel-mode encryption services  failure.\nComparing the definition of hardware registers, we found that\nthere was an error when the data read from the register was\ncombined into an address. Therefore, the address combination\nsequence needs to be corrected.\n\nEven after fixing the above problem, we still have an issue\nwhere the Guest from an old kernel can get migrated to\nnew kernel and may result in wrong data.\n\nIn order to ensure that the address is correct after migration,\nif an old magic number is detected, the dma address needs to be\nupdated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since 'para' array is passed to\n'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n    ...\n    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n    ...\n    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error flow upon firmware failure for RQ destruction\n\nUpon RQ destruction if the firmware command fails which is the\nlast resource to be destroyed some SW resources were already cleaned\nregardless of the failure.\n\nNow properly rollback the object to its original state upon such failure.\n\nIn order to avoid a use-after free in case someone tries to destroy the\nobject again, which results in the following kernel trace:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)\nCPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G           OE     -------  ---  6.12.0-54.el10.aarch64 #1\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : refcount_warn_saturate+0xf4/0x148\nlr : refcount_warn_saturate+0xf4/0x148\nsp : ffff80008b81b7e0\nx29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001\nx26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00\nx23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000\nx20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006\nx17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f\nx14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78\nx11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90\nx8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff\nx5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600\nCall trace:\n refcount_warn_saturate+0xf4/0x148\n mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]\n mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]\n mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]\n ib_destroy_wq_user+0x30/0xc0 [ib_core]\n uverbs_free_wq+0x28/0x58 [ib_uverbs]\n destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]\n uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]\n __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]\n ib_uverbs_close+0x2c/0x100 [ib_uverbs]\n __fput+0xd8/0x2f0\n __fput_sync+0x50/0x70\n __arm64_sys_close+0x40/0x90\n invoke_syscall.constprop.0+0x74/0xd0\n do_el0_svc+0x48/0xe8\n el0_svc+0x44/0x1d0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x1a4/0x1a8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: prevent overflow in lookup table allocation\n\nWhen calculating the lookup table size, ensure the following\nmultiplication does not overflow:\n\n- desc->field_len[] maximum value is U8_MAX multiplied by\n  NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.\n- NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case.\n- sizeof(unsigned long), from sizeof(*f->lt), lt in\n  struct nft_pipapo_field.\n\nThen, use check_mul_overflow() to multiply by bucket size and then use\ncheck_add_overflow() to the alignment for avx2 (if needed). Finally, add\nlt_size_check_overflow() helper and use it to consolidate this.\n\nWhile at it, replace leftover allocation using the GFP_KERNEL to\nGFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sbi->total_valid_block_count\n\nsyzbot reported a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/f2fs.h:2521!\nRIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521\nCall Trace:\n f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695\n truncate_dnode+0x417/0x740 fs/f2fs/node.c:973\n truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014\n f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197\n f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888\n f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112\n notify_change+0xbca/0xe90 fs/attr.c:552\n do_truncate+0x222/0x310 fs/open.c:65\n handle_truncate fs/namei.c:3466 [inline]\n do_open fs/namei.c:3849 [inline]\n path_openat+0x2e4f/0x35d0 fs/namei.c:4004\n do_filp_open+0x284/0x4e0 fs/namei.c:4031\n do_sys_openat2+0x12b/0x1d0 fs/open.c:1429\n do_sys_open fs/open.c:1444 [inline]\n __do_sys_creat fs/open.c:1522 [inline]\n __se_sys_creat fs/open.c:1516 [inline]\n __x64_sys_creat+0x124/0x170 fs/open.c:1516\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94\n\nThe reason is: in fuzzed image, sbi->total_valid_block_count is\ninconsistent w/ mapped blocks indexed by inode, so, we should\nnot trigger panic for such case, instead, let's print log and\nset fsck flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: zone: fix to avoid inconsistence in between SIT and SSA\n\nw/ below testcase, it will cause inconsistence in between SIT and SSA.\n\ncreate_null_blk 512 2 1024 1024\nmkfs.f2fs -m /dev/nullb0\nmount /dev/nullb0 /mnt/f2fs/\ntouch /mnt/f2fs/file\nf2fs_io pinfile set /mnt/f2fs/file\nfallocate -l 4GiB /mnt/f2fs/file\n\nF2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT\nCPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O       6.13.0-rc1 #84\nTainted: [O]=OOT_MODULE\nHardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\nCall Trace:\n <TASK>\n dump_stack_lvl+0xb3/0xd0\n dump_stack+0x14/0x20\n f2fs_handle_critical_error+0x18c/0x220 [f2fs]\n f2fs_stop_checkpoint+0x38/0x50 [f2fs]\n do_garbage_collect+0x674/0x6e0 [f2fs]\n f2fs_gc_range+0x12b/0x230 [f2fs]\n f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]\n f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]\n f2fs_fallocate+0x3c3/0x410 [f2fs]\n vfs_fallocate+0x15f/0x4b0\n __x64_sys_fallocate+0x4a/0x80\n x64_sys_call+0x15e8/0x1b80\n do_syscall_64+0x68/0x130\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f9dba5197ca\nF2FS-fs (nullb0): Stopped filesystem due to reason: 4\n\nThe reason is f2fs_gc_range() may try to migrate block in curseg, however,\nits SSA block is not uptodate due to the last summary block data is still\nin cache of curseg.\n\nIn this patch, we add a condition in f2fs_gc_range() to check whether\nsection is opened or not, and skip block migration for opened section.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n'''\n[  657.460555] kernel BUG at net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  <TASK>\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? __kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n'''\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n'''\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'\n       sk_psock_skb_ingress____________\n                                       \u2193\n                                       |\n                                       | \u2192 sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________\u2191          skb_linearize\n'''\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add 'take_ref' param to control it's behavior.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix ktls panic with sockmap\n\n[ 2172.936997] ------------[ cut here ]------------\n[ 2172.936999] kernel BUG at lib/iov_iter.c:629!\n......\n[ 2172.944996] PKRU: 55555554\n[ 2172.945155] Call Trace:\n[ 2172.945299]  <TASK>\n[ 2172.945428]  ? die+0x36/0x90\n[ 2172.945601]  ? do_trap+0xdd/0x100\n[ 2172.945795]  ? iov_iter_revert+0x178/0x180\n[ 2172.946031]  ? iov_iter_revert+0x178/0x180\n[ 2172.946267]  ? do_error_trap+0x7d/0x110\n[ 2172.946499]  ? iov_iter_revert+0x178/0x180\n[ 2172.946736]  ? exc_invalid_op+0x50/0x70\n[ 2172.946961]  ? iov_iter_revert+0x178/0x180\n[ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20\n[ 2172.947446]  ? iov_iter_revert+0x178/0x180\n[ 2172.947683]  ? iov_iter_revert+0x5c/0x180\n[ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840\n[ 2172.948206]  tls_sw_sendmsg+0x52/0x80\n[ 2172.948420]  ? inet_sendmsg+0x1f/0x70\n[ 2172.948634]  __sys_sendto+0x1cd/0x200\n[ 2172.948848]  ? find_held_lock+0x2b/0x80\n[ 2172.949072]  ? syscall_trace_enter+0x140/0x270\n[ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170\n[ 2172.949595]  ? find_held_lock+0x2b/0x80\n[ 2172.949817]  ? syscall_trace_enter+0x140/0x270\n[ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190\n[ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0\n[ 2172.951036]  __x64_sys_sendto+0x24/0x30\n[ 2172.951382]  do_syscall_64+0x90/0x170\n......\n\nAfter calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,\ne.g., when the BPF program executes bpf_msg_push_data().\n\nIf the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,\nit will return -ENOSPC and attempt to roll back to the non-zero copy\nlogic. However, during rollback, msg->msg_iter is reset, but since\nmsg_pl->sg.size has been increased, subsequent executions will exceed the\nactual size of msg_iter.\n'''\niov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);\n'''\n\nThe changes in this commit are based on the following considerations:\n\n1. When cork_bytes is set, rolling back to non-zero copy logic is\npointless and can directly go to zero-copy logic.\n\n2. We can not calculate the correct number of bytes to revert msg_iter.\n\nAssume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes\nby the BPF program, it becomes 11-byte data: \"abc?de?fgh?\".\nThen, we set cork_bytes to 6, which means the first 6 bytes have been\nprocessed, and the remaining 5 bytes \"?fgh?\" will be cached until the\nlength meets the cork_bytes requirement.\n\nHowever, some data in \"?fgh?\" is not within 'sg->msg_iter'\n(but in msg_pl instead), especially the data \"?\" we pushed.\n\nSo it doesn't seem as simple as just reverting through an offset of\nmsg_iter.\n\n3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs,\nthe user-space send() doesn't return an error, and the returned length is\nthe same as the input length parameter, even if some data is cached.\n\nAdditionally, I saw that the current non-zero-copy logic for handling\ncorking is written as:\n'''\nline 1177\nelse if (ret != -EAGAIN) {\n\tif (ret == -ENOSPC)\n\t\tret = 0;\n\tgoto send_end;\n'''\n\nSo it's ok to just return 'copied' without error when a \"cork\" situation\noccurs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle hdr_first_de() return value\n\nThe hdr_first_de() function returns a pointer to a struct NTFS_DE. This\npointer may be NULL. To handle the NULL error effectively, it is important\nto implement an error handler. This will help manage potential errors\nconsistently.\n\nAdditionally, error handling for the return value already exists at other\npoints where this function is called.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm-ni: Unregister PMUs on probe failure\n\nWhen a resource allocation fails in one clock domain of an NI device,\nwe need to properly roll back all previously registered perf PMUs in\nother clock domains of the same device.\n\nOtherwise, it can lead to kernel panics.\n\nCalling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374\narm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000\narm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16\nlist_add corruption: next->prev should be prev (fffffd01e9698a18),\nbut was 0000000000000000. (next=ffff10001a0decc8).\npstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : list_add_valid_or_report+0x7c/0xb8\nlr : list_add_valid_or_report+0x7c/0xb8\nCall trace:\n __list_add_valid_or_report+0x7c/0xb8\n perf_pmu_register+0x22c/0x3a0\n arm_ni_probe+0x554/0x70c [arm_ni]\n platform_probe+0x70/0xe8\n really_probe+0xc6/0x4d8\n driver_probe_device+0x48/0x170\n __driver_attach+0x8e/0x1c0\n bus_for_each_dev+0x64/0xf0\n driver_add+0x138/0x260\n bus_add_driver+0x68/0x138\n __platform_driver_register+0x2c/0x40\n arm_ni_init+0x14/0x2a [arm_ni]\n do_init_module+0x36/0x298\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops - BUG: Fatal exception\nSMP: stopping secondary CPUs",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP\n\nOn system with SME, a thread's kernel FPSIMD state may be erroneously\nclobbered during a context switch immediately after that state is\nrestored. Systems without SME are unaffected.\n\nIf the CPU happens to be in streaming SVE mode before a context switch\nto a thread with kernel FPSIMD state, fpsimd_thread_switch() will\nrestore the kernel FPSIMD state using fpsimd_load_kernel_state() while\nthe CPU is still in streaming SVE mode. When fpsimd_thread_switch()\nsubsequently calls fpsimd_flush_cpu_state(), this will execute an\nSMSTOP, causing an exit from streaming SVE mode. The exit from\nstreaming SVE mode will cause the hardware to reset a number of\nFPSIMD/SVE/SME registers, clobbering the FPSIMD state.\n\nFix this by calling fpsimd_flush_cpu_state() before restoring the kernel\nFPSIMD state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn't generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task->fpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn't generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task->fpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originally posted as [1].\n\n[ Rutland: rewrite commit message ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: max77705: Fix workqueue error handling in probe\n\nThe create_singlethread_workqueue() doesn't return error pointers, it\nreturns NULL.  Also cleanup the workqueue on the error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid using multiple devices with different type\n\nFor multiple devices, both primary and extra devices should be the\nsame type. `erofs_init_device` has already guaranteed that if the\nprimary is a file-backed device, extra devices should also be\nregular files.\n\nHowever, if the primary is a block device while the extra device\nis a file-backed device, `erofs_init_device` will get an ENOTBLK,\nwhich is not treated as an error in `erofs_fc_get_tree`, and that\nleads to a UAF:\n\n  erofs_fc_get_tree\n    get_tree_bdev_flags(erofs_fc_fill_super)\n      erofs_read_superblock\n        erofs_init_device  // sbi->dif0 is not inited yet,\n                           // return -ENOTBLK\n      deactivate_locked_super\n        free(sbi)\n    if (err is -ENOTBLK)\n      sbi->dif0.file = filp_open()  // sbi UAF\n\nSo if -ENOTBLK is hit in `erofs_init_device`, it means the\nprimary device must be a block device, and the extra device\nis not a block device. The error can be converted to -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Do not double dequeue a configuration request\n\nSome of our devices crash in tb_cfg_request_dequeue():\n\n general protection fault, probably for non-canonical address 0xdead000000000122\n\n CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65\n RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0\n Call Trace:\n <TASK>\n ? tb_cfg_request_dequeue+0x2d/0xa0\n tb_cfg_request_work+0x33/0x80\n worker_thread+0x386/0x8f0\n kthread+0xed/0x110\n ret_from_fork+0x38/0x50\n ret_from_fork_asm+0x1b/0x30\n\nThe circumstances are unclear, however, the theory is that\ntb_cfg_request_work() can be scheduled twice for a request:\nfirst time via frame.callback from ring_work() and second\ntime from tb_cfg_request().  Both times kworkers will execute\ntb_cfg_request_dequeue(), which results in double list_del()\nfrom the ctl->request_queue (the list poison dereference hints\nat it: 0xdead000000000122).\n\nDo not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE\nbit set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix yet another UAF in binder_devices\n\nCommit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\")\naddressed a use-after-free where devices could be released without first\nbeing removed from the binder_devices list. However, there is a similar\npath in binder_free_proc() that was missed:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100\n  Write of size 8 at addr ffff0000c773b900 by task umount/467\n  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   binder_remove_device+0xd4/0x100\n   binderfs_evict_inode+0x230/0x2f0\n   evict+0x25c/0x5dc\n   iput+0x304/0x480\n   dentry_unlink_inode+0x208/0x46c\n   __dentry_kill+0x154/0x530\n   [...]\n\n  Allocated by task 463:\n   __kmalloc_cache_noprof+0x13c/0x324\n   binderfs_binder_device_create.isra.0+0x138/0xa60\n   binder_ctl_ioctl+0x1ac/0x230\n  [...]\n\n  Freed by task 215:\n   kfree+0x184/0x31c\n   binder_proc_dec_tmpref+0x33c/0x4ac\n   binder_deferred_func+0xc10/0x1108\n   process_one_work+0x520/0xba4\n  [...]\n  ==================================================================\n\nCall binder_remove_device() within binder_free_proc() to ensure the\ndevice is removed from the binder_devices list before being kfreed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in binderfs_evict_inode()\n\nRunning 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled\nkernel, I've noticed the following:\n\nBUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0\nWrite of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699\n\nCPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x1c2/0x2a0\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n print_report+0x155/0x840\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n ? __phys_addr+0xba/0x170\n ? binderfs_evict_inode+0x1de/0x2d0\n kasan_report+0x147/0x180\n ? binderfs_evict_inode+0x1de/0x2d0\n binderfs_evict_inode+0x1de/0x2d0\n ? __pfx_binderfs_evict_inode+0x10/0x10\n evict+0x524/0x9f0\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_evict+0x10/0x10\n ? do_raw_spin_unlock+0x4d/0x210\n ? _raw_spin_unlock+0x28/0x50\n ? iput+0x697/0x9b0\n __dentry_kill+0x209/0x660\n ? shrink_kill+0x8d/0x2c0\n shrink_kill+0xa9/0x2c0\n shrink_dentry_list+0x2e0/0x5e0\n shrink_dcache_parent+0xa2/0x2c0\n ? __pfx_shrink_dcache_parent+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n do_one_tree+0x23/0xe0\n shrink_dcache_for_umount+0xa0/0x170\n generic_shutdown_super+0x67/0x390\n kill_litter_super+0x76/0xb0\n binderfs_kill_super+0x44/0x90\n deactivate_locked_super+0xb9/0x130\n cleanup_mnt+0x422/0x4c0\n ? lockdep_hardirqs_on+0x9d/0x150\n task_work_run+0x1d2/0x260\n ? __pfx_task_work_run+0x10/0x10\n resume_user_mode_work+0x52/0x60\n syscall_exit_to_user_mode+0x9a/0x120\n do_syscall_64+0x103/0x210\n ? asm_sysvec_apic_timer_interrupt+0x1a/0x20\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0xcac57b\nCode: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8\nRSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\nRAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850\nRBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff\nR10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718\nR13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830\n </TASK>\n\nAllocated by task 1705:\n kasan_save_track+0x3e/0x80\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc_cache_noprof+0x213/0x3e0\n binderfs_binder_device_create+0x183/0xa80\n binder_ctl_ioctl+0x138/0x190\n __x64_sys_ioctl+0x120/0x1b0\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 1705:\n kasan_save_track+0x3e/0x80\n kasan_save_free_info+0x46/0x50\n __kasan_slab_free+0x62/0x70\n kfree+0x194/0x440\n evict+0x524/0x9f0\n do_unlinkat+0x390/0x5b0\n __x64_sys_unlink+0x47/0x50\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis 'stress-ng' workload causes the concurrent deletions from\n'binder_devices' and so requires full-featured synchronization\nto prevent list corruption.\n\nI've found this issue independently but pretty sure that syzbot did\nthe same, so Reported-by: and Closes: should be applicable here as well.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: make hfsc_qlen_notify() idempotent\n\nhfsc_qlen_notify() is not idempotent either and not friendly\nto its callers, like fq_codel_dequeue(). Let's make it idempotent\nto ease qdisc_tree_reduce_backlog() callers' life:\n\n1. update_vf() decreases cl->cl_nactive, so we can check whether it is\nnon-zero before calling it.\n\n2. eltree_remove() always removes RB node cl->el_node, but we can use\n   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()\n\nThis fixes the following problem:\n\n[  749.901015] [   T8673] run fstests cifs/001 at 2025-06-17 09:40:30\n[  750.346409] [   T9870] ==================================================================\n[  750.346814] [   T9870] BUG: KASAN: slab-out-of-bounds in smb_set_sge+0x2cc/0x3b0 [cifs]\n[  750.347330] [   T9870] Write of size 8 at addr ffff888011082890 by task xfs_io/9870\n[  750.347705] [   T9870]\n[  750.348077] [   T9870] CPU: 0 UID: 0 PID: 9870 Comm: xfs_io Kdump: loaded Not tainted 6.16.0-rc2-metze.02+ #1 PREEMPT(voluntary)\n[  750.348082] [   T9870] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\n[  750.348085] [   T9870] Call Trace:\n[  750.348086] [   T9870]  <TASK>\n[  750.348088] [   T9870]  dump_stack_lvl+0x76/0xa0\n[  750.348106] [   T9870]  print_report+0xd1/0x640\n[  750.348116] [   T9870]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  750.348120] [   T9870]  ? kasan_complete_mode_report_info+0x26/0x210\n[  750.348124] [   T9870]  kasan_report+0xe7/0x130\n[  750.348128] [   T9870]  ? smb_set_sge+0x2cc/0x3b0 [cifs]\n[  750.348262] [   T9870]  ? smb_set_sge+0x2cc/0x3b0 [cifs]\n[  750.348377] [   T9870]  __asan_report_store8_noabort+0x17/0x30\n[  750.348381] [   T9870]  smb_set_sge+0x2cc/0x3b0 [cifs]\n[  750.348496] [   T9870]  smbd_post_send_iter+0x1990/0x3070 [cifs]\n[  750.348625] [   T9870]  ? __pfx_smbd_post_send_iter+0x10/0x10 [cifs]\n[  750.348741] [   T9870]  ? update_stack_state+0x2a0/0x670\n[  750.348749] [   T9870]  ? cifs_flush+0x153/0x320 [cifs]\n[  750.348870] [   T9870]  ? cifs_flush+0x153/0x320 [cifs]\n[  750.348990] [   T9870]  ? update_stack_state+0x2a0/0x670\n[  750.348995] [   T9870]  smbd_send+0x58c/0x9c0 [cifs]\n[  750.349117] [   T9870]  ? __pfx_smbd_send+0x10/0x10 [cifs]\n[  750.349231] [   T9870]  ? unwind_get_return_address+0x65/0xb0\n[  750.349235] [   T9870]  ? __pfx_stack_trace_consume_entry+0x10/0x10\n[  750.349242] [   T9870]  ? arch_stack_walk+0xa7/0x100\n[  750.349250] [   T9870]  ? stack_trace_save+0x92/0xd0\n[  750.349254] [   T9870]  __smb_send_rqst+0x931/0xec0 [cifs]\n[  750.349374] [   T9870]  ? kernel_text_address+0x173/0x190\n[  750.349379] [   T9870]  ? kasan_save_stack+0x39/0x70\n[  750.349382] [   T9870]  ? kasan_save_track+0x18/0x70\n[  750.349385] [   T9870]  ? __kasan_slab_alloc+0x9d/0xa0\n[  750.349389] [   T9870]  ? __pfx___smb_send_rqst+0x10/0x10 [cifs]\n[  750.349508] [   T9870]  ? smb2_mid_entry_alloc+0xb4/0x7e0 [cifs]\n[  750.349626] [   T9870]  ? cifs_call_async+0x277/0xb00 [cifs]\n[  750.349746] [   T9870]  ? cifs_issue_write+0x256/0x610 [cifs]\n[  750.349867] [   T9870]  ? netfs_do_issue_write+0xc2/0x340 [netfs]\n[  750.349900] [   T9870]  ? netfs_advance_write+0x45b/0x1270 [netfs]\n[  750.349929] [   T9870]  ? netfs_write_folio+0xd6c/0x1be0 [netfs]\n[  750.349958] [   T9870]  ? netfs_writepages+0x2e9/0xa80 [netfs]\n[  750.349987] [   T9870]  ? do_writepages+0x21f/0x590\n[  750.349993] [   T9870]  ? filemap_fdatawrite_wbc+0xe1/0x140\n[  750.349997] [   T9870]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  750.350002] [   T9870]  smb_send_rqst+0x22e/0x2f0 [cifs]\n[  750.350131] [   T9870]  ? __pfx_smb_send_rqst+0x10/0x10 [cifs]\n[  750.350255] [   T9870]  ? local_clock_noinstr+0xe/0xd0\n[  750.350261] [   T9870]  ? kasan_save_alloc_info+0x37/0x60\n[  750.350268] [   T9870]  ? __kasan_check_write+0x14/0x30\n[  750.350271] [   T9870]  ? _raw_spin_lock+0x81/0xf0\n[  750.350275] [   T9870]  ? __pfx__raw_spin_lock+0x10/0x10\n[  750.350278] [   T9870]  ? smb2_setup_async_request+0x293/0x580 [cifs]\n[  750.350398] [   T9870]  cifs_call_async+0x477/0xb00 [cifs]\n[  750.350518] [   T9870]  ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]\n[  750.350636] [   T9870]  ? __pfx_cifs_call_async+0x10/0x10 [cifs]\n[  750.350756] [   T9870]  ? __pfx__raw_spin_lock+0x10/0x10\n[  750.350760] [   T9870]  ? __kasan_check_write+0x14/0x30\n[  750.350763] [   T98\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix /proc/net/atm/lec handling\n\n/proc/net/atm/lec must ensure safety against dev_lec[] changes.\n\nIt appears it had dev_put() calls without prior dev_hold(),\nleading to imbalance and UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Fix null-ptr-deref in calipso_req_{set,del}attr().\n\nsyzkaller reported a null-ptr-deref in sock_omalloc() while allocating\na CALIPSO option.  [0]\n\nThe NULL is of struct sock, which was fetched by sk_to_full_sk() in\ncalipso_req_setattr().\n\nSince commit a1a5344ddbe8 (\"tcp: avoid two atomic ops for syncookies\"),\nreqsk->rsk_listener could be NULL when SYN Cookie is returned to its\nclient, as hinted by the leading SYN Cookie log.\n\nHere are 3 options to fix the bug:\n\n  1) Return 0 in calipso_req_setattr()\n  2) Return an error in calipso_req_setattr()\n  3) Always set rsk_listener\n\n1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie\nfor CALIPSO.  3) is also no go as there have been many efforts to reduce\natomic ops and make TCP robust against DDoS.  See also commit 3b24d854cb35\n(\"tcp/dccp: do not touch listener sk_refcnt under synflood\").\n\nAs of the blamed commit, SYN Cookie already did not need refcounting,\nand no one has stumbled on the bug for 9 years, so no CALIPSO user will\ncare about SYN Cookie.\n\nLet's return an error in calipso_req_setattr() and calipso_req_delattr()\nin the SYN Cookie case.\n\nThis can be reproduced by [1] on Fedora and now connect() of nc times out.\n\n[0]:\nTCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]\nRIP: 0010:sock_net include/net/sock.h:655 [inline]\nRIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806\nCode: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b\nRSP: 0018:ffff88811af89038 EFLAGS: 00010216\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400\nRDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030\nRBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e\nR10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000\nR13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050\nFS:  00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n <IRQ>\n ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288\n calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204\n calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597\n netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249\n selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342\n selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551\n security_inet_conn_request+0x50/0xa0 security/security.c:4945\n tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825\n tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275\n tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328\n tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781\n tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667\n tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904\n ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436\n ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491\n dst_input include/net/dst.h:469 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netf\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: sanitize the arguments from userspace when adding a device\n\nSanity check the values for queue depth and number of queues\nwe get from userspace when adding a device.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()\n\nBefore calling lan743x_ptp_io_event_clock_get(), the 'channel' value\nis checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8).\nThis seems correct and aligns with the PTP interrupt status register\n(PTP_INT_STS) specifications.\n\nHowever, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with\nonly LAN743X_PTP_N_EXTTS(4) elements, using channel as an index:\n\n    lan743x_ptp_io_event_clock_get(..., u8 channel,...)\n    {\n        ...\n        /* Update Local timestamp */\n        extts = &ptp->extts[channel];\n        extts->ts.tv_sec = sec;\n        ...\n    }\n\nTo avoid an out-of-bounds write and utilize all the supported GPIO\ninputs, set LAN743X_PTP_N_EXTTS to 8.\n\nDetected using the static analysis tool - Svace.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer\n\nThe reproduction steps:\n1. create a tun interface\n2. enable l2 bearer\n3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun\n\ntipc: Started in network mode\ntipc: Node identity 8af312d38a21, cluster identity 4711\ntipc: Enabled bearer <eth:syz_tun>, priority 1\nOops: general protection fault\nKASAN: null-ptr-deref in range\nCPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT\nHardware name: QEMU Ubuntu 24.04 PC\nRIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0\n\nThe ub was in fact a struct dev.\n\nWhen bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or\nother media when other thread changes it.\n\nFix this by checking media_id.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Free invalid length skb in atmtcp_c_send().\n\nsyzbot reported the splat below. [0]\n\nvcc_sendmsg() copies data passed from userspace to skb and passes\nit to vcc->dev->ops->send().\n\natmtcp_c_send() accesses skb->data as struct atmtcp_hdr after\nchecking if skb->len is 0, but it's not enough.\n\nAlso, when skb->len == 0, skb and sk (vcc) were leaked because\ndev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing\nto revert atm_account_tx() in vcc_sendmsg(), which is expected\nto be done in atm_pop_raw().\n\nLet's properly free skb with an invalid length in atmtcp_c_send().\n\n[0]:\nBUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670\n alloc_skb include/linux/skbuff.h:1336 [inline]\n vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 
net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start()\n\nBefore the commit under the Fixes tag below, bnxt_ulp_stop() and\nbnxt_ulp_start() were always invoked in pairs.  After that commit,\nthe new bnxt_ulp_restart() can be invoked after bnxt_ulp_stop()\nhas been called.  This may result in the RoCE driver's aux driver\n.suspend() method being invoked twice.  The 2nd bnxt_re_suspend()\ncall will crash when it dereferences a NULL pointer:\n\n(NULL ib_device): Handle device suspend call\nBUG: kernel NULL pointer dereference, address: 0000000000000b78\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 20 UID: 0 PID: 181 Comm: kworker/u96:5 Tainted: G S                  6.15.0-rc1 #4 PREEMPT(voluntary)\nTainted: [S]=CPU_OUT_OF_SPEC\nHardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\nWorkqueue: bnxt_pf_wq bnxt_sp_task [bnxt_en]\nRIP: 0010:bnxt_re_suspend+0x45/0x1f0 [bnxt_re]\nCode: 8b 05 a7 3c 5b f5 48 89 44 24 18 31 c0 49 8b 5c 24 08 4d 8b 2c 24 e8 ea 06 0a f4 48 c7 c6 04 60 52 c0 48 89 df e8 1b ce f9 ff <48> 8b 83 78 0b 00 00 48 8b 80 38 03 00 00 a8 40 0f 85 b5 00 00 00\nRSP: 0018:ffffa2e84084fd88 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ffffffffb4b6b934 RDI: 00000000ffffffff\nRBP: ffffa1760954c9c0 R08: 0000000000000000 R09: c0000000ffffdfff\nR10: 0000000000000001 R11: ffffa2e84084fb50 R12: ffffa176031ef070\nR13: ffffa17609775000 R14: ffffa17603adc180 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffffa17daa397000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000b78 CR3: 00000004aaa30003 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nbnxt_ulp_stop+0x69/0x90 
[bnxt_en]\nbnxt_sp_task+0x678/0x920 [bnxt_en]\n? __schedule+0x514/0xf50\nprocess_scheduled_works+0x9d/0x400\nworker_thread+0x11c/0x260\n? __pfx_worker_thread+0x10/0x10\nkthread+0xfe/0x1e0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2b/0x40\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\nCheck the BNXT_EN_FLAG_ULP_STOPPED flag and do not proceed if the flag\nis already set.  This will preserve the original symmetrical\nbnxt_ulp_stop() and bnxt_ulp_start().\n\nAlso, inside bnxt_ulp_start(), clear the BNXT_EN_FLAG_ULP_STOPPED\nflag after taking the mutex to avoid any race condition.  And for\nsymmetry, only proceed in bnxt_ulp_start() if the\nBNXT_EN_FLAG_ULP_STOPPED is set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix a use-after-free in r535_gsp_rpc_push()\n\nThe RPC container is released after being passed to r535_gsp_rpc_send().\n\nWhen sending the initial fragment of a large RPC and passing the\ncaller's RPC container, the container will be freed prematurely. Subsequent\nattempts to send remaining fragments will therefore result in a\nuse-after-free.\n\nAllocate a temporary RPC container for holding the initial fragment of a\nlarge RPC when sending. Free the caller's container when all fragments\nare successfully sent.\n\n[ Rebase onto Blackwell changes. - Danilo ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a7xx: Call CP_RESET_CONTEXT_STATE\n\nCalling this packet is necessary when we switch contexts because there\nare various pieces of state used by userspace to synchronize between BR\nand BV that are persistent across submits and we need to make sure that\nthey are in a \"safe\" state when switching contexts. Otherwise a\nuserspace submission in one context could cause another context to\nfunction incorrectly and hang, effectively a denial of service (although\nwithout leaking data). This was missed during initial a7xx bringup.\n\nPatchwork: https://patchwork.freedesktop.org/patch/654924/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`\n\nThe following kernel Oops was recently reported by Mesa CI:\n\n[  800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588\n[  800.148619] Mem abort info:\n[  800.151402]   ESR = 0x0000000096000005\n[  800.155141]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  800.160444]   SET = 0, FnV = 0\n[  800.163488]   EA = 0, S1PTW = 0\n[  800.166619]   FSC = 0x05: level 1 translation fault\n[  800.171487] Data abort info:\n[  800.174357]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  800.179832]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  800.184873]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000\n[  800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[  800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight\n[  800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n[  800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n[  800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d]\n[  800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d]\n[  800.267251] sp : ffffffc080003e60\n[  800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000\n[  800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020\n[  800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158\n[  800.291948] x20: 
0000000000000000 x19: ffffff8040238000 x18: 0000000000000000\n[  800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000\n[  800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c\n[  800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0\n[  800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980\n[  800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382\n[  800.341859] Call trace:\n[  800.344294]  v3d_job_update_stats+0x60/0x130 [v3d]\n[  800.349086]  v3d_irq+0x124/0x2e0 [v3d]\n[  800.352835]  __handle_irq_event_percpu+0x58/0x218\n[  800.357539]  handle_irq_event+0x54/0xb8\n[  800.361369]  handle_fasteoi_irq+0xac/0x240\n[  800.365458]  handle_irq_desc+0x48/0x68\n[  800.369200]  generic_handle_domain_irq+0x24/0x38\n[  800.373810]  gic_handle_irq+0x48/0xd8\n[  800.377464]  call_on_irq_stack+0x24/0x58\n[  800.381379]  do_interrupt_handler+0x88/0x98\n[  800.385554]  el1_interrupt+0x34/0x68\n[  800.389123]  el1h_64_irq_handler+0x18/0x28\n[  800.393211]  el1h_64_irq+0x64/0x68\n[  800.396603]  default_idle_call+0x3c/0x168\n[  800.400606]  do_idle+0x1fc/0x230\n[  800.403827]  cpu_startup_entry+0x40/0x50\n[  800.407742]  rest_init+0xe4/0xf0\n[  800.410962]  start_kernel+0x5e8/0x790\n[  800.414616]  __primary_switched+0x80/0x90\n[  800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1)\n[  800.424707] ---[ end trace 0000000000000000 ]---\n[  800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThis issue happens when the file descriptor is closed before the jobs\nsubmitted by it are completed. When the job completes, we update the\nglobal GPU stats and the per-fd GPU stats, which are exposed through\nfdinfo. 
If the file descriptor was closed, then the struct `v3d_file_priv`\nand its stats were already freed and we can't update the per-fd stats.\n\nTherefore, if the file descriptor was already closed, don't u\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Revert atm_account_tx() if copy_from_iter_full() fails.\n\nIn vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by\natm_account_tx().\n\nIt is expected to be reverted by atm_pop_raw() later called by\nvcc->dev->ops->send(vcc, skb).\n\nHowever, vcc_sendmsg() misses the same revert when copy_from_iter_full()\nfails, and then we will leak a socket.\n\nLet's factorise the revert part as atm_return_tx() and call it in\nthe failure path.\n\nNote that the corresponding sk_wmem_alloc operation can be found in\nalloc_tx() as of the blamed commit.\n\n  $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference in destroy_previous_session\n\nIf client set ->PreviousSessionId on kerberos session setup stage,\nNULL pointer dereference error will happen. Since sess->user is not\nset yet, It can pass the user argument as NULL to destroy_previous_session.\nsess->user will be set in ksmbd_krb5_authenticate(). So this patch move\ncalling destroy_previous_session() after ksmbd_krb5_authenticate().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: clear the dst when changing skb protocol\n\nA not-so-careful NAT46 BPF program can crash the kernel\nif it indiscriminately flips ingress packets from v4 to v6:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n    ip6_rcv_core (net/ipv6/ip6_input.c:190:20)\n    ipv6_rcv (net/ipv6/ip6_input.c:306:8)\n    process_backlog (net/core/dev.c:6186:4)\n    napi_poll (net/core/dev.c:6906:9)\n    net_rx_action (net/core/dev.c:7028:13)\n    do_softirq (kernel/softirq.c:462:3)\n    netif_rx (net/core/dev.c:5326:3)\n    dev_loopback_xmit (net/core/dev.c:4015:2)\n    ip_mc_finish_output (net/ipv4/ip_output.c:363:8)\n    NF_HOOK (./include/linux/netfilter.h:314:9)\n    ip_mc_output (net/ipv4/ip_output.c:400:5)\n    dst_output (./include/net/dst.h:459:9)\n    ip_local_out (net/ipv4/ip_output.c:130:9)\n    ip_send_skb (net/ipv4/ip_output.c:1496:8)\n    udp_send_skb (net/ipv4/udp.c:1040:8)\n    udp_sendmsg (net/ipv4/udp.c:1328:10)\n\nThe output interface has a 4->6 program attached at ingress.\nWe try to loop the multicast skb back to the sending socket.\nIngress BPF runs as part of netif_rx(), pushes a valid v6 hdr\nand changes skb->protocol to v6. We enter ip6_rcv_core which\ntries to use skb_dst(). But the dst is still an IPv4 one left\nafter IPv4 mcast output.\n\nClear the dst in all BPF helpers which change the protocol.\nTry to preserve metadata dsts, those may carry non-routing\nmetadata.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: reject invalid perturb period\n\nGerrard Tai reported that SFQ perturb_period has no range check yet,\nand this can be used to trigger a race condition fixed in a separate patch.\n\nWe want to make sure ctl->perturb_period * HZ will not overflow\nand is positive.\n\n\ntc qd add dev lo root sfq perturb -10   # negative value : error\nError: sch_sfq: invalid perturb period.\n\ntc qd add dev lo root sfq perturb 1000000000 # too big : error\nError: sch_sfq: invalid perturb period.\n\ntc qd add dev lo root sfq perturb 2000000 # acceptable value\ntc -s -d qd sh dev lo\nqdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec\n Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)\n backlog 0b 0p requeues 0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before writing summary\n\nSyzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault\ninjection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't\ncheck return value of jffs2_prealloc_raw_node_refs and simply lets any\nerror propagate into jffs2_sum_write_data, which eventually calls\njffs2_link_node_ref in order to link the summary to an expectedly allocated\nnode.\n\nkernel BUG at fs/jffs2/nodelist.c:592!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592\nCall Trace:\n <TASK>\n jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]\n jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874\n jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388\n jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301\n generic_perform_write+0x314/0x5d0 mm/filemap.c:3856\n __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973\n generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005\n call_write_iter include/linux/fs.h:2265 [inline]\n do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10c/0x170 fs/splice.c:950\n splice_direct_to_actor+0x337/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 
[inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFix this issue by checking return value of jffs2_prealloc_raw_node_refs\nbefore calling jffs2_sum_write_data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix panic caused by NULL-PMD in huge_pte_offset()\n\nERROR INFO:\n\nCPU 25 Unable to handle kernel paging request at virtual address 0x0\n         ...\n Call Trace:\n [<900000000023c30c>] huge_pte_offset+0x3c/0x58\n [<900000000057fd4c>] hugetlb_follow_page_mask+0x74/0x438\n [<900000000051fee8>] __get_user_pages+0xe0/0x4c8\n [<9000000000522414>] faultin_page_range+0x84/0x380\n [<9000000000564e8c>] madvise_vma_behavior+0x534/0xa48\n [<900000000056689c>] do_madvise+0x1bc/0x3e8\n [<9000000000566df4>] sys_madvise+0x24/0x38\n [<90000000015b9e88>] do_syscall+0x78/0x98\n [<9000000000221f18>] handle_syscall+0xb8/0x158\n\nIn some cases, pmd may be NULL and rely on NULL as the return value for\nprocessing, so it is necessary to determine this situation here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: validate buffer count with offset for cloning\n\nsyzbot reports that it can trigger a WARN_ON() for kmalloc() attempt\nthat's too big:\n\nWARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\nModules linked in:\nCPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\npstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024\nlr : __do_kmalloc_node mm/slub.c:-1 [inline]\nlr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012\nsp : ffff80009cfd7a90\nx29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0\nx26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000\nx23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8\nx20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff\nx17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005\nx14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000\nx11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938\nx8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000\nx2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001\nCall trace:\n __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P)\n kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]\n io_rsrc_data_alloc io_uring/rsrc.c:206 [inline]\n io_clone_buffers io_uring/rsrc.c:1178 [inline]\n io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287\n __io_uring_register io_uring/register.c:815 [inline]\n __do_sys_io_uring_register io_uring/register.c:926 [inline]\n __se_sys_io_uring_register io_uring/register.c:903 [inline]\n __arm64_sys_io_uring_register+0x42c/0xea8 
io_uring/register.c:903\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nwhich is due to offset + buffer_count being too large. The registration\ncode checks only the total count of buffers, but given that the indexing\nis an array, it should also check offset + count. That can't exceed\nIORING_MAX_REG_BUFFERS either, as there's no way to reach buffers beyond\nthat limit.\n\nThere's no issue with registrering a table this large, outside of the\nfact that it's pointless to register buffers that cannot be reached, and\nthat it can trigger this kmalloc() warning for attempting an allocation\nthat is too large.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell_rbu: Fix list usage\n\nPass the correct list head to list_for_each_entry*() when looping through\nthe packet list.\n\nWithout this patch, reading the packet data via sysfs will show the data\nincorrectly (because it starts at the wrong packet), and clearing the\npacket list will result in a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Make sure modelist not set on unregistered console\n\nIt looks like attempting to write to the \"store_modes\" sysfs node will\nrun afoul of unregistered consoles:\n\nUBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28\nindex -1 is out of range for type 'fb_info *[32]'\n...\n fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122\n fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048\n fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673\n store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113\n dev_attr_store+0x55/0x80 drivers/base/core.c:2439\n\nstatic struct fb_info *fbcon_registered_fb[FB_MAX];\n...\nstatic signed char con2fb_map[MAX_NR_CONSOLES];\n...\nstatic struct fb_info *fbcon_info_from_console(int console)\n...\n        return fbcon_registered_fb[con2fb_map[console]];\n\nIf con2fb_map contains a -1 things go wrong here. Instead, return NULL,\nas callers of fbcon_info_from_console() are trying to compare against\nexisting \"info\" pointers, so error handling should kick in correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix memory leak due to multiple rx_stats allocation\n\nrx_stats for each arsta is allocated when adding a station.\narsta->rx_stats will be freed when a station is removed.\n\nRedundant allocations are occurring when the same station is added\nmultiple times. This causes ath12k_mac_station_add() to be called\nmultiple times, and rx_stats is allocated each time. As a result there\nis memory leaks.\n\nPrevent multiple allocations of rx_stats when ath12k_mac_station_add()\nis called repeatedly by checking if rx_stats is already allocated\nbefore allocating again. Allocate arsta->rx_stats if arsta->rx_stats\nis NULL respectively.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix MMIO write access to an invalid page in i40e_clear_hw\n\nWhen the device sends a specific input, an integer underflow can occur, leading\nto MMIO write access to an invalid page.\n\nPrevent the integer underflow by changing the type of related variables.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX\n\nOtherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()\nwhen resizing hashtable because __GFP_NOWARN is unset.\n\nSimilar to:\n\n  b541ba7d1f5a (\"netfilter: conntrack: clamp maximum hashtable size to INT_MAX\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()\n\nbpf_map_lookup_percpu_elem() helper is also available for sleepable bpf\nprogram. When BPF JIT is disabled or under 32-bit host,\nbpf_map_lookup_percpu_elem() will not be inlined. Using it in a\nsleepable bpf program will trigger the warning in\nbpf_map_lookup_percpu_elem(), because the bpf program only holds\nrcu_read_lock_trace lock. Therefore, add the missed check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix null-ptr-deref in jfs_ioc_trim\n\n[ Syzkaller Report ]\n\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000087: 0000 [#1\nKASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]\nCPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted\n6.13.0-rc6-gfbfd64d25c7a-dirty #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nSched_ext: serialise (enabled+all), task: runnable_at=-30ms\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n? __die_body+0x61/0xb0\n? die_addr+0xb1/0xe0\n? exc_general_protection+0x333/0x510\n? asm_exc_general_protection+0x26/0x30\n? jfs_ioc_trim+0x34b/0x8f0\njfs_ioctl+0x3c8/0x4f0\n? __pfx_jfs_ioctl+0x10/0x10\n? __pfx_jfs_ioctl+0x10/0x10\n__se_sys_ioctl+0x269/0x350\n? __pfx___se_sys_ioctl+0x10/0x10\n? do_syscall_64+0xfb/0x210\ndo_syscall_64+0xee/0x210\n? 
syscall_exit_to_user_mode+0x1e0/0x330\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe51f4903ad\nCode: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d\nRSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad\nRDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640\nR13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:jfs_ioc_trim+0x34b/0x8f0\nCode: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93\n90 82 fe ff 4c 89 ff 31 f6\nRSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206\nRAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a\nRDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001\nRBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000\nR10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438\nFS:  00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nKernel panic - not syncing: Fatal exception\n\n[ Analysis ]\n\nWe believe that we have found a concurrency bug in the `fs/jfs` module\nthat results in a null pointer dereference. There is a closely related\nissue which has been fixed:\n\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234\n\n... 
 but, unfortunately, the accepted patch appears to still be\nsusceptible to a null pointer dereference under some interleavings.\n\nTo trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set\nto NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This\nbug manifests quite rarely under normal circumstances, but is\ntriggerable from a syz-program.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds read in add_missing_indices\n\nstbl is s8 but it must contain offsets into slot which can go from 0 to\n127.\n\nAdded a bound check for that error and return -EIO if the check fails.\nAlso make jfs_readdir return with error if add_missing_indices returns\nwith an error.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid divide by zero by initializing dummy pitch to 1\n\n[Why]\nIf the dummy values in `populate_dummy_dml_surface_cfg()` aren't updated\nthen they can lead to a divide by zero in downstream callers like\nCalculateVMAndRowBytes()\n\n[How]\nInitialize dummy value to a value to avoid divide by zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n        exfat_create_upcase_table() : return error\n        exfat_free_upcase_table() : free ->vol_utbl\n        exfat_load_default_upcase_table : return error\n     exfat_kill_sb()\n           delayed_free()\n                  exfat_free_upcase_table() <--------- double free\nThis patch sets ->vol_utbl to NULL after freeing it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix uprobe pte be overwritten when expanding vma\n\nPatch series \"Fix uprobe pte be overwritten when expanding vma\".\n\n\nThis patch (of 4):\n\nWe encountered a BUG alert triggered by Syzkaller as follows:\n   BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1\n\nAnd we can reproduce it with the following steps:\n1. register uprobe on file at zero offset\n2. mmap the file at zero offset:\n   addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0);\n3. mremap part of vma1 to new vma2:\n   addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE);\n4. mremap back to orig addr1:\n   mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1);\n\nIn step 3, the vma1 range [addr1, addr1 + 4096] will be remapped to new vma2\nwith range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1\nto vma2, then unmap the vma1 range [addr1, addr1 + 4096].\n\nIn step 4, the vma2 range [addr2, addr2 + 4096] will be remapped back to the\naddr range [addr1, addr1 + 4096].  Since the addr range [addr1 + 4096,\naddr1 + 8192] still maps the file, it will take vma_merge_new_range to\nexpand the range, and then do uprobe_mmap in vma_complete.  Since the\nmerged vma pgoff is also zero offset, it will install uprobe anon page to\nthe merged vma.  However, the upcoming move_page_tables step, which uses\nset_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite\nthe new uprobe pte in the merged vma, and leave that pte orphaned.\n\nSince the uprobe pte will be remapped to the merged vma, we can remove the\nunnecessary uprobe_mmap upon merged vma.\n\nThis problem was first found in linux-6.6.y and also exists in the\ncommunity syzkaller:\nhttps://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: add NULL check in automount_fullpath\n\npage is checked for null in __build_path_from_dentry_optional_prefix\nwhen tcon->origin_fullpath is not set. However, the check is missing when\nit is set.\nAdd a check to prevent a potential NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: remove tag set when second admin queue config fails\n\nCommit 104d0e2f6222 (\"nvme-fabrics: reset admin connection for secure\nconcatenation\") modified nvme_tcp_setup_ctrl() to call\nnvme_tcp_configure_admin_queue() twice. The first call prepares for\nDH-CHAP negotiation, and the second call is required for secure\nconcatenation. However, this change triggered BUG KASAN slab-use-after-\nfree in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by\nrepeating the blktests test case nvme/063 a few times [1].\n\nWhen the BUG happens, nvme_tcp_create_ctrl() fails in the call chain\nbelow:\n\nnvme_tcp_create_ctrl()\n nvme_tcp_alloc_ctrl() new=true             ... Alloc nvme_tcp_ctrl and admin_tag_set\n nvme_tcp_setup_ctrl() new=true\n  nvme_tcp_configure_admin_queue() new=true ... Succeed\n   nvme_alloc_admin_tag_set()               ... Alloc the tag set for admin_tag_set\n  nvme_stop_keep_alive()\n  nvme_tcp_teardown_admin_queue() remove=false\n  nvme_tcp_configure_admin_queue() new=false\n   nvme_tcp_alloc_admin_queue()             ... Fail, but do not call nvme_remove_admin_tag_set()\n nvme_uninit_ctrl()\n nvme_put_ctrl()                            ... Free up the nvme_tcp_ctrl and admin_tag_set\n\nThe first call of nvme_tcp_configure_admin_queue() succeeds with\nnew=true argument. The second call fails with new=false argument. This\nsecond call does not call nvme_remove_admin_tag_set() on failure, due to\nthe new=false argument. Then the admin tag set is not removed. However,\nnvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call\nnvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which\nhas admin_tag_set field. Later on, the timeout handler accesses the\nadmin_tag_set field and causes the BUG KASAN slab-use-after-free.\n\nTo not leave the admin tag set, call nvme_remove_admin_tag_set() when\nthe second nvme_tcp_configure_admin_queue() call fails. Do not return\nfrom nvme_tcp_setup_ctrl() on failure. Instead, jump to \"destroy_admin\"\ngo-to label to call nvme_tcp_teardown_admin_queue() which calls\nnvme_remove_admin_tag_set().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs-tsm-report: Fix NULL dereference of tsm_ops\n\nUnlike sysfs, the lifetime of configfs objects is controlled by\nuserspace. There is no mechanism for the kernel to find and delete all\ncreated config-items. Instead, the configfs-tsm-report mechanism has an\nexpectation that tsm_unregister() can happen at any time and cause\nestablished config-item access to start failing.\n\nThat expectation is not fully satisfied. While tsm_report_read(),\ntsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail\nif tsm_ops have been unregistered, tsm_report_privlevel_store()\ntsm_report_provider_show() fail to check for ops registration. Add the\nmissing checks for tsm_ops having been removed.\n\nNow, in supporting the ability for tsm_unregister() to always succeed,\nit leaves the problem of what to do with lingering config-items. The\nexpectation is that the admin that arranges for the ->remove() (unbind)\nof the ${tsm_arch}-guest driver is also responsible for deletion of all\nopen config-items. Until that deletion happens, ->probe() (reload /\nbind) of the ${tsm_arch}-guest driver fails.\n\nThis allows for emergency shutdown / revocation of attestation\ninterfaces, and requires coordinated restart.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id's last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? 
assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe 
last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough.  If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in fb_set_var() fails to allocate memory for\nfb_videomode, later it may lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info->var.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nThe reason is that fb_info->var is being modified in fb_set_var(), and\nthen fb_videomode_to_var() is called. 
If it fails to add the mode to\nfb_info->modelist, fb_set_var() returns error, but does not restore the\nold value of fb_info->var. Restore fb_info->var on failure the same way\nit is done earlier in the function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in do_register_framebuffer() fails to allocate\nmemory for fb_videomode, it will later lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info->var.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nEven though fbcon_init() checks beforehand if fb_match_mode() in\nvar_to_display() fails, it can not prevent the panic because fbcon_init()\ndoes not return error code. 
Considering this and the comment in the code\nabout fb_match_mode() returning NULL - \"This should not happen\" - it is\nbetter to prevent registering the fb_info if its mode was not set\nsuccessfully. Also move fb_add_videomode() closer to the beginning of\ndo_register_framebuffer() to avoid having to do the cleanup on fail.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Restore context entry setup order for aliased devices\n\nCommit 2031c469f816 (\"iommu/vt-d: Add support for static identity domain\")\nchanged the context entry setup during domain attachment from a\nset-and-check policy to a clear-and-reset approach. This inadvertently\nintroduced a regression affecting PCI aliased devices behind PCIe-to-PCI\nbridges.\n\nSpecifically, keyboard and touchpad stopped working on several Apple\nMacbooks with below messages:\n\n kernel: platform pxa2xx-spi.3: Adding to iommu group 20\n kernel: input: Apple SPI Keyboard as\n /devices/pci0000:00/0000:00:1e.3/pxa2xx-spi.3/spi_master/spi2/spi-APP000D:00/input/input0\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr\n 0xffffa000 [fault reason 0x06] PTE Read access is not set\n kernel: DMAR: DRHD: handling fault status reg 3\n kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00\n\nFix this by restoring the previous context setup order.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ftsteutates) Fix TOCTOU race in fts_read()\n\nIn the fts_read() function, when handling hwmon_pwm_auto_channels_temp,\nthe code accesses the shared variable data->fan_source[channel] twice\nwithout holding any locks. It is first checked against\nFTS_FAN_SOURCE_INVALID, and if the check passes, it is read again\nwhen used as an argument to the BIT() macro.\n\nThis creates a Time-of-Check to Time-of-Use (TOCTOU) race condition.\nAnother thread executing fts_update_device() can modify the value of\ndata->fan_source[channel] between the check and its use. If the value\nis changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the\nBIT() macro will be called with a large shift value (BIT(255)).\nA bit shift by a value greater than or equal to the type width is\nundefined behavior and can lead to a crash or incorrect values being\nreturned to userspace.\n\nFix this by reading data->fan_source[channel] into a local variable\nonce, eliminating the race condition. Additionally, add a bounds check\nto ensure the value is less than BITS_PER_LONG before passing it to\nthe BIT() macro, making the code more robust against undefined behavior.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sit_bitmap_size\n\nw/ below testcase, resize will generate a corrupted image which\ncontains inconsistent metadata, so when mounting such image, it\nwill trigger kernel panic:\n\ntouch img\ntruncate -s $((512*1024*1024*1024)) img\nmkfs.f2fs -f img $((256*1024*1024))\nresize.f2fs -s -i img -t $((1024*1024*1024))\nmount img /mnt/f2fs\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.h:863!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_ra_meta_pages+0x47c/0x490\n\nCall Trace:\n f2fs_build_segment_manager+0x11c3/0x2600\n f2fs_fill_super+0xe97/0x2840\n mount_bdev+0xf4/0x140\n legacy_get_tree+0x2b/0x50\n vfs_get_tree+0x29/0xd0\n path_mount+0x487/0xaf0\n __x64_sys_mount+0x116/0x150\n do_syscall_64+0x82/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdbfde1bcfe\n\nThe reason is:\n\nsit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum\nthere are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt\nis 4762, build_sit_entries() -> current_sit_addr() tries to access\nout-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap\nand sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on().\n\nLet's add sanity check in f2fs_sanity_check_ckpt() to avoid panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: prevent kernel warning due to negative i_nlink from corrupted image\n\nWARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0\nhome/cc/linux/fs/inode.c:417\nModules linked in:\nCPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted\n6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417\nCode: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff\nf0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90\n<0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6\nff\nRSP: 0018:ffffc900026b7c28 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f\nRDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005\nRBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000\nR13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0\nFS:  000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0\nCall Trace:\n <task>\n f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline]\n f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845\n f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909\n f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581\n vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544\n do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608\n __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline]\n __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline]\n __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652\n do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb3d092324b\nCode: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66\n2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05\n<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01\n48\nRSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b\nRDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0\nRBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0\nR10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0\nR13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001\n </task>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: only dirty folios when data journaling regular files\n\nfstest generic/388 occasionally reproduces a crash that looks as\nfollows:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCall Trace:\n <TASK>\n ext4_block_zero_page_range+0x30c/0x380 [ext4]\n ext4_truncate+0x436/0x440 [ext4]\n ext4_process_orphan+0x5d/0x110 [ext4]\n ext4_orphan_cleanup+0x124/0x4f0 [ext4]\n ext4_fill_super+0x262d/0x3110 [ext4]\n get_tree_bdev_flags+0x132/0x1d0\n vfs_get_tree+0x26/0xd0\n vfs_cmd_create+0x59/0xe0\n __do_sys_fsconfig+0x4ed/0x6b0\n do_syscall_64+0x82/0x170\n ...\n\nThis occurs when processing a symlink inode from the orphan list. The\npartial block zeroing code in the truncate path calls\next4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls\nmapping->a_ops->dirty_folio(), but symlink inodes are not assigned an\na_ops vector in ext4, hence the crash.\n\nTo avoid this problem, update the ext4_dirty_journalled_data() helper to\nonly mark the folio dirty on regular files (for which a_ops is\nassigned). This also matches the journaling logic in the ext4_symlink()\ncreation path, where ext4_handle_dirty_metadata() is called directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out of bounds punch offset\n\nPunching a hole with a start offset that exceeds max_end is not\npermitted and will result in a negative length in the\ntruncate_inode_partial_folio() function while truncating the page cache,\npotentially leading to undesirable consequences.\n\nA simple reproducer:\n\n  truncate -s 9895604649994 /mnt/foo\n  xfs_io -c \"pwrite 8796093022208 4096\" /mnt/foo\n  xfs_io -c \"fpunch 8796093022213 25769803777\" /mnt/foo\n\n  kernel BUG at include/linux/highmem.h:275!\n  Oops: invalid opcode: 0000 [#1] SMP PTI\n  CPU: 3 UID: 0 PID: 710 Comm: xfs_io Not tainted 6.15.0-rc3\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:zero_user_segments.constprop.0+0xd7/0x110\n  RSP: 0018:ffffc90001cf3b38 EFLAGS: 00010287\n  RAX: 0000000000000005 RBX: ffffea0001485e40 RCX: 0000000000001000\n  RDX: 000000000040b000 RSI: 0000000000000005 RDI: 000000000040b000\n  RBP: 000000000040affb R08: ffff888000000000 R09: ffffea0000000000\n  R10: 0000000000000003 R11: 00000000fffc7fc5 R12: 0000000000000005\n  R13: 000000000040affb R14: ffffea0001485e40 R15: ffff888031cd3000\n  FS:  00007f4f63d0b780(0000) GS:ffff8880d337d000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000001ae0b038 CR3: 00000000536aa000 CR4: 00000000000006f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   truncate_inode_partial_folio+0x3dd/0x620\n   truncate_inode_pages_range+0x226/0x720\n   ? bdev_getblk+0x52/0x3e0\n   ? ext4_get_group_desc+0x78/0x150\n   ? crc32c_arch+0xfd/0x180\n   ? __ext4_get_inode_loc+0x18c/0x840\n   ? ext4_inode_csum+0x117/0x160\n   ? jbd2_journal_dirty_metadata+0x61/0x390\n   ? __ext4_handle_dirty_metadata+0xa0/0x2b0\n   ? kmem_cache_free+0x90/0x5a0\n   ? 
jbd2_journal_stop+0x1d5/0x550\n   ? __ext4_journal_stop+0x49/0x100\n   truncate_pagecache_range+0x50/0x80\n   ext4_truncate_page_cache_block_range+0x57/0x3a0\n   ext4_punch_hole+0x1fe/0x670\n   ext4_fallocate+0x792/0x17d0\n   ? __count_memcg_events+0x175/0x2a0\n   vfs_fallocate+0x121/0x560\n   ksys_fallocate+0x51/0xc0\n   __x64_sys_fallocate+0x24/0x40\n   x64_sys_call+0x18d2/0x4170\n   do_syscall_64+0xa7/0x220\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by filtering out cases where the punching start offset exceeds\nmax_end.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n        fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n        ftruncate(fd, 30);\n        pwrite(fd, \"a\", 1, (1UL << 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n        BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[   44.545164] ------------[ cut here ]------------\n[   44.545530] kernel BUG at fs/ext4/inline.c:240!\n[   44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[   44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full)  112853fcebfdb93254270a7959841d2c6aa2c8bb\n[   44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[   44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[   44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[   44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[   44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[   44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[   44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[  
 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[   44.546523] FS:  00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[   44.546523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[   44.546523] PKRU: 55555554\n[   44.546523] Call Trace:\n[   44.546523]  <TASK>\n[   44.546523]  ext4_write_inline_data_end+0x126/0x2d0\n[   44.546523]  generic_perform_write+0x17e/0x270\n[   44.546523]  ext4_buffered_write_iter+0xc8/0x170\n[   44.546523]  vfs_write+0x2be/0x3e0\n[   44.546523]  __x64_sys_pwrite64+0x6d/0xc0\n[   44.546523]  do_syscall_64+0x6a/0xf0\n[   44.546523]  ? __wake_up+0x89/0xb0\n[   44.546523]  ? xas_find+0x72/0x1c0\n[   44.546523]  ? next_uptodate_folio+0x317/0x330\n[   44.546523]  ? set_pte_range+0x1a6/0x270\n[   44.546523]  ? filemap_map_pages+0x6ee/0x840\n[   44.546523]  ? ext4_setattr+0x2fa/0x750\n[   44.546523]  ? do_pte_missing+0x128/0xf70\n[   44.546523]  ? security_inode_post_setattr+0x3e/0xd0\n[   44.546523]  ? ___pte_offset_map+0x19/0x100\n[   44.546523]  ? handle_mm_fault+0x721/0xa10\n[   44.546523]  ? do_user_addr_fault+0x197/0x730\n[   44.546523]  ? do_syscall_64+0x76/0xf0\n[   44.546523]  ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[   44.546523]  ? 
irqentry_exit_to_user_mode+0x79/0x90\n[   44.546523]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[   44.546523] RIP: 0033:0x7f42999c6687\n[   44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[   44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[   44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[   44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[   44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[   44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: avoid kernel BUG for encrypted inode with unaligned file size\n\nThe generic/397 test hits a BUG_ON for the case of encrypted inode with\nunaligned file size (for example, 33K or 1K):\n\n[ 877.737811] run fstests generic/397 at 2025-01-03 12:34:40\n[ 877.875761] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 877.876130] libceph: client4614 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 877.991965] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 877.992334] libceph: client4617 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 878.017234] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 878.017594] libceph: client4620 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 878.031394] xfs_io (pid 18988) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n[ 878.054528] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 878.054892] libceph: client4623 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 878.070287] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 878.070704] libceph: client4626 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 878.264586] libceph: mon0 (2)127.0.0.1:40674 session established\n[ 878.265258] libceph: client4629 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949\n[ 878.374578] -----------[ cut here ]------------\n[ 878.374586] kernel BUG at net/ceph/messenger.c:1070!\n[ 878.375150] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 878.378145] CPU: 2 UID: 0 PID: 4759 Comm: kworker/2:9 Not tainted 6.13.0-rc5+ #1\n[ 878.378969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 878.380167] Workqueue: ceph-msgr ceph_con_workfn\n[ 878.381639] RIP: 0010:ceph_msg_data_cursor_init+0x42/0x50\n[ 878.382152] Code: 89 17 48 8b 46 70 55 48 89 47 08 c7 47 18 00 00 00 00 48 89 e5 e8 de cc ff ff 5d 31 c0 31 d2 31 f6 31 ff c3 cc cc cc cc 0f 0b <0f> 0b 0f 0b 66 2e 0f 1f 84 
00 00 00 00 00 90 90 90 90 90 90 90 90\n[ 878.383928] RSP: 0018:ffffb4ffc7cbbd28 EFLAGS: 00010287\n[ 878.384447] RAX: ffffffff82bb9ac0 RBX: ffff981390c2f1f8 RCX: 0000000000000000\n[ 878.385129] RDX: 0000000000009000 RSI: ffff981288232b58 RDI: ffff981390c2f378\n[ 878.385839] RBP: ffffb4ffc7cbbe18 R08: 0000000000000000 R09: 0000000000000000\n[ 878.386539] R10: 0000000000000000 R11: 0000000000000000 R12: ffff981390c2f030\n[ 878.387203] R13: ffff981288232b58 R14: 0000000000000029 R15: 0000000000000001\n[ 878.387877] FS: 0000000000000000(0000) GS:ffff9814b7900000(0000) knlGS:0000000000000000\n[ 878.388663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 878.389212] CR2: 00005e106a0554e0 CR3: 0000000112bf0001 CR4: 0000000000772ef0\n[ 878.389921] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 878.390620] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 878.391307] PKRU: 55555554\n[ 878.391567] Call Trace:\n[ 878.391807] <TASK>\n[ 878.392021] ? show_regs+0x71/0x90\n[ 878.392391] ? die+0x38/0xa0\n[ 878.392667] ? do_trap+0xdb/0x100\n[ 878.392981] ? do_error_trap+0x75/0xb0\n[ 878.393372] ? ceph_msg_data_cursor_init+0x42/0x50\n[ 878.393842] ? exc_invalid_op+0x53/0x80\n[ 878.394232] ? ceph_msg_data_cursor_init+0x42/0x50\n[ 878.394694] ? asm_exc_invalid_op+0x1b/0x20\n[ 878.395099] ? ceph_msg_data_cursor_init+0x42/0x50\n[ 878.395583] ? ceph_con_v2_try_read+0xd16/0x2220\n[ 878.396027] ? _raw_spin_unlock+0xe/0x40\n[ 878.396428] ? raw_spin_rq_unlock+0x10/0x40\n[ 878.396842] ? finish_task_switch.isra.0+0x97/0x310\n[ 878.397338] ? __schedule+0x44b/0x16b0\n[ 878.397738] ceph_con_workfn+0x326/0x750\n[ 878.398121] process_one_work+0x188/0x3d0\n[ 878.398522] ? __pfx_worker_thread+0x10/0x10\n[ 878.398929] worker_thread+0x2b5/0x3c0\n[ 878.399310] ? __pfx_worker_thread+0x10/0x10\n[ 878.399727] kthread+0xe1/0x120\n[ 878.400031] ? __pfx_kthread+0x10/0x10\n[ 878.400431] ret_from_fork+0x43/0x70\n[ 878.400771] ? 
__pfx_kthread+0x10/0x10\n[ 878.401127] ret_from_fork_asm+0x1a/0x30\n[ 878.401543] </TASK>\n[ 878.401760] Modules l\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_pciefd: refine error prone echo_skb_max handling logic\n\necho_skb_max should define the supported upper limit of echo_skb[]\nallocated inside the netdevice's priv. The corresponding size value\nprovided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT\nwhich is 17.\n\nBut later echo_skb_max is rounded up to the nearest power of two (for the\nmax case, that would be 32) and the tx/ack indices calculated further\nduring tx/rx may exceed the upper array boundary. Kasan reported this for\nthe ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit\nfunction has actually caught the same thing earlier.\n\n BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528\n Read of size 8 at addr ffff888105e4f078 by task swapper/4/0\n\n CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary)\n Call Trace:\n  <IRQ>\n dump_stack_lvl lib/dump_stack.c:122\n print_report mm/kasan/report.c:521\n kasan_report mm/kasan/report.c:634\n kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528\n kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605\n kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656\n kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684\n kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733\n __handle_irq_event_percpu kernel/irq/handle.c:158\n handle_irq_event kernel/irq/handle.c:210\n handle_edge_irq kernel/irq/chip.c:833\n __common_interrupt arch/x86/kernel/irq.c:296\n common_interrupt arch/x86/kernel/irq.c:286\n  </IRQ>\n\nTx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq\nnumbers' generation that's not the case - we're free to calculate them as\nwould be more convenient, not taking tx max count into account. 
The only\ndownside is that the size of echo_skb[] should correspond to the max seq\nnumber (not tx max count), so in some situations a bit more memory would\nbe consumed than could be.\n\nThus make the size of the underlying echo_skb[] sufficient for the rounded\nmax tx value.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Cleanup after an allocation error\n\nWhen allocation failures are not cleaned up by the driver, further\nallocation errors will be false-positives, which will cause buffers to\nremain uninitialized and cause NULL pointer dereferences.\nEnsure proper cleanup of failed allocations to prevent these issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of initialization failure\n\nsyzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]\n\nAfter PSI initialization fails, the si member is accessed again, resulting\nin this uaf.\n\nAfter si initialization fails, the subsequent process needs to be exited.\n\n[1]\nBUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]\nBUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nRead of size 8 at addr ffff88802fa42acc by task syz.2.37/6059\n\nCPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0xc3/0x670 mm/kasan/report.c:521\nkasan_report+0xd9/0x110 mm/kasan/report.c:634\nvidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78\nvidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nvidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\nvidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\ndmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\ndvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\ndvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\ndvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\ndvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\ndvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n__fput+0x3ff/0xb70 fs/file_table.c:464\ntask_work_run+0x14e/0x250 kernel/task_work.c:227\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xad8/0x2d70 
kernel/exit.c:938\ndo_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n__do_sys_exit_group kernel/exit.c:1098 [inline]\n__se_sys_exit_group kernel/exit.c:1096 [inline]\n__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096\nx64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f871d58d169\nCode: Unable to access opcode bytes at 0x7f871d58d13f.\nRSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169\nRDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003\nR13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840\n </TASK>\n\nAllocated by task 6059:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970\n vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423\n vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\n vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\n dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\n dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\n dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\n dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n 
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3ff/0xb70 fs/file_tabl\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imagination: fix a potential memory leak in e5010_probe()\n\nAdd video_device_release() to release the memory allocated by\nvideo_device_alloc() if something goes wrong.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cxusb: no longer judge rbuf when the write fails\n\nsyzbot reported a uninit-value in cxusb_i2c_xfer. [1]\n\nOnly when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()\nsucceeds and rlen is greater than 0, the read operation of usb_bulk_msg()\nwill be executed to read rlen bytes of data from the dvb device into the\nrbuf.\n\nIn this case, although rlen is 1, the write operation failed which resulted\nin the dvb read operation not being executed, and ultimately variable i was\nnot initialized.\n\n[1]\nBUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\nBUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\n cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1\n i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315\n i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343\n i2c_master_send include/linux/i2c.h:109 [inline]\n i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183\n do_loop_readv_writev fs/read_write.c:848 [inline]\n vfs_writev+0x963/0x14e0 fs/read_write.c:1057\n do_writev+0x247/0x5c0 fs/read_write.c:1101\n __do_sys_writev fs/read_write.c:1169 [inline]\n __se_sys_writev fs/read_write.c:1166 [inline]\n __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166\n x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: validate AG parameters in dbMount() to prevent crashes\n\nValidate db_agheight, db_agwidth, and db_agstart in dbMount to catch\ncorrupted metadata early and avoid undefined behavior in dbAllocAG.\nLimits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE:\n\n- agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift\n  (L2LPERCTL - 2*agheight) >= 0.\n- agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight))\n  ensures agperlev >= 1.\n  - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5).\n  - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG;\n    2^(10 - 2*agheight) prevents division to 0.\n- agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within\n  stree (size 1365).\n  - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8).\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9\nshift exponent -335544310 is negative\nCPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400\n dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613\n jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105\n jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Initialize ssc before laundromat_work to prevent NULL dereference\n\nIn nfs4_state_start_net(), laundromat_work may access nfsd_ssc through\nnfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,\nthis can cause NULL pointer dereference.\n\nNormally the delayed start of laundromat_work allows sufficient time for\nnfsd_ssc initialization to complete. However, when the kernel waits too\nlong for userspace responses (e.g. in nfs4_state_start_net ->\nnfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->\ncld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the\ndelayed work may start before nfsd_ssc initialization finishes.\n\nFix this by moving nfsd_ssc initialization before starting laundromat_work.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix race between nfsd registration and exports_proc\n\nAs of now nfsd calls create_proc_exports_entry() at start of init_nfsd\nand cleanup by remove_proc_entry() at last of exit_nfsd.\n\nWhich causes kernel OOPs if there is race between below 2 operations:\n(i) exportfs -r\n(ii) mount -t nfsd none /proc/fs/nfsd\n\nfor 5.4 kernel ARM64:\n\nCPU 1:\nel1_irq+0xbc/0x180\narch_counter_get_cntvct+0x14/0x18\nrunning_clock+0xc/0x18\npreempt_count_add+0x88/0x110\nprep_new_page+0xb0/0x220\nget_page_from_freelist+0x2d8/0x1778\n__alloc_pages_nodemask+0x15c/0xef0\n__vmalloc_node_range+0x28c/0x478\n__vmalloc_node_flags_caller+0x8c/0xb0\nkvmalloc_node+0x88/0xe0\nnfsd_init_net+0x6c/0x108 [nfsd]\nops_init+0x44/0x170\nregister_pernet_operations+0x114/0x270\nregister_pernet_subsys+0x34/0x50\ninit_nfsd+0xa8/0x718 [nfsd]\ndo_one_initcall+0x54/0x2e0\n\nCPU 2 :\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n\nPC is at : exports_net_open+0x50/0x68 [nfsd]\n\nCall trace:\nexports_net_open+0x50/0x68 [nfsd]\nexports_proc_open+0x2c/0x38 [nfsd]\nproc_reg_open+0xb8/0x198\ndo_dentry_open+0x1c4/0x418\nvfs_open+0x38/0x48\npath_openat+0x28c/0xf18\ndo_filp_open+0x70/0xe8\ndo_sys_open+0x154/0x248\n\nSometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().\n\nand same is happening on latest 6.14 kernel as well:\n\n[    0.000000] Linux version 6.14.0-rc5-next-20250304-dirty\n...\n[  285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48\n...\n[  285.464902] pc : cache_seq_next_rcu+0x78/0xa4\n...\n[  285.469695] Call trace:\n[  285.470083]  cache_seq_next_rcu+0x78/0xa4 (P)\n[  285.470488]  seq_read+0xe0/0x11c\n[  285.470675]  proc_reg_read+0x9c/0xf0\n[  285.470874]  vfs_read+0xc4/0x2fc\n[  285.471057]  ksys_read+0x6c/0xf4\n[  285.471231]  __arm64_sys_read+0x1c/0x28\n[  285.471428]  invoke_syscall+0x44/0x100\n[  285.471633]  el0_svc_common.constprop.0+0x40/0xe0\n[  285.471870]  do_el0_svc_compat+0x1c/0x34\n[  285.472073]  el0_svc_compat+0x2c/0x80\n[  285.472265]  el0t_32_sync_handler+0x90/0x140\n[  285.472473]  el0t_32_sync+0x19c/0x1a0\n[  285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)\n[  285.473422] ---[ end trace 0000000000000000 ]---\n\nIt reproduced simply with below script:\nwhile [ 1 ]\ndo\n/exportfs -r\ndone &\n\nwhile [ 1 ]\ndo\ninsmod /nfsd.ko\nmount -t nfsd none /proc/fs/nfsd\numount /proc/fs/nfsd\nrmmod nfsd\ndone &\n\nSo exporting interfaces to user space shall be done at last and\ncleanup at first place.\n\nWith change there is no Kernel OOPs.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc64/ftrace: fix clobbered r15 during livepatching\n\nWhile r15 is clobbered always with PPC_FTRACE_OUT_OF_LINE, it is\nnot restored in livepatch sequence leading to not so obvious fails\nlike below:\n\n  BUG: Unable to handle kernel data access on write at 0xc0000000000f9078\n  Faulting instruction address: 0xc0000000018ff958\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  ...\n  NIP:  c0000000018ff958 LR: c0000000018ff930 CTR: c0000000009c0790\n  REGS: c00000005f2e7790 TRAP: 0300   Tainted: G              K      (6.14.0+)\n  MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 2822880b  XER: 20040000\n  CFAR: c0000000008addc0 DAR: c0000000000f9078 DSISR: 0a000000 IRQMASK: 1\n  GPR00: c0000000018f2584 c00000005f2e7a30 c00000000280a900 c000000017ffa488\n  GPR04: 0000000000000008 0000000000000000 c0000000018f24fc 000000000000000d\n  GPR08: fffffffffffe0000 000000000000000d 0000000000000000 0000000000008000\n  GPR12: c0000000009c0790 c000000017ffa480 c00000005f2e7c78 c0000000000f9070\n  GPR16: c00000005f2e7c90 0000000000000000 0000000000000000 0000000000000000\n  GPR20: 0000000000000000 c00000005f3efa80 c00000005f2e7c60 c00000005f2e7c88\n  GPR24: c00000005f2e7c60 0000000000000001 c0000000000f9078 0000000000000000\n  GPR28: 00007fff97960000 c000000017ffa480 0000000000000000 c0000000000f9078\n  ...\n  Call Trace:\n    check_heap_object+0x34/0x390 (unreliable)\n  __mutex_unlock_slowpath.isra.0+0xe4/0x230\n  seq_read_iter+0x430/0xa90\n  proc_reg_read_iter+0xa4/0x200\n  vfs_read+0x41c/0x510\n  ksys_read+0xa4/0x190\n  system_call_exception+0x1d0/0x440\n  system_call_vectored_common+0x15c/0x2ec\n\nFix it by restoring r15 always.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Fix race in push_rt_task\n\nOverview\n========\nWhen a CPU chooses to call push_rt_task and picks a task to push to\nanother CPU's runqueue then it will call find_lock_lowest_rq method\nwhich would take a double lock on both CPUs' runqueues. If one of the\nlocks aren't readily available, it may lead to dropping the current\nrunqueue lock and reacquiring both the locks at once. During this window\nit is possible that the task is already migrated and is running on some\nother CPU. These cases are already handled. However, if the task is\nmigrated and has already been executed and another CPU is now trying to\nwake it up (ttwu) such that it is queued again on the runqueue\n(on_rq is 1) and also if the task was run by the same CPU, then the\ncurrent checks will pass even though the task was migrated out and is no\nlonger in the pushable tasks list.\n\nCrashes\n=======\nThis bug resulted in quite a few flavors of crashes triggering kernel\npanics with various crash signatures such as assert failures, page\nfaults, null pointer dereferences, and queue corruption errors all\ncoming from scheduler itself.\n\nSome of the crashes:\n-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? do_error_trap+0x64/0xa0\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? exc_invalid_op+0x4c/0x60\n   ? pick_next_task_rt+0x6e/0x1d0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? pick_next_task_rt+0x6e/0x1d0\n   __schedule+0x5cb/0x790\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-> BUG: kernel NULL pointer dereference, address: 00000000000000c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? __warn+0x8a/0xe0\n   ? exc_page_fault+0x3d6/0x520\n   ? asm_exc_page_fault+0x1e/0x30\n   ? pick_next_task_rt+0xb5/0x1d0\n   ? pick_next_task_rt+0x8c/0x1d0\n   __schedule+0x583/0x7e0\n   ? update_ts_time_stats+0x55/0x70\n   schedule_idle+0x1e/0x40\n   do_idle+0x15e/0x200\n   cpu_startup_entry+0x19/0x20\n   start_secondary+0x117/0x160\n   secondary_startup_64_no_verify+0xb0/0xbb\n\n-> BUG: unable to handle page fault for address: ffff9464daea5900\n   kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))\n\n-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? die+0x2a/0x50\n   ? do_trap+0x85/0x100\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? do_error_trap+0x64/0xa0\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? exc_invalid_op+0x4c/0x60\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   ? asm_exc_invalid_op+0x12/0x20\n   ? dequeue_top_rt_rq+0xa2/0xb0\n   dequeue_rt_entity+0x1f/0x70\n   dequeue_task_rt+0x2d/0x70\n   __schedule+0x1a8/0x7e0\n   ? blk_finish_plug+0x25/0x40\n   schedule+0x3c/0xb0\n   futex_wait_queue_me+0xb6/0x120\n   futex_wait+0xd9/0x240\n   do_futex+0x344/0xa90\n   ? get_mm_exe_file+0x30/0x60\n   ? audit_exe_compare+0x58/0x70\n   ? audit_filter_rules.constprop.26+0x65e/0x1220\n   __x64_sys_futex+0x148/0x1f0\n   do_syscall_64+0x30/0x80\n   entry_SYSCALL_64_after_hwframe+0x62/0xc7\n\n-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0\n   Call Trace:\n   ? __die_body+0x1a/0x60\n   ? no_context+0x183/0x350\n   ? spurious_kernel_fault+0x171/0x1c0\n   ? exc_page_fault+0x3b6/0x520\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? asm_exc_page_fault+0x1e/0x30\n   ? _cond_resched+0x15/0x30\n   ? futex_wait_queue_me+0xc8/0x120\n   ? futex_wait+0xd9/0x240\n   ? try_to_wake_up+0x1b8/0x490\n   ? futex_wake+0x78/0x160\n   ? do_futex+0xcd/0xa90\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? plist_del+0x6a/0xd0\n   ? plist_check_list+0x15/0x40\n   ? plist_check_list+0x2e/0x40\n   ? dequeue_pushable_task+0x20/0x70\n   ? __schedule+0x382/0x7e0\n   ? asm_sysvec_reschedule_i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix \"appletb_backlight\" backlight device reference counting\n\nDuring appletb_kbd_probe, probe attempts to get the backlight device\nby name. When this happens backlight_device_get_by_name looks for a\ndevice in the backlight class which has name \"appletb_backlight\" and\nupon finding a match it increments the reference count for the device\nand returns it to the caller. However this reference is never released\nleading to a reference leak.\n\nFix this by decrementing the backlight device reference count on removal\nvia put_device and on probe failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don't leave consecutive consumed OOB skbs.\n\nJann Horn reported a use-after-free in unix_stream_read_generic().\n\nThe following sequences reproduce the issue:\n\n  $ python3\n  from socket import *\n  s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)\n  s1.send(b'x', MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b'y', MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b'z', MSG_OOB)\n  s2.recv(1)              # recv 'z' illegally\n  s2.recv(1, MSG_OOB)     # access 'z' skb (use-after-free)\n\nEven though a user reads OOB data, the skb holding the data stays on\nthe recv queue to mark the OOB boundary and break the next recv().\n\nAfter the last send() in the scenario above, the sk2's recv queue has\n2 leading consumed OOB skbs and 1 real OOB skb.\n\nThen, the following happens during the next recv() without MSG_OOB\n\n  1. unix_stream_read_generic() peeks the first consumed OOB skb\n  2. manage_oob() returns the next consumed OOB skb\n  3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb\n  4. unix_stream_read_generic() reads and frees the OOB skb\n\n, and the last recv(MSG_OOB) triggers KASAN splat.\n\nThe 3. above occurs because of the SO_PEEK_OFF code, which does not\nexpect unix_skb_len(skb) to be 0, but this is true for such consumed\nOOB skbs.\n\n  while (skip >= unix_skb_len(skb)) {\n    skip -= unix_skb_len(skb);\n    skb = skb_peek_next(skb, &sk->sk_receive_queue);\n    ...\n  }\n\nIn addition to this use-after-free, there is another issue that\nioctl(SIOCATMARK) does not function properly with consecutive consumed\nOOB skbs.\n\nSo, nothing good comes out of such a situation.\n\nInstead of complicating manage_oob(), ioctl() handling, and the next\nECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,\nlet's not leave such consecutive OOB unnecessarily.\n\nNow, while receiving an OOB skb in unix_stream_recv_urg(), if its\nprevious skb is a consumed OOB skb, it is freed.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)\nRead of size 4 at addr ffff888106ef2904 by task python3/315\n\nCPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:636)\n unix_stream_read_actor (net/unix/af_unix.c:3027)\n unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)\n unix_stream_recvmsg (net/unix/af_unix.c:3048)\n sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))\n __sys_recvfrom (net/socket.c:2278)\n __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f8911fcea06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06\nRDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006\nRBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20\nR13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nAllocated by task 315:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:348)\n kmem_cache_alloc_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode()\n\nIn fimc_is_hw_change_mode(), the function changes camera modes without\nwaiting for hardware completion, risking corrupted data or system hangs\nif subsequent operations proceed before the hardware is ready.\n\nAdd fimc_is_hw_wait_intmsr0_intmsd0() after mode configuration, ensuring\nhardware state synchronization and stable interrupt handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out\n\nWhen both the RHBA and RPA FDMI requests time out, fnic reuses a frame to\nsend ABTS for each of them. On send completion, this causes an attempt to\nfree the same frame twice that leads to a crash.\n\nFix crash by allocating separate frames for RHBA and RPA, and modify ABTS\nlogic accordingly.\n\nTested by checking MDS for FDMI information.\n\nTested by using instrumented driver to:\n\n - Drop PLOGI response\n - Drop RHBA response\n - Drop RPA response\n - Drop RHBA and RPA response\n - Drop PLOGI response + ABTS response\n - Drop RHBA response + ABTS response\n - Drop RPA response + ABTS response\n - Drop RHBA and RPA response + ABTS response for both of them",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix invalid node index\n\nOn a system with DRAM interleave enabled, out-of-bound access is\ndetected:\n\nmegaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask *[1024]'\ndump_stack_lvl+0x5d/0x80\nubsan_epilogue+0x5/0x2b\n__ubsan_handle_out_of_bounds.cold+0x46/0x4b\nmegasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]\nmegasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]\nlocal_pci_probe+0x42/0x90\npci_device_probe+0xdc/0x290\nreally_probe+0xdb/0x340\n__driver_probe_device+0x78/0x110\ndriver_probe_device+0x1f/0xa0\n__driver_attach+0xba/0x1c0\nbus_for_each_dev+0x8b/0xe0\nbus_add_driver+0x142/0x220\ndriver_register+0x72/0xd0\nmegasas_init+0xdf/0xff0 [megaraid_sas]\ndo_one_initcall+0x57/0x310\ndo_init_module+0x90/0x250\ninit_module_from_file+0x85/0xc0\nidempotent_init_module+0x114/0x310\n__x64_sys_finit_module+0x65/0xc0\ndo_syscall_64+0x82/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it accordingly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr\n\nThe function mtk_dp_wait_hpd_asserted() may be called before the\n`mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach().\nSpecifically it can be called via this callpath:\n - mtk_edp_wait_hpd_asserted\n - [panel probe]\n - dp_aux_ep_probe\n\nUsing \"drm\" level prints anywhere in this callpath causes a NULL\npointer dereference. Change the error message directly in\nmtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the\nerror messages in mtk_dp_parse_capabilities(), which is called by\nmtk_dp_wait_hpd_asserted().\n\nWhile touching these prints, also add the error code to them to make\nfuture debugging easier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem, swap: fix softlockup with mTHP swapin\n\nFollowing softlockup can be easily reproduced on my test machine with:\n\necho always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled\nswapon /dev/zram0 # zram0 is a 48G swap device\nmkdir -p /sys/fs/cgroup/memory/test\necho 1G > /sys/fs/cgroup/test/memory.max\necho $BASHPID > /sys/fs/cgroup/test/cgroup.procs\nwhile true; do\n    dd if=/dev/zero of=/tmp/test.img bs=1M count=5120\n    cat /tmp/test.img > /dev/null\n    rm /tmp/test.img\ndone\n\nThen after a while:\nwatchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787]\nModules linked in: zram virtiofs\nCPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G             L      6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)\u00b7\nTainted: [L]=SOFTLOCKUP\nHardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015\nRIP: 0010:mpol_shared_policy_lookup+0xd/0x70\nCode: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <48> 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8\nRSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202\nRAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001\nRDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518\nRBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001\nR13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000\nFS:  00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n shmem_alloc_folio+0x31/0xc0\n shmem_swapin_folio+0x309/0xcf0\n ? filemap_get_entry+0x117/0x1e0\n ? xas_load+0xd/0xb0\n ? filemap_get_entry+0x101/0x1e0\n shmem_get_folio_gfp+0x2ed/0x5b0\n shmem_file_read_iter+0x7f/0x2e0\n vfs_read+0x252/0x330\n ksys_read+0x68/0xf0\n do_syscall_64+0x4c/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f03f9a46991\nCode: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec\nRSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991\nRDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003\nRBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380\nR10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000\nR13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000\n </TASK>\n\nThe reason is simple, readahead brought some order 0 folio in swap cache,\nand the swapin mTHP folio being allocated is in conflict with it, so\nswapcache_prepare fails and causes shmem_swap_alloc_folio to return\n-EEXIST, and shmem simply retries again and again causing this loop.\n\nFix it by applying a similar fix for anon mTHP swapin.\n\nThe performance change is very slight, time of swapin 10g zero folios\nwith shmem (test for 12 times):\nBefore:  2.47s\nAfter:   2.48s\n\n[kasong@tencent.com: add comment]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: userfaultfd: fix race of userfaultfd_move and swap cache\n\nThis commit fixes two kinds of races, they may have different results:\n\nBarry reported a BUG_ON in commit c50f8e6053b0, we may see the same\nBUG_ON if the filemap lookup returned NULL and folio is added to swap\ncache after that.\n\nIf another kind of race is triggered (folio changed after lookup) we\nmay see RSS counter is corrupted:\n\n[  406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_ANONPAGES val:-1\n[  406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_SHMEMPAGES val:1\n\nBecause the folio is being accounted to the wrong VMA.\n\nI'm not sure if there will be any data corruption though, seems no. \nThe issues above are critical already.\n\n\nOn seeing a swap entry PTE, userfaultfd_move does a lockless swap cache\nlookup, and tries to move the found folio to the faulting vma.  Currently,\nit relies on checking the PTE value to ensure that the moved folio still\nbelongs to the src swap entry and that no new folio has been added to the\nswap cache, which turns out to be unreliable.\n\nWhile working and reviewing the swap table series with Barry, following\nexisting races are observed and reproduced [1]:\n\nIn the example below, move_pages_pte is moving src_pte to dst_pte, where\nsrc_pte is a swap entry PTE holding swap entry S1, and S1 is not in the\nswap cache:\n\nCPU1                               CPU2\nuserfaultfd_move\n  move_pages_pte()\n    entry = pte_to_swp_entry(orig_src_pte);\n    // Here it got entry = S1\n    ... < interrupted> ...\n                                   <swapin src_pte, alloc and use folio A>\n                                   // folio A is a new allocated folio\n                                   // and get installed into src_pte\n                                   <frees swap entry S1>\n                                   // src_pte now points to folio A, S1\n                                   // has swap count == 0, it can be freed\n                                   // by folio_swap_swap or swap\n                                   // allocator's reclaim.\n                                   <try to swap out another folio B>\n                                   // folio B is a folio in another VMA.\n                                   <put folio B to swap cache using S1 >\n                                   // S1 is freed, folio B can use it\n                                   // for swap out with no problem.\n                                   ...\n    folio = filemap_get_folio(S1)\n    // Got folio B here !!!\n    ... < interrupted again> ...\n                                   <swapin folio B and free S1>\n                                   // Now S1 is free to be used again.\n                                   <swapout src_pte & folio A using S1>\n                                   // Now src_pte is a swap entry PTE\n                                   // holding S1 again.\n    folio_trylock(folio)\n    move_swap_pte\n      double_pt_lock\n      is_pte_pages_stable\n      // Check passed because src_pte == S1\n      folio_move_anon_rmap(...)\n      // Moved invalid folio B here !!!\n\nThe race window is very short and requires multiple collisions of multiple\nrare events, so it's very unlikely to happen, but with a deliberately\nconstructed reproducer and increased time window, it can be reproduced\neasily.\n\nThis can be fixed by checking if the folio returned by filemap is the\nvalid swap cache folio after acquiring the folio lock.\n\nAnother similar race is possible: filemap_get_folio may return NULL, but\nfolio (A) could be swapped in and then swapped out again using the same\nswap entry after the lookup.  In such a case, folio (A) may remain in the\nswap cache, so it must be moved too:\n\nCPU1                               CPU2\nuserfaultfd_move\n  move_pages_pte()\n    entry = pte_to_swp_entry(orig_src_pte);\n    // Here it got entry = S1, and S1 is not in swap cache\n    folio = filemap_get\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix invalid inode pointer dereferences during log replay\n\nIn a few places where we call read_one_inode(), if we get a NULL pointer\nwe end up jumping into an error path, or fallthrough in case of\n__add_inode_ref(), where we then do something like this:\n\n   iput(&inode->vfs_inode);\n\nwhich results in an invalid inode pointer that triggers an invalid memory\naccess, resulting in a crash.\n\nFix this by making sure we don't do such dereferences.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential deadlock when reconnecting channels\n\nFix cifs_signal_cifsd_for_reconnect() to take the correct lock order\nand prevent the following deadlock from happening\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.16.0-rc3-build2+ #1301 Tainted: G S      W\n------------------------------------------------------\ncifsd/6055 is trying to acquire lock:\nffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200\n\nbut task is already holding lock:\nffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #2 (&ret_buf->chan_lock){+.+.}-{3:3}:\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_setup_session+0x81/0x4b0\n       cifs_get_smb_ses+0x771/0x900\n       cifs_mount_get_session+0x7e/0x170\n       cifs_mount+0x92/0x2d0\n       cifs_smb3_do_mount+0x161/0x460\n       smb3_get_tree+0x55/0x90\n       vfs_get_tree+0x46/0x180\n       do_new_mount+0x1b0/0x2e0\n       path_mount+0x6ee/0x740\n       do_mount+0x98/0xe0\n       __do_sys_mount+0x148/0x180\n       do_syscall_64+0xa4/0x260\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-> #1 (&ret_buf->ses_lock){+.+.}-{3:3}:\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_match_super+0x101/0x320\n       sget+0xab/0x270\n       cifs_smb3_do_mount+0x1e0/0x460\n       smb3_get_tree+0x55/0x90\n       vfs_get_tree+0x46/0x180\n       do_new_mount+0x1b0/0x2e0\n       path_mount+0x6ee/0x740\n       do_mount+0x98/0xe0\n       __do_sys_mount+0x148/0x180\n       do_syscall_64+0xa4/0x260\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}:\n       check_noncircular+0x95/0xc0\n       check_prev_add+0x115/0x2f0\n       validate_chain+0x1cf/0x270\n       __lock_acquire+0x60e/0x780\n       lock_acquire.part.0+0xb4/0x1f0\n       _raw_spin_lock+0x2f/0x40\n       cifs_signal_cifsd_for_reconnect+0x134/0x200\n       __cifs_reconnect+0x8f/0x500\n       cifs_handle_standard+0x112/0x280\n       cifs_demultiplex_thread+0x64d/0xbc0\n       kthread+0x2f7/0x310\n       ret_from_fork+0x2a/0x230\n       ret_from_fork_asm+0x1a/0x30\n\nother info that might help us debug this:\n\nChain exists of:\n  &tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&ret_buf->chan_lock);\n                               lock(&ret_buf->ses_lock);\n                               lock(&ret_buf->chan_lock);\n  lock(&tcp_ses->srv_lock);\n\n *** DEADLOCK ***\n\n3 locks held by cifsd/6055:\n #0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200\n #1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200\n #2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n\nsyzbot reported a warning below during atm_dev_register(). [0]\n\nBefore creating a new device and procfs/sysfs for it, atm_dev_register()\nlooks up a duplicated device by __atm_dev_lookup().  These operations are\ndone under atm_dev_mutex.\n\nHowever, when removing a device in atm_dev_deregister(), it releases the\nmutex just after removing the device from the list that __atm_dev_lookup()\niterates over.\n\nSo, there will be a small race window where the device does not exist on\nthe device list but procfs/sysfs are still not removed, triggering the\nsplat.\n\nLet's hold the mutex until procfs/sysfs are removed in\natm_dev_deregister().\n\n[0]:\nproc_dir_entry 'atm/atmtcp:0' already registered\nWARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377\nModules linked in:\nCPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nRIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377\nCode: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48\nRSP: 0018:ffffc9000466fa30 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248\nRDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001\nRBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140\nR13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444\nFS:  00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n proc_create_data+0xbe/0x110 fs/proc/generic.c:585\n atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361\n atm_dev_register+0x46d/0x890 net/atm/resources.c:113\n atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369\n atmtcp_attach drivers/atm/atmtcp.c:403 [inline]\n atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464\n do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n sock_do_ioctl+0x115/0x280 net/socket.c:1190\n sock_ioctl+0x227/0x6b0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f38b3b74459\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459\nRDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005\nRBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac\nR13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: properly flush XDP redirect lists\n\nWe encountered the following crash when testing an XDP_REDIRECT feature\nin production:\n\n[56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd\n40f30).\n[56251.601413] ------------[ cut here ]------------\n[56251.611357] kernel BUG at lib/list_debug.c:29!\n[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P           O       6.12.33-cloudflare-2025.6.\n3 #1\n[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE\n[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025\n[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0\n[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48\n 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89\n[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246\n[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000\n[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80\n[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18\n[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000\n[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40\n[56251.796278] FS:  0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000\n[56251.809133] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0\n[56251.831365] PKRU: 55555554\n[56251.838653] Call Trace:\n[56251.845560]  <IRQ>\n[56251.851943]  cpu_map_enqueue.cold+0x5/0xa\n[56251.860243]  xdp_do_redirect+0x2d9/0x480\n[56251.868388]  bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]\n[56251.877028]  bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]\n[56251.885665]  ? cpu_max_write+0x1e/0x100\n[56251.893510]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.902276]  __bnxt_poll_work+0x190/0x340 [bnxt_en]\n[56251.911058]  bnxt_poll+0xab/0x1b0 [bnxt_en]\n[56251.919041]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.927568]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.935958]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.944250]  __napi_poll+0x2b/0x160\n[56251.951155]  bpf_trampoline_6442548651+0x79/0x123\n[56251.959262]  __napi_poll+0x5/0x160\n[56251.966037]  net_rx_action+0x3d2/0x880\n[56251.973133]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.981265]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56251.989262]  ? __hrtimer_run_queues+0x162/0x2a0\n[56251.996967]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.004875]  ? srso_alias_return_thunk+0x5/0xfbef5\n[56252.012673]  ? bnxt_msix+0x62/0x70 [bnxt_en]\n[56252.019903]  handle_softirqs+0xcf/0x270\n[56252.026650]  irq_exit_rcu+0x67/0x90\n[56252.032933]  common_interrupt+0x85/0xa0\n[56252.039498]  </IRQ>\n[56252.044246]  <TASK>\n[56252.048935]  asm_common_interrupt+0x26/0x40\n[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420\n[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae\n 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29\n[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202\n[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000\n[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000\n[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e\n[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860\n[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000\n[56252.146667]  ? cpuidle_enter_state+0xab/0x420\n[56252.153909]  cpuidle_enter+0x2d/0x40\n[56252.160360]  do_idle+0x176/0x1c0\n[56252.166456\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserns and mnt_idmap leak in open_tree_attr(2)\n\nOnce want_mount_setattr() has returned a positive, it does require\nfinish_mount_kattr() to release ->mnt_userns.  Failing do_mount_setattr()\ndoes not change that.\n\nAs the result, we can end up leaking userns and possibly mnt_idmap as\nwell.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mcast: Fix use-after-free during router port configuration\n\nThe bridge maintains a global list of ports behind which a multicast\nrouter resides. The list is consulted during forwarding to ensure\nmulticast packets are forwarded to these ports even if the ports are not\nmembers of the matching MDB entry.\n\nWhen per-VLAN multicast snooping is enabled, the per-port multicast\ncontext is disabled on each port and the port is removed from the global\nrouter port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 1\n $ bridge -d mdb show | grep router\n\nHowever, the port can be re-added to the global list even when per-VLAN\nmulticast snooping is enabled:\n\n # ip link set dev dummy1 type bridge_slave mcast_router 0\n # ip link set dev dummy1 type bridge_slave mcast_router 2\n $ bridge -d mdb show | grep router\n router ports on br1: dummy1\n\nSince commit 4b30ae9adb04 (\"net: bridge: mcast: re-implement\nbr_multicast_{enable, disable}_port functions\"), when per-VLAN multicast\nsnooping is enabled, multicast disablement on a port will disable the\nper-{port, VLAN} multicast contexts and not the per-port one. As a\nresult, a port will remain in the global router port list even after it\nis deleted. This will lead to a use-after-free [1] when the list is\ntraversed (when adding a new port to the list, for example):\n\n # ip link del dev dummy1\n # ip link add name dummy2 up master br1 type dummy\n # ip link set dev dummy2 type bridge_slave mcast_router 2\n\nSimilarly, stale entries can also be found in the per-VLAN router port\nlist. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}\ncontexts are disabled on each port and the port is removed from the\nper-VLAN router port list:\n\n # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1\n # ip link add name dummy1 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy1\n # bridge vlan global set vid 2 dev br1 mcast_snooping 1\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n       router ports: dummy1\n # ip link set dev br1 type bridge mcast_vlan_snooping 0\n $ bridge vlan global show dev br1 vid 2 | grep router\n\nHowever, the port can be re-added to the per-VLAN list even when\nper-VLAN multicast snooping is disabled:\n\n # bridge vlan set vid 2 dev dummy1 mcast_router 0\n # bridge vlan set vid 2 dev dummy1 mcast_router 2\n $ bridge vlan global show dev br1 vid 2 | grep router\n       router ports: dummy1\n\nWhen the VLAN is deleted from the port, the per-{port, VLAN} multicast\ncontext will not be disabled since multicast snooping is not enabled\non the VLAN. As a result, the port will remain in the per-VLAN router\nport list even after it is no longer a member of the VLAN. This will lead\nto a use-after-free [2] when the list is traversed (when adding a new\nport to the list, for example):\n\n # ip link add name dummy2 up master br1 type dummy\n # bridge vlan add vid 2 dev dummy2\n # bridge vlan del vid 2 dev dummy1\n # bridge vlan set vid 2 dev dummy2 mcast_router 2\n\nFix these issues by removing the port from the relevant (global or\nper-VLAN) router port list in br_multicast_port_ctx_deinit(). The\nfunction is invoked during port deletion with the per-port multicast\ncontext and during VLAN deletion with the per-{port, VLAN} multicast\ncontext.\n\nNote that deleting the multicast router timer is not enough as it only\ntakes care of the temporary multicast router states (1 or 3) and not the\npermanent one (2).\n\n[1]\nBUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560\nWrite of size 8 at addr ffff888004a67328 by task ip/384\n[...]\nCall Trace:\n <TASK>\n dump_stack\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()\n\nIn snd_usb_get_audioformat_uac3(), the length value returned from\nsnd_usb_ctl_msg() is used directly for memory allocation without\nvalidation. This length is controlled by the USB device.\n\nThe allocated buffer is cast to a uac3_cluster_header_descriptor\nand its fields are accessed without verifying that the buffer\nis large enough. If the device returns a smaller than expected\nlength, this leads to an out-of-bounds read.\n\nAdd a length check to ensure the buffer is large enough for\nuac3_cluster_header_descriptor.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix use-after-free in vhci_flush()\n\nsyzbot reported use-after-free in vhci_flush() without repro. [0]\n\nFrom the splat, a thread close()d a vhci file descriptor while\nits device was being used by ioctl() on another thread.\n\nOnce the last fd refcnt is released, vhci_release() calls\nhci_unregister_dev(), hci_free_dev(), and kfree() for struct\nvhci_data, which is set to hci_dev->dev->driver_data.\n\nThe problem is that there is no synchronisation after unlinking\nhdev from hci_dev_list in hci_unregister_dev().  There might be\nanother thread still accessing the hdev which was fetched before\nthe unlink operation.\n\nWe can use SRCU for such synchronisation.\n\nLet's run hci_dev_reset() under SRCU and wait for its completion\nin hci_unregister_dev().\n\nAnother option would be to restore hci_dev->destruct(), which was\nremoved in commit 587ae086f6e4 (\"Bluetooth: Remove unused\nhci-destruct cb\").  However, this would not be a good solution, as\nwe should not run hci_unregister_dev() while there are in-flight\nioctl() requests, which could lead to another data-race KCSAN splat.\n\nNote that other drivers seem to have the same problem, for example,\nvirtbt_remove().\n\n[0]:\nBUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\nBUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\nRead of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718\n\nCPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\n skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\n skb_queue_purge include/linux/skbuff.h:3368 [inline]\n vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69\n hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]\n hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592\n sock_do_ioctl+0xd9/0x300 net/socket.c:1190\n sock_ioctl+0x576/0x790 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcf5b98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929\nRDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009\nRBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528\n </TASK>\n\nAllocated by task 6535:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635\n misc_open+0x2bc/0x330 drivers/char/misc.c:161\n chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414\n do_dentry_open+0xdf0/0x1970 fs/open.c:964\n vfs_open+0x3b/0x340 fs/open.c:1094\n do_open fs/namei.c:3887 [inline]\n path_openat+0x2ee5/0x3830 fs/name\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: prevent NULL deref in clip_push()\n\nBlamed commit missed that vcc_destroy_socket() calls\nclip_push() with a NULL skb.\n\nIf clip_devs is NULL, clip_push() then crashes when reading\nskb->truesize.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/ras: Fix CPER handler device confusion\n\nBy inspection, cxl_cper_handle_prot_err() is making a series of fragile\nassumptions that can lead to crashes:\n\n1/ It assumes that endpoints identified in the record are a CXL-type-3\n   device, nothing guarantees that.\n\n2/ It assumes that the device is bound to the cxl_pci driver, nothing\n   guarantees that.\n\n3/ Minor, it holds the device lock over the switch-port tracing for no\n   reason as the trace is 100% generated from data in the record.\n\nCorrect those by checking that the PCIe endpoint parents a cxl_memdev\nbefore assuming the format of the driver data, and move the lock to where\nit is required. Consequently this also makes the implementation ready for\nCXL accelerators that are not bound to cxl_pci.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix crash in wacom_aes_battery_handler()\n\nCommit fd2a9b29dc9c (\"HID: wacom: Remove AES power_supply after extended\ninactivity\") introduced wacom_aes_battery_handler() which is scheduled\nas a delayed work (aes_battery_work).\n\nIn wacom_remove(), aes_battery_work is not canceled. Consequently, if\nthe device is removed while aes_battery_work is still pending, then hard\ncrashes or \"Oops: general protection fault...\" are experienced when\nwacom_aes_battery_handler() is finally called. E.g., this happens with\nbuilt-in USB devices after resume from hibernate when aes_battery_work\nwas still pending at the time of hibernation.\n\nSo, take care to cancel aes_battery_work in wacom_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add sanity checks for drm_edid_raw()\n\nWhen EDID is retrieved via drm_edid_raw(), it doesn't guarantee to\nreturn proper EDID bytes the caller wants: it may be either NULL (that\nleads to an Oops) or with too long bytes over the fixed size raw_edid\narray (that may lead to memory corruption).  The latter was reported\nactually when connected with a bad adapter.\n\nAdd sanity checks for drm_edid_raw() to address the above corner\ncases, and return EDID_BAD_INPUT accordingly.\n\n(cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()\n\nWhile testing null_blk with configfs, echo 0 > poll_queues will trigger\nthe following panic:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:__bitmap_or+0x48/0x70\nCall Trace:\n <TASK>\n __group_cpus_evenly+0x822/0x8c0\n group_cpus_evenly+0x2d9/0x490\n blk_mq_map_queues+0x1e/0x110\n null_map_queues+0xc9/0x170 [null_blk]\n blk_mq_update_queue_map+0xdb/0x160\n blk_mq_update_nr_hw_queues+0x22b/0x560\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_poll_queues_store+0xa4/0x130 [null_blk]\n configfs_write_iter+0x109/0x1d0\n vfs_write+0x26e/0x6f0\n ksys_write+0x79/0x180\n __x64_sys_write+0x1d/0x30\n x64_sys_call+0x45c4/0x45f0\n do_syscall_64+0xa5/0x240\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRoot cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from\nkcalloc(), and later ZERO_SIZE_PTR will be dereferenced.\n\nFix the problem by checking numgrps first in group_cpus_evenly(), and\nreturn NULL directly if numgrps is zero.\n\n[yukuai3@huawei.com: also fix the non-SMP version]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: fix folio unpinning\n\nsyzbot complains about an unmapping failure:\n\n[  108.070381][   T14] kernel BUG at mm/gup.c:71!\n[  108.070502][   T14] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[  108.123672][   T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025\n[  108.127458][   T14] Workqueue: iou_exit io_ring_exit_work\n[  108.174205][   T14] Call trace:\n[  108.175649][   T14]  sanity_check_pinned_pages+0x7cc/0x7d0 (P)\n[  108.178138][   T14]  unpin_user_page+0x80/0x10c\n[  108.180189][   T14]  io_release_ubuf+0x84/0xf8\n[  108.182196][   T14]  io_free_rsrc_node+0x250/0x57c\n[  108.184345][   T14]  io_rsrc_data_free+0x148/0x298\n[  108.186493][   T14]  io_sqe_buffers_unregister+0x84/0xa0\n[  108.188991][   T14]  io_ring_ctx_free+0x48/0x480\n[  108.191057][   T14]  io_ring_exit_work+0x764/0x7d8\n[  108.193207][   T14]  process_one_work+0x7e8/0x155c\n[  108.195431][   T14]  worker_thread+0x958/0xed8\n[  108.197561][   T14]  kthread+0x5fc/0x75c\n[  108.199362][   T14]  ret_from_fork+0x10/0x20\n\nWe can pin a tail page of a folio, but then io_uring will try to unpin\nthe head page of the folio. While it should be fine in terms of keeping\nthe page actually alive, mm folks say it's wrong and triggers a debug\nwarning. Use unpin_user_folio() instead of unpin_user_page*.\n\n[axboe: adapt to current tree, massage commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pkey: Prevent overflow in size calculation for memdup_user()\n\nNumber of apqn target list entries contained in 'nr_apqns' variable is\ndetermined by userspace via an ioctl call so the result of the product in\ncalculation of size passed to memdup_user() may overflow.\n\nIn this case the actual size of the allocated area and the value\ndescribing it won't be in sync leading to various types of unpredictable\nbehaviour later.\n\nUse a proper memdup_array_user() helper which returns an error if an\noverflow is detected. Note that it is different from when nr_apqns is\ninitially zero - that case is considered valid and should be handled in\nsubsequent pkey_handler implementations.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write\n\nmemcg_path_store() assigns a newly allocated memory buffer to\nfilter->memcg_path, without deallocating the previously allocated and\nassigned memory buffer.  As a result, users can leak kernel memory by\ncontinuously writing data to the memcg_path DAMOS sysfs file.  Fix the leak\nby deallocating the previously set memory buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd9335: Fix missing free of regulator supplies\n\nDriver gets and enables all regulator supplies in probe path\n(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not clean up\nin final error paths and in unbind (missing remove() callback).  This\nleads to leaked memory and unbalanced regulator enable count during\nprobe errors or unbind.\n\nFix this by converting entire code into devm_regulator_bulk_get_enable()\nwhich also greatly simplifies the code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is a syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process 'repro' launched './file2' with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G           OE       6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n  <TASK>\n  btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n  btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n  submit_one_bio+0xde/0x160 [btrfs]\n  btrfs_readahead+0x498/0x6a0 [btrfs]\n  read_pages+0x1c3/0xb20\n  page_cache_ra_order+0x4b5/0xc20\n  filemap_get_pages+0x2d3/0x19e0\n  filemap_read+0x314/0xde0\n  __kernel_read+0x35b/0x900\n  bprm_execve+0x62e/0x1140\n  do_execveat_common.isra.0+0x3fc/0x520\n  __x64_sys_execveat+0xdc/0x130\n  do_syscall_64+0x54/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded */\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results in unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: save the SR_SUM status over switches\n\nWhen threads/tasks are switched we need to ensure the old execution's\nSR_SUM state is saved and the new thread has the old SR_SUM state\nrestored.\n\nThe issue was seen under heavy load especially with the syz-stress tool\nrunning, with crashes as follows in schedule_tail:\n\nUnable to handle kernel access to user memory without uaccess routines\nat virtual address 000000002749f0d0\nOops [#1]\nModules linked in:\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\nHardware name: riscv-virtio,qemu (DT)\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n ra : task_pid_vnr include/linux/sched.h:1421 [inline]\n ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\n gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\n t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\n s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\n a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\n a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\n s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\n s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\n s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\n s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\n t5 : ffffffc4043cafba t6 : 0000000000040000\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\n000000000000000f\nCall Trace:\n[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n[<ffffffe000005570>] ret_from_exception+0x0/0x14\nDumping ftrace buffer:\n   (ftrace buffer empty)\n---[ end trace b5f8f9231dc87dda ]---\n\nThe issue comes from the put_user() in schedule_tail\n(kernel/sched/core.c) doing the following:\n\nasmlinkage 
__visible void schedule_tail(struct task_struct *prev)\n{\n...\n        if (current->set_child_tid)\n                put_user(task_pid_vnr(current), current->set_child_tid);\n...\n}\n\nthe put_user() macro causes the code sequence to come out as follows:\n\n1:\t__enable_user_access()\n2:\treg = task_pid_vnr(current);\n3:\t*current->set_child_tid = reg;\n4:\t__disable_user_access()\n\nThe problem is that we may have a sleeping function as argument which\ncould clear SR_SUM causing the panic above. This was fixed by\nevaluating the argument of the put_user() macro outside the user-enabled\nsection in commit 285a76bb2cf5 (\"riscv: evaluate put_user() arg before\nenabling user access\")\"\n\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\nto avoid the same issue we had with put_user() and sleeping functions we\nmust ensure code flow can go through switch_to() from within a region of\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\npatch addresses the problem allowing future work to enable full use of\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\non every access. Make switch_to() save and restore SR_SUM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: uartlite: register uart driver in init\n\nWhen two instances of uart devices are probing, a concurrency race can\noccur. If one thread calls uart_register_driver function, which first\nallocates and assigns memory to 'uart_state' member of uart_driver\nstructure, the other instance can bypass uart driver registration and\ncall ulite_assign. This calls uart_add_one_port, which expects the uart\ndriver to be fully initialized. This leads to a kernel panic due to a\nnull pointer dereference:\n\n[    8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8\n[    8.156982] #PF: supervisor write access in kernel mode\n[    8.156984] #PF: error_code(0x0002) - not-present page\n[    8.156986] PGD 0 P4D 0\n...\n[    8.180668] RIP: 0010:mutex_lock+0x19/0x30\n[    8.188624] Call Trace:\n[    8.188629]  ? __die_body.cold+0x1a/0x1f\n[    8.195260]  ? page_fault_oops+0x15c/0x290\n[    8.209183]  ? __irq_resolve_mapping+0x47/0x80\n[    8.209187]  ? exc_page_fault+0x64/0x140\n[    8.209190]  ? asm_exc_page_fault+0x22/0x30\n[    8.209196]  ? mutex_lock+0x19/0x30\n[    8.223116]  uart_add_one_port+0x60/0x440\n[    8.223122]  ? proc_tty_register_driver+0x43/0x50\n[    8.223126]  ? tty_register_driver+0x1ca/0x1e0\n[    8.246250]  ulite_probe+0x357/0x4b0 [uartlite]\n\nTo prevent it, move uart driver registration in to init function. This\nwill ensure that uart_driver is always registered when probe function\nis called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n   bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n   register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860         if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861             mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||\n 1862             mempool_init_kmalloc_pool(&c->bio_meta, 2,\n 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864                                 bucket_pages(c)) ||\n 1865             mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||\n 1866             bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),\n 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868             !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869             !(c->moving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870                                                 WQ_MEM_RECLAIM, 0)) ||\n 1871             bch_journal_alloc(c) ||\n 1872             bch_btree_cache_alloc(c) ||\n 1873             bch_open_buckets_alloc(c) ||\n 1874             bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))\n 1875                 goto err;\n                      ^^^^^^^^\n 1876\n ...\n 1883         return c;\n 1884 err:\n 1885         bch_cache_set_unregister(c);\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886         return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098         c = bch_cache_set_alloc(&ca->sb);\n 2099         if (!c)\n 2100                 return err;\n                      ^^^^^^^^^^\n ...\n 2128         ca->set = c;\n 
2129         ca->set->cache[ca->sb.nr_this_dev] = ca;\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138         return NULL;\n 2139 err:\n 2140         bch_cache_set_unregister(c);\n 2141         return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and\n    call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n    value to c->cache[], it means that c->cache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---> bch_cache_set_stop()\n     ---> closure_queue()\n          -.-> cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654         for_each_cache(ca, c, i)\n 1655                 if (ca->alloc_thread)\n                          ^^\n 1656                         kthread_stop(ca->alloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n    kernel crash occurred as below:\n[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[  846.713242] bcache: register_bcache() error : failed to register device\n[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[  846.714790] PGD 0 P4D 0\n[  846.715129] Oops: 0000 [#1] SMP PTI\n[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[  846.716451] Workqueue: events cache_set_flush [bcache]\n[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff 
a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: sanitize request list handling\n\nValidate the request in nvme_tcp_handle_r2t() to ensure it's not part of\nany list, otherwise a malicious R2T PDU might inject a loop in request\nlist processing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: jsm: fix NPE during jsm_uart_port_init\n\nNo device was set which caused serial_base_ctrl_add to crash.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000050\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1  Debian 6.12.25-1\n RIP: 0010:serial_base_ctrl_add+0x96/0x120\n Call Trace:\n  <TASK>\n  serial_core_register_port+0x1a0/0x580\n  ? __setup_irq+0x39c/0x660\n  ? __kmalloc_cache_noprof+0x111/0x310\n  jsm_uart_port_init+0xe8/0x180 [jsm]\n  jsm_probe_one+0x1f4/0x410 [jsm]\n  local_pci_probe+0x42/0x90\n  pci_device_probe+0x22f/0x270\n  really_probe+0xdb/0x340\n  ? pm_runtime_barrier+0x54/0x90\n  ? __pfx___driver_attach+0x10/0x10\n  __driver_probe_device+0x78/0x110\n  driver_probe_device+0x1f/0xa0\n  __driver_attach+0xba/0x1c0\n  bus_for_each_dev+0x8c/0xe0\n  bus_add_driver+0x112/0x1f0\n  driver_register+0x72/0xd0\n  jsm_init_module+0x36/0xff0 [jsm]\n  ? __pfx_jsm_init_module+0x10/0x10 [jsm]\n  do_one_initcall+0x58/0x310\n  do_init_module+0x60/0x230\n\nTested with Digi Neo PCIe 8 port card.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms\n\nCommit 3ef9f710efcb (\"pinctrl: mediatek: Add EINT support for multiple\naddresses\") introduced an access to the 'soc' field of struct\nmtk_pinctrl in mtk_eint_do_init() and for that an include of\npinctrl-mtk-common-v2.h.\n\nHowever, pinctrl drivers relying on the v1 common driver include\npinctrl-mtk-common.h instead, which provides another definition of\nstruct mtk_pinctrl that does not contain an 'soc' field.\n\nSince mtk_eint_do_init() can be called both by v1 and v2 drivers, it\nwill now try to dereference an invalid pointer when called on v1\nplatforms. This has been observed on Genio 350 EVK (MT8365), which\ncrashes very early in boot (the kernel trace can only be seen with\nearlycon).\n\nIn order to fix this, since 'struct mtk_pinctrl' was only needed to get\na 'struct mtk_eint_pin', make 'struct mtk_eint_pin' a parameter\nof mtk_eint_do_init() so that callers need to supply it, removing\nmtk_eint_do_init()'s dependency on any particular 'struct mtk_pinctrl'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not trigger WARN_ON() due to a commit_overrun\n\nWhen reading a memory mapped buffer the reader page is just swapped out\nwith the last page written in the write buffer. If the reader page is the\nsame as the commit buffer (the buffer that is currently being written to)\nit was assumed that it should never have missed events. If it does, it\ntriggers a WARN_ON_ONCE().\n\nBut there just happens to be one scenario where this can legitimately\nhappen. That is on a commit_overrun. A commit overrun is when an interrupt\npreempts an event being written to the buffer and then the interrupt adds\nso many new events that it fills and wraps the buffer back to the commit.\nAny new events would then be dropped and be reported as \"missed_events\".\n\nIn this case, the next page to read is the commit buffer and after the\nswap of the reader page, the reader page will be the commit buffer, but\nthis time there will be missed events and this triggers the following\nwarning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780\n Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50\n RSP: 0018:ffff888121787dc0 EFLAGS: 00010002\n RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49\n RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8\n RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982\n R10: ffff888126934c17 
R11: ffff8881010050a8 R12: ffff888126934c00\n R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008\n FS:  00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __pfx_ring_buffer_map_get_reader+0x10/0x10\n  tracing_buffers_ioctl+0x283/0x370\n  __x64_sys_ioctl+0x134/0x190\n  do_syscall_64+0x79/0x1c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f95c8de48db\n Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00\n RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db\n RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006\n RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90\n  </TASK>\n irq event stamp: 5080\n hardirqs last  enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70\n hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70\n softirqs last  enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710\n softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210\n ---[ end trace 0000000000000000 ]---\n\nThe above was triggered by running on a kernel with both lockdep and KASAN\nas well as kmemleak enabled and executing the following command:\n\n # perf record -o perf-test.dat -a -- trace-cmd record --nosplice  -e all -p function hackbench 50\n\nWith perf interjecting a lot of interrupts and trace-cmd enabling all\nevents as well as function tracing, with lockdep, KASAN and kmemleak\nenabled, it 
could cause an interrupt preempting an event being written to\nadd enough event\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work\n\nA state check was previously added to tcpm_queue_vdm_unlocked to\nprevent a deadlock where the DisplayPort Alt Mode driver would be\nexecuting work and attempting to grab the tcpm_lock while the TCPM\nwas holding the lock and attempting to unregister the altmode, blocking\non the altmode driver's cancel_work_sync call.\n\nBecause the state check isn't protected, there is a small window\nwhere the Alt Mode driver could determine that the TCPM is\nin a ready state and attempt to grab the lock while the\nTCPM grabs the lock and changes the TCPM state to one that\ncauses the deadlock. The callstack is provided below:\n\n[110121.667392][    C7] Call trace:\n[110121.667396][    C7]  __switch_to+0x174/0x338\n[110121.667406][    C7]  __schedule+0x608/0x9f0\n[110121.667414][    C7]  schedule+0x7c/0xe8\n[110121.667423][    C7]  kernfs_drain+0xb0/0x114\n[110121.667431][    C7]  __kernfs_remove+0x16c/0x20c\n[110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8\n[110121.667442][    C7]  sysfs_remove_group+0x84/0xe8\n[110121.667450][    C7]  sysfs_remove_groups+0x34/0x58\n[110121.667458][    C7]  device_remove_groups+0x10/0x20\n[110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4\n[110121.667475][    C7]  device_release_driver+0x18/0x28\n[110121.667484][    C7]  bus_remove_device+0xec/0x118\n[110121.667491][    C7]  device_del+0x1e8/0x4ac\n[110121.667498][    C7]  device_unregister+0x18/0x38\n[110121.667504][    C7]  typec_unregister_altmode+0x30/0x44\n[110121.667515][    C7]  tcpm_reset_port+0xac/0x370\n[110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8\n[110121.667529][    C7]  run_state_machine+0x4c0/0x1b68\n[110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4\n[110121.667544][    C7]  kthread_worker_fn+0x10c/0x244\n[110121.667552][    C7]  kthread+0x104/0x1d4\n[110121.667557][    C7]  
ret_from_fork+0x10/0x20\n\n[110121.667689][    C7] Workqueue: events dp_altmode_work\n[110121.667697][    C7] Call trace:\n[110121.667701][    C7]  __switch_to+0x174/0x338\n[110121.667710][    C7]  __schedule+0x608/0x9f0\n[110121.667717][    C7]  schedule+0x7c/0xe8\n[110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40\n[110121.667733][    C7]  __mutex_lock+0x408/0xdac\n[110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24\n[110121.667748][    C7]  mutex_lock+0x40/0xec\n[110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4\n[110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c\n[110121.667769][    C7]  dp_altmode_work+0x68/0x164\n[110121.667775][    C7]  process_one_work+0x1e4/0x43c\n[110121.667783][    C7]  worker_thread+0x25c/0x430\n[110121.667789][    C7]  kthread+0x104/0x1d4\n[110121.667794][    C7]  ret_from_fork+0x10/0x20\n\nChange tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,\nwhich can perform the state check while holding the TCPM lock\nwhile the Alt Mode lock is no longer held. This requires a new\nstruct to hold the vdm data, altmode_vdm_event.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: exit after state insertion failure at btrfs_convert_extent_bit()\n\nIf insert_state() state failed it returns an error pointer and we call\nextent_io_tree_panic() which will trigger a BUG() call. However if\nCONFIG_BUG is disabled, which is an uncommon and exotic scenario, then\nwe fallthrough and call cache_state() which will dereference the error\npointer, resulting in an invalid memory access.\n\nSo jump to the 'out' label after calling extent_io_tree_panic(), it also\nmakes the code more clear besides dealing with the exotic scenario where\nCONFIG_BUG is disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drv: netdevsim: don't napi_complete() from netpoll\n\nnetdevsim supports netpoll. Make sure we don't call napi_complete()\nfrom it, since it may not be scheduled. Breno reports hitting a\nwarning in napi_complete_done():\n\nWARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560\n  __napi_poll+0x2d8/0x3a0\n  handle_softirqs+0x1fe/0x710\n\nThis is presumably after netpoll stole the SCHED bit prematurely.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent a NULL deref in rtnl_create_link()\n\nAt the time rtnl_create_link() is running, dev->netdev_ops is NULL,\nwe must not use netdev_lock_ops() or risk a NULL deref if\nCONFIG_NET_SHAPER is defined.\n\nUse netif_set_group() instead of dev_set_group().\n\n RIP: 0010:netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]\n RIP: 0010:netdev_lock_ops include/net/netdev_lock.h:41 [inline]\n RIP: 0010:dev_set_group+0xc0/0x230 net/core/dev_api.c:82\nCall Trace:\n <TASK>\n  rtnl_create_link+0x748/0xd10 net/core/rtnetlink.c:3674\n  rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813\n  __rtnl_newlink net/core/rtnetlink.c:3940 [inline]\n  rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055\n  rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944\n  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2534\n  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n  netlink_unicast+0x75b/0x8d0 net/netlink/af_netlink.c:1339\n  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883\n  sock_sendmsg_nosec net/socket.c:712 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: b53: do not enable EEE on bcm63xx\n\nBCM63xx internal switches do not support EEE, but provide multiple RGMII\nports where external PHYs may be connected. If one of these PHYs are EEE\ncapable, we may try to enable EEE for the MACs, which then hangs the\nsystem on access of the (non-existent) EEE registers.\n\nFix this by checking if the switch actually supports EEE before\nattempting to configure it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tipc: fix refcount warning in tipc_aead_encrypt\n\nsyzbot reported a refcount warning [1] caused by calling get_net() on\na network namespace that is being destroyed (refcount=0). This happens\nwhen a TIPC discovery timer fires during network namespace cleanup.\n\nThe recently added get_net() call in commit e279024617134 (\"net/tipc:\nfix slab-use-after-free Read in tipc_aead_encrypt_done\") attempts to\nhold a reference to the network namespace. However, if the namespace\nis already being destroyed, its refcount might be zero, leading to the\nuse-after-free warning.\n\nReplace get_net() with maybe_get_net(), which safely checks if the\nrefcount is non-zero before incrementing it. If the namespace is being\ndestroyed, return -ENODEV early, after releasing the bearer reference.\n\n[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()\n\nfpga_mgr_test_img_load_sgt() allocates memory for sgt using\nkunit_kzalloc() however it does not check if the allocation failed.\nIt then passes sgt to sg_alloc_table(), which passes it to\n__sg_alloc_table(). This function calls memset() on sgt in an attempt to\nzero it out. If the allocation fails then sgt will be NULL and the\nmemset will trigger a NULL pointer dereference.\n\nFix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug\n\nThe qmp_usb_iomap() helper function currently returns the raw result of\ndevm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return\na NULL pointer and the caller only checks error pointers with IS_ERR(),\nNULL could bypass the check and lead to an invalid dereference.\n\nFix the issue by checking if devm_ioremap() returns NULL. When it does,\nqmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),\nensuring safe and consistent error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/dax: Fix \"don't skip locked entries when scanning entries\"\n\nCommit 6be3e21d25ca (\"fs/dax: don't skip locked entries when scanning\nentries\") introduced a new function, wait_entry_unlocked_exclusive(),\nwhich waits for the current entry to become unlocked without advancing\nthe XArray iterator state.\n\nWaiting for the entry to become unlocked requires dropping the XArray\nlock. This requires calling xas_pause() prior to dropping the lock\nwhich leaves the xas in a suitable state for the next iteration. However\nthis has the side-effect of advancing the xas state to the next index.\nNormally this isn't an issue because xas_for_each() contains code to\ndetect this state and thus avoid advancing the index a second time on\nthe next loop iteration.\n\nHowever both callers of and wait_entry_unlocked_exclusive() itself\nsubsequently use the xas state to reload the entry. As xas_pause()\nupdated the state to the next index this will cause the current entry\nwhich is being waited on to be skipped. 
This caused the following\nwarning to fire intermittently when running xftest generic/068 on an XFS\nfilesystem with FS DAX enabled:\n\n[   35.067397] ------------[ cut here ]------------\n[   35.068229] WARNING: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0\n[   35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm\n[   35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary)\n[   35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204\n[   35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0\n[   35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68\n[   35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202\n[   35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4\n[   35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8\n[   35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003\n[   35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f\n[   35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe\n[   35.085953] FS:  00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000\n[   35.087346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0\n[   35.089354] Call Trace:\n[   35.089749]  <TASK>\n[   35.090168]  truncate_inode_pages_range+0xfc/0x4d0\n[   35.091078]  truncate_pagecache+0x47/0x60\n[   35.091735]  xfs_setattr_size+0xc7/0x3e0\n[   35.092648]  xfs_vn_setattr+0x1ea/0x270\n[   35.093437]  notify_change+0x1f4/0x510\n[   35.094219]  ? 
do_truncate+0x97/0xe0\n[   35.094879]  do_truncate+0x97/0xe0\n[   35.095640]  path_openat+0xabd/0xca0\n[   35.096278]  do_filp_open+0xd7/0x190\n[   35.096860]  do_sys_openat2+0x8a/0xe0\n[   35.097459]  __x64_sys_openat+0x6d/0xa0\n[   35.098076]  do_syscall_64+0xbb/0x1d0\n[   35.098647]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   35.099444] RIP: 0033:0x7f9134d81fc1\n[   35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5\n[   35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101\n[   35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1\n[   35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c\n[   35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064\n[   35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066\n[   35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400\n[   35.110357]  </TASK>\n[   35.110769] irq event stamp: 8415587\n[   35.111486] hardirqs last  enabled at (8415599): [<ffffffff8d74b562>] __up_console_se\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: nand: ecc-mxic: Fix use of uninitialized variable ret\n\nIf ctx->steps is zero, the loop processing ECC steps is skipped,\nand the variable ret remains uninitialized. It is later checked\nand returned, which leads to undefined behavior and may cause\nunpredictable results in user space or kernel crashes.\n\nThis scenario can be triggered in edge cases such as misconfigured\ngeometry, ECC engine misuse, or if ctx->steps is not validated\nafter initialization.\n\nInitialize ret to zero before the loop to ensure correct and safe\nbehavior regardless of the ctx->steps value.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback\n\nThis patch addresses below issues,\n\n1. Active traffic on the leaf node must be stopped before its send queue\n   is reassigned to the parent. This patch resolves the issue by marking\n   the node as 'Inner'.\n\n2. During a system reboot, the interface receives TC_HTB_LEAF_DEL\n   and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.\n   In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue\n   is reassigned to the parent, the current logic still attempts to update\n   the real number of queues, leadning to below warnings\n\n        New queues can't be registered after device unregistration.\n        WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714\n        netdev_queue_update_kobjects+0x1e4/0x200",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not include stack ptr register in precision backtracking bookkeeping\n\nYi Lai reported an issue ([1]) where the following warning appears\nin kernel dmesg:\n  [   60.643604] verifier backtracking bug\n  [   60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10\n  [   60.648428] Modules linked in: bpf_testmod(OE)\n  [   60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G           OE       6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full)\n  [   60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  [   60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [   60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10\n  [   60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04\n                       01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ...\n  [   60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246\n  [   60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000\n  [   60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff\n  [   60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a\n  [   60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8\n  [   60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001\n  [   60.684030] FS:  00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000\n  [   60.686837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [   60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0\n  [   60.691623] Call Trace:\n  [   60.692821]  <TASK>\n  [   60.693960]  ? __pfx_verbose+0x10/0x10\n  [   60.695656]  ? 
__pfx_disasm_kfunc_name+0x10/0x10\n  [   60.697495]  check_cond_jmp_op+0x16f7/0x39b0\n  [   60.699237]  do_check+0x58fa/0xab10\n  ...\n\nFurther analysis shows the warning is at line 4302 as below:\n\n  4294                 /* static subprog call instruction, which\n  4295                  * means that we are exiting current subprog,\n  4296                  * so only r1-r5 could be still requested as\n  4297                  * precise, r0 and r6-r10 or any stack slot in\n  4298                  * the current frame should be zero by now\n  4299                  */\n  4300                 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {\n  4301                         verbose(env, \"BUG regs %x\\n\", bt_reg_mask(bt));\n  4302                         WARN_ONCE(1, \"verifier backtracking bug\");\n  4303                         return -EFAULT;\n  4304                 }\n\nWith the below test (also in the next patch):\n  __used __naked static void __bpf_jmp_r10(void)\n  {\n\tasm volatile (\n\t\"r2 = 2314885393468386424 ll;\"\n\t\"goto +0;\"\n\t\"if r2 <= r10 goto +3;\"\n\t\"if r1 >= -1835016 goto +0;\"\n\t\"if r2 <= 8 goto +0;\"\n\t\"if r3 <= 0 goto +0;\"\n\t\"exit;\"\n\t::: __clobber_all);\n  }\n\n  SEC(\"?raw_tp\")\n  __naked void bpf_jmp_r10(void)\n  {\n\tasm volatile (\n\t\"r3 = 0 ll;\"\n\t\"call __bpf_jmp_r10;\"\n\t\"r0 = 0;\"\n\t\"exit;\"\n\t::: __clobber_all);\n  }\n\nThe following is the verifier failure log:\n  0: (18) r3 = 0x0                      ; R3_w=0\n  2: (85) call pc+2\n  caller:\n   R10=fp0\n  callee:\n   frame1: R1=ctx() R3_w=0 R10=fp0\n  5: frame1: R1=ctx() R3_w=0 R10=fp0\n  ; asm volatile (\"                                 \\ @ verifier_precision.c:184\n  5: (18) r2 = 0x20202000256c6c78       ; frame1: R2_w=0x20202000256c6c78\n  7: (05) goto pc+0\n  8: (bd) if r2 <= r10 goto pc+3        ; frame1: R2_w=0x20202000256c6c78 R10=fp0\n  9: (35) if r1 >= 0xffe3fff8 goto pc+0         ; frame1: R1=ctx()\n  10: (b5) if r2 <= 0x8 goto pc+0\n  mark_precise: frame1: 
last_idx 10 first_idx 0 subseq_idx -1\n  mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0\n  mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3\n  mark_preci\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Avoid __bpf_prog_ret0_warn when jit fails\n\nsyzkaller reported an issue:\n\nWARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357\nModules linked in:\nCPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39\nRIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357\nCall Trace:\n <TASK>\n bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]\n __bpf_prog_run include/linux/filter.h:718 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105\n ...\n\nWhen creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.\nThis issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set\nand bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,\nbut jit failed due to FAULT_INJECTION. As a result, incorrectly\ntreats the program as valid, when the program runs it calls\n`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Add NULL check in mt7996_thermal_init\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in mt7996_thermal_init() is not checked.\nAdd NULL check in mt7996_thermal_init(), to handle kernel NULL\npointer dereference error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Relax constraint in draining guard\n\nThe active reference lifecycle provides the break/unbreak mechanism but\nthe active reference is not truly active after unbreak -- callers don't\nuse it afterwards but it's important for proper pairing of kn->active\ncounting. Assuming this mechanism is in place, the WARN check in\nkernfs_should_drain_open_files() is too sensitive -- it may transiently\ncatch those (rightful) callers between\nkernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen\nRidong:\n\n\tkernfs_remove_by_name_ns\tkernfs_get_active // active=1\n\t__kernfs_remove\t\t\t\t\t  // active=0x80000002\n\tkernfs_drain\t\t\t...\n\twait_event\n\t//waiting (active == 0x80000001)\n\t\t\t\t\tkernfs_break_active_protection\n\t\t\t\t\t// active = 0x80000001\n\t// continue\n\t\t\t\t\tkernfs_unbreak_active_protection\n\t\t\t\t\t// active = 0x80000002\n\t...\n\tkernfs_should_drain_open_files\n\t// warning occurs\n\t\t\t\t\tkernfs_put_active\n\nTo avoid the false positives (mind panic_on_warn) remove the check altogether.\n(This is meant as quick fix, I think active reference break/unbreak may be\nsimplified with larger rework.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: bugfix live migration function without VF device driver\n\nIf the VF device driver is not loaded in the Guest OS and we attempt to\nperform device data migration, the address of the migrated data will\nbe NULL.\nThe live migration recovery operation on the destination side will\naccess a null address value, which will cause access errors.\n\nTherefore, live migration of VMs without added VF device drivers\ndoes not require device data migration.\nIn addition, when the queue address data obtained by the destination\nis empty, device queue recovery processing will not be performed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\n\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn't set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\n\nWith NULL mmap address, kernel throws trace:\n\n  BUG: unable to handle page fault for address: 0000000000001090\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n  CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE      6.14.2-061402-generic #202504101348\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\n  RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\n  RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\n  RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\n  RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\n  R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\n  FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\n  Call Trace:\n   <TASK>\n   rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\n   rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\n   rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n   ? __pfx___device_attach_driver+0x10/0x10\n   ? __pfx___device_attach_driver+0x10/0x10\n   local_pci_probe+0x47/0xa0\n   pci_call_probe+0x5d/0x190\n   pci_device_probe+0xa7/0x160\n   really_probe+0xf9/0x370\n   ? 
pm_runtime_barrier+0x55/0xa0\n   __driver_probe_device+0x8c/0x140\n   driver_probe_device+0x24/0xd0\n   __device_attach_driver+0xcd/0x170\n   bus_for_each_drv+0x99/0x100\n   __device_attach+0xb4/0x1d0\n   device_attach+0x10/0x20\n   pci_bus_add_device+0x59/0x90\n   pci_bus_add_devices+0x31/0x80\n   pciehp_configure_device+0xaa/0x170\n   pciehp_enable_slot+0xd6/0x240\n   pciehp_handle_presence_or_link_change+0xf1/0x180\n   pciehp_ist+0x162/0x1c0\n   irq_thread_fn+0x24/0x70\n   irq_thread+0xef/0x1c0\n   ? __pfx_irq_thread_fn+0x10/0x10\n   ? __pfx_irq_thread_dtor+0x10/0x10\n   ? __pfx_irq_thread+0x10/0x10\n   kthread+0xfc/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x47/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix WARN() in get_bpf_raw_tp_regs\n\nsyzkaller reported an issue:\n\nWARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nModules linked in:\nCPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nRSP: 0018:ffffc90003636fa8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c\nRDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005\nRBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003\nR10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004\nR13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900\nFS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]\n bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]\n __bpf_prog_run include/linux/filter.h:718 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]\n bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405\n __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47\n __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47\n __do_trace_mmap_lock_acquire_returned 
include/trace/events/mmap_lock.h:47 [inline]\n trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]\n __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35\n __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]\n mmap_read_trylock include/linux/mmap_lock.h:204 [inline]\n stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157\n __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483\n ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]\n bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]\n bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n\nTracepoint like trace_mmap_lock_acquire_returned may cause nested call\nas the corner case show above, which will be resolved with more general\nmethod in the future. As a result, WARN_ON_ONCE will be triggered. As\nAlexei suggested, remove the WARN_ON_ONCE first.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91: Fix possible out-of-boundary access\n\nat91_gpio_probe() doesn't check that given OF alias is not available or\nsomething went wrong when trying to get it. This might have consequences\nwhen accessing gpio_chips array with that value as an index. Note, that\nBUG() can be compiled out and hence won't actually perform the required\nchecks.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/cm: Drop lockdep assert and WARN when freeing old msg\n\nThe send completion handler can run after cm_id has advanced to another\nmessage.  The cm_id lock is not needed in this case, but a recent change\nre-used cm_free_priv_msg(), which asserts that the lock is held and\nWARNs if the cm_id's currently outstanding msg is different than the one\nbeing freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels\n\nCorrect kernel call trace when calling smp_processor_id() when called in\npreemptible kernels by using raw_smp_processor_id().\n\nsmp_processor_id() checks to see if preemption is disabled and if not,\nissue an error message followed by a call to dump_stack().\n\nBrief example of call trace:\nkernel:  check_preemption_disabled: 436 callbacks suppressed\nkernel:  BUG: using smp_processor_id() in preemptible [00000000]\n         code: kworker/u1025:0/2354\nkernel:  caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi]\nkernel:  CPU: 129 PID: 2354 Comm: kworker/u1025:0\nkernel:  ...\nkernel:  Workqueue: writeback wb_workfn (flush-253:0)\nkernel:  Call Trace:\nkernel:   <TASK>\nkernel:   dump_stack_lvl+0x34/0x48\nkernel:   check_preemption_disabled+0xdd/0xe0\nkernel:   pqi_scsi_queue_command+0x183/0x310 [smartpqi]\nkernel:  ...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk\n\nSmatch detected a potential use-after-free of an ndlp oject in\ndev_loss_tmo_callbk during driver unload or fatal error handling.\n\nFix by reordering code to avoid potential use-after-free if initial\nnodelist reference has been previously removed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix node corruption in ar->arvifs list\n\nIn current WLAN recovery code flow, ath12k_core_halt() only reinitializes\nthe \"arvifs\" list head. This will cause the list node immediately following\nthe list head to become an invalid list node. Because the prev of that node\nstill points to the list head \"arvifs\", but the next of the list head\n\"arvifs\" no longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif removal, and it\nhappens before the spin_lock_bh(&ar->data_lock) in\nath12k_mac_vdev_delete(), list_del() will detect the previously mentioned\nsituation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the list head\n\"arvifs\" during WLAN halt. The reinitialization is to make the list nodes\nvalid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute\nnormally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xd4/0x100 (P)\nath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]\nath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]\ncfg80211_wiphy_work+0xfc/0x100\nprocess_one_work+0x164/0x2d0\nworker_thread+0x254/0x380\nkthread+0xfc/0x100\nret_from_fork+0x10/0x20\n\nThe change is mostly copied from the ath11k patch:\nhttps://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Prevent sending WMI commands to firmware during firmware crash\n\nCurrently, we encounter the following kernel call trace when a firmware\ncrash occurs. This happens because the host sends WMI commands to the\nfirmware while it is in recovery, causing the commands to fail and\nresulting in the kernel call trace.\n\nSet the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the\nhost driver receives the firmware crash notification from MHI. This\nprevents sending WMI commands to the firmware during recovery.\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x75/0xc0\n register_lock_class+0x6be/0x7a0\n ? __lock_acquire+0x644/0x19a0\n __lock_acquire+0x95/0x19a0\n lock_acquire+0x265/0x310\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ? find_held_lock+0x34/0xa0\n ? ath12k_ce_send+0x56/0x210 [ath12k]\n _raw_spin_lock_bh+0x33/0x70\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_htc_send+0x178/0x390 [ath12k]\n ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]\n ath12k_wmi_cmd_send+0x62/0x190 [ath12k]\n ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1\n ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]\n ieee80211_dump_survey+0x99/0x240 [mac80211]\n nl80211_dump_survey+0xe7/0x470 [cfg80211]\n ? kmalloc_reserve+0x59/0xf0\n genl_dumpit+0x24/0x70\n netlink_dump+0x177/0x360\n __netlink_dump_start+0x206/0x280\n genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0\n ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0\n ? genl_op_lock.part.12+0x10/0x10\n ? genl_dumpit+0x70/0x70\n genl_rcv_msg+0x1d0/0x290\n ? nl80211_del_station+0x330/0x330 [cfg80211]\n ? genl_get_cmd_both+0x50/0x50\n netlink_rcv_skb+0x4f/0x100\n genl_rcv+0x1f/0x30\n netlink_unicast+0x1b6/0x260\n netlink_sendmsg+0x31a/0x450\n __sock_sendmsg+0xa8/0xb0\n ____sys_sendmsg+0x1e4/0x260\n ___sys_sendmsg+0x89/0xe0\n ? local_clock_noinstr+0xb/0xc0\n ? rcu_is_watching+0xd/0x40\n ? 
kfree+0x1de/0x370\n ? __sys_sendmsg+0x7a/0xc0\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix invalid access to memory\n\nIn ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean\nis_continuation is part of rxcb.\nCurrently, after freeing the skb, the rxcb->is_continuation accessed\nagain which is wrong since the memory is already freed.\nThis might lead use-after-free error.\n\nHence, fix by locally defining bool is_continuation from rxcb,\nso that after freeing skb, is_continuation can be used.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix node corruption in ar->arvifs list\n\nIn current WLAN recovery code flow, ath11k_core_halt() only\nreinitializes the \"arvifs\" list head. This will cause the\nlist node immediately following the list head to become an\ninvalid list node. Because the prev of that node still points\nto the list head \"arvifs\", but the next of the list head \"arvifs\"\nno longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif\nremoval, and it happens before the spin_lock_bh(&ar->data_lock)\nin ath11k_mac_op_remove_interface(), list_del() will detect the\npreviously mentioned situation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the\nlist head \"arvifs\" during WLAN halt. The reinitialization is to make\nthe list nodes valid, ensuring that the list_del() in\nath11k_mac_op_remove_interface() can execute normally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xb8/0xd0\nath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]\ndrv_remove_interface+0x48/0x194 [mac80211]\nieee80211_do_stop+0x6e0/0x844 [mac80211]\nieee80211_stop+0x44/0x17c [mac80211]\n__dev_close_many+0xac/0x150\n__dev_change_flags+0x194/0x234\ndev_change_flags+0x24/0x6c\ndevinet_ioctl+0x3a0/0x670\ninet_ioctl+0x200/0x248\nsock_do_ioctl+0x60/0x118\nsock_ioctl+0x274/0x35c\n__arm64_sys_ioctl+0xac/0xf0\ninvoke_syscall+0x48/0x114\n...\n\nTested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix NULL access in assign channel context handler\n\nCurrently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle\n(ar) gets accessed from the link VIF handle (arvif) for debug logging, This\nis incorrect. In the fail scenario, radio handle is NULL. Fix the NULL\naccess, avoid radio handle access by moving to the hardware debug logging\nhelper function (ath12k_hw_warn).\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()\n\nThe Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses\nsmp_processor_id(), which assumes disabled preemption. This leads to kernel\nwarnings during module loading because meson_ddr_pmu_create() can be called\nin a preemptible context.\n\nFollowing kernel warning and stack trace:\n[   31.745138] [   T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289\n[   31.745154] [   T2289] caller is debug_smp_processor_id+0x28/0x38\n[   31.745172] [   T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0\n[   31.745181] [   T2289] Tainted: [W]=WARN\n[   31.745183] [   T2289] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[   31.745188] [   T2289] Call trace:\n[   31.745191] [   T2289]  show_stack+0x28/0x40 (C)\n[   31.745199] [   T2289]  dump_stack_lvl+0x4c/0x198\n[   31.745205] [   T2289]  dump_stack+0x20/0x50\n[   31.745209] [   T2289]  check_preemption_disabled+0xec/0xf0\n[   31.745213] [   T2289]  debug_smp_processor_id+0x28/0x38\n[   31.745216] [   T2289]  meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745237] [   T2289]  g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745246] [   T2289]  platform_probe+0x98/0xe0\n[   31.745254] [   T2289]  really_probe+0x144/0x3f8\n[   31.745258] [   T2289]  __driver_probe_device+0xb8/0x180\n[   31.745261] [   T2289]  driver_probe_device+0x54/0x268\n[   31.745264] [   T2289]  __driver_attach+0x11c/0x288\n[   31.745267] [   T2289]  bus_for_each_dev+0xfc/0x160\n[   31.745274] [   T2289]  driver_attach+0x34/0x50\n[   31.745277] [   T2289]  bus_add_driver+0x160/0x2b0\n[   31.745281] [   T2289]  driver_register+0x78/0x120\n[   31.745285] [   T2289]  __platform_driver_register+0x30/0x48\n[   31.745288] [   T2289]  init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]\n[   31.745298] [   T2289]  do_one_initcall+0x11c/0x438\n[   31.745303] [   T2289]  do_init_module+0x68/0x228\n[   31.745311] [   T2289]  load_module+0x118c/0x13a8\n[   31.745315] [   T2289]  __arm64_sys_finit_module+0x274/0x390\n[   31.745320] [   T2289]  invoke_syscall+0x74/0x108\n[   31.745326] [   T2289]  el0_svc_common+0x90/0xf8\n[   31.745330] [   T2289]  do_el0_svc+0x2c/0x48\n[   31.745333] [   T2289]  el0_svc+0x60/0x150\n[   31.745337] [   T2289]  el0t_64_sync_handler+0x80/0x118\n[   31.745341] [   T2289]  el0t_64_sync+0x1b8/0x1c0\n\nChanges replaces smp_processor_id() with raw_smp_processor_id() to\nensure safe CPU ID retrieval in preemptible contexts.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: platform_profile: Avoid initializing on non-ACPI platforms\n\nThe platform profile driver is loaded even on platforms that do not have\nACPI enabled. The initialization of the sysfs entries was recently moved\nfrom platform_profile_register() to the module init call, and those\nentries need acpi_kobj to be initialized which is not the case when ACPI\nis disabled.\n\nThis results in the following warning:\n\n WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8\n Modules linked in:\n CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W           6.15.0-rc7-dirty #6 PREEMPT\n Tainted: [W]=WARN\n Hardware name: riscv-virtio,qemu (DT)\n epc : internal_create_group+0xa22/0xdd8\n  ra : internal_create_group+0xa22/0xdd8\n\n Call Trace:\n\n internal_create_group+0xa22/0xdd8\n sysfs_create_group+0x22/0x2e\n platform_profile_init+0x74/0xb2\n do_one_initcall+0x198/0xa9e\n kernel_init_freeable+0x6d8/0x780\n kernel_init+0x28/0x24c\n ret_from_fork+0xe/0x18\n\nFix this by checking if ACPI is enabled before trying to create sysfs\nentries.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: EM: Fix potential division-by-zero error in em_compute_costs()\n\nWhen the device is of a non-CPU type, table[i].performance won't be\ninitialized in the previous em_init_performance(), resulting in division\nby zero when calculating costs in em_compute_costs().\n\nSince the 'cost' algorithm is only used for EAS energy efficiency\ncalculations and is currently not utilized by other device drivers, we\nshould add the _is_cpu_device(dev) check to prevent this division-by-zero\nissue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/skx_common: Fix general protection fault\n\nAfter loading i10nm_edac (which automatically loads skx_edac_common), if\nunload only i10nm_edac, then reload it and perform error injection testing,\na general protection fault may occur:\n\n  mce: [Hardware Error]: Machine check events logged\n  Oops: general protection fault ...\n  ...\n  Workqueue: events mce_gen_pool_process\n  RIP: 0010:string+0x53/0xe0\n  ...\n  Call Trace:\n  <TASK>\n  ? die_addr+0x37/0x90\n  ? exc_general_protection+0x1e7/0x3f0\n  ? asm_exc_general_protection+0x26/0x30\n  ? string+0x53/0xe0\n  vsnprintf+0x23e/0x4c0\n  snprintf+0x4d/0x70\n  skx_adxl_decode+0x16a/0x330 [skx_edac_common]\n  skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]\n  skx_mce_check_error+0x17/0x20 [skx_edac_common]\n  ...\n\nThe issue arose was because the variable 'adxl_component_count' (inside\nskx_edac_common), which counts the ADXL components, was not reset. During\nthe reloading of i10nm_edac, the count was incremented by the actual number\nof ADXL components again, resulting in a count that was double the real\nnumber of ADXL components. This led to an out-of-bounds reference to the\nADXL component array, causing the general protection fault above.\n\nFix this issue by resetting the 'adxl_component_count' in adxl_put(),\nwhich is called during the unloading of {skx,i10nm}_edac.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()\n\nETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(),\nin the case the codec dai_name will be null.\n\nAvoid a crash if the device tree is not assigning a codec\nto these links.\n\n[    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[    1.181065] Mem abort info:\n[    1.181420]   ESR = 0x0000000096000004\n[    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    1.182576]   SET = 0, FnV = 0\n[    1.182964]   EA = 0, S1PTW = 0\n[    1.183367]   FSC = 0x04: level 0 translation fault\n[    1.183983] Data abort info:\n[    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    1.186439] [0000000000000000] user address but active_mm is swapper\n[    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[    1.188029] Modules linked in:\n[    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85\n[    1.189515] Hardware name: Radxa NIO 12L (DT)\n[    1.190065] Workqueue: events_unbound deferred_probe_work_func\n[    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    1.191683] pc : __pi_strcmp+0x24/0x140\n[    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0\n[    1.192854] sp : ffff800083473970\n[    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002\n[    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88\n[    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8\n[    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff\n[    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006\n[    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374\n[    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018\n[    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000\n[    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d\n[    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000\n[    1.202236] Call trace:\n[    1.202545]  __pi_strcmp+0x24/0x140 (P)\n[    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8\n[    1.203644]  platform_probe+0x70/0xe8\n[    1.204106]  really_probe+0xc8/0x3a0\n[    1.204556]  __driver_probe_device+0x84/0x160\n[    1.205104]  driver_probe_device+0x44/0x130\n[    1.205630]  __device_attach_driver+0xc4/0x170\n[    1.206189]  bus_for_each_drv+0x8c/0xf8\n[    1.206672]  __device_attach+0xa8/0x1c8\n[    1.207155]  device_initial_probe+0x1c/0x30\n[    1.207681]  bus_probe_device+0xb0/0xc0\n[    1.208165]  deferred_probe_work_func+0xa4/0x100\n[    1.208747]  process_one_work+0x158/0x3e0\n[    1.209254]  worker_thread+0x2c4/0x3e8\n[    1.209727]  kthread+0x134/0x1f0\n[    1.210136]  ret_from_fork+0x10/0x20\n[    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402)\n[    1.211355] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()\n\nFix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():\n\n1] If dma_map_sg() fails for areq->dst, the device driver would try to free\n   DMA memory it has not allocated in the first place. To fix this, on the\n   \"theend_sgs\" error path, call dma unmap only if the corresponding dma\n   map was successful.\n\n2] If the dma_map_single() call for the IV fails, the device driver would\n   try to free an invalid DMA memory address on the \"theend_iv\" path:\n   ------------[ cut here ]------------\n   DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address\n   WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90\n   Modules linked in: skcipher_example(O+)\n   CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G           O        6.15.0-rc3+ #24 PREEMPT\n   Tainted: [O]=OOT_MODULE\n   Hardware name: OrangePi Zero2 (DT)\n   pc : check_unmap+0x123c/0x1b90\n   lr : check_unmap+0x123c/0x1b90\n   ...\n   Call trace:\n    check_unmap+0x123c/0x1b90 (P)\n    debug_dma_unmap_page+0xac/0xc0\n    dma_unmap_page_attrs+0x1f4/0x5fc\n    sun8i_ce_cipher_do_one+0x1bd4/0x1f40\n    crypto_pump_work+0x334/0x6e0\n    kthread_worker_fn+0x21c/0x438\n    kthread+0x374/0x664\n    ret_from_fork+0x10/0x20\n   ---[ end trace 0000000000000000 ]---\n\nTo fix this, check for !dma_mapping_error() before calling\ndma_unmap_single() on the \"theend_iv\" path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: zynqmp_nvmem: unbreak driver after cleanup\n\nCommit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\")\nchanged the driver to expect the device pointer to be passed as the\n\"context\", but in nvmem the context parameter comes from nvmem_config.priv\nwhich is never set - Leading to null pointer exceptions when the device is\naccessed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work\n\nBios queued up in the zone write plug have already gone through all\npreparation in the submit_bio path, including the freeze protection.\n\nSubmitting them through submit_bio_noacct_nocheck duplicates the work\nand can cause deadlocks when freezing a queue with pending bio\nwrite plugs.\n\nGo straight to ->submit_bio or blk_mq_submit_bio to bypass the\nsuperfluous extra freeze protection and checks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix possible crashes on eir_create_adv_data\n\neir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER\nwithout checking if that would fit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix NULL pointer dereference on eir_get_service_data\n\nThe len parameter is considered optional so it can be NULL so it cannot\nbe used for skipping to next entry of EIR_SERVICE_DATA.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()\n\nThere is no disagreement that we should check both ptp->is_virtual_clock\nand ptp->n_vclocks to check if the ptp virtual clock is in use.\n\nHowever, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in\nptp_vclock_in_use(), we observe a recursive lock in the call trace\nstarting from n_vclocks_store().\n\n============================================\nWARNING: possible recursive locking detected\n6.15.0-rc6 #1 Not tainted\n--------------------------------------------\nsyz.0.1540/13807 is trying to acquire lock:\nffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]\nffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415\n\nbut task is already holding lock:\nffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:\n n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(&ptp->n_vclocks_mux);\n  lock(&ptp->n_vclocks_mux);\n\n *** DEADLOCK ***\n....\n============================================\n\nThe best way to solve this is to remove the logic that checks\nptp->n_vclocks in ptp_vclock_in_use().\n\nThe reason why this is appropriate is that any path that uses\nptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater\nthan 0 before unregistering vclocks, and all functions are already\nwritten this way. And in the function that uses ptp->n_vclocks, we\nalready get ptp->n_vclocks_mux before unregistering vclocks.\n\nTherefore, we need to remove the redundant check for ptp->n_vclocks in\nptp_vclock_in_use() to prevent recursive locking.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/fhandle.c: fix a race in call of has_locked_children()\n\nmay_decode_fh() is calling has_locked_children() while holding no locks.\nThat's an oopsable race...\n\nThe rest of the callers are safe since they are holding namespace_sem and\nare guaranteed a positive refcount on the mount in question.\n\nRename the current has_locked_children() to __has_locked_children(), make\nit static and switch the fs/namespace.c users to it.\n\nMake has_locked_children() a wrapper for __has_locked_children(), calling\nthe latter under read_seqlock_excl(&mount_lock).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Verify content returned by parse_int_array()\n\nThe first element of the returned array stores its length. If it is 0,\nany manipulation beyond the element at index 0 ends with null-ptr-deref.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix possible null-ptr-deref when initing hw\n\nSearch result of avs_dai_find_path_template() shall be verified before\nbeing used. As 'template' is already known when\navs_hw_constraints_init() is fired, drop the search entirely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xe_svm_init() earlier\n\nIn xe_vm_close_and_put() we need to be able to call xe_svm_fini(),\nhowever during vm creation we can call this on the error path, before\nhaving actually initialised the svm state, leading to various splats\nfollowed by a fatal NPD.\n\n(cherry picked from commit 4f296d77cf49fcb5f90b4674123ad7f3a0676165)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: Fix validation of nexthop addresses\n\nThe kernel currently validates that the length of the provided nexthop\naddress does not exceed the specified length. This can lead to the\nkernel reading uninitialized memory if user space provided a shorter\nlength than the specified one.\n\nFix by validating that the provided length exactly matches the specified\none.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: get rid of the crit lock\n\nGet rid of the crit lock.\nThat frees us from the error prone logic of try_locks.\n\nThanks to netdev_lock() by Jakub it is now easy, and in most cases we were\nprotected by it already - replace crit lock by netdev lock when it was not\nthe case.\n\nLockdep reports that we should cancel the work under crit_lock [splat1],\nand that was the scheme we have mostly followed since [1] by Slawomir.\nBut when that is done we still got into deadlocks [splat2]. So instead\nwe should look at the bigger problem, namely \"weird locking/scheduling\"\nof the iavf. The first step to fix that is to remove the crit lock.\nI will followup with a -next series that simplifies scheduling/tasks.\n\nCancel the work without netdev lock (weird unlock+lock scheme),\nto fix the [splat2] (which would be totally ugly if we would kept\nthe crit lock).\n\nExtend protected part of iavf_watchdog_task() to include scheduling\nmore work.\n\nNote that the removed comment in iavf_reset_task() was misplaced,\nit belonged to inside of the removed if condition, so it's gone now.\n\n[splat1] - w/o this patch - The deadlock during VF removal:\n     WARNING: possible circular locking dependency detected\n     sh/3825 is trying to acquire lock:\n      ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470\n          but task is already holding lock:\n      (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf]\n          which lock already depends on the new lock.\n\n[splat2] - when cancelling work under crit lock, w/o this series,\n\t   see [2] for the band aid attempt\n    WARNING: possible circular locking dependency detected\n    sh/3550 is trying to acquire lock:\n    ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n        but task is already holding lock:\n    (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf]\n        which lock already depends on the new lock.\n\n[1] fc2e6b3b132a (\"iavf: Rework mutexes for better synchronisation\")\n[2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()\n\nIn fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,\ncvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's\nthen passed to fb_cvt_hperiod(), where it's used as a divider -- division\nby 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to\navoid such overflow...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix double-free on mc_dev\n\nThe blamed commit tried to simplify how the deallocations are done but,\nin the process, introduced a double-free on the mc_dev variable.\n\nIn case the MC device is a DPRC, a new mc_bus is allocated and the\nmc_dev variable is just a reference to one of its fields. In this\ncircumstance, on the error path only the mc_bus should be freed.\n\nThis commit introduces back the following checkpatch warning which is a\nfalse-positive.\n\nWARNING: kfree(NULL) is safe and this check is probably not required\n+       if (mc_bus)\n+               kfree(mc_bus);",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-pci: Fix result size returned for the admin command completion\n\nThe result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes\nlarger than the actual result data size. This occurs because the\nresult_sg_size field of the command is filled with the result length\nfrom virtqueue_get_buf(), which includes both the data size and an\nadditional 8 bytes of status.\n\nThis oversized result size causes two issues:\n1. The state transferred to the destination includes 8 bytes of extra\n   data at the end.\n2. The allocated buffer in the kernel may be smaller than the returned\n   size, leading to failures when reading beyond the allocated size.\n\nThe commit fixes this by subtracting the status size from the result of\nvirtqueue_get_buf().\n\nThis fix has been tested through live migrations with virtio-net,\nvirtio-net-transitional, and virtio-blk devices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Check dsbr size from EFI variable\n\nSince the size of struct btintel_dsbr is already known, we can just\nstart there instead of querying the EFI variable size. If the final\nresult doesn't match what we expect also fail. This fixes a stack buffer\noverflow when the EFI variable is larger than struct btintel_dsbr.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()\n\nThe function mt7996_set_monitor() dereferences phy before\nthe NULL sanity check.\n\nFix this to avoid NULL pointer dereference by moving the\ndereference after the check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix buffer overflow in debugfs\n\nIf the user tries to write more than 32 bytes then it results in memory\ncorruption.  Fortunately, this is debugfs so it's limited to root users.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm-ni: Fix missing platform_set_drvdata()\n\nAdd missing platform_set_drvdata in arm_ni_probe(), otherwise\ncalling platform_get_drvdata() in remove returns NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table\n\nThe functions atomctrl_initialize_mc_reg_table() and\natomctrl_initialize_mc_reg_table_v2_2() do not check the return\nvalue of smu_atom_get_data_table(). If smu_atom_get_data_table()\nfails to retrieve vram_info, it returns NULL which is later\ndereferenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()\n\nKASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().\n\nCall Trace:\n[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550\n[   97.285732]\n[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11\n[   97.287032] Hardware name: linux,dummy-virt (DT)\n[   97.287815] Call trace:\n[   97.288279]  dump_backtrace+0xa0/0x128\n[   97.288946]  show_stack+0x20/0x38\n[   97.289551]  dump_stack_lvl+0x78/0xc8\n[   97.290203]  print_address_description.constprop.0+0x84/0x3c8\n[   97.291159]  print_report+0xb0/0x280\n[   97.291792]  kasan_report+0x84/0xd0\n[   97.292421]  __asan_load8+0x9c/0xc0\n[   97.293042]  regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.293835]  process_fetch_insn+0x770/0xa30\n[   97.294562]  kprobe_trace_func+0x254/0x3b0\n[   97.295271]  kprobe_dispatcher+0x98/0xe0\n[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210\n[   97.296774]  call_break_hook+0xc4/0x100\n[   97.297451]  brk_handler+0x24/0x78\n[   97.298073]  do_debug_exception+0xac/0x178\n[   97.298785]  el1_dbg+0x70/0x90\n[   97.299344]  el1h_64_sync_handler+0xcc/0xe8\n[   97.300066]  el1h_64_sync+0x78/0x80\n[   97.300699]  kernel_clone+0x0/0x500\n[   97.301331]  __arm64_sys_clone+0x70/0x90\n[   97.302084]  invoke_syscall+0x68/0x198\n[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150\n[   97.303569]  do_el0_svc+0x38/0x50\n[   97.304164]  el0_svc+0x44/0x1d8\n[   97.304749]  el0t_64_sync_handler+0x100/0x130\n[   97.305500]  el0t_64_sync+0x188/0x190\n[   97.306151]\n[   97.306475] The buggy address belongs to stack of task 1.sh/2550\n[   97.307461]  and is located at offset 0 in frame:\n[   97.308257]  __se_sys_clone+0x0/0x138\n[   97.308910]\n[   97.309241] This frame has 1 object:\n[   97.309873]  [48, 184) 'args'\n[   97.309876]\n[   97.310749] The buggy address belongs to the virtual mapping at\n[   97.310749]  [ffff800089270000, ffff800089279000) created by:\n[   97.310749]  dup_task_struct+0xc0/0x2e8\n[   97.313347]\n[   97.313674] The buggy address belongs to the physical page:\n[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a\n[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)\n[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000\n[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[   97.319445] page dumped because: kasan: bad access detected\n[   97.320371]\n[   97.320694] Memory state around the buggy address:\n[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00\n[   97.325023]                          ^\n[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3\n[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\nThis issue seems to be related to the behavior of some gcc compilers and\nwas also fixed on the s390 architecture before:\n\n commit d93a855c31b7 (\"s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()\")\n\nAs described in that commit, regs_get_kernel_stack_nth() has confirmed that\n`addr` is on the stack, so reading the value at `*addr` should be allowed.\nUse READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.\n\n[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Log an error when close_all_cached_dirs fails\n\nUnder low-memory conditions, close_all_cached_dirs() can't move the\ndentries to a separate list to dput() them once the locks are dropped.\nThis will result in a \"Dentry still in use\" error, so add an error\nmessage that makes it clear this is what happened:\n\n[  495.281119] CIFS: VFS: \\\\otters.example.com\\share Out of memory while dropping dentries\n[  495.281595] ------------[ cut here ]------------\n[  495.281887] BUG: Dentry ffff888115531138{i=78,n=/}  still in use (2) [unmount of cifs cifs]\n[  495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0\n\nAlso, bail out of looping through all tcons as soon as a single\nallocation fails, since we're already in trouble, and kmalloc() attempts\nfor subsequent tcons are likely to fail just like the first one did.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix crash in icl_update_topdown_event()\n\nThe perf_fuzzer found a hard-lockup crash on a RaptorLake machine:\n\n  Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000\n  CPU: 23 UID: 0 PID: 0 Comm: swapper/23\n  Tainted: [W]=WARN\n  Hardware name: Dell Inc. Precision 9660/0VJ762\n  RIP: 0010:native_read_pmc+0x7/0x40\n  Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...\n  RSP: 000:fffb03100273de8 EFLAGS: 00010046\n  ....\n  Call Trace:\n    <TASK>\n    icl_update_topdown_event+0x165/0x190\n    ? ktime_get+0x38/0xd0\n    intel_pmu_read_event+0xf9/0x210\n    __perf_event_read+0xf9/0x210\n\nCPUs 16-23 are E-core CPUs that don't support the perf metrics feature.\nThe icl_update_topdown_event() should not be invoked on these CPUs.\n\nIt's a regression of commit:\n\n  f9bdf1f95339 (\"perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read\")\n\nThe bug introduced by that commit is that the is_topdown_event() function\nis mistakenly used to replace the is_topdown_count() call to check if the\ntopdown functions for the perf metrics feature should be invoked.\n\nFix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: add lec_mutex\n\nsyzbot found its way in net/atm/lec.c, and found an error path\nin lecd_attach() could leave a dangling pointer in dev_lec[].\n\nAdd a mutex to protect dev_lecp[] uses from lecd_attach(),\nlec_vcc_attach() and lec_mcast_attach().\n\nFollowing patch will use this mutex for /proc/net/atm/lec.\n\nBUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]\nBUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\nRead of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142\n\nCPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:408 [inline]\n  print_report+0xcd/0x680 mm/kasan/report.c:521\n  kasan_report+0xe0/0x110 mm/kasan/report.c:634\n  lecd_attach net/atm/lec.c:751 [inline]\n  lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAllocated by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __do_kmalloc_node mm/slub.c:4328 [inline]\n  __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015\n  alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711\n  lecd_attach net/atm/lec.c:737 [inline]\n  lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576\n  poison_slab_object mm/kasan/common.c:247 [inline]\n  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264\n  kasan_slab_free include/linux/kasan.h:233 [inline]\n  slab_free_hook mm/slub.c:2381 [inline]\n  slab_free mm/slub.c:4643 [inline]\n  kfree+0x2b4/0x4d0 mm/slub.c:4842\n  free_netdev+0x6c5/0x910 net/core/dev.c:11892\n  lecd_attach net/atm/lec.c:744 [inline]\n  lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38323",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().\n\nAs syzbot reported [0], mpls_route_input_rcu() can be called\nfrom mpls_getroute(), which is under RTNL.\n\nnet->mpls.platform_label is only updated under RTNL.\n\nLet's use rcu_dereference_rtnl() in mpls_route_input_rcu() to\nsilence the splat.\n\n[0]:\nWARNING: suspicious RCU usage\n6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted\n ----------------------------\nnet/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.2.4451/17730:\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865\n mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84\n mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381\n rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964\n netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmmsg+0x200/0x420 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0a2818e969\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969\nRDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add free_transport ops in ksmbd connection\n\nfree_transport function for tcp connection can be called from smbdirect.\nIt will cause kernel oops. This patch adds free_transport ops in ksmbd\nconnection, and adds a free_transport for each of tcp and smbdirect.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38325",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: clean device rq_list in aoedev_downdev()\n\nAn aoe device's rq_list contains accepted block requests that are\nwaiting to be transmitted to the aoe target. This queue was added as\npart of the conversion to blk_mq. However, the queue was not cleaned out\nwhen an aoe device is downed which caused blk_mq_freeze_queue() to sleep\nindefinitely waiting for those requests to complete, causing a hang. This\nfix cleans out the queue before calling blk_mq_freeze_queue().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfgraph: Do not enable function_graph tracer when setting funcgraph-args\n\nWhen setting the funcgraph-args option when function graph tracer is not\nenabled, it incorrectly enables it. Worse, it unregisters itself when it\nwas never registered. Then when it gets enabled again, it will register\nitself a second time causing a WARNing.\n\n ~# echo 1 > /sys/kernel/tracing/options/funcgraph-args\n ~# head -20 /sys/kernel/tracing/trace\n # tracer: nop\n #\n # entries-in-buffer/entries-written: 813/26317372   #P:8\n #\n #                                _-----=> irqs-off/BH-disabled\n #                               / _----=> need-resched\n #                              | / _---=> hardirq/softirq\n #                              || / _--=> preempt-depth\n #                              ||| / _-=> migrate-disable\n #                              |||| /     delay\n #           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION\n #              | |         |   |||||     |         |\n           <idle>-0       [007] d..4.   358.966010:  7)   1.692 us    |          fetch_next_timer_interrupt(basej=4294981640, basem=357956000000, base_local=0xffff88823c3ae040, base_global=0xffff88823c3af300, tevt=0xffff888100e47cb8);\n           <idle>-0       [007] d..4.   358.966012:  7)               |          tmigr_cpu_deactivate(nextexp=357988000000) {\n           <idle>-0       [007] d..4.   358.966013:  7)               |            _raw_spin_lock(lock=0xffff88823c3b2320) {\n           <idle>-0       [007] d..4.   358.966014:  7)   0.981 us    |              preempt_count_add(val=1);\n           <idle>-0       [007] d..5.   358.966017:  7)   1.058 us    |              do_raw_spin_lock(lock=0xffff88823c3b2320);\n           <idle>-0       [007] d..4.   358.966019:  7)   5.824 us    |            }\n           <idle>-0       [007] d..5.   358.966021:  7)               |            tmigr_inactive_up(group=0xffff888100cb9000, child=0x0, data=0xffff888100e47bc0) {\n           <idle>-0       [007] d..5.   358.966022:  7)               |              tmigr_update_events(group=0xffff888100cb9000, child=0x0, data=0xffff888100e47bc0) {\n\nNotice the \"tracer: nop\" at the top there. The current tracer is the \"nop\"\ntracer, but the content is obviously the function graph tracer.\n\nEnabling function graph tracing will cause it to register again and\ntrigger a warning in the accounting:\n\n ~# echo function_graph > /sys/kernel/tracing/current_tracer\n -bash: echo: write error: Device or resource busy\n\nWith the dmesg of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 1095 at kernel/trace/ftrace.c:3509 ftrace_startup_subops+0xc1e/0x1000\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 7 UID: 0 PID: 1095 Comm: bash Not tainted 6.16.0-rc2-test-00006-gea03de4105d3 #24 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:ftrace_startup_subops+0xc1e/0x1000\n Code: 48 b8 22 01 00 00 00 00 ad de 49 89 84 24 88 01 00 00 8b 44 24 08 89 04 24 e9 c3 f7 ff ff c7 04 24 ed ff ff ff e9 b7 f7 ff ff <0f> 0b c7 04 24 f0 ff ff ff e9 a9 f7 ff ff c7 04 24 f4 ff ff ff e9\n RSP: 0018:ffff888133cff948 EFLAGS: 00010202\n RAX: 0000000000000001 RBX: 1ffff1102679ff31 RCX: 0000000000000000\n RDX: 1ffffffff0b27a60 RSI: ffffffff8593d2f0 RDI: ffffffff85941140\n RBP: 00000000000c2041 R08: ffffffffffffffff R09: ffffed1020240221\n R10: ffff88810120110f R11: ffffed1020240214 R12: ffffffff8593d2f0\n R13: ffffffff8593d300 R14: ffffffff85941140 R15: ffffffff85631100\n FS:  00007f7ec6f28740(0000) GS:ffff8882b5251000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7ec6f181c0 CR3: 000000012f1d0005 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __pfx_ftrace_startup_subops+0x10/0x10\n  ? find_held_lock+0x2b/0x80\n  ? ftrace_stub_direct_tramp+0x10/0x10\n  ? ftrace_stub_direct_tramp+0x10/0x10\n  ? trace_preempt_on+0xd0/0x110\n  ? __pfx_trace_graph_entry_args+0x10/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38327",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check jffs2_prealloc_raw_node_refs() result in few other places\n\nFuzzing hit another invalid pointer dereference due to the lack of\nchecking whether jffs2_prealloc_raw_node_refs() completed successfully.\nSubsequent logic implies that the node refs have been allocated.\n\nHandle that. The code is ready for propagating the error upwards.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600\nCall Trace:\n jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]\n jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118\n jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253\n jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302\n generic_perform_write+0x2c2/0x500 mm/filemap.c:3347\n __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465\n generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497\n call_write_iter include/linux/fs.h:2039 [inline]\n do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740\n do_iter_write+0x18c/0x710 fs/read_write.c:866\n vfs_writev+0x1db/0x6a0 fs/read_write.c:939\n do_pwritev fs/read_write.c:1036 [inline]\n __do_sys_pwritev fs/read_write.c:1083 [inline]\n __se_sys_pwritev fs/read_write.c:1078 [inline]\n __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38328",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info)\n\nKASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(),\nbecause the source string length was rounded up to the allocation size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38329",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache)\n\nKASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets().\nThe code uses mock_coeff_template.length_bytes (4 bytes) for register value\nallocations. But later, this length is set to 8 bytes which causes\ntest code failures.\n\nAs a fix, just remove the length override, keeping the original value 4\nfor all operations.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38330",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: cortina: Use TOE/TSO on all TCP\n\nIt is desirable to push the hardware accelerator to also\nprocess non-segmented TCP frames: we pass the skb->len\nto the \"TOE/TSO\" offloader and it will handle them.\n\nWithout this quirk the driver becomes unstable and locks\nup and crashes.\n\nI do not know exactly why, but it is probably due to the\nTOE (TCP offload engine) feature that is coupled with the\nsegmentation feature - it is not possible to turn one\npart off and not the other, either both TOE and TSO are\nactive, or neither of them.\n\nNot having the TOE part active seems detrimental, as if\nthat hardware feature is not really supposed to be turned\noff.\n\nThe datasheet says:\n\n  \"Based on packet parsing and TCP connection/NAT table\n   lookup results, the NetEngine puts the packets\n   belonging to the same TCP connection to the same queue\n   for the software to process. The NetEngine puts\n   incoming packets to the buffer or series of buffers\n   for a jumbo packet. With this hardware acceleration,\n   IP/TCP header parsing, checksum validation and\n   connection lookup are offloaded from the software\n   processing.\"\n\nAfter numerous tests with the hardware locking up after\nsomething between minutes and hours depending on load\nusing iperf3 I have concluded this is necessary to stabilize\nthe hardware.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38331",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Use memcpy() for BIOS version\n\nThe strlcat() with FORTIFY support is triggering a panic because it\nthinks the target buffer will overflow although the correct target\nbuffer size is passed in.\n\nAnyway, instead of memset() with 0 followed by a strlcat(), just use\nmemcpy() and ensure that the resulting buffer is NULL terminated.\n\nBIOSVersion is only used for the lpfc_printf_log() which expects a\nproperly terminated string.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38332",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to bail out in get_new_segment()\n\n------------[ cut here ]------------\nWARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc\npc : new_curseg+0x5e8/0x6dc\nCall trace:\n new_curseg+0x5e8/0x6dc\n f2fs_allocate_data_block+0xa54/0xe28\n do_write_page+0x6c/0x194\n f2fs_do_write_node_page+0x38/0x78\n __write_node_page+0x248/0x6d4\n f2fs_sync_node_pages+0x524/0x72c\n f2fs_write_checkpoint+0x4bc/0x9b0\n __checkpoint_and_complete_reqs+0x80/0x244\n issue_checkpoint_thread+0x8c/0xec\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20\n\nget_new_segment() detects inconsistent status in between free_segmap\nand free_secmap, let's record such error into super block, and bail\nout get_new_segment() instead of continue using the segment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38333",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Prevent attempts to reclaim poisoned pages\n\nTL;DR: SGX page reclaim touches the page to copy its contents to\nsecondary storage. SGX instructions do not gracefully handle machine\nchecks. Despite this, the existing SGX code will try to reclaim pages\nthat it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages.\n\nThe longer story:\n\nPages used by an enclave only get epc_page->poison set in\narch_memory_failure() but they currently stay on sgx_active_page_list until\nsgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched.\n\nepc_page->poison is not checked in the reclaimer logic meaning that, if other\nconditions are met, an attempt will be made to reclaim an EPC page that was\npoisoned.  This is bad because 1. we don't want that page to end up added\nto another enclave and 2. it is likely to cause one core to shut down\nand the kernel to panic.\n\nSpecifically, reclaiming uses microcode operations including \"EWB\" which\naccesses the EPC page contents to encrypt and write them out to non-SGX\nmemory.  Those operations cannot handle MCEs in their accesses other than\nby putting the executing core into a special shutdown state (affecting\nboth threads with HT.)  The kernel will subsequently panic on the\nremaining cores seeing the core didn't enter MCE handler(s) in time.\n\nCall sgx_unmark_page_reclaimable() to remove the affected EPC page from\nsgx_active_page_list on memory error to stop it being considered for\nreclaiming.\n\nTesting epc_page->poison in sgx_reclaim_pages() would also work but I assume\nit's better to add code in the less likely paths.\n\nThe affected EPC page is not added to &node->sgx_poison_page_list until\nlater in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd.\nMembership on other lists doesn't change to avoid changing any of the\nlists' semantics except for sgx_active_page_list.  There's a \"TBD\" comment\nin arch_memory_failure() about pre-emptive actions, the goal here is not\nto address everything that it may imply.\n\nThis also doesn't completely close the time window when a memory error\nnotification will be fatal (for a not previously poisoned EPC page) --\nthe MCE can happen after sgx_reclaim_pages() has selected its candidates\nor even *inside* a microcode operation (actually easy to trigger due to\nthe amount of time spent in them.)\n\nThe spinlock in sgx_unmark_page_reclaimable() is safe because\nmemory_failure() runs in process context and no spinlocks are held,\nexplicitly noted in a mm/memory-failure.c comment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38334",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: gpio-keys - fix a sleep while atomic with PREEMPT_RT\n\nWhen enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in\nhard irq context, but the input_event() takes a spin_lock, which isn't\nallowed there as it is converted to a rt_spin_lock().\n\n[ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0\n...\n[ 4054.290195]  __might_resched+0x13c/0x1f4\n[ 4054.290209]  rt_spin_lock+0x54/0x11c\n[ 4054.290219]  input_event+0x48/0x80\n[ 4054.290230]  gpio_keys_irq_timer+0x4c/0x78\n[ 4054.290243]  __hrtimer_run_queues+0x1a4/0x438\n[ 4054.290257]  hrtimer_interrupt+0xe4/0x240\n[ 4054.290269]  arch_timer_handler_phys+0x2c/0x44\n[ 4054.290283]  handle_percpu_devid_irq+0x8c/0x14c\n[ 4054.290297]  handle_irq_desc+0x40/0x58\n[ 4054.290307]  generic_handle_domain_irq+0x1c/0x28\n[ 4054.290316]  gic_handle_irq+0x44/0xcc\n\nConsidering the gpio_keys_irq_isr() can run in any context, e.g. it can\nbe threaded, it seems there's no point in requesting the timer isr to\nrun in hard irq context.\n\nRelax the hrtimer not to use the hard context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38335",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330\n\nThe controller has a hardware bug that can hard hang the system when\ndoing ATAPI DMAs without any trace of what happened. Depending on the\ndevice attached, it can also prevent the system from booting.\n\nIn this case, the system hangs when reading the ATIP from optical media\nwith cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an\nOptiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4,\nrunning at UDMA/33.\n\nThe issue can be reproduced by running the same command with a cygwin\nbuild of cdrecord on WinXP, although it requires more attempts to cause\nit. The hang in that case is also resolved by forcing PIO. It doesn't\nappear that VIA has produced any drivers for that OS, thus no known\nworkaround exists.\n\nHDDs attached to the controller do not suffer from any DMA issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38336",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()\n\nSince handle->h_transaction may be a NULL pointer, so we should change it\nto call is_handle_aborted(handle) first before dereferencing it.\n\nAnd the following data-race was reported in my fuzzer:\n\n==================================================================\nBUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata\n\nwrite to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:\n jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nread to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:\n jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512\n __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358\n ext4_do_update_inode fs/ext4/inode.c:5220 [inline]\n ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869\n __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074\n ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103\n....\n\nvalue changed: 0x00000000 -> 0x00000001\n==================================================================\n\nThis issue is caused by missing data-race annotation for jh->b_modified.\nTherefore, the missing annotation needs to be added.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38337",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()\n\nSometimes, when a file was read while it was being truncated by\nanother NFS client, the kernel could deadlock because folio_unlock()\nwas called twice, and the second call would XOR back the `PG_locked`\nflag.\n\nMost of the time (depending on the timing of the truncation), nobody\nnotices the problem because folio_unlock() gets called three times,\nwhich flips `PG_locked` back off:\n\n 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio,\n    nfs_return_empty_folio\n 2. vfs_read, nfs_read_folio, ... netfs_read_collection,\n    netfs_unlock_abandoned_read_pages\n 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio,\n    nfs_return_empty_folio\n\nThe problem is that nfs_read_add_folio() is not supposed to unlock the\nfolio if fscache is enabled, and a nfs_netfs_folio_unlock() check is\nmissing in nfs_return_empty_folio().\n\nRarely this leads to a warning in netfs_read_collection():\n\n ------------[ cut here ]------------\n R=0000031c: folio 10 is not locked\n WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00\n [...]\n Workqueue: events_unbound netfs_read_collection_worker\n RIP: 0010:netfs_read_collection+0x7c0/0xf00\n [...]\n Call Trace:\n  <TASK>\n  netfs_read_collection_worker+0x67/0x80\n  process_one_work+0x12e/0x2c0\n  worker_thread+0x295/0x3a0\n\nMost of the time, however, processes just get stuck forever in\nfolio_wait_bit_common(), waiting for `PG_locked` to disappear, which\nnever happens because nobody is really holding the folio lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38338",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf: fix JIT code size calculation of bpf trampoline\n\narch_bpf_trampoline_size() provides JIT size of the BPF trampoline\nbefore the buffer for JIT'ing it is allocated. The total number of\ninstructions emitted for BPF trampoline JIT code depends on where\nthe final image is located. So, the size arrived at with the dummy\npass in arch_bpf_trampoline_size() can vary from the actual size\nneeded in  arch_prepare_bpf_trampoline().  When the instructions\naccounted in  arch_bpf_trampoline_size() is less than the number of\ninstructions emitted during the actual JIT compile of the trampoline,\nthe below warning is produced:\n\n  WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc\n\nwhich is:\n\n  /* Make sure the trampoline generation logic doesn't overflow */\n  if (image && WARN_ON_ONCE(&image[ctx->idx] >\n  \t\t\t(u32 *)rw_image_end - BPF_INSN_SAFETY)) {\n\nSo, during the dummy pass, instead of providing some arbitrary image\nlocation, account for maximum possible instructions if and when there\nis a dependency with image location for JIT'ing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38339",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Fix OOB memory read access in KUnit test\n\nKASAN reported out of bounds access - cs_dsp_mock_bin_add_name_or_info(),\nbecause the source string length was rounded up to the allocation size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38340",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: fbnic: avoid double free when failing to DMA-map FW msg\n\nThe semantics are that caller of fbnic_mbx_map_msg() retains\nthe ownership of the message on error. All existing callers\ndutifully free the page.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38341",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoftware node: Correct a OOB check in software_node_get_reference_args()\n\nsoftware_node_get_reference_args() wants to get @index-th element, so\nthe property value requires at least '(index + 1) * sizeof(*ref)' bytes\nbut that can not be guaranteed by current OOB check, and may cause OOB\nfor malformed property.\n\nFix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38342",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: drop fragments with multicast or broadcast RA\n\nIEEE 802.11 fragmentation can only be applied to unicast frames.\nTherefore, drop fragments with multicast or broadcast RA. This patch\naddresses vulnerabilities such as CVE-2020-26145.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38343",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi parse and parseext cache leaks\n\nACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5\n\nI'm Seunghun Han, and I work for National Security Research Institute of\nSouth Korea.\n\nI have been doing a research on ACPI and found an ACPI cache leak in ACPI\nearly abort cases.\n\nBoot log of ACPI cache leak is as follows:\n[    0.352414] ACPI: Added _OSI(Module Device)\n[    0.353182] ACPI: Added _OSI(Processor Device)\n[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.356028] ACPI: Unable to start the ACPI Interpreter\n[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects\n[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #10\n[    0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.361873] Call Trace:\n[    0.362243]  ? dump_stack+0x5c/0x81\n[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.363296]  ? acpi_os_delete_cache+0xa/0x10\n[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.364000]  ? acpi_terminate+0xa/0x14\n[    0.364000]  ? acpi_init+0x2af/0x34f\n[    0.364000]  ? __class_create+0x4c/0x80\n[    0.364000]  ? video_setup+0x7f/0x7f\n[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.364000]  ? do_one_initcall+0x4e/0x1a0\n[    0.364000]  ? kernel_init_freeable+0x189/0x20a\n[    0.364000]  ? rest_init+0xc0/0xc0\n[    0.364000]  ? kernel_init+0xa/0x100\n[    0.364000]  ? ret_from_fork+0x25/0x30\n\nI analyzed this memory leak in detail. I found that \u201cAcpi-State\u201d cache and\n\u201cAcpi-Parse\u201d cache were merged because the size of cache objects was same\nslab cache size.\n\nI finally found \u201cAcpi-Parse\u201d cache and \u201cAcpi-parse_ext\u201d cache were leaked\nusing SLAB_NEVER_MERGE flag in kmem_cache_create() function.\n\nReal ACPI cache leak point is as follows:\n[    0.360101] ACPI: Added _OSI(Module Device)\n[    0.360101] ACPI: Added _OSI(Processor Device)\n[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)\n[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)\n[    0.364016] ACPI: Unable to start the ACPI Interpreter\n[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects\n[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.372000] Call Trace:\n[    0.372000]  ? dump_stack+0x5c/0x81\n[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b\n[    0.372000]  ? acpi_terminate+0xa/0x14\n[    0.372000]  ? acpi_init+0x2af/0x34f\n[    0.372000]  ? __class_create+0x4c/0x80\n[    0.372000]  ? video_setup+0x7f/0x7f\n[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.372000]  ? do_one_initcall+0x4e/0x1a0\n[    0.372000]  ? kernel_init_freeable+0x189/0x20a\n[    0.372000]  ? rest_init+0xc0/0xc0\n[    0.372000]  ? kernel_init+0xa/0x100\n[    0.372000]  ? ret_from_fork+0x25/0x30\n[    0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects\n[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W\n4.12.0-rc4-next-20170608+ #8\n[    0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS\nvirtual_box 12/01/2006\n[    0.392000] Call Trace:\n[    0.392000]  ? dump_stack+0x5c/0x81\n[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0\n[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27\n[    0.392000]  ? acpi_os_delete_cache+0xa/0x10\n[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b\n[    0.392000]  ? acpi_terminate+0xa/0x14\n[    0.392000]  ? acpi_init+0x2af/0x3\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38344",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n>[    0.585957] ACPI: Added _OSI(Module Device)\n>[    0.587218] ACPI: Added _OSI(Processor Device)\n>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n>[    0.597858] ACPI: Unable to start the ACPI Interpreter\n>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n>[    0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n>[    0.609177] Call Trace:\n>[    0.610063]  ? dump_stack+0x5c/0x81\n>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0\n>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27\n>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10\n>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b\n>[    0.619293]  ? acpi_terminate+0xa/0x14\n>[    0.620394]  ? acpi_init+0x2af/0x34f\n>[    0.621616]  ? __class_create+0x4c/0x80\n>[    0.623412]  ? video_setup+0x7f/0x7f\n>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27\n>[    0.625861]  ? do_one_initcall+0x4e/0x1a0\n>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f\n>[    0.628972]  ? rest_init+0x80/0x80\n>[    0.630043]  ? kernel_init+0xa/0x100\n>[    0.631084]  ? ret_from_fork+0x25/0x30\n>[    0.633343] vgaarb: loaded\n>[    0.635036] EDAC MC: Ver: 3.0.0\n>[    0.638601] PCI: Probing PCI hardware\n>[    0.639833] PCI host bridge to bus 0000:00\n>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]\n> ... Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state->operand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (<= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38345",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix UAF when lookup kallsym after ftrace disabled\n\nThe following issue happens with a buggy module:\n\nBUG: unable to handle page fault for address: ffffffffc05d0218\nPGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nRIP: 0010:sized_strscpy+0x81/0x2f0\nRSP: 0018:ffff88812d76fa08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000\nRDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d\nRBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68\nR10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038\nR13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff\nFS:  00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ftrace_mod_get_kallsym+0x1ac/0x590\n update_iter_mod+0x239/0x5b0\n s_next+0x5b/0xa0\n seq_read_iter+0x8c9/0x1070\n seq_read+0x249/0x3b0\n proc_reg_read+0x1b0/0x280\n vfs_read+0x17f/0x920\n ksys_read+0xf3/0x1c0\n do_syscall_64+0x5f/0x2e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue may happen as follows:\n(1) Add kprobe tracepoint;\n(2) insmod test.ko;\n(3)  Module triggers ftrace disabled;\n(4) rmmod test.ko;\n(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;\nftrace_mod_get_kallsym()\n...\nstrscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);\n...\n\nThe problem is when a module triggers an issue with ftrace and\nsets ftrace_disable. The ftrace_disable is set when an anomaly is\ndiscovered and to prevent any more damage, ftrace stops all text\nmodification. The issue that happened was that the ftrace_disable stops\nmore than just the text modification.\n\nWhen a module is loaded, its init functions can also be traced. Because\nkallsyms deletes the init functions after a module has loaded, ftrace\nsaves them when the module is loaded and function tracing is enabled. This\nallows the output of the function trace to show the init function names\ninstead of just their raw memory addresses.\n\nWhen a module is removed, ftrace_release_mod() is called, and if\nftrace_disable is set, it just returns without doing anything more. The\nproblem here is that it leaves the mod_list still around and if kallsyms\nis called, it will call into this code and access the module memory that\nhas already been freed as it will return:\n\n  strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);\n\nWhere the \"mod\" no longer exists and triggers a UAF bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38346",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on ino and xnid\n\nsyzbot reported a f2fs bug as below:\n\nINFO: task syz-executor140:5308 blocked for more than 143 seconds.\n      Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor140 state:D stack:24016 pid:5308  tgid:5308  ppid:5306   task_flags:0x400140 flags:0x00000006\nCall Trace:\n <TASK>\n context_switch kernel/sched/core.c:5378 [inline]\n __schedule+0x190e/0x4c90 kernel/sched/core.c:6765\n __schedule_loop kernel/sched/core.c:6842 [inline]\n schedule+0x14b/0x320 kernel/sched/core.c:6857\n io_schedule+0x8d/0x110 kernel/sched/core.c:7690\n folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317\n __folio_lock mm/filemap.c:1664 [inline]\n folio_lock include/linux/pagemap.h:1163 [inline]\n __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917\n pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87\n find_get_page_flags include/linux/pagemap.h:842 [inline]\n f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776\n __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463\n read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306\n lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]\n f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533\n __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179\n f2fs_acl_create fs/f2fs/acl.c:375 [inline]\n f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418\n f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539\n f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666\n f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765\n f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808\n f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]\n f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766\n vfs_mknod+0x36d/0x3b0 fs/namei.c:4191\n unix_bind_bsd net/unix/af_unix.c:1286 [inline]\n unix_bind+0x563/0xe30 net/unix/af_unix.c:1379\n __sys_bind_socket net/socket.c:1817 [inline]\n __sys_bind+0x1e4/0x290 net/socket.c:1848\n __do_sys_bind net/socket.c:1853 [inline]\n __se_sys_bind net/socket.c:1851 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1851\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLet's dump and check metadata of corrupted inode, it shows its xattr_nid\nis the same to its i_ino.\n\ndump.f2fs -i 3 chaseyu.img.raw\ni_xattr_nid                             [0x       3 : 3]\n\nSo that, during mknod in the corrupted directory, it tries to get and\nlock inode page twice, result in deadlock.\n\n- f2fs_mknod\n - f2fs_add_inline_entry\n  - f2fs_get_inode_page --- lock dir's inode page\n   - f2fs_init_acl\n    - f2fs_acl_create(dir,..)\n     - __f2fs_get_acl\n      - f2fs_getxattr\n       - lookup_all_xattrs\n        - __get_node_page --- try to lock dir's inode page\n\nIn order to fix this, let's add sanity check on ino and xnid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38347",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv->eeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n|                                   struct sk_buff *skb)\n|{\n|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;\n|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;\n|\n|        if (priv->fw_var >= 0x509) {\n|                memcpy(priv->eeprom, eeprom->v2.data,\n|                       le16_to_cpu(eeprom->v2.len));\n|        } else {\n|                memcpy(priv->eeprom, eeprom->v1.data,\n|                       le16_to_cpu(eeprom->v1.len));\n|        }\n| [...]\n\nThe eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it's possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload >a< firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38348",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: don't decrement ep refcount while still holding the ep mutex\n\nJann Horn points out that epoll is decrementing the ep refcount and then\ndoing a\n\n    mutex_unlock(&ep->mtx);\n\nafterwards. That's very wrong, because it can lead to a use-after-free.\n\nThat pattern is actually fine for the very last reference, because the\ncode in question will delay the actual call to \"ep_free(ep)\" until after\nit has unlocked the mutex.\n\nBut it's wrong for the much subtler \"next to last\" case when somebody\n*else* may also be dropping their reference and free the ep while we're\nstill using the mutex.\n\nNote that this is true even if that other user is also using the same ep\nmutex: mutexes, unlike spinlocks, can not be used for object ownership,\neven if they guarantee mutual exclusion.\n\nA mutex \"unlock\" operation is not atomic, and as one user is still\naccessing the mutex as part of unlocking it, another user can come in\nand get the now released mutex and free the data structure while the\nfirst user is still cleaning up.\n\nSee our mutex documentation in Documentation/locking/mutex-design.rst,\nin particular the section [1] about semantics:\n\n\t\"mutex_unlock() may access the mutex structure even after it has\n\t internally released the lock already - so it's not safe for\n\t another context to acquire the mutex and assume that the\n\t mutex_unlock() context is not using the structure anymore\"\n\nSo if we drop our ep ref before the mutex unlock, but we weren't the\nlast one, we may then unlock the mutex, another user comes in, drops\n_their_ reference and releases the 'ep' as it now has no users - all\nwhile the mutex_unlock() is still accessing it.\n\nFix this by simply moving the ep refcount dropping to outside the mutex:\nthe refcount itself is atomic, and doesn't need mutex protection (that's\nthe whole _point_ of refcounts: unlike mutexes, they are inherently\nabout object lifetimes).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38349",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes' dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent's parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38350",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush\n\nIn KVM guests with Hyper-V hypercalls enabled, the hypercalls\nHVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX\nallow a guest to request invalidation of portions of a virtual TLB.\nFor this, the hypercall parameter includes a list of GVAs that are supposed\nto be invalidated.\n\nHowever, when non-canonical GVAs are passed, there is currently no\nfiltering in place and they are eventually passed to checked invocations of\nINVVPID on Intel / INVLPGA on AMD.  While AMD's INVLPGA silently ignores\nnon-canonical addresses (effectively a no-op), Intel's INVVPID explicitly\nsignals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():\n\n  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000\n  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482\n  invvpid_error+0x91/0xa0 [kvm_intel]\n  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse\n  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)\n  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]\n  Call Trace:\n    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]\n    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]\n    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]\n\nHyper-V documents that invalid GVAs (those that are beyond a partition's\nGVA space) are to be ignored.  While not completely clear whether this\nruling also applies to non-canonical GVAs, it is likely fine to make that\nassumption, and manual testing on Azure confirms \"real\" Hyper-V interprets\nthe specification in the same way.\n\nSkip non-canonical GVAs when processing the list of address to avoid\ntripping the INVVPID failure.  Alternatively, KVM could filter out \"bad\"\nGVAs before inserting into the FIFO, but practically speaking the only\ndownside of pushing validation to the final processing is that doing so\nis suboptimal for the guest, and no well-behaved guest will request TLB\nflushes for non-canonical addresses.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38351",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won't be\nable to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk->exit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail\nanyway in this case.",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38352",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix taking invalid lock on wedge\n\nIf device wedges on e.g. GuC upload, the submission is not yet enabled\nand the state is not even initialized. Protect the wedge call so it does\nnothing in this case. It fixes the following splat:\n\n\t[] xe 0000:bf:00.0: [drm] device wedged, needs recovery\n\t[] ------------[ cut here ]------------\n\t[] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n\t[] WARNING: CPU: 48 PID: 312 at kernel/locking/mutex.c:564 __mutex_lock+0x8a1/0xe60\n\t...\n\t[] RIP: 0010:__mutex_lock+0x8a1/0xe60\n\t[]  mutex_lock_nested+0x1b/0x30\n\t[]  xe_guc_submit_wedge+0x80/0x2b0 [xe]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38353",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/gpu: Fix crash when throttling GPU immediately during boot\n\nThere is a small chance that the GPU is already hot during boot. In that\ncase, the call to of_devfreq_cooling_register() will immediately try to\napply devfreq cooling, as seen in the following crash:\n\n  Unable to handle kernel paging request at virtual address 0000000000014110\n  pc : a6xx_gpu_busy+0x1c/0x58 [msm]\n  lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm]\n  Call trace:\n   a6xx_gpu_busy+0x1c/0x58 [msm] (P)\n   devfreq_simple_ondemand_func+0x3c/0x150\n   devfreq_update_target+0x44/0xd8\n   qos_max_notifier_call+0x30/0x84\n   blocking_notifier_call_chain+0x6c/0xa0\n   pm_qos_update_target+0xd0/0x110\n   freq_qos_apply+0x3c/0x74\n   apply_constraint+0x88/0x148\n   __dev_pm_qos_update_request+0x7c/0xcc\n   dev_pm_qos_update_request+0x38/0x5c\n   devfreq_cooling_set_cur_state+0x98/0xf0\n   __thermal_cdev_update+0x64/0xb4\n   thermal_cdev_update+0x4c/0x58\n   step_wise_manage+0x1f0/0x318\n   __thermal_zone_device_update+0x278/0x424\n   __thermal_cooling_device_register+0x2bc/0x308\n   thermal_of_cooling_device_register+0x10/0x1c\n   of_devfreq_cooling_register_power+0x240/0x2bc\n   of_devfreq_cooling_register+0x14/0x20\n   msm_devfreq_init+0xc4/0x1a0 [msm]\n   msm_gpu_init+0x304/0x574 [msm]\n   adreno_gpu_init+0x1c4/0x2e0 [msm]\n   a6xx_gpu_init+0x5c8/0x9c8 [msm]\n   adreno_bind+0x2a8/0x33c [msm]\n   ...\n\nAt this point we haven't initialized the GMU at all yet, so we cannot read\nthe GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before\nin commit 6694482a70e9 (\"drm/msm: Avoid unclocked GMU register access in\n6xx gpu_busy\"): msm_devfreq_init() does call devfreq_suspend_device(), but\nunlike msm_devfreq_suspend(), it doesn't set the df->suspended flag\naccordingly. This means the df->suspended flag does not match the actual\ndevfreq state after initialization and msm_devfreq_get_dev_status() will\nend up accessing GMU registers, causing the crash.\n\nFix this by setting df->suspended correctly during initialization.\n\nPatchwork: https://patchwork.freedesktop.org/patch/650772/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38354",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Process deferred GGTT node removals on device unwind\n\nWhile we are indirectly draining our dedicated workqueue ggtt->wq\nthat we use to complete asynchronous removal of some GGTT nodes,\nthis happends as part of the managed-drm unwinding (ggtt_fini_early),\nwhich could be later then manage-device unwinding, where we could\nalready unmap our MMIO/GMS mapping (mmio_fini).\n\nThis was recently observed during unsuccessful VF initialization:\n\n [ ] xe 0000:00:02.1: probe with driver xe failed with error -62\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes)\n [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes)\n [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes)\n\nand this was leading to:\n\n [ ] BUG: unable to handle page fault for address: ffffc900058162a0\n [ ] #PF: supervisor write access in kernel mode\n [ ] #PF: error_code(0x0002) - not-present page\n [ ] Oops: Oops: 0002 [#1] SMP NOPTI\n [ ] Tainted: [W]=WARN\n [ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe]\n [ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe]\n [ ] Call Trace:\n [ ]  <TASK>\n [ ]  xe_ggtt_clear+0xb0/0x270 [xe]\n [ ]  ggtt_node_remove+0xbb/0x120 [xe]\n [ ]  ggtt_node_remove_work_func+0x30/0x50 [xe]\n [ ]  process_one_work+0x22b/0x6f0\n [ ]  worker_thread+0x1e8/0x3d\n\nAdd managed-device action that will explicitly drain the workqueue\nwith all pending node removals prior to releasing MMIO/GSM mapping.\n\n(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38355",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Explicitly exit CT safe mode on unwind\n\nDuring driver probe we might be briefly using CT safe mode, which\nis based on a delayed work, but usually we are able to stop this\nonce we have IRQ fully operational.  However, if we abort the probe\nquite early then during unwind we might try to destroy the workqueue\nwhile there is still a pending delayed work that attempts to restart\nitself which triggers a WARN.\n\nThis was recently observed during unsuccessful VF initialization:\n\n [ ] xe 0000:00:02.1: probe with driver xe failed with error -62\n [ ] ------------[ cut here ]------------\n [ ] workqueue: cannot queue safe_mode_worker_func [xe] on wq xe-g2h-wq\n [ ] WARNING: CPU: 9 PID: 0 at kernel/workqueue.c:2257 __queue_work+0x287/0x710\n [ ] RIP: 0010:__queue_work+0x287/0x710\n [ ] Call Trace:\n [ ]  delayed_work_timer_fn+0x19/0x30\n [ ]  call_timer_fn+0xa1/0x2a0\n\nExit the CT safe mode on unwind to avoid that warning.\n\n(cherry picked from commit 2ddbb73ec20b98e70a5200cb85deade22ccea2ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38356",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix runtime warning on truncate_folio_batch_exceptionals()\n\nThe WARN_ON_ONCE is introduced on truncate_folio_batch_exceptionals() to\ncapture whether the filesystem has removed all DAX entries or not.\n\nAnd the fix has been applied on the filesystem xfs and ext4 by the commit\n0e2f80afcfa6 (\"fs/dax: ensure all pages are idle prior to filesystem\nunmount\").\n\nApply the missed fix on filesystem fuse to fix the runtime warning:\n\n[    2.011450] ------------[ cut here ]------------\n[    2.011873] WARNING: CPU: 0 PID: 145 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0x272/0x2b0\n[    2.012468] Modules linked in:\n[    2.012718] CPU: 0 UID: 1000 PID: 145 Comm: weston Not tainted 6.16.0-rc2-WSL2-STABLE #2 PREEMPT(undef)\n[    2.013292] RIP: 0010:truncate_folio_batch_exceptionals+0x272/0x2b0\n[    2.013704] Code: 48 63 d0 41 29 c5 48 8d 1c d5 00 00 00 00 4e 8d 6c 2a 01 49 c1 e5 03 eb 09 48 83 c3 08 49 39 dd 74 83 41 f6 44 1c 08 01 74 ef <0f> 0b 49 8b 34 1e 48 89 ef e8 10 a2 17 00 eb df 48 8b 7d 00 e8 35\n[    2.014845] RSP: 0018:ffffa47ec33f3b10 EFLAGS: 00010202\n[    2.015279] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[    2.015884] RDX: 0000000000000000 RSI: ffffa47ec33f3ca0 RDI: ffff98aa44f3fa80\n[    2.016377] RBP: ffff98aa44f3fbf0 R08: ffffa47ec33f3ba8 R09: 0000000000000000\n[    2.016942] R10: 0000000000000001 R11: 0000000000000000 R12: ffffa47ec33f3ca0\n[    2.017437] R13: 0000000000000008 R14: ffffa47ec33f3ba8 R15: 0000000000000000\n[    2.017972] FS:  000079ce006afa40(0000) GS:ffff98aade441000(0000) knlGS:0000000000000000\n[    2.018510] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    2.018987] CR2: 000079ce03e74000 CR3: 000000010784f006 CR4: 0000000000372eb0\n[    2.019518] Call Trace:\n[    2.019729]  <TASK>\n[    2.019901]  truncate_inode_pages_range+0xd8/0x400\n[    2.020280]  ? timerqueue_add+0x66/0xb0\n[    2.020574]  ? get_nohz_timer_target+0x2a/0x140\n[    2.020904]  ? timerqueue_add+0x66/0xb0\n[    2.021231]  ? timerqueue_del+0x2e/0x50\n[    2.021646]  ? __remove_hrtimer+0x39/0x90\n[    2.022017]  ? srso_alias_untrain_ret+0x1/0x10\n[    2.022497]  ? psi_group_change+0x136/0x350\n[    2.023046]  ? _raw_spin_unlock+0xe/0x30\n[    2.023514]  ? finish_task_switch.isra.0+0x8d/0x280\n[    2.024068]  ? __schedule+0x532/0xbd0\n[    2.024551]  fuse_evict_inode+0x29/0x190\n[    2.025131]  evict+0x100/0x270\n[    2.025641]  ? _atomic_dec_and_lock+0x39/0x50\n[    2.026316]  ? __pfx_generic_delete_inode+0x10/0x10\n[    2.026843]  __dentry_kill+0x71/0x180\n[    2.027335]  dput+0xeb/0x1b0\n[    2.027725]  __fput+0x136/0x2b0\n[    2.028054]  __x64_sys_close+0x3d/0x80\n[    2.028469]  do_syscall_64+0x6d/0x1b0\n[    2.028832]  ? clear_bhb_loop+0x30/0x80\n[    2.029182]  ? clear_bhb_loop+0x30/0x80\n[    2.029533]  ? clear_bhb_loop+0x30/0x80\n[    2.029902]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[    2.030423] RIP: 0033:0x79ce03d0d067\n[    2.030820] Code: b8 ff ff ff ff e9 3e ff ff ff 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 c3 a7 f8 ff\n[    2.032354] RSP: 002b:00007ffef0498948 EFLAGS: 00000246 ORIG_RAX: 0000000000000003\n[    2.032939] RAX: ffffffffffffffda RBX: 00007ffef0498960 RCX: 000079ce03d0d067\n[    2.033612] RDX: 0000000000000003 RSI: 0000000000001000 RDI: 000000000000000d\n[    2.034289] RBP: 00007ffef0498a30 R08: 000000000000000d R09: 0000000000000000\n[    2.034944] R10: 00007ffef0498978 R11: 0000000000000246 R12: 0000000000000001\n[    2.035610] R13: 00007ffef0498960 R14: 000079ce03e09ce0 R15: 0000000000000003\n[    2.036301]  </TASK>\n[    2.036532] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38357",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between async reclaim worker and close_ctree()\n\nSyzbot reported an assertion failure due to an attempt to add a delayed\niput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info\nstate:\n\n  WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  Workqueue: btrfs-endio-write btrfs_work_helper\n  RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n  Code: 4e ad 5d (...)\n  RSP: 0018:ffffc9000213f780 EFLAGS: 00010293\n  RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00\n  RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000\n  RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c\n  R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001\n  R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100\n  FS:  0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635\n   btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312\n   btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312\n   process_one_work kernel/workqueue.c:3238 [inline]\n   process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n   kthread+0x70e/0x8a0 kernel/kthread.c:464\n   ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n   </TASK>\n\nThis can happen due to a race with the async reclaim worker like this:\n\n1) The async metadata reclaim worker enters shrink_delalloc(), which calls\n   btrfs_start_delalloc_roots() with an nr_pages argument that has a value\n   less than LONG_MAX, and that in turn enters start_delalloc_inodes(),\n   which sets the local variable 'full_flush' to false because\n   wbc->nr_to_write is less than LONG_MAX;\n\n2) There it finds inode X in a root's delalloc list, grabs a reference for\n   inode X (with igrab()), and triggers writeback for it with\n   filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;\n\n3) The unmount sequence starts from another task, we enter close_ctree()\n   and we flush the workqueue fs_info->endio_write_workers, which waits\n   for the ordered extent for inode X to complete and when dropping the\n   last reference of the ordered extent, with btrfs_put_ordered_extent(),\n   when we call btrfs_add_delayed_iput() we don't add the inode to the\n   list of delayed iputs because it has a refcount of 2, so we decrement\n   it to 1 and return;\n\n4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which\n   runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT\n   in the fs_info state;\n\n5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now\n   calls btrfs_add_delayed_iput() for inode X and there we trigger an\n   assertion failure since the fs_info state has the flag\n   BTRFS_FS_STATE_NO_DELAYED_IPUT set.\n\nFix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for\nthe async reclaim workers to finish, after we call cancel_work_sync() for\nthem at close_ctree(), and by running delayed iputs after wait for the\nreclaim workers to finish and before setting the bit.\n\nThis race was recently introduced by commit 19e60b2a95f5 (\"btrfs: add\nextra warning if delayed iput is added when it's not allowed\"). Without\nthe new validation at btrfs_add_delayed_iput(), \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38358",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Fix in_atomic() handling in do_secure_storage_access()\n\nKernel user spaces accesses to not exported pages in atomic context\nincorrectly try to resolve the page fault.\nWith debug options enabled call traces like this can be seen:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39\npreempt_count: 1, expected: 0\nRCU nest depth: 0, expected: 0\nINFO: lockdep is turned off.\nPreemption disabled at:\n[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0\nCPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39\nTainted: G        W           6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT\nTainted: [W]=WARN\nHardware name: IBM 3931 A01 703 (LPAR)\nCall Trace:\n [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8\n [<00000383e99bf152>] __might_resched+0x292/0x2d0\n [<00000383eaa7c374>] down_read+0x34/0x2d0\n [<00000383e99432f8>] do_secure_storage_access+0x108/0x360\n [<00000383eaa724b0>] __do_pgm_check+0x130/0x220\n [<00000383eaa842e4>] pgm_check_handler+0x114/0x160\n [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0\n([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0)\n [<00000383e9c45eae>] generic_perform_write+0x16e/0x310\n [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160\n [<00000383e9da0de4>] vfs_write+0x1c4/0x460\n [<00000383e9da123c>] ksys_write+0x7c/0x100\n [<00000383eaa7284e>] __do_syscall+0x15e/0x280\n [<00000383eaa8417e>] system_call+0x6e/0x90\nINFO: lockdep is turned off.\n\nIt is not allowed to take the mmap_lock while in atomic context. Therefore\nhandle such a secure storage access fault as if the accessed page is not\nmapped: the uaccess function will return -EFAULT, and the caller has to\ndeal with this. Usually this means that the access is retried in process\ncontext, which allows to resolve the page fault (or in this case export the\npage).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38359",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add more checks for DSC / HUBP ONO guarantees\n\n[WHY]\nFor non-zero DSC instances it's possible that the HUBP domain required\nto drive it for sequential ONO ASICs isn't met, potentially causing\nthe logic to the tile to enter an undefined state leading to a system\nhang.\n\n[HOW]\nAdd more checks to ensure that the HUBP domain matching the DSC instance\nis appropriately powered.\n\n(cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38360",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check dce_hwseq before dereferencing it\n\n[WHAT]\n\nhws was checked for null earlier in dce110_blank_stream, indicating hws\ncan be null, and should be checked whenever it is used.\n\n(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38361",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check for get_first_active_display()\n\nThe function mod_hdcp_hdcp1_enable_encryption() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference in\nmod_hdcp_hdcp2_enable_encryption().\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38362",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix a possible null pointer dereference\n\nIn tegra_crtc_reset(), new memory is allocated with kzalloc(), but\nno check is performed. Before calling __drm_atomic_helper_crtc_reset,\nstate should be checked to prevent possible null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38363",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()\n\nTemporarily clear the preallocation flag when explicitly requesting\nallocations.  Pre-existing allocations are already counted against the\nrequest through mas_node_count_gfp(), but the allocations will not happen\nif the MA_STATE_PREALLOC flag is set.  This flag is meant to avoid\nre-allocating in bulk allocation mode, and to detect issues with\npreallocation calculations.\n\nThe MA_STATE_PREALLOC flag should also always be set on zero allocations\nso that detection of underflow allocations will print a WARN_ON() during\nconsumption.\n\nUser visible effect of this flaw is a WARN_ON() followed by a null pointer\ndereference when subsequent requests for larger number of nodes is\nignored, such as the vma merge retry in mmap_region() caused by drivers\naltering the vma flags (which happens in v6.6, at least)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38364",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a race between renames and directory logging\n\nWe have a race between a rename and directory inode logging that if it\nhappens and we crash/power fail before the rename completes, the next time\nthe filesystem is mounted, the log replay code will end up deleting the\nfile that was being renamed.\n\nThis is best explained following a step by step analysis of an interleaving\nof steps that lead into this situation.\n\nConsider the initial conditions:\n\n1) We are at transaction N;\n\n2) We have directories A and B created in a past transaction (< N);\n\n3) We have inode X corresponding to a file that has 2 hardlinks, one in\n   directory A and the other in directory B, so we'll name them as\n   \"A/foo_link1\" and \"B/foo_link2\". Both hard links were persisted in a\n   past transaction (< N);\n\n4) We have inode Y corresponding to a file that has a single hard link and\n   is located in directory A, we'll name it as \"A/bar\". This file was also\n   persisted in a past transaction (< N).\n\nThe steps leading to a file loss are the following and for all of them we\nare under transaction N:\n\n 1) Link \"A/foo_link1\" is removed, so inode's X last_unlink_trans field\n    is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir();\n\n 2) Task A starts a rename for inode Y, with the goal of renaming from\n    \"A/bar\" to \"A/baz\", so we enter btrfs_rename();\n\n 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling\n    btrfs_insert_inode_ref();\n\n 4) Because the rename happens in the same directory, we don't set the\n    last_unlink_trans field of directory A's inode to the current\n    transaction id, that is, we don't call btrfs_record_unlink_dir();\n\n 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY\n    and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode()\n    (actually the dir index item is added as a delayed item, but the\n    effect is the same);\n\n 6) Now before task A adds the new entry \"A/baz\" to directory A by\n    calling btrfs_add_link(), another task, task B is logging inode X;\n\n 7) Task B starts a fsync of inode X and after logging inode X, at\n    btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since\n    inode X has a last_unlink_trans value of N, set in step 1;\n\n 8) At btrfs_log_all_parents() we search for all parent directories of\n    inode X using the commit root, so we find directories A and B and log\n    them. But when logging directory A, we don't have a dir index item for\n    inode Y anymore, neither the old name \"A/bar\" nor for the new name\n    \"A/baz\" since the rename has deleted the old name but has not yet\n    inserted the new name - task A hasn't called yet btrfs_add_link() to\n    do that.\n\n    Note that logging directory A doesn't fallback to a transaction\n    commit because its last_unlink_trans has a lower value than the\n    current transaction's id (see step 4);\n\n 9) Task B finishes logging directories A and B and gets back to\n    btrfs_sync_file() where it calls btrfs_sync_log() to persist the log\n    tree;\n\n10) Task B successfully persisted the log tree, btrfs_sync_log() completed\n    with success, and a power failure happened.\n\n    We have a log tree without any directory entry for inode Y, so the\n    log replay code deletes the entry for inode Y, name \"A/bar\", from the\n    subvolume tree since it doesn't exist in the log tree and the log\n    tree is authoritative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY\n    item that covers the index range for the dentry that corresponds to\n    \"A/bar\").\n\n    Since there's no other hard link for inode Y and the log replay code\n    deletes the name \"A/bar\", the file is lost.\n\nThe issue wouldn't happen if task B synced the log only after task A\ncalled btrfs_log_new_name(), which would update the log with the new name\nfor inode Y (\"A/bar\").\n\nFix this by pinning the log root during renames before removing the old\ndirectory entry, and unpinning af\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38365",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Check validity of \"num_cpu\" from user space\n\nThe maximum supported cpu number is EIOINTC_ROUTE_MAX_VCPUS about\nirqchip EIOINTC, here add validation about cpu number to avoid array\npointer overflow.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38366",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Avoid overflow with array index\n\nThe variable index is modified and reused as array index when modifying\nregister EIOINTC_ENABLE. There will be an array index overflow problem.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38367",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe()\n\nThe returned value, pfsm->miscdev.name, from devm_kasprintf()\ncould be NULL.\nA pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38368",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using\n\nRunning IDXD workloads in a container with the /dev directory mounted can\ntrigger a call trace or even a kernel panic when the parent process of the\ncontainer is terminated.\n\nThis issue occurs because, under certain configurations, Docker does not\nproperly propagate the mount replica back to the original mount point.\n\nIn this case, when the user driver detaches, the WQ is destroyed but it\nstill calls destroy_workqueue() attempting to complete all pending work.\nIt's necessary to check wq->wq and skip the drain if it no longer exists.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38369",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix failure to rebuild free space tree using multiple transactions\n\nIf we are rebuilding a free space tree, while modifying the free space\ntree we may need to allocate a new metadata block group.\nIf we end up using multiple transactions for the rebuild, when we call\nbtrfs_end_transaction() we enter btrfs_create_pending_block_groups()\nwhich calls add_block_group_free_space() to add items to the free space\ntree for the block group.\n\nThen later during the free space tree rebuild, at\nbtrfs_rebuild_free_space_tree(), we may find such new block groups\nand call populate_free_space_tree() for them, which fails with -EEXIST\nbecause there are already items in the free space tree. Then we abort the\ntransaction with -EEXIST at btrfs_rebuild_free_space_tree().\nNotice that we say \"may find\" the new block groups because a new block\ngroup may be inserted in the block groups rbtree, which is being iterated\nby the rebuild process, before or after the current node where the rebuild\nprocess is currently at.\n\nSyzbot recently reported such case which produces a trace like the\nfollowing:\n\n  ------------[ cut here ]------------\n  BTRFS: Transaction aborted (error -17)\n  WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  lr : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  sp : ffff80009c4f7740\n  x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000\n  x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003\n  x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8\n  x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276\n  x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001\n  x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000\n  x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00\n  x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000\n  x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c\n  x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001\n  Call trace:\n   btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P)\n   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n   do_remount fs/namespace.c:3365 [inline]\n   path_mount+0xb34/0xde0 fs/namespace.c:4200\n   do_mount fs/namespace.c:4221 [inline]\n   __do_sys_mount fs/namespace.c:4432 [inline]\n   __se_sys_mount fs/namespace.c:4409 [inline]\n   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n  irq event stamp: 330\n  hardirqs last  enabled at (329): [<ffff80008048590c>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1525 [inline]\n  hardirqs last  enabled at (329): [<ffff80008048590c>] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:5130\n  hardirqs last disabled at (330): [<ffff80008adb9e60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511\n  softirqs last  enabled at (10): [<ffff8000801fbf10>] local_bh_enable+0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38370",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable interrupts before resetting the GPU\n\nCurrently, an interrupt can be triggered during a GPU reset, which can\nlead to GPU hangs and NULL pointer dereference in an interrupt context\nas shown in the following trace:\n\n [  314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n [  314.043822] Mem abort info:\n [  314.046606]   ESR = 0x0000000096000005\n [  314.050347]   EC = 0x25: DABT (current EL), IL = 32 bits\n [  314.055651]   SET = 0, FnV = 0\n [  314.058695]   EA = 0, S1PTW = 0\n [  314.061826]   FSC = 0x05: level 1 translation fault\n [  314.066694] Data abort info:\n [  314.069564]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n [  314.075039]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n [  314.080080]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n [  314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000\n [  314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n [  314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n [  314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n [  314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n [  314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n [  314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [  314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]\n [  314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]\n [  314.160198] sp : ffffffc080003ea0\n [  314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000\n [  314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0\n [  314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000\n [  314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000\n [  314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000\n [  314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001\n [  314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874\n [  314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180\n [  314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb\n [  314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n [  314.234807] Call trace:\n [  314.237243]  v3d_irq+0xec/0x2e0 [v3d]\n [  314.240906]  __handle_irq_event_percpu+0x58/0x218\n [  314.245609]  handle_irq_event+0x54/0xb8\n [  314.249439]  handle_fasteoi_irq+0xac/0x240\n [  314.253527]  handle_irq_desc+0x48/0x68\n [  314.257269]  generic_handle_domain_irq+0x24/0x38\n [  314.261879]  gic_handle_irq+0x48/0xd8\n [  314.265533]  call_on_irq_stack+0x24/0x58\n [  314.269448]  do_interrupt_handler+0x88/0x98\n [  314.273624]  el1_interrupt+0x34/0x68\n [  314.277193]  el1h_64_irq_handler+0x18/0x28\n [  314.281281]  el1h_64_irq+0x64/0x68\n [  314.284673]  default_idle_call+0x3c/0x168\n [  314.288675]  do_idle+0x1fc/0x230\n [  314.291895]  cpu_startup_entry+0x3c/0x50\n [  314.295810]  rest_init+0xe4/0xf0\n [  314.299030]  start_kernel+0x5e8/0x790\n [  314.302684]  __primary_switched+0x80/0x90\n [  314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)\n [  314.312775] ---[ end trace 0000000000000000 ]---\n [  314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n [  314.324249] SMP: stopping secondary CPUs\n [  314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000\n [  314.334076] PHYS_OFFSET: 0x0\n [  314.336946] CPU features: 0x08,00002013,c0200000,0200421b\n [  314.342337] Memory Limit: none\n [  314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nBefore resetting the G\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38371",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix unsafe xarray access in implicit ODP handling\n\n__xa_store() and __xa_erase() were used without holding the proper lock,\nwhich led to a lockdep warning due to unsafe RCU usage.  This patch\nreplaces them with xa_store() and xa_erase(), which perform the necessary\nlocking internally.\n\n  =============================\n  WARNING: suspicious RCPU usage\n  6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1 Not tainted\n  -----------------------------\n  ./include/linux/xarray.h:1211 suspicious rcu_dereference_protected() usage!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active = 2, debug_locks = 1\n  3 locks held by kworker/u136:0/219:\n      at: process_one_work+0xbe4/0x15f0\n      process_one_work+0x75c/0x15f0\n      pagefault_mr+0x9a5/0x1390 [mlx5_ib]\n\n  stack backtrace:\n  CPU: 14 UID: 0 PID: 219 Comm: kworker/u136:0 Not tainted\n  6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n  rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n  Call Trace:\n   dump_stack_lvl+0xa8/0xc0\n   lockdep_rcu_suspicious+0x1e6/0x260\n   xas_create+0xb8a/0xee0\n   xas_store+0x73/0x14c0\n   __xa_store+0x13c/0x220\n   ? xa_store_range+0x390/0x390\n   ? spin_bug+0x1d0/0x1d0\n   pagefault_mr+0xcb5/0x1390 [mlx5_ib]\n   ? _raw_spin_unlock+0x1f/0x30\n   mlx5_ib_eqe_pf_action+0x3be/0x2620 [mlx5_ib]\n   ? lockdep_hardirqs_on_prepare+0x400/0x400\n   ? mlx5_ib_invalidate_range+0xcb0/0xcb0 [mlx5_ib]\n   process_one_work+0x7db/0x15f0\n   ? pwq_dec_nr_in_flight+0xda0/0xda0\n   ? assign_work+0x168/0x240\n   worker_thread+0x57d/0xcd0\n   ? rescuer_thread+0xc40/0xc40\n   kthread+0x3b3/0x800\n   ? kthread_is_per_cpu+0xb0/0xb0\n   ? lock_downgrade+0x680/0x680\n   ? do_raw_spin_lock+0x12d/0x270\n   ? spin_bug+0x1d0/0x1d0\n   ? finish_task_switch.isra.0+0x284/0x9e0\n   ? lockdep_hardirqs_on_prepare+0x284/0x400\n   ? kthread_is_per_cpu+0xb0/0xb0\n   ret_from_fork+0x2d/0x70\n   ? kthread_is_per_cpu+0xb0/0xb0\n   ret_from_fork_asm+0x11/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38372",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix potential deadlock in MR deregistration\n\nThe issue arises when kzalloc() is invoked while holding umem_mutex or\nany other lock acquired under umem_mutex. This is problematic because\nkzalloc() can trigger fs_reclaim_acquire(), which may, in turn, invoke\nmmu_notifier_invalidate_range_start(). This function can lead to\nmlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again,\nresulting in a deadlock.\n\nThe problematic flow:\n             CPU0                      |              CPU1\n---------------------------------------|------------------------------------------------\nmlx5_ib_dereg_mr()                     |\n \u2192 revoke_mr()                         |\n   \u2192 mutex_lock(&umem_odp->umem_mutex) |\n                                       | mlx5_mkey_cache_init()\n                                       |  \u2192 mutex_lock(&dev->cache.rb_lock)\n                                       |  \u2192 mlx5r_cache_create_ent_locked()\n                                       |    \u2192 kzalloc(GFP_KERNEL)\n                                       |      \u2192 fs_reclaim()\n                                       |        \u2192 mmu_notifier_invalidate_range_start()\n                                       |          \u2192 mlx5_ib_invalidate_range()\n                                       |            \u2192 mutex_lock(&umem_odp->umem_mutex)\n   \u2192 cache_ent_find_and_store()        |\n     \u2192 mutex_lock(&dev->cache.rb_lock) |\n\nAdditionally, when kzalloc() is called from within\ncache_ent_find_and_store(), we encounter the same deadlock due to\nre-acquisition of umem_mutex.\n\nSolve by releasing umem_mutex in dereg_mr() after umr_revoke_mr()\nand before acquiring rb_lock. This ensures that we don't hold\numem_mutex while performing memory allocations that could trigger\nthe reclaim path.\n\nThis change prevents the deadlock by ensuring proper lock ordering and\navoiding holding locks during memory allocation operations that could\ntrigger the reclaim path.\n\nThe following lockdep warning demonstrates the deadlock:\n\n python3/20557 is trying to acquire lock:\n ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at:\n mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]\n\n but task is already holding lock:\n ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at:\n unmap_vmas+0x7b/0x1a0\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:\n       fs_reclaim_acquire+0x60/0xd0\n       mem_cgroup_css_alloc+0x6f/0x9b0\n       cgroup_init_subsys+0xa4/0x240\n       cgroup_init+0x1c8/0x510\n       start_kernel+0x747/0x760\n       x86_64_start_reservations+0x25/0x30\n       x86_64_start_kernel+0x73/0x80\n       common_startup_64+0x129/0x138\n\n -> #2 (fs_reclaim){+.+.}-{0:0}:\n       fs_reclaim_acquire+0x91/0xd0\n       __kmalloc_cache_noprof+0x4d/0x4c0\n       mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib]\n       mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib]\n       mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib]\n       __mlx5_ib_add+0x4b/0x190 [mlx5_ib]\n       mlx5r_probe+0xd9/0x320 [mlx5_ib]\n       auxiliary_bus_probe+0x42/0x70\n       really_probe+0xdb/0x360\n       __driver_probe_device+0x8f/0x130\n       driver_probe_device+0x1f/0xb0\n       __driver_attach+0xd4/0x1f0\n       bus_for_each_dev+0x79/0xd0\n       bus_add_driver+0xf0/0x200\n       driver_register+0x6e/0xc0\n       __auxiliary_driver_register+0x6a/0xc0\n       do_one_initcall+0x5e/0x390\n       do_init_module+0x88/0x240\n       init_module_from_file+0x85/0xc0\n       idempotent_init_module+0x104/0x300\n       __x64_sys_finit_module+0x68/0xc0\n       do_syscall_64+0x6d/0x140\n       entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}:\n       __mutex_lock+0x98/0xf10\n       __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib]\n       mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib]\n       ib_dereg_mr_user+0x85/0x1f0 [ib_core]\n  \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38373",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\noptee: ffa: fix sleep in atomic context\n\nThe OP-TEE driver registers the function notif_callback() for FF-A\nnotifications. However, this function is called in an atomic context\nleading to errors like this when processing asynchronous notifications:\n\n | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258\n | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0\n | preempt_count: 1, expected: 0\n | RCU nest depth: 0, expected: 0\n | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0-00019-g657536ebe0aa #13\n | Hardware name: linux,dummy-virt (DT)\n | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn\n | Call trace:\n |  show_stack+0x18/0x24 (C)\n |  dump_stack_lvl+0x78/0x90\n |  dump_stack+0x18/0x24\n |  __might_resched+0x114/0x170\n |  __might_sleep+0x48/0x98\n |  mutex_lock+0x24/0x80\n |  optee_get_msg_arg+0x7c/0x21c\n |  simple_call_with_arg+0x50/0xc0\n |  optee_do_bottom_half+0x14/0x20\n |  notif_callback+0x3c/0x48\n |  handle_notif_callbacks+0x9c/0xe0\n |  notif_get_and_handle+0x40/0x88\n |  generic_exec_single+0x80/0xc0\n |  smp_call_function_single+0xfc/0x1a0\n |  notif_pcpu_irq_work_fn+0x2c/0x38\n |  process_one_work+0x14c/0x2b4\n |  worker_thread+0x2e4/0x3e0\n |  kthread+0x13c/0x210\n |  ret_from_fork+0x10/0x20\n\nFix this by adding a work queue to process the notification in a\nnon-atomic context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38374",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: ensure the received length does not exceed allocated size\n\nIn xdp_linearize_page, when reading the following buffers from the ring,\nwe forget to check the received length against the true allocated size. This\ncan lead to an out-of-bound read. This commit adds that missing check.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38375",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: disconnect/reconnect from host when do suspend/resume\n\nShawn and John reported a hang issue during system suspend as below:\n\n - USB gadget is enabled as Ethernet\n - There is data transfer over USB Ethernet (scp a big file between host\n                                             and device)\n - Device is going in/out suspend (echo mem > /sys/power/state)\n\nThe root cause is the USB device controller is suspended but the USB bus\nis still active, which causes the USB host to continue transferring data with\nthe device and the device to continue queueing USB requests (in this case, a\ndelayed TCP ACK packet triggers the issue) after the controller is suspended,\nhowever the USB controller clock is already gated off. Then if the udc driver\naccesses registers after that point, the system will hang.\n\nThe correct way to avoid such an issue is to disconnect the device from the host\nwhen the USB bus is not in the suspend state. Then the host will receive the\ndisconnect event and stop data transfer in time. To make the USB gadget device\ncontinue to work after system resume, this will reconnect the device automatically.\n\nTo make USB wakeup work if the USB bus is already in the suspend state, this will\nkeep the connection only when the USB device controller has enabled wakeup\ncapability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38376",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: fix dangling neighbour pointers in rose_rt_device_down()\n\nThere are two bugs in rose_rt_device_down() that can cause\nuse-after-free:\n\n1. The loop bound `t->count` is modified within the loop, which can\n   cause the loop to terminate early and miss some entries.\n\n2. When removing an entry from the neighbour array, the subsequent entries\n   are moved up to fill the gap, but the loop index `i` is still\n   incremented, causing the next entry to be skipped.\n\nFor example, if a node has three neighbours (A, A, B) with count=3 and A\nis being removed, the second A is not checked.\n\n    i=0: (A, A, B) -> (A, B) with count=2\n          ^ checked\n    i=1: (A, B)    -> (A, B) with count=2\n             ^ checked (B, not A!)\n    i=2: (doesn't occur because i < count is false)\n\nThis leaves the second A in the array with count=2, but the rose_neigh\nstructure has been freed. Code that accesses these entries assumes that\nthe first `count` entries are valid pointers, causing a use-after-free\nwhen it accesses the dangling pointer.\n\nFix both issues by iterating over the array in reverse order with a fixed\nloop bound. This ensures that all entries are examined and that the removal\nof an entry doesn't affect subsequent iterations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38377",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\n\nIn probe appletb_kbd_probe() a \"struct appletb_kbd *kbd\" is allocated\nvia devm_kzalloc() to store touch bar keyboard related data.\nLater on if backlight_device_get_by_name() finds a backlight device\nwith name \"appletb_backlight\" a timer (kbd->inactivity_timer) is setup\nwith appletb_inactivity_timer() and the timer is armed to run after\nappletb_tb_dim_timeout (60) seconds.\n\nA use-after-free is triggered when failure occurs after the timer is\narmed. This ultimately means probe failure occurs and as a result the\n\"struct appletb_kbd *kbd\" which is device managed memory is freed.\nAfter 60 seconds the timer will have expired and __run_timers will\nattempt to access the timer (kbd->inactivity_timer) however the kbd\nstructure has been freed causing a use-after-free.\n\n[   71.636938] ==================================================================\n[   71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890\n[   71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0\n[   71.637915]\n[   71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)\n[   71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   71.637915] Call Trace:\n[   71.637915]  <IRQ>\n[   71.637915]  dump_stack_lvl+0x53/0x70\n[   71.637915]  print_report+0xce/0x670\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  kasan_report+0xce/0x100\n[   71.637915]  ? __run_timers+0x7ad/0x890\n[   71.637915]  __run_timers+0x7ad/0x890\n[   71.637915]  ? __pfx___run_timers+0x10/0x10\n[   71.637915]  ? update_process_times+0xfc/0x190\n[   71.637915]  ? __pfx_update_process_times+0x10/0x10\n[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0\n[   71.637915]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[   71.637915]  run_timer_softirq+0x141/0x240\n[   71.637915]  ? __pfx_run_timer_softirq+0x10/0x10\n[   71.637915]  ? __pfx___hrtimer_run_queues+0x10/0x10\n[   71.637915]  ? kvm_clock_get_cycles+0x18/0x30\n[   71.637915]  ? ktime_get+0x60/0x140\n[   71.637915]  handle_softirqs+0x1b8/0x5c0\n[   71.637915]  ? __pfx_handle_softirqs+0x10/0x10\n[   71.637915]  irq_exit_rcu+0xaf/0xe0\n[   71.637915]  sysvec_apic_timer_interrupt+0x6c/0x80\n[   71.637915]  </IRQ>\n[   71.637915]\n[   71.637915] Allocated by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  __kasan_kmalloc+0x8f/0xa0\n[   71.637915]  __kmalloc_node_track_caller_noprof+0x195/0x420\n[   71.637915]  devm_kmalloc+0x74/0x1e0\n[   71.637915]  appletb_kbd_probe+0x37/0x3c0\n[   71.637915]  hid_device_probe+0x2d1/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n[   71.637915]\n[   71.637915] Freed by task 39:\n[   71.637915]  kasan_save_stack+0x33/0x60\n[   71.637915]  kasan_save_track+0x14/0x30\n[   71.637915]  kasan_save_free_info+0x3b/0x60\n[   71.637915]  __kasan_slab_free+0x37/0x50\n[   71.637915]  kfree+0xcf/0x360\n[   71.637915]  devres_release_group+0x1f8/0x3c0\n[   71.637915]  hid_device_probe+0x315/0x680\n[   71.637915]  really_probe+0x1c3/0x690\n[   71.637915]  __driver_probe_device+0x247/0x300\n[   71.637915]  driver_probe_device+0x49/0x210\n[...]\n\nThe root cause of the issue is that the timer is not disarmed\non failure paths leading to it remaining active and accessing\nfreed memory. To fix this call timer_delete_sync() to deactivate\nthe timer.\n\nAnother small issue is that timer_delete_sync is called\nunconditionally in appletb_kbd_remove(), fix this by checking\nfor a valid kbd->backlight_dev before calling timer_delete_sync.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38378",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix warning when reconnecting channel\n\nWhen reconnecting a channel in smb2_reconnect_server(), a dummy tcon\nis passed down to smb2_reconnect() with ->query_interface\nuninitialized, so we can't call queue_delayed_work() on it.\n\nFix the following warning by ensuring that we're queueing the delayed\nworker from the correct tcon.\n\nWARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200\nModules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__queue_delayed_work+0x1d2/0x200\nCode: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00\n00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe\nff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9\nRSP: 0018:ffffc900014afad8 EFLAGS: 00010003\nRAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1\nRDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0\nRBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331\nR10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040\nR13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020\nFS:  0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n queue_delayed_work_on+0xb4/0xc0\n smb2_reconnect+0xb22/0xf50 [cifs]\n smb2_reconnect_server+0x413/0xd40 [cifs]\n ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs]\n ? local_clock_noinstr+0xd/0xd0\n ? local_clock+0x15/0x30\n ? lock_release+0x29b/0x390\n process_one_work+0x4c5/0xa10\n ? __pfx_process_one_work+0x10/0x10\n ? __list_add_valid_or_report+0x37/0x120\n worker_thread+0x2f1/0x5a0\n ? __kthread_parkme+0xde/0x100\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x1fe/0x380\n ? kthread+0x10f/0x380\n ? __pfx_kthread+0x10/0x10\n ? local_clock_noinstr+0xd/0xd0\n ? ret_from_fork+0x1b/0x1f0\n ? local_clock+0x15/0x30\n ? lock_release+0x29b/0x390\n ? rcu_is_watching+0x20/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x15b/0x1f0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\nirq event stamp: 1116206\nhardirqs last  enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60\nhardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0\nsoftirqs last  enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs]\nsoftirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38379",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15.6"
        },
        {
          "id": "CVE-2025-38381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt()\n\nThe cs40l50_upload_owt() function allocates memory via kmalloc()\nwithout checking for allocation failure, which could lead to a\nNULL pointer dereference.\n\nReturn -ENOMEM in case allocation fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38381",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix iteration of extrefs during log replay\n\nAt __inode_add_ref() when processing extrefs, if we jump into the next\nlabel we have an undefined value of victim_name.len, since we haven't\ninitialized it before we did the goto. This results in an invalid memory\naccess in the next iteration of the loop since victim_name.len was not\ninitialized to the length of the name of the current extref.\n\nFix this by initializing victim_name.len with the current extref's name\nlength.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38382",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix data race in show_numa_info()\n\nThe following data-race was found in show_numa_info():\n\n==================================================================\nBUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show\n\nread to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0:\n show_numa_info mm/vmalloc.c:4936 [inline]\n vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016\n seq_read_iter+0x373/0xb40 fs/seq_file.c:230\n proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299\n....\n\nwrite to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1:\n show_numa_info mm/vmalloc.c:4934 [inline]\n vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016\n seq_read_iter+0x373/0xb40 fs/seq_file.c:230\n proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299\n....\n\nvalue changed: 0x0000008f -> 0x00000000\n==================================================================\n\nAccording to this report, there is a read/write data-race because\nm->private is accessible to multiple CPUs.  To fix this, instead of\nallocating the heap in proc_vmalloc_init() and passing the heap address to\nm->private, vmalloc_info_show() should allocate the heap.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38383",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spinand: fix memory leak of ECC engine conf\n\nMemory allocated for the ECC engine conf is not released during spinand\ncleanup. Below kmemleak trace is seen for this memory leak:\n\nunreferenced object 0xffffff80064f00e0 (size 8):\n  comm \"swapper/0\", pid 1, jiffies 4294937458\n  hex dump (first 8 bytes):\n    00 00 00 00 00 00 00 00                          ........\n  backtrace (crc 0):\n    kmemleak_alloc+0x30/0x40\n    __kmalloc_cache_noprof+0x208/0x3c0\n    spinand_ondie_ecc_init_ctx+0x114/0x200\n    nand_ecc_init_ctx+0x70/0xa8\n    nanddev_ecc_engine_init+0xec/0x27c\n    spinand_probe+0xa2c/0x1620\n    spi_mem_probe+0x130/0x21c\n    spi_probe+0xf0/0x170\n    really_probe+0x17c/0x6e8\n    __driver_probe_device+0x17c/0x21c\n    driver_probe_device+0x58/0x180\n    __device_attach_driver+0x15c/0x1f8\n    bus_for_each_drv+0xec/0x150\n    __device_attach+0x188/0x24c\n    device_initial_probe+0x10/0x20\n    bus_probe_device+0x11c/0x160\n\nFix the leak by calling nanddev_ecc_engine_cleanup() inside\nspinand_cleanup().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38384",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect\n\nRemove redundant netif_napi_del() call from disconnect path.\n\nA WARN may be triggered in __netif_napi_del_locked() during USB device\ndisconnect:\n\n  WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n\nThis happens because netif_napi_del() is called in the disconnect path while\nNAPI is still enabled. However, it is not necessary to call netif_napi_del()\nexplicitly, since unregister_netdev() will handle NAPI teardown automatically\nand safely. Removing the redundant call avoids triggering the warning.\n\nFull trace:\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV\n lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV\n lan78xx 1-1:1.0 enu1: Link is Down\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n Modules linked in: flexcan can_dev fuse\n CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT\n Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)\n Workqueue: usb_hub_wq hub_event\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __netif_napi_del_locked+0x2b4/0x350\n lr : __netif_napi_del_locked+0x7c/0x350\n sp : ffffffc085b673c0\n x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8\n x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb\n x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000\n x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000\n x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028\n x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8\n x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000\n x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001\n x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000\n Call trace:\n  __netif_napi_del_locked+0x2b4/0x350 (P)\n  lan78xx_disconnect+0xf4/0x360\n  usb_unbind_interface+0x158/0x718\n  device_remove+0x100/0x150\n  device_release_driver_internal+0x308/0x478\n  device_release_driver+0x1c/0x30\n  bus_remove_device+0x1a8/0x368\n  device_del+0x2e0/0x7b0\n  usb_disable_device+0x244/0x540\n  usb_disconnect+0x220/0x758\n  hub_event+0x105c/0x35e0\n  process_one_work+0x760/0x17b0\n  worker_thread+0x768/0xce8\n  kthread+0x3bc/0x690\n  ret_from_fork+0x10/0x20\n irq event stamp: 211604\n hardirqs last  enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98\n hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80\n softirqs last  enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8\n softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20\n ---[ end trace 0000000000000000 ]---\n lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38385",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update at least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this is a result of a clear AML issue that arguably cannot be fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38386",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert\n\nThe obj_event may be loaded immediately after inserted, then if the\nlist_head is not initialized then we may get a poisonous pointer.  This\nfixes the crash below:\n\n mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)\n mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056\n mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0\n mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps\n IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n Mem abort info:\n   ESR = 0x96000006\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n Data abort info:\n   ISV = 0, ISS = 0x00000006\n   CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000\n [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#1] SMP\n Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)\n  [last unloaded: mst_pci]\n CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G           OE K   5.10.134-13.1.an8.aarch64 #1\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023\n pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)\n pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]\n lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]\n sp : ffff80001005bcf0\n x29: ffff80001005bcf0 x28: 0000000000000001\n x27: ffff244e0740a1d8 x26: ffff244e0740a1d0\n x25: ffffda56beff5ae0 x24: ffffda56bf911618\n x23: ffff244e0596a480 x22: ffff244e0596a480\n x21: ffff244d8312ad90 x20: ffff244e0596a480\n x19: fffffffffffffff0 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffda56be66d620\n x15: 0000000000000000 x14: 0000000000000000\n x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000040 x10: ffffda56bfcafb50\n x9 : ffffda5655c25f2c x8 : 0000000000000010\n x7 : 0000000000000000 x6 : ffff24545a2e24b8\n x5 : 0000000000000003 x4 : ffff80001005bd28\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : ffff244e0596a480 x0 : ffff244d8312ad90\n Call trace:\n  dispatch_event_fd+0x68/0x300 [mlx5_ib]\n  devx_event_notifier+0xcc/0x228 [mlx5_ib]\n  atomic_notifier_call_chain+0x58/0x80\n  mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]\n  atomic_notifier_call_chain+0x58/0x80\n  irq_int_handler+0x20/0x30 [mlx5_core]\n  __handle_irq_event_percpu+0x60/0x220\n  handle_irq_event_percpu+0x3c/0x90\n  handle_irq_event+0x58/0x158\n  handle_fasteoi_irq+0xfc/0x188\n  generic_handle_irq+0x34/0x48\n  ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38387",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Replace mutex with rwlock to avoid sleep in atomic context\n\nThe current use of a mutex to protect the notifier hashtable accesses\ncan lead to issues in the atomic context. It results in the below\nkernel warnings:\n\n  |  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258\n  |  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0\n  |  preempt_count: 1, expected: 0\n  |  RCU nest depth: 0, expected: 0\n  |  CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0 #4\n  |  Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn\n  |  Call trace:\n  |   show_stack+0x18/0x24 (C)\n  |   dump_stack_lvl+0x78/0x90\n  |   dump_stack+0x18/0x24\n  |   __might_resched+0x114/0x170\n  |   __might_sleep+0x48/0x98\n  |   mutex_lock+0x24/0x80\n  |   handle_notif_callbacks+0x54/0xe0\n  |   notif_get_and_handle+0x40/0x88\n  |   generic_exec_single+0x80/0xc0\n  |   smp_call_function_single+0xfc/0x1a0\n  |   notif_pcpu_irq_work_fn+0x2c/0x38\n  |   process_one_work+0x14c/0x2b4\n  |   worker_thread+0x2e4/0x3e0\n  |   kthread+0x13c/0x210\n  |   ret_from_fork+0x10/0x20\n\nTo address this, replace the mutex with an rwlock to protect the notifier\nhashtable accesses. This ensures that read-side locking does not sleep and\nmultiple readers can acquire the lock concurrently, avoiding unnecessary\ncontention and potential deadlocks. Writer access remains exclusive,\npreserving correctness.\n\nThis change resolves warnings from lockdep about potential sleep in\natomic context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38388",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix timeline left held on VMA alloc error\n\nThe following error has been reported sporadically by CI when a test\nunbinds the i915 driver on a ring submission platform:\n\n<4> [239.330153] ------------[ cut here ]------------\n<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)\n<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n<4> [239.330942] Call Trace:\n<4> [239.330944]  <TASK>\n<4> [239.330949]  i915_driver_late_release+0x2b/0xa0 [i915]\n<4> [239.331202]  i915_driver_release+0x86/0xa0 [i915]\n<4> [239.331482]  devm_drm_dev_init_release+0x61/0x90\n<4> [239.331494]  devm_action_release+0x15/0x30\n<4> [239.331504]  release_nodes+0x3d/0x120\n<4> [239.331517]  devres_release_all+0x96/0xd0\n<4> [239.331533]  device_unbind_cleanup+0x12/0x80\n<4> [239.331543]  device_release_driver_internal+0x23a/0x280\n<4> [239.331550]  ? bus_find_device+0xa5/0xe0\n<4> [239.331563]  device_driver_detach+0x14/0x20\n...\n<4> [357.719679] ---[ end trace 0000000000000000 ]---\n\nIf the test also unloads the i915 module then that's followed with:\n\n<3> [357.787478] =============================================================================\n<3> [357.788006] BUG i915_vma (Tainted: G     U  W        N ): Objects remaining on __kmem_cache_shutdown()\n<3> [357.788031] -----------------------------------------------------------------------------\n<3> [357.788204] Object 0xffff888109e7f480 @offset=29824\n<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244\n<4> [357.788994]  i915_vma_instance+0xee/0xc10 [i915]\n<4> [357.789290]  init_status_page+0x7b/0x420 [i915]\n<4> [357.789532]  intel_engines_init+0x1d8/0x980 [i915]\n<4> [357.789772]  intel_gt_init+0x175/0x450 [i915]\n<4> [357.790014]  i915_gem_init+0x113/0x340 [i915]\n<4> [357.790281]  i915_driver_probe+0x847/0xed0 [i915]\n<4> [357.790504]  i915_pci_probe+0xe6/0x220 [i915]\n...\n\nCloser analysis of CI results history has revealed a dependency of the\nerror on a few IGT tests, namely:\n- igt@api_intel_allocator@fork-simple-stress-signal,\n- igt@api_intel_allocator@two-level-inception-interruptible,\n- igt@gem_linear_blits@interruptible,\n- igt@prime_mmap_coherency@ioctl-errors,\nwhich invisibly trigger the issue, then exhibited with first driver unbind\nattempt.\n\nAll of the above tests perform actions which are actively interrupted with\nsignals.  Further debugging has allowed us to narrow that scope down to\nDRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring\nsubmission, in particular.\n\nIf successful then that function, or its execlists or GuC submission\nequivalent, is supposed to be called only once per GEM context engine,\nfollowed by raise of a flag that prevents the function from being called\nagain.  The function is expected to unwind its internal errors itself, so\nit may be safely called once more after it returns an error.\n\nIn case of ring submission, the function first gets a reference to the\nengine's legacy timeline and then allocates a VMA.  If the VMA allocation\nfails, e.g. when i915_vma_instance() called from inside is interrupted\nwith a signal, then ring_context_alloc() fails, leaving the timeline held\nreferenced.  On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the\ntimeline is got, and only that last one is put on successful completion.\nAs a consequence, the legacy timeline, with its underlying engine status\npage's VMA object, is still held and not released on driver unbind.\n\nGet the legacy timeline only after successful allocation of the context\nengine's VMA.\n\nv2: Add a note on other submission methods (Krzysztof Karas):\n    Both execlists and GuC submission use lrc_alloc() which seems free\n    from a similar issue.\n\n(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38389",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Fix memory leak by freeing notifier callback node\n\nCommit e0573444edbf (\"firmware: arm_ffa: Add interfaces to request\nnotification callbacks\") adds support for notifier callbacks by allocating\nand inserting a callback node into a hashtable during registration of\nnotifiers. However, during unregistration, the code only removes the\nnode from the hashtable without freeing the associated memory, resulting\nin a memory leak.\n\nResolve the memory leak issue by ensuring the allocated notifier callback\nnode is properly freed after it is removed from the hashtable entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38390",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: do not index invalid pin_assignments\n\nA poorly implemented DisplayPort Alt Mode port partner can indicate\nthat its pin assignment capabilities are greater than the maximum\nvalue, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show\nwill cause a BRK exception due to an out of bounds array access.\n\nPrevent for loop in pin_assignment_show from accessing\ninvalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX\nvalue in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop\ncondition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38391",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert control queue mutex to a spinlock\n\nWith VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated\non module load:\n\n[  324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578\n[  324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager\n[  324.701689] preempt_count: 201, expected: 0\n[  324.701693] RCU nest depth: 0, expected: 0\n[  324.701697] 2 locks held by NetworkManager/1582:\n[  324.701702]  #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0\n[  324.701730]  #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870\n[  324.701749] Preemption disabled at:\n[  324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870\n[  324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)\n[  324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022\n[  324.701774] Call Trace:\n[  324.701777]  <TASK>\n[  324.701779]  dump_stack_lvl+0x5d/0x80\n[  324.701788]  ? __dev_open+0x3dd/0x870\n[  324.701793]  __might_resched.cold+0x1ef/0x23d\n<..>\n[  324.701818]  __mutex_lock+0x113/0x1b80\n<..>\n[  324.701917]  idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]\n[  324.701935]  ? kasan_save_track+0x14/0x30\n[  324.701941]  idpf_mb_clean+0x143/0x380 [idpf]\n<..>\n[  324.701991]  idpf_send_mb_msg+0x111/0x720 [idpf]\n[  324.702009]  idpf_vc_xn_exec+0x4cc/0x990 [idpf]\n[  324.702021]  ? rcu_is_watching+0x12/0xc0\n[  324.702035]  idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]\n<..>\n[  324.702122]  __hw_addr_sync_dev+0x1cf/0x300\n[  324.702126]  ? find_held_lock+0x32/0x90\n[  324.702134]  idpf_set_rx_mode+0x317/0x390 [idpf]\n[  324.702152]  __dev_open+0x3f8/0x870\n[  324.702159]  ? __pfx___dev_open+0x10/0x10\n[  324.702174]  __dev_change_flags+0x443/0x650\n<..>\n[  324.702208]  netif_change_flags+0x80/0x160\n[  324.702218]  do_setlink.isra.0+0x16a0/0x3960\n<..>\n[  324.702349]  rtnl_newlink+0x12fd/0x21e0\n\nThe sequence is as follows:\n\trtnl_newlink()->\n\t__dev_change_flags()->\n\t__dev_open()->\n\tdev_set_rx_mode() - >  # disables BH and grabs \"dev->addr_list_lock\"\n\tidpf_set_rx_mode() ->  # proceed only if VIRTCHNL2_CAP_MACFILTER is ON\n\t__dev_uc_sync() ->\n\tidpf_add_mac_filter ->\n\tidpf_add_del_mac_filters ->\n\tidpf_send_mb_msg() ->\n\tidpf_mb_clean() ->\n\tidpf_ctlq_clean_sq()   # mutex_lock(cq_lock)\n\nFix by converting cq_lock to a spinlock. All operations under the new\nlock are safe except freeing the DMA memory, which may use vunmap(). Fix\nby requesting contiguous physical memory for the DMA mapping.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38392",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN\n\nWe found a few different systems hung up in writeback waiting on the same\npage lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in\npnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count\nwas zero.\n\nIt seems most likely that this is another race between the waiter and waker\nsimilar to commit ed0172af5d6f (\"SUNRPC: Fix a race to wake a sync task\").\nFix it up by applying the advised barrier.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38393",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix memory corruption of input_handler_list\n\nIn appletb_kbd_probe an input handler is initialised and then registered\nwith input core through input_register_handler(). When this happens input\ncore will add the input handler (specifically its node) to the global\ninput_handler_list. The input_handler_list is central to the functionality\nof input core and is traversed in various places in input core. An example\nof this is when a new input device is plugged in and gets registered with\ninput core.\n\nThe input_handler in probe is allocated as device managed memory. If a\nprobe failure occurs after input_register_handler() the input_handler\nmemory is freed, yet it will remain in the input_handler_list. This\neffectively means the input_handler_list contains a dangling pointer\nto data belonging to a freed input handler.\n\nThis causes an issue when any other input device is plugged in - in my\ncase I had an old PixArt HP USB optical mouse and I decided to\nplug it in after a failure occurred after input_register_handler().\nThis lead to the registration of this input device via\ninput_register_device which involves traversing over every handler\nin the corrupted input_handler_list and calling input_attach_handler(),\ngiving each handler a chance to bind to newly registered device.\n\nThe core of this bug is a UAF which causes memory corruption of\ninput_handler_list and to fix it we must ensure the input handler is\nunregistered from input core, this is done through\ninput_unregister_handler().\n\n[   63.191597] ==================================================================\n[   63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0\n[   63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54\n[   63.192094]\n[   63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d\n[   63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164\n[   63.192094] Workqueue: usb_hub_wq hub_event\n[   63.192094] Call Trace:\n[   63.192094]  <TASK>\n[   63.192094]  dump_stack_lvl+0x53/0x70\n[   63.192094]  print_report+0xce/0x670\n[   63.192094]  kasan_report+0xce/0x100\n[   63.192094]  input_attach_handler.isra.0+0x1a9/0x1e0\n[   63.192094]  input_register_device+0x76c/0xd00\n[   63.192094]  hidinput_connect+0x686d/0xad60\n[   63.192094]  hid_connect+0xf20/0x1b10\n[   63.192094]  hid_hw_start+0x83/0x100\n[   63.192094]  hid_device_probe+0x2d1/0x680\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  hid_add_device+0x30b/0x910\n[   63.192094]  usbhid_probe+0x920/0xe00\n[   63.192094]  usb_probe_interface+0x363/0x9a0\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  usb_set_configuration+0xd14/0x1880\n[   63.192094]  usb_generic_driver_probe+0x78/0xb0\n[   63.192094]  usb_probe_device+0xaa/0x2e0\n[   63.192094]  really_probe+0x1c3/0x690\n[   63.192094]  __driver_probe_device+0x247/0x300\n[   63.192094]  driver_probe_device+0x49/0x210\n[   63.192094]  __device_attach_driver+0x160/0x320\n[   63.192094]  bus_for_each_drv+0x10f/0x190\n[   63.192094]  __device_attach+0x18e/0x370\n[   63.192094]  bus_probe_device+0x123/0x170\n[   63.192094]  device_add+0xd4d/0x1460\n[   63.192094]  usb_new_device+0x7b4/0x1000\n[   63.192094]  hub_event+0x234d/0x3\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38394",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: gpio: Fix the out-of-bounds access to drvdata::gpiods\n\ndrvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But\nthe memory is allocated for only one pointer. This will lead to\nout-of-bounds access later in the code if 'config::ngpios' is > 1. So\nfix the code to allocate enough memory to hold 'config::ngpios' of GPIO\ndescriptors.\n\nWhile at it, also move the check for memory allocation failure to be below\nthe allocation to make it more readable.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38395",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38396",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: fix suspicious RCU usage warning\n\nWhen I run the NVME over TCP test in virtme-ng, I get the following\n\"suspicious RCU usage\" warning in nvme_mpath_add_sysfs_link():\n\n'''\n[    5.024557][   T44] nvmet: Created nvm controller 1 for subsystem nqn.2025-06.org.nvmexpress.mptcp for NQN nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77.\n[    5.027401][  T183] nvme nvme0: creating 2 I/O queues.\n[    5.029017][  T183] nvme nvme0: mapped 2/0/0 default/read/poll queues.\n[    5.032587][  T183] nvme nvme0: new ctrl: NQN \"nqn.2025-06.org.nvmexpress.mptcp\", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77\n[    5.042214][   T25]\n[    5.042440][   T25] =============================\n[    5.042579][   T25] WARNING: suspicious RCU usage\n[    5.042705][   T25] 6.16.0-rc3+ #23 Not tainted\n[    5.042812][   T25] -----------------------------\n[    5.042934][   T25] drivers/nvme/host/multipath.c:1203 RCU-list traversed in non-reader section!!\n[    5.043111][   T25]\n[    5.043111][   T25] other info that might help us debug this:\n[    5.043111][   T25]\n[    5.043341][   T25]\n[    5.043341][   T25] rcu_scheduler_active = 2, debug_locks = 1\n[    5.043502][   T25] 3 locks held by kworker/u9:0/25:\n[    5.043615][   T25]  #0: ffff888008730948 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x7ed/0x1350\n[    5.043830][   T25]  #1: ffffc900001afd40 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0xcf3/0x1350\n[    5.044084][   T25]  #2: ffff888013ee0020 (&head->srcu){.+.+}-{0:0}, at: nvme_mpath_add_sysfs_link.part.0+0xb4/0x3a0\n[    5.044300][   T25]\n[    5.044300][   T25] stack backtrace:\n[    5.044439][   T25] CPU: 0 UID: 0 PID: 25 Comm: kworker/u9:0 Not tainted 6.16.0-rc3+ #23 PREEMPT(full)\n[    5.044441][   T25] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[    5.044442][   T25] Workqueue: async async_run_entry_fn\n[    5.044445][   T25] Call Trace:\n[    5.044446][   T25]  <TASK>\n[    5.044449][   T25]  dump_stack_lvl+0x6f/0xb0\n[    5.044453][   T25]  lockdep_rcu_suspicious.cold+0x4f/0xb1\n[    5.044457][   T25]  nvme_mpath_add_sysfs_link.part.0+0x2fb/0x3a0\n[    5.044459][   T25]  ? queue_work_on+0x90/0xf0\n[    5.044461][   T25]  ? lockdep_hardirqs_on+0x78/0x110\n[    5.044466][   T25]  nvme_mpath_set_live+0x1e9/0x4f0\n[    5.044470][   T25]  nvme_mpath_add_disk+0x240/0x2f0\n[    5.044472][   T25]  ? __pfx_nvme_mpath_add_disk+0x10/0x10\n[    5.044475][   T25]  ? add_disk_fwnode+0x361/0x580\n[    5.044480][   T25]  nvme_alloc_ns+0x81c/0x17c0\n[    5.044483][   T25]  ? kasan_quarantine_put+0x104/0x240\n[    5.044487][   T25]  ? __pfx_nvme_alloc_ns+0x10/0x10\n[    5.044495][   T25]  ? __pfx_nvme_find_get_ns+0x10/0x10\n[    5.044496][   T25]  ? rcu_read_lock_any_held+0x45/0xa0\n[    5.044498][   T25]  ? validate_chain+0x232/0x4f0\n[    5.044503][   T25]  nvme_scan_ns+0x4c8/0x810\n[    5.044506][   T25]  ? __pfx_nvme_scan_ns+0x10/0x10\n[    5.044508][   T25]  ? find_held_lock+0x2b/0x80\n[    5.044512][   T25]  ? ktime_get+0x16d/0x220\n[    5.044517][   T25]  ? kvm_clock_get_cycles+0x18/0x30\n[    5.044520][   T25]  ? __pfx_nvme_scan_ns_async+0x10/0x10\n[    5.044522][   T25]  async_run_entry_fn+0x97/0x560\n[    5.044523][   T25]  ? rcu_is_watching+0x12/0xc0\n[    5.044526][   T25]  process_one_work+0xd3c/0x1350\n[    5.044532][   T25]  ? __pfx_process_one_work+0x10/0x10\n[    5.044536][   T25]  ? assign_work+0x16c/0x240\n[    5.044539][   T25]  worker_thread+0x4da/0xd50\n[    5.044545][   T25]  ? __pfx_worker_thread+0x10/0x10\n[    5.044546][   T25]  kthread+0x356/0x5c0\n[    5.044548][   T25]  ? __pfx_kthread+0x10/0x10\n[    5.044549][   T25]  ? ret_from_fork+0x1b/0x2e0\n[    5.044552][   T25]  ? __lock_release.isra.0+0x5d/0x180\n[    5.044553][   T25]  ? ret_from_fork+0x1b/0x2e0\n[    5.044555][   T25]  ? rcu_is_watching+0x12/0xc0\n[    5.044557][   T25]  ? __pfx_kthread+0x10/0x10\n[    5.04\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38397",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: reallocate BAM transactions\n\nUsing the mtd_nandbiterrs module for testing the driver occasionally\nresults in weird things like below.\n\n1. swiotlb mapping fails with the following message:\n\n  [   85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)\n  [   85.932937] qcom_snand 79b0000.spi: failure in mapping desc\n  [   87.999314] qcom_snand 79b0000.spi: failure to write raw page\n  [   87.999352] mtd_nandbiterrs: error: write_oob failed (-110)\n\n  Rebooting the board after this causes a panic due to a NULL pointer\n  dereference.\n\n2. If the swiotlb mapping does not fail, rebooting the board may result\n   in a different panic due to a bad spinlock magic:\n\n  [  256.104459] BUG: spinlock bad magic on CPU#3, procd/2241\n  [  256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b\n  ...\n\nInvestigating the issue revealed that these symptoms are results of\nmemory corruption which is caused by out of bounds access within the\ndriver.\n\nThe driver uses a dynamically allocated structure for BAM transactions,\nwhich structure must have enough space for all possible variations of\ndifferent flash operations initiated by the driver. The required space\nheavily depends on the actual number of 'codewords' which is calculated\nfrom the pagesize of the actual NAND chip.\n\nAlthough the qcom_nandc_alloc() function allocates memory for the BAM\ntransactions during probe, but since the actual number of 'codewords'\nis not yet know the allocation is done for one 'codeword' only.\n\nBecause of this, whenever the driver does a flash operation, and the\nnumber of the required transactions exceeds the size of the allocated\narrays the driver accesses memory out of the allocated range.\n\nTo avoid this, change the code to free the initially allocated BAM\ntransactions memory, and allocate a new one once the actual number of\n'codewords' required for a given NAND chip is known.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38398",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()\n\nThe function core_scsi3_decode_spec_i_port(), in its error code path,\nunconditionally calls core_scsi3_lunacl_undepend_item() passing the\ndest_se_deve pointer, which may be NULL.\n\nThis can lead to a NULL pointer dereference if dest_se_deve remains\nunset.\n\nSPC-3 PR SPEC_I_PT: Unable to locate dest_tpg\nUnable to handle kernel paging request at virtual address dfff800000000012\nCall trace:\n  core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)\n  core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]\n  core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]\n  target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]\n\nFix this by adding a NULL check before calling\ncore_scsi3_lunacl_undepend_item()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38399",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.\n\nsyzbot reported a warning below [1] following a fault injection in\nnfs_fs_proc_net_init(). [0]\n\nWhen nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.\n\nLater, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning\nis logged as the directory is not empty.\n\nLet's handle the error of nfs_fs_proc_net_init() properly.\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n  dump_stack_lvl (lib/dump_stack.c:123)\n should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)\n should_failslab (mm/failslab.c:46)\n kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)\n __proc_create (fs/proc/generic.c:427)\n proc_create_reg (fs/proc/generic.c:554)\n proc_create_net_data (fs/proc/proc_net.c:120)\n nfs_fs_proc_net_init (fs/nfs/client.c:1409)\n nfs_net_init (fs/nfs/inode.c:2600)\n ops_init (net/core/net_namespace.c:138)\n setup_net (net/core/net_namespace.c:443)\n copy_net_ns (net/core/net_namespace.c:576)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))\n ksys_unshare (kernel/fork.c:3123)\n __x64_sys_unshare (kernel/fork.c:3190)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\n[1]:\nremove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'\n WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727\nModules linked in:\nCPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727\nCode: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00\nRSP: 0018:ffffc90003637b08 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8\nRDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001\nRBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00\nR13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000\nFS:  0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76\n  ops_exit_list net/core/net_namespace.c:200 [inline]\n  ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253\n  setup_net+0x2e1/0x510 net/core/net_namespace.c:457\n  copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574\n  create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110\n  unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218\n  ksys_unshare+0x45b/0xa40 kernel/fork.c:3121\n  __do_sys_unshare kernel/fork.c:3192 [inline]\n  __se_sys_unshare kernel/fork.c:3190 [inline]\n  __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa1a6b8e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38400",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtk-sd: Prevent memory corruption from DMA map failure\n\nIf msdc_prepare_data() fails to map the DMA region, the request is\nnot prepared for data receiving, but msdc_start_data() proceeds\nthe DMA with previous setting.\nSince this will lead a memory corruption, we have to stop the\nrequest operation soon after the msdc_prepare_data() fails to\nprepare it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38401",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: return 0 size for RSS key if not supported\n\nReturning -EOPNOTSUPP from function returning u32 is leading to\ncast and invalid size value as a result.\n\n-EOPNOTSUPP as a size probably will lead to allocation fail.\n\nCommand: ethtool -x eth0\nIt is visible on all devices that don't have RSS caps set.\n\n[  136.615917] Call Trace:\n[  136.615921]  <TASK>\n[  136.615927]  ? __warn+0x89/0x130\n[  136.615942]  ? __alloc_frozen_pages_noprof+0x322/0x330\n[  136.615953]  ? report_bug+0x164/0x190\n[  136.615968]  ? handle_bug+0x58/0x90\n[  136.615979]  ? exc_invalid_op+0x17/0x70\n[  136.615987]  ? asm_exc_invalid_op+0x1a/0x20\n[  136.616001]  ? rss_prepare_get.constprop.0+0xb9/0x170\n[  136.616016]  ? __alloc_frozen_pages_noprof+0x322/0x330\n[  136.616028]  __alloc_pages_noprof+0xe/0x20\n[  136.616038]  ___kmalloc_large_node+0x80/0x110\n[  136.616072]  __kmalloc_large_node_noprof+0x1d/0xa0\n[  136.616081]  __kmalloc_noprof+0x32c/0x4c0\n[  136.616098]  ? rss_prepare_get.constprop.0+0xb9/0x170\n[  136.616105]  rss_prepare_get.constprop.0+0xb9/0x170\n[  136.616114]  ethnl_default_doit+0x107/0x3d0\n[  136.616131]  genl_family_rcv_msg_doit+0x100/0x160\n[  136.616147]  genl_rcv_msg+0x1b8/0x2c0\n[  136.616156]  ? __pfx_ethnl_default_doit+0x10/0x10\n[  136.616168]  ? __pfx_genl_rcv_msg+0x10/0x10\n[  136.616176]  netlink_rcv_skb+0x58/0x110\n[  136.616186]  genl_rcv+0x28/0x40\n[  136.616195]  netlink_unicast+0x19b/0x290\n[  136.616206]  netlink_sendmsg+0x222/0x490\n[  136.616215]  __sys_sendto+0x1fd/0x210\n[  136.616233]  __x64_sys_sendto+0x24/0x30\n[  136.616242]  do_syscall_64+0x82/0x160\n[  136.616252]  ? __sys_recvmsg+0x83/0xe0\n[  136.616265]  ? syscall_exit_to_user_mode+0x10/0x210\n[  136.616275]  ? do_syscall_64+0x8e/0x160\n[  136.616282]  ? __count_memcg_events+0xa1/0x130\n[  136.616295]  ? count_memcg_events.constprop.0+0x1a/0x30\n[  136.616306]  ? handle_mm_fault+0xae/0x2d0\n[  136.616319]  ? do_user_addr_fault+0x379/0x670\n[  136.616328]  ? clear_bhb_loop+0x45/0xa0\n[  136.616340]  ? clear_bhb_loop+0x45/0xa0\n[  136.616349]  ? clear_bhb_loop+0x45/0xa0\n[  136.616359]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  136.616369] RIP: 0033:0x7fd30ba7b047\n[  136.616376] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d bd d5 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44\n[  136.616381] RSP: 002b:00007ffde1796d68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\n[  136.616388] RAX: ffffffffffffffda RBX: 000055d7bd89f2a0 RCX: 00007fd30ba7b047\n[  136.616392] RDX: 0000000000000028 RSI: 000055d7bd89f3b0 RDI: 0000000000000003\n[  136.616396] RBP: 00007ffde1796e10 R08: 00007fd30bb4e200 R09: 000000000000000c\n[  136.616399] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d7bd89f340\n[  136.616403] R13: 000055d7bd89f3b0 R14: 000055d78943f200 R15: 0000000000000000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38402",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/vmci: Clear the vmci transport packet properly when initializing it\n\nIn vmci_transport_packet_init memset the vmci_transport_packet before\npopulating the fields to avoid any uninitialised data being left in the\nstructure.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38403",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: displayport: Fix potential deadlock\n\nThe deadlock can occur due to a recursive lock acquisition of\n`cros_typec_altmode_data::mutex`.\nThe call chain is as follows:\n1. cros_typec_altmode_work() acquires the mutex\n2. typec_altmode_vdm() -> dp_altmode_vdm() ->\n3. typec_altmode_exit() -> cros_typec_altmode_exit()\n4. cros_typec_altmode_exit() attempts to acquire the mutex again\n\nTo prevent this, defer the `typec_altmode_exit()` call by scheduling\nit rather than calling it directly from within the mutex-protected\ncontext.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38404",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15.6"
        },
        {
          "id": "CVE-2025-38405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix memory leak of bio integrity\n\nIf nvmet receives commands with metadata there is a continuous memory\nleak of kmalloc-128 slab or more precisely bio->bi_integrity.\n\nSince commit bf4c89fc8797 (\"block: don't call bio_uninit from bio_endio\")\neach user of bio_init has to use bio_uninit as well. Otherwise the bio\nintegrity is not getting free. Nvmet uses bio_init for inline bios.\n\nUninit the inline bio to complete deallocation of integrity in bio.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38405",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath6kl: remove WARN on bad firmware input\n\nIf the firmware gives bad input, that's nothing to do with\nthe driver's stack at this point etc., so the WARN_ON()\ndoesn't add any value. Additionally, this is one of the\ntop syzbot reports now. Just print a message, and as an\nadded bonus, print the sizes too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38406",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: cpu_ops_sbi: Use static array for boot_data\n\nSince commit 6b9f29b81b15 (\"riscv: Enable pcpu page first chunk\nallocator\"), if NUMA is enabled, the page percpu allocator may be used\non very sparse configurations, or when requested on boot with\npercpu_alloc=page.\n\nIn that case, percpu data gets put in the vmalloc area. However,\nsbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data,\nand simply assumes that __pa() would work. This causes the just started\nhart to immediately access an invalid address and hang.\n\nFortunately, struct sbi_hart_boot_data is not too large, so we can\nsimply allocate an array for boot_data statically, putting it in the\nkernel image.\n\nThis fixes NUMA=y SMP boot on Sophgo SG2042.\n\nTo reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then\nrun with:\n\n  qemu-system-riscv64 -M virt -smp 2 -nographic \\\n    -kernel arch/riscv/boot/Image \\\n    -append \"percpu_alloc=page\"\n\nKernel output:\n\n[    0.000000] Booting Linux on hartid 0\n[    0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025\n...\n[    0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712\n...\n[    0.083192] smp: Bringing up secondary CPUs ...\n[    0.086722] ------------[ cut here ]------------\n[    0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080)\n[    0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8\n[    0.088376] Modules linked in:\n[    0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE\n[    0.088833] Hardware name: riscv-virtio,qemu (DT)\n[    0.088948] epc : __virt_to_phys+0xae/0xe8\n[    0.089001]  ra : __virt_to_phys+0xae/0xe8\n[    0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0\n[    0.089057]  gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976\n[    0.089076]  t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0\n[    0.089095]  s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000\n[    0.089113]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.089131]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000\n[    0.089155]  s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001\n[    0.089174]  s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec\n[    0.089193]  s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000\n[    0.089211]  s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7\n[    0.089960]  t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8\n[    0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003\n[    0.090101] [<ffffffff80021eaa>] __virt_to_phys+0xae/0xe8\n[    0.090228] [<ffffffff8001d796>] sbi_cpu_start+0x6e/0xe8\n[    0.090247] [<ffffffff8001a5da>] __cpu_up+0x1e/0x8c\n[    0.090260] [<ffffffff8002a32e>] bringup_cpu+0x42/0x258\n[    0.090277] [<ffffffff8002914c>] cpuhp_invoke_callback+0xe0/0x40c\n[    0.090292] [<ffffffff800294e0>] __cpuhp_invoke_callback_range+0x68/0xfc\n[    0.090320] [<ffffffff8002a96a>] _cpu_up+0x11a/0x244\n[    0.090334] [<ffffffff8002aae6>] cpu_up+0x52/0x90\n[    0.090384] [<ffffffff80c09350>] bringup_nonboot_cpus+0x78/0x118\n[    0.090411] [<ffffffff80c11060>] smp_init+0x34/0xb8\n[    0.090425] [<ffffffff80c01220>] kernel_init_freeable+0x148/0x2e4\n[    0.090442] [<ffffffff80b83802>] kernel_init+0x1e/0x14c\n[    0.090455] [<ffffffff800124ca>] ret_from_fork_kernel+0xe/0xf0\n[    0.090471] [<ffffffff80b8d9c2>] ret_from_fork_kernel_asm+0x16/0x18\n[    0.090560] ---[ end trace 0000000000000000 ]---\n[    1.179875] CPU1: failed to come online\n[    1.190324] smp: Brought up 1 node, 1 CPU",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38407",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/irq_sim: Initialize work context pointers properly\n\nInitialize `ops` member's pointers properly by using kzalloc() instead of\nkmalloc() when allocating the simulation work context. Otherwise the\npointers contain random content leading to invalid dereferencing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38408",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix another leak in the submit error path\n\nput_unused_fd() doesn't free the installed file, if we've already done\nfd_install().  So we need to also free the sync_file.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653583/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38409",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix a fence leak in submit error path\n\nIn error paths, we could unref the submit without calling\ndrm_sched_entity_push_job(), so msm_job_free() will never get\ncalled.  Since drm_sched_job_cleanup() will NULL out the\ns_fence, we can use that to detect this case.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653584/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38410",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix double put of request\n\nIf a netfs request finishes during the pause loop, it will have the ref\nthat belongs to the IN_PROGRESS flag removed at that point - however, if it\nthen goes to the final wait loop, that will *also* put the ref because it\nsees that the IN_PROGRESS flag is clear and incorrectly assumes that this\nhappened when it called the collector.\n\nIn fact, since IN_PROGRESS is clear, we shouldn't call the collector again\nsince it's done all the cleanup, such as calling ->ki_complete().\n\nFix this by making netfs_collect_in_app() just return, indicating that\nwe're done if IN_PROGRESS is removed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38411",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15.6"
        },
        {
          "id": "CVE-2025-38412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks\n\nAfter retrieving WMI data blocks in sysfs callbacks, check for the\nvalidity of them before dereferencing their content.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38412",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: xsk: rx: fix the frame's length check\n\nWhen calling buf_to_xdp, the len argument is the frame data's length\nwithout virtio header's length (vi->hdr_len). We check that len with\n\n\txsk_pool_get_rx_frame_size() + vi->hdr_len\n\nto ensure the provided len is not larger than the allocated chunk\nsize. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk,\nwe use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost\nto start placing data from\n\n\thard_start + XDP_PACKET_HEADROOM - vi->hdr_len\nnot\n\thard_start + XDP_PACKET_HEADROOM\n\nBut the first buffer has virtio_header, so the maximum frame's length in\nthe first buffer can only be\n\n\txsk_pool_get_rx_frame_size()\nnot\n\txsk_pool_get_rx_frame_size() + vi->hdr_len\n\nlike in the current check.\n\nThis commit adds an additional argument to buf_to_xdp to differentiate\nbetween the first buffer and other ones to correctly calculate the maximum\nframe's length.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38413",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850\n\nGCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash\non some specific platforms.\n\nSince this register is divergent for WCN7850 and QCN9274, move it to\nregister table to allow different definitions. Then correct the register\naddress for WCN7850 to fix this issue.\n\nNote IPQ5332 is not affected as it is not PCIe based device.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38414",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check return result of sb_min_blocksize\n\nSyzkaller reports an \"UBSAN: shift-out-of-bounds in squashfs_bio_read\" bug.\n\nSyzkaller forks multiple processes which, after mounting the Squashfs\nfilesystem, issue an ioctl(\"/dev/loop0\", LOOP_SET_BLOCK_SIZE, 0x8000).\nNow if this ioctl occurs at the same time another process is in the\nprocess of mounting a Squashfs filesystem on /dev/loop0, the failure\noccurs.  When this happens the following code in squashfs_fill_super()\nfails.\n\n----\nmsblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);\nmsblk->devblksize_log2 = ffz(~msblk->devblksize);\n----\n\nsb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.\n\nAs a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2\nis set to 64.\n\nThis subsequently causes the\n\nUBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36\nshift exponent 64 is too large for 64-bit type 'u64' (aka\n'unsigned long long')\n\nThis commit adds a check for a 0 return by sb_min_blocksize().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38415",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: uart: Set tty->disc_data only in success path\n\nSetting tty->disc_data before opening the NCI device means we need to\nclean it up on error paths.  This also opens some short window if device\nstarts sending data, even before NCIUARTSETDRIVER IOCTL succeeded\n(broken hardware?).  Close the window by exposing tty->disc_data only on\nthe success path, when opening of the NCI device and try_module_get()\nsucceeds.\n\nThe code differs in error path in one aspect: tty->disc_data won't be\never assigned thus NULL-ified.  This however should not be relevant\ndifference, because of \"tty->disc_data=NULL\" in nci_uart_tty_open().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38416",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix eswitch code memory leak in reset scenario\n\nAdd simple eswitch mode checker in attaching VF procedure and allocate\nrequired port representor memory structures only in switchdev mode.\nThe reset flows trigger VF (if present) detach/attach procedure.\nIt might involve VF port representor(s) re-creation if the device is\nconfigured in switchdev mode (not legacy one).\nThe memory was blindly allocated in current implementation,\nregardless of the mode and not freed if in legacy mode.\n\nKmemleak trace:\nunreferenced object (percpu) 0x7e3bce5b888458 (size 40):\n  comm \"bash\", pid 1784, jiffies 4295743894\n  hex dump (first 32 bytes on cpu 45):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 0):\n    pcpu_alloc_noprof+0x4c4/0x7c0\n    ice_repr_create+0x66/0x130 [ice]\n    ice_repr_create_vf+0x22/0x70 [ice]\n    ice_eswitch_attach_vf+0x1b/0xa0 [ice]\n    ice_reset_all_vfs+0x1dd/0x2f0 [ice]\n    ice_pci_err_resume+0x3b/0xb0 [ice]\n    pci_reset_function+0x8f/0x120\n    reset_store+0x56/0xa0\n    kernfs_fop_write_iter+0x120/0x1b0\n    vfs_write+0x31c/0x430\n    ksys_write+0x61/0xd0\n    do_syscall_64+0x5b/0x180\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTesting hints (ethX is PF netdev):\n- create at least one VF\n    echo 1 > /sys/class/net/ethX/device/sriov_numvfs\n- trigger the reset\n    echo 1 > /sys/class/net/ethX/device/reset",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38417",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Release rproc->clean_table after rproc_attach() fails\n\nWhen rproc->state = RPROC_DETACHED is attached to remote processor\nthrough rproc_attach(), if rproc_handle_resources() returns failure,\nthen the clean table should be released, otherwise the following\nmemory leak will occur.\n\nunreferenced object 0xffff000086a99800 (size 1024):\ncomm \"kworker/u12:3\", pid 59, jiffies 4294893670 (age 121.140s)\nhex dump (first 32 bytes):\n00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............\n00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............\nbacktrace:\n [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc\n [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230\n [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260\n [<0000000037818dae>] kmemdup+0x34/0x60\n [<00000000610f7f57>] rproc_boot+0x35c/0x56c\n [<0000000065f8871a>] rproc_add+0x124/0x17c\n [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4\n [<000000003bcaa37d>] platform_probe+0x68/0xd8\n [<00000000771577f9>] really_probe+0x110/0x27c\n [<00000000531fea59>] __driver_probe_device+0x78/0x12c\n [<0000000080036a04>] driver_probe_device+0x3c/0x118\n [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8\n [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4\n [<000000001a53b53e>] __device_attach+0xfc/0x18c\n [<00000000d1a2a32c>] device_initial_probe+0x14/0x20\n [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4\n unreferenced object 0xffff0000864c9690 (size 16):",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38418",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()\n\nWhen rproc->state = RPROC_DETACHED and rproc_attach() is used\nto attach to the remote processor, if rproc_handle_resources()\nreturns a failure, the resources allocated by imx_rproc_prepare()\nshould be released, otherwise the following memory leak will occur.\n\nSince almost the same thing is done in imx_rproc_prepare() and\nrproc_resource_cleanup(), and function rproc_resource_cleanup() is able\nto deal with empty lists, it is better to fix the \"goto\" statements\nin rproc_attach(). Replace the \"unprepare_device\" goto statement with\n\"clean_up_resources\" and get rid of the \"unprepare_device\" label.\n\nunreferenced object 0xffff0000861c5d00 (size 128):\ncomm \"kworker/u12:3\", pid 59, jiffies 4294893509 (age 149.220s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............\nbacktrace:\n [<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c\n [<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0\n [<00000000521c0345>] kmalloc_trace+0x40/0x158\n [<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8\n [<000000002815755e>] imx_rproc_prepare+0xe0/0x180\n [<0000000003f61b4e>] rproc_boot+0x2ec/0x528\n [<00000000e7e994ac>] rproc_add+0x124/0x17c\n [<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4\n [<00000000efc298a1>] platform_probe+0x68/0xd8\n [<00000000110be6fe>] really_probe+0x110/0x27c\n [<00000000e245c0ae>] __driver_probe_device+0x78/0x12c\n [<00000000f61f6f5e>] driver_probe_device+0x3c/0x118\n [<00000000a7874938>] __device_attach_driver+0xb8/0xf8\n [<0000000065319e69>] bus_for_each_drv+0x84/0xe4\n [<00000000db3eb243>] __device_attach+0xfc/0x18c\n [<0000000072e4e1a4>] device_initial_probe+0x14/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38419",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: do not ping device which has failed to load firmware\n\nSyzkaller reports [1, 2] crashes caused by an attempts to ping\nthe device which has failed to load firmware. Since such a device\ndoesn't pass 'ieee80211_register_hw()', an internal workqueue\nmanaged by 'ieee80211_queue_work()' is not yet created and an\nattempt to queue work on it causes null-ptr-deref.\n\n[1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff\n[2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38420",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: pmf: Use device managed allocations\n\nIf setting up smart PC fails for any reason then this can lead to\na double free when unloading amd-pmf.  This is because dev->buf was\nfreed but never set to NULL and is again freed in amd_pmf_remove().\n\nTo avoid subtle allocation bugs in failures leading to a double free\nchange all allocations into device managed allocations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38421",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices\n\nMaximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb\nand 64 Kb respectively. Adjust max size definitions and return correct\nEEPROM length based on device. Also prevent out-of-bound read/write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38422",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd9375: Fix double free of regulator supplies\n\nDriver gets regulator supplies in probe path with\ndevm_regulator_bulk_get(), so should not call regulator_bulk_free() in\nerror and remove paths to avoid double free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38423",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix sample vs do_exit()\n\nBaisheng Gao reported an ARM64 crash, which Mark decoded as being a\nsynchronous external abort -- most likely due to trying to access\nMMIO in bad ways.\n\nThe crash further shows perf trying to do a user stack sample while in\nexit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address\nspace it is trying to access.\n\nIt turns out that we stop perf after we tear down the userspace mm; a\nrecipe for disaster, since perf likes to access userspace for\nvarious reasons.\n\nFlip this order by moving up where we stop perf in do_exit().\n\nAdditionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER\nto abort when the current task does not have an mm (exit_mm() makes\nsure to set current->mm = NULL; before commencing with the actual\nteardown). Such that CPU wide events don't trip on this same problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38424",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: check msg length in SMBUS block read\n\nFor SMBUS block read, do not continue to read if the message length\npassed from the device is '0' or greater than the maximum allowed bytes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38425",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add basic validation for RAS header\n\nIf RAS header read from EEPROM is corrupted, it could result in trying\nto allocate huge memory for reading the records. Add some validation to\nheader fields.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38426",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: screen_info: Relocate framebuffers behind PCI bridges\n\nApply PCI host-bridge window offsets to screen_info framebuffers. Fixes\ninvalid access to I/O memory.\n\nResources behind a PCI host bridge can be relocated by a certain offset\nin the kernel's CPU address range used for I/O. The framebuffer memory\nrange stored in screen_info refers to the CPU addresses as seen during\nboot (where the offset is 0). During boot up, firmware may assign a\ndifferent memory offset to the PCI host bridge and thereby relocating\nthe framebuffer address of the PCI graphics device as seen by the kernel.\nThe information in screen_info must be updated as well.\n\nThe helper pcibios_bus_to_resource() performs the relocation of the\nscreen_info's framebuffer resource (given in PCI bus addresses). The\nresult matches the I/O-memory resource of the PCI graphics device (given\nin CPU addresses). As before, we store away the information necessary to\nlater update the information in screen_info itself.\n\nCommit 78aa89d1dfba (\"firmware/sysfb: Update screen_info for relocated\nEFI framebuffers\") added the code for updating screen_info. It is based\non similar functionality that pre-existed in efifb. Efifb uses a pointer\nto the PCI resource, while the newer code does a memcpy of the region.\nHence efifb sees any updates to the PCI resource and avoids the issue.\n\nv3:\n- Only use struct pci_bus_region for PCI bus addresses (Bjorn)\n- Clarify address semantics in commit messages and comments (Bjorn)\nv2:\n- Fixed tags (Takashi, Ivan)\n- Updated information on efifb",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38427",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ims-pcu - check record size in ims_pcu_flash_firmware()\n\nThe \"len\" variable comes from the firmware and we generally do\ntrust firmware, but it's always better to double check.  If the \"len\"\nis too large it could result in memory corruption when we do\n\"memcpy(fragment->data, rec->data, len);\"",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38428",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: ep: Update read pointer only after buffer is written\n\nInside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated\nbefore the buffer is written, potentially causing race conditions where\nthe host sees an updated read pointer before the buffer is actually\nwritten. Updating rd_offset prematurely can lead to the host accessing\nan uninitialized or incomplete element, resulting in data corruption.\n\nInvoke the buffer write before updating rd_offset to ensure the element\nis fully written before signaling its availability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38429",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: nfsd4_spo_must_allow() must check this is a v4 compound request\n\nIf the request being processed is not a v4 compound request, then\nexamining the cstate can have undefined results.\n\nThis patch adds a check that the rpc procedure being executed\n(rq_procinfo) is the NFSPROC4_COMPOUND procedure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38430",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix regression with native SMB symlinks\n\nSome users and customers reported that their backup/copy tools started\nto fail when the directory being copied contained symlink targets that\nthe client couldn't parse - even when those symlinks weren't followed.\n\nFix this by allowing lstat(2) and readlink(2) to succeed even when the\nclient can't resolve the symlink target, restoring old behavior.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38431",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: Initialize UDP checksum field before checksumming\n\ncommit f1fce08e63fe (\"netpoll: Eliminate redundant assignment\") removed\nthe initialization of the UDP checksum, which was wrong and broke\nnetpoll IPv6 transmission due to bad checksumming.\n\nudph->check needs to be set before calling csum_ipv6_magic().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38432",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix runtime constant support for nommu kernels\n\nthe `__runtime_fixup_32` function does not handle the case where `val` is\nzero correctly (as might occur when patching a nommu kernel and referring\nto a physical address below the 4GiB boundary whose upper 32 bits are all\nzero) because nothing in the existing logic prevents the code from taking\nthe `else` branch of both nop-checks and emitting two `nop` instructions.\n\nThis leaves random garbage in the register that is supposed to receive the\nupper 32 bits of the pointer instead of zero that when combined with the\nvalue for the lower 32 bits yields an invalid pointer and causes a kernel\npanic when that pointer is eventually accessed.\n\nThe author clearly considered the fact that if the `lui` is converted into\na `nop` that the second instruction needs to be adjusted to become an `li`\ninstead of an `addi`, hence introducing the `addi_insn_mask` variable, but\ndidn't follow that logic through fully to the case where the `else` branch\nexecutes. To fix it just adjust the logic to ensure that the second `else`\nbranch is not taken if the first instruction will be patched to a `nop`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38433",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"riscv: Define TASK_SIZE_MAX for __access_ok()\"\n\nThis reverts commit ad5643cf2f69 (\"riscv: Define TASK_SIZE_MAX for\n__access_ok()\").\n\nThis commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),\nbecause the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some\ncomputation.\n\nThe reasoning was that all user addresses are less than LONG_MAX, and all\nkernel addresses are greater than LONG_MAX. Therefore access_ok() can\nfilter kernel addresses.\n\nAddresses between TASK_SIZE and LONG_MAX are not valid user addresses, but\naccess_ok() let them pass. That was thought to be okay, because they are\nnot valid addresses at hardware level.\n\nUnfortunately, one case is missed: get_user_pages_fast() happily accepts\naddresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses\nget_user_pages_fast(). This causes the problem reported by Robert [1].\n\nTherefore, revert this commit. TASK_SIZE_MAX is changed to the default:\nTASK_SIZE.\n\nThis unfortunately reduces performance, because TASK_SIZE is more expensive\nto compute compared to LONG_MAX. But correctness first, we can think about\noptimization later, if required.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38434",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: vector: Fix context save/restore with xtheadvector\n\nPreviously only v0-v7 were correctly saved/restored,\nand the context of v8-v31 was damaged.\nCorrectly save/restore v8-v31 to avoid breaking userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38435",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/scheduler: signal scheduled fence when kill job\n\nWhen an entity from application B is killed, drm_sched_entity_kill()\nremoves all jobs belonging to that entity through\ndrm_sched_entity_kill_jobs_work(). If application A's job depends on a\nscheduled fence from application B's job, and that fence is not properly\nsignaled during the killing process, application A's dependency cannot be\ncleared.\n\nThis leads to application A hanging indefinitely while waiting for a\ndependency that will never be resolved. Fix this issue by ensuring that\nscheduled fences are properly signaled when an entity is killed, allowing\ndependent applications to continue execution.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38436",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential use-after-free in oplock/lease break ack\n\nIf ksmbd_iov_pin_rsp return error, use-after-free can happen by\naccessing opinfo->state and opinfo_put and ksmbd_fd_put could\ncalled twice.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38437",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.\n\nsof_pdata->tplg_filename can have address allocated by kstrdup()\nand can be overwritten. Memory leak was detected with kmemleak:\n\nunreferenced object 0xffff88812391ff60 (size 16):\n  comm \"kworker/4:1\", pid 161, jiffies 4294802931\n  hex dump (first 16 bytes):\n    73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00  sof-hda-generic.\n  backtrace (crc 4bf1675c):\n    __kmalloc_node_track_caller_noprof+0x49c/0x6b0\n    kstrdup+0x46/0xc0\n    hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic]\n    sof_init_environment+0x16f/0xb50 [snd_sof]\n    sof_probe_continue+0x45/0x7c0 [snd_sof]\n    sof_probe_work+0x1e/0x40 [snd_sof]\n    process_one_work+0x894/0x14b0\n    worker_thread+0x5e5/0xfb0\n    kthread+0x39d/0x760\n    ret_from_fork+0x31/0x70\n    ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38438",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n\nWhen transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()\nwith the proper length instead of 0.  This bug triggers this warning\non a system with IOMMU enabled:\n\nWARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170\nRIP: 0010:__iommu_dma_unmap+0x159/0x170\nCode: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45\nb8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00\nRSP: 0018:ff22d31181150c88 EFLAGS: 00010206\nRAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000\nR10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000\nR13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00\nFS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0\nPKRU: 55555554\nCall Trace:\n<IRQ>\n? show_regs+0x6d/0x80\n? __warn+0x89/0x160\n? __iommu_dma_unmap+0x159/0x170\n? report_bug+0x17e/0x1b0\n? handle_bug+0x46/0x90\n? exc_invalid_op+0x18/0x80\n? asm_exc_invalid_op+0x1b/0x20\n? __iommu_dma_unmap+0x159/0x170\n? __iommu_dma_unmap+0xb3/0x170\niommu_dma_unmap_page+0x4f/0x100\ndma_unmap_page_attrs+0x52/0x220\n? srso_alias_return_thunk+0x5/0xfbef5\n? xdp_return_frame+0x2e/0xd0\nbnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]\n__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]\nbnxt_poll+0xd3/0x1e0 [bnxt_en]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38439",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix race between DIM disable and net_dim()\n\nThere's a race between disabling DIM and NAPI callbacks using the dim\npointer on the RQ or SQ.\n\nIf NAPI checks the DIM state bit and sees it still set, it assumes\n`rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after\nthat check, the pointer might already be set to NULL, leading to a NULL\npointer dereference in net_dim().\n\nFix this by calling `synchronize_net()` before freeing the DIM context.\nThis ensures all in-progress NAPI callbacks are finished before the\npointer is cleared.\n\nKernel log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:net_dim+0x23/0x190\n...\nCall Trace:\n <TASK>\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? common_interrupt+0xf/0xa0\n ? sysvec_call_function_single+0xb/0x90\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? net_dim+0x23/0x190\n ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]\n ? sysvec_apic_timer_interrupt+0xb/0x90\n mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]\n mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]\n ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core]\n busy_poll_stop+0xa2/0x200\n ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core]\n ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core]\n __napi_busy_loop+0x345/0x3b0\n ? sysvec_call_function_single+0xb/0x90\n ? asm_sysvec_call_function_single+0x16/0x20\n ? sysvec_apic_timer_interrupt+0xb/0x90\n ? pcpu_free_area+0x1e4/0x2e0\n napi_busy_loop+0x11/0x20\n xsk_recvmsg+0x10c/0x130\n sock_recvmsg+0x44/0x70\n __sys_recvfrom+0xbc/0x130\n ? __schedule+0x398/0x890\n __x64_sys_recvfrom+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n...\n---[ end trace 0000000000000000 ]---\n...\n---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38440",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()\n\nsyzbot found a potential access to uninit-value in nf_flow_pppoe_proto()\n\nBlamed commit forgot the Ethernet header.\n\nBUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27\n  nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n  nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623\n  nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]\n  nf_ingress net/core/dev.c:5742 [inline]\n  __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837\n  __netif_receive_skb_one_core net/core/dev.c:5975 [inline]\n  __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090\n  netif_receive_skb_internal net/core/dev.c:6176 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6235\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xb4b/0x1580 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38441",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: reject bs > ps block devices when THP is disabled\n\nIf THP is disabled and when a block device with logical block size >\npage size is present, the following null ptr deref panic happens during\nboot:\n\n[   [13.2 mK  AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07]\n[   13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380\n<snip>\n[   13.025448] Call Trace:\n[   13.025692]  <TASK>\n[   13.025895]  block_read_full_folio+0x610/0x780\n[   13.026379]  ? __pfx_blkdev_get_block+0x10/0x10\n[   13.027008]  ? __folio_batch_add_and_move+0x1fa/0x2b0\n[   13.027548]  ? __pfx_blkdev_read_folio+0x10/0x10\n[   13.028080]  filemap_read_folio+0x9b/0x200\n[   13.028526]  ? __pfx_filemap_read_folio+0x10/0x10\n[   13.029030]  ? __filemap_get_folio+0x43/0x620\n[   13.029497]  do_read_cache_folio+0x155/0x3b0\n[   13.029962]  ? __pfx_blkdev_read_folio+0x10/0x10\n[   13.030381]  read_part_sector+0xb7/0x2a0\n[   13.030805]  read_lba+0x174/0x2c0\n<snip>\n[   13.045348]  nvme_scan_ns+0x684/0x850 [nvme_core]\n[   13.045858]  ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core]\n[   13.046414]  ? _raw_spin_unlock+0x15/0x40\n[   13.046843]  ? __switch_to+0x523/0x10a0\n[   13.047253]  ? kvm_clock_get_cycles+0x14/0x30\n[   13.047742]  ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core]\n[   13.048353]  async_run_entry_fn+0x96/0x4f0\n[   13.048787]  process_one_work+0x667/0x10a0\n[   13.049219]  worker_thread+0x63c/0xf60\n\nAs large folio support depends on THP, only allow bs > ps block devices\nif THP is enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38442",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nThere is a use-after-free issue in nbd:\n\nblock nbd6: Receive control failed (result -104)\nblock nbd6: shutting down sockets\n==================================================================\nBUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022\nWrite of size 4 at addr ffff8880295de478 by task kworker/u33:0/67\n\nCPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: nbd6-recv recv_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]\n recv_work+0x694/0xa80 drivers/block/nbd.c:1022\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nnbd_genl_connect() does not properly stop the device on certain\nerror paths after nbd_start_device() has been called. This causes\nthe error path to put nbd->config while recv_work continue to use\nthe config after putting it, leading to use-after-free in recv_work.\n\nThis patch moves nbd_start_device() after the backend file creation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38443",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid10: cleanup memleak at raid10_make_request\n\nIf raid10_read_request or raid10_write_request registers a new\nrequest and the REQ_NOWAIT flag is set, the code does not\nfree the malloc from the mempool.\n\nunreferenced object 0xffff8884802c3200 (size 192):\n   comm \"fio\", pid 9197, jiffies 4298078271\n   hex dump (first 32 bytes):\n     00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00  .........A......\n     08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n   backtrace (crc c1a049a2):\n     __kmalloc+0x2bb/0x450\n     mempool_alloc+0x11b/0x320\n     raid10_make_request+0x19e/0x650 [raid10]\n     md_handle_request+0x3b3/0x9e0\n     __submit_bio+0x394/0x560\n     __submit_bio_noacct+0x145/0x530\n     submit_bio_noacct_nocheck+0x682/0x830\n     __blkdev_direct_IO_async+0x4dc/0x6b0\n     blkdev_read_iter+0x1e5/0x3b0\n     __io_read+0x230/0x1110\n     io_read+0x13/0x30\n     io_issue_sqe+0x134/0x1180\n     io_submit_sqes+0x48c/0xe90\n     __do_sys_io_uring_enter+0x574/0x8b0\n     do_syscall_64+0x5c/0xe0\n     entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nV4: changing backing tree to see if CKI tests will pass.\nThe patch code has not changed between any versions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38444",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: Fix stack memory use after return in raid1_reshape\n\nIn the raid1_reshape function, newpool is\nallocated on the stack and assigned to conf->r1bio_pool.\nThis results in conf->r1bio_pool.wait.head pointing\nto a stack address.\nAccessing this address later can lead to a kernel panic.\n\nExample access path:\n\nraid1_reshape()\n{\n\t// newpool is on the stack\n\tmempool_t newpool, oldpool;\n\t// initialize newpool.wait.head to stack address\n\tmempool_init(&newpool, ...);\n\tconf->r1bio_pool = newpool;\n}\n\nraid1_read_request() or raid1_write_request()\n{\n\talloc_r1bio()\n\t{\n\t\tmempool_alloc()\n\t\t{\n\t\t\t// if pool->alloc fails\n\t\t\tremove_element()\n\t\t\t{\n\t\t\t\t--pool->curr_nr;\n\t\t\t}\n\t\t}\n\t}\n}\n\nmempool_free()\n{\n\tif (pool->curr_nr < pool->min_nr) {\n\t\t// pool->wait.head is a stack address\n\t\t// wake_up() will try to access this invalid address\n\t\t// which leads to a kernel panic\n\t\treturn;\n\t\twake_up(&pool->wait);\n\t}\n}\n\nFix:\nreinit conf->r1bio_pool.wait after assigning newpool.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38445",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data\n\nWhen num_parents is 4, __clk_register() occurs an out-of-bounds\nwhen accessing parent_names member. Use ARRAY_SIZE() instead of\nhardcode number here.\n\n BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8\n Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59\n  Hardware name: NXP i.MX95 19X19 board (DT)\n  Workqueue: events_unbound deferred_probe_work_func\n  Call trace:\n    dump_backtrace+0x94/0xec\n    show_stack+0x18/0x24\n    dump_stack_lvl+0x8c/0xcc\n    print_report+0x398/0x5fc\n    kasan_report+0xd4/0x114\n    __asan_report_load8_noabort+0x20/0x2c\n    __clk_register+0x1844/0x20d8\n    clk_hw_register+0x44/0x110\n    __clk_hw_register_mux+0x284/0x3a8\n    imx95_bc_probe+0x4f4/0xa70",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38446",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/rmap: fix potential out-of-bounds page table access during batched unmap\n\nAs pointed out by David[1], the batched unmap logic in\ntry_to_unmap_one() may read past the end of a PTE table when a large\nfolio's PTE mappings are not fully contained within a single page\ntable.\n\nWhile this scenario might be rare, an issue triggerable from userspace\nmust be fixed regardless of its likelihood.  This patch fixes the\nout-of-bounds access by refactoring the logic into a new helper,\nfolio_unmap_pte_batch().\n\nThe new helper correctly calculates the safe batch size by capping the\nscan at both the VMA and PMD boundaries.  To simplify the code, it also\nsupports partial batching (i.e., any number of pages from 1 up to the\ncalculated safe maximum), as there is no strong reason to special-case\nfor fully mapped folios.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38447",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_serial: Fix race condition in TTY wakeup\n\nA race condition occurs when gs_start_io() calls either gs_start_rx() or\ngs_start_tx(), as those functions briefly drop the port_lock for\nusb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear\nport.tty and port_usb, respectively.\n\nUse the null-safe TTY Port helper function to wake up TTY.\n\nExample\n  CPU1:\t\t\t      CPU2:\n  gserial_connect() // lock\n  \t\t\t      gs_close() // await lock\n  gs_start_rx()     // unlock\n  usb_ep_queue()\n  \t\t\t      gs_close() // lock, reset port.tty and unlock\n  gs_start_rx()     // lock\n  tty_wakeup()      // NPE",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38448",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Acquire references on GEM handles for framebuffers\n\nA GEM handle can be released while the GEM buffer object is attached\nto a DRM framebuffer. This leads to the release of the dma-buf backing\nthe buffer object, if any. [1] Trying to use the framebuffer in further\nmode-setting operations leads to a segmentation fault. Most easily\nhappens with driver that use shadow planes for vmap-ing the dma-buf\nduring a page flip. An example is shown below.\n\n[  156.791968] ------------[ cut here ]------------\n[  156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430\n[...]\n[  156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430\n[  157.043420] Call Trace:\n[  157.045898]  <TASK>\n[  157.048030]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.052436]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.056836]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.061253]  ? drm_gem_shmem_vmap+0x74/0x710\n[  157.065567]  ? dma_buf_vmap+0x224/0x430\n[  157.069446]  ? __warn.cold+0x58/0xe4\n[  157.073061]  ? dma_buf_vmap+0x224/0x430\n[  157.077111]  ? report_bug+0x1dd/0x390\n[  157.080842]  ? handle_bug+0x5e/0xa0\n[  157.084389]  ? exc_invalid_op+0x14/0x50\n[  157.088291]  ? asm_exc_invalid_op+0x16/0x20\n[  157.092548]  ? dma_buf_vmap+0x224/0x430\n[  157.096663]  ? dma_resv_get_singleton+0x6d/0x230\n[  157.101341]  ? __pfx_dma_buf_vmap+0x10/0x10\n[  157.105588]  ? __pfx_dma_resv_get_singleton+0x10/0x10\n[  157.110697]  drm_gem_shmem_vmap+0x74/0x710\n[  157.114866]  drm_gem_vmap+0xa9/0x1b0\n[  157.118763]  drm_gem_vmap_unlocked+0x46/0xa0\n[  157.123086]  drm_gem_fb_vmap+0xab/0x300\n[  157.126979]  drm_atomic_helper_prepare_planes.part.0+0x487/0xb10\n[  157.133032]  ? lockdep_init_map_type+0x19d/0x880\n[  157.137701]  drm_atomic_helper_commit+0x13d/0x2e0\n[  157.142671]  ? drm_atomic_nonblocking_commit+0xa0/0x180\n[  157.147988]  drm_mode_atomic_ioctl+0x766/0xe40\n[...]\n[  157.346424] ---[ end trace 0000000000000000 ]---\n\nAcquiring GEM handles for the framebuffer's GEM buffer objects prevents\nthis from happening. The framebuffer's cleanup later puts the handle\nreferences.\n\nCommit 1a148af06000 (\"drm/gem-shmem: Use dma_buf from GEM object\ninstance\") triggers the segmentation fault easily by using the dma-buf\nfield more widely. The underlying issue with reference counting has\nbeen present before.\n\nv2:\n- acquire the handle instead of the BO (Christian)\n- fix comment style (Christian)\n- drop the Fixes tag (Christian)\n- rename err_ gotos\n- add missing Link tag",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38449",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()\n\nAdd a NULL check for msta->vif before accessing its members to prevent\na kernel panic in AP mode deployment. This also fix the issue reported\nin [1].\n\nThe crash occurs when this function is triggered before the station is\nfully initialized. The call trace shows a page fault at\nmt7925_sta_set_decap_offload() due to accessing resources when msta->vif\nis NULL.\n\nFix this by adding an early return if msta->vif is NULL and also check\nwcid.sta is ready. This ensures we only proceed with decap offload\nconfiguration when the station's state is properly initialized.\n\n[14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0\n[14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G\n[14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE\n[14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n[14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common]\n[14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common]\n[14739.851985] sp : ffffffc085efb500\n[14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158\n[14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001\n[14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88\n[14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000\n[14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080\n[14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000\n[14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0\n[14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100\n[14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000\n[14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8\n[14739.926686] Call trace:\n[14739.929130]  mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common]\n[14739.935505]  ieee80211_check_fast_rx+0x19c/0x510 [mac80211]\n[14739.941344]  _sta_info_move_state+0xe4/0x510 [mac80211]\n[14739.946860]  sta_info_move_state+0x1c/0x30 [mac80211]\n[14739.952116]  sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211]\n[14739.958708]  sta_apply_parameters+0x234/0x5e0 [mac80211]\n[14739.964332]  ieee80211_add_station+0xdc/0x190 [mac80211]\n[14739.969950]  nl80211_new_station+0x46c/0x670 [cfg80211]\n[14739.975516]  genl_family_rcv_msg_doit+0xdc/0x150\n[14739.980158]  genl_rcv_msg+0x218/0x298\n[14739.983830]  netlink_rcv_skb+0x64/0x138\n[14739.987670]  genl_rcv+0x40/0x60\n[14739.990816]  netlink_unicast+0x314/0x380\n[14739.994742]  netlink_sendmsg+0x198/0x3f0\n[14739.998664]  __sock_sendmsg+0x64/0xc0\n[14740.002324]  ____sys_sendmsg+0x260/0x298\n[14740.006242]  ___sys_sendmsg+0xb4/0x110",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38450",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: fix GPF in bitmap_get_stats()\n\nThe commit message of commit 6ec1f0239485 (\"md/md-bitmap: fix stats\ncollection for external bitmaps\") states:\n\n    Remove the external bitmap check as the statistics should be\n    available regardless of bitmap storage location.\n\n    Return -EINVAL only for invalid bitmap with no storage (neither in\n    superblock nor in external file).\n\nBut, the code does not adhere to the above, as it does only check for\na valid super-block for \"internal\" bitmaps. Hence, we observe:\n\nOops: GPF, probably for non-canonical address 0x1cd66f1f40000028\nRIP: 0010:bitmap_get_stats+0x45/0xd0\nCall Trace:\n\n seq_read_iter+0x2b9/0x46a\n seq_read+0x12f/0x180\n proc_reg_read+0x57/0xb0\n vfs_read+0xf6/0x380\n ksys_read+0x6d/0xf0\n do_syscall_64+0x8c/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nWe fix this by checking the existence of a super-block for both the\ninternal and external case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38451",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()\n\nAdd check for the return value of rcar_gen4_ptp_alloc()\nto prevent potential null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38452",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU\n\nsyzbot reports that defer/local task_work adding via msg_ring can hit\na request that has been freed:\n\nCPU: 1 UID: 0 PID: 19356 Comm: iou-wrk-19354 Not tainted 6.16.0-rc4-syzkaller-00108-g17bbde2e1716 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n io_req_local_work_add io_uring/io_uring.c:1184 [inline]\n __io_req_task_work_add+0x589/0x950 io_uring/io_uring.c:1252\n io_msg_remote_post io_uring/msg_ring.c:103 [inline]\n io_msg_data_remote io_uring/msg_ring.c:133 [inline]\n __io_msg_ring_data+0x820/0xaa0 io_uring/msg_ring.c:151\n io_msg_ring_data io_uring/msg_ring.c:173 [inline]\n io_msg_ring+0x134/0xa00 io_uring/msg_ring.c:314\n __io_issue_sqe+0x17e/0x4b0 io_uring/io_uring.c:1739\n io_issue_sqe+0x165/0xfd0 io_uring/io_uring.c:1762\n io_wq_submit_work+0x6e9/0xb90 io_uring/io_uring.c:1874\n io_worker_handle_work+0x7cd/0x1180 io_uring/io-wq.c:642\n io_wq_worker+0x42f/0xeb0 io_uring/io-wq.c:696\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nwhich is supposed to be safe with how requests are allocated. But msg\nring requests alloc and free on their own, and hence must defer freeing\nto a sane time.\n\nAdd an rcu_head and use kfree_rcu() in both spots where requests are\nfreed. Only the one in io_msg_tw_complete() is strictly required as it\nhas been visible on the other ring, but use it consistently in the other\nspot as well.\n\nThis should not cause any other issues outside of KASAN rightfully\ncomplaining about it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38453",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp()\n\nUse pr_warn() instead of dev_warn() when 'pdev' is NULL to avoid a\npotential NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38454",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight\n\nReject migration of SEV{-ES} state if either the source or destination VM\nis actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the\nsection between incrementing created_vcpus and online_vcpus.  The bulk of\nvCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs\nin parallel, and so sev_info.es_active can get toggled from false=>true in\nthe destination VM after (or during) svm_vcpu_create(), resulting in an\nSEV{-ES} VM effectively having a non-SEV{-ES} vCPU.\n\nThe issue manifests most visibly as a crash when trying to free a vCPU's\nNULL VMSA page in an SEV-ES VM, but any number of things can go wrong.\n\n  BUG: unable to handle page fault for address: ffffebde00000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n  CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G     U     O        6.15.0-smp-DEV #2 NONE\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n  RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]\n  RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]\n  RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]\n  RIP: 0010:PageHead include/linux/page-flags.h:866 [inline]\n  RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067\n  Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0\n  RSP: 0018:ffff8984551978d0 EFLAGS: 00010246\n  RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98\n  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000\n  RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000\n  R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000\n  R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000\n  FS:  0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0\n  DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n  Call Trace:\n   <TASK>\n   sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169\n   svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515\n   kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396\n   kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline]\n   kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490\n   kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895\n   kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310\n   kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369\n   __fput+0x3e4/0x9e0 fs/file_table.c:465\n   task_work_run+0x1a9/0x220 kernel/task_work.c:227\n   exit_task_work include/linux/task_work.h:40 [inline]\n   do_exit+0x7f0/0x25b0 kernel/exit.c:953\n   do_group_exit+0x203/0x2d0 kernel/exit.c:1102\n   get_signal+0x1357/0x1480 kernel/signal.c:3034\n   arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337\n   exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n   syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218\n   do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f87a898e969\n   </TASK>\n  Modules linked in: gq(O)\n  gsmi: Log Shutdown Reason 0x03\n  CR2: ffffebde00000000\n  ---[ end trace 0000000000000000 ]---\n\nDeliberately don't check for a NULL VMSA when freeing the vCPU, as crashing\nthe host is likely desirable due to the VMSA being consumed by hardware.\nE.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a\nbogus VMSA page.  Accessing P\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38455",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:msghandler: Fix potential memory corruption in ipmi_create_user()\n\nThe \"intf\" list iterator is an invalid pointer if the correct\n\"intf->intf_num\" is not found.  Calling atomic_dec(&intf->nr_users) on\nan invalid pointer will lead to memory corruption.\n\nWe don't really need to call atomic_dec() if we haven't called\natomic_add_return() so update the if (intf->in_shutdown) path as well.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38456",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Abort __tc_modify_qdisc if parent class does not exist\n\nLion's patch [1] revealed an ancient bug in the qdisc API.\nWhenever a user creates/modifies a qdisc specifying as a parent another\nqdisc, the qdisc API will, during grafting, detect that the user is\nnot trying to attach to a class and reject. However grafting is\nperformed after qdisc_create (and thus the qdiscs' init callback) is\nexecuted. In qdiscs that eventually call qdisc_tree_reduce_backlog\nduring init or change (such as fq, hhf, choke, etc), an issue\narises. For example, executing the following commands:\n\nsudo tc qdisc add dev lo root handle a: htb default 2\nsudo tc qdisc add dev lo parent a: handle beef fq\n\nQdiscs such as fq, hhf, choke, etc unconditionally invoke\nqdisc_tree_reduce_backlog() in their control path init() or change() which\nthen causes a failure to find the child class; however, that does not stop\nthe unconditional invocation of the assumed child qdisc's qlen_notify with\na null class. All these qdiscs make the assumption that class is non-null.\n\nThe solution is to ensure that qdisc_leaf(), which looks up the parent\nclass and is invoked prior to qdisc_create(), returns failure on\nnot finding the class.\nIn this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the\nparentid doesn't correspond to a class, so that we can detect it\nearlier on and abort before qdisc_create is called.\n\n[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38457",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix NULL pointer dereference in vcc_sendmsg()\n\natmarpd_dev_ops does not implement the send method, which may cause a crash\nas below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: Oops: 0010 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246\nRAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000\nRDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000\nRBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287\nR10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00\nR13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88\nFS:  00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n ____sys_sendmsg+0x52d/0x830 net/socket.c:2566\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620\n __sys_sendmmsg+0x227/0x430 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38458",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. [0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc->push(),\nand the second call copies it to clip_vcc->old_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc->old_push(),\ntriggering the infinite recursion.\n\nLet's prevent the second ioctl(ATMARP_MKIP) by checking\nvcc->user_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n </TASK>\nModules linked in:",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38459",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix potential null-ptr-deref in to_atmarpd().\n\natmarpd is protected by RTNL since commit f3a0592b37b8 (\"[ATM]: clip\ncauses unregister hang\").\n\nHowever, it is not enough because to_atmarpd() is called without RTNL,\nespecially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.\n\nAlso, there is no RTNL dependency around atmarpd.\n\nLet's use a private mutex and RCU to protect access to atmarpd in\nto_atmarpd().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38460",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_* TOCTOU\n\nTransport assignment may race with module unload. Protect new_transport\nfrom becoming a stale pointer.\n\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\n\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\n vsock_connect+0x59c/0xc40\n __sys_connect+0xe8/0x100\n __x64_sys_connect+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38461",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_{g2h,h2g} TOCTOU\n\nvsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.\ntransport_{g2h,h2g} may become NULL after the NULL check.\n\nIntroduce vsock_transport_local_cid() to protect from a potential\nnull-ptr-deref.\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_find_cid+0x47/0x90\nCall Trace:\n __vsock_bind+0x4b2/0x720\n vsock_bind+0x90/0xe0\n __sys_bind+0x14d/0x1e0\n __x64_sys_bind+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nKASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\nRIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0\nCall Trace:\n __x64_sys_ioctl+0x12d/0x190\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38462",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Correct signedness in skb remaining space calculation\n\nSyzkaller reported a bug [1] where sk->sk_forward_alloc can overflow.\n\nWhen we send data, if an skb exists at the tail of the write queue, the\nkernel will attempt to append the new data to that skb. However, the code\nthat checks for available space in the skb is flawed:\n'''\ncopy = size_goal - skb->len\n'''\n\nThe types of the variables involved are:\n'''\ncopy: ssize_t (s64 on 64-bit systems)\nsize_goal: int\nskb->len: unsigned int\n'''\n\nDue to C's type promotion rules, the signed size_goal is converted to an\nunsigned int to match skb->len before the subtraction. The result is an\nunsigned int.\n\nWhen this unsigned int result is then assigned to the s64 copy variable,\nit is zero-extended, preserving its non-negative value. Consequently, copy\nis always >= 0.\n\nAssume we are sending 2GB of data and size_goal has been adjusted to a\nvalue smaller than skb->len. The subtraction will result in copy holding a\nvery large positive integer. In the subsequent logic, this large value is\nused to update sk->sk_forward_alloc, which can easily cause it to overflow.\n\nThe syzkaller reproducer uses TCP_REPAIR to reliably create this\ncondition. However, this can also occur in real-world scenarios. The\ntcp_bound_to_half_wnd() function can also reduce size_goal to a small\nvalue. This would cause the subsequent tcp_wmem_schedule() to set\nsk->sk_forward_alloc to a value close to INT_MAX. Further memory\nallocation requests would then cause sk_forward_alloc to wrap around and\nbecome negative.\n\n[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38463",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_conn_close().\n\nsyzbot reported a null-ptr-deref in tipc_conn_close() during netns\ndismantle. [0]\n\ntipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls\ntipc_conn_close() for each tipc_conn.\n\nThe problem is that tipc_conn_close() is called after releasing the\nIDR lock.\n\nAt the same time, there might be tipc_conn_recv_work() running and it\ncould call tipc_conn_close() for the same tipc_conn and release its\nlast ->kref.\n\nOnce we release the IDR lock in tipc_topsrv_stop(), there is no\nguarantee that the tipc_conn is alive.\n\nLet's hold the ref before releasing the lock and put the ref after\ntipc_conn_close() in tipc_topsrv_stop().\n\n[0]:\nBUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\nRead of size 8 at addr ffff888099305a08 by task kworker/u4:3/435\n\nCPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1fc/0x2ef lib/dump_stack.c:118\n print_address_description.cold+0x54/0x219 mm/kasan/report.c:256\n kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354\n kasan_report mm/kasan/report.c:412 [inline]\n __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433\n tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165\n tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]\n tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722\n ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153\n cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nAllocated by task 23:\n kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625\n kmalloc include/linux/slab.h:515 [inline]\n kzalloc include/linux/slab.h:709 [inline]\n tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192\n tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nFreed by task 23:\n __cache_free mm/slab.c:3503 [inline]\n kfree+0xcc/0x210 mm/slab.c:3822\n tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]\n kref_put include/linux/kref.h:70 [inline]\n conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155\n process_one_work+0x864/0x1570 kernel/workqueue.c:2153\n worker_thread+0x64c/0x1130 kernel/workqueue.c:2296\n kthread+0x33f/0x460 kernel/kthread.c:259\n ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415\n\nThe buggy address belongs to the object at ffff888099305a00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 8 bytes inside of\n 512-byte region [ffff888099305a00, ffff888099305c00)\nThe buggy address belongs to the page:\npage:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0\nflags: 0xfff00000000100(slab)\nraw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940\nraw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                      ^\n ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38464",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix wraparounds of sk->sk_rmem_alloc.\n\nNetlink has this pattern in some places\n\n  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)\n  \tatomic_add(skb->truesize, &sk->sk_rmem_alloc);\n\n, which has the same problem fixed by commit 5a465a0da13e (\"udp:\nFix multiple wraparounds of sk->sk_rmem_alloc.\").\n\nFor example, if we set INT_MAX to SO_RCVBUFFORCE, the condition\nis always false as the two operands are of int.\n\nThen, a single socket can eat as many skb as possible until OOM\nhappens, and we can see multiple wraparounds of sk->sk_rmem_alloc.\n\nLet's fix it by using atomic_add_return() and comparing the two\nvariables as unsigned int.\n\nBefore:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q      Send-Q Local Address:Port                Peer Address:Port\n  -1668710080 0               rtnl:nl_wraparound/293               *\n\nAfter:\n  [root@fedora ~]# ss -f netlink\n  Recv-Q     Send-Q Local Address:Port                Peer Address:Port\n  2147483072 0               rtnl:nl_wraparound/290               *\n  ^\n  `--- INT_MAX - 576",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38465",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar thing can be done if the\ndata word is 'mistaken' for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38466",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: exynos7_drm_decon: add vblank check in IRQ handling\n\nIf there's support for another console device (such as a TTY serial),\nthe kernel occasionally panics during boot. The panic message and a\nrelevant snippet of the call stack is as follows:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 000000000000000\n  Call trace:\n    drm_crtc_handle_vblank+0x10/0x30 (P)\n    decon_irq_handler+0x88/0xb4\n    [...]\n\nOtherwise, the panics don't happen. This indicates that it's some sort\nof race condition.\n\nAdd a check to validate if the drm device can handle vblanks before\ncalling drm_crtc_handle_vblank() to avoid this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38467",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n   the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n   just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n   since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->\n   htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n   NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n   which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n   hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0)               |  htb_enqueue() {\n 0) + 13.635 us   |    netem_enqueue();\n 0)   4.719 us    |    htb_activate_prios();\n 0) # 2249.199 us |  }\n 0)               |  htb_dequeue() {\n 0)   2.355 us    |    htb_lookup_leaf();\n 0)               |    netem_dequeue() {\n 0) + 11.061 us   |      blackhole_enqueue();\n 0)               |      qdisc_tree_reduce_backlog() {\n 0)               |        qdisc_lookup_rcu() {\n 0)   1.873 us    |          qdisc_match_from_root();\n 0)   6.292 us    |        }\n 0)   1.894 us    |        htb_search();\n 0)               |        htb_qlen_notify() {\n 0)   2.655 us    |          htb_deactivate_prios();\n 0)   6.933 us    |        }\n 0) + 25.227 us   |      }\n 0)   1.983 us    |      blackhole_dequeue();\n 0) + 86.553 us   |    }\n 0) # 2932.761 us |    qdisc_warn_nonwc();\n 0)               |    htb_lookup_leaf() {\n 0)               |      BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38468",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls\n\nkvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host\nfor more than one event channel port (nr_ports > 1).\n\nAfter the kmalloc_array(), the error paths need to go through the\n\"out\" label, but the call to kvm_read_guest_virt() does not.\n\n[Adjusted commit message. - Paolo]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38469",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the \"rx-vlan-filter\" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the \"rx-vlan-filter\"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the \"rx-vlan-filter\"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the \"rx-vlan-filter\" feature was disabled. null-ptr-unref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n    vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n    vlan_filter_push_vids\n        ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n    vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n        vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n    BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n\"rx-vlan-filter\" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 256):\n  comm \"ip\", pid 384, jiffies 4296130254\n  hex dump (first 32 bytes):\n    00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00  . 0.............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 81ce31fa):\n    __kmalloc_cache_noprof+0x2b5/0x340\n    vlan_vid_add+0x434/0x940\n    vlan_device_event.cold+0x75/0xa8\n    notifier_call_chain+0xca/0x150\n    __dev_notify_flags+0xe3/0x250\n    rtnl_configure_link+0x193/0x260\n    rtnl_newlink_create+0x383/0x8e0\n    __rtnl_newlink+0x22c/0xa40\n    rtnl_newlink+0x627/0xb00\n    rtnetlink_rcv_msg+0x6fb/0xb70\n    netlink_rcv_skb+0x11f/0x350\n    netlink_unicast+0x426/0x710\n    netlink_sendmsg+0x75a/0xc20\n    __sock_sendmsg+0xc1/0x150\n    ____sys_sendmsg+0x5aa/0x7b0\n    ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS:  00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n <TASK\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38470",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n    BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n    (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n    Read of size 4 at addr ffff888013085750 by task tls/13529\n\n    CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n    Call Trace:\n     kasan_report+0xca/0x100\n     tls_strp_check_rcv+0x898/0x9a0 [tls]\n     tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n     tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n     inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp->stm.full_len\").",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38471",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n    [exception RIP: __nf_ct_delete_from_lists+172]\n    [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n    [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct->timeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry.  If we ignore\nct->status and pretend it's 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n  - ct hlist pointers are overloaded and store/cache the raw tuple hash\n  - ct->timeout matches the relative time expected for a new udp flow\n    rather than the absolute 'jiffies' value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t<preemption>\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct->status set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z.  cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t->refcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t->timeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct->status |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t<resumes>\n\t\t\tnf_ct_expired()\n\t\t\t -> yes (ct->timeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -> set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn't guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t<unblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev>\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout 'cpu y' race, 'garbage' hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free'd and E gets\ndestroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn't matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38472",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan->data is NULL.\n\nLet's not access the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38473",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: net: sierra: check for no status endpoint\n\nThe driver checks for having three endpoints and\nhaving bulk in and out endpoints, but not that\nthe third endpoint is interrupt input.\nRectify the omission.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38474",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix various oops due to inet_sock type confusion.\n\nsyzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while\nfreeing inet_sk(sk)->inet_opt.\n\nThe address was freed multiple times even though it was read-only memory.\n\ncipso_v4_sock_setattr() did nothing wrong, and the root cause was type\nconfusion.\n\nThe cited commit made it possible to create smc_sock as an INET socket.\n\nThe issue is that struct smc_sock does not have struct inet_sock as the\nfirst member but hijacks AF_INET and AF_INET6 sk_family, which confuses\nvarious places.\n\nIn this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),\nwhich is an address of a function in the text segment.\n\n  $ pahole -C inet_sock vmlinux\n  struct inet_sock {\n  ...\n          struct ip_options_rcu *    inet_opt;             /*   784     8 */\n\n  $ pahole -C smc_sock vmlinux\n  struct smc_sock {\n  ...\n          void                       (*clcsk_data_ready)(struct sock *); /*   784     8 */\n\nThe same issue for another field was reported before. [2][3]\n\nAt that time, an ugly hack was suggested [4], but it makes both INET\nand SMC code error-prone and hard to change.\n\nAlso, yet another variant was fixed by a hacky commit 98d4435efcbf3\n(\"net/smc: prevent NULL pointer dereference in txopt_get\").\n\nInstead of papering over the root cause by such hacks, we should not\nallow non-INET socket to reuse the INET infra.\n\nLet's add inet_sock as the first member of smc_sock.\n\n[0]:\nkvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73\nWARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nModules linked in:\nCPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G        W           6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nTainted: [W]=WARN\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nlr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nsp : ffff8000a03a7730\nx29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3\nx26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00\nx23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0\nx20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff\nx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c\nx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000\nx8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360\nx2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000\nCall trace:\n kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)\n cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914\n netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000\n smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581\n smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912\n security_inode_setsecurity+0x118/0x3c0 security/security.c:2706\n __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251\n __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295\n vfs_setxattr+0x158/0x2ac fs/xattr.c:321\n do_setxattr fs/xattr.c:636 [inline]\n file_setxattr+0x1b8/0x294 fs/xattr.c:646\n path_setxattrat+0x2ac/0x320 fs/xattr.c:711\n __do_sys_fsetxattr fs/xattr.c:761 [inline]\n __se_sys_fsetxattr fs/xattr.c:758 [inline]\n __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879\n el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\n[\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38475",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet's fix it by making oldhdr a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n </IRQ>\n <TASK>\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n </TASK>\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38476",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when 'agg' is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38477",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn->n` elements in some\ncases.  The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that.  For Comedi instruction codes\nthat write to the subdevice, the first `insn->n` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized.  That could be a problem if the subdevice instruction\nhandler reads the uninitialized data.  Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0.  For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38478",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-edma: free irq correctly in remove path\n\nAdd fsl_edma->txirq/errirq check to avoid below warning because no\nerrirq at i.MX9 platform. Otherwise there will be kernel dump:\nWARNING: CPU: 0 PID: 11 at kernel/irq/devres.c:144 devm_free_irq+0x74/0x80\nModules linked in:\nCPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-rc7#18\nHardware name: NXP i.MX93 11X11 EVK board (DT)\nWorkqueue: events_unbound deferred_probe_work_func\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : devm_free_irq+0x74/0x80\nlr : devm_free_irq+0x48/0x80\nCall trace:\n devm_free_irq+0x74/0x80 (P)\n devm_free_irq+0x48/0x80 (L)\n fsl_edma_remove+0xc4/0xc8\n platform_remove+0x28/0x44\n device_remove+0x4c/0x80",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38479",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions.  In that case, the subdevice's `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory.  It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at least `MIN_SAMPLES` (16) elements are\nallocated.  However, if `insn->n` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions), then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`.  This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn->n` is 0, before reaching the code\nthat accesses `data[0]`.  Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn->n`, which is 0 in this case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38480",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large\n\nThe handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to\nhold the array of `struct comedi_insn`, getting the length from the\n`n_insns` member of the `struct comedi_insnlist` supplied by the user.\nThe allocation will fail with a WARNING and a stack dump if it is too\nlarge.\n\nAvoid that by failing with an `-EINVAL` error if the supplied `n_insns`\nvalue is unreasonable.\n\nDefine the limit on the `n_insns` value in the `MAX_INSNS` macro.  Set\nthis to the same value as `MAX_SAMPLES` (65536), which is the maximum\nallowed sum of the values of the member `n` in the array of `struct\ncomedi_insn`, and sensible comedi instructions will have an `n` of at\nleast 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38481",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das6402: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* IRQs 2,3,5,6,7, 10,11,15 are valid for \"enhanced\" mode */\n\tif ((1 << it->options[1]) & 0x8cec) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38482",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das16m1: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */\n\tif ((1 << it->options[1]) & 0xdcfc) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38483",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: backend: fix out-of-bound write\n\nThe buffer is set to 80 characters. If a caller writes more characters,\ncount is truncated to the max available space in \"simple_write_to_buffer\".\nBut afterwards a string terminator is written to the buffer at offset count\nwithout boundary check. The zero termination is written OUT-OF-BOUND.\n\nAdd a check that the given buffer is smaller than the buffer to prevent.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38484",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush\n\nfxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with\niio_for_each_active_channel()) without making sure the indio_dev\nstays in buffer mode.\nThere is a race if indio_dev exits buffer mode in the middle of the\ninterrupt that flushes the fifo. Fix this by calling\nsynchronize_irq() to ensure that no interrupt is currently running when\ndisabling buffer mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[...]\n_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290\nfxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178\nfxls8962af_interrupt from irq_thread_fn+0x1c/0x7c\nirq_thread_fn from irq_thread+0x110/0x1f4\nirq_thread from kthread+0xe0/0xfc\nkthread from ret_from_fork+0x14/0x2c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38485",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"\n\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\n\nThis patch broke Dragonboard 845c (sdm845). I see:\n\n    Unexpected kernel BRK exception at EL1\n    Internal error: BRK handler: 00000000f20003e8 [#1]  SMP\n    pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\n    lr : snd_soc_dai_set_channel_map+0x34/0x78\n    Call trace:\n     qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\n     sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\n     snd_soc_link_init+0x28/0x6c\n     snd_soc_bind_card+0x5f4/0xb0c\n     snd_soc_register_card+0x148/0x1a4\n     devm_snd_soc_register_card+0x50/0xb0\n     sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\n     platform_probe+0x6c/0xd0\n     really_probe+0xc0/0x2a4\n     __driver_probe_device+0x7c/0x130\n     driver_probe_device+0x40/0x118\n     __device_attach_driver+0xc4/0x108\n     bus_for_each_drv+0x8c/0xf0\n     __device_attach+0xa4/0x198\n     device_initial_probe+0x18/0x28\n     bus_probe_device+0xb8/0xbc\n     deferred_probe_work_func+0xac/0xfc\n     process_one_work+0x244/0x658\n     worker_thread+0x1b4/0x360\n     kthread+0x148/0x228\n     ret_from_fork+0x10/0x20\n    Kernel panic - not syncing: BRK handler: Fatal exception\n\nDan has also reported following issues with the original patch\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\n\nBug #1:\nThe zeroeth element of ctrl->pconfig[] is supposed to be unused.  We\nstart counting at 1.  However this code sets ctrl->pconfig[0].ch_mask = 128.\n\nBug #2:\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts\nmemory like Yongqin Liu pointed out.\n\nBug 3:\nLike Jie Gan pointed out, it erases all the tx information with the rx\ninformation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38486",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: lpc-snoop: Don't disable channels that aren't enabled\n\nMitigate e.g. the following:\n\n    # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind\n    ...\n    [  120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write\n    [  120.373866] [00000004] *pgd=00000000\n    [  120.377910] Internal error: Oops: 805 [#1] SMP ARM\n    [  120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE\n    ...\n    [  120.679543] Call trace:\n    [  120.679559]  misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac\n    [  120.692462]  aspeed_lpc_snoop_remove from platform_remove+0x28/0x38\n    [  120.700996]  platform_remove from device_release_driver_internal+0x188/0x200\n    ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38487",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n  crypt_message()\n    // Allocate the creq buffer containing the req\n    creq = smb2_get_aead_req(..., &req);\n\n    // Async encryption returns -EINPROGRESS immediately\n    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n    // Free creq while async operation is still in progress\n    kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn't\nguarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn't freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38488",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again\n\nCommit 7ded842b356d (\"s390/bpf: Fix bpf_plt pointer arithmetic\") has\naccidentally removed the critical piece of commit c730fce7c70c\n(\"s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL\"), causing\nintermittent kernel panics in e.g. perf's on_switch() prog to reappear.\n\nRestore the fix and add a comment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38489",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: remove duplicate page_pool_put_full_page()\n\npage_pool_put_full_page() should only be invoked when freeing Rx buffers\nor building a skb if the size is too short. At other times, the pages\nneed to be reused. So remove the redundant page put. In the original\ncode, double free pages cause kernel panic:\n\n[  876.949834]  __irq_exit_rcu+0xc7/0x130\n[  876.949836]  common_interrupt+0xb8/0xd0\n[  876.949838]  </IRQ>\n[  876.949838]  <TASK>\n[  876.949840]  asm_common_interrupt+0x22/0x40\n[  876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420\n[  876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d\n[  876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246\n[  876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000\n[  876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e\n[  876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed\n[  876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580\n[  876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000\n[  876.949852]  ? cpuidle_enter_state+0xb3/0x420\n[  876.949855]  cpuidle_enter+0x29/0x40\n[  876.949857]  cpuidle_idle_call+0xfd/0x170\n[  876.949859]  do_idle+0x7a/0xc0\n[  876.949861]  cpu_startup_entry+0x25/0x30\n[  876.949862]  start_secondary+0x117/0x140\n[  876.949864]  common_startup_64+0x13e/0x148\n[  876.949867]  </TASK>\n[  876.949868] ---[ end trace 0000000000000000 ]---\n[  876.949869] ------------[ cut here ]------------\n[  876.949870] list_del corruption, ffffead40445a348->next is NULL\n[  876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120\n[  876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E)\n[  876.949914]  i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi\n[  876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G        W   E       6.16.0-rc2+ #20 PREEMPT(voluntary)\n[  876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE\n[  876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n[  876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120\n[  876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8\n[  876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282\n[  876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000\n[  876.949942] RDX: 0000000000000105 RSI: 00000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38490",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision atomic\n\nSyzkaller reported the following splat:\n\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\n  WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\n  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n  RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n  RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\n  RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n  Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\n  RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\n  RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\n  RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n  R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\n  FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\n  Call Trace:\n   <IRQ>\n   tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\n   tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\n   tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\n   tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\n   tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\n   ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\n   dst_input include/net/dst.h:469 [inline]\n   ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\n   NF_HOOK include/linux/netfilter.h:317 [inline]\n   NF_HOOK include/linux/netfilter.h:311 [inline]\n   ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\n   __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\n   __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088\n   process_backlog+0x301/0x1360 net/core/dev.c:6440\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\n   napi_poll net/core/dev.c:7517 [inline]\n   net_rx_action+0xb44/0x1010 net/core/dev.c:7644\n   handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\n   do_softirq+0x3f/0x90 kernel/softirq.c:480\n   </IRQ>\n   <TASK>\n   __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\n   local_bh_enable include/linux/bottom_half.h:33 [inline]\n   inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\n   mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\n   mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\n   __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\n   mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\n   inet_release+0xed/0x200 net/ipv4/af_inet.c:435\n   inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\n   __sock_release+0xb3/0x270 net/socket.c:649\n   sock_close+0x1c/0x30 net/socket.c:1439\n   __fput+0x402/0xb70 fs/file_table.c:465\n   task_work_run+0x150/0x240 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xd4\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38491",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix race between cache write completion and ALL_QUEUED being set\n\nWhen netfslib is issuing subrequests, the subrequests start processing\nimmediately and may complete before we reach the end of the issuing\nfunction.  At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED\nto indicate to the collector that we aren't going to issue any more subreqs\nand that it can do the final notifications and cleanup.\n\nNow, this isn't a problem if the request is synchronous\n(NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be\ndone in-thread and we're guaranteed an opportunity to run the collector.\n\nHowever, if the request is asynchronous, collection is primarily triggered\nby the termination of subrequests queuing it on a workqueue.  Now, a race\ncan occur here if the app thread sets ALL_QUEUED after the last subrequest\nterminates.\n\nThis can happen most easily with the copy2cache code (as used by Ceph)\nwhere, in the collection routine of a read request, an asynchronous write\nrequest is spawned to copy data to the cache.  Folios are added to the\nwrite request as they're unlocked, but there may be a delay before\nALL_QUEUED is set as the write subrequests may complete before we get\nthere.\n\nIf all the write subreqs have finished by the ALL_QUEUED point, no further\nevents happen and the collection never happens, leaving the request\nhanging.\n\nFix this by queuing the collector after setting ALL_QUEUED.  This is a bit\nheavy-handed and it may be sufficient to do it only if there are no extant\nsubreqs.\n\nAlso add a tracepoint to cross-reference both requests in a copy-to-request\noperation and add a trace to the netfs_rreq tracepoint to indicate the\nsetting of ALL_QUEUED.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38492",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix crash in timerlat_dump_stack()\n\nWe have observed kernel panics when using timerlat with stack saving,\nwith the following dmesg output:\n\nmemcpy: detected buffer overflow: 88 byte write of buffer size 0\nWARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0\nCPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)\nCall Trace:\n <TASK>\n ? trace_buffer_lock_reserve+0x2a/0x60\n __fortify_panic+0xd/0xf\n __timerlat_dump_stack.cold+0xd/0xd\n timerlat_dump_stack.part.0+0x47/0x80\n timerlat_fd_read+0x36d/0x390\n vfs_read+0xe2/0x390\n ? syscall_exit_to_user_mode+0x1d5/0x210\n ksys_read+0x73/0xe0\n do_syscall_64+0x7b/0x160\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n__timerlat_dump_stack() constructs the ftrace stack entry like this:\n\nstruct stack_entry *entry;\n...\nmemcpy(&entry->caller, fstack->calls, size);\nentry->size = fstack->nr_entries;\n\nSince commit e7186af7fb26 (\"tracing: Add back FORTIFY_SOURCE logic to\nkernel_stack event structure\"), struct stack_entry marks its caller\nfield with __counted_by(size). At the time of the memcpy, entry->size\ncontains garbage from the ringbuffer, which under some circumstances is\nzero, triggering a kernel panic by buffer overflow.\n\nPopulate the size field before the memcpy so that the out-of-bounds\ncheck knows the correct size. This is analogous to\n__ftrace_trace_stack().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38493",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: do not bypass hid_hw_raw_request\n\nhid_hw_raw_request() is actually useful to ensure the provided buffer\nand length are valid. Directly calling in the low level transport driver\nfunction bypassed those checks and allowed invalid param to be used.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38494",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: ensure the allocated report buffer can contain the reserved report ID\n\nWhen the report ID is not used, the low level transport drivers expect\nthe first byte to be 0. However, currently the allocated buffer does not\naccount for that extra byte, meaning that instead of having 8 guaranteed\nbytes for implement to be working, we only have 7.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38495",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: fix sched in atomic context\n\nIf \"try_verify_in_tasklet\" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP\nis enabled for dm-bufio. However, when bufio tries to evict buffers, there\nis a chance to trigger scheduling in spin_lock_bh, the following warning\nis hit:\n\nBUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2\npreempt_count: 201, expected: 0\nRCU nest depth: 0, expected: 0\n4 locks held by kworker/2:2/123:\n #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970\n #1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970\n #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710\n #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710\nPreemption disabled at:\n[<0000000000000000>] 0x0\nCPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: dm_bufio_cache do_global_cleanup\nCall Trace:\n <TASK>\n dump_stack_lvl+0x53/0x70\n __might_resched+0x360/0x4e0\n do_global_cleanup+0x2f5/0x710\n process_one_work+0x7db/0x1970\n worker_thread+0x518/0xea0\n kthread+0x359/0x690\n ret_from_fork+0xf3/0x1b0\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThat can be reproduced by:\n\n  veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb\n  SIZE=$(blockdev --getsz /dev/vda)\n  dmsetup create myverity -r --table \"0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet\"\n  mount /dev/dm-0 /mnt -o ro\n  echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes\n  [read files in /mnt]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38496",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Fix OOB read on empty string write\n\nWhen writing an empty string to either 'qw_sign' or 'landingPage'\nsysfs attributes, the store functions attempt to access page[l - 1]\nbefore validating that the length 'l' is greater than zero.\n\nThis patch fixes the vulnerability by adding a check at the beginning\nof os_desc_qw_sign_store() and webusb_landingPage_store() to handle\nthe zero-length input case gracefully by returning immediately.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38497",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller's mount namespace. This change aligns permission checking\nwith the rest of mount(2).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38498",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want to verify there is that clone won't expose something\nhidden by a mount we wouldn't be able to undo.  \"Wouldn't be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere's a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38499",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn't look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus erroneously place the special interface xi\nin the xfrmi_net->xfrmi hash, but since it also exists in the\nxfrmi_net->collect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[    8.516540] kernel BUG at net/core/dev.c:12029!\n[    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    8.516569] Workqueue: netns cleanup_net\n[    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[    8.516625] PKRU: 55555554\n[    8.516627] Call Trace:\n[    8.516632]  <TASK>\n[    8.516635]  ? rtnl_is_locked+0x15/0x20\n[    8.516641]  ? unregister_netdevice_queue+0x29/0xf0\n[    8.516650]  ops_undo_list+0x1f2/0x220\n[    8.516659]  cleanup_net+0x1ad/0x2e0\n[    8.516664]  process_one_work+0x160/0x380\n[    8.516673]  worker_thread+0x2aa/0x3c0\n[    8.516679]  ? __pfx_worker_thread+0x10/0x10\n[    8.516686]  kthread+0xfb/0x200\n[    8.516690]  ? __pfx_kthread+0x10/0x10\n[    8.516693]  ? __pfx_kthread+0x10/0x10\n[    8.516697]  ret_from_fork+0x82/0xf0\n[    8.516705]  ? __pfx_kthread+0x10/0x10\n[    8.516709]  ret_from_fork_asm+0x1a/0x30\n[    8.516718]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38500",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: limit repeated connections from clients with the same IP\n\nRepeated connections from clients with the same IP address may exhaust\nthe max connections and prevent other normal client connections.\nThis patch limits repeated connections from clients with the same IP.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38501",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe individual programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds a bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n  storage = ctx->prog_item->cgroup_storage[stype];\n\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\n    ptr = &READ_ONCE(storage->buf)->data[0];\n  else\n    ptr = this_cpu_ptr(storage->percpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram's map, not its own. With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38502",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion when building free space tree\n\nWhen building the free space tree with the block group tree feature\nenabled, we can hit an assertion failure like this:\n\n  BTRFS info (device loop0 state M): rebuilding free space tree\n  assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/free-space-tree.c:1102!\n  Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102\n  sp : ffff8000a4ce7600\n  x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8\n  x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001\n  x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160\n  x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff\n  x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0\n  x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff\n  x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00\n  x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001\n  x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0\n  x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e\n  Call trace:\n   populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)\n   btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337\n   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n   do_remount fs/namespace.c:3365 [inline]\n   path_mount+0xb34/0xde0 fs/namespace.c:4200\n   do_mount fs/namespace.c:4221 [inline]\n   __do_sys_mount fs/namespace.c:4432 [inline]\n   __se_sys_mount fs/namespace.c:4409 [inline]\n   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n  Code: f0047182 91178042 528089c3 9771d47b (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\nThis happens because we are processing an empty block group, which has\nno extents allocated from it, so there are no items for this block group,\nincluding the block group item since block group items are stored in a\ndedicated tree when using the block group tree feature. It also means\nthis is the block group with the highest start offset, so there are no\nhigher keys in the extent root, hence btrfs_search_slot_for_read()\nreturns 1 (no higher key found).\n\nFix this by asserting 'ret' is 0 only if the block group tree feature\nis not enabled, in which case we should find a block group item for\nthe block group since it's stored in the extent root and block group\nitem keys are greater than extent item keys (the value for\nBTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and\nBTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).\nIn case 'ret' is 1, we just need to add a record to the free space\ntree which spans the whole block group, and we can achieve this by\nmaking 'ret == 0' as the while loop's condition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38503",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix pp destruction warnings\n\nWith multiple page pools and in some other cases we can have allocated\nniovs on page pool destruction. Remove a misplaced warning checking that\nall niovs are returned to zcrx on io_pp_zc_destroy(). It was reported\nbefore but apparently got lost.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38504",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: discard erroneous disassoc frames on STA interface\n\nWhen operating in concurrent STA/AP mode with host MLME enabled,\nthe firmware incorrectly sends disassociation frames to the STA\ninterface when clients disconnect from the AP interface.\nThis causes kernel warnings as the STA interface processes\ndisconnect events that don't apply to it:\n\n[ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211]\n[ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us\n[ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT\n[ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT)\n[ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex]\n[ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211]\n[ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211]\n[ 1303.370221] sp : ffff800083053be0\n[ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000\n[ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae\n[ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008\n[ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006\n[ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048\n[ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000\n[ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300\n[ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002\n[ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186\n[ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de\n[ 1303.446221] Call trace:\n[ 1303.448722]  cfg80211_process_disassoc+0x78/0xec [cfg80211] (P)\n[ 1303.454894]  cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211]\n[ 1303.460362]  mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex]\n[ 1303.466380]  mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex]\n[ 1303.472573]  mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex]\n[ 1303.478243]  mwifiex_rx_work_queue+0x158/0x198 [mwifiex]\n[ 1303.483734]  process_one_work+0x14c/0x28c\n[ 1303.487845]  worker_thread+0x2cc/0x3d4\n[ 1303.491680]  kthread+0x12c/0x208\n[ 1303.495014]  ret_from_fork+0x10/0x20\n\nAdd validation in the STA receive path to verify that disassoc/deauth\nframes originate from the connected AP. Frames that fail this check\nare discarded early, preventing them from reaching the MLME layer and\ntriggering WARN_ON().\n\nThis filtering logic is similar to that used in the\nieee80211_rx_mgmt_disassoc() function in mac80211, which drops\ndisassoc frames that don't match the current BSSID\n(!ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)), ensuring\nonly relevant frames are processed.\n\nTested on:\n- 8997 with FW 16.68.1.p197",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38505",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Allow CPU to reschedule while setting per-page memory attributes\n\nWhen running an SEV-SNP guest with a sufficiently large amount of memory (1TB+),\nthe host can experience CPU soft lockups when running an operation in\nkvm_vm_set_mem_attributes() to set memory attributes on the whole\nrange of guest memory.\n\nwatchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372]\nCPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary)\nHardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024\nRIP: 0010:xas_create+0x78/0x1f0\nCode: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 <74> 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87\nRSP: 0018:ffffad890a34b940 EFLAGS: 00000286\nRAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000\nRDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868\nR13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868\nFS:  00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n xas_store+0x58/0x630\n __xa_store+0xa5/0x130\n xa_store+0x2c/0x50\n kvm_vm_set_mem_attributes+0x343/0x710 [kvm]\n kvm_vm_ioctl+0x796/0xab0 [kvm]\n __x64_sys_ioctl+0xa3/0xd0\n do_syscall_64+0x8c/0x7a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f5578d031bb\nCode: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb\nRDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b\nRBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000\nR10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120\nR13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0\n\nWhile looping through the range of memory setting the attributes,\ncall cond_resched() to give the scheduler a chance to run a higher\npriority task on the runqueue if necessary and avoid staying in\nkernel mode long enough to trigger the lockup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38506",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nintendo: avoid bluetooth suspend/resume stalls\n\nEnsure we don't stall or panic the kernel when using bluetooth-connected\ncontrollers. This was reported as an issue on android devices using\nkernel 6.6 due to the resume hook which had been added for usb joycons.\n\nFirst, set a new state value to JOYCON_CTLR_STATE_SUSPENDED in a\nnewly-added nintendo_hid_suspend. This makes sure we will not stall out\nthe kernel waiting for input reports during led classdev suspend. The\nstalls could happen if connectivity is unreliable or lost to the\ncontroller prior to suspend.\n\nSecond, since we lose connectivity during suspend, do not try\njoycon_init() for bluetooth controllers in the nintendo_hid_resume path.\n\nTested via multiple suspend/resume flows when using the controller both\nin USB and bluetooth modes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38507",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Use TSC_FACTOR for Secure TSC frequency calculation\n\nWhen using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on\nthe nominal P0 frequency, which deviates slightly (typically ~0.2%) from\nthe actual mean TSC frequency due to clocking parameters.\n\nOver extended VM uptime, this discrepancy accumulates, causing clock skew\nbetween the hypervisor and a SEV-SNP VM, leading to early timer interrupts as\nperceived by the guest.\n\nThe guest kernel relies on the reported nominal frequency for TSC-based\ntimekeeping, while the actual frequency set during SNP_LAUNCH_START may\ndiffer. This mismatch results in inaccurate time calculations, causing the\nguest to perceive hrtimers as firing earlier than expected.\n\nUtilize the TSC_FACTOR from the SEV firmware's secrets page (see \"Secrets\nPage Format\" in the SNP Firmware ABI Specification) to calculate the mean\nTSC frequency, ensuring accurate timekeeping and mitigating clock skew in\nSEV-SNP VMs.\n\nUse early_ioremap_encrypted() to map the secrets page as\nioremap_encrypted() uses kmalloc() which is not available during early TSC\ninitialization and causes a panic.\n\n  [ bp: Drop the silly dummy var:\n    https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38508",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject VHT opmode for unsupported channel widths\n\nVHT operating mode notifications are not defined for channel widths\nbelow 20 MHz. In particular, 5 MHz and 10 MHz are not valid under the\nVHT specification and must be rejected.\n\nWithout this check, malformed notifications using these widths may\nreach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due to\ninvalid input. This issue was reported by syzbot.\n\nReject these unsupported widths early in sta_link_apply_parameters()\nwhen opmode_notif is used. The accepted set includes 20, 40, 80, 160,\nand 80+80 MHz, which are valid for VHT. While 320 MHz is not defined\nfor VHT, it is allowed to avoid rejecting HE or EHT clients that may\nstill send a VHT opmode notification.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38509",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: remove kasan_find_vm_area() to prevent possible deadlock\n\nfind_vm_area() couldn't be called in atomic_context.  If find_vm_area() is\ncalled to report vm area information, kasan can trigger deadlock like:\n\nCPU0                                CPU1\nvmalloc();\n alloc_vmap_area();\n  spin_lock(&vn->busy.lock)\n                                    spin_lock_bh(&some_lock);\n   <interrupt occurs>\n   <in softirq>\n   spin_lock(&some_lock);\n                                    <access invalid address>\n                                    kasan_report();\n                                     print_report();\n                                      print_address_description();\n                                       kasan_find_vm_area();\n                                        find_vm_area();\n                                         spin_lock(&vn->busy.lock) // deadlock!\n\nTo prevent possible deadlock while kasan reports, remove kasan_find_vm_area().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38510",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pf: Clear all LMTT pages on alloc\n\nOur LMEM buffer objects are not cleared by default on alloc\nand during VF provisioning we only setup LMTT PTEs for the\nactually provisioned LMEM range. But beyond that valid range\nwe might leave some stale data that could either point to some\nother VFs allocations or even to the PF pages.\n\nExplicitly clear all new LMTT pages to avoid the risk that a\nmalicious VF would try to exploit that gap.\n\nWhile around, add asserts to catch any undesired PTE overwrites\nand low-level debug traces to track LMTT PT life-cycle.\n\n(cherry picked from commit 3fae6918a3e27cce20ded2551f863fb05d4bef8d)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38511",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: prevent A-MSDU attacks in mesh networks\n\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\nbe considered a variant of CVE-2020-24588 but for mesh networks.\n\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\nby an adversary. This is done by parsing a received A-MSDU as a standard\nMSDU, calculating the length of the Mesh Control header, and seeing if\nthe 6 bytes after this header equal the start of an rfc1042 header. If\nequal, this is a strong indication of an ongoing attack attempt.\n\nThis defense was tested with mac80211_hwsim against a mesh network that\nuses an empty Mesh Address Extension field, i.e., when four addresses\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\nwhen six addresses are used. Functionality of normal MSDUs and A-MSDUs\nwas also tested, and confirmed working, when using both an empty and\n12-byte Mesh Address Extension field.\n\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\nnetworks keep being detected and prevented.\n\nNote that the vulnerability being patched, and the defense being\nimplemented, was also discussed in the following paper and in the\nfollowing IEEE 802.11 presentation:\n\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38512",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len > ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(&q->lock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i<position; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac->type == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(&q->lock, flags);\n\n    skb_dequeue() -> NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38513",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix oops due to non-existence of prealloc backlog struct\n\nIf an AF_RXRPC service socket is opened and bound, but calls are\npreallocated, then rxrpc_alloc_incoming_call() will oops because the\nrxrpc_backlog struct doesn't get allocated until the first preallocation is\nmade.\n\nFix this by returning NULL from rxrpc_alloc_incoming_call() if there is no\nbacklog struct.  This will cause the incoming call to be aborted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38514",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Increment job count before swapping tail spsc queue\n\nA small race exists between spsc_queue_push and the run-job worker, in\nwhich spsc_queue_push may return not-first while the run-job worker has\nalready idled due to the job count being zero. If this race occurs, job\nscheduling stops, leading to hangs while waiting on the job\u2019s DMA\nfences.\n\nSeal this race by incrementing the job count before appending to the\nSPSC queue.\n\nThis race was observed on a drm-tip 6.16-rc1 build with the Xe driver in\nan SVM test case.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38515",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: qcom: msm: mark certain pins as invalid for interrupts\n\nOn some platforms, the UFS-reset pin has no interrupt logic in TLMM but\nis nevertheless registered as a GPIO in the kernel. This enables the\nuser-space to trigger a BUG() in the pinctrl-msm driver by running, for\nexample: `gpiomon -c 0 113` on RB2.\n\nThe exact culprit is requesting pins whose intr_detection_width setting\nis not 1 or 2 for interrupts. This hits a BUG() in\nmsm_gpio_irq_set_type(). Potentially crashing the kernel due to an\ninvalid request from user-space is not optimal, so let's go through the\npins and mark those that would fail the check as invalid for the irq chip\nas we should not even register them as available irqs.\n\nThis function can be extended if we determine that there are more\ncorner-cases like this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38516",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()\n\nalloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even\nwhen the alloc_tag_cttype is not allocated because:\n\n  1) alloc tagging is disabled because mem profiling is disabled\n     (!alloc_tag_cttype)\n  2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype)\n  3) alloc tagging is enabled, but failed initialization\n     (!alloc_tag_cttype or IS_ERR(alloc_tag_cttype))\n\nIn all cases, alloc_tag_cttype is not allocated, and therefore\nalloc_tag_top_users() should not attempt to acquire the semaphore.\n\nThis leads to a crash on memory allocation failure by attempting to\nacquire a non-existent semaphore:\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G      D             6.16.0-rc2 #1 VOLUNTARY\n  Tainted: [D]=DIE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  RIP: 0010:down_read_trylock+0xaa/0x3b0\n  Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 ff\n  RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016\n  RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000\n  RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070\n  RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1\n  R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37\n  R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000\n  FS:  00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   codetag_trylock_module_list+0xd/0x20\n   alloc_tag_top_users+0x369/0x4b0\n   __show_mem+0x1cd/0x6e0\n   warn_alloc+0x2b1/0x390\n   __alloc_frozen_pages_noprof+0x12b9/0x21a0\n   alloc_pages_mpol+0x135/0x3e0\n   alloc_slab_page+0x82/0xe0\n   new_slab+0x212/0x240\n   ___slab_alloc+0x82a/0xe00\n   </TASK>\n\nAs David Wang points out, this issue became easier to trigger after commit\n780138b12381 (\"alloc_tag: check mem_profiling_support in alloc_tag_init\").\n\nBefore the commit, the issue occurred only when it failed to allocate and\ninitialize alloc_tag_cttype or if a memory allocation fails before\nalloc_tag_init() is called.  After the commit, it can be easily triggered\nwhen memory profiling is compiled but disabled at boot.\n\nTo properly determine whether alloc_tag_init() has been called and its\ndata structures initialized, verify that alloc_tag_cttype is a valid\npointer before acquiring the semaphore.  If the variable is NULL or an\nerror value, it has not been properly initialized.  In such a case, just\nskip and do not attempt to acquire the semaphore.\n\n[harry.yoo@oracle.com: v3]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38517",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Disable INVLPGB on Zen2\n\nAMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an issue\nthat causes system oopses and panics when performing TLB flush using\nINVLPGB.\n\nHowever, the problem is that that machine has misconfigured CPUID and\nshould not report the INVLPGB bit in the first place. So zap the\nkernel's representation of the flag so that nothing gets confused.\n\n  [ bp: Massage. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38518",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon: fix divide by zero in damon_get_intervals_score()\n\nThe current implementation allows having zero size regions with no special\nreasons, but damon_get_intervals_score() crashes with a divide by zero\nwhen the region size is zero.\n\n  [   29.403950] Oops: divide error: 0000 [#1] SMP NOPTI\n\nThis patch fixes the bug, but does not disallow zero size regions to keep\nthe backward compatibility since disallowing zero size regions might be a\nbreaking change for some users.\n\nIn addition, the same crash can happen when intervals_goal.access_bp is\nzero so this should be fixed in stable trees as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38519",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Don't call mmput from MMU notifier callback\n\nIf the process is exiting, the mmput inside mmu notifier callback from\ncompactd or fork or numa balancing could release the last reference\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock\nwith below backtrace.\n\nThe deadlock will leak kfd process as mmu notifier release is not called\nand cause VRAM leaking.\n\nThe fix is to take mm reference mmget_non_zero when adding prange to the\ndeferred list to pair with mmput in deferred list work.\n\nIf prange is split and added into pchild list, the pchild work_item.mm is not\nused, so remove the mm parameter from svm_range_unmap_split and\nsvm_range_add_child.\n\nThe backtrace of hung task:\n\n INFO: task python:348105 blocked for more than 64512 seconds.\n Call Trace:\n  __schedule+0x1c3/0x550\n  schedule+0x46/0xb0\n  rwsem_down_write_slowpath+0x24b/0x4c0\n  unlink_anon_vmas+0xb1/0x1c0\n  free_pgtables+0xa9/0x130\n  exit_mmap+0xbc/0x1a0\n  mmput+0x5a/0x140\n  svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]\n  mn_itree_invalidate+0x72/0xc0\n  __mmu_notifier_invalidate_range_start+0x48/0x60\n  try_to_unmap_one+0x10fa/0x1400\n  rmap_walk_anon+0x196/0x460\n  try_to_unmap+0xbb/0x210\n  migrate_page_unmap+0x54d/0x7e0\n  migrate_pages_batch+0x1c3/0xae0\n  migrate_pages_sync+0x98/0x240\n  migrate_pages+0x25c/0x520\n  compact_zone+0x29d/0x590\n  compact_zone_order+0xb6/0xf0\n  try_to_compact_pages+0xbe/0x220\n  __alloc_pages_direct_compact+0x96/0x1a0\n  __alloc_pages_slowpath+0x410/0x930\n  __alloc_pages_nodemask+0x3a9/0x3e0\n  do_huge_pmd_anonymous_page+0xd7/0x3e0\n  __handle_mm_fault+0x5e3/0x5f0\n  handle_mm_fault+0xf7/0x2e0\n  hmm_vma_fault.isra.0+0x4d/0xa0\n  walk_pmd_range.isra.0+0xa8/0x310\n  walk_pud_range+0x167/0x240\n  walk_pgd_range+0x55/0x100\n  __walk_page_range+0x87/0x90\n  walk_page_range+0xf6/0x160\n  hmm_range_fault+0x4f/0x90\n  amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]\n  amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]\n  init_user_pages+0xb1/0x2a0 [amdgpu]\n  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]\n  kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]\n  kfd_ioctl+0x29d/0x500 [amdgpu]\n\n(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38520",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Fix kernel crash when hard resetting the GPU\n\nThe GPU hard reset sequence calls pm_runtime_force_suspend() and\npm_runtime_force_resume(), which according to their documentation should\nonly be used during system-wide PM transitions to sleep states.\n\nThe main issue though is that depending on some internal runtime PM\nstate as seen by pm_runtime_force_suspend() (whether the usage count is\n<= 1), pm_runtime_force_resume() might not resume the device unless\nneeded. If that happens, the runtime PM resume callback\npvr_power_device_resume() is not called, the GPU clocks are not\nre-enabled, and the kernel crashes on the next attempt to access GPU\nregisters as part of the power-on sequence.\n\nReplace calls to pm_runtime_force_suspend() and\npm_runtime_force_resume() with direct calls to the driver's runtime PM\ncallbacks, pvr_power_device_suspend() and pvr_power_device_resume(),\nto ensure clocks are re-enabled and avoid the kernel crash.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38521",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/ext: Prevent update_locked_rq() calls with NULL rq\n\nAvoid invoking update_locked_rq() when the runqueue (rq) pointer is NULL\nin the SCX_CALL_OP and SCX_CALL_OP_RET macros.\n\nPreviously, calling update_locked_rq(NULL) with preemption enabled could\ntrigger the following warning:\n\n    BUG: using __this_cpu_write() in preemptible [00000000]\n\nThis happens because __this_cpu_write() is unsafe to use in preemptible\ncontext.\n\nrq is NULL when an ops is invoked from an unlocked context. In such cases, we\ndon't need to store any rq, since the value should already be NULL\n(unlocked). Ensure that update_locked_rq() is only called when rq is\nnon-NULL, preventing calling __this_cpu_write() on preemptible context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38522",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_response struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\n\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\n\n CIFS: Attempting to mount //172.31.9.1/test\n CIFS: VFS: RDMA transport established\n usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n ------------[ cut here ]------------\n kernel BUG at mm/usercopy.c:102!\n ...\n RIP: 0010:usercopy_abort+0x6c/0x80\n ...\n Call Trace:\n  <TASK>\n  __check_heap_object+0xe3/0x120\n  __check_object_size+0x4dc/0x6d0\n  smbd_recv+0x77f/0xfe0 [cifs]\n  cifs_readv_from_socket+0x276/0x8f0 [cifs]\n  cifs_read_from_socket+0xcd/0x120 [cifs]\n  cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\n  kthread+0x396/0x830\n  ret_from_fork+0x2b8/0x3b0\n  ret_from_fork_asm+0x1a/0x30\n\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\n\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38523",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix recv-recv race of completed call\n\nIf a call receives an event (such as incoming data), the call gets placed\non the socket's queue and a thread in recvmsg can be awakened to go and\nprocess it.  Once the thread has picked up the call off of the queue,\nfurther events will cause it to be requeued, and once the socket lock is\ndropped (recvmsg uses call->user_mutex to allow the socket to be used in\nparallel), a second thread can come in and its recvmsg can pop the call off\nthe socket queue again.\n\nIn such a case, the first thread will be receiving stuff from the call and\nthe second thread will be blocked on call->user_mutex.  The first thread\ncan, at this point, process both the event that it picked call for and the\nevent that the second thread picked the call for and may see the call\nterminate - in which case the call will be \"released\", decoupling the call\nfrom the user call ID assigned to it (RXRPC_USER_CALL_ID in the control\nmessage).\n\nThe first thread will return okay, but then the second thread will wake up\nholding the user_mutex and, if it sees that the call has been released by\nthe first thread, it will BUG thusly:\n\n\tkernel BUG at net/rxrpc/recvmsg.c:474!\n\nFix this by just dequeuing the call and ignoring it if it is seen to be\nalready released.  We can't tell userspace about it anyway as the user call\nID has become stale.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38524",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix irq-disabled in local_bh_enable()\n\nThe rxrpc_assess_MTU_size() function calls down into the IP layer to find\nout the MTU size for a route.  When accepting an incoming call, this is\ncalled from rxrpc_new_incoming_call() which holds interrupts disabled\nacross the code that calls down to it.  Unfortunately, the IP layer uses\nlocal_bh_enable() which, config dependent, throws a warning if IRQs are\nenabled:\n\nWARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0\n...\nRIP: 0010:__local_bh_enable_ip+0x43/0xd0\n...\nCall Trace:\n <TASK>\n rt_cache_route+0x7e/0xa0\n rt_set_nexthop.isra.0+0x3b3/0x3f0\n __mkroute_output+0x43a/0x460\n ip_route_output_key_hash+0xf7/0x140\n ip_route_output_flow+0x1b/0x90\n rxrpc_assess_MTU_size.isra.0+0x2a0/0x590\n rxrpc_new_incoming_peer+0x46/0x120\n rxrpc_alloc_incoming_call+0x1b1/0x400\n rxrpc_new_incoming_call+0x1da/0x5e0\n rxrpc_input_packet+0x827/0x900\n rxrpc_io_thread+0x403/0xb60\n kthread+0x2f7/0x310\n ret_from_fork+0x2a/0x230\n ret_from_fork_asm+0x1a/0x30\n...\nhardirqs last  enabled at (23): _raw_spin_unlock_irq+0x24/0x50\nhardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70\nsoftirqs last  enabled at (0): copy_process+0xc61/0x2730\nsoftirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90\n\nFix this by moving the call to rxrpc_assess_MTU_size() out of\nrxrpc_init_peer() and further up the stack where it can be done without\ninterrupts disabled.\n\nIt shouldn't be a problem for rxrpc_new_incoming_call() to do it after the\nlocks are dropped as pmtud is going to be performed by the I/O thread - and\nwe're in the I/O thread at this point.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38525",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: add NULL check in eswitch lag check\n\nThe function ice_lag_is_switchdev_running() is being called from outside of\nthe LAG event handler code.  This results in the lag->upper_netdev being\nNULL sometimes.  To avoid a NULL-pointer dereference, there needs to be a\ncheck before it is dereferenced.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38526",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n  cifs_oplock_break()\n    _cifsFileInfo_put(cfile)\n      cifsFileInfo_put_final()\n        cifs_sb_deactive()\n          [last ref, start releasing sb]\n            kill_sb()\n              kill_anon_super()\n                generic_shutdown_super()\n                  evict_inodes()\n                    dispose_list()\n                      evict()\n                        destroy_inode()\n                          call_rcu(&inode->i_rcu, i_callback)\n    spin_lock(&cinode->open_file_lock)  <- OK\n                            [later] i_callback()\n                              cifs_free_inode()\n                                kmem_cache_free(cinode)\n    spin_unlock(&cinode->open_file_lock)  <- UAF\n    cifs_done_oplock_break(cinode)       <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38527",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject %p% format string in bprintf-like helpers\n\nstatic const char fmt[] = \"%p%\";\n    bpf_trace_printk(fmt, sizeof(fmt));\n\nThe above BPF program isn't rejected and causes a kernel warning at\nruntime:\n\n    Please remove unsupported %\\x00 in format string\n    WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0\n\nThis happens because bpf_bprintf_prepare skips over the second %,\ndetected as punctuation, while processing %p. This patch fixes it by\nnot skipping over punctuation. %\\x00 is then processed in the next\niteration and rejected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38528",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: aio_iiro_16: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 << it->options[1]) & 0xdcfc) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38529",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl812: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\tif ((1 << it->options[1]) & board->irq_bits) {\n\nHowever, `it->options[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds.  Fix the test by\nrequiring `it->options[1]` to be within bounds before proceeding with\nthe original test.  Valid `it->options[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38530",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: common: st_sensors: Fix use of uninitialized device structs\n\nThroughout the various probe functions &indio_dev->dev is used before it\nis initialized. This caused a kernel panic in st_sensors_power_enable()\nwhen the call to devm_regulator_bulk_get_enable() fails and then calls\ndev_err_probe() with the uninitialized device.\n\nThis seems to only cause a panic with dev_err_probe(), dev_err(),\ndev_warn() and dev_info() don't seem to cause a panic, but are fixed\nas well.\n\nThe issue is reported and traced here: [1]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38531",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: properly reset Rx ring descriptor\n\nWhen device reset is triggered by feature changes such as toggling Rx\nVLAN offload, wx->do_reset() is called to reinitialize Rx rings. The\nhardware descriptor ring may retain stale values from previous sessions.\nOnly setting the length to 0 in rx_desc[0] would result in building\nmalformed SKBs. Fix it to ensure a clean slate after device reset.\n\n[  549.186435] [     C16] ------------[ cut here ]------------\n[  549.186457] [     C16] kernel BUG at net/core/skbuff.c:2814!\n[  549.186468] [     C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[  549.186472] [     C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary)\n[  549.186476] [     C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n[  549.186478] [     C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510\n[  549.186484] [     C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8\n[  549.186487] [     C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282\n[  549.186490] [     C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2\n[  549.186492] [     C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40\n[  549.186494] [     C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e\n[  549.186496] [     C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200\n[  549.186497] [     C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2\n[  549.186499] [     C16] FS:  0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000\n[  549.186502] [     C16] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  549.186503] [     C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0\n[  549.186505] [     C16] PKRU: 55555554\n[  549.186507] [     C16] Call Trace:\n[  549.186510] [     C16]  <IRQ>\n[  549.186513] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186517] [     C16]  __skb_pad+0xc7/0xf0\n[  549.186523] [     C16]  wx_clean_rx_irq+0x355/0x3b0 [libwx]\n[  549.186533] [     C16]  wx_poll+0x92/0x120 [libwx]\n[  549.186540] [     C16]  __napi_poll+0x28/0x190\n[  549.186544] [     C16]  net_rx_action+0x301/0x3f0\n[  549.186548] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186551] [     C16]  ? __raw_spin_lock_irqsave+0x1e/0x50\n[  549.186554] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186557] [     C16]  ? wake_up_nohz_cpu+0x35/0x160\n[  549.186559] [     C16]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.186563] [     C16]  handle_softirqs+0xf9/0x2c0\n[  549.186568] [     C16]  __irq_exit_rcu+0xc7/0x130\n[  549.186572] [     C16]  common_interrupt+0xb8/0xd0\n[  549.186576] [     C16]  </IRQ>\n[  549.186577] [     C16]  <TASK>\n[  549.186579] [     C16]  asm_common_interrupt+0x22/0x40\n[  549.186582] [     C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420\n[  549.186585] [     C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d\n[  549.186587] [     C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246\n[  549.186590] [     C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000\n[  549.186591] [     C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3\n[  549.186593] [     C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000\n[  549.186595] [     C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40\n[  549.186596] [     C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000\n[  549.186601] [     C16]  ? cpuidle_enter_state+0xb3/0x420\n[  549.186605] [     C16]  cpuidle_en\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38532",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: fix the use of Rx buffer DMA\n\nThe wx_rx_buffer structure contained two DMA address fields: 'dma' and\n'page_dma'. However, only 'page_dma' was actually initialized and used\nto program the Rx descriptor. But 'dma' was uninitialized and used in\nsome paths.\n\nThis could lead to undefined behavior, including DMA errors or\nuse-after-free, if the uninitialized 'dma' was used. Although such an\nerror has not yet occurred, it is worth fixing in the code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38533",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38534",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix copy-to-cache so that it performs collection with ceph+fscache\n\nThe netfs copy-to-cache that is used by Ceph with local caching sets up a\nnew request to write data just read to the cache.  The request is started\nand then left to look after itself whilst the app continues.  The request\ngets notified by the backing fs upon completion of the async DIO write, but\nthen tries to wake up the app because NETFS_RREQ_OFFLOAD_COLLECTION isn't\nset - but the app isn't waiting there, and so the request just hangs.\n\nFix this by setting NETFS_RREQ_OFFLOAD_COLLECTION which causes the\nnotification from the backing filesystem to put the collection onto a work\nqueue instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38534",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode\n\nWhen transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code\nassumed that the regulator should be disabled. However, if the regulator\nis marked as always-on, regulator_is_enabled() continues to return true,\nleading to an incorrect attempt to disable a regulator which is not\nenabled.\n\nThis can result in warnings such as:\n\n[  250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004\n_regulator_disable+0xe4/0x1a0\n[  250.155652] unbalanced disables for VIN_SYS_5V0\n\nTo fix this, we move the regulator control logic into\ntegra186_xusb_padctl_id_override() function since it's directly related\nto the ID override state. The regulator is now only disabled when the role\ntransitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID\nregister. This ensures that regulator enable/disable operations are\nproperly balanced and only occur when actually transitioning to/from host\nmode.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38535",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: fix potential use-after-free in airoha_npu_get()\n\nnp->name was being used after calling of_node_put(np), which\nreleases the node and can lead to a use-after-free bug.\nPreviously, of_node_put(np) was called unconditionally after\nof_find_device_by_node(np), which could result in a use-after-free if\npdev is NULL.\n\nThis patch moves of_node_put(np) after the error check to ensure\nthe node is only released after both the error and success cases\nare handled appropriately, preventing potential resource issues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38536",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Don't register LEDs for genphy\n\nIf a PHY has no driver, the genphy driver is probed/removed directly in\nphy_attach/detach. If the PHY's ofnode has a \"leds\" subnode, then the\nLEDs will be (un)registered when probing/removing the genphy driver.\nThis could occur if the leds are for a non-generic driver that isn't\nloaded for whatever reason. Synchronously removing the PHY device in\nphy_detach leads to the following deadlock:\n\nrtnl_lock()\nndo_close()\n    ...\n    phy_detach()\n        phy_remove()\n            phy_leds_unregister()\n                led_classdev_unregister()\n                    led_trigger_set()\n                        netdev_trigger_deactivate()\n                            unregister_netdevice_notifier()\n                                rtnl_lock()\n\nThere is a corresponding deadlock on the open/register side of things\n(and that one is reported by lockdep), but it requires a race while this\none is deterministic.\n\nGeneric PHYs do not support LEDs anyway, so don't bother registering\nthem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38537",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: nbpfaxi: Fix memory corruption in probe()\n\nThe nbpf->chan[] array is allocated earlier in the nbpf_probe() function\nand it has \"num_channels\" elements.  These three loops iterate one\nelement farther than they should and corrupt memory.\n\nThe changes to the second loop are more involved.  In this case, we're\ncopying data from the irqbuf[] array into the nbpf->chan[] array.  If\nthe data in irqbuf[i] is the error IRQ then we skip it, so the iterators\nare not in sync.  I added a check to ensure that we don't go beyond the\nend of the irqbuf[] array.  I'm pretty sure this can't happen, but it\nseemed harmless to add a check.\n\nOn the other hand, after the loop has ended there is a check to ensure\nthat the \"chan\" iterator is where we expect it to be.  In the original\ncode we went one element beyond the end of the array so the iterator\nwasn't in the correct place and it would always return -EINVAL.  However,\nnow it will always be in the correct place.  I deleted the check since\nwe know the result.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38538",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add down_write(trace_event_sem) when adding trace event\n\nWhen a module is loaded, it adds trace events defined by the module. It\nmay also need to modify the module's trace printk formats to replace enum\nnames with their values.\n\nIf two modules are loaded at the same time, the adding of the event to the\nftrace_events list can corrupt the walking of the list in the code that is\nmodifying the printk format strings and crash the kernel.\n\nThe addition of the event should take the trace_event_sem for write while\nit adds the new event.\n\nAlso add a lockdep_assert_held() on that semaphore in\n__trace_add_event_dirs() as it iterates the list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38539",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n\nThe Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)\nreport a HID sensor interface that is not actually implemented.\nAttempting to access this non-functional sensor via iio_info causes\nsystem hangs as runtime PM tries to wake up an unresponsive sensor.\n\nAdd these 2 devices to the HID ignore list since the sensor interface is\nnon-functional by design and should not be exposed to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38540",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()\n\ndevm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38541",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix device refcount leak in atrtr_create()\n\nWhen updating an existing route entry in atrtr_create(), the old device\nreference was not being released before assigning the new device,\nleading to a device refcount leak. Fix this by calling dev_put() to\nrelease the old device reference before holding the new one.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38542",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: nvdec: Fix dma_alloc_coherent error check\n\nCheck for NULL return value with dma_alloc_coherent, in line with\nRobin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38543",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix bug due to prealloc collision\n\nWhen userspace is using AF_RXRPC to provide a server, it has to preallocate\nincoming calls and assign to them call IDs that will be used to thread\nrelated recvmsg() and sendmsg() together.  The preallocated call IDs will\nautomatically be attached to calls as they come in until the pool is empty.\n\nTo the kernel, the call IDs are just arbitrary numbers, but userspace can\nuse the call ID to hold a pointer to prepared structs.  In any case, the\nuser isn't permitted to create two calls with the same call ID (call IDs\nbecome available again when the call ends) and EBADSLT should result from\nsendmsg() if an attempt is made to preallocate a call with an in-use call\nID.\n\nHowever, the cleanup in the error handling will trigger both assertions in\nrxrpc_cleanup_call() because the call isn't marked complete and isn't\nmarked as having been released.\n\nFix this by setting the call state in rxrpc_service_prealloc_one() and then\nmarking it as being released before calling the cleanup function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38544",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info\n\nWhile transitioning from netdev_alloc_ip_align() to build_skb(), memory\nfor the \"skb_shared_info\" member of an \"skb\" was not allocated. Fix this\nby allocating \"PAGE_SIZE\" as the skb length, accounting for the packet\nlength, headroom and tailroom, thereby including the required memory space\nfor skb_shared_info.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38545",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix memory leak of struct clip_vcc.\n\nioctl(ATMARP_MKIP) allocates struct clip_vcc and sets it to\nvcc->user_back.\n\nThe code assumes that vcc_destroy_socket() passes NULL skb\nto vcc->push() when the socket is close()d, and then clip_push()\nfrees clip_vcc.\n\nHowever, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in\natm_init_atmarp(), resulting in a memory leak.\n\nLet's serialise the two ioctl() calls by lock_sock() and check vcc->push()\nin atm_init_atmarp() to prevent the memleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38546",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps\n\nThe AXP717 ADC channel map is missing a sentinel entry at the end. This\ncauses a KASAN warning.\n\nAdd the missing sentinel entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38547",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (corsair-cpro) Validate the size of the received input buffer\n\nAdd buffer_recv_size to store the size of the received bytes.\nValidate buffer_recv_size in send_usb_cmd().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38548",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths\n\nWhen processing mount options, efivarfs allocates efivarfs_fs_info (sfi)\nearly in fs_context initialization. However, sfi is associated with the\nsuperblock and typically freed when the superblock is destroyed. If the\nfs_context is released (final put) before fill_super is called\u2014such as\non error paths or during reconfiguration\u2014the sfi structure would leak,\nas ownership never transfers to the superblock.\n\nImplement the .free callback in efivarfs_context_ops to ensure any\nallocated sfi is properly freed if the fs_context is torn down before\nfill_super, preventing this memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38549",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Delay put pmc->idev in mld_del_delrec()\n\npmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()\ndoes, the reference should be put after ip6_mc_clear_src() return.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38550",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix recursive rtnl_lock() during probe()\n\nThe deadlock appears in a stack trace like:\n\n  virtnet_probe()\n    rtnl_lock()\n    virtio_config_changed_work()\n      netdev_notify_peers()\n        rtnl_lock()\n\nIt happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the\nvirtio-net driver is still probing.\n\nThe config_work in probe() will get scheduled until virtnet_open() enables\nthe config change notification via virtio_config_driver_enable().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38551",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: plug races between subflow fail and subflow creation\n\nWe have races similar to the one addressed by the previous patch between\nsubflow failing and additional subflow creation. They are just harder to\ntrigger.\n\nThe solution is similar. Use a separate flag to track the condition\n'socket state prevent any additional subflow creation' protected by the\nfallback lock.\n\nThe socket fallback makes such flag true, and also receiving or sending\nan MP_FAIL option.\n\nThe field 'allow_infinite_fallback' is now always touched under the\nrelevant lock, we can drop the ONCE annotation on write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38552",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Restrict conditions for adding duplicating netems to qdisc tree\n\nnetem_enqueue's duplication prevention logic breaks when a netem\nresides in a qdisc tree with other netems - this can lead to a\nsoft lockup and OOM loop in netem_dequeue, as seen in [1].\nEnsure that a duplicating netem cannot exist in a tree with other\nnetems.\n\nPrevious approaches suggested in discussions in chronological order:\n\n1) Track duplication status or ttl in the sk_buff struct. Considered\ntoo specific a use case to extend such a struct, though this would\nbe a resilient fix and address other previous and potential future\nDOS bugs like the one described in loopy fun [2].\n\n2) Restrict netem_enqueue recursion depth like in act_mirred with a\nper cpu variable. However, netem_dequeue can call enqueue on its\nchild, and the depth restriction could be bypassed if the child is a\nnetem.\n\n3) Use the same approach as in 2, but add metadata in netem_skb_cb\nto handle the netem_dequeue case and track a packet's involvement\nin duplication. This is an overly complex approach, and Jamal\nnotes that the skb cb can be overwritten to circumvent this\nsafeguard.\n\n4) Prevent the addition of a netem to a qdisc tree if its ancestral\npath contains a netem. However, filters and actions can cause a\npacket to change paths when re-enqueued to the root from netem\nduplication, leading us to the current solution: prevent a\nduplicating netem from inhabiting the same tree as other netems.\n\n[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/\n[2] https://lwn.net/Articles/719297/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38553",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped\n\nBy inducing delays in the right places, Jann Horn created a reproducer for\na hard to hit UAF issue that became possible after VMAs were allowed to be\nrecycled by adding SLAB_TYPESAFE_BY_RCU to their cache.\n\nRace description is borrowed from Jann's discovery report:\nlock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under\nrcu_read_lock().  At that point, the VMA may be concurrently freed, and it\ncan be recycled by another process.  vma_start_read() then increments the\nvma->vm_refcnt (if it is in an acceptable range), and if this succeeds,\nvma_start_read() can return a recycled VMA.\n\nIn this scenario where the VMA has been recycled, lock_vma_under_rcu()\nwill then detect the mismatching ->vm_mm pointer and drop the VMA through\nvma_end_read(), which calls vma_refcount_put().  vma_refcount_put() drops\nthe refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. \nThis is wrong: It implicitly assumes that the caller is keeping the VMA's\nmm alive, but in this scenario the caller has no relation to the VMA's mm,\nso the rcuwait_wake_up() can cause UAF.\n\nThe diagram depicting the race:\nT1         T2         T3\n==         ==         ==\nlock_vma_under_rcu\n  mas_walk\n          <VMA gets removed from mm>\n                      mmap\n                        <the same VMA is reallocated>\n  vma_start_read\n    __refcount_inc_not_zero_limited_acquire\n                      munmap\n                        __vma_enter_locked\n                          refcount_add_not_zero\n  vma_end_read\n    vma_refcount_put\n      __refcount_dec_and_test\n                          rcuwait_wait_event\n                            <finish operation>\n      rcuwait_wake_up [UAF]\n\nNote that rcuwait_wait_event() in T3 does not block because refcount was\nalready dropped by T1.  At this point T3 can exit and free the mm causing\nUAF in T1.\n\nTo avoid this we move vma->vm_mm verification into vma_start_read() and\ngrab vma->vm_mm to stabilize it before vma_refcount_put() operation.\n\n[surenb@google.com: v3]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38554",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: fix use-after-free in composite_dev_cleanup()\n\n1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev->os_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. In func configfs_composite_bind() -> composite_dev_cleanup():\nit will check whether cdev->os_desc_req is NULL. If it is not NULL, it\nwill attempt to use it. This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38555",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity.  Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn't reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38556",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to prevent NULL pointer dereference\n\nA malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL\npointer dereference whilst the power feature-report is toggled and sent to\nthe device in apple_magic_backlight_report_set(). The power feature-report\nis expected to have two data fields, but if the descriptor declares one\nfield then accessing field[1] and dereferencing it in\napple_magic_backlight_report_set() becomes invalid\nsince field[1] will be NULL.\n\nAn example of a minimal descriptor which can cause the crash is something\nlike the following where the report with ID 3 (power report) only\nreferences a single 1-byte field. When hid core parses the descriptor it\nwill encounter the final feature tag, allocate a hid_report (all members\nof field[] will be zeroed out), create field structure and populate it,\nincreasing the maxfield to 1. The subsequent field[1] access and\ndereference causes the crash.\n\n  Usage Page (Vendor Defined 0xFF00)\n  Usage (0x0F)\n  Collection (Application)\n    Report ID (1)\n    Usage (0x01)\n    Logical Minimum (0)\n    Logical Maximum (255)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Usage (0x02)\n    Logical Maximum (32767)\n    Report Size (16)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n\n    Report ID (3)\n    Usage (0x03)\n    Logical Minimum (0)\n    Logical Maximum (1)\n    Report Size (8)\n    Report Count (1)\n    Feature (Data,Var,Abs)\n  End Collection\n\nHere we see the KASAN splat when the kernel dereferences the\nNULL pointer and crashes:\n\n  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI\n  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)\n  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210\n  [   15.165691] Call Trace:\n  [   15.165691]  <TASK>\n  [   15.165691]  apple_probe+0x571/0xa20\n  [   15.165691]  hid_device_probe+0x2e2/0x6f0\n  [   15.165691]  really_probe+0x1ca/0x5c0\n  [   15.165691]  __driver_probe_device+0x24f/0x310\n  [   15.165691]  driver_probe_device+0x4a/0xd0\n  [   15.165691]  __device_attach_driver+0x169/0x220\n  [   15.165691]  bus_for_each_drv+0x118/0x1b0\n  [   15.165691]  __device_attach+0x1d5/0x380\n  [   15.165691]  device_initial_probe+0x12/0x20\n  [   15.165691]  bus_probe_device+0x13d/0x180\n  [   15.165691]  device_add+0xd87/0x1510\n  [...]\n\nTo fix this issue we should validate the number of fields that the\nbacklight and power reports have and if they do not have the required\nnumber of fields then bail.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38557",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[    2.756273] Mem abort info:\n[    2.760080]   ESR = 0x0000000096000005\n[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.771068]   SET = 0, FnV = 0\n[    2.771069]   EA = 0, S1PTW = 0\n[    2.771070]   FSC = 0x05: level 1 translation fault\n[    2.771071] Data abort info:\n[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[    2.771084] Dumping ftrace buffer:\n[    2.771085]    (ftrace buffer empty)\n[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15\n[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771146] sp : ffffffc08140bbb0\n[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[    2.771156] Call trace:\n[    2.771157]  __uvcg_fill_strm+0x198/0x2cc\n[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290\n[    2.771159]  configfs_symlink+0x1f8/0x630\n[    2.771161]  vfs_symlink+0x114/0x1a0\n[    2.771163]  do_symlinkat+0x94/0x28c\n[    2.771164]  __arm64_sys_symlinkat+0x54/0x70\n[    2.771164]  invoke_syscall+0x58/0x114\n[    2.771166]  el0_svc_common+0x80/0xe0\n[    2.771168]  do_el0_svc+0x1c/0x28\n[    2.771169]  el0_svc+0x3c/0x70\n[    2.771172]  el0t_64_sync_handler+0x68/0xbc\n[    2.771173]  el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38558",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/intel/pmt: fix a crashlog NULL pointer access\n\nUsage of intel_pmt_read() for binary sysfs requires a pcidev. The\ncurrent use of the endpoint value is only valid for telemetry endpoint\nusage.\n\nWithout the ep, the crashlog usage causes the following NULL pointer\nexception:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nOops: Oops: 0000 [#1] SMP NOPTI\nRIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]\nCode:\nCall Trace:\n <TASK>\n ? sysfs_kf_bin_read+0xc0/0xe0\n kernfs_fop_read_iter+0xac/0x1a0\n vfs_read+0x26d/0x350\n ksys_read+0x6b/0xe0\n __x64_sys_read+0x1d/0x30\n x64_sys_call+0x1bc8/0x1d70\n do_syscall_64+0x6d/0x110\n\nAugment struct intel_pmt_entry with a pointer to the pcidev to avoid\nthe NULL pointer exception.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38559",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Evict cache lines during SNP memory validation\n\nAn SNP cache coherency vulnerability requires a cache line eviction\nmitigation when validating memory after a page state change to private.\nThe specific mitigation is to touch the first and last byte of each 4K\npage that is being validated. There is no need to perform the mitigation\nwhen performing a page state change to shared and rescinding validation.\n\nCPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit\nthat, when set, indicates that the software mitigation for this\nvulnerability is not needed.\n\nImplement the mitigation and invoke it when validating memory (making it\nprivate) and the COHERENCY_SFW_NO bit is not set, indicating the SNP\nguest is vulnerable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38560",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Preauh_HashValue race condition\n\nIf client send multiple session setup requests to ksmbd,\nPreauh_HashValue race condition could happen.\nThere is no need to free sess->Preauh_HashValue at session setup phase.\nIt can be freed together with session at connection termination phase.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38561",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix null pointer dereference error in generate_encryptionkey\n\nIf client send two session setups with krb5 authenticate to ksmbd,\nnull pointer dereference error in generate_encryptionkey could happen.\nsess->Preauth_HashValue is set to NULL if session is valid.\nSo this patch skip generate encryption key if session is valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38562",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()'ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38563",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Handle buffer mapping fail correctly in perf_mmap()\n\nAfter successful allocation of a buffer or a successful attachment to an\nexisting buffer perf_mmap() tries to map the buffer read only into the page\ntable. If that fails, the already set up page table entries are zapped, but\nthe other perf specific side effects of that failure are not handled.  The\ncalling code just cleans up the VMA and does not invoke perf_mmap_close().\n\nThis leaks reference counts, corrupts user->vm accounting and also results\nin an unbalanced invocation of event::event_mapped().\n\nCure this by moving the event::event_mapped() invocation before the\nmap_range() call so that on map_range() failure perf_mmap_close() can be\ninvoked without causing an unbalanced event::event_unmapped() call.\n\nperf_mmap_close() undoes the reference counts and eventually frees buffers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38564",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Exit early on perf_mmap() fail\n\nWhen perf_mmap() fails to allocate a buffer, it still invokes the\nevent_mapped() callback of the related event. On X86 this might increase\nthe perf_rdpmc_allowed reference counter. But nothing undoes this as\nperf_mmap_close() is never called in this case, which causes another\nreference count leak.\n\nReturn early on failure to prevent that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38565",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator's kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert's level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38566",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: avoid ref leak in nfsd_open_local_fh()\n\nIf two calls to nfsd_open_local_fh() race and both successfully call\nnfsd_file_acquire_local(), they will both get an extra reference to the\nnet to accompany the file reference stored in *pnf.\n\nOne of them will fail to store (using xchg()) the file reference in\n*pnf and will drop that reference but WON'T drop the accompanying\nreference to the net.  This leak means that when the nfs server is shut\ndown it will hang in nfsd_shutdown_net() waiting for\n&nn->nfsd_net_free_done.\n\nThis patch adds the missing nfsd_net_put().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38567",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: mqprio: fix stack out-of-bounds write in tc entry parsing\n\nTCA_MQPRIO_TC_ENTRY_INDEX is validated using\nNLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value\nTC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack\nwrite in the fp[] array, which only has room for 16 elements (0\u201315).\n\nFix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38568",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbenet: fix BUG when creating VFs\n\nbenet crashes as soon as SRIOV VFs are created:\n\n kernel BUG at mm/vmalloc.c:3457!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary)\n [...]\n RIP: 0010:vunmap+0x5f/0x70\n [...]\n Call Trace:\n  <TASK>\n  __iommu_dma_free+0xe8/0x1c0\n  be_cmd_set_mac_list+0x3fe/0x640 [be2net]\n  be_cmd_set_mac+0xaf/0x110 [be2net]\n  be_vf_eth_addr_config+0x19f/0x330 [be2net]\n  be_vf_setup+0x4f7/0x990 [be2net]\n  be_pci_sriov_configure+0x3a1/0x470 [be2net]\n  sriov_numvfs_store+0x20b/0x380\n  kernfs_fop_write_iter+0x354/0x530\n  vfs_write+0x9b9/0xf60\n  ksys_write+0xf3/0x1d0\n  do_syscall_64+0x8c/0x3d0\n\nbe_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh.\nFix it by freeing only after the lock has been released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38569",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: fbnic: unlink NAPIs from queues on error to open\n\nCI hit a UaF in fbnic in the AF_XDP portion of the queues.py test.\nThe UaF is in the __sk_mark_napi_id_once() call in xsk_bind(),\nNAPI has been freed. Looks like the device failed to open earlier,\nand we lack clearing the NAPI pointer from the queue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38570",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix client side handling of tls alerts\n\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr's\niterator's kvec.\n\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38571",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb->transport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n <TASK>\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38572",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cs42l43: Property entry should be a null-terminated array\n\nThe software node does not specify a count of property entries, so the\narray must be null-terminated.\n\nWhen unterminated, this can lead to a fault in the downstream cs35l56\namplifier driver, because the node parse walks off the end of the\narray into unknown memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38573",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npptp: ensure minimal skb length in pptp_xmit()\n\nCommit aabc6596ffb3 (\"net: ppp: Add bound checking for skb data\non ppp_sync_txmung\") fixed ppp_sync_txmunge()\n\nWe need a similar fix in pptp_xmit(), otherwise we might\nread uninit data as reported by syzbot.\n\nBUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n  pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]\n  ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314\n  pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379\n  sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n  __release_sock+0x1d3/0x330 net/core/sock.c:3213\n  release_sock+0x6b/0x270 net/core/sock.c:3767\n  pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904\n  sock_sendmsg_nosec net/socket.c:712 [inline]\n  __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n  ____sys_sendmsg+0x893/0xd80 net/socket.c:2566\n  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n  __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38574",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use aead_request_free to match aead_request_alloc\n\nUse aead_request_free() instead of kfree() to properly free memory\nallocated by aead_request_alloc(). This ensures sensitive crypto data\nis zeroed before being freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38575",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: Make EEH driver device hotplug safe\n\nMultiple race conditions existed between the PCIe hotplug driver and the\nEEH driver, leading to a variety of kernel oopses of the same general\nnature:\n\n<pcie device unplug>\n<eeh driver trigger>\n<hotplug removal trigger>\n<pcie tree reconfiguration>\n<eeh recovery next step>\n<oops in EEH driver bus iteration loop>\n\nA second class of oops is also seen when the underlying bus disappears\nduring device recovery.\n\nRefactor the EEH module to be PCI rescan and remove safe.  Also clean\nup a few minor formatting / readability issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38576",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid panic in f2fs_evict_inode\n\nAs syzbot [1] reported as below:\n\nR10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450\nR13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520\n </TASK>\n---[ end trace 0000000000000000 ]---\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff88812d962278 by task syz-executor/564\n\nCPU: 1 PID: 564 Comm: syz-executor Tainted: G        W          6.1.129-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n <TASK>\n __dump_stack+0x21/0x24 lib/dump_stack.c:88\n dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106\n print_address_description+0x71/0x210 mm/kasan/report.c:316\n print_report+0x4a/0x60 mm/kasan/report.c:427\n kasan_report+0x122/0x150 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531\n f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585\n f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703\n f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677\n writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733\n sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789\n f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159\n block_operations fs/f2fs/checkpoint.c:1269 [inline]\n f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658\n kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668\n deactivate_locked_super+0x98/0x100 fs/super.c:332\n deactivate_super+0xaf/0xe0 fs/super.c:363\n cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186\n __cleanup_mnt+0x19/0x20 fs/namespace.c:1193\n task_work_run+0x1c6/0x230 kernel/task_work.c:203\n exit_task_work include/linux/task_work.h:39 [inline]\n do_exit+0x9fb/0x2410 kernel/exit.c:871\n do_group_exit+0x210/0x2d0 kernel/exit.c:1021\n __do_sys_exit_group kernel/exit.c:1032 [inline]\n __se_sys_exit_group kernel/exit.c:1030 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030\n x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\nRIP: 0033:0x7f28b1b8e169\nCode: Unable to access opcode bytes at 0x7f28b1b8e13f.\nRSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360\nR10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360\nR13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520\n </TASK>\n\nAllocated by task 569:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429\n alloc_inode_sb include/linux/fs.h:3245 [inline]\n f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x186/0x880 fs/inode.c:1373\n f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483\n f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487\n __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690\n lookup_slow+0x57/0x70 fs/namei.c:1707\n walk_component+0x2e6/0x410 fs/namei\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38577",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n\nsyzbot reported an UAF issue as below: [1] [2]\n\n[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000\n\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8\n\nCPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G        W          6.1.129-syzkaller-00017-g642656a36791 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x158/0x4e0 mm/kasan/report.c:427\n kasan_report+0x13c/0x170 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553\n f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588\n f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706\n f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677\n writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903\n __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974\n wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081\n wb_check_background_flush fs/fs-writeback.c:2151 [inline]\n wb_do_writeback fs/fs-writeback.c:2239 [inline]\n wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266\n process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299\n worker_thread+0xa60/0x1260 kernel/workqueue.c:2446\n kthread+0x26d/0x300 kernel/kthread.c:386\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n\nAllocated by task 298:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333\n kasan_slab_alloc include/linux/kasan.h:202 [inline]\n slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768\n slab_alloc_node mm/slub.c:3421 [inline]\n slab_alloc mm/slub.c:3431 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3438 [inline]\n kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454\n alloc_inode_sb include/linux/fs.h:3255 [inline]\n f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x18c/0x7e0 fs/inode.c:1373\n f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486\n f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484\n __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689\n lookup_slow+0x5a/0x80 fs/namei.c:1706\n walk_component+0x2e7/0x410 fs/namei.c:1997\n lookup_last fs/namei.c:2454 [inline]\n path_lookupat+0x16d/0x450 fs/namei.c:2478\n filename_lookup+0x251/0x600 fs/namei.c:2507\n vfs_statx+0x107/0x4b0 fs/stat.c:229\n vfs_fstatat fs/stat.c:267 [inline]\n vfs_lstat include/linux/fs.h:3434 [inline]\n __do_sys_newlstat fs/stat.c:423 [inline]\n __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417\n __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417\n x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\n\nFreed by task 0:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516\n ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241\n __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249\n kasan_slab_free include/linux/kasan.h:178 [inline]\n slab_free_hook mm/slub.c:1745 [inline]\n slab_free_freelist_hook mm/slub.c:1771 [inline]\n slab_free mm/slub.c:3686 [inline]\n kmem_cache_free+0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38578",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix KMSAN uninit-value in extent_info usage\n\nKMSAN reported a use of uninitialized value in `__is_extent_mergeable()`\n and `__is_back_mergeable()` via the read extent tree path.\n\nThe root cause is that `get_read_extent_info()` only initializes three\nfields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the\nremaining fields uninitialized. This leads to undefined behavior\nwhen those fields are accessed later, especially during\nextent merging.\n\nFix it by zero-initializing the `extent_info` struct before population.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38579",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix inode use after free in ext4_end_io_rsv_work()\n\nIn ext4_io_end_defer_completion(), check if io_end->list_vec is empty to\navoid adding an io_end that requires no conversion to the\ni_rsv_conversion_list, which in turn prevents starting an unnecessary\nworker. An ext4_emergency_state() check is also added to avoid attempting\nto abort the journal in an emergency state.\n\nAdditionally, ext4_put_io_end_defer() is refactored to call\next4_io_end_defer_completion() directly instead of being open-coded.\nThis also prevents starting an unnecessary worker when EXT4_IO_END_FAILED\nis set but data_err=abort is not enabled.\n\nThis ensures that the check in ext4_put_io_end_defer() is consistent with\nthe check in ext4_end_bio(). Otherwise, we might add an io_end to the\ni_rsv_conversion_list and then call ext4_finish_bio(), after which the\ninode could be freed before ext4_end_io_rsv_work() is called, triggering\na use-after-free issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38580",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for ccp.ko\n\nWhen CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding\nthe ccp device causes the following crash:\n\n$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind\n$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind\n\n[  204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098\n[  204.978026] #PF: supervisor write access in kernel mode\n[  204.979126] #PF: error_code(0x0002) - not-present page\n[  204.980226] PGD 0 P4D 0\n[  204.981317] Oops: Oops: 0002 [#1] SMP NOPTI\n...\n[  204.997852] Call Trace:\n[  204.999074]  <TASK>\n[  205.000297]  start_creating+0x9f/0x1c0\n[  205.001533]  debugfs_create_dir+0x1f/0x170\n[  205.002769]  ? srso_return_thunk+0x5/0x5f\n[  205.004000]  ccp5_debugfs_setup+0x87/0x170 [ccp]\n[  205.005241]  ccp5_init+0x8b2/0x960 [ccp]\n[  205.006469]  ccp_dev_init+0xd4/0x150 [ccp]\n[  205.007709]  sp_init+0x5f/0x80 [ccp]\n[  205.008942]  sp_pci_probe+0x283/0x2e0 [ccp]\n[  205.010165]  ? srso_return_thunk+0x5/0x5f\n[  205.011376]  local_pci_probe+0x4f/0xb0\n[  205.012584]  pci_device_probe+0xdb/0x230\n[  205.013810]  really_probe+0xed/0x380\n[  205.015024]  __driver_probe_device+0x7e/0x160\n[  205.016240]  device_driver_attach+0x2f/0x60\n[  205.017457]  bind_store+0x7c/0xb0\n[  205.018663]  drv_attr_store+0x28/0x40\n[  205.019868]  sysfs_kf_write+0x5f/0x70\n[  205.021065]  kernfs_fop_write_iter+0x145/0x1d0\n[  205.022267]  vfs_write+0x308/0x440\n[  205.023453]  ksys_write+0x6d/0xe0\n[  205.024616]  __x64_sys_write+0x1e/0x30\n[  205.025778]  x64_sys_call+0x16ba/0x2150\n[  205.026942]  do_syscall_64+0x56/0x1e0\n[  205.028108]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  205.029276] RIP: 0033:0x7fbc36f10104\n[  205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5\n\nThis patch sets ccp_debugfs_dir to NULL after destroying it in\nccp5_debugfs_destroy, allowing the directory dentry to be\nrecreated when rebinding the ccp device.\n\nTested on AMD Ryzen 7 1700X.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38581",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix double destruction of rsv_qp\n\nrsv_qp may be double destroyed in error flow, first in free_mr_init(),\nand then in hns_roce_exit(). Fix it by moving the free_mr_init() call\ninto hns_roce_v2_init().\n\nlist_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100)\nWARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240\n...\nCall trace:\n __list_del_entry_valid+0x148/0x240\n hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]\n free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]\n hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]\n hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]\n hclge_notify_roce_client+0x6c/0x160 [hclge]\n hclge_reset_rebuild+0x150/0x5c0 [hclge]\n hclge_reset+0x10c/0x140 [hclge]\n hclge_reset_subtask+0x80/0x104 [hclge]\n hclge_reset_service_task+0x168/0x3ac [hclge]\n hclge_service_task+0x50/0x100 [hclge]\n process_one_work+0x250/0x9a0\n worker_thread+0x324/0x990\n kthread+0x190/0x210\n ret_from_fork+0x10/0x18",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38582",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: xilinx: vcu: unregister pll_post only if registered correctly\n\nIf registration of pll_post is failed, it will be set to NULL or ERR,\nunregistering same will fail with following call trace:\n\nUnable to handle kernel NULL pointer dereference at virtual address 008\npc : clk_hw_unregister+0xc/0x20\nlr : clk_hw_unregister_fixed_factor+0x18/0x30\nsp : ffff800011923850\n...\nCall trace:\n clk_hw_unregister+0xc/0x20\n clk_hw_unregister_fixed_factor+0x18/0x30\n xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]\n xvcu_probe+0x2bc/0x53c [xlnx_vcu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38583",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38584",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()\n\nWhen gmin_get_config_var() calls efi.get_variable() and the EFI variable\nis larger than the expected buffer size, two behaviors combine to create\na stack buffer overflow:\n\n1. gmin_get_config_var() does not return the proper error code when\n   efi.get_variable() fails. It returns the stale 'ret' value from\n   earlier operations instead of indicating the EFI failure.\n\n2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates\n   *out_len to the required buffer size but writes no data to the output\n   buffer. However, due to bug #1, gmin_get_var_int() believes the call\n   succeeded.\n\nThe caller gmin_get_var_int() then performs:\n- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack\n- Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64\n- If EFI variable is >64 bytes, efi.get_variable() sets len=required_size\n- Due to bug #1, thinks call succeeded with len=required_size\n- Executes val[len] = 0, writing past end of 65-byte stack buffer\n\nThis creates a stack buffer overflow when EFI variables are larger than\n64 bytes. Since EFI variables can be controlled by firmware or system\nconfiguration, this could potentially be exploited for code execution.\n\nFix the bug by returning proper error codes from gmin_get_config_var()\nbased on EFI status instead of stale 'ret' value.\n\nThe gmin_get_var_int() function is called during device initialization\nfor camera sensor configuration on Intel Bay Trail and Cherry Trail\nplatforms using the atomisp camera stack.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38585",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix fp initialization for exception boundary\n\nIn the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF\nprogram, find_used_callee_regs() is not called because for a program\nacting as exception boundary, all callee saved registers are saved.\nfind_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP\nbeing used in any of the instructions.\n\nFor programs acting as exception boundary, ctx->fp_used remains false\neven if frame pointer is used by the program and therefore, FP is not\nset-up for such programs in the prologue. This can cause the kernel to\ncrash due to a pagefault.\n\nFix it by setting ctx->fp_used = true for exception boundary programs as\nfp is always saved in such programs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38586",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible infinite loop in fib6_info_uses_dev()\n\nfib6_info_uses_dev() seems to rely on RCU without an explicit\nprotection.\n\nLike the prior fix in rt6_nlmsg_size(),\nwe need to make sure fib6_del_route() or fib6_add_rt2node()\nhave not removed the anchor from the list, or we risk an infinite loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38587",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, &f6i->fib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i->fib6_nsiblings is zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38588",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: Fix null-ptr-deref in neigh_flush_dev().\n\nkernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]\n\nThe cited commit introduced per-netdev neighbour list and converted\nneigh_flush_dev() to use it instead of the global hash table.\n\nOne thing we missed is that neigh_table_clear() calls neigh_ifdown()\nwith NULL dev.\n\nLet's restore the hash table iteration.\n\nNote that IPv6 module is no longer unloadable, so neigh_table_clear()\nis called only when IPv6 fails to initialise, which is unlikely to\nhappen.\n\n[0]:\nIPv6: Attempt to unregister permanent protocol 136\nIPv6: Attempt to unregister permanent protocol 17\nOops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]\nCPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.12.0-rc6-01246-gf7f52738637f #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570\nCode: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f\nRSP: 0000:ffff88810026f408 EFLAGS: 00010206\nRAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640\nRBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000\nFS:  00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0\nDR0: 
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __neigh_ifdown.llvm.6395807810224103582+0x44/0x390\n neigh_table_clear+0xb1/0x268\n ndisc_cleanup+0x21/0x38 [ipv6]\n init_module+0x2f5/0x468 [ipv6]\n do_one_initcall+0x1ba/0x628\n do_init_module+0x21a/0x530\n load_module+0x2550/0x2ea0\n __se_sys_finit_module+0x3d2/0x620\n __x64_sys_finit_module+0x76/0x88\n x64_sys_call+0x7ff/0xde8\n do_syscall_64+0xfb/0x1e8\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f575d6f2719\nCode: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719\nRDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004\nRBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00\nR10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000\nR13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270\n </TASK>\nModules linked in: ipv6(+)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38589",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Remove skb secpath if xfrm state is not found\n\nHardware returns a unique identifier for a decrypted packet's xfrm\nstate, this state is looked up in an xarray. However, the state might\nhave been freed by the time of this lookup.\n\nCurrently, if the state is not found, only a counter is incremented.\nThe secpath (sp) extension on the skb is not removed, resulting in\nsp->len becoming 0.\n\nSubsequently, functions like __xfrm_policy_check() attempt to access\nfields such as xfrm_input_state(skb)->xso.type (which dereferences\nsp->xvec[sp->len - 1]) without first validating sp->len. This leads to\na crash when dereferencing an invalid state pointer.\n\nThis patch prevents the crash by explicitly removing the secpath\nextension from the skb if the xfrm state is not found after hardware\ndecryption. This ensures downstream functions do not operate on a\nzero-length secpath.\n\n BUG: unable to handle page fault for address: ffffffff000002c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 282e067 P4D 282e067 PUD 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__xfrm_policy_check+0x61a/0xa30\n Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa\n RSP: 0018:ffff88885fb04918 EFLAGS: 00010297\n RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000\n RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353\n R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8\n 
R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00\n FS:  0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  ? try_to_wake_up+0x108/0x4c0\n  ? udp4_lib_lookup2+0xbe/0x150\n  ? udp_lib_lport_inuse+0x100/0x100\n  ? __udp4_lib_lookup+0x2b0/0x410\n  __xfrm_policy_check2.constprop.0+0x11e/0x130\n  udp_queue_rcv_one_skb+0x1d/0x530\n  udp_unicast_rcv_skb+0x76/0x90\n  __udp4_lib_rcv+0xa64/0xe90\n  ip_protocol_deliver_rcu+0x20/0x130\n  ip_local_deliver_finish+0x75/0xa0\n  ip_local_deliver+0xc1/0xd0\n  ? ip_protocol_deliver_rcu+0x130/0x130\n  ip_sublist_rcv+0x1f9/0x240\n  ? ip_rcv_finish_core+0x430/0x430\n  ip_list_rcv+0xfc/0x130\n  __netif_receive_skb_list_core+0x181/0x1e0\n  netif_receive_skb_list_internal+0x200/0x360\n  ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]\n  gro_receive_skb+0xfd/0x210\n  mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]\n  mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]\n  ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]\n  mlx5e_napi_poll+0x114/0xab0 [mlx5_core]\n  __napi_poll+0x25/0x170\n  net_rx_action+0x32d/0x3a0\n  ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]\n  ? notifier_call_chain+0x33/0xa0\n  handle_softirqs+0xda/0x250\n  irq_exit_rcu+0x6d/0xc0\n  common_interrupt+0x81/0xa0\n  </IRQ>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38590",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n    r0 = *(u8 *)(r1 + 169);\n    exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n    verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38591",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv\n\nCurrently both dev_coredumpv and skb_put_data in hci_devcd_dump use\nhdev->dump.head. However, dev_coredumpv can free the buffer. From\ndev_coredumpm_timeout documentation, which is used by dev_coredumpv:\n\n    > Creates a new device coredump for the given device. If a previous one hasn't\n    > been read yet, the new coredump is discarded. The data lifetime is determined\n    > by the device coredump framework and when it is no longer needed the @free\n    > function will be called to free the data.\n\nIf the data has not been read by the userspace yet, dev_coredumpv will\ndiscard new buffer, freeing hdev->dump.head. This leads to\nvmalloc-out-of-bounds error when skb_put_data tries to access\nhdev->dump.head.\n\nA crash report from syzbot illustrates this:\n\n    ==================================================================\n    BUG: KASAN: vmalloc-out-of-bounds in skb_put_data\n    include/linux/skbuff.h:2752 [inline]\n    BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240\n    net/bluetooth/coredump.c:258\n    Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844\n\n    CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted\n    6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full)\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS\n    Google 02/12/2025\n    Workqueue: hci0 hci_devcd_timeout\n    Call Trace:\n     <TASK>\n     __dump_stack lib/dump_stack.c:94 [inline]\n     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n     print_address_description mm/kasan/report.c:408 [inline]\n     print_report+0xc3/0x670 mm/kasan/report.c:521\n     kasan_report+0xe0/0x110 mm/kasan/report.c:634\n     check_region_inline mm/kasan/generic.c:183 [inline]\n     kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n     __asan_memcpy+0x23/0x60 
mm/kasan/shadow.c:105\n     skb_put_data include/linux/skbuff.h:2752 [inline]\n     hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258\n     hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413\n     process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n     process_scheduled_works kernel/workqueue.c:3319 [inline]\n     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n     kthread+0x3c2/0x780 kernel/kthread.c:464\n     ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n     </TASK>\n\n    The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping\n    Memory state around the buggy address:\n     ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n     ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n    >ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                       ^\n     ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n     ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n    ==================================================================\n\nTo avoid this issue, reorder dev_coredumpv to be called after\nskb_put_data that does not free the data.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38592",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'\n\nFunction 'hci_discovery_filter_clear()' frees 'uuids' array and then\nsets it to NULL. There is a tiny chance of the following race:\n\n'hci_cmd_sync_work()'\n\n 'update_passive_scan_sync()'\n\n   'hci_update_passive_scan_sync()'\n\n     'hci_discovery_filter_clear()'\n       kfree(uuids);\n\n       <-------------------------preempted-------------------------------->\n                                           'start_service_discovery()'\n\n                                             'hci_discovery_filter_clear()'\n                                               kfree(uuids); // DOUBLE FREE\n\n       <-------------------------preempted-------------------------------->\n\n      uuids = NULL;\n\nTo fix it let's add locking around 'kfree()' call and NULL pointer\nassignment. Otherwise the following backtrace fires:\n\n[ ] ------------[ cut here ]------------\n[ ] kernel BUG at mm/slub.c:547!\n[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1\n[ ] Tainted: [O]=OOT_MODULE\n[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ ] pc : __slab_free+0xf8/0x348\n[ ] lr : __slab_free+0x48/0x348\n...\n[ ] Call trace:\n[ ]  __slab_free+0xf8/0x348\n[ ]  kfree+0x164/0x27c\n[ ]  start_service_discovery+0x1d0/0x2c0\n[ ]  hci_sock_sendmsg+0x518/0x924\n[ ]  __sock_sendmsg+0x54/0x60\n[ ]  sock_write_iter+0x98/0xf8\n[ ]  do_iter_readv_writev+0xe4/0x1c8\n[ ]  vfs_writev+0x128/0x2b0\n[ ]  do_writev+0xfc/0x118\n[ ]  __arm64_sys_writev+0x20/0x2c\n[ ]  invoke_syscall+0x68/0xf0\n[ ]  el0_svc_common.constprop.0+0x40/0xe0\n[ ]  do_el0_svc+0x1c/0x28\n[ ]  el0_svc+0x30/0xd0\n[ ]  el0t_64_sync_handler+0x100/0x12c\n[ ]  el0t_64_sync+0x194/0x198\n[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)\n[ ] ---[ end trace 
0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38593",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\n\nCommit 17fce9d2336d (\"iommu/vt-d: Put iopf enablement in domain attach\npath\") disables IOPF on device by removing the device from its IOMMU's\nIOPF queue when the last IOPF-capable domain is detached from the device.\nUnfortunately, it did this in a wrong place where there are still pending\nIOPFs. As a result, a use-after-free error is potentially triggered and\neventually a kernel panic with a kernel trace similar to the following:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\n Call Trace:\n   <TASK>\n   iopf_free_group+0xe/0x20\n   process_one_work+0x197/0x3d0\n   worker_thread+0x23a/0x350\n   ? rescuer_thread+0x4a0/0x4a0\n   kthread+0xf8/0x230\n   ? finish_task_switch.isra.0+0x81/0x260\n   ? kthreads_online_cpu+0x110/0x110\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork+0x13b/0x170\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork_asm+0x11/0x20\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nThe intel_pasid_tear_down_entry() function is responsible for blocking\nhardware from generating new page faults and flushing all in-flight\nones. Therefore, moving iopf_for_domain_remove() after this function\nshould resolve this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38594",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we'd inserted a file reference into descriptor table, another\nthread could close it.  That's fine for the case when all we are doing is\nreturning that descriptor to userland (it's a race, but it's a userland\nrace and there's nothing the kernel can do about it).  However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its ->release()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by doing reserving descriptor before anything else and do\nfd_install() only when everything had been set up.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38595",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code\n\nThe object is potentially already gone after the drm_gem_object_put().\nIn general the object should be fully constructed before calling\ndrm_gem_handle_create(), except the debugfs tracking uses a separate\nlock and list and separate flag to denotate whether the object is\nactually initialized.\n\nSince I'm touching this all anyway simplify this by only adding the\nobject to the debugfs when it's ready for that, which allows us to\ndelete that separate flag. panthor_gem_debugfs_bo_rm() already checks\nwhether we've actually been added to the list or this is some error\npath cleanup.\n\nv2: Fix build issues for !CONFIG_DEBUGFS (Adri\u00e1n)\n\nv3: Add linebreak and remove outdated comment (Liviu)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38596",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port\n\nEach window of a vop2 is usable by a specific set of video ports, so while\nbinding the vop2, we look through the list of available windows trying to\nfind one designated as primary-plane and usable by that specific port.\n\nThe code later wants to use drm_crtc_init_with_planes with that found\nprimary plane, but nothing has checked so far if a primary plane was\nactually found.\n\nFor whatever reason, the rk3576 vp2 does not have a usable primary window\n(if vp0 is also in use) which brought the issue to light and ended in a\nnull-pointer dereference further down.\n\nAs we expect a primary-plane to exist for a video-port, add a check at\nthe end of the window-iteration and fail probing if none was found.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38597",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0\n\n[  +0.000020] BUG: KASAN: slab-use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]\n[  +0.000817] Read of size 8 at addr ffff88812eec8c58 by task amd_pci_unplug/1733\n\n[  +0.000027] CPU: 10 UID: 0 PID: 1733 Comm: amd_pci_unplug Tainted: G        W          6.14.0+ #2\n[  +0.000009] Tainted: [W]=WARN\n[  +0.000003] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000004] Call Trace:\n[  +0.000004]  <TASK>\n[  +0.000003]  dump_stack_lvl+0x76/0xa0\n[  +0.000011]  print_report+0xce/0x600\n[  +0.000009]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? kasan_complete_mode_report_info+0x76/0x200\n[  +0.000007]  ? kasan_addr_to_slab+0xd/0xb0\n[  +0.000006]  ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]\n[  +0.000707]  kasan_report+0xbe/0x110\n[  +0.000006]  ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]\n[  +0.000541]  __asan_report_load8_noabort+0x14/0x30\n[  +0.000005]  amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu]\n[  +0.000535]  ? stop_cpsch+0x396/0x600 [amdgpu]\n[  +0.000556]  ? stop_cpsch+0x429/0x600 [amdgpu]\n[  +0.000536]  ? __pfx_amdgpu_userq_suspend+0x10/0x10 [amdgpu]\n[  +0.000536]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? kgd2kfd_suspend+0x132/0x1d0 [amdgpu]\n[  +0.000542]  amdgpu_device_fini_hw+0x581/0xe90 [amdgpu]\n[  +0.000485]  ? down_write+0xbb/0x140\n[  +0.000007]  ? __mutex_unlock_slowpath.constprop.0+0x317/0x360\n[  +0.000005]  ? __pfx_amdgpu_device_fini_hw+0x10/0x10 [amdgpu]\n[  +0.000482]  ? __kasan_check_write+0x14/0x30\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? up_write+0x55/0xb0\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? blocking_notifier_chain_unregister+0x6c/0xc0\n[  +0.000008]  amdgpu_driver_unload_kms+0x69/0x90 [amdgpu]\n[  +0.000484]  amdgpu_pci_remove+0x93/0x130 [amdgpu]\n[  +0.000482]  pci_device_remove+0xae/0x1e0\n[  +0.000008]  device_remove+0xc7/0x180\n[  +0.000008]  device_release_driver_internal+0x3d4/0x5a0\n[  +0.000007]  device_release_driver+0x12/0x20\n[  +0.000004]  pci_stop_bus_device+0x104/0x150\n[  +0.000006]  pci_stop_and_remove_bus_device_locked+0x1b/0x40\n[  +0.000005]  remove_store+0xd7/0xf0\n[  +0.000005]  ? __pfx_remove_store+0x10/0x10\n[  +0.000006]  ? __pfx__copy_from_iter+0x10/0x10\n[  +0.000006]  ? __pfx_dev_attr_store+0x10/0x10\n[  +0.000006]  dev_attr_store+0x3f/0x80\n[  +0.000006]  sysfs_kf_write+0x125/0x1d0\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __kasan_check_write+0x14/0x30\n[  +0.000005]  kernfs_fop_write_iter+0x2ea/0x490\n[  +0.000005]  ? rw_verify_area+0x70/0x420\n[  +0.000005]  ? __pfx_kernfs_fop_write_iter+0x10/0x10\n[  +0.000006]  vfs_write+0x90d/0xe70\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __pfx_vfs_write+0x10/0x10\n[  +0.000004]  ? local_clock+0x15/0x30\n[  +0.000008]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __kasan_slab_free+0x5f/0x80\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __kasan_check_read+0x11/0x20\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? fdget_pos+0x1d3/0x500\n[  +0.000007]  ksys_write+0x119/0x220\n[  +0.000005]  ? putname+0x1c/0x30\n[  +0.000006]  ? __pfx_ksys_write+0x10/0x10\n[  +0.000007]  __x64_sys_write+0x72/0xc0\n[  +0.000006]  x64_sys_call+0x18ab/0x26f0\n[  +0.000006]  do_syscall_64+0x7c/0x170\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __pfx___x64_sys_openat+0x10/0x10\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __kasan_check_read+0x11/0x20\n[  +0.000003]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? fpregs_assert_state_consistent+0x21/0xb0\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? syscall_exit_to_user_mode+0x4e/0x240\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? do_syscall_64+0x88/0x170\n[  +0.000003]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? irqentry_exit+0x43/0x50\n[  +0.000004]  ? srso_return_thunk+0x5\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38598",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible OOB access in mt7996_tx()\n\nFix possible Out-Of-Boundary access in mt7996_tx routine if link_id is\nset to IEEE80211_LINK_UNSPECIFIED",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38599",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan()\n\nThe ssid->ssids[] and sreq->ssids[] arrays have MT7925_RNR_SCAN_MAX_BSSIDS\nelements so this >= needs to be > to prevent an out of bounds access.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38600",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: clear initialized flag for deinit-ed srng lists\n\nIn a number of cases we see kernel panics on resume due\nto ath11k kernel page fault, which happens under the\nfollowing circumstances:\n\n1) First ath11k_hal_dump_srng_stats() call\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 22511ms before\n ath11k_pci 0000:01:00.0: group_id 1 14440788ms before\n [..]\n ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..\n ath11k_pci 0000:01:00.0: Service connect timeout\n ath11k_pci 0000:01:00.0: failed to connect to HTT: -110\n ath11k_pci 0000:01:00.0: failed to start core: -110\n ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM\n ath11k_pci 0000:01:00.0: already resetting count 2\n ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110\n ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110\n ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery\n [..]\n\n2) At this point reconfiguration fails (we have 2 resets) and\n  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()\n  which destroys srng lists.  However, it does not reset per-list\n  ->initialized flag.\n\n3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized\n  flag and attempts to dump srng stats:\n\n Last interrupt received for each group:\n ath11k_pci 0000:01:00.0: group_id 0 66785ms before\n ath11k_pci 0000:01:00.0: group_id 1 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 2 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 3 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 4 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 5 14780845ms before\n ath11k_pci 0000:01:00.0: group_id 6 14485062ms before\n ath11k_pci 0000:01:00.0: group_id 7 66814ms before\n ath11k_pci 0000:01:00.0: group_id 8 68997ms before\n ath11k_pci 0000:01:00.0: group_id 9 67588ms before\n ath11k_pci 0000:01:00.0: group_id 10 69511ms before\n BUG: unable to handle page fault for address: ffffa007404eb010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]\n Call Trace:\n <TASK>\n ? __die_body+0xae/0xb0\n ? page_fault_oops+0x381/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]\n ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]\n worker_thread+0x389/0x930\n kthread+0x149/0x170\n\nClear per-list ->initialized flag in ath11k_hal_srng_deinit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38601",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue since it may\nreturn NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38602",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb because the anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  <IRQ>\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  </IRQ>\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38604",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type()\n\nIn ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to\nretrieve the ab pointer. In vdev delete sequence the arvif->ar could\nbecome NULL and that would trigger kernel panic.\nSince the caller ath12k_dp_tx() already has a valid ab pointer, pass it\ndirectly to avoid panic and unnecessary dereferencing.\n\nPC points to \"ath12k_dp_tx+0x228/0x988 [ath12k]\"\nLR points to \"ath12k_dp_tx+0xc8/0x988 [ath12k]\".\nThe Backtrace obtained is as follows:\nath12k_dp_tx+0x228/0x988 [ath12k]\nath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k]\nieee80211_process_measurement_req+0x320/0x348 [mac80211]\nieee80211_tx_dequeue+0x9ac/0x1518 [mac80211]\nieee80211_tx_dequeue+0xb14/0x1518 [mac80211]\nieee80211_tx_prepare_skb+0x224/0x254 [mac80211]\nieee80211_xmit+0xec/0x100 [mac80211]\n__ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211]\nieee80211_subif_start_xmit+0x2e8/0x308 [mac80211]\nnetdev_start_xmit+0x150/0x18c\ndev_hard_start_xmit+0x74/0xc0\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38605",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss\n\nDuring beacon miss handling, ath12k driver iterates over active virtual\ninterfaces (vifs) and attempts to access the radio object (ar) via\narvif->deflink->ar.\n\nHowever, after commit aa80f12f3bed (\"wifi: ath12k: defer vdev creation for\nMLO\"), arvif is linked to a radio only after vdev creation, typically when\na channel is assigned or a scan is requested.\nFor P2P capable devices, a default P2P interface is created by\nwpa_supplicant along with regular station interfaces, these serve as dummy\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\non such P2P vifs, driver selects destination radio (ar) based on scan\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\nfrom the radio and leaving arvif->ar uninitialized.\n\nWhile handling beacon miss for station interfaces, P2P interface is also\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\ntries to dereference the uninitialized arvif->deflink->ar.\n\nFix this by verifying that vdev is created for the arvif before accessing\nits ar during beacon miss handling and similar vif iterator callbacks.\n\n==========================================================================\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\n Call Trace:\n  __iterate_interfaces+0x11a/0x410 [mac80211]\n  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\n  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\n  ath12k_roam_event+0x393/0x560 [ath12k]\n  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\n  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\n  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\n  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\n  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\n  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\n  process_one_work+0xe3a/0x1430\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38606",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: handle jset (if a & b ...) as a jump in CFG computation\n\nBPF_JSET is a conditional jump and currently verifier.c:can_jump()\ndoes not know about that. This can lead to incorrect live registers\nand SCC computation.\n\nE.g. in the following example:\n\n   1: r0 = 1;\n   2: r2 = 2;\n   3: if r1 & 0x7 goto +1;\n   4: exit;\n   5: r0 = r2;\n   6: exit;\n\nW/o this fix insn_successors(3) will return only (4), a jump to (5)\nwould be missed and r2 won't be marked as alive at (3).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38607",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n\nWhen sending plaintext data, we initially calculated the corresponding\nciphertext length. However, if we later reduced the plaintext data length\nvia socket policy, we failed to recalculate the ciphertext length.\n\nThis results in transmitting buffers containing uninitialized data during\nciphertext transmission.\n\nThis causes uninitialized bytes to be appended after a complete\n\"Application Data\" packet, leading to errors on the receiving end when\nparsing TLS record.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38608",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Check governor before using governor->name\n\nCommit 96ffcdf239de (\"PM / devfreq: Remove redundant governor_name from\nstruct devfreq\") removes governor_name and uses governor->name to replace\nit. But devfreq->governor may be NULL and directly using\ndevfreq->governor->name may cause null pointer exception. Move the check of\ngovernor to before using governor->name.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38609",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()\n\nThe get_pd_power_uw() function can crash with a NULL pointer dereference\nwhen em_cpu_get() returns NULL. This occurs when a CPU becomes impossible\nduring runtime, causing get_cpu_device() to return NULL, which propagates\nthrough em_cpu_get() and leads to a crash when em_span_cpus() dereferences\nthe NULL pointer.\n\nAdd a NULL check after em_cpu_get() and return 0 if unavailable,\nmatching the existing fallback behavior in __dtpm_cpu_setup().\n\n[ rjw: Drop an excess empty code line ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38610",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()\n\nIn the error paths after fb_info structure is successfully allocated,\nthe memory allocated in fb_deferred_io_init() for info->pagerefs is not\nfreed. Fix that by adding the cleanup function on the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38612",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gpib: fix unset padding field copy back to userspace\n\nThe introduction of a padding field in the gpib_board_info_ioctl is\nshowing up as initialized data on the stack frame being copied back\nto userspace in function board_info_ioctl. The simplest fix is to\ninitialize the entire struct to zero to ensure all unassigned padding\nfields are zeroed before being copied back to userspace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38613",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don't\nlimit the depth of the resulting tree for two reasons:\n\n - They don't look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38614",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: cancel set bad inode after removing name fails\n\nThe reproducer uses a file0 on a ntfs3 file system with a corrupted i_link.\nWhen renaming, the file0's inode is marked as a bad inode because the file\nname cannot be deleted.\n\nThe underlying bug is that make_bad_inode() is called on a live inode.\nIn some cases it's \"icache lookup finds a normal inode, d_splice_alias()\nis called to attach it to dentry, while another thread decides to call\nmake_bad_inode() on it - that would evict it from icache, but we'd already\nfound it there earlier\".\nIn some it's outright \"we have an inode attached to dentry - that's how we\ngot it in the first place; let's call make_bad_inode() on it just for shits\nand giggles\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38615",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: handle data disappearing from under the TLS ULP\n\nTLS expects that it owns the receive queue of the TCP socket.\nThis cannot be guaranteed in case the reader of the TCP socket\nentered before the TLS ULP was installed, or uses some non-standard\nread API (eg. zerocopy ones). Replace the WARN_ON() and a buggy\nearly exit (which leaves anchor pointing to a freed skb) with real\nerror handling. Wipe the parsing state and tell the reader to retry.\n\nWe already reload the anchor every time we (re)acquire the socket lock,\nso the only condition we need to avoid is an out of bounds read\n(not having enough bytes in the socket for previously parsed record len).\n\nIf some data was read from under TLS but there's enough in the queue\nwe'll reload and decrypt what is most likely not a valid TLS record.\nLeading to some undefined behavior from TLS perspective (corrupting\na stream? missing an alert? missing an attack?) but no kernel crash\nshould take place.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38616",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po->bind_lock, another thread can\nrun packet_notifier() and process a NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo->bind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po->num to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po->bind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38617",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38618",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: fix list_del corruption\n\nIf ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is\nmarked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.\nThis causes the same buffer to be retried in the next iteration, resulting\nin a double list_del() and eventual list corruption.\n\nFix this by removing the buffer from the queue before calling\nvb2_buffer_done() on error.\n\nThis resolves a crash due to list_del corruption:\n[   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA\n[   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048\n[   37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)\n[   37.850799] ------------[ cut here ]------------\n[   37.855424] kernel BUG at lib/list_debug.c:65!\n[   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul\n[   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY\n[   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)\n[   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.914059] sp : ffff800080003db0\n[   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000\n[   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122\n[   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0\n[   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a\n[   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720\n[   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea\n[   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568\n[   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff\n[   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000\n[   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d\n[   37.988832] Call trace:\n[   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)\n[   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4\n[   38.001419]  udma_vchan_complete+0x1e0/0x344\n[   38.005705]  tasklet_action_common+0x118/0x310\n[   38.010163]  tasklet_action+0x30/0x3c\n[   38.013832]  handle_softirqs+0x10c/0x2e0\n[   38.017761]  __do_softirq+0x14/0x20\n[   38.021256]  ____do_softirq+0x10/0x20\n[   38.024931]  call_on_irq_stack+0x24/0x60\n[   38.028873]  do_softirq_own_stack+0x1c/0x40\n[   38.033064]  __irq_exit_rcu+0x130/0x15c\n[   38.036909]  irq_exit_rcu+0x10/0x20\n[   38.040403]  el1_interrupt+0x38/0x60\n[   38.043987]  el1h_64_irq_handler+0x18/0x24\n[   38.048091]  el1h_64_irq+0x6c/0x70\n[   38.051501]  default_idle_call+0x34/0xe0 (P)\n[   38.055783]  do_idle+0x1f8/0x250\n[   38.059021]  cpu_startup_entry+0x34/0x3c\n[   38.062951]  rest_init+0xb4/0xc0\n[   38.066186]  console_on_rootfs+0x0/0x6c\n[   38.070031]  __primary_switched+0x88/0x90\n[   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)\n[   38.080168] ---[ end trace 0000000000000000 ]---\n[   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt\n[   38.092197] SMP: stopping secondary CPUs\n[   38.096139] Kernel Offset: disabled\n[   38.099631] CPU features: 0x0000,00002000,02000801,0400420b\n[   38.105202] Memory Limit: none\n[   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38619",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzloop: fix KASAN use-after-free of tag set\n\nWhen a zoned loop device, or zloop device, is removed, KASAN enabled\nkernel reports \"BUG KASAN use-after-free\" in blk_mq_free_tag_set(). The\nBUG happens because zloop_ctl_remove() calls put_disk(), which invokes\nzloop_free_disk(). The zloop_free_disk() frees the memory allocated for\nthe zlo pointer. However, after the memory is freed, zloop_ctl_remove()\ncalls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.\nHence the KASAN use-after-free.\n\n zloop_ctl_remove()\n  put_disk(zlo->disk)\n   put_device()\n    kobject_put()\n     ...\n      zloop_free_disk()\n        kvfree(zlo)\n  blk_mq_free_tag_set(&zlo->tag_set)\n\nTo avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)\nfrom zloop_ctl_remove() into zloop_free_disk(). This ensures that\nthe tag_set is freed before the call to kvfree(zlo).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38620",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: make rdev_addable usable for rcu mode\n\nOur testcase triggers panic:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000e0\n...\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94\nPREEMPT(none)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nWorkqueue: md_misc md_start_sync\nRIP: 0010:rdev_addable+0x4d/0xf0\n...\nCall Trace:\n <TASK>\n md_start_sync+0x329/0x480\n process_one_work+0x226/0x6d0\n worker_thread+0x19e/0x340\n kthread+0x10f/0x250\n ret_from_fork+0x14d/0x180\n ret_from_fork_asm+0x1a/0x30\n </TASK>\nModules linked in: raid10\nCR2: 00000000000000e0\n---[ end trace 0000000000000000 ]---\nRIP: 0010:rdev_addable+0x4d/0xf0\n\nmd_spares_need_change in md_start_sync will call rdev_addable, which is\nprotected by rcu_read_lock/rcu_read_unlock. This rcu context helps\nensure rdev won't be released, but rdev->mddev will be set to NULL\nbefore we call synchronize_rcu in md_kick_rdev_from_array. Fix this by\nusing READ_ONCE and checking whether rdev->mddev is still alive.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38621",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: drop UFO packets in udp_rcv_segment()\n\nWhen sending a packet with virtio_net_hdr to tun device, if the gso_type\nin virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr\nsize, the crash below may happen.\n\n  ------------[ cut here ]------------\n  kernel BUG at net/core/skbuff.c:4572!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:skb_pull_rcsum+0x8e/0xa0\n  Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000\n  RSP: 0018:ffffc900001fba38 EFLAGS: 00000297\n  RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948\n  RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062\n  RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001\n  R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000\n  R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900\n  FS:  000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445\n   udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475\n   udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626\n   __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690\n   ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205\n   ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233\n   ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579\n   ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636\n   ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670\n   __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067\n   netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210\n   napi_complete_done+0x78/0x180 net/core/dev.c:6580\n   tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909\n   tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984\n   vfs_write+0x300/0x420 fs/read_write.c:593\n   ksys_write+0x60/0xd0 fs/read_write.c:686\n   do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63\n   </TASK>\n\nTo trigger gso segment in udp_queue_rcv_skb(), we should also set option\nUDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv\nhook returns 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try\nto pull udphdr, but the skb size has been segmented to gso size, which\nleads to this crash.\n\nPrevious commit cf329aa42b66 (\"udp: cope with UDP GRO packet misdirection\")\nintroduces segmentation in UDP receive path only for GRO, which was never\nintended to be used for UFO, so drop UFO packets in udp_rcv_segment().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38622",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Fix surprise plug detection and recovery\n\nThe existing PowerNV hotplug code did not handle surprise plug events\ncorrectly, leading to a complete failure of the hotplug system after device\nremoval and a required reboot to detect new devices.\n\nThis comes down to two issues:\n\n 1) When a device is surprise removed, often the bridge upstream\n    port will cause a PE freeze on the PHB.  If this freeze is not\n    cleared, the MSI interrupts from the bridge hotplug notification\n    logic will not be received by the kernel, stalling all plug events\n    on all slots associated with the PE.\n\n 2) When a device is removed from a slot, regardless of surprise or\n    programmatic removal, the associated PHB/PE is left frozen.\n    If this freeze is not cleared via a fundamental reset, skiboot\n    is unable to clear the freeze and cannot retrain / rescan the\n    slot.  This also requires a reboot to clear the freeze and redetect\n    the device in the slot.\n\nIssue the appropriate unfreeze and rescan commands on hotplug events,\nand don't oops on hotplug if pci_bus_to_OF_node() returns NULL.\n\n[bhelgaas: tidy comments]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38623",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pnv_php: Clean up allocated IRQs on unplug\n\nWhen the root of a nested PCIe bridge configuration is unplugged, the\npnv_php driver leaked the allocated IRQ resources for the child bridges'\nhotplug event notifications, resulting in a panic.\n\nFix this by walking all child buses and deallocating all its IRQ resources\nbefore calling pci_hp_remove_devices().\n\nAlso modify the lifetime of the workqueue at struct pnv_php_slot::wq so\nthat it is only destroyed in pnv_php_free_slot(), instead of\npnv_php_disable_irq(). This is required since pnv_php_disable_irq() will\nnow be called by workers triggered by hot unplug interrupts, so the\nworkqueue needs to stay allocated.\n\nThe abridged kernel panic that occurs without this patch is as follows:\n\n  WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c\n  CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2\n  Call Trace:\n   msi_device_data_release+0x34/0x9c (unreliable)\n   release_nodes+0x64/0x13c\n   devres_release_all+0xc0/0x140\n   device_del+0x2d4/0x46c\n   pci_destroy_dev+0x5c/0x194\n   pci_hp_remove_devices+0x90/0x128\n   pci_hp_remove_devices+0x44/0x128\n   pnv_php_disable_slot+0x54/0xd4\n   power_write_file+0xf8/0x18c\n   pci_slot_attr_store+0x40/0x5c\n   sysfs_kf_write+0x64/0x78\n   kernfs_fop_write_iter+0x1b0/0x290\n   vfs_write+0x3bc/0x50c\n   ksys_write+0x84/0x140\n   system_call_exception+0x124/0x230\n   system_call_vectored_common+0x15c/0x2ec\n\n[bhelgaas: tidy comments]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38624",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pds: Fix missing detach_ioas op\n\nWhen CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci\ndriver, the following WARN_ON() trace is seen and probe fails:\n\nWARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio]\n<...>\npds_vfio_pci 0000:08:00.1: probe with driver pds_vfio_pci failed with error -22\n\nThis is because the driver's vfio_device_ops.detach_ioas isn't set.\n\nFix this by using the generic vfio_iommufd_physical_detach_ioas\nfunction.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38625",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\n\nw/ \"mode=lfs\" mount option, generic/299 will cause system panic as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2835!\nCall Trace:\n <TASK>\n f2fs_allocate_data_block+0x6f4/0xc50\n f2fs_map_blocks+0x970/0x1550\n f2fs_iomap_begin+0xb2/0x1e0\n iomap_iter+0x1d6/0x430\n __iomap_dio_rw+0x208/0x9a0\n f2fs_file_write_iter+0x6b3/0xfa0\n aio_write+0x15d/0x2e0\n io_submit_one+0x55e/0xab0\n __x64_sys_io_submit+0xa5/0x230\n do_syscall_64+0x84/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0010:new_curseg+0x70f/0x720\n\nThe root cause of running out of space is: in f2fs_map_blocks(), f2fs may\ntrigger foreground gc only if it allocates any physical block, which will be\na little bit too late when there are multiple threads writing data w/\naio/dio/bufio methods in parallel, since we always use OPU in lfs mode, so\nf2fs_map_blocks() does block allocations aggressively.\n\nIn order to fix this issue, let's give a chance to trigger foreground\ngc prior to block allocation in f2fs_map_blocks().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38626",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n    The UAF case as below:\n    Thread A                                      Thread B\n    - f2fs_decompress_end_io\n     - f2fs_put_dic\n      - queue_work\n        add free_dic work to post_read_wq\n                                                   - do_unlink\n                                                    - iput\n                                                     - evict\n                                                      - call_rcu\n    This file is deleted after read.\n\n    Thread C                                 kworker to process post_read_wq\n    - rcu_do_batch\n     - f2fs_free_inode\n      - kmem_cache_free\n     inode is freed by rcu\n                                             - process_scheduled_works\n                                              - f2fs_late_free_dic\n                                               - f2fs_free_dic\n                                                - f2fs_release_decomp_mem\n                                      read (dic->inode)->i_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38627",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix release of uninitialized resources on error path\n\nThe commit in the fixes tag made sure that mlx5_vdpa_free()\nis the single entrypoint for removing the vdpa device resources\nadded in mlx5_vdpa_dev_add(), even in the cleanup path of\nmlx5_vdpa_dev_add().\n\nThis means that all functions from mlx5_vdpa_free() should be able to\nhandle uninitialized resources. This was not the case though:\nmlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()\nwere not able to do so. This caused the splat below when adding\na vdpa device without a MAC address.\n\nThis patch fixes these remaining issues:\n\n- Makes mlx5_vdpa_destroy_mr_resources() return early if called on\n  uninitialized resources.\n\n- Moves mlx5_cmd_init_async_ctx() early on during device addition\n  because it can't fail. This means that mlx5_cmd_cleanup_async_ctx()\n  also can't fail. To mirror this, move the call site of\n  mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().\n\nAn additional comment was added in mlx5_vdpa_free() to document\nthe expectations of functions called from this context.\n\nSplat:\n\n  mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?\n  ------------[ cut here ]------------\n  WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0\n  [...]\n  Call Trace:\n   <TASK>\n   ? __try_to_del_timer_sync+0x61/0x90\n   ? __timer_delete_sync+0x2b/0x40\n   mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]\n   mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]\n   vdpa_release_dev+0x1e/0x50 [vdpa]\n   device_release+0x31/0x90\n   kobject_cleanup+0x37/0x130\n   mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]\n   vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]\n   genl_family_rcv_msg_doit+0xd8/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n   genl_rcv_msg+0x47/0xa0\n   ? __pfx_genl_rcv_msg+0x10/0x10\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x27b/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   __sys_sendto+0x1fa/0x210\n   ? ___pte_offset_map+0x17/0x160\n   ? next_uptodate_folio+0x85/0x2b0\n   ? percpu_counter_add_batch+0x51/0x90\n   ? filemap_map_pages+0x515/0x660\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x7b/0x2c0\n   ? do_read_fault+0x108/0x220\n   ? do_pte_missing+0x14a/0x3e0\n   ? __handle_mm_fault+0x321/0x730\n   ? count_memcg_events+0x13f/0x180\n   ? handle_mm_fault+0x1fb/0x2d0\n   ? do_user_addr_fault+0x20c/0x700\n   ? syscall_exit_work+0x104/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f0c25b0feca\n  [...]\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38628",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb: scarlett2: Fix missing NULL check\n\nscarlett2_input_select_ctl_info() sets up the string arrays allocated\nvia kasprintf(), but it misses NULL checks, which may lead to NULL\ndereference Oops.  Let's add the proper NULL check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38629",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref\n\nfb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot\nallocate a struct fb_modelist.  If that happens, the modelist stays empty but\nthe driver continues to register.  Add a check for its return value to prevent\npotential null-ptr-deref, which is similar to the commit 17186f1f90d3 (\"fbdev:\nFix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38630",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx95-blk-ctl: Fix synchronous abort\n\nWhen enabling runtime PM for clock suppliers that also belong to a power\ndomain, the following crash is thrown:\nerror: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\nWorkqueue: events_unbound deferred_probe_work_func\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : clk_mux_get_parent+0x60/0x90\nlr : clk_core_reparent_orphans_nolock+0x58/0xd8\n  Call trace:\n   clk_mux_get_parent+0x60/0x90\n   clk_core_reparent_orphans_nolock+0x58/0xd8\n   of_clk_add_hw_provider.part.0+0x90/0x100\n   of_clk_add_hw_provider+0x1c/0x38\n   imx95_bc_probe+0x2e0/0x3f0\n   platform_probe+0x70/0xd8\n\nEnabling runtime PM without explicitly resuming the device caused\nthe power domain cut off after clk_register() is called. As a result,\na crash happens when the clock hardware provider is added and attempts\nto access the BLK_CTL register.\n\nFix this by using devm_pm_runtime_enable() instead of pm_runtime_enable()\nand getting rid of the pm_runtime_disable() in the cleanup path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38631",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinmux: fix race causing mux_owner NULL with active mux_usecount\n\ncommit 5a3e85c3c397 (\"pinmux: Use sequential access to access\ndesc->pinmux data\") tried to address the issue when two client of the\nsame gpio calls pinctrl_select_state() for the same functionality, was\nresulting in NULL pointer issue while accessing desc->mux_owner.\nHowever, issue was not completely fixed due to the way it was handled\nand it can still result in the same NULL pointer.\n\nThe issue occurs due to the following interleaving:\n\n     cpu0 (process A)                   cpu1 (process B)\n\n      pin_request() {                   pin_free() {\n\n                                         mutex_lock()\n                                         desc->mux_usecount--; //becomes 0\n                                         ..\n                                         mutex_unlock()\n\n  mutex_lock(desc->mux)\n  desc->mux_usecount++; // becomes 1\n  desc->mux_owner = owner;\n  mutex_unlock(desc->mux)\n\n                                         mutex_lock(desc->mux)\n                                         desc->mux_owner = NULL;\n                                         mutex_unlock(desc->mux)\n\nThis sequence leads to a state where the pin appears to be in use\n(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can\ncause NULL pointer on next pin_request on the same pin.\n\nEnsure that updates to mux_usecount and mux_owner are performed\natomically under the same lock. Only clear mux_owner when mux_usecount\nreaches zero and no new owner has been assigned.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38632",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: spacemit: mark K1 pll1_d8 as critical\n\nThe pll1_d8 clock is enabled by the boot loader, and is ultimately a\nparent for numerous clocks, including those used by APB and AXI buses.\nGuodong Xu discovered that this clock got disabled while responding to\ngetting -EPROBE_DEFER when requesting a reset controller.\n\nThe needed clock (CLK_DMA, along with its parents) had already been\nenabled.  To respond to the probe deferral return, the CLK_DMA clock\nwas disabled, and this led to parent clocks also reducing their enable\ncount.  When the enable count for pll1_d8 was decremented it became 0,\nwhich caused it to be disabled.  This led to a system hang.\n\nMarking that clock critical resolves this by preventing it from being\ndisabled.\n\nDefine a new macro CCU_FACTOR_GATE_DEFINE() to allow clock flags to\nbe supplied for a CCU_FACTOR_GATE clock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38633",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cpcap-charger: Fix null check for power_supply_get_by_name\n\nIn the cpcap_usb_detect() function, the power_supply_get_by_name()\nfunction may return `NULL` instead of an error pointer.\nTo prevent potential null pointer dereferences, add a null check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38634",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: davinci: Add NULL check in davinci_lpsc_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ndavinci_lpsc_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd a NULL check after devm_kasprintf() to prevent this issue and ensure\nno resources are left allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38635",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrv: Use strings in da monitors tracepoints\n\nUsing DA monitors tracepoints with KASAN enabled triggers the following\nwarning:\n\n BUG: KASAN: global-out-of-bounds in do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0\n Read of size 32 at addr ffffffffaada8980 by task ...\n Call Trace:\n  <TASK>\n [...]\n  do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0\n  ? __pfx_do_trace_event_raw_event_event_da_monitor+0x10/0x10\n  ? trace_event_sncid+0x83/0x200\n  trace_event_sncid+0x163/0x200\n [...]\n The buggy address belongs to the variable:\n  automaton_snep+0x4e0/0x5e0\n\nThis is caused by the tracepoints reading 32 bytes __array instead of\n__string from the automata definition. Such strings are literals and\nreading 32 bytes ends up in out of bound memory accesses (e.g. the next\nautomaton's data in this case).\nThe error is harmless as, while printing the string, we stop at the null\nterminator, but it should still be fixed.\n\nUse the __string facilities while defining the tracepoints to avoid\nreading out of bound memory.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38636",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: skbprio: Remove overly strict queue assertions\n\nIn the current implementation, skbprio enqueue/dequeue contains an assertion\nthat fails under certain conditions when SKBPRIO is used as a child qdisc under\nTBF with specific parameters. The failure occurs because TBF sometimes peeks at\npackets in the child qdisc without actually dequeuing them when tokens are\nunavailable.\n\nThis peek operation creates a discrepancy between the parent and child qdisc\nqueue length counters. When TBF later receives a high-priority packet,\nSKBPRIO's queue length may show a different value than what's reflected in its\ninternal priority queue tracking, triggering the assertion.\n\nThe fix removes these overly strict assertions in SKBPRIO; they are not\nnecessary at all.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38637",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-38638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: add a retry logic in net6_rt_notify()\n\ninet6_rt_notify() can be called under RCU protection only.\nThis means the route could be changed concurrently\nand rt6_fill_node() could return -EMSGSIZE.\n\nRe-size the skb when this happens and retry, removing\none WARN_ON() that syzbot was able to trigger:\n\nWARNING: CPU: 3 PID: 6291 at net/ipv6/route.c:6342 inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342\nModules linked in:\nCPU: 3 UID: 0 PID: 6291 Comm: syz.0.77 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342\nCode: fc ff ff e8 6d 52 ea f7 e9 47 fc ff ff 48 8b 7c 24 08 4c 89 04 24 e8 5a 52 ea f7 4c 8b 04 24 e9 94 fd ff ff e8 9c fe 84 f7 90 <0f> 0b 90 e9 bd fd ff ff e8 6e 52 ea f7 e9 bb fb ff ff 48 89 df e8\nRSP: 0018:ffffc900035cf1d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffc900035cf540 RCX: ffffffff8a36e790\nRDX: ffff88802f7e8000 RSI: ffffffff8a36e9d4 RDI: 0000000000000005\nRBP: ffff88803c230f00 R08: 0000000000000005 R09: 00000000ffffffa6\nR10: 00000000ffffffa6 R11: 0000000000000001 R12: 00000000ffffffa6\nR13: 0000000000000900 R14: ffff888032ea4100 R15: 0000000000000000\nFS:  00007fac7b89a6c0(0000) GS:ffff8880d6a20000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fac7b899f98 CR3: 0000000034b3f000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n  ip6_route_mpath_notify+0xde/0x280 net/ipv6/route.c:5356\n  ip6_route_multipath_add+0x1181/0x1bd0 net/ipv6/route.c:5536\n  inet6_rtm_newroute+0xe4/0x1a0 net/ipv6/route.c:5647\n  rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6944\n  netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552\n  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n  netlink_unicast+0x58d/0x850 net/netlink/af_netlink.c:1346\n  netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n  sock_sendmsg_nosec net/socket.c:712 [inline]\n  __sock_sendmsg net/socket.c:727 [inline]\n  ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n  ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38638",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_nfacct: don't assume acct name is null-terminated\n\nBUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721\nRead of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851\n[..]\n string+0x231/0x2b0 lib/vsprintf.c:721\n vsnprintf+0x739/0xf00 lib/vsprintf.c:2874\n [..]\n nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41\n xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523\n\nnfnl_acct_find_get() handles non-null input, but the error\nprintk relied on its presence.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38639",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable migration in nf_hook_run_bpf().\n\nsyzbot reported that the netfilter bpf prog can be called without\nmigration disabled in xmit path.\n\nThen the assertion in __bpf_prog_run() fails, triggering the splat\nbelow. [0]\n\nLet's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().\n\n[0]:\nBUG: assuming non migratable context at ./include/linux/filter.h:703\nin_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session\n3 locks held by sshd-session/5829:\n #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]\n #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395\n #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]\n #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]\n #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470\n #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]\n #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]\n #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241\nCPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n __cant_migrate kernel/sched/core.c:8860 [inline]\n __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834\n __bpf_prog_run include/linux/filter.h:703 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20\n nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]\n nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623\n nf_hook+0x370/0x680 include/linux/netfilter.h:272\n NF_HOOK_COND include/linux/netfilter.h:305 [inline]\n ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433\n dst_output include/net/dst.h:459 [inline]\n ip_local_out net/ipv4/ip_output.c:129 [inline]\n __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527\n __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479\n tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]\n tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838\n __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021\n tcp_push+0x225/0x700 net/ipv4/tcp.c:759\n tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359\n tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396\n inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n sock_write_iter+0x4aa/0x5b0 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x6c7/0x1150 fs/read_write.c:686\n ksys_write+0x1f8/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe7d365d407\nCode: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\nRSP:",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38640",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Fix potential NULL dereference on kmalloc failure\n\nAvoid potential NULL pointer dereference by checking the return value of\nkmalloc and handling allocation failure properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38641",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix WARN_ON for monitor mode on some devices\n\nOn devices without WANT_MONITOR_VIF (and probably without\nchannel context support) we get a WARN_ON for changing the\nper-link setting of a monitor interface.\n\nSince we already skip AP_VLAN interfaces and MONITOR with\nWANT_MONITOR_VIF and/or NO_VIRTUAL_MONITOR should update\nthe settings, catch this in the link change code instead\nof the warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38642",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()\n\nCallers of wdev_chandef() must hold the wiphy mutex.\n\nBut the worker cfg80211_propagate_cac_done_wk() never takes the lock.\nWhich triggers the warning below with the mesh_peer_connected_dfs\ntest from hostapd and not (yet) released mac80211 code changes:\n\nWARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165\nModules linked in:\nCPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf\nWorkqueue: cfg80211 cfg80211_propagate_cac_done_wk\nStack:\n 00000000 00000001 ffffff00 6093267c\n 00000000 6002ec30 6d577c50 60037608\n 00000000 67e8d108 6063717b 00000000\nCall Trace:\n [<6002ec30>] ? _printk+0x0/0x98\n [<6003c2b3>] show_stack+0x10e/0x11a\n [<6002ec30>] ? _printk+0x0/0x98\n [<60037608>] dump_stack_lvl+0x71/0xb8\n [<6063717b>] ? wdev_chandef+0x60/0x165\n [<6003766d>] dump_stack+0x1e/0x20\n [<6005d1b7>] __warn+0x101/0x20f\n [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d\n [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec\n [<60751191>] ? __this_cpu_preempt_check+0x0/0x16\n [<600b11a2>] ? mark_held_locks+0x5a/0x6e\n [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d\n [<60052e53>] ? unblock_signals+0x3a/0xe7\n [<60052f2d>] ? um_set_signals+0x2d/0x43\n [<60751191>] ? __this_cpu_preempt_check+0x0/0x16\n [<607508b2>] ? lock_is_held_type+0x207/0x21f\n [<6063717b>] wdev_chandef+0x60/0x165\n [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f\n [<60052f00>] ? um_set_signals+0x0/0x43\n [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a\n [<6007e460>] process_scheduled_works+0x3bc/0x60e\n [<6007d0ec>] ? move_linked_works+0x4d/0x81\n [<6007d120>] ? assign_work+0x0/0xaa\n [<6007f81f>] worker_thread+0x220/0x2dc\n [<600786ef>] ? set_pf_worker+0x0/0x57\n [<60087c96>] ? to_kthread+0x0/0x43\n [<6008ab3c>] kthread+0x2d3/0x2e2\n [<6007f5ff>] ? worker_thread+0x0/0x2dc\n [<6006c05b>] ? calculate_sigpending+0x0/0x56\n [<6003b37d>] new_thread_handler+0x4a/0x64\nirq event stamp: 614611\nhardirqs last  enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf\nhardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf\nsoftirqs last  enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985\nsoftirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38643",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata->u.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38644",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Check device memory pointer before usage\n\nAdd a NULL check before accessing device memory to prevent a crash if\ndev->dm allocation in mlx5_init_once() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38645",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band\n\nWith a quite rare chance, RX report might be problematic to make SW think\na packet is received on 6 GHz band even if the chip does not support 6 GHz\nband actually. Since SW won't initialize stuff for unsupported bands, NULL\ndereference will happen then in the sequence, rtw89_vif_rx_stats_iter() ->\nrtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.\n\nThe following is a crash log for this case.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000032\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G     U             6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)\n Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024\n RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]\n Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11\n 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45\n 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85\n RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246\n RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011\n RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6\n RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4\n R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0\n PKRU: 55555554\n Call Trace:\n  <IRQ>\n  ? __die_body+0x68/0xb0\n  ? page_fault_oops+0x379/0x3e0\n  ? exc_page_fault+0x4f/0xa0\n  ? asm_exc_page_fault+0x22/0x30\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]\n  __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]\n  ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]\n  rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]\n  rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38646",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi\n\nThe following assertion is triggered on the rtw89 driver startup. It\nlooks meaningless to hold wiphy lock on the early init stage so drop the\nassertion.\n\n WARNING: CPU: 7 PID: 629 at drivers/net/wireless/realtek/rtw89/sar.c:502 rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core]\n CPU: 7 UID: 0 PID: 629 Comm: (udev-worker) Not tainted 6.15.0+ #29 PREEMPT(lazy)\n Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN50WW 09/27/2024\n RIP: 0010:rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core]\n Call Trace:\n  <TASK>\n  rtw89_sar_init+0x68/0x2c0 [rtw89_core]\n  rtw89_core_init+0x188e/0x1e50 [rtw89_core]\n  rtw89_pci_probe+0x530/0xb50 [rtw89_pci]\n  local_pci_probe+0xd9/0x190\n  pci_call_probe+0x183/0x540\n  pci_device_probe+0x171/0x2c0\n  really_probe+0x1e1/0x890\n  __driver_probe_device+0x18c/0x390\n  driver_probe_device+0x4a/0x120\n  __driver_attach+0x1a0/0x530\n  bus_for_each_dev+0x10b/0x190\n  bus_add_driver+0x2eb/0x540\n  driver_register+0x1a3/0x3a0\n  do_one_initcall+0xd5/0x450\n  do_init_module+0x2cc/0x8f0\n  init_module_from_file+0xe1/0x150\n  idempotent_init_module+0x226/0x760\n  __x64_sys_finit_module+0xcd/0x150\n  do_syscall_64+0x94/0x380\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38647",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: stm32: Check for cfg availability in stm32_spi_probe\n\nThe stm32_spi_probe function now includes a check to ensure that the\npointer returned by of_device_get_match_data is not NULL before\naccessing its members. This resolves a warning where a potential NULL\npointer dereference could occur when accessing cfg->has_device_mode.\n\nBefore accessing the 'has_device_mode' member, we verify that 'cfg' is\nnot NULL. If 'cfg' is NULL, an error message is logged.\n\nThis change ensures that the driver does not attempt to access\nconfiguration data if it is not available, thus preventing a potential\nsystem crash due to a NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38648",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop for Coresight\n\nAn infinite loop has been created by the Coresight devices. When only a\nsource device is enabled, the coresight_find_activated_sysfs_sink function\nis recursively invoked in an attempt to locate an active sink device,\nultimately leading to a stack overflow and system crash. Therefore, disable\nthe replicator1 to break the infinite loop and prevent a potential stack\noverflow.\n\nreplicator1_out   ->   funnel_swao_in6   ->   tmc_etf_swao_in   ->  tmc_etf_swao_out\n     |                                                                     |\nreplicator1_in                                                     replicator_swao_in\n     |                                                                     |\nreplicator0_out1                                                   replicator_swao_out0\n     |                                                                     |\nreplicator0_in                                                     funnel_in1_in3\n     |                                                                     |\ntmc_etf_out <- tmc_etf_in <- funnel_merg_out <- funnel_merg_in1 <- funnel_in1_out\n\n[call trace]\n   dump_backtrace+0x9c/0x128\n   show_stack+0x20/0x38\n   dump_stack_lvl+0x48/0x60\n   dump_stack+0x18/0x28\n   panic+0x340/0x3b0\n   nmi_panic+0x94/0xa0\n   panic_bad_stack+0x114/0x138\n   handle_bad_stack+0x34/0xb8\n   __bad_stack+0x78/0x80\n   coresight_find_activated_sysfs_sink+0x28/0xa0 [coresight]\n   coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]\n   coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]\n   coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]\n   coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]\n   ...\n   coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight]\n   coresight_enable_sysfs+0x80/0x2a0 [coresight]\n\nside effect after the change:\nOnly trace data originating from AOSS can reach the ETF_SWAO and EUD sinks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38649",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: remove mutex_lock check in hfsplus_free_extents\n\nSyzbot reported an issue in hfsplus filesystem:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346\n\thfsplus_free_extents+0x700/0xad0\nCall Trace:\n<TASK>\nhfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606\nhfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56\ncont_expand_zero fs/buffer.c:2383 [inline]\ncont_write_begin+0x2cf/0x860 fs/buffer.c:2446\nhfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52\ngeneric_cont_expand_simple+0x151/0x250 fs/buffer.c:2347\nhfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263\nnotify_change+0xe38/0x10f0 fs/attr.c:420\ndo_truncate+0x1fb/0x2e0 fs/open.c:65\ndo_sys_ftruncate+0x2eb/0x380 fs/open.c:193\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTo avoid deadlock, Commit 31651c607151 (\"hfsplus: avoid deadlock\non file truncation\") unlock extree before hfsplus_free_extents(),\nand add a check whether extree is locked in hfsplus_free_extents().\n\nHowever, when operations such as hfsplus_file_release,\nhfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed\nconcurrently in different files, it is very likely to trigger the\nWARN_ON, which will lead syzbot and xfstest to consider it as an\nabnormality.\n\nThe comment above this warning also describes one of the easy\ntriggering situations, which can easily trigger and cause\nxfstest&syzbot to report errors.\n\n[task A]\t\t\t[task B]\n->hfsplus_file_release\n  ->hfsplus_file_truncate\n    ->hfs_find_init\n      ->mutex_lock\n    ->mutex_unlock\n\t\t\t\t->hfsplus_write_begin\n\t\t\t\t  ->hfsplus_get_block\n\t\t\t\t    ->hfsplus_file_extend\n\t\t\t\t      ->hfsplus_ext_read_extent\n\t\t\t\t        ->hfs_find_init\n\t\t\t\t\t  ->mutex_lock\n    ->hfsplus_free_extents\n      WARN_ON(mutex_is_locked) !!!\n\nSeveral threads could try to lock the shared extents tree.\nAnd warning can be triggered in one thread when another thread\nhas locked the tree. This is the wrong behavior of the code and\nwe need to remove the warning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38650",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix warning from KUnit tests\n\nget_id_range() expects a positive value as first argument but\nget_random_u8() can return 0.  Fix this by clamping it.\n\nValidated by running the test in a for loop for 1000 times.\n\nNote that MAX() is wrong as it is only supposed to be used for\nconstants, but max() is good here.\n\n  [..]     ok 9 test_range2_rand1\n  [..]     ok 10 test_range2_rand2\n  [..]     ok 11 test_range2_rand15\n  [..] ------------[ cut here ]------------\n  [..] WARNING: CPU: 6 PID: 104 at security/landlock/id.c:99 test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1))\n  [..] Modules linked in:\n  [..] CPU: 6 UID: 0 PID: 104 Comm: kunit_try_catch Tainted: G                 N  6.16.0-rc1-dev-00001-g314a2f98b65f #1 PREEMPT(undef)\n  [..] Tainted: [N]=TEST\n  [..] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  [..] RIP: 0010:test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1))\n  [..] Code: 49 c7 c0 10 70 30 82 4c 89 ff 48 c7 c6 a0 63 1e 83 49 c7 45 a0 e0 63 1e 83 e8 3f 95 17 00 e9 1f ff ff ff 0f 0b e9 df fd ff ff <0f> 0b ba 01 00 00 00 e9 68 fe ff ff 49 89 45 a8 49 8d 4d a0 45 31\n\n  [..] RSP: 0000:ffff888104eb7c78 EFLAGS: 00010246\n  [..] RAX: 0000000000000000 RBX: 000000000870822c RCX: 0000000000000000\n            ^^^^^^^^^^^^^^^^\n  [..]\n  [..] Call Trace:\n  [..]\n  [..] ---[ end trace 0000000000000000 ]---\n  [..]     ok 12 test_range2_rand16\n  [..] # landlock_id: pass:12 fail:0 skip:0 total:12\n  [..] # Totals: pass:12 fail:0 skip:0 total:12\n  [..] ok 1 landlock_id\n\n[mic: Minor cosmetic improvements]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38651",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in devs.path\n\n- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- truncate -s $((1024*1024*1024)) \\\n  /mnt/f2fs/012345678901234567890123456789012345678901234567890123\n- touch /mnt/f2fs/file\n- truncate -s $((1024*1024*1024)) /mnt/f2fs/file\n- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  -c /mnt/f2fs/file\n- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \\\n  /mnt/f2fs/loop\n\n[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\\xff\\x01,      511,        0 -    3ffff\n[16937.192268] F2FS-fs (loop0): Failed to find devices\n\nIf the device path length equals MAX_PATH_LEN, sbi->devs.path[] may\nnot end up w/ a null character because the path array is fully filled. So,\naccidentally, fields located after path[] may be treated as part of the\ndevice path, resulting in parsing the wrong device path.\n\nstruct f2fs_dev_info {\n...\n\tchar path[MAX_PATH_LEN];\n...\n};\n\nLet's add one byte space for sbi->devs.path[] to store the null\ncharacter of the device path string.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38652",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al\n\nChecking pde->proc_ops->proc_lseek directly may cause a UAF in the rmmod scenario.\nIt's a gap in proc_reg_open() after commit 654b33ada4ab(\"proc: fix UAF in\nproc_get_inode()\").  Following Al Viro's suggestion, fix it in the same\nmanner.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38653",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: canaan: k230: Fix order of DT parse and pinctrl register\n\nMove DT parse before pinctrl register. This ensures that device tree\nparsing is done before calling devm_pinctrl_register() to prevent using\nuninitialized pin resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38654",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: canaan: k230: add NULL check in DT parse\n\nAdd a NULL check for the return value of of_get_property() when\nretrieving the \"pinmux\" property in the group parser. This avoids\na potential NULL pointer dereference if the property is missing\nfrom the device tree node.\n\nAlso fix a typo (\"sintenel\") in the device ID match table comment,\ncorrecting it to \"sentinel\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38655",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()\n\nPreserve the error code if iwl_setup_deferred_work() fails.  The current\ncode returns ERR_PTR(0) (which is NULL) on this path.  I believe the\nmissing error code potentially leads to a use after free involving\ndebugfs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38656"
        },
        {
          "id": "CVE-2025-38657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch()\n\nThe \"link_id\" value comes from the user via debugfs.  If it's larger\nthan BITS_PER_LONG then that would result in shift wrapping and\npotentially an out of bounds access later.  In fact, we can limit it\nto IEEE80211_MLD_MAX_NUM_LINKS (15).\n\nFortunately, only root can write to debugfs files so the security\nimpact is minimal.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38657",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails\n\nHave nvmet_req_init() and req->execute() complete failed commands.\n\nDescription of the problem:\nnvmet_req_init() calls __nvmet_req_complete() internally upon failure,\ne.g., unsupported opcode, which calls the \"queue_response\" callback.\nThis results in nvmet_pci_epf_queue_response() being called, which will\ncall nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is\ndifferent from DMA_TO_DEVICE. This results in a double completion as\nnvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod()\nwhen nvmet_req_init() fails.\n\nSteps to reproduce:\nOn the host, send a command with an unsupported opcode with nvme-cli.\nFor example, the admin command \"security receive\":\n$ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096\n\nThis triggers a double completion as nvmet_req_init() fails and\nnvmet_pci_epf_queue_response() is called; here iod->dma_dir is still\nin the default state of \"DMA_NONE\" as set by default in\nnvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called.\nBecause nvmet_req_init() failed, nvmet_pci_epf_complete_iod() is also\ncalled in nvmet_pci_epf_exec_iod_work(), leading to a double completion.\nThis not only sends two completions to the host but also corrupts the\nstate of the PCI NVMe target, leading to a kernel oops.\n\nThis patch lets nvmet_req_init() and req->execute() complete all failed\ncommands, and removes the double completion case in\nnvmet_pci_epf_exec_iod_work(), therefore fixing the edge cases where\ndouble completions occurred.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38658",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: No more self recovery\n\nWhen a node withdraws and it turns out that it is the only node that has\nthe filesystem mounted, gfs2 currently tries to replay the local journal\nto bring the filesystem back into a consistent state.  Not only is that\na very bad idea, it has also never worked because gfs2_recover_func()\nwill refuse to do anything during a withdraw.\n\nHowever, before even getting to this point, gfs2_recover_func()\ndereferences sdp->sd_jdesc->jd_inode.  This was a use-after-free before\ncommit 04133b607a78 (\"gfs2: Prevent double iput for journal on error\")\nand is a NULL pointer dereference since then.\n\nSimply get rid of self recovery to fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38659",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n[ceph] parse_longname(): strrchr() expects NUL-terminated string\n\n... and parse_longname() is not guaranteed that.  That's the reason\nwhy it uses kmemdup_nul() to build the argument for kstrtou64();\nthe problem is, kstrtou64() is not the only thing that needs it.\n\nJust get a NUL-terminated copy of the entire thing and be done\nwith that...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38660",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array\n\nAdd missing empty member to `awcc_dmi_table`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38661",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv\n\nGiven mt8365_dai_set_priv allocates priv_size space to copy priv_data which\nmeans we should pass mt8365_i2s_priv[i] or \"struct mtk_afe_i2s_priv\"\ninstead of afe_priv which has the size of \"struct mt8365_afe_private\".\n\nOtherwise KASAN complains about it.\n\n[   59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]\n...\n[   59.394789] Call trace:\n[   59.395167]  dump_backtrace+0xa0/0x128\n[   59.395733]  show_stack+0x20/0x38\n[   59.396238]  dump_stack_lvl+0xe8/0x148\n[   59.396806]  print_report+0x37c/0x5e0\n[   59.397358]  kasan_report+0xac/0xf8\n[   59.397885]  kasan_check_range+0xe8/0x190\n[   59.398485]  asan_memcpy+0x3c/0x98\n[   59.399022]  mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]\n[   59.399928]  mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm]\n[   59.400893]  mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm]\n[   59.401873]  platform_probe+0xcc/0x228\n[   59.402442]  really_probe+0x340/0x9e8\n[   59.402992]  driver_probe_device+0x16c/0x3f8\n[   59.403638]  driver_probe_device+0x64/0x1d8\n[   59.404256]  driver_attach+0x1dc/0x4c8\n[   59.404840]  bus_for_each_dev+0x100/0x190\n[   59.405442]  driver_attach+0x44/0x68\n[   59.405980]  bus_add_driver+0x23c/0x500\n[   59.406550]  driver_register+0xf8/0x3d0\n[   59.407122]  platform_driver_register+0x68/0x98\n[   59.407810]  mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38662",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: reject invalid file types when reading inodes\n\nTo prevent inodes with invalid file types from tripping through the vfs\nand causing malfunctions or assertion failures, add a missing sanity check\nwhen reading an inode from a block device.  If the file type is not valid,\ntreat it as a filesystem error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38663",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix a null pointer dereference in ice_copy_and_init_pkg()\n\nAdd check for the return value of devm_kmemdup()\nto prevent potential null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38664",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode\n\nAndrei Lalaev reported a NULL pointer deref when a CAN device is\nrestarted from Bus Off and the driver does not implement the struct\ncan_priv::do_set_mode callback.\n\nThere are 2 code paths that call struct can_priv::do_set_mode:\n- directly by a manual restart from the user space, via\n  can_changelink()\n- delayed automatic restart after bus off (deactivated by default)\n\nTo prevent the NULL pointer dereference, refuse a manual restart or\nconfigure the automatic restart delay in can_changelink() and report\nthe error via extack to user space.\n\nAs an additional safety measure let can_restart() return an error if\ncan_priv::do_set_mode is not set instead of dereferencing it\nunchecked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38665",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy probe\n\nThe AARP proxy\u2010probe routine (aarp_proxy_probe_network) sends a probe,\nreleases the aarp_lock, sleeps, then re-acquires the lock.  During that\nwindow an expire timer thread (__aarp_expire_timer) can remove and\nkfree() the same entry, leading to a use-after-free.\n\nrace condition:\n\n         cpu 0                          |            cpu 1\n    atalk_sendmsg()                     |   atif_proxy_probe_device()\n    aarp_send_ddp()                     |   aarp_proxy_probe_network()\n    mod_timer()                         |   lock(aarp_lock) // LOCK!!\n    timeout around 200ms                |   alloc(aarp_entry)\n    and then call                       |   proxies[hash] = aarp_entry\n    aarp_expire_timeout()               |   aarp_send_probe()\n                                        |   unlock(aarp_lock) // UNLOCK!!\n    lock(aarp_lock) // LOCK!!           |   msleep(100);\n    __aarp_expire_timer(&proxies[ct])   |\n    free(aarp_entry)                    |\n    unlock(aarp_lock) // UNLOCK!!       |\n                                        |   lock(aarp_lock) // LOCK!!\n                                        |   UAF aarp_entry !!\n\n==================================================================\nBUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\nRead of size 4 at addr ffff8880123aa360 by task repro/13278\n\nCPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc1/0x630 mm/kasan/report.c:521\n kasan_report+0xca/0x100 mm/kasan/report.c:634\n aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n sock_do_ioctl+0xdc/0x260 net/socket.c:1190\n sock_ioctl+0x239/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAllocated:\n aarp_alloc net/appletalk/aarp.c:382 [inline]\n aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n\nFreed:\n kfree+0x148/0x4d0 mm/slub.c:4841\n __aarp_expire net/appletalk/aarp.c:90 [inline]\n __aarp_expire_timer net/appletalk/aarp.c:261 [inline]\n aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317\n\nThe buggy address belongs to the object at ffff8880123aa300\n which belongs to the cache kmalloc-192 of size 192\nThe buggy address is located 96 bytes inside of\n freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)\n\nMemory state around the buggy address:\n ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                       ^\n ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38666",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: fix potential out-of-bound write\n\nThe buffer is set to 20 characters. If a caller writes more characters,\ncount is truncated to the max available space in \"simple_write_to_buffer\".\nTo protect from OoB access, check that the input size fits into the buffer and\nadd a zero terminator after copy to the end of the copied data.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38667",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix NULL dereference on unbind due to stale coupling data\n\nFailing to reset coupling_desc.n_coupled after freeing coupled_rdevs can\nlead to NULL pointer dereference when regulators are accessed post-unbind.\n\nThis can happen during runtime PM or other regulator operations that rely\non coupling metadata.\n\nFor example, on ridesx4, unbinding the 'reg-dummy' platform device triggers\na panic in regulator_lock_recursive() due to stale coupling state.\n\nEnsure n_coupled is set to 0 to prevent access to invalid pointers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38668",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/gem-shmem: Use dma_buf from GEM object instance\"\n\nThis reverts commit 1a148af06000e545e714fe3210af3d77ff903c11.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance's lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don't work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach->dmabuf.\n\nv3:\n- cc stable",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38669",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()\n\n`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change\nto different stacks along with the Shadow Call Stack if it is enabled.\nThose two stack changes cannot be done atomically and both functions\ncan be interrupted by SErrors or Debug Exceptions which, though unlikely,\nis very much broken: if interrupted, we can end up with mismatched stacks\nand Shadow Call Stack leading to clobbered stacks.\n\nIn `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,\nbut x18 still points to the old task's SCS. When the interrupt handler\ntries to save the task's SCS pointer, it will save the old task\nSCS pointer (x18) into the new task struct (pointed to by SP_EL0),\nclobbering it.\n\nIn `call_on_irq_stack()`, it can happen when switching from the task stack\nto the IRQ stack and when switching back. In both cases, we can be\ninterrupted when the SCS pointer points to the IRQ SCS, but SP points to\nthe task stack. The nested interrupt handler pushes its return addresses\non the IRQ SCS. It then detects that SP points to the task stack,\ncalls `call_on_irq_stack()` and clobbers the task SCS pointer with\nthe IRQ SCS pointer, which it will also use!\n\nThis leads to tasks returning to addresses on the wrong SCS,\nor even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK\nor FPAC if enabled.\n\nThis is possible on a default config, but unlikely.\nHowever, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and\ninstead the GIC is responsible for filtering what interrupts the CPU\nshould receive based on priority.\nGiven the goal of emulating NMIs, pseudo-NMIs can be received by the CPU\neven in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*\nfrequently depending on the system configuration and workload, leading\nto unpredictable kernel panics.\n\nCompletely mask DAIF in `cpu_switch_to()` and restore it when returning.\nDo the same in `call_on_irq_stack()`, but restore and mask around\nthe branch.\nMask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency\nof behaviour between all configurations.\n\nIntroduce and use an assembly macro for saving and masking DAIF,\nas the existing one saves but only masks IF.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38670",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qup: jump out of the loop in case of timeout\n\nOriginal logic only sets the return value but doesn't jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. This is observed during a long time test with a\nPCA953x GPIO extender.\n\nFix it by changing the logic to not only set the return value, but also\njump out of the loop and return to the caller with -ETIMEDOUT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38671",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/gem-dma: Use dma_buf from GEM object instance\"\n\nThis reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance's lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don't work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach->dmabuf.\n\nv3:\n- cc stable",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38672",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/gem-framebuffer: Use dma_buf from GEM object instance\"\n\nThis reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance's lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don't work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach->dmabuf.\n\nv3:\n- cc stable",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/prime: Use dma_buf from GEM object instance\"\n\nThis reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance's lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don't work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach->dmabuf.\n\nv3:\n- cc stable",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: state: initialize state_ptrs earlier in xfrm_state_find\n\nIn case of preemption, xfrm_state_look_at will find a different\npcpu_id and look up states for that other CPU. If we matched a state\nfor CPU2 in the state_cache while the lookup started on CPU1, we will\njump to \"found\", but the \"best\" state that we got will be ignored and\nwe will enter the \"acquire\" block. This block uses state_ptrs, which\nisn't initialized at this point.\n\nLet's initialize state_ptrs just after taking rcu_read_lock. This will\nalso prevent a possible misuse in the future, if someone adjusts this\nfunction.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-38676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Avoid stack buffer overflow from kernel cmdline\n\nWhile the kernel command line is considered trusted in most environments,\navoid writing 1 byte past the end of \"acpiid\" if the \"str\" argument is\nmaximum length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in dnode page\n\nAs Jiaming Zhang reported:\n\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x17e/0x800 mm/kasan/report.c:480\n kasan_report+0x147/0x180 mm/kasan/report.c:593\n data_blkaddr fs/f2fs/f2fs.h:3053 [inline]\n f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]\n f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855\n f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195\n prepare_write_begin fs/f2fs/data.c:3395 [inline]\n f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594\n generic_perform_write+0x2c7/0x910 mm/filemap.c:4112\n f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]\n f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x546/0xa90 fs/read_write.c:686\n ksys_write+0x149/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is in the corrupted image, there is a dnode that has the same\nnode id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to\naccess block address in dnode at offset 934, however it parses the dnode\nas inode node, so that get_dnode_addr() returns 360, then it tries to\naccess page address from 360 + 934 * 4 = 4096 w/ 4 bytes.\n\nTo fix this issue, let's add sanity check for node id of all direct nodes\nduring f2fs_get_dnode_of_data().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S                  6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Fix OOB read due to missing payload bound check\n\nCurrently, the event_seq_changed() handler processes a variable number\nof properties sent by the firmware. The number of properties is indicated\nby the firmware and used to iterate over the payload. However, the\npayload size is not being validated against the actual message length.\n\nThis can lead to out-of-bounds memory access if the firmware provides a\nproperty count that exceeds the data available in the payload. Such a\ncondition can result in kernel crashes or potential information leaks if\nmemory beyond the buffer is accessed.\n\nFix this by properly validating the remaining size of the payload before\neach property access and updating bounds accordingly as properties are\nparsed.\n\nThis ensures that property parsing is safely bounded within the received\nmessage buffer and protects against malformed or malicious firmware\nbehavior.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\n\nThe buffer length check before calling uvc_parse_format() only ensured\nthat the buffer has at least 3 bytes (buflen > 2), but the function\naccesses buffer[3], requiring at least 4 bytes.\n\nThis can lead to an out-of-bounds read if the buffer has exactly 3 bytes.\n\nFix it by checking that the buffer has at least 4 bytes in\nuvc_parse_format().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required.  The ptdump code can race with concurrent modifications of\nthe kernel page tables.  When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose.  In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx().  Instead of solving this race\ncondition again, let's just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Fix double-free of fwnode in i2c_unregister_device()\n\nBefore commit df6d7277e552 (\"i2c: core: Do not dereference fwnode in struct\ndevice\"), i2c_unregister_device() only called fwnode_handle_put() on\nof_node-s in the form of calling of_node_put(client->dev.of_node).\n\nBut after this commit the i2c_client's fwnode now unconditionally gets\nfwnode_handle_put() on it.\n\nWhen the i2c_client has no primary (ACPI / OF) fwnode but it does have\na software fwnode, the software-node will be the primary node and\nfwnode_handle_put() will put() it.\n\nBut for the software fwnode device_remove_software_node() will also put()\nit leading to a double free:\n\n[   82.665598] ------------[ cut here ]------------\n[   82.665609] refcount_t: underflow; use-after-free.\n[   82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11\n...\n[   82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110\n...\n[   82.666962]  <TASK>\n[   82.666971]  i2c_unregister_device+0x60/0x90\n\nFix this by not calling fwnode_handle_put() when the primary fwnode is\na software-node.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix panic during namespace deletion with VF\n\nThe existing code move the VF NIC to new namespace when NETDEV_REGISTER is\nreceived on netvsc NIC. During deletion of the namespace,\ndefault_device_exit_batch() >> default_device_exit_net() is called. When\nnetvsc NIC is moved back and registered to the default namespace, it\nautomatically brings VF NIC back to the default namespace. This will cause\nthe default_device_exit_net() >> for_each_netdev_safe loop unable to detect\nthe list end, and hit NULL ptr:\n\n[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0\n[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  231.450246] #PF: supervisor read access in kernel mode\n[  231.450579] #PF: error_code(0x0000) - not-present page\n[  231.450916] PGD 17b8a8067 P4D 0\n[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI\n[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY\n[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024\n[  231.452692] Workqueue: netns cleanup_net\n[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0\n[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00\n[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246\n[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb\n[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564\n[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000\n[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340\n[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: 
ff1fa9f7103e6340\n[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000\n[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0\n[  231.458434] Call Trace:\n[  231.458600]  <TASK>\n[  231.458777]  ops_undo_list+0x100/0x220\n[  231.459015]  cleanup_net+0x1b8/0x300\n[  231.459285]  process_one_work+0x184/0x340\n\nTo fix it, move the ns change to a workqueue, and take rtnl_lock to avoid\nchanging the netdev list when default_device_exit_net() is using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: use old 'nbands' while purging unused classes\n\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\nwe purge unused DWRR queues; the value of 'q->nbands' is the new one, and\nthe cleanup should be done with the old one. The problem is here since my\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\nrecent qdisc len accounting fixes. Fix it purging idle DWRR queues before\nassigning a new value of 'q->nbands', so that all purge operations find a\nconsistent configuration:\n\n - old 'q->nbands' because it's needed by ets_class_find()\n - old 'q->nstrict' because it's needed by ets_class_is_strict()\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\n Hardware name: Dell Inc. 
PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\n RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\n Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\n RSP: 0018:ffffba186009f400 EFLAGS: 00010202\n RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\n RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\n R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\n R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\n FS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ets_class_qlen_notify+0x65/0x90 [sch_ets]\n  qdisc_tree_reduce_backlog+0x74/0x110\n  ets_qdisc_change+0x630/0xa40 [sch_ets]\n  __tc_modify_qdisc.constprop.0+0x216/0x7f0\n  tc_modify_qdisc+0x7c/0x120\n  rtnetlink_rcv_msg+0x145/0x3f0\n  netlink_rcv_skb+0x53/0x100\n  netlink_unicast+0x245/0x390\n  netlink_sendmsg+0x21b/0x470\n  ____sys_sendmsg+0x39d/0x3d0\n  ___sys_sendmsg+0x9a/0xe0\n  __sys_sendmsg+0x7a/0xd0\n  do_syscall_64+0x7d/0x160\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f2155114084\n Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\n RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\n RBP: 
00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\n R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\n R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\n  </TASK>\n\n [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\n [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix vmalloc out-of-bounds write in fast_imageblit\n\nThis issue triggers when a userspace program does an ioctl\nFBIOPUT_CON2FBMAP by passing console number and frame buffer number.\nIdeally this maps console to frame buffer and updates the screen if\nconsole is visible.\n\nAs part of mapping it has to do resize of console according to frame\nbuffer info. if this resize fails and returns from vc_do_resize() and\ncontinues further. At this point console and new frame buffer are mapped\nand sets display vars. Despite failure still it continue to proceed\nupdating the screen at later stages where vc_data is related to previous\nframe buffer and frame buffer info and display vars are mapped to new\nframe buffer and eventully leading to out-of-bounds write in\nfast_imageblit(). This bheviour is excepted only when fg_console is\nequal to requested console which is a visible console and updates screen\nwith invalid struct references in fbcon_putcs().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry\n\nWhen UFFDIO_MOVE encounters a migration PMD entry, it proceeds with\nobtaining a folio and accessing it even though the entry is swp_entry_t. \nAdd the missing check and let split_huge_pmd() handle migration entries. \nWhile at it also remove unnecessary folio check.\n\n[surenb@google.com: remove extra folio check, per David]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix race between polling and detaching\n\nsyzbot reports a use-after-free in comedi in the below link, which is\ndue to comedi gladly removing the allocated async area even though poll\nrequests are still active on the wait_queue_head inside of it. This can\ncause a use-after-free when the poll entries are later triggered or\nremoved, as the memory for the wait_queue_head has been freed.  We need\nto check there are no tasks queued on any of the subdevices' wait queues\nbefore allowing the device to be detached by the `COMEDI_DEVCONFIG`\nioctl.\n\nTasks will read-lock `dev->attach_lock` before adding themselves to the\nsubdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl\nhandler by write-locking `dev->attach_lock` before checking that all of\nthe subdevices are safe to be deleted.  This includes testing for any\nsleepers on the subdevices' wait queues.  It remains locked until the\ndevice has been detached.  This requires the `comedi_device_detach()`\nfunction to be refactored slightly, moving the bulk of it into new\nfunction `comedi_device_detach_locked()`.\n\nNote that the refactor of `comedi_device_detach()` results in\n`comedi_device_cancel_all()` now being called while `dev->attach_lock`\nis write-locked, which wasn't the case previously, but that does not\nmatter.\n\nThanks to Jens Axboe for diagnosing the problem and co-developing this\npatch.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Prevent ALIGN() overflow\n\nWhen allocating IOVA the candidate range gets aligned to the target\nalignment. If the range is close to ULONG_MAX then the ALIGN() can\nwrap resulting in a corrupted iova.\n\nOpen code the ALIGN() using get_add_overflow() to prevent this.\nThis simplifies the checks as we don't need to check for length earlier\neither.\n\nConsolidate the two copies of this code under a single helper.\n\nThis bug would allow userspace to create a mapping that overlaps with some\nother mapping or a reserved range.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix NULL dereference in avx512_status()\n\nProblem\n-------\nWith CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status\ncauses a warning and a NULL pointer dereference.\n\nThis is because the AVX-512 timestamp code uses x86_task_fpu() but\ndoesn't check it for NULL. CONFIG_X86_DEBUG_FPU addles that function\nfor kernel threads (PF_KTHREAD specifically), making it return NULL.\n\nThe point of the warning was to ensure that kernel threads only access\ntask->fpu after going through kernel_fpu_begin()/_end(). Note: all\nkernel tasks exposed in /proc have a valid task->fpu.\n\nSolution\n--------\nOne option is to silence the warning and check for NULL from\nx86_task_fpu(). However, that warning is fairly fresh and seems like a\ndefense against misuse of the FPU state in kernel threads.\n\nInstead, stop outputting AVX-512_elapsed_ms for kernel threads\naltogether. The data was garbage anyway because avx512_timestamp is\nonly updated for user threads, not kernel threads.\n\nIf anyone ever wants to track kernel thread AVX-512 use, they can come\nback later and do it properly, separate from this bug fix.\n\n[ dhansen: mostly rewrite changelog ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/migrate: prevent infinite recursion\n\nIf the buf + offset is not aligned to XE_CAHELINE_BYTES we fallback to\nusing a bounce buffer. However the bounce buffer here is allocated on\nthe stack, and the only alignment requirement here is that it's\nnaturally aligned to u8, and not XE_CACHELINE_BYTES. If the bounce\nbuffer is also misaligned we then recurse back into the function again,\nhowever the new bounce buffer might also not be aligned, and might never\nbe until we eventually blow through the stack, as we keep recursing.\n\nInstead of using the stack use kmalloc, which should respect the\npower-of-two alignment request here. Fixes a kernel panic when\ntriggering this path through eudebug.\n\nv2 (Stuart):\n - Add build bug check for power-of-two restriction\n - s/EINVAL/ENOMEM/\n\n(cherry picked from commit 38b34e928a08ba594c4bbf7118aa3aadacd62fff)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix uninited ptr deref in block/scsi layout\n\nThe error occurs on the third attempt to encode extents. When function\next_tree_prepare_commit() reallocates a larger buffer to retry encoding\nextents, the \"layoutupdate_pages\" page array is initialized only after the\nretry loop. But ext_tree_free_commitdata() is called on every iteration\nand tries to put pages in the array, thus dereferencing uninitialized\npointers.\n\nAn additional problem is that there is no limit on the maximum possible\nbuffer_size. When there are too many extents, the client may create a\nlayoutcommit that is larger than the maximum possible RPC size accepted\nby the server.\n\nDuring testing, we observed two typical scenarios. First, one memory page\nfor extents is enough when we work with small files, append data to the\nend of the file, or preallocate extents before writing. But when we fill\na new large file without preallocating, the number of extents can be huge,\nand counting the number of written extents in ext_tree_encode_commit()\ndoes not help much. Since this number increases even more between\nunlocking and locking of ext_tree, the reallocated buffer may not be\nlarge enough again and again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: add cluster chain loop check for dir\n\nAn infinite loop may occur if the following conditions occur due to\nfile system corruption.\n\n(1) Condition for exfat_count_dir_entries() to loop infinitely.\n    - The cluster chain includes a loop.\n    - There is no UNUSED entry in the cluster chain.\n\n(2) Condition for exfat_create_upcase_table() to loop infinitely.\n    - The cluster chain of the root directory includes a loop.\n    - There are no UNUSED entry and up-case table entry in the cluster\n      chain of the root directory.\n\n(3) Condition for exfat_load_bitmap() to loop infinitely.\n    - The cluster chain of the root directory includes a loop.\n    - There are no UNUSED entry and bitmap entry in the cluster chain\n      of the root directory.\n\n(4) Condition for exfat_find_dir_entry() to loop infinitely.\n    - The cluster chain includes a loop.\n    - The unused directory entries were exhausted by some operation.\n\n(5) Condition for exfat_check_dir_empty() to loop infinitely.\n    - The cluster chain includes a loop.\n    - The unused directory entries were exhausted by some operation.\n    - All files and sub-directories under the directory are deleted.\n\nThis commit adds checks to break the above infinite loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar\n\nIn w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash.\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\n\nIn dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and\nmsg[0].len is zero, former checks on msg[0].buf would be passed. If accessing\nmsg[0].buf[2] without sanity check, null pointer deref would happen. We add\ncheck on msg[0].len to prevent crash. Similar issue occurs when access\nmsg[1].buf[0] and msg[1].buf[1].\n\nSimilar commit: commit 0ed554fd769a (\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure\n\nIf a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the\nresultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may\noccur before sli4_hba.hdwqs are allocated.  This may result in a null\npointer dereference when attempting to take the abts_io_buf_list_lock for\nthe first hardware queue.  Fix by adding a null ptr check on\nphba->sli4_hba.hdwq and early return because this situation means there\nmust have been an error during port initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Don't crash in stack_top() for tasks without ABI or vDSO\n\nNot all tasks have an ABI associated or vDSO mapped,\nfor example kthreads never do.\nIf such a task ever ends up calling stack_top(), it will derefence the\nNULL ABI pointer and crash.\n\nThis can for example happen when using kunit:\n\n    mips_stack_top+0x28/0xc0\n    arch_pick_mmap_layout+0x190/0x220\n    kunit_vm_mmap_init+0xf8/0x138\n    __kunit_add_resource+0x40/0xa8\n    kunit_vm_mmap+0x88/0xd8\n    usercopy_test_init+0xb8/0x240\n    kunit_try_run_case+0x5c/0x1a8\n    kunit_generic_run_threadfn_adapter+0x28/0x50\n    kthread+0x118/0x240\n    ret_from_kernel_thread+0x14/0x1c\n\nOnly dereference the ABI point if it is set.\n\nThe GIC page is also included as it is specific to the vDSO.\nAlso move the randomization adjustment into the same conditional.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: upper bound check of tree index in dbAllocAG\n\nWhen computing the tree index in dbAllocAG, we never check if we are\nout of bounds realative to the size of the stree.\nThis could happen in a scenario where the filesystem metadata are\ncorrupted.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Regular file corruption check\n\nThe reproducer builds a corrupted file on disk with a negative i_size value.\nAdd a check when opening this file to avoid subsequent operation failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Double-free fix\n\nWhen the bfad_im_probe() function fails during initialization, the memory\npointed to by bfad->im is freed without setting bfad->im to NULL.\n\nSubsequently, during driver uninstallation, when the state machine enters\nthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,\nit attempts to free the memory pointed to by bfad->im again, thereby\ntriggering a double-free vulnerability.\n\nSet bfad->im to NULL if probing fails.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated\n\nIn case of an ib_fast_reg_mr allocation failure during iSER setup, the\nmachine hits a panic because iscsi_conn->dd_data is initialized\nunconditionally, even when no memory is allocated (dd_size == 0).  This\nleads invalid pointer dereference during connection teardown.\n\nFix by setting iscsi_conn->dd_data only if memory is actually allocated.\n\nPanic trace:\n------------\n iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12\n iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers\n BUG: unable to handle page fault for address: fffffffffffffff8\n RIP: 0010:swake_up_locked.part.5+0xa/0x40\n Call Trace:\n  complete+0x31/0x40\n  iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]\n  iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]\n  iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]\n  iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]\n  ? netlink_lookup+0x12f/0x1b0\n  ? netlink_deliver_tap+0x2c/0x200\n  netlink_unicast+0x1ab/0x280\n  netlink_sendmsg+0x257/0x4f0\n  ? _copy_from_user+0x29/0x60\n  sock_sendmsg+0x5f/0x70",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: do not BUG when INLINE_DATA_FL lacks system.data xattr\n\nA syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()\nwhen an inode had the INLINE_DATA_FL flag set but was missing the\nsystem.data extended attribute.\n\nSince this can happen due to a maiciouly fuzzed file system, we\nshouldn't BUG, but rather, report it as a corrupted file system.\n\nAdd similar replacements of BUG_ON with EXT4_ERROR_INODE() ii\next4_create_inline_data() and ext4_inline_data_truncate().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: fix potential buffer overflow in do_register_framebuffer()\n\nThe current implementation may lead to buffer overflow when:\n1.  Unregistration creates NULL gaps in registered_fb[]\n2.  All array slots become occupied despite num_registered_fb < FB_MAX\n3.  The registration loop exceeds array bounds\n\nAdd boundary check to prevent registered_fb[FB_MAX] access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Make dma-fences compliant with the safe access rules\n\nXe can free some of the data pointed to by the dma-fences it exports. Most\nnotably the timeline name can get freed if userspace closes the associated\nsubmit queue. At the same time the fence could have been exported to a\nthird party (for example a sync_fence fd) which will then cause an use-\nafter-free on subsequent access.\n\nTo make this safe we need to make the driver compliant with the newly\ndocumented dma-fence rules. Driver has to ensure a RCU grace period\nbetween signalling a fence and freeing any data pointed to by said fence.\n\nFor the timeline name we simply make the queue be freed via kfree_rcu and\nfor the shared lock associated with multiple queues we add a RCU grace\nperiod before freeing the per GT structure holding the lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access\n\nIn the preparation stage of CPU online, if the corresponding\nthe rdp's->nocb_cb_kthread does not exist, will be created,\nthere is a situation where the rdp's rcuop kthreads creation fails,\nand then de-offload this CPU's rdp, does not assign this CPU's\nrdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and\nrdp's->rdp_gp->nocb_gp_kthread is still valid.\n\nThis will cause the subsequent re-offload operation of this offline\nCPU, which will pass the conditional check and the kthread_unpark()\nwill access invalid rdp's->nocb_cb_kthread pointer.\n\nThis commit therefore use rdp's->nocb_gp_kthread instead of\nrdp_gp's->nocb_gp_kthread for safety check.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix null pointer access\n\nWriting a string without delimiters (' ', '\\n', '\\0') to the under\ngpu_od/fan_ctrl sysfs or pp_power_profile_mode for the CUSTOM profile\nwill result in a null pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()\n\nsnd_soc_remove_pcm_runtime() might be called with rtd == NULL which will\nleads to null pointer dereference.\nThis was reproduced with topology loading and marking a link as ignore\ndue to missing hardware component on the system.\nOn module removal the soc_tplg_remove_link() would call\nsnd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,\nno runtime was created.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add sanity check for file name\n\nThe length of the file name should be smaller than the directory entry size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: add missing kref_get in handle_write_conflicts\n\nWith `two-primaries` enabled, DRBD tries to detect \"concurrent\" writes\nand handle write conflicts, so that even if you write to the same sector\nsimultaneously on both nodes, they end up with the identical data once\nthe writes are completed.\n\nIn handling \"superseeded\" writes, we forgot a kref_get,\nresulting in a premature drbd_destroy_device and use after free,\nand further to kernel crashes with symptoms.\n\nRelevance: No one should use DRBD as a random data generator, and apparently\nall users of \"two-primaries\" handle concurrent writes correctly on layer up.\nThat is cluster file systems use some distributed lock manager,\nand live migration in virtualization environments stops writes on one node\nbefore starting writes on the other node.\n\nWhich means that other than for \"test cases\",\nthis code path is never taken in real life.\n\nFYI, in DRBD 9, things are handled differently nowadays.  We still detect\n\"write conflicts\", but no longer try to be smart about them.\nWe decided to disconnect hard instead: upper layers must not submit concurrent\nwrites. If they do, that's their fault.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: Avoid updating block size under exclusive owner\n\nSyzbot came up with a reproducer where a loop device block size is\nchanged underneath a mounted filesystem. This causes a mismatch between\nthe block device block size and the block size stored in the superblock\ncausing confusion in various places such as fs/buffer.c. The particular\nissue triggered by syzbot was a warning in __getblk_slow() due to\nrequested buffer size not matching block device block size.\n\nFix the problem by getting exclusive hold of the loop device to change\nits block size. This fails if somebody (such as filesystem) has already\nan exclusive ownership of the block device and thus prevents modifying\nthe loop device under some exclusive owner which doesn't expect it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Validate i_depth for exhash directories\n\nA fuzzer test introduced corruption that ends up with a depth of 0 in\ndir_e_read(), causing an undefined shift by 32 at:\n\n  index = hash >> (32 - dip->i_depth);\n\nAs calculated in an open-coded way in dir_make_exhash(), the minimum\ndepth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is\ninvalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.\n\nSo we can avoid the undefined behaviour by checking for depth values\nlower than the minimum in gfs2_dinode_in(). Values greater than the\nmaximum are already being checked for there.\n\nAlso switch the calculation in dir_make_exhash() to use ilog2() to\nclarify how the depth is calculated.\n\nTested with the syzkaller repro.c and xfstests '-g quick'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: avoid deadlock when linking with ReplaceIfExists\n\nIf smb2_create_link() is called with ReplaceIfExists set and the name\ndoes exist then a deadlock will happen.\n\nksmbd_vfs_kern_path_locked() will return with success and the parent\ndirectory will be locked.  ksmbd_vfs_remove_file() will then remove the\nfile.  ksmbd_vfs_link() will then be called while the parent is still\nlocked.  It will try to lock the same parent and will deadlock.\n\nThis patch moves the ksmbd_vfs_kern_path_unlock() call to *before*\nksmbd_vfs_link() and then simplifies the code, removing the file_present\nflag variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()\n\nWhen the volume header contains erroneous values that do not reflect\nthe actual state of the filesystem, hfsplus_fill_super() assumes that\nthe attributes file is not yet created, which later results in hitting\nBUG_ON() when hfsplus_create_attributes_file() is called. Replace this\nBUG_ON() with -EIO error with a message to suggest running fsck tool.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nThe hfsplus_readdir() method is capable to crash by calling\nhfsplus_uni2asc():\n\n[  667.121659][ T9805] ==================================================================\n[  667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10\n[  667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805\n[  667.124578][ T9805]\n[  667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)\n[  667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  667.124890][ T9805] Call Trace:\n[  667.124893][ T9805]  <TASK>\n[  667.124896][ T9805]  dump_stack_lvl+0x10e/0x1f0\n[  667.124911][ T9805]  print_report+0xd0/0x660\n[  667.124920][ T9805]  ? __virt_addr_valid+0x81/0x610\n[  667.124928][ T9805]  ? __phys_addr+0xe8/0x180\n[  667.124934][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124942][ T9805]  kasan_report+0xc6/0x100\n[  667.124950][ T9805]  ? hfsplus_uni2asc+0x902/0xa10\n[  667.124959][ T9805]  hfsplus_uni2asc+0x902/0xa10\n[  667.124966][ T9805]  ? hfsplus_bnode_read+0x14b/0x360\n[  667.124974][ T9805]  hfsplus_readdir+0x845/0xfc0\n[  667.124984][ T9805]  ? __pfx_hfsplus_readdir+0x10/0x10\n[  667.124994][ T9805]  ? stack_trace_save+0x8e/0xc0\n[  667.125008][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125015][ T9805]  ? trace_lock_acquire+0x85/0xd0\n[  667.125022][ T9805]  ? lock_acquire+0x30/0x80\n[  667.125029][ T9805]  ? iterate_dir+0x18b/0xb20\n[  667.125037][ T9805]  ? down_read_killable+0x1ed/0x4c0\n[  667.125044][ T9805]  ? putname+0x154/0x1a0\n[  667.125051][ T9805]  ? __pfx_down_read_killable+0x10/0x10\n[  667.125058][ T9805]  ? apparmor_file_permission+0x239/0x3e0\n[  667.125069][ T9805]  iterate_dir+0x296/0xb20\n[  667.125076][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.125084][ T9805]  ? __pfx___x64_sys_getdents64+0x10/0x10\n[  667.125091][ T9805]  ? __x64_sys_openat+0x141/0x200\n[  667.125126][ T9805]  ? __pfx_filldir64+0x10/0x10\n[  667.125134][ T9805]  ? do_user_addr_fault+0x7fe/0x12f0\n[  667.125143][ T9805]  do_syscall_64+0xc9/0x480\n[  667.125151][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9\n[  667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48\n[  667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9\n[  667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9\n[  667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004\n[  667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110\n[  667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260\n[  667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  667.125207][ T9805]  </TASK>\n[  667.125210][ T9805]\n[  667.145632][ T9805] Allocated by task 9805:\n[  667.145991][ T9805]  kasan_save_stack+0x20/0x40\n[  667.146352][ T9805]  kasan_save_track+0x14/0x30\n[  667.146717][ T9805]  __kasan_kmalloc+0xaa/0xb0\n[  667.147065][ T9805]  __kmalloc_noprof+0x205/0x550\n[  667.147448][ T9805]  hfsplus_find_init+0x95/0x1f0\n[  667.147813][ T9805]  hfsplus_readdir+0x220/0xfc0\n[  667.148174][ T9805]  iterate_dir+0x296/0xb20\n[  667.148549][ T9805]  __x64_sys_getdents64+0x13c/0x2c0\n[  667.148937][ T9805]  do_syscall_64+0xc9/0x480\n[  667.149291][ T9805]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  667.149809][ T9805]\n[  667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000\n[  667.150030][ T9805]  which belongs to the cache kmalloc-2k of size 2048\n[  667.151282][ T9805] The buggy address is located 0 bytes to the right of\n[  667.151282][ T9805]  allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)\n[  667.1\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()\n\nThe hfsplus_bnode_read() method can trigger the issue:\n\n[  174.852007][ T9784] ==================================================================\n[  174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360\n[  174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784\n[  174.854059][ T9784]\n[  174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)\n[  174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  174.854286][ T9784] Call Trace:\n[  174.854289][ T9784]  <TASK>\n[  174.854292][ T9784]  dump_stack_lvl+0x10e/0x1f0\n[  174.854305][ T9784]  print_report+0xd0/0x660\n[  174.854315][ T9784]  ? __virt_addr_valid+0x81/0x610\n[  174.854323][ T9784]  ? __phys_addr+0xe8/0x180\n[  174.854330][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\n[  174.854337][ T9784]  kasan_report+0xc6/0x100\n[  174.854346][ T9784]  ? hfsplus_bnode_read+0x2f4/0x360\n[  174.854354][ T9784]  hfsplus_bnode_read+0x2f4/0x360\n[  174.854362][ T9784]  hfsplus_bnode_dump+0x2ec/0x380\n[  174.854370][ T9784]  ? __pfx_hfsplus_bnode_dump+0x10/0x10\n[  174.854377][ T9784]  ? hfsplus_bnode_write_u16+0x83/0xb0\n[  174.854385][ T9784]  ? srcu_gp_start+0xd0/0x310\n[  174.854393][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\n[  174.854402][ T9784]  hfsplus_brec_remove+0x3d2/0x4e0\n[  174.854411][ T9784]  __hfsplus_delete_attr+0x290/0x3a0\n[  174.854419][ T9784]  ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10\n[  174.854427][ T9784]  ? __pfx___hfsplus_delete_attr+0x10/0x10\n[  174.854436][ T9784]  ? __asan_memset+0x23/0x50\n[  174.854450][ T9784]  hfsplus_delete_all_attrs+0x262/0x320\n[  174.854459][ T9784]  ? __pfx_hfsplus_delete_all_attrs+0x10/0x10\n[  174.854469][ T9784]  ? rcu_is_watching+0x12/0xc0\n[  174.854476][ T9784]  ? __mark_inode_dirty+0x29e/0xe40\n[  174.854483][ T9784]  hfsplus_delete_cat+0x845/0xde0\n[  174.854493][ T9784]  ? __pfx_hfsplus_delete_cat+0x10/0x10\n[  174.854507][ T9784]  hfsplus_unlink+0x1ca/0x7c0\n[  174.854516][ T9784]  ? __pfx_hfsplus_unlink+0x10/0x10\n[  174.854525][ T9784]  ? down_write+0x148/0x200\n[  174.854532][ T9784]  ? __pfx_down_write+0x10/0x10\n[  174.854540][ T9784]  vfs_unlink+0x2fe/0x9b0\n[  174.854549][ T9784]  do_unlinkat+0x490/0x670\n[  174.854557][ T9784]  ? __pfx_do_unlinkat+0x10/0x10\n[  174.854565][ T9784]  ? __might_fault+0xbc/0x130\n[  174.854576][ T9784]  ? getname_flags.part.0+0x1c5/0x550\n[  174.854584][ T9784]  __x64_sys_unlink+0xc5/0x110\n[  174.854592][ T9784]  do_syscall_64+0xc9/0x480\n[  174.854600][ T9784]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167\n[  174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08\n[  174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\n[  174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167\n[  174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50\n[  174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40\n[  174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0\n[  174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  174.854658][ T9784]  </TASK>\n[  174.854661][ T9784]\n[  174.879281][ T9784] Allocated by task 9784:\n[  174.879664][ T9784]  kasan_save_stack+0x20/0x40\n[  174.880082][ T9784]  kasan_save_track+0x14/0x30\n[  174.880500][ T9784]  __kasan_kmalloc+0xaa/0xb0\n[  174.880908][ T9784]  __kmalloc_noprof+0x205/0x550\n[  174.881337][ T9784]  __hfs_bnode_create+0x107/0x890\n[  174.881779][ T9784]  hfsplus_bnode_find+0x2d0/0xd10\n[  174.882222][ T9784]  hfsplus_brec_find+0x2b0/0x520\n[  174.882659][ T9784]  hfsplus_delete_all_attrs+0x23b/0x3\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix slab-out-of-bounds in hfs_bnode_read()\n\nThis patch introduces is_bnode_offset_valid() method that checks\nthe requested offset value. Also, it introduces\ncheck_and_correct_requested_length() method that checks and\ncorrect the requested length (if it is necessary). These methods\nare used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),\nhfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent\nthe access out of allocated memory and triggering the crash.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix general protection fault in hfs_find_init()\n\nThe hfs_find_init() method can trigger the crash\nif tree pointer is NULL:\n\n[   45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI\n[   45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]\n[   45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full)\n[   45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230\n[   45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc\n[   45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202\n[   45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09\n[   45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8\n[   45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000\n[   45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004\n[   45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000\n[   45.760293][ T9787] FS:  00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000\n[   45.761050][ T9787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0\n[   45.762286][ T9787] Call Trace:\n[   45.762570][ T9787]  <TASK>\n[   45.762824][ T9787]  hfs_ext_read_extent+0x190/0x9d0\n[   45.763269][ T9787]  ? submit_bio_noacct_nocheck+0x2dd/0xce0\n[   45.763766][ T9787]  ? __pfx_hfs_ext_read_extent+0x10/0x10\n[   45.764250][ T9787]  hfs_get_block+0x55f/0x830\n[   45.764646][ T9787]  block_read_full_folio+0x36d/0x850\n[   45.765105][ T9787]  ? __pfx_hfs_get_block+0x10/0x10\n[   45.765541][ T9787]  ? const_folio_flags+0x5b/0x100\n[   45.765972][ T9787]  ? __pfx_hfs_read_folio+0x10/0x10\n[   45.766415][ T9787]  filemap_read_folio+0xbe/0x290\n[   45.766840][ T9787]  ? __pfx_filemap_read_folio+0x10/0x10\n[   45.767325][ T9787]  ? __filemap_get_folio+0x32b/0xbf0\n[   45.767780][ T9787]  do_read_cache_folio+0x263/0x5c0\n[   45.768223][ T9787]  ? __pfx_hfs_read_folio+0x10/0x10\n[   45.768666][ T9787]  read_cache_page+0x5b/0x160\n[   45.769070][ T9787]  hfs_btree_open+0x491/0x1740\n[   45.769481][ T9787]  hfs_mdb_get+0x15e2/0x1fb0\n[   45.769877][ T9787]  ? __pfx_hfs_mdb_get+0x10/0x10\n[   45.770316][ T9787]  ? find_held_lock+0x2b/0x80\n[   45.770731][ T9787]  ? lockdep_init_map_type+0x5c/0x280\n[   45.771200][ T9787]  ? lockdep_init_map_type+0x5c/0x280\n[   45.771674][ T9787]  hfs_fill_super+0x38e/0x720\n[   45.772092][ T9787]  ? __pfx_hfs_fill_super+0x10/0x10\n[   45.772549][ T9787]  ? snprintf+0xbe/0x100\n[   45.772931][ T9787]  ? __pfx_snprintf+0x10/0x10\n[   45.773350][ T9787]  ? do_raw_spin_lock+0x129/0x2b0\n[   45.773796][ T9787]  ? find_held_lock+0x2b/0x80\n[   45.774215][ T9787]  ? set_blocksize+0x40a/0x510\n[   45.774636][ T9787]  ? sb_set_blocksize+0x176/0x1d0\n[   45.775087][ T9787]  ? setup_bdev_super+0x369/0x730\n[   45.775533][ T9787]  get_tree_bdev_flags+0x384/0x620\n[   45.775985][ T9787]  ? __pfx_hfs_fill_super+0x10/0x10\n[   45.776453][ T9787]  ? __pfx_get_tree_bdev_flags+0x10/0x10\n[   45.776950][ T9787]  ? bpf_lsm_capable+0x9/0x10\n[   45.777365][ T9787]  ? security_capable+0x80/0x260\n[   45.777803][ T9787]  vfs_get_tree+0x8e/0x340\n[   45.778203][ T9787]  path_mount+0x13de/0x2010\n[   45.778604][ T9787]  ? kmem_cache_free+0x2b0/0x4c0\n[   45.779052][ T9787]  ? __pfx_path_mount+0x10/0x10\n[   45.779480][ T9787]  ? getname_flags.part.0+0x1c5/0x550\n[   45.779954][ T9787]  ? putname+0x154/0x1a0\n[   45.780335][ T9787]  __x64_sys_mount+0x27b/0x300\n[   45.780758][ T9787]  ? __pfx___x64_sys_mount+0x10/0x10\n[   45.781232][ T9787] \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: kcm: Fix race condition in kcm_unattach()\n\nsyzbot found a race condition when kcm_unattach(psock)\nand kcm_release(kcm) are executed at the same time.\n\nkcm_unattach() is missing a check of the flag\nkcm->tx_stopped before calling queue_work().\n\nIf the kcm has a reserved psock, kcm_unattach() might get executed\nbetween cancel_work_sync() and unreserve_psock() in kcm_release(),\nrequeuing kcm->tx_work right before kcm gets freed in kcm_done().\n\nRemove kcm->tx_stopped and replace it by the less\nerror-prone disable_work_sync().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: linearize cloned gso packets in sctp_rcv\n\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. It's not safe to access these frag skbs.\n\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\n\n  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\n   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\n   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n   __release_sock+0x1da/0x330 net/core/sock.c:3106\n   release_sock+0x6b/0x250 net/core/sock.c:3660\n   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\n   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\n   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\n   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n\nand\n\n  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\n   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\n   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n   __release_sock+0x1d3/0x330 net/core/sock.c:3213\n   release_sock+0x6b/0x270 net/core/sock.c:3767\n   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\n   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\n   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\n   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\n   sock_sendmsg_nosec net/socket.c:712 [inline]\n\nThis patch fixes it by linearizing cloned gso packets in sctp_rcv().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hibmcge: fix the division by zero issue\n\nWhen the network port is down, the queue is released, and ring->len is 0.\nIn debugfs, hbg_get_queue_used_num() will be called,\nwhich may lead to a division by zero issue.\n\nThis patch adds a check, if ring->len is 0,\nhbg_get_queue_used_num() directly returns 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hibmcge: fix rtnl deadlock issue\n\nCurrently, the hibmcge netdev acquires the rtnl_lock in\npci_error_handlers.reset_prepare() and releases it in\npci_error_handlers.reset_done().\n\nHowever, in the PCI framework:\npci_reset_bus - __pci_reset_slot - pci_slot_save_and_disable_locked -\n pci_dev_save_and_disable - err_handler->reset_prepare(dev);\n\nIn pci_slot_save_and_disable_locked():\n\tlist_for_each_entry(dev, &slot->bus->devices, bus_list) {\n\t\tif (!dev->slot || dev->slot!= slot)\n\t\t\tcontinue;\n\t\tpci_dev_save_and_disable(dev);\n\t\tif (dev->subordinate)\n\t\t\tpci_bus_save_and_disable_locked(dev->subordinate);\n\t}\n\nThis will iterate through all devices under the current bus and execute\nerr_handler->reset_prepare(), causing two devices of the hibmcge driver\nto sequentially request the rtnl_lock, leading to a deadlock.\n\nSince the driver now executes netif_device_detach()\nbefore the reset process, it will not concurrently with\nother netdev APIs, so there is no need to hold the rtnl_lock now.\n\nTherefore, this patch removes the rtnl_lock during the reset process and\nadjusts the position of HBG_NIC_STATE_RESETTING to ensure\nthat multiple resets are not executed concurrently.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n      if (res < 0) {\n                nf_conntrack_get(&ct->ct_general); // HERE\n                cb->args[1] = (unsigned long)ct;\n                ...\n\nWhile its very unlikely, its possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nkeeps prevents cnet->count from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in nf_conntrack_cleanup_net_list.\n\nOne fix would to change this to:\n        if (res < 0) {\n\t\tif (ct != last)\n\t                nf_conntrack_get(&ct->ct_general);\n\nBut this reference counting isn't needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a 'skip hint', not the actual\nobject so we can apply the same cookie strategy there as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs: fix UAF in export_dmabuf()\n\nAs soon as we'd inserted a file reference into descriptor table, another\nthread could close it.  That's fine for the case when all we are doing is\nreturning that descriptor to userland (it's a race, but it's a userland\nrace and there's nothing the kernel can do about it).  However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its ->release()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\nhabanalabs export_dmabuf() calls it and then proceeds to access the\nobjects destroyed on close.  In particular, it grabs an extra reference to\nanother struct file that will be dropped as part of ->release() for ours;\nthat \"will be\" is actually \"might have already been\".\n\nFix that by reserving descriptor before anything else and do fd_install()\nonly when everything had been set up.  As a side benefit, we no longer\nhave the failure exit with file already created, but reference to\nunderlying file (as well as ->dmabuf_export_cnt, etc.) not grabbed yet;\nunlike dma_buf_fd(), fd_install() can't fail.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Fix jump offset calculation in tailcall\n\nThe extra pass of bpf_int_jit_compile() skips JIT context initialization\nwhich essentially skips offset calculation leaving out_offset = -1, so\nthe jmp_offset in emit_bpf_tail_call is calculated by\n\n\"#define jmp_offset (out_offset - (cur_offset))\"\n\nis a negative number, which is wrong. The final generated assembly is\nas follows.\n\n54:\tbgeu        \t$a2, $t1, -8\t    # 0x0000004c\n58:\taddi.d      \t$a6, $s5, -1\n5c:\tbltz        \t$a6, -16\t    # 0x0000004c\n60:\talsl.d      \t$t2, $a2, $a1, 0x3\n64:\tld.d        \t$t2, $t2, 264\n68:\tbeq         \t$t2, $zero, -28\t    # 0x0000004c\n\nBefore applying this patch, the following test case will reveal soft lock issues.\n\ncd tools/testing/selftests/bpf/\n./test_progs --allow=tailcalls/tailcall_bpf2bpf_1\n\ndmesg:\nwatchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). A SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: add phy_mask for ax88772 mdio bus\n\nWithout setting phy_mask for ax88772 mdio bus, current driver may create\nat most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.\nDLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy\ndevice will bind to net phy driver. This causes an issue during system\nsuspend/resume since phy_polling_mode() in phy_state_machine() will\ndirectly dereference member of phydev->drv for non-main phy devices. Then\nNULL pointer dereference issue will occur. Since only the external phy or\nthe internal phy is necessary, add phy_mask for ax88772 mdio bus to work around\nthe issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect\n\nAfter the call to phy_disconnect() netdev->phydev is reset to NULL.\nSo fixed_phy_unregister() would be called with a NULL pointer as argument.\nTherefore cache the phy_device before this call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket's read memory allocation\nconstraints. Firstly, it has:\n\n  rmem < READ_ONCE(sk->sk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket's receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n  rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)\n\nThe checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is\nequal to sk->sk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n  rcu: INFO: rcu_sched self-detected stall on CPU\n  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n  (t=26000 jiffies g=230833 q=259957)\n  NMI backtrace for cpu 0\n  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n  Call Trace:\n  <IRQ>\n  dump_stack lib/dump_stack.c:120\n  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n  update_process_times kernel/time/timer.c:1953\n  tick_sched_handle kernel/time/tick-sched.c:227\n  tick_sched_timer kernel/time/tick-sched.c:1399\n  __hrtimer_run_queues kernel/time/hrtimer.c:1652\n  hrtimer_interrupt kernel/time/hrtimer.c:1717\n  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n  </IRQ>\n\n  netlink_attachskb net/netlink/af_netlink.c:1234\n  netlink_unicast net/netlink/af_netlink.c:1349\n  kauditd_send_queue kernel/audit.c:776\n  kauditd_thread kernel/audit.c:897\n  kthread kernel/kthread.c:328\n  ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix for slab out of bounds on mount to ksmbd\n\nWith KASAN enabled, it is possible to get a slab out of bounds\nduring mount to ksmbd due to missing check in parse_server_interfaces()\n(see below):\n\n BUG: KASAN: slab-out-of-bounds in\n parse_server_interfaces+0x14ee/0x1880 [cifs]\n Read of size 4 at addr ffff8881433dba98 by task mount/9827\n\n CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G\n OE       6.16.0-rc2-kasan #2 PREEMPT(voluntary)\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,\n BIOS 2.13.1 06/14/2019\n Call Trace:\n  <TASK>\n dump_stack_lvl+0x9f/0xf0\n print_report+0xd1/0x670\n __virt_addr_valid+0x22c/0x430\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? kasan_complete_mode_report_info+0x2a/0x1f0\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\n   kasan_report+0xd6/0x110\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\n   __asan_report_load_n_noabort+0x13/0x20\n   parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]\n ? trace_hardirqs_on+0x51/0x60\n SMB3_request_interfaces+0x1ad/0x3f0 [cifs]\n ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]\n ? SMB2_tcon+0x23c/0x15d0 [cifs]\n smb3_qfs_tcon+0x173/0x2b0 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n cifs_mount_get_tcon+0x369/0xb90 [cifs]\n ? dfs_cache_find+0xe7/0x150 [cifs]\n dfs_mount_share+0x985/0x2970 [cifs]\n ? check_path.constprop.0+0x28/0x50\n ? save_trace+0x54/0x370\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? __lock_acquire+0xb82/0x2ba0\n ? __kasan_check_write+0x18/0x20\n cifs_mount+0xbc/0x9e0 [cifs]\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]\n cifs_smb3_do_mount+0x263/0x1990 [cifs]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 power domain descriptors, too\n\nUAC3 power domain descriptors need to be verified with its variable\nbLength for avoiding the unexpected OOB accesses by malicious\nfirmware, too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: commit partial buffers on retry\n\nRing provided buffers are potentially only valid within the single\nexecution context in which they were acquired. io_uring deals with this\nand invalidates them on retry. But on the networking side, if\nMSG_WAITALL is set, or if the socket is of the streaming type and too\nlittle was processed, then it will hang on to the buffer rather than\nrecycle or commit it. This is problematic for two reasons:\n\n1) If someone unregisters the provided buffer ring before a later retry,\n   then the req->buf_list will no longer be valid.\n\n2) If multiple sockets are using the same buffer group, then multiple\n   receives can consume the same memory. This can cause data corruption\n   in the application, as either receive could land in the same\n   userspace buffer.\n\nFix this by disallowing partial retries from pinning a provided buffer\nacross multiple executions, if ring provided buffers are used.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix vm_bind_ioctl double free bug\n\nIf the argument check during an array bind fails, the bind_ops are freed\ntwice as seen below. Fix this by setting bind_ops to NULL after freeing.\n\n==================================================================\nBUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\nFree of addr ffff88813bb9b800 by task xe_vm/14198\n\nCPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full)\nHardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5 RVP, BIOS ADLPFWI1.R00.2411.A02.2110081023 10/08/2021\nCall Trace:\n <TASK>\n dump_stack_lvl+0x82/0xd0\n print_report+0xcb/0x610\n ? __virt_addr_valid+0x19a/0x300\n ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n kasan_report_invalid_free+0xc8/0xf0\n ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n check_slab_allocation+0x102/0x130\n kfree+0x10d/0x440\n ? should_fail_ex+0x57/0x2f0\n ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\n ? __lock_acquire+0xab9/0x27f0\n ? lock_acquire+0x165/0x300\n ? drm_dev_enter+0x53/0xe0 [drm]\n ? find_held_lock+0x2b/0x80\n ? drm_dev_exit+0x30/0x50 [drm]\n ? drm_ioctl_kernel+0x128/0x1c0 [drm]\n drm_ioctl_kernel+0x128/0x1c0 [drm]\n ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\n ? find_held_lock+0x2b/0x80\n ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]\n ? should_fail_ex+0x57/0x2f0\n ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\n drm_ioctl+0x352/0x620 [drm]\n ? __pfx_drm_ioctl+0x10/0x10 [drm]\n ? __pfx_rpm_resume+0x10/0x10\n ? do_raw_spin_lock+0x11a/0x1b0\n ? find_held_lock+0x2b/0x80\n ? __pm_runtime_resume+0x61/0xc0\n ? rcu_is_watching+0x20/0x50\n ? trace_irq_enable.constprop.0+0xac/0xe0\n xe_drm_ioctl+0x91/0xc0 [xe]\n __x64_sys_ioctl+0xb2/0x100\n ? rcu_is_watching+0x20/0x50\n do_syscall_64+0x68/0x2e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa9acb24ded\n\n(cherry picked from commit a01b704527c28a2fd43a17a85f8996b75ec8492a)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject: don't leak dst refcount for loopback packets\n\nRecent patches to add a WARN() when replacing skb dst entry found an\nold bug:\n\nWARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]\nWARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]\nWARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234\n[..]\nCall Trace:\n nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325\n nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27\n expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]\n ..\n\nThis is because blamed commit forgot about loopback packets.\nSuch packets already have a dst_entry attached, even at PRE_ROUTING stage.\n\nInstead of checking hook just check if the skb already has a route\nattached to it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Do not map lowcore with identity mapping\n\nSince the identity mapping is pinned to address zero the lowcore is always\nalso mapped to address zero, this happens regardless of the relocate_lowcore\ncommand line option. If the option is specified the lowcore is mapped\ntwice, instead of only once.\n\nThis means that NULL pointer accesses will succeed instead of causing an\nexception (low address protection still applies, but covers only parts).\nTo fix this never map the first two pages of physical memory with the\nidentity mapping.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix UAF on smcsk after smc_listen_out()\n\nBPF CI testing reported a UAF issue:\n\n  [   16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003  0\n  [   16.447134] #PF: supervisor read access in kernel mod  e\n  [   16.447516] #PF: error_code(0x0000) - not-present pag  e\n  [   16.447878] PGD 0 P4D   0\n  [   16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT  I\n  [   16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G           OE      6.13.0-rc3-g89e8a75fda73-dirty #4  2\n  [   16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL  E\n  [   16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201  4\n  [   16.450201] Workqueue: smc_hs_wq smc_listen_wor  k\n  [   16.450531] RIP: 0010:smc_listen_work+0xc02/0x159  0\n  [   16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024  6\n  [   16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030  0\n  [   16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000  0\n  [   16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000  5\n  [   16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640  0\n  [   16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092  0\n  [   16.454996] FS:  0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000  0\n  [   16.455557] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003  3\n  [   16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef  0\n  [   16.456459] PKRU: 5555555  4\n  [   16.456654] Call Trace  :\n  [   16.456832]  <TASK  >\n  [   16.456989]  ? __die+0x23/0x7  0\n  [   16.457215]  ? page_fault_oops+0x180/0x4c  0\n  [   16.457508]  ? __lock_acquire+0x3e6/0x249  0\n  [   16.457801]  ? exc_page_fault+0x68/0x20  0\n  [   16.458080]  ? asm_exc_page_fault+0x26/0x3  0\n  [   16.458389]  ? smc_listen_work+0xc02/0x159  0\n  [   16.458689]  ? smc_listen_work+0xc02/0x159  0\n  [   16.458987]  ? lock_is_held_type+0x8f/0x10  0\n  [   16.459284]  process_one_work+0x1ea/0x6d  0\n  [   16.459570]  worker_thread+0x1c3/0x38  0\n  [   16.459839]  ? __pfx_worker_thread+0x10/0x1  0\n  [   16.460144]  kthread+0xe0/0x11  0\n  [   16.460372]  ? __pfx_kthread+0x10/0x1  0\n  [   16.460640]  ret_from_fork+0x31/0x5  0\n  [   16.460896]  ? __pfx_kthread+0x10/0x1  0\n  [   16.461166]  ret_from_fork_asm+0x1a/0x3  0\n  [   16.461453]  </TASK  >\n  [   16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)  ]\n  [   16.462134] CR2: 000000000000003  0\n  [   16.462380] ---[ end trace 0000000000000000 ]---\n  [   16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590\n\nThe direct cause of this issue is that after smc_listen_out_connected(),\nnewclcsock->sk may be NULL since it will release the smcsk. Therefore,\nif the application closes the socket immediately after accept,\nnewclcsock->sk can be NULL. A possible execution order could be as\nfollows:\n\nsmc_listen_work                                 | userspace\n-----------------------------------------------------------------\nlock_sock(sk)                                   |\nsmc_listen_out_connected()                      |\n| \\- smc_listen_out                             |\n|    | \\- release_sock                          |\n     | |- sk->sk_data_ready()                   |\n                                                | fd = accept();\n                                                | close(fd);\n                                                |  \\- socket->sk = NULL;\n/* newclcsock->sk is NULL now */\nSMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))\n\nSince smc_listen_out_connected() will not fail, simply swapping the order\nof the code can easily fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: prevent ethtool ops after shutdown\n\nA crash can occur if an ethtool operation is invoked\nafter shutdown() is called.\n\nshutdown() is invoked during system shutdown to stop DMA operations\nwithout performing expensive deallocations. It is discouraged to\nunregister the netdev in this path, so the device may still be visible\nto userspace and kernel helpers.\n\nIn gve, shutdown() tears down most internal data structures. If an\nethtool operation is dispatched after shutdown(), it will dereference\nfreed or NULL pointers, leading to a kernel panic. While graceful\nshutdown normally quiesces userspace before invoking the reboot\nsyscall, forced shutdowns (as observed on GCP VMs) can still trigger\nthis path.\n\nFix by calling netif_device_detach() in shutdown().\nThis marks the device as detached so the ethtool ioctl handler\nwill skip dispatching operations to the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-38736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: Fix PHY address mask in MDIO bus initialization\n\nSyzbot reported shift-out-of-bounds exception on MDIO bus initialization.\n\nThe PHY address should be masked to 5 bits (0-31). Without this\nmask, invalid PHY addresses could be used, potentially causing issues\nwith MDIO bus operations.\n\nFix this by masking the PHY address with 0x1f (31 decimal) to ensure\nit stays within the valid range.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16.4"
        },
        {
          "id": "CVE-2025-38737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix oops due to uninitialised variable\n\nFix smb3_init_transform_rq() to initialise buffer to NULL before calling\nnetfs_alloc_folioq_buffer() as netfs assumes it can append to the buffer it\nis given.  Setting it to NULL means it should start a fresh buffer, but the\nvalue is currently undefined.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-38737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix race conditions in ppp_fill_forward_path\n\nppp_fill_forward_path() has two race conditions:\n\n1. The ppp->channels list can change between list_empty() and\n   list_first_entry(), as ppp_lock() is not held. If the only channel\n   is deleted in ppp_disconnect_channel(), list_first_entry() may\n   access an empty head or a freed entry, and trigger a panic.\n\n2. pch->chan can be NULL. When ppp_unregister_channel() is called,\n   pch->chan is set to NULL before pch is removed from ppp->channels.\n\nFix these by using a lockless RCU approach:\n- Use list_first_or_null_rcu() to safely test and access the first list\n  entry.\n- Convert list modifications on ppp->channels to their RCU variants and\n  add synchronize_net() after removal.\n- Check for a NULL pch->chan before dereferencing it.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39673",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: ufs-qcom: Fix ESI null pointer dereference\n\nESI/MSI is a performance optimization feature that provides dedicated\ninterrupts per MCQ hardware queue. This is an optional feature and UFS MCQ\nshould work with and without the ESI feature.\n\nCommit e46a28cea29a (\"scsi: ufs: qcom: Remove the MSI descriptor abuse\")\nbrings a regression in ESI (Enhanced System Interrupt) configuration that\ncauses a null pointer dereference when Platform MSI allocation fails.\n\nThe issue occurs when platform_device_msi_init_and_alloc_irqs() in\nufs_qcom_config_esi() fails (returns -EINVAL) but the current code uses the\n__free() macro for automatic cleanup to free MSI resources that were never\nsuccessfully allocated.\n\nUnable to handle kernel NULL pointer dereference at virtual\naddress 0000000000000008\n\n  Call trace:\n  mutex_lock+0xc/0x54 (P)\n  platform_device_msi_free_irqs_all+0x1c/0x40\n  ufs_qcom_config_esi+0x1d0/0x220 [ufs_qcom]\n  ufshcd_config_mcq+0x28/0x104\n  ufshcd_init+0xa3c/0xf40\n  ufshcd_pltfrm_init+0x504/0x7d4\n  ufs_qcom_probe+0x20/0x58 [ufs_qcom]\n\nFix by restructuring the ESI configuration to try MSI allocation first,\nbefore any other resource allocation, and use explicit cleanup\ninstead of the __free() macro to avoid cleanup of unallocated resources.\n\nTested on SM8750 platform with MCQ enabled, both with and without\nPlatform ESI support.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39674",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()\n\nThe function mod_hdcp_hdcp1_create_session() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference.\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function returns null.\n\nThis is similar to the commit c3e9826a2202\n(\"drm/amd/display: Add null pointer check for get_first_active_display()\").\n\n(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39675",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla4xxx: Prevent a potential error pointer dereference\n\nThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,\nbut qla4xxx_ep_connect() returns error pointers.  Propagating the error\npointers will lead to an Oops in the caller, so change the error pointers\nto NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39676",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix backlog accounting in qdisc_dequeue_internal\n\nThis issue applies for the following qdiscs: hhf, fq, fq_codel, and\nfq_pie, and occurs in their change handlers when adjusting to the new\nlimit. The problem is the following in the values passed to the\nsubsequent qdisc_tree_reduce_backlog call given a tbf parent:\n\n   When the tbf parent runs out of tokens, skbs of these qdiscs will\n   be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,\n   which accounts for both qlen and backlog. However, in the case of\n   qdisc_dequeue_internal, ONLY qlen is accounted for when pulling\n   from gso_skb. This means that these qdiscs are missing a\n   qdisc_qstats_backlog_dec when dropping packets to satisfy the\n   new limit in their change handlers.\n\n   One can observe this issue with the following (with tc patched to\n   support a limit of 0):\n\n   export TARGET=fq\n   tc qdisc del dev lo root\n   tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms\n   tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000\n   echo ''; echo 'add child'; tc -s -d qdisc show dev lo\n   ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null\n   echo ''; echo 'after ping'; tc -s -d qdisc show dev lo\n   tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0\n   echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo\n   tc qdisc replace dev lo handle 2: parent 1:1 sfq\n   echo ''; echo 'post graft'; tc -s -d qdisc show dev lo\n\n   The second to last show command shows 0 packets but a positive\n   number (74) of backlog bytes. The problem becomes clearer in the\n   last show command, where qdisc_purge_queue triggers\n   qdisc_tree_reduce_backlog with the positive backlog and causes an\n   underflow in the tbf parent's backlog (4096 Mb instead of 0).\n\nTo fix this issue, the codepath for all clients of qdisc_dequeue_internal\nhas been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.\nqdisc_dequeue_internal handles the backlog adjustments for all cases that\ndo not directly use the dequeue handler.\n\nThe old fq_codel_change limit adjustment loop accumulated the arguments to\nthe subsequent qdisc_tree_reduce_backlog call through the cstats field.\nHowever, this is confusing and error prone as fq_codel_dequeue could also\npotentially mutate this field (which qdisc_dequeue_internal calls in the\nnon gso_skb case), so we have unified the code here with other qdiscs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39677",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL\n\nIf metric table address is not allocated, accessing metrics_bin will\nresult in a NULL pointer dereference, so add a check.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39678",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor().\n\nWhen the nvif_vmm_type is invalid, we will return error directly\nwithout freeing the args in nvif_vmm_ctor(), which leading a memory\nleak. Fix it by setting the ret -EINVAL and goto done.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39679",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer\n\nThe data->block[0] variable comes from user. Without proper check,\nthe variable may be very large to cause an out-of-bounds bug.\n\nFix this bug by checking the value of data->block[0] first.\n\n1. commit 39244cc75482 (\"i2c: ismt: Fix an out-of-bounds bug in\n   ismt_access()\")\n2. commit 92fbb6d1296f (\"i2c: xgene-slimpro: Fix out-of-bounds bug in\n   xgene_slimpro_i2c_xfer()\")",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39680",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n  923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn't put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n  [ bp: Massage commit message. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39681",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don't know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don't have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. The corner case\nwe missed is when the initial record comes from rx_list, and it's\nzero length.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39682",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser->buffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.\nThen an OOB access will be triggered in ftrace_regex_release->\nftrace_process_regex->strsep->strpbrk. We can solve this problem by\nlimiting access to parser->buffer when trace_get_user failed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39683",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel\nbuffer is allocated to hold `insn->n` samples (each of which is an\n`unsigned int`).  For some instruction types, `insn->n` samples are\ncopied back to user-space, unless an error code is being returned.  The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn->n` samples, so that there is\nan information leak.  There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler.  For `INSN_READ` it only fills in at most 1 sample, so if\n`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver.  It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39684",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl726: Prevent invalid irq number\n\nThe reproducer passed in an irq number(0x80008000) that was too large,\nwhich triggered the oob.\n\nAdded an interrupt number check to prevent users from passing in an irq\nnumber that was too large.\n\nIf `it->options[1]` is 31, then `1 << it->options[1]` is still invalid\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\nPossible solutions include reducing the upper bound on the\n`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.\n\nThe old code would just not attempt to request the IRQ if the\n`options[1]` value were invalid.  And it would still configure the\ndevice without interrupts even if the call to `request_irq` returned an\nerror.  So it would be better to combine this test with the test below.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39685",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn->n samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample.  For `INSN_READ`, the comedi core will\ncopy `insn->n` samples back to user-space.  (That triggered KASAN\nkernel-infoleak errors when `insn->n` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn->n` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39686",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: as73211: Ensure buffer holes are zeroed\n\nGiven that the buffer is copied to a kfifo that ultimately user space\ncan read, ensure we zero it.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39687",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()\n\nThe pynfs DELEG8 test fails when run against nfsd. It acquires a\ndelegation and then lets the lease time out. It then tries to use the\ndeleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets\nbad NFS4ERR_BAD_STATEID instead.\n\nWhen a delegation is revoked, it's initially marked with\nSC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked\nwith the SC_STATUS_FREEABLE flag, which denotes that it is waiting for\ns FREE_STATEID call.\n\nnfs4_lookup_stateid() accepts a statusmask that includes the status\nflags that a found stateid is allowed to have. Currently, that mask\nnever includes SC_STATUS_FREEABLE, which means that revoked delegations\nare (almost) never found.\n\nAdd SC_STATUS_FREEABLE to the always-allowed status flags, and remove it\nfrom nfsd4_delegreturn() since it's now always implied.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39688",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn't have to differentiate when to free the\niterator's hash between writers and readers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39689",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: sca3300: fix uninitialized iio scan data\n\nFix potential leak of uninitialized stack data to userspace by ensuring\nthat the `channels` array is zeroed before use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39690",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: fix use-after-free when call bh_read() helper\n\nThere's issue as follows:\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb4/0x270\n kasan_report+0xb8/0xf0\n end_buffer_read_sync+0xe3/0x110\n end_bio_bh_io_sync+0x56/0x80\n blk_update_request+0x30a/0x720\n scsi_end_request+0x51/0x2b0\n scsi_io_completion+0xe3/0x480\n ? scsi_device_unbusy+0x11e/0x160\n blk_complete_reqs+0x7b/0x90\n handle_softirqs+0xef/0x370\n irq_exit_rcu+0xa5/0xd0\n sysvec_apic_timer_interrupt+0x6e/0x90\n </IRQ>\n\n Above issue happens when do ntfs3 filesystem mount, issue may happens\n as follows:\n           mount                            IRQ\nntfs_fill_super\n  read_cache_page\n    do_read_cache_folio\n      filemap_read_folio\n        mpage_read_folio\n\t do_mpage_readpage\n\t  ntfs_get_block_vbo\n\t   bh_read\n\t     submit_bh\n\t     wait_on_buffer(bh);\n\t                            blk_complete_reqs\n\t\t\t\t     scsi_io_completion\n\t\t\t\t      scsi_end_request\n\t\t\t\t       blk_update_request\n\t\t\t\t        end_bio_bh_io_sync\n\t\t\t\t\t end_buffer_read_sync\n\t\t\t\t\t  __end_buffer_read_notouch\n\t\t\t\t\t   unlock_buffer\n\n            wait_on_buffer(bh);--> return will return to caller\n\n\t\t\t\t\t  put_bh\n\t\t\t\t\t    --> trigger stack-out-of-bounds\nIn the mpage_read_folio() function, the stack variable 'map_bh' is\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\nwait_on_buffer() returns to continue processing, the stack variable\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\nprocess, calling put_bh() may result in stack overrun.\n\nIf the bh is not allocated on the stack, it belongs to a folio.  Freeing\na buffer head which belongs to a folio is done by drop_buffers() which\nwill fail to free buffers which are still locked.  So it is safe to call\nput_bh() before __end_buffer_read_notouch().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39691",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()\n\nWe can't call destroy_workqueue(smb_direct_wq); before stop_sessions()!\n\nOtherwise already existing connections try to use smb_direct_wq as\na NULL pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39692",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid a NULL pointer dereference\n\n[WHY]\nAlthough unlikely drm_atomic_get_new_connector_state() or\ndrm_atomic_get_old_connector_state() can return NULL.\n\n[HOW]\nCheck returns before dereference.\n\n(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39693",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix SCCB present check\n\nTracing code called by the SCLP interrupt handler contains early exits\nif the SCCB address associated with an interrupt is NULL. This check is\nperformed after physical to virtual address translation.\n\nIf the kernel identity mapping does not start at address zero, the\nresulting virtual address is never zero, so that the NULL checks won't\nwork. Subsequently this may result in incorrect accesses to the first\npage of the identity mapping.\n\nFix this by introducing a function that handles the NULL case before\naddress translation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39694",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Flush delayed SKBs while releasing RXE resources\n\nWhen skb packets are sent out, these skb packets still depends on\nthe rxe resources, for example, QP, sk, when these packets are\ndestroyed.\n\nIf these rxe resources are released when the skb packets are destroyed,\nthe call traces will appear.\n\nTo avoid skb packets hang too long time in some network devices,\na timestamp is added when these skb packets are created. If these\nskb packets hang too long time in network devices, these network\ndevices can free these skb packets to release rxe resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39695",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: tas2781: Fix wrong reference of tasdevice_priv\n\nDuring the conversion to unify the calibration data management, the\nreference to tasdevice_priv was wrongly set to h->hda_priv instead of\nh->priv.  This resulted in memory corruption and crashes eventually.\nUnfortunately it's a void pointer, hence the compiler couldn't know\nthat it's wrong.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39696",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a race when updating an existing write\n\nAfter nfs_lock_and_join_requests() tests for whether the request is\nstill attached to the mapping, nothing prevents a call to\nnfs_inode_remove_request() from succeeding until we actually lock the\npage group.\nThe reason is that whoever called nfs_inode_remove_request() doesn't\nnecessarily have a lock on the page group head.\n\nSo in order to avoid races, let's take the page group lock earlier in\nnfs_lock_and_join_requests(), and hold it across the removal of the\nrequest in nfs_inode_remove_request().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39697",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/futex: ensure io_futex_wait() cleans up properly on failure\n\nThe io_futex_data is allocated upfront and assigned to the io_kiocb\nasync_data field, but the request isn't marked with REQ_F_ASYNC_DATA\nat that point. Those two should always go together, as the flag tells\nio_uring whether the field is valid or not.\n\nAdditionally, on failure cleanup, the futex handler frees the data but\ndoes not clear ->async_data. Clear the data and the flag in the error\npath as well.\n\nThanks to Trend Micro Zero Day Initiative and particularly ReDress for\nreporting this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39698",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/riscv: prevent NULL deref in iova_to_phys\n\nThe riscv_iommu_pte_fetch() function returns either NULL for\nunmapped/never-mapped iova, or a valid leaf pte pointer that\nrequires no further validation.\n\nriscv_iommu_iova_to_phys() failed to handle NULL returns.\nPrevent null pointer dereference in\nriscv_iommu_iova_to_phys(), and remove the pte validation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39699",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/ops-common: ignore migration request to invalid nodes\n\ndamon_migrate_pages() tries migration even if the target node is invalid. \nIf users mistakenly make such invalid requests via\nDAMOS_MIGRATE_{HOT,COLD} action, the below kernel BUG can happen.\n\n    [ 7831.883495] BUG: unable to handle page fault for address: 0000000000001f48\n    [ 7831.884160] #PF: supervisor read access in kernel mode\n    [ 7831.884681] #PF: error_code(0x0000) - not-present page\n    [ 7831.885203] PGD 0 P4D 0\n    [ 7831.885468] Oops: Oops: 0000 [#1] SMP PTI\n    [ 7831.885852] CPU: 31 UID: 0 PID: 94202 Comm: kdamond.0 Not tainted 6.16.0-rc5-mm-new-damon+ #93 PREEMPT(voluntary)\n    [ 7831.886913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.el9 04/01/2014\n    [ 7831.887777] RIP: 0010:__alloc_frozen_pages_noprof (include/linux/mmzone.h:1724 include/linux/mmzone.h:1750 mm/page_alloc.c:4936 mm/page_alloc.c:5137)\n    [...]\n    [ 7831.895953] Call Trace:\n    [ 7831.896195]  <TASK>\n    [ 7831.896397] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)\n    [ 7831.896787] migrate_pages_batch (mm/migrate.c:1189 mm/migrate.c:1851)\n    [ 7831.897228] ? __pfx_alloc_migration_target (mm/migrate.c:2137)\n    [ 7831.897735] migrate_pages (mm/migrate.c:2078)\n    [ 7831.898141] ? __pfx_alloc_migration_target (mm/migrate.c:2137)\n    [ 7831.898664] damon_migrate_folio_list (mm/damon/ops-common.c:321 mm/damon/ops-common.c:354)\n    [ 7831.899140] damon_migrate_pages (mm/damon/ops-common.c:405)\n    [...]\n\nAdd a target node validity check in damon_migrate_pages().  The validity\ncheck is stolen from that of do_pages_move(), which is being used for the\nmove_pages() system call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39700",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: pfr_update: Fix the driver update version check\n\nThe security-version-number check should be used rather\nthan the runtime version check for driver updates.\n\nOtherwise, the firmware update would fail when the update binary had\na lower runtime version number than the current one.\n\n[ rjw: Changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39701",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39702",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, hsr: reject HSR frame if skb can't hold tag\n\nReceiving HSR frame with insufficient space to hold HSR tag in the skb\ncan result in a crash (kernel BUG):\n\n[   45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1\n[   45.392559] ------------[ cut here ]------------\n[   45.392912] kernel BUG at net/core/skbuff.c:211!\n[   45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)\n[   45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   45.395273] RIP: 0010:skb_panic+0x15b/0x1d0\n\n<snip registers, remove unreliable trace>\n\n[   45.402911] Call Trace:\n[   45.403105]  <IRQ>\n[   45.404470]  skb_push+0xcd/0xf0\n[   45.404726]  br_dev_queue_push_xmit+0x7c/0x6c0\n[   45.406513]  br_forward_finish+0x128/0x260\n[   45.408483]  __br_forward+0x42d/0x590\n[   45.409464]  maybe_deliver+0x2eb/0x420\n[   45.409763]  br_flood+0x174/0x4a0\n[   45.410030]  br_handle_frame_finish+0xc7c/0x1bc0\n[   45.411618]  br_handle_frame+0xac3/0x1230\n[   45.413674]  __netif_receive_skb_core.constprop.0+0x808/0x3df0\n[   45.422966]  __netif_receive_skb_one_core+0xb4/0x1f0\n[   45.424478]  __netif_receive_skb+0x22/0x170\n[   45.424806]  process_backlog+0x242/0x6d0\n[   45.425116]  __napi_poll+0xbb/0x630\n[   45.425394]  net_rx_action+0x4d1/0xcc0\n[   45.427613]  handle_softirqs+0x1a4/0x580\n[   45.427926]  do_softirq+0x74/0x90\n[   45.428196]  </IRQ>\n\nThis issue was found by syzkaller.\n\nThe panic happens in br_dev_queue_push_xmit() once it receives a\ncorrupted skb with ETH header already pushed in linear data. When it\nattempts the skb_push() call, there's not enough headroom and\nskb_push() panics.\n\nThe corrupted skb is put on the queue by HSR layer, which makes a\nsequence of unintended transformations when it receives a specific\ncorrupted HSR frame (with incomplete TAG).\n\nFix it by dropping and consuming frames that are not long enough to\ncontain both ethernet and hsr headers.\n\nAlternative fix would be to check for enough headroom before skb_push()\nin br_dev_queue_push_xmit().\n\nIn the reproducer, this is injected via AF_PACKET, but I don't easily\nsee why it couldn't be sent over the wire from adjacent network.\n\nFurther Details:\n\nIn the reproducer, the following network interface chain is set up:\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 veth0_to_hsr   \u251c\u2500\u2500\u2500\u2524  hsr_slave0    \u253c\u2500\u2500\u2500\u2510\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n                                          \u2502 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n                                          \u251c\u2500\u2524 hsr0 \u251c\u2500\u2500\u2500\u2510\n                                          \u2502 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502            \u2502\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 veth1_to_hsr   \u253c\u2500\u2500\u2500\u2524  hsr_slave1    \u251c\u2500\u2500\u2500\u2518            \u2514\u2524        \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518                \u250c\u253c bridge \u2502\n                                                       \u2502\u2502        \u2502\n                                                       \u2502\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                                                       \u2502\n                                        \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510      \u2502\n                                        \u2502  ...  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                                        \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\nTo trigger the events leading up to crash, reproducer sends a corrupted\nHSR fr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39703",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix stack protector issue in send_ipi_data()\n\nFunction kvm_io_bus_read() is called in function send_ipi_data(), buffer\nsize of parameter *val should be at least 8 bytes. Since some emulation\nfunctions like loongarch_ipi_readl() and kvm_eiointc_read() will write\nthe buffer *val with 8 bytes signed extension regardless parameter len.\n\nOtherwise there will be buffer overflow issue when CONFIG_STACKPROTECTOR\nis enabled. The bug report is shown as follows:\n\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: send_ipi_data+0x194/0x1a0 [kvm]\nCPU: 11 UID: 107 PID: 2692 Comm: CPU 0/KVM Not tainted 6.17.0-rc1+ #102 PREEMPT(full)\nStack : 9000000005901568 0000000000000000 9000000003af371c 900000013c68c000\n        900000013c68f850 900000013c68f858 0000000000000000 900000013c68f998\n        900000013c68f990 900000013c68f990 900000013c68f6c0 fffffffffffdb058\n        fffffffffffdb0e0 900000013c68f858 911e1d4d39cf0ec2 9000000105657a00\n        0000000000000001 fffffffffffffffe 0000000000000578 282049464555206e\n        6f73676e6f6f4c20 0000000000000001 00000000086b4000 0000000000000000\n        0000000000000000 0000000000000000 9000000005709968 90000000058f9000\n        900000013c68fa68 900000013c68fab4 90000000029279f0 900000010153f940\n        900000010001f360 0000000000000000 9000000003af3734 000000004390000c\n        00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d\n        ...\nCall Trace:\n[<9000000003af3734>] show_stack+0x5c/0x180\n[<9000000003aed168>] dump_stack_lvl+0x6c/0x9c\n[<9000000003ad0ab0>] vpanic+0x108/0x2c4\n[<9000000003ad0ca8>] panic+0x3c/0x40\n[<9000000004eb0a1c>] __stack_chk_fail+0x14/0x18\n[<ffff8000023473f8>] send_ipi_data+0x190/0x1a0 [kvm]\n[<ffff8000023313e4>] __kvm_io_bus_write+0xa4/0xe8 [kvm]\n[<ffff80000233147c>] kvm_io_bus_write+0x54/0x90 [kvm]\n[<ffff80000233f9f8>] kvm_emu_iocsr+0x180/0x310 
[kvm]\n[<ffff80000233fe08>] kvm_handle_gspr+0x280/0x478 [kvm]\n[<ffff8000023443e8>] kvm_handle_exit+0xc0/0x130 [kvm]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39704",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a Null pointer dereference vulnerability\n\n[Why]\nA null pointer dereference vulnerability exists in the AMD display driver's\n(DC module) cleanup function dc_destruct().\nWhen display control context (dc->ctx) construction fails\n(due to memory allocation failure), this pointer remains NULL.\nDuring subsequent error handling when dc_destruct() is called,\nthere's no NULL check before dereferencing the perf_trace member\n(dc->ctx->perf_trace), causing a kernel null pointer dereference crash.\n\n[How]\nCheck if dc->ctx is non-NULL before dereferencing.\n\n(Updated commit text and removed unnecessary error message)\n(cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39705",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Destroy KFD debugfs after destroy KFD wq\n\nSince KFD proc content was moved to kernel debugfs, we can't destroy KFD\ndebugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior\nto kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens\nwhen /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but\nkfd_process_destroy_wq calls kfd_debugfs_remove_process. This line\n    debugfs_remove_recursive(entry->proc_dentry);\ntries to remove /sys/kernel/debug/kfd/proc/<pid> while\n/sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel\nNULL pointer.\n\n(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39706",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities\n\nHUBBUB structure is not initialized on DCE hardware, so check if it is NULL\nto avoid null dereference while accessing amdgpu_dm_capabilities file in\ndebugfs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39707",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix NULL pointer dereference\n\nA warning reported by smatch indicated a possible null pointer\ndereference where one of the arguments to API\n\"iris_hfi_gen2_handle_system_error\" could sometimes be null.\n\nTo fix this, add a check to validate that the argument passed is not\nnull before accessing its members.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39708",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: protect against spurious interrupts during probe\n\nMake sure the interrupt handler is initialized before the interrupt is\nregistered.\n\nIf the IRQ is registered before hfi_create(), it's possible that an\ninterrupt fires before the handler setup is complete, leading to a NULL\ndereference.\n\nThis error condition has been observed during system boot on Rb3Gen2.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39709",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Add a check for packet size after reading from shared memory\n\nAdd a check to ensure that the packet size does not exceed the number of\navailable words after reading the packet header from shared memory. This\nensures that the size provided by the firmware is safe to process and\nprevent potential out-of-bounds memory access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39710",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls\n\nBoth the ACE and CSI driver are missing a mei_cldev_disable() call in\ntheir remove() function.\n\nThis causes the mei_cl client to stay part of the mei_device->file_list\nlist even though its memory is freed by mei_cl_bus_dev_release() calling\nkfree(cldev->cl).\n\nThis leads to a use-after-free when mei_vsc_remove() runs mei_stop()\nwhich first removes all mei bus devices calling mei_ace_remove() and\nmei_csi_remove() followed by mei_cl_bus_dev_release() and then calls\nmei_cl_all_disconnect() which walks over mei_device->file_list dereferecing\nthe just freed cldev->cl.\n\nAnd mei_vsc_remove() it self is run at shutdown because of the\nplatform_device_unregister(tp->pdev) in vsc_tp_shutdown()\n\nWhen building a kernel with KASAN this leads to the following KASAN report:\n\n[ 106.634504] ==================================================================\n[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1\n[ 106.634729]\n[ 106.634767] Tainted: [E]=UNSIGNED_MODULE\n[ 106.634770] Hardware name: Dell Inc. 
XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025\n[ 106.634773] Call Trace:\n[ 106.634777]  <TASK>\n...\n[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei\n[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei\n...\n[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei\n[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc\n[ 106.635066] platform_remove (drivers/base/platform.c:1424)\n\nAdd the missing mei_cldev_disable() calls so that the mei_cl gets removed\nfrom mei_device->file_list before it is freed to fix this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39711",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval\n\nGetting / Setting the frame interval using the V4L2 subdev pad ops\nget_frame_interval/set_frame_interval causes a deadlock, as the\nsubdev state is locked in the [1] but also in the driver itself.\n\nIn [2] it's described that the caller is responsible to acquire and\nrelease the lock in this case. Therefore, acquiring the lock in the\ndriver is wrong.\n\nRemove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval()\nand mt9m114_ifp_set_frame_interval().\n\n[1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129\n[2] Documentation/driver-api/media/v4l2-subdev.rst",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39712",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n\nIn the interrupt handler rain_interrupt(), the buffer full check on\nrain->buf_len is performed before acquiring rain->buf_lock. This\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\nrain->buf_len is concurrently accessed and modified in the work\nhandler rain_irq_work_handler() under the same lock.\n\nMultiple interrupt invocations can race, with each reading buf_len\nbefore it becomes full and then proceeding. This can lead to both\ninterrupts attempting to write to the buffer, incrementing buf_len\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\n\nFix this bug by moving the spin_lock() to before the buffer full\ncheck. This ensures that the check and the subsequent buffer modification\nare performed atomically, preventing the race condition. An corresponding\nspin_unlock() is added to the overflow path to correctly release the\nlock.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39713",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn't adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39714",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise gateway LWS calls to probe user read access\n\nWe use load and stbys,e instructions to trigger memory reference\ninterruptions without writing to memory. Because of the way read\naccess support is implemented, read access interruptions are only\ntriggered at privilege levels 2 and 3. The kernel and gateway\npage execute at privilege level 0, so this code never triggers\na read access interruption. Thus, it is currently possible for\nuser code to execute a LWS compare and swap operation at an\naddress that is read protected at privilege level 3 (PRIV_USER).\n\nFix this by probing read access rights at privilege level 3 and\nbranching to lws_fault if access isn't allowed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39715",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise __get_user() to probe user read access\n\nBecause of the way read access support is implemented, read access\ninterruptions are only triggered at privilege levels 2 and 3. The\nkernel executes at privilege level 0, so __get_user() never triggers\na read access interruption (code 26). Thus, it is currently possible\nfor user code to access a read protected address via a system call.\n\nFix this by probing read access rights at privilege level 3 (PRIV_USER)\nand setting __gu_err to -EFAULT (-14) if access isn't allowed.\n\nNote the cmpiclr instruction does a 32-bit compare because COND macro\ndoesn't work inside asm.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39716",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopen_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE\n\nAs described in commit 7a54947e727b ('Merge patch series \"fs: allow\nchanging idmappings\"'), open_tree_attr(2) was necessary in order to\nallow for a detached mount to be created and have its idmappings changed\nwithout the risk of any racing threads operating on it. For this reason,\nmount_setattr(2) still does not allow for id-mappings to be changed.\n\nHowever, there was a bug in commit 2462651ffa76 (\"fs: allow changing\nidmappings\") which allowed users to bypass this restriction by calling\nopen_tree_attr(2) *without* OPEN_TREE_CLONE.\n\ncan_idmap_mount() prevented this bug from allowing an attached\nmountpoint's id-mapping from being modified (thanks to an is_anon_ns()\ncheck), but this still allows for detached (but visible) mounts to have\ntheir be id-mapping changed. This risks the same UAF and locking issues\nas described in the merge commit, and was likely unintentional.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39717",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Validate length in packet header before skb_put()\n\nWhen receiving a vsock packet in the guest, only the virtqueue buffer\nsize is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,\nvirtio_vsock_skb_rx_put() uses the length from the packet header as the\nlength argument to skb_put(), potentially resulting in SKB overflow if\nthe host has gone wonky.\n\nValidate the length as advertised by the packet header before calling\nvirtio_vsock_skb_rx_put().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39718",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: bno055: fix OOB access of hw_xlate array\n\nFix a potential out-of-bounds array access of the hw_xlate array in\nbno055.c.\n\nIn bno055_get_regmask(), hw_xlate was iterated over the length of the\nvals array instead of the length of the hw_xlate array. In the case of\nbno055_gyr_scale, the vals array is larger than the hw_xlate array,\nso this could result in an out-of-bounds access. In practice, this\nshouldn't happen though because a match should always be found which\nbreaks out of the for loop before it iterates beyond the end of the\nhw_xlate array.\n\nBy adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be\nsure we are iterating over the correct length.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39719",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix refcount leak causing resource not released\n\nWhen ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not\ndecremented properly, causing a refcount leak that prevents the count from\nreaching zero and the memory from being released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39720",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - flush misc workqueue during device shutdown\n\nRepeated loading and unloading of a device specific QAT driver, for\nexample qat_4xxx, in a tight loop can lead to a crash due to a\nuse-after-free scenario. This occurs when a power management (PM)\ninterrupt triggers just before the device-specific driver (e.g.,\nqat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains\nloaded.\n\nSince the driver uses a shared workqueue (`qat_misc_wq`) across all\ndevices and owned by intel_qat.ko, a deferred routine from the\ndevice-specific driver may still be pending in the queue. If this\nroutine executes after the driver is unloaded, it can dereference freed\nmemory, resulting in a page fault and kernel crash like the following:\n\n    BUG: unable to handle page fault for address: ffa000002e50a01c\n    #PF: supervisor read access in kernel mode\n    RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]\n    Call Trace:\n      pm_bh_handler+0x1d2/0x250 [intel_qat]\n      process_one_work+0x171/0x340\n      worker_thread+0x277/0x3a0\n      kthread+0xf0/0x120\n      ret_from_fork+0x2d/0x50\n\nTo prevent this, flush the misc workqueue during device shutdown to\nensure that all pending work items are completed before the driver is\nunloaded.\n\nNote: This approach may slightly increase shutdown latency if the\nworkqueue contains jobs from other devices, but it ensures correctness\nand stability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39721",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP\n\nSince the CAAM on these SoCs is managed by another ARM core, called the\nSECO (Security Controller) on iMX8QM and Secure Enclave on iMX8ULP, which\nalso reserves access to register page 0 suspend operations cannot touch\nthis page.\n\nThis is similar to when running OPTEE, where OPTEE will reserve page 0.\n\nTrack this situation using a new state variable no_page0, reflecting if\npage 0 is reserved elsewhere, either by other management cores in SoC or\nby OPTEE.\n\nReplace the optee_en check in suspend/resume with the new check.\n\noptee_en cannot go away as it's needed elsewhere to gate OPTEE specific\nsituations.\n\nFixes the following splat at suspend:\n\n    Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n    Hardware name: Freescale i.MX8QXP ACU6C (DT)\n    pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : readl+0x0/0x18\n    lr : rd_reg32+0x18/0x3c\n    sp : ffffffc08192ba20\n    x29: ffffffc08192ba20 x28: ffffff8025190000 x27: 0000000000000000\n    x26: ffffffc0808ae808 x25: ffffffc080922338 x24: ffffff8020e89090\n    x23: 0000000000000000 x22: ffffffc080922000 x21: ffffff8020e89010\n    x20: ffffffc080387ef8 x19: ffffff8020e89010 x18: 000000005d8000d5\n    x17: 0000000030f35963 x16: 000000008f785f3f x15: 000000003b8ef57c\n    x14: 00000000c418aef8 x13: 00000000f5fea526 x12: 0000000000000001\n    x11: 0000000000000002 x10: 0000000000000001 x9 : 0000000000000000\n    x8 : ffffff8025190870 x7 : ffffff8021726880 x6 : 0000000000000002\n    x5 : ffffff80217268f0 x4 : ffffff8021726880 x3 : ffffffc081200000\n    x2 : 0000000000000001 x1 : ffffff8020e89010 x0 : ffffffc081200004\n    Call trace:\n     readl+0x0/0x18\n     caam_ctrl_suspend+0x30/0xdc\n     dpm_run_callback.constprop.0+0x24/0x5c\n     device_suspend+0x170/0x2e8\n     dpm_suspend+0xa0/0x104\n     
dpm_suspend_start+0x48/0x50\n     suspend_devices_and_enter+0x7c/0x45c\n     pm_suspend+0x148/0x160\n     state_store+0xb4/0xf8\n     kobj_attr_store+0x14/0x24\n     sysfs_kf_write+0x38/0x48\n     kernfs_fop_write_iter+0xb4/0x178\n     vfs_write+0x118/0x178\n     ksys_write+0x6c/0xd0\n     __arm64_sys_write+0x14/0x1c\n     invoke_syscall.constprop.0+0x64/0xb0\n     do_el0_svc+0x90/0xb0\n     el0_svc+0x18/0x44\n     el0t_64_sync_handler+0x88/0x124\n     el0t_64_sync+0x150/0x154\n    Code: 88dffc21 88dffc21 5ac00800 d65f03c0 (b9400000)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39722",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix unbuffered write error handling\n\nIf all the subrequests in an unbuffered write stream fail, the subrequest\ncollector doesn't update the stream->transferred value and it retains its\ninitial LONG_MAX value.  Unfortunately, if all active streams fail, then we\ntake the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set\nin wreq->transferred - which is then returned from ->write_iter().\n\nLONG_MAX was chosen as the initial value so that all the streams can be\nquickly assessed by taking the smallest value of all stream->transferred -\nbut this only works if we've set any of them.\n\nFix this by adding a flag to indicate whether the value in\nstream->transferred is valid and checking that when we integrate the\nvalues.  stream->transferred can then be initialised to zero.\n\nThis was found by running the generic/750 xfstest against cifs with\ncache=none.  It splices data to the target file.  Once (if) it has used up\nall the available scratch space, the writes start failing with ENOSPC.\nThis causes ->write_iter() to fail.  However, it was returning\nwreq->transferred, i.e. LONG_MAX, rather than an error (because it thought\nthe amount transferred was non-zero) and iter_file_splice_write() would\nthen try to clean up that amount of pipe bufferage - leading to an oops\nwhen it overran.  The kernel log showed:\n\n    CIFS: VFS: Send error in write = -28\n\nfollowed by:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000008\n\nwith:\n\n    RIP: 0010:iter_file_splice_write+0x3a4/0x520\n    do_splice+0x197/0x4e0\n\nor:\n\n    RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)\n    iter_file_splice_write (fs/splice.c:755)\n\nAlso put a warning check into splice to announce if ->write_iter() returned\nthat it had written more than it was asked to.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39723",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p->fcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==\n(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock\nto fix this issue.\n\nPanic backtrace:\n[    0.442336] Oops - unknown exception [#1]\n[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e\n...\n[    0.442416] console_on_rootfs+0x26/0x70",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39724",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list\n\nIn shrink_folio_list(), the hwpoisoned folio may be large folio, which\ncan't be handled by unmap_poisoned_folio().  For THP, try_to_unmap_one()\nmust be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then\nretry.  Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of\npvmw.pte.  Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a\nWARN_ON_ONCE due to the page isn't in swapcache.\n\nSince UCE is rare in real world, and race with reclaimation is more rare,\njust skipping the hwpoisoned large folio is enough.  memory_failure() will\nhandle it if the UCE is triggered again.\n\nThis happens when memory reclaim for large folio races with\nmemory_failure(), and will lead to kernel panic.  The race is as\nfollows:\n\ncpu0      cpu1\n shrink_folio_list memory_failure\n  TestSetPageHWPoison\n  unmap_poisoned_folio\n  --> trigger BUG_ON due to\n  unmap_poisoned_folio couldn't\n   handle large folio\n\n[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39725",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-39726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ism: fix concurrency management in ism_cmd()\n\nThe s390x ISM device data sheet clearly states that only one\nrequest-response sequence is allowable per ISM function at any point in\ntime.  Unfortunately as of today the s390/ism driver in Linux does not\nhonor that requirement. This patch aims to rectify that.\n\nThis problem was discovered based on Aliaksei's bug report which states\nthat for certain workloads the ISM functions end up entering error state\n(with PEC 2 as seen from the logs) after a while and as a consequence\nconnections handled by the respective function break, and for future\nconnection requests the ISM device is not considered -- given it is in a\ndysfunctional state. During further debugging PEC 3A was observed as\nwell.\n\nA kernel message like\n[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a\nis a reliable indicator of the stated function entering error state\nwith PEC 2. Let me also point out that a kernel message like\n[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery\nis a reliable indicator that the ISM function won't be auto-recovered\nbecause the ISM driver currently lacks support for it.\n\nOn a technical level, without this synchronization, commands (inputs to\nthe FW) may be partially or fully overwritten (corrupted) by another CPU\ntrying to issue commands on the same function. There is hard evidence that\nthis can lead to DMB token values being used as DMB IOVAs, leading to\nPEC 2 PCI events indicating invalid DMA. But this is only one of the\nfailure modes imaginable. In theory even completely losing one command\nand executing another one twice and then trying to interpret the outputs\nas if the command we intended to execute was actually executed and not\nthe other one is also possible.  Frankly, I don't feel confident about\nproviding an exhaustive list of possible consequences.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39726",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-39727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix potential buffer overflow in setup_clusters()\n\nIn setup_swap_map(), we only ensure badpages are in range (0, last_page]. \nAs maxpages might be < last_page, setup_clusters() will encounter a buffer\noverflow when a badpage is >= maxpages.\n\nOnly call inc_cluster_info_page() for badpage which is < maxpages to fix\nthe issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39727",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: Fix UBSAN panic in samsung_clk_init()\n\nWith UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to\ndereferencing `ctx->clk_data.hws` before setting\n`ctx->clk_data.num = nr_clks`. Move that up to fix the crash.\n\n  UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\n  <snip>\n  Call trace:\n   samsung_clk_init+0x110/0x124 (P)\n   samsung_clk_init+0x48/0x124 (L)\n   samsung_cmu_register_one+0x3c/0xa0\n   exynos_arm64_register_cmu+0x54/0x64\n   __gs101_cmu_top_of_clk_init_declare+0x28/0x60\n   ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix dereferencing uninitialized error pointer\n\nFix below smatch warnings:\ndrivers/crypto/ccp/sev-dev.c:1312 __sev_platform_init_locked()\nerror: we previously assumed 'error' could be null",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39729",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded filehandle.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39730",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: vm_unmap_ram() may be called from an invalid context\n\nWhen testing F2FS with xfstests using UFS backed virtual disks the\nkernel complains sometimes that f2fs_release_decomp_mem() calls\nvm_unmap_ram() from an invalid context. Example trace from\nf2fs/007 test:\n\nf2fs/007 5s ...  [12:59:38][    8.902525] run fstests f2fs/007\n[   11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978\n[   11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd\n[   11.475357] preempt_count: 1, expected: 0\n[   11.476970] RCU nest depth: 0, expected: 0\n[   11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G        W           6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)\n[   11.478535] Tainted: [W]=WARN\n[   11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   11.478537] Call Trace:\n[   11.478543]  <TASK>\n[   11.478545]  dump_stack_lvl+0x4e/0x70\n[   11.478554]  __might_resched.cold+0xaf/0xbe\n[   11.478557]  vm_unmap_ram+0x21/0xb0\n[   11.478560]  f2fs_release_decomp_mem+0x59/0x80\n[   11.478563]  f2fs_free_dic+0x18/0x1a0\n[   11.478565]  f2fs_finish_read_bio+0xd7/0x290\n[   11.478570]  blk_update_request+0xec/0x3b0\n[   11.478574]  ? sbitmap_queue_clear+0x3b/0x60\n[   11.478576]  scsi_end_request+0x27/0x1a0\n[   11.478582]  scsi_io_completion+0x40/0x300\n[   11.478583]  ufshcd_mcq_poll_cqe_lock+0xa3/0xe0\n[   11.478588]  ufshcd_sl_intr+0x194/0x1f0\n[   11.478592]  ufshcd_threaded_intr+0x68/0xb0\n[   11.478594]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478599]  irq_thread_fn+0x20/0x60\n[   11.478602]  ? __pfx_irq_thread_fn+0x10/0x10\n[   11.478603]  irq_thread+0xb9/0x180\n[   11.478605]  ? __pfx_irq_thread_dtor+0x10/0x10\n[   11.478607]  ? __pfx_irq_thread+0x10/0x10\n[   11.478609]  kthread+0x10a/0x230\n[   11.478614]  ? __pfx_kthread+0x10/0x10\n[   11.478615]  ret_from_fork+0x7e/0xd0\n[   11.478619]  ? __pfx_kthread+0x10/0x10\n[   11.478621]  ret_from_fork_asm+0x1a/0x30\n[   11.478623]  </TASK>\n\nThis patch modifies in_task() check inside f2fs_read_end_io() to also\ncheck if interrupts are disabled. This ensures that pages are unmapped\nasynchronously in an interrupt handler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39731",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()\n\nath11k_mac_disable_peer_fixed_rate() is passed as the iterator to\nieee80211_iterate_stations_atomic(). Note in this case the iterator is\nrequired to be atomic, however ath11k_mac_disable_peer_fixed_rate() does\nnot follow it as it might sleep. Consequently below warning is seen:\n\nBUG: sleeping function called from invalid context at wmi.c:304\nCall Trace:\n <TASK>\n dump_stack_lvl\n __might_resched.cold\n ath11k_wmi_cmd_send\n ath11k_wmi_set_peer_param\n ath11k_mac_disable_peer_fixed_rate\n ieee80211_iterate_stations_atomic\n ath11k_mac_op_set_bitrate_mask.cold\n\nChange to ieee80211_iterate_stations_mtx() to fix this issue.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39732",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: replace team lock with rtnl lock\n\nsyszbot reports various ordering issues for lower instance locks and\nteam lock. Switch to using rtnl lock for protecting team device,\nsimilar to bonding. Based on the patch by Tetsuo Handa.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39733",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"fs/ntfs3: Replace inode_trylock with inode_lock\"\n\nThis reverts commit 69505fe98f198ee813898cbcaf6770949636430b.\n\nInitially, conditional lock acquisition was removed to fix an xfstest bug\nthat was observed during internal testing. The deadlock reported by syzbot\nis resolved by reintroducing conditional acquisition. The xfstest bug no\nlonger occurs on kernel version 6.16-rc1 during internal testing. I\nassume that changes in other modules may have contributed to this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds read in ea_get()\n\nDuring the \"size_check\" label in ea_get(), the code checks if the extended\nattribute list (xattr) size matches ea_size. If not, it logs\n\"ea_get: invalid extended attribute\" and calls print_hex_dump().\n\nHere, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds\nINT_MAX (2,147,483,647). Then ea_size is clamped:\n\n\tint size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));\n\nAlthough clamp_t aims to bound ea_size between 0 and 4110417968, the upper\nlimit is treated as an int, causing an overflow above 2^31 - 1. This leads\n\"size\" to wrap around and become negative (-184549328).\n\nThe \"size\" is then passed to print_hex_dump() (called \"len\" in\nprint_hex_dump()), it is passed as type size_t (an unsigned\ntype), this is then stored inside a variable called\n\"int remaining\", which is then assigned to \"int linelen\" which\nis then passed to hex_dump_to_buffer(). In print_hex_dump()\nthe for loop, iterates through 0 to len-1, where len is\n18446744073525002176, calling hex_dump_to_buffer()\non each iteration:\n\n\tfor (i = 0; i < len; i += rowsize) {\n\t\tlinelen = min(remaining, rowsize);\n\t\tremaining -= rowsize;\n\n\t\thex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,\n\t\t\t\t   linebuf, sizeof(linebuf), ascii);\n\n\t\t...\n\t}\n\nThe expected stopping condition (i < len) is effectively broken\nsince len is corrupted and very large. This eventually leads to\nthe \"ptr+i\" being passed to hex_dump_to_buffer() to get closer\nto the end of the actual bounds of \"ptr\", eventually an out of\nbounds access is done in hex_dump_to_buffer() in the following\nfor loop:\n\n\tfor (j = 0; j < len; j++) {\n\t\t\tif (linebuflen < lx + 2)\n\t\t\t\tgoto overflow2;\n\t\t\tch = ptr[j];\n\t\t...\n\t}\n\nTo fix this we should validate \"EALIST_SIZE(ea_buf->xattr)\"\nbefore it is utilised.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39735",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock\n\nWhen netpoll is enabled, calling pr_warn_once() while holding\nkmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock\ninversion with the netconsole subsystem.  This occurs because\npr_warn_once() may trigger netpoll, which eventually leads to\n__alloc_skb() and back into kmemleak code, attempting to reacquire\nkmemleak_lock.\n\nThis is the path for the deadlock.\n\nmem_pool_alloc()\n  -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\n      -> pr_warn_once()\n          -> netconsole subsystem\n\t     -> netpoll\n\t         -> __alloc_skb\n\t\t   -> __create_object\n\t\t     -> raw_spin_lock_irqsave(&kmemleak_lock, flags);\n\nFix this by setting a flag and issuing the pr_warn_once() after\nkmemleak_lock is released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39736",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()\n\nA soft lockup warning was observed on a relative small system x86-64\nsystem with 16 GB of memory when running a debug kernel with kmemleak\nenabled.\n\n  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]\n\nThe test system was running a workload with hot unplug happening in\nparallel.  Then kemleak decided to disable itself due to its inability to\nallocate more kmemleak objects.  The debug kernel has its\nCONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.\n\nThe soft lockup happened in kmemleak_do_cleanup() when the existing\nkmemleak objects were being removed and deleted one-by-one in a loop via a\nworkqueue.  In this particular case, there are at least 40,000 objects\nthat need to be processed and given the slowness of a debug kernel and the\nfact that a raw_spinlock has to be acquired and released in\n__delete_object(), it could take a while to properly handle all these\nobjects.\n\nAs kmemleak has been disabled in this case, the object removal and\ndeletion process can be further optimized as locking isn't really needed. \nHowever, it is probably not worth the effort to optimize for such an edge\ncase that should rarely happen.  So the simple solution is to call\ncond_resched() at periodic interval in the iteration loop to avoid soft\nlockup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39737",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not allow relocation of partially dropped subvolumes\n\n[BUG]\nThere is an internal report that balance triggered transaction abort,\nwith the following call trace:\n\n  item 85 key (594509824 169 0) itemoff 12599 itemsize 33\n          extent refs 1 gen 197740 flags 2\n          ref#0: tree block backref root 7\n  item 86 key (594558976 169 0) itemoff 12566 itemsize 33\n          extent refs 1 gen 197522 flags 2\n          ref#0: tree block backref root 7\n ...\n BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0\n BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117\n ------------[ cut here ]------------\n BTRFS: Transaction aborted (error -117)\n WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]\n\nAnd btrfs check doesn't report anything wrong related to the extent\ntree.\n\n[CAUSE]\nThe cause is a little complex, firstly the extent tree indeed doesn't\nhave the backref for 594526208.\n\nThe extent tree only have the following two backrefs around that bytenr\non-disk:\n\n        item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33\n                refs 1 gen 197740 flags TREE_BLOCK\n                tree block skinny level 0\n                (176 0x7) tree block backref root CSUM_TREE\n        item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33\n                refs 1 gen 197522 flags TREE_BLOCK\n                tree block skinny level 0\n                (176 0x7) tree block backref root CSUM_TREE\n\nBut the such missing backref item is not an corruption on disk, as the\noffending delayed ref belongs to subvolume 934, and that subvolume is\nbeing dropped:\n\n        item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439\n                generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328\n                last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0\n                drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2\n                level 2 generation_v2 198229\n\nAnd that offending tree block 594526208 is inside the dropped range of\nthat subvolume.  That explains why there is no backref item for that\nbytenr and why btrfs check is not reporting anything wrong.\n\nBut this also shows another problem, as btrfs will do all the orphan\nsubvolume cleanup at a read-write mount.\n\nSo half-dropped subvolume should not exist after an RW mount, and\nbalance itself is also exclusive to subvolume cleanup, meaning we\nshouldn't hit a subvolume half-dropped during relocation.\n\nThe root cause is, there is no orphan item for this subvolume.\nIn fact there are 5 subvolumes from around 2021 that have the same\nproblem.\n\nIt looks like the original report has some older kernels running, and\ncaused those zombie subvolumes.\n\nThankfully upstream commit 8d488a8c7ba2 (\"btrfs: fix subvolume/snapshot\ndeletion not triggered on mount\") has long fixed the bug.\n\n[ENHANCEMENT]\nFor repairing such old fs, btrfs-progs will be enhanced.\n\nConsidering how delayed the problem will show up (at run delayed ref\ntime) and at that time we have to abort transaction already, it is too\nlate.\n\nInstead here we reject any half-dropped subvolume for reloc tree at the\nearliest time, preventing confusion and extra time wasted on debugging\nsimilar bugs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39738",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-qcom: Add SM6115 MDSS compatible\n\nAdd the SM6115 MDSS compatible to clients compatible list, as it also\nneeds that workaround.\nWithout this workaround, for example, QRB4210 RB2 which is based on\nSM4250/SM6115 generates a lot of smmu unhandled context faults during\nboot:\n\narm_smmu_context_fault: 116854 callbacks suppressed\narm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,\niova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5\narm-smmu c600000.iommu: FSR    = 00000402 [Format=2 TF], SID=0x420\narm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1]\narm-smmu c600000.iommu: Unhandled context fault: fsr=0x402,\niova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5\narm-smmu c600000.iommu: FSR    = 00000402 [Format=2 TF], SID=0x420\n\nand also failed initialisation of lontium lt9611uxc, gpu and dpu is\nobserved:\n(binding MDSS components triggered by lt9611uxc have failed)\n\n ------------[ cut here ]------------\n !aspace\n WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm]\n Modules linked in: ... (long list of modules)\n CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT\n Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT)\n pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : msm_gem_vma_init+0x150/0x18c [msm]\n lr : msm_gem_vma_init+0x150/0x18c [msm]\n sp : ffff80008144b280\n  \t\t...\n Call trace:\n  msm_gem_vma_init+0x150/0x18c [msm] (P)\n  get_vma_locked+0xc0/0x194 [msm]\n  msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm]\n  msm_gem_kernel_new+0x48/0x160 [msm]\n  msm_gpu_init+0x34c/0x53c [msm]\n  adreno_gpu_init+0x1b0/0x2d8 [msm]\n  a6xx_gpu_init+0x1e8/0x9e0 [msm]\n  adreno_bind+0x2b8/0x348 [msm]\n  component_bind_all+0x100/0x230\n  msm_drm_bind+0x13c/0x3d0 [msm]\n  try_to_bring_up_aggregate_device+0x164/0x1d0\n  __component_add+0xa4/0x174\n  component_add+0x14/0x20\n  dsi_dev_attach+0x20/0x34 [msm]\n  dsi_host_attach+0x58/0x98 [msm]\n  devm_mipi_dsi_attach+0x34/0x90\n  lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc]\n  lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc]\n  i2c_device_probe+0x148/0x2a8\n  really_probe+0xbc/0x2c0\n  __driver_probe_device+0x78/0x120\n  driver_probe_device+0x3c/0x154\n  __driver_attach+0x90/0x1a0\n  bus_for_each_dev+0x68/0xb8\n  driver_attach+0x24/0x30\n  bus_add_driver+0xe4/0x208\n  driver_register+0x68/0x124\n  i2c_register_driver+0x48/0xcc\n  lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc]\n  do_one_initcall+0x60/0x1d4\n  do_init_module+0x54/0x1fc\n  load_module+0x1748/0x1c8c\n  init_module_from_file+0x74/0xa0\n  __arm64_sys_finit_module+0x130/0x2f8\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0xc0/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x2c/0x80\n  el0t_64_sync_handler+0x10c/0x138\n  el0t_64_sync+0x198/0x19c\n ---[ end trace 0000000000000000 ]---\n msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22\n msm_dpu 5e01000.display-controller: failed to load adreno gpu\n platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19\n msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22\n msm_dpu 5e01000.display-controller: adev bind failed: -22\n lt9611uxc 0-002b: failed to attach dsi to host\n lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39739",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/migrate: prevent potential UAF\n\nIf we hit the error path, the previous fence (if there is one) has\nalready been put() prior to this, so doing a fence_wait could lead to\nUAF. Tweak the flow to do to the put() until after we do the wait.\n\n(cherry picked from commit 9b7ca35ed28fe5fad86e9d9c24ebd1271e4c9c3e)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39740",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/migrate: don't overflow max copy size\n\nWith non-page aligned copy, we need to use 4 byte aligned pitch, however\nthe size itself might still be close to our maximum of ~8M, and so the\ndimensions of the copy can easily exceed the S16_MAX limit of the copy\ncommand leading to the following assert:\n\nxe 0000:03:00.0: [drm] Assertion `size / pitch <= ((s16)(((u16)~0U) >> 1))` failed!\nplatform: BATTLEMAGE subplatform: 1\ngraphics: Xe2_HPG 20.01 step A0\nmedia: Xe2_HPM 13.01 step A1\ntile: 0 VRAM 10.0 GiB\nGT: 0 type 1\n\nWARNING: CPU: 23 PID: 10605 at drivers/gpu/drm/xe/xe_migrate.c:673 emit_copy+0x4b5/0x4e0 [xe]\n\nTo fix this account for the pitch when calculating the number of current\nbytes to copy.\n\n(cherry picked from commit 8c2d61e0e916e077fda7e7b8e67f25ffe0f361fc)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39741",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n\nThe function divides number of online CPUs by num_core_siblings, and\nlater checks the divider by zero. This implies a possibility to get\nand divide-by-zero runtime error. Fix it by moving the check prior to\ndivision. This also helps to save one indentation level.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39742",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: truncate good inode pages when hard link is 0\n\nThe fileset value of the inode copy from the disk by the reproducer is\nAGGR_RESERVED_I. When executing evict, its hard link number is 0, so its\ninode pages are not truncated. This causes the bugon to be triggered when\nexecuting clear_inode() because nrpages is greater than 0.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39743",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix rcu_read_unlock() deadloop due to IRQ work\n\nDuring rcu_read_unlock_special(), if this happens during irq_exit(), we\ncan lock up if an IPI is issued. This is because the IPI itself triggers\nthe irq_exit() path causing a recursive lock up.\n\nThis is precisely what Xiongfeng found when invoking a BPF program on\nthe trace_tick_stop() tracepoint, as shown in the trace below. Fix by\nmanaging the irq_work state correctly.\n\nirq_exit()\n  __irq_exit_rcu()\n    /* in_hardirq() returns false after this */\n    preempt_count_sub(HARDIRQ_OFFSET)\n    tick_irq_exit()\n      tick_nohz_irq_exit()\n\t    tick_nohz_stop_sched_tick()\n\t      trace_tick_stop()  /* a bpf prog is hooked on this trace point */\n\t\t   __bpf_trace_tick_stop()\n\t\t      bpf_trace_run2()\n\t\t\t    rcu_read_unlock_special()\n                              /* will send a IPI to itself */\n\t\t\t      irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);\n\nA simple reproducer can also be obtained by doing the following in\ntick_irq_exit(). It will hang on boot without the patch:\n\n  static inline void tick_irq_exit(void)\n  {\n +\trcu_read_lock();\n +\tWRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true);\n +\trcu_read_unlock();\n +\n\n[neeraj: Apply Frederic's suggested fix for PREEMPT_RT]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39744",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix rcutorture_one_extend_check() splat in RT kernels\n\nFor kernels built with CONFIG_PREEMPT_RT=y, running rcutorture\ntests resulted in the following splat:\n\n[   68.797425] rcutorture_one_extend_check during change: Current 0x1  To add 0x1  To remove 0x0  preempt_count() 0x0\n[   68.797533] WARNING: CPU: 2 PID: 512 at kernel/rcu/rcutorture.c:1993 rcutorture_one_extend_check+0x419/0x560 [rcutorture]\n[   68.797601] Call Trace:\n[   68.797602]  <TASK>\n[   68.797619]  ? lockdep_softirqs_off+0xa5/0x160\n[   68.797631]  rcutorture_one_extend+0x18e/0xcc0 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]\n[   68.797646]  ? local_clock+0x19/0x40\n[   68.797659]  rcu_torture_one_read+0xf0/0x280 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]\n[   68.797678]  ? __pfx_rcu_torture_one_read+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]\n[   68.797804]  ? __pfx_rcu_torture_timer+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]\n[   68.797815] rcu-torture: rcu_torture_reader task started\n[   68.797824] rcu-torture: Creating rcu_torture_reader task\n[   68.797824]  rcu_torture_reader+0x238/0x580 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c]\n[   68.797836]  ? kvm_sched_clock_read+0x15/0x30\n\nDisabling BH does not change the corresponding SOFTIRQ bits in\npreempt_count() for RT kernels, so this commit uses\nsoftirq_count() to check if BH is disabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39745",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: shutdown driver when hardware is unreliable\n\nIn rare cases, ath10k may lose connection with the PCIe bus due to\nsome unknown reasons, which could further lead to system crashes during\nresuming due to watchdog timeout:\n\nath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardware\nath10k_pci 0000:01:00.0: already restarting\nath10k_pci 0000:01:00.0: failed to stop WMI vdev 0: -11\nath10k_pci 0000:01:00.0: failed to stop vdev 0: -11\nieee80211 phy0: PM: **** DPM device timeout ****\nCall Trace:\n panic+0x125/0x315\n dpm_watchdog_set+0x54/0x54\n dpm_watchdog_handler+0x57/0x57\n call_timer_fn+0x31/0x13c\n\nAt this point, all WMI commands will timeout and attempt to restart\ndevice. So set a threshold for consecutive restart failures. If the\nthreshold is exceeded, consider the hardware is unreliable and all\nath10k operations should be skipped to avoid system crash.\n\nfail_cont_count and pending_recovery are atomic variables, and\ndo not involve complex conditional logic. Therefore, even if recovery\ncheck and reconfig complete are executed concurrently, the recovery\nmechanism will not be broken.\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39746",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Add error handling for krealloc in metadata setup\n\nFunction msm_ioctl_gem_info_set_metadata() now checks for krealloc\nfailure and returns -ENOMEM, avoiding potential NULL pointer dereference.\nExplicitly avoids __GFP_NOFAIL due to deadlock risks and allocation constraints.\n\nPatchwork: https://patchwork.freedesktop.org/patch/661235/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39747",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Forget ranges when refining tnum after JSET\n\nSyzbot reported a kernel warning due to a range invariant violation on\nthe following BPF program.\n\n  0: call bpf_get_netns_cookie\n  1: if r0 == 0 goto <exit>\n  2: if r0 & Oxffffffff goto <exit>\n\nThe issue is on the path where we fall through both jumps.\n\nThat path is unreachable at runtime: after insn 1, we know r0 != 0, but\nwith the sign extension on the jset, we would only fallthrough insn 2\nif r0 == 0. Unfortunately, is_branch_taken() isn't currently able to\nfigure this out, so the verifier walks all branches. The verifier then\nrefines the register bounds using the second condition and we end\nup with inconsistent bounds on this unreachable path:\n\n  1: if r0 == 0 goto <exit>\n    r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)\n  2: if r0 & 0xffffffff goto <exit>\n    r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)\n    r0 after reg_bounds_sync:  u64=[0x1, 0] var_off=(0, 0)\n\nImproving the range refinement for JSET to cover all cases is tricky. We\nalso don't expect many users to rely on JSET given LLVM doesn't generate\nthose instructions. So instead of improving the range refinement for\nJSETs, Eduard suggested we forget the ranges whenever we're narrowing\ntnums after a JSET. This patch implements that approach.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39748",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect ->defer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won't happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure's ->defer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special().  This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last  enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70\nsoftirqs last  enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special().  In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe ->defer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending\nfield.  This suffices because this handler is not a fast path.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39749",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Correct tid cleanup when tid setup fails\n\nCurrently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),\nthe tid value is already incremented, even though the corresponding\nTID is not actually allocated. Proceeding to\nath12k_dp_rx_peer_tid_delete() starting from the unallocated tid\nmight lead to freeing an unallocated TID and cause a potential\ncrash or out-of-bounds access.\n\nHence, fix by correctly decrementing tid before cleanup to match only\nthe successfully allocated TIDs.\n\nAlso, remove tid-- from the failure case of ath12k_dp_rx_peer_frag_setup(),\nas decrementing the tid before cleanup in the loop will take care of this.\n\nCompile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: rockchip: fix kernel hang during smp initialization\n\nIn order to bring up secondary CPUs, the main CPU writes trampoline\ncode to SRAM. The trampoline code is written while secondary\nCPUs are powered on (at least that is true for the RK3188 CPU).\nSometimes that leads to a kernel hang, probably because a secondary\nCPU executes trampoline code when the kernel doesn't expect it.\n\nThe patch moves the SRAM initialization step to the point where all\nsecondary CPUs are powered down.\n\nThat fixes rare hangs on RK3188:\n[    0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000\n[    0.091996] rockchip_smp_prepare_cpus: ncores 4",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39752",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops\n\nClears up the warning added in 7ee3647243e5 (\"migrate: Remove call to\n->writepage\") that occurs in various xfstests, causing \"something found\nin dmesg\" failures.\n\n[  341.136573] gfs2_meta_aops does not implement migrate_folio\n[  341.136953] WARNING: CPU: 1 PID: 36 at mm/migrate.c:944 move_to_new_folio+0x2f8/0x300",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39753",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/smaps: fix race between smaps_hugetlb_range and migration\n\nsmaps_hugetlb_range() handles the pte without holding ptl, and may be\nconcurrent with migration, leading to BUG_ON in pfn_swap_entry_to_page().\nThe race is as follows.\n\nsmaps_hugetlb_range              migrate_pages\n  huge_ptep_get\n                                   remove_migration_ptes\n\t\t\t\t   folio_unlock\n  pfn_swap_entry_folio\n    BUG_ON\n\nTo fix it, hold ptl lock in smaps_hugetlb_range().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39754",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gpib: Fix cb7210 pcmcia Oops\n\nThe pcmcia_driver struct was still only using the old .name\ninitialization in the drv field. This led to a NULL pointer\nderef Oops in strcmp called from pcmcia_register_driver.\n\nInitialize the pcmcia_driver struct name field.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39755",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n  WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n   # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n   #include <unistd.h>\n   #include <sys/resource.h>\n\n   int main() {\n       struct rlimit rlim = {1073741824, 1073741824};\n       setrlimit(RLIMIT_NOFILE, &rlim);\n       dup2(2, 1073741880);  // Triggers the warning\n       return 0;\n   }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n   size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n   inadvertently trigger massive allocations\n3. The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39756",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 cluster segment descriptors\n\nUAC3 class segment descriptors need to be verified whether their sizes\nmatch with the declared lengths and whether they fit with the\nallocated buffer sizes, too.  Otherwise malicious firmware may lead to\nthe unexpected OOB accesses.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39757",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages\n\nEver since commit c2ff29e99a76 (\"siw: Inline do_tcp_sendpages()\"),\nwe have been doing this:\n\nstatic int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,\n                             size_t size)\n[...]\n        /* Calculate the number of bytes we need to push, for this page\n         * specifically */\n        size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);\n        /* If we can't splice it, then copy it in, as normal */\n        if (!sendpage_ok(page[i]))\n                msg.msg_flags &= ~MSG_SPLICE_PAGES;\n        /* Set the bvec pointing to the page, with len $bytes */\n        bvec_set_page(&bvec, page[i], bytes, offset);\n        /* Set the iter to $size, aka the size of the whole sendpages (!!!) */\n        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);\ntry_page_again:\n        lock_sock(sk);\n        /* Sendmsg with $size size (!!!) */\n        rv = tcp_sendmsg_locked(sk, &msg, size);\n\nThis means we've been sending oversized iov_iters and tcp_sendmsg calls\nfor a while. This has a been a benign bug because sendpage_ok() always\nreturned true. With the recent slab allocator changes being slowly\nintroduced into next (that disallow sendpage on large kmalloc\nallocations), we have recently hit out-of-bounds crashes, due to slight\ndifferences in iov_iter behavior between the MSG_SPLICE_PAGES and\n\"regular\" copy paths:\n\n(MSG_SPLICE_PAGES)\nskb_splice_from_iter\n  iov_iter_extract_pages\n    iov_iter_extract_bvec_pages\n      uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere\n  skb_splice_from_iter gets a \"short\" read\n\n(!MSG_SPLICE_PAGES)\nskb_copy_to_page_nocache copy=iov_iter_count\n [...]\n   copy_from_iter\n        /* this doesn't help */\n        if (unlikely(iter->count < len))\n                len = iter->count;\n          iterate_bvec\n            ... and we run off the bvecs\n\nFix this by properly setting the iov_iter's byte count, plus sending the\ncorrect byte count to tcp_sendmsg_locked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39758",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\n\nThere's a race between a task disabling quotas and another running the\nrescan ioctl that can result in a use-after-free of qgroup records from\nthe fs_info->qgroup_tree rbtree.\n\nThis happens as follows:\n\n1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();\n\n2) Task B enters btrfs_quota_disable() and calls\n   btrfs_qgroup_wait_for_completion(), which does nothing because at that\n   point fs_info->qgroup_rescan_running is false (it wasn't set yet by\n   task A);\n\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\n   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;\n\n4) Task A enters qgroup_rescan_zero_tracking() which starts iterating\n   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,\n   but task B is freeing qgroup records from that tree without holding\n   the lock, resulting in a use-after-free.\n\nFix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().\nAlso at btrfs_qgroup_rescan() don't start the rescan worker if quotas\nwere already disabled.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39759",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: config: Prevent OOB read in SS endpoint companion parsing\n\nusb_parse_ss_endpoint_companion() checks descriptor type before length,\nenabling a potentially odd read outside of the buffer size.\n\nFix this up by checking the size first before looking at any of the\nfields in the descriptor.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39760",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Decrement TID on RX peer frag setup error handling\n\nCurrently, TID is not decremented before peer cleanup, during error\nhandling path of ath12k_dp_rx_peer_frag_setup(). This could lead to\nout-of-bounds access in peer->rx_tid[].\n\nHence, add a decrement operation for TID, before peer cleanup to\nensure proper cleanup and prevent out-of-bounds access issues when\nthe RX peer frag setup fails.\n\nFound during code review. Compile tested only.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39761",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: add null check\n\n[WHY]\nPrevents null pointer dereferences to enhance function robustness\n\n[HOW]\nAdds early null check and return false if invalid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39762",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered\n\nIf a synchronous error is detected as a result of user-space process\ntriggering a 2-bit uncorrected error, the CPU will take a synchronous\nerror exception such as Synchronous External Abort (SEA) on Arm64. The\nkernel will queue a memory_failure() work which poisons the related\npage, unmaps the page, and then sends a SIGBUS to the process, so that\na system wide panic can be avoided.\n\nHowever, no memory_failure() work will be queued when abnormal\nsynchronous errors occur. These errors can include situations like\ninvalid PA, unexpected severity, no memory failure config support,\ninvalid GUID section, etc. In such a case, the user-space process will\ntrigger SEA again.  This loop can potentially exceed the platform\nfirmware threshold or even trigger a kernel hard lockup, leading to a\nsystem reboot.\n\nFix it by performing a force kill if no memory_failure() work is queued\nfor synchronous errors.\n\n[ rjw: Changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39763",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: remove refcounting in expectation dumpers\n\nSame pattern as previous patch: do not keep the expectation object\nalive via refcount, only store a cookie value and then use that\nas the skip hint for dump resumption.\n\nAFAICS this has the same issue as the one resolved in the conntrack\ndumper, when we do\n  if (!refcount_inc_not_zero(&exp->use))\n\nto increment the refcount, there is a chance that exp == last, which\ncauses a double-increment of the refcount and subsequent memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39764",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: fix ida_free call while not allocated\n\nIn the snd_utimer_create() function, if the kasprintf() function return\nNULL, snd_utimer_put_id() will be called, finally use ida_free()\nto free the unallocated id 0.\n\nthe syzkaller reported the following information:\n  ------------[ cut here ]------------\n  ida_free called for id=0 which is not allocated.\n  WARNING: CPU: 1 PID: 1286 at lib/idr.c:592 ida_free+0x1fd/0x2f0 lib/idr.c:592\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 1286 Comm: syz-executor164 Not tainted 6.15.8 #3 PREEMPT(lazy)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014\n  RIP: 0010:ida_free+0x1fd/0x2f0 lib/idr.c:592\n  Code: f8 fc 41 83 fc 3e 76 69 e8 70 b2 f8 (...)\n  RSP: 0018:ffffc900007f79c8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: 1ffff920000fef3b RCX: ffffffff872176a5\n  RDX: ffff88800369d200 RSI: 0000000000000000 RDI: ffff88800369d200\n  RBP: 0000000000000000 R08: ffffffff87ba60a5 R09: 0000000000000000\n  R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\n  R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000\n  FS:  00007f6f1abc1740(0000) GS:ffff8880d76a0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f6f1ad7a784 CR3: 000000007a6e2000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   snd_utimer_put_id sound/core/timer.c:2043 [inline] [snd_timer]\n   snd_utimer_create+0x59b/0x6a0 sound/core/timer.c:2184 [snd_timer]\n   snd_utimer_ioctl_create sound/core/timer.c:2202 [inline] [snd_timer]\n   __snd_timer_user_ioctl.isra.0+0x724/0x1340 sound/core/timer.c:2287 [snd_timer]\n   snd_timer_user_ioctl+0x75/0xc0 sound/core/timer.c:2298 [snd_timer]\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:907 [inline]\n   __se_sys_ioctl fs/ioctl.c:893 [inline]\n   __x64_sys_ioctl+0x198/0x200 fs/ioctl.c:893\n   
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x7b/0x160 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nThe utimer->id should be set properly before the kasprintf() function,\nwhich ensures the snd_utimer_put_id() function will free the allocated id.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39765",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit\n\nThe following setup can trigger a WARNING in htb_activate due to\nthe condition: !cl->leaf.q->q.qlen\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 \\\n       htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle f: \\\n       cake memlimit 1b\nping -I lo -f -c1 -s64 -W0.001 127.0.0.1\n\nThis is because the low memlimit leads to a low buffer_limit, which\ncauses packet dropping. However, cake_enqueue still returns\nNET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an\nempty child qdisc. We should return NET_XMIT_CN when packets are\ndropped from the same tin and flow.\n\nI do not believe the return value of NET_XMIT_CN is necessary for packet\ndrops in the case of ack filtering, as that is meant to optimize\nperformance, not to signal congestion.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39766",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Optimize module load time by optimizing PLT/GOT counting\n\nWhen enabling CONFIG_KASAN, CONFIG_PREEMPT_VOLUNTARY_BUILD and\nCONFIG_PREEMPT_VOLUNTARY at the same time, there will be a soft deadlock,\nthe relevant logs are as follows:\n\nrcu: INFO: rcu_sched self-detected stall on CPU\n...\nCall Trace:\n[<900000000024f9e4>] show_stack+0x5c/0x180\n[<90000000002482f4>] dump_stack_lvl+0x94/0xbc\n[<9000000000224544>] rcu_dump_cpu_stacks+0x1fc/0x280\n[<900000000037ac80>] rcu_sched_clock_irq+0x720/0xf88\n[<9000000000396c34>] update_process_times+0xb4/0x150\n[<90000000003b2474>] tick_nohz_handler+0xf4/0x250\n[<9000000000397e28>] __hrtimer_run_queues+0x1d0/0x428\n[<9000000000399b2c>] hrtimer_interrupt+0x214/0x538\n[<9000000000253634>] constant_timer_interrupt+0x64/0x80\n[<9000000000349938>] __handle_irq_event_percpu+0x78/0x1a0\n[<9000000000349a78>] handle_irq_event_percpu+0x18/0x88\n[<9000000000354c00>] handle_percpu_irq+0x90/0xf0\n[<9000000000348c74>] handle_irq_desc+0x94/0xb8\n[<9000000001012b28>] handle_cpu_irq+0x68/0xa0\n[<9000000001def8c0>] handle_loongarch_irq+0x30/0x48\n[<9000000001def958>] do_vint+0x80/0xd0\n[<9000000000268a0c>] kasan_mem_to_shadow.part.0+0x2c/0x2a0\n[<90000000006344f4>] __asan_load8+0x4c/0x120\n[<900000000025c0d0>] module_frob_arch_sections+0x5c8/0x6b8\n[<90000000003895f0>] load_module+0x9e0/0x2958\n[<900000000038b770>] __do_sys_init_module+0x208/0x2d0\n[<9000000001df0c34>] do_syscall+0x94/0x190\n[<900000000024d6fc>] handle_syscall+0xbc/0x158\n\nAfter analysis, this is because the slow speed of loading the amdgpu\nmodule leads to the long time occupation of the cpu and then the soft\ndeadlock.\n\nWhen loading a module, module_frob_arch_sections() tries to figure out\nthe number of PLTs/GOTs that will be needed to handle all the RELAs. It\nwill call the count_max_entries() to find in an out-of-order data which\ncounting algorithm has O(n^2) complexity.\n\nTo make it faster, we sort the relocation list by info and addend. That\nway, to check for a duplicate relocation, it just needs to compare with\nthe previous entry. This reduces the complexity of the algorithm to O(n\n log n), as done in commit d4e0340919fb (\"arm64/module: Optimize module\nload time by optimizing PLT counting\"). This gives significant reduction\nin module load time for modules with large number of relocations.\n\nAfter applying this patch, the soft deadlock problem has been solved,\nand the kernel starts normally without \"Call Trace\".\n\nUsing the default configuration to test some modules, the results are as\nfollows:\n\nModule              Size\nip_tables           36K\nfat                 143K\nradeon              2.5MB\namdgpu              16MB\n\nWithout this patch:\nModule              Module load time (ms)\tCount(PLTs/GOTs)\nip_tables           18\t\t\t\t59/6\nfat                 0\t\t\t\t162/14\nradeon              54\t\t\t\t1221/84\namdgpu              1411\t\t\t4525/1098\n\nWith this patch:\nModule              Module load time (ms)\tCount(PLTs/GOTs)\nip_tables           18\t\t\t\t59/6\nfat                 0\t\t\t\t162/14\nradeon              22\t\t\t\t1221/84\namdgpu              45\t\t\t\t4525/1098",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39767",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, fix complex rules rehash error flow\n\nMoving rules from matcher to matcher should not fail.\nHowever, if it does fail due to various reasons, the error flow\nshould allow the kernel to continue functioning (albeit with broken\nsteering rules) instead of going into series of soft lock-ups or\nsome other problematic behaviour.\n\nSimilar to the simple rules, complex rules rehash logic suffers\nfrom the same problems. This patch fixes the error flow for moving\ncomplex rules:\n - If new rule creation fails before it was even enqueued, do not\n   poll for completion\n - If TIMEOUT happened while moving the rule, no point trying\n   to poll for completions for other rules. Something is broken,\n   completion won't come, just abort the rehash sequence.\n - If some other completion with error received, don't give up.\n   Continue handling rest of the rules to minimize the damage.\n - Make sure that the first error code that was received will\n   be actually returned to the caller instead of replacing it\n   with the generic error code.\n\nAll the aforementioned issues stem from the same bad error flow,\nso no point fixing them one by one and leaving partially broken\ncode - fixing them in one patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39768",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix lockdep warning during rmmod\n\nThe commit under the Fixes tag added a netdev_assert_locked() in\nbnxt_free_ntp_fltrs().  The lock should be held during normal run-time\nbut the assert will be triggered (see below) during bnxt_remove_one()\nwhich should not need the lock.  The netdev is already unregistered by\nthen.  Fix it by calling netdev_assert_locked_or_invisible() which will\nnot assert if the netdev is unregistered.\n\nWARNING: CPU: 5 PID: 2241 at ./include/net/netdev_lock.h:17 bnxt_free_ntp_fltrs+0xf8/0x100 [bnxt_en]\nModules linked in: rpcrdma rdma_cm iw_cm ib_cm configfs ib_core bnxt_en(-) bridge stp llc x86_pkg_temp_thermal xfs tg3 [last unloaded: bnxt_re]\nCPU: 5 UID: 0 PID: 2241 Comm: rmmod Tainted: G S      W           6.16.0 #2 PREEMPT(voluntary)\nTainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\nHardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\nRIP: 0010:bnxt_free_ntp_fltrs+0xf8/0x100 [bnxt_en]\nCode: 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 47 60 be ff ff ff ff 48 8d b8 28 0c 00 00 e8 d0 cf 41 c3 85 c0 0f 85 2e ff ff ff <0f> 0b e9 27 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa92082387da0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff9e5b593d8000 RCX: 0000000000000001\nRDX: 0000000000000001 RSI: ffffffff83dc9a70 RDI: ffffffff83e1a1cf\nRBP: ffff9e5b593d8c80 R08: 0000000000000000 R09: ffffffff8373a2b3\nR10: 000000008100009f R11: 0000000000000001 R12: 0000000000000001\nR13: ffffffffc01c4478 R14: dead000000000122 R15: dead000000000100\nFS:  00007f3a8a52c740(0000) GS:ffff9e631ad1c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055bb289419c8 CR3: 000000011274e001 CR4: 00000000003706f0\nCall Trace:\n <TASK>\n bnxt_remove_one+0x57/0x180 [bnxt_en]\n pci_device_remove+0x39/0xc0\n device_release_driver_internal+0xa5/0x130\n driver_detach+0x42/0x90\n bus_remove_driver+0x61/0xc0\n pci_unregister_driver+0x38/0x90\n bnxt_exit+0xc/0x7d0 [bnxt_en]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39769",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises the NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n <TASK>\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear:   00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear:   00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear:   00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear:   00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear:   00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear:   00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear:   00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear:   00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39770",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: pca9450: Use devm_register_sys_off_handler\n\nWith a module test, there is an error dump:\n------------[ cut here ]------------\n  notifier callback pca9450_i2c_restart_handler already registered\n  WARNING: kernel/notifier.c:23 at notifier_chain_register+0x5c/0x88,\n  CPU#0: kworker/u16:3/50\n  Call trace:\n  notifier_chain_register+0x5c/0x88 (P)\n  atomic_notifier_chain_register+0x30/0x58\n  register_restart_handler+0x1c/0x28\n  pca9450_i2c_probe+0x418/0x538\n  i2c_device_probe+0x220/0x3d0\n  really_probe+0x114/0x410\n  __driver_probe_device+0xa0/0x150\n  driver_probe_device+0x40/0x114\n  __device_attach_driver+0xd4/0x12c\n\nSo use devm_register_sys_off_handler to let the kernel handle the resource\nfree to avoid the kernel dump.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39771",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loading fails, the driver uses hibmc_unload to free the\nresources, but the mutexes in mode.config are not initialized, which will\naccess a NULL pointer. Just change the goto statement to return, because\nhibmc_hw_init() doesn't need to free anything.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39772",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix soft lockup in br_multicast_query_expired()\n\nWhen multicast_query_interval is set to a large value, the local variable\n'time' in br_multicast_send_query() may overflow. If the time is smaller\nthan jiffies, the timer will expire immediately, and then call mod_timer()\nagain, which creates a loop and may trigger the following soft lockup\nissue.\n\n  watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]\n  CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)\n  Call Trace:\n   <IRQ>\n   __netdev_alloc_skb+0x2e/0x3a0\n   br_ip6_multicast_alloc_query+0x212/0x1b70\n   __br_multicast_send_query+0x376/0xac0\n   br_multicast_send_query+0x299/0x510\n   br_multicast_query_expired.constprop.0+0x16d/0x1b0\n   call_timer_fn+0x3b/0x2a0\n   __run_timers+0x619/0x950\n   run_timer_softirq+0x11c/0x220\n   handle_softirqs+0x18e/0x560\n   __irq_exit_rcu+0x158/0x1a0\n   sysvec_apic_timer_interrupt+0x76/0x90\n   </IRQ>\n\nThis issue can be reproduced with:\n  ip link add br0 type bridge\n  echo 1 > /sys/class/net/br0/bridge/multicast_querier\n  echo 0xffffffffffffffff >\n  \t/sys/class/net/br0/bridge/multicast_query_interval\n  ip link set dev br0 up\n\nThe multicast_startup_query_interval can also cause this issue. Similar to\nthe commit 99b40610956a (\"net: bridge: mcast: add and enforce query\ninterval minimum\"), add check for the query interval maximum to fix this\nissue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39773",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: rzg2l_adc: Set driver data before enabling runtime PM\n\nWhen stress-testing the system by repeatedly unbinding and binding the ADC\ndevice in a loop, and the ADC is a supplier for another device (e.g., a\nthermal hardware block that reads temperature through the ADC), it may\nhappen that the ADC device is runtime-resumed immediately after runtime PM\nis enabled, triggered by its consumer. At this point, since drvdata is not\nyet set and the driver's runtime PM callbacks rely on it, a crash can\noccur. To avoid this, set drvdata just after it was allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39774",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix WARN with uffd that has remap events disabled\n\nRegistering userfaultfd on a VMA that spans at least one PMD and then\nmremap()'ing that VMA can trigger a WARN when recovering from a failed\npage table move due to a page table allocation error.\n\nThe code ends up doing the right thing (recurse, avoiding moving actual\npage tables), but triggering that WARN is unpleasant:\n\nWARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]\nWARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]\nWARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852\nModules linked in:\nCPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]\nRIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]\nRIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852\nCode: ...\nRSP: 0018:ffffc900037a76d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645\nRDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007\nRBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000\nFS:  000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n copy_vma_and_data+0x468/0x790 mm/mremap.c:1215\n move_vma+0x548/0x1780 mm/mremap.c:1282\n mremap_to+0x1b7/0x450 mm/mremap.c:1406\n do_mremap+0xfad/0x1f80 mm/mremap.c:1921\n __do_sys_mremap+0x119/0x170 mm/mremap.c:1977\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f00d0b8ebe9\nCode: ...\nRSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019\nRAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9\nRDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000\nRBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000\nR10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002\nR13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005\n </TASK>\n\nThe underlying issue is that we recurse during the original page table\nmove, but not during the recovery move.\n\nFix it by checking for both VMAs and performing the check before the\npmd_none() sanity check.\n\nAdd a new helper where we perform+document that check for the PMD and PUD\nlevel.\n\nThanks to Harry for bisecting.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39775",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: clear page table entries at destroy_args()\n\nThe mm/debug_vm_pagetable test manually allocates page table entries for\nthe tests it runs, using also its manually allocated mm_struct.  That in\nitself is ok, but when it exits, at destroy_args() it fails to clear those\nentries with the *_clear functions.\n\nThe problem is that this leaves stale entries.  If another process allocates an\nmm_struct with a pgd at the same address, it may end up running into the\nstale entry.  This is happening in practice on a debug kernel with\nCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra\ndebugging I added (it prints a warning trace if pgtables_bytes goes\nnegative, in addition to the warning at check_mm() function):\n\n[    2.539353] debug_vm_pgtable: [get_random_vaddr         ]: random_vaddr is 0x7ea247140000\n[    2.539366] kmem_cache info\n[    2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508\n[    2.539447] debug_vm_pgtable: [init_args                ]: args->mm is 0x000000002267cc9e\n(...)\n[    2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0\n[    2.552816] Modules linked in:\n[    2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY\n[    2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries\n[    2.552872] NIP:  c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90\n[    2.552885] REGS: c0000000622e73b0 TRAP: 0700   Not tainted  (6.12.0-105.debug_vm2.el10.ppc64le+debug)\n[    2.552899] MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24002822  XER: 0000000a\n[    2.552954] CFAR: c0000000008f03f0 IRQMASK: 0\n[    2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001\n[    2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff\n[    2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000\n[    2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb\n[    2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0\n[    2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000\n[    2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001\n[    2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760\n[    2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0\n[    2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0\n[    2.553199] Call Trace:\n[    2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)\n[    2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0\n[    2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570\n[    2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650\n[    2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290\n[    2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0\n[    2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870\n[    2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150\n[    2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50\n[    2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0\n[    2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n(...)\n[    2.558892] ---[ end trace 0000000000000000 ]---\n[    2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1\n[    2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144\n\nHere the modprobe process ended up with an allocated mm_struct from the\nmm_struct slab that was used before by the debug_vm_pgtable test.  That is\nnot a problem, since the mm_stru\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39776",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: acomp - Fix CFI failure due to type punning\n\nTo avoid a crash when control flow integrity is enabled, make the\nworkspace (\"stream\") free function use a consistent type, and call it\nthrough a function pointer that has that same type.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39777",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show()\n\nThe csts_state_names[] array only has six sparse entries, but the\niteration code in nvmet_ctrl_state_show() iterates seven, resulting in a\npotential out-of-bounds stack read.  Fix that.\n\nFixes the following warning with an UBSAN kernel:\n\n  vmlinux.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39778",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: subpage: keep TOWRITE tag until folio is cleaned\n\nbtrfs_subpage_set_writeback() calls folio_start_writeback() the first time\na folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag\neven if there are still dirty blocks in the folio. This can break ordering\nguarantees, such as those required by btrfs_wait_ordered_extents().\n\nThat ordering breakage leads to a real failure. For example, running\ngeneric/464 on a zoned setup will hit the following ASSERT. This happens\nbecause the broken ordering fails to flush existing dirty pages before the\nfile size is truncated.\n\n  assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/zoned.c:1899!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)\n  Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\n  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n  RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]\n  RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246\n  RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff\n  RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8\n  R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00\n  R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680\n  FS:  0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   ? srso_return_thunk+0x5/0x5f\n   btrfs_finish_ordered_io+0x4a/0x60 [btrfs]\n   btrfs_work_helper+0xf9/0x490 [btrfs]\n   process_one_work+0x204/0x590\n   ? srso_return_thunk+0x5/0x5f\n   worker_thread+0x1d6/0x3d0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x118/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x205/0x260\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\nConsider process A calling writepages() with WB_SYNC_NONE. In zoned mode or\nfor compressed writes, it locks several folios for delalloc and starts\nwriting them out. Let's call the last locked folio folio X. Suppose the\nwrite range only partially covers folio X, leaving some pages dirty.\nProcess A calls btrfs_subpage_set_writeback() when building a bio. This\nfunction call clears the TOWRITE tag of folio X, whose size = 8K and\nthe block size = 4K. It is in the following state.\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY)\n   <-----> Process A will write this range.\n\nNow suppose process B concurrently calls writepages() with WB_SYNC_ALL. It\ncalls tag_pages_for_writeback() to tag dirty folios with\nPAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then,\nB collects tagged folios using filemap_get_folios_tag() and must wait for\nfolio X to be written before returning from writepages().\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY|TOWRITE)\n\nHowever, between tagging and collecting, process A may call\nbtrfs_subpage_set_writeback() and clear folio X's TOWRITE tag.\n   0     4K    8K\n   |     |/////|  (flag: DIRTY|WRITEBACK, tag: DIRTY)\n\nAs a result, process B won't see folio X in its batch, and returns without\nwaiting for it. This breaks the WB_SYNC_ALL ordering requirement.\n\nFix this by using btrfs_subpage_set_writeback_keepwrite(), which retains\nthe TOWRITE tag. We now manually clear the tag only after the folio becomes\nclean, via the xas operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39779",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/ext: Fix invalid task state transitions on class switch\n\nWhen enabling a sched_ext scheduler, we may trigger invalid task state\ntransitions, resulting in warnings like the following (which can be\neasily reproduced by running the hotplug selftest in a loop):\n\n sched_ext: Invalid task state transition 0 -> 3 for fish[770]\n WARNING: CPU: 18 PID: 787 at kernel/sched/ext.c:3862 scx_set_task_state+0x7c/0xc0\n ...\n RIP: 0010:scx_set_task_state+0x7c/0xc0\n ...\n Call Trace:\n  <TASK>\n  scx_enable_task+0x11f/0x2e0\n  switching_to_scx+0x24/0x110\n  scx_enable.isra.0+0xd14/0x13d0\n  bpf_struct_ops_link_create+0x136/0x1a0\n  __sys_bpf+0x1edd/0x2c30\n  __x64_sys_bpf+0x21/0x30\n  do_syscall_64+0xbb/0x370\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis happens because we skip initialization for tasks that are already\ndead (with their usage counter set to zero), but we don't exclude them\nduring the scheduling class transition phase.\n\nFix this by also skipping dead tasks during class switching, preventing\ninvalid task state transitions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39780",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Drop WARN_ON_ONCE() from flush_cache_vmap\n\nI have observed the warning to occasionally trigger.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39781",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: prevent softlockup in jbd2_log_do_checkpoint()\n\nBoth jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()\nperiodically release j_list_lock after processing a batch of buffers to\navoid long hold times on the j_list_lock. However, since both functions\ncontend for j_list_lock, the combined time spent waiting and processing\ncan be significant.\n\njbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when\nneed_resched() is true to avoid softlockups during prolonged operations.\nBut jbd2_log_do_checkpoint() only exits its loop when need_resched() is\ntrue, relying on potentially sleeping functions like __flush_batch() or\nwait_on_buffer() to trigger rescheduling. If those functions do not sleep,\nthe kernel may hit a softlockup.\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]\nCPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017\nWorkqueue: writeback wb_workfn (flush-7:2)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : native_queued_spin_lock_slowpath+0x358/0x418\nlr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\nCall trace:\n native_queued_spin_lock_slowpath+0x358/0x418\n jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\n __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]\n add_transaction_credits+0x3bc/0x418 [jbd2]\n start_this_handle+0xf8/0x560 [jbd2]\n jbd2__journal_start+0x118/0x228 [jbd2]\n __ext4_journal_start_sb+0x110/0x188 [ext4]\n ext4_do_writepages+0x3dc/0x740 [ext4]\n ext4_writepages+0xa4/0x190 [ext4]\n do_writepages+0x94/0x228\n __writeback_single_inode+0x48/0x318\n writeback_sb_inodes+0x204/0x590\n __writeback_inodes_wb+0x54/0xf8\n wb_writeback+0x2cc/0x3d8\n wb_do_writeback+0x2e0/0x2f8\n wb_workfn+0x80/0x2a8\n process_one_work+0x178/0x3e8\n worker_thread+0x234/0x3b8\n kthread+0xf0/0x108\n 
ret_from_fork+0x10/0x20\n\nSo explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid\nsoftlockup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39782",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix configfs group list head handling\n\nDoing a list_del() on the epf_group field of struct pci_epf_driver in\npci_epf_remove_cfs() is not correct as this field is a list head, not\na list entry. This list_del() call triggers a KASAN warning when an\nendpoint function driver which has a configfs attribute group is torn\ndown:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198\nWrite of size 8 at addr ffff00010f4a0d80 by task rmmod/319\n\nCPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE\nHardware name: Radxa ROCK 5B (DT)\nCall trace:\nshow_stack+0x2c/0x84 (C)\ndump_stack_lvl+0x70/0x98\nprint_report+0x17c/0x538\nkasan_report+0xb8/0x190\n__asan_report_store8_noabort+0x20/0x2c\npci_epf_remove_cfs+0x17c/0x198\npci_epf_unregister_driver+0x18/0x30\nnvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]\n__arm64_sys_delete_module+0x264/0x424\ninvoke_syscall+0x70/0x260\nel0_svc_common.constprop.0+0xac/0x230\ndo_el0_svc+0x40/0x58\nel0_svc+0x48/0xdc\nel0t_64_sync_handler+0x10c/0x138\nel0t_64_sync+0x198/0x19c\n...\n\nRemove this incorrect list_del() call from pci_epf_remove_cfs().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39783",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix link speed calculation on retrain failure\n\nWhen pcie_failed_link_retrain() fails to retrain, it tries to revert to the\nprevious link speed.  However it calculates that speed from the Link\nControl 2 register without masking out non-speed bits first.\n\nPCIE_LNKCTL2_TLS2SPEED() converts such incorrect values to\nPCI_SPEED_UNKNOWN (0xff), which in turn causes a WARN splat in\npcie_set_target_speed():\n\n  pci 0000:00:01.1: [1022:14ed] type 01 class 0x060400 PCIe Root Port\n  pci 0000:00:01.1: broken device, retraining non-functional downstream link at 2.5GT/s\n  pci 0000:00:01.1: retraining failed\n  WARNING: CPU: 1 PID: 1 at drivers/pci/pcie/bwctrl.c:168 pcie_set_target_speed\n  RDX: 0000000000000001 RSI: 00000000000000ff RDI: ffff9acd82efa000\n  pcie_failed_link_retrain\n  pci_device_add\n  pci_scan_single_device\n\nMask out the non-speed bits in PCIE_LNKCTL2_TLS2SPEED() and\nPCIE_LNKCAP_SLS2SPEED() so they don't incorrectly return PCI_SPEED_UNKNOWN.\n\n[bhelgaas: commit log, add details from https://lore.kernel.org/r/1c92ef6bcb314ee6977839b46b393282e4f52e74.1750684771.git.lukas@wunner.de]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39784",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix irq_request()'s irq name variable is local\n\nThe local variable is passed to request_irq(), and there will be a use\nafter free problem, which will make request_irq() fail. Use the global\nirq name instead of it to fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39785",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad7173: fix channels index for syscalib_mode\n\nFix the index used to look up the channel when accessing the\nsyscalib_mode attribute. The address field is a 0-based index (same\nas scan_index) that is used to access the channel in the\nad7173_channels array throughout the driver. The channels field, on\nthe other hand, may not match the address field depending on the\nchannel configuration specified in the device tree and could result\nin an out-of-bounds access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39786",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: mdt_loader: Ensure we don't read past the ELF header\n\nWhen the MDT loader is used in remoteproc, the ELF header is sanitized\nbeforehand, but that's not necessarily the case for other clients.\n\nValidate the size of the firmware buffer to ensure that we don't read\npast the end as we iterate over the header. e_phentsize and e_shentsize\nare validated as well, to ensure that the assumptions about step size in\nthe traversal are valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39787",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE\n\nOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,\nand in this case the driver ends up programming the UTRL_NEXUS_TYPE\nincorrectly as 0.\n\nThis is because the left hand side of the shift is 1, which is of type\nint, i.e. 31 bits wide. Shifting by more than that width results in\nundefined behaviour.\n\nFix this by switching to the BIT() macro, which applies correct type\ncasting as required. This ensures the correct value is written to\nUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift\nwarning:\n\n    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21\n    shift exponent 32 is too large for 32-bit type 'int'\n\nFor consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE\nwrite.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39788",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39789",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: x86/aegis - Add missing error checks\n\nThe skcipher_walk functions can allocate memory and can fail, so\nchecking for errors is necessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39789",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Detect events pointing to unexpected TREs\n\nWhen a remote device sends a completion event to the host, it contains a\npointer to the consumed TRE. The host uses this pointer to process all of\nthe TREs between it and the host's local copy of the ring's read pointer.\nThis works when processing completion for chained transactions, but can\nlead to nasty results if the device sends an event for a single-element\ntransaction with a read pointer that is multiple elements ahead of the\nhost's read pointer.\n\nFor instance, if the host accesses an event ring while the device is\nupdating it, the pointer inside of the event might still point to an old\nTRE. If the host uses the channel's xfer_cb() to directly free the buffer\npointed to by the TRE, the buffer will be double-freed.\n\nThis behavior was observed on an ep that used upstream EP stack without\n'commit 6f18d174b73d (\"bus: mhi: ep: Update read pointer only after buffer\nis written\")'. Where the device updated the events ring pointer before\nupdating the event contents, so it left a window where the host was able to\naccess the stale data the event pointed to, before the device had the\nchance to update them. The usual pattern was that the host received an\nevent pointing to a TRE that is not immediately after the last processed\none, so it got treated as if it was a chained transaction, processing all\nof the TREs in between the two read pointers.\n\nThis commit aims to harden the host by ensuring transactions where the\nevent points to a TRE that isn't local_rp + 1 are chained.\n\n[mani: added stable tag and reworded commit message]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39790",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: dm-crypt: Do not partially accept write BIOs with zoned targets\n\nRead and write operations issued to a dm-crypt target may be split\naccording to the dm-crypt internal limits defined by the max_read_size\nand max_write_size module parameters (default is 128 KB). The intent is\nto improve processing time of large BIOs by splitting them into smaller\noperations that can be parallelized on different CPUs.\n\nFor zoned dm-crypt targets, this BIO splitting is still done but without\nthe parallel execution to ensure that the issuing order of write\noperations to the underlying devices remains sequential. However, the\nsplitting itself causes other problems:\n\n1) Since dm-crypt relies on the block layer zone write plugging to\n   handle zone append emulation using regular write operations, the\n   remainder of a split write BIO will always be plugged into the target\n   zone write plug. Once the on-going write BIO finishes, this\n   remainder BIO is unplugged and issued from the zone write plug work.\n   If this remainder BIO itself needs to be split, the remainder will be\n   re-issued and plugged again, but that causes a call to a\n   blk_queue_enter(), which may block if a queue freeze operation was\n   initiated. This results in a deadlock as DM submission still holds\n   BIOs that the queue freeze side is waiting for.\n\n2) dm-crypt relies on the emulation done by the block layer using\n   regular write operations for processing zone append operations. This\n   still requires to properly return the written sector as the BIO\n   sector of the original BIO. However, this can be done correctly only\n   if there is a single clone BIO used for processing the\n   original zone append operation issued by the user. If the size of a\n   zone append operation is larger than dm-crypt max_write_size, then\n   the original BIO will be split and processed as a chain of regular\n   write operations. Such chaining results in an incorrect written sector\n   being returned to the zone append issuer using the original BIO\n   sector.  This in turn results in file system data corruptions using\n   xfs or btrfs.\n\nFix this by modifying get_max_request_size() to always return the size\nof the BIO to avoid it being split with dm_accept_partial_bio() in\ncrypt_map(). get_max_request_size() is renamed to\nget_max_request_sectors() to clarify the unit of the value returned\nand its interface is changed to take a struct dm_target pointer and a\npointer to the struct bio being processed. In addition to this change,\nto ensure that crypt_alloc_buffer() works correctly, set the dm-crypt\ndevice max_hw_sectors limit to be at most\nBIO_MAX_VECS << PAGE_SECTORS_SHIFT (1 MB with a 4KB page architecture).\nThis forces DM core to split write BIOs before passing them to\ncrypt_map(), and thus guaranteeing that dm-crypt can always accept an\nentire write BIO without needing to split it.\n\nThis change does not have any effect on the read path of dm-crypt. Read\noperations can still be split and the BIO fragments processed in\nparallel. There is also no impact on the performance of the write path\ngiven that all zone write BIOs were already processed inline instead of\nin parallel.\n\nThis change also does not affect in any way regular dm-crypt block\ndevices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39791",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: Always split write BIOs to zoned device limits\n\nAny zoned DM target that requires zone append emulation will use the\nblock layer zone write plugging. In such case, DM target drivers must\nnot split BIOs using dm_accept_partial_bio() as doing so can potentially\nlead to deadlocks with queue freeze operations. Regular write operations\nused to emulate zone append operations also cannot be split by the\ntarget driver as that would result in an invalid written sector value\nreturned using the BIO sector.\n\nIn order for zoned DM target drivers to avoid such incorrect BIO\nsplitting, we must ensure that large BIOs are split before being passed\nto the map() function of the target, thus guaranteeing that the\nlimits for the mapped device are not exceeded.\n\ndm-crypt and dm-flakey are the only target drivers supporting zoned\ndevices and using dm_accept_partial_bio().\n\nIn the case of dm-crypt, this function is used to split BIOs to the\ninternal max_write_size limit (which will be suppressed in a different\npatch). However, since crypt_alloc_buffer() uses a bioset allowing only\nup to BIO_MAX_VECS (256) vectors in a BIO, the dm-crypt device\nmax_segments limit, which is not set and so defaults to BLK_MAX_SEGMENTS\n(128), must be respected and write BIOs split accordingly.\n\nIn the case of dm-flakey, since zone append emulation is not required,\nthe block layer zone write plugging is not used and no splitting of BIOs\nis required.\n\nModify the function dm_zone_bio_needs_split() to use the block layer\nhelper function bio_needs_zone_write_plugging() to force a call to\nbio_split_to_limits() in dm_split_and_process_bio(). This allows DM\ntarget drivers to avoid using dm_accept_partial_bio() for write\noperations on zoned DM devices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39792",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/memmap: cast nr_pages to size_t before shifting\n\nIf the allocated size exceeds UINT_MAX, then it's necessary to cast\nthe mr->nr_pages value to size_t to prevent it from overflowing. In\npractice this isn't much of a concern as the required memory size will\nhave been validated upfront, and accounted to the user. And > 4GB sizes\nwill be necessary to make the lack of a cast a problem, which greatly\nexceeds normal user locked_vm settings that are generally in the kb to\nmb range. However, if root is used, then accounting isn't done, and\nthen it's possible to hit this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39793",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: tegra: Use I/O memcpy to write to IRAM\n\nKasan crashes the kernel trying to check boundaries when using the\nnormal memcpy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39794",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid possible overflow for chunk_sectors check in blk_stack_limits()\n\nIn blk_stack_limits(), we check that the t->chunk_sectors value is a\nmultiple of the t->physical_block_size value.\n\nHowever, by finding the chunk_sectors value in bytes, we may overflow\nthe unsigned int which holds chunk_sectors, so change the check to be\nbased on sectors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39795",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: ignore ops-locked netdevs\n\nSyzkaller managed to trigger lock dependency in xsk_notify via\nregister_netdevice. As discussed in [0], using register_netdevice\nin the notifiers is problematic so skip adding lapbeth for ops-locked\ndevices.\n\n       xsk_notifier+0xa4/0x280 net/xdp/xsk.c:1645\n       notifier_call_chain+0xbc/0x410 kernel/notifier.c:85\n       call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2230\n       call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\n       call_netdevice_notifiers net/core/dev.c:2282 [inline]\n       unregister_netdevice_many_notify+0xf9d/0x2700 net/core/dev.c:12077\n       unregister_netdevice_many net/core/dev.c:12140 [inline]\n       unregister_netdevice_queue+0x305/0x3f0 net/core/dev.c:11984\n       register_netdevice+0x18f1/0x2270 net/core/dev.c:11149\n       lapbeth_new_device drivers/net/wan/lapbether.c:420 [inline]\n       lapbeth_device_event+0x5b1/0xbe0 drivers/net/wan/lapbether.c:462\n       notifier_call_chain+0xbc/0x410 kernel/notifier.c:85\n       call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2230\n       call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\n       call_netdevice_notifiers net/core/dev.c:2282 [inline]\n       __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9497\n       netif_change_flags+0x108/0x160 net/core/dev.c:9526\n       dev_change_flags+0xba/0x250 net/core/dev_api.c:68\n       devinet_ioctl+0x11d5/0x1f50 net/ipv4/devinet.c:1200\n       inet_ioctl+0x3a7/0x3f0 net/ipv4/af_inet.c:1001\n\n0: https://lore.kernel.org/netdev/20250625140357.6203d0af@kernel.org/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39796",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Duplicate SPI Handling\n\nThe issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI\nNetlink message, which triggers the kernel function xfrm_alloc_spi().\nThis function is expected to ensure uniqueness of the Security Parameter\nIndex (SPI) for inbound Security Associations (SAs). However, it can\nreturn success even when the requested SPI is already in use, leading\nto duplicate SPIs assigned to multiple inbound SAs, differentiated\nonly by their destination addresses.\n\nThis behavior causes inconsistencies during SPI lookups for inbound packets.\nSince the lookup may return an arbitrary SA among those with the same SPI,\npacket processing can fail, resulting in packet drops.\n\nAccording to RFC 4301 section 4.4.2, for inbound processing a unicast SA\nis uniquely identified by the SPI and optionally protocol.\n\nReproducing the Issue Reliably:\nTo consistently reproduce the problem, restrict the available SPI range in\ncharon.conf: spi_min = 0x10000000 spi_max = 0x10000002\nThis limits the system to only 2 usable SPI values.\nNext, create more than 2 Child SAs, each using a unique pair of src/dst addresses.\nAs soon as the 3rd Child SA is initiated, it will be assigned a duplicate\nSPI, since the SPI pool is already exhausted.\nWith a narrow SPI range, the issue is consistently reproducible.\nWith a broader/default range, it becomes rare and unpredictable.\n\nCurrent implementation:\nThe xfrm_spi_hash() lookup function computes the hash using daddr, proto, and family.\nSo if two SAs have the same SPI but different destination addresses, then\nthey will:\na. Hash into different buckets\nb. Be stored in different linked lists (byspi + h)\nc. Not be seen in the same hlist_for_each_entry_rcu() iteration.\nAs a result, the lookup will return NULL and the kernel allows that duplicate SPI.\n\nProposed Change:\nxfrm_state_lookup_spi_proto() does a truly global search across all states,\nregardless of hash bucket, and matches SPI and proto.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39797",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix the setting of capabilities when automounting a new filesystem\n\nCapabilities cannot be inherited when we cross into a new filesystem.\nThey need to be reset to the minimal defaults, and then probed for\nagain.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39798",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort transaction on unexpected eb generation at btrfs_copy_root()\n\nIf we find an unexpected generation for the extent buffer we are cloning\nat btrfs_copy_root(), we just WARN_ON() and don't error out and abort the\ntransaction, meaning we allow to persist metadata with an unexpected\ngeneration. Instead of warning only, abort the transaction and return\n-EUCLEAN.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39800",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when 'panic_on_warn' is enabled\nand unnecessary call trace prints when 'panic_on_warn' is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n   =======\n->dwc3_thread_interrupt\n ->dwc3_ep0_interrupt\n  ->configfs_composite_setup\n   ->composite_setup\n    ->usb_ep_queue\n     ->dwc3_gadget_ep0_queue\n      ->__dwc3_gadget_ep0_queue\n       ->__dwc3_ep0_do_control_data\n        ->dwc3_send_gadget_ep_cmd\n\n2. Disconnect\n   ==========\n->dwc3_thread_interrupt\n ->dwc3_gadget_disconnect_interrupt\n  ->dwc3_ep0_reset_state\n   ->dwc3_ep0_end_control_data\n    ->dwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed and the end\ntransfer command sent as a part of the disconnect sequence and\nprocessing of the USB_ENDPOINT_HALT feature request from the host time out.\nThis may be an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It may be better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39801",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts\n\nRestore the SIMD usability check that was removed by commit 773426f4771b\n(\"crypto: arm/poly1305 - Add block-only interface\").\n\nThis safety check is cheap and is well worth eliminating a footgun.\nWhile the Poly1305 functions should not be called when SIMD registers\nare unusable, if they are anyway, they should just do the right thing\ninstead of corrupting random tasks' registers and/or computing incorrect\nMACs.  Fixing this is also needed for poly1305_kunit to pass.\n\nJust use may_use_simd() instead of the original crypto_simd_usable(),\nsince poly1305_kunit won't rely on crypto_simd_disabled_for_test.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39802",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Remove WARN_ON_ONCE() call from ufshcd_uic_cmd_compl()\n\nThe UIC completion interrupt may be disabled while a UIC command is\nbeing processed. When the UIC completion interrupt is reenabled, a UIC\ninterrupt is triggered and the WARN_ON_ONCE(!cmd) statement is hit.\nHence this patch, which removes this kernel warning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39803",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts\n\nRestore the SIMD usability check that was removed by commit a59e5468a921\n(\"crypto: arm64/poly1305 - Add block-only interface\").\n\nThis safety check is cheap and is well worth eliminating a footgun.\nWhile the Poly1305 functions should not be called when SIMD registers\nare unusable, if they are anyway, they should just do the right thing\ninstead of corrupting random tasks' registers and/or computing incorrect\nMACs.  Fixing this is also needed for poly1305_kunit to pass.\n\nJust use may_use_simd() instead of the original crypto_simd_usable(),\nsince poly1305_kunit won't rely on crypto_simd_disabled_for_test.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39804",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix unregister_netdev call order in macb_remove()\n\nWhen removing a macb device, the driver calls phy_exit() before\nunregister_netdev(). This leads to a WARN from kernfs:\n\n  ------------[ cut here ]------------\n  kernfs: can not remove 'attached_dev', no directory\n  WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683\n  Call trace:\n    kernfs_remove_by_name_ns+0xd8/0xf0\n    sysfs_remove_link+0x24/0x58\n    phy_detach+0x5c/0x168\n    phy_disconnect+0x4c/0x70\n    phylink_disconnect_phy+0x6c/0xc0 [phylink]\n    macb_close+0x6c/0x170 [macb]\n    ...\n    macb_remove+0x60/0x168 [macb]\n    platform_remove+0x5c/0x80\n    ...\n\nThe warning happens because the PHY is being exited while the netdev\nis still registered. The correct order is to unregister the netdev\nbefore shutting down the PHY and cleaning up the MDIO bus.\n\nFix this by moving unregister_netdev() ahead of phy_exit() in\nmacb_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39805",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in a report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15; however, it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[   13.671954] ==================================================================\n[   13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[   13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[   13.673297]\n[   13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[   13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[   13.673297] Call Trace:\n[   13.673297]  <TASK>\n[   13.673297]  dump_stack_lvl+0x5f/0x80\n[   13.673297]  print_report+0xd1/0x660\n[   13.673297]  kasan_report+0xe5/0x120\n[   13.673297]  __asan_report_load1_noabort+0x18/0x20\n[   13.673297]  mt_report_fixup+0x103/0x110\n[   13.673297]  hid_open_report+0x1ef/0x810\n[   13.673297]  mt_probe+0x422/0x960\n[   13.673297]  hid_device_probe+0x2e2/0x6f0\n[   13.673297]  really_probe+0x1c6/0x6b0\n[   13.673297]  __driver_probe_device+0x24f/0x310\n[   13.673297]  driver_probe_device+0x4e/0x220\n[   13.673297]  __device_attach_driver+0x169/0x320\n[   13.673297]  bus_for_each_drv+0x11d/0x1b0\n[   13.673297]  __device_attach+0x1b8/0x3e0\n[   13.673297]  device_initial_probe+0x12/0x20\n[   13.673297]  bus_probe_device+0x13d/0x180\n[   13.673297]  device_add+0xe3a/0x1670\n[   13.673297]  hid_add_device+0x31d/0xa40\n[...]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39806",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add error handling for old state CRTC in atomic_disable\n\nIntroduce error handling to address an issue where, after a hotplug\nevent, the cursor continues to update. This situation can lead to a\nkernel panic due to accessing the NULL `old_state->crtc`.\n\nE.g.\nUnable to handle kernel NULL pointer dereference at virtual address\nCall trace:\n mtk_crtc_plane_disable+0x24/0x140\n mtk_plane_atomic_update+0x8c/0xa8\n drm_atomic_helper_commit_planes+0x114/0x2c8\n drm_atomic_helper_commit_tail_rpm+0x4c/0x158\n commit_tail+0xa0/0x168\n drm_atomic_helper_commit+0x110/0x120\n drm_atomic_commit+0x8c/0xe0\n drm_atomic_helper_update_plane+0xd4/0x128\n __setplane_atomic+0xcc/0x110\n drm_mode_cursor_common+0x250/0x440\n drm_mode_cursor_ioctl+0x44/0x70\n drm_ioctl+0x264/0x5d8\n __arm64_sys_ioctl+0xd8/0x510\n invoke_syscall+0x6c/0xe0\n do_el0_svc+0x68/0xe8\n el0_svc+0x34/0x60\n el0t_64_sync_handler+0x1c/0xf8\n el0t_64_sync+0x180/0x188\n\nAdding NULL pointer checks to ensure stability by preventing operations\non an invalid CRTC state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39807",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nIn ntrig_report_version(), the hdev parameter is passed from hid_probe().\nSending a descriptor to /dev/uhid can make hdev->dev.parent->parent null.\nIf hdev->dev.parent->parent is null, usb_dev has an\ninvalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned;\nwhen usb_rcvctrlpipe() uses usb_dev, it triggers a\npage fault error for address 0xffffffffffffff58.\n\nAdd null check logic to ntrig_report_version()\nbefore calling hid_to_usb_dev().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39808",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length\n\nThe QuickI2C ACPI _DSD methods return ICRS and ISUB data with a\ntrailing byte, making the actual length one more byte than the\nstructs defined.\n\nIt caused a stack-out-of-bounds and kernel crash:\n\nkernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75\nkernel:\nkernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\nkernel: Workqueue: async async_run_entry_fn\nkernel: Call Trace:\nkernel:  <TASK>\nkernel:  dump_stack_lvl+0x76/0xa0\nkernel:  print_report+0xd1/0x660\nkernel:  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\nkernel:  ? __kasan_slab_free+0x5d/0x80\nkernel:  ? kasan_addr_to_slab+0xd/0xb0\nkernel:  kasan_report+0xe1/0x120\nkernel:  ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  kasan_check_range+0x11c/0x200\nkernel:  __asan_memcpy+0x3b/0x80\nkernel:  quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel:  ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]\nkernel:  quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]\n[...]\nkernel:  </TASK>\nkernel:\nkernel: The buggy address belongs to stack of task kworker/u33:2/75\nkernel:  and is located at offset 48 in frame:\nkernel:  quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]\nkernel:\nkernel: This frame has 3 objects:\nkernel:  [32, 36) 'hid_desc_addr'\nkernel:  [48, 59) 'i2c_param'\nkernel:  [80, 224) 'i2c_config'\n\nACPI DSD methods return:\n\n\\_SB.PC00.THC0.ICRS Buffer       000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00\n\\_SB.PC00.THC0.ISUB Buffer       00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00\n\nAdding reserved padding to quicki2c_subip_acpi_parameter/config.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39809",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created.  So it doesn't take bp->num_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations().  This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc\nmay be greater than 1.  This will cause bp->tx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp->num_tc in the code\npaths mentioned above.  Add 2 helper functions to determine\nbp->tx_nr_rings and bp->tx_nr_rings_per_tc.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39810",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: Clear the scratch_pt pointer on error\n\nAvoid triggering a dereference of an error pointer on cleanup in\nxe_vm_free_scratch() by clearing any scratch_pt error pointer.\n\n(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39811",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39812",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n  sctp_get_port net/sctp/socket.c:8523 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n  sctp_get_port net/sctp/socket.c:8515 [inline]\n  sctp_listen_start net/sctp/socket.c:8567 [inline]\n  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n  __sys_listen_socket net/socket.c:1912 [inline]\n  __sys_listen net/socket.c:1927 [inline]\n  __do_sys_listen net/socket.c:1932 [inline]\n  __se_sys_listen net/socket.c:1930 [inline]\n  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39812",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump)                              CPU1 (reader)\necho z > /proc/sysrq-trigger\n\n!trace_empty(&iter)\ntrace_iterator_reset(&iter) <- len = size = 0\n                                                cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(&iter)\n  __find_next_entry\n    ring_buffer_empty_cpu <- all empty\n  return NULL\n\ntrace_printk_seq(&iter.seq)\n  WARN_ON_ONCE(s->seq.len >= s->seq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the 'iter.seq' is properly populated before\nsubsequent operations.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39813",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset\n\nIssuing a reset when the driver is loaded without RDMA support will\nresult in a crash as it attempts to remove RDMA's non-existent auxbus\ndevice:\necho 1 > /sys/class/net/<if>/device/reset\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n...\nRIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]\n...\nCall Trace:\n<TASK>\nice_prepare_for_reset+0x77/0x260 [ice]\npci_dev_save_and_disable+0x2c/0x70\npci_reset_function+0x88/0x130\nreset_store+0x5a/0xa0\nkernfs_fop_write_iter+0x15e/0x210\nvfs_write+0x273/0x520\nksys_write+0x6b/0xe0\ndo_syscall_64+0x79/0x3b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nice_unplug_aux_dev() checks pf->cdev_info->adev for NULL pointer, but\npf->cdev_info will also be NULL, leading to the deref in the trace above.\n\nIntroduce a flag to be set when the creation of the auxbus device is\nsuccessful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39814",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: fix stack overrun when loading vlenb\n\nThe userspace load can put up to 2048 bits into an xlen bit stack\nbuffer.  We want only xlen bits, so check the size beforehand.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39815",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths\n\nSince the buffers are mapped from userspace, it is prudent to use\nREAD_ONCE() to read the value into a local variable, and use that for\nany other actions taken. Having a stable read of the buffer length\navoids worrying about it changing after checking, or being read multiple\ntimes.\n\nSimilarly, the buffer may well change in between it being picked and\nbeing committed. Ensure the looping for incremental ring buffer commit\nstops if it hits a zero sized buffer, as no further progress can be made\nat that point.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39816",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n  BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n  Call trace:\n   kasan_check_range+0xe8/0x190\n   __asan_loadN+0x1c/0x28\n   memcmp+0x98/0xd0\n   efivarfs_d_compare+0x68/0xd8\n   __d_lookup_rcu_op_compare+0x178/0x218\n   __d_lookup_rcu+0x1f8/0x228\n   d_alloc_parallel+0x150/0x648\n   lookup_open.isra.0+0x5f0/0x8d0\n   open_last_lookups+0x264/0x828\n   path_openat+0x130/0x3f8\n   do_filp_open+0x114/0x248\n   do_sys_openat2+0x340/0x3c0\n   __arm64_sys_openat+0x120/0x1a0\n\nIf dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become\nnegative, leading to oob. The issue can be triggered by parallel\nlookups using an invalid filename:\n\n  T1\t\t\tT2\n  lookup_open\n   ->lookup\n    simple_lookup\n     d_add\n     // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t  __d_lookup_rcu\n\t\t\t   __d_lookup_rcu_op_compare\n\t\t\t    hlist_bl_for_each_entry_rcu\n\t\t\t    // invalid dentry can be retrieved\n\t\t\t     ->d_compare\n\t\t\t      efivarfs_d_compare\n\t\t\t      // oob\n\nFix it by checking 'guid' before cmp.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39817",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save\n\nImproper use of secondary pointer (&dev->i2c_subip_regs) caused\nkernel crash and out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510\n Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107\n\n CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\n Workqueue: async async_run_entry_fn\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x76/0xa0\n  print_report+0xd1/0x660\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  ? kasan_complete_mode_report_info+0x26/0x200\n  kasan_report+0xe1/0x120\n  ? _regmap_bulk_read+0x449/0x510\n  ? _regmap_bulk_read+0x449/0x510\n  __asan_report_store4_noabort+0x17/0x30\n  _regmap_bulk_read+0x449/0x510\n  ? __pfx__regmap_bulk_read+0x10/0x10\n  regmap_bulk_read+0x270/0x3d0\n  pio_complete+0x1ee/0x2c0 [intel_thc]\n  ? __pfx_pio_complete+0x10/0x10 [intel_thc]\n  ? __pfx_pio_wait+0x10/0x10 [intel_thc]\n  ? regmap_update_bits_base+0x13b/0x1f0\n  thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]\n  thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]\n  ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]\n[...]\n The buggy address belongs to the object at ffff888136005d00\n  which belongs to the cache kmalloc-rnd-12-192 of size 192\n The buggy address is located 0 bytes to the right of\n  allocated 192-byte region [ffff888136005d00, ffff888136005dc0)\n\nReplaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure\nsafe memory access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39818",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb: Fix inconsistent refcnt update\n\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\nSuch inconsistent update could lead to possible resource leaks.\n\nWhy it is a possible bug:\n1. In the comment section of the function, it clearly states that the\nreference to `cfile` should be dropped after calling this function.\n2. Every control flow path would check and drop the reference to\n`cfile`, except the patched one.\n3. Existing callers would not handle refcount update of `cfile` if\n-ENOMEM is returned.\n\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\ncleanup logic would always be respected. As the problem is caused by the\nallocation failure of `vars`, the cleanup logic between label \"finished\"\nand \"out\" can be safely ignored. According to the definition of function\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\nTherefore, the replay logic also gets ignored.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39819",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add a null ptr check for dpu_encoder_needs_modeset\n\nThe drm_atomic_get_new_connector_state() can return NULL if the\nconnector is not part of the atomic state. Add a check to prevent\na NULL pointer dereference.\n\nThis follows the same pattern used in dpu_encoder_update_topology()\nwithin the same file, which checks for NULL before using conn_state.\n\nPatchwork: https://patchwork.freedesktop.org/patch/665188/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39820",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Avoid undefined behavior from stopping/starting inactive events\n\nCalling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can\nleave event->hw.idx at -1. When PMU drivers later attempt to use this\nnegative index as a shift exponent in bitwise operations, it leads to UBSAN\nshift-out-of-bounds reports.\n\nThe issue is a logical flaw in how event groups handle throttling when some\nmembers are intentionally disabled. Based on the analysis and the\nreproducer provided by Mark Rutland (this issue on both arm64 and x86-64).\n\nThe scenario unfolds as follows:\n\n 1. A group leader event is configured with a very aggressive sampling\n    period (e.g., sample_period = 1). This causes frequent interrupts and\n    triggers the throttling mechanism.\n 2. A child event in the same group is created in a disabled state\n    (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF.\n    Since it hasn't been scheduled onto the PMU, its event->hw.idx remains\n    initialized at -1.\n 3. When throttling occurs, perf_event_throttle_group() and later\n    perf_event_unthrottle_group() iterate through all siblings, including\n    the disabled child event.\n 4. perf_event_throttle()/unthrottle() are called on this inactive child\n    event, which then call event->pmu->start()/stop().\n 5. The PMU driver receives the event with hw.idx == -1 and attempts to\n    use it as a shift exponent. e.g., in macros like PMCNTENSET(idx),\n    leading to the UBSAN report.\n\nThe throttling mechanism attempts to start/stop events that are not\nactively scheduled on the hardware.\n\nMove the state check into perf_event_throttle()/perf_event_unthrottle() so\nthat inactive events are skipped entirely. This ensures only active events\nwith a valid hw.idx are processed, preventing undefined behavior and\nsilencing UBSAN warnings. The corrected check ensures true before\nproceeding with PMU operations.\n\nThe problem can be reproduced with the syzkaller reproducer:",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39821",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: fix signedness in this_len calculation\n\nWhen importing and using buffers, buf->len is considered unsigned.\nHowever, buf->len is converted to signed int when committing. This can\nlead to unexpected behavior if the buffer is large enough to be\ninterpreted as a negative value. Make min_t calculation unsigned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39822",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: use array_index_nospec with indices that come from guest\n\nmin and dest_id are guest-controlled indices. Using array_index_nospec()\nafter the bounds checks clamps these values to mitigate speculative execution\nside-channels.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39823",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39824",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D,        // Usage Page (Digitizer)\n0x09, 0x05,        // Usage (Touch Pad)\n0xA1, 0x01,        // Collection (Application)\n0x85, 0x0D,        //   Report ID (13)\n0x06, 0x00, 0xFF,  //   Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5,        //   Usage (0xC5)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x04,        //   Report Count (4)\n0xB1, 0x02,        //   Feature (Data,Var,Abs)\n0x85, 0x5D,        //   Report ID (93)\n0x06, 0x00, 0x00,  //   Usage Page (Undefined)\n0x09, 0x01,        //   Usage (0x01)\n0x15, 0x00,        //   Logical Minimum (0)\n0x26, 0xFF, 0x00,  //   Logical Maximum (255)\n0x75, 0x08,        //   Report Size (8)\n0x95, 0x1B,        //   Report Count (27)\n0x81, 0x02,        //   Input (Data,Var,Abs)\n0xC0,              // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[   21.672709] ==================================================================\n[   21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[   21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[   21.673700]\n[   21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[   21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[   21.673700] Call Trace:\n[   21.673700]  <TASK>\n[   21.673700]  dump_stack_lvl+0x5f/0x80\n[   21.673700]  print_report+0xd1/0x660\n[   21.673700]  kasan_report+0xe5/0x120\n[   21.673700]  __asan_report_store8_noabort+0x1b/0x30\n[   21.673700]  asus_probe+0xeeb/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Allocated by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_alloc_info+0x3b/0x50\n[   21.673700]  __kasan_kmalloc+0x9c/0xa0\n[   21.673700]  __kmalloc_cache_noprof+0x139/0x340\n[   21.673700]  input_allocate_device+0x44/0x370\n[   21.673700]  hidinput_connect+0xcb6/0x2630\n[   21.673700]  hid_connect+0xf74/0x1d60\n[   21.673700]  hid_hw_start+0x8c/0x110\n[   21.673700]  asus_probe+0x5a3/0xf80\n[   21.673700]  hid_device_probe+0x2ee/0x700\n[   21.673700]  really_probe+0x1c6/0x6b0\n[   21.673700]  __driver_probe_device+0x24f/0x310\n[   21.673700]  driver_probe_device+0x4e/0x220\n[...]\n[   21.673700]\n[   21.673700] Freed by task 54:\n[   21.673700]  kasan_save_stack+0x3d/0x60\n[   21.673700]  kasan_save_track+0x18/0x40\n[   21.673700]  kasan_save_free_info+0x3f/0x60\n[   21.673700]  __kasan_slab_free+0x3c/0x50\n[   21.673700]  kfre\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39824",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39825",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the target.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39825",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39826",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert 'use' field to refcount_t\n\nThe 'use' field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh->use becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of 'use' from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39826",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39827",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the 'count' field in struct rose_neigh tracks references from\nrose_node structures, while the 'use' field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using 'use' field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh->use when rose_neigh->count is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39827",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39828",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n  struct atmtcp_control {\n  \tstruct atmtcp_hdr hdr;\t/* must be first */\n  ...\n  \tatm_kptr_t vcc;\t\t/* both directions */\n  ...\n  } __ATM_API_ALIGN;\n\n  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:\n\n  1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())\n  2. vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet's add a new ->pre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n </TASK>\nModules linked in:",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39828",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39829",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace/fgraph: Fix the warning caused by missing unregister notifier\n\nThis warning was triggered during testing on v6.16:\n\nnotifier callback ftrace_suspend_notifier_call already registered\nWARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0\n...\nCall Trace:\n <TASK>\n blocking_notifier_chain_register+0x34/0x60\n register_ftrace_graph+0x330/0x410\n ftrace_profile_write+0x1e9/0x340\n vfs_write+0xf8/0x420\n ? filp_flush+0x8a/0xa0\n ? filp_close+0x1f/0x30\n ? do_dup2+0xaf/0x160\n ksys_write+0x65/0xe0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen writing to the function_profile_enabled interface, the notifier was\nnot unregistered after start_graph_tracing failed, causing a warning the\nnext time function_profile_enabled was written.\n\nFixed by adding unregister_pm_notifier in the exception path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39829",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39830",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path\n\nIn the error path of hws_pool_buddy_init(), the buddy allocator cleanup\ndoesn't free the allocator structure itself, causing a memory leak.\n\nAdd the missing kfree() to properly release all allocated memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39830",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39831",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbnic: Move phylink resume out of service_task and into open/close\n\nThe fbnic driver was presenting with the following locking assert coming\nout of a PM resume:\n[   42.208116][  T164] RTNL: assertion failed at drivers/net/phy/phylink.c (2611)\n[   42.208492][  T164] WARNING: CPU: 1 PID: 164 at drivers/net/phy/phylink.c:2611 phylink_resume+0x190/0x1e0\n[   42.208872][  T164] Modules linked in:\n[   42.209140][  T164] CPU: 1 UID: 0 PID: 164 Comm: bash Not tainted 6.17.0-rc2-virtme #134 PREEMPT(full)\n[   42.209496][  T164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[   42.209861][  T164] RIP: 0010:phylink_resume+0x190/0x1e0\n[   42.210057][  T164] Code: 83 e5 01 0f 85 b0 fe ff ff c6 05 1c cd 3e 02 01 90 ba 33 0a 00 00 48 c7 c6 20 3a 1d a5 48 c7 c7 e0 3e 1d a5 e8 21 b8 90 fe 90 <0f> 0b 90 90 e9 86 fe ff ff e8 42 ea 1f ff e9 e2 fe ff ff 48 89 ef\n[   42.210708][  T164] RSP: 0018:ffffc90000affbd8 EFLAGS: 00010296\n[   42.210983][  T164] RAX: 0000000000000000 RBX: ffff8880078d8400 RCX: 0000000000000000\n[   42.211235][  T164] RDX: 0000000000000000 RSI: 1ffffffff4f10938 RDI: 0000000000000001\n[   42.211466][  T164] RBP: 0000000000000000 R08: ffffffffa2ae79ea R09: fffffbfff4b3eb84\n[   42.211707][  T164] R10: 0000000000000003 R11: 0000000000000000 R12: ffff888007ad8000\n[   42.211997][  T164] R13: 0000000000000002 R14: ffff888006a18800 R15: ffffffffa34c59e0\n[   42.212234][  T164] FS:  00007f0dc8e39740(0000) GS:ffff88808f51f000(0000) knlGS:0000000000000000\n[   42.212505][  T164] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   42.212704][  T164] CR2: 00007f0dc8e9fe10 CR3: 000000000b56d003 CR4: 0000000000772ef0\n[   42.213227][  T164] PKRU: 55555554\n[   42.213366][  T164] Call Trace:\n[   42.213483][  T164]  <TASK>\n[   42.213565][  T164]  __fbnic_pm_attach.isra.0+0x8e/0xa0\n[   42.213725][  T164]  pci_reset_function+0x116/0x1d0\n[   42.213895][  T164]  reset_store+0xa0/0x100\n[   42.214025][  T164]  ? pci_dev_reset_attr_is_visible+0x50/0x50\n[   42.214221][  T164]  ? sysfs_file_kobj+0xc1/0x1e0\n[   42.214374][  T164]  ? sysfs_kf_write+0x65/0x160\n[   42.214526][  T164]  kernfs_fop_write_iter+0x2f8/0x4c0\n[   42.214677][  T164]  ? kernfs_vma_page_mkwrite+0x1f0/0x1f0\n[   42.214836][  T164]  new_sync_write+0x308/0x6f0\n[   42.214987][  T164]  ? __lock_acquire+0x34c/0x740\n[   42.215135][  T164]  ? new_sync_read+0x6f0/0x6f0\n[   42.215288][  T164]  ? lock_acquire.part.0+0xbc/0x260\n[   42.215440][  T164]  ? ksys_write+0xff/0x200\n[   42.215590][  T164]  ? perf_trace_sched_switch+0x6d0/0x6d0\n[   42.215742][  T164]  vfs_write+0x65e/0xbb0\n[   42.215876][  T164]  ksys_write+0xff/0x200\n[   42.215994][  T164]  ? __ia32_sys_read+0xc0/0xc0\n[   42.216141][  T164]  ? do_user_addr_fault+0x269/0x9f0\n[   42.216292][  T164]  ? rcu_is_watching+0x15/0xd0\n[   42.216442][  T164]  do_syscall_64+0xbb/0x360\n[   42.216591][  T164]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[   42.216784][  T164] RIP: 0033:0x7f0dc8ea9986\n\nA bit of digging showed that we were invoking the phylink_resume as a part\nof the fbnic_up path when we were enabling the service task while not\nholding the RTNL lock. We should be enabling this sooner as a part of the\nndo_open path and then just letting the service task come online later.\nThis will help to enforce the correct locking and brings the phylink\ninterface online at the same time as the network interface, instead of at a\nlater time.\n\nI tested this on QEMU to verify this was working by putting the system to\nsleep using \"echo mem > /sys/power/state\" to put the system to sleep in the\nguest and then using the command \"system_wakeup\" in the QEMU monitor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39831",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39832",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix lockdep assertion on sync reset unload event\n\nFix lockdep assertion triggered during sync reset unload event. When the\nsync reset flow is initiated using the devlink reload fw_activate\noption, the PF already holds the devlink lock while handling unload\nevent. In this case, delegate sync reset unload event handling back to\nthe devlink callback process to avoid double-locking and resolve the\nlockdep warning.\n\nKernel log:\nWARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40\n[...]\nCall Trace:\n<TASK>\n mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]\n mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]\n process_one_work+0x222/0x640\n worker_thread+0x199/0x350\n kthread+0x10b/0x230\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x8e/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n</TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39832",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39833",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: hfcpci: Fix warning when deleting uninitialized timer\n\nWith CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads\nto the following splat:\n\n[  250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0\n[  250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0\n[  250.218775] Modules linked in: hfcpci(-) mISDN_core\n[  250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)\n[  250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0\n[  250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d\n[  250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286\n[  250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95\n[  250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0\n[  250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39\n[  250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001\n[  250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8\n[  250.232454] FS:  00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000\n[  250.233851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0\n[  250.236117] Call Trace:\n[  250.236599]  <TASK>\n[  250.236967]  ? trace_irq_enable.constprop.0+0xd4/0x130\n[  250.237920]  debug_object_assert_init+0x1f6/0x310\n[  250.238762]  ? __pfx_debug_object_assert_init+0x10/0x10\n[  250.239658]  ? __lock_acquire+0xdea/0x1c70\n[  250.240369]  __try_to_del_timer_sync+0x69/0x140\n[  250.241172]  ? __pfx___try_to_del_timer_sync+0x10/0x10\n[  250.242058]  ? __timer_delete_sync+0xc6/0x120\n[  250.242842]  ? lock_acquire+0x30/0x80\n[  250.243474]  ? __timer_delete_sync+0xc6/0x120\n[  250.244262]  __timer_delete_sync+0x98/0x120\n[  250.245015]  HFC_cleanup+0x10/0x20 [hfcpci]\n[  250.245704]  __do_sys_delete_module+0x348/0x510\n[  250.246461]  ? __pfx___do_sys_delete_module+0x10/0x10\n[  250.247338]  do_syscall_64+0xc1/0x360\n[  250.247924]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFix this by initializing hfc_tl timer with DEFINE_TIMER macro.\nAlso, use mod_timer instead of manual timeout update.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39833",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39834",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow\n\nWhen an invalid stc_type is provided, the function allocates memory for\nshared_stc but jumps to unlock_and_out without freeing it, causing a\nmemory leak.\n\nFix by jumping to free_shared_stc label instead to ensure proper cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39834",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39835",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: do not propagate ENODATA disk errors into xattr code\n\nENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;\nnamely, that the requested attribute name could not be found.\n\nHowever, a medium error from disk may also return ENODATA. At best,\nthis medium error may escape to userspace as \"attribute not found\"\nwhen in fact it's an IO (disk) error.\n\nAt worst, we may oops in xfs_attr_leaf_get() when we do:\n\n\terror = xfs_attr_leaf_hasname(args, &bp);\n\tif (error == -ENOATTR)  {\n\t\txfs_trans_brelse(args->trans, bp);\n\t\treturn error;\n\t}\n\nbecause an ENODATA/ENOATTR error from disk leaves us with a null bp,\nand the xfs_trans_brelse will then null-deref it.\n\nAs discussed on the list, we really need to modify the lower level\nIO functions to trap all disk errors and ensure that we don't let\nunique errors like this leak up into higher xfs functions - many\nlike this should be remapped to EIO.\n\nHowever, this patch directly addresses a reported bug in the xattr\ncode, and should be safe to backport to stable kernels. A larger-scope\npatch to handle more unique errors at lower levels can follow later.\n\n(Note, prior to 07120f1abdff we did not oops, but we did return the\nwrong error code to userspace.)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39835",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39836",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: stmm: Fix incorrect buffer allocation method\n\nThe communication buffer allocated by setup_mm_hdr() is later on passed\nto tee_shm_register_kernel_buf(). The latter expects those buffers to be\ncontiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause\nvarious corruptions or BUGs, specifically since commit 9aec2fb0fd5e\n(\"slab: allocate frozen pages\"), though it was broken before as well.\n\nFix this by using alloc_pages_exact() instead of kmalloc().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39836",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39837",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: asus-wmi: Fix racy registrations\n\nasus_wmi_register_driver() may be called from multiple drivers\nconcurrently, which can lead to the racy list operations, eventually\ncorrupting the memory and hitting Oops on some ASUS machines.\nAlso, the error handling is missing, and it forgot to unregister ACPI\nlps0 dev ops in the error case.\n\nThis patch covers those issues by introducing a simple mutex at\nacpi_wmi_register_driver() & *_unregister_driver, and adding the\nproper call of asus_s2idle_check_unregister() in the error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39837",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39838",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL pointer dereference in UTF16 conversion\n\nThere can be a NULL pointer dereference bug here. NULL is passed to\n__cifs_sfu_make_node without checks, which passes it unchecked to\ncifs_strndup_to_utf16, which in turn passes it to\ncifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.\n\nThis patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and\nreturns NULL early to prevent dereferencing NULL pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39838",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39839",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39839",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39840",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix out-of-bounds read in audit_compare_dname_path()\n\nWhen a watch on dir=/ is combined with an fsnotify event for a\nsingle-character name directly under / (e.g., creating /a), an\nout-of-bounds read can occur in audit_compare_dname_path().\n\nThe helper parent_len() returns 1 for \"/\". In audit_compare_dname_path(),\nwhen parentlen equals the full path length (1), the code sets p = path + 1\nand pathlen = 1 - 1 = 0. The subsequent loop then dereferences\np[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.\n\nFix this by adding a pathlen > 0 check to the while loop condition\nto prevent the out-of-bounds access.\n\n[PM: subject tweak, sign-off email fixes]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39840",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39841",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39841",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39842",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: prevent release journal inode after journal shutdown\n\nBefore calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already\nbeen executed in ocfs2_dismount_volume(), so osb->journal must be NULL. \nTherefore, the following calltrace will inevitably fail when it reaches\njbd2_journal_release_jbd_inode().\n\nocfs2_dismount_volume()->\n  ocfs2_delete_osb()->\n    ocfs2_free_slot_info()->\n      __ocfs2_free_slot_info()->\n        evict()->\n          ocfs2_evict_inode()->\n            ocfs2_clear_inode()->\n\t      jbd2_journal_release_jbd_inode(osb->journal->j_journal,\n\nAdding osb->journal checks will prevent null-ptr-deref during the above\nexecution path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39842",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39843",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: slub: avoid wake up kswapd in set_track_prepare\n\nset_track_prepare() can incur lock recursion.\nThe issue is that it is called from hrtimer_start_range_ns\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\n\nAvoid deadlock caused by implicitly waking up kswapd by passing in\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\ndebug_objects_fill_pool() case. Inside stack depot they are processed by\ngfp_nested_mask().\nSince ___slab_alloc() has preemption disabled, we mask out\n__GFP_DIRECT_RECLAIM from the flags there.\n\nThe oops looks something like:\n\nBUG: spinlock recursion on CPU#3, swapper/3/0\n lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\nCall trace:\nspin_bug+0x0\n_raw_spin_lock_irqsave+0x80\nhrtimer_try_to_cancel+0x94\ntask_contending+0x10c\nenqueue_dl_entity+0x2a4\ndl_server_start+0x74\nenqueue_task_fair+0x568\nenqueue_task+0xac\ndo_activate_task+0x14c\nttwu_do_activate+0xcc\ntry_to_wake_up+0x6c8\ndefault_wake_function+0x20\nautoremove_wake_function+0x1c\n__wake_up+0xac\nwakeup_kswapd+0x19c\nwake_all_kswapds+0x78\n__alloc_pages_slowpath+0x1ac\n__alloc_pages_noprof+0x298\nstack_depot_save_flags+0x6b0\nstack_depot_save+0x14\nset_track_prepare+0x5c\n___slab_alloc+0xccc\n__kmalloc_cache_noprof+0x470\n__set_page_owner+0x2bc\npost_alloc_hook[jt]+0x1b8\nprep_new_page+0x28\nget_page_from_freelist+0x1edc\n__alloc_pages_noprof+0x13c\nalloc_slab_page+0x244\nallocate_slab+0x7c\n___slab_alloc+0x8e8\nkmem_cache_alloc_noprof+0x450\ndebug_objects_fill_pool+0x22c\ndebug_object_activate+0x40\nenqueue_hrtimer[jt]+0xdc\nhrtimer_start_range_ns+0x5f8\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39843",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39844",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: move page table sync declarations to linux/pgtable.h\n\nDuring our internal testing, we started observing intermittent boot\nfailures when the machine uses 4-level paging and has a large amount of\npersistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0 \n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   <TASK>\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   </TASK>\n\nIt turns out that the kernel panics while initializing vmemmap (struct\npage array) when the vmemmap region spans two PGD entries, because the new\nPGD entry is only installed in init_mm.pgd, but not in the page tables of\nother tasks.\n\nAnd looking at __populate_section_memmap():\n  if (vmemmap_can_optimize(altmap, pgmap))                                \n          // does not sync top level page tables\n          r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);\n  else                                                                    \n          // sync top level page tables in x86\n          r = vmemmap_populate(start, end, nid, altmap);\n\nIn the normal path, vmemmap_populate() in arch/x86/mm/init_64.c\nsynchronizes the top level page table (See commit 9b861528a801 (\"x86-64,\nmem: Update all PGDs for direct mapping and vmemmap mapping changes\")) so\nthat all tasks in the system can see the new vmemmap area.\n\nHowever, when vmemmap_can_optimize() returns true, the optimized path\nskips synchronization of top-level page tables.  This is because\nvmemmap_populate_compound_pages() is implemented in core MM code, which\ndoes not handle synchronization of the top-level page tables.  Instead,\nthe core MM has historically relied on each architecture to perform this\nsynchronization manually.\n\nWe're not the first party to encounter a crash caused by not-sync'd top\nlevel page tables: earlier this year, Gwan-gyeong Mun attempted to address\nthe issue [1] [2] after hitting a kernel panic when x86 code accessed the\nvmemmap area before the corresponding top-level entries were synced.  At\nthat time, the issue was believed to be triggered only when struct page\nwas enlarged for debugging purposes, and the patch did not get further\nupdates.\n\nIt turns out that current approach of relying on each arch to handle the\npage table sync manually is fragile because 1) it's easy to forget to sync\nthe top level page table, and 2) it's also easy to overlook that the\nkernel should not access the vmemmap and direct mapping areas before the\nsync.\n\n# The solution: Make page table sync more code robust and harder to miss\n\nTo address this, Dave Hansen suggested [3] [4] introducing\n{pgd,p4d}_populate_kernel() for updating kernel portion of the page tables\nand allow each architecture to explicitly perform synchronization when\ninstalling top-level entries.  With this approach, we no longer need to\nworry about missing the sync step, reducing the risk of future\nregressions.\n\nThe new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK,\nPGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by\nvmalloc and ioremap to synchronize page tables.\n\npgd_populate_kernel() looks like this:\nstatic inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd,\n                                       p4d_t *p4d)\n{\n        pgd_populate(&init_mm, pgd, p4d);\n        if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)\n                arch_sync_kernel_mappings(addr, addr);\n}\n\nIt is worth noting that vmalloc() and apply_to_range() carefully\nsynchronizes page tables by calling p*d_alloc_track() and\narch_sync_kernel_mappings(), and thus they are not affected by\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39844",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39845",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is performed via\npgd_populate_kernel().  In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n  BUG: unable to handle page fault for address: ffffe70000000034\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: 0002 [#1] SMP NOPTI\n  RIP: 0010:__init_single_page+0x9/0x6d\n  Call Trace:\n   <TASK>\n   __init_zone_device_page+0x17/0x5d\n   memmap_init_zone_device+0x154/0x1bb\n   pagemap_range+0x2e0/0x40f\n   memremap_pages+0x10b/0x2f0\n   devm_memremap_pages+0x1e/0x60\n   dev_dax_probe+0xce/0x2ec [device_dax]\n   dax_bus_probe+0x6d/0xc9\n   [... snip ...]\n   </TASK>\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n  BUG: unable to handle page fault for address: ffffeb3ff1200000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n  Tainted: [W]=WARN\n  RIP: 0010:vmemmap_set_pmd+0xff/0x230\n   <TASK>\n   vmemmap_populate_hugepages+0x176/0x180\n   vmemmap_populate+0x34/0x80\n   __populate_section_memmap+0x41/0x90\n   sparse_add_section+0x121/0x3e0\n   __add_pages+0xba/0x150\n   add_pages+0x1d/0x70\n   memremap_pages+0x3dc/0x810\n   devm_memremap_pages+0x1c/0x60\n   xe_devm_add+0x8b/0x100 [xe]\n   xe_tile_init_noalloc+0x6a/0x70 [xe]\n   xe_device_probe+0x48c/0x740 [xe]\n   [... snip ...]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39845",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39846",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39846",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39847",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix memory leak in pad_compress_skb\n\nIf alloc_skb() fails in pad_compress_skb(), it returns NULL without\nreleasing the old skb. The caller does:\n\n    skb = pad_compress_skb(ppp, skb);\n    if (!skb)\n        goto drop;\n\ndrop:\n    kfree_skb(skb);\n\nWhen pad_compress_skb() returns NULL, the reference to the old skb is\nlost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.\n\nAlign pad_compress_skb() semantics with realloc(): only free the old\nskb if allocation and compression succeed.  At the call site, use the\nnew_skb variable so the original skb is not lost when pad_compress_skb()\nfails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39847",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39848",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb->dev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39848",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39849",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()\n\nIf the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would\nlead to memory corruption so add some bounds checking.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39849",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39850",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects\n\nWhen the \"proxy\" option is enabled on a VXLAN device, the device will\nsuppress ARP requests and IPv6 Neighbor Solicitation messages if it is\nable to reply on behalf of the remote host. That is, if a matching and\nvalid neighbor entry is configured on the VXLAN device whose MAC address\nis not behind the \"any\" remote (0.0.0.0 / ::).\n\nThe code currently assumes that the FDB entry for the neighbor's MAC\naddress points to a valid remote destination, but this is incorrect if\nthe entry is associated with an FDB nexthop group. This can result in a\nNPD [1][3] which can be reproduced using [2][4].\n\nFix by checking that the remote destination exists before dereferencing\nit.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_xmit+0xb58/0x15f0\n[...]\nCall Trace:\n <TASK>\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.2 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy\n\n ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3\n\n[3]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014\nRIP: 0010:vxlan_xmit+0x803/0x1600\n[...]\nCall Trace:\n <TASK>\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n ip6_finish_output2+0x210/0x6c0\n ip6_finish_output+0x1af/0x2b0\n ip6_mr_output+0x92/0x3e0\n ip6_send_skb+0x30/0x90\n rawv6_sendmsg+0xe6e/0x12e0\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f383422ec77\n\n[4]\n #!/bin/bash\n\n ip address add 2001:db8:1::1/128 dev lo\n\n ip nexthop add id 1 via 2001:db8:1::1 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy\n\n ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39850",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39851",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD when refreshing an FDB entry with a nexthop object\n\nVXLAN FDB entries can point to either a remote destination or an FDB\nnexthop group. The latter is usually used in EVPN deployments where\nlearning is disabled.\n\nHowever, when learning is enabled, an incoming packet might try to\nrefresh an FDB entry that points to an FDB nexthop group and therefore\ndoes not have a remote. Such packets should be dropped, but they are\nonly dropped after dereferencing the non-existent remote, resulting in a\nNPD [1] which can be reproduced using [2].\n\nFix by dropping such packets earlier. Remove the misleading comment from\nfirst_remote_rcu().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_snoop+0x98/0x1e0\n[...]\nCall Trace:\n <TASK>\n vxlan_encap_bypass+0x209/0x240\n encap_bypass_if_local+0xb1/0x100\n vxlan_xmit_one+0x1375/0x17e0\n vxlan_xmit+0x6b4/0x15f0\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n ip address add 192.0.2.2/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.3 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass\n ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020\n bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10\n\n mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39851",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39852",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6\n\nWhen tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just\nexits the function. This ends up causing a memory-leak:\n\nunreferenced object 0xffff0000281a8200 (size 2496):\n  comm \"softirq\", pid 0, jiffies 4295174684\n  hex dump (first 32 bytes):\n    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................\n    0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............\n  backtrace (crc 5ebdbe15):\n    kmemleak_alloc+0x44/0xe0\n    kmem_cache_alloc_noprof+0x248/0x470\n    sk_prot_alloc+0x48/0x120\n    sk_clone_lock+0x38/0x3b0\n    inet_csk_clone_lock+0x34/0x150\n    tcp_create_openreq_child+0x3c/0x4a8\n    tcp_v6_syn_recv_sock+0x1c0/0x620\n    tcp_check_req+0x588/0x790\n    tcp_v6_rcv+0x5d0/0xc18\n    ip6_protocol_deliver_rcu+0x2d8/0x4c0\n    ip6_input_finish+0x74/0x148\n    ip6_input+0x50/0x118\n    ip6_sublist_rcv+0x2fc/0x3b0\n    ipv6_list_rcv+0x114/0x170\n    __netif_receive_skb_list_core+0x16c/0x200\n    netif_receive_skb_list_internal+0x1f0/0x2d0\n\nThis is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when\nexiting upon error, inet_csk_prepare_forced_close() and tcp_done() need\nto be called. They make sure the newsk will end up being correctly\nfree'd.\n\ntcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit\nlabel that takes care of things. So, this patch here makes sure\ntcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar\nerror-handling and thus fixes the leak for TCP-AO.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39852",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39853",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39853",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39854",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL access of tx->in_use in ice_ll_ts_intr\n\nRecent versions of the E810 firmware have support for an extra interrupt to\nhandle report of the \"low latency\" Tx timestamps coming from the\nspecialized low latency firmware interface. Instead of polling the\nregisters, software can wait until the low latency interrupt is fired.\n\nThis logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as\nit uses the same \"ready\" bitmap to track which Tx timestamps complete.\n\nUnfortunately, the ice_ll_ts_intr() function does not check if the\ntracker is initialized before its first access. This results in NULL\ndereference or use-after-free bugs similar to the issues fixed in the\nice_ptp_ts_irq() function.\n\nFix this by only checking the in_use bitmap (and other fields) if the\ntracker is marked as initialized. The reset flow will clear the init field\nunder lock before it tears the tracker down, thus preventing any\nuse-after-free or NULL access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39854",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39855",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL access of tx->in_use in ice_ptp_ts_irq\n\nThe E810 device has support for a \"low latency\" firmware interface to\naccess and read the Tx timestamps. This interface does not use the standard\nTx timestamp logic, due to the latency overhead of proxying sideband\ncommand requests over the firmware AdminQ.\n\nThe logic still makes use of the Tx timestamp tracking structure,\nice_ptp_tx, as it uses the same \"ready\" bitmap to track which Tx\ntimestamps complete.\n\nUnfortunately, the ice_ptp_ts_irq() function does not check if the tracker\nis initialized before its first access. This results in NULL dereference or\nuse-after-free bugs similar to the following:\n\n[245977.278756] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[245977.278774] RIP: 0010:_find_first_bit+0x19/0x40\n[245977.278796] Call Trace:\n[245977.278809]  ? ice_misc_intr+0x364/0x380 [ice]\n\nThis can occur if a Tx timestamp interrupt races with the driver reset\nlogic.\n\nFix this by only checking the in_use bitmap (and other fields) if the\ntracker is marked as initialized. The reset flow will clear the init field\nunder lock before it tears the tracker down, thus preventing any\nuse-after-free or NULL access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39855",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39856",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev\n\nIn the TX completion packet stage of TI SoCs with CPSW2G instance, which\nhas single external ethernet port, ndev is accessed without being\ninitialized if no TX packets have been processed. It results into null\npointer dereference, causing kernel to crash. Fix this by having a check\non the number of TX packets which have been processed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39856",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39857",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()\n\nBUG: kernel NULL pointer dereference, address: 00000000000002ec\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G        OE       6.17.0-rc2+ #9 NONE\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nWorkqueue: smc_hs_wq smc_listen_work [smc]\nRIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]\n...\nCall Trace:\n <TASK>\n smcr_buf_map_link+0x211/0x2a0 [smc]\n __smc_buf_create+0x522/0x970 [smc]\n smc_buf_create+0x3a/0x110 [smc]\n smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]\n ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]\n smc_listen_find_device+0x1dd/0x2b0 [smc]\n smc_listen_work+0x30f/0x580 [smc]\n process_one_work+0x18c/0x340\n worker_thread+0x242/0x360\n kthread+0xe7/0x220\n ret_from_fork+0x13a/0x160\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nIf the software RoCE device is used, ibdev->dma_device is a null pointer.\nAs a result, the problem occurs. Null pointer detection is added to\nprevent problems.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39857",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39858",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring\n\nReplace NULL check with IS_ERR() check after calling page_pool_create()\nsince this function returns error pointers (ERR_PTR).\nUsing NULL check could lead to invalid pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39858",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39859",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog\n\nThe ptp_ocp_detach() only shuts down the watchdog timer if it is\npending. However, if the timer handler is already running, the\ntimer_delete_sync() is not called. This leads to race conditions\nwhere the devlink that contains the ptp_ocp is deallocated while\nthe timer handler is still accessing it, resulting in use-after-free\nbugs. The following details one of the race scenarios.\n\n(thread 1)                           | (thread 2)\nptp_ocp_remove()                     |\n  ptp_ocp_detach()                   | ptp_ocp_watchdog()\n    if (timer_pending(&bp->watchdog))|   bp = timer_container_of()\n      timer_delete_sync()            |\n                                     |\n  devlink_free(devlink) //free       |\n                                     |   bp-> //use\n\nResolve this by unconditionally calling timer_delete_sync() to ensure\nthe timer is reliably deactivated, preventing any access after free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39859",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39860",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n  CPU1                        CPU2 (close())\n  ----                        ----\n  sock_hold(sk)               sock_hold(sk);\n  lock_sock(sk)   <-- block close()\n  sock_put(sk)\n  bt_accept_unlink(sk)\n    sock_put(sk)  <-- refcnt by bt_accept_enqueue()\n  release_sock(sk)\n                              lock_sock(sk)\n                              sock_put(sk)\n                              bt_accept_unlink(sk)\n                                sock_put(sk)        <-- last refcnt\n                              bt_accept_unlink(sk)  <-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet's call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n </TASK>\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39860",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39861",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: vhci: Prevent use-after-free by removing debugfs files early\n\nMove the creation of debugfs files into a dedicated function, and ensure\nthey are explicitly removed during vhci_release(), before associated\ndata structures are freed.\n\nPreviously, debugfs files such as \"force_suspend\", \"force_wakeup\", and\nothers were created under hdev->debugfs but not removed in\nvhci_release(). Since vhci_release() frees the backing vhci_data\nstructure, any access to these files after release would result in\nuse-after-free errors.\n\nAlthough hdev->debugfs is later freed in hci_release_dev(), user can\naccess files after vhci_data is freed but before hdev->debugfs is\nreleased.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39861",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39862",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix list corruption after hardware restart\n\nSince stations are recreated from scratch, all lists that wcids are added\nto must be cleared before calling ieee80211_restart_hw.\nSet wcid->sta = 0 for each wcid entry in order to ensure that they are\nnot added again before they are ready.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39862",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39863",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(&bt_local->work) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0                           | CPU1\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\n                               |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)   |\n    ...                        |\n  cancel_work_sync();          |\n  ...                          |\n  kfree(cfg->btcoex); // FREE  |\n                               |   schedule_work(&bt_local->work); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0                            | CPU1\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\n                                |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)    |\n    ...                         |\n  cancel_work_sync();           |\n  ...                           |   schedule_work(); // Reschedule\n                                |\n  kfree(cfg->btcoex); // FREE   |   brcmf_btcoex_handler() // Worker\n  /*                            |     btci = container_of(....); // USE\n   The kfree() above could      |     ...\n   also occur at any point      |     btci-> // USE\n   during the worker's execution|\n   */                           |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39863",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39864",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they're not shared via the corresponding\n'hidden_beacon_bss' pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39864",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39865",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache -->\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n        tee_shm_free(shm); -->\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39865",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39866",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed                         kworker\n----------------------------------------------------------------------\n___mark_inode_dirty                     inode_switch_wbs_work_fn\n\n  spin_lock(&inode->i_lock);\n  inode_attach_wb\n  locked_inode_to_wb_and_lock_list\n     get inode->i_wb\n     spin_unlock(&inode->i_lock);\n     spin_lock(&wb->list_lock)\n  spin_lock(&inode->i_lock)\n  inode_io_list_move_locked\n  spin_unlock(&wb->list_lock)\n  spin_unlock(&inode->i_lock)\n                                    spin_lock(&old_wb->list_lock)\n                                      inode_do_switch_wbs\n                                        spin_lock(&inode->i_lock)\n                                        inode->i_wb = new_wb\n                                        spin_unlock(&inode->i_lock)\n                                    spin_unlock(&old_wb->list_lock)\n                                    wb_put_many(old_wb, nr_switched)\n                                      cgwb_release\n                                        old wb released\n  wb_wakeup_delayed() accesses wb,\n  then trigger the use-after-free\n  issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39866",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39868",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix runtime warning on truncate_folio_batch_exceptionals()\n\nCommit 0e2f80afcfa6(\"fs/dax: ensure all pages are idle prior to\nfilesystem unmount\") introduced the WARN_ON_ONCE to capture whether\nthe filesystem has removed all DAX entries or not and applied the\nfix to xfs and ext4.\n\nApply the missed fix on erofs to fix the runtime warning:\n\n[  5.266254] ------------[ cut here ]------------\n[  5.266274] WARNING: CPU: 6 PID: 3109 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xff/0x260\n[  5.266294] Modules linked in:\n[  5.266999] CPU: 6 UID: 0 PID: 3109 Comm: umount Tainted: G S                  6.16.0+ #6 PREEMPT(voluntary)\n[  5.267012] Tainted: [S]=CPU_OUT_OF_SPEC\n[  5.267017] Hardware name: Dell Inc. OptiPlex 5000/05WXFV, BIOS 1.5.1 08/24/2022\n[  5.267024] RIP: 0010:truncate_folio_batch_exceptionals+0xff/0x260\n[  5.267076] Code: 00 00 41 39 df 7f 11 eb 78 83 c3 01 49 83 c4 08 41 39 df 74 6c 48 63 f3 48 83 fe 1f 0f 83 3c 01 00 00 43 f6 44 26 08 01 74 df <0f> 0b 4a 8b 34 22 4c 89 ef 48 89 55 90 e8 ff 54 1f 00 48 8b 55 90\n[  5.267083] RSP: 0018:ffffc900013f36c8 EFLAGS: 00010202\n[  5.267095] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[  5.267101] RDX: ffffc900013f3790 RSI: 0000000000000000 RDI: ffff8882a1407898\n[  5.267108] RBP: ffffc900013f3740 R08: 0000000000000000 R09: 0000000000000000\n[  5.267113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[  5.267119] R13: ffff8882a1407ab8 R14: ffffc900013f3888 R15: 0000000000000001\n[  5.267125] FS:  00007aaa8b437800(0000) GS:ffff88850025b000(0000) knlGS:0000000000000000\n[  5.267132] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  5.267138] CR2: 00007aaa8b3aac10 CR3: 000000024f764000 CR4: 0000000000f52ef0\n[  5.267144] PKRU: 55555554\n[  5.267150] Call Trace:\n[  5.267154]  <TASK>\n[  5.267181]  truncate_inode_pages_range+0x118/0x5e0\n[  5.267193]  ? save_trace+0x54/0x390\n[  5.267296]  truncate_inode_pages_final+0x43/0x60\n[  5.267309]  evict+0x2a4/0x2c0\n[  5.267339]  dispose_list+0x39/0x80\n[  5.267352]  evict_inodes+0x150/0x1b0\n[  5.267376]  generic_shutdown_super+0x41/0x180\n[  5.267390]  kill_block_super+0x1b/0x50\n[  5.267402]  erofs_kill_sb+0x81/0x90 [erofs]\n[  5.267436]  deactivate_locked_super+0x32/0xb0\n[  5.267450]  deactivate_super+0x46/0x60\n[  5.267460]  cleanup_mnt+0xc3/0x170\n[  5.267475]  __cleanup_mnt+0x12/0x20\n[  5.267485]  task_work_run+0x5d/0xb0\n[  5.267499]  exit_to_user_mode_loop+0x144/0x170\n[  5.267512]  do_syscall_64+0x2b9/0x7c0\n[  5.267523]  ? __lock_acquire+0x665/0x2ce0\n[  5.267535]  ? __lock_acquire+0x665/0x2ce0\n[  5.267560]  ? lock_acquire+0xcd/0x300\n[  5.267573]  ? find_held_lock+0x31/0x90\n[  5.267582]  ? mntput_no_expire+0x97/0x4e0\n[  5.267606]  ? mntput_no_expire+0xa1/0x4e0\n[  5.267625]  ? mntput+0x24/0x50\n[  5.267634]  ? path_put+0x1e/0x30\n[  5.267647]  ? do_faccessat+0x120/0x2f0\n[  5.267677]  ? do_syscall_64+0x1a2/0x7c0\n[  5.267686]  ? from_kgid_munged+0x17/0x30\n[  5.267703]  ? from_kuid_munged+0x13/0x30\n[  5.267711]  ? __do_sys_getuid+0x3d/0x50\n[  5.267724]  ? do_syscall_64+0x1a2/0x7c0\n[  5.267732]  ? irqentry_exit+0x77/0xb0\n[  5.267743]  ? clear_bhb_loop+0x30/0x80\n[  5.267752]  ? clear_bhb_loop+0x30/0x80\n[  5.267765]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  5.267772] RIP: 0033:0x7aaa8b32a9fb\n[  5.267781] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e9 83 0d 00 f7 d8\n[  5.267787] RSP: 002b:00007ffd7c4c9468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[  5.267796] RAX: 0000000000000000 RBX: 00005a61592a8b00 RCX: 00007aaa8b32a9fb\n[  5.267802] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005a61592b2080\n[  5.267806] RBP: 00007ffd7c4c9540 R08: 00007aaa8b403b20 R09: 0000000000000020\n[  5.267812] R10: 0000000000000001 R11: 0000000000000246 R12: 00005a61592a8c00\n[  5.267817] R13: 00000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39868",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39869",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n\nFix a critical memory allocation bug in edma_setup_from_hw() where\nqueue_priority_map was allocated with insufficient memory. The code\ndeclared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),\nbut allocated memory using sizeof(s8) instead of the correct size.\n\nThis caused out-of-bounds memory writes when accessing:\n  queue_priority_map[i][0] = i;\n  queue_priority_map[i][1] = i;\n\nThe bug manifested as kernel crashes with \"Oops - undefined instruction\"\non ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the\nmemory corruption triggered kernel hardening features on Clang.\n\nChange the allocation to use sizeof(*queue_priority_map) which\nautomatically gets the correct size for the 2D array structure.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39869",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39870",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle.  It's simpler to just re-write it in a cleaner\nway.  The issues here are:\n\n1) If \"idxd->max_wqs\" is <= 0 then we call put_device(conf_dev) when\n   \"conf_dev\" hasn't been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid.  It's\n   either uninitialized or it points to the \"conf_dev\" from the\n   previous iteration so it leads to a double free.\n\nIt's better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations.  I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39870",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39871",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n <TASK>\n  idxd_remove+0xe4/0x120 [idxd]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x197/0x200\n  driver_detach+0x48/0x90\n  bus_remove_driver+0x74/0xf0\n  pci_unregister_driver+0x2e/0xb0\n  idxd_exit_module+0x34/0x7a0 [idxd]\n  __do_sys_delete_module.constprop.0+0x183/0x280\n  do_syscall_64+0x54/0xd70\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -> device_unregister() -> put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39871",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39872",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: hold rcu and dev lock for hsr_get_port_ndev\n\nhsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.\nOn the other hand, before return the port device, we need to hold the\ndevice reference to avoid UaF in the caller function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39872",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39873",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB\n\ncan_put_echo_skb() takes ownership of the SKB and it may be freed\nduring or after the call.\n\nHowever, xilinx_can xcan_write_frame() keeps using SKB after the call.\n\nFix that by only calling can_put_echo_skb() after the code is done\ntouching the SKB.\n\nThe tx_lock is held for the entire xcan_write_frame() execution and\nalso on the can_get_echo_skb() side so the order of operations does not\nmatter.\n\nAn earlier fix commit 3d3c817c3a40 (\"can: xilinx_can: Fix usage of skb\nmemory\") did not move the can_put_echo_skb() call far enough.\n\n[mkl: add \"commit\" in front of sha1 in patch description]\n[mkl: fix indention]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39873",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39874",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacsec: sync features on RTM_NEWLINK\n\nSyzkaller managed to lock the lower device via ETHTOOL_SFEATURES:\n\n netdev_lock include/linux/netdevice.h:2761 [inline]\n netdev_lock_ops include/net/netdev_lock.h:42 [inline]\n netdev_sync_lower_features net/core/dev.c:10649 [inline]\n __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819\n netdev_update_features+0x6d/0xe0 net/core/dev.c:10876\n macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]\n call_netdevice_notifiers net/core/dev.c:2281 [inline]\n netdev_features_change+0x85/0xc0 net/core/dev.c:1570\n __dev_ethtool net/ethtool/ioctl.c:3469 [inline]\n dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502\n dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759\n\nIt happens because lower features are out of sync with the upper:\n\n  __dev_ethtool (real_dev)\n    netdev_lock_ops(real_dev)\n    ETHTOOL_SFEATURES\n      __netdev_features_change\n        netdev_sync_upper_features\n          disable LRO on the lower\n    if (old_features != dev->features)\n      netdev_features_change\n        fires NETDEV_FEAT_CHANGE\n\tmacsec_notify\n\t  NETDEV_FEAT_CHANGE\n\t    netdev_update_features (for each macsec dev)\n\t      netdev_sync_lower_features\n\t        if (upper_features != lower_features)\n\t          netdev_lock_ops(lower) # lower == real_dev\n\t\t  stuck\n\t\t  ...\n\n    netdev_unlock_ops(real_dev)\n\nPer commit af5f54b0ef9e (\"net: Lock lower level devices when updating\nfeatures\"), we elide the lock/unlock when the upper and lower features\nare synced. Makes sure the lower (real_dev) has proper features after\nthe macsec link has been created. This makes sure we never hit the\nsituation where we need to sync upper flags to the lower.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39874",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39875",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix NULL pointer dereference in ethtool loopback test\n\nThe igb driver currently causes a NULL pointer dereference when executing\nthe ethtool loopback test. This occurs because there is no associated\nq_vector for the test ring when it is set up, as interrupts are typically\nnot added to the test rings.\n\nSince commit 5ef44b3cb43b removed the napi_id assignment in\n__xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.\nTherefore, simply use 0 as the last parameter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39875",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39876",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n\nThe function of_phy_find_device may return NULL, so we need to take\ncare before dereferencing phy_dev.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39876",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39877",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix use-after-free in state_show()\n\nstate_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. \nThis allows a use-after-free race:\n\nCPU 0                         CPU 1\n-----                         -----\nstate_show()                  damon_sysfs_turn_damon_on()\nctx = kdamond->damon_ctx;     mutex_lock(&damon_sysfs_lock);\n                              damon_destroy_ctx(kdamond->damon_ctx);\n                              kdamond->damon_ctx = NULL;\n                              mutex_unlock(&damon_sysfs_lock);\ndamon_is_running(ctx);        /* ctx is freed */\nmutex_lock(&ctx->kdamond_lock); /* UAF */\n\n(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and\ndamon_sysfs_kdamond_release(), which free or replace the context under\ndamon_sysfs_lock.)\n\nFix by taking damon_sysfs_lock before dereferencing the context, mirroring\nthe locking used in pid_show().\n\nThe bug has existed since state_show() first accessed kdamond->damon_ctx.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39877",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39878",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash after fscrypt_encrypt_pagecache_blocks() error\n\nThe function move_dirty_folio_in_page_array() was created by commit\nce80b76dd327 (\"ceph: introduce ceph_process_folio_batch() method\") by\nmoving code from ceph_writepages_start() to this function.\n\nThis new function is supposed to return an error code which is checked\nby the caller (now ceph_process_folio_batch()), and on error, the\ncaller invokes redirty_page_for_writepage() and then breaks from the\nloop.\n\nHowever, the refactoring commit has gone wrong, and it by accident, it\nalways returns 0 (= success) because it first NULLs the pointer and\nthen returns PTR_ERR(NULL) which is always 0.  This means errors are\nsilently ignored, leaving NULL entries in the page array, which may\nlater crash the kernel.\n\nThe simple solution is to call PTR_ERR() before clearing the pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39878",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39879",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: always call ceph_shift_unused_folios_left()\n\nThe function ceph_process_folio_batch() sets folio_batch entries to\nNULL, which is an illegal state.  Before folio_batch_release() crashes\ndue to this API violation, the function ceph_shift_unused_folios_left()\nis supposed to remove those NULLs from the array.\n\nHowever, since commit ce80b76dd327 (\"ceph: introduce\nceph_process_folio_batch() method\"), this shifting doesn't happen\nanymore because the \"for\" loop got moved to ceph_process_folio_batch(),\nand now the `i` variable that remains in ceph_writepages_start()\ndoesn't get incremented anymore, making the shifting effectively\nunreachable much of the time.\n\nLater, commit 1551ec61dc55 (\"ceph: introduce ceph_submit_write()\nmethod\") added more preconditions for doing the shift, replacing the\n`i` check (with something that is still just as broken):\n\n- if ceph_process_folio_batch() fails, shifting never happens\n\n- if ceph_move_dirty_page_in_page_array() was never called (because\n  ceph_process_folio_batch() has returned early for some of various\n  reasons), shifting never happens\n\n- if `processed_in_fbatch` is zero (because ceph_process_folio_batch()\n  has returned early for some of the reasons mentioned above or\n  because ceph_move_dirty_page_in_page_array() has failed), shifting\n  never happens\n\nSince those two commits, any problem in ceph_process_folio_batch()\ncould crash the kernel, e.g. this way:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023\n Workqueue: writeback wb_workfn (flush-ceph-1)\n RIP: 0010:folios_put_refs+0x85/0x140\n Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 >\n RSP: 0018:ffffb880af8db778 EFLAGS: 00010207\n RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003\n RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0\n RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f\n R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000\n FS:  0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ceph_writepages_start+0xeb9/0x1410\n\nThe crash can be reproduced easily by changing the\nceph_check_page_before_write() return value to `-E2BIG`.\n\n(Interestingly, the crash happens only if `huge_zero_folio` has\nalready been allocated; without `huge_zero_folio`,\nis_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL\nentries instead of dereferencing them.  That makes reproducing the bug\nsomewhat unreliable.  See\nhttps://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com\nfor a discussion of this detail.)\n\nMy suggestion is to move the ceph_shift_unused_folios_left() to right\nafter ceph_process_folio_batch() to ensure it always gets called to\nfix up the illegal folio_batch state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39879",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39880",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con->v1 union member without\nchecking that the union member is active (i.e. msgr1 is in use).\n\nOn 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use.  This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that\nit's being written to can cause more serious consequences, but luckily\nit's not something that happens often.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39880",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39881",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: Fix UAF in polling when open file is released\n\nA use-after-free (UAF) vulnerability was identified in the PSI (Pressure\nStall Information) monitoring mechanism:\n\nBUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140\nRead of size 8 at addr ffff3de3d50bd308 by task systemd/1\n\npsi_trigger_poll+0x3c/0x140\ncgroup_pressure_poll+0x70/0xa0\ncgroup_file_poll+0x8c/0x100\nkernfs_fop_poll+0x11c/0x1c0\nep_item_poll.isra.0+0x188/0x2c0\n\nAllocated by task 1:\ncgroup_file_open+0x88/0x388\nkernfs_fop_open+0x73c/0xaf0\ndo_dentry_open+0x5fc/0x1200\nvfs_open+0xa0/0x3f0\ndo_open+0x7e8/0xd08\npath_openat+0x2fc/0x6b0\ndo_filp_open+0x174/0x368\n\nFreed by task 8462:\ncgroup_file_release+0x130/0x1f8\nkernfs_drain_open_files+0x17c/0x440\nkernfs_drain+0x2dc/0x360\nkernfs_show+0x1b8/0x288\ncgroup_file_show+0x150/0x268\ncgroup_pressure_write+0x1dc/0x340\ncgroup_file_write+0x274/0x548\n\nReproduction Steps:\n1. Open test/cpu.pressure and establish epoll monitoring\n2. Disable monitoring: echo 0 > test/cgroup.pressure\n3. Re-enable monitoring: echo 1 > test/cgroup.pressure\n\nThe race condition occurs because:\n1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it:\n   - Releases PSI triggers via cgroup_file_release()\n   - Frees of->priv through kernfs_drain_open_files()\n2. While epoll still holds reference to the file and continues polling\n3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->priv\n\nepolling\t\t\tdisable/enable cgroup.pressure\nfd=open(cpu.pressure)\nwhile(1)\n...\nepoll_wait\nkernfs_fop_poll\nkernfs_get_active = true\techo 0 > cgroup.pressure\n...\t\t\t\tcgroup_file_show\n\t\t\t\tkernfs_show\n\t\t\t\t// inactive kn\n\t\t\t\tkernfs_drain_open_files\n\t\t\t\tcft->release(of);\n\t\t\t\tkfree(ctx);\n\t\t\t\t...\nkernfs_get_active = false\n\t\t\t\techo 1 > cgroup.pressure\n\t\t\t\tkernfs_show\n\t\t\t\tkernfs_activate_one(kn);\nkernfs_fop_poll\nkernfs_get_active = true\ncgroup_file_poll\npsi_trigger_poll\n// UAF\n...\nend: close(fd)\n\nTo address this issue, introduce kernfs_get_active_of() for kernfs open\nfiles to obtain active references. This function will fail if the open file\nhas been released. Replace kernfs_get_active() with kernfs_get_active_of()\nto prevent further operations on released file descriptors.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39881",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39882",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: fix potential OF node use-after-free\n\nThe for_each_child_of_node() helper drops the reference it takes to each\nnode as it iterates over children and an explicit of_node_put() is only\nneeded when exiting the loop early.\n\nDrop the recently introduced bogus additional reference count decrement\nat each iteration that could potentially lead to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39882",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16.8"
        },
        {
          "id": "CVE-2025-39883",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n\nWhen I did memory failure tests, below panic occurs:\n\npage dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))\nkernel BUG at include/linux/page-flags.h:616!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n unpoison_memory+0x2f3/0x590\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xd5/0x540\n ksys_write+0x64/0xe0\n do_syscall_64+0xb9/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08f0314887\nRSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887\nRDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001\nRBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009\nR13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00\n </TASK>\nModules linked in: hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:unpoison_memory+0x2f3/0x590\nRSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246\nRAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0\nRBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb\nR10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000\nR13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe\nFS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe root cause is that unpoison_memory() tries to check the PG_HWPoison\nflags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is\ntriggered.  This can be reproduced by below steps:\n\n1.Offline memory block:\n\n echo offline > /sys/devices/system/memory/memory12/state\n\n2.Get offlined memory pfn:\n\n page-types -b n -rlN\n\n3.Write pfn to unpoison-pfn\n\n echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn\n\nThis scenario can be identified by pfn_to_online_page() returning NULL. \nAnd ZONE_DEVICE pages are never expected, so we can simply fail if\npfn_to_online_page() == NULL to fix the bug.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39883",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39884",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix subvolume deletion lockup caused by inodes xarray race\n\nThere is a race condition between inode eviction and inode caching that\ncan cause a live struct btrfs_inode to be missing from the root->inodes\nxarray. Specifically, there is a window during evict() between the inode\nbeing unhashed and deleted from the xarray. If btrfs_iget() is called\nfor the same inode in that window, it will be recreated and inserted\ninto the xarray, but then eviction will delete the new entry, leaving\nnothing in the xarray:\n\nThread 1                          Thread 2\n---------------------------------------------------------------\nevict()\n  remove_inode_hash()\n                                  btrfs_iget_path()\n                                    btrfs_iget_locked()\n                                    btrfs_read_locked_inode()\n                                      btrfs_add_inode_to_root()\n  destroy_inode()\n    btrfs_destroy_inode()\n      btrfs_del_inode_from_root()\n        __xa_erase\n\nIn turn, this can cause issues for subvolume deletion. Specifically, if\nan inode is in this lost state, and all other inodes are evicted, then\nbtrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.\nIf the lost inode has a delayed_node attached to it, then when\nbtrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),\nit will loop forever because the delayed_nodes xarray will never become\nempty (unless memory pressure forces the inode out). We saw this\nmanifest as soft lockups in production.\n\nFix it by only deleting the xarray entry if it matches the given inode\n(using __xa_cmpxchg()).",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39884",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39885",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n   __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n   __schedule_loop kernel/sched/core.c:7043 [inline]\n   schedule+0x165/0x360 kernel/sched/core.c:7058\n   schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n   rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n   __down_write_common kernel/locking/rwsem.c:1317 [inline]\n   __down_write kernel/locking/rwsem.c:1326 [inline]\n   down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n   ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n   do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n   wp_page_shared mm/memory.c:3762 [inline]\n   do_wp_page+0x268d/0x5800 mm/memory.c:3981\n   handle_pte_fault mm/memory.c:6068 [inline]\n   __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n   handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n   do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n   handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n   exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n   asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n   copy_to_user include/linux/uaccess.h:225 [inline]\n   fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n   ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n   ioctl_fiemap fs/ioctl.c:220 [inline]\n   do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n   __do_sys_ioctl fs/ioctl.c:596 [inline]\n   __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable.  The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore.  This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size.  Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline().  This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39885",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39886",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()\n\nCurrently, calling bpf_map_kmalloc_node() from __bpf_async_init() can\ncause various locking issues; see the following stack trace (edited for\nstyle) as one example:\n\n...\n [10.011566]  do_raw_spin_lock.cold\n [10.011570]  try_to_wake_up             (5) double-acquiring the same\n [10.011575]  kick_pool                      rq_lock, causing a hardlockup\n [10.011579]  __queue_work\n [10.011582]  queue_work_on\n [10.011585]  kernfs_notify\n [10.011589]  cgroup_file_notify\n [10.011593]  try_charge_memcg           (4) memcg accounting raises an\n [10.011597]  obj_cgroup_charge_pages        MEMCG_MAX event\n [10.011599]  obj_cgroup_charge_account\n [10.011600]  __memcg_slab_post_alloc_hook\n [10.011603]  __kmalloc_node_noprof\n...\n [10.011611]  bpf_map_kmalloc_node\n [10.011612]  __bpf_async_init\n [10.011615]  bpf_timer_init             (3) BPF calls bpf_timer_init()\n [10.011617]  bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable\n [10.011619]  bpf__sched_ext_ops_runnable\n [10.011620]  enqueue_task_scx           (2) BPF runs with rq_lock held\n [10.011622]  enqueue_task\n [10.011626]  ttwu_do_activate\n [10.011629]  sched_ttwu_pending         (1) grabs rq_lock\n...\n\nThe above was reproduced on bpf-next (b338cf849ec8) by modifying\n./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during\nops.runnable(), and hacking the memcg accounting code a bit to make\na bpf_timer_init() call more likely to raise an MEMCG_MAX event.\n\nWe have also run into other similar variants (both internally and on\nbpf-next), including double-acquiring cgroup_file_kn_lock, the same\nworker_pool::lock, etc.\n\nAs suggested by Shakeel, fix this by using __GFP_HIGH instead of\nGFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()\nraises an MEMCG_MAX event, we call __memcg_memory_event() with\n@allow_spinning=false and avoid calling cgroup_file_notify() there.\n\nDepends on mm patch\n\"memcg: skip cgroup_file_notify if spinning is not allowed\":\nhttps://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/\n\nv0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/\nhttps://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/\nv1 approach:\nhttps://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39886",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39887",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix null-ptr-deref in bitmap_parselist()\n\nA crash was observed with the following output:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb204c255 #138 PREEMPT(voluntary)\nRIP: 0010:bitmap_parselist+0x53/0x3e0\nCall Trace:\n <TASK>\n osnoise_cpus_write+0x7a/0x190\n vfs_write+0xf8/0x410\n ? do_sys_openat2+0x88/0xd0\n ksys_write+0x60/0xd0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis issue can be reproduced by below code:\n\nfd=open(\"/sys/kernel/debug/tracing/osnoise/cpus\", O_WRONLY);\nwrite(fd, \"0-2\", 0);\n\nWhen user pass 'count=0' to osnoise_cpus_write(), kmalloc() will return\nZERO_SIZE_PTR (16) and cpulist_parse() treat it as a normal value, which\ntrigger the null pointer dereference. Add check for the parameter 'count'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39887",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39888",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: Block access to folio overlimit\n\nsyz reported a slab-out-of-bounds Write in fuse_dev_do_write.\n\nWhen the number of bytes to be retrieved is truncated to the upper limit\nby fc->max_pages and there is an offset, the oob is triggered.\n\nAdd a loop termination condition to prevent overruns.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39888",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39889",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: Check encryption key size on incoming connection\n\nThis is required for passing GAP/SEC/SEM/BI-04-C PTS test case:\n  Security Mode 4 Level 4, Responder - Invalid Encryption Key Size\n  - 128 bit\n\nThis tests the security key with size from 1 to 15 bytes while the\nSecurity Mode 4 Level 4 requests 16 bytes key size.\n\nCurrently PTS fails with the following logs:\n- expected:Connection Response:\n    Code: [3 (0x03)] Code\n    Identifier: (lt)WildCard: Exists(gt)\n    Length: [8 (0x0008)]\n    Destination CID: (lt)WildCard: Exists(gt)\n    Source CID: [64 (0x0040)]\n    Result: [3 (0x0003)] Connection refused - Security block\n    Status: (lt)WildCard: Exists(gt),\nbut received:Connection Response:\n    Code: [3 (0x03)] Code\n    Identifier: [1 (0x01)]\n    Length: [8 (0x0008)]\n    Destination CID: [64 (0x0040)]\n    Source CID: [64 (0x0040)]\n    Result: [0 (0x0000)] Connection Successful\n    Status: [0 (0x0000)] No further information available\n\nAnd HCI logs:\n< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2\n        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n> HCI Event: Command Complete (0x0e) plen 7\n      Read Encryption Key Size (0x05|0x0008) ncmd 1\n        Status: Success (0x00)\n        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n        Key size: 7\n> ACL Data RX: Handle 14 flags 0x02 dlen 12\n      L2CAP: Connection Request (0x02) ident 1 len 4\n        PSM: 4097 (0x1001)\n        Source CID: 64\n< ACL Data TX: Handle 14 flags 0x00 dlen 16\n      L2CAP: Connection Response (0x03) ident 1 len 8\n        Destination CID: 64\n        Source CID: 64\n        Result: Connection successful (0x0000)\n        Status: No further information available (0x0000)",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39889",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39890",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_service_ready_ext_event\n\nCurrently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps\nis not freed in the failure case, causing a memory leak. The following\ntrace is observed in kmemleak:\n\nunreferenced object 0xffff8b3eb5789c00 (size 1024):\n comm \"softirq\", pid 0, jiffies 4294942577\n hex dump (first 32 bytes):\n   00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10  ............{...\n   01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00  .............8..\n backtrace (crc 44e1c357):\n   __kmalloc_noprof+0x30b/0x410\n   ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]\n   ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n   ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]\n   ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n   ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]\n   ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]\n   ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]\n   ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]\n   ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]\n   process_one_work+0x219/0x680\n   bh_worker+0x198/0x1f0\n   tasklet_action+0x13/0x30\n   handle_softirqs+0xca/0x460\n   __irq_exit_rcu+0xbe/0x110\n   irq_exit_rcu+0x9/0x30\n\nFree svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39890",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-39891",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter->chan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out\nmemory.  The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here.  What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn't necessarily\ninitialize the whole array.  Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small.  It's a maximum of 900 bytes so it's\nmore appropriate to use kcalloc() instead vmalloc().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39891",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39892",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()\n\nsoc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.\nIn such case, CPU component driver might not have driver->name, then\nsnd_soc_lookup_component_nolocked() will be NULL pointer access error.\nCare NULL driver name.\n\n\tCall trace:\n\t strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4\n\t snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44\n\t snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64\n\t snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc\n\t devres_release_all from device_unbind_cleanup+0xc/0x60\n\t device_unbind_cleanup from really_probe+0x220/0x2c8\n\t really_probe from __driver_probe_device+0x88/0x1a0\n\t __driver_probe_device from driver_probe_device+0x30/0x110\n\tdriver_probe_device from __driver_attach+0x90/0x178\n\t__driver_attach from bus_for_each_dev+0x7c/0xcc\n\tbus_for_each_dev from bus_add_driver+0xcc/0x1ec\n\tbus_add_driver from driver_register+0x80/0x11c\n\tdriver_register from do_one_initcall+0x58/0x23c\n\tdo_one_initcall from kernel_init_freeable+0x198/0x1f4\n\tkernel_init_freeable from kernel_init+0x1c/0x12c\n\tkernel_init from ret_from_fork+0x14/0x28",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39892",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39893",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: unregister ECC engine on probe error and device remove\n\nThe on-host hardware ECC engine remains registered both when\nthe spi_register_controller() function returns with an error\nand also on device removal.\n\nChange the qcom_spi_probe() function to unregister the engine\non the error path, and add the missing unregistering call to\nqcom_spi_remove() to avoid possible use-after-free issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39893",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39894",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm\n\nWhen send a broadcast packet to a tap device, which was added to a bridge,\nbr_nf_local_in() is called to confirm the conntrack. If another conntrack\nwith the same hash value is added to the hash table, which can be\ntriggered by a normal packet to a non-bridge device, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200\n  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)\n  RIP: 0010:br_nf_local_in+0x168/0x200\n  Call Trace:\n   <TASK>\n   nf_hook_slow+0x3e/0xf0\n   br_pass_frame_up+0x103/0x180\n   br_handle_frame_finish+0x2de/0x5b0\n   br_nf_hook_thresh+0xc0/0x120\n   br_nf_pre_routing_finish+0x168/0x3a0\n   br_nf_pre_routing+0x237/0x5e0\n   br_handle_frame+0x1ec/0x3c0\n   __netif_receive_skb_core+0x225/0x1210\n   __netif_receive_skb_one_core+0x37/0xa0\n   netif_receive_skb+0x36/0x160\n   tun_get_user+0xa54/0x10c0\n   tun_chr_write_iter+0x65/0xb0\n   vfs_write+0x305/0x410\n   ksys_write+0x60/0xd0\n   do_syscall_64+0xa4/0x260\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nTo solve the hash conflict, nf_ct_resolve_clash() try to merge the\nconntracks, and update skb->_nfct. However, br_nf_local_in() still use the\nold ct from local variable 'nfct' after confirm(), which leads to this\nwarning.\n\nIf confirm() does not insert the conntrack entry and return NF_DROP, the\nwarning may also occur. There is no need to reserve the WARN_ON_ONCE, just\nremove it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39894",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39895",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix sched_numa_find_nth_cpu() if mask offline\n\nsched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'\nCPU in sched_domains_numa_masks and given cpus mask. However they\nmight not intersect if all CPUs in the cpus mask are offline. bsearch\nwill return NULL in that case, bail out instead of dereferencing a\nbogus pointer.\n\nThe previous behaviour lead to this bug when using maxcpus=4 on an\nrk3399 (LLLLbb) (i.e. booting with all big CPUs offline):\n\n[    1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000\n[    1.423635] Mem abort info:\n[    1.423889]   ESR = 0x0000000096000006\n[    1.424227]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    1.424715]   SET = 0, FnV = 0\n[    1.424995]   EA = 0, S1PTW = 0\n[    1.425279]   FSC = 0x06: level 2 translation fault\n[    1.425735] Data abort info:\n[    1.425998]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[    1.426499]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    1.426952]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000\n[    1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000\n[    1.429014] Internal error: Oops: 0000000096000006 [#1]  SMP\n[    1.429525] Modules linked in:\n[    1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT\n[    1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)\n[    1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488\n[    1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488\n[    1.432543] sp : ffffffc084e1b960\n[    1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0\n[    1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n[    1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378\n[    1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff\n[    1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7\n[    1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372\n[    1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860\n[    1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000\n[    1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[    1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68\n[    1.439332] Call trace:\n[    1.439559]  sched_numa_find_nth_cpu+0x2a0/0x488 (P)\n[    1.440016]  smp_call_function_any+0xc8/0xd0\n[    1.440416]  armv8_pmu_init+0x58/0x27c\n[    1.440770]  armv8_cortex_a72_pmu_init+0x20/0x2c\n[    1.441199]  arm_pmu_device_probe+0x1e4/0x5e8\n[    1.441603]  armv8_pmu_device_probe+0x1c/0x28\n[    1.442007]  platform_probe+0x5c/0xac\n[    1.442347]  really_probe+0xbc/0x298\n[    1.442683]  __driver_probe_device+0x78/0x12c\n[    1.443087]  driver_probe_device+0xdc/0x160\n[    1.443475]  __driver_attach+0x94/0x19c\n[    1.443833]  bus_for_each_dev+0x74/0xd4\n[    1.444190]  driver_attach+0x24/0x30\n[    1.444525]  bus_add_driver+0xe4/0x208\n[    1.444874]  driver_register+0x60/0x128\n[    1.445233]  __platform_driver_register+0x24/0x30\n[    1.445662]  armv8_pmu_driver_init+0x28/0x4c\n[    1.446059]  do_one_initcall+0x44/0x25c\n[    1.446416]  kernel_init_freeable+0x1dc/0x3bc\n[    1.446820]  kernel_init+0x20/0x1d8\n[    1.447151]  ret_from_fork+0x10/0x20\n[    1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)\n[    1.448040] ---[ end trace 0000000000000000 ]---\n[    1.448483] note: swapper/0[1] exited with preempt_count 1\n[    1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[    1.449741] SMP: stopping secondary CPUs\n[    1.450105] Kernel Offset: disabled\n[    1.450419] CPU features: 0x000000,00080000,20002001,0400421b\n[    \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39895",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39896",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Prevent recovery work from being queued during device removal\n\nUse disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()\nto ensure that no new recovery work items can be queued after device\nremoval has started. Previously, recovery work could be scheduled even\nafter canceling existing work, potentially leading to use-after-free\nbugs if recovery accessed freed resources.\n\nRename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to better\nreflect its new behavior.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39896",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39897",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Add error handling for RX metadata pointer retrieval\n\nAdd proper error checking for dmaengine_desc_get_metadata_ptr() which\ncan return an error pointer and lead to potential crashes or undefined\nbehaviour if the pointer retrieval fails.\n\nProperly handle the error by unmapping DMA buffer, freeing the skb and\nreturning early to prevent further processing with invalid data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39897",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39899",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE\n\nWith CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using\nkmap_local_page(), which requires unmapping in Last-In-First-Out order.\n\nThe current code maps dst_pte first, then src_pte, but unmaps them in the\nsame order (dst_pte, src_pte), violating the LIFO requirement.  This\ncauses the warning in kunmap_local_indexed():\n\n  WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c\n  addr \\!= __fix_to_virt(FIX_KMAP_BEGIN + idx)\n\nFix this by reversing the unmap order to respect LIFO ordering.\n\nThis issue follows the same pattern as similar fixes:\n- commit eca6828403b8 (\"crypto: skcipher - fix mismatch between mapping and unmapping order\")\n- commit 8cf57c6df818 (\"nilfs2: eliminate staggered calls to kunmap in nilfs_rename\")\n\nBoth of which addressed the same fundamental requirement that kmap_local\noperations must follow LIFO ordering.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39899",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39900",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y\n\nsyzbot reported a WARNING in est_timer() [1]\n\nProblem here is that with CONFIG_PREEMPT_RT=y, timer callbacks\ncan be preempted.\n\nAdopt preempt_disable_nested()/preempt_enable_nested() to fix this.\n\n[1]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nModules linked in:\nCPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]\n RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nCall Trace:\n <TASK>\n  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n  expire_timers kernel/time/timer.c:1798 [inline]\n  __run_timers kernel/time/timer.c:2372 [inline]\n  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n  run_timer_base kernel/time/timer.c:2393 [inline]\n  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n  handle_softirqs+0x22c/0x710 kernel/softirq.c:579\n  __do_softirq kernel/softirq.c:613 [inline]\n  run_ktimerd+0xcf/0x190 kernel/softirq.c:1043\n  smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160\n  kthread+0x70e/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39900",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39901",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: remove read access to debugfs files\n\nThe 'command' and 'netdev_ops' debugfs files are a legacy debugging\ninterface supported by the i40e driver since its early days by commit\n02e9c290814c (\"i40e: debugfs interface\").\n\nBoth of these debugfs files provide a read handler which is mostly useless,\nand which is implemented with questionable logic. They both use a static\n256 byte buffer which is initialized to the empty string. In the case of\nthe 'command' file this buffer is literally never used and simply wastes\nspace. In the case of the 'netdev_ops' file, the last command written is\nsaved here.\n\nOn read, the files contents are presented as the name of the device\nfollowed by a colon and then the contents of their respective static\nbuffer. For 'command' this will always be \"<device>: \". For 'netdev_ops',\nthis will be \"<device>: <last command written>\". But note the buffer is\nshared between all devices operated by this module. At best, it is mostly\nmeaningless information, and at worse it could be accessed simultaneously\nas there doesn't appear to be any locking mechanism.\n\nWe have also recently received multiple reports for both read functions\nabout their use of snprintf and potential overflow that could result in\nreading arbitrary kernel memory. For the 'command' file, this is definitely\nimpossible, since the static buffer is always zero and never written to.\nFor the 'netdev_ops' file, it does appear to be possible, if the user\ncarefully crafts the command input, it will be copied into the buffer,\nwhich could be large enough to cause snprintf to truncate, which then\ncauses the copy_to_user to read beyond the length of the buffer allocated\nby kzalloc.\n\nA minimal fix would be to replace snprintf() with scnprintf() which would\ncap the return to the number of bytes written, preventing an overflow. A\nmore involved fix would be to drop the mostly useless static buffers,\nsaving 512 bytes and modifying the read functions to stop needing those as\ninput.\n\nInstead, lets just completely drop the read access to these files. These\nare debug interfaces exposed as part of debugfs, and I don't believe that\ndropping read access will break any script, as the provided output is\npretty useless. You can find the netdev name through other more standard\ninterfaces, and the 'netdev_ops' interface can easily result in garbage if\nyou issue simultaneous writes to multiple devices at once.\n\nIn order to properly remove the i40e_dbg_netdev_ops_buf, we need to\nrefactor its write function to avoid using the static buffer. Instead, use\nthe same logic as the i40e_dbg_command_write, with an allocated buffer.\nUpdate the code to use this instead of the static buffer, and ensure we\nfree the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on\nmultiple devices, and allows us to remove the now unused static buffer\nalong with removing the read access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39901",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39902",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39902",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39903",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs.  Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren't.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[    0.000000] KASLR enabled\n[    0.000000] random: crng init done\n[    0.000000] Machine model: linux,dummy-virt\n[    0.000000] efi: UEFI not found.\n[    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')\n[    0.000000] printk: legacy bootconsole [pl11] enabled\n[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[    0.000000] node 1 must be removed before remove section 23\n[    0.000000] Zone ranges:\n[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]\n[    0.000000]   DMA32    empty\n[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]\n[    0.000000] Movable zone start for each node\n[    0.000000] Early memory node ranges\n[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]\n[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[    0.000000] Mem abort info:\n[    0.000000]   ESR = 0x0000000096000004\n[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.000000]   SET = 0, FnV = 0\n[    0.000000]   EA = 0, S1PTW = 0\n[    0.000000]   FSC = 0x04: level 0 translation fault\n[    0.000000] Data abort info:\n[    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    0.000000] [00000000000000a0] user address but active_mm is swapper\n[    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[    0.000000] Hardware name: linux,dummy-virt (DT)\n[    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.000000] pc : free_area_init+0x50c/0xf9c\n[    0.000000] lr : free_area_init+0x5c0/0xf9c\n[    0.000000] sp : ffffa02ca0f33c00\n[    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[    0.0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39903",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39904",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: kexec: initialize kexec_buf struct in load_other_segments()\n\nPatch series \"kexec: Fix invalid field access\".\n\nThe kexec_buf structure was previously declared without initialization. \ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures.  This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type '_Bool'\n\nZero-initializing kexec_buf at declaration ensures all fields are cleanly\nset, preventing future instances of uninitialized memory being used.\n\nAn initial fix was already landed for arm64[0], and this patchset fixes\nthe problem on the remaining arm64 code and on riscv, as raised by Mark.\n\nDiscussions about this problem could be found at[1][2].\n\n\nThis patch (of 3):\n\nThe kexec_buf structure was previously declared without initialization.\ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures. This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type '_Bool'\n\nZero-initializing kexec_buf at declaration ensures all fields are\ncleanly set, preventing future instances of uninitialized memory being\nused.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39904",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39905",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phylink: add lock for serializing concurrent pl->phydev writes with resolver\n\nCurrently phylink_resolve() protects itself against concurrent\nphylink_bringup_phy() or phylink_disconnect_phy() calls which modify\npl->phydev by relying on pl->state_mutex.\n\nThe problem is that in phylink_resolve(), pl->state_mutex is in a lock\ninversion state with pl->phydev->lock. So pl->phydev->lock needs to be\nacquired prior to pl->state_mutex. But that requires dereferencing\npl->phydev in the first place, and without pl->state_mutex, that is\nracy.\n\nHence the reason for the extra lock. Currently it is redundant, but it\nwill serve a functional purpose once mutex_lock(&phy->lock) will be\nmoved outside of the mutex_lock(&pl->state_mutex) section.\n\nAnother alternative considered would have been to let phylink_resolve()\nacquire the rtnl_mutex, which is also held when phylink_bringup_phy()\nand phylink_disconnect_phy() are called. But since phylink_disconnect_phy()\nruns under rtnl_lock(), it would deadlock with phylink_resolve() when\ncalling flush_work(&pl->resolve). Additionally, it would have been\nundesirable because it would have unnecessarily blocked many other call\npaths as well in the entire kernel, so the smaller-scoped lock was\npreferred.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39905",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39906",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: remove oem i2c adapter on finish\n\nFixes a bug where unbinding of the GPU would leave the oem i2c adapter\nregistered resulting in a null pointer dereference when applications try\nto access the invalid device.\n\n(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39906",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39907",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[    4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren't supported\n[    4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[    4.097071] Modules linked in:\n[    4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[    4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[    4.118824] Workqueue: events_unbound deferred_probe_work_func\n[    4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    4.131624] pc : add_dma_entry+0x23c/0x300\n[    4.135658] lr : add_dma_entry+0x23c/0x300\n[    4.139792] sp : ffff800009dbb490\n[    4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[    4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[    4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20\n[    4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[    4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[    4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[    4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[    4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[    4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[    4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[    4.214185] Call trace:\n[    4.216605]  add_dma_entry+0x23c/0x300\n[    4.220338]  debug_dma_map_sg+0x198/0x350\n[    4.224373]  __dma_map_sg_attrs+0xa0/0x110\n[    4.228411]  dma_map_sg_attrs+0x10/0x2c\n[    4.232247]  stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[    4.237088]  stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[    4.242127]  nand_read_oob+0x1d4/0x8e0\n[    4.245861]  mtd_read_oob_std+0x58/0x84\n[    4.249596]  mtd_read_oob+0x90/0x150\n[    4.253231]  mtd_read+0x68/0xac",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39907",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39908",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dev_ioctl: take ops lock in hwtstamp lower paths\n\nndo hwtstamp callbacks are expected to run under the per-device ops\nlock. Make the lower get/set paths consistent with the rest of ndo\ninvocations.\n\nKernel log:\nWARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_update_features+0x4bd/0xe60\n...\nRIP: 0010:__netdev_update_features+0x4bd/0xe60\n...\nCall Trace:\n<TASK>\nnetdev_update_features+0x1f/0x60\nmlx5_hwtstamp_set+0x181/0x290 [mlx5_core]\nmlx5e_hwtstamp_set+0x19/0x30 [mlx5_core]\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp+0x13d/0x240\ndev_ioctl+0x12f/0x4b0\nsock_ioctl+0x171/0x370\n__x64_sys_ioctl+0x3f7/0x900\n? __sys_setsockopt+0x69/0xb0\ndo_syscall_64+0x6f/0x2e0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\n...\n</TASK>\n....\n---[ end trace 0000000000000000 ]---\n\nNote that the mlx5_hwtstamp_set and mlx5e_hwtstamp_set functions shown\nin the trace come from an in progress patch converting the legacy ioctl\nto ndo_hwtstamp_get/set and are not present in mainline.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39908",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39909",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()\n\nPatch series \"mm/damon: avoid divide-by-zero in DAMON module's parameters\napplication\".\n\nDAMON's RECLAIM and LRU_SORT modules perform no validation on\nuser-configured parameters during application, which may lead to\ndivision-by-zero errors.\n\nAvoid the divide-by-zero by adding validation checks when DAMON modules\nattempt to apply the parameters.\n\n\nThis patch (of 2):\n\nDuring the calculation of 'hot_thres' and 'cold_thres', either\n'sample_interval' or 'aggr_interval' is used as the divisor, which may\nlead to division-by-zero errors.  Fix it by directly returning -EINVAL\nwhen such a case occurs.  Additionally, since 'aggr_interval' is already\nrequired to be set no smaller than 'sample_interval' in damon_set_attrs(),\nonly the case where 'sample_interval' is zero needs to be checked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39909",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39910",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()\n\nkasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and\nalways allocate memory using the hardcoded GFP_KERNEL flag.  This makes\nthem inconsistent with vmalloc(), which was recently extended to support\nGFP_NOFS and GFP_NOIO allocations.\n\nPage table allocations performed during shadow population also ignore the\nexternal gfp_mask.  To preserve the intended semantics of GFP_NOFS and\nGFP_NOIO, wrap the apply_to_page_range() calls into the appropriate\nmemalloc scope.\n\nxfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.\n\nThere was a report here\nhttps://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com\n\nThis patch:\n - Extends kasan_populate_vmalloc() and helpers to take gfp_mask;\n - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();\n - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore()\n   around apply_to_page_range();\n - Updates vmalloc.c and percpu allocator call sites accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39910",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39911",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n  <TASK>\n  free_irq+0x32/0x70\n  i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n  i40e_vsi_request_irq+0x79/0x80 [i40e]\n  i40e_vsi_open+0x21f/0x2f0 [i40e]\n  i40e_open+0x63/0x130 [i40e]\n  __dev_open+0xfc/0x210\n  __dev_change_flags+0x1fc/0x240\n  netif_change_flags+0x27/0x70\n  do_setlink.isra.0+0x341/0xc70\n  rtnl_newlink+0x468/0x860\n  rtnetlink_rcv_msg+0x375/0x450\n  netlink_rcv_skb+0x5c/0x110\n  netlink_unicast+0x288/0x3c0\n  netlink_sendmsg+0x20d/0x430\n  ____sys_sendmsg+0x3a2/0x3d0\n  ___sys_sendmsg+0x99/0xe0\n  __sys_sendmsg+0x8a/0xf0\n  do_syscall_64+0x82/0x2c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39911",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39912",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/localio: restore creds before releasing pageio data\n\nOtherwise if the nfsd filecache code releases the nfsd_file\nimmediately, it can trigger the BUG_ON(cred == current->cred) in\n__put_cred() when it puts the nfsd_file->nf_file->f-cred.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39912",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39913",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n  1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n  2. Attach the prog to a SOCKMAP\n  3. Add a socket to the SOCKMAP\n  4. Activate fault injection\n  5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock->cork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk->sk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock->cork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. It fails to allocate psock->cork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS:  00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n <IRQ>\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39913",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39914",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fails in trace_pid_write\n\nSyzkaller trigger a fault injection warning:\n\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\nModules linked in:\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\nTainted: [U]=USER\nHardware name: Google Compute Engine/Google Compute Engine\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\nFS:  00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\n vfs_write+0x24c/0x1150 fs/read_write.c:677\n ksys_write+0x12b/0x250 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe can reproduce the warning by following the steps below:\n1. echo 8 >> set_event_notrace_pid. Let tr->filtered_pids owns one pid\n   and register sched_switch tracepoint.\n2. echo ' ' >> set_event_pid, and perform fault injection during chunk\n   allocation of trace_pid_list_alloc. Let pid_list with no pid and\nassign to tr->filtered_pids.\n3. echo ' ' >> set_event_pid. Let pid_list is NULL and assign to\n   tr->filtered_pids.\n4. echo 9 >> set_event_pid, will trigger the double register\n   sched_switch tracepoint warning.\n\nThe reason is that syzkaller injects a fault into the chunk allocation\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\nmay trigger double register of the same tracepoint. This only occurs\nwhen the system is about to crash, but to suppress this warning, let's\nadd failure handling logic to trace_pid_list_set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39914",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39915",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: transfer phy_config_inband() locking responsibility to phylink\n\nProblem description\n===================\n\nLockdep reports a possible circular locking dependency (AB/BA) between\n&pl->state_mutex and &phy->lock, as follows.\n\nphylink_resolve() // acquires &pl->state_mutex\n-> phylink_major_config()\n   -> phy_config_inband() // acquires &pl->phydev->lock\n\nwhereas all the other call sites where &pl->state_mutex and\n&pl->phydev->lock have the locking scheme reversed. Everywhere else,\n&pl->phydev->lock is acquired at the top level, and &pl->state_mutex at\nthe lower level. A clear example is phylink_bringup_phy().\n\nThe outlier is the newly introduced phy_config_inband() and the existing\nlock order is the correct one. To understand why it cannot be the other\nway around, it is sufficient to consider phylink_phy_change(), phylink's\ncallback from the PHY device's phy->phy_link_change() virtual method,\ninvoked by the PHY state machine.\n\nphy_link_up() and phy_link_down(), the (indirect) callers of\nphylink_phy_change(), are called with &phydev->lock acquired.\nThen phylink_phy_change() acquires its own &pl->state_mutex, to\nserialize changes made to its pl->phy_state and pl->link_config.\nSo all other instances of &pl->state_mutex and &phydev->lock must be\nconsistent with this order.\n\nProblem impact\n==============\n\nI think the kernel runs a serious deadlock risk if an existing\nphylink_resolve() thread, which results in a phy_config_inband() call,\nis concurrent with a phy_link_up() or phy_link_down() call, which will\ndeadlock on &pl->state_mutex in phylink_phy_change(). Practically\nspeaking, the impact may be limited by the slow speed of the medium\nauto-negotiation protocol, which makes it unlikely for the current state\nto still be unresolved when a new one is detected, but I think the\nproblem is there. Nonetheless, the problem was discovered using lockdep.\n\nProposed solution\n=================\n\nPractically speaking, the phy_config_inband() requirement of having\nphydev->lock acquired must transfer to the caller (phylink is the only\ncaller). There, it must bubble up until immediately before\n&pl->state_mutex is acquired, for the cases where that takes place.\n\nSolution details, considerations, notes\n=======================================\n\nThis is the phy_config_inband() call graph:\n\n                          sfp_upstream_ops :: connect_phy()\n                          |\n                          v\n                          phylink_sfp_connect_phy()\n                          |\n                          v\n                          phylink_sfp_config_phy()\n                          |\n                          |   sfp_upstream_ops :: module_insert()\n                          |   |\n                          |   v\n                          |   phylink_sfp_module_insert()\n                          |   |\n                          |   |   sfp_upstream_ops :: module_start()\n                          |   |   |\n                          |   |   v\n                          |   |   phylink_sfp_module_start()\n                          |   |   |\n                          |   v   v\n                          |   phylink_sfp_config_optical()\n phylink_start()          |   |\n   |   phylink_resume()   v   v\n   |   |  phylink_sfp_set_config()\n   |   |  |\n   v   v  v\n phylink_mac_initial_config()\n   |   phylink_resolve()\n   |   |  phylink_ethtool_ksettings_set()\n   v   v  v\n   phylink_major_config()\n            |\n            v\n    phy_config_inband()\n\nphylink_major_config() caller #1, phylink_mac_initial_config(), does not\nacquire &pl->state_mutex nor do its callers. It must acquire\n&pl->phydev->lock prior to calling phylink_major_config().\n\nphylink_major_config() caller #2, phylink_resolve() acquires\n&pl->state_mutex, thus also needs to acquire &pl->phydev->lock.\n\nphylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is\ncompletely uninteresting, because it only call\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39915",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39916",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()\n\nWhen creating a new scheme of DAMON_RECLAIM, the calculation of\n'min_age_region' uses 'aggr_interval' as the divisor, which may lead to\ndivision-by-zero errors.  Fix it by directly returning -EINVAL when such a\ncase occurs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39916",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39917",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt\n\nStanislav reported that in bpf_crypto_crypt() the destination dynptr's\nsize is not validated to be at least as large as the source dynptr's\nsize before calling into the crypto backend with 'len = src_len'. This\ncan result in an OOB write when the destination is smaller than the\nsource.\n\nConcretely, in mentioned function, psrc and pdst are both linear\nbuffers fetched from each dynptr:\n\n  psrc = __bpf_dynptr_data(src, src_len);\n  [...]\n  pdst = __bpf_dynptr_data_rw(dst, dst_len);\n  [...]\n  err = decrypt ?\n        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :\n        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);\n\nThe crypto backend expects pdst to be large enough with a src_len length\nthat can be written. Add an additional src_len > dst_len check and bail\nout if it's the case. Note that these kfuncs are accessible under root\nprivileges only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39917",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39918",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: fix linked list corruption\n\nNever leave scheduled wcid entries on the temporary on-stack list",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39918",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39919",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: add missing check for rx wcid entries\n\nNon-station wcid entries must not be passed to the rx functions.\nIn case of the global wcid entry, it could even lead to corruption in the wcid\narray due to pointer being casted to struct mt7996_sta_link using container_of.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39919",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39920",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Add error handling for add_interval() in do_validate_mem()\n\nIn the do_validate_mem(), the call to add_interval() does not\nhandle errors. If kmalloc() fails in add_interval(), it could\nresult in a null pointer being inserted into the linked list,\nleading to illegal memory access when sub_interval() is called\nnext.\n\nThis patch adds an error handling for the add_interval(). If\nadd_interval() returns an error, the function will return early\nwith the error code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39920",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39921",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback\n\nIn commit 13529647743d9 (\"spi: microchip-core-qspi: Support per spi-mem\noperation frequency switches\") the logic for checking the viability of\nop->max_freq in mchp_coreqspi_setup_clock() was copied into\nmchp_coreqspi_supports_op(). Unfortunately, op->max_freq is not valid\nwhen this function is called during probe but is instead zero.\nAccordingly, baud_rate_val is calculated to be INT_MAX due to division\nby zero, causing probe of the attached memory device to fail.\n\nSeemingly spi-microchip-core-qspi was the only driver that had such a\nmodification made to its supports_op callback when the per_op_freq\ncapability was added, so just remove it to restore prior functionality.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39921",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39922",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix incorrect map used in eee linkmode\n\nincorrectly used ixgbe_lp_map in loops intended to populate the\nsupported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.\nThis results in incorrect bit setting and potential out-of-bounds\naccess, since ixgbe_lp_map and ixgbe_ls_map have different sizes\nand purposes.\n\nixgbe_lp_map[i] -> ixgbe_ls_map[i]\n\nUse ixgbe_ls_map for supported and advertised linkmodes, and keep\nixgbe_lp_map usage only for link partner (lp_advertised) mapping.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39922",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39923",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don't have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It's safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39923",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39924",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix invalid algorithm for encoded extents\n\nThe current algorithm sanity checks do not properly apply to new\nencoded extents.\n\nUnify the algorithm check with Z_EROFS_COMPRESSION(_RUNTIME)_MAX\nand ensure consistency with sbi->available_compr_algs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39924",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39925",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39925",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39926",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenetlink: fix genl_bind() invoking bind() after -EPERM\n\nPer family bind/unbind callbacks were introduced to allow families\nto track multicast group consumer presence, e.g. to start or stop\nproducing events depending on listeners.\n\nHowever, in genl_bind() the bind() callback was invoked even if\ncapability checks failed and ret was set to -EPERM. This means that\ncallbacks could run on behalf of unauthorized callers while the\nsyscall still returned failure to user space.\n\nFix this by only invoking bind() after \"if (ret) break;\" check\ni.e. after permission checks have succeeded.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39926",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39927",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix race condition validating r_parent before applying state\n\nAdd validation to ensure the cached parent directory inode matches the\ndirectory info in MDS replies. This prevents client-side race conditions\nwhere concurrent operations (e.g. rename) cause r_parent to become stale\nbetween request initiation and reply processing, which could lead to\napplying state changes to incorrect directory inodes.\n\n[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to\n  move CEPH_CAP_PIN reference when r_parent is updated:\n\n  When the parent directory lock is not held, req->r_parent can become\n  stale and is updated to point to the correct inode.  However, the\n  associated CEPH_CAP_PIN reference was not being adjusted.  The\n  CEPH_CAP_PIN is a reference on an inode that is tracked for\n  accounting purposes.  Moving this pin is important to keep the\n  accounting balanced. When the pin was not moved from the old parent\n  to the new one, it created two problems: The reference on the old,\n  stale parent was never released, causing a reference leak.\n  A reference for the new parent was never acquired, creating the risk\n  of a reference underflow later in ceph_mdsc_release_request().  This\n  patch corrects the logic by releasing the pin from the old parent and\n  acquiring it for the new parent when r_parent is switched.  This\n  ensures reference accounting stays balanced. ]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39927",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39928",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: ensure data length is within supported range\n\nAdd an explicit check for the xfer length to 'rtl9300_i2c_config_xfer'\nto ensure the data length isn't within the supported range. In\nparticular a data length of 0 is not supported by the hardware and\ncauses unintended or destructive behaviour.\n\nThis limitation becomes obvious when looking at the register\ndocumentation [1]. 4 bits are reserved for DATA_WIDTH and the value\nof these 4 bits is used as N + 1, allowing a data length range of\n1 <= len <= 16.\n\nAffected by this is the SMBus Quick Operation which works with a data\nlength of 0. Passing 0 as the length causes an underflow of the value\ndue to:\n\n(len - 1) & 0xf\n\nand effectively specifying a transfer length of 16 via the registers.\nThis causes a 16-byte write operation instead of a Quick Write. For\nexample, on SFP modules without write-protected EEPROM this soft-bricks\nthem by overwriting some initial bytes.\n\nFor completeness, also add a quirk for the zero length.\n\n[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39928",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39929",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path\n\nDuring tests of another unrelated patch I was able to trigger this\nerror: Objects remaining on __kmem_cache_shutdown()",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39929",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39930",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()\n\ncommit 419d1918105e (\"ASoC: simple-card-utils: use __free(device_node) for\ndevice node\") uses __free(device_node) for dlc->of_node, but we need to\nkeep it while driver is in use.\n\nDon't use __free(device_node) in graph_util_parse_dai().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39930",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39931",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Set merge to zero early in af_alg_sendmsg\n\nIf an error causes af_alg_sendmsg to abort, ctx->merge may contain\na garbage value from the previous loop.  This may then trigger a\ncrash on the next entry into af_alg_sendmsg when it attempts to do\na merge that can't be done.\n\nFix this by setting ctx->merge to zero near the start of the loop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39931",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39932",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)\n\nIn smbd_destroy() we may destroy the memory so we better\nwait until post_send_credits_work is no longer pending\nand will never be started again.\n\nI actually just hit the case using rxe:\n\nWARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]\n...\n[ 5305.686979] [    T138]  smbd_post_recv+0x445/0xc10 [cifs]\n[ 5305.687135] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687149] [    T138]  ? __kasan_check_write+0x14/0x30\n[ 5305.687185] [    T138]  ? __pfx_smbd_post_recv+0x10/0x10 [cifs]\n[ 5305.687329] [    T138]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 5305.687356] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687368] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687378] [    T138]  ? _raw_spin_unlock_irqrestore+0x11/0x60\n[ 5305.687389] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687399] [    T138]  ? get_receive_buffer+0x168/0x210 [cifs]\n[ 5305.687555] [    T138]  smbd_post_send_credits+0x382/0x4b0 [cifs]\n[ 5305.687701] [    T138]  ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]\n[ 5305.687855] [    T138]  ? __pfx___schedule+0x10/0x10\n[ 5305.687865] [    T138]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 5305.687875] [    T138]  ? queue_delayed_work_on+0x8e/0xa0\n[ 5305.687889] [    T138]  process_one_work+0x629/0xf80\n[ 5305.687908] [    T138]  ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687917] [    T138]  ? __kasan_check_write+0x14/0x30\n[ 5305.687933] [    T138]  worker_thread+0x87f/0x1570\n...\n\nIt means rxe_post_recv was called after rdma_destroy_qp().\nThis happened because put_receive_buffer() was triggered\nby ib_drain_qp() and called:\nqueue_work(info->workqueue, &info->post_send_credits_work);",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39932",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39933",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let recv_done verify data_offset, data_length and remaining_data_length\n\nThis is inspired by the related server fixes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39933",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39934",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: anx7625: Fix NULL pointer dereference with early IRQ\n\nIf the interrupt occurs before resource initialization is complete, the\ninterrupt handler/worker may access uninitialized data such as the I2C\ntcpc_client device, potentially leading to NULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39934",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39935",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded()\n\nThe sma1307->set.header_size is how many integers are in the header\n(there are 8 of them) but instead of allocating space of 8 integers\nwe allocate 8 bytes.  This leads to memory corruption when we copy data\nit on the next line:\n\n        memcpy(sma1307->set.header, data,\n               sma1307->set.header_size * sizeof(int));\n\nAlso since we're immediately copying over the memory in ->set.header,\nthere is no need to zero it in the allocator.  Use devm_kmalloc_array()\nto allocate the memory instead.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39935",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39936",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()\n\nWhen\n\n  9770b428b1a2 (\"crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown\")\n\nmoved the error messages dumping so that they don't need to be issued by\nthe callers, it missed the case where __sev_firmware_shutdown() calls\n__sev_platform_shutdown_locked() with a NULL argument which leads to\na NULL ptr deref on the shutdown path, during suspend to disk:\n\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 983 Comm: hib.sh Not tainted 6.17.0-rc4+ #1 PREEMPT(voluntary)\n  Hardware name: Supermicro Super Server/H12SSL-i, BIOS 2.5 09/08/2022\n  RIP: 0010:__sev_platform_shutdown_locked.cold+0x0/0x21 [ccp]\n\nThat rIP is:\n\n  00000000000006fd <__sev_platform_shutdown_locked.cold>:\n   6fd:   8b 13                   mov    (%rbx),%edx\n   6ff:   48 8b 7d 00             mov    0x0(%rbp),%rdi\n   703:   89 c1                   mov    %eax,%ecx\n\n  Code: 74 05 31 ff 41 89 3f 49 8b 3e 89 ea 48 c7 c6 a0 8e 54 a0 41 bf 92 ff ff ff e8 e5 2e 09 e1 c6 05 2a d4 38 00 01 e9 26 af ff ff <8b> 13 48 8b 7d 00 89 c1 48 c7 c6 18 90 54 a0 89 44 24 04 e8 c1 2e\n  RSP: 0018:ffffc90005467d00 EFLAGS: 00010282\n  RAX: 00000000ffffff92 RBX: 0000000000000000 RCX: 0000000000000000\n  \t\t\t     ^^^^^^^^^^^^^^^^\nand %rbx is nice and clean.\n\n  Call Trace:\n   <TASK>\n   __sev_firmware_shutdown.isra.0\n   sev_dev_destroy\n   psp_dev_destroy\n   sp_destroy\n   pci_device_shutdown\n   device_shutdown\n   kernel_power_off\n   hibernate.cold\n   state_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nPass in a pointer to the function-local error var in the caller.\n\nWith that addressed, suspending the ccp shows the error properly at\nleast:\n\n  ccp 0000:47:00.1: sev command 0x2 timed out, disabling PSP\n  ccp 0000:47:00.1: SEV: failed to SHUTDOWN error 0x0, rc -110\n  SEV-SNP: Leaking PFN range 0x146800-0x146a00\n  SEV-SNP: PFN 0x146800 unassigned, dumping non-zero entries in 2M PFN region: [0x146800 - 0x146a00]\n  ...\n  ccp 0000:47:00.1: SEV-SNP firmware shutdown failed, rc -16, error 0x0\n  ACPI: PM: Preparing to enter system sleep state S5\n  kvm: exiting hardware virtualization\n  reboot: Power down\n\nBtw, this driver is crying to be cleaned up to pass in a proper I/O\nstruct which can be used to store information between the different\nfunctions, otherwise stuff like that will happen in the future again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39936",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39937",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: gpio: Fix crash due to dereferencing uninitialized pointer\n\nSince commit 7d5e9737efda (\"net: rfkill: gpio: get the name and type from\ndevice property\") rfkill_find_type() gets called with the possibly\nuninitialized \"const char *type_name;\" local variable.\n\nOn x86 systems when rfkill-gpio binds to a \"BCM4752\" or \"LNV4752\"\nacpi_device, the rfkill->type is set based on the ACPI acpi_device_id:\n\n        rfkill->type = (unsigned)id->driver_data;\n\nand there is no \"type\" property so device_property_read_string() will fail\nand leave type_name uninitialized, leading to a potential crash.\n\nrfkill_find_type() does accept a NULL pointer, fix the potential crash\nby initializing type_name to NULL.\n\nNote likely so far this has not been caught because:\n\n1. Not many x86 machines actually have a \"BCM4752\"/\"LNV4752\" acpi_device\n2. The stack happened to contain NULL where type_name is stored",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39937",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39938",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed\n\nIf earlier opening of source graph fails (e.g. ADSP rejects due to\nincorrect audioreach topology), the graph is closed and\n\"dai_data->graph[dai->id]\" is assigned NULL.  Preparing the DAI for sink\ngraph continues though and next call to q6apm_lpass_dai_prepare()\nreceives dai_data->graph[dai->id]=NULL leading to NULL pointer\nexception:\n\n  qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd\n  qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1\n  q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78\n  q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22\n  Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\n  ...\n  Call trace:\n   q6apm_graph_media_format_pcm+0x48/0x120 (P)\n   q6apm_lpass_dai_prepare+0x110/0x1b4\n   snd_soc_pcm_dai_prepare+0x74/0x108\n   __soc_pcm_prepare+0x44/0x160\n   dpcm_be_dai_prepare+0x124/0x1c0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39938",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39939",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/s390: Fix memory corruption when using identity domain\n\nzpci_get_iommu_ctrs() returns counter information to be reported as part\nof device statistics; these counters are stored as part of the s390_domain.\nThe problem, however, is that the identity domain is not backed by an\ns390_domain and so the conversion via to_s390_domain() yields a bad address\nthat is zero'd initially and read on-demand later via a sysfs read.\nThese counters aren't necessary for the identity domain; just return NULL\nin this case.\n\nThis issue was discovered via KASAN with reports that look like:\nBUG: KASAN: global-out-of-bounds in zpci_fmb_enable_device\nwhen using the identity domain for a device on s390.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39939",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39940",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-stripe: fix a possible integer overflow\n\nThere's a possible integer overflow in stripe_io_hints if we have too\nlarge chunk size. Test if the overflow happened, and if it did, don't set\nlimits->io_min and limits->io_opt;",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39940",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39941",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix slot write race condition\n\nParallel concurrent writes to the same zram index result in leaked\nzsmalloc handles.  Schematically we can have something like this:\n\nCPU0                              CPU1\nzram_slot_lock()\nzs_free(handle)\nzram_slot_lock()\n\t\t\t\tzram_slot_lock()\n\t\t\t\tzs_free(handle)\n\t\t\t\tzram_slot_lock()\n\ncompress\t\t\tcompress\nhandle = zs_malloc()\t\thandle = zs_malloc()\nzram_slot_lock\nzram_set_handle(handle)\nzram_slot_lock\n\t\t\t\tzram_slot_lock\n\t\t\t\tzram_set_handle(handle)\n\t\t\t\tzram_slot_lock\n\nEither CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done\ntoo early.  In fact, we need to reset zram entry right before we set its\nnew handle, all under the same slot lock scope.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39941",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39942",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size\n\nThis is inspired by the check for data_offset + data_length.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39942",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39943",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer\n\nIf data_offset and data_length of smb_direct_data_transfer struct are\ninvalid, out of bounds issue could happen.\nThis patch validates data_offset and data_length field in recv_done.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39943",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39944",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()\n\nThe original code relies on cancel_delayed_work() in otx2_ptp_destroy(),\nwhich does not ensure that the delayed work item synctstamp_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work\nremains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().\nFurthermore, since the synctstamp_work is cyclic, the likelihood of triggering\nthe bug is nonnegligible.\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup)           | CPU 1 (delayed work callback)\notx2_remove()             |\n  otx2_ptp_destroy()      | otx2_sync_tstamp()\n    cancel_delayed_work() |\n    kfree(ptp)            |\n                          |   ptp = container_of(...); //UAF\n                          |   ptp-> //UAF\n\nThis is confirmed by a KASAN report:\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800aa09a18 by task bash/136\n...\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n otx2_ptp_init+0xb1/0x860\n otx2_probe+0x4eb/0xc30\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 136:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n otx2_ptp_destroy+0x38/0x80\n otx2_remove+0x10d/0x4c0\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled before the otx2_ptp is\ndeallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the OcteonTX2 PCI device in QEMU and introduced\nartificial delays within the otx2_sync_tstamp() function to increase the\nlikelihood of triggering the bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39944",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39945",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncnic: Fix use-after-free bugs in cnic_delete_task\n\nThe original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),\nwhich does not guarantee that the delayed work item 'delete_task' has\nfully completed if it was already running. Additionally, the delayed work\nitem is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only\nblocks and waits for work items that were already queued to the\nworkqueue prior to its invocation. Any work items submitted after\nflush_workqueue() is called are not included in the set of tasks that the\nflush operation awaits. This means that after the cyclic work items have\nfinished executing, a delayed work item may still exist in the workqueue.\nThis leads to use-after-free scenarios where the cnic_dev is deallocated\nby cnic_free_dev(), while delete_task remains active and attempts to\ndereference cnic_dev in cnic_delete_task().\n\nA typical race condition is illustrated below:\n\nCPU 0 (cleanup)              | CPU 1 (delayed work callback)\ncnic_netdev_event()          |\n  cnic_stop_hw()             | cnic_delete_task()\n    cnic_cm_stop_bnx2x_hw()  | ...\n      cancel_delayed_work()  | /* the queue_delayed_work()\n      flush_workqueue()      |    executes after flush_workqueue()*/\n                             | queue_delayed_work()\n  cnic_free_dev(dev)//free   | cnic_delete_task() //new instance\n                             |   dev = cp->dev; //use\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the cyclic delayed work item is properly canceled and that any\nongoing execution of the work item completes before the cnic_dev is\ndeallocated. Furthermore, since cancel_delayed_work_sync() uses\n__flush_work(work, true) to synchronously wait for any currently\nexecuting instance of the work item to finish, the flush_workqueue()\nbecomes redundant and should be removed.\n\nThis bug was identified through static analysis. To reproduce the issue\nand validate the fix, I simulated the cnic PCI device in QEMU and\nintroduced intentional delays \u2014 such as inserting calls to ssleep()\nwithin the cnic_delete_task() function \u2014 to increase the likelihood\nof triggering the bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39945",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39946",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: make sure to abort the stream if headers are bogus\n\nNormally we wait for the socket to buffer up the whole record\nbefore we service it. If the socket has a tiny buffer, however,\nwe read out the data sooner, to prevent connection stalls.\nMake sure that we abort the connection when we find out late\nthat the record is actually invalid. Retrying the parsing is\nfine in itself but since we copy some more data each time\nbefore we parse we can overflow the allocated skb space.\n\nConstructing a scenario in which we're under pressure without\nenough data in the socket to parse the length upfront is quite\nhard. syzbot figured out a way to do this by serving us the header\nin small OOB sends, and then filling in the recvbuf with a large\nnormal send.\n\nMake sure that tls_rx_msg_size() aborts strp, if we reach\nan invalid record there's really no way to recover.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39946",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39947",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Harden uplink netdev access against device unbind\n\nThe function mlx5_uplink_netdev_get() gets the uplink netdevice\npointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can\nbe removed and its pointer cleared when unbound from the mlx5_core.eth\ndriver. This results in a NULL pointer, causing a kernel panic.\n\n BUG: unable to handle page fault for address: 0000000000001300\n at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]\n Call Trace:\n  <TASK>\n  mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]\n  esw_offloads_enable+0x593/0x910 [mlx5_core]\n  mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]\n  mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]\n  devlink_nl_eswitch_set_doit+0x60/0xd0\n  genl_family_rcv_msg_doit+0xe0/0x130\n  genl_rcv_msg+0x183/0x290\n  netlink_rcv_skb+0x4b/0xf0\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x255/0x380\n  netlink_sendmsg+0x1f3/0x420\n  __sock_sendmsg+0x38/0x60\n  __sys_sendto+0x119/0x180\n  do_syscall_64+0x53/0x1d0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nEnsure the pointer is valid before use by checking it for NULL. If it\nis valid, immediately call netdev_hold() to take a reference, and\nprevent the netdevice from being freed while it is in use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39947",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39948",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Rx page leak on multi-buffer frames\n\nThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each\nbuffer in the current frame. This function was introduced as part of\nhandling multi-buffer XDP support in the ice driver.\n\nIt works by iterating over the buffers from first_desc up to 1 plus the\ntotal number of fragments in the frame, cached from before the XDP program\nwas executed.\n\nIf the hardware posts a descriptor with a size of 0, the logic used in\nice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added\nas fragments in ice_add_xdp_frag. Since the buffer isn't counted as a\nfragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't\ncall ice_put_rx_buf().\n\nBecause we don't call ice_put_rx_buf(), we don't attempt to re-use the\npage or free it. This leaves a stale page in the ring, as we don't\nincrement next_to_alloc.\n\nThe ice_reuse_rx_page() assumes that the next_to_alloc has been incremented\nproperly, and that it always points to a buffer with a NULL page. Since\nthis function doesn't check, it will happily recycle a page over the top\nof the next_to_alloc buffer, losing track of the old page.\n\nNote that this leak only occurs for multi-buffer frames. The\nice_put_rx_mbuf() function always handles at least one buffer, so a\nsingle-buffer frame will always get handled correctly. It is not clear\nprecisely why the hardware hands us descriptors with a size of 0 sometimes,\nbut it happens somewhat regularly with \"jumbo frames\" used by 9K MTU.\n\nTo fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on\nall buffers between first_desc and next_to_clean. Borrow the logic of a\nsimilar function in i40e used for this same purpose. Use the same logic\nalso in ice_get_pgcnts().\n\nInstead of iterating over just the number of fragments, use a loop which\niterates until the current index reaches to the next_to_clean element just\npast the current frame. Unlike i40e, the ice_put_rx_mbuf() function does\ncall ice_put_rx_buf() on the last buffer of the frame indicating the end of\npacket.\n\nFor non-linear (multi-buffer) frames, we need to take care when adjusting\nthe pagecnt_bias. An XDP program might release fragments from the tail of\nthe frame, in which case that fragment page is already released. Only\nupdate the pagecnt_bias for the first descriptor and fragments still\nremaining post-XDP program. Take care to only access the shared info for\nfragmented buffers, as this avoids a significant cache miss.\n\nThe xdp_xmit value only needs to be updated if an XDP program is run, and\nonly once per packet. Drop the xdp_xmit pointer argument from\nice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function\ndirectly. This avoids needing to pass the argument and avoids an extra\nbit-wise OR for each buffer in the frame.\n\nMove the increment of the ntc local variable to ensure it's updated *before*\nall calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic\nrequires the index of the element just after the current frame.\n\nNow that we use an index pointer in the ring to identify the packet, we no\nlonger need to track or cache the number of fragments in the rx_ring.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39948",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39949",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nqed: Don't collect too many protection override GRC elements\n\nIn the protection override dump path, the firmware can return far too\nmany GRC elements, resulting in attempting to write past the end of the\npreviously-kmalloc'ed dump buffer.\n\nThis will result in a kernel panic with reason:\n\n BUG: unable to handle kernel paging request at ADDRESS\n\nwhere \"ADDRESS\" is just past the end of the protection override dump\nbuffer. The start address of the buffer is:\n p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf\nand the size of the buffer is buf_size in the same data structure.\n\nThe panic can be arrived at from either the qede Ethernet driver path:\n\n    [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc02662ed [qed]\n qed_dbg_protection_override_dump at ffffffffc0267792 [qed]\n qed_dbg_feature at ffffffffc026aa8f [qed]\n qed_dbg_all_data at ffffffffc026b211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]\n devlink_health_do_dump at ffffffff82497f61\n devlink_health_report at ffffffff8249cf29\n qed_report_fatal_error at ffffffffc0272baf [qed]\n qede_sp_task at ffffffffc045ed32 [qede]\n process_one_work at ffffffff81d19783\n\nor the qedf storage driver path:\n\n    [exception RIP: qed_grc_dump_addr_range+0x108]\n qed_protection_override_dump at ffffffffc068b2ed [qed]\n qed_dbg_protection_override_dump at ffffffffc068c792 [qed]\n qed_dbg_feature at ffffffffc068fa8f [qed]\n qed_dbg_all_data at ffffffffc0690211 [qed]\n qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]\n devlink_health_do_dump at ffffffff8aa95e51\n devlink_health_report at ffffffff8aa9ae19\n qed_report_fatal_error at ffffffffc0697baf [qed]\n qed_hw_err_notify at ffffffffc06d32d7 [qed]\n qed_spq_post at ffffffffc06b1011 [qed]\n qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]\n qedf_cleanup_fcport at ffffffffc05e7597 [qedf]\n qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]\n fc_rport_work at ffffffffc02da715 [libfc]\n process_one_work at ffffffff8a319663\n\nResolve this by clamping the firmware's return value to the maximum\nnumber of legal elements the firmware should return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39949",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39950",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR\n\nA NULL pointer dereference can occur in tcp_ao_finish_connect() during a\nconnect() system call on a socket with a TCP-AO key added and TCP_REPAIR\nenabled.\n\nThe function is called with skb being NULL and attempts to dereference it\non tcp_hdr(skb)->seq without a prior skb validation.\n\nFix this by checking if skb is NULL before dereferencing it.\n\nThe commentary is taken from bpf_skops_established(), which is also called\nin the same flow. Unlike the function being patched,\nbpf_skops_established() validates the skb before dereferencing it.\n\nint main(void){\n\tstruct sockaddr_in sockaddr;\n\tstruct tcp_ao_add tcp_ao;\n\tint sk;\n\tint one = 1;\n\n\tmemset(&sockaddr,'\\0',sizeof(sockaddr));\n\tmemset(&tcp_ao,'\\0',sizeof(tcp_ao));\n\n\tsk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n\n\tsockaddr.sin_family = AF_INET;\n\n\tmemcpy(tcp_ao.alg_name,\"cmac(aes128)\",12);\n\tmemcpy(tcp_ao.key,\"ABCDEFGHABCDEFGH\",16);\n\ttcp_ao.keylen = 16;\n\n\tmemcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr));\n\n\tsetsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao,\n\tsizeof(tcp_ao));\n\tsetsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one));\n\n\tsockaddr.sin_family = AF_INET;\n\tsockaddr.sin_port = htobe16(123);\n\n\tinet_aton(\"127.0.0.1\", &sockaddr.sin_addr);\n\n\tconnect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr));\n\nreturn 0;\n}\n\n$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall\n$ unshare -Urn\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b6\nPGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop\nReference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39950",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39951",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: virtio_uml: Fix use-after-free after put_device in probe\n\nWhen register_virtio_device() fails in virtio_uml_probe(),\nthe code sets vu_dev->registered = 1 even though\nthe device was not successfully registered.\nThis can lead to use-after-free or other issues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39951",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39952",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: avoid buffer overflow in WID string configuration\n\nFix the following copy overflow warning identified by Smatch checker.\n\n drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()\n        error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)\n\nThis patch introduces size check before accessing the memory buffer.\nThe checks are base on the WID type of received data from the firmware.\nFor WID string configuration, the size limit is determined by individual\nelement size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field\nof 'struct wilc_cfg_str'.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39952",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39953",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0                            CPU1\nmount perf_event                umount net_prio\ncgroup1_get_tree                cgroup_kill_sb\nrebind_subsystems               // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n                                // one perf_event css A is dying\n                                // css A offline enqueues cgroup_destroy_wq\n                                // root destruction will be executed first\n                                css_free_rwork_fn\n                                cgroup_destroy_root\n                                cgroup_lock_and_drain_offline\n                                // some perf descendants are dying\n                                // cgroup_destroy_wq max_active = 1\n                                // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n   blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39953",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39954",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: mp: Fix dual-divider clock rate readback\n\nWhen dual-divider clock support was introduced, the P divider offset was\nleft out of the .recalc_rate readback function. This causes the clock\nrate to become bogus or even zero (possibly due to the P divider being\n1, leading to a divide-by-zero).\n\nFix this by incorporating the P divider offset into the calculation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39954",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39955",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n  1. accept()\n  2. connect(AF_UNSPEC)\n  3. connect() to another destination\n\nAs of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet's call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS:  0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n <IRQ>\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39955",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39956",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: don't fail igc_probe() on LED setup error\n\nWhen igc_led_setup() fails, igc_probe() fails and triggers kernel panic\nin free_netdev() since unregister_netdev() is not called. [1]\nThis behavior can be tested using fault-injection framework, especially\nthe failslab feature. [2]\n\nSince LED support is not mandatory, treat LED setup failures as\nnon-fatal and continue probe with a warning message, consequently\navoiding the kernel panic.\n\n[1]\n kernel BUG at net/core/dev.c:12047!\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 0 UID: 0 PID: 937 Comm: repro-igc-led-e Not tainted 6.17.0-rc4-enjuk-tnguy-00865-gc4940196ab02 #64 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:free_netdev+0x278/0x2b0\n [...]\n Call Trace:\n  <TASK>\n  igc_probe+0x370/0x910\n  local_pci_probe+0x3a/0x80\n  pci_device_probe+0xd1/0x200\n [...]\n\n[2]\n #!/bin/bash -ex\n\n FAILSLAB_PATH=/sys/kernel/debug/failslab/\n DEVICE=0000:00:05.0\n START_ADDR=$(grep \" igc_led_setup\" /proc/kallsyms \\\n         | awk '{printf(\"0x%s\", $1)}')\n END_ADDR=$(printf \"0x%x\" $((START_ADDR + 0x100)))\n\n echo $START_ADDR > $FAILSLAB_PATH/require-start\n echo $END_ADDR > $FAILSLAB_PATH/require-end\n echo 1 > $FAILSLAB_PATH/times\n echo 100 > $FAILSLAB_PATH/probability\n echo N > $FAILSLAB_PATH/ignore-gfp-wait\n\n echo $DEVICE > /sys/bus/pci/drivers/igc/bind",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39956",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39957",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: increase scan_ies_len for S1G\n\nCurrently the S1G capability element is not taken into account\nfor the scan_ies_len, which leads to a buffer length validation\nfailure in ieee80211_prep_hw_scan() and subsequent WARN in\n__ieee80211_start_scan(). This prevents hw scanning from functioning.\nTo fix ensure we accommodate for the S1G capability length.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39957",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39958",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/s390: Make attach succeed when the device was surprise removed\n\nWhen a PCI device is removed with surprise hotplug, there may still be\nattempts to attach the device to the default domain as part of tear down\nvia (__iommu_release_dma_ownership()), or because the removal happens\nduring probe (__iommu_probe_device()). In both cases zpci_register_ioat()\nfails with a cc value indicating that the device handle is invalid. This\nis because the device is no longer part of the instance as far as the\nhypervisor is concerned.\n\nCurrently this leads to an error return and s390_iommu_attach_device()\nfails. This triggers the WARN_ON() in __iommu_group_set_domain_nofail()\nbecause attaching to the default domain must never fail.\n\nWith the device fenced by the hypervisor no DMAs to or from memory are\npossible and the IOMMU translations have no effect. Proceed as if the\nregistration was successful and let the hotplug event handling clean up\nthe device.\n\nThis is similar to how devices in the error state are handled since\ncommit 59bbf596791b (\"iommu/s390: Make attach succeed even if the device\nis in error state\") except that for removal the domain will not be\nregistered later. This approach was also previously discussed at the\nlink.\n\nHandle both cases, error state and removal, in a helper which checks if\nthe error needs to be propagated or ignored. Avoid magic number\ncondition codes by using the pre-existing, but never used, defines for\nPCI load/store condition codes and rename them to reflect that they\napply to all PCI instructions.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39958",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39959",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp: Fix incorrect retrival of acp_chip_info\n\nUse dev_get_drvdata(dev->parent) instead of dev_get_platdata(dev)\nto correctly obtain acp_chip_info members in the acp I2S driver.\nPreviously, some members were not updated properly due to incorrect\ndata access, which could potentially lead to null pointer\ndereferences.\n\nThis issue was missed in the earlier commit\n(\"ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot\"),\nwhich only addressed set_tdm_slot(). This change ensures that all\nrelevant functions correctly retrieve acp_chip_info, preventing\nfurther null pointer dereference issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39959",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39960",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: acpi: initialize acpi_gpio_info struct\n\nSince commit 7c010d463372 (\"gpiolib: acpi: Make sure we fill struct\nacpi_gpio_info\"), uninitialized acpi_gpio_info struct are passed to\n__acpi_find_gpio() and later in the call stack info->quirks is used in\nacpi_populate_gpio_lookup. This breaks the i2c_hid_cpi driver:\n\n[   58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ\n[   58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22\n\nFix this by initializing the acpi_gpio_info pass to __acpi_find_gpio()",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39960",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39961",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd/pgtbl: Fix possible race while increase page table level\n\nThe AMD IOMMU host page table implementation supports dynamic page table levels\n(up to 6 levels), starting with a 3-level configuration that expands based on\nIOVA address. The kernel maintains a root pointer and current page table level\nto enable proper page table walks in alloc_pte()/fetch_pte() operations.\n\nThe IOMMU IOVA allocator initially starts with 32-bit address and onces its\nexhuasted it switches to 64-bit address (max address is determined based\non IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU\ndriver increases page table level.\n\nBut in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads\npgtable->[root/mode] without lock. So its possible that in exteme corner case,\nwhen increase_address_space() is updating pgtable->[root/mode], fetch_pte()\nreads wrong page table level (pgtable->mode). It does compare the value with\nlevel encoded in page table and returns NULL. This will result is\niommu_unmap ops to fail and upper layer may retry/log WARN_ON.\n\nCPU 0                                         CPU 1\n------                                       ------\nmap pages                                    unmap pages\nalloc_pte() -> increase_address_space()      iommu_v1_unmap_pages() -> fetch_pte()\n  pgtable->root = pte (new root value)\n                                             READ pgtable->[mode/root]\n\t\t\t\t\t       Reads new root, old mode\n  Updates mode (pgtable->mode += 1)\n\nSince Page table level updates are infrequent and already synchronized with a\nspinlock, implement seqcount to enable lock-free read operations on the read path.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39961",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39962",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix untrusted unsigned subtract\n\nFix the following Smatch static checker warning:\n\n   net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()\n   warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'\n\nby prechecking the length of what we're trying to extract in two places in\nthe token and decoding for a response packet.\n\nAlso use sizeof() on the struct we're extracting rather specifying the size\nnumerically to be consistent with the other related statements.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39962",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39963",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix incorrect io_kiocb reference in io_link_skb\n\nIn io_link_skb function, there is a bug where prev_notif is incorrectly\nassigned using 'nd' instead of 'prev_nd'. This causes the context\nvalidation check to compare the current notification with itself instead\nof comparing it with the previous notification.\n\nFix by using the correct prev_nd parameter when obtaining prev_notif.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39963",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39964",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Disallow concurrent writes in af_alg_sendmsg\n\nIssuing two writes to the same af_alg socket is bogus as the\ndata will be interleaved in an unpredictable fashion.  Furthermore,\nconcurrent writes may create inconsistencies in the internal\nsocket state.\n\nDisallow this by adding a new ctx->write field that indiciates\nexclusive ownership for writing.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39964",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39965",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: xfrm_alloc_spi shouldn't use 0 as SPI\n\nx->id.spi == 0 means \"no SPI assigned\", but since commit\n94f39804d891 (\"xfrm: Duplicate SPI Handling\"), we now create states\nand add them to the byspi list with this value.\n\n__xfrm_state_delete doesn't remove those states from the byspi list,\nsince they shouldn't be there, and this shows up as a UAF the next\ntime we go through the byspi list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39965",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16.10"
        },
        {
          "id": "CVE-2025-39966",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix race during abort for file descriptors\n\nfput() doesn't actually call file_operations release() synchronously, it\nputs the file on a work queue and it will be released eventually.\n\nThis is normally fine, except for iommufd the file and the iommufd_object\nare tied to gether. The file has the object as it's private_data and holds\na users refcount, while the object is expected to remain alive as long as\nthe file is.\n\nWhen the allocation of a new object aborts before installing the file it\nwill fput() the file and then go on to immediately kfree() the obj. This\ncauses a UAF once the workqueue completes the fput() and tries to\ndecrement the users refcount.\n\nFix this by putting the core code in charge of the file lifetime, and call\n__fput_sync() during abort to ensure that release() is called before\nkfree. __fput_sync() is a bit too tricky to open code in all the object\nimplementations. Instead the objects tell the core code where the file\npointer is and the core will take care of the life cycle.\n\nIf the object is successfully allocated then the file will hold a users\nrefcount and the iommufd_object cannot be destroyed.\n\nIt is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an\nissue because close() is already using a synchronous version of fput().\n\nThe UAF looks like this:\n\n    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164\n\n    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n    Call Trace:\n     <TASK>\n     __dump_stack lib/dump_stack.c:94 [inline]\n     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n     print_address_description mm/kasan/report.c:378 [inline]\n     print_report+0xcd/0x630 mm/kasan/report.c:482\n     kasan_report+0xe0/0x110 mm/kasan/report.c:595\n     check_region_inline mm/kasan/generic.c:183 [inline]\n     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189\n     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]\n     __refcount_dec include/linux/refcount.h:455 [inline]\n     refcount_dec include/linux/refcount.h:476 [inline]\n     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376\n     __fput+0x402/0xb70 fs/file_table.c:468\n     task_work_run+0x14d/0x240 kernel/task_work.c:227\n     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39966",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39967",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: fix integer overflow in fbcon_do_set_font\n\nFix integer overflow vulnerabilities in fbcon_do_set_font() where font\nsize calculations could overflow when handling user-controlled font\nparameters.\n\nThe vulnerabilities occur when:\n1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount\n   multiplication with user-controlled values that can overflow.\n2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow\n3. This results in smaller allocations than expected, leading to buffer\n   overflows during font data copying.\n\nAdd explicit overflow checking using check_mul_overflow() and\ncheck_add_overflow() kernel helpers to safety validate all size\ncalculations before allocation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39967",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39968",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add max boundary check for VF filters\n\nThere is no check for max filters that VF can request. Add it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39968",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39969",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix validation of VF state in get resources\n\nVF state I40E_VF_STATE_ACTIVE is not the only state in which\nVF is actually active so it should not be used to determine\nif a VF is allowed to obtain resources.\n\nUse I40E_VF_STATE_RESOURCES_LOADED that is set only in\ni40e_vc_get_vf_resources_msg() and cleared during reset.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39969",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39970",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix input validation logic for action_meta\n\nFix condition to check 'greater or equal' to prevent OOB dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39970",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39971",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in config queues msg\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf->ch[idx] in i40e_vc_config_queues_msg().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39971",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39972",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix idx validation in i40e_validate_queue_map\n\nEnsure idx is within range of active/initialized TCs when iterating over\nvf->ch[idx] in i40e_validate_queue_map().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39972",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39973",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39973",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39974",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()\n\nWhen configuring osnoise cpus by write() syscall, the following KASAN splat may\nbe observed:\n\nBUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130\nRead of size 1 at addr ffff88810121e3a1 by task test/447\nCPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x55/0x70\n print_report+0xcb/0x610\n kasan_report+0xb8/0xf0\n _parse_integer_limit+0x103/0x130\n bitmap_parselist+0x16d/0x6f0\n osnoise_cpus_write+0x116/0x2d0\n vfs_write+0x21e/0xcc0\n ksys_write+0xee/0x1c0\n do_syscall_64+0xa8/0x2a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis issue can be reproduced by below code:\n\nconst char *cpulist = \"1\";\nint fd=open(\"/sys/kernel/debug/tracing/osnoise/cpus\", O_WRONLY);\nwrite(fd, cpulist, strlen(cpulist));\n\nFunction bitmap_parselist() was called to parse cpulist, it requires that\nthe parameter 'buf' must be terminated with a '\\0' or '\\n'. Fix this issue\nby adding a '\\0' to 'buf' in osnoise_cpus_write().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39974",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39975",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix wrong index reference in smb2_compound_op()\n\nIn smb2_compound_op(), the loop that processes each command's response\nuses wrong indices when accessing response buffers.\n\nThis incorrect indexing leads to improper handling of command results.\nAlso, if incorrectly computed index is greater than or equal to\nMAX_COMPOUND, it can cause out-of-bounds accesses.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39975",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Use correct exit on failure from futex_hash_allocate_default()\n\ncopy_process() uses the wrong error exit path from futex_hash_allocate_default().\nAfter exiting from futex_hash_allocate_default(), neither tasklist_lock\nnor siglock has been acquired. The exit label bad_fork_core_free unlocks\nboth of these locks which is wrong.\n\nThe next exit label, bad_fork_cancel_cgroup, is the correct exit.\nsched_cgroup_fork() did not allocate any resources that need to freed.\n\nUse bad_fork_cancel_cgroup on error exit from futex_hash_allocate_default().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39976",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent use-after-free during requeue-PI\n\nsyzbot managed to trigger the following race:\n\n   T1                               T2\n\n futex_wait_requeue_pi()\n   futex_do_wait()\n     schedule()\n                               futex_requeue()\n                                 futex_proxy_trylock_atomic()\n                                   futex_requeue_pi_prepare()\n                                   requeue_pi_wake_futex()\n                                     futex_requeue_pi_complete()\n                                      /* preempt */\n\n         * timeout/ signal wakes T1 *\n\n   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED\n   futex_hash_put()\n  // back to userland, on stack futex_q is garbage\n\n                                      /* back */\n                                     wake_up_state(q->task, TASK_NORMAL);\n\nIn this scenario futex_wait_requeue_pi() is able to leave without using\nfutex_q::lock_ptr for synchronization.\n\nThis can be prevented by reading futex_q::task before updating the\nfutex_q::requeue_state. A reference on the task_struct is not needed\nbecause requeue_pi_wake_futex() is invoked with a spinlock_t held which\nimplies a RCU read section.\n\nEven if T1 terminates immediately after, the task_struct will remain valid\nduring T2's wake_up_state().  A READ_ONCE on futex_q::task before\nfutex_requeue_pi_complete() is enough because it ensures that the variable\nis read before the state is updated.\n\nRead futex_q::task before updating the requeue state, use it for the\nfollowing wakeup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39977",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential use after free in otx2_tc_add_flow()\n\nThis code calls kfree_rcu(new_node, rcu) and then dereferences \"new_node\"\nand then dereferences it on the next line.  Two lines later, we take\na mutex so I don't think this is an RCU safe region.  Re-order it to do\nthe dereferences before queuing up the free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39978",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, fix UAF in flow counter release\n\nFix a kernel trace [1] caused by releasing an HWS action of a local flow\ncounter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and\nmutex were not initialized and the counter struct could already be freed\nwhen deleting the rule.\n\nFix it by adding the missing initializations and adding refcount for the\nlocal flow counter struct.\n\n[1] Kernel log:\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x34/0x48\n  mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]\n  mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]\n  mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]\n  mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]\n  del_hw_fte+0x1ce/0x260 [mlx5_core]\n  mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]\n  ? ttwu_queue_wakelist+0xf4/0x110\n  mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]\n  uverbs_free_flow+0x20/0x50 [ib_uverbs]\n  destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]\n  uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]\n  uobj_destroy+0x3c/0x80 [ib_uverbs]\n  ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]\n  ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\n  ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]\n  ? do_tty_write+0x1a9/0x270\n  ? file_tty_write.constprop.0+0x98/0xc0\n  ? new_sync_write+0xfc/0x190\n  ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]\n  __x64_sys_ioctl+0x87/0xc0\n  do_syscall_64+0x59/0x90",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39979",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n <TASK>\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39980",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible UAFs\n\nThis attempts to fix possible UAFs caused by struct mgmt_pending being\nfreed while still being processed like in the following trace, in order\nto fix mgmt_pending_valid is introduced and used to check if the\nmgmt_pending hasn't been removed from the pending list, on the complete\ncallbacks it is used to check and in addition remove the cmd from the list\nwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd\nis left on the list it can still be accessed and freed.\n\nBUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nRead of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55\n\nCPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 12210:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247\n add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n sock_write_iter+0x258/0x330 net/socket.c:1133\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 12221:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4648 [inline]\n kfree+0x18e/0x440 mm/slub.c:4847\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444\n hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290\n hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]\n hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526\n sock_do_ioctl+0xd9/0x300 net/socket.c:1192\n sock_ioctl+0x576/0x790 net/socket.c:1313\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39981",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync\n\nThis fixes the following UAF in hci_acl_create_conn_sync where a\nconnection still pending is command submission (conn->state == BT_OPEN)\nmay be freed, also since this also can happen with the likes of\nhci_le_create_conn_sync fix it as well:\n\nBUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nWrite of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541\n\nCPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci3 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 123736:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]\n hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634\n pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x54b/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 103680:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39982",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue\n\nThis fixes the following UAF caused by not properly locking hdev when\nprocessing HCI_EV_NUM_COMP_PKTS:\n\nBUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\nRead of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54\n\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci1 hci_rx_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x230 mm/kasan/report.c:480\n kasan_report+0x118/0x150 mm/kasan/report.c:593\n hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\n hci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404\n hci_event_func net/bluetooth/hci_event.c:7477 [inline]\n hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 54:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\n le_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628\n hci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794\n hci_event_func net/bluetooth/hci_event.c:7474 [inline]\n hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531\n hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n\nFreed by task 9572:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2381 [inline]\n slab_free mm/slub.c:4643 [inline]\n kfree+0x18e/0x440 mm/slub.c:4842\n device_release+0x9c/0x1c0\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x22b/0x480 lib/kobject.c:737\n hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\n hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\n hci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x70e/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Update napi->skb after XDP process\n\nsyzbot reports a UAF issue:\n\n  BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n  BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]\n  BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n  Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079\n  CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0xca/0x240 mm/kasan/report.c:482\n   kasan_report+0x118/0x150 mm/kasan/report.c:595\n   skb_reset_mac_header include/linux/skbuff.h:3150 [inline]\n   napi_frags_skb net/core/gro.c:723 [inline]\n   napi_gro_frags+0x6e/0x1030 net/core/gro.c:758\n   tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\n  Allocated by task 6079:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:330 [inline]\n   __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558\n   kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]\n   napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295\n   __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657\n   napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811\n   napi_get_frags+0x69/0x140 net/core/gro.c:673\n   tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]\n   tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 6079:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n   poison_slab_object mm/kasan/common.c:243 [inline]\n   __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275\n   kasan_slab_free include/linux/kasan.h:233 [inline]\n   slab_free_hook mm/slub.c:2422 [inline]\n   slab_free mm/slub.c:4695 [inline]\n   kmem_cache_free+0x18f/0x400 mm/slub.c:4797\n   skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969\n   netif_skb_check_for_xdp net/core/dev.c:5390 [inline]\n   netif_receive_generic_xdp net/core/dev.c:5431 [inline]\n   do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499\n   tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872\n   tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996\n   new_sync_write fs/read_write.c:593 [inline]\n   vfs_write+0x5c9/0xb30 fs/read_write.c:686\n   ksys_write+0x145/0x250 fs/read_write.c:738\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAfter commit e6d5dbdd20aa (\"xdp: add multi-buff support for xdp running in\ngeneric mode\"), the original skb may be freed in skb_pp_cow_data() when\nXDP program was attached, which was allocated in tun_napi_alloc_frags().\nHowever, the napi->skb still points to the original skb, update it after\nXDP process.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39984",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow\n\nSending a PF_PACKET allows to bypass the CAN framework logic and to\ndirectly reach the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb->len fits the interface's MTU.\n\nUnfortunately, because the mcba_usb driver does not populate its\nnet_device_ops->ndo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n  $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers' xmit() functions are calling can_dev_dropped_skb() to\ncheck that the skb is valid, unfortunately under above conditions, the\nmalicious packet is able to go through can_dev_dropped_skb() checks:\n\n  1. the skb->protocol is set to ETH_P_CANXL which is valid (the\n     function does not check the actual device capabilities).\n\n  2. the length is a valid CAN XL length.\n\nAnd so, mcba_usb_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf->len\nas-is with no further checks on these lines:\n\n\tusb_msg.dlc = cf->len;\n\n\tmemcpy(usb_msg.data, cf->data, usb_msg.dlc);\n\nHere, cf->len corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame->flags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops->ndo_change_mtu() to ensure that the\ninterface's MTU can not be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39985",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow\n\nSending a PF_PACKET allows bypassing the CAN framework logic and\ndirectly reaching the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb->len fits the interface's MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops->ndo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n  $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers' xmit() functions call can_dev_dropped_skb() to\ncheck that the skb is valid; unfortunately, under the above conditions, the\nmalicious packet is able to go through the can_dev_dropped_skb() checks:\n\n  1. the skb->protocol is set to ETH_P_CANXL which is valid (the\n     function does not check the actual device capabilities).\n\n  2. the length is a valid CAN XL length.\n\nAnd so, sun4ican_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN frame.\n\nThis can result in a buffer overflow. The driver will consume cf->len\nas-is with no further checks on this line:\n\n\tdlc = cf->len;\n\nHere, cf->len corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame->flags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs a\ncouple of lines below when doing:\n\n\tfor (i = 0; i < dlc; i++)\n\t\twritel(cf->data[i], priv->base + (dreg + i * 4));\n\nPopulate net_device_ops->ndo_change_mtu() to ensure that the\ninterface's MTU cannot be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39986",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending a PF_PACKET allows bypassing the CAN framework logic and\ndirectly reaching the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb->len fits the interface's MTU.\n\nUnfortunately, because the sun4i_can driver does not populate its\nnet_device_ops->ndo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n  $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))\n\nto inject malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers' xmit() functions call can_dev_dropped_skb() to\ncheck that the skb is valid; unfortunately, under the above conditions, the\nmalicious packet is able to go through the can_dev_dropped_skb() checks:\n\n  1. the skb->protocol is set to ETH_P_CANXL which is valid (the\n     function does not check the actual device capabilities).\n\n  2. the length is a valid CAN XL length.\n\nAnd so, hi3110_hard_start_xmit() receives a CAN XL frame which it is\nnot able to correctly handle and will thus misinterpret it as a CAN\nframe. The driver will consume frame->len as-is with no further\nchecks.\n\nThis can result in a buffer overflow later on in hi3110_hw_tx() on\nthis line:\n\n\tmemcpy(buf + HI3110_FIFO_EXT_DATA_OFF,\n\t       frame->data, frame->len);\n\nHere, frame->len corresponds to the flags field of the CAN XL frame.\nIn our previous example, we set canxl_frame->flags to 0xff. Because\nthe maximum expected length is 8, a buffer overflow of 247 bytes\noccurs!\n\nPopulate net_device_ops->ndo_change_mtu() to ensure that the\ninterface's MTU cannot be set to anything bigger than CAN_MTU. By\nfixing the root cause, this prevents the buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39987",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow\n\nSending a PF_PACKET allows bypassing the CAN framework logic and\ndirectly reaching the xmit() function of a CAN driver. The only check\nwhich is performed by the PF_PACKET framework is to make sure that\nskb->len fits the interface's MTU.\n\nUnfortunately, because the etas_es58x driver does not populate its\nnet_device_ops->ndo_change_mtu(), it is possible for an attacker to\nconfigure an invalid MTU by doing, for example:\n\n  $ ip link set can0 mtu 9999\n\nAfter doing so, the attacker could open a PF_PACKET socket using the\nETH_P_CANXL protocol:\n\n\tsocket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));\n\nto inject malicious CAN XL frames. For example:\n\n\tstruct canxl_frame frame = {\n\t\t.flags = 0xff,\n\t\t.len = 2048,\n\t};\n\nThe CAN drivers' xmit() functions call can_dev_dropped_skb() to\ncheck that the skb is valid; unfortunately, under the above conditions, the\nmalicious packet is able to go through the can_dev_dropped_skb() checks:\n\n  1. the skb->protocol is set to ETH_P_CANXL which is valid (the\n     function does not check the actual device capabilities).\n\n  2. the length is a valid CAN XL length.\n\nAnd so, es58x_start_xmit() receives a CAN XL frame which it is not\nable to correctly handle and will thus misinterpret it as a CAN(FD)\nframe.\n\nThis can result in a buffer overflow. For example, using the es581.4\nvariant, the frame will be dispatched to es581_4_tx_can_msg(), go\nthrough the last check at the beginning of this function:\n\n\tif (can_is_canfd_skb(skb))\n\t\treturn -EMSGSIZE;\n\nand reach this line:\n\n\tmemcpy(tx_can_msg->data, cf->data, cf->len);\n\nHere, cf->len corresponds to the flags field of the CAN XL frame. In\nour previous example, we set canxl_frame->flags to 0xff. Because the\nmaximum expected length is 8, a buffer overflow of 247 bytes occurs!\n\nPopulate net_device_ops->ndo_change_mtu() to ensure that the\ninterface's MTU cannot be set to anything bigger than CAN_MTU or\nCANFD_MTU (depending on the device capabilities). By fixing the root\ncause, this prevents the buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mce: use is_copy_from_user() to determine copy-from-user context\n\nPatch series \"mm/hwpoison: Fix regressions in memory failure handling\",\nv4.\n\n## 1. What am I trying to do:\n\nThis patchset resolves two critical regressions related to memory failure\nhandling that have appeared in the upstream kernel since version 5.17, as\ncompared to 5.10 LTS.\n\n    - copyin case: poison found in user page while kernel copying from user space\n    - instr case: poison found while instruction fetching in user space\n\n## 2. What is the expected outcome and why\n\n- For copyin case:\n\nKernel can recover from poison found where kernel is doing get_user() or\ncopy_from_user() if those places get an error return and the kernel returns\n-EFAULT to the process instead of crashing.  More specifically, the MCE handler\nchecks the fixup handler type to decide whether an in kernel #MC can be\nrecovered.  When EX_TYPE_UACCESS is found, the PC jumps to recovery code\nspecified in _ASM_EXTABLE_FAULT() and returns -EFAULT to user space.\n\n- For instr case:\n\nIf poison is found while instruction fetching in user space, full recovery\nis possible.  User process takes #PF, Linux allocates a new page and fills\nby reading from storage.\n\n\n## 3. What actually happens and why\n\n- For copyin case: kernel panic since v5.17\n\nCommit 4c132d1d844a (\"x86/futex: Remove .fixup usage\") introduced a new\nextable fixup type, EX_TYPE_EFAULT_REG, and later patches updated the\nextable fixup type for copy-from-user operations, changing it from\nEX_TYPE_UACCESS to EX_TYPE_EFAULT_REG.  It breaks previous EX_TYPE_UACCESS\nhandling when poison is found in get_user() or copy_from_user().\n\n- For instr case: user process is killed by a SIGBUS signal due to #CMCI\n  and #MCE race\n\nWhen an uncorrected memory error is consumed there is a race between the\nCMCI from the memory controller reporting an uncorrected error with a UCNA\nsignature, and the core reporting an SRAR signature machine check when\nthe data is about to be consumed.\n\n### Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1]\n\nPrior to Icelake memory controllers reported patrol scrub events that\ndetected a previously unseen uncorrected error in memory by signaling a\nbroadcast machine check with an SRAO (Software Recoverable Action\nOptional) signature in the machine check bank.  This was overkill because\nit's not an urgent problem that no core is on the verge of consuming that\nbad data.  It has also been found that multiple SRAO UCEs may cause nested MCE\ninterrupts and finally become an IERR.\n\nHence, Intel downgrades the machine check bank signature of patrol scrub\nfrom SRAO to UCNA (Uncorrected, No Action required), and the signal changed to\n#CMCI.  Just to add to the confusion, Linux does take an action (in\nuc_decode_notifier()) to try to offline the page despite the UC*NA*\nsignature name.\n\n### Background: why #CMCI and #MCE race when poison is being consumed in\n    Intel platform [1]\n\nHaving decided that CMCI/UCNA is the best action for patrol scrub errors,\nthe memory controller uses it for reads too.  But the memory controller is\nexecuting asynchronously from the core, and can't tell the difference\nbetween a \"real\" read and a speculative read.  So it will do CMCI/UCNA if\nan error is found in any read.\n\nThus:\n\n1) Core is clever and thinks address A is needed soon, issues a\n   speculative read.\n\n2) Core finds it is going to use address A soon after sending the read\n   request\n\n3) The CMCI from the memory controller is in a race with MCE from the\n   core that will soon try to retire the load from address A.\n\nQuite often (because speculation has got better) the CMCI from the memory\ncontroller is delivered before the core is committed to the instruction\nreading address A, so the interrupt is taken, and Linux offlines the page\n(marking it as poison).\n\n\n## Why user process is killed for instr case\n\nCommit 046545a661af (\"mm/hwpoison: fix error page recovered but reported\n\"not\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39989",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-39990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the helper function is valid in get_helper_proto\n\nkernel test robot reported verifier bug [1] where the helper func\npointer could be NULL due to disabled config option.\n\nAs Alexei suggested we could check on that in get_helper_proto\ndirectly. Marking tail_call helper func with BPF_PTR_POISON,\nbecause it is unused by design.\n\n  [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39990",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-39991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()\n\nIf ab->fw.m3_data points to data, then the fw pointer remains NULL.\nFurther, if m3_mem is not allocated, then fw is dereferenced to be\npassed to the ath11k_err function.\n\nReplace fw->size with m3_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39991",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: check for stable address space before operating on the VMA\n\nIt is possible to hit a zero entry while traversing the vmas in unuse_mm()\ncalled from swapoff path and accessing it causes the OOPS:\n\nUnable to handle kernel NULL pointer dereference at virtual address\n0000000000000446--> Loading the memory from offset 0x40 on the\nXA_ZERO_ENTRY as address.\nMem abort info:\n  ESR = 0x0000000096000005\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x05: level 1 translation fault\n\nThe issue is manifested from the below race between the fork() on a\nprocess and swapoff:\nfork(dup_mmap())\t\t\tswapoff(unuse_mm)\n---------------                         -----------------\n1) Identical mtree is built using\n   __mt_dup().\n\n2) copy_pte_range()-->\n\tcopy_nonpresent_pte():\n       The dst mm is added into the\n    mmlist to be visible to the\n    swapoff operation.\n\n3) Fatal signal is sent to the parent\nprocess(which is the current during the\nfork) thus skip the duplication of the\nvmas and mark the vma range with\nXA_ZERO_ENTRY as a marker for this process\nthat helps during exit_mmap().\n\n\t\t\t\t     4) swapoff is tried on the\n\t\t\t\t\t'mm' added to the 'mmlist' as\n\t\t\t\t\tpart of the 2.\n\n\t\t\t\t     5) unuse_mm(), that iterates\n\t\t\t\t\tthrough the vma's of this 'mm'\n\t\t\t\t\twill hit the non-NULL zero entry\n\t\t\t\t\tand operating on this zero entry\n\t\t\t\t\tas a vma is resulting in the\n\t\t\t\t\toops.\n\nThe proper fix would be around not exposing this partially-valid tree to\nothers when dropping the mmap lock, which is being solved with [1].  A\nsimpler solution would be checking for MMF_UNSTABLE, as it is set if\nmm_struct is not fully initialized in dup_mmap().\n\nThanks to Liam/Lorenzo/David for all the suggestions in fixing this\nissue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39992",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n <TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx->users). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write                      Thread 2 imon_disconnect\n                                        ...\n                                        if\n                                          usb_put_dev(ictx->usbdev_intf0)\n                                        else\n                                          usb_put_dev(ictx->usbdev_intf1)\n...\nwhile\n  send_packet\n    if\n      pipe = usb_sndintpipe(\n        ictx->usbdev_intf0) UAF\n    else\n      pipe = usb_sndctrlpipe(\n        ictx->usbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx->disconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx->disconnected under ictx->lock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39993",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuner: xc5000: Fix use-after-free in xc5000_release\n\nThe original code uses cancel_delayed_work() in xc5000_release(), which\ndoes not guarantee that the delayed work item timer_sleep has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere xc5000_release() may free the xc5000_priv while timer_sleep is still\nactive and attempts to dereference the xc5000_priv.\n\nA typical race condition is illustrated below:\n\nCPU 0 (release thread)                 | CPU 1 (delayed work callback)\nxc5000_release()                       | xc5000_do_timer_sleep()\n  cancel_delayed_work()                |\n  hybrid_tuner_release_state(priv)     |\n    kfree(priv)                        |\n                                       |   priv = container_of() // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the timer_sleep is properly canceled before the xc5000_priv memory\nis deallocated.\n\nA deadlock concern was considered: xc5000_release() is called in a process\ncontext and is not holding any locks that the timer_sleep work item might\nalso need. Therefore, the use of the _sync() variant is safe here.\n\nThis bug was initially identified through static analysis.\n\n[hverkuil: fix typo in Subject: tunner -> tuner]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39994",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe\n\nThe state->timer is a cyclic timer that schedules work_i2c_poll and\ndelayed_work_enable_hotplug, while rearming itself. Using timer_delete()\nfails to guarantee the timer isn't still running when destroyed, similarly\ncancel_delayed_work() cannot ensure delayed_work_enable_hotplug has\nterminated if already executing. During probe failure after timer\ninitialization, these may continue running as orphans and reference the\nalready-freed tc358743_state object through tc358743_irq_poll_timer.\n\nThe following is the trace captured by KASAN.\n\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff88800ded83c8 by task swapper/1/0\n...\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __pfx_sched_balance_find_src_group+0x10/0x10\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? tmigr_update_events+0x280/0x740\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x98/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\n\nAllocated by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_node_track_caller_noprof+0x198/0x430\n devm_kmalloc+0x7b/0x1e0\n tc358743_probe+0xb7/0x610\n i2c_device_probe+0x51d/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 141:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n release_nodes+0xa4/0x100\n devres_release_group+0x1b2/0x380\n i2c_device_probe+0x694/0x880\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __device_attach_driver+0x174/0x220\n bus_for_each_drv+0x100/0x190\n __device_attach+0x206/0x370\n bus_probe_device+0x123/0x170\n device_add+0xd25/0x1470\n i2c_new_client_device+0x7a0/0xcd0\n do_one_initcall+0x89/0x300\n do_init_module+0x29d/0x7f0\n load_module+0x4f48/0x69e0\n init_module_from_file+0xe4/0x150\n idempotent_init_module+0x320/0x670\n __x64_sys_finit_module+0xbd/0x120\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace timer_delete() with timer_delete_sync() and cancel_delayed_work()\nwith cancel_delayed_work_sync() to ensure proper termination of timer and\nwork items before resource cleanup.\n\nThis bug was initially identified through static analysis. For reproduction\nand testing, I created a functional emulation of the tc358743 device via a\nkernel module and introduced faults through the debugfs interface.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free caused by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove)                         | CPU 1 (delayed work callback)\nflexcop_pci_remove()                   | flexcop_pci_irq_check_work()\n  cancel_delayed_work()                |\n  flexcop_device_kfree(fc_pci->fc_dev) |\n                                       |   fc = fc_pci->fc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39996",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free\n\nThe previous commit 0718a78f6a9f (\"ALSA: usb-audio: Kill timer properly at\nremoval\") patched a UAF issue caused by the error timer.\n\nHowever, because the error timer kill added in this patch occurs after the\nendpoint delete, a race condition to UAF still occurs, albeit rarely.\n\nAdditionally, since kill-cleanup for urb is also missing, freed memory can\nbe accessed in interrupt context related to urb, which can cause UAF.\n\nTherefore, to prevent this, error timer and urb must be killed before\nfreeing the heap memory.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39997",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: target_core_configfs: Add length check to avoid buffer overflow\n\nA buffer overflow arises from the usage of snprintf to write into the\nbuffer \"buf\" in target_lu_gp_members_show function located in\n/drivers/target/target_core_configfs.c. This buffer is allocated with\nsize LU_GROUP_NAME_BUF (256 bytes).\n\nsnprintf(...) formats multiple strings into buf with the HBA name\n(hba->hba_group.cg_item), a slash character, a devicename (dev->\ndev_group.cg_item) and a newline character; the total formatted string\nlength may exceed the buffer size of 256 bytes.\n\nSince snprintf() returns the total number of bytes that would have been\nwritten (the length of %s/%sn ), this value may exceed the buffer length\n(256 bytes) passed to memcpy(); this will ultimately cause memcpy to\nreport a buffer overflow error.\n\nAn additional check of the return value of snprintf() can avoid this\nbuffer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39998",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-39999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix blk_mq_tags double free while nr_requests grown\n\nIn the case user trigger tags grow by queue sysfs attribute nr_requests,\nhctx->sched_tags will be freed directly and replaced with a new\nallocated tags, see blk_mq_tag_update_depth().\n\nThe problem is that hctx->sched_tags is from elevator->et->tags, while\net->tags is still the freed tags, hence later elevator exit will try to\nfree the tags again, causing kernel panic.\n\nFix this problem by replacing et->tags with new allocated tags as well.\n\nNoted there are still some long term problems that will require some\nrefactor to be fixed thoroughly[1].\n\n[1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39999",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()\n\nThere is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to\naccess already freed skb_data:\n\n BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n\n CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted  6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025\n Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]\n\n Use-after-free write at 0x0000000020309d9d (in kfence-#251):\n rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache\n\n allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):\n __alloc_skb net/core/skbuff.c:659\n __netdev_alloc_skb net/core/skbuff.c:734\n ieee80211_nullfunc_get net/mac80211/tx.c:5844\n rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431\n rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338\n rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979\n rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165\n rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194\n rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012\n rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059\n rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758\n process_one_work kernel/workqueue.c:3241\n worker_thread kernel/workqueue.c:3400\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\n freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):\n ieee80211_tx_status_skb net/mac80211/status.c:1117\n rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564\n rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651\n rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676\n rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238\n __napi_poll net/core/dev.c:7495\n net_rx_action net/core/dev.c:7557 net/core/dev.c:7684\n handle_softirqs kernel/softirq.c:580\n do_softirq.part.0 kernel/softirq.c:480\n __local_bh_enable_ip kernel/softirq.c:407\n rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927\n irq_thread_fn kernel/irq/manage.c:1133\n irq_thread kernel/irq/manage.c:1257\n kthread kernel/kthread.c:463\n ret_from_fork arch/x86/kernel/process.c:154\n ret_from_fork_asm arch/x86/entry/entry_64.S:258\n\nIt is a consequence of a race between the waiting and the signaling side\nof the completion:\n\n            Waiting thread                            Completing thread\n\nrtw89_core_tx_kick_off_and_wait()\n  rcu_assign_pointer(skb_data->wait, wait)\n  /* start waiting */\n  wait_for_completion_timeout()\n                                                rtw89_pci_tx_status()\n                                                  rtw89_core_tx_wait_complete()\n                                                    rcu_read_lock()\n                                                    /* signals completion and\n   \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40000",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n\nDuring the detaching of Marvell's SAS/SATA controller, the original code\ncalls cancel_delayed_work() in mvs_free() to cancel the delayed work\nitem mwq->work_q. However, if mwq->work_q is already running, the\ncancel_delayed_work() may fail to cancel it. This can lead to\nuse-after-free scenarios where mvs_free() frees the mvs_info while\nmvs_work_queue() is still executing and attempts to access the\nalready-freed mvs_info.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove)            | CPU 1 (delayed work callback)\nmvs_pci_remove()          |\n  mvs_free()              | mvs_work_queue()\n    cancel_delayed_work() |\n      kfree(mvi)          |\n                          |   mvi-> // UAF\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing\ndelayed work item completes before the mvs_info is deallocated.\n\nThis bug was found by static analysis.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40001",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix use-after-free in tb_dp_dprx_work\n\nThe original code relies on cancel_delayed_work() in tb_dp_dprx_stop(),\nwhich does not ensure that the delayed work item tunnel->dprx_work has\nfully completed if it was already running. This leads to use-after-free\nscenarios where tb_tunnel is deallocated by tb_tunnel_put(), while\ntunnel->dprx_work remains active and attempts to dereference tb_tunnel\nin tb_dp_dprx_work().\n\nA typical race condition is illustrated below:\n\nCPU 0                            | CPU 1\ntb_dp_tunnel_active()            |\n  tb_deactivate_and_free_tunnel()| tb_dp_dprx_start()\n    tb_tunnel_deactivate()       |   queue_delayed_work()\n      tb_dp_activate()           |\n        tb_dp_dprx_stop()        | tb_dp_dprx_work() //delayed worker\n          cancel_delayed_work()  |\n    tb_tunnel_put(tunnel);       |\n                                 |   tunnel = container_of(...); //UAF\n                                 |   tunnel-> //UAF\n\nReplacing cancel_delayed_work() with cancel_delayed_work_sync() is\nnot feasible as it would introduce a deadlock: both tb_dp_dprx_work()\nand the cleanup path acquire tb->lock, and cancel_delayed_work_sync()\nwould wait indefinitely for the work item that cannot proceed.\n\nInstead, implement proper reference counting:\n- If cancel_delayed_work() returns true (work is pending), we release\n  the reference in the stop function.\n- If it returns false (work is executing or already completed), the\n  reference is released in delayed work function itself.\n\nThis ensures the tb_tunnel remains valid during work item execution\nwhile preventing memory leaks.\n\nThis bug was found by static analysis.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40002",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix use-after-free caused by cyclic delayed work\n\nThe original code calls cancel_delayed_work() in ocelot_stats_deinit()\nto cancel the cyclic delayed work item ocelot->stats_work. However,\ncancel_delayed_work() may fail to cancel the work item if it is already\nexecuting. While destroy_workqueue() does wait for all pending work items\nin the work queue to complete before destroying the work queue, it cannot\nprevent the delayed work item from being rescheduled within the\nocelot_check_stats_work() function. This limitation exists because the\ndelayed work item is only enqueued into the work queue after its timer\nexpires. Before the timer expiration, destroy_workqueue() has no visibility\nof this pending work item. Once the work queue appears empty,\ndestroy_workqueue() proceeds with destruction. When the timer eventually\nexpires, the delayed work item gets queued again, leading to the following\nwarning:\n\nworkqueue: cannot queue ocelot_check_stats_work on wq ocelot-switch-stats\nWARNING: CPU: 2 PID: 0 at kernel/workqueue.c:2255 __queue_work+0x875/0xaf0\n...\nRIP: 0010:__queue_work+0x875/0xaf0\n...\nRSP: 0018:ffff88806d108b10 EFLAGS: 00010086\nRAX: 0000000000000000 RBX: 0000000000000101 RCX: 0000000000000027\nRDX: 0000000000000027 RSI: 0000000000000004 RDI: ffff88806d123e88\nRBP: ffffffff813c3170 R08: 0000000000000000 R09: ffffed100da247d2\nR10: ffffed100da247d1 R11: ffff88806d123e8b R12: ffff88800c00f000\nR13: ffff88800d7285c0 R14: ffff88806d0a5580 R15: ffff88800d7285a0\nFS:  0000000000000000(0000) GS:ffff8880e5725000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe18e45ea10 CR3: 0000000005e6c000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\n ? kasan_report+0xc6/0xf0\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n call_timer_fn+0x25/0x1c0\n __run_timer_base.part.0+0x3be/0x8c0\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x1c0/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n </IRQ>\n...\n\nThe following diagram reveals the cause of the above warning:\n\nCPU 0 (remove)             | CPU 1 (delayed work callback)\nmscc_ocelot_remove()       |\n  ocelot_deinit()          | ocelot_check_stats_work()\n    ocelot_stats_deinit()  |\n      cancel_delayed_work()|   ...\n                           |   queue_delayed_work()\n      destroy_workqueue()  | (wait a time)\n                           | __queue_work() //UAF\n\nThe above scenario actually constitutes a UAF vulnerability.\n\nThe ocelot_stats_deinit() is only invoked when initialization\nfailure or resource destruction, so we must ensure that any\ndelayed work items cannot be rescheduled.\n\nReplace cancel_delayed_work() with disable_delayed_work_sync()\nto guarantee proper cancellation of the delayed work item and\nensure completion of any currently executing work before the\nworkqueue is deallocated.\n\nA deadlock concern was considered: ocelot_stats_deinit() is called\nin a process context and is not holding any locks that the delayed\nwork item might also need. Therefore, the use of the _sync() variant\nis safe here.\n\nThis bug was identified through static analysis. To reproduce the\nissue and validate the fix, I simulated ocelot-swit\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40003",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: Fix buffer overflow in USB transport layer\n\nA buffer overflow vulnerability exists in the USB 9pfs transport layer\nwhere inconsistent size validation between packet header parsing and\nactual data copying allows a malicious USB host to overflow heap buffers.\n\nThe issue occurs because:\n- usb9pfs_rx_header() validates only the declared size in packet header\n- usb9pfs_rx_complete() uses req->actual (actual received bytes) for\nmemcpy\n\nThis allows an attacker to craft packets with small declared size\n(bypassing validation) but large actual payload (triggering overflow\nin memcpy).\n\nAdd validation in usb9pfs_rx_complete() to ensure req->actual does not\nexceed the buffer capacity before copying data.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40004",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Implement refcount to handle unbind during busy\n\ndriver support indirect read and indirect write operation with\nassumption no force device removal(unbind) operation. However\nforce device removal(removal) is still available to root superuser.\n\nUnbinding driver during operation causes kernel crash. This changes\nensure driver able to handle such operation for indirect read and\nindirect write by implementing refcount to track attached devices\nto the controller and gracefully wait and until attached devices\nremove operation completed before proceed with removal operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40005",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole.  remove_inode_single_folio\nwill unmap the folio if the folio is still mapped.  However, it's called\nwithout folio lock.  If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won't\nunmap it.  Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again.  As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb  pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4f/0x70\n  filemap_unaccount_folio+0xc4/0x1c0\n  __filemap_remove_folio+0x38/0x1c0\n  filemap_remove_folio+0x41/0xd0\n  remove_inode_hugepages+0x142/0x250\n  hugetlbfs_fallocate+0x471/0x5a0\n  vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avoid race with\nmigration.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40006",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: fix reference leak\n\nCommit 20d72b00ca81 (\"netfs: Fix the request's work item to not\nrequire a ref\") modified netfs_alloc_request() to initialize the\nreference counter to 2 instead of 1.  The rationale was that the\nrequest's \"work\" would release the second reference after completion\n(via netfs_{read,write}_collection_worker()).  That works most of the\ntime if all goes well.\n\nHowever, it leaks this additional reference if the request is released\nbefore the I/O operation has been submitted: the error code path only\ndecrements the reference counter once and the work item will never be\nqueued because there will never be a completion.\n\nThis has caused outages of our whole server cluster today because\ntasks were blocked in netfs_wait_for_outstanding_io(), leading to\ndeadlocks in Ceph (another bug that I will address soon in another\npatch).  This was caused by a netfs_pgpriv2_begin_copy_to_cache() call\nwhich failed in fscache_begin_write_operation().  The leaked\nnetfs_io_request was never completed, leaving `netfs_inode.io_count`\nwith a positive value forever.\n\nAll of this is super-fragile code.  Finding out which code paths will\nlead to an eventual completion and which do not is hard to see:\n\n- Some functions like netfs_create_write_req() allocate a request, but\n  will never submit any I/O.\n\n- netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read()\n  and then netfs_put_request(); however, netfs_unbuffered_read() can\n  also fail early before submitting the I/O request, therefore another\n  netfs_put_request() call must be added there.\n\nA rule of thumb is that functions that return a `netfs_io_request` do\nnot submit I/O, and all of their callers must be checked.\n\nFor my taste, the whole netfs code needs an overhaul to make reference\ncounting easier to understand and less fragile & obscure.  But to fix\nthis bug here and now and produce a patch that is adequate for a\nstable backport, I tried a minimal approach that quickly frees the\nrequest object upon early failure.\n\nI decided against adding a second netfs_put_request() each time\nbecause that would cause code duplication which obscures the code\nfurther.  Instead, I added the function netfs_put_failed_request()\nwhich frees such a failed request synchronously under the assumption\nthat the reference count is exactly 2 (as initially set by\nnetfs_alloc_request() and never touched), verified by a\nWARN_ON_ONCE().  It then deinitializes the request object (without\ngoing through the \"cleanup_work\" indirection) and frees the allocation\n(with RCU protection to protect against concurrent access by\nnetfs_requests_seq_start()).\n\nAll code paths that fail early have been changed to call\nnetfs_put_failed_request() instead of netfs_put_request().\nAdditionally, I have added a netfs_put_request() call to\nnetfs_unbuffered_read() as explained above because the\nnetfs_put_failed_request() approach does not work there.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40007",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkmsan: fix out-of-bounds access to shadow memory\n\nRunning sha224_kunit on a KMSAN-enabled kernel results in a crash in\nkmsan_internal_set_shadow_origin():\n\n    BUG: unable to handle page fault for address: ffffbc3840291000\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0\n    Oops: 0000 [#1] SMP NOPTI\n    CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc3 #10 PREEMPT(voluntary)\n    Tainted: [N]=TEST\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n    RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100\n    [...]\n    Call Trace:\n    <TASK>\n    __msan_memset+0xee/0x1a0\n    sha224_final+0x9e/0x350\n    test_hash_buffer_overruns+0x46f/0x5f0\n    ? kmsan_get_shadow_origin_ptr+0x46/0xa0\n    ? __pfx_test_hash_buffer_overruns+0x10/0x10\n    kunit_try_run_case+0x198/0xa00\n\nThis occurs when memset() is called on a buffer that is not 4-byte aligned\nand extends to the end of a guard page, i.e.  the next page is unmapped.\n\nThe bug is that the loop at the end of kmsan_internal_set_shadow_origin()\naccesses the wrong shadow memory bytes when the address is not 4-byte\naligned.  Since each 4 bytes are associated with an origin, it rounds the\naddress and size so that it can access all the origins that contain the\nbuffer.  However, when it checks the corresponding shadow bytes for a\nparticular origin, it incorrectly uses the original unrounded shadow\naddress.  This results in reads from shadow memory beyond the end of the\nbuffer's shadow memory, which crashes when that memory is not mapped.\n\nTo fix this, correctly align the shadow address before accessing the 4\nshadow bytes corresponding to each origin.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40008",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc/task_mmu: check p->vec_buf for NULL\n\nWhen the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches\npagemap_scan_backout_range(), kernel panics with null-ptr-deref:\n\n[   44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[   44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n[   44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80\n\n<snip registers, unreliable trace>\n\n[   44.946828] Call Trace:\n[   44.947030]  <TASK>\n[   44.949219]  pagemap_scan_pmd_entry+0xec/0xfa0\n[   44.952593]  walk_pmd_range.isra.0+0x302/0x910\n[   44.954069]  walk_pud_range.isra.0+0x419/0x790\n[   44.954427]  walk_p4d_range+0x41e/0x620\n[   44.954743]  walk_pgd_range+0x31e/0x630\n[   44.955057]  __walk_page_range+0x160/0x670\n[   44.956883]  walk_page_range_mm+0x408/0x980\n[   44.958677]  walk_page_range+0x66/0x90\n[   44.958984]  do_pagemap_scan+0x28d/0x9c0\n[   44.961833]  do_pagemap_cmd+0x59/0x80\n[   44.962484]  __x64_sys_ioctl+0x18d/0x210\n[   44.962804]  do_syscall_64+0x5b/0x290\n[   44.963111]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nvec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are\nallocated and p->vec_buf remains set to NULL.\n\nThis breaks an assumption made later in pagemap_scan_backout_range(), that\npage_region is always allocated for p->vec_buf_index.\n\nFix it by explicitly checking p->vec_buf for NULL before dereferencing.\n\nOther sites that might run into same deref-issue are already (directly or\ntransitively) protected by checking p->vec_buf.\n\nNote:\nFrom PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output\nis requested and it's only the side effects caller is interested in,\nhence it passes check in pagemap_scan_get_args().\n\nThis issue was found by syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40009",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix potential null pointer dereference in afs_put_server\n\nafs_put_server() accessed server->debug_id before the NULL check, which\ncould lead to a null pointer dereference. Move the debug_id assignment,\nensuring we never dereference a NULL server pointer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40010",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix null dereference in hdmi teardown\n\npci_set_drvdata sets the value of pdev->driver_data to NULL,\nafter which the driver_data obtained from the same dev is\ndereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is\nextracted from it. To prevent this, swap these calls.\n\nFound by Linux Verification Center (linuxtesting.org) with Svacer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40011",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix warning in smc_rx_splice() when calling get_page()\n\nsmc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents\nholding a refcount on the buffer. This can lead to use-after-free if\nthe memory is released before splice_to_pipe() completes.\n\nUse folio_alloc() instead, ensuring DMBs are page-backed and safe for\nget_page().\n\nWARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE\nHardware name: IBM 3931 A01 704 (z/VM 7.4.0)\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005\n           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000\n           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000\n           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8\nKrnl Code: 0007931610326960: af000000\t\tmc\t0,0\n           0007931610326964: a7f4ff43\t\tbrc\t15,00079316103267ea\n          #0007931610326968: af000000\t\tmc\t0,0\n          >000793161032696c: a7f4ff3f\t\tbrc\t15,00079316103267ea\n           0007931610326970: e320f1000004\tlg\t%r2,256(%r15)\n           0007931610326976: c0e53fd1b5f5\tbrasl\t%r14,000793168fd5d560\n           000793161032697c: a7f4fbb5\t\tbrc\t15,00079316103260e6\n           0007931610326980: b904002b\t\tlgr\t%r2,%r11\nCall Trace:\n smc_rx_splice+0xafc/0xe20 [smc]\n smc_rx_splice+0x756/0xe20 [smc])\n smc_rx_recvmsg+0xa74/0xe00 [smc]\n smc_splice_read+0x1ce/0x3b0 [smc]\n sock_splice_read+0xa2/0xf0\n do_splice_read+0x198/0x240\n splice_file_to_pipe+0x7e/0x110\n do_splice+0x59e/0xde0\n __do_splice+0x11a/0x2d0\n __s390x_sys_splice+0x140/0x1f0\n __do_syscall+0x122/0x280\n system_call+0x6e/0x90\nLast Breaking-Event-Address:\nsmc_rx_splice+0x960/0xe20 [smc]\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40012",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: audioreach: fix potential null pointer dereference\n\nIt is possible that the topology parsing function\naudioreach_widget_load_module_common() could return NULL or an error\npointer. Add missing NULL check so that we do not dereference it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40013",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq()\n\nIf speed_hz < AMD_SPI_MIN_HZ, amd_set_spi_freq() iterates over the\nentire amd_spi_freq array without breaking out early, causing 'i' to go\nbeyond the array bounds.\n\nFix that by stopping the loop when it gets to the last entry, so the low\nspeed_hz value gets clamped up to AMD_SPI_MIN_HZ.\n\nFixes the following warning with an UBSAN kernel:\n\n  drivers/spi/spi-amd.o: error: objtool: amd_set_spi_freq() falls through to next function amd_spi_set_opcode()",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40014",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-40015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stm32-csi: Fix dereference before NULL check\n\nIn 'stm32_csi_start', 'csidev->s_subdev' is dereferenced directly while\nassigning a value to the 'src_pad'. However the same value is being\nchecked against NULL at a later point of time indicating that there\nare chances that the value can be NULL.\n\nMove the dereference after the NULL check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40015",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID\n\nPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero\nunique ID.\n\n```\nEach Unit and Terminal within the video function is assigned a unique\nidentification number, the Unit ID (UID) or Terminal ID (TID), contained in\nthe bUnitID or bTerminalID field of the descriptor. The value 0x00 is\nreserved for undefined ID,\n```\n\nIf we add a new entity with id 0 or a duplicated ID, it will be marked\nas UVC_INVALID_ENTITY_ID.\n\nIn a previous attempt commit 3dd075fe8ebb (\"media: uvcvideo: Require\nentities to have a non-zero unique ID\"), we ignored all the invalid units,\nthis broke a lot of non-compatible cameras. Hopefully we are more lucky\nthis time.\n\nThis also prevents some syzkaller reproducers from triggering warnings due\nto a chain of entities referring to themselves. In one particular case, an\nOutput Unit is connected to an Input Unit, both with the same ID of 1. But\nwhen looking up for the source ID of the Output Unit, that same entity is\nfound instead of the input entity, which leads to such warnings.\n\nIn another case, a backward chain was considered finished as the source ID\nwas 0. Later on, that entity was found, but its pads were not valid.\n\nHere is a sample stack trace for one of those cases.\n\n[   20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd\n[   20.830206] usb 1-1: Using ep0 maxpacket: 8\n[   20.833501] usb 1-1: config 0 descriptor??\n[   21.038518] usb 1-1: string descriptor 0 read error: -71\n[   21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)\n[   21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!\n[   21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!\n[   21.042218] ------------[ cut here ]------------\n[   21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0\n[   21.043195] Modules linked in:\n[   21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444\n[   21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[   21.044639] Workqueue: usb_hub_wq hub_event\n[   21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0\n[   21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00\n[   21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246\n[   21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1\n[   21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290\n[   21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000\n[   21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003\n[   21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000\n[   21.049648] FS:  0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000\n[   21.050271] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0\n[   21.051136] PKRU: 55555554\n[   21.051331] Call Trace:\n[   21.051480]  <TASK>\n[   21.051611]  ? __warn+0xc4/0x210\n[   21.051861]  ? media_create_pad_link+0x2c4/0x2e0\n[   21.052252]  ? report_bug+0x11b/0x1a0\n[   21.052540]  ? trace_hardirqs_on+0x31/0x40\n[   21.052901]  ? handle_bug+0x3d/0x70\n[   21.053197]  ? exc_invalid_op+0x1a/0x50\n[   21.053511]  ? asm_exc_invalid_op+0x1a/0x20\n[   21.053924]  ? media_create_pad_link+0x91/0x2e0\n[   21.054364]  ? media_create_pad_link+0x2c4/0x2e0\n[   21.054834]  ? media_create_pad_link+0x91/0x2e0\n[   21.055131]  ? _raw_spin_unlock+0x1e/0x40\n[   21.055441]  ? __v4l2_device_register_subdev+0x202/0x210\n[   21.055837]  uvc_mc_register_entities+0x358/0x400\n[   21.056144]  uvc_register_chains+0x1\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40016",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix memory leak by freeing untracked persist buffer\n\nOne internal buffer which is allocated only once per session was not\nbeing freed during session close because it was not being tracked as\npart of internal buffer list which resulted in a memory leak.\n\nAdd the necessary logic to explicitly free the untracked internal buffer\nduring session close to ensure all allocated memory is released\nproperly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40017",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp->app pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40018",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit's also checked for decryption and in-place encryption.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40019",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_usb: fix shift-out-of-bounds issue\n\nExplicitly uses a 64-bit constant when the number of bits used for its\nshifting is 32 (which is the case for PC CAN FD interfaces supported by\nthis driver).\n\n[mkl: update subject, apply manually]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40020",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: dynevent: Add a missing lockdown check on dynevent\n\nSince dynamic_events interface on tracefs is compatible with\nkprobe_events and uprobe_events, it should also check the lockdown\nstatus and reject if it is set.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40021",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix incorrect boolean values in af_alg_ctx\n\nCommit 1b34cbbf4f01 (\"crypto: af_alg - Disallow concurrent writes in\naf_alg_sendmsg\") changed some fields from bool to 1-bit bitfields of\ntype u32.\n\nHowever, some assignments to these fields, specifically 'more' and\n'merge', assign values greater than 1.  These relied on C's implicit\nconversion to bool, such that zero becomes false and nonzero becomes\ntrue.\n\nWith a 1-bit bitfields of type u32 instead, mod 2 of the value is taken\ninstead, resulting in 0 being assigned in some cases when 1 was intended.\n\nFix this by restoring the bool type.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40022",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16.10"
        },
        {
          "id": "CVE-2025-40023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vf: Don't expose sysfs attributes not applicable for VFs\n\nVFs can't read BMG_PCIE_CAP(0x138340) register nor access PCODE\n(already guarded by the info.skip_pcode flag) so we shouldn't\nexpose attributes that require any of them to avoid errors like:\n\n [] xe 0000:03:00.1: [drm] Tile0: GT0: VF is trying to read an \\\n                     inaccessible register 0x138340+0x0\n [] RIP: 0010:xe_gt_sriov_vf_read32+0x6c2/0x9a0 [xe]\n [] Call Trace:\n []  xe_mmio_read32+0x110/0x280 [xe]\n []  auto_link_downgrade_capable_show+0x2e/0x70 [xe]\n []  dev_attr_show+0x1a/0x70\n []  sysfs_kf_seq_show+0xaa/0x120\n []  kernfs_seq_show+0x41/0x60\n\n(cherry picked from commit a2d6223d224f333f705ed8495bf8bebfbc585c35)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40023",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: Take a reference on the task in struct vhost_task.\n\nvhost_task_create() creates a task and keeps a reference to its\ntask_struct. That task may exit early via a signal and its task_struct\nwill be released.\nA pending vhost_task_wake() will then attempt to wake the task and\naccess a task_struct which is no longer there.\n\nAcquire a reference on the task_struct while creating the thread and\nrelease the reference while the struct vhost_task itself is removed.\nIf the task exits early due to a signal, then the vhost_task_wake() will\nstill access a valid task_struct. The wake is safe and will be skipped\nin this case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40024",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node footer for non inode dnode\n\nAs syzbot reported below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/file.c:1243!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)\nRIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243\nCall Trace:\n <TASK>\n f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306\n f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018\n vfs_fallocate+0x666/0x7e0 fs/open.c:342\n ksys_fallocate fs/open.c:366 [inline]\n __do_sys_fallocate fs/open.c:371 [inline]\n __se_sys_fallocate fs/open.c:369 [inline]\n __x64_sys_fallocate+0xc0/0x110 fs/open.c:369\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f1e65f8ebe9\n\nw/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent\ntruncation range in direct node in f2fs_truncate_hole().\n\nThe root cause is: a non-inode dnode may has the same footer.ino and\nfooter.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()\nmay return wrong blkaddr count which may be 923 typically, by chance,\ndn.ofs_in_node is equal to 923, then count can be calculated to 0 in below\nstatement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...).\n\n\tcount = min(end_offset - dn.ofs_in_node, pg_end - pg_start);\n\nThis patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing\npassing the new_type to sanity_check_node_footer in f2fs_get_node_folio()\nto detect corruption that a non-inode dnode has the same footer.ino and\nfooter.nid.\n\nScripts to reproduce:\nmkfs.f2fs -f /dev/vdb\nmount /dev/vdb /mnt/f2fs\ntouch /mnt/f2fs/foo\ntouch /mnt/f2fs/bar\ndd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8\numount /mnt/f2fs\ninject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb\nmount /dev/vdb /mnt/f2fs\nxfs_io /mnt/f2fs/foo -c \"fpunch 6984k 4k\"",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40025",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don't (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don't recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O.  If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace,  KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question.  gp_interception()'s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu->arch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   kvm_fast_pio+0xd6/0x1d0 [kvm]\n   vmx_handle_exit+0x149/0x610 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0x5d/0xc60\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40026",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n <TASK>\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n      Thread 1                              Thread 2\n    ...\n    p9_client_create()\n    ...\n    p9_fd_create()\n    ...\n    p9_conn_create()\n    ...\n    // start Thread 2\n    INIT_WORK(&m->rq, p9_read_work);\n                                        p9_read_work()\n    ...\n    p9_client_rpc()\n    ...\n                                        ...\n                                        p9_conn_cancel()\n                                        ...\n                                        spin_lock(&m->req_lock);\n    ...\n    p9_fd_cancelled()\n    ...\n                                        ...\n                                        spin_unlock(&m->req_lock);\n                                        // status rewrite\n                                        p9_client_cb(m->client, req, REQ_STATUS_ERROR)\n                                        // first remove\n                                        list_del(&req->req_list);\n                                        ...\n\n    spin_lock(&m->req_lock)\n    ...\n    // second remove\n    list_del(&req->req_list);\n    spin_unlock(&m->req_lock)\n  ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req->status\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req->status in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40027",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix double-free in dbitmap\n\nA process might fail to allocate a new bitmap when trying to expand its\nproc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap\nvia dbitmap_free(). However, the driver calls dbitmap_free() again when\nthe same process terminates, leading to a double-free error:\n\n  ==================================================================\n  BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c\n  Free of addr ffff00000b7c1420 by task kworker/9:1/209\n\n  CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   kfree+0x164/0x31c\n   binder_proc_dec_tmpref+0x2e0/0x55c\n   binder_deferred_func+0xc24/0x1120\n   process_one_work+0x520/0xba4\n  [...]\n\n  Allocated by task 448:\n   __kmalloc_noprof+0x178/0x3c0\n   bitmap_zalloc+0x24/0x30\n   binder_open+0x14c/0xc10\n  [...]\n\n  Freed by task 449:\n   kfree+0x184/0x31c\n   binder_inc_ref_for_node+0xb44/0xe44\n   binder_transaction+0x29b4/0x7fbc\n   binder_thread_write+0x1708/0x442c\n   binder_ioctl+0x1b50/0x2900\n  [...]\n  ==================================================================\n\nFix this issue by marking proc->map NULL in dbitmap_free().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40028",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: Check return value of platform_get_resource()\n\nplatform_get_resource() returns NULL in case of failure, so check its\nreturn value and propagate the error in order to prevent NULL pointer\ndereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40029",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: check the return value of pinmux_ops::get_function_name()\n\nWhile the API contract in docs doesn't specify it explicitly, the\ngeneric implementation of the get_function_name() callback from struct\npinmux_ops - pinmux_generic_get_function_name() - can fail and return\nNULL. This is already checked in pinmux_check_ops() so add a similar\ncheck in pinmux_func_name_to_selector() instead of passing the returned\npointer right down to strcmp() where the NULL can get dereferenced. This\nis normal operation when adding new pinfunctions.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40030",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix register_shm_helper()\n\nIn register_shm_helper(), fix incorrect error handling for a call to\niov_iter_extract_pages(). A case is missing for when\niov_iter_extract_pages() only got some pages and return a number larger\nthan 0, but not the requested amount.\n\nThis fixes a possible NULL pointer dereference following a bad input from\nioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40031",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release\n\nThe fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be\nNULL even after EPF initialization. Then it is prudent to check that\nthey have non-NULL values before releasing the channels. Add the checks\nin pci_epf_test_clean_dma_chan().\n\nWithout the checks, NULL pointer dereferences happen and they can lead\nto a kernel panic in some cases:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n  Call trace:\n   dma_release_channel+0x2c/0x120 (P)\n   pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]\n   pci_epc_deinit_notify+0x74/0xc0\n   tegra_pcie_ep_pex_rst_irq+0x250/0x5d8\n   irq_thread_fn+0x34/0xb8\n   irq_thread+0x18c/0x2e8\n   kthread+0x14c/0x210\n   ret_from_fork+0x10/0x20\n\n[mani: trimmed the stack trace]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40032",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()\n\npru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL\ncheck, which could lead to a null pointer dereference. Move the pru\nassignment, ensuring we never dereference a NULL rproc pointer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40033",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/AER: Avoid NULL pointer dereference in aer_ratelimit()\n\nWhen platform firmware supplies error information to the OS, e.g., via the\nACPI APEI GHES mechanism, it may identify an error source device that\ndoesn't advertise an AER Capability and therefore dev->aer_info, which\ncontains AER stats and ratelimiting data, is NULL.\n\npci_dev_aer_stats_incr() already checks dev->aer_info for NULL, but\naer_ratelimit() did not, leading to NULL pointer dereferences like this one\nfrom the URL below:\n\n  {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0\n  {1}[Hardware Error]: event severity: corrected\n  {1}[Hardware Error]:   device_id: 0000:00:00.0\n  {1}[Hardware Error]:   vendor_id: 0x8086, device_id: 0x2020\n  {1}[Hardware Error]:   aer_cor_status: 0x00001000, aer_cor_mask: 0x00002000\n  BUG: kernel NULL pointer dereference, address: 0000000000000264\n  RIP: 0010:___ratelimit+0xc/0x1b0\n  pci_print_aer+0x141/0x360\n  aer_recover_work_func+0xb5/0x130\n\n[8086:2020] is an Intel \"Sky Lake-E DMI3 Registers\" device that claims to\nbe a Root Port but does not advertise an AER Capability.\n\nAdd a NULL check in aer_ratelimit() to avoid the NULL pointer dereference.\nNote that this also prevents ratelimiting these events from GHES.\n\n[bhelgaas: add crash details to commit log]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40034",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n\nStruct ff_effect_compat is embedded twice inside\nuinput_ff_upload_compat, contains internal padding. In particular, there\nis a hole after struct ff_replay to satisfy alignment requirements for\nthe following union member. Without clearing the structure,\ncopy_to_user() may leak stack data to userspace.\n\nInitialize ff_up_compat to zero before filling valid fields.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40035",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix possible map leak in fastrpc_put_args\n\ncopy_to_user() failure would cause an early return without cleaning up\nthe fdlist, which has been updated by the DSP. This could lead to map\nleak. Fix this by redirecting to a cleanup path on failure, ensuring\nthat all mapped buffers are properly released before returning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40036",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian's kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[    6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[    6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[    6.750697]\n[    6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S                  6.16.3-asahi+ #16 PREEMPTLAZY\n[    6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[    6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[    6.752189] Call trace:\n[    6.752190]  show_stack+0x34/0x98 (C)\n[    6.752194]  dump_stack_lvl+0x60/0x80\n[    6.752197]  print_report+0x17c/0x4d8\n[    6.752201]  kasan_report+0xb4/0x100\n[    6.752206]  __asan_report_load4_noabort+0x20/0x30\n[    6.752209]  simplefb_detach_genpds+0x58/0x220\n[    6.752213]  devm_action_release+0x50/0x98\n[    6.752216]  release_nodes+0xd0/0x2c8\n[    6.752219]  devres_release_all+0xfc/0x178\n[    6.752221]  device_unbind_cleanup+0x28/0x168\n[    6.752224]  device_release_driver_internal+0x34c/0x470\n[    6.752228]  device_release_driver+0x20/0x38\n[    6.752231]  bus_remove_device+0x1b0/0x380\n[    6.752234]  device_del+0x314/0x820\n[    6.752238]  platform_device_del+0x3c/0x1e8\n[    6.752242]  platform_device_unregister+0x20/0x50\n[    6.752246]  aperture_detach_platform_device+0x1c/0x30\n[    6.752250]  aperture_detach_devices+0x16c/0x290\n[    6.752253]  aperture_remove_conflicting_devices+0x34/0x50\n...\n[    6.752343]\n[    6.967409] Allocated by task 62:\n[    6.970724]  kasan_save_stack+0x3c/0x70\n[    6.974560]  kasan_save_track+0x20/0x40\n[    6.978397]  kasan_save_alloc_info+0x40/0x58\n[    6.982670]  __kasan_kmalloc+0xd4/0xd8\n[    6.986420]  __kmalloc_noprof+0x194/0x540\n[    6.990432]  framebuffer_alloc+0xc8/0x130\n[    6.994444]  simplefb_probe+0x258/0x2378\n...\n[    7.054356]\n[    7.055838] Freed by task 227:\n[    7.058891]  kasan_save_stack+0x3c/0x70\n[    7.062727]  kasan_save_track+0x20/0x40\n[    7.066565]  kasan_save_free_info+0x4c/0x80\n[    7.070751]  __kasan_slab_free+0x6c/0xa0\n[    7.074675]  kfree+0x10c/0x380\n[    7.077727]  framebuffer_release+0x5c/0x90\n[    7.081826]  simplefb_destroy+0x1b4/0x2c0\n[    7.085837]  put_fb_info+0x98/0x100\n[    7.089326]  unregister_framebuffer+0x178/0x320\n[    7.093861]  simplefb_remove+0x3c/0x60\n[    7.097611]  platform_remove+0x60/0x98\n[    7.101361]  device_remove+0xb8/0x160\n[    7.105024]  device_release_driver_internal+0x2fc/0x470\n[    7.110256]  device_release_driver+0x20/0x38\n[    7.114529]  bus_remove_device+0x1b0/0x380\n[    7.118628]  device_del+0x314/0x820\n[    7.122116]  platform_device_del+0x3c/0x1e8\n[    7.126302]  platform_device_unregister+0x20/0x50\n[    7.131012]  aperture_detach_platform_device+0x1c/0x30\n[    7.136157]  aperture_detach_devices+0x16c/0x290\n[    7.140779]  aperture_remove_conflicting_devices+0x34/0x50\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40037",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid\n\nSkip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP\nisn't valid, e.g. because KVM is running with nrips=false.  SVM must\ndecode and emulate to skip the instruction if the CPU doesn't provide the\nnext RIP, and getting the instruction bytes to decode requires reading\nguest memory.  Reading guest memory through the emulator can fault, i.e.\ncan sleep, which is disallowed since the fastpath handlers run with IRQs\ndisabled.\n\n BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu\n preempt_count: 1, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 30580\n hardirqs last  enabled at (30579): [<ffffffffc08b2527>] vcpu_run+0x1787/0x1db0 [kvm]\n hardirqs last disabled at (30580): [<ffffffffb4f62e32>] __schedule+0x1e2/0xed0\n softirqs last  enabled at (30570): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210\n softirqs last disabled at (30568): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210\n CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G     U              6.16.0-smp--e6c618b51cfe-sleep #782 NONE\n Tainted: [U]=USER\n Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x7d/0xb0\n  __might_resched+0x271/0x290\n  __might_fault+0x28/0x80\n  kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]\n  kvm_fetch_guest_virt+0x92/0xc0 [kvm]\n  __do_insn_fetch_bytes+0xf3/0x1e0 [kvm]\n  x86_decode_insn+0xd1/0x1010 [kvm]\n  x86_emulate_instruction+0x105/0x810 [kvm]\n  __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]\n  handle_fastpath_invd+0xc4/0x1a0 [kvm]\n  vcpu_run+0x11a1/0x1db0 [kvm]\n  kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]\n  kvm_vcpu_ioctl+0x578/0x6a0 [kvm]\n  __se_sys_ioctl+0x6d/0xb0\n  do_syscall_64+0x8a/0x2c0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f479d57a94b\n  </TASK>\n\nNote, this is essentially a reapply of commit 5c30e8101e8d (\"KVM: SVM:\nSkip WRMSR fastpath on VM-Exit if next RIP isn't valid\"), but with\ndifferent justification (KVM now grabs SRCU when skipping the instruction\nfor other reasons).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40038",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix race condition in RPC handle list access\n\nThe 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd\nsession. Access to this list is intended to be protected by\n'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was\nflawed, leading to potential race conditions.\n\nIn ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock\nbefore calling xa_store() and xa_erase(). Since these operations modify\nthe XArray structure, a write lock is required to ensure exclusive access\nand prevent data corruption from concurrent modifications.\n\nFurthermore, ksmbd_session_rpc_method() accessed the list using xa_load()\nwithout holding any lock at all. This could lead to reading inconsistent\ndata or a potential use-after-free if an entry is concurrently removed and\nthe pointer is dereferenced.\n\nFix these issues by:\n1. Using down_write() and up_write() in ksmbd_session_rpc_open()\n   to ensure exclusive access during XArray modification, and ensuring\n   the lock is correctly released on error paths.\n2. Adding down_read() and up_read() in ksmbd_session_rpc_method()\n   to safely protect the lookup.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40039",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ksm: fix flag-dropping behavior in ksm_madvise\n\nsyzkaller discovered the following crash: (kernel BUG)\n\n[   44.607039] ------------[ cut here ]------------\n[   44.607422] kernel BUG at mm/userfaultfd.c:2067!\n[   44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)\n[   44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[   44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460\n\n<snip other registers, drop unreliable trace>\n\n[   44.617726] Call Trace:\n[   44.617926]  <TASK>\n[   44.619284]  userfaultfd_release+0xef/0x1b0\n[   44.620976]  __fput+0x3f9/0xb60\n[   44.621240]  fput_close_sync+0x110/0x210\n[   44.622222]  __x64_sys_close+0x8f/0x120\n[   44.622530]  do_syscall_64+0x5b/0x2f0\n[   44.622840]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   44.623244] RIP: 0033:0x7f365bb3f227\n\nKernel panics because it detects UFFD inconsistency during\nuserfaultfd_release_all().  Specifically, a VMA which has a valid pointer\nto vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.\n\nThe inconsistency is caused in ksm_madvise(): when user calls madvise()\nwith MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,\nit accidentally clears all flags stored in the upper 32 bits of\nvma->vm_flags.\n\nAssuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and\nint are 32-bit wide.  This setup causes the following mishap during the &=\n~VM_MERGEABLE assignment.\n\nVM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. \nAfter ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then\npromoted to unsigned long before the & operation.  This promotion fills\nupper 32 bits with leading 0s, as we're doing unsigned conversion (and\neven for a signed conversion, this wouldn't help as the leading bit is 0).\n& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff\ninstead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears\nthe upper 32-bits of its value.\n\nFix it by changing `VM_MERGEABLE` constant to unsigned long, using the\nBIT() macro.\n\nNote: other VM_* flags are not affected: This only happens to the\nVM_MERGEABLE flag, as the other VM_* flags are all constants of type int\nand after ~ operation, they end up with leading 1 and are thus converted\nto unsigned long with leading 1s.\n\nNote 2:\nAfter commit 31defc3b01d9 (\"userfaultfd: remove (VM_)BUG_ON()s\"), this is\nno longer a kernel BUG, but a WARNING at the same place:\n\n[   45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067\n\nbut the root-cause (flag-drop) remains the same.\n\n[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40040",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Sign-extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n  Oops[#1]:\n  CPU 0 Unable to handle kernel paging request at virtual address 0000000000741d58, era == 90000000851b5ac0, ra == 90000000851b5aa4\n  CPU: 0 UID: 0 PID: 449 Comm: test_progs Tainted: G           OE       6.16.0+ #3 PREEMPT(full)\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n  pc 90000000851b5ac0 ra 90000000851b5aa4 tp 90000001076b8000 sp 90000001076bb600\n  a0 0000000000741ce8 a1 0000000000000001 a2 90000001076bb5c0 a3 0000000000000008\n  a4 90000001004c4620 a5 9000000100741ce8 a6 0000000000000000 a7 0100000000000000\n  t0 0000000000000010 t1 0000000000000000 t2 9000000104d24d30 t3 0000000000000001\n  t4 4f2317da8a7e08c4 t5 fffffefffc002f00 t6 90000001004c4620 t7 ffffffffc61c5b3d\n  t8 0000000000000000 u0 0000000000000001 s9 0000000000000050 s0 90000001075bc800\n  s1 0000000000000040 s2 900000010597c400 s3 0000000000000008 s4 90000001075bc880\n  s5 90000001075bc8f0 s6 0000000000000000 s7 0000000000741ce8 s8 0000000000000000\n     ra: 90000000851b5aa4 __qdisc_run+0xac/0x8d8\n    ERA: 90000000851b5ac0 __qdisc_run+0xc8/0x8d8\n   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n   PRMD: 00000004 (PPLV0 +PIE -PWE)\n   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n  ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n   BADV: 0000000000741d58\n   PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n  Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]\n  Process test_progs (pid: 449, threadinfo=000000009af02b3a, task=00000000e9ba4956)\n  Stack : 0000000000000000 90000001075bc8ac 90000000869524a8 9000000100741ce8\n          90000001075bc800 9000000100415300 90000001075bc8ac 0000000000000000\n          900000010597c400 900000008694a000 0000000000000000 9000000105b59000\n          90000001075bc800 9000000100741ce8 0000000000000050 900000008513000c\n          9000000086936000 0000000100094d4c fffffff400676208 0000000000000000\n          9000000105b59000 900000008694a000 9000000086bf0dc0 9000000105b59000\n          9000000086bf0d68 9000000085147010 90000001075be788 0000000000000000\n          9000000086bf0f98 0000000000000001 0000000000000010 9000000006015840\n          0000000000000000 9000000086be6c40 0000000000000000 0000000000000000\n          0000000000000000 4f2317da8a7e08c4 0000000000000101 4f2317da8a7e08c4\n          ...\n  Call Trace:\n  [<90000000851b5ac0>] __qdisc_run+0xc8/0x8d8\n  [<9000000085130008>] __dev_queue_xmit+0x578/0x10f0\n  [<90000000853701c0>] ip6_finish_output2+0x2f0/0x950\n  [<9000000085374bc8>] ip6_finish_output+0x2b8/0x448\n  [<9000000085370b24>] ip6_xmit+0x304/0x858\n  [<90000000853c4438>] inet6_csk_xmit+0x100/0x170\n  [<90000000852b32f0>] __tcp_transmit_skb+0x490/0xdd0\n  [<90000000852b47fc>] tcp_connect+0xbcc/0x1168\n  [<90000000853b9088>] tcp_v6_connect+0x580/0x8a0\n  [<90000000852e7738>] __inet_stream_connect+0x170/0x480\n  [<90000000852e7a98>] inet_stream_connect+0x50/0x88\n  [<90000000850f2814>] __sys_connect+0xe4/0x110\n  [<90000000850f2858>] sys_connect+0x18/0x28\n  [<9000000085520c94>] do_syscall+0x94/0x1a0\n  [<9000000083df1fb8>] handle_syscall+0xb8/0x158\n\n  Code: 4001ad80  2400873f  2400832d <240073cc> 001137ff  001133ff  6407b41f  001503cc  0280041d\n\n  ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires LoongArch ABI.\n\nSo let's sign extend struct ops return values according to the LoongArch\nABI ([1]) and return value spec in function model.\n\n[1]: https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40041",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828]  kprobe_perf_func+0x30/0x260\n[1135630.441661]  kprobe_dispatcher+0x44/0x60\n[1135630.448396]  aggr_pre_handler+0x70/0xc8\n[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435]  brk_handler+0xbc/0xd8\n[1135630.468437]  do_debug_exception+0x84/0x138\n[1135630.475074]  el1_dbg+0x18/0x8c\n[1135630.480582]  security_file_permission+0x0/0xd0\n[1135630.487426]  vfs_write+0x70/0x1c0\n[1135630.493059]  ksys_write+0x5c/0xc8\n[1135630.498638]  __arm64_sys_write+0x24/0x30\n[1135630.504821]  el0_svc_common+0x78/0x130\n[1135630.510838]  el0_svc_handler+0x38/0x78\n[1135630.516834]  el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call->perf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash> struct trace_event_call -o\nstruct trace_event_call {\n  ...\n  [120] struct hlist_head *perf_events;  //(call->perf_event)\n  ...\n}\n\ncrash> struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n  ...\n  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n  ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n  CPU0                                    CPU1\n  ====                                    ====\n  perf_kprobe_init\n    perf_trace_event_init\n      tp_event->perf_events = list;(1)\n      tp_event->class->reg (2)\u2190 KPROBE ACTIVE\n                                          Debug exception triggers\n                                          ...\n                                          kprobe_dispatcher\n                                            kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)\n                                              head = this_cpu_ptr(call->perf_events)(3)\n                                              (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event->perf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class->reg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n   call->perf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40042",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Add parameter validation for packet data\n\nSyzbot reported an uninitialized value bug in nci_init_req, which was\nintroduced by commit 5aca7966d2a7 (\"Merge tag\n'perf-tools-fixes-for-v6.17-2025-09-16' of\ngit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools\").\n\nThis bug arises due to very limited and poor input validation\nthat was done at nic_valid_size(). This validation only\nvalidates the skb->len (directly reflects size provided at the\nuserspace interface) with the length provided in the buffer\nitself (interpreted as NCI_HEADER). This leads to the processing\nof memory content at the address assuming the correct layout\nper what opcode requires there. This leads to the accesses to\nbuffer of `skb_buff->data` which is not assigned anything yet.\n\nFollowing the same silent drop of packets of invalid sizes at\n`nic_valid_size()`, add validation of the data in the respective\nhandlers and return error values in case of failure. Release\nthe skb if error values are returned from handlers in\n`nci_nft_packet` and effectively do a silent drop\n\nPossible TODO: because we silently drop the packets, the\ncall to `nci_request` will be waiting for completion of request\nand will face timeouts. These timeouts can get excessively logged\nin the dmesg. A proper handling of them may require to export\n`nci_request_cancel` (or propagate error handling from the\nnft packets handlers).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40043",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n\nWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes from\non-disk data and must be validated against the block size. Crafted or\ncorrupted images may set lengthAllocDescs so that the total descriptor\nlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,\nleading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and\ntrigger a KASAN use-after-free read.\n\nBUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\nRead of size 1 at addr ffff888041e7d000 by task syz-executor317/5309\n\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\n udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261\n udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179\n extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46\n udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106\n udf_release_file+0xc1/0x120 fs/udf/file.c:185\n __fput+0x23f/0x880 fs/file_table.c:431\n task_work_run+0x24f/0x310 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:43 [inline]\n do_exit+0xa2f/0x28e0 kernel/exit.c:939\n do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n __do_sys_exit_group kernel/exit.c:1099 [inline]\n __se_sys_exit_group kernel/exit.c:1097 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nValidate the computed total length against epos->bh->b_size.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40044",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd937x: set the comp soundwire port correctly\n\nFor some reason we endup with setting soundwire port for\nHPHL_COMP and HPHR_COMP as zero, this can potentially result\nin a memory corruption due to accessing and setting -1 th element of\nport_map array.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40045",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix overshooting recv limit\n\nIt's reported that sometimes a zcrx request can receive more than was\nrequested. It's caused by io_zcrx_recv_skb() adjusting desc->count for\nall received buffers including frag lists, but then doing recursive\ncalls to process frag list skbs, which leads to desc->count double\naccounting and underflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40046",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: always prune wait queue entry in io_waitid_wait()\n\nFor a successful return, always remove our entry from the wait queue\nentry list. Previously this was skipped if a cancelation was in\nprogress, but this can race with another invocation of the wait queue\nentry callback.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40047",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Let userspace take care of interrupt mask\n\nRemove the logic to set interrupt mask by default in uio_hv_generic\ndriver as the interrupt mask value is supposed to be controlled\ncompletely by the user space. If the mask bit gets changed\nby the driver, concurrently with user mode operating on the ring,\nthe mask bit may be set when it is supposed to be clear, and the\nuser-mode driver will miss an interrupt which will cause a hang.\n\nFor eg- when the driver sets inbound ring buffer interrupt mask to 1,\nthe host does not interrupt the guest on the UIO VMBus channel.\nHowever, setting the mask does not prevent the host from putting a\nmessage in the inbound ring buffer.\u00a0So let\u2019s assume that happens,\nthe host puts a message into the ring buffer but does not interrupt.\n\nSubsequently, the user space code in the guest sets the inbound ring\nbuffer interrupt mask to 0, saying \u201cHey, I\u2019m ready for interrupts\u201d.\nUser space code then calls pread() to wait for an interrupt.\nThen one of two things happens:\n\n* The host never sends another message. So the pread() waits forever.\n* The host does send another message. But because there\u2019s already a\n  message in the ring buffer, it doesn\u2019t generate an interrupt.\n  This is the correct behavior, because the host should only send an\n  interrupt when the inbound ring buffer transitions from empty to\n  not-empty. Adding an additional message to a ring buffer that is not\n  empty is not supposed to generate an interrupt on the guest.\n  Since the guest is waiting in pread() and not removing messages from\n  the ring buffer, the pread() waits forever.\n\nThis could be easily reproduced in hv_fcopy_uio_daemon if we delay\nsetting interrupt mask to 0.\n\nSimilarly if hv_uio_channel_cb() sets the interrupt_mask to 1,\nthere\u2019s a race condition. Once user space empties the inbound ring\nbuffer, but before user space sets interrupt_mask to 0, the host could\nput another message in the ring buffer but it wouldn\u2019t interrupt.\nThen the next pread() would hang.\n\nFix these by removing all instances where interrupt_mask is changed,\nwhile keeping the one in set_event() unchanged to enable userspace\ncontrol the interrupt mask by writing 0/1 to /dev/uioX.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40048",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix uninit-value in squashfs_get_parent\n\nSyzkaller reports a \"KMSAN: uninit-value in squashfs_get_parent\" bug.\n\nThis is caused by open_by_handle_at() being called with a file handle\ncontaining an invalid parent inode number.  In particular the inode number\nis that of a symbolic link, rather than a directory.\n\nSquashfs_get_parent() gets called with that symbolic link inode, and\naccesses the parent member field.\n\n\tunsigned int parent_ino = squashfs_i(inode)->parent;\n\nBecause non-directory inodes in Squashfs do not have a parent value, this\nis uninitialised, and this causes an uninitialised value access.\n\nThe fix is to initialise parent with the invalid inode 0, which will cause\nan EINVAL error to be returned.\n\nRegular inodes used to share the parent field with the block_list_start\nfield.  This is removed in this commit to enable the parent field to\ncontain the invalid inode number 0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40049",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip scalar adjustment for BPF_NEG if dst is a pointer\n\nIn check_alu_op(), the verifier currently calls check_reg_arg() and\nadjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.\nHowever, if the destination register holds a pointer, these scalar\nadjustments are unnecessary and potentially incorrect.\n\nThis patch adds a check to skip the adjustment logic when the destination\nregister contains a pointer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40050",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Modify the return value check\n\nThe return value of copy_from_iter and copy_to_iter can't be negative,\ncheck whether the copied lengths are equal.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40051",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix crypto buffers in non-linear memory\n\nThe crypto API, through the scatterlist API, expects input buffers to be\nin linear memory.  We handle this with the cifs_sg_set_buf() helper\nthat converts vmalloc'd memory to their corresponding pages.\n\nHowever, when we allocate our aead_request buffer (@creq in\nsmb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly\nputs aead_request->__ctx in vmalloc area.\n\nAEAD algorithm then uses ->__ctx for its private/internal data and\noperations, and uses sg_set_buf() for such data on a few places.\n\nThis works fine as long as @creq falls into kmalloc zone (small\nrequests) or vmalloc'd memory is still within linear range.\n\nTasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so too\nmany tasks will increment the base stacks' addresses to a point where\nvirt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when that\nhappens.\n\nIn practice: too many parallel reads and writes on an encrypted mount\nwill trigger this bug.\n\nTo fix this, always alloc @creq with kmalloc() instead.\nAlso drop the @sensitive_size variable/arguments since\nkfree_sensitive() doesn't need it.\n\nBacktrace:\n\n[  945.272081] ------------[ cut here ]------------\n[  945.272774] kernel BUG at include/linux/scatterlist.h:209!\n[  945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[  945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)\n[  945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n[  945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)\n[  945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220\n[  945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b\n[  945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246\n[  945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030\n[  945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070\n[  945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000\n[  945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070\n[  945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010\n[  945.284407] FS:  0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000\n[  945.285262] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0\n[  945.286683] Call Trace:\n[  945.286952]  <TASK>\n[  945.287184]  ? crypt_message+0x33f/0xad0 [cifs]\n[  945.287719]  crypto_gcm_encrypt+0x36/0xe0\n[  945.288152]  crypt_message+0x54a/0xad0 [cifs]\n[  945.288724]  smb3_init_transform_rq+0x277/0x300 [cifs]\n[  945.289300]  smb_send_rqst+0xa3/0x160 [cifs]\n[  945.289944]  cifs_call_async+0x178/0x340 [cifs]\n[  945.290514]  ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]\n[  945.291177]  smb2_async_writev+0x3e3/0x670 [cifs]\n[  945.291759]  ? find_held_lock+0x32/0x90\n[  945.292212]  ? netfs_advance_write+0xf2/0x310\n[  945.292723]  netfs_advance_write+0xf2/0x310\n[  945.293210]  netfs_write_folio+0x346/0xcc0\n[  945.293689]  ? __pfx__raw_spin_unlock_irq+0x10/0x10\n[  945.294250]  netfs_writepages+0x117/0x460\n[  945.294724]  do_writepages+0xbe/0x170\n[  945.295152]  ? find_held_lock+0x32/0x90\n[  945.295600]  ? kvm_sched_clock_read+0x11/0x20\n[  945.296103]  __writeback_single_inode+0x56/0x4b0\n[  945.296643]  writeback_sb_inodes+0x229/0x550\n[  945.297140]  __writeback_inodes_wb+0x4c/0xe0\n[  945.297642]  wb_writeback+0x2f1/0x3f0\n[  945.298069]  wb_workfn+0x300/0x490\n[  945.298472]  process_one_work+0x1fe/0x590\n[  945.298949]  worker_thread+0x1ce/0x3c0\n[  945.299397]  ? __pfx_worker_thread+0x10/0x10\n[  945.299900]  kthr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40052",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dlink: handle copy_thresh allocation failure\n\nThe driver did not handle failure of `netdev_alloc_skb_ip_align()`.\nIf the allocation failed, dereferencing `skb->protocol` could lead to\na NULL pointer dereference.\n\nThis patch tries to allocate `skb`. If the allocation fails, it falls\nback to the normal path.\n\nTested-on: D-Link DGE-550T Rev-A3",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40053",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF issue in f2fs_merge_page_bio()\n\nAs JY reported in bugzilla [1],\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\npc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98\nlr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4\nCPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P    B   W  OE      6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5\nTainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nWorkqueue: writeback wb_workfn (flush-254:49)\nCall trace:\n f2fs_is_cp_guaranteed+0x70/0x98\n f2fs_inplace_write_data+0x174/0x2f4\n f2fs_do_write_data_page+0x214/0x81c\n f2fs_write_single_data_page+0x28c/0x764\n f2fs_write_data_pages+0x78c/0xce4\n do_writepages+0xe8/0x2fc\n __writeback_single_inode+0x4c/0x4b4\n writeback_sb_inodes+0x314/0x540\n __writeback_inodes_wb+0xa4/0xf4\n wb_writeback+0x160/0x448\n wb_workfn+0x2f0/0x5dc\n process_scheduled_works+0x1c8/0x458\n worker_thread+0x334/0x3f0\n kthread+0x118/0x1ac\n ret_from_fork+0x10/0x20\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575\n\nThe panic was caused by UAF issue w/ below race condition:\n\nkworker\n- writepages\n - f2fs_write_cache_pages\n  - f2fs_write_single_data_page\n   - f2fs_do_write_data_page\n    - f2fs_inplace_write_data\n     - f2fs_merge_page_bio\n      - add_inu_page\n      : cache page #1 into bio & cache bio in\n        io->bio_list\n  - f2fs_write_single_data_page\n   - f2fs_do_write_data_page\n    - f2fs_inplace_write_data\n     - f2fs_merge_page_bio\n      - add_inu_page\n      : cache page #2 into bio which is linked\n        in io->bio_list\n\t\t\t\t\t\twrite\n\t\t\t\t\t\t- f2fs_write_begin\n\t\t\t\t\t\t: write page #1\n\t\t\t\t\t\t - f2fs_folio_wait_writeback\n\t\t\t\t\t\t  - f2fs_submit_merged_ipu_write\n\t\t\t\t\t\t   - f2fs_submit_write_bio\n\t\t\t\t\t\t   : submit bio which inclues page #1 and #2\n\n\t\t\t\t\t\tsoftware IRQ\n\t\t\t\t\t\t- f2fs_write_end_io\n\t\t\t\t\t\t - fscrypt_free_bounce_page\n\t\t\t\t\t\t : freed bounced page which belongs to page #2\n      - inc_page_count( , WB_DATA_TYPE(data_folio), false)\n      : data_folio points to fio->encrypted_page\n        the bounced page can be freed before\n        accessing it in f2fs_is_cp_guarantee()\n\nIt can reproduce w/ below testcase:\nRun below script in shell #1:\nfor ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \\\n-c \"pwrite 0 32k\" -c \"fdatasync\"\n\nRun below script in shell #2:\nfor ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \\\n-c \"pwrite 0 32k\" -c \"fdatasync\"\n\nSo, in f2fs_merge_page_bio(), let's avoid using fio->encrypted_page after\ncommit page into internal ipu cache.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40054",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix double free in user_cluster_connect()\n\nuser_cluster_disconnect() frees \"conn->cc_private\" which is \"lc\" but then\nthe error handling frees \"lc\" a second time.  Set \"lc\" to NULL on this\npath to avoid a double free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40055",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: vringh: Fix copy_to_iter return value check\n\nThe return value of copy_to_iter can't be negative, check whether the\ncopied length is equal to the requested length instead of checking for\nnegative values.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40056",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Add a upper bound on max_vclocks\n\nsyzbot reported WARNING in max_vclocks_store.\n\nThis occurs when the argument max is too large for kcalloc to handle.\n\nExtend the guard to guard against values that are too large for\nkcalloc",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40057",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Disallow dirty tracking if incoherent page walk\n\nDirty page tracking relies on the IOMMU atomically updating the dirty bit\nin the paging-structure entry. For this operation to succeed, the paging-\nstructure memory must be coherent between the IOMMU and the CPU. In\nanother word, if the iommu page walk is incoherent, dirty page tracking\ndoesn't work.\n\nThe Intel VT-d specification, Section 3.10 \"Snoop Behavior\" states:\n\n\"Remapping hardware encountering the need to atomically update A/EA/D bits\n in a paging-structure entry that is not snooped will result in a non-\n recoverable fault.\"\n\nTo prevent an IOMMU from being incorrectly configured for dirty page\ntracking when it is operating in an incoherent mode, mark SSADS as\nsupported only when both ecap_slads and ecap_smpwc are supported.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40058",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Fix incorrect handling for return value of devm_kzalloc\n\nThe return value of devm_kzalloc could be an null pointer,\nuse \"!desc.pdata\" to fix incorrect handling return value\nof devm_kzalloc.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40059",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: trbe: Return NULL pointer for allocation failures\n\nWhen the TRBE driver fails to allocate a buffer, it currently returns\nthe error code \"-ENOMEM\". However, the caller etm_setup_aux() only\nchecks for a NULL pointer, so it misses the error. As a result, the\ndriver continues and eventually causes a kernel panic.\n\nFix this by returning a NULL pointer from arm_trbe_alloc_buffer() on\nallocation failures. This allows that the callers can properly handle\nthe failure.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40060",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race in do_task() when draining\n\nWhen do_task() exhausts its iteration budget (!ret), it sets the state\nto TASK_STATE_IDLE to reschedule, without a secondary check on the\ncurrent task->state. This can overwrite the TASK_STATE_DRAINING state\nset by a concurrent call to rxe_cleanup_task() or rxe_disable_task().\n\nWhile state changes are protected by a spinlock, both rxe_cleanup_task()\nand rxe_disable_task() release the lock while waiting for the task to\nfinish draining in the while(!is_done(task)) loop. The race occurs if\ndo_task() hits its iteration limit and acquires the lock in this window.\nThe cleanup logic may then proceed while the task incorrectly\nreschedules itself, leading to a potential use-after-free.\n\nThis bug was introduced during the migration from tasklets to workqueues,\nwhere the special handling for the draining case was lost.\n\nFix this by restoring the original pre-migration behavior. If the state is\nTASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to\nforce a new loop iteration. This allows the task to finish its work, so\nthat a subsequent iteration can reach the switch statement and correctly\ntransition the state to TASK_STATE_DRAINED, stopping the task as intended.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40061",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs\n\nWhen the initialization of qm->debug.acc_diff_reg fails,\nthe probe process does not exit. However, after qm->debug.qm_diff_regs is\nfreed, it is not set to NULL. This can lead to a double free when the\nremove process attempts to free it again. Therefore, qm->debug.qm_diff_regs\nshould be set to NULL after it is freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40062",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: comp - Use same definition of context alloc and free ops\n\nIn commit 42d9f6c77479 (\"crypto: acomp - Move scomp stream allocation\ncode into acomp\"), the crypto_acomp_streams struct was made to rely on\nhaving the alloc_ctx and free_ctx operations defined in the same order\nas the scomp_alg struct. But in that same commit, the alloc_ctx and\nfree_ctx members of scomp_alg may be randomized by structure layout\nrandomization, since they are contained in a pure ops structure\n(containing only function pointers). If the pointers within scomp_alg\nare randomized, but those in crypto_acomp_streams are not, then\nthe order may no longer match. This fixes the problem by removing the\nunion from scomp_alg so that both crypto_acomp_streams and scomp_alg\nwill share the same definition of alloc_ctx and free_ctx, ensuring\nthey will always have the same layout.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40063",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in __pnet_find_base_ndev().\n\nsyzbot reported use-after-free of net_device in __pnet_find_base_ndev(),\nwhich was called during connect(). [0]\n\nsmc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes\ndown to pnet_find_base_ndev(), where RTNL is held.  Then, UAF happened\nat __pnet_find_base_ndev() when the dev is first used.\n\nThis means dev had already been freed before acquiring RTNL in\npnet_find_base_ndev().\n\nWhile dev is going away, dst->dev could be swapped with blackhole_netdev,\nand the dev's refcnt by dst will be released.\n\nWe must hold dev's refcnt before calling smc_pnet_find_ism_resource().\n\nAlso, smc_pnet_find_roce_resource() has the same problem.\n\nLet's use __sk_dst_get() and dst_dev_rcu() in the two functions.\n\n[0]:\nBUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\nRead of size 1 at addr ffff888036bac33a by task syz.0.3632/18609\n\nCPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\n pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]\n smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]\n smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154\n smc_find_ism_device net/smc/af_smc.c:1030 [inline]\n smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]\n __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545\n smc_connect+0x877/0xd90 net/smc/af_smc.c:1715\n __sys_connect_file net/socket.c:2086 [inline]\n __sys_connect+0x313/0x440 net/socket.c:2105\n __do_sys_connect net/socket.c:2111 [inline]\n __se_sys_connect net/socket.c:2108 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2108\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f47cbf8eba9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9\nRDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b\nRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8\n </TASK>\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000\nraw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\n prep_new_page mm/page_alloc.c:1859 [inline]\n get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148\n alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416\n ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kvmalloc_node\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40064",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Write hgatp register with valid mode bits\n\nAccording to the RISC-V Privileged Architecture Spec, when MODE=Bare\nis selected,software must write zero to the remaining fields of hgatp.\n\nWe have detected the valid mode supported by the HW before, So using a\nvalid mode to detect how many vmid bits are supported.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40065",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links()\n\nIn order to avoid a possible NULL pointer dereference in\nmt7996_mac_sta_init_link routine, move the phy pointer check before\nrunning mt7996_mac_sta_init_link() in mt7996_mac_sta_add_links routine.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40066",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist\n\nIndex allocation requires at least one bit in the $BITMAP attribute to\ntrack usage of index entries. If the bitmap is empty while index blocks\nare already present, this reflects on-disk corruption.\n\nsyzbot triggered this condition using a malformed NTFS image. During a\nrename() operation involving a long filename (which spans multiple\nindex entries), the empty bitmap allowed the name to be added without\nvalid tracking. Subsequent deletion of the original entry failed with\n-ENOENT, due to unexpected index state.\n\nReject such cases by verifying that the bitmap is not empty when index\nblocks exist.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40067",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: Fix integer overflow in run_unpack()\n\nThe MFT record relative to the file being opened contains its runlist,\nan array containing information about the file's location on the physical\ndisk. Analysis of all Call Stack paths showed that the values of the\nrunlist array, from which LCNs are calculated, are not validated before\nrun_unpack function.\n\nThe run_unpack function decodes the compressed runlist data format\nfrom MFT attributes (for example, $DATA), converting them into a runs_tree\nstructure, which describes the mapping of virtual clusters (VCN) to\nlogical clusters (LCN). The NTFS3 subsystem also has a shortcut for\ndeleting files from MFT records - in this case, the RUN_DEALLOCATE\ncommand is sent to the run_unpack input, and the function logic\nprovides that all data transferred to the runlist about file or\ndirectory is deleted without creating a runs_tree structure.\n\nSubstituting the runlist in the $DATA attribute of the MFT record for an\narbitrary file can lead either to access to arbitrary data on the disk\nbypassing access checks to them (since the inode access check\noccurs above) or to destruction of arbitrary data on the disk.\n\nAdd overflow check for addition operation.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40068",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix obj leak in VM_BIND error path\n\nIf we fail a handle-lookup part way thru, we need to drop the already\nobtained obj references.\n\nPatchwork: https://patchwork.freedesktop.org/patch/669784/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40069",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Call Trace:\n   <TASK>\n   kobject_cleanup+0x136/0x410 lib/kobject.c:689\n   kobject_release lib/kobject.c:720 [inline]\n   kref_put include/linux/kref.h:65 [inline]\n   kobject_put+0xe9/0x130 lib/kobject.c:737\n   put_device+0x24/0x30 drivers/base/core.c:3797\n   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n   tiocsetd drivers/tty/tty_io.c:2429 [inline]\n   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:598 [inline]\n   __se_sys_ioctl fs/ioctl.c:584 [inline]\n   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps->dev, which will\ninit dev->release to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, 'kfree_pps' should be removed\nin pps_register_source() to avoid a double free in the failure case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40070",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: Don't block input queue by waiting MSC\n\nCurrently gsm_queue() processes incoming frames and when opening\na DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().\nIf basic mode is used it calls gsm_modem_upd_via_msc() and it\ncannot block the input queue by waiting the response to come\ninto the same input queue.\n\nInstead allow sending Modem Status Command without waiting for remote\nend to respond. Define a new function gsm_modem_send_initial_msc()\nfor this purpose. As MSC is only valid for basic encoding, it does\nnot do anything for advanced or when convergence layer type 2 is used.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40071",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing\n\nThe function do_fanotify_mark() does not validate if\nmnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns.\nThis causes a NULL pointer dereference in do_fanotify_mark() if the\npath is not a mount namespace object.\n\nFix this by checking mnt_ns_from_dentry()'s return value before\ndereferencing it.\n\nBefore the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nKilled\n\nint main(void){\n    int ffd;\n    ffd = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_MNT, 0);\n    if(ffd < 0){\n        perror(\"fanotify_init\");\n        exit(EXIT_FAILURE);\n    }\n\n    printf(\"Fanotify fd: %d\\n\",ffd);\n\n    if(fanotify_mark(ffd, FAN_MARK_ADD | FAN_MARK_MNTNS,\nFAN_MNT_ATTACH, AT_FDCWD, \"A\") < 0){\n        perror(\"fanotify_mark\");\n        exit(EXIT_FAILURE);\n    }\n\nreturn 0;\n}\n\nAfter the patch\n\n$ gcc fanotify_nullptr.c -o fanotify_nullptr\n$ mkdir A\n$ ./fanotify_nullptr\nFanotify fd: 3\nfanotify_mark: Operation not permitted\n$ unshare -Urm\nFanotify fd: 3\nfanotify_mark: Invalid argument\n\n[   25.694973] BUG: kernel NULL pointer dereference, address: 0000000000000038\n[   25.695006] #PF: supervisor read access in kernel mode\n[   25.695012] #PF: error_code(0x0000) - not-present page\n[   25.695017] PGD 109a30067 P4D 109a30067 PUD 142b46067 PMD 0\n[   25.695025] Oops: Oops: 0000 [#1] SMP NOPTI\n[   25.695032] CPU: 4 UID: 1000 PID: 1478 Comm: fanotify_nullpt Not\ntainted 6.17.0-rc4 #1 PREEMPT(lazy)\n[   25.695040] Hardware name: VMware, Inc. VMware Virtual\nPlatform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[   25.695049] RIP: 0010:do_fanotify_mark+0x817/0x950\n[   25.695066] Code: 04 00 00 e9 45 fd ff ff 48 8b 7c 24 48 4c 89 54\n24 18 4c 89 5c 24 10 4c 89 0c 24 e8 b3 11 fc ff 4c 8b 54 24 18 4c 8b\n5c 24 10 <48> 8b 78 38 4c 8b 0c 24 49 89 c4 e9 13 fd ff ff 8b 4c 24 28\n85 c9\n[   25.695081] RSP: 0018:ffffd31c469e3c08 EFLAGS: 00010203\n[   25.695104] RAX: 0000000000000000 RBX: 0000000001000000 RCX: ffff8eb48aebd220\n[   25.695110] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8eb4835e8180\n[   25.695115] RBP: 0000000000000111 R08: 0000000000000000 R09: 0000000000000000\n[   25.695142] R10: ffff8eb48a7d56c0 R11: ffff8eb482bede00 R12: 00000000004012a7\n[   25.695148] R13: 0000000000000110 R14: 0000000000000001 R15: ffff8eb48a7d56c0\n[   25.695154] FS:  00007f8733bda740(0000) GS:ffff8eb61ce5f000(0000)\nknlGS:0000000000000000\n[   25.695162] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   25.695170] CR2: 0000000000000038 CR3: 0000000136994006 CR4: 00000000003706f0\n[   25.695201] Call Trace:\n[   25.695209]  <TASK>\n[   25.695215]  __x64_sys_fanotify_mark+0x1f/0x30\n[   25.695222]  do_syscall_64+0x82/0x2c0\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40072",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Do not validate SSPP when it is not ready\n\nCurrent code will validate current plane and previous plane to\nconfirm they can share a SSPP with multi-rect mode. The SSPP\nis already allocated for previous plane, while current plane\nis not associated with any SSPP yet. Null pointer is referenced\nwhen validating the SSPP of current plane. Skip SSPP validation\nfor current plane.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000888ac3000\n[0000000000000020] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 4 UID: 0 PID: 1891 Comm: modetest Tainted: G S                  6.15.0-rc2-g3ee3f6e1202e #335 PREEMPT\nTainted: [S]=CPU_OUT_OF_SPEC\nHardware name: SM8650 EV1 rev1 4slam 2et (DT)\npstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : dpu_plane_is_multirect_capable+0x68/0x90\nlr : dpu_assign_plane_resources+0x288/0x410\nsp : ffff800093dcb770\nx29: ffff800093dcb770 x28: 0000000000002000 x27: ffff000817c6c000\nx26: ffff000806b46368 x25: ffff0008013f6080 x24: ffff00080cbf4800\nx23: ffff000810842680 x22: ffff0008013f1080 x21: ffff00080cc86080\nx20: ffff000806b463b0 x19: ffff00080cbf5a00 x18: 00000000ffffffff\nx17: 707a5f657a696c61 x16: 0000000000000003 x15: 0000000000002200\nx14: 00000000ffffffff x13: 00aaaaaa00aaaaaa x12: 0000000000000000\nx11: ffff000817c6e2b8 x10: 0000000000000000 x9 : ffff80008106a950\nx8 : ffff00080cbf48f4 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000438 x3 : 0000000000000438\nx2 : ffff800082e245e0 x1 : 0000000000000008 x0 : 0000000000000000\nCall trace:\n dpu_plane_is_multirect_capable+0x68/0x90 (P)\n dpu_crtc_atomic_check+0x5bc/0x650\n drm_atomic_helper_check_planes+0x13c/0x220\n drm_atomic_helper_check+0x58/0xb8\n msm_atomic_check+0xd8/0xf0\n drm_atomic_check_only+0x4a8/0x968\n drm_atomic_commit+0x50/0xd8\n drm_atomic_helper_update_plane+0x140/0x188\n __setplane_atomic+0xfc/0x148\n drm_mode_setplane+0x164/0x378\n drm_ioctl_kernel+0xc0/0x140\n drm_ioctl+0x20c/0x500\n __arm64_sys_ioctl+0xbc/0xf8\n invoke_syscall+0x50/0x120\n el0_svc_common.constprop.0+0x48/0xf8\n do_el0_svc+0x28/0x40\n el0_svc+0x30/0xd0\n el0t_64_sync_handler+0x144/0x168\n el0t_64_sync+0x198/0x1a0\nCode: b9402021 370fffc1 f9401441 3707ff81 (f94010a1)\n---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/patch/669224/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40073",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: start using dst_dev_rcu()\n\nChange icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.\n\nChange ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),\nipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40074",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: use dst_dev_net_rcu()\n\nReplace three dst_dev() with a lockdep enabled helper.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40075",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()\n\nStarting with commit dd26c1a23fd5 (\"PCI: rcar-host: Switch to\nmsi_create_parent_irq_domain()\"), the MSI parent IRQ domain is NULL because\nthe object of type struct irq_domain_info passed to:\n\nmsi_create_parent_irq_domain() ->\n  irq_domain_instantiate()() ->\n    __irq_domain_instantiate()\n\nhas no reference to the parent IRQ domain. Using msi->domain->parent as an\nargument for generic_handle_domain_irq() leads to below error:\n\n\t\"Unable to handle kernel NULL pointer dereference at virtual address\"\n\nThis error was identified while switching the upcoming RZ/G3S PCIe host\ncontroller driver to msi_create_parent_irq_domain() (which was using a\nsimilar pattern to handle MSIs (see link section)), but it was not tested\non hardware using the pcie-rcar-host controller driver due to lack of\nhardware.\n\n[mani: reworded subject and description]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40076",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid overflow while left shift operation\n\nShould cast type of folio->index from pgoff_t to loff_t to avoid overflow\nwhile left shift operation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40077",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Explicitly check accesses to bpf_sock_addr\n\nSyzkaller found a kernel warning on the following sock_addr program:\n\n    0: r0 = 0\n    1: r2 = *(u32 *)(r1 +60)\n    2: exit\n\nwhich triggers:\n\n    verifier bug: error during ctx access conversion (0)\n\nThis is happening because offset 60 in bpf_sock_addr corresponds to an\nimplicit padding of 4 bytes, right after msg_src_ip4. Access to this\npadding isn't rejected in sock_addr_is_valid_access and it thus later\nfails to convert the access.\n\nThis patch fixes it by explicitly checking the various fields of\nbpf_sock_addr in sock_addr_is_valid_access.\n\nI checked the other ctx structures and is_valid_access functions and\ndidn't find any other similar cases. Other cases of (properly handled)\npadding are covered in new tests in a subsequent patch.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40078",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv, bpf: Sign extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n    Unable to handle kernel paging request at virtual address ffffffffa38dbf58\n    Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000\n    [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000\n    Oops [#1]\n    Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]\n    CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G        W  OE       6.17.0-rc1-g2465bb83e0b4 #1 NONE\n    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n    Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024\n    epc : __qdisc_run+0x82/0x6f0\n     ra : __qdisc_run+0x6e/0x6f0\n    epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550\n     gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180\n     t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0\n     s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001\n     a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000\n     a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049\n     s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000\n     s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0\n     s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000\n     s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000\n     t5 : 0000000000000000 t6 : ff60000093a6a8b6\n    status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d\n    [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0\n    [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128\n    [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170\n    [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8\n    [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0\n    [<ffffffff80d31446>] ip6_output+0x5e/0x178\n    [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608\n    [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140\n    [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8\n    [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10\n    [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8\n    [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318\n    [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68\n    [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88\n    [<ffffffff80b42bee>] __sys_connect+0x96/0xc8\n    [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30\n    [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378\n    [<ffffffff80e69af2>] handle_exception+0x14a/0x156\n    Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709\n    ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires RISC-V ABI.\n\nSo let's sign extend struct ops return values according to the function\nmodel and RISC-V ABI([0]).\n\n  [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40079",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitly accept TCP and UNIX stream sockets.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40080",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm_spe: Prevent overflow in PERF_IDX2OFF()\n\nCast nr_pages to unsigned long to avoid overflow when handling large\nAUX buffer sizes (>= 2 GiB).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40081",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n\nBUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\nRead of size 2 at addr ffff8880289ef218 by task syz.6.248/14290\n\nCPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x5f0 mm/kasan/report.c:482\n kasan_report+0xca/0x100 mm/kasan/report.c:595\n hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186\n hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe0e9fae16d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3\nRAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000\nRBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000\n </TASK>\n\nAllocated by task 14290:\n kasan_save_stack+0x24/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4333 [inline]\n __kmalloc_noprof+0x219/0x540 mm/slub.c:4345\n kmalloc_noprof include/linux/slab.h:909 [inline]\n hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21\n hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697\n vfs_listxattr+0xbe/0x140 fs/xattr.c:493\n listxattr+0xee/0x190 fs/xattr.c:924\n filename_listxattr fs/xattr.c:958 [inline]\n path_listxattrat+0x143/0x360 fs/xattr.c:988\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen hfsplus_uni2asc is called from hfsplus_listxattr,\nit actually passes in a struct hfsplus_attr_unistr*.\nThe size of the corresponding structure is different from that of hfsplus_unistr,\nso the previous fix (94458781aee6) is insufficient.\nThe pointer on the unicode buffer is still going beyond the allocated memory.\n\nThis patch introduces two wrapper functions hfsplus_uni2asc_xattr_str and\nhfsplus_uni2asc_str to process two unicode buffers,\nstruct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.\nWhen ustrlen value is bigger than the allocated memory size,\nthe ustrlen value is limited to a safe size.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40083",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-40084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: transport_ipc: validate payload size before reading handle\n\nhandle_response() dereferences the payload as a 4-byte handle without\nverifying that the declared payload size is at least 4 bytes. A malformed\nor truncated message from ksmbd.mountd can lead to a 4-byte read past the\ndeclared payload size. Validate the size before dereferencing.\n\nThis is a minimal fix to guard the initial handle read.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40084",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer deference in try_to_register_card\n\nIn try_to_register_card(), the return value of usb_ifnum_to_if() is\npassed directly to usb_interface_claimed() without a NULL check, which\nwill lead to a NULL pointer dereference when creating an invalid\nUSB audio device. Fix this by adding a check to ensure the interface\npointer is valid before passing it to usb_interface_claimed().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40085",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don't allow evicting of BOs in same VM in array of VM binds\n\nAn array of VM binds can potentially evict other buffer objects (BOs)\nwithin the same VM under certain conditions, which may lead to NULL\npointer dereferences later in the bind pipeline. To prevent this, clear\nthe allow_res_evict flag in the xe_bo_validate call.\n\nv2:\n - Invert polarity of no_res_evict (Thomas)\n - Add comment in code explaining issue (Thomas)\n\n(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40086",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define a proc_layoutcommit for the FlexFiles layout type\n\nAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT\noperation on a FlexFiles layout.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40087",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n\nThe hfsplus_strcasecmp() logic can trigger the issue:\n\n[  117.317703][ T9855] ==================================================================\n[  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490\n[  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855\n[  117.319577][ T9855]\n[  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)\n[  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  117.319783][ T9855] Call Trace:\n[  117.319785][ T9855]  <TASK>\n[  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0\n[  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10\n[  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0\n[  117.319816][ T9855]  ? lock_release+0x4b/0x3e0\n[  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40\n[  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319842][ T9855]  print_report+0x17e/0x7e0\n[  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0\n[  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0\n[  117.319862][ T9855]  ? __phys_addr+0xd3/0x180\n[  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319876][ T9855]  kasan_report+0x147/0x180\n[  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490\n[  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490\n[  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10\n[  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0\n[  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470\n[  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10\n[  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10\n[  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510\n[  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10\n[  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10\n[  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510\n[  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0\n[  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120\n[  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890\n[  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10\n[  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0\n[  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80\n[  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10\n[  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100\n[  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150\n[  117.320034][ T9855]  __lookup_slow+0x297/0x3d0\n[  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10\n[  117.320045][ T9855]  ? down_read+0x1ad/0x2e0\n[  117.320055][ T9855]  lookup_slow+0x53/0x70\n[  117.320065][ T9855]  walk_component+0x2f0/0x430\n[  117.320073][ T9855]  path_lookupat+0x169/0x440\n[  117.320081][ T9855]  filename_lookup+0x212/0x590\n[  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10\n[  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290\n[  117.320105][ T9855]  ? getname_flags+0x1e5/0x540\n[  117.320112][ T9855]  user_path_at+0x3a/0x60\n[  117.320117][ T9855]  __x64_sys_umount+0xee/0x160\n[  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10\n[  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0\n[  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0\n[  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0\n[  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07\n[  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08\n[  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40088",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/features: Add check for no entries in cxl_feature_info\n\ncxl EDAC calls cxl_feature_info() to get the feature information and\nif the hardware has no Features support, cxlfs may be passed in as\nNULL.\n\n[   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[   51.965571] #PF: supervisor read access in kernel mode\n[   51.971559] #PF: error_code(0x0000) - not-present page\n[   51.977542] PGD 17e4f6067 P4D 0\n[   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI\n[   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj\ntest+ #64 PREEMPT(voluntary)\n[   51.997355] Hardware name: <removed>\n[   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]\n\nAdd a check for cxlfs before dereferencing it and return -EOPNOTSUPP if\nthere is no cxlfs created due to no hardware support.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40089",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix recursive locking in RPC handle list access\n\nSince commit 305853cce3794 (\"ksmbd: Fix race condition in RPC handle list\naccess\"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.\n\nThis causes hung connections / tasks when a client attempts to open\na named pipe. Using Samba's rpcclient tool:\n\n $ rpcclient //192.168.1.254 -U user%password\n $ rpcclient $> srvinfo\n <connection hung here>\n\nKernel side:\n  \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000\n  Workqueue: ksmbd-io handle_ksmbd_work\n  Call trace:\n  __schedule from schedule+0x3c/0x58\n  schedule from schedule_preempt_disabled+0xc/0x10\n  schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8\n  rwsem_down_read_slowpath from down_read+0x28/0x30\n  down_read from ksmbd_session_rpc_method+0x18/0x3c\n  ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68\n  ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228\n  ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8\n  create_smb2_pipe from smb2_open+0x10c/0x27ac\n  smb2_open from handle_ksmbd_work+0x238/0x3dc\n  handle_ksmbd_work from process_scheduled_works+0x160/0x25c\n  process_scheduled_works from worker_thread+0x16c/0x1e8\n  worker_thread from kthread+0xa8/0xb8\n  kthread from ret_from_fork+0x14/0x38\n  Exception stack(0x8529ffb0 to 0x8529fff8)\n\nThe task deadlocks because the lock is already held:\n  ksmbd_session_rpc_open\n    down_write(&sess->rpc_lock)\n    ksmbd_rpc_open\n      ksmbd_session_rpc_method\n        down_read(&sess->rpc_lock)   <-- deadlock\n\nAdjust ksmbd_session_rpc_method() callers to take the lock when necessary.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40090",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.5"
        },
        {
          "id": "CVE-2025-40091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix too early devlink_free() in ixgbe_remove()\n\nSince ixgbe_adapter is embedded in devlink, calling devlink_free()\nprematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free()\nto the end.\n\nKASAN report:\n\n BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]\n Read of size 8 at addr ffff0000adf813e0 by task bash/2095\n CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S  6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)\n [...]\n Call trace:\n  show_stack+0x30/0x90 (C)\n  dump_stack_lvl+0x9c/0xd0\n  print_address_description.constprop.0+0x90/0x310\n  print_report+0x104/0x1f0\n  kasan_report+0x88/0x180\n  __asan_report_load8_noabort+0x20/0x30\n  ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]\n  ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]\n  ixgbe_remove+0x2d0/0x8c0 [ixgbe]\n  pci_device_remove+0xa0/0x220\n  device_remove+0xb8/0x170\n  device_release_driver_internal+0x318/0x490\n  device_driver_detach+0x40/0x68\n  unbind_store+0xec/0x118\n  drv_attr_store+0x64/0xb8\n  sysfs_kf_write+0xcc/0x138\n  kernfs_fop_write_iter+0x294/0x440\n  new_sync_write+0x1fc/0x588\n  vfs_write+0x480/0x6a0\n  ksys_write+0xf0/0x1e0\n  __arm64_sys_write+0x70/0xc0\n  invoke_syscall.constprop.0+0xcc/0x280\n  el0_svc_common.constprop.0+0xa8/0x248\n  do_el0_svc+0x44/0x68\n  el0_svc+0x54/0x160\n  el0t_64_sync_handler+0xa0/0xe8\n  el0t_64_sync+0x1b0/0x1b8",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40091",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Refactor bind path to use __free()\n\nAfter a bind/unbind cycle, the ncm->notify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep->ops->free_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n ncm_bind+0x39c/0x3dc\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40092",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ecm: Refactor bind path to use __free()\n\nAfter a bind/unbind cycle, the ecm->notify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep->ops->free_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40093",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_acm: Refactor bind path to use __free()\n\nAfter a bind/unbind cycle, the acm->notify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep->ops->free_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nCall trace:\n usb_ep_free_request+0x2c/0xec\n gs_free_req+0x30/0x44\n acm_bind+0x1b8/0x1f4\n usb_add_function+0xcc/0x1f0\n configfs_composite_bind+0x468/0x588\n gadget_bind_driver+0x104/0x270\n really_probe+0x190/0x374\n __driver_probe_device+0xa0/0x12c\n driver_probe_device+0x3c/0x218\n __device_attach_driver+0x14c/0x188\n bus_for_each_drv+0x10c/0x168\n __device_attach+0xfc/0x198\n device_initial_probe+0x14/0x24\n bus_probe_device+0x94/0x11c\n device_add+0x268/0x48c\n usb_add_gadget+0x198/0x28c\n dwc3_gadget_init+0x700/0x858\n __dwc3_set_mode+0x3cc/0x664\n process_scheduled_works+0x1d8/0x488\n worker_thread+0x244/0x334\n kthread+0x114/0x1bc\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40094",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Refactor bind path to use __free()\n\nAfter a bind/unbind cycle, the rndis->notify_req is left stale. If a\nsubsequent bind fails, the unified error label attempts to free this\nstale request, leading to a NULL pointer dereference when accessing\nep->ops->free_request.\n\nRefactor the error handling in the bind path to use the __free()\nautomatic cleanup mechanism.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40095",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies\n\nWhen adding dependencies with drm_sched_job_add_dependency(), that\nfunction consumes the fence reference both on success and failure, so in\nthe latter case the dma_fence_put() on the error path (xarray failed to\nexpand) is a double free.\n\nInterestingly this bug appears to have been present ever since\ncommit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code\nback then looked like this:\n\ndrm_sched_job_add_implicit_dependencies():\n...\n       for (i = 0; i < fence_count; i++) {\n               ret = drm_sched_job_add_dependency(job, fences[i]);\n               if (ret)\n                       break;\n       }\n\n       for (; i < fence_count; i++)\n               dma_fence_put(fences[i]);\n\nWhich means for the failing 'i' the dma_fence_put was already a double\nfree. Possibly there were no users at that time, or the test cases were\ninsufficient to hit it.\n\nThe bug was then only noticed and fixed after\ncommit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\")\nlanded, with its fixup of\ncommit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").\n\nAt that point it was a slightly different flavour of a double free, which\ncommit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\")\nnoticed and attempted to fix.\n\nBut it only moved the double free from happening inside the\ndrm_sched_job_add_dependency(), when releasing the reference not yet\nobtained, to the caller, when releasing the reference already released by\nthe former in the failure case.\n\nAs such it is not easy to identify the right target for the fixes tag so\nlet's keep it simple and just continue the chain.\n\nWhile fixing we also improve the comment and explain the reason for taking\nthe reference and not dropping it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40096",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix missing pointer check in hda_component_manager_init function\n\nThe __component_match_add function may assign the 'matchptr' pointer\nthe value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.\n\nThe call stack leading to the error looks like this:\n\nhda_component_manager_init\n|-> component_match_add\n    |-> component_match_add_release\n        |-> __component_match_add ( ... ,**matchptr, ... )\n            |-> *matchptr = ERR_PTR(-ENOMEM);       // assign\n|-> component_master_add_with_match( ...  match)\n    |-> component_match_realloc(match, match->num); // dereference\n\nAdd IS_ERR() check to prevent the crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40097",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()\n\nReturn value of a function acpi_evaluate_dsm() is dereferenced without\nchecking for NULL, but it is usually checked for this function.\n\nacpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns\nacpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40098",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: parse_dfs_referrals: prevent oob on malformed input\n\nMalicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS\n\n- reply smaller than sizeof(struct get_dfs_referral_rsp)\n- reply with number of referrals smaller than NumberOfReferrals in the\nheader\n\nProcessing of such replies will cause oob.\n\nReturn -EINVAL error on such replies to prevent oob-s.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40099",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not assert we found block group item when creating free space tree\n\nCurrently, when building a free space tree at populate_free_space_tree(),\nif we are not using the block group tree feature, we always expect to find\nblock group items (either extent items or a block group item with key type\nBTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with\nbtrfs_search_slot_for_read(), so we assert that we found an item. However\nthis expectation is wrong since we can have a new block group created in\nthe current transaction which is still empty and for which we still have\nnot added the block group's item to the extent tree, in which case we do\nnot have any items in the extent tree associated to the block group.\n\nThe insertion of a new block group's block group item in the extent tree\nhappens at btrfs_create_pending_block_groups() when it calls the helper\ninsert_block_group_item(). This typically is done when a transaction\nhandle is released, committed or when running delayed refs (either as\npart of a transaction commit or when serving tickets for space reservation\nif we are low on free space).\n\nSo remove the assertion at populate_free_space_tree() even when the block\ngroup tree feature is not enabled and update the comment to mention this\ncase.\n\nSyzbot reported this with the following stack trace:\n\n  BTRFS info (device loop3 state M): rebuilding free space tree\n  assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/free-space-tree.c:1115!\n  Oops: invalid opcode: 0000 [#1] SMP KASAN PTI\n  CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115\n  Code: ff ff e8 d3 (...)\n  RSP: 0018:ffffc9000430f780 EFLAGS: 00010246\n  RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000\n  RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\n  RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94\n  R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001\n  R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000\n  FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0\n  Call Trace:\n   <TASK>\n   btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364\n   btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062\n   btrfs_remount_rw fs/btrfs/super.c:1334 [inline]\n   btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559\n   reconfigure_super+0x227/0x890 fs/super.c:1076\n   do_remount fs/namespace.c:3279 [inline]\n   path_mount+0xd1a/0xfe0 fs/namespace.c:4027\n   do_mount fs/namespace.c:4048 [inline]\n   __do_sys_mount fs/namespace.c:4236 [inline]\n   __se_sys_mount+0x313/0x410 fs/namespace.c:4213\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   RIP: 0033:0x7f424e39066a\n  Code: d8 64 89 02 (...)\n  RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5\n  RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a\n  RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000\n  RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020\n  R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380\n  R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0\n   </TASK>\n  Modules linked in:\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40100",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST\n\nAt the end of btrfs_load_block_group_zone_info() the first thing we do\nis to ensure that if the mapping type is not a SINGLE one and there is\nno RAID stripe tree, then we return early with an error.\n\nDoing that, though, prevents the code from running the last calls from\nthis function which are about freeing memory allocated during its\nrun. Hence, in this case, instead of returning early, we set the ret\nvalue and fall through the rest of the cleanup code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40101",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Prevent access to vCPU events before init\n\nAnother day, another syzkaller bug. KVM erroneously allows userspace to\npend vCPU events for a vCPU that hasn't been initialized yet, leading to\nKVM interpreting a bunch of uninitialized garbage for routing /\ninjecting the exception.\n\nIn one case the injection code and the hyp disagree on whether the vCPU\nhas a 32bit EL1 and put the vCPU into an illegal mode for AArch64,\ntripping the BUG() in exception_target_el() during the next injection:\n\n  kernel BUG at arch/arm64/kvm/inject_fault.c:40!\n  Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n  CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : exception_target_el+0x88/0x8c\n  lr : pend_serror_exception+0x18/0x13c\n  sp : ffff800082f03a10\n  x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000\n  x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000\n  x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004\n  x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0\n  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n  x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000\n  x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20\n  Call trace:\n   exception_target_el+0x88/0x8c (P)\n   kvm_inject_serror_esr+0x40/0x3b4\n   __kvm_arm_vcpu_set_events+0xf0/0x100\n   kvm_arch_vcpu_ioctl+0x180/0x9d4\n   kvm_vcpu_ioctl+0x60c/0x9f4\n   __arm64_sys_ioctl+0xac/0x104\n   invoke_syscall+0x48/0x110\n   el0_svc_common.constprop.0+0x40/0xe0\n   do_el0_svc+0x1c/0x28\n   el0_svc+0x34/0xf0\n   el0t_64_sync_handler+0xa0/0xe4\n   el0t_64_sync+0x198/0x19c\n  Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)\n\nReject the ioctls outright as no sane VMM would call these before\nKVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been\nthrown away by the eventual reset of the vCPU's state.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40102",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix refcount leak for cifs_sb_tlink\n\nFix three refcount inconsistency issues related to `cifs_sb_tlink`.\n\nComments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be\ncalled after successful calls to `cifs_sb_tlink()`. Three calls fail to\nupdate refcount accordingly, leading to possible resource leaks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40103",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: fix mailbox API compatibility by negotiating supported features\n\nThere was backward compatibility in the terms of mailbox API. Various\ndrivers from various OSes supporting 10G adapters from Intel portfolio\ncould easily negotiate mailbox API.\n\nThis convention has been broken since introducing API 1.4.\nCommit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support\nfor IPSec which is specific only for the kernel ixgbe driver. None of the\nrest of the Intel 10G PF/VF drivers supports it. And actually lack of\nsupport was not included in the IPSec implementation - there were no such\ncode paths. No possibility to negotiate support for the feature was\nintroduced along with introduction of the feature itself.\n\nCommit 339f28964147 (\"ixgbevf: Add support for new mailbox communication\nbetween PF and VF\") increasing API version to 1.5 did the same - it\nintroduced code supported specifically by the PF ESX driver. It altered API\nversion for the VF driver in the same time not touching the version\ndefined for the PF ixgbe driver. It led to additional discrepancies,\nas the code provided within API 1.6 cannot be supported for Linux ixgbe\ndriver as it causes crashes.\n\nThe issue was noticed some time ago and mitigated by Jake within the commit\nd0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\").\nAs a result we have regression for IPsec support and after increasing API\nto version 1.6 ixgbevf driver stopped to support ESX MBX.\n\nTo fix this mess add new mailbox op asking PF driver about supported\nfeatures. Based on the response, determine whether to set support for IPSec\nand ESX-specific enhanced mailbox.\n\nNew mailbox op, for compatibility purposes, must be added within new API\nrevision, as API version of OOT PF & VF drivers is already increased to\n1.6 and doesn't incorporate features negotiate op.\n\nFeatures negotiation mechanism gives possibility to be extended with new\nfeatures when needed in the future.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40104",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don't leak disconnected dentries on umount\n\nWhen user calls open_by_handle_at() on some inode that is not cached, we\nwill create disconnected dentry for it. If such dentry is a directory,\nexportfs_decode_fh_raw() will then try to connect this dentry to the\ndentry tree through reconnect_path(). It may happen for various reasons\n(such as corrupted fs or race with rename) that the call to\nlookup_one_unlocked() in reconnect_one() will fail to find the dentry we\nare trying to reconnect and instead create a new dentry under the\nparent. Now this dentry will not be marked as disconnected although the\nparent still may well be disconnected (at least in case this\ninconsistency happened because the fs is corrupted and .. doesn't point\nto the real parent directory). This creates inconsistency in\ndisconnected flags but AFAICS it was mostly harmless. At least until\ncommit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\")\nwhich removed adding of most disconnected dentries to sb->s_anon list.\nThus after this commit cleanup of disconnected dentries implicitly\nrelies on the fact that dput() will immediately reclaim such dentries.\nHowever when some leaf dentry isn't marked as disconnected, as in the\nscenario described above, the reclaim doesn't happen and the dentries\nare \"leaked\". Memory reclaim can eventually reclaim them but otherwise\nthey stay in memory and if umount comes first, we hit infamous \"Busy\ninodes after unmount\" bug. Make sure all dentries created under a\ndisconnected parent are marked as disconnected as well.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40105",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: fix divide-by-zero in comedi_buf_munge()\n\nThe comedi_buf_munge() function performs a modulo operation\n`async->munge_chan %= async->cmd.chanlist_len` without first\nchecking if chanlist_len is zero. If a user program submits a command with\nchanlist_len set to zero, this causes a divide-by-zero error when the device\nprocesses data in the interrupt handler path.\n\nAdd a check for zero chanlist_len at the beginning of the\nfunction, similar to the existing checks for !map and\nCMDF_RAWDATA flag. When chanlist_len is zero, update\nmunge_count and return early, indicating the data was\nhandled without munging.\n\nThis prevents potential kernel panics from malformed user commands.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40106",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled\n\nThis issue is similar to the vulnerability in the `mcp251x` driver,\nwhich was fixed in commit 03c427147b2d (\"can: mcp251x: fix resume from\nsleep before interface was brought up\").\n\nIn the `hi311x` driver, when the device resumes from sleep, the driver\nschedules `priv->restart_work`. However, if the network interface was\nnot previously enabled, the `priv->wq` (workqueue) is not allocated and\ninitialized, leading to a null pointer dereference.\n\nTo fix this, we move the allocation and initialization of the workqueue\nfrom the `hi3110_open` function to the `hi3110_can_probe` function.\nThis ensures that the workqueue is properly initialized before it is\nused during device resume. And added logic to destroy the workqueue\nin the error handling paths of `hi3110_can_probe` and in the\n`hi3110_can_remove` function to prevent resource leaks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40107",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: qcom-geni: Fix blocked task\n\nRevert commit 1afa70632c39 (\"serial: qcom-geni: Enable PM runtime for\nserial driver\") and its dependent commit 86fa39dd6fb7 (\"serial:\nqcom-geni: Enable Serial on SA8255p Qualcomm platforms\") because the\nfirst one causes regression - hang task on Qualcomm RB1 board (QRB2210)\nand unable to use serial at all during normal boot:\n\n  INFO: task kworker/u16:0:12 blocked for more than 42 seconds.\n        Not tainted 6.17.0-rc1-00004-g53e760d89498 #9\n  \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  task:kworker/u16:0   state:D stack:0     pid:12    tgid:12    ppid:2      task_flags:0x4208060 flags:0x00000010\n  Workqueue: async async_run_entry_fn\n  Call trace:\n   __switch_to+0xe8/0x1a0 (T)\n   __schedule+0x290/0x7c0\n   schedule+0x34/0x118\n   rpm_resume+0x14c/0x66c\n   rpm_resume+0x2a4/0x66c\n   rpm_resume+0x2a4/0x66c\n   rpm_resume+0x2a4/0x66c\n   __pm_runtime_resume+0x50/0x9c\n   __driver_probe_device+0x58/0x120\n   driver_probe_device+0x3c/0x154\n   __driver_attach_async_helper+0x4c/0xc0\n   async_run_entry_fn+0x34/0xe0\n   process_one_work+0x148/0x290\n   worker_thread+0x2c4/0x3e0\n   kthread+0x118/0x1c0\n   ret_from_fork+0x10/0x20\n\nThe issue was reported on 12th of August and was ignored by author of\ncommits introducing issue for two weeks.  Only after complaining author\nproduced a fix which did not work, so if original commits cannot be\nreliably fixed for 5 weeks, they obviously are buggy and need to be\ndropped.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40108",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: rng - Ensure set_ent is always present\n\nEnsure that set_ent is always set since only drbg provides it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40109",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a null-ptr access in the cursor snooper\n\nCheck that the resource which is converted to a surface exists before\ntrying to use the cursor snooper on it.\n\nvmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers\nbecause some svga commands accept SVGA3D_INVALID_ID to mean \"no surface\",\nunfortunately functions that accept the actual surfaces as objects might\n(and in case of the cursor snooper, do not) be able to handle null\nobjects. Make sure that we validate not only the identifier (via the\nvmw_cmd_res_check) but also check that the actual resource exists before\ntrying to do something with it.\n\nFixes unchecked null-ptr reference in the snooping code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40110",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix Use-after-free in validation\n\nNodes stored in the validation duplicates hashtable come from an arena\nallocator that is cleared at the end of vmw_execbuf_process. All nodes\nare expected to be cleared in vmw_validation_drop_ht but this node escaped\nbecause its resource was destroyed prematurely.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40111",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for Niagara\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations and a broken epilogue in the exception handlers. This will\nprevent crashes and ensure correct return values of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40112",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E\n\nThe ADSP firmware on X1E has separate firmware binaries for the main\nfirmware and the DTB. The same applies for the \"lite\" firmware loaded by\nthe boot firmware.\n\nWhen preparing to load the new ADSP firmware we shutdown the lite_pas_id\nfor the main firmware, but we don't shutdown the corresponding lite pas_id\nfor the DTB. The fact that we're leaving it \"running\" forever becomes\nobvious if you try to reuse (or just access) the memory region used by the\n\"lite\" firmware: The &adsp_boot_mem is accessible, but accessing the\n&adsp_boot_dtb_mem results in a crash.\n\nWe don't support reusing the memory regions currently, but nevertheless we\nshould not keep part of the lite firmware running. Fix this by adding the\nlite_dtb_pas_id and shutting it down as well.\n\nWe don't have a way to detect if the lite firmware is actually running yet,\nso ignore the return status of qcom_scm_pas_shutdown() for now. This was\nalready the case before, the assignment to \"ret\" is not used anywhere.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40113",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: Add check for array bounds in veml6075_read_int_time_ms\n\nThe array contains only 5 elements, but the index calculated by\nveml6075_read_int_time_index can range from 0 to 7,\nwhich could lead to out-of-bounds access. The check prevents this issue.\n\nCoverity Issue\nCID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN)\noverrun-local: Overrunning array veml6075_it_ms of 5 4-byte\nelements at element index 7 (byte offset 31) using\nindex int_index (which evaluates to 7)\n\nThis is hardening against potentially broken hardware. Good to have\nbut not necessary to backport.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40114",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-40115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix crash in transport port remove by using ioc_info()\n\nDuring mpt3sas_transport_port_remove(), messages were logged with\ndev_printk() against &mpt3sas_port->port->dev. At this point the SAS\ntransport device may already be partially unregistered or freed, leading\nto a crash when accessing its struct device.\n\nUsing ioc_info(), which logs via the PCI device (ioc->pdev->dev),\nguaranteed to remain valid until driver removal.\n\n[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI\n[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary)\n[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024\n[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70\n[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff\n[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206\n[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32\n[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845\n[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8\n[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000\n[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30\n[83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000\n[83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0\n[83428.295844] PKRU: 55555554\n[83428.295846] Call Trace:\n[83428.295848]  <TASK>\n[83428.295850]  _dev_printk+0x5c/0x80\n[83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]\n[83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas]\n[83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]\n[83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]\n[83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas]\n[83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]\n[83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas]\n[83428.295957]  pci_device_remove+0x3b/0xb0\n[83428.295962]  device_release_driver_internal+0x193/0x200\n[83428.295968]  driver_detach+0x44/0x90\n[83428.295971]  bus_remove_driver+0x69/0xf0\n[83428.295975]  pci_unregister_driver+0x2a/0xb0\n[83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas]\n[83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310\n[83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296000]  ? __x64_sys_getdents64+0x9a/0x110\n[83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296009]  ? syscall_trace_enter+0xf6/0x1b0\n[83428.296014]  do_syscall_64+0x7b/0x2c0\n[83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5\n[83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40115",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: max3421-hcd: Fix error pointer dereference in probe cleanup\n\nThe kthread_run() function returns error pointers so the\nmax3421_hcd->spi_thread pointer can be either error pointers or NULL.\nCheck for both before dereferencing it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40116",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl()\n\nCommit eefb83790a0d (\"misc: pci_endpoint_test: Add doorbell test case\")\nadded NO_BAR (-1) to the pci_barno enum which, in practical terms,\nchanges the enum from an unsigned int to a signed int.  If the user\npasses a negative number in pci_endpoint_test_ioctl() then it results in\nan array underflow in pci_endpoint_test_bar().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n\nSince commit f7b705c238d1 (\"scsi: pm80xx: Set phy_attached to zero when\ndevice is gone\") UBSAN reports:\n\n  UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17\n  index 28 is out of range for type 'pm8001_phy [16]'\n\non rmmod when using an expander.\n\nFor a direct attached device, attached_phy contains the local phy id.\nFor a device behind an expander, attached_phy contains the remote phy\nid, not the local phy id.\n\nI.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a\ndevice behind an expander, attached_phy can be much larger than\npm8001_ha->chip->n_phy (depending on the amount of phys of the\nexpander).\n\nE.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the\nports has an expander connected.  The expander has 31 phys with phy ids\n0-30.\n\nThe pm8001_ha->phy array only contains the phys of the HBA.  It does not\ncontain the phys of the expander.  Thus, it is wrong to use attached_phy\nto index the pm8001_ha->phy array for a device behind an expander.\n\nThus, we can only clear phy_attached for devices that are directly\nattached.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40118",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential null deref in ext4_mb_init()\n\nIn ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called\nwhen sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo\nslab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy()\nlacks null pointer checking, this leads to a null pointer dereference.\n\n==================================================================\nEXT4-fs: no memory for groupinfo slab cache\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: Oops: 0002 [#1] SMP PTI\nCPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none)\nRIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40\nCall Trace:\n <TASK>\n xa_destroy+0x61/0x130\n ext4_mb_init+0x483/0x540\n __ext4_fill_super+0x116d/0x17b0\n ext4_fill_super+0xd3/0x280\n get_tree_bdev_flags+0x132/0x1d0\n vfs_get_tree+0x29/0xd0\n do_new_mount+0x197/0x300\n __x64_sys_mount+0x116/0x150\n do_syscall_64+0x50/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nTherefore, add necessary null check to ext4_mb_avg_fragment_size_destroy()\nto prevent this issue. The same fix is also applied to\next4_mb_largest_free_orders_destroy().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40119",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock\n\nPrevent USB runtime PM (autosuspend) for AX88772* in bind.\n\nusbnet enables runtime PM (autosuspend) by default, so disabling it via\nthe usb_driver flag is ineffective. On AX88772B, autosuspend shows no\nmeasurable power saving with current driver (no link partner, admin\nup/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering\nthe PHY off on admin-down, not from USB autosuspend.\n\nThe real hazard is that with runtime PM enabled, ndo_open() (under RTNL)\nmay synchronously trigger autoresume (usb_autopm_get_interface()) into\nasix_resume() while the USB PM lock is held. Resume paths then invoke\nphylink/phylib and MDIO, which also expect RTNL, leading to possible\ndeadlocks or PM lock vs MDIO wake issues.\n\nTo avoid this, keep the device runtime-PM active by taking a usage\nreference in ax88772_bind() and dropping it in unbind(). A non-zero PM\nusage count blocks runtime suspend regardless of userspace policy\n(.../power/control - pm_runtime_allow/forbid), making this approach\nrobust against sysfs overrides.\n\nHolding a runtime-PM usage ref does not affect system-wide suspend;\nsystem sleep/resume callbacks continue to run as before.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40120",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver just ignores and leaves as is, which may lead to\nunexpected results like OOB access.\n\nThis patch adds the sanity check and corrects the input mapping to the\ncertain default value if an invalid value is passed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40121",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error\n\nWhen running perf_fuzzer on PTL, sometimes the below \"unchecked MSR\n access error\" is seen when accessing IA32_PMC_x_CFG_B MSRs.\n\n[   55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)\n[   55.611280] Call Trace:\n[   55.611282]  <TASK>\n[   55.611284]  ? intel_pmu_config_acr+0x87/0x160\n[   55.611289]  intel_pmu_enable_acr+0x6d/0x80\n[   55.611291]  intel_pmu_enable_event+0xce/0x460\n[   55.611293]  x86_pmu_start+0x78/0xb0\n[   55.611297]  x86_pmu_enable+0x218/0x3a0\n[   55.611300]  ? x86_pmu_enable+0x121/0x3a0\n[   55.611302]  perf_pmu_enable+0x40/0x50\n[   55.611307]  ctx_resched+0x19d/0x220\n[   55.611309]  __perf_install_in_context+0x284/0x2f0\n[   55.611311]  ? __pfx_remote_function+0x10/0x10\n[   55.611314]  remote_function+0x52/0x70\n[   55.611317]  ? __pfx_remote_function+0x10/0x10\n[   55.611319]  generic_exec_single+0x84/0x150\n[   55.611323]  smp_call_function_single+0xc5/0x1a0\n[   55.611326]  ? __pfx_remote_function+0x10/0x10\n[   55.611329]  perf_install_in_context+0xd1/0x1e0\n[   55.611331]  ? __pfx___perf_install_in_context+0x10/0x10\n[   55.611333]  __do_sys_perf_event_open+0xa76/0x1040\n[   55.611336]  __x64_sys_perf_event_open+0x26/0x30\n[   55.611337]  x64_sys_call+0x1d8e/0x20c0\n[   55.611339]  do_syscall_64+0x4f/0x120\n[   55.611343]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nOn PTL, GP counter 0 and 1 doesn't support auto counter reload feature,\nthus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR\nwhich requires to enable auto counter reload on GP counter 0.\n\nThe root cause of this issue is that the check for the auto counter\nreload (ACR) counter mask from user space is incorrect in the\nintel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter\nmask from user space could be set into hw.config1 and then written into\nCFG_B MSRs and trigger the MSR access warning.\n\ne.g., User may create a perf event with ACR counter mask (config2=0xcb),\nand there is only 1 event created, so \"cpuc->n_events\" is 1.\n\nThe correct check condition should be \"i + idx >= cpuc->n_events\"\ninstead of \"i + idx > cpuc->n_events\" (it looks a typo). Otherwise,\nthe counter mask would traverse twice and an invalid \"cpuc->assign[1]\"\nbit (bit 0) is set into hw.config1 and cause MSR accessing error.\n\nBesides, also check if the ACR counter mask corresponding events are\nACR events. If not, filter out these counter mask. If an event is not an\nACR event, it could be scheduled to an HW counter which doesn't support\nACR. It's invalid to add their counter index in ACR counter mask.\n\nFurthermore, remove the WARN_ON_ONCE() since it's easily triggered as\nuser could set any invalid ACR counter mask and the warning message\ncould mislead users.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40122",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Enforce expected_attach_type for tailcall compatibility\n\nYinhao et al. recently reported:\n\n  Our fuzzer tool discovered an uninitialized pointer issue in the\n  bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem.\n  This leads to a NULL pointer dereference when a BPF program attempts to\n  dereference the txq member of struct xdp_buff object.\n\nThe test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the\nentry point for bpf_prog_test_run_xdp() and its expected_attach_type can\nneither be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot\nof a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP\nto pass xdp_is_valid_access() validation. The program returns struct xdp_md's\negress_ifindex, and the latter is only allowed to be accessed under mentioned\nexpected_attach_type. progB is then inserted into the tailcall which progA\ncalls.\n\nThe underlying issue goes beyond XDP though. Another example are programs\nof type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well\nas sock_addr_func_proto() have different logic depending on the programs'\nexpected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME\nshould not be allowed doing a tailcall into a program which calls bpf_bind()\nout of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.\n\nIn short, specifying expected_attach_type allows to open up additional\nfunctionality or restrictions beyond what the basic bpf_prog_type enables.\nThe use of tailcalls must not violate these constraints. Fix it by enforcing\nexpected_attach_type in __bpf_prog_map_compatible().\n\nNote that we only enforce this for tailcall maps, but not for BPF devmaps or\ncpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and\ncpu_map_bpf_prog_run*() which set up a new environment / context and therefore\nthese situations are not prone to this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40123",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III\n\nAnthony Yznaga tracked down that a BUG_ON in ext4 code with large folios\nenabled resulted from copy_from_user() returning impossibly large values\ngreater than the size to be copied. This lead to __copy_from_iter()\nreturning impossible values instead of the actual number of bytes it was\nable to copy.\n\nThe BUG_ON has been reported in\nhttps://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. The exception handlers expect that\n%o2 has already been masked during the bulk copy loop, but the masking was\nperformed after that loop. This will fix the return value of copy_from_user\nand copy_to_user in the faulting case. The behaviour of memcpy stays\nunchanged.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40124",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\n\nIn __blk_mq_update_nr_hw_queues() the return value of\nblk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx\nfails, later changing the number of hw_queues or removing disk will\ntrigger the following warning:\n\n  kernfs: can not remove 'nr_tags', no directory\n  WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160\n  Call Trace:\n   remove_files.isra.1+0x38/0xb0\n   sysfs_remove_group+0x4d/0x100\n   sysfs_remove_groups+0x31/0x60\n   __kobject_del+0x23/0xf0\n   kobject_del+0x17/0x40\n   blk_mq_unregister_hctx+0x5d/0x80\n   blk_mq_sysfs_unregister_hctxs+0x94/0xd0\n   blk_mq_update_nr_hw_queues+0x124/0x760\n   nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n   nullb_device_submit_queues_store+0x92/0x120 [null_blk]\n\nkobject_del() was called unconditionally even if sysfs creation failed.\nFix it by checking the kobject creation status before deleting it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40125",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC\n\nThe referenced commit introduced exception handlers on user-space memory\nreferences in copy_from_user and copy_to_user. These handlers return from\nthe respective function and calculate the remaining bytes left to copy\nusing the current register contents. This commit fixes a couple of bad\ncalculations. This will fix the return value of copy_from_user and\ncopy_to_user in the faulting case. The behaviour of memcpy stays unchanged.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40126",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: ks-sa - fix division by zero in ks_sa_rng_init\n\nFix division by zero in ks_sa_rng_init caused by missing clock\npointer initialization. The clk_get_rate() call is performed on\nan uninitialized clk pointer, resulting in division by zero when\ncalculating delay values.\n\nAdd clock initialization code before using the clock.\n\n\n drivers/char/hw_random/ks-sa-rng.c | 7 +++++++\n 1 file changed, 7 insertions(+)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40127",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix null pointer dereference on zero-length checksum\n\nIn xdr_stream_decode_opaque_auth(), zero-length checksum.len causes\nchecksum.data to be set to NULL. This triggers a NPD when accessing\nchecksum.data in gss_krb5_verify_mic_v2(). This patch ensures that\nthe value of checksum.len is not less than XDR_UNIT.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40129",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix data race in CPU latency PM QoS request handling\n\nThe cpu_latency_qos_add/remove/update_request interfaces lack internal\nsynchronization by design, requiring the caller to ensure thread safety.\nThe current implementation relies on the 'pm_qos_enabled' flag, which is\ninsufficient to prevent concurrent access and cannot serve as a proper\nsynchronization mechanism. This has led to data races and list\ncorruption issues.\n\nA typical race condition call trace is:\n\n[Thread A]\nufshcd_pm_qos_exit()\n  --> cpu_latency_qos_remove_request()\n    --> cpu_latency_qos_apply();\n      --> pm_qos_update_target()\n        --> plist_del              <--(1) delete plist node\n    --> memset(req, 0, sizeof(*req));\n  --> hba->pm_qos_enabled = false;\n\n[Thread B]\nufshcd_devfreq_target\n  --> ufshcd_devfreq_scale\n    --> ufshcd_scale_clks\n      --> ufshcd_pm_qos_update     <--(2) pm_qos_enabled is true\n        --> cpu_latency_qos_update_request\n          --> pm_qos_update_target\n            --> plist_del          <--(3) plist node use-after-free\n\nIntroduces a dedicated mutex to serialize PM QoS operations, preventing\ndata races and ensuring safe access to PM QoS resources, including sysfs\ninterface reads.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40130",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()\n\nIn ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because\nrxcb->peer_id is not updated with a valid value. This is expected\nin monitor mode, where RX frames bypass the regular RX\ndescriptor path that typically sets rxcb->peer_id.\nAs a result, the peer is NULL, and link_id and link_valid fields\nin the RX status are not populated. This leads to a WARN_ON in\nmac80211 when it receives data frame from an associated station\nwith invalid link_id.\n\nFix this potential issue by using ppduinfo->peer_id, which holds\nthe correct peer id for the received frame. This ensures that the\npeer is correctly found and the associated link metadata is updated\naccordingly.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40131",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback\n\nIn create_sdw_dailink() check that sof_end->codec_info->add_sidecar\nis not NULL before calling it.\n\nThe original code assumed that if include_sidecar is true, the codec\non that link has an add_sidecar callback. But there could be other\ncodecs on the same link that do not have an add_sidecar callback.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40132",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().\n\nmptcp_active_enable() is called from subflow_finish_connect(),\nwhich is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always\nunder RCU.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dst_dev_rcu().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40133",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix NULL pointer dereference in __dm_suspend()\n\nThere is a race condition between dm device suspend and table load that\ncan lead to null pointer dereference. The issue occurs when suspend is\ninvoked before table load completes:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000054\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50\nCall Trace:\n  <TASK>\n  blk_mq_quiesce_queue+0x2c/0x50\n  dm_stop_queue+0xd/0x20\n  __dm_suspend+0x130/0x330\n  dm_suspend+0x11a/0x180\n  dev_suspend+0x27e/0x560\n  ctl_ioctl+0x4cf/0x850\n  dm_ctl_ioctl+0xd/0x20\n  vfs_ioctl+0x1d/0x50\n  __se_sys_ioctl+0x9b/0xc0\n  __x64_sys_ioctl+0x19/0x30\n  x64_sys_call+0x2c4a/0x4620\n  do_syscall_64+0x9e/0x1b0\n\nThe issue can be triggered as below:\n\nT1 \t\t\t\t\t\tT2\ndm_suspend\t\t\t\t\ttable_load\n__dm_suspend\t\t\t\t\tdm_setup_md_queue\n\t\t\t\t\t\tdm_mq_init_request_queue\n\t\t\t\t\t\tblk_mq_init_allocated_queue\n\t\t\t\t\t\t=> q->mq_ops = set->ops; (1)\ndm_stop_queue / dm_wait_for_completion\n=> q->tag_set NULL pointer!\t(2)\n\t\t\t\t\t\t=> q->tag_set = set; (3)\n\nFix this by checking if a valid table (map) exists before performing\nrequest-based suspend and waiting for target I/O. When map is NULL,\nskip these table-dependent suspend steps.\n\nEven when map is NULL, no I/O can reach any target because there is\nno table loaded; I/O submitted in this state will fail early in the\nDM layer. Skipping the table-dependent suspend logic in this case\nis safe and avoids NULL pointer dereferences.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40134",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40135",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - request reserved interrupt for virtual function\n\nThe device interrupt vector 3 is an error interrupt for\nphysical function and a reserved interrupt for virtual function.\nHowever, the driver has not registered the reserved interrupt for\nvirtual function. When allocating interrupts, the number of interrupts\nis allocated based on powers of two, which includes this interrupt.\nWhen the system enables GICv4 and the virtual function passthrough\nto the virtual machine, releasing the interrupt in the driver\ntriggers a warning.\n\nThe WARNING report is:\nWARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4\n\nTherefore, register a reserved interrupt for VF and set the\nIRQF_NO_AUTOEN flag to avoid that warning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40136",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate first page in error path of f2fs_truncate()\n\nsyzbot reports a bug as below:\n\nloop0: detected capacity change from 0 to 40427\nF2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)\nF2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.\n------------[ cut here ]------------\nkernel BUG at fs/inode.c:753!\nRIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753\nCall Trace:\n <TASK>\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047\n get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692\n vfs_get_tree+0x8f/0x2b0 fs/super.c:1815\n do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808\n do_mount fs/namespace.c:4136 [inline]\n __do_sys_mount fs/namespace.c:4347 [inline]\n __se_sys_mount+0x317/0x410 fs/namespace.c:4324\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDuring f2fs_evict_inode(), clear_inode() detects that we missed to truncate\nall page cache before destorying inode, that is because in below path, we\nwill create page #0 in cache, but missed to drop it in error path, let's fix\nit.\n\n- evict\n - f2fs_evict_inode\n  - f2fs_truncate\n   - f2fs_convert_inline_inode\n    - f2fs_grab_cache_folio\n    : create page #0 in cache\n    - f2fs_convert_inline_folio\n    : sanity check failed, return -EFSCORRUPTED\n  - clear_inode detects that inode->i_data.nrpages is not zero",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40137",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()\n\nsyzbot reported a f2fs bug as below:\n\nOops: gen[  107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G        W           6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)}\nRIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284\nCall Trace:\n <TASK>\n f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline]\n f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436\n __f2fs_remount fs/f2fs/super.c:2653 [inline]\n f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297\n reconfigure_super+0x224/0x890 fs/super.c:1077\n do_remount fs/namespace.c:3314 [inline]\n path_mount+0xd18/0xfe0 fs/namespace.c:4112\n do_mount fs/namespace.c:4133 [inline]\n __do_sys_mount fs/namespace.c:4344 [inline]\n __se_sys_mount+0x317/0x410 fs/namespace.c:4321\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref\nissue in strcmp().\n\nThe bug can be reproduced w/ below scripts:\nmkfs.f2fs -f /dev/vdb\nmount -t f2fs -o usrquota /dev/vdb /mnt/f2fs\nquotacheck -uc /mnt/f2fs/\numount /mnt/f2fs\nmount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs\nmount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs\numount /mnt/f2fs\n\nSo, before old_qname and new_qname comparison, we need to check whether\nthey are all valid pointers, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40138",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().\n\nsmc_clc_prfx_set() is called during connect() and not under RCU\nnor RTNL.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()\nafter kernel_getsockname().\n\nNote that the returned value of smc_clc_prfx_set() is not used\nin the caller.\n\nWhile at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()\nnot to touch dst there.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40139",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\n\nsyzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.\nThis is the sequence of events that leads to the warning:\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev->tx_urb);\n}\n\nrtl8150_set_multicast() {\n\tnetif_stop_queue();\n\tnetif_wake_queue();\t\t<-- wakes up TX queue before URB is done\n}\n\nrtl8150_start_xmit() {\n\tnetif_stop_queue();\n\tusb_submit_urb(dev->tx_urb);\t<-- double submission\n}\n\nrtl8150_set_multicast being the ndo_set_rx_mode callback should not be\ncalling netif_stop_queue and notif_start_queue as these handle\nTX queue synchronization.\n\nThe net core function dev_set_rx_mode handles the synchronization\nfor rtl8150_set_multicast making it safe to remove these locks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40140",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix possible UAF on iso_conn_free\n\nThis attempt to fix similar issue to sco_conn_free where if the\nconn->sk is not set to NULL may lead to UAF on iso_conn_free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40141",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT\n\nsnd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts\nvia spin_lock_irq(). This also implicitly disables the handling of\nsoftirqs such as TIMER_SOFTIRQ.\nOn PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not\ndisable them. That means a timer can be invoked during spin_lock_irq()\non the same CPU. Due to synchronisations reasons local_bh_disable() has\na per-CPU lock named softirq_ctrl.lock which synchronizes individual\nsoftirq against each other.\nsyz-bot managed to trigger a lockdep report where softirq_ctrl.lock is\nacquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This\nis a possible deadlock.\n\nThe softirq_ctrl.lock can not be made part of spin_lock_irq() as this\nwould lead to too much synchronisation against individual threads on the\nsystem. To avoid the possible deadlock, softirqs must be manually\ndisabled before the lock is acquired.\n\nDisable softirqs before the lock is acquired on PREEMPT_RT.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40142",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: dont report verifier bug for missing bpf_scc_visit on speculative path\n\nSyzbot generated a program that triggers a verifier_bug() call in\nmaybe_exit_scc(). maybe_exit_scc() assumes that, when called for a\nstate with insn_idx in some SCC, there should be an instance of struct\nbpf_scc_visit allocated for that SCC. Turns out the assumption does\nnot hold for speculative execution paths. See example in the next\npatch.\n\nmaybe_scc_exit() is called from update_branch_counts() for states that\nreach branch count of zero, meaning that path exploration for a\nparticular path is finished. Path exploration can finish in one of\nthree ways:\na. Verification error is found. In this case, update_branch_counts()\n   is called only for non-speculative paths.\nb. Top level BPF_EXIT is reached. Such instructions are never a part of\n   an SCC, so compute_scc_callchain() in maybe_scc_exit() will return\n   false, and maybe_scc_exit() will return early.\nc. A checkpoint is reached and matched. Checkpoints are created by\n   is_state_visited(), which calls maybe_enter_scc(), which allocates\n   bpf_scc_visit instances for checkpoints within SCCs.\n\nHence, for non-speculative symbolic execution paths, the assumption\nstill holds: if maybe_scc_exit() is called for a state within an SCC,\nbpf_scc_visit instance must exist.\n\nThis patch removes the verifier_bug() call for speculative paths.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40143",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure\n\nWhen devm_add_action_or_reset() fails, it calls the passed cleanup\nfunction.  Hence the caller must not repeat that cleanup.\n\nReplace the \"goto err_regulator_free\" by the actual freeing, as there\nwill never be a need again for a second user of this label.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40145",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix potential deadlock while nr_requests grown\n\nAllocate and free sched_tags while queue is freezed can deadlock[1],\nthis is a long term problem, hence allocate memory before freezing\nqueue and free memory after queue is unfreezed.\n\n[1] https://lore.kernel.org/all/0659ea8d-a463-47c8-9180-43c719e106eb@linux.ibm.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: fix access race during throttle policy activation\n\nOn repeated cold boots we occasionally hit a NULL pointer crash in\nblk_should_throtl() when throttling is consulted before the throttle\npolicy is fully enabled for the queue. Checking only q->td != NULL is\ninsufficient during early initialization, so blkg_to_pd() for the\nthrottle policy can still return NULL and blkg_to_tg() becomes NULL,\nwhich later gets dereferenced.\n\n Unable to handle kernel NULL pointer dereference\n at virtual address 0000000000000156\n ...\n pc : submit_bio_noacct+0x14c/0x4c8\n lr : submit_bio_noacct+0x48/0x4c8\n sp : ffff800087f0b690\n x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0\n x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70\n x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff\n x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c\n x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60\n x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002\n x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500\n x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a\n Call trace:\n  submit_bio_noacct+0x14c/0x4c8\n  verity_map+0x178/0x2c8\n  __map_bio+0x228/0x250\n  dm_submit_bio+0x1c4/0x678\n  __submit_bio+0x170/0x230\n  submit_bio_noacct_nocheck+0x16c/0x388\n  submit_bio_noacct+0x16c/0x4c8\n  submit_bio+0xb4/0x210\n  f2fs_submit_read_bio+0x4c/0xf0\n  f2fs_mpage_readpages+0x3b0/0x5f0\n  f2fs_readahead+0x90/0xe8\n\nTighten blk_throtl_activated() to also require that the throttle policy\nbit is set on the queue:\n\n  return q->td != NULL &&\n         test_bit(blkcg_policy_throtl.plid, q->blkcg_pols);\n\nThis prevents blk_should_throtl() from accessing throttle group state\nuntil policy data has been attached to blkgs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40147",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions\n\nThe function dc_stream_set_cursor_attributes() currently dereferences\nthe `stream` pointer and nested members `stream->ctx->dc->current_state`\nwithout checking for NULL.\n\nAll callers of these functions, such as in\n`dcn30_apply_idle_power_optimizations()` and\n`amdgpu_dm_plane_handle_cursor_update()`, already perform NULL checks\nbefore calling these functions.\n\nFixes below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes()\nerror: we previously assumed 'stream' could be null (see line 334)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n    327 bool dc_stream_program_cursor_attributes(\n    328         struct dc_stream_state *stream,\n    329         const struct dc_cursor_attributes *attributes)\n    330 {\n    331         struct dc  *dc;\n    332         bool reset_idle_optimizations = false;\n    333\n    334         dc = stream ? stream->ctx->dc : NULL;\n                     ^^^^^^\nThe old code assumed stream could be NULL.\n\n    335\n--> 336         if (dc_stream_set_cursor_attributes(stream, attributes)) {\n                                                    ^^^^^^\nThe refactor added an unchecked dereference.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n   313  bool dc_stream_set_cursor_attributes(\n   314          struct dc_stream_state *stream,\n   315          const struct dc_cursor_attributes *attributes)\n   316  {\n   317          bool result = false;\n   318\n   319          if (dc_stream_check_cursor_attributes(stream, stream->ctx->dc->current_state, attributes)) {\n                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here.\nThis function used to check for if stream as NULL and return false at\nthe start. Probably we should add that back.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40148",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only ->ndo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40149",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid migrating empty section\n\nIt reports a bug from device w/ zufs:\n\nF2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT\nF2FS-fs (dm-64): Stopped filesystem due to reason: 4\n\nThread A\t\t\t\tThread B\n- f2fs_expand_inode_data\n - f2fs_allocate_pinning_section\n  - f2fs_gc_range\n   - do_garbage_collect w/ segno #x\n\t\t\t\t\t- writepage\n\t\t\t\t\t - f2fs_allocate_data_block\n\t\t\t\t\t  - new_curseg\n\t\t\t\t\t   - allocate segno #x\n\nThe root cause is: fallocate on pinning file may race w/ block allocation\nas above, result in do_garbage_collect() from fallocate() may migrate\nsegment which is just allocated by a log, the log will update segment type\nin its in-memory structure, however GC will get segment type from on-disk\nSSA block, once segment type changes by log, we can detect such\ninconsistency, then shutdown filesystem.\n\nIn this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),\nhowever segno #173822 was just allocated as data type segment, so in-memory\nSIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).\n\nChange as below to fix this issue:\n- check whether current section is empty before gc\n- add sanity checks on do_garbage_collect() to avoid any race case, result\nin migrating segment used by log.\n- btw, it fixes misc issue in printed logs: \"SSA and SIT\" -> \"SIT and SSA\".",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40150",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: No support of struct argument in trampoline programs\n\nThe current implementation does not support struct argument. This causes\na oops when running bpf selftest:\n\n  $ ./test_progs -a tracing_struct\n  Oops[#1]:\n  CPU -1 Unable to handle kernel paging request at virtual address 0000000000000018, era == 9000000085bef268, ra == 90000000844f3938\n  rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n  rcu:     1-...0: (19 ticks this GP) idle=1094/1/0x4000000000000000 softirq=1380/1382 fqs=801\n  rcu:     (detected by 0, t=5252 jiffies, g=1197, q=52 ncpus=4)\n  Sending NMI from CPU 0 to CPUs 1:\n  rcu: rcu_preempt kthread starved for 2495 jiffies! g1197 f0x0 RCU_GP_DOING_FQS(6) ->state=0x0 ->cpu=2\n  rcu:     Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.\n  rcu: RCU grace-period kthread stack dump:\n  task:rcu_preempt     state:I stack:0     pid:15    tgid:15    ppid:2      task_flags:0x208040 flags:0x00000800\n  Stack : 9000000100423e80 0000000000000402 0000000000000010 90000001003b0680\n          9000000085d88000 0000000000000000 0000000000000040 9000000087159350\n          9000000085c2b9b0 0000000000000001 900000008704a000 0000000000000005\n          00000000ffff355b 00000000ffff355b 0000000000000000 0000000000000004\n          9000000085d90510 0000000000000000 0000000000000002 7b5d998f8281e86e\n          00000000ffff355c 7b5d998f8281e86e 000000000000003f 9000000087159350\n          900000008715bf98 0000000000000005 9000000087036000 900000008704a000\n          9000000100407c98 90000001003aff80 900000008715c4c0 9000000085c2b9b0\n          00000000ffff355b 9000000085c33d3c 00000000000000b4 0000000000000000\n          9000000007002150 00000000ffff355b 9000000084615480 0000000007000002\n          ...\n  Call Trace:\n  [<9000000085c2a868>] __schedule+0x410/0x1520\n  [<9000000085c2b9ac>] schedule+0x34/0x190\n  [<9000000085c33d38>] schedule_timeout+0x98/0x140\n  [<90000000845e9120>] rcu_gp_fqs_loop+0x5f8/0x868\n  [<90000000845ed538>] rcu_gp_kthread+0x260/0x2e0\n  [<900000008454e8a4>] kthread+0x144/0x238\n  [<9000000085c26b60>] ret_from_kernel_thread+0x28/0xc8\n  [<90000000844f20e4>] ret_from_kernel_thread_asm+0xc/0x88\n\n  rcu: Stack dump where RCU GP kthread last ran:\n  Sending NMI from CPU 0 to CPUs 2:\n  NMI backtrace for cpu 2 skipped: idling at idle_exit+0x0/0x4\n\nReject it for now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40151",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix bootup splat with separate_gpu_drm modparam\n\nThe drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses\ndrm_gem_obj.gpuva.list, which is not initialized when the drm driver\ndoes not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms\ndrm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam\nis set:\n\n[    9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0\n[    9.523160] Mem abort info:\n[    9.523161]   ESR = 0x0000000096000006\n[    9.523163]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    9.523165]   SET = 0, FnV = 0\n[    9.523166]   EA = 0, S1PTW = 0\n[    9.523167]   FSC = 0x06: level 2 translation fault\n[    9.523169] Data abort info:\n[    9.523170]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[    9.523171]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    9.523172]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000\n[    9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000\n[    9.523184] Internal error: Oops: 0000000096000006 [#1]  SMP\n[    9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT\n[    9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024\n[    9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    9.592973] pc : lookup_vma+0x28/0xe0 [msm]\n[    9.592996] lr : get_vma_locked+0x2c/0x128 [msm]\n[    9.763632] sp : ffff800082dab460\n[    9.763666] Call trace:\n[    9.763668]  lookup_vma+0x28/0xe0 [msm] (P)\n[    9.763688]  get_vma_locked+0x2c/0x128 [msm]\n[    9.763706]  msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]\n[    9.763723]  msm_gem_get_and_pin_iova+0x18/0x24 [msm]\n[    9.763740]  msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]\n[    9.763760]  __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]\n[    9.763771]  drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]\n[    9.763779]  drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]\n[    9.763782]  drm_client_register+0x58/0x9c [drm]\n[    9.763806]  drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]\n[    9.763809]  drm_client_setup+0xb4/0xd8 [drm_client_lib]\n[    9.763811]  msm_drm_kms_post_init+0x2c/0x3c [msm]\n[    9.763830]  msm_drm_init+0x1a8/0x22c [msm]\n[    9.763848]  msm_drm_bind+0x30/0x3c [msm]\n[    9.919273]  try_to_bring_up_aggregate_device+0x168/0x1d4\n[    9.919283]  __component_add+0xa4/0x170\n[    9.919286]  component_add+0x14/0x20\n[    9.919288]  msm_dp_display_probe_tail+0x4c/0xac [msm]\n[    9.919315]  msm_dp_auxbus_done_probe+0x14/0x20 [msm]\n[    9.919335]  dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]\n[    9.919341]  really_probe+0xbc/0x298\n[    9.919345]  __driver_probe_device+0x78/0x12c\n[    9.919348]  driver_probe_device+0x40/0x160\n[    9.919350]  __driver_attach+0x94/0x19c\n[    9.919353]  bus_for_each_dev+0x74/0xd4\n[    9.919355]  driver_attach+0x24/0x30\n[    9.919358]  bus_add_driver+0xe4/0x208\n[    9.919360]  driver_register+0x60/0x128\n[    9.919363]  __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]\n[    9.919365]  atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]\n[    9.919370]  do_one_initcall+0x6c/0x1b0\n[    9.919374]  do_init_module+0x58/0x234\n[    9.919377]  load_module+0x19cc/0x1bd4\n[    9.919380]  init_module_from_file+0x84/0xc4\n[    9.919382]  __arm64_sys_finit_module+0x1b8/0x2cc\n[    9.919384]  invoke_syscall+0x48/0x110\n[    9.919389]  el0_svc_common.constprop.0+0xc8/0xe8\n[    9.919393]  do_el0_svc+0x20/0x2c\n[    9.919396]  el0_svc+0x34/0xf0\n[    9.919401]  el0t_64_sync_handler+0xa0/0xe4\n[    9.919403]  el0t_64_sync+0x198/0x19c\n[    9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)\n[    9.919410] ---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/pa\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40152",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: avoid soft lockup when mprotect to large memory area\n\nWhen calling mprotect() to a large hugetlb memory area in our customer's\nworkload (~300GB hugetlb memory), soft lockup was observed:\n\nwatchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]\n\nCPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7\nHardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc\u00a0: mte_clear_page_tags+0x14/0x24\nlr\u00a0: mte_sync_tags+0x1c0/0x240\nsp\u00a0: ffff80003150bb80\nx29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000\nx26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458\nx23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000\nx20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c\nx8\u00a0: 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5\u00a0: fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000\nx2\u00a0: 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000\n\nCall trace:\n\u00a0\u00a0mte_clear_page_tags+0x14/0x24\n\u00a0\u00a0set_huge_pte_at+0x25c/0x280\n\u00a0\u00a0hugetlb_change_protection+0x220/0x430\n\u00a0\u00a0change_protection+0x5c/0x8c\n\u00a0\u00a0mprotect_fixup+0x10c/0x294\n\u00a0\u00a0do_mprotect_pkey.constprop.0+0x2e0/0x3d4\n\u00a0\u00a0__arm64_sys_mprotect+0x24/0x44\n\u00a0\u00a0invoke_syscall+0x50/0x160\n\u00a0\u00a0el0_svc_common+0x48/0x144\n\u00a0\u00a0do_el0_svc+0x30/0xe0\n\u00a0\u00a0el0_svc+0x30/0xf0\n\u00a0\u00a0el0t_64_sync_handler+0xc4/0x148\n\u00a0\u00a0el0t_64_sync+0x1a4/0x1a8\n\nSoft lockup is not triggered with THP or base page because there is\ncond_resched() called for each PMD size.\n\nAlthough the soft lockup was triggered by MTE, it should be not MTE\nspecific.  The other processing which takes long time in the loop may\ntrigger soft lockup too.\n\nSo add cond_resched() for hugetlb to avoid soft lockup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40153",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n\nWhen an invalid value is passed via quirk option, currently\nbytcr_rt5640 driver only shows an error message but leaves as is.\nThis may lead to unexpected results like OOB access.\n\nThis patch corrects the input mapping to the certain default value if\nan invalid value is passed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40154",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: debugfs: Fix legacy mode page table dump logic\n\nIn legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR\nmaybe uninitialized or zero in that case and may cause oops like:\n\n Oops: general protection fault, probably for non-canonical address\n       0xf00087d3f000f000: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n RIP: 0010:pgtable_walk_level+0x98/0x150\n RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206\n RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e\n RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000\n RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002\n R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000\n R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98\n FS:  0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  pgtable_walk_level+0x88/0x150\n  domain_translation_struct_show.isra.0+0x2d9/0x300\n  dev_domain_translation_struct_show+0x20/0x40\n  seq_read_iter+0x12d/0x490\n...\n\nAvoid walking the page table if TT is not 00b or 01b.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()\n\nThe drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) which\nwould lead to a error pointer dereference.  Use IS_ERR_OR_NULL() to check\nthat the pointer is valid.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40156",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/i10nm: Skip DIMM enumeration on a disabled memory controller\n\nWhen loading the i10nm_edac driver on some Intel Granite Rapids servers,\na call trace may appear as follows:\n\n  UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16\n  shift exponent -66 is negative\n  ...\n  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390\n  skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common]\n  i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac]\n  skx_register_mci+0x159/0x220 [skx_edac_common]\n  i10nm_init+0xcb0/0x1ff0 [i10nm_edac]\n  ...\n\nThis occurs because some BIOS may disable a memory controller if there\naren't any memory DIMMs populated on this memory controller. The DIMMMTR\nregister of this disabled memory controller contains the invalid value\n~0, resulting in the call trace above.\n\nFix this call trace by skipping DIMM enumeration on a disabled memory\ncontroller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40157",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_output()\n\nUse RCU in ip6_output() in order to use dst_dev_rcu() to prevent\npossible UAF.\n\nWe can remove rcu_read_lock()/rcu_read_unlock() pairs\nfrom ip6_finish_output2().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40158",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc->addr with a non-zero pool->tx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn't happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc->len to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc->addr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction                                     old     new   delta\nxskq_cons_peek_desc                          299     330     +31\nxsk_tx_peek_release_desc_batch               973    1002     +29\nxsk_generic_xmit                            3148    3132     -16\n\nbut hopefully this doesn't hurt the performance much.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40159",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: Return -EEXIST for bound VIRQs\n\nChange find_virq() to return -EEXIST when a VIRQ is bound to a\ndifferent CPU than the one passed in.  With that, remove the BUG_ON()\nfrom bind_virq_to_irq() to propagate the error upwards.\n\nSome VIRQs are per-cpu, but others are per-domain or global.  Those must\nbe bound to CPU0 and can then migrate elsewhere.  The lookup for\nper-domain and global will probably fail when migrated off CPU 0,\nespecially when the current CPU is tracked.  This now returns -EEXIST\ninstead of BUG_ON().\n\nA second call to bind a per-domain or global VIRQ is not expected, but\nmake it non-fatal to avoid trying to look up the irq, since we don't\nknow which per_cpu(virq_to_irq) it will be in.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40160",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynqmp-ipi: Fix SGI cleanup on unbind\n\nThe driver incorrectly determines SGI vs SPI interrupts by checking IRQ\nnumber < 16, which fails with dynamic IRQ allocation. During unbind,\nthis causes improper SGI cleanup leading to kernel crash.\n\nAdd explicit irq_type field to pdata for reliable identification of SGI\ninterrupts (type-2) and only clean up SGI resources when appropriate.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40161",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails\n\ndevm_kasprintf() may return NULL on memory allocation failure,\nbut the debug message prints cpus->dai_name before checking it.\nMove the dev_dbg() call after the NULL check to prevent potential\nNULL pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40162",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Stop dl_server before CPU goes offline\n\nIBM CI tool reported kernel warning[1] when running a CPU removal\noperation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"\n\nWARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170\nNIP [c0000000002b6ed8] cpudl_set+0x58/0x170\nLR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0\nCall Trace:\n[c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable)\n[c0000000002b7cb8] dl_server_timer+0x168/0x2a0\n[c00000000034df84] __hrtimer_run_queues+0x1a4/0x390\n[c00000000034f624] hrtimer_interrupt+0x124/0x300\n[c00000000002a230] timer_interrupt+0x140/0x320\n\nGit bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")\n\nThis happens since:\n- dl_server hrtimer gets enqueued close to cpu offline, when\n  kthread_park enqueues a fair task.\n- CPU goes offline and drmgr removes it from cpu_present_mask.\n- hrtimer fires and warning is hit.\n\nFix it by stopping the dl_server before CPU is marked dead.\n\n[1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/\n[2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr\n\n[sshegde: wrote the changelog and tested it]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40163",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40164",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: m2m: Fix streaming cleanup on release\n\nIf streamon/streamoff calls are imbalanced, such as when exiting an\napplication with Ctrl+C when streaming, the m2m usage_count will never\nreach zero and the ISI channel won't be freed. Besides from that, if the\ninput line width is more than 2K, it will trigger a WARN_ON():\n\n[ 59.222120] ------------[ cut here ]------------\n[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654\n[ 59.238569] Modules linked in: ap1302\n[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT\n[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)\n[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120\n[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120\n[ 59.275047] sp : ffff8000848c3b40\n[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00\n[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001\n[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780\n[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000\n[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c\n[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30\n[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420\n[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000\n[ 59.349590] Call trace:\n[ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P)\n[ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c\n[ 59.361072]  v4l_streamon+0x24/0x30\n[ 59.364556]  __video_do_ioctl+0x40c/0x4a0\n[ 59.368560]  video_usercopy+0x2bc/0x690\n[ 59.372382]  video_ioctl2+0x18/0x24\n[ 59.375857]  v4l2_ioctl+0x40/0x60\n[ 59.379168]  __arm64_sys_ioctl+0xac/0x104\n[ 59.383172]  invoke_syscall+0x48/0x104\n[ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0\n[ 59.391613]  do_el0_svc+0x1c/0x28\n[ 59.394915]  el0_svc+0x34/0xf4\n[ 59.397966]  el0t_64_sync_handler+0xa0/0xe4\n[ 59.402143]  el0t_64_sync+0x198/0x19c\n[ 59.405801] ---[ end trace 0000000000000000 ]---\n\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nv4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40165",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Check GuC running state before deregistering exec queue\n\nIn normal operation, a registered exec queue is disabled and\nderegistered through the GuC, and freed only after the GuC confirms\ncompletion. However, if the driver is forced to unbind while the exec\nqueue is still running, the user may call exec_destroy() after the GuC\nhas already been stopped and CT communication disabled.\n\nIn this case, the driver cannot receive a response from the GuC,\npreventing proper cleanup of exec queue resources. Fix this by directly\nreleasing the resources when GuC is not running.\n\nHere is the failure dmesg log:\n\"\n[  468.089581] ---[ end trace 0000000000000000 ]---\n[  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535)\n[  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535\n[  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1\n[  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1)\n[  468.092716] ------------[ cut here ]------------\n[  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe]\n\"\n\nv2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().\n    As CT may go down and come back during VF migration.\n\n(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40166",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: detect invalid INLINE_DATA + EXTENTS flag combination\n\nsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity\nfile on a corrupted ext4 filesystem mounted without a journal.\n\nThe issue is that the filesystem has an inode with both the INLINE_DATA\nand EXTENTS flags set:\n\n    EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:\n    comm syz.0.17: corrupted extent tree: lblk 0 < prev 66\n\nInvestigation revealed that the inode has both flags set:\n    DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1\n\nThis is an invalid combination since an inode should have either:\n- INLINE_DATA: data stored directly in the inode\n- EXTENTS: data stored in extent-mapped blocks\n\nHaving both flags causes ext4_has_inline_data() to return true, skipping\nextent tree validation in __ext4_iget(). The unvalidated out-of-order\nextents then trigger a BUG_ON in ext4_es_cache_extent() due to integer\nunderflow when calculating hole sizes.\n\nFix this by detecting this invalid flag combination early in ext4_iget()\nand rejecting the corrupted inode.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().\n\nsmc_clc_prfx_match() is called from smc_listen_work() and\nnot under RCU nor RTNL.\n\nUsing sk_dst_get(sk)->dev could trigger UAF.\n\nLet's use __sk_dst_get() and dst_dev_rcu().\n\nNote that the returned value of smc_clc_prfx_match() is not\nused in the caller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject negative offsets for ALU ops\n\nWhen verifying BPF programs, the check_alu_op() function validates\ninstructions with ALU operations. The 'offset' field in these\ninstructions is a signed 16-bit integer.\n\nThe existing check 'insn->off > 1' was intended to ensure the offset is\neither 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' is\nsigned, this check incorrectly accepts all negative values (e.g., -1).\n\nThis commit tightens the validation by changing the condition to\n'(insn->off != 0 && insn->off != 1)'. This ensures that any value\nother than the explicitly permitted 0 and 1 is rejected, hardening the\nverifier against malformed BPF programs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use dst_dev_rcu() in sk_setup_caps()\n\nUse RCU to protect accesses to dst->dev from sk_setup_caps()\nand sk_dst_gso_max_size().\n\nAlso use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),\nand ip_dst_mtu_maybe_forward().\n\nip4_dst_hoplimit() can use dst_dev_net_rcu().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: move lsop put work to nvmet_fc_ls_req_op\n\nIt\u2019s possible for more than one async command to be in flight from\n__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.\n\nIn the current code, only one put work item is queued at a time, which\nresults in a leaked reference.\n\nTo fix this, move the work item to the nvmet_fc_ls_req_op struct, which\nalready tracks all resources related to the command.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()\n\nCurrently, if find_and_map_user_pages() takes a DMA xfer request from the\nuser with a length field set to 0, or in a rare case, the host receives\nQAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size\nis equal to the requested transaction size, the function will return 0\nbefore allocating an sgt or setting the fields of the dma_xfer struct.\nIn that case, encode_addr_size_pairs() will try to access the sgt which\nwill lead to a general protection fault.\n\nReturn an EINVAL in case the user provides a zero-sized ALP, or the device\nrequests continuation after all of the bytes have been transferred.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ip6_tunnel: Prevent perpetual tunnel growth\n\nSimilarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.\nWhile ipv4 tunnel headroom adjustment growth was limited in\ncommit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"),\nipv6 tunnel yet increases the headroom without any ceiling.\n\nReflect ipv4 tunnel headroom adjustment limit on ipv6 version.\n\nCredits to Francesco Ruggeri, who was originally debugging this issue\nand wrote local Arista-specific patch and a reproducer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix SMP ordering in switch_mm_irqs_off()\n\nStephen noted that it is possible to not have an smp_mb() between\nthe loaded_mm store and the tlb_gen load in switch_mm(), meaning the\nordering against flush_tlb_mm_range() goes out the window, and it\nbecomes possible for switch_mm() to not observe a recent tlb_gen\nupdate and fail to flush the TLBs.\n\n[ dhansen: merge conflict fixed by Ingo ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: cleanup remaining SKBs in PTP flows\n\nWhen the driver requests Tx timestamp value, one of the first steps is\nto clone SKB using skb_get. It increases the reference counter for that\nSKB to prevent unexpected freeing by another component.\nHowever, there may be a case where the index is requested, SKB is\nassigned and never consumed by PTP flows - for example due to reset during\nrunning PTP apps.\n\nAdd a check in release timestamping function to verify if the SKB\nassigned to Tx timestamp latch was freed, and release remaining SKBs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: wait for pending async decryptions if tls_strp_msg_hold fails\n\nAsync decryption calls tls_strp_msg_hold to create a clone of the\ninput skb to hold references to the memory it uses. If we fail to\nallocate that clone, proceeding with async decryption can lead to\nvarious issues (UAF on the skb, writing into userspace memory after\nthe recv() call has returned).\n\nIn this case, wait for all pending decryption requests.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix bootlog initialization ordering\n\nAs soon as we queue MHI buffers to receive the bootlog from the device,\nwe could be receiving data. Therefore all the resources needed to\nprocess that data need to be setup prior to queuing the buffers.\n\nWe currently initialize some of the resources after queuing the buffers\nwhich creates a race between the probe() and any data that comes back\nfrom the device. If the uninitialized resources are accessed, we could\nsee page faults.\n\nFix the init ordering to close the race.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: Add a judgment for ns null in pid_nr_ns\n\n__task_pid_nr_ns\n        ns = task_active_pid_ns(current);\n        pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);\n                if (pid && ns->level <= pid->level) {\n\nSometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.\n\nFor example:\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n\tMem abort info:\n\tESR = 0x0000000096000007\n\tEC = 0x25: DABT (current EL), IL = 32 bits\n\tSET = 0, FnV = 0\n\tEA = 0, S1PTW = 0\n\tFSC = 0x07: level 3 translation fault\n\tData abort info:\n\tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n\tCM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000\n\t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000\n\tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : __task_pid_nr_ns+0x74/0xd0\n\tlr : __task_pid_nr_ns+0x24/0xd0\n\tsp : ffffffc08001bd10\n\tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001\n\tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31\n\tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0\n\tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000\n\tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc\n\tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800\n\tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001\n\tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449\n\tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc\n\tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0\n\tCall trace:\n\t__task_pid_nr_ns+0x74/0xd0\n\t...\n\t__handle_irq_event_percpu+0xd4/0x284\n\thandle_irq_event+0x48/0xb0\n\thandle_fasteoi_irq+0x160/0x2d8\n\tgeneric_handle_domain_irq+0x44/0x60\n\tgic_handle_irq+0x4c/0x114\n\tcall_on_irq_stack+0x3c/0x74\n\tdo_interrupt_handler+0x4c/0x84\n\tel1_interrupt+0x34/0x58\n\tel1h_64_irq_handler+0x18/0x24\n\tel1h_64_irq+0x68/0x6c\n\taccount_kernel_stack+0x60/0x144\n\texit_task_stack_account+0x1c/0x80\n\tdo_exit+0x7e4/0xaf8\n\t...\n\tget_signal+0x7bc/0x8d8\n\tdo_notify_resume+0x128/0x828\n\tel0_svc+0x6c/0x70\n\tel0t_64_sync_handler+0x68/0xbc\n\tel0t_64_sync+0x1a8/0x1ac\n\tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception in interrupt",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: verify orphan file size is not too big\n\nIn principle orphan file can be arbitrarily large. However orphan replay\nneeds to traverse it all and we also pin all its buffers in memory. Thus\nfilesystems with absurdly large orphan files can lead to big amounts of\nmemory consumed. Limit orphan file size to a sane value and also use\nkvmalloc() for allocating array of block descriptor structures to avoid\nlarge order allocations for sane but large orphan files.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop\n\nThe cleanup loop was starting at the wrong array index, causing\nout-of-bounds access.\nStart the loop at the correct index for zero-indexed arrays to prevent\naccessing memory beyond the allocated array bounds.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP\n\nWhen running as an SNP or TDX guest under KVM, force the legacy PCI hole,\ni.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC\nvia a forced variable MTRR range.\n\nIn most KVM-based setups, legacy devices such as the HPET and TPM are\nenumerated via ACPI.  ACPI enumeration includes a Memory32Fixed entry, and\noptionally a SystemMemory descriptor for an OperationRegion, e.g. if the\ndevice needs to be accessed via a Control Method.\n\nIf a SystemMemory entry is present, then the kernel's ACPI driver will\nauto-ioremap the region so that it can be accessed at will.  However, the\nACPI spec doesn't provide a way to enumerate the memory type of\nSystemMemory regions, i.e. there's no way to tell software that a region\nmust be mapped as UC vs. WB, etc.  As a result, Linux's ACPI driver always\nmaps SystemMemory regions using ioremap_cache(), i.e. as WB on x86.\n\nThe dedicated device drivers however, e.g. the HPET driver and TPM driver,\nwant to map their associated memory as UC or WC, as accessing PCI devices\nusing WB is unsupported.\n\nOn bare metal and non-CoCO, the conflicting requirements \"work\" as firmware\nconfigures the PCI hole (and other device memory) to be UC in the MTRRs.\nSo even though the ACPI mappings request WB, they are forced to UC- in the\nkernel's tracking due to the kernel properly handling the MTRR overrides,\nand thus are compatible with the drivers' requested WC/UC-.\n\nWith force WB MTRRs on SNP and TDX guests, the ACPI mappings get their\nrequested WB if the ACPI mappings are established before the dedicated\ndriver code attempts to initialize the device.  E.g. if acpi_init()\nruns before the corresponding device driver is probed, ACPI's WB mapping\nwill \"win\", and result in the driver's ioremap() failing because the\nexisting WB mapping isn't compatible with the requested WC/UC-.\n\nE.g. when a TPM is emulated by the hypervisor (ignoring the security\nimplications of relying on what is allegedly an untrusted entity to store\nmeasurements), the TPM driver will request UC and fail:\n\n  [  1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0\n  [  1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12\n\nNote, the '0x2' and '0x0' values refer to \"enum page_cache_mode\", not x86's\nmemtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC).\nE.g. tracing mapping requests for TPM TIS yields:\n\n Mapping TPM TIS with req_type = 0\n WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460\n Modules linked in:\n CPU: 22 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W           6.16.0-rc7+ #2 VOLUNTARY\n Tainted: [W]=WARN\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025\n RIP: 0010:memtype_reserve+0x2ab/0x460\n  __ioremap_caller+0x16d/0x3d0\n  ioremap_cache+0x17/0x30\n  x86_acpi_os_ioremap+0xe/0x20\n  acpi_os_map_iomem+0x1f3/0x240\n  acpi_os_map_memory+0xe/0x20\n  acpi_ex_system_memory_space_handler+0x273/0x440\n  acpi_ev_address_space_dispatch+0x176/0x4c0\n  acpi_ex_access_region+0x2ad/0x530\n  acpi_ex_field_datum_io+0xa2/0x4f0\n  acpi_ex_extract_from_field+0x296/0x3e0\n  acpi_ex_read_data_from_field+0xd1/0x460\n  acpi_ex_resolve_node_to_value+0x2ee/0x530\n  acpi_ex_resolve_to_value+0x1f2/0x540\n  acpi_ds_evaluate_name_path+0x11b/0x190\n  acpi_ds_exec_end_op+0x456/0x960\n  acpi_ps_parse_loop+0x27a/0xa50\n  acpi_ps_parse_aml+0x226/0x600\n  acpi_ps_execute_method+0x172/0x3e0\n  acpi_ns_evaluate+0x175/0x5f0\n  acpi_evaluate_object+0x213/0x490\n  acpi_evaluate_integer+0x6d/0x140\n  acpi_bus_get_status+0x93/0x150\n  acpi_add_single_object+0x43a/0x7c0\n  acpi_bus_check_add+0x149/0x3a0\n  acpi_bus_check_add_1+0x16/0x30\n  acpi_ns_walk_namespace+0x22c/0x360\n  acpi_walk_namespace+0x15c/0x170\n  acpi_bus_scan+0x1dd/0x200\n  acpi_scan_init+0xe5/0x2b0\n  acpi_init+0x264/0x5b0\n  do_one_i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: skcipher - Fix reqsize handling\n\nCommit afddce13ce81d (\"crypto: api - Add reqsize to crypto_alg\")\nintroduced cra_reqsize field in crypto_alg struct to replace type\nspecific reqsize fields. It looks like this was introduced specifically\nfor ahash and acomp from the commit description as subsequent commits\nadd necessary changes in these alg frameworks.\n\nHowever, this is being recommended for use in all crypto algs [1]\ninstead of setting reqsize using crypto_*_set_reqsize(). Using\ncra_reqsize in skcipher algorithms, hence, causes memory\ncorruptions and crashes as the underlying functions in the algorithm\nframework have not been updated to set the reqsize properly from\ncra_reqsize. [2]\n\nAdd proper set_reqsize calls in the skcipher init function to\nproperly initialize reqsize for these algorithms in the framework.\n\n[1]: https://lore.kernel.org/linux-crypto/aCL8BxpHr5OpT04k@gondor.apana.org.au/\n[2]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}\n\nCilium has a BPF egress gateway feature which forces outgoing K8s Pod\ntraffic to pass through dedicated egress gateways which then SNAT the\ntraffic in order to interact with stable IPs outside the cluster.\n\nThe traffic is directed to the gateway via vxlan tunnel in collect md\nmode. A recent BPF change utilized the bpf_redirect_neigh() helper to\nforward packets after the arrival and decap on vxlan, which turned out\nover time that the kmalloc-256 slab usage in kernel was ever-increasing.\n\nThe issue was that vxlan allocates the metadata_dst object and attaches\nit through a fake dst entry to the skb. The latter was never released\nthough given bpf_redirect_neigh() was merely setting the new dst entry\nvia skb_dst_set() without dropping an existing one first.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix debug checking for np-guests using huge mappings\n\nWhen running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then\nthe debug checking in assert_host_shared_guest() fails on the launch of an\nnp-guest. This WARN_ON() causes a panic and generates the stack below.\n\nIn __pkvm_host_relax_perms_guest() the debug checking assumes the mapping\nis a single page but it may be a block map. Update the checking so that\nthe size is not checked and just assumes the correct size.\n\nWhile we're here make the same fix in __pkvm_host_mkyoung_guest().\n\n  Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128\n  Info: Removed ghost socket file \"/.lkvm//guest-128.sock\".\n[ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088!\n[ 1406.521804] kvm [141]: nVHE call trace:\n[ 1406.521828] kvm [141]:  [<ffff8000811676b4>] __kvm_nvhe_hyp_panic+0xb4/0xe8\n[ 1406.521946] kvm [141]:  [<ffff80008116d12c>] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c\n[ 1406.522049] kvm [141]:  [<ffff80008116f068>] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104\n[ 1406.522157] kvm [141]:  [<ffff800081169df8>] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c\n[ 1406.522250] kvm [141]:  [<ffff800081169f0c>] __kvm_nvhe_handle_trap+0x8c/0x1a8\n[ 1406.522333] kvm [141]:  [<ffff8000811680fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4\n[ 1406.522454] kvm [141]: ---[ end nVHE call trace ]---\n[ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000\n[ 1406.522554] Kernel panic - not syncing: HYP panic:\n[ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800\n[ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000\n[ 1406.522554] VCPU:0000000000000000\n[ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT\n[ 1406.523485] Hardware name: FVP Base RevC (DT)\n[ 1406.523566] Call trace:\n[ 1406.523629]  show_stack+0x18/0x24 (C)\n[ 1406.523753]  dump_stack_lvl+0xd4/0x108\n[ 1406.523899]  dump_stack+0x18/0x24\n[ 1406.524040]  panic+0x3d8/0x448\n[ 1406.524184]  nvhe_hyp_panic_handler+0x10c/0x23c\n[ 1406.524325]  kvm_handle_guest_abort+0x68c/0x109c\n[ 1406.524500]  handle_exit+0x60/0x17c\n[ 1406.524630]  kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0\n[ 1406.524794]  kvm_vcpu_ioctl+0x1a8/0x9cc\n[ 1406.524919]  __arm64_sys_ioctl+0xac/0x104\n[ 1406.525067]  invoke_syscall+0x48/0x10c\n[ 1406.525189]  el0_svc_common.constprop.0+0x40/0xe0\n[ 1406.525322]  do_el0_svc+0x1c/0x28\n[ 1406.525441]  el0_svc+0x38/0x120\n[ 1406.525588]  el0t_64_sync_handler+0x10c/0x138\n[ 1406.525750]  el0t_64_sync+0x1ac/0x1b0\n[ 1406.525876] SMP: stopping secondary CPUs\n[ 1406.525965] Kernel Offset: disabled\n[ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f\n[ 1406.526130] Memory Limit: none\n[ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic:\n[ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800\n[ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000\n[ 1406.959099] VCPU:0000000000000000 ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: ice_adapter: release xa entry on adapter allocation failure\n\nWhen ice_adapter_new() fails, the reserved XArray entry created by\nxa_insert() is not released. This causes subsequent insertions at\nthe same index to return -EBUSY, potentially leading to\nNULL pointer dereferences.\n\nReorder the operations as suggested by Przemek Kitszel:\n1. Check if adapter already exists (xa_load)\n2. Reserve the XArray slot (xa_reserve)\n3. Allocate the adapter (ice_adapter_new)\n4. Store the adapter (xa_store)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk->sk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req->rsk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet's remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp->fastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n <IRQ>\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n\nIf new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0\nand sctp_ulpevent_make_authkey() returns 0, then the variable\nai_ev remains zero and the zero will be dereferenced\nin the sctp_ulpevent_free() function.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npwm: berlin: Fix wrong register in suspend/resume\n\nThe 'enable' register should be BERLIN_PWM_EN rather than\nBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there\nwill be cpu exception then kernel panic during suspend/resume.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom\n\nSyzbot reported read of uninitialized variable BUG with following call stack.\n\nlan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout\n=====================================================\nBUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]\nBUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\nBUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]\n lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\n lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766\n lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707\n\nLocal variable sig.i.i created at:\n lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline]\n lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]\n lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241\n lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766\n\nThe function lan78xx_read_raw_eeprom failed to properly propagate EEPROM\nread timeout errors (-ETIMEDOUT). In the fallthrough path, it first\nattempted to restore the pin configuration for LED outputs and then\nreturned only the status of that restore operation, discarding the\noriginal timeout error.\n\nAs a result, callers could mistakenly treat the data buffer as valid\neven though the EEPROM read had actually timed out with no data or partial\ndata.\n\nTo fix this, handle errors in restoring the LED pin configuration separately.\nIf the restore succeeds, return any prior EEPROM timeout error correctly\nto the caller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: guard against EA inode refcount underflow in xattr update\n\nsyzkaller found a path where ext4_xattr_inode_update_ref() reads an EA\ninode refcount that is already <= 0 and then applies ref_change (often\n-1). That lets the refcount underflow and we proceed with a bogus value,\ntriggering errors like:\n\n  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1\n  EXT4-fs warning: ea_inode dec ref err=-117\n\nMake the invariant explicit: if the current refcount is non-positive,\ntreat this as on-disk corruption, emit ext4_error_inode(), and fail the\noperation with -EFSCORRUPTED instead of updating the refcount. Delete the\nWARN_ONCE() as negative refcounts are now impossible; keep error reporting\nin ext4_error_inode().\n\nThis prevents the underflow and the follow-on orphan/cleanup churn.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix kfd process ref leaking when userptr unmapping\n\nkfd_lookup_process_by_pid hold the kfd process reference to ensure it\ndoesn't get destroyed while sending the segfault event to user space.\n\nCalling kfd_lookup_process_by_pid as function parameter leaks the kfd\nprocess refcount and miss the NULL pointer check if app process is\nalready destroyed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ipmi: fix msg stack when IPMI is disconnected\"\n\nThis reverts commit c608966f3f9c2dca596967501d00753282b395fc.\n\nThis patch has a subtle bug that can cause the IPMI driver to go into an\ninfinite loop if the BMC misbehaves in a certain way.  Apparently\ncertain BMCs do misbehave this way because several reports have come in\nrecently about this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxtensa: simdisk: add input size check in proc_write_simdisk\n\nA malicious user could pass an arbitrarily bad value\nto memdup_user_nul(), potentially causing kernel crash.\n\nThis follows the same pattern as commit ee76746387f6\n(\"netdevsim: prevent bad user input in nsim_dev_health_break_write()\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n\nThe cpufreq_cpu_put() call in update_qos_request() takes place too early\nbecause the latter subsequently calls freq_qos_update_request() that\nindirectly accesses the policy object in question through the QoS request\nobject passed to it.\n\nFortunately, update_qos_request() is called under intel_pstate_driver_lock,\nso this issue does not matter for changing the intel_pstate operation\nmode, but it theoretically can cause a crash to occur on CPU device hot\nremoval (which currently can only happen in virt, but it is formally\nsupported nevertheless).\n\nAddress this issue by modifying update_qos_request() to drop the\nreference to the policy later.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmount: handle NULL values in mnt_ns_release()\n\nWhen calling in listmount() mnt_ns_release() may be passed a NULL\npointer. Handle that case gracefully.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40195",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: quota: create dedicated workqueue for quota_release_work\n\nThere is a kernel panic due to WARN_ONCE when panic_on_warn is set.\n\nThis issue occurs when writeback is triggered due to sync call for an\nopened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance\nis needed at sync path, flush for quota_release_work is triggered.\nBy default quota_release_work is queued to \"events_unbound\" queue which\ndoes not have WQ_MEM_RECLAIM flag. During f2fs balance \"writeback\"\nworkqueue tries to flush quota_release_work causing kernel panic due to\nMEM_RECLAIM flag mismatch errors.\n\nThis patch creates dedicated workqueue with WQ_MEM_RECLAIM flag\nfor work quota_release_work.\n\n------------[ cut here ]------------\nWARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148\nCall trace:\n check_flush_dependency+0x13c/0x148\n __flush_work+0xd0/0x398\n flush_delayed_work+0x44/0x5c\n dquot_writeback_dquots+0x54/0x318\n f2fs_do_quota_sync+0xb8/0x1a8\n f2fs_write_checkpoint+0x3cc/0x99c\n f2fs_gc+0x190/0x750\n f2fs_balance_fs+0x110/0x168\n f2fs_write_single_data_page+0x474/0x7dc\n f2fs_write_data_pages+0x7d0/0xd0c\n do_writepages+0xe0/0x2f4\n __writeback_single_inode+0x44/0x4ac\n writeback_sb_inodes+0x30c/0x538\n wb_writeback+0xf4/0x440\n wb_workfn+0x128/0x5d4\n process_scheduled_works+0x1c4/0x45c\n worker_thread+0x32c/0x3e8\n kthread+0x11c/0x1b0\n ret_from_fork+0x10/0x20\nKernel panic - not syncing: kernel: panic_on_warn set ...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc: Clear minor number before put device\n\nThe device minor should not be cleared after the device is released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated.  Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches\n\nHelge reported that the introduction of PP_MAGIC_MASK let to crashes on\nboot on his 32-bit parisc machine. The cause of this is the mask is set\ntoo wide, so the page_pool_page_is_pp() incurs false positives which\ncrashes the machine.\n\nJust disabling the check in page_pool_is_pp() will lead to the page_pool\ncode itself malfunctioning; so instead of doing this, this patch changes\nthe define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel\npointers for page_pool-tagged pages.\n\nThe fix relies on the kernel pointers that alias with the pp_magic field\nalways being above PAGE_OFFSET. With this assumption, we can use the\nlowest bit of the value of PAGE_OFFSET as the upper bound of the\nPP_DMA_INDEX_MASK, which should avoid the false positives.\n\nBecause we cannot rely on PAGE_OFFSET always being a compile-time\nconstant, nor on it always being >0, we fall back to disabling the\ndma_index storage when there are not enough bits available. This leaves\nus in the situation we were in before the patch in the Fixes tag, but\nonly on a subset of architecture configurations. This seems to be the\nbest we can do until the transition to page types in complete for\npage_pool pages.\n\nv2:\n- Make sure there's at least 8 bits available and that the PAGE_OFFSET\n  bit calculation doesn't wrap",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyzkaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk->group_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n->group_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don't see a better fix for -stable.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Rework user message limit handling\n\nThe limit on the number of user messages had a number of issues,\nimproper counting in some cases and a use after free.\n\nRestructure how this is all done to handle more in the receive message\nallocation routine, so all refcounting and user message limit counts\nare done in that routine.  It's a lot cleaner and safer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlistmount: don't call path_put() under namespace semaphore\n\nMassage listmount() and make sure we don't call path_put() under the\nnamespace semaphore. If we put the last reference we're fscked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40203",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid->parent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_objref: validate objref and objrefmap expressions\n\nReferencing a synproxy stateful object from OUTPUT hook causes kernel\ncrash due to infinite recursive calls:\n\nBUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)\n[...]\nCall Trace:\n __find_rr_leaf+0x99/0x230\n fib6_table_lookup+0x13b/0x2d0\n ip6_pol_route+0xa4/0x400\n fib6_rule_lookup+0x156/0x240\n ip6_route_output_flags+0xc6/0x150\n __nf_ip6_route+0x23/0x50\n synproxy_send_tcp_ipv6+0x106/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n nft_synproxy_do_eval+0x263/0x310\n nft_do_chain+0x5a8/0x5f0 [nf_tables\n nft_do_chain_inet+0x98/0x110\n nf_hook_slow+0x43/0xc0\n __ip6_local_out+0xf0/0x170\n ip6_local_out+0x17/0x70\n synproxy_send_tcp_ipv6+0x1a2/0x200\n synproxy_send_client_synack_ipv6+0x1aa/0x1f0\n[...]\n\nImplement objref and objrefmap expression validate functions.\n\nCurrently, only NFT_OBJECT_SYNPROXY object type requires validation.\nThis will also handle a jump to a chain using a synproxy object from the\nOUTPUT hook.\n\nNow when trying to reference a synproxy object in the OUTPUT hook, nft\nwill produce the following error:\n\nsynproxy_crash.nft: Error: Could not process rule: Operation not supported\n  synproxy name mysynproxy\n  ^^^^^^^^^^^^^^^^^^^^^^^^",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()\n\nv4l2_subdev_call_state_try() macro allocates a subdev state with\n__v4l2_subdev_state_alloc(), but does not check the returned value. If\n__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would\ncause v4l2_subdev_call_state_try() to crash.\n\nAdd proper error handling to v4l2_subdev_call_state_try().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: fix module removal if firmware download failed\n\nFix remove if firmware failed to load:\nqcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2\nqcom-iris aa00000.video-codec: firmware download failed\nqcom-iris aa00000.video-codec: core init failed\n\nthen:\n$ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind\n\nTriggers:\ngenpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!\n------------[ cut here ]------------\nvideo_cc_mvs0_clk already disabled\nWARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542\n<snip>\npc : clk_core_disable+0xa4/0xac\nlr : clk_core_disable+0xa4/0xac\n<snip>\nCall trace:\n clk_core_disable+0xa4/0xac (P)\n clk_disable+0x30/0x4c\n iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]\n iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]\n iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]\n iris_vpu_power_off+0x34/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n<snip>\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nvideo_cc_mvs0_clk already unprepared\nWARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542\n<snip>\npc : clk_core_unprepare+0xf0/0x110\nlr : clk_core_unprepare+0xf0/0x110\n<snip>\nCall trace:\n clk_core_unprepare+0xf0/0x110 (P)\n clk_unprepare+0x2c/0x44\n iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]\n iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]\n iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]\n iris_vpu_power_off+0x34/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n<snip>\n---[ end trace 0000000000000000 ]---\ngenpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow!\n------------[ cut here ]------------\ngcc_video_axi0_clk already disabled\nWARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542\n<snip>\npc : clk_core_disable+0xa4/0xac\nlr : clk_core_disable+0xa4/0xac\n<snip>\nCall trace:\n clk_core_disable+0xa4/0xac (P)\n clk_disable+0x30/0x4c\n iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]\n iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]\n iris_vpu_power_off+0x48/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n<snip>\n------------[ cut here ]------------\ngcc_video_axi0_clk already unprepared\nWARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542\n<snip>\npc : clk_core_unprepare+0xf0/0x110\nlr : clk_core_unprepare+0xf0/0x110\n<snip>\nCall trace:\n clk_core_unprepare+0xf0/0x110 (P)\n clk_unprepare+0x2c/0x44\n iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]\n iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]\n iris_vpu_power_off+0x48/0x84 [qcom_iris]\n iris_core_deinit+0x44/0xc8 [qcom_iris]\n iris_remove+0x20/0x48 [qcom_iris]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n<snip>\n---[ end trace 0000000000000000 ]---\n\nSkip deinit if initialization never succeeded.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation\n\nWhen btrfs_add_qgroup_relation() is called with invalid qgroup levels\n(src >= dst), the function returns -EINVAL directly without freeing the\npreallocated qgroup_list structure passed by the caller. This causes a\nmemory leak because the caller unconditionally sets the pointer to NULL\nafter the call, preventing any cleanup.\n\nThe issue occurs because the level validation check happens before the\nmutex is acquired and before any error handling path that would free\nthe prealloc pointer. On this early return, the cleanup code at the\n'out' label (which includes kfree(prealloc)) is never reached.\n\nIn btrfs_ioctl_qgroup_assign(), the code pattern is:\n\n    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);\n    ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);\n    prealloc = NULL;  // Always set to NULL regardless of return value\n    ...\n    kfree(prealloc);  // This becomes kfree(NULL), does nothing\n\nWhen the level check fails, 'prealloc' is never freed by either the\ncallee or the caller, resulting in a 64-byte memory leak per failed\noperation. This can be triggered repeatedly by an unprivileged user\nwith access to a writable btrfs mount, potentially exhausting kernel\nmemory.\n\nFix this by freeing prealloc before the early return, ensuring prealloc\nis always freed on all error paths.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"\n\nI've found that pynfs COMP6 now leaves the connection or lease in a\nstrange state, which causes CLOSE9 to hang indefinitely. I've dug\ninto it a little, but I haven't been able to root-cause it yet.\nHowever, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on\nnumber of operations per NFSv4 COMPOUND\").\n\nTianshuo Han also reports a potential vulnerability when decoding\nan NFSv4 COMPOUND. An attacker can place an arbitrarily large op\ncount in the COMPOUND header, which results in:\n\n[   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total\npages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO),\nnodemask=(null),cpuset=/,mems_allowed=0\n\nwhen NFSD attempts to allocate the COMPOUND op array.\n\nLet's restore the operation-per-COMPOUND limit, but increased to 200\nfor now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device->brightness\nand device->backlight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device->brightness or\ndevice->backlight.\n\nFix this by calling cancel_delayed_work_sync() for each device's\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix refcount leak in nfsd_set_fh_dentry()\n\nnfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find\nthe various exported filesystems using LOOKUP requests from a known root\nfilehandle.  NFSv3 uses the MOUNT protocol to find those exported\nfilesystems and so is not given access to the pseudo root filesystem.\n\nIf a v3 (or v2) client uses a filehandle from that filesystem,\nnfsd_set_fh_dentry() will report an error, but still stores the export\nin \"struct svc_fh\" even though it also drops the reference (exp_put()).\nThis means that when fh_put() is called an extra reference will be dropped\nwhich can lead to use-after-free and possible denial of service.\n\nNormal NFS usage will not provide a pseudo-root filehandle to a v3\nclient.  This bug can only be triggered by the client synthesising an\nincorrect filehandle.\n\nTo fix this we move the assignments to the svc_fh later, after all\npossible error cases have been detected.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete\n\nThere is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to\nmemcpy from badly declared on-stack flexible array.\n\nAnother crash is in set_mesh_complete() due to double list_del via\nmgmt_pending_valid + mgmt_pending_remove.\n\nUse DEFINE_FLEX to declare the flexible array right, and don't memcpy\noutside bounds.\n\nAs mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,\nand also report status on error.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)->vertex->scc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B's listener and sk-C are not in-flight.\n\n3-c decrements sk-A's file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -> sk-B (-> sk-C)\n  sk-X -> sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\n  &&\n  sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\n                                       ^-- 1 in-flight count for sk-B\n  -> sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet's track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex's scc_index.\n\nThis way, we can continue to avoid Tarjan's algorithm while\npreventing misjudgments.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x->tunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to deferred freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can't guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe're going to lock x->tunnel while x is locked.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-40216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: don't rely on user vaddr alignment\n\nThere is no guaranteed alignment for user pointers, however the\ncalculation of an offset of the first page into a folio after coalescing\nuses some weird bit mask logic, get rid of it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-40217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npidfs: validate extensible ioctls\n\nValidate extensible ioctls stricter than we do now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr: do not repeat pte_offset_map_lock() until success\n\nDAMON's virtual address space operation set implementation (vaddr) calls\npte_offset_map_lock() inside the page table walk callback function.  This\nis for reading and writing page table accessed bits.  If\npte_offset_map_lock() fails, it retries by returning the page table walk\ncallback function with ACTION_AGAIN.\n\npte_offset_map_lock() can continuously fail if the target is a pmd\nmigration entry, though.  Hence it could cause an infinite page table walk\nif the migration cannot be done until the page table walk is finished. \nThis indeed caused a soft lockup when CPU hotplugging and DAMON were\nrunning in parallel.\n\nAvoid the infinite loop by simply not retrying the page table walk.  DAMON\nis promising only a best-effort accuracy, so missing access to such pages\nis no problem.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]\n[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[<0>] aio_read+0x130/0x1e0\n[<0>] io_submit_one+0x542/0x860\n[<0>] __x64_sys_io_submit+0x98/0x1a0\n[<0>] do_syscall_64+0x37/0xf0\n[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]\n[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[<0>] fuse_file_put+0x9a/0xd0 [fuse]\n[<0>] fuse_release+0x36/0x50 [fuse]\n[<0>] __fput+0xec/0x2b0\n[<0>] task_work_run+0x55/0x90\n[<0>] syscall_exit_to_user_mode+0xe9/0x100\n[<0>] do_syscall_64+0x43/0xf0\n[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there's nothing all that exciting in\nthe server itself.  So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha.  AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function.  The completion puts the\nstruct file, queuing a delayed fput to the fuse server task.  When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command synchronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren't any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining why.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: mg4b: fix uninitialized iio scan data\n\nFix potential leak of uninitialized stack data to userspace by ensuring\nthat the `scan` structure is zeroed before use.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: sh-sci: fix RSCI FIFO overrun handling\n\nThe receive error handling code is shared between RSCI and all other\nSCIF port types, but the RSCI overrun_reg is specified as a memory\noffset, while for other SCIF types it is an enum value used to index\ninto the sci_port_params->regs array, as mentioned above the\nsci_serial_in() function.\n\nFor RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call\ninside the sci_handle_fifo_overrun() function to index outside the\nbounds of the regs array, which currently has a size of 20, as specified\nby SCI_NR_REGS.\n\nBecause of this, we end up accessing memory outside of RSCI's\nrsci_port_params structure, which, when interpreted as a plat_sci_reg,\nhappens to have a non-zero size, causing the following WARN when\nsci_serial_in() is called, as the accidental size does not match the\nsupported register sizes.\n\nThe existence of the overrun_reg needs to be checked because\nSCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not\npresent in the regs array.\n\nAvoid calling sci_getreg() for port types which don't use standard\nregister handling.\n\nUse the ops->read_reg() and ops->write_reg() functions to properly read\nand write registers for RSCI, and change the type of the status variable\nto accommodate the 32-bit CSR register.\n\nsci_getreg() and sci_serial_in() are also called with overrun_reg in the\nsci_mpxed_interrupt() interrupt handler, but that code path is not used\nfor RSCI, as it does not have a muxed interrupt.\n\n------------[ cut here ]------------\nInvalid register access\nWARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac\nModules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT\nHardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT)\npstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : sci_serial_in+0x38/0xac\nlr : sci_serial_in+0x38/0xac\nsp : ffff800080003e80\nx29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d\nx26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80\nx23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000\nx20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a\nx17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720\nx14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720\nx11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48\nx8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48\nx5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80\nCall trace:\n sci_serial_in+0x38/0xac (P)\n sci_handle_fifo_overrun.isra.0+0x70/0x134\n sci_er_interrupt+0x50/0x39c\n __handle_irq_event_percpu+0x48/0x140\n handle_irq_event+0x44/0xb0\n handle_fasteoi_irq+0xf4/0x1a0\n handle_irq_desc+0x34/0x58\n generic_handle_domain_irq+0x1c/0x28\n gic_handle_irq+0x4c/0x140\n call_on_irq_stack+0x30/0x48\n do_interrupt_handler+0x80/0x84\n el1_interrupt+0x34/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n default_idle_call+0x28/0x58 (P)\n do_idle+0x1f8/0x250\n cpu_startup_entry+0x34/0x3c\n rest_init+0xd8/0xe0\n console_on_rootfs+0x0/0x6c\n __primary_switched+0x88/0x90\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: Fix use-after-free in hdm_disconnect\n\nhdm_disconnect() calls most_deregister_interface(), which eventually\nunregisters the MOST interface device with device_unregister(iface->dev).\nIf that drops the last reference, the device core may call release_mdev()\nimmediately while hdm_disconnect() is still executing.\n\nThe old code also freed several mdev-owned allocations in\nhdm_disconnect() and then performed additional put_device() calls.\nDepending on refcount order, this could lead to use-after-free or\ndouble-free when release_mdev() ran (or when unregister paths also\nperformed puts).\n\nFix by moving the frees of mdev-owned allocations into release_mdev(),\nso they happen exactly once when the device is truly released, and by\ndropping the extra put_device() calls in hdm_disconnect() that are\nredundant after device_unregister() and most_deregister_interface().\n\nThis addresses the KASAN slab-use-after-free reported by syzbot in\nhdm_disconnect(). See report and stack traces in the bug link below.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()\n\nThe driver allocates memory for sensor data using devm_kzalloc(), but\ndid not check if the allocation succeeded. In case of memory allocation\nfailure, dereferencing the NULL pointer would lead to a kernel crash.\n\nAdd a NULL pointer check and return -ENOMEM to handle allocation failure\nproperly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40224",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix kernel panic on partial unmap of a GPU VA region\n\nThis commit addresses a kernel panic issue that can happen if Userspace\ntries to partially unmap a GPU virtual region (aka drm_gpuva).\nThe VM_BIND interface allows partial unmapping of a BO.\n\nPanthor driver pre-allocates memory for the new drm_gpuva structures\nthat would be needed for the map/unmap operation, done using the drm_gpuvm\nlayer. It expected that only one new drm_gpuva would be needed on unmap\nbut a partial unmap can require 2 new drm_gpuva and that's why it\nended up doing a NULL pointer dereference causing a kernel panic.\n\nFollowing dump was seen when partial unmap was exercised.\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078\n Mem abort info:\n   ESR = 0x0000000096000046\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x06: level 2 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000\n [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000\n Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP\n <snip>\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]\n sp : ffff800085d43970\n x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000\n x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000\n x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010\n x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c\n x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58\n x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c\n x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7\n x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001\n x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078\n Call trace:\n  panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n  op_remap_cb.isra.22+0x50/0x80\n  __drm_gpuvm_sm_unmap+0x10c/0x1c8\n  drm_gpuvm_sm_unmap+0x40/0x60\n  panthor_vm_exec_op+0xb4/0x3d0 [panthor]\n  panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]\n  panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]\n  drm_ioctl_kernel+0xbc/0x138\n  drm_ioctl+0x240/0x500\n  __arm64_sys_ioctl+0xb0/0xf8\n  invoke_syscall+0x4c/0x110\n  el0_svc_common.constprop.1+0x98/0xf8\n  do_el0_svc+0x24/0x38\n  el0_svc+0x40/0xf8\n  el0t_64_sync_handler+0xa0/0xc8\n  el0t_64_sync+0x174/0x178",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Account for failed debug initialization\n\nWhen the SCMI debug subsystem fails to initialize, the related debug root\nwill be missing, and the underlying descriptor will be NULL.\n\nHandle this fault condition in the SCMI debug helpers that maintain\nmetrics counters.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: dealloc commit test ctx always\n\nThe damon_ctx for testing online DAMON parameters commit inputs is\ndeallocated only when the test fails.  This means memory is leaked for\nevery successful online DAMON parameters commit.  Fix the leak by always\ndeallocating it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: catch commit test ctx alloc failure\n\nPatch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".\n\nDAMON sysfs interface dynamically allocates and uses a damon_ctx object\nfor testing if given inputs for online DAMON parameters update are valid.\nThe object is being used without an allocation failure check, and leaked\nwhen the test succeeds.  Fix the two bugs.\n\n\nThis patch (of 2):\n\nThe damon_ctx for testing online DAMON parameters commit inputs is used\nwithout its allocation failure check.  This could result in an invalid\nmemory access.  Fix it by directly returning an error when the allocation\nfailed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme\n\nCurrently, damon_destroy_scheme() only cleans up the filter list but\nleaves ops_filter untouched, which could lead to memory leaks when a\nscheme is destroyed.\n\nThis patch ensures both filter and ops_filter are properly freed in\ndamon_destroy_scheme(), preventing potential memory leaks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent poison consumption when splitting THP\n\nWhen performing memory error injection on a THP (Transparent Huge Page)\nmapped to userspace on an x86 server, the kernel panics with the following\ntrace.  The expected behavior is to terminate the affected process instead\nof panicking the kernel, as the x86 Machine Check code can recover from an\nin-userspace #MC.\n\n  mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134\n  mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}\n  mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db\n  mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320\n  mce: [Hardware Error]: Run the above through 'mcelog --ascii'\n  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel\n  Kernel panic - not syncing: Fatal local machine check\n\nThe root cause of this panic is that handling a memory failure triggered\nby an in-userspace #MC necessitates splitting the THP.  The splitting\nprocess employs a mechanism, implemented in\ntry_to_map_unused_to_zeropage(), which reads the pages in the THP to\nidentify zero-filled pages.  However, reading the pages in the THP results\nin a second in-kernel #MC, occurring before the initial memory_failure()\ncompletes, ultimately leading to a kernel panic.  See the kernel panic\ncall trace on the two #MCs.\n\n  First Machine Check occurs // [1]\n    memory_failure()         // [2]\n      try_to_split_thp_page()\n        split_huge_page()\n          split_huge_page_to_list_to_order()\n            __folio_split()  // [3]\n              remap_page()\n                remove_migration_ptes()\n                  remove_migration_pte()\n                    try_to_map_unused_to_zeropage()  // [4]\n                      memchr_inv()                   // [5]\n                        Second Machine Check occurs  // [6]\n                          Kernel panic\n\n[1] Triggered by accessing a hardware-poisoned THP in userspace, which is\n    typically recoverable by terminating the affected process.\n\n[2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().\n\n[3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().\n\n[4] Try to map the unused THP to zeropage.\n\n[5] Re-access pages in the hw-poisoned THP in the kernel.\n\n[6] Triggered in-kernel, leading to a kernel panic.\n\nIn Step[2], memory_failure() sets the poisoned flag on the page in the THP\nby TestSetPageHWPoison() before calling try_to_split_thp_page().\n\nAs suggested by David Hildenbrand, fix this panic by not accessing the\npoisoned page in the THP during zeropage identification, while continuing\nto scan unaffected pages in the THP for possible zeropage mapping.  This\nprevents a second in-kernel #MC that would cause kernel panic in Step[4].\n\nThanks to Andrew Zaborowski for his initial work on fixing this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport->release() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread holds\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport->release() and vsock_deassign_transport(). This is safe\nbecause we don't need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won't disappear by\nobtaining a module reference first via try_module_get().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrv: Fully convert enabled_monitors to use list_head as iterator\n\nThe callbacks in enabled_monitors_seq_ops are inconsistent. Some treat the\niterator as struct rv_monitor *, while others treat the iterator as struct\nlist_head *.\n\nThis causes a wrong type cast and crashes the system as reported by Nathan.\n\nConvert everything to use struct list_head * as iterator. This also makes\nenabled_monitors consistent with available_monitors.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: clear extent cache after moving/defragmenting extents\n\nThe extent map cache can become stale when extents are moved or\ndefragmented, causing subsequent operations to see outdated extent flags. \nThis triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().\n\nThe problem occurs when:\n1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED\n2. ioctl(FITRIM) triggers ocfs2_move_extents()\n3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)\n4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()\n   which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)\n5. The extent map cache is not invalidated after the move\n6. Later write() operations read stale cached flags (0x2) but disk has\n   updated flags (0x0), causing a mismatch\n7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers\n\nFix by clearing the extent map cache after each extent move/defrag\noperation in __ocfs2_move_extents_range().  This ensures subsequent\noperations read fresh extent data from disk.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep handlers\n\nDevices without the AWCC interface don't initialize `awcc`. Add a check\nbefore dereferencing it in sleep handlers.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()\n\nIf fs_info->super_copy or fs_info->super_for_commit allocation failed in\nbtrfs_get_tree_subvol(), then there is no need to call btrfs_free_fs_info().\nOtherwise btrfs_check_leaked_roots() would access a NULL pointer because\nfs_info->allocated_roots had not been initialised.\n\nsyzkaller reported the following information:\n  ------------[ cut here ]------------\n  BUG: unable to handle page fault for address: fffffffffffffbb0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0\n  Oops: Oops: 0000 [#1] SMP KASAN PTI\n  CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)\n  RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]\n  RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]\n  RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]\n  RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]\n  RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230\n  [...]\n  Call Trace:\n   <TASK>\n   btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280\n   btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029\n   btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097\n   vfs_get_tree+0x98/0x320 fs/super.c:1759\n   do_new_mount+0x357/0x660 fs/namespace.c:3899\n   path_mount+0x716/0x19c0 fs/namespace.c:4226\n   do_mount fs/namespace.c:4239 [inline]\n   __do_sys_mount fs/namespace.c:4450 [inline]\n   __se_sys_mount fs/namespace.c:4427 [inline]\n   __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f032eaffa8d\n  [...]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: zero unused hash fields\n\nWhen GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to\ninitialize the tunnel metadata but forgets to zero unused rxhash\nfields. This may leak information to another side. Fix this by\nzeroing the unused hash fields.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/notify: call exportfs_encode_fid with s_umount\n\nCalling inotify_show_fdinfo() on fd watching an overlayfs inode, while\nthe overlayfs is being unmounted, can lead to dereferencing NULL ptr.\n\nThis issue was found by syzkaller.\n\nRace Condition Diagram:\n\nThread 1                           Thread 2\n--------                           --------\n\ngeneric_shutdown_super()\n shrink_dcache_for_umount\n  sb->s_root = NULL\n\n                    |\n                    |             vfs_read()\n                    |              inotify_fdinfo()\n                    |               * inode get from mark *\n                    |               show_mark_fhandle(m, inode)\n                    |                exportfs_encode_fid(inode, ..)\n                    |                 ovl_encode_fh(inode, ..)\n                    |                  ovl_check_encode_origin(inode)\n                    |                   * deref i_sb->s_root *\n                    |\n                    |\n                    v\n fsnotify_sb_delete(sb)\n\nWhich then leads to:\n\n[   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n\n<snip registers, unreliable trace>\n\n[   32.143353] Call Trace:\n[   32.143732]  ovl_encode_fh+0xd5/0x170\n[   32.144031]  exportfs_encode_inode_fh+0x12f/0x300\n[   32.144425]  show_mark_fhandle+0xbe/0x1f0\n[   32.145805]  inotify_fdinfo+0x226/0x2d0\n[   32.146442]  inotify_show_fdinfo+0x1c5/0x350\n[   32.147168]  seq_show+0x530/0x6f0\n[   32.147449]  seq_read_iter+0x503/0x12a0\n[   32.148419]  seq_read+0x31f/0x410\n[   32.150714]  vfs_read+0x1f0/0x9e0\n[   32.152297]  ksys_read+0x125/0x240\n\nIOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set\nto NULL in the unmount path.\n\nFix it by protecting calling exportfs_encode_fid() from\nshow_mark_fhandle() with s_umount lock.\n\nThis form of fix was suggested by Amir in [1].\n\n[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec cleanup over MPV device\n\nWhen we do mlx5e_detach_netdev() we eventually disable blocking events\nnotifier, among those events are IPsec MPV events from IB to core.\n\nSo before disabling those blocking events, make sure to also unregister\nthe devcom device and mark all of this device's operations as complete,\nin order to prevent the other device from using invalid netdev\nduring future devcom events which could cause the trace below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nPGD 146427067 P4D 146427067 PUD 146488067 PMD 0\nOops: Oops: 0000 [#1] SMP\nCPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\nCode: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40\nRSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206\nRAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00\nRDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000\nR10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600\nR13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80\nFS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\n mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]\n mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]\n blocking_event+0x17b/0x230 [mlx5_core]\n notifier_call_chain+0x35/0xa0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]\n mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]\n mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]\n ? idr_alloc_cyclic+0x50/0xb0\n ? __kmalloc_cache_noprof+0x167/0x340\n ? __kmalloc_noprof+0x1a7/0x430\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe9/0x310 [mlx5_ib]\n ? kernfs_add_one+0x107/0x150\n ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n auxiliary_bus_probe+0x3e/0x90\n really_probe+0xc5/0x3a0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x62d/0x830\n __auxiliary_device_add+0x3b/0xa0\n ? auxiliary_device_init+0x41/0x90\n add_adev+0xd1/0x150 [mlx5_core]\n mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]\n esw_mode_change+0x6c/0xc0 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x180/0x2b0\n ? devlink_get_from_attrs_lock+0x170/0x170\n ? devlink_nl_eswitch_get_doit+0x290/0x290\n ? devlink_nl_pre_doit_port_optional+0x50/0x50\n ? genl_family_rcv_msg_dumpit+0xf0/0xf0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1fc/0x2d0\n netlink_sendmsg+0x1e4/0x410\n __sock_sendmsg+0x38/0x60\n ? sockfd_lookup_light+0x12/0x60\n __sys_sendto+0x105/0x160\n ? __sys_recvmsg+0x4e/0x90\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f27bc91b13a\nCode: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: always set shared->phydev for LAN8814\n\nCurrently, during the LAN8814 PTP probe shared->phydev is only set if PTP\nclock gets actually set, otherwise the function will return before setting\nit.\n\nThis is an issue as shared->phydev is unconditionally being used when IRQ\nis being handled, especially in lan8814_gpio_process_cap and since it was\nnot set it will cause a NULL pointer exception and crash the kernel.\n\nSo, simply always set shared->phydev to avoid the NULL pointer exception.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk->skb pointer is dereferenced in the if-block where it's supposed\nto be NULL only.\n\nchunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list\ninstead and do it just before replacing chunk->skb. We're sure that\notherwise chunk->skb is non-NULL because of outer if() condition.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix crafted invalid cases for encoded extents\n\nRobert recently reported two corrupted images that can cause system\ncrashes, which are related to the new encoded extents introduced\nin Linux 6.15:\n\n  - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but\n    (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent\n    special extents such as sparse extents (!EROFS_MAP_MAPPED), but\n    previously only plen == 0 was handled;\n\n  - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,\n    then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in\n    \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an\n    out-of-bound access of pcl->compressed_bvecs[] in\n    z_erofs_submit_queue().  EROFS only supports 48-bit physical block\n    addresses (up to 1EiB for 4k blocks), so add a sanity check to\n    enforce this.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix unlikely race in gdlm_put_lock\n\nIn gdlm_put_lock(), there is a small window of time in which the\nDFL_UNMOUNT flag has been set but the lockspace hasn't been released,\nyet.  In that window, dlm may still call gdlm_ast() and gdlm_bast().\nTo prevent it from dereferencing freed glock objects, only free the\nglock if the lockspace has actually been released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()\n\nThe syzbot reported issue in hfs_find_set_zero_bits():\n\n=====================================================\nBUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45\n hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151\n hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408\n hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353\n __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151\n block_write_begin fs/buffer.c:2262 [inline]\n cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n cont_expand_zero fs/buffer.c:2528 [inline]\n cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591\n hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52\n hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494\n hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654\n notify_change+0x1993/0x1aa0 fs/attr.c:552\n do_truncate+0x28f/0x310 fs/open.c:68\n do_ftruncate+0x698/0x730 fs/open.c:195\n do_sys_ftruncate fs/open.c:210 [inline]\n __do_sys_ftruncate fs/open.c:215 [inline]\n __se_sys_ftruncate fs/open.c:213 [inline]\n __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213\n x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354\n kmalloc_noprof include/linux/slab.h:905 [inline]\n hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175\n hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337\n get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681\n get_tree_bdev+0x38/0x50 fs/super.c:1704\n hfs_get_tree+0x35/0x40 fs/hfs/super.c:388\n vfs_get_tree+0xb0/0x5c0 fs/super.c:1804\n do_new_mount+0x738/0x1610 fs/namespace.c:3902\n path_mount+0x6db/0x1e90 fs/namespace.c:4226\n do_mount fs/namespace.c:4239 [inline]\n __do_sys_mount fs/namespace.c:4450 [inline]\n __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427\n x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n=====================================================\n\nThe HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():\n\nHFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);\n\nFinally, it can trigger the reported issue because kmalloc()\ndoesn't clear the allocated memory. If allocated memory contains\nonly zeros, then everything will work pretty fine.\nBut if the allocated memory contains the \"garbage\", then\nit can affect the bitmap operations and it triggers\nthe reported issue.\n\nThis patch simply exchanges the kmalloc() on kzalloc()\nwith the goal to guarantee the correctness of bitmap operations.\nBecause, newly created allocation bitmap should have all\navailable blocks free. Potentially, initialization bitmap's read\noperation could not fill the whole allocated memory and\n\"garbage\" in the not initialized memory will be the reason of\nvolume corruptions and file system driver bugs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n\nThe syzbot reported issue in __hfsplus_ext_cache_extent():\n\n[   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990\n[   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990\n[   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0\n[   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0\n[   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0\n[   70.196959][ T9350]  cont_write_begin+0x1000/0x1950\n[   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130\n[   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060\n[   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460\n[   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0\n[   70.199393][ T9350]  vfs_write+0xb0f/0x14e0\n[   70.199771][ T9350]  ksys_write+0x23e/0x490\n[   70.200149][ T9350]  __x64_sys_write+0x97/0xf0\n[   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0\n[   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0\n[   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.202054][ T9350]\n[   70.202279][ T9350] Uninit was created at:\n[   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80\n[   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0\n[   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0\n[   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0\n[   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0\n[   70.205074][ T9350]  cont_write_begin+0x1000/0x1950\n[   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130\n[   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060\n[   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460\n[   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0\n[   70.207552][ T9350]  vfs_write+0xb0f/0x14e0\n[   70.207961][ T9350]  ksys_write+0x23e/0x490\n[   70.208375][ T9350]  __x64_sys_write+0x97/0xf0\n[   70.208810][ T9350]  x64_sys_call+0x3015/0x3cf0\n[   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0\n[   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.210230][ T9350]\n[   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5\n[   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.212115][ T9350] =====================================================\n[   70.212734][ T9350] Disabling lock debugging due to kernel taint\n[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...\n[   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B              6.12.0-rc5 #5\n[   70.214679][ T9350] Tainted: [B]=BAD_PAGE\n[   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.215999][ T9350] Call Trace:\n[   70.216309][ T9350]  <TASK>\n[   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0\n[   70.217025][ T9350]  dump_stack+0x1e/0x30\n[   70.217421][ T9350]  panic+0x502/0xca0\n[   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0\n\n[   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...\n kernel\n:[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [   70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0\nset ...\n[   70.221254][ T9350]  ? __msan_warning+0x96/0x120\n[   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990\n[   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0\n[   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0\n[   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0\n[   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950\n[   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130\n[   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060\n[   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460\n[   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0\n[   70.228540][ T9350]  ? vfs_write+0xb0f/0x14e0\n[   70.228997][ T9350]  ? ksys_write+0x23e/0x490\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnios2: ensure that memblock.current_limit is set when setting pfn limits\n\nOn nios2, with CONFIG_FLATMEM set, the kernel relies on\nmemblock_get_current_limit() to determine the limits of mem_map, in\nparticular for max_low_pfn.\nUnfortunately, memblock.current_limit is only default initialized to\nMEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading\nto situations where max_low_pfn can erroneously exceed the value of\nmax_pfn and, thus, the valid range of available DRAM.\n\nThis can in turn cause kernel-level paging failures, e.g.:\n\n[   76.900000] Unable to handle kernel paging request at virtual address 20303000\n[   76.900000] ea = c0080890, ra = c000462c, cause = 14\n[   76.900000] Kernel panic - not syncing: Oops\n[   76.900000] ---[ end Kernel panic - not syncing: Oops ]---\n\nThis patch fixes this by pre-calculating memblock.current_limit\nbased on the upper limits of the available memory ranges via\nadjust_lowmem_bounds, a simplified version of the equivalent\nimplementation within the arm architecture.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix out of bounds memory read error in symlink repair\n\nxfs/286 produced this report on my test fleet:\n\n ==================================================================\n BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110\n\n Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):\n  memcpy_orig+0x54/0x110\n  xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]\n  xrep_symlink_salvage+0x100/0x110 [xfs]\n  xrep_symlink+0x2e/0x80 [xfs]\n  xrep_attempt+0x61/0x1f0 [xfs]\n  xfs_scrub_metadata+0x34f/0x5c0 [xfs]\n  xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]\n  xfs_file_ioctl+0xe23/0x10e0 [xfs]\n  __x64_sys_ioctl+0x76/0xc0\n  do_syscall_64+0x4e/0x1e0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128\n\n allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):\n  xfs_init_local_fork+0x79/0xe0 [xfs]\n  xfs_iformat_local+0xa4/0x170 [xfs]\n  xfs_iformat_data_fork+0x148/0x180 [xfs]\n  xfs_inode_from_disk+0x2cd/0x480 [xfs]\n  xfs_iget+0x450/0xd60 [xfs]\n  xfs_bulkstat_one_int+0x6b/0x510 [xfs]\n  xfs_bulkstat_iwalk+0x1e/0x30 [xfs]\n  xfs_iwalk_ag_recs+0xdf/0x150 [xfs]\n  xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]\n  xfs_iwalk_ag+0x1dc/0x2f0 [xfs]\n  xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]\n  xfs_iwalk+0xa4/0xd0 [xfs]\n  xfs_bulkstat+0xfa/0x170 [xfs]\n  xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]\n  xfs_file_ioctl+0xbf2/0x10e0 [xfs]\n  __x64_sys_ioctl+0x76/0xc0\n  do_syscall_64+0x4e/0x1e0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy)  3d744dd94e92690f00a04398d2bd8631dcef1954\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014\n ==================================================================\n\nOn further analysis, I realized that the second parameter to min() is\nnot correct.  xfs_ifork::if_bytes is the size of the xfs_ifork::if_data\nbuffer.  if_bytes can be smaller than the data fork size because:\n\n(a) the forkoff code tries to keep the data area as large as possible\n(b) for symbolic links, if_bytes is the ondisk file size + 1\n(c) forkoff is always a multiple of 8.\n\nCase in point: for a single-byte symlink target, forkoff will be\n8 but the buffer will only be 2 bytes long.\n\nIn other words, the logic here is wrong and we walk off the end of the\nincore buffer.  Fix that.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix pgtable prealloc error path\n\nThe following splat was reported:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n    Mem abort info:\n      ESR = 0x0000000096000004\n      EC = 0x25: DABT (current EL), IL = 32 bits\n      SET = 0, FnV = 0\n      EA = 0, S1PTW = 0\n      FSC = 0x04: level 0 translation fault\n    Data abort info:\n      ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n      CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000\n    [0000000000000010] pgd=0000000000000000, p4d=0000000000000000\n    Internal error: Oops: 0000000096000004 [#1]  SMP\n    CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S                  6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT\n    Tainted: [S]=CPU_OUT_OF_SPEC\n    Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT)\n    pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n    pc : build_detached_freelist+0x28/0x224\n    lr : kmem_cache_free_bulk.part.0+0x38/0x244\n    sp : ffff000a508c7a20\n    x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350\n    x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000\n    x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000\n    x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8\n    x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640\n    x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30\n    x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940\n    x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000\n    x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8\n    x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00\n    Call trace:\n     build_detached_freelist+0x28/0x224 (P)\n     kmem_cache_free_bulk.part.0+0x38/0x244\n     kmem_cache_free_bulk+0x10/0x1c\n     msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0\n     msm_vma_job_free+0x30/0x240\n     msm_ioctl_vm_bind+0x1d0/0x9a0\n     drm_ioctl_kernel+0x84/0x104\n     drm_ioctl+0x358/0x4d4\n     __arm64_sys_ioctl+0x8c/0xe0\n     invoke_syscall+0x44/0x100\n     el0_svc_common.constprop.0+0x3c/0xe0\n     do_el0_svc+0x18/0x20\n     el0_svc+0x30/0x100\n     el0t_64_sync_handler+0x104/0x130\n     el0t_64_sync+0x170/0x174\n    Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6)\n    ---[ end trace 0000000000000000 ]---\n\nSince msm_vma_job_free() is called directly from the ioctl, this looks\nlike an error path cleanup issue.  Which I think results from\nprealloc_cleanup() called without a preceding successful\nprealloc_allocate() call.  So handle that case better.\n\nPatchwork: https://patchwork.freedesktop.org/patch/678677/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() ->\n   virtio_transport_purge_skbs() may race with sendmsg() invoking\n   virtio_transport_get_credit(). This results in a permanently elevated\n   `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket's state may race with socket\n   being placed in a sockmap. A disconnected socket remaining in a sockmap\n   breaks sockmap's assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a\n   transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n   any simultaneous sendmsg() or connect() and may result in a\n   use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don't linger, can't be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: make sure the cdev fd is still active before emitting events\n\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It's possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\n\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\n\n  struct file::f_count incremented from zero; use-after-free condition present!\n\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\n\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\nand end up in a crash[1] when the other threads tries to access this,\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\nmodifies the cleanup to remove only the specific IRQ mapping that was\njust added.\n\nThis prevents removal of other valid mappings and ensures precise\ncleanup of the failed IRQ allocation's associated glue object.\n\nNote: This error is observed when both fwctl and rds configs are enabled.\n\n[1]\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\ngeneral protection fault, probably for non-canonical address\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\n\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\nCall Trace:\n   <TASK>\n   ? show_trace_log_lvl+0x1d6/0x2f9\n   ? show_trace_log_lvl+0x1d6/0x2f9\n   ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n   ? __die_body.cold+0x8/0xa\n   ? die_addr+0x39/0x53\n   ? exc_general_protection+0x1c4/0x3e9\n   ? dev_vprintk_emit+0x5f/0x90\n   ? asm_exc_general_protection+0x22/0x27\n   ? free_irq_cpu_rmap+0x23/0x7d\n   mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n   irq_pool_request_vector+0x7d/0x90 [mlx5_core]\n   mlx5_irq_request+0x2e/0xe0 [mlx5_core]\n   mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\n   comp_irq_request_pci+0x64/0xf0 [mlx5_core]\n   create_comp_eq+0x71/0x385 [mlx5_core]\n   ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\n   mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\n   ? xas_load+0x8/0x91\n   mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\n   mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\n   mlx5e_open_channels+0xad/0x250 [mlx5_core]\n   mlx5e_open_locked+0x3e/0x110 [mlx5_core]\n   mlx5e_open+0x23/0x70 [mlx5_core]\n   __dev_open+0xf1/0x1a5\n   __dev_change_flags+0x1e1/0x249\n   dev_change_flags+0x21/0x5c\n   do_setlink+0x28b/0xcc4\n   ? __nla_parse+0x22/0x3d\n   ? inet6_validate_link_af+0x6b/0x108\n   ? cpumask_next+0x1f/0x35\n   ? __snmp6_fill_stats64.constprop.0+0x66/0x107\n   ? __nla_validate_parse+0x48/0x1e6\n   __rtnl_newlink+0x5ff/0xa57\n   ? kmem_cache_alloc_trace+0x164/0x2ce\n   rtnl_newlink+0x44/0x6e\n   rtnetlink_rcv_msg+0x2bb/0x362\n   ? __netlink_sendskb+0x4c/0x6c\n   ? netlink_unicast+0x28f/0x2ce\n   ? rtnl_calcit.isra.0+0x150/0x146\n   netlink_rcv_skb+0x5f/0x112\n   netlink_unicast+0x213/0x2ce\n   netlink_sendmsg+0x24f/0x4d9\n   __sock_sendmsg+0x65/0x6a\n   ____sys_sendmsg+0x28f/0x2c9\n   ? import_iovec+0x17/0x2b\n   ___sys_sendmsg+0x97/0xe0\n   __sys_sendmsg+0x81/0xd8\n   do_syscall_64+0x35/0x87\n   entry_SYSCALL_64_after_hwframe+0x6e/0x0\nRIP: 0033:0x7fc328603727\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 00000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\n\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent's refcount, without actually setting the\n`devlink_rate->parent` pointer to NULL.\n\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\n\nThis patch fixes the issue by explicitly setting `devlink_rate->parent`\nto NULL after notifying the driver, thus fulfilling the function's\ndocumented behavior for all rate objects.\n\n[1]\nrepro steps:\necho 1 > /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 > /sys/bus/netdevsim/del_device\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n <TASK>\n devl_rate_leaf_destroy+0x8d/0x90\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n device_unregister+0x1a/0x60\n del_device_store+0x111/0x170 [netdevsim]\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0x10f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n <TASK>\n devl_rate_leaf_destroy+0x8d/0x90\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\n notifier_call_chain+0x33/0xa0\n blocking_notifier_call_chain+0x3b/0x50\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\n mlx5_unload+0x1d/0x170 [mlx5_core]\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\n remove_one+0x78/0xd0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x53/0x1f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n\nThe loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate\nover 'cqe->len_list[]' using only a zero-length terminator as\nthe stopping condition. If the terminator was missing or\nmalformed, the loop could run past the end of the fixed-size array.\n\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\na potential out-of-bounds access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ctcm: Fix double-kfree\n\nThe function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally\nfrom function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.\nAfter that a call to function 'kfree' in function 'ctcmpc_unpack_skb'\nfrees it again.\n\nRemove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.\n\nBug detected by the clang static analyzer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action.  However, the set(nsh(...)) has a very different\nmemory layout.  Nested attributes in there are doubled in size in\ncase of the masked set().  That makes proper validation impossible.\n\nThere is also confusion in the code between the 'masked' flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the 'is_mask' that says that the value\nwe're parsing is the mask.  This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn't allocate any memory for it:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n  RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n  Call Trace:\n   <TASK>\n   validate_nsh+0x60/0x90 [openvswitch]\n   validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n   __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n   ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n   ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n   genl_family_rcv_msg_doit+0xdb/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   genl_rcv_msg+0x47/0xa0\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x280/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   ____sys_sendmsg+0x36b/0x3a0\n   ___sys_sendmsg+0x87/0xd0\n   __sys_sendmsg+0x6d/0xd0\n   do_syscall_64+0x7b/0x2c0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nested\nattributes.  It should be copying each nested attribute and doubling\nthem in size independently.  And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash.  And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let's just remove it altogether.  It's better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40254",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()\n\nThe ethtool tsconfig Netlink path can trigger a null pointer\ndereference. A call chain such as:\n\n  tsconfig_prepare_data() ->\n  dev_get_hwtstamp_phylib() ->\n  vlan_hwtstamp_get() ->\n  generic_hwtstamp_get_lower() ->\n  generic_hwtstamp_ioctl_lower()\n\nresults in generic_hwtstamp_ioctl_lower() being called with\nkernel_cfg->ifr as NULL.\n\nThe generic_hwtstamp_ioctl_lower() function does not expect\na NULL ifr and dereferences it, leading to a system crash.\n\nFix this by adding a NULL check for kernel_cfg->ifr in\ngeneric_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40255",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added\n\nIn commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I\nmissed the case where state creation fails between full\ninitialization (->init_state has been called) and being inserted on\nthe lists.\n\nIn this situation, ->init_state has been called, so for IPcomp\ntunnels, the fallback tunnel has been created and added onto the\nlists, but the user state never gets added, because we fail before\nthat. The user state doesn't go through __xfrm_state_delete, so we\ndon't call xfrm_state_delete_tunnel for those states, and we end up\nleaking the FB tunnel.\n\nThere are several codepaths affected by this: the add/update paths, in\nboth net/key and xfrm, and the migrate code (xfrm_migrate,\nxfrm_state_migrate). A \"proper\" rollback of the init_state work would\nprobably be doable in the add/update code, but for migrate it gets\nmore complicated as multiple states may be involved.\n\nAt some point, the new (not-inserted) state will be destroyed, so call\nxfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states\nwill have their fallback tunnel cleaned up during __xfrm_state_delete,\nwhich solves the issue that b441cf3f8c4b (and other patches before it)\naimed at. All states (including FB tunnels) will be removed from the\nlists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40256",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix a race in mptcp_pm_del_add_timer()\n\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)\nwhile another might have free entry already, as reported by syzbot.\n\nAdd RCU protection to fix this issue.\n\nAlso change confusing add_timer variable with stop_timer boolean.\n\nsyzbot report:\n\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\n\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nWorkqueue: events mptcp_worker\nCall Trace:\n <TASK>\n  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n  __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\n  sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\n  mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\n  mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\n  tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\n  tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\n  tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\n  tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\n  ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\n  NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n  NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n  __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\n  __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\n  process_backlog+0x31e/0x900 net/core/dev.c:6544\n  __napi_poll+0xb6/0x540 net/core/dev.c:7594\n  napi_poll net/core/dev.c:7657 [inline]\n  net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n  __do_softirq kernel/softirq.c:656 [inline]\n  __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\n  mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\n  mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\n  mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n  process_one_work kernel/workqueue.c:3263 [inline]\n  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 44:\n  kasan_save_stack mm/kasan/common.c:56 [inline]\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n  poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\n  kasan_kmalloc include/linux/kasan.h:262 [inline]\n  __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\n  kmalloc_noprof include/linux/slab.h:957 [inline]\n  mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\n  mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\n  mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\n  __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\n  mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\n  mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n  process_one_work kernel/workqueue.c:3263 [inline]\n  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n\nFreed by task 6630:\n  kasan_save_stack mm/kasan/common.c:56 [inline]\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n  __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\n  kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n  poison_slab_object m\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40257",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk->sk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B]     sock_hold(sk);\n        return true;\n    }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n    sock_hold(sk);\n    if (schedule_work(...))\n        return true;\n    sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n <TASK>\n __refcount_add include/linux/refcount.h:-1 [inline]\n  __refcount_inc include/linux/refcount.h:366 [inline]\n  refcount_inc include/linux/refcount.h:383 [inline]\n  sock_hold include/net/sock.h:816 [inline]\n  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n  expire_timers kernel/time/timer.c:1798 [inline]\n  __run_timers kernel/time/timer.c:2372 [inline]\n  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n  run_timer_base kernel/time/timer.c:2393 [inline]\n  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n  __do_softirq kernel/softirq.c:656 [inline]\n  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40258",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Do not sleep in atomic context\n\nsg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may\nsleep. Hence, call sg_finish_rem_req() with interrupts enabled instead\nof disabled.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40259",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix scx_enable() crash on helper kthread creation failure\n\nA crash was observed when the sched_ext selftests runner was\nterminated with Ctrl+\\ while test 15 was running:\n\nNIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0\nLR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0\nCall Trace:\nscx_enable.constprop.0+0x32c/0x12b0 (unreliable)\nbpf_struct_ops_link_create+0x18c/0x22c\n__sys_bpf+0x23f8/0x3044\nsys_bpf+0x2c/0x6c\nsystem_call_exception+0x124/0x320\nsystem_call_vectored_common+0x15c/0x2ec\n\nkthread_run_worker() returns an ERR_PTR() on failure rather than NULL,\nbut the current code in scx_alloc_and_add_sched() only checks for a NULL\nhelper. Incase of failure on SIGQUIT, the error is not handled in\nscx_alloc_and_add_sched() and scx_enable() ends up dereferencing an\nerror pointer.\n\nError handling is fixed in scx_alloc_and_add_sched() to propagate\nPTR_ERR() into ret, so that scx_enable() jumps to the existing error\npath, avoiding random dereference on failure.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40260",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause ->ioerr_work to be queued after\ncancel_work_sync() had been called.  Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure ->ioerr_work is not running\nwhen the nvme_fc_ctrl object is freed.  Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue:  0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS:  0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074]  <TASK>\n[ 1136.063179]  ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540]  ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898]  ? move_linked_works+0x4a/0xa0\n[ 1136.075998]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744]  ? __die_body.cold+0x8/0x12\n[ 1136.085584]  ? die+0x2e/0x50\n[ 1136.088469]  ? do_trap+0xca/0x110\n[ 1136.091789]  ? do_error_trap+0x65/0x80\n[ 1136.095543]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289]  ? exc_invalid_op+0x50/0x70\n[ 1136.105127]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874]  ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806]  move_linked_works+0x4a/0xa0\n[ 1136.124733]  worker_thread+0x216/0x3a0\n[ 1136.128485]  ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758]  kthread+0xfa/0x240\n[ 1136.135904]  ? __pfx_kthread+0x10/0x10\n[ 1136.139657]  ret_from_fork+0x31/0x50\n[ 1136.143236]  ? __pfx_kthread+0x10/0x10\n[ 1136.146988]  ret_from_fork_asm+0x1a/0x30\n[ 1136.150915]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40261",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: imx_sc_key - fix memory corruption on unload\n\nThis is supposed to be \"priv\" but we accidentally pass \"&priv\" which is\nan address in the stack and so it will lead to memory corruption when\nthe imx_sc_key_action() function is called.  Remove the &.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40262",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn't called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n  ...\n  x3 : 0000000000000000 x2 : 0000000000000000\n  x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n  input_event\n  cros_ec_keyb_work\n  blocking_notifier_call_chain\n  ec_irq_thread\n\nIt's still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn't access `ckdev->idev` and friends if\nthe driver doesn't intend to initialize them.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40263",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: pass wrb_params in case of OS2BMC\n\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\npointer when processing a workaround for specific packet, as commit\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\npacket\") states.\n\nThe correct way would be to pass the wrb_params from be_xmit().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40264",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfat: fix missing sb_min_blocksize() return value checks\n\nWhen emulating an nvme device on qemu with both logical_block_size and\nphysical_block_size set to 8 KiB, but without format, a kernel panic\nwas triggered during the early boot stage while attempting to mount a\nvfat filesystem.\n\n[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize\n[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192\n[95553.697117] ------------[ cut here ]------------\n[95553.697567] kernel BUG at fs/buffer.c:1582!\n[95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)\n[95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0\n[95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f\n[95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246\n[95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001\n[95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000\n[95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000\n[95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000\n[95553.706483] FS:  000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000\n[95553.707248] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0\n[95553.708439] PKRU: 55555554\n[95553.708734] Call Trace:\n[95553.709015]  <TASK>\n[95553.709266]  __getblk_slow+0xd2/0x230\n[95553.709641]  ? find_get_block_common+0x8b/0x530\n[95553.710084]  bdev_getblk+0x77/0xa0\n[95553.710449]  __bread_gfp+0x22/0x140\n[95553.710810]  fat_fill_super+0x23a/0xfc0\n[95553.711216]  ? __pfx_setup+0x10/0x10\n[95553.711580]  ? __pfx_vfat_fill_super+0x10/0x10\n[95553.712014]  vfat_fill_super+0x15/0x30\n[95553.712401]  get_tree_bdev_flags+0x141/0x1e0\n[95553.712817]  get_tree_bdev+0x10/0x20\n[95553.713177]  vfat_get_tree+0x15/0x20\n[95553.713550]  vfs_get_tree+0x2a/0x100\n[95553.713910]  vfs_cmd_create+0x62/0xf0\n[95553.714273]  __do_sys_fsconfig+0x4e7/0x660\n[95553.714669]  __x64_sys_fsconfig+0x20/0x40\n[95553.715062]  x64_sys_call+0x21ee/0x26a0\n[95553.715453]  do_syscall_64+0x80/0x670\n[95553.715816]  ? __fs_parse+0x65/0x1e0\n[95553.716172]  ? fat_parse_param+0x103/0x4b0\n[95553.716587]  ? vfs_parse_fs_param_source+0x21/0xa0\n[95553.717034]  ? __do_sys_fsconfig+0x3d9/0x660\n[95553.717548]  ? __x64_sys_fsconfig+0x20/0x40\n[95553.717957]  ? x64_sys_call+0x21ee/0x26a0\n[95553.718360]  ? do_syscall_64+0xb8/0x670\n[95553.718734]  ? __x64_sys_fsconfig+0x20/0x40\n[95553.719141]  ? x64_sys_call+0x21ee/0x26a0\n[95553.719545]  ? do_syscall_64+0xb8/0x670\n[95553.719922]  ? x64_sys_call+0x1405/0x26a0\n[95553.720317]  ? do_syscall_64+0xb8/0x670\n[95553.720702]  ? __x64_sys_close+0x3e/0x90\n[95553.721080]  ? x64_sys_call+0x1b5e/0x26a0\n[95553.721478]  ? do_syscall_64+0xb8/0x670\n[95553.721841]  ? irqentry_exit+0x43/0x50\n[95553.722211]  ? exc_page_fault+0x90/0x1b0\n[95553.722681]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[95553.723166] RIP: 0033:0x72ee774f3afe\n[95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48\n[95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af\n[95553.725892] RAX: ffffffffffffffda RBX: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Check the untrusted offset in FF-A memory share\n\nVerify the offset to prevent OOB access in the hypervisor\nFF-A buffer in case an untrusted large enough value\n[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]\nis set from the host kernel.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: ensure allocated iovec gets cleared for early failure\n\nA previous commit reused the recyling infrastructure for early cleanup,\nbut this is not enough for the case where our internal caches have\noverflowed. If this happens, then the allocated iovec can get leaked if\nthe request is also aborted early.\n\nReinstate the previous forced free of the iovec for that situation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40267",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: client: fix memory leak in smb3_fs_context_parse_param\n\nThe user calls fsconfig twice, but when the program exits, free() only\nfrees ctx->source for the second fsconfig, not the first.\nRegarding fc->source, there is no code in the fs context related to its\nmemory reclamation.\n\nTo fix this memory leak, release the source memory corresponding to ctx\nor fc before each parsing.\n\nsyzbot reported:\nBUG: memory leak\nunreferenced object 0xffff888128afa360 (size 96):\n  backtrace (crc 79c9c7ba):\n    kstrdup+0x3c/0x80 mm/util.c:84\n    smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444\n\nBUG: memory leak\nunreferenced object 0xffff888112c7d900 (size 96):\n  backtrace (crc 79c9c7ba):\n    smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629\n    smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40268",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically.  The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor.  OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above.  This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor.  So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize.  The comparison with\nep->packsize[1] alone should suffice since it's always equal or\ngreater than ep->packsize[0].",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40269",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, swap: fix potential UAF issue for VMA readahead\n\nSince commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device\npinning\"), the common helper for allocating and preparing a folio in the\nswap cache layer no longer tries to get a swap device reference\ninternally, because all callers of __read_swap_cache_async are already\nholding a swap entry reference.  The repeated swap device pinning isn't\nneeded on the same swap device.\n\nCaller of VMA readahead is also holding a reference to the target entry's\nswap device, but VMA readahead walks the page table, so it might encounter\nswap entries from other devices, and call __read_swap_cache_async on\nanother device without holding a reference to it.\n\nSo it is possible to cause a UAF when swapoff of device A raced with\nswapin on device B, and VMA readahead tries to read swap entries from\ndevice A.  It's not easy to trigger, but in theory, it could cause real\nissues.\n\nMake VMA readahead try to get the device reference first if the swap\ndevice is a different one from the target entry.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40270",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time.  The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n   pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n   them from rbtree.  erase tun3 first, and then erase tun2.  the\n   pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n   pde(tun2) which is released, it will case uaf access.\n\nCPU 0                                      |    CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2\nsys_getdents64()                           |\n  iterate_dir()                            |\n    proc_readdir()                         |\n      proc_readdir_de()                    |     snmp6_unregister_dev()\n        pde_get(de);                       |       proc_remove()\n        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()\n                                           |           write_lock(&proc_subdir_lock);\n        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);\n                                           |           write_unlock(&proc_subdir_lock);\n        read_lock(&proc_subdir_lock);      |\n        next = pde_subdir_next(de);        |\n        pde_put(de);                       |\n        de = next;    //UAF                |\n\nrbtree of dev_snmp6\n                        |\n                    pde(tun3)\n                     /    \\\n                  NULL  pde(tun2)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40271",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping.  The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map.  However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40272",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent's stateid\nis being closed/freed or in nfsd4_laundromat if the stateid hasn't\nbeen used in a lease period.\n\nHowever, consider the case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. The new client instance, while doing\nCREATE_SESSION, would force-expire the previous state of this client.\nIt leads to the open state being freed thru release_openowner->\nnfs4_free_ol_stateid(), which finds that it still has a copynotify\nstateid associated with it. We currently print a warning and this is\ntriggered\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813]  laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231]  process_one_work+0x584/0x1050\n[ 1626.870595]  worker_thread+0x4c4/0xc60\n[ 1626.870893]  kthread+0x2f8/0x398\n[ 1626.871146]  ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40273",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying\n\nWhen unbinding a memslot from a guest_memfd instance, remove the bindings\neven if the guest_memfd file is dying, i.e. even if its file refcount has\ngone to zero.  If the memslot is freed before the file is fully released,\nnullifying the memslot side of the binding in kvm_gmem_release() will\nwrite to freed memory, as detected by syzbot+KASAN:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n  Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022\n\n  CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0xca/0x240 mm/kasan/report.c:482\n   kasan_report+0x118/0x150 mm/kasan/report.c:595\n   kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n   __fput+0x44c/0xa70 fs/file_table.c:468\n   task_work_run+0x1d4/0x260 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43\n   exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n   syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n   syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n   do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fbeeff8efc9\n   </TASK>\n\n  Allocated by task 6023:\n   kasan_save_stack mm/kasan/common.c:56 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n   poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n   __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414\n   kasan_kmalloc include/linux/kasan.h:262 [inline]\n   __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758\n   kmalloc_noprof include/linux/slab.h:957 [inline]\n   kzalloc_noprof include/linux/slab.h:1094 [inline]\n   kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104\n   kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n   kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 6023:\n   kasan_save_stack mm/kasan/common.c:56 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n   poison_slab_object mm/kasan/common.c:252 [inline]\n   __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284\n   kasan_slab_free include/linux/kasan.h:234 [inline]\n   slab_free_hook mm/slub.c:2533 [inline]\n   slab_free mm/slub.c:6622 [inline]\n   kfree+0x19a/0x6d0 mm/slub.c:6829\n   kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130\n   kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n   kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDeliberately don't acquire filemap invalid lock when the file is dying as\nthe lifecycle of f_mapping is outside the purview of KVM.  Dereferencing\nthe mapping is *probably* fine, but there's no need to invalidate anything\nas memslot deletion is responsible for zapping SPTEs, and the only code\nthat can access the dying file is kvm_gmem_release(), whose core code is\nmutual\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40274",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40275",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Flush shmem writes before mapping buffers CPU-uncached\n\nThe shmem layer zeroes out the new pages using cached mappings, and if\nwe don't CPU-flush we might leave dirty cachelines behind, leading to\npotential data leaks and/or asynchronous buffer corruption when dirty\ncachelines are evicted.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40276",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40277",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected by syzbot.\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable 'opt' was partially initialized using a\ndesignated initializer, while the padding bytes remained\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, so these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to being copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40278",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable 'opt' was partially initialized using a\ndesignated initializer, while the padding bytes remained\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, so these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to being copied.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40279",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)->monitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet's hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40280",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type 'unsigned int'\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:233 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: 6lowpan: reset link-local header on ipv6 recv path\n\nBluetooth 6lowpan.c netdev has header_ops, so it must set link-local\nheader for RX skb, otherwise things crash, e.g. with AF_PACKET SOCK_RAW\n\nAdd missing skb_reset_mac_header() for uncompressed ipv6 RX path.\n\nFor the compressed one, it is done in lowpan_header_decompress().\n\nLog: (BlueZ 6lowpan-tester Client Recv Raw - Success)\n------\nkernel BUG at net/core/skbuff.c:212!\nCall Trace:\n<IRQ>\n...\npacket_rcv (net/packet/af_packet.c:2152)\n...\n<TASK>\n__local_bh_enable_ip (kernel/softirq.c:407)\nnetif_rx (net/core/dev.c:5648)\nchan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)\n------",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is freed.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: cancel mesh send timer when hdev removed\n\nmesh_send_done timer is not canceled when hdev is removed, which causes\ncrash if the timer triggers after hdev is gone.\n\nCancel the timer when MGMT removes the hdev, like other MGMT timers.\n\nShould fix the BUG: sporadically seen by BlueZ test bot\n(in \"Mesh - Send cancel - 1\" test).\n\nLog:\n------\nBUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0\n...\nFreed by task 36:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x103/0x500\n device_release+0x9a/0x210\n kobject_put+0x100/0x1e0\n vhci_release+0x18b/0x240\n------",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix possible refcount leak in smb2_sess_setup()\n\nThe reference count of ksmbd_session will leak when the session needs to reconnect.\nFix this by adding the missing ksmbd_user_session_put().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix possible memory leak in smb2_read()\n\nA memory leak occurs when ksmbd_vfs_read() fails.\nFix this by adding the missing kvfree().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix improper check of dentry.stream.valid_size\n\nWe found an infinite loop bug in the exFAT file system that can lead to a\nDenial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is\nmalformed, the following system calls \u2014 SYS_openat, SYS_ftruncate, and\nSYS_pwrite64 \u2014 can cause the kernel to hang.\n\nRoot cause analysis shows that the size validation code in exfat_find()\ndoes not check whether dentry.stream.valid_size is negative. As a result,\nthe system calls mentioned above can succeed and eventually trigger the DoS\nissue.\n\nThis patch adds a check for negative dentry.stream.valid_size to prevent\nthis vulnerability.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man->bdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs\u2014since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n   `amdgpu_cs_get_threshold_for_moves()` to include a check for\n   `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n   `bdev`), return 0 for migration thresholds immediately\u2014skipping VRAM-specific\n   logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n   reporting to use a conditional: if the manager is used, return the real VRAM\n   usage; otherwise, return 0. This avoids accessing `man->bdev` when it is\n   NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n   data write path. Use `ttm_resource_manager_used()` to check validity: if the\n   manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n   `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM's design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n  `man->bdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM\n\nOtherwise accessing them can cause a crash.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n\nSince commit 30f241fcf52a (\"xsk: Fix immature cq descriptor\nproduction\"), the descriptor number is stored in skb control block and\nxsk_cq_submit_addr_locked() relies on it to put the umem addrs onto\npool's completion queue.\n\nskb control block shouldn't be used for this purpose as after transmit\nxsk doesn't have control over it and other subsystems could use it. This\nleads to the following kernel panic due to a NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy)  Debian 6.16.12-1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:xsk_destruct_skb+0xd0/0x180\n [...]\n Call Trace:\n  <IRQ>\n  ? napi_complete_done+0x7a/0x1a0\n  ip_rcv_core+0x1bb/0x340\n  ip_rcv+0x30/0x1f0\n  __netif_receive_skb_one_core+0x85/0xa0\n  process_backlog+0x87/0x130\n  __napi_poll+0x28/0x180\n  net_rx_action+0x339/0x420\n  handle_softirqs+0xdc/0x320\n  ? handle_edge_irq+0x90/0x1e0\n  do_softirq.part.0+0x3b/0x60\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x60/0x70\n  __dev_direct_xmit+0x14e/0x1f0\n  __xsk_generic_xmit+0x482/0xb70\n  ? __remove_hrtimer+0x41/0xa0\n  ? __xsk_generic_xmit+0x51/0xb70\n  ? _raw_spin_unlock_irqrestore+0xe/0x40\n  xsk_sendmsg+0xda/0x1c0\n  __sys_sendto+0x1ee/0x200\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x84/0x2f0\n  ? __pfx_pollwake+0x10/0x10\n  ? __rseq_handle_notify_resume+0xad/0x4c0\n  ? restore_fpregs_from_fpstate+0x3c/0x90\n  ? switch_fpu_return+0x5b/0xe0\n  ? do_syscall_64+0x204/0x2f0\n  ? do_syscall_64+0x204/0x2f0\n  ? do_syscall_64+0x204/0x2f0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  </TASK>\n [...]\n Kernel panic - not syncing: Fatal exception in interrupt\n Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n\nInstead use the skb destructor_arg pointer along with pointer tagging.\nAs pointers are always aligned to 8B, use the bottom bit to indicate\nwhether this is a single address or an allocated struct containing several\naddresses.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix regbuf vector size truncation\n\nThere is a report of io_estimate_bvec_size() truncating the calculated\nnumber of segments that leads to corruption issues. Check it doesn't\noverflow \"int\"s used later. Rough but simple, can be improved on top.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix received length check in big packets\n\nSince commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length\nfor big packets\"), when guest gso is off, the allocated size for big\npackets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on\nnegotiated MTU. The number of allocated frags for big packets is stored\nin vi->big_packets_num_skbfrags.\n\nBecause the host announced buffer length can be malicious (e.g. the host\nvhost_net driver's get_rx_bufs is modified to announce incorrect\nlength), we need a check in virtio_net receive path. Currently, the\ncheck is not adapted to the new change which can lead to NULL page\npointer dereference in the below while loop when receiving length that\nis larger than the allocated one.\n\nThis commit fixes the received length check corresponding to the new\nchange.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Don't overflow during division for dirty tracking\n\nIf pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow\nto 0 and this triggers divide by 0.\n\nIn this case the index should just be 0, so reorganize things to divide\nby shift and avoid hitting any overflows.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the 'value' array in the mgmt_adv_pattern structure is 31.\nIf the value of 'pattern[i].length' is set in the user space\nand exceeds 31, the 'patterns[i].value' array can be accessed\nout of bound when copied.\n\nIncreasing the size of the 'value' array in\nthe 'mgmt_adv_pattern' structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for 'offset'\nand 'length' back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT\n\nWhen simulating an nvme device on qemu with both logical_block_size and\nphysical_block_size set to 8 KiB, an error trace appears during\npartition table reading at boot time. The issue is caused by\ninode->i_blkbits being larger than PAGE_SHIFT, which leads to a left\nshift of -1 and triggering a UBSAN warning.\n\n[    2.697306] ------------[ cut here ]------------\n[    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37\n[    2.697311] shift exponent -1 is negative\n[    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)\n[    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[    2.697320] Call Trace:\n[    2.697324]  <TASK>\n[    2.697325]  dump_stack_lvl+0x76/0xa0\n[    2.697340]  dump_stack+0x10/0x20\n[    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390\n[    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94\n[    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90\n[    2.697365]  submit_bh_wbc+0xb6/0x190\n[    2.697370]  block_read_full_folio+0x194/0x270\n[    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10\n[    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10\n[    2.697377]  blkdev_read_folio+0x18/0x30\n[    2.697379]  filemap_read_folio+0x40/0xe0\n[    2.697382]  filemap_get_pages+0x5ef/0x7a0\n[    2.697385]  ? mmap_region+0x63/0xd0\n[    2.697389]  filemap_read+0x11d/0x520\n[    2.697392]  blkdev_read_iter+0x7c/0x180\n[    2.697393]  vfs_read+0x261/0x390\n[    2.697397]  ksys_read+0x71/0xf0\n[    2.697398]  __x64_sys_read+0x19/0x30\n[    2.697399]  x64_sys_call+0x1e88/0x26a0\n[    2.697405]  do_syscall_64+0x80/0x670\n[    2.697410]  ? __x64_sys_newfstat+0x15/0x20\n[    2.697414]  ? x64_sys_call+0x204a/0x26a0\n[    2.697415]  ? do_syscall_64+0xb8/0x670\n[    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0\n[    2.697420]  ? irqentry_exit+0x43/0x50\n[    2.697421]  ? exc_page_fault+0x90/0x1b0\n[    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[    2.697425] RIP: 0033:0x75054cba4a06\n[    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\n[    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n[    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06\n[    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b\n[    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000\n[    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0\n[    2.697436]  </TASK>\n[    2.697436] ---[ end trace ]---\n\nThis situation can happen for block devices because when\nCONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size\nis 64 KiB. set_init_blocksize() then sets the block device\ninode->i_blkbits to 13, which is within this limit.\n\nFile I/O does not trigger this problem because for filesystems that do\nnot support the FS_LBS feature, sb_set_blocksize() prevents\nsb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode\nallocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits\nfrom sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS\nflag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not\nhit the left-shift underflow issue.\n\n[EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Fix double free of GPIO device during unregister\n\nregulator_unregister() already frees the associated GPIO device. On\nThinkPad X9 (Lunar Lake), this causes a double free issue that leads to\nrandom failures when other drivers (typically Intel THC) attempt to\nallocate interrupts. The root cause is that the reference count of the\npinctrl_intel_platform module unexpectedly drops to zero when this\ndriver defers its probe.\n\nThis behavior can also be reproduced by unloading the module directly.\n\nFix the issue by removing the redundant release of the GPIO device\nduring regulator unregistration.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix use-after-free due to MST port state bypass\n\nsyzbot reported[1] a use-after-free when deleting an expired fdb. It is\ndue to a race condition between learning still happening and a port being\ndeleted, after all its fdbs have been flushed. The port's state has been\ntoggled to disabled so no learning should happen at that time, but if we\nhave MST enabled, it will bypass the port's state, that together with VLAN\nfiltering disabled can lead to fdb learning at a time when it shouldn't\nhappen while the port is being deleted. VLAN filtering must be disabled\nbecause we flush the port VLANs when it's being deleted which will stop\nlearning. This fix adds a check for the port's vlan group which is\ninitialized to NULL when the port is getting deleted, that avoids the port\nstate bypass. When MST is enabled there would be a minimal new overhead\nin the fast-path because the port's vlan group pointer is cache-hot.\n\n[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Implement settime64 with -EOPNOTSUPP\n\nptp_clock_settime() assumes every ptp_clock has implemented settime64().\nStub it with -EOPNOTSUPP to prevent a NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Implement gettimex64 with -EOPNOTSUPP\n\ngve implemented a ptp_clock for sole use of do_aux_work at this time.\nptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has\nimplemented either gettimex64 or gettime64. Stub gettimex64 and return\n-EOPNOTSUPP to prevent NULL dereferencing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17"
        },
        {
          "id": "CVE-2025-40301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: validate skb length for unknown CC opcode\n\nIn hci_cmd_complete_evt(), if the command complete event has an unknown\nopcode, we assume the first byte of the remaining skb->data contains the\nreturn status. However, parameter data has previously been pulled in\nhci_event_func(), which may leave the skb empty. If so, using skb->data[0]\nfor the return status uses un-init memory.\n\nThe fix is to check skb->len before using skb->data.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: forbid remove_bufs when legacy fileio is active\n\nvb2_ioctl_remove_bufs() call manipulates queue internal buffer list,\npotentially overwriting some pointers used by the legacy fileio access\nmode. Forbid that ioctl when fileio is active to protect internal queue\nstate between subsequent read/write calls.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure no dirty metadata is written back for an fs with errors\n\n[BUG]\nDuring development of a minor feature (make sure all btrfs_bio::end_io()\nis called in task context), I noticed a crash in generic/388, where\nmetadata writes triggered new works after btrfs_stop_all_workers().\n\nIt turns out that it can even happen without any code modification, just\nusing RAID5 for metadata and the same workload from generic/388 is going\nto trigger the use-after-free.\n\n[CAUSE]\nIf btrfs hits an error, the fs is marked as error, no new\ntransaction is allowed thus metadata is in a frozen state.\n\nBut there are some metadata modifications before that error, and they are\nstill in the btree inode page cache.\n\nSince there will be no real transaction commit, all those dirty folios\nare just kept as is in the page cache, and they can not be invalidated\nby invalidate_inode_pages2() call inside close_ctree(), because they are\ndirty.\n\nAnd finally after btrfs_stop_all_workers(), we call iput() on btree\ninode, which triggers writeback of those dirty metadata.\n\nAnd if the fs is using RAID56 metadata, this will trigger RMW and queue\nnew works into rmw_workers, which is already stopped, causing warning\nfrom queue_work() and use-after-free.\n\n[FIX]\nAdd a special handling for write_one_eb(), that if the fs is already in\nan error state, immediately mark the bbio as failure, instead of really\nsubmitting them.\n\nThen during close_ctree(), iput() will just discard all those dirty\ntree blocks without really writing them back, thus no more new jobs for\nalready stopped-and-freed workqueues.\n\nThe extra discard in write_one_eb() also acts as an extra safenet.\nE.g. the transaction abort is triggered by some extent/free space\ntree corruptions, and since extent/free space tree is already corrupted\nsome tree blocks may be allocated where they shouldn't be (overwriting\nexisting tree blocks). In that case writing them back will further\ncorrupting the fs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds\n\nAdd bounds checking to prevent writes past framebuffer boundaries when\nrendering text near screen edges. Return early if the Y position is off-screen\nand clip image height to screen boundary. Break from the rendering loop if the\nX position is off-screen. When clipping image width to fit the screen, update\nthe character count to match the clipped width to prevent buffer size\nmismatches.\n\nWithout the character count update, bit_putcs_aligned and bit_putcs_unaligned\nreceive mismatched parameters where the buffer is allocated for the clipped\nwidth but cnt reflects the original larger count, causing out-of-bounds writes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN\n\np9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq)\nif list_empty(&m->req_list).\n\nHowever, if the pipe is full, we need to read more data and this used to\nwork prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer\nif the pipe is still full\").\n\np9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before\nthe commit above) triggered the unnecessary wakeup. This wakeup calls\np9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux()\nwill notice EPOLLIN and schedule_work(&m->rq).\n\nThis no longer happens after the optimization above, change p9_fd_request()\nto use p9_poll_mux() instead of only checking for EPOLLOUT.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau <w@1wt.eu> forwarded me a message from\nDisclosure <disclosure@aisle.com> with the following\nwarning:\n\n> The helper `xattr_key()` uses the pointer variable in the loop condition\n> rather than dereferencing it. As `key` is incremented, it remains non-NULL\n> (until it runs into unmapped memory), so the loop does not terminate on\n> valid C strings and will walk memory indefinitely, consuming CPU or hanging\n> the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that lead to OOM. xattr_key returns\na hashed key.  When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: validate cluster allocation bits of the allocation bitmap\n\nsyzbot created an exfat image with cluster bits not set for the allocation\nbitmap. exfat-fs reads and uses the allocation bitmap without checking\nthis. The problem is that if the start cluster of the allocation bitmap\nis 6, cluster 6 can be allocated when creating a directory with mkdir.\nexfat zeros out this cluster in exfat_mkdir, which can delete existing\nentries. This can reallocate the allocated entries. In addition,\nthe allocation bitmap is also zeroed out, so cluster 6 can be reallocated.\nThis patch adds exfat_test_bitmap_range to validate that clusters used for\nthe allocation bitmap are correctly marked as in-use.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n    Call Trace:\n     <TASK>\n     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:907 [inline]\n     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw\n\nThere is race in amdgpu_amdkfd_device_fini_sw and interrupt.\nif amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and\n  kfree(kfd), and KGD interrupt generated.\n\nkernel panic log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000098\namdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP\n\nPGD d78c68067 P4D d78c68067\n\nkfd kfd: amdgpu: Allocated 3969056 bytes on gart\n\nPUD 1465b8067 PMD @\n\nOops: @002 [#1] SMP NOPTI\n\nkfd kfd: amdgpu: Total number of KFD nodes to be created: 4\nCPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K\n\nRIP: 0010:_raw_spin_lock_irqsave+0x12/0x40\n\nCode: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc\n\n89 c6 e8 07 38 5d\n\nRSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046\n\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018\n0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098\nffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020\n0000000000000000 R11: 0000000000000000 R12: 0900000000000002\nffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00\n\nCS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033\n\nCR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0\n0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400\n\nPKRU: 55555554\n\nCall Trace:\n\n<IRQ>\n\nkgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]\n\n? amdgpu_fence_process+0xa4/0x150 [amdgpu]\n\nkfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace\n\namdgpu_irq_dispatch+0x165/0x210 [amdgpu]\n\namdgpu_ih_process+0x80/0x100 [amdgpu]\n\namdgpu: Virtual CRAT table created for GPU\n\namdgpu_irq_handler+0x1f/@x60 [amdgpu]\n\n__handle_irq_event_percpu+0x3d/0x170\n\namdgpu: Topology: Add dGPU node [0x74a2:0x1002]\n\nhandle_irq_event+0x5a/@xcO\n\nhandle_edge_irq+0x93/0x240\n\nkfd kfd: amdgpu: KFD node 1 partition @ size 49148M\n\nasm_call_irq_on_stack+0xf/@x20\n\n</IRQ>\n\ncommon_interrupt+0xb3/0x130\n\nasm_common_interrupt+0x1le/0x40\n\n5.10.134-010.a1i5000.a18.x86_64 #1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: support mapping cb with vmalloc-backed coherent memory\n\nWhen IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return\naddresses from the vmalloc range. If such an address is mapped without\nVM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the\nVM_PFNMAP restriction.\n\nFix this by checking for vmalloc addresses and setting VM_MIXEDMAP\nin the VMA before mapping. This ensures safe mapping and avoids kernel\ncrashes. The memory is still driver-allocated and cannot be accessed\ndirectly by userspace.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Verify inode mode when loading from disk\n\nThe inode mode loaded from corrupted disk can be invalid. Do like what\ncommit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\")\ndoes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: pretend $Extend records as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev->gadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix epfile null pointer access after ep enable.\n\nA race condition occurs when ffs_func_eps_enable() runs concurrently\nwith ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()\nsets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading\nto a NULL pointer dereference when accessing epfile->ep in\nffs_func_eps_enable() after successful usb_ep_enable().\n\nThe ffs->epfiles pointer is set to NULL in both ffs_data_clear() and\nffs_data_close() functions, and its modification is protected by the\nspinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function\nis also protected by ffs->eps_lock.\n\nThus, add NULL pointer handling for ffs->epfiles in the\nffs_func_eps_enable() function to fix issues",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix device use-after-free on unbind\n\nA recent change fixed device reference leaks when looking up drm\nplatform device driver data during bind() but failed to remove a partial\nfix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix\nkobject put for component sub-drivers\").\n\nThis results in a reference imbalance on component bind() failures and\non unbind() which could lead to a user-after-free.\n\nMake sure to only drop the references after retrieving the driver data\nby effectively reverting the previous partial fix.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n  slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n  slim_read+0x48/0x74 [slimbus]\n  regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n  _regmap_raw_read+0xe8/0x174\n  _regmap_bus_read+0x44/0x80\n  _regmap_read+0x60/0xd8\n  _regmap_update_bits+0xf4/0x140\n  _regmap_select_page+0xa8/0x124\n  _regmap_raw_write_impl+0x3b8/0x65c\n  _regmap_bus_raw_write+0x60/0x80\n  _regmap_write+0x58/0xc0\n  regmap_write+0x4c/0x80\n  wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n  snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n  __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n  dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n  dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n  snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n  snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n  snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n  __arm64_sys_ioctl+0xac/0x104\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0x40/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x34/0xec\n  el0t_64_sync_handler+0xa0/0xf0\n  el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto &slimbus->dev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\n\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\n\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(&rb->work)` ensures that all pending irq_work\ncomplete before freeing the buffer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential cfid UAF in smb2_query_info_compound\n\nWhen smb2_query_info_compound() retries, a previously allocated cfid may\nhave been freed in the first attempt.\nBecause cfid wasn't reset on replay, later cleanup could act on a stale\npointer, leading to a potential use-after-free.\n\nReinitialize cfid to NULL under the replay label.\n\nExample trace (trimmed):\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110\n[...]\nRIP: 0010:refcount_warn_saturate+0x9c/0x110\n[...]\nCall Trace:\n <TASK>\n smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? step_into+0x10d/0x690\n ? __legitimize_path+0x28/0x60\n smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? kmem_cache_alloc+0x18a/0x340\n ? getname_flags+0x46/0x1e0\n cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n statfs_by_dentry+0x67/0x90\n vfs_statfs+0x16/0xd0\n user_statfs+0x54/0xa0\n __do_sys_statfs+0x20/0x50\n do_syscall_64+0x58/0x80",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302]  genl_rcv_msg+0x220/0x2a0\n [ 1417.076317]  netlink_rcv_skb+0x68/0x140\n [ 1417.076330]  genl_rcv+0x40/0x60\n [ 1417.076343]  netlink_unicast+0x330/0x3b8\n [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370]  __sock_sendmsg+0x64/0xc0\n [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408]  ___sys_sendmsg+0xb8/0x118\n [ 1417.076427]  __sys_sendmsg+0x90/0xf8\n [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465]  invoke_syscall+0x50/0x120\n [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506]  do_el0_svc+0x24/0x38\n [ 1417.076525]  el0_svc+0x30/0x100\n [ 1417.076548]  el0t_64_sync_handler+0x100/0x130\n [ 1417.076569]  el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font's\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Set fb_display[i]->mode to NULL when the mode is released\n\nRecently, we discovered the following issue through syzkaller:\n\nBUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0\nRead of size 4 at addr ff11000001b3c69c by task syz.xxx\n...\nCall Trace:\n <TASK>\n dump_stack_lvl+0xab/0xe0\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb9/0x280\n kasan_report+0xb8/0xf0\n fb_mode_is_equal+0x285/0x2f0\n fbcon_mode_deleted+0x129/0x180\n fb_set_var+0xe7f/0x11d0\n do_fb_ioctl+0x6a0/0x750\n fb_ioctl+0xe0/0x140\n __x64_sys_ioctl+0x193/0x210\n do_syscall_64+0x5f/0x9c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nBased on experimentation and analysis, during framebuffer unregistration,\nonly the memory of fb_info->modelist is freed, without setting the\ncorresponding fb_display[i]->mode to NULL for the freed modes. This leads\nto UAF issues during subsequent accesses. Here's an example of reproduction\nsteps:\n1. With /dev/fb0 already registered in the system, load a kernel module\n   to register a new device /dev/fb1;\n2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);\n3. Switch console from fb to VGA (to allow normal rmmod of the ko);\n4. Unload the kernel module, at this point fb1's modelist is freed, leaving\n   a wild pointer in fb_display[];\n5. Trigger the bug via system calls through fb0 attempting to delete a mode\n   from fb0.\n\nAdd a check in do_unregister_framebuffer(): if the mode to be freed exists\nin fb_display[], set the corresponding mode pointer to NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40323",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40324",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: wait barrier before returning discard request with REQ_NOWAIT\n\nraid10_handle_discard should wait barrier before returning a discard bio\nwhich has REQ_NOWAIT. And there is no need to print warning calltrace\nif a discard bio has REQ_NOWAIT flag. Quality engineer usually checks\ndmesg and reports error if dmesg has warning/error calltrace.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40325",
          "detail": "fixed-version",
          "description": "Fixed from version 6.15"
        },
        {
          "id": "CVE-2025-40326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define actions for the new time_deleg FATTR4 attributes\n\nNFSv4 clients won't send legitimate GETATTR requests for these new\nattributes because they are intended to be used only with CB_GETATTR\nand SETATTR. But NFSD has to do something besides crashing if it\never sees a GETATTR request that queries these attributes.\n\nRFC 8881 Section 18.7.3 states:\n\n> The server MUST return a value for each attribute that the client\n> requests if the attribute is supported by the server for the\n> target file system. If the server does not support a particular\n> attribute on the target file system, then it MUST NOT return the\n> attribute value and MUST NOT set the attribute bit in the result\n> bitmap. The server MUST return an error if it supports an\n> attribute on the target but cannot obtain its value. In that case,\n> no attribute values will be returned.\n\nFurther, RFC 9754 Section 5 states:\n\n> These new attributes are invalid to be used with GETATTR, VERIFY,\n> and NVERIFY, and they can only be used with CB_GETATTR and SETATTR\n> by a client holding an appropriate delegation.\n\nThus there does not appear to be a specific server response mandated\nby specification. Taking the guidance that querying these attributes\nvia GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the\nrequest entirely.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix system hang caused by cpu-clock usage\n\ncpu-clock usage by the async-profiler tool can trigger a system hang,\nwhich got bisected back to the following commit by Octavia Togami:\n\n  18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue\n\nThe root cause of the hang is that cpu-clock is a special type of SW\nevent which relies on hrtimers. The __perf_event_overflow() callback\nis invoked from the hrtimer handler for cpu-clock events, and\n__perf_event_overflow() tries to call cpu_clock_event_stop()\nto stop the event, which calls htimer_cancel() to cancel the hrtimer.\n\nBut that's a recursion into the hrtimer code from a hrtimer handler,\nwhich (unsurprisingly) deadlocks.\n\nTo fix this bug, use hrtimer_try_to_cancel() instead, and set\nthe PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer()\nto stop the event once it sees the PERF_HES_STOPPED flag.\n\n[ mingo: Fixed the comments and improved the changelog. ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40327",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_close_cached_fid()\n\nfind_or_create_cached_dir() could grab a new reference after kref_put()\nhad seen the refcount drop to zero but before cfid_list_lock is acquired\nin smb2_close_cached_fid(), leading to use-after-free.\n\nSwitch to kref_put_lock() so cfid_release() is called with\ncfid_list_lock held, closing that gap.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40328",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031]  Possible interrupt unsafe locking scenario:\n\n[ 1231.611033]        CPU0                    CPU1\n[ 1231.611034]        ----                    ----\n[ 1231.611035]   lock(&xa->xa_lock#17);\n[ 1231.611038]                                local_irq_disable();\n[ 1231.611039]                                lock(&fence->lock);\n[ 1231.611041]                                lock(&xa->xa_lock#17);\n[ 1231.611044]   <Interrupt>\n[ 1231.611045]     lock(&fence->lock);\n[ 1231.611047]\n                *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job->dependencies\nthrough the xa_* functions that don't disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n  dma_fence_signal() // locks f1.lock\n  -> drm_sched_entity_kill_jobs_cb()\n  -> foreach dependencies\n     -> dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40329",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Shutdown FW DMA in bnxt_shutdown()\n\nThe netif_close() call in bnxt_shutdown() only stops packet DMA.  There\nmay be FW DMA for trace logging (recently added) that will continue.  If\nwe kexec to a new kernel, the DMA will corrupt memory in the new kernel.\n\nAdd bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.\nThis will stop the FW DMA.  In case the call fails, call pcie_flr() to\nreset the function and stop the DMA.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40330",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n  sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40331",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mmap write lock not release\n\nIf mmap write lock is taken while draining retry fault, mmap write lock\nis not released because svm_range_restore_pages calls mmap_read_unlock\nthen returns. This causes deadlock and system hangs later because mmap\nread or write lock cannot be taken.\n\nDowngrade mmap write lock to read lock if draining retry fault fix this\nbug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40332",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix infinite loop in __insert_extent_tree()\n\nWhen we get wrong extent info data, and look up extent_node in rb tree,\nit will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by\nreturn NULL and print some kernel messages in that case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40333",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate userq buffer virtual address and size\n\nIt needs to validate the userq object virtual address to\ndetermine whether it is residented in a valid vm mapping.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40334",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate userq input args\n\nThis will help on validating the userq input args, and\nrejecting for the invalid userq request at the IOCTLs\nfirst place.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40335",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gpusvm: fix hmm_pfn_to_map_order() usage\n\nHandle the case where the hmm range partially covers a huge page (like\n2M), otherwise we can potentially end up doing something nasty like\nmapping memory which is outside the range, and maybe not even mapped by\nthe mm. Fix is based on the xe userptr code, which in a future patch\nwill directly use gpusvm, so needs alignment here.\n\nv2:\n  - Add kernel-doc (Matt B)\n  - s/fls/ilog2/ (Thomas)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40336",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Correctly handle Rx checksum offload errors\n\nThe stmmac_rx function would previously set skb->ip_summed to\nCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled\nand the packet was of a known IP ethertype.\n\nHowever, this logic failed to check if the hardware had actually\nreported a checksum error. The hardware status, indicating a header or\npayload checksum failure, was being ignored at this stage. This could\ncause corrupt packets to be passed up the network stack as valid.\n\nThis patch corrects the logic by checking the `csum_none` status flag,\nwhich is set when the hardware reports a checksum error. If this flag\nis set, skb->ip_summed is now correctly set to CHECKSUM_NONE,\nensuring the kernel's network stack will perform its own validation and\nproperly handle the corrupt packet.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40337",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Do not share the name pointer between components\n\nBy sharing 'name' directly, tearing down components may lead to\nuse-after-free errors. Duplicate the name to avoid that.\n\nAt the same time, update the order of operations - since commit\ncee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via\nconfig\") the framework does not override component->name if set before\ninvoking the initializer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40338",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix nullptr err of vm_handle_moved\n\nIf a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL.\nSo, such kind of amdgpu_bo_va should be updated separately before\namdgpu_vm_handle_moved.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40339",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.\n\nI saw an oops in xe_gem_fault when running the xe-fast-feedback\ntestlist against the realtime kernel without debug options enabled.\n\nThe panic happens after core_hotunplug unbind-rebind finishes.\nPresumably what happens is that a process mmaps, unlocks because\nof the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,\ncausing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since\nthere was nothing left to populate, and then oopses in\n\"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource\nis NULL.\n\nIt's convoluted, but fits the data and explains the oops after\nthe test exits.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40340",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don't leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task's\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T->robust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal->exec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task's exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40341",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40342",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40343",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Disable periods-elapsed work when closing PCM\n\navs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio\nstream while period-elapsed work services its IRQs. As the former\nfrees the DAI's private context, these two operations shall be\nsynchronized to avoid slab-use-after-free or worse errors.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40344",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: sddr55: Reject out-of-bound new_pba\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nnew_pba comes from the status packet returned after each write.\nA bogus device could report values beyond the block count derived\nfrom info->capacity, letting the driver walk off the end of\npba_to_lba[] and corrupt heap memory.\n\nReject PBAs that exceed the computed block count and fail the\ntransfer so we avoid touching out-of-range mapping entries.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40345",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Fix incorrect error check in topology_parse_cpu_capacity()\n\nFix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()\nwhich causes the code to proceed with NULL clock pointers. The current\nlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both\nvalid pointers and NULL, leading to potential NULL pointer dereference\nin clk_get_rate().\n\nPer include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:\n\"The error code within @ptr if it is an error pointer; 0 otherwise.\"\n\nThis means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL\npointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)\nwhen cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be\ncalled when of_clk_get() returns NULL.\n\nReplace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid\npointers, preventing potential NULL pointer dereference in clk_get_rate().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40346",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix the deadlock of enetc_mdio_lock\n\nAfter applying the workaround for err050089, the LS1028A platform\nexperiences RCU stalls on RT kernel. This issue is caused by the\nrecursive acquisition of the read lock enetc_mdio_lock. Here list some\nof the call stacks identified under the enetc_poll path that may lead to\na deadlock:\n\nenetc_poll\n  -> enetc_lock_mdio\n  -> enetc_clean_rx_ring OR napi_complete_done\n     -> napi_gro_receive\n        -> enetc_start_xmit\n           -> enetc_lock_mdio\n           -> enetc_map_tx_buffs\n           -> enetc_unlock_mdio\n  -> enetc_unlock_mdio\n\nAfter enetc_poll acquires the read lock, a higher-priority writer attempts\nto acquire the lock, causing preemption. The writer detects that a\nread lock is already held and is scheduled out. However, readers under\nenetc_poll cannot acquire the read lock again because a writer is already\nwaiting, leading to a thread hang.\n\nCurrently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent\nrecursive lock acquisition.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40347",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: Avoid race on slab->obj_exts in alloc_slab_obj_exts\n\nIf two competing threads enter alloc_slab_obj_exts() and one of them\nfails to allocate the object extension vector, it might override the\nvalid slab->obj_exts allocated by the other thread with\nOBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and\nexpects a valid pointer to dereference a NULL pointer later on.\n\nUpdate slab->obj_exts atomically using cmpxchg() to avoid\nslab->obj_exts overrides by racing threads.\n\nThanks for Vlastimil and Suren's help with debugging.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40348",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.6"
        },
        {
          "id": "CVE-2025-40349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: validate record offset in hfsplus_bmap_alloc\n\nhfsplus_bmap_alloc can trigger a crash if a\nrecord offset or length is larger than node_size\n\n[   15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0\n[   15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183\n[   15.265949]\n[   15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)\n[   15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   15.266167] Call Trace:\n[   15.266168]  <TASK>\n[   15.266169]  dump_stack_lvl+0x53/0x70\n[   15.266173]  print_report+0xd0/0x660\n[   15.266181]  kasan_report+0xce/0x100\n[   15.266185]  hfsplus_bmap_alloc+0x887/0x8b0\n[   15.266208]  hfs_btree_inc_height.isra.0+0xd5/0x7c0\n[   15.266217]  hfsplus_brec_insert+0x870/0xb00\n[   15.266222]  __hfsplus_ext_write_extent+0x428/0x570\n[   15.266225]  __hfsplus_ext_cache_extent+0x5e/0x910\n[   15.266227]  hfsplus_ext_read_extent+0x1b2/0x200\n[   15.266233]  hfsplus_file_extend+0x5a7/0x1000\n[   15.266237]  hfsplus_get_block+0x12b/0x8c0\n[   15.266238]  __block_write_begin_int+0x36b/0x12c0\n[   15.266251]  block_write_begin+0x77/0x110\n[   15.266252]  cont_write_begin+0x428/0x720\n[   15.266259]  hfsplus_write_begin+0x51/0x100\n[   15.266262]  cont_write_begin+0x272/0x720\n[   15.266270]  hfsplus_write_begin+0x51/0x100\n[   15.266274]  generic_perform_write+0x321/0x750\n[   15.266285]  generic_file_write_iter+0xc3/0x310\n[   15.266289]  __kernel_write_iter+0x2fd/0x800\n[   15.266296]  dump_user_range+0x2ea/0x910\n[   15.266301]  elf_core_dump+0x2a94/0x2ed0\n[   15.266320]  vfs_coredump+0x1d85/0x45e0\n[   15.266349]  get_signal+0x12e3/0x1990\n[   15.266357]  arch_do_signal_or_restart+0x89/0x580\n[   15.266362]  irqentry_exit_to_user_mode+0xab/0x110\n[   15.266364]  asm_exc_page_fault+0x26/0x30\n[   15.266366] RIP: 0033:0x41bd35\n[   15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f\n[   15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283\n[   15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000\n[   15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100\n[   15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000\n[   15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[   15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000\n[   15.266376]  </TASK>\n\nWhen calling hfsplus_bmap_alloc to allocate a free node, this function\nfirst retrieves the bitmap from header node and map node using node->page\ntogether with the offset and length from hfs_brec_lenoff\n\n```\nlen = hfs_brec_lenoff(node, 2, &off16);\noff = off16;\n\noff += node->page_offset;\npagep = node->page + (off >> PAGE_SHIFT);\ndata = kmap_local_page(*pagep);\n```\n\nHowever, if the retrieved offset or length is invalid(i.e. exceeds\nnode_size), the code may end up accessing pages outside the allocated\nrange for this node.\n\nThis patch adds proper validation of both offset and length before use,\npreventing out-of-bounds page access. Move is_bnode_offset_valid and\ncheck_and_correct_requested_length to hfsplus_fs.h, as they may be\nrequired by other functions.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40349",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ\n\nXDP programs can change the layout of an xdp_buff through\nbpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver\ncannot assume the size of the linear data area nor fragments. Fix the\nbug in mlx5 by generating skb according to xdp_buff after XDP programs\nrun.\n\nCurrently, when handling multi-buf XDP, the mlx5 driver assumes the\nlayout of an xdp_buff to be unchanged. That is, the linear data area\ncontinues to be empty and fragments remain the same. This may cause\nthe driver to generate erroneous skb or triggering a kernel\nwarning. When an XDP program added linear data through\nbpf_xdp_adjust_head(), the linear data will be ignored as\nmlx5e_build_linear_skb() builds an skb without linear data and then\npull data from fragments to fill the linear data area. When an XDP\nprogram has shrunk the non-linear data through bpf_xdp_adjust_tail(),\nthe delta passed to __pskb_pull_tail() may exceed the actual nonlinear\ndata size and trigger the BUG_ON in it.\n\nTo fix the issue, first record the original number of fragments. If the\nnumber of fragments changes after the XDP program runs, rewind the end\nfragment pointer by the difference and recalculate the truesize. Then,\nbuild the skb with the linear data area matching the xdp_buff. Finally,\nonly pull data in if there is non-linear data and fill the linear part\nup to 256 bytes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40350",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n\nThe syzbot reported issue in hfsplus_delete_cat():\n\n[   70.682285][ T9333] =====================================================\n[   70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220\n[   70.683640][ T9333]  hfsplus_subfolders_dec+0x1d7/0x220\n[   70.684141][ T9333]  hfsplus_delete_cat+0x105d/0x12b0\n[   70.684621][ T9333]  hfsplus_rmdir+0x13d/0x310\n[   70.685048][ T9333]  vfs_rmdir+0x5ba/0x810\n[   70.685447][ T9333]  do_rmdir+0x964/0xea0\n[   70.685833][ T9333]  __x64_sys_rmdir+0x71/0xb0\n[   70.686260][ T9333]  x64_sys_call+0xcd8/0x3cf0\n[   70.686695][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.687119][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.687646][ T9333]\n[   70.687856][ T9333] Uninit was stored to memory at:\n[   70.688311][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0\n[   70.688779][ T9333]  hfsplus_create_cat+0x148e/0x1800\n[   70.689231][ T9333]  hfsplus_mknod+0x27f/0x600\n[   70.689730][ T9333]  hfsplus_mkdir+0x5a/0x70\n[   70.690146][ T9333]  vfs_mkdir+0x483/0x7a0\n[   70.690545][ T9333]  do_mkdirat+0x3f2/0xd30\n[   70.690944][ T9333]  __x64_sys_mkdir+0x9a/0xf0\n[   70.691380][ T9333]  x64_sys_call+0x2f89/0x3cf0\n[   70.691816][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.692229][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.692773][ T9333]\n[   70.692990][ T9333] Uninit was stored to memory at:\n[   70.693469][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0\n[   70.693960][ T9333]  hfsplus_create_cat+0x148e/0x1800\n[   70.694438][ T9333]  hfsplus_fill_super+0x21c1/0x2700\n[   70.694911][ T9333]  mount_bdev+0x37b/0x530\n[   70.695320][ T9333]  hfsplus_mount+0x4d/0x60\n[   70.695729][ T9333]  legacy_get_tree+0x113/0x2c0\n[   70.696167][ T9333]  vfs_get_tree+0xb3/0x5c0\n[   70.696588][ T9333]  do_new_mount+0x73e/0x1630\n[   70.697013][ T9333]  path_mount+0x6e3/0x1eb0\n[   70.697425][ T9333]  __se_sys_mount+0x733/0x830\n[   70.697857][ T9333]  __x64_sys_mount+0xe4/0x150\n[   70.698269][ T9333]  x64_sys_call+0x2691/0x3cf0\n[   70.698704][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.699117][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.699730][ T9333]\n[   70.699946][ T9333] Uninit was created at:\n[   70.700378][ T9333]  __alloc_pages_noprof+0x714/0xe60\n[   70.700843][ T9333]  alloc_pages_mpol_noprof+0x2a2/0x9b0\n[   70.701331][ T9333]  alloc_pages_noprof+0xf8/0x1f0\n[   70.701774][ T9333]  allocate_slab+0x30e/0x1390\n[   70.702194][ T9333]  ___slab_alloc+0x1049/0x33a0\n[   70.702635][ T9333]  kmem_cache_alloc_lru_noprof+0x5ce/0xb20\n[   70.703153][ T9333]  hfsplus_alloc_inode+0x5a/0xd0\n[   70.703598][ T9333]  alloc_inode+0x82/0x490\n[   70.703984][ T9333]  iget_locked+0x22e/0x1320\n[   70.704428][ T9333]  hfsplus_iget+0x5c/0xba0\n[   70.704827][ T9333]  hfsplus_btree_open+0x135/0x1dd0\n[   70.705291][ T9333]  hfsplus_fill_super+0x1132/0x2700\n[   70.705776][ T9333]  mount_bdev+0x37b/0x530\n[   70.706171][ T9333]  hfsplus_mount+0x4d/0x60\n[   70.706579][ T9333]  legacy_get_tree+0x113/0x2c0\n[   70.707019][ T9333]  vfs_get_tree+0xb3/0x5c0\n[   70.707444][ T9333]  do_new_mount+0x73e/0x1630\n[   70.707865][ T9333]  path_mount+0x6e3/0x1eb0\n[   70.708270][ T9333]  __se_sys_mount+0x733/0x830\n[   70.708711][ T9333]  __x64_sys_mount+0xe4/0x150\n[   70.709158][ T9333]  x64_sys_call+0x2691/0x3cf0\n[   70.709630][ T9333]  do_syscall_64+0xd9/0x1d0\n[   70.710053][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[   70.710611][ T9333]\n[   70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17\n[   70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.712490][ T9333] =====================================================\n[   70.713085][ T9333] Disabling lock debugging due to kernel taint\n[   70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...\n[   70.714159][ T9333] \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40351",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init\n\nThe lock-related debug logic (CONFIG_LOCK_STAT) in the kernel is noting\nthe following warning when the BlueField-3 SOC is booted:\n\n  BUG: key ffff00008a3402a8 has not been registered!\n  ------------[ cut here ]------------\n  DEBUG_LOCKS_WARN_ON(1)\n  WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0\n<snip>\n  Call trace:\n   lockdep_init_map_type+0x1d4/0x2a0\n   __kernfs_create_file+0x84/0x140\n   sysfs_add_file_mode_ns+0xcc/0x1cc\n   internal_create_group+0x110/0x3d4\n   internal_create_groups.part.0+0x54/0xcc\n   sysfs_create_groups+0x24/0x40\n   device_add+0x6e8/0x93c\n   device_register+0x28/0x40\n   __hwmon_device_register+0x4b0/0x8a0\n   devm_hwmon_device_register_with_groups+0x7c/0xe0\n   mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc]\n   platform_probe+0x70/0x110\n\nThe mlxbf_pmc driver must call sysfs_attr_init() during the\ninitialization of the \"count_clock\" data structure to avoid\nthis warning.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40352",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Do not warn if the page is already tagged in copy_highpage()\n\nThe arm64 copy_highpage() assumes that the destination page is newly\nallocated and not MTE-tagged (PG_mte_tagged unset) and warns\naccordingly. However, following commit 060913999d7a (\"mm: migrate:\nsupport poisoned recover from migrate folio\"), folio_mc_copy() is called\nbefore __folio_migrate_mapping(). If the latter fails (-EAGAIN), the\ncopy will be done again to the same destination page. Since\ncopy_highpage() already set the PG_mte_tagged flag, this second copy\nwill warn.\n\nReplace the WARN_ON_ONCE(page already tagged) in the arm64\ncopy_highpage() with a comment.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40353",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: increase max link count and fix link->enc NULL pointer access\n\n[why]\n1.) dc->links[MAX_LINKS] array size smaller than actual requested.\nmax_connector + max_dpia + 4 virtual = 14.\nincrease from 12 to 14.\n\n2.) hw_init() access null LINK_ENC for dpia non display_endpoint.\n\n(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40354",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysfs: check visibility before changing group attribute ownership\n\nSince commit 0c17270f9b92 (\"net: sysfs: Implement is_visible for\nphys_(port_id, port_name, switch_id)\"), __dev_change_net_namespace() can\nhit WARN_ON() when trying to change owner of a file that isn't visible.\nSee the trace below:\n\n WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30\n CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full)  4b783b4a638669fb644857f484487d17cb45ed1f\n Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025\n RIP: 0010:__dev_change_net_namespace+0xb89/0xc30\n [...]\n Call Trace:\n  <TASK>\n  ? if6_seq_show+0x30/0x50\n  do_setlink.isra.0+0xc7/0x1270\n  ? __nla_validate_parse+0x5c/0xcc0\n  ? security_capable+0x94/0x1a0\n  rtnl_newlink+0x858/0xc20\n  ? update_curr+0x8e/0x1c0\n  ? update_entity_lag+0x71/0x80\n  ? sched_balance_newidle+0x358/0x450\n  ? psi_task_switch+0x113/0x2a0\n  ? __pfx_rtnl_newlink+0x10/0x10\n  rtnetlink_rcv_msg+0x346/0x3e0\n  ? sched_clock+0x10/0x30\n  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x59/0x110\n  netlink_unicast+0x285/0x3c0\n  ? __alloc_skb+0xdb/0x1a0\n  netlink_sendmsg+0x20d/0x430\n  ____sys_sendmsg+0x39f/0x3d0\n  ? import_iovec+0x2f/0x40\n  ___sys_sendmsg+0x99/0xe0\n  __sys_sendmsg+0x8a/0xf0\n  do_syscall_64+0x81/0x970\n  ? __sys_bind+0xe3/0x110\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? sock_alloc_file+0x63/0xc0\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? alloc_fd+0x12e/0x190\n  ? put_unused_fd+0x2a/0x70\n  ? do_sys_openat2+0xa2/0xe0\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? exc_page_fault+0x7e/0x1a0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n  </TASK>\n\nFix this by checking is_visible() before trying to touch the attribute.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40355",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rockchip-sfc: Fix DMA-API usage\n\nUse DMA-API dma_map_single() call for getting the DMA address of the\ntransfer buffer instead of hacking with virt_to_phys().\n\nThis fixes the following DMA-API debug warning:\n------------[ cut here ]------------\nDMA-API: rockchip-sfc fe300000.spi: device driver tries to sync DMA memory it has not allocated [device address=0x000000000cf70000] [size=288 bytes]\nWARNING: kernel/dma/debug.c:1106 at check_sync+0x1d8/0x690, CPU#2: systemd-udevd/151\nModules linked in: ...\nHardware name: Hardkernel ODROID-M1 (DT)\npstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : check_sync+0x1d8/0x690\nlr : check_sync+0x1d8/0x690\n..\nCall trace:\n check_sync+0x1d8/0x690 (P)\n debug_dma_sync_single_for_cpu+0x84/0x8c\n __dma_sync_single_for_cpu+0x88/0x234\n rockchip_sfc_exec_mem_op+0x4a0/0x798 [spi_rockchip_sfc]\n spi_mem_exec_op+0x408/0x498\n spi_nor_read_data+0x170/0x184\n spi_nor_read_sfdp+0x74/0xe4\n spi_nor_parse_sfdp+0x120/0x11f0\n spi_nor_sfdp_init_params_deprecated+0x3c/0x8c\n spi_nor_scan+0x690/0xf88\n spi_nor_probe+0xe4/0x304\n spi_mem_probe+0x6c/0xa8\n spi_probe+0x94/0xd4\n really_probe+0xbc/0x298\n ...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40356",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nsyzbot reported a crash:\n\n  Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n  KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n  CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n  RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n  Call Trace:\n   <TASK>\n   smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n   smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n   netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n   __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n   netlink_dump_start include/linux/netlink.h:341 [inline]\n   smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n   __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n   sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n   netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n   netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   __sock_sendmsg net/socket.c:729 [inline]\n   ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n   ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n   __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\nThe process is like this:\n\n               (CPU1)              |             (CPU2)\n  ---------------------------------|-------------------------------\n  inet_create()                    |\n    // init clcsock to NULL        |\n    sk = sk_alloc()                |\n                                   |\n    // unexpectedly change clcsock |\n    inet_init_csk_locks()          |\n                                   |\n    // add sk to hash table        |\n    smc_inet_init_sock()           |\n      smc_sk_init()                |\n        smc_hash_sk()              |\n                                   | // traverse the hash table\n                                   | smc_diag_dump_proto\n                                   |   __smc_diag_dump()\n                                   |     // visit wrong clcsock\n                                   |     smc_diag_msg_common_fill()\n    // alloc clcsock               |\n    smc_create_clcsk               |\n      sock_create_kern             |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is not needed by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch also reverts\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40357",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: stacktrace: Disable KASAN checks for non-current tasks\n\nUnwinding the stack of a task other than current, KASAN would report\n\"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"\n\nThere is the same issue on x86, which has been resolved by commit\n84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\").\nThe solution could be applied to RISC-V too.\n\nThis patch can also solve the issue:\nhttps://seclists.org/oss-sec/2025/q4/23\n\n[pjw@kernel.org: clean up checkpatch issues]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40358",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix KASAN global-out-of-bounds warning\n\nWhen running \"perf mem record\" command on CWF, the below KASAN\nglobal-out-of-bounds warning is seen.\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0\n  Read of size 4 at addr ffffffffb721d000 by task dtlb/9850\n\n  Call Trace:\n\n   kasan_report+0xb8/0xf0\n   cmt_latency_data+0x176/0x1b0\n   setup_arch_pebs_sample_data+0xf49/0x2560\n   intel_pmu_drain_arch_pebs+0x577/0xb00\n   handle_pmi_common+0x6c4/0xc80\n\nThe issue is caused by below code in __grt_latency_data(). The code\ntries to access x86_hybrid_pmu structure which doesn't exist on\nnon-hybrid platform like CWF.\n\n        WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)\n\nSo add is_hybrid() check before calling this WARN_ON_ONCE to fix the\nglobal-out-of-bounds access issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40359",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sysfb: Do not dereference NULL pointer in plane reset\n\nThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not\nderef that pointer, but forward NULL to the other plane-reset helpers.\nClears plane->state to NULL.\n\nv2:\n- fix typo in commit description (Javier)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40360",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix multifs mds auth caps issue\n\nThe mds auth caps check should also validate the\nfsname along with the associated caps. Not doing\nso would result in applying the mds auth caps of\none fs on to the other fs in a multifs ceph cluster.\nThe bug causes multiple issues w.r.t. user\nauthentication, following is one such example.\n\nSteps to Reproduce (on vstart cluster):\n1. Create two file systems in a cluster, say 'fsname1' and 'fsname2'\n2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'\n    $ceph fs authorize fsname1 client.usr / r\n3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'\n    $ceph fs authorize fsname2 client.usr / rw\n4. Update the keyring\n    $ceph auth get client.usr >> ./keyring\n\nWith above permissions for the user 'client.usr', following is the\nexpectation.\n  a. The 'client.usr' should be able to only read the contents\n     and not allowed to create or delete files on file system 'fsname1'.\n  b. The 'client.usr' should be able to read/write on file system 'fsname2'.\n\nBut, with this bug, the 'client.usr' is allowed to read/write on file\nsystem 'fsname1'. See below.\n\n5. Mount the file system 'fsname1' with the user 'client.usr'\n     $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/\n6. Try creating a file on file system 'fsname1' with user 'client.usr'. This\n   should fail but passes with this bug.\n     $touch /kmnt_fsname1_usr/file1\n7. Mount the file system 'fsname1' with the user 'client.admin' and create a\n   file.\n     $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin\n     $echo \"data\" > /kmnt_fsname1_admin/admin_file1\n8. Try removing an existing file on file system 'fsname1' with the user\n   'client.usr'. This shouldn't succeed but succeeds with the bug.\n     $rm -f /kmnt_fsname1_usr/admin_file1\n\nFor more information, please take a look at the corresponding mds/fuse patch\nand tests added by looking into the tracker mentioned below.\n\nv2: Fix a possible null dereference in doutc\nv3: Don't store fsname from mdsmap, validate against\n    ceph_mount_options's fsname and use it\nv4: Code refactor, better warning message and\n    fix possible compiler warning\n\n[ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40362",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix field-spanning memcpy warning in AH output\n\nFix field-spanning memcpy warnings in ah6_output() and\nah6_output_done() where extension headers are copied to/from IPv6\naddress fields, triggering fortify-string warnings about writes beyond\nthe 16-byte address fields.\n\n  memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)\n  WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439\n\nThe warnings are false positives as the extension headers are\nintentionally placed after the IPv6 header in memory. Fix by properly\ncopying addresses and extension headers separately, and introduce\nhelper functions to avoid code duplication.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40363",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-40364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix io_req_prep_async with provided buffers\n\nio_req_prep_async() can import provided buffers, commit the ring state\nby giving up on that before, it'll be reimported later if needed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-40364",
          "detail": "fixed-version",
          "description": "Fixed from version 6.14"
        },
        {
          "id": "CVE-2025-4598",
          "summary": "A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.\n\nA SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-4598"
        },
        {
          "id": "CVE-2025-68167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix invalid pointer access in debugfs\n\nIf the memory allocation in gpiolib_seq_start() fails, the s->private\nfield remains uninitialized and is later dereferenced without checking\nin gpiolib_seq_stop(). Initialize s->private to NULL before calling\nkzalloc() and check it before dereferencing it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68167",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uninitialized waitqueue in transaction manager\n\nThe transaction manager initialization in txInit() was not properly\ninitializing TxBlock[0].waitor waitqueue, causing a crash when\ntxEnd(0) is called on read-only filesystems.\n\nWhen a filesystem is mounted read-only, txBegin() returns tid=0 to\nindicate no transaction. However, txEnd(0) still gets called and\ntries to access TxBlock[0].waitor via tid_to_tblock(0), but this\nwaitqueue was never initialized because the initialization loop\nstarted at index 1 instead of 0.\n\nThis causes a 'non-static key' lockdep warning and system crash:\n  INFO: trying to register non-static key in txEnd\n\nFix by ensuring all transaction blocks including TxBlock[0] have\ntheir waitqueues properly initialized during txInit().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68168",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix deadlock in memory allocation under spinlock\n\nFix an AA deadlock in refill_skbs() where memory allocation while holding\nskb_pool->lock can trigger a recursive lock acquisition attempt.\n\nThe deadlock scenario occurs when the system is under severe memory\npressure:\n\n1. refill_skbs() acquires skb_pool->lock (spinlock)\n2. alloc_skb() is called while holding the lock\n3. Memory allocator fails and calls slab_out_of_memory()\n4. This triggers printk() for the OOM warning\n5. The console output path calls netpoll_send_udp()\n6. netpoll_send_udp() attempts to acquire the same skb_pool->lock\n7. Deadlock: the lock is already held by the same CPU\n\nCall stack:\n  refill_skbs()\n    spin_lock_irqsave(&skb_pool->lock)    <- lock acquired\n    __alloc_skb()\n      kmem_cache_alloc_node_noprof()\n        slab_out_of_memory()\n          printk()\n            console_flush_all()\n              netpoll_send_udp()\n                skb_dequeue()\n                  spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt\n\nThis bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb\nrefilling on critical path\") which removed refill_skbs() from the\ncritical path (where nested printk was being deferred), letting nested\nprintk be called from inside refill_skbs()\n\nRefactor refill_skbs() to never allocate memory while holding\nthe spinlock.\n\nAnother possible solution to fix this problem is protecting the\nrefill_skbs() from nested printks, basically calling\nprintk_deferred_{enter,exit}() in refill_skbs(), then, any nested\npr_warn() would be deferred.\n\nI prefer this approach, given I _think_ it might be a good idea to move\nthe alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having\nthe alloc_skb() outside of the lock will be a necessary step.\n\nThere is a possible TOCTOU issue when checking for the pool length, and\nqueueing the newly allocated skb, but, this is not an issue, given that\nan extra SKB in the pool is harmless and it will be eventually used.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68169",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Do not kfree() devres managed rdev\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling\nkfree() on it.\n\nThis fixes things exploding if the driver probe fails and devres cleans up\nthe rdev after we already free'd it.\n\n(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68170",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Ensure XFD state on signal delivery\n\nSean reported [1] the following splat when running KVM tests:\n\n   WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70\n   Call Trace:\n    <TASK>\n    fpu__clear_user_states+0x9c/0x100\n    arch_do_signal_or_restart+0x142/0x210\n    exit_to_user_mode_loop+0x55/0x100\n    do_syscall_64+0x205/0x2c0\n    entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nChao further identified [2] a reproducible scenario involving signal\ndelivery: a non-AMX task is preempted by an AMX-enabled task which\nmodifies the XFD MSR.\n\nWhen the non-AMX task resumes and reloads XSTATE with init values,\na warning is triggered due to a mismatch between fpstate::xfd and the\nCPU's current XFD state. fpu__clear_user_states() does not currently\nre-synchronize the XFD state after such preemption.\n\nInvoke xfd_update_state() which detects and corrects the mismatch if\nthere is a dynamic feature.\n\nThis also benefits the sigreturn path, as fpu__restore_sig() may call\nfpu__clear_user_states() when the sigframe is inaccessible.\n\n[ dhansen: minor changelog munging ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68171",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aspeed - fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the manual clock cleanup in both aspeed_acry_probe()'s error\npath and aspeed_acry_remove().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68172",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix softlockup in ftrace_module_enable\n\nA soft lockup was observed when loading the amdgpu module.\nIf a module has a lot of traceable functions, multiple calls\nto kallsyms_lookup can spend too much time in an RCU critical\nsection and with disabled preemption, causing a kernel panic.\nThis is the same issue that was fixed in\ncommit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY\nkernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to\nftrace_graph_set_hash()\").\n\nFix it the same way by adding cond_resched() in ftrace_module_enable.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68173",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: enhance kfd process check in switch partition\n\nCurrently switch partition only checks if kfd_processes_table is empty.\nThe kfd_processes_table entry is deleted in kfd_process_notifier_release, but\nkfd_process tear down is in kfd_process_wq_release.\n\nConsider two processes:\n\nProcess A (workqueue) -> kfd_process_wq_release -> Access kfd_node member\nProcess B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw\n-> kfd_node tear down.\n\nProcess A and B may trigger a race as shown in the dmesg log.\n\nThis patch resolves the race by adding an atomic kfd_process counter\nkfd_processes_count, which increments when a kfd process is created and\ndecrements when kfd_process_wq_release finishes.\n\nv2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds\nand bug fix. (Philip Yang)\n\n[3966658.307702] divide error: 0000 [#1] SMP NOPTI\n[3966658.350818]  i10nm_edac\n[3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted\n[3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu]\n[3966658.362839]  nfit\n[3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu]\n[3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00\n[3966658.380967]  x86_pkg_temp_thermal\n[3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246\n[3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000\n[3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00\n[3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4\n[3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000\n[3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800\n[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000\n[3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0\n[3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[3966658.391536] PKRU: 55555554\n[3966658.391536] Call Trace:\n[3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu]\n[3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu]\n[3966658.399754]  intel_powerclamp\n[3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu]\n[3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu]\n[3966658.410516]  coretemp\n[3966658.434016]  process_one_work+0x1ad/0x380\n[3966658.434021]  worker_thread+0x49/0x310\n[3966658.438963]  kvm_intel\n[3966658.446041]  ? process_one_work+0x380/0x380\n[3966658.446045]  kthread+0x118/0x140\n[3966658.446047]  ? __kthread_bind_mask+0x60/0x60\n[3966658.446050]  ret_from_fork+0x1f/0x30\n[3966658.446053] Modules linked in: kpatch_20765354(OEK)\n[3966658.455310]  kvm\n[3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK)\n[3966658.473462]  idxd_mdev\n[3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68174",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: Fix streaming cleanup on release\n\nThe current implementation unconditionally calls\nmxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can\nlead to situations where any release call (like from a simple\n\"v4l2-ctl -l\") may release a currently streaming queue when called on\nsuch a device.\n\nThis is reproducible on an i.MX8MP board by streaming from an ISI\ncapture device using gstreamer:\n\n\tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\\n\t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\\n\t    fakesink\n\nWhile this stream is running, querying the caps of the same device\nprovokes the error state:\n\n\tv4l2-ctl -l -d /dev/videoX\n\nThis results in the following trace:\n\n[  155.452152] ------------[ cut here ]------------\n[  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi]\n[  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6\n[  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT\n[  157.064369] Hardware name: imx8mp_board_01 (DT)\n[  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi]\n[  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi]\n[  157.087126] sp : ffff800080003ee0\n[  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000\n[  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50\n[  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000\n[  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000\n[  157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000\n[  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38\n[  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000\n[  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000\n[  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200\n[  157.161850] Call trace:\n[  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P)\n[  157.170319]  __handle_irq_event_percpu+0x58/0x218\n[  157.175029]  handle_irq_event+0x54/0xb8\n[  157.178867]  handle_fasteoi_irq+0xac/0x248\n[  157.182968]  handle_irq_desc+0x48/0x68\n[  157.186723]  generic_handle_domain_irq+0x24/0x38\n[  157.191346]  gic_handle_irq+0x54/0x120\n[  157.195098]  call_on_irq_stack+0x24/0x30\n[  157.199027]  do_interrupt_handler+0x88/0x98\n[  157.203212]  el0_interrupt+0x44/0xc0\n[  157.206792]  __el0_irq_handler_common+0x18/0x28\n[  157.211328]  el0t_64_irq_handler+0x10/0x20\n[  157.215429]  el0t_64_irq+0x198/0x1a0\n[  157.219009] ---[ end trace 0000000000000000 ]---\n\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nvb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of\nthe manual cleanup from mxc_isi_video_release().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68175",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: cadence: Check for the existence of cdns_pcie::ops before using it\n\ncdns_pcie::ops might not be populated by all the Cadence glue drivers. This\nis going to be true for the upcoming Sophgo platform which doesn't set the\nops.\n\nHence, add a check to prevent NULL pointer dereference.\n\n[mani: reworded subject and description]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68176",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq/longhaul: handle NULL policy in longhaul_exit\n\nlonghaul_exit() was calling cpufreq_cpu_get(0) without checking\nfor a NULL policy pointer. On some systems, this could lead to a\nNULL dereference and a kernel warning or panic.\n\nThis patch adds a check using unlikely() and returns early if the\npolicy is NULL.\n\nBugzilla: #219962",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68177",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix possible deadlock while configuring policy\n\nFollowing deadlock can be triggered easily by lockdep:\n\nWARNING: possible circular locking dependency detected\n6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted\n------------------------------------------------------\ncheck/1334 is trying to acquire lock:\nff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180\n\nbut task is already holding lock:\nff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:\n       blk_queue_enter+0x40b/0x470\n       blkg_conf_prep+0x7b/0x3c0\n       tg_set_limit+0x10a/0x3e0\n       cgroup_file_write+0xc6/0x420\n       kernfs_fop_write_iter+0x189/0x280\n       vfs_write+0x256/0x490\n       ksys_write+0x83/0x190\n       __x64_sys_write+0x21/0x30\n       x64_sys_call+0x4608/0x4630\n       do_syscall_64+0xdb/0x6b0\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n-> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:\n       __mutex_lock+0xd8/0xf50\n       mutex_lock_nested+0x2b/0x40\n       wbt_init+0x17e/0x280\n       wbt_enable_default+0xe9/0x140\n       blk_register_queue+0x1da/0x2e0\n       __add_disk+0x38c/0x5d0\n       add_disk_fwnode+0x89/0x250\n       device_add_disk+0x18/0x30\n       virtblk_probe+0x13a3/0x1800\n       virtio_dev_probe+0x389/0x610\n       really_probe+0x136/0x620\n       __driver_probe_device+0xb3/0x230\n       driver_probe_device+0x2f/0xe0\n       __driver_attach+0x158/0x250\n       bus_for_each_dev+0xa9/0x130\n       driver_attach+0x26/0x40\n       bus_add_driver+0x178/0x3d0\n       driver_register+0x7d/0x1c0\n       __register_virtio_driver+0x2c/0x60\n       virtio_blk_init+0x6f/0xe0\n       do_one_initcall+0x94/0x540\n       kernel_init_freeable+0x56a/0x7b0\n       kernel_init+0x2b/0x270\n       ret_from_fork+0x268/0x4c0\n       ret_from_fork_asm+0x1a/0x30\n\n-> #0 (&q->sysfs_lock){+.+.}-{4:4}:\n       __lock_acquire+0x1835/0x2940\n       lock_acquire+0xf9/0x450\n       __mutex_lock+0xd8/0xf50\n       mutex_lock_nested+0x2b/0x40\n       blk_unregister_queue+0x53/0x180\n       __del_gendisk+0x226/0x690\n       del_gendisk+0xba/0x110\n       sd_remove+0x49/0xb0 [sd_mod]\n       device_remove+0x87/0xb0\n       device_release_driver_internal+0x11e/0x230\n       device_release_driver+0x1a/0x30\n       bus_remove_device+0x14d/0x220\n       device_del+0x1e1/0x5a0\n       __scsi_remove_device+0x1ff/0x2f0\n       scsi_remove_device+0x37/0x60\n       sdev_store_delete+0x77/0x100\n       dev_attr_store+0x1f/0x40\n       sysfs_kf_write+0x65/0x90\n       kernfs_fop_write_iter+0x189/0x280\n       vfs_write+0x256/0x490\n       ksys_write+0x83/0x190\n       __x64_sys_write+0x21/0x30\n       x64_sys_call+0x4608/0x4630\n       do_syscall_64+0xdb/0x6b0\n       entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nother info that might help us debug this:\n\nChain exists of:\n  &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(&q->q_usage_counter(queue)#3);\n                               lock(&q->rq_qos_mutex);\n                               lock(&q->q_usage_counter(queue)#3);\n  lock(&q->sysfs_lock);\n\nRoot cause is that queue_usage_counter is grabbed with rq_qos_mutex\nheld in blkg_conf_prep(), while queue should be freezed before\nrq_qos_mutex from other context.\n\nThe blk_queue_enter() from blkg_conf_prep() is used to protect against\npolicy deactivation, which is already protected with blkcg_mutex, hence\nconvert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile,\nconsider that blkcg_mutex is held after queue is freezed from policy\ndeactivation, also convert blkg_alloc() to use GFP_NOIO.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68178",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP\n\nAs reported by Luiz Capitulino enabling HVO on s390 leads to reproducible\ncrashes. The problem is that kernel page tables are modified without\nflushing corresponding TLB entries.\n\nEven if it looks like the empty flush_tlb_all() implementation on s390 is\nthe problem, it is actually a different problem: on s390 it is not allowed\nto replace an active/valid page table entry with another valid page table\nentry without the detour over an invalid entry. A direct replacement may\nlead to random crashes and/or data corruption.\n\nIn order to invalidate an entry special instructions have to be used\n(e.g. ipte or idte). Alternatively there are also special instructions\navailable which allow to replace a valid entry with a different valid\nentry (e.g. crdte or cspg).\n\nGiven that the HVO code currently does not provide the hooks to allow for\nan implementation which is compliant with the s390 architecture\nrequirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is\nbasically a revert of the original patch which enabled it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68179",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref in debugfs odm_combine_segments\n\nWhen a connector is connected but inactive (e.g., disabled by desktop\nenvironments), pipe_ctx->stream_res.tg will be destroyed. Then, reading\nodm_combine_segments causes kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy)  e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6\n Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  seq_read_iter+0x125/0x490\n  ? __alloc_frozen_pages_noprof+0x18f/0x350\n  seq_read+0x12c/0x170\n  full_proxy_read+0x51/0x80\n  vfs_read+0xbc/0x390\n  ? __handle_mm_fault+0xa46/0xef0\n  ? do_syscall_64+0x71/0x900\n  ksys_read+0x73/0xf0\n  do_syscall_64+0x71/0x900\n  ? count_memcg_events+0xc2/0x190\n  ? handle_mm_fault+0x1d7/0x2d0\n  ? do_user_addr_fault+0x21a/0x690\n  ? exc_page_fault+0x7e/0x1a0\n  entry_SYSCALL_64_after_hwframe+0x6c/0x74\n RIP: 0033:0x7f44d4031687\n Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>\n RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687\n RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003\n RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000\n  </TASK>\n Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>\n  snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>\n  platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n\nFix this by checking pipe_ctx->\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68180",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Remove calls to drm_put_dev()\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd\nshould be done by devres.\n\nHowever, drm_put_dev() is still in the probe error and device remove\npaths. When the driver fails to probe warnings like the following are\nshown because devres is trying to drm_put_dev() after the driver\nalready did it.\n\n[    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22\n[    5.649605] ------------[ cut here ]------------\n[    5.649607] refcount_t: underflow; use-after-free.\n[    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\n(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68181",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()\n\nThis code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it\ndereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\"\nfirst to avoid a potential use after free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68182",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr\n\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\n\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n\n    # getfattr -m - -d -e hex /usr/bin/bash\n    # file: usr/bin/bash\n    security.ima=0x0404...\n\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\n\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\n\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\n\nHere's a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n\n    #include <stdio.h>\n    #include <sys/xattr.h>\n    #include <fcntl.h>\n    #include <unistd.h>\n    #include <string.h>\n    #include <stdlib.h>\n\n    int main() {\n        const char* file_path = \"/usr/sbin/test_binary\";\n        const char* hex_string = \"030204d33204490066306402304\";\n        int length = strlen(hex_string);\n        char* ima_attr_value;\n        int fd;\n\n        fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\n        if (fd == -1) {\n            perror(\"Error opening file\");\n            return 1;\n        }\n\n        ima_attr_value = (char*)malloc(length / 2 );\n        for (int i = 0, j = 0; i < length; i += 2, j++) {\n            sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);\n        }\n\n        if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\n            perror(\"Error setting extended attribute\");\n            close(fd);\n            return 1;\n        }\n\n        const char* selinux_value= \"system_u:object_r:bin_t:s0\";\n        if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\n            perror(\"Error setting extended attribute\");\n            close(fd);\n            return 1;\n        }\n\n        close(fd);\n\n        return 0;\n    }",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68183",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Disable AFBC support on Mediatek DRM driver\n\nCommit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM\ndriver\") added AFBC support to Mediatek DRM and enabled the\n32x8/split/sparse modifier.\n\nHowever, this is currently broken on Mediatek MT8188 (Genio 700 EVK\nplatform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by\ndefault since Mesa v25.0.\n\nKernel trace reports vblank timeouts constantly, and the render is garbled:\n\n```\n[CRTC:62:crtc-0] vblank wait timed out\nWARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\n[...]\nHardware name: MediaTek Genio-700 EVK (DT)\nWorkqueue: events_unbound commit_work\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nlr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nsp : ffff80008337bca0\nx29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000\nx26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000\nx23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80\nx20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a\nx17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000\nx14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b\nx11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70\nx8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70\nx5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480\nCall trace:\n drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)\n drm_atomic_helper_commit_tail_rpm+0x64/0x80\n commit_tail+0xa4/0x1a4\n commit_work+0x14/0x20\n process_one_work+0x150/0x290\n worker_thread+0x2d0/0x3ec\n kthread+0x12c/0x210\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\n```\n\nUntil this gets fixed upstream, disable AFBC support on this platform, as\nit's currently broken with upstream Mesa.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68184",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing\n\nTheoretically it's an oopsable race, but I don't believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon't be easy to attack.\n\nAnyway, it's easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under ->d_lock and be done with that.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68185",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up\n\nThe function ring_buffer_map_get_reader() is a bit more strict than the\nother get reader functions, and except for certain situations the\nrb_get_reader_page() should not return NULL. If it does, it triggers a\nwarning.\n\nThis warning was triggering but after looking at why, it was because\nanother acceptable situation was happening and it wasn't checked for.\n\nIf the reader catches up to the writer and there's still data to be read\non the reader page, then the rb_get_reader_page() will return NULL as\nthere's no new page to get.\n\nIn this situation, the reader page should not be updated and no warning\nshould trigger.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68186",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: Check regmap pointer returned by device_node_to_regmap()\n\nThe call to device_node_to_regmap() in airoha_mdio_probe() can return\nan ERR_PTR() if regmap initialization fails. Currently, the driver\nstores the pointer without validation, which could lead to a crash\nif it is later dereferenced.\n\nAdd an IS_ERR() check and return the corresponding error code to make\nthe probe path more robust.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68187",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()\n\nUse RCU to avoid a pair of atomic operations and a potential\nUAF on dst_dev()->flags.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68188",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix GEM free for imported dma-bufs\n\nImported dma-bufs also have obj->resv != &obj->_resv.  So we should\ncheck both this condition in addition to flags for handling the\n_NO_SHARE case.\n\nFixes this splat that was reported with IRIS video playback:\n\n    ------------[ cut here ]------------\n    WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]\n    CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT\n    pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    pc : msm_gem_free_object+0x1f8/0x264 [msm]\n    lr : msm_gem_free_object+0x138/0x264 [msm]\n    sp : ffff800092a1bb30\n    x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08\n    x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6\n    x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200\n    x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000\n    x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540\n    x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n    x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f\n    x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020\n    x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032\n    x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8\n    Call trace:\n     msm_gem_free_object+0x1f8/0x264 [msm] (P)\n     drm_gem_object_free+0x1c/0x30 [drm]\n     drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]\n     drm_gem_object_release_handle+0x5c/0xcc [drm]\n     drm_gem_handle_delete+0x68/0xbc [drm]\n     drm_gem_close_ioctl+0x34/0x40 [drm]\n     drm_ioctl_kernel+0xc0/0x130 [drm]\n     drm_ioctl+0x360/0x4e0 [drm]\n     __arm64_sys_ioctl+0xac/0x104\n     invoke_syscall+0x48/0x104\n     el0_svc_common.constprop.0+0x40/0xe0\n     do_el0_svc+0x1c/0x28\n     el0_svc+0x34/0xec\n     el0t_64_sync_handler+0xa0/0xe4\n     el0t_64_sync+0x198/0x19c\n    ---[ end trace 0000000000000000 ]---\n    ------------[ cut here ]------------\n\nPatchwork: https://patchwork.freedesktop.org/patch/676273/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68189",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()\n\nkcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws\nremains NULL while ectx.ws_size is set, leading to a potential NULL\npointer dereference in atom_get_src_int() when accessing WS entries.\n\nReturn -ENOMEM on allocation failure to avoid the NULL dereference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68190",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: use netdev_warn() instead of netdev_WARN()\n\nnetdev_WARN() uses WARN/WARN_ON to print a backtrace along with\nfile and line information. In this case, udp_tunnel_nic_register()\nreturning an error is just a failed operation, not a kernel bug.\n\nudp_tunnel_nic_register() can fail due to a memory allocation\nfailure (kzalloc() or udp_tunnel_nic_alloc()).\nThis is a normal runtime error and not a kernel bug.\n\nReplace netdev_WARN() with netdev_warn() accordingly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68191",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup\n\nRaw IP packets have no MAC header, leaving skb->mac_header uninitialized.\nThis can trigger kernel panics on ARM64 when xfrm or other subsystems\naccess the offset due to strict alignment checks.\n\nInitialize the MAC header to prevent such crashes.\n\nThis can trigger kernel panics on ARM when running IPsec over the\nqmimux0 interface.\n\nExample trace:\n\n    Internal error: Oops: 000000009600004f [#1] SMP\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1\n    Hardware name: LS1028A RDB Board (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : xfrm_input+0xde8/0x1318\n    lr : xfrm_input+0x61c/0x1318\n    sp : ffff800080003b20\n    Call trace:\n     xfrm_input+0xde8/0x1318\n     xfrm6_rcv+0x38/0x44\n     xfrm6_esp_rcv+0x48/0xa8\n     ip6_protocol_deliver_rcu+0x94/0x4b0\n     ip6_input_finish+0x44/0x70\n     ip6_input+0x44/0xc0\n     ipv6_rcv+0x6c/0x114\n     __netif_receive_skb_one_core+0x5c/0x8c\n     __netif_receive_skb+0x18/0x60\n     process_backlog+0x78/0x17c\n     __napi_poll+0x38/0x180\n     net_rx_action+0x168/0x2f0",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68192",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Add devm release action to safely tear down CT\n\nWhen a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE\nflag, the driver initiates TLB invalidation requests via the CTB mechanism\nwhile releasing the BO. However a premature release of the CTB BO can lead\nto system crashes, as observed in:\n\nOops: Oops: 0000 [#1] SMP NOPTI\nRIP: 0010:h2g_write+0x2f3/0x7c0 [xe]\nCall Trace:\n guc_ct_send_locked+0x8b/0x670 [xe]\n xe_guc_ct_send_locked+0x19/0x60 [xe]\n send_tlb_invalidation+0xb4/0x460 [xe]\n xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]\n ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]\n ggtt_node_remove+0x110/0x140 [xe]\n xe_ggtt_node_remove+0x40/0xa0 [xe]\n xe_ggtt_remove_bo+0x87/0x250 [xe]\n\nIntroduce a devm-managed release action during xe_guc_ct_init() and\nxe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before\nresource deallocation, preventing the use-after-free scenario.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68193",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: make send_packet() more robust\n\nsyzbot is reporting that imon has three problems which result in\nhung tasks due to forever holding device lock [1].\n\nFirst problem is that when usb_rx_callback_intf0() once got -EPROTO error\nafter ictx->dev_present_intf0 became true, usb_rx_callback_intf0()\nresubmits urb after printk(), and resubmitted urb causes\nusb_rx_callback_intf0() to again get -EPROTO error. This results in\nprintk() flooding (RCU stalls).\n\nAlan Stern commented [2] that\n\n  In theory it's okay to resubmit _if_ the driver has a robust\n  error-recovery scheme (such as giving up after some fixed limit on the\n  number of errors or after some fixed time has elapsed, perhaps with a\n  time delay to prevent a flood of errors).  Most drivers don't bother to\n  do this; they simply give up right away.  This makes them more\n  vulnerable to short-term noise interference during USB transfers, but in\n  reality such interference is quite rare.  There's nothing really wrong\n  with giving up right away.\n\nbut imon has a poor error-recovery scheme which just retries forever;\nthis behavior should be fixed.\n\nSince I'm not sure whether it is safe for imon users to give up upon any\nerror code, this patch takes care of only union of error codes chosen from\nmodules in drivers/media/rc/ directory which handle -EPROTO error (i.e.\nir_toy, mceusb and igorplugusb).\n\nSecond problem is that when usb_rx_callback_intf0() once got -EPROTO error\nbefore ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always\nresubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge\nhardware after early callbacks\"). Move the ictx->dev_present_intf0 test\nintroduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes\nuntil intf configured\") to immediately before imon_incoming_packet(), or\nthe first problem explained above happens without printk() flooding (i.e.\nhung task).\n\nThird problem is that when usb_rx_callback_intf0() is not called for some\nreason (e.g. flaky hardware; the reproducer for this problem sometimes\nprevents usb_rx_callback_intf0() from being called),\nwait_for_completion_interruptible() in send_packet() never returns (i.e.\nhung task). As a workaround for such situation, change send_packet() to\nwait for completion with timeout of 10 seconds.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68194",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Cache streams targeting link when performing LT automation\n\n[WHY]\nLast LT automation update can cause crash by referencing current_state and\ncalling into dc_update_planes_and_stream which may clobber current_state.\n\n[HOW]\nCache relevant stream pointers and iterate through them instead of relying\non the current_state.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68196",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()\n\nWith older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER\nfor FW trace data type that has not been initialized.  This will result\nin a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a\nvalid magic_byte pointer before proceeding.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68197",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrash: fix crashkernel resource shrink\n\nWhen crashkernel is configured with a high reservation, shrinking its\nvalue below the low crashkernel reservation causes two issues:\n\n1. Invalid crashkernel resource objects\n2. Kernel crash if crashkernel shrinking is done twice\n\nFor example, with crashkernel=200M,high, the kernel reserves 200MB of high\nmemory and some default low memory (say 256MB).  The reservation appears\nas:\n\ncat /proc/iomem | grep -i crash\naf000000-beffffff : Crash kernel\n433000000-43f7fffff : Crash kernel\n\nIf crashkernel is then shrunk to 50MB (echo 52428800 >\n/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:\naf000000-beffffff : Crash kernel\n\nInstead, it should show 50MB:\naf000000-b21fffff : Crash kernel\n\nFurther shrinking crashkernel to 40MB causes a kernel crash with the\nfollowing trace (x86):\n\nBUG: kernel NULL pointer dereference, address: 0000000000000038\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\n<snip...>\nCall Trace: <TASK>\n? __die_body.cold+0x19/0x27\n? page_fault_oops+0x15a/0x2f0\n? search_module_extables+0x19/0x60\n? search_bpf_extables+0x5f/0x80\n? exc_page_fault+0x7e/0x180\n? asm_exc_page_fault+0x26/0x30\n? __release_resource+0xd/0xb0\nrelease_resource+0x26/0x40\n__crash_shrink_memory+0xe5/0x110\ncrash_shrink_memory+0x12a/0x190\nkexec_crash_size_store+0x41/0x80\nkernfs_fop_write_iter+0x141/0x1f0\nvfs_write+0x294/0x460\nksys_write+0x6d/0xf0\n<snip...>\n\nThis happens because __crash_shrink_memory()/kernel/crash_core.c\nincorrectly updates the crashk_res resource object even when\ncrashk_low_res should be updated.\n\nFix this by ensuring the correct crashkernel resource object is updated\nwhen shrinking crashkernel memory.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68198",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncodetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext\n\nWhen alloc_slab_obj_exts() fails and then later succeeds in allocating a\nslab extension vector, it calls handle_failed_objexts_alloc() to mark all\nobjects in the vector as empty.  As a result all objects in this slab\n(slabA) will have their extensions set to CODETAG_EMPTY.\n\nLater on if this slabA is used to allocate a slabobj_ext vector for\nanother slab (slabB), we end up with the slabB->obj_exts pointing to a\nslabobj_ext vector that itself has a non-NULL slabobj_ext equal to\nCODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to\nfree slabB->obj_exts vector.  \n\nfree_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will\ngenerate a warning because it expects slabobj_ext vectors to have a NULL\nobj_ext, not CODETAG_EMPTY.\n\nModify mark_objexts_empty() to skip the warning and setting the obj_ext\nvalue if it's already set to CODETAG_EMPTY.\n\n\nTo quickly detect this WARN, I modified the code from\nWARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);\n\nWe then obtained this message:\n\n[21630.898561] ------------[ cut here ]------------\n[21630.898596] kernel BUG at mm/slub.c:2050!\n[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 \nvhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap \nvhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace \nnetfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs \nblake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel \nudp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \nnf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink \nvirtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper \ndrm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi \nnet_failover virtio_console failover virtio_mmio dm_mirror \ndm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci \nvirtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 \naes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]\n[21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: \nloaded Tainted: G\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 W\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 6.18.0-rc1+ #74 PREEMPT(voluntary)\n[21630.910495] Tainted: [W]=WARN\n[21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown \n2/2/2022\n[21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS \nBTYPE=--)\n[21630.912392] pc : __free_slab+0x228/0x250\n[21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : \nffff8000a02f73e0\n[21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: \nffff0000c0011c40\n[21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: \nffff000102199b40\n[21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: \nffff0000c0011c40\n[21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: \n0000000000000000\n[21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: \n0000000000000000\n[21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: \nffff70001405ee66\n[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : \nffff800080a295dc\n[21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : \n0000000000003000\n[21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : \n0000000000000007\n[21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : \n0000000000000001\n[21630.921810] Call trace:\n[21630.922130]\u00a0 __free_slab+0x228/0x250 (P)\n[21630.922669]\u00a0 free_slab+0x38/0x118\n[21630.923079]\u00a0 free_to_partial_list+0x1d4/0x340\n[21630.923591]\u00a0 __slab_free+0x24c/0x348\n[21630.924024]\u00a0 ___cache_free+0xf0/0x110\n[21630.924468]\u00a0 qlist_free_all+0x78/0x130\n[21630.924922]\u00a0 kasan_quarantine_reduce+0x11\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68199",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add bpf_prog_run_data_pointers()\n\nsyzbot found that cls_bpf_classify() is able to change\ntc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().\n\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]\nWARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214\n\nstruct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched:\nExtend qdisc control block with tc control block\"), which added a wrong\ninteraction with db58ba459202 (\"bpf: wire in data and data_end for\ncls_act_bpf\").\n\ndrop_reason was added later.\n\nAdd bpf_prog_run_data_pointers() helper to save/restore the net_sched\nstorage colliding with BPF data_meta/data_end.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: remove two invalid BUG_ON()s\n\nThose can be triggered trivially by userspace.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68201",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix unsafe locking in the scx_dump_state()\n\nFor built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted\nsleepable spinlock and not disable-irq, so the following scenarios occur:\n\ninconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.\nirq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:\n(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40\n{IN-HARDIRQ-W} state was registered at:\n   lock_acquire+0x1e1/0x510\n   _raw_spin_lock_nested+0x42/0x80\n   raw_spin_rq_lock_nested+0x2b/0x40\n   sched_tick+0xae/0x7b0\n   update_process_times+0x14c/0x1b0\n   tick_periodic+0x62/0x1f0\n   tick_handle_periodic+0x48/0xf0\n   timer_interrupt+0x55/0x80\n   __handle_irq_event_percpu+0x20a/0x5c0\n   handle_irq_event_percpu+0x18/0xc0\n   handle_irq_event+0xb5/0x150\n   handle_level_irq+0x220/0x460\n   __common_interrupt+0xa2/0x1e0\n   common_interrupt+0xb0/0xd0\n   asm_common_interrupt+0x2b/0x40\n   _raw_spin_unlock_irqrestore+0x45/0x80\n   __setup_irq+0xc34/0x1a30\n   request_threaded_irq+0x214/0x2f0\n   hpet_time_init+0x3e/0x60\n   x86_late_time_init+0x5b/0xb0\n   start_kernel+0x308/0x410\n   x86_64_start_reservations+0x1c/0x30\n   x86_64_start_kernel+0x96/0xa0\n   common_startup_64+0x13e/0x148\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&rq->__lock);\n   <Interrupt>\n     lock(&rq->__lock);\n\n  *** DEADLOCK ***\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 27 Comm: irq_work/0\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x8c/0xd0\n  dump_stack+0x14/0x20\n  print_usage_bug+0x42e/0x690\n  mark_lock.part.44+0x867/0xa70\n  ? __pfx_mark_lock.part.44+0x10/0x10\n  ? string_nocheck+0x19c/0x310\n  ? number+0x739/0x9f0\n  ? __pfx_string_nocheck+0x10/0x10\n  ? __pfx_check_pointer+0x10/0x10\n  ? kvm_sched_clock_read+0x15/0x30\n  ? sched_clock_noinstr+0xd/0x20\n  ? local_clock_noinstr+0x1c/0xe0\n  __lock_acquire+0xc4b/0x62b0\n  ? __pfx_format_decode+0x10/0x10\n  ? __pfx_string+0x10/0x10\n  ? __pfx___lock_acquire+0x10/0x10\n  ? __pfx_vsnprintf+0x10/0x10\n  lock_acquire+0x1e1/0x510\n  ? raw_spin_rq_lock_nested+0x2b/0x40\n  ? __pfx_lock_acquire+0x10/0x10\n  ? dump_line+0x12e/0x270\n  ? raw_spin_rq_lock_nested+0x20/0x40\n  _raw_spin_lock_nested+0x42/0x80\n  ? raw_spin_rq_lock_nested+0x2b/0x40\n  raw_spin_rq_lock_nested+0x2b/0x40\n  scx_dump_state+0x3b3/0x1270\n  ? finish_task_switch+0x27e/0x840\n  scx_ops_error_irq_workfn+0x67/0x80\n  irq_work_single+0x113/0x260\n  irq_work_run_list.part.3+0x44/0x70\n  run_irq_workd+0x6b/0x90\n  ? __pfx_run_irq_workd+0x10/0x10\n  smpboot_thread_fn+0x529/0x870\n  ? __pfx_smpboot_thread_fn+0x10/0x10\n  kthread+0x305/0x3f0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x40/0x70\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n\nThis commit therefore uses rq_lock_irqsave/irqrestore() to replace\nrq_lock/unlock() in the scx_dump_state().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: scmi: Fix genpd leak on provider registration failure\n\nIf of_genpd_add_provider_onecell() fails during probe, the previously\ncreated generic power domains are not removed, leading to a memory leak\nand potential kernel crash later in genpd_debug_add().\n\nAdd proper error handling to unwind the initialized domains before\nreturning from probe to ensure all resources are correctly released on\nfailure.\n\nExample crash trace observed without this fix:\n\n  | Unable to handle kernel paging request at virtual address fffffffffffffc70\n  | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT\n  | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform\n  | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  | pc : genpd_debug_add+0x2c/0x160\n  | lr : genpd_debug_init+0x74/0x98\n  | Call trace:\n  |  genpd_debug_add+0x2c/0x160 (P)\n  |  genpd_debug_init+0x74/0x98\n  |  do_one_initcall+0xd0/0x2d8\n  |  do_initcall_level+0xa0/0x140\n  |  do_initcalls+0x60/0xa8\n  |  do_basic_setup+0x28/0x40\n  |  kernel_init_freeable+0xe8/0x170\n  |  kernel_init+0x2c/0x140\n  |  ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68204",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver\n\nAfter restructuring and splitting the HDMI codec driver code, each\nHDMI codec driver contains its own build_controls and build_pcms ops.\nA copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both\nbuild_controls and build_pcms are swapped.  Unfortunately both\ncallbacks have the very same form, and the compiler didn't complain\nabout it, either.  This resulted in a NULL dereference because the PCM\ninstance hasn't been initialized at calling the build_controls\ncallback.\n\nFix it by passing the proper entries.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68205",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes,\ndue to the need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n        ct helper ftp_helper {\n                type \"ftp\" protocol tcp\n                l3proto inet\n        }\n\n        chain prerouting {\n                type filter hook prerouting priority 0; policy accept;\n                tcp dport 21 ct state new ct helper set \"ftp_helper\"\n        }\n}\ntable ip nat {\n        chain prerouting {\n                type nat hook prerouting priority -100; policy accept;\n                tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n        }\n\n        chain postrouting {\n                type nat hook postrouting priority 100 ; policy accept;\n                tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n        }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopology:\n\n +-------------------+     +----------------------------------+\n | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+     +----------------------------------+\n                                      |\n                         +-----------------------+\n                         | Client: 192.168.100.2 |\n                         +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp> epsv\nEPSV/EPRT on IPv4 off.\nftp> ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68206",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Synchronize Dead CT worker with unbind\n\nCancel and wait for any Dead CT worker to complete before continuing\nwith device unbinding. Else the worker will end up using resources freed\nby the unbind operation.\n\n(cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: account for current allocated stack depth in widen_imprecise_scalars()\n\nThe usage pattern for widen_imprecise_scalars() looks as follows:\n\n    prev_st = find_prev_entry(env, ...);\n    queued_st = push_stack(...);\n    widen_imprecise_scalars(env, prev_st, queued_st);\n\nWhere prev_st is an ancestor of the queued_st in the explored states\ntree. This ancestor is not guaranteed to have same allocated stack\ndepth as queued_st. E.g. in the following case:\n\n    def main():\n      for i in 1..2:\n        foo(i)        // same callsite, different param\n\n    def foo(i):\n      if i == 1:\n        use 128 bytes of stack\n      iterator based loop\n\nHere, for a second 'foo' call prev_st->allocated_stack is 128,\nwhile queued_st->allocated_stack is much smaller.\nwiden_imprecise_scalars() needs to take this into account and avoid\naccessing bpf_verifier_state->frame[*]->stack out of bounds.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68208",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: Fix default values in create CQ\n\nCurrently, CQs without a completion function are assigned the\nmlx5_add_cq_to_tasklet function by default. This is problematic since\nonly user CQs created through the mlx5_ib driver are intended to use\nthis function.\n\nAdditionally, all CQs that will use doorbells instead of polling for\ncompletions must call mlx5_cq_arm. However, the default CQ creation flow\nleaves a valid value in the CQ's arm_db field, allowing FW to send\ninterrupts to polling-only CQs in certain corner cases.\n\nThese two factors would allow a polling-only kernel CQ to be triggered\nby an EQ interrupt and call a completion function intended only for user\nCQs, causing a null pointer exception.\n\nSome areas in the driver have prevented this issue with one-off fixes\nbut did not address the root cause.\n\nThis patch fixes the described issue by adding defaults to the create CQ\nflow. It adds a default dummy completion function to protect against\nnull pointer exceptions, and it sets an invalid command sequence number\nby default in kernel CQs to prevent the FW from sending an interrupt to\nthe CQ until it is armed. User CQs are responsible for their own\ninitialization values.\n\nCallers of mlx5_core_create_cq are responsible for changing the\ncompletion function and arming the CQ per their needs.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68209",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid infinite loop due to incomplete zstd-compressed data\n\nCurrently, the decompression logic incorrectly spins if compressed\ndata is truncated in crafted (deliberately corrupted) images.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68210",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksm: use range-walk function to jump over holes in scan_get_next_rmap_item\n\nCurrently, scan_get_next_rmap_item() walks every page address in a VMA to\nlocate mergeable pages.  This becomes highly inefficient when scanning\nlarge virtual memory areas that contain mostly unmapped regions, causing\nksmd to use a large amount of cpu without deduplicating many pages.\n\nThis patch replaces the per-address lookup with a range walk using\nwalk_page_range().  The range walker allows KSM to skip over entire\nunmapped holes in a VMA, avoiding unnecessary lookups.  This problem was\npreviously discussed in [1].\n\nConsider the following test program which creates a 32 TiB mapping in the\nvirtual address space but only populates a single page:\n\n#include <unistd.h>\n#include <stdio.h>\n#include <sys/mman.h>\n\n/* 32 TiB */\nconst size_t size = 32ul * 1024 * 1024 * 1024 * 1024;\n\nint main() {\n        char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,\n                          MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);\n\n        if (area == MAP_FAILED) {\n                perror(\"mmap() failed\\n\");\n                return -1;\n        }\n\n        /* Populate a single page such that we get an anon_vma. */\n        *area = 0;\n\n        /* Enable KSM. */\n        madvise(area, size, MADV_MERGEABLE);\n        pause();\n        return 0;\n}\n\n$ ./ksm-sparse  &\n$ echo 1 > /sys/kernel/mm/ksm/run \n\nWithout this patch ksmd uses 100% of the cpu for a long time (more than 1\nhour in my test machine) scanning all the 32 TiB virtual address space\nthat contains only one mapped page.  This makes ksmd essentially deadlocked,\nnot able to deduplicate anything of value.  With this patch ksmd walks\nonly the one mapped page and skips the rest of the 32 TiB virtual address\nspace, making the scan fast using little cpu.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68211",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Fix uninitialized 'offp' in statmount_string()\n\nIn statmount_string(), most flags assign an output offset pointer (offp)\nwhich is later updated with the string offset. However, the\nSTATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the\nstruct fields instead of using offp. This leaves offp uninitialized,\nleading to a possible uninitialized dereference when *offp is updated.\n\nFix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code\npath consistent.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68212",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix possible vport_config NULL pointer deref in remove\n\nAttempting to remove the driver will cause a crash in cases where\nthe vport failed to initialize. The following trace is from an instance where\nthe driver failed during an attempt to create a VF:\n[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated\n[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)\n[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028\n...\n[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]\n...\n[ 1723.364973] Call Trace:\n[ 1723.365475]  <TASK>\n[ 1723.365972]  pci_device_remove+0x42/0xb0\n[ 1723.366481]  device_release_driver_internal+0x1a9/0x210\n[ 1723.366987]  pci_stop_bus_device+0x6d/0x90\n[ 1723.367488]  pci_stop_and_remove_bus_device+0x12/0x20\n[ 1723.367971]  pci_iov_remove_virtfn+0xbd/0x120\n[ 1723.368309]  sriov_disable+0x34/0xe0\n[ 1723.368643]  idpf_sriov_configure+0x58/0x140 [idpf]\n[ 1723.368982]  sriov_numvfs_store+0xda/0x1c0\n\nAvoid the NULL pointer dereference by adding a NULL pointer check for\nvport_config[i], before freeing user_config.q_coalesce.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68213",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t<SOFTIRQ>\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase->running_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base->running_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer->function = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase->running_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t<SOFTIRQ>\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base->running_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer->function = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68214",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix PTP cleanup on driver removal in error path\n\nImprove the cleanup on releasing PTP resources in error path.\nThe error case might happen either at the driver probe and PTP\nfeature initialization or on PTP restart (errors in reset handling, NVM\nupdate etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf\nfunction) and 'ps_lock' mutex deinitialization were missed.\nAdditionally, ptp clock was not unregistered in the latter case.\n\nKeep PTP state as 'uninitialized' on init to distinguish between error\nscenarios and to avoid resource release duplication at driver removal.\n\nThe consequence of missing ice_ptp_cleanup_pf call is the following call\ntrace dumped when ice_adapter object is freed (port list is not empty,\nas it is required at this stage):\n\n[  T93022] ------------[ cut here ]------------\n[  T93022] WARNING: CPU: 10 PID: 93022 at\nice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]\n...\n[  T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]\n...\n[  T93022] Call Trace:\n[  T93022]  <TASK>\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  ? __warn.cold+0xb0/0x10e\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  ? report_bug+0xd8/0x150\n[  T93022]  ? handle_bug+0xe9/0x110\n[  T93022]  ? exc_invalid_op+0x17/0x70\n[  T93022]  ? asm_exc_invalid_op+0x1a/0x20\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  pci_device_remove+0x42/0xb0\n[  T93022]  device_release_driver_internal+0x19f/0x200\n[  T93022]  driver_detach+0x48/0x90\n[  T93022]  bus_remove_driver+0x70/0xf0\n[  T93022]  pci_unregister_driver+0x42/0xb0\n[  T93022]  ice_module_exit+0x10/0xdb0 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n...\n[  T93022] ---[ end trace 0000000000000000 ]---\n[  T93022] ice: module unloaded",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68215",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Disable trampoline for kernel module function trace\n\nThe current LoongArch BPF trampoline implementation is incompatible\nwith tracing functions in kernel modules. This causes several severe\nand user-visible problems:\n\n* The `bpf_selftests/module_attach` test fails consistently.\n* Kernel lockup when a BPF program is attached to a module function [1].\n* Critical kernel modules like WireGuard experience traffic disruption\n  when their functions are traced with fentry [2].\n\nGiven the severity and the potential for other unknown side-effects, it\nis safest to disable the feature entirely for now. This patch prevents\nthe BPF subsystem from allowing trampoline attachments to kernel module\nfunctions on LoongArch.\n\nThis is a temporary mitigation until the core issues in the trampoline\ncode for kernel module handling can be identified and fixed.\n\n[root@fedora bpf]# ./test_progs -a module_attach -v\nbpf_testmod.ko is already unloaded.\nLoading bpf_testmod.ko...\nSuccessfully loaded bpf_testmod.ko.\ntest_module_attach:PASS:skel_open 0 nsec\ntest_module_attach:PASS:set_attach_target 0 nsec\ntest_module_attach:PASS:set_attach_target_explicit 0 nsec\ntest_module_attach:PASS:skel_load 0 nsec\nlibbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP\nlibbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP\ntest_module_attach:FAIL:skel_attach skeleton attach failed: -524\nSummary: 0/0 PASSED, 0 SKIPPED, 1 FAILED\nSuccessfully unloaded bpf_testmod.ko.\n\n[1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/\n[2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68216",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: pegasus-notetaker - fix potential out-of-bounds access\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68217",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: fix lockdep WARN due to partition scan work\n\nBlktests test cases nvme/014, 057 and 058 fail occasionally due to a\nlockdep WARN. As reported in the Closes tag URL, the WARN indicates that\na deadlock can happen due to the dependency among disk->open_mutex,\nkblockd workqueue completion and partition_scan_work completion.\n\nTo avoid the lockdep WARN and the potential deadlock, cut the dependency\nby running the partition_scan_work not by kblockd workqueue but by\nnvme_wq.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68218",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix memory leak in smb3_fs_context_parse_param error path\n\nAdd proper cleanup of ctx->source and fc->source to the\ncifs_parse_mount_err error handler. This ensures that memory allocated\nfor the source strings is correctly freed on all error paths, matching\nthe cleanup already performed in the success path by\nsmb3_cleanup_fs_context_contents().\nPointers are also set to NULL after freeing to prevent potential\ndouble-free issues.\n\nThis change fixes a memory leak originally detected by syzbot. The\nleak occurred when processing Opt_source mount options if an error\nhappened after ctx->source and fc->source were successfully\nallocated but before the function completed.\n\nThe specific leak sequence was:\n1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory\n2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory\n3. A subsequent error jumps to cifs_parse_mount_err\n4. The old error handler freed passwords but not the source strings,\ncausing the memory to leak.\n\nThis issue was not addressed by commit e8c73eb7db0a (\"cifs: client:\nfix memory leak in smb3_fs_context_parse_param\"), which only fixed\nleaks from repeated fsconfig() calls but not this error path.\n\nPatch updated with minor change suggested by kernel test robot",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68219",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error\n\nMake knav_dma_open_channel consistently return NULL on error instead\nof ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h\nreturns NULL when the driver is disabled, but the driver\nimplementation does not even return NULL or ERR_PTR on failure,\ncausing inconsistency in the users. This results in a crash in\nnetcp_free_navigator_resources as followed (trimmed):\n\nUnhandled fault: alignment exception (0x221) at 0xfffffff2\n[fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000\nInternal error: : 221 [#1] SMP ARM\nModules linked in:\nCPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE\nHardware name: Keystone\nPC is at knav_dma_close_channel+0x30/0x19c\nLR is at netcp_free_navigator_resources+0x2c/0x28c\n\n[... TRIM...]\n\nCall trace:\n knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c\n netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c\n netcp_ndo_open from __dev_open+0x114/0x29c\n __dev_open from __dev_change_flags+0x190/0x208\n __dev_change_flags from netif_change_flags+0x1c/0x58\n netif_change_flags from dev_change_flags+0x38/0xa0\n dev_change_flags from ip_auto_config+0x2c4/0x11f0\n ip_auto_config from do_one_initcall+0x58/0x200\n do_one_initcall from kernel_init_freeable+0x1cc/0x238\n kernel_init_freeable from kernel_init+0x1c/0x12c\n kernel_init from ret_from_fork+0x14/0x38\n[... TRIM...]\n\nStandardize the error handling by making the function return NULL on\nall error conditions. The API is used in just the netcp_core.c so the\nimpact is limited.\n\nNote, this change, in effect reverts commit 5b6cb43b4d62 (\"net:\nethernet: ti: netcp_core: return error while dma channel open issue\"),\nbut provides a less error prone implementation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68220",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix address removal logic in mptcp_pm_nl_rm_addr\n\nFix inverted WARN_ON_ONCE condition that prevented normal address\nremoval counter updates. The current code only executes decrement\nlogic when the counter is already 0 (abnormal state), while\nnormal removals (counter > 0) are ignored.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68221",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc\n\ns32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its\nfields are initialized. Notably, num_custom_params is used in\npinconf_generic_parse_dt_config(), resulting in intermittent allocation\nerrors, such as the following splat when probing i2c-imx:\n\n        WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300\n        [...]\n        Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)\n        [...]\n        Call trace:\n         __alloc_pages_noprof+0x290/0x300 (P)\n         ___kmalloc_large_node+0x84/0x168\n         __kmalloc_large_node_noprof+0x34/0x120\n         __kmalloc_noprof+0x2ac/0x378\n         pinconf_generic_parse_dt_config+0x68/0x1a0\n         s32_dt_node_to_map+0x104/0x248\n         dt_to_map_one_config+0x154/0x1d8\n         pinctrl_dt_to_map+0x12c/0x280\n         create_pinctrl+0x6c/0x270\n         pinctrl_get+0xc0/0x170\n         devm_pinctrl_get+0x50/0xa0\n         pinctrl_bind_pins+0x60/0x2a0\n         really_probe+0x60/0x3a0\n        [...]\n         __platform_driver_register+0x2c/0x40\n         i2c_adap_imx_init+0x28/0xff8 [i2c_imx]\n        [...]\n\nThis results in later parse failures that can cause issues in dependent\ndrivers:\n\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n        [...]\n        pca953x 0-0022: failed writing register: -6\n        i2c i2c-0: IMX I2C adapter registered\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n        i2c i2c-1: IMX I2C adapter registered\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n        i2c i2c-2: IMX I2C adapter registered\n\nFix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of\ndevm_kmalloc() in s32_pinctrl_probe(), which sets the previously\nuninitialized fields to zero.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68222",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: delete radeon_fence_process in is_signaled, no deadlock\n\nDelete the attempt to progress the queue when checking if fence is\nsignaled. This avoids deadlock.\n\ndma-fence_ops::signaled can be called with the fence lock in unknown\nstate. For radeon, the fence lock is also the wait queue lock. This can\ncause a self deadlock when signaled() tries to make forward progress on\nthe wait queue. But advancing the queue is unneeded because incorrectly\nreturning false from signaled() is perfectly acceptable.\n\n(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68223",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_kho: check if KHO is enabled\n\nWe must check whether KHO is enabled prior to issuing KHO commands,\notherwise KHO internal data structures are not initialized.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68225",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix incomplete backport in cfids_invalidation_worker()\n\nThe previous commit bdb596ceb4b7 (\"smb: client: fix potential UAF in\nsmb2_close_cached_fid()\") was an incomplete backport and missed one\nkref_put() call in cfids_invalidation_worker() that should have been\nconverted to close_cached_dir().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68226",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.10"
        },
        {
          "id": "CVE-2025-68227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix proto fallback detection with BPF\n\nThe sockmap feature allows bpf syscall from userspace, or based\non bpf sockops, replacing the sk_prot of sockets during protocol stack\nprocessing with sockmap's custom read/write interfaces.\n'''\ntcp_rcv_state_process()\n  syn_recv_sock()/subflow_syn_recv_sock()\n    tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)\n      bpf_skops_established       <== sockops\n        bpf_sock_map_update(sk)   <== call bpf helper\n          tcp_bpf_update_proto()  <== update sk_prot\n'''\n\nWhen the server has MPTCP enabled but the client sends a TCP SYN\nwithout MPTCP, subflow_syn_recv_sock() performs a fallback on the\nsubflow, replacing the subflow sk's sk_prot with the native sk_prot.\n'''\nsubflow_syn_recv_sock()\n  subflow_ulp_fallback()\n    subflow_drop_ctx()\n      mptcp_subflow_ops_undo_override()\n'''\n\nThen, this subflow can be normally used by sockmap, which replaces the\nnative sk_prot with sockmap's custom sk_prot. The issue occurs when the\nuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().\nHere, it uses sk->sk_prot to compare with the native sk_prot, but this\nis incorrect when sockmap is used, as we may incorrectly set\nsk->sk_socket->ops.\n\nThis fix uses the more generic sk_family for the comparison instead.\n\nAdditionally, this also prevents a WARNING from occurring:\n\nresult from ./scripts/decode_stacktrace.sh:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \\\n(net/mptcp/protocol.c:4005)\nModules linked in:\n...\n\nPKRU: 55555554\nCall Trace:\n<TASK>\ndo_accept (net/socket.c:1989)\n__sys_accept4 (net/socket.c:2028 net/socket.c:2057)\n__x64_sys_accept (net/socket.c:2067)\nx64_sys_call (arch/x86/entry/syscall_64.c:41)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f87ac92b83d\n\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68227",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/plane: Fix create_in_format_blob() return value\n\ncreate_in_format_blob() is either supposed to return a valid\npointer or an error, but never NULL. The caller will dereference\nthe blob when it is not an error, and thus will oops if NULL\nreturned. Return proper error values in the failure cases.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68228",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()\n\nIf the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we\nattempt to dereference it in tcm_loop_tpg_address_show() we will get a\nsegfault, see below for an example. So, check tl_hba->sh before\ndereferencing it.\n\n  Unable to allocate struct scsi_host\n  BUG: kernel NULL pointer dereference, address: 0000000000000194\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1\n  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024\n  RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]\n...\n  Call Trace:\n   <TASK>\n   configfs_read_iter+0x12d/0x1d0 [configfs]\n   vfs_read+0x1b5/0x300\n   ksys_read+0x6f/0xf0\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68229",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix gpu page fault after hibernation on PF passthrough\n\nOn PF passthrough environment, after hibernate and then resume, coralgemm\nwill cause gpu page fault.\n\nMode1 reset happens during hibernate, but partition mode is not restored\non resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right\nafter resume. When CP access the MQD BO, wrong stride size is used,\nthis will cause out of bound access on the MQD BO, resulting page fault.\n\nThe fix is to ensure gfx_v9_4_3_switch_compute_partition() is called\nwhen resume from a hibernation.\nKFD resume is called separately during a reset recovery or resume from\nsuspend sequence. Hence it's not required to be called as part of\npartition switch.\n\n(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68230",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempool: fix poisoning order>0 pages with HIGHMEM\n\nThe kernel test has reported:\n\n  BUG: unable to handle page fault for address: fffba000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  *pde = 03171067 *pte = 00000000\n  Oops: Oops: 0002 [#1]\n  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G                T   6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE  a1d066dfe789f54bc7645c7989957d2bdee593ca\n  Tainted: [T]=RANDSTRUCT\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)\n  Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56\n  EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b\n  ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8\n  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287\n  CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690\n  Call Trace:\n   poison_element (mm/mempool.c:83 mm/mempool.c:102)\n   mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)\n   mempool_init_noprof (mm/mempool.c:250 (discriminator 1))\n   ? mempool_alloc_pages (mm/mempool.c:640)\n   bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))\n   ? mempool_alloc_pages (mm/mempool.c:640)\n   do_one_initcall (init/main.c:1283)\n\nChristoph found out this is due to the poisoning code not dealing\nproperly with CONFIG_HIGHMEM because only the first page is mapped but\nthen the whole potentially high-order page is accessed.\n\nWe could give up on HIGHMEM here, but it's straightforward to fix this\nwith a loop that's mapping, poisoning or checking and unmapping\nindividual pages.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68231",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: more robust handing of race to avoid txq getting stuck\n\nCommit dc82a33297fc (\"veth: apply qdisc backpressure on full ptr_ring to\nreduce TX drops\") introduced a race condition that can lead to a permanently\nstalled TXQ. This was observed in production on ARM64 systems (Ampere Altra\nMax).\n\nThe race occurs in veth_xmit(). The producer observes a full ptr_ring and\nstops the queue (netif_tx_stop_queue()). The subsequent conditional logic,\nintended to re-wake the queue if the consumer had just emptied it (if\n(__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a\n\"lost wakeup\" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and\ntraffic halts.\n\nThis failure is caused by an incorrect use of the __ptr_ring_empty() API\nfrom the producer side. As noted in kernel comments, this check is not\nguaranteed to be correct if a consumer is operating on another CPU. The\nempty test is based on ptr_ring->consumer_head, making it reliable only for\nthe consumer. Using this check from the producer side is fundamentally racy.\n\nThis patch fixes the race by adopting the more robust logic from an earlier\nversion V4 of the patchset, which always flushed the peer:\n\n(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier\nare removed. Instead, after stopping the queue, we unconditionally call\n__veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled,\nmaking it solely responsible for re-waking the TXQ.\n  This handles the race where veth_poll() consumes all packets and completes\nNAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue.\nThe __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule\nNAPI.\n\n(2) On the consumer side, the logic for waking the peer TXQ is moved out of\nveth_xdp_rcv() and placed at the end of the veth_poll() function. This\nplacement is part of fixing the race, as the netif_tx_queue_stopped() check\nmust occur after rx_notify_masked is potentially set to false during NAPI\ncompletion.\n  This handles the race where veth_poll() consumes all packets, but haven't\nfinished (rx_notify_masked is still true). The producer veth_xmit() stops the\nTXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning\nnot starting NAPI.  Then veth_poll() change rx_notify_masked to false and\nstops NAPI.  Before exiting veth_poll() will observe TXQ is stopped and wake\nit up.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68232",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Add call to put_pid()\n\nAdd a call to put_pid() corresponding to get_task_pid().\nhost1x_memory_context_alloc() does not take ownership of the PID so we\nneed to free it here to avoid leaking.\n\n[mperttunen@nvidia.com: reword commit message]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68233",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/cmd_net: fix wrong argument types for skb_queue_splice()\n\nIf timestamp retrieving needs to be retried and the local list of\nSKB's already has entries, then it's spliced back into the socket\nqueue. However, the arguments for the splice helper are transposed,\ncausing exactly the wrong direction of splicing into the on-stack\nlist. Fix that up.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68234",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot\n\nnvkm_falcon_fw::boot is allocated, but no one frees it. This causes a\nkmemleak warning.\n\nMake sure this data is deallocated.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68235",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)\n\nAccording to UFS specifications, the power-off sequence for a UFS device\nincludes:\n\n - Sending an SSU command with Power_Condition=3 and await a response.\n\n - Asserting RST_N low.\n\n - Turning off REF_CLK.\n\n - Turning off VCC.\n\n - Turning off VCCQ/VCCQ2.\n\nAs part of ufs shutdown, after the SSU command completion, asserting\nhardware reset (HWRST) triggers the device firmware to wake up and\nexecute its reset routine. This routine initializes hardware blocks and\ntakes a few milliseconds to complete. During this time, the ICCQ draws a\nlarge current.\n\nThis large ICCQ current may cause issues for the regulator which is\nsupplying power to UFS, because the turn off request from UFS driver to\nthe regulator framework will be immediately followed by low power\nmode(LPM) request by regulator framework. This is done by framework\nbecause UFS which is the only client is requesting for disable. So if\nthe rail is still in the process of shutting down while ICCQ exceeds LPM\ncurrent thresholds, and LPM mode is activated in hardware during this\nstate, it may trigger an overcurrent protection (OCP) fault in the\nregulator.\n\nTo prevent this, a 10ms delay is added after asserting HWRST. This\nallows the reset operation to complete while power rails remain active\nand in high-power mode.\n\nCurrently there is no way for Host to query whether the reset is\ncompleted or not and hence this the delay is based on experiments with\nQualcomm UFS controllers across multiple UFS vendors.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68236",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function.  We mask away the high 32 bits of\n\"req.len\" so that's capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68237",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl->dmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68238",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: restore write access before closing files opened by open_exec()\n\nbm_register_write() opens an executable file using open_exec(), which\ninternally calls do_open_execat() and denies write access on the file to\navoid modification while it is being executed.\n\nHowever, when an error occurs, bm_register_write() closes the file using\nfilp_close() directly. This does not restore the write permission, which\nmay cause subsequent write operations on the same file to fail.\n\nFix this by calling exe_file_allow_write_access() before filp_close() to\nrestore the write permission properly.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68239",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: avoid having an active sc_timer before freeing sci\n\nBecause kthread_stop did not stop sc_task properly and returned -EINTR,\nthe sc_timer was not properly closed, ultimately causing the problem [1]\nreported by syzbot when freeing sci due to the sc_timer not being closed.\n\nBecause the thread sc_task main function nilfs_segctor_thread() returns 0\nwhen it succeeds, when the return value of kthread_stop() is not 0 in\nnilfs_segctor_destroy(), we believe that it has not properly closed\nsc_timer.\n\nWe use timer_shutdown_sync() to synchronously wait for sc_timer to shut down, and\nset the value of sc_task to NULL under the protection of lock\nsc_state_lock, so as to avoid the issue caused by sc_timer not being\nproperly shut down.\n\n[1]\nODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout\nCall trace:\n nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]\n nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877\n nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68240",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver's packet transmission path calls: sit_tunnel_xmit() ->\nupdate_or_create_fnhe(), which leads to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path's __mkroute_output() -> find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0                             CPU 1\n__mkroute_output()\n  find_exception() [fnheX]\n                                  update_or_create_fnhe()\n                                    fnhe_remove_oldest() [fnheX]\n  rt_bind_exception() [bind dst]\n                                  RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n  unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n    local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n    -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68241",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix LTP test failures when timestamps are delegated\n\nThe utimes01 and utime06 tests fail when delegated timestamps are\nenabled, specifically in subtests that modify the atime and mtime\nfields using the 'nobody' user ID.\n\nThe problem can be reproduced as follows:\n\n# echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports\n# export -ra\n# mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir\n# cd /opt/ltp\n# ./runltp -d /tmpdir -s utimes01\n# ./runltp -d /tmpdir -s utime06\n\nThis issue occurs because nfs_setattr does not verify the inode's\nUID against the caller's fsuid when delegated timestamps are\npermitted for the inode.\n\nThis patch adds the UID check and if it does not match then the\nrequest is sent to the server for permission checking.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68242",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Check the TLS certificate fields in nfs_match_client()\n\nIf the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the\ncert_serial and privkey_serial fields need to match as well since they\ndefine the client's identity, as presented to the server.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68243",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called.  When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292]        dma_resv_lockdep+0x19a/0x390\n[86.862315]        do_one_initcall+0x60/0x3f0\n[86.862334]        kernel_init_freeable+0x3cd/0x680\n[86.862353]        kernel_init+0x1b/0x200\n[86.862369]        ret_from_fork+0x47/0x70\n[86.862383]        ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425]        dma_resv_lockdep+0x178/0x390\n[86.862440]        do_one_initcall+0x60/0x3f0\n[86.862454]        kernel_init_freeable+0x3cd/0x680\n[86.862470]        kernel_init+0x1b/0x200\n[86.862482]        ret_from_fork+0x47/0x70\n[86.862495]        ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-> #3 (&mm->mmap_lock){++++}-{3:3}:\n[86.862531]        down_read_killable+0x46/0x1e0\n[86.862546]        lock_mm_and_find_vma+0xa2/0x280\n[86.862561]        do_user_addr_fault+0x266/0x8e0\n[86.862578]        exc_page_fault+0x8a/0x2f0\n[86.862593]        asm_exc_page_fault+0x27/0x30\n[86.862607]        filldir64+0xeb/0x180\n[86.862620]        kernfs_fop_readdir+0x118/0x480\n[86.862635]        iterate_dir+0xcf/0x2b0\n[86.862648]        __x64_sys_getdents64+0x84/0x140\n[86.862661]        x64_sys_call+0x1058/0x2660\n[86.862675]        do_syscall_64+0x91/0xe90\n[86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-> #2 (&root->kernfs_rwsem){++++}-{3:3}:\n[86.862725]        down_write+0x3e/0xf0\n[86.862738]        kernfs_add_one+0x30/0x3c0\n[86.862751]        kernfs_create_dir_ns+0x53/0xb0\n[86.862765]        internal_create_group+0x134/0x4c0\n[86.862779]        sysfs_create_group+0x13/0x20\n[86.862792]        topology_add_dev+0x1d/0x30\n[86.862806]        cpuhp_invoke_callback+0x4b5/0x850\n[86.862822]        cpuhp_issue_call+0xbf/0x1f0\n[86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852]        __cpuhp_setup_state+0xb0/0x220\n[86.862866]        topology_sysfs_init+0x30/0x50\n[86.862879]        do_one_initcall+0x60/0x3f0\n[86.862893]        kernel_init_freeable+0x3cd/0x680\n[86.862908]        kernel_init+0x1b/0x200\n[86.862921]        ret_from_fork+0x47/0x70\n[86.862934]        ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969]        __mutex_lock+0xaa/0xed0\n[86.862982]        mutex_lock_nested+0x1b/0x30\n[86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012]        __cpuhp_setup_state+0xb0/0x220\n[86.863026]        page_alloc_init_cpuhp+0x2d/0x60\n[86.863041]        mm_core_init+0x22/0x2d0\n[86.863054]        start_kernel+0x576/0xbd0\n[86.863068]        x86_64_start_reservations+0x18/0x30\n[86.863084]        x86_64_start_kernel+0xbf/0x110\n[86.863098]        common_startup_64+0x13e/0x141\n[86.863114]\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135]        __lock_acquire+0x16\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68244",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: fix incorrect refcount handling causing incorrect cleanup\n\ncommit efa95b01da18 (\"netpoll: fix use after free\") incorrectly\nignored the refcount and prematurely set dev->npinfo to NULL during\nnetpoll cleanup, leading to improper behavior and memory leaks.\n\nScenario causing lack of proper cleanup:\n\n1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is\n   allocated, and refcnt = 1\n   - Keep in mind that npinfo is shared among all netpoll instances. In\n     this case, there is just one.\n\n2) Another netpoll is also associated with the same NIC and\n   npinfo->refcnt += 1.\n   - Now dev->npinfo->refcnt = 2;\n   - There is just one npinfo associated with the netdev.\n\n3) When the first netpoll goes to clean up:\n   - The first cleanup succeeds and clears np->dev->npinfo, ignoring\n     refcnt.\n     - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`\n   - Set dev->npinfo = NULL, without proper cleanup\n   - ->ndo_netpoll_cleanup() is not called either\n\n4) Now the second target tries to clean up\n   - The second cleanup fails because np->dev->npinfo is already NULL.\n     * In this case, ops->ndo_netpoll_cleanup() was never called, and\n       the skb pool is not cleaned as well (for the second netpoll\n       instance)\n  - This leaks npinfo and skbpool skbs, which is clearly reported by\n    kmemleak.\n\nRevert commit efa95b01da18 (\"netpoll: fix use after free\") and add\nclarifying comments emphasizing that npinfo cleanup should only happen\nonce the refcount reaches zero, ensuring stable and correct netpoll\nbehavior.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68245",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: close accepted socket when per-IP limit rejects connection\n\nWhen the per-IP connection limit is exceeded in ksmbd_kthread_fn(),\nthe code sets ret = -EAGAIN and continues the accept loop without\nclosing the just-accepted socket. That leaks one socket per rejected\nattempt from a single IP and enables a trivial remote DoS.\n\nRelease client_sk before continuing.\n\nThis bug was found with ZeroPath.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68246",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Plug potential memory leak in do_timer_create()\n\nWhen posix timer creation is set to allocate a given timer ID and the\naccess to the user space value faults, the function terminates without\nfreeing the already allocated posix timer structure.\n\nMove the allocation after the user space access to cure that.\n\n[ tglx: Massaged change log ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68247",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmw_balloon: indicate success when effectively deflating during migration\n\nWhen migrating a balloon page, we first deflate the old page to then\ninflate the new page.\n\nHowever, if inflating the new page succeeded, we effectively deflated the\nold page, reducing the balloon size.\n\nIn that case, the migration actually worked: similar to migrating+\nimmediately deflating the new page.  The old page will be freed back to\nthe buddy.\n\nRight now, the core will leave the page marked as isolated (as we\nreturned an error).  When later trying to putback that page, we will run\ninto the WARN_ON_ONCE() in balloon_page_putback().\n\nThat handling was changed in commit 3544c4faccb8 (\"mm/balloon_compaction:\nstop using __ClearPageMovable()\"); before that change, we would have\ntolerated that way of handling it.\n\nTo fix it, let's just return 0 in that case, making the core effectively\njust clear the \"isolated\" flag + freeing it back to the buddy as if the\nmigration succeeded.  Note that the new page will also get freed when the\ncore puts the last reference.\n\nNote that this also makes it all more consistent: we will no longer\nunisolate the page in the balloon driver while keeping it marked as being\nisolated in migration core.\n\nThis was found by code inspection.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68248",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: hdm_probe: Fix calling put_device() before device initialization\n\nThe early error path in hdm_probe() can jump to err_free_mdev before\n&mdev->dev has been initialized with device_initialize(). Calling\nput_device(&mdev->dev) there triggers a device core WARN and ends up\ninvoking kref_put(&kobj->kref, kobject_release) on an uninitialized\nkobject.\n\nIn this path the private struct was only kmalloc'ed and the intended\nrelease is effectively kfree(mdev) anyway, so free it directly instead\nof calling put_device() on an uninitialized device.\n\nThis removes the WARNING and fixes the pre-initialization error path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68249",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhung_task: fix warnings caused by unaligned lock pointers\n\nThe blocker tracking mechanism assumes that lock pointers are at least\n4-byte aligned to use their lower bits for type encoding.\n\nHowever, as reported by Eero Tamminen, some architectures like m68k\nonly guarantee 2-byte alignment of 32-bit values. This breaks the\nassumption and causes two related WARN_ON_ONCE checks to trigger.\n\nTo fix this, the runtime checks are adjusted to silently ignore any lock\nthat is not 4-byte aligned, effectively disabling the feature in such\ncases and avoiding the related warnings.\n\nThanks to Geert Uytterhoeven for bisecting!",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68250",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid infinite loops due to corrupted subpage compact indexes\n\nRobert reported an infinite loop observed by two crafted images.\n\nThe root cause is that `clusterofs` can be larger than `lclustersize`\nfor !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.:\n\n  blocksize = lclustersize = 512   lcn = 6   clusterofs = 515\n\nMove the corresponding check for full compress indexes to\n`z_erofs_load_lcluster_from_disk()` to also cover subpage compact\ncompress indexes.\n\nIt also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX`\ncheck, since it should be placed right after\n`z_erofs_load_{compact,full}_lcluster()`.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68251",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup\n\nIn fastrpc_map_lookup, dma_buf_get is called to obtain a reference to\nthe dma_buf for comparison purposes. However, this reference is never\nreleased when the function returns, leading to a dma_buf memory leak.\n\nFix this by adding dma_buf_put before returning from the function,\nensuring that the temporarily acquired reference is properly released\nregardless of whether a matching map is found.\n\nRule: add",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68252",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.6"
        },
        {
          "id": "CVE-2025-68253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: don't spin in add_stack_record when gfp flags don't allow\n\nsyzbot was able to find the following path:\n  add_stack_record_to_list mm/page_owner.c:182 [inline]\n  inc_stack_record_count mm/page_owner.c:214 [inline]\n  __set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333\n  set_page_owner include/linux/page_owner.h:32 [inline]\n  post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\n  prep_new_page mm/page_alloc.c:1859 [inline]\n  get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n  alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554\n\nDon't spin in add_stack_record_to_list() when it is called\nfrom *_nolock() context.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68253",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing\n\nThe Extended Supported Rates (ESR) IE handling in OnBeacon accessed\n*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these\noffsets lie within the received frame buffer. A malformed beacon with\nan ESR IE positioned at the end of the buffer could cause an\nout-of-bounds read, potentially triggering a kernel panic.\n\nAdd a boundary check to ensure that the ESR IE body and the subsequent\nbytes are within the limits of the frame before attempting to access\nthem.\n\nThis prevents OOB reads caused by malformed beacon frames.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68254",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68255",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser\n\nThe Information Element (IE) parser rtw_get_ie() trusted the length\nbyte of each IE without validating that the IE body (len bytes after\nthe 2-byte header) fits inside the remaining frame buffer. A malformed\nframe can advertise an IE length larger than the available data, causing\nthe parser to increment its pointer beyond the buffer end. This results\nin out-of-bounds reads or, depending on the pattern, an infinite loop.\n\nFix by validating that (offset + 2 + len) does not exceed the limit\nbefore accepting the IE or advancing to the next element.\n\nThis prevents OOB reads and ensures the parser terminates safely on\nmalformed frames.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68256",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device's attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes the kernel, seemingly due to\nnonexistent callback dev->get_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copies their original versions, they do not\nhave the required sanity check for device's attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly set up, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev->get_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device's attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68257",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s->n_chan in\nmultiq3_attach() via it->options[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n <TASK>\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68258",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests.  Enabling or disabling a static branch in Linux\nuses the kernel's \"text poke\" code patching mechanism.  To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream.  If a CPU hits the int3, i.e. executes the code while it's being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction.  If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest's TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68259",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix race condition on death_list\n\nRust Binder contains the following unsafe operation:\n\n\t// SAFETY: A `NodeDeath` is never inserted into the death list\n\t// of any node other than its owner, so it is either in this\n\t// death list or in no death list.\n\tunsafe { node_inner.death_list.remove(self) };\n\nThis operation is unsafe because when touching the prev/next pointers of\na list element, we have to ensure that no other thread is also touching\nthem in parallel. If the node is present in the list that `remove` is\ncalled on, then that is fine because we have exclusive access to that\nlist. If the node is not in any list, then it's also ok. But if it's\npresent in a different list that may be accessed in parallel, then that\nmay be a data race on the prev/next pointers.\n\nAnd unfortunately that is exactly what is happening here. In\nNode::release, we:\n\n 1. Take the lock.\n 2. Move all items to a local list on the stack.\n 3. Drop the lock.\n 4. Iterate the local list on the stack.\n\nCombined with threads using the unsafe remove method on the original\nlist, this leads to memory corruption of the prev/next pointers. This\nleads to crashes like this one:\n\n\tUnable to handle kernel paging request at virtual address 000bb9841bcac70e\n\tMem abort info:\n\t  ESR = 0x0000000096000044\n\t  EC = 0x25: DABT (current EL), IL = 32 bits\n\t  SET = 0, FnV = 0\n\t  EA = 0, S1PTW = 0\n\t  FSC = 0x04: level 0 translation fault\n\tData abort info:\n\t  ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000\n\t  CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n\t  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t[000bb9841bcac70e] address between user and kernel address ranges\n\tInternal error: Oops: 0000000096000044 [#1] PREEMPT SMP\n\tgoogle-cdd 538c004.gcdd: context saved(CPU:1)\n\titem - log_kevents is disabled\n\tModules linked in: ... rust_binder\n\tCPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S      W  OE      6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b\n\tTainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n\tHardware name: MUSTANG PVT 1.0 based on LGA (DT)\n\tWorkqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder]\n\tpstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder]\n\tlr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder]\n\tsp : ffffffc09b433ac0\n\tx29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448\n\tx26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578\n\tx23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40\n\tx20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00\n\tx17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0\n\tx14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0\n\tx11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000\n\tx8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : fffffffebee63f30\n\tx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\n\tx2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00\n\tCall trace:\n\t _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc]\n\t process_scheduled_works+0x1c4/0x45c\n\t worker_thread+0x32c/0x3e8\n\t kthread+0x11c/0x1c8\n\t ret_from_fork+0x10/0x20\n\tCode: 94218d85 b4000155 a94026a8 d10102a0 (f9000509)\n\t---[ end trace 0000000000000000 ]---\n\nThus, modify Node::release to pop items directly off the original list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68260",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add i_data_sem protection in ext4_destroy_inline_data_nolock()\n\nFix a race between inline data destruction and block mapping.\n\nThe function ext4_destroy_inline_data_nolock() changes the inode data\nlayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.\nAt the same time, another thread may execute ext4_map_blocks(), which\ntests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()\nor ext4_ind_map_blocks().\n\nWithout i_data_sem protection, ext4_ind_map_blocks() may receive inode\nwith EXT4_INODE_EXTENTS flag and triggering assert.\n\nkernel BUG at fs/ext4/indirect.c:546!\nEXT4-fs (loop2): unmounting filesystem.\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546\n\nCall Trace:\n <TASK>\n ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681\n _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822\n ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124\n ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255\n ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000\n generic_perform_write+0x259/0x5d0 mm/filemap.c:3846\n ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285\n ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679\n call_write_iter include/linux/fs.h:2271 [inline]\n do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10f/0x170 fs/splice.c:950\n splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68261",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: zstd - fix double-free in per-CPU stream cleanup\n\nThe crypto/zstd module has a double-free bug that occurs when multiple\ntfms are allocated and freed.\n\nThe issue happens because zstd_streams (per-CPU contexts) are freed in\nzstd_exit() during every tfm destruction, rather than being managed at\nthe module level.  When multiple tfms exist, each tfm exit attempts to\nfree the same shared per-CPU streams, resulting in a double-free.\n\nThis leads to a stack trace similar to:\n\n  BUG: Bad page state in process kworker/u16:1  pfn:106fd93\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93\n  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n  page dumped because: nonzero entire_mapcount\n  Modules linked in: ...\n  CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G    B\n  Hardware name: ...\n  Workqueue: btrfs-delalloc btrfs_work_helper\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   bad_page+0x71/0xd0\n   free_unref_page_prepare+0x24e/0x490\n   free_unref_page+0x60/0x170\n   crypto_acomp_free_streams+0x5d/0xc0\n   crypto_acomp_exit_tfm+0x23/0x50\n   crypto_destroy_tfm+0x60/0xc0\n   ...\n\nChange the lifecycle management of zstd_streams to free the streams only\nonce during module cleanup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68262",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry->response under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry->response without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry->response while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n  Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n  ...\n  Freed by task:\n    kvfree\n    ipc_msg_send_request [ksmbd]\n    ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n  entry->response, freeing it when invalid, and removing the entry from\n  ipc_msg_table.\n- Returning the final entry->response pointer to the caller only after\n  the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n  semantics.\n\nThis makes all accesses to entry->response consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68263",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei->i_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n  kernel BUG at fs/ext4/inline.c:1331!\n  BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68264",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller's admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller's 'put' to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n  BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n  Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n  CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G            E       6.13.2-ga1582f1a031e #15\n  Tainted: [E]=UNSIGNED_MODULE\n  Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x4f/0x60\n   print_report+0xc4/0x620\n   ? _raw_spin_lock_irqsave+0x70/0xb0\n   ? _raw_read_unlock_irqrestore+0x30/0x30\n   ? blk_queue_enter+0x41c/0x4a0\n   kasan_report+0xab/0xe0\n   ? blk_queue_enter+0x41c/0x4a0\n   blk_queue_enter+0x41c/0x4a0\n   ? __irq_work_queue_local+0x75/0x1d0\n   ? blk_queue_start_drain+0x70/0x70\n   ? irq_work_queue+0x18/0x20\n   ? vprintk_emit.part.0+0x1cc/0x350\n   ? wake_up_klogd_work_func+0x60/0x60\n   blk_mq_alloc_request+0x2b7/0x6b0\n   ? __blk_mq_alloc_requests+0x1060/0x1060\n   ? __switch_to+0x5b7/0x1060\n   nvme_submit_user_cmd+0xa9/0x330\n   nvme_user_cmd.isra.0+0x240/0x3f0\n   ? force_sigsegv+0xe0/0xe0\n   ? nvme_user_cmd64+0x400/0x400\n   ? vfs_fileattr_set+0x9b0/0x9b0\n   ? cgroup_update_frozen_flag+0x24/0x1c0\n   ? cgroup_leave_frozen+0x204/0x330\n   ? nvme_ioctl+0x7c/0x2c0\n   blkdev_ioctl+0x1a8/0x4d0\n   ? blkdev_common_ioctl+0x1930/0x1930\n   ? fdget+0x54/0x380\n   __x64_sys_ioctl+0x129/0x190\n   do_syscall_64+0x5b/0x160\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x7f765f703b0b\n  Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n  RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n  RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n  R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n  R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n   </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68265",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfs: Reconstruct file type when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when\nthe S_IFMT bits of the 32bits \"mode\" field loaded from disk are corrupted\nor when the 32bits \"attributes\" field loaded from disk are corrupted.\n\nA documentation says that BFS uses only lower 9 bits of the \"mode\" field.\nBut I can't find an explicit explanation that the unused upper 23 bits\n(especially, the S_IFMT bits) are initialized with 0.\n\nTherefore, ignore the S_IFMT bits of the \"mode\" field loaded from disk.\nAlso, verify that the value of the \"attributes\" field loaded from disk is\neither BFS_VREG or BFS_VDIR (because BFS supports only regular files and\nthe root directory).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68266",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list\n\n\"struct sdca_control\" declares \"values\" field as integer array.\nBut the memory allocated to it is of char array. This causes\ncrash for sdca_parse_function API. This patch addresses the\nissue by allocating correct data size.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68281",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: udc: fix use-after-free in usb_gadget_state_work\n\nA race condition during gadget teardown can lead to a use-after-free\nin usb_gadget_state_work(), as reported by KASAN:\n\n  BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0\n  Workqueue: events usb_gadget_state_work\n\nThe fundamental race occurs because a concurrent event (e.g., an\ninterrupt) can call usb_gadget_set_state() and schedule gadget->work\nat any time during the cleanup process in usb_del_gadget().\n\nCommit 399a45e5237c (\"usb: gadget: core: flush gadget workqueue after\ndevice removal\") attempted to fix this by moving flush_work() to after\ndevice_del(). However, this does not fully solve the race, as a new\nwork item can still be scheduled *after* flush_work() completes but\nbefore the gadget's memory is freed, leading to the same use-after-free.\n\nThis patch fixes the race condition robustly by introducing a 'teardown'\nflag and a 'state_lock' spinlock to the usb_gadget struct. The flag is\nset during cleanup in usb_del_gadget() *before* calling flush_work() to\nprevent any new work from being scheduled once cleanup has commenced.\nThe scheduling site, usb_gadget_set_state(), now checks this flag under\nthe lock before queueing the work, thus safely closing the race window.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68282",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace BUG_ON with bounds check for map->max_osd\n\nOSD indexes come from untrusted network packets. Boundary checks are\nadded to validate these against map->max_osd.\n\n[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic\n  edits ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68283",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds writes in handle_auth_session_key()\n\nThe len field originates from untrusted network packets. Boundary\nchecks have been added to prevent potential out-of-bounds writes when\ndecrypting the connection secret or processing service tickets.\n\n[ idryomov: changelog ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68284",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc->monmap);\n    monc->monmap = monmap;\n\n    ceph_osdmap_destroy(osdc->osdmap);\n    osdc->osdmap = newmap;\n\nunder client->monc.mutex and client->osdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it's possible for\nclient->monc.monmap->epoch and client->osdc.osdmap->epoch arms in\n\n    client->monc.monmap && client->monc.monmap->epoch &&\n        client->osdc.osdmap && client->osdc.osdmap->epoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    <TASK>\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    </TASK>\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient->monc.mutex and client->osdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client->auth_err under client->monc.mutex to match\nhow it's set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68285",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check NULL before accessing\n\n[WHAT]\nIGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic\nfails with NULL pointer dereference. This can be reproduced with\nboth an eDP panel and a DP monitors connected.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted\n6.16.0-99-custom #8 PREEMPT(voluntary)\n Hardware name: AMD ........\n RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]\n Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49\n 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30\n c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02\n RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668\n RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000\n RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760\n R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000\n R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c\n FS:  000071f631b68700(0000) GS:ffff8b399f114000(0000)\nknlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]\n amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]\n ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]\n amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]\n drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400\n drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30\n drm_crtc_get_last_vbltimestamp+0x55/0x90\n drm_crtc_next_vblank_start+0x45/0xa0\n drm_atomic_helper_wait_for_fences+0x81/0x1f0\n ...\n\n(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68286",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees 'out'\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68287",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: Fix memory leak in USB bulk transport\n\nA kernel memory leak was identified by the 'ioctl_sg01' test from Linux\nTest Project (LTP). The following bytes were mainly observed: 0x53425355.\n\nWhen USB storage devices incorrectly skip the data phase with status data,\nthe code extracts/validates the CSW from the sg buffer, but fails to clear\nit afterwards. This leaves status protocol data in srb's transfer buffer,\nsuch as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can\nlead to USB protocols leaks to user space through SCSI generic (/dev/sg*)\ninterfaces, such as the one seen here when the LTP test requested 512 KiB.\n\nFix the leak by zeroing the CSW data in srb's transfer buffer immediately\nafter the validation of devices that skip data phase.\n\nNote: Differently from CVE-2018-1000204, which fixed a big leak by zero-\ning pages at allocation time, this leak occurs after allocation, when USB\nprotocol data is written to already-allocated sg pages.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68288",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix memory leak in eem_unwrap\n\nThe existing code did not handle the failure case of usb_ep_queue in the\ncommand path, potentially leading to memory leaks.\n\nImprove error handling to free all allocated resources on usb_ep_queue\nfailure. This patch continues to use goto logic for error handling, as the\nexisting error handling is complex and not easily adaptable to auto-cleanup\nhelpers.\n\nkmemleak results:\n  unreferenced object 0xffffff895a512300 (size 240):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      kmem_cache_alloc+0x1b4/0x358\n      skb_clone+0x90/0xd8\n      eem_unwrap+0x1cc/0x36c\n  unreferenced object 0xffffff8a157f4000 (size 256):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      kmalloc_trace+0x48/0x140\n      dwc3_gadget_ep_alloc_request+0x58/0x11c\n      usb_ep_alloc_request+0x40/0xe4\n      eem_unwrap+0x204/0x36c\n  unreferenced object 0xffffff8aadbaac00 (size 128):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      __kmalloc+0x64/0x1a8\n      eem_unwrap+0x218/0x36c\n  unreferenced object 0xffffff89ccef3500 (size 64):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      kmalloc_trace+0x48/0x140\n      eem_unwrap+0x238/0x36c",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68289",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: fix double free on late probe failure\n\nThe MOST subsystem has a non-standard registration function which frees\nthe interface on registration failures and on deregistration.\n\nThis unsurprisingly leads to bugs in the MOST drivers, and a couple of\nrecent changes turned a reference underflow and use-after-free in the\nUSB driver into several double free and a use-after-free on late probe\nfailures.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68290",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().\n\nsyzbot reported divide-by-zero in __tcp_select_window() by\nMPTCP socket. [0]\n\nWe had a similar issue for the bare TCP and fixed in commit\n499350a5a6e7 (\"tcp: initialize rcv_mss to TCP_MIN_MSS instead\nof 0\").\n\nLet's apply the same fix to mptcp_do_fastclose().\n\n[0]:\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336\nCode: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00\nRSP: 0018:ffffc90003017640 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028\nR10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n tcp_select_window net/ipv4/tcp_output.c:281 [inline]\n __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568\n tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]\n tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836\n mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793\n mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253\n mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776\n mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3bd/0x520 net/socket.c:2244\n __do_sys_sendto net/socket.c:2251 [inline]\n __se_sys_sendto net/socket.c:2247 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2247\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f66e998f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68291",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.11"
        },
        {
          "id": "CVE-2025-68292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memfd: fix information leak in hugetlb folios\n\nWhen allocating hugetlb folios for memfd, three initialization steps are\nmissing:\n\n1. Folios are not zeroed, leading to kernel memory disclosure to userspace\n2. Folios are not marked uptodate before adding to page cache\n3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache()\n\nThe memfd allocation path bypasses the normal page fault handler\n(hugetlb_no_page) which would handle all of these initialization steps. \nThis is problematic especially for udmabuf use cases where folios are\npinned and directly accessed by userspace via DMA.\n\nFix by matching the initialization pattern used in hugetlb_no_page():\n- Zero the folio using folio_zero_user() which is optimized for huge pages\n- Mark it uptodate with folio_mark_uptodate()\n- Take hugetlb_fault_mutex before adding to page cache to prevent races\n\nThe folio_zero_user() change also fixes a potential security issue where\nuninitialized kernel memory could be disclosed to userspace through read()\nor mmap() operations on the memfd.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68292",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix NULL pointer dereference when splitting folio\n\nCommit c010d47f107f (\"mm: thp: split huge page to any lower order pages\")\nintroduced an early check on the folio's order via mapping->flags before\nproceeding with the split work.\n\nThis check introduced a bug: for shmem folios in the swap cache and\ntruncated folios, the mapping pointer can be NULL.  Accessing\nmapping->flags in this state leads directly to a NULL pointer dereference.\n\nThis commit fixes the issue by moving the check for mapping != NULL before\nany attempt to access mapping->flags.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68293",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: ensure vectored buffer node import is tied to notification\n\nWhen support for vectored registered buffers was added, the import\nitself is using 'req' rather than the notification io_kiocb, sr->notif.\nFor non-vectored imports, sr->notif is correctly used. This is important\nas the lifetime of the two may be different. Use the correct io_kiocb\nfor the vectored buffer import.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68294",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix memory leak in cifs_construct_tcon()\n\nWhen having a multiuser mount with domain= specified and using\ncifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,\nso it needs to be freed before leaving cifs_construct_tcon().\n\nThis fixes the following memory leak reported by kmemleak:\n\n  mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...\n  su - testuser\n  cifscreds add -d ZELDA -u testuser\n  ...\n  ls /mnt/1\n  ...\n  umount /mnt\n  echo scan > /sys/kernel/debug/kmemleak\n  cat /sys/kernel/debug/kmemleak\n  unreferenced object 0xffff8881203c3f08 (size 8):\n    comm \"ls\", pid 5060, jiffies 4307222943\n    hex dump (first 8 bytes):\n      5a 45 4c 44 41 00 cc cc                          ZELDA...\n    backtrace (crc d109a8cf):\n      __kmalloc_node_track_caller_noprof+0x572/0x710\n      kstrdup+0x3a/0x70\n      cifs_sb_tlink+0x1209/0x1770 [cifs]\n      cifs_get_fattr+0xe1/0xf50 [cifs]\n      cifs_get_inode_info+0xb5/0x240 [cifs]\n      cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]\n      cifs_getattr+0x28e/0x450 [cifs]\n      vfs_getattr_nosec+0x126/0x180\n      vfs_statx+0xf6/0x220\n      do_statx+0xab/0x110\n      __x64_sys_statx+0xd5/0x130\n      do_syscall_64+0xbb/0x380\n      entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68295",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup\n\nProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOB\naccess in fbcon_remap_all(). Without holding the console lock the call\nraces with switching outputs.\n\nVGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon\nfunction uses struct fb_info.node, which is set by register_framebuffer().\nAs the fb-helper code currently sets up VGA switcheroo before registering\nthe framebuffer, the value of node is -1 and therefore not a legal value.\nFor example, fbcon uses the value within set_con2fb_map() [1] as an index\ninto an array.\n\nMoving vga_switcheroo_client_fb_set() after register_framebuffer() can\nresult in VGA switching that does not switch fbcon correctly.\n\nTherefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),\nwhich already holds the console lock. Fbdev calls fbcon_fb_registered()\nfrom within register_framebuffer(). Serializes the helper with VGA\nswitcheroo's call to fbcon_remap_all().\n\nAlthough vga_switcheroo_client_fb_set() takes an instance of struct fb_info\nas parameter, it really only needs the contained fbcon state. Moving the\ncall to fbcon initialization is therefore cleaner than before. Only amdgpu,\ni915, nouveau and radeon support vga_switcheroo. For all other drivers,\nthis change does nothing.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68296",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash in process_v2_sparse_read() for encrypted directories\n\nThe crash in process_v2_sparse_read() for fscrypt-encrypted directories\nhas been reported. The issue takes place for Ceph msgr2 protocol in secure\nmode. It can be reproduced by the steps:\n\nsudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure\n\n(1) mkdir /mnt/cephfs/fscrypt-test-3\n(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3\n(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3\n(4) fscrypt lock /mnt/cephfs/fscrypt-test-3\n(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3\n(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar\n(7) Issue has been triggered\n\n[  408.072247] ------------[ cut here ]------------\n[  408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865\nceph_con_v2_try_read+0x4b39/0x72f0\n[  408.072267] Modules linked in: intel_rapl_msr intel_rapl_common\nintel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery\npmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass\npolyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse\nserio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg\npata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore\n[  408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+\n[  408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.17.0-5.fc42 04/01/2014\n[  408.072310] Workqueue: ceph-msgr ceph_con_workfn\n[  408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0\n[  408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8\n8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06\nfe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85\n[  408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246\n[  408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38\n[  408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8\n[  408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8\n[  408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000\n[  408.072329] FS:  0000000000000000(0000) GS:ffff88823eadf000(0000)\nknlGS:0000000000000000\n[  408.072331] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0\n[  408.072336] PKRU: 55555554\n[  408.072337] Call Trace:\n[  408.072338]  <TASK>\n[  408.072340]  ? sched_clock_noinstr+0x9/0x10\n[  408.072344]  ? __pfx_ceph_con_v2_try_read+0x10/0x10\n[  408.072347]  ? _raw_spin_unlock+0xe/0x40\n[  408.072349]  ? finish_task_switch.isra.0+0x15d/0x830\n[  408.072353]  ? __kasan_check_write+0x14/0x30\n[  408.072357]  ? mutex_lock+0x84/0xe0\n[  408.072359]  ? __pfx_mutex_lock+0x10/0x10\n[  408.072361]  ceph_con_workfn+0x27e/0x10e0\n[  408.072364]  ? metric_delayed_work+0x311/0x2c50\n[  408.072367]  process_one_work+0x611/0xe20\n[  408.072371]  ? __kasan_check_write+0x14/0x30\n[  408.072373]  worker_thread+0x7e3/0x1580\n[  408.072375]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  408.072378]  ? __pfx_worker_thread+0x10/0x10\n[  408.072381]  kthread+0x381/0x7a0\n[  408.072383]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  408.072385]  ? __pfx_kthread+0x10/0x10\n[  408.072387]  ? __kasan_check_write+0x14/0x30\n[  408.072389]  ? recalc_sigpending+0x160/0x220\n[  408.072392]  ? _raw_spin_unlock_irq+0xe/0x50\n[  408.072394]  ? calculate_sigpending+0x78/0xb0\n[  408.072395]  ? __pfx_kthread+0x10/0x10\n[  408.072397]  ret_from_fork+0x2b6/0x380\n[  408.072400]  ? __pfx_kthread+0x10/0x10\n[  408.072402]  ret_from_fork_asm+0x1a/0x30\n[  408.072406]  </TASK>\n[  408.072407] ---[ end trace 0000000000000000 ]---\n[  408.072418] Oops: general protection fault, probably for non-canonical\naddress 0xdffffc00000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68297",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref\n\nIn btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:\n  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)\n\nThat function can return NULL in some cases. Even when it returns\nNULL, though, we still go on to call btusb_mtk_claim_iso_intf().\n\nAs of commit e9087e828827 (\"Bluetooth: btusb: mediatek: Add locks for\nusb_driver_claim_interface()\"), calling btusb_mtk_claim_iso_intf()\nwhen `btmtk_data->isopkt_intf` is NULL will cause a crash because\nwe'll end up passing a bad pointer to device_lock(). Prior to that\ncommit we'd pass the NULL pointer directly to\nusb_driver_claim_interface() which would detect it and return an\nerror, which was handled.\n\nResolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check\nat the start of the function. This makes the code handle a NULL\n`btmtk_data->isopkt_intf` the same way it did before the problematic\ncommit (just with a slight change to the error message printed).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68298",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix delayed allocation of a cell's anonymous key\n\nThe allocation of a cell's anonymous key is done in a background thread\nalong with other cell setup such as doing a DNS upcall.  In the reported\nbug, this is triggered by afs_parse_source() parsing the device name given\nto mount() and calling afs_lookup_cell() with the name of the cell.\n\nThe normal key lookup then tries to use the key description on the\nanonymous authentication key as the reference for request_key() - but it\nmay not yet be set and so an oops can happen.\n\nThis has been made more likely to happen by the fix for dynamic lookup\nfailure.\n\nFix this by firstly allocating a reference name and attaching it to the\nafs_cell record when the record is created.  It can share the memory\nallocation with the cell name (unfortunately it can't just overlap the cell\nname by prepending it with \"afs@\" as the cell name already has a '.'\nprepended for other purposes).  This reference name is then passed to\nrequest_key().\n\nSecondly, the anon key is now allocated on demand at the point a key is\nrequested in afs_request_key() if it is not already allocated.  A mutex is\nused to prevent multiple allocation for a cell.\n\nThirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't\nyet allocated (if we need it) and then the caller can return -ECHILD to\ndrop out of RCU-mode and afs_request_key() can be called.\n\nNote that the anonymous key is kind of necessary to make the key lookup\ncache work as that doesn't currently cache a negative lookup, but it's\nprobably worth some investigation to see if NULL can be used instead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68299",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.11"
        },
        {
          "id": "CVE-2025-68300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/namespace: fix reference leak in grab_requested_mnt_ns\n\nlookup_mnt_ns() already takes a reference on mnt_ns.\ngrab_requested_mnt_ns() doesn't need to take an extra reference.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68300",
          "detail": "fixed-version",
          "description": "Fixed from version 6.17.11"
        },
        {
          "id": "CVE-2025-68301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn't check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n<IRQ>\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,\n  then all fragments are accounted for.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68301",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let's add a 'break' after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68302",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"&punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(&ipcdev->cmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68303",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: lookup hci_conn on RX path on protocol side\n\nThe hdev lock/lookup/unlock/use pattern in the packet RX path doesn't\nensure hci_conn* is not concurrently modified/deleted. This locking\nappears to be leftover from before conn_hash started using RCU\ncommit bf4c63252490b (\"Bluetooth: convert conn hash to RCU\")\nand not clear if it had purpose since then.\n\nCurrently, there are code paths that delete hci_conn* from elsewhere\nthan the ordered hdev->workqueue where the RX work runs in. E.g.\ncommit 5af1f84ed13a (\"Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync\")\nintroduced some of these, and there probably were a few others before\nit.  It's better to do the locking so that even if these run\nconcurrently no UAF is possible.\n\nMove the lookup of hci_conn and associated socket-specific conn to\nprotocol recv handlers, and do them within a single critical section\nto cover hci_conn* usage and lookup.\n\nsyzkaller has reported a crash that appears to be this issue:\n\n    [Task hdev->workqueue]          [Task 2]\n                                    hci_disconnect_all_sync\n    l2cap_recv_acldata(hcon)\n                                      hci_conn_get(hcon)\n                                      hci_abort_conn_sync(hcon)\n                                        hci_dev_lock\n      hci_dev_lock\n                                        hci_conn_del(hcon)\n      v-------------------------------- hci_dev_unlock\n                                      hci_conn_put(hcon)\n      conn = hcon->l2cap_data (UAF)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68304",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Prevent race in socket write iter and sock bind\n\nThere is a potential race condition between sock bind and socket write\niter. bind may free the same cmd via mgmt_pending before write iter sends\nthe cmd, just as syzbot reported in UAF[1].\n\nHere we use hci_dev_lock to synchronize the two, thereby avoiding the\nUAF mentioned in [1].\n\n[1]\nsyzbot reported:\nBUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\nRead of size 8 at addr ffff888077164818 by task syz.0.17/5989\nCall Trace:\n mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\n set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nAllocated by task 5989:\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nFreed by task 5991:\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68305",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface\n\nWhen performing reset tests and encountering abnormal card drop issues\nthat lead to a kernel crash, it is necessary to perform a null check\nbefore releasing resources to avoid attempting to release a null pointer.\n\n<4>[   29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)\n<4>[   29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n<4>[   29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n<4>[   29.158162] pc : klist_remove+0x90/0x158\n<4>[   29.158174] lr : klist_remove+0x88/0x158\n<4>[   29.158180] sp : ffffffc0846b3c00\n<4>[   29.158185] pmr_save: 000000e0\n<4>[   29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058\n<4>[   29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0\n<4>[   29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290\n<4>[   29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781\n<4>[   29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428\n<4>[   29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018\n<4>[   29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000\n<4>[   29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d\n<4>[   29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e\n<4>[   29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c\n<4>[   29.158285] Call trace:\n<4>[   29.158290]  klist_remove+0x90/0x158\n<4>[   29.158298]  device_release_driver_internal+0x20c/0x268\n<4>[   29.158308]  device_release_driver+0x1c/0x30\n<4>[   29.158316]  usb_driver_release_interface+0x70/0x88\n<4>[   29.158325]  btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]\n<4>[   29.158347]  btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]\n<4>[   29.158361]  hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]\n<4>[   29.158430]  process_scheduled_works+0x258/0x4e8\n<4>[   29.158441]  worker_thread+0x300/0x428\n<4>[   29.158448]  kthread+0x108/0x1d0\n<4>[   29.158455]  ret_from_fork+0x10/0x20\n<0>[   29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)\n<4>[   29.158474] ---[ end trace 0000000000000000 ]---\n<0>[   29.167129] Kernel panic - not syncing: Oops: Fatal exception\n<2>[   29.167144] SMP: stopping secondary CPUs\n<4>[   29.167158] ------------[ cut here ]------------",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68306",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver's context and do accounting\n- wake the send queue",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68307",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint's wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68308",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/AER: Fix NULL pointer access by aer_info\n\nThe kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx\nwill result in kernel panic. Fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68309",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump\n\nDo not block PCI config accesses through pci_cfg_access_lock() when\nexecuting the s390 variant of PCI error recovery: Acquire just\ndevice_lock() instead of pci_dev_lock() as powerpc's EEH and\ngenerig PCI AER processing do.\n\nDuring error recovery testing a pair of tasks was reported to be hung:\n\nmlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working\nINFO: task kmcheck:72 blocked for more than 122 seconds.\n      Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2      flags:0x00000000\nCall Trace:\n [<000000065256f030>] __schedule+0x2a0/0x590\n [<000000065256f356>] schedule+0x36/0xe0\n [<000000065256f572>] schedule_preempt_disabled+0x22/0x30\n [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8\n [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]\n [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]\n [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398\n [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0\nINFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.\n      Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2      flags:0x00000000\nWorkqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]\nCall Trace:\n [<000000065256f030>] __schedule+0x2a0/0x590\n [<000000065256f356>] schedule+0x36/0xe0\n [<0000000652172e28>] pci_wait_cfg+0x80/0xe8\n [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88\n [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]\n [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]\n [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]\n [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168\n [<0000000652513212>] devlink_health_report+0x19a/0x230\n [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]\n\nNo kernel log of the exact same error with an upstream kernel is\navailable - but the very same deadlock situation can be constructed there,\ntoo:\n\n- task: kmcheck\n  mlx5_unload_one() tries to acquire devlink lock while the PCI error\n  recovery code has set pdev->block_cfg_access by way of\n  pci_cfg_access_lock()\n- task: kworker\n  mlx5_crdump_collect() tries to set block_cfg_access through\n  pci_cfg_access_lock() while devlink_health_report() had acquired\n  the devlink lock.\n\nA similar deadlock situation can be reproduced by requesting a\ncrdump with\n  > devlink health dump show pci/<BDF> reporter fw_fatal\n\nwhile PCI error recovery is executed on the same <BDF> physical function\nby mlx5_core's pci_error_handlers. On s390 this can be injected with\n  > zpcictl --reset-fw <BDF>\n\nTests with this patch failed to reproduce that second deadlock situation,\nthe devlink command is rejected with \"kernel answers: Permission denied\" -\nand we get a kernel log message of:\n\nmlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5\n\nbecause the config read of VSC_SEMAPHORE is rejected by the underlying\nhardware.\n\nTwo prior attempts to address this issue have been discussed and\nultimately rejected [see link], with the primary argument that s390's\nimplementation of PCI error recovery is imposing restrictions that\nneither powerpc's EEH nor PCI AER handling need. Tests show that PCI\nerror recovery on s390 is running to completion even without blocking\naccess to PCI config space.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68310",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ip22zilog: Use platform device for probing\n\nAfter commit 84a9582fd203 (\"serial: core: Start managing serial controllers\nto enable runtime PM\") serial drivers need to provide a device in\nstruct uart_port.dev otherwise an oops happens. To fix this issue\nfor ip22zilog driver switch driver to a platform driver and setup\nthe serial device in sgi-ip22 code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68311",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68312",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add RDSEED fix for Zen5\n\nThere's an issue with RDSEED's 16-bit and 32-bit register output\nvariants on Zen5 which return a random value of 0 \"at a rate inconsistent\nwith randomness while incorrectly signaling success (CF=1)\". Search the\nweb for AMD-SB-7055 for more detail.\n\nAdd a fix glue which checks microcode revisions.\n\n  [ bp: Add microcode revisions checking, rewrite. ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68313",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: make sure last_fence is always updated\n\nUpdate last_fence in the vm-bind path instead of kernel managed path.\n\nlast_fence is used to wait for work to finish in vm_bind contexts but not\nused for kernel managed contexts.\n\nThis fixes a bug where last_fence is not waited on context close leading\nto faults as resources are freed while in use.\n\nPatchwork: https://patchwork.freedesktop.org/patch/680080/",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68314",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to detect potential corrupted nid in free_nid_list\n\nAs reported, on-disk footer.ino and footer.nid is the same and\nout-of-range, let's add sanity check on f2fs_alloc_nid() to detect\nany potential corruption in free_nid_list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68315",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix invalid probe error return value\n\nAfter DME Link Startup, the error return value is set to the MIPI UniPro\nGenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure\nduring driver probe, the error code 1 is propagated back to the driver\nprobe function which must return a negative value to indicate an error,\nbut 1 is not negative, so the probe is considered to be successful even\nthough it failed.  Subsequently, removing the driver results in an oops\nbecause it is not in a valid state.\n\nThis happens because none of the callers of ufshcd_init() expect a\nnon-negative error code.\n\nFix the return value and documentation to match actual usage.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68316",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zctx: check chained notif contexts\n\nSend zc only links ubuf_info for requests coming from the same context.\nThere are some ambiguous syz reports, so let's check the assumption on\nnotification completion.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68317",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL\n\nThe AXI crossbar of TH1520 has no proper timeout handling, which means\ngating AXI clocks can easily lead to bus timeout and thus system hang.\n\nSet all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are\nungated by default on system reset.\n\nIn addition, convert all current CLK_IGNORE_UNUSED usage to\nCLK_IS_CRITICAL to prevent unwanted clock gating.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68318",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetconsole: Acquire su_mutex before navigating configs hierarchy\n\nThere is a race between operations that iterate over the userdata\ncg_children list and concurrent add/remove of userdata items through\nconfigfs. The update_userdata() function iterates over the\nnt->userdata_group.cg_children list, and count_extradata_entries() also\niterates over this same list to count nodes.\n\nQuoting from Documentation/filesystems/configfs.rst:\n> A subsystem can navigate the cg_children list and the ci_parent pointer\n> to see the tree created by the subsystem.  This can race with configfs'\n> management of the hierarchy, so configfs uses the subsystem mutex to\n> protect modifications.  Whenever a subsystem wants to navigate the\n> hierarchy, it must do so under the protection of the subsystem\n> mutex.\n\nWithout proper locking, if a userdata item is added or removed\nconcurrently while these functions are iterating, the list can be\naccessed in an inconsistent state. For example, the list_for_each() loop\ncan reach a node that is being removed from the list by list_del_init()\nwhich sets the nodes' .next pointer to point to itself, so the loop will\nnever end (or reach the WARN_ON_ONCE in update_userdata() ).\n\nFix this by holding the configfs subsystem mutex (su_mutex) during all\noperations that iterate over cg_children.\nThis includes:\n- userdatum_value_store() which calls update_userdata() to iterate over\n  cg_children\n- All sysdata_*_enabled_store() functions which call\n  count_extradata_entries() to iterate over cg_children\n\nThe su_mutex must be acquired before dynamic_netconsole_mutex to avoid\npotential lock ordering issues, as configfs operations may already hold\nsu_mutex when calling into our code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68319",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix sleeping in atomic context\n\nThe following warning was seen when we try to connect using ssh to the device.\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:575\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W           6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE\nTainted: [W]=WARN\nHardware name: Generic DT based system\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x7c/0xac\n dump_stack_lvl from __might_resched+0x16c/0x2b0\n __might_resched from __mutex_lock+0x64/0xd34\n __mutex_lock from mutex_lock_nested+0x1c/0x24\n mutex_lock_nested from lan966x_stats_get+0x5c/0x558\n lan966x_stats_get from dev_get_stats+0x40/0x43c\n dev_get_stats from dev_seq_printf_stats+0x3c/0x184\n dev_seq_printf_stats from dev_seq_show+0x10/0x30\n dev_seq_show from seq_read_iter+0x350/0x4ec\n seq_read_iter from seq_read+0xfc/0x194\n seq_read from proc_reg_read+0xac/0x100\n proc_reg_read from vfs_read+0xb0/0x2b0\n vfs_read from ksys_read+0x6c/0xec\n ksys_read from ret_fast_syscall+0x0/0x1c\nException stack(0xf0b11fa8 to 0xf0b11ff0)\n1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001\n1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001\n1fe0: 0005404c be9048c0 00018684 b6ec2cd8\n\nIt seems that we are using a mutex in a atomic context which is wrong.\nChange the mutex with a spinlock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68320",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: always add GFP_NOWARN for ATOMIC allocations\n\nDriver authors often forget to add GFP_NOWARN for page allocation\nfrom the datapath. This is annoying to users as OOMs are a fact\nof life, and we pretty much expect network Rx to hit page allocation\nfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations\nby default.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68321",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Avoid crash due to unaligned access in unwinder\n\nGuenter Roeck reported this kernel crash on his emulated B160L machine:\n\nStarting network: udhcpc: started, v1.36.1\n Backtrace:\n  [<104320d4>] unwind_once+0x1c/0x5c\n  [<10434a00>] walk_stackframe.isra.0+0x74/0xb8\n  [<10434a6c>] arch_stack_walk+0x28/0x38\n  [<104e5efc>] stack_trace_save+0x48/0x5c\n  [<105d1bdc>] set_track_prepare+0x44/0x6c\n  [<105d9c80>] ___slab_alloc+0xfc4/0x1024\n  [<105d9d38>] __slab_alloc.isra.0+0x58/0x90\n  [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0\n  [<105b8e54>] __anon_vma_prepare+0x60/0x280\n  [<105a823c>] __vmf_anon_prepare+0x68/0x94\n  [<105a8b34>] do_wp_page+0x8cc/0xf10\n  [<105aad88>] handle_mm_fault+0x6c0/0xf08\n  [<10425568>] do_page_fault+0x110/0x440\n  [<10427938>] handle_interruption+0x184/0x748\n  [<11178398>] schedule+0x4c/0x190\n  BUG: spinlock recursion on CPU#0, ifconfig/2420\n  lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0\n\nWhile creating the stack trace, the unwinder uses the stack pointer to guess\nthe previous frame to read the previous stack pointer from memory.  The crash\nhappens, because the unwinder tries to read from unaligned memory and as such\ntriggers the unalignment trap handler which then leads to the spinlock\nrecursion and finally to a deadlock.\n\nFix it by checking the alignment before accessing the memory.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68322",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec->work\n\nThe delayed work uec->work is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840  auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                              ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68323",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: imm: Fix use-after-free bug caused by unfinished delayed work\n\nThe delayed work item 'imm_tq' is initialized in imm_attach() and\nscheduled via imm_queuecommand() for processing SCSI commands.  When the\nIMM parallel port SCSI host adapter is detached through imm_detach(),\nthe imm_struct device instance is deallocated.\n\nHowever, the delayed work might still be pending or executing\nwhen imm_detach() is called, leading to use-after-free bugs\nwhen the work function imm_interrupt() accesses the already\nfreed imm_struct memory.\n\nThe race condition can occur as follows:\n\nCPU 0(detach thread)   | CPU 1\n                       | imm_queuecommand()\n                       |   imm_queuecommand_lck()\nimm_detach()           |     schedule_delayed_work()\n  kfree(dev) //FREE    | imm_interrupt()\n                       |   dev = container_of(...) //USE\n                           dev-> //USE\n\nAdd disable_delayed_work_sync() in imm_detach() to guarantee proper\ncancellation of the delayed work item before imm_struct is deallocated.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68324",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68325",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Fix stack_depot usage\n\nAdd missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is\nenabled to fix the following call stack:\n\n\t[] BUG: kernel NULL pointer dereference, address: 0000000000000000\n\t[] Workqueue:  drm_sched_run_job_work [gpu_sched]\n\t[] RIP: 0010:stack_depot_save_flags+0x172/0x870\n\t[] Call Trace:\n\t[]  <TASK>\n\t[]  fast_req_track+0x58/0xb0 [xe]\n\n(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68326",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Fix synchronous external abort on unbind\n\nA synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is\nexecuted after the configuration sequence described above:\n\nmodprobe usb_f_ecm\nmodprobe libcomposite\nmodprobe configfs\ncd /sys/kernel/config/usb_gadget\nmkdir -p g1\ncd g1\necho \"0x1d6b\" > idVendor\necho \"0x0104\" > idProduct\nmkdir -p strings/0x409\necho \"0123456789\" > strings/0x409/serialnumber\necho \"Renesas.\" > strings/0x409/manufacturer\necho \"Ethernet Gadget\" > strings/0x409/product\nmkdir -p functions/ecm.usb0\nmkdir -p configs/c.1\nmkdir -p configs/c.1/strings/0x409\necho \"ECM\" > configs/c.1/strings/0x409/configuration\n\nif [ ! -L configs/c.1/ecm.usb0 ]; then\n        ln -s functions/ecm.usb0 configs/c.1\nfi\n\necho 11e20000.usb > UDC\necho 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind\n\nThe displayed trace is as follows:\n\n Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT\n Tainted: [M]=MACHINE_CHECK\n Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)\n pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]\n lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]\n sp : ffff8000838b3920\n x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810\n x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000\n x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020\n x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344\n x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000\n x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418\n x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\n x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80\n Call trace:\n usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)\n usbhsg_pullup+0x4c/0x7c [renesas_usbhs]\n usb_gadget_disconnect_locked+0x48/0xd4\n gadget_unbind_driver+0x44/0x114\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_release_driver+0x18/0x24\n bus_remove_device+0xcc/0x10c\n device_del+0x14c/0x404\n usb_del_gadget+0x88/0xc0\n usb_del_gadget_udc+0x18/0x30\n usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]\n usbhs_mod_remove+0x20/0x30 [renesas_usbhs]\n usbhs_remove+0x98/0xdc [renesas_usbhs]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_driver_detach+0x18/0x24\n unbind_store+0xb4/0xb8\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x2ac/0x350\n ksys_write+0x68/0xfc\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)\n ---[ end trace 0000000000000000 ]---\n note: sh[188] exited with irqs disabled\n note: sh[188] exited with preempt_count 1\n\nThe issue occurs because usbhs_sys_function_pullup(), which accesses the IP\nregisters, is executed after the USBHS clocks have been disabled. The\nproblem is reproducible on the Renesas RZ/G3S SoC starting with the\naddition of module stop in the clock enable/disable APIs. With module stop\nfunctionality enabled, a bus error is expected if a master accesses a\nmodule whose clock has been stopped and module stop activated.\n\nDisable the IP clocks at the end of remove.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68327",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth operate on the same data and override each other. This resulted in the\nrmmod of the svc driver failing and throwing a kernel panic for kthread_stop\nand fifo free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68328",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs\n\nWhen a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel\ncalls vm_ops->close on each portion. For trace buffer mappings, this\nresults in ring_buffer_unmap() being called multiple times while\nring_buffer_map() was only called once.\n\nThis causes ring_buffer_unmap() to return -ENODEV on subsequent calls\nbecause user_mapped is already 0, triggering a WARN_ON.\n\nTrace buffer mappings cannot support partial mappings because the ring\nbuffer structure requires the complete buffer including the meta page.\n\nFix this by adding a may_split callback that returns -EINVAL to prevent\nVMA splits entirely.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68329",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n  address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68330",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is removed during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg->dma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and saves the cmnd to the devinfo->cmnd array. If the successfully\nsubmitted URBs are completed before devinfo->resetting is set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV. In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68331",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device.  When the Comedi core calls the driver's Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi device to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value.  (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.)  The driver's Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored).  In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`.  (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\".  This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver.  (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time.  
Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS:  000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl 
fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68332",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix possible deadlock in the deferred_irq_workfn()\n\nFor PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in\nthe per-cpu irq_work/* task context and not with IRQs disabled. If the rq\nreturned by container_of() is the current CPU's rq, the following scenario\nmay occur:\n\nlock(&rq->__lock);\n<Interrupt>\n  lock(&rq->__lock);\n\nThis commit uses IRQ_WORK_INIT_HARD() to replace init_irq_work() to\ninitialize rq->scx.deferred_irq_work, so that deferred_irq_workfn()\nis always invoked in hard-irq context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68333",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Add support for Van Gogh SoC\n\nThe ROG Xbox Ally (non-X) SoC features a similar architecture to the\nSteam Deck. While the Steam Deck supports S3 (s2idle causes a crash),\nthis support was dropped by the Xbox Ally, which only supports S0ix suspend.\n\nSince the handler is missing here, this causes the device to not suspend\nand the AMD GPU driver to crash while trying to resume afterwards due to\na power hang.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68334",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev->read_subdev may not have initialized its pointer to\n&struct comedi_async as intended. Thus, any such dereferencing of\n&s->async->cmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice sets up its\nsupport for async commands, everything async-related will be\nhandled via subdevice's own ->cancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n <TASK>\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n...",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68335",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/spinlock/debug: Fix data-race in do_raw_write_lock\n\nKCSAN reports:\n\nBUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock\n\nwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:\n do_raw_write_lock+0x120/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:\n do_raw_write_lock+0x88/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nvalue changed: 0xffffffff -> 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111\n\nCommit 1a365e822372 (\"locking/spinlock/debug: Fix various data races\") has\naddressed most of these races, but seems to be not consistent/not complete.\n\nFrom do_raw_write_lock() only the debug_write_lock_after() part has been\nconverted to WRITE_ONCE(), but not the debug_write_lock_before() part.\nDo it now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68336",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere's an issue when the file system is corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied and then triggers BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68337",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.1"
        },
        {
          "id": "CVE-2025-68338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Don't free uninitialized ksz_irq\n\nIf something goes wrong at setup, ksz_irq_free() can be called on\nuninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It\nleads to freeing uninitialized IRQ numbers and/or domains.\n\nUse dsa_switch_for_each_user_port_continue_reverse() in the error path\nto iterate only over the fully initialized ports.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68338",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e->available_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e->available_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68339",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0; this fails, but before that\nheader_ops->create of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the original mtu assignment:\n  - If port_dev is not the same type as dev, dev takes mtu from port_dev\n  - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev->mtu = dev->mtu and instead\nletting team_dev_type_check_change assign dev->mtu = port_dev->mtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n  - team device driver in-tree selftests\n  - Add/remove various devices as slaves of team device\n  - syzbot",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68340",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: reduce XDP no_direct return section to fix race\n\nAs explained in commit fa349e396e48 (\"veth: Fix race with AF_XDP exposing\nold or uninitialized descriptors\") for veth there is a chance after\nnapi_complete_done() that another CPU can manage to start another NAPI\ninstance running veth_pool(). For NAPI this is correctly handled as the\nnapi_schedule_prep() check will prevent multiple instances from getting\nscheduled, but for the remaining code in veth_pool() this can run\nconcurrently with the newly started NAPI instance.\n\nThe problem/race is that xdp_clear_return_frame_no_direct() isn't\ndesigned to be nested.\n\nPrior to commit 401cb7dae813 (\"net: Reference bpf_redirect_info via\ntask_struct on PREEMPT_RT.\") the temporary BPF net context\nbpf_redirect_info was stored per CPU, where this wasn't an issue. Since\nthis commit the BPF context is stored in 'current' task_struct. When\nrunning veth in threaded-NAPI mode, then the kthread becomes the storage\narea. Now a race exists between two concurrent veth_pool() function calls,\none exiting NAPI and one running a new NAPI, both using the same BPF net\ncontext.\n\nThe race is when another CPU gets within the xdp_set_return_frame_no_direct()\nsection before the exiting veth_pool() calls the clear-function\nxdp_clear_return_frame_no_direct().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68341",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data that has actually been received to the skb.\n\n[mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68342",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header\n\nThe driver expects to receive a struct gs_host_frame in\ngs_usb_receive_bulk_callback().\n\nUse struct_group to describe the header of the struct gs_host_frame and\ncheck that we have at least received the header before accessing any\nmembers of it.\n\nTo resubmit the URB, do not dereference the pointer chain\n\"dev->parent->hf_size_rx\" but use \"parent->hf_size_rx\" instead. Since\n\"urb->context\" contains \"parent\", it is always defined, while \"dev\" is not\ndefined if the URB is too short.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68343",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header->size field is u32 but gets\ncast to int for comparison with dev->freemem.\n\nFix by using unsigned comparison to avoid integer overflow.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68344",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking, so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68345",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68346",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68347",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in __blkdev_issue_zero_pages\n\nMove the fatal signal check before bio_alloc() to prevent a memory\nleak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.\n\nPreviously, the bio was allocated before checking for a fatal signal.\nIf a signal was pending, the code would break out of the loop without\nfreeing or chaining the just-allocated bio, causing a memory leak.\n\nThis matches the pattern already used in __blkdev_issue_write_zeroes()\nwhere the signal check precedes the allocation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68348",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n    -> nfs4_write_inode\n        -> pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68349",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix divide-by-zero in exfat_allocate_bitmap\n\nThe variable max_ra_count can be 0 in exfat_allocate_bitmap(),\nwhich causes a divide-by-zero error in the subsequent modulo operation\n(i % max_ra_count), leading to a system crash.\nWhen max_ra_count is 0, it means that readahead is not used. This patch\nload the bitmap without readahead.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68350",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68351",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix out-of-bounds memory access in ch341_transfer_one\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nThe 'len' variable is calculated as 'min(32, trans->len + 1)',\nwhich includes the 1-byte command header.\n\nWhen copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len'\nas the length is incorrect because:\n\n1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size\n   'trans->len', i.e., 'len - 1' in this context).\n2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is\n   CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1\n   overflows the buffer.\n\nFix this by copying 'len - 1' bytes.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68352",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: prevent NULL deref in vxlan_xmit_one\n\nNeither sock4 nor sock6 pointers are guaranteed to be non-NULL in\nvxlan_xmit_one, e.g. if the iface is brought down. This can lead to the\nfollowing NULL dereference:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:vxlan_xmit_one+0xbb3/0x1580\n  Call Trace:\n   vxlan_xmit+0x429/0x610\n   dev_hard_start_xmit+0x55/0xa0\n   __dev_queue_xmit+0x6d0/0x7f0\n   ip_finish_output2+0x24b/0x590\n   ip_output+0x63/0x110\n\nMentioned commits changed the code path in vxlan_xmit_one and as a side\neffect the sock4/6 pointer validity checks in vxlan(6)_get_route were\nlost. Fix this by adding back checks.\n\nSince both commits being fixed were released in the same version (v6.7)\nand are strongly related, bundle the fixes in a single commit.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68353",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68354",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exclusive map memory leak\n\nWhen excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also\nneeds to be freed. Otherwise, the map memory will not be reclaimed, just\nlike the memory leak problem reported by syzbot [1].\n\nsyzbot reported:\nBUG: memory leak\n  backtrace (crc 7b9fb9b4):\n    map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512\n    __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68355",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Prevent recursive memory reclaim\n\nFunction new_inode() returns a new inode with inode->i_mapping->gfp_mask\nset to GFP_HIGHUSER_MOVABLE.  This value includes the __GFP_FS flag, so\nallocations in that address space can recurse into filesystem memory\nreclaim.  We don't want that to happen because it can consume a\nsignificant amount of stack memory.\n\nWorse than that is that it can also deadlock: for example, in several\nplaces, gfs2_unstuff_dinode() is called inside filesystem transactions.\nThis calls filemap_grab_folio(), which can allocate a new folio, which\ncan trigger memory reclaim.  If memory reclaim recurses into the\nfilesystem and starts another transaction, a deadlock will ensue.\n\nTo fix these kinds of problems, prevent memory reclaim from recursing\ninto filesystem code by making sure that the gfp_mask of inode address\nspaces doesn't include __GFP_FS.\n\nThe \"meta\" and resource group address spaces were already using GFP_NOFS\nas their gfp_mask (which doesn't include __GFP_FS).  The default value\nof GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though.  To\navoid being overly limiting, use the default value and only knock off\nthe __GFP_FS flag.  I'm not sure if this will actually make a\ndifference, but it also shouldn't hurt.\n\nThis patch is loosely based on commit ad22c7a043c2 (\"xfs: prevent stack\noverflows from page cache allocation\").\n\nFixes xfstest generic/273.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68356",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: allocate s_dio_done_wq for async reads as well\n\nSince commit 222f2c7c6d14 (\"iomap: always run error completions in user\ncontext\"), read error completions are deferred to s_dio_done_wq.  This\nmeans the workqueue also needs to be allocated for async reads.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68357",
          "detail": "fixed-version",
          "description": "Fixed from version 6.12.64"
        },
        {
          "id": "CVE-2025-68358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix racy bitfield write in btrfs_clear_space_info_full()\n\nFrom the memory-barriers.txt document regarding memory barrier ordering\nguarantees:\n\n (*) These guarantees do not apply to bitfields, because compilers often\n     generate code to modify these using non-atomic read-modify-write\n     sequences.  Do not attempt to use bitfields to synchronize parallel\n     algorithms.\n\n (*) Even in cases where bitfields are protected by locks, all fields\n     in a given bitfield must be protected by one lock.  If two fields\n     in a given bitfield are protected by different locks, the compiler's\n     non-atomic read-modify-write sequences can cause an update to one\n     field to corrupt the value of an adjacent field.\n\nbtrfs_space_info has a bitfield sharing an underlying word consisting of\nthe fields full, chunk_alloc, and flush:\n\nstruct btrfs_space_info {\n        struct btrfs_fs_info *     fs_info;              /*     0     8 */\n        struct btrfs_space_info *  parent;               /*     8     8 */\n        ...\n        int                        clamp;                /*   172     4 */\n        unsigned int               full:1;               /*   176: 0  4 */\n        unsigned int               chunk_alloc:1;        /*   176: 1  4 */\n        unsigned int               flush:1;              /*   176: 2  4 */\n        ...\n\nTherefore, to be safe from parallel read-modify-writes losing a write to\none of the bitfield members protected by a lock, all writes to all the\nbitfields must use the lock. They almost universally do, except for\nbtrfs_clear_space_info_full() which iterates over the space_infos and\nwrites out found->full = 0 without a lock.\n\nImagine that we have one thread completing a transaction in which we\nfinished deleting a block_group and are thus calling\nbtrfs_clear_space_info_full() while simultaneously the data reclaim\nticket infrastructure is running do_async_reclaim_data_space():\n\n          T1                                             T2\nbtrfs_commit_transaction\n  btrfs_clear_space_info_full\n  data_sinfo->full = 0\n  READ: full:0, chunk_alloc:0, flush:1\n                                              do_async_reclaim_data_space(data_sinfo)\n                                              spin_lock(&space_info->lock);\n                                              if(list_empty(tickets))\n                                                space_info->flush = 0;\n                                                READ: full: 0, chunk_alloc:0, flush:1\n                                                MOD/WRITE: full: 0, chunk_alloc:0, flush:0\n                                                spin_unlock(&space_info->lock);\n                                                return;\n  MOD/WRITE: full:0, chunk_alloc:0, flush:1\n\nand now data_sinfo->flush is 1 but the reclaim worker has exited. This\nbreaks the invariant that flush is 0 iff there is no work queued or\nrunning. Once this invariant is violated, future allocations that go\ninto __reserve_bytes() will add tickets to space_info->tickets but will\nsee space_info->flush is set to 1 and not queue the work. After this,\nthey will block forever on the resulting ticket, as it is now impossible\nto kick the worker again.\n\nI also confirmed by looking at the assembly of the affected kernel that\nit is doing RMW operations. For example, to set the flush (3rd) bit to 0,\nthe assembly is:\n  andb    $0xfb,0x60(%rbx)\nand similarly for setting the full (1st) bit to 0:\n  andb    $0xfe,-0x20(%rax)\n\nSo I think this is really a bug on practical systems.  I have observed\na number of systems in this exact state, but am currently unable to\nreproduce it.\n\nRather than leaving this footgun lying around for the future, take\nadvantage of the fact that there is room in the struct anyway, and that\nit is already quite large and simply change the three bitfield members to\nbools. This avoids writes to space_info->full having any effect on\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68358",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\n\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn't set this kfree'd pointer\nto NULL, then kfree() would have acted on a non-NULL 'record' object\nwhich was pointing to memory already freed by the callee.\n\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the 'qrecord' object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the 'qrecord' object on its own. The only exception where the\n'qrecord' object cannot be kfree'd is if it was inserted into the\ntracing logic, for which we already have the 'qrecord_inserted_ret'\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\n\nAs a side-effect of the above, we must guarantee that\n'qrecord_inserted_ret' is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid 'qrecord_inserted_ret' having an invalid\nvalue on an early exit.\n\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the 'qrecord' object.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68359",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks\n\nMT7996 driver can use both wed and wed_hif2 devices to offload traffic\nfrom/to the wireless NIC. In the current codebase we assume to always\nuse the primary wed device in wed callbacks resulting in the following\ncrash if the hw runs wed_hif2 (e.g. 6GHz link).\n\n[  297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a\n[  297.464928] Mem abort info:\n[  297.467722]   ESR = 0x0000000096000005\n[  297.471461]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  297.476766]   SET = 0, FnV = 0\n[  297.479809]   EA = 0, S1PTW = 0\n[  297.482940]   FSC = 0x05: level 1 translation fault\n[  297.487809] Data abort info:\n[  297.490679]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  297.496156]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  297.501196]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000\n[  297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000\n[  297.523532] Internal error: Oops: 0000000096000005 [#1] SMP\n[  297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G           O       6.12.50 #0\n[  297.723908] Tainted: [O]=OOT_MODULE\n[  297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)\n[  297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]\n[  297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[  297.752688] lr : mtk_wed_flow_remove+0x58/0x80\n[  297.757126] sp : ffffffc080fe3ae0\n[  297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7\n[  297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00\n[  297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018\n[  297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000\n[  297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000\n[  297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da\n[  297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200\n[  297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002\n[  297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000\n[  297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8\n[  297.831686] Call trace:\n[  297.834123]  mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[  297.839254]  mtk_wed_flow_remove+0x58/0x80\n[  297.843342]  mtk_flow_offload_cmd+0x434/0x574\n[  297.847689]  mtk_wed_setup_tc_block_cb+0x30/0x40\n[  297.852295]  nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]\n[  297.858466]  nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]\n[  297.864463]  process_one_work+0x174/0x300\n[  297.868465]  worker_thread+0x278/0x430\n[  297.872204]  kthread+0xd8/0xdc\n[  297.875251]  ret_from_fork+0x10/0x20\n[  297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)\n[  297.884901] ---[ end trace 0000000000000000 ]---\n\nFix the issue detecting the proper wed reference to use running wed\ncallabacks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68360",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: limit the level of fs stacking for file-backed mounts\n\nOtherwise, it could cause potential kernel stack overflow (e.g., EROFS\nmounting itself).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68361",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb->len from urb->actual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68362",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb->transport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb->transport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb->transport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68363",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()\n\nIn '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just\nto avoid crashing the whole kernel due to a filesystem corruption.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68364",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68365",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config unlock in nbd_genl_connect\n\nThere is one use-after-free warning when running NBD_CMD_CONNECT and\nNBD_CLEAR_SOCK:\n\nnbd_genl_connect\n  nbd_alloc_and_init_config // config_refs=1\n  nbd_start_device // config_refs=2\n  set NBD_RT_HAS_CONFIG_REF\t\t\topen nbd // config_refs=3\n  recv_work done // config_refs=2\n\t\t\t\t\t\tNBD_CLEAR_SOCK // config_refs=1\n\t\t\t\t\t\tclose nbd // config_refs=0\n  refcount_inc -> uaf\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290\n nbd_genl_connect+0x16d0/0x1ab0\n genl_family_rcv_msg_doit+0x1f3/0x310\n genl_rcv_msg+0x44a/0x790\n\nThe issue can be easily reproduced by adding a small delay before\nrefcount_inc(&nbd->config_refs) in nbd_genl_connect():\n\n        mutex_unlock(&nbd->config_lock);\n        if (!ret) {\n                set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);\n+               printk(\"before sleep\\n\");\n+               mdelay(5 * 1000);\n+               printk(\"after sleep\\n\");\n                refcount_inc(&nbd->config_refs);\n                nbd_connect_reply(info, nbd->index);\n        }",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68366",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse\n\nThe following warning appears when running syzkaller, and this issue also\nexists in the mainline code.\n\n ------------[ cut here ]------------\n list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.\n WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130\n Modules linked in:\n CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__list_add_valid_or_report+0xf7/0x130\n RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817\n RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001\n RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c\n R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100\n R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48\n FS:  00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 80000000\n Call Trace:\n  <TASK>\n  input_register_handler+0xb3/0x210\n  mac_hid_start_emulation+0x1c5/0x290\n  mac_hid_toggle_emumouse+0x20a/0x240\n  proc_sys_call_handler+0x4c2/0x6e0\n  new_sync_write+0x1b1/0x2d0\n  vfs_write+0x709/0x950\n  ksys_write+0x12a/0x250\n  do_syscall_64+0x5a/0x110\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe WARNING occurs when two processes concurrently write to the mac-hid\nemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().\nBoth processes read old_val=0, then both try to register the input handler,\nleading to a double list_add of the same handler.\n\n  CPU0                             CPU1\n  -------------------------        -------------------------\n  vfs_write() //write 1            vfs_write()  //write 1\n    proc_sys_write()                 proc_sys_write()\n      mac_hid_toggle_emumouse()          mac_hid_toggle_emumouse()\n        old_val = *valp // old_val=0\n                                           old_val = *valp // old_val=0\n                                           mutex_lock_killable()\n                                           proc_dointvec() // *valp=1\n                                           mac_hid_start_emulation()\n                                             input_register_handler()\n                                           mutex_unlock()\n        mutex_lock_killable()\n        proc_dointvec()\n        mac_hid_start_emulation()\n          input_register_handler() //Trigger Warning\n        mutex_unlock()\n\nFix this by moving the old_val read inside the mutex lock region.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68367",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: init bioset in mddev_init\n\nIO operations may be needed before md_run(), such as updating metadata\nafter writing sysfs. Without bioset, this triggers a NULL pointer\ndereference as below:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n Call Trace:\n  md_update_sb+0x658/0xe00\n  new_level_store+0xc5/0x120\n  md_attr_store+0xc9/0x1e0\n  sysfs_kf_write+0x6f/0xa0\n  kernfs_fop_write_iter+0x141/0x2a0\n  vfs_write+0x1fc/0x5a0\n  ksys_write+0x79/0x180\n  __x64_sys_write+0x1d/0x30\n  x64_sys_call+0x2818/0x2880\n  do_syscall_64+0xa9/0x580\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nReproducer\n```\n  mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]\n  echo inactive > /sys/block/md0/md/array_state\n  echo 10 > /sys/block/md0/md/new_level\n```\n\nmddev_init() can only be called once per mddev, no need to test if bioset\nhas been initialized anymore.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68368",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: init run lock for extend inode\n\nAfter setting the inode mode of $Extend to a regular file, executing the\ntruncate system call will enter the do_truncate() routine, causing the\nrun_lock uninitialized error reported by syzbot.\n\nPrior to patch 4e8011ffec79, if the inode mode of $Extend was not set to\na regular file, the do_truncate() routine would not be entered.\n\nAdd the run_lock initialization when loading $Extend.\n\nsyzbot reported:\nINFO: trying to register non-static key.\nCall Trace:\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984\n register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299\n __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590\n ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860\n ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387\n ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68369",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc: add the handle of the event to the path\n\nThe handle is essential for retrieving the AUX_EVENT of each CPU and is\nrequired in perf mode. It has been added to the coresight_path so that\ndependent devices can access it from the path when needed.\n\nThe existing bug can be reproduced with:\nperf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null\n\nShowing an oops as follows:\nUnable to handle kernel paging request at virtual address 000f6e84934ed19e\n\nCall trace:\n tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)\n catu_enable_hw+0xbc/0x3d0 [coresight_catu]\n catu_enable+0x70/0xe0 [coresight_catu]\n coresight_enable_path+0xb0/0x258 [coresight]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68370",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n  - Check in the device reset handler if the device is still present in\n    the controller's SCSI device list before running; if not, the reset\n    is skipped.\n\n  - Cancel any pending TMF work that has not started in sdev_destroy().\n\n  - Ensure device freeing in sdev_destroy() is done while holding the\n    LUN reset mutex to avoid races with ongoing resets.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68371",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n  nbd_genl_connect     // conf_ref=2 (connect and recv_work A)\n  nbd_open\t       // conf_ref=3\n  recv_work A done     // conf_ref=2\n  NBD_CLEAR_SOCK       // conf_ref=1\n  nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n  close nbd\t       // conf_ref=1\n  recv_work B\n    config_put         // conf_ref=0\n    atomic_dec(&config->recv_threads); -> UAF\n\nOr only running NBD_CLEAR_SOCK:\n  nbd_genl_connect   // conf_ref=2\n  nbd_open \t     // conf_ref=3\n  NBD_CLEAR_SOCK     // conf_ref=2\n  close nbd\n    nbd_release\n      config_put     // conf_ref=1\n  recv_work\n    config_put \t     // conf_ref=0\n    atomic_dec(&config->recv_threads); -> UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd->task_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. 
This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don't need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=1 (trigger recv_work)\n  open nbd // nbd_refs=2\n  NBD_CLEAR_SOCK\n  close nbd\n    nbd_release\n      nbd_disconnect_and_put\n        flush_workqueue // recv_work done\n      nbd_config_put\n        nbd_put // nbd_refs=1\n      nbd_put // nbd_refs=0\n        queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=2 (trigger recv_work)\n  open nbd // nbd_refs=3\n  NBD_CLEAR_SOCK // conf_refs=2\n  close nbd\n    nbd_release\n      nbd_config_put // conf_refs=1\n      nbd_put // nbd_refs=2\n  recv_work done // conf_refs=0, nbd_refs=1\n  rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68372",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: avoid repeated calls to del_gendisk\n\nThere is a uaf problem which is found by case 23rdev-lifetime:\n\nOops: general protection fault, probably for non-canonical address 0xdead000000000122\nRIP: 0010:bdi_unregister+0x4b/0x170\nCall Trace:\n <TASK>\n __del_gendisk+0x356/0x3e0\n mddev_unlock+0x351/0x360\n rdev_attr_store+0x217/0x280\n kernfs_fop_write_iter+0x14a/0x210\n vfs_write+0x29e/0x550\n ksys_write+0x74/0xf0\n do_syscall_64+0xbb/0x380\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff5250a177e\n\nThe sequence is:\n1. rdev remove path gets reconfig_mutex\n2. rdev remove path release reconfig_mutex in mddev_unlock\n3. md stop calls do_md_stop and sets MD_DELETED\n4. rdev remove path calls del_gendisk because MD_DELETED is set\n5. md stop path release reconfig_mutex and calls del_gendisk again\n\nSo there is a race condition we should resolve. This patch adds a\nflag MD_DO_DELETE to avoid the race condition.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68373",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix rcu protection in md_wakeup_thread\n\nWe attempted to use RCU to protect the pointer 'thread', but directly\npassed the value when calling md_wakeup_thread(). This means that the\nRCU pointer has been acquired before rcu_read_lock(), which renders\nrcu_read_lock() ineffective and could lead to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68374",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix NULL event access and potential PEBS record loss\n\nWhen intel_pmu_drain_pebs_icl() is called to drain PEBS records, the\nperf_event_overflow() could be called to process the last PEBS record.\n\nWhile perf_event_overflow() could trigger the interrupt throttle and\nstop all events of the group, like what the below call-chain shows.\n\nperf_event_overflow()\n  -> __perf_event_overflow()\n    ->__perf_event_account_interrupt()\n      -> perf_event_throttle_group()\n        -> perf_event_throttle()\n          -> event->pmu->stop()\n            -> x86_pmu_stop()\n\nThe side effect of stopping the events is that all corresponding event\npointers in cpuc->events[] array are cleared to NULL.\n\nAssume there are two PEBS events (event a and event b) in a group. When\nintel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the\nlast PEBS record of PEBS event a, interrupt throttle is triggered and\nall pointers of event a and event b are cleared to NULL. Then\nintel_pmu_drain_pebs_icl() tries to process the last PEBS record of\nevent b and encounters NULL pointer access.\n\nTo avoid this issue, move cpuc->events[] clearing from x86_pmu_stop()\nto x86_pmu_del(). It's safe since cpuc->active_mask or\ncpuc->pebs_enabled is always checked before access the event pointer\nfrom cpuc->events[].",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68375",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: ETR: Fix ETR buffer use-after-free issue\n\nWhen ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed\nand enabled again, currently sysfs_buf will point to the newly\nallocated memory(buf_new) and free the old memory(buf_old). But the\netr_buf that is being used by the ETR remains pointed to buf_old, not\nupdated to buf_new. In this case, it will result in a memory\nuse-after-free issue.\n\nFix this by checking ETR's mode before updating and releasing buf_old,\nif the mode is CS_MODE_SYSFS, then skip updating and releasing it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68376",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nns: initialize ns_list_node for initial namespaces\n\nMake sure that the list is always initialized for initial namespaces.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68377",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket's data array.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68378",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq->rq.queue after resize failure\n\nA NULL pointer dereference can occur in rxe_srq_chk_attr() when\nibv_modify_srq() is invoked twice in succession under certain error\nconditions. The first call may fail in rxe_queue_resize(), which leads\nrxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then\ntriggers a crash (null deref) when accessing\nsrq->rq.queue->buf->index_mask.\n\nCall Trace:\n<TASK>\nrxe_modify_srq+0x170/0x480 [rdma_rxe]\n? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]\n? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]\n? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]\nib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]\n? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]\n? tryinc_node_nr_active+0xe6/0x150\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\n? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]\nib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]\n? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]\nib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]\n? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]\n? __pfx___raw_spin_lock_irqsave+0x10/0x10\n? __pfx_do_vfs_ioctl+0x10/0x10\n? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0\n? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10\nib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]\n? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]\n__x64_sys_ioctl+0x138/0x1c0\ndo_syscall_64+0x82/0x250\n? fdget_pos+0x58/0x4c0\n? ksys_write+0xf3/0x1c0\n? __pfx_ksys_write+0x10/0x10\n? do_syscall_64+0xc8/0x250\n? __pfx_vm_mmap_pgoff+0x10/0x10\n? fget+0x173/0x230\n? fput+0x2a/0x80\n? ksys_mmap_pgoff+0x224/0x4c0\n? do_syscall_64+0xc8/0x250\n? do_user_addr_fault+0x37b/0xfe0\n? clear_bhb_loop+0x50/0xa0\n? clear_bhb_loop+0x50/0xa0\n? 
clear_bhb_loop+0x50/0xa0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68379",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to\nfirmware as receive MCS while peer's receive MCS sent as transmit MCS,\nwhich goes against firmwire's definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs->rx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t    [...]\n\t    Supported HE-MCS and NSS Set\n\t\t[...]\n\t        Rx and Tx MCS Maps 160 MHz\n\t\t    [...]\n\t            Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs->rx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer's receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68380",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68724",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -> gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68725",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aead - Fix reqsize handling\n\nCommit afddce13ce81d (\"crypto: api - Add reqsize to crypto_alg\")\nintroduced cra_reqsize field in crypto_alg struct to replace type\nspecific reqsize fields. It looks like this was introduced specifically\nfor ahash and acomp from the commit description as subsequent commits\nadd necessary changes in these alg frameworks.\n\nHowever, this is being recommended for use in all crypto algs\ninstead of setting reqsize using crypto_*_set_reqsize(). Using\ncra_reqsize in aead algorithms, hence, causes memory corruptions and\ncrashes as the underlying functions in the algorithm framework have not\nbeen updated to set the reqsize properly from cra_reqsize. [1]\n\nAdd proper set_reqsize calls in the aead init function to properly\ninitialize reqsize for these algorithms in the framework.\n\n[1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68726",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Fix uninit buffer allocated by __getname()\n\nFix uninit errors caused after buffer allocation given to 'de'; by\ninitializing the buffer with zeroes. The fix was found by using KMSAN.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68727",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix uninit memory after failed mi_read in mi_format_new\n\nFix a KMSAN un-init bug found by syzkaller.\n\nntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be\nuptodate. We do not bring the buffer uptodate before setting it as\nuptodate. If the buffer were to not be uptodate, it could mean adding a\nbuffer with un-init data to the mi record. Attempting to load that record\nwill trigger KMSAN.\n\nAvoid this by setting the buffer as uptodate, if it\u2019s not already, by\noverwriting it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68728",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\n\nCurrently, packets received on the REO exception ring from\nunassociated peers are of MSDU buffer type, while the driver expects\nlink descriptor type packets. These packets are not parsed further due\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\nbut the associated skb is not freed. This may lead to kernel\ncrashes and buffer leaks.\n\nHence to fix, update the RX error handler to explicitly drop\nMSDU buffer type packets received on the REO exception ring.\nThis prevents further processing of invalid packets and ensures\nstability in the RX error handling path.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68729",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()\n\nDon't add BO to the vdev->bo_list in ivpu_gem_create_object().\nWhen failure happens inside drm_gem_shmem_create(), the BO is not\nfully created and ivpu_gem_bo_free() callback will not be called\ncausing a deleted BO to be left on the list.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68730",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array()\n\nThe unpublished smatch static checker reported a warning.\n\ndrivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array()\nwarn: potential user controlled sizeof overflow\n'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)'\n\nEven this will not cause a real issue, it is better to put a reasonable\nlimitation for element_size and num_element. Add condition to make sure\nthe input element_size <= 4K and num_element <= 1K.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68731",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68732",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmack: fix bug: unprivileged task can create labels\n\nIf an unprivileged task is allowed to relabel itself\n(/smack/relabel-self is not empty),\nit can freely create new labels by writing their\nnames into own /proc/PID/attr/smack/current\n\nThis occurs because do_setattr() imports\nthe provided label in advance,\nbefore checking \"relabel-self\" list.\n\nThis change ensures that the \"relabel-self\" list\nis checked before importing the label.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68733",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()\n\nIn hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when\nsetup_instance() fails with an error code. Fix that by freeing the urb\nbefore freeing the hw structure. Also change the error paths to use the\ngoto ladder style.\n\nCompile tested only. Issue found using a prototype static analysis tool.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68734",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18"
        },
        {
          "id": "CVE-2025-68735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Prevent potential UAF in group creation\n\nThis commit prevents the possibility of a use after free issue in the\nGROUP_CREATE ioctl function, which arose as pointer to the group is\naccessed in that ioctl function after storing it in the Xarray.\nA malicious userspace can second guess the handle of a group and try\nto call GROUP_DESTROY ioctl from another thread around the same time\nas GROUP_CREATE ioctl.\n\nTo prevent the use after free exploit, this commit uses a mark on an\nentry of group pool Xarray which is added just before returning from\nthe GROUP_CREATE ioctl function. The mark is checked for all ioctls\nthat specify the group handle and so userspace won't be abe to delete\na group that isn't marked yet.\n\nv2: Add R-bs and fixes tags",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68735",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix handling of disconnected directories\n\nDisconnected files or directories can appear when they are visible and\nopened from a bind mount, but have been renamed or moved from the source\nof the bind mount in a way that makes them inaccessible from the mount\npoint (i.e. out of scope).\n\nPreviously, access rights tied to files or directories opened through a\ndisconnected directory were collected by walking the related hierarchy\ndown to the root of the filesystem, without taking into account the\nmount point because it couldn't be found. This could lead to\ninconsistent access results, potential access right widening, and\nhard-to-debug renames, especially since such paths cannot be printed.\n\nFor a sandboxed task to create a disconnected directory, it needs to\nhave write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to\nthe underlying source of the bind mount, and read access to the related\nmount point.   Because a sandboxed task cannot acquire more access\nrights than those defined by its Landlock domain, this could lead to\ninconsistent access rights due to missing permissions that should be\ninherited from the mount point hierarchy, while inheriting permissions\nfrom the filesystem hierarchy hidden by this mount point instead.\n\nLandlock now handles files and directories opened from disconnected\ndirectories by taking into account the filesystem hierarchy when the\nmount point is not found in the hierarchy walk, and also always taking\ninto account the mount point from which these disconnected directories\nwere opened.  This ensures that a rename is not allowed if it would\nwiden access rights [1].\n\nThe rationale is that, even if disconnected hierarchies might not be\nvisible or accessible to a sandboxed task, relying on the collected\naccess rights from them improves the guarantee that access rights will\nnot be widened during a rename because of the access right comparison\nbetween the source and the destination (see LANDLOCK_ACCESS_FS_REFER).\nIt may look like this would grant more access on disconnected files and\ndirectories, but the security policies are always enforced for all the\nevaluated hierarchies.  This new behavior should be less surprising to\nusers and safer from an access control perspective.\n\nRemove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and\nfix the related comment.\n\nBecause opened files have their access rights stored in the related file\nsecurity properties, there is no impact for disconnected or unlinked\nfiles.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68736",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/pageattr: Propagate return value from __change_memory_common\n\nThe rodata=on security measure requires that any code path which does\nvmalloc -> set_memory_ro/set_memory_rox must protect the linear map alias\ntoo. Therefore, if such a call fails, we must abort set_memory_* and caller\nmust take appropriate action; currently we are suppressing the error, and\nthere is a real chance of such an error arising post commit a166563e7ec3\n(\"arm64: mm: support large block mapping when rodata=full\"). Therefore,\npropagate any error to the caller.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68737",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()\n\nIf a link does not have an assigned channel yet, mt7996_vif_link returns\nNULL. We still need to store the updated queue settings in that case, and\napply them later.\nMove the location of the queue params to within struct mt7996_vif_link.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68738",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: hisi: Fix potential UAF in OPP handling\n\nEnsure all required data is acquired before calling dev_pm_opp_put(opp)\nto maintain correct resource acquisition and release order.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68739",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the 'if (!rc)' check\nand sets 'result = true'. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via 'semodule -d', if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&\n!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.\n\nCall trace:\n  selinux_audit_rule_match+0x310/0x3b8\n  security_audit_rule_match+0x60/0xa0\n  ima_match_rules+0x2e4/0x4a0\n  ima_match_policy+0x9c/0x1e8\n  ima_get_action+0x48/0x60\n  process_measurement+0xf8/0xa98\n  ima_bprm_check+0x98/0xd8\n  security_bprm_check+0x5c/0x78\n  search_binary_handler+0x6c/0x318\n  exec_binprm+0x58/0x1b8\n  bprm_execve+0xb8/0x130\n  do_execveat_common.isra.0+0x1a8/0x258\n  __arm64_sys_execve+0x48/0x68\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x44/0x200\n  el0t_64_sync_handler+0x100/0x130\n  el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68740",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix improper freeing of purex item\n\nIn qla2xxx_process_purls_iocb(), an item is allocated via\nqla27xx_copy_multiple_pkt(), which internally calls\nqla24xx_alloc_purex_item().\n\nThe qla24xx_alloc_purex_item() function may return a pre-allocated item\nfrom a per-adapter pool for small allocations, instead of dynamically\nallocating memory with kzalloc().\n\nAn error handling path in qla2xxx_process_purls_iocb() incorrectly uses\nkfree() to release the item. If the item was from the pre-allocated\npool, calling kfree() on it is a bug that can lead to memory corruption.\n\nFix this by using the correct deallocation function,\nqla24xx_free_purex_item(), which properly handles both dynamically\nallocated and pre-allocated items.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68741",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog->stats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n  update_effective_progs\n    compute_effective_progs\n      bpf_prog_array_alloc <-- fault inject\n  purge_effective_progs\n    /* change to dummy_bpf_prog */\n    array->items[index] = &dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n  ...\n    __cgroup_bpf_run_filter_skb\n      __bpf_prog_run_save_cb\n        bpf_prog_run\n          stats = this_cpu_ptr(prog->stats)\n          /* invalid memory access */\n          flags = u64_stats_update_begin_irqsave(&stats->syncp)\n---softirq end---\n\n  static_branch_dec(&cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68742",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix create memory region overlap check\n\nThe current check is incorrect; it only checks if the beginning or end\nof a region is within an existing region. This doesn't account for\nuserspace specifying a region that begins before and ends after an\nexisting region.\n\nChange the logic to a range intersection check against gfns and uaddrs\nfor each region.\n\nRemove mshv_partition_region_by_uaddr() as it is no longer used.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68743",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling 'bpf_obj_free_fields()' after\n'copy_map_value[,_long]()' in 'pcpu_copy_value()'.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68744",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Clear cmds after chip reset\n\nCommit aefed3e5548f (\"scsi: qla2xxx: target: Fix offline port handling\nand host reset handling\") caused two problems:\n\n1. Commands sent to FW, after chip reset got stuck and never freed as FW\n   is not going to respond to them anymore.\n\n2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd().  Commit 26f9ce53817a\n   (\"scsi: qla2xxx: Fix missed DMA unmap for aborted commands\")\n   attempted to fix this, but introduced another bug under different\n   circumstances when two different CPUs were racing to call\n   qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in\n   dma_unmap_sg_attrs().\n\nSo revert \"scsi: qla2xxx: Fix missed DMA unmap for aborted commands\" and\npartially revert \"scsi: qla2xxx: target: Fix offline port handling and\nhost reset handling\" at __qla2x00_abort_all_cmds.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68745",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68746",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF on kernel BO VA nodes\n\nIf the MMU is down, panthor_vm_unmap_range() might return an error.\nWe expect the page table to be updated still, and if the MMU is blocked,\nthe rest of the GPU should be blocked too, so no risk of accessing\nphysical memory returned to the system (which the current code doesn't\ncover for anyway).\n\nProceed with the rest of the cleanup instead of bailing out and leaving\nthe va_node inserted in the drm_mm, which leads to UAF when other\nadjacent nodes are removed from the drm_mm tree.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68747",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF race between device unplug and FW event processing\n\nThe function panthor_fw_unplug() will free the FW memory sections.\nThe problem is that there could still be pending FW events which are yet\nnot handled at this point. process_fw_events_work() can in this case try\nto access said freed memory.\n\nSimply call disable_work_sync() to both drain and prevent future\ninvocation of process_fw_events_work().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68748",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix 'Memory manager not clean during takedown' warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68749",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: potential integer overflow in usbg_make_tpg()\n\nThe variable tpgt in usbg_make_tpg() is defined as unsigned long and is\nassigned to tpgt->tport_tpgt, which is defined as u16. This may cause an\ninteger overflow when tpgt is greater than USHRT_MAX (65535). I\nhaven't tried to trigger it myself, but it is possible to trigger it\nby calling usbg_make_tpg() with a large value for tpgt.\n\nI modified the type of tpgt to match tpgt->tport_tpgt and adjusted the\nrelevant code accordingly.\n\nThis patch is similar to commit 59c816c1f24d (\"vhost/scsi: potential\nmemory corruption\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68750",
          "detail": "fixed-version",
          "description": "Fixed from version 6.16"
        },
        {
          "id": "CVE-2025-68751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/fpu: Fix false-positive kmsan report in fpu_vstl()\n\nA false-positive kmsan report is detected when running ping command.\n\nAn inline assembly instruction 'vstl' can write varied amount of bytes\ndepending on value of 'index' argument. If 'index' > 0, 'vstl' writes\nat least 2 bytes.\n\nclang generates kmsan write helper call depending on inline assembly\nconstraints. Constraints are evaluated compile-time, but value of\n'index' argument is known only at runtime.\n\nclang currently generates call to __msan_instrument_asm_store with 1 byte\nas size. Manually call kmsan function to indicate correct amount of bytes\nwritten and fix false-positive report.\n\nThis change fixes following kmsan reports:\n\n[   36.563119] =====================================================\n[   36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[   36.563852]  virtqueue_add+0x35c6/0x7c70\n[   36.564016]  virtqueue_add_outbuf+0xa0/0xb0\n[   36.564266]  start_xmit+0x288c/0x4a20\n[   36.564460]  dev_hard_start_xmit+0x302/0x900\n[   36.564649]  sch_direct_xmit+0x340/0xea0\n[   36.564894]  __dev_queue_xmit+0x2e94/0x59b0\n[   36.565058]  neigh_resolve_output+0x936/0xb40\n[   36.565278]  __neigh_update+0x2f66/0x3a60\n[   36.565499]  neigh_update+0x52/0x60\n[   36.565683]  arp_process+0x1588/0x2de0\n[   36.565916]  NF_HOOK+0x1da/0x240\n[   36.566087]  arp_rcv+0x3e4/0x6e0\n[   36.566306]  __netif_receive_skb_list_core+0x1374/0x15a0\n[   36.566527]  netif_receive_skb_list_internal+0x1116/0x17d0\n[   36.566710]  napi_complete_done+0x376/0x740\n[   36.566918]  virtnet_poll+0x1bae/0x2910\n[   36.567130]  __napi_poll+0xf4/0x830\n[   36.567294]  net_rx_action+0x97c/0x1ed0\n[   36.567556]  handle_softirqs+0x306/0xe10\n[   36.567731]  irq_exit_rcu+0x14c/0x2e0\n[   36.567910]  do_io_irq+0xd4/0x120\n[   36.568139]  io_int_handler+0xc2/0xe8\n[   36.568299]  arch_cpu_idle+0xb0/0xc0\n[   36.568540]  arch_cpu_idle+0x76/0xc0\n[   36.568726]  default_idle_call+0x40/0x70\n[   36.568953]  do_idle+0x1d6/0x390\n[   36.569486]  cpu_startup_entry+0x9a/0xb0\n[   36.569745]  rest_init+0x1ea/0x290\n[   36.570029]  start_kernel+0x95e/0xb90\n[   36.570348]  startup_continue+0x2e/0x40\n[   36.570703]\n[   36.570798] Uninit was created at:\n[   36.571002]  kmem_cache_alloc_node_noprof+0x9e8/0x10e0\n[   36.571261]  kmalloc_reserve+0x12a/0x470\n[   36.571553]  __alloc_skb+0x310/0x860\n[   36.571844]  __ip_append_data+0x483e/0x6a30\n[   36.572170]  ip_append_data+0x11c/0x1e0\n[   36.572477]  raw_sendmsg+0x1c8c/0x2180\n[   36.572818]  inet_sendmsg+0xe6/0x190\n[   36.573142]  __sys_sendto+0x55e/0x8e0\n[   36.573392]  __s390x_sys_socketcall+0x19ae/0x2ba0\n[   36.573571]  __do_syscall+0x12e/0x240\n[   36.573823]  system_call+0x6e/0x90\n[   36.573976]\n[   36.574017] Byte 35 of 98 is uninitialized\n[   36.574082] Memory access of size 98 starts at 0000000007aa0012\n[   36.574218]\n[   36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G    B            N  6.17.0-dirty #16 NONE\n[   36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST\n[   36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)\n[   36.574755] =====================================================\n\n[   63.532541] =====================================================\n[   63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[   63.533989]  virtqueue_add+0x35c6/0x7c70\n[   63.534940]  virtqueue_add_outbuf+0xa0/0xb0\n[   63.535861]  start_xmit+0x288c/0x4a20\n[   63.536708]  dev_hard_start_xmit+0x302/0x900\n[   63.537020]  sch_direct_xmit+0x340/0xea0\n[   63.537997]  __dev_queue_xmit+0x2e94/0x59b0\n[   63.538819]  neigh_resolve_output+0x936/0xb40\n[   63.539793]  ip_finish_output2+0x1ee2/0x2200\n[   63.540784]  __ip_finish_output+0x272/0x7a0\n[   63.541765]  ip_finish_output+0x4e/0x5e0\n[   63.542791]  ip_output+0x166/0x410\n[   63.543771]  ip_push_pending_frames+0x1a2/0x470\n[   63.544753]  raw_sendmsg+0x1f06/0x2180\n[   63.545033]  inet_sendmsg+0xe6/0x190\n[   63.546006]  __sys_sendto+0x55e/0x8e0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68751",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Implement settime64 with -EOPNOTSUPP\n\nptp_clock_settime() assumes every ptp_clock has implemented settime64().\nStub it with -EOPNOTSUPP to prevent a NULL dereference.\n\nThe fix is similar to commit 329d050bbe63 (\"gve: Implement settime64\nwith -EOPNOTSUPP\").",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68752",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68753",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: amlogic-a4: fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the redundant clk_disable_unprepare() calls from the probe\nerror path and aml_rtc_remove(), allowing the devm framework to\nautomatically manage the clock lifecycle.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68754",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: most: remove broken i2c driver\n\nThe MOST I2C driver has been completely broken for five years without\nanyone noticing so remove the driver from staging.\n\nSpecifically, commit 723de0f9171e (\"staging: most: remove device from\ninterface structure\") started requiring drivers to set the interface\ndevice pointer before registration, but the I2C driver was never updated\nwhich results in a NULL pointer dereference if anyone ever tries to\nprobe it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68755",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock\n\nblk_mq_{add,del}_queue_tag_set() functions add and remove queues from\ntagset, the functions make sure that tagset and queues are marked as\nshared when two or more queues are attached to the same tagset.\nInitially a tagset starts as unshared and when the number of added\nqueues reaches two, blk_mq_add_queue_tag_set() marks it as shared along\nwith all the queues attached to it. When the number of attached queues\ndrops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and\nthe remaining queues as unshared.\n\nBoth functions need to freeze current queues in tagset before setting on\nunsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions\nhold set->tag_list_lock mutex, which makes sense as we do not want\nqueues to be added or deleted in the process. This used to work fine\nuntil commit 98d81f0df70c (\"nvme: use blk_mq_[un]quiesce_tagset\")\nmade the nvme driver quiesce tagset instead of quiscing individual\nqueues. blk_mq_quiesce_tagset() does the job and quiesce the queues in\nset->tag_list while holding set->tag_list_lock also.\n\nThis results in deadlock between two threads with these stacktraces:\n\n  __schedule+0x47c/0xbb0\n  ? timerqueue_add+0x66/0xb0\n  schedule+0x1c/0xa0\n  schedule_preempt_disabled+0xa/0x10\n  __mutex_lock.constprop.0+0x271/0x600\n  blk_mq_quiesce_tagset+0x25/0xc0\n  nvme_dev_disable+0x9c/0x250\n  nvme_timeout+0x1fc/0x520\n  blk_mq_handle_expired+0x5c/0x90\n  bt_iter+0x7e/0x90\n  blk_mq_queue_tag_busy_iter+0x27e/0x550\n  ? __blk_mq_complete_request_remote+0x10/0x10\n  ? __blk_mq_complete_request_remote+0x10/0x10\n  ? __call_rcu_common.constprop.0+0x1c0/0x210\n  blk_mq_timeout_work+0x12d/0x170\n  process_one_work+0x12e/0x2d0\n  worker_thread+0x288/0x3a0\n  ? rescuer_thread+0x480/0x480\n  kthread+0xb8/0xe0\n  ? kthread_park+0x80/0x80\n  ret_from_fork+0x2d/0x50\n  ? kthread_park+0x80/0x80\n  ret_from_fork_asm+0x11/0x20\n\n  __schedule+0x47c/0xbb0\n  ? xas_find+0x161/0x1a0\n  schedule+0x1c/0xa0\n  blk_mq_freeze_queue_wait+0x3d/0x70\n  ? destroy_sched_domains_rcu+0x30/0x30\n  blk_mq_update_tag_set_shared+0x44/0x80\n  blk_mq_exit_queue+0x141/0x150\n  del_gendisk+0x25a/0x2d0\n  nvme_ns_remove+0xc9/0x170\n  nvme_remove_namespaces+0xc7/0x100\n  nvme_remove+0x62/0x150\n  pci_device_remove+0x23/0x60\n  device_release_driver_internal+0x159/0x200\n  unbind_store+0x99/0xa0\n  kernfs_fop_write_iter+0x112/0x1e0\n  vfs_write+0x2b1/0x3d0\n  ksys_write+0x4e/0xb0\n  do_syscall_64+0x5b/0x160\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe top stacktrace is showing nvme_timeout() called to handle nvme\ncommand timeout. timeout handler is trying to disable the controller and\nas a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not\nto call queue callback handlers. The thread is stuck waiting for\nset->tag_list_lock as it tries to walk the queues in set->tag_list.\n\nThe lock is held by the second thread in the bottom stack which is\nwaiting for one of queues to be frozen. The queue usage counter will\ndrop to zero after nvme_timeout() finishes, and this will not happen\nbecause the thread will wait for this mutex forever.\n\nGiven that [un]quiescing queue is an operation that does not need to\nsleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking\nset->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU\nsafe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)\nin blk_mq_del_queue_tag_set() because we can not re-initialize it while\nthe list is being traversed under RCU. The deleted queue will not be\nadded/deleted to/from a tagset and it will be freed in blk_free_queue()\nafter the end of RCU grace period.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68756",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence->ops.release() called on last\ndma_fence_put().  In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used.  One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S   U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363]   lock_acquire+0xc4/0x2e0\n[117.004366]   call_timer_fn+0x80/0x2a0\n[117.004368]   __run_timers+0x231/0x310\n[117.004370]   run_timer_softirq+0x76/0xe0\n[117.004372]   handle_softirqs+0xd4/0x4d0\n[117.004375]   __irq_exit_rcu+0x13f/0x160\n[117.004377]   irq_exit_rcu+0xe/0x20\n[117.004379]   sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382]   asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385]   cpuidle_enter_state+0x12b/0x8a0\n[117.004388]   cpuidle_enter+0x2e/0x50\n[117.004393]   call_cpuidle+0x22/0x60\n[117.004395]   do_idle+0x1fd/0x260\n[117.004398]   cpu_startup_entry+0x29/0x30\n[117.004401]   start_secondary+0x12d/0x160\n[117.004404]   common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last  enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last  enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429]  Possible unsafe locking scenario:\n[117.004432]        CPU0\n[117.004433]        ----\n[117.004434]   lock((&fence->timer));\n[117.004436]   <Interrupt>\n[117.004438]     lock((&fence->timer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445]  #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S   U              6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456]  <IRQ>\n[117.004457]  dump_stack_lvl+0x91/0xf0\n[117.004460]  dump_stack+0x10/0x20\n[117.004461]  print_usage_bug.part.0+0x260/0x360\n[117.004463]  mark_lock+0x76e/0x9c0\n[117.004465]  ? register_lock_class+0x48/0x4a0\n[117.004467]  __lock_acquire+0xbc3/0x2860\n[117.004469]  lock_acquire+0xc4/0x2e0\n[117.004470]  ? __timer_delete_sync+0x4b/0x190\n[117.004472]  ? __timer_delete_sync+0x4b/0x190\n[117.004473]  __timer_delete_sync+0x68/0x190\n[117.004474]  ? __timer_delete_sync+0x4b/0x190\n[117.004475]  timer_delete_sync+0x10/0x20\n[117.004476]  vgem_fence_release+0x19/0x30 [vgem]\n[117.004478]  dma_fence_release+0xc1/0x3b0\n[117.004480]  ? dma_fence_release+0xa1/0x3b0\n[117.004481]  dma_fence_chain_release+0xe7/0x130\n[117.004483]  dma_fence_release+0xc1/0x3b0\n[117.004484]  ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485]  dma_fence_chain_irq_work+0x59/0x80\n[117.004487]  irq_work_single+0x75/0xa0\n[117.004490]  irq_work_r\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68757",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n    // An LED driver chip\n    pca9632@62 {\n        compatible = \"nxp,pca9632\";\n        reg = <0x62>;\n\n\t// ...\n\n        addon_led_pwm: led-pwm@3 {\n            reg = <3>;\n            label = \"addon:led:pwm\";\n        };\n    };\n\n    backlight-addon {\n        compatible = \"led-backlight\";\n        leds = <&addon_led_pwm>;\n        brightness-levels = <255>;\n        default-brightness-level = <255>;\n    };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n    ...\n    Call trace:\n     led_put+0xe0/0x140\n     devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n  echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind\n  echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68758",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv->rx_buf entry to null, to avoid double free.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68759",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix potential out-of-bounds read in iommu_mmio_show\n\nIn iommu_mmio_write(), it validates the user-provided offset with the\ncheck: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.\nThis assumes a 4-byte access. However, the corresponding\nshow handler, iommu_mmio_show(), uses readq() to perform an 8-byte\n(64-bit) read.\n\nIf a user provides an offset equal to `mmio_phys_end - 4`, the check\npasses, and will lead to a 4-byte out-of-bounds read.\n\nFix this by adjusting the boundary check to use sizeof(u64), which\ncorresponds to the size of the readq() operation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68760",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix potential use after free in hfs_correct_next_unused_CNID()\n\nThis code calls hfs_bnode_put(node) which drops the refcount and then\ndereferences \"node\" on the next line.  It's only safe to use \"node\"\nwhen we're holding a reference so flip these two lines around.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68761",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: initialize work queue before error checks\n\nPrevent a kernel warning when netconsole setup fails on devices with\nIFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in\n__flush_work) occurs because the cleanup path tries to cancel an\nuninitialized work queue.\n\nWhen __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL,\nit fails early and calls skb_pool_flush() for cleanup. This function\ncalls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been\ninitialized yet, triggering the warning.\n\nMove INIT_WORK() to the beginning of __netpoll_setup(), ensuring the\nwork queue is properly initialized before any potential failure points.\nThis allows the cleanup path to safely cancel the work queue regardless\nof where the setup fails.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68762",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Correctly handle return of sg_nents_for_len\n\nThe return value of sg_nents_for_len was assigned to an unsigned long\nin starfive_hash_digest, causing negative error codes to be converted\nto large positive integers.\n\nAdd error checking for sg_nents_for_len and return immediately on\nfailure to prevent potential buffer overflows.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68763",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68764",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68765",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to >= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn't set the error code.  Return\n-EINVAL in that case, instead of returning success.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68766",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.2"
        },
        {
          "id": "CVE-2025-68767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: Verify inode mode when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when\nthe S_IFMT bits of the 16bits \"mode\" field loaded from disk are corrupted.\n\nAccording to [1], the permissions field was treated as reserved in Mac OS\n8 and 9. According to [2], the reserved field was explicitly initialized\nwith 0, and that field must remain 0 as long as reserved. Therefore, when\nthe \"mode\" field is not 0 (i.e. no longer reserved), the file must be\nS_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/\nS_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68767",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn't obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack's netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir->dead\nis set, in case packet sneaks in while we're running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68768",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_recover_fsync_data()\n\nWith below scripts, it will trigger panic in f2fs:\n\nmkfs.f2fs -f /dev/vdd\nmount /dev/vdd /mnt/f2fs\ntouch /mnt/f2fs/foo\nsync\necho 111 >> /mnt/f2fs/foo\nf2fs_io fsync /mnt/f2fs/foo\nf2fs_io shutdown 2 /mnt/f2fs\numount /mnt/f2fs\nmount -o ro,norecovery /dev/vdd /mnt/f2fs\nor\nmount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs\n\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0\nF2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f\nF2FS-fs (vdd): Stopped filesystem due to reason: 0\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1\nFilesystem f2fs get_tree() didn't set fc->root, returned 1\n------------[ cut here ]------------\nkernel BUG at fs/super.c:1761!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vfs_get_tree.cold+0x18/0x1a\nCall Trace:\n <TASK>\n fc_mount+0x13/0xa0\n path_mount+0x34e/0xc50\n __x64_sys_mount+0x121/0x150\n do_syscall_64+0x84/0x800\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa6cc126cfe\n\nThe root cause is we missed to handle error number returned from\nf2fs_recover_fsync_data() when mounting image w/ ro,norecovery or\nro,disable_roll_forward mount option, result in returning a positive\nerror number to vfs_get_tree(), fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68769",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix XDP_TX path\n\nFor XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not\ncorrect.  __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be\nlooping within NAPI and some event flags may be set in earlier\niterations.  In particular, if BNXT_TX_EVENT is set earlier indicating\nsome XDP_TX packets are ready and pending, it will be cleared if it is\nXDP_TX action again.  Normally, we will set BNXT_TX_EVENT again when we\nsuccessfully call __bnxt_xmit_xdp().  But if the TX ring has no more\nroom, the flag will not be set.  This will cause the TX producer to be\nahead but the driver will not hit the TX doorbell.\n\nFor multi-buf XDP_TX, there is no need to clear the event flags and set\nBNXT_AGG_EVENT.  The BNXT_AGG_EVENT flag should have been set earlier in\nbnxt_rx_pkt().\n\nThe visible symptom of this is that the RX ring associated with the\nTX XDP ring will eventually become empty and all packets will be dropped.\nBecause this condition will cause the driver to not refill the RX ring\nseeing that the TX ring has forever pending XDP_TX packets.\n\nThe fix is to only clear BNXT_RX_EVENT when we have successfully\ncalled __bnxt_xmit_xdp().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68770",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68771",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating compression context during writeback\n\nBai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:\n\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\nCall Trace:\n <TASK>\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\n generic_write_sync include/linux/fs.h:3043 [inline]\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe bug was triggered w/ below race condition:\n\nfsync\t\t\t\tsetattr\t\t\tioctl\n- f2fs_do_sync_file\n - file_write_and_wait_range\n  - f2fs_write_cache_pages\n  : inode is non-compressed\n  : cc.cluster_size =\n    F2FS_I(inode)->i_cluster_size = 0\n   - tag_pages_for_writeback\n\t\t\t\t- f2fs_setattr\n\t\t\t\t - truncate_setsize\n\t\t\t\t - f2fs_truncate\n\t\t\t\t\t\t\t- f2fs_fileattr_set\n\t\t\t\t\t\t\t - f2fs_setflags_common\n\t\t\t\t\t\t\t  - set_compress_context\n\t\t\t\t\t\t\t  : F2FS_I(inode)->i_cluster_size = 4\n\t\t\t\t\t\t\t  : set_inode_flag(inode, FI_COMPRESSED_FILE)\n   - f2fs_compressed_file\n   : return true\n   - f2fs_all_cluster_page_ready\n   : \"pgidx % cc->cluster_size\" trigger dividing 0 issue\n\nLet's change as below to fix this issue:\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\nto track the number of threads which calling f2fs_write_cache_pages().\n- use .i_sem lock to protect .writeback update.\n- check .writeback before update compression context in f2fs_setflags_common()\nto avoid race w/ ->writepages.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68772",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68773",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n  hfsplus_write_inode()\n    -> hfsplus_write_system_inode()\n      -> hfs_btree_write()\n        -> hfs_bnode_find(tree, 0)\n          -> __hfs_bnode_create(tree, 0)\n\nThread B:\n  hfsplus_create_cat()\n    -> hfs_brec_insert()\n      -> hfs_bnode_split()\n        -> hfs_bmap_alloc()\n          -> hfs_bnode_find(tree, 0)\n            -> __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) {                                 <- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode->next_hash = tree->node_hash[hash];\n\t\ttree->node_hash[hash] = node;\n\t\ttree->node_hash_cnt++;\n\t} else {                                      <- Thread B\n\t\tspin_unlock(&tree->hash_lock);\n\t\tkfree(node);\n\t\twait_event(node2->lock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, &node2->flags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(&node->refcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68774",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net->hn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn't\nfollow it up with the ClientHello due to a problem with tlshd.  When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport().  When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68775",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std\nbut doesn't check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS:  0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 [inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n </TASK>\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68776",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ti_am335x_tsc - fix off-by-one error in wire_order validation\n\nThe current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows\nwire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds\naccess when used as index in 'config_pins[wire_order[i]]'.\n\nSince config_pins has 4 elements (indices 0-3), the valid range for\nwire_order should be 0-3. Fix the off-by-one error by using >= instead\nof > in the validation check.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68777",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't log conflicting inode if it's a dir moved in the current transaction\n\nWe can't log a conflicting inode if it's a directory and it was moved\nfrom one parent directory to another parent directory in the current\ntransaction, as this can result in an attempt to have a directory with\ntwo hard links during log replay, one for the old parent directory and\nanother for the new parent directory.\n\nThe following scenario triggers that issue:\n\n1) We have directories \"dir1\" and \"dir2\" created in a past transaction.\n   Directory \"dir1\" has inode A as its parent directory;\n\n2) We move \"dir1\" to some other directory;\n\n3) We create a file with the name \"dir1\" in directory inode A;\n\n4) We fsync the new file. This results in logging the inode of the new file\n   and the inode for the directory \"dir1\" that was previously moved in the\n   current transaction. So the log tree has the INODE_REF item for the\n   new location of \"dir1\";\n\n5) We move the new file to some other directory. This results in updating\n   the log tree to include the new INODE_REF for the new location of the\n   file and removes the INODE_REF for the old location. This happens\n   during the rename when we call btrfs_log_new_name();\n\n6) We fsync the file, and that persists the log tree changes done in the\n   previous step (btrfs_log_new_name() only updates the log tree in\n   memory);\n\n7) We have a power failure;\n\n8) Next time the fs is mounted, log replay happens and when processing\n   the inode for directory \"dir1\" we find a new INODE_REF and add that\n   link, but we don't remove the old link of the inode since we have\n   not logged the old parent directory of the directory inode \"dir1\".\n\nAs a result after log replay finishes when we trigger writeback of the\nsubvolume tree's extent buffers, the tree check will detect that we have\na directory with a hard link count of 2 and we get a mount failure.\nThe errors and stack traces reported in dmesg/syslog are like this:\n\n   [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\n   [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\n   [ 3845.731236] memcg:ffff9264c02f4e00\n   [ 3845.731751] aops:btree_aops [btrfs] ino:1\n   [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n   [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\n   [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\n   [ 3845.735305] page dumped because: eb page dump\n   [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\n   [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\n   [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\n   [ 3845.737792] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n   [ 3845.737794] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n   [ 3845.737795] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n   [ 3845.737797] \t\trdev 0 sequence 2 flags 0x0\n   [ 3845.737798] \t\tatime 1764259517.0\n   [ 3845.737800] \t\tctime 1764259517.572889464\n   [ 3845.737801] \t\tmtime 1764259517.572889464\n   [ 3845.737802] \t\totime 1764259517.0\n   [ 3845.737803] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n   [ 3845.737805] \t\tindex 0 name_len 2\n   [ 3845.737807] \titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\n   [ 3845.737808] \t\tlocation key (257 1 0) type 2\n   [ 3845.737810] \t\ttransid 9 data_len 0 name_len 4\n   [ 3845.737811] \titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\n   [ 3845.737813] \t\tlocation key (258 1 0) type 2\n   [ 3845.737814] \t\ttransid 9 data_len 0 name_len 4\n   [ 3845.737815] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n   [ 3845.737816] \t\tlocation key (257 1 0) type 2\n   [\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68778",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid unregistering PSP twice\n\nPSP is unregistered twice in:\n_mlx5e_remove -> mlx5e_psp_unregister\nmlx5e_nic_cleanup -> mlx5e_psp_unregister\n\nThis leads to a refcount underflow in some conditions:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n[...]\n mlx5e_psp_unregister+0x26/0x50 [mlx5_core]\n mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]\n mlx5e_remove+0xe6/0x1f0 [mlx5_core]\n auxiliary_bus_remove+0x18/0x30\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core]\n[...]\n\nDo not directly remove psp from the _mlx5e_remove path, the PSP cleanup\nhappens as part of profile cleanup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68779",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: only set free_cpus for online runqueues\n\nCommit 16b269436b72 (\"sched/deadline: Modify cpudl::free_cpus\nto reflect rd->online\") introduced the cpudl_set/clear_freecpu\nfunctions to allow the cpu_dl::free_cpus mask to be manipulated\nby the deadline scheduler class rq_on/offline callbacks so the\nmask would also reflect this state.\n\nCommit 9659e1eeee28 (\"sched/deadline: Remove cpu_active_mask\nfrom cpudl_find()\") removed the check of the cpu_active_mask to\nsave some processing on the premise that the cpudl::free_cpus\nmask already reflected the runqueue online state.\n\nUnfortunately, there are cases where it is possible for the\ncpudl_clear function to set the free_cpus bit for a CPU when the\ndeadline runqueue is offline. When this occurs while a CPU is\nconnected to the default root domain the flag may retain the bad\nstate after the CPU has been unplugged. Later, a different CPU\nthat is transitioning through the default root domain may push a\ndeadline task to the powered down CPU when cpudl_find sees its\nfree_cpus bit is set. If this happens the task will not have the\nopportunity to run.\n\nOne example is outlined here:\nhttps://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com\n\nAnother occurs when the last deadline task is migrated from a\nCPU that has an offlined runqueue. The dequeue_task member of\nthe deadline scheduler class will eventually call cpudl_clear\nand set the free_cpus bit for the CPU.\n\nThis commit modifies the cpudl_clear function to be aware of the\nonline state of the deadline runqueue so that the free_cpus mask\ncan be updated appropriately.\n\nIt is no longer necessary to manage the mask outside of the\ncpudl_set/clear functions so the cpudl_set/clear_freecpu\nfunctions are removed. In addition, since the free_cpus mask is\nnow only updated under the cpudl lock the code was changed to\nuse the non-atomic __cpumask functions.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68780",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread)            | (delayed work)\nfsl_otg_remove()           |\n  kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n                           |   og = container_of(...) //USE\n                           |   og-> //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68781",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd->t_task_cdb fails, it remains NULL but is later\ndereferenced in the 'err' path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68782",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-mixer: us16x08: validate meter packet indices\n\nget_meter_levels_from_urb() parses the 64-byte meter packets sent by\nthe device and fills the per-channel arrays meter_level[],\ncomp_level[] and master_level[] in struct snd_us16x08_meter_store.\n\nCurrently the function derives the channel index directly from the\nmeter packet (MUB2(meter_urb, s) - 1) and uses it to index those\narrays without validating the range. If the packet contains a\nnegative or out-of-range channel number, the driver may write past\nthe end of these arrays.\n\nIntroduce a local channel variable and validate it before updating the\narrays. We reject negative indices, limit meter_level[] and\ncomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]\nupdates with ARRAY_SIZE(master_level).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68783",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix a UAF problem in xattr repair\n\nThe xchk_setup_xattr_buf function can allocate a new value buffer, which\nmeans that any reference to ab->value before the call could become a\ndangling pointer.  Fix this by moving an assignment to after the buffer\nsetup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68784",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix middle attribute validation in push_nsh() action\n\nThe push_nsh() action structure looks like this:\n\n OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))\n\nThe outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the\nnla_for_each_nested() inside __ovs_nla_copy_actions().  The innermost\nOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()\ninside nsh_key_put_from_nlattr().  But nothing checks if the attribute\nin the middle is OK.  We don't even check that this attribute is the\nOVS_KEY_ATTR_NSH.  We just do a double unwrap with a pair of nla_data()\ncalls - first time directly while calling validate_push_nsh() and the\nsecond time as part of the nla_for_each_nested() macro, which isn't\nsafe, potentially causing invalid memory access if the size of this\nattribute is incorrect.  The failure may not be noticed during\nvalidation due to larger netlink buffer, but cause trouble later during\naction execution where the buffer is allocated exactly to the size:\n\n BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n Read of size 184 at addr ffff88816459a634 by task a.out/22624\n\n CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x51/0x70\n  print_address_description.constprop.0+0x2c/0x390\n  kasan_report+0xdd/0x110\n  kasan_check_range+0x35/0x1b0\n  __asan_memcpy+0x20/0x60\n  nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n  push_nsh+0x82/0x120 [openvswitch]\n  do_execute_actions+0x1405/0x2840 [openvswitch]\n  ovs_execute_actions+0xd5/0x3b0 [openvswitch]\n  ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]\n  genl_family_rcv_msg_doit+0x1d6/0x2b0\n  genl_family_rcv_msg+0x336/0x580\n  genl_rcv_msg+0x9f/0x130\n  netlink_rcv_skb+0x11f/0x370\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x73e/0xaa0\n  netlink_sendmsg+0x744/0xbf0\n  __sys_sendto+0x3d6/0x450\n  do_syscall_64+0x79/0x2c0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  </TASK>\n\nLet's add some checks that the attribute is properly sized and it's\nthe only attribute inside the action.  Technically, there is no\nreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we're\npushing an NSH header already, it just creates extra nesting, but\nthat's how uAPI works today.  So, keeping as it is.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68785",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: skip lock-range check on equal size to avoid size==0 underflow\n\nWhen size equals the current i_size (including 0), the code used to call\ncheck_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`\nand can underflow for size==0. Skip the equal case.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68786",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n  comm \"syz.0.17\", pid 6119, jiffies 4294944652\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff  ..........R(....\n  backtrace (crc 1456a3e4):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4983 [inline]\n    slab_alloc_node mm/slub.c:5288 [inline]\n    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n    __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n    alloc_skb include/linux/skbuff.h:1383 [inline]\n    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n    sock_alloc_send_skb include/net/sock.h:1859 [inline]\n    nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n    sock_sendmsg_nosec net/socket.c:727 [inline]\n    __sock_sendmsg net/socket.c:742 [inline]\n    sock_write_iter+0x293/0x2a0 net/socket.c:1195\n    new_sync_write fs/read_write.c:593 [inline]\n    vfs_write+0x45d/0x710 fs/read_write.c:686\n    ksys_write+0x143/0x170 fs/read_write.c:738\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68787",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68788",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68790",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix double unregister of HCA_PORTS component\n\nClear hca_devcom_comp in device's private data after unregistering it in\nLAG teardown. Otherwise a slightly lagging second pass through\nmlx5_unload_one() might try to unregister it again and trip over\nuse-after-free.\n\nOn s390 almost all PCI level recovery events trigger two passes through\nmlx5_unload_one() - one through the poll_health() method and one through\nmlx5_pci_err_detected() as callback from generic PCI error recovery.\nWhile testing PCI error recovery paths with more kernel debug features\nenabled, this issue reproducibly led to kernel panics with the following\ncall chain:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI\n Fault in home space mode while using kernel ASCE.\n AS:00000000705c4007 R3:0000000000000024\n Oops: 0038 ilc:3 [#1]SMP\n\n CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted\n      6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT\n\n Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0)\n            R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000\n            0000000000000000 0000000000000000 0000000000000001 0000000000000000\n            0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100\n            0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8\n Krnl Code: 0000020fc86aa1cc: e3b003400004        lg      %r11,832\n            0000020fc86aa1d2: a7840211           brc     8,0000020fc86aa5f4\n           *0000020fc86aa1d6: c09000df0b25       larl    %r9,0000020fca28b820\n           >0000020fc86aa1dc: d50790002000       clc     0(8,%r9),0(%r2)\n            0000020fc86aa1e2: a7840209           brc     8,0000020fc86aa5f4\n            0000020fc86aa1e6: c0e001100401       larl    %r14,0000020fca8aa9e8\n            0000020fc86aa1ec: c01000e25a00       larl    %r1,0000020fca2f55ec\n            0000020fc86aa1f2: a7eb00e8           aghi    %r14,232\n\n Call Trace:\n  __lock_acquire+0x5c/0x15f0\n  lock_acquire.part.0+0xf8/0x270\n  lock_acquire+0xb0/0x1b0\n  down_write+0x5a/0x250\n  mlx5_detach_device+0x42/0x110 [mlx5_core]\n  mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core]\n  mlx5_unload_one+0x42/0x60 [mlx5_core]\n  mlx5_pci_err_detected+0x94/0x150 [mlx5_core]\n  zpci_event_attempt_error_recovery+0xcc/0x388",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68790",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68791",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: missing copy_finish in fuse-over-io-uring argument copies\n\nFix a possible reference count leak of payload pages during\nfuse argument copies.\n\n[Joanne: simplified error cleanup]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68791",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68792",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm2-sessions: Fix out of range indexing in name_size\n\n'name_size' does not have any range checks, and it just directly indexes\nwith TPM_ALG_ID, which could lead into memory corruption at worst.\n\nAddress the issue by only processing known values and returning -EINVAL for\nunrecognized values.\n\nMake also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so\nthat errors are detected before causing any spurious TPM traffic.\n\nEnd also the authorization session on failure in both of the functions, as\nthe session state would be then by definition corrupted.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68792",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68793",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job->pasid access race in gpu recovery\n\nAvoid a possible UAF in GPU recovery due to a race between\nthe sched timeout callback and the tdr work queue.\n\nThe gpu recovery function calls drm_sched_stop() and\nlater drm_sched_start().  drm_sched_start() restarts\nthe tdr queue which will eventually free the job.  If\nthe tdr queue frees the job before time out callback\ncompletes, the job will be freed and we'll get a UAF\nwhen accessing the pasid.  Cache it early to avoid the\nUAF.\n\nExample KASAN trace:\n[  493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323\n[  493.074892]\n[  493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G            E       6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)\n[  493.076493] Tainted: [E]=UNSIGNED_MODULE\n[  493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[  493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[  493.076512] Call Trace:\n[  493.076515]  <TASK>\n[  493.076518]  dump_stack_lvl+0x64/0x80\n[  493.076529]  print_report+0xce/0x630\n[  493.076536]  ? _raw_spin_lock_irqsave+0x86/0xd0\n[  493.076541]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  493.076545]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077253]  kasan_report+0xb8/0xf0\n[  493.077258]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077965]  amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.078672]  ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[  493.079378]  ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[  493.080111]  amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[  493.080903]  ? pick_task_fair+0x24e/0x330\n[  493.080910]  ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[  493.081702]  ? _raw_spin_lock+0x75/0xc0\n[  493.081708]  ? __pfx__raw_spin_lock+0x10/0x10\n[  493.081712]  drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[  493.081721]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081725]  process_one_work+0x679/0xff0\n[  493.081732]  worker_thread+0x6ce/0xfd0\n[  493.081736]  ? __pfx_worker_thread+0x10/0x10\n[  493.081739]  kthread+0x376/0x730\n[  493.081744]  ? __pfx_kthread+0x10/0x10\n[  493.081748]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081751]  ? __pfx_kthread+0x10/0x10\n[  493.081755]  ret_from_fork+0x247/0x330\n[  493.081761]  ? __pfx_kthread+0x10/0x10\n[  493.081764]  ret_from_fork_asm+0x1a/0x30\n[  493.081771]  </TASK>\n\n(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68793",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68794",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: adjust read range correctly for non-block-aligned positions\n\niomap_adjust_read_range() assumes that the position and length passed in\nare block-aligned. This is not always the case however, as shown in the\nsyzbot generated case for erofs. This causes too many bytes to be\nskipped for uptodate blocks, which results in returning the incorrect\nposition and length to read in. If all the blocks are uptodate, this\nunderflows length and returns a position beyond the folio.\n\nFix the calculation to also take into account the block offset when\ncalculating how many bytes can be skipped for uptodate blocks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68794",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68795",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Avoid overflowing userspace buffer on stats query\n\nThe ethtool -S command operates across three ioctl calls:\nETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and\nETHTOOL_GSTATS for the values.\n\nIf the number of stats changes between these calls (e.g., due to device\nreconfiguration), userspace's buffer allocation will be incorrect,\npotentially leading to buffer overflow.\n\nDrivers are generally expected to maintain stable stat counts, but some\ndrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making\nthis scenario possible.\n\nSome drivers try to handle this internally:\n- bnad_get_ethtool_stats() returns early in case stats.n_stats is not\n  equal to the driver's stats count.\n- micrel/ksz884x also makes sure not to write anything beyond\n  stats.n_stats and overflow the buffer.\n\nHowever, both use stats.n_stats which is already assigned with the value\nreturned from get_sset_count(), hence won't solve the issue described\nhere.\n\nChange ethtool_get_strings(), ethtool_get_stats(),\nethtool_get_phy_stats() to not return anything in case of a mismatch\nbetween userspace's size and get_sset_size(), to prevent buffer\noverflow.\nThe returned n_stats value will be equal to zero, to reflect that\nnothing has been returned.\n\nThis could result in one of two cases when using upstream ethtool,\ndepending on when the size change is detected:\n1. When detected in ethtool_get_strings():\n    # ethtool -S eth2\n    no stats available\n\n2. When detected in get stats, all stats will be reported as zero.\n\nBoth cases are presumably transient, and a subsequent ethtool call\nshould succeed.\n\nOther than the overflow avoidance, these two cases are very evident (no\noutput/cleared stats), which is arguably better than presenting\nincorrect/shifted stats.\nI also considered returning an error instead of a \"silent\" response, but\nthat seems more destructive towards userspace apps.\n\nNotes:\n- This patch does not claim to fix the inherent race, it only makes sure\n  that we do not overflow the userspace buffer, and makes for a more\n  predictable behavior.\n\n- RTNL lock is held during each ioctl, the race window exists between\n  the separate ioctl calls when the lock is released.\n\n- Userspace ethtool always fills stats.n_stats, but it is likely that\n  these stats ioctls are implemented in other userspace applications\n  which might not fill it. The added code checks that it's not zero,\n  to prevent any regressions.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68795",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68796",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating zero-sized extent in extent cache\n\nAs syzbot reported:\n\nF2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/extent_cache.c:678!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678\nCall Trace:\n <TASK>\n f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085\n f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]\n f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737\n f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030\n vfs_fallocate+0x669/0x7e0 fs/open.c:342\n ioctl_preallocate fs/ioctl.c:289 [inline]\n file_ioctl+0x611/0x780 fs/ioctl.c:-1\n do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576\n __do_sys_ioctl fs/ioctl.c:595 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f07bc58eec9\n\nIn error path of f2fs_zero_range(), it may add a zero-sized extent\ninto extent cache, it should be avoided.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68796",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68797",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: applicom: fix NULL pointer dereference in ac_ioctl\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nIn ac_ioctl, the validation of IndexCard and the check for a valid\nRamIO pointer are skipped when cmd is 6. However, the function\nunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the\nend.\n\nIf cmd is 6, IndexCard may reference a board that does not exist\n(where RamIO is NULL), leading to a NULL pointer dereference.\n\nFix this by skipping the readb access when cmd is 6, as this\ncommand is a global information query and does not target a specific\nboard context.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68797",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68798",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GPF\n\nOn AMD machines cpuc->events[idx] can become NULL in a subtle race\ncondition with NMI->throttle->x86_pmu_stop().\n\nCheck event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.\nThis appears to be an AMD only issue.\n\nSyzkaller reported a GPF in amd_pmu_enable_all.\n\nINFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143\n    msecs\nOops: general protection fault, probably for non-canonical address\n    0xdffffc0000000034: 0000  PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]\nCPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk\nRIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195\n    arch/x86/events/core.c:1430)\nRSP: 0018:ffff888118009d60 EFLAGS: 00010012\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601\nFS:  00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\namd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))\nx86_pmu_enable (arch/x86/events/core.c:1360)\nevent_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186\n    kernel/events/core.c:2346)\n__perf_remove_from_context (kernel/events/core.c:2435)\nevent_function (kernel/events/core.c:259)\nremote_function (kernel/events/core.c:92 (discriminator 1)\n    kernel/events/core.c:72 (discriminator 1))\n__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27\n    ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64\n    kernel/smp.c:135 kernel/smp.c:540)\n__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27\n    ./include/linux/jump_label.h:207\n    ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)\nsysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)\n    arch/x86/kernel/smp.c:266 (discriminator 47))\n </IRQ>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68798",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68799",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix integer underflow in cffrml_receive()\n\nThe cffrml_receive() function extracts a length field from the packet\nheader and, when FCS is disabled, subtracts 2 from this length without\nvalidating that len >= 2.\n\nIf an attacker sends a malicious packet with a length field of 0 or 1\nto an interface with FCS disabled, the subtraction causes an integer\nunderflow.\n\nThis can lead to memory exhaustion and kernel instability, potential\ninformation disclosure if padding contains uninitialized kernel memory.\n\nFix this by validating that len >= 2 before performing the subtraction.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68799",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68800",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n <TASK>\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68800",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68801",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix neighbour use-after-free\n\nWe sometimes observe use-after-free when dereferencing a neighbour [1].\nThe problem seems to be that the driver stores a pointer to the\nneighbour, but without holding a reference on it. A reference is only\ntaken when the neighbour is used by a nexthop.\n\nFix by simplifying the reference counting scheme. Always take a\nreference when storing a neighbour pointer in a neighbour entry. Avoid\ntaking a reference when the neighbour is used by a nexthop as the\nneighbour entry associated with the nexthop already holds a reference.\n\nTested by running the test that uncovered the problem over 300 times.\nWithout this patch the problem was reproduced after a handful of\niterations.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310\nRead of size 8 at addr ffff88817f8e3420 by task ip/3929\n\nCPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6e/0x300\n print_report+0xfc/0x1fb\n kasan_report+0xe4/0x110\n mlxsw_sp_neigh_entry_update+0x2d4/0x310\n mlxsw_sp_router_rif_gone_sync+0x35f/0x510\n mlxsw_sp_rif_destroy+0x1ea/0x730\n mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0\n __mlxsw_sp_inetaddr_lag_event+0xcc/0x130\n __mlxsw_sp_inetaddr_event+0xf5/0x3c0\n mlxsw_sp_router_netdevice_event+0x1015/0x1580\n notifier_call_chain+0xcc/0x150\n call_netdevice_notifiers_info+0x7e/0x100\n __netdev_upper_dev_unlink+0x10b/0x210\n netdev_upper_dev_unlink+0x79/0xa0\n vrf_del_slave+0x18/0x50\n do_set_master+0x146/0x7d0\n do_setlink.isra.0+0x9a0/0x2880\n rtnl_newlink+0x637/0xb20\n rtnetlink_rcv_msg+0x6fe/0xb90\n netlink_rcv_skb+0x123/0x380\n netlink_unicast+0x4a3/0x770\n netlink_sendmsg+0x75b/0xc90\n __sock_sendmsg+0xbe/0x160\n ____sys_sendmsg+0x5b2/0x7d0\n ___sys_sendmsg+0xfd/0x180\n __sys_sendmsg+0x124/0x1c0\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[...]\n\nAllocated by task 109:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x2c1/0x790\n neigh_alloc+0x6af/0x8f0\n ___neigh_create+0x63/0xe90\n mlxsw_sp_nexthop_neigh_init+0x430/0x7e0\n mlxsw_sp_nexthop_type_init+0x212/0x960\n mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280\n mlxsw_sp_nexthop6_group_get+0x392/0x6a0\n mlxsw_sp_fib6_entry_create+0x46a/0xfd0\n mlxsw_sp_router_fib6_replace+0x1ed/0x5f0\n mlxsw_sp_router_fib6_event_work+0x10a/0x2a0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nFreed by task 154:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kmem_cache_free_bulk.part.0+0x1eb/0x5e0\n kvfree_rcu_bulk+0x1f2/0x260\n kfree_rcu_work+0x130/0x1b0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nLast potentially related work creation:\n kasan_save_stack+0x30/0x50\n kasan_record_aux_stack+0x8c/0xa0\n kvfree_call_rcu+0x93/0x5b0\n mlxsw_sp_router_neigh_event_work+0x67d/0x860\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68801",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68802",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Limit num_syncs to prevent oversized allocations\n\nThe exec and vm_bind ioctl allow userspace to specify an arbitrary\nnum_syncs value. Without bounds checking, a very large num_syncs\ncan force an excessively large allocation, leading to kernel warnings\nfrom the page allocator as below.\n\nIntroduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request\nexceeding this limit.\n\n\"\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124\n...\nCall Trace:\n <TASK>\n alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416\n ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388\n kmalloc_noprof include/linux/slab.h:909 [inline]\n kmalloc_array_noprof include/linux/slab.h:948 [inline]\n xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158\n drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797\n drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894\n xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\"\n\nv2: Add \"Reported-by\" and Cc stable kernels.\nv3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh)\nv4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)\nv5: Do the check at the top of the exec func. (Matt)\n\n(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68802",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68803",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file's\nmode bits rather than returning the originally-specified ACL.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68803",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68804",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver\n\nAfter unbinding the driver, another kthread `cros_ec_console_log_work`\nis still accessing the device, resulting in a UAF and crash.\n\nThe driver doesn't unregister the EC device in .remove() which should\nshut down sub-devices synchronously.  Fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68804",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68805",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix io-uring list corruption for terminated non-committed requests\n\nWhen a request is terminated before it has been committed, the request\nis not removed from the queue's list. This leaves a dangling list entry\nthat leads to list corruption and use-after-free issues.\n\nRemove the request from the queue's list for terminated non-committed\nrequests.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68805",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68806",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix buffer validation by including null terminator size in EA length\n\nThe smb2_set_ea function, which handles Extended Attributes (EA),\nwas performing buffer validation checks that incorrectly omitted the size\nof the null terminating character (+1 byte) for EA Name.\nThis patch fixes the issue by explicitly adding '+ 1' to EaNameLength where\nthe null terminator is expected to be present in the buffer, ensuring\nthe validation accurately reflects the total required buffer size.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68806",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68807",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n  rq_wait[0]:\n    inflight:             -1\n    has_waiters:        True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n  task:kworker/u24:39 state:D stack:0 pid:14767\n  Call Trace:\n    rq_qos_wait+0xb4/0x150\n    wbt_wait+0xa9/0x100\n    __rq_qos_throttle+0x24/0x40\n    blk_mq_submit_bio+0x672/0x7b0\n    ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n   - __wbt_enable_default(): Returns true if wbt_init() should be called\n   - wbt_enable_default(): Wrapper for existing callers (no init)\n   - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n   proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n   disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the\n   original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n   code since it's no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68807",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68808",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: initialize local pointers upon transfer of memory ownership\n\nvidtv_channel_si_init() creates a temporary list (program, service, event)\nand ownership of the memory itself is transferred to the PAT/SDT/EIT\ntables through vidtv_psi_pat_program_assign(),\nvidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().\n\nThe problem here is that the local pointer where the memory ownership\ntransfer was completed is not initialized to NULL. This causes the\nvidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and\nin the flow that jumps to free_eit, the memory that was freed by\nvidtv_psi_*_table_destroy() can be accessed again by\nvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it\nis freed once again.\n\nTherefore, to prevent use-after-free and double-free vulnerability,\nlocal pointers must be initialized to NULL when transferring memory\nownership.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68808",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68809",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode->m_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci->m_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n   ci->m_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n   used to read and modify m_flags without ci->m_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock\n   after dropping inode_hash_lock.\n - Adding ci->m_lock protection to all helpers that read or modify\n   m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),\n   and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68809",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68810",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot\n\nReject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was\ninitially created with a guest_memfd binding, as KVM doesn't support\ntoggling KVM_MEM_GUEST_MEMFD on existing memslots.  KVM prevents enabling\nKVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.\n\nFailure to reject the new memslot results in a use-after-free due to KVM\nnot unbinding from the guest_memfd instance.  Unbinding on a FLAGS_ONLY\nchange is easy enough, and can/will be done as a hardening measure (in\nanticipation of KVM supporting dirty logging on guest_memfd at some point),\nbut fixing the use-after-free would only address the immediate symptom.\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]\n  Write of size 8 at addr ffff8881111ae908 by task repro/745\n\n  CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x51/0x60\n   print_report+0xcb/0x5c0\n   kasan_report+0xb4/0xe0\n   kvm_gmem_release+0x362/0x400 [kvm]\n   __fput+0x2fa/0x9d0\n   task_work_run+0x12c/0x200\n   do_exit+0x6ae/0x2100\n   do_group_exit+0xa8/0x230\n   __x64_sys_exit_group+0x3a/0x50\n   x64_sys_call+0x737/0x740\n   do_syscall_64+0x5b/0x900\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x7f581f2eac31\n   </TASK>\n\n  Allocated by task 745 on cpu 6 at 9.746971s:\n   kasan_save_stack+0x20/0x40\n   kasan_save_track+0x13/0x50\n   __kasan_kmalloc+0x77/0x90\n   kvm_set_memory_region.part.0+0x652/0x1110 [kvm]\n   kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n   __x64_sys_ioctl+0x129/0x1a0\n   do_syscall_64+0x5b/0x900\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n  Freed by task 745 on cpu 6 at 9.747467s:\n   kasan_save_stack+0x20/0x40\n   kasan_save_track+0x13/0x50\n   __kasan_save_free_info+0x37/0x50\n   __kasan_slab_free+0x3b/0x60\n   kfree+0xf5/0x440\n   kvm_set_memslot+0x3c2/0x1160 [kvm]\n   kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]\n   kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n   __x64_sys_ioctl+0x129/0x1a0\n   do_syscall_64+0x5b/0x900\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68810",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68811",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: use rc_pageoff for memcpy byte offset\n\nsvc_rdma_copy_inline_range added rc_curpage (page index) to the page\nbase instead of the byte offset rc_pageoff. Use rc_pageoff so copies\nland within the current page.\n\nFound by ZeroPath (https://zeropath.com)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68811",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68813",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb->dev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb->dev. An attempt was made to fix the NULL skb->dev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb->dev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb->dev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb->dev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n   __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb->dev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb->dev from skb_dst(skb)->dev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n  <TASK>\n  spec_dst_fill net/ipv4/ip_options.c:232\n  spec_dst_fill net/ipv4/ip_options.c:229\n  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n  ipv4_send_dest_unreach net/ipv4/route.c:1252\n  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n  dst_link_failure include/net/dst.h:437\n  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68813",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68814",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68814",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68815",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn't checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n    tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[   59.279014][  T365] ------------[ cut here ]------------\n[   59.279452][  T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[   59.280153][  T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[   59.280860][  T365] Modules linked in:\n[   59.281165][  T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[   59.281977][  T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   59.282391][  T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[   59.282842][  T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[   59.288812][  T365] Call Trace:\n[   59.289056][  T365]  <TASK>\n[   59.289224][  T365]  ? 
srso_alias_return_thunk+0x5/0xfbef5\n[   59.289546][  T365]  ets_qdisc_change+0xd2b/0x1e80\n[   59.289891][  T365]  ? __lock_acquire+0x7e7/0x1be0\n[   59.290223][  T365]  ? __pfx_ets_qdisc_change+0x10/0x10\n[   59.290546][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.290898][  T365]  ? __mutex_trylock_common+0xda/0x240\n[   59.291228][  T365]  ? __pfx___mutex_trylock_common+0x10/0x10\n[   59.291655][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.291993][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.292313][  T365]  ? trace_contention_end+0xc8/0x110\n[   59.292656][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293022][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293351][  T365]  tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68815",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68816",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68816",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68817",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68817",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68818",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp->done() without holding a spinlock.  But unlike the older code\nbelow it, this new code failed to check sp->cmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n  0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n  0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n  ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n </TASK>\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash.  But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68818",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68819",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()\n\nrlen value is a user-controlled value, but dtv5100_i2c_msg() does not\ncheck the size of the rlen value. Therefore, if it is set to a value\nlarger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.\n\nTherefore, we need to add proper range checking to prevent this vuln.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68819",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68820",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68820",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68821",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff->release_args only if release is\nneeded\") skips allocating ff->release_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n>>> stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by 
allocating ff->release_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() ->\nfuse_release_end()).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68821",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68822",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path)     | CPU 1 (delayed work)\npsmouse_disconnect()     |\n  psmouse_set_state()    |\n  flush_workqueue()      | alps_report_bare_ps2_packet()\n  alps_disconnect()      |   psmouse_queue_work()\n    kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n                         |   priv = container_of(work...); // USE\n                         |   priv->dev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68822",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-68823",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk->open_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n   runs bio->bi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n   work may be deferred to current task's task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk->open_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68823",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp\nis allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to\nmin(new_tqps, hdev->num_tqps);  Therefore, kinfo->num_tqps may be smaller\nthan hdev->num_tqps, which causes some hdev->htqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,\nensuring that the lengths of hdev->htqp and kinfo->tqp are consistent\nand that all elements are properly initialized.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71064",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nAs Jiaming Zhang and syzbot reported, there is potential deadlock in\nf2fs as below:\n\nChain exists of:\n  &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  rlock(sb_internal#2);\n                               lock(fs_reclaim);\n                               lock(sb_internal#2);\n  rlock(&sbi->cp_rwsem);\n\n *** DEADLOCK ***\n\n3 locks held by kswapd0/73:\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389\n #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]\n #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197\n #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043\n check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908\n __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537\n f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]\n f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]\n f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791\n 
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867\n f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925\n f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853\n evict+0x504/0x9c0 fs/inode.c:810\n dispose_list fs/inode.c:852 [inline]\n prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000\n super_cache_scan+0x39b/0x4b0 fs/super.c:224\n do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437\n shrink_slab_memcg mm/shrinker.c:550 [inline]\n shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628\n shrink_one+0x28a/0x7c0 mm/vmscan.c:4955\n shrink_many mm/vmscan.c:5016 [inline]\n lru_gen_shrink_node mm/vmscan.c:5094 [inline]\n shrink_node+0x315d/0x3780 mm/vmscan.c:6081\n kswapd_shrink_node mm/vmscan.c:6941 [inline]\n balance_pgdat mm/vmscan.c:7124 [inline]\n kswapd+0x147c/0x2800 mm/vmscan.c:7389\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nThe root cause is deadlock among four locks as below:\n\nkswapd\n- fs_reclaim\t\t\t\t--- Lock A\n - shrink_one\n  - evict\n   - f2fs_evict_inode\n    - sb_start_intwrite\t\t\t--- Lock B\n\n- iput\n - evict\n  - f2fs_evict_inode\n   - sb_start_intwrite\t\t\t--- Lock B\n   - f2fs_truncate\n    - f2fs_truncate_blocks\n     - f2fs_do_truncate_blocks\n      - f2fs_lock_op\t\t\t--- Lock C\n\nioctl\n- f2fs_ioc_commit_atomic_write\n - f2fs_lock_op\t\t\t\t--- Lock C\n  - __f2fs_commit_atomic_write\n   - __replace_atomic_write_block\n    - f2fs_get_dnode_of_data\n     - __get_node_folio\n      - f2fs_check_nid_range\n       - f2fs_handle_error\n        - f2fs_record_errors\n         - f2fs_down_write\t\t--- Lock D\n\nopen\n- do_open\n - do_truncate\n  - security_inode_need_killpriv\n   - f2fs_getxattr\n    - lookup_all_xattrs\n     - f2fs_handle_error\n      - f2fs_record_errors\n       - f2fs_down_write\t\t--- Lock D\n        - f2fs_commit_super\n         - 
read_mapping_folio\n          - filemap_alloc_folio_noprof\n           - prepare_alloc_pages\n            - fs_reclaim_acquire\t--- Lock A\n\nIn order to a\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71065",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n                          struct netlink_ext_ack *extack)\n{\n...\n\n      // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n      //to race with .dequeue handler (`ets_qdisc_dequeue`)\n      sch_tree_lock(sch);\n\n      for (i = nbands; i < oldbands; i++) {\n              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)\n                      list_del_init(&q->classes[i].alist);\n              qdisc_purge_queue(q->classes[i].qdisc);\n      }\n\n      WRITE_ONCE(q->nbands, nbands);\n      for (i = nstrict; i < q->nstrict; i++) {\n              if (q->classes[i].qdisc->q.qlen) {\n\t\t      // (2) the class is added to the q->active\n                      list_add_tail(&q->classes[i].alist, &q->active);\n                      q->classes[i].deficit = quanta[i];\n              }\n      }\n      WRITE_ONCE(q->nstrict, nstrict);\n      memcpy(q->prio2band, priomap, sizeof(priomap));\n\n      for (i = 0; i < q->nbands; i++)\n              WRITE_ONCE(q->classes[i].quantum, quanta[i]);\n\n      for (i = oldbands; i < q->nbands; i++) {\n              q->classes[i].qdisc = queues[i];\n              if (q->classes[i].qdisc != &noop_qdisc)\n                      qdisc_hash_add(q->classes[i].qdisc, true);\n      }\n\n      // (3) the qdisc is unlocked, now dequeue can be called in parallel\n      // to the rest of .change handler\n      sch_tree_unlock(sch);\n\n  
    ets_offload_change(sch);\n      for (i = q->nbands; i < oldbands; i++) {\n\t      // (4) we're reducing the refcount for our class's qdisc and\n\t      //  freeing it\n              qdisc_put(q->classes[i].qdisc);\n\t      // (5) If we call .dequeue between (4) and (5), we will have\n\t      // a strong UAF and we can control RIP\n              q->classes[i].qdisc = NULL;\n              WRITE_ONCE(q->classes[i].quantum, 0);\n              q->classes[i].deficit = 0;\n              gnet_stats_basic_sync_init(&q->classes[i].bstats);\n              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));\n      }\n      return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\"   # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n  tc qdisc del dev \"$DEV\" root 2>/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2>/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n  tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n  >/dev/null 2>&1 &\ntc qdisc change dev \"$DEV\" root 
handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71066",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb->s_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n  mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\\x00', 0x0)\n  r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)\n  ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)\n  mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\\x00',\n        &(0x7f0000000000)='ntfs3\\x00', 0x2208004, 0x0)\n  syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves\nsb->s_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb->s_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71067",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71068",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: invalidate dentry cache on failed whiteout creation\n\nF2FS can mount filesystems with corrupted directory depth values that\nget runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT\noperations are performed on such directories, f2fs_rename performs\ndirectory modifications (updating target entry and deleting source\nentry) before attempting to add the whiteout entry via f2fs_add_link.\n\nIf f2fs_add_link fails due to the corrupted directory structure, the\nfunction returns an error to VFS, but the partial directory\nmodifications have already been committed to disk. VFS assumes the\nentire rename operation failed and does not update the dentry cache,\nleaving stale mappings.\n\nIn the error path, VFS does not call d_move() to update the dentry\ncache. This results in new_dentry still pointing to the old inode\n(new_inode) which has already had its i_nlink decremented to zero.\nThe stale cache causes subsequent operations to incorrectly reference\nthe freed inode.\n\nThis causes subsequent operations to use cached dentry information that\nno longer matches the on-disk state. When a second rename targets the\nsame entry, VFS attempts to decrement i_nlink on the stale inode, which\nmay already have i_nlink=0, triggering a WARNING in drop_nlink().\n\nExample sequence:\n1. First rename (RENAME_WHITEOUT): file2 \u2192 file1\n   - f2fs updates file1 entry on disk (points to inode 8)\n   - f2fs deletes file2 entry on disk\n   - f2fs_add_link(whiteout) fails (corrupted directory)\n   - Returns error to VFS\n   - VFS does not call d_move() due to error\n   - VFS cache still has: file1 \u2192 inode 7 (stale!)\n   - inode 7 has i_nlink=0 (already decremented)\n\n2. Second rename: file3 \u2192 file1\n   - VFS uses stale cache: file1 \u2192 inode 7\n   - Tries to drop_nlink on inode 7 (i_nlink already 0)\n   - WARNING in drop_nlink()\n\nFix this by explicitly invalidating old_dentry and new_dentry when\nf2fs_add_link fails during whiteout creation. This forces VFS to\nrefresh from disk on subsequent operations, ensuring cache consistency\neven when the rename partially succeeds.\n\nReproducer:\n1. Mount F2FS image with corrupted i_current_depth\n2. renameat2(file2, file1, RENAME_WHITEOUT)\n3. renameat2(file3, file1, 0)\n4. System triggers WARNING in drop_nlink()",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71069",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: clean up user copy references on ublk server exit\n\nIf a ublk server process releases a ublk char device file, any requests\ndispatched to the ublk server but not yet completed will retain a ref\nvalue of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (\"ublk: simplify\naborting ublk request\"), __ublk_fail_req() would decrement the reference\ncount before completing the failed request. However, that commit\noptimized __ublk_fail_req() to call __ublk_complete_rq() directly\nwithout decrementing the request reference count.\nThe leaked reference count incorrectly allows user copy and zero copy\noperations on the completed ublk request. It also triggers the\nWARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit()\nand ublk_deinit_queue().\nCommit c5c5eb24ed61 (\"ublk: avoid ublk_io_release() called after ublk\nchar dev is closed\") already fixed the issue for ublk devices using\nUBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference\ncount leak also affects UBLK_F_USER_COPY, the other reference-counted\ndata copy mode. Fix the condition in ublk_check_and_reset_active_ref()\nto include all reference-counted data copy modes. This ensures that any\nublk requests still owned by the ublk server when it exits have their\nreference counts reset to 0.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71070",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: fix use-after-free on probe deferral\n\nThe driver is dropping the references taken to the larb devices during\nprobe after successful lookup as well as on errors. This can\npotentially lead to a use-after-free in case a larb device has not yet\nbeen bound to its driver so that the iommu driver probe defers.\n\nFix this by keeping the references as expected while the iommu driver is\nbound.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71071",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: fix recovery on rename failures\n\nmaple_tree insertions can fail if we are seriously short on memory;\nsimple_offset_rename() does not recover well if it runs into that.\nThe same goes for simple_offset_rename_exchange().\n\nMoreover, shmem_whiteout() expects that if it succeeds, the caller will\nprogress to d_move(), i.e. that shmem_rename2() won't fail past the\nsuccessful call of shmem_whiteout().\n\nNot hard to fix, fortunately - mtree_store() can't fail if the index we\nare trying to store into is already present in the tree as a singleton.\n\nFor simple_offset_rename_exchange() that's enough - we just need to be\ncareful about the order of operations.\n\nFor simple_offset_rename() solution is to preinsert the target into the\ntree for new_dir; the rest can be done without any potentially failing\noperations.\n\nThat preinsertion has to be done in shmem_rename2() rather than in\nsimple_offset_rename() itself - otherwise we'd need to deal with the\npossibility of failure after successful shmem_whiteout().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71072",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: lkkbd - disable pending work before freeing device\n\nlkkbd_interrupt() schedules lk->tq via schedule_work(), and the work\nhandler lkkbd_reinit() dereferences the lkkbd structure and its\nserio/input_dev fields.\n\nlkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd\nstructure without preventing the reinit work from being queued again\nuntil serio_close() returns. This can allow the work handler to run\nafter the structure has been freed, leading to a potential use-after-free.\n\nUse disable_work_sync() instead of cancel_work_sync() to ensure the\nreinit work cannot be re-queued, and call it both in lkkbd_disconnect()\nand in lkkbd_connect() error paths after serio_open().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71073",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfunctionfs: fix the open/removal races\n\nffs_epfile_open() can race with removal, ending up with file->private_data\npointing to freed object.\n\nThere is a total count of opened files on functionfs (both ep0 and\ndynamic ones) and when it hits zero, dynamic files get removed.\nUnfortunately, that removal can happen while another thread is\nin ffs_epfile_open(), but has not incremented the count yet.\nIn that case open will succeed, leaving us with UAF on any subsequent\nread() or write().\n\nThe root cause is that ffs->opened is misused; atomic_dec_and_test() vs.\natomic_add_return() is not a good idea, when object remains visible all\nalong.\n\nTo untangle that\n\t* serialize openers on ffs->mutex (both for ep0 and for dynamic files)\n\t* have dynamic ones use atomic_inc_not_zero() and fail if we had\nzero ->opened; in that case the file we are opening is doomed.\n\t* have the inodes of dynamic files marked on removal (from the\ncallback of simple_recursive_removal()) - clear ->i_private there.\n\t* have open of dynamic ones verify they hadn't been already removed,\nalong with checking that state is FFS_ACTIVE.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71074"
        },
        {
          "id": "CVE-2025-71075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71075",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Limit num_syncs to prevent oversized allocations\n\nThe OA open parameters did not validate num_syncs, allowing\nuserspace to pass arbitrarily large values, potentially\nleading to excessive allocations.\n\nAdd check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,\nreturning -EINVAL when the limit is violated.\n\nv2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)\n\n(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71076",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71077",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0                                   CPU 1\n-----                                    -----\nProcess P\nexec                                    swapper/1\n load_elf_binary\n  begin_new_exc\n    activate_mm\n     switch_mm_irqs_off\n      switch_mmu_context\n       switch_slb\n       /*\n        * This invalidates all\n        * the entries in the HW\n        * and setup the new HW\n        * SLB entries as per the\n        * preload cache.\n        */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0                       context switch (to process P)\n(uses mm_struct of Process P)           switch_mm_irqs_off()\n                                         switch_slb\n                                           load_slb++\n                                            /*\n                                            * load_slb becomes 0 here\n                                            * and we evict an entry from\n                                            * the preload cache with\n                                            * preload_age(). We still\n                                            * keep HW SLB and preload\n                                            * cache in sync, that is\n                                            * because all HW SLB entries\n                                            * anyways gets evicted in\n                                            * switch_slb during SLBIA.\n                                            * We then only add those\n                                            * entries back in HW SLB,\n                                            * which are currently\n                                            * present in preload_cache\n                                            * (after eviction).\n                                            */\n                                        load_elf_binary continues...\n                                         setup_new_exec()\n                                          slb_setup_new_exec()\n\n                                        sched_switch event\n                                        sched_migrate_task migrates\n                                        process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n  /*\n   * Since both prev and next mm struct are same we don't call\n   * switch_mmu_context(). This will cause the HW SLB and SW preload\n   * cache to go out of sync in preload_new_slb_context. Because there\n   * was an SLB entry which was evicted from both HW and preload cache\n   * on cpu-1. Now later in preload_new_slb_context(), when we will try\n   * to add the same preload entry again, we will add this to the SW\n   * preload cache and then will add it to the HW SLB. Since on cpu-0\n   * this entry was never invalidated, hence adding this entry to the HW\n   * SLB will cause a SLB multi-hit error.\n   */\nload_elf_binary cont\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71078",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n  rfkill_fop_write()\n    mutex_lock(&rfkill_global_mutex)\n      rfkill_set_block()\n        nfc_rfkill_set_block()\n          nfc_dev_down()\n            device_lock(&dev->dev)    <- waits for device_lock\n\nThread B (nfc_unregister_device):\n  nfc_unregister_device()\n    device_lock(&dev->dev)\n      rfkill_unregister()\n        mutex_lock(&rfkill_global_mutex)  <- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock ->\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71079",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT\n\nOn PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the\ncurrent task can be preempted. Another task running on the same CPU\nmay then execute rt6_make_pcpu_route() and successfully install a\npcpu_rt entry. When the first task resumes execution, its cmpxchg()\nin rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer\nNULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding\nmdelay() after rt6_get_pcpu_route().\n\nUsing preempt_disable/enable is not appropriate here because\nip6_rt_pcpu_alloc() may sleep.\n\nFix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:\nfree our allocation and return the existing pcpu_rt installed by\nanother task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT\nkernels where such races should not occur.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71080",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: sai: fix OF node leak on probe\n\nThe reference taken to the sync provider OF node when probing the\nplatform device is currently only dropped if the set_sync() callback\nfails during DAI probe.\n\nMake sure to drop the reference on platform probe failures (e.g. probe\ndeferral) and on driver unbind.\n\nThis also avoids a potential use-after-free in case the DAI is ever\nreprobed without first rebinding the platform driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71081",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: revert use of devm_kzalloc in btusb\n\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\n\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\n\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(&btusb_driver, data->intf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\n\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71082",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71083",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n   GID entry ref leak for dev syz1 index 2 ref=573\n   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71084",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead < 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom > INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) < 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n        netlabelctl map del default\n        netlabelctl calipso add pass doi:7\n        netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n        Then run the following PoC:\n\n        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n        // setup msghdr\n        int cmsg_size = 2;\n        int cmsg_len = 0x60;\n        struct msghdr msg;\n        struct sockaddr_in6 dest_addr;\n        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n                        sizeof(struct cmsghdr) + cmsg_len);\n        msg.msg_name = &dest_addr;\n        msg.msg_namelen = sizeof(dest_addr);\n        msg.msg_iov = NULL;\n        msg.msg_iovlen = 0;\n        msg.msg_control = cmsg;\n        msg.msg_controllen = cmsg_len;\n        msg.msg_flags = 0;\n\n        // setup sockaddr\n        dest_addr.sin6_family = AF_INET6;\n        dest_addr.sin6_port = htons(31337);\n        dest_addr.sin6_flowinfo = htonl(31337);\n        dest_addr.sin6_addr = in6addr_loopback;\n        dest_addr.sin6_scope_id = 31337;\n\n        // setup cmsghdr\n        cmsg->cmsg_len = cmsg_len;\n        cmsg->cmsg_level = IPPROTO_IPV6;\n        cmsg->cmsg_type = IPV6_HOPOPTS;\n        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n        sendmsg(fd, &msg, 0);",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71085",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt <\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71086",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix off-by-one issues in iavf_config_rss_reg()\n\nThere are off-by-one bugs when configuring RSS hash key and lookup\ntable, causing out-of-bounds reads to memory [1] and out-of-bounds\nwrites to device registers.\n\nBefore commit 43a3d9ba34c9 (\"i40evf: Allow PF driver to configure RSS\"),\nthe loop upper bounds were:\n    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX\nwhich is safe since the value is the last valid index.\n\nThat commit changed the bounds to:\n    i <= adapter->rss_{key,lut}_size / 4\nwhere `rss_{key,lut}_size / 4` is the number of dwords, so the last\nvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`\naccesses one element past the end.\n\nFix the issues by using `<` instead of `<=`, ensuring we do not exceed\nthe bounds.\n\n[1] KASAN splat about rss_key_size off-by-one\n  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800\n  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63\n\n  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n  Workqueue: iavf iavf_watchdog_task\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6f/0xb0\n   print_report+0x170/0x4f3\n   kasan_report+0xe1/0x1a0\n   iavf_config_rss+0x619/0x800\n   iavf_watchdog_task+0x2be7/0x3230\n   process_one_work+0x7fd/0x1420\n   worker_thread+0x4d1/0xd40\n   kthread+0x344/0x660\n   ret_from_fork+0x249/0x320\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 63:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0x7f/0x90\n   __kmalloc_noprof+0x246/0x6f0\n   iavf_watchdog_task+0x28fc/0x3230\n   process_one_work+0x7fd/0x1420\n   worker_thread+0x4d1/0xd40\n   kthread+0x344/0x660\n   ret_from_fork+0x249/0x320\n   ret_from_fork_asm+0x1a/0x30\n\n  The buggy address belongs to the object at ffff888102c50100\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes to the right of\n   allocated 52-byte region [ffff888102c50100, ffff888102c50134)\n\n  The buggy address belongs to the physical page:\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50\n  flags: 0x200000000000000(node=0|zone=2)\n  page_type: f5(slab)\n  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000\n  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n                                       ^\n   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc\n   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71087",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n  WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Modules linked in:\n  CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n  RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n  Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n  RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n  RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n  RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n  R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n  R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n  FS:  0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n  Call Trace:\n   <TASK>\n   tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n   tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n   tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n   tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n   ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n   ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n   dst_input include/net/dst.h:471 [inline]\n   ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n   NF_HOOK include/linux/netfilter.h:318 [inline]\n   NF_HOOK include/linux/netfilter.h:312 [inline]\n   ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n   __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n   __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n   process_backlog+0x442/0x15e0 net/core/dev.c:6444\n   __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n   napi_poll net/core/dev.c:7557 [inline]\n   net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n   handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n   run_ksoftirqd kernel/softirq.c:968 [inline]\n   run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n   smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n   kthread+0x3c2/0x780 kernel/kthread.c:463\n   ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n   </TASK>\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -> FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that's not already there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71088",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\npage table entries.  When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries.  This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU's page tables.  The x86 architecture maps the\nkernel's virtual address space into the upper portion of every process's\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings.  This can cause the IOMMU's internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated.  The IOMMU could\nmisinterpret the new data as valid page table entries.  The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation.  This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings.  However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out.  This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71089",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()\n\nnfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites\nfp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if\nthe client already has a SHARE_ACCESS_READ open from a previous OPEN\noperation, this action overwrites the existing pointer without\nreleasing its reference, orphaning the previous reference.\n\nAdditionally, the function originally stored the same nfsd_file\npointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with\nonly a single reference. When put_deleg_file() runs, it clears\nfi_rdeleg_file and calls nfs4_file_put_access() to release the file.\n\nHowever, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when\nthe fi_access[O_RDONLY] counter drops to zero. If another READ open\nexists on the file, the counter remains elevated and the nfsd_file\nreference from the delegation is never released. This potentially\ncauses open conflicts on that file.\n\nThen, on server shutdown, these leaks cause __nfsd_file_cache_purge()\nto encounter files with an elevated reference count that cannot be\ncleaned up, ultimately triggering a BUG() in kmem_cache_destroy()\nbecause there are still nfsd_file objects allocated in that cache.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71090",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_override_port_prio_changed()\n\nThere has been a syzkaller bug reported recently with the following\ntrace:\n\nlist_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:59!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59\nCode: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286\nRAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000\nRDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005\nRBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230\nR13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480\nFS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0\nCall Trace:\n <TASK>\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:223 [inline]\n list_del_rcu include/linux/rculist.h:178 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]\n team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]\n team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534\n team_option_set drivers/net/team/team_core.c:376 [inline]\n team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653\n genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684\n __sys_sendmsg+0x16d/0x220 net/socket.c:2716\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe problem is in this flow:\n1) Port is enabled, queue_id != 0, in qom_list\n2) Port gets disabled\n        -> team_port_disable()\n        -> team_queue_override_port_del()\n        -> del (removed from list)\n3) Port is disabled, queue_id != 0, not in any list\n4) Priority changes\n        -> team_queue_override_port_prio_changed()\n        -> checks: port disabled && queue_id != 0\n        -> calls del - hits the BUG as it is removed already\n\nTo fix this, change the check in team_queue_override_port_prio_changed()\nso it returns early if port is not enabled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71091",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()\n\nCommit ef56081d1864 (\"RDMA/bnxt_re: RoCE related hardware counters\nupdate\") added three new counters and placed them after\nBNXT_RE_OUT_OF_SEQ_ERR.\n\nBNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware\nstatistics with different num_counters values on chip_gen_p5_p7 devices.\n\nAs a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating\nhw_stats, which leads to an out-of-bounds write in\nbnxt_re_copy_err_stats().\n\nThe counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and\nBNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not\nonly p5/p7 devices.\n\nFix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they\nare included in the generic counter set.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71092",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: fix OOB in e1000_tbi_should_accept()\n\nIn e1000_tbi_should_accept() we read the last byte of the frame via\n'data[length - 1]' to evaluate the TBI workaround. If the descriptor-\nreported length is zero or larger than the actual RX buffer size, this\nread goes out of bounds and can hit unrelated slab objects. The issue\nis observed from the NAPI receive path (e1000_clean_rx_irq):\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790\nRead of size 1 at addr ffff888014114e54 by task sshd/363\n\nCPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x5a/0x74\n print_address_description+0x7b/0x440\n print_report+0x101/0x200\n kasan_report+0xc1/0xf0\n e1000_tbi_should_accept+0x610/0x790\n e1000_clean_rx_irq+0xa8c/0x1110\n e1000_clean+0xde2/0x3c10\n __napi_poll+0x98/0x380\n net_rx_action+0x491/0xa20\n __do_softirq+0x2c9/0x61d\n do_softirq+0xd1/0x120\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0xfe/0x130\n ip_finish_output2+0x7d5/0xb00\n __ip_queue_xmit+0xe24/0x1ab0\n __tcp_transmit_skb+0x1bcb/0x3340\n tcp_write_xmit+0x175d/0x6bd0\n __tcp_push_pending_frames+0x7b/0x280\n tcp_sendmsg_locked+0x2e4f/0x32d0\n tcp_sendmsg+0x24/0x40\n sock_write_iter+0x322/0x430\n vfs_write+0x56c/0xa60\n ksys_write+0xd1/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f511b476b10\nCode: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24\nRSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10\nRDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003\nRBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00\nR10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003\n </TASK>\nAllocated by task 1:\n __kasan_krealloc+0x131/0x1c0\n krealloc+0x90/0xc0\n add_sysfs_param+0xcb/0x8a0\n kernel_add_sysfs_param+0x81/0xd4\n param_sysfs_builtin+0x138/0x1a6\n param_sysfs_init+0x57/0x5b\n do_one_initcall+0x104/0x250\n do_initcall_level+0x102/0x132\n do_initcalls+0x46/0x74\n kernel_init_freeable+0x28f/0x393\n kernel_init+0x14/0x1a0\n ret_from_fork+0x22/0x30\nThe buggy address belongs to the object at ffff888014114000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1620 bytes to the right of\n 2048-byte region [ffff888014114000, ffff888014114800]\nThe buggy address belongs to the physical page:\npage:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110\nhead:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x100000000010200(slab|head|node=0|zone=1)\nraw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000\nraw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n==================================================================\n\nThis happens because the TBI check unconditionally dereferences the last\nbyte without validating the reported length first:\n\n\tu8 last_byte = *(data + length - 1);\n\nFix by rejecting the frame early if the length is zero, or if it exceeds\nadapter->rx_buffer_len. This preserves the TBI workaround semantics for\nvalid frames and prevents touching memory beyond the RX buffer.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71093",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (>= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n  addr 207 out of range\n  WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71094",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix the crash issue for zero copy XDP_TX action\n\nThere is a crash issue when running zero copy XDP_TX action, the crash\nlog is shown below.\n\n[  216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000\n[  216.187524] Internal error: Oops: 0000000096000144 [#1]  SMP\n[  216.301694] Call trace:\n[  216.304130]  dcache_clean_poc+0x20/0x38 (P)\n[  216.308308]  __dma_sync_single_for_device+0x1bc/0x1e0\n[  216.313351]  stmmac_xdp_xmit_xdpf+0x354/0x400\n[  216.317701]  __stmmac_xdp_run_prog+0x164/0x368\n[  216.322139]  stmmac_napi_poll_rxtx+0xba8/0xf00\n[  216.326576]  __napi_poll+0x40/0x218\n[  216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n\nFor XDP_TX action, the xdp_buff is converted to xdp_frame by\nxdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame\ndepends on the memory type of the xdp_buff. For page pool based xdp_buff\nit produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy\nXSK pool based xdp_buff it produces xdp_frame with memory type\nMEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the\nmemory type and always uses the page pool type, this leads to invalid\nmappings and causes the crash. Therefore, check the xdp_buff memory type\nin stmmac_xdp_xmit_back() to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71095",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n    BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n    BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     hex_byte_pack include/linux/hex.h:13 [inline]\n     ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n     ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n     pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n     vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n     vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n     vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n     vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n     vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n     _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n     ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n     ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n     rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n     rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n     rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n     netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n     netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n     netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n     sock_sendmsg_nosec net/socket.c:714 [inline]\n     __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n     ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n     __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n     __compat_sys_sendmsg net/compat.c:346 [inline]\n     __do_compat_sys_sendmsg net/compat.c:353 [inline]\n     __se_compat_sys_sendmsg net/compat.c:350 [inline]\n     __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n     ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n     do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n     __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n     do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n     do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71096",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71097",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves the team or bonding drivers' ability to dynamically\nchange their dev->needed_headroom and/or dev->hard_header_len.\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n <TASK>\n  skb_under_panic net/core/skbuff.c:223 [inline]\n  skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n  dev_hard_header include/linux/netdevice.h:3436 [inline]\n  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n  neigh_output include/net/neighbour.h:556 [inline]\n  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n  NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n  mld_send_cr net/ipv6/mcast.c:2154 [inline]\n  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71098",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()\n\nIn xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping\nmetrics_lock. Since this lock protects the lifetime of oa_config, an\nattacker could guess the id and call xe_oa_remove_config_ioctl() with\nperfect timing, freeing oa_config before we dereference it, leading to\na potential use-after-free.\n\nFix this by caching the id in a local variable while holding the lock.\n\nv2: (Matt A)\n- Dropped mutex_unlock(&oa->metrics_lock) ordering change from\n  xe_oa_remove_config_ioctl()\n\n(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71099",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()\n\nThe TID obtained from ieee80211_get_tid() might be out of range of the array size\nof sta_entry->tids[], so check that TID is less than MAX_TID_COUNT. Otherwise,\nUBSAN warns:\n\n UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30\n index 10 is out of range for type 'rtl_tid_data [9]'",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71100",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing\n\nThe hp_populate_*_elements_from_package() functions in the hp-bioscfg\ndriver contain out-of-bounds array access vulnerabilities.\n\nThese functions parse ACPI packages into internal data structures using\na for loop with index variable 'elem' that iterates through\nenum_obj/integer_obj/order_obj/password_obj/string_obj arrays.\n\nWhen processing multi-element fields like PREREQUISITES and\nENUM_POSSIBLE_VALUES, these functions read multiple consecutive array\nelements using expressions like 'enum_obj[elem + reqs]' and\n'enum_obj[elem + pos_values]' within nested loops.\n\nThe bug is that the bounds check only validated elem, but did not consider\nthe additional offset when accessing elem + reqs or elem + pos_values.\n\nThe fix changes the bounds check to validate the actual accessed index.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71101",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscs: fix a wrong parameter in __scs_magic\n\n__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is\ngiven.  'task_scs(tsk)' is the starting address of the task's shadow call\nstack, and '__scs_magic(task_scs(tsk))' is the end address of the task's\nshadow call stack.  Here it should be '__scs_magic(task_scs(tsk))'.\n\nThe user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE\nis enabled, the shadow call stack usage checking function\n(scs_check_usage) would scan an incorrect memory range.  This could lead to:\n\n1. **Inaccurate stack usage reporting**: The function would calculate\n   wrong usage statistics for the shadow call stack, potentially showing\n   an incorrect value in kmsg.\n\n2. **Potential kernel crash**: If the value of __scs_magic(tsk) is\n   greater than that of __scs_magic(task_scs(tsk)), the for loop may\n   access unmapped memory, potentially causing a kernel panic.  However,\n   this scenario is unlikely because task_struct is allocated via the slab\n   allocator (which typically returns lower addresses), while the shadow\n   call stack returned by task_scs(tsk) is allocated via vmalloc (which\n   typically returns higher addresses).\n\nHowever, since this is purely a debugging feature\n(CONFIG_DEBUG_STACK_USAGE), normal production systems should not be\naffected.  The bug only impacts developers and testers who are actively\ndebugging stack usage with this configuration enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71102",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: adreno: fix dereferencing ifpc_reglist when not declared\n\nOn platforms with an a7xx GPU not supporting IFPC, the ifpc_reglist\nis still dereferenced in a7xx_patch_pwrup_reglist(), which causes\na kernel crash:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n...\npc : a6xx_hw_init+0x155c/0x1e4c [msm]\nlr : a6xx_hw_init+0x9a8/0x1e4c [msm]\n...\nCall trace:\n  a6xx_hw_init+0x155c/0x1e4c [msm] (P)\n  msm_gpu_hw_init+0x58/0x88 [msm]\n  adreno_load_gpu+0x94/0x1fc [msm]\n  msm_open+0xe4/0xf4 [msm]\n  drm_file_alloc+0x1a0/0x2e4 [drm]\n  drm_client_init+0x7c/0x104 [drm]\n  drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib]\n  drm_client_setup+0xb4/0xd8 [drm_client_lib]\n  msm_drm_kms_post_init+0x2c/0x3c [msm]\n  msm_drm_init+0x1a4/0x228 [msm]\n  msm_drm_bind+0x30/0x3c [msm]\n...\n\nCheck the validity of ifpc_reglist before dereferencing the table\nto set up the register values.\n\nPatchwork: https://patchwork.freedesktop.org/patch/688944/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71103",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer\n\nWhen advancing the target expiration for the guest's APIC timer in periodic\nmode, set the expiration to \"now\" if the target expiration is in the past\n(similar to what is done in update_target_expiration()).  Blindly adding\nthe period to the previous target expiration can result in KVM generating\na practically unbounded number of hrtimer IRQs due to programming an\nexpired timer over and over.  In extreme scenarios, e.g. if userspace\npauses/suspends a VM for an extended duration, this can even cause hard\nlockups in the host.\n\nCurrently, the bug only affects Intel CPUs when using the hypervisor timer\n(HV timer), a.k.a. the VMX preemption timer.  Unlike the software timer,\na.k.a. hrtimer, which KVM keeps running even on exits to userspace, the\nHV timer only runs while the guest is active.  As a result, if the vCPU\ndoes not run for an extended duration, there will be a huge gap between\nthe target expiration and the current time the vCPU resumes running.\nBecause the target expiration is incremented by only one period on each\ntimer expiration, this leads to a series of timer expirations occurring\nrapidly after the vCPU/VM resumes.\n\nMore critically, when the vCPU first triggers a periodic HV timer\nexpiration after resuming, advancing the expiration by only one period\nwill result in a target expiration in the past.  As a result, the delta\nmay be calculated as a negative value.  When the delta is converted into\nan absolute value (tscdeadline is an unsigned u64), the resulting value\ncan overflow what the HV timer is capable of programming.  I.e. the large\nvalue will exceed the VMX Preemption Timer's maximum bit width of\ncpu_preemption_timer_multi + 32, and thus cause KVM to switch from the\nHV timer to the software timer (hrtimers).\n\nAfter switching to the software timer, periodic timer expiration callbacks\nmay be executed consecutively within a single clock interrupt handler,\nbecause hrtimers honors KVM's request for an expiration in the past and\nimmediately re-invokes KVM's callback after reprogramming.  And because\nthe interrupt handler runs with IRQs disabled, restarting KVM's hrtimer\nover and over until the target expiration is advanced to \"now\" can result\nin a hard lockup.\n\nE.g. the following hard lockup was triggered in the host when running a\nWindows VM (only relevant because it used the APIC timer in periodic mode)\nafter resuming the VM from a long suspend (in the host).\n\n  NMI watchdog: Watchdog detected hard LOCKUP on cpu 45\n  ...\n  RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]\n  ...\n  RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046\n  RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc\n  RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500\n  RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0\n  R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0\n  R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8\n  FS:  00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0\n  PKRU: 55555554\n  Call Trace:\n   <IRQ>\n   apic_timer_fn+0x31/0x50 [kvm]\n   __hrtimer_run_queues+0x100/0x280\n   hrtimer_interrupt+0x100/0x210\n   ? ttwu_do_wakeup+0x19/0x160\n   smp_apic_timer_interrupt+0x6a/0x130\n   apic_timer_interrupt+0xf/0x20\n   </IRQ>\n\nMoreover, if the suspend duration of the virtual machine is not long enough\nto trigger a hard lockup in this scenario, since commit 98c25ead5eda\n(\"KVM: VMX: Move preemption timer <=> hrtimer dance to common x86\"), KVM\nwill continue using the software timer until the guest reprograms the APIC\ntimer in some way.  Since the periodic timer does not require frequent APIC\ntimer register programming, the guest may continue to use the software\ntimer in \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71104",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name 'f2fs_xattr_entry-7:7' already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\n\u00a0do_mount fs/namespace.c:4136 [inline]\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is an existing cache which has the same name\nand trigger the warning.\n\nLet's change to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71105",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: PM: Fix reverse check in filesystems_freeze_callback()\n\nThe freeze_all_ptr check in filesystems_freeze_callback() introduced by\ncommit a3f8f8662771 (\"power: always freeze efivarfs\") is reversed, which\nquite confusingly causes all file systems to be frozen when\nfilesystem_freeze_enabled is false.\n\nOn my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to\ntrigger, most likely due to an attempt to freeze a file system that is\nnot ready for that.\n\nAdd a logical negation to the check in question to reverse it as\nappropriate.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71106",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: ensure node page reads complete before f2fs_put_super() finishes\n\nXfstests generic/335, generic/336 sometimes crash with the following message:\n\nF2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/super.c:1939!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G        W           6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_put_super+0x3b3/0x3c0\nCall Trace:\n <TASK>\n generic_shutdown_super+0x7e/0x190\n kill_block_super+0x1a/0x40\n kill_f2fs_super+0x9d/0x190\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x5c/0xa0\n exit_to_user_mode_loop+0xb7/0xc0\n do_syscall_64+0x1ae/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n---[ end trace 0000000000000000 ]---\n\nIt appears that sometimes it is possible that f2fs_put_super() is called before\nall node page reads are completed.\nAdding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71107",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Handle incorrect num_connectors capability\n\nThe UCSI spec states that the num_connectors field is 7 bits, and the\n8th bit is reserved and should be set to zero.\nSome buggy FW has been known to set this bit, and it can lead to a\nsystem not booting.\nFlag that the FW is not behaving correctly, and auto-fix the value\nso that the system boots correctly.\n\nFound on Lenovo P1 G8 during Linux enablement program. The FW will\nbe fixed, but seemed worth addressing in case it hit platforms that\naren't officially Linux supported.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71108",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits\n\nSince commit e424054000878 (\"MIPS: Tracing: Reduce the overhead of\ndynamic Function Tracer\"), the macro UASM_i_LA_mostly has been used,\nand this macro can generate more than 2 instructions. At the same\ntime, the code in ftrace assumes that no more than 2 instructions can\nbe generated, which is why it stores them in an int[2] array. However,\nas previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)\ncauses a buffer overflow when _mcount is beyond 32 bits. This leads to\ncorruption of the variables located in the __read_mostly section.\n\nThis corruption was observed because the variable\n__cpu_primary_thread_mask was corrupted, causing a hang very early\nduring boot.\n\nThis fix prevents the corruption by avoiding the generation of\ninstructions if they could exceed 2 instructions in\nlength. Fortunately, insn_la_mcount is only used if the instrumented\ncode is located outside the kernel code section, so dynamic ftrace can\nstill be used, albeit in a more limited scope. This is still\npreferable to corrupting memory and/or crashing the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71109",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: reset KASAN tag in defer_free() before accessing freed memory\n\nWhen CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()\nbefore defer_free(). On ARM64 with MTE (Memory Tagging Extension),\nkasan_slab_free() poisons the memory and changes the tag from the\noriginal (e.g., 0xf3) to a poison tag (0xfe).\n\nWhen defer_free() then tries to write to the freed object to build the\ndeferred free list via llist_add(), the pointer still has the old tag,\ncausing a tag mismatch and triggering a KASAN use-after-free report:\n\n  BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537\n  Write at addr f3f000000854f020 by task kworker/u8:6/983\n  Pointer tag: [f3], memory tag: [fe]\n\nFix this by calling kasan_reset_tag() before accessing the freed memory.\nThis is safe because defer_free() is part of the allocator itself and is\nexpected to manipulate freed memory for bookkeeping purposes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71110",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (w83791d) Convert macros to functions to avoid TOCTOU\n\nThe macro FAN_FROM_REG evaluates its arguments multiple times. When used\nin lockless contexts involving shared driver data, this leads to\nTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentially\ncausing divide-by-zero errors.\n\nConvert the macro to a static function. This guarantees that arguments\nare evaluated only once (pass-by-value), preventing the race\nconditions.\n\nAdditionally, in store_fan_div, move the calculation of the minimum\nlimit inside the update lock. This ensures that the read-modify-write\nsequence operates on consistent data.\n\nAdhere to the principle of minimal changes by only converting macros\nthat evaluate arguments multiple times and are used in lockless\ncontexts.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71111",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceiving a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71112",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n'inflight' variable introduced in af_alg_ctx by commit:\n\n  67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n  https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx->inflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71113",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvia_wdt: fix critical boot hang due to unnamed resource allocation\n\nThe VIA watchdog driver uses allocate_resource() to reserve a MMIO\nregion for the watchdog control register. However, the allocated\nresource was not given a name, which causes the kernel resource tree\nto contain an entry marked as \"<BAD>\" under /proc/iomem on x86\nplatforms.\n\nDuring boot, this unnamed resource can lead to a critical hang because\nsubsequent resource lookups and conflict checks fail to handle the\ninvalid entry properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71114",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\num: init cpu_tasks[] earlier\n\nThis is currently done in uml_finishsetup(), but e.g. with\nKCOV enabled we'll crash because some init code can call\ninto e.g. memparse(), which has coverage annotations, and\nthen the checks in check_kcov_mode() crash because current\nis NULL.\n\nSimply initialize the cpu_tasks[] array statically, which\nfixes the crash. For the later SMP work, it seems to have\nnot really caused any problems yet, but initialize all of\nthe entries anyway.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71115",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71116",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Remove queue freezing from several sysfs store callbacks\n\nFreezing the request queue from inside sysfs store callbacks may cause a\ndeadlock in combination with the dm-multipath driver and the\nqueue_if_no_path option. Additionally, freezing the request queue slows\ndown system boot on systems where sysfs attributes are set synchronously.\n\nFix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue()\ncalls from the store callbacks that do not strictly need these callbacks.\nAdd the __data_racy annotation to request_queue.rq_timeout to suppress\nKCSAN data race reports about the rq_timeout reads.\n\nThis patch may cause a small delay in applying the new settings.\n\nFor all the attributes affected by this patch, I/O will complete\ncorrectly whether the old or the new value of the attribute is used.\n\nThis patch affects the following sysfs attributes:\n* io_poll_delay\n* io_timeout\n* nomerges\n* read_ahead_kb\n* rq_affinity\n\nHere is an example of a deadlock triggered by running test srp/002\nif this patch is not applied:\n\ntask:multipathd\nCall Trace:\n <TASK>\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n schedule_preempt_disabled+0x1c/0x30\n __mutex_lock+0xb89/0x1650\n mutex_lock_nested+0x1f/0x30\n dm_table_set_restrictions+0x823/0xdf0\n __bind+0x166/0x590\n dm_swap_table+0x2a7/0x490\n do_resume+0x1b1/0x610\n dev_suspend+0x55/0x1a0\n ctl_ioctl+0x3a5/0x7e0\n dm_ctl_ioctl+0x12/0x20\n __x64_sys_ioctl+0x127/0x1a0\n x64_sys_call+0xe2b/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n </TASK>\ntask:(udev-worker)\nCall Trace:\n <TASK>\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n blk_mq_freeze_queue_wait+0xf2/0x140\n blk_mq_freeze_queue_nomemsave+0x23/0x30\n queue_ra_store+0x14e/0x290\n queue_attr_store+0x23e/0x2c0\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3b2/0x630\n vfs_write+0x4fd/0x1390\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x276/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71117",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid walking the Namespace if start_node is NULL\n\nAlthough commit 0c9992315e73 (\"ACPICA: Avoid walking the ACPI Namespace\nif it is not there\") fixed the situation when both start_node and\nacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed\non Honor Magicbook 14 Pro [1].\n\nThat happens due to the access to the member of parent_node in\nacpi_ns_get_next_node().  The NULL pointer dereference will always\nhappen, no matter whether or not the start_node is equal to\nACPI_ROOT_OBJECT, so move the check of start_node being NULL\nout of the if block.\n\nUnfortunately, all the attempts to contact Honor have failed, they\nrefused to provide any technical support for Linux.\n\nThe bad DSDT table's dump could be found on GitHub [2].\n\nDMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025\n\n[ rjw: Subject adjustment, changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71118",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kexec: Enable SMT before waking offline CPUs\n\nIf SMT is disabled or a partial SMT state is enabled, when a new kernel\nimage is loaded for kexec, on reboot the following warning is observed:\n\nkexec: Waking offline cpu 228.\nWARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc\n[snip]\n NIP kexec_prepare_cpus+0x1b0/0x1bc\n LR  kexec_prepare_cpus+0x1a0/0x1bc\n Call Trace:\n  kexec_prepare_cpus+0x1a0/0x1bc (unreliable)\n  default_machine_kexec+0x160/0x19c\n  machine_kexec+0x80/0x88\n  kernel_kexec+0xd0/0x118\n  __do_sys_reboot+0x210/0x2c4\n  system_call_exception+0x124/0x320\n  system_call_vectored_common+0x15c/0x2ec\n\nThis occurs as add_cpu() fails due to cpu_bootable() returning false for\nCPUs that fail the cpu_smt_thread_allowed() check or non primary\nthreads if SMT is disabled.\n\nFix the issue by enabling SMT and resetting the number of SMT threads to\nthe number of threads per core, before attempting to wake up all present\nCPUs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71119",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token->pages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token->pages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length > 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71120",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Do not reprogram affinity on ASP chip\n\nThe ASP chip is a very old variant of the GSP chip and is used e.g. in\nHP 730 workstations. When trying to reprogram the affinity it will crash\nwith a HPMC as the relevant registers don't seem to be at the usual\nlocation.  Let's avoid the crash by checking the sversion. Also note,\nthat reprogramming isn't necessary either, as the HP730 is just a\nsingle-CPU machine.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71121",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED\n\nsyzkaller found it could overflow math in the test infrastructure and\ncause a WARN_ON by corrupting the reserved interval tree. This only\naffects test kernels with CONFIG_IOMMUFD_TEST.\n\nValidate the user input length in the test ioctl.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71122",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix string copying in parse_apply_sb_mount_options()\n\nstrscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term\nstring of possibly bigger size.  Commit 0efc5990bca5 (\"string.h: Introduce\nmemtostr() and memtostr_pad()\") provides additional information in that\nregard.  So if this happens, the following warning is observed:\n\nstrnlen: detected buffer overflow: 65 byte read of buffer size 64\nWARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nModules linked in:\nCPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nCall Trace:\n <TASK>\n __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039\n strnlen include/linux/fortify-string.h:235 [inline]\n sized_strscpy include/linux/fortify-string.h:309 [inline]\n parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]\n __ext4_fill_super fs/ext4/super.c:5261 [inline]\n ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706\n get_tree_bdev_flags+0x387/0x620 fs/super.c:1636\n vfs_get_tree+0x93/0x380 fs/super.c:1814\n do_new_mount fs/namespace.c:3553 [inline]\n path_mount+0x6ae/0x1f70 fs/namespace.c:3880\n do_mount fs/namespace.c:3893 [inline]\n __do_sys_mount fs/namespace.c:4103 [inline]\n __se_sys_mount fs/namespace.c:4080 [inline]\n __x64_sys_mount+0x280/0x300 fs/namespace.c:4080\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSince userspace is expected to provide s_mount_opts field to be at most 63\ncharacters long with the ending byte being NUL-term, use a 64-byte buffer\nwhich matches the size of s_mount_opts, so that strscpy_pad() does its job\nproperly.  Return with error if the user still managed to provide a\nnon-NUL-term string here.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71123",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: move preempt_prepare_postamble after error check\n\nMove the call to preempt_prepare_postamble() after verifying that\npreempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL,\ndereferencing it in preempt_prepare_postamble() would lead to a crash.\n\nThis change avoids calling the preparation function when the\npostamble allocation has failed, preventing potential NULL pointer\ndereference and ensuring proper error handling.\n\nPatchwork: https://patchwork.freedesktop.org/patch/687659/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71124",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not register unsupported perf events\n\nSynthetic events currently do not have a function to register perf events.\nThis leads to calling the tracepoint register functions with a NULL\nfunction pointer which triggers:\n\n ------------[ cut here ]------------\n WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:tracepoint_add_func+0x357/0x370\n Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f\n RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246\n RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000\n RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8\n RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780\n R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a\n R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78\n FS:  00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  tracepoint_probe_register+0x5d/0x90\n  synth_event_reg+0x3c/0x60\n  perf_trace_event_init+0x204/0x340\n  perf_trace_init+0x85/0xd0\n  perf_tp_event_init+0x2e/0x50\n  perf_try_init_event+0x6f/0x230\n  ? perf_event_alloc+0x4bb/0xdc0\n  perf_event_alloc+0x65a/0xdc0\n  __se_sys_perf_event_open+0x290/0x9f0\n  do_syscall_64+0x93/0x7b0\n  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ? trace_hardirqs_off+0x53/0xc0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInstead, have the code return -ENODEV, which doesn't warn and has perf\nerror out with:\n\n # perf record -e synthetic:futex_wait\nError:\nThe sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).\n\"dmesg | grep -i perf\" may provide additional information.\n\nIdeally perf should support synthetic events, but for now just fix the\nwarning. The support can come later.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71125",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: avoid deadlock on fallback while reinjecting\n\nJakub reported an MPTCP deadlock at fallback time:\n\n WARNING: possible recursive locking detected\n 6.18.0-rc7-virtme #1 Not tainted\n --------------------------------------------\n mptcp_connect/20858 is trying to acquire lock:\n ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280\n\n but task is already holding lock:\n ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&msk->fallback_lock);\n   lock(&msk->fallback_lock);\n\n  *** DEADLOCK ***\n\n  May be due to missing lock nesting notation\n\n 3 locks held by mptcp_connect/20858:\n  #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0\n  #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0\n  #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)\n Hardware name: Bochs, BIOS Bochs 01/01/2011\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x6f/0xa0\n  print_deadlock_bug.cold+0xc0/0xcd\n  validate_chain+0x2ff/0x5f0\n  __lock_acquire+0x34c/0x740\n  lock_acquire.part.0+0xbc/0x260\n  _raw_spin_lock_bh+0x38/0x50\n  __mptcp_try_fallback+0xd8/0x280\n  mptcp_sendmsg_frag+0x16c2/0x3050\n  __mptcp_retrans+0x421/0xaa0\n  mptcp_release_cb+0x5aa/0xa70\n  release_sock+0xab/0x1d0\n  mptcp_sendmsg+0xd5b/0x1bc0\n  sock_write_iter+0x281/0x4d0\n  new_sync_write+0x3c5/0x6f0\n  vfs_write+0x65e/0xbb0\n  ksys_write+0x17e/0x200\n  do_syscall_64+0xbb/0xfd0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7fa5627cbc5e\n Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e\n RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005\n RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920\n R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c\n\nThe packet scheduler could attempt a reinjection after receiving an\nMP_FAIL and before the infinite map has been transmitted, causing a\ndeadlock since MPTCP needs to do the reinjection atomically from WRT\nfallback.\n\nAddress the issue explicitly avoiding the reinjection in the critical\nscenario. Note that this is the only fallback critical section that\ncould potentially send packets and hit the double-lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71126",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Discard Beacon frames to non-broadcast address\n\nBeacon frames are required to be sent to the broadcast address, see IEEE\nStd 802.11-2020, 11.1.3.1 (\"The Address 1 field of the Beacon .. frame\nshall be set to the broadcast address\"). A unicast Beacon frame might be\nused as a targeted attack to get one of the associated STAs to do\nsomething (e.g., using CSA to move it to another channel). As such, it\nis better have strict filtering for this on the received side and\ndiscard all Beacon frames that are sent to an unexpected address.\n\nThis is even more important for cases where beacon protection is used.\nThe current implementation in mac80211 is correctly discarding unicast\nBeacon frames if the Protected Frame bit in the Frame Control field is\nset to 0. However, if that bit is set to 1, the logic used for checking\nfor configured BIGTK(s) does not actually work. If the driver does not\nhave logic for dropping unicast Beacon frames with Protected Frame bit\n1, these frames would be accepted in mac80211 processing as valid Beacon\nframes even though they are not protected. This would allow beacon\nprotection to be bypassed. While the logic for checking beacon\nprotection could be extended to cover this corner case, a more generic\ncheck for discard all Beacon frames based on A1=unicast address covers\nthis without needing additional changes.\n\nAddress all these issues by dropping received Beacon frames if they are\nsent to a non-broadcast address.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71127",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing options.\n\nThe struct ip_tunnel_info has a flexible array member named\noptions that is protected by a counted_by(options_len)\nattribute.\n\nThe compiler will use this information to enforce runtime bounds\nchecking deployed by FORTIFY_SOURCE string helpers.\n\nAs laid out in the GCC documentation, the counter must be\ninitialized before the first reference to the flexible array\nmember.\n\nAfter scanning through the files that use struct ip_tunnel_info\nand also refer to options or options_len, it appears the normal\ncase is to use the ip_tunnel_info_opts_set() helper.\n\nSaid helper would initialize options_len properly before copying\ndata into options, however in the GRE ERSPAN code a partial\nupdate is done, preventing the use of the helper function.\n\nBefore this change the handling of ERSPAN traffic in GRE tunnels\nwould cause a kernel panic when the kernel is compiled with\nGCC 15+ and having FORTIFY_SOURCE configured:\n\nmemcpy: detected buffer overflow: 4 byte write of buffer size 0\n\nCall Trace:\n <IRQ>\n __fortify_panic+0xd/0xf\n erspan_rcv.cold+0x68/0x83\n ? ip_route_input_slow+0x816/0x9d0\n gre_rcv+0x1b2/0x1c0\n gre_rcv+0x8e/0x100\n ? raw_v4_input+0x2a0/0x2b0\n ip_protocol_deliver_rcu+0x1ea/0x210\n ip_local_deliver_finish+0x86/0x110\n ip_local_deliver+0x65/0x110\n ? ip_rcv_finish_core+0xd6/0x360\n ip_rcv+0x186/0x1a0\n\nReported-at: https://launchpad.net/bugs/2129580",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71128",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Sign extend kfunc call arguments\n\nThe kfunc calls are native calls so they should follow LoongArch calling\nconventions. Sign extend its arguments properly to avoid kernel panic.\nThis is done by adding a new emit_abi_ext() helper. The emit_abi_ext()\nhelper performs extension in place meaning a value already store in the\ntarget register (Note: this is different from the existing sign_extend()\nhelper and thus we can't reuse it).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71129",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer\n\nInitialize the eb.vma array with values of 0 when the eb structure is\nfirst set up. In particular, this sets the eb->vma[i].vma pointers to\nNULL, simplifying cleanup and getting rid of the bug described below.\n\nDuring the execution of eb_lookup_vmas(), the eb->vma array is\nsuccessively filled up with struct eb_vma objects. This process includes\ncalling eb_add_vma(), which might fail; however, even in the event of\nfailure, eb->vma[i].vma is set for the currently processed buffer.\n\nIf eb_add_vma() fails, eb_lookup_vmas() returns with an error, which\nprompts a call to eb_release_vmas() to clean up the mess. Since\neb_lookup_vmas() might fail during processing any (possibly not first)\nbuffer, eb_release_vmas() checks whether a buffer's vma is NULL to know\nat what point did the lookup function fail.\n\nIn eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper\nfunction eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is\nset to NULL in case i915_gem_object_userptr_submit_init() fails; the\ncurrent one needs to be cleaned up by eb_release_vmas() at this point,\nso the next one is set. If eb_add_vma() fails, neither the current nor\nthe next vma is set to NULL, which is a source of a NULL deref bug\ndescribed in the issue linked in the Closes tag.\n\nWhen entering eb_lookup_vmas(), the vma pointers are set to the slab\npoison value, instead of NULL. This doesn't matter for the actual\nlookup, since it gets overwritten anyway, however the eb_release_vmas()\nfunction only recognizes NULL as the stopping value, hence the pointers\nare being set to NULL as they go in case of intermediate failure. This\npatch changes the approach to filling them all with NULL at the start\ninstead, rather than handling that manually during failure.\n\n(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71130",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Do not use req->iv after crypto_aead_encrypt\n\nAs soon as crypto_aead_encrypt is called, the underlying request\nmay be freed by an asynchronous completion.  Thus dereferencing\nreq->iv after it returns is invalid.\n\nInstead of checking req->iv against info, create a new variable\nunaligned_info and use it for that purpose instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71131",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc91x: fix broken irq-context in PREEMPT_RT\n\nWhen smc91x.c is built with PREEMPT_RT, the following splat occurs\nin FVP_RevC:\n\n[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000\n[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]\n[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work\n[   13.062266] C\n** replaying previous printk message **\n[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}\n[   13.062353] Hardware name:  , BIOS\n[   13.062382] Workqueue: mld mld_ifc_work\n[   13.062469] Call trace:\n[   13.062494]  show_stack+0x24/0x40 (C)\n[   13.062602]  __dump_stack+0x28/0x48\n[   13.062710]  dump_stack_lvl+0x7c/0xb0\n[   13.062818]  dump_stack+0x18/0x34\n[   13.062926]  process_scheduled_works+0x294/0x450\n[   13.063043]  worker_thread+0x260/0x3d8\n[   13.063124]  kthread+0x1c4/0x228\n[   13.063235]  ret_from_fork+0x10/0x20\n\nThis happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,\nbut smc_special_unlock() does not restore IRQs on PREEMPT_RT.\nThe reason is that smc_special_unlock() calls spin_unlock_irqrestore(),\nand rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke\nrcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.\n\nTo address this issue, replace smc_special_trylock() with spin_trylock_irqsave().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71132",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: avoid invalid read in irdma_net_event\n\nirdma_net_event() should not dereference anything from \"neigh\" (alias\n\"ptr\") until it has checked that the event is NETEVENT_NEIGH_UPDATE.\nOther events come with different structures pointed to by \"ptr\" and they\nmay be smaller than struct neighbour.\n\nMove the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.\n\nThe bug is mostly harmless, but it triggers KASAN on debug kernels:\n\n BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]\n Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Call Trace:\n  <IRQ>\n  dump_stack_lvl+0x60/0xb0\n  print_address_description.constprop.0+0x2c/0x3f0\n  print_report+0xb4/0x270\n  kasan_report+0x92/0xc0\n  irdma_net_event+0x32e/0x3b0 [irdma]\n  notifier_call_chain+0x9e/0x180\n  atomic_notifier_call_chain+0x5c/0x110\n  rt6_do_redirect+0xb91/0x1080\n  tcp_v6_err+0xe9b/0x13e0\n  icmpv6_notify+0x2b2/0x630\n  ndisc_redirect_rcv+0x328/0x530\n  icmpv6_rcv+0xc16/0x1360\n  ip6_protocol_deliver_rcu+0xb84/0x12e0\n  ip6_input_finish+0x117/0x240\n  ip6_input+0xc4/0x370\n  ipv6_rcv+0x420/0x7d0\n  __netif_receive_skb_one_core+0x118/0x1b0\n  process_backlog+0xd1/0x5d0\n  __napi_poll.constprop.0+0xa3/0x440\n  net_rx_action+0x78a/0xba0\n  handle_softirqs+0x2d4/0x9c0\n  do_softirq+0xad/0xe0\n  </IRQ>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71133",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: change all pageblocks migrate type on coalescing\n\nWhen a page is freed it coalesces with a buddy into a higher order page\nwhile possible.  When the buddy page migrate type differs, it is expected\nto be updated to match the one of the page being freed.\n\nHowever, only the first pageblock of the buddy page is updated, while the\nrest of the pageblocks are left unchanged.\n\nThat causes warnings in later expand() and other code paths (like below),\nsince an inconsistency between migration type of the list containing the\npage and the page-owned pageblocks migration types is introduced.\n\n[  308.986589] ------------[ cut here ]------------\n[  308.987227] page type is 0, passed migratetype is 1 (nr=256)\n[  308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270\n[  308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E)\n[  308.987439] Unloaded tainted modules: hmac_s390(E):2\n[  308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G            E       6.18.0-gcc-bpf-debug #431 PREEMPT\n[  308.987657] Tainted: [E]=UNSIGNED_MODULE\n[  308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0)\n[  308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270)\n[  308.987676]            R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[  308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88\n[  308.987688]            0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300\n[  308.987692]            0000000000000008 0000034998d57290 000002be00000100 0000023e00000008\n[  308.987696]            0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0\n[  308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2\tlarl\t%r2,000003499883abd4\n                          00000349976fa5f6: c0e5ffe3f4b5\tbrasl\t%r14,0000034997378f60\n                         #00000349976fa5fc: af000000\t\tmc\t0,0\n                         >00000349976fa600: a7f4ff4c\t\tbrc\t15,00000349976fa498\n                          00000349976fa604: b9040026\t\tlgr\t%r2,%r6\n                          00000349976fa608: c0300088317f\tlarl\t%r3,0000034998800906\n                          00000349976fa60e: c0e5fffdb6e1\tbrasl\t%r14,00000349976b13d0\n                          00000349976fa614: af000000\t\tmc\t0,0\n[  308.987734] Call Trace:\n[  308.987738]  [<00000349976fa600>] expand+0x240/0x270\n[  308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270)\n[  308.987749]  [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940\n[  308.987754]  [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0\n[  308.987759]  [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40\n[  308.987763]  [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0\n[  308.987768]  [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400\n[  308.987774]  [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220\n[  308.987781]  [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0\n[  308.987786]  [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0\n[  308.987791]  [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240\n[  308.987799]  [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210\n[  308.987804]  [<00000349976cb0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71134",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()\n\nThe variable mddev->private is first assigned to conf and then checked:\n\n  conf = mddev->private;\n  if (!conf) ...\n\nIf conf is NULL, then mddev->private is also NULL. In this case,\nnull-pointer dereferences can occur when calling raid5_quiesce():\n\n  raid5_quiesce(mddev, true);\n  raid5_quiesce(mddev, false);\n\nsince mddev->private is assigned to conf again in raid5_quiesce(), and conf\nis dereferenced in several places, for example:\n\n  conf->quiesce = 0;\n  wake_up(&conf->wait_for_quiescent);\n\nTo fix this issue, the function should unlock mddev and return before\ninvoking raid5_quiesce() when conf is NULL, following the existing pattern\nin raid5_change_consistency_policy().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71135",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()\n\nIt's possible for cp_read() and hdmi_read() to return -EIO. Those\nvalues are further used as indexes for accessing arrays.\n\nFix that by checking return values where it's needed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71136",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix \"UBSAN: shift-out-of-bounds error\"\n\nThis patch ensures that the RX ring size (rx_pending) is not\nset below the permitted length. This avoids UBSAN\nshift-out-of-bounds errors when users passes small or zero\nring sizes via ethtool -G.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71137",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add missing NULL pointer check for pingpong interface\n\nIt is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a\nsingle place the check is missing.\nAlso use convenient locals instead of phys_enc->* where available.\n\nPatchwork: https://patchwork.freedesktop.org/patch/693860/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71138",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/kexec: fix IMA when allocation happens in CMA area\n\n*** Bug description ***\n\nWhen I tested kexec with the latest kernel, I ran into the following warning:\n\n[   40.712410] ------------[ cut here ]------------\n[   40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[   40.816047] Call trace:\n[   40.818498]  kimage_map_segment+0x144/0x198 (P)\n[   40.823221]  ima_kexec_post_load+0x58/0xc0\n[   40.827246]  __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[   40.855423] ---[ end trace 0000000000000000 ]---\n\n*** How to reproduce ***\n\nThis bug is only triggered when the kexec target address is allocated in\nthe CMA area. If no CMA area is reserved in the kernel, use the \"cma=\"\noption in the kernel command line to reserve one.\n\n*** Root cause ***\nThe commit 07d24902977e (\"kexec: enable CMA based contiguous\nallocation\") allocates the kexec target address directly on the CMA area\nto avoid copying during the jump. In this case, there is no IND_SOURCE\nfor the kexec segment.  But the current implementation of\nkimage_map_segment() assumes that IND_SOURCE pages exist and map them\ninto a contiguous virtual address by vmap().\n\n*** Solution ***\nIf IMA segment is allocated in the CMA area, use its page_address()\ndirectly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71139",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Use spinlock for context list protection lock\n\nPreviously a mutex was added to protect the encoder and decoder context\nlists from unexpected changes originating from the SCP IP block, causing\nthe context pointer to go invalid, resulting in a NULL pointer\ndereference in the IPI handler.\n\nTurns out on the MT8173, the VPU IPI handler is called from hard IRQ\ncontext. This causes a big warning from the scheduler. This was first\nreported downstream on the ChromeOS kernels, but is also reproducible\non mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though\nthe actual capture format is not supported, the affected code paths\nare triggered.\n\nSince this lock just protects the context list and operations on it are\nvery fast, it should be OK to switch to a spinlock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71140",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tilcdc: Fix removal actions in case of failed probe\n\nThe drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers\nshould only be called when the device has been successfully registered.\nCurrently, these functions are called unconditionally in tilcdc_fini(),\nwhich causes warnings during probe deferral scenarios.\n\n[    7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68\n...\n[    8.005820]  drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108\n[    8.005858]  drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8\n[    8.005885]  drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144\n[    8.005911]  drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]\n[    8.005957]  tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]\n\nFix this by rewriting the failed probe cleanup path using the standard\ngoto error handling pattern, which ensures that cleanup functions are\nonly called on successfully initialized resources. Additionally, remove\nthe now-unnecessary is_registered flag.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71141",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpuset: fix warning when disabling remote partition\n\nA warning was triggered as follows:\n\nWARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110\nRIP: 0010:remote_partition_disable+0xf7/0x110\nRSP: 0018:ffffc90001947d88 EFLAGS: 00000206\nRAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40\nRDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000\nRBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8\nR13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n update_prstate+0x2d3/0x580\n cpuset_partition_write+0x94/0xf0\n kernfs_fop_write_iter+0x147/0x200\n vfs_write+0x35d/0x500\n ksys_write+0x66/0xe0\n do_syscall_64+0x6b/0x390\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f55c8cd4887\n\nReproduction steps (on a 16-CPU machine):\n\n        # cd /sys/fs/cgroup/\n        # mkdir A1\n        # echo +cpuset > A1/cgroup.subtree_control\n        # echo \"0-14\" > A1/cpuset.cpus.exclusive\n        # mkdir A1/A2\n        # echo \"0-14\" > A1/A2/cpuset.cpus.exclusive\n        # echo \"root\" > A1/A2/cpuset.cpus.partition\n        # echo 0 > /sys/devices/system/cpu/cpu15/online\n        # echo member > A1/A2/cpuset.cpus.partition\n\nWhen CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs\nremain available for the top_cpuset, forcing partitions to share CPUs with\nthe top_cpuset. In this scenario, disabling the remote partition triggers\na warning stating that effective_xcpus is not a subset of\nsubpartitions_cpus. Partitions should be invalidated in this case to\ninform users that the partition is now invalid(cpus are shared with\ntop_cpuset).\n\nTo fix this issue:\n1. 
Only emit the warning only if subpartitions_cpus is not empty and the\n   effective_xcpus is not a subset of subpartitions_cpus.\n2. During the CPU hotplug process, invalidate partitions if\n   subpartitions_cpus is empty.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71142",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: exynos-clkout: Assign .num before accessing .hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)\nabout the number of elements in .hws[], so that it can warn when .hws[]\nis accessed out of bounds. As noted in that change, the __counted_by\nmember must be initialized with the number of elements before the first\narray access happens, otherwise there will be a warning from each access\nprior to the initialization because the number of elements is zero. This\noccurs in exynos_clkout_probe() due to .num being assigned after .hws[]\nhas been accessed:\n\n  UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18\n  index 0 is out of range for type 'clk_hw *[*]'\n\nMove the .num initialization to before the first access of .hws[],\nclearing up the warning.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71143",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure context reset on disconnect()\n\nAfter the blamed commit below, if the MPC subflow is already in TCP_CLOSE\nstatus or has fallback to TCP at mptcp_disconnect() time,\nmptcp_do_fastclose() skips setting the `send_fastclose flag` and the later\n__mptcp_close_ssk() does not reset anymore the related subflow context.\n\nAny later connection will be created with both the `request_mptcp` flag\nand the msk-level fallback status off (it is unconditionally cleared at\nMPTCP disconnect time), leading to a warning in subflow_data_ready():\n\n  WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Modules linked in:\n  CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)\n  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n  RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))\n  Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09\n  RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435\n  RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005\n  RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b\n  R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000\n  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  FS:  00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   tcp_data_ready (net/ipv4/tcp_input.c:5356)\n   tcp_data_queue (net/ipv4/tcp_input.c:5445)\n   tcp_rcv_state_process 
(net/ipv4/tcp_input.c:7165)\n   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)\n   __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))\n   release_sock (net/core/sock.c:3737)\n   mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)\n   inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))\n   __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))\n   __x64_sys_sendto (net/socket.c:2247)\n   do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  RIP: 0033:0x7f883326702d\n\nAddress the issue setting an explicit `fastclosing` flag at fastclose\ntime, and checking such flag after mptcp_do_fastclose().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71144",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.5"
        },
        {
          "id": "CVE-2025-71145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: isp1301: fix non-OF device reference imbalance\n\nA recent change fixing a device reference leak in a UDC driver\nintroduced a potential use-after-free in the non-OF case as the\nisp1301_get_client() helper only increases the reference count for the\nreturned I2C device in the OF case.\n\nIncrement the reference count also for non-OF so that the caller can\ndecrement it unconditionally.\n\nNote that this is inherently racy just as using the returned I2C device\nis since nothing is preventing the PHY driver from being unbound while\nin use.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71145"
        },
        {
          "id": "CVE-2025-71146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: fix leaked ct in error paths\n\nThere are some situations where ct might be leaked as error paths are\nskipping the refcounted check and return immediately. In order to solve\nit make sure that the check is always called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71146",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.3"
        },
        {
          "id": "CVE-2025-71147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix a memory leak in tpm2_load_cmd\n\n'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'\nbut it is not freed in the failure paths. Address this by wrapping the blob\ninto with a cleanup helper.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71147",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: restore destructor on submit failure\n\nhandshake_req_submit() replaces sk->sk_destruct but never restores it when\nsubmission fails before the request is hashed. handshake_sk_destruct() then\nreturns early and the original destructor never runs, leaking the socket.\nRestore sk_destruct on the error path.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71148",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix refcount leak when invalid session is found on session lookup\n\nWhen a session is found but its state is not SMB2_SESSION_VALID, It\nindicates that no valid session was found, but it is missing to decrement\nthe reference count acquired by the session lookup, which results in\na reference count leak. This patch fixes the issue by explicitly calling\nksmbd_user_session_put to release the reference to the session.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71150",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory and information leak in smb3_reconfigure()\n\nIn smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the\nfunction returns immediately without freeing and erasing the newly\nallocated new_password and new_password2. This causes both a memory leak\nand a potential information leak.\n\nFix this by calling kfree_sensitive() on both password buffers before\nreturning in this error case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71151",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.3"
        },
        {
          "id": "CVE-2025-71152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: properly keep track of conduit reference\n\nProblem description\n-------------------\n\nDSA has a mumbo-jumbo of reference handling of the conduit net device\nand its kobject which, sadly, is just wrong and doesn't make sense.\n\nThere are two distinct problems.\n\n1. The OF path, which uses of_find_net_device_by_node(), never releases\n   the elevated refcount on the conduit's kobject. Nominally, the OF and\n   non-OF paths should result in objects having identical reference\n   counts taken, and it is already suspicious that\n   dsa_dev_to_net_device() has a put_device() call which is missing in\n   dsa_port_parse_of(), but we can actually even verify that an issue\n   exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command\n   \"before\" and \"after\" applying this patch:\n\n(unbind the conduit driver for net device eno2)\necho 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind\n\nwe see these lines in the output diff which appear only with the patch\napplied:\n\nkobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)\nkobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)\n\n2. After we find the conduit interface one way (OF) or another (non-OF),\n   it can get unregistered at any time, and DSA remains with a long-lived,\n   but in this case stale, cpu_dp->conduit pointer. Holding the net\n   device's underlying kobject isn't actually of much help, it just\n   prevents it from being freed (but we never need that kobject\n   directly). 
What helps us to prevent the net device from being\n   unregistered is the parallel netdev reference mechanism (dev_hold()\n   and dev_put()).\n\nActually we actually use that netdev tracker mechanism implicitly on\nuser ports since commit 2f1e8ea726e9 (\"net: dsa: link interfaces with\nthe DSA master to get rid of lockdep warnings\"), via netdev_upper_dev_link().\nBut time still passes at DSA switch probe time between the initial\nof_find_net_device_by_node() code and the user port creation time, time\nduring which the conduit could unregister itself and DSA wouldn't know\nabout it.\n\nSo we have to run of_find_net_device_by_node() under rtnl_lock() to\nprevent that from happening, and release the lock only with the netdev\ntracker having acquired the reference.\n\nDo we need to keep the reference until dsa_unregister_switch() /\ndsa_switch_shutdown()?\n1: Maybe yes. A switch device will still be registered even if all user\n   ports failed to probe, see commit 86f8b1c01a0a (\"net: dsa: Do not\n   make user port errors fatal\"), and the cpu_dp->conduit pointers\n   remain valid.  I haven't audited all call paths to see whether they\n   will actually use the conduit in lack of any user port, but if they\n   do, it seems safer to not rely on user ports for that reference.\n2. Definitely yes. We support changing the conduit which a user port is\n   associated to, and we can get into a situation where we've moved all\n   user ports away from a conduit, thus no longer hold any reference to\n   it via the net device tracker. But we shouldn't let it go nonetheless\n   - see the next change in relation to dsa_tree_find_first_conduit()\n   and LAG conduits which disappear.\n   We have to be prepared to return to the physical conduit, so the CPU\n   port must explicitly keep another reference to it. 
This is also to\n   say: the user ports and their CPU ports may not always keep a\n   reference to the same conduit net device, and both are needed.\n\nAs for the conduit's kobject for the /sys/class/net/ entry, we don't\ncare about it, we can release it as soon as we hold the net device\nobject itself.\n\nHistory and blame attribution\n-----------------------------\n\nThe code has been refactored so many times, it is very difficult to\nfollow and properly attribute a blame, but I'll try to make a short\nhistory which I hope to be correct.\n\nWe have two distinct probing paths:\n- one for OF, introduced in 2016 i\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71152",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix memory leak in get_file_all_info()\n\nIn get_file_all_info(), if vfs_getattr() fails, the function returns\nimmediately without freeing the allocated filename, leading to a memory\nleak.\n\nFix this by freeing the filename before returning in this error case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71153",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n  async_req structure and URB are not freed, causing a memory leak.\n\n  The completion callback async_set_reg_cb() is responsible for freeing\n  these allocations, but it is only called after the URB is successfully\n  submitted and completes (successfully or with error). If submission\n  fails, the callback never runs and the memory is leaked.\n\n  Fix this by freeing both the URB and the request structure in the error\n  path when usb_submit_urb() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71154",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: Fix gmap_helper_zap_one_page() again\n\nA few checks were missing in gmap_helper_zap_one_page(), which can lead\nto memory corruption in the guest under specific circumstances.\n\nAdd the missing checks.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71155",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: defer interrupt enabling until NAPI registration\n\nCurrently, interrupts are automatically enabled immediately upon\nrequest. This allows interrupt to fire before the associated NAPI\ncontext is fully initialized and cause failures like below:\n\n[    0.946369] Call Trace:\n[    0.946369]  <IRQ>\n[    0.946369]  __napi_poll+0x2a/0x1e0\n[    0.946369]  net_rx_action+0x2f9/0x3f0\n[    0.946369]  handle_softirqs+0xd6/0x2c0\n[    0.946369]  ? handle_edge_irq+0xc1/0x1b0\n[    0.946369]  __irq_exit_rcu+0xc3/0xe0\n[    0.946369]  common_interrupt+0x81/0xa0\n[    0.946369]  </IRQ>\n[    0.946369]  <TASK>\n[    0.946369]  asm_common_interrupt+0x22/0x40\n[    0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10\n\nUse the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto\nenablement and explicitly enable the interrupt in NAPI initialization\npath (and disable it during NAPI teardown).\n\nThis ensures that interrupt lifecycle is strictly coupled with\nreadiness of NAPI context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71156",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: always drop device refcount in ib_del_sub_device_and_put()\n\nSince nldev_deldev() (introduced by commit 060c642b2ab8 (\"RDMA/nldev: Add\nsupport to add/delete a sub IB device through netlink\") grabs a reference\nusing ib_device_get_by_index() before calling ib_del_sub_device_and_put(),\nwe need to drop that reference before returning -EOPNOTSUPP error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71157",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.4"
        },
        {
          "id": "CVE-2025-71158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: ensure worker is torn down\n\nWhen an IRQ worker is running, unplugging the device would cause a\ncrash. The sealevel hardware this driver was written for was not\nhotpluggable, so I never realized it.\n\nThis change uses a spinlock to protect a list of workers, which\nit tears down on disconnect.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71158",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()\n\nPreviously, btrfs_get_or_create_delayed_node() set the delayed_node's\nrefcount before acquiring the root->delayed_nodes lock.\nCommit e8513c012de7 (\"btrfs: implement ref_tracker for delayed_nodes\")\nmoved refcount_set inside the critical section, which means there is\nno longer a memory barrier between setting the refcount and setting\nbtrfs_inode->delayed_node.\n\nWithout that barrier, the stores to node->refs and\nbtrfs_inode->delayed_node may become visible out of order. Another\nthread can then read btrfs_inode->delayed_node and attempt to\nincrement a refcount that hasn't been set yet, leading to a\nrefcounting bug and a use-after-free warning.\n\nThe fix is to move refcount_set back to where it was to take\nadvantage of the implicit memory barrier provided by lock\nacquisition.\n\nBecause the allocations now happen outside of the lock's critical\nsection, they can use GFP_NOFS instead of GFP_ATOMIC.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71159",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: avoid chain re-validation if possible\n\nHamza Mahfooz reports cpu soft lock-ups in\nnft_chain_validate():\n\n watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]\n[..]\n RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]\n[..]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_immediate_validate+0x36/0x50 [nf_tables]\n  nft_chain_validate+0xc9/0x110 [nf_tables]\n  nft_table_validate+0x6b/0xb0 [nf_tables]\n  nf_tables_validate+0x8b/0xa0 [nf_tables]\n  nf_tables_commit+0x1df/0x1eb0 [nf_tables]\n[..]\n\nCurrently nf_tables will traverse the entire table (chain graph), starting\nfrom the entry points (base chains), exploring all possible paths\n(chain jumps).  But there are cases where we could avoid revalidation.\n\nConsider:\n1  input -> j2 -> j3\n2  input -> j2 -> j3\n3  input -> j1 -> j2 -> j3\n\nThen the second rule does not need to revalidate j2, and, by extension j3,\nbecause this was already checked during validation of the first rule.\nWe need to validate it only for rule 3.\n\nThis is needed because chain loop detection also ensures we do not exceed\nthe jump stack: Just because we know that j2 is cycle free, its last jump\nmight now exceed the allowed stack size.  
We also need to update all\nreachable chains with the new largest observed call depth.\n\nCare has to be taken to revalidate even if the chain depth won't be an\nissue: chain validation also ensures that expressions are not called from\ninvalid base chains.  For example, the masquerade expression can only be\ncalled from NAT postrouting base chains.\n\nTherefore we also need to keep record of the base chain context (type,\nhooknum) and revalidate if the chain becomes reachable from a different\nhook location.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71160",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the 'D' state.\n\n2. It doesn't work. In fec_read_bufs we store data into the variable\n\"fio->bufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio->bufs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71161",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n  1. DMA transfer completes, triggering an interrupt that schedules the\n     completion tasklet (tasklet has not executed yet)\n  2. Audio playback stops, calling tegra_adma_terminate_all() which\n     frees the DMA buffer memory via kfree()\n  3. The scheduled tasklet finally executes, calling vchan_complete()\n     which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n   descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n   vchan_synchronize() which kills any pending tasklets and frees any\n   terminated descriptors.\n\nCrash logs:\n[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[  337.427562] Call trace:\n[  337.427564]  dump_backtrace+0x0/0x320\n[  337.427571]  show_stack+0x20/0x30\n[  337.427575]  dump_stack_lvl+0x68/0x84\n[  337.427584]  print_address_description.constprop.0+0x74/0x2b8\n[  337.427590]  kasan_report+0x1f4/0x210\n[  337.427598]  __asan_load8+0xa0/0xd0\n[  337.427603]  vchan_complete+0x124/0x3b0\n[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0\n[  337.427617]  tasklet_action+0x30/0x40\n[  337.427623]  __do_softirq+0x1a0/0x5c4\n[  
337.427628]  irq_exit+0x110/0x140\n[  337.427633]  handle_domain_irq+0xa4/0xe0\n[  337.427640]  gic_handle_irq+0x64/0x160\n[  337.427644]  call_on_irq_stack+0x20/0x4c\n[  337.427649]  do_interrupt_handler+0x7c/0x90\n[  337.427654]  el1_interrupt+0x30/0x80\n[  337.427659]  el1h_64_irq_handler+0x18/0x30\n[  337.427663]  el1h_64_irq+0x7c/0x80\n[  337.427667]  cpuidle_enter_state+0xe4/0x540\n[  337.427674]  cpuidle_enter+0x54/0x80\n[  337.427679]  do_idle+0x2e0/0x380\n[  337.427685]  cpu_startup_entry+0x2c/0x70\n[  337.427690]  rest_init+0x114/0x130\n[  337.427695]  arch_call_rest_init+0x18/0x24\n[  337.427702]  start_kernel+0x380/0x3b4\n[  337.427706]  __primary_switched+0xc0/0xc8",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71162",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix device leaks on compat bind and unbind\n\nMake sure to drop the reference taken when looking up the idxd device as\npart of the compat bind and unbind sysfs interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71163",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: interrupt-cnt: Drop IRQF_NO_THREAD flag\n\nAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as\nCONFIG_PROVE_RAW_LOCK_NESTING warns:\n=============================\n[ BUG: Invalid wait context ]\n6.18.0-rc1+git... #1\n-----------------------------\nsome-user-space-process/1251 is trying to lock:\n(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]\nother info that might help us debug this:\ncontext-{2:2}\nno locks held by some-user-space-process/....\nstack backtrace:\nCPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT\nCall trace:\n show_stack (C)\n dump_stack_lvl\n dump_stack\n __lock_acquire\n lock_acquire\n _raw_spin_lock_irqsave\n counter_push_event [counter]\n interrupt_cnt_isr [interrupt_cnt]\n __handle_irq_event_percpu\n handle_irq_event\n handle_simple_irq\n handle_irq_desc\n generic_handle_domain_irq\n gpio_irq_handler\n handle_irq_desc\n generic_handle_domain_irq\n gic_handle_irq\n call_on_irq_stack\n do_interrupt_handler\n el0_interrupt\n __el0_irq_handler_common\n el0t_64_irq_handler\n el0t_64_irq\n\n... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an\nalternative to switching to raw_spinlock_t, because the latter would limit\nall potential nested locks to raw_spinlock_t only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71180",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: remove spin_lock() in rust_shrink_free_page()\n\nWhen forward-porting Rust Binder to 6.18, I neglected to take commit\nfb56fdf8b9a2 (\"mm/list_lru: split the lock to per-cgroup scope\") into\naccount, and apparently I did not end up running the shrinker callback\nwhen I sanity tested the driver before submission. This leads to crashes\nlike the following:\n\n\t============================================\n\tWARNING: possible recursive locking detected\n\t6.18.0-mainline-maybe-dirty #1 Tainted: G          IO\n\t--------------------------------------------\n\tkswapd0/68 is trying to acquire lock:\n\tffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230\n\n\tbut task is already holding lock:\n\tffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20\n\n\tother info that might help us debug this:\n\t Possible unsafe locking scenario:\n\n\t       CPU0\n\t       ----\n\t  lock(&l->lock);\n\t  lock(&l->lock);\n\n\t *** DEADLOCK ***\n\n\t May be due to missing lock nesting notation\n\n\t3 locks held by kswapd0/68:\n\t #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160\n\t #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20\n\t #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230\n\nTo fix this, remove the spin_lock() call from rust_shrink_free_page().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71181",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: make j1939_session_activate() fail if device is no longer registered\n\nsyzbot is still reporting\n\n  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\neven after commit 93a27b5891b8 (\"can: j1939: add missing calls in\nNETDEV_UNREGISTER notification handler\") was added. A debug printk() patch\nfound that j1939_session_activate() can succeed even after\nj1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)\nhas completed.\n\nSince j1939_cancel_active_session() is processed with the session list lock\nheld, checking ndev->reg_state in j1939_session_activate() with the session\nlist lock held can reliably close the race window.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71182",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always detect conflicting inodes when logging inode refs\n\nAfter rename exchanging (either with the rename exchange operation or\nregular renames in multiple non-atomic steps) two inodes and at least\none of them is a directory, we can end up with a log tree that contains\nonly of the inodes and after a power failure that can result in an attempt\nto delete the other inode when it should not because it was not deleted\nbefore the power failure. In some case that delete attempt fails when\nthe target inode is a directory that contains a subvolume inside it, since\nthe log replay code is not prepared to deal with directory entries that\npoint to root items (only inode items).\n\n1) We have directories \"dir1\" (inode A) and \"dir2\" (inode B) under the\n   same parent directory;\n\n2) We have a file (inode C) under directory \"dir1\" (inode A);\n\n3) We have a subvolume inside directory \"dir2\" (inode B);\n\n4) All these inodes were persisted in a past transaction and we are\n   currently at transaction N;\n\n5) We rename the file (inode C), so at btrfs_log_new_name() we update\n   inode C's last_unlink_trans to N;\n\n6) We get a rename exchange for \"dir1\" (inode A) and \"dir2\" (inode B),\n   so after the exchange \"dir1\" is inode B and \"dir2\" is inode A.\n   During the rename exchange we call btrfs_log_new_name() for inodes\n   A and B, but because they are directories, we don't update their\n   last_unlink_trans to N;\n\n7) An fsync against the file (inode C) is done, and because its inode\n   has a last_unlink_trans with a value of N we log its parent directory\n   (inode A) (through btrfs_log_all_parents(), called from\n   btrfs_log_inode_parent()).\n\n8) So we end up with inode B not logged, which now has the old name\n   of inode A. At copy_inode_items_to_log(), when logging inode A, we\n   did not check if we had any conflicting inode to log because inode\n   A has a generation lower than the current transaction (created in\n   a past transaction);\n\n9) After a power failure, when replaying the log tree, since we find that\n   inode A has a new name that conflicts with the name of inode B in the\n   fs tree, we attempt to delete inode B... this is wrong since that\n   directory was never deleted before the power failure, and because there\n   is a subvolume inside that directory, attempting to delete it will fail\n   since replay_dir_deletes() and btrfs_unlink_inode() are not prepared\n   to deal with dir items that point to roots instead of inodes.\n\n   When that happens the mount fails and we get a stack trace like the\n   following:\n\n   [87.2314] BTRFS info (device dm-0): start tree-log replay\n   [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259\n   [87.2332] ------------[ cut here ]------------\n   [87.2338] BTRFS: Transaction aborted (error -2)\n   [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]\n   [87.2368] Modules linked in: btrfs loop dm_thin_pool (...)\n   [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G        W           6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)\n   [87.2489] Tainted: [W]=WARN\n   [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n   [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]\n   [87.2538] Code: c0 89 04 24 (...)\n   [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286\n   [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000\n   [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff\n   [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840\n   [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0\n   [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10\n   [87.2618] FS:  00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000\n   [87.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71183",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix NULL dereference on root when tracing inode eviction\n\nWhen evicting an inode the first thing we do is to setup tracing for it,\nwhich implies fetching the root's id. But in btrfs_evict_inode() the\nroot might be NULL, as implied in the next check that we do in\nbtrfs_evict_inode().\n\nHence, we either should set the ->root_objectid to 0 in case the root is\nNULL, or we move tracing setup after checking that the root is not\nNULL. Setting the rootid to 0 at least gives us the possibility to trace\nthis call even in the case when the root is NULL, so that's the solution\ntaken here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71184",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\n\nMake sure to drop the reference taken when looking up the crossbar\nplatform device during am335x route allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71185",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: stm32: dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71186",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sh: rz-dmac: fix device leak on probe failure\n\nMake sure to drop the reference taken when looking up the ICU device\nduring probe also on probe failures (e.g. probe deferral).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71187",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71188",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\n\nMake sure to drop the reference taken to the DMA master OF node also on\nlate route allocation failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71189",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: bcm-sba-raid: fix device leak on probe\n\nMake sure to drop the reference taken when looking up the mailbox device\nduring probe on probe failures and on driver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71190",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\n\nMake sure to drop the reference taken when looking up the DMA platform\ndevice during of_dma_xlate() when releasing channel resources.\n\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\nerror paths but the reference is still leaking on successful allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71191",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ac97: fix a double free in snd_ac97_controller_register()\n\nIf ac97_add_adapter() fails, put_device() is the correct way to drop\nthe device reference. kfree() is not required.\nAdd kfree() if idr_alloc() fails and in ac97_adapter_release() to do\nthe cleanup.\n\nFound by code review.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71192",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qusb2: Fix NULL pointer dereference on early suspend\n\nEnabling runtime PM before attaching the QPHY instance as driver data\ncan lead to a NULL pointer dereference in runtime PM callbacks that\nexpect valid driver data. There is a small window where the suspend\ncallback may run after PM runtime enabling and before runtime forbid.\nThis causes a sporadic crash during boot:\n\n```\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a1\n[...]\nCPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT\nWorkqueue: pm pm_runtime_work\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]\nlr : pm_generic_runtime_suspend+0x2c/0x44\n[...]\n```\n\nAttach the QPHY instance as driver data before enabling runtime PM to\nprevent NULL pointer dereference in runtime PM callbacks.\n\nReorder pm_runtime_enable() and pm_runtime_forbid() to prevent a\nshort window where an unnecessary runtime suspend can occur.\n\nUse the devres-managed version to ensure PM runtime is symmetrically\ndisabled during driver removal for proper cleanup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71193",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\n\nWhen wait_current_trans() is called during start_transaction(), it\ncurrently waits for a blocked transaction without considering whether\nthe given transaction type actually needs to wait for that particular\ntransaction state. The btrfs_blocked_trans_types[] array already defines\nwhich transaction types should wait for which transaction states, but\nthis check was missing in wait_current_trans().\n\nThis can lead to a deadlock scenario involving two transactions and\npending ordered extents:\n\n  1. Transaction A is in TRANS_STATE_COMMIT_DOING state\n\n  2. A worker processing an ordered extent calls start_transaction()\n     with TRANS_JOIN\n\n  3. join_transaction() returns -EBUSY because Transaction A is in\n     TRANS_STATE_COMMIT_DOING\n\n  4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\n\n  5. A new Transaction B is created (TRANS_STATE_RUNNING)\n\n  6. The ordered extent from step 2 is added to Transaction B's\n     pending ordered extents\n\n  7. Transaction B immediately starts commit by another task and\n     enters TRANS_STATE_COMMIT_START\n\n  8. The worker finally reaches wait_current_trans(), sees Transaction B\n     in TRANS_STATE_COMMIT_START (a blocked state), and waits\n     unconditionally\n\n  9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\n     according to btrfs_blocked_trans_types[]\n\n  10. Transaction B is waiting for pending ordered extents to complete\n\n  11. Deadlock: Transaction B waits for ordered extent, ordered extent\n      waits for Transaction B\n\nThis can be illustrated by the following call stacks:\n  CPU0                              CPU1\n                                    btrfs_finish_ordered_io()\n                                      start_transaction(TRANS_JOIN)\n                                        join_transaction()\n                                          # -EBUSY (Transaction A is\n                                          # TRANS_STATE_COMMIT_DOING)\n  # Transaction A completes\n  # Transaction B created\n  # ordered extent added to\n  # Transaction B's pending list\n  btrfs_commit_transaction()\n    # Transaction B enters\n    # TRANS_STATE_COMMIT_START\n    # waiting for pending ordered\n    # extents\n                                        wait_current_trans()\n                                          # waits for Transaction B\n                                          # (should not wait!)\n\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\nextents:\n\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\n  btrfs_sync_file+0x342/0x4d0 [btrfs]\n  __x64_sys_fdatasync+0x4b/0x80\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTask kworker in wait_current_trans waiting for transaction commit:\n\n  Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  wait_current_trans+0xb0/0x110 [btrfs]\n  start_transaction+0x346/0x5b0 [btrfs]\n  btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\n  btrfs_work_helper+0xe8/0x350 [btrfs]\n  process_one_work+0x1d3/0x3c0\n  worker_thread+0x4d/0x3e0\n  kthread+0x12d/0x150\n  ret_from_fork+0x1f/0x30\n\nFix this by passing the transaction type to wait_current_trans() and\nchecking btrfs_blocked_trans_types[cur_trans->state] against the given\ntype before deciding to wait. This ensures that transaction types which\nare allowed to join during certain blocked states will not unnecessarily\nwait and cause deadlocks.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71194",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: xilinx: xdma: Fix regmap max_register\n\nThe max_register field is assigned the size of the register memory\nregion instead of the offset of the last register.\nThe result is that reading from the regmap via debugfs can cause\na segmentation fault:\n\ntail /sys/kernel/debug/regmap/xdma.1.auto/registers\nUnable to handle kernel paging request at virtual address ffff800082f70000\nMem abort info:\n  ESR = 0x0000000096000007\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x07: level 3 translation fault\n[...]\nCall trace:\n regmap_mmio_read32le+0x10/0x30\n _regmap_bus_reg_read+0x74/0xc0\n _regmap_read+0x68/0x198\n regmap_read+0x54/0x88\n regmap_read_debugfs+0x140/0x380\n regmap_map_read_file+0x30/0x48\n full_proxy_read+0x68/0xc8\n vfs_read+0xcc/0x310\n ksys_read+0x7c/0x120\n __arm64_sys_read+0x24/0x40\n invoke_syscall.constprop.0+0x64/0x108\n do_el0_svc+0xb0/0xd8\n el0_svc+0x38/0x130\n el0t_64_sync_handler+0x120/0x138\n el0t_64_sync+0x194/0x198\nCode: aa1e03e9 d503201f f9400000 8b214000 (b9400000)\n---[ end trace 0000000000000000 ]---\nnote: tail[1217] exited with irqs disabled\nnote: tail[1217] exited with preempt_count 1\nSegmentation fault",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71195",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: stm32-usphyc: Fix off by one in probe()\n\nThe \"index\" variable is used as an index into the usbphyc->phys[] array\nwhich has usbphyc->nphys elements.  So if it is equal to usbphyc->nphys\nthen it is one element out of bounds.  The \"index\" comes from the\ndevice tree so it's data that we trust and it's unlikely to be wrong,\nhowever it's obviously still worth fixing the bug.  Change the > to >=.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71196",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with 'size + 1'\nbytes and a NUL terminator is appended. However, the 'size' argument\ndoes not account for this extra byte. The original code then allocated\n'size' bytes and used strcpy() to copy 'buf', which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index 'size'.\n\nFix this by parsing the 'buf' parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71197",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2025-71198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection\n\nThe st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL\nevent_spec field, indicating support for IIO events. However, event\ndetection is not supported for all sensors, and if userspace tries to\nconfigure accelerometer wakeup events on a sensor device that does not\nsupport them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL\npointer when trying to write to the wakeup register.\nDefine an additional struct iio_chan_spec array whose members have a NULL\nevent_spec field, and use this array instead of st_lsm6dsx_acc_channels for\nsensors without event detection capability.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71198",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2025-71199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver\n\nat91_adc_interrupt can call at91_adc_touch_data_handler function\nto start the work by schedule_work(&st->touch_st.workq).\n\nIf we remove the module which will call at91_adc_remove to\nmake cleanup, it will free indio_dev through iio_device_unregister but\nquite a bit later. While the work mentioned above will be used. The\nsequence of operations that may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | at91_adc_workq_handler\nat91_adc_remove                      |\niio_device_unregister(indio_dev)     |\n//free indio_dev a bit later         |\n                                     | iio_push_to_buffers(indio_dev)\n                                     | //use indio_dev\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in at91_adc_remove.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71199",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2025-71200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode\n\nWhen operating in HS200 or HS400 timing modes, reducing the clock frequency\nbelow 52MHz will lead to link broken as the Rockchip DWC MSHC controller\nrequires maintaining a minimum clock of 52MHz in these modes.\n\nAdd a check to prevent illegal clock reduction through debugfs:\n\nroot@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock\nroot@debian:/# [   30.090146] mmc0: running CQE recovery\nmmc0: cqhci: Failed to halt\nmmc0: cqhci: spurious TCN for tag 0\nWARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24\nModules linked in:\nCPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT\nHardware name: Rockchip RK3588 EVB1 V10 Board (DT)\nWorkqueue: kblockd blk_mq_run_work_fn\npstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : cqhci_irq+0x254/0x818\nlr : cqhci_irq+0x254/0x818\n...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71200",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2025-71201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix early read unlock of page with EOF in middle\n\nThe read result collection for buffered reads seems to run ahead of the\ncompletion of subrequests under some circumstances, as can be seen in the\nfollowing log snippet:\n\n    9p_client_res: client 18446612686390831168 response P9_TREAD tag  0 err 0\n    ...\n    netfs_sreq: R=00001b55[1] DOWN TERM  f=192 s=0 5fb2/5fb2 s=5 e=0\n    ...\n    netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2\n    netfs_folio: i=157f3 ix=00004-00004 read-done\n    netfs_folio: i=157f3 ix=00004-00004 read-unlock\n    netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2\n    netfs_folio: i=157f3 ix=00005-00005 read-done\n    netfs_folio: i=157f3 ix=00005-00005 read-unlock\n    ...\n    netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\n    netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c\n    netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff\n    netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8\n    ...\n    netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0\n    netfs_sreq: R=00001b55[2] ZERO TERM  f=102 s=5fb2 4e/4e s=5 e=0\n\nThe 'cto=5fb2' indicates the collected file pos we've collected results to\nso far - but we still have 0x4e more bytes to go - so we shouldn't have\ncollected folio ix=00005 yet.  The 'ZERO' subreq that clears the tail\nhappens after we unlock the folio, allowing the application to see the\nuncleared tail through mmap.\n\nThe problem is that netfs_read_unlock_folios() will unlock a folio in which\nthe amount of read results collected hits EOF position - but the ZERO\nsubreq lies beyond that and so happens after.\n\nFix this by changing the end check to always be the end of the folio and\nnever the end of the file.\n\nIn the future, I should look at clearing to the end of the folio here rather\nthan adding a ZERO subreq to do this.  On the other hand, the ZERO subreq can\nrun in parallel with an async READ subreq.  Further, the ZERO subreq may still\nbe necessary to, say, handle extents in a ceph file that don't have any\nbacking store and are thus implicitly all zeros.\n\nThis can be reproduced by creating a file, the size of which doesn't align\nto a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something\nlike:\n\n    xfs_io -c \"mmap -r 0 0x6000\" -c \"madvise -d 0 0x6000\" \\\n           -c \"mread -v 0 0x6000\" /xfstest.test/x\n\nThe last 0x4e bytes should all be 00, but if the tail hasn't been cleared\nyet, you may see rubbish there.  This can be reproduced with kafs by\nmodifying the kernel to disable the call to netfs_read_subreq_progress()\nand to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.\nReproduction can be made easier by inserting an mdelay(100) in\nnetfs_issue_read() for the ZERO-subreq case.\n\nAFS and CIFS are normally unlikely to show this as they dispatch READ ops\nasynchronously, which allows the ZERO-subreq to finish first.  9P's READ op is\ncompletely synchronous, so the ZERO-subreq will always happen after.  It isn't\nseen all the time, though, because the collection may be done in a worker\nthread.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71201",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2025-71202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sva: invalidate stale IOTLB entries for kernel address space\n\nIntroduce a new IOMMU interface to flush IOTLB paging cache entries for\nthe CPU kernel address space.  This interface is invoked from the x86\narchitecture code that manages combined user and kernel page tables,\nspecifically before any kernel page table page is freed and reused.\n\nThis addresses the main issue with vfree() which is a common occurrence\nand can be triggered by unprivileged users.  While this resolves the\nprimary problem, it doesn't address some extremely rare case related to\nmemory unplug of memory that was present as reserved memory at boot, which\ncannot be triggered by unprivileged users.  The discussion can be found at\nthe link below.\n\nEnable SVA on x86 architecture since the IOMMU can now receive\nnotification to flush the paging cache before freeing the CPU kernel page\ntable pages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71202",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2025-71203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sanitize syscall table indexing under speculation\n\nThe syscall number is a user-controlled value used to index into the\nsyscall table. Use array_index_nospec() to clamp this value after the\nbounds check to prevent speculative out-of-bounds access and subsequent\ndata leakage via cache side channels.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71203",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix refcount leak in parse_durable_handle_context()\n\nWhen the command is a replay operation and -ENOEXEC is returned,\nthe refcount of ksmbd_file must be released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71204",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()\n\nWhen ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71220",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()\n\nAdd proper locking in mmp_pdma_residue() to prevent use-after-free when\naccessing descriptor list and descriptor contents.\n\nThe race occurs when multiple threads call tx_status() while the tasklet\non another CPU is freeing completed descriptors:\n\nCPU 0                              CPU 1\n-----                              -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n  -> NO LOCK held\n     list_for_each_entry(sw, ..)\n                                   DMA interrupt\n                                   dma_do_tasklet()\n                                     -> spin_lock(&desc_lock)\n                                        list_move(sw->node, ...)\n                                        spin_unlock(&desc_lock)\n  |                                     dma_pool_free(sw) <- FREED!\n  -> access sw->desc <- UAF!\n\nThis issue can be reproduced when running dmatest on the same channel with\nmultiple threads (threads_per_chan > 1).\n\nFix by protecting the chain_running list iteration and descriptor access\nwith the chan->desc_lock spinlock.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71221",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: ensure skb headroom before skb_push\n\nThis avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is\nless than needed (typically 110 - 94 = 16 bytes).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71222",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/server: fix refcount leak in smb2_open()\n\nWhen ksmbd_vfs_getattr() fails, the reference count of ksmbd_file\nmust be released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71223",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: ocb: skip rx_no_sta when interface is not joined\n\nieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only\npresent after JOIN_OCB.\n\nRX may run before JOIN_OCB is executed, in which case the OCB interface\nis not operational. Skip RX peer handling when the interface is not\njoined to avoid warnings in the RX path.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71224",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: suspend array while updating raid_disks via sysfs\n\nIn raid1_reshape(), freeze_array() is called before modifying the r1bio\nmemory pool (conf->r1bio_pool) and conf->raid_disks, and\nunfreeze_array() is called after the update is completed.\n\nHowever, freeze_array() only waits until nr_sync_pending and\n(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error\noccurs, nr_queued is increased and the corresponding r1bio is queued to\neither retry_list or bio_end_io_list. As a result, freeze_array() may\nunblock before these r1bios are released.\n\nThis can lead to a situation where conf->raid_disks and the mempool have\nalready been updated while queued r1bios, allocated with the old\nraid_disks value, are later released. Consequently, free_r1bio() may\naccess memory out of bounds in put_all_bios() and release r1bios of the\nwrong size to the new mempool, potentially causing issues with the\nmempool as well.\n\nSince only normal I/O might increase nr_queued while an I/O error occurs,\nsuspending the array avoids this issue.\n\nNote: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends\nthe array. Therefore, we suspend the array when updating raid_disks\nvia sysfs to avoid this issue too.",
          "scorev2": "0.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71225",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't WARN for connections on invalid channels\n\nIt's not clear (to me) how exactly syzbot managed to hit this,\nbut it seems conceivable that e.g. regulatory changed and has\ndisabled a channel between scanning (channel is checked to be\nusable by cfg80211_get_ies_channel_number) and connecting on\nthe channel later.\n\nWith one scenario that isn't covered elsewhere described above,\nthe warning isn't good, replace it with a (more informative)\nerror message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71227",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()\n\nrtw_core_enable_beacon() reads 4 bytes from an address that is not a\nmultiple of 4. This results in a crash on some systems.\n\nDo 1 byte reads/writes instead.\n\nUnable to handle kernel paging request at virtual address ffff8000827e0522\nMem abort info:\n  ESR = 0x0000000096000021\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x21: alignment fault\nData abort info:\n  ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nswapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000\n[ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13\nInternal error: Oops: 0000000096000021 [#1]  SMP\nModules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...]\nCPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W           6.17.9 #1-NixOS VOLUNTARY\nTainted: [W]=WARN\nHardware name: FriendlyElec NanoPC-T6 LTS (DT)\nWorkqueue: phy0 rtw_c2h_work [rtw88_core]\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : rtw_pci_read32+0x18/0x40 [rtw88_pci]\nlr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core]\nsp : ffff800080cc3ca0\nx29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828\nx26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00\nx23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001\nx20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522\nCall trace:\n rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)\n rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]\n rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]\n rtw_c2h_work+0x50/0x98 [rtw88_core]\n process_one_work+0x178/0x3f8\n worker_thread+0x208/0x418\n kthread+0x120/0x220\n ret_from_fork+0x10/0x20\nCode: d28fe202 8b020000 f9524400 8b214000 (b9400000)\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71229"
        },
        {
          "id": "CVE-2025-71230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: ensure sb->s_fs_info is always cleaned up\n\nWhen hfs was converted to the new mount api a bug was introduced by\nchanging the allocation pattern of sb->s_fs_info. If setup_bdev_super()\nfails after a new superblock has been allocated by sget_fc(), but before\nhfs_fill_super() takes ownership of the filesystem-specific s_fs_info\ndata it was leaked.\n\nFix this by freeing sb->s_fs_info in hfs_kill_super().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71230"
        },
        {
          "id": "CVE-2025-71231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode\n\nThe local variable 'i' is initialized with -EINVAL, but the for loop\nimmediately overwrites it and -EINVAL is never returned.\n\nIf no empty compression mode can be found, the function would return the\nout-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid\narray access in add_iaa_compression_mode().\n\nFix both issues by returning either a valid index or -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71231"
        },
        {
          "id": "CVE-2025-71232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Free sp in error path to fix system crash\n\nSystem crash seen during load/unload test in a loop,\n\n[61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.\n[61110.467494] =============================================================================\n[61110.467498] BUG qla2xxx_srbs (Tainted: G           OE    --------  --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown()\n[61110.467501] -----------------------------------------------------------------------------\n\n[61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff)\n[61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G           OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1\n[61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023\n[61110.467515] Call Trace:\n[61110.467516]  <TASK>\n[61110.467519]  dump_stack_lvl+0x34/0x48\n[61110.467526]  slab_err.cold+0x53/0x67\n[61110.467534]  __kmem_cache_shutdown+0x16e/0x320\n[61110.467540]  kmem_cache_destroy+0x51/0x160\n[61110.467544]  qla2x00_module_exit+0x93/0x99 [qla2xxx]\n[61110.467607]  ? __do_sys_delete_module.constprop.0+0x178/0x280\n[61110.467613]  ? syscall_trace_enter.constprop.0+0x145/0x1d0\n[61110.467616]  ? do_syscall_64+0x5c/0x90\n[61110.467619]  ? exc_page_fault+0x62/0x150\n[61110.467622]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[61110.467626]  </TASK>\n[61110.467627] Disabling lock debugging due to kernel taint\n[61110.467635] Object 0x0000000026f7e6e6 @offset=16000\n[61110.467639] ------------[ cut here ]------------\n[61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx]\n[61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160\n[61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G    B      OE    --------  ---  5.14.0-284.11.1.el9_2.x86_64 #1\n[61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023\n[61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160\n[61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89\n[61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282\n[61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027\n[61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0\n[61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7\n[61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000\n[61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[61110.467733] FS:  00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000\n[61110.467734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0\n[61110.467736] PKRU: 55555554\n[61110.467737] Call Trace:\n[61110.467738]  <TASK>\n[61110.467739]  qla2x00_module_exit+0x93/0x99 [qla2xxx]\n[61110.467755]  ? __do_sys_delete_module.constprop.0+0x178/0x280\n\nFree sp in the error path to fix the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71232"
        },
        {
          "id": "CVE-2025-71233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Avoid creating sub-groups asynchronously\n\nThe asynchronous creation of sub-groups by a delayed work could lead to a\nNULL pointer dereference when the driver directory is removed before the\nwork completes.\n\nThe crash can be easily reproduced with the following commands:\n\n  # cd /sys/kernel/config/pci_ep/functions/pci_epf_test\n  # for i in {1..20}; do mkdir test && rmdir test; done\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000088\n  ...\n  Call Trace:\n   configfs_register_group+0x3d/0x190\n   pci_epf_cfs_work+0x41/0x110\n   process_one_work+0x18f/0x350\n   worker_thread+0x25a/0x3a0\n\nFix this issue by using configfs_add_default_group() API which does not\nhave the deadlock problem as configfs_register_group() and does not require\nthe delayed work handler.\n\n[mani: slightly reworded the description and added stable list]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71233"
        },
        {
          "id": "CVE-2025-71234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add\n\nThe driver does not set hw->sta_data_size, which causes mac80211 to\nallocate insufficient space for driver private station data in\n__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of\nstruct rtl8xxxu_sta_info through sta->drv_priv, this results in a\nslab-out-of-bounds write.\n\nKASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:\n\n  BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346\n  Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12\n\nSet hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during\nprobe, similar to how hw->vif_data_size is configured. This ensures\nmac80211 allocates sufficient space for the driver's per-station\nprivate data.\n\nTested on StarFive VisionFive 2 v1.2A board.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71234"
        },
        {
          "id": "CVE-2025-71235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Delay module unload while fabric scan in progress\n\nSystem crash seen during load/unload test in a loop.\n\n[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086\n[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0\n[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000\n[105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000\n[105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0\n[105954.384928] PKRU: 55555554\n[105954.384929] Call Trace:\n[105954.384931]  <IRQ>\n[105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx]\n[105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx]\n[105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx]\n[105954.384999]  ? __wake_up_common+0x80/0x190\n[105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx]\n[105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx]\n[105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190\n[105954.385044]  ? handle_irq_event+0x58/0xb0\n[105954.385046]  ? handle_edge_irq+0x93/0x240\n[105954.385050]  ? __common_interrupt+0x41/0xa0\n[105954.385055]  ? common_interrupt+0x3e/0xa0\n[105954.385060]  ? asm_common_interrupt+0x22/0x40\n\nThe root cause of this was that there was a free (dma_free_attrs) in the\ninterrupt context.  There was a device discovery/fabric scan in\nprogress.  A module unload was issued which set the UNLOADING flag.  As\npart of the discovery, after receiving an interrupt a work queue was\nscheduled (which involved a work to be queued).  Since the UNLOADING\nflag is set, the work item was not allocated and the mapped memory had\nto be freed.  The free occurred in interrupt context leading to system\ncrash.  Delay the driver unload until the fabric scan is complete to\navoid the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71235"
        },
        {
          "id": "CVE-2025-71236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Validate sp before freeing associated memory\n\nSystem crash with the following signature\n[154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete\n[154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.\n[154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5.\n[154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed \u2013 0078 0080 0000.\n[154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed \u2013 0078 00a0 0000.\n[154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).\n[154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).\n[154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8\n[154565.553080] #PF: supervisor read access in kernel mode\n[154565.553082] #PF: error_code(0x0000) - not-present page\n[154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0\n[154565.553089] Oops: 0000 1 PREEMPT SMP PTI\n[154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G           OE     -------  ---  5.14.0-503.11.1.el9_5.x86_64 #1\n[154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024\n[154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]\n[154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b\n[154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286\n[154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002\n[154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47\n[154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a\n[154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0\n[154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000\n[154565.553152] FS:  0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000\n[154565.553154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0\n[154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[154565.553159] PKRU: 55555554\n[154565.553160] Call Trace:\n[154565.553162]  <TASK>\n[154565.553165]  ? show_trace_log_lvl+0x1c4/0x2df\n[154565.553172]  ? show_trace_log_lvl+0x1c4/0x2df\n[154565.553177]  ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]\n[154565.553215]  ? __die_body.cold+0x8/0xd\n[154565.553218]  ? page_fault_oops+0x134/0x170\n[154565.553223]  ? snprintf+0x49/0x70\n[154565.553229]  ? exc_page_fault+0x62/0x150\n[154565.553238]  ? asm_exc_page_fault+0x22/0x30\n\nCheck for sp being non-NULL before freeing any associated memory.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71236"
        },
        {
          "id": "CVE-2025-71237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: Fix potential block overflow that cause system hang\n\nWhen a user executes the FITRIM command, an underflow can occur when\ncalculating nblocks if end_block is too small. Since nblocks is of\ntype sector_t, which is u64, a negative nblocks value will become a\nvery large positive integer. This ultimately leads to the block layer\nfunction __blkdev_issue_discard() taking an excessively long time to\nprocess the bio chain, and the ns_segctor_sem lock remains held for a\nlong period. This prevents other tasks from acquiring the ns_segctor_sem\nlock, resulting in the hang reported by syzbot in [1].\n\nIf the ending block is too small, typically if it is smaller than 4KiB\nrange, depending on the usage of the segment 0, it may be possible to\nattempt a discard request beyond the device size causing the hang.\n\nExit successfully and assign the discarded size (0 in this case)\nto range->len.\n\nAlthough the start and len values in the user input range are too small,\na conservative strategy is adopted here to safely ignore them, which is\nequivalent to a no-op; it will not perform any trimming and will not\nthrow an error.\n\n[1]\ntask:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000\nCall Trace:\n rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272\n nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]\n nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684\n\n[ryusuke: corrected part of the commit message about the consequences]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71237"
        },
        {
          "id": "CVE-2025-71238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix bsg_done() causing double free\n\nKernel panic observed on system,\n\n[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000\n[5353358.825194] #PF: supervisor write access in kernel mode\n[5353358.825195] #PF: error_code(0x0002) - not-present page\n[5353358.825196] PGD 100006067 P4D 0\n[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G        W    L    -------  ---  5.14.0-503.34.1.el9_5.x86_64 #1\n[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025\n[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10\n[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246\n[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000\n[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000\n[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000\n[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090\n[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000\n[5353358.825218] FS:  00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000\n[5353358.825219] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0\n[5353358.825221] PKRU: 55555554\n[5353358.825222] Call Trace:\n[5353358.825223]  <TASK>\n[5353358.825224]  ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825229]  ? show_trace_log_lvl+0x1c4/0x2df\n[5353358.825232]  ? sg_copy_buffer+0xc8/0x110\n[5353358.825236]  ? __die_body.cold+0x8/0xd\n[5353358.825238]  ? page_fault_oops+0x134/0x170\n[5353358.825242]  ? kernelmode_fixup_or_oops+0x84/0x110\n[5353358.825244]  ? exc_page_fault+0xa8/0x150\n[5353358.825247]  ? asm_exc_page_fault+0x22/0x30\n[5353358.825252]  ? memcpy_erms+0x6/0x10\n[5353358.825253]  sg_copy_buffer+0xc8/0x110\n[5353358.825259]  qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]\n[5353358.825317]  qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]\n\nMost routines in qla_bsg.c call bsg_done() only for success cases.\nHowever a few invoke it for failure case as well leading to a double\nfree. Validate before calling bsg_done().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71238"
        },
        {
          "id": "CVE-2025-71239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: add fchmodat2() to change attributes class\n\nfchmodat2(), introduced in version 6.6 is currently not in the change\nattribute class of audit. Calling fchmodat2() to change a file\nattribute in the same fashion than chmod() or fchmodat() will bypass\naudit rules such as:\n\n-w /tmp/test -p rwa -k test_rwa\n\nThe current patch adds fchmodat2() to the change attributes class.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71239"
        },
        {
          "id": "CVE-2025-71265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an attribute header\nindicates an empty run list, while directory entries reference it as\ncontaining actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way\nto represent an empty run list, and run_unpack() correctly handles this by\nchecking if evcn + 1 equals svcn and returning early without parsing any run\ndata. However, this creates a problem when there is metadata inconsistency,\nwhere the attribute header claims to be empty (evcn=-1) but the caller\nexpects to read actual data. When run_unpack() immediately returns success\nupon seeing this condition, it leaves the runs_tree uninitialized with\nrun->runs as a NULL. The calling function attr_load_runs_range() assumes\nthat a successful return means that the runs were loaded and sets clen to 0,\nexpecting the next run_lookup_entry() call to succeed. Because runs_tree\nremains uninitialized, run_lookup_entry() continues to fail, and the loop\nincrements vcn by zero (vcn += 0), leading to an infinite loop.\n\nThis patch adds a retry counter to detect when run_lookup_entry() fails\nconsecutively after attr_load_runs_vcn(). If the run is still not found on\nthe second attempt, it indicates corrupted metadata and returns -EINVAL,\npreventing the Denial-of-Service (DoS) vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71265"
        },
        {
          "id": "CVE-2025-71266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71266"
        },
        {
          "id": "CVE-2025-71267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71267"
        },
        {
          "id": "CVE-2025-71268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix reservation leak in some error paths when inserting inline extent\n\nIf we fail to allocate a path or join a transaction, we return from\n__cow_file_range_inline() without freeing the reserved qgroup data,\nresulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()\nin such cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71268",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not free data reservation in fallback from inline due to -ENOSPC\n\nIf we fail to create an inline extent due to -ENOSPC, we will attempt to\ngo through the normal COW path, reserve an extent, create an ordered\nextent, etc. However we were always freeing the reserved qgroup data,\nwhich is wrong since we will use data. Fix this by freeing the reserved\nqgroup data in __cow_file_range_inline() only if we are not doing the\nfallback (ret is <= 0).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71269",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Enable exception fixup for specific ADE subcode\n\nThis patch allows the LoongArch BPF JIT to handle recoverable memory\naccess errors generated by BPF_PROBE_MEM* instructions.\n\nWhen a BPF program performs memory access operations, the instructions\nit executes may trigger ADEM exceptions. The kernel\u2019s built-in BPF\nexception table mechanism (EX_TYPE_BPF) will generate corresponding\nexception fixup entries in the JIT compilation phase; however, the\narchitecture-specific trap handling function needs to proactively call\nthe common fixup routine to achieve exception recovery.\n\ndo_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs,\nensure safe execution.\n\nRelevant test cases: illegal address access tests in module_attach and\nsubprogs_extable of selftests/bpf.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71270",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2025-71271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: ensure sb->s_fs_info is always cleaned up\n\nWhen hfsplus was converted to the new mount api a bug was introduced by\nchanging the allocation pattern of sb->s_fs_info. If setup_bdev_super()\nfails after a new superblock has been allocated by sget_fc(), but before\nhfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info\ndata it was leaked.\n\nFix this by freeing sb->s_fs_info in hfsplus_kill_super().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71271"
        },
        {
          "id": "CVE-2025-71272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: core: fix resource leak in most_register_interface error paths\n\nThe function most_register_interface() did not correctly release resources\nif it failed early (before registering the device). In these cases, it\nreturned an error code immediately, leaking the memory allocated for the\ninterface.\n\nFix this by initializing the device early via device_initialize() and\ncalling put_device() on all error paths.\n\nThe most_register_interface() is expected to call put_device() on\nerror which frees the resources allocated in the caller. The\nput_device() either calls release_mdev() or dim2_release(),\ndepending on the caller.\n\nSwitch to using device_add() instead of device_register() to handle\nthe split initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71272"
        },
        {
          "id": "CVE-2025-71273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()\n\nSimplify the code by using device managed memory allocations.\n\nThis also fixes a memory leak in rtw_register_hw(). The supported bands\nwere not freed in the error path.\n\nCopied from commit 145df52a8671 (\"wifi: rtw89: Convert\nrtw89_core_set_supported_band to use devm_*\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71273"
        },
        {
          "id": "CVE-2025-71274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: core: fix race in driver_override_show() and use core helper\n\nThe driver_override_show function reads the driver_override string\nwithout holding the device_lock. However, the store function modifies\nand frees the string while holding the device_lock. This creates a race\ncondition where the string can be freed by the store function while\nbeing read by the show function, leading to a use-after-free.\n\nTo fix this, replace the rpmsg_string_attr macro with explicit show and\nstore functions. The new driver_override_store uses the standard\ndriver_set_override helper. Since the introduction of\ndriver_set_override, the comments in include/linux/rpmsg.h have stated\nthat this helper must be used to set or clear driver_override, but the\nimplementation was not updated until now.\n\nBecause driver_set_override modifies and frees the string while holding\nthe device_lock, the new driver_override_show now correctly holds the\ndevice_lock during the read operation to prevent the race.\n\nAdditionally, since rpmsg_string_attr has only ever been used for\ndriver_override, removing the macro simplifies the code.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71274"
        },
        {
          "id": "CVE-2025-71285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Drop the MHI auto_queue feature for IPCR DL channels\n\nMHI stack offers the 'auto_queue' feature, which allows the MHI stack to\nauto queue the buffers for the RX path (DL channel). Though this feature\nsimplifies the client driver design, it introduces race between the client\ndrivers and the MHI stack. For instance, with auto_queue, the 'dl_callback'\nfor the DL channel may get called before the client driver is fully probed.\nThis means, by the time the dl_callback gets called, the client driver's\nstructures might not be initialized, leading to NULL ptr dereference.\n\nCurrently, the drivers have to workaround this issue by initializing the\ninternal structures before calling mhi_prepare_for_transfer_autoqueue().\nBut even so, there is a chance that the client driver's internal code path\nmay call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is\ncalled, leading to similar NULL ptr dereference. This issue has been\nreported on the Qcom X1E80100 CRD machines affecting boot.\n\nSo to properly fix all these races, drop the MHI 'auto_queue' feature\naltogether and let the client driver (QRTR) manage the RX buffers manually.\nIn the QRTR driver, queue the RX buffers based on the ring length during\nprobe and recycle the buffers in 'dl_callback' once they are consumed. This\nalso warrants removing the setting of 'auto_queue' flag from controller\ndrivers.\n\nCurrently, this 'auto_queue' feature is only enabled for IPCR DL channel.\nSo only the QRTR client driver requires the modification.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71285"
        },
        {
          "id": "CVE-2025-71286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls\n\nThe size of the data behind of scontrol->ipc_control_data for bytes\ncontrols is:\n[1] sizeof(struct sof_ipc4_control_data) + // kernel only struct\n[2] sizeof(struct sof_abi_hdr)) + payload\n\nThe max_size specifies the size of [2] and it is coming from topology.\n\nChange the function to take this into account and allocate adequate amount\nof memory behind scontrol->ipc_control_data.\n\nWith the change we will allocate [1] amount more memory to be able to hold\nthe full size of data.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71286"
        },
        {
          "id": "CVE-2025-71287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: mtk-smi: fix device leak on larb probe\n\nMake sure to drop the reference taken when looking up the SMI device\nduring larb probe on late probe failure (e.g. probe deferral) and on\ndriver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71287"
        },
        {
          "id": "CVE-2025-71288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: mtk-smi: fix device leaks on common probe\n\nMake sure to drop the reference taken when looking up the SMI device\nduring common probe on late probe failure (e.g. probe deferral) and on\ndriver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71288"
        },
        {
          "id": "CVE-2025-71289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle attr_set_size() errors when truncating files\n\nIf attr_set_size() fails while truncating down, the error is silently\nignored and the inode may be left in an inconsistent state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71289"
        },
        {
          "id": "CVE-2025-71290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ti_fpc202: fix a potential memory leak in probe function\n\nUse for_each_child_of_node_scoped() to simplify the code and ensure the\ndevice node reference is automatically released when the loop scope\nends.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71290"
        },
        {
          "id": "CVE-2025-71291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()\n\nIn the function bcm_vk_read(), the pointer entry is checked, indicating\nthat it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the\nfollowing code may cause null-pointer dereferences:\n\n  struct vk_msg_blk tmp_msg = entry->to_h_msg[0];\n  set_msg_id(&tmp_msg, entry->usr_msg_id);\n  tmp_msg.size = entry->to_h_blks - 1;\n\nTo prevent these possible null-pointer dereferences, copy to_h_msg,\nusr_msg_id, and to_h_blks from iter into temporary variables, and return\nthese temporary variables to the application instead of accessing them\nthrough a potentially NULL entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71291"
        },
        {
          "id": "CVE-2025-71292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: nlink overflow in jfs_rename\n\nIf nlink is maximal for a directory (-1) and inside that directory you\nperform a rename for some child directory (not moving from the parent),\nthen the nlink of the first directory is first incremented and later\ndecremented. Normally this is fine, but when nlink = -1 this causes a\nwrap around to 0, and then drop_nlink issues a warning.\n\nAfter applying the patch syzbot no longer issues any warnings. I also\nran some basic fs tests to look for any regressions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71292"
        },
        {
          "id": "CVE-2025-71293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/ras: Move ras data alloc before bad page check\n\nIn the rare event if eeprom has only invalid address entries,\nallocation is skipped, this causes following NULL pointer issue\n[  547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  547.118897] #PF: supervisor read access in kernel mode\n[  547.130292] #PF: error_code(0x0000) - not-present page\n[  547.141689] PGD 124757067 P4D 0\n[  547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G           OE      6.8.0-38-generic #38-Ubuntu\n[  547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025\n[  547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76\n[  547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246\n[  547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000\n[  547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800\n[  547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000\n[  547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[  547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092\n[  547.342790] FS:  0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000\n[  547.360744] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0\n[  547.389321] PKRU: 55555554\n[  547.395316] Call Trace:\n[  547.400737]  <TASK>\n[  547.405386]  ? show_regs+0x6d/0x80\n[  547.412929]  ? __die+0x24/0x80\n[  547.419697]  ? page_fault_oops+0x99/0x1b0\n[  547.428588]  ? do_user_addr_fault+0x2ee/0x6b0\n[  547.438249]  ? exc_page_fault+0x83/0x1b0\n[  547.446949]  ? asm_exc_page_fault+0x27/0x30\n[  547.456225]  ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.470040]  ? mas_wr_modify+0xcd/0x140\n[  547.478548]  sysfs_kf_bin_read+0x63/0xb0\n[  547.487248]  kernfs_file_read_iter+0xa1/0x190\n[  547.496909]  kernfs_fop_read_iter+0x25/0x40\n[  547.506182]  vfs_read+0x255/0x390\n\nThis also result in space left assigned to negative values.\nMoving data alloc call before bad page check resolves both the issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71293"
        },
        {
          "id": "CVE-2025-71294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer issue buffer funcs\n\nIf SDMA block not enabled, buffer_funcs will not initialize,\nfix the null pointer issue if buffer_funcs not initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71294"
        },
        {
          "id": "CVE-2025-71295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: add alert in try_to_free_buffers() for folios without buffers\n\ntry_to_free_buffers() can be called on folios with no buffers attached\nwhen filemap_release_folio() is invoked on a folio belonging to a mapping\nwith AS_RELEASE_ALWAYS set but no release_folio operation defined.\n\nIn such cases, folio_needs_release() returns true because of the\nAS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This\ncauses try_to_free_buffers() to call drop_buffers() on a folio with no\nbuffers, leading to a null pointer dereference.\n\nAdding a check in try_to_free_buffers() to return early if the folio has no\nbuffers attached, with WARN_ON_ONCE() to alert about the misconfiguration.\nThis provides defensive hardening.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71295"
        },
        {
          "id": "CVE-2025-71296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: shmem: Hold reservation lock around purge\n\nAcquire and release the GEM object's reservation lock around calls\nto the object's purge operation. The tests use\ndrm_gem_shmem_purge_locked(), which led to errors such as show below.\n\n[   58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740\n\nOnly export the new helper drm_gem_shmem_purge() for Kunit tests.\nThis is not an interface for regular drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71296"
        },
        {
          "id": "CVE-2025-71297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()\n\nrtw8822b_set_antenna() can be called from userspace when the chip is\npowered off. In that case a WARNING is triggered in\nrtw8822b_config_trx_mode() because trying to read the RF registers\nwhen the chip is powered off returns an unexpected value.\n\nCall rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when\nthe chip is powered on.\n\n------------[ cut here ]------------\nwrite RF mode table fail\nWARNING: CPU: 0 PID: 7183 at rtw8822b.c:824 rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b]\nCPU: 0 UID: 0 PID: 7183 Comm: iw Tainted: G        W  OE       6.17.5-arch1-1 #1 PREEMPT(full)  01c39fc421df2af799dd5e9180b572af860b40c1\nTainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021\nRIP: 0010:rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b]\nCall Trace:\n <TASK>\n rtw8822b_set_antenna+0x57/0x70 [rtw88_8822b 370206f42e5890d8d5f48eb358b759efa37c422b]\n rtw_ops_set_antenna+0x50/0x80 [rtw88_core 711c8fb4f686162be4625b1d0b8e8c6a5ac850fb]\n ieee80211_set_antenna+0x60/0x100 [mac80211 f1845d85d2ecacf3b71867635a050ece90486cf3]\n nl80211_set_wiphy+0x384/0xe00 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]\n ? netdev_run_todo+0x63/0x550\n genl_family_rcv_msg_doit+0xfc/0x160\n genl_rcv_msg+0x1aa/0x2b0\n ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]\n ? __pfx_nl80211_set_wiphy+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]\n ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x59/0x110\n genl_rcv+0x28/0x40\n netlink_unicast+0x285/0x3c0\n ? __alloc_skb+0xdb/0x1a0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x39f/0x3d0\n ? import_iovec+0x2f/0x40\n ___sys_sendmsg+0x99/0xe0\n ? refill_obj_stock+0x12e/0x240\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x81/0x970\n ? do_syscall_64+0x81/0x970\n ? ksys_read+0x73/0xf0\n ? do_syscall_64+0x81/0x970\n ? count_memcg_events+0xc2/0x190\n ? handle_mm_fault+0x1d7/0x2d0\n ? do_user_addr_fault+0x21a/0x690\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71297"
        },
        {
          "id": "CVE-2025-71298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: shmem: Hold reservation lock around madvise\n\nAcquire and release the GEM object's reservation lock around calls\nto the object's madvide operation. The tests use\ndrm_gem_shmem_madvise_locked(), which led to errors such as show below.\n\n[   58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140\n\nOnly export the new helper drm_gem_shmem_madvise() for Kunit tests.\nThis is not an interface for regular drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71298"
        },
        {
          "id": "CVE-2025-71299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing\n\nThe recent refactoring of where runtime PM is enabled done in commit\nf1eb4e792bb1 (\"spi: spi-cadence-quadspi: Enable pm runtime earlier to\navoid imbalance\") made the fact that when we do a pm_runtime_disable()\nin the error paths of probe() we can trigger a runtime disable which in\nturn results in duplicate clock disables.  This is particularly likely\nto happen when there is missing or broken DT description for the flashes\nattached to the controller.\n\nEarly on in the probe function we do a pm_runtime_get_noresume() since\nthe probe function leaves the device in a powered up state but in the\nerror path we can't assume that PM is enabled so we also manually\ndisable everything, including clocks. This means that when runtime PM is\nactive both it and the probe function release the same reference to the\nmain clock for the IP, triggering warnings from the clock subsystem:\n\n[    8.693719] clk:75:7 already disabled\n[    8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb\n...\n[    8.694261]  clk_core_disable+0xa0/0xb4 (P)\n[    8.694272]  clk_disable+0x38/0x60\n[    8.694283]  cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi]\n[    8.694309]  platform_probe+0x5c/0xa4\n\nDealing with this issue properly is complicated by the fact that we\ndon't know if runtime PM is active so can't tell if it will disable the\nclocks or not.  We can, however, sidestep the issue for the flash\ndescriptions by moving their parsing to when we parse the controller\nproperties which also save us doing a bunch of setup which can never be\nused so let's do that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71299"
        },
        {
          "id": "CVE-2025-71300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"arm64: zynqmp: Add an OP-TEE node to the device tree\"\n\nThis reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe.\n\nOP-TEE logic in U-Boot automatically injects a reserved-memory\nnode along with optee firmware node to kernel device tree.\nThe injection logic is dependent on that there is no manually\ndefined optee node. Having the node in zynqmp.dtsi effectively\nbreaks OP-TEE's insertion of the reserved-memory node, causing\nmemory access violations during runtime.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71300"
        },
        {
          "id": "CVE-2025-71301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tests: shmem: Hold reservation lock around vmap/vunmap\n\nAcquire and release the GEM object's reservation lock around vmap and\nvunmap operations. The tests use vmap_locked, which led to errors such\nas show below.\n\n[  122.292030] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:390 drm_gem_shmem_vmap_locked+0x3a3/0x6f0\n\n[  122.468066] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:293 drm_gem_shmem_pin_locked+0x1fe/0x350\n\n[  122.563504] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:234 drm_gem_shmem_get_pages_locked+0x23c/0x370\n\n[  122.662248] WARNING: CPU: 2 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:452 drm_gem_shmem_vunmap_locked+0x101/0x330\n\nOnly export the new vmap/vunmap helpers for Kunit tests. These are\nnot interfaces for regular drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71301"
        },
        {
          "id": "CVE-2025-71302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: fix for dma-fence safe access rules\n\nCommit 506aa8b02a8d6 (\"dma-fence: Add safe access helpers and document\nthe rules\") details the dma-fence safe access rules. The most common\nculprit is that drm_sched_fence_get_timeline_name may race with\ngroup_free_queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-71302"
        },
        {
          "id": "CVE-2026-22976",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc->q.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q->q.qlen == 0, but its class's leaf\nqdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[    0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    0.903571] #PF: supervisor write access in kernel mode\n[    0.903860] #PF: error_code(0x0002) - not-present page\n[    0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[    0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[    0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[    0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[    0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[    0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n   0:\t0f 84 4d 01 00 00    \tje     0x153\n   6:\t48 89 70 18          \tmov    %rsi,0x18(%rax)\n   a:\t8b 4b 10             \tmov    0x10(%rbx),%ecx\n   d:\t48 c7 c2 ff ff ff ff \tmov    $0xffffffffffffffff,%rdx\n  14:\t48 8b 78 08          \tmov    0x8(%rax),%rdi\n  18:\t48 d3 e2             \tshl    %cl,%rdx\n  1b:\t48 21 f2             \tand    %rsi,%rdx\n  1e:\t48 2b 13             \tsub    (%rbx),%rdx\n  21:\t48 8b 30             \tmov    (%rax),%rsi\n  24:\t48 d3 ea             \tshr    %cl,%rdx\n  27:\t8b 4b 18             \tmov    0x18(%rbx),%ecx\n\t...\n[    0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[    0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[    0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[    0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[    0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[    0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[    0.909179] FS:  000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[    0.909572] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[    0.910247] PKRU: 55555554\n[    0.910391] Call Trace:\n[    0.910527]  <TASK>\n[    0.910638]  qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[    0.910826]  qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[    0.911040]  __qdisc_destroy (net/sched/sch_generic.c:1076)\n[    0.911236]  tc_new_tfilter (net/sched/cls_api.c:2447)\n[    0.911447]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[    0.911663]  ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[    0.911894]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[    0.912100]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[    0.912296]  ? __alloc_skb (net/core/skbuff.c:706)\n[    0.912484]  netlink_sendmsg (net/netlink/af\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22976",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22977",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\n\nskbuff_fclone_cache was created without defining a usercopy region,\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\nvia sock_recv_errqueue() -> put_cmsg().\n\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\n   (from skbuff_fclone_cache) [1]\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\n5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\n   usercopy whitelist [5]\n\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\nsocket error queue, accessing the sock_exterr_skb structure in skb->cb\nvia put_cmsg() triggers a usercopy hardening violation:\n\n[    5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!\n[    5.382796] kernel BUG at mm/usercopy.c:102!\n[    5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n[    5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\n[    5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[    5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\n[    5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490\n[    5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\n[    5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\n[    5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\n[    5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\n[    5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\n[    5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\n[    5.384903] FS:  0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\n[    5.384903] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\n[    5.384903] PKRU: 55555554\n[    5.384903] Call Trace:\n[    5.384903]  <TASK>\n[    5.384903]  __check_heap_object+0x9a/0xd0\n[    5.384903]  __check_object_size+0x46c/0x690\n[    5.384903]  put_cmsg+0x129/0x5e0\n[    5.384903]  sock_recv_errqueue+0x22f/0x380\n[    5.384903]  tls_sw_recvmsg+0x7ed/0x1960\n[    5.384903]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    5.384903]  ? schedule+0x6d/0x270\n[    5.384903]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    5.384903]  ? mutex_unlock+0x81/0xd0\n[    5.384903]  ? __pfx_mutex_unlock+0x10/0x10\n[    5.384903]  ? __pfx_tls_sw_recvmsg+0x10/0x10\n[    5.384903]  ? _raw_spin_lock_irqsave+0x8f/0xf0\n[    5.384903]  ? _raw_read_unlock_irqrestore+0x20/0x40\n[    5.384903]  ? srso_alias_return_thunk+0x5/0xfbef5\n\nThe crash offset 296 corresponds to skb2->cb within skbuff_fclones:\n  - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\n  offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\n  272 + 24 (inside sock_exterr_skb.ee)\n\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\n\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22977",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22978",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n  void __user   *pointer;       /* Pointer to the data  (in user space) */\n  __u16         length;         /* number of fields or size in bytes */\n  __u16         flags;          /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space.",
          "scorev2": "0.0",
          "scorev3": "3.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22978",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22979",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb->sk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment's\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n  comm \"ping\", pid 6720, jiffies 4295492526\n  backtrace:\n    kmem_cache_alloc_noprof+0x5c6/0x800\n    sk_prot_alloc+0x5b/0x220\n    sk_alloc+0x35/0xa00\n    inet6_create.part.0+0x303/0x10d0\n    __sock_create+0x248/0x640\n    __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22979",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22980",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op->init() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn't require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn't restart\nthe work item after shutdown has already waited for it.  For this we\nadd a new flag protected with nn->client_lock.  It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described.  Another field \"grace_end_forced\", is set when\nv4_end_grace is written.  After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22980",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22981",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n<inf>\tUP\necho 1 > /sys/class/net/ens801f0/device/reset& \\\nethtool -L ens801f0 combined 8\nip -br a\n<inf>\tDOWN\nip link set <inf> up\nip -br a\n<inf>\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637]  <TASK>\n[408508.140077]  __dev_close_many+0xbb/0x260\n[408508.140533]  __dev_change_flags+0x1cf/0x280\n[408508.140987]  netif_change_flags+0x26/0x70\n[408508.141434]  dev_change_flags+0x3d/0xb0\n[408508.141878]  devinet_ioctl+0x460/0x890\n[408508.142321]  inet_ioctl+0x18e/0x1d0\n[408508.142762]  ? _copy_to_user+0x22/0x70\n[408508.143207]  sock_do_ioctl+0x3d/0xe0\n[408508.143652]  sock_ioctl+0x10e/0x330\n[408508.144091]  ? find_held_lock+0x2b/0x80\n[408508.144537]  __x64_sys_ioctl+0x96/0xe0\n[408508.144979]  do_syscall_64+0x79/0x3d0\n[408508.145415]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22981",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22982",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22982",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22983",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not write to msg_get_inq in callee\n\nNULL pointer dereference fix.\n\nmsg_get_inq is an input field from caller to callee. Don't set it in\nthe callee, as the caller may not clear it on struct reuse.\n\nThis is a kernel-internal variant of msghdr only, and the only user\ndoes reinitialize the field. So this is not critical for that reason.\nBut it is more robust to avoid the write, and slightly simpler code.\nAnd it fixes a bug, see below.\n\nCallers set msg_get_inq to request the input queue length to be\nreturned in msg_inq. This is equivalent to but independent from the\nSO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).\nTo reduce branching in the hot path the second also sets the msg_inq.\nThat is WAI.\n\nThis is a fix to commit 4d1442979e4a (\"af_unix: don't post cmsg for\nSO_INQ unless explicitly asked for\"), which fixed the inverse.\n\nAlso avoid NULL pointer dereference in unix_stream_read_generic if\nstate->msg is NULL and msg->msg_get_inq is written. A NULL state->msg\ncan happen when splicing as of commit 2b514574f7e8 (\"net: af_unix:\nimplement splice for stream af_unix sockets\").\n\nAlso collapse two branches using a bitwise or.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22983",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.6"
        },
        {
          "id": "CVE-2026-22984",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in handle_auth_done()\n\nPerform an explicit bounds check on payload_len to avoid a possible\nout-of-bounds access in the callout.\n\n[ idryomov: changelog ]",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22984",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22985",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL pointer crash on early ethtool operations\n\nThe RSS LUT is not initialized until the interface comes up, causing\nthe following NULL pointer crash when ethtool operations like rxhash on/off\nare performed before the interface is brought up for the first time.\n\nMove RSS LUT initialization from ndo_open to vport creation to ensure LUT\nis always available. This enables RSS configuration via ethtool before\nbringing the interface up. Simplify LUT management by maintaining all\nchanges in the driver's soft copy and programming zeros to the indirection\ntable when rxhash is disabled. Defer HW programming until the interface\ncomes up if it is down during rxhash and LUT configuration changes.\n\nSteps to reproduce:\n** Load idpf driver; interfaces will be created\n\tmodprobe idpf\n** Before bringing the interfaces up, turn rxhash off\n\tethtool -K eth2 rxhash off\n\n[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[89408.371908] #PF: supervisor read access in kernel mode\n[89408.371924] #PF: error_code(0x0000) - not-present page\n[89408.371940] PGD 0 P4D 0\n[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130\n[89408.372310] Call Trace:\n[89408.372317]  <TASK>\n[89408.372326]  ? idpf_set_features+0xfc/0x180 [idpf]\n[89408.372363]  __netdev_update_features+0x295/0xde0\n[89408.372384]  ethnl_set_features+0x15e/0x460\n[89408.372406]  genl_family_rcv_msg_doit+0x11f/0x180\n[89408.372429]  genl_rcv_msg+0x1ad/0x2b0\n[89408.372446]  ? __pfx_ethnl_set_features+0x10/0x10\n[89408.372465]  ? __pfx_genl_rcv_msg+0x10/0x10\n[89408.372482]  netlink_rcv_skb+0x58/0x100\n[89408.372502]  genl_rcv+0x2c/0x50\n[89408.372516]  netlink_unicast+0x289/0x3e0\n[89408.372533]  netlink_sendmsg+0x215/0x440\n[89408.372551]  __sys_sendto+0x234/0x240\n[89408.372571]  __x64_sys_sendto+0x28/0x30\n[89408.372585]  x64_sys_call+0x1909/0x1da0\n[89408.372604]  do_syscall_64+0x7a/0xfa0\n[89408.373140]  ? clear_bhb_loop+0x60/0xb0\n[89408.373647]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[89408.378887]  </TASK>\n<snip>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22985",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22986",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix race condition for gdev->srcu\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n\n[    4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[    4.943396] Mem abort info:\n[    4.943400]   ESR = 0x0000000096000005\n[    4.943403]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    4.943407]   SET = 0, FnV = 0\n[    4.943410]   EA = 0, S1PTW = 0\n[    4.943413]   FSC = 0x05: level 1 translation fault\n[    4.943416] Data abort info:\n[    4.943418]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    4.946220]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    4.955261]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[    4.961449] [ffff800272bcc000] pgd=0000000000000000\n[    4.969203] , p4d=1000000039739003\n[    4.979730] , pud=0000000000000000\n[    4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[    4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[    5.121359] pc : __srcu_read_lock+0x44/0x98\n[    5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[    5.153671] sp : ffff8000833bb430\n[    5.298440]\n[    5.298443] Call trace:\n[    5.298445]  __srcu_read_lock+0x44/0x98\n[    5.309484]  gpio_name_to_desc+0x60/0x1a0\n[    5.320692]  gpiochip_add_data_with_key+0x488/0xf00\n    5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements  to reflect modified order of operations\n\n[Bartosz: fixed a build issue, removed stray newline]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22986",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22987",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy\n\nsyzbot reported a crash in tc_act_in_hw() during netns teardown where\ntcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action\npointer, leading to an invalid dereference.\n\nGuard against ERR_PTR entries when iterating the action IDR so teardown\ndoes not call tc_act_in_hw() on an error pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22987",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22988",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: do not assume dev_hard_header() does not change skb->head\n\narp_create() is the only dev_hard_header() caller\nmaking assumption about skb->head being unchanged.\n\nA recent commit broke this assumption.\n\nInitialize @arp pointer after dev_hard_header() call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22988",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.6"
        },
        {
          "id": "CVE-2026-22989",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: check that server is running in unlock_filesystem\n\nIf we are trying to unlock the filesystem via an administrative\ninterface and nfsd isn't running, it crashes the server. This\nhappens currently because nfsd4_revoke_states() access state\nstructures (eg., conf_id_hashtbl) that has been freed as a part\nof the server shutdown.\n\n[   59.465072] Call trace:\n[   59.465308]  nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)\n[   59.465830]  write_unlock_fs+0x258/0x440 [nfsd]\n[   59.466278]  nfsctl_transaction_write+0xb0/0x120 [nfsd]\n[   59.466780]  vfs_write+0x1f0/0x938\n[   59.467088]  ksys_write+0xfc/0x1f8\n[   59.467395]  __arm64_sys_write+0x74/0xb8\n[   59.467746]  invoke_syscall.constprop.0+0xdc/0x1e8\n[   59.468177]  do_el0_svc+0x154/0x1d8\n[   59.468489]  el0_svc+0x40/0xe0\n[   59.468767]  el0t_64_sync_handler+0xa0/0xe8\n[   59.469138]  el0t_64_sync+0x1ac/0x1b0\n\nEnsure this can't happen by taking the nfsd_mutex and checking that\nthe server is still up, and then holding the mutex across the call to\nnfsd4_revoke_states().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22989",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22990",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace overzealous BUG_ON in osdmap_apply_incremental()\n\nIf the osdmap is (maliciously) corrupted such that the incremental\nosdmap epoch is different from what is expected, there is no need to\nBUG.  Instead, just declare the incremental osdmap to be invalid.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22990",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22991",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make free_choose_arg_map() resilient to partial allocation\n\nfree_choose_arg_map() may dereference a NULL pointer if its caller fails\nafter a partial allocation.\n\nFor example, in decode_choose_args(), if allocation of arg_map->args\nfails, execution jumps to the fail label and free_choose_arg_map() is\ncalled. Since arg_map->size is updated to a non-zero value before memory\nallocation, free_choose_arg_map() will iterate over arg_map->args and\ndereference a NULL pointer.\n\nTo prevent this potential NULL pointer dereference and make\nfree_choose_arg_map() more resilient, add checks for pointers before\niterating.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22991",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22992",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn't returned from mon_handle_auth_done().  This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background.  In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature().",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22992",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22993",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don't touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27->20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  <TASK>\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<snip>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22993",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22994",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22994",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-22995",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix use-after-free in ublk_partition_scan_work\n\nA race condition exists between the async partition scan work and device\nteardown that can lead to a use-after-free of ub->ub_disk:\n\n1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()\n2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:\n   - del_gendisk(ub->ub_disk)\n   - ublk_detach_disk() sets ub->ub_disk = NULL\n   - put_disk() which may free the disk\n3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk\n   leading to UAF\n\nFix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold\na reference to the disk during the partition scan. The spinlock in\nublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker\neither gets a valid reference or sees NULL and exits early.\n\nAlso change flush_work() to cancel_work_sync() to avoid running the\npartition scan work unnecessarily when the disk is already detached.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22995",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.6"
        },
        {
          "id": "CVE-2026-22996",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails, mlx5e_priv in mlx5e_dev devlink private is used to\nreference the netdev and mdev associated with that struct. Instead,\nstore netdev directly into mlx5e_dev and get mdev from the containing\nmlx5_adev aux device structure.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==> oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000520\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_remove+0x68/0x130\nRSP: 0018:ffffc900034838f0 EFLAGS: 00010246\nRAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10\nR10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0\nR13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400\nFS:  00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22996",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-22997",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts\n\nSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is\ncalled only when the timer is enabled, we need to call\nj1939_session_deactivate_activate_next() if we cancelled the timer.\nOtherwise, refcount for j1939_session leaks, which will later appear as\n\n| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.\n\nproblem.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22997",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-22998",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command's data structures (cmd->req.sg and cmd->iov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd->req.sg allocated, cmd->iov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd->req.sg and cmd->iov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd->req.sg allocated, cmd->iov NULL\n- WRITE commands: both allocated",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22998",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-22999",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl->qdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-22999",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23000",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash on profile change rollback failure\n\nmlx5e_netdev_change_profile can fail to attach a new profile and can\nfail to rollback to old profile, in such case, we could end up with a\ndangling netdev with a fully reset netdev_priv. A retry to change\nprofile, e.g. another attempt to call mlx5e_netdev_change_profile via\nswitchdev mode change, will crash trying to access the now NULL\npriv->mdev.\n\nThis fix allows mlx5e_netdev_change_profile() to handle previous\nfailures and an empty priv, by not assuming priv is valid.\n\nPass netdev and mdev to all flows requiring\nmlx5e_netdev_change_profile() and avoid passing priv.\nIn mlx5e_netdev_change_profile() check if current priv is valid, and if\nnot, just attach the new profile without trying to access the old one.\n\nThis fixes the following oops, when enabling switchdev mode for the 2nd\ntime after first time failure:\n\n ## Enabling switchdev mode first time:\n\nmlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n                                                                         ^^^^^^^^\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\n\n ## retry: Enabling switchdev mode 2nd time:\n\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nBUG: kernel NULL pointer dereference, address: 0000000000000038\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_detach_netdev+0x3c/0x90\nCode: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07\nRSP: 0018:ffffc90000673890 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000\nRDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000\nR10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000\nR13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000\nFS:  00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n mlx5e_netdev_change_profile+0x45/0xb0\n mlx5e_vport_rep_load+0x27b/0x2d0\n mlx5_esw_offloads_rep_load+0x72/0xf0\n esw_offloads_enable+0x5d0/0x970\n mlx5_eswitch_enable_locked+0x349/0x430\n ? is_mp_supported+0x57/0xb0\n mlx5_devlink_eswitch_mode_set+0x26b/0x430\n devlink_nl_eswitch_set_doit+0x6f/0xf0\n genl_family_rcv_msg_doit+0xe8/0x140\n genl_rcv_msg+0x18b/0x290\n ? __pfx_devlink_nl_pre_doit+0x10/0x10\n ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n ? __pfx_devlink_nl_post_doit+0x10/0x10\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x52/0x100\n genl_rcv+0x28/0x40\n netlink_unicast+0x282/0x3e0\n ? __alloc_skb+0xd6/0x190\n netlink_sendmsg+0x1f7/0x430\n __sys_sendto+0x213/0x220\n ? __sys_recvmsg+0x6a/0xd0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdfb8495047",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23000",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23001",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)->vlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry->vlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23001",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23002",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/buildid: use __kernel_read() for sleepable context\n\nPrevent a \"BUG: unable to handle kernel NULL pointer dereference in\nfilemap_read_folio\".\n\nFor the sleepable context, convert freader to use __kernel_read() instead\nof direct page cache access via read_cache_folio().  This simplifies the\nfaultable code path by using the standard kernel file reading interface\nwhich handles all the complexity of reading file data.\n\nAt the moment we are not changing the code for non-sleepable context which\nuses filemap_get_folio() and only succeeds if the target folios are\nalready in memory and up-to-date.  The reason is to keep the patch simple\nand easier to backport to stable kernels.\n\nSyzbot repro does not crash the kernel anymore and the selftests run\nsuccessfully.\n\nIn the follow up we will make __kernel_read() with IOCB_NOWAIT work for\nnon-sleepable contexts.  In addition, I would like to replace the\nsecretmem check with a more generic approach and will add fstest for the\nbuildid code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23002",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23003",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n  __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n  ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n  ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n  __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n  __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n  netif_receive_skb_internal net/core/dev.c:6338 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]\n  __se_sys_write fs/read_write.c:746 [inline]\n  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4960 [inline]\n  slab_alloc_node mm/slub.c:5263 [inline]\n  kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n  kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n  __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n  alloc_skb include/linux/skbuff.h:1383 [inline]\n  alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n  sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n  tun_alloc_skb drivers/net/tun.c:1461 [inline]\n  tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]\n  __se_sys_write fs/read_write.c:746 [inline]\n  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23003",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()\n\nsyzbot was able to crash the kernel in rt6_uncached_list_flush_dev()\nin an interesting way [1]\n\nCrash happens in list_del_init()/INIT_LIST_HEAD() while writing\nlist->prev, while the prior write on list->next went well.\n\nstatic inline void INIT_LIST_HEAD(struct list_head *list)\n{\n\tWRITE_ONCE(list->next, list); // This went well\n\tWRITE_ONCE(list->prev, list); // Crash, @list has been freed.\n}\n\nIssue here is that rt6_uncached_list_del() did not attempt to lock\nul->lock, as list_empty(&rt->dst.rt_uncached) returned\ntrue because the WRITE_ONCE(list->next, list) happened on the other CPU.\n\nWe might use list_del_init_careful() and list_empty_careful(),\nor make sure rt6_uncached_list_del() always grabs the spinlock\nwhenever rt->dst.rt_uncached_list has been set.\n\nA similar fix is neeed for IPv4.\n\n[1]\n\n BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]\n BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]\n BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\nWrite of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450\n\nCPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: netns cleanup_net\nCall Trace:\n <TASK>\n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n  INIT_LIST_HEAD include/linux/list.h:46 [inline]\n  list_del_init include/linux/list.h:296 [inline]\n  rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]\n  rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020\n  addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853\n addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1\n  notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n  call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]\n  call_netdevice_notifiers net/core/dev.c:2282 [inline]\n  netif_close_many+0x29c/0x410 net/core/dev.c:1785\n  unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353\n  ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]\n  ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248\n  cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 803:\n  kasan_save_stack mm/kasan/common.c:57 [inline]\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n  unpoison_slab_object mm/kasan/common.c:340 [inline]\n  __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n  kasan_slab_alloc include/linux/kasan.h:253 [inline]\n  slab_post_alloc_hook mm/slub.c:4953 [inline]\n  slab_alloc_node mm/slub.c:5263 [inline]\n  kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270\n  dst_alloc+0x105/0x170 net/core/dst.c:89\n  ip6_dst_alloc net/ipv6/route.c:342 [inline]\n  icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333\n  mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844\n  mld_send_cr net/ipv6/mcast.c:2154 [inline]\n  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23004",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1\n\nWhen loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in\nresponse to a guest WRMSR, clear XFD-disabled features in the saved (or to\nbe restored) XSTATE_BV to ensure KVM doesn't attempt to load state for\nfeatures that are disabled via the guest's XFD.  Because the kernel\nexecutes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1\nwill cause XRSTOR to #NM and panic the kernel.\n\nE.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:\n\n  ------------[ cut here ]------------\n  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:exc_device_not_available+0x101/0x110\n  Call Trace:\n   <TASK>\n   asm_exc_device_not_available+0x1a/0x20\n  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n   switch_fpu_return+0x4a/0xb0\n   kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]\n   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n   __x64_sys_ioctl+0x8f/0xd0\n   do_syscall_64+0x62/0x940\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nThis can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,\nand a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's\ncall to fpu_update_guest_xfd().\n\nand if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:\n\n  ------------[ cut here ]------------\n  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 
6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:exc_device_not_available+0x101/0x110\n  Call Trace:\n   <TASK>\n   asm_exc_device_not_available+0x1a/0x20\n  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n   fpu_swap_kvm_fpstate+0x6b/0x120\n   kvm_load_guest_fpu+0x30/0x80 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]\n   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n   __x64_sys_ioctl+0x8f/0xd0\n   do_syscall_64+0x62/0x940\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nThe new behavior is consistent with the AMX architecture.  Per Intel's SDM,\nXSAVE saves XSTATE_BV as '0' for components that are disabled via XFD\n(and non-compacted XSAVE saves the initial configuration of the state\ncomponent):\n\n  If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,\n  the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;\n  instead, it operates as if XINUSE[i] = 0 (and the state component was\n  in its initial state): it saves bit i of XSTATE_BV field of the XSAVE\n  header as 0; in addition, XSAVE saves the initial configuration of the\n  state component (the other instructions do not save state component i).\n\nAlternatively, KVM could always do XRSTOR with XFD=0, e.g. by using\na constant XFD based on the set of enabled features when XSAVEing for\na struct fpu_guest.  
However, having XSTATE_BV[i]=1 for XFD-disabled\nfeatures can only happen in the above interrupt case, or in similar\nscenarios involving preemption on preemptible kernels, because\nfpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the\noutgoing FPU state with the current XFD; and that is (on all but the\nfirst WRMSR to XFD) the guest XFD.\n\nTherefore, XFD can only go out of sync with XSTATE_BV in the above\ninterrupt case, or in similar scenarios involving preemption on\npreemptible kernels, and we can consider it (de facto) part of KVM\nABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.\n\n[Move clea\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23005",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: tlv320adcx140: fix null pointer\n\nThe \"snd_soc_component\" in \"adcx140_priv\" was only used once but never\nset. It was only used for reaching \"dev\" which is already present in\n\"adcx140_priv\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23006",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: zero non-PI portion of auto integrity buffer\n\nThe auto-generated integrity buffer for writes needs to be fully\ninitialized before being passed to the underlying block device,\notherwise the uninitialized memory can be read back by userspace or\nanyone with physical access to the storage device. If protection\ninformation is generated, that portion of the integrity buffer is\nalready initialized. The integrity data is also zeroed if PI generation\nis disabled via sysfs or the PI tuple size is 0. However, this misses\nthe case where PI is generated and the PI tuple size is nonzero, but the\nmetadata size is larger than the PI tuple. In this case, the remainder\n(\"opaque\") of the metadata is left uninitialized.\nGeneralize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the\nmetadata is larger than just the PI tuple.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23007",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix KMS with 3D on HW version 10\n\nHW version 10 does not have GB Surfaces so there is no backing buffer for\nsurface backed FBs. This would result in a nullptr dereference and crash\nthe driver causing a black screen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23008",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: sideband: don't dereference freed ring when removing sideband endpoint\n\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\nrunning and has a valid transfer ring.\n\nLianqin reported a crash during suspend/wake-up stress testing, and\nfound the cause to be dereferencing a non-existing transfer ring\n'ep->ring' during xhci_sideband_remove_endpoint().\n\nThe endpoint and its ring may be in unknown state if this function\nis called after xHCI was reinitialized in resume (lost power), or if\ndevice is being re-enumerated, disconnected or endpoint already dropped.\n\nFix this by both removing unnecessary ring access, and by checking\nep->ring exists before dereferencing it. Also make sure endpoint is\nrunning before attempting to stop it.\n\nRemove the xhci_initialize_ring_info() call during sideband endpoint\nremoval as is it only initializes ring structure enqueue, dequeue and\ncycle state values to their starting values without changing actual\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\nis worse than leaving it as it is. The endpoint will get freed in after\nthis in most usecases.\n\nIf the (audio) class driver want's to reuse the endpoint after offload\nthen it is up to the class driver to ensure endpoint is properly set up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23009",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix use-after-free in inet6_addr_del().\n\nsyzbot reported use-after-free of inet6_ifaddr in\ninet6_addr_del(). [0]\n\nThe cited commit accidentally moved ipv6_del_addr() for\nmngtmpaddr before reading its ifp->flags for temporary\naddresses in inet6_addr_del().\n\nLet's move ipv6_del_addr() down to fix the UAF.\n\n[0]:\nBUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\nRead of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593\n\nCPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\n addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181\n inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f164cf8f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749\nRDX: 
0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003\nRBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288\n </TASK>\n\nAllocated by task 9593:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120\n inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050\n addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160\n inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6099:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free_freelist_hook mm/slub.c:2569 [inline]\n slab_free_bulk mm/slub.c:6696 [inline]\n kmem_cache_free_bulk mm/slub.c:7383 [inline]\n kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362\n kfree_bulk include/linux/slab.h:830 [inline]\n kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523\n kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]\n kfree_rcu_monitor+0x1d0/0x2f0 
mm/slab_common.c:1801\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqu\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23010",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to commit db5b4e39c4e6 (\"ip6_gre: make ip6gre_header() robust\")\n\nOver the years, syzbot found many ways to crash the kernel\nin ipgre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev->needed_headroom and/or dev->hard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ipgre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0\n kernel BUG at net/core/skbuff.c:213 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: mld mld_ifc_work\n RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213\nCall Trace:\n <TASK>\n  skb_under_panic net/core/skbuff.c:223 [inline]\n  skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n  ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897\n  dev_hard_header include/linux/netdevice.h:3436 [inline]\n  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n  NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n  mld_send_cr net/ipv6/mcast.c:2154 [inline]\n  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n  
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23011",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: remove call_control in inactive contexts\n\nIf damon_call() is executed against a DAMON context that is not running,\nthe function returns error while keeping the damon_call_control object\nlinked to the context's call_controls list.  Let's suppose the object is\ndeallocated after the damon_call(), and yet another damon_call() is\nexecuted against the same context.  The function tries to add the new\ndamon_call_control object to the call_controls list, which still has the\npointer to the previous damon_call_control object, which is deallocated. \nAs a result, use-after-free happens.\n\nThis can actually be triggered using the DAMON sysfs interface.  It is not\neasily exploitable since it requires the sysfs write permission and making\na definitely weird file writes, though.  Please refer to the report for\nmore details about the issue reproduction steps.\n\nFix the issue by making two changes.  Firstly, move the final\nkdamond_call() for cancelling all existing damon_call() requests from\nterminating DAMON context to be done before the ctx->kdamond reset.  This\nmakes any code that sees NULL ctx->kdamond can safely assume the context\nmay not access damon_call() requests anymore.  Secondly, let damon_call()\nto cleanup the damon_call_control objects that were added to the\nalready-terminated DAMON context, before returning the error.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23012",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback\n\noctep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to\nioq_vector. If request_irq() fails part-way, the rollback loop calls\nfree_irq() with dev_id set to 'oct', which does not match the original\ndev_id and may leave the irqaction registered.\n\nThis can keep IRQ handlers alive while ioq_vector is later freed during\nunwind/teardown, leading to a use-after-free or crash when an interrupt\nfires.\n\nFix the error path to free IRQs with the same ioq_vector dev_id used\nduring request_irq().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23013",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Ensure swevent hrtimer is properly destroyed\n\nWith the change to hrtimer_try_to_cancel() in\nperf_swevent_cancel_hrtimer() it appears possible for the hrtimer to\nstill be active by the time the event gets freed.\n\nMake sure the event does a full hrtimer_cancel() on the free path by\ninstalling a perf_event::destroy handler.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23014",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths\n\nThe reference obtained by calling usb_get_dev() is not released in the\ngpio_mpsse_probe() error paths. Fix that by using device managed helper\nfunctions. Also remove the usb_put_dev() call in the disconnect function\nsince now it will be released automatically.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23015",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: drop fraglist conntrack references\n\nJakub added a warning in nf_conntrack_cleanup_net_list() to make debugging\nleaked skbs/conntrack references more obvious.\n\nsyzbot reports this as triggering, and I can also reproduce this via\nip_defrag.sh selftest:\n\n conntrack cleanup blocked for 60s\n WARNING: net/netfilter/nf_conntrack_core.c:2512\n [..]\n\nconntrack clenups gets stuck because there are skbs with still hold nf_conn\nreferences via their frag_list.\n\n   net.core.skb_defer_max=0 makes the hang disappear.\n\nEric Dumazet points out that skb_release_head_state() doesn't follow the\nfraglist.\n\nip_defrag.sh can only reproduce this problem since\ncommit 6471658dc66c (\"udp: use skb_attempt_defer_free()\"), but AFAICS this\nproblem could happen with TCP as well if pmtu discovery is off.\n\nThe relevant problem path for udp is:\n1. netns emits fragmented packets\n2. nf_defrag_v6_hook reassembles them (in output hook)\n3. reassembled skb is tracked (skb owns nf_conn reference)\n4. ip6_output refragments\n5. refragmented packets also own nf_conn reference (ip6_fragment\n   calls ip6_copy_metadata())\n6. on input path, nf_defrag_v6_hook skips defragmentation: the\n   fragments already have skb->nf_conn attached\n7. skbs are reassembled via ipv6_frag_rcv()\n8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up\n   in pcpu freelist, but still has nf_conn reference.\n\nPossible solutions:\n 1 let defrag engine drop nf_conn entry, OR\n 2 export kick_defer_list_purge() and call it from the conntrack\n   netns exit callback, OR\n 3 add skb_has_frag_list() check to skb_attempt_defer_free()\n\n2 & 3 also solve ip_defrag.sh hang but share same drawback:\n\nSuch reassembled skbs, queued to socket, can prevent conntrack module\nremoval until userspace has consumed the packet. 
While both tcp and udp\nstack do call nf_reset_ct() before placing skb on socket queue, that\nfunction doesn't iterate frag_list skbs.\n\nTherefore drop nf_conn entries when they are placed in defrag queue.\nKeep the nf_conn entry of the first (offset 0) skb so that reassembled\nskb retains nf_conn entry for sake of TX path.\n\nNote that fixes tag is incorrect; it points to the commit introducing the\n'ip_defrag.sh reproducible problem': no need to backport this patch to\nevery stable kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23016",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix error handling in the init_task on load\n\nIf the init_task fails during a driver load, we end up without vports and\nnetdevs, effectively failing the entire process. In that state a\nsubsequent reset will result in a crash as the service task attempts to\naccess uninitialized resources. Following trace is from an error in the\ninit_task where the CREATE_VPORT (op 501) is rejected by the FW:\n\n[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated\n[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)\n[40958.148190] idpf 0000:83:00.0: HW reset detected\n[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8\n...\n[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]\n[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]\n...\n[40958.177932] Call Trace:\n[40958.178491]  <TASK>\n[40958.179040]  process_one_work+0x226/0x6d0\n[40958.179609]  worker_thread+0x19e/0x340\n[40958.180158]  ? __pfx_worker_thread+0x10/0x10\n[40958.180702]  kthread+0x10f/0x250\n[40958.181238]  ? __pfx_kthread+0x10/0x10\n[40958.181774]  ret_from_fork+0x251/0x2b0\n[40958.182307]  ? __pfx_kthread+0x10/0x10\n[40958.182834]  ret_from_fork_asm+0x1a/0x30\n[40958.183370]  </TASK>\n\nFix the error handling in the init_task to make sure the service and\nmailbox tasks are disabled if the error happens during load. These are\nstarted in idpf_vc_core_init(), which spawns the init_task and has no way\nof knowing if it failed. If the error happens on reset, following\nsuccessful driver load, the tasks can still run, as that will allow the\nnetdevs to attempt recovery through another reset. Stop the PTP callbacks\neither way as those will be restarted by the call to idpf_vc_core_init()\nduring a successful reset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23017",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n   [6.1433] ======================================================\n   [6.1574] WARNING: possible circular locking dependency detected\n   [6.1583] 6.18.0+ #4 Tainted: G     U\n   [6.1591] ------------------------------------------------------\n   [6.1599] kswapd0/117 is trying to acquire lock:\n   [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1625]\n            but task is already holding lock:\n   [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n   [6.1646]\n            which lock already depends on the new lock.\n\n   [6.1657]\n            the existing dependency chain (in reverse order) is:\n   [6.1667]\n            -> #2 (fs_reclaim){+.+.}-{0:0}:\n   [6.1677]        fs_reclaim_acquire+0x9d/0xd0\n   [6.1685]        __kmalloc_cache_noprof+0x59/0x750\n   [6.1694]        btrfs_init_file_extent_tree+0x90/0x100\n   [6.1702]        btrfs_read_locked_inode+0xc3/0x6b0\n   [6.1710]        btrfs_iget+0xbb/0xf0\n   [6.1716]        btrfs_lookup_dentry+0x3c5/0x8e0\n   [6.1724]        btrfs_lookup+0x12/0x30\n   [6.1731]        lookup_open.isra.0+0x1aa/0x6a0\n   [6.1739]        path_openat+0x5f7/0xc60\n   [6.1746]        do_filp_open+0xd6/0x180\n   [6.1753]        do_sys_openat2+0x8b/0xe0\n   [6.1760]        __x64_sys_openat+0x54/0xa0\n   [6.1768]        do_syscall_64+0x97/0x3e0\n   [6.1776]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1784]\n           
 -> #1 (btrfs-tree-00){++++}-{3:3}:\n   [6.1794]        lock_release+0x127/0x2a0\n   [6.1801]        up_read+0x1b/0x30\n   [6.1808]        btrfs_search_slot+0x8e0/0xff0\n   [6.1817]        btrfs_lookup_inode+0x52/0xd0\n   [6.1825]        __btrfs_update_delayed_inode+0x73/0x520\n   [6.1833]        btrfs_commit_inode_delayed_inode+0x11a/0x120\n   [6.1842]        btrfs_log_inode+0x608/0x1aa0\n   [6.1849]        btrfs_log_inode_parent+0x249/0xf80\n   [6.1857]        btrfs_log_dentry_safe+0x3e/0x60\n   [6.1865]        btrfs_sync_file+0x431/0x690\n   [6.1872]        do_fsync+0x39/0x80\n   [6.1879]        __x64_sys_fsync+0x13/0x20\n   [6.1887]        do_syscall_64+0x97/0x3e0\n   [6.1894]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   [6.1903]\n            -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n   [6.1913]        __lock_acquire+0x15e9/0x2820\n   [6.1920]        lock_acquire+0xc9/0x2d0\n   [6.1927]        __mutex_lock+0xcc/0x10a0\n   [6.1934]        __btrfs_release_delayed_node.part.0+0x39/0x2f0\n   [6.1944]        btrfs_evict_inode+0x20b/0x4b0\n   [6.1952]        evict+0x15a/0x2f0\n   [6.1958]        prune_icache_sb+0x91/0xd0\n   [6.1966]        super_cache_scan+0x150/0x1d0\n   [6.1974]        do_shrink_slab+0x155/0x6f0\n   [6.1981]        shrink_slab+0x48e/0x890\n   [6.1988]        shrink_one+0x11a/0x1f0\n   [6.1995]        shrink_node+0xbfd/0x1320\n   [6.1002]        balance_pgdat+0x67f/0xc60\n   [6.1321]        kswapd+0x1dc/0x3e0\n   [6.1643]        kthread+0xff/0x240\n   [6.1965]        ret_from_fork+0x223/0x280\n   [6.1287]        ret_from_fork_asm+0x1a/0x30\n   [6.1616]\n            other info that might help us debug this:\n\n   [6.1561] Chain exists of:\n              &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim\n\n   [6.1503]  Possible unsafe locking scenario:\n\n   [6.1110]        CPU0                    CPU1\n   [6.1411]        ----                    ----\n   [6.1707]   lock(fs_reclaim);\n   [6.1998]                                
lock(btrfs-tree-00);\n   [6.1291]                                lock(fs_reclaim);\n   [6.1581]   lock(&del\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23018",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23019",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: 3com: 3c59x: fix possible null dereference in vortex_probe1()\n\npdev can be null and free_ring: can be called in 1297 with a null\npdev.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23020",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: fix memory leak in update_eth_regs_async()\n\nWhen asynchronously writing to the device registers and if usb_submit_urb()\nfail, the code fail to release allocated to this point resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23021",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak in idpf_vc_core_deinit()\n\nMake sure to free hw->lan_regs. Reported by kmemleak during reset:\n\nunreferenced object 0xff1b913d02a936c0 (size 96):\n  comm \"kworker/u258:14\", pid 2174, jiffies 4294958305\n  hex dump (first 32 bytes):\n    00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00  ......-.........\n    00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff  ..@.......%...-.\n  backtrace (crc 36063c4f):\n    __kmalloc_noprof+0x48f/0x890\n    idpf_vc_core_init+0x6ce/0x9b0 [idpf]\n    idpf_vc_event_task+0x1fb/0x350 [idpf]\n    process_one_work+0x226/0x6d0\n    worker_thread+0x19e/0x340\n    kthread+0x10f/0x250\n    ret_from_fork+0x251/0x2b0\n    ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23022",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak in idpf_vport_rel()\n\nFree vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory\nduring a reset. Reported by kmemleak:\n\nunreferenced object 0xff450acac838a000 (size 4096):\n  comm \"kworker/u258:5\", pid 7732, jiffies 4296830044\n  hex dump (first 32 bytes):\n    00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00  ................\n  backtrace (crc 3da81902):\n    __kmalloc_cache_noprof+0x469/0x7a0\n    idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf]\n    idpf_init_task+0x1ec/0x8d0 [idpf]\n    process_one_work+0x226/0x6d0\n    worker_thread+0x19e/0x340\n    kthread+0x10f/0x250\n    ret_from_fork+0x251/0x2b0\n    ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23023",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leak of flow steer list on rmmod\n\nThe flow steering list maintains entries that are added and removed as\nethtool creates and deletes flow steering rules. Module removal with active\nentries causes memory leak as the list is not properly cleaned up.\n\nPrevent this by iterating through the remaining entries in the list and\nfreeing the associated memory during module removal. Add a spinlock\n(flow_steer_list_lock) to protect the list access from multiple threads.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23024",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: prevent pcp corruption with SMP=n\n\nThe kernel test robot has reported:\n\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\n  lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470\n Call Trace:\n  <IRQ>\n  __dump_stack (lib/dump_stack.c:95)\n  dump_stack_lvl (lib/dump_stack.c:123)\n  dump_stack (lib/dump_stack.c:130)\n  spin_dump (kernel/locking/spinlock_debug.c:71)\n  do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\n  _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\n  __free_frozen_pages (mm/page_alloc.c:2973)\n  ___free_pages (mm/page_alloc.c:5295)\n  __free_pages (mm/page_alloc.c:5334)\n  tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\n  ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\n  ? rcu_core (kernel/rcu/tree.c:?)\n  rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\n  rcu_core_si (kernel/rcu/tree.c:2879)\n  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\n  __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\n  irq_exit_rcu (kernel/softirq.c:741)\n  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\n  </IRQ>\n  <TASK>\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\n  free_pcppages_bulk (mm/page_alloc.c:1494)\n  drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\n  __drain_all_pages (mm/page_alloc.c:2731)\n  drain_all_pages (mm/page_alloc.c:2747)\n  kcompactd (mm/compaction.c:3115)\n  kthread (kernel/kthread.c:465)\n  ? __cfi_kcompactd (mm/compaction.c:3166)\n  ? __cfi_kthread (kernel/kthread.c:412)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  ? __cfi_kthread (kernel/kthread.c:412)\n  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\n  </TASK>\n\nMatthew has analyzed the report and identified that in drain_page_zone()\nwe are in a section protected by spin_lock(&pcp->lock) and then get an\ninterrupt that attempts spin_trylock() on the same lock.  The code is\ndesigned to work this way without disabling IRQs and occasionally fail the\ntrylock with a fallback.  However, the SMP=n spinlock implementation\nassumes spin_trylock() will always succeed, and thus it's normally a\nno-op.  Here the enabled lock debugging catches the problem, but otherwise\nit could cause a corruption of the pcp structure.\n\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\nleave IRQs enabled for per-cpu page allocations\").  The pcp locking scheme\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\nnot been recognized.  Fix it by introducing local wrappers that change the\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\nthat do spin_lock(&pcp->lock).\n\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23025",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\n\nFix a memory leak in gpi_peripheral_config() where the original memory\npointed to by gchan->config could be lost if krealloc() fails.\n\nThe issue occurs when:\n1. gchan->config points to previously allocated memory\n2. krealloc() fails and returns NULL\n3. The function directly assigns NULL to gchan->config, losing the\n   reference to the original memory\n4. The original memory becomes unreachable and cannot be freed\n\nFix this by using a temporary variable to hold the krealloc() result\nand only updating gchan->config when the allocation succeeds.\n\nFound via static analysis and code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23026",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device->destroy() seems to be supposed to free its kvm_device\nstruct, but kvm_pch_pic_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23027",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device->destroy() seems to be supposed to free its kvm_device\nstruct, but kvm_ipi_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23028",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()\n\nIn kvm_ioctl_create_device(), kvm_device has allocated memory,\nkvm_device->destroy() seems to be supposed to free its kvm_device\nstruct, but kvm_eiointc_destroy() is not currently doing this, that\nwould lead to a memory leak.\n\nSo, fix it.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23029",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\n\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\n\nFix by returning directly to avoid the duplicate of_node_put().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23030",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\n\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\nparent->rx_submitted anchor and submitted. In the complete callback\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\ngs_can_close() the URBs are freed by calling\nusb_kill_anchored_urbs(parent->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in gs_can_close().\n\nFix the memory leak by anchoring the URB in the\ngs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23031",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix kmemleak by releasing references to fault configfs items\n\nWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk\ndriver sets up fault injection support by creating the timeout_inject,\nrequeue_inject, and init_hctx_fault_inject configfs items as children\nof the top-level nullbX configfs group.\n\nHowever, when the nullbX device is removed, the references taken to\nthese fault-config configfs items are not released. As a result,\nkmemleak reports a memory leak, for example:\n\nunreferenced object 0xc00000021ff25c40 (size 32):\n  comm \"mkdir\", pid 10665, jiffies 4322121578\n  hex dump (first 32 bytes):\n    69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_\n    69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........\n  backtrace (crc 1a018c86):\n    __kmalloc_node_track_caller_noprof+0x494/0xbd8\n    kvasprintf+0x74/0xf4\n    config_item_set_name+0xf0/0x104\n    config_group_init_type_name+0x48/0xfc\n    fault_config_init+0x48/0xf0\n    0xc0080000180559e4\n    configfs_mkdir+0x304/0x814\n    vfs_mkdir+0x49c/0x604\n    do_mkdirat+0x314/0x3d0\n    sys_mkdir+0xa0/0xd8\n    system_call_exception+0x1b0/0x4f0\n    system_call_vectored_common+0x15c/0x2ec\n\nFix this by explicitly releasing the references to the fault-config\nconfigfs items when dropping the reference to the top-level nullbX\nconfigfs group.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23032",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\n\nThe dma_pool created by dma_pool_create() is not destroyed when\ndma_async_device_register() or of_dma_controller_register() fails,\ncausing a resource leak in the probe error paths.\n\nAdd dma_pool_destroy() in both error paths to properly release the\nallocated dma_pool resource.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23033",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix fence reference leak on queue teardown v2\n\nThe user mode queue keeps a pointer to the most recent fence in\nuserq->last_fence. This pointer holds an extra dma_fence reference.\n\nWhen the queue is destroyed, we free the fence driver and its xarray,\nbut we forgot to drop the last_fence reference.\n\nBecause of the missing dma_fence_put(), the last fence object can stay\nalive when the driver unloads. This leaves an allocated object in the\namdgpu_userq_fence slab cache and triggers\n\nThis is visible during driver unload as:\n\n  BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()\n  kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects\n  Call Trace:\n    kmem_cache_destroy\n    amdgpu_userq_fence_slab_fini\n    amdgpu_exit\n    __do_sys_delete_module\n\nFix this by putting userq->last_fence and clearing the pointer during\namdgpu_userq_fence_driver_free().\n\nThis makes sure the fence reference is released and the slab cache is\nempty when the module exits.\n\nv2: Update to only release userq->last_fence with dma_fence_put()\n    (Christian)\n\n(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23034",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv\n\nmlx5e_priv is an unstable structure that can be memset(0) if profile\nattaching fails.\n\nPass netdev to mlx5e_destroy_netdev() to guarantee it will work on a\nvalid netdev.\n\nOn mlx5e_remove: Check validity of priv->profile, before attempting\nto cleanup any resources that might be not there.\n\nThis fixes a kernel oops in mlx5e_remove when switchdev mode fails due\nto change profile failure.\n\n$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev\nError: mlx5_core: Failed setting eswitch to offloads.\ndmesg:\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n\n$ devlink dev reload pci/0000:00:03.0 ==> oops\n\nBUG: kernel NULL pointer dereference, address: 0000000000000370\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100\nRSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286\nRAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0\nRBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10\nR10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0\nR13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400\nFS:  00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n mlx5e_remove+0x57/0x110\n device_release_driver_internal+0x19c/0x200\n bus_remove_device+0xc6/0x130\n device_del+0x160/0x3d0\n ? devl_param_driverinit_value_get+0x2d/0x90\n mlx5_detach_device+0x89/0xe0\n mlx5_unload_one_devl_locked+0x3a/0x70\n mlx5_devlink_reload_down+0xc8/0x220\n devlink_reload+0x7d/0x260\n devlink_nl_reload_doit+0x45b/0x5a0\n genl_family_rcv_msg_doit+0xe8/0x140",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23035",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe 'out' label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode's mutex, and a task updating a delayed\ninode starts by taking the node's mutex and then modifying the inode's\nsubvolume btree.\n\nSyzbot reported the following lockdep splat for this:\n\n   ======================================================\n   WARNING: possible circular locking dependency detected\n   syzkaller #0 Not tainted\n   ------------------------------------------------------\n   btrfs-cleaner/8725 is trying to acquire lock:\n   ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n\n   but task is already holding lock:\n   ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\n\n   which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n   -> #1 (btrfs-tree-00){++++}-{4:4}:\n          __lock_release kernel/locking/lockdep.c:5574 [inline]\n          lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\n          up_read+0x24/0x3c kernel/locking/rwsem.c:1632\n          btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\n          btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\n          btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\n          btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n          __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\n          btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n          __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n          __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\n          btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\n          flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\n          do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\n          btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\n          process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\n          process_scheduled_works kernel/workqueue.c:3346 [inline]\n          worker_thread+0x958/0xed8 kernel/workqueue.c:3427\n          kthread+0x5fc/0x75c kernel/kthread.c:463\n          ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n\n   -> #0 (&delayed_node->mutex){+.+.}-{4:4}:\n          check_prev_add kernel/locking/lockdep.c:3165 [inline]\n          check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n          validate_chain kernel/locking/lockdep.c:3908 [inline]\n          __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\n          lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n          __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n          __mutex_lock kernel/locking/mutex.c:760 [inline]\n          mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n          __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n          btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\n          btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\n          btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\n          evict+0x414/0x928 fs/inode.c:810\n          iput_final fs/inode.c:1914 [inline]\n          iput+0x95c/0xad4 fs/inode.c:1966\n          iget_failed+0xec/0x134 fs/bad_inode.c:248\n          btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\n          btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\n          btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\n          btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23036",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: etas_es58x: allow partial RX URB allocation to succeed\n\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\nURBs but succeeds in allocating some, it returns an error code.\nThis causes es58x_open() to return early, skipping the cleanup label\n'free_urbs', which leads to the anchored URBs being leaked.\n\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\nto handle partial URB allocation gracefully. Therefore, partial\nallocation should not be treated as a fatal error.\n\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\nallocated, restoring the intended behavior and preventing the leak\nin es58x_open().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23037",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\n\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\nthe function jumps to the out_scratch label without freeing the already\nallocated dsaddrs list, leading to a memory leak.\n\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\nfrees the dsaddrs list before cleaning up other resources.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23038",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gud: fix NULL fb and crtc dereferences on USB disconnect\n\nOn disconnect drm_atomic_helper_disable_all() is called which\nsets both the fb and crtc for a plane to NULL before invoking a commit.\n\nThis causes a kernel oops on every display disconnect.\n\nAdd guards for those dereferences.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23039",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: fix typo in frequency notification\n\nThe NAN notification is for 5745 MHz which corresponds to channel 149\nand not 5475 which is not actually a valid channel. This could result in\na NULL pointer dereference in cfg80211_next_nan_dw_notif.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23040",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup\n\nWhen bnxt_init_one() fails during initialization (e.g.,\nbnxt_init_int_mode returns -ENODEV), the error path calls\nbnxt_free_hwrm_resources() which destroys the DMA pool and sets\nbp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,\nwhich invokes ptp_clock_unregister().\n\nSince commit a60fc3294a37 (\"ptp: rework ptp_clock_unregister() to\ndisable events\"), ptp_clock_unregister() now calls\nptp_disable_all_events(), which in turn invokes the driver's .enable()\ncallback (bnxt_ptp_enable()) to disable PTP events before completing the\nunregistration.\n\nbnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()\nand bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This\nfunction tries to allocate from bp->hwrm_dma_pool, causing a NULL\npointer dereference:\n\n  bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed\n  KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n  Call Trace:\n   __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)\n   bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)\n   ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)\n   ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)\n   bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)\n   bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)\n\nLines are against commit f8f9c1f4d0c7 (\"Linux 6.19-rc3\")\n\nFix this by clearing and unregistering ptp (bnxt_ptp_clear()) before\nfreeing HWRM resources.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23041",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix aux device unplugging when rdma is not supported by vport\n\nIf vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not\nallocate vdev_info for this vport. This leads to kernel NULL pointer\ndereference in idpf_idc_vport_dev_down(), which references vdev_info for\nevery vport regardless.\n\nCheck, if vdev_info was ever allocated before unplugging aux device.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23042",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix NULL pointer dereference in do_abort_log_replay()\n\nCoverity reported a NULL pointer dereference issue (CID 1666756) in\ndo_abort_log_replay(). When btrfs_alloc_path() fails in\nreplay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay()\ncalls do_abort_log_replay() which unconditionally dereferences\nwc->subvol_path when attempting to print debug information. Fix this by\nadding a NULL check before dereferencing wc->subvol_path in\ndo_abort_log_replay().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23043",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: hibernate: Fix crash when freeing invalid crypto compressor\n\nWhen crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.\n\nThe cleanup code in save_compressed_image() and load_compressed_image()\nunconditionally calls crypto_free_acomp() without checking for ERR_PTR,\nwhich causes crypto_acomp_tfm() to dereference an invalid pointer and\ncrash the kernel.\n\nThis can be triggered when the compression algorithm is unavailable\n(e.g., CONFIG_CRYPTO_LZO not enabled).\n\nFix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()\nand acomp_request_free(), similar to the existing kthread_stop() check.\n\n[ rjw: Added 2 empty code lines ]",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23044",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ena: fix missing lock when update devlink params\n\nFix assert lock warning while calling devl_param_driverinit_value_set()\nin ena.\n\nWARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9\nCPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy)\nHardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017\nWorkqueue: events work_for_cpu_fn\nRIP: 0010:devl_assert_locked+0x62/0x90\n\nCall Trace:\n <TASK>\n devl_param_driverinit_value_set+0x15/0x1c0\n ena_devlink_alloc+0x18c/0x220 [ena]\n ? __pfx_ena_devlink_alloc+0x10/0x10 [ena]\n ? trace_hardirqs_on+0x18/0x140\n ? lockdep_hardirqs_on+0x8c/0x130\n ? __raw_spin_unlock_irqrestore+0x5d/0x80\n ? __raw_spin_unlock_irqrestore+0x46/0x80\n ? devm_ioremap_wc+0x9a/0xd0\n ena_probe+0x4d2/0x1b20 [ena]\n ? __lock_acquire+0x56a/0xbd0\n ? __pfx_ena_probe+0x10/0x10 [ena]\n ? local_clock+0x15/0x30\n ? __lock_release.isra.0+0x1c9/0x340\n ? mark_held_locks+0x40/0x70\n ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170\n ? trace_hardirqs_on+0x18/0x140\n ? lockdep_hardirqs_on+0x8c/0x130\n ? __raw_spin_unlock_irqrestore+0x5d/0x80\n ? __raw_spin_unlock_irqrestore+0x46/0x80\n ? __pfx_ena_probe+0x10/0x10 [ena]\n ......\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23045",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix device mismatch in devm_kzalloc/devm_kfree\n\nInitial rss_hdr allocation uses virtio_device->device,\nbut virtnet_set_queues() frees using net_device->device.\nThis device mismatch causing below devres warning\n\n[ 3788.514041] ------------[ cut here ]------------\n[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463\n[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]\n[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G        W           6.18.0 #10 PREEMPT\n[ 3788.514067] Tainted: [W]=WARN\n[ 3788.514069] Hardware name: Marvell CN106XX board (DT)\n[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n[ 3788.514074] pc : devm_kfree+0x84/0x98\n[ 3788.514076] lr : devm_kfree+0x54/0x98\n[ 3788.514079] sp : ffff800084e2f220\n[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f\n[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080\n[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018\n[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000\n[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff\n[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff\n[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c\n[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f\n[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080\n[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000\n[ 3788.514123] Call trace:\n[ 3788.514125]  devm_kfree+0x84/0x98 (P)\n[ 3788.514129]  virtnet_set_queues+0x134/0x2e8 [virtio_net]\n[ 3788.514135]  virtnet_probe+0x9c0/0xe00 [virtio_net]\n[ 3788.514139]  virtio_dev_probe+0x1e0/0x338\n[ 3788.514144]  really_probe+0xc8/0x3a0\n[ 3788.514149]  __driver_probe_device+0x84/0x170\n[ 3788.514152]  driver_probe_device+0x44/0x120\n[ 3788.514155]  __device_attach_driver+0xc4/0x168\n[ 3788.514158]  bus_for_each_drv+0x8c/0xf0\n[ 3788.514161]  __device_attach+0xa4/0x1c0\n[ 3788.514164]  device_initial_probe+0x1c/0x30\n[ 3788.514168]  bus_probe_device+0xb4/0xc0\n[ 3788.514170]  device_add+0x614/0x828\n[ 3788.514173]  register_virtio_device+0x214/0x258\n[ 3788.514175]  virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]\n[ 3788.514179]  vdpa_dev_probe+0xa8/0xd8\n[ 3788.514183]  really_probe+0xc8/0x3a0\n[ 3788.514186]  __driver_probe_device+0x84/0x170\n[ 3788.514189]  driver_probe_device+0x44/0x120\n[ 3788.514192]  __device_attach_driver+0xc4/0x168\n[ 3788.514195]  bus_for_each_drv+0x8c/0xf0\n[ 3788.514197]  __device_attach+0xa4/0x1c0\n[ 3788.514200]  device_initial_probe+0x1c/0x30\n[ 3788.514203]  bus_probe_device+0xb4/0xc0\n[ 3788.514206]  device_add+0x614/0x828\n[ 3788.514209]  _vdpa_register_device+0x58/0x88\n[ 3788.514211]  octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]\n[ 3788.514215]  vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0\n[ 3788.514218]  genl_family_rcv_msg_doit+0xe4/0x158\n[ 3788.514222]  genl_rcv_msg+0x218/0x298\n[ 3788.514225]  netlink_rcv_skb+0x64/0x138\n[ 3788.514229]  genl_rcv+0x40/0x60\n[ 3788.514233]  netlink_unicast+0x32c/0x3b0\n[ 3788.514237]  netlink_sendmsg+0x170/0x3b8\n[ 3788.514241]  __sys_sendto+0x12c/0x1c0\n[ 3788.514246]  __arm64_sys_sendto+0x30/0x48\n[ 3788.514249]  invoke_syscall.constprop.0+0x58/0xf8\n[ 3788.514255]  do_el0_svc+0x48/0xd0\n[ 3788.514259]  el0_svc+0x48/0x210\n[ 3788.514264]  el0t_64_sync_handler+0xa0/0xe8\n[ 3788.514268]  el0t_64_sync+0x198/0x1a0\n[ 3788.514271] ---[ end trace 0000000000000000 ]---\n\nFix by using virtio_device->device consistently for\nallocation and deallocation",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23046",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make calc_target() set t->paused, not just clear it\n\nCurrently calc_target() clears t->paused if the request shouldn't be\npaused anymore, but doesn't ever set t->paused even though it's able to\ndetermine when the request should be paused.  Setting t->paused is left\nto __submit_request() which is fine for regular requests but doesn't\nwork for linger requests -- since __submit_request() doesn't operate\non linger requests, there is nowhere for lreq->t.paused to be set.\nOne consequence of this is that watches don't get reestablished on\npaused -> unpaused transitions in cases where requests have been paused\nlong enough for the (paused) unwatch request to time out and for the\nsubsequent (re)watch request to enter the paused state.  On top of the\nwatch not getting reestablished, rbd_reregister_watch() gets stuck with\nrbd_dev->watch_mutex held:\n\n  rbd_register_watch\n    __rbd_register_watch\n      ceph_osdc_watch\n        linger_reg_commit_wait\n\nIt's waiting for lreq->reg_commit_wait to be completed, but for that to\nhappen the respective request needs to end up on need_resend_linger list\nand be kicked when requests are unpaused.  There is no chance for that\nif the request in question is never marked paused in the first place.\n\nThe fact that rbd_dev->watch_mutex remains taken out forever then\nprevents the image from getting unmapped -- \"rbd unmap\" would inevitably\nhang in D state on an attempt to grab the mutex.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23047",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: call skb_orphan() before skb_attempt_defer_free()\n\nStandard UDP receive path does not use skb->destructor.\n\nBut skmsg layer does use it, since it calls skb_set_owner_sk_safe()\nfrom udp_read_skb().\n\nThis then triggers this warning in skb_attempt_defer_free():\n\n    DEBUG_NET_WARN_ON_ONCE(skb->destructor);\n\nWe must call skb_orphan() to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23048",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel\n\nThe connector type for the DataImage SCF0700C48GGU18 panel is missing and\ndevm_drm_panel_bridge_add() requires connector type to be set. This leads\nto a warning and a backtrace in the kernel log and panel does not work:\n\"\nWARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8\n\"\nThe warning is triggered by a check for valid connector type in\ndevm_drm_panel_bridge_add(). If there is no valid connector type\nset for a panel, the warning is printed and panel is not added.\nFill in the missing connector type to fix the warning and make\nthe panel operational once again.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23049",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix a deadlock when returning a delegation during open()\n\nBen Coddington reports seeing a hang in the following stack trace:\n  0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415\n  1 [ffffd0b50e177548] schedule at ffffffff9ca05717\n  2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1\n  3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb\n  4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5\n  5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]\n  6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]\n  7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]\n  8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]\n  9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]\n 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]\n 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]\n 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]\n 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]\n 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]\n 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]\n 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]\n 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea\n 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e\n 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935\n\nThe issue is that the delegreturn is being asked to wait for a layout\nreturn that cannot complete because a state recovery was initiated. The\nstate recovery cannot complete until the open() finishes processing the\ndelegations it was given.\n\nThe solution is to propagate the existing flags that indicate a\nnon-blocking call to the function pnfs_roc(), so that it knows not to\nwait in this situation.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23050",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix drm panic null pointer when driver not support atomic\n\nWhen driver not support atomic, fb using plane->fb rather than\nplane->state->fb.\n\n(cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23051",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Do not over-allocate ftrace memory\n\nThe pg_remaining calculation in ftrace_process_locs() assumes that\nENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the\nallocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE\n(integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g.\n4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages)\nhave significantly more capacity than 256 * 170. This leads to pg_remaining\nbeing underestimated, which in turn makes skip (derived from skipped -\npg_remaining) larger than expected, causing the WARN(skip != remaining)\nto trigger.\n\nExtra allocated pages for ftrace: 2 with 654 skipped\nWARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0\n\nA similar problem in ftrace_allocate_records() can result in allocating\ntoo many pages. This can trigger the second warning in\nftrace_process_locs().\n\nExtra allocated pages for ftrace\nWARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580\n\nUse the actual capacity of a page group to determine the number of pages\nto allocate. Have ftrace_allocate_pages() return the number of allocated\npages to avoid having to calculate it. Use the actual page group capacity\nwhen validating the number of unused pages due to skipped entries.\nDrop the definition of ENTRIES_PER_PAGE since it is no longer used.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23052",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a deadlock involving nfs_release_folio()\n\nWang Zhaolong reports a deadlock involving NFSv4.1 state recovery\nwaiting on kthreadd, which is attempting to reclaim memory by calling\nnfs_release_folio(). The latter cannot make progress due to state\nrecovery being needed.\n\nIt seems that the only safe thing to do here is to kick off a writeback\nof the folio, without waiting for completion, or else kicking off an\nasynchronous commit.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23053",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hv_netvsc: reject RSS hash key programming without RX indirection table\n\nRSS configuration requires a valid RX indirection table. When the device\nreports a single receive queue, rndis_filter_device_add() does not\nallocate an indirection table, accepting RSS hash key updates in this\nstate leads to a hang.\n\nFix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return\n-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device\ncapabilities and prevents incorrect behavior.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23054",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: riic: Move suspend handling to NOIRQ phase\n\nCommit 53326135d0e0 (\"i2c: riic: Add suspend/resume support\") added\nsuspend support for the Renesas I2C driver and following this change\non RZ/G3E the following WARNING is seen on entering suspend ...\n\n[  134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[  134.285536] ------------[ cut here ]------------\n[  134.290298] i2c i2c-2: Transfer while suspended\n[  134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388\n[  134.365507] Tainted: [W]=WARN\n[  134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT)\n[  134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214\n[  134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214\n[  134.391717] sp : ffff800083f23860\n[  134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60\n[  134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001\n[  134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936\n[  134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006\n[  134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280\n[  134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09\n[  134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8\n[  134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000\n[  134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000\n[  134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80\n[  134.466851] Call trace:\n[  134.469311]  __i2c_smbus_xfer+0x1e4/0x214 (P)\n[  134.473715]  i2c_smbus_xfer+0xbc/0x120\n[  134.477507]  i2c_smbus_read_byte_data+0x4c/0x84\n[  134.482077]  isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208]\n[  134.487703]  isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208]\n[  134.493226]  __rtc_read_time+0x44/0x88\n[  134.497012]  rtc_read_time+0x3c/0x68\n[  134.500622]  rtc_suspend+0x9c/0x170\n\nThe warning is triggered because I2C transfers can still be attempted\nwhile the controller is already suspended, due to inappropriate ordering\nof the system sleep callbacks.\n\nIf the controller is autosuspended, there is no way to wake it up once\nruntime PM disabled (in suspend_late()). During system resume, the I2C\ncontroller will be available only after runtime PM is re-enabled\n(in resume_early()). However, this may be too late for some devices.\n\nWake up the controller in the suspend() callback while runtime PM is\nstill enabled. The I2C controller will remain available until the\nsuspend_noirq() callback (pm_runtime_force_suspend()) is called. During\nresume, the I2C controller can be restored by the resume_noirq() callback\n(pm_runtime_force_resume()). Finally, the resume() callback re-enables\nautosuspend. As a result, the I2C controller can remain available until\nthe system enters suspend_noirq() and from resume_noirq().",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23055",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: implement mremap in uacce_vm_ops to return -EPERM\n\nThe current uacce_vm_ops does not support the mremap operation of\nvm_operations_struct. Implement .mremap to return -EPERM to remind\nusers.\n\nThe reason we need to explicitly disable mremap is that when the\ndriver does not implement .mremap, it uses the default mremap\nmethod. This could lead to a risk scenario:\n\nAn application might first mmap address p1, then mremap to p2,\nfollowed by munmap(p1), and finally munmap(p2). Since the default\nmremap copies the original vma's vm_private_data (i.e., q) to the\nnew vma, both munmap operations would trigger vma_close, causing\nq->qfr to be freed twice(qfr will be set to null here, so repeated\nrelease is ok).",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23056",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Coalesce only linear skb\n\nvsock/virtio common tries to coalesce buffers in rx queue: if a linear skb\n(with a spare tail room) is followed by a small skb (length limited by\nGOOD_COPY_LEN = 128), an attempt is made to join them.\n\nSince the introduction of MSG_ZEROCOPY support, assumption that a small skb\nwill always be linear is incorrect. In the zerocopy case, data is lost and\nthe linear skb is appended with uninitialized kernel memory.\n\nOf all 3 supported virtio-based transports, only loopback-transport is\naffected. G2H virtio-transport rx queue operates on explicitly linear skbs;\nsee virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G\nvhost-transport may allocate non-linear skbs, but only for sizes that are\nnot considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in\nvirtio_vsock_alloc_skb().\n\nEnsure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0\nguarantees last_skb is linear.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23057",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn ems_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nems_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in ems_usb_close().\n\nFix the memory leak by anchoring the URB in the\nems_usb_read_bulk_callback() to the dev->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23058",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Sanitize payload size to prevent member overflow\n\nIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size\nreported by firmware is used to calculate the copy length into\nitem->iocb. However, the iocb member is defined as a fixed-size 64-byte\narray within struct purex_item.\n\nIf the reported frame_size exceeds 64 bytes, subsequent memcpy calls will\noverflow the iocb member boundary. While extra memory might be allocated,\nthis cross-member write is unsafe and triggers warnings under\nCONFIG_FORTIFY_SOURCE.\n\nFix this by capping total_bytes to the size of the iocb member (64 bytes)\nbefore allocation and copying. This ensures all copies remain within the\nbounds of the destination structure member.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23059",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23060",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev->rx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23061",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro\n\nThe GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs\nattributes:\n\n1. Off-by-one error: The loop condition used '<=' instead of '<',\n   causing access beyond array bounds. Since array indices are 0-based\n   and go from 0 to instances_count-1, the loop should use '<'.\n\n2. Missing NULL check: The code dereferenced attr_name_kobj->name\n   without checking if attr_name_kobj was NULL, causing a null pointer\n   dereference in min_length_show() and other attribute show functions.\n\nThe panic occurred when fwupd tried to read BIOS configuration attributes:\n\n  Oops: general protection fault [#1] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]\n\nAdd a NULL check for attr_name_kobj before dereferencing and corrects\nthe loop boundary to match the pattern used elsewhere in the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23062",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: ensure safe queue release with state management\n\nDirectly calling `put_queue` carries risks since it cannot\nguarantee that resources of `uacce_queue` have been fully released\nbeforehand. So adding a `stop_queue` operation for the\nUACCE_CMD_PUT_Q command and leaving the `put_queue` operation to\nthe final resource release ensures safety.\n\nQueue states are defined as follows:\n- UACCE_Q_ZOMBIE: Initial state\n- UACCE_Q_INIT: After opening `uacce`\n- UACCE_Q_STARTED: After `start` is issued via `ioctl`\n\nWhen executing `poweroff -f` in virt while accelerator are still\nworking, `uacce_fops_release` and `uacce_remove` may execute\nconcurrently. This can cause `uacce_put_queue` within\n`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add\nstate checks to prevent accessing freed pointers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23063",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: avoid possible NULL deref\n\ntcf_ife_encode() must make sure ife_encode() does not return NULL.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166\nCPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)\nCall Trace:\n <TASK>\n  ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101\n  tcf_ife_encode net/sched/act_ife.c:841 [inline]\n  tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877\n  tc_act include/net/tc_wrapper.h:130 [inline]\n  tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152\n  tcf_exts_exec include/net/pkt_cls.h:349 [inline]\n  mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42\n  tc_classify include/net/tc_wrapper.h:197 [inline]\n  __tcf_classify net/sched/cls_api.c:1764 [inline]\n  tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860\n  multiq_classify net/sched/sch_multiq.c:39 [inline]\n  multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66\n  dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147\n  __dev_xmit_skb net/core/dev.c:4262 [inline]\n  __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23064",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: Fix memory leak in wbrf_record()\n\nThe tmp buffer is allocated using kcalloc() but is not freed if\nacpi_evaluate_dsm() fails. This causes a memory leak in the error path.\n\nFix this by explicitly freeing the tmp buffer in the error handling\npath of acpi_evaluate_dsm().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23065",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix recvmsg() unconditional requeue\n\nIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at\nthe front of the recvmsg queue already has its mutex locked, it requeues\nthe call - whether or not the call is already queued.  The call may be on\nthe queue because MSG_PEEK was also passed and so the call was not dequeued\nor because the I/O thread requeued it.\n\nThe unconditional requeue may then corrupt the recvmsg queue, leading to\nthings like UAFs or refcount underruns.\n\nFix this by only requeuing the call if it isn't already on the queue - and\nmoving it to the front if it is already queued.  If we don't queue it, we\nhave to put the ref we obtained by dequeuing it.\n\nAlso, MSG_PEEK doesn't dequeue the call so shouldn't call\nrxrpc_notify_socket() for the call if we didn't use up all the data on the\nqueue, so fix that also.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23066",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/io-pgtable-arm: fix size_t signedness bug in unmap path\n\n__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative\nerror code) when encountering an unmapped PTE. Since size_t is unsigned,\n-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE\non 64-bit systems).\n\nThis corrupted value propagates through the call chain:\n  __arm_lpae_unmap() returns -ENOENT as size_t\n  -> arm_lpae_unmap_pages() returns it\n  -> __iommu_unmap() adds it to iova address\n  -> iommu_pgsize() triggers BUG_ON due to corrupted iova\n\nThis can cause IOVA address overflow in __iommu_unmap() loop and\ntrigger BUG_ON in iommu_pgsize() from invalid address alignment.\n\nFix by returning 0 instead of -ENOENT. The WARN_ON already signals\nthe error condition, and returning 0 (meaning \"nothing unmapped\")\nis the correct semantic for size_t return type. This matches the\nbehavior of other io-pgtable implementations (io-pgtable-arm-v7s,\nio-pgtable-dart) which return 0 on error conditions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23067",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23068",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential underflow in virtio_transport_get_credit()\n\nThe credit calculation in virtio_transport_get_credit() uses unsigned\narithmetic:\n\n  ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);\n\nIf the peer shrinks its advertised buffer (peer_buf_alloc) while bytes\nare in flight, the subtraction can underflow and produce a large\npositive value, potentially allowing more data to be queued than the\npeer can handle.\n\nReuse virtio_transport_has_space() which already handles this case and\nadd a comment to make it clear why we are doing that.\n\n[Stefano: use virtio_transport_has_space() instead of duplicating the code]\n[Stefano: tweak the commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23069",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nOcteontx2-af: Add proper checks for fwdata\n\nfirmware populates MAC address, link modes (supported, advertised)\nand EEPROM data in shared firmware structure which kernel access\nvia MAC block(CGX/RPM).\n\nAccessing fwdata, on boards booted with out MAC block leading to\nkernel panics.\n\nInternal error: Oops: 0000000096000005 [#1]  SMP\n[   10.460721] Modules linked in:\n[   10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT\n[   10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT)\n[   10.479793] Workqueue: events work_for_cpu_fn\n[   10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   10.491124] pc : rvu_sdp_init+0x18/0x114\n[   10.495051] lr : rvu_probe+0xe58/0x1d18",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23070",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: Fix race condition in hwspinlock irqsave routine\n\nPreviously, the address of the shared member '&map->spinlock_flags' was\npassed directly to 'hwspin_lock_timeout_irqsave'. This creates a race\ncondition where multiple contexts contending for the lock could overwrite\nthe shared flags variable, potentially corrupting the state for the\ncurrent lock owner.\n\nFix this by using a local stack variable 'flags' to store the IRQ state\ntemporarily.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23071",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Fix memleak in l2tp_udp_encap_recv().\n\nsyzbot reported memleak of struct l2tp_session, l2tp_tunnel,\nsock, etc. [0]\n\nThe cited commit moved down the validation of the protocol\nversion in l2tp_udp_encap_recv().\n\nThe new place requires an extra error handling to avoid the\nmemleak.\n\nLet's call l2tp_session_put() there.\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88810a290200 (size 512):\n  comm \"syz.0.17\", pid 6086, jiffies 4294944299\n  hex dump (first 32 bytes):\n    7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00  }...............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc babb6a4f):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    __do_kmalloc_node mm/slub.c:5656 [inline]\n    __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669\n    kmalloc_noprof include/linux/slab.h:961 [inline]\n    kzalloc_noprof include/linux/slab.h:1094 [inline]\n    l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778\n    pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755\n    __sys_connect_file+0x7a/0xb0 net/socket.c:2089\n    __sys_connect+0xde/0x110 net/socket.c:2108\n    __do_sys_connect net/socket.c:2114 [inline]\n    __se_sys_connect net/socket.c:2111 [inline]\n    __x64_sys_connect+0x1c/0x30 net/socket.c:2111\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23072",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Fix memory corruption due to not set vif driver data size\n\nThe struct ieee80211_vif contains trailing space for vif driver data,\nwhen struct ieee80211_vif is allocated, the total memory size that is\nallocated is sizeof(struct ieee80211_vif) + size of vif driver data.\nThe size of vif driver data is set by each WiFi driver as needed.\n\nThe RSI911x driver does not set vif driver data size, no trailing space\nfor vif driver data is therefore allocated past struct ieee80211_vif .\nThe RSI911x driver does however use the vif driver data to store its\nvif driver data structure \"struct vif_priv\". An access to vif->drv_priv\nleads to access out of struct ieee80211_vif bounds and corruption of\nsome memory.\n\nIn case of the failure observed locally, rsi_mac80211_add_interface()\nwould write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;\nvif_info->vap_id = vap_idx. This write corrupts struct fq_tin member\nstruct list_head new_flows . The flow = list_first_entry(head, struct\nfq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus\naddress, which when accessed causes a crash.\n\nThe trigger is very simple, boot the machine with init=/bin/sh , mount\ndevtmpfs, sysfs, procfs, and then do \"ip link set wlan0 up\", \"sleep 1\",\n\"ip link set wlan0 down\" and the crash occurs.\n\nFix this by setting the correct size of vif driver data, which is the\nsize of \"struct vif_priv\", so that memory is allocated and the driver\ncan store its driver data in it, instead of corrupting memory around\nit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23073",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n  \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n  \u2514\u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql's enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch->q.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2's lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem's delay), a dangling pointer is\naccessed causing GangMin's causing a UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23074",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn esd_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nesd_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in esd_usb_close().\n\nFix the memory leak by anchoring the URB in the\nesd_usb_read_bulk_callback() to the dev->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23075",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix potential OOB access in audio mixer handling\n\nIn the audio mixer handling code of ctxfi driver, the conf field is\nused as a kind of loop index, and it's referred in the index callbacks\n(amixer_index() and sum_index()).\n\nAs spotted recently by fuzzers, the current code causes OOB access at\nthose functions.\n| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48\n| index 8 is out of range for type 'unsigned char [8]'\n\nAfter the analysis, the cause was found to be the lack of the proper\n(re-)initialization of conj field.\n\nThis patch addresses those OOB accesses by adding the proper\ninitializations of the loop indices.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23076",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge\n\nPatch series \"mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted\nmerge\", v2.\n\nCommit 879bca0a2c4f (\"mm/vma: fix incorrectly disallowed anonymous VMA\nmerges\") introduced the ability to merge previously unavailable VMA merge\nscenarios.\n\nHowever, it is handling merges incorrectly when it comes to mremap() of a\nfaulted VMA adjacent to an unfaulted VMA.  The issues arise in three\ncases:\n\n1. Previous VMA unfaulted:\n\n              copied -----|\n                          v\n\t|-----------|.............|\n\t| unfaulted |(faulted VMA)|\n\t|-----------|.............|\n\t     prev\n\n2. Next VMA unfaulted:\n\n              copied -----|\n                          v\n\t            |.............|-----------|\n\t            |(faulted VMA)| unfaulted |\n                    |.............|-----------|\n\t\t                      next\n\n3. Both adjacent VMAs unfaulted:\n\n              copied -----|\n                          v\n\t|-----------|.............|-----------|\n\t| unfaulted |(faulted VMA)| unfaulted |\n\t|-----------|.............|-----------|\n\t     prev                      next\n\nThis series fixes each of these cases, and introduces self tests to assert\nthat the issues are corrected.\n\nI also test a further case which was already handled, to assert that my\nchanges continues to correctly handle it:\n\n4. 
prev unfaulted, next faulted:\n\n              copied -----|\n                          v\n\t|-----------|.............|-----------|\n\t| unfaulted |(faulted VMA)|  faulted  |\n\t|-----------|.............|-----------|\n\t     prev                      next\n\nThis bug was discovered via a syzbot report, linked to in the first patch\nin the series, I confirmed that this series fixes the bug.\n\nI also discovered that we are failing to check that the faulted VMA was\nnot forked when merging a copied VMA in cases 1-3 above, an issue this\nseries also addresses.\n\nI also added self tests to assert that this is resolved (and confirmed\nthat the tests failed prior to this).\n\nI also cleaned up vma_expand() as part of this work, renamed\nvma_had_uncowed_parents() to vma_is_fork_child() as the previous name was\nunduly confusing, and simplified the comments around this function.\n\n\nThis patch (of 4):\n\nCommit 879bca0a2c4f (\"mm/vma: fix incorrectly disallowed anonymous VMA\nmerges\") introduced the ability to merge previously unavailable VMA merge\nscenarios.\n\nThe key piece of logic introduced was the ability to merge a faulted VMA\nimmediately next to an unfaulted VMA, which relies upon dup_anon_vma() to\ncorrectly handle anon_vma state.\n\nIn the case of the merge of an existing VMA (that is changing properties\nof a VMA and then merging if those properties are shared by adjacent\nVMAs), dup_anon_vma() is invoked correctly.\n\nHowever in the case of the merge of a new VMA, a corner case peculiar to\nmremap() was missed.\n\nThe issue is that vma_expand() only performs dup_anon_vma() if the target\n(the VMA that will ultimately become the merged VMA): is not the next VMA,\ni.e.  
the one that appears after the range in which the new VMA is to be\nestablished.\n\nA key insight here is that in all other cases other than mremap(), a new\nVMA merge either expands an existing VMA, meaning that the target VMA will\nbe that VMA, or would have anon_vma be NULL.\n\nSpecifically:\n\n* __mmap_region() - no anon_vma in place, initial mapping.\n* do_brk_flags() - expanding an existing VMA.\n* vma_merge_extend() - expanding an existing VMA.\n* relocate_vma_down() - no anon_vma in place, initial mapping.\n\nIn addition, we are in the unique situation of needing to duplicate\nanon_vma state from a VMA that is neither the previous or next VMA being\nmerged with.\n\ndup_anon_vma() deals exclusively with the target=unfaulted, src=faulted\ncase.  This leaves four possibilities, in each case where the copied VMA\nis faulted:\n\n1. Previous VMA unfaulted:\n\n              copied -----|\n                       \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23077",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Fix buffer overflow in config retrieval\n\nThe scarlett2_usb_get_config() function has a logic error in the\nendianness conversion code that can cause buffer overflows when\ncount > 1.\n\nThe code checks `if (size == 2)` where `size` is the total buffer size in\nbytes, then loops `count` times treating each element as u16 (2 bytes).\nThis causes the loop to access `count * 2` bytes when the buffer only\nhas `size` bytes allocated.\n\nFix by checking the element size (config_item->size) instead of the\ntotal buffer size. This ensures the endianness conversion matches the\nactual element type.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23078",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify()\n\nOn error handling paths, lineinfo_changed_notify() doesn't free the\nallocated resources which results leaks.  Fix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23079",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23080",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: intel-xway: fix OF node refcount leakage\n\nAutomated review spotted am OF node reference count leakage when\nchecking if the 'leds' child node exists.\n\nCall of_put_node() to correctly maintain the refcount.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23081",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error\n\nIn commit 7352e1d5932a (\"can: gs_usb: gs_usb_receive_bulk_callback(): fix\nURB memory leak\"), the URB was re-anchored before usb_submit_urb() in\ngs_usb_receive_bulk_callback() to prevent a leak of this URB during\ncleanup.\n\nHowever, this patch did not take into account that usb_submit_urb() could\nfail. The URB remains anchored and\nusb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops\ninfinitely since the anchor list never becomes empty.\n\nTo fix the bug, unanchor the URB when an usb_submit_urb() error occurs,\nalso print an info message.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23082",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.8"
        },
        {
          "id": "CVE-2026-23083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Don't allow 0 for FOU_ATTR_IPPROTO.\n\nfou_udp_recv() has the same problem mentioned in the previous\npatch.\n\nIf FOU_ATTR_IPPROTO is set to 0, skb is not freed by\nfou_udp_recv() nor \"resubmit\"-ted in ip_protocol_deliver_rcu().\n\nLet's forbid 0 for FOU_ATTR_IPPROTO.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23083",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23084",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by physical memory addresses above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the 'itt' object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit 'unsigned long'\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don't call virt_to_phys or similar interfaces. It's expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23085",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derive their TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host's own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer's\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n  Before:\n    MemFree:        ~61.6 GiB\n    Slab:           ~142 MiB\n    SUnreclaim:     ~117 MiB\n\n  After 32 high-credit connections:\n    MemFree:        ~61.5 GiB\n    Slab:           ~178 MiB\n    SUnreclaim:     ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n  - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n    socket based on the local vsk->buffer_* values; the remote side\n    cannot enlarge those queues beyond what the local endpoint\n    configured.\n\n  - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and\n    an MTU bound; there is no peer-controlled credit field comparable\n    to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n    kernel memory above those ring sizes.\n\n  - The loopback path reuses virtio_transport_common.c, so it\n    naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23086",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: xen: scsiback: Fix potential memory leak in scsiback_remove()\n\nMemory allocated for struct vscsiblk_info in scsiback_probe() is not\nfreed in scsiback_remove() leading to potential memory leaks on remove,\nas well as in the scsiback_probe() error paths. Fix that by freeing it\nin scsiback_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23087",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix crash on synthetic stacktrace field usage\n\nWhen creating a synthetic event based on an existing synthetic event that\nhad a stacktrace field and the new synthetic event used that field a\nkernel crash occurred:\n\n ~# cd /sys/kernel/tracing\n ~# echo 's:stack unsigned long stack[];' > dynamic_events\n ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger\n ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger\n\nThe above creates a synthetic event that takes a stacktrace when a task\nschedules out in a non-running state and passes that stacktrace to the\nsched_switch event when that task schedules back in. It triggers the\n\"stack\" synthetic event that has a stacktrace as its field (called \"stack\").\n\n ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events\n ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger\n ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger\n\nThe above makes another synthetic event called \"syscall_stack\" that\nattaches the first synthetic event (stack) to the sys_exit trace event and\nrecords the stacktrace from the stack event with the id of the system call\nthat is exiting.\n\nWhen enabling this event (or using it in a histogram):\n\n ~# echo 1 > events/synthetic/syscall_stack/enable\n\nProduces a kernel crash!\n\n BUG: unable to handle page fault for address: 0000000000400010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy)  Debian 6.16.3-1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:trace_event_raw_event_synth+0x90/0x380\n Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f\n RSP: 0018:ffffd2670388f958 EFLAGS: 00010202\n RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0\n RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50\n R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010\n R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90\n FS:  00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __tracing_map_insert+0x208/0x3a0\n  action_trace+0x67/0x70\n  event_hist_trigger+0x633/0x6d0\n  event_triggers_call+0x82/0x130\n  trace_event_buffer_commit+0x19d/0x250\n  trace_event_raw_event_sys_exit+0x62/0xb0\n  syscall_exit_work+0x9d/0x140\n  do_syscall_64+0x20a/0x2f0\n  ? trace_event_raw_event_sched_switch+0x12b/0x170\n  ? save_fpregs_to_fpstate+0x3e/0x90\n  ? _raw_spin_unlock+0xe/0x30\n  ? finish_task_switch.isra.0+0x97/0x2c0\n  ? __rseq_handle_notify_resume+0xad/0x4c0\n  ? __schedule+0x4b8/0xd00\n  ? restore_fpregs_from_fpstate+0x3c/0x90\n  ? switch_fpu_return+0x5b/0xe0\n  ? do_syscall_64+0x1ef/0x2f0\n  ? do_fault+0x2e9/0x540\n  ? __handle_mm_fault+0x7d1/0xf70\n  ? count_memcg_events+0x167/0x1d0\n  ? handle_mm_fault+0x1d7/0x2e0\n  ? do_user_addr_fault+0x2c3/0x7f0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reason is that the stacktrace field is not labeled as such, and is\ntreated as a normal field and not as a dynamic event that it is.\n\nIn trace_event_raw_event_synth() the event field is still treated as a\ndynamic array, but the retrieval of the data is considered a normal field,\nand the reference is just the meta data:\n\n// Meta data is retrieved instead of a dynamic array\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23088",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()\n\nWhen snd_usb_create_mixer() fails, snd_usb_mixer_free() frees\nmixer->id_elems but the controls already added to the card still\nreference the freed memory. Later when snd_card_register() runs,\nthe OSS mixer layer calls their callbacks and hits a use-after-free read.\n\nCall trace:\n  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411\n  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241\n  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381\n  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887\n  ...\n  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923\n  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025\n\nFix by calling snd_ctl_remove() for all mixer controls before freeing\nid_elems. We save the next pointer first because snd_ctl_remove()\nfrees the current element.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23089",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: core: fix device reference leak on report present\n\nSlimbus devices can be allocated dynamically upon reception of\nreport-present messages.\n\nMake sure to drop the reference taken when looking up already registered\ndevices.\n\nNote that this requires taking an extra reference in case the device has\nnot yet been registered and has to be allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23090",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: fix device leak on output open()\n\nMake sure to drop the reference taken when looking up the th device\nduring output device open() on errors and on close().\n\nNote that a recent commit fixed the leak in a couple of open() error\npaths but not all of them, and the reference is still leaking on\nsuccessful open().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23091",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source\n\nWhen simple_write_to_buffer() succeeds, it returns the number of bytes\nactually copied to the buffer. The code incorrectly uses 'count'\nas the index for null termination instead of the actual bytes copied.\nIf count exceeds the buffer size, this leads to out-of-bounds write.\nAdd a check for the count and use the return value as the index.\n\nThe bug was validated using a demo module that mirrors the original\ncode and was tested under QEMU.\n\nPattern of the bug:\n- A fixed 64-byte stack buffer is filled using count.\n- If count > 64, the code still does buf[count] = '\\0', causing an\n  out-of-bounds write on the stack.\n\nSteps to reproduce:\n- Opens the device node.\n- Writes 128 bytes of A to it.\n- This overflows the 64-byte stack buffer and KASAN reports the OOB.\n\nFound via static analysis. This is similar to the\ncommit da9374819eb3 (\"iio: backend: fix out-of-bound write\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23092",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: smbd: fix dma_unmap_sg() nents\n\nThe dma_unmap_sg() functions should be called with the same nents as the\ndma_map_sg(), not the value the map function returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23093",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix isolate sysfs check condition\n\nuacce supports the device isolation feature. If the driver\nimplements the isolate_err_threshold_read and\nisolate_err_threshold_write callback functions, uacce will create\nsysfs files now. Users can read and configure the isolation policy\nthrough sysfs. Currently, sysfs files are created as long as either\nisolate_err_threshold_read or isolate_err_threshold_write callback\nfunctions are present.\n\nHowever, accessing a non-existent callback function may cause the\nsystem to crash. Therefore, intercept the creation of sysfs if\nneither read nor write exists; create sysfs if either is supported,\nbut intercept unsupported operations at the call site.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23094",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr->proto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet's drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n  * no error\n  * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n  comm \"syz.0.17\", pid 6088, jiffies 4294943096\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............\n  backtrace (crc a84b336f):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n    __build_skb+0x23/0x60 net/core/skbuff.c:474\n    build_skb+0x20/0x190 net/core/skbuff.c:490\n    __tun_build_skb drivers/net/tun.c:1541 [inline]\n    tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n    tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n    tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n    new_sync_write fs/read_write.c:593 [inline]\n    vfs_write+0x45d/0x710 fs/read_write.c:686\n    ksys_write+0xa7/0x170 fs/read_write.c:738\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23095",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix cdev handling in the cleanup path\n\nWhen cdev_device_add fails, it internally releases the cdev memory,\nand if cdev_device_del is then executed, it will cause a hang error.\nTo fix it, we check the return value of cdev_device_add() and clear\nuacce->cdev to avoid calling cdev_device_del in the uacce_remove.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23096",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n  -> migrate_hugetlbs()\n    -> unmap_and_move_huge_page()     <- Takes folio_lock!\n      -> remove_migration_ptes()\n        -> __rmap_walk_file()\n          -> i_mmap_lock_read()       <- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n  -> hugetlbfs_punch_hole()           <- Takes i_mmap_rwsem(write lock)!\n    -> hugetlbfs_zero_partial_page()\n     -> filemap_lock_hugetlb_folio()\n      -> filemap_lock_folio()\n        -> __filemap_get_folio        <- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c.  So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79.  That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23097",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix double-free in nr_route_frame()\n\nIn nr_route_frame(), old_skb is immediately freed without checking if\nnr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,\nthe caller function will free old_skb again, causing a double-free bug.\n\nTherefore, to prevent this, we need to modify it to check whether\nnr_neigh->ax25 is NULL before freeing old_skb.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23098",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: limit BOND_MODE_8023AD to Ethernet devices\n\nBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.\n\nsyzbot reported:\n\n BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\nRead of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497\n\nCPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G             L      syzkaller #0 PREEMPT(full)\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n <TASK>\n  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xca/0x240 mm/kasan/report.c:482\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n  kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  __hw_addr_create net/core/dev_addr_lists.c:63 [inline]\n  __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118\n  __dev_mc_add net/core/dev_addr_lists.c:868 [inline]\n  dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886\n  bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180\n  do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963\n  do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165\n  rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n  __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n  rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072\n  rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958\n  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550\n  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n  netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344\n  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894\n  sock_sendmsg_nosec net/socket.c:727 [inline]\n  __sock_sendmsg+0x21c/0x270 net/socket.c:742\n  ____sys_sendmsg+0x505/0x820 net/socket.c:2592\n  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646\n  __sys_sendmsg+0x164/0x220 net/socket.c:2678\n  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n  __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307\n  do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n </TASK>\n\nThe buggy address belongs to the variable:\n lacpdu_mcast_addr+0x0/0x40",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23099",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl.  using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that's all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount.  Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc->pt_share_count to identify\nsharing.\n\nWe didn't convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive.  In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23100",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-class: Only Add LED to leds_list when it is fully ready\n\nBefore this change the LED was added to leds_list before led_init_core()\ngets called adding it the list before led_classdev.set_brightness_work gets\ninitialized.\n\nThis leaves a window where led_trigger_register() of a LED's default\ntrigger will call led_trigger_set() which calls led_set_brightness()\nwhich in turn will end up queueing the *uninitialized*\nled_classdev.set_brightness_work.\n\nThis race gets hit by the lenovo-thinkpad-t14s EC driver which registers\n2 LEDs with a default trigger provided by snd_ctl_led.ko in quick\nsuccession. The first led_classdev_register() causes an async modprobe of\nsnd_ctl_led to run and that async modprobe manages to exactly hit\nthe window where the second LED is on the leds_list without led_init_core()\nbeing called for it, resulting in:\n\n ------------[ cut here ]------------\n WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390\n Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025\n ...\n Call trace:\n  __flush_work+0x344/0x390 (P)\n  flush_work+0x2c/0x50\n  led_trigger_set+0x1c8/0x340\n  led_trigger_register+0x17c/0x1c0\n  led_trigger_register_simple+0x84/0xe8\n  snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]\n  do_one_initcall+0x5c/0x318\n  do_init_module+0x9c/0x2b8\n  load_module+0x7e0/0x998\n\nClose the race window by moving the adding of the LED to leds_list to\nafter the led_init_core() call.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23101",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Fix restoration of SVE context\n\nWhen SME is supported, restoring SVE signal context can go wrong in a\nfew ways, including placing the task into an invalid state where the\nkernel may read from out-of-bounds memory (and may potentially take a\nfatal fault) and/or may kill the task with a SIGKILL.\n\n(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into\n    an invalid state where SVCR.SM is set (and sve_state is non-NULL)\n    but TIF_SME is clear, consequently resulting in out-of-bounds memory\n    reads and/or killing the task with SIGKILL.\n\n    This can only occur in unusual (but legitimate) cases where the SVE\n    signal context has either been modified by userspace or was saved in\n    the context of another task (e.g. as with CRIU), as otherwise the\n    presence of an SVE signal context with SVE_SIG_FLAG_SM implies that\n    TIF_SME is already set.\n\n    While in this state, task_fpsimd_load() will NOT configure SMCR_ELx\n    (leaving some arbitrary value configured in hardware) before\n    restoring SVCR and attempting to restore the streaming mode SVE\n    registers from memory via sve_load_state(). As the value of\n    SMCR_ELx.LEN may be larger than the task's streaming SVE vector\n    length, this may read memory outside of the task's allocated\n    sve_state, reading unrelated data and/or triggering a fault.\n\n    While this can result in secrets being loaded into streaming SVE\n    registers, these values are never exposed. As TIF_SME is clear,\n    fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0\n    accesses to streaming mode SVE registers, so these cannot be\n    accessed directly at EL0. As fpsimd_save_user_state() verifies the\n    live vector length before saving (S)SVE state to memory, no secret\n    values can be saved back to memory (and hence cannot be observed via\n    ptrace, signals, etc).\n\n    When the live vector length doesn't match the expected vector length\n    for the task, fpsimd_save_user_state() will send a fatal SIGKILL\n    signal to the task. Hence the task may be killed after executing\n    userspace for some period of time.\n\n(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the\n    task's SVCR.SM. If SVCR.SM was set prior to restoring the context,\n    then the task will be left in streaming mode unexpectedly, and some\n    register state will be combined inconsistently, though the task will\n    be left in legitimate state from the kernel's PoV.\n\n    This can only occur in unusual (but legitimate) cases where ptrace\n    has been used to set SVCR.SM after entry to the sigreturn syscall,\n    as syscall entry clears SVCR.SM.\n\n    In these cases, the provided SVE register data will be loaded\n    into the task's sve_state using the non-streaming SVE vector length\n    and the FPSIMD registers will be merged into this using the\n    streaming SVE vector length.\n\nFix (1) by setting TIF_SME when setting SVCR.SM. This also requires\nensuring that the task's sme_state has been allocated, but as this could\ncontain live ZA state, it should not be zeroed. Fix (2) by clearing\nSVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.\n\nFor consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,\nand fp_type earlier, immediately after the allocation of\nsve_state/sme_state, before the restore of the actual register state.\nThis makes it easier to ensure that these are always modified\nconsistently, even if a fault is taken while reading the register data\nfrom the signal context. I do not expect any software to depend on the\nexact state restored when a fault is taken while reading the context.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23102",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it's highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPUs simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port->ipvlans + ipvlan->addrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since it looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan->addrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23103",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix devlink reload call trace\n\nCommit 4da71a77fc3b (\"ice: read internal temperature sensor\") introduced\ninternal temperature sensor reading via HWMON. ice_hwmon_init() was added\nto ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a\nresult if devlink reload is used to reinit the device and then the driver\nis removed, a call trace can occur.\n\nBUG: unable to handle page fault for address: ffffffffc0fd4b5d\nCall Trace:\n string+0x48/0xe0\n vsnprintf+0x1f9/0x650\n sprintf+0x62/0x80\n name_show+0x1f/0x30\n dev_attr_show+0x19/0x60\n\nThe call trace repeats approximately every 10 minutes when system\nmonitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs\nattributes that reference freed module memory.\n\nThe sequence is:\n1. Driver load, ice_hwmon_init() gets called from ice_init_feature()\n2. Devlink reload down, flow does not call ice_remove()\n3. Devlink reload up, ice_hwmon_init() gets called from\n   ice_init_feature() resulting in a second instance\n4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the\n   first hwmon instance orphaned with dangling pointer\n\nFix this by moving ice_hwmon_exit() from ice_remove() to\nice_deinit_features() to ensure proper cleanup symmetry with\nice_hwmon_init().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23104",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag\n\nThis is more of a preventive patch to make the code more consistent and\nto prevent possible exploits that employ child qlen manipulations on qfq.\nUse cl_is_active instead of relying on the child qdisc's qlen to determine\nclass activation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23105",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimekeeping: Adjust the leap state for the correct auxiliary timekeeper\n\nWhen __do_adjtimex() was introduced to handle adjtimex for any\ntimekeeper, this reference to tk_core was not updated. When called on an\nauxiliary timekeeper, the core timekeeper would be updated incorrectly.\n\nThis gets caught by the lock debugging diagnostics because the\ntimekeeper's sequence lock gets written to without holding its\nassociated spinlock:\n\nWARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125\naux_clock_adj (kernel/time/timekeeping.c:2979)\n__do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nUpdate the correct auxiliary timekeeper.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23106",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn't attempt to allocate the task's\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask's sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n|   ESR = 0x0000000096000046\n|   EC = 0x25: DABT (current EL), IL = 32 bits\n|   SET = 0, FnV = 0\n|   EA = 0, S1PTW = 0\n|   FSC = 0x06: level 2 translation fault\n| Data abort info:\n|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1]  SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n|  sve_save_state+0x4/0xf0 (P)\n|  fpsimd_thread_switch+0x48/0x198\n|  __switch_to+0x20/0x1c0\n|  __schedule+0x36c/0xce0\n|  schedule+0x34/0x11c\n|  exit_to_user_mode_loop+0x124/0x188\n|  el0_interrupt+0xc8/0xd8\n|  __el0_irq_handler_common+0x18/0x24\n|  el0t_64_irq_handler+0x10/0x1c\n|  el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task's sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23107",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23108",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()\n\nAbove the while() loop in wait_sb_inodes(), we document that we must wait\nfor all pages under writeback for data integrity.  Consequently, if a\nmapping, like fuse, traditionally does not have data integrity semantics,\nthere is no need to wait at all; we can simply skip these inodes.\n\nThis restores fuse back to prior behavior where syncs are no-ops.  This\nfixes a user regression where if a system is running a faulty fuse server\nthat does not reply to issued write requests, this causes wait_sb_inodes()\nto wait forever.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23109",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Wake up the error handler when final completions race against each other\n\nThe fragile ordering between marking commands completed or failed so\nthat the error handler only wakes when the last running command\ncompletes or times out has race conditions. These race conditions can\ncause the SCSI layer to fail to wake the error handler, leaving I/O\nthrough the SCSI host stuck as the error state cannot advance.\n\nFirst, there is a memory ordering issue within scsi_dec_host_busy().\nThe write which clears SCMD_STATE_INFLIGHT may be reordered with reads\ncounting in scsi_host_busy(). While the local CPU will see its own\nwrite, reordering can allow other CPUs in scsi_dec_host_busy() or\nscsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to\nsee a host busy equal to the host_failed count.\n\nThis race condition can be prevented with a memory barrier on the error\npath to force the write to be visible before counting host busy\ncommands.\n\nSecond, there is a general ordering issue with scsi_eh_inc_host_failed(). By\ncounting busy commands before incrementing host_failed, it can race with a\nfinal command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does\nnot see host_failed incremented but scsi_eh_inc_host_failed() counts busy\ncommands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),\nresulting in neither waking the error handler task.\n\nThis needs the call to scsi_host_busy() to be moved after host_failed is\nincremented to close the race condition.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23110",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter->genmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain->use reference count. Each abort cycle\npermanently decrements chain->use. Once chain->use reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23111",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23112",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop\n\nCurrently this is checked before running the pending work. Normally this\nis quite fine, as work items either end up blocking (which will create a\nnew worker for other items), or they complete fairly quickly. But syzbot\nreports an issue where io-wq takes seemingly forever to exit, and with a\nbit of debugging, this turns out to be because it queues a bunch of big\n(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't\nsupport ->read_iter(), loop_rw_iter() ends up handling them. Each read\nreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch of\nthese pending, processing the whole chain can take a long time. Easily\nlonger than the syzbot uninterruptible sleep timeout of 140 seconds.\nThis then triggers a complaint off the io-wq exit path:\n\nINFO: task syz.4.135:6326 blocked for more than 143 seconds.\n      Not tainted syzkaller #0\n      Blocked by coredump.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz.4.135       state:D stack:26824 pid:6326  tgid:6324  ppid:5957   task_flags:0x400548 flags:0x00080000\nCall Trace:\n <TASK>\n context_switch kernel/sched/core.c:5256 [inline]\n __schedule+0x1139/0x6150 kernel/sched/core.c:6863\n __schedule_loop kernel/sched/core.c:6945 [inline]\n schedule+0xe7/0x3a0 kernel/sched/core.c:6960\n schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75\n do_wait_for_common kernel/sched/completion.c:100 [inline]\n __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121\n io_wq_exit_workers io_uring/io-wq.c:1328 [inline]\n io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356\n io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203\n io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651\n io_uring_files_cancel include/linux/io_uring.h:19 [inline]\n do_exit+0x2ce/0x2bd0 kernel/exit.c:911\n do_group_exit+0xd3/0x2a0 kernel/exit.c:1112\n get_signal+0x2671/0x26d0 kernel/signal.c:3034\n arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337\n __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]\n exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa02738f749\nRSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca\nRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749\nRDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098\nRBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98\n\nThere's really nothing wrong here, outside of processing these reads\nwill take a LONG time. However, we can speed up the exit by checking the\nIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will\nexit the ring after queueing up all of these reads. Then once the first\nitem is processed, io-wq will simply cancel the rest. That should avoid\nsyzbot running into this complaint again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23113",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: ptrace: Fix SVE writes on !SME systems\n\nWhen SVE is supported but SME is not supported, a ptrace write to the\nNT_ARM_SVE regset can place the tracee into an invalid state where\n(non-streaming) SVE register data is stored in FP_STATE_SVE format but\nTIF_SVE is clear. This can result in a later warning from\nfpsimd_restore_current_state(), e.g.\n\n  WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748\n\nWhen this happens, fpsimd_restore_current_state() will set TIF_SVE,\nplacing the task into the correct state. This occurs before any other\ncheck of TIF_SVE can possibly occur, as other checks of TIF_SVE only\nhappen while the FPSIMD/SVE/SME state is live. Thus, aside from the\nwarning, there is no functional issue.\n\nThis bug was introduced during rework to error handling in commit:\n\n  9f8bf718f2923 (\"arm64/fpsimd: ptrace: Gracefully handle errors\")\n\n... where the setting of TIF_SVE was moved into a block which is only\nexecuted when system_supports_sme() is true.\n\nFix this by removing the system_supports_sme() check. This ensures that\nTIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of\nunconditionally manipulating the tracee's saved svcr value. The\nmanipulation of svcr is benign and inexpensive, and we already do\nsimilar elsewhere (e.g. during signal handling), so I don't think it's\nworth guarding this with system_supports_sme() checks.\n\nAside from the above, there is no functional change. The 'type' argument\nto sve_set_common() is only set to ARM64_VEC_SME (in ssve_set()) when\nsystem_supports_sme(), so the ARM64_VEC_SME case in the switch statement\nis still unreachable when !system_supports_sme(). When\nCONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(),\nand the compiler can constant-fold for the case where type is\nARM64_VEC_SVE, removing the logic for other cases.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23114",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty->port race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty->port has to be configured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty->port warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  ------------[ cut here ]------------\n  tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!\n  WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n  Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S                  6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n  Tainted: [S]=CPU_OUT_OF_SPEC\n  Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n  ...\n  tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n  tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n  chrdev_open (fs/char_dev.c:411)\n  do_dentry_open (fs/open.c:962)\n  vfs_open (fs/open.c:1094)\n  do_open (fs/namei.c:4634)\n  path_openat (fs/namei.c:4793)\n  do_filp_open (fs/namei.c:4820)\n  do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n  ...\n  Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c):                  user-space:\n============================                  ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n  serial_core_register_port()\n   serial_core_add_one_port()\n    uart_configure_port()\n     register_console()\n    |\n    |                                         open console\n    |                                          ...\n    |                                          tty_init_dev()\n    |                                           driver->ports[idx] is NULL\n    |\n    tty_port_register_device_attr_serdev()\n     tty_port_link_device() <- set driver->ports[idx]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23115",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu\n\nFor i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset\nand clock enable bits, but is ungated and reset together with the VPUs.\nSo we can't reset G1 or G2 separately; it may lead to a system hang.\nRemove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.\nLet imx8mq_vpu_power_notifier() really do the VPU reset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23116",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: add missing ice_deinit_hw() in devlink reinit path\n\ndevlink-reload results in ice_init_hw failed error, and then removing\nthe ice driver causes a NULL pointer dereference.\n\n[  +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16\n...\n[  +0.000001] Call Trace:\n[  +0.000003]  <TASK>\n[  +0.000006]  ice_unload+0x8f/0x100 [ice]\n[  +0.000081]  ice_remove+0xba/0x300 [ice]\n\nCommit 1390b8b3d2be (\"ice: remove duplicate call to ice_deinit_hw() on\nerror paths\") removed ice_deinit_hw() from ice_deinit_dev(). As a result\nice_devlink_reinit_down() no longer calls ice_deinit_hw(), but\nice_devlink_reinit_up() still calls ice_init_hw(). Since the control\nqueues are not uninitialized, ice_init_hw() fails with -EBUSY.\n\nAdd ice_deinit_hw() to ice_devlink_reinit_down() to correspond with\nice_init_hw() in ice_devlink_reinit_up().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23117",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.8"
        },
        {
          "id": "CVE-2026-23118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix data-race warning and potential load/store tearing\n\nFix the following:\n\n        BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet\n\nwhich is reporting an issue with the reads and writes to ->last_tx_at in:\n\n        conn->peer->last_tx_at = ktime_get_seconds();\n\nand:\n\n        keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;\n\nThe lockless accesses to these two values aren't actually a problem as the\nread only needs an approximate time of last transmission for the purposes\nof deciding whether or not the transmission of a keepalive packet is\nwarranted yet.\n\nAlso, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit\narch.\n\nFix both of these by switching to an unsigned int for ->last_tx_at and only\nstoring the LSW of the time64_t.  It can then be reconstructed at need\nprovided no more than 68 years have elapsed since the last transmission.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23118",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: provide a net pointer to __skb_flow_dissect()\n\nAfter 3cbf4ffba5ee (\"net: plumb network namespace into __skb_flow_dissect\")\nwe have to provide a net pointer to __skb_flow_dissect(),\neither via skb->dev, skb->sk, or a user provided pointer.\n\nIn the following case, syzbot was able to cook a bare skb.\n\nWARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053\nCall Trace:\n <TASK>\n  bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline]\n  __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157\n  bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline]\n  bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline]\n  bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515\n  xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388\n  bpf_prog_run_xdp include/net/xdp.h:700 [inline]\n  bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421\n  bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390\n  bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703\n  __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182\n  __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]\n  __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]\n  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23119",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: avoid one data-race in l2tp_tunnel_del_work()\n\nWe should read sk->sk_socket only when dealing with kernel sockets.\n\nsyzbot reported the following data-race:\n\nBUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release\n\nwrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:\n  sk_set_socket include/net/sock.h:2092 [inline]\n  sock_orphan include/net/sock.h:2118 [inline]\n  sk_common_release+0xae/0x230 net/core/sock.c:4003\n  udp_lib_close+0x15/0x20 include/net/udp.h:325\n  inet_release+0xce/0xf0 net/ipv4/af_inet.c:437\n  __sock_release net/socket.c:662 [inline]\n  sock_close+0x6b/0x150 net/socket.c:1455\n  __fput+0x29b/0x650 fs/file_table.c:468\n  ____fput+0x1c/0x30 fs/file_table.c:496\n  task_work_run+0x131/0x1a0 kernel/task_work.c:233\n  resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n  __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]\n  exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75\n  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n  syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n  syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n  do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:\n  l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418\n  process_one_work kernel/workqueue.c:3257 [inline]\n  process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340\n  worker_thread+0x582/0x770 kernel/workqueue.c:3421\n  kthread+0x489/0x510 kernel/kthread.c:463\n  ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nvalue changed: 0xffff88811b818000 -> 0x0000000000000000",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23120",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: annotate data-race around dev->work\n\ndev->work can be read locklessly in mISDN_read()\nand mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.\n\nBUG: KCSAN: data-race in mISDN_ioctl / mISDN_read\n\nwrite to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:\n  misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline]\n  mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:597 [inline]\n  __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583\n  __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583\n  x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nread to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0:\n  mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112\n  do_loop_readv_writev fs/read_write.c:847 [inline]\n  vfs_readv+0x3fb/0x690 fs/read_write.c:1020\n  do_readv+0xe7/0x210 fs/read_write.c:1080\n  __do_sys_readv fs/read_write.c:1165 [inline]\n  __se_sys_readv fs/read_write.c:1162 [inline]\n  __x64_sys_readv+0x45/0x50 fs/read_write.c:1162\n  x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00000000 -> 0x00000001",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23121",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reduce TSN TX packet buffer from 7KB to 5KB per queue\n\nThe previous 7 KB per queue caused TX unit hangs under heavy\ntimestamping load. Reducing to 5 KB avoids these hangs and matches\nthe TSN recommendation in I225/I226 SW User Manual Section 7.5.4.\n\nThe 8 KB \"freed\" by this change is currently unused. This reduction\nis not expected to impact throughput, as the i226 is PCIe-limited\nfor small TSN packets rather than TX-buffer-limited.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23122",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: debugfs: initialize src_node and dst_node to empty strings\n\nThe debugfs_create_str() API assumes that the string pointer is either NULL\nor points to valid kmalloc() memory. Leaving the pointer uninitialized can\ncause problems.\n\nInitialize src_node and dst_node to empty strings before creating the\ndebugfs entries to guarantee that reads and writes are safe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23123",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: annotate data-race in ndisc_router_discovery()\n\nsyzbot found that ndisc_router_discovery() could read and write\nin6_dev->ra_mtu without holding a lock [1]\n\nThis looks fine, IFLA_INET6_RA_MTU is best effort.\n\nAdd READ_ONCE()/WRITE_ONCE() to document the race.\n\nNote that we might also reject illegal MTU values\n(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.\n\n[1]\nBUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery\n\nread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:\n  ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558\n  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nwrite to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:\n  ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559\n  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841\n  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989\n  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79\n...\n\nvalue changed: 0x00000000 -> 0xe5400659",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23124",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n  ==================================================================\n  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n  CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n  RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n  RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n  Call Trace:\n\n  sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n  sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n  sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n  sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n  sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n  sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n  sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n  sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while\nasoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should have been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23125",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: fix a race issue related to the operation on bpf_bound_progs list\n\nThe netdevsim driver lacks a protection mechanism for operations on the\nbpf_bound_progs list. When the nsim_bpf_create_prog() performs\nlist_add_tail, it is possible that nsim_bpf_destroy_prog() is\nsimultaneously performing list_del. Concurrent operations on the list may\nlead to list corruption and trigger a kernel crash as follows:\n\n[  417.290971] kernel BUG at lib/list_debug.c:62!\n[  417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1\n[  417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  417.291007] Workqueue: events bpf_prog_free_deferred\n[  417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0\n[  417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8\n[  417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246\n[  417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000\n[  417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180\n[  417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003\n[  417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20\n[  417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000\n[  417.291074] FS:  0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000\n[  417.291079] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0\n[  417.291088] PKRU: 55555554\n[  417.291091] Call Trace:\n[  417.291096]  <TASK>\n[  417.291103]  nsim_bpf_destroy_prog+0x31/0x80 [netdevsim]\n[  417.291154]  __bpf_prog_offload_destroy+0x2a/0x80\n[  417.291163]  bpf_prog_dev_bound_destroy+0x6f/0xb0\n[  417.291171]  bpf_prog_free_deferred+0x18e/0x1a0\n[  417.291178]  process_one_work+0x18a/0x3a0\n[  417.291188]  worker_thread+0x27b/0x3a0\n[  417.291197]  ? __pfx_worker_thread+0x10/0x10\n[  417.291207]  kthread+0xe5/0x120\n[  417.291214]  ? __pfx_kthread+0x10/0x10\n[  417.291221]  ret_from_fork+0x31/0x50\n[  417.291230]  ? __pfx_kthread+0x10/0x10\n[  417.291236]  ret_from_fork_asm+0x1a/0x30\n[  417.291246]  </TASK>\n\nAdd a mutex lock, to prevent simultaneous addition and deletion operations\non the list.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23126",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix refcount warning on event->mmap_count increment\n\nWhen calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the\nfollowing warning is triggered:\n\n        refcount_t: addition on 0; use-after-free.\n        WARNING: lib/refcount.c:25\n\nPoC:\n\n    struct perf_event_attr attr = {0};\n    int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n    int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n                         PERF_FLAG_FD_OUTPUT);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nThis occurs when creating a group member event with the flag\nPERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing\nthe event triggers the warning.\n\nSince the event has copied the output_event in perf_event_set_output(),\nevent->rb is set. As a result, perf_mmap_rb() calls\nrefcount_inc(&event->mmap_count) when event->mmap_count = 0.\n\nDisallow the case when event->mmap_count = 0. This also prevents two\nevents from updating the same user_page.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23127",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Set __nocfi on swsusp_arch_resume()\n\nA DABT is reported[1] on an android based system when resuming from hibernate.\nThis happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()\nand does not have a CFI hash, but swsusp_arch_resume() will attempt to\nverify the CFI hash when calling a copy of swsusp_arch_suspend_exit().\n\nGiven that there's an existing requirement that the entrypoint to\nswsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text\nsection, we cannot fix this by marking swsusp_arch_suspend_exit() with\nSYM_FUNC_*(). The simplest fix for now is to disable the CFI check in\nswsusp_arch_resume().\n\nMark swsusp_arch_resume() as __nocfi to disable the CFI check.\n\n[1]\n[   22.991934][    T1] Unable to handle kernel paging request at virtual address 0000000109170ffc\n[   22.991934][    T1] Mem abort info:\n[   22.991934][    T1]   ESR = 0x0000000096000007\n[   22.991934][    T1]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   22.991934][    T1]   SET = 0, FnV = 0\n[   22.991934][    T1]   EA = 0, S1PTW = 0\n[   22.991934][    T1]   FSC = 0x07: level 3 translation fault\n[   22.991934][    T1] Data abort info:\n[   22.991934][    T1]   ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n[   22.991934][    T1]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   22.991934][    T1]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   22.991934][    T1] [0000000109170ffc] user address but active_mm is swapper\n[   22.991934][    T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP\n[   22.991934][    T1] Dumping ftrace buffer:\n[   22.991934][    T1]    (ftrace buffer empty)\n[   22.991934][    T1] Modules linked in:\n[   22.991934][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419\n[   22.991934][    T1] Hardware name: Unisoc UMS9360-base Board (DT)\n[   22.991934][    T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   22.991934][    T1] pc : swsusp_arch_resume+0x2ac/0x344\n[   22.991934][    T1] lr : swsusp_arch_resume+0x294/0x344\n[   22.991934][    T1] sp : ffffffc08006b960\n[   22.991934][    T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000\n[   22.991934][    T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820\n[   22.991934][    T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000\n[   22.991934][    T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058\n[   22.991934][    T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004\n[   22.991934][    T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000\n[   22.991934][    T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000\n[   22.991934][    T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b\n[   22.991934][    T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530\n[   22.991934][    T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000\n[   22.991934][    T1] Call trace:\n[   22.991934][    T1]  swsusp_arch_resume+0x2ac/0x344\n[   22.991934][    T1]  hibernation_restore+0x158/0x18c\n[   22.991934][    T1]  load_image_and_restore+0xb0/0xec\n[   22.991934][    T1]  software_resume+0xf4/0x19c\n[   22.991934][    T1]  software_resume_initcall+0x34/0x78\n[   22.991934][    T1]  do_one_initcall+0xe8/0x370\n[   22.991934][    T1]  do_initcall_level+0xc8/0x19c\n[   22.991934][    T1]  do_initcalls+0x70/0xc0\n[   22.991934][    T1]  do_basic_setup+0x1c/0x28\n[   22.991934][    T1]  kernel_init_freeable+0xe0/0x148\n[   22.991934][    T1]  kernel_init+0x20/0x1a8\n[   22.991934][    T1]  ret_from_fork+0x10/0x20\n[   22.991934][    T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)\n\n[catalin.marinas@arm.com: commit log updated by Mark Rutland]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23128",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpll: Prevent duplicate registrations\n\nModify the internal registration helpers dpll_xa_ref_{dpll,pin}_add()\nto reject duplicate registration attempts.\n\nPreviously, if a caller attempted to register the same pin multiple\ntimes (with the same ops, priv, and cookie) on the same device, the core\nsilently increments the reference count and returns success. This behavior\nis incorrect because if the caller makes these duplicate registrations\nthen for the first one dpll_pin_registration is allocated and for others\nthe associated dpll_pin_ref.refcount is incremented. During the first\nunregistration the associated dpll_pin_registration is freed and for\nothers WARN is fired.\n\nFix this by updating the logic to return `-EEXIST` if a matching\nregistration is found to enforce a strict \"register once\" policy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23129",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dead lock while flushing management frames\n\nCommit [1] converted the management transmission work item into a\nwiphy work. Since a wiphy work can only run under wiphy lock\nprotection, a race condition happens in below scenario:\n\n1. a management frame is queued for transmission.\n2. ath12k_mac_op_flush() gets called to flush pending frames associated\n   with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()\n   the process waits for the transmission done.\n3. Since wiphy lock has been taken by the flush process, the transmission\n   work item has no chance to run, hence the dead lock.\n\nFrom user view, this dead lock results in below issue:\n\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticated\n wlp8s0: associate with xxxxxx (try 1/3)\n wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)\n ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1\n\nThe dead lock can be avoided by invoking wiphy_work_flush() to proactively\nrun the queued work item. Note actually it is already present in\nath12k_mac_op_flush(), however it does not protect the case where vif\nbeing NULL. Hence move it ahead to cover this case as well.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23130",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names\n\nThe hp-bioscfg driver attempts to register kobjects with empty names when\nthe HP BIOS returns attributes with empty name strings. This causes\nmultiple kernel warnings:\n\n  kobject: (00000000135fb5e6): attempted to be registered with empty name!\n  WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310\n\nAdd validation in hp_init_bios_buffer_attribute() to check if the\nattribute name is empty after parsing it from the WMI buffer. If empty,\nlog a debug message and skip registration of that attribute, allowing the\nmodule to continue processing other valid attributes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23131",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind\n\nFix several issues in dw_dp_bind() error handling:\n\n1. Missing return after drm_bridge_attach() failure - the function\n   continued execution instead of returning an error.\n\n2. Resource leak: drm_dp_aux_register() is not a devm function, so\n   drm_dp_aux_unregister() must be called on all error paths after\n   aux registration succeeds. This affects errors from:\n   - drm_bridge_attach()\n   - phy_init()\n   - devm_add_action_or_reset()\n   - platform_get_irq()\n   - devm_request_threaded_irq()\n\n3. Bug fix: platform_get_irq() returns the IRQ number or a negative\n   error code, but the error path was returning ERR_PTR(ret) instead\n   of ERR_PTR(dp->irq).\n\nUse a goto label for cleanup to ensure consistent error handling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23132",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields.  Those should be reused when freeing\nthe buffer rather than the aligned addresses.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23133",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: fix kmalloc_nolock() context check for PREEMPT_RT\n\nOn PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current\ncheck in kmalloc_nolock() only verifies we're not in NMI or hard IRQ\ncontext, but misses the case where preemption is disabled.\n\nWhen a BPF program runs from a tracepoint with preemption disabled\n(preempt_count > 0), kmalloc_nolock() proceeds to call\nlocal_lock_irqsave() which attempts to acquire a sleeping lock,\ntriggering:\n\n  BUG: sleeping function called from invalid context\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6128\n  preempt_count: 2, expected: 0\n\nFix this by checking !preemptible() on PREEMPT_RT, which directly\nexpresses the constraint that we cannot take a sleeping lock when\npreemption is disabled. This encompasses the previous checks for NMI\nand hard IRQ contexts while also catching cases where preemption is\ndisabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23134",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields.  Those should be reused when freeing\nthe buffer rather than the aligned addresses.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23135",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.8"
        },
        {
          "id": "CVE-2026-23136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: reset sparse-read state in osd_fault()\n\nWhen a fault occurs, the connection is abandoned, reestablished, and any\npending operations are retried. The OSD client tracks the progress of a\nsparse-read reply using a separate state machine, largely independent of\nthe messenger's state.\n\nIf a connection is lost mid-payload or the sparse-read state machine\nreturns an error, the sparse-read state is not reset. The OSD client\nwill then interpret the beginning of a new reply as the continuation of\nthe old one. If this makes the sparse-read machinery enter a failure\nstate, it may never recover, producing loops like:\n\n  libceph:  [0] got 0 extents\n  libceph: data len 142248331 != extent len 0\n  libceph: osd0 (1)...:6801 socket error on read\n  libceph: data len 142248331 != extent len 0\n  libceph: osd0 (1)...:6801 socket error on read\n\nTherefore, reset the sparse-read state in osd_fault(), ensuring retries\nstart from a clean state.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23136",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: Fix memory leak in unittest_data_add()\n\nIn unittest_data_add(), if of_resolve_phandles() fails, the allocated\nunittest_data is not freed, leading to a memory leak.\n\nFix this by using scope-based cleanup helper __free(kfree) for automatic\nresource cleanup. This ensures unittest_data is automatically freed when\nit goes out of scope in error paths.\n\nFor the success path, use retain_and_null_ptr() to transfer ownership\nof the memory to the device tree and prevent double freeing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23137",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add recursion protection in kernel stack trace recording\n\nA bug was reported about an infinite recursion caused by tracing the rcu\nevents with the kernel stack trace trigger enabled. The stack trace code\ncalled back into RCU which then called the stack trace again.\n\nExpand the ftrace recursion protection to add a set of bits to protect\nevents from recursion. Each bit represents the context that the event is\nin (normal, softirq, interrupt and NMI).\n\nHave the stack trace code use the interrupt context to protect against\nrecursion.\n\nNote, the bug showed an issue in both the RCU code as well as the tracing\nstacktrace code. This only handles the tracing stack trace side of the\nbug. The RCU fix will be handled separately.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23138",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: update last_gc only when GC has been performed\n\nCurrently last_gc is being updated every time a new connection is\ntracked, which means that it is updated even if a GC wasn't performed.\nWith a sufficiently high packet rate, it is possible to always bypass\nthe GC, causing the list to grow infinitely.\n\nUpdate the last_gc value only when a GC has actually been performed.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23139",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Subtract size of xdp_frame from allowed metadata size\n\nThe xdp_frame structure takes up part of the XDP frame headroom,\nlimiting the size of the metadata. However, in bpf_test_run, we don't\ntake this into account, which makes it possible for userspace to supply\na metadata size that is too large (taking up the entire headroom).\n\nIf userspace supplies such a large metadata size in live packet mode,\nthe xdp_update_frame_from_buff() call in xdp_test_run_init_page() call\nwill fail, after which packet transmission proceeds with an\nuninitialised frame structure, leading to the usual Bad Stuff.\n\nThe commit in the Fixes tag fixed a related bug where the second check\nin xdp_update_frame_from_buff() could fail, but did not add any\nadditional constraints on the metadata size. Complete the fix by adding\nan additional check on the metadata size. Reorder the checks slightly to\nmake the logic clearer and add a comment.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23140",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.6"
        },
        {
          "id": "CVE-2026-23141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23141",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure\n\nWhen a DAMOS-scheme DAMON sysfs directory setup fails after setup of\naccess_pattern/ directory, subdirectories of access_pattern/ directory are\nnot cleaned up.  As a result, DAMON sysfs interface is nearly broken until\nthe system reboots, and the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23142",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n        __le16                     max_tx_vq;            /*     0     2 */\n        __u8                       hash_key_length;      /*     2     1 */\n        __u8                       hash_key_data[];      /*     3     0 */\n\n        /* size: 4, cachelines: 1, members: 3 */\n        /* padding: 1 */\n        /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n        struct virtio_net_rss_config_trailer rss_trailer; /*    80     4 */\n\n        /* XXX last struct has 1 byte of padding */\n\n        u8                         rss_hash_key_data[40]; /*    84    40 */\n...\n        /* size: 832, cachelines: 13, members: 48 */\n        /* sum members: 801, holes: 8, sum holes: 31 */\n        /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n        union {\n                struct virtio_net_rss_config_trailer rss_trailer; /*   792     4 */\n                struct {\n                        unsigned char __offset_to_hash_key_data[3]; /*   792     3 */\n                        u8         rss_hash_key_data[40]; /*   795    40 */\n                };                                       /*   792    43 */\n        };                                               /*   792    44 */\n...\n        /* size: 840, cachelines: 14, members: 47 */\n        /* sum members: 801, holes: 8, sum holes: 35 */\n        /* padding: 4 */\n        /* paddings: 1, sum paddings: 4 */\n        /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23143",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: cleanup attrs subdirs on context dir setup failure\n\nWhen a context DAMON sysfs directory setup fails after setup of attrs/\ndirectory, subdirectories of attrs/ directory are not cleaned up.  As a\nresult, DAMON sysfs interface is nearly broken until the system reboots,\nand the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23144",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_xattr_inode_update_ref\n\nThe error branch for ext4_xattr_inode_update_ref forgets to release the\nrefcount for iloc.bh. Found this when reviewing code.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23145",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.7"
        },
        {
          "id": "CVE-2026-23146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto->open() to initialize\nhu->priv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu->priv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto->dequeue() accesses hu->priv.\n\nThe race condition is:\n\n  CPU0                              CPU1\n  ----                              ----\n  hci_uart_set_proto()\n    set_bit(HCI_UART_PROTO_INIT)\n    hci_uart_register_dev()\n                                    tty write wakeup\n                                      hci_uart_tty_wakeup()\n                                        hci_uart_tx_wakeup()\n                                          schedule_work(&hu->write_work)\n      proto->open(hu)\n        // initializes hu->priv\n                                    hci_uart_write_work()\n                                      hci_uart_dequeue()\n                                        proto->dequeue(hu)\n                                          // accesses hu->priv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()\nsucceeds, ensuring hu->priv is initialized before any work can be\nscheduled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23146",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zlib: fix the folio leak on S390 hardware acceleration\n\n[BUG]\nAfter commit aa60fe12b4f4 (\"btrfs: zlib: refactor S390x HW acceleration\nbuffer preparation\"), we no longer release the page cache folio\nreturned by btrfs_compress_filemap_get_folio() for the S390\nhardware acceleration path.\n\n[CAUSE]\nBefore that commit, we call kumap_local() and folio_put() after handling\neach folio.\n\nAlthough the timing is not ideal (it releases the previous folio at the\nbeginning of the loop, and relies on some extra cleanup out of the loop),\nit at least handles the folio release correctly.\n\nWhile the refactored code is easier to read, it lacks the call to\nrelease the filemap folio.\n\n[FIX]\nAdd the missing folio_put() for copy_data_into_buffer().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23147",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n   invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n  #PF: supervisor read access in kernel mode\n  RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n  Call Trace:\n   submit_bio_noacct_nocheck+0x44/0x250\n   nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n   process_one_work+0x193/0x3c0\n   worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23148",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()\n\nSince GEM bo handles are u32 in the uapi and the internal implementation\nuses idr_alloc() which uses int ranges, passing a new handle larger than\nINT_MAX trivially triggers a kernel warning:\n\nidr_alloc():\n...\n\tif (WARN_ON_ONCE(start < 0))\n\t\treturn -EINVAL;\n...\n\nFix it by rejecting new handles above INT_MAX and at the same time make\nthe end limit calculation more obvious by moving into int domain.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23149",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local->tx_queue after it was purged in\nlocal_cleanup():\n\n  CPU1                          CPU2\n  ----                          ----\n  nfc_llcp_send_ui_frame()      local_cleanup()\n  |- do {                       '\n     |- pdu = nfc_alloc_send_skb(..., &err)\n     |                          .\n     |                          |- nfc_llcp_socket_release(local, false, ENXIO);\n     |                          |- skb_queue_purge(&local->tx_queue);      |\n     |                          '                                          |\n     |- skb_queue_tail(&local->tx_queue, pdu);                             |\n    ...                                                                    |\n     |- pdu = nfc_alloc_send_skb(..., &err)                                |\n                                       ^._________________________________.'\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local->tx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet's do that and check list_empty(&local->list) before\nqueuing skb to local->tx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n  comm \"syz.0.17\", pid 6096, jiffies 4294942766\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............\n  backtrace (crc da58d84d):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4979 [inline]\n    slab_alloc_node mm/slub.c:5284 [inline]\n    __do_kmalloc_node mm/slub.c:5645 [inline]\n    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n    kmalloc_noprof include/linux/slab.h:961 [inline]\n    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n    sk_alloc+0x36/0x360 net/core/sock.c:2295\n    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n    __sock_create+0x1a9/0x340 net/socket.c:1605\n    sock_create net/socket.c:1663 [inline]\n    __sys_socket_create net/socket.c:1700 [inline]\n    __sys_socket+0xb9/0x1a0 net/socket.c:1747\n    __do_sys_socket net/socket.c:1761 [inline]\n    __se_sys_socket net/socket.c:1759 [inline]\n    __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n  comm \"syz.0.17\", pid 6096, jiffies 4294942850\n  hex dump (first 32 bytes):\n    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......\n    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....\n  backtrace (crc 6cc652b1):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4979 [inline]\n    slab_alloc_node mm/slub.c:5284 [inline]\n    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n    __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n    alloc_skb include/linux/skbuff.h:1383 [inline]\n    alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23150",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23151",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: correctly decode TTLM with default link map\n\nTID-To-Link Mapping (TTLM) elements do not contain any link mapping\npresence indicator if a default mapping is used and parsing needs to be\nskipped.\n\nNote that access points should not explicitly report an advertised TTLM\nwith a default mapping as that is the implied mapping if the element is\nnot included, this is even the case when switching back to the default\nmapping. However, mac80211 would incorrectly parse the frame and would\nalso read one byte beyond the end of the element.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23152",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: core: fix race condition against transaction list\n\nThe list of transactions is enumerated without acquiring the card lock when\nprocessing an AR response event. This causes a race condition bug when\nprocessing an AT request completion event concurrently.\n\nThis commit fixes the bug by putting the timer start for split transaction\nexpiration into the scope of the lock. The value of jiffies in the card structure\nis referenced before acquiring the lock.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23153",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix segmentation of forwarding fraglist GRO\n\nThis patch enhances GSO segment handling by properly checking\nthe SKB_GSO_DODGY flag for frag_list GSO packets, addressing\nlow throughput issues observed when a station accesses IPv4\nservers via hotspots with an IPv6-only upstream interface.\n\nSpecifically, it fixes a bug in GSO segmentation when forwarding\nGRO packets containing a frag_list. The function skb_segment_list\ncannot correctly process GRO skbs that have been converted by XLAT,\nsince XLAT only translates the header of the head skb. Consequently,\nskbs in the frag_list may remain untranslated, resulting in protocol\ninconsistencies and reduced throughput.\n\nTo address this, the patch explicitly sets the SKB_GSO_DODGY flag\nfor GSO packets in XLAT's IPv4/IPv6 protocol translation helpers\n(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO\npackets as potentially modified after protocol translation. As a\nresult, GSO segmentation will avoid using skb_segment_list and\ninstead falls back to skb_segment for packets with the SKB_GSO_DODGY\nflag. This ensures that only safe and fully translated frag_list\npackets are processed by skb_segment_list, resolving protocol\ninconsistencies and improving throughput when forwarding GRO packets\nconverted by XLAT.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23154",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix error message\n\nSince commit 79a6d1bfe114 (\"can: gs_usb: gs_usb_receive_bulk_callback():\nunanchor URL on usb_submit_urb() error\") a failing resubmit URB will print\nan info message.\n\nIn the case of a short read where netdev has not yet been assigned,\ninitialize it as NULL to avoid dereferencing an undefined value. Also report\nthe error value of the failed resubmit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23155",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.9"
        },
        {
          "id": "CVE-2026-23156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: fix error propagation in efivar_entry_get()\n\nefivar_entry_get() always returns success even if the underlying\n__efivar_entry_get() fails, masking errors.\n\nThis may result in uninitialized heap memory being copied to userspace\nin the efivarfs_file_read() path.\n\nFix it by returning the error from __efivar_entry_get().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23156",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not strictly require dirty metadata threshold for metadata writepages\n\n[BUG]\nThere is an internal report that over 1000 processes are\nwaiting at the io_schedule_timeout() of balance_dirty_pages(), causing\na system hang and trigger a kernel coredump.\n\nThe kernel is v6.4 kernel based, but the root problem still applies to\nany upstream kernel before v6.18.\n\n[CAUSE]\nFrom Jan Kara for his wisdom on the dirty page balance behavior first.\n\n  This cgroup dirty limit was what was actually playing the role here\n  because the cgroup had only a small amount of memory and so the dirty\n  limit for it was something like 16MB.\n\n  Dirty throttling is responsible for enforcing that nobody can dirty\n  (significantly) more dirty memory than there's dirty limit. Thus when\n  a task is dirtying pages it periodically enters into balance_dirty_pages()\n  and we let it sleep there to slow down the dirtying.\n\n  When the system is over dirty limit already (either globally or within\n  a cgroup of the running task), we will not let the task exit from\n  balance_dirty_pages() until the number of dirty pages drops below the\n  limit.\n\n  So in this particular case, as I already mentioned, there was a cgroup\n  with relatively small amount of memory and as a result with dirty limit\n  set at 16MB. A task from that cgroup has dirtied about 28MB worth of\n  pages in btrfs btree inode and these were practically the only dirty\n  pages in that cgroup.\n\nSo that means the only way to reduce the dirty pages of that cgroup is\nto writeback the dirty pages of btrfs btree inode, and only after that\nthose processes can exit balance_dirty_pages().\n\nNow back to the btrfs part, btree_writepages() is responsible for\nwriting back dirty btree inode pages.\n\nThe problem here is, there is a btrfs internal threshold that if the\nbtree inode's dirty bytes are below the 32M threshold, it will not\ndo any writeback.\n\nThis behavior is to batch as much metadata as possible so we won't write\nback those tree blocks and then later re-COW them again for another\nmodification.\n\nThis internal 32MiB is higher than the existing dirty page size (28MiB),\nmeaning no writeback will happen, causing a deadlock between btrfs and\ncgroup:\n\n- Btrfs doesn't want to write back btree inode until more dirty pages\n\n- Cgroup/MM doesn't want more dirty pages for btrfs btree inode\n  Thus any process touching that btree inode is put into sleep until\n  the number of dirty pages is reduced.\n\nThanks Jan Kara a lot for the analysis of the root cause.\n\n[ENHANCEMENT]\nSince kernel commit b55102826d7d (\"btrfs: set AS_KERNEL_FILE on the\nbtree_inode\"), btrfs btree inode pages will only be charged to the root\ncgroup which should have a much larger limit than btrfs' 32MiB\nthreshold.\nSo it should not affect newer kernels.\n\nBut for all current LTS kernels, they are all affected by this problem,\nand backporting the whole AS_KERNEL_FILE may not be a good idea.\n\nEven for newer kernels I still think it's a good idea to get\nrid of the internal threshold at btree_writepages(), since for most cases\ncgroup/MM has a better view of full system memory usage than btrfs' fixed\nthreshold.\n\nFor internal callers using btrfs_btree_balance_dirty() since that\nfunction is already doing internal threshold check, we don't need to\nbother them.\n\nBut for external callers of btree_writepages(), just respect their\nrequests and write back whatever they want, ignoring the internal\nbtrfs threshold to avoid such deadlock on btree inode dirty page\nbalancing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23157",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: virtuser: fix UAF in configfs release path\n\nThe gpio-virtuser configfs release path uses guard(mutex) to protect\nthe device structure. However, the device is freed before the guard\ncleanup runs, causing mutex_unlock() to operate on freed memory.\n\nSpecifically, gpio_virtuser_device_config_group_release() destroys\nthe mutex and frees the device while still inside the guard(mutex)\nscope. When the function returns, the guard cleanup invokes\nmutex_unlock(&dev->lock), resulting in a slab use-after-free.\n\nLimit the mutex lifetime by using a scoped_guard() only around the\nactivation check, so that the lock is released before mutex_destroy()\nand kfree() are called.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23158",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There's a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23159",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Fix memory leak in octep_device_setup()\n\nIn octep_device_setup(), if octep_ctrl_net_init() fails, the function\nreturns directly without unmapping the mapped resources and freeing the\nallocated configuration memory.\n\nFix this by jumping to the unsupported_dev label, which performs the\nnecessary cleanup. This aligns with the error handling logic of other\npaths in this function.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23160",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem, swap: fix race of truncate and swap entry split\n\nThe helper for shmem swap freeing is not handling the order of swap\nentries correctly.  It uses xa_cmpxchg_irq to erase the swap entry, but it\ngets the entry order before that using xa_get_order without lock\nprotection, and it may get an outdated order value if the entry is split\nor changed in other ways after the xa_get_order and before the\nxa_cmpxchg_irq.\n\nAnd besides, the order could grow and be larger than expected, and cause\ntruncation to erase data beyond the end border.  For example, if the\ntarget entry and following entries are swapped in or freed, then a large\nfolio was added in place and swapped out, using the same entry, the\nxa_cmpxchg_irq will still succeed, it's very unlikely to happen though.\n\nTo fix that, open code the Xarray cmpxchg and put the order retrieval and\nvalue checking in the same critical section.  Also, ensure the order won't\nexceed the end border, skip it if the entry goes across the border.\n\nSkipping large swap entries crosses the end border is safe here.  Shmem\ntruncate iterates the range twice, in the first iteration,\nfind_lock_entries already filtered such entries, and shmem will swapin the\nentries that cross the end border and partially truncate the folio (split\nthe folio or at least zero part of it).  So in the second loop here, if we\nsee a swap entry that crosses the end order, it must at least have its\ncontent erased already.\n\nI observed random swapoff hangs and kernel panics when stress testing\nZSWAP with shmem.  After applying this patch, all problems are gone.",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23161",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/nvm: Fix double-free on aux add failure\n\nAfter a successful auxiliary_device_init(), aux_dev->dev.release\n(xe_nvm_release_dev()) is responsible for the kfree(nvm). When\nthere is failure with auxiliary_device_add(), driver will call\nauxiliary_device_uninit(), which call put_device(). So that the\n.release callback will be triggered to free the memory associated\nwith the auxiliary_device.\n\nMove the kfree(nvm) into the auxiliary_device_init() failure path\nand remove the err goto path to fix below error.\n\n\"\n[   13.232905] ==================================================================\n[   13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe]\n[   13.233112] Free of addr ffff888120635000 by task systemd-udevd/273\n\n[   13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary)\n...\n[   13.233125] Call Trace:\n[   13.233126]  <TASK>\n[   13.233127]  dump_stack_lvl+0x7f/0xc0\n[   13.233132]  print_report+0xce/0x610\n[   13.233136]  ? kasan_complete_mode_report_info+0x5d/0x1e0\n[   13.233139]  ? xe_nvm_init+0x751/0xf10 [xe]\n...\n\"\n\nv2: drop err goto path. (Alexander)\n\n(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23162",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove\n\nOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and\nih2 interrupt ring buffers are not initialized. This is by design, as\nthese secondary IH rings are only available on discrete GPUs. See\nvega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when\nAMD_IS_APU is set.\n\nHowever, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to\nget the timestamp of the last interrupt entry. When retry faults are\nenabled on APUs (noretry=0), this function is called from the SVM page\nfault recovery path, resulting in a NULL pointer dereference when\namdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].\n\nThe crash manifests as:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000004\n  RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]\n  Call Trace:\n   amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]\n   svm_range_restore_pages+0xae5/0x11c0 [amdgpu]\n   amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]\n   gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]\n   amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]\n   amdgpu_ih_process+0x84/0x100 [amdgpu]\n\nThis issue was exposed by commit 1446226d32a4 (\"drm/amdgpu: Remove GC HW\nIP 9.3.0 from noretry=1\") which changed the default for Renoir APU from\nnoretry=1 to noretry=0, enabling retry fault handling and thus\nexercising the buggy code path.\n\nFix this by adding a check for ih1.ring_size before attempting to use\nit. Also restore the soft_ih support from commit dd299441654f (\"drm/amdgpu:\nRework retry fault removal\").  This is needed if the hardware doesn't\nsupport secondary HW IH rings.\n\nv2: additional updates (Alex)\n\n(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23163",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrocker: fix memory leak in rocker_world_port_post_fini()\n\nIn rocker_world_port_pre_init(), rocker_port->wpriv is allocated with\nkzalloc(wops->port_priv_size, GFP_KERNEL). However, in\nrocker_world_port_post_fini(), the memory is only freed when\nwops->port_post_fini callback is set:\n\n    if (!wops->port_post_fini)\n        return;\n    wops->port_post_fini(rocker_port);\n    kfree(rocker_port->wpriv);\n\nSince rocker_ofdpa_ops does not implement port_post_fini callback\n(it is NULL), the wpriv memory allocated for each port is never freed\nwhen ports are removed. This leads to a memory leak of\nsizeof(struct ofdpa_port) bytes per port on every device removal.\n\nFix this by always calling kfree(rocker_port->wpriv) regardless of\nwhether the port_post_fini callback exists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23164",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix deadlock in RSS config read\n\nSince cited commit, core locks the net_device's rss_lock when handling\n ethtool -x command, so driver's implementation should not lock it\n again.  Remove the latter.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23165",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix NULL pointer dereference in ice_vsi_set_napi_queues\n\nAdd NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes\nduring resume from suspend when rings[q_idx]->q_vector is NULL.\n\nTested adaptor:\n60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)\n        Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]\n\nSR-IOV state: both disabled and enabled can reproduce this issue.\n\nkernel version: v6.18\n\nReproduce steps:\nBoot up and execute suspend like systemctl suspend or rtcwake.\n\nLog:\n<1>[  231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040\n<1>[  231.444052] #PF: supervisor read access in kernel mode\n<1>[  231.444484] #PF: error_code(0x0000) - not-present page\n<6>[  231.444913] PGD 0 P4D 0\n<4>[  231.445342] Oops: Oops: 0000 [#1] SMP NOPTI\n<4>[  231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170\n<4>[  231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89\n<4>[  231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202\n<4>[  231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010\n<4>[  231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000\n<4>[  231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000\n<4>[  231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n<4>[  231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000\n<4>[  231.450265] FS:  00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000\n<4>[  231.450715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n<4>[  231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0\n<4>[  231.451629] PKRU: 55555554\n<4>[  231.452076] Call Trace:\n<4>[  231.452549]  <TASK>\n<4>[  231.452996]  ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]\n<4>[  231.453482]  ice_resume+0xfd/0x220 [ice]\n<4>[  231.453977]  ? __pfx_pci_pm_resume+0x10/0x10\n<4>[  231.454425]  pci_pm_resume+0x8c/0x140\n<4>[  231.454872]  ? __pfx_pci_pm_resume+0x10/0x10\n<4>[  231.455347]  dpm_run_callback+0x5f/0x160\n<4>[  231.455796]  ? dpm_wait_for_superior+0x107/0x170\n<4>[  231.456244]  device_resume+0x177/0x270\n<4>[  231.456708]  dpm_resume+0x209/0x2f0\n<4>[  231.457151]  dpm_resume_end+0x15/0x30\n<4>[  231.457596]  suspend_devices_and_enter+0x1da/0x2b0\n<4>[  231.458054]  enter_state+0x10e/0x570\n\nAdd defensive checks for both the ring pointer and its q_vector\nbefore dereferencing, allowing the system to resume successfully even when\nq_vectors are unmapped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23166",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet's unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n  1) nfc_unregister_device() calls device_del() which frees\n     all memory allocated by devm_kzalloc() and linked to\n     ndev->conn_info_list\n\n  2) nci_rx_work() could try to queue nci_conn_info to\n     ndev->conn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23167",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nflex_proportions: make fprop_new_period() hardirq safe\n\nBernd has reported a lockdep splat from flexible proportions code that is\nessentially complaining about the following race:\n\n<timer fires>\nrun_timer_softirq - we are in softirq context\n  call_timer_fn\n    writeout_period\n      fprop_new_period\n        write_seqcount_begin(&p->sequence);\n\n        <hardirq is raised>\n        ...\n        blk_mq_end_request()\n\t  blk_update_request()\n\t    ext4_end_bio()\n\t      folio_end_writeback()\n\t\t__wb_writeout_add()\n\t\t  __fprop_add_percpu_max()\n\t\t    if (unlikely(max_frac < FPROP_FRAC_BASE)) {\n\t\t      fprop_fraction_percpu()\n\t\t\tseq = read_seqcount_begin(&p->sequence);\n\t\t\t  - sees odd sequence so loops indefinitely\n\nNote that a deadlock like this is only possible if the bdi has configured\nmaximum fraction of writeout throughput which is very rare in general but\nfrequent for example for FUSE bdis.  To fix this problem we have to make\nsure write section of the sequence counter is irqsafe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23168",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race in mptcp_pm_nl_flush_addrs_doit()\n\nsyzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()\nand/or mptcp_pm_nl_is_backup()\n\nRoot cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()\nwhich is not RCU ready.\n\nlist_splice_init_rcu() can not be called here while holding pernet->lock\nspinlock.\n\nMany thanks to Eulgyu Kim for providing a repro and testing our patches.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23169",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imx/tve: fix probe device leak\n\nMake sure to drop the reference taken to the DDC device during probe on\nprobe failure (e.g. probe deferral) and on driver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23170",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix use-after-free due to enslave fail after slave array update\n\nFix a use-after-free which happens due to enslave failure after the new\nslave has been added to the array. Since the new slave can be used for Tx\nimmediately, we can use it after it has been freed by the enslave error\ncleanup path which frees the allocated slave memory. Slave update array is\nsupposed to be called last when further enslave failures are not expected.\nMove it after xdp setup to avoid any problems.\n\nIt is very easy to reproduce the problem with a simple xdp_pass prog:\n ip l add bond1 type bond mode balance-xor\n ip l set bond1 up\n ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass\n ip l add dumdum type dummy\n\nThen run in parallel:\n while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;\n mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp \"dp=1-1023, flags=syn\"\n\nThe crash happens almost immediately:\n [  605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI\n [  605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]\n [  605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G    B               6.19.0-rc6+ #21 PREEMPT(voluntary)\n [  605.602979] Tainted: [B]=BAD_PAGE\n [  605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n [  605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210\n [  605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89\n [  605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213\n [  605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000\n [  605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be\n [  605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c\n [  605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000\n [  605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84\n [  605.603286] FS:  00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000\n [  605.603319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [  605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0\n [  605.603373] Call Trace:\n [  605.603392]  <TASK>\n [  605.603410]  __dev_queue_xmit+0x448/0x32a0\n [  605.603434]  ? __pfx_vprintk_emit+0x10/0x10\n [  605.603461]  ? __pfx_vprintk_emit+0x10/0x10\n [  605.603484]  ? __pfx___dev_queue_xmit+0x10/0x10\n [  605.603507]  ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [  605.603546]  ? _printk+0xcb/0x100\n [  605.603566]  ? __pfx__printk+0x10/0x10\n [  605.603589]  ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [  605.603627]  ? add_taint+0x5e/0x70\n [  605.603648]  ? add_taint+0x2a/0x70\n [  605.603670]  ? end_report.cold+0x51/0x75\n [  605.603693]  ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [  605.603731]  bond_start_xmit+0x623/0xc20 [bonding]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23171",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: fix potential skb->frags overflow in RX path\n\nWhen receiving data in the DPMAIF RX path,\nthe t7xx_dpmaif_set_frag_to_skb() function adds\npage fragments to an skb without checking if the number of\nfragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow\nin skb_shinfo(skb)->frags[] array, corrupting adjacent memory and\npotentially causing kernel crashes or other undefined behavior.\n\nThis issue was identified through static code analysis by comparing with a\nsimilar vulnerability fixed in the mt76 driver commit b102f0c522cf (\"mt76:\nfix array overflow on receiving too many fragments for a packet\").\n\nThe vulnerability could be triggered if the modem firmware sends packets\nwith excessive fragments. While under normal protocol conditions (MTU 3080\nbytes, BAT buffer 3584 bytes),\na single packet should not require additional\nfragments, the kernel should not blindly trust firmware behavior.\nMalicious, buggy, or compromised firmware could potentially craft packets\nwith more fragments than the kernel expects.\n\nFix this by adding a bounds check before calling skb_add_rx_frag() to\nensure nr_frags does not exceed MAX_SKB_FRAGS.\n\nThe check must be performed before unmapping to avoid a page leak\nand double DMA unmap during device teardown.",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23172",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, delete flows only for existing peers\n\nWhen deleting TC steering flows, iterate only over actual devcom\npeers instead of assuming all possible ports exist. This avoids\ntouching non-existent peers and ensures cleanup is limited to\ndevices the driver is currently connected to.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 133c8a067 P4D 0\n Oops: Oops: 0002 [#1] SMP\n CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]\n Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49\n RSP: 0018:ff11000143867528 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000\n RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0\n RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002\n R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78\n R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0\n FS:  00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0\n Call Trace:\n  <TASK>\n  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n  mlx5e_flow_put+0x25/0x50 [mlx5_core]\n  mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]\n  tc_setup_cb_reoffload+0x20/0x80\n  fl_reoffload+0x26f/0x2f0 [cls_flower]\n  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n  tcf_block_playback_offloads+0x9e/0x1c0\n  tcf_block_unbind+0x7b/0xd0\n  tcf_block_setup+0x186/0x1d0\n  tcf_block_offload_cmd.isra.0+0xef/0x130\n  tcf_block_offload_unbind+0x43/0x70\n  __tcf_block_put+0x85/0x160\n  ingress_destroy+0x32/0x110 [sch_ingress]\n  __qdisc_destroy+0x44/0x100\n  qdisc_graft+0x22b/0x610\n  tc_get_qdisc+0x183/0x4d0\n  rtnetlink_rcv_msg+0x2d7/0x3d0\n  ? rtnl_calcit.isra.0+0x100/0x100\n  netlink_rcv_skb+0x53/0x100\n  netlink_unicast+0x249/0x320\n  ? __alloc_skb+0x102/0x1f0\n  netlink_sendmsg+0x1e3/0x420\n  __sock_sendmsg+0x38/0x60\n  ____sys_sendmsg+0x1ef/0x230\n  ? copy_msghdr_from_user+0x6c/0xa0\n  ___sys_sendmsg+0x7f/0xc0\n  ? ___sys_recvmsg+0x8a/0xc0\n  ? __sys_sendto+0x119/0x180\n  __sys_sendmsg+0x61/0xb0\n  do_syscall_64+0x55/0x640\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f35238bb764\n Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55\n RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764\n RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003\n RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20\n R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790\n R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23173",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: handle changing device dma map requirements\n\nThe initial state of dma_needs_unmap may be false, but change to true\nwhile mapping the data iterator. Enabling swiotlb is one such case that\ncan change the result. The nvme driver needs to save the mapped dma\nvectors to be unmapped later, so allocate as needed during iteration\nrather than assume it was always allocated at the beginning. This fixes\na NULL dereference from accessing an uninitialized dma_vecs when the\ndevice dma unmapping requirements change mid-iteration.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23174",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don't hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n  WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/481\n  RTNL: assertion failed at net/8021q/vlan_core.c (236)\n  Modules linked in:\n  CPU: 0 UID: 997 PID: 481 Comm: rpcbind Not tainted 6.19.0-rc7-next-20260130-yocto-standard+ #35 PREEMPT\n  Hardware name: Generic AM33XX (Flattened Device Tree)\n  Call trace:\n   unwind_backtrace from show_stack+0x28/0x2c\n   show_stack from dump_stack_lvl+0x30/0x38\n   dump_stack_lvl from __warn+0xb8/0x11c\n   __warn from warn_slowpath_fmt+0x130/0x194\n   warn_slowpath_fmt from vlan_for_each+0x120/0x124\n   vlan_for_each from cpsw_add_mc_addr+0x54/0x98\n   cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n   __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n   __dev_mc_add from igmp6_group_added+0x84/0xec\n   igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n   __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n   __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n   do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n   ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n   do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n   __sys_setsockopt from ret_fast_syscall+0x0/0x54\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver.\n\nPlease note: To reproduce this issue, I manually reverted the changes to\nam335x-bone-common.dtsi from commit c477358e66a3 (\"ARM: dts: am335x-bone:\nswitch to new cpsw switch drv\") in order to revert to the legacy cpsw\ndriver.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23175",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: toshiba_haps: Fix memory leaks in add/remove routines\n\ntoshiba_haps_add() leaks the haps object allocated by it if it returns\nan error after allocating that object successfully.\n\ntoshiba_haps_remove() does not free the object pointed to by\ntoshiba_haps before clearing that pointer, so it becomes unreachable\nallocated memory.\n\nAddress these memory leaks by using devm_kzalloc() for allocating\nthe memory in question.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23176",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, shmem: prevent infinite loop on truncate race\n\nWhen truncating a large swap entry, shmem_free_swap() returns 0 when the\nentry's index doesn't match the given index due to lookup alignment.  The\nfailure fallback path checks if the entry crosses the end border and\naborts when it happens, so truncate won't erase an unexpected entry or\nrange.  But one scenario was ignored.\n\nWhen `index` points to the middle of a large swap entry, and the large\nswap entry doesn't go across the end border, find_get_entries() will\nreturn that large swap entry as the first item in the batch with\n`indices[0]` equal to `index`.  The entry's base index will be smaller\nthan `indices[0]`, so shmem_free_swap() will fail and return 0 due to the\n\"base < index\" check.  The code will then call shmem_confirm_swap(), get\nthe order, check if it crosses the END boundary (which it doesn't), and\nretry with the same index.\n\nThe next iteration will find the same entry again at the same index with\nsame indices, leading to an infinite loop.\n\nFix this by retrying with a round-down index, and abort if the index is\nsmaller than the truncate range.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23177",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23178",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()\n\nWhen the socket is closed while in TCP_LISTEN a callback is run to\nflush all outstanding packets, which in turn calls\nnvmet_tcp_listen_data_ready() with the sk_callback_lock held.\nSo we need to check if we are in TCP_LISTEN before attempting\nto get the sk_callback_lock() to avoid a deadlock.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23179",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: add bounds check for if_id in IRQ handler\n\nThe IRQ handler extracts if_id from the upper 16 bits of the hardware\nstatus register and uses it to index into ethsw->ports[] without\nvalidation. Since if_id can be any 16-bit value (0-65535) but the ports\narray is only allocated with sw_attr.num_ifs elements, this can lead to\nan out-of-bounds read potentially.\n\nAdd a bounds check before accessing the array, consistent with the\nexisting validation in dpaa2_switch_rx().",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23180",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: sync read disk super and set block size\n\nWhen the user performs a btrfs mount, the block device is not set\ncorrectly. The user sets the block size of the block device to 0x4000\nby executing the BLKBSZSET command.\nSince the block size change also changes the mapping->flags value, this\nfurther affects the result of the mapping_min_folio_order() calculation.\n\nLet's analyze the following two scenarios:\n\nScenario 1: Without executing the BLKBSZSET command, the block size is\n0x1000, and mapping_min_folio_order() returns 0;\n\nScenario 2: After executing the BLKBSZSET command, the block size is\n0x4000, and mapping_min_folio_order() returns 2.\n\ndo_read_cache_folio() allocates a folio before the BLKBSZSET command\nis executed. This results in the allocated folio having an order value\nof 0. Later, after BLKBSZSET is executed, the block size increases to\n0x4000, and the mapping_min_folio_order() calculation result becomes 2.\n\nThis leads to two undesirable consequences:\n\n1. filemap_add_folio() triggers a VM_BUG_ON_FOLIO(folio_order(folio) <\nmapping_min_folio_order(mapping)) assertion.\n\n2. The syzbot report [1] shows a null pointer dereference in\ncreate_empty_buffers() due to a buffer head allocation failure.\n\nSynchronization should be established based on the inode between the\nBLKBSZSET command and read cache page to prevent inconsistencies in\nblock size or mapping flags before and after folio allocation.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:create_empty_buffers+0x4d/0x480 fs/buffer.c:1694\nCall Trace:\n folio_create_buffers+0x109/0x150 fs/buffer.c:1802\n block_read_full_folio+0x14c/0x850 fs/buffer.c:2403\n filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496\n do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096\n do_read_cache_page mm/filemap.c:4162 [inline]\n read_cache_page_gfp+0x29/0x120 mm/filemap.c:4195\n btrfs_read_disk_super+0x192/0x500 fs/btrfs/volumes.c:1367",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23181",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra: Fix a memory leak in tegra_slink_probe()\n\nIn tegra_slink_probe(), when platform_get_irq() fails, it directly\nreturns from the function with an error code, which causes a memory leak.\n\nReplace it with a goto label to ensure proper cleanup.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23182",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: fix NULL pointer dereference when setting max\n\nAn issue was triggered:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\n Tainted: [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:strcmp+0x10/0x30\n RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\n RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\n RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\n R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\n R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\n Call Trace:\n  <TASK>\n  dmemcg_limit_write.constprop.0+0x16d/0x390\n  ? __pfx_set_resource_max+0x10/0x10\n  kernfs_fop_write_iter+0x14e/0x200\n  vfs_write+0x367/0x510\n  ksys_write+0x66/0xe0\n  do_syscall_64+0x6b/0x390\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f42697e1887\n\nIt was triggered setting max without limitation, the command is like:\n\"echo test/region0 > dmem.max\". To fix this issue, add a check whether\noptions is valid after parsing the region_name.",
          "scorev2": "0.0",
          "scorev3": "0.0",
          "scorev4": "0.0",
          "vector": "UNKNOWN",
          "vectorString": "UNKNOWN",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23183",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF in binder_netlink_report()\n\nOneway transactions sent to frozen targets via binder_proc_transaction()\nreturn a BR_TRANSACTION_PENDING_FROZEN error but they are still treated\nas successful since the target is expected to thaw at some point. It is\nthen not safe to access 't' after BR_TRANSACTION_PENDING_FROZEN errors\nas the transaction could have been consumed by the now thawed target.\n\nThis is the case for binder_netlink_report() which dereferences 't'\nafter a pending frozen error, as pointed out by the following KASAN\nreport:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_netlink_report.isra.0+0x694/0x6c8\n  Read of size 8 at addr ffff00000f98ba38 by task binder-util/522\n\n  CPU: 4 UID: 0 PID: 522 Comm: binder-util Not tainted 6.19.0-rc6-00015-gc03e9c42ae8f #1 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   binder_netlink_report.isra.0+0x694/0x6c8\n   binder_transaction+0x66e4/0x79b8\n   binder_thread_write+0xab4/0x4440\n   binder_ioctl+0x1fd4/0x2940\n   [...]\n\n  Allocated by task 522:\n   __kmalloc_cache_noprof+0x17c/0x50c\n   binder_transaction+0x584/0x79b8\n   binder_thread_write+0xab4/0x4440\n   binder_ioctl+0x1fd4/0x2940\n   [...]\n\n  Freed by task 488:\n   kfree+0x1d0/0x420\n   binder_free_transaction+0x150/0x234\n   binder_thread_read+0x2d08/0x3ce4\n   binder_ioctl+0x488/0x2940\n   [...]\n  ==================================================================\n\nInstead, make a transaction copy so the data can be safely accessed by\nbinder_netlink_report() after a pending frozen error. While here, add a\ncomment about not using t->buffer in binder_netlink_report().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23184",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: cancel mlo_scan_start_wk\n\nmlo_scan_start_wk is not canceled on disconnection. In fact, it is not\ncanceled anywhere except in the restart cleanup, where we don't really\nhave to.\n\nThis can cause an init-after-queue issue: if, for example, the work was\nqueued and then drv_change_interface got executed.\n\nThis can also cause use-after-free: if the work is executed after the\nvif is freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23185",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()\n\nThe acpi_power_meter driver's .notify() callback function,\nacpi_power_meter_notify(), calls hwmon_device_unregister() under a lock\nthat is also acquired by callbacks in sysfs attributes of the device\nbeing unregistered which is prone to deadlocks between sysfs access and\ndevice removal.\n\nAddress this by moving the hwmon device removal in\nacpi_power_meter_notify() outside the lock in question, but notice\nthat doing it alone is not sufficient because two concurrent\nMETER_NOTIFY_CONFIG notifications may be attempting to remove the\nsame device at the same time.  To prevent that from happening, add a\nnew lock serializing the execution of the switch () statement in\nacpi_power_meter_notify().  For simplicity, it is a static mutex\nwhich should not be a problem from the performance perspective.\n\nThe new lock also allows the hwmon_device_register_with_info()\nin acpi_power_meter_notify() to be called outside the inner lock\nbecause it prevents the other notifications handled by that function\nfrom manipulating the \"resource\" object while the hwmon device based\non it is being registered.  The sending of ACPI netlink messages from\nacpi_power_meter_notify() is serialized by the new lock too which\ngenerally helps to ensure that the order of handling firmware\nnotifications is the same as the order of sending netlink messages\nrelated to them.\n\nIn addition, notice that hwmon_device_register_with_info() may fail\nin which case resource->hwmon_dev will become an error pointer,\nso add checks to avoid attempting to unregister the hwmon device\npointed to by it in that case to acpi_power_meter_notify() and\nacpi_power_meter_remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23186",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains\n\nFix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23187",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: r8152: fix resume reset deadlock\n\nrtl8152 can trigger device reset during reset which\npotentially can result in a deadlock:\n\n **** DPM device timeout after 10 seconds; 15 seconds until panic ****\n Call Trace:\n <TASK>\n schedule+0x483/0x1370\n schedule_preempt_disabled+0x15/0x30\n __mutex_lock_common+0x1fd/0x470\n __rtl8152_set_mac_address+0x80/0x1f0\n dev_set_mac_address+0x7f/0x150\n rtl8152_post_reset+0x72/0x150\n usb_reset_device+0x1d0/0x220\n rtl8152_resume+0x99/0xc0\n usb_resume_interface+0x3e/0xc0\n usb_resume_both+0x104/0x150\n usb_resume+0x22/0x110\n\nThe problem is that rtl8152 resume calls reset under\ntp->control mutex while reset basically re-enters rtl8152\nand attempts to acquire the same tp->control lock once\nagain.\n\nReset INACCESSIBLE device outside of tp->control mutex\nscope to avoid recursive mutex_lock() deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23188",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n    const char *fs_name = mdsc->fsc->mount_options->mds_namespace;\n    ...\n    if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {\n            /* fsname mismatch, try next one */\n            return 0;\n    }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It's possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n  get rid of a series of strlen() calls in ceph_namespace_match(),\n  drop changes to namespace_equals() body to avoid treating empty\n  mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n  as namespace_equals() isn't an equivalent substitution there ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23189",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: fix memory leak in acp3x pdm dma ops",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23190",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers most of the code in loopback_check_format() with the\n  cable->lock spinlock, and adds the proper NULL checks.  This avoids\n  already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n  that may be stopped in this function, which was the major pain point\n  leading to UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23191",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlinkwatch: use __dev_put() in callers to prevent UAF\n\nAfter linkwatch_do_dev() calls __dev_put() to release the linkwatch\nreference, the device refcount may drop to 1. At this point,\nnetdev_run_todo() can proceed (since linkwatch_sync_dev() sees an\nempty list and returns without blocking), wait for the refcount to\nbecome 1 via netdev_wait_allrefs_any(), and then free the device\nvia kobject_put().\n\nThis creates a use-after-free when __linkwatch_run_queue() tries to\ncall netdev_unlock_ops() on the already-freed device.\n\nNote that adding netdev_lock_ops()/netdev_unlock_ops() pair in\nnetdev_run_todo() before kobject_put() would not work, because\nnetdev_lock_ops() is conditional - it only locks when\nnetdev_need_ops_lock() returns true. If the device doesn't require\nops_lock, linkwatch won't hold any lock, and netdev_run_todo()\nacquiring the lock won't provide synchronization.\n\nFix this by moving __dev_put() from linkwatch_do_dev() to its\ncallers. The device reference logically pairs with de-listing the\ndevice, so it's reasonable for the caller that did the de-listing\nto release it. This allows placing __dev_put() after all device\naccesses are complete, preventing UAF.\n\nThe bug can be reproduced by adding mdelay(2000) after\nlinkwatch_do_dev() in __linkwatch_run_queue(), then running:\n\n  ip tuntap add mode tun name tun_test\n  ip link set tun_test up\n  ip link set tun_test carrier off\n  ip link set tun_test carrier on\n  sleep 0.5\n  ip tuntap del mode tun name tun_test\n\nKASAN report:\n\n ==================================================================\n BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]\n BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]\n BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245\n Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123\n\n CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: events_unbound linkwatch_event\n Call Trace:\n  <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x156/0x4c9 mm/kasan/report.c:482\n  kasan_report+0xdf/0x1a0 mm/kasan/report.c:595\n  netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]\n  netdev_unlock_ops include/net/netdev_lock.h:47 [inline]\n  __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245\n  linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304\n  process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257\n  process_scheduled_works kernel/workqueue.c:3340 [inline]\n  worker_thread+0x5da/0xe40 kernel/workqueue.c:3421\n  kthread+0x3b3/0x730 kernel/kthread.c:463\n  ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n  </TASK>\n ==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23192",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\n\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess->session_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\n\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\n\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23193",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: correctly handle FDA objects of length zero\n\nFix a bug where an empty FDA (fd array) object with 0 fds would cause an\nout-of-bounds error. The previous implementation used `skip == 0` to\nmean \"this is a pointer fixup\", but 0 is also the correct skip length\nfor an empty FDA. If the FDA is at the end of the buffer, then this\nresults in an attempt to write 8-bytes out of bounds. This is caught and\nresults in an EINVAL error being returned to userspace.\n\nThe pattern of using `skip == 0` as a special value originates from the\nC-implementation of Binder. As part of fixing this bug, this pattern is\nreplaced with a Rust enum.\n\nI considered the alternate option of not pushing a fixup when the length\nis zero, but I think it's cleaner to just get rid of the zero-is-special\nstuff.\n\nThe root cause of this bug was diagnosed by Gemini CLI on first try. I\nused the following prompt:\n\n> There appears to be a bug in @drivers/android/binder/thread.rs where\n> the Fixups oob bug is triggered with 316 304 316 324. This implies\n> that we somehow ended up with a fixup where buffer A has a pointer to\n> buffer B, but the pointer is located at an index in buffer A that is\n> out of bounds. Please investigate the code to find the bug. You may\n> compare with @drivers/android/binder.c that implements this correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23194",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: avoid pool UAF\n\nAn UAF issue was observed:\n\nBUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150\nWrite of size 8 at addr ffff888106715440 by task insmod/527\n\nCPU: 4 UID: 0 PID: 527 Comm: insmod    6.19.0-rc7-next-20260129+ #11\nTainted: [O]=OOT_MODULE\nCall Trace:\n<TASK>\ndump_stack_lvl+0x82/0xd0\nkasan_report+0xca/0x100\nkasan_check_range+0x39/0x1c0\npage_counter_uncharge+0x65/0x150\ndmem_cgroup_uncharge+0x1f/0x260\n\nAllocated by task 527:\n\nFreed by task 0:\n\nThe buggy address belongs to the object at ffff888106715400\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 64 bytes inside of\nfreed 512-byte region [ffff888106715400, ffff888106715600)\n\nThe buggy address belongs to the physical page:\n\nMemory state around the buggy address:\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\t\t\t\t     ^\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThe issue occurs because a pool can still be held by a caller after its\nassociated memory region is unregistered. The current implementation frees\nthe pool even if users still hold references to it (e.g., before uncharge\noperations complete).\n\nThis patch adds a reference counter to each pool, ensuring that a pool is\nonly freed when its reference count drops to zero.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23195",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer\n\nAdd DMA buffer readiness check before reading DMA buffer to avoid\nunexpected NULL pointer accessing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23196",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: preserve error state in block data length handler\n\nWhen a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,\nthe length handler sets the state to IMX_I2C_STATE_FAILED. However,\ni2c_imx_master_isr() unconditionally overwrites this with\nIMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns\nbuffers and crashes the system.\n\nGuard the state transition to preserve error states set by the length\nhandler.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23197",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't clobber irqfd routing type when deassigning irqfd\n\nWhen deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's\nrouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86\nand arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.  Instead, to\nhandle a concurrent routing update, verify that the irqfd is still active\nbefore consuming the routing information.  As evidenced by the x86 and\narm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),\nclobbering the entry type without notifying arch code is surprising and\nerror prone.\n\nAs a bonus, checking that the irqfd is active provides a convenient\nlocation for documenting _why_ KVM must not consume the routing entry for\nan irqfd that is in the process of being deassigned: once the irqfd is\ndeleted from the list (which happens *before* the eventfd is detached), it\nwill no longer receive updates via kvm_irq_routing_update(), and so KVM\ncould deliver an event using stale routing information (relative to\nKVM_SET_GSI_ROUTING returning to userspace).\n\nAs an even better bonus, explicitly checking for the irqfd being active\nfixes a similar bug to the one the clobbering is trying to prevent: if an\nirqfd is deactivated, and then its routing is changed,\nkvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()\n(because the irqfd isn't in the list).  And so if the irqfd is in bypass\nmode, IRQs will continue to be posted using the old routing information.\n\nAs for kvm_arch_irq_bypass_del_producer(), clobbering the routing type\nresults in KVM incorrectly keeping the IRQ in bypass mode, which is\nespecially problematic on AMD as KVM tracks IRQs that are being posted to\na vCPU in a list whose lifetime is tied to the irqfd.\n\nWithout the help of KASAN to detect use-after-free, the most common\nsymptom on AMD is a NULL pointer deref in amd_iommu_update_ga() due to\nthe memory for irqfd structure being re-allocated and zeroed, resulting\nin irqfd->irq_bypass_data being NULL when read by\navic_update_iommu_vcpu_affinity():\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0\n  Oops: Oops: 0000 [#1] SMP\n  CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--5dddc257e6b2-irqfd #31 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:amd_iommu_update_ga+0x19/0xe0\n  Call Trace:\n   <TASK>\n   avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]\n   __avic_vcpu_load+0xf4/0x130 [kvm_amd]\n   kvm_arch_vcpu_load+0x89/0x210 [kvm]\n   vcpu_load+0x30/0x40 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]\n   kvm_vcpu_ioctl+0x571/0x6a0 [kvm]\n   __se_sys_ioctl+0x6d/0xb0\n   do_syscall_64+0x6f/0x9d0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x46893b\n    </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nIf AVIC is inhibited when the irqfd is deassigned, the bug will manifest as\nlist corruption, e.g. on the next irqfd assignment.\n\n  list_add corruption. next->prev should be prev (ffff8d474d5cd588),\n                       but was 0000000000000000. (next=ffff8d8658f86530).\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:31!\n  Oops: invalid opcode: 0000 [#1] SMP\n  CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--f19dc4d680ba-irqfd #28 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:__list_add_valid_or_report+0x97/0xc0\n  Call Trace:\n   <TASK>\n   avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]\n   kvm_pi_update_irte+0xbf/0x190 [kvm]\n   kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]\n   irq_bypass_register_consumer+0xcd/0x170 [irqbypa\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23198",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nprocfs: avoid fetching build ID while holding VMA lock\n\nFix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock\nor per-VMA lock, whichever was used to lock VMA under question, to avoid\ndeadlock reported by syzbot:\n\n -> #1 (&mm->mmap_lock){++++}-{4:4}:\n        __might_fault+0xed/0x170\n        _copy_to_iter+0x118/0x1720\n        copy_page_to_iter+0x12d/0x1e0\n        filemap_read+0x720/0x10a0\n        blkdev_read_iter+0x2b5/0x4e0\n        vfs_read+0x7f4/0xae0\n        ksys_read+0x12a/0x250\n        do_syscall_64+0xcb/0xf80\n        entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n -> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}:\n        __lock_acquire+0x1509/0x26d0\n        lock_acquire+0x185/0x340\n        down_read+0x98/0x490\n        blkdev_read_iter+0x2a7/0x4e0\n        __kernel_read+0x39a/0xa90\n        freader_fetch+0x1d5/0xa80\n        __build_id_parse.isra.0+0xea/0x6a0\n        do_procmap_query+0xd75/0x1050\n        procfs_procmap_ioctl+0x7a/0xb0\n        __x64_sys_ioctl+0x18e/0x210\n        do_syscall_64+0xcb/0xf80\n        entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n other info that might help us debug this:\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   rlock(&mm->mmap_lock);\n                                lock(&sb->s_type->i_mutex_key#8);\n                                lock(&mm->mmap_lock);\n   rlock(&sb->s_type->i_mutex_key#8);\n\n  *** DEADLOCK ***\n\nThis seems to be exacerbated (as we haven't seen these syzbot reports\nbefore that) by the recent:\n\n\t777a8560fd29 (\"lib/buildid: use __kernel_read() for sleepable context\")\n\nTo make this safe, we need to grab file refcount while VMA is still locked, but\nother than that everything is pretty straightforward. Internal build_id_parse()\nAPI assumes VMA is passed, but it only needs the underlying file reference, so\njust add another variant build_id_parse_file() that expects file passed\ndirectly.\n\n[akpm@linux-foundation.org: fix up kerneldoc]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23199",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF\n\nsyzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6\nroute. [0]\n\nCommit f72514b3c569 (\"ipv6: clear RA flags when adding a static\nroute\") introduced logic to clear RTF_ADDRCONF from existing routes\nwhen a static route with the same nexthop is added. However, this\ncauses a problem when the existing route has a gateway.\n\nWhen RTF_ADDRCONF is cleared from a route that has a gateway, that\nroute becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns\ntrue. The issue is that this route was never added to the\nfib6_siblings list.\n\nThis leads to a mismatch between the following counts:\n\n- The sibling count computed by iterating fib6_next chain, which\n  includes the newly ECMP-eligible route\n\n- The actual siblings in fib6_siblings list, which does not include\n  that route\n\nWhen a subsequent ECMP route is added, fib6_add_rt2node() hits\nBUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the\ncounts don't match.\n\nFix this by only clearing RTF_ADDRCONF when the existing route does\nnot have a gateway. Routes without a gateway cannot qualify for ECMP\nanyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing\nRTF_ADDRCONF on them is safe and matches the original intent of the\ncommit.\n\n[0]:\nkernel BUG at net/ipv6/ip6_fib.c:1217!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217\n[...]\nCall Trace:\n <TASK>\n fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946\n ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571\n inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577\n sock_do_ioctl+0xdc/0x300 net/socket.c:1245\n sock_ioctl+0x576/0x790 net/socket.c:1366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23200",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.10"
        },
        {
          "id": "CVE-2026-23201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix oops due to invalid pointer for kfree() in parse_longname()\n\nThis fixes a kernel oops when reading ceph snapshot directories (.snap),\nfor example by simply running `ls /mnt/my_ceph/.snap`.\n\nThe variable str is guarded by __free(kfree), but advanced by one for\nskipping the initial '_' in snapshot names. Thus, kfree() is called\nwith an invalid pointer.  This patch removes the need for advancing the\npointer so kfree() is called with correct memory pointer.\n\nSteps to reproduce:\n\n1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)\n\n2. Add cephfs mount to fstab\n$ echo \"samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6      /mnt/test/stuff   ceph     acl,noatime,_netdev    0       0\" >> /etc/fstab\n\n3. Reboot the system\n$ systemctl reboot\n\n4. Check if it's really mounted\n$ mount | grep stuff\n\n5. List snapshots (expected 63 snapshots on my system)\n$ ls /mnt/test/stuff/.snap\n\nNow ls hangs forever and the kernel log shows the oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23201",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23202",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.10"
        },
        {
          "id": "CVE-2026-23203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don't hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n  WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496\n  RTNL: assertion failed at net/8021q/vlan_core.c (236)\n  Modules linked in:\n  CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT\n  Hardware name: Generic AM33XX (Flattened Device Tree)\n  Call trace:\n   unwind_backtrace from show_stack+0x28/0x2c\n   show_stack from dump_stack_lvl+0x30/0x38\n   dump_stack_lvl from __warn+0xb8/0x11c\n   __warn from warn_slowpath_fmt+0x130/0x194\n   warn_slowpath_fmt from vlan_for_each+0x120/0x124\n   vlan_for_each from cpsw_add_mc_addr+0x54/0xd8\n   cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n   __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n   __dev_mc_add from igmp6_group_added+0x84/0xec\n   igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n   __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n   __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n   do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n   ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n   do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n   __sys_setsockopt from ret_fast_syscall+0x0/0x5\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23203",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23204",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix memory leak in smb2_open_file()\n\nReproducer:\n\n  1. server: directories are exported read-only\n  2. client: mount -t cifs //${server_ip}/export /mnt\n  3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct\n  4. client: umount /mnt\n  5. client: sleep 1\n  6. client: modprobe -r cifs\n\nThe error message is as follows:\n\n  =============================================================================\n  BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()\n  -----------------------------------------------------------------------------\n\n  Object 0x00000000d47521be @offset=14336\n  ...\n  WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577\n  ...\n  Call Trace:\n   <TASK>\n   kmem_cache_destroy+0x94/0x190\n   cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n   cleanup_module+0x4e/0x540 [cifs]\n   __se_sys_delete_module+0x278/0x400\n   __x64_sys_delete_module+0x5f/0x70\n   x64_sys_call+0x2299/0x2ff0\n   do_syscall_64+0x89/0x350\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  ...\n  kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]\n  WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23205",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\n\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw->sw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\n\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw->ports[0]->netdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\n\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23206",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer check in IRQ handler\n\nNow that all other accesses to curr_xfer are done under the lock,\nprotect the curr_xfer NULL check in tegra_qspi_isr_thread() with the\nspinlock. Without this protection, the following race can occur:\n\n  CPU0 (ISR thread)              CPU1 (timeout path)\n  ----------------               -------------------\n  if (!tqspi->curr_xfer)\n    // sees non-NULL\n                                 spin_lock()\n                                 tqspi->curr_xfer = NULL\n                                 spin_unlock()\n  handle_*_xfer()\n    spin_lock()\n    t = tqspi->curr_xfer  // NULL!\n    ... t->len ...        // NULL dereference!\n\nWith this patch, all curr_xfer accesses are now properly synchronized.\n\nAlthough all accesses to curr_xfer are done under the lock, in\ntegra_qspi_isr_thread() it checks for NULL, releases the lock and\nreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().\nThere is a potential for an update in between, which could cause a NULL\npointer dereference.\n\nTo handle this, add a NULL check inside the handlers after acquiring\nthe lock. This ensures that if the timeout path has already cleared\ncurr_xfer, the handler will safely return without dereferencing the\nNULL pointer.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23207",
          "detail": "fixed-version",
          "description": "Fixed from version 6.18.10"
        },
        {
          "id": "CVE-2026-23208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Prevent excessive number of frames\n\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\n\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\n copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\n prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\n prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23208",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n<quote valis>\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port's vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n        if (ops->newlink)\n                err = ops->newlink(dev, &params, extack);\n        else\n                err = register_netdevice(dev);\n        if (err < 0) {\n                free_netdev(dev);\n                goto out;\n        }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device's macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n</quote valis>\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23209",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix PTP NULL pointer dereference during VSI rebuild\n\nFix race condition where PTP periodic work runs while VSI is being\nrebuilt, accessing NULL vsi->rx_rings.\n\nThe sequence was:\n1. ice_ptp_prepare_for_reset() cancels PTP work\n2. ice_ptp_rebuild() immediately queues PTP work\n3. VSI rebuild happens AFTER ice_ptp_rebuild()\n4. PTP work runs and accesses NULL vsi->rx_rings\n\nFix: Keep PTP work cancelled during rebuild, only queue it after\nVSI rebuild completes in ice_rebuild().\n\nAdded ice_ptp_queue_work() helper function to encapsulate the logic\nfor queuing PTP work, ensuring it's only queued when PTP is supported\nand the state is ICE_PTP_READY.\n\nError log:\n[  121.392544] ice 0000:60:00.1: PTP reset successful\n[  121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  121.392712] #PF: supervisor read access in kernel mode\n[  121.392720] #PF: error_code(0x0000) - not-present page\n[  121.392727] PGD 0\n[  121.392734] Oops: Oops: 0000 [#1] SMP NOPTI\n[  121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S                  6.19.0-rc6+ #4 PREEMPT(voluntary)\n[  121.392761] Tainted: [S]=CPU_OUT_OF_SPEC\n[  121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]\n[  121.393042] Call Trace:\n[  121.393047]  <TASK>\n[  121.393055]  ice_ptp_periodic_work+0x69/0x180 [ice]\n[  121.393202]  kthread_worker_fn+0xa2/0x260\n[  121.393216]  ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]\n[  121.393359]  ? __pfx_kthread_worker_fn+0x10/0x10\n[  121.393371]  kthread+0x10d/0x230\n[  121.393382]  ? __pfx_kthread+0x10/0x10\n[  121.393393]  ret_from_fork+0x273/0x2b0\n[  121.393407]  ? __pfx_kthread+0x10/0x10\n[  121.393417]  ret_from_fork_asm+0x1a/0x30\n[  121.393432]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23210",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, swap: restore swap_space attr aviod kernel panic\n\ncommit 8b47299a411a (\"mm, swap: mark swap address space ro and add context\ndebug check\") made the swap address space read-only.  It may lead to\nkernel panic if arch_prepare_to_swap returns a failure under heavy memory\npressure as follows,\n\nel1_abort+0x40/0x64\nel1h_64_sync_handler+0x48/0xcc\nel1h_64_sync+0x84/0x88\nerrseq_set+0x4c/0xb8 (P)\n__filemap_set_wb_err+0x20/0xd0\nshrink_folio_list+0xc20/0x11cc\nevict_folios+0x1520/0x1be4\ntry_to_shrink_lruvec+0x27c/0x3dc\nshrink_one+0x9c/0x228\nshrink_node+0xb3c/0xeac\ndo_try_to_free_pages+0x170/0x4f0\ntry_to_free_pages+0x334/0x534\n__alloc_pages_direct_reclaim+0x90/0x158\n__alloc_pages_slowpath+0x334/0x588\n__alloc_frozen_pages_noprof+0x224/0x2fc\n__folio_alloc_noprof+0x14/0x64\nvma_alloc_zeroed_movable_folio+0x34/0x44\ndo_pte_missing+0xad4/0x1040\nhandle_mm_fault+0x4a4/0x790\ndo_page_fault+0x288/0x5f8\ndo_translation_fault+0x38/0x54\ndo_mem_abort+0x54/0xa8\n\nRestore swap address space as not ro to avoid the panic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23211",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: annotate data-races around slave->last_rx\n\nslave->last_rx and slave->target_last_arp_rx[...] can be read and written\nlocklessly. Add READ_ONCE() and WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate\n\nwrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:\n  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335\n  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533\n  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039\n  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]\n  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265\n  netif_receive_skb_internal net/core/dev.c:6351 [inline]\n  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410\n...\n\nwrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:\n  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335\n  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533\n  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039\n  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]\n  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265\n  netif_receive_skb_internal net/core/dev.c:6351 [inline]\n  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410\n  br_netif_receive_skb net/bridge/br_input.c:30 [inline]\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n...\n\nvalue changed: 0x0000000100005365 -> 0x0000000100005366",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23212",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.9"
        },
        {
          "id": "CVE-2026-23213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Disable MMIO access during SMU Mode 1 reset\n\nDuring Mode 1 reset, the ASIC undergoes a reset cycle and becomes\ntemporarily inaccessible via PCIe. Any attempt to access MMIO registers\nduring this window (e.g., from interrupt handlers or other driver threads)\ncan result in uncompleted PCIe transactions, leading to NMI panics or\nsystem hangs.\n\nTo prevent this, set the `no_hw_access` flag to true immediately after\ntriggering the reset. This signals other driver components to skip\nregister accesses while the device is offline.\n\nA memory barrier `smp_mb()` is added to ensure the flag update is\nglobally visible to all cores before the driver enters the sleep/wait\nstate.\n\n(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23213",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject new transactions if the fs is fully read-only\n\n[BUG]\nThere is a bug report where a heavily fuzzed fs is mounted with all\nrescue mount options, which leads to the following warnings during\nunmount:\n\n  BTRFS: Transaction aborted (error -22)\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted\n  6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]\n  RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611\n  Call Trace:\n   <TASK>\n   btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705\n   btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157\n   btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517\n   btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708\n   btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130\n   btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499\n   btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628\n   evict+0x5f4/0xae0 fs/inode.c:837\n   __dentry_kill+0x209/0x660 fs/dcache.c:670\n   finish_dput+0xc9/0x480 fs/dcache.c:879\n   shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661\n   generic_shutdown_super+0x67/0x2c0 fs/super.c:621\n   kill_anon_super+0x3b/0x70 fs/super.c:1289\n   btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127\n   deactivate_locked_super+0xbc/0x130 fs/super.c:474\n   cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318\n   task_work_run+0x1d4/0x260 kernel/task_work.c:233\n   exit_task_work include/linux/task_work.h:40 [inline]\n   do_exit+0x694/0x22f0 kernel/exit.c:971\n   do_group_exit+0x21c/0x2d0 kernel/exit.c:1112\n   __do_sys_exit_group kernel/exit.c:1123 [inline]\n   __se_sys_exit_group kernel/exit.c:1121 [inline]\n   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121\n   x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x44f639\n  Code: Unable to access opcode bytes at 0x44f60f.\n  RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\n  RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639\n  RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\n  RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0\n  R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n   </TASK>\n\nSince rescue mount options will mark the full fs read-only, there should\nbe no new transaction triggered.\n\nBut during unmount we will evict all inodes, which can trigger a new\ntransaction, and triggers warnings on a heavily corrupted fs.\n\n[CAUSE]\nBtrfs allows new transaction even on a read-only fs, this is to allow\nlog replay happen even on read-only mounts, just like what ext4/xfs do.\n\nHowever with rescue mount options, the fs is fully read-only and cannot\nbe remounted read-write, thus in that case we should also reject any new\ntransactions.\n\n[FIX]\nIf we find the fs has rescue mount options, we should treat the fs as\nerror, so that no new transaction can be started.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23214",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmware: Fix hypercall clobbers\n\nFedora QA reported the following panic:\n\n  BUG: unable to handle page fault for address: 0000000040003e54\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025\n  RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90\n  ..\n  Call Trace:\n   vmmouse_report_events+0x13e/0x1b0\n   psmouse_handle_byte+0x15/0x60\n   ps2_interrupt+0x8a/0xd0\n   ...\n\nbecause the QEMU VMware mouse emulation is buggy, and clears the top 32\nbits of %rdi that the kernel kept a pointer in.\n\nThe QEMU vmmouse driver saves and restores the register state in a\n\"uint32_t data[6];\" and as a result restores the state with the high\nbits all cleared.\n\nRDI originally contained the value of a valid kernel stack address\n(0xff5eeb3240003e54).  After the vmware hypercall it now contains\n0x40003e54, and we get a page fault as a result when it is dereferenced.\n\nThe proper fix would be in QEMU, but this works around the issue in the\nkernel to keep old setups working, when old kernels had not happened to\nkeep any state in %rdi over the hypercall.\n\nIn theory this same issue exists for all the hypercalls in the vmmouse\ndriver; in practice it has only been seen with vmware_hypercall3() and\nvmware_hypercall4().  For now, just mark RDI/RSI as clobbered for those\ntwo calls.  This should have a minimal effect on code generation overall\nas it should be rare for the compiler to want to make RDI/RSI live\nacross hypercalls.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23215",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()\n\nIn iscsit_dec_conn_usage_count(), the function calls complete() while\nholding the conn->conn_usage_lock. As soon as complete() is invoked, the\nwaiter (such as iscsit_close_connection()) may wake up and proceed to free\nthe iscsit_conn structure.\n\nIf the waiter frees the memory before the current thread reaches\nspin_unlock_bh(), it results in a KASAN slab-use-after-free as the function\nattempts to release a lock within the already-freed connection structure.\n\nFix this by releasing the spinlock before calling complete().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23216",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: trace: fix snapshot deadlock with sbi ecall\n\nIf sbi_ecall.c's functions are traceable,\n\necho \"__sbi_ecall:snapshot\" > /sys/kernel/tracing/set_ftrace_filter\n\nmay get the kernel into a deadlock.\n\n(Functions in sbi_ecall.c are excluded from tracing if\nCONFIG_RISCV_ALTERNATIVE_EARLY is set.)\n\n__sbi_ecall triggers a snapshot of the ringbuffer. The snapshot code\nraises an IPI interrupt, which results in another call to __sbi_ecall\nand another snapshot...\n\nAll it takes to get into this endless loop is one initial __sbi_ecall.\nOn RISC-V systems without SSTC extension, the clock events in\ntimer-riscv.c issue periodic sbi ecalls, making the problem easy to\ntrigger.\n\nAlways exclude the sbi_ecall.c functions from tracing to fix the\npotential deadlock.\n\nsbi ecalls can easiliy be logged via trace events, excluding ecall\nfunctions from function tracing is not a big limitation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23217",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: loongson-64bit: Fix incorrect NULL check after devm_kcalloc()\n\nFix incorrect NULL check in loongson_gpio_init_irqchip().\nThe function checks chip->parent instead of chip->irq.parents.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23218",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single\n\nWhen CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning\nmay be noticed:\n\n[ 3959.023862] ------------[ cut here ]------------\n[ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378)\n[ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998\n[ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]\n[ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G        W           6.19.0-rc7+ #7 PREEMPT(voluntary)\n[ 3959.024182] Tainted: [W]=WARN\n[ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n[ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 3959.024199] pc : alloc_tag_add+0x128/0x178\n[ 3959.024207] lr : alloc_tag_add+0x128/0x178\n[ 3959.024214] sp : ffff80008b696d60\n[ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240\n[ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860\n[ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0\n[ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000\n[ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293\n[ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000\n[ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001\n[ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838\n[ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640\n[ 3959.024340] Call trace:\n[ 3959.024346]  alloc_tag_add+0x128/0x178 (P)\n[ 3959.024355]  __alloc_tagging_slab_alloc_hook+0x11c/0x1a8\n[ 3959.024362]  kmem_cache_alloc_lru_noprof+0x1b8/0x5e8\n[ 3959.024369]  xas_alloc+0x304/0x4f0\n[ 3959.024381]  xas_create+0x1e0/0x4a0\n[ 3959.024388]  xas_store+0x68/0xda8\n[ 3959.024395]  __filemap_add_folio+0x5b0/0xbd8\n[ 3959.024409]  filemap_add_folio+0x16c/0x7e0\n[ 3959.024416]  __filemap_get_folio_mpol+0x2dc/0x9e8\n[ 3959.024424]  iomap_get_folio+0xfc/0x180\n[ 3959.024435]  __iomap_get_folio+0x2f8/0x4b8\n[ 3959.024441]  iomap_write_begin+0x198/0xc18\n[ 3959.024448]  iomap_write_iter+0x2ec/0x8f8\n[ 3959.024454]  iomap_file_buffered_write+0x19c/0x290\n[ 3959.024461]  blkdev_write_iter+0x38c/0x978\n[ 3959.024470]  vfs_write+0x4d4/0x928\n[ 3959.024482]  ksys_write+0xfc/0x1f8\n[ 3959.024489]  __arm64_sys_write+0x74/0xb0\n[ 3959.024496]  invoke_syscall+0xd4/0x258\n[ 3959.024507]  el0_svc_common.constprop.0+0xb4/0x240\n[ 3959.024514]  do_el0_svc+0x48/0x68\n[ 3959.024520]  el0_svc+0x40/0xf8\n[ 3959.024526]  el0t_64_sync_handler+0xa0/0xe8\n[ 3959.024533]  el0t_64_sync+0x1ac/0x1b0\n[ 3959.024540] ---[ end trace 0000000000000000 ]---\n\nWhen __memcg_slab_post_alloc_hook() fails, there are two different\nfree paths depending on whether size == 1 or size != 1. In the\nkmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook().\nHowever, in memcg_alloc_abort_single() we don't, the above warning will be\ntriggered on the next allocation.\n\nTherefore, add alloc_tagging_slab_free_hook() to the\nmemcg_alloc_abort_single() path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23219",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\n\nThe problem occurs when a signed request fails smb2 signature verification\ncheck. In __process_request(), if check_sign_req() returns an error,\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\nset_smb2_rsp_status() set work->next_smb2_rcv_hdr_off as zero. By resetting\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\nis lost. Consequently, is_chained_smb2_message() continues to point to\nthe same request header instead of advancing. If the header's NextCommand\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\nto repeatedly process the same failed request in an infinite loop.\nThis results in the kernel log being flooded with \"bad smb2 signature\"\nmessages and high CPU usage.\n\nThis patch fixes the issue by changing the return value from\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\nthe processing loop terminates immediately rather than attempting to\ncontinue from an invalidated offset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23220"
        },
        {
          "id": "CVE-2026-23221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix use-after-free in driver_override_show()\n\nThe driver_override_show() function reads the driver_override string\nwithout holding the device_lock. However, driver_override_store() uses\ndriver_set_override(), which modifies and frees the string while holding\nthe device_lock.\n\nThis can result in a concurrent use-after-free if the string is freed\nby the store function while being read by the show function.\n\nFix this by holding the device_lock around the read operation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23221"
        },
        {
          "id": "CVE-2026-23222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly\n\nThe existing allocation of scatterlists in omap_crypto_copy_sg_lists()\nwas allocating an array of scatterlist pointers, not scatterlist objects,\nresulting in a 4x too small allocation.\n\nUse sizeof(*new_sg) to get the correct object size.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23222"
        },
        {
          "id": "CVE-2026-23223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix UAF in xchk_btree_check_block_owner\n\nWe cannot dereference bs->cur when trying to determine if bs->cur\naliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.\nFix this by sampling before type before any freeing could happen.\nThe correct temporal ordering was broken when we removed xfs_btnum_t.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23223"
        },
        {
          "id": "CVE-2026-23224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix UAF issue for file-backed mounts w/ directio option\n\n[    9.269940][ T3222] Call trace:\n[    9.269948][ T3222]  ext4_file_read_iter+0xac/0x108\n[    9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198\n[    9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180\n[    9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24\n[    9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac\n[    9.270054][ T3222]  z_erofs_read_folio+0x120/0x220\n[    9.270083][ T3222]  filemap_read_folio+0x60/0x120\n[    9.270102][ T3222]  filemap_fault+0xcac/0x1060\n[    9.270119][ T3222]  do_pte_missing+0x2d8/0x1554\n[    9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c\n[    9.270142][ T3222]  do_page_fault+0x178/0x88c\n[    9.270167][ T3222]  do_translation_fault+0x38/0x54\n[    9.270183][ T3222]  do_mem_abort+0x54/0xac\n[    9.270208][ T3222]  el0_da+0x44/0x7c\n[    9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4\n[    9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0\n\nEROFS may encounter above panic when enabling file-backed mount w/\ndirectio mount option, the root cause is it may suffer UAF in below\nrace condition:\n\n- z_erofs_read_folio                          wq s_dio_done_wq\n - z_erofs_runqueue\n  - erofs_fileio_submit_bio\n   - erofs_fileio_rq_submit\n    - vfs_iocb_iter_read\n     - ext4_file_read_iter\n      - ext4_dio_read_iter\n       - iomap_dio_rw\n       : bio was submitted and return -EIOCBQUEUED\n                                              - dio_aio_complete_work\n                                               - dio_complete\n                                                - dio->iocb->ki_complete (erofs_fileio_ki_complete())\n                                                 - kfree(rq)\n                                                 : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\n       - file_accessed\n       : access NULL file point\n\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\ndecrease reference count, the last one decreasing the reference count\nto zero will free rq.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23224"
        },
        {
          "id": "CVE-2026-23225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/mmcid: Don't assume CID is CPU owned on mode switch\n\nShinichiro reported a KASAN UAF, which is actually an out of bounds access\nin the MMCID management code.\n\n   CPU0\t\t\t\t\t\tCPU1\n   \t\t\t\t\t\tT1 runs in userspace\n   T0: fork(T4) -> Switch to per CPU CID mode\n         fixup() set MM_CID_TRANSIT on T1/CPU1\n   T4 exit()\n   T3 exit()\n   T2 exit()\n\t\t\t\t\t\tT1 exit() switch to per task mode\n\t\t\t\t\t\t ---> Out of bounds access.\n\nAs T1 has not scheduled after T0 set the TRANSIT bit, it exits with the\nTRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in\nthe task and drops the CID, but it does not touch the per CPU storage.\nThat's functionally correct because a CID is only owned by the CPU when\nthe ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.\n\nNow sched_mm_cid_exit() assumes that the CID is CPU owned because the\nprior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the\nnot set ONCPU bit and then invokes clear_bit() with an insanely large\nbit number because TRANSIT is set (bit 29).\n\nPrevent that by actually validating that the CID is CPU owned in\nmm_drop_cid_on_cpu().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23225",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add chann_lock to protect ksmbd_chann_list xarray\n\nksmbd_chann_list xarray lacks synchronization, allowing use-after-free in\nmulti-channel sessions (between lookup_chann_list() and ksmbd_chann_del).\n\nAdds rw_semaphore chann_lock to struct ksmbd_session and protects\nall xa_load/xa_store/xa_erase accesses.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23226"
        },
        {
          "id": "CVE-2026-23227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free\n\nExynos Virtual Display driver performs memory alloc/free operations\nwithout lock protection, which easily causes concurrency problem.\n\nFor example, use-after-free can occur in race scenario like this:\n```\n\tCPU0\t\t\t\tCPU1\t\t\t\tCPU2\n\t----\t\t\t\t----\t\t\t\t----\n  vidi_connection_ioctl()\n    if (vidi->connection) // true\n      drm_edid = drm_edid_alloc(); // alloc drm_edid\n      ...\n      ctx->raw_edid = drm_edid;\n      ...\n\t\t\t\t\t\t\t\tdrm_mode_getconnector()\n\t\t\t\t\t\t\t\t  drm_helper_probe_single_connector_modes()\n\t\t\t\t\t\t\t\t    vidi_get_modes()\n\t\t\t\t\t\t\t\t      if (ctx->raw_edid) // true\n\t\t\t\t\t\t\t\t        drm_edid_dup(ctx->raw_edid);\n\t\t\t\t\t\t\t\t          if (!drm_edid) // false\n\t\t\t\t\t\t\t\t          ...\n\t\t\t\tvidi_connection_ioctl()\n\t\t\t\t  if (vidi->connection) // false\n\t\t\t\t    drm_edid_free(ctx->raw_edid); // free drm_edid\n\t\t\t\t    ...\n\t\t\t\t\t\t\t\t          drm_edid_alloc(drm_edid->edid)\n\t\t\t\t\t\t\t\t            kmemdup(edid); // UAF!!\n\t\t\t\t\t\t\t\t            ...\n```\n\nTo prevent these vulns, at least in vidi_context, member variables related\nto memory alloc/free should be protected with ctx->lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23227"
        },
        {
          "id": "CVE-2026-23228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()\n\nOn kthread_run() failure in ksmbd_tcp_new_connection(), the transport is\nfreed via free_transport(), which does not decrement active_num_conn,\nleaking this counter.\n\nReplace free_transport() with ksmbd_tcp_disconnect().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23228"
        },
        {
          "id": "CVE-2026-23229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio - Add spinlock protection with virtqueue notification\n\nWhen VM boots with one virtio-crypto PCI device and builtin backend,\nrun openssl benchmark command with multiple processes, such as\n  openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32\n\nopenssl processes will hangup and there is error reported like this:\n virtio_crypto virtio0: dataq.0:id 3 is not a head!\n\nIt seems that the data virtqueue need protection when it is handled\nfor virtio done notification. If the spinlock protection is added\nin virtcrypto_done_task(), openssl benchmark with multiple processes\nworks well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23229"
        },
        {
          "id": "CVE-2026-23230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: split cached_fid bitfields to avoid shared-byte RMW races\n\nis_open, has_lease and on_list are stored in the same bitfield byte in\nstruct cached_fid but are updated in different code paths that may run\nconcurrently. Bitfield assignments generate byte read\u2013modify\u2013write\noperations (e.g. `orb $mask, addr` on x86_64), so updating one flag can\nrestore stale values of the others.\n\nA possible interleaving is:\n    CPU1: load old byte (has_lease=1, on_list=1)\n    CPU2: clear both flags (store 0)\n    CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits\n\nTo avoid this class of races, convert these flags to separate bool\nfields.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23230"
        },
        {
          "id": "CVE-2026-23231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table->chains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table->chains\n    under rcu_read_lock(). A concurrent dump can still be walking\n    the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n    installs the IPv4 hook before IPv6 registration fails.  Packets\n    entering nft_do_chain() via the transient IPv4 hook can still be\n    dereferencing chain->blob_gen_X when the error path frees the\n    chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23231"
        },
        {
          "id": "CVE-2026-23232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: block cache/dio write during f2fs_enable_checkpoint()\"\n\nThis reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a.\n\nOriginal patch may cause below deadlock, revert it.\n\nwrite\t\t\t\tremount\n- write_begin\n - lock_page  --- lock A\n - prepare_write_begin\n  - f2fs_map_lock\n\t\t\t\t- f2fs_enable_checkpoint\n\t\t\t\t - down_write(cp_enable_rwsem)  --- lock B\n\t\t\t\t - sync_inode_sb\n\t\t\t\t  - writepages\n\t\t\t\t   - lock_page\t\t\t--- lock A\n   - down_read(cp_enable_rwsem)  --- lock A",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23232",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid mapping wrong physical block for swapfile\n\nXiaolong Guo reported a f2fs bug in bugzilla [1]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951\n\nQuoted:\n\n\"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,\nthe system experiences data corruption leading to either:\n1 dm-verity corruption errors and device reboot\n2 F2FS node corruption errors and boot hangs\n\nThe issue occurs specifically when:\n1 Using F2FS filesystem (ext4 is unaffected)\n2 Swapfile size is less than F2FS section size (2MB)\n3 Swapfile has fragmented physical layout (multiple non-contiguous extents)\n4 Kernel version is 6.6+ (6.1 is unaffected)\n\nThe root cause is in check_swap_activate() function in fs/f2fs/data.c. When the\nfirst extent of a small swapfile (< 2MB) is not aligned to section boundaries,\nthe function incorrectly treats it as the last extent, failing to map\nsubsequent extents. This results in incorrect swap_extent creation where only\nthe first extent is mapped, causing subsequent swap writes to overwrite wrong\nphysical locations (other files' data).\n\nSteps to Reproduce\n1 Setup a device with F2FS-formatted userdata partition\n2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng\n3 Run swap stress test: (Android devices)\nadb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60\n--swap 0\"\n\nLog:\n1 Ftrace shows in kernel 6.6, only first extent is mapped during second\nf2fs_map_blocks call in check_swap_activate():\nstress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start\nblkaddr=0x43143, len=0x1\n(Only 4KB mapped, not the full swapfile)\n2 in kernel 6.1, both extents are correctly mapped:\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start\nblkaddr=0x13cd4, len=0x1\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start\nblkaddr=0x60c84b, len=0xff\n\nThe problematic code is in check_swap_activate():\nif ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||\n    nr_pblocks % blks_per_sec ||\n    !f2fs_valid_pinned_area(sbi, pblock)) {\n    bool last_extent = false;\n\n    not_aligned++;\n\n    nr_pblocks = roundup(nr_pblocks, blks_per_sec);\n    if (cur_lblock + nr_pblocks > sis->max)\n        nr_pblocks -= blks_per_sec;\n\n    /* this extent is last one */\n    if (!nr_pblocks) {\n        nr_pblocks = last_lblock - cur_lblock;\n        last_extent = true;\n    }\n\n    ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);\n    if (ret) {\n        if (ret == -ENOENT)\n            ret = -EINVAL;\n        goto out;\n    }\n\n    if (!last_extent)\n        goto retry;\n}\n\nWhen the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)\nexceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The\ncode then incorrectly assumes this is the last extent, sets nr_pblocks =\nlast_lblock - cur_lblock (entire swapfile), and performs migration. After\nmigration, it doesn't retry mapping, so subsequent extents are never processed.\n\"\n\nIn order to fix this issue, we need to lookup block mapping info after\nwe migrate all blocks in the tail of swapfile.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23233"
        },
        {
          "id": "CVE-2026-23234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_write_end_io()\n\nAs syzbot reported an use-after-free issue in f2fs_write_end_io().\n\nIt is caused by below race condition:\n\nloop device\t\t\t\tumount\n- worker_thread\n - loop_process_work\n  - do_req_filebacked\n   - lo_rw_aio\n    - lo_rw_aio_complete\n     - blk_mq_end_request\n      - blk_update_request\n       - f2fs_write_end_io\n        - dec_page_count\n        - folio_end_writeback\n\t\t\t\t\t- kill_f2fs_super\n\t\t\t\t\t - kill_block_super\n\t\t\t\t\t  - f2fs_put_super\n\t\t\t\t\t : free(sbi)\n       : get_pages(, F2FS_WB_CP_DATA)\n         accessed sbi which is freed\n\nIn kill_f2fs_super(), we will drop all page caches of f2fs inodes before\ncall free(sbi), it guarantee that all folios should end its writeback, so\nit should be safe to access sbi before last folio_end_writeback().\n\nLet's relocate ckpt thread wakeup flow before folio_end_writeback() to\nresolve this issue.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23234"
        },
        {
          "id": "CVE-2026-23235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix out-of-bounds access in sysfs attribute read/write\n\nSome f2fs sysfs attributes suffer from out-of-bounds memory access and\nincorrect handling of integer values whose size is not 4 bytes.\n\nFor example:\nvm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out\nvm:~# cat /sys/fs/f2fs/vde/carve_out\n65537\nvm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold\nvm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold\n1\n\ncarve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit\ninteger. However, the sysfs interface allows setting it to a value\nlarger than 255, resulting in an out-of-range update.\n\natgc_age_threshold maps to {struct atgc_management}->age_threshold,\nwhich is a 64-bit integer, but its sysfs interface cannot correctly set\nvalues larger than UINT_MAX.\n\nThe root causes are:\n1. __sbi_store() treats all default values as unsigned int, which\nprevents updating integers larger than 4 bytes and causes out-of-bounds\nwrites for integers smaller than 4 bytes.\n\n2. f2fs_sbi_show() also assumes all default values are unsigned int,\nleading to out-of-bounds reads and incorrect access to integers larger\nthan 4 bytes.\n\nThis patch introduces {struct f2fs_attr}->size to record the actual size\nof the integer associated with each sysfs attribute. With this\ninformation, sysfs read and write operations can correctly access and\nupdate values according to their real data size, avoiding memory\ncorruption and truncation.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23235"
        },
        {
          "id": "CVE-2026-23236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel.",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23236"
        },
        {
          "id": "CVE-2026-23237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: classmate-laptop: Add missing NULL pointer checks\n\nIn a few places in the Classmate laptop driver, code using the accel\nobject may run before that object's address is stored in the driver\ndata of the input device using it.\n\nFor example, cmpc_accel_sensitivity_store_v4() is the \"show\" method\nof cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),\nbefore calling dev_set_drvdata() for inputdev->dev.  If the sysfs\nattribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev)\ncall in in cmpc_accel_sensitivity_store_v4() returns NULL which\nleads to a NULL pointer dereference going forward.\n\nMoreover, sysfs attributes using the input device are added before\ninitializing that device by cmpc_add_acpi_notify_device() and if one\nof them is accessed before running that function, a NULL pointer\ndereference will occur.\n\nFor example, cmpc_accel_sensitivity_attr_v4 is added before calling\ncmpc_add_acpi_notify_device() and if it is read prematurely, the\ndev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4()\nreturns NULL which leads to a NULL pointer dereference going forward.\n\nFix this by adding NULL pointer checks in all of the relevant places.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23237"
        },
        {
          "id": "CVE-2026-23238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nromfs: check sb_set_blocksize() return value\n\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice's configuration.\n\nThis can be triggered by setting a loop device's block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\n\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device's logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\n\nThe superblock's block size remains at the device's logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\n\n    kernel BUG at fs/buffer.c:1582!\n    BUG_ON(size > PAGE_SIZE);\n\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23238"
        },
        {
          "id": "CVE-2026-23239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: Fix race condition in espintcp_close()\n\nThis issue was discovered during a code audit.\n\nAfter cancel_work_sync() is called from espintcp_close(),\nespintcp_tx_work() can still be scheduled from paths such as\nthe Delayed ACK handler or ksoftirqd.\nAs a result, the espintcp_tx_work() worker may dereference a\nfreed espintcp ctx or sk.\n\nThe following is a simple race scenario:\n\n           cpu0                             cpu1\n\n  espintcp_close()\n    cancel_work_sync(&ctx->work);\n                                     espintcp_write_space()\n                                       schedule_work(&ctx->work);\n\nTo prevent this race condition, cancel_work_sync() is\nreplaced with disable_work_sync().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23239"
        },
        {
          "id": "CVE-2026-23240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Fix race condition in tls_sw_cancel_work_tx()\n\nThis issue was discovered during a code audit.\n\nAfter cancel_delayed_work_sync() is called from tls_sk_proto_close(),\ntx_work_handler() can still be scheduled from paths such as the\nDelayed ACK handler or ksoftirqd.\nAs a result, the tx_work_handler() worker may dereference a freed\nTLS object.\n\nThe following is a simple race scenario:\n\n          cpu0                         cpu1\n\ntls_sk_proto_close()\n  tls_sw_cancel_work_tx()\n                                 tls_write_space()\n                                   tls_sw_write_space()\n                                     if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask))\n    set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);\n    cancel_delayed_work_sync(&ctx->tx_work.work);\n                                     schedule_delayed_work(&tx_ctx->tx_work.work, 0);\n\nTo prevent this race condition, cancel_delayed_work_sync() is\nreplaced with disable_delayed_work_sync().",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23240"
        },
        {
          "id": "CVE-2026-23241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: add missing syscalls to read class\n\nThe \"at\" variant of getxattr() and listxattr() are missing from the\naudit read class. Calling getxattrat() or listxattrat() on a file to\nread its extended attributes will bypass audit rules such as:\n\n-w /tmp/test -p rwa -k test_rwa\n\nThe current patch adds missing syscalls to the audit read class.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23241"
        },
        {
          "id": "CVE-2026-23242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix potential NULL pointer dereference in header processing\n\nIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),\nqp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()\ndereferences qp->rx_fpdu->more_ddp_segs without checking, which\nmay lead to a NULL pointer deref. Only check more_ddp_segs when\nrx_fpdu is present.\n\nKASAN splat:\n[  101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]\n[  101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23242"
        },
        {
          "id": "CVE-2026-23243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23243"
        },
        {
          "id": "CVE-2026-23244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix memory allocation in nvme_pr_read_keys()\n\nnvme_pr_read_keys() takes num_keys from userspace and uses it to\ncalculate the allocation size for rse via struct_size(). The upper\nlimit is PR_KEYS_MAX (64K).\n\nA malicious or buggy userspace can pass a large num_keys value that\nresults in a 4MB allocation attempt at most, causing a warning in\nthe page allocator when the order exceeds MAX_PAGE_ORDER.\n\nTo fix this, use kvzalloc() instead of kzalloc().\n\nThis bug has the same reasoning and fix with the patch below:\nhttps://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/\n\nWarning log:\nWARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272\nModules linked in:\nCPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216\nCode: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0d\nRSP: 0018:ffffc90000fcf450 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0\nRDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0\nRBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001\nR10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000\nR13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620\nFS:  0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486\n alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557\n ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598\n __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245\n blkdev_pr_read_keys block/ioctl.c:456 [inline]\n blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730\n blkdev_ioctl+0x299/0x700 block/ioctl.c:786\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583\n x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fb893d3108d\nCode: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108d\nRDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003\nRBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23244"
        },
        {
          "id": "CVE-2026-23245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23245"
        },
        {
          "id": "CVE-2026-23246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\n\nlink_id is taken from the ML Reconfiguration element (control & 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23246"
        },
        {
          "id": "CVE-2026-23247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: secure_seq: add back ports to TS offset\n\nThis reverts 28ee1b746f49 (\"secure_seq: downgrade to per-host timestamp offsets\")\n\ntcp_tw_recycle went away in 2017.\n\nZhouyan Deng reported off-path TCP source port leakage via\nSYN cookie side-channel that can be fixed in multiple ways.\n\nOne of them is to bring back TCP ports in TS offset randomization.\n\nAs a bonus, we perform a single siphash() computation\nto provide both an ISN and a TS offset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23247"
        },
        {
          "id": "CVE-2026-23248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix refcount bug and potential UAF in perf_mmap\n\nSyzkaller reported a refcount_t: addition on 0; use-after-free warning\nin perf_mmap.\n\nThe issue is caused by a race condition between a failing mmap() setup\nand a concurrent mmap() on a dependent event (e.g., using output\nredirection).\n\nIn perf_mmap(), the ring_buffer (rb) is allocated and assigned to\nevent->rb with the mmap_mutex held. The mutex is then released to\nperform map_range().\n\nIf map_range() fails, perf_mmap_close() is called to clean up.\nHowever, since the mutex was dropped, another thread attaching to\nthis event (via inherited events or output redirection) can acquire\nthe mutex, observe the valid event->rb pointer, and attempt to\nincrement its reference count. If the cleanup path has already\ndropped the reference count to zero, this results in a\nuse-after-free or refcount saturation warning.\n\nFix this by extending the scope of mmap_mutex to cover the\nmap_range() call. This ensures that the ring buffer initialization\nand mapping (or cleanup on failure) happens atomically effectively,\npreventing other threads from accessing a half-initialized or\ndying ring buffer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23248"
        },
        {
          "id": "CVE-2026-23249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check for deleted cursors when revalidating two btrees\n\nThe free space and inode btree repair functions will rebuild both btrees\nat the same time, after which it needs to evaluate both btrees to\nconfirm that the corruptions are gone.\n\nHowever, Jiaming Zhang ran syzbot and produced a crash in the second\nxchk_allocbt call.  His root-cause analysis is as follows (with minor\ncorrections):\n\n In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first\n for BNOBT, second for CNTBT). The cause of this issue is that the\n first call nullified the cursor required by the second call.\n\n Let's first enter xrep_revalidate_allocbt() via following call chain:\n\n xfs_file_ioctl() ->\n xfs_ioc_scrubv_metadata() ->\n xfs_scrub_metadata() ->\n `sc->ops->repair_eval(sc)` ->\n xrep_revalidate_allocbt()\n\n xchk_allocbt() is called twice in this function. In the first call:\n\n /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */\n xchk_allocbt() ->\n xchk_btree() ->\n `bs->scrub_rec(bs, recp)` ->\n xchk_allocbt_rec() ->\n xchk_allocbt_xref() ->\n xchk_allocbt_xref_other()\n\n since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.\n Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call\n chain:\n\n xfs_alloc_get_rec() ->\n xfs_btree_get_rec() ->\n xfs_btree_check_block() ->\n (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter\n is true, return -EFSCORRUPTED. This should be caused by\n ioctl$XFS_IOC_ERROR_INJECTION I guess.\n\n Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from\n xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this\n function, *curpp (points to sc->sa.cnt_cur) is nullified.\n\n Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been\n nullified, it then triggered null-ptr-deref via xchk_allocbt() (second\n call) -> xchk_btree().\n\nSo.  The bnobt revalidation failed on a cross-reference attempt, so we\ndeleted the cntbt cursor, and then crashed when we tried to revalidate\nthe cntbt.  Therefore, check for a null cntbt cursor before that\nrevalidation, and mark the repair incomplete.  Also we can ignore the\nsecond tree entirely if the first tree was rebuilt but is already\ncorrupt.\n\nApply the same fix to xrep_revalidate_iallocbt because it has the same\nproblem.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23249"
        },
        {
          "id": "CVE-2026-23250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check return value of xchk_scrub_create_subord\n\nFix this function to return NULL instead of a mangled ENOMEM, then fix\nthe callers to actually check for a null pointer and return ENOMEM.\nMost of the corrections here are for code merged between 6.2 and 6.10.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23250"
        },
        {
          "id": "CVE-2026-23251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: only call xf{array,blob}_destroy if we have a valid pointer\n\nOnly call the xfarray and xfblob destructor if we have a valid pointer,\nand be sure to null out that pointer afterwards.  Note that this patch\nfixes a large number of commits, most of which were merged between 6.9\nand 6.10.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23251"
        },
        {
          "id": "CVE-2026-23252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: get rid of the xchk_xfile_*_descr calls\n\nThe xchk_xfile_*_descr macros call kasprintf, which can fail to allocate\nmemory if the formatted string is larger than 16 bytes (or whatever the\nnofail guarantees are nowadays).  Some of them could easily exceed that,\nand Jiaming Zhang found a few places where that can happen with syzbot.\n\nThe descriptions are debugging aids and aren't required to be unique, so\nlet's just pass in static strings and eliminate this path to failure.\nNote this patch touches a number of commits, most of which were merged\nbetween 6.6 and 6.14.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23252"
        },
        {
          "id": "CVE-2026-23253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\n\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device.  dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\n\nSince dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\n\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init().  The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\n\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23253"
        },
        {
          "id": "CVE-2026-23254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: fix outer network offset\n\nThe udp GRO complete stage assumes that all the packets inserted the RX\nhave the `encapsulation` flag zeroed. Such assumption is not true, as a\nfew H/W NICs can set such flag when H/W offloading the checksum for\nan UDP encapsulated traffic, the tun driver can inject GSO packets with\nUDP encapsulation and the problematic layout can also be created via\na veth based setup.\n\nDue to the above, in the problematic scenarios, udp4_gro_complete() uses\nthe wrong network offset (inner instead of outer) to compute the outer\nUDP header pseudo checksum, leading to csum validation errors later on\nin packet processing.\n\nAddress the issue always clearing the encapsulation flag at GRO completion\ntime. Such flag will be set again as needed for encapsulated packets by\nudp_gro_complete().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23254",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add proper RCU protection to /proc/net/ptype\n\nYin Fengwei reported an RCU stall in ptype_seq_show() and provided\na patch.\n\nReal issue is that ptype_seq_next() and ptype_seq_show() violate\nRCU rules.\n\nptype_seq_show() runs under rcu_read_lock(), and reads pt->dev\nto get device name without any barrier.\n\nAt the same time, concurrent writers can remove a packet_type structure\n(which is correctly freed after an RCU grace period) and clear pt->dev\nwithout an RCU grace period.\n\nDefine ptype_iter_state to carry a dev pointer along seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // added in this patch\n};\n\nWe need to record the device pointer in ptype_get_idx() and\nptype_seq_next() so that ptype_seq_show() is safe against\nconcurrent pt->dev changes.\n\nWe also need to add full RCU protection in ptype_seq_next().\n(Missing READ_ONCE() when reading list.next values)\n\nMany thanks to Dong Chenchen for providing a repro.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23255",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nCompile tested only. Issue found using code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23256",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nAlso, decrement i in the devlink_alloc failure path to point to the\nlast successfully allocated index.\n\nCompile tested only. Issue found using code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23257",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Initialize netdev pointer before queue setup\n\nIn setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().\nHowever, the pointer to this structure is stored in oct->props[i].netdev\nonly after the calls to netif_set_real_num_rx_queues() and\nnetif_set_real_num_tx_queues().\n\nIf either of these functions fails, setup_nic_devices() returns an error\nwithout freeing the allocated netdev. Since oct->props[i].netdev is still\nNULL at this point, the cleanup function liquidio_destroy_nic_device()\nwill fail to find and free the netdev, resulting in a memory leak.\n\nFix this by initializing oct->props[i].netdev before calling the queue\nsetup functions. This ensures that the netdev is properly accessible for\ncleanup in case of errors.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23258",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: free potentially allocated iovec on cache put failure\n\nIf a read/write request goes through io_req_rw_cleanup() and has an\nallocated iovec attached and fails to put to the rw_cache, then it may\nend up with an unaccounted iovec pointer. Have io_rw_recycle() return\nwhether it recycled the request or not, and use that to gauge whether to\nfree a potential iovec or not.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23259",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: maple: free entry on mas_store_gfp() failure\n\nregcache_maple_write() allocates a new block ('entry') to merge\nadjacent ranges and then stores it with mas_store_gfp().\nWhen mas_store_gfp() fails, the new 'entry' remains allocated and\nis never freed, leaking memory.\n\nFree 'entry' on the failure path; on success continue freeing the\nreplaced neighbor blocks ('lower', 'upper').",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23260",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: release admin tagset if init fails\n\nnvme_fabrics creates an NVMe/FC controller in following path:\n\n    nvmf_dev_write()\n      -> nvmf_create_ctrl()\n        -> nvme_fc_create_ctrl()\n          -> nvme_fc_init_ctrl()\n\nnvme_fc_init_ctrl() allocates the admin blk-mq resources right after\nnvme_add_ctrl() succeeds.  If any of the subsequent steps fail (changing\nthe controller state, scheduling connect work, etc.), we jump to the\nfail_ctrl path, which tears down the controller references but never\nfrees the admin queue/tag set.  The leaked blk-mq allocations match the\nkmemleak report seen during blktests nvme/fc.\n\nCheck ctrl->ctrl.admin_tagset in the fail_ctrl path and call\nnvme_remove_admin_tag_set() when it is set so that all admin queue\nallocations are reclaimed whenever controller setup aborts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23261",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Fix stats report corruption on queue count change\n\nThe driver and the NIC share a region in memory for stats reporting.\nThe NIC calculates its offset into this region based on the total size\nof the stats region and the size of the NIC's stats.\n\nWhen the number of queues is changed, the driver's stats region is\nresized. If the queue count is increased, the NIC can write past\nthe end of the allocated stats region, causing memory corruption.\nIf the queue count is decreased, there is a gap between the driver\nand NIC stats, leading to incorrect stats reporting.\n\nThis change fixes the issue by allocating stats region with maximum\nsize, and the offset calculation for NIC stats is changed to match\nwith the calculation of the NIC.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23262",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix page array leak\n\nd9f595b9a65e (\"io_uring/zcrx: fix leaking pages on sg init fail\") fixed\na page leakage but didn't free the page array, release it as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23263",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: Check if ASPM is enabled from PCIe subsystem\"\n\nThis reverts commit 7294863a6f01248d72b61d38478978d638641bee.\n\nThis commit was erroneously applied again after commit 0ab5d711ec74\n(\"drm/amd: Refactor `amdgpu_aspm` to be evaluated per device\")\nremoved it, leading to very hard to debug crashes, when used with a system with two\nAMD GPUs of which only one supports ASPM.\n\n(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23264",
          "detail": "cpe-stable-backport",
          "description": "Backported in 6.18.10"
        },
        {
          "id": "CVE-2026-23265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node footer in {read,write}_end_io\n\n-----------[ cut here ]------------\nkernel BUG at fs/f2fs/data.c:358!\nCall Trace:\n <IRQ>\n blk_update_request+0x5eb/0xe70 block/blk-mq.c:987\n blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149\n blk_complete_reqs block/blk-mq.c:1224 [inline]\n blk_done_softirq+0x107/0x160 block/blk-mq.c:1229\n handle_softirqs+0x283/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050\n </IRQ>\n\nIn f2fs_write_end_io(), it detects there is inconsistency in between\nnode page index (nid) and footer.nid of node page.\n\nIf footer of node page is corrupted in fuzzed image, then we load corrupted\nnode page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(),\nin where we won't do sanity check on node footer, once node page becomes\ndirty, we will encounter this bug after node page writeback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23265"
        },
        {
          "id": "CVE-2026-23266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: rivafb: fix divide error in nv3_arb()\n\nA userspace program can trigger the RIVA NV3 arbitration code by calling\nthe FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver\nrecomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz\n(derived from the PRAMDAC MCLK PLL) as a divisor without validating it\nfirst.\n\nIn a normal setup, state->mclk_khz is provided by the real hardware and is\nnon-zero. However, an attacker can construct a malicious or misconfigured\ndevice (e.g. a crafted/emulated PCI device) that exposes a bogus PLL\nconfiguration, causing state->mclk_khz to become zero.  Once\nnv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns\ncalculation causes a divide error and crashes the kernel.\n\nFix this by checking whether state->mclk_khz is zero and bailing out before\ndoing the division.\n\nThe following log reveals it:\n\nrivafb: setting virtual Y resolution to 2184\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]\nRIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546\nCall Trace:\n  nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603\n  nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]\n  CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246\n  riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779\n  rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196\n  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033\n  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109\n  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188\n  __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23266"
        },
        {
          "id": "CVE-2026-23267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes\n\nDuring SPO tests, when mounting F2FS, an -EINVAL error was returned from\nf2fs_recover_inode_page. The issue occurred under the following scenario\n\nThread A                                     Thread B\nf2fs_ioc_commit_atomic_write\n - f2fs_do_sync_file // atomic = true\n  - f2fs_fsync_node_pages\n    : last_folio = inode folio\n    : schedule before folio_lock(last_folio) f2fs_write_checkpoint\n                                              - block_operations// writeback last_folio\n                                              - schedule before f2fs_flush_nat_entries\n    : set_fsync_mark(last_folio, 1)\n    : set_dentry_mark(last_folio, 1)\n    : folio_mark_dirty(last_folio)\n    - __write_node_folio(last_folio)\n      : f2fs_down_read(&sbi->node_write)//block\n                                              - f2fs_flush_nat_entries\n                                                : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)\n                                              - unblock_operations\n                                                : f2fs_up_write(&sbi->node_write)\n                                             f2fs_write_checkpoint//return\n      : f2fs_do_write_node_page()\nf2fs_ioc_commit_atomic_write//return\n                                             SPO\n\nThread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has\nalready been written once. However, the {struct nat_entry}->flag did not\nhave the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and\nwrite last_folio again after Thread B finishes f2fs_write_checkpoint.\n\nAfter SPO and reboot, it was detected that {struct node_info}->blk_addr\nwas not NULL_ADDR because Thread B successfully write the checkpoint.\n\nThis issue only occurs in atomic write scenarios. For regular file\nfsync operations, the folio must be dirty. If\nblock_operations->f2fs_sync_node_pages successfully submit the folio\nwrite, this path will not be executed. Otherwise, the\nf2fs_write_checkpoint will need to wait for the folio write submission\nto complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the\nsituation where f2fs_need_dentry_mark checks that the {struct\nnat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has\nalready been submitted, will not occur.\n\nTherefore, for atomic file fsync, sbi->node_write should be acquired\nthrough __write_node_folio to ensure that the IS_CHECKPOINTED flag\ncorrectly indicates that the checkpoint write has been completed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23267"
        },
        {
          "id": "CVE-2026-23268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23268"
        },
        {
          "id": "CVE-2026-23269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23269"
        },
        {
          "id": "CVE-2026-23270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it's still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23270"
        },
        {
          "id": "CVE-2026-23271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix __perf_event_overflow() vs perf_remove_from_context() race\n\nMake sure that __perf_event_overflow() runs with IRQs disabled for all\npossible callchains. Specifically the software events can end up running\nit with only preemption disabled.\n\nThis opens up a race vs perf_event_exit_event() and friends that will go\nand free various things the overflow path expects to be present, like\nthe BPF program.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23271"
        },
        {
          "id": "CVE-2026-23272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set->nelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set->nelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23272"
        },
        {
          "id": "CVE-2026-23273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n<IRQ>\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23273"
        },
        {
          "id": "CVE-2026-23274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23274"
        },
        {
          "id": "CVE-2026-23275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx->rings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it's possible for the OR'ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there's no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that's the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23275"
        },
        {
          "id": "CVE-2026-23276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n  <TASK>\n  __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n  ip_rt_update_pmtu (net/ipv4/route.c:1073)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  mld_sendpack\n  mld_ifc_work\n  process_one_work\n  worker_thread\n  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23276"
        },
        {
          "id": "CVE-2026-23277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit\n\nteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit\nthrough slave devices, but does not update skb->dev to the slave device\nbeforehand.\n\nWhen a gretap tunnel is a TEQL slave, the transmit path reaches\niptunnel_xmit() which saves dev = skb->dev (still pointing to teql0\nmaster) and later calls iptunnel_xmit_stats(dev, pkt_len). This\nfunction does:\n\n    get_cpu_ptr(dev->tstats)\n\nSince teql_master_setup() does not set dev->pcpu_stat_type to\nNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats\nfor teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes\nNULL + __per_cpu_offset[cpu], resulting in a page fault.\n\n BUG: unable to handle page fault for address: ffff8880e6659018\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 68bc067 P4D 68bc067 PUD 0\n Oops: Oops: 0002 [#1] SMP KASAN PTI\n RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)\n Call Trace:\n  <TASK>\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  __gre_xmit (net/ipv4/ip_gre.c:478)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  teql_master_xmit (net/sched/sch_teql.c:319)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  neigh_direct_output (net/core/neighbour.c:1660)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)\n  ip_mc_output (net/ipv4/ip_output.c:369)\n  ip_send_skb (net/ipv4/ip_output.c:1508)\n  udp_send_skb (net/ipv4/udp.c:1195)\n  udp_sendmsg (net/ipv4/udp.c:1485)\n  inet_sendmsg (net/ipv4/af_inet.c:859)\n  __sys_sendto (net/socket.c:2206)\n\nFix this by setting skb->dev = slave before calling\nnetdev_start_xmit(), so that tunnel xmit functions see the correct\nslave device with properly allocated tstats.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23277"
        },
        {
          "id": "CVE-2026-23278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: always walk all pending catchall elements\n\nDuring transaction processing we might have more than one catchall element:\n1 live catchall element and 1 pending element that is coming as part of the\nnew batch.\n\nIf the map holding the catchall elements is also going away, its\nrequired to toggle all catchall elements and not just the first viable\ncandidate.\n\nOtherwise, we get:\n WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404\n RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]\n [..]\n __nft_set_elem_destroy+0x106/0x380 [nf_tables]\n nf_tables_abort_release+0x348/0x8d0 [nf_tables]\n nf_tables_abort+0xcf2/0x3ac0 [nf_tables]\n nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23278"
        },
        {
          "id": "CVE-2026-23279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n    ...\n    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs.  It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE.  No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n  CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23279"
        },
        {
          "id": "CVE-2026-23280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Prevent ubuf size overflow\n\nThe ubuf size calculation may overflow, resulting in an undersized\nallocation and possible memory corruption.\n\nUse check_add_overflow() helpers to validate the size calculation before\nallocation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23280"
        },
        {
          "id": "CVE-2026-23281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix use-after-free in lbs_free_adapter()\n\nThe lbs_free_adapter() function uses timer_delete() (non-synchronous)\nfor both command_timer and tx_lockup_timer before the structure is\nfreed. This is incorrect because timer_delete() does not wait for\nany running timer callback to complete.\n\nIf a timer callback is executing when lbs_free_adapter() is called,\nthe callback will access freed memory since lbs_cfg_free() frees the\ncontaining structure immediately after lbs_free_adapter() returns.\n\nBoth timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)\naccess priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,\nwhich would all be use-after-free violations.\n\nUse timer_delete_sync() instead to ensure any running timer callback\nhas completed before returning.\n\nThis bug was introduced in commit 8f641d93c38a (\"libertas: detect TX\nlockups and reset hardware\") where del_timer() was used instead of\ndel_timer_sync() in the cleanup path. The command_timer has had the\nsame issue since the driver was first written.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23281"
        },
        {
          "id": "CVE-2026-23282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix oops due to uninitialised var in smb2_unlink()\n\nIf SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the\niovs set @rqst will be left uninitialised, hence calling\nSMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will\noops.\n\nFix this by initialising @close_iov and @open_iov before setting them\nin @rqst.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23282"
        },
        {
          "id": "CVE-2026-23283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read()\n\nIn fp9931_hwmon_read(), if regmap_read() failed, the function returned\nthe error code without calling pm_runtime_put_autosuspend(), causing\na PM reference leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23283",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()\n\nReset eBPF program pointer to old_prog and do not decrease its ref-count\nif mtk_open routine in mtk_xdp_setup() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23284"
        },
        {
          "id": "CVE-2026-23285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix null-pointer dereference on local read error\n\nIn drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to\n__req_mod() with a NULL peer_device:\n\n  __req_mod(req, what, NULL, &m);\n\nThe READ_COMPLETED_WITH_ERROR handler then unconditionally passes this\nNULL peer_device to drbd_set_out_of_sync(), which dereferences it,\ncausing a null-pointer dereference.\n\nFix this by obtaining the peer_device via first_peer_device(device),\nmatching how drbd_req_destroy() handles the same situation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23285"
        },
        {
          "id": "CVE-2026-23286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix null-ptr-deref in lec_arp_clear_vccs\n\nsyzkaller reported a null-ptr-deref in lec_arp_clear_vccs().\nThis issue can be easily reproduced using the syzkaller reproducer.\n\nIn the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by\nmultiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).\nWhen the underlying VCC is closed, lec_vcc_close() iterates over all\nARP entries and calls lec_arp_clear_vccs() for each matched entry.\n\nFor example, when lec_vcc_close() iterates through the hlists in\npriv->lec_arp_empty_ones or other ARP tables:\n\n1. In the first iteration, for the first matched ARP entry sharing the VCC,\nlec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)\nand sets vcc->user_back to NULL.\n2. In the second iteration, for the next matched ARP entry sharing the same\nVCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from\nvcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it\nvia `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.\n\nFix this by adding a null check for vpriv before dereferencing\nit. If vpriv is already NULL, it means the VCC has been cleared\nby a previous call, so we can safely skip the cleanup and just\nclear the entry's vcc/recv_vcc pointers.\n\nThe entire cleanup block (including vcc_release_async()) is placed inside\nthe vpriv guard because a NULL vpriv indicates the VCC has already been\nfully released by a prior iteration \u2014 repeating the teardown would\nredundantly set flags and trigger callbacks on an already-closing socket.\n\nThe Fixes tag points to the initial commit because the entry->vcc path has\nbeen vulnerable since the original code. The entry->recv_vcc path was later\nadded by commit 8d9f73c0ad2f (\"atm: fix a memory leak of vcc->user_back\")\nwith the same pattern, and both paths are fixed here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23286"
        },
        {
          "id": "CVE-2026-23287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/sifive-plic: Fix frozen interrupt due to affinity setting\n\nPLIC ignores interrupt completion message for disabled interrupt, explained\nby the specification:\n\n    The PLIC signals it has completed executing an interrupt handler by\n    writing the interrupt ID it received from the claim to the\n    claim/complete register. The PLIC does not check whether the completion\n    ID is the same as the last claim ID for that target. If the completion\n    ID does not match an interrupt source that is currently enabled for\n    the target, the completion is silently ignored.\n\nThis caused problems in the past, because an interrupt can be disabled\nwhile still being handled and plic_irq_eoi() had no effect. That was fixed\nby checking if the interrupt is disabled, and if so enable it, before\nsending the completion message. That check is done with irqd_irq_disabled().\n\nHowever, that is not sufficient because the enable bit for the handling\nhart can be zero despite irqd_irq_disabled(d) being false. This can happen\nwhen affinity setting is changed while a hart is still handling the\ninterrupt.\n\nThis problem is easily reproducible by dumping a large file to uart (which\ngenerates lots of interrupts) and at the same time keep changing the uart\ninterrupt's affinity setting. The uart port becomes frozen almost\ninstantaneously.\n\nFix this by checking PLIC's enable bit instead of irqd_irq_disabled().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23287"
        },
        {
          "id": "CVE-2026-23288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23288",
          "detail": "fixed-version",
          "description": "only affects 6.19.4 onwards"
        },
        {
          "id": "CVE-2026-23289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()\n\nFix a user triggerable leak on the system call failure path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23289"
        },
        {
          "id": "CVE-2026-23290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: validate USB endpoints\n\nThe pegasus driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it.  If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23290"
        },
        {
          "id": "CVE-2026-23291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: properly drop the usb interface reference on disconnect\n\nWhen the device is disconnected from the driver, there is a \"dangling\"\nreference count on the usb interface that was grabbed in the probe\ncallback.  Fix this up by properly dropping the reference after we are\ndone with it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23291"
        },
        {
          "id": "CVE-2026-23292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix recursive locking in __configfs_open_file()\n\nIn flush_write_buffer, &p->frag_sem is acquired and then the loaded store\nfunction is called, which, here, is target_core_item_dbroot_store().  This\nfunction called filp_open(), following which these functions were called\n(in reverse order), according to the call trace:\n\n  down_read\n  __configfs_open_file\n  do_dentry_open\n  vfs_open\n  do_open\n  path_openat\n  do_filp_open\n  file_open_name\n  filp_open\n  target_core_item_dbroot_store\n  flush_write_buffer\n  configfs_write_iter\n\ntarget_core_item_dbroot_store() tries to validate the new file path by\ntrying to open the file path provided to it; however, in this case, the bug\nreport shows:\n\ndb_root: not a directory: /sys/kernel/config/target/dbroot\n\nindicating that the same configfs file was tried to be opened, on which it\nis currently working on. Thus, it is trying to acquire frag_sem semaphore\nof the same file of which it already holds the semaphore obtained in\nflush_write_buffer(), leading to acquiring the semaphore in a nested manner\nand a possibility of recursive locking.\n\nFix this by modifying target_core_item_dbroot_store() to use kern_path()\ninstead of filp_open() to avoid opening the file using filesystem-specific\nfunction __configfs_open_file(), and further modifying it to make this fix\ncompatible.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23292"
        },
        {
          "id": "CVE-2026-23293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n  <TASK>\n  vxlan_xmit+0x638/0x1ef0 [vxlan]\n  dev_hard_start_xmit+0x9e/0x2e0\n  __dev_queue_xmit+0xbee/0x14e0\n  packet_sendmsg+0x116f/0x1930\n  __sys_sendto+0x1f5/0x200\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x12f/0x1590\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23293"
        },
        {
          "id": "CVE-2026-23294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in devmap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be\naccessed concurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __dev_flush() run atomically\nwith respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_xmit_all(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double-free / use-after-free on bq->q[]: bq_xmit_all() snapshots\n   cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames.\n   If preempted after the snapshot, a second task can call bq_enqueue()\n   -> bq_xmit_all() on the same bq, transmitting (and freeing) the\n   same frames. When the first task resumes, it operates on stale\n   pointers in bq->q[], causing use-after-free.\n\n2. bq->count and bq->q[] corruption: concurrent bq_enqueue() modifying\n   bq->count and bq->q[] while bq_xmit_all() is reading them.\n\n3. dev_rx/xdp_prog teardown race: __dev_flush() clears bq->dev_rx and\n   bq->xdp_prog after bq_xmit_all(). If preempted between\n   bq_xmit_all() return and bq->dev_rx = NULL, a preempting\n   bq_enqueue() sees dev_rx still set (non-NULL), skips adding bq to\n   the flush_list, and enqueues a frame. When __dev_flush() resumes,\n   it clears dev_rx and removes bq from the flush_list, orphaning the\n   newly enqueued frame.\n\n4. __list_del_clearprev() on flush_node: similar to the cpumap race,\n   both tasks can call __list_del_clearprev() on the same flush_node,\n   the second dereferences the prev pointer already set to NULL.\n\nThe race between task A (__dev_flush -> bq_xmit_all) and task B\n(bq_enqueue -> bq_xmit_all) on the same CPU:\n\n  Task A (xdp_do_flush)          Task B (ndo_xdp_xmit redirect)\n  ----------------------         --------------------------------\n  __dev_flush(flush_list)\n    bq_xmit_all(bq)\n      cnt = bq->count  /* e.g. 16 */\n      /* start iterating bq->q[] */\n    <-- CFS preempts Task A -->\n                                   bq_enqueue(dev, xdpf)\n                                     bq->count == DEV_MAP_BULK_SIZE\n                                     bq_xmit_all(bq, 0)\n                                       cnt = bq->count  /* same 16! */\n                                       ndo_xdp_xmit(bq->q[])\n                                       /* frames freed by driver */\n                                       bq->count = 0\n    <-- Task A resumes -->\n      ndo_xdp_xmit(bq->q[])\n      /* use-after-free: frames already freed! */\n\nFix this by adding a local_lock_t to xdp_dev_bulk_queue and acquiring\nit in bq_enqueue() and __dev_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23294"
        },
        {
          "id": "CVE-2026-23295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix dead lock for suspend and resume\n\nWhen an application issues a query IOCTL while auto suspend is running,\na deadlock can occur. The query path holds dev_lock and then calls\npm_runtime_resume_and_get(), which waits for the ongoing suspend to\ncomplete. Meanwhile, the suspend callback attempts to acquire dev_lock\nand blocks, resulting in a deadlock.\n\nFix this by releasing dev_lock before calling pm_runtime_resume_and_get()\nand reacquiring it after the call completes. Also acquire dev_lock in the\nresume callback to keep the locking consistent.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23295",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix refcount leak for tagset_refcnt\n\nThis leak will cause a hang when tearing down the SCSI host. For example,\niscsid hangs with the following call trace:\n\n[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured\n\nPID: 2528     TASK: ffff9d0408974e00  CPU: 3    COMMAND: \"iscsid\"\n #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4\n #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f\n #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0\n #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f\n #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b\n #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]\n #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]\n #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]\n #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6\n #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23296"
        },
        {
          "id": "CVE-2026-23297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().\n\nsyzbot reported memory leak of struct cred. [0]\n\nnfsd_nl_threads_set_doit() passes get_current_cred() to\nnfsd_svc(), but put_cred() is not called after that.\n\nThe cred is finally passed down to _svc_xprt_create(),\nwhich calls get_cred() with the cred for struct svc_xprt.\n\nThe ownership of the refcount by get_current_cred() is not\ntransferred to anywhere and is just leaked.\n\nnfsd_svc() is also called from write_threads(), but it does\nnot bump file->f_cred there.\n\nnfsd_nl_threads_set_doit() is called from sendmsg() and\ncurrent->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_threads_set_doit().\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff888108b89480 (size 184):\n  comm \"syz-executor\", pid 5994, jiffies 4294943386\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 369454a7):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4958 [inline]\n    slab_alloc_node mm/slub.c:5263 [inline]\n    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270\n    prepare_creds+0x22/0x600 kernel/cred.c:185\n    copy_creds+0x44/0x290 kernel/cred.c:286\n    copy_process+0x7a7/0x2870 kernel/fork.c:2086\n    kernel_clone+0xac/0x6e0 kernel/fork.c:2651\n    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23297"
        },
        {
          "id": "CVE-2026-23298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system.  If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23298"
        },
        {
          "id": "CVE-2026-23299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: purge error queues in socket destructors\n\nWhen TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued\ninto sk_error_queue and will stay there until consumed. If userspace never\ngets to read the timestamps, or if the controller is removed unexpectedly,\nthese SKBs will leak.\n\nFix by adding skb_queue_purge() calls for sk_error_queue in affected\nbluetooth destructors. RFCOMM does not currently use sk_error_queue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23299"
        },
        {
          "id": "CVE-2026-23300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n   RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n   No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n   RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n   called. ip6_route_info_create_nh() still promotes it to reject\n   afterward. nhc_pcpu_rth_output is allocated but unused, which is\n   harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n   RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n   called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n   when IPv4 routes reference this nexthop.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23300"
        },
        {
          "id": "CVE-2026-23301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: Add allocation failure check for Entity name\n\nCurrently find_sdca_entity_iot() can allocate a string for the\nEntity name but it doesn't check if that allocation succeeded.\nAdd the missing NULL check after the allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23301",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate data-races around sk->sk_{data_ready,write_space}\n\nskmsg (and probably other layers) are changing these pointers\nwhile other cpus might read them concurrently.\n\nAdd corresponding READ_ONCE()/WRITE_ONCE() annotations\nfor UDP, TCP and AF_UNIX.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23302"
        },
        {
          "id": "CVE-2026-23303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Don't log plaintext credentials in cifs_set_cifscreds\n\nWhen debug logging is enabled, cifs_set_cifscreds() logs the key\npayload and exposes the plaintext username and password. Remove the\ndebug log to avoid exposing credentials.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23303"
        },
        {
          "id": "CVE-2026-23304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()\n\nl3mdev_master_dev_rcu() can return NULL when the slave device is being\nun-slaved from a VRF. All other callers deal with this, but we lost\nthe fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()\nwith commit 4832c30d5458 (\"net: ipv6: put host and anycast routes on\ndevice with address\").\n\n  KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n  RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)\n  Call Trace:\n   ip6_pol_route (net/ipv6/route.c:2318)\n   fib6_rule_lookup (net/ipv6/fib6_rules.c:115)\n   ip6_route_output_flags (net/ipv6/route.c:2607)\n   vrf_process_v6_outbound (drivers/net/vrf.c:437)\n\nI was tempted to rework the un-slaving code to clear the flag first\nand insert synchronize_rcu() before we remove the upper. But looks like\nthe explicit fallback to loopback_dev is an established pattern.\nAnd I guess avoiding the synchronize_rcu() is nice, too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23304"
        },
        {
          "id": "CVE-2026-23305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/rocket: fix unwinding in error path in rocket_probe\n\nWhen rocket_core_init() fails (as could be the case with EPROBE_DEFER),\nwe need to properly unwind by decrementing the counter we just\nincremented and if this is the first core we failed to probe, remove the\nrocket DRM device with rocket_device_fini() as well. This matches the\nlogic in rocket_remove(). Failing to properly unwind results in\nout-of-bounds accesses.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23305"
        },
        {
          "id": "CVE-2026-23306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23306"
        },
        {
          "id": "CVE-2026-23307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message\n\nWhen looking at the data in a USB urb, the actual_length is the size of\nthe buffer passed to the driver, not the transfer_buffer_length which is\nset by the driver as the max size of the buffer.\n\nWhen parsing the messages in ems_usb_read_bulk_callback() properly check\nthe size both at the beginning of parsing the message to make sure it is\nbig enough for the expected structure, and at the end of the message to\nmake sure we don't overflow past the end of the buffer for the next\nmessage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23307"
        },
        {
          "id": "CVE-2026-23308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: equilibrium: fix warning trace on load\n\nThe callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also\ncalled in the callback function 'eqbr_irq_mask_ack()'. This is done to\navoid source code duplication. The problem, is that in the function\n'eqbr_irq_mask()' also calles the gpiolib function 'gpiochip_disable_irq()'\n\nThis generates the following warning trace in the log for every gpio on\nload.\n\n[    6.088111] ------------[ cut here ]------------\n[    6.092440] WARNING: CPU: 3 PID: 1 at drivers/gpio/gpiolib.c:3810 gpiochip_disable_irq+0x39/0x50\n[    6.097847] Modules linked in:\n[    6.097847] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.12.59+ #0\n[    6.097847] Tainted: [W]=WARN\n[    6.097847] RIP: 0010:gpiochip_disable_irq+0x39/0x50\n[    6.097847] Code: 39 c6 48 19 c0 21 c6 48 c1 e6 05 48 03 b2 38 03 00 00 48 81 fe 00 f0 ff ff 77 11 48 8b 46 08 f6 c4 02 74 06 f0 80 66 09 fb c3 <0f> 0b 90 0f 1f 40 00 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40\n[    6.097847] RSP: 0000:ffffc9000000b830 EFLAGS: 00010046\n[    6.097847] RAX: 0000000000000045 RBX: ffff888001be02a0 RCX: 0000000000000008\n[    6.097847] RDX: ffff888001be9000 RSI: ffff888001b2dd00 RDI: ffff888001be02a0\n[    6.097847] RBP: ffffc9000000b860 R08: 0000000000000000 R09: 0000000000000000\n[    6.097847] R10: 0000000000000001 R11: ffff888001b2a154 R12: ffff888001be0514\n[    6.097847] R13: ffff888001be02a0 R14: 0000000000000008 R15: 0000000000000000\n[    6.097847] FS:  0000000000000000(0000) GS:ffff888041d80000(0000) knlGS:0000000000000000\n[    6.097847] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    6.097847] CR2: 0000000000000000 CR3: 0000000003030000 CR4: 00000000001026b0\n[    6.097847] Call Trace:\n[    6.097847]  <TASK>\n[    6.097847]  ? eqbr_irq_mask+0x63/0x70\n[    6.097847]  ? 
no_action+0x10/0x10\n[    6.097847]  eqbr_irq_mask_ack+0x11/0x60\n\nIn an other driver (drivers/pinctrl/starfive/pinctrl-starfive-jh7100.c) the\ninterrupt is not disabled here.\n\nTo fix this, do not call the 'eqbr_irq_mask()' and 'eqbr_irq_ack()'\nfunction. Implement instead this directly without disabling the interrupts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23308"
        },
        {
          "id": "CVE-2026-23309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23309"
        },
        {
          "id": "CVE-2026-23310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded\n\nbond_option_mode_set() already rejects mode changes that would make a\nloaded XDP program incompatible via bond_xdp_check().  However,\nbond_option_xmit_hash_policy_set() has no such guard.\n\nFor 802.3ad and balance-xor modes, bond_xdp_check() returns false when\nxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually\nabsent due to hardware offload.  This means a user can:\n\n1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode\n   with a compatible xmit_hash_policy (e.g. layer2+3).\n2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.\n\nThis leaves bond->xdp_prog set but bond_xdp_check() now returning false\nfor the same device.  When the bond is later destroyed, dev_xdp_uninstall()\ncalls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits\nthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:\n\nWARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))\n\nFix this by rejecting xmit_hash_policy changes to vlan+srcmac when an\nXDP program is loaded on a bond in 802.3ad or balance-xor mode.\n\ncommit 39a0876d595b (\"net, bonding: Disallow vlan+srcmac with XDP\")\nintroduced bond_xdp_check() which returns false for 802.3ad/balance-xor\nmodes when xmit_hash_policy is vlan+srcmac.  The check was wired into\nbond_xdp_set() to reject XDP attachment with an incompatible policy, but\nthe symmetric path -- preventing xmit_hash_policy from being changed to an\nincompatible value after XDP is already loaded -- was left unguarded in\nbond_option_xmit_hash_policy_set().\n\nNote:\ncommit 094ee6017ea0 (\"bonding: check xdp prog when set bond mode\")\nlater added a similar guard to bond_option_mode_set(), but\nbond_option_xmit_hash_policy_set() remained unprotected.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23310"
        },
        {
          "id": "CVE-2026-23311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix invalid wait context in ctx_sched_in()\n\nLockdep found a bug in the event scheduling when a pinned event was\nfailed and wakes up the threads in the ring buffer like below.\n\nIt seems it should not grab a wait-queue lock under perf-context lock.\nLet's do it with irq_work.\n\n  [   39.913691] =============================\n  [   39.914157] [ BUG: Invalid wait context ]\n  [   39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted\n  [   39.915271] -----------------------------\n  [   39.915731] repro/837 is trying to lock:\n  [   39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60\n  [   39.917182] other info that might help us debug this:\n  [   39.917761] context-{5:5}\n  [   39.918079] 4 locks held by repro/837:\n  [   39.918530]  #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0\n  [   39.919612]  #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0\n  [   39.920748]  #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0\n  [   39.921819]  #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23311"
        },
        {
          "id": "CVE-2026-23312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: validate USB endpoints\n\nThe kaweth driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it.  If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23312"
        },
        {
          "id": "CVE-2026-23313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix preempt count leak in napi poll tracepoint\n\nUsing get_cpu() in the tracepoint assignment causes an obvious preempt\ncount leak because nothing invokes put_cpu() to undo it:\n\n  softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101?\n\nThis clearly has seen a lot of testing in the last 3+ years...\n\nUse smp_processor_id() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23313"
        },
        {
          "id": "CVE-2026-23314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio()\n\nIn bq257xx_reg_dt_parse_gpio(), if fails to get subchild, it returns\nwithout calling of_node_put(child), causing the device node reference\nleak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23314"
        },
        {
          "id": "CVE-2026-23315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23315"
        },
        {
          "id": "CVE-2026-23316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix ARM64 alignment fault in multipath hash seed\n\n`struct sysctl_fib_multipath_hash_seed` contains two u32 fields\n(user_seed and mp_seed), making it an 8-byte structure with a 4-byte\nalignment requirement.\n\nIn `fib_multipath_hash_from_keys()`, the code evaluates the entire\nstruct atomically via `READ_ONCE()`:\n\n    mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;\n\nWhile this silently works on GCC by falling back to unaligned regular\nloads which the ARM64 kernel tolerates, it causes a fatal kernel panic\nwhen compiled with Clang and LTO enabled.\n\nCommit e35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire\nwhen CONFIG_LTO=y\") strengthens `READ_ONCE()` to use Load-Acquire\ninstructions (`ldar` / `ldapr`) to prevent compiler reordering bugs\nunder Clang LTO. Since the macro evaluates the full 8-byte struct,\nClang emits a 64-bit `ldar` instruction. ARM64 architecture strictly\nrequires `ldar` to be naturally aligned, thus executing it on a 4-byte\naligned address triggers a strict Alignment Fault (FSC = 0x21).\n\nFix the read side by moving the `READ_ONCE()` directly to the `u32`\nmember, which emits a safe 32-bit `ldar Wn`.\n\nFurthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire\nstruct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis\nshows that Clang splits this 8-byte write into two separate 32-bit\n`str` instructions. While this avoids an alignment fault, it destroys\natomicity and exposes a tear-write vulnerability. Fix this by\nexplicitly splitting the write into two 32-bit `WRITE_ONCE()`\noperations.\n\nFinally, add the missing `READ_ONCE()` when reading `user_seed` in\n`proc_fib_multipath_hash_seed()` to ensure proper pairing and\nconcurrency safety.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23316"
        },
        {
          "id": "CVE-2026-23317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23317"
        },
        {
          "id": "CVE-2026-23318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3.  This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely.  A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23318"
        },
        {
          "id": "CVE-2026-23319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when 'bpf_link_put' reduces the\nrefcount of 'shim_link->link.link' to zero, the resource is considered\nreleased but may still be referenced via 'tr->progs_hlist' in\n'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in\n'bpf_shim_tramp_link_release' is deferred. During this window, another\nprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.\n\nBased on Martin KaFai Lau's suggestions, I have created a simple patch.\n\nTo fix this:\n   Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'.\n   Only increment the refcount if it is not already zero.\n\nTesting:\n   I verified the fix by adding a delay in\n   'bpf_shim_tramp_link_release' to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link->trampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,\n\t\tshim_link->trampoline, NULL));\n\tbpf_trampoline_put(shim_link->trampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM's report.\nAfter the patch, the bug no longer occurs even after millions of\niterations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23319"
        },
        {
          "id": "CVE-2026-23321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n  msk->pm.local_addr_used == 0\n  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n  Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n  RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n  RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n  Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n  RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n  RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n  R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n  R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n  FS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   
genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n   netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n   sock_sendmsg_nosec net/socket.c:727 [inline]\n   __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n   ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n   __sys_sendmsg net/socket.c:2678 [inline]\n   __do_sys_sendmsg net/socket.c:2683 [inline]\n   __se_sys_sendmsg net/socket.c:2681 [inline]\n   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f66346f826d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n  RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n  R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n   </TASK>\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n   linked to the MPTCP endpoint will be sent ('signal' flag), but no\n   subflows are initiated ('subflow' flag)\n - Remove the MPTCP endpoint\n\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23321"
        },
        {
          "id": "CVE-2026-23322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Fix use-after-free and list corruption on sender error\n\nThe analysis from Breno:\n\nWhen the SMI sender returns an error, smi_work() delivers an error\nresponse but then jumps back to restart without cleaning up properly:\n\n1. intf->curr_msg is not cleared, so no new message is pulled\n2. newmsg still points to the message, causing sender() to be called\n   again with the same message\n3. If sender() fails again, deliver_err_response() is called with\n   the same recv_msg that was already queued for delivery\n\nThis causes list_add corruption (\"list_add double add\") because the\nrecv_msg is added to the user_msgs list twice. Subsequently, the\ncorrupted list leads to use-after-free when the memory is freed and\nreused, and eventually a NULL pointer dereference when accessing\nrecv_msg->done.\n\nThe buggy sequence:\n\n  sender() fails\n    -> deliver_err_response(recv_msg)  // recv_msg queued for delivery\n    -> goto restart                    // curr_msg not cleared!\n  sender() fails again (same message!)\n    -> deliver_err_response(recv_msg)  // tries to queue same recv_msg\n    -> LIST CORRUPTION\n\nFix this by freeing the message and setting it to NULL on a send error.\nAlso, always free the newmsg on a send error, otherwise it will leak.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23322"
        },
        {
          "id": "CVE-2026-23323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver\n\nThe recently added macsmc-hwmon driver contained several critical\nbugs in its sensor population logic and float conversion routines.\n\nSpecifically:\n- The voltage sensor population loop used the wrong prefix (\"volt-\"\n  instead of \"voltage-\") and incorrectly assigned sensors to the\n  temperature sensor array (hwmon->temp.sensors) instead of the\n  voltage sensor array (hwmon->volt.sensors). This would lead to\n  out-of-bounds memory access or data corruption when both temperature\n  and voltage sensors were present.\n- The float conversion in macsmc_hwmon_write_f32() had flawed exponent\n  logic for values >= 2^24 and lacked masking for the mantissa, which\n  could lead to incorrect values being written to the SMC.\n\nFix these issues to ensure correct sensor registration and reliable\nmanual fan control.\n\nConfirm that the reported overflow in FIELD_PREP is fixed by declaring\nmacsmc_hwmon_write_f32() as __always_inline for a compile test.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23323",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb that is using the anchor pattern, it needs to be\nanchored before submitting it, otherwise it could be leaked if\nusb_kill_anchored_urbs() is called.  This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23324"
        },
        {
          "id": "CVE-2026-23325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23325"
        },
        {
          "id": "CVE-2026-23326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, which causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, which ensures the list node is reinitialized after removal,\nallowing list_empty() to work correctly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23326"
        },
        {
          "id": "CVE-2026-23327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (i.e. 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n </TASK>\n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23327"
        },
        {
          "id": "CVE-2026-23328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix NULL pointer dereference of mgmt_chann\n\nmgmt_chann may be set to NULL if the firmware returns an unexpected\nerror in aie2_send_mgmt_msg_wait(). This can later lead to a NULL\npointer dereference in aie2_hw_stop().\n\nFix this by introducing a dedicated helper to destroy mgmt_chann\nand by adding proper NULL checks before accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23328"
        },
        {
          "id": "CVE-2026-23329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibie: don't unroll if fwlog isn't supported\n\nThe libie_fwlog_deinit() function can be called during driver unload\neven when firmware logging was never properly initialized. This led to a call\ntrace:\n\n[  148.576156] Oops: Oops: 0000 [#1] SMP NOPTI\n[  148.576167] CPU: 80 UID: 0 PID: 12843 Comm: rmmod Kdump: loaded Not tainted 6.17.0-rc7next-queue-3oct-01915-g06d79d51cf51 #1 PREEMPT(full)\n[  148.576177] Hardware name: HPE ProLiant DL385 Gen10 Plus/ProLiant DL385 Gen10 Plus, BIOS A42 07/18/2020\n[  148.576182] RIP: 0010:__dev_printk+0x16/0x70\n[  148.576196] Code: 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 55 41 54 49 89 d4 55 48 89 fd 53 48 85 f6 74 3c <4c> 8b 6e 50 48 89 f3 4d 85 ed 75 03 4c 8b 2e 48 89 df e8 f3 27 98\n[  148.576204] RSP: 0018:ffffd2fd7ea17a48 EFLAGS: 00010202\n[  148.576211] RAX: ffffd2fd7ea17aa0 RBX: ffff8eb288ae2000 RCX: 0000000000000000\n[  148.576217] RDX: ffffd2fd7ea17a70 RSI: 00000000000000c8 RDI: ffffffffb68d3d88\n[  148.576222] RBP: ffffffffb68d3d88 R08: 0000000000000000 R09: 0000000000000000\n[  148.576227] R10: 00000000000000c8 R11: ffff8eb2b1a49400 R12: ffffd2fd7ea17a70\n[  148.576231] R13: ffff8eb3141fb000 R14: ffffffffc1215b48 R15: ffffffffc1215bd8\n[  148.576236] FS:  00007f5666ba6740(0000) GS:ffff8eb2472b9000(0000) knlGS:0000000000000000\n[  148.576242] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  148.576247] CR2: 0000000000000118 CR3: 000000011ad17000 CR4: 0000000000350ef0\n[  148.576252] Call Trace:\n[  148.576258]  <TASK>\n[  148.576269]  _dev_warn+0x7c/0x96\n[  148.576290]  libie_fwlog_deinit+0x112/0x117 [libie_fwlog]\n[  148.576303]  ixgbe_remove+0x63/0x290 [ixgbe]\n[  148.576342]  pci_device_remove+0x42/0xb0\n[  148.576354]  device_release_driver_internal+0x19c/0x200\n[  148.576365]  driver_detach+0x48/0x90\n[  148.576372]  bus_remove_driver+0x6d/0xf0\n[  148.576383]  pci_unregister_driver+0x2e/0xb0\n[  148.576393]  ixgbe_exit_module+0x1c/0xd50 [ixgbe]\n[  148.576430]  __do_sys_delete_module.isra.0+0x1bc/0x2e0\n[  148.576446]  do_syscall_64+0x7f/0x980\n\nIt can be reproduced by trying to unload the ixgbe driver in recovery mode.\n\nFix that by checking if fwlog is supported before doing unroll.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23329"
        },
        {
          "id": "CVE-2026-23330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: complete pending data exchange on device close\n\nIn nci_close_device(), complete any pending data exchange before\nclosing. The data exchange callback (e.g.\nrawsock_data_exchange_complete) holds a socket reference.\n\nNIPA occasionally hits this leak:\n\nunreferenced object 0xff1100000f435000 (size 2048):\n  comm \"nci_dev\", pid 3954, jiffies 4295441245\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............\n  backtrace (crc ec2b3c5):\n    __kmalloc_noprof+0x4db/0x730\n    sk_prot_alloc.isra.0+0xe4/0x1d0\n    sk_alloc+0x36/0x760\n    rawsock_create+0xd1/0x540\n    nfc_sock_create+0x11f/0x280\n    __sock_create+0x22d/0x630\n    __sys_socket+0x115/0x1d0\n    __x64_sys_socket+0x72/0xd0\n    do_syscall_64+0x117/0xfc0\n    entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23330"
        },
        {
          "id": "CVE-2026-23331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.\n\nLet's say we bind() a UDP socket to the wildcard address with a\nnon-zero port, connect() it to an address, and disconnect it from\nthe address.\n\nbind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not\nSOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put\nthe socket into the 4-tuple hash table.\n\nThen, __udp_disconnect() calls sk->sk_prot->rehash(sk).\n\nIt computes a new hash based on the wildcard address and moves\nthe socket to a new slot in the 4-tuple hash table, leaving\ngarbage in the chain that no packet hits.\n\nLet's remove such a socket from the 4-tuple hash table when disconnected.\n\nNote that udp_sk(sk)->udp_portaddr_hash needs to be updated after\nudp_hash4_dec(hslot2) in udp_unhash4().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23331"
        },
        {
          "id": "CVE-2026-23332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix crash during turbo disable\n\nWhen the system is booted with kernel command line argument \"nosmt\" or\n\"maxcpus\" to limit the number of CPUs, disabling turbo via:\n\n echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo\n\nresults in a crash:\n\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n ...\n RIP: 0010:store_no_turbo+0x100/0x1f0\n ...\n\nThis occurs because for_each_possible_cpu() returns CPUs even if they\nare not online. For those CPUs, all_cpu_data[] will be NULL. Since\ncommit 973207ae3d7c (\"cpufreq: intel_pstate: Rearrange max frequency\nupdates handling code\"), all_cpu_data[] is dereferenced even for CPUs\nwhich are not online, causing the NULL pointer dereference.\n\nTo fix that, pass CPU number to intel_pstate_update_max_freq() and use\nall_cpu_data[] for those CPUs for which there is a valid cpufreq policy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23332"
        },
        {
          "id": "CVE-2026-23334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: f81604: handle short interrupt urb messages properly\n\nIf an interrupt urb is received that is not the correct length, properly\ndetect it and don't attempt to treat the data as valid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23334"
        },
        {
          "id": "CVE-2026-23335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp {  // 8 bytes, no padding\n    __u32 ah_id;               // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)\n    __u8  rsvd[4];             // offset 4 - NEVER SET <- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23335"
        },
        {
          "id": "CVE-2026-23336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()\n\nThere is a use-after-free error in cfg80211_shutdown_all_interfaces found\nby syzkaller:\n\nBUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220\nRead of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: events cfg80211_rfkill_block_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThe problem arises because the rfkill_block work is not cancelled when the wiphy\nis being unregistered. In order to fix the issue, cancel the corresponding\nwork in wiphy_unregister().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23336"
        },
        {
          "id": "CVE-2026-23337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: pinconf-generic: Fix memory leak in pinconf_generic_parse_dt_config()\n\nIn pinconf_generic_parse_dt_config(), if parse_dt_cfg() fails, it returns\ndirectly. This bypasses the cleanup logic and results in a memory leak of\nthe cfg buffer.\n\nFix this by jumping to the out label on failure, ensuring kfree(cfg) is\ncalled before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23337",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Do not allow userspace to trivially trigger kernel warnings\n\nUserspace can either deliberately pass in a too small num_fences, or the\nrequired number can legitimately grow between the two calls to the userq\nwait ioctl. In both cases we do not want to emit the kernel warning\nbacktrace since nothing is wrong with the kernel and userspace will simply\nget an errno reported back. So let's simply drop the WARN_ONs.\n\n(cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23338"
        },
        {
          "id": "CVE-2026-23339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free skb on nci_transceive early error paths\n\nnci_transceive() takes ownership of the skb passed by the caller,\nbut the -EPROTO, -EINVAL, and -EBUSY error paths return without\nfreeing it.\n\nDue to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes\nthe nci/nci_dev selftest hits the error path occasionally in NIPA,\nand kmemleak detects leaks:\n\nunreferenced object 0xff11000015ce6a40 (size 640):\n  comm \"nci_dev\", pid 3954, jiffies 4295441246\n  hex dump (first 32 bytes):\n    6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b  kkkk.......kkkkk\n    6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n  backtrace (crc 7c40cc2a):\n    kmem_cache_alloc_node_noprof+0x492/0x630\n    __alloc_skb+0x11e/0x5f0\n    alloc_skb_with_frags+0xc6/0x8f0\n    sock_alloc_send_pskb+0x326/0x3f0\n    nfc_alloc_send_skb+0x94/0x1d0\n    rawsock_sendmsg+0x162/0x4c0\n    do_syscall_64+0x117/0xfc0",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23339"
        },
        {
          "id": "CVE-2026-23340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs\n\nWhen shrinking the number of real tx queues,\nnetif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush\nqdiscs for queues which will no longer be used.\n\nqdisc_reset_all_tx_gt() currently serializes qdisc_reset() with\nqdisc_lock(). However, for lockless qdiscs, the dequeue path is\nserialized by qdisc_run_begin/end() using qdisc->seqlock instead, so\nqdisc_reset() can run concurrently with __qdisc_run() and free skbs\nwhile they are still being dequeued, leading to UAF.\n\nThis can easily be reproduced on e.g. virtio-net by imposing heavy\ntraffic while frequently changing the number of queue pairs:\n\n  iperf3 -ub0 -c $peer -t 0 &\n  while :; do\n    ethtool -L eth0 combined 1\n    ethtool -L eth0 combined 2\n  done\n\nWith KASAN enabled, this leads to reports like:\n\n  BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760\n  ...\n  Call Trace:\n   <TASK>\n   ...\n   __qdisc_run+0x133f/0x1760\n   __dev_queue_xmit+0x248f/0x3550\n   ip_finish_output2+0xa42/0x2110\n   ip_output+0x1a7/0x410\n   ip_send_skb+0x2e6/0x480\n   udp_send_skb+0xb0a/0x1590\n   udp_sendmsg+0x13c9/0x1fc0\n   ...\n   </TASK>\n\n  Allocated by task 1270 on cpu 5 at 44.558414s:\n   ...\n   alloc_skb_with_frags+0x84/0x7c0\n   sock_alloc_send_pskb+0x69a/0x830\n   __ip_append_data+0x1b86/0x48c0\n   ip_make_skb+0x1e8/0x2b0\n   udp_sendmsg+0x13a6/0x1fc0\n   ...\n\n  Freed by task 1306 on cpu 3 at 44.558445s:\n   ...\n   kmem_cache_free+0x117/0x5e0\n   pfifo_fast_reset+0x14d/0x580\n   qdisc_reset+0x9e/0x5f0\n   netif_set_real_num_tx_queues+0x303/0x840\n   virtnet_set_channels+0x1bf/0x260 [virtio_net]\n   ethnl_set_channels+0x684/0xae0\n   ethnl_default_set_doit+0x31a/0x890\n   ...\n\nSerialize qdisc_reset_all_tx_gt() against the lockless dequeue path by\ntaking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the\nserialization model already used by dev_reset_queue().\n\nAdditionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state\nreflects an empty queue, avoiding needless re-scheduling.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23340"
        },
        {
          "id": "CVE-2026-23341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix crash when destroying a suspended hardware context\n\nIf userspace issues an ioctl to destroy a hardware context that has\nalready been automatically suspended, the driver may crash because the\nmailbox channel pointer is NULL for the suspended context.\n\nFix this by checking the mailbox channel pointer in aie2_destroy_context()\nbefore accessing it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23341",
          "detail": "fixed-version",
          "description": "only affects 6.19.4 onwards"
        },
        {
          "id": "CVE-2026-23342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in cpumap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed\nconcurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __cpu_map_flush() run\natomically with respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_flush_to_queue(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double __list_del_clearprev(): after bq->count is reset in\n   bq_flush_to_queue(), a preempting task can call bq_enqueue() ->\n   bq_flush_to_queue() on the same bq when bq->count reaches\n   CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()\n   on the same bq->flush_node, the second call dereferences the\n   prev pointer that was already set to NULL by the first.\n\n2. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt\n   the packet queue while bq_flush_to_queue() is processing it.\n\nThe race between task A (__cpu_map_flush -> bq_flush_to_queue) and\ntask B (bq_enqueue -> bq_flush_to_queue) on the same CPU:\n\n  Task A (xdp_do_flush)          Task B (cpu_map_enqueue)\n  ----------------------         ------------------------\n  bq_flush_to_queue(bq)\n    spin_lock(&q->producer_lock)\n    /* flush bq->q[] to ptr_ring */\n    bq->count = 0\n    spin_unlock(&q->producer_lock)\n                                   bq_enqueue(rcpu, xdpf)\n    <-- CFS preempts Task A -->      bq->q[bq->count++] = xdpf\n                                     /* ... more enqueues until full ... */\n                                     bq_flush_to_queue(bq)\n                                       spin_lock(&q->producer_lock)\n                                       /* flush to ptr_ring */\n                                       spin_unlock(&q->producer_lock)\n                                       __list_del_clearprev(flush_node)\n                                         /* sets flush_node.prev = NULL */\n    <-- Task A resumes -->\n    __list_del_clearprev(flush_node)\n      flush_node.prev->next = ...\n      /* prev is NULL -> kernel oops */\n\nFix this by adding a local_lock_t to xdp_bulk_queue and acquiring it\nin bq_enqueue() and __cpu_map_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.\n\nTo reproduce, insert an mdelay(100) between bq->count = 0 and\n__list_del_clearprev() in bq_flush_to_queue(), then run the reproducer\nprovided by syzkaller.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23342"
        },
        {
          "id": "CVE-2026-23343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: produce a warning when calculated tailroom is negative\n\nMany ethernet drivers report xdp Rx queue frag size as being the same as\nDMA write size. However, the only user of this field, namely\nbpf_xdp_frags_increase_tail(), clearly expects a truesize.\n\nSuch difference leads to unspecific memory corruption issues under certain\ncircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when\nrunning xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, a 6K packet fully uses\nall DMA-writable space in 2 buffers. This would be fine, if only\nrxq->frag_size was properly set to 4K, but a value of 3K results in a\nnegative tailroom, because there is a non-zero page offset.\n\nWe are supposed to return -EINVAL and be done with it in such a case, but due\nto tailroom being stored as an unsigned int, it is reported to be somewhere\nnear UINT_MAX, resulting in a tail being grown, even if the requested\noffset is too much (it is around 2K in the abovementioned test). This later\nleads to all kinds of unspecific calltraces.\n\n[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6\n[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4\n[ 7340.338179]  in libc.so.6[61c9d,7f4161aaf000+160000]\n[ 7340.339230]  in xskxceiver[42b5,400000+69000]\n[ 7340.340300]  likely on CPU 6 (core 0, socket 6)\n[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe\n[ 7340.340888]  likely on CPU 3 (core 0, socket 3)\n[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7\n[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI\n[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)\n[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80\n[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89\n[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202\n[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010\n[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff\n[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0\n[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0\n[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500\n[ 7340.418229] FS:  0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000\n[ 7340.419489] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0\n[ 7340.421237] PKRU: 55555554\n[ 7340.421623] Call Trace:\n[ 7340.421987]  <TASK>\n[ 7340.422309]  ? softleaf_from_pte+0x77/0xa0\n[ 7340.422855]  swap_pte_batch+0xa7/0x290\n[ 7340.423363]  zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270\n[ 7340.424102]  zap_pte_range+0x281/0x580\n[ 7340.424607]  zap_pmd_range.isra.0+0xc9/0x240\n[ 7340.425177]  unmap_page_range+0x24d/0x420\n[ 7340.425714]  unmap_vmas+0xa1/0x180\n[ 7340.426185]  exit_mmap+0xe1/0x3b0\n[ 7340.426644]  __mmput+0x41/0x150\n[ 7340.427098]  exit_mm+0xb1/0x110\n[ 7340.427539]  do_exit+0x1b2/0x460\n[ 7340.427992]  do_group_exit+0x2d/0xc0\n[ 7340.428477]  get_signal+0x79d/0x7e0\n[ 7340.428957]  arch_do_signal_or_restart+0x34/0x100\n[ 7340.429571]  exit_to_user_mode_loop+0x8e/0x4c0\n[ 7340.430159]  do_syscall_64+0x188/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23343"
        },
        {
          "id": "CVE-2026-23344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix use-after-free on error path\n\nIn the error path of sev_tsm_init_locked(), the code dereferences 't'\nafter it has been freed with kfree(). The pr_err() statement attempts\nto access t->tio_en and t->tio_init_done after the memory has been\nreleased.\n\nMove the pr_err() call before kfree(t) to access the fields while the\nmemory is still valid.\n\nThis issue was reported by the Smatch static analyser.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23344",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled\n\nWhen FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the\nshareability attribute with bits 50-51 of the output address. The\n_PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this\nmatches the other _PAGE_* definitions) but using this macro directly\nleads to the following panic when enabling GCS on a system/model with\nLPA2:\n\n  Unable to handle kernel paging request at virtual address fffff1ffc32d8008\n  Mem abort info:\n    ESR = 0x0000000096000004\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000\n  [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000\n  Internal error: Oops: 0000000096000004 [#1]  SMP\n  CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G   M                7.0.0-rc1 #1 PREEMPT\n  Tainted: [M]=MACHINE_CHECK\n  Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025\n  pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n  pc : zap_huge_pmd+0x168/0x468\n  lr : zap_huge_pmd+0x2c/0x468\n  sp : ffff800080beb660\n  x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898\n  x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41\n  x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000\n  x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007\n  x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000\n  x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff\n  x8 : 0000ffff8de00000 x7 
: 0000ffff8da00000 x6 : fff00000c2bc6370\n  x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000\n  x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600\n  Call trace:\n   zap_huge_pmd+0x168/0x468 (P)\n   unmap_page_range+0xd70/0x1560\n   unmap_single_vma+0x48/0x80\n   unmap_vmas+0x90/0x180\n   unmap_region+0x88/0xe4\n   vms_complete_munmap_vmas+0xf8/0x1e0\n   do_vmi_align_munmap+0x158/0x180\n   do_vmi_munmap+0xac/0x160\n   __vm_munmap+0xb0/0x138\n   vm_munmap+0x14/0x20\n   gcs_free+0x70/0x80\n   mm_release+0x1c/0xc8\n   exit_mm_release+0x28/0x38\n   do_exit+0x190/0x8ec\n   do_group_exit+0x34/0x90\n   get_signal+0x794/0x858\n   arch_do_signal_or_restart+0x11c/0x3e0\n   exit_to_user_mode_loop+0x10c/0x17c\n   el0_da+0x8c/0x9c\n   el0t_64_sync_handler+0xd0/0xf0\n   el0t_64_sync+0x198/0x19c\n  Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420)\n\nSimilarly to how the kernel handles protection_map[], use a\ngcs_page_prot variable to store the protection bits and clear PTE_SHARED\nif LPA2 is enabled.\n\nAlso remove the unused PAGE_GCS{,_RO} macros.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23345"
        },
        {
          "id": "CVE-2026-23346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: io: Extract user memory type in ioremap_prot()\n\nThe only caller of ioremap_prot() outside of the generic ioremap()\nimplementation is generic_access_phys(), which passes a 'pgprot_t' value\ndetermined from the user mapping of the target 'pfn' being accessed by\nthe kernel. On arm64, the 'pgprot_t' contains all of the non-address\nbits from the pte, including the permission controls, and so we end up\nreturning a new user mapping from ioremap_prot() which faults when\naccessed from the kernel on systems with PAN:\n\n  | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000\n  | ...\n  | Call trace:\n  |   __memcpy_fromio+0x80/0xf8\n  |   generic_access_phys+0x20c/0x2b8\n  |   __access_remote_vm+0x46c/0x5b8\n  |   access_remote_vm+0x18/0x30\n  |   environ_read+0x238/0x3e8\n  |   vfs_read+0xe4/0x2b0\n  |   ksys_read+0xcc/0x178\n  |   __arm64_sys_read+0x4c/0x68\n\nExtract only the memory type from the user 'pgprot_t' in ioremap_prot()\nand assert that we're being passed a user mapping, to protect us against\nany changes in future that may require additional handling. To avoid\nfalsely flagging users of ioremap(), provide our own ioremap() macro\nwhich simply wraps __ioremap_prot().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23346"
        },
        {
          "id": "CVE-2026-23347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: f81604: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb that is using the anchor pattern, it needs to be\nanchored before submitting it, otherwise it could be leaked if\nusb_kill_anchored_urbs() is called.  This logic is correctly done\nelsewhere in the driver, except in the read bulk callback, so do that\nhere also.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23347"
        },
        {
          "id": "CVE-2026-23348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\n\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev->parent that points to &nvdimm_bus->dev.\n\n[  192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[  192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[  192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[  192.899459] RIP: 0010:kobject_get+0xc/0x90\n[  192.924871] Call Trace:\n[  192.925959]  <TASK>\n[  192.926976]  ? pm_runtime_init+0xb9/0xe0\n[  192.929712]  __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[  192.933314]  __nvdimm_create+0x206/0x290 [libnvdimm]\n[  192.936662]  cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[  192.940245]  cxl_bus_probe+0x1a/0x60 [cxl_core]\n[  192.943349]  really_probe+0xde/0x380\n\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\n   driver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\n   cxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in\n   devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. 
Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\n   will exit with -EBUSY.\n\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23348"
        },
        {
          "id": "CVE-2026-23349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: pidff: Fix condition effect bit clearing\n\nAs reported by MPDarkGuy on discord, NULL pointer dereferences were\nhappening because not all the conditional effects bits were cleared.\n\nProperly clear all conditional effect bits from ffbit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23349"
        },
        {
          "id": "CVE-2026-23350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/queue: Call fini on exec queue creation fail\n\nEvery call to queue init should have a corresponding fini call.\nSkipping this would mean skipping removal of the queue from GuC list\n(which is part of guc_id allocation). A damaged queue stored in\nexec_queue_lookup list would lead to invalid memory reference,\nsooner or later.\n\nCall fini to free guc_id. This must be done before any internal\nLRCs are freed.\n\nSince the finalization with this extra call became very similar to\n__xe_exec_queue_fini(), reuse that. To make this reuse possible,\nalter xe_lrc_put() so it can survive NULL parameters, like other\nsimilar functions.\n\nv2: Reuse _xe_exec_queue_fini(). Make xe_lrc_put() aware of NULLs.\n\n(cherry picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23350",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n  Under a large number of expired elements, commit-time GC can run for a very\n  long time in a non-preemptible context, triggering soft lockup warnings and\n  RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free'd element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis is a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23351"
        },
        {
          "id": "CVE-2026-23352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efi: defer freeing of boot services memory\n\nefi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE\nand EFI_BOOT_SERVICES_DATA using memblock_free_late().\n\nThere are two issues with that: memblock_free_late() should be used for\nmemory allocated with memblock_alloc() while the memory reserved with\nmemblock_reserve() should be freed with free_reserved_area().\n\nMore acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y\nefi_free_boot_services() is called before deferred initialization of the\nmemory map is complete.\n\nBenjamin Herrenschmidt reports that this causes a leak of ~140MB of\nRAM on EC2 t3a.nano instances which only have 512MB of RAM.\n\nIf the freed memory resides in areas whose memory map is\nstill uninitialized, it won't actually be freed because\nmemblock_free_late() calls memblock_free_pages() and the latter skips\nuninitialized pages.\n\nUsing free_reserved_area() at this point is also problematic because\n__free_page() accesses the buddy of the freed page and that again might\nend up in an uninitialized part of the memory map.\n\nDelaying the entire efi_free_boot_services() could be problematic\nbecause in addition to freeing boot services memory it updates\nefi.memmap without any synchronization and that's undesirable late in\nboot when there is concurrency.\n\nA more robust approach is to only defer freeing of the EFI boot services\nmemory.\n\nSplit efi_free_boot_services() in two. First efi_unmap_boot_services()\ncollects ranges that should be freed into an array, then\nefi_free_boot_services() later frees them after deferred init is complete.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23352"
        },
        {
          "id": "CVE-2026-23353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS:  00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ice_vsi_cfg_rxq+0xca/0x460 [ice]\n  ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n  ice_loopback_test+0xa9/0x520 [ice]\n  ice_self_test+0x1b9/0x280 [ice]\n  ethtool_self_test+0xe5/0x200\n  __dev_ethtool+0x1106/0x1a90\n  dev_ethtool+0xbe/0x1a0\n  dev_ioctl+0x258/0x4c0\n  sock_do_ioctl+0xe3/0x130\n  __x64_sys_ioctl+0xb9/0x100\n  do_syscall_64+0x7c/0x700\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like 
normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23353",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Correct speculative safety in fred_extint()\n\narray_index_nospec() is no use if the result gets spilled to the stack, as\nit makes the believed safe-under-speculation value subject to memory\npredictions.\n\nFor all practical purposes, this means array_index_nospec() must be used in\nthe expression that accesses the array.\n\nAs the code currently stands, it's the wrong side of irqentry_enter(), and\n'index' is put into %ebp across the function call.\n\nRemove the index variable and reposition array_index_nospec(), so it's\ncalculated immediately before the array access.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23354"
        },
        {
          "id": "CVE-2026-23355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata: cancel pending work after clearing deferred_qc\n\nSyzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by\nap->ops->qc_defer() returning non-zero before issuing the deferred qc.\n\nata_scsi_schedule_deferred_qc() is called during each command completion.\nThis function will check if there is a deferred QC, and if\nap->ops->qc_defer() returns zero, meaning that it is possible to queue the\ndeferred qc at this time (without being deferred), then it will queue the\nwork which will issue the deferred qc.\n\nOnce the work gets to run, which can potentially be a very long time after\nthe work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns\nnon-zero.\n\nWhile we hold the ap->lock both when assigning and clearing deferred_qc,\nand the work itself holds the ap->lock, the code currently does not cancel\nthe work after clearing the deferred qc.\n\nThis means that the following scenario can happen:\n1) One or several NCQ commands are queued.\n2) A non-NCQ command is queued, gets stored in ap->deferred_qc.\n3) Last NCQ command gets completed, work is queued to issue the deferred\n   qc.\n4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is\n   currently NOT canceled.\n5) Port is reset.\n6) One or several NCQ commands are queued.\n7) A non-NCQ command is queued, gets stored in ap->deferred_qc.\n8) Work is finally run. Yet at this time, there are still NCQ commands in\nflight.\n\nThe work in 8) really belongs to the non-NCQ command in 2), not to the\nnon-NCQ command in 7). The reason why the work is executed when it is not\nsupposed to, is because it was never canceled when ap->deferred_qc was\ncleared in 4). Thus, ensure that we always cancel the work after clearing\nap->deferred_qc.\n\nAnother potential fix would have been to let ata_scsi_deferred_qc_work() do\nnothing if ap->ops->qc_defer() returns non-zero. However, canceling the\nwork when clearing ap->deferred_qc seems slightly more logical, as we hold\nthe ap->lock when clearing ap->deferred_qc, so we know that the work cannot\nbe holding the lock. (The function could be waiting for the lock, but that\nis okay since it will do nothing if ap->deferred_qc is not set.)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23355",
          "detail": "fixed-version",
          "description": "only affects 6.18.14 onwards"
        },
        {
          "id": "CVE-2026-23356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: fix \"LOGIC BUG\" in drbd_al_begin_io_nonblock()\n\nEven though we check that we \"should\" be able to do lc_get_cumulative()\nwhile holding the device->al_lock spinlock, it may still fail,\nif some other code path decided to do lc_try_lock() with bad timing.\n\nIf that happened, we logged \"LOGIC BUG for enr=...\",\nbut still did not return an error.\n\nThe rest of the code now assumed that this request has references\nfor the relevant activity log extents.\n\nThe implications are that during an active resync, mutual exclusivity of\nresync versus application IO is not guaranteed. And a potential crash\nat this point may not realize that these extents could have been the target\nof in-flight IO and would need to be resynced just in case.\n\nAlso, once the request completes, it will give up activity log references it\ndoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().\n\nFix:\n\nDo not crash the kernel for a condition that is harmless during normal\noperation: also catch \"e->refcnt == 0\", not only \"e == NULL\"\nwhen being noisy about \"al_complete_io() called on inactive extent %u\\n\".\n\nAnd do not try to be smart and \"guess\" whether something will work, then\nbe surprised when it does not.\nDeal with the fact that it may or may not work.  If it does not, remember a\npossible \"partially in activity log\" state (only possible for requests that\ncross extent boundaries), and return an error code from\ndrbd_al_begin_io_nonblock().\n\nA later call for the same request will then resume from where we left off.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23356"
        },
        {
          "id": "CVE-2026-23357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix deadlock in error path of mcp251x_open\n\nThe mcp251x_open() function calls free_irq() in its error path with the\nmpc_lock mutex held. But if an interrupt already occurred, the\ninterrupt handler will be waiting for the mpc_lock and free_irq() will\ndeadlock waiting for the handler to finish.\n\nThis issue is similar to the one fixed in commit 7dd9c26bd6cf (\"can:\nmcp251x: fix deadlock if an interrupt occurs during mcp251x_open\") but\nfor the error path.\n\nTo solve this issue, move the call to free_irq() after the lock is\nreleased. Setting `priv->force_quit = 1` beforehand ensures that the IRQ\nhandler will exit right away once it has acquired the lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23357"
        },
        {
          "id": "CVE-2026-23358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix error handling in slot reset\n\nIf the device has not recovered after slot reset is called, it goes to\nout label for error handling. There it could make decision based on\nuninitialized hive pointer and could result in accessing an uninitialized\nlist.\n\nInitialize the list and hive properly so that it handles the error\nsituation and also releases the reset domain lock which is acquired\nduring error_detected callback.\n\n(cherry picked from commit bb71362182e59caa227e4192da5a612b09349696)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23358"
        },
        {
          "id": "CVE-2026-23359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23359"
        },
        {
          "id": "CVE-2026-23360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin queue leak on controller reset\n\nWhen nvme_alloc_admin_tag_set() is called during a controller reset,\na previous admin queue may still exist. Release it properly before\nallocating a new one to avoid orphaning the old queue.\n\nThis fixes a regression introduced by commit 03b3bcd319b3 (\"nvme: fix\nadmin request_queue lifetime\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23360"
        },
        {
          "id": "CVE-2026-23361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry\n\nEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X\ninterrupt to the host using a writel(), which generates a PCI posted write\ntransaction.  There's no completion for posted writes, so the writel() may\nreturn before the PCI write completes.  dw_pcie_ep_raise_msix_irq() also\nunmaps the outbound ATU entry used for the PCI write, so the write races\nwith the unmap.\n\nIf the PCI write loses the race with the ATU unmap, the write may corrupt\nhost memory or cause IOMMU errors, e.g., these when running fio with a\nlarger queue depth against nvmet-pci-epf:\n\n  arm-smmu-v3 fc900000.iommu:      0x0000010000000010\n  arm-smmu-v3 fc900000.iommu:      0x0000020000000000\n  arm-smmu-v3 fc900000.iommu:      0x000000090000f040\n  arm-smmu-v3 fc900000.iommu:      0x0000000000000000\n  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0\n  arm-smmu-v3 fc900000.iommu: unpriv data write s1 \"Input address caused fault\" stag: 0x0\n\nFlush the write by performing a readl() of the same address to ensure that\nthe write has reached the destination before the ATU entry is unmapped.\n\nThe same problem was solved for dw_pcie_ep_raise_msi_irq() in commit\n8719c64e76bf (\"PCI: dwc: ep: Cache MSI outbound iATU mapping\"), but there\nit was solved by dedicating an outbound iATU only for MSI. We can't do the\nsame for MSI-X because each vector can have a different msg_addr and the\nmsg_addr may be changed while the vector is masked.\n\n[bhelgaas: commit log]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23361"
        },
        {
          "id": "CVE-2026-23362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: fix locking for bcm_op runtime updates\n\nCommit c2aba69d0c36 (\"can: bcm: add locking for bcm_op runtime updates\")\nadded locking for some variables that can be modified at runtime when\nupdating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().\n\nUsually the RX_SETUP only handles and filters incoming traffic with one\nexception: When the RX_RTR_FRAME flag is set, a predefined CAN frame is\nsent when a specific RTR frame is received. Therefore the rx bcm_op uses\nbcm_can_tx(), which uses the bcm_tx_lock that was only initialized in\nbcm_tx_setup(). Add the missing spin_lock_init() when allocating the\nbcm_op in bcm_rx_setup() to handle the RTR case properly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23362"
        },
        {
          "id": "CVE-2026-23363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7925_mac_write_txwi_80211 in order to avoid a possible oob access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23363"
        },
        {
          "id": "CVE-2026-23364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Compare MACs in constant time\n\nTo prevent timing attacks, MAC comparisons need to be constant-time.\nReplace the memcmp() with the correct function, crypto_memneq().",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23364"
        },
        {
          "id": "CVE-2026-23365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kalmia: validate USB endpoints\n\nThe kalmia driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it.  If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23365"
        },
        {
          "id": "CVE-2026-23366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Do not destroy NULL modes\n\n'modes' in drm_client_modeset_probe may fail to kcalloc.  If this\noccurs, we jump to 'out', calling modes_destroy on it, which\ndereferences it.  This may result in a NULL pointer dereference in the\nerror case.  Prevent that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23366"
        },
        {
          "id": "CVE-2026-23367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23367"
        },
        {
          "id": "CVE-2026-23368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc             <-- Trying to get lock \"triggers_list_lock\" via down_write(&triggers_list_lock);\n[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0\n[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0\n[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78\n[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654                       <-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [<80014504>] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168      <-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360                 <-- Hold lock \"triggers_list_lock\" by down_read(&triggers_list_lock);\n[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4\n[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c\n[ 1362.232164] [<80014504>] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don't hold RTNL, so solving the AB-BA deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23368"
        },
        {
          "id": "CVE-2026-23369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Revert \"i2c: i801: replace acpi_lock with I2C bus lock\"\n\nThis reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1.\n\nUnder rare circumstances, multiple udev threads can collect i801 device\ninfo on boot and walk i801_acpi_io_handler somewhat concurrently. The\nfirst will note the area is reserved by acpi to prevent further touches.\nThis ultimately causes the area to be deregistered. The second will\nenter i801_acpi_io_handler after the area is unregistered but before a\ncheck can be made that the area is unregistered. i2c_lock_bus relies on\nthe now unregistered area containing lock_ops to lock the bus. The end\nresult is a kernel panic on boot with the following backtrace;\n\n[   14.971872] ioatdma 0000:09:00.2: enabling device (0100 -> 0102)\n[   14.971873] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   14.971880] #PF: supervisor read access in kernel mode\n[   14.971884] #PF: error_code(0x0000) - not-present page\n[   14.971887] PGD 0 P4D 0\n[   14.971894] Oops: 0000 [#1] PREEMPT SMP PTI\n[   14.971900] CPU: 5 PID: 956 Comm: systemd-udevd Not tainted 5.14.0-611.5.1.el9_7.x86_64 #1\n[   14.971905] Hardware name: XXXXXXXXXXXXXXXXXXXXXXX BIOS 1.20.10.SV91 01/30/2023\n[   14.971908] RIP: 0010:i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[   14.971929] Code: 00 00 49 8b 40 20 41 57 41 56 4d 8b b8 30 04 00 00 49 89 ce 41 55 41 89 d5 41 54 49 89 f4 be 02 00 00 00 55 4c 89 c5 53 89 fb <48> 8b 00 4c 89 c7 e8 18 61 54 e9 80 bd 80 04 00 00 00 75 09 4c 3b\n[   14.971933] RSP: 0018:ffffbaa841483838 EFLAGS: 00010282\n[   14.971938] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9685e01ba568\n[   14.971941] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000000\n[   14.971944] RBP: ffff9685ca22f028 R08: ffff9685ca22f028 R09: ffff9685ca22f028\n[   14.971948] R10: 000000000000000b R11: 0000000000000580 R12: 0000000000000580\n[   14.971951] R13: 0000000000000008 R14: ffff9685e01ba568 R15: ffff9685c222f000\n[   14.971954] FS:  00007f8287c0ab40(0000) GS:ffff96a47f940000(0000) knlGS:0000000000000000\n[   14.971959] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   14.971963] CR2: 0000000000000000 CR3: 0000000168090001 CR4: 00000000003706f0\n[   14.971966] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   14.971968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   14.971972] Call Trace:\n[   14.971977]  <TASK>\n[   14.971981]  ? show_trace_log_lvl+0x1c4/0x2df\n[   14.971994]  ? show_trace_log_lvl+0x1c4/0x2df\n[   14.972003]  ? acpi_ev_address_space_dispatch+0x16e/0x3c0\n[   14.972014]  ? __die_body.cold+0x8/0xd\n[   14.972021]  ? page_fault_oops+0x132/0x170\n[   14.972028]  ? exc_page_fault+0x61/0x150\n[   14.972036]  ? asm_exc_page_fault+0x22/0x30\n[   14.972045]  ? i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[   14.972061]  acpi_ev_address_space_dispatch+0x16e/0x3c0\n[   14.972069]  ? __pfx_i801_acpi_io_handler+0x10/0x10 [i2c_i801]\n[   14.972085]  acpi_ex_access_region+0x5b/0xd0\n[   14.972093]  acpi_ex_field_datum_io+0x73/0x2e0\n[   14.972100]  acpi_ex_read_data_from_field+0x8e/0x230\n[   14.972106]  acpi_ex_resolve_node_to_value+0x23d/0x310\n[   14.972114]  acpi_ds_evaluate_name_path+0xad/0x110\n[   14.972121]  acpi_ds_exec_end_op+0x321/0x510\n[   14.972127]  acpi_ps_parse_loop+0xf7/0x680\n[   14.972136]  acpi_ps_parse_aml+0x17a/0x3d0\n[   14.972143]  acpi_ps_execute_method+0x137/0x270\n[   14.972150]  acpi_ns_evaluate+0x1f4/0x2e0\n[   14.972158]  acpi_evaluate_object+0x134/0x2f0\n[   14.972164]  acpi_evaluate_integer+0x50/0xe0\n[   14.972173]  ? vsnprintf+0x24b/0x570\n[   14.972181]  acpi_ac_get_state.part.0+0x23/0x70\n[   14.972189]  get_ac_property+0x4e/0x60\n[   14.972195]  power_supply_show_property+0x90/0x1f0\n[   14.972205]  add_prop_uevent+0x29/0x90\n[   14.972213]  power_supply_uevent+0x109/0x1d0\n[   14.972222]  dev_uevent+0x10e/0x2f0\n[   14.972228]  uevent_show+0x8e/0x100\n[   14.972236]  dev_attr_show+0x19\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23369"
        },
        {
          "id": "CVE-2026-23370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Don't hex dump plaintext password data\n\nset_new_password() hex dumps the entire buffer, which contains plaintext\npassword data, including current and new passwords. Remove the hex dump\nto avoid leaking credentials.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23370"
        },
        {
          "id": "CVE-2026-23371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting\n\nRunning stress-ng --schedpolicy 0 on an RT kernel on a big machine\nmight lead to the following WARNINGs (edited).\n\n sched: DL de-boosted task PID 22725: REPLENISH flag missing\n\n WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (running_bw underflow)\n Call trace:\n  dequeue_task_dl+0x15c/0x1f8 (P)\n  dequeue_task+0x80/0x168\n  deactivate_task+0x24/0x50\n  push_dl_task+0x264/0x2e0\n  dl_task_timer+0x1b0/0x228\n  __hrtimer_run_queues+0x188/0x378\n  hrtimer_interrupt+0xfc/0x260\n  ...\n\nThe problem is that when a SCHED_DEADLINE task (lock holder) is\nchanged to a lower priority class via sched_setscheduler(), it may\nfail to properly inherit the parameters of potential DEADLINE donors\nif it didn't already inherit them in the past (shorter deadline than\ndonor's at that time). This might lead to bandwidth accounting\ncorruption, as enqueue_task_dl() won't recognize the lock holder as\nboosted.\n\nThe scenario occurs when:\n1. A DEADLINE task (donor) blocks on a PI mutex held by another\n   DEADLINE task (holder), but the holder doesn't inherit parameters\n   (e.g., it already has a shorter deadline)\n2. sched_setscheduler() changes the holder from DEADLINE to a lower\n   class while still holding the mutex\n3. The holder should now inherit DEADLINE parameters from the donor\n   and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen\n\nFix the issue by introducing __setscheduler_dl_pi(), which detects when\na DEADLINE (proper or boosted) task gets setscheduled to a lower\npriority class. In case, the function makes the task inherit DEADLINE\nparameters of the donor (pi_se) and sets ENQUEUE_REPLENISH flag to\nensure proper bandwidth accounting during the next enqueue operation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23371"
        },
        {
          "id": "CVE-2026-23372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: rawsock: cancel tx_work before socket teardown\n\nIn rawsock_release(), cancel any pending tx_work and purge the write\nqueue before orphaning the socket.  rawsock_tx_work runs on the system\nworkqueue and calls nfc_data_exchange which dereferences the NCI\ndevice.  Without synchronization, tx_work can race with socket and\ndevice teardown when a process is killed (e.g. by SIGKILL), leading\nto use-after-free or leaked references.\n\nSet SEND_SHUTDOWN first so that if tx_work is already running it will\nsee the flag and skip transmitting, then use cancel_work_sync to wait\nfor any in-progress execution to finish, and finally purge any\nremaining queued skbs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23372"
        },
        {
          "id": "CVE-2026-23373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config\n\nThis triggers a WARN_ON in ieee80211_hw_conf_init and isn't the expected\nbehavior from the driver - other drivers default to 0 too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23373"
        },
        {
          "id": "CVE-2026-23374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace)   [failed]\n    runtime  0.367s  ...  0.437s\n    something found in dmesg:\n    [   81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n    [   81.239580] null_blk: disk nullb1 created\n    [   81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n    [   81.362842] caller is tracing_record_cmdline+0x10/0x40\n    [   81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G                 N  7.0.0-rc1lblk+ #84 PREEMPT(full)\n    [   81.362877] Tainted: [N]=TEST\n    [   81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n    [   81.362881] Call Trace:\n    [   81.362884]  <TASK>\n    [   81.362886]  dump_stack_lvl+0x8d/0xb0\n    ...\n    (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[   81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[   81.239580] null_blk: disk nullb1 created\n[   81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[   81.362842] caller is tracing_record_cmdline+0x10/0x40\n[   81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G                 N  7.0.0-rc1lblk+ #84 PREEMPT(full)\n[   81.362877] Tainted: [N]=TEST\n[   81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[   81.362881] Call Trace:\n[   81.362884]  <TASK>\n[   81.362886]  dump_stack_lvl+0x8d/0xb0\n[   81.362895]  check_preemption_disabled+0xce/0xe0\n[   81.362902]  tracing_record_cmdline+0x10/0x40\n[   81.362923]  __blk_add_trace+0x307/0x5d0\n[   81.362934]  ? lock_acquire+0xe0/0x300\n[   81.362940]  ? iov_iter_extract_pages+0x101/0xa30\n[   81.362959]  blk_add_trace_bio+0x106/0x1e0\n[   81.362968]  submit_bio_noacct_nocheck+0x24b/0x3a0\n[   81.362979]  ? lockdep_init_map_type+0x58/0x260\n[   81.362988]  submit_bio_wait+0x56/0x90\n[   81.363009]  __blkdev_direct_IO_simple+0x16c/0x250\n[   81.363026]  ? __pfx_submit_bio_wait_endio+0x10/0x10\n[   81.363038]  ? rcu_read_lock_any_held+0x73/0xa0\n[   81.363051]  blkdev_read_iter+0xc1/0x140\n[   81.363059]  vfs_read+0x20b/0x330\n[   81.363083]  ksys_read+0x67/0xe0\n[   81.363090]  do_syscall_64+0xbf/0xf00\n[   81.363102]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   81.363106] RIP: 0033:0x7f281906029d\n[   81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[   81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[   81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[   81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[   81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[   81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[   81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[   81.363142]  </TASK>\n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23374"
        },
        {
          "id": "CVE-2026-23375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n    BUG: unable to handle page fault for address: ffff88810284d000\n    RIP: 0010:memcpy_orig+0x16/0x130\n    Call Trace:\n     collapse_file\n     hpage_collapse_scan_file\n     madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n    Memory failure: 0x106d96f: recovery action for clean unevictable\n    LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23375"
        },
        {
          "id": "CVE-2026-23376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fcloop: Check remoteport port_state before calling done callback\n\nIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when\nremoteport->port_state is FC_OBJSTATE_ONLINE.  Otherwise, the\nnvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to\nfail and the nvme-fc transport layer itself will directly call\nnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free\nthe lsrsp resources.\n\nUpdate the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.\nIf online, then lsrsp->done callback will free the lsrsp.  Else, return\n-ENODEV to signal the nvme-fc transport to handle freeing lsrsp.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23376"
        },
        {
          "id": "CVE-2026-23377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz\n\nThe only user of frag_size field in XDP RxQ info is\nbpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead\nof DMA write size. Different assumptions in ice driver configuration lead\nto negative tailroom.\n\nThis allows to trigger kernel panic, when using\nXDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to\n6912 and the requested offset to a huge value, e.g.\nXSK_UMEM__MAX_FRAME_SIZE * 100.\n\nDue to other quirks of the ZC configuration in ice, panic is not observed\nin ZC mode, but tailroom growing still fails when it should not.\n\nUse fill queue buffer truesize instead of DMA write size in XDP RxQ info.\nFix ZC mode too by using the new helper.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23377"
        },
        {
          "id": "CVE-2026-23378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: Fix metalist update behavior\n\nWhenever an ife action replace changes the metalist, instead of\nreplacing the old data on the metalist, the current ife code is appending\nthe new metadata. Aside from being inappropriate behavior, this may lead\nto an unbounded addition of metadata to the metalist which might cause an\nout of bounds error when running the encode op:\n\n[  138.423369][    C1] ==================================================================\n[  138.424317][    C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.424906][    C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255\n[  138.425778][    C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)\n[  138.425795][    C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[  138.425800][    C1] Call Trace:\n[  138.425804][    C1]  <IRQ>\n[  138.425808][    C1]  dump_stack_lvl (lib/dump_stack.c:122)\n[  138.425828][    C1]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[  138.425839][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425844][    C1]  ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))\n[  138.425853][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425859][    C1]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[  138.425868][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425878][    C1]  kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))\n[  138.425884][    C1]  __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))\n[  138.425889][    C1]  ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425893][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:171)\n[  138.425898][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425903][    C1]  ife_encode_meta_u16 (net/sched/act_ife.c:57)\n[  138.425910][    C1]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[  138.425916][    C1]  ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))\n[  138.425921][    C1]  ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)\n[  138.425927][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425931][    C1]  tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)\n\nTo solve this issue, fix the replace behavior by adding the metalist to\nthe ife rcu data structure.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23378"
        },
        {
          "id": "CVE-2026-23379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: fix divide by zero in the offload path\n\nOffloading ETS requires computing each class' WRR weight: this is done by\naveraging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned\nint, the same integer size as the individual DRR quanta, can overflow and\neven cause division by zero, like it happened in the following splat:\n\n Oops: divide error: 0000 [#1] SMP PTI\n CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G            E       6.19.0-virtme #45 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ets_qdisc_change+0x870/0xf40 [sch_ets]\n  qdisc_create+0x12b/0x540\n  tc_modify_qdisc+0x6d7/0xbd0\n  rtnetlink_rcv_msg+0x168/0x6b0\n  netlink_rcv_skb+0x5c/0x110\n  netlink_unicast+0x1d6/0x2b0\n  netlink_sendmsg+0x22e/0x470\n  ____sys_sendmsg+0x38a/0x3c0\n  ___sys_sendmsg+0x99/0xe0\n  __sys_sendmsg+0x8a/0xf0\n  do_syscall_64+0x111/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f440b81c77e\n Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e\n RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003\n RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8\n R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980\n  </TASK>\n Modules linked in: sch_ets(E) netdevsim(E)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n\nFix this using 64-bit integers for 'q_sum' and 'q_psum'.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23379"
        },
        {
          "id": "CVE-2026-23380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close\n\nWhen a process forks, the child process copies the parent's VMAs but the\nuser_mapped reference count is not incremented. As a result, when both the\nparent and child processes exit, tracing_buffers_mmap_close() is called\ntwice. On the second call, user_mapped is already 0, causing the function to\nreturn -ENODEV and triggering a WARN_ON.\n\nNormally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.\nBut this is only a hint, and the application can call\nmadvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the\napplication does that, it can trigger this issue on fork.\n\nFix it by incrementing the user_mapped reference count without re-mapping\nthe pages in the VMA's open callback.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23380"
        },
        {
          "id": "CVE-2026-23381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub->nd_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n  <IRQ>\n  ? neigh_lookup+0x16/0xe0\n  br_do_suppress_nd+0x160/0x290 [bridge]\n  br_handle_frame_finish+0x500/0x620 [bridge]\n  br_handle_frame+0x353/0x440 [bridge]\n  __netif_receive_skb_core.constprop.0+0x298/0x1110\n  __netif_receive_skb_one_core+0x3d/0xa0\n  process_backlog+0xa0/0x140\n  __napi_poll+0x2c/0x170\n  net_rx_action+0x2c4/0x3a0\n  handle_softirqs+0xd0/0x270\n  do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23381"
        },
        {
          "id": "CVE-2026-23382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them\n\nIn commit 2ff5baa9b527 (\"HID: appleir: Fix potential NULL dereference at\nraw event handle\"), we handle the fact that raw event callbacks\ncan happen even for a HID device that has not been \"claimed\" causing a\ncrash if a broken device were attempted to be connected to the system.\n\nFix up the remaining in-tree HID drivers that forgot to add this same\ncheck to resolve the same issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23382"
        },
        {
          "id": "CVE-2026-23383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing\n\nstruct bpf_plt contains a u64 target field. Currently, the BPF JIT\nallocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT\nbuffer.\n\nBecause the base address of the JIT buffer can be 4-byte aligned (e.g.,\nending in 0x4 or 0xc), the relative padding logic in build_plt() fails\nto ensure that target lands on an 8-byte boundary.\n\nThis leads to two issues:\n1. UBSAN reports misaligned-access warnings when dereferencing the\n   structure.\n2. More critically, target is updated concurrently via WRITE_ONCE() in\n   bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64,\n   64-bit loads/stores are only guaranteed to be single-copy atomic if\n   they are 64-bit aligned. A misaligned target risks a torn read,\n   causing the JIT to jump to a corrupted address.\n\nFix this by increasing the allocation alignment requirement to 8 bytes\n(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of\nthe JIT buffer to an 8-byte boundary, allowing the relative padding math\nin build_plt() to correctly align the target field.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23383"
        },
        {
          "id": "CVE-2026-23384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)\n    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq->udma_mask)\n    __u8  rsvd[7];         // offset 9 - NEVER SET <- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23384"
        },
        {
          "id": "CVE-2026-23385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clone set on flush only\n\nSyzbot with fault injection triggered a failing memory allocation with\nGFP_KERNEL which results in a WARN splat:\n\niter.err\nWARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992\nModules linked in:\nCPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nRIP: 0010:nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845\nCode: 8b 05 86 5a 4e 09 48 3b 84 24 a0 00 00 00 75 62 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 63 6d fa f7 90 <0f> 0b 90 43\n+80 7c 35 00 00 0f 85 23 fe ff ff e9 26 fe ff ff 89 d9\nRSP: 0018:ffffc900045af780 EFLAGS: 00010293\nRAX: ffffffff89ca45bd RBX: 00000000fffffff4 RCX: ffff888028111e40\nRDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000\nRBP: ffffc900045af870 R08: 0000000000400dc0 R09: 00000000ffffffff\nR10: dffffc0000000000 R11: fffffbfff1d141db R12: ffffc900045af7e0\nR13: 1ffff920008b5f24 R14: dffffc0000000000 R15: ffffc900045af920\nFS:  000055557a6a5500(0000) GS:ffff888125496000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb5ea271fc0 CR3: 000000003269e000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n __nft_release_table+0xceb/0x11f0 net/netfilter/nf_tables_api.c:12115\n nft_rcv_nl_event+0xc25/0xdb0 net/netfilter/nf_tables_api.c:12187\n notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380\n netlink_release+0x123b/0x1ad0 net/netlink/af_netlink.c:761\n __sock_release net/socket.c:662 [inline]\n sock_close+0xc3/0x240 net/socket.c:1455\n\nRestrict set clone to the flush set command in the preparation phase.\nAdd NFT_ITER_UPDATE_CLONE and use it for this purpose, update the rbtree\nand pipapo backends to only clone the set when this iteration type is\nused.\n\nAs for the existing NFT_ITER_UPDATE type, update the pipapo backend to\nuse the existing set clone if available, otherwise use the existing set\nrepresentation. After this update, there is no need to clone a set that\nis being deleted, this includes bound anonymous set.\n\nAn alternative approach to NFT_ITER_UPDATE_CLONE is to add a .clone\ninterface and call it from the flush set path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23385"
        },
        {
          "id": "CVE-2026-23386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL\n\nIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA\nbuffer cleanup path. It iterates num_bufs times and attempts to unmap\nentries in the dma array.\n\nThis leads to two issues:\n1. The dma array shares storage with tx_qpl_buf_ids (union).\n Interpreting buffer IDs as DMA addresses results in attempting to\n unmap incorrect memory locations.\n2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed\n the size of the dma array, causing out-of-bounds access warnings\n(trace below is how we noticed this issue).\n\nUBSAN: array-index-out-of-bounds in\ndrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of\nrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')\nWorkqueue: gve gve_service_task [gve]\nCall Trace:\n<TASK>\ndump_stack_lvl+0x33/0xa0\n__ubsan_handle_out_of_bounds+0xdc/0x110\ngve_tx_stop_ring_dqo+0x182/0x200 [gve]\ngve_close+0x1be/0x450 [gve]\ngve_reset+0x99/0x120 [gve]\ngve_service_task+0x61/0x100 [gve]\nprocess_scheduled_works+0x1e9/0x380\n\nFix this by properly checking for QPL mode and delegating to\ngve_free_tx_qpl_bufs() to reclaim the buffers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23386"
        },
        {
          "id": "CVE-2026-23387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()\n\ndevm_add_action_or_reset() already invokes the action on failure,\nso the explicit put causes a double-put.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23387"
        },
        {
          "id": "CVE-2026-23388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata.  This will trap this and other cases.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23388"
        },
        {
          "id": "CVE-2026-23389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix memory leak in ice_set_ringparam()\n\nIn ice_set_ringparam, tx_rings and xdp_rings are allocated before\nrx_rings. If the allocation of rx_rings fails, the code jumps to\nthe done label leaking both tx_rings and xdp_rings. Furthermore, if\nthe setup of an individual Rx ring fails during the loop, the code jumps\nto the free_tx label which releases tx_rings but leaks xdp_rings.\n\nFix this by introducing a free_xdp label and updating the error paths to\nensure both xdp_rings and tx_rings are properly freed if rx_rings\nallocation or setup fails.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23389"
        },
        {
          "id": "CVE-2026-23390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n  phys_addrs: 1000 * 8 bytes = 8,000 bytes\n  dma_addrs:  1000 * 8 bytes = 8,000 bytes\n  lengths:    1000 * 4 bytes = 4,000 bytes\n  Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n  perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n  instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n  Steven Rostedt)\n- This allocates only what's needed up to the cap, avoiding waste\n  for small operations\n\nReviewed-by: Sean Anderson <sean.anderson@linux.dev>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23390"
        },
        {
          "id": "CVE-2026-23391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter is safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23391"
        },
        {
          "id": "CVE-2026-23392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber of hooks or by failing to set up hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier so this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23392"
        },
        {
          "id": "CVE-2026-23393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n           cpu0                                     cpu1\n\nmep_delete_implementation()\n  cancel_delayed_work_sync(ccm_rx_dwork);\n                                           br_cfm_frame_rx()\n                                             // peer_mep still in hlist\n                                             if (peer_mep->ccm_defect)\n                                               ccm_rx_timer_start()\n                                                 queue_delayed_work(ccm_rx_dwork)\n  hlist_del_rcu(&peer_mep->head);\n  kfree_rcu(peer_mep, rcu);\n                                           ccm_rx_work_expired()\n                                             // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23393"
        },
        {
          "id": "CVE-2026-23394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Give up GC if MSG_PEEK intervened.\n\nIgor Ushakov reported that GC purged the receive queue of\nan alive socket due to a race with MSG_PEEK with a nice repro.\n\nThis is the exact same issue previously fixed by commit\ncbcf01128d0a (\"af_unix: fix garbage collect vs MSG_PEEK\").\n\nAfter GC was replaced with the current algorithm, the cited\ncommit removed the locking dance in unix_peek_fds() and\nreintroduced the same issue.\n\nThe problem is that MSG_PEEK bumps a file refcount without\ninteracting with GC.\n\nConsider an SCC containing sk-A and sk-B, where sk-A is\nclose()d but can be recv()ed via sk-B.\n\nThe bad thing happens if sk-A is recv()ed with MSG_PEEK from\nsk-B and sk-B is close()d while GC is checking unix_vertex_dead()\nfor sk-A and sk-B.\n\n  GC thread                    User thread\n  ---------                    -----------\n  unix_vertex_dead(sk-A)\n  -> true   <------.\n                    \\\n                     `------   recv(sk-B, MSG_PEEK)\n              invalidate !!    -> sk-A's file refcount : 1 -> 2\n\n                               close(sk-B)\n                               -> sk-B's file refcount : 2 -> 1\n  unix_vertex_dead(sk-B)\n  -> true\n\nInitially, sk-A's file refcount is 1 by the inflight fd in sk-B\nrecvq.  GC thinks sk-A is dead because the file refcount is the\nsame as the number of its inflight fds.\n\nHowever, sk-A's file refcount is bumped silently by MSG_PEEK,\nwhich invalidates the previous evaluation.\n\nAt this moment, sk-B's file refcount is 2; one by the open fd,\nand one by the inflight fd in sk-A.  The subsequent close()\nreleases one refcount by the former.\n\nFinally, GC incorrectly concludes that both sk-A and sk-B are dead.\n\nOne option is to restore the locking dance in unix_peek_fds(),\nbut we can resolve this more elegantly thanks to the new algorithm.\n\nThe point is that the issue does not occur without the subsequent\nclose() and we actually do not need to synchronise MSG_PEEK with\nthe dead SCC detection.\n\nWhen the issue occurs, close() and GC touch the same file refcount.\nIf GC sees the refcount being decremented by close(), it can just\ngive up garbage-collecting the SCC.\n\nTherefore, we only need to signal the race during MSG_PEEK with\na proper memory barrier to make it visible to the GC.\n\nLet's use seqcount_t to notify GC when MSG_PEEK occurs and let\nit defer the SCC to the next run.\n\nThis way no locking is needed on the MSG_PEEK side, and we can\navoid imposing a penalty on every MSG_PEEK unnecessarily.\n\nNote that we can retry within unix_scc_dead() if MSG_PEEK is\ndetected, but we do not do so to avoid hung task splat from\nabusive MSG_PEEK calls.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23394"
        },
        {
          "id": "CVE-2026-23395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n'Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.'\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23395"
        },
        {
          "id": "CVE-2026-23396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n    calling mesh_matches_local()\n  - mesh_plink_get_event() is only reached through\n    mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23396"
        },
        {
          "id": "CVE-2026-23397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx->optp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n  xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n  nf_hook_slow (net/netfilter/core.c:623)\n  ip_local_deliver (net/ipv4/ip_input.c:262)\n  ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length < 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction.  While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"< 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx->optsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23397"
        },
        {
          "id": "CVE-2026-23398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n  <IRQ>\n  icmp_rcv (net/ipv4/icmp.c:1527)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n  ip_local_deliver (net/ipv4/ip_input.c:262)\n  ip_rcv (net/ipv4/ip_input.c:573)\n  __netif_receive_skb_one_core (net/core/dev.c:6164)\n  process_backlog (net/core/dev.c:6628)\n  handle_softirqs (kernel/softirq.c:561)\n  </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23398"
        },
        {
          "id": "CVE-2026-23399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\n\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\n  unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n    comm \"softirq\", pid 0, jiffies 4294931867\n    hex dump (first 16 bytes on cpu 3):\n      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n    backtrace (crc 0):\n      pcpu_alloc_noprof+0x453/0xd80\n      nft_counter_clone+0x9c/0x190 [nf_tables]\n      nft_expr_clone+0x8f/0x1b0 [nf_tables]\n      nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n      nft_rhash_update+0x236/0x11c0 [nf_tables]\n      nft_dynset_eval+0x11f/0x670 [nf_tables]\n      nft_do_chain+0x253/0x1700 [nf_tables]\n      nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n      nf_hook_slow+0xaa/0x1e0\n      ip_local_deliver+0x209/0x330",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23399"
        },
        {
          "id": "CVE-2026-23400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: call set_notification_done() without proc lock\n\nConsider the following sequence of events on a death listener:\n1. The remote process dies and sends a BR_DEAD_BINDER message.\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\n\nHowever, this can result in a deadlock if the current thread is not a\nlooper. This is because dead_binder_done() still holds the proc lock\nduring set_notification_done(), which called push_work_if_looper().\nNormally, push_work_if_looper() takes the thread lock, which is fine to\ntake under the proc lock. But if the current thread is not a looper,\nthen it falls back to delivering the reply to the process work queue,\nwhich involves taking the proc lock. Since the proc lock is already\nheld, this is a deadlock.\n\nFix this by releasing the proc lock during set_notification_done(). It\nwas not intentional that it was held during that function to begin with.\n\nI don't think this ever happens in Android because BC_DEAD_BINDER_DONE\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\nalways delivers BR_DEAD_BINDER to a looper. So there's no scenario where\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23400"
        },
        {
          "id": "CVE-2026-23401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulated MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n  ------------[ cut here ]------------\n  is_shadow_present_pte(*sptep)\n  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n  Call Trace:\n   <TASK>\n   mmu_set_spte+0x237/0x440 [kvm]\n   ept_page_fault+0x535/0x7f0 [kvm]\n   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n   kvm_mmu_page_fault+0x8d/0x620 [kvm]\n   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0xb5/0x730\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x47fa3f\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23401"
        },
        {
          "id": "CVE-2026-23402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE\n\nAdjust KVM's sanity check against overwriting a shadow-present SPTE with\nanother SPTE with a different target PFN to only apply to direct MMUs,\ni.e. only to MMUs without shadowed gPTEs.  While it's impossible for KVM\nto overwrite a shadow-present SPTE in response to a guest write, writes\nfrom outside the scope of KVM, e.g. from host userspace, aren't detected\nby KVM's write tracking and so can break KVM's shadow paging rules.\n\n  ------------[ cut here ]------------\n  pfn != spte_to_pfn(*sptep)\n  WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]\n  Call Trace:\n   <TASK>\n   ept_page_fault+0x535/0x7f0 [kvm]\n   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n   kvm_mmu_page_fault+0x8d/0x620 [kvm]\n   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0xb5/0x730\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   </TASK>\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23402"
        },
        {
          "id": "CVE-2026-23403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix memory leak in verify_header\n\nThe function sets `*ns = NULL` on every call, leaking the namespace\nstring allocated in previous iterations when multiple profiles are\nunpacked. This also breaks namespace consistency checking since *ns\nis always NULL when the comparison is made.\n\nRemove the incorrect assignment.\nThe caller (aa_unpack) initializes *ns to NULL once before the loop,\nwhich is sufficient.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23403"
        },
        {
          "id": "CVE-2026-23404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n  $ pf='a'; for ((i=0; i<1024; i++)); do\n      echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n      pf=\"$pf//x\";\n  done\n  $ echo -n a > /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23404"
        },
        {
          "id": "CVE-2026-23405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix: limit the number of levels of policy namespaces\n\nCurrently the number of policy namespaces is not bounded relying on\nthe user namespace limit. However policy namespaces aren't strictly\ntied to user namespaces and it is possible to create them and nest\nthem arbitrarily deep which can be used to exhaust system resource.\n\nHard cap policy namespaces to the same depth as user namespaces.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23405"
        },
        {
          "id": "CVE-2026-23406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix side-effect bug in match_char() macro usage\n\nThe match_char() macro evaluates its character parameter multiple\ntimes when traversing differential encoding chains. When invoked\nwith *str++, the string pointer advances on each iteration of the\ninner do-while loop, causing the DFA to check different characters\nat each iteration and therefore skip input characters.\nThis results in out-of-bounds reads when the pointer advances past\nthe input buffer boundary.\n\n[   94.984676] ==================================================================\n[   94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\n[   94.985655] Read of size 1 at addr ffff888100342000 by task file/976\n\n[   94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[   94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   94.986329] Call Trace:\n[   94.986341]  <TASK>\n[   94.986347]  dump_stack_lvl+0x5e/0x80\n[   94.986374]  print_report+0xc8/0x270\n[   94.986384]  ? aa_dfa_match+0x5ae/0x760\n[   94.986388]  kasan_report+0x118/0x150\n[   94.986401]  ? aa_dfa_match+0x5ae/0x760\n[   94.986405]  aa_dfa_match+0x5ae/0x760\n[   94.986408]  __aa_path_perm+0x131/0x400\n[   94.986418]  aa_path_perm+0x219/0x2f0\n[   94.986424]  apparmor_file_open+0x345/0x570\n[   94.986431]  security_file_open+0x5c/0x140\n[   94.986442]  do_dentry_open+0x2f6/0x1120\n[   94.986450]  vfs_open+0x38/0x2b0\n[   94.986453]  ? may_open+0x1e2/0x2b0\n[   94.986466]  path_openat+0x231b/0x2b30\n[   94.986469]  ? __x64_sys_openat+0xf8/0x130\n[   94.986477]  do_file_open+0x19d/0x360\n[   94.986487]  do_sys_openat2+0x98/0x100\n[   94.986491]  __x64_sys_openat+0xf8/0x130\n[   94.986499]  do_syscall_64+0x8e/0x660\n[   94.986515]  ? count_memcg_events+0x15f/0x3c0\n[   94.986526]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986540]  ? handle_mm_fault+0x1639/0x1ef0\n[   94.986551]  ? vma_start_read+0xf0/0x320\n[   94.986558]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986561]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986563]  ? fpregs_assert_state_consistent+0x50/0xe0\n[   94.986572]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986574]  ? arch_exit_to_user_mode_prepare+0x9/0xb0\n[   94.986587]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986588]  ? irqentry_exit+0x3c/0x590\n[   94.986595]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   94.986597] RIP: 0033:0x7fda4a79c3ea\n\nFix by extracting the character value before invoking match_char,\nensuring single evaluation per outer loop.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23406"
        },
        {
          "id": "CVE-2026-23407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix missing bounds check on DEFAULT table in verify_dfa()\n\nThe verify_dfa() function only checks DEFAULT_TABLE bounds when the state\nis not differentially encoded.\n\nWhen the verification loop traverses the differential encoding chain,\nit reads k = DEFAULT_TABLE[j] and uses k as an array index without\nvalidation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,\ntherefore, causes both out-of-bounds reads and writes.\n\n[   57.179855] ==================================================================\n[   57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660\n[   57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993\n\n[   57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[   57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   57.181563] Call Trace:\n[   57.181572]  <TASK>\n[   57.181577]  dump_stack_lvl+0x5e/0x80\n[   57.181596]  print_report+0xc8/0x270\n[   57.181605]  ? verify_dfa+0x59a/0x660\n[   57.181608]  kasan_report+0x118/0x150\n[   57.181620]  ? verify_dfa+0x59a/0x660\n[   57.181623]  verify_dfa+0x59a/0x660\n[   57.181627]  aa_dfa_unpack+0x1610/0x1740\n[   57.181629]  ? __kmalloc_cache_noprof+0x1d0/0x470\n[   57.181640]  unpack_pdb+0x86d/0x46b0\n[   57.181647]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   57.181653]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   57.181656]  ? aa_unpack_nameX+0x1a8/0x300\n[   57.181659]  aa_unpack+0x20b0/0x4c30\n[   57.181662]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   57.181664]  ? stack_depot_save_flags+0x33/0x700\n[   57.181681]  ? kasan_save_track+0x4f/0x80\n[   57.181683]  ? kasan_save_track+0x3e/0x80\n[   57.181686]  ? __kasan_kmalloc+0x93/0xb0\n[   57.181688]  ? __kvmalloc_node_noprof+0x44a/0x780\n[   57.181693]  ? aa_simple_write_to_buffer+0x54/0x130\n[   57.181697]  ? policy_update+0x154/0x330\n[   57.181704]  aa_replace_profiles+0x15a/0x1dd0\n[   57.181707]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   57.181710]  ? __kvmalloc_node_noprof+0x44a/0x780\n[   57.181712]  ? aa_loaddata_alloc+0x77/0x140\n[   57.181715]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   57.181717]  ? _copy_from_user+0x2a/0x70\n[   57.181730]  policy_update+0x17a/0x330\n[   57.181733]  profile_replace+0x153/0x1a0\n[   57.181735]  ? rw_verify_area+0x93/0x2d0\n[   57.181740]  vfs_write+0x235/0xab0\n[   57.181745]  ksys_write+0xb0/0x170\n[   57.181748]  do_syscall_64+0x8e/0x660\n[   57.181762]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   57.181765] RIP: 0033:0x7f6192792eb2\n\nRemove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE\nentries unconditionally.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23407"
        },
        {
          "id": "CVE-2026-23408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071         error = aa_unpack(udata, &lh, &ns_name);\n\nand if ent->ns_name contains an ns_name in\n1089                 } else if (ent->ns_name) {\n\nthen ns_name is assigned the ent->ns_name\n1095                         ns_name = ent->ns_name;\n\nhowever ent->ns_name is freed at\n1262                 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270         kfree(ns_name);\n\nFix this by NULLing out ent->ns_name after it is transferred to ns_name\n\n\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23408"
        },
        {
          "id": "CVE-2026-23409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix differential encoding verification\n\nDifferential encoding allows loops to be created if it is abused. To\nprevent this the unpack should verify that a diff-encode chain\nterminates.\n\nUnfortunately the differential encode verification had two bugs.\n\n1. it conflated states that had gone through check and already been\n   marked, with states that were currently being checked and marked.\n   This means that loops in the current chain being verified are treated\n   as a chain that has already been verified.\n\n2. the order bailout on already checked states compared current chain\n   check iterators j,k instead of using the outer loop iterator i.\n   Meaning a step backwards in states in the current chain verification\n   was being mistaken for moving to an already verified state.\n\nMove to a double mark scheme where already verified states get a\ndifferent mark, than the current chain being kept. This enables us\nto also drop the backwards verification check that was the cause of\nthe second error as any already verified state is already marked.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23409"
        },
        {
          "id": "CVE-2026-23410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race on rawdata dereference\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren't refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference.  However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23410"
        },
        {
          "id": "CVE-2026-23411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan and does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23411"
        },
        {
          "id": "CVE-2026-23412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: defer hook memory release until rcu readers are done\n\nYiming Qian reports UaF when concurrent process is dumping hooks via\nnfnetlink_hooks:\n\nBUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0\nRead of size 8 at addr ffff888003edbf88 by task poc/79\nCall Trace:\n <TASK>\n nfnl_hook_dump_one.isra.0+0xe71/0x10f0\n netlink_dump+0x554/0x12b0\n nfnl_hook_get+0x176/0x230\n [..]\n\nDefer release until after concurrent readers have completed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23412"
        },
        {
          "id": "CVE-2026-23413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclsact: Fix use-after-free in init/destroy rollback asymmetry\n\nFix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.\nThe latter is achieved by first fully initializing a clsact instance, and\nthen in a second step having a replacement failure for the new clsact qdisc\ninstance. clsact_init() initializes ingress first and then takes care of the\negress part. This can fail midway, for example, via tcf_block_get_ext(). Upon\nfailure, the kernel will trigger the clsact_destroy() callback.\n\nCommit 1cb6f0bae504 (\"bpf: Fix too early release of tcx_entry\") details the\nway how the transition is happening. If tcf_block_get_ext on the q->ingress_block\nends up failing, we took the tcx_miniq_inc reference count on the ingress\nside, but not yet on the egress side. clsact_destroy() tests whether the\n{ingress,egress}_entry was non-NULL. However, even in midway failure on the\nreplacement, both are in fact non-NULL with a valid egress_entry from the\nprevious clsact instance.\n\nWhat we really need to test for is whether the qdisc instance-specific ingress\nor egress side previously got initialized. This adds a small helper for checking\nthe miniq initialization called mini_qdisc_pair_inited, and utilizes that upon\nclsact_destroy() in order to fix the use-after-free scenario. Convert the\ningress_destroy() side as well so both are consistent to each other.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23413"
        },
        {
          "id": "CVE-2026-23414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(&ctx->async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23414"
        },
        {
          "id": "CVE-2026-23415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()\n\nDuring futex_key_to_node_opt() execution, vma->vm_policy is read under\nspeculative mmap lock and RCU. Concurrently, mbind() may call\nvma_replace_policy() which frees the old mempolicy immediately via\nkmem_cache_free().\n\nThis creates a race where __futex_key_to_node() dereferences a freed\nmempolicy pointer, causing a use-after-free read of mpol->mode.\n\n[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)\n[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87\n\n[  151.415969] Call Trace:\n\n[  151.416732]  __asan_load2 (mm/kasan/generic.c:271)\n[  151.416777]  __futex_key_to_node (kernel/futex/core.c:349)\n[  151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)\n\nFix by adding rcu to __mpol_put().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23415"
        },
        {
          "id": "CVE-2026-23416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mseal: update VMA end correctly on merge\n\nPreviously we stored the end of the current VMA in curr_end, and then upon\niterating to the next VMA updated curr_start to curr_end to advance to the\nnext VMA.\n\nHowever, this doesn't take into account the fact that a VMA might be\nupdated due to a merge by vma_modify_flags(), which can result in curr_end\nbeing stale and thus, upon setting curr_start to curr_end, ending up with\nan incorrect curr_start on the next iteration.\n\nResolve the issue by setting curr_end to vma->vm_end unconditionally to\nensure this value remains updated should this occur.\n\nWhile we're here, eliminate this entire class of bug by simply setting\nconst curr_[start/end] to be clamped to the input range and VMAs, which\nalso happens to simplify the logic.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23416"
        },
        {
          "id": "CVE-2026-23417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23417"
        },
        {
          "id": "CVE-2026-23418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/reg_sr: Fix leak on xa_store failure\n\nFree the newly allocated entry when xa_store() fails to avoid a memory\nleak on the error path.\n\nv2: use goto fail_free. (Bala)\n\n(cherry picked from commit 6bc6fec71ac45f52db609af4e62bdb96b9f5fadb)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23418"
        },
        {
          "id": "CVE-2026-23419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: Fix circular locking dependency in rds_tcp_tune\n\nsyzbot reported a circular locking dependency in rds_tcp_tune() where\nsk_net_refcnt_upgrade() is called while holding the socket lock:\n\n======================================================\nWARNING: possible circular locking dependency detected\n======================================================\nkworker/u10:8/15040 is trying to acquire lock:\nffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},\nat: __kmalloc_cache_noprof+0x4b/0x6f0\n\nbut task is already holding lock:\nffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},\nat: rds_tcp_tune+0xd7/0x930\n\nThe issue occurs because sk_net_refcnt_upgrade() performs memory\nallocation (via get_net_track() -> ref_tracker_alloc()) while the\nsocket lock is held, creating a circular dependency with fs_reclaim.\n\nFix this by moving sk_net_refcnt_upgrade() outside the socket lock\ncritical section. This is safe because the fields modified by the\nsk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not\naccessed by any concurrent code path at this point.\n\nv2:\n  - Corrected fixes tag\n  - check patch line wrap nits\n  - ai commentary nits",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23419"
        },
        {
          "id": "CVE-2026-23420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Fix a locking bug\n\nMake sure that wl->mutex is locked before it is unlocked. This has been\ndetected by the Clang thread-safety analyzer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23420"
        },
        {
          "id": "CVE-2026-23421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/configfs: Free ctx_restore_mid_bb in release\n\nctx_restore_mid_bb memory is allocated in wa_bb_store(), but\nxe_config_device_release() only frees ctx_restore_post_bb.\n\nFree ctx_restore_mid_bb[0].cs as well to avoid leaking the allocation\nwhen the configfs device is removed.\n\n(cherry picked from commit a235e7d0098337c3f2d1e8f3610c719a589e115f)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23421"
        },
        {
          "id": "CVE-2026-23422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler\n\nCommit 31a7a0bbeb00 (\"dpaa2-switch: add bounds check for if_id in IRQ\nhandler\") introduces a range check for if_id to avoid an out-of-bounds\naccess. If an out-of-bounds if_id is detected, the interrupt status is\nnot cleared. This may result in an interrupt storm.\n\nClear the interrupt status after detecting an out-of-bounds if_id to avoid\nthe problem.\n\nFound by an experimental AI code review agent at Google.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23422"
        },
        {
          "id": "CVE-2026-23423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: free pages on error in btrfs_uring_read_extent()\n\nIn this function the 'pages' object is never freed in the hopes that it is\npicked up by btrfs_uring_read_finished() whenever that executes in the\nfuture. But that's just the happy path. Along the way previous\nallocations might have gone wrong, or we might not get -EIOCBQUEUED from\nbtrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a\ncleanup section that frees all memory allocated by this function without\nassuming any deferred execution, and this also needs to happen for the\n'pages' allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23423"
        },
        {
          "id": "CVE-2026-23424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Validate command buffer payload count\n\nThe count field in the command header is used to determine the valid\npayload size. Verify that the valid payload does not exceed the remaining\nbuffer space.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23424"
        },
        {
          "id": "CVE-2026-23425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix ID register initialization for non-protected pKVM guests\n\nIn protected mode, the hypervisor maintains a separate instance of\nthe `kvm` structure for each VM. For non-protected VMs, this structure is\ninitialized from the host's `kvm` state.\n\nCurrently, `pkvm_init_features_from_host()` copies the\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` flag from the host without the\nunderlying `id_regs` data being initialized. This results in the\nhypervisor seeing the flag as set while the ID registers remain zeroed.\n\nConsequently, `kvm_has_feat()` checks at EL2 fail (return 0) for\nnon-protected VMs. This breaks logic that relies on feature detection,\nsuch as `ctxt_has_tcrx()` for TCR2_EL1 support. As a result, certain\nsystem registers (e.g., TCR2_EL1, PIR_EL1, POR_EL1) are not\nsaved/restored during the world switch, which could lead to state\ncorruption.\n\nFix this by explicitly copying the ID registers from the host `kvm` to\nthe hypervisor `kvm` for non-protected VMs during initialization, since\nwe trust the host with its non-protected guests' features. Also ensure\n`KVM_ARCH_FLAG_ID_REGS_INITIALIZED` is cleared initially in\n`pkvm_init_features_from_host` so that `vm_copy_id_regs` can properly\ninitialize them and set the flag once done.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23425"
        },
        {
          "id": "CVE-2026-23426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()\n\nThe logicvc_drm_config_parse() function calls of_get_child_by_name() to\nfind the \"layers\" node but fails to release the reference, leading to a\ndevice node reference leak.\n\nFix this by using the __free(device_node) cleanup attribute to automatic\nrelease the reference when the variable goes out of scope.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23426"
        },
        {
          "id": "CVE-2026-23427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in durable v2 replay of active file handles\n\nparse_durable_handle_context() unconditionally assigns dh_info->fp->conn\nto the current connection when handling a DURABLE_REQ_V2 context with\nSMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by\nfp->conn, so it returns file handles that are already actively connected.\nThe unconditional overwrite replaces fp->conn, and when the overwriting\nconnection is subsequently freed, __ksmbd_close_fd() dereferences the\nstale fp->conn via spin_lock(&fp->conn->llist_lock), causing a\nuse-after-free.\n\nKASAN report:\n\n[    7.349357] ==================================================================\n[    7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0\n[    7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108\n[    7.350010]\n[    7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY\n[    7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    7.350070] Workqueue: ksmbd-io handle_ksmbd_work\n[    7.350083] Call Trace:\n[    7.350087]  <TASK>\n[    7.350087]  dump_stack_lvl+0x64/0x80\n[    7.350094]  print_report+0xce/0x660\n[    7.350100]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[    7.350101]  ? __pfx___mod_timer+0x10/0x10\n[    7.350106]  ? _raw_spin_lock+0x75/0xe0\n[    7.350108]  kasan_report+0xce/0x100\n[    7.350109]  ? _raw_spin_lock+0x75/0xe0\n[    7.350114]  kasan_check_range+0x105/0x1b0\n[    7.350116]  _raw_spin_lock+0x75/0xe0\n[    7.350118]  ? __pfx__raw_spin_lock+0x10/0x10\n[    7.350119]  ? __call_rcu_common.constprop.0+0x25e/0x780\n[    7.350125]  ? close_id_del_oplock+0x2cc/0x4e0\n[    7.350128]  __ksmbd_close_fd+0x27f/0xaf0\n[    7.350131]  ksmbd_close_fd+0x135/0x1b0\n[    7.350133]  smb2_close+0xb19/0x15b0\n[    7.350142]  ? __pfx_smb2_close+0x10/0x10\n[    7.350143]  ? xas_load+0x18/0x270\n[    7.350146]  ? _raw_spin_lock+0x84/0xe0\n[    7.350148]  ? __pfx__raw_spin_lock+0x10/0x10\n[    7.350150]  ? _raw_spin_unlock+0xe/0x30\n[    7.350151]  ? ksmbd_smb2_check_message+0xeb2/0x24c0\n[    7.350153]  ? ksmbd_tree_conn_lookup+0xcd/0xf0\n[    7.350154]  handle_ksmbd_work+0x40f/0x1080\n[    7.350156]  process_one_work+0x5fa/0xef0\n[    7.350162]  ? assign_work+0x122/0x3e0\n[    7.350163]  worker_thread+0x54b/0xf70\n[    7.350165]  ? __pfx_worker_thread+0x10/0x10\n[    7.350166]  kthread+0x346/0x470\n[    7.350170]  ? recalc_sigpending+0x19b/0x230\n[    7.350176]  ? __pfx_kthread+0x10/0x10\n[    7.350178]  ret_from_fork+0x4fb/0x6c0\n[    7.350183]  ? __pfx_ret_from_fork+0x10/0x10\n[    7.350185]  ? __switch_to+0x36c/0xbe0\n[    7.350188]  ? __pfx_kthread+0x10/0x10\n[    7.350190]  ret_from_fork_asm+0x1a/0x30\n[    7.350197]  </TASK>\n[    7.350197]\n[    7.355160] Allocated by task 123:\n[    7.355261]  kasan_save_stack+0x33/0x60\n[    7.355373]  kasan_save_track+0x14/0x30\n[    7.355484]  __kasan_kmalloc+0x8f/0xa0\n[    7.355593]  ksmbd_conn_alloc+0x44/0x6d0\n[    7.355711]  ksmbd_kthread_fn+0x243/0xd70\n[    7.355839]  kthread+0x346/0x470\n[    7.355942]  ret_from_fork+0x4fb/0x6c0\n[    7.356051]  ret_from_fork_asm+0x1a/0x30\n[    7.356164]\n[    7.356214] Freed by task 134:\n[    7.356305]  kasan_save_stack+0x33/0x60\n[    7.356416]  kasan_save_track+0x14/0x30\n[    7.356527]  kasan_save_free_info+0x3b/0x60\n[    7.356646]  __kasan_slab_free+0x43/0x70\n[    7.356761]  kfree+0x1ca/0x430\n[    7.356862]  ksmbd_tcp_disconnect+0x59/0xe0\n[    7.356993]  ksmbd_conn_handler_loop+0x77e/0xd40\n[    7.357138]  kthread+0x346/0x470\n[    7.357240]  ret_from_fork+0x4fb/0x6c0\n[    7.357350]  ret_from_fork_asm+0x1a/0x30\n[    7.357463]\n[    7.357513] The buggy address belongs to the object at ffff8881056ac000\n[    7.357513]  which belongs to the cache kmalloc-1k of size 1024\n[    7.357857] The buggy address is located 396 bytes inside of\n[    7.357857]  freed 1024-byte region \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23427"
        },
        {
          "id": "CVE-2026-23428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of share_conf in compound request\n\nsmb2_get_ksmbd_tcon() reuses work->tcon in compound requests without\nvalidating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==\nTREE_CONNECTED on the initial lookup path, but the compound reuse path\nbypasses this check entirely.\n\nIf a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state\nto TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),\nsubsequent commands dereference the freed share_conf through\nwork->tcon->share_conf.\n\nKASAN report:\n\n[    4.144653] ==================================================================\n[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70\n[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44\n[    4.145772]\n[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY\n[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work\n[    4.145888] Call Trace:\n[    4.145892]  <TASK>\n[    4.145894]  dump_stack_lvl+0x64/0x80\n[    4.145910]  print_report+0xce/0x660\n[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[    4.145928]  ? smb2_write+0xc74/0xe70\n[    4.145931]  kasan_report+0xce/0x100\n[    4.145934]  ? smb2_write+0xc74/0xe70\n[    4.145937]  smb2_write+0xc74/0xe70\n[    4.145939]  ? __pfx_smb2_write+0x10/0x10\n[    4.145942]  ? _raw_spin_unlock+0xe/0x30\n[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0\n[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480\n[    4.145951]  handle_ksmbd_work+0x40f/0x1080\n[    4.145953]  process_one_work+0x5fa/0xef0\n[    4.145962]  ? assign_work+0x122/0x3e0\n[    4.145964]  worker_thread+0x54b/0xf70\n[    4.145967]  ? __pfx_worker_thread+0x10/0x10\n[    4.145970]  kthread+0x346/0x470\n[    4.145976]  ? recalc_sigpending+0x19b/0x230\n[    4.145980]  ? __pfx_kthread+0x10/0x10\n[    4.145984]  ret_from_fork+0x4fb/0x6c0\n[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10\n[    4.145995]  ? __switch_to+0x36c/0xbe0\n[    4.145999]  ? __pfx_kthread+0x10/0x10\n[    4.146003]  ret_from_fork_asm+0x1a/0x30\n[    4.146013]  </TASK>\n[    4.146014]\n[    4.149858] Allocated by task 44:\n[    4.149953]  kasan_save_stack+0x33/0x60\n[    4.150061]  kasan_save_track+0x14/0x30\n[    4.150169]  __kasan_kmalloc+0x8f/0xa0\n[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0\n[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600\n[    4.150529]  smb2_tree_connect+0x2e6/0x1000\n[    4.150645]  handle_ksmbd_work+0x40f/0x1080\n[    4.150761]  process_one_work+0x5fa/0xef0\n[    4.150873]  worker_thread+0x54b/0xf70\n[    4.150978]  kthread+0x346/0x470\n[    4.151071]  ret_from_fork+0x4fb/0x6c0\n[    4.151176]  ret_from_fork_asm+0x1a/0x30\n[    4.151286]\n[    4.151332] Freed by task 44:\n[    4.151418]  kasan_save_stack+0x33/0x60\n[    4.151526]  kasan_save_track+0x14/0x30\n[    4.151634]  kasan_save_free_info+0x3b/0x60\n[    4.151751]  __kasan_slab_free+0x43/0x70\n[    4.151861]  kfree+0x1ca/0x430\n[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190\n[    4.152088]  smb2_tree_disconnect+0x1cd/0x480\n[    4.152211]  handle_ksmbd_work+0x40f/0x1080\n[    4.152326]  process_one_work+0x5fa/0xef0\n[    4.152438]  worker_thread+0x54b/0xf70\n[    4.152545]  kthread+0x346/0x470\n[    4.152638]  ret_from_fork+0x4fb/0x6c0\n[    4.152743]  ret_from_fork_asm+0x1a/0x30\n[    4.152853]\n[    4.152900] The buggy address belongs to the object at ffff88810430c180\n[    4.152900]  which belongs to the cache kmalloc-96 of size 96\n[    4.153226] The buggy address is located 20 bytes inside of\n[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)\n[    4.153549]\n[    4.153596] The buggy address belongs to the physical page:\n[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c\n[    4.154000] flags: 0x\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23428"
        },
        {
          "id": "CVE-2026-23429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sva: Fix crash in iommu_sva_unbind_device()\n\ndomain->mm->iommu_mm can be freed by iommu_domain_free():\n  iommu_domain_free()\n    mmdrop()\n      __mmdrop()\n        mm_pasid_drop()\nAfter iommu_domain_free() returns, accessing domain->mm->iommu_mm may\ndereference a freed mm structure, leading to a crash.\n\nFix this by moving the code that accesses domain->mm->iommu_mm to before\nthe call to iommu_domain_free().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23429"
        },
        {
          "id": "CVE-2026-23430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Don't overwrite KMS surface dirty tracker\n\nWe were overwriting the surface's dirty tracker here causing a memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23430"
        },
        {
          "id": "CVE-2026-23431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: amlogic-spisg: Fix memory leak in aml_spisg_probe()\n\nIn aml_spisg_probe(), ctlr is allocated by\nspi_alloc_target()/spi_alloc_host(), but fails to call\nspi_controller_put() in several error paths. This leads\nto a memory leak whenever the driver fails to probe after\nthe initial allocation.\n\nConvert to use devm_spi_alloc_host()/devm_spi_alloc_target()\nto fix the memory leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23431"
        },
        {
          "id": "CVE-2026-23432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix use-after-free in mshv_map_user_memory error path\n\nIn the error path of mshv_map_user_memory(), calling vfree() directly on\nthe region leaves the MMU notifier registered. When userspace later unmaps\nthe memory, the notifier fires and accesses the freed region, causing a\nuse-after-free and potential kernel panic.\n\nReplace vfree() with mshv_partition_put() to properly unregister\nthe MMU notifier before freeing the region.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23432",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm_mpam: Fix null pointer dereference when restoring bandwidth counters\n\nWhen an MSC supporting memory bandwidth monitoring is brought offline and\nthen online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to\nrestore the configuration of the bandwidth counters. It doesn't care about\nthe value read, mbwu_arg.val, and doesn't set it leading to a null pointer\ndereference when __ris_msmon_read() adds to it. This results in a kernel\noops with a call trace such as:\n\nCall trace:\n__ris_msmon_read+0x19c/0x64c (P)\nmpam_restore_mbwu_state+0xa0/0xe8\nsmp_call_on_cpu_callback+0x1c/0x38\nprocess_one_work+0x154/0x4b4\nworker_thread+0x188/0x310\nkthread+0x11c/0x130\nret_from_fork+0x10/0x20\n\nProvide a local variable for val to avoid __ris_msmon_read() dereferencing\na null pointer when adding to val.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23433",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23434"
        },
        {
          "id": "CVE-2026-23435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  RIP: x86_perf_event_update+0xc/0xa0\n  Call Trace:\n   <NMI>\n   amd_pmu_v2_handle_irq+0x1a6/0x390\n   perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc->event_base))` check in\nx86_perf_event_update() where hwc = &event->hw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc->active_mask and cpuc->events[]:\n\n  active_mask: 0x1e (bits 1, 2, 3, 4)\n  events[1]:   0xff1100136cbd4f38  (valid)\n  events[2]:   0x0                 (NULL, but active_mask bit 2 set)\n  events[3]:   0xff1100076fd2cf38  (valid)\n  events[4]:   0xff1100079e990a90  (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc->events[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu->start() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n  perf_adjust_freq_unthr_events()\n    -> perf_event_unthrottle_group()\n      -> perf_event_unthrottle()\n        -> event->pmu->start(event, 0)\n          -> x86_pmu_start()     // sets active_mask but not events[]\n\nThe race sequence is:\n\n  1. A group of perf events overflows, triggering group throttle via\n     perf_event_throttle_group(). All events are stopped: active_mask\n     bits cleared, events[] preserved (x86_pmu_stop no longer clears\n     events[] after commit 7e772a93eb61).\n\n  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n     due to other scheduling activity. Stopped events that need to\n     move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n     In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n     to be skipped -- events[new_idx] is never set.\n\n  3. The timer tick unthrottles the group via pmu->start(). Since\n     commit 7e772a93eb61 removed the events[] assignment from\n     x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n     remains NULL.\n\n  4. A PMC overflow NMI fires. The handler iterates active counters,\n     finds active_mask[2] set, reads events[2] which is NULL, and\n     crashes dereferencing it.\n\nMove the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu->start() always finds a valid event pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23435"
        },
        {
          "id": "CVE-2026-23436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there's any chance of write happening concurrently\nwith the flush - we're back to leaking the hierarchy.\n\nWe may take the lock for devices which don't support shapers but\nwe're only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23436"
        },
        {
          "id": "CVE-2026-23437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect late read accesses to the hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThis is not proper, a conversion from a ref to a locked netdev\nmust include a liveness check (a check if the netdev hasn't been\nunregistered already). Fix the read cases (those under RCU).\nWrites needs a separate change to protect from creating the\nhierarchy after flush has already run.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23437"
        },
        {
          "id": "CVE-2026-23438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n  Unable to handle kernel NULL pointer dereference at\n  virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000096000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n  pc : readl+0x0/0x18\n  lr : mvpp2_cm3_read.isra.0+0x14/0x20\n  Call trace:\n   readl+0x0/0x18\n   mvpp2_bm_pool_update_fc+0x40/0x12c\n   mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n   mvpp2_change_mtu+0x140/0x380\n   __dev_set_mtu+0x1c/0x38\n   dev_set_mtu_ext+0x78/0x118\n   dev_set_mtu+0x48/0xa8\n   dev_ifsioc+0x21c/0x43c\n   dev_ioctl+0x2d8/0x42c\n   sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23438"
        },
        {
          "id": "CVE-2026-23439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n\n\nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0\n(success) without actually creating a socket. Callers such as\nfou_create() then proceed to dereference the uninitialized socket\npointer, resulting in a NULL pointer dereference.\n\nThe captured NULL deref crash:\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)\n  [...]\n  Call Trace:\n    <TASK>\n    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)\n    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)\n    [...]\n    netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n    genl_rcv (net/netlink/genetlink.c:1219)\n    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n    netlink_sendmsg (net/netlink/af_netlink.c:1894)\n    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))\n    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))\n    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))\n    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)\n\nThis patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so\ncallers correctly take their error paths. There is only one caller of\nthe vulnerable function and only privileged users can trigger it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23439"
        },
        {
          "id": "CVE-2026-23440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix race condition during IPSec ESN update\n\nIn IPSec full offload mode, the device reports an ESN (Extended\nSequence Number) wrap event to the driver. The driver validates this\nevent by querying the IPSec ASO and checking that the esn_event_arm\nfield is 0x0, which indicates an event has occurred. After handling\nthe event, the driver must re-arm the context by setting esn_event_arm\nback to 0x1.\n\nA race condition exists in this handling path. After validating the\nevent, the driver calls mlx5_accel_esp_modify_xfrm() to update the\nkernel's xfrm state. This function temporarily releases and\nre-acquires the xfrm state lock.\n\nSo, need to acknowledge the event first by setting esn_event_arm to\n0x1. This prevents the driver from reprocessing the same ESN update if\nthe hardware sends events for other reason. Since the next ESN update\nonly occurs after nearly 2^31 packets are received, there's no risk of\nmissing an update, as it will happen long after this handling has\nfinished.\n\nProcessing the event twice causes the ESN high-order bits (esn_msb) to\nbe incremented incorrectly. The driver then programs the hardware with\nthis invalid ESN state, which leads to anti-replay failures and a\ncomplete halt of IPSec traffic.\n\nFix this by re-arming the ESN event immediately after it is validated,\nbefore calling mlx5_accel_esp_modify_xfrm(). This ensures that any\nspurious, duplicate events are correctly ignored, closing the race\nwindow.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23440"
        },
        {
          "id": "CVE-2026-23441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent concurrent access to IPSec ASO context\n\nThe query or updating IPSec offload object is through Access ASO WQE.\nThe driver uses a single mlx5e_ipsec_aso struct for each PF, which\ncontains a shared DMA-mapped context for all ASO operations.\n\nA race condition exists because the ASO spinlock is released before\nthe hardware has finished processing WQE. If a second operation is\ninitiated immediately after, it overwrites the shared context in the\nDMA area.\n\nWhen the first operation's completion is processed later, it reads\nthis corrupted context, leading to unexpected behavior and incorrect\nresults.\n\nThis commit fixes the race by introducing a private context within\neach IPSec offload object. The shared ASO context is now copied to\nthis private context while the ASO spinlock is held. Subsequent\nprocessing uses this saved, per-object context, ensuring its integrity\nis maintained.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23441"
        },
        {
          "id": "CVE-2026-23442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: add NULL checks for idev in SRv6 paths\n\n__in6_dev_get() can return NULL when the device has no IPv6 configuration\n(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).\n\nAdd NULL checks for idev returned by __in6_dev_get() in both\nseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL\npointer dereferences.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23442"
        },
        {
          "id": "CVE-2026-23443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Fix previous acpi_processor_errata_piix4() fix\n\nAfter commit f132e089fe89 (\"ACPI: processor: Fix NULL-pointer dereference\nin acpi_processor_errata_piix4()\"), device pointers may be dereferenced\nafter dropping references to the device objects pointed to by them,\nwhich may cause a use-after-free to occur.\n\nMoreover, debug messages about enabling the errata may be printed\nif the errata flags corresponding to them are unset.\n\nAddress all of these issues by moving message printing to the points\nin the code where the errata flags are set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23443"
        },
        {
          "id": "CVE-2026-23444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function's kdoc.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23444"
        },
        {
          "id": "CVE-2026-23445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix page fault in XDP TX timestamps handling\n\nIf an XDP application that requested TX timestamping is shutting down\nwhile the link of the interface in use is still up the following kernel\nsplat is reported:\n\n[  883.803618] [   T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008\n...\n[  883.803650] [   T1554] Call Trace:\n[  883.803652] [   T1554]  <TASK>\n[  883.803654] [   T1554]  igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]\n[  883.803660] [   T1554]  igc_tsync_interrupt+0x2d5/0x300 [igc]\n...\n\nDuring shutdown of the TX ring the xsk_meta pointers are left behind, so\nthat the IRQ handler is trying to touch them.\n\nThis issue is now being fixed by cleaning up the stale xsk meta data on\nTX shutdown. TX timestamps on other queues remain unaffected.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23445"
        },
        {
          "id": "CVE-2026-23446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Do not perform PM inside suspend callback\n\nsyzbot reports \"task hung in rpm_resume\"\n\nThis is caused by aqc111_suspend calling\nthe PM variant of its write_cmd routine.\n\nThe simplified call trace looks like this:\n\nrpm_suspend()\n  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING\n    aqc111_suspend() - called for the usb device interface\n      aqc111_write32_cmd()\n        usb_autopm_get_interface()\n          pm_runtime_resume_and_get()\n            rpm_resume() - here we call rpm_resume() on our parent\n              rpm_resume() - Here we wait for a status change that will never happen.\n\nAt this point we block another task which holds\nrtnl_lock and locks up the whole networking stack.\n\nFix this by replacing the write_cmd calls with their _nopm variants",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23446"
        },
        {
          "id": "CVE-2026-23447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check\n\nThe same bounds-check bug fixed for NDP16 in the previous patch also\nexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated\nagainst the total skb length without accounting for ndpoffset, allowing\nout-of-bounds reads when the NDP32 is placed near the end of the NTB.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\n\nCompile-tested only.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23447"
        },
        {
          "id": "CVE-2026-23448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check\n\ncdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE\nentries fit within the skb. The first check correctly accounts for\nndpoffset:\n\n  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)\n\nbut the second check omits it:\n\n  if ((sizeof(struct usb_cdc_ncm_ndp16) +\n       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)\n\nThis validates the DPE array size against the total skb length as if\nthe NDP were at offset 0, rather than at ndpoffset. When the NDP is\nplaced near the end of the NTB (large wNdpIndex), the DPE entries can\nextend past the skb data buffer even though the check passes.\ncdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating\nthe DPE array.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23448"
        },
        {
          "id": "CVE-2026-23449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL device has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[  238.029749][  T318]\n[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[  238.029910][  T318] Call Trace:\n[  238.029913][  T318]  <TASK>\n[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)\n[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)\n[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)\n...\n[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)\n[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)\n[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)\n[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)\n[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)\n[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)\n[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[  238.081469][  T318]\n[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:\n[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)\n[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[  238.085900][  T318]  __kasan_slab_free (mm/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23449"
        },
        {
          "id": "CVE-2026-23450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()\n\nSyzkaller reported a panic in smc_tcp_syn_recv_sock() [1].\n\nsmc_tcp_syn_recv_sock() is called in the TCP receive path\n(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP\nlistening socket). It reads sk_user_data to get the smc_sock\npointer. However, when the SMC listen socket is being closed\nconcurrently, smc_close_active() sets clcsock->sk_user_data\nto NULL under sk_callback_lock, and then the smc_sock itself\ncan be freed via sock_put() in smc_release().\n\nThis leads to two issues:\n\n1) NULL pointer dereference: sk_user_data is NULL when\n   accessed.\n2) Use-after-free: sk_user_data is read as non-NULL, but the\n   smc_sock is freed before its fields (e.g., queued_smc_hs,\n   ori_af_ops) are accessed.\n\nThe race window looks like this (the syzkaller crash [1]\ntriggers via the SYN cookie path: tcp_get_cookie_sock() ->\nsmc_tcp_syn_recv_sock(), but the normal tcp_check_req() path\nhas the same race):\n\n  CPU A (softirq)              CPU B (process ctx)\n\n  tcp_v4_rcv()\n    TCP_NEW_SYN_RECV:\n    sk = req->rsk_listener\n    sock_hold(sk)\n    /* No lock on listener */\n                               smc_close_active():\n                                 write_lock_bh(cb_lock)\n                                 sk_user_data = NULL\n                                 write_unlock_bh(cb_lock)\n                                 ...\n                                 smc_clcsock_release()\n                                 sock_put(smc->sk) x2\n                                   -> smc_sock freed!\n    tcp_check_req()\n      smc_tcp_syn_recv_sock():\n        smc = user_data(sk)\n          -> NULL or dangling\n        smc->queued_smc_hs\n          -> crash!\n\nNote that the clcsock and smc_sock are two independent objects\nwith separate refcounts. TCP stack holds a reference on the\nclcsock, which keeps it alive, but this does NOT prevent the\nsmc_sock from being freed.\n\nFix this by using RCU and refcount_inc_not_zero() to safely\naccess smc_sock. Since smc_tcp_syn_recv_sock() is called in\nthe TCP three-way handshake path, taking read_lock_bh on\nsk_callback_lock is too heavy and would not survive a SYN\nflood attack. Using rcu_read_lock() is much more lightweight.\n\n- Set SOCK_RCU_FREE on the SMC listen socket so that\n  smc_sock freeing is deferred until after the RCU grace\n  period. This guarantees the memory is still valid when\n  accessed inside rcu_read_lock().\n- Use rcu_read_lock() to protect reading sk_user_data.\n- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the\n  smc_sock. If the refcount has already reached zero (close\n  path completed), it returns false and we bail out safely.\n\nNote: smc_hs_congested() has a similar lockless read of\nsk_user_data without rcu_read_lock(), but it only checks for\nNULL and accesses the global smc_hs_wq, never dereferencing\nany smc_sock field, so it is not affected.\n\nReproducer was verified with mdelay injection and smc_run,\nthe issue no longer occurs with this patch applied.\n\n[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23450"
        },
        {
          "id": "CVE-2026-23451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: prevent potential infinite loop in bond_header_parse()\n\nbond_header_parse() can loop if a stack of two bonding devices is set up,\nbecause skb->dev always points to the hierarchy top.\n\nAdd new \"const struct net_device *dev\" parameter to\n(struct header_ops)->parse() method to make sure the recursion\nis bounded, and that the final leaf parse method is called.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23451",
          "detail": "fixed-version",
          "description": "only affects 6.18.19 onwards"
        },
        {
          "id": "CVE-2026-23452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: runtime: Fix a race condition related to device removal\n\nThe following code in pm_runtime_work() may dereference the dev->parent\npointer after the parent device has been freed:\n\n\t/* Maybe the parent is now able to suspend. */\n\tif (parent && !parent->power.ignore_children) {\n\t\tspin_unlock(&dev->power.lock);\n\n\t\tspin_lock(&parent->power.lock);\n\t\trpm_idle(parent, RPM_ASYNC);\n\t\tspin_unlock(&parent->power.lock);\n\n\t\tspin_lock(&dev->power.lock);\n\t}\n\nFix this by inserting a flush_work() call in pm_runtime_remove().\n\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\n\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x8b/0x310\n print_report+0xfd/0x1d7\n kasan_report+0xd8/0x1d0\n __kasan_check_byte+0x42/0x60\n lock_acquire.part.0+0x38/0x230\n lock_acquire+0x70/0x160\n _raw_spin_lock+0x36/0x50\n rpm_suspend+0xc6a/0xfe0\n rpm_idle+0x578/0x770\n pm_runtime_work+0xee/0x120\n process_one_work+0xde3/0x1410\n worker_thread+0x5eb/0xfe0\n kthread+0x37b/0x480\n ret_from_fork+0x6cb/0x920\n ret_from_fork_asm+0x11/0x20\n </TASK>\n\nAllocated by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_alloc_info+0x3d/0x50\n __kasan_kmalloc+0xa0/0xb0\n __kmalloc_noprof+0x311/0x990\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\n __scsi_scan_target+0x101/0x460 [scsi_mod]\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\n store_scan+0x2d2/0x390 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n do_syscall_64+0xee/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFreed by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_free_info+0x3f/0x50\n __kasan_slab_free+0x67/0x80\n kfree+0x225/0x6c0\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_put+0x7f/0xc0 [scsi_mod]\n sdev_store_delete+0xa5/0x120 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23452"
        },
        {
          "id": "CVE-2026-23453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy mode\n\nPage recycling was removed from the XDP_DROP path in emac_run_xdp() to\navoid conflicts with AF_XDP zero-copy mode, which uses xsk_buff_free()\ninstead.\n\nHowever, this causes a memory leak when running XDP programs that drop\npackets in non-zero-copy mode (standard page pool mode). The pages are\nnever returned to the page pool, leading to OOM conditions.\n\nFix this by handling cleanup in the caller, emac_rx_packet().\nWhen emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP, the\ncaller now recycles the page back to the page pool. The zero-copy\npath, emac_rx_packet_zc() already handles cleanup correctly with\nxsk_buff_free().",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23453",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-23454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown\n\nA potential race condition exists in mana_hwc_destroy_channel() where\nhwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and\nEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupt\nhandler to dereference freed memory, leading to a use-after-free or\nNULL pointer dereference in mana_hwc_handle_resp().\n\nmana_smc_teardown_hwc() signals the hardware to stop but does not\nsynchronize against IRQ handlers already executing on other CPUs. The\nIRQ synchronization only happens in mana_hwc_destroy_cq() via\nmana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs\nafter kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()\ncan dereference freed caller_ctx (and rxq->msg_buf) in\nmana_hwc_handle_resp().\n\nFix this by reordering teardown to reverse-of-creation order: destroy\nthe TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This\nensures all in-flight interrupt handlers complete before the memory they\naccess is freed.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23454"
        },
        {
          "id": "CVE-2026-23455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23455"
        },
        {
          "id": "CVE-2026-23456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint().",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23456"
        },
        {
          "id": "CVE-2026-23457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends.  The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length.",
          "scorev2": "0.0",
          "scorev3": "8.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23457"
        },
        {
          "id": "CVE-2026-23458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start().  When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct->ext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds.  Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb->args[0] early-return check in the dump\ncallback to avoid dereferencing ct->ext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n  <TASK>\n  ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  ? aa_sk_perm+0x184/0x450\n  sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n  kmem_cache_alloc_noprof+0x134/0x440\n  __nf_conntrack_alloc+0xa8/0x2b0\n  ctnetlink_create_conntrack+0xa1/0x900\n  ctnetlink_new_conntrack+0x3cf/0x7d0\n  nfnetlink_rcv_msg+0x48e/0x510\n  netlink_rcv_skb+0xc9/0x1f0\n  nfnetlink_rcv+0xdb/0x220\n  netlink_unicast+0x3ec/0x590\n  netlink_sendmsg+0x397/0x690\n  __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n  slab_free_after_rcu_debug+0xad/0x1e0\n  rcu_core+0x5c3/0x9c0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23458"
        },
        {
          "id": "CVE-2026-23459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS\n\nBlamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which\ncall iptunnel_xmit_stats().\n\niptunnel_xmit_stats() was assuming tunnels were only using\nNETDEV_PCPU_STAT_TSTATS.\n\n@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.\n\n32bit kernels would either have corruptions or freezes if the syncp\nsequence was overwritten.\n\nThis patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid\na potential cache line miss since iptunnel_xmit_stats() needs to read it.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23459"
        },
        {
          "id": "CVE-2026-23460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rose: fix NULL pointer dereference in rose_transmit_link on reconnect\n\nsyzkaller reported a bug [1], and the reproducer is available at [2].\n\nROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,\nTCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects\ncalls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING\n(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.\n\nWhen rose_connect() is called a second time while the first connection\nattempt is still in progress (TCP_SYN_SENT), it overwrites\nrose->neighbour via rose_get_neigh(). If that returns NULL, the socket\nis left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.\nWhen the socket is subsequently closed, rose_release() sees\nROSE_STATE_1 and calls rose_write_internal() ->\nrose_transmit_link(skb, NULL), causing a NULL pointer dereference.\n\nPer connect(2), a second connect() while a connection is already in\nprogress should return -EALREADY. Add this missing check for\nTCP_SYN_SENT to complete the state validation in rose_connect().\n\n[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271\n[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23460"
        },
        {
          "id": "CVE-2026-23461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn->lock to protect access to\nconn->users. However, l2cap_register_user() and l2cap_unregister_user()\ndon't use conn->lock, creating a race condition where these functions can\naccess conn->users and conn->hchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn->lock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23461"
        },
        {
          "id": "CVE-2026-23462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user->remove callback is called:\n\n[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[   97.809947] Call Trace:\n[   97.809954]  <TASK>\n[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)\n[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[   97.810404]  __fput (fs/file_table.c:470)\n[   97.810430]  task_work_run (kernel/task_work.c:235)\n[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)\n[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[   97.810527]  do_exit (kernel/exit.c:972)\n[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)\n[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[   97.810721]  do_group_exit (kernel/exit.c:1093)\n[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))\n[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810826]  ? vfs_read (fs/read_write.c:555)\n[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)\n[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)\n[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[   97.810960]  arch_do_signal_or_restart (arch/\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23462"
        },
        {
          "id": "CVE-2026-23463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between\nfq_table[fq->idx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n         Thread A                             Thread B\n    qman_destroy_fq()                    qman_create_fq()\n      qman_release_fqid()\n        qman_shutdown_fq()\n        gen_pool_free()\n           -- At this point, the fqid is available again --\n                                           qman_alloc_fqid()\n           -- so, we can get the just-freed fqid in thread B --\n                                           fq->fqid = fqid;\n                                           fq->idx = fqid * 2;\n                                           WARN_ON(fq_table[fq->idx]);\n                                           fq_table[fq->idx] = fq;\n     fq_table[fq->idx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq->idx] is set to NULL before\ngen_pool_free() is called by using smp_wmb().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23463"
        },
        {
          "id": "CVE-2026-23464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()\n\nIn mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails,\nthe function returns immediately without freeing the allocated memory\nfor sys_controller, leading to a memory leak.\n\nFix this by jumping to the out_free label to ensure the memory is\nproperly freed.\n\nAlso, consolidate the error handling for the mbox_request_channel()\nfailure case to use the same label.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23464"
        },
        {
          "id": "CVE-2026-23465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: log new dentries when logging parent dir of a conflicting inode\n\nIf we log the parent directory of a conflicting inode, we are not logging\nthe new dentries of the directory, so when we finish we have the parent\ndirectory's inode marked as logged but we did not log its new dentries.\nAs a consequence if the parent directory is explicitly fsynced later and\nit does not have any new changes since we logged it, the fsync is a no-op\nand after a power failure the new dentries are missing.\n\nExample scenario:\n\n  $ mkdir foo\n\n  $ sync\n\n  $rmdir foo\n\n  $ mkdir dir1\n  $ mkdir dir2\n\n  # A file with the same name and parent as the directory we just deleted\n  # and was persisted in a past transaction. So the deleted directory's\n  # inode is a conflicting inode of this new file's inode.\n  $ touch foo\n\n  $ ln foo dir2/link\n\n  # The fsync on dir2 will log the parent directory (\".\") because the\n  # conflicting inode (deleted directory) does not exists anymore, but it\n  # it does not log its new dentries (dir1).\n  $ xfs_io -c \"fsync\" dir2\n\n  # This fsync on the parent directory is no-op, since the previous fsync\n  # logged it (but without logging its new dentries).\n  $ xfs_io -c \"fsync\" .\n\n  <power failure>\n\n  # After log replay dir1 is missing.\n\nFix this by ensuring we log new dir dentries whenever we log the parent\ndirectory of a no longer existing conflicting inode.\n\nA test case for fstests will follow soon.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23465"
        },
        {
          "id": "CVE-2026-23466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Open-code GGTT MMIO access protection\n\nGGTT MMIO access is currently protected by hotplug (drm_dev_enter),\nwhich works correctly when the driver loads successfully and is later\nunbound or unloaded. However, if driver load fails, this protection is\ninsufficient because drm_dev_unplug() is never called.\n\nAdditionally, devm release functions cannot guarantee that all BOs with\nGGTT mappings are destroyed before the GGTT MMIO region is removed, as\nsome BOs may be freed asynchronously by worker threads.\n\nTo address this, introduce an open-coded flag, protected by the GGTT\nlock, that guards GGTT MMIO access. The flag is cleared during the\ndev_fini_ggtt devm release function to ensure MMIO access is disabled\nonce teardown begins.\n\n(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23466"
        },
        {
          "id": "CVE-2026-23467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dmc: Fix an unlikely NULL pointer deference at probe\n\nintel_dmc_update_dc6_allowed_count() oopses when DMC hasn't been\ninitialized, and dmc is thus NULL.\n\nThat would be the case when the call path is\nintel_power_domains_init_hw() -> {skl,bxt,icl}_display_core_init() ->\ngen9_set_dc_state() -> intel_dmc_update_dc6_allowed_count(), as\nintel_power_domains_init_hw() is called *before* intel_dmc_init().\n\nHowever, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count()\nconditionally, depending on the current and target DC states. At probe,\nthe target is disabled, but if DC6 is enabled, the function is called,\nand an oops follows. Apparently it's quite unlikely that DC6 is enabled\nat probe, as we haven't seen this failure mode before.\n\nIt is also strange to have DC6 enabled at boot, since that would require\nthe DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and\nthe driver stopping / reprogramming the firmware is a poorly specified\nsequence and as such unlikely an intentional BIOS behaviour. It's more\nlikely that BIOS is leaving an unintentionally enabled DC6 HW state\nbehind (without actually loading the required DMC firmware for this).\n\nThe tracking of the DC6 allowed counter only works if starting /\nstopping the counter depends on the _SW_ DC6 state vs. the current _HW_\nDC6 state (since stopping the counter requires the DC5 counter captured\nwhen the counter was started). Thus, using the HW DC6 state is incorrect\nand it also leads to the above oops. Fix both issues by using the SW DC6\nstate for the tracking.\n\nThis is v2 of the fix originally sent by Jani, updated based on the\nfirst Link: discussion below.\n\n(cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23467"
        },
        {
          "id": "CVE-2026-23468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23468"
        },
        {
          "id": "CVE-2026-23469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Synchronize interrupts before suspending the GPU\n\nThe runtime PM suspend callback doesn't know whether the IRQ handler is\nin progress on a different CPU core and doesn't wait for it to finish.\n\nDepending on timing, the IRQ handler could be running while the GPU is\nsuspended, leading to kernel crashes when trying to access GPU\nregisters. See example signature below.\n\nIn a power off sequence initiated by the runtime PM suspend callback,\nwait for any IRQ handlers in progress on other CPU cores to finish, by\ncalling synchronize_irq().\n\nAt the same time, remove the runtime PM resume/put calls in the threaded\nIRQ handler. On top of not being the right approach to begin with, and\nbeing at the wrong place as they should have wrapped all GPU register\naccesses, the driver would hit a deadlock between synchronize_irq()\nbeing called from a runtime PM suspend callback, holding the device\npower lock, and the resume callback requiring the same.\n\nExample crash signature on a TI AM68 SK platform:\n\n  [  337.241218] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError\n  [  337.241239] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G   M                6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n  [  337.241246] Tainted: [M]=MACHINE_CHECK\n  [  337.241249] Hardware name: Texas Instruments AM68 SK (DT)\n  [  337.241252] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  [  337.241256] pc : pvr_riscv_irq_pending+0xc/0x24\n  [  337.241277] lr : pvr_device_irq_thread_handler+0x64/0x310\n  [  337.241282] sp : ffff800085b0bd30\n  [  337.241284] x29: ffff800085b0bd50 x28: ffff0008070d9eab x27: ffff800083a5ce10\n  [  337.241291] x26: ffff000806e48f80 x25: ffff0008070d9eac x24: 0000000000000000\n  [  337.241296] x23: ffff0008068e9bf0 x22: ffff0008068e9bd0 x21: ffff800085b0bd30\n  [  337.241301] x20: ffff0008070d9e00 x19: ffff0008068e9000 x18: 0000000000000001\n  [  337.241305] x17: 637365645f656c70 x16: 0000000000000000 x15: ffff000b7df9ff40\n  [  337.241310] x14: 0000a585fe3c0d0e x13: 000000999704f060 x12: 000000000002771a\n  [  337.241314] x11: 00000000000000c0 x10: 0000000000000af0 x9 : ffff800085b0bd00\n  [  337.241318] x8 : ffff0008071175d0 x7 : 000000000000b955 x6 : 0000000000000003\n  [  337.241323] x5 : 0000000000000000 x4 : 0000000000000002 x3 : 0000000000000000\n  [  337.241327] x2 : ffff800080e39d20 x1 : ffff800080e3fc48 x0 : 0000000000000000\n  [  337.241333] Kernel panic - not syncing: Asynchronous SError Interrupt\n  [  337.241337] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G   M                6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n  [  337.241342] Tainted: [M]=MACHINE_CHECK\n  [  337.241343] Hardware name: Texas Instruments AM68 SK (DT)\n  [  337.241345] Call trace:\n  [  337.241348]  show_stack+0x18/0x24 (C)\n  [  337.241357]  dump_stack_lvl+0x60/0x80\n  [  337.241364]  dump_stack+0x18/0x24\n  [  337.241368]  vpanic+0x124/0x2ec\n  [  337.241373]  abort+0x0/0x4\n  [  337.241377]  add_taint+0x0/0xbc\n  [  337.241384]  arm64_serror_panic+0x70/0x80\n  [  337.241389]  do_serror+0x3c/0x74\n  [  337.241392]  el1h_64_error_handler+0x30/0x48\n  [  337.241400]  el1h_64_error+0x6c/0x70\n  [  337.241404]  pvr_riscv_irq_pending+0xc/0x24 (P)\n  [  337.241410]  irq_thread_fn+0x2c/0xb0\n  [  337.241416]  irq_thread+0x170/0x334\n  [  337.241421]  kthread+0x12c/0x210\n  [  337.241428]  ret_from_fork+0x10/0x20\n  [  337.241434] SMP: stopping secondary CPUs\n  [  337.241451] Kernel Offset: disabled\n  [  337.241453] CPU features: 0x040000,02002800,20002001,0400421b\n  [  337.241456] Memory Limit: none\n  [  337.457921] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23469"
        },
        {
          "id": "CVE-2026-23470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Fix deadlock in soft reset sequence\n\nThe soft reset sequence is currently executed from the threaded IRQ\nhandler, hence it cannot call disable_irq() which internally waits\nfor IRQ handlers, i.e. itself, to complete.\n\nUse disable_irq_nosync() during a soft reset instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23470"
        },
        {
          "id": "CVE-2026-23472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN\n\nuart_write_room() and uart_write() behave inconsistently when\nxmit_buf is NULL (which happens for PORT_UNKNOWN ports that were\nnever properly initialized):\n\n- uart_write_room() returns kfifo_avail() which can be > 0\n- uart_write() checks xmit_buf and returns 0 if NULL\n\nThis inconsistency causes an infinite loop in drivers that rely on\ntty_write_room() to determine if they can write:\n\n  while (tty_write_room(tty) > 0) {\n      written = tty->ops->write(...);\n      // written is always 0, loop never exits\n  }\n\nFor example, caif_serial's handle_tx() enters an infinite loop when\nused with PORT_UNKNOWN serial ports, causing system hangs.\n\nFix by making uart_write_room() also check xmit_buf and return 0 if\nit's NULL, consistent with uart_write().\n\nReproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23472"
        },
        {
          "id": "CVE-2026-23474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Avoid boot crash in RedBoot partition table parser\n\nGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,\ncommit 439a1bcac648 (\"fortify: Use __builtin_dynamic_object_size() when\navailable\") produces the warning below and an oops.\n\n    Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000\n    ------------[ cut here ]------------\n    WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1\n    memcmp: detected buffer overflow: 15 byte read of buffer size 14\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE\n\nAs Kees said, \"'names' is pointing to the final 'namelen' many bytes\nof the allocation ... 'namelen' could be basically any length at all.\nThis fortify warning looks legit to me -- this code used to be reading\nbeyond the end of the allocation.\"\n\nSince the size of the dynamic allocation is calculated with strlen()\nwe can use strcmp() instead of memcmp() and remain within bounds.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23474"
        },
        {
          "id": "CVE-2026-23475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-23475"
        },
        {
          "id": "CVE-2026-31389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31389"
        },
        {
          "id": "CVE-2026-31390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix memory leak in xe_vm_madvise_ioctl\n\nWhen check_bo_args_are_sane() validation fails, jump to the new\nfree_vmas cleanup label to properly free the allocated resources.\nThis ensures proper cleanup in this error path.\n\n(cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31390"
        },
        {
          "id": "CVE-2026-31391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix OOM ->tfm_count leak\n\nIf memory allocation fails, decrement ->tfm_count to avoid blocking\nfuture reads.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31391"
        },
        {
          "id": "CVE-2026-31392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix krb5 mount with username option\n\nCustomer reported that some of their krb5 mounts were failing against\na single server as the client was trying to mount the shares with\nwrong credentials.  It turned out the client was reusing SMB session\nfrom first mount to try mounting the other shares, even though a\ndifferent username= option had been specified to the other mounts.\n\nBy using username mount option along with sec=krb5 to search for\nprincipals from keytab is supported by cifs.upcall(8) since\ncifs-utils-4.8.  So fix this by matching username mount option in\nmatch_session() even with Kerberos.\n\nFor example, the second mount below should fail with -ENOKEY as there\nis no 'foobar' principal in keytab (/etc/krb5.keytab).  The client\nends up reusing SMB session from first mount to perform the second\none, which is wrong.\n\n```\n$ ktutil\nktutil:  add_entry -password -p testuser -k 1 -e aes256-cts\nPassword for testuser@ZELDA.TEST:\nktutil:  write_kt /etc/krb5.keytab\nktutil:  quit\n$ klist -ke\nKeytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n ---- ----------------------------------------------------------------\n   1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)\n$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser\n$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar\n$ mount -t cifs | grep -Po 'username=\\K\\w+'\ntestuser\ntestuser\n```",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31392"
        },
        {
          "id": "CVE-2026-31393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp->data without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads\n   4 bytes past the header (needs cmd_len >= 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header\n   (needs cmd_len >= 5).\n\nA truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check.  If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31393"
        },
        {
          "id": "CVE-2026-31394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n\nieee80211_chan_bw_change() iterates all stations and accesses\nlink->reserved.oper via sta->sdata->link[link_id]. For stations on\nAP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to\nthe VLAN sdata, whose link never participates in chanctx reservations.\nThis leaves link->reserved.oper zero-initialized with chan == NULL,\ncausing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()\nwhen accessing chandef->chan->band during CSA.\n\nResolve the VLAN sdata to its parent AP sdata using get_bss_sdata()\nbefore accessing link data.\n\n[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31394"
        },
        {
          "id": "CVE-2026-31395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler\n\nThe ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in\nbnxt_async_event_process() uses a firmware-supplied 'type' field\ndirectly as an index into bp->bs_trace[] without bounds validation.\n\nThe 'type' field is a 16-bit value extracted from DMA-mapped completion\nring memory that the NIC writes directly to host RAM. A malicious or\ncompromised NIC can supply any value from 0 to 65535, causing an\nout-of-bounds access into kernel heap memory.\n\nThe bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte\nand writes to bs_trace->last_offset and bs_trace->wrapped, leading to\nkernel memory corruption or a crash.\n\nFix by adding a bounds check and defining BNXT_TRACE_MAX as\nDBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently\ndefined firmware trace types (0x0 through 0xc).",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31395"
        },
        {
          "id": "CVE-2026-31396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix use-after-free access to PTP clock\n\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing.  However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\n\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\n\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x17f/0x496 mm/kasan/report.c:420\n kasan_report+0xd9/0x180 mm/kasan/report.c:524\n ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\n gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\n macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\n ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n __dev_ethtool net/ethtool/ioctl.c:3017 [inline]\n dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n </TASK>\n\nAllocated by task 457:\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:699 [inline]\n ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235\n gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\n macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n __dev_open+0x2ce/0x500 net/core/dev.c:1501\n __dev_change_flags+0x56a/0x740 net/core/dev.c:8651\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\n rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\n rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\n netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x14b/0x180 net/socket.c:730\n __sys_sendto+0x320/0x3b0 net/socket.c:2152\n __do_sys_sendto net/socket.c:2164 [inline]\n __se_sys_sendto net/socket.c:2160 [inline]\n __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 938:\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1729 [inline]\n slab_free_freelist_hook mm/slub.c:1755 [inline]\n slab_free mm/slub.c:3687 [inline]\n __kmem_cache_free+0xbc/0x320 mm/slub.c:3700\n device_release+0xa0/0x240 drivers/base/core.c:2507\n kobject_cleanup lib/kobject.c:681 [inline]\n kobject_release lib/kobject.c:712 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1cd/0x350 lib/kobject.c:729\n put_device+0x1b/0x30 drivers/base/core.c:3805\n ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\n gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\n macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n __dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n __dev_close net/core/dev.c:1597 [inline]\n __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\n dev_change_fl\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31396"
        },
        {
          "id": "CVE-2026-31397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()\n\nmove_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge\nzero pages.  For the huge zero page path, src_folio is explicitly set to\nNULL, and is used as a sentinel to skip folio operations like lock and\nrmap.\n\nIn the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,\npgprot) passes NULL through folio_pfn() and page_to_pfn().  With\nSPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD\npointing to non-existent physical memory.  On other memory models it is a\nNULL dereference.\n\nUse page_folio(src_page) to obtain the valid huge zero folio from the\npage, which was obtained from pmd_page() and remains valid throughout.\n\nAfter commit d82d09e48219 (\"mm/huge_memory: mark PMD mappings of the huge\nzero folio special\"), moved huge zero PMDs must remain special so\nvm_normal_page_pmd() continues to treat them as special mappings.\n\nmove_pages_huge_pmd() currently reconstructs the destination PMD in the\nhuge zero page branch, which drops PMD state such as pmd_special() on\narchitectures with CONFIG_ARCH_HAS_PTE_SPECIAL.  As a result,\nvm_normal_page_pmd() can treat the moved huge zero PMD as a normal page\nand corrupt its refcount.\n\nInstead of reconstructing the PMD from the folio, derive the destination\nentry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD\nmetadata the same way move_huge_pmd() does for moved entries by marking it\nsoft-dirty and clearing uffd-wp.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31397"
        },
        {
          "id": "CVE-2026-31398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/rmap: fix incorrect pte restoration for lazyfree folios\n\nWe batch unmap anonymous lazyfree folios by folio_unmap_pte_batch.  If the\nbatch has a mix of writable and non-writable bits, we may end up setting\nthe entire batch writable.  Fix this by respecting writable bit during\nbatching.\n\nAlthough on a successful unmap of a lazyfree folio, the soft-dirty bit is\nlost, preserve it on pte restoration by respecting the bit during\nbatching, to make the fix consistent w.r.t both writable bit and\nsoft-dirty bit.\n\nI was able to write the below reproducer and crash the kernel. \nExplanation of reproducer (set 64K mTHP to always):\n\nFault in a 64K large folio.  Split the VMA at mid-point with\nMADV_DONTFORK.  fork() - parent points to the folio with 8 writable ptes\nand 8 non-writable ptes.  Merge the VMAs with MADV_DOFORK so that\nfolio_unmap_pte_batch() can determine all the 16 ptes as a batch.  Do\nMADV_FREE on the range to mark the folio as lazyfree.  Write to the memory\nto dirty the pte, eventually rmap will dirty the folio.  Then trigger\nreclaim, we will hit the pte restoration path, and the kernel will crash\nwith the trace given below.\n\nThe BUG happens at:\n\n\tBUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);\n\nThe code path is asking for anonymous page to be mapped writable into the\npagetable.  
The BUG_ON() firing implies that such a writable page has been\nmapped into the pagetables of more than one process, which breaks\nanonymous memory/CoW semantics.\n\n[   21.134473] kernel BUG at mm/page_table_check.c:118!\n[   21.134497] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   21.135917] Modules linked in:\n[   21.136085] CPU: 1 UID: 0 PID: 1735 Comm: dup-lazyfree Not tainted 7.0.0-rc1-00116-g018018a17770 #1028 PREEMPT\n[   21.136858] Hardware name: linux,dummy-virt (DT)\n[   21.137019] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   21.137308] pc : page_table_check_set+0x28c/0x2a8\n[   21.137607] lr : page_table_check_set+0x134/0x2a8\n[   21.137885] sp : ffff80008a3b3340\n[   21.138124] x29: ffff80008a3b3340 x28: fffffdffc3d14400 x27: ffffd1a55e03d000\n[   21.138623] x26: 0040000000000040 x25: ffffd1a55f7dd000 x24: 0000000000000001\n[   21.139045] x23: 0000000000000001 x22: 0000000000000001 x21: ffffd1a55f217f30\n[   21.139629] x20: 0000000000134521 x19: 0000000000134519 x18: 005c43e000040000\n[   21.140027] x17: 0001400000000000 x16: 0001700000000000 x15: 000000000000ffff\n[   21.140578] x14: 000000000000000c x13: 005c006000000000 x12: 0000000000000020\n[   21.140828] x11: 0000000000000000 x10: 005c000000000000 x9 : ffffd1a55c079ee0\n[   21.141077] x8 : 0000000000000001 x7 : 005c03e000040000 x6 : 000000004000ffff\n[   21.141490] x5 : ffff00017fffce00 x4 : 0000000000000001 x3 : 0000000000000002\n[   21.141741] x2 : 0000000000134510 x1 : 0000000000000000 x0 : ffff0000c08228c0\n[   21.141991] Call trace:\n[   21.142093]  page_table_check_set+0x28c/0x2a8 (P)\n[   21.142265]  __page_table_check_ptes_set+0x144/0x1e8\n[   21.142441]  __set_ptes_anysz.constprop.0+0x160/0x1a8\n[   21.142766]  contpte_set_ptes+0xe8/0x140\n[   21.142907]  try_to_unmap_one+0x10c4/0x10d0\n[   21.143177]  rmap_walk_anon+0x100/0x250\n[   21.143315]  try_to_unmap+0xa0/0xc8\n[   21.143441]  shrink_folio_list+0x59c/0x18a8\n[   21.143759]  
shrink_lruvec+0x664/0xbf0\n[   21.144043]  shrink_node+0x218/0x878\n[   21.144285]  __node_reclaim.constprop.0+0x98/0x338\n[   21.144763]  user_proactive_reclaim+0x2a4/0x340\n[   21.145056]  reclaim_store+0x3c/0x60\n[   21.145216]  dev_attr_store+0x20/0x40\n[   21.145585]  sysfs_kf_write+0x84/0xa8\n[   21.145835]  kernfs_fop_write_iter+0x130/0x1c8\n[   21.145994]  vfs_write+0x2b8/0x368\n[   21.146119]  ksys_write+0x70/0x110\n[   21.146240]  __arm64_sys_write+0x24/0x38\n[   21.146380]  invoke_syscall+0x50/0x120\n[   21.146513]  el0_svc_common.constprop.0+0x48/0xf8\n[   21.146679]  do_el0_svc+0x28/0x40\n[   21.146798]  el0_svc+0x34/0x110\n[   21.146926]  el0t\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31398"
        },
        {
          "id": "CVE-2026-31399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvdimm/bus: Fix potential use after free in asynchronous initialization\n\nDingisoul with KASAN reports a use after free if device_add() fails in\nnd_async_device_register().\n\nCommit b6eae0f61db2 (\"libnvdimm: Hold reference on parent while\nscheduling async init\") correctly added a reference on the parent device\nto be held until asynchronous initialization was complete.  However, if\ndevice_add() results in an allocation failure the ref count of the\ndevice drops to 0 prior to the parent pointer being accessed.  Thus\nresulting in use after free.\n\nThe bug bot AI correctly identified the fix.  Save a reference to the\nparent pointer to be used to drop the parent reference regardless of the\noutcome of device_add().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31399"
        },
        {
          "id": "CVE-2026-31400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix cache_request leak in cache_release\n\nWhen a reader's file descriptor is closed while in the middle of reading\na cache_request (rp->offset != 0), cache_release() decrements the\nrequest's readers count but never checks whether it should free the\nrequest.\n\nIn cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the\ncache_request is removed from the queue and freed along with its buffer\nand cache_head reference. cache_release() lacks this cleanup.\n\nThe only other path that frees requests with readers == 0 is\ncache_dequeue(), but it runs only when CACHE_PENDING transitions from\nset to clear. If that transition already happened while readers was\nstill non-zero, cache_dequeue() will have skipped the request, and no\nsubsequent call will clean it up.\n\nAdd the same cleanup logic from cache_read() to cache_release(): after\ndecrementing readers, check if it reached 0 with CACHE_PENDING clear,\nand if so, dequeue and free the cache_request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31400"
        },
        {
          "id": "CVE-2026-31401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: prevent buffer overflow in hid_hw_request\n\nRight now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrarily big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31401"
        },
        {
          "id": "CVE-2026-31402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31402"
        },
        {
          "id": "CVE-2026-31403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module's lifetime. exports_proc_open()\ncaptures the caller's current network namespace and stores\nits svc_export_cache in seq->private, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd->net, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31403"
        },
        {
          "id": "CVE-2026-31404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client->name (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec (\"nfsd: fix UAF when access ex_uuid or\nex_stats\") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviewed-by: Jeff Layton <jlayton@kernel.org>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31404"
        },
        {
          "id": "CVE-2026-31405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-net: fix OOB access in ULE extension header tables\n\nThe ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables\nin handle_one_ule_extension() are declared with 255 elements (valid\nindices 0-254), but the index htype is derived from network-controlled\ndata as (ule_sndu_type & 0x00FF), giving a range of 0-255. When\nhtype equals 255, an out-of-bounds read occurs on the function pointer\ntable, and the OOB value may be called as a function pointer.\n\nAdd a bounds check on htype against the array size before either table\nis accessed. Out-of-range values now cause the SNDU to be discarded.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31405"
        },
        {
          "id": "CVE-2026-31406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()\n\nAfter cancel_delayed_work_sync() is called from\nxfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining\nstates via __xfrm_state_delete(), which calls\nxfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.\n\nThe following is a simple race scenario:\n\n           cpu0                             cpu1\n\ncleanup_net() [Round 1]\n  ops_undo_list()\n    xfrm_net_exit()\n      xfrm_nat_keepalive_net_fini()\n        cancel_delayed_work_sync(nat_keepalive_work);\n      xfrm_state_fini()\n        xfrm_state_flush()\n          xfrm_state_delete(x)\n            __xfrm_state_delete(x)\n              xfrm_nat_keepalive_state_updated(x)\n                schedule_delayed_work(nat_keepalive_work);\n  rcu_barrier();\n  net_complete_free();\n  net_passive_dec(net);\n    llist_add(&net->defer_free_list, &defer_free_list);\n\ncleanup_net() [Round 2]\n  rcu_barrier();\n  net_complete_free()\n    kmem_cache_free(net_cachep, net);\n                                     nat_keepalive_work()\n                                       // on freed net\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31406"
        },
        {
          "id": "CVE-2026-31407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n  nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n  value directly to ct->proto.sctp.state without checking that it is\n  within the valid range. [..]\n\n  and: ... with exp->dir = 100, the access at\n  ct->master->tuplehash[100] reads 5600 bytes past the start of a\n  320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n  UBSAN.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31407"
        },
        {
          "id": "CVE-2026-31408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\nsco_recv_frame() reads conn->sk under sco_conn_lock() but immediately\nreleases the lock without holding a reference to the socket. A concurrent\nclose() can free the socket between the lock release and the subsequent\nsk->sk_state access, resulting in a use-after-free.\n\nOther functions in the same file (sco_sock_timeout(), sco_conn_del())\ncorrectly use sco_sock_hold() to safely hold a reference under the lock.\n\nFix by using sco_sock_hold() to take a reference before releasing the\nlock, and adding sock_put() on all exit paths.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31408"
        },
        {
          "id": "CVE-2026-31409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. Fix this by clearing\nconn->binding = false in the error path.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31409"
        },
        {
          "id": "CVE-2026-31410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION\n\nUse sb->s_uuid for a proper volume identifier as the primary choice.\nFor filesystems that do not provide a UUID, fall back to stfs.f_fsid\nobtained from vfs_statfs().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31410"
        },
        {
          "id": "CVE-2026-31411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc\npointer from msg->vcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n    ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon\n    struct msghdr msg = { .msg_iov = &iov, ... };\n    *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer\n    sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31411"
        },
        {
          "id": "CVE-2026-31412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31412"
        },
        {
          "id": "CVE-2026-31413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant.  When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 & K == 0.\nFor BPF_OR this is wrong:    0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env->insn_idx (instead of env->insn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31413"
        },
        {
          "id": "CVE-2026-31414",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: use expect->helper\n\nUse expect->helper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp->master->helper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31414"
        },
        {
          "id": "CVE-2026-31415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n<quote>\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt->dst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n   - Uses `opt->opt_flen + opt->opt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n   - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n   - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n   - It computes `len = ((hdr->hdrlen + 1) << 3);`\n   - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns,\n CAP_NET_RAW)`. 
(line 922)\n   - Then it does:\n     - `opt->opt_flen += len;` (line 927)\n     - `opt->dst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` => `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n  - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +\n opt->opt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. 
When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n   - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n   - `skb_push(skb, ipv6_optlen(opt));`\n   - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -> `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31415"
        },
        {
          "id": "CVE-2026-31416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31416"
        },
        {
          "id": "CVE-2026-31417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be reset when purging `fragment_queue` in\n`x25_clear_queues()`.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31417"
        },
        {
          "id": "CVE-2026-31418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n->pos in k, but it only drops the\nbucket when both n->pos and k are zero. This misses buckets whose live\nentries have all been removed while n->pos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n->pos are unused and\nrelease it directly instead of shrinking it further.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31418"
        },
        {
          "id": "CVE-2026-31419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31419"
        },
        {
          "id": "CVE-2026-31420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31420"
        },
        {
          "id": "CVE-2026-31421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q->handle.  Shared blocks leave block->q NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()'s\nold-method path needs block->q which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n  tc_run (net/core/dev.c:4401)\n  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31421"
        },
        {
          "id": "CVE-2026-31422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q->handle to derive\na default baseclass.  Shared blocks leave block->q NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block->q and return -EINVAL\nfor shared blocks.  This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n=======================================================================",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31422"
        },
        {
          "id": "CVE-2026-31423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value.  For large inputs\n(e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor.  When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n  Oops: divide error: 0000\n  RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n  Call Trace:\n   init_ed (net/sched/sch_hfsc.c:629)\n   hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n   [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is preserved.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31423"
        },
        {
          "id": "CVE-2026-31424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n  <TASK>\n  nft_match_eval (net/netfilter/nft_compat.c:407)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n  nf_hook_slow (net/netfilter/core.c:623)\n  arp_xmit (net/ipv4/arp.c:666)\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31424"
        },
        {
          "id": "CVE-2026-31425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n  rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n  rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n  rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n  rds_ib_get_mr (net/rds/ib_rdma.c:615)\n  __rds_rdma_map (net/rds/rdma.c:295)\n  rds_cmsg_rdma_map (net/rds/rdma.c:860)\n  rds_sendmsg (net/rds/send.c:1363)\n  ____sys_sendmsg\n  do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31425"
        },
        {
          "id": "CVE-2026-31426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: clean up handlers on probe failure in acpi_ec_setup()\n\nWhen ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware\nplatforms, it has already started the EC and installed the address\nspace handler with the struct acpi_ec pointer as handler context.\nHowever, acpi_ec_setup() propagates the error without any cleanup.\n\nThe caller acpi_ec_add() then frees the struct acpi_ec for non-boot\ninstances, leaving a dangling handler context in ACPICA.\n\nAny subsequent AML evaluation that accesses an EC OpRegion field\ndispatches into acpi_ec_space_handler() with the freed pointer,\ncausing a use-after-free:\n\n BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)\n Write of size 8 at addr ffff88800721de38 by task init/1\n Call Trace:\n  <TASK>\n  mutex_lock (kernel/locking/mutex.c:289)\n  acpi_ec_space_handler (drivers/acpi/ec.c:1362)\n  acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)\n  acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)\n  acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)\n  acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)\n  acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)\n  acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)\n  </TASK>\n\n Allocated by task 1:\n  acpi_ec_alloc (drivers/acpi/ec.c:1424)\n  acpi_ec_add (drivers/acpi/ec.c:1692)\n\n Freed by task 1:\n  kfree (mm/slub.c:6876)\n  acpi_ec_add (drivers/acpi/ec.c:1751)\n\nThe bug triggers on reduced-hardware EC platforms (ec->gpe < 0)\nwhen the GPIO IRQ provider defers probing. Once the stale handler\nexists, any unprivileged sysfs read that causes AML to touch an\nEC OpRegion (battery, thermal, backlight) exercises the dangling\npointer.\n\nFix this by calling ec_remove_handlers() in the error path of\nacpi_ec_setup() before clearing first_ec. ec_remove_handlers()\nchecks each EC_FLAGS_* bit before acting, so it is safe to call\nregardless of how far ec_install_handlers() progressed:\n\n  -ENODEV  (handler not installed): only calls acpi_ec_stop()\n  -EPROBE_DEFER (handler installed): removes handler, stops EC",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31426"
        },
        {
          "id": "CVE-2026-31427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks->sdp_session()\nwith &rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31427"
        },
        {
          "id": "CVE-2026-31428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31428"
        },
        {
          "id": "CVE-2026-31429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb: fix cross-cache free of KFENCE-allocated skb head\n\nSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2\nvalue (e.g. 704 on x86_64) to avoid collisions with generic kmalloc\nbucket sizes. This ensures that skb_kfree_head() can reliably use\nskb_end_offset to distinguish skb heads allocated from\nskb_small_head_cache vs. generic kmalloc caches.\n\nHowever, when KFENCE is enabled, kfence_ksize() returns the exact\nrequested allocation size instead of the slab bucket size. If a caller\n(e.g. bpf_test_init) allocates skb head data via kzalloc() and the\nrequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then\nslab_build_skb() -> ksize() returns that exact value. After subtracting\nskb_shared_info overhead, skb_end_offset ends up matching\nSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free\nthe object to skb_small_head_cache instead of back to the original\nkmalloc cache, resulting in a slab cross-cache free:\n\n  kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected\n  skbuff_small_head but got kmalloc-1k\n\nFix this by always calling kfree(head) in skb_kfree_head(). This keeps\nthe free path generic and avoids allocator-specific misclassification\nfor KFENCE objects.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31429"
        },
        {
          "id": "CVE-2026-31430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nX.509: Fix out-of-bounds access when parsing extensions\n\nLeo reports an out-of-bounds access when parsing a certificate with\nempty Basic Constraints or Key Usage extension because the first byte of\nthe extension is read before checking its length.  Fix it.\n\nThe bug can be triggered by an unprivileged user by submitting a\nspecially crafted certificate to the kernel through the keyrings(7) API.\nLeo has demonstrated this with a proof-of-concept program responsibly\ndisclosed off-list.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31430"
        },
        {
          "id": "CVE-2026-31431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31431"
        },
        {
          "id": "CVE-2026-31432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix OOB write in QUERY_INFO for compound requests\n\nWhen a compound request such as READ + QUERY_INFO(Security) is received,\nand the first command (READ) consumes most of the response buffer,\nksmbd could write beyond the allocated buffer while building a security\ndescriptor.\n\nThe root cause was that smb2_get_info_sec() checked buffer space using\nppntsd_size from xattr, while build_sec_desc() often synthesized a\nsignificantly larger descriptor from POSIX ACLs.\n\nThis patch introduces smb_acl_sec_desc_scratch_len() to accurately\ncompute the final descriptor size beforehand, performs proper buffer\nchecking with smb2_calc_max_out_buf_len(), and uses exact-sized\nallocation + iov pinning.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31432"
        },
        {
          "id": "CVE-2026-31433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potential OOB in get_file_all_info() for compound requests\n\nWhen a compound request consists of QUERY_DIRECTORY + QUERY_INFO\n(FILE_ALL_INFORMATION) and the first command consumes nearly the entire\nmax_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()\nwith PATH_MAX, causing out-of-bounds write beyond the response buffer.\nIn get_file_all_info(), there was a missing validation check for\nthe client-provided OutputBufferLength before copying the filename into\nFileName field of the smb2_file_all_info structure.\nIf the filename length exceeds the available buffer space, it could lead to\npotential buffer overflows or memory corruption during smbConvertToUTF16\nconversion. This patch calculates the actual free buffer size using\nsmb2_calc_max_out_buf_len(), returns -EINVAL if the buffer is\ninsufficient, and updates smbConvertToUTF16 to use the actual filename\nlength (clamped by PATH_MAX) to ensure a safe copy operation.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31433"
        },
        {
          "id": "CVE-2026-31434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix leak of kobject name for sub-group space_info\n\nWhen create_space_info_sub_group() allocates elements of\nspace_info->sub_group[], kobject_init_and_add() is called for each\nelement via btrfs_sysfs_add_space_info_type(). However, when\ncheck_removing_space_info() frees these elements, it does not call\nbtrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is\nnot called and the associated kobj->name objects are leaked.\n\nThis memory leak is reproduced by running the blktests test case\nzbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak\nfeature reports the following error:\n\nunreferenced object 0xffff888112877d40 (size 16):\n  comm \"mount\", pid 1244, jiffies 4294996972\n  hex dump (first 16 bytes):\n    64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f  data-reloc......\n  backtrace (crc 53ffde4d):\n    __kmalloc_node_track_caller_noprof+0x619/0x870\n    kstrdup+0x42/0xc0\n    kobject_set_name_vargs+0x44/0x110\n    kobject_init_and_add+0xcf/0x150\n    btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs]\n    create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs]\n    create_space_info+0x211/0x320 [btrfs]\n    btrfs_init_space_info+0x15a/0x1b0 [btrfs]\n    open_ctree+0x33c7/0x4a50 [btrfs]\n    btrfs_get_tree.cold+0x9f/0x1ee [btrfs]\n    vfs_get_tree+0x87/0x2f0\n    vfs_cmd_create+0xbd/0x280\n    __do_sys_fsconfig+0x3df/0x990\n    do_syscall_64+0x136/0x1540\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo avoid the leak, call btrfs_sysfs_remove_space_info() instead of\nkfree() for the elements.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31434"
        },
        {
          "id": "CVE-2026-31435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix read abandonment during retry\n\nUnder certain circumstances, all the remaining subrequests from a read\nrequest will get abandoned during retry.  The abandonment process expects\nthe 'subreq' variable to be set to the place to start abandonment from, but\nit doesn't always have a useful value (it will be uninitialised on the\nfirst pass through the loop and it may point to a deleted subrequest on\nlater passes).\n\nFix the first jump to \"abandon:\" to set subreq to the start of the first\nsubrequest expected to need retry (which, in this abandonment case, turned\nout unexpectedly to no longer have NEED_RETRY set).\n\nAlso clear the subreq pointer after discarding superfluous retryable\nsubrequests to cause an oops if we do try to access it.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31435"
        },
        {
          "id": "CVE-2026-31436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()\n\nAt the end of this function, d is the traversal cursor of flist, but the\ncode completes found instead. This can lead to issues such as NULL pointer\ndereferences, double completion, or descriptor leaks.\n\nFix this by completing d instead of found in the final\nlist_for_each_entry_safe() loop.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31436"
        },
        {
          "id": "CVE-2026-31437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry\n\nWhen a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path\nin netfs_unbuffered_write() unconditionally calls stream->prepare_write()\nwithout checking if it is NULL.\n\nFilesystems such as 9P do not set the prepare_write operation, so\nstream->prepare_write remains NULL. When get_user_pages() fails with\n-EFAULT and the subrequest is flagged for retry, this results in a NULL\npointer dereference at fs/netfs/direct_write.c:189.\n\nFix this by mirroring the pattern already used in write_retry.c: if\nstream->prepare_write is NULL, skip renegotiation and directly reissue\nthe subrequest via netfs_reissue_write(), which handles iterator reset,\nIN_PROGRESS flag, stats update and reissue internally.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31437",
          "detail": "fixed-version",
          "description": "only affects 6.18.17 onwards"
        },
        {
          "id": "CVE-2026-31438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators\n\nWhen a process crashes and the kernel writes a core dump to a 9P\nfilesystem, __kernel_write() creates an ITER_KVEC iterator. This\niterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which\nonly handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,\nhitting the BUG() for any other type.\n\nFix this by adding netfs_limit_kvec() following the same pattern as\nnetfs_limit_bvec(), since both kvec and bvec are simple segment arrays\nwith pointer and length fields. Dispatch it from netfs_limit_iter() when\nthe iterator type is ITER_KVEC.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31438"
        },
        {
          "id": "CVE-2026-31439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: xilinx: xdma: Fix regmap init error handling\n\ndevm_regmap_init_mmio returns an ERR_PTR() upon error, not NULL.\nFix the error check and also fix the error message. Use the error code\nfrom ERR_PTR() instead of the wrong value in ret.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31439"
        },
        {
          "id": "CVE-2026-31440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix leaking event log memory\n\nDuring the device remove process, the device is reset, causing the\nconfiguration registers to go back to their default state, which is\nzero. As the driver is checking if the event log support was enabled\nbefore deallocating, it will fail if a reset happened before.\n\nDo not check if the support was enabled, the check for 'idxd->evl'\nbeing valid (only allocated if the HW capability is available) is\nenough.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31440"
        },
        {
          "id": "CVE-2026-31441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver means that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31441"
        },
        {
          "id": "CVE-2026-31442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible invalid memory access after FLR\n\nIn the case that the first Function Level Reset (FLR) concludes\ncorrectly, but in the second FLR the scratch area for the saved\nconfiguration cannot be allocated, it's possible for an invalid memory\naccess to happen.\n\nAlways set the deallocated scratch area to NULL after FLR completes.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31442"
        },
        {
          "id": "CVE-2026-31443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix crash when the event log is disabled\n\nIf reporting errors to the event log is not supported by the hardware,\nand an error that causes Function Level Reset (FLR) is received, the\ndriver will try to restore the event log even if it was not allocated.\n\nAlso, only try to free the event log if it was properly allocated.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31443"
        },
        {
          "id": "CVE-2026-31444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free and NULL deref in smb_grant_oplock()\n\nsmb_grant_oplock() has two issues in the oplock publication sequence:\n\n1) opinfo is linked into ci->m_op_list (via opinfo_add) before\n   add_lease_global_list() is called.  If add_lease_global_list()\n   fails (kmalloc returns NULL), the error path frees the opinfo\n   via __free_opinfo() while it is still linked in ci->m_op_list.\n   Concurrent m_op_list readers (opinfo_get_list, or direct iteration\n   in smb_break_all_levII_oplock) dereference the freed node.\n\n2) opinfo->o_fp is assigned after add_lease_global_list() publishes\n   the opinfo on the global lease list.  A concurrent\n   find_same_lease_key() can walk the lease list and dereference\n   opinfo->o_fp->f_ci while o_fp is still NULL.\n\nFix by restructuring the publication sequence to eliminate post-publish\nfailure:\n\n- Set opinfo->o_fp before any list publication (fixes NULL deref).\n- Preallocate lease_table via alloc_lease_table() before opinfo_add()\n  so add_lease_global_list() becomes infallible after publication.\n- Keep the original m_op_list publication order (opinfo_add before\n  lease list) so concurrent opens via same_client_has_lease() and\n  opinfo_get_list() still see the in-flight grant.\n- Use opinfo_put() instead of __free_opinfo() on err_out so that\n  the RCU-deferred free path is used.\n\nThis also requires splitting add_lease_global_list() to take a\npreallocated lease_table and changing its return type from int to void,\nsince it can no longer fail.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31444"
        },
        {
          "id": "CVE-2026-31445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update.  It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction.  damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures.  In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn't be used anymore.  The function only ensures the damon_ctx object\ncan be safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters.  But it can still theoretically fail if the\ninternal memory allocation fails.  In the case, DAMON may run with the\npartially updated damon_ctx.  This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1].  Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare.  But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object.  For this,\nintroduce damon_ctx->maybe_corrupted field.  damon_commit_ctx() sets it\nwhen it is failed.  kdamond_call() checks if the field is set after each\ndamon_call_control->fn() is executed.  If it is set, ignore remaining\ncallback requests and return.  All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations.  If the field is set, break the kdamond_fn()\nmain loop so that DAMON still doesn't use the context that might be\ncorrupted.\n\n[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31445"
        },
        {
          "id": "CVE-2026-31446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which\naccesses the kobject's kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n  update_super_work                ext4_put_super\n  -----------------                --------------\n                                   ext4_unregister_sysfs(sb)\n                                     kobject_del(&sbi->s_kobj)\n                                       __kobject_del()\n                                         sysfs_remove_dir()\n                                           kobj->sd = NULL\n                                         sysfs_put(sd)\n                                           kernfs_put()  // RCU free\n  ext4_notify_error_sysfs(sbi)\n    sysfs_notify(&sbi->s_kobj)\n      kn = kobj->sd              // stale pointer\n      kernfs_get(kn)             // UAF on freed kernfs_node\n                                   ext4_journal_destroy()\n                                     flush_work(&sbi->s_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31446"
        },
        {
          "id": "CVE-2026-31447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: reject mount if bigalloc with s_first_data_block != 0\n\nbigalloc with s_first_data_block != 0 is not supported, reject mounting\nit.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31447"
        },
        {
          "id": "CVE-2026-31448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we've\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I'd just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]",
          "scorev2": "0.0",
          "scorev3": "9.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31448"
        },
        {
          "id": "CVE-2026-31449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31449"
        },
        {
          "id": "CVE-2026-31450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei->jinode to concurrent users.\nIt used to set ei->jinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei->jinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31450"
        },
        {
          "id": "CVE-2026-31451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: replace BUG_ON with proper error handling in ext4_read_inline_folio\n\nReplace BUG_ON() with proper error handling when inline data size\nexceeds PAGE_SIZE. This prevents kernel panic and allows the system to\ncontinue running while properly reporting the filesystem corruption.\n\nThe error is logged via ext4_error_inode(), the buffer head is released\nto prevent memory leak, and -EFSCORRUPTED is returned to indicate\nfilesystem corruption.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31451"
        },
        {
          "id": "CVE-2026-31452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: convert inline data to extents when truncate exceeds inline size\n\nAdd a check in ext4_setattr() to convert files from inline data storage\nto extent-based storage when truncate() grows the file size beyond the\ninline capacity. This prevents the filesystem from entering an\ninconsistent state where the inline data flag is set but the file size\nexceeds what can be stored inline.\n\nWithout this fix, the following sequence causes a kernel BUG_ON():\n\n1. Mount filesystem with inode that has inline flag set and small size\n2. truncate(file, 50MB) - grows size but inline flag remains set\n3. sendfile() attempts to write data\n4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)\n\nThe crash occurs because ext4_write_inline_data() expects inline storage\nto accommodate the write, but the actual inline capacity (~60 bytes for\ni_block + ~96 bytes for xattrs) is far smaller than the file size and\nwrite request.\n\nThe fix checks if the new size from setattr exceeds the inode's actual\ninline capacity (EXT4_I(inode)->i_inline_size) and converts the file to\nextent-based storage before proceeding with the size change.\n\nThis addresses the root cause by ensuring the inline data flag and file\nsize remain consistent during truncate operations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31452"
        },
        {
          "id": "CVE-2026-31453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: avoid dereferencing log items after push callbacks\n\nAfter xfsaild_push_item() calls iop_push(), the log item may have been\nfreed if the AIL lock was dropped during the push. Background inode\nreclaim or the dquot shrinker can free the log item while the AIL lock\nis not held, and the tracepoints in the switch statement dereference\nthe log item after iop_push() returns.\n\nFix this by capturing the log item type, flags, and LSN before calling\nxfsaild_push_item(), and introducing a new xfs_ail_push_class trace\nevent class that takes these pre-captured values and the ailp pointer\ninstead of the log item pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31453"
        },
        {
          "id": "CVE-2026-31454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: save ailp before dropping the AIL lock in push callbacks\n\nIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock\nis dropped to perform buffer IO. Once the cluster buffer no longer\nprotects the log item from reclaim, the log item may be freed by\nbackground reclaim or the dquot shrinker. The subsequent spin_lock()\ncall dereferences lip->li_ailp, which is a use-after-free.\n\nFix this by saving the ailp pointer in a local variable while the AIL\nlock is held and the log item is guaranteed to be valid.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31454"
        },
        {
          "id": "CVE-2026-31455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: stop reclaim before pushing AIL during unmount\n\nThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while\nbackground reclaim and inodegc are still running. This is broken\nindependently of any use-after-free issues - background reclaim and\ninodegc should not be running while the AIL is being pushed during\nunmount, as inodegc can dirty and insert inodes into the AIL during the\nflush, and background reclaim can race to abort and free dirty inodes.\n\nReorder xfs_unmount_flush_inodes() to stop inodegc and cancel background\nreclaim before pushing the AIL. Stop inodegc before cancelling\nm_reclaim_work because the inodegc worker can re-queue m_reclaim_work\nvia xfs_inodegc_set_reclaimable.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31455"
        },
        {
          "id": "CVE-2026-31456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/pagewalk: fix race between concurrent split and refault\n\nThe splitting of a PUD entry in walk_pud_range() can race with a\nconcurrent thread refaulting the PUD leaf entry causing it to try walking\na PMD range that has disappeared.\n\nAn example and reproduction of this is to try reading numa_maps of a\nprocess while VFIO-PCI is setting up DMA (specifically the\nvfio_pin_pages_remote call) on a large BAR for that process.\n\nThis will trigger a kernel BUG:\nvfio-pci 0000:03:00.0: enabling device (0000 -> 0002)\nBUG: unable to handle page fault for address: ffffa23980000000\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\n...\nRIP: 0010:walk_pgd_range+0x3b5/0x7a0\nCode: 8d 43 ff 48 89 44 24 28 4d 89 ce 4d 8d a7 00 00 20 00 48 8b 4c 24\n28 49 81 e4 00 00 e0 ff 49 8d 44 24 ff 48 39 c8 4c 0f 43 e3 <49> f7 06\n   9f ff ff ff 75 3b 48 8b 44 24 20 48 8b 40 28 48 85 c0 74\nRSP: 0018:ffffac23e1ecf808 EFLAGS: 00010287\nRAX: 00007f44c01fffff RBX: 00007f4500000000 RCX: 00007f44ffffffff\nRDX: 0000000000000000 RSI: 000ffffffffff000 RDI: ffffffff93378fe0\nRBP: ffffac23e1ecf918 R08: 0000000000000004 R09: ffffa23980000000\nR10: 0000000000000020 R11: 0000000000000004 R12: 00007f44c0200000\nR13: 00007f44c0000000 R14: ffffa23980000000 R15: 00007f44c0000000\nFS:  00007fe884739580(0000) GS:ffff9b7d7a9c0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa23980000000 CR3: 000000c0650e2005 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n __walk_page_range+0x195/0x1b0\n walk_page_vma+0x62/0xc0\n show_numa_map+0x12b/0x3b0\n seq_read_iter+0x297/0x440\n seq_read+0x11d/0x140\n vfs_read+0xc2/0x340\n ksys_read+0x5f/0xe0\n do_syscall_64+0x68/0x130\n ? get_page_from_freelist+0x5c2/0x17e0\n ? mas_store_prealloc+0x17e/0x360\n ? vma_set_page_prot+0x4c/0xa0\n ? __alloc_pages_noprof+0x14e/0x2d0\n ? __mod_memcg_lruvec_state+0x8d/0x140\n ? __lruvec_stat_mod_folio+0x76/0xb0\n ? __folio_mod_stat+0x26/0x80\n ? do_anonymous_page+0x705/0x900\n ? __handle_mm_fault+0xa8d/0x1000\n ? __count_memcg_events+0x53/0xf0\n ? handle_mm_fault+0xa5/0x360\n ? do_user_addr_fault+0x342/0x640\n ? arch_exit_to_user_mode_prepare.constprop.0+0x16/0xa0\n ? irqentry_exit_to_user_mode+0x24/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fe88464f47e\nCode: c0 e9 b6 fe ff ff 50 48 8d 3d be 07 0b 00 e8 69 01 02 00 66 0f 1f\n84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00\n   f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28\nRSP: 002b:00007ffe6cd9a9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fe88464f47e\nRDX: 0000000000020000 RSI: 00007fe884543000 RDI: 0000000000000003\nRBP: 00007fe884543000 R08: 00007fe884542010 R09: 0000000000000000\nR10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n </TASK>\n\nFix this by validating the PUD entry in walk_pmd_range() using a stable\nsnapshot (pudp_get()).  If the PUD is not present or is a leaf, retry the\nwalk via ACTION_AGAIN instead of descending further.  This mirrors the\nretry logic in walk_pte_range(), which lets walk_pmd_range() retry if the\nPTE is not being got by pte_offset_map_lock().",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31456"
        },
        {
          "id": "CVE-2026-31457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr in repeat_call_fn\n\ndamon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),\ndamon_sysfs_upd_schemes_stats(), and\ndamon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. \nIf nr_contexts is set to 0 via sysfs while DAMON is running, these\nfunctions dereference contexts_arr[0] and cause a NULL pointer\ndereference.  Add the missing check.\n\nFor example, the issue can be reproduced using DAMON sysfs interface and\nDAMON user-space tool (damo) [1] like below.\n\n    $ sudo damo start --refresh_interval 1s\n    $ echo 0 | sudo tee \\\n            /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31457"
        },
        {
          "id": "CVE-2026-31458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]\n\nMultiple sysfs command paths dereference contexts_arr[0] without first\nverifying that kdamond->contexts->nr == 1.  A user can set nr_contexts to\n0 via sysfs while DAMON is running, causing NULL pointer dereferences.\n\nIn more detail, the issue can be triggered by privileged users like\nbelow.\n\nFirst, start DAMON and make contexts directory empty\n(kdamond->contexts->nr == 0).\n\n    # damo start\n    # cd /sys/kernel/mm/damon/admin/kdamonds/0\n    # echo 0 > contexts/nr_contexts\n\nThen, each of below commands will cause the NULL pointer dereference.\n\n    # echo update_schemes_stats > state\n    # echo update_schemes_tried_regions > state\n    # echo update_schemes_tried_bytes > state\n    # echo update_schemes_effective_quotas > state\n    # echo update_tuned_intervals > state\n\nGuard all commands (except OFF) at the entry point of\ndamon_sysfs_handle_cmd().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31458"
        },
        {
          "id": "CVE-2026-31459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure\n\nPatch series \"mm/damon/sysfs: fix memory leak and NULL dereference\nissues\", v4.\n\nDAMON_SYSFS can leak memory under allocation failure, and do NULL pointer\ndereference when a privileged user make wrong sequences of control.  Fix\nthose.\n\n\nThis patch (of 3):\n\nWhen damon_sysfs_new_test_ctx() fails in damon_sysfs_commit_input(),\nparam_ctx is leaked because the early return skips the cleanup at the out\nlabel.  Destroy param_ctx before returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31459"
        },
        {
          "id": "CVE-2026-31460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: check if ext_caps is valid in BL setup\n\nLVDS connectors don't have extended backlight caps so check\nif the pointer is valid before accessing it.\n\n(cherry picked from commit 3f797396d7f4eb9bb6eded184bbc6f033628a6f6)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31460",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix drm_edid leak in amdgpu_dm\n\n[WHAT]\nWhen a sink is connected, aconnector->drm_edid was overwritten without\nfreeing the previous allocation, causing a memory leak on resume.\n\n[HOW]\nFree the previous drm_edid before updating it.\n\n(cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31461"
        },
        {
          "id": "CVE-2026-31462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: prevent immediate PASID reuse case\n\nPASID resue could cause interrupt issue when process\nimmediately runs into hw state left by previous\nprocess exited with the same PASID, it's possible that\npage faults are still pending in the IH ring buffer when\nthe process exits and frees up its PASID. To prevent the\ncase, it uses idr cyclic allocator same as kernel pid's.\n\n(cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31462"
        },
        {
          "id": "CVE-2026-31463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: fix invalid folio access when i_blkbits differs from I/O granularity\n\nCommit aa35dd5cbc06 (\"iomap: fix invalid folio access after\nfolio_end_read()\") partially addressed invalid folio access for folios\nwithout an ifs attached, but it did not handle the case where\n1 << inode->i_blkbits matches the folio size but is different from the\ngranularity used for the IO, which means IO can be submitted for less\nthan the full folio for the !ifs case.\n\nIn this case, the condition:\n\n  if (*bytes_submitted == folio_len)\n    ctx->cur_folio = NULL;\n\nin iomap_read_folio_iter() will not invalidate ctx->cur_folio, and\niomap_read_end() will still be called on the folio even though the IO\nhelper owns it and will finish the read on it.\n\nFix this by unconditionally invalidating ctx->cur_folio for the !ifs\ncase.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31463",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost->num_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation.  The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31464"
        },
        {
          "id": "CVE-2026-31465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don't block sync for filesystems with no data integrity guarantees\n\nAdd a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot\nguarantee data persistence on sync (eg fuse). For superblocks with this\nflag set, sync kicks off writeback of dirty inodes but does not wait\nfor the flusher threads to complete the writeback.\n\nThis replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in\ncommit f9a49aa302a0 (\"fs/writeback: skip AS_NO_DATA_INTEGRITY mappings\nin wait_sb_inodes()\"). The flag belongs at the superblock level because\ndata integrity is a filesystem-wide property, not a per-inode one.\nHaving this flag at the superblock level also allows us to skip having\nto iterate every dirty inode in wait_sb_inodes() only to skip each inode\nindividually.\n\nPrior to this commit, mappings with no data integrity guarantees skipped\nwaiting on writeback completion but still waited on the flusher threads\nto finish initiating the writeback. Waiting on the flusher threads is\nunnecessary. This commit kicks off writeback but does not wait on the\nflusher threads. This change properly addresses a recent report [1] for\na suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting\non the flusher threads to finish:\n\nWorkqueue: pm_fs_sync pm_fs_sync_work_fn\nCall Trace:\n <TASK>\n __schedule+0x457/0x1720\n schedule+0x27/0xd0\n wb_wait_for_completion+0x97/0xe0\n sync_inodes_sb+0xf8/0x2e0\n __iterate_supers+0xdc/0x160\n ksys_sync+0x43/0xb0\n pm_fs_sync_work_fn+0x17/0xa0\n process_one_work+0x193/0x350\n worker_thread+0x1a1/0x310\n kthread+0xfc/0x240\n ret_from_fork+0x243/0x280\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nOn fuse this is problematic because there are paths that may cause the\nflusher thread to block (eg if systemd freezes the user session cgroups\nfirst, which freezes the fuse daemon, before invoking the kernel\nsuspend. The kernel suspend triggers ->write_node() which on fuse issues\na synchronous setattr request, which cannot be processed since the\ndaemon is frozen. Or if the daemon is buggy and cannot properly complete\nwriteback, initiating writeback on a dirty folio already under writeback\nleads to writeback_get_folio() -> folio_prepare_writeback() ->\nunconditional wait on writeback to finish, which will cause a hang).\nThis commit restores fuse to its prior behavior before tmp folios were\nremoved, where sync was essentially a no-op.\n\n[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31465"
        },
        {
          "id": "CVE-2026-31466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix folio isn't locked in softleaf_to_folio()\n\nOn arm64 server, we found folio that get from migration entry isn't locked\nin softleaf_to_folio().  This issue triggers when mTHP splitting and\nzap_nonpresent_ptes() races, and the root cause is lack of memory barrier\nin softleaf_to_folio().  The race is as follows:\n\n\tCPU0                                             CPU1\n\ndeferred_split_scan()                              zap_nonpresent_ptes()\n  lock folio\n  split_folio()\n    unmap_folio()\n      change ptes to migration entries\n    __split_folio_to_order()                         softleaf_to_folio()\n      set flags(including PG_locked) for tail pages    folio = pfn_folio(softleaf_to_pfn(entry))\n      smp_wmb()                                        VM_WARN_ON_ONCE(!folio_test_locked(folio))\n      prep_compound_page() for tail pages\n\nIn __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages\nare visible before the tail page becomes non-compound.  smp_wmb() should\nbe paired with smp_rmb() in softleaf_to_folio(), which is missed.  As a\nresult, if zap_nonpresent_ptes() accesses migration entry that stores tail\npfn, softleaf_to_folio() may see the updated compound_head of tail page\nbefore page->flags.\n\nThis issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()\nbecause of the race between folio split and zap_nonpresent_ptes()\nleading to a folio incorrectly undergoing modification without a folio\nlock being held.\n\nThis is a BUG_ON() before commit 93976a20345b (\"mm: eliminate further\nswapops predicates\"), which in merged in v6.19-rc1.\n\nTo fix it, add missing smp_rmb() if the softleaf entry is migration entry\nin softleaf_to_folio() and softleaf_to_page().\n\n[tujinjiang@huawei.com: update function name and comments]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31466"
        },
        {
          "id": "CVE-2026-31467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: add GFP_NOIO in the bio completion if needed\n\nThe bio completion path in the process context (e.g. dm-verity)\nwill directly call into decompression rather than trigger another\nworkqueue context for minimal scheduling latencies, which can\nthen call vm_map_ram() with GFP_KERNEL.\n\nDue to insufficient memory, vm_map_ram() may generate memory\nswapping I/O, which can cause submit_bio_wait to deadlock\nin some scenarios.\n\nTrimmed down the call stack, as follows:\n\nf2fs_submit_read_io\n  submit_bio                      //bio_list is initialized.\n    mmc_blk_mq_recovery\n      z_erofs_endio\n        vm_map_ram\n          __pte_alloc_kernel\n            __alloc_pages_direct_reclaim\n              shrink_folio_list\n                __swap_writepage\n                  submit_bio_wait  //bio_list is non-NULL, hang!!!\n\nUse memalloc_noio_{save,restore}() to wrap up this path.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31467"
        },
        {
          "id": "CVE-2026-31468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain.  In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31468",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device's IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb->dst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n  ...\n  percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n  dst_release+0xe0/0x110  net/core/dst.c:177\n  skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n  sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n  dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n  napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n  __free_old_xmit+0x164/0x230  drivers/net/virtio_net.c:611 [virtio_net]\n  free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n  start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n  ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n    tc qdisc del dev $NETDEV root\n    tc qdisc add dev $NETDEV root handle 1: prio\n    tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n    ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n    ip netns add testns\n    ip link set $NETDEV netns testns\n    ip netns exec testns ifconfig $NETDEV  10.0.32.46/24\n    ip netns exec testns ping -c 1 10.0.32.1\n    ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31469"
        },
        {
          "id": "CVE-2026-31470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt: tdx-guest: Fix handling of host controlled 'quote' buffer length\n\nValidate host controlled value `quote_buf->out_len` that determines how\nmany bytes of the quote are copied out to guest userspace. In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\n\nCatch scenarios where the host specifies a response length larger than\nthe guest's allocation, or otherwise races modifying the response while\nthe guest consumes it.\n\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\n\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31470"
        },
        {
          "id": "CVE-2026-31471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x->mode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x->mode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x->mode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x->mode_data unset. The destroy path already\nhandles a NULL mode_data pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31471"
        },
        {
          "id": "CVE-2026-31472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: validate inner IPv4 header length in IPTFS payload\n\nAdd validation of the inner IPv4 packet tot_len and ihl fields parsed\nfrom decrypted IPTFS payloads in __input_process_payload(). A crafted\nESP packet containing an inner IPv4 header with tot_len=0 causes an\ninfinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the\ndata offset never advances and the while(data < tail) loop never\nterminates, spinning forever in softirq context.\n\nReject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct\niphdr), which catches both the tot_len=0 case and malformed ihl values.\nThe normal IP stack performs this validation in ip_rcv_core(), but IPTFS\nextracts and processes inner packets before they reach that layer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31472"
        },
        {
          "id": "CVE-2026-31473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex\n\nMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)\nqueue teardown paths. This can race request object cleanup against vb2\nqueue cancellation and lead to use-after-free reports.\n\nWe already serialize request queueing against STREAMON/OFF with\nreq_queue_mutex. Extend that serialization to REQBUFS, and also take\nthe same mutex in media_request_ioctl_reinit() so REINIT is in the\nsame exclusion domain.\n\nThis keeps request cleanup and queue cancellation from running in\nparallel for request-capable devices.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31473"
        },
        {
          "id": "CVE-2026-31474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31474"
        },
        {
          "id": "CVE-2026-31475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31475"
        },
        {
          "id": "CVE-2026-31476",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: do not expire session on binding failure\n\nWhen a multichannel session binding request fails (e.g. wrong password),\nthe error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.\nHowever, during binding, sess points to the target session looked up via\nksmbd_session_lookup_slowpath() -- which belongs to another connection's\nuser. This allows a remote attacker to invalidate any active session by\nsimply sending a binding request with a wrong password (DoS).\n\nFix this by skipping session expiration when the failed request was\na binding attempt, since the session does not belong to the current\nconnection. The reference taken by ksmbd_session_lookup_slowpath() is\nstill correctly released via ksmbd_user_session_put().",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31476"
        },
        {
          "id": "CVE-2026-31477",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leaks and NULL deref in smb2_lock()\n\nsmb2_lock() has three error handling issues after list_del() detaches\nsmb_lock from lock_list at no_check_cl:\n\n1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK\n   path, goto out leaks smb_lock and its flock because the out:\n   handler only iterates lock_list and rollback_list, neither of\n   which contains the detached smb_lock.\n\n2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out\n   leaks smb_lock and flock for the same reason.  The error code\n   returned to the dispatcher is also stale.\n\n3) In the rollback path, smb_flock_init() can return NULL on\n   allocation failure.  The result is dereferenced unconditionally,\n   causing a kernel NULL pointer dereference.  Add a NULL check to\n   prevent the crash and clean up the bookkeeping; the VFS lock\n   itself cannot be rolled back without the allocation and will be\n   released at file or connection teardown.\n\nFix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before\nthe if(!rc) check in the UNLOCK branch so all exit paths share one\nfree site, and by freeing smb_lock and flock before goto out in the\nnon-UNLOCK branch.  Propagate the correct error code in both cases.\nFix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding\na NULL check for locks_free_lock(rlock) in the shared cleanup.\n\nFound via call-graph analysis using sqry.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31477"
        },
        {
          "id": "CVE-2026-31478",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()\n\nAfter this commit (e2b76ab8b5c9 \"ksmbd: add support for read compound\"),\nresponse buffer management was changed to use dynamic iov array.\nIn the new design, smb2_calc_max_out_buf_len() expects the second\nargument (hdr2_len) to be the offset of ->Buffer field in the\nresponse structure, not a hardcoded magic number.\nFix the remaining call sites to use the correct offsetof() value.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31478"
        },
        {
          "id": "CVE-2026-31479",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: always keep track of remap prev/next\n\nDuring 3D workload, user is reporting hitting:\n\n[  413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925\n[  413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)\n[  413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]\n[  413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282\n[  413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000\n[  413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000\n[  413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380\n[  413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380\n[  413.362083] FS:  00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000\n[  413.362085] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\n[  413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0\n[  413.362088] PKRU: 55555554\n[  413.362089] Call Trace:\n[  413.362092]  <TASK>\n[  413.362096]  xe_vm_bind_ioctl+0xa9a/0xc60 [xe]\n\nWhich seems to hint that the vma we are re-inserting for the ops unwind\nis either invalid or overlapping with something already inserted in the\nvm. It shouldn't be invalid since this is a re-insertion, so must have\nworked before. Leaving the likely culprit as something already placed\nwhere we want to insert the vma.\n\nFollowing from that, for the case where we do something like a rebind in\nthe middle of a vma, and one or both mapped ends are already compatible,\nwe skip doing the rebind of those vma and set next/prev to NULL. As well\nas then adjust the original unmap va range, to avoid unmapping the ends.\nHowever, if we trigger the unwind path, we end up with three va, with\nthe two ends never being removed and the original va range in the middle\nstill being the shrunken size.\n\nIf this occurs, one failure mode is when another unwind op needs to\ninteract with that range, which can happen with a vector of binds. For\nexample, if we need to re-insert something in place of the original va.\nIn this case the va is still the shrunken version, so when removing it\nand then doing a re-insert it can overlap with the ends, which were\nnever removed, triggering a warning like above, plus leaving the vm in a\nbad state.\n\nWith that, we need two things here:\n\n 1) Stop nuking the prev/next tracking for the skip cases. Instead\n    relying on checking for skip prev/next, where needed. That way on the\n    unwind path, we now correctly remove both ends.\n\n 2) Undo the unmap va shrinkage, on the unwind path. With the two ends\n    now removed the unmap va should expand back to the original size again,\n    before re-insertion.\n\nv2:\n  - Update the explanation in the commit message, based on an actual IGT of\n    triggering this issue, rather than conjecture.\n  - Also undo the unmap shrinkage, for the skip case. With the two ends\n    now removed, the original unmap va range should expand back to the\n    original range.\nv3:\n  - Track the old start/range separately. vma_size/start() uses the va\n    info directly.\n\n(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31479"
        },
        {
          "id": "CVE-2026-31480",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential deadlock in cpu hotplug with osnoise\n\nThe following sequence may leads deadlock in cpu hotplug:\n\n    task1        task2        task3\n    -----        -----        -----\n\n mutex_lock(&interface_lock)\n\n            [CPU GOING OFFLINE]\n\n            cpus_write_lock();\n            osnoise_cpu_die();\n              kthread_stop(task3);\n                wait_for_completion();\n\n                      osnoise_sleep();\n                        mutex_lock(&interface_lock);\n\n cpus_read_lock();\n\n [DEAD LOCK]\n\nFix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31480"
        },
        {
          "id": "CVE-2026-31481",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Drain deferred trigger frees if kthread creation fails\n\nBoot-time trigger registration can fail before the trigger-data cleanup\nkthread exists. Deferring those frees until late init is fine, but the\npost-boot fallback must still drain the deferred list if kthread\ncreation never succeeds.\n\nOtherwise, boot-deferred nodes can accumulate on\ntrigger_data_free_list, later frees fall back to synchronously freeing\nonly the current object, and the older queued entries are leaked\nforever.\n\nTo trigger this, add the following to the kernel command line:\n\n  trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon\n\nThe second traceon trigger will fail and be freed. This triggers a NULL\npointer dereference and crashes the kernel.\n\nKeep the deferred boot-time behavior, but when kthread creation fails,\ndrain the whole queued list synchronously. Do the same in the late-init\ndrain path so queued entries are not stranded there either.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31481",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31482",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/entry: Scrub r12 register on kernel entry\n\nBefore commit f33f2d4c7c80 (\"s390/bp: remove TIF_ISOLATE_BP\"),\nall entry handlers loaded r12 with the current task pointer\n(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That\ncommit removed TIF_ISOLATE_BP, dropping both the branch prediction\nmacros and the r12 load, but did not add r12 to the register clearing\nsequence.\n\nAdd the missing xgr %r12,%r12 to make the register scrub consistent\nacross all entry points.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31482"
        },
        {
          "id": "CVE-2026-31483",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/syscalls: Add spectre boundary for syscall dispatch table\n\nThe s390 syscall number is directly controlled by userspace, but does\nnot have an array_index_nospec() boundary to prevent access past the\nsyscall function pointer tables.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31483"
        },
        {
          "id": "CVE-2026-31484",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/fdinfo: fix OOB read in SQE_MIXED wrap check\n\n__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte\nSQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second\nhalf of the SQE would be past the end of the sq_sqes array. The current\ncheck tests (++sq_head & sq_mask) == 0, but sq_head is only incremented\nwhen a 128-byte SQE is encountered, not on every iteration. The actual\narray index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask\n(the last slot) while the wrap check passes.\n\nFix by checking sq_idx directly. Keep the sq_head increment so the loop\nstill skips the second half of the 128-byte SQE on the next iteration.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31484",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31485",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31485"
        },
        {
          "id": "CVE-2026-31486",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31486"
        },
        {
          "id": "CVE-2026-31487",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]\n\nAlso note that we do not enable the driver_override feature of struct\nbus_type, as SPI - in contrast to most other buses - passes \"\" to\nsysfs_emit() when the driver_override pointer is NULL. Thus, printing\n\"\\n\" instead of \"(null)\\n\".",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31487"
        },
        {
          "id": "CVE-2026-31488",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not skip unrelated mode changes in DSC validation\n\nStarting with commit 17ce8a6907f7 (\"drm/amd/display: Add dsc pre-validation in\natomic check\"), amdgpu resets the CRTC state mode_changed flag to false when\nrecomputing the DSC configuration results in no timing change for a particular\nstream.\n\nHowever, this is incorrect in scenarios where a change in MST/DSC configuration\nhappens in the same KMS commit as another (unrelated) mode change. For example,\nthe integrated panel of a laptop may be configured differently (e.g., HDR\nenabled/disabled) depending on whether external screens are attached. In this\ncase, plugging in external DP-MST screens may result in the mode_changed flag\nbeing dropped incorrectly for the integrated panel if its DSC configuration\ndid not change during precomputation in pre_validate_dsc().\n\nAt this point, however, dm_update_crtc_state() has already created new streams\nfor CRTCs with DSC-independent mode changes. In turn,\namdgpu_dm_commit_streams() will never release the old stream, resulting in a\nmemory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to\nthe new stream either, which manifests as a use-after-free when the stream gets\ndisabled later on:\n\nBUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]\nWrite of size 4 at addr ffff88813d836524 by task kworker/9:9/29977\n\nWorkqueue: events drm_mode_rmfb_work_fn\nCall Trace:\n <TASK>\n dump_stack_lvl+0x6e/0xa0\n print_address_description.constprop.0+0x88/0x320\n ? dc_stream_release+0x25/0x90 [amdgpu]\n print_report+0xfc/0x1ff\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __virt_addr_valid+0x225/0x4e0\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_report+0xe1/0x180\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_check_range+0x125/0x200\n dc_stream_release+0x25/0x90 [amdgpu]\n dc_state_destruct+0x14d/0x5c0 [amdgpu]\n dc_state_release.part.0+0x4e/0x130 [amdgpu]\n dm_atomic_destroy_state+0x3f/0x70 [amdgpu]\n drm_atomic_state_default_clear+0x8ee/0xf30\n ? drm_mode_object_put.part.0+0xb1/0x130\n __drm_atomic_state_free+0x15c/0x2d0\n atomic_remove_fb+0x67e/0x980\n\nSince there is no reliable way of figuring out whether a CRTC has unrelated\nmode changes pending at the time of DSC validation, remember the value of the\nmode_changed flag from before the point where a CRTC was marked as potentially\naffected by a change in DSC configuration. Reset the mode_changed flag to this\nearlier value instead in pre_validate_dsc().\n\n(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31488"
        },
        {
          "id": "CVE-2026-31489",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31489"
        },
        {
          "id": "CVE-2026-31490",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pf: Fix use-after-free in migration restore\n\nWhen an error is returned from xe_sriov_pf_migration_restore_produce(),\nthe data pointer is not set to NULL, which can trigger use-after-free\nin subsequent .write() calls.\nSet the pointer to NULL upon error to fix the problem.\n\n(cherry picked from commit 4f53d8c6d23527d734fe3531d08e15cb170a0819)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31490",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31491",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Harden depth calculation functions\n\nAn issue was exposed where OS can pass in U32_MAX for SQ/RQ/SRQ size.\nThis can cause integer overflow and truncation of SQ/RQ/SRQ depth\nreturning a success when it should have failed.\n\nHarden the functions to do all depth calculations and boundary\nchecking in u64 sizes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31491"
        },
        {
          "id": "CVE-2026-31492",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Initialize free_qp completion before using it\n\nIn irdma_create_qp, if ib_copy_to_udata fails, it will call\nirdma_destroy_qp to clean up which will attempt to wait on\nthe free_qp completion, which is not initialized yet. Fix this\nby initializing the completion before the ib_copy_to_udata call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31492"
        },
        {
          "id": "CVE-2026-31493",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix use of completion ctx after free\n\nOn admin queue completion handling, if the admin command completed with\nerror we print data from the completion context. The issue is that we\nalready freed the completion context in polling/interrupts handler which\nmeans we print data from context in an unknown state (it might be\nalready used again).\nChange the admin submission flow so alloc/dealloc of the context will be\nsymmetric and dealloc will be called after any potential use of the\ncontext.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31493"
        },
        {
          "id": "CVE-2026-31494",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: use the current queue number for stats\n\nThere's a potential mismatch between the memory reserved for statistics\nand the amount of memory written.\n\ngem_get_sset_count() correctly computes the number of stats based on the\nactive queues, whereas gem_get_ethtool_stats() indiscriminately copies\ndata using the maximum number of queues, and in the case the number of\nactive queues is less than MACB_MAX_QUEUES, this results in an OOB write\nas observed in the KASAN splat.\n\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78\n  [macb]\nWrite of size 760 at addr ffff80008080b000 by task ethtool/1027\n\nCPU: [...]\nTainted: [E]=UNSIGNED_MODULE\nHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025\nCall trace:\n show_stack+0x20/0x38 (C)\n dump_stack_lvl+0x80/0xf8\n print_report+0x384/0x5e0\n kasan_report+0xa0/0xf0\n kasan_check_range+0xe8/0x190\n __asan_memcpy+0x54/0x98\n gem_get_ethtool_stats+0x54/0x78 [macb\n   926c13f3af83b0c6fe64badb21ec87d5e93fcf65]\n dev_ethtool+0x1220/0x38c0\n dev_ioctl+0x4ac/0xca8\n sock_do_ioctl+0x170/0x1d8\n sock_ioctl+0x484/0x5d8\n __arm64_sys_ioctl+0x12c/0x1b8\n invoke_syscall+0xd4/0x258\n el0_svc_common.constprop.0+0xb4/0x240\n do_el0_svc+0x48/0x68\n el0_svc+0x40/0xf8\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1b0/0x1b8\n\nThe buggy address belongs to a 1-page vmalloc region starting at\n  0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000\n  index:0xffff00000a333000 pfn:0xa333\nflags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)\nraw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                                  ^\n ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\n\nFix it by making sure the copied size only considers the active number of\nqueues.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31494"
        },
        {
          "id": "CVE-2026-31495",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use netlink policy range checks\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at\n  policy level, removing the manual >= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE\n  (14). The normal TCP option parsing path already clamps to this value,\n  but the ctnetlink path accepted 0-255, causing undefined behavior when\n  used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n  CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n  a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31495"
        },
        {
          "id": "CVE-2026-31496",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: skip expectations in other netns via proc\n\nSkip expectations that do not reside in this netns.\n\nSimilar to e77e6ff502ea (\"netfilter: conntrack: do not dump other netns's\nconntrack entries via proc\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31496"
        },
        {
          "id": "CVE-2026-31497",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata->sco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data->sco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31497"
        },
        {
          "id": "CVE-2026-31498",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan->sdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31498"
        },
        {
          "id": "CVE-2026-31499",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn->lock. However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn->lock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn->lock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31499"
        },
        {
          "id": "CVE-2026-31500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock().  This lets it race against\nhci_dev_do_close() -> btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock.  When both paths manipulate\nhdev->req_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n  BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n  read of hdev->req_rsp at net/bluetooth/hci_sync.c:199\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n   hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n  write/free by task ioctl/22580:\n   btintel_shutdown_combined+0xd0/0x360\n    drivers/bluetooth/btintel.c:3648\n   hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n   hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n  BUG: KASAN: slab-use-after-free in\n   sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n  Read of size 4 at addr ffff888144a738dc\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31500"
        },
        {
          "id": "CVE-2026-31501",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path\n\ncppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.\nIn both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is\nfreed via k3_cppi_desc_pool_free() before the psdata pointer is used\nby emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].\nThis constitutes a use-after-free on every received packet that goes\nthrough the timestamp path.\n\nDefer the descriptor free until after all accesses through the psdata\npointer are complete. For emac_rx_packet(), move the free into the\nrequeue label so both early-exit and success paths free the descriptor\nafter all accesses are done. For emac_rx_packet_zc(), move the free to\nthe end of the loop body after emac_dispatch_skb_zc() (which calls\nemac_rx_timestamp()) has returned.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31501"
        },
        {
          "id": "CVE-2026-31502",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix header_ops type confusion with non-Ethernet ports\n\nSimilar to commit 950803f72547 (\"bonding: fix type confusion in\nbond_setup_by_slave()\") team has the same class of header_ops type\nconfusion.\n\nFor non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops\ndirectly. When the team device later calls dev_hard_header() or\ndev_parse_header(), these callbacks can run with the team net_device\ninstead of the real lower device, so netdev_priv(dev) is interpreted as\nthe wrong private type and can crash.\n\nThe syzbot report shows a crash in bond_header_create(), but the root\ncause is in team: the topology is gre -> bond -> team, and team calls\nthe inherited header_ops with its own net_device instead of the lower\ndevice, so bond_header_create() receives a team device and interprets\nnetdev_priv() as bonding private data, causing a type confusion crash.\n\nFix this by introducing team header_ops wrappers for create/parse,\nselecting a team port under RCU, and calling the lower device callbacks\nwith port->dev, so each callback always sees the correct net_device\ncontext.\n\nAlso pass the selected lower device to the lower parse callback, so\nrecursion is bounded in stacked non-Ethernet topologies and parse\ncallbacks always run with the correct device context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31502"
        },
        {
          "id": "CVE-2026-31503",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable->hash and udptable->hash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot->count > 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1,  \"[fd00::1]:8888\")\nbind(fd2,  \"[fd00::2]:8888\")\nbind(fd3,  \"[fd00::3]:8888\")\nbind(fd4,  \"[fd00::4]:8888\")\nbind(fd5,  \"[fd00::5]:8888\")\nbind(fd6,  \"[fd00::6]:8888\")\nbind(fd7,  \"[fd00::7]:8888\")\nbind(fd8,  \"[fd00::8]:8888\")\nbind(fd9,  \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot->count exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\")      /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot->count > 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31503"
        },
        {
          "id": "CVE-2026-31504",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31504"
        },
        {
          "id": "CVE-2026-31505",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix out-of-bounds writes in iavf_get_ethtool_stats()\n\niavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the\nvalue could change in runtime, we should use num_tx_queues instead.\n\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\n\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\n\nThread 1 (ethtool -L)       Thread 2 (work)        Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-> num_active_queues = 8\niavf_schedule_finish_config()\n                                                   iavf_get_sset_count()\n                                                   real_num_tx_queues: 1\n                                                   -> buffer for 1 queue\n                                                   iavf_get_ethtool_stats()\n                                                   num_active_queues: 8\n                                                   -> out-of-bounds!\n                            iavf_finish_config()\n                            -> real_num_tx_queues = 8\n\nUse immutable num_tx_queues in all related functions to avoid the issue.\n\n[1]\n BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\n Write of size 8 at addr ffffc900031c9080 by task ethtool/5800\n\n CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x6f/0xb0\n  print_report+0x170/0x4f3\n  kasan_report+0xe1/0x180\n  iavf_add_one_ethtool_stat+0x200/0x270\n  
iavf_get_ethtool_stats+0x14c/0x2e0\n  __dev_ethtool+0x3d0c/0x5830\n  dev_ethtool+0x12d/0x270\n  dev_ioctl+0x53c/0xe30\n  sock_do_ioctl+0x1a9/0x270\n  sock_ioctl+0x3d4/0x5e0\n  __x64_sys_ioctl+0x137/0x1c0\n  do_syscall_64+0xf3/0x690\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7da0e6e36d\n ...\n  </TASK>\n\n The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\n The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff88813a013de0 pfn:0x13a013\n flags: 0x200000000000000(node=0|zone=2)\n raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\n raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                    ^\n  ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31505"
        },
        {
          "id": "CVE-2026-31506",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix double free of WoL irq\n\nWe do not need to free wol_irq since it was instantiated with\ndevm_request_irq(). So devres will free for us.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31506"
        },
        {
          "id": "CVE-2026-31507",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private.  The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer.  The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n  1st call: kfree(priv)  sock_put(sk)  smc_rx_update_cons()  [correct]\n  2nd call: kfree(priv)  sock_put(sk)  smc_rx_update_cons()  [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv->smc pointer:\n\n  BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n  Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x53/0x70\n   print_report+0xce/0x650\n   kasan_report+0xc6/0x100\n   smc_rx_pipe_buf_release+0x78/0x2a0\n   free_pipe_info+0xd4/0x130\n   pipe_release+0x142/0x160\n   __fput+0x1c6/0x490\n   __x64_sys_close+0x4f/0x90\n   do_syscall_64+0xa6/0x1a0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000020\n  RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n  Call Trace:\n   <TASK>\n   smc_rx_pipe_buf_release+0x121/0x2a0\n   free_pipe_info+0xd4/0x130\n   pipe_release+0x142/0x160\n   __fput+0x1c6/0x490\n   __x64_sys_close+0x4f/0x90\n   do_syscall_64+0xa6/0x1a0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n  Kernel panic - not syncing: Fatal exception\n\nBeyond the 
memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting.  A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT.  Users who need\nto duplicate SMC socket data must use a copy-based read path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31507"
        },
        {
          "id": "CVE-2026-31508",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[  998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[  998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[  998.393886] Hardware name: Dell Inc. 
PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[  998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[  998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[  998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[  998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[  998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[  998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[  998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[  998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[  998.393931] FS:  00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[  998.393936] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[  998.393944] PKRU: 55555554\n[  998.393946] Call Trace:\n[  998.393949]  <TASK>\n[  998.393952]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393961]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393975]  ? dp_device_event+0x41/0x80 [openvswitch]\n[  998.394009]  ? __die_body.cold+0x8/0x12\n[  998.394016]  ? die_addr+0x3c/0x60\n[  998.394027]  ? exc_general_protection+0x16d/0x390\n[  998.394042]  ? asm_exc_general_protection+0x26/0x30\n[  998.394058]  ? dev_set_promiscuity+0x8d/0xa0\n[  998.394066]  ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[  998.394092]  dp_device_event+0x41/0x80 [openvswitch]\n[  998.394102]  notifier_call_chain+0x5a/0xd0\n[  998.394106]  unregister_netdevice_many_notify+0x51b/0xa60\n[  998.394110]  rtnl_dellink+0x169/0x3e0\n[  998.394121]  ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[  998.394125]  rtnetlink_rcv_msg+0x142/0x3f0\n[  998.394128]  ? avc_has_perm_noaudit+0x69/0xf0\n[  998.394130]  ? 
__pfx_rtnetlink_rcv_msg+0x10/0x10\n[  998.394132]  netlink_rcv_skb+0x50/0x100\n[  998.394138]  netlink_unicast+0x292/0x3f0\n[  998.394141]  netlink_sendmsg+0x21b/0x470\n[  998.394145]  ____sys_sendmsg+0x39d/0x3d0\n[  998.394149]  ___sys_sendmsg+0x9a/0xe0\n[  998.394156]  __sys_sendmsg+0x7a/0xd0\n[  998.394160]  do_syscall_64+0x7f/0x170\n[  998.394162]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  998.394165] RIP: 0033:0x7fad61bf4724\n[  998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[  998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[  998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[  998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[  998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[  998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31508"
        },
        {
          "id": "CVE-2026-31509",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n  nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n    -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n    -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31509"
        },
        {
          "id": "CVE-2026-31510",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n\nBefore using sk pointer, check if it is null.\n\nFix the following:\n\n KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\n CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\n Workqueue: events l2cap_info_timeout\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\n veth0_macvtap: entered promiscuous mode\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS:  0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  __kasan_check_byte+0x12/0x40\n  lock_acquire+0x79/0x2e0\n  lock_sock_nested+0x48/0x100\n  ? l2cap_sock_ready_cb+0x46/0x160\n  l2cap_sock_ready_cb+0x46/0x160\n  l2cap_conn_start+0x779/0xff0\n  ? __pfx_l2cap_conn_start+0x10/0x10\n  ? l2cap_info_timeout+0x60/0xa0\n  ? __pfx___mutex_lock+0x10/0x10\n  l2cap_info_timeout+0x68/0xa0\n  ? process_scheduled_works+0xa8d/0x18c0\n  process_scheduled_works+0xb6e/0x18c0\n  ? __pfx_process_scheduled_works+0x10/0x10\n  ? assign_work+0x3d5/0x5e0\n  worker_thread+0xa53/0xfc0\n  kthread+0x388/0x470\n  ? __pfx_worker_thread+0x10/0x10\n  ? 
__pfx_kthread+0x10/0x10\n  ret_from_fork+0x51e/0xb90\n  ? __pfx_ret_from_fork+0x10/0x10\n veth1_macvtap: entered promiscuous mode\n  ? __switch_to+0xc7d/0x1450\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n batman_adv: batadv0: Interface activated: batadv_slave_0\n batman_adv: batadv0: Interface activated: batadv_slave_1\n netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce\n ieee80211 phy39: Selected rate control algorithm 'minstrel_ht'\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS:  0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31510"
        },
        {
          "id": "CVE-2026-31511",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31511"
        },
        {
          "id": "CVE-2026-31512",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb->data using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31512"
        },
        {
          "id": "CVE-2026-31513",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker's oversized value. Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31513"
        },
        {
          "id": "CVE-2026-31514",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: set fileio bio failed in short read case\n\nFor file-backed mount, IO requests are handled by vfs_iocb_iter_read().\nHowever, it can be interrupted by SIGKILL, returning the number of\nbytes actually copied. Unused folios in bio are unexpectedly marked\nas uptodate.\n\n  vfs_read\n    filemap_read\n      filemap_get_pages\n        filemap_readahead\n          erofs_fileio_readahead\n            erofs_fileio_rq_submit\n              vfs_iocb_iter_read\n                filemap_read\n                  filemap_get_pages  <= detect signal\n              erofs_fileio_ki_complete  <= set all folios uptodate\n\nThis patch addresses this by setting short read bio with an error\ndirectly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31514"
        },
        {
          "id": "CVE-2026-31515",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n <TASK>\n  skb_over_panic net/core/skbuff.c:219 [inline]\n  skb_put+0x159/0x210 net/core/skbuff.c:2655\n  skb_put_zero include/linux/skbuff.h:2788 [inline]\n  set_ipsecrequest net/key/af_key.c:3532 [inline]\n  pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n  km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n  xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n  xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31515"
        },
        {
          "id": "CVE-2026-31516",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: prevent policy_hthresh.work from racing with netns teardown\n\nA XFRM_MSG_NEWSPDINFO request can queue the per-net work item\npolicy_hthresh.work onto the system workqueue.\n\nThe queued callback, xfrm_hash_rebuild(), retrieves the enclosing\nstruct net via container_of(). If the net namespace is torn down\nbefore that work runs, the associated struct net may already have\nbeen freed, and xfrm_hash_rebuild() may then dereference stale memory.\n\nxfrm_policy_fini() already flushes policy_hash_work during teardown,\nbut it does not synchronize policy_hthresh.work.\n\nSynchronize policy_hthresh.work in xfrm_policy_fini() as well, so the\nqueued work cannot outlive the net namespace teardown and access a\nfreed struct net.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31516"
        },
        {
          "id": "CVE-2026-31517",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix skb_put() panic on non-linear skb during reassembly\n\nIn iptfs_reassem_cont(), IP-TFS attempts to append data to the new inner\npacket 'newskb' that is being reassembled. First a zero-copy approach is\ntried if it succeeds then newskb becomes non-linear.\n\nWhen a subsequent fragment in the same datagram does not meet the\nfast-path conditions, a memory copy is performed. It calls skb_put() to\nappend the data and as newskb is non-linear it triggers\nSKB_LINEAR_ASSERT check.\n\n Oops: invalid opcode: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:skb_put+0x3c/0x40\n [...]\n Call Trace:\n  <IRQ>\n  iptfs_reassem_cont+0x1ab/0x5e0 [xfrm_iptfs]\n  iptfs_input_ordered+0x2af/0x380 [xfrm_iptfs]\n  iptfs_input+0x122/0x3e0 [xfrm_iptfs]\n  xfrm_input+0x91e/0x1a50\n  xfrm4_esp_rcv+0x3a/0x110\n  ip_protocol_deliver_rcu+0x1d7/0x1f0\n  ip_local_deliver_finish+0xbe/0x1e0\n  __netif_receive_skb_core.constprop.0+0xb56/0x1120\n  __netif_receive_skb_list_core+0x133/0x2b0\n  netif_receive_skb_list_internal+0x1ff/0x3f0\n  napi_complete_done+0x81/0x220\n  virtnet_poll+0x9d6/0x116e [virtio_net]\n  __napi_poll.constprop.0+0x2b/0x270\n  net_rx_action+0x162/0x360\n  handle_softirqs+0xdc/0x510\n  __irq_exit_rcu+0xe7/0x110\n  irq_exit_rcu+0xe/0x20\n  common_interrupt+0x85/0xa0\n  </IRQ>\n  <TASK>\n\nFix this by checking if the skb is non-linear. If it is, linearize it by\ncalling skb_linearize(). As the initial allocation of newskb originally\nreserved enough tailroom for the entire reassembled packet we do not\nneed to check if we have enough tailroom or extend it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31517"
        },
        {
          "id": "CVE-2026-31518",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31518"
        },
        {
          "id": "CVE-2026-31519",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create\n\nWe have recently observed a number of subvolumes with broken dentries.\nls-ing the parent dir looks like:\n\ndrwxrwxrwt 1 root root 16 Jan 23 16:49 .\ndrwxr-xr-x 1 root root 24 Jan 23 16:48 ..\nd????????? ? ?    ?     ?            ? broken_subvol\n\nand similarly stat-ing the file fails.\n\nIn this state, deleting the subvol fails with ENOENT, but attempting to\ncreate a new file or subvol over it errors out with EEXIST and even\naborts the fs. Which leaves us a bit stuck.\n\ndmesg contains a single notable error message reading:\n\"could not do orphan cleanup -2\"\n\n2 is ENOENT and the error comes from the failure handling path of\nbtrfs_orphan_cleanup(), with the stack leading back up to\nbtrfs_lookup().\n\nbtrfs_lookup\nbtrfs_lookup_dentry\nbtrfs_orphan_cleanup // prints that message and returns -ENOENT\n\nAfter some detailed inspection of the internal state, it became clear\nthat:\n- there are no orphan items for the subvol\n- the subvol is otherwise healthy looking, it is not half-deleted or\n  anything, there is no drop progress, etc.\n- the subvol was created a while ago and does the meaningful first\n  btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much\n  later.\n- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,\n  which results in a negative dentry for the subvolume via\n  d_splice_alias(NULL, dentry), leading to the observed behavior. 
The\n  bug can be mitigated by dropping the dentry cache, at which point we\n  can successfully delete the subvolume if we want.\n\ni.e.,\nbtrfs_lookup()\n  btrfs_lookup_dentry()\n    if (!sb_rdonly(inode->vfs_inode)->vfs_inode)\n    btrfs_orphan_cleanup(sub_root)\n      test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\n      btrfs_search_slot() // finds orphan item for inode N\n      ...\n      prints \"could not do orphan cleanup -2\"\n  if (inode == ERR_PTR(-ENOENT))\n    inode = NULL;\n  return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume\n\nbtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\non the root when it runs, so it cannot run more than once on a given\nroot, so something else must run concurrently. However, the obvious\nroutes to deleting an orphan when nlinks goes to 0 should not be able to\nrun without first doing a lookup into the subvolume, which should run\nbtrfs_orphan_cleanup() and set the bit.\n\nThe final important observation is that create_subvol() calls\nd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if\nthe dentry cache gets dropped, the next lookup into the subvolume will\nmake a real call into btrfs_orphan_cleanup() for the first time. This\nopens up the possibility of concurrently deleting the inode/orphan items\nbut most typical evict() paths will be holding a reference on the parent\ndentry (child dentry holds parent->d_lockref.count via dget in\nd_alloc(), released in __dentry_kill()) and prevent the parent from\nbeing removed from the dentry cache.\n\nThe one exception is delayed iputs. Ordered extent creation calls\nigrab() on the inode. If the file is unlinked and closed while those\nrefs are held, iput() in __dentry_kill() decrements i_count but does\nnot trigger eviction (i_count > 0). 
The child dentry is freed and the\nsubvol dentry's d_lockref.count drops to 0, making it evictable while\nthe inode is still alive.\n\nSince there are two races (the race between writeback and unlink and\nthe race between lookup and delayed iputs), and there are too many moving\nparts, the following three diagrams show the complete picture.\n(Only the second and third are races)\n\nPhase 1:\nCreate Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set\n\nbtrfs_mksubvol()\n  lookup_one_len()\n    __lookup_slow()\n      d_alloc_parallel()\n        __d_alloc() // d_lockref.count = 1\n  create_subvol(dentry)\n    // doesn't touch the bit..\n    d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31519"
        },
        {
          "id": "CVE-2026-31520",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: avoid memory leak in apple_report_fixup()\n\nThe apple_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the caller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31520"
        },
        {
          "id": "CVE-2026-31521",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: Fix kernel panic when a symbol st_shndx is out of bounds\n\nThe module loader doesn't check for bounds of the ELF section index in\nsimplify_symbols():\n\n       for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {\n\t\tconst char *name = info->strtab + sym[i].st_name;\n\n\t\tswitch (sym[i].st_shndx) {\n\t\tcase SHN_COMMON:\n\n\t\t[...]\n\n\t\tdefault:\n\t\t\t/* Divert to percpu allocation if a percpu var. */\n\t\t\tif (sym[i].st_shndx == info->index.pcpu)\n\t\t\t\tsecbase = (unsigned long)mod_percpu(mod);\n\t\t\telse\n  /** HERE --> **/\t\tsecbase = info->sechdrs[sym[i].st_shndx].sh_addr;\n\t\t\tsym[i].st_value += secbase;\n\t\t\tbreak;\n\t\t}\n\t}\n\nA symbol with an out-of-bounds st_shndx value, for example 0xffff\n(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:\n\n  BUG: unable to handle page fault for address: ...\n  RIP: 0010:simplify_symbols+0x2b2/0x480\n  ...\n  Kernel panic - not syncing: Fatal exception\n\nThis can happen when module ELF is legitimately using SHN_XINDEX or\nwhen it is corrupted.\n\nAdd a bounds check in simplify_symbols() to validate that st_shndx is\nwithin the valid range before using it.\n\nThis issue was discovered due to a bug in llvm-objcopy, see relevant\ndiscussion for details [1].\n\n[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31521"
        },
        {
          "id": "CVE-2026-31522",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: avoid memory leak in magicmouse_report_fixup()\n\nThe magicmouse_report_fixup() function was returning a\nnewly kmemdup()-allocated buffer, but never freeing it.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it *is* permitted to return a sub-portion of the input\nrdesc, whose lifetime is managed by the caller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31522"
        },
        {
          "id": "CVE-2026-31523",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: ensure we're polling a polled queue\n\nA user can change the polled queue count at run time. There's a brief\nwindow during a reset where a hipri task may try to poll that queue\nbefore the block layer has updated the queue maps, which would race with\nthe now interrupt driven queue and may cause double completions.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31523"
        },
        {
          "id": "CVE-2026-31524",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: avoid memory leak in asus_report_fixup()\n\nThe asus_report_fixup() function was returning a newly allocated\nkmemdup()-allocated buffer, but never freeing it.  Switch to\ndevm_kzalloc() to ensure the memory is managed and freed automatically\nwhen the device is removed.\n\nThe caller of report_fixup() does not take ownership of the returned\npointer, but it is permitted to return a pointer whose lifetime is at\nleast that of the input buffer.\n\nAlso fix a harmless out-of-bounds read by copying only the original\ndescriptor size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31524"
        },
        {
          "id": "CVE-2026-31525",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN\n\nThe BPF interpreter's signed 32-bit division and modulo handlers use\nthe kernel abs() macro on s32 operands. The abs() macro documentation\n(include/linux/math.h) explicitly states the result is undefined when\nthe input is the type minimum. When DST contains S32_MIN (0x80000000),\nabs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged\non arm64/x86. This value is then sign-extended to u64 as\n0xFFFFFFFF80000000, causing do_div() to compute the wrong result.\n\nThe verifier's abstract interpretation (scalar32_min_max_sdiv) computes\nthe mathematically correct result for range tracking, creating a\nverifier/interpreter mismatch that can be exploited for out-of-bounds\nmap value access.\n\nIntroduce abs_s32() which handles S32_MIN correctly by casting to u32\nbefore negating, avoiding signed overflow entirely. Replace all 8\nabs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.\n\ns32 is the only affected case -- the s64 division/modulo handlers do\nnot use abs().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31525"
        },
        {
          "id": "CVE-2026-31526",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exception exit lock checking for subprogs\n\nprocess_bpf_exit_full() passes check_lock = !curframe to\ncheck_resource_leak(), which is false in cases when bpf_throw() is\ncalled from a static subprog. This makes check_resource_leak() skip\nvalidation of active_rcu_locks, active_preempt_locks, and\nactive_irq_id on exception exits from subprogs.\n\nAt runtime bpf_throw() unwinds the stack via ORC without releasing any\nuser-acquired locks, which may cause various issues as a result.\n\nFix by setting check_lock = true for exception exits regardless of\ncurframe, since exceptions bypass all intermediate frame\ncleanup. Update the error message prefix to \"bpf_throw\" for exception\nexits to distinguish them from normal BPF_EXIT.\n\nFix reject_subprog_with_rcu_read_lock test which was previously\npassing for the wrong reason. Test program returned directly from the\nsubprog call without closing the RCU section, so the error was\ntriggered by the unclosed RCU lock on normal exit, not by\nbpf_throw. Update __msg annotations for affected tests to match the\nnew \"bpf_throw\" error prefix.\n\nThe spin_lock case is not affected because they are already checked [1]\nat the call site in do_check_insn() before bpf_throw can run.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31526"
        },
        {
          "id": "CVE-2026-31527",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31527"
        },
        {
          "id": "CVE-2026-31528",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Make sure to use pmu_ctx->pmu for groups\n\nOliver reported that x86_pmu_del() ended up doing an out-of-bounds memory access\nwhen group_sched_in() fails and needs to roll back.\n\nThis *should* be handled by the transaction callbacks, but he found that when\nthe group leader is a software event, the transaction handlers of the wrong PMU\nare used. Despite the move_group case in perf_event_open() and group_sched_in()\nusing pmu_ctx->pmu.\n\nTurns out, inherit uses event->pmu to clone the events, effectively undoing the\nmove_group case for all inherited contexts. Fix this by also making inherit use\npmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.\n\nSimilarly, __perf_event_read() should equally use pmu_ctx->pmu for the\ngroup case.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31528"
        },
        {
          "id": "CVE-2026-31529",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix leakage in __construct_region()\n\nFailing the first sysfs_update_group() needs to explicitly\nkfree the resource as it is too early for cxl_region_iomem_release()\nto do so.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31529",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31530",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use after free of parent_port in cxl_detach_ep()\n\ncxl_detach_ep() is called during bottom-up removal when all CXL memory\ndevices beneath a switch port have been removed. For each port in the\nhierarchy it locks both the port and its parent, removes the endpoint,\nand if the port is now empty, marks it dead and unregisters the port\nby calling delete_switch_port(). There are two places during this work\nwhere the parent_port may be used after freeing:\n\nFirst, a concurrent detach may have already processed a port by the\ntime a second worker finds it via bus_find_device(). Without pinning\nparent_port, it may already be freed when we discover port->dead and\nattempt to unlock the parent_port. In a production kernel that's a\nsilent memory corruption, with lock debug, it looks like this:\n\n[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())\n[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310\n[]Call Trace:\n[]mutex_unlock+0xd/0x20\n[]cxl_detach_ep+0x180/0x400 [cxl_core]\n[]devm_action_release+0x10/0x20\n[]devres_release_all+0xa8/0xe0\n[]device_unbind_cleanup+0xd/0xa0\n[]really_probe+0x1a6/0x3e0\n\nSecond, delete_switch_port() releases three devm actions registered\nagainst parent_port. The last of those is unregister_port() and it\ncalls device_unregister() on the child port, which can cascade. If\nparent_port is now also empty the device core may unregister and free\nit too. So by the time delete_switch_port() returns, parent_port may\nbe free, and the subsequent device_unlock(&parent_port->dev) operates\non freed memory. The kernel log looks same as above, with a different\noffset in cxl_detach_ep().\n\nBoth of these issues stem from the absence of a lifetime guarantee\nbetween a child port and its parent port.\n\nEstablish a lifetime rule for ports: child ports hold a reference to\ntheir parent device until release. Take the reference when the port\nis allocated and drop it when released. This ensures the parent is\nvalid for the full lifetime of the child and eliminates the use after\nfree window in cxl_detach_ep().\n\nThis is easily reproduced with a reload of cxl_acpi in QEMU with CXL\ndevices present.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31530"
        },
        {
          "id": "CVE-2026-31531",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()\n\nWhen querying a nexthop object via RTM_GETNEXTHOP, the kernel currently\nallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for\nsingle nexthops and small Equal-Cost Multi-Path groups, this fixed\nallocation fails for large nexthop groups like 512 nexthops.\n\nThis results in the following warning splat:\n\n WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608\n [...]\n RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)\n [...]\n Call Trace:\n  <TASK>\n  rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)\n  ___sys_sendmsg (net/socket.c:2641)\n  __sys_sendmsg (net/socket.c:2671)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  </TASK>\n\nFix this by allocating the size dynamically using nh_nlmsg_size() and\nusing nlmsg_new(), this is consistent with nexthop_notify() behavior. In\naddition, adjust nh_nlmsg_size_grp() so it calculates the size needed\nbased on flags passed. While at it, also add the size of NHA_FDB for\nnexthop group size calculation as it was missing too.\n\nThis cannot be reproduced via iproute2 as the group size is currently\nlimited and the command fails as follows:\n\naddattr_l ERROR: message exceeded bound of 1048",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31531"
        },
        {
          "id": "CVE-2026-31532",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro->uniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro->uniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro->uniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31532"
        },
        {
          "id": "CVE-2026-31533",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31533"
        },
        {
          "id": "CVE-2026-31535",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic of managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might have already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a dedicated counter for the\navailable credits, which will be incremented\nwhen we post new recv buffers and drained when\nwe grant the credits to the peer.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31535"
        },
        {
          "id": "CVE-2026-31536",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: let send_done handle a completion without IB_SEND_SIGNALED\n\nWith smbdirect_send_batch processing we likely have requests without\nIB_SEND_SIGNALED, which will be destroyed in the final request\nthat has IB_SEND_SIGNALED set.\n\nIf the connection is broken all requests are signaled\neven without explicit IB_SEND_SIGNALED.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31536"
        },
        {
          "id": "CVE-2026-31537",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.send_io.bcredits\n\nIt turns out that our code will corrupt the stream of\nreassembled data transfer messages when we trigger an\nimmediate (empty) send.\n\nIn order to fix this we'll have a single 'batch' credit per\nconnection. And code getting that credit is free to use\nas many messages until remaining_length reaches 0, then\nthe batch credit is given back and the next logical send can\nhappen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31537"
        },
        {
          "id": "CVE-2026-31538",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: make use of smbdirect_socket.recv_io.credits.available\n\nThe logic of managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might have already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a dedicated counter for the\navailable credits, which will be incremented\nwhen we post new recv buffers and drained when\nwe grant the credits to the peer.\n\nThis fixes a regression Namjae reported with\nthe 6.18 release.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31538"
        },
        {
          "id": "CVE-2026-31539",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: smbdirect: introduce smbdirect_socket.recv_io.credits.available\n\nThe logic of managing recv credits by counting posted recv_io and\ngranted credits is racy.\n\nThat's because the peer might have already consumed a credit,\nbut between receiving the incoming recv at the hardware\nand processing the completion in the 'recv_done' functions\nwe likely have a window where we grant credits, which\ndon't really exist.\n\nSo we better have a dedicated counter for the\navailable credits, which will be incremented\nwhen we post new recv buffers and drained when\nwe grant the credits to the peer.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31539"
        },
        {
          "id": "CVE-2026-31540",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Check set_default_submission() before dereferencing\n\nWhen the i915 driver firmware binaries are not present, the\nset_default_submission pointer is not set. This pointer is\ndereferenced during suspend anyway.\n\nAdd a check to make sure it is set before dereferencing.\n\n[   23.289926] PM: suspend entry (deep)\n[   23.293558] Filesystems sync: 0.000 seconds\n[   23.298010] Freezing user space processes\n[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)\n[   23.309766] OOM killer disabled.\n[   23.313027] Freezing remaining freezable tasks\n[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)\n[   23.342038] serial 00:05: disabled\n[   23.345719] serial 00:02: disabled\n[   23.349342] serial 00:01: disabled\n[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache\n[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache\n[   23.361635] ata1.00: Entering standby power mode\n[   23.368863] ata2.00: Entering standby power mode\n[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   23.452194] #PF: supervisor instruction fetch in kernel mode\n[   23.457896] #PF: error_code(0x0010) - not-present page\n[   23.463065] PGD 0 P4D 0\n[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI\n[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)\n[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[   23.496511] Workqueue: async async_run_entry_fn\n[   23.501087] RIP: 0010:0x0\n[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246\n[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f\n[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000\n[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff\n[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8\n[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68\n[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000\n[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0\n[   23.572539] PKRU: 55555554\n[   23.575281] Call Trace:\n[   23.577770]  <TASK>\n[   23.579905]  intel_engines_reset_default_submission+0x42/0x60\n[   23.585695]  __intel_gt_unset_wedged+0x191/0x200\n[   23.590360]  intel_gt_unset_wedged+0x20/0x40\n[   23.594675]  gt_sanitize+0x15e/0x170\n[   23.598290]  i915_gem_suspend_late+0x6b/0x180\n[   23.602692]  i915_drm_suspend_late+0x35/0xf0\n[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10\n[   23.611843]  dpm_run_callback+0x78/0x1c0\n[   23.615817]  device_suspend_late+0xde/0x2e0\n[   23.620037]  async_suspend_late+0x18/0x30\n[   23.624082]  async_run_entry_fn+0x25/0xa0\n[   23.628129]  process_one_work+0x15b/0x380\n[   23.632182]  worker_thread+0x2a5/0x3c0\n[   23.635973]  ? __pfx_worker_thread+0x10/0x10\n[   23.640279]  kthread+0xf6/0x1f0\n[   23.643464]  ? __pfx_kthread+0x10/0x10\n[   23.647263]  ? __pfx_kthread+0x10/0x10\n[   23.651045]  ret_from_fork+0x131/0x190\n[   23.654837]  ? __pfx_kthread+0x10/0x10\n[   23.658634]  ret_from_fork_asm+0x1a/0x30\n[   23.662597]  </TASK>\n[   23.664826] Modules linked in:\n[   23.667914] CR2: 0000000000000000\n[   23.671271] ------------[ cut here ]------------\n\n(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31540"
        },
        {
          "id": "CVE-2026-31541",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstance's buffer. When the option is set, that instance's trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations use an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that it's removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at whether the list is empty.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31541"
        },
        {
          "id": "CVE-2026-31542",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/platform/uv: Handle deconfigured sockets\n\nWhen a socket is deconfigured, it's mapped to SOCK_EMPTY (0xffff). This causes\na panic while allocating UV hub info structures.\n\nFix this by using NUMA_NO_NODE, allowing UV hub info structures to be\nallocated on valid nodes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31542"
        },
        {
          "id": "CVE-2026-31543",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrash_dump: don't log dm-crypt key bytes in read_key_from_user_keying\n\nWhen debug logging is enabled, read_key_from_user_keying() logs the first\n8 bytes of the key payload and partially exposes the dm-crypt key.  Stop\nlogging any key bytes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31543"
        },
        {
          "id": "CVE-2026-31544",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix NULL dereference on notify error path\n\nSince commit b5daf93b809d1 (\"firmware: arm_scmi: Avoid notifier\nregistration for unsupported events\") the call chains leading to the helper\n__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to\nget a handler for the requested event key, while the current helper can\nstill return a NULL when no handler could be found or created.\n\nFix by forcing an ERR_PTR return value when the handler reference is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31544"
        },
        {
          "id": "CVE-2026-31545",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nxp-nci: allow GPIOs to sleep\n\nAllow the firmware and enable GPIOs to sleep.\n\nThis fixes a `WARN_ON' and allows the driver to operate GPIOs which are\nconnected to I2C GPIO expanders.\n\n-- >8 --\nkernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98\n-- >8 --",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31545"
        },
        {
          "id": "CVE-2026-31546",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisits client_info->slave without checking if it's NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info->slave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be triggered in\nbond_debug_rlb_hash_show:\n\n[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[    1.295897] Call Trace:\n[    1.296134]  seq_read_iter (fs/seq_file.c:231)\n[    1.296341]  seq_read (fs/seq_file.c:164)\n[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[    1.296658]  vfs_read (fs/read_write.c:572)\n[    1.296981]  ksys_read (fs/read_write.c:717)\n[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31546"
        },
        {
          "id": "CVE-2026-31547",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix missing runtime PM reference in ccs_mode_store\n\nccs_mode_store() calls xe_gt_reset() which internally invokes\nxe_pm_runtime_get_noresume(). That function requires the caller\nto already hold an outer runtime PM reference and warns if none\nis held:\n\n  [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection\n  [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at\n  xe_pm_runtime_get_noresume+0x8b/0xc0\n\nFix this by protecting xe_gt_reset() with the scope-based\nguard(xe_pm_runtime)(xe), which is the preferred form when\nthe reference lifetime matches a single scope.\n\nv2:\n- Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng)\n- Update commit message accordingly\n\n(cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31547",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31548",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down\n\nWhen the nl80211 socket that originated a PMSR request is\nclosed, cfg80211_release_pmsr() sets the request's nl_portid\nto zero and schedules pmsr_free_wk to process the abort\nasynchronously. If the interface is concurrently torn down\nbefore that work runs, cfg80211_pmsr_wdev_down() calls\ncfg80211_pmsr_process_abort() directly. However, the already-\nscheduled pmsr_free_wk work item remains pending and may run\nafter the interface has been removed from the driver. This\ncould cause the driver's abort_pmsr callback to operate on a\ntorn-down interface, leading to undefined behavior and\npotential crashes.\n\nCancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()\nbefore calling cfg80211_pmsr_process_abort(). This ensures any\npending or in-progress work is drained before interface teardown\nproceeds, preventing the work from invoking the driver abort\ncallback after the interface is gone.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31548"
        },
        {
          "id": "CVE-2026-31549",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cp2615: fix serial string NULL-deref at probe\n\nThe cp2615 driver uses the USB device serial string as the i2c adapter\nname but does not make sure that the string exists.\n\nVerify that the device has a serial number before accessing it to avoid\ntriggering a NULL-pointer dereference (e.g. with malicious devices).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31549"
        },
        {
          "id": "CVE-2026-31550",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: bcm: bcm2835-power: Increase ASB control timeout\n\nThe bcm2835_asb_control() function uses a tight polling loop to wait\nfor the ASB bridge to acknowledge a request. During intensive workloads,\nthis handshake intermittently fails for V3D's master ASB on BCM2711,\nresulting in \"Failed to disable ASB master for v3d\" errors during\nruntime PM suspend. As a consequence, the failed power-off leaves V3D in\na broken state, leading to bus faults or system hangs on later accesses.\n\nAs the timeout is insufficient in some scenarios, increase the polling\ntimeout from 1us to 5us, which is still negligible in the context of a\npower domain transition. Also, replace the open-coded ktime_get_ns()/\ncpu_relax() polling loop with readl_poll_timeout_atomic().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31550"
        },
        {
          "id": "CVE-2026-31551",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Fix static_branch_dec() underflow for aql_disable.\n\nsyzbot reported static_branch_dec() underflow in aql_enable_write(). [0]\n\nThe problem is that aql_enable_write() does not serialise concurrent\nwrite()s to the debugfs.\n\naql_enable_write() checks static_key_false(&aql_disable.key) and\nlater calls static_branch_inc() or static_branch_dec(), but the\nstate may change between the two calls.\n\naql_disable does not need to track inc/dec.\n\nLet's use static_branch_enable() and static_branch_disable().\n\n[0]:\nval == 0\nWARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288\nModules linked in:\nCPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)\nTainted: [U]=USER, [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026\nRIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311\nCode: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00\nRSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4\nRDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000\nRBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a\nR13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98\nFS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]\n __static_key_slow_dec kernel/jump_label.c:321 [inline]\n static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336\n aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343\n short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383\n vfs_write+0x2aa/0x1070 fs/read_write.c:684\n ksys_pwrite64 fs/read_write.c:793 [inline]\n __do_sys_pwrite64 fs/read_write.c:801 [inline]\n __se_sys_pwrite64 fs/read_write.c:798 [inline]\n __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f530cf9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012\nRAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9\nRDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010\nRBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31551"
        },
        {
          "id": "CVE-2026-31552",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom\n\nSince upstream commit e75665dd0968 (\"wifi: wlcore: ensure skb headroom\nbefore skb_push\"), wl1271_tx_allocate() and with it\nwl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.\nHowever, in wlcore_tx_work_locked(), a return value of -EAGAIN from\nwl1271_prepare_tx_frame() is interpreted as the aggregation buffer being\nfull. This causes the code to flush the buffer, put the skb back at the\nhead of the queue, and immediately retry the same skb in a tight while\nloop.\n\nBecause wlcore_tx_work_locked() holds wl->mutex, and the retry happens\nimmediately with GFP_ATOMIC, this will result in an infinite loop and a\nCPU soft lockup. Return -ENOMEM instead so the packet is dropped and\nthe loop terminates.\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31552"
        },
        {
          "id": "CVE-2026-31553",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()\n\nUsing \"(u64 __user *)hva + offset\" to get the virtual addresses of S1/S2\ndescriptors looks really wrong, if offset is not zero. What we want to get\nfor swapping is hva + offset, not hva + offset*8. ;-)\n\nFix it.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31553",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31554",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Require sys_futex_requeue() to have identical flags\n\nNicholas reported that his LLM found it was possible to create a UaF\nwhen sys_futex_requeue() is used with different flags. The initial\nmotivation for allowing different flags was the variable sized futex,\nbut since that hasn't been merged (yet), simply mandate the flags are\nidentical, as is the case for the old style sys_futex() requeue\noperations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31554"
        },
        {
          "id": "CVE-2026-31555",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzing/stressing futexes triggered:\n\n    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n  CPU0\t\t\t     CPU1\t\t       CPU2\n  futex_lock_pi(uaddr)\n  // acquires the PI futex\n  exit()\n    futex_cleanup_begin()\n      futex_state = EXITING;\n\t\t\t     futex_lock_pi(uaddr)\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t   // observes EXITING\n\t\t\t\t   *exiting = owner;  // takes ref\n\t\t\t\t   return -EBUSY\n\t\t\t       wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct();   // drops ref\n\t\t\t       // exiting still points to owner\n\t\t\t       goto retry;\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t   cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t   // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t       wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31555"
        },
        {
          "id": "CVE-2026-31556",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: scrub: unlock dquot before early return in quota scrub\n\nxchk_quota_item can return early after calling xchk_fblock_process_error.\nWhen that helper returns false, the function returned immediately without\ndropping dq->q_qlock, which can leave the dquot lock held and risk lock\nleaks or deadlocks in later quota operations.\n\nFix this by unlocking dq->q_qlock before the early return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31556"
        },
        {
          "id": "CVE-2026-31557",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n  nvmet_execute_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\n  nvmet_add_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n  nvmet_rdma_cm_handler()\n     nvmet_rdma_queue_disconnect()\n       __nvmet_rdma_queue_disconnect()\n         queue_work(nvmet_wq, &queue->release_work)\n           process_one_work()\n             lock((wq_completion)nvmet-wq)  <--------- 1st\n             nvmet_rdma_release_queue_work()\n\nC. Recursive path (same worker):\n  nvmet_rdma_release_queue_work()\n     nvmet_rdma_free_queue()\n       nvmet_sq_destroy()\n         nvmet_ctrl_put()\n           nvmet_ctrl_free()\n             flush_work(&ctrl->async_event_work)\n               __flush_work()\n                 touch_wq_lockdep_map()\n                 lock((wq_completion)nvmet-wq) <--------- 2nd\n\nLockdep splat:\n\n  ============================================\n  WARNING: possible recursive locking detected\n  6.19.0-rc3nvme+ #14 Tainted: G                 N\n  --------------------------------------------\n  kworker/u192:42/44933 is trying to acquire lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n  but task is already holding lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n  3 locks held by kworker/u192:42/44933:\n   #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n   #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n   #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n  Call Trace:\n   __flush_work+0x268/0x530\n   nvmet_ctrl_free+0x140/0x310 [nvmet]\n   nvmet_cq_put+0x74/0x90 [nvmet]\n   nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n   nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n   process_one_work+0x206/0x660\n   worker_thread+0x184/0x320\n   kthread+0x10c/0x240\n   ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31557"
        },
        {
          "id": "CVE-2026-31558",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust\n\nkvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so\ncpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this\ncase so as to make it more robust.\n\nThis fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31558"
        },
        {
          "id": "CVE-2026-31559",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix missing NULL checks for kstrdup()\n\n1. Replace \"of_find_node_by_path(\"/\")\" with \"of_root\" to avoid multiple\ncalls to \"of_node_put()\".\n\n2. Fix a potential kernel oops during early boot when memory allocation\nfails while parsing CPU model from device tree.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31559"
        },
        {
          "id": "CVE-2026-31560",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-dw-dma: fix print error log when wait finish transaction\n\nIf an error occurs, the device may not have a current message. In this\ncase, the system will crash.\n\nIn this case, it's better to use dev from the struct ctlr (struct spi_controller*).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31560"
        },
        {
          "id": "CVE-2026-31561",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31561"
        },
        {
          "id": "CVE-2026-31562",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register\n\nThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,\nwhich uses dev_get_drvdata to retrieve the mtk_dsi struct, so this\nstructure needs to be stored inside the driver data before invoking it.\n\nAs drvdata is currently uninitialized it leads to a crash when\nregistering the DSI DRM encoder right after acquiring\nthe mode_config.idr_mutex, blocking all subsequent DRM operations.\n\nFixes the following crash during mediatek-drm probe (tested on Xiaomi\nSmart Clock x04g):\n\nUnable to handle kernel NULL pointer dereference at virtual address\n 0000000000000040\n[...]\nModules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib\n drm_dma_helper drm_kms_helper panel_simple\n[...]\nCall trace:\n drm_mode_object_add+0x58/0x98 (P)\n __drm_encoder_init+0x48/0x140\n drm_encoder_init+0x6c/0xa0\n drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]\n mtk_dsi_bind+0x34/0x13c [mediatek_drm]\n component_bind_all+0x120/0x280\n mtk_drm_bind+0x284/0x67c [mediatek_drm]\n try_to_bring_up_aggregate_device+0x23c/0x320\n __component_add+0xa4/0x198\n component_add+0x14/0x20\n mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]\n mipi_dsi_attach+0x2c/0x50\n panel_simple_dsi_probe+0x4c/0x9c [panel_simple]\n mipi_dsi_drv_probe+0x1c/0x28\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __device_attach_driver+0xbc/0x17c\n bus_for_each_drv+0x88/0xf0\n __device_attach+0x9c/0x1cc\n device_initial_probe+0x54/0x60\n bus_probe_device+0x34/0xa0\n device_add+0x5b0/0x800\n mipi_dsi_device_register_full+0xdc/0x16c\n mipi_dsi_host_register+0xc4/0x17c\n mtk_dsi_probe+0x10c/0x260 [mediatek_drm]\n platform_probe+0x5c/0xa4\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __driver_attach+0xc8/0x1f8\n bus_for_each_dev+0x7c/0xe0\n driver_attach+0x24/0x30\n bus_add_driver+0x11c/0x240\n driver_register+0x68/0x130\n __platform_register_drivers+0x64/0x160\n mtk_drm_init+0x24/0x1000 [mediatek_drm]\n do_one_initcall+0x60/0x1d0\n do_init_module+0x54/0x240\n load_module+0x1838/0x1dc0\n init_module_from_file+0xd8/0xf0\n __arm64_sys_finit_module+0x1b4/0x428\n invoke_syscall.constprop.0+0x48/0xc8\n do_el0_svc+0x3c/0xb8\n el0_svc+0x34/0xe8\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31562"
        },
        {
          "id": "CVE-2026-31563",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Use dev_consume_skb_any() to free TX SKBs\n\nThe napi_consume_skb() function is not intended to be called in an IRQ\ndisabled context. However, after commit 6bc8a5098bf4 (\"net: macb: Fix\ntx_ptr_lock locking\"), the freeing of TX SKBs is performed with IRQs\ndisabled. To resolve the following call trace, use dev_consume_skb_any()\nfor freeing TX SKBs:\n   WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15\n   Modules linked in:\n   CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT\n   Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n   pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : __local_bh_enable_ip+0x174/0x188\n   lr : local_bh_enable+0x24/0x38\n   sp : ffff800082b3bb10\n   x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0\n   x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80\n   x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000\n   x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001\n   x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000\n   x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650\n   x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258\n   x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000\n   x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\n   x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc\n   Call trace:\n    __local_bh_enable_ip+0x174/0x188 (P)\n    local_bh_enable+0x24/0x38\n    skb_attempt_defer_free+0x190/0x1d8\n    napi_consume_skb+0x58/0x108\n    macb_tx_poll+0x1a4/0x558\n    __napi_poll+0x50/0x198\n    net_rx_action+0x1f4/0x3d8\n    handle_softirqs+0x16c/0x560\n    run_ksoftirqd+0x44/0x80\n    smpboot_thread_fn+0x1d8/0x338\n    kthread+0x120/0x150\n    ret_from_fork+0x10/0x20\n   irq event stamp: 29751\n   hardirqs last  enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88\n   hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98\n   softirqs last  enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560\n   softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31563"
        },
        {
          "id": "CVE-2026-31564",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix base address calculation in kvm_eiointc_regs_access()\n\nIn function kvm_eiointc_regs_access(), the register base address is\ncalculated from array base address plus offset, the offset is an absolute\nvalue from the base address. The data type of array base address is\nu64, it should be converted into the \"void *\" type and then plus the\noffset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31564",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31565",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix deadlock during netdev reset with active connections\n\nResolve deadlock that occurs when user executes netdev reset while RDMA\napplications (e.g., rping) are active. The netdev reset causes ice\ndriver to remove irdma auxiliary driver, triggering device_delete and\nsubsequent client removal. During client removal, uverbs_client waits\nfor QP reference count to reach zero while cma_client holds the final\nreference, creating circular dependency and indefinite wait in iWARP\nmode. Skip QP reference count wait during device reset to prevent\ndeadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31565"
        },
        {
          "id": "CVE-2026-31566",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31566"
        },
        {
          "id": "CVE-2026-31567",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask()\n\nCommit 35e4a69b2003f (\"PM: sleep: Allow pm_restrict_gfp_mask()\nstacking\") introduced refcount-based GFP mask management that warns\nwhen pm_restore_gfp_mask() is called with saved_gfp_count == 0.\n\nSome hibernation paths call pm_restore_gfp_mask() defensively where\nthe GFP mask may or may not be restricted depending on the execution\npath. For example, the uswsusp interface invokes it in\nSNAPSHOT_CREATE_IMAGE, SNAPSHOT_UNFREEZE, and snapshot_release().\nBefore the stacking change this was a silent no-op; it now triggers\na spurious WARNING.\n\nRemove the WARN_ON() wrapper from the !saved_gfp_count check while\nretaining the check itself, so that defensive calls remain harmless\nwithout producing false warnings.\n\n[ rjw: Subject tweak ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31567"
        },
        {
          "id": "CVE-2026-31568",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Add missing secure storage access fixups for donated memory\n\nThere are special cases where secure storage access exceptions happen\nin a kernel context for pages that don't have the PG_arch_1 bit\nset. That bit is set for non-exported guest secure storage (memory)\nbut is absent on storage donated to the Ultravisor since the kernel\nisn't allowed to export donated pages.\n\nPrior to this patch we would try to export the page by calling\narch_make_folio_accessible() which would instantly return since the\narch bit is absent signifying that the page was already exported and\nno further action is necessary. This leads to secure storage access\nexception loops which can never be resolved.\n\nWith this patch we unconditionally try to export and if that fails we\nfixup.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31568"
        },
        {
          "id": "CVE-2026-31569",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Handle the case that EIOINTC's coremap is empty\n\nEIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently\nwe get a cpuid with -1 in this case, but we actually need 0 because it's\nsimilar as the case that cpuid >= 4.\n\nThis fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31569"
        },
        {
          "id": "CVE-2026-31570",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n    int from = calc_idx(crc8->from_idx, cf->len);\n    int to   = calc_idx(crc8->to_idx,   cf->len);\n    int res  = calc_idx(crc8->result_idx, cf->len);\n\n    if (from < 0 || to < 0 || res < 0)\n        return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n    for (i = crc8->from_idx; ...)        /* BUG: raw negative index */\n    cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31570"
        },
        {
          "id": "CVE-2026-31571",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Unlink NV12 planes earlier\n\nunlink_nv12_plane() will clobber parts of the plane state\npotentially already set up by plane_atomic_check(), so we\nmust make sure not to call the two in the wrong order.\nThe problem happens when a plane previously selected as\na Y plane is now configured as a normal plane by user space.\nplane_atomic_check() will first compute the proper plane\nstate based on the userspace request, and unlink_nv12_plane()\nlater clears some of the state.\n\nThis used to work on account of unlink_nv12_plane() skipping\nthe state clearing based on the plane visibility. But I removed\nthat check, thinking it was an impossible situation. Now when\nthat situation happens unlink_nv12_plane() will just WARN\nand proceed to clobber the state.\n\nRather than reverting to the old way of doing things, I think\nit's more clear if we unlink the NV12 planes before we even\ncompute the new plane state.\n\n(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31571"
        },
        {
          "id": "CVE-2026-31572",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: amdisp: Fix resume-probe race condition issue\n\nIdentified resume-probe race condition in kernel v7.0 with the commit\n38fa29b01a6a (\"i2c: designware: Combine the init functions\"),but this\nissue existed from the beginning though not detected.\n\nThe amdisp i2c device requires ISP to be in power-on state for probe\nto succeed. To meet this requirement, this device is added to genpd\nto control ISP power using runtime PM. The pm_runtime_get_sync() called\nbefore i2c_dw_probe() triggers PM resume, which powers on ISP and also\ninvokes the amdisp i2c runtime resume before the probe completes resulting\nin this race condition and a NULL dereferencing issue in v7.0\n\nFix this race condition by using the genpd APIs directly during probe:\n  - Call dev_pm_genpd_resume() to Power ON ISP before probe\n  - Call dev_pm_genpd_suspend() to Power OFF ISP after probe\n  - Set the device to suspended state with pm_runtime_set_suspended()\n  - Enable runtime PM only after the device is fully initialized",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31572"
        },
        {
          "id": "CVE-2026-31573",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: Fix kernel panic due to __initconst misuse\n\nFix a kernel panic when probing the driver as a module:\n\n  Unable to handle kernel paging request at virtual address\n  ffffd9c18eb05000\n  of_find_matching_node_and_match+0x5c/0x1a0\n  hantro_probe+0x2f4/0x7d0 [hantro_vpu]\n\nThe imx8mq_vpu_shared_resources array is referenced by variant\nstructures through their shared_devices field. When built as a\nmodule, __initconst causes this data to be freed after module\ninit, but it's later accessed during probe, causing a page fault.\n\nThe imx8mq_vpu_shared_resources is referenced from non-init code,\nso keeping __initconst or __initconst_or_module here is wrong.\n\nDrop the __initconst annotation and let it live in the normal .rodata\nsection.\n\nA bug of __initconst called from regular non-init probe code\nleading to bugs during probe deferrals or during unbind-bind cycles.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31573",
          "detail": "fixed-version",
          "description": "only affects 6.19.6 onwards"
        },
        {
          "id": "CVE-2026-31574",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclockevents: Add missing resets of the next_event_forced flag\n\nThe prevention mechanism against timer interrupt starvation missed to reset\nthe next_event_forced flag in a couple of places:\n\n    - When the clock event state changes. That can cause the flag to be\n      stale over a shutdown/startup sequence\n\n    - When a non-forced event is armed, which then prevents rearming before\n      that event. If that event is far out in the future this will cause\n      missed timer interrupts.\n\n    - In the suspend wakeup handler.\n\nThat led to stalls which have been reported by several people.\n\nAdd the missing resets, which fixes the problems for the reporters.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31574",
          "detail": "fixed-version",
          "description": "only affects 7.0 onwards"
        },
        {
          "id": "CVE-2026-31575",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix hugetlb fault mutex hash calculation\n\nIn mfill_atomic_hugetlb(), linear_page_index() is used to calculate the\npage index for hugetlb_fault_mutex_hash().  However, linear_page_index()\nreturns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()\nexpects the index in huge page units.  This mismatch means that different\naddresses within the same huge page can produce different hash values,\nleading to the use of different mutexes for the same huge page.  This can\ncause races between faulting threads, which can corrupt the reservation\nmap and trigger the BUG_ON in resv_map_release().\n\nFix this by introducing hugetlb_linear_page_index(), which returns the\npage index in huge page granularity, and using it in place of\nlinear_page_index().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31575"
        },
        {
          "id": "CVE-2026-31576",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hackrf: fix to not free memory after the device is registered in hackrf_probe()\n\nIn hackrf driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nhackrf_probe()\n  kzalloc(); // alloc hackrf_dev\n  ....\n  v4l2_device_register();\n  ....\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open hackrf fd\n\t\t\t\t\t\t....\n  v4l2_device_unregister();\n  ....\n  kfree(); // free hackrf_dev\n  ....\n\t\t\t\t\t\tsys_ioctl(fd, ...);\n\t\t\t\t\t\t  v4l2_ioctl();\n\t\t\t\t\t\t    video_is_registered() // UAF!!\n\t\t\t\t\t\t....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  v4l2_release() // UAF!!\n\t\t\t\t\t\t    hackrf_video_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a V4L2 or video device is unregistered, the device node is removed so\nnew open() calls are blocked.\n\nHowever, file descriptors that are already open-and any in-flight I/O-do\nnot terminate immediately; they remain valid until the last reference is\ndropped and the driver's release() is invoked.\n\nTherefore, freeing device memory on the error path after hackrf_probe()\nhas registered dev it will lead to a race to use-after-free vuln, since\nthose already-open handles haven't been released yet.\n\nAnd since release() free memory too, race to use-after-free and\ndouble-free vuln occur.\n\nTo prevent this, if device is registered from probe(), it should be\nmodified to free memory only through release() rather than calling\nkfree() directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31576"
        },
        {
          "id": "CVE-2026-31577",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode's btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31577"
        },
        {
          "id": "CVE-2026-31578",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n  kzalloc(); // alloc as102_dev_t\n  ....\n  usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n  usb_deregister_dev();\n  ....\n  kfree(); // free as102_dev_t\n  ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t  as102_release() // UAF!!\n\t\t\t\t\t\t    as102_usb_release()\n\t\t\t\t\t\t      kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver's .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --> as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31578"
        },
        {
          "id": "CVE-2026-31579",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31579"
        },
        {
          "id": "CVE-2026-31580",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix cached_dev.sb_bio use-after-free and crash\n\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n\n```\n[6888366.280350] Call Trace:\n[6888366.280452]  blk_update_request+0x14e/0x370\n[6888366.280561]  blk_mq_end_request+0x1a/0x130\n[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903]  __complete_request+0x22/0x70 [libceph]\n[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164]  ? inet_recvmsg+0x5b/0xd0\n[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]\n```\n\nAfter analyzing the coredump file, we found that the address of\ndc->sb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\n\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime.  If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\n\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\n\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31580"
        },
        {
          "id": "CVE-2026-31581",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: fix use-after-free on disconnect\n\nIn usb6fire_chip_abort(), the chip struct is allocated as the card's\nprivate data (via snd_card_new with sizeof(struct sfire_chip)).  When\nsnd_card_free_when_closed() is called and no file handles are open, the\ncard and embedded chip are freed synchronously.  The subsequent\nchip->card = NULL write then hits freed slab memory.\n\nCall trace:\n  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]\n  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182\n  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458\n  ...\n  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953\n\nFix by moving the card lifecycle out of usb6fire_chip_abort() and into\nusb6fire_chip_disconnect().  The card pointer is saved in a local\nbefore any teardown, snd_card_disconnect() is called first to prevent\nnew opens, URBs are aborted while chip is still valid, and\nsnd_card_free_when_closed() is called last so chip is never accessed\nafter the card may be freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31581"
        },
        {
          "id": "CVE-2026-31582",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (powerz) Fix use-after-free on USB disconnect\n\nAfter powerz_disconnect() frees the URB and releases the mutex, a\nsubsequent powerz_read() call can acquire the mutex and call\npowerz_read_data(), which dereferences the freed URB pointer.\n\nFix by:\n - Setting priv->urb to NULL in powerz_disconnect() so that\n   powerz_read_data() can detect the disconnected state.\n - Adding a !priv->urb check at the start of powerz_read_data()\n   to return -ENODEV on a disconnected device.\n - Moving usb_set_intfdata() before hwmon registration so the\n   disconnect handler can always find the priv pointer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31582"
        },
        {
          "id": "CVE-2026-31583",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,\ncreating a race with em28xx_v4l2_init()'s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev->v4l2 to NULL under dev->lock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,\n   since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n   v4l2->norm, since dev->v4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev->v4l2 read and\nadding a NULL check for dev->v4l2 under the lock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31583"
        },
        {
          "id": "CVE-2026-31584",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx->encode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n    CPU 0 (release path)               CPU 1 (workqueue)\n    ---------------------               ------------------\n    fops_vcodec_release()\n      v4l2_m2m_ctx_release()\n        v4l2_m2m_cancel_job()\n        // waits for m2m job \"done\"\n                                        mtk_venc_worker()\n                                          v4l2_m2m_job_finish()\n                                          // m2m job \"done\"\n                                          // BUT worker still running!\n                                          // post-job_finish access:\n                                        other ctx dereferences\n                                          // UAF if ctx already freed\n        // returns (job \"done\")\n      kfree(ctx)  // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n  queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)\nThe worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n  BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n  Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n  Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n  Allocated by task 47:\n    __kasan_kmalloc+0x7f/0x90\n    fops_vcodec_open+0x85/0x1a0\n\n  Freed by task 47:\n    __kasan_slab_free+0x43/0x70\n    kfree+0xee/0x3a0\n    fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(&ctx->list). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31584"
        },
        {
          "id": "CVE-2026-31585",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds > 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb->streaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n  vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n  vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n  vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n  vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n  vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31585"
        },
        {
          "id": "CVE-2026-31586",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    <TASK>\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31586"
        },
        {
          "id": "CVE-2026-31587",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31587"
        },
        {
          "id": "CVE-2026-31588",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\n\nWhen exiting to userspace to service an emulated MMIO write, copy the\nto-be-written value to a scratch field in the MMIO fragment if the size\nof the data payload is 8 bytes or less, i.e. can fit in a single chunk,\ninstead of pointing the fragment directly at the source value.\n\nThis fixes a class of use-after-free bugs that occur when the emulator\ninitiates a write using an on-stack, local variable as the source, the\nwrite splits a page boundary, *and* both pages are MMIO pages.  Because\nKVM's ABI only allows for physically contiguous MMIO requests, accesses\nthat split MMIO pages are separated into two fragments, and are sent to\nuserspace one at a time.  When KVM attempts to complete userspace MMIO in\nresponse to KVM_RUN after the first fragment, KVM will detect the second\nfragment and generate a second userspace exit, and reference the on-stack\nvariable.\n\nThe issue is most visible if the second KVM_RUN is performed by a separate\ntask, in which case the stack of the initiating task can show up as truly\nfreed data.\n\n  ==================================================================\n  BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420\n  Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984\n\n  CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace:\n  dump_stack+0xbe/0xfd\n  print_address_description.constprop.0+0x19/0x170\n  __kasan_report.cold+0x6c/0x84\n  kasan_report+0x3a/0x50\n  check_memory_region+0xfd/0x1f0\n  memcpy+0x20/0x60\n  complete_emulated_mmio+0x305/0x420\n  kvm_arch_vcpu_ioctl_run+0x63f/0x6d0\n  kvm_vcpu_ioctl+0x413/0xb20\n  __se_sys_ioctl+0x111/0x160\n  
do_syscall_64+0x30/0x40\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n  RIP: 0033:0x42477d\n  Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d\n  RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005\n  RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c\n  R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720\n\n  The buggy address belongs to the page:\n  page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37\n  flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n  raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000\n  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n  ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                                                   ^\n  ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n  ==================================================================\n\nThe bug can also be reproduced with a targeted KVM-Unit-Test by hacking\nKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by\noverwriting the data value with garbage.\n\nLimit the use of the scratch fields to 8-byte or smaller accesses, and to\njust writes, as larger accesses and reads are not affected thanks to\nimplementation details in the emulator, but add a sanity check to ensure\nthose details don't change in the future.  
Specifically, KVM never uses\non-stack variables for accesses larger than 8 bytes, e.g. uses an operand\nin the emulator context, and *al\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31588"
        },
        {
          "id": "CVE-2026-31589",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call ->free_folio() directly in folio_unmap_invalidate()\n\nWe can only call filemap_free_folio() if we have a reference to (or hold a\nlock on) the mapping.  Otherwise, we've already removed the folio from the\nmapping so it no longer pins the mapping and the mapping can be removed,\ncausing a use-after-free when accessing mapping->a_ops.\n\nFollow the same pattern as __remove_mapping() and load the free_folio\nfunction pointer before dropping the lock on the mapping.  That lets us\nmake filemap_free_folio() static as this was the only caller outside\nfilemap.c.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31589"
        },
        {
          "id": "CVE-2026-31590",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivial to trigger from userspace, e.g. by doing:\n\n  struct kvm_enc_region range = {\n          .addr = 0,\n          .size = -1ul,\n  };\n\n  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX.  That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31590"
        },
        {
          "id": "CVE-2026-31591",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Lock all vCPUs when synchronizing VMSAs for SNP launch finish\n\nLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as\nallowing userspace to manipulate and/or run a vCPU while its state is being\nsynchronized would at best corrupt vCPU state, and at worst crash the host\nkernel.\n\nOpportunistically assert that vcpu->mutex is held when synchronizing its\nVMSA (the SEV-ES path already locks vCPUs).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31591"
        },
        {
          "id": "CVE-2026-31592",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock\n\nTake and hold kvm->lock before checking sev_guest() in\nsev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock\nis held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't\nrollback state).  If KVM_SEV_INIT{2} fails, KVM can end up trying to add to\na not-yet-initialized sev->regions_list, e.g. triggering a #GP\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G     U  W  O        6.16.0-smp-DEV #1 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n  RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83\n  Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00\n  RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256\n  RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000\n  RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000\n  RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000\n  R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000\n  R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000\n  FS:  00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371\n   kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363\n   __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x6f/0x1f0 
../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f34e9f7e9a9\n  Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9\n  RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007\n  RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8\n   </TASK>\n\nwith a syzlang reproducer that looks like:\n\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async)\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB=\"...\"], 0x4f}) (async)\n  r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)\n  r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)\n  r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)\n  r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)\n  ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)\n  ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async)\n  ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)\n  r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)\n  openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)\n  ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async)\n  r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)\n  close(r0) (async)\n  openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async)\n  ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)\n  ioctl$KVM_RUN(r5, 0xae80, 0x0)\n\nOpportunistically use guard() to avoid having to define a new error label\nand goto usage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31592"
        },
        {
          "id": "CVE-2026-31593",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU\n\nReject synchronizing vCPU state to its associated VMSA if the vCPU has\nalready been launched, i.e. if the VMSA has already been encrypted.  On a\nhost with SNP enabled, accessing guest-private memory generates an RMP #PF\nand panics the host.\n\n  BUG: unable to handle page fault for address: ff1276cbfdf36000\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x80000003) - RMP violation\n  PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163\n  SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]\n  Oops: Oops: 0003 [#1] SMP NOPTI\n  CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G           OE\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023\n  RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]\n  Call Trace:\n   <TASK>\n   snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]\n   snp_launch_finish+0xb6/0x380 [kvm_amd]\n   sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]\n   kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]\n   kvm_vm_ioctl+0x3fd/0xcc0 [kvm]\n   __x64_sys_ioctl+0xa3/0x100\n   x64_sys_call+0xfe0/0x2350\n   do_syscall_64+0x81/0x10f0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7ffff673287d\n   </TASK>\n\nNote, the KVM flaw has been present since commit ad73109ae7ec (\"KVM: SVM:\nProvide support to launch and run an SEV-ES guest\"), but has only been\nactively dangerous for the host since SNP support was added.  With SEV-ES,\nKVM would \"just\" clobber guest state, which is totally fine from a host\nkernel perspective since userspace can clobber guest state any time before\nsev_launch_update_vmsa().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31593"
        },
        {
          "id": "CVE-2026-31594",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to perform later. This leads to an oops when .allow_link fails\nor when .drop_link is performed. The following is an example oops of the\nformer case:\n\n  Unable to handle kernel paging request at virtual address dead000000000108\n  [...]\n  [dead000000000108] address between user and kernel address ranges\n  Internal error: Oops: 0000000096000044 [#1]  SMP\n  [...]\n  Call trace:\n   pci_epc_remove_epf+0x78/0xe0 (P)\n   pci_primary_epc_epf_link+0x88/0xa8\n   configfs_symlink+0x1f4/0x5a0\n   vfs_symlink+0x134/0x1d8\n   do_symlinkat+0x88/0x138\n   __arm64_sys_symlinkat+0x74/0xe0\n  [...]\n\nRemove the helper, and drop pci_epc_put(). EPC device refcounting is\ntied to the configfs EPC group lifetime, and pci_epc_put() in the\n.drop_link path is sufficient.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31594"
        },
        {
          "id": "CVE-2026-31595",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup\n\nDisable the delayed work before clearing BAR mappings and doorbells to\navoid running the handler after resources have been torn down.\n\n  Unable to handle kernel paging request at virtual address ffff800083f46004\n  [...]\n  Internal error: Oops: 0000000096000007 [#1]  SMP\n  [...]\n  Call trace:\n   epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)\n   process_one_work+0x154/0x3b0\n   worker_thread+0x2c8/0x400\n   kthread+0x148/0x210\n   ret_from_fork+0x10/0x20",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31595"
        },
        {
          "id": "CVE-2026-31596",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle invalid dinode in ocfs2_group_extend\n\n[BUG]\nkernel BUG at fs/ocfs2/resize.c:308!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308\nCode: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe\nCall Trace:\n ...\n ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583\n x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\n[CAUSE]\nocfs2_group_extend() assumes that the global bitmap inode block\nreturned from ocfs2_inode_lock() has already been validated and\nBUG_ONs when the signature is not a dinode. That assumption is too\nstrong for crafted filesystems because the JBD2-managed buffer path\ncan bypass structural validation and return an invalid dinode to the\nresize ioctl.\n\n[FIX]\nValidate the dinode explicitly in ocfs2_group_extend(). If the global\nbitmap buffer does not contain a valid dinode, report filesystem\ncorruption with ocfs2_error() and fail the resize operation instead of\ncrashing the kernel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31596"
        },
        {
          "id": "CVE-2026-31597",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\n\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\n  \"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock\n  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\n\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\n\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31597"
        },
        {
          "id": "CVE-2026-31598",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix possible deadlock between unlink and dio_end_io_write\n\nocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,\nwhile in ocfs2_dio_end_io_write, it acquires these locks in reverse order.\nThis creates an ABBA lock ordering violation on lock classes\nocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and\nocfs2_file_ip_alloc_sem_key.\n\nLock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):\nocfs2_unlink\n  ocfs2_prepare_orphan_dir\n    ocfs2_lookup_lock_orphan_dir\n      inode_lock(orphan_dir_inode) <- lock A\n    __ocfs2_prepare_orphan_dir\n      ocfs2_prepare_dir_for_insert\n        ocfs2_extend_dir\n\t  ocfs2_expand_inline_dir\n\t    down_write(&oi->ip_alloc_sem) <- Lock B\n\nLock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):\nocfs2_dio_end_io_write\n  down_write(&oi->ip_alloc_sem) <- Lock B\n  ocfs2_del_inode_from_orphan()\n    inode_lock(orphan_dir_inode) <- Lock A\n\nDeadlock Scenario:\n  CPU0 (unlink)                     CPU1 (dio_end_io_write)\n  ------                            ------\n  inode_lock(orphan_dir_inode)\n                                    down_write(ip_alloc_sem)\n  down_write(ip_alloc_sem)\n                                    inode_lock(orphan_dir_inode)\n\nSince ip_alloc_sem protects allocation changes, which are unrelated\nto operations in ocfs2_del_inode_from_orphan, move\nocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31598"
        },
        {
          "id": "CVE-2026-31599",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n <TASK>\n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31599"
        },
        {
          "id": "CVE-2026-31600",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: Handle invalid large leaf mappings correctly\n\nIt has been possible for a long time to mark ptes in the linear map as\ninvalid. This is done for secretmem, kfence, realm dma memory un/share,\nand others, by simply clearing the PTE_VALID bit. But until commit\na166563e7ec37 (\"arm64: mm: support large block mapping when\nrodata=full\") large leaf mappings were never made invalid in this way.\n\nIt turns out various parts of the code base are not equipped to handle\ninvalid large leaf mappings (in the way they are currently encoded) and\nI've observed a kernel panic while booting a realm guest on a\nBBML2_NOABORT system as a result:\n\n[   15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers\n[   15.476896] Unable to handle kernel paging request at virtual address ffff000019600000\n[   15.513762] Mem abort info:\n[   15.527245]   ESR = 0x0000000096000046\n[   15.548553]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   15.572146]   SET = 0, FnV = 0\n[   15.592141]   EA = 0, S1PTW = 0\n[   15.612694]   FSC = 0x06: level 2 translation fault\n[   15.640644] Data abort info:\n[   15.661983]   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n[   15.694875]   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[   15.723740]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000\n[   15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704\n[   15.855046] Internal error: Oops: 0000000096000046 [#1]  SMP\n[   15.886394] Modules linked in:\n[   15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT\n[   15.935258] Hardware name: linux,dummy-virt (DT)\n[   15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   15.986009] pc : __pi_memcpy_generic+0x128/0x22c\n[   
16.006163] lr : swiotlb_bounce+0xf4/0x158\n[   16.024145] sp : ffff80008000b8f0\n[   16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000\n[   16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000\n[   16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0\n[   16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc\n[   16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974\n[   16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[   16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018\n[   16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000\n[   16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000\n[   16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000\n[   16.349071] Call trace:\n[   16.360143]  __pi_memcpy_generic+0x128/0x22c (P)\n[   16.380310]  swiotlb_tbl_map_single+0x154/0x2b4\n[   16.400282]  swiotlb_map+0x5c/0x228\n[   16.415984]  dma_map_phys+0x244/0x2b8\n[   16.432199]  dma_map_page_attrs+0x44/0x58\n[   16.449782]  virtqueue_map_page_attrs+0x38/0x44\n[   16.469596]  virtqueue_map_single_attrs+0xc0/0x130\n[   16.490509]  virtnet_rq_alloc.isra.0+0xa4/0x1fc\n[   16.510355]  try_fill_recv+0x2a4/0x584\n[   16.526989]  virtnet_open+0xd4/0x238\n[   16.542775]  __dev_open+0x110/0x24c\n[   16.558280]  __dev_change_flags+0x194/0x20c\n[   16.576879]  netif_change_flags+0x24/0x6c\n[   16.594489]  dev_change_flags+0x48/0x7c\n[   16.611462]  ip_auto_config+0x258/0x1114\n[   16.628727]  do_one_initcall+0x80/0x1c8\n[   16.645590]  kernel_init_freeable+0x208/0x2f0\n[   16.664917]  kernel_init+0x24/0x1e0\n[   16.680295]  ret_from_fork+0x10/0x20\n[   16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)\n[   16.723106] ---[ end trace 0000000000000000 ]---\n[   16.752866] Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x0000000b\n[   16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31600"
        },
        {
          "id": "CVE-2026-31601",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/xe: Reorganize the init to decouple migration from reset\n\nAttempting to issue reset on VF devices that don't support migration\nleads to the following:\n\n  BUG: unable to handle page fault for address: 00000000000011f8\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S   U              7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)\n  Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n  Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n  RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]\n  Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89\n  RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202\n  RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800\n  R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0\n  FS:  00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]\n   pci_dev_restore+0x3b/0x80\n   pci_reset_function+0x109/0x140\n   reset_store+0x5c/0xb0\n   dev_attr_store+0x17/0x40\n   sysfs_kf_write+0x72/0x90\n   kernfs_fop_write_iter+0x161/0x1f0\n   vfs_write+0x261/0x440\n   ksys_write+0x69/0xf0\n   
__x64_sys_write+0x19/0x30\n   x64_sys_call+0x259/0x26e0\n   do_syscall_64+0xcb/0x1500\n   ? __fput+0x1a2/0x2d0\n   ? fput_close_sync+0x3d/0xa0\n   ? __x64_sys_close+0x3e/0x90\n   ? x64_sys_call+0x1b7c/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? __task_pid_nr_ns+0x68/0x100\n   ? __do_sys_getpid+0x1d/0x30\n   ? x64_sys_call+0x10b5/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? putname+0x41/0x90\n   ? do_faccessat+0x1e8/0x300\n   ? __x64_sys_access+0x1c/0x30\n   ? x64_sys_call+0x1822/0x26e0\n   ? do_syscall_64+0x109/0x1500\n   ? tick_program_event+0x43/0xa0\n   ? hrtimer_interrupt+0x126/0x260\n   ? irqentry_exit+0xb2/0x710\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7877d5f1c5a4\n  Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89\n  RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n  RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4\n  RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009\n  RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9\n  R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0\n   </TASK>\n\nThis is caused by the fact that some of the xe_vfio_pci_core_device\nmembers needed for handling reset are only initialized as part of\nmigration init.\n\nFix the problem by reorganizing the code to decouple VF init from\nmigration init.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31601",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31602",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Limit PTP to a single page\n\nCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256\nplayback streams, but the additional pages are not used by the card\ncorrectly. The CT20K2 hardware already has multiple VMEM_PTPAL\nregisters, but using them separately would require refactoring the\nentire virtual memory allocation logic.\n\nct_vm_map() always uses PTEs in vm->ptp[0].area regardless of\nCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When\naggregate memory allocations exceed this limit, ct_vm_map() tries to\naccess beyond the allocated space and causes a page fault:\n\n  BUG: unable to handle page fault for address: ffffd4ae8a10a000\n  Oops: Oops: 0002 [#1] SMP PTI\n  RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]\n  Call Trace:\n  atc_pcm_playback_prepare+0x225/0x3b0\n  ct_pcm_playback_prepare+0x38/0x60\n  snd_pcm_do_prepare+0x2f/0x50\n  snd_pcm_action_single+0x36/0x90\n  snd_pcm_action_nonatomic+0xbf/0xd0\n  snd_pcm_ioctl+0x28/0x40\n  __x64_sys_ioctl+0x97/0xe0\n  do_syscall_64+0x81/0x610\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count\nremain unchanged.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31602"
        },
        {
          "id": "CVE-2026-31603",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: sm750fb: fix division by zero in ps_to_hz()\n\nps_to_hz() is called from hw_sm750_crtc_set_mode() without validating\nthat pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO\ncauses a division by zero.\n\nFix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent\nwith other framebuffer drivers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31603"
        },
        {
          "id": "CVE-2026-31604",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot release it on all probe errors (e.g. when descriptor parsing\nfails).\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31604"
        },
        {
          "id": "CVE-2026-31605",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31605"
        },
        {
          "id": "CVE-2026-31606",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: don't call cdev_init while cdev in use\n\nWhen calling unbind, then bind again, cdev_init reinitialized the cdev,\neven though there may still be references to it. That's the case when\nthe /dev/hidg* device is still opened. This obviously unsafe behavior\nlike oopses.\n\nThis fixes this by using cdev_alloc to put the cdev on the heap. That\nway, we can simply allocate a new one in hidg_bind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31606"
        },
        {
          "id": "CVE-2026-31607",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb->number_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb->iso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n  The buggy address is located 0 bytes to the right of\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu->number_of_packets against\nurb->number_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31607"
        },
        {
          "id": "CVE-2026-31608",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()\n\nsmb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),\nso we should not call it again after post_sendmsg()\nmoved it to the batch list.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31608"
        },
        {
          "id": "CVE-2026-31609",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()\n\nsmbd_send_batch_flush() already calls smbd_free_send_io(),\nso we should not call it again after smbd_post_send()\nmoved it to the batch list.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31609"
        },
        {
          "id": "CVE-2026-31610",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix mechToken leak when SPNEGO decode fails after token alloc\n\nThe kernel ASN.1 BER decoder calls action callbacks incrementally as it\nwalks the input.  When ksmbd_decode_negTokenInit() reaches the mechToken\n[2] OCTET STRING element, ksmbd_neg_token_alloc() allocates\nconn->mechToken immediately via kmemdup_nul().  If a later element in\nthe same blob is malformed, then the decoder will return nonzero after\nthe allocation is already live.  This could happen if mechListMIC [3]\noverruns the enclosing SEQUENCE.\n\ndecode_negotiation_token() then sets conn->use_spnego = false because\nboth the negTokenInit and negTokenTarg grammars failed.  The cleanup at\nthe bottom of smb2_sess_setup() is gated on use_spnego:\n\n\tif (conn->use_spnego && conn->mechToken) {\n\t\tkfree(conn->mechToken);\n\t\tconn->mechToken = NULL;\n\t}\n\nso the kfree is skipped, causing the mechToken to never be freed.\n\nThis codepath is reachable pre-authentication, so untrusted clients can\ncause slow memory leaks on a server without even being properly\nauthenticated.\n\nFix this up by not checking for use_spnego, as it's not required,\nso the memory will always be properly freed.  At the same time, always\nfree the memory in ksmbd_conn_free() in case some other failure path\nforgot to free it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31610"
        },
        {
          "id": "CVE-2026-31611",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require 3 sub-authorities before reading sub_auth[2]\n\nparse_dacl() compares each ACE SID against sid_unix_NFS_mode and on\nmatch reads sid.sub_auth[2] as the file mode.  If sid_unix_NFS_mode is\nthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares\nonly min(num_subauth, 2) sub-authorities so a client SID with\nnum_subauth = 2 and sub_auth = {88, 3} will match.\n\nIf num_subauth = 2 and the ACE is placed at the very end of the security\ndescriptor, sub_auth[2] will be  4 bytes past end_of_acl.  The\nout-of-band bytes will then be masked to the low 9 bits and applied as\nthe file's POSIX mode, probably not something that is good to have\nhappen.\n\nFix this up by forcing the SID to actually carry a third sub-authority\nbefore reading it at all.",
          "scorev2": "0.0",
          "scorev3": "8.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31611"
        },
        {
          "id": "CVE-2026-31612",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate EaNameLength in smb2_get_ea()\n\nsmb2_get_ea() reads ea_req->EaNameLength from the client request and\npasses it directly to strncmp() as the comparison length without\nverifying that the length of the name really is the size of the input\nbuffer received.\n\nFix this up by properly checking the size of the name based on the value\nreceived and the overall size of the request, to prevent a later\nstrncmp() call to use the length as a \"trusted\" size of the buffer.\nWithout this check, uninitialized heap values might be slowly leaked to\nthe client.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31612"
        },
        {
          "id": "CVE-2026-31613",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB reads parsing symlink error response\n\nWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()\nreturns success without any length validation, leaving the symlink\nparsers as the only defense against an untrusted server.\n\nsymlink_data() walks SMB 3.1.1 error contexts with the loop test \"p <\nend\", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset\n0.  When the server-controlled ErrorDataLength advances p to within 1-7\nbytes of end, the next iteration will read past it.  When the matching\ncontext is found, sym->SymLinkErrorTag is read at offset 4 from\np->ErrorContextData with no check that the symlink header itself fits.\n\nsmb2_parse_symlink_response() then bounds-checks the substitute name\nusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from\niov_base.  That value is computed as sizeof(smb2_err_rsp) +\nsizeof(smb2_symlink_err_rsp), which is correct only when\nErrorContextCount == 0.\n\nWith at least one error context the symlink data sits 8 bytes deeper,\nand each skipped non-matching context shifts it further by 8 +\nALIGN(ErrorDataLength, 8).  The check is too short, allowing the\nsubstitute name read to run past iov_len.  The out-of-bound heap bytes\nare UTF-16-decoded into the symlink target and returned to userspace via\nreadlink(2).\n\nFix this all up by making the loops test require the full context header\nto fit, rejecting sym if its header runs past end, and bound the\nsubstitute name against the actual position of sym->PathBuffer rather\nthan a fixed offset.\n\nBecause sub_offs and sub_len are 16bits, the pointer math will not\noverflow here with the new greater-than.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31613"
        },
        {
          "id": "CVE-2026-31614",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix off-by-8 bounds check in check_wsl_eas()\n\nThe bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\nname and value, but ea_data sits at offset sizeof(struct\nsmb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()\nlater reads ea->ea_data[0..nlen-1] and the value bytes follow at\nea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1\n+ vlen.  Isn't pointer math fun?\n\nThe earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the\n8-byte header is in bounds, but since the last EA is placed within 8\nbytes of the end of the response, the name and value bytes are read past\nthe end of iov.\n\nFix this mess all up by using ea->ea_data as the base for the bounds\ncheck.\n\nAn \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\ninto the EA name comparison and influence which WSL xattr the data is\ninterpreted as.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31614"
        },
        {
          "id": "CVE-2026-31615",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31615"
        },
        {
          "id": "CVE-2026-31616",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info->frags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req->actual < req->length,\nwhere req->length is set to PAGE_SIZE by the gadget.  If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag().  Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb->frags overflow in RX path\").",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31616"
        },
        {
          "id": "CVE-2026-31617",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size.  With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP.  This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31617"
        },
        {
          "id": "CVE-2026-31618",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31618"
        },
        {
          "id": "CVE-2026-31619",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: fireworks: bound device-supplied status before string array lookup\n\nThe status field in an EFW response is a 32-bit value supplied by the\nfirewire device.  efr_status_names[] has 17 entries so a status value\noutside that range goes off into the weeds when looking at the %s value.\n\nEven worse, the status could return EFR_STATUS_INCOMPLETE which is\n0x80000000, and is obviously not in that array of potential strings.\n\nFix this up by properly bounding the index against the array size and\nprinting \"unknown\" if it's not recognized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31619"
        },
        {
          "id": "CVE-2026-31620",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usx2y: us144mkii: fix NULL deref on missing interface 0\n\nA malicious USB device with the TASCAM US-144MKII device id can have a\nconfiguration containing bInterfaceNumber=1 but no interface 0.  USB\nconfiguration descriptors are not required to assign interface numbers\nsequentially, so usb_ifnum_to_if(dev, 0) will return NULL, which will\nthen be dereferenced directly.\n\nFix this up by checking the return value properly.",
          "scorev2": "0.0",
          "scorev3": "4.6",
          "scorev4": "0.0",
          "vector": "PHYSICAL",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31620"
        },
        {
          "id": "CVE-2026-31621",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return.  The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd->auxr_dev = NULL and frees the underlying object.  The subsequent\nbd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31621",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31622",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: Bounds check NFC-A cascade depth in SDD response handler\n\nThe NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3\nor 4 bytes to target->nfcid1 on each round, but the number of cascade\nrounds is controlled entirely by the peer device.  The peer sets the\ncascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the\ncascade-incomplete bit in the SEL_RES (deciding whether another round\nfollows).\n\nISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is\nsized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver\nactually enforces this.  This means a malicious peer can keep the\ncascade running, writing past the heap-allocated nfc_target with each\nround.\n\nFix this by rejecting the response when the accumulated UID would exceed\nthe buffer.\n\nCommit e329e71013c9 (\"NFC: nci: Bounds check struct nfc_target arrays\")\nfixed similar missing checks against the same field on the NCI path.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31622"
        },
        {
          "id": "CVE-2026-31623",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached.  This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31623"
        },
        {
          "id": "CVE-2026-31624",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device.  The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31624"
        },
        {
          "id": "CVE-2026-31625",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: alps: fix NULL pointer dereference in alps_raw_event()\n\nCommit ecfa6f34492c (\"HID: Add HID_CLAIMED_INPUT guards in raw_event\ncallbacks missing them\") attempted to fix up the HID drivers that had\nmissed the previous fix that was done in 2ff5baa9b527 (\"HID: appleir:\nFix potential NULL dereference at raw event handle\"), but the alps\ndriver was missed.\n\nFix this up by properly checking in the hid-alps driver that it had been\nclaimed correctly before attempting to process the raw event.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31625"
        },
        {
          "id": "CVE-2026-31626",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31626"
        },
        {
          "id": "CVE-2026-31627",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: s3c24xx: check the size of the SMBUS message before using it\n\nThe first byte of an i2c SMBUS message is the size, and it should be\nverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX\nbefore processing it.\n\nThis is the same logic that was added in commit a6e04f05ce0b (\"i2c:\ntegra: check msg length in SMBUS block read\") to the i2c tegra driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31627"
        },
        {
          "id": "CVE-2026-31628",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1's hardware divider can leave, under certain circumstances, partial\nresults from previous operations.  Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31628"
        },
        {
          "id": "CVE-2026-31629",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31629"
        },
        {
          "id": "CVE-2026-31630",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n  [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n  explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n  mapped-v4 example",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31630"
        },
        {
          "id": "CVE-2026-31631",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix buffer overread in rxgk_do_verify_authenticator()\n\nFix rxgk_do_verify_authenticator() to check the buffer size before checking\nthe nonce.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31631"
        },
        {
          "id": "CVE-2026-31632",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix leak of rxgk context in rxgk_verify_response()\n\nFix rxgk_verify_response() to clean up the rxgk context it creates.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31632"
        },
        {
          "id": "CVE-2026-31633",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix integer overflow in rxgk_verify_response()\n\nIn rxgk_verify_response(), there's a potential integer overflow due to\nrounding up token_len before checking it, thereby allowing the length check to\nbe bypassed.\n\nFix this by checking the unrounded value against len too (len is limited as\nthe response must fit in a single UDP packet).",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31633"
        },
        {
          "id": "CVE-2026-31634",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx->securities is already set.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31634"
        },
        {
          "id": "CVE-2026-31635",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix oversized RESPONSE authenticator length check\n\nrxgk_verify_response() decodes auth_len from the packet and is supposed\nto verify that it fits in the remaining bytes. The existing check is\ninverted, so oversized RESPONSE authenticators are accepted and passed\nto rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an\nimpossible length and hit BUG_ON(len).\n\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\n\nRIP: __skb_to_sgvec()\n  [net/core/skbuff.c:5285 (discriminator 1)]\nCall Trace:\n skb_to_sgvec() [net/core/skbuff.c:5305]\n rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]\n rxgk_verify_response() [net/rxrpc/rxgk.c:1268]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n process_one_work() [kernel/workqueue.c:3281]\n worker_thread()\n   [kernel/workqueue.c:3353 kernel/workqueue.c:3440]\n kthread() [kernel/kthread.c:436]\n ret_from_fork() [arch/x86/kernel/process.c:164]\n\nReject authenticator lengths that exceed the remaining packet payload.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31635"
        },
        {
          "id": "CVE-2026-31636",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix RESPONSE authenticator parser OOB read\n\nrxgk_verify_authenticator() copies auth_len bytes into a temporary\nbuffer and then passes p + auth_len as the parser limit to\nrxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the\nparser end pointer by a factor of four and lets malformed RESPONSE\nauthenticators read past the kmalloc() buffer.\n\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\n\nBUG: KASAN: slab-out-of-bounds in rxgk_verify_response()\nCall Trace:\n dump_stack_lvl() [lib/dump_stack.c:123]\n print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]\n kasan_report() [mm/kasan/report.c:597]\n rxgk_verify_response()\n   [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167\n    net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n process_one_work() [kernel/workqueue.c:3281]\n worker_thread()\n   [kernel/workqueue.c:3353 kernel/workqueue.c:3440]\n kthread() [kernel/kthread.c:436]\n ret_from_fork() [arch/x86/kernel/process.c:164]\n\nAllocated by task 54:\n rxgk_verify_response()\n   [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155\n    net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n   [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n    net/rxrpc/conn_event.c:386]\n\nConvert the byte count to __be32 units before constructing the parser\nlimit.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31636"
        },
        {
          "id": "CVE-2026-31637",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption fails.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31637"
        },
        {
          "id": "CVE-2026-31638",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Only put the call ref if one was acquired\n\nrxrpc_input_packet_on_conn() can process a to-client packet after the\ncurrent client call on the channel has already been torn down.  In that\ncase chan->call is NULL, rxrpc_try_get_call() returns NULL and there is\nno reference to drop.\n\nThe client-side implicit-end error path does not account for that and\nunconditionally calls rxrpc_put_call().  This turns a protocol error\npath into a kernel crash instead of rejecting the packet.\n\nOnly drop the call reference if one was actually acquired.  Keep the\nexisting protocol error handling unchanged.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31638"
        },
        {
          "id": "CVE-2026-31639",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key reference count leak from call->key\n\nWhen creating a client call in rxrpc_alloc_client_call(), the code obtains\na reference to the key.  This is never cleaned up and gets leaked when the\ncall is destroyed.\n\nFix this by freeing call->key in rxrpc_destroy_call().\n\nBefore the patch, it shows the key reference counter elevated:\n\n$ cat /proc/keys | grep afs@54321\n1bffe9cd I--Q--i 8053480 4169w 3b010000  1000  1000 rxrpc     afs@54321: ka\n$\n\nAfter the patch, the invalidated key is removed when the code exits:\n\n$ cat /proc/keys | grep afs@54321\n$",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31639"
        },
        {
          "id": "CVE-2026-31640",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix use of wrong skb when comparing queued RESP challenge serial\n\nIn rxrpc_post_response(), the code should be comparing the challenge serial\nnumber from the cached response before deciding to switch to a newer\nresponse, but looks at the newer packet private data instead, rendering the\ncomparison always false.\n\nFix this by switching to look at the older packet.\n\nFix further[1] to substitute the new packet in place of the old one if\nnewer and also to release whichever we don't use.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31640"
        },
        {
          "id": "CVE-2026-31641",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix RxGK token loading to check bounds\n\nrxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length\nfrom the XDR token as u32 values and passes each through round_up(x, 4)\nbefore using the rounded value for validation and allocation.  When the raw\nlength is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and\nkzalloc both use 0 while the subsequent memcpy still copies the original\n~4 GiB value, producing a heap buffer overflow reachable from an\nunprivileged add_key() call.\n\nFix this by:\n\n (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket\n     lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with\n     the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.\n\n (2) Sizing the flexible-array allocation from the validated raw key\n     length via struct_size_t() instead of the rounded value.\n\n (3) Caching the raw lengths so that the later field assignments and\n     memcpy calls do not re-read from the token, eliminating a class of\n     TOCTOU re-parse.\n\nThe control path (valid token with lengths within bounds) is unaffected.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31641"
        },
        {
          "id": "CVE-2026-31642",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call removal to use RCU safe deletion\n\nFix rxrpc call removal from the rxnet->calls list to use list_del_rcu()\nrather than list_del_init() to prevent stuffing up reading\n/proc/net/rxrpc/calls from potentially getting into an infinite loop.\n\nThis, however, means that list_empty() no longer works on an entry that's\nbeen deleted from the list, making it harder to detect prior deletion.  Fix\nthis by:\n\nFirstly, make rxrpc_destroy_all_calls() only dump the first ten calls that\nare unexpectedly still on the list.  Limiting the number of steps means\nthere's no need to call cond_resched() or to remove calls from the list\nhere, thereby eliminating the need for rxrpc_put_call() to check for that.\n\nrxrpc_put_call() can then be fixed to unconditionally delete the call from\nthe list as it is the only place that the deletion occurs.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31642"
        },
        {
          "id": "CVE-2026-31643",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix key parsing memleak\n\nIn rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be\nleaked in a few error paths after it's allocated.\n\nFix this by freeing it in the \"reject_token:\" case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31643"
        },
        {
          "id": "CVE-2026-31644",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix use-after-free and leak in lan966x_fdma_reload()\n\nWhen lan966x_fdma_reload() fails to allocate new RX buffers, the restore\npath restarts DMA using old descriptors whose pages were already freed\nvia lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can\nrelease pages back to the buddy allocator, the hardware may DMA into\nmemory now owned by other kernel subsystems.\n\nAdditionally, on the restore path, the newly created page pool (if\nallocation partially succeeded) is overwritten without being destroyed,\nleaking it.\n\nFix both issues by deferring the release of old pages until after the\nnew allocation succeeds. Save the old page array before the allocation\nso old pages can be freed on the success path. On the failure path, the\nold descriptors, pages and page pool are all still valid, making the\nrestore safe. Also ensure the restore path re-enables NAPI and wakes\nthe netdev, matching the success path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31644"
        },
        {
          "id": "CVE-2026-31645",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page pool leak in error paths\n\nlan966x_fdma_rx_alloc() creates a page pool but does not destroy it if\nthe subsequent fdma_alloc_coherent() call fails, leaking the pool.\n\nSimilarly, lan966x_fdma_init() frees the coherent DMA memory when\nlan966x_fdma_tx_alloc() fails but does not destroy the page pool that\nwas successfully created by lan966x_fdma_rx_alloc(), leaking it.\n\nAdd the missing page_pool_destroy() calls in both error paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31645"
        },
        {
          "id": "CVE-2026-31646",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31646"
        },
        {
          "id": "CVE-2026-31647",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling\n\nSwitch from using the completion's raw spinlock to a local lock in the\nidpf_vc_xn struct. The conversion is safe because complete/_all() are\ncalled outside the lock and there is no reason to share the completion\nlock in the current logic. This avoids invalid wait context reported by\nthe kernel due to the async handler taking BH spinlock:\n\n[  805.726977] =============================\n[  805.726991] [ BUG: Invalid wait context ]\n[  805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S         OE\n[  805.727026] -----------------------------\n[  805.727038] kworker/u261:0/572 is trying to lock:\n[  805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727099] other info that might help us debug this:\n[  805.727111] context-{5:5}\n[  805.727119] 3 locks held by kworker/u261:0/572:\n[  805.727132]  #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730\n[  805.727163]  #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730\n[  805.727191]  #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]\n[  805.727218] stack backtrace:\n...\n[  805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]\n[  805.727247] Call Trace:\n[  805.727249]  <TASK>\n[  805.727251]  dump_stack_lvl+0x77/0xb0\n[  805.727259]  __lock_acquire+0xb3b/0x2290\n[  805.727268]  ? __irq_work_queue_local+0x59/0x130\n[  805.727275]  lock_acquire+0xc6/0x2f0\n[  805.727277]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727284]  ? _printk+0x5b/0x80\n[  805.727290]  _raw_spin_lock_bh+0x38/0x50\n[  805.727298]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727303]  idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727310]  idpf_recv_mb_msg+0x1c8/0x710 [idpf]\n[  805.727317]  process_one_work+0x226/0x730\n[  805.727322]  worker_thread+0x19e/0x340\n[  805.727325]  ? __pfx_worker_thread+0x10/0x10\n[  805.727328]  kthread+0xf4/0x130\n[  805.727333]  ? __pfx_kthread+0x10/0x10\n[  805.727336]  ret_from_fork+0x32c/0x410\n[  805.727345]  ? __pfx_kthread+0x10/0x10\n[  805.727347]  ret_from_fork_asm+0x1a/0x30\n[  805.727354]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31647"
        },
        {
          "id": "CVE-2026-31648",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[  734.496287] BUG: Bad page state in process stress-ng-env  pfn:415735fb\n[  734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[  734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[  734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[  734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[  734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page\u2019s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred.  By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[  734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[  734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[  734.469315] memcg:ffff000807a8ec00\n[  734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[  734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[  734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[  734.469390] ------------[ cut here ]------------\n[  734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[  734.469551]  folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[  734.469555]  set_pte_range+0xd8/0x2f8\n[  734.469566]  filemap_map_folio_range+0x190/0x400\n[  734.469579]  filemap_map_pages+0x348/0x638\n[  734.469583]  do_fault_around+0x140/0x198\n......\n[  734.469640]  el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio\u2019s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0                                                  CPU 1\nfilemap_map_pages()                                   ext4_setattr()\n   //get and lock folio with old inode->i_size\n   next_uptodate_folio()\n\n                                                          .......\n                                                          //shrink the inode->i_size\n                                                          i_size_write(inode, attr->ia_size);\n\n   //calculate the end_pgoff with the new inode->i_size\n   file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n   end_pgoff = min(end_pgoff, file_end);\n\n   ......\n   //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n   end = folio_next_index(folio) - 1;\n   nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n   ......\n   //map large folio\n   filemap_map_folio_range()\n                                                          ......\n                                                          //truncate folios\n                                                          truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31648"
        },
        {
          "id": "CVE-2026-31649",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb->len (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len <= bmax) but a\nlarge total length due to page fragments (skb->len > bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb->data + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31649"
        },
        {
          "id": "CVE-2026-31650",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix use-after-free on disconnect\n\nThe vub300 driver maintains an explicit reference count for the\ncontroller and its driver data and the last reference can in theory be\ndropped after the driver has been unbound.\n\nThis specifically means that the controller allocation must not be\ndevice managed as that can lead to use-after-free.\n\nNote that the lifetime is currently also incorrectly tied the parent USB\ndevice rather than interface, which can lead to memory leaks if the\ndriver is unbound without its device being physically disconnected (e.g.\non probe deferral).\n\nFix both issues by reverting to non-managed allocation of the controller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31650"
        },
        {
          "id": "CVE-2026-31651",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31651"
        },
        {
          "id": "CVE-2026-31652",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/stat: deallocate damon_call() failure leaking damon_ctx\n\ndamon_stat_start() always allocates the module's damon_ctx object\n(damon_stat_context).  Meanwhile, if damon_call() in the function fails,\nthe damon_ctx object is not deallocated.  Hence, if the damon_call() is\nfailed, and the user writes Y to \u201cenabled\u201d again, the previously\nallocated damon_ctx object is leaked.\n\nThis cannot simply be fixed by deallocating the damon_ctx object when\ndamon_call() fails.  That's because damon_call() failure doesn't guarantee\nthe kdamond main function, which accesses the damon_ctx object, is\ncompletely finished.  In other words, if damon_stat_start() deallocates\nthe damon_ctx object after damon_call() failure, the not-yet-terminated\nkdamond could access the freed memory (use-after-free).\n\nFix the leak while avoiding the use-after-free by keeping returning\ndamon_stat_start() without deallocating the damon_ctx object after\ndamon_call() failure, but deallocating it when the function is invoked\nagain and the kdamond is completely terminated.  If the kdamond is not yet\nterminated, simply return -EAGAIN, as the kdamond will soon be terminated.\n\nThe issue was discovered [1] by sashiko.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31652"
        },
        {
          "id": "CVE-2026-31653",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: dealloc repeat_call_control if damon_call() fails\n\ndamon_call() for repeat_call_control of DAMON_SYSFS could fail if somehow\nthe kdamond is stopped before the damon_call().  It could happen, for\nexample, when te damon context was made for monitroing of a virtual\naddress processes, and the process is terminated immediately, before the\ndamon_call() invocation.  In the case, the dyanmically allocated\nrepeat_call_control is not deallocated and leaked.\n\nFix the leak by deallocating the repeat_call_control under the\ndamon_call() failure.\n\nThis issue is discovered by sashiko [1].",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31653"
        },
        {
          "id": "CVE-2026-31654",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: fix memory leak in __mmap_region()\n\ncommit 605f6586ecf7 (\"mm/vma: do not leak memory when .mmap_prepare\nswaps the file\") handled the success path by skipping get_file() via\nfile_doesnt_need_get, but missed the error path.\n\nWhen /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls\nshmem_zero_setup_desc() which allocates a new shmem file to back the\nmapping. If __mmap_new_vma() subsequently fails, this replacement\nfile is never fput()'d - the original is released by\nksys_mmap_pgoff(), but nobody releases the new one.\n\nAdd fput() for the swapped file in the error path.\n\nReproducible with fault injection.\n\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 1\nCPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x164/0x1f0\n should_fail_ex+0x525/0x650\n should_failslab+0xdf/0x140\n kmem_cache_alloc_noprof+0x78/0x630\n vm_area_alloc+0x24/0x160\n __mmap_region+0xf6b/0x2660\n mmap_region+0x2eb/0x3a0\n do_mmap+0xc79/0x1240\n vm_mmap_pgoff+0x252/0x4c0\n ksys_mmap_pgoff+0xf8/0x120\n __x64_sys_mmap+0x12a/0x190\n do_syscall_64+0xa9/0x580\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n </TASK>\n\nkmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881118aca80 (size 360):\n  comm \"syz.7.14\", pid 366, jiffies 4294913255\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff  .........(M.....\n  backtrace (crc db0f53bc):\n    kmem_cache_alloc_noprof+0x3ab/0x630\n    alloc_empty_file+0x5a/0x1e0\n    alloc_file_pseudo+0x135/0x220\n    __shmem_file_setup+0x274/0x420\n    shmem_zero_setup_desc+0x9c/0x170\n    mmap_zero_prepare+0x123/0x140\n    __mmap_region+0xdda/0x2660\n    mmap_region+0x2eb/0x3a0\n    do_mmap+0xc79/0x1240\n    vm_mmap_pgoff+0x252/0x4c0\n    ksys_mmap_pgoff+0xf8/0x120\n    __x64_sys_mmap+0x12a/0x190\n    do_syscall_64+0xa9/0x580\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFound by syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31654",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31655",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled\n\nKeep the NOC_HDCP clock always enabled to fix the potential hang\ncaused by the NoC ADB400 port power down handshake.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31655"
        },
        {
          "id": "CVE-2026-31656",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine->heartbeat.systole request.\n\nThe heartbeat worker reads engine->heartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]\n<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n<4> [487.222707] Call Trace:\n<4> [487.222711]  <TASK>\n<4> [487.222716]  intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n<4> [487.223115]  intel_engine_park_heartbeat+0x25/0x40 [i915]\n<4> [487.223566]  __engine_park+0xb9/0x650 [i915]\n<4> [487.223973]  ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n<4> [487.224408]  __intel_wakeref_put_last+0x72/0x90 [i915]\n<4> [487.224797]  intel_context_exit_engine+0x7c/0x80 [i915]\n<4> [487.225238]  intel_context_exit+0xf1/0x1b0 [i915]\n<4> [487.225695]  i915_request_retire.part.0+0x1b9/0x530 [i915]\n<4> [487.226178]  i915_request_retire+0x1c/0x40 [i915]\n<4> [487.226625]  engine_retire+0x122/0x180 [i915]\n<4> [487.227037]  process_one_work+0x239/0x760\n<4> [487.227060]  worker_thread+0x200/0x3f0\n<4> [487.227068]  ? __pfx_worker_thread+0x10/0x10\n<4> [487.227075]  kthread+0x10d/0x150\n<4> [487.227083]  ? __pfx_kthread+0x10/0x10\n<4> [487.227092]  ret_from_fork+0x3d4/0x480\n<4> [487.227099]  ? __pfx_kthread+0x10/0x10\n<4> [487.227107]  ret_from_fork_asm+0x1a/0x30\n<4> [487.227141]  </TASK>\n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31656"
        },
        {
          "id": "CVE-2026-31657",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim->backbone_gw and drop the old\ngateway's last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim->backbone_gw->orig and\ntakes claim->backbone_gw->crc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31657"
        },
        {
          "id": "CVE-2026-31658",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()\n\nWhen dma_map_single() fails in tse_start_xmit(), the function returns\nNETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the\nstack the packet was consumed, the skb is never freed, leaking memory\non every DMA mapping failure.\n\nAdd dev_kfree_skb_any() before returning to properly free the skb.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31658"
        },
        {
          "id": "CVE-2026-31659",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31659"
        },
        {
          "id": "CVE-2026-31660",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31660"
        },
        {
          "id": "CVE-2026-31661",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31661"
        },
        {
          "id": "CVE-2026-31662",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG\n\nThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements\nbc_ackers on every inbound group ACK, even when the same member has\nalready acknowledged the current broadcast round.\n\nBecause bc_ackers is a u16, a duplicate ACK received after the last\nlegitimate ACK wraps the counter to 65535. Once wrapped,\ntipc_group_bc_cong() keeps reporting congestion and later group\nbroadcasts on the affected socket stay blocked until the group is\nrecreated.\n\nFix this by ignoring duplicate or stale ACKs before touching bc_acked or\nbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and\nprevents the underflow path.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31662"
        },
        {
          "id": "CVE-2026-31663",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: hold dev ref until after transport_finish NF_HOOK\n\nAfter async crypto completes, xfrm_input_resume() calls dev_put()\nimmediately on re-entry before the skb reaches transport_finish.\nThe skb->dev pointer is then used inside NF_HOOK and its okfn,\nwhich can race with device teardown.\n\nRemove the dev_put from the async resumption entry and instead\ndrop the reference after the NF_HOOK call in transport_finish,\nusing a saved device pointer since NF_HOOK may consume the skb.\nThis covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip\nthe okfn.\n\nFor non-transport exits (decaps, gro, drop) and secondary\nasync return points, release the reference inline when\nasync is set.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31663"
        },
        {
          "id": "CVE-2026-31664",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31664"
        },
        {
          "id": "CVE-2026-31665",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n  nf_conntrack_tcp_packet+0x1381/0x29d0\n  nf_conntrack_in+0x612/0x8b0\n  nf_hook_slow+0x70/0x100\n  __ip_local_out+0x1b2/0x210\n  tcp_sendmsg_locked+0x722/0x1580\n  __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n  nft_ct_timeout_obj_init+0xf6/0x290\n  nft_obj_init+0x107/0x1b0\n  nf_tables_newobj+0x680/0x9c0\n  nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n  nft_obj_destroy+0x3f/0xa0\n  nf_tables_trans_destroy_work+0x51c/0x5c0\n  process_one_work+0x2c4/0x5a0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31665"
        },
        {
          "id": "CVE-2026-31666",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()\n\nAfter commit 1618aa3c2e01 (\"btrfs: simplify return variables in\nlookup_extent_data_ref()\"), the err and ret variables were merged into\na single ret variable. However, when btrfs_next_leaf() returns 0\n(success), ret is overwritten from -ENOENT to 0. If the first key in\nthe next leaf does not match (different objectid or type), the function\nreturns 0 instead of -ENOENT, making the caller believe the lookup\nsucceeded when it did not. This can lead to operations on the wrong\nextent tree item, potentially causing extent tree corruption.\n\nFix this by returning -ENOENT directly when the key does not match,\ninstead of relying on the ret variable.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31666"
        },
        {
          "id": "CVE-2026-31667",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n   uinput_dev_upload_effect() -> uinput_request_submit() ->\n   uinput_request_send(), which acquires udev->mutex.\n\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\n   uinput_create_device() -> input_register_device(), which acquires\n   input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n   calls kbd_connect() -> input_register_handle(), which acquires\n   dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n   dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex.  The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep).  This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot().  Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n  ff->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31667"
        },
        {
          "id": "CVE-2026-31668",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: separate dst_cache for input and output paths in seg6 lwtunnel\n\nThe seg6 lwtunnel uses a single dst_cache per encap route, shared\nbetween seg6_input_core() and seg6_output_core(). These two paths\ncan perform the post-encap SID lookup in different routing contexts\n(e.g., ip rules matching on the ingress interface, or VRF table\nseparation). Whichever path runs first populates the cache, and the\nother reuses it blindly, bypassing its own lookup.\n\nFix this by splitting the cache into cache_input and cache_output,\nso each path maintains its own cached dst independently.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31668"
        },
        {
          "id": "CVE-2026-31669",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP's mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(&tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31669"
        },
        {
          "id": "CVE-2026-31670",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: prevent unlimited numbers of rfkill events from being created\n\nUserspace can create an unlimited number of rfkill events if the system\nis so configured, while not consuming them from the rfkill file\ndescriptor, causing a potential out of memory situation.  Prevent this\nfrom bounding the number of pending rfkill events at a \"large\" number\n(i.e. 1000) to prevent abuses like this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31670"
        },
        {
          "id": "CVE-2026-31671",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace.  Fix that up by\nzeroing the structure before setting individual member variables.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31671"
        },
        {
          "id": "CVE-2026-31672",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00usb: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the USB anchor lifetime so that it is released on driver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31672"
        },
        {
          "id": "CVE-2026-31673",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31673"
        },
        {
          "id": "CVE-2026-31674",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31674"
        },
        {
          "id": "CVE-2026-31675",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_netem: fix out-of-bounds access in packet corruption\n\nIn netem_enqueue(), the packet corruption logic uses\nget_random_u32_below(skb_headlen(skb)) to select an index for\nmodifying skb->data. When an AF_PACKET TX_RING sends fully non-linear\npackets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.\n\nPassing 0 to get_random_u32_below() takes the variable-ceil slow path\nwhich returns an unconstrained 32-bit random integer. Using this\nunconstrained value as an offset into skb->data results in an\nout-of-bounds memory access.\n\nFix this by verifying skb_headlen(skb) is non-zero before attempting\nto corrupt the linear data area. Fully non-linear packets will silently\nbypass the corruption logic.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31675"
        },
        {
          "id": "CVE-2026-31676",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: only handle RESPONSE during service challenge\n\nOnly process RESPONSE packets while the service connection is still in\nRXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before\nrunning response verification and security initialization, then use a local\nsecured flag to decide whether to queue the secured-connection work after\nthe state transition. This keeps duplicate or late RESPONSE packets from\nre-running the setup path and removes the unlocked post-transition state\ntest.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31676"
        },
        {
          "id": "CVE-2026-31677",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - limit RX SG extraction by receive buffer budget\n\nMake af_alg_get_rsgl() limit each RX scatterlist extraction to the\nremaining receive buffer budget.\n\naf_alg_get_rsgl() currently uses af_alg_readable() only as a gate\nbefore extracting data into the RX scatterlist. Limit each extraction\nto the remaining af_alg_rcvbuf(sk) budget so that receive-side\naccounting matches the amount of data attached to the request.\n\nIf skcipher cannot obtain enough RX space for at least one chunk while\nmore data remains to be processed, reject the recvmsg call instead of\nrounding the request length down to zero.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31677"
        },
        {
          "id": "CVE-2026-31678",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport->dev.\n\nDo not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31678"
        },
        {
          "id": "CVE-2026-31679",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: validate MPLS set/set_masked payload length\n\nvalidate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for\nSET/SET_MASKED actions. In action handling, OVS expects fixed-size\nMPLS key data (struct ovs_key_mpls).\n\nUse the already normalized key_len (masked case included) and reject\nnon-matching MPLS action key sizes.\n\nReject invalid MPLS action payload lengths early.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31679"
        },
        {
          "id": "CVE-2026-31680",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: flowlabel: defer exclusive option free until RCU teardown\n\n`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file\nRCU read-side lock and prints `fl->opt->opt_nflen` when an option block\nis present.\n\nExclusive flowlabels currently free `fl->opt` as soon as `fl->users`\ndrops to zero in `fl_release()`. However, the surrounding\n`struct ip6_flowlabel` remains visible in the global hash table until\nlater garbage collection removes it and `fl_free_rcu()` finally tears it\ndown.\n\nA concurrent `/proc/net/ip6_flowlabel` reader can therefore race that\nearly `kfree()` and dereference freed option state, triggering a crash\nin `ip6fl_seq_show()`.\n\nFix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches\nthe lifetime already required for the enclosing flowlabel while readers\ncan still reach it under RCU.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31680"
        },
        {
          "id": "CVE-2026-31681",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_multiport: validate range encoding in checkentry\n\nports_match_v1() treats any non-zero pflags entry as the start of a\nport range and unconditionally consumes the next ports[] element as\nthe range end.\n\nThe checkentry path currently validates protocol, flags and count, but\nit does not validate the range encoding itself. As a result, malformed\nrules can mark the last slot as a range start or place two range starts\nback to back, leaving ports_match_v1() to step past the last valid\nports[] element while interpreting the rule.\n\nReject malformed multiport v1 rules in checkentry by validating that\neach range start has a following element and that the following element\nis not itself marked as another range start.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31681"
        },
        {
          "id": "CVE-2026-31682",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31682"
        },
        {
          "id": "CVE-2026-31683",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: avoid OGM aggregation when skb tailroom is insufficient\n\nWhen OGM aggregation state is toggled at runtime, an existing forwarded\npacket may have been allocated with only packet_len bytes, while a later\npacket can still be selected for aggregation. Appending in this case can\nhit skb_put overflow conditions.\n\nReject aggregation when the target skb tailroom cannot accommodate the new\npacket. The caller then falls back to creating a new forward packet\ninstead of appending.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31683"
        },
        {
          "id": "CVE-2026-31684",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_csum: validate nested VLAN headers\n\ntcf_csum_act() walks nested VLAN headers directly from skb->data when an\nskb still carries in-payload VLAN tags. The current code reads\nvlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without\nfirst ensuring that the full VLAN header is present in the linear area.\n\nIf only part of an inner VLAN header is linearized, accessing\nh_vlan_encapsulated_proto reads past the linear area, and the following\nskb_pull(VLAN_HLEN) may violate skb invariants.\n\nFix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and\npulling each nested VLAN header. If the header still is not fully\navailable, drop the packet through the existing error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31684"
        },
        {
          "id": "CVE-2026-31685",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par->fragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
          "scorev2": "0.0",
          "scorev3": "9.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31685"
        },
        {
          "id": "CVE-2026-31686",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kasan: fix double free for kasan pXds\n\nkasan_free_pxd() assumes the page table is always struct page aligned. \nBut that's not always the case for all architectures.  E.g.  In case of\npowerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache\nnamed pgtable-2^9.  Hence instead of page_to_virt(pxd_page()) let's just\ndirectly pass the start of the pxd table which is passed as the 1st\nargument.\n\nThis fixes the below double free kasan issue seen with PMEM:\n\nradix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages\n==================================================================\nBUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20\nFree of addr c0000003c38e0000 by task ndctl/2164\n\nCPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY\nHardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries\nCall Trace:\n dump_stack_lvl+0x88/0xc4 (unreliable)\n print_report+0x214/0x63c\n kasan_report_invalid_free+0xe4/0x110\n check_slab_allocation+0x100/0x150\n kmem_cache_free+0x128/0x6e0\n kasan_remove_zero_shadow+0x9c4/0xa20\n memunmap_pages+0x2b8/0x5c0\n devm_action_release+0x54/0x70\n release_nodes+0xc8/0x1a0\n devres_release_all+0xe0/0x140\n device_unbind_cleanup+0x30/0x120\n device_release_driver_internal+0x3e4/0x450\n unbind_store+0xfc/0x110\n drv_attr_store+0x78/0xb0\n sysfs_kf_write+0x114/0x140\n kernfs_fop_write_iter+0x264/0x3f0\n vfs_write+0x3bc/0x7d0\n ksys_write+0xa4/0x190\n system_call_exception+0x190/0x480\n system_call_vectored_common+0x15c/0x2ec\n---- interrupt: 3000 at 0x7fff93b3d3f4\nNIP:  00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000\nREGS: c0000003f1b07e80 TRAP: 3000   Not tainted  (6.19.0-rc1-00048-gea1013c15392)\nMSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 48888208  XER: 00000000\n<...>\nNIP [00007fff93b3d3f4] 0x7fff93b3d3f4\nLR [00007fff93b3d3f4] 0x7fff93b3d3f4\n---- interrupt: 3000\n\n The buggy address belongs to the object at c0000003c38e0000\n  which belongs to the cache pgtable-2^9 of size 4096\n The buggy address is located 0 bytes inside of\n  4096-byte region [c0000003c38e0000, c0000003c38e1000)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c\n head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n memcg:c0000003bfd63e01\n flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)\n page_type: f5(slab)\n raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\n page dumped because: kasan: bad access detected\n\n[  138.953636] [   T2164] Memory state around the buggy address:\n[  138.953643] [   T2164]  c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[  138.953652] [   T2164]  c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[  138.953661] [   T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[  138.953669] [   T2164]                    ^\n[  138.953675] [   T2164]  c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[  138.953684] [   T2164]  c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[  138.953692] [   T2164] ==================================================================\n[  138.953701] [   T2164] Disabling lock debugging due to kernel taint",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31686"
        },
        {
          "id": "CVE-2026-31687",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: omap: do not register driver in probe()\n\nCommit 11a78b794496 (\"ARM: OMAP: MPUIO wake updates\") registers the\nomap_mpuio_driver from omap_mpuio_init(), which is called from\nomap_gpio_probe().\n\nHowever, it neither makes sense to register drivers from probe()\ncallbacks of other drivers, nor does the driver core allow registering\ndrivers with a device lock already being held.\n\nThe latter was revealed by commit dc23806a7c47 (\"driver core: enforce\ndevice_lock for driver_match_device()\") leading to a potential deadlock\ncondition described in [1].\n\nAdditionally, the omap_mpuio_driver is never unregistered from the\ndriver core, even if the module is unloaded.\n\nHence, register the omap_mpuio_driver from the module initcall and\nunregister it in module_exit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31687"
        },
        {
          "id": "CVE-2026-31688",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: enforce device_lock for driver_match_device()\n\nCurrently, driver_match_device() is called from three sites. One site\n(__device_attach_driver) holds device_lock(dev), but the other two\n(bind_store and __driver_attach) do not. This inconsistency means that\nbus match() callbacks are not guaranteed to be called with the lock\nheld.\n\nFix this by introducing driver_match_device_locked(), which guarantees\nholding the device lock using a scoped guard. Replace the unlocked calls\nin bind_store() and __driver_attach() with this new helper. Also add a\nlock assertion to driver_match_device() to enforce this guarantee.\n\nThis consistency also fixes a known race condition. The driver_override\nimplementation relies on the device_lock, so the missing lock led to the\nuse-after-free (UAF) reported in Bugzilla for buses using this field.\n\nStress testing the two newly locked paths for 24 hours with\nCONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence\nand no lockdep warnings.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31688"
        },
        {
          "id": "CVE-2026-31689",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci->pvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device's release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they're called:\n\n  MCE: In-kernel MCE decoding enabled.\n  ------------[ cut here ]------------\n  kobject: '(null)': is not initialized, yet kobject_put() is being called.\n  WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n  CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n  RIP: 0010:kobject_put\n  Call Trace:\n   <TASK>\n   edac_mc_alloc+0xbe/0xe0 [edac_core]\n   amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n   ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n   do_one_initcall\n   ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31689"
        },
        {
          "id": "CVE-2026-31690",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: thead: Fix buffer overflow and use standard endian macros\n\nAddresses two issues in the TH1520 AON firmware protocol driver:\n\n1. Fix a potential buffer overflow where the code used unsafe pointer\n   arithmetic to access the 'mode' field through the 'resource' pointer\n   with an offset. This was flagged by Smatch static checker as:\n   \"buffer overflow 'data' 2 <= 3\"\n\n2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard\n   kernel endianness conversion macros (cpu_to_be16, etc.) for better\n   portability and maintainability.\n\nThe functionality was re-tested with the GPU power-up sequence,\nconfirming the GPU powers up correctly and the driver probes\nsuccessfully.\n\n[   12.702370] powervr ffef400000.gpu: [drm] loaded firmware\npowervr/rogue_36.52.104.182_v1.fw\n[   12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build\n6645434 OS)\n[   12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on\nminor 0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31690"
        },
        {
          "id": "CVE-2026-31691",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: remove napi_synchronize() in igb_down()\n\nWhen an AF_XDP zero-copy application terminates abruptly (e.g., kill -9),\nthe XSK buffer pool is destroyed but NAPI polling continues.\nigb_clean_rx_irq_zc() repeatedly returns the full budget, preventing\nnapi_complete_done() from clearing NAPI_STATE_SCHED.\n\nigb_down() calls napi_synchronize() before napi_disable() for each queue\nvector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear,\nwhich never happens. igb_down() blocks indefinitely, the TX watchdog\nfires, and the TX queue remains permanently stalled.\n\nnapi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE.\nAfter a full-budget poll, __napi_poll() checks napi_disable_pending(). If\nset, it forces completion and clears NAPI_STATE_SCHED, breaking the loop\nthat napi_synchronize() cannot.\n\nnapi_synchronize() was added in commit 41f149a285da (\"igb: Fix possible\npanic caused by Rx traffic arrival while interface is down\").\nnapi_disable() provides stronger guarantees: it prevents further\nscheduling and waits for any active poll to exit.\nOther Intel drivers (ixgbe, ice, i40e) use napi_disable() without a\npreceding napi_synchronize() in their down paths.\n\nRemove redundant napi_synchronize() call and reorder napi_disable()\nbefore igb_set_queue_napi() so the queue-to-NAPI mapping is only\ncleared after polling has fully stopped.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31691"
        },
        {
          "id": "CVE-2026-31692",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: add missing netlink_ns_capable() check for peer netns\n\nrtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer\nnetwork namespace when creating paired devices (veth, vxcan,\nnetkit). This allows an unprivileged user with a user namespace\nto create interfaces in arbitrary network namespaces, including\ninit_net.\n\nAdd a netlink_ns_capable() check for CAP_NET_ADMIN in the peer\nnamespace before allowing device creation to proceed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31692"
        },
        {
          "id": "CVE-2026-31693",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: some missing initializations on replay\n\nIn several places in the code, we have a label to signify\nthe start of the code where a request can be replayed if\nnecessary. However, some of these places were missing the\nnecessary reinitializations of certain local variables\nbefore replay.\n\nThis change makes sure that these variables get initialized\nafter the label.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31693"
        },
        {
          "id": "CVE-2026-31694",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31694"
        },
        {
          "id": "CVE-2026-31695",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.\n\nLet's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4d/0x70\n  print_report+0x170/0x4f3\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  kasan_report+0xda/0x110\n  ? __pm_runtime_resume+0xe2/0xf0\n  ? __pm_runtime_resume+0xe2/0xf0\n  __pm_runtime_resume+0xe2/0xf0\n  ethnl_ops_begin+0x49/0x270\n  ethnl_set_features+0x23c/0xab0\n  ? __pfx_ethnl_set_features+0x10/0x10\n  ? kvm_sched_clock_read+0x11/0x20\n  ? local_clock_noinstr+0xf/0xf0\n  ? local_clock+0x10/0x30\n  ? kasan_save_track+0x25/0x60\n  ? __kasan_kmalloc+0x7f/0x90\n  ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n  genl_family_rcv_msg_doit+0x1e7/0x2c0\n  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n  ? __pfx_cred_has_capability.isra.0+0x10/0x10\n  ? stack_trace_save+0x8e/0xc0\n  genl_rcv_msg+0x411/0x660\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_ethnl_set_features+0x10/0x10\n  netlink_rcv_skb+0x121/0x380\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_netlink_rcv_skb+0x10/0x10\n  ? __pfx_down_read+0x10/0x10\n  genl_rcv+0x23/0x30\n  netlink_unicast+0x60f/0x830\n  ? __pfx_netlink_unicast+0x10/0x10\n  ? __pfx___alloc_skb+0x10/0x10\n  netlink_sendmsg+0x6ea/0xbc0\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ? __futex_queue+0x10b/0x1f0\n  ____sys_sendmsg+0x7a2/0x950\n  ? copy_msghdr_from_user+0x26b/0x430\n  ? __pfx_____sys_sendmsg+0x10/0x10\n  ? __pfx_copy_msghdr_from_user+0x10/0x10\n  ___sys_sendmsg+0xf8/0x180\n  ? __pfx____sys_sendmsg+0x10/0x10\n  ? __pfx_futex_wait+0x10/0x10\n  ? fdget+0x2e4/0x4a0\n  __sys_sendmsg+0x11f/0x1c0\n  ? __pfx___sys_sendmsg+0x10/0x10\n  do_syscall_64+0xe2/0x570\n  ? exc_page_fault+0x66/0xb0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  </TASK>\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31695"
        },
        {
          "id": "CVE-2026-31696",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads <= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31696"
        },
        {
          "id": "CVE-2026-31697",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed.  If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n  CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n   sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31697"
        },
        {
          "id": "CVE-2026-31698",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don't attempt to copy the blobs to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n  CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n   sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31698"
        },
        {
          "id": "CVE-2026-31699",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don't attempt to copy the blob to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n  CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n   sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirmware error.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31699"
        },
        {
          "id": "CVE-2026-31700",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()\n\nIn tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points\ndirectly into the mmap'd TX ring buffer shared with userspace. The\nkernel validates the header via __packet_snd_vnet_parse() but then\nre-reads all fields later in virtio_net_hdr_to_skb(). A concurrent\nuserspace thread can modify the vnet_hdr fields between validation\nand use, bypassing all safety checks.\n\nThe non-TPACKET path (packet_snd()) already correctly copies vnet_hdr\nto a stack-local variable. All other vnet_hdr consumers in the kernel\n(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX\npath is the only caller of virtio_net_hdr_to_skb() that reads directly\nfrom user-controlled shared memory.\n\nFix this by copying vnet_hdr from the mmap'd ring buffer to a\nstack-local variable before validation and use, consistent with the\napproach used in packet_snd() and all other callers.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31700"
        },
        {
          "id": "CVE-2026-31701",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: take a reference on the USB device in create_card()\n\nThe caiaq driver stores a pointer to the parent USB device in\ncdev->chip.dev but never takes a reference on it. The card's\nprivate_free callback, snd_usb_caiaq_card_free(), can run\nasynchronously via snd_card_free_when_closed() after the USB\ndevice has already been disconnected and freed, so any access to\ncdev->chip.dev in that path dereferences a freed usb_device.\n\nOn top of the refcounting issue, the current card_free implementation\ncalls usb_reset_device(cdev->chip.dev). A reset in a free callback\nis inappropriate: the device is going away, the call takes the\ndevice lock in a teardown context, and the reset races with the\ndisconnect path that the callback is already cleaning up after.\n\nTake a reference on the USB device in create_card() with\nusb_get_dev(), drop it with usb_put_dev() in the free callback,\nand remove the usb_reset_device() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31701"
        },
        {
          "id": "CVE-2026-31702",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()\n\nIn f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring\nthe F2FS_WB_CP_DATA counter to zero, unblocking\nf2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount\nCPU. The unmount path then proceeds to call\nf2fs_destroy_page_array_cache(sbi), which destroys\nsbi->page_array_slab via kmem_cache_destroy(), and eventually\nkfree(sbi). Meanwhile, the bio completion callback is still executing:\nwhen it reaches page_array_free(sbi, ...), it dereferences\nsbi->page_array_slab \u2014 a destroyed slab cache \u2014 to call\nkmem_cache_free(), causing a use-after-free.\n\nThis is the same class of bug as CVE-2026-23234 (which fixed the\nequivalent race in f2fs_write_end_io() in data.c), but in the\ncompressed writeback completion path that was not covered by that fix.\n\nFix this by moving dec_page_count() to after page_array_free(), so\nthat all sbi accesses complete before the counter decrement that can\nunblock unmount. For non-last folios (where atomic_dec_return on\ncic->pending_pages is nonzero), dec_page_count is called immediately\nbefore returning \u2014 page_array_free is not reached on this path, so\nthere is no post-decrement sbi access. For the last folio,\npage_array_free runs while the F2FS_WB_CP_DATA counter is still\nnonzero (this folio has not yet decremented it), keeping sbi alive,\nand dec_page_count runs as the final operation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31702"
        },
        {
          "id": "CVE-2026-31703",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n  wb_get(new_wb);\n  while (1) {\n    list = llist_del_all(&new_wb->switch_wbs_ctxs);\n    /* Nothing to do? */\n    if (!list)\n      break;\n    ... process the items ...\n  }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n  if (llist_add(&isw->list, &wb->switch_wbs_ctxs))\n    queue_work(isw_wq, &wb->switch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb->switch_work is pending while wb->switch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -> no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -> 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let's avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb->switch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31703"
        },
        {
          "id": "CVE-2026-31704",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use check_add_overflow() to prevent u16 DACL size overflow\n\nset_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes\nin u16 variables. When a file has many POSIX ACL entries, the\naccumulated size can wrap past 65535, causing the pointer arithmetic\n(char *)pndace + *size to land within already-written ACEs. Subsequent\nwrites then overwrite earlier entries, and pndacl->size gets a\ntruncated value.\n\nUse check_add_overflow() at each accumulation point to detect the\nwrap before it corrupts the buffer, consistent with existing\ncheck_mul_overflow() usage elsewhere in smbacl.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31704"
        },
        {
          "id": "CVE-2026-31705",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31705"
        },
        {
          "id": "CVE-2026-31706",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()\n\nsmb_inherit_dacl() trusts the on-disk num_aces value from the parent\ndirectory's DACL xattr and uses it to size a heap allocation:\n\n  aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);\n\nnum_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)\nwithout checking that it is consistent with the declared pdacl_size.\nAn authenticated client whose parent directory's security.NTACL is\ntampered (e.g. via offline xattr corruption or a concurrent path that\nbypasses parse_dacl()) can present num_aces = 65535 with minimal\nactual ACE data.  This causes a ~8 MB allocation (not kzalloc, so\nuninitialized) that the subsequent loop only partially populates, and\nmay also overflow the three-way size_t multiply on 32-bit kernels.\n\nAdditionally, the ACE walk loop uses the weaker\noffsetof(struct smb_ace, access_req) minimum size check rather than\nthe minimum valid on-wire ACE size, and does not reject ACEs whose\ndeclared size is below the minimum.\n\nReproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.\nA legitimate mount.cifs client creates a parent directory over SMB\n(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on\nthe backing filesystem is rewritten to set num_aces = 0xFFFF while\nkeeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s\nhash check still passes.  A subsequent SMB2 CREATE of a child under\nthat parent drives smb2_open() into smb_inherit_dacl() (share has\n\"vfs objects = acl_xattr\" set), which fails the page allocator:\n\n  WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0\n  Workqueue: ksmbd-io handle_ksmbd_work\n   __alloc_frozen_pages_noprof+0x46c/0x9c0\n   ___kmalloc_large_node+0x68/0x130\n   __kmalloc_large_node_noprof+0x24/0x70\n   __kmalloc_noprof+0x4c9/0x690\n   smb_inherit_dacl+0x394/0x2430\n   smb2_open+0x595d/0xabe0\n   handle_ksmbd_work+0x3d3/0x1140\n\nWith the patch applied the added guard rejects the tampered value\nwith -EINVAL before any large allocation runs, smb2_open() falls back\nto smb2_create_sd_buffer(), and the child is created with a default\nSD.  No warning, no splat.\n\nFix by:\n\n  1. Validating num_aces against pdacl_size using the same formula\n     applied in parse_dacl().\n\n  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with\n     kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe\n     allocation.\n\n  3. Tightening the per-ACE loop guard to require the minimum valid\n     ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and\n     rejecting under-sized ACEs, matching the hardening in\n     smb_check_perm_dacl() and parse_dacl().\n\nv1 -> v2:\n  - Replace the synthetic test-module splat in the changelog with a\n    real-path UML + KASAN reproduction driven through mount.cifs and\n    SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name\n    in v1 since it does not exist in ksmbd.\n  - Drop the commit-hash citation from the code comment per Namjae's\n    review; keep the parse_dacl() pointer.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31706"
        },
        {
          "id": "CVE-2026-31707",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate response sizes in ipc_validate_msg()\n\nipc_validate_msg() computes the expected message size for each\nresponse type by adding (or multiplying) attacker-controlled fields\nfrom the daemon response to a fixed struct size in unsigned int\narithmetic.  Three cases can overflow:\n\n  KSMBD_EVENT_RPC_REQUEST:\n      msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;\n  KSMBD_EVENT_SHARE_CONFIG_REQUEST:\n      msg_sz = sizeof(struct ksmbd_share_config_response) +\n               resp->payload_sz;\n  KSMBD_EVENT_LOGIN_REQUEST_EXT:\n      msg_sz = sizeof(struct ksmbd_login_response_ext) +\n               resp->ngroups * sizeof(gid_t);\n\nresp->payload_sz is __u32 and resp->ngroups is __s32.  Each addition\ncan wrap in unsigned int; the multiplication by sizeof(gid_t) mixes\nsigned and size_t, so a negative ngroups is converted to SIZE_MAX\nbefore the multiply.  A wrapped value of msg_sz that happens to\nequal entry->msg_sz bypasses the size check on the next line, and\ndownstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,\nkmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the\nunverified length.\n\nUse check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST\npaths to detect integer overflow without constraining functional\npayload size; userspace ksmbd-tools grows NDR responses in 4096-byte\nchunks for calls like NetShareEnumAll, so a hard transport cap is\nunworkable on the response side.  For LOGIN_REQUEST_EXT, reject\nresp->ngroups outside the signed [0, NGROUPS_MAX] range up front and\nreport the error from ipc_validate_msg() so it fires at the IPC\nboundary; with that bound the subsequent multiplication and addition\nstay well below UINT_MAX.  The now-redundant ngroups check and\npr_err in ksmbd_alloc_user() are removed.\n\nThis is the response-side analogue of aab98e2dbd64 (\"ksmbd: fix\ninteger overflows on 32 bit systems\"), which hardened the request\nside.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31707"
        },
        {
          "id": "CVE-2026-31708",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path\n\nsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL\nand the default QUERY_INFO path.  The QUERY_INFO branch clamps\nqi.input_buffer_length to the server-reported OutputBufferLength and then\ncopies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but\nit never verifies that the flexible-array payload actually fits within\nrsp_iov[1].iov_len.\n\nA malicious server can return OutputBufferLength larger than the actual\nQUERY_INFO response, causing copy_to_user() to walk past the response\nbuffer and expose adjacent kernel heap to userspace.\n\nGuard the QUERY_INFO copy with a bounds check on the actual Buffer\npayload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)\nrather than an open-coded addition so the guard cannot overflow on\n32-bit builds.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31708"
        },
        {
          "id": "CVE-2026-31709",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: validate the whole DACL before rewriting it in cifsacl\n\nbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl->num_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths.  parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31709"
        },
        {
          "id": "CVE-2026-31710",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix dir separator in SMB1 UNIX mounts\n\nWhen calling cifs_mount_get_tcon() with SMB1 UNIX mounts,\n@cifs_sb->mnt_cifs_flags needs to be read or updated only after\ncalling reset_cifs_unix_caps(), otherwise it might end up with missing\nCIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits.\n\nThis fixes the wrong dir separator used in paths caused by the missing\nCIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31710",
          "detail": "fixed-version",
          "description": "only affects 7.0 onwards"
        },
        {
          "id": "CVE-2026-31711",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath.  The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter.  Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected.  The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\".  With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31711"
        },
        {
          "id": "CVE-2026-31712",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require minimum ACE size in smb_check_perm_dacl()\n\nBoth ACE-walk loops in smb_check_perm_dacl() only guard against an\nunder-sized remaining buffer, not against an ACE whose declared\n`ace->size` is smaller than the struct it claims to describe:\n\n  if (offsetof(struct smb_ace, access_req) > aces_size)\n      break;\n  ace_size = le16_to_cpu(ace->size);\n  if (ace_size > aces_size)\n      break;\n\nThe first check only requires the 4-byte ACE header to be in bounds;\nit does not require access_req (4 bytes at offset 4) to be readable.\nAn attacker who has set a crafted DACL on a file they own can declare\nace->size == 4 with aces_size == 4, pass both checks, and then\n\n  granted |= le32_to_cpu(ace->access_req);               /* upper loop */\n  compare_sids(&sid, &ace->sid);                         /* lower loop */\n\nreads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at\noffset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES\n* 4 bytes).\n\nTighten both loops to require\n\n  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE\n\nwhich is the smallest valid on-wire ACE layout (4-byte header +\n4-byte access_req + 8-byte sid base with zero sub-auths).  Also\nreject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES\nbefore letting compare_sids() dereference sub_auth[] entries.\n\nparse_sec_desc() already enforces an equivalent check (lines 441-448);\nsmb_check_perm_dacl() simply grew weaker validation over time.\n\nReachability: authenticated SMB client with permission to set an ACL\non a file.  On a subsequent CREATE against that file, the kernel\nwalks the stored DACL via smb_check_perm_dacl() and triggers the\nOOB read.  Not pre-auth, and the OOB read is not reflected to the\nattacker, but KASAN reports and kernel state corruption are\npossible.",
          "scorev2": "0.0",
          "scorev3": "8.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31712"
        },
        {
          "id": "CVE-2026-31713",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: abort on fatal signal during sync init\n\nWhen sync init is used and the server exits for some reason (error, crash)\nwhile processing FUSE_INIT, the filesystem creation will hang.  The reason\nis that while all other threads will exit, the mounting thread (or process)\nwill keep the device fd open, which will prevent an abort from happening.\n\nThis is a regression from the async mount case, where the mount was done\nfirst, and the FUSE_INIT processing afterwards, in which case there's no\nsuch recursive syscall keeping the fd open.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31713"
        },
        {
          "id": "CVE-2026-31714",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid memory leak in f2fs_rename()\n\nsyzbot reported a f2fs bug as below:\n\nBUG: memory leak\nunreferenced object 0xffff888127f70830 (size 16):\n  comm \"syz.0.23\", pid 6144, jiffies 4294943712\n  hex dump (first 16 bytes):\n    3c af 57 72 5b e6 8f ad 6e 8e fd 33 42 39 03 ff  <.Wr[...n..3B9..\n  backtrace (crc 925f8a80):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4520 [inline]\n    slab_alloc_node mm/slub.c:4844 [inline]\n    __do_kmalloc_node mm/slub.c:5237 [inline]\n    __kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250\n    kmalloc_noprof include/linux/slab.h:954 [inline]\n    fscrypt_setup_filename+0x15e/0x3b0 fs/crypto/fname.c:364\n    f2fs_setup_filename+0x52/0xb0 fs/f2fs/dir.c:143\n    f2fs_rename+0x159/0xca0 fs/f2fs/namei.c:961\n    f2fs_rename2+0xd5/0xf20 fs/f2fs/namei.c:1308\n    vfs_rename+0x7ff/0x1250 fs/namei.c:6026\n    filename_renameat2+0x4f4/0x660 fs/namei.c:6144\n    __do_sys_renameat2 fs/namei.c:6173 [inline]\n    __se_sys_renameat2 fs/namei.c:6168 [inline]\n    __x64_sys_renameat2+0x59/0x80 fs/namei.c:6168\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is in commit 40b2d55e0452 (\"f2fs: fix to create selinux\nlabel during whiteout initialization\"), we added a call to\nf2fs_setup_filename() without a matching call to f2fs_free_filename(),\nfix it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31714"
        },
        {
          "id": "CVE-2026-31715",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()\n\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\n\nThe concurrent scenario that triggers the panic is as follows:\n\nF2FS_WB_CP_DATA write callback          umount\n                                        - f2fs_write_checkpoint\n                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n - bio_endio\n  - f2fs_write_end_io\n   : dec_page_count(sbi, F2FS_WB_CP_DATA)\n   : wake_up(&sbi->cp_wait)\n                                        - kill_f2fs_super\n                                         - kill_block_super\n                                          - f2fs_put_super\n                                           : iput(sbi->node_inode)\n                                           : sbi->node_inode = NULL\n   : f2fs_in_warm_node_list\n    - is_node_folio // sbi->node_inode is NULL and panic\n\nThe root cause is that f2fs_put_super() calls iput(sbi->node_inode) and\nsets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\n\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31715"
        },
        {
          "id": "CVE-2026-31716",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: validate rec->used in journal-replay file record check\n\ncheck_file_record() validates rec->total against the record size but\nnever validates rec->used.  The do_action() journal-replay handlers read\nrec->used from disk and use it to compute memmove lengths:\n\n  DeleteAttribute:    memmove(attr, ..., used - asize - roff)\n  CreateAttribute:    memmove(..., attr, used - roff)\n  change_attr_size:   memmove(..., used - PtrOffset(rec, next))\n\nWhen rec->used is smaller than the offset of a validated attribute, or\nlarger than the record size, these subtractions can underflow, allowing\nus to copy huge amounts of memory into a 4kb buffer, generally\nconsidered a bad idea overall.\n\nThis requires a corrupted filesystem, which isn't a threat model the\nkernel really needs to worry about, but checking for such an obvious\nout-of-bounds value is good to keep things robust, especially on journal\nreplay.\n\nFix this up by bounding rec->used correctly.\n\nThis is much like commit b2bc7c44ed17 (\"fs/ntfs3: Fix slab-out-of-bounds\nread in DeleteIndexEntryRoot\") which checked different values in this\nsame switch statement.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31716"
        },
        {
          "id": "CVE-2026-31717",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate owner of durable handle on reconnect\n\nCurrently, ksmbd does not verify if the user attempting to reconnect\nto a durable handle is the same user who originally opened the file.\nThis allows any authenticated user to hijack an orphaned durable handle\nby predicting or brute-forcing the persistent ID.\n\nAccording to MS-SMB2, the server MUST verify that the SecurityContext\nof the reconnect request matches the SecurityContext associated with\nthe existing open.\nAdd a durable_owner structure to ksmbd_file to store the original opener's\nUID, GID, and account name, capture the owner information when a file\nhandle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner()\nto validate the identity of the requester during SMB2_CREATE (DHnC).",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31717"
        },
        {
          "id": "CVE-2026-31718",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger\n\nWhen a durable file handle survives session disconnect (TCP close without\nSMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the\nhandle for later reconnection. However, it did not clean up the byte-range\nlocks on fp->lock_list.\n\nLater, when the durable scavenger thread times out and calls\n__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:\n\n    spin_lock(&fp->conn->llist_lock);\n\nThis caused a slab use-after-free because fp->conn was NULL and the\noriginal connection object had already been freed by\nksmbd_tcp_disconnect().\n\nThe root cause is asymmetric cleanup: lock entries (smb_lock->clist) were\nleft dangling on the freed conn->lock_list while fp->conn was nulled out.\n\nTo fix this issue properly, we need to handle the lifetime of\nsmb_lock->clist across three paths:\n - Safely skip clist deletion when list is empty and fp->conn is NULL.\n - Remove the lock from the old connection's lock_list in\n   session_fd_check()\n - Re-add the lock to the new connection's lock_list in\n   ksmbd_reopen_durable_fd().",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31718"
        },
        {
          "id": "CVE-2026-31719",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: krb5enc - fix async decrypt skipping hash verification\n\nkrb5enc_dispatch_decrypt() sets req->base.complete as the skcipher\ncallback, which is the caller's own completion handler. When the\nskcipher completes asynchronously, this signals \"done\" to the caller\nwithout executing krb5enc_dispatch_decrypt_hash(), completely bypassing\nthe integrity verification (hash check).\n\nCompare with the encrypt path which correctly uses\nkrb5enc_encrypt_done as an intermediate callback to chain into the\nhash computation on async completion.\n\nFix by adding krb5enc_decrypt_done as an intermediate callback that\nchains into krb5enc_dispatch_decrypt_hash() upon async skcipher\ncompletion, matching the encrypt path's callback pattern.\n\nAlso fix EBUSY/EINPROGRESS handling throughout: remove\nkrb5enc_request_complete() which incorrectly swallowed EINPROGRESS\nnotifications that must be passed up to callers waiting on backlogged\nrequests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done\nfor the dispatch_encrypt return value.\n\nUnset MAY_BACKLOG on the async completion path so the user won't\nsee back-to-back EINPROGRESS notifications.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31719"
        },
        {
          "id": "CVE-2026-31720",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_uac1_legacy: validate control request size\n\nf_audio_complete() copies req->length bytes into a 4-byte stack\nvariable:\n\n  u32 data = 0;\n  memcpy(&data, req->buf, req->length);\n\nreq->length is derived from the host-controlled USB request path,\nwhich can lead to a stack out-of-bounds write.\n\nValidate req->actual against the expected payload size for the\nsupported control selectors and decode only the expected amount\nof data.\n\nThis avoids copying a host-influenced length into a fixed-size\nstack object.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31720"
        },
        {
          "id": "CVE-2026-31721",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: move list and spinlock inits from bind to alloc\n\nThere was an issue when you did the following:\n- setup and bind an hid gadget\n- open /dev/hidg0\n- use the resulting fd in EPOLL_CTL_ADD\n- unbind the UDC\n- bind the UDC\n- use the fd in EPOLL_CTL_DEL\n\nWhen CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported\nwithin remove_wait_queue (via ep_remove_wait_queue). After some\ndebugging I found out that the queues, which f_hid registers via\npoll_wait were the problem. These were initialized using\ninit_waitqueue_head inside hidg_bind. So effectively, the bind function\nre-initialized the queues while there were still items in them.\n\nThe solution is to move the initialization from hidg_bind to hidg_alloc\nto extend their lifetimes to the lifetime of the function instance.\n\nAdditionally, I found many other possibly problematic init calls in the\nbind function, which I moved as well.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31721"
        },
        {
          "id": "CVE-2026-31722",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... /sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe borrowed_net flag is used to indicate whether the network device is\nshared and pre-registered during the legacy driver's bind phase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31722"
        },
        {
          "id": "CVE-2026-31723",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_subset: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... /sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31723"
        },
        {
          "id": "CVE-2026-31724",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\nconsole:/ # ls -l /sys/class/net/usb0\nlrwxrwxrwx ... /sys/class/net/usb0 ->\n/sys/devices/platform/.../gadget.0/net/usb0\nconsole:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\nls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31724"
        },
        {
          "id": "CVE-2026-31725",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ecm: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... /sys/class/net/usb0 ->\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31725"
        },
        {
          "id": "CVE-2026-31726",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix NULL pointer dereference during unbind race\n\nCommit b81ac4395bbe (\"usb: gadget: uvc: allow for application to cleanly\nshutdown\") introduced two stages of synchronization waits totaling 1500ms\nin uvc_function_unbind() to prevent several types of kernel panics.\nHowever, this timing-based approach is insufficient during power\nmanagement (PM) transitions.\n\nWhen the PM subsystem starts freezing user space processes, the\nwait_event_interruptible_timeout() is aborted early, which allows the\nunbind thread to proceed and nullify the gadget pointer\n(cdev->gadget = NULL):\n\n[  814.123447][  T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()\n[  814.178583][ T3173] PM: suspend entry (deep)\n[  814.192487][ T3173] Freezing user space processes\n[  814.197668][  T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release\n\nWhen the PM subsystem resumes or aborts the suspend and tasks are\nrestarted, the V4L2 release path is executed and attempts to access the\nalready nullified gadget pointer, triggering a kernel panic:\n\n[  814.292597][    C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake\n[  814.386727][ T3173] Restarting tasks ...\n[  814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030\n[  814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4\n[  814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94\n[  814.404078][ T4558] Call trace:\n[  814.404080][ T4558]  usb_gadget_deactivate+0x14/0xf4\n[  814.404083][ T4558]  usb_function_deactivate+0x54/0x94\n[  814.404087][ T4558]  uvc_function_disconnect+0x1c/0x5c\n[  814.404092][ T4558]  uvc_v4l2_release+0x44/0xac\n[  814.404095][ T4558]  v4l2_release+0xcc/0x130\n\nAddress the race condition and NULL pointer dereference by:\n\n1. State Synchronization (flag + mutex)\nIntroduce a 'func_unbound' flag in struct uvc_device. This allows\nuvc_function_disconnect() to safely skip accessing the nullified\ncdev->gadget pointer. As suggested by Alan Stern, this flag is protected\nby a new mutex (uvc->lock) to ensure proper memory ordering and prevent\ninstruction reordering or speculative loads. This mutex is also used to\nprotect 'func_connected' for consistent state management.\n\n2. Explicit Synchronization (completion)\nUse a completion to synchronize uvc_function_unbind() with the\nuvc_vdev_release() callback. This prevents Use-After-Free (UAF) by\nensuring struct uvc_device is freed after all video device resources\nare released.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31726"
        },
        {
          "id": "CVE-2026-31727",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo\n\nCommit ec35c1969650 (\"usb: gadget: f_ncm: Fix net_device lifecycle with\ndevice_move\") reparents the gadget device to /sys/devices/virtual during\nunbind, clearing the gadget pointer. If the userspace tool queries on\nthe surviving interface during this detached window, this leads to a\nNULL pointer dereference.\n\nUnable to handle kernel NULL pointer dereference\nCall trace:\n eth_get_drvinfo+0x50/0x90\n ethtool_get_drvinfo+0x5c/0x1f0\n __dev_ethtool+0xaec/0x1fe0\n dev_ethtool+0x134/0x2e0\n dev_ioctl+0x338/0x560\n\nAdd a NULL check for dev->gadget in eth_get_drvinfo(). When detached,\nskip copying the fw_version and bus_info strings, which is natively\nhandled by ethtool_get_drvinfo for empty strings.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31727"
        },
        {
          "id": "CVE-2026-31728",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_ether: Fix race between gether_disconnect and eth_stop\n\nA race condition between gether_disconnect() and eth_stop() leads to a\nNULL pointer dereference. Specifically, if eth_stop() is triggered\nconcurrently while gether_disconnect() is tearing down the endpoints,\neth_stop() attempts to access the cleared endpoint descriptor, causing\nthe following NPE:\n\n  Unable to handle kernel NULL pointer dereference\n  Call trace:\n   __dwc3_gadget_ep_enable+0x60/0x788\n   dwc3_gadget_ep_enable+0x70/0xe4\n   usb_ep_enable+0x60/0x15c\n   eth_stop+0xb8/0x108\n\nBecause eth_stop() crashes while holding the dev->lock, the thread\nrunning gether_disconnect() fails to acquire the same lock and spins\nforever, resulting in a hardlockup:\n\n  Core - Debugging Information for Hardlockup core(7)\n  Call trace:\n   queued_spin_lock_slowpath+0x94/0x488\n   _raw_spin_lock+0x64/0x6c\n   gether_disconnect+0x19c/0x1e8\n   ncm_set_alt+0x68/0x1a0\n   composite_setup+0x6a0/0xc50\n\nThe root cause is that the clearing of dev->port_usb in\ngether_disconnect() is delayed until the end of the function.\n\nMove the clearing of dev->port_usb to the very beginning of\ngether_disconnect() while holding dev->lock. This cuts off the link\nimmediately, ensuring eth_stop() will see dev->port_usb as NULL and\nsafely bail out.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31728"
        },
        {
          "id": "CVE-2026-31729",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: validate connector number in ucsi_notify_common()\n\nThe connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a\n7-bit field (0-127) that is used to index into the connector array in\nucsi_connector_change(). However, the array is only allocated for the\nnumber of connectors reported by the device (typically 2-4 entries).\n\nA malicious or malfunctioning device could report an out-of-range\nconnector number in the CCI, causing an out-of-bounds array access in\nucsi_connector_change().\n\nAdd a bounds check in ucsi_notify_common(), the central point where CCI\nis parsed after arriving from hardware, so that bogus connector numbers\nare rejected before they propagate further.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31729"
        },
        {
          "id": "CVE-2026-31730",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: possible double-free of cctx->remote_heap\n\nfastrpc_init_create_static_process() may free cctx->remote_heap on the\nerr_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove()\nfrees cctx->remote_heap again if it is non-NULL, which can lead to a\ndouble-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg\ndevice is subsequently removed/unbound.\nClear cctx->remote_heap after freeing it in the error path to prevent the\nlater cleanup from freeing it again.\n\nThis issue was found by an in-house analysis workflow that extracts AST-based\ninformation and runs static checks, with LLM assistance for triage, and was\nconfirmed by manual code review.\nNo hardware testing was performed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31730"
        },
        {
          "id": "CVE-2026-31731",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Address thermal zone removal races with resume\n\nSince thermal_zone_pm_complete() and thermal_zone_device_resume()\nre-initialize the poll_queue delayed work for the given thermal zone,\nthe cancel_delayed_work_sync() in thermal_zone_device_unregister()\nmay miss some already running work items and the thermal zone may\nbe freed prematurely [1].\n\nThere are two failing scenarios that both start with\nrunning thermal_pm_notify_complete() right before invoking\nthermal_zone_device_unregister() for one of the thermal zones.\n\nIn the first scenario, there is a work item already running for\nthe given thermal zone when thermal_pm_notify_complete() calls\nthermal_zone_pm_complete() for that thermal zone and it continues to\nrun when thermal_zone_device_unregister() starts.  Since the poll_queue\ndelayed work has been re-initialized by thermal_pm_notify_complete(), the\nrunning work item will be missed by the cancel_delayed_work_sync() in\nthermal_zone_device_unregister() and if it continues to run past the\nfreeing of the thermal zone object, a use-after-free will occur.\n\nIn the second scenario, thermal_zone_device_resume() queued up by\nthermal_pm_notify_complete() runs right after the thermal_zone_exit()\ncalled by thermal_zone_device_unregister() has returned.  The poll_queue\ndelayed work is re-initialized by it before cancel_delayed_work_sync() is\ncalled by thermal_zone_device_unregister(), so it may continue to run\nafter the freeing of the thermal zone object, which also leads to a\nuse-after-free.\n\nAddress the first failing scenario by ensuring that no thermal work\nitems will be running when thermal_pm_notify_complete() is called.\nFor this purpose, first move the cancel_delayed_work() call from\nthermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent\nnew work from entering the workqueue going forward.  Next, switch\nover to using a dedicated workqueue for thermal events and update\nthe code in thermal_pm_notify() to flush that workqueue after\nthermal_pm_notify_prepare() has returned which will take care of\nall leftover thermal work already on the workqueue (that leftover\nwork would do nothing useful anyway because all of the thermal zones\nhave been flagged as suspended).\n\nThe second failing scenario is addressed by adding a tz->state check\nto thermal_zone_device_resume() to prevent it from re-initializing\nthe poll_queue delayed work if the thermal zone is going away.\n\nNote that the above changes will also facilitate relocating the suspend\nand resume of thermal zones closer to the suspend and resume of devices,\nrespectively.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31731"
        },
        {
          "id": "CVE-2026-31732",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: Fix resource leaks on errors in gpiochip_add_data_with_key()\n\nSince commit aab5c6f20023 (\"gpio: set device type for GPIO chips\"),\n`gdev->dev.release` is unset.  As a result, the reference count to\n`gdev->dev` isn't dropped on the error handling paths.\n\nDrop the reference on errors.\n\nAlso reorder the instructions to make the error handling simpler.\nNow gpiochip_add_data_with_key() roughly looks like:\n\n   >>> Some memory allocation.  Go to ERR ZONE 1 on errors.\n   >>> device_initialize().\n\n   gpiodev_release() takes over the responsibility for freeing the\n   resources of `gdev->dev`.  The subsequent error handling paths\n   shouldn't go through ERR ZONE 1 again which leads to double free.\n\n   >>> Some initialization mainly on `gdev`.\n   >>> The rest of initialization.  Go to ERR ZONE 2 on errors.\n   >>> Chip registration success and exit.\n\n   >>> ERR ZONE 2.  gpio_device_put() and exit.\n   >>> ERR ZONE 1.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31732"
        },
        {
          "id": "CVE-2026-31733",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix stale direct dispatch state in ddsp_dsq_id\n\n@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a\nspurious warning in mark_direct_dispatch() when the next wakeup's\nops.select_cpu() calls scx_bpf_dsq_insert(), such as:\n\n WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140\n\nThe root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(),\nwhich is not reached in all paths that consume or cancel a direct dispatch\nverdict.\n\nFix it by clearing it at the right places:\n\n - direct_dispatch(): cache the direct dispatch state in local variables\n   and clear it before dispatch_enqueue() on the synchronous path. For\n   the deferred path, the direct dispatch state must remain set until\n   process_ddsp_deferred_locals() consumes them.\n\n - process_ddsp_deferred_locals(): cache the dispatch state in local\n   variables and clear it before calling dispatch_to_local_dsq(), which\n   may migrate the task to another rq.\n\n - do_enqueue_task(): clear the dispatch state on the enqueue path\n   (local/global/bypass fallbacks), where the direct dispatch verdict is\n   ignored.\n\n - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue()\n   to handle both the deferred dispatch cancellation and the holding_cpu\n   race, covering all cases where a pending direct dispatch is\n   cancelled.\n\n - scx_disable_task(): clear the direct dispatch state when\n   transitioning a task out of the current scheduler. Waking tasks may\n   have had the direct dispatch state set by the outgoing scheduler's\n   ops.select_cpu() and then been queued on a wake_list via\n   ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such\n   tasks are not on the runqueue and are not iterated by scx_bypass(),\n   so their direct dispatch state won't be cleared. Without this clear,\n   any subsequent SCX scheduler that tries to direct dispatch the task\n   will trigger the WARN_ON_ONCE() in mark_direct_dispatch().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31733"
        },
        {
          "id": "CVE-2026-31734",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU\n\nSince commit 8e4f0b1ebcf2 (\"bpf: use rcu_read_lock_dont_migrate() for\ntrampoline.c\"), the BPF prolog (__bpf_prog_enter) calls migrate_disable()\nonly when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate().\nWithout CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled,\nso migration_disabled == 1 always means the task is truly\nmigration-disabled regardless of whether it is the current task.\n\nThe old unconditional p == current check was a false negative in this\ncase, potentially allowing a migration-disabled task to be dispatched to\na remote CPU and triggering scx_error in task_can_run_on_remote_rq().\n\nOnly apply the p == current disambiguation when CONFIG_PREEMPT_RCU is\nenabled, where the ambiguity with the BPF prolog still exists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31734"
        },
        {
          "id": "CVE-2026-31735",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommupt: Fix short gather if the unmap goes into a large mapping\n\nunmap has the odd behavior that it can unmap more than requested if the\nending point lands within the middle of a large or contiguous IOPTE.\n\nIn this case the gather should flush everything unmapped which can be\nlarger than what was requested to be unmapped. The gather was only\nflushing the range requested to be unmapped, not extending to the extra\nrange, resulting in a short invalidation if the caller hits this special\ncondition.\n\nThis was found by the new invalidation/gather test I am adding in\npreparation for ARMv8. Claude deduced the root cause.\n\nAs far as I remember nothing relies on unmapping a large entry, so this is\nlikely not a triggerable bug.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31735",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31736",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled\n\nIf the gmac0 is disabled, the precheck for a valid ingress device will\ncause a NULL pointer deref and crash the system. This happens because\neth->netdev[0] will be NULL but the code will directly try to access\nnetdev_ops.\n\nInstead of just checking for the first net_device, it must be checked if\nany of the mtk_eth net_devices is matching the netdev_ops of the ingress\ndevice.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31736"
        },
        {
          "id": "CVE-2026-31737",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ftgmac100: fix ring allocation unwind on open failure\n\nftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and\nrx_scratch in stages. On intermediate failures it returned -ENOMEM\ndirectly, leaking resources allocated earlier in the function.\n\nRework the failure path to use staged local unwind labels and free\nallocated resources in reverse order before returning -ENOMEM. This\nmatches common netdev allocation cleanup style.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31737"
        },
        {
          "id": "CVE-2026-31738",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: validate ND option lengths in vxlan_na_create\n\nvxlan_na_create() walks ND options according to option-provided\nlengths. A malformed option can make the parser advance beyond the\ncomputed option span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31738"
        },
        {
          "id": "CVE-2026-31739",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: tegra - Add missing CRYPTO_ALG_ASYNC\n\nThe tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its\nasynchronous algorithms, causing the crypto API to select them for users\nthat request only synchronous algorithms.  This causes crashes (at\nleast).  Fix this by adding the flag like what the other drivers do.\nAlso remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just\nget ignored and overridden by the registration function anyway.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31739"
        },
        {
          "id": "CVE-2026-31740",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member\n\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\n\nThe dev member is assigned both by the counter driver and the PWM driver\nfor channels 1 and 2, to their own struct device instance, overwriting\nthe previous value.\n\nThe sub-drivers race to assign their own struct device pointer to the\nsame struct rz_mtu3_channel's dev member.\n\nThe dev member of struct rz_mtu3_channel is used by the counter\nsub-driver for runtime PM.\n\nDepending on the probe order of the counter and PWM sub-drivers, the\ndev member may point to the wrong struct device instance, causing the\ncounter sub-driver to do runtime PM actions on the wrong device.\n\nTo fix this, use the parent pointer of the counter, which is assigned\nduring probe to the correct struct device, not the struct device pointer\ninside the shared struct rz_mtu3_channel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31740"
        },
        {
          "id": "CVE-2026-31741",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: prevent counter from being toggled multiple times\n\nRuntime PM counter is incremented / decremented each time the sysfs\nenable file is written to.\n\nIf user writes 0 to the sysfs enable file multiple times, runtime PM\nusage count underflows, generating the following message.\n\nrz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!\n\nAt the same time, hardware registers end up being accessed with clocks\noff in rz_mtu3_terminate_counter() to disable an already disabled\nchannel.\n\nIf user writes 1 to the sysfs enable file multiple times, runtime PM\nusage count will be incremented each time, requiring the same number of\n0 writes to get it back to 0.\n\nIf user writes 0 to the sysfs enable file while PWM is in progress, PWM\nis stopped without counter being the owner of the underlying MTU3\nchannel.\n\nCheck against the cached count_is_enabled value and exit if the user\nis trying to set the same enable value.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31741"
        },
        {
          "id": "CVE-2026-31742",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: discard stale unicode buffer on alt screen exit after resize\n\nWhen enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and\nsets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize()\nskips reallocating the unicode buffer because vc_uni_lines is NULL.\nHowever, vc_saved_uni_lines still points to the old buffer allocated for\nthe original dimensions.\n\nWhen leave_alt_screen() later restores vc_saved_uni_lines, the buffer\ndimensions no longer match vc_rows/vc_cols. Any operation that iterates\nover the unicode buffer using the current dimensions (e.g. csi_J clearing\nthe screen) will access memory out of bounds, causing a kernel oops:\n\n  BUG: unable to handle page fault for address: 0x0000002000000020\n  RIP: 0010:csi_J+0x133/0x2d0\n\nThe faulting address 0x0000002000000020 is two adjacent u32 space\ncharacters (0x20) interpreted as a pointer, read from the row data area\npast the end of the 25-entry pointer array in a buffer allocated for\n80x25 but accessed with 240x67 dimensions.\n\nFix this by checking whether the console dimensions changed while in the\nalternate screen. If they did, free the stale saved buffer instead of\nrestoring it. The unicode screen will be lazily rebuilt via\nvc_uniscr_check() when next needed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31742",
          "detail": "fixed-version",
          "description": "only affects 6.18.20 onwards"
        },
        {
          "id": "CVE-2026-31743",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy\n\nBuffer size used in dma allocation and memcpy is wrong.\nIt can lead to undersized DMA buffer access and possible\nmemory corruption. use correct buffer size in dma_alloc_coherent\nand memcpy.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31743"
        },
        {
          "id": "CVE-2026-31744",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: EM: Fix NULL pointer dereference when perf domain ID is not found\n\ndev_energymodel_nl_get_perf_domains_doit() calls\nem_perf_domain_get_by_id() but does not check the return value before\npassing it to __em_nl_get_pd_size(). When a caller supplies a\nnon-existent perf domain ID, em_perf_domain_get_by_id() returns NULL,\nand __em_nl_get_pd_size() immediately dereferences pd->cpus\n(struct offset 0x30), causing a NULL pointer dereference.\n\nThe sister handler dev_energymodel_nl_get_perf_table_doit() already\nhandles this correctly via __em_nl_get_pd_table_id(), which returns\nNULL and causes the caller to return -EINVAL. Add the same NULL check\nin the get-perf-domains do handler.\n\n[ rjw: Subject and changelog edits ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31744",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31745",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: gpio: fix double free in reset_add_gpio_aux_device() error path\n\nWhen __auxiliary_device_add() fails, reset_add_gpio_aux_device()\ncalls auxiliary_device_uninit(adev).\n\nThe device release callback reset_gpio_aux_device_release() frees\nadev, but the current error path then calls kfree(adev) again,\ncausing a double free.\n\nKeep kfree(adev) for the auxiliary_device_init() failure path, but\navoid freeing adev after auxiliary_device_uninit().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31745",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31746",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: Fix memory leak with CCA cards used as accelerator\n\nTests showed that there is a memory leak if CCA cards are used as\naccelerator for clear key RSA requests (ME and CRT). With the last\nrework for the memory allocation the AP messages are allocated by\nap_init_apmsg() but for some reason on two places (ME and CRT) the\nolder allocation was still in place. So the first allocation simple\nwas never freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31746"
        },
        {
          "id": "CVE-2026-31747",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me4000: Fix potential overrun of firmware buffer\n\n`me4000_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`.  It is possible for it to overrun the source\nbuffer because it blindly trusts the file format.  It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream.  On failure, log an error and\nreturn `-EINVAL`.\n\nNote: The firmware loading was totally broken before commit ac584af59945\n(\"staging: comedi: me4000: fix firmware downloading\"), but that is the\nmost sensible target for this fix.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31747"
        },
        {
          "id": "CVE-2026-31748",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: me_daq: Fix potential overrun of firmware buffer\n\n`me2600_xilinx_download()` loads the firmware that was requested by\n`request_firmware()`.  It is possible for it to overrun the source\nbuffer because it blindly trusts the file format.  It reads a data\nstream length from the first 4 bytes into variable `file_length` and\nreads the data stream contents of length `file_length` from offset 16\nonwards.  Although it checks that the supplied firmware is at least 16\nbytes long, it does not check that it is long enough to contain the data\nstream.\n\nAdd a test to ensure that the supplied firmware is long enough to\ncontain the header and the data stream.  On failure, log an error and\nreturn `-EINVAL`.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31748"
        },
        {
          "id": "CVE-2026-31749",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: ni_atmio16d: Fix invalid clean-up after failed attach\n\nIf the driver's COMEDI \"attach\" handler function (`atmio16d_attach()`)\nreturns an error, the COMEDI core will call the driver's \"detach\"\nhandler function (`atmio16d_detach()`) to clean up.  This calls\n`reset_atmio16d()` unconditionally, but depending on where the error\noccurred in the attach handler, the device may not have been\nsufficiently initialized to call `reset_atmio16d()`.  It uses\n`dev->iobase` as the I/O port base address and `dev->private` as the\npointer to the COMEDI device's private data structure.  `dev->iobase`\nmay still be set to its initial value of 0, which would result in\nundesired writes to low I/O port addresses.  `dev->private` may still be\n`NULL`, which would result in null pointer dereferences.\n\nFix `atmio16d_detach()` by checking that `dev->private` is valid\n(non-null) before calling `reset_atmio16d()`.  This implies that\n`dev->iobase` was set correctly since that is set up before\n`dev->private`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31749"
        },
        {
          "id": "CVE-2026-31750",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: runflags cannot determine whether to reclaim chanlist\n\nsyzbot reported a memory leak [1], because commit 4e1da516debb (\"comedi:\nAdd reference counting for Comedi command handling\") did not consider\nthe exceptional exit case in do_cmd_ioctl() where runflags is not set.\nThis caused chanlist not to be properly freed by do_become_nonbusy(),\nas it only frees chanlist when runflags is correctly set.\n\nAdded a check in do_become_nonbusy() for the case where runflags is not\nset, to properly free the chanlist memory.\n\n[1]\nBUG: memory leak\n  backtrace (crc 844a0efa):\n    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]\n    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890\n    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31750",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31751",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: dt2815: add hardware detection to prevent crash\n\nThe dt2815 driver crashes when attached to I/O ports without actual\nhardware present. This occurs because syzkaller or users can attach\nthe driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.\n\nWhen no hardware exists at the specified port, inb() operations return\n0xff (floating bus), but outb() operations can trigger page faults due\nto undefined behavior, especially under race conditions:\n\n  BUG: unable to handle page fault for address: 000000007fffff90\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  RIP: 0010:dt2815_attach+0x6e0/0x1110\n\nAdd hardware detection by reading the status register before attempting\nany write operations. If the read returns 0xff, assume no hardware is\npresent and fail the attach with -ENODEV. This prevents crashes from\noutb() operations on non-existent hardware.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31751"
        },
        {
          "id": "CVE-2026-31752",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: validate ND option lengths\n\nbr_nd_send() walks ND options according to option-provided lengths.\nA malformed option can make the parser advance beyond the computed\noption span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31752"
        },
        {
          "id": "CVE-2026-31753",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: line-display: fix NULL dereference in linedisp_release\n\nlinedisp_release() currently retrieves the enclosing struct linedisp via\nto_linedisp(). That lookup depends on the attachment list, but the\nattachment may already have been removed before put_device() invokes the\nrelease callback. This can happen in linedisp_unregister(), and can also\nbe reached from some linedisp_register() error paths.\n\nIn that case, to_linedisp() returns NULL and linedisp_release()\ndereferences it while freeing the display resources.\n\nThe struct device released here is the embedded linedisp->dev used by\nlinedisp_register(), so retrieve the enclosing object directly with\ncontainer_of() instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31753",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31754",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix state inconsistency on gadget init failure\n\nWhen cdns3_gadget_start() fails, the DRD hardware is left in gadget mode\nwhile software state remains INACTIVE, creating hardware/software state\ninconsistency.\n\nWhen switching to host mode via sysfs:\n  echo host > /sys/class/usb_role/13180000.usb-role-switch/role\n\nThe role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error,\nso cdns_role_stop() skips cleanup because state is still INACTIVE.\nThis violates the DRD controller design specification (Figure22),\nwhich requires returning to idle state before switching roles.\n\nThis leads to a synchronous external abort in xhci_gen_setup() when\nsetting up the host controller:\n\n[  516.440698] configfs-gadget 13180000.usb: failed to start g1: -19\n[  516.442035] cdns-usb3 13180000.usb: Failed to add gadget\n[  516.443278] cdns-usb3 13180000.usb: set role 2 has failed\n...\n[ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller\n[ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP\n[ 1301.382485] pc : xhci_gen_setup+0xa4/0x408\n[ 1301.393391] backtrace:\n    ...\n    xhci_gen_setup+0xa4/0x408    <-- CRASH\n    xhci_plat_setup+0x44/0x58\n    usb_add_hcd+0x284/0x678\n    ...\n    cdns_role_set+0x9c/0xbc        <-- Role switch\n\nFix by calling cdns_drd_gadget_off() in the error path to properly\nclean up the DRD gadget state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31754"
        },
        {
          "id": "CVE-2026-31755",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: fix NULL pointer dereference in ep_queue\n\nWhen the gadget endpoint is disabled or not yet configured, the ep->desc\npointer can be NULL. This leads to a NULL pointer dereference when\n__cdns3_gadget_ep_queue() is called, causing a kernel crash.\n\nAdd a check to return -ESHUTDOWN if ep->desc is NULL, which is the\nstandard return code for unconfigured endpoints.\n\nThis prevents potential crashes when ep_queue is called on endpoints\nthat are not ready.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31755"
        },
        {
          "id": "CVE-2026-31756",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()\n\ndwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,\nwhich expects hsotg->lock to be held since it does spin_unlock/spin_lock\naround the gadget driver callback invocation.\n\nHowever, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()\nwithout holding the lock. This leads to:\n - spin_unlock on a lock that is not held (undefined behavior)\n - The lock remaining held after dwc2_gadget_exit_clock_gating() returns,\n   causing a deadlock when spin_lock_irqsave() is called later in the\n   same function.\n\nFix this by acquiring hsotg->lock before calling\ndwc2_gadget_exit_clock_gating() and releasing it afterwards, which\nsatisfies the locking requirement of the call_gadget() macro.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31756"
        },
        {
          "id": "CVE-2026-31757",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: usbio: Fix URB memory leak on submit failure\n\nWhen usb_submit_urb() fails in usbio_probe(), the previously allocated\nURB is never freed, causing a memory leak.\n\nFix this by jumping to err_free_urb label to properly release the URB\non the error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31757"
        },
        {
          "id": "CVE-2026-31758",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Flush anchored URBs in usbtmc_release\n\nWhen calling usbtmc_release, pending anchored URBs must be flushed or\nkilled to prevent use-after-free errors (e.g. in the HCD giveback\npath). Call usbtmc_draw_down() to allow anchored URBs to be completed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31758"
        },
        {
          "id": "CVE-2026-31759",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix double free in ulpi_register_interface() error path\n\nWhen device_register() fails, ulpi_register() calls put_device() on\nulpi->dev.\n\nThe device release callback ulpi_dev_release() drops the OF node\nreference and frees ulpi, but the current error path in\nulpi_register_interface() then calls kfree(ulpi) again, causing a\ndouble free.\n\nLet put_device() handle the cleanup through ulpi_dev_release() and\navoid freeing ulpi again in ulpi_register_interface().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31759"
        },
        {
          "id": "CVE-2026-31760",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpib: lpvo_usb: fix memory leak on disconnect\n\nThe driver iterates over the registered USB interfaces during GPIB\nattach and takes a reference to their USB devices until a match is\nfound. These references are never released which leads to a memory leak\nwhen devices are disconnected.\n\nFix the leak by dropping the unnecessary references.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31760"
        },
        {
          "id": "CVE-2026-31761",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Move iio_device_register() to correct location\n\niio_device_register() should be at the end of the probe function to\nprevent race conditions.\n\nPlace iio_device_register() at the end of the probe function and place\niio_device_unregister() accordingly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31761"
        },
        {
          "id": "CVE-2026-31762",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Fix irq resource leak\n\nThe interrupt handler is setup but only a few lines down if\niio_trigger_register() fails the function returns without properly\nreleasing the handler.\n\nAdd cleanup goto to resolve resource leak.\n\nDetected by Smatch:\ndrivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn:\n'irq' from request_threaded_irq() not released on lines: 1124.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31762"
        },
        {
          "id": "CVE-2026-31763",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Fix incorrect free_irq() variable\n\nThe handler for the IRQ part of this driver is mpu3050->trig but,\nin the teardown free_irq() is called with handler mpu3050.\n\nUse correct IRQ handler when calling free_irq().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31763"
        },
        {
          "id": "CVE-2026-31764",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only\n\nThe st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace\nwrites the buffer sampling frequency sysfs attribute, calls\nst_lsm6dsx_check_odr(), which accesses the odr_table array at index\n`sensor->id`; since this array is only 2 entries long, an access for any\nsensor type other than accelerometer or gyroscope is an out-of-bounds\naccess.\n\nThe motivation for being able to set a buffer frequency different from the\nsensor sampling frequency is to support use cases that need accurate event\ndetection (which requires a high sampling frequency) while retrieving\nsensor data at low frequency. Since all the supported event types are\ngenerated from acceleration data only, do not create the buffer sampling\nfrequency attribute for sensor types other than the accelerometer.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31764",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31765",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB\n\nCurrently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while\nKFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with\n4K pages, both values match (8KB), so allocation and reserved space\nare consistent.\n\nHowever, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,\nwhile the reserved trap area remains 8KB. This mismatch causes the\nkernel to crash when running rocminfo or rccl unit tests.\n\nKernel attempted to read user page (2) - exploit attempt? (uid: 1001)\nBUG: Kernel NULL pointer dereference on read at 0x00000002\nFaulting instruction address: 0xc0000000002c8a64\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\nCPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E\n6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY\nTainted: [E]=UNSIGNED_MODULE\nHardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006\nof:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries\nNIP:  c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730\nREGS: c0000001e0957580 TRAP: 0300 Tainted: G E\nMSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268\nXER: 00000036\nCFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000\nIRQMASK: 1\nGPR00: c00000000125d908 c0000001e0957820 c0000000016e8100\nc00000013d814540\nGPR04: 0000000000000002 c00000013d814550 0000000000000045\n0000000000000000\nGPR08: c00000013444d000 c00000013d814538 c00000013d814538\n0000000084002268\nGPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff\n0000000000020000\nGPR16: 0000000000000000 0000000000000002 c00000015f653000\n0000000000000000\nGPR20: c000000138662400 c00000013d814540 0000000000000000\nc00000013d814500\nGPR24: 0000000000000000 0000000000000002 c0000001e0957888\nc0000001e0957878\nGPR28: c00000013d814548 0000000000000000 c00000013d814540\nc0000001e0957888\nNIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0\nLR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00\nCall Trace:\n0xc0000001e0957890 (unreliable)\n__mutex_lock.constprop.0+0x58/0xd00\namdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]\nkfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]\nkfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]\nkfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]\nkfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]\nkfd_ioctl+0x514/0x670 [amdgpu]\nsys_ioctl+0x134/0x180\nsystem_call_exception+0x114/0x300\nsystem_call_vectored_common+0x15c/0x2ec\n\nThis patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and\nKFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve\n64 KB for the trap in the address space, but only allocate 8 KB within\nit. With this approach, the allocation size never exceeds the reserved\narea.\n\n(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31765"
        },
        {
          "id": "CVE-2026-31766",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate doorbell_offset in user queue creation\n\namdgpu_userq_get_doorbell_index() passes the user-provided\ndoorbell_offset to amdgpu_doorbell_index_on_bar() without bounds\nchecking. An arbitrarily large doorbell_offset can cause the\ncalculated doorbell index to fall outside the allocated doorbell BO,\npotentially corrupting kernel doorbell space.\n\nValidate that doorbell_offset falls within the doorbell BO before\ncomputing the BAR index, using u64 arithmetic to prevent overflow.\n\n(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31766"
        },
        {
          "id": "CVE-2026-31767",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode\n\nStop adjusting the horizontal timing values based on the\ncompression ratio in command mode. Bspec seems to be telling\nus to do this only in video mode, and this is also how the\nWindows driver does things.\n\nThis should also fix a div-by-zero on some machines because\nthe adjusted htotal ends up being so small that we end up with\nline_time_us==0 when trying to determine the vtotal value in\ncommand mode.\n\nNote that this doesn't actually make the display on the\nHuawei Matebook E work, but at least the kernel no longer\nexplodes when the driver loads.\n\n(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31767"
        },
        {
          "id": "CVE-2026-31768",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-adc161s626: use DMA-safe memory for spi_read()\n\nAdd a DMA-safe buffer and use it for spi_read() instead of a stack\nmemory. All SPI buffers must be DMA-safe.\n\nSince we only need up to 3 bytes, we just use a u8[] instead of __be16\nand __be32 and change the conversion functions appropriately.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31768"
        },
        {
          "id": "CVE-2026-31769",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpib: fix use-after-free in IO ioctl handlers\n\nThe IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor\npointer after board->big_gpib_mutex has been released.  A concurrent\nIBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during\nthis window, causing a use-after-free.\n\nThe IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly\nrelease big_gpib_mutex before calling their handler.  wait_ioctl() is\ncalled with big_gpib_mutex held, but ibwait() releases it internally\nwhen wait_mask is non-zero.  In all four cases, the descriptor pointer\nobtained from handle_to_descriptor() becomes unprotected.\n\nFix this by introducing a kernel-only descriptor_busy reference count\nin struct gpib_descriptor.  Each handler atomically increments\ndescriptor_busy under file_priv->descriptors_mutex before releasing the\nlock, and decrements it when done.  close_dev_ioctl() checks\ndescriptor_busy under the same lock and rejects the close with -EBUSY\nif the count is non-zero.\n\nA reference count rather than a simple flag is necessary because\nmultiple handlers can operate on the same descriptor concurrently\n(e.g. IBRD and IBWAIT on the same handle from different threads).\n\nA separate counter is needed because io_in_progress can be cleared from\nunprivileged userspace via the IBWAIT ioctl (through general_ibstatus()\nwith set_mask containing CMPL), which would allow an attacker to bypass\na check based solely on io_in_progress.  The new descriptor_busy\ncounter is only modified by the kernel IO paths.\n\nThe lock ordering is consistent (big_gpib_mutex -> descriptors_mutex)\nand the handlers only hold descriptors_mutex briefly during the lookup,\nso there is no deadlock risk and no impact on IO throughput.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31769"
        },
        {
          "id": "CVE-2026-31770",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (occ) Fix division by zero in occ_show_power_1()\n\nIn occ_show_power_1() case 1, the accumulator is divided by\nupdate_tag without checking for zero. If no samples have been\ncollected yet (e.g. during early boot when the sensor block is\nincluded but hasn't been updated), update_tag is zero, causing\na kernel divide-by-zero crash.\n\nThe 2019 fix in commit 211186cae14d (\"hwmon: (occ) Fix division by\nzero issue\") only addressed occ_get_powr_avg() used by\nocc_show_power_2() and occ_show_power_a0(). This separate code\npath in occ_show_power_1() was missed.\n\nFix this by reusing the existing occ_get_powr_avg() helper, which\nalready handles the zero-sample case and uses mul_u64_u32_div()\nto multiply before dividing for better precision. Move the helper\nabove occ_show_power_1() so it is visible at the call site.\n\n[groeck: Fix alignment problems reported by checkpatch]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31770"
        },
        {
          "id": "CVE-2026-31771",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: move wake reason storage into validated event handlers\n\nhci_store_wake_reason() is called from hci_event_packet() immediately\nafter stripping the HCI event header but before hci_event_func()\nenforces the per-event minimum payload length from hci_ev_table.\nThis means a short HCI event frame can reach bacpy() before any bounds\ncheck runs.\n\nRather than duplicating skb parsing and per-event length checks inside\nhci_store_wake_reason(), move wake-address storage into the individual\nevent handlers after their existing event-length validation has\nsucceeded. Convert hci_store_wake_reason() into a small helper that only\nstores an already-validated bdaddr while the caller holds hci_dev_lock().\nUse the same helper after hci_event_func() with a NULL address to\npreserve the existing unexpected-wake fallback semantics when no\nvalidated event handler records a wake address.\n\nAnnotate the helper with __must_hold(&hdev->lock) and add\nlockdep_assert_held(&hdev->lock) so future call paths keep the lock\ncontract explicit.\n\nCall the helper from hci_conn_request_evt(), hci_conn_complete_evt(),\nhci_sync_conn_complete_evt(), le_conn_complete_evt(),\nhci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),\nhci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and\nhci_le_past_received_evt().",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31771"
        },
        {
          "id": "CVE-2026-31772",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync\n\nhci_le_big_create_sync() uses DEFINE_FLEX to allocate a\nstruct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)\nBIS entries.  However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)\nentries \u2014 validated against ISO_MAX_NUM_BIS (0x1f) in the caller\nhci_conn_big_create_sync().  When conn->num_bis is between 18 and 31,\nthe memcpy that copies conn->bis into cp->bis writes up to 14 bytes\npast the stack buffer, corrupting adjacent stack memory.\n\nThis is trivially reproducible: binding an ISO socket with\nbc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will\neventually trigger hci_le_big_create_sync() from the HCI command\nsync worker, causing a KASAN-detectable stack-out-of-bounds write:\n\n  BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0\n  Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71\n\nFix this by changing the DEFINE_FLEX count from the incorrect 0x11 to\nHCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that\nconn->bis can actually carry.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31772"
        },
        {
          "id": "CVE-2026-31773",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: derive legacy responder STK authentication from MITM state\n\nThe legacy responder path in smp_random() currently labels the stored\nSTK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.\nThat reflects what the local service requested, not what the pairing\nflow actually achieved.\n\nFor Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear\nand the resulting STK should remain unauthenticated even if the local\nside requested HIGH security. Use the established MITM state when\nstoring the responder STK so the key metadata matches the pairing result.\n\nThis also keeps the legacy path aligned with the Secure Connections code,\nwhich already treats JUST_WORKS/JUST_CFM as unauthenticated.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31773"
        },
        {
          "id": "CVE-2026-31774",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()\n\nsqe->len is __u32 but gets stored into sr->len which is int. When\nuserspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),\nsr->len overflows to a negative value. This negative value propagates\nthrough the bundle recv/send path:\n\n  1. io_recv(): sel.val = sr->len (ssize_t gets -1)\n  2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets\n     0xFFFFFFFFFFFFFFFF)\n  3. io_ring_buffers_peek(): buf->len is not clamped because max_len\n     is astronomically large\n  4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()\n  5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1,\n     causing ret to increase instead of decrease, creating an\n     infinite loop that reads past the allocated iov[] array\n\nThis results in a slab-out-of-bounds read in io_bundle_nbufs() from\nthe kmalloc-64 slab, as nbufs increments past the allocated iovec\nentries.\n\n  BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160\n  Read of size 8 at addr ffff888100ae05c8 by task exp/145\n  Call Trace:\n   io_bundle_nbufs+0x128/0x160\n   io_recv_finish+0x117/0xe20\n   io_recv+0x2db/0x1160\n\nFix this by rejecting negative sr->len values early in both\nio_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,\nany value > INT_MAX indicates overflow and is not a valid length.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31774"
        },
        {
          "id": "CVE-2026-31775",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization\n\nThe recent refactoring of xfi driver changed the assignment of\natc->daios[] at atc_get_resources(); now it loops over all enum\nDAIOTYP entries while it looped formerly only a part of them.\nThe problem is that the last entry, SPDIF1, is a special type that\nis used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO),\nand there is no corresponding definition for hw20k2.  Due to the lack\nof the info, it caused a kernel crash on hw20k2, which was already\nworked around by the commit b045ab3dff97 (\"ALSA: ctxfi: Fix missing\nSPDIFI1 index handling\").\n\nThis patch addresses the root cause of the regression above properly,\nsimply by skipping the incorrect SPDIF1 type in the parser loop.\n\nFor making the change clearer, the code is slightly arranged, too.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31775",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31776",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Fix missing SPDIFI1 index handling\n\nSPDIF1 DAIO type isn't properly handled in daio_device_index() for\nhw20k2, and it returned -EINVAL, which ended up with the out-of-bounds\narray access.  Follow the hw20k1 pattern and return the proper index\nfor this type, too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31776",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31777",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Check the error for index mapping\n\nThe ctxfi driver blindly assumed a proper value returned from\ndaio_device_index(), but it's not always true.  Add a proper error\ncheck to deal with the error from the function.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31777"
        },
        {
          "id": "CVE-2026-31778",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix stack out-of-bounds read in init_card\n\nThe loop creates a whitespace-stripped copy of the card shortname\nwhere `len < sizeof(card->id)` is used for the bounds check. Since\nsizeof(card->id) is 16 and the local id buffer is also 16 bytes,\nwriting 16 non-space characters fills the entire buffer,\noverwriting the terminating nullbyte.\n\nWhen this non-null-terminated string is later passed to\nsnd_card_set_id() -> copy_valid_id_string(), the function scans\nforward with `while (*nid && ...)` and reads past the end of the\nstack buffer, reading the contents of the stack.\n\nA USB device with a product name containing many non-ASCII, non-space\ncharacters (e.g. multibyte UTF-8) will reliably trigger this as follows:\n\n  BUG: KASAN: stack-out-of-bounds in copy_valid_id_string\n       sound/core/init.c:696 [inline]\n  BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c\n       sound/core/init.c:718\n\nThe off-by-one has been present since commit bafeee5b1f8d (\"ALSA:\nsnd_usb_caiaq: give better shortname\") from June 2009 (v2.6.31-rc1),\nwhich first introduced this whitespace-stripping loop. The original\ncode never accounted for the null terminator when bounding the copy.\n\nFix this by changing the loop bound to `sizeof(card->id) - 1`,\nensuring at least one byte remains as the null terminator.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31778"
        },
        {
          "id": "CVE-2026-31779",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()\n\nThe memcpy function assumes the dynamic array notif->matches is at least\nas large as the number of bytes to copy. Otherwise, results->matches may\ncontain unwanted data. To guarantee safety, extend the validation in one\nof the checks to ensure sufficient packet length.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31779"
        },
        {
          "id": "CVE-2026-31780",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation\n\nThe variable valuesize is declared as u8 but accumulates the total\nlength of all SSIDs to scan. Each SSID contributes up to 33 bytes\n(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)\nSSIDs the total can reach 330, which wraps around to 74 when stored\nin a u8.\n\nThis causes kmalloc to allocate only 75 bytes while the subsequent\nmemcpy writes up to 331 bytes into the buffer, resulting in a 256-byte\nheap buffer overflow.\n\nWiden valuesize from u8 to u32 to accommodate the full range.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31780"
        },
        {
          "id": "CVE-2026-31781",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ioc32: stop speculation on the drm_compat_ioctl path\n\nThe drm compat ioctl path takes a user controlled pointer, and then\ndereferences it into a table of function pointers, the signature method\nof spectre problems.  Fix this up by calling array_index_nospec() on the\nindex to the function pointer list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31781"
        },
        {
          "id": "CVE-2026-31782",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix potential bad container_of in intel_pmu_hw_config\n\nAuto counter reload may have a group of events with software events\npresent within it. The software event PMU isn't the x86_hybrid_pmu and\na container_of operation in intel_pmu_set_acr_caused_constr (via the\nhybrid helper) could cause out of bound memory reads. Avoid this by\nguarding the call to intel_pmu_set_acr_caused_constr with an\nis_x86_event check.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31782"
        },
        {
          "id": "CVE-2026-31783",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback\n\naml_sfc_probe() registers the on-host NAND ECC engine, but teardown was\nmissing from both probe unwind and remove-time cleanup. Add a devm cleanup\naction after successful registration so\nnand_ecc_unregister_on_host_hw_engine() runs automatically on probe\nfailures and during device removal.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31783"
        },
        {
          "id": "CVE-2026-31784",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pxp: Clear restart flag in pxp_start after jumping back\n\nIf we don't clear the flag we'll keep jumping back at the beginning of\nthe function once we reach the end.\n\n(cherry picked from commit 0850ec7bb2459602351639dccf7a68a03c9d1ee0)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31784"
        },
        {
          "id": "CVE-2026-31785",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/xe_pagefault: Disallow writes to read-only VMAs\n\nThe page fault handler should reject write/atomic access to read only\nVMAs.  Add code to handle this in xe_pagefault_service after the VMA\nlookup.\n\nv2:\n- Apply max line length (Matthew)\n\n(cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31785",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-31786",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|\n00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|\n00000010  b9 a8 01 42                                       |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it's\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31786"
        },
        {
          "id": "CVE-2026-31787",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31787"
        },
        {
          "id": "CVE-2026-31788",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: restrict usage in unprivileged domU\n\nThe Xen privcmd driver allows to issue arbitrary hypercalls from\nuser space processes. This is normally no problem, as access is\nusually limited to root and the hypervisor will deny any hypercalls\naffecting other domains.\n\nIn case the guest is booted using secure boot, however, the privcmd\ndriver would be enabling a root user process to modify e.g. kernel\nmemory contents, thus breaking the secure boot feature.\n\nThe only known case where an unprivileged domU is really needing to\nuse the privcmd driver is the case when it is acting as the device\nmodel for another guest. In this case all hypercalls issued via the\nprivcmd driver will target that other guest.\n\nFortunately the privcmd driver can already be locked down to allow\nonly hypercalls targeting a specific domain, but this mode can be\nactivated from user land only today.\n\nThe target domain can be obtained from Xenstore, so when not running\nin dom0 restrict the privcmd driver to that target domain from the\nbeginning, resolving the potential problem of breaking secure boot.\n\nThis is XSA-482\n\n---\nV2:\n- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)\n- wait in open() if target domain isn't known yet\n- issue message in case no target domain found (Jan Beulich)",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-31788"
        },
        {
          "id": "CVE-2026-43004",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: stm32-ospi: Fix resource leak in remove() callback\n\nThe remove() callback returned early if pm_runtime_resume_and_get()\nfailed, skipping the cleanup of spi controller and other resources.\n\nRemove the early return so cleanup completes regardless of PM resume\nresult.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43004"
        },
        {
          "id": "CVE-2026-43005",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (tps53679) Fix array access with zero-length block read\n\ni2c_smbus_read_block_data() can return 0, indicating a zero-length\nread. When this happens, tps53679_identify_chip() accesses buf[ret - 1]\nwhich is buf[-1], reading one byte before the buffer on the stack.\n\nFix by changing the check from \"ret < 0\" to \"ret <= 0\", treating a\nzero-length read as an error (-EIO), which prevents the out-of-bounds\narray access.\n\nAlso fix a typo in the adjacent comment: \"if present\" instead of\nduplicate \"if\".",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43005"
        },
        {
          "id": "CVE-2026-43006",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rsrc: reject zero-length fixed buffer import\n\nvalidate_fixed_range() admits buf_addr at the exact end of the\nregistered region when len is zero, because the check uses strict\ngreater-than (buf_end > imu->ubuf + imu->len).  io_import_fixed()\nthen computes offset == imu->len, which causes the bvec skip logic\nto advance past the last bio_vec entry and read bv_offset from\nout-of-bounds slab memory.\n\nReturn early from io_import_fixed() when len is zero.  A zero-length\nimport has no data to transfer and should not walk the bvec array\nat all.\n\n  BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0\n  Read of size 4 at addr ffff888002bcc254 by task poc/103\n  Call Trace:\n   io_import_reg_buf+0x697/0x7f0\n   io_write_fixed+0xd9/0x250\n   __io_issue_sqe+0xad/0x710\n   io_issue_sqe+0x7d/0x1100\n   io_submit_sqes+0x86a/0x23c0\n   __do_sys_io_uring_enter+0xa98/0x1590\n  Allocated by task 103:\n  The buggy address is located 12 bytes to the right of\n   allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43006"
        },
        {
          "id": "CVE-2026-43007",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Handle DBC deactivation if the owner went away\n\nWhen a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV\ntransaction to the host over the QAIC_CONTROL MHI channel. QAIC handles\nthis by calling decode_deactivate() to release the resources allocated for\nthat DBC. Since that handling is done in the qaic_manage_ioctl() context,\nif the user goes away before receiving and handling the deactivation, the\nhost will be out-of-sync with the DBCs available for use, and the DBC\nresources will not be freed unless the device is removed. If another user\nloads and requests to activate a network, then the device assigns the same\nDBC to that network, QAIC will \"indefinitely\" wait for dbc->in_use = false,\nleading the user process to hang.\n\nAs a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions\nthat are received after the user has gone away.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43007"
        },
        {
          "id": "CVE-2026-43008",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: qixis-fpga: Fix error handling for devm_regmap_init_mmio()\n\ndevm_regmap_init_mmio() returns an ERR_PTR() on failure, not NULL.\nThe original code checked for NULL which would never trigger on error,\npotentially leading to an invalid pointer dereference.\nUse IS_ERR() and PTR_ERR() to properly handle the error case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43008",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43009",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix incorrect pruning due to atomic fetch precision tracking\n\nWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC\nand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as\na destination, thus receiving the old value from the memory location.\n\nThe current backtracking logic does not account for this. It treats\natomic fetch operations the same as regular stores where the src\nregister is only an input. This leads the backtrack_insn to fail to\npropagate precision to the stack location, which is then not marked\nas precise!\n\nLater, the verifier's path pruning can incorrectly consider two states\nequivalent when they differ in terms of stack state. Meaning, two\nbranches can be treated as equivalent and thus get pruned when they\nshould not be seen as such.\n\nFix it as follows: Extend the BPF_LDX handling in backtrack_insn to\nalso cover atomic fetch operations via is_atomic_fetch_insn() helper.\nWhen the fetch dst register is being tracked for precision, clear it,\nand propagate precision over to the stack slot. For non-stack memory,\nthe precision walk stops at the atomic instruction, same as regular\nBPF_LDX. This covers all fetch variants.\n\nBefore:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) exit\n\nAfter:\n\n  0: (b7) r1 = 8                        ; R1=8\n  1: (7b) *(u64 *)(r10 -8) = r1         ; R1=8 R10=fp0 fp-8=8\n  2: (b7) r2 = 0                        ; R2=0\n  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)          ; R2=8 R10=fp0 fp-8=mmmmmmmm\n  4: (bf) r3 = r10                      ; R3=fp0 R10=fp0\n  5: (0f) r3 += r2\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10\n  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)\n  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0\n  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1\n  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8\n  6: R2=8 R3=fp8\n  6: (b7) r0 = 0                        ; R0=0\n  7: (95) exit",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43009"
        },
        {
          "id": "CVE-2026-43010",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject sleepable kprobe_multi programs at attach time\n\nkprobe.multi programs run in atomic/RCU context and cannot sleep.\nHowever, bpf_kprobe_multi_link_attach() did not validate whether the\nprogram being attached had the sleepable flag set, allowing sleepable\nhelpers such as bpf_copy_from_user() to be invoked from a non-sleepable\ncontext.\n\nThis causes a \"sleeping function called from invalid context\" splat:\n\n  BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169\n  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo\n  preempt_count: 1, expected: 0\n  RCU nest depth: 2, expected: 0\n\nFix this by rejecting sleepable programs early in\nbpf_kprobe_multi_link_attach(), before any further processing.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43010"
        },
        {
          "id": "CVE-2026-43011",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix potential double free of skb\n\nWhen alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at\nline 48 and returns 1 (error).\nThis error propagates back through the call chain:\n\nx25_queue_rx_frame returns 1\n    |\n    v\nx25_state3_machine receives the return value 1 and takes the else\nbranch at line 278, setting queued=0 and returning 0\n    |\n    v\nx25_process_rx_frame returns queued=0\n    |\n    v\nx25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)\nagain\n\nThis would free the same skb twice. Looking at x25_backlog_rcv:\n\nnet/x25/x25_in.c:x25_backlog_rcv() {\n    ...\n    queued = x25_process_rx_frame(sk, skb);\n    ...\n    if (!queued)\n        kfree_skb(skb);\n}",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43011"
        },
        {
          "id": "CVE-2026-43012",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix switchdev mode rollback in case of failure\n\nIf for some internal reason switchdev mode fails, we rollback to legacy\nmode, before this patch, rollback will unregister the uplink netdev and\nleave it unregistered causing the below kernel bug.\n\nTo fix this, we need to avoid netdev unregister by setting the proper\nrollback flag 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to indicate legacy mode.\n\ndevlink (431) used greatest stack depth: 11048 bytes left\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), \\\n\tnecvfs(0), active vports(0)\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nmlx5_core 0000:00:03.0: Loading uplink representor for vport 65535\nmlx5_core 0000:00:03.0: mlx5_cmd_out_err:816:(pid 456): \\\n\tQUERY_HCA_CAP(0x100) op_mod(0x0) failed, \\\n\tstatus bad parameter(0x3), syndrome (0x3a3846), err(-22)\nmlx5_core 0000:00:03.0 enp0s3np0 (unregistered): Unloading uplink \\\n\trepresentor for vport 65535\n ------------[ cut here ]------------\nkernel BUG at net/core/dev.c:12070!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 456 Comm: devlink Not tainted 6.16.0-rc3+ \\\n\t#9 PREEMPT(voluntary)\nRIP: 0010:unregister_netdevice_many_notify+0x123/0xae0\n...\nCall Trace:\n[   90.923094]  unregister_netdevice_queue+0xad/0xf0\n[   90.923323]  unregister_netdev+0x1c/0x40\n[   90.923522]  mlx5e_vport_rep_unload+0x61/0xc6\n[   90.923736]  esw_offloads_enable+0x8e6/0x920\n[   90.923947]  mlx5_eswitch_enable_locked+0x349/0x430\n[   90.924182]  ? is_mp_supported+0x57/0xb0\n[   90.924376]  mlx5_devlink_eswitch_mode_set+0x167/0x350\n[   90.924628]  devlink_nl_eswitch_set_doit+0x6f/0xf0\n[   90.924862]  genl_family_rcv_msg_doit+0xe8/0x140\n[   90.925088]  genl_rcv_msg+0x18b/0x290\n[   90.925269]  ? __pfx_devlink_nl_pre_doit+0x10/0x10\n[   90.925506]  ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n[   90.925766]  ? __pfx_devlink_nl_post_doit+0x10/0x10\n[   90.926001]  ? __pfx_genl_rcv_msg+0x10/0x10\n[   90.926206]  netlink_rcv_skb+0x52/0x100\n[   90.926393]  genl_rcv+0x28/0x40\n[   90.926557]  netlink_unicast+0x27d/0x3d0\n[   90.926749]  netlink_sendmsg+0x1f7/0x430\n[   90.926942]  __sys_sendto+0x213/0x220\n[   90.927127]  ? __sys_recvmsg+0x6a/0xd0\n[   90.927312]  __x64_sys_sendto+0x24/0x30\n[   90.927504]  do_syscall_64+0x50/0x1c0\n[   90.927687]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   90.927929] RIP: 0033:0x7f7d0363e047",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43012"
        },
        {
          "id": "CVE-2026-43013",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43013"
        },
        {
          "id": "CVE-2026-43014",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: properly unregister fixed rate clocks\n\nThe additional resources allocated with clk_register_fixed_rate() need\nto be released with clk_unregister_fixed_rate(), otherwise they are lost.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43014"
        },
        {
          "id": "CVE-2026-43015",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix clk handling on PCI glue driver removal\n\nplatform_device_unregister() may still want to use the registered clks\nduring runtime resume callback.\n\nNote that there is a commit d82d5303c4c5 (\"net: macb: fix use after free\non rmmod\") that addressed the similar problem of clk vs platform device\nunregistration but just moved the bug to another place.\n\nSave the pointers to clks into local variables for reuse after platform\ndevice is unregistered.\n\nBUG: KASAN: use-after-free in clk_prepare+0x5a/0x60\nRead of size 8 at addr ffff888104f85e00 by task modprobe/597\n\nCPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x8d/0xba\n print_report+0x17f/0x496\n kasan_report+0xd9/0x180\n clk_prepare+0x5a/0x60\n macb_runtime_resume+0x13d/0x410 [macb]\n pm_generic_runtime_resume+0x97/0xd0\n __rpm_callback+0xc8/0x4d0\n rpm_callback+0xf6/0x230\n rpm_resume+0xeeb/0x1a70\n __pm_runtime_resume+0xb4/0x170\n bus_remove_device+0x2e3/0x4b0\n device_del+0x5b3/0xdc0\n platform_device_del+0x4e/0x280\n platform_device_unregister+0x11/0x50\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n </TASK>\n\nAllocated by task 519:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n __kasan_kmalloc+0x8e/0x90\n __clk_register+0x458/0x2890\n clk_hw_register+0x1a/0x60\n __clk_hw_register_fixed_rate+0x255/0x410\n clk_register_fixed_rate+0x3c/0xa0\n macb_probe+0x1d8/0x42e [macb_pci]\n local_pci_probe+0xd7/0x190\n pci_device_probe+0x252/0x600\n really_probe+0x255/0x7f0\n __driver_probe_device+0x1ee/0x330\n driver_probe_device+0x4c/0x1f0\n __driver_attach+0x1df/0x4e0\n bus_for_each_dev+0x15d/0x1f0\n bus_add_driver+0x486/0x5e0\n driver_register+0x23a/0x3d0\n do_one_initcall+0xfd/0x4d0\n do_init_module+0x18b/0x5a0\n load_module+0x5663/0x7950\n __do_sys_finit_module+0x101/0x180\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 597:\n kasan_save_stack+0x2c/0x50\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x2a/0x50\n __kasan_slab_free+0x106/0x180\n __kmem_cache_free+0xbc/0x320\n clk_unregister+0x6de/0x8d0\n macb_remove+0x73/0xc0 [macb_pci]\n pci_device_remove+0xae/0x210\n device_remove+0xcb/0x180\n device_release_driver_internal+0x529/0x770\n driver_detach+0xd4/0x1a0\n bus_remove_driver+0x135/0x260\n driver_unregister+0x72/0xb0\n pci_unregister_driver+0x26/0x220\n __do_sys_delete_module+0x32e/0x550\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43015"
        },
        {
          "id": "CVE-2026-43016",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket's sk->sk_socket\nin sk_psock_verdict_data_ready(). [0]\n\nIn unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer's refcount, it does not\nprevent the peer's sock_orphan(), and the peer's sk_socket might\nbe freed after one RCU grace period.\n\nLet's fetch the peer's sk->sk_socket and sk->sk_socket->ops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n </TASK>\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch kernel/rcu/tree.c:\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43016"
        },
        {
          "id": "CVE-2026-43017",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43017"
        },
        {
          "id": "CVE-2026-43018",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_le_remote_conn_param_req_evt, otherwise it's possible it is freed\nconcurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43018"
        },
        {
          "id": "CVE-2026-43019",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it's possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently.  Just RCU lock is not suitable here, as we also want to\navoid \"tearing\" in the configuration.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43019"
        },
        {
          "id": "CVE-2026-43020",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key state.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43020"
        },
        {
          "id": "CVE-2026-43021",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once fails\n\nWhen hci_cmd_sync_queue_once() returns with error, the destroy callback\nwill not be called.\n\nFix leaking references / memory on these failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43021",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43022",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists\n\nhci_cmd_sync_queue_once() needs to indicate whether a queue item was\nadded, so caller can know if callbacks are called, so it can avoid\nleaking resources.\n\nChange the function to return -EEXIST if queue item already exists.\n\nModify all callsites to handle that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43022"
        },
        {
          "id": "CVE-2026-43023",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n  Thread A (connect):    HCI disconnect:      Thread B (connect):\n\n  sco_sock_connect(sk)                        sco_sock_connect(sk)\n  sk_state==BT_OPEN                           sk_state==BT_OPEN\n  (pass, no lock)                             (pass, no lock)\n  sco_connect(sk):                            sco_connect(sk):\n    hci_dev_lock                                hci_dev_lock\n    hci_connect_sco                               <- blocked\n      -> hcon1\n    sco_conn_add->conn1\n    lock_sock(sk)\n    sco_chan_add:\n      conn1->sk = sk\n      sk->conn = conn1\n    sk_state=BT_CONNECT\n    release_sock\n    hci_dev_unlock\n                           hci_dev_lock\n                           sco_conn_del:\n                             lock_sock(sk)\n                             sco_chan_del:\n                               sk->conn=NULL\n                               conn1->sk=NULL\n                               sk_state=\n                                 BT_CLOSED\n                               SOCK_ZAPPED\n                             release_sock\n                           hci_dev_unlock\n                                                  (unblocked)\n                                                  hci_connect_sco\n                                                    -> hcon2\n                                                  sco_conn_add\n                                                    -> conn2\n                                                  lock_sock(sk)\n                                                  sco_chan_add:\n                                                    sk->conn=conn2\n                                                  sk_state=\n                                                    BT_CONNECT\n                                                  // zombie sk!\n                                                  release_sock\n                                                  hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n  sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type != SOCK_SEQPACKET check to actually\n  return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n  to catch state changes during the window between the locks\n- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent\n  double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n  HCI connection leaks",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43023"
        },
        {
          "id": "CVE-2026-43024",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject immediate NF_QUEUE verdict\n\nnft_queue is always used from userspace nftables to deliver the NF_QUEUE\nverdict. Immediately emitting an NF_QUEUE verdict is never used by the\nuserspace nft tools, so reject immediate NF_QUEUE verdicts.\n\nThe arp family does not provide queue support, but such an immediate\nverdict is still reachable. Globally reject NF_QUEUE immediate verdicts\nto address this issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43024"
        },
        {
          "id": "CVE-2026-43025",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n  BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n  Read of size 4 at addr ffff8880043fe408 by task poc/102\n  Call Trace:\n   nf_ct_expect_related_report+0x2479/0x27c0\n   ctnetlink_create_expect+0x22b/0x3b0\n   ctnetlink_new_expect+0x4bd/0x5c0\n   nfnetlink_rcv_msg+0x67a/0x950\n   netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump.",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43025"
        },
        {
          "id": "CVE-2026-43026",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent\n\nctnetlink_alloc_expect() allocates expectations from a non-zeroing\nslab cache via nf_ct_expect_alloc().  When CTA_EXPECT_NAT is not\npresent in the netlink message, saved_addr and saved_proto are\nnever initialized.  Stale data from a previous slab occupant can\nthen be dumped to userspace by ctnetlink_exp_dump_expect(), which\nchecks these fields to decide whether to emit CTA_EXPECT_NAT.\n\nThe safe sibling nf_ct_expect_init(), used by the packet path,\nexplicitly zeroes these fields.\n\nZero saved_addr, saved_proto and dir in the else branch, guarded\nby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when\nNAT is enabled.\n\nConfirmed by priming the expect slab with NAT-bearing expectations,\nfreeing them, creating a new expectation without CTA_EXPECT_NAT,\nand observing that the ctnetlink dump emits a spurious\nCTA_EXPECT_NAT containing stale data from the prior allocation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43026"
        },
        {
          "id": "CVE-2026-43027",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately.  Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp->helper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n  BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n  Read of size 1 at addr ffff888003b14d20 by task poc/103\n  Call Trace:\n   string+0x38f/0x430\n   vsnprintf+0x3cc/0x1170\n   seq_printf+0x17a/0x240\n   exp_seq_show+0x2e5/0x560\n   seq_read_iter+0x419/0x1280\n   proc_reg_read+0x1ac/0x270\n   vfs_read+0x179/0x930\n   ksys_read+0xef/0x1c0\n  Freed by task 103:\n  The buggy address is located 32 bytes inside of\n   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43027"
        },
        {
          "id": "CVE-2026-43028",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: ensure names are nul-terminated\n\nReject names that lack a \\0 character before feeding them\nto functions that expect c-strings.\n\nFixes tag is the most recent commit that needs this change.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43028"
        },
        {
          "id": "CVE-2026-43029",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix soft lockup in mptcp_recvmsg()\n\nsyzbot reported a soft lockup in mptcp_recvmsg() [0].\n\nWhen receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not\nremoved from the sk_receive_queue. This causes sk_wait_data() to always\nfind available data and never perform actual waiting, leading to a soft\nlockup.\n\nFix this by adding a 'last' parameter to track the last peeked skb.\nThis allows sk_wait_data() to make informed waiting decisions and prevent\ninfinite loops when MSG_PEEK is used.\n\n[0]:\nwatchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963]\nModules linked in:\nCPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_wait_data+0x15/0x190\nCode: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b\nRSP: 0018:ffffc90000603ca0 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800\nRBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101\nR10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18\nR13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000\nFS:  00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329\n inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891\n sock_recvmsg+0x94/0xc0 net/socket.c:1100\n __sys_recvfrom+0xb2/0x130 net/socket.c:2256\n __x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267\n do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131\nRIP: 0033:0x7f6e386a4a1d\nCode: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41\nRSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d\nRDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004\nRBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0\nR13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43029"
        },
        {
          "id": "CVE-2026-43030",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix regsafe() for pointers to packet\n\nIn case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N\nregsafe() may return true which may lead to current state with\nvalid packet range not being explored. Fix the bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43030"
        },
        {
          "id": "CVE-2026-43031",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Fix BQL accounting for multi-BD TX packets\n\nWhen a TX packet spans multiple buffer descriptors (scatter-gather),\naxienet_free_tx_chain sums the per-BD actual length from descriptor\nstatus into a caller-provided accumulator. That sum is reset on each\nNAPI poll. If the BDs for a single packet complete across different\npolls, the earlier bytes are lost and never credited to BQL. This\ncauses BQL to think bytes are permanently in-flight, eventually\nstalling the TX queue.\n\nThe SKB pointer is stored only on the last BD of a packet. When that\nBD completes, use skb->len for the byte count instead of summing\nper-BD status lengths. This matches netdev_sent_queue(), which debits\nskb->len, and naturally survives across polls because no partial\npacket contributes to the accumulator.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43031"
        },
        {
          "id": "CVE-2026-43032",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: pn533: bound the UART receive buffer\n\npn532_receive_buf() appends every incoming byte to dev->recv_skb and\nonly resets the buffer after pn532_uart_rx_is_frame() recognizes a\ncomplete frame. A continuous stream of bytes without a valid PN532 frame\nheader therefore keeps growing the skb until skb_put_u8() hits the tail\nlimit.\n\nDrop the accumulated partial frame once the fixed receive buffer is full\nso malformed UART traffic cannot grow the skb past\nPN532_UART_SKB_BUFF_LEN.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43032"
        },
        {
          "id": "CVE-2026-43033",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43033"
        },
        {
          "id": "CVE-2026-43034",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: set backing store type from query type\n\nbnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the\nfirmware response in ctxm->type and later uses that value to index\nfixed backing-store metadata arrays such as ctx_arr[] and\nbnxt_bstore_to_trace[].\n\nctxm->type is fixed by the current backing-store query type and matches\nthe array index of ctx->ctx_arr. Set ctxm->type from the current loop\nvariable instead of depending on resp->type.\n\nAlso update the loop to advance type from next_valid_type in the for\nstatement, which keeps the control flow simpler for non-valid and\nunchanged entries.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43034"
        },
        {
          "id": "CVE-2026-43035",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43035"
        },
        {
          "id": "CVE-2026-43036",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use skb_header_pointer() for TCPv4 GSO frag_off check\n\nSyzbot reported a KMSAN uninit-value warning in gso_features_check()\ncalled from netif_skb_features() [1].\n\ngso_features_check() reads iph->frag_off to decide whether to clear\nmangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()\ncan rely on skb header offsets that are not always safe for direct\ndereference on packets injected from PF_PACKET paths.\n\nUse skb_header_pointer() for the TCPv4 frag_off check so the header read\nis robust whether data is already linear or needs copying.\n\n[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43036"
        },
        {
          "id": "CVE-2026-43037",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2->cb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt->__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2->cb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl >= 5).",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43037"
        },
        {
          "id": "CVE-2026-43038",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n  where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n  and passed to icmp6_send(), it uses IP6CB(skb2).\n\n  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n  offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n  at offset 18.\n\n  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n  would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n  and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).\n\n  This would scan the inner, attacker-controlled IPv6 packet starting at that\n  offset, potentially returning a fake TLV without checking if the remaining\n  packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n  of the packet data into skb_shared_info?\n\n  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n  ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43038"
        },
        {
          "id": "CVE-2026-43039",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch\n\nemac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but\nnever copies the packet data from the XDP buffer into it. The skb is\npassed up the stack containing uninitialized heap memory instead of\nthe actual received packet, leaking kernel heap contents to userspace.\n\nCopy the received packet data from the XDP buffer into the skb using\nskb_copy_to_linear_data().\n\nAdditionally, remove the skb_mark_for_recycle() call since the skb is\nbacked by the NAPI page frag allocator, not page_pool. Marking a\nnon-page_pool skb for recycle causes the free path to return pages to\na page_pool that does not own them, corrupting page_pool state.\n\nThe non-ZC path (emac_rx_packet) does not have these issues because it\nuses napi_build_skb() to wrap the existing page_pool page directly,\nrequiring no copy, and correctly marks for recycle since the page comes\nfrom page_pool_dev_alloc_pages().",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43039",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43040",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak\n\nWhen processing Router Advertisements with user options the kernel\nbuilds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct\nhas three padding fields that are never zeroed and can leak kernel data.\n\nThe fix is simple: just zero the padding fields.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43040"
        },
        {
          "id": "CVE-2026-43041",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak\n\n__radix_tree_create() allocates and links intermediate nodes into the\ntree one by one. If a subsequent allocation fails, the already-linked\nnodes remain in the tree with no corresponding leaf entry. These orphaned\ninternal nodes are never reclaimed because radix_tree_for_each_slot()\nonly visits slots containing leaf values.\n\nThe radix_tree API is deprecated in favor of xarray. As suggested by\nMatthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead\nof fixing the radix_tree itself [1]. xarray properly handles cleanup of\ninternal nodes \u2014 xa_destroy() frees all internal xarray nodes when the\nqrtr_node is released, preventing the leak.\n\n[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43041"
        },
        {
          "id": "CVE-2026-43042",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: add seqcount to protect the platform_label{,s} pair\n\nThe RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have\nan inconsistent view of platform_labels vs platform_label in case of a\nconcurrent resize (resize_platform_label_table, under\nplatform_mutex). This can lead to OOB accesses.\n\nThis patch adds a seqcount, so that we get a consistent snapshot.\n\nNote that mpls_label_ok is also susceptible to this, so the check\nagainst RTA_DST in rtm_to_route_config, done outside platform_mutex,\nis not sufficient. This value gets passed to mpls_label_ok once more\nin both mpls_route_add and mpls_route_del, so there is no issue, but\nthat additional check must not be removed.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43042"
        },
        {
          "id": "CVE-2026-43043",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af-alg - fix NULL pointer dereference in scatterwalk\n\nThe AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)\nwhen chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL\nexactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent\nsendmsg() allocates a new SGL and chains it, but fails to clear the end\nmarker on the previous SGL's last data entry.\n\nThis causes the crypto scatterwalk to hit a premature end, returning NULL\non sg_next() and leading to a kernel panic during dereference.\n\nFix this by explicitly unmarking the end of the previous SGL when\nperforming sg_chain() in af_alg_alloc_tsgl().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43043"
        },
        {
          "id": "CVE-2026-43044",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - fix DMA corruption on long hmac keys\n\nWhen a key longer than block size is supplied, it is copied and then\nhashed into the real key.  The memory allocated for the copy needs to\nbe rounded to DMA cache alignment, as otherwise the hashed key may\ncorrupt neighbouring memory.\n\nThe rounding was performed, but never actually used for the allocation.\nFix this by replacing kmemdup with kmalloc for a larger buffer,\nfollowed by memcpy.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43044"
        },
        {
          "id": "CVE-2026-43045",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix error handling in mshv_region_pin\n\nThe current error handling has two issues:\n\nFirst, pin_user_pages_fast() can return a short pin count (less than\nrequested but greater than zero) when it cannot pin all requested pages.\nThis is treated as success, leading to partially pinned regions being\nused, which causes memory corruption.\n\nSecond, when an error occurs mid-loop, already pinned pages from the\ncurrent batch are not properly accounted for before calling\nmshv_region_invalidate_pages(), causing a page reference leak.\n\nTreat short pins as errors and fix partial batch accounting before\ncleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43045"
        },
        {
          "id": "CVE-2026-43046",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject root items with drop_progress and zero drop_level\n\n[BUG]\nWhen recovering relocation at mount time, merge_reloc_root() and\nbtrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against\nan impossible state: a non-zero drop_progress combined with a zero\ndrop_level in a root_item, which can be triggered:\n\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/relocation.c:1545!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2\nRIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545\nCode: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000\nCall Trace:\n merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861\n btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195\n btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130\n open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640\n btrfs_fill_super fs/btrfs/super.c:987 [inline]\n btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]\n btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128\n vfs_get_tree+0x9a/0x370 fs/super.c:1758\n fc_mount fs/namespace.c:1199 [inline]\n do_new_mount_fc fs/namespace.c:3642 [inline]\n do_new_mount fs/namespace.c:3718 [inline]\n path_mount+0x5b8/0x1ea0 fs/namespace.c:4028\n do_mount fs/namespace.c:4041 [inline]\n __do_sys_mount fs/namespace.c:4229 [inline]\n __se_sys_mount fs/namespace.c:4206 [inline]\n __x64_sys_mount+0x282/0x320 fs/namespace.c:4206\n ...\nRIP: 0033:0x7f969c9a8fde\nCode: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f\n---[ end trace 0000000000000000 ]---\n\nThe bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic\nmetadata fuzzing tool that corrupts btrfs metadata at runtime.\n\n[CAUSE]\nA non-zero drop_progress.objectid means an interrupted\nbtrfs_drop_snapshot() left a resume point on disk, and in that case\ndrop_level must be greater than 0 because the checkpoint is only\nsaved at internal node levels.\n\nAlthough this invariant is enforced when the kernel writes the root\nitem, it is not validated when the root item is read back from disk.\nThat allows on-disk corruption to provide an invalid state with\ndrop_progress.objectid != 0 and drop_level == 0.\n\nWhen relocation recovery later processes such a root item,\nmerge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The\nsame invalid metadata can also trigger the corresponding BUG_ON() in\nbtrfs_drop_snapshot().\n\n[FIX]\nFix this by validating the root_item invariant in tree-checker when\nreading root items from disk: if drop_progress.objectid is non-zero,\ndrop_level must also be non-zero. Reject such malformed metadata with\n-EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot()\nand triggers the BUG_ON.\n\nAfter the fix, the same corruption is correctly rejected by tree-checker\nand the BUG_ON is no longer triggered.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43046"
        },
        {
          "id": "CVE-2026-43047",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Check to ensure report responses match the request\n\nIt is possible for a malicious (or clumsy) device to respond to a\nspecific report's feature request using a completely different report\nID.  This can cause confusion in the HID core resulting in nasty\nside-effects such as OOB writes.\n\nAdd a check to ensure that the report ID in the response, matches the\none that was requested.  If it doesn't, omit reporting the raw event and\nreturn early.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43047"
        },
        {
          "id": "CVE-2026-43048",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Mitigate potential OOB by removing bogus memset()\n\nThe memset() in hid_report_raw_event() has the good intention of\nclearing out bogus data by zeroing the area from the end of the incoming\ndata string to the assumed end of the buffer.  However, as we have\npreviously seen, doing so can easily result in OOB reads and writes in\nthe subsequent thread of execution.\n\nThe current suggestion from one of the HID maintainers is to remove the\nmemset() and simply return if the incoming event buffer size is not\nlarge enough to fill the associated report.\n\nSuggested-by: Benjamin Tissoires <bentiss@kernel.org>\n\n[bentiss: changed the return value]",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43048"
        },
        {
          "id": "CVE-2026-43049",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure\n\nPresently, if the force feedback initialisation fails when probing the\nLogitech G920 Driving Force Racing Wheel for Xbox One, an error number\nwill be returned and propagated before the userspace infrastructure\n(sysfs and /dev/input) has been torn down.  If userspace ignores the\nerrors and continues to use its references to these dangling entities, a\nUAF will promptly follow.\n\nWe have 2 options; continue to return the error, but ensure that all of\nthe infrastructure is torn down accordingly or continue to treat this\ncondition as a warning by emitting the message but returning success.\nIt is thought that the original author's intention was to emit the\nwarning but keep the device functional, less the force feedback feature,\nso let's go with that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43049"
        },
        {
          "id": "CVE-2026-43050",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv->lecd\nto NULL and concurrent access to priv->lecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket's wait queue.\n\nThe root cause is that lec_atm_close() clears priv->lecd without\nany synchronization, while callers dereference priv->lecd without\nany protection against concurrent teardown.\n\nFix this by converting priv->lecd to an RCU-protected pointer:\n- Mark priv->lecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n  for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n  the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n  lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n  lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n  lec_atm_close() to ensure all readers have completed before\n  proceeding. This is safe since lec_atm_close() is called from\n  vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n  since vcc_destroy_socket() already drains it after lec_atm_close()\n  returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n    fix the race. The v1 spinlock approach had two issues pointed out\n    by Eric Dumazet:\n    1. priv->lecd was still accessed directly after releasing the\n       lock instead of using a local copy.\n    2. The spinlock did not prevent packets being queued after\n       lec_atm_close() drains sk_receive_queue since timer and\n       workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n    unexpectedly with \"Connection to localhost closed by remote host\",\n    likely due to a QEMU AHCI emulation issue unrelated to this fix.\n    Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly.",
          "scorev2": "0.0",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43050"
        },
        {
          "id": "CVE-2026-43051",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43051"
        },
        {
          "id": "CVE-2026-43052",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\nWhen NL80211_TDLS_ENABLE_LINK is called, the code only checks if the\nstation exists but not whether it is actually a TDLS station. This\nallows the operation to proceed for non-TDLS stations, causing\nunintended side effects like modifying channel context and HT\nprotection before failing.\n\nAdd a check for sta->sta.tdls early in the ENABLE_LINK case, before\nany side effects occur, to ensure the operation is only allowed for\nactual TDLS peers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43052"
        },
        {
          "id": "CVE-2026-43053",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: close crash window in attr dabtree inactivation\n\nWhen inactivating an inode with node-format extended attributes,\nxfs_attr3_node_inactive() invalidates all child leaf/node blocks via\nxfs_trans_binval(), but intentionally does not remove the corresponding\nentries from their parent node blocks.  The implicit assumption is that\nxfs_attr_inactive() will truncate the entire attr fork to zero extents\nafterwards, so log recovery will never reach the root node and follow\nthose stale pointers.\n\nHowever, if a log shutdown occurs after the leaf/node block cancellations\ncommit but before the attr bmap truncation commits, this assumption\nbreaks.  Recovery replays the attr bmap intact (the inode still has\nattr fork extents), but suppresses replay of all cancelled leaf/node\nblocks, maybe leaving them as stale data on disk.  On the next mount,\nxlog_recover_process_iunlinks() retries inactivation and attempts to\nread the root node via the attr bmap. If the root node was not replayed,\nreading the unreplayed root block triggers a metadata verification\nfailure immediately; if it was replayed, following its child pointers\nto unreplayed child blocks triggers the same failure:\n\n XFS (pmem0): Metadata corruption detected at\n xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78\n XFS (pmem0): Unmount and run xfs_repair\n XFS (pmem0): First 128 bytes of corrupted metadata buffer:\n 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n XFS (pmem0): metadata I/O error in \"xfs_da_read_buf+0x104/0x190\" at daddr 0x78 len 8 error 117\n\nFix this in two places:\n\nIn xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a\nchild block, immediately remove the entry that references it from the\nparent node in the same transaction.  This eliminates the window where\nthe parent holds a pointer to a cancelled block.  Once all children are\nremoved, the now-empty root node is converted to a leaf block within the\nsame transaction. This node-to-leaf conversion is necessary for crash\nsafety. If the system shuts down after the empty node is written to the\nlog but before the second-phase bmap truncation commits, log recovery\nwill attempt to verify the root block on disk. xfs_da3_node_verify()\ndoes not permit a node block with count == 0; such a block will fail\nverification and trigger a metadata corruption shutdown. On the other\nhand, leaf blocks are allowed to have this transient state.\n\nIn xfs_attr_inactive(), split the attr fork truncation into two explicit\nphases.  First, truncate all extents beyond the root block (the child\nextents whose parent references have already been removed above).\nSecond, invalidate the root block and truncate the attr bmap to zero in\na single transaction.  The two operations in the second phase must be\natomic: as long as the attr bmap has any non-zero length, recovery can\nfollow it to the root block, so the root block invalidation must commit\ntogether with the bmap-to-zero truncation.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43053"
        },
        {
          "id": "CVE-2026-43054",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Drain commands in target_reset handler\n\ntcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS\nwithout draining any in-flight commands.  The SCSI EH documentation\n(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver\nhas made lower layers \"forget about timed out scmds\" and is ready for new\ncommands.  Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,\nmpi3mr) enforces this by draining or completing outstanding commands before\nreturning SUCCESS.\n\nBecause tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight\nscsi_cmnd structures for recovery commands (e.g. TUR) while the target core\nstill has async completion work queued for the old se_cmd.  The memset in\nqueuecommand zeroes se_lun and lun_ref_active, causing\ntransport_lun_remove_cmd() to skip its percpu_ref_put().  The leaked LUN\nreference prevents transport_clear_lun_ref() from completing, hanging\nconfigfs LUN unlink forever in D-state:\n\n  INFO: task rm:264 blocked for more than 122 seconds.\n  rm              D    0   264    258 0x00004000\n  Call Trace:\n   __schedule+0x3d0/0x8e0\n   schedule+0x36/0xf0\n   transport_clear_lun_ref+0x78/0x90 [target_core_mod]\n   core_tpg_remove_lun+0x28/0xb0 [target_core_mod]\n   target_fabric_port_unlink+0x50/0x60 [target_core_mod]\n   configfs_unlink+0x156/0x1f0 [configfs]\n   vfs_unlink+0x109/0x290\n   do_unlinkat+0x1d5/0x2d0\n\nFix this by making tcm_loop_target_reset() actually drain commands:\n\n 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that\n    the target core knows about (those not yet CMD_T_COMPLETE).\n\n 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and\n    flush_work() on each se_cmd \u2014 this drains any deferred completion work\n    for commands that already had CMD_T_COMPLETE set before the TMR (which\n    the TMR skips via __target_check_io_state()).  This is the same pattern\n    used by mpi3mr, scsi_debug, and libsas to drain outstanding commands\n    during reset.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43054"
        },
        {
          "id": "CVE-2026-43055",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: file: Use kzalloc_flex for aio_cmd\n\nThe target_core_file doesn't initialize the aio_cmd->iocb for the\nki_write_stream. When a write command fd_execute_rw_aio() is executed,\nwe may get a bogus ki_write_stream value, causing unintended write\nfailure status when checking iocb->ki_write_stream > max_write_streams\nin the block device.\n\nLet's just use kzalloc_flex when allocating the aio_cmd and let\nki_write_stream=0 to fix this issue.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43055"
        },
        {
          "id": "CVE-2026-43056",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in add_adev() error path\n\nIf auxiliary_device_add() fails, add_adev() jumps to add_fail and calls\nauxiliary_device_uninit(adev).\n\nThe auxiliary device has its release callback set to adev_release(),\nwhich frees the containing struct mana_adev. Since adev is embedded in\nstruct mana_adev, the subsequent fall-through to init_fail and access\nto adev->id may result in a use-after-free.\n\nFix this by saving the allocated auxiliary device id in a local\nvariable before calling auxiliary_device_add(), and use that saved id\nin the cleanup path after auxiliary_device_uninit().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43056"
        },
        {
          "id": "CVE-2026-43057",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: correctly handle tunneled traffic on IPV6_CSUM GSO fallback\n\nNETIF_F_IPV6_CSUM only advertises support for checksum offload of\npackets without IPv6 extension headers. Packets with extension\nheaders must fall back onto software checksumming. Since TSO\ndepends on checksum offload, those must revert to GSO.\n\nThe below commit introduces that fallback. It always checks\nnetwork header length. For tunneled packets, the inner header length\nmust be checked instead. Extend the check accordingly.\n\nA special case is tunneled packets without inner IP protocol. Such as\nRFC 6951 SCTP in UDP. Those are not standard IPv6 followed by\ntransport header either, so also must revert to the software GSO path.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43057"
        },
        {
          "id": "CVE-2026-43058",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix pass-by-value structs causing MSAN warnings\n\nvidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their\nargument structs by value, causing MSAN to report uninit-value warnings.\nWhile only vidtv_ts_null_write_into() has triggered a report so far,\nboth functions share the same issue.\n\nFix by passing both structs by const pointer instead, avoiding the\nstack copy of the struct along with its MSAN shadow and origin metadata.\nThe functions do not modify the structs, which is enforced by the const\nqualifier.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43058"
        },
        {
          "id": "CVE-2026-43059",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd->opcode directly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43059"
        },
        {
          "id": "CVE-2026-43060",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: drop pending enqueued packets on removal\n\nPackets sitting in nfqueue might hold a reference to:\n\n- templates that specify the conntrack zone, because a percpu area is\n  used and module removal is possible.\n- conntrack timeout policies and helper, where object removal leave\n  a stale reference.\n\nSince these objects can just go away, drop enqueued packets to avoid\nstale reference to them.\n\nIf there is a need for finer grain removal, this logic can be revisited\nto make selective packet drop upon dependencies.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43060"
        },
        {
          "id": "CVE-2026-43061",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix TX deadlock when using DMA\n\n`dmaengine_terminate_async` does not guarantee that the\n`__dma_tx_complete` callback will run. The callback is currently the\nonly place where `dma->tx_running` gets cleared. If the transaction is\ncanceled and the callback never runs, then `dma->tx_running` will never\nget cleared and we will never schedule new TX DMA transactions again.\n\nThis change makes it so we clear `dma->tx_running` after we terminate\nthe DMA transaction. This is \"safe\" because `serial8250_tx_dma_flush`\nis holding the UART port lock. The first thing the callback does is also\ngrab the UART port lock, so access to `dma->tx_running` is serialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43061"
        },
        {
          "id": "CVE-2026-43062",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()\n\nl2cap_ecred_reconf_rsp() casts the incoming data to struct\nl2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with\nresult at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes\nwith result at offset 0).\n\nThis causes two problems:\n\n - The sizeof(*rsp) length check requires 8 bytes instead of the\n   correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected\n   with -EPROTO.\n\n - rsp->result reads from offset 6 instead of offset 0, returning\n   wrong data when the packet is large enough to pass the check.\n\nFix by using the correct type.  Also pass the already byte-swapped\nresult variable to BT_DBG instead of the raw __le16 field.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43062"
        },
        {
          "id": "CVE-2026-43063",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't irele after failing to iget in xfs_attri_recover_work\n\nxlog_recovery_iget* never set @ip to a valid pointer if they return\nan error, so this irele will walk off a dangling pointer.  Fix that.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43063"
        },
        {
          "id": "CVE-2026-43064",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix not releasing workqueue on .release()\n\nThe workqueue associated with an DSA/IAA device is not released when\nthe object is freed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43064"
        },
        {
          "id": "CVE-2026-43065",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: always drain queued discard work in ext4_mb_release()\n\nWhile reviewing recent ext4 patch[1], Sashiko raised the following\nconcern[2]:\n\n> If the filesystem is initially mounted with the discard option,\n> deleting files will populate sbi->s_discard_list and queue\n> s_discard_work. If it is then remounted with nodiscard, the\n> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is\n> neither cancelled nor flushed.\n\n[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/\n[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev\n\nThe concern was valid, but it had nothing to do with the patch[1].\nOne of the problems with Sashiko in its current (early) form is that\nit will detect pre-existing issues and report it as a problem with the\npatch that it is reviewing.\n\nIn practice, it would be hard to hit deliberately (unless you are a\nmalicious syzkaller fuzzer), since it would involve mounting the file\nsystem with -o discard, and then deleting a large number of files,\nremounting the file system with -o nodiscard, and then immediately\nunmounting the file system before the queued discard work has a change\nto drain on its own.\n\nFix it because it's a real bug, and to avoid Sashiko from raising this\nconcern when analyzing future patches to mballoc.c.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43065"
        },
        {
          "id": "CVE-2026-43066",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix iloc.bh leak in ext4_fc_replay_inode() error paths\n\nDuring code review, Joseph found that ext4_fc_replay_inode() calls\next4_get_fc_inode_loc() to get the inode location, which holds a\nreference to iloc.bh that must be released via brelse().\n\nHowever, several error paths jump to the 'out' label without\nreleasing iloc.bh:\n\n - ext4_handle_dirty_metadata() failure\n - sync_dirty_buffer() failure\n - ext4_mark_inode_used() failure\n - ext4_iget() failure\n\nFix this by introducing an 'out_brelse' label placed just before\nthe existing 'out' label to ensure iloc.bh is always released.\n\nAdditionally, make ext4_fc_replay_inode() propagate errors\nproperly instead of always returning 0.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43066"
        },
        {
          "id": "CVE-2026-43067",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups().",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43067"
        },
        {
          "id": "CVE-2026-43068",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()\n\nThere's issue as follows:\n...\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117\nEXT4-fs (mmcblk0p1): This should not happen!! Data will be lost\n\nEXT4-fs (mmcblk0p1): error count since last fsck: 1\nEXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760\nEXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760\n...\n\nAccording to the log analysis, blocks are always requested from the\ncorrupted block group. This may happen as follows:\next4_mb_find_by_goal\n  ext4_mb_load_buddy\n   ext4_mb_load_buddy_gfp\n     ext4_mb_init_cache\n      ext4_read_block_bitmap_nowait\n      ext4_wait_block_bitmap\n       ext4_validate_block_bitmap\n        if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))\n         return -EFSCORRUPTED; // There's no logs.\n if (err)\n  return err;  // Will return error\next4_lock_group(ac->ac_sb, group);\n  if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable\n   goto out;\n\nAfter commit 9008a58e5dce (\"ext4: make the bitmap read routines return\nreal error codes\") merged, Commit 163a203ddb36 (\"ext4: mark block group\nas corrupt on block bitmap error\") is no real solution for allocating\nblocks from corrupted block groups. This is because if\n'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then\n'ext4_mb_load_buddy()' may return an error. This means that the block\nallocation will fail.\nTherefore, check block group if corrupted when ext4_mb_load_buddy()\nreturns error.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43068"
        },
        {
          "id": "CVE-2026-43069",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_ll: Fix firmware leak on error path\n\nSmatch reports:\n\ndrivers/bluetooth/hci_ll.c:587 download_firmware() warn:\n'fw' from request_firmware() not released on lines: 544.\n\nIn download_firmware(), if request_firmware() succeeds but the returned\nfirmware content is invalid (no data or zero size), the function returns\nwithout releasing the firmware, resulting in a resource leak.\n\nFix this by calling release_firmware() before returning when\nrequest_firmware() succeeded but the firmware content is invalid.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43069"
        },
        {
          "id": "CVE-2026-43070",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reset register ID for BPF_END value tracking\n\nWhen a register undergoes a BPF_END (byte swap) operation, its scalar\nvalue is mutated in-place. If this register previously shared a scalar ID\nwith another register (e.g., after an `r1 = r0` assignment), this tie must\nbe broken.\n\nCurrently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END.\nConsequently, if a conditional jump checks the swapped register, the\nverifier incorrectly propagates the learned bounds to the linked register,\nleading to false confidence in the linked register's value and potentially\nallowing out-of-bounds memory accesses.\n\nFix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case\nto break the scalar tie, similar to how BPF_NEG handles it via\n`__mark_reg_known`.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43070",
          "detail": "fixed-version",
          "description": "only affects 6.18.17 onwards"
        },
        {
          "id": "CVE-2026-43071",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n  BUG: unable to handle page fault for address: ffff888b30b774b0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Oops: Oops: 0000 [#1] SMP PTI\n  RIP: 0010:__d_lookup+0x56/0x120\n   Call Trace:\n    d_lookup.cold+0x16/0x5d\n    lookup_dcache+0x27/0xf0\n    lookup_one_qstr_excl+0x2a/0x180\n    start_dirop+0x55/0xa0\n    simple_start_creating+0x8d/0xa0\n    debugfs_start_creating+0x8c/0x180\n    debugfs_create_dir+0x1d/0x1c0\n    pinctrl_init+0x6d/0x140\n    do_one_initcall+0x6d/0x3d0\n    kernel_init_freeable+0x39f/0x460\n    kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n  b = d_hash(hash)\n    dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n    // The C standard defines the behavior of right shift amounts\n    // exceeding the bit width of the operand as undefined. The\n    // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n    // so 'b' will point to an unallocated memory region.\n  hlist_bl_for_each_entry_rcu(b)\n   hlist_bl_first_rcu(head)\n    h->first  // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43071"
        },
        {
          "id": "CVE-2026-43072",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: platform_get_irq_byname() returns an int\n\nplatform_get_irq_byname() will return a negative value if an error\nhappens, so it should be checked and not just passed directly into\ndevm_request_threaded_irq() hoping all will be ok.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43072"
        },
        {
          "id": "CVE-2026-43073",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named '__copy_user_nocache()' function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43073"
        },
        {
          "id": "CVE-2026-43074",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: defer struct eventpoll free to RCU grace period\n\nIn certain situations, ep_free() in eventpoll.c will kfree the epi->ep\neventpoll struct while it still being used by another concurrent thread.\nDefer the kfree() to an RCU callback to prevent UAF.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43074"
        },
        {
          "id": "CVE-2026-43075",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix out-of-bounds write in ocfs2_write_end_inline\n\nKASAN reports a use-after-free write of 4086 bytes in\nocfs2_write_end_inline, called from ocfs2_write_end_nolock during a\ncopy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on\na loop device.  The actual bug is an out-of-bounds write past the inode\nblock buffer, not a true use-after-free.  The write overflows into an\nadjacent freed page, which KASAN reports as UAF.\n\nThe root cause is that ocfs2_try_to_write_inline_data trusts the on-disk\nid_count field to determine whether a write fits in inline data.  On a\ncorrupted filesystem, id_count can exceed the physical maximum inline data\ncapacity, causing writes to overflow the inode block buffer.\n\nCall trace (crash path):\n\n   vfs_copy_file_range (fs/read_write.c:1634)\n     do_splice_direct\n       splice_direct_to_actor\n         iter_file_splice_write\n           ocfs2_file_write_iter\n             generic_perform_write\n               ocfs2_write_end\n                 ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)\n                   ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)\n                     memcpy_from_folio     <-- KASAN: write OOB\n\nSo add id_count upper bound check in ocfs2_validate_inode_block() to\nalongside the existing i_size check to fix it.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43075"
        },
        {
          "id": "CVE-2026-43076",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data.  If\nthe filesystem is corrupted, an inode's i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n  - i_size was 1099511627576 bytes (~1TB)\n  - Actual inline data capacity (id_count) is typically <256 bytes\n  - A garbage rec_len (54648) caused ctx->pos to jump out of bounds\n  - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size <= id_count.  This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43076"
        },
        {
          "id": "CVE-2026-43077",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Fix minimum RX size check for decryption\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption.  Fix this by adding the\nrequired extra length.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43077"
        },
        {
          "id": "CVE-2026-43078",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl\n\nWhen page reassignment was added to af_alg_pull_tsgl the original\nloop wasn't updated so it may try to reassign one more page than\nnecessary.\n\nAdd the check to the reassignment so that this does not happen.\n\nAlso update the comment which still refers to the obsolete offset\nargument.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43078"
        },
        {
          "id": "CVE-2026-43079",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Skip discovery table for offline dies\n\nThis warning can be triggered if NUMA is disabled and the system\nboots with fewer CPUs than the number of CPUs in die 0.\n\nWARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]\n\nCurrently, the discovery table continues to be parsed even if all CPUs\nin the associated die are offline.  This can lead to an array overflow\nat \"pmu->boxes[die] = box\" in uncore_pci_pmu_register(), which may\ntrigger the warning above or cause other issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43079"
        },
        {
          "id": "CVE-2026-43080",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Drop large packets with UDP encap\n\nsyzbot reported a WARN on my patch series [1]. The actual issue is an\noverflow of 16-bit UDP length field, and it exists in the upstream code.\nMy series added a debug WARN with an overflow check that exposed the\nissue, that's why syzbot tripped on my patches, rather than on upstream\ncode.\n\nsyzbot's repro:\n\nr0 = socket$pppl2tp(0x18, 0x1, 0x1)\nr1 = socket$inet6_udp(0xa, 0x2, 0x0)\nconnect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)\nconnect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\\x00', '\\xff\\xff', @empty}}}}, 0x32)\nwritev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)=\"ee\", 0x34000}], 0x1)\n\nIt basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP\nencapsulation, and l2tp_xmit_core doesn't check for overflows when it\nassigns the UDP length field. The value gets trimmed to 16 bits.\n\nAdd an overflow check that drops oversized packets and avoids sending\npackets with trimmed UDP length to the wire.\n\nsyzbot's stack trace (with my patch applied):\n\nlen >= 65536u\nWARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957\nWARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957\nWARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957\nModules linked in:\nCPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]\nRIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]\nRIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327\nCode: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f\nRSP: 0018:ffffc90003d67878 EFLAGS: 00010293\nRAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000\nRDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff\nRBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004\nR10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900\nR13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000\nFS:  000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x503/0x550 net/socket.c:1195\n do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1\n vfs_writev+0x33c/0x990 fs/read_write.c:1059\n do_writev+0x154/0x2e0 fs/read_write.c:1105\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f636479c629\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629\nRDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0\n </TASK>\n\n[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43080"
        },
        {
          "id": "CVE-2026-43081",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipa: fix GENERIC_CMD register field masks for IPA v5.0+\n\nFix the field masks to match the hardware layout documented in\ndownstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).\n\nNotably this fixes a WARN I was seeing when I tried to send \"stop\"\nto the MPSS remoteproc while IPA was up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43081"
        },
        {
          "id": "CVE-2026-43082",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: leave space for null terminators on property_entry\n\nLists of struct property_entry are supposed to be terminated with an\nempty property, this driver currently seems to be allocating exactly the\nnumber of entries used.\n\nChange the struct definition to leave an extra element for all\nproperty_entry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43082"
        },
        {
          "id": "CVE-2026-43083",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ioam6: fix OOB and missing lock\n\nWhen trace->type.bit6 is set:\n\n    if (trace->type.bit6) {\n        ...\n        queue = skb_get_tx_queue(dev, skb);\n        qdisc = rcu_dereference(queue->qdisc);\n\nThis code can lead to an out-of-bounds access of the dev->_tx[] array\nwhen is_input is true. In such a case, the packet is on the RX path and\nskb->queue_mapping contains the RX queue index of the ingress device. If\nthe ingress device has more RX queues than the egress device (dev) has\nTX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.\nAdd a check to avoid this situation since skb_get_tx_queue() does not\nclamp the index. This issue has also revealed that per queue visibility\ncannot be accurate and will be replaced later as a new feature.\n\nWhile at it, add missing lock around qdisc_qstats_qlen_backlog(). The\nfunction __ioam6_fill_trace_data() is called from both softirq and\nprocess contexts, hence the use of spin_lock_bh() here.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43083"
        },
        {
          "id": "CVE-2026-43084",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: make hash table per queue\n\nSharing a global hash table among all queues is tempting, but\nit can cause crash:\n\nBUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n[..]\n nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n nfnetlink_rcv_msg+0x46a/0x930\n kmem_cache_alloc_node_noprof+0x11e/0x450\n\nstruct nf_queue_entry is freed via kfree, but parallel cpu can still\nencounter such an nf_queue_entry when walking the list.\n\nAlternative fix is to free the nf_queue_entry via kfree_rcu() instead,\nbut as we have to alloc/free for each skb this will cause more mem\npressure.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43084"
        },
        {
          "id": "CVE-2026-43085",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator\n\nWhen batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()\nappends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via\nnlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()\nhelper only zeroes alignment padding after the payload, not the payload\nitself, so four bytes of stale kernel heap data are leaked to userspace\nin the NLMSG_DONE message body.\n\nUse nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes\nthe nfgenmsg payload via nfnl_fill_hdr(), consistent with how\n__build_packet_message() already constructs NFULNL_MSG_PACKET headers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43085"
        },
        {
          "id": "CVE-2026-43086",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix NULL deref in ip_vs_add_service error path\n\nWhen ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local\nvariable sched is set to NULL.  If ip_vs_start_estimator() subsequently\nfails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)\nwith sched == NULL.  ip_vs_unbind_scheduler() passes the cur_sched NULL\ncheck (because svc->scheduler was set by the successful bind) but then\ndereferences the NULL sched parameter at sched->done_service, causing a\nkernel panic at offset 0x30 from NULL.\n\n Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)\n Call Trace:\n  <TASK>\n  ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)\n  do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)\n  nf_setsockopt (net/netfilter/nf_sockopt.c:102)\n  [..]\n\nFix by simply not clearing the local sched variable after a successful\nbind.  ip_vs_unbind_scheduler() already detects whether a scheduler is\ninstalled via svc->scheduler, and keeping sched non-NULL ensures the\nerror path passes the correct pointer to both ip_vs_unbind_scheduler()\nand ip_vs_scheduler_put().\n\nWhile the bug is older, the problem pops up in more recent kernels (6.2),\nwhen the new error path is taken after the ip_vs_start_estimator() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43086"
        },
        {
          "id": "CVE-2026-43087",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Disable all pin interrupts during probe\n\nA chip being probed may have the interrupt-on-change feature enabled on\nsome of its pins, for example after a reboot. This can cause the chip to\ngenerate interrupts for pins that don't have a registered nested handler,\nwhich leads to a kernel crash such as below:\n\n[    7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac\n[    7.932314] Mem abort info:\n[    7.935081]   ESR = 0x0000000096000004\n[    7.938808]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    7.944094]   SET = 0, FnV = 0\n[    7.947127]   EA = 0, S1PTW = 0\n[    7.950247]   FSC = 0x04: level 0 translation fault\n[    7.955101] Data abort info:\n[    7.957961]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    7.963421]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    7.968447]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000\n[    7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000\n[    7.986913] Internal error: Oops: 0000000096000004 [#1]  SMP\n[    7.992545] Modules linked in:\n[    8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199\n[    8.073689] Hardware name: Khadas VIM3 (DT)\n[    8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    8.094639] pc : _raw_spin_lock_irq+0x40/0x80\n[    8.098970] lr : handle_nested_irq+0x2c/0x168\n[    8.098979] sp : ffff800082b2bd20\n[    8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88\n[    8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00\n[    8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e\n[    8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000\n[    8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[    8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000\n[    8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c\n[    8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00\n[    8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001\n[    8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac\n[    8.170560] Call trace:\n[    8.180094]  _raw_spin_lock_irq+0x40/0x80 (P)\n[    8.184443]  mcp23s08_irq+0x248/0x358\n[    8.184462]  irq_thread_fn+0x34/0xb8\n[    8.184470]  irq_thread+0x1a4/0x310\n[    8.195093]  kthread+0x13c/0x150\n[    8.198309]  ret_from_fork+0x10/0x20\n[    8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01)\n[    8.207931] ---[ end trace 0000000000000000 ]---\n\nThis issue has always been present, but has been latent until commit\n\"f9f4fda15e72\" (\"pinctrl: mcp23s08: init reg_defaults from HW at probe and\nswitch cache type\"), which correctly removed reg_defaults from the regmap\nand as a side effect changed the behavior of the interrupt handler so that\nthe real value of the MCP_GPINTEN register is now being read from the chip\ninstead of using a bogus 0 default value; a non-zero value for this\nregister can trigger the invocation of a nested handler which may not exist\n(yet).\nFix this issue by disabling all pin interrupts during initialization.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43087",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43088",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: af_key: zero aligned sockaddr tail in PF_KEY exports\n\nPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr\npayload space, so IPv6 addresses occupy 32 bytes on the wire. However,\n`pfkey_sockaddr_fill()` initializes only the first 28 bytes of\n`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.\n\nNot every PF_KEY message is affected. The state and policy dump builders\nalready zero the whole message buffer before filling the sockaddr\npayloads. Keep the fix to the export paths that still append aligned\nsockaddr payloads with plain `skb_put()`:\n\n  - `SADB_ACQUIRE`\n  - `SADB_X_NAT_T_NEW_MAPPING`\n  - `SADB_X_MIGRATE`\n\nFix those paths by clearing only the aligned sockaddr tail after\n`pfkey_sockaddr_fill()`.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43088"
        },
        {
          "id": "CVE-2026-43089",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_mapping()\n\nstruct xfrm_usersa_id has a one-byte padding hole after the proto\nfield, which ends up never getting set to zero before copying out to\nuserspace.  Fix that up by zeroing out the whole structure before\nsetting individual variables.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43089"
        },
        {
          "id": "CVE-2026-43090",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix refcount leak in xfrm_migrate_policy_find\n\nsyzkaller reported a memory leak in xfrm_policy_alloc:\n\n  BUG: memory leak\n  unreferenced object 0xffff888114d79000 (size 1024):\n    comm \"syz.1.17\", pid 931\n    ...\n    xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432\n\nThe root cause is a double call to xfrm_pol_hold_rcu() in\nxfrm_migrate_policy_find(). The lookup function already returns\na policy with held reference, making the second call redundant.\n\nRemove the redundant xfrm_pol_hold_rcu() call to fix the refcount\nimbalance and prevent the memory leak.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43090"
        },
        {
          "id": "CVE-2026-43091",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Wait for RCU readers during policy netns exit\n\nxfrm_policy_fini() frees the policy_bydst hash tables after flushing the\npolicy work items and deleting all policies, but it does not wait for\nconcurrent RCU readers to leave their read-side critical sections first.\n\nThe policy_bydst tables are published via rcu_assign_pointer() and are\nlooked up through rcu_dereference_check(), so netns teardown must also\nwait for an RCU grace period before freeing the table memory.\n\nFix this by adding synchronize_rcu() before freeing the policy hash tables.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43091"
        },
        {
          "id": "CVE-2026-43092",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate MTU against usable frame size on bind\n\nAF_XDP bind currently accepts zero-copy pool configurations without\nverifying that the device MTU fits into the usable frame space provided\nby the UMEM chunk.\n\nThis becomes a problem since we started to respect tailroom which is\nsubtracted from chunk_size (along with headroom). 2k chunk size might\nnot provide enough space for standard 1500 MTU, so let us catch such\nsettings at bind time. Furthermore, validate whether underlying HW will\nbe able to satisfy configured MTU wrt XSK's frame size multiplied by\nsupported Rx buffer chain length (that is exposed via\nnet_device::xdp_zc_max_segs).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43092"
        },
        {
          "id": "CVE-2026-43093",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: tighten UMEM headroom validation to account for tailroom and min frame\n\nThe current headroom validation in xdp_umem_reg() could leave us with\ninsufficient space dedicated to even receive minimum-sized ethernet\nframe. Furthermore if multi-buffer would come to play then\nskb_shared_info stored at the end of XSK frame would be corrupted.\n\nHW typically works with 128-aligned sizes so let us provide this value\nas bare minimum.\n\nMulti-buffer setting is known later in the configuration process so\nbesides accounting for 128 bytes, let us also take care of tailroom space\nupfront.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43093"
        },
        {
          "id": "CVE-2026-43094",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: add missing negotiate_features op to Hyper-V ops table\n\nCommit a7075f501bd3 (\"ixgbevf: fix mailbox API compatibility by\nnegotiating supported features\") added the .negotiate_features callback\nto ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot\nto add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL\non Hyper-V VMs.\n\nDuring probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),\nwhich unconditionally dereferences hw->mac.ops.negotiate_features().\nOn Hyper-V this results in a NULL pointer dereference:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  [...]\n  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]\n  Workqueue: events work_for_cpu_fn\n  RIP: 0010:0x0\n  [...]\n  Call Trace:\n   ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]\n   ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]\n   ixgbevf_probe+0x20f/0x4a0 [ixgbevf]\n   local_pci_probe+0x50/0xa0\n   work_for_cpu_fn+0x1a/0x30\n   [...]\n\nAdd ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and\nwire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP\ngracefully.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43094"
        },
        {
          "id": "CVE-2026-43095",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: Fix errors in IRQ cleanup\n\nIRQs are enabled through sdca_irq_populate() from component probe\nusing devm_request_threaded_irq(), this however means the IRQs can\npersist if the sound card is torn down. Some of the IRQ handlers\nstore references to the card and the kcontrols which can then\nfail. Some detail of the crash was explained in [1].\n\nGenerally it is not advised to use devm outside of bus probe, so\nthe code is updated to not use devm. The IRQ requests are not moved\nto bus probe time as it makes passing the snd_soc_component into\nthe IRQs very awkward and would then require a second step once the\ncomponent is available, so it is simpler to just register the IRQs\nat this point, even though that necessitates some manual cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43095"
        },
        {
          "id": "CVE-2026-43096",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix infinite fault loop on permission-denied GPA intercepts\n\nPrevent infinite fault loops when guests access memory regions without\nproper permissions. Currently, mshv_handle_gpa_intercept() attempts to\nremap pages for all faults on movable memory regions, regardless of\nwhether the access type is permitted. When a guest writes to a read-only\nregion, the remap succeeds but the region remains read-only, causing\nimmediate re-fault and spinning the vCPU indefinitely.\n\nValidate intercept access type against region permissions before\nattempting remaps. Reject writes to non-writable regions and executes to\nnon-executable regions early, returning false to let the VMM handle the\nintercept appropriately.\n\nThis also closes a potential DoS vector where malicious guests could\nintentionally trigger these fault loops to consume host resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43096",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43097",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: hv: Fix double ida_free in hv_pci_probe error path\n\nIf hv_pci_probe() fails after storing the domain number in\nhbus->bridge->domain_nr, there is a call to free this domain_nr via\npci_bus_release_emul_domain_nr(), however, during cleanup, the bridge\nrelease callback pci_release_host_bridge_dev() also frees the domain_nr\ncausing ida_free to be called on same ID twice and triggering following\nwarning:\n\n  ida_free called for id=28971 which is not allocated.\n  WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198\n  Call Trace:\n   pci_bus_release_emul_domain_nr+0x17/0x20\n   pci_release_host_bridge_dev+0x4b/0x60\n   device_release+0x3b/0xa0\n   kobject_put+0x8e/0x220\n   devm_pci_alloc_host_bridge_release+0xe/0x20\n   devres_release_all+0x9a/0xd0\n   device_unbind_cleanup+0x12/0xa0\n   really_probe+0x1c5/0x3f0\n   vmbus_add_channel_work+0x135/0x1a0\n\nFix this by letting pci core handle the free domain_nr and remove\nthe explicit free called in pci-hyperv driver.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43097",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43098",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: s3fwrn5: allocate rx skb before consuming bytes\n\ns3fwrn82_uart_read() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already\ndeliver a complete frame before allocating a fresh receive buffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43098"
        },
        {
          "id": "CVE-2026-43099",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: fix null-ptr-deref in icmp_build_probe()\n\nipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the\nIPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing\nthis error pointer to dev_hold() will cause a kernel crash with\nnull-ptr-deref.\n\nInstead, silently discard the request. RFC 8335 does not appear to\ndefine a specific response for the case where an IPv6 interface\nidentifier is syntactically valid but the implementation cannot perform\nthe lookup at runtime, and silently dropping the request may be safer than\nmisreporting \"No Such Interface\".",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43099"
        },
        {
          "id": "CVE-2026-43100",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: guard local VLAN-0 FDB helpers against NULL vlan group\n\nWhen CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and\nnbp_vlan_group() return NULL (br_private.h stub definitions). The\nBR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and\nreaches br_fdb_delete_locals_per_vlan_port() and\nbr_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer\nis dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).\n\nThe observed crash is in the delete path, triggered when creating a\nbridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0\nvia RTM_NEWLINK. The insert helper has the same bug pattern.\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]\n  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310\n  Call Trace:\n   br_fdb_toggle_local_vlan_0+0x452/0x4c0\n   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276\n   br_boolopt_toggle net/bridge/br.c:313\n   br_boolopt_multi_toggle net/bridge/br.c:364\n   br_changelink net/bridge/br_netlink.c:1542\n   br_dev_newlink net/bridge/br_netlink.c:1575\n\nAdd NULL checks for the vlan group pointer in both helpers, returning\nearly when there are no VLANs to iterate. This matches the existing\npattern used by other bridge FDB functions such as br_fdb_add() and\nbr_fdb_delete().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43100"
        },
        {
          "id": "CVE-2026-43101",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()\n\nWe need to check __in6_dev_get() for possible NULL value, as\nsuggested by Yiming Qian.\n\nAlso add skb_dst_dev_rcu() instead of skb_dst_dev(),\nand two missing READ_ONCE().\n\nNote that @dev can't be NULL.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43101"
        },
        {
          "id": "CVE-2026-43102",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Fix memory leak in airoha_qdma_rx_process()\n\nIf an error occurs on the subsequent buffers belonging to the\nnon-linear part of the skb (e.g. due to an error in the payload length\nreported by the NIC or if we consumed all the available fragments for\nthe skb), the page_pool fragment will not be linked to the skb so it will\nnot return to the pool in the airoha_qdma_rx_process() error path. Fix the\nmemory leak by partially reverting commit 'd6d2b0e1538d (\"net: airoha: Fix\npage recycling in airoha_qdma_rx_process()\")' and always running\npage_pool_put_full_page routine in the airoha_qdma_rx_process() error\npath.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43102"
        },
        {
          "id": "CVE-2026-43103",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: handle NETDEV_PRE_TYPE_CHANGE\n\nlapbeth_data_transmit() expects the underlying device type\nto be ARPHRD_ETHER.\n\nReturning NOTIFY_BAD from lapbeth_device_event() makes sure\nbonding driver can not break this expectation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43103"
        },
        {
          "id": "CVE-2026-43104",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix a memory leak in hang state error path\n\nWhen vc4_save_hang_state() encounters an early return condition, it\nreturns without freeing the previously allocated `kernel_state`,\nleaking memory.\n\nAdd the missing kfree() calls by consolidating the early return paths\ninto a single place.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43104"
        },
        {
          "id": "CVE-2026-43105",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix memory leak of BO array in hang state\n\nThe hang state's BO array is allocated separately with kzalloc() in\nvc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the\nmissing kfree() for the BO array before freeing the hang state struct.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43105"
        },
        {
          "id": "CVE-2026-43106",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix incorrect dentry refcount in cachefiles_cull()\n\nThe patch mentioned below changed cachefiles_bury_object() to expect 2\nreferences to the 'rep' dentry.  Three of the callers were changed to\nuse start_removing_dentry() which takes an extra reference so in those\ncases the call gets the expected references.\n\nHowever there is another call to cachefiles_bury_object() in\ncachefiles_cull() which did not need to be changed to use\nstart_removing_dentry() and so was not properly considered.\nIt still passed the dentry with just one reference so the net result is\nthat a reference is lost.\n\nTo meet the expectations of cachefiles_bury_object(), cachefiles_cull()\nmust take an extra reference before the call.  It will be dropped by\ncachefiles_bury_object().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43106",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43107",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: account XFRMA_IF_ID in aevent size calculation\n\nxfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then\nbuild_aevent() appends attributes including XFRMA_IF_ID when x->if_id is\nset.\n\nxfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states\nwith if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)\nin xfrm_get_ae(), turning a malformed netlink interaction into a kernel\npanic.\n\nAccount XFRMA_IF_ID in the size calculation unconditionally and replace\nthe BUG_ON with normal error unwinding.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43107"
        },
        {
          "id": "CVE-2026-43108",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei\n\nIt looks like the element length declared in servreg_loc_pfr_req_ei for reason\ndoes not match servreg_loc_pfr_req's reason field, due to which we could\nobserve a decoding error on PD crash.\n\n  qmi_decode_string_elem: String len 81 >= Max Len 65\n\nFix this by matching with servreg_loc_pfr_req's reason field.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43108"
        },
        {
          "id": "CVE-2026-43109",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: shadow stacks: proper error handling for mmap lock\n\n\uae40\uc601\ubbfc reports that shstk_pop_sigframe() doesn't check for errors from\nmmap_read_lock_killable(), which is a silly oversight, and also shows\nthat we haven't marked those functions with \"__must_check\", which would\nhave immediately caught it.\n\nSo let's fix both issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43109"
        },
        {
          "id": "CVE-2026-43110",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr->iflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr->iflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43110"
        },
        {
          "id": "CVE-2026-43111",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: roccat: fix use-after-free in roccat_report_event\n\nroccat_report_event() iterates over the device->readers list without\nholding the readers_lock. This allows a concurrent roccat_release() to\nremove and free a reader while it's still being accessed, leading to a\nuse-after-free.\n\nProtect the readers list traversal with the readers_lock mutex.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43111"
        },
        {
          "id": "CVE-2026-43112",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath\n\nWhen cifs_sanitize_prepath is called with an empty string or a string\ncontaining only delimiters (e.g., \"/\"), the current logic attempts to\ncheck *(cursor2 - 1) before cursor2 has advanced. This results in an\nout-of-bounds read.\n\nThis patch adds an early exit check after stripping prepended\ndelimiters. If no path content remains, the function returns NULL.\n\nThe bug was identified via manual audit and verified using a\nstandalone test case compiled with AddressSanitizer, which\ntriggered a SEGV on affected inputs.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43112"
        },
        {
          "id": "CVE-2026-43113",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wl1251: validate packet IDs before indexing tx_frames\n\nwl1251_tx_packet_cb() uses the firmware completion ID directly to index\nthe fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the\ncompletion block, and the callback does not currently verify that it\nfits the array before dereferencing it.\n\nReject completion IDs that fall outside wl->tx_frames[] and keep the\nexisting NULL check in the same guard. This keeps the fix local to the\ntrust boundary and avoids touching the rest of the completion flow.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43113"
        },
        {
          "id": "CVE-2026-43114",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a randomly generated pipapo set\nwith 'ipv4 . port' key, i.e.  nft -f foo.\n\nThis works.  Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because it's the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n    We successfully re-inserted\n      a . b\n      c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation.  It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic C implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erroneously\nreported as a full, identical duplicate.\n\nThe root cause is a too-early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map.",
          "scorev2": "0.0",
          "scorev3": "9.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43114"
        },
        {
          "id": "CVE-2026-43115",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsrcu: Use irq_work to start GP in tiny SRCU\n\nTiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),\nwhich acquires the workqueue pool->lock.\n\nThis causes a lockdep splat when call_srcu() is called with a scheduler\nlock held, due to:\n\n  call_srcu() [holding pi_lock]\n    srcu_gp_start_if_needed()\n      schedule_work() -> pool->lock\n\n  workqueue_init() / create_worker() [holding pool->lock]\n    wake_up_process() -> try_to_wake_up() -> pi_lock\n\nAlso add irq_work_sync() to cleanup_srcu_struct() to prevent a\nuse-after-free if a queued irq_work fires after cleanup begins.\n\nTested with rcutorture SRCU-T and no lockdep warnings.\n\n[ Thanks to Boqun for similar fix in patch \"rcu: Use an intermediate irq_work\nto start process_srcu()\" ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43115"
        },
        {
          "id": "CVE-2026-43116",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ensure safe access to master conntrack\n\nHolding reference on the expectation is not sufficient, the master\nconntrack object can just go away, making exp->master invalid.\n\nTo access exp->master safely:\n\n- Grab the nf_conntrack_expect_lock, this gets serialized with\n  clean_from_lists() which also holds this lock when the master\n  conntrack goes away.\n\n- Hold reference on master conntrack via nf_conntrack_find_get().\n  Not so easy since the master tuple to look up for the master conntrack\n  is not available in the existing problematic paths.\n\nThis patch goes for extending the nf_conntrack_expect_lock section\nto address this issue for simplicity, in the cases that are described\nbelow this is just slightly extending the lock section.\n\nThe add expectation command already holds a reference to the master\nconntrack from ctnetlink_create_expect().\n\nHowever, the delete expectation command needs to grab the spinlock\nbefore looking up for the expectation. Expand the existing spinlock\nsection to address this to cover the expectation lookup. Note that,\nthe nf_ct_expect_iterate_net() calls already grab the spinlock while\niterating over the expectation table, which is correct.\n\nThe get expectation command needs to grab the spinlock to ensure master\nconntrack does not go away. This also expands the existing spinlock\nsection to cover the expectation lookup too. I needed to move the\nnetlink skb allocation out of the spinlock to keep it GFP_KERNEL.\n\nFor the expectation events, the IPEXP_DESTROY event is already delivered\nunder the spinlock, just move the delivery of IPEXP_NEW under the\nspinlock too because the master conntrack event cache is reached through\nexp->master.\n\nWhile at it, add lockdep notations to help identify what codepaths need\nto grab the spinlock.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43116"
        },
        {
          "id": "CVE-2026-43117",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()\n\nIf overlay is used on top of btrfs, dentry->d_sb translates to overlay's\nsuper block and fsid assignment will lead to a crash.\n\nUse file_inode(file)->i_sb to always get btrfs_sb.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43117"
        },
        {
          "id": "CVE-2026-43118",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix zero size inode with non-zero size after log replay\n\nWhen logging that an inode exists, as part of logging a new name or\nlogging new dir entries for a directory, we always set the generation of\nthe logged inode item to 0. This is to signal during log replay (in\noverwrite_item()), that we should not set the i_size since we only logged\nthat an inode exists, so the i_size of the inode in the subvolume tree\nmust be preserved (as when we log new names or that an inode exists, we\ndon't log extents).\n\nThis works fine except when we have already logged an inode in full mode\nor it's the first time we are logging an inode created in a past\ntransaction, that inode has a new i_size of 0 and then we log a new name\nfor the inode (due to a new hardlink or a rename), in which case we log\nan i_size of 0 for the inode and a generation of 0, which causes the log\nreplay code to not update the inode's i_size to 0 (in overwrite_item()).\n\nAn example scenario:\n\n  mkdir /mnt/dir\n  xfs_io -f -c \"pwrite 0 64K\" /mnt/dir/foo\n\n  sync\n\n  xfs_io -c \"truncate 0\" -c \"fsync\" /mnt/dir/foo\n\n  ln /mnt/dir/foo /mnt/dir/bar\n\n  xfs_io -c \"fsync\" /mnt/dir\n\n  <power fail>\n\nAfter log replay the file remains with a size of 64K. This is because when\nwe first log the inode, when we fsync file foo, we log its current i_size\nof 0, and then when we create a hard link we log again the inode in exists\nmode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we\nadd to the log tree, so during log replay overwrite_item() sees that the\ngeneration is 0 and i_size is 0 so we skip updating the inode's i_size\nfrom 64K to 0.\n\nFix this by making sure at fill_inode_item() we always log the real\ngeneration of the inode if it was logged in the current transaction with\nthe i_size we logged before. Also if an inode created in a previous\ntransaction is logged in exists mode only, make sure we log the i_size\nstored in the inode item located from the commit root, so that if we log\nmultiple times that the inode exists we get the correct i_size.\n\nA test case for fstests will follow soon.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43118"
        },
        {
          "id": "CVE-2026-43119",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: annotate data-races around hdev->req_status\n\n__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:\n\n    hdev->req_status = HCI_REQ_PEND;\n\nHowever, several other functions read or write hdev->req_status without\nholding any lock:\n\n  - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)\n  - hci_cmd_sync_complete() reads/writes from HCI event completion\n  - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write\n  - hci_abort_conn() reads in connection abort path\n\nSince __hci_cmd_sync_sk() runs on hdev->req_workqueue while\nhci_send_cmd_sync() runs on hdev->workqueue, these are different\nworkqueues that can execute concurrently on different CPUs. The plain\nC accesses constitute a data race.\n\nAdd READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses\nto hdev->req_status to prevent potential compiler optimizations that\ncould affect correctness (e.g., load fusing in the wait_event\ncondition or store reordering).",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43119"
        },
        {
          "id": "CVE-2026-43120",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix double free related to rereg_user_mr\n\nIf IB_MR_REREG_TRANS is set during rereg_user_mr, the\numem will be released and a new one will be allocated\nin irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans\nfails after the new umem is allocated, it releases the umem,\nbut does not set iwmr->region to NULL. The problem is that\nthis failure is propagated to the user, who will then call\nibv_dereg_mr (as they should). Then, the dereg_mr path will\nsee a non-NULL umem and attempt to call ib_umem_release again.\n\nFix this by setting iwmr->region to NULL after ib_umem_release.\n\nFixed: 5ac388db27c4 (\"RDMA/irdma: Add support to re-register a memory region\")",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43120"
        },
        {
          "id": "CVE-2026-43121",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix user_ref race between scrub and refill paths\n\nThe io_zcrx_put_niov_uref() function uses a non-atomic\ncheck-then-decrement pattern (atomic_read followed by separate\natomic_dec) to manipulate user_refs. This is serialized against other\ncallers by rq_lock, but io_zcrx_scrub() modifies the same counter with\natomic_xchg() WITHOUT holding rq_lock.\n\nOn SMP systems, the following race exists:\n\n  CPU0 (refill, holds rq_lock)          CPU1 (scrub, no rq_lock)\n  put_niov_uref:\n    atomic_read(uref) - 1\n    // window opens\n                                        atomic_xchg(uref, 0) - 1\n                                        return_niov_freelist(niov) [PUSH #1]\n    // window closes\n    atomic_dec(uref) - wraps to -1\n    returns true\n    return_niov(niov)\n    return_niov_freelist(niov)           [PUSH #2: DOUBLE-FREE]\n\nThe same niov is pushed to the freelist twice, causing free_count to\nexceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds\nwrite (a u32 value) past the kvmalloc'd freelist array into the adjacent\nslab object.\n\nFix this by replacing the non-atomic read-then-dec in\nio_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically\ntests and decrements user_refs. This makes the operation safe against\nconcurrent atomic_xchg from scrub without requiring scrub to acquire\nrq_lock.\n\n[pavel: removed a warning and a comment]",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43121"
        },
        {
          "id": "CVE-2026-43122",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Update cpuidle driver check in __acpi_processor_start()\n\nCommit 7a8c994cbb2d (\"ACPI: processor: idle: Optimize ACPI idle\ndriver registration\") moved the ACPI idle driver registration to\nacpi_processor_driver_init() and acpi_processor_power_init() does\nnot register an idle driver any more.\n\nAccordingly, the cpuidle driver check in __acpi_processor_start() needs\nto be updated to avoid calling acpi_processor_power_init() without a\ncpuidle driver, in which case the registration of the cpuidle device\nin that function would lead to a NULL pointer dereference in\n__cpuidle_register_device().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43122"
        },
        {
          "id": "CVE-2026-43123",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: check return value of con2fb_acquire_newinfo()\n\nIf fbcon_open() fails when called from con2fb_acquire_newinfo() then\ninfo->fbcon_par pointer remains NULL which is later dereferenced.\n\nAdd check for return value of the function con2fb_acquire_newinfo() to\navoid it.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43123"
        },
        {
          "id": "CVE-2026-43124",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: ram_core: fix incorrect success return when vmap() fails\n\nIn persistent_ram_vmap(), vmap() may return NULL on failure.\n\nIf offset is non-zero, adding offset_in_page(start) causes the function\nto return a non-NULL pointer even though the mapping failed.\npersistent_ram_buffer_map() therefore incorrectly returns success.\n\nSubsequent access to prz->buffer may dereference an invalid address\nand cause crashes.\n\nAdd proper NULL checking for vmap() failures.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43124"
        },
        {
          "id": "CVE-2026-43125",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: validate length in dlm_search_rsb_tree\n\nThe len parameter in dlm_dump_rsb_name() is not validated and comes\nfrom network messages. When it exceeds DLM_RESNAME_MAXLEN, it can\ncause out-of-bounds write in dlm_search_rsb_tree().\n\nAdd length validation to prevent potential buffer overflow.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43125"
        },
        {
          "id": "CVE-2026-43126",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mixer: oss: Add card disconnect checkpoints\n\nThe ALSA OSS mixer layer calls the kcontrol ops rather individually, and\npending calls might not always be caught when disconnecting the device.\n\nTo avoid the potential UAF scenarios, add sanity checks of the\ncard disconnection at each entry point of OSS mixer accesses.  The\nrwsem is taken just before that check, hence the rest of the context should\nbe covered by that properly.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43126"
        },
        {
          "id": "CVE-2026-43127",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix circular locking dependency in run_unpack_ex\n\nSyzbot reported a circular locking dependency between wnd->rw_lock\n(sbi->used.bitmap) and ni->file.run_lock.\n\nThe deadlock scenario:\n1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.\n2. run_unpack_ex() takes wnd->rw_lock then tries to acquire\n   ni->file.run_lock inside ntfs_refresh_zone().\n\nThis creates an AB-BA deadlock.\n\nFix this by using down_read_trylock() instead of down_read() when\nacquiring run_lock in run_unpack_ex(). If the lock is contended,\nskip ntfs_refresh_zone() - the MFT zone will be refreshed on the\nnext MFT operation. This breaks the circular dependency since we\nnever block waiting for run_lock while holding wnd->rw_lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43127"
        },
        {
          "id": "CVE-2026-43128",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umem: Fix double dma_buf_unpin in failure path\n\nIn ib_umem_dmabuf_get_pinned_with_dma_device(), the call to\nib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf\nis immediately unpinned but the umem_dmabuf->pinned flag is still\nset. Then, when ib_umem_release() is called, it calls\nib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.\n\nFix this by removing the immediate unpin upon failure and just let\nthe ib_umem_release/revoke path handle it. This also ensures the\nproper unmap-unpin unwind ordering if the dmabuf_map_pages call\nhappened to fail due to dma_resv_wait_timeout (and therefore has\na non-NULL umem_dmabuf->sgt).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43128"
        },
        {
          "id": "CVE-2026-43129",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: verify the previous kernel's IMA buffer lies in addressable RAM\n\nPatch series \"Address page fault in ima_restore_measurement_list()\", v3.\n\nWhen the second-stage kernel is booted via kexec with a limiting command\nline such as \"mem=<size>\" we observe a page fault.\n\n    BUG: unable to handle page fault for address: ffff97793ff47000\n    RIP: ima_restore_measurement_list+0xdc/0x45a\n    #PF: error_code(0x0000)  not-present page\n\nThis happens on x86_64 only, as this is already fixed in aarch64 in\ncommit: cbf9c4b9617b (\"of: check previous kernel's ima-kexec-buffer\nagainst memory bounds\")\n\n\nThis patch (of 3):\n\nWhen the second-stage kernel is booted with a limiting command line (e.g. \n\"mem=<size>\"), the IMA measurement buffer handed over from the previous\nkernel may fall outside the addressable RAM of the new kernel.  Accessing\nsuch a buffer can fault during early restore.\n\nIntroduce a small generic helper, ima_validate_range(), which verifies\nthat a physical [start, end] range for the previous-kernel IMA buffer lies\nwithin addressable memory:\n\t- On x86, use pfn_range_is_mapped().\n\t- On OF based architectures, use page_is_ram().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43129"
        },
        {
          "id": "CVE-2026-43130",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode\n\nCommit 4fc82cd907ac (\"iommu/vt-d: Don't issue ATS Invalidation\nrequest when device is disconnected\") relies on\npci_dev_is_disconnected() to skip ATS invalidation for\nsafely-removed devices, but it does not cover link-down caused\nby faults, which can still hard-lock the system.\n\nFor example, if a VM fails to connect to the PCIe device,\n\"virsh destroy\" is executed to release resources and isolate\nthe fault, but a hard-lockup occurs while releasing the group fd.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n intel_pasid_tear_down_entry\n device_block_translation\n blocking_domain_attach_dev\n __iommu_attach_device\n __iommu_device_set_domain\n __iommu_group_set_domain_internal\n iommu_detach_group\n vfio_iommu_type1_detach_group\n vfio_group_detach_container\n vfio_group_fops_release\n __fput\n\nAlthough pci_device_is_present() is slower than\npci_dev_is_disconnected(), it still takes only ~70 \u00b5s on a\nConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed\nand width increase.\n\nBesides, devtlb_invalidation_with_pasid() is called only in the\npaths below, which are far less frequent than memory map/unmap.\n\n1. mm-struct release\n2. {attach,release}_dev\n3. set/remove PASID\n4. dirty-tracking setup\n\nThe gain in system stability far outweighs the negligible cost\nof using pci_device_is_present() instead of pci_dev_is_disconnected()\nto decide when to skip ATS invalidation, especially under GDR\nhigh-load conditions.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43130"
        },
        {
          "id": "CVE-2026-43131",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix null pointer dereference issue\n\nIf SMU is disabled, during RAS initialization,\nthere will be null pointer dereference issue here.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43131"
        },
        {
          "id": "CVE-2026-43132",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: correctly handle dm_bufio_client_create() failure\n\nIf either of the calls to dm_bufio_client_create() in verity_fec_ctr()\nfails, then dm_bufio_client_destroy() is later called with an ERR_PTR()\nargument.  That causes a crash.  Fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43132"
        },
        {
          "id": "CVE-2026-43133",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation\n\nCommit cc3ed80ae69f (\"KVM: nSVM: always use vmcb01 to for vmsave/vmload\nof guest state\") made KVM always use vmcb01 for the fields controlled by\nVMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code\nto always use vmcb01.\n\nAs a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not\nintercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01\ninstead of the current VMCB.",
          "scorev2": "0.0",
          "scorev3": "7.9",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43133"
        },
        {
          "id": "CVE-2026-43134",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ\n\nThis adds a check for encryption key size upon receiving\nL2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which\nexpects L2CAP_CR_LE_BAD_KEY_SIZE.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43134"
        },
        {
          "id": "CVE-2026-43135",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx23885: Add missing unmap in snd_cx23885_hw_params()\n\nIn error path, add cx23885_alsa_dma_unmap() to release the\nresource acquired by cx23885_alsa_dma_map().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43135"
        },
        {
          "id": "CVE-2026-43136",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Check maxfield in hidpp_get_report_length()\n\nDo not crash when a report has no fields.\n\nFake USB gadgets can send their own HID report descriptors and can define report\nstructures without valid fields.  This can be used to crash the kernel over USB.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43136"
        },
        {
          "id": "CVE-2026-43137",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Fix NULL pointer dereference\n\nIf there's a mismatch between the DAI links in the machine driver and\nthe topology, it is possible that the playback/capture widget is not\nset, especially in the case of loopback capture for echo reference\nwhere we use the dummy DAI link. Return the error when the widget is not\nset to avoid a null pointer dereference like below when the topology is\nbroken.\n\nRIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43137"
        },
        {
          "id": "CVE-2026-43138",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: gpio: suppress bind attributes in sysfs\n\nThis is a special device that's created dynamically and is supposed to\nstay in memory forever. We also currently don't have a devlink between\nit and the actual reset consumer. Suppress sysfs bind attributes so that\nuser-space can't unbind the device because - as of now - it will cause a\nuse-after-free splat from any user that puts the reset control handle.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43138"
        },
        {
          "id": "CVE-2026-43139",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: fix uninitialized saddr in xfrm6_get_saddr()\n\nxfrm6_get_saddr() does not check the return value of\nipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable\nsource address (returns -EADDRNOTAVAIL), saddr->in6 is left\nuninitialized, but xfrm6_get_saddr() still returns 0 (success).\n\nThis causes the caller xfrm_tmpl_resolve_one() to use the uninitialized\naddress in xfrm_state_find(), triggering KMSAN warning:\n\n=====================================================\nBUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940\n xfrm_state_find+0x2424/0xa940\n xfrm_resolve_and_create_bundle+0x906/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n xfrm_lookup_route+0x63/0x2b0\n ip_route_output_flow+0x1ce/0x270\n udp_sendmsg+0x2ce1/0x3400\n inet_sendmsg+0x1ef/0x2a0\n __sock_sendmsg+0x278/0x3d0\n __sys_sendto+0x593/0x720\n __x64_sys_sendto+0x130/0x200\n x64_sys_call+0x332b/0x3e70\n do_syscall_64+0xd3/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable tmp.i.i created at:\n xfrm_resolve_and_create_bundle+0x3e3/0x5a20\n xfrm_lookup_with_ifid+0xcc0/0x3770\n=====================================================\n\nFix by checking the return value of ipv6_dev_get_saddr() and propagating\nthe error.",
          "scorev2": "0.0",
          "scorev3": "8.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43139"
        },
        {
          "id": "CVE-2026-43140",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: Do not crash on missing msc->input\n\nFake USB devices can send their own report descriptors for which the\ninput_mapping() hook does not get called.  In this case, msc->input stays NULL,\nleading to a crash at a later time.\n\nDetect this condition in the input_configured() hook and reject the device.\n\nThis is not supposed to happen with actual magic mouse devices, but can be\nprovoked by imposing as a magic mouse USB device.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43140"
        },
        {
          "id": "CVE-2026-43141",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut\n\nNumber of MW LUTs depends on NTB configuration and can be set to zero,\nin such scenario rounddown_pow_of_two will cause undefined behaviour and\nshould not be performed.\nThis patch ensures that rounddown_pow_of_two is called on valid value.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43141"
        },
        {
          "id": "CVE-2026-43142",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: gen1: Destroy internal buffers after FW releases\n\nAfter the firmware releases internal buffers, the driver was not\ndestroying them. This left stale allocations that were no longer used,\nespecially across resolution changes where new buffers are allocated per\nthe updated requirements. As a result, memory was wasted until session\nclose.\n\nDestroy internal buffers once the release response is received from the\nfirmware.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43142"
        },
        {
          "id": "CVE-2026-43143",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: core: Add locking around 'mfd_of_node_list'\n\nManipulating a list in the kernel isn't safe without some sort of\nmutual exclusion. Add a mutex any time we access / modify\n'mfd_of_node_list' to prevent possible crashes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43143"
        },
        {
          "id": "CVE-2026-43144",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential kernel oops when probe fails\n\nWhen probe of the sdio brcmfmac device fails for some reasons (i.e.\nmissing firmware), the sdiodev->bus is set to error instead of NULL, thus\nthe cleanup later in brcmf_sdio_remove() tries to free resources via\ninvalid bus pointer. This happens because sdiodev->bus is set 2 times:\nfirst in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix\nthis by changing the brcmf_sdio_probe() function to return the error code\nand set sdio->bus only there.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43144"
        },
        {
          "id": "CVE-2026-43145",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Fix invalid loaded resource table detection\n\nimx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded\nresource table even when the current firmware does not provide one.\n\nWhen the device tree contains a \"rsc-table\" entry, priv->rsc_table is\nnon-NULL and denotes where a resource table would be located if one is\npresent in memory. However, when the current firmware has no resource\ntable, rproc->table_ptr is NULL. The function still returns\npriv->rsc_table, and the remoteproc core interprets this as a valid loaded\nresource table.\n\nFix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when\nthere is no resource table for the current firmware (i.e. when\nrproc->table_ptr is NULL). This aligns the function's semantics with the\nremoteproc core: a loaded resource table is only reported when a valid\ntable_ptr exists.\n\nWith this change, starting firmware without a resource table no longer\ntriggers a crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43145"
        },
        {
          "id": "CVE-2026-43146",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Add buffer to list only after successful allocation\n\nMove `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating\ninternal buffers. Previously, the buffer was enqueued in `buffers->list`\nbefore the DMA allocation. If the allocation failed, the function returned\n`-ENOMEM` while leaving a partially initialized buffer in the list, which\ncould lead to inconsistent state and potential leaks.\n\nBy adding the buffer to the list only after `dma_alloc_attrs()` succeeds,\nwe ensure the list contains only valid, fully initialized buffers.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43146"
        },
        {
          "id": "CVE-2026-43147",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\"\n\nThis reverts commit 05703271c3cd (\"PCI/IOV: Add PCI rescan-remove locking\nwhen enabling/disabling SR-IOV\"), which causes a deadlock by recursively\ntaking pci_rescan_remove_lock when sriov_del_vfs() is called as part of\npci_stop_and_remove_bus_device(). For example with the following sequence\nof commands:\n\n  $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs\n  $ echo 1 > /sys/bus/pci/devices/<pf>/remove\n\nA trimmed trace of the deadlock on a mlx5 device is as below:\n\n  zsh/5715 is trying to acquire lock:\n  000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140\n\n  but task is already holding lock:\n  000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80\n  ...\n  Call Trace:\n   [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110\n   [<00000259779c844e>] print_deadlock_bug+0x31e/0x330\n   [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0\n   [<00000259779bffac>] lock_acquire+0x14c/0x350\n   [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520\n   [<000002597896413c>] mutex_lock_nested+0x3c/0x50\n   [<00000259784a07e4>] sriov_disable+0x34/0x140\n   [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core]\n   [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core]\n   [<00000259784857fc>] pci_device_remove+0x3c/0xa0\n   [<000002597851012e>] device_release_driver_internal+0x18e/0x280\n   [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0\n   [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80\n   [<00000259784972c2>] remove_store+0x72/0x90\n   [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200\n   [<0000025977d7241c>] vfs_write+0x24c/0x300\n   [<0000025977d72696>] ksys_write+0x86/0x110\n   [<000002597895b61c>] __do_syscall+0x14c/0x400\n   [<000002597896e0ee>] system_call+0x6e/0x90\n\nThis alone is not a complete fix as it restores the issue the cited commit\ntried to solve. A new fix will be provided as a follow on.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43147"
        },
        {
          "id": "CVE-2026-43148",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/smp: Add check for kcalloc() failure in parse_thread_groups()\n\nAs kcalloc() may fail, check its return value to avoid a NULL pointer\ndereference when passing it to of_property_read_u32_array().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43148"
        },
        {
          "id": "CVE-2026-43149",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()\n\nThe priv->rx_buffer and priv->tx_buffer are alloc'd together as\ncontiguous buffers in uhdlc_init() but freed as two buffers in\nuhdlc_memclean().\n\nChange the cleanup to only call dma_free_coherent() once on the whole\nbuffer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43149"
        },
        {
          "id": "CVE-2026-43150",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/arm-cmn: Reject unsupported hardware configurations\n\nSo far we've been fairly lax about accepting both unknown CMN models\n(at least with a warning), and unknown revisions of those which we\ndo know, as although things do frequently change between releases,\ntypically enough remains the same to be somewhat useful for at least\nsome basic bringup checks. However, we also make assumptions of the\nmaximum supported sizes and numbers of things in various places, and\nthere's no guarantee that something new might not be bigger and lead\nto nasty array overflows. Make sure we only try to run on things that\nactually match our assumptions and so will not risk memory corruption.\n\nWe have at least always failed on completely unknown node types, so\nupdate that error message for clarity and consistency too.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43150"
        },
        {
          "id": "CVE-2026-43151",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"media: iris: Add sanity check for stop streaming\"\n\nThis reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4.\n\nRevert the check that skipped stop_streaming when the instance was in\nIRIS_INST_ERROR, as it caused multiple regressions:\n\n1. Buffers were not returned to vb2 when the instance was already in\n   error state, triggering warnings in the vb2 core because buffer\n   completion was skipped.\n\n2. If a session failed early (e.g. unsupported configuration), the\n   instance transitioned to IRIS_INST_ERROR. When userspace attempted\n   to stop streaming for cleanup, stop_streaming was skipped due to the\n   added check, preventing proper teardown and leaving the firmware\n   in an inconsistent state.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43151"
        },
        {
          "id": "CVE-2026-43152",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-pl: handle probe errors\n\nErrors in init must be reported back or we'll\nfollow a NULL pointer the first time FF is used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43152"
        },
        {
          "id": "CVE-2026-43153",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: remove xfs_attr_leaf_hasname\n\nThe calling convention of xfs_attr_leaf_hasname() is problematic, because\nit returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer\nwhen xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a\nnon-NULL buffer pointer for an already released buffer when\nxfs_attr3_leaf_lookup_int fails with other error values.\n\nFix this by simply open coding xfs_attr_leaf_hasname in the callers, so\nthat the buffer release code is done by each caller of\nxfs_attr3_leaf_read.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43153"
        },
        {
          "id": "CVE-2026-43154",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix incorrect early exits in volume label handling\n\nCrafted EROFS images containing valid volume labels can trigger\nincorrect early returns, leading to folio reference leaks.\n\nHowever, this does not cause system crashes or other severe issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43154"
        },
        {
          "id": "CVE-2026-43155",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmux: mmio: fix regmap leak on probe failure\n\nThe mmio regmap that may be allocated during probe is never freed.\n\nSwitch to using the device managed allocator so that the regmap is\nreleased on probe failures (e.g. probe deferral) and on driver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43155"
        },
        {
          "id": "CVE-2026-43156",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: enable basic endpoint checking\n\npegasus_probe() fills URBs with hardcoded endpoint pipes without\nverifying the endpoint descriptors:\n\n  - usb_rcvbulkpipe(dev, 1) for RX data\n  - usb_sndbulkpipe(dev, 2) for TX data\n  - usb_rcvintpipe(dev, 3)  for status interrupts\n\nA malformed USB device can present these endpoints with transfer types\nthat differ from what the driver assumes.\n\nAdd a pegasus_usb_ep enum for endpoint numbers, replacing magic\nconstants throughout. Add usb_check_bulk_endpoints() and\nusb_check_int_endpoints() calls before any resource allocation to\nverify endpoint types before use, rejecting devices with mismatched\ndescriptors at probe time, and avoid triggering assertion.\n\nSimilar fix to\n- commit 90b7f2961798 (\"net: usb: rtl8150: enable basic endpoint checking\")\n- commit 9e7021d2aeae (\"net: usb: catc: enable basic endpoint checking\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43156"
        },
        {
          "id": "CVE-2026-43157",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: CGX: fix bitmap leaks\n\nThe RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap)\nare allocated by cgx_lmac_init() but never freed in cgx_lmac_exit().\nUnbinding and rebinding the driver therefore triggers kmemleak:\n\n    unreferenced object (size 16):\n        backtrace:\n          rvu_alloc_bitmap\n          cgx_probe\n\nFree both bitmaps during teardown.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43157"
        },
        {
          "id": "CVE-2026-43158",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix freemap adjustments when adding xattrs to leaf blocks\n\nxfs/592 and xfs/794 both trip this assertion in the leaf block freemap\nadjustment code after ~20 minutes of running on my test VMs:\n\n ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)\n\t\t\t\t\t+ xfs_attr3_leaf_hdr_size(leaf));\n\nUpon enabling quite a lot more debugging code, I narrowed this down to\nfsstress trying to set a local extended attribute with namelen=3 and\nvaluelen=71.  This results in an entry size of 80 bytes.\n\nAt the start of xfs_attr3_leaf_add_work, the freemap looks like this:\n\ni 0 base 448 size 0 rhs 448 count 46\ni 1 base 388 size 132 rhs 448 count 46\ni 2 base 2120 size 4 rhs 448 count 46\nfirstused = 520\n\nwhere \"rhs\" is the first byte past the end of the leaf entry array.\nThis is inconsistent -- the entries array ends at byte 448, but\nfreemap[1] says there's free space starting at byte 388!\n\nBy the end of the function, the freemap is in worse shape:\n\ni 0 base 456 size 0 rhs 456 count 47\ni 1 base 388 size 52 rhs 456 count 47\ni 2 base 2120 size 4 rhs 456 count 47\nfirstused = 440\n\nImportant note: 388 is not aligned with the entries array element size\nof 8 bytes.\n\nBased on the incorrect freemap, the name area starts at byte 440, which\nis below the end of the entries array!  That's why the assertion\ntriggers and the filesystem shuts down.\n\nHow did we end up here?  First, recall from the previous patch that the\nfreemap array in an xattr leaf block is not intended to be a\ncomprehensive map of all free space in the leaf block.  In other words,\nit's perfectly legal to have a leaf block with:\n\n * 376 bytes in use by the entries array\n * freemap[0] has [base = 376, size = 8]\n * freemap[1] has [base = 388, size = 1500]\n * the space between 376 and 388 is free, but the freemap stopped\n   tracking that some time ago\n\nIf we add one xattr, the entries array grows to 384 bytes, and\nfreemap[0] becomes [base = 384, size = 0].  So far, so good.  But if we\nadd a second xattr, the entries array grows to 392 bytes, and freemap[0]\ngets pushed up to [base = 392, size = 0].  This is bad, because\nfreemap[1] hasn't been updated, and now the entries array and the free\nspace claim the same space.\n\nThe fix here is to adjust all freemap entries so that none of them\ncollide with the entries array.  Note that this fix relies on commit\n2a2b5932db6758 (\"xfs: fix attr leaf header freemap.size underflow\") and\nthe previous patch that resets zero length freemap entries to have\nbase = 0.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43158"
        },
        {
          "id": "CVE-2026-43159",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix null dereference in find_network\n\nThe variable pwlan has the possibility of being NULL when passed into\nrtw_free_network_nolock() which would later dereference the variable.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43159"
        },
        {
          "id": "CVE-2026-43160",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: macsmc: Initialize mutex\n\nInitialize struct apple_smc's mutex in apple_smc_probe(). Using the\nmutex uninitialized surprisingly resulted only in occasional NULL\npointer dereferences in apple_smc_read() calls from the probe()\nfunctions of sub devices.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43160"
        },
        {
          "id": "CVE-2026-43161",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode\n\nPCIe endpoints with ATS enabled and passed through to userspace\n(e.g., QEMU, DPDK) can hard-lock the host when their link drops,\neither by surprise removal or by a link fault.\n\nCommit 4fc82cd907ac (\"iommu/vt-d: Don't issue ATS Invalidation\nrequest when device is disconnected\") adds pci_dev_is_disconnected()\nto devtlb_invalidation_with_pasid() so ATS invalidation is skipped\nonly when the device is being safely removed, but it applies only\nwhen Intel IOMMU scalable mode is enabled.\n\nWith scalable mode disabled or unsupported, a system hard-lock\noccurs when a PCIe endpoint's link drops because the Intel IOMMU\nwaits indefinitely for an ATS invalidation that cannot complete.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nCommit 81e921fd3216 (\"iommu/vt-d: Fix NULL domain on device release\")\nadds intel_pasid_teardown_sm_context() to intel_iommu_release_device(),\nwhich calls qi_flush_dev_iotlb() and can also hard-lock the system\nwhen a PCIe endpoint's link drops.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n intel_context_flush_no_pasid\n device_pasid_table_teardown\n pci_pasid_table_teardown\n pci_for_each_dma_alias\n intel_pasid_teardown_sm_context\n intel_iommu_release_device\n iommu_deinit_device\n __iommu_group_remove_device\n iommu_release_device\n iommu_bus_notifier\n blocking_notifier_call_chain\n bus_notify\n device_del\n pci_remove_bus_device\n pci_stop_and_remove_bus_device\n pciehp_unconfigure_device\n pciehp_disable_slot\n pciehp_handle_presence_or_link_change\n pciehp_ist\n\nSometimes the endpoint loses connection without a link-down event\n(e.g., due to a link fault); killing the process (virsh destroy)\nthen hard-locks the host.\n\nCall Trace:\n qi_submit_sync\n qi_flush_dev_iotlb\n __context_flush_dev_iotlb.part.0\n domain_context_clear_one_cb\n pci_for_each_dma_alias\n device_block_translation\n blocking_domain_attach_dev\n __iommu_attach_device\n __iommu_device_set_domain\n __iommu_group_set_domain_internal\n iommu_detach_group\n vfio_iommu_type1_detach_group\n vfio_group_detach_container\n vfio_group_fops_release\n __fput\n\npci_dev_is_disconnected() only covers safe-removal paths;\npci_device_is_present() tests accessibility by reading\nvendor/device IDs and internally calls pci_dev_is_disconnected().\nOn a ConnectX-5 (8 GT/s, x2) this costs ~70 \u00b5s.\n\nSince __context_flush_dev_iotlb() is only called on\n{attach,release}_dev paths (not hot), add pci_device_is_present()\nthere to skip inaccessible devices and avoid the hard-lock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43161"
        },
        {
          "id": "CVE-2026-43162",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tegra-video: Fix memory leak in __tegra_channel_try_format()\n\nThe state object allocated by __v4l2_subdev_state_alloc() must be freed\nwith __v4l2_subdev_state_free() when it is no longer needed.\n\nIn __tegra_channel_try_format(), two error paths return directly after\nv4l2_subdev_call() fails, without freeing the allocated 'sd_state'\nobject. This violates the requirement and causes a memory leak.\n\nFix this by introducing a cleanup label and using goto statements in the\nerror paths to ensure that __v4l2_subdev_state_free() is always called\nbefore the function returns.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43162"
        },
        {
          "id": "CVE-2026-43163",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: fix GPF in write_page caused by resize race\n\nA General Protection Fault occurs in write_page() during array resize:\nRIP: 0010:write_page+0x22b/0x3c0 [md_mod]\n\nThis is a use-after-free race between bitmap_daemon_work() and\n__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`\nwithout locking, while the resize path frees that storage via\nmd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,\nallowing concurrent access to freed pages.\n\nFix by holding `mddev->bitmap_info.mutex` during the bitmap update.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43163"
        },
        {
          "id": "CVE-2026-43164",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nudplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().\n\nsyzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0]\n\nSince the cited commit, udp_lib_init_sock() can fail, as can\nudp_init_sock() and udpv6_init_sock().\n\nLet's handle the error in udplite_sk_init() and udplitev6_sk_init().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\nBUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719\nRead of size 4 at addr 0000000000000008 by task syz.2.18/2944\n\nCPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n <IRQ>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n kasan_report+0xa2/0xe0 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200\n instrument_atomic_read include/linux/instrumented.h:82 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719\n __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline]\n udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906\n udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064\n ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489\n NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318\n ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500\n NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6149 [inline]\n __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262\n process_backlog+0x4d6/0x1160 net/core/dev.c:6614\n __napi_poll+0xae/0x320 net/core/dev.c:7678\n napi_poll net/core/dev.c:7741 [inline]\n net_rx_action+0x60d/0xdc0 net/core/dev.c:7893\n handle_softirqs+0x209/0x8d0 kernel/softirq.c:622\n do_softirq+0x52/0x90 kernel/softirq.c:523\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246\n ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984\n udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442\n udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469\n udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3eb/0x580 net/socket.c:2206\n __do_sys_sendto net/socket.c:2213 [inline]\n __se_sys_sendto net/socket.c:2209 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2209\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f67b4d9c629\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8\n </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43164"
        },
        {
          "id": "CVE-2026-43165",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin\n\nWhen calling of_parse_phandle_with_args(), the caller is responsible\nfor calling of_node_put() to release the reference of the device node.\nIn nct7363_present_pwm_fanin, it does not release the reference,\ncausing a resource leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43165"
        },
        {
          "id": "CVE-2026-43166",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix interlaced plain identification for encoded extents\n\nOnly plain data whose start position and on-disk physical length are\nboth aligned to the block size should be classified as interlaced\nplain extents. Otherwise, it must be treated as shifted plain extents.\n\nThis issue was found by syzbot using a crafted compressed image\ncontaining plain extents with unaligned physical lengths, which can\ncause OOB read in z_erofs_transform_plain().",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43166"
        },
        {
          "id": "CVE-2026-43167",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: always flush state and policy upon NETDEV_UNREGISTER event\n\nsyzbot is reporting that \"struct xfrm_state\" refcount is leaking.\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2\n  ref_tracker: netdev@ffff888052f24618 has 1/1 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]\n       xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316\n       xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]\n       xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022\n       xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507\n       netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550\n       xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894\n       sock_sendmsg_nosec net/socket.c:727 [inline]\n       __sock_sendmsg net/socket.c:742 [inline]\n       ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592\n       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646\n       __sys_sendmsg+0x16d/0x220 net/socket.c:2678\n       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n       do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis is because commit d77e38e612a0 (\"xfrm: Add an IPsec hardware\noffloading API\") implemented xfrm_dev_unregister() as a no-op even though\nxfrm_dev_state_add() from xfrm_state_construct() acquires a reference\nto \"struct net_device\".\nI guess that that commit expected that NETDEV_DOWN event is fired before\nNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()\nis called only if (dev->features & NETIF_F_HW_ESP) != 0.\n\nSabrina Dubroca identified steps to reproduce the same symptoms as below.\n\n  echo 0 > /sys/bus/netdevsim/new_device\n  dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)\n  ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \\\n     spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \\\n     offload crypto dev $dev dir out\n  ethtool -K $dev esp-hw-offload off\n  echo 0 > /sys/bus/netdevsim/del_device\n\nAs these steps indicate, the NETIF_F_HW_ESP bit can be cleared after\nxfrm_dev_state_add() acquired a reference to \"struct net_device\".\nAlso, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit\nwhen acquiring a reference to \"struct net_device\".\n\nCommit 03891f820c21 (\"xfrm: handle NETDEV_UNREGISTER for xfrm device\")\nre-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that\ncommit for an unknown reason chose to share xfrm_dev_down() between the\nNETDEV_DOWN event and the NETDEV_UNREGISTER event.\nI guess that that commit missed the behavior in the previous paragraph.\n\nTherefore, we need to re-introduce xfrm_dev_unregister() in order to\nrelease the reference to \"struct net_device\" by unconditionally flushing\nstate and policy.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43167"
        },
        {
          "id": "CVE-2026-43168",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix reflink preserve cleanup issue\n\ncommit c06c303832ec (\"ocfs2: fix xattr array entry __counted_by error\")\ndoesn't handle all cases and the cleanup job for preserved xattr entries\nstill has a bug:\n- the 'last' pointer should be shifted by one unit after cleaning up\n  an array entry.\n- current code logic doesn't clean up the first entry when xh_count is 1.\n\nNote, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43168"
        },
        {
          "id": "CVE-2026-43169",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/buddy: Prevent BUG_ON by validating rounded allocation\n\nWhen DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is\nrounded up to the next power-of-two via roundup_pow_of_two().\nSimilarly, for non-contiguous allocations with large min_block_size,\nthe size is aligned up via round_up(). Both operations can produce a\nrounded size that exceeds mm->size, which later triggers\nBUG_ON(order > mm->max_order).\n\nExample scenarios:\n- 9G CONTIGUOUS allocation on 10G VRAM memory:\n  roundup_pow_of_two(9G) = 16G > 10G\n- 9G allocation with 8G min_block_size on 10G VRAM memory:\n  round_up(9G, 8G) = 16G > 10G\n\nFix this by checking the rounded size against mm->size. For\nnon-contiguous or range allocations where size > mm->size is invalid,\nreturn -EINVAL immediately. For contiguous allocations without range\nrestrictions, allow the request to fall through to the existing\n__alloc_contig_try_harder() fallback.\n\nThis ensures invalid user input returns an error or uses the fallback\npath instead of hitting BUG_ON.\n\nv2: (Matt A)\n- Add Fixes, Cc stable, and Closes tags for context",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43169"
        },
        {
          "id": "CVE-2026-43170",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Move vbus draw to workqueue context\n\nCurrently dwc3_gadget_vbus_draw() can be called from atomic\ncontext, which in turn invokes power-supply-core APIs. And\nsome of these PMIC APIs have operations that may sleep, leading\nto a kernel panic.\n\nFix this by moving the vbus_draw into a workqueue context.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43170"
        },
        {
          "id": "CVE-2026-43171",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEFI/CPER: don't dump the entire memory region\n\nThe current logic at cper_print_fw_err() doesn't check if the\nerror record length is big enough to handle offset. On bad firmware,\nif the offset is above the actual record, length -= offset will\nunderflow, making it dump the entire memory.\n\nThe end result can be:\n\n - the logic taking a lot of time dumping large regions of memory;\n - data disclosure due to the memory dumps;\n - an OOPS, if it tries to dump an unmapped memory region.\n\nFix it by checking if the section length is too small before doing\na hex dump.\n\n[ rjw: Subject tweaks ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43171"
        },
        {
          "id": "CVE-2026-43172",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix 22000 series SMEM parsing\n\nIf the firmware were to report three LMACs (which doesn't\nexist in hardware) then using \"fwrt->smem_cfg.lmac[2]\" is\nan overrun of the array. Reject such and use IWL_FW_CHECK\ninstead of WARN_ON in this function.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43172"
        },
        {
          "id": "CVE-2026-43173",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: xscale: Check for PTP support properly\n\nIn ixp4xx_get_ts_info() ixp46x_ptp_find() is called\nunconditionally despite this feature only existing on\nixp46x, leading to the following splat from tcpdump:\n\nroot@OpenWrt:~# tcpdump -vv -X -i eth0\n(...)\nUnable to handle kernel NULL pointer dereference at virtual address\n  00000238 when read\n(...)\nCall trace:\n ptp_clock_index from ixp46x_ptp_find+0x1c/0x38\n ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64\n ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108\n __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648\n __dev_ethtool from dev_ethtool+0x160/0x234\n dev_ethtool from dev_ioctl+0x2cc/0x460\n dev_ioctl from sock_ioctl+0x1ec/0x524\n sock_ioctl from sys_ioctl+0x51c/0xa94\n sys_ioctl from ret_fast_syscall+0x0/0x44\n (...)\nSegmentation fault\n\nCheck for ixp46x in ixp46x_ptp_find() before trying to set up\nPTP to avoid this.\n\nTo avoid altering the returned error code from ixp4xx_hwtstamp_set()\nwhich before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP\nfrom ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter\nthe error code. The helper function ixp46x_ptp_find()\nreturns -ENODEV.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43173"
        },
        {
          "id": "CVE-2026-43174",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix post open error handling\n\nClosing a queue doesn't guarantee that all associated page pools are\nterminated right away, let the refcounting do the work instead of\nreleasing the zcrx ctx directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43174"
        },
        {
          "id": "CVE-2026-43175",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rs9: Reserve 8 struct clk_hw slots for 9FGV0841\n\nThe 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure\nthere are 8 slots for those newly registered clk_hw pointers, else\nthere is going to be an out of bounds write when pointers 4..7 are set\ninto struct rs9_driver_data .clk_dif[4..7] field.\n\nSince there are other structure members past this struct clk_hw\npointer array, writing to .clk_dif[4..7] fields corrupts both\nthe struct rs9_driver_data content and data around it, sometimes\nwithout crashing the kernel. However, the kernel does surely\ncrash when the driver is unbound or during suspend.\n\nFix this by increasing the struct clk_hw pointer array size to the\nmaximum output count of 9FGV0841, which is the biggest chip that\nis supported by this driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43175"
        },
        {
          "id": "CVE-2026-43176",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: validate release report content before using for RTL8922DE\n\nThe commit 957eda596c76\n(\"wifi: rtw89: pci: validate sequence number of TX release report\")\ndoes validation on existing chips, on which somehow a release report of an SKB\nbecomes malformed. As no clear cause was found, add rules ahead for RTL8922DE\nto avoid a crash if it happens.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43176"
        },
        {
          "id": "CVE-2026-43177",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ipu6: Fix RPM reference leak in probe error paths\n\nSeveral error paths in ipu6_pci_probe() were jumping directly to\nout_ipu6_bus_del_devices without releasing the runtime PM reference.\nAdd pm_runtime_put_sync() before cleaning up other resources.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43177"
        },
        {
          "id": "CVE-2026-43178",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nprocfs: fix possible double mmput() in do_procmap_query()\n\nWhen the user provides an incorrectly sized buffer for the build ID for PROCMAP_QUERY\nwe return with an -ENAMETOOLONG error.  After recent changes this condition\nhappens later, after we unlocked mmap_lock/per-VMA lock and did mmput(),\nso the original goto out is now wrong and will double-mmput() mm_struct.  Fix\nby jumping further to clean up only vm_file and name_buf.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43178"
        },
        {
          "id": "CVE-2026-43179",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix incorrect early exits for invalid metabox-enabled images\n\nCrafted EROFS images with metadata compression enabled can trigger\nincorrect early returns, leading to folio reference leaks.\n\nHowever, this does not cause system crashes or other severe issues.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43179"
        },
        {
          "id": "CVE-2026-43180",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode\n\nkaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls\nnetif_stop_queue() and netif_wake_queue(). These are TX queue flow\ncontrol functions unrelated to RX multicast configuration.\n\nThe premature netif_wake_queue() can re-enable TX while tx_urb is still\nin-flight, leading to a double usb_submit_urb() on the same URB:\n\nkaweth_start_xmit() {\n    netif_stop_queue();\n    usb_submit_urb(kaweth->tx_urb);\n}\n\nkaweth_set_rx_mode() {\n    netif_stop_queue();\n    netif_wake_queue();             // wakes TX queue before URB is done\n}\n\nkaweth_start_xmit() {\n    netif_stop_queue();\n    usb_submit_urb(kaweth->tx_urb); // URB submitted while active\n}\n\nThis triggers the WARN in usb_submit_urb():\n\n  \"URB submitted while active\"\n\nThis is a similar class of bug fixed in rtl8150 by\n\n- commit 958baf5eaee3 (\"net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\").\n\nAlso kaweth_set_rx_mode() is already functionally broken, the\nreal set_rx_mode action is performed by kaweth_async_set_rx_mode(),\nwhich in turn is not a no-op only at ndo_open() time.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43180"
        },
        {
          "id": "CVE-2026-43181",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: sysfs: fix chip removal with GPIOs exported over sysfs\n\nCurrently if we export a GPIO over sysfs and unbind the parent GPIO\ncontroller, the exported attribute will remain under /sys/class/gpio\nbecause once we remove the parent device, we can no longer associate the\ndescriptor with it in gpiod_unexport() and never drop the final\nreference.\n\nRework the teardown code: provide an unlocked variant of\ngpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken\nbefore unregistering the parent device itself. This is done to prevent\nany new exports happening before we unregister the device completely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43181"
        },
        {
          "id": "CVE-2026-43182",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ccs: Avoid possible division by zero\n\nCalculating maximum M for scaler configuration involves dividing by\nMIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably\nnon-zero, the driver was missing the check that it in fact was. Fix this.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43182"
        },
        {
          "id": "CVE-2026-43183",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx25821: Fix a resource leak in cx25821_dev_setup()\n\nAdd release_mem_region() if ioremap() fails to release the memory\nregion obtained by cx25821_get_resources().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43183"
        },
        {
          "id": "CVE-2026-43184",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrnbd-srv: Zero the rsp buffer before using it\n\nBefore using the data buffer to send back the response message, zero it\ncompletely. This prevents any stray bytes from being picked up by the client\nside when the message is exchanged between different protocol\nversions.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43184"
        },
        {
          "id": "CVE-2026-43185",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix signedness bug in smb_direct_prepare_negotiation()\n\nsmb_direct_prepare_negotiation() casts an unsigned __u32 value\nfrom sp->max_recv_size and req->preferred_send_size to a signed\nint before computing min_t(int, ...). A maliciously provided\npreferred_send_size of 0x80000000 will return as smaller than\nmax_recv_size, and then be used to set the maximum allowed\nreceive size for the next message.\n\nBy sending a second message with a large value (>1420 bytes)\nthe attacker can then achieve a heap buffer overflow.\n\nThis fix replaces min_t(int, ...) with min_t(u32).",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43185"
        },
        {
          "id": "CVE-2026-43186",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()\n\nOn the receive path, __ioam6_fill_trace_data() uses trace->nodelen\nto decide how much data to write for each node. It trusts this field\nas-is from the incoming packet, with no consistency check against\ntrace->type (the 24-bit field that tells which data items are\npresent). A crafted packet can set nodelen=0 while setting type bits\n0-21, causing the function to write ~100 bytes past the allocated\nregion (into skb_shared_info), which corrupts adjacent heap memory\nand leads to a kernel panic.\n\nAdd a shared helper ioam6_trace_compute_nodelen() in ioam6.c to\nderive the expected nodelen from the type field, and use it:\n\n  - in ioam6_iptunnel.c (send path, existing validation) to replace\n    the open-coded computation;\n  - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose\n    nodelen is inconsistent with the type field, before any data is\n    written.\n\nPer RFC 9197, bits 12-21 are each short (4-octet) fields, so they\nare included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to\n0xff1ffc00).",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43186"
        },
        {
          "id": "CVE-2026-43187",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: delete attr leaf freemap entries when empty\n\nBack in commit 2a2b5932db6758 (\"xfs: fix attr leaf header freemap.size\nunderflow\"), Brian Foster observed that it's possible for a small\nfreemap at the end of the xattr entries array to experience\na size underflow when subtracting the space consumed by an expansion of\nthe entries array.  There are only three freemap entries, which means\nthat it is not a complete index of all free space in the leaf block.\n\nThis code can leave behind a zero-length freemap entry with a nonzero\nbase.  Subsequent setxattr operations can increase the base up to the\npoint that it overlaps with another freemap entry.  This isn't in and of\nitself a problem because the code in _leaf_add that finds free space\nignores any freemap entry with zero size.\n\nHowever, there's another bug in the freemap update code in _leaf_add,\nwhich is that it fails to update a freemap entry that begins midway\nthrough the xattr entry that was just appended to the array.  That can\nresult in the freemap containing two entries with the same base but\ndifferent sizes (0 for the \"pushed-up\" entry, nonzero for the entry\nthat's actually tracking free space).  A subsequent _leaf_add can then\nallocate xattr namevalue entries on top of the entries array, leading to\ndata loss.  But fixing that is for later.\n\nFor now, eliminate the possibility of confusion by zeroing out the base\nof any freemap entry that has zero size.  Because the freemap is not\nintended to be a complete index of free space, a subsequent failure to\nfind any free space for a new xattr will trigger block compaction, which\nregenerates the freemap.\n\nIt looks like this bug has been in the codebase for quite a long time.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43187"
        },
        {
          "id": "CVE-2026-43188",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: do not propagate page array emplacement errors as batch errors\n\nWhen fscrypt is enabled, move_dirty_folio_in_page_array() may fail\nbecause it needs to allocate bounce buffers to store the encrypted\nversions of each folio. Each folio beyond the first allocates its bounce\nbuffer with GFP_NOWAIT. Failures are common (and expected) under this\nallocation mode; they should flush (not abort) the batch.\n\nHowever, ceph_process_folio_batch() uses the same `rc` variable for its\nown return code and for capturing the return codes of its routine calls;\nfailing to reset `rc` back to 0 results in the error being propagated\nout to the main writeback loop, which cannot actually tolerate any\nerrors here: once `ceph_wbc.pages` is allocated, it must be passed to\nceph_submit_write() to be freed. If it survives until the next iteration\n(e.g. due to the goto being followed), ceph_allocate_page_array()'s\nBUG_ON() will oops the worker.\n\nNote that this failure mode is currently masked due to another bug\n(addressed next in this series) that prevents multiple encrypted folios\nfrom being selected for the same write.\n\nFor now, just reset `rc` when redirtying the folio to prevent errors in\nmove_dirty_folio_in_page_array() from propagating. Note that\nmove_dirty_folio_in_page_array() is careful never to return errors on\nthe first folio, so there is no need to check for that. After this\nchange, ceph_process_folio_batch() no longer returns errors; its only\nremaining failure indicator is `locked_pages == 0`, which the caller\nalready handles correctly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43188"
        },
        {
          "id": "CVE-2026-43189",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-async: Fix error handling on steps after finding a match\n\nOnce an async connection is found to be matching with an fwnode, a\nsub-device may be registered (in case it wasn't already), its bound\noperation is called, ancillary links are created, the async connection\nis added to the sub-device's list of connections and removed from the\nglobal waiting connection list. Further on, the sub-device's possible own\nnotifier is searched for possible additional matches.\n\nFix these specific issues:\n\n- If v4l2_async_match_notify() failed before the sub-notifier handling,\n  the async connection was unbound and its entry removed from the\n  sub-device's async connection list. The latter part was also done in\n  v4l2_async_match_notify().\n\n- The async connection's sd field was only set after creating ancillary\n  links in v4l2_async_match_notify(). It was however dereferenced in\n  v4l2_async_unbind_subdev_one(), which was called on error path of\n  v4l2_async_match_notify() failure.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43189"
        },
        {
          "id": "CVE-2026-43190",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n  If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n  to index op[i+1]. In the case where i + 1 == optlen, this causes an\n  out-of-bounds read, accessing memory past the optlen boundary\n  (either reading beyond the stack buffer _opt or the\n  following payload).",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43190"
        },
        {
          "id": "CVE-2026-43191",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35\n\n[Why]\nA backport of the change made for DCN401 that addresses an issue where\nwe turn off the PHY PLL when disabling TMDS output, which causes the\nOTG to remain stuck.\n\nThe OTG being stuck can lead to a hang in the DCHVM's ability to ACK\ninvalidations when it thinks the HUBP is still on but it's not receiving\nglobal sync.\n\nThe transition to PLL_ON needs to be atomic as there's no guarantee\nthat the thread isn't pre-empted or is able to complete before the\nIOMMU watchdog times out.\n\n[How]\nBackport the implementation from dcn401 back to dcn35.\n\nThere's a functional difference in when the eDP output is disabled in\ndcn401 code so we don't want to utilize it directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43191"
        },
        {
          "id": "CVE-2026-43192",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm mpath: Add missing dm_put_device when failing to get scsi dh name\n\nWhen commit fd81bc5cca8f (\"scsi: device_handler: Return error pointer in\nscsi_dh_attached_handler_name()\") added code to fail parsing the path if\nscsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up\nthe reference to the path device that had just been taken. Fix this, and\nstreamline the error paths of parse_path() a little.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43192",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43193",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()\n\nClaude pointed out that there is a nfs4_file refcount leak in\nnfsd_get_dir_deleg(). Ensure that the reference to \"fp\" is released\nbefore returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43193",
          "detail": "fixed-version",
          "description": "only affects 6.19 onwards"
        },
        {
          "id": "CVE-2026-43194",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: consume xmit errors of GSO frames\n\nudpgro_frglist.sh and udpgro_bench.sh are the flakiest tests\ncurrently in NIPA. They fail in the same exact way, TCP GRO\ntest stalls occasionally and the test gets killed after 10min.\n\nThese tests use veth to simulate GRO. They attach a trivial\n(\"return XDP_PASS;\") XDP program to the veth to force TSO off\nand NAPI on.\n\nDigging into the failure mode we can see that the connection\nis completely stuck after a burst of drops. The sender's snd_nxt\nis at sequence number N [1], but the receiver claims to have\nreceived (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle\nis that the sender's rtx queue is not empty (let's say the block in\nthe rtx queue is at sequence number N - 4 * MSS [3]).\n\nIn this state, sender sends a retransmission from the rtx queue\nwith a single segment, and sequence numbers N-4*MSS:N-3*MSS [3].\nReceiver sees it and responds with an ACK all the way up to\nN + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA\nbecause it has no recollection of ever sending data that far out [1].\nAnd we are stuck.\n\nThe root cause is the mess of the xmit return codes. veth returns\nan error when it can't xmit a frame. We end up with a loss event\nlike this:\n\n  -------------------------------------------------\n  |   GSO super frame 1   |   GSO super frame 2   |\n  |-----------------------------------------------|\n  | seg | seg | seg | seg | seg | seg | seg | seg |\n  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |  8  |\n  -------------------------------------------------\n     x    ok    ok    <ok>|  ok    ok    ok   <x>\n                          \\\\\n\t\t\t   snd_nxt\n\n\"x\" means packet lost by veth, and \"ok\" means it went thru.\nSince veth has TSO disabled in this test it sees individual segments.\nSegment 1 is on the retransmit queue and will be resent.\n\nSo why did the sender not advance snd_nxt even tho it clearly did\nsend up to seg 8? tcp_write_xmit() interprets the return code\nfrom the core to mean that data has not been sent at all. Since\nTCP deals with GSO super frames, not individual segments, the crux\nof the problem is that loss of a single segment can be interpreted\nas loss of all. TCP only sees the last return code for the last\nsegment of the GSO frame (in <> brackets in the diagram above).\n\nOf course for the problem to occur we need a setup or a device\nwithout a Qdisc. Otherwise the Qdisc layer disconnects the protocol\nlayer from the device errors completely.\n\nWe have multiple ways to fix this.\n\n 1) make veth not return an error when it lost a packet.\n    While this is what I think we did in the past, the issue keeps\n    reappearing and it's annoying to debug. The game of whack\n    a mole is not great.\n\n 2) fix the damn return codes\n    We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the\n    documentation, so maybe we should make the return code from\n    ndo_start_xmit() a boolean. I like that the most, but perhaps\n    some ancient, not-really-networking protocol would suffer.\n\n 3) make TCP ignore the errors\n    It is not entirely clear to me what benefit TCP gets from\n    interpreting the result of ip_queue_xmit()? Specifically once\n    the connection is established and we're pushing data - packet\n    loss is just packet loss?\n\n 4) this fix\n    Ignore the rc in the Qdisc-less+GSO case, since it's unreliable.\n    We already always return OK in the TCQ_F_CAN_BYPASS case.\n    In the Qdisc-less case let's be a bit more conservative and only\n    mask the GSO errors. This path is taken by non-IP-\"networks\"\n    like CAN, MCTP etc, so we could regress some ancient thing.\n    This is the simplest, but also maybe the hackiest fix?\n\nA similar fix has been proposed by Eric in the past but never committed\nbecause the original reporter was working with an OOT driver and wasn't\nproviding feedback (see Link).",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43194"
        },
        {
          "id": "CVE-2026-43195",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate user queue size constraints\n\nAdd validation to ensure user queue sizes meet hardware requirements:\n- Size must be a power of two for efficient ring buffer wrapping\n- Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations\n\nThis prevents invalid configurations that could lead to GPU faults or\nunexpected behavior.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43195"
        },
        {
          "id": "CVE-2026-43196",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: pruss: Fix double free in pruss_clk_mux_setup()\n\nIn the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly\ncalls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np)\non the error path. However, after the devm_add_action_or_reset()\nreturns, the of_node_put(clk_mux_np) is called again, causing a double\nfree.\n\nFix by returning directly, to avoid the duplicate of_node_put().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43196"
        },
        {
          "id": "CVE-2026-43197",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetconsole: avoid OOB reads, msg is not nul-terminated\n\nmsg passed to netconsole from the console subsystem is not guaranteed\nto be nul-terminated. Before recent\ncommit 7eab73b18630 (\"netconsole: convert to NBCON console infrastructure\")\nthe message would be placed in printk_shared_pbufs, a static global\nbuffer, so KASAN had harder time catching OOB accesses. Now we see:\n\n    printk: console [netcon_ext0] enabled\n    BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240\n    Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594\n\n    CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9\n    Call Trace:\n     kasan_report+0xe4/0x120\n     string+0x1f7/0x240\n     vsnprintf+0x655/0xba0\n     scnprintf+0xba/0x120\n     netconsole_write+0x3fe/0xa10\n     nbcon_emit_next_record+0x46e/0x860\n     nbcon_kthread_func+0x623/0x750\n\n    Allocated by task 1:\n     nbcon_alloc+0x1ea/0x450\n     register_console+0x26b/0xe10\n     init_netconsole+0xbb0/0xda0\n\n    The buggy address belongs to the object at ffff88813b6d4000\n                which belongs to the cache kmalloc-4k of size 4096\n    The buggy address is located 0 bytes to the right of\n                allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43197"
        },
        {
          "id": "CVE-2026-43198",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix potential race in tcp_v6_syn_recv_sock()\n\nCode in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()\nis done too late.\n\nAfter tcp_v4_syn_recv_sock(), the child socket is already visible\nfrom TCP ehash table and other cpus might use it.\n\nSince newinet->pinet6 is still pointing to the listener ipv6_pinfo\nbad things can happen as syzbot found.\n\nMove the problematic code in tcp_v6_mapped_child_init()\nand call this new helper from tcp_v4_syn_recv_sock() before\nthe ehash insertion.\n\nThis allows the removal of one tcp_sync_mss(), since\ntcp_v4_syn_recv_sock() will call it with the correct\ncontext.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43198"
        },
        {
          "id": "CVE-2026-43199",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix \"scheduling while atomic\" in IPsec MAC address query\n\nFix a \"scheduling while atomic\" bug in mlx5e_ipsec_init_macs() by\nreplacing mlx5_query_mac_address() with ether_addr_copy() to get the\nlocal MAC address directly from netdev->dev_addr.\n\nThe issue occurs because mlx5_query_mac_address() queries the hardware\nwhich involves mlx5_cmd_exec() that can sleep, but it is called from\nthe mlx5e_ipsec_handle_event workqueue which runs in atomic context.\n\nThe MAC address is already available in netdev->dev_addr, so no need\nto query hardware. This avoids the sleeping call and resolves the bug.\n\nCall trace:\n  BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200\n  __schedule+0x7ab/0xa20\n  schedule+0x1c/0xb0\n  schedule_timeout+0x6e/0xf0\n  __wait_for_common+0x91/0x1b0\n  cmd_exec+0xa85/0xff0 [mlx5_core]\n  mlx5_cmd_exec+0x1f/0x50 [mlx5_core]\n  mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core]\n  mlx5_query_mac_address+0x19/0x30 [mlx5_core]\n  mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core]\n  mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core]\n  mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core]\n  process_one_work+0x178/0x2e0\n  worker_thread+0x2ea/0x430",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43199"
        },
        {
          "id": "CVE-2026-43200",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions\n\nstruct configfs_item_operations callbacks are defined like the following:\n\n  int (*allow_link)(struct config_item *src, struct config_item *target);\n  void (*drop_link)(struct config_item *src, struct config_item *target);\n\nWhile pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify\nthe parameters in the correct order, pci_primary_epc_epf_unlink() and\npci_secondary_epc_epf_unlink() specify the parameters in the wrong order,\nleading to the below kernel crash when using the unlink command in\nconfigfs:\n\n  Unable to handle kernel paging request at virtual address 0000000300000857\n  Mem abort info:\n  ...\n  pc : string+0x54/0x14c\n  lr : vsnprintf+0x280/0x6e8\n  ...\n  string+0x54/0x14c\n  vsnprintf+0x280/0x6e8\n  vprintk_default+0x38/0x4c\n  vprintk+0xc4/0xe0\n  pci_epf_unbind+0xdc/0x108\n  configfs_unlink+0xe0/0x208+0x44/0x74\n  vfs_unlink+0x120/0x29c\n  __arm64_sys_unlinkat+0x3c/0x90\n  invoke_syscall+0x48/0x134\n  do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0\n\n[mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43200"
        },
        {
          "id": "CVE-2026-43201",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nAPEI/GHES: ARM processor Error: don't go past allocated memory\n\nIf the BIOS generates a very small ARM Processor Error, or\nan incomplete one, the current logic will fail to dereference\n\n\terr->section_length\nand\n\tctx_info->size\n\nAdd checks to avoid that. With such changes, such GHESv2\nrecords won't cause OOPSes like this:\n\n[    1.492129] Internal error: Oops: 0000000096000005 [#1]  SMP\n[    1.495449] Modules linked in:\n[    1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT\n[    1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\n[    1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred\n[    1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    1.497199] pc : log_arm_hw_error+0x5c/0x200\n[    1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220\n\n0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).\n70\t\terr_info = (struct cper_arm_err_info *)(err + 1);\n71\t\tctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num);\n72\t\tctx_err = (u8 *)ctx_info;\n73\n74\t\tfor (n = 0; n < err->context_info_num; n++) {\n75\t\t\tsz = sizeof(struct cper_arm_ctx_info) + ctx_info->size;\n76\t\t\tctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);\n77\t\t\tctx_len += sz;\n78\t\t}\n79\n\nand similar ones while trying to access section_length on an\nerror dump with too small size.\n\n[ rjw: Subject tweaks ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43201"
        },
        {
          "id": "CVE-2026-43202",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: vt8500lcdfb: fix missing dma_free_coherent()\n\nfbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not\nfreed if the error path is reached.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43202"
        },
        {
          "id": "CVE-2026-43203",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: fore200e: fix use-after-free in tasklets during device removal\n\nWhen the PCA-200E or SBA-200E adapter is being detached, the fore200e\nis deallocated. However, the tx_tasklet or rx_tasklet may still be running\nor pending, leading to a use-after-free bug when the already freed fore200e\nis accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().\n\nOne of the race conditions can occur as follows:\n\nCPU 0 (cleanup)           | CPU 1 (tasklet)\nfore200e_pca_remove_one() | fore200e_interrupt()\n  fore200e_shutdown()     |   tasklet_schedule()\n    kfree(fore200e)       | fore200e_tx_tasklet()\n                          |   fore200e-> // UAF\n\nFix this by ensuring tx_tasklet or rx_tasklet is properly canceled before\nthe fore200e is released. Add tasklet_kill() in fore200e_shutdown() to\nsynchronize with any pending or running tasklets. Moreover, since\nfore200e_reset() could prevent further interrupts or data transfers,\nthe tasklet_kill() should be placed after fore200e_reset() to prevent\nthe tasklet from being rescheduled in fore200e_interrupt(). Finally,\nit only needs to do tasklet_kill() when the fore200e state is greater\nthan or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized\nin earlier states. In a word, the tasklet_kill() should be placed in\nthe FORE200E_STATE_IRQ branch within the switch...case structure.\n\nThis bug was identified through static analysis.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43203"
        },
        {
          "id": "CVE-2026-43204",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6asm: drop DSP responses for closed data streams\n\n'Commit a354f030dbce (\"ASoC: qcom: q6asm: handle the responses\nafter closing\")' attempted to ignore DSP responses arriving\nafter a stream had been closed.\n\nHowever, those responses were still handled, causing lockups.\n\nFix this by unconditionally dropping all DSP responses associated with\nclosed data streams.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43204"
        },
        {
          "id": "CVE-2026-43205",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: validate num_ifs to prevent out-of-bounds write\n\nThe driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()\nbut never validates it against DPSW_MAX_IF (64). This value controls\niteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices\ninto the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports\nnum_ifs >= 64, the loop can write past the array bounds.\n\nAdd a bound check for num_ifs in dpaa2_switch_init().\n\ndpaa2_switch_fdb_get_flood_cfg() appends the control interface (port\nnum_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all\nports match the flood filter, the loop fills all 64 slots and the control\ninterface write overflows by one entry.\n\nThe check uses >= because num_ifs == DPSW_MAX_IF is also functionally\nbroken.\n\nbuild_if_id_bitmap() silently drops any ID >= 64:\n      if (id[i] < DPSW_MAX_IF)\n          bmap[id[i] / 64] |= ...",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43205"
        },
        {
          "id": "CVE-2026-43206",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()\n\nThe kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8\nbytes via memset without checking the buffer size parameter. This allows\nunprivileged userspace to trigger an out-of-bounds kernel memory write\nby passing a small buffer, leading to potential privilege\nescalation.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43206"
        },
        {
          "id": "CVE-2026-43207",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-mdp: Fix error handling in probe function\n\nAdd mtk_mdp_unregister_m2m_device() on the error handling path to prevent\nresource leak.\n\nAdd check for the return value of vpu_get_plat_device() to prevent null\npointer dereference. And vpu_get_plat_device() increases the reference\ncount of the returned platform device. Add platform_device_put() to\nprevent reference leak.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43207"
        },
        {
          "id": "CVE-2026-43208",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not pass flow_id to set_rps_cpu()\n\nBlamed commit made the assumption that the RPS table for each receive\nqueue would have the same size, and that it would not change.\n\nCompute flow_id in set_rps_cpu(), do not assume we can use the value\ncomputed by get_rps_cpu(). Otherwise we risk out-of-bound access\nand/or crashes.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43208"
        },
        {
          "id": "CVE-2026-43209",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nminix: Add required sanity checking to minix_check_superblock()\n\nThe fs/minix implementation of the minix filesystem does not currently\nsupport any other value for s_log_zone_size than 0. This is also the\nonly value supported in util-linux; see mkfs.minix.c line 511. In\naddition, this patch adds some sanity checking for the other minix\nsuperblock fields, and moves the minix_blocks_needed() checks for the\nzmap and imap also to minix_check_super_block().\n\nThis also closes a related syzbot bug report.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43209"
        },
        {
          "id": "CVE-2026-43210",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: ring-buffer: Fix to check event length before using\n\nCheck the event length before adding it for accessing next index in\nrb_read_data_buffer(). Since this function is used for validating\npossibly broken ring buffers, the length of the event could be broken.\nIn that case, the new event (e + len) can point a wrong address.\nTo avoid invalid memory access at boot, check whether the length of\neach event is in the possible range before using it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43210"
        },
        {
          "id": "CVE-2026-43211",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix pci_slot_trylock() error handling\n\nCommit a4e772898f8b (\"PCI: Add missing bridge lock to pci_bus_lock()\")\ndelegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in\npci_slot_trylock(), but it forgets to remove the corresponding\npci_dev_unlock() when pci_bus_trylock() fails.\n\nBefore a4e772898f8b, the code did:\n\n  if (!pci_dev_trylock(dev)) /* <- lock bridge device */\n    goto unlock;\n  if (dev->subordinate) {\n    if (!pci_bus_trylock(dev->subordinate)) {\n      pci_dev_unlock(dev);   /* <- unlock bridge device */\n      goto unlock;\n    }\n  }\n\nAfter a4e772898f8b the bridge-device lock is no longer taken, but the\npci_dev_unlock(dev) on the failure path was left in place, leading to the\nbug.\n\nThis yields one of two errors:\n\n  1. A warning that the lock is being unlocked when no one holds it.\n  2. An incorrect unlock of a lock that belongs to another thread.\n\nFix it by removing the now-redundant pci_dev_unlock(dev) on the failure\npath.\n\n[Same patch later posted by Keith at\nhttps://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com]",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43211"
        },
        {
          "id": "CVE-2026-43212",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE\n\nThe arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE -\nwhich is a valid index - so add a check for this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43212"
        },
        {
          "id": "CVE-2026-43213",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: validate sequence number of TX release report\n\nHardware rarely reports abnormal sequence number in TX release report,\nwhich will access out-of-bounds of wd_ring->pages array, causing NULL\npointer dereference.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S   U\n             6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1)\n  Call Trace:\n   <IRQ>\n   rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)]\n   rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)]\n   net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759\n   handle_softirqs+0xbe/0x290 kernel/softirq.c:601\n   ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)]\n   __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423\n   </IRQ>\n   <TASK>\n   rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)]\n   ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0\n   irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314\n   ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202\n   ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220\n   kthread+0xea/0x110 kernel/kthread.c:376\n   ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287\n   ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331\n   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n   </TASK>\n\nTo prevent crash, validate rpp_info.seq before using.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43213"
        },
        {
          "id": "CVE-2026-43214",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()\n\nAdd SRCU read-side protection when reading PDPTR registers in\n__get_sregs2().\n\nReading PDPTRs may trigger access to guest memory:\nkvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() ->\nkvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot()\n\nkvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(),\nwhich uses srcu_dereference_check() and requires either kvm->srcu or\nkvm->slots_lock to be held. Currently only vcpu->mutex is held,\ntriggering lockdep warning:\n\n=============================\nWARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot\n6.12.59+ #3 Not tainted\n\ninclude/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.5.1717/15100:\n #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824\n __kvm_memslots include/linux/kvm_host.h:1062 [inline]\n __kvm_memslots include/linux/kvm_host.h:1059 [inline]\n kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline]\n kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617\n kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302\n load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065\n svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688\n kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline]\n __get_sregs2 arch/x86/kvm/x86.c:11784 [inline]\n kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279\n kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43214"
        },
        {
          "id": "CVE-2026-43215",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix locking usage for tcon fields\n\nWe used to use the cifs_tcp_ses_lock to protect a lot of objects\nthat are not just the server, ses or tcon lists. We later introduced\nsrv_lock, ses_lock and tc_lock to protect fields within the\ncorresponding structs. This was done to provide a more granular\nprotection and avoid unnecessary serialization.\n\nThere were still a couple of uses of cifs_tcp_ses_lock to provide\ntcon fields. In this patch, I've replaced them with tc_lock.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43215"
        },
        {
          "id": "CVE-2026-43216",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Drop the lock in skb_may_tx_timestamp()\n\nskb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must\nnot be taken in IRQ context, only softirq is okay. A few drivers receive\nthe timestamp via a dedicated interrupt and complete the TX timestamp\nfrom that handler. This will lead to a deadlock if the lock is already\nwrite-locked on the same CPU.\n\nTaking the lock can be avoided. The socket (pointed to by the skb) will\nremain valid until the skb is released. The ->sk_socket and ->file\nmembers will be set to NULL once the user closes the socket, which may\nhappen before the timestamp arrives.\nIf we happen to observe the pointer while the socket is closing but\nbefore the pointer is set to NULL then we may use it because both\npointers (and the file's cred member) are RCU freed.\n\nDrop the lock. Use READ_ONCE() to obtain the individual pointer. Add a\nmatching WRITE_ONCE() where the pointers are cleared.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43216"
        },
        {
          "id": "CVE-2026-43217",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: gen2: Add sanity check for session stop\n\nIn iris_kill_session, inst->state is set to IRIS_INST_ERROR and\nsession_close is executed, which will kfree(inst_hfi_gen2->packet).\nIf stop_streaming is called afterward, it will cause a crash.\n\nAdd a NULL check for inst_hfi_gen2->packet before sending the STOP packet\nto firmware to fix that.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43217"
        },
        {
          "id": "CVE-2026-43218",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c/tw9903: Fix potential memory leak in tw9903_probe()\n\nIn one of the error paths in tw9903_probe(), the memory allocated in\nv4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that\nby calling v4l2_ctrl_handler_free() on the handler in that error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43218"
        },
        {
          "id": "CVE-2026-43219",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Fix potential unregister of netdev that has not been registered yet\n\nIf an error occurs during register_netdev() for the first MAC in\ncpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,\ncpsw->slaves[1].ndev would remain unchanged. This could later cause\ncpsw_unregister_ports() to attempt unregistering the second MAC.\nTo address this, add a check for ndev->reg_state before calling\nunregister_netdev(). With this change, setting cpsw->slaves[i].ndev\nto NULL becomes unnecessary and can be removed accordingly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43219"
        },
        {
          "id": "CVE-2026-43220",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu->lock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43220"
        },
        {
          "id": "CVE-2026-43221",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ipmb: initialise event handler read bytes\n\nIPMB doesn't use i2c reads, but the handler needs to set a value.\nOtherwise an i2c read will return an uninitialised value from the bus\ndriver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43221"
        },
        {
          "id": "CVE-2026-43222",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: AV1: Fix tile info buffer size\n\nEach tile info is composed of: row_sb, col_sb, start_pos\nand end_pos (4 bytes each). So the total required memory\nis AV1_MAX_TILES * 16 bytes.\nUse the correct #define to allocate the buffer and avoid\nwriting tile info in non-allocated memory.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43222"
        },
        {
          "id": "CVE-2026-43223",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix URB leak in pvr2_send_request_ex\n\nWhen pvr2_send_request_ex() submits a write URB successfully but fails to\nsubmit the read URB (e.g. returns -ENOMEM), it returns immediately without\nwaiting for the write URB to complete. Since the driver reuses the same\nURB structure, a subsequent call to pvr2_send_request_ex() attempts to\nsubmit the still-active write URB, triggering a 'URB submitted while\nactive' warning in usb_submit_urb().\n\nFix this by ensuring the write URB is unlinked and waited upon if the read\nURB submission fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43223"
        },
        {
          "id": "CVE-2026-43224",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix sgtable leak on mapping failures\n\nIn an unlikely case when io_populate_area_dma() fails, which could only\nhappen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,\nio_zcrx_map_area() will have an initialised and not freed table. It was\nsupposed to be cleaned up in the error path, but !is_mapped prevents\nthat.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43224"
        },
        {
          "id": "CVE-2026-43225",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix memory leak on failure path\n\ncfg80211_inform_bss_frame() may return NULL on failure. In that case,\nthe allocated buffer 'buf' is not freed and the function returns early,\nleading to potential memory leak.\nFix this by ensuring that 'buf' is freed on both success and failure paths.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43225"
        },
        {
          "id": "CVE-2026-43226",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: No shortcut out of RDS_CONN_ERROR\n\nRDS connections carry a state \"rds_conn_path::cp_state\"\nand transitions from one state to another and are conditional\nupon an expected state: \"rds_conn_path_transition.\"\n\nThere is one exception to this conditionality, which is\n\"RDS_CONN_ERROR\" that can be enforced by \"rds_conn_path_drop\"\nregardless of what state the condition is currently in.\n\nBut as soon as a connection enters state \"RDS_CONN_ERROR\",\nthe connection handling code expects it to go through the\nshutdown-path.\n\nThe RDS/TCP multipath changes added a shortcut out of\n\"RDS_CONN_ERROR\" straight back to \"RDS_CONN_CONNECTING\"\nvia \"rds_tcp_accept_one_path\" (e.g. after \"rds_tcp_state_change\").\n\nA subsequent \"rds_tcp_reset_callbacks\" can then transition\nthe state to \"RDS_CONN_RESETTING\" with a shutdown-worker queued.\n\nThat'll trip up \"rds_conn_init_shutdown\", which was\nnever adjusted to handle \"RDS_CONN_RESETTING\" and subsequently\ndrops the connection with the dreaded \"DR_INV_CONN_STATE\",\nwhich leaves \"RDS_SHUTDOWN_WORK_QUEUED\" on forever.\n\nSo we do two things here:\n\na) Don't shortcut \"RDS_CONN_ERROR\", but take the longer\n   path through the shutdown code.\n\nb) Add \"RDS_CONN_RESETTING\" to the expected states in\n  \"rds_conn_init_shutdown\" so that we won't error out\n  and get stuck, if we ever hit weird state transitions\n  like this again.\"",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43226"
        },
        {
          "id": "CVE-2026-43227",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/sh_tmu: Always leave device running after probe\n\nThe TMU device can be used as both a clocksource and a clockevent\nprovider. The driver tries to be smart and power itself on and off, as\nwell as enabling and disabling its clock when it's not in operation.\nThis behavior is slightly altered if the TMU is used as an early\nplatform device in which case the device is left powered on after probe,\nbut the clock is still enabled and disabled at runtime.\n\nThis has worked for a long time, but recent improvements in PREEMPT_RT\nand PROVE_LOCKING have highlighted an issue. As the TMU registers itself\nas a clockevent provider, clockevents_register_device(), it needs to use\nraw spinlocks internally as this is the context of which the clockevent\nframework interacts with the TMU driver. However in the context of\nholding a raw spinlock the TMU driver can't really manage its power\nstate or clock with calls to pm_runtime_*() and clk_*() as these calls\nend up in other platform drivers using regular spinlocks to control\npower and clocks.\n\nThis mix of spinlock contexts trips a lockdep warning.\n\n    =============================\n    [ BUG: Invalid wait context ]\n    6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted\n    -----------------------------\n    swapper/0/0 is trying to lock:\n    ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88\n    other info that might help us debug this:\n    context-{5:5}\n    1 lock held by swapper/0/0:\n    ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0\n     #0: ffff8000817ec298\n    ccree e6601000.crypto: ARM ccree device initialized\n     (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8\n    stack backtrace:\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT\n    Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    Call trace:\n     show_stack+0x14/0x1c (C)\n     dump_stack_lvl+0x6c/0x90\n     dump_stack+0x14/0x1c\n     __lock_acquire+0x904/0x1584\n     lock_acquire+0x220/0x34c\n     _raw_spin_lock_irqsave+0x58/0x80\n     __pm_runtime_resume+0x38/0x88\n     sh_tmu_clock_event_set_oneshot+0x84/0xd4\n     clockevents_switch_state+0xfc/0x13c\n     tick_broadcast_set_event+0x30/0xa4\n     __tick_broadcast_oneshot_control+0x1e0/0x3a8\n     tick_broadcast_oneshot_control+0x30/0x40\n     cpuidle_enter_state+0x40c/0x680\n     cpuidle_enter+0x30/0x40\n     do_idle+0x1f4/0x280\n     cpu_startup_entry+0x34/0x40\n     kernel_init+0x0/0x130\n     do_one_initcall+0x0/0x230\n     __primary_switched+0x88/0x90\n\nFor non-PREEMPT_RT builds this is not really an issue, but for\nPREEMPT_RT builds where normal spinlocks can sleep this might be an\nissue. Be cautious and always leave the power and clock running after\nprobe.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43227"
        },
        {
          "id": "CVE-2026-43228",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: Replace BUG_ON with error handling for CNID count checks\n\nIn a06ec283e125 next_id, folder_count, and file_count in the super block\ninfo were expanded to 64 bits, and BUG_ONs were added to detect\noverflow. This triggered an error reported by syzbot: if the MDB is\ncorrupted, the BUG_ON is triggered. This patch replaces this mechanism\nwith proper error handling and resolves the syzbot reported bug.\n\nSigned-off-by: Jori Koolstra <jkoolstra@xs4all.nl>",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43228"
        },
        {
          "id": "CVE-2026-43229",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n  Internal error: synchronous external abort: 0000000096000010\n    [#1] PREEMPT SMP\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n    Tainted: G   M    W\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n  Call trace:\n   wave5_vdi_read_register+0x10/0x38 [wave5]\n   kthread_worker_fn+0xd8/0x238\n   kthread+0x104/0x120\n   ret_from_fork+0x10/0x20\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: synchronous external abort:\n    Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43229"
        },
        {
          "id": "CVE-2026-43230",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: Clear reconnect pending bit\n\nWhen canceling the reconnect worker, care must be taken to reset the\nreconnect-pending bit. If the reconnect worker has not yet been\nscheduled before it is canceled, the reconnect-pending bit will stay\non forever.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43230"
        },
        {
          "id": "CVE-2026-43231",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: radio-keene: fix memory leak in error path\n\nFix a memory leak in usb_keene_probe(). The v4l2 control handler is\ninitialized and controls are added, but if v4l2_device_register() or\nvideo_register_device() fails afterward, the handler was never freed,\nleaking memory.\n\nAdd v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure\nthe control handler is properly freed for all error paths after it is\ninitialized.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43231"
        },
        {
          "id": "CVE-2026-43232",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets\n\nWhen the FarSync T-series card is being detached, the fst_card_info is\ndeallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task\nmay still be running or pending, leading to use-after-free bugs when the\nalready freed fst_card_info is accessed in fst_process_tx_work_q() or\nfst_process_int_work_q().\n\nA typical race condition is depicted below:\n\nCPU 0 (cleanup)           | CPU 1 (tasklet)\n                          | fst_start_xmit()\nfst_remove_one()          |   tasklet_schedule()\n  unregister_hdlc_device()|\n                          | fst_process_tx_work_q() //handler\n  kfree(card) //free      |   do_bottom_half_tx()\n                          |     card-> //use\n\nThe following KASAN trace was captured:\n\n==================================================================\n BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00\n Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32\n ...\n Call Trace:\n  <IRQ>\n  dump_stack_lvl+0x55/0x70\n  print_report+0xcb/0x5d0\n  ? do_bottom_half_tx+0xb88/0xd00\n  kasan_report+0xb8/0xf0\n  ? do_bottom_half_tx+0xb88/0xd00\n  do_bottom_half_tx+0xb88/0xd00\n  ? _raw_spin_lock_irqsave+0x85/0xe0\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  ? __pfx___hrtimer_run_queues+0x10/0x10\n  fst_process_tx_work_q+0x67/0x90\n  tasklet_action_common+0x1fa/0x720\n  ? hrtimer_interrupt+0x31f/0x780\n  handle_softirqs+0x176/0x530\n  __irq_exit_rcu+0xab/0xe0\n  sysvec_apic_timer_interrupt+0x70/0x80\n ...\n\n Allocated by task 41 on cpu 3 at 72.330843s:\n  kasan_save_stack+0x24/0x50\n  kasan_save_track+0x17/0x60\n  __kasan_kmalloc+0x7f/0x90\n  fst_add_one+0x1a5/0x1cd0\n  local_pci_probe+0xdd/0x190\n  pci_device_probe+0x341/0x480\n  really_probe+0x1c6/0x6a0\n  __driver_probe_device+0x248/0x310\n  driver_probe_device+0x48/0x210\n  __device_attach_driver+0x160/0x320\n  bus_for_each_drv+0x101/0x190\n  __device_attach+0x198/0x3a0\n  device_initial_probe+0x78/0xa0\n  pci_bus_add_device+0x81/0xc0\n  pci_bus_add_devices+0x7e/0x190\n  enable_slot+0x9b9/0x1130\n  acpiphp_check_bridge.part.0+0x2e1/0x460\n  acpiphp_hotplug_notify+0x36c/0x3c0\n  acpi_device_hotplug+0x203/0xb10\n  acpi_hotplug_work_fn+0x59/0x80\n ...\n\n Freed by task 41 on cpu 1 at 75.138639s:\n  kasan_save_stack+0x24/0x50\n  kasan_save_track+0x17/0x60\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x43/0x70\n  kfree+0x135/0x410\n  fst_remove_one+0x2ca/0x540\n  pci_device_remove+0xa6/0x1d0\n  device_release_driver_internal+0x364/0x530\n  pci_stop_bus_device+0x105/0x150\n  pci_stop_and_remove_bus_device+0xd/0x20\n  disable_slot+0x116/0x260\n  acpiphp_disable_and_eject_slot+0x4b/0x190\n  acpiphp_hotplug_notify+0x230/0x3c0\n  acpi_device_hotplug+0x203/0xb10\n  acpi_hotplug_work_fn+0x59/0x80\n ...\n\n The buggy address belongs to the object at ffff88800aad1000\n  which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 28 bytes inside of\n  freed 1024-byte region\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x100000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff\n head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n  ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n >ffff88800aad1000: fa fb\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43232"
        },
        {
          "id": "CVE-2026-43233",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_choice()\n\nIn decode_choice(), the boundary check before get_len() uses the\nvariable `len`, which is still 0 from its initialization at the top of\nthe function:\n\n    unsigned int type, ext, len = 0;\n    ...\n    if (ext || (son->attr & OPEN)) {\n        BYTE_ALIGN(bs);\n        if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */\n            return H323_ERROR_BOUND;\n        len = get_len(bs);                        /* OOB read */\n\nWhen the bitstream is exactly consumed (bs->cur == bs->end), the check\nnf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),\nwhich is false.  The subsequent get_len() call then dereferences\n*bs->cur++, reading 1 byte past the end of the buffer.  If that byte\nhas bit 7 set, get_len() reads a second byte as well.\n\nThis can be triggered remotely by sending a crafted Q.931 SETUP message\nwith a User-User Information Element containing exactly 2 bytes of\nPER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with\nthe nf_conntrack_h323 helper active.  The decoder fully consumes the\nPER buffer before reaching this code path, resulting in a 1-2 byte\nheap-buffer-overflow read confirmed by AddressSanitizer.\n\nFix this by checking for 2 bytes (the maximum that get_len() may read)\ninstead of the uninitialized `len`.  This matches the pattern used at\nevery other get_len() call site in the same file, where the caller\nchecks for 2 bytes of available data before calling get_len().",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43233"
        },
        {
          "id": "CVE-2026-43234",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: avoid NETDEV_CHANGEMTU event when unregistering slave\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3\n  ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at\n       __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]\n       netdev_hold include/linux/netdevice.h:4429 [inline]\n       inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286\n       inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]\n       netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886\n       netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907\n       dev_set_mtu+0x126/0x260 net/core/dev_api.c:248\n       team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333\n       team_del_slave drivers/net/team/team_core.c:1936 [inline]\n       team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929\n       notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\n       call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]\n       call_netdevice_notifiers net/core/dev.c:2295 [inline]\n       __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592\n       do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060\n       rtnl_changelink net/core/rtnetlink.c:3776 [inline]\n       __rtnl_newlink net/core/rtnetlink.c:3935 [inline]\n       rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072\n       rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n       netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n       netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n       netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n       netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n\nproblem. 
Ido Schimmel found steps to reproduce\n\n  ip link add name team1 type team\n  ip link add name dummy1 mtu 1499 master team1 type dummy\n  ip netns add ns1\n  ip link set dev dummy1 netns ns1\n  ip -n ns1 link del dev dummy1\n\nand also found that the same issue was fixed in the bond driver in\ncommit f51048c3e07b (\"bonding: avoid NETDEV_CHANGEMTU event when\nunregistering slave\").\n\nLet's do a similar thing for the team driver, with commit ad7c7b2172c3 (\"net:\nhold netdev instance lock during sysfs operations\") and commit 303a8487a657\n(\"net: s/__dev_set_mtu/__netif_set_mtu/\") also applied.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43234"
        },
        {
          "id": "CVE-2026-43235",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Add missing platform data entries for SM8750\n\nTwo platform-data fields for SM8750 were missed:\n\n  - get_vpu_buffer_size = iris_vpu33_buf_size\n    Without this, the driver fails to allocate the required internal\n    buffers, leading to basic decode/encode failures during session\n    bring-up.\n\n  - max_core_mbps = ((7680 * 4320) / 256) * 60\n    Without this capability exposed, capability checks are incomplete and\n    v4l2-compliance for encoder fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43235"
        },
        {
          "id": "CVE-2026-43236",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release\n\nThe atmel_hlcdc_plane_atomic_duplicate_state() callback was copying\nthe atmel_hlcdc_plane state structure without properly duplicating the\ndrm_plane_state. In particular, state->commit remained set to the old\nstate commit, which can lead to a use-after-free in the next\ndrm_atomic_commit() call.\n\nFix this by calling\n__drm_atomic_helper_duplicate_plane_state(), which correctly clones\nthe base drm_plane_state (including the ->commit pointer).\n\nIt has been seen when closing and re-opening the device node while\nanother DRM client (e.g. fbdev) is still attached:\n\n=============================================================================\nBUG kmalloc-64 (Not tainted): Poison overwritten\n-----------------------------------------------------------------------------\n\n0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b\nFIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b\nAllocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0\npid=29\n drm_atomic_helper_setup_commit+0x1e8/0x7bc\n drm_atomic_helper_commit+0x3c/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_framebuffer_remove+0x4cc/0x5a8\n drm_mode_rmfb_work_fn+0x6c/0x80\n process_one_work+0x12c/0x2cc\n worker_thread+0x2a8/0x400\n kthread+0xc0/0xdc\n ret_from_fork+0x14/0x28\nFreed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0\npid=169\n drm_atomic_helper_commit_hw_done+0x100/0x150\n drm_atomic_helper_commit_tail+0x64/0x8c\n commit_tail+0x168/0x18c\n drm_atomic_helper_commit+0x138/0x15c\n drm_atomic_commit+0xc0/0xf4\n drm_atomic_helper_set_config+0x84/0xb8\n drm_mode_setcrtc+0x32c/0x810\n drm_ioctl+0x20c/0x488\n sys_ioctl+0x14c/0xc20\n ret_fast_syscall+0x0/0x54\nSlab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0\nflags=0x200(workingset|zone=0)\nObject 0xc611b340 @offset=832 fp=0xc611b7c0",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43236"
        },
        {
          "id": "CVE-2026-43237",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4\n\nThis commit simplifies the amdgpu_gem_va_ioctl function, key updates\ninclude:\n - Moved the logic for managing the last update fence directly into\n   amdgpu_gem_va_update_vm.\n - Introduced checks for the timeline point to enable conditional\n   replacement or addition of fences.\n\nv2: Addressed review comments from Christian.\nv3: Updated comments (Christian).\nv4: The previous version selected the fence too early and did not manage its\n    reference correctly, which could lead to stale or freed fences being used.\n    This resulted in refcount underflows and could crash when updating GPU\n    timelines.\n    The fence is now chosen only after the VA mapping work is completed, and its\n    reference is taken safely. After exporting it to the VM timeline syncobj, the\n    driver always drops its local fence reference, ensuring balanced refcounting\n    and avoiding use-after-free on dma_fence.\n\n\tCrash signature:\n\t[  205.828135] refcount_t: underflow; use-after-free.\n\t[  205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\t...\n\t[  206.074014] Call Trace:\n\t[  206.076488]  <TASK>\n\t[  206.078608]  amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]\n\t[  206.084040]  ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[  206.089994]  drm_ioctl_kernel+0x86/0xe0 [drm]\n\t[  206.094415]  drm_ioctl+0x26e/0x520 [drm]\n\t[  206.098424]  ? 
__pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[  206.104402]  amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]\n\t[  206.109387]  __x64_sys_ioctl+0x96/0xe0\n\t[  206.113156]  do_syscall_64+0x66/0x2d0\n\t...\n\t[  206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90\n\t...\n\t[  206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[  206.553405] Call Trace:\n\t[  206.553409]  <IRQ>\n\t[  206.553415]  ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]\n\t[  206.553424]  dma_fence_signal+0x30/0x60\n\t[  206.553427]  drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]\n\t[  206.553434]  dma_fence_signal_timestamp_locked+0x6e/0xe0\n\t[  206.553437]  dma_fence_signal+0x30/0x60\n\t[  206.553441]  amdgpu_fence_process+0xd8/0x150 [amdgpu]\n\t[  206.553854]  sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]\n\t[  206.554353]  edac_mce_amd(E) ee1004(E)\n\t[  206.554270]  amdgpu_irq_dispatch+0x150/0x230 [amdgpu]\n\t[  206.554702]  amdgpu_ih_process+0x6a/0x180 [amdgpu]\n\t[  206.555101]  amdgpu_irq_handler+0x23/0x60 [amdgpu]\n\t[  206.555500]  __handle_irq_event_percpu+0x4a/0x1c0\n\t[  206.555506]  handle_irq_event+0x38/0x80\n\t[  206.555509]  handle_edge_irq+0x92/0x1e0\n\t[  206.555513]  __common_interrupt+0x3e/0xb0\n\t[  206.555519]  common_interrupt+0x80/0xa0\n\t[  206.555525]  </IRQ>\n\t[  206.555527]  <TASK>\n\t...\n\t[  206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[  206.555667] Kernel panic - not syncing: Fatal exception in interrupt",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43237"
        },
        {
          "id": "CVE-2026-43238",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()\n\nCommit 38a6f0865796 (\"net: sched: support hash selecting tx queue\")\nadded SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is\ncomputed as:\n\nmapping_mod = queue_mapping_max - queue_mapping + 1;\n\nThe range size can be 65536 when the requested range covers all possible\nu16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX).\nThat value cannot be represented in a u16 and previously wrapped to 0,\nso tcf_skbedit_hash() could trigger a divide-by-zero:\n\nqueue_mapping += skb_get_hash(skb) % params->mapping_mod;\n\nCompute mapping_mod in a wider type and reject ranges larger than U16_MAX\nto prevent params->mapping_mod from becoming 0 and avoid the crash.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43238"
        },
        {
          "id": "CVE-2026-43239",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: prevent races in ->query_interfaces()\n\nIt was possible for two query interface works to be concurrently trying\nto update the interfaces.\n\nPrevent this by checking and updating iface_last_update under\niface_lock.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43239"
        },
        {
          "id": "CVE-2026-43240",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: add a sanity check on previous kernel's ima kexec buffer\n\nWhen the second-stage kernel is booted via kexec with a limiting command\nline such as \"mem=<size>\", the physical range that contains the carried\nover IMA measurement list may fall outside the truncated RAM, leading to a\nkernel panic.\n\n    BUG: unable to handle page fault for address: ffff97793ff47000\n    RIP: ima_restore_measurement_list+0xdc/0x45a\n    #PF: error_code(0x0000) \u2013 not-present page\n\nOther architectures already validate the range with page_is_ram(), as done\nin commit cbf9c4b9617b (\"of: check previous kernel's ima-kexec-buffer\nagainst memory bounds\"); do a similar check on x86.\n\nWithout carrying the measurement list across kexec, the attestation\nwould fail.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43240"
        },
        {
          "id": "CVE-2026-43241",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access\n\nThe number of MW LUTs depends on the NTB configuration and can be set to MAX_MWS.\nThis patch protects against an invalid out-of-bounds index access to mw_sizes.\nWhen the access is invalid, print a message to the user that the configuration is not valid.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43241"
        },
        {
          "id": "CVE-2026-43242",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: k3-socinfo: Fix regmap leak on probe failure\n\nThe mmio regmap allocated during probe is never freed.\n\nSwitch to using the device managed allocator so that the regmap is\nreleased on probe failures (e.g. probe deferral) and on driver unbind.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43242"
        },
        {
          "id": "CVE-2026-43243",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add signal type check for dcn401 get_phyd32clk_src\n\nTrying to access link enc on a dpia link will cause a crash otherwise",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43243"
        },
        {
          "id": "CVE-2026-43244",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: fix zero-frag skb in frag_list on partial sendmsg error\n\nSyzkaller reported a warning in kcm_write_msgs() when processing a\nmessage with a zero-fragment skb in the frag_list.\n\nWhen kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,\nit allocates a new skb (tskb) and links it into the frag_list before\ncopying data. If the copy subsequently fails (e.g. -EFAULT from\nuser memory), tskb remains in the frag_list with zero fragments:\n\n  head skb (msg being assembled, NOT yet in sk_write_queue)\n  +-----------+\n  | frags[17] |  (MAX_SKB_FRAGS, all filled with data)\n  | frag_list-+--> tskb\n  +-----------+    +----------+\n                   | frags[0] |  (empty! copy failed before filling)\n                   +----------+\n\nFor SOCK_SEQPACKET with partial data already copied, the error path\nsaves this message via partial_message for later completion. For\nSOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a\nsubsequent zero-length write(fd, NULL, 0) completes the message and\nqueues it to sk_write_queue. kcm_write_msgs() then walks the\nfrag_list and hits:\n\n  WARN_ON(!skb_shinfo(skb)->nr_frags)\n\nTCP has a similar pattern where skbs are enqueued before data copy\nand cleaned up on failure via tcp_remove_empty_skb(). KCM was\nmissing the equivalent cleanup.\n\nFix this by tracking the predecessor skb (frag_prev) when allocating\na new frag_list entry. On error, if the tail skb has zero frags,\nuse frag_prev to unlink and free it in O(1) without walking the\nsingly-linked frag_list. 
frag_prev is safe to dereference because\nthe entire message chain is only held locally (or in kcm->seq_skb)\nand is not added to sk_write_queue until MSG_EOR, so the send path\ncannot free it underneath us.\n\nAlso change the WARN_ON to WARN_ON_ONCE to avoid flooding the log\nif the condition is somehow hit repeatedly.\n\nThere are currently no KCM selftests in the kernel tree; a simple\nreproducer is available at [1].\n\n[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43244"
        },
        {
          "id": "CVE-2026-43245",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: ->d_compare() must not block\n\n... so don't use __getname() there.  Switch it (and ntfs_d_hash(), while\nwe are at it) to kmalloc(PATH_MAX, GFP_NOWAIT).  Yes, ntfs_d_hash()\nalmost certainly can do with smaller allocations, but let ntfs folks\ndeal with that - keep the allocation size as-is for now.\n\nStop abusing names_cachep in ntfs, period - various uses of that thing\nin there have nothing to do with pathnames; just use k[mz]alloc() and\nbe done with that.  For now let's keep sizes as-is, but AFAICS none of\nthe users actually want PATH_MAX.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43245"
        },
        {
          "id": "CVE-2026-43246",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c/tw9906: Fix potential memory leak in tw9906_probe()\n\nIn one of the error paths in tw9906_probe(), the memory allocated in\nv4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that\nby calling v4l2_ctrl_handler_free() on the handler in that error path.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43246"
        },
        {
          "id": "CVE-2026-43247",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix SError of kernel panic when closed\n\nSError of kernel panic rarely happened while testing fluster.\nThe root cause was to enter suspend mode because timeout of autosuspend\ndelay happened.\n\n[   48.834439] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError\n[   48.834455] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7\n[   48.834461] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025\n[   48.834464] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   48.834468] pc : wave5_dec_clr_disp_flag+0x40/0x80 [wave5]\n[   48.834488] lr : wave5_dec_clr_disp_flag+0x40/0x80 [wave5]\n[   48.834495] sp : ffff8000856e3a30\n[   48.834497] x29: ffff8000856e3a30 x28: ffff0008093f6010 x27: ffff000809158130\n[   48.834504] x26: 0000000000000000 x25: ffff00080b625000 x24: ffff000804a9ba80\n[   48.834509] x23: ffff000802343028 x22: ffff000809158150 x21: ffff000802218000\n[   48.834513] x20: ffff0008093f6000 x19: ffff0008093f6000 x18: 0000000000000000\n[   48.834518] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff74009618\n[   48.834523] x14: 000000010000000c x13: 0000000000000000 x12: 0000000000000000\n[   48.834527] x11: ffffffffffffffff x10: ffffffffffffffff x9 : ffff000802343028\n[   48.834532] x8 : ffff00080b6252a0 x7 : 0000000000000038 x6 : 0000000000000000\n[   48.834536] x5 : ffff00080b625060 x4 : 0000000000000000 x3 : 0000000000000000\n[   48.834541] x2 : 0000000000000000 x1 : ffff800084bf0118 x0 : ffff800084bf0000\n[   48.834547] Kernel panic - not syncing: Asynchronous SError Interrupt\n[   48.834549] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7\n[   48.834554] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 
2025.01-00345-gbaf3aaa8ecfa 01/01/2025\n[   48.834556] Call trace:\n[   48.834559]  dump_backtrace+0x94/0xec\n[   48.834574]  show_stack+0x18/0x24\n[   48.834579]  dump_stack_lvl+0x38/0x90\n[   48.834585]  dump_stack+0x18/0x24\n[   48.834588]  panic+0x35c/0x3e0\n[   48.834592]  nmi_panic+0x40/0x8c\n[   48.834595]  arm64_serror_panic+0x64/0x70\n[   48.834598]  do_serror+0x3c/0x78\n[   48.834601]  el1h_64_error_handler+0x34/0x4c\n[   48.834605]  el1h_64_error+0x64/0x68\n[   48.834608]  wave5_dec_clr_disp_flag+0x40/0x80 [wave5]\n[   48.834615]  wave5_vpu_dec_clr_disp_flag+0x54/0x80 [wave5]\n[   48.834622]  wave5_vpu_dec_buf_queue+0x19c/0x1a0 [wave5]\n[   48.834628]  __enqueue_in_driver+0x3c/0x74 [videobuf2_common]\n[   48.834639]  vb2_core_qbuf+0x508/0x61c [videobuf2_common]\n[   48.834646]  vb2_qbuf+0xa4/0x168 [videobuf2_v4l2]\n[   48.834656]  v4l2_m2m_qbuf+0x80/0x238 [v4l2_mem2mem]\n[   48.834666]  v4l2_m2m_ioctl_qbuf+0x18/0x24 [v4l2_mem2mem]\n[   48.834673]  v4l_qbuf+0x48/0x5c [videodev]\n[   48.834704]  __video_do_ioctl+0x180/0x3f0 [videodev]\n[   48.834725]  video_usercopy+0x2ec/0x68c [videodev]\n[   48.834745]  video_ioctl2+0x18/0x24 [videodev]\n[   48.834766]  v4l2_ioctl+0x40/0x60 [videodev]\n[   48.834786]  __arm64_sys_ioctl+0xa8/0xec\n[   48.834793]  invoke_syscall+0x44/0x100\n[   48.834800]  el0_svc_common.constprop.0+0xc0/0xe0\n[   48.834804]  do_el0_svc+0x1c/0x28\n[   48.834809]  el0_svc+0x30/0xd0\n[   48.834813]  el0t_64_sync_handler+0xc0/0xc4\n[   48.834816]  el0t_64_sync+0x190/0x194\n[   48.834820] SMP: stopping secondary CPUs\n[   48.834831] Kernel Offset: disabled\n[   48.834833] CPU features: 0x08,00002002,80200000,4200421b\n[   48.834837] Memory Limit: none\n[   49.161404] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43247"
        },
        {
          "id": "CVE-2026-43248",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: move vdpa group bound check to vhost_vdpa\n\nRemove duplication by consolidating these here.  This reduces the\npossibility of a parent driver missing them.\n\nWhile we're at it, fix a bug in vdpa_sim where a valid ASID can be\nassigned to a group equal to ngroups, causing an out of bound write.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43248"
        },
        {
          "id": "CVE-2026-43249",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[   27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[   27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[   27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[   27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[   27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[   27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[   27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[   27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[   27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[   27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[   27.052404] FS:  0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[   27.052408] CS:  e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[   27.052418] Call Trace:\n[   27.052420]  <TASK>\n[   27.052422]  xen_9pfs_front_changed+0x5d5/0x720\n[   27.052426]  ? xenbus_otherend_changed+0x72/0x140\n[   27.052430]  ? 
__pfx_xenwatch_thread+0x10/0x10\n[   27.052434]  xenwatch_thread+0x94/0x1c0\n[   27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10\n[   27.052442]  kthread+0xf8/0x240\n[   27.052445]  ? __pfx_kthread+0x10/0x10\n[   27.052449]  ? __pfx_kthread+0x10/0x10\n[   27.052452]  ret_from_fork+0x16b/0x1a0\n[   27.052456]  ? __pfx_kthread+0x10/0x10\n[   27.052459]  ret_from_fork_asm+0x1a/0x30\n[   27.052463]  </TASK>\n[   27.052465] Modules linked in:\n[   27.052471] ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43249"
        },
        {
          "id": "CVE-2026-43250",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted).",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43250"
        },
        {
          "id": "CVE-2026-43251",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: prodikeys: Check presence of pm->input_ep82\n\nFake USB devices can send their own report descriptors for which the\ninput_mapping() hook does not get called.  In this case, pm->input_ep82 stays\nNULL, which leads to a crash later.\n\nThis does not happen with the real device, but can be provoked by posing as\none.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43251"
        },
        {
          "id": "CVE-2026-43252",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always set ID as avail when rm endp\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n  WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535\n  WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535\n  WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535\n  WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary)\n  Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline]\n  RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline]\n  RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538\n  Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89\n  RSP: 0018:ffffc9001535b820 EFLAGS: 00010287\n  netdevsim0: tun_chr_ioctl cmd 1074025677\n  RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000\n  RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7\n  netdevsim0: linktype set to 823\n  RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff\n  R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000\n  R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800\n  FS:  00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000\n  netlink: 'syz.3.50': attribute type 5 has an invalid length.\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'.\n  CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline]\n   mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282\n   genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n   netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n   __sock_sendmsg+0xc9/0xf0 net/socket.c:733\n   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608\n   ___sys_sendmsg+0x2de/0x320 net/socket.c:2662\n   __sys_sendmsg net/socket.c:2694 [inline]\n   __do_sys_sendmsg net/socket.c:2699 [inline]\n   __se_sys_sendmsg net/socket.c:2697 [inline]\n   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fc6adb66f6d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d\n  RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e\n  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43252"
        },
        {
          "id": "CVE-2026-43253",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: move wait_on_sem() out of spinlock\n\nWith iommu.strict=1, the existing completion wait path can cause soft\nlockups under stressed environment, as wait_on_sem() busy-waits under the\nspinlock with interrupts disabled.\n\nMove the completion wait in iommu_completion_wait() out of the spinlock.\nwait_on_sem() only polls the hardware-updated cmd_sem and does not require\niommu->lock, so holding the lock during the busy wait unnecessarily\nincreases contention and extends the time with interrupts disabled.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43253"
        },
        {
          "id": "CVE-2026-43254",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\novpn: tcp - fix packet extraction from stream\n\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\nThe current implementation has two bugs:\n\n1. Header offset overflow: Using pskb_pull with large offsets on\n   coalesced skbs causes skb->data - skb->head to exceed the u16 storage\n   of skb->network_header. This causes skb_reset_network_header to fail\n   on the inner decapsulated packet, resulting in packet drops.\n\n2. Unaligned protocol headers: Extracting packets from arbitrary\n   positions within the coalesced TCP stream provides no alignment\n   guarantees for the packet data causing performance penalties on\n   architectures without efficient unaligned access. Additionally,\n   openvpn's 2-byte length prefix on TCP packets causes the subsequent\n   4-byte opcode and packet ID fields to be inherently misaligned.\n\nFix both issues by allocating a new skb for each openvpn packet and\nusing skb_copy_bits to extract only the packet content into the new\nbuffer, skipping the 2-byte length prefix. Also, check the length before\ninvoking the function that performs the allocation to avoid creating an\ninvalid skb.\n\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\npushed to the head safely, without misalignment.\n\nAs a side effect, this approach also avoids the expensive linearization\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\nthis resulted in TCP throughput improvements of up to 74%.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43254"
        },
        {
          "id": "CVE-2026-43255",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix WARNING in usb_tx_block\n\nThe function usb_tx_block() submits cardp->tx_urb without ensuring that\nany previous transmission on this URB has completed. If a second call\noccurs while the URB is still active (e.g. during rapid firmware loading),\nusb_submit_urb() detects the active state and triggers a warning:\n'URB submitted while active'.\n\nFix this by enforcing serialization: call usb_kill_urb() before\nsubmitting the new request. This ensures the URB is idle and safe to reuse.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43255"
        },
        {
          "id": "CVE-2026-43256",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()\n\nvfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop\nbound and passes the index to vfe_isr_reg_update(). However,\nvfe->line[] array is defined with VFE_LINE_NUM_MAX(4):\n\n    struct vfe_line line[VFE_LINE_NUM_MAX];\n\nWhen index is 4, 5, 6, the access to vfe->line[line_id] exceeds\nthe array bounds and resulting in out-of-bounds memory access.\n\nFix this by using separate loops for output lines and write masters.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43256"
        },
        {
          "id": "CVE-2026-43257",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Add missing unmap in snd_cx88_hw_params()\n\nIn error path, add cx88_alsa_dma_unmap() to release\nresource acquired by cx88_alsa_dma_map().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43257"
        },
        {
          "id": "CVE-2026-43258",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nalpha: fix user-space corruption during memory compaction\n\nAlpha systems can suffer sporadic user-space crashes and heap\ncorruption when memory compaction is enabled.\n\nSymptoms include SIGSEGV, glibc allocator failures (e.g. \"unaligned\ntcache chunk\"), and compiler internal errors. The failures disappear\nwhen compaction is disabled or when using global TLB invalidation.\n\nThe root cause is insufficient TLB shootdown during page migration.\nAlpha relies on ASN-based MM context rollover for instruction cache\ncoherency, but this alone is not sufficient to prevent stale data or\ninstruction translations from surviving migration.\n\nFix this by introducing a migration-specific helper that combines:\n  - MM context invalidation (ASN rollover),\n  - immediate per-CPU TLB invalidation (TBI),\n  - synchronous cross-CPU shootdown when required.\n\nThe helper is used only by migration/compaction paths to avoid changing\nglobal TLB semantics.\n\nAdditionally, update flush_tlb_other(), pte_clear(), to use\nREAD_ONCE()/WRITE_ONCE() for correct SMP memory ordering.\n\nThis fixes observed crashes on both UP and SMP Alpha systems.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43258"
        },
        {
          "id": "CVE-2026-43259",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: fsl-imx8mq-usb: set platform driver data\n\nAdd missing platform_set_drvdata() as the data will be used in remove().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43259"
        },
        {
          "id": "CVE-2026-43260",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RSS context delete logic\n\nWe need to free the corresponding RSS context VNIC\nin FW everytime an RSS context is deleted in driver.\nCommit 667ac333dbb7 added a check to delete the VNIC\nin FW only when netif_running() is true to help delete\nRSS contexts with interface down.\n\nHaving that condition will make the driver leak VNICs\nin FW whenever close() happens with active RSS contexts.\nOn the subsequent open(), as part of RSS context restoration,\nwe will end up trying to create extra VNICs for which we\ndid not make any reservation. FW can fail this request,\nthereby making us lose active RSS contexts.\n\nSuppose an RSS context is deleted already and we try to\nprocess a delete request again, then the HWRM functions\nwill check for validity of the request and they simply\nreturn if the resource is already freed. So, even for\ndelete-when-down cases, netif_running() check is not\nnecessary.\n\nRemove the netif_running() condition check when deleting\nan RSS context.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43260"
        },
        {
          "id": "CVE-2026-43261",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Add support for TSV110 Spectre-BHB mitigation\n\nThe TSV110 processor is vulnerable to the Spectre-BHB (Branch History\nBuffer) attack, which can be exploited to leak information through\nbranch prediction side channels. This commit adds the MIDR of TSV110\nto the list for software mitigation.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43261"
        },
        {
          "id": "CVE-2026-43262",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fiemap page fault fix\n\nIn gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode\nglock.  This can lead to recursive glock taking if the fiemap buffer is\nmemory mapped to the same inode and accessing it triggers a page fault.\n\nFix by disabling page faults for iomap_fiemap() and faulting in the\nbuffer by hand if necessary.\n\nFixes xfstest generic/742.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43262"
        },
        {
          "id": "CVE-2026-43263",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix Null reference while testing fluster\n\nWhen multi instances are created/destroyed, many interrupts happens\nand structures for decoder are removed.\n\"struct vpu_instance\" this structure is shared for all flow in the decoder,\nso if the structure is not protected by lock, Null dereference\ncould happens sometimes.\nIRQ Handler was spilt to two phases and Lock was added as well.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43263"
        },
        {
          "id": "CVE-2026-43264",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: of: display_timing: fix refcount leak in of_get_display_timings()\n\nof_parse_phandle() returns a device_node with refcount incremented,\nwhich is stored in 'entry' and then copied to 'native_mode'. When the\nerror paths at lines 184 or 192 jump to 'entryfail', native_mode's\nrefcount is not decremented, causing a refcount leak.\n\nFix this by changing the goto target from 'entryfail' to 'timingfail',\nwhich properly calls of_node_put(native_mode) before cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43264"
        },
        {
          "id": "CVE-2026-43265",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()\n\nIgnore -EBUSY when checking nested events after exiting a blocking state\nwhile L2 is active, as exiting to userspace will generate a spurious\nuserspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's\ndemise.  Continuing with the wakeup isn't perfect either, as *something*\nhas gone sideways if a vCPU is awakened in L2 with an injected event (or\nworse, a nested run pending), but continuing on gives the VM a decent\nchance of surviving without any major side effects.\n\nAs explained in the Fixes commits, it _should_ be impossible for a vCPU to\nbe put into a blocking state with an already-injected event (exception,\nIRQ, or NMI).  Unfortunately, userspace can stuff MP_STATE and/or injected\nevents, and thus put the vCPU into what should be an impossible state.\n\nDon't bother trying to preserve the WARN, e.g. with an anti-syzkaller\nKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be\nviolating x86 architecture, e.g. by WARNing if KVM attempts to inject an\nexception or interrupt while the vCPU isn't running.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43265"
        },
        {
          "id": "CVE-2026-43266",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nEFI/CPER: don't go past the ARM processor CPER record buffer\n\nThere's a logic inside GHES/CPER to detect if the section_length\nis too small, but it doesn't detect if it is too big.\n\nCurrently, if the firmware receives an ARM processor CPER record\nstating that a section length is big, kernel will blindly trust\nsection_length, producing a very long dump. For instance, a 67\nbytes record with ERR_INFO_NUM set 46198 and section length\nset to 854918320 would dump a lot of data going a way past the\nfirmware memory-mapped area.\n\nFix it by adding a logic to prevent it to go past the buffer\nif ERR_INFO_NUM is too big, making it report instead:\n\n\t[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1\n\t[Hardware Error]: event severity: recoverable\n\t[Hardware Error]:  Error 0, type: recoverable\n\t[Hardware Error]:   section_type: ARM processor error\n\t[Hardware Error]:   MIDR: 0xff304b2f8476870a\n\t[Hardware Error]:   section length: 854918320, CPER size: 67\n\t[Hardware Error]:   section length is too big\n\t[Hardware Error]:   firmware-generated error record is incorrect\n\t[Hardware Error]:   ERR_INFO_NUM is 46198\n\n[ rjw: Subject and changelog tweaks ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43266"
        },
        {
          "id": "CVE-2026-43267",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential zero beacon interval in beacon tracking\n\nDuring fuzz testing, it was discovered that bss_conf->beacon_int\nmight be zero, which could result in a division by zero error in\nsubsequent calculations. Set a default value of 100 TU if the\ninterval is zero to ensure stability.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43267"
        },
        {
          "id": "CVE-2026-43268",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: pretend special inodes as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43268"
        },
        {
          "id": "CVE-2026-43269",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback\n\nAfter several commits, the slab memory increases. Some drm_crtc_commit\nobjects are not freed. The atomic_destroy_state callback only put the\nframebuffer. Use the __drm_atomic_helper_plane_destroy_state() function\nto put all the objects that are no longer needed.\n\nIt has been seen after hours of usage of a graphics application or using\nkmemleak:\n\nunreferenced object 0xc63a6580 (size 64):\n  comm \"egt_basic\", pid 171, jiffies 4294940784\n  hex dump (first 32 bytes):\n    40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6  @P4..........e:.\n    8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6  .e:......e:..e:.\n  backtrace (crc c25aa925):\n    kmemleak_alloc+0x34/0x3c\n    __kmalloc_cache_noprof+0x150/0x1a4\n    drm_atomic_helper_setup_commit+0x1e8/0x7bc\n    drm_atomic_helper_commit+0x3c/0x15c\n    drm_atomic_commit+0xc0/0xf4\n    drm_atomic_helper_set_config+0x84/0xb8\n    drm_mode_setcrtc+0x32c/0x810\n    drm_ioctl+0x20c/0x488\n    sys_ioctl+0x14c/0xc20\n    ret_fast_syscall+0x0/0x54",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43269"
        },
        {
          "id": "CVE-2026-43270",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()\n\nIn mtk_mdp_probe(), vpu_get_plat_device() increases the reference\ncount of the returned platform device. Add platform_device_put()\nto prevent reference leak.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43270"
        },
        {
          "id": "CVE-2026-43271",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the 'thread'\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops->join().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev->thread (the main MD thread) is not initialized until\n   later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev->thread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the 'thread' pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43271"
        },
        {
          "id": "CVE-2026-43272",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix possible dereference of uninitialized pointer\n\nThere is a pointer head_page in rb_meta_validate_events() which is not\ninitialized at the beginning of a function. This pointer can be dereferenced\nif there is a failure during reader page validation. In this case the control\nis passed to \"invalid\" label where the pointer is dereferenced in a loop.\n\nTo fix the issue initialize orig_head and head_page before calling\nrb_validate_buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43272"
        },
        {
          "id": "CVE-2026-43273",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: supply snapshot context in ceph_zero_partial_object()\n\nThe ceph_zero_partial_object function was missing proper snapshot\ncontext for its OSD write operations, which could lead to data\ninconsistencies in snapshots.\n\nReproducer:\n../src/vstart.sh --new -x --localhost --bluestore\n./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a'\nmount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf\ndd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1\nmkdir /mnt/mycephfs/.snap/snap1\nmd5sum /mnt/mycephfs/.snap/snap1/foo\nfallocate -p -o 0 -l 4096 /mnt/mycephfs/foo\necho 3 > /proc/sys/vm/drop/caches\nmd5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43273"
        },
        {
          "id": "CVE-2026-43274",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()\n\nThe cluster_cfg array is dynamically allocated to hold per-CPU\nconfiguration structures, with its size based on the number of online\nCPUs. Previously, this array was indexed using hartid, which may be\nnon-contiguous or exceed the bounds of the array, leading to\nout-of-bounds access.\nSwitch to using cpuid as the index, as it is guaranteed to be within\nthe valid range provided by for_each_online_cpu().",
          "scorev2": "0.0",
          "scorev3": "8.4",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43274"
        },
        {
          "id": "CVE-2026-43275",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Flush exception handling work when RPM level is zero\n\nEnsure that the exception event handling work is explicitly flushed during\nsuspend when the runtime power management level is set to UFS_PM_LVL_0.\n\nWhen the RPM level is zero, the device power mode and link state both\nremain active. Previously, the UFS core driver bypassed flushing exception\nevent handling jobs in this configuration. This created a race condition\nwhere the driver could attempt to access the host controller to handle an\nexception after the system had already entered a deep power-down state,\nresulting in a system crash.\n\nExplicitly flush this work and disable auto BKOPs before the suspend\ncallback proceeds. This guarantees that pending exception tasks complete\nand prevents illegal hardware access during the power-down sequence.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43275"
        },
        {
          "id": "CVE-2026-43276",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix double destroy_workqueue on service rescan PCI path\n\nWhile testing corner cases in the driver, a use-after-free crash\nwas found on the service rescan PCI path.\n\nWhen mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()\ndestroys gc->service_wq. If the subsequent mana_gd_resume() fails\nwith -ETIMEDOUT or -EPROTO, the code falls through to\nmana_serv_rescan() which triggers pci_stop_and_remove_bus_device().\nThis invokes the PCI .remove callback (mana_gd_remove), which calls\nmana_gd_cleanup() a second time, attempting to destroy the already-\nfreed workqueue. Fix this by NULL-checking gc->service_wq in\nmana_gd_cleanup() and setting it to NULL after destruction.\n\nCall stack of issue for reference:\n[Sat Feb 21 18:53:48 2026] Call Trace:\n[Sat Feb 21 18:53:48 2026]  <TASK>\n[Sat Feb 21 18:53:48 2026]  mana_gd_cleanup+0x33/0x70 [mana]\n[Sat Feb 21 18:53:48 2026]  mana_gd_remove+0x3a/0xc0 [mana]\n[Sat Feb 21 18:53:48 2026]  pci_device_remove+0x41/0xb0\n[Sat Feb 21 18:53:48 2026]  device_remove+0x46/0x70\n[Sat Feb 21 18:53:48 2026]  device_release_driver_internal+0x1e3/0x250\n[Sat Feb 21 18:53:48 2026]  device_release_driver+0x12/0x20\n[Sat Feb 21 18:53:48 2026]  pci_stop_bus_device+0x6a/0x90\n[Sat Feb 21 18:53:48 2026]  pci_stop_and_remove_bus_device+0x13/0x30\n[Sat Feb 21 18:53:48 2026]  mana_do_service+0x180/0x290 [mana]\n[Sat Feb 21 18:53:48 2026]  mana_serv_func+0x24/0x50 [mana]\n[Sat Feb 21 18:53:48 2026]  process_one_work+0x190/0x3d0\n[Sat Feb 21 18:53:48 2026]  worker_thread+0x16e/0x2e0\n[Sat Feb 21 18:53:48 2026]  kthread+0xf7/0x130\n[Sat Feb 21 18:53:48 2026]  ? __pfx_worker_thread+0x10/0x10\n[Sat Feb 21 18:53:48 2026]  ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026]  ret_from_fork+0x269/0x350\n[Sat Feb 21 18:53:48 2026]  ? __pfx_kthread+0x10/0x10\n[Sat Feb 21 18:53:48 2026]  ret_from_fork_asm+0x1a/0x30\n[Sat Feb 21 18:53:48 2026]  </TASK>",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43276"
        },
        {
          "id": "CVE-2026-43277",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nAPEI/GHES: ensure that won't go past CPER allocated record\n\nThe logic at ghes_new() prevents allocating too large records, by\nchecking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).\nYet, the allocation is done with the actual number of pages from the\nCPER bios table location, which can be smaller.\n\nYet, a bad firmware could send data with a different size, which might\nbe bigger than the allocated memory, causing an OOPS:\n\n    Unable to handle kernel paging request at virtual address fff00000f9b40000\n    Mem abort info:\n      ESR = 0x0000000096000007\n      EC = 0x25: DABT (current EL), IL = 32 bits\n      SET = 0, FnV = 0\n      EA = 0, S1PTW = 0\n      FSC = 0x07: level 3 translation fault\n    Data abort info:\n      ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n      CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000\n    [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000\n    Internal error: Oops: 0000000096000007 [#1]  SMP\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT\n    Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\n    Workqueue: kacpi_notify acpi_os_execute_deferred\n    pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    pc : hex_dump_to_buffer+0x30c/0x4a0\n    lr : hex_dump_to_buffer+0x328/0x4a0\n    sp : ffff800080e13880\n    x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083\n    x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004\n    x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083\n    x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010\n    x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020\n    x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008\n    x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020\n    x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000\n    x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008\n    Call trace:\n     hex_dump_to_buffer+0x30c/0x4a0 (P)\n     print_hex_dump+0xac/0x170\n     cper_estatus_print_section+0x90c/0x968\n     cper_estatus_print+0xf0/0x158\n     __ghes_print_estatus+0xa0/0x148\n     ghes_proc+0x1bc/0x220\n     ghes_notify_hed+0x5c/0xb8\n     notifier_call_chain+0x78/0x148\n     blocking_notifier_call_chain+0x4c/0x80\n     acpi_hed_notify+0x28/0x40\n     acpi_ev_notify_dispatch+0x50/0x80\n     acpi_os_execute_deferred+0x24/0x48\n     process_one_work+0x15c/0x3b0\n     worker_thread+0x2d0/0x400\n     kthread+0x148/0x228\n     ret_from_fork+0x10/0x20\n    Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)\n    ---[ end trace 0000000000000000 ]---\n\nPrevent that by taking the actual allocated are into account when\nchecking for CPER length.\n\n[ rjw: Subject tweaks ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43277"
        },
        {
          "id": "CVE-2026-43278",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: clear cloned request bio pointer when last clone bio completes\n\nStale rq->bio values have been observed to cause double-initialization of\ncloned bios in request-based device-mapper targets, leading to\nuse-after-free and double-free scenarios.\n\nOne such case occurs when using dm-multipath on top of a PCIe NVMe\nnamespace, where cloned request bios are freed during\nblk_complete_request(), but rq->bio is left intact. Subsequent clone\nteardown then attempts to free the same bios again via\nblk_rq_unprep_clone().\n\nThe resulting double-free path looks like:\n\n  nvme_pci_complete_batch()\n    nvme_complete_batch()\n      blk_mq_end_request_batch()\n        blk_complete_request()        // called on a DM clone request\n          bio_endio()                 // first free of all clone bios\n          ...\n        rq->end_io()                  // end_clone_request()\n          dm_complete_request(tio->orig)\n            dm_softirq_done()\n              dm_done()\n                dm_end_request()\n                  blk_rq_unprep_clone()  // second free of clone bios\n\nFix this by clearing the clone request's bio pointer when the last cloned\nbio completes, ensuring that later teardown paths do not attempt to free\nalready-released bios.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43278"
        },
        {
          "id": "CVE-2026-43279",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Add sanity check for OOB writes at silencing\n\nAt silencing the playback URB packets in the implicit fb mode before\nthe actual playback, we blindly assume that the received packets fit\nwith the buffer size.  But when the setup in the capture stream\ndiffers from the playback stream (e.g. due to the USB core limitation\nof max packet size), such an inconsistency may lead to OOB writes to\nthe buffer, resulting in a crash.\n\nFor addressing it, add a sanity check of the transfer buffer size at\nprepare_silent_urb(), and stop the data copy if the received data\noverflows.  Also, report back the transfer error properly from there,\ntoo.\n\nNote that this doesn't fix the root cause of the playback error\nitself, but this merely covers the kernel Oops.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43279"
        },
        {
          "id": "CVE-2026-43280",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise\n\nWhen user provides a bogus pat_index value through the madvise IOCTL, the\nxe_pat_index_get_coh_mode() function performs an array access without\nvalidating bounds. This allows a malicious user to trigger an out-of-bounds\nkernel read from the xe->pat.table array.\n\nThe vulnerability exists because the validation in madvise_args_are_sane()\ndirectly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without\nfirst checking if pat_index is within [0, xe->pat.n_entries).\n\nAlthough xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug\nbuilds, it still performs the unsafe array access in production kernels.\n\nv2(Matthew Auld)\n- Using array_index_nospec() to mitigate spectre attacks when the value\nis used\n\nv3(Matthew Auld)\n- Put the declarations at the start of the block\n\n(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43280"
        },
        {
          "id": "CVE-2026-43281",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()\n\nAlthough it is guided that `#mbox-cells` must be at least 1, there are\nmany instances of `#mbox-cells = <0>;` in the device tree. If that is\nthe case and the corresponding mailbox controller does not provide\n`fw_xlate` and `of_xlate` function pointers, `fw_mbox_index_xlate()` will\nbe used by default and out-of-bounds accesses could occur due to lack of\nbounds check in that function.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43281"
        },
        {
          "id": "CVE-2026-43282",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port\n\nThe function ionic_query_port() calls ib_device_get_netdev() without\nchecking the return value, which could lead to a NULL pointer dereference.\nFix it by checking the return value and returning -ENODEV if the 'ndev' is\nNULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43282"
        },
        {
          "id": "CVE-2026-43283",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ec_bhf: Fix dma_free_coherent() dma handle\n\ndma_free_coherent() in error path takes priv->rx_buf.alloc_len as\nthe dma handle. This would lead to improper unmapping of the buffer.\n\nChange the dma handle to priv->rx_buf.alloc_phys.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43283"
        },
        {
          "id": "CVE-2026-43284",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb->data_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data().",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43284"
        },
        {
          "id": "CVE-2026-43285",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab: do not access current->mems_allowed_seq if !allow_spin\n\nLockdep complains when get_from_any_partial() is called in an NMI\ncontext, because current->mems_allowed_seq is seqcount_spinlock_t and\nnot NMI-safe:\n\n  ================================\n  WARNING: inconsistent lock state\n  6.19.0-rc5-kfree-rcu+ #315 Tainted: G                 N\n  --------------------------------\n  inconsistent {INITIAL USE} -> {IN-NMI} usage.\n  kunit_try_catch/9989 [HC1[1]:SC0[0]:HE0:SE1] takes:\n  ffff889085799820 (&____s->seqcount#3){.-.-}-{0:0}, at: ___slab_alloc+0x58f/0xc00\n  {INITIAL USE} state was registered at:\n    lock_acquire+0x185/0x320\n    kernel_init_freeable+0x391/0x1150\n    kernel_init+0x1f/0x220\n    ret_from_fork+0x736/0x8f0\n    ret_from_fork_asm+0x1a/0x30\n  irq event stamp: 56\n  hardirqs last  enabled at (55): [<ffffffff850a68d7>] _raw_spin_unlock_irq+0x27/0x70\n  hardirqs last disabled at (56): [<ffffffff850858ca>] __schedule+0x2a8a/0x6630\n  softirqs last  enabled at (0): [<ffffffff81536711>] copy_process+0x1dc1/0x6a10\n  softirqs last disabled at (0): [<0000000000000000>] 0x0\n\n  other info that might help us debug this:\n   Possible unsafe locking scenario:\n\n         CPU0\n         ----\n    lock(&____s->seqcount#3);\n    <Interrupt>\n      lock(&____s->seqcount#3);\n\n   *** DEADLOCK ***\n\nAccording to Documentation/locking/seqlock.rst, seqcount_t is not\nNMI-safe and seqcount_latch_t should be used when read path can interrupt\nthe write-side critical section. In this case, do not access\ncurrent->mems_allowed_seq and avoid retry.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43285"
        },
        {
          "id": "CVE-2026-43286",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate->resv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool's reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool->used_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool's reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool->used_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool's used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43286"
        },
        {
          "id": "CVE-2026-43287",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Account property blob allocations to memcg\n\nDRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized\nproperty blobs backed by kernel memory.\n\nCurrently, the blob data allocation is not accounted to the allocating\nprocess's memory cgroup, allowing unprivileged users to trigger unbounded\nkernel memory consumption and potentially cause system-wide OOM.\n\nMark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory\nis properly charged to the caller's memcg. This ensures existing cgroup\nmemory limits apply and prevents uncontrolled kernel memory growth without\nintroducing additional policy or per-file limits.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43287"
        },
        {
          "id": "CVE-2026-43288",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: move ext4_percpu_param_init() before ext4_mb_init()\n\nWhen running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the\n`DOUBLE_CHECK` macro defined, the following panic is triggered:\n\n==================================================================\nEXT4-fs error (device vdc): ext4_validate_block_bitmap:423:\n                        comm mount: bg 0: bad block bitmap checksum\nBUG: unable to handle page fault for address: ff110000fa2cc000\nPGD 3e01067 P4D 3e02067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W\n                        6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none)\nRIP: 0010:percpu_counter_add_batch+0x13/0xa0\nCall Trace:\n <TASK>\n ext4_mark_group_bitmap_corrupted+0xcb/0xe0\n ext4_validate_block_bitmap+0x2a1/0x2f0\n ext4_read_block_bitmap+0x33/0x50\n mb_group_bb_bitmap_alloc+0x33/0x80\n ext4_mb_add_groupinfo+0x190/0x250\n ext4_mb_init_backend+0x87/0x290\n ext4_mb_init+0x456/0x640\n __ext4_fill_super+0x1072/0x1680\n ext4_fill_super+0xd3/0x280\n get_tree_bdev_flags+0x132/0x1d0\n vfs_get_tree+0x29/0xd0\n vfs_cmd_create+0x59/0xe0\n __do_sys_fsconfig+0x4f6/0x6b0\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nThis issue can be reproduced using the following commands:\n        mkfs.ext4 -F -q -b 1024 /dev/sda 5G\n        tune2fs -O quota,project /dev/sda\n        mount /dev/sda /tmp/test\n\nWith DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads\nand validates the block bitmap. When the validation fails,\next4_mark_group_bitmap_corrupted() attempts to update\nsbi->s_freeclusters_counter. However, this percpu_counter has not been\ninitialized yet at this point, which leads to the panic described above.\n\nFix this by moving the execution of ext4_percpu_param_init() to occur\nbefore ext4_mb_init(), ensuring the per-CPU counters are initialized\nbefore they are used.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43288"
        },
        {
          "id": "CVE-2026-43289",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkexec: derive purgatory entry from symbol\n\nkexec_load_purgatory() derives image->start by locating e_entry inside an\nSHF_EXECINSTR section.  If the purgatory object contains multiple\nexecutable sections with overlapping sh_addr, the entrypoint check can\nmatch more than once and trigger a WARN.\n\nDerive the entry section from the purgatory_start symbol when present and\ncompute image->start from its final placement.  Keep the existing e_entry\nfallback for purgatories that do not expose the symbol.\n\nWARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784\nCall Trace:\n <TASK>\n bzImage64_load+0x133/0xa00\n __do_sys_kexec_file_load+0x2b3/0x5c0\n do_syscall_64+0x81/0x610\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[me@linux.beauty: move helper to avoid forward declaration, per Baoquan]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43289"
        },
        {
          "id": "CVE-2026-43290",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Return queued buffers on start_streaming() failure\n\nReturn buffers if streaming fails to start due to uvc_pm_get() error.\n\nThis bug may be responsible for a warning I got running\n\n    while :; do yavta -c3 /dev/video0; done\n\non an xHCI controller which failed under this workload.\nI had no luck reproducing this warning again to confirm.\n\nxhci_hcd 0000:09:00.0: HC died; cleaning up\nusb 13-2: USB disconnect, device number 2\nWARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43290"
        },
        {
          "id": "CVE-2026-43291",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: nci: Fix parameter validation for packet data\n\nSince commit 9c328f54741b (\"net: nfc: nci: Add parameter validation for\npacket data\") communication with nci nfc chips is not working any more.\n\nThe mentioned commit tries to fix access of uninitialized data, but\nfailed to understand that in some cases the data packet is of variable\nlength and can therefore not be compared to the maximum packet length\ngiven by the sizeof(struct).",
          "scorev2": "0.0",
          "scorev3": "8.3",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43291"
        },
        {
          "id": "CVE-2026-43292",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node\n\nWhen CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during\nvmalloc cleanup triggers expensive stack unwinding that acquires RCU read\nlocks.  Processing a large purge_list without rescheduling can cause the\ntask to hold CPU for extended periods (10+ seconds), leading to RCU stalls\nand potential OOM conditions.\n\nThe issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node()\nwhere iterating through hundreds or thousands of vmap_area entries and\nfreeing their associated shadow pages causes:\n\n  rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n  rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l\n  ...\n  task:kworker/0:17 state:R running task stack:28840 pid:6229\n  ...\n  kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299\n  purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299\n\nEach call to kasan_release_vmalloc() can free many pages, and with\npage_owner tracking, each free triggers save_stack() which performs stack\nunwinding under RCU read lock.  Without yielding, this creates an\nunbounded RCU critical section.\n\nAdd periodic cond_resched() calls within the loop to allow:\n- RCU grace periods to complete\n- Other tasks to run\n- Scheduler to preempt when needed\n\nThe fix uses need_resched() for immediate response under load, with a\nbatch count of 32 as a guaranteed upper bound to prevent worst-case stalls\neven under light load.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43292"
        },
        {
          "id": "CVE-2026-43293",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix kthread worker destruction in polling mode\n\nFix the cleanup order in polling mode (irq < 0) to prevent kernel warnings\nduring module removal. Cancel the hrtimer before destroying the kthread\nworker to ensure work queues are empty.\n\nIn polling mode, the driver uses hrtimer to periodically trigger\nwave5_vpu_timer_callback() which queues work via kthread_queue_work().\nThe kthread_destroy_worker() function validates that both work queues\nare empty with WARN_ON(!list_empty(&worker->work_list)) and\nWARN_ON(!list_empty(&worker->delayed_work_list)).\n\nThe original code called kthread_destroy_worker() before hrtimer_cancel(),\ncreating a race condition where the timer could fire during worker\ndestruction and queue new work, triggering the WARN_ON.\n\nThis causes the following warning on every module unload in polling mode:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430\n    kthread_destroy_worker+0x84/0x98\n  Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ...\n  Call trace:\n   kthread_destroy_worker+0x84/0x98\n   wave5_vpu_remove+0xc8/0xe0 [wave5]\n   platform_remove+0x30/0x58\n  ...\n  ---[ end trace 0000000000000000 ]---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43293"
        },
        {
          "id": "CVE-2026-43294",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels\n\nSince commit 56de5e305d4b (\"clk: renesas: r9a07g044: Add MSTOP for RZ/G2L\")\nwe may get the following kernel panic, for some panels, when rebooting:\n\n  systemd-shutdown[1]: Rebooting.\n  Call trace:\n   ...\n   do_serror+0x28/0x68\n   el1h_64_error_handler+0x34/0x50\n   el1h_64_error+0x6c/0x70\n   rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P)\n   mipi_dsi_device_transfer+0x44/0x58\n   mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4\n   ili9881c_unprepare+0x38/0x88\n   drm_panel_unprepare+0xbc/0x108\n\nThis happens for panels that need to send MIPI-DSI commands in their\nunprepare() callback. Since the MIPI-DSI interface is stopped at that\npoint, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic.\n\nFix by moving rzg2l_mipi_dsi_stop() to new callback function\nrzg2l_mipi_dsi_atomic_post_disable().\n\nWith this change we now have the correct power-down/stop sequence:\n\n  systemd-shutdown[1]: Rebooting.\n  rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry\n  ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry\n  rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry\n  reboot: Restarting system",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43294"
        },
        {
          "id": "CVE-2026-43295",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()\n\nWhen idtab allocation fails, net is not registered with rio_add_net() yet,\nso kfree(net) is sufficient to release the memory.  Set mport->net to NULL\nto avoid a dangling pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43295"
        },
        {
          "id": "CVE-2026-43296",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Workaround SQM/PSE stalls by disabling sticky\n\nNIX SQ manager sticky mode is known to cause stalls when multiple SQs\nshare an SMQ and transmit concurrently. Additionally, PSE may deadlock\non transitions between sticky and non-sticky transmissions. There is\nalso a credit drop issue observed when certain condition clocks are\ngated.\n\nWork around these hardware errata by:\n- Disabling SQM sticky operation:\n  - Clear TM6 (bit 15)\n  - Clear TM11 (bit 14)\n- Disabling sticky \u2192 non-sticky transition path that can deadlock PSE:\n  - Clear TM5 (bit 23)\n- Preventing credit drops by keeping the control-flow clock enabled:\n  - Set TM9 (bit 21)\n\nThese changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this\nconfiguration the SQM/PSE maintain forward progress under load without\ncredit loss, at the cost of disabling sticky optimizations.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43296"
        },
        {
          "id": "CVE-2026-43297",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()\n\nrga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is\nunsupported or invalid. rga_buf_init() does not check the return value\nand unconditionally dereferences the pointer when accessing f->size.\n\nAdd proper ERR_PTR checking and return the error to prevent\ndereferencing an invalid pointer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43297"
        },
        {
          "id": "CVE-2026-43298",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip vcn poison irq release on VF\n\nVF doesn't enable VCN poison irq in VCNv2.5. Skip releasing it and avoid\ncall trace during deinitialization.\n\n[   71.913601] [drm] clean up the vf2pf work item\n[   71.915088] ------------[ cut here ]------------\n[   71.915092] WARNING: CPU: 3 PID: 1079 at /tmp/amd.aFkFvSQl/amd/amdgpu/amdgpu_irq.c:641 amdgpu_irq_put+0xc6/0xe0 [amdgpu]\n[   71.915355] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_display_helper cec rc_core i2c_algo_bit video wmi binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common input_leds joydev serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 hid_generic crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel usbhid 8139too sha256_ssse3 sha1_ssse3 hid psmouse bochs i2c_i801 ahci drm_vram_helper libahci i2c_smbus lpc_ich drm_ttm_helper 8139cp mii ttm aesni_intel crypto_simd cryptd\n[   71.915484] CPU: 3 PID: 1079 Comm: rmmod Tainted: G           OE      6.8.0-87-generic #88~22.04.1-Ubuntu\n[   71.915489] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014\n[   71.915492] RIP: 0010:amdgpu_irq_put+0xc6/0xe0 [amdgpu]\n[   71.915768] Code: 75 84 b8 ea ff ff ff eb d4 44 89 ea 48 89 de 4c 89 e7 e8 fd fc ff ff 5b 41 5c 41 5d 41 5e 5d 31 d2 31 f6 31 ff e9 55 30 3b c7 <0f> 0b eb d4 b8 fe ff ff ff eb a8 e9 b7 3b 8a 00 66 2e 0f 1f 84 00\n[   71.915771] RSP: 0018:ffffcf0800eafa30 EFLAGS: 00010246\n[   71.915775] RAX: 0000000000000000 RBX: ffff891bda4b0668 RCX: 0000000000000000\n[   71.915777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[   71.915779] RBP: ffffcf0800eafa50 R08: 0000000000000000 R09: 0000000000000000\n[   71.915781] R10: 0000000000000000 R11: 0000000000000000 R12: ffff891bda480000\n[   71.915782] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000\n[   71.915792] FS:  000070cff87c4c40(0000) GS:ffff893abfb80000(0000) knlGS:0000000000000000\n[   71.915795] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   71.915797] CR2: 00005fa13073e478 CR3: 000000010d634006 CR4: 0000000000770ef0\n[   71.915800] PKRU: 55555554\n[   71.915802] Call Trace:\n[   71.915805]  <TASK>\n[   71.915809]  vcn_v2_5_hw_fini+0x19e/0x1e0 [amdgpu]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43298"
        },
        {
          "id": "CVE-2026-43299",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()\n\n[BUG]\nThere is a bug report that when btrfs hits ENOSPC error in a critical\npath, btrfs flips RO (this part is expected, although the ENOSPC bug\nstill needs to be addressed).\n\nThe problem is after the RO flip, if there is a read repair pending, we\ncan hit the ASSERT() inside btrfs_repair_io_failure() like the following:\n\n  BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1\n  ------------[ cut here ]------------\n  BTRFS: Transaction aborted (error -28)\n  WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844\n  Modules linked in: kvm_intel kvm irqbypass\n  [...]\n  ---[ end trace 0000000000000000 ]---\n  BTRFS info (device vdc state EA): 2 enospc errors during balance\n  BTRFS info (device vdc state EA): balance: ended with status: -30\n  BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6\n  BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0\n  [...]\n  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938\n  ------------[ cut here ]------------\n  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938\n  kernel BUG at fs/btrfs/bio.c:938!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G        W        N  6.19.0-rc6+ #4788 PREEMPT(full)\n  Tainted: [W]=WARN, [N]=TEST\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n  Workqueue: btrfs-endio simple_end_io_work\n  RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120\n  RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246\n  RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff\n  RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988\n  R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310\n  R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000\n  FS:  0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  ------------[ cut here ]------------\n\n[CAUSE]\nThe cause of -ENOSPC error during the test case btrfs/124 is still\nunknown, although it's known that we still have cases where metadata can\nbe over-committed but can not be fulfilled correctly, thus if we hit\nsuch ENOSPC error inside a critical path, we have no choice but abort\nthe current transaction.\n\nThis will mark the fs read-only.\n\nThe problem is inside the btrfs_repair_io_failure() path that we require\nthe fs not to be mount read-only. This is normally fine, but if we are\ndoing a read-repair meanwhile the fs flips RO due to a critical error,\nwe can enter btrfs_repair_io_failure() with super block set to\nread-only, thus triggering the above crash.\n\n[FIX]\nJust replace the ASSERT() with a proper return if the fs is already\nread-only.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43299"
        },
        {
          "id": "CVE-2026-43300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()\n\nIn jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it\nmay be NULL:\n\n  if (!jdi)\n    mipi_dsi_detach(dsi);\n\nHowever, when jdi is NULL, the function does not return and continues by\ncalling jdi_panel_disable():\n\n  err = jdi_panel_disable(&jdi->base);\n\nInside jdi_panel_disable(), jdi is dereferenced unconditionally, which can\nlead to a NULL-pointer dereference:\n\n  struct jdi_panel *jdi = to_panel_jdi(panel);\n  backlight_disable(jdi->backlight);\n\nTo prevent such a potential NULL-pointer dereference, return early from\njdi_panel_dsi_remove() when jdi is NULL.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43300"
        },
        {
          "id": "CVE-2026-43301",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix PM runtime usage count underflow\n\nReplace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in\nthe remove path to properly pair with pm_runtime_use_autosuspend() from\nprobe. This allows pm_runtime_disable() to handle reference count cleanup\ncorrectly regardless of current suspend state.\n\nThe driver calls pm_runtime_put_sync() unconditionally in remove, but the\ndevice may already be suspended due to autosuspend configured in probe.\nWhen autosuspend has already suspended the device, the usage count is 0,\nand pm_runtime_put_sync() decrements it to -1.\n\nThis causes the following warning on module unload:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430\n    kthread_destroy_worker+0x84/0x98\n  ...\n  vdec 30210000.video-codec: Runtime PM usage count underflow!",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43301"
        },
        {
          "id": "CVE-2026-43302",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Set DMA segment size to avoid debug warnings\n\nWhen using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the\nkernel occasionally reports a segment size mismatch. This is because\n'max_seg_size' is not set. The kernel defaults to 64K. setting\n'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()'\nfrom complaining about the over-mapping of the V3D segment length.\n\nDMA-API: v3d 1002000000.v3d: mapping sg segment longer than device\n claims to support [len=8290304] [max=65536]\nWARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388\nCPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1\nHardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : debug_dma_map_sg+0x330/0x388\nlr : debug_dma_map_sg+0x330/0x388\nsp : ffff8000829a3ac0\nx29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000\nx26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000\nx23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002\nx20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff\nx17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573\nx14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000\nx11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c\nx8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001\nx5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280\nCall trace:\n debug_dma_map_sg+0x330/0x388\n __dma_map_sg_attrs+0xc0/0x278\n dma_map_sgtable+0x30/0x58\n drm_gem_shmem_get_pages_sgt+0xb4/0x140\n v3d_bo_create_finish+0x28/0x130 [v3d]\n v3d_create_bo_ioctl+0x54/0x180 [v3d]\n drm_ioctl_kernel+0xc8/0x140\n drm_ioctl+0x2d4/0x4d8",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43302"
        },
        {
          "id": "CVE-2026-43303",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page->private in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page->private but don't\nclear it before freeing pages.  When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage->private values.\n\nThis causes a use-after-free in the swap subsystem.  The swap code uses\npage->private to track swap count continuations, assuming freshly\nallocated pages have page->private == 0.  When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page->lru containing LIST_POISON values,\ncausing a crash:\n\n  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n  RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page->private in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43303"
        },
        {
          "id": "CVE-2026-43304",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: define and enforce CEPH_MAX_KEY_LEN\n\nWhen decoding the key, verify that the key material would fit into\na fixed-size buffer in process_auth_done() and generally has a sane\nlength.\n\nThe new CEPH_MAX_KEY_LEN check replaces the existing check for a key\nwith no key material which is a) not universal since CEPH_CRYPTO_NONE\nhas to be excluded and b) doesn't provide much value since a smaller\nthan needed key is just as invalid as no key -- this has to be handled\nelsewhere anyway.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43304"
        },
        {
          "id": "CVE-2026-43305",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path\n\n[Why]\nThe evaluation for whether we need to use the DMUB HW lock isn't the\nsame as whether we need to unlock which results in a hang when the\nfast path is used for ASIC without FAMS support.\n\n[How]\nStore a flag that indicates whether we should use the lock and use\nthat same flag to specify whether unlocking is needed.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43305"
        },
        {
          "id": "CVE-2026-43306",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: crypto: Use the correct destructor kfunc type\n\nWith CONFIG_CFI enabled, the kernel strictly enforces that indirect\nfunction calls use a function pointer type that matches the target\nfunction. I ran into the following type mismatch when running BPF\nself-tests:\n\n  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:\n    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)\n  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP\n  ...\n\nAs bpf_crypto_ctx_release() is also used in BPF programs and using\na void pointer as the argument would make the verifier unhappy, add\na simple stub function with the correct type and register it as the\ndestructor kfunc instead.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43306"
        },
        {
          "id": "CVE-2026-43307",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: adxl380: Avoid reading more entries than present in FIFO\n\nThe interrupt handler reads FIFO entries in batches of N samples, where N\nis the number of scan elements that have been enabled. However, the sensor\nfills the FIFO one sample at a time, even when more than one channel is\nenabled. Therefore, the number of entries reported by the FIFO status\nregisters may not be a multiple of N; if this number is not a multiple, the\nnumber of entries read from the FIFO may exceed the number of entries\nactually present.\n\nTo fix the above issue, round down the number of FIFO entries read from the\nstatus registers so that it is always a multiple of N.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43307"
        },
        {
          "id": "CVE-2026-43308",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()\n\nThere is no need to BUG(), we can just return an error and log an error\nmessage.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43308"
        },
        {
          "id": "CVE-2026-43309",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd raid: fix hang when stopping arrays with metadata through dm-raid\n\nWhen using device-mapper's dm-raid target, stopping a RAID array can cause\nthe system to hang under specific conditions.\n\nThis occurs when:\n\n- A dm-raid managed device tree is suspended from top to bottom\n   (the top-level RAID device is suspended first, followed by its\n    underlying metadata and data devices)\n\n- The top-level RAID device is then removed\n\nRemoving the top-level device triggers a hang in the following sequence:\nthe dm-raid destructor calls md_stop(), which tries to flush the\nwrite-intent bitmap by writing to the metadata sub-devices. However, these\ndevices are already suspended, making them unable to complete the write-intent\noperations and causing an indefinite block.\n\nFix:\n\n- Prevent bitmap flushing when md_stop() is called from dm-raid\ndestructor context\n  and avoid a quiescing/unquiescing cycle which could also cause I/O\n\n- Still allow write-intent bitmap flushing when called from dm-raid\nsuspend context\n\nThis ensures that RAID array teardown can complete successfully even when the\nunderlying devices are in a suspended state.\n\nThis second patch uses md_is_rdwr() to distinguish between suspend and\ndestructor paths as elaborated on above.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43309"
        },
        {
          "id": "CVE-2026-43310",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC\n\nFor the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and\ng2 VPU cannot decode simultaneously; otherwise, it will cause below bus\nerror and produce corrupted pictures, even potentially lead to system hang.\n\n[  110.527986] hantro-vpu 38310000.video-codec: frame decode timed out.\n[  110.583517] hantro-vpu 38310000.video-codec: bus error detected.\n\nTherefore, it is necessary to ensure that g1 and g2 operate alternately.\nThis allows for successful multi-instance decoding of H.264 and HEVC.\n\nTo achieve this, g1 and g2 share the same v4l2_m2m_dev, and then the\nv4l2_m2m_dev can handle the scheduling.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43310"
        },
        {
          "id": "CVE-2026-43311",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc/tegra: pmc: Fix unsafe generic_handle_irq() call\n\nCurrently, when resuming from system suspend on Tegra platforms,\nthe following warning is observed:\n\nWARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666\nCall trace:\n handle_irq_desc+0x20/0x58 (P)\n tegra186_pmc_wake_syscore_resume+0xe4/0x15c\n syscore_resume+0x3c/0xb8\n suspend_devices_and_enter+0x510/0x540\n pm_suspend+0x16c/0x1d8\n\nThe warning occurs because generic_handle_irq() is being called from\na non-interrupt context which is considered as unsafe.\n\nFix this warning by deferring generic_handle_irq() call to an IRQ work\nwhich gets executed in hard IRQ context where generic_handle_irq()\ncan be called safely.\n\nWhen PREEMPT_RT kernels are used, regular IRQ work (initialized with\ninit_irq_work) is deferred to run in per-CPU kthreads in preemptible\ncontext rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD\nvariant so that with PREEMPT_RT kernels, the IRQ work is processed in\nhardirq context instead of being deferred to a thread which is required\nfor calling generic_handle_irq().\n\nOn non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD()\nexecute in IRQ context, so this change has no functional impact for\nstandard kernel configurations.\n\n[treding@nvidia.com: miscellaneous cleanups]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43311"
        },
        {
          "id": "CVE-2026-43312",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ov5647: Initialize subdev before controls\n\nIn ov5647_init_controls() we call v4l2_get_subdevdata, but it is\ninitialized by v4l2_i2c_subdev_init() in the probe, which currently\nhappens after init_controls(). This can result in a segfault if the\nerror condition is hit, and we try to access i2c_client, so fix the\norder.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43312"
        },
        {
          "id": "CVE-2026-43313",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()\n\nIn acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE\ndevice and then reassigned an ISA device:\n\n  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);\n  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);\n\nIf the first lookup succeeds but the second fails, dev becomes NULL. This\nleads to a potential null-pointer dereference when dev_dbg() is called:\n\n  if (errata.piix4.bmisx)\n    dev_dbg(&dev->dev, ...);\n\nTo prevent this, use two temporary pointers and retrieve each device\nindependently, avoiding overwriting dev with a possible NULL value.\n\n[ rjw: Subject adjustment, added an empty code line ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43313"
        },
        {
          "id": "CVE-2026-43314",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: remove fake timeout to avoid leak request\n\nSince commit 15f73f5b3e59 (\"blk-mq: move failure injection out of\nblk_mq_complete_request\"), drivers are responsible for calling\nblk_should_fake_timeout() at appropriate code paths and opportunities.\n\nHowever, the dm driver does not implement its own timeout handler and\nrelies on the timeout handling of its slave devices.\n\nIf an io-timeout-fail error is injected to a dm device, the request\nwill be leaked and never completed, causing tasks to hang indefinitely.\n\nReproduce:\n1. prepare dm which has iscsi slave device\n2. inject io-timeout-fail to dm\n   echo 1 >/sys/class/block/dm-0/io-timeout-fail\n   echo 100 >/sys/kernel/debug/fail_io_timeout/probability\n   echo 10 >/sys/kernel/debug/fail_io_timeout/times\n3. read/write dm\n4. iscsiadm -m node -u\n\nResult: hang task like below\n[  862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds.\n[  862.244133]       Tainted: G            E       6.19.0-rc1+ #51\n[  862.244337] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[  862.244718] task:kworker/u514:2  state:D stack:0     pid:151   tgid:151   ppid:2      task_flags:0x4288060 flags:0x00080000\n[  862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi]\n[  862.245264] Call Trace:\n[  862.245587]  <TASK>\n[  862.245814]  __schedule+0x810/0x15c0\n[  862.246557]  schedule+0x69/0x180\n[  862.246760]  blk_mq_freeze_queue_wait+0xde/0x120\n[  862.247688]  elevator_change+0x16d/0x460\n[  862.247893]  elevator_set_none+0x87/0xf0\n[  862.248798]  blk_unregister_queue+0x12e/0x2a0\n[  862.248995]  __del_gendisk+0x231/0x7e0\n[  862.250143]  del_gendisk+0x12f/0x1d0\n[  862.250339]  sd_remove+0x85/0x130 [sd_mod]\n[  862.250650]  device_release_driver_internal+0x36d/0x530\n[  862.250849]  bus_remove_device+0x1dd/0x3f0\n[  862.251042]  device_del+0x38a/0x930\n[  862.252095]  __scsi_remove_device+0x293/0x360\n[  862.252291]  scsi_remove_target+0x486/0x760\n[  862.252654]  __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi]\n[  862.252886]  process_one_work+0x633/0xe50\n[  862.253101]  worker_thread+0x6df/0xf10\n[  862.253647]  kthread+0x36d/0x720\n[  862.254533]  ret_from_fork+0x2a6/0x470\n[  862.255852]  ret_from_fork_asm+0x1a/0x30\n[  862.256037]  </TASK>\n\nRemove the blk_should_fake_timeout() check from dm, as dm has no\nnative timeout handling and should not attempt to fake timeouts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43314"
        },
        {
          "id": "CVE-2026-43315",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding\n\nDrop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing\nas it is trivially easy to trigger from userspace by modifying CPUID after\nloading CR3.  E.g. modifying the state restoration selftest like so:\n\n  --- tools/testing/selftests/kvm/x86/state_test.c\n  +++ tools/testing/selftests/kvm/x86/state_test.c\n  @@ -280,7 +280,16 @@ int main(int argc, char *argv[])\n\n                 /* Restore state in a new VM.  */\n                  vcpu = vm_recreate_with_one_vcpu(vm);\n  -               vcpu_load_state(vcpu, state);\n  +\n  +               if (stage == 4) {\n  +                       state->sregs.cr3 = BIT(44);\n  +                       vcpu_load_state(vcpu, state);\n  +\n  +                       vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36);\n  +                       __vcpu_nested_state_set(vcpu, &state->nested);\n  +               } else {\n  +                       vcpu_load_state(vcpu, state);\n  +               }\n\n                  /*\n                   * Restore XSAVE state in a dummy vCPU, first without doing\n\ngenerates:\n\n  WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd]\n  Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm]\n  CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G        W           6.18.0-rc7-58e10b63777d-next-vm\n  Tainted: [W]=WARN\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd]\n  Call Trace:\n   <TASK>\n   kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm]\n   kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm]\n   __x64_sys_ioctl+0x8f/0xd0\n   do_syscall_64+0x61/0xad0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nSimply delete the WARN instead of trying to prevent userspace from shoving\n\"illegal\" state into CR3.  For better or worse, KVM's ABI allows userspace\nto set CPUID after SREGS, and vice versa, and KVM is very permissive when\nit comes to guest CPUID.  I.e. attempting to enforce the virtual CPU model\nwhen setting CPUID could break userspace.  Given that the WARN doesn't\nprovide any meaningful protection for KVM or benefit for userspace, simply\ndrop it even though the odds of breaking userspace are minuscule.\n\nOpportunistically delete a spurious newline.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43315"
        },
        {
          "id": "CVE-2026-43316",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: solo6x10: Check for out of bounds chip_id\n\nClang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type\n(literal \"1\" is an \"int\") could end up being shifted beyond 32 bits,\nso instrumentation was added (and due to the double is_tw286x() call\nseen via inlining), Clang decides the second one must now be undefined\nbehavior and elides the rest of the function[1]. This is a known problem\nwith Clang (that is still being worked on), but we can avoid the entire\nproblem by actually checking the existing max chip ID, and now there is\nno runtime instrumentation added at all since everything is known to be\nwithin bounds.\n\nAdditionally use an unsigned value for the shift to remove the\ninstrumentation even without the explicit bounds checking.\n\n[hverkuil: fix checkpatch warning for is_tw286x]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43316"
        },
        {
          "id": "CVE-2026-43317",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: core: fix leak on early registration failure\n\nA recent commit fixed a resource leak on early registration failures but\nfor some reason left out the first error path which still leaks the\nresources associated with the interface.\n\nFix up also the first error path so that the interface is always\nreleased on errors.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43317"
        },
        {
          "id": "CVE-2026-43318",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify\n\nInvalidating a dmabuf will impact other users of the shared BO.\nIn the scenario where process A moves the BO, it needs to inform\nprocess B about the move and process B will need to update its\npage table.\n\nThe commit fixes a synchronisation bug caused by the use of the\nticket: it made amdgpu_vm_handle_moved behave as if updating\nthe page table immediately was correct but in this case it's not.\n\nAn example is the following scenario, with 2 GPUs and glxgears\nrunning on GPU0 and Xorg running on GPU1, on a system where P2P\nPCI isn't supported:\n\nglxgears:\n  export linear buffer from GPU0 and import using GPU1\n  submit frame rendering to GPU0\n  submit tiled->linear blit\nXorg:\n  copy of linear buffer\n\nThe sequence of jobs would be:\n  drm_sched_job_run                       # GPU0, frame rendering\n  drm_sched_job_queue                     # GPU0, blit\n  drm_sched_job_done                      # GPU0, frame rendering\n  drm_sched_job_run                       # GPU0, blit\n  move linear buffer for GPU1 access      #\n  amdgpu_dma_buf_move_notify -> update pt # GPU0\n\nAt this point the blit job on GPU0 is still running and would\nlikely produce a page fault.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43318"
        },
        {
          "id": "CVE-2026-43319",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spidev: fix lock inversion between spi_lock and buf_lock\n\nThe spidev driver previously used two mutexes, spi_lock and buf_lock,\nbut acquired them in different orders depending on the code path:\n\n  write()/read(): buf_lock -> spi_lock\n  ioctl():       spi_lock -> buf_lock\n\nThis AB-BA locking pattern triggers lockdep warnings and can\ncause real deadlocks:\n\n  WARNING: possible circular locking dependency detected\n  spidev_ioctl() -> mutex_lock(&spidev->buf_lock)\n  spidev_sync_write() -> mutex_lock(&spidev->spi_lock)\n  *** DEADLOCK ***\n\nThe issue is reproducible with a simple userspace program that\nperforms write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from\nseparate threads on the same spidev file descriptor.\n\nFix this by simplifying the locking model and removing the lock\ninversion entirely. spidev_sync() no longer performs any locking,\nand all callers serialize access using spi_lock.\n\nbuf_lock is removed since its functionality is fully covered by\nspi_lock, eliminating the possibility of lock ordering issues.\n\nThis removes the lock inversion and prevents deadlocks without\nchanging userspace ABI or behaviour.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43319"
        },
        {
          "id": "CVE-2026-43320",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dsc eDP issue\n\n[why]\nNeed to add function hook check before use",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43320"
        },
        {
          "id": "CVE-2026-43321",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Properly mark live registers for indirect jumps\n\nFor a `gotox rX` instruction the rX register should be marked as used\nin the compute_insn_live_regs() function. Fix this.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43321"
        },
        {
          "id": "CVE-2026-43322",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue\nis not able to prevent it:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43322"
        },
        {
          "id": "CVE-2026-43323",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix zero_vruntime tracking fix\n\nJohn reported that stress-ng-yield could make his machine unhappy and\nmanaged to bisect it to commit b3d99f43c72b (\"sched/fair: Fix\nzero_vruntime tracking\").\n\nThe combination of yield and that commit was specific enough to\nhypothesize the following scenario:\n\nSuppose we have 2 runnable tasks, both doing yield. Then one will be\neligible and one will not be, because the average position must be in\nbetween these two entities.\n\nTherefore, the runnable task will be eligible, and be promoted a full\nslice (all the tasks do is yield after all). This causes it to jump over\nthe other task and now the other task is eligible and current is no\nlonger. So we schedule.\n\nSince we are runnable, there is no {de,en}queue. All we have is the\n__{en,de}queue_entity() from {put_prev,set_next}_task(). But per the\nfingered commit, those two no longer move zero_vruntime.\n\nAll that moves zero_vruntime are tick and full {de,en}queue.\n\nThis means, that if the two tasks playing leapfrog can reach the\ncritical speed to reach the overflow point inside one tick's worth of\ntime, we're up a creek.\n\nAdditionally, when multiple cgroups are involved, there is no guarantee\nthe tick will in fact hit every cgroup in a timely manner. Statistically\nspeaking it will, but that same statistics does not rule out the\npossibility of one cgroup not getting a tick for a significant amount of\ntime -- however unlikely.\n\nTherefore, just like with the yield() case, force an update at the end\nof every slice. This ensures the update is never more than a single\nslice behind and the whole thing is within 2 lag bounds as per the\ncomment on entity_key().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43323"
        },
        {
          "id": "CVE-2026-43324",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver.  The\nerror has a somewhat involved history.  The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur.  Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late.  It couldn't be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind.  Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable!  That's no good, because it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests.  The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43324"
        },
        {
          "id": "CVE-2026-43325",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: don't send a 6E related command when not supported\n\nMCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the\ndevice doesn't support 6E.\nApparently, the firmware is mistakenly advertising support for this\ncommand even on AX201 which does not support 6E and then the firmware\ncrashes.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43325"
        },
        {
          "id": "CVE-2026-43326",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback\n\nSCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using\nsmp_cond_load_acquire() until the target CPU's kick_sync advances. Because\nthe irq_work runs in hardirq context, the waiting CPU cannot reschedule and\nits own kick_sync never advances. If multiple CPUs form a wait cycle, all\nCPUs deadlock.\n\nReplace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to\nforce the CPU through do_pick_task_scx(), which queues a balance callback\nto perform the wait. The balance callback drops the rq lock and enables\nIRQs following the sched_core_balance() pattern, so the CPU can process\nIPIs while waiting. The local CPU's kick_sync is advanced on entry to\ndo_pick_task_scx() and continuously during the wait, ensuring any CPU that\nstarts waiting for us sees the advancement and cannot form cyclic\ndependencies.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43326"
        },
        {
          "id": "CVE-2026-43327",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix locking/synchronization error\n\nSyzbot testing was able to provoke an addressing exception and crash\nin the usb_gadget_udc_reset() routine in\ndrivers/usb/gadgets/udc/core.c, resulting from the fact that the\nroutine was called with a second (\"driver\") argument of NULL.  The bad\ncaller was set_link_state() in dummy_hcd.c, and the problem arose\nbecause of a race between a USB reset and driver unbind.\n\nThese sorts of races were not supposed to be possible; commit\n7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous synchronization change\"),\nalong with a few followup commits, was written specifically to prevent\nthem.  As it turns out, there are (at least) two errors remaining in\nthe code.  Another patch will address the second error; this one is\nconcerned with the first.\n\nThe error responsible for the syzbot crash occurred because the\nstop_activity() routine will sometimes drop and then re-acquire the\ndum->lock spinlock.  A call to stop_activity() occurs in\nset_link_state() when handling an emulated USB reset, after the test\nof dum->ints_enabled and before the increment of dum->callback_usage.\nThis allowed another thread (doing a driver unbind) to sneak in and\ngrab the spinlock, and then clear dum->ints_enabled and dum->driver.\nNormally this other thread would have to wait for dum->callback_usage\nto go down to 0 before it would clear dum->driver, but in this case it\ndidn't have to wait since dum->callback_usage had not yet been\nincremented.\n\nThe fix is to increment dum->callback_usage _before_ calling\nstop_activity() instead of after.  Then the thread doing the unbind\nwill not clear dum->driver until after the call to\nusb_gadget_udc_reset() safely returns and dum->callback_usage has been\ndecremented again.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43327"
        },
        {
          "id": "CVE-2026-43328",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path\n\nWhen kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls\nkobject_put(&dbs_data->attr_set.kobj).\n\nThe kobject release callback cpufreq_dbs_data_release() calls\ngov->exit(dbs_data) and kfree(dbs_data), but the current error path\nthen calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a\ndouble free.\n\nKeep the direct kfree(dbs_data) for the gov->init() failure path, but\nafter kobject_init_and_add() has been called, let kobject_put() handle\nthe cleanup through cpufreq_dbs_data_release().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43328"
        },
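The ownership rule behind the CVE-2026-43328 entry above, as an added C model that is not the cpufreq governor code: once kobject_init_and_add() has been called, the kobject release callback owns gov->exit() and kfree(), so the error path must hand the object to kobject_put() and do nothing else. The two-field stand-in kobject, the counters that replace kfree() and gov->exit(), and the failure switches are assumptions made for this example; the real API is the kernel's kobject code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Models the error path the
 * CVE-2026-43328 description attributes to cpufreq_dbs_governor_init().
 * The kobject is a two-field stand-in and "kfree" only counts calls, so
 * the double free shows up as a number instead of heap corruption. */

struct kobject {
    int refcount;
    void (*release)(struct kobject *kobj);
};

struct dbs_data {
    struct kobject kobj;   /* first member, so release() can cast back */
    int gov_state;         /* stands in for whatever gov->init() set up */
};

static int exit_calls;     /* how often gov->exit() ran on the object */
static int free_calls;     /* how often kfree() ran on the object */

static void sim_kobject_init(struct kobject *kobj,
                             void (*release)(struct kobject *))
{
    kobj->refcount = 1;
    kobj->release = release;
}

/* Like kobject_put(): dropping the last reference runs the release callback. */
static void sim_kobject_put(struct kobject *kobj)
{
    if (--kobj->refcount == 0)
        kobj->release(kobj);
}

static void gov_exit(struct dbs_data *dbs_data)
{
    exit_calls++;
    dbs_data->gov_state = 0;
}

static void sim_kfree(struct dbs_data *dbs_data)
{
    (void)dbs_data;        /* no real memory is released in this model */
    free_calls++;
}

/* Release callback modelled on cpufreq_dbs_data_release(): it owns the
 * teardown once the kobject has been initialised. */
static void dbs_data_release(struct kobject *kobj)
{
    struct dbs_data *dbs_data = (struct dbs_data *)kobj;

    gov_exit(dbs_data);
    sim_kfree(dbs_data);
}

/* Runs the init sequence with the chosen failure injected. Returns the
 * init result (0 or -1); the counters record what the error path did. */
static int governor_init(bool fail_gov_init, bool fail_kobj_add, bool fixed)
{
    static struct dbs_data storage;          /* stands in for kzalloc() */
    struct dbs_data *dbs_data = &storage;

    memset(dbs_data, 0, sizeof *dbs_data);
    exit_calls = free_calls = 0;

    if (fail_gov_init) {
        /* gov->init() failed before any kobject existed: a direct free is
         * the right cleanup in both the original and the fixed code. */
        sim_kfree(dbs_data);
        return -1;
    }
    dbs_data->gov_state = 1;

    sim_kobject_init(&dbs_data->kobj, dbs_data_release);
    if (fail_kobj_add) {
        /* kobject_init_and_add() failed: the reference must still be
         * dropped, and the release callback performs exit + free. */
        sim_kobject_put(&dbs_data->kobj);
        if (!fixed) {
            /* Original error path: tears the object down a second time. */
            gov_exit(dbs_data);
            sim_kfree(dbs_data);
        }
        return -1;
    }
    return 0;
}

/* Convenience wrapper: how many times the object was freed for a scenario. */
static int frees_after(bool fail_gov_init, bool fail_kobj_add, bool fixed)
{
    governor_init(fail_gov_init, fail_kobj_add, fixed);
    return free_calls;
}

int main(void)
{
    printf("kobject_add fails, original: %d free(s)\n", frees_after(false, true, false));
    printf("kobject_add fails, fixed:    %d free(s)\n", frees_after(false, true, true));
    printf("gov->init fails, fixed:      %d free(s)\n", frees_after(true, false, true));
    return 0;
}
```

The same split applies to any kernel object with a release callback: before the callback is registered the caller frees; after it, only the refcount may.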
        {
          "id": "CVE-2026-43329",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: strictly check for maximum number of actions\n\nThe maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n  for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports tunnel\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address takes 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, raise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43329"
        },
        {
          "id": "CVE-2026-43330",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - fix overflow on long hmac keys\n\nWhen a key longer than block size is supplied, it is copied and then\nhashed into the real key.  The memory allocated for the copy needs to\nbe rounded to DMA cache alignment, as otherwise the hashed key may\ncorrupt neighbouring memory.\n\nThe copying is performed using kmemdup, however this leads to an overflow:\nreading more bytes (aligned_len - keylen) from the keylen source buffer.\nFix this by replacing kmemdup with kmalloc, followed by memcpy.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43330"
        },
        {
          "id": "CVE-2026-43331",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Disable KCOV instrumentation after load_segments()\n\nThe load_segments() function changes segment registers, invalidating GS base\n(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any\nsubsequent instrumented C code call (e.g. native_gdt_invalidate()) begins\ncrashing the kernel in an endless loop.\n\nTo reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented\nkernel:\n\n  $ kexec -l /boot/otherKernel\n  $ kexec -e\n\nThe real-world context for this problem is enabling crash dump collection in\nsyzkaller. For this, the tool loads a panic kernel before fuzzing and then\ncalls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC\nand CONFIG_KCOV to be enabled simultaneously.\n\nAdding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())\nis also undesirable as it would introduce an extra performance overhead.\n\nDisabling instrumentation for the individual functions would be too fragile,\nso disable KCOV instrumentation for the entire machine_kexec_64.c and\nphysaddr.c. If coverage-guided fuzzing ever needs these components in the\nfuture, other approaches should be considered.\n\nThe problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported\nthere.\n\n  [ bp: Space out comment for better readability. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43331"
        },
        {
          "id": "CVE-2026-43332",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix thermal zone device registration error path\n\nIf thermal_zone_device_register_with_trips() fails after registering\na thermal zone device, it needs to wait for the tz->removal completion\nlike thermal_zone_device_unregister(), in case user space has managed\nto take a reference to the thermal zone device's kobject, in which case\nthermal_release() may not be called by the error path itself and tz may\nbe freed prematurely.\n\nAdd the missing wait_for_completion() call to the thermal zone device\nregistration error path.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43332"
        },
        {
          "id": "CVE-2026-43333",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject direct access to nullable PTR_TO_BUF pointers\n\ncheck_mem_access() matches PTR_TO_BUF via base_type() which strips\nPTR_MAYBE_NULL, allowing direct dereference without a null check.\n\nMap iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.\nOn stop callbacks these are NULL, causing a kernel NULL dereference.\n\nAdd a type_may_be_null() guard to the PTR_TO_BUF branch, matching the\nexisting PTR_TO_BTF_ID pattern.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43333"
        },
        {
          "id": "CVE-2026-43334",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: force responder MITM requirements before building the pairing response\n\nsmp_cmd_pairing_req() currently builds the pairing response from the\ninitiator auth_req before enforcing the local BT_SECURITY_HIGH\nrequirement. If the initiator omits SMP_AUTH_MITM, the response can\nalso omit it even though the local side still requires MITM.\n\ntk_request() then sees an auth value without SMP_AUTH_MITM and may\nselect JUST_CFM, making method selection inconsistent with the pairing\npolicy the responder already enforces.\n\nWhen the local side requires HIGH security, first verify that MITM can\nbe achieved from the IO capabilities and then force SMP_AUTH_MITM in the\nresponse in both rsp.auth_req and auth. This keeps the responder auth bits\nand later method selection aligned.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "ADJACENT_NETWORK",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43334"
        },
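The ordering problem the CVE-2026-43334 entry above describes, as an added C model that is not the kernel's SMP code: the responder derives its pairing response from the initiator's auth_req, and only the fixed ordering checks that MITM can be achieved from the IO capabilities and forces the MITM bit before the pairing method is chosen. The bit values, the simplified IO-capability rule, the two-entry method table and the "reject when the policy cannot be met" outcome are assumptions made for this example; the real tables are in the kernel's SMP implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Models the responder-side decision the
 * CVE-2026-43334 description attributes to smp_cmd_pairing_req() and
 * tk_request(). Bit values and the IO-capability rule are assumptions. */

#define SMP_AUTH_BONDING 0x01   /* assumed bit layout for illustration */
#define SMP_AUTH_MITM    0x04
#define SMP_AUTH_SC      0x08
#define AUTH_REQ_MASK    (SMP_AUTH_BONDING | SMP_AUTH_MITM | SMP_AUTH_SC)

enum sec_level { SEC_LOW, SEC_MEDIUM, SEC_HIGH };

enum io_cap {
    IO_DISPLAY_ONLY,
    IO_DISPLAY_YESNO,
    IO_KEYBOARD_ONLY,
    IO_NO_INPUT_NO_OUTPUT,
    IO_KEYBOARD_DISPLAY,
};

enum pair_method { JUST_CFM, PASSKEY_OR_COMPARE };

/* Simplified rule: MITM protection needs both sides to offer some input or
 * output; the real mapping table has more cases. */
static bool mitm_possible(enum io_cap local_io, enum io_cap remote_io)
{
    return local_io != IO_NO_INPUT_NO_OUTPUT &&
           remote_io != IO_NO_INPUT_NO_OUTPUT;
}

/* Stands in for tk_request(): without the MITM bit the method degrades to
 * Just Works (JUST_CFM) whatever the IO capabilities would allow. */
static enum pair_method select_method(uint8_t auth, enum io_cap local_io,
                                      enum io_cap remote_io)
{
    if (!(auth & SMP_AUTH_MITM) || !mitm_possible(local_io, remote_io))
        return JUST_CFM;
    return PASSKEY_OR_COMPARE;
}

/* Original ordering: the response auth bits are taken from the initiator's
 * request before the local BT_SECURITY_HIGH requirement is applied. */
static int build_rsp_auth_original(uint8_t init_auth, enum sec_level local_sec,
                                   enum io_cap local_io, enum io_cap remote_io,
                                   uint8_t *rsp_auth)
{
    (void)local_sec; (void)local_io; (void)remote_io;
    *rsp_auth = init_auth & AUTH_REQ_MASK;
    return 0;
}

/* Fixed ordering: when HIGH security is required, first verify that MITM is
 * achievable from the IO capabilities, then force the MITM bit. */
static int build_rsp_auth_fixed(uint8_t init_auth, enum sec_level local_sec,
                                enum io_cap local_io, enum io_cap remote_io,
                                uint8_t *rsp_auth)
{
    uint8_t auth = init_auth & AUTH_REQ_MASK;

    if (local_sec == SEC_HIGH) {
        if (!mitm_possible(local_io, remote_io))
            return -1;            /* policy cannot be met: refuse to pair */
        auth |= SMP_AUTH_MITM;
    }
    *rsp_auth = auth;
    return 0;
}

/* Drives one pairing request through either variant and reports the method
 * the responder ends up with: -1 when rejected, else a pair_method value. */
static int responder_method(bool use_fix, uint8_t init_auth,
                            enum sec_level local_sec, enum io_cap local_io,
                            enum io_cap remote_io)
{
    uint8_t rsp_auth = 0;
    int rc = use_fix
        ? build_rsp_auth_fixed(init_auth, local_sec, local_io, remote_io, &rsp_auth)
        : build_rsp_auth_original(init_auth, local_sec, local_io, remote_io, &rsp_auth);

    if (rc < 0)
        return -1;
    return (int)select_method(rsp_auth, local_io, remote_io);
}

int main(void)
{
    /* Constructed request: the initiator asks for bonding and SC but omits
     * MITM; both sides are DisplayYesNo; the local policy is HIGH. */
    uint8_t init_auth = SMP_AUTH_BONDING | SMP_AUTH_SC;

    printf("original: method=%d (0 = Just Works)\n",
           responder_method(false, init_auth, SEC_HIGH, IO_DISPLAY_YESNO, IO_DISPLAY_YESNO));
    printf("fixed:    method=%d (1 = passkey/compare)\n",
           responder_method(true, init_auth, SEC_HIGH, IO_DISPLAY_YESNO, IO_DISPLAY_YESNO));
    printf("fixed, peer NoInputNoOutput: %d (rejected)\n",
           responder_method(true, init_auth, SEC_HIGH, IO_DISPLAY_YESNO, IO_NO_INPUT_NO_OUTPUT));
    return 0;
}
```

The point to carry over when reviewing any pairing or negotiation code: local policy must be folded into the response before the method is derived from it, otherwise the peer's omission decides the outcome.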
        {
          "id": "CVE-2026-43335",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes()\n\nThe change to dynamic IDs for SM8450 platform interconnects left two links\nunconverted, fix it to avoid the NULL pointer dereference in runtime,\nwhen a pointer to a destination interconnect is not valid:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n    <...>\n    Call trace:\n      icc_link_nodes+0x3c/0x100 (P)\n      qcom_icc_rpmh_probe+0x1b4/0x528\n      platform_probe+0x64/0xc0\n      really_probe+0xc4/0x2a8\n      __driver_probe_device+0x80/0x140\n      driver_probe_device+0x48/0x170\n      __device_attach_driver+0xc0/0x148\n      bus_for_each_drv+0x88/0xf0\n      __device_attach+0xb0/0x1c0\n      device_initial_probe+0x58/0x68\n      bus_probe_device+0x40/0xb8\n      deferred_probe_work_func+0x90/0xd0\n      process_one_work+0x15c/0x3c0\n      worker_thread+0x2e8/0x400\n      kthread+0x150/0x208\n      ret_from_fork+0x10/0x20\n     Code: 900310f4 911d6294 91008280 94176078 (f94002a0)\n     ---[ end trace 0000000000000000 ]---\n     Kernel panic - not syncing: Oops: Fatal exception",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43335"
        },
        {
          "id": "CVE-2026-43336",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: chacha: Zeroize permuted_state before it leaves scope\n\nSince the ChaCha permutation is invertible, the local variable\n'permuted_state' is sufficient to compute the original 'state', and thus\nthe key, even after the permutation has been done.\n\nWhile the kernel is quite inconsistent about zeroizing secrets on the\nstack (and some prominent userspace crypto libraries don't bother at all\nsince it's not guaranteed to work anyway), the kernel does try to do it\nas a best practice, especially in cases involving the RNG.\n\nThus, explicitly zeroize 'permuted_state' before it goes out of scope.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43336"
        },
        {
          "id": "CVE-2026-43337",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()\n\ndcn401_init_hw() assumes that update_bw_bounding_box() is valid when\nentering the update path. However, the existing condition:\n\n  ((!fams2_enable && update_bw_bounding_box) || freq_changed)\n\ndoes not guarantee this, as the freq_changed branch can evaluate to true\nindependently of the callback pointer.\n\nThis can result in calling update_bw_bounding_box() when it is NULL.\n\nFix this by separating the update condition from the pointer checks and\nensuring the callback, dc->clk_mgr, and bw_params are validated before\nuse.\n\nFixes the below:\n../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362)\n\n(cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43337"
        },
        {
          "id": "CVE-2026-43338",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reserve enough transaction items for qgroup ioctls\n\nCurrently our qgroup ioctls don't reserve any space, they just do a\ntransaction join, which does not reserve any space, neither for the quota\ntree updates nor for the delayed refs generated when updating the quota\ntree. The quota root uses the global block reserve, which is fine most of\nthe time since we don't expect a lot of updates to the quota root, or to\nbe too close to -ENOSPC such that other critical metadata updates need to\nresort to the global reserve.\n\nHowever this is not optimal, as not reserving proper space may result in a\ntransaction abort due to not reserving space for delayed refs and then\nabusing the use of the global block reserve.\n\nFor example, the following reproducer (which is unlikely to model any\nreal world use case, but just to illustrate the problem), triggers such a\ntransaction abort due to -ENOSPC when running delayed refs:\n\n  $ cat test.sh\n  #!/bin/bash\n\n  DEV=/dev/nullb0\n  MNT=/mnt/nullb0\n\n  umount $DEV &> /dev/null\n  # Limit device to 1G so that it's much faster to reproduce the issue.\n  mkfs.btrfs -f -b 1G $DEV\n  mount -o commit=600 $DEV $MNT\n\n  fallocate -l 800M $MNT/filler\n  btrfs quota enable $MNT\n\n  for ((i = 1; i <= 400000; i++)); do\n      btrfs qgroup create 1/$i $MNT\n  done\n\n  umount $MNT\n\nWhen running this, we can see in dmesg/syslog that a transaction abort\nhappened:\n\n  [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28\n  [436.493] ------------[ cut here ]------------\n  [436.494] BTRFS: Transaction aborted (error -28)\n  [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372\n  [436.497] Modules linked in: btrfs loop (...)\n  [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n  [436.510] Tainted: [W]=WARN\n  [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]\n  [436.514] Code: 0f 82 ea (...)\n  [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292\n  [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001\n  [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80\n  [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867\n  [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400\n  [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000\n  [436.526] FS:  00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000\n  [436.527] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0\n  [436.530] Call Trace:\n  [436.530]  <TASK>\n  [436.530]  btrfs_commit_transaction+0x73/0xc00 [btrfs]\n  [436.531]  ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]\n  [436.532]  sync_filesystem+0x7a/0x90\n  [436.533]  generic_shutdown_super+0x28/0x180\n  [436.533]  kill_anon_super+0x12/0x40\n  [436.534]  btrfs_kill_super+0x12/0x20 [btrfs]\n  [436.534]  deactivate_locked_super+0x2f/0xb0\n  [436.534]  cleanup_mnt+0xea/0x180\n  [436.535]  task_work_run+0x58/0xa0\n  [436.535]  exit_to_user_mode_loop+0xed/0x480\n  [436.536]  ? __x64_sys_umount+0x68/0x80\n  [436.536]  do_syscall_64+0x2a5/0xf20\n  [436.537]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [436.537] RIP: 0033:0x7fe5906b6217\n  [436.538] Code: 0d 00 f7 (...)\n  [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217\n  [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100\n  [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff\n  [436.544] R10: 0000000000000103 R11: \n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43338"
        },
        {
          "id": "CVE-2026-43339",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible UaF in addrconf_permanent_addr()\n\nThe mentioned helper tries to warn the user about an exceptional\ncondition, but the message is delivered too late, accessing the ipv6\nafter its possible deletion.\n\nReorder the statement to avoid the possible UaF; while at it, place the\nwarning outside the idev->lock as it needs no protection.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43339"
        },
        {
          "id": "CVE-2026-43340",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Reinit dev->spinlock between attachments to low-level drivers\n\n`struct comedi_device` is the main controlling structure for a COMEDI\ndevice created by the COMEDI subsystem.  It contains a member `spinlock`\ncontaining a spin-lock that is initialized by the COMEDI subsystem, but\nis reserved for use by a low-level driver attached to the COMEDI device\n(at least since commit 25436dc9d84f (\"Staging: comedi: remove RT\ncode\")).\n\nSome COMEDI devices (those created on initialization of the COMEDI\nsubsystem when the \"comedi.comedi_num_legacy_minors\" parameter is\nnon-zero) can be attached to different low-level drivers over their\nlifetime using the `COMEDI_DEVCONFIG` ioctl command.  This can result in\ninconsistent lock states being reported when there is a mismatch in the\nspin-lock locking levels used by each low-level driver to which the\nCOMEDI device has been attached.  Fix it by reinitializing\n`dev->spinlock` before calling the low-level driver's `attach` function\npointer if `CONFIG_LOCKDEP` is enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43340"
        },
        {
          "id": "CVE-2026-43341",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: ioam6: prevent schema length wraparound in trace fill\n\nioam6_fill_trace_data() stores the schema contribution to the trace\nlength in a u8. With bit 22 enabled and the largest schema payload,\nsclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the\nremaining-space check. __ioam6_fill_trace_data() then positions the\nwrite cursor without reserving the schema area but still copies the\n4-byte schema header and the full schema payload, overrunning the trace\nbuffer.\n\nKeep sclen in an unsigned int so the remaining-space check and the write\ncursor calculation both see the full schema length.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43341"
        },
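The u8 truncation the CVE-2026-43341 entry above describes, reduced to a stand-alone C model (added example, not kernel code): the schema length is counted in 4-byte words, so a 1020-byte payload plus its header is 256 words, which a `uint8_t` stores as 0; the remaining-space check waves that through and the copy then writes the full header plus payload. The buffer size, the `trace_ctx` fields and the bounded `emit()` sink are assumptions made so that the overrun shows up as a byte count instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Models the length bookkeeping that the
 * CVE-2026-43341 description attributes to ioam6_fill_trace_data(); the
 * buffer size, struct layout and emit() sink are illustrative assumptions. */

#define TRACE_BUF_LEN   256   /* assumed trace buffer size in bytes (64 words) */
#define SCHEMA_HDR_LEN  4     /* 4-byte schema header, per the description */
#define MAX_SCHEMA_LEN  1020  /* largest schema payload, per the description */

struct trace_ctx {
    unsigned char buf[TRACE_BUF_LEN];
    unsigned int remlen;   /* free space left in buf, in 4-byte words */
    size_t cursor;         /* next write offset in bytes */
    size_t overrun;        /* bytes a copy tried to place past the buffer end */
};

/* Bounded sink standing in for the real memcpy: copies what fits and
 * records how much would have gone past the end of buf. */
static void emit(struct trace_ctx *t, const void *src, size_t n)
{
    size_t room = TRACE_BUF_LEN - t->cursor;
    size_t take = n < room ? n : room;

    memcpy(t->buf + t->cursor, src, take);
    t->cursor += take;
    t->overrun += n - take;
}

/* Both variants copy the 4-byte header and the full payload once the
 * remaining-space check has passed, as the description states. */
static void write_schema(struct trace_ctx *t, const unsigned char *schema,
                         unsigned int schema_len)
{
    unsigned char hdr[SCHEMA_HDR_LEN] = { 0 };   /* header contents assumed */

    emit(t, hdr, sizeof hdr);
    emit(t, schema, schema_len);
}

/* Vulnerable: sclen is a u8, so 1 + 1020 / 4 == 256 wraps to 0. */
static int fill_trace_u8(struct trace_ctx *t, const unsigned char *schema,
                         unsigned int schema_len)
{
    uint8_t sclen = (uint8_t)(1 + schema_len / 4);   /* header word + payload words */

    if (sclen > t->remlen)
        return -1;                 /* rejected: not enough room */
    t->remlen -= sclen;            /* reserves 0 words before a 1024-byte write */
    write_schema(t, schema, schema_len);
    return 0;
}

/* Fixed: sclen keeps its full width, so the check sees 256 words. */
static int fill_trace_uint(struct trace_ctx *t, const unsigned char *schema,
                           unsigned int schema_len)
{
    unsigned int sclen = 1 + schema_len / 4;

    if (sclen > t->remlen)
        return -1;
    t->remlen -= sclen;
    write_schema(t, schema, schema_len);
    return 0;
}

/* Runs one constructed schema of schema_len bytes (0xAB filler) into a
 * fresh, empty context. Returns -1 when the fill function rejects the
 * schema, otherwise the number of bytes that would have overrun the buffer
 * (0 means the write was safe). */
static long run_case(bool use_fix, unsigned int schema_len)
{
    static unsigned char schema[MAX_SCHEMA_LEN];
    struct trace_ctx t;
    int rc;

    memset(schema, 0xAB, sizeof schema);
    memset(&t, 0, sizeof t);
    t.remlen = TRACE_BUF_LEN / 4;
    if (schema_len > MAX_SCHEMA_LEN)
        schema_len = MAX_SCHEMA_LEN;
    rc = use_fix ? fill_trace_uint(&t, schema, schema_len)
                 : fill_trace_u8(&t, schema, schema_len);
    return rc < 0 ? -1 : (long)t.overrun;
}

int main(void)
{
    printf("u8 sclen,   1020-byte schema: %ld bytes overrun\n", run_case(false, MAX_SCHEMA_LEN));
    printf("uint sclen, 1020-byte schema: %ld (-1 = rejected)\n", run_case(true, MAX_SCHEMA_LEN));
    printf("uint sclen, 16-byte schema:   %ld bytes overrun\n", run_case(true, 16));
    return 0;
}
```

The check and the write must agree on the width of the length they share; the narrow type is the bug, not the arithmetic.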
        {
          "id": "CVE-2026-43342",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Protect RNDIS options with mutex\n\nThe class/subclass/protocol options are susceptible to race conditions\nas they can be accessed concurrently through configfs.\n\nUse existing mutex to protect these options. This issue was identified\nduring code inspection.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43342"
        },
        {
          "id": "CVE-2026-43343",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_subset: Fix unbalanced refcnt in geth_free\n\ngeth_alloc() increments the reference count, but geth_free() fails to\ndecrement it. This prevents the configuration of attributes via configfs\nafter unlinking the function.\n\nDecrement the reference count in geth_free() to ensure proper cleanup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43343"
        },
        {
          "id": "CVE-2026-43344",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix die ID init and look up bugs\n\nIn snbep_pci2phy_map_init(), in the nr_node_ids > 8 path,\nuncore_device_to_die() may return -1 when all CPUs associated\nwith the UBOX device are offline.\n\nRemove the WARN_ON_ONCE(die_id == -1) check for two reasons:\n\n- The current code breaks out of the loop. This is incorrect because\n  pci_get_device() does not guarantee iteration in domain or bus order,\n  so additional UBOX devices may be skipped during the scan.\n\n- Returning -EINVAL is incorrect, since marking offline buses with\n  die_id == -1 is expected and should not be treated as an error.\n\nSeparately, when NUMA is disabled on a NUMA-capable platform,\npcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die()\nto return -1 for all PCI devices.  As a result,\nspr_update_device_location(), used on Intel SPR and EMR, ignores the\ncorresponding PMON units and does not add them to the RB tree.\n\nFix this by using uncore_pcibus_to_dieid(), which retrieves topology\nfrom the UBOX GIDNIDMAP register and works regardless of whether NUMA\nis enabled in Linux.  This requires snbep_pci2phy_map_init() to be\nadded in spr_uncore_pci_init().\n\nKeep uncore_device_to_die() only for the nr_node_ids > 8 case, where\nNUMA is expected to be enabled.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43344"
        },
        {
          "id": "CVE-2026-43345",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipa: fix event ring index not programmed for IPA v5.0+\n\nFor IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to\nCH_C_CNTXT_1. The v5.0 register definition intended to define this\nfield in the CH_C_CNTXT_1 fmask array but used the old identifier of\nERINDEX instead of CH_ERINDEX.\n\nWithout a valid event ring, GSI channels could never signal transfer\ncompletions. This caused gsi_channel_trans_quiesce() to block\nforever in wait_for_completion().\n\nAt least for IPA v5.2 this resolves an issue seen where runtime\nsuspend, system suspend, and remoteproc stop all hung forever. It\nalso meant the IPA data path was completely non-functional.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43345"
        },
        {
          "id": "CVE-2026-43346",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: ptp: don't WARN when controlling PF is unavailable\n\nIn VFIO passthrough setups, it is possible to pass through only a PF\nwhich doesn't own the source timer. In that case the PTP controlling PF\n(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp()\nreturns NULL and triggers WARN_ON() in ice_ptp_setup_pf().\n\nSince this is an expected behavior in that configuration, replace\nWARN_ON() with an informational message and return -EOPNOTSUPP.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43346"
        },
        {
          "id": "CVE-2026-43347",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: monaco: Reserve full Gunyah metadata region\n\nWe observe spurious \"Synchronous External Abort\" exceptions\n(ESR=0x96000010) and kernel crashes on Monaco-based platforms.\nThese faults are caused by the kernel inadvertently accessing\nhypervisor-owned memory that is not properly marked as reserved.\n\nFrom the boot log, the Qualcomm hypervisor reports the memory range\nat 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:\nqhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0\n\nHowever, the EFI memory map provided by firmware only reserves the\nsubrange 0x91a40000\u20130x91a87fff (288 KiB). The remaining portion\n(0x91a88000\u20130x91afffff) is incorrectly reported as conventional\nmemory (from efi debug):\nefi:   0x000091a40000-0x000091a87fff [Reserved...]\nefi:   0x000091a88000-0x0000938fffff [Conventional...]\n\nAs a result, the allocator may hand out PFNs inside the hypervisor\nowned region, causing fatal aborts when the kernel accesses those\naddresses.\n\nAdd a reserved-memory carveout for the Gunyah hypervisor metadata\nat 0x91a80000 (512 KiB) and mark it as no-map so Linux does not\nmap or allocate from this area.\n\nFor the record:\nHyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)\nUEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43347"
        },
        {
          "id": "CVE-2026-43348",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER\n\nWhen registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel\ncomputes pgmap->vmemmap_shift as the number of trailing zeros in the\nOR of start_pfn and last_pfn, intending to use the largest compound\npage order both endpoints are aligned to.\n\nHowever, this value is not clamped to MAX_FOLIO_ORDER, so a\nsufficiently aligned range (e.g. physical range\n[0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000\nwith 35 trailing zeros) can produce a shift larger than what\nmemremap_pages() accepts, triggering a WARN and returning -EINVAL:\n\n  WARNING: ... memremap_pages+0x512/0x650\n  requested folio size unsupported\n\nThe MAX_FOLIO_ORDER check was added by\ncommit 646b67d57589 (\"mm/memremap: reject unreasonable folio/compound\npage sizes in memremap_pages()\").\n\nFix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always\nrequest the largest order the kernel supports, in those cases, rather\nthan an out-of-range value.\n\nAlso fix the error path to propagate the actual error code from\ndevm_memremap_pages() instead of hard-coding -EFAULT, which was\nmasking the real -EINVAL return.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43348"
        },
        {
          "id": "CVE-2026-43349",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer\n\nsyzbot reported a f2fs bug as below:\n\nBUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177\n f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1\n bio_endio+0x1006/0x1160 block/bio.c:1792\n submit_bio_noacct+0x533/0x2960 block/blk-core.c:891\n submit_bio+0x57a/0x620 block/blk-core.c:926\n blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]\n f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557\n f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775\n read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481\n __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576\n f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623\n do_read_inode fs/f2fs/inode.c:425 [inline]\n f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596\n f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184\n get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694\n get_tree_bdev+0x38/0x50 fs/super.c:1717\n f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436\n vfs_get_tree+0xb3/0x5d0 fs/super.c:1754\n fc_mount fs/namespace.c:1193 [inline]\n do_new_mount_fc fs/namespace.c:3763 [inline]\n do_new_mount+0x885/0x1dd0 fs/namespace.c:3839\n path_mount+0x7a2/0x20b0 fs/namespace.c:4159\n do_mount fs/namespace.c:4172 [inline]\n __do_sys_mount fs/namespace.c:4361 [inline]\n __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338\n x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is: in f2fs_finish_read_bio(), we may access uninit data\nin folio if we failed to read the data from device into folio, let's add\na check condition to avoid such issue.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43349"
        },
        {
          "id": "CVE-2026-43350",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: require a full NFS mode SID before reading mode bits\n\nparse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS\nmode SID and reads sid.sub_auth[2] to recover the mode bits.\n\nThat assumes the ACE carries three subauthorities, but compare_sids()\nonly compares min(a, b) subauthorities.  A malicious server can return\nan ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still\nmatches sid_unix_NFS_mode and then drives the sub_auth[2] read four\nbytes past the end of the ACE.\n\nRequire num_subauth >= 3 before treating the ACE as an NFS mode SID.\nThis keeps the fix local to the special-SID mode path without changing\ncompare_sids() semantics for the rest of cifsacl.",
          "scorev2": "0.0",
          "scorev3": "7.6",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43350"
        },
        {
          "id": "CVE-2026-43351",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Eagerly init vgic dist/redist on vgic creation\n\nIf vgic_allocate_private_irqs_locked() fails for any odd reason,\nwe exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised.\n\nkvm_vgic_dist_destroy() then comes along and walks into the weeds\ntrying to free the RDs. Got to love this stuff.\n\nSolve it by moving all the static initialisation early, and make\nsure that if we fail halfway, we're in a reasonable shape to\nperform the rest of the teardown. While at it, reset the vgic model\non failure, just in case...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43351"
        },
        {
          "id": "CVE-2026-43352",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue\n\nThe logic used to abort the DMA ring contains several flaws:\n\n 1. The driver unconditionally issues a ring abort even when the ring has\n    already stopped.\n 2. The completion used to wait for abort completion is never\n    re-initialized, resulting in incorrect wait behavior.\n 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which\n    resets hardware ring pointers and disrupts the controller state.\n 4. If the ring is already stopped, the abort operation should be\n    considered successful without attempting further action.\n\nFix the abort handling by checking whether the ring is running before\nissuing an abort, re-initializing the completion when needed, ensuring that\nRING_CTRL_ENABLE remains asserted during abort, and treating an already\nstopped ring as a successful condition.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43352"
        },
        {
          "id": "CVE-2026-43353",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time.  However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring.  If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43353"
        },
        {
          "id": "CVE-2026-43354",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: proximity: hx9023s: Protect against division by zero in set_samp_freq\n\nAvoid division by zero when sampling frequency is unspecified.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43354"
        },
        {
          "id": "CVE-2026-43355",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: bh1780: fix PM runtime leak on error path\n\nMove pm_runtime_put_autosuspend() before the error check to ensure\nthe PM runtime reference count is always decremented after\npm_runtime_get_sync(), regardless of whether the read operation\nsucceeds or fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43355"
        },
        {
          "id": "CVE-2026-43356",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: adis: Fix NULL pointer dereference in adis_init\n\nThe adis_init() function dereferences adis->ops to check if the\nindividual function pointers (write, read, reset) are NULL, but does\nnot first check if adis->ops itself is NULL.\n\nDrivers like adis16480, adis16490, adis16545 and others do not set\ncustom ops and rely on adis_init() assigning the defaults. Since struct\nadis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL\nwhen adis_init() is called, causing a NULL pointer dereference:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    pc : adis_init+0xc0/0x118\n    Call trace:\n     adis_init+0xc0/0x118\n     adis16480_probe+0xe0/0x670\n\nFix this by checking if adis->ops is NULL before dereferencing it,\nfalling through to assign the default ops in that case.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43356"
        },
        {
          "id": "CVE-2026-43357",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050-core: fix pm_runtime error handling\n\nThe return value of pm_runtime_get_sync() is not checked, allowing\nthe driver to access hardware that may fail to resume. The device\nusage count is also unconditionally incremented. Use\npm_runtime_resume_and_get() which propagates errors and avoids\nincrementing the usage count on failure.\n\nIn preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()\nfailure since postdisable does not run when preenable fails.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43357"
        },
        {
          "id": "CVE-2026-43358",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()\n\nCall rcu_read_lock() before exiting the loop in\ntry_release_subpage_extent_buffer() because there is a rcu_read_unlock()\ncall past the loop.\n\nThis has been detected by the Clang thread-safety analyzer.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43358"
        },
        {
          "id": "CVE-2026-43359",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on set received ioctl due to item overflow\n\nIf the set received ioctl fails due to an item overflow when attempting to\nadd the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction\nsince we did some metadata updates before.\n\nThis means that if a user calls this ioctl with the same received UUID\nfield for a lot of subvolumes, we will hit the overflow, trigger the\ntransaction abort and turn the filesystem into RO mode. A malicious user\ncould exploit this, and this ioctl does not even require that a user\nhas admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.\n\nFix this by doing an early check for item overflow before starting a\ntransaction. This is also race safe because we are holding the subvol_sem\nsemaphore in exclusive (write) mode.\n\nA test case for fstests will follow soon.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43359"
        },
        {
          "id": "CVE-2026-43360",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on file creation due to name hash collision\n\nIf we attempt to create several files with names that result in the same\nhash, we have to pack them in same dir item and that has a limit inherent\nto the leaf size. However if we reach that limit, we trigger a transaction\nabort and turn the filesystem into RO mode. This allows for a malicious\nuser to disrupt a system, without the need to have administration\nprivileges/capabilities.\n\nReproducer:\n\n  $ cat exploit-hash-collisions.sh\n  #!/bin/bash\n\n  DEV=/dev/sdi\n  MNT=/mnt/sdi\n\n  # Use smallest node size to make the test faster and require fewer file\n  # names that result in hash collision.\n  mkfs.btrfs -f --nodesize 4K $DEV\n  mount $DEV $MNT\n\n  # List of names that result in the same crc32c hash for btrfs.\n  declare -a names=(\n   'foobar'\n   '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'\n   'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'\n   'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'\n   'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'\n   'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'\n   'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'\n   'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'\n   'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'\n   'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'\n   'Ono7avN5GjC:_6dBJ_'\n   'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'\n   'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'\n   'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'\n   'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'\n   'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'\n   'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'\n   'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'\n   'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'\n   'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'\n   'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'\n   'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'\n   'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='\n   'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'\n   'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'\n   'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'\n   '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'\n   'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43360"
        },
        {
          "id": "CVE-2026-43361",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don't\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n  $ cat test.sh\n  #!/bin/bash\n\n  DEV=/dev/sdi\n  MNT=/mnt/sdi\n\n  # Use smallest node size to make the test faster.\n  mkfs.btrfs -f --nodesize 4K $DEV\n  mount $DEV $MNT\n\n  # Create a subvolume and set it to RO so that it can be used for send.\n  btrfs subvolume create $MNT/sv\n  touch $MNT/sv/foo\n  btrfs property set $MNT/sv ro true\n\n  # Send and receive the subvolume into snaps/sv.\n  mkdir $MNT/snaps\n  btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n  # Now snapshot the received subvolume, which has a received_uuid, a\n  # lot of times to trigger the leaf overflow.\n  total=500\n  for ((i = 1; i <= $total; i++)); do\n      echo -ne \"\\rCreating snapshot $i/$total\"\n      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null\n  done\n  echo\n\n  umount $MNT\n\nWhen running the test:\n\n  $ ./test.sh\n  (...)\n  Create subvolume '/mnt/sdi/sv'\n  At subvol /mnt/sdi/sv\n  At subvol sv\n  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n  $ dmesg\n  (...)\n  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n  [251067.629212] ------------[ cut here ]------------\n  [251067.630033] BTRFS: Transaction aborted (error -75)\n  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n  [251067.632851] Modules linked in: btrfs dm_zero (...)\n  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n  [251067.646165] Tainted: [W]=WARN\n  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n  [251067.649984] Code: f0 48 0f (...)\n  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n  [251067.661972] Call Trace:\n  [251067.662292]  <TASK>\n  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]\n  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n  [251067.665238]  ? _raw_spin_unlock+0x15/0x30\n  [251067.665837]  ? record_root_\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43361"
        },
        {
          "id": "CVE-2026-43362",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwas unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43362"
        },
        {
          "id": "CVE-2026-43363",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Disable x2apic on resume if the kernel expects so\n\nWhen resuming from s2ram, firmware may re-enable x2apic mode, which may have\nbeen disabled by the kernel during boot either because it doesn't support IRQ\nremapping or for other reasons. This causes the kernel to continue using the\nxapic interface, while the hardware is in x2apic mode, which causes hangs.\nThis happens on defconfig + bare metal + s2ram.\n\nFix this in lapic_resume() by disabling x2apic if the kernel expects it to be\ndisabled, i.e. when x2apic_mode = 0.\n\nThe ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the\npre-sleep configuration or initial boot configuration for each CPU, including\nMSR state:\n\n  When executing from the power-on reset vector as a result of waking from an\n  S2 or S3 sleep state, the platform firmware performs only the hardware\n  initialization required to restore the system to either the state the\n  platform was in prior to the initial operating system boot, or to the\n  pre-sleep configuration state. In multiprocessor systems, non-boot\n  processors should be placed in the same state as prior to the initial\n  operating system boot.\n\n  (further ahead)\n\n  If this is an S2 or S3 wake, then the platform runtime firmware restores\n  minimum context of the system before jumping to the waking vector. This\n  includes:\n\n\tCPU configuration. Platform runtime firmware restores the pre-sleep\n\tconfiguration or initial boot configuration of each CPU (MSR, MTRR,\n\tfirmware update, SMBase, and so on). Interrupts must be disabled (for\n\tIA-32 processors, disabled by CLI instruction).\n\n\t(and other things)\n\nSo at least as per the spec, re-enablement of x2apic by the firmware is\nallowed if \"x2apic on\" is a part of the initial boot configuration.\n\n  [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization\n\n  [ bp: Massage. ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43363"
        },
        {
          "id": "CVE-2026-43364",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix NULL pointer dereference in ublk_ctrl_set_size()\n\nublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via\nset_capacity_and_notify() without checking if it is NULL.\n\nub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only\nassigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs\n(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE\nhandler performs no state validation, a user can trigger a NULL pointer\ndereference by sending UPDATE_SIZE to a device that has been added but\nnot yet started, or one that has been stopped.\n\nFix this by checking ub->ub_disk under ub->mutex before dereferencing\nit, and returning -ENODEV if the disk is not available.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43364"
        },
        {
          "id": "CVE-2026-43365",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix undersized l_iclog_roundoff values\n\nIf the superblock doesn't list a log stripe unit, we set the incore log\nroundoff value to 512.  This leads to corrupt logs and unmountable\nfilesystems in generic/617 on a disk with 4k physical sectors...\n\nXFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c\nXFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.\nXFS (sda1): failed to locate log tail\nXFS (sda1): log mount/recovery failed: error -74\nXFS (sda1): log mount failed\nXFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c\nXFS (sda1): Ending clean mount\n\n...on the current xfsprogs for-next which has a broken mkfs.  xfs_info\nshows this...\n\nmeta-data=/dev/sda1              isize=512    agcount=4, agsize=644992 blks\n         =                       sectsz=4096  attr=2, projid32bit=1\n         =                       crc=1        finobt=1, sparse=1, rmapbt=1\n         =                       reflink=1    bigtime=1 inobtcount=1 nrext64=1\n         =                       exchange=1   metadir=1\ndata     =                       bsize=4096   blocks=2579968, imaxpct=25\n         =                       sunit=0      swidth=0 blks\nnaming   =version 2              bsize=4096   ascii-ci=0, ftype=1, parent=1\nlog      =internal log           bsize=4096   blocks=16384, version=2\n         =                       sectsz=4096  sunit=0 blks, lazy-count=1\nrealtime =none                   extsz=4096   blocks=0, rtextents=0\n         =                       rgcount=0    rgsize=268435456 extents\n         =                       zoned=0      start=0 reserved=0\n\n...observe that the log section has sectsz=4096 sunit=0, which means\nthat the roundoff factor is 512, not 4096 as you'd expect.  We should\nfix mkfs not to generate broken filesystems, but anyone can fuzz the\nondisk superblock so we should be more cautious.  I think the inadequate\nlogic predates commit a6a65fef5ef8d0, but that's clearly going to\nrequire a different backport.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43365"
        },
        {
          "id": "CVE-2026-43366",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: check if target buffer list is still legacy on recycle\n\nThere's a gap between when the buffer was grabbed and when it\npotentially gets recycled, where if the list is empty, someone could've\nupgraded it to a ring provided type. This can happen if the request\nis forced via io-wq. The legacy recycling is missing checking if the\nbuffer_list still exists, and if it's of the correct type. Add those\nchecks.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43366"
        },
        {
          "id": "CVE-2026-43367",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix a few more NULL pointer dereferences in device cleanup\n\nI found a few more paths where cleanup fails due to a NULL version pointer\non unsupported hardware.\n\nAdd NULL checks as applicable.\n\n(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43367"
        },
        {
          "id": "CVE-2026-43368",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential overflow of shmem scatterlist length\n\nWhen a scatterlists table of a GEM shmem object of size 4 GB or more is\npopulated with pages allocated from a folio, unsigned int .length\nattribute of a scatterlist may get overflowed if total byte length of\npages allocated to that single scatterlist happens to reach or cross the\n4GB limit.  As a consequence, users of the object may suffer from hitting\nunexpected, premature end of the object's backing pages.\n\n[278.780187] ------------[ cut here ]------------\n[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]\n...\n[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S   U              6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)\n[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024\n[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]\n...\n[278.780786] Call Trace:\n[278.780787]  <TASK>\n[278.780788]  ? __apply_to_page_range+0x3e6/0x910\n[278.780795]  ? __pfx_remap_sg+0x10/0x10 [i915]\n[278.780906]  apply_to_page_range+0x14/0x30\n[278.780908]  remap_io_sg+0x14d/0x260 [i915]\n[278.781013]  vm_fault_cpu+0xd2/0x330 [i915]\n[278.781137]  __do_fault+0x3a/0x1b0\n[278.781140]  do_fault+0x322/0x640\n[278.781143]  __handle_mm_fault+0x938/0xfd0\n[278.781150]  handle_mm_fault+0x12c/0x300\n[278.781152]  ? lock_mm_and_find_vma+0x4b/0x760\n[278.781155]  do_user_addr_fault+0x2d6/0x8e0\n[278.781160]  exc_page_fault+0x96/0x2c0\n[278.781165]  asm_exc_page_fault+0x27/0x30\n...\n\nThat issue was apprehended by the author of a change that introduced it,\nand potential risk even annotated with a comment, but then never addressed.\n\nWhen adding folio pages to a scatterlist table, take care of byte length\nof any single scatterlist not exceeding max_segment.\n\n(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43368"
        },
        {
          "id": "CVE-2026-43369",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix NULL pointer dereference in device cleanup\n\nWhen GPU initialization fails due to an unsupported HW block\nIP blocks may have a NULL version pointer. During cleanup in\namdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and\namdgpu_device_set_cg_state which iterate over all IP blocks and access\nadev->ip_blocks[i].version without NULL checks, leading to a kernel\nNULL pointer dereference.\n\nAdd NULL checks for adev->ip_blocks[i].version in both\namdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent\ndereferencing NULL pointers during GPU teardown when initialization has\nfailed.\n\n(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43369"
        },
        {
          "id": "CVE-2026-43370",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix use-after-free race in VM acquire\n\nReplace non-atomic vm->process_info assignment with cmpxchg()\nto prevent race when parent/child processes sharing a drm_file\nboth try to acquire the same VM after fork().\n\n(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43370"
        },
        {
          "id": "CVE-2026-43371",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue->tx_head`\nand `queue->tx_tail` to '0'. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n  leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n  are reset to '0'.\n\n- The transmission may become stuck on a packet that has already been sent\n  out, with its 'TX_USED' bit set, but has not yet been processed. However,\n  due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\n  because `queue->tx_head == queue->tx_tail`. This issue is only resolved\n  when a new packet is placed at this position. This is the root cause of\n  the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue->tx_head` and\n`queue->tx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43371"
        },
        {
          "id": "CVE-2026-43372",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Fix error path in PTP IRQ setup\n\nIf request_threaded_irq() fails during the PTP message IRQ setup, the\nnewly created IRQ mapping is never disposed. Indeed, the\nksz_ptp_irq_setup()'s error path only frees the mappings that were\nsuccessfully set up.\n\nDispose the newly created mapping if the associated\nrequest_threaded_irq() fails at setup.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43372"
        },
        {
          "id": "CVE-2026-43373",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ncsi: fix skb leak in error paths\n\nEarly return paths in NCSI RX and AEN handlers fail to release\nthe received skb, resulting in a memory leak.\n\nSpecifically, ncsi_aen_handler() returns on invalid AEN packets\nwithout consuming the skb. Similarly, ncsi_rcv_rsp() exits early\nwhen failing to resolve the NCSI device, response handler, or\nrequest, leaving the skb unfreed.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43373"
        },
        {
          "id": "CVE-2026-43374",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: fix percpu use-after-free in remove_nh_grp_entry\n\nWhen removing a nexthop from a group, remove_nh_grp_entry() publishes\nthe new group via rcu_assign_pointer() then immediately frees the\nremoved entry's percpu stats with free_percpu(). However, the\nsynchronize_net() grace period in the caller remove_nexthop_from_groups()\nruns after the free. RCU readers that entered before the publish still\nsee the old group and can dereference the freed stats via\nnh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a\nuse-after-free on percpu memory.\n\nFix by deferring the free_percpu() until after synchronize_net() in the\ncaller. Removed entries are chained via nh_list onto a local deferred\nfree list. After the grace period completes and all RCU readers have\nfinished, the percpu stats are safely freed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43374"
        },
        {
          "id": "CVE-2026-43375",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot release it on probe failures.\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43375"
        },
        {
          "id": "CVE-2026-43376",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free by using call_rcu() for oplock_info\n\nksmbd currently frees oplock_info immediately using kfree(), even\nthough it is accessed under RCU read-side critical sections in places\nlike opinfo_get() and proc_show_files().\n\nSince there is no RCU grace period delay between nullifying the pointer\nand freeing the memory, a reader can still access oplock_info\nstructure after it has been freed. This can lead to a use-after-free\nespecially in opinfo_get() where atomic_inc_not_zero() is called on\nalready freed memory.\n\nFix this by switching to deferred freeing using call_rcu().",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43376"
        },
        {
          "id": "CVE-2026-43377",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Don't log keys in SMB3 signing and encryption key generation\n\nWhen KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and\ngenerate_smb3encryptionkey() log the session, signing, encryption, and\ndecryption key bytes. Remove the logs to avoid exposing credentials.",
          "scorev2": "0.0",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43377"
        },
        {
          "id": "CVE-2026-43378",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix use-after-free in smb2_open()\n\nThe opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is\ndereferenced after rcu_read_unlock(), creating a use-after-free\nwindow.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43378"
        },
        {
          "id": "CVE-2026-43379",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()\n\nopinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being\naccessed after rcu_read_unlock() has been called. This creates a\nrace condition where the memory could be freed by a concurrent\nwriter between the unlock and the subsequent pointer dereferences\n(opinfo->is_lease, etc.), leading to a use-after-free.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43379"
        },
        {
          "id": "CVE-2026-43380",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read\n\nThe q54sj108a2_debugfs_read function suffers from a stack buffer overflow\ndue to incorrect arguments passed to bin2hex(). The function currently\npasses 'data' as the destination and 'data_char' as the source.\n\nBecause bin2hex() converts each input byte into two hex characters, a\n32-byte block read results in 64 bytes of output. Since 'data' is only\n34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end\nof the buffer onto the stack.\n\nAdditionally, the arguments were swapped: it was reading from the\nzero-initialized 'data_char' and writing to 'data', resulting in\nall-zero output regardless of the actual I2C read.\n\nFix this by:\n1. Expanding 'data_char' to 66 bytes to safely hold the hex output.\n2. Correcting the bin2hex() argument order and using the actual read count.\n3. Using a pointer to select the correct output buffer for the final\n   simple_read_from_buffer call.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43380"
        },
        {
          "id": "CVE-2026-43381",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dpcd: return EBUSY for aux xfer if the device is asleep\n\nIf we have runtime suspended, and userspace wants to use /dev/drm_dp_*\nthen just tell it the device is busy instead of crashing in the GSP\ncode.\n\nWARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]\nCPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)\nHardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024\nRIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]\n\nThis is a simple fix to get backported. We should probably engineer a\nproper power domain solution to wake up devices and keep them awake\nwhile fw updates are happening.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43381"
        },
        {
          "id": "CVE-2026-43382",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid double-rtnl_lock ELP metric worker\n\nbatadv_v_elp_get_throughput() might be called when the RTNL lock is already\nheld. This could be problematic when the work queue item is cancelled via\ncancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,\nan rtnl_lock() would cause a deadlock.\n\nTo avoid this, rtnl_trylock() was used in this function to skip the\nretrieval of the ethtool information in case the RTNL lock was already\nheld.\n\nBut for cfg80211 interfaces, batadv_get_real_netdev() was called - which\nalso uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must\nalso be used instead and the lockless version __batadv_get_real_netdev()\nhas to be called.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43382"
        },
        {
          "id": "CVE-2026-43383",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp-md5: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant\ntime.  Use the appropriate helper function for this.",
          "scorev2": "0.0",
          "scorev3": "9.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43383"
        },
        {
          "id": "CVE-2026-43384",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp-ao: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant\ntime.  Use the appropriate helper function for this.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43384"
        },
        {
          "id": "CVE-2026-43385",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix rcu_tasks stall in threaded busypoll\n\nI was debugging a NIC driver when I noticed that when I enable\nthreaded busypoll, bpftrace hangs when starting up. dmesg showed:\n\n  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old.\n  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old.\n  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old.\n  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old.\n  INFO: rcu_tasks detected stalls on tasks:\n  00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64\n  task:napi/eth2-8265  state:R  running task     stack:0     pid:48300 tgid:48300 ppid:2      task_flags:0x208040 flags:0x00004000\n  Call Trace:\n   <TASK>\n   ? napi_threaded_poll_loop+0x27c/0x2c0\n   ? __pfx_napi_threaded_poll+0x10/0x10\n   ? napi_threaded_poll+0x26/0x80\n   ? kthread+0xfa/0x240\n   ? __pfx_kthread+0x10/0x10\n   ? ret_from_fork+0x31/0x50\n   ? __pfx_kthread+0x10/0x10\n   ? ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\nThe cause is that in threaded busypoll, the main loop is in\nnapi_threaded_poll rather than napi_threaded_poll_loop, where the\nlatter rarely iterates more than once within its loop. For\nrcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its\nqs state, the last_qs must be 100ms behind, and this can't happen\nbecause napi_threaded_poll_loop rarely iterates in threaded busypoll,\nand each time napi_threaded_poll_loop is called last_qs is reset to\nlatest jiffies.\n\nThis patch changes so that in threaded busypoll, last_qs is saved\nin the outer napi_threaded_poll, and whether busy_poll_last_qs\nis NULL indicates whether napi_threaded_poll_loop is called for\nbusypoll. This way last_qs would not reset to latest jiffies on\neach invocation of napi_threaded_poll_loop.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43385"
        },
        {
          "id": "CVE-2026-43386",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie\n\nThe current code checks 'i + 5 < in_len' at the end of the if statement.\nHowever, it accesses 'in_ie[i + 5]' before that check, which can lead\nto an out-of-bounds read. Move the length check to the beginning of the\nconditional to ensure the index is within bounds before accessing the\narray.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43386"
        },
        {
          "id": "CVE-2026-43387",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: properly validate the data in rtw_get_ie_ex()\n\nJust like in commit 154828bf9559 (\"staging: rtl8723bs: fix out-of-bounds\nread in rtw_get_ie() parser\"), we don't trust the data in the frame so\nwe should check the length better before acting on it",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43387"
        },
        {
          "id": "CVE-2026-43388",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: clear walk_control on inactive context in damos_walk()\n\ndamos_walk() sets ctx->walk_control to the caller-provided control\nstructure before checking whether the context is running.  If the context\nis inactive (damon_is_running() returns false), the function returns\n-EINVAL without clearing ctx->walk_control.  This leaves a dangling\npointer to a stack-allocated structure that will be freed when the caller\nreturns.\n\nThis is structurally identical to the bug fixed in commit f9132fbc2e83\n(\"mm/damon/core: remove call_control in inactive contexts\") for\ndamon_call(), which had the same pattern of linking a control object and\nreturning an error without unlinking it.\n\nThe dangling walk_control pointer can cause:\n1. Use-after-free if the context is later started and kdamond\n\u00a0 \u00a0dereferences ctx->walk_control (e.g., in damos_walk_cancel()\n\u00a0 \u00a0which writes to control->canceled and calls complete())\n2. Permanent -EBUSY from subsequent damos_walk() calls, since the\n\u00a0 \u00a0stale pointer is non-NULL\n\nNonetheless, the real user impact is quite restrictive.  The\nuse-after-free is impossible because there are no damos_walk() callers who\nstart the context later.  The permanent -EBUSY can actually confuse\nusers, as DAMON is not running.  But the symptom is kept only while the\ncontext is turned off.  Turning it on again will make DAMON internally\nuse a newly generated damon_ctx object that doesn't have the invalid\ndamos_walk_control pointer, so everything will work fine again.\n\nFix this by clearing ctx->walk_control under walk_control_lock before\nreturning -EINVAL, mirroring the fix pattern from f9132fbc2e83.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43388"
        },
        {
          "id": "CVE-2026-43389",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memfd_luo: always dirty all folios\n\nA dirty folio is one which has been written to.  A clean folio is its\nopposite.  Since a clean folio has no user data, it can be freed under\nmemory pressure.\n\nmemfd preservation with LUO saves the flag at preserve().  This is\nproblematic.  The folio might get dirtied later.  Saving it at freeze()\nalso doesn't work, since the dirty bit from PTE is normally synced at\nunmap and there might still be mappings of the file at freeze().\n\nTo see why this is a problem, say a folio is clean at preserve, but gets\ndirtied later.  The serialized state of the folio will mark it as clean. \nAfter retrieve, the next kernel will see the folio as clean and might try\nto reclaim it under memory pressure.  This will result in losing user\ndata.\n\nMark all folios of the file as dirty, and always set the\nMEMFD_LUO_FOLIO_DIRTY flag.  This comes with the side effect of making all\nclean folios un-reclaimable.  This is a cost that has to be paid for\nparticipants of live update.  It is not expected to be a common use case\nto preserve a lot of clean folios anyway.\n\nSince the value of pfolio->flags is a constant now, drop the flags\nvariable and set it directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43389"
        },
        {
          "id": "CVE-2026-43390",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnstree: tighten permission checks for listing\n\nEven privileged services should not necessarily be able to see other\nprivileged service's namespaces so they can't leak information to each\nother. Use may_see_all_namespaces() helper that centralizes this policy\nuntil the nstree adapts.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43390"
        },
        {
          "id": "CVE-2026-43391",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsfs: tighten permission checks for handle opening\n\nEven privileged services should not necessarily be able to see other\nprivileged services' namespaces so they can't leak information to each\nother. Use the may_see_all_namespaces() helper that centralizes this policy\nuntil the nstree adapts.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43391"
        },
        {
          "id": "CVE-2026-43392",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix starvation of scx_enable() under fair-class saturation\n\nDuring scx_enable(), the READY -> ENABLED task switching loop changes the\ncalling thread's sched_class from fair to ext. Since fair has higher\npriority than ext, saturating fair-class workloads can indefinitely starve\nthe enable thread, hanging the system. This was introduced when the enable\npath switched from preempt_disable() to scx_bypass() which doesn't protect\nagainst fair-class starvation. Note that the original preempt_disable()\nprotection wasn't complete either - in partial switch modes, the calling\nthread could still be starved after preempt_enable() as it may have been\nswitched to ext class.\n\nFix it by offloading the enable body to a dedicated system-wide RT\n(SCHED_FIFO) kthread which cannot be starved by either fair or ext class\ntasks. scx_enable() lazily creates the kthread on first use and passes the\nops pointer through a struct scx_enable_cmd containing the kthread_work,\nthen synchronously waits for completion.\n\nThe workfn runs on a different kthread from sch->helper (which runs\ndisable_work), so it can safely flush disable_work on the error path\nwithout deadlock.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43392"
        },
        {
          "id": "CVE-2026-43393",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()\n\nFix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL,\nwe're not freeing the chunk map that we've just looked up.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43393"
        },
        {
          "id": "CVE-2026-43394",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().\n\nnfsd_nl_listener_set_doit() uses get_current_cred() without\nput_cred().\n\nAs we can see from other callers, svc_xprt_create_from_sa()\ndoes not require the extra refcount.\n\nnfsd_nl_listener_set_doit() is always in the process context,\nsendmsg(), and current->cred does not go away.\n\nLet's use current_cred() in nfsd_nl_listener_set_doit().",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43394"
        },
        {
          "id": "CVE-2026-43395",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/sync: Cleanup partially initialized sync on parse failure\n\nxe_sync_entry_parse() can allocate references (syncobj, fence, chain fence,\nor user fence) before hitting a later failure path. Several of those paths\nreturned directly, leaving partially initialized state and leaking refs.\n\nRoute these error paths through a common free_sync label and call\nxe_sync_entry_cleanup(sync) before returning the error.\n\n(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43395"
        },
        {
          "id": "CVE-2026-43396",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/sync: Fix user fence leak on alloc failure\n\nWhen dma_fence_chain_alloc() fails, properly release the user fence\nreference to prevent a memory leak.\n\n(cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43396"
        },
        {
          "id": "CVE-2026-43397",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: samsung-dsim: Fix memory leak in error path\n\nIn samsung_dsim_host_attach(), drm_bridge_add() is called to add the\nbridge. However, if samsung_dsim_register_te_irq() or\npdata->host_ops->attach() fails afterwards, the function returns\nwithout removing the bridge, causing a memory leak.\n\nFix this by adding proper error handling with goto labels to ensure\ndrm_bridge_remove() is called in all error paths. Also ensure that\nsamsung_dsim_unregister_te_irq() is called if the attach operation\nfails after the TE IRQ has been registered.\n\nsamsung_dsim_unregister_te_irq() function is moved without changes\nto be before samsung_dsim_host_attach() to avoid forward declaration.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43397"
        },
        {
          "id": "CVE-2026-43398",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add upper bound check on user inputs in wait ioctl\n\nHuge input values in amdgpu_userq_wait_ioctl can lead to an OOM and\ncould be exploited.\n\nSo check these input values against AMDGPU_USERQ_MAX_HANDLES\nwhich is a big enough value for genuine use cases and could\npotentially avoid OOM.\n\nv2: squash in Srini's fix\n\n(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43398"
        },
        {
          "id": "CVE-2026-43399",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl\n\nDrop the reference to the syncobj and timeline fence when aborting the ioctl due\nto the output array being too small.\n\n(cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43399"
        },
        {
          "id": "CVE-2026-43400",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add upper bound check on user inputs in signal ioctl\n\nHuge input values in amdgpu_userq_signal_ioctl can lead to an OOM and\ncould be exploited.\n\nSo check these input values against AMDGPU_USERQ_MAX_HANDLES\nwhich is a big enough value for genuine use cases and could\npotentially avoid OOM.\n\n(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43400"
        },
        {
          "id": "CVE-2026-43401",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()\n\nThe update_cpu_qos_request() function attempts to initialize the 'freq'\nvariable by dereferencing 'cpudata' before verifying if the 'policy'\nis valid.\n\nThis issue occurs on systems booted with the \"nosmt\" parameter, where\nall_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,\nany call to update_qos_requests() will result in a NULL pointer\ndereference as the code will attempt to access pstate.turbo_freq using\nthe NULL cpudata pointer.\n\nAlso, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap()\nafter initializing the 'freq' variable, so it is better to defer the\n'freq' until intel_pstate_get_hwp_cap() has been called.\n\nFix this by deferring the 'freq' assignment until after the policy and\ndriver_data have been validated.\n\n[ rjw: Added one paragraph to the changelog ]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43401"
        },
        {
          "id": "CVE-2026-43402",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkthread: consolidate kthread exit paths to prevent use-after-free\n\nGuillaume reported crashes via corrupted RCU callback function pointers\nduring KUnit testing. The crash was traced back to the pidfs rhashtable\nconversion which replaced the 24-byte rb_node with an 8-byte rhash_head\nin struct pid, shrinking it from 160 to 144 bytes.\n\nstruct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With\nCONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to\n192 bytes and share the same slab cache. struct pid.rcu.func and\nstruct kthread.affinity_node both sit at offset 0x78.\n\nWhen a kthread exits via make_task_dead() it bypasses kthread_exit() and\nmisses the affinity_node cleanup. free_kthread_struct() frees the memory\nwhile the node is still linked into the global kthread_affinity_list. A\nsubsequent list_del() by another kthread writes through dangling list\npointers into the freed and reused memory, corrupting the pid's\nrcu.func pointer.\n\nInstead of patching free_kthread_struct() to handle the missed cleanup,\nconsolidate all kthread exit paths. Turn kthread_exit() into a macro\nthat calls do_exit() and add kthread_do_exit() which is called from\ndo_exit() for any task with PF_KTHREAD set. This guarantees that\nkthread-specific cleanup always happens regardless of the exit path -\nmake_task_dead(), direct do_exit(), or kthread_exit().\n\nReplace __to_kthread() with a new tsk_is_kthread() accessor in the\npublic header. Export do_exit() since module code using the\nkthread_exit() macro now needs it directly.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43402"
        },
        {
          "id": "CVE-2026-43403",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsfs: tighten permission checks for ns iteration ioctls\n\nEven privileged services should not necessarily be able to see other\nprivileged services' namespaces so they can't leak information to each\nother. Use the may_see_all_namespaces() helper that centralizes this policy\nuntil the nstree adapts.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43403"
        },
        {
          "id": "CVE-2026-43404",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()->lru_add_drain_all()\nsince lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount > 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43404"
        },
        {
          "id": "CVE-2026-43405",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Use u32 for non-negative values in ceph_monmap_decode()\n\nThis patch fixes unnecessary implicit conversions that change signedness\nof blob_len and num_mon in ceph_monmap_decode().\nCurrently blob_len and num_mon are (signed) int variables. They are used\nto hold values that are always non-negative and get assigned in\nceph_decode_32_safe(), which is meant to assign u32 values. Both\nvariables are subsequently used as unsigned values, and the value of\nnum_mon is further assigned to monmap->num_mon, which is of type u32.\nTherefore, both variables should be of type u32. This is especially\nrelevant for num_mon. If the value read from the incoming message is\nvery large, it is interpreted as a negative value, and the check for\nnum_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to\nallocate a very large chunk of memory for monmap, which will most likely\nfail. In this case, an unnecessary attempt to allocate memory is\nperformed, and -ENOMEM is returned instead of -EINVAL.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43405"
        },
        {
          "id": "CVE-2026-43406",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in process_message_header()\n\nIf the message frame is (maliciously) corrupted in a way that the\nlength of the control segment ends up being less than the size of the\nmessage header or a different frame is made to look like a message\nframe, out-of-bounds reads may ensue in process_message_header().\n\nPerform an explicit bounds check before decoding the message header.",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43406"
        },
        {
          "id": "CVE-2026-43407",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()\n\nThis patch fixes an out-of-bounds access in ceph_handle_auth_reply()\nthat can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In\nceph_handle_auth_reply(), the value of the payload_len field of such a\nmessage is stored in a variable of type int. A value greater than\nINT_MAX leads to an integer overflow and is interpreted as a negative\nvalue. This leads to decrementing the pointer address by this value and\nsubsequently accessing it because ceph_decode_need() only checks that\nthe memory access does not exceed the end address of the allocation.\n\nThis patch fixes the issue by changing the data type of payload_len to\nu32. Additionally, the data type of result_msg_len is changed to u32,\nas it is also a variable holding a non-negative length.\n\nAlso, an additional layer of sanity checks is introduced, ensuring that\ndirectly after reading it from the message, payload_len and\nresult_msg_len are not greater than the overall segment length.\n\nBUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]\nRead of size 4 at addr ffff88811404df14 by task kworker/20:1/262\n\nCPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nWorkqueue: ceph-msgr ceph_con_workfn [libceph]\nCall Trace:\n <TASK>\n dump_stack_lvl+0x76/0xa0\n print_report+0xd1/0x620\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? kasan_complete_mode_report_info+0x72/0x210\n kasan_report+0xe7/0x130\n ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n __asan_report_load_n_noabort+0xf/0x20\n ceph_handle_auth_reply+0x642/0x7a0 [libceph]\n mon_dispatch+0x973/0x23d0 [libceph]\n ? apparmor_socket_recvmsg+0x6b/0xa0\n ? __pfx_mon_dispatch+0x10/0x10 [libceph]\n ? __kasan_check_write+0x14/0x30i\n ? mutex_unlock+0x7f/0xd0\n ? __pfx_mutex_unlock+0x10/0x10\n ? __pfx_do_recvmsg+0x10/0x10 [libceph]\n ceph_con_process_message+0x1f1/0x650 [libceph]\n process_message+0x1e/0x450 [libceph]\n ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]\n ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]\n ? save_fpregs_to_fpstate+0xb0/0x230\n ? raw_spin_rq_unlock+0x17/0xa0\n ? finish_task_switch.isra.0+0x13b/0x760\n ? __switch_to+0x385/0xda0\n ? __kasan_check_write+0x14/0x30\n ? mutex_lock+0x8d/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ceph_con_workfn+0x248/0x10c0 [libceph]\n process_one_work+0x629/0xf80\n ? __kasan_check_write+0x14/0x30\n worker_thread+0x87f/0x1570\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? __pfx_try_to_wake_up+0x10/0x10\n ? kasan_print_address_stack_frame+0x1f7/0x280\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x396/0x830\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ? __kasan_check_write+0x14/0x30\n ? recalc_sigpending+0x180/0x210\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x3f7/0x610\n ? __pfx_ret_from_fork+0x10/0x10\n ? __switch_to+0x385/0xda0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\n[ idryomov: replace if statements with ceph_decode_need() for\n  payload_len and result_msg_len ]",
          "scorev2": "0.0",
          "scorev3": "9.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43407"
        },
        {
          "id": "CVE-2026-43408",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: add a bunch of missing ceph_path_info initializers\n\nceph_mdsc_build_path() must be called with a zero-initialized\nceph_path_info parameter, or else the following\nceph_mdsc_free_path_info() may crash.\n\nExample crash (on Linux 6.18.12):\n\n  virt_to_cache: Object is not a Slab page!\n  WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400\n  [...]\n  Call Trace:\n   [...]\n   ceph_open+0x13d/0x3e0\n   do_dentry_open+0x134/0x480\n   vfs_open+0x2a/0xe0\n   path_openat+0x9a3/0x1160\n  [...]\n  cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info\n  WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400\n  [...]\n  kernel BUG at mm/slub.c:634!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  RIP: 0010:__slab_free+0x1a4/0x350\n\nSome of the ceph_mdsc_build_path() callers had initializers, but\nothers had not, even though they were all added by commit 15f519e9f883\n(\"ceph: fix race condition validating r_parent before applying state\").\nThe ones without initializer are susceptible to random crashes.  (I can\nimagine it could even be possible to exploit this bug to elevate\nprivileges.)\n\nUnfortunately, these Ceph functions are undocumented and their semantics\ncan only be derived from the code.  I see that ceph_mdsc_build_path()\ninitializes the structure only on success, but not on error.\n\nCalling ceph_mdsc_free_path_info() after a failed\nceph_mdsc_build_path() call does not even make sense, but that's what\nall callers do, and for it to be safe, the structure must be\nzero-initialized.  The least intrusive approach to fix this is\ntherefore to add initializers everywhere.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43408"
        },
        {
          "id": "CVE-2026-43409",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: avoid crash when rmmod/insmod after ftrace killed\n\nAfter ftrace is killed by some errors, the kernel crashes if\nwe remove modules in which kprobe probes.\n\nBUG: unable to handle page fault for address: fffffbfff805000d\nPGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nCPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G        W  OE\nTainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nRIP: 0010:kprobes_module_callback+0x89/0x790\nRSP: 0018:ffff88812e157d30 EFLAGS: 00010a02\nRAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90\nRDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a\nR10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002\nR13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040\nFS:  00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n notifier_call_chain+0xc6/0x280\n blocking_notifier_call_chain+0x60/0x90\n __do_sys_delete_module.constprop.0+0x32a/0x4e0\n do_syscall_64+0x5d/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because the kprobe on ftrace does not correctly handle\nthe kprobe_ftrace_disabled flag set by ftrace_kill().\n\nTo prevent this error, check kprobe_ftrace_disabled in\n__disarm_kprobe_ftrace() and skip all ftrace related operations.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43409"
        },
        {
          "id": "CVE-2026-43410",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled\n\nWhen the Remote System Update (RSU) isn't enabled in the First Stage\nBoot Loader (FSBL), the driver encounters a NULL pointer dereference when\nexecuting the svc_normal_to_secure_thread() thread, resulting in a kernel panic:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nMem abort info:\n...\nData abort info:\n...\n[0000000000000008] user address but active_mm is swapper\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT\nHardware name: SoCFPGA Stratix 10 SoCDK (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : svc_normal_to_secure_thread+0x38c/0x990\nlr : svc_normal_to_secure_thread+0x144/0x990\n...\nCall trace:\n svc_normal_to_secure_thread+0x38c/0x990 (P)\n kthread+0x150/0x210\n ret_from_fork+0x10/0x20\nCode: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)\n---[ end trace 0000000000000000 ]---\n\nThe issue occurs because rsu_send_async_msg() fails when RSU is not enabled\nin firmware, causing the channel to be freed via stratix10_svc_free_channel().\nHowever, the probe function continues execution and registers\nsvc_normal_to_secure_thread(), which subsequently attempts to access the\nalready-freed channel, triggering the NULL pointer dereference.\n\nFix this by properly cleaning up the async client and returning early on\nfailure, preventing the thread from being used with an invalid channel.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43410"
        },
        {
          "id": "CVE-2026-43411",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix divide-by-zero in tipc_sk_filter_connect()\n\nA user can set conn_timeout to any value via\nsetsockopt(TIPC_CONN_TIMEOUT), including values less than 4.  When a\nSYN is rejected with TIPC_ERR_OVERLOAD and the retry path in\ntipc_sk_filter_connect() executes:\n\n    delay %= (tsk->conn_timeout / 4);\n\nIf conn_timeout is in the range [0, 3], the integer division yields 0,\nand the modulo operation triggers a divide-by-zero exception, causing a\nkernel oops/panic.\n\nFix this by clamping conn_timeout to a minimum of 4 at the point of use\nin tipc_sk_filter_connect().\n\nOops: divide error: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+\nRIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)\nCall Trace:\n tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)\n __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)\n release_sock (net/core/sock.c:3797)\n tipc_connect (net/tipc/socket.c:2570)\n __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43411"
        },
        {
          "id": "CVE-2026-43412",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start\n\nDuring ADSP stop and start, the kernel crashes due to the order in which\nASoC components are removed.\n\nOn ADSP stop, the q6apm-audio .remove callback unloads topology and removes\nPCM runtimes during ASoC teardown. This deletes the RTDs that contain the\nq6apm DAI components before their removal pass runs, leaving those\ncomponents still linked to the card and causing crashes on the next rebind.\n\nFix this by ensuring that all dependent (child) components are removed\nfirst, and the q6apm component is removed last.\n\n[   48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[   48.114763] Mem abort info:\n[   48.117650]   ESR = 0x0000000096000004\n[   48.121526]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   48.127010]   SET = 0, FnV = 0\n[   48.130172]   EA = 0, S1PTW = 0\n[   48.133415]   FSC = 0x04: level 0 translation fault\n[   48.138446] Data abort info:\n[   48.141422]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[   48.147079]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   48.152354]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000\n[   48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000\n[   48.171530] Internal error: Oops: 0000000096000004 [#1]  SMP\n[   48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core\n[   48.177444]  coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6\n[   48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT\n[   48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)\n[   48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\n[   48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   48.330825] pc : mutex_lock+0xc/0x54\n[   48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]\n[   48.340794] sp : ffff800084ddb7b0\n[   48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00\n[   48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098\n[   48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0\n[   48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff\n[   48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f\n[   48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673\n[   48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001\n[   48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000\n[   48.402854] x5 : 0000000000000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43412"
        },
        {
          "id": "CVE-2026-43413",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Fix NULL pointer exception during user_scan()\n\nuser_scan() invokes updated sas_user_scan() for channel 0, and if\nsuccessful, iteratively scans remaining channels (1 to shost->max_channel)\nvia scsi_scan_host_selected() in commit 37c4e72b0651 (\"scsi: Fix\nsas_user_scan() to handle wildcard and multi-channel scans\"). However,\nhisi_sas supports only one channel, and the current value of max_channel is\n1. sas_user_scan() for channel 1 will trigger the following NULL pointer\nexception:\n\n[  441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0\n[  441.554699] Mem abort info:\n[  441.554710]   ESR = 0x0000000096000004\n[  441.554718]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  441.554723]   SET = 0, FnV = 0\n[  441.554726]   EA = 0, S1PTW = 0\n[  441.554730]   FSC = 0x04: level 0 translation fault\n[  441.554735] Data abort info:\n[  441.554737]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  441.554742]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  441.554747]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000\n[  441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000\n[  441.554769] Internal error: Oops: 0000000096000004 [#1]  SMP\n[  441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod\n[  441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT\n[  441.691327] pstate: 
81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  441.698277] pc : sas_find_dev_by_rphy+0x44/0x118\n[  441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118\n[  441.707502] sp : ffff80009abbba40\n[  441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08\n[  441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00\n[  441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000\n[  441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020\n[  441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff\n[  441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a\n[  441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4\n[  441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030\n[  441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[  441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000\n[  441.782053] Call trace:\n[  441.784488]  sas_find_dev_by_rphy+0x44/0x118 (P)\n[  441.789095]  sas_target_alloc+0x24/0xb0\n[  441.792920]  scsi_alloc_target+0x290/0x330\n[  441.797010]  __scsi_scan_target+0x88/0x258\n[  441.801096]  scsi_scan_channel+0x74/0xb8\n[  441.805008]  scsi_scan_host_selected+0x170/0x188\n[  441.809615]  sas_user_scan+0xfc/0x148\n[  441.813267]  store_scan+0x10c/0x180\n[  441.816743]  dev_attr_store+0x20/0x40\n[  441.820398]  sysfs_kf_write+0x84/0xa8\n[  441.824054]  kernfs_fop_write_iter+0x130/0x1c8\n[  441.828487]  vfs_write+0x2c0/0x370\n[  441.831880]  ksys_write+0x74/0x118\n[  441.835271]  __arm64_sys_write+0x24/0x38\n[  441.839182]  invoke_syscall+0x50/0x120\n[  441.842919]  el0_svc_common.constprop.0+0xc8/0xf0\n[  441.847611]  do_el0_svc+0x24/0x38\n[  441.850913]  el0_svc+0x38/0x158\n[  441.854043]  el0t_64_sync_handler+0xa0/0xe8\n[  441.858214]  el0t_64_sync+0x1ac/0x1b0\n[  441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 
(f9445a75)\n[  441.867946] ---[ end trace 0000000000000000 ]---\n\nTherefore\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43413"
        },
        {
          "id": "CVE-2026-43415",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend\n\nIn __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel\nthe UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,\nPOST_CHANGE). This creates a race condition where ufshcd_rtc_work() can\nstill be running while ufshcd_vops_suspend() is executing. When\nUFSHCD_CAP_CLK_GATING is not supported, the condition\n!hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()\nto be executed. Since ufshcd_vops_suspend() typically performs clock\ngating operations, executing ufshcd_update_rtc() at that moment triggers\nan SError. The kernel panic trace is as follows:\n\nKernel panic - not syncing: Asynchronous SError Interrupt\nCall trace:\n dump_backtrace+0xec/0x128\n show_stack+0x18/0x28\n dump_stack_lvl+0x40/0xa0\n dump_stack+0x18/0x24\n panic+0x148/0x374\n nmi_panic+0x3c/0x8c\n arm64_serror_panic+0x64/0x8c\n do_serror+0xc4/0xc8\n el1h_64_error_handler+0x34/0x4c\n el1h_64_error+0x68/0x6c\n el1_interrupt+0x20/0x58\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x68/0x6c\n ktime_get+0xc4/0x12c\n ufshcd_mcq_sq_stop+0x4c/0xec\n ufshcd_mcq_sq_cleanup+0x64/0x1dc\n ufshcd_clear_cmd+0x38/0x134\n ufshcd_issue_dev_cmd+0x298/0x4d0\n ufshcd_exec_dev_cmd+0x1a4/0x1c4\n ufshcd_query_attr+0xbc/0x19c\n ufshcd_rtc_work+0x10c/0x1c8\n process_scheduled_works+0x1c4/0x45c\n worker_thread+0x32c/0x3e8\n kthread+0x120/0x1d8\n ret_from_fork+0x10/0x20\n\nFix this by moving cancel_delayed_work_sync() before the call to\nufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is\nfully completed or cancelled at that point.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43415"
        },
        {
          "id": "CVE-2026-43416",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc, perf: Check that current->mm is alive before getting user callchain\n\nIt may happen that mm is already released, which leads to kernel panic.\nThis adds the NULL check for current->mm, similarly to\ncommit 20afc60f892d (\"x86, perf: Check that current->mm is alive before getting user callchain\").\n\nI was getting this panic when running a profiling BPF program\n(profile.py from bcc-tools):\n\n    [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0)\n    [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588\n    [26215.051952] Faulting instruction address: 0xc00000000020fac0\n    [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1]\n    [...]\n    [26215.052049] Call Trace:\n    [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable)\n    [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30\n    [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360\n    [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0\n    [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274\n    [...]\n\nIn addition, move storing the top-level stack entry to generic\nperf_callchain_user to make sure the top-level entry is always captured,\neven if current->mm is NULL.\n\n[Maddy: fixed message to avoid checkpatch format style error]",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43416"
        },
        {
          "id": "CVE-2026-43417",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/mmcid: Handle vfork()/CLONE_VM correctly\n\nMatthieu and Jiri reported stalls where a task endlessly loops in\nmm_get_cid() when scheduling in.\n\nIt turned out that the logic which handles vfork()'ed tasks is broken. It\nis invoked when the number of tasks associated to a process is smaller than\nthe number of MMCID users. It then walks the task list to find the\nvfork()'ed task, but accounts all the already processed tasks as well.\n\nIf that double processing brings the number of to be handled tasks to 0,\nthe walk stops and the vfork()'ed task's CID is not fixed up. As a\nconsequence a subsequent schedule in fails to acquire a (transitional) CID\nand the machine stalls.\n\nCure this by removing the accounting condition and make the fixup always\nwalk the full task list if it could not find the exact number of users in\nthe process' thread list.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43417"
        },
        {
          "id": "CVE-2026-43418",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/mmcid: Prevent CID stalls due to concurrent forks\n\nA newly forked task is accounted as MMCID user before the task is visible\nin the process' thread list and the global task list. This creates the\nfollowing problem:\n\n CPU1\t\t\tCPU2\n fork()\n   sched_mm_cid_fork(tnew1)\n     tnew1->mm.mm_cid_users++;\n     tnew1->mm_cid.cid = getcid()\n-> preemption\n\t\t\tfork()\n\t\t\t  sched_mm_cid_fork(tnew2)\n\t\t\t    tnew2->mm.mm_cid_users++;\n                            // Reaches the per CPU threshold\n\t\t\t    mm_cid_fixup_tasks_to_cpus()\n\t\t\t    for_each_other(current, p)\n\t\t\t         ....\n\nAs tnew1 is not visible yet, this fails to fix up the already allocated CID\nof tnew1. As a consequence a subsequent schedule in might fail to acquire a\n(transitional) CID and the machine stalls.\n\nMove the invocation of sched_mm_cid_fork() after the new task becomes\nvisible in the thread and the task list to prevent this.\n\nThis also makes it symmetrical vs. exit() where the task is removed as CID\nuser before the task is removed from the thread and task lists.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43418"
        },
        {
          "id": "CVE-2026-43419",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leaks in ceph_mdsc_build_path()\n\nAdd __putname() calls to error code paths that did not free the \"path\"\npointer obtained by __getname().  If ownership of this pointer is not\npassed to the caller via path_info.path, the function must free it\nbefore returning.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43419"
        },
        {
          "id": "CVE-2026-43420",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix i_nlink underrun during async unlink\n\nDuring async unlink, we drop the `i_nlink` counter before we receive\nthe completion (that will eventually update the `i_nlink`) because \"we\nassume that the unlink will succeed\".  That is not a bad idea, but it\nraces against deletions by other clients (or against the completion of\nour own unlink) and can lead to an underrun which emits a WARNING like\nthis one:\n\n WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68\n Modules linked in:\n CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655\n Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023\n pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : drop_nlink+0x50/0x68\n lr : ceph_unlink+0x6c4/0x720\n sp : ffff80012173bc90\n x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680\n x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647\n x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203\n x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365\n x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec\n x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74\n x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94\n x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002\n x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8\n Call trace:\n  drop_nlink+0x50/0x68 (P)\n  vfs_unlink+0xb0/0x2e8\n  do_unlinkat+0x204/0x288\n  __arm64_sys_unlinkat+0x3c/0x80\n  invoke_syscall.constprop.0+0x54/0xe8\n  do_el0_svc+0xa4/0xc8\n  el0_svc+0x18/0x58\n  el0t_64_sync_handler+0x104/0x130\n  el0t_64_sync+0x154/0x158\n\nIn ceph_unlink(), a call to ceph_mdsc_submit_request() submits the\nCEPH_MDS_OP_UNLINK to the MDS, but does not wait for 
completion.\n\nMeanwhile, between this call and the following drop_nlink() call, a\nworker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or\njust a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own\ncompletion).  These will lead to a set_nlink() call, updating the\n`i_nlink` counter to the value received from the MDS.  If that new\n`i_nlink` value happens to be zero, it is illegal to decrement it\nfurther.  But that is exactly what ceph_unlink() will do then.\n\nThe WARNING can be reproduced this way:\n\n1. Force async unlink; only the async code path is affected.  Having\n   no real clue about Ceph internals, I was unable to find out why the\n   MDS wouldn't give me the \"Fxr\" capabilities, so I patched\n   get_caps_for_async_unlink() to always succeed.\n\n   (Note that the WARNING dump above was found on an unpatched kernel,\n   without this kludge - this is not a theoretical bug.)\n\n2. Add a sleep call after ceph_mdsc_submit_request() so the unlink\n   completion gets handled by a worker thread before drop_nlink() is\n   called.  This guarantees that the `i_nlink` is already zero before\n   drop_nlink() runs.\n\nThe solution is to skip the counter decrement when it is already zero,\nbut doing so without a lock is still racy (TOCTOU).  Since\nceph_fill_inode() and handle_cap_grant() both hold the\n`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this\nseems like the proper lock to protect the `i_nlink` updates.\n\nI found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using\n`afs_vnode.cb_lock`).  All three have the zero check as well.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43420"
        },
        {
          "id": "CVE-2026-43421",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix net_device lifecycle with device_move\n\nThe network device outlived its parent gadget device during\ndisconnection, resulting in dangling sysfs links and null pointer\ndereference problems.\n\nA prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]\nwas reverted due to power management ordering concerns and a NO-CARRIER\nregression.\n\nA subsequent attempt to defer net_device allocation to bind [2] broke\n1:1 mapping between function instance and network device, making it\nimpossible for configfs to report the resolved interface name. This\nresults in a regression where the DHCP server fails on pmOS.\n\nUse device_move to reparent the net_device between the gadget device and\n/sys/devices/virtual/ across bind/unbind cycles. This preserves the\nnetwork interface across USB reconnection, allowing the DHCP server to\nretain their binding.\n\nIntroduce gether_attach_gadget()/gether_detach_gadget() helpers and use\n__free(detach_gadget) macro to undo attachment on bind failure. The\nbind_count ensures device_move executes only on the first bind.\n\n[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/\n[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43421"
        },
        {
          "id": "CVE-2026-43422",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: legacy: ncm: Fix NPE in gncm_bind\n\nCommit 56a512a9b410 (\"usb: gadget: f_ncm: align net_device lifecycle\nwith bind/unbind\") deferred the allocation of the net_device. This\nchange leads to a NULL pointer dereference in the legacy NCM driver as\nit attempts to access the net_device before it's fully instantiated.\n\nStore the provided qmult, host_addr, and dev_addr into the struct\nncm_opts->net_opts during gncm_bind(). These values will be properly\napplied to the net_device when it is allocated and configured later in\nthe binding process by the NCM function driver.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43422"
        },
        {
          "id": "CVE-2026-43423",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix atomic context locking issue\n\nThe ncm_set_alt function was holding a mutex to protect against races\nwith configfs, which invokes the might-sleep function inside an atomic\ncontext.\n\nRemove the struct net_device pointer from the f_ncm_opts structure to\neliminate the contention. The connection state is now managed by a new\nboolean flag to preserve the use-after-free fix from\ncommit 6334b8e4553c (\"usb: gadget: f_ncm: Fix UAF ncm object at re-bind\nafter usb ep transport error\").\n\nBUG: sleeping function called from invalid context\nCall Trace:\n dump_stack_lvl+0x83/0xc0\n dump_stack+0x14/0x16\n __might_resched+0x389/0x4c0\n __might_sleep+0x8e/0x100\n ...\n __mutex_lock+0x6f/0x1740\n ...\n ncm_set_alt+0x209/0xa40\n set_config+0x6b6/0xb40\n composite_setup+0x734/0x2b40\n ...",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43423"
        },
        {
          "id": "CVE-2026-43424",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling\n\nThe `tpg->tpg_nexus` pointer in the USB Target driver is dynamically\nmanaged and tied to userspace configuration via ConfigFS. It can be\nNULL if the USB host sends requests before the nexus is fully\nestablished or immediately after it is dropped.\n\nCurrently, functions like `bot_submit_command()` and the data\ntransfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately\ndereference `tv_nexus->tvn_se_sess` without any validation. If a\nmalicious or misconfigured USB host sends a BOT (Bulk-Only Transport)\ncommand during this race window, it triggers a NULL pointer\ndereference, leading to a kernel panic (local DoS).\n\nThis exposes an inconsistent API usage within the module, as peer\nfunctions like `usbg_submit_command()` and `bot_send_bad_response()`\ncorrectly implement a NULL check for `tv_nexus` before proceeding.\n\nFix this by bringing consistency to the nexus handling. Add the\nmissing `if (!tv_nexus)` checks to the vulnerable BOT command and\nrequest processing paths, aborting the command gracefully with an\nerror instead of crashing the system.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43424"
        },
        {
          "id": "CVE-2026-43425",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: image: mdc800: kill download URB on timeout\n\nmdc800_device_read() submits download_urb and waits for completion.\nIf the timeout fires and the device has not responded, the function\nreturns without killing the URB, leaving it active.\n\nA subsequent read() resubmits the same URB while it is still\nin-flight, triggering the WARN in usb_submit_urb():\n\n  \"URB submitted while active\"\n\nCheck the return value of wait_event_timeout() and kill the URB if\nit indicates timeout, ensuring the URB is complete before its status\nis inspected or the URB is resubmitted.\n\nSimilar to\n- commit 372c93131998 (\"USB: yurex: fix control-URB timeout handling\")\n- commit b98d5000c505 (\"media: rc: iguanair: handle timeouts\")",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43425"
        },
        {
          "id": "CVE-2026-43426",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43426"
        },
        {
          "id": "CVE-2026-43427",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: class: cdc-wdm: fix reordering issue in read code path\n\nQuoting the bug report:\n\nDue to compiler optimization or CPU out-of-order execution, the\ndesc->length update can be reordered before the memmove. If this\nhappens, wdm_read() can see the new length and call copy_to_user() on\nuninitialized memory. This also violates LKMM data race rules [1].\n\nFix it by using WRITE_ONCE and memory barriers.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43427"
        },
        {
          "id": "CVE-2026-43428",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Limit the length of unkillable synchronous timeouts\n\nThe usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in\nusbcore allow unlimited timeout durations.  And since they use\nuninterruptible waits, this leaves open the possibility of hanging a\ntask for an indefinitely long time, with no way to kill it short of\nunplugging the target device.\n\nTo prevent this sort of problem, enforce a maximum limit on the length\nof these unkillable timeouts.  The limit chosen here, somewhat\narbitrarily, is 60 seconds.  On many systems (although not all) this\nis short enough to avoid triggering the kernel's hung-task detector.\n\nIn addition, clear up the ambiguity of negative timeout values by\ntreating them the same as 0, i.e., using the maximum allowed timeout.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43428"
        },
        {
          "id": "CVE-2026-43429",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts\n\nThe usbtmc driver accepts timeout values specified by the user in an\nioctl command, and uses these timeouts for some usb_bulk_msg() calls.\nSince the user can specify arbitrarily long timeouts and\nusb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()\ninstead to avoid the possibility of the user hanging a kernel thread\nindefinitely.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43429"
        },
        {
          "id": "CVE-2026-43430",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: yurex: fix race in probe\n\nThe bbu member of the descriptor must be set to the value\nstanding for uninitialized values before the URB whose\ncompletion handler sets bbu is submitted. Otherwise there is\na window during which probing can overwrite already retrieved\ndata.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43430"
        },
        {
          "id": "CVE-2026-43431",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix NULL pointer dereference when reading portli debugfs files\n\nMichal reported and debugged a NULL pointer dereference bug in the\nrecently added portli debugfs files.\n\nOops is caused when there are more port registers counted in\nxhci->max_ports than ports reported by Supported Protocol capabilities.\nThis is possible if max_ports is more than maximum port number, or\nif there are gaps between ports of different speeds in the 'Supported\nProtocol' capabilities.\n\nIn such cases port->rhub will be NULL so we can't reach xhci behind it.\nAdd an explicit NULL check for this case, and print portli in hex\nwithout dereferencing port->rhub.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43431"
        },
        {
          "id": "CVE-2026-43432",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix memory leak in xhci_disable_slot()\n\nxhci_alloc_command() allocates a command structure and, when the\nsecond argument is true, also allocates a completion structure.\nCurrently, the error handling path in xhci_disable_slot() only frees\nthe command structure using kfree(), causing the completion structure\nto leak.\n\nUse xhci_free_command() instead of kfree(). xhci_free_command() correctly\nfrees both the command structure and the associated completion structure.\nSince the command structure is allocated with zero-initialization,\ncommand->in_ctx is NULL and will not be erroneously freed by\nxhci_free_command().\n\nThis bug was found using an experimental static analysis tool we are\ndeveloping. The tool is based on the LLVM framework and is specifically\ndesigned to detect memory management issues. It is currently under\nactive development and not yet publicly available, but we plan to\nopen-source it after our research is published.\n\nThe bug was originally detected on v6.13-rc1 using our static analysis\ntool, and we have verified that the issue persists in the latest mainline\nkernel.\n\nWe performed build testing on x86_64 with allyesconfig using GCC=11.4.0.\nSince triggering these error paths in xhci_disable_slot() requires specific\nhardware conditions or abnormal state, we were unable to construct a test\ncase to reliably trigger these specific error paths at runtime.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43432"
        },
        {
          "id": "CVE-2026-43433",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: avoid reading the written value in offsets array\n\nWhen sending a transaction, its offsets array is first copied into the\ntarget proc's vma, and then the values are read back from there. This is\nnormally fine because the vma is a read-only mapping, so the target\nprocess cannot change the value under us.\n\nHowever, if the target process somehow gains the ability to write to its\nown vma, it could change the offset before it's read back, causing the\nkernel to misinterpret what the sender meant. If the sender happens to\nsend a payload with a specific shape, this could in the worst case lead\nto the receiver being able to privilege escalate into the sender.\n\nThe intent is that gaining the ability to change the read-only vma of\nyour own process should not be exploitable, so remove this TOCTOU read\neven though it's unexploitable without another Binder bug.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43433"
        },
        {
          "id": "CVE-2026-43434",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: check ownership before using vma\n\nWhen installing missing pages (or zapping them), Rust Binder will look\nup the vma in the mm by address, and then call vm_insert_page (or\nzap_page_range_single). However, if the vma is closed and replaced with\na different vma at the same address, this can lead to Rust Binder\ninstalling pages into the wrong vma.\n\nBy installing the page into a writable vma, it becomes possible to write\nto your own binder pages, which are normally read-only. Although you're\nnot supposed to be able to write to those pages, the intent behind the\ndesign of Rust Binder is that even if you get that ability, it should not\nlead to anything bad. Unfortunately, due to another bug, that is not the\ncase.\n\nTo fix this, store a pointer in vm_private_data and check that the vma\nreturned by vma_lookup() has the right vm_ops and vm_private_data before\ntrying to use the vma. This should ensure that Rust Binder will refuse\nto interact with any other VMA. The plan is to introduce more vma\nabstractions to avoid this unsafe access to vm_ops and vm_private_data,\nbut for now let's start with the simplest possible fix.\n\nC Binder performs the same check in a slightly different way: it\nprovides a vm_ops->close that sets a boolean to true, then checks that\nboolean after calling vma_lookup(), but this is more fragile\nthan the solution in this patch. (We probably still want to do both, but\nthe vm_ops->close callback will be added later as part of the follow-up\nvma API changes.)\n\nIt's still possible to remap the vma so that pages appear in the right\nvma, but at the wrong offset, but this is a separate issue and will be\nfixed when Rust Binder gets a vm_ops->close callback.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43434"
        },
        {
          "id": "CVE-2026-43435",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: fix oneway spam detection\n\nThe spam detection logic in TreeRange was executed before the current\nrequest was inserted into the tree. So the new request was not being\nfactored in the spam calculation. Fix this by moving the logic after\nthe new range has been inserted.\n\nAlso, the detection logic for ArrayRange was missing altogether which\nmeant large spamming transactions could get away without being detected.\nFix this by implementing an equivalent low_oneway_space() in ArrayRange.\n\nNote that I looked into centralizing this logic in RangeAllocator but\niterating through 'state' and 'size' got a bit too complicated (for me)\nand I abandoned this effort.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43435"
        },
        {
          "id": "CVE-2026-43436",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces\n\nThe Scarlett2 mixer quirk in USB-audio driver may hit a NULL\ndereference when a malformed USB descriptor is passed, since it\nassumes the presence of an endpoint in the parsed interface in\nscarlett2_find_fc_interface(), as reported by fuzzer.\n\nFor avoiding the NULL dereference, just add the sanity check of\nbNumEndpoints and skip the invalid interface.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43436"
        },
        {
          "id": "CVE-2026-43437",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()\n\nIn the drain loop, the local variable 'runtime' is reassigned to a\nlinked stream's runtime (runtime = s->runtime at line 2157).  After\nreleasing the stream lock at line 2169, the code accesses\nruntime->no_period_wakeup, runtime->rate, and runtime->buffer_size\n(lines 2170-2178) \u2014 all referencing the linked stream's runtime without\nany lock or refcount protecting its lifetime.\n\nA concurrent close() on the linked stream's fd triggers\nsnd_pcm_release_substream() \u2192 snd_pcm_drop() \u2192 pcm_release_private()\n\u2192 snd_pcm_unlink() \u2192 snd_pcm_detach_substream() \u2192 kfree(runtime).\nNo synchronization prevents kfree(runtime) from completing while the\ndrain path dereferences the stale pointer.\n\nFix by caching the needed runtime fields (no_period_wakeup, rate,\nbuffer_size) into local variables while still holding the stream lock,\nand using the cached values after the lock is released.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43437"
        },
        {
          "id": "CVE-2026-43438",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Remove redundant css_put() in scx_cgroup_init()\n\nThe iterator css_for_each_descendant_pre() walks the cgroup hierarchy\nunder cgroup_lock(). It does not increment the reference counts on\nyielded css structs.\n\nAccording to the cgroup documentation, css_put() should only be used\nto release a reference obtained via css_get() or css_tryget_online().\nSince the iterator does not use either of these to acquire a reference,\ncalling css_put() in the error path of scx_cgroup_init() causes a\nrefcount underflow.\n\nRemove the unbalanced css_put() to prevent a potential Use-After-Free\n(UAF) vulnerability.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43438"
        },
        {
          "id": "CVE-2026-43439",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: fix race between task migration and iteration\n\nWhen a task is migrated out of a css_set, cgroup_migrate_add_task()\nfirst moves it from cset->tasks to cset->mg_tasks via:\n\n    list_move_tail(&task->cg_list, &cset->mg_tasks);\n\nIf a css_task_iter currently has it->task_pos pointing to this task,\ncss_set_move_task() calls css_task_iter_skip() to keep the iterator\nvalid. However, since the task has already been moved to ->mg_tasks,\nthe iterator is advanced relative to the mg_tasks list instead of the\noriginal tasks list. As a result, remaining tasks on cset->tasks, as\nwell as tasks queued on cset->mg_tasks, can be skipped by iteration.\n\nFix this by calling css_set_skip_task_iters() before unlinking\ntask->cg_list from cset->tasks. This advances all active iterators to\nthe next task on cset->tasks, so iteration continues correctly even\nwhen a task is concurrently being migrated.\n\nThis race is hard to hit in practice without instrumentation, but it\ncan be reproduced by artificially slowing down cgroup_procs_show().\nFor example, on an Android device a temporary\n/sys/kernel/cgroup/cgroup_test knob can be added to inject a delay\ninto cgroup_procs_show(), and then:\n\n  1) Spawn three long-running tasks (PIDs 101, 102, 103).\n  2) Create a test cgroup and move the tasks into it.\n  3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.\n  4) In one shell, read cgroup.procs from the test cgroup.\n  5) Within the delay window, in another shell migrate PID 102 by\n     writing it to a different cgroup.procs file.\n\nUnder this setup, cgroup.procs can intermittently show only PID 101\nwhile skipping PID 103. Once the migration completes, reading the\nfile again shows all tasks as expected.\n\nNote that this change does not allow removing the existing\ncss_set_skip_task_iters() call in css_set_move_task(). The new call\nin cgroup_migrate_add_task() only handles iterators that are racing\nwith migration while the task is still on cset->tasks. Iterators may\nalso start after the task has been moved to cset->mg_tasks. If we\ndropped css_set_skip_task_iters() from css_set_move_task(), such\niterators could keep task_pos pointing to a migrating task, causing\ncss_task_iter_advance() to malfunction on the destination css_set,\nup to and including crashes or infinite loops.\n\nThe race window between migration and iteration is very small, and\ncss_task_iter is not on a hot path. In the worst case, when an\niterator is positioned on the first thread of the migrating process,\ncgroup_migrate_add_task() may have to skip multiple tasks via\ncss_set_skip_task_iters(). However, this only happens when migration\nand iteration actually race, so the performance impact is negligible\ncompared to the correctness fix provided here.",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43439"
        },
        {
          "id": "CVE-2026-43440",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mana: Null service_wq on setup error to prevent double destroy\n\nIn mana_gd_setup() error path, set gc->service_wq to NULL after\ndestroy_workqueue() to match the cleanup in mana_gd_cleanup().\nThis prevents a use-after-free if the workqueue pointer is checked\nafter a failed setup.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43440"
        },
        {
          "id": "CVE-2026-43441",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If bonding ARP/NS validation is enabled, an IPv6\nNS/NA packet received on a slave can reach bond_validate_na(), which\ncalls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can\ncrash in __ipv6_chk_addr_and_flags().\n\n BUG: kernel NULL pointer dereference, address: 00000000000005d8\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170\n Call Trace:\n  <IRQ>\n  ipv6_chk_addr+0x1f/0x30\n  bond_validate_na+0x12e/0x1d0 [bonding]\n  ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n  bond_rcv_validate+0x1a0/0x450 [bonding]\n  bond_handle_frame+0x5e/0x290 [bonding]\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  __netif_receive_skb_core.constprop.0+0x3e8/0xe50\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? update_cfs_rq_load_avg+0x1a/0x240\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? __enqueue_entity+0x5e/0x240\n  __netif_receive_skb_one_core+0x39/0xa0\n  process_backlog+0x9c/0x150\n  __napi_poll+0x30/0x200\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  net_rx_action+0x338/0x3b0\n  handle_softirqs+0xc9/0x2a0\n  do_softirq+0x42/0x60\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x62/0x70\n  __dev_queue_xmit+0x2d3/0x1000\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? packet_parse_headers+0x10a/0x1a0\n  packet_sendmsg+0x10da/0x1700\n  ? kick_pool+0x5f/0x140\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? __queue_work+0x12d/0x4f0\n  __sys_sendto+0x1f3/0x220\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x101/0xf80\n  ? exc_page_fault+0x6e/0x170\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  </TASK>\n\nFix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to\nbond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()\nand avoid the path to ipv6_chk_addr().",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43441"
        },
        {
          "id": "CVE-2026-43442",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops\n\nWhen IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY,\nthe boundary check for 128-byte SQE operations in io_init_req()\nvalidated the logical SQ head position rather than the physical SQE\nindex.\n\nThe existing check:\n\n  !(ctx->cached_sq_head & (ctx->sq_entries - 1))\n\nensures the logical position isn't at the end of the ring, which is\ncorrect for NO_SQARRAY rings where physical == logical. However, when\nsq_array is present, an unprivileged user can remap any logical\nposition to an arbitrary physical index via sq_array. Setting\nsq_array[N] = sq_entries - 1 places a 128-byte operation at the last\nphysical SQE slot, causing the 128-byte memcpy in\nio_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE\narray.\n\nReplace the cached_sq_head alignment check with a direct validation\nof the physical SQE index, which correctly handles both sq_array and\nNO_SQARRAY cases.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43442"
        },
        {
          "id": "CVE-2026-43443",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp-mach-common: Add missing error check for clock acquisition\n\nThe acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not\ncheck the return values of clk_get(). This could lead to a kernel crash\nwhen the invalid pointers are later dereferenced by clock core\nfunctions.\n\nFix this by:\n1. Changing clk_get() to the device-managed devm_clk_get().\n2. Adding IS_ERR() checks immediately after each clock acquisition.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43443"
        },
        {
          "id": "CVE-2026-43444",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Unreserve bo if queue update failed\n\nError handling path should unreserve bo then return failed.\n\n(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33)",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43444"
        },
        {
          "id": "CVE-2026-43445",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000/e1000e: Fix leak in DMA error cleanup\n\nIf an error is encountered while mapping TX buffers, the driver should\nunmap any buffers already mapped for that skb.\n\nBecause count is incremented after a successful mapping, it will always\nmatch the correct number of unmappings needed when dma_error is reached.\nDecrementing count before the while loop in dma_error causes an\noff-by-one error. If any mapping was successful before an unsuccessful\nmapping, exactly one DMA mapping would leak.\n\nIn these commits, a faulty while condition caused an infinite loop in\ndma_error:\nCommit 03b1320dfcee (\"e1000e: remove use of skb_dma_map from e1000e\ndriver\")\nCommit 602c0554d7b0 (\"e1000: remove use of skb_dma_map from e1000 driver\")\n\nCommit c1fa347f20f1 (\"e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of\nunsigned in *_tx_map()\") fixed the infinite loop, but introduced the\noff-by-one error.\n\nThis issue may still exist in the igbvf driver, but I did not address it\nin this patch.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43445"
        },
        {
          "id": "CVE-2026-43446",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix runtime suspend deadlock when there is pending job\n\nThe runtime suspend callback drains the running job workqueue before\nsuspending the device. If a job is still executing and calls\npm_runtime_resume_and_get(), it can deadlock with the runtime suspend\npath.\n\nFix this by moving pm_runtime_resume_and_get() from the job execution\nroutine to the job submission routine, ensuring the device is resumed\nbefore the job is queued and avoiding the deadlock during runtime\nsuspend.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43446"
        },
        {
          "id": "CVE-2026-43447",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix PTP use-after-free during reset\n\nCommit 7c01dbfc8a1c5f (\"iavf: periodically cache PHC time\") introduced a\nworker to cache PHC time, but failed to stop it during reset or disable.\n\nThis creates a race condition where `iavf_reset_task()` or\n`iavf_disable_vf()` free adapter resources (AQ) while the worker is still\nrunning. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it\naccesses freed memory/locks, leading to a crash.\n\nFix this by calling `iavf_ptp_release()` before tearing down the adapter.\nThis ensures `ptp_clock_unregister()` synchronously cancels the worker and\ncleans up the chardev before the backing resources are destroyed.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43447"
        },
        {
          "id": "CVE-2026-43448",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix race bug in nvme_poll_irqdisable()\n\nIn the following scenario, pdev can be disabled between (1) and (3) by\n(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will\nreturn MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).\nThis causes IRQ warning because it tries to enable INTx IRQ that has\nnever been disabled before.\n\nTo fix this, save IRQ number into a local variable and ensure\ndisable_irq() and enable_irq() operate on the same IRQ number.  Even if\npci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and\nenable_irq() on a stale IRQ number is still valid and safe, and the\ndepth accounting remains balanced.\n\ntask 1:\nnvme_poll_irqdisable()\n  disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)\n  enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector))  ...(3)\n\ntask 2:\nnvme_reset_work()\n  nvme_dev_disable()\n    pdev->msix_enable = 0;  ...(2)\n\ncrash log:\n\n------------[ cut here ]------------\nUnbalanced enable for IRQ 10\nWARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26\nModules linked in:\nCPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753\nCode: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9\nRSP: 0018:ffffc900001bf550 EFLAGS: 00010046\nRAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90\nRDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0\nRBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000\nR13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293\nFS:  0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0\nCall Trace:\n <TASK>\n enable_irq+0x121/0x1e0 kernel/irq/manage.c:797\n nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494\n nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744\n blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]\n blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721\n bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292\n __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]\n sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]\n bt_for_each block/blk-mq-tag.c:324 [inline]\n blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536\n blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\nirq event stamp: 74478\nhardirqs last  enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]\nhardirqs last  enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202\nhardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]\nhardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162\nsoftirqs last  enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]\nsoftirqs last  enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]\nsoftirqs last  enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "4.7",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43448"
        },
        {
          "id": "CVE-2026-43449",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set\n\ndev->online_queues is a count incremented in nvme_init_queue. Thus,\nvalid indices are 0 through dev->online_queues \u2212 1.\n\nThis patch fixes the loop condition to ensure the index stays within the\nvalid range. Index 0 is excluded because it is the admin queue.\n\nKASAN splat:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\nRead of size 2 at addr ffff88800592a574 by task kworker/u8:5/74\n\nCPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: nvme-reset-wq nvme_reset_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x5d0 mm/kasan/report.c:482\n kasan_report+0xdc/0x110 mm/kasan/report.c:595\n __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379\n nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\n nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\n nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 34 on cpu 1 at 4.241550s:\n kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57\n kasan_save_track+0x1c/0x70 mm/kasan/common.c:78\n kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663\n kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]\n nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]\n nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534\n local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324\n pci_call_probe drivers/pci/pci-driver.c:392 [inline]\n __pci_device_probe drivers/pci/pci-driver.c:417 [inline]\n pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451\n call_driver_probe drivers/base/dd.c:583 [inline]\n really_probe+0x29b/0xb70 drivers/base/dd.c:661\n __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803\n driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833\n __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159\n async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff88800592a000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 244 bytes to the right of\n allocated 1152-byte region [ffff88800592a000, ffff88800592a480)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: f5(slab)\nraw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000\nhead: 000fffffc0000040 ffff888001042000 00000\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43449"
        },
        {
          "id": "CVE-2026-43450",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body.  When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared.  The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it.  Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n  nfnl_cthelper_dump_table+0x9f/0x1b0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  sock_recvmsg+0xde/0xf0\n  __sys_recvfrom+0x150/0x200\n  __x64_sys_recvfrom+0x76/0x90\n  do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n  __kvmalloc_node_noprof+0x21b/0x700\n  nf_ct_alloc_hashtable+0x65/0xd0\n  nf_conntrack_helper_init+0x21/0x60\n  nf_conntrack_init_start+0x18d/0x300\n  nf_conntrack_standalone_init+0x12/0xc0",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43450"
        },
        {
          "id": "CVE-2026-43451",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: fix entry leak in bridge verdict error path\n\nnfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue\nentry from the queue data structures, taking ownership of the entry.\nFor PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN\nattributes.  If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN\npresent but NFQA_VLAN_TCI missing), the function returns immediately\nwithout freeing the dequeued entry or its sk_buff.\n\nThis leaks the nf_queue_entry, its associated sk_buff, and all held\nreferences (net_device refcounts, struct net refcount).  Repeated\ntriggering exhausts kernel memory.\n\nFix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict\non the error path, consistent with other error handling in this file.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43451"
        },
        {
          "id": "CVE-2026-43452",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: guard option walkers against 1-byte tail reads\n\nWhen the last byte of options is a non-single-byte option kind, walkers\nthat advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end\nof the option area.\n\nAdd an explicit i == optlen - 1 check before dereferencing op[i + 1]\nin xt_tcpudp and xt_dccp option walkers.",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43452"
        },
        {
          "id": "CVE-2026-43453",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()\n\npipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the\nto_offset argument on every iteration, including the last one where\ni == m->field_count - 1. This reads one element past the end of the\nstack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]\nwith NFT_PIPAPO_MAX_FIELDS == 16).\n\nAlthough pipapo_unmap() returns early when is_last is true without\nusing the to_offset value, the argument is evaluated at the call site\nbefore the function body executes, making this a genuine out-of-bounds\nstack read confirmed by KASAN:\n\n  BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]\n  Read of size 4 at addr ffff8000810e71a4\n\n  This frame has 1 object:\n   [32, 160) 'rulemap'\n\n  The buggy address is at offset 164 -- exactly 4 bytes past the end\n  of the rulemap array.\n\nPass 0 instead of rulemap[i + 1].n on the last iteration to avoid\nthe out-of-bounds read.",
          "scorev2": "0.0",
          "scorev3": "7.1",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43453"
        },
        {
          "id": "CVE-2026-43454",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix for duplicate device in netdev hooks\n\nWhen handling NETDEV_REGISTER notification, duplicate device\nregistration must be avoided since the device may have been added by\nnft_netdev_hook_alloc() already when creating the hook.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43454"
        },
        {
          "id": "CVE-2026-43455",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: route: hold key->lock in mctp_flow_prepare_output()\n\nmctp_flow_prepare_output() checks key->dev and may call\nmctp_dev_set_key(), but it does not hold key->lock while doing so.\n\nmctp_dev_set_key() and mctp_dev_release_key() are annotated with\n__must_hold(&key->lock), so key->dev access is intended to be\nserialized by key->lock. The mctp_sendmsg() transmit path reaches\nmctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()\nwithout holding key->lock, so the check-and-set sequence is racy.\n\nExample interleaving:\n\n  CPU0                                  CPU1\n  ----                                  ----\n  mctp_flow_prepare_output(key, devA)\n    if (!key->dev)  // sees NULL\n                                        mctp_flow_prepare_output(\n                                            key, devB)\n                                          if (!key->dev)  // still NULL\n                                          mctp_dev_set_key(devB, key)\n                                            mctp_dev_hold(devB)\n                                            key->dev = devB\n    mctp_dev_set_key(devA, key)\n      mctp_dev_hold(devA)\n      key->dev = devA   // overwrites devB\n\nNow both devA and devB references were acquired, but only the final\nkey->dev value is tracked for release. One reference can be lost,\ncausing a resource leak as mctp_dev_release_key() would only decrease\nthe reference on one dev.\n\nFix by taking key->lock around the key->dev check and\nmctp_dev_set_key() call.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43455"
        },
        {
          "id": "CVE-2026-43456",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix type confusion in bond_setup_by_slave()\n\nkernel BUG at net/core/skbuff.c:2306!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306\nRSP: 0018:ffffc90004aff760 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e\nRDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900\nRBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000\nR10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780\nR13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900\n dev_hard_header include/linux/netdevice.h:3439 [inline]\n packet_snd net/packet/af_packet.c:3028 [inline]\n packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592\n ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646\n __sys_sendmsg+0x170/0x220 net/socket.c:2678\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fe1a0e6c1a9\n\nWhen a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,\nbond_setup_by_slave() directly copies the slave's header_ops to the\nbond device:\n\n    bond_dev->header_ops = slave_dev->header_ops;\n\nThis causes a type confusion when dev_hard_header() is later called\non the bond device. Functions like ipgre_header(), ip6gre_header(),all use\nnetdev_priv(dev) to access their device-specific private data. When\ncalled with the bond device, netdev_priv() returns the bond's private\ndata (struct bonding) instead of the expected type (e.g. struct\nip_tunnel), leading to garbage values being read and kernel crashes.\n\nFix this by introducing bond_header_ops with wrapper functions that\ndelegate to the active slave's header_ops using the slave's own\ndevice. This ensures netdev_priv() in the slave's header functions\nalways receives the correct device.\n\nThe fix is placed in the bonding driver rather than individual device\ndrivers, as the root cause is bond blindly inheriting header_ops from\nthe slave without considering that these callbacks expect a specific\nnetdev_priv() layout.\n\nThe type confusion can be observed by adding a printk in\nipgre_header() and running the following commands:\n\n    ip link add dummy0 type dummy\n    ip addr add 10.0.0.1/24 dev dummy0\n    ip link set dummy0 up\n    ip link add gre1 type gre local 10.0.0.1\n    ip link add bond1 type bond mode active-backup\n    ip link set gre1 master bond1\n    ip link set gre1 up\n    ip link set bond1 up\n    ip addr add fe80::1/64 dev bond1",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43456"
        },
        {
          "id": "CVE-2026-43457",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: i2c: fix skb memory leak in receive path\n\nWhen 'midev->allow_rx' is false, the newly allocated skb isn't consumed\nby netif_rx(), it needs to free the skb directly.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43457"
        },
        {
          "id": "CVE-2026-43458",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: caif: hold tty->link reference in ldisc_open and ser_release\n\nA reproducer triggers a KASAN slab-use-after-free in pty_write_room()\nwhen caif_serial's TX path calls tty_write_room(). The faulting access\nis on tty->link->port.\n\nHold an extra kref on tty->link for the lifetime of the caif_serial line\ndiscipline: get it in ldisc_open() and drop it in ser_release(), and\nalso drop it on the ldisc_open() error path.\n\nWith this change applied, the reproducer no longer triggers the UAF in\nmy testing.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43458"
        },
        {
          "id": "CVE-2026-43459",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-core: flush delayed work before removing DAIs and widgets\n\nWhen a sound card is unbound while a PCM stream is open, a\nuse-after-free can occur in snd_soc_dapm_stream_event(), called from\nthe close_delayed_work workqueue handler.\n\nDuring unbind, snd_soc_unbind_card() flushes delayed work and then\ncalls soc_cleanup_card_resources(). Inside cleanup,\nsnd_card_disconnect_sync() releases all PCM file descriptors, and\nthe resulting PCM close path can call snd_soc_dapm_stream_stop()\nwhich schedules new delayed work with a pmdown_time timer delay.\nSince this happens after the flush in snd_soc_unbind_card(), the\nnew work is not caught. soc_remove_link_components() then frees\nDAPM widgets before this work fires, leading to the use-after-free.\n\nThe existing flush in soc_free_pcm_runtime() also cannot help as it\nruns after soc_remove_link_components() has already freed the widgets.\n\nAdd a flush in soc_cleanup_card_resources() after\nsnd_card_disconnect_sync() (after which no new PCM closes can\nschedule further delayed work) and before soc_remove_link_dais()\nand soc_remove_link_components() (which tear down the structures the\ndelayed work accesses).",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43459"
        },
        {
          "id": "CVE-2026-43460",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rockchip-sfc: Fix double-free in remove() callback\n\nThe driver uses devm_spi_register_controller() for registration, which\nautomatically unregisters the controller via devm cleanup when the\ndevice is removed. The manual call to spi_unregister_controller() in\nthe remove() callback can lead to a double-free.\n\nAnd to make sure controller is unregistered before DMA buffer is\nunmapped, switch to use spi_register_controller() in probe().",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43460"
        },
        {
          "id": "CVE-2026-43461",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: amlogic: spifc-a4: Fix DMA mapping error handling\n\nFix three bugs in aml_sfc_dma_buffer_setup() error paths:\n1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails,\n   nothing needs cleanup. Use direct return instead of goto.\n2. Double-unmap bug: When info DMA mapping failed, the code would\n   unmap sfc->daddr inline, then fall through to out_map_data which\n   would unmap it again, causing a double-unmap.\n3. Wrong unmap size: The out_map_info label used datalen instead of\n   infolen when unmapping sfc->iaddr, which could lead to incorrect\n   DMA sync behavior.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43461"
        },
        {
          "id": "CVE-2026-43462",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: spacemit: Fix error handling in emac_tx_mem_map()\n\nThe DMA mappings were leaked on mapping error. Free them with the\nexisting emac_free_tx_buf() function.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43462"
        },
        {
          "id": "CVE-2026-43463",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()\n\nrxrpc_kernel_lookup_peer() can also return error pointers in addition to\nNULL, so just checking for NULL is not sufficient.\n\nFix this by:\n\n (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL\n     on allocation failure.\n\n (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the\n     error code returned.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43463"
        },
        {
          "id": "CVE-2026-43464",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nSuch issue can be observed with the\ntest_xdp_native_adjst_tail_shrnk_data selftest when using a payload of\n3600 and shrinking by 256 bytes (an upcoming selftest patch): the last\nfragment gets released by the XDP code but doesn't get tracked by the\ndriver. This results in a negative pp_ref_count during page release and\nthe following splat:\n\n  WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137\n  Modules linked in: [...]\n  CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]\n   mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]\n   mlx5e_close_rq+0x50/0x60 [mlx5_core]\n   mlx5e_close_queues+0x36/0x2c0 [mlx5_core]\n   mlx5e_close_channel+0x1c/0x50 [mlx5_core]\n   mlx5e_close_channels+0x45/0x80 [mlx5_core]\n   mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]\n   mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]\n   netif_set_mtu_ext+0xf1/0x230\n   do_setlink.isra.0+0x219/0x1180\n   rtnl_newlink+0x79f/0xb60\n   rtnetlink_rcv_msg+0x213/0x3a0\n   netlink_rcv_skb+0x48/0xf0\n   netlink_unicast+0x24a/0x350\n   netlink_sendmsg+0x1ee/0x410\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x232/0x280\n   ___sys_sendmsg+0x78/0xb0\n   __sys_sendmsg+0x5f/0xb0\n   [...]\n   do_syscall_64+0x57/0xc50\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43464"
        },
        {
          "id": "CVE-2026-43465",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn't change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n  a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n  to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n  buffer with the packet data starting in the first fragment which is the\n  page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n  header into the linear part of the XDP buffer. As the packet doesn't\n  contain more data, the program drops the tail fragment since it no\n  longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. Internal frag counter\n  remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n  63 => negative reference counting error.\n\nResulting splat during the test:\n\n  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  Modules linked in: [...]\n  CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n  [...]\n  Call Trace:\n   <TASK>\n   mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n   mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n   mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n   mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n   mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n   mlx5e_close_channel+0x24/0x90 [mlx5_core]\n   mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n   mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n   mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n   mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n   netif_set_mtu_ext+0xfc/0x240\n   do_setlink.isra.0+0x226/0x1100\n   rtnl_newlink+0x7a9/0xba0\n   rtnetlink_rcv_msg+0x220/0x3c0\n   netlink_rcv_skb+0x4b/0xf0\n   netlink_unicast+0x255/0x380\n   netlink_sendmsg+0x1f3/0x420\n   __sock_sendmsg+0x38/0x60\n   ____sys_sendmsg+0x1e8/0x240\n   ___sys_sendmsg+0x7c/0xb0\n   [...]\n   __sys_sendmsg+0x5f/0xb0\n   do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags.",
          "scorev2": "0.0",
          "scorev3": "9.8",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43465"
        },
        {
          "id": "CVE-2026-43466",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery\n\nIn case of a TX error CQE, a recovery flow is triggered,\nmlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,\ndesyncing the DMA FIFO producer and consumer.\n\nAfter recovery, the producer pushes new DMA entries at the old\ndma_fifo_pc, while the consumer reads from position 0.\nThis causes us to unmap stale DMA addresses from before the recovery.\n\nThe DMA FIFO is a purely software construct with no HW counterpart.\nAt the point of reset, all WQEs have been flushed so dma_fifo_cc is\nalready equal to dma_fifo_pc. There is no need to reset either counter,\nsimilar to how skb_fifo pc/cc are untouched.\n\nRemove the 'dma_fifo_cc = 0' reset.\n\nThis fixes the following WARNING:\n    WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90\n    Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n    RIP: 0010:iommu_dma_unmap_page+0x79/0x90\n    Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00\n    Call Trace:\n     <IRQ>\n     ? __warn+0x7d/0x110\n     ? iommu_dma_unmap_page+0x79/0x90\n     ? report_bug+0x16d/0x180\n     ? handle_bug+0x4f/0x90\n     ? exc_invalid_op+0x14/0x70\n     ? asm_exc_invalid_op+0x16/0x20\n     ? iommu_dma_unmap_page+0x79/0x90\n     ? iommu_dma_unmap_page+0x2e/0x90\n     dma_unmap_page_attrs+0x10d/0x1b0\n     mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]\n     mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]\n     mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]\n     __napi_poll+0x24/0x190\n     net_rx_action+0x32a/0x3b0\n     ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]\n     ? notifier_call_chain+0x35/0xa0\n     handle_softirqs+0xc9/0x270\n     irq_exit_rcu+0x71/0xd0\n     common_interrupt+0x7f/0xa0\n     </IRQ>\n     <TASK>\n     asm_common_interrupt+0x22/0x40",
          "scorev2": "0.0",
          "scorev3": "8.2",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43466"
        },
        {
          "id": "CVE-2026-43467",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix crash when moving to switchdev mode\n\nWhen moving to switchdev mode when the device doesn't support IPsec,\nwe try to clean up the IPsec resources anyway which causes the crash\nbelow, fix that by correctly checking for IPsec support before trying\nto clean up its resources.\n\n[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at\ndo_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490\n[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE\nip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype\nrpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink\nzram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi\nscsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core\nib_core\n[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted\n6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE\n[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680\n[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22\n00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb\n   ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d\n41\n[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046\n[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:\nffff88810b980f00\n[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:\nffff88810770f728\n[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:\n0000000000000000\n[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:\nffff888103f3c4c0\n[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:\n0000000000000000\n[27642.534614] FS:  00007f197c741740(0000) GS:ffff88856a94c000(0000)\nknlGS:0000000000000000\n[27642.535915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:\n0000000000172eb0\n[27642.537982] Call Trace:\n[27642.538466]  <TASK>\n[27642.538907]  exc_page_fault+0x76/0x140\n[27642.539583]  asm_exc_page_fault+0x22/0x30\n[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30\n[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8\n01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00\n   00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8\n      5b\n[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046\n[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:\nffff888113ad96d8\n[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:\n00000000000000a0\n[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:\nffff88810b980f00\n[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:\n00000000000000a8\n[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:\nffff8881130d8a40\n[27642.550379]  complete_all+0x20/0x90\n[27642.551010]  mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]\n[27642.552022]  mlx5e_nic_disable+0x12d/0x220 [mlx5_core]\n[27642.552929]  mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]\n[27642.553822]  mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]\n[27642.554821]  mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]\n[27642.555757]  ? xa_load+0x53/0x90\n[27642.556361]  __esw_offloads_load_rep+0x54/0x70 [mlx5_core]\n[27642.557328]  mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]\n[27642.558320]  esw_offloads_enable+0xb4b/0xc90 [mlx5_core]\n[27642.559247]  mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]\n[27642.560257]  ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]\n[27642.561284]  mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]\n[27642.562334]  ? devlink_rate_set_ops_supported+0x21/0x3a0\n[27642.563220]  devlink_nl_eswitch_set_doit+0x67/0xe0\n[27642.564026]  genl_family_rcv_msg_doit+0xe0/0x130\n[27642.564816]  genl_rcv_msg+0x183/0x290\n[27642.565466]  ? __devlink_nl_pre_doit.isra.0+0x160/0x160\n[27642.566329]  ? d\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43467"
        },
        {
          "id": "CVE-2026-43468",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix deadlock between devlink lock and esw->wq\n\nesw->work_queue executes esw_functions_changed_event_handler ->\nesw_vfs_changed_event_handler and acquires the devlink lock.\n\n.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->\nmlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->\nmlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks\nwhen esw_vfs_changed_event_handler executes.\n\nFix that by no longer flushing the work to avoid the deadlock, and using\na generation counter to keep track of work relevance. This avoids an old\nhandler manipulating an esw that has undergone one or more mode changes:\n- the counter is incremented in mlx5_eswitch_event_handler_unregister.\n- the counter is read and passed to the ephemeral mlx5_host_work struct.\n- the work handler takes the devlink lock and bails out if the current\n  generation is different than the one it was scheduled to operate on.\n- mlx5_eswitch_cleanup does the final draining before destroying the wq.\n\nNo longer flushing the workqueue has the side effect of maybe no longer\ncancelling pending vport_change_handler work items, but that's ok since\nthose are disabled elsewhere:\n- mlx5_eswitch_disable_locked disables the vport eq notifier.\n- mlx5_esw_vport_disable disarms the HW EQ notification and marks\n  vport->enabled under state_lock to false to prevent pending vport\n  handler from doing anything.\n- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events\n  are disabled/finished.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43468"
        },
        {
          "id": "CVE-2026-43469",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Decrement re_receiving on the early exit paths\n\nIn the event that rpcrdma_post_recvs() fails to create a work request\n(due to memory allocation failure, say) or otherwise exits early, we\nshould decrement ep->re_receiving before returning. Otherwise we will\nhang in rpcrdma_xprt_drain() as re_receiving will never reach zero and\nthe completion will never be triggered.\n\nOn a system with high memory pressure, this can appear as the following\nhung task:\n\n    INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.\n          Tainted: G S          E       6.19.0 #3\n    \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n    task:kworker/u385:17 state:D stack:0     pid:8393  tgid:8393  ppid:2      task_flags:0x4248060 flags:0x00080000\n    Workqueue: xprtiod xprt_autoclose [sunrpc]\n    Call Trace:\n     <TASK>\n     __schedule+0x48b/0x18b0\n     ? ib_post_send_mad+0x247/0xae0 [ib_core]\n     schedule+0x27/0xf0\n     schedule_timeout+0x104/0x110\n     __wait_for_common+0x98/0x180\n     ? __pfx_schedule_timeout+0x10/0x10\n     wait_for_completion+0x24/0x40\n     rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]\n     xprt_rdma_close+0x12/0x40 [rpcrdma]\n     xprt_autoclose+0x5f/0x120 [sunrpc]\n     process_one_work+0x191/0x3e0\n     worker_thread+0x2e3/0x420\n     ? __pfx_worker_thread+0x10/0x10\n     kthread+0x10d/0x230\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork+0x273/0x2b0\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork_asm+0x1a/0x30",
          "scorev2": "0.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43469"
        },
        {
          "id": "CVE-2026-43470",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don't return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don't attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43470"
        },
        {
          "id": "CVE-2026-43471",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()\n\nThe kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL\npointer dereference when accessing hwq->id.  This can happen if\nufshcd_mcq_req_to_hwq() returns NULL.\n\nThis patch adds a NULL check for hwq before accessing its id field to\nprevent a kernel crash.\n\nKernel log excerpt:\n[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c\n[<ffffffd5d1814e58>] __die+0x60/0xb0\n[<ffffffd5d1814d64>] die+0x4c/0xe0\n[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88\n[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318\n[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8\n[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54\n[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8\n[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64\n[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc\n[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88\n[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320\n[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404\n[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104\n[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]\n[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348\n[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8\n[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294\n[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80\n[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330\n[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68\n[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8\n[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8\n[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24\n[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88\n[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c\n[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54\n[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8\n[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c\n[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac\n[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43471"
        },
        {
          "id": "CVE-2026-43472",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nunshare: fix unshare_fs() handling\n\nThere's an unpleasant corner case in unshare(2), when we have a\nCLONE_NEWNS in flags and current->fs hadn't been shared at all; in that\ncase copy_mnt_ns() gets passed current->fs instead of a private copy,\nwhich causes interesting warts in proof of correctness]\n\n> I guess if private means fs->users == 1, the condition could still be true.\n\nUnfortunately, it's worse than just a convoluted proof of correctness.\nConsider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS\n(and current->fs->users == 1).\n\nWe pass current->fs to copy_mnt_ns(), all right.  Suppose it succeeds and\nflips current->fs->{pwd,root} to corresponding locations in the new namespace.\nNow we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).\nWe call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's\ndestroyed and its mount tree is dissolved, but...  current->fs->root and\ncurrent->fs->pwd are both left pointing to now detached mounts.\n\nThey are pinning those, so it's not a UAF, but it leaves the calling\nprocess with unshare(2) failing with -ENOMEM _and_ leaving it with\npwd and root on detached isolated mounts.  The last part is clearly a bug.\n\nThere is other fun related to that mess (races with pivot_root(), including\nthe one between pivot_root() and fork(), of all things), but this one\nis easy to isolate and fix - treat CLONE_NEWNS as \"allocate a new\nfs_struct even if it hadn't been shared in the first place\".  Sure, we could\ngo for something like \"if both CLONE_NEWNS *and* one of the things that might\nend up failing after copy_mnt_ns() call in create_new_namespaces() are set,\nforce allocation of new fs_struct\", but let's keep it simple - the cost\nof copy_fs_struct() is trivial.\n\nAnother benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets\na freshly allocated fs_struct, yet to be attached to anything.  That\nseriously simplifies the analysis...\n\nFWIW, that bug had been there since the introduction of unshare(2) ;-/",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43472"
        },
        {
          "id": "CVE-2026-43473",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Add NULL checks when resetting request and reply queues\n\nThe driver encountered a crash during resource cleanup when the reply and\nrequest queues were NULL due to freed memory.  This issue occurred when the\ncreation of reply or request queues failed, and the driver freed the memory\nfirst, but attempted to mem set the content of the freed memory, leading to\na system crash.\n\nAdd NULL pointer checks for reply and request queues before accessing the\nreply/request memory during cleanup",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43473"
        },
        {
          "id": "CVE-2026-43474",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: init flags_valid before calling vfs_fileattr_get\n\nsyzbot reported a uninit-value bug in [1].\n\nSimilar to the \"*get\" context where the kernel's internal file_kattr\nstructure is initialized before calling vfs_fileattr_get(), we should\nuse the same mechanism when using fa.\n\n[1]\nBUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n vfs_fileattr_get fs/file_attr.c:94 [inline]\n __do_sys_file_getattr fs/file_attr.c:416 [inline]\n\nLocal variable fa.i created at:\n __do_sys_file_getattr fs/file_attr.c:380 [inline]\n __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43474"
        },
        {
          "id": "CVE-2026-43475",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix scheduling while atomic on PREEMPT_RT\n\nThis resolves the follow splat and lock-up when running with PREEMPT_RT\nenabled on Hyper-V:\n\n[  415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002\n[  415.140822] INFO: lockdep is turned off.\n[  415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common\n[  415.140846] Preemption disabled at:\n[  415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[  415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}\n[  415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024\n[  415.140857] Call Trace:\n[  415.140861]  <TASK>\n[  415.140861]  ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[  415.140863]  dump_stack_lvl+0x91/0xb0\n[  415.140870]  __schedule_bug+0x9c/0xc0\n[  415.140875]  __schedule+0xdf6/0x1300\n[  415.140877]  ? rtlock_slowlock_locked+0x56c/0x1980\n[  415.140879]  ? rcu_is_watching+0x12/0x60\n[  415.140883]  schedule_rtlock+0x21/0x40\n[  415.140885]  rtlock_slowlock_locked+0x502/0x1980\n[  415.140891]  rt_spin_lock+0x89/0x1e0\n[  415.140893]  hv_ringbuffer_write+0x87/0x2a0\n[  415.140899]  vmbus_sendpacket_mpb_desc+0xb6/0xe0\n[  415.140900]  ? rcu_is_watching+0x12/0x60\n[  415.140902]  storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]\n[  415.140904]  ? HARDIRQ_verbose+0x10/0x10\n[  415.140908]  ? __rq_qos_issue+0x28/0x40\n[  415.140911]  scsi_queue_rq+0x760/0xd80 [scsi_mod]\n[  415.140926]  __blk_mq_issue_directly+0x4a/0xc0\n[  415.140928]  blk_mq_issue_direct+0x87/0x2b0\n[  415.140931]  blk_mq_dispatch_queue_requests+0x120/0x440\n[  415.140933]  blk_mq_flush_plug_list+0x7a/0x1a0\n[  415.140935]  __blk_flush_plug+0xf4/0x150\n[  415.140940]  __submit_bio+0x2b2/0x5c0\n[  415.140944]  ? submit_bio_noacct_nocheck+0x272/0x360\n[  415.140946]  submit_bio_noacct_nocheck+0x272/0x360\n[  415.140951]  ext4_read_bh_lock+0x3e/0x60 [ext4]\n[  415.140995]  ext4_block_write_begin+0x396/0x650 [ext4]\n[  415.141018]  ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]\n[  415.141038]  ext4_da_write_begin+0x1c4/0x350 [ext4]\n[  415.141060]  generic_perform_write+0x14e/0x2c0\n[  415.141065]  ext4_buffered_write_iter+0x6b/0x120 [ext4]\n[  415.141083]  vfs_write+0x2ca/0x570\n[  415.141087]  ksys_write+0x76/0xf0\n[  415.141089]  do_syscall_64+0x99/0x1490\n[  415.141093]  ? rcu_is_watching+0x12/0x60\n[  415.141095]  ? finish_task_switch.isra.0+0xdf/0x3d0\n[  415.141097]  ? rcu_is_watching+0x12/0x60\n[  415.141098]  ? lock_release+0x1f0/0x2a0\n[  415.141100]  ? rcu_is_watching+0x12/0x60\n[  415.141101]  ? finish_task_switch.isra.0+0xe4/0x3d0\n[  415.141103]  ? rcu_is_watching+0x12/0x60\n[  415.141104]  ? __schedule+0xb34/0x1300\n[  415.141106]  ? hrtimer_try_to_cancel+0x1d/0x170\n[  415.141109]  ? do_nanosleep+0x8b/0x160\n[  415.141111]  ? hrtimer_nanosleep+0x89/0x100\n[  415.141114]  ? __pfx_hrtimer_wakeup+0x10/0x10\n[  415.141116]  ? xfd_validate_state+0x26/0x90\n[  415.141118]  ? rcu_is_watching+0x12/0x60\n[  415.141120]  ? do_syscall_64+0x1e0/0x1490\n[  415.141121]  ? do_syscall_64+0x1e0/0x1490\n[  415.141123]  ? rcu_is_watching+0x12/0x60\n[  415.141124]  ? do_syscall_64+0x1e0/0x1490\n[  415.141125]  ? do_syscall_64+0x1e0/0x1490\n[  415.141127]  ? irqentry_exit+0x140/0\n---truncated---",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43475"
        },
        {
          "id": "CVE-2026-43500",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true.  An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true.  This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO).  The OOM/trace handling already in place is reused.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43500"
        },
        {
          "id": "CVE-2026-46300",
          "summary": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to's linear data rather than transferring frag descriptors.",
          "scorev2": "0.0",
          "scorev3": "7.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Unpatched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-46300"
        }
      ]
    }
  ]
}
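Added example, not part of the cve-check report above and not code from the cve-check tool or the linux-xlnx recipe: a small Python triage helper that parses reports in exactly this JSON shape (version, package[], issue[] with scorev2/scorev3/scorev4, vectorString, status, link) and ranks the issues still marked "Unpatched" by the newest CVSS score NVD actually published, which is the first question a practitioner asks of a report like this before deciding which kernel fixes to backport. The sample report embedded in the block is constructed for the demo: it copies three records from this page with their summaries cut to the first line and adds one placeholder "Patched" record whose id, CVE-1970-0001, is not a real CVE.

```python
"""Triage helper for Yocto cve-check JSON reports (added example, not cve-check code)."""
import json
from dataclasses import dataclass

# Constructed sample input: three records copied from the report on this page
# (summaries shortened to their first line) plus one placeholder "Patched"
# record. CVE-1970-0001 is NOT a real CVE id; it exists only to exercise the
# status filter and the CVSS v2-only fallback.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [{
        "name": "linux-xlnx",
        "layer": "meta-xilinx-core",
        "version": "6.18.10+git+v2026.1",
        "products": [{"product": "linux_kernel", "cvesInRecord": "Yes"}],
        "issue": [
            {"id": "CVE-2026-43468", "summary": "net/mlx5: Fix deadlock between devlink lock and esw->wq",
             "scorev2": "0.0", "scorev3": "5.5", "scorev4": "0.0", "vector": "LOCAL",
             "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
             "status": "Unpatched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43468"},
            {"id": "CVE-2026-43469", "summary": "xprtrdma: Decrement re_receiving on the early exit paths",
             "scorev2": "0.0", "scorev3": "7.5", "scorev4": "0.0", "vector": "NETWORK",
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
             "status": "Unpatched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43469"},
            {"id": "CVE-2026-43500", "summary": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
             "scorev2": "0.0", "scorev3": "7.8", "scorev4": "0.0", "vector": "LOCAL",
             "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
             "status": "Unpatched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2026-43500"},
            {"id": "CVE-1970-0001", "summary": "placeholder record, not a real CVE",
             "scorev2": "5.0", "scorev3": "0.0", "scorev4": "0.0", "vector": "NETWORK",
             "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
             "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-1970-0001"},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    score: float
    cvss: str           # "v4", "v3", "v2" or "none": which CVSS version the score came from
    attack_vector: str  # AV metric letter: N(etwork), A(djacent), L(ocal), P(hysical)
    impact: str         # "C:x/I:x/A:x" pulled from the vector string
    link: str


def parse_vector(vector_string):
    """Split a CVSS vector string into a metric dict, e.g. {"AV": "L", "AC": "L", ...}.
    The leading "CVSS:3.1" version tag (absent on v2 strings) is dropped."""
    metrics = {}
    for part in vector_string.split("/"):
        key, _, value = part.partition(":")
        if key == "CVSS" or not value:
            continue
        metrics[key] = value
    return metrics


def pick_score(issue):
    """Return (cvss_tag, score) preferring the newest CVSS version that carries a
    non-zero score. cve-check writes "0.0" for versions NVD has not published,
    so a zero must be read as "absent", not as "harmless"."""
    for tag, field in (("v4", "scorev4"), ("v3", "scorev3"), ("v2", "scorev2")):
        score = float(issue.get(field) or "0.0")
        if score > 0.0:
            return tag, score
    return "none", 0.0


def triage(report_text, min_score=0.0, statuses=("Unpatched",)):
    """Parse a cve-check report and return Findings for issues whose status is in
    `statuses` and whose best score is >= min_score, highest score first."""
    findings = []
    for pkg in json.loads(report_text).get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") not in statuses:
                continue
            tag, score = pick_score(issue)
            if score < min_score:
                continue
            m = parse_vector(issue.get("vectorString", ""))
            impact = "/".join(f"{k}:{m[k]}" for k in ("C", "I", "A") if k in m)
            findings.append(Finding(pkg["name"], pkg["version"], issue["id"], score, tag,
                                    m.get("AV", issue.get("vector", "?")), impact, issue.get("link", "")))
    findings.sort(key=lambda f: (-f.score, f.cve))
    return findings


def status_counts(report_text):
    """Count issues per status across all packages, e.g. {"Unpatched": 3, "Patched": 1}."""
    counts = {}
    for pkg in json.loads(report_text).get("package", []):
        for issue in pkg.get("issue", []):
            status = issue.get("status", "?")
            counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    print(status_counts(SAMPLE_REPORT))
    for f in triage(SAMPLE_REPORT, min_score=7.0):
        print(f"{f.cve}  {f.score:>4}  CVSS{f.cvss}  AV:{f.attack_vector}  {f.impact}  {f.package} {f.version}")
```

Two caveats when reading the output against a vendor kernel such as linux-xlnx: cve-check decides "Unpatched" from the NVD version range for the product plus whatever the recipe declares through CVE_STATUS and patch metadata, so an upstream fix that was already backported into the fork but never declared there still shows up as Unpatched and has to be confirmed against the fork's git history; and a scorev3 of 0.0 next to a real scorev2 (as in the older records of this report) means NVD never rescored the issue, which is why the helper falls back through the CVSS versions instead of treating such an issue as score zero.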